Domain Controller DNS Record Registration

Author by Mitchell Grande

DNS plays a central part in Active Directory.  Clients use DNS records to discover and communicate with domain controllers which, in turn, allows for proper domain functionality.  Let's take a look at the key DNS records and some other helpful information for troubleshooting DNS issues.

Core DNS Records

There are 7 types of DNS records that get registered by the DCs in a domain.  They are:
  • PDC SRV Record: _ldap._tcp.pdc._msdcs.domain.com
    • One per domain
  • Global Catalog SRV Records: _ldap._tcp.gc._msdcs.domain.com
    • One per global catalog domain controller
  • Kerberos SRV Records: _kerberos._tcp.dc._msdcs.domain.com
    • One per domain controller
  • DC SRV Records: _ldap._tcp.dc._msdcs.domain.com
    • One per domain controller
  • DC A Records: domaincontroller.domain.com
    • One per domain controller
  • Global Catalog A Records: gc._msdcs.domain.com
    • One per domain controller
  • Domain Controller CNAME Records: dcguid._msdcs.domain.com
    • One per domain controller
In addition to the above, some records also have site-specific DNS entries:
  • Kerberos SRV Records: _kerberos._tcp.sitename._sites.dc._msdcs.domain.com
    • One per domain controller
  • DC SRV Records: _ldap._tcp.sitename._sites.dc._msdcs.domain.com
    • One per domain controller
  • Global Catalog SRV Records: _ldap._tcp.sitename._sites.gc._msdcs.domain.com
    • One per global catalog domain controller
To summarize with an example, a DC named mydc01 in the domain contoso.com would register the following records:
  • _ldap._tcp.gc._msdcs.contoso.com - SRV record pointing to mydc01
  • _kerberos._tcp.dc._msdcs.contoso.com - SRV record pointing to mydc01
  • _ldap._tcp.dc._msdcs.contoso.com - SRV record pointing to mydc01
  •  _ldap._tcp.dc._msdcs.contoso.com - SRV record pointing to mydc01
  • mydc01.contoso.com - A record pointing to IP of mydc01
  • gc._msdcs.contoso.com - A record pointing to IP of mydc01
  • 90f50531-96cf-4ffe-ab5e-9ce96f2580d1._msdcs.contoso.com - CNAME record pointing to mydc01
  • _kerberos._tcp.site1._sites.dc._msdcs.contoso.com - SRV record pointing to mydc01
  • _ldap._tcp.site1._sites.dc._msdcs.contoso.com - SRV record pointing to mydc01
  • _ldap._tcp.site1._sites.gc._msdcs.contoso.com - SRV record pointing to mydc01
  • _ldap._tcp.pdc._msdcs.contoso.com - SRV record pointing to mydc01
    • Only registered if mydc01 is the PDCe for the domain

Re-registering Records

A domain controller can be forced to re-register its DNS records with two commands:
  1. ipconfig /registerdns
    1. This will register the DCs A record (mydc01.contoso.com).
  2. net stop netlogon && net start netlogon
    1. This will restart the netlogon service.  When the netlogon service starts up, it will automatically try to register the rest of the DC's DNS records.
An important point to note is that these processes will use the preferred DNS server on the NIC settings to do the registration.  If the NIC has invalid DNS servers configured, the record registration will fail.

Troubleshooting

If any of the required DNS entries are missing and running the above commands doesn't resolve it, check for the following:
  • The System event log will contain entries from the NETLOGON source if the service has an issue registering the SRV and related DNS records
  • The System event log will contain entries from the DNS Client Events source if there's an issue with the standard A record registration
  • Enable Netlogon debug logging and check the netlogon.log file
    • Run Nltest /DBFlag:2080FFFF to enable debug logging for the netlogon service
    • Restart the netlogon service to force re-registration
    • Check the C:\Windows\debug\netlogon.log file for errors
    • Run Nltest /DBFlag:0x0 to disable debug logging when done
  • Ensure that the DNS Servers on the DC's NIC are configured correctly.  Since the NETLOGON DNS record registration uses the primary DNS servers on the NIC, a misconfiguration here can cause failures.  For example, make sure that the DNS settings are pointed to valid, online DNS servers.
Author

Mitchell Grande

Systems Engineer

Tags in this Article