Domain Controller DNS Record Registration

January 28, 2019
Concurrency

DNS plays a central part in Active Directory. Clients use DNS records to discover and communicate with domain controllers, which in turn allows for proper domain functionality. Let’s take a look at the key DNS records and some other helpful information for troubleshooting DNS issues.

Core DNS Records

There are 7 types of DNS records that get registered by the DCs in a domain. They are:

- PDC SRV Record: _ldap._tcp.pdc._msdcs.domain.com
  One per domain
- Global Catalog SRV Records: _ldap._tcp.gc._msdcs.domain.com
  One per global catalog domain controller
- Kerberos SRV Records: _kerberos._tcp.dc._msdcs.domain.com
  One per domain controller
- DC SRV Records: _ldap._tcp.dc._msdcs.domain.com
  One per domain controller
- DC A Records: domaincontroller.domain.com
  One per domain controller
- Global Catalog A Records: gc._msdcs.domain.com
  One per domain controller
- Domain Controller CNAME Records: dcguid._msdcs.domain.com
  One per domain controller

In addition to the above, some records also have site-specific DNS entries:

- Kerberos SRV Records: _kerberos._tcp.sitename._sites.dc._msdcs.domain.com
  One per domain controller
- DC SRV Records: _ldap._tcp.sitename._sites.dc._msdcs.domain.com
  One per domain controller
- Global Catalog SRV Records: _ldap._tcp.sitename._sites.gc._msdcs.domain.com
  One per global catalog domain controller

To summarize with an example, a DC named mydc01 in the domain contoso.com would register the following records:

- _ldap._tcp.gc._msdcs.contoso.com – SRV record pointing to mydc01
- _kerberos._tcp.dc._msdcs.contoso.com – SRV record pointing to mydc01
- _ldap._tcp.dc._msdcs.contoso.com – SRV record pointing to mydc01
- mydc01.contoso.com – A record pointing to IP of mydc01
- gc._msdcs.contoso.com – A record pointing to IP of mydc01
- 90f50531-96cf-4ffe-ab5e-9ce96f2580d1._msdcs.contoso.com – CNAME record pointing to mydc01
- _kerberos._tcp.site1._sites.dc._msdcs.contoso.com – SRV record pointing to mydc01
- _ldap._tcp.site1._sites.dc._msdcs.contoso.com – SRV record pointing to mydc01
- _ldap._tcp.site1._sites.gc._msdcs.contoso.com – SRV record pointing to mydc01
- _ldap._tcp.pdc._msdcs.contoso.com – SRV record pointing to mydc01
  Only registered if mydc01 is the PDCe for the domain

Re-registering Records

A domain controller can be forced to re-register its DNS records with two commands:

- ipconfig /registerdns
  This will register the DC’s A record (mydc01.contoso.com).
- net stop netlogon && net start netlogon
  This will restart the netlogon service. When the netlogon service starts up, it will automatically try to register the rest of the DC’s DNS records.

An important point to note is that these processes will use the preferred DNS server on the NIC settings to do the registration. If the NIC has invalid DNS servers configured, the record registration will fail.

Troubleshooting

If any of the required DNS entries are missing and running the above commands doesn’t resolve it, check for the following:

- The System event log will contain entries from the NETLOGON source if the service has an issue registering the SRV and related DNS records.
- The System event log will contain entries from the DNS Client Events source if there’s an issue with the standard A record registration.
- Enable Netlogon debug logging and check the netlogon.log file:
  - Run Nltest /DBFlag:2080FFFF to enable debug logging for the netlogon service
  - Restart the netlogon service to force re-registration
  - Check the C:\Windows\debug\netlogon.log file for errors
  - Run Nltest /DBFlag:0x0 to disable debug logging when done
- Ensure that the DNS servers on the DC’s NIC are configured correctly. Since the NETLOGON DNS record registration uses the primary DNS servers on the NIC, a misconfiguration here can cause failures. For example, make sure that the DNS settings are pointed to valid, online DNS servers.
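
To find out which of the records listed under Core DNS Records are actually missing for a given DC, the names can be built from the DC name, domain, site and GUID and then queried one by one. The script below is an added example, not part of the original article: Test-DcDnsRecord and its parameters are hypothetical names, it relies on the standard Resolve-DnsName cmdlet and live DNS, and the sample call reuses the article's illustrative mydc01/contoso.com values.

```powershell
# Added example (not from the original article). Function and parameter names are hypothetical.
function Test-DcDnsRecord {
    param(
        [Parameter(Mandatory)][string]$DcName,   # short host name, e.g. mydc01
        [Parameter(Mandatory)][string]$Domain,   # DNS domain, e.g. contoso.com
        [Parameter(Mandatory)][string]$Site,     # AD site name, e.g. site1
        [Parameter(Mandatory)][string]$DcGuid,   # GUID used in the DC's CNAME record
        [switch]$IsGlobalCatalog,                # also check the gc._msdcs records
        [switch]$IsPdcEmulator,                  # also check the pdc._msdcs record
        [string]$DnsServer                       # optional: query one specific DNS server
    )
    $fqdn   = "${DcName}.${Domain}"
    $common = @{ DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $common.Server = $DnsServer }

    # Records every DC registers, including the site-specific SRV entries.
    $expected = @(
        @{ Name = $fqdn;                                              Type = 'A'     }
        @{ Name = "${DcGuid}._msdcs.${Domain}";                       Type = 'CNAME' }
        @{ Name = "_ldap._tcp.dc._msdcs.${Domain}";                   Type = 'SRV'   }
        @{ Name = "_kerberos._tcp.dc._msdcs.${Domain}";               Type = 'SRV'   }
        @{ Name = "_ldap._tcp.${Site}._sites.dc._msdcs.${Domain}";    Type = 'SRV'   }
        @{ Name = "_kerberos._tcp.${Site}._sites.dc._msdcs.${Domain}"; Type = 'SRV'  }
    )
    if ($IsGlobalCatalog) {
        $expected += @{ Name = "_ldap._tcp.gc._msdcs.${Domain}";                Type = 'SRV' }
        $expected += @{ Name = "_ldap._tcp.${Site}._sites.gc._msdcs.${Domain}"; Type = 'SRV' }
        $expected += @{ Name = "gc._msdcs.${Domain}";                           Type = 'A'   }
    }
    if ($IsPdcEmulator) {
        $expected += @{ Name = "_ldap._tcp.pdc._msdcs.${Domain}"; Type = 'SRV' }
    }

    # The DC's own addresses; A records only count if they point at one of these.
    $dcIps = @(Resolve-DnsName -Name $fqdn -Type A @common |
               Where-Object { $_.Type -eq 'A' }).IPAddress

    foreach ($rec in $expected) {
        $answers = @(Resolve-DnsName -Name $rec.Name -Type $rec.Type @common |
                     Where-Object { $_.Type -eq $rec.Type })
        # A shared name (e.g. _ldap._tcp.dc._msdcs) lists every DC, so look for this DC in the answers.
        $hit = switch ($rec.Type) {
            'SRV'   { $answers | Where-Object { $_.NameTarget -eq $fqdn } }
            'CNAME' { $answers | Where-Object { $_.NameHost   -eq $fqdn } }
            'A'     { $answers | Where-Object { $_.IPAddress  -in $dcIps } }
        }
        [pscustomobject]@{ Record = $rec.Name; Type = $rec.Type; Registered = [bool]$hit }
    }
}

# Sample call with the article's illustrative values; replace them with your own.
Test-DcDnsRecord -DcName mydc01 -Domain contoso.com -Site site1 `
    -DcGuid 90f50531-96cf-4ffe-ab5e-9ce96f2580d1 -IsGlobalCatalog | Format-Table -AutoSize
```

Passing -DnsServer with the address of the DC's preferred DNS server checks the same server the registration is sent to, which separates a failed registration from a replication or client-side resolution problem.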