DNS Records Registered by an Active Directory Domain Controller:
DNS is vital in an Active Directory (AD) domain, providing the mechanism by which all domain members locate domain controllers (DCs) for authentication, which must succeed before they are able to access any resources in the domain. Access to resources also typically requires further queries to DNS to resolve the names of servers hosting those resources. If DNS isn’t functioning properly, Active Directory-related functionality will be severely impaired.
Every DC registers certain records in DNS. To ensure that DNS and AD are working properly, it is important to make sure these records are present on DNS servers within the domain. The following screenshots illustrate these records. Each AD domain is unique, of course, so the records will vary somewhat, but the screenshots should give you an idea of what to look for.
There will be at least one forward lookup zone named after the domain itself. There may also be a forward lookup zone whose name begins with _msdcs and ends with the domain’s name. However, this zone may instead exist as a folder named _msdcs inside the domain forward lookup zone. For the purpose of record registration, the two arrangements are equivalent. The zones will typically be AD-integrated for ease of replication, as shown in the picture below, though this is not necessary.
The domain forward lookup zone will contain a number of important records:
We’re concerned here with the ones registered by DCs (named 2008r2dc and 2012dc in this example). The following records should exist in the root of this zone:
- SOA (start of authority) record: In an AD-integrated zone, each DC/DNS server will have an SOA record with the server’s own IP address in its data field. This indicates that the server hosts a writeable copy of the zone. In a non-AD-integrated zone, only the primary server will host a writeable copy of the zone, so it will be the only server with an SOA record.
- NS (name server) records: There should be one of these for each DNS server in the domain.
- A (host) records: Each DC should have two host records in this location: one for the DC’s unique hostname and one for the domain. The latter records will have the name (same as parent folder). The data field of each of these records should contain the DC’s IP address.
Note: Every machine in the domain will likely register at least one host record, but only DCs should register (same as parent folder) host records. If there are (same as parent folder) host records in this location with IP addresses that don’t correspond to DCs, problems may result.
Within the domain forward lookup zone are a number of folders. Among them are the DomainDnsZones and ForestDnsZones folders. These folders correspond to the two default DNS application directory partitions, which are used to replicate DNS data to all DNS servers in the domain or forest. Inside these two folders, you will find (same as parent folder) host records for each DNS server that hosts a replica of the corresponding directory partition – in other words, the DomainDnsZones folder should contain records for each DNS server in the domain, and the ForestDnsZones folder should contain records for each DNS server in the forest. In a single-domain forest, these folders will contain the same records.
As mentioned, there are other folders inside the domain forward lookup zone. Some of these folders may in turn contain one or more levels of other folders, and at the bottom of this hierarchy will be SRV (service) records.
These records correspond to various services running on the machines that register them, and DCs register quite a few. It is not typically necessary to comb through all of these records unless a DC needs to be manually removed from DNS, which is rare. In this situation, the records that must be deleted are easy to spot, since they will all contain the corresponding DC’s name in their data fields.
The root of the _msdcs zone will contain some of the same types of records as the domain zone. The SOA and NS records will be there, but there should be no host records present in this location.
Instead, there should be CNAME (alias) records for each DC. The name of each CNAME record is the GUID of the corresponding DC’s NTDS Settings object, which can be found using the Active Directory Sites and Services console.
As with the domain zone, there are several folders beneath the _msdcs zone. Among these folders is one named gc.
This folder should contain a (same a parent folder) host record for each DC that is also a global catalog (GC) server. If a GC’s record is missing from this folder, it could indicate that the initial GC replication process did not complete successfully, meaning that the affected DC is not operating as a GC.
In addition to the forward lookup zones, there will likely be one or more reverse lookup zones present in DNS.
There will typically be one reverse lookup zone for each IP subnet within the environment. Aside from the expected SOA and NS records that every DNS zone contains, reverse lookup zones contain only PTR records.
These records are used to resolve IP addresses to fully qualified domain names. Every machine in the domain, including the DCs, will typically register at least one PTR record.
© 2019, Techrunnr. All rights reserved.