Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2011-09-11) Service (SRV) Locator Records Registered By Windows Domain Controllers

Posted by Jorge on 2011-09-11


Windows DCs register a set of service locator records in DNS to be able to service both windows and non-clients. The complete list of service (SRV) records is specified below with an explanation of the service that’s represented, including which clients used it. By default. Windows DCs register all available service records. This is OK for datacenter located RWDCs. For RWDCs not located in datacenters, the RWDCs need to be told not to register the domain-wide SRV records. This can be achieved through the registry or through a GPO. The latter of course is preferred and a best practice. For more information about how to configure RWDCs NOT to register specific mnemonics see this blog post. RODCs by default only register site-wide SRV records, so no need to use a GPO to tell the RODC not to register domain-wide SRV records.

The NetLogon service on a DC, during boot and regularly (every hour, and previously that was every 24 hours), is responsible to registering the correct service records. The service records that will be registered are listed in the “netlogon.dns” file in the “C:\Windows\System32\config” folder. An example of this file is shown below.

image

 

It is also possible to force the registration and deregistration of the service records that should be registered/deregistered. The commands are:

  • Forced manual registration: NLTEST /DSREGDNS
  • Forced manual deregistration: NLTEST /DSDEREGDNS:<FQDN DC>

The following RFC provide detailed information about this: “A DNS RR for specifying the location of services (DNS SRV)

The SRV record is used to map the name of a service (in this case, the LDAP service) to the DNS computer name of a server that offers that service. In a Windows Server network, an LDAP resource record locates a domain controller. A workstation that is logging on to a Windows domain queries DNS for SRV records in the general form:

_Service._Protocol.DnsDomainName

Active Directory servers offer the LDAP service over the TCP protocol; therefore, clients find an LDAP server by querying DNS for a record of the form:

_ldap._tcp.DnsDomainName

_msdcs Subdomain

There are possible implementations of LDAP servers other than Windows based domain controllers. There are also possible implementations of LDAP directory services that employ Global Catalog servers but are not servers that are running Windows Server. To facilitate locating Windows Server–based domain controllers, in addition to the standard _Service._Protocol.DnsDomainName format, the NetLogon service registers SRV records that identify the well-known server-type pseudonyms "dc" (domain controller), "gc" (Global Catalog), "pdc" (primary domain controller), and "domains" (globally unique identifier, or GUID) as prefixes in the _msdcs subdomain. This Microsoft-specific subdomain allows location of domain controllers that have Windows Server–specific roles in the AD domain or AD forest, as well as the location by GUID when an AD domain has been renamed (more info about domain rename can be found here). To accommodate locating domain controllers by server type or by GUID (abbreviated "dctype"), Windows Server–based domain controllers register SRV records in the following form:

_Service._Protocol.DcType._msdcs.DnsDomainName

The addition of the _msdcs subdomain means that two sets of DNS names can be used to find an LDAP server: DnsDomainName is used to find an LDAP server or Kerberos server that is running TCP (or, in the case of a Kerberos server, either TCP or the User Datagram Protocol [UDP]), and the subdomain _msdcs.DnsDomainName is used to find an LDAP server that is running TCP and also functioning in a particular Windows Server role. The name "_msdcs" is reserved for locating WIndows domain controllers. The single keyword "_msdcs" was chosen to avoid cluttering the DNS namespace unnecessarily. Other constant, well-known names (pdc, dc, and gc) were kept short to avoid exceeding the maximum length of DnsDomainName.

SRV Records Registered by NetLogon

The list that follows provides the definitions of the names associated with registered SRV records. It also describes the lookup criteria supported by each record and the checks performed by Net Logon as each record is registered. Text in bold type denotes constant record components; text in italic type denotes variable names.

In the descriptions of registered SRV records, DnsDomainName refers to the DNS domain name that is used during creation of the first domain controller when the AD domain tree is joined or created (that is, while the computer is running the Active Directory Installation Wizard). DnsForestName refers to the DNS domain name of the forest root AD domain.

The following is a list of the owner names of the SRV records that are registered by NetLogon. An owner name is the name of the DNS node to which the resource record pertains.

_ldap._tcp.DnsDomainName.

Allows a client to locate a server that is running the LDAP service in the AD domain named by DnsDomainName. The server is not necessarily a domain controller — that is, the only assumption that can be made about the server is that it supports the LDAP application programming interface (API). All Windows Server–based domain controllers register this SRV record (for example, _ldap._tcp.adcorp.lab.).

_ldap._tcp.SiteName._sites.DnsDomainName.

Allows a client to locate a server that is running the LDAP service in the AD domain named in DnsDomainName in the AD site named by SiteName. SiteName is the relative distinguished name of the site object that is stored in the Configuration container in Active Directory. The server is not necessarily a domain controller. All Windows Server–based domain controllers register this SRV record (for example, _ldap._tcp.amsterdam._sites.adcorp.lab.).

_ldap._tcp.dc._msdcs.DnsDomainName.

Allows a client to locate a domain controller (dc) of the AD domain named by DnsDomainName. All Windows Server–based domain controllers register this SRV record.

_ldap._tcp.SiteName._sites.dc._msdcs.DnsDomainName.

Allows a client to locate a domain controller for the AD domain named by DnsDomainName and in the AD site named by SiteName. All Windows Server–based domain controllers register this SRV record.

_ldap._tcp.pdc._msdcs.DnsDomainName.

Allows a client to locate the server that is acting as the primary domain controller (also known as a "PDC") in the AD domain named in DnsDomainName. Only the PDC emulator FSMO of the AD domain (the Windows Server–based domain controller that advertises itself as the primary domain controller to computers that need a primary domain controller) registers this SRV record.

_ldap._tcp.gc._msdcs.DnsForestName.

Allows a client to locate a Global Catalog (gc) server for this AD forest. Only domain controllers that are functioning as Global Catalog servers for the AD forest named in DnsForestName register this SRV record (for example, _ldap._tcp.gc._msdcs.adcorp.lab.).

_ldap._tcp.SiteName._sites.gc._msdcs.DnsForestName.

Allows a client to locate a Global Catalog (gc) server for this AD forest in the AD site named in SiteName. Only domain controllers that are serving as Global Catalog servers for the AD forest named in DnsForestName register this SRV record (for example, _ldap._tcp.amsterdam._sites.gc._msdcs.adcorp.lab.).

_gc._tcp.DnsForestName.

Allows a client to locate a Global Catalog (gc) server for this AD domain. The server is not necessarily a domain controller. Only a server that is running the LDAP service and functioning as the Global Catalog server for the AD forest named in DnsForestName registers this SRV record (for example, _gc._tcp.adcorp.lab.).

REMARK: In Windows Server, a Global Catalog server is a domain controller. Other non-Windows 2000 implementations of directory services can also register servers as Global Catalog servers.

_gc._tcp.SiteName._sites.DnsForestName.

Allows a client to locate a Global Catalog (gc) server for this AD forest in the AD site named in SiteName. The server is not necessarily a domain controller. Only a server that is running the LDAP service and functioning as the Global Catalog server for the AD forest named in DnsForestName registers this SRV record (for example, _gc._tcp.amsterdam._sites.adcorp.lab.).

_ldap._tcp.DomainGuid.domains._msdcs.DnsForestName.

Allows a client to locate a domain controller in an AD domain on the basis of its GUID. A GUID is a 128-bit number that is automatically generated for referencing objects in Active Directory – in this case, the AD domain object. This operation is expected to be infrequent; it occurs only when the DnsDomainName of the AD domain has changed, the DnsForestName is known, and DnsForestName has not also been renamed (for example, _ldap._tcp.4f904480-7c78-11cf-b057-00aa006b4f8f.domains._msdcs.adcorp.lab.). All domain controllers register this SRV record.

_kerberos._tcp.DnsDomainName.

Allows a client to locate a server that is running the Kerberos KDC service for the AD domain that is named in DnsDomainName. The server is not necessarily a domain controller. All Windows Server–based domain controllers that are running an RFC 1510–compliant Kerberos KDC service register this SRV record.

_kerberos._udp.DnsDomainName.

Same as _kerberos._tcp.DnsDomainName, except that UDP is implied.

_kerberos._tcp.SiteName._sites.DnsDomainName.

Allows a client to locate a server that is running the Kerberos KDC service for the AD domain that is named in DnsDomainName and is also in the AD site named in SiteName. The server is not necessarily a domain controller. All Windows Server–based domain controllers that are running an RFC 1510–compliant Kerberos KDC service register this SRV record.

_kerberos._tcp.dc._msdcs.DnsDomainName.

Allows a client to locate a domain controller that is running the Windows Server implementation of the Kerberos KDC service for the AD domain named in DnsDomainName. All Windows Server–based domain controllers that are running the KDC service (that is, that implement a public key extension to the Kerberos v5 protocol Authentication Service Exchange subprotocol) register this SRV record.

_kerberos.tcp.SiteName._sites.dc._msdcs.DnsDomainName.

Allows a client to locate a domain controller that is running the Windows Server implementation of the Kerberos KDC service for the AD domain that is named in DnsDomainName and that is also in the AD site named in SiteName. All Windows Server–based domain controllers that are running the KDC service (that is, that implement a public key extension to the Kerberos protocol Authentication Service Exchange subprotocol) register this SRV record.

_kpasswd._tcp.DnsDomainName.

Allows a client to locate a Kerberos Password Change server for the AD domain. All servers that provide the Kerberos Password Change service (which includes all Windows Server–based domain controllers) register this name. This server at least conforms to "Kerberos Change Password Protocol”. The server is not necessarily a domain controller. All Windows Server–based domain controllers that are running an RFC 1510–compliant Kerberos KDC service register this SRV record.

_kpasswd._udp.DnsDomainName.

Same as _kpasswd._tcp.DnsDomainName, except that UDP is implied.

If multiple domain controllers have the same criteria, multiple records exist with the same owner name. A client that is looking for a domain controller with specific criteria would receive all the applicable records from the DNS server. The client would pick one of the returned records to select a domain controller, as described in the RFC "A DNS RR for specifying the location of services (DNS SRV)."

For information about the Kerberos v5 authentication protocol see:

Host Records for Non-SRV-Record-Aware Clients

NetLogon registers the following DNS A records for the use of LDAP clients that do not support DNS SRV records (that is, that are "non-SRV-aware"). The Locator does not use these records.

The following owner names of A (host) records are registered by NetLogon:

DnsDomainName.

Allows a non-SRV-aware client to locate any domain controller in the AD domain by looking up an A record. A name in this form is returned to the LDAP client through an LDAP referral. A non-SRV-aware client looks up the name; an SRV-aware client looks up the appropriate SRV resource record.

gc._msdcs.DnsForestName.

Allows a non-SRV-aware client to locate any Global Catalog server in the AD forest by looking up an A record. A name in this form is returned to the LDAP client through an LDAP referral. A non-SRV-aware client looks up this name; an SRV-aware client looks up the appropriate SRV resource record.

NetLogon also registers a DNS CNAME (alias) record for use by Active Directory replication. The Locator does not use this record. The owner name of the CNAME record is:

DsaGuid._msdcs.DnsForestName.

Allows a client to locate any domain controller in the AD forest by looking up an A record. The only information that is known about the domain controller is the GUID (“objectGUID” attribute) of the directory system agent (also known as the "DSA") object (“NTDS Settings” object) for the domain controller and the name of the AD forest in which the domain controller is located. This record is used to facilitate renaming a domain controller.

Other SRV Record Content

The following information is also included in an SRV record:

  • Priority – The priority of the server. Clients attempt to contact the server with the lowest priority (a.k.a. lowest (cost)value).
  • Weight – A load-balancing mechanism that is used when selecting a target host from those that have the same priority. Clients randomly choose SRV records that specify target hosts to be contacted, with probability proportional to the weight
  • Port Number – The port where the server is listening for this service.
  • Target – The fully qualified domain name of the host computer.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

 

One Response to “(2011-09-11) Service (SRV) Locator Records Registered By Windows Domain Controllers”

  1. […] to register that mnemonic (the host record for the AD domain for non-SRV aware clients) (also see: (2011-09-11) Service (SRV) Locator Records Registered By Windows Domain Controllers). In general only central RWDCs should register that mnemonic (the host record for the AD domain […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: