Without the proper DNS records, a client cannot discover which domain controller (DC) to contact for authentication. Each DC registers and maintains its own AD DNS integration records, consisting of several A (Host), CNAME (Alias), and SRV (Service) records. These records are initially registered by the DC's Netlogon service, which also re-registers them periodically.
When you examine these resource records in the Microsoft DNS server, the way the data is structured may suggest that it resides in sub-zones of the parent domain. That isn't necessarily the case, because dynamic DNS (DDNS) updates cannot create zones. The records are simply added to the parent domain's zone as resource records whose owner names contain label separators ("."). Notice that some labels begin with an underscore ("_"). This follows the SRV record convention of RFC 2782: an underscore is not a valid hostname character, so a service label such as _ldap can never collide with a host that happens to be named ldap. The following table lists the labels used in the records:
DNS Label | Description |
---|---|
_ldap | LDAP service |
_tcp | Service uses TCP connections |
_udp | Service uses UDP connections |
_kerberos | Record contains information about a Kerberos Key Distribution Center (KDC) |
_msdcs | Microsoft-specific subdomain; records under it describe services running on Domain Controllers |
_kpasswd | Kerberos Password Change service |
_gc | Global Catalog service |
_sites | Record contains information about a specific site; the preceding label is the site name |
dc | Domain Controller (DC) |
gc | Global Catalog (GC) |
A registered DNS record can contain one or more of the above labels to describe a service that can be queried. For example, the following record locates an LDAP service on server1.bluecatnetworks.com in the bluecatnetworks.com domain (the SRV data fields are priority 0, weight 0, port 389, and the target host):
_ldap._tcp.bluecatnetworks.com SRV 0 0 389 server1.bluecatnetworks.com
The same service registered under the _msdcs subdomain additionally tells the client that the LDAP server is a DC, which is the form the domain controller locator queries:
_ldap._tcp.dc._msdcs.bluecatnetworks.com SRV 0 0 389 server1.bluecatnetworks.com
For a detailed list of these records, refer to Active Directory DNS records.
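The following is an added example, not code from the original page or from BlueCat Networks. It decomposes SRV owner names built from the labels in the table above (service, protocol, optional site, optional DC role, domain), builds the name a client would query, and applies a simplified site-aware DC lookup over a constructed zone snippet. The zone text, the Toronto site, and the server2 host are assumptions made for illustration; only the two server1 records come from the page.

```python
"""Decompose and resolve Active Directory SRV record names.

Added example, not code from the original page or from BlueCat Networks.
SAMPLE_ZONE is constructed: the site and server2 host are hypothetical.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SERVICE_LABELS = {"_ldap", "_kerberos", "_kpasswd", "_gc"}
PROTO_LABELS = {"_tcp", "_udp"}

# Constructed zone data in the "owner SRV priority weight port target" shape
# used on the page. Lines 1 and 3 are the page's own examples (weight 100 so
# that weight-based selection has something to compare); the rest are made up.
SAMPLE_ZONE = """
_ldap._tcp.bluecatnetworks.com SRV 0 100 389 server1.bluecatnetworks.com
_ldap._tcp.bluecatnetworks.com SRV 0 50 389 server2.bluecatnetworks.com
_ldap._tcp.dc._msdcs.bluecatnetworks.com SRV 0 100 389 server1.bluecatnetworks.com
_ldap._tcp.dc._msdcs.bluecatnetworks.com SRV 10 100 389 server2.bluecatnetworks.com
_kerberos._tcp.dc._msdcs.bluecatnetworks.com SRV 0 100 88 server1.bluecatnetworks.com
_kerberos._udp.bluecatnetworks.com SRV 0 100 88 server1.bluecatnetworks.com
_kpasswd._tcp.bluecatnetworks.com SRV 0 100 464 server1.bluecatnetworks.com
_gc._tcp.bluecatnetworks.com SRV 0 100 3268 server1.bluecatnetworks.com
_ldap._tcp.gc._msdcs.bluecatnetworks.com SRV 0 100 3268 server1.bluecatnetworks.com
_ldap._tcp.Toronto._sites.dc._msdcs.bluecatnetworks.com SRV 0 100 389 server2.bluecatnetworks.com
"""


@dataclass(frozen=True)
class SrvRecord:
    service: str          # _ldap, _kerberos, _kpasswd or _gc
    proto: str            # _tcp or _udp
    site: Optional[str]   # label in front of _sites, if present
    role: Optional[str]   # label in front of _msdcs (dc or gc), if present
    domain: str           # the AD domain the record belongs to
    priority: int
    weight: int
    port: int
    target: str


def parse_owner(owner: str) -> Tuple[str, str, Optional[str], Optional[str], str]:
    """Split an SRV owner name into (service, proto, site, role, domain)."""
    labels = owner.rstrip(".").split(".")
    if len(labels) < 3 or labels[0] not in SERVICE_LABELS or labels[1] not in PROTO_LABELS:
        raise ValueError(f"not an AD service locator name: {owner}")
    service, proto, rest = labels[0], labels[1], labels[2:]
    site = role = None
    if len(rest) >= 2 and rest[1] == "_sites":    # <site>._sites.<...>
        site, rest = rest[0], rest[2:]
    if len(rest) >= 2 and rest[1] == "_msdcs":    # <role>._msdcs.<domain>
        role, rest = rest[0], rest[2:]
    return service, proto, site, role, ".".join(rest)


def parse_zone(text: str) -> List[SrvRecord]:
    """Parse one SRV record per line; anything that is not SRV is rejected."""
    records = []
    for line in text.strip().splitlines():
        owner, rtype, prio, weight, port, target = line.split()
        if rtype != "SRV":
            raise ValueError(f"expected SRV, got {rtype}: {line}")
        service, proto, site, role, domain = parse_owner(owner)
        records.append(SrvRecord(service, proto, site, role, domain,
                                 int(prio), int(weight), int(port), target))
    return records


def locator_name(domain: str, service: str = "_ldap", proto: str = "_tcp",
                 site: Optional[str] = None, role: Optional[str] = "dc") -> str:
    """Build the owner name a client queries, e.g. _ldap._tcp.dc._msdcs.<domain>."""
    parts = [service, proto]
    if site:
        parts += [site, "_sites"]
    if role:
        parts += [role, "_msdcs"]
    return ".".join(parts + [domain])


def owner_of(r: SrvRecord) -> str:
    return locator_name(r.domain, r.service, r.proto, r.site, r.role)


def select_target(records: List[SrvRecord]) -> Optional[SrvRecord]:
    """Lowest priority wins, then highest weight. RFC 2782 picks randomly in
    proportion to weight within a priority; a fixed order keeps this deterministic."""
    if not records:
        return None
    return min(records, key=lambda r: (r.priority, -r.weight))


def find_dc(records: List[SrvRecord], domain: str, site: Optional[str] = None,
            service: str = "_ldap") -> Optional[Tuple[str, str, int]]:
    """Simplified DC locator: try the site-specific dc._msdcs name first, then
    the domain-wide one. Returns (queried name, target host, port) or None."""
    names = [locator_name(domain, service, site=site)] if site else []
    names.append(locator_name(domain, service))
    for name in names:
        chosen = select_target([r for r in records if owner_of(r) == name])
        if chosen:
            return name, chosen.target, chosen.port
    return None


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    for r in zone:
        print(f"{owner_of(r):58} site={r.site} role={r.role} -> {r.target}:{r.port}")
    print(find_dc(zone, "bluecatnetworks.com", site="Toronto"))
    print(find_dc(zone, "bluecatnetworks.com", site="Ottawa"))
```

Running the block lists every record with its decomposed site and role, then shows that a client in the Toronto site is steered to server2 while a client in a site with no record of its own (Ottawa) falls back to the domain-wide _ldap._tcp.dc._msdcs name and gets server1. When auditing a zone, feeding a dump of its SRV records through parse_zone is a quick way to spot a DC that has stopped registering (missing dc._msdcs entries) or an unexpected host that has registered itself under a site.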