This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

AD DNS

Active Directory DNS Requirements

Active Directory is tightly integrated with DNS: it relies on DNS for service location (finding domain controllers and the services they host) and for name resolution.

DNS Functions for Active Directory:

  • Service Location: Clients find domain controllers through DNS SRV records

  • Name Resolution: Convert computer names to IP addresses for communication

  • Site Awareness: Help clients locate services in their local site

  • Replication: Domain controllers use DNS to find replication partners

AD-Integrated DNS Zones:

  • Multi-Master Updates: Any domain controller can update DNS records

  • Secure Dynamic Updates: Only authenticated computers can register records

  • Active Directory Replication: DNS changes replicate with Active Directory data

  • Zone Storage: DNS zone data stored in Active Directory database

DNS Records for Active Directory

Service (SRV) Records:

  • _ldap._tcp.dc._msdcs.domain.com: Domain controller location

  • _kerberos._tcp.dc._msdcs.domain.com: Kerberos authentication services

  • _gc._tcp.domain.com: Global Catalog server location

  • _ldap._tcp.pdc._msdcs.domain.com: PDC Emulator location

Host (A) Records:

  • Domain controller IP addresses

  • Member server and workstation IP addresses

  • Service-specific host records
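
The following PowerShell is an added example (not part of this guide) that walks the SRV-to-A lookup chain a domain-joined client performs when it locates a domain controller: it queries the four SRV records listed above, orders the answers the way clients do (lowest Priority first, then higher Weight), and resolves each SRV target to its A record. The domain name corp.example.com is an assumed value; it runs on any Windows host with the DnsClient module (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the original guide): locate domain controllers the
# way a client does, by querying the SRV records above and resolving the
# targets they point to. 'corp.example.com' is an assumed domain name.
$Domain = 'corp.example.com'

$SrvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",      # any domain controller (LDAP)
    "_kerberos._tcp.dc._msdcs.$Domain",  # Kerberos KDC
    "_gc._tcp.$Domain",                  # Global Catalog server
    "_ldap._tcp.pdc._msdcs.$Domain"      # PDC Emulator (exactly one per domain)
)

foreach ($Name in $SrvNames) {
    # Resolve-DnsName -Type SRV also returns any glue A records from the
    # additional section, so keep only the SRV answers. Clients prefer the
    # lowest Priority and, among equal priorities, pick proportionally to Weight.
    $Records = Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true }

    if (-not $Records) {
        Write-Warning "No SRV record for $Name - clients cannot locate this service via DNS"
        continue
    }

    foreach ($Rec in $Records) {
        # Every SRV target needs a matching A record, or the lookup dead-ends here.
        $A = Resolve-DnsName -Name $Rec.NameTarget -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' }

        [PSCustomObject]@{
            Service  = $Name
            Target   = $Rec.NameTarget
            Port     = $Rec.Port
            Priority = $Rec.Priority
            Weight   = $Rec.Weight
            IPv4     = if ($A) { $A.IPAddress -join ', ' } else { '<no A record>' }
        }
    }
}
```

A missing SRV answer, or an SRV target with no A record, is exactly the condition that produces "domain controller could not be contacted" errors on clients, so this is a useful first check before looking at the domain controllers themselves.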

Alias (CNAME) Records:

  • Service aliases (mail.company.com → exchange.company.com)

  • Load balancing aliases

  • Application-specific aliases

DNS Security Considerations

Secure Dynamic Updates:

  • Only authenticated computers can register DNS records

  • Prevents unauthorized DNS record creation

  • Reduces DNS poisoning risks

DNS Scavenging:

  • Removes stale DNS records automatically

  • Prevents accumulation of obsolete entries

  • Maintains DNS database accuracy

Forwarders and Root Hints:

  • Configure DNS forwarders for external name resolution

  • Maintain root hints for Internet DNS resolution

  • Implement conditional forwarders for specific domains
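
The following PowerShell is an added example (not part of this guide) that audits the three settings discussed in this section, together with the AD-integrated zone properties described earlier, on a Windows DNS server: the dynamic update mode of each AD-integrated zone, the aging and scavenging state, and the forwarder, root hint and conditional forwarder configuration. It uses the DnsServer module (installed with the DNS Server role or the RSAT DNS tools) and must run as a DNS administrator on the server; the zone name corp.example.com, the partner domain partner.example and the address 10.20.0.53 are assumed values. The hardening commands are left commented so the script only reads state unless you deliberately enable them.

```powershell
# Added example (not from the original guide): audit AD-integrated DNS zone
# security settings. Run on the DNS server as a DNS admin.
Import-Module DnsServer

# 1. Secure dynamic updates. For AD-integrated forward zones the expected value
#    is 'Secure'; 'NonsecureAndSecure' lets any host on the network create or
#    overwrite records, which is the poisoning risk this setting exists to close.
Get-DnsServerZone |
    Where-Object { -not $_.IsReverseLookupZone -and $_.ZoneType -eq 'Primary' } |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate, ReplicationScope

$ZoneName = 'corp.example.com'   # assumed zone name
$Zone = Get-DnsServerZone -Name $ZoneName
if ($Zone.IsDsIntegrated -and $Zone.DynamicUpdate -ne 'Secure') {
    # Only AD-integrated zones can require authenticated (Kerberos) updates.
    Write-Warning "$ZoneName allows $($Zone.DynamicUpdate) updates"
    # Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure
}

# 2. Scavenging. Aging is a per-zone setting and scavenging is a per-server
#    setting; stale records are only removed when BOTH are enabled.
Get-DnsServerZoneAging -Name $ZoneName |
    Select-Object ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval, ScavengeServers
Get-DnsServerScavenging |
    Select-Object ScavengingState, ScavengingInterval, LastScavengeTime

# A record becomes eligible for removal only after the no-refresh interval and
# the refresh interval have both passed without the owner refreshing it.
# Set-DnsServerZoneAging -Name $ZoneName -Aging $true -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00
# Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00

# 3. Forwarders, root hints and conditional forwarders.
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout
# Zero root hints means no fallback to the Internet root servers if every
# forwarder is unreachable.
"Root hints: $((Get-DnsServerRootHint).Count)"
# Conditional forwarders show up as zones of type 'Forwarder'.
Get-DnsServerZone | Where-Object ZoneType -eq 'Forwarder' |
    Select-Object ZoneName, MasterServers

# Send queries for a partner domain to that domain's own DNS servers
# (assumed name and address), replicated to every DNS server in the forest.
# Add-DnsServerConditionalForwarderZone -Name 'partner.example' -MasterServers 10.20.0.53 -ReplicationScope Forest
```

Running the read-only part on each DNS server in the forest and comparing the output is a quick way to spot a zone that was created with non-secure updates or a server where scavenging was never switched on.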
