Active Directory and its Relationship with DNS - Part 2 - _msdcs and the part it plays
Part 2 - _msdcs and the part it plays
Flash back to AD: now that you know how DNS works on a basic level, it's time to learn about _msdcs zones. This is an authoritative DNS zone for the inner workings of your domain; it exists for the entirety of your forest, and the records in this zone serve all forest-level operations.
It's important to note where _msdcs lives. In newer domains it sits in the Forward Lookup Zones section of the DNS MMC tool as its own independent zone, whereas older domains placed it inside the forward lookup zone of your domain. Consider the separate zone best practice for newer domains, but don't feel the need to transition your older domains to this setup; they'll tick along just fine.
An _msdcs zone can consist of:
_ldap SRV records - These exist in each site and point to the DCs configured to serve LDAP authentication, commonly paired with _kerberos records.
_kerberos SRV records - These exist in each site and point to the DCs configured to serve Kerberos authentication, commonly paired with _ldap records.
NS records - Name Servers; these point to the authoritative zone servers for a domain.
CNAME records - Used to redirect queries to the right answer; in the _msdcs case they map domain controller GUIDs to the actual FQDN of each domain controller.
Sites and Services is where DNS becomes important to the performance of your domains. For example, when you first configure your domain it gives you a site called 'Default-First-Site-Name', and any server can request a DC from that site despite possibly being in a different geographic region. This is resolved by creating new sites based on location, with at least 1 DC in each site. Once the sites are built, you add the subnets each DC is responsible for; this way your servers and clients know that, because they are in a specific subnet, they are in the 'Berlin' site and should therefore query the 'closest' domain controllers according to DNS.
I've tried to capture how a client will talk to the DC on initial communication, in relation to DNS, with text messages; please don't judge. Also, don't forget that most SRV records and such will be stored in the _msdcs zone.
I'll also mention DC Locator. I won't talk much about it other than that it's a critical component for cutting down chatter across your network; it's a shotgun method clients in a domain use to locate their closest Domain Controller according to the Sites the subnet is attached to and availability.
We see above a simplification of how a computer initially interacts with AD on startup, but it's a more complicated relationship involving the NetLogon service on your client. The client uses unicast to resolve the SRV records it requested earlier and then tries to contact the hosts in the SRV records it got back, in the order of weight/priority specified in the authoritative zone.
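As an added illustration (my own example, not code from the original post), the script below builds the site-specific and forest-wide _ldap/_kerberos names a client asks for under _msdcs, and then orders a constructed SRV answer the way the client does: lowest priority first, weighted random draw within a priority, weight-0 targets last. The domain `corp.example`, the site `Berlin` and the DC names are made up for the example.

```python
import random
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

def locator_names(domain: str, site: Optional[str] = None) -> List[str]:
    """Names queried under _msdcs; site-specific ones first when the site is known."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
        names.append(f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")      # any DC in the domain
    names.append(f"_kerberos._tcp.dc._msdcs.{domain}")
    return names

def order_srv(records: List[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """Lowest priority first; within a priority a weighted draw, weight 0 tried last."""
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        zeros = [r for r in group if r.weight == 0]
        pool = [r for r in group if r.weight > 0]
        while pool:  # draw one target at a time, proportional to its weight
            pick = rng.randint(0, sum(r.weight for r in pool) - 1)
            running = 0
            for r in pool:
                running += r.weight
                if pick < running:
                    ordered.append(r)
                    pool.remove(r)
                    break
        ordered.extend(zeros)
    return ordered

# Constructed answer for _ldap._tcp.Berlin._sites.dc._msdcs.corp.example (not a real zone)
SAMPLE = [
    SrvRecord(0, 100, 389, "dc1.corp.example."),
    SrvRecord(0, 100, 389, "dc2.corp.example."),
    SrvRecord(0, 0, 389, "dc3-standby.corp.example."),   # weight 0: only if others fail
    SrvRecord(10, 100, 389, "dc-hq.corp.example."),      # higher priority value: fallback
]

def ordered_targets(seed: int = 7) -> List[str]:
    return [r.target for r in order_srv(SAMPLE, random.Random(seed))]

if __name__ == "__main__":
    print(locator_names("corp.example", "Berlin"))
    print(ordered_targets())
```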