Windows Domains and DNS

Last updated: January 30, 2023
Audience: IT Staff / Technical

Understanding the Windows Domain DNS reliance

Windows domains now require a fully qualified domain name (FQDN) to support LDAP, Kerberos, PKI certificates, and other new technologies which are now integrated with the operating system.

For this reason, Windows domain controllers must have a FQDN within the FQDN of the Windows domain. So if my Windows domain name is joe.washington.edu, then my domain controllers must have a FQDN of myDCname.joe.washington.edu. Only Windows domain controllers have this restriction; the Windows workstation with the DNS name of myWorkstation.microsoft.com can join the joe.washington.edu Windows domain.

Windows domain controllers hold authentication and directory services. Domain controllers must register roughly a dozen special DNS records called SRV records to provide name resolution for authentication and directory services. Without these records, logon and most domain services would break. These SRV records may be registered statically or via DDNS. SRV records are supported by DNS BIND 4.96 or higher, and DDNS is supported by DNS BIND 8.12 or higher. The campus DNS servers don’t currently support dynamic DNS, but this functionality is being investigated.

Because DDNS is not yet supported, you need to send DNS updates to the NOC when you first bring up a domain controller and every time its IP address changes. This is done simply by sending the netlogon.dns file, which is commonly located at %windir%\system32\config\netlogon.dns.

In addition to these SRV records, you must also have an A record for each domain controller. Microsoft also recommends that you have an A record for the Windows domain’s FQDN. This final A record provides the “glue” for non-Microsoft clients which won’t know how to find domain services otherwise.

If you are running a split-DNS in conjunction with a NAT, you need to make sure that these DNS records resolve correctly from both sides of the NAT.
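The following script is an added example, not part of this page or of Microsoft's tooling. It parses a netlogon.dns file of the kind described above, checks that the domain controller's name lies within the domain, that the locator SRV records point at it and that the domain FQDN has its A record, and then lists every name in the file that a given resolver cannot answer, so the same list can be run against a resolver on each side of a NAT to compare the split-DNS views. The file text, the host name mydc, the address 10.0.0.5 and the REQUIRED_SRV subset are constructed for the example; the domain name joe.washington.edu is the one used on this page.

```python
"""Check a domain controller's DNS records from its netlogon.dns file.

Added example, not from the original page. It assumes the line layout Netlogon
writes ("owner TTL IN TYPE rdata ..."); the host name mydc, the address and the
file text below are constructed sample data, and REQUIRED_SRV is a chosen subset
of the SRV names a DC registers.
"""
from dataclasses import dataclass

# Constructed sample of the lines a DC writes to netlogon.dns.
SAMPLE_NETLOGON_DNS = """\
joe.washington.edu. 600 IN A 10.0.0.5
_ldap._tcp.joe.washington.edu. 600 IN SRV 0 100 389 mydc.joe.washington.edu.
_ldap._tcp.dc._msdcs.joe.washington.edu. 600 IN SRV 0 100 389 mydc.joe.washington.edu.
_ldap._tcp.pdc._msdcs.joe.washington.edu. 600 IN SRV 0 100 389 mydc.joe.washington.edu.
_kerberos._tcp.joe.washington.edu. 600 IN SRV 0 100 88 mydc.joe.washington.edu.
_kerberos._tcp.dc._msdcs.joe.washington.edu. 600 IN SRV 0 100 88 mydc.joe.washington.edu.
_kpasswd._tcp.joe.washington.edu. 600 IN SRV 0 100 464 mydc.joe.washington.edu.
_gc._tcp.joe.washington.edu. 600 IN SRV 0 100 3268 mydc.joe.washington.edu.
"""

# SRV owners (relative to the domain) that clients use to locate a DC.
REQUIRED_SRV = ("_ldap._tcp", "_kerberos._tcp", "_kpasswd._tcp",
                "_ldap._tcp.dc._msdcs", "_kerberos._tcp.dc._msdcs")


@dataclass(frozen=True)
class DnsRecord:
    owner: str    # fully qualified, lower case, trailing dot
    ttl: int
    rtype: str    # "A", "SRV", "CNAME"
    rdata: tuple  # SRV: (priority, weight, port, target); else the raw fields


def _fqdn(name):
    """Normalise a name to lower case with one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def parse_netlogon_dns(text):
    """Parse netlogon.dns text into DnsRecord objects (blank and ';' lines skipped)."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            raise ValueError(f"unexpected netlogon.dns line: {line!r}")
        owner, ttl, _, rtype, *rdata = fields
        rtype = rtype.upper()
        if rtype == "SRV":
            if len(rdata) != 4:
                raise ValueError(f"malformed SRV record: {line!r}")
            prio, weight, port, target = rdata
            rdata = (int(prio), int(weight), int(port), _fqdn(target))
        elif rtype == "CNAME":
            rdata = (_fqdn(rdata[0]),)
        else:
            rdata = tuple(rdata)
        records.append(DnsRecord(_fqdn(owner), int(ttl), rtype, rdata))
    return records


def check_dc_records(records, domain, dc_host):
    """Return the problems found; [] means the file covers dc_host as the page requires."""
    domain, dc = _fqdn(domain), _fqdn(dc_host)
    problems = []
    # A domain controller's FQDN must lie within the domain's FQDN.
    if not dc.endswith("." + domain):
        problems.append(f"{dc} is not within the domain {domain}")
    srv_owners = {r.owner for r in records if r.rtype == "SRV" and r.rdata[3] == dc}
    for prefix in REQUIRED_SRV:
        owner = f"{prefix}.{domain}"
        if owner not in srv_owners:
            problems.append(f"missing SRV record {owner} -> {dc}")
    # The domain FQDN itself needs an A record: the "glue" for non-Microsoft clients.
    if not any(r.rtype == "A" and r.owner == domain for r in records):
        problems.append(f"missing A record for {domain}")
    return problems


def unresolved_names(records, resolve):
    """(name, type) pairs from the file that `resolve` cannot answer, in file order.

    `resolve(name, rtype)` returns the answers as a list ([] when absent). Run it
    once with a resolver on each side of a NAT to compare split-DNS views.
    """
    missing = []
    for r in records:
        if not resolve(r.owner, r.rtype):
            missing.append((r.owner, r.rtype))
        if r.rtype == "SRV" and not resolve(r.rdata[3], "A"):
            missing.append((r.rdata[3], "A"))
    return list(dict.fromkeys(missing))  # drop duplicates, keep order
```

The `resolve` callable is deliberately left to the caller: wrap whatever resolver you have (a `nslookup` or `dig` invocation, or a library such as dnspython) pointed at the inside and outside DNS servers, and any name that appears in one list but not the other is a record the NAT's split-DNS setup is not serving consistently. Note that the DC's own host A record is not in netlogon.dns, which is why `unresolved_names` also looks up each SRV target.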

If you are running a non-authoritative DNS server, you might want to think again. Microsoft doesn’t support this option.

See the following document for further reading:

Windows 2000 DNS White Paper