100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Windows

Integrating DNS with Active Directory

Understand how Active Directory depends on DNS for service discovery, dynamic updates, and site-aware logon, and how to configure that integration correctly.

DNS & DHCPIntermediate11 min readJul 10, 2026
Analogies

Why AD Cannot Function Without DNS

Active Directory is fundamentally a DNS-dependent technology: domain controllers register SRV records advertising the services they provide, such as LDAP, Kerberos, and the Global Catalog, under well-known names like _ldap._tcp.dc._msdcs.corp.contoso.com. When a client logs on, joins the domain, or needs to locate a domain controller in its own AD site for efficient, low-latency authentication, it queries DNS for these SRV records rather than using a hardcoded list of domain controllers. This is why Microsoft's official guidance has always been that AD's DNS namespace should either be hosted on AD-integrated zones or on DNS infrastructure fully under the administrator's control, since any DNS outage or misconfiguration cascades directly into authentication and Group Policy failures across the environment.

🏏

Cricket analogy: AD's dependency on DNS is like a bowling attack that depends entirely on the umpire's signal to know which end to bowl from; without that signal, even a well-drilled team cannot function correctly.

Dynamic Updates and Secure Dynamic Updates

Domain-joined computers automatically register and refresh their own A, AAAA, and PTR records in DNS through a process called dynamic update, defined in RFC 2136, so administrators rarely need to create client host records by hand. On an AD-integrated zone, administrators should configure Secure Only dynamic updates rather than plain Nonsecure updates, which requires the registering computer to authenticate via Kerberos before the DNS server accepts the change; this prevents any arbitrary machine on the network from overwriting another computer's DNS record. Domain controllers additionally register their SRV records via the Netlogon service, which reads a generated file called netlogon.dns and re-registers those records on every restart of the Netlogon service, useful for repairing a domain controller's DNS registrations after a manual cleanup.

🏏

Cricket analogy: Dynamic update is like each player updating their own listed position on the electronic scoreboard as they move, while secure dynamic update is that same system requiring an accreditation badge scan before any update is accepted.

AD Sites, SRV Records, and Locator Efficiency

Active Directory Sites and Services associates IP subnets with logical sites so that when a client queries for a domain controller, DNS can return SRV records prioritized for domain controllers in the client's own site first, minimizing authentication traffic across slow WAN links. This site-awareness relies on Netlogon generating per-site SRV records, such as _ldap._tcp.hq-site._sites.dc._msdcs.corp.contoso.com, in addition to the generic forest-wide records. If a client's subnet is not mapped to any AD site, or is mapped incorrectly, the domain controller locator process (implemented by the Netlogon service and DsGetDcName) falls back to selecting any available domain controller essentially at random, which in a multi-site environment can mean a branch office client unnecessarily authenticates against a domain controller across a slow WAN link, dramatically slowing logons.

🏏

Cricket analogy: AD site-awareness is like a franchise system assigning players to their home ground first for a match, rather than flying a player across the country to play at a distant, unfamiliar venue.

powershell
# Verify a domain controller's SRV records are registered correctly
nltest /dsgetdc:corp.contoso.com /site:HQ-Site

# Force Netlogon to re-register all DC locator DNS records
Restart-Service Netlogon

# Inspect the generated file listing all DC-related DNS records
Get-Content "C:\Windows\System32\config\netlogon.dns"

# Confirm dynamic update setting on the AD-integrated zone is Secure Only
Get-DnsServerZone -Name "corp.contoso.com" | Select-Object ZoneName, DynamicUpdate

Never set an AD-integrated zone's dynamic update setting to Nonsecure and Secure or fully open, as this allows any unauthenticated machine on the network to create or overwrite DNS records, including potentially spoofing an existing server's A record. Always use Secure Only on zones tied to Active Directory.

  • Domain controllers register SRV records for LDAP, Kerberos, and Global Catalog under _msdcs subdomains that clients query to locate them.
  • Client logon, domain join, and Group Policy processing all depend on successful SRV record lookups.
  • Dynamic update (RFC 2136) lets domain-joined computers self-register their A/AAAA/PTR records automatically.
  • Secure Only dynamic updates require Kerberos authentication before a record can be created or changed, preventing spoofing.
  • Netlogon generates netlogon.dns and re-registers DC records on service restart, useful for repairing DNS after cleanup.
  • AD Sites and Services subnet-to-site mapping enables site-specific SRV records so clients prefer a local domain controller.
  • Misconfigured or missing subnet-to-site mappings can cause clients to authenticate across slow WAN links, degrading logon performance.

Practice what you learned

Was this page helpful?

Topics covered

#Windows#WindowsServerActiveDirectoryStudyNotes#MicrosoftTechnologies#IntegratingDNSWithActiveDirectory#Integrating#DNS#Active#Directory#Networking#StudyNotes#SkillVeris