Importance of Service Records (SRV) in an Active Directory Environment

SRV-aware applications and clients use SRV records registered in the DNS server to find each other. For example, a domain-joined client always sends a DNS SRV query to locate a domain controller, and a KMS client always locates a KMS server by sending a DNS SRV query for the _VLMCS SRV record. When you promote a server to an Active Directory domain controller, the promotion process registers the required SRV records in the DNS server. The types of SRV records it registers are listed below:

• SRV record for LDAP Service. Since a domain controller provides LDAP service, it has to register its LDAP SRV record in the DNS Server.

• SRV record for Global Catalog Service. If a domain controller has been configured as a Global Catalog Server, it must register its Global Catalog SRV records so clients requesting global catalog services can find a domain controller.

• Site-specific SRV records for LDAP, KDC and Global Catalog services. Site-specific SRV records are registered so that Active Directory clients can find domain controllers in their own site.

• KDC SRV Records. KDC SRV Records allow Active Directory clients to locate a domain controller for authentication purposes.
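The record types listed above can be checked from the client side with the DnsClient module. The following function is an added example, not code from the article or from AD Health Profiler: it resolves the LDAP, KDC and Global Catalog locator records, their site-specific variants, and the _VLMCS record a KMS client queries, and reports any query that returns no SRV record. It assumes a domain-joined Windows host (Windows 8 / Server 2012 or later, where Resolve-DnsName exists); the parameter names, the function name and the use of nltest to find the site are my own choices.

```powershell
# Added example (not from the article): client-side view of the DC locator SRV records.
# Assumes a domain-joined Windows host with the DnsClient module (Resolve-DnsName).
function Get-DcLocatorSrvRecords {
    param(
        [string]$DomainName = $env:USERDNSDOMAIN,
        [string]$ForestRoot = $DomainName,   # Global Catalog records live under the forest root zone
        [string]$SiteName                    # optional; enables the site-specific queries
    )

    # The record names a client asks for, keyed by what each one is used for
    $queries = [ordered]@{
        'LDAP (any DC)'     = "_ldap._tcp.dc._msdcs.$DomainName"
        'KDC (any DC)'      = "_kerberos._tcp.dc._msdcs.$DomainName"
        'Global Catalog'    = "_gc._tcp.$ForestRoot"
        'KMS host (_VLMCS)' = "_vlmcs._tcp.$DomainName"
    }
    if ($SiteName) {
        $queries['LDAP (this site)'] = "_ldap._tcp.$SiteName._sites.dc._msdcs.$DomainName"
        $queries['KDC (this site)']  = "_kerberos._tcp.$SiteName._sites.dc._msdcs.$DomainName"
        $queries['GC (this site)']   = "_gc._tcp.$SiteName._sites.$ForestRoot"
    }

    foreach ($entry in $queries.GetEnumerator()) {
        # -DnsOnly skips LLMNR/NetBIOS so the answer reflects only what DNS holds;
        # the A records returned in the additional section are filtered out.
        $answers = Resolve-DnsName -Name $entry.Value -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
                   Where-Object Type -eq 'SRV'
        if (-not $answers) {
            [pscustomobject]@{ Purpose = $entry.Key; Query = $entry.Value; Target = '<no SRV record>'
                               Port = $null; Priority = $null; Weight = $null }
            continue
        }
        foreach ($a in $answers) {
            [pscustomobject]@{ Purpose = $entry.Key; Query = $entry.Value; Target = $a.NameTarget
                               Port = $a.Port; Priority = $a.Priority; Weight = $a.Weight }
        }
    }
}

# Usage: the first output line of "nltest /dsgetsite" is the site this computer belongs to
$site = (nltest /dsgetsite)[0].Trim()
Get-DcLocatorSrvRecords -SiteName $site | Format-Table -AutoSize
```

A row whose Target reads "<no SRV record>" means the client cannot locate that service through DNS at all, which is exactly the situation the next section describes; a site-specific row that is missing while the "any DC" row is present means clients will fall back to domain controllers in other sites.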

You might want to read the article below, written by a Microsoft employee, to understand why it is important to have proper SRV records in place for Active Directory domain controllers.

Impact if SRV Records are not present

It is worth describing the impact you will see in an Active Directory environment if the SRV records for domain controllers are not registered properly. Based on what I know and the issues I have seen when working with customers, below is the list of problems that appear when SRV records are missing for domain controllers:

• Domain controllers will fail to replicate Active Directory changes. A domain controller locates its replication partners by sending a DNS query for LDAP SRV records to its local DNS server. If the LDAP SRV records are missing, the domain controller cannot reach its partners, and any changes you expect to replicate across Active Directory will fail to do so.

• Domain controllers are not the only consumers of SRV records; applications use them too. Applications that rely on SRV records to find a domain controller will stop working. For example, an in-house application that locates an LDAP server by querying DNS SRV records will fail.

• KMS clients will fail to activate if the _VLMCS SRV record is missing for the KMS Server. Note that a KMS client sends a DNS query to find a local KMS Server.

• New Group Policy Settings that you expect to be applied to domain clients will fail.

• Active Directory clients will take a long time to log on to domain-joined computers.

• The KCC, which runs every 15 minutes, will fail to re-evaluate the replication topology, resulting in errors and warning messages in the event logs of the domain controllers.

• Finally, no other computer, user or application will be able to locate a domain controller.

Are all SRV Records registered?

Recently, I have seen Active Directory admins looking for a way to report all SRV records registered in the DNS server for all Active Directory domain controllers. We have designed a PowerShell script that collects the SRV records registered for all domain controllers and reports the missing ones in a CSV file. All you need to do is run the PowerShell script, explained in this article, from a computer that has the DNS Server cmdlets installed. The script is part of the Active Directory Dynamic Packs for use with Active Directory Health Profiler. AD Health Profiler ships with 97 Active Directory Dynamic Packs, which can be used to perform a complete health check of an Active Directory forest and generate a report with issue severity.

Requirements

Before you run the script, make sure the following requirements are met:

• You must run this script from a computer running Windows Server 2012 or a later operating system.

• The operating system must have the DNS Server PowerShell module installed.

• The PDC Emulator of each domain must be reachable in order to gather the list of SRV records.

Tip: The script uses the Get-DNSServerZoneResourceRecord PowerShell cmdlet to gather SRV records from each domain zone.

What does the script do?

The script performs the following functions:

• Gets all domains from the current Active Directory forest.

• Gets domain controllers for each domain.

• Connects to the PDC Emulator of each domain.

• Executes the Get-DNSServerZoneResourceRecord PowerShell cmdlet to collect the SRV records registered in the DNS domain zone.

• Checks the SRV records for each domain controller of the domain and then creates a CSV file.
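The five steps above can be carried out with the RSAT ActiveDirectory and DnsServer modules. The script below is an added example written for this page; it is not the Dynamic Pack script the article describes and is not code from AD Health Profiler. It reads every SRV record in each domain zone (and in a separate _msdcs zone where one exists, which is the usual layout for the forest root) from that domain's PDC Emulator, then checks, for every domain controller, the record names the first section of this article lists and writes a Present/MISSING row per record to a CSV. The cmdlet it uses for the zone read is Get-DnsServerResourceRecord from the DnsServer module; the output path and the column names are my own choices.

```powershell
# Added example (not the article's Dynamic Pack script): per-DC SRV record inventory to CSV.
# Assumes RSAT ActiveDirectory + DnsServer modules (Windows Server 2012 or later) and read
# access to the DNS zones on each domain's PDC Emulator. Output path is arbitrary.
Import-Module ActiveDirectory
Import-Module DnsServer

$forest = Get-ADForest
$root   = $forest.RootDomain

# Pass 1: read every SRV record from each domain's PDC Emulator and index it as "owner|target",
# with owner = full record name (zone-relative HostName + zone) and target = the DC it points to.
$index = New-Object 'System.Collections.Generic.HashSet[string]'
foreach ($domainName in $forest.Domains) {
    $pdc   = (Get-ADDomain -Identity $domainName).PDCEmulator
    $zones = @($domainName)
    # The forest root normally keeps its _msdcs records in a separate, delegated zone;
    # child domains keep them as a subtree of the domain zone, so this lookup simply fails there.
    $msdcs = Get-DnsServerZone -ComputerName $pdc -Name "_msdcs.$domainName" -ErrorAction SilentlyContinue
    if ($msdcs) { $zones += $msdcs.ZoneName }

    foreach ($zone in $zones) {
        Get-DnsServerResourceRecord -ComputerName $pdc -ZoneName $zone -RRType Srv -ErrorAction Stop |
            ForEach-Object {
                $owner  = "$($_.HostName).$zone".ToLower()
                $target = $_.RecordData.DomainName.TrimEnd('.').ToLower()
                [void]$index.Add("$owner|$target")
            }
    }
}

# Pass 2: for each DC, build the list of records it must own and look each one up in the index.
$report = foreach ($domainName in $forest.Domains) {
    $pdc = (Get-ADDomain -Identity $domainName).PDCEmulator
    foreach ($dc in Get-ADDomainController -Filter * -Server $pdc) {
        $site   = $dc.Site
        $dcFqdn = $dc.HostName.ToLower()
        $expected = @(
            "_ldap._tcp.$domainName"                              # LDAP
            "_kerberos._tcp.$domainName"                          # KDC
            "_ldap._tcp.dc._msdcs.$domainName"                    # LDAP (DC locator)
            "_kerberos._tcp.dc._msdcs.$domainName"                # KDC (DC locator)
            "_ldap._tcp.$site._sites.$domainName"                 # site-specific LDAP
            "_kerberos._tcp.$site._sites.$domainName"             # site-specific KDC
            "_ldap._tcp.$site._sites.dc._msdcs.$domainName"       # site-specific LDAP locator
            "_kerberos._tcp.$site._sites.dc._msdcs.$domainName"   # site-specific KDC locator
        )
        if ($dc.IsGlobalCatalog) {
            # Global Catalog records are registered under the forest root zone, not the DC's own domain
            $expected += "_gc._tcp.$root"
            $expected += "_gc._tcp.$site._sites.$root"
            $expected += "_ldap._tcp.gc._msdcs.$root"
        }
        foreach ($name in $expected) {
            $present = $index.Contains("$($name.ToLower())|$dcFqdn")
            [pscustomobject]@{
                Domain           = $domainName
                DomainController = $dc.HostName
                Site             = $site
                SrvRecord        = $name
                Status           = $(if ($present) { 'Present' } else { 'MISSING' })
            }
        }
    }
}

$report | Export-Csv -Path .\SrvRecordReport.csv -NoTypeInformation
$report | Where-Object Status -eq 'MISSING' | Format-Table -AutoSize
```

The two-pass design matters for multi-domain forests: a Global Catalog in a child domain registers its _gc records in the forest root zone, so all zones must be read before any DC is checked. When a row comes back MISSING for a running DC, running "nltest /dsregdns" on that DC (or restarting its Netlogon service) asks it to re-register its records, after which the report can be re-run to confirm.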

Source: techgenix.com
