Windows Domains and DNS
Understanding the Windows Domain DNS reliance
Windows domains now require a fully qualified domain
name (FQDN) to support LDAP, Kerberos, PKI certificates,
and the other technologies that are now integrated with
the operating system.
For this reason, a Windows domain controller must have
a FQDN that lies within the FQDN of its Windows domain.
So if my Windows domain name is joe.washington.edu, then
my domain controllers must have FQDNs of the form
myDCname.joe.washington.edu. Only Windows domain
controllers have this restriction: a Windows workstation
with the DNS name myWorkstation.microsoft.com can still
join the joe.washington.edu Windows domain.
Windows domain controllers hold the authentication and
directory services. Each domain controller must register
a set of special DNS records called SRV records (roughly
a dozen, more if it is also a global catalog) that tell
clients which hosts and ports provide the LDAP and
Kerberos services. Without these records, logon and most
domain services would break. These SRV records may be
registered statically or via dynamic DNS (DDNS). SRV
records are supported by BIND 4.9.6 or higher, and DDNS
is supported by BIND 8.1.2 or higher. The campus DNS
servers don't currently support dynamic DNS, but this
functionality is being investigated.
Because of the existing lack of DDNS support, you need
to send DNS updates to the NOC when you first bring up a
domain controller and every time its IP address changes.
The simplest way is to send the NOC the domain
controller's netlogon.dns file, which contains every
record the Netlogon service would have registered
dynamically. The netlogon.dns file is commonly located
at %windir%\system32\config\netlogon.dns.
In addition to these SRV records, you must also have
an A record for each domain controller; the domain
controller's own host A record is not in netlogon.dns,
so state it explicitly in your request. Microsoft also
recommends an A record for the Windows domain's FQDN
itself, pointing at a domain controller. This final A
record is the fallback for non-Microsoft clients that
don't perform SRV lookups: they resolve the domain name
and expect a domain controller to answer at that address.
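As an added example (not from the original page and not Microsoft's own tooling), the following Python script parses a netlogon.dns file and checks the rules described above before the file goes to the NOC: every domain controller named as an SRV target must have a name within the domain's FQDN, the core SRV records must be present, there must be an A record for the domain name itself, and it reports which DC host names still need A records that netlogon.dns does not contain. The domain joe.washington.edu, the host mydc.joe.washington.edu, the address 10.1.2.3 and the embedded sample file contents are constructed for the example, and REQUIRED_SRV is a subset of what a domain controller registers, not the full list.

```python
"""Sanity-check a Windows 2000 netlogon.dns file before sending it to the NOC."""
import sys
from collections import namedtuple

# Constructed sample (not a real capture) of what netlogon.dns looks like for
# the hypothetical domain joe.washington.edu with a single DC at 10.1.2.3.
SAMPLE_NETLOGON_DNS = """\
joe.washington.edu. 600 IN A 10.1.2.3
_ldap._tcp.joe.washington.edu. 600 IN SRV 0 100 389 mydc.joe.washington.edu.
_ldap._tcp.Default-First-Site-Name._sites.joe.washington.edu. 600 IN SRV 0 100 389 mydc.joe.washington.edu.
_ldap._tcp.pdc._msdcs.joe.washington.edu. 600 IN SRV 0 100 389 mydc.joe.washington.edu.
_ldap._tcp.gc._msdcs.joe.washington.edu. 600 IN SRV 0 100 3268 mydc.joe.washington.edu.
_ldap._tcp.dc._msdcs.joe.washington.edu. 600 IN SRV 0 100 389 mydc.joe.washington.edu.
_kerberos._tcp.joe.washington.edu. 600 IN SRV 0 100 88 mydc.joe.washington.edu.
_kerberos._udp.joe.washington.edu. 600 IN SRV 0 100 88 mydc.joe.washington.edu.
_kerberos._tcp.dc._msdcs.joe.washington.edu. 600 IN SRV 0 100 88 mydc.joe.washington.edu.
_kpasswd._tcp.joe.washington.edu. 600 IN SRV 0 100 464 mydc.joe.washington.edu.
_kpasswd._udp.joe.washington.edu. 600 IN SRV 0 100 464 mydc.joe.washington.edu.
gc._msdcs.joe.washington.edu. 600 IN A 10.1.2.3
"""

# Subset of the SRV names a DC registers; {d} is the domain FQDN.
REQUIRED_SRV = (
    "_ldap._tcp.{d}",
    "_kerberos._tcp.{d}",
    "_kpasswd._tcp.{d}",
    "_ldap._tcp.dc._msdcs.{d}",
    "_kerberos._tcp.dc._msdcs.{d}",
    "_ldap._tcp.pdc._msdcs.{d}",
)

Record = namedtuple("Record", "owner ttl rtype rdata")


def _norm(name):
    """Lower-case a DNS name and drop the trailing dot so comparisons are simple."""
    return name.rstrip(".").lower()


def parse_netlogon_dns(text):
    """Parse the zone-file style lines Netlogon writes into Record tuples."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ignore comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            raise ValueError("unexpected line in netlogon.dns: %r" % raw)
        owner, ttl, rtype, rdata = fields[0], int(fields[1]), fields[3].upper(), fields[4:]
        if rtype == "SRV":      # priority weight port target
            rdata = (int(rdata[0]), int(rdata[1]), int(rdata[2]), _norm(rdata[3]))
        elif rtype == "CNAME":
            rdata = (_norm(rdata[0]),)
        else:                   # A and anything else: keep the raw rdata
            rdata = tuple(rdata)
        records.append(Record(_norm(owner), ttl, rtype, rdata))
    return records


def check_netlogon_dns(records, domain):
    """Apply the DC naming and record-presence rules; return problems and to-dos."""
    domain = _norm(domain)
    problems = []
    srv_names = {r.owner for r in records if r.rtype == "SRV"}
    a_names = {r.owner for r in records if r.rtype == "A"}
    dc_hosts = {r.rdata[3] for r in records if r.rtype == "SRV"}
    # Rule 1: a DC's FQDN must lie within the domain's FQDN.
    for host in sorted(dc_hosts):
        if not host.endswith("." + domain):
            problems.append("DC %s is not within %s" % (host, domain))
    # Rule 2: the core SRV records that logon depends on must be present.
    for tmpl in REQUIRED_SRV:
        name = tmpl.format(d=domain)
        if name not in srv_names:
            problems.append("missing SRV record %s" % name)
    # Rule 3: the A record for the domain name itself (the non-SRV fallback).
    if domain not in a_names:
        problems.append("missing A record for %s" % domain)
    # The DC host A records are registered separately, so list them for the NOC.
    need_a = sorted(h for h in dc_hosts if h not in a_names)
    return {"problems": problems, "dc_hosts_needing_a_records": need_a}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETLOGON_DNS
    result = check_netlogon_dns(parse_netlogon_dns(text), sys.argv[2] if len(sys.argv) > 2 else "joe.washington.edu")
    for p in result["problems"]:
        print("PROBLEM:", p)
    for h in result["dc_hosts_needing_a_records"]:
        print("ask the NOC for an A record for", h)
```

Run it against the real file with the domain name as the second argument (for example `python check_netlogon.py %windir%\system32\config\netlogon.dns joe.washington.edu`). Once the NOC has added the records, confirm from any client with `nslookup -type=SRV _ldap._tcp.dc._msdcs.joe.washington.edu`, which should return the domain controller's FQDN and port 389.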
If you are running split DNS in conjunction with NAT,
make sure that these DNS records resolve correctly from
both sides of the NAT: the SRV records and the A records
they point to must return an address that is reachable
from whichever side the client sits on, otherwise clients
on one side will find the domain controller's name but
never reach it.
If you plan to point your domain controllers at a DNS
server that is not authoritative for the Windows domain's
zone, you might want to think again. Microsoft doesn't
support this option.
See the following document for further reading:
Windows 2000 DNS White Paper