Importance of Service Records (SRV) in an Active Directory Environment

SRV-aware applications and clients use SRV records registered in the DNS Server to communicate with each other. For example, a domain-joined client always sends a DNS SRV query to locate a domain controller. Similarly, a KMS client always locates a KMS Server by sending a DNS SRV query for the _VLMCS SRV record. When you deploy an Active Directory domain controller, the promotion process registers the required SRV records in the DNS Server. The domain controller promotion process registers the following types of SRV records in the DNS Server:

• SRV record for LDAP Service. Since a domain controller provides LDAP service, it has to register its LDAP SRV record in the DNS Server.

• SRV record for Global Catalog Service. If a domain controller has been configured as a Global Catalog Server, it must register its Global Catalog SRV records so clients requesting global catalog services can find a domain controller.

• Site specific SRV records for LDAP, KDC and Global Catalog Services. Site Specific SRV records are registered to ensure Active Directory clients can find domain controllers in their own site.

• KDC SRV Records. KDC SRV Records allow Active Directory clients to locate a domain controller for authentication purposes.
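To see what a client actually receives for these names, the following added example (not part of the original article) queries each record type the way a DC locator, Kerberos or KMS client would, using the built-in Resolve-DnsName cmdlet. The domain, site and DNS server values are placeholders you replace with your own; the function is ours and is not a cmdlet from the DnsClient module.

```powershell
# Added example: client-side view of the SRV records a domain-joined machine depends on.
# $Domain, $Site and $DnsServer are placeholders; replace them with real values.
function Test-DcLocatorSrvRecords {
    param(
        [Parameter(Mandatory)] [string] $Domain,      # e.g. corp.example.com (placeholder)
        [string] $Site = 'Default-First-Site-Name',   # assumed site name
        [string] $DnsServer                            # optional: ask a specific DNS server
    )

    # The exact names a DC locator / KDC / global catalog / KMS client asks for.
    $names = [ordered]@{
        'LDAP (any DC)'         = "_ldap._tcp.dc._msdcs.$Domain"
        'Kerberos KDC (any DC)' = "_kerberos._tcp.dc._msdcs.$Domain"
        'LDAP (site)'           = "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
        'Kerberos KDC (site)'   = "_kerberos._tcp.$Site._sites.dc._msdcs.$Domain"
        'Global Catalog'        = "_ldap._tcp.gc._msdcs.$Domain"
        'Global Catalog (site)' = "_ldap._tcp.$Site._sites.gc._msdcs.$Domain"
        'KMS host (_VLMCS)'     = "_vlmcs._tcp.$Domain"
    }

    foreach ($entry in $names.GetEnumerator()) {
        $params = @{ Name = $entry.Value; Type = 'SRV'; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $params['Server'] = $DnsServer }

        # Resolve-DnsName also returns the A records of the targets (additional section);
        # keep only the SRV answers themselves.
        $srv = Resolve-DnsName @params | Where-Object { $_.Type -eq 'SRV' }

        if (-not $srv) {
            # No answer means every client relying on this name fails the same way.
            [pscustomobject]@{ Role = $entry.Key; Query = $entry.Value; Status = 'MISSING'; Target = $null; Port = $null }
            continue
        }
        foreach ($r in $srv) {
            [pscustomobject]@{ Role = $entry.Key; Query = $entry.Value; Status = 'OK'; Target = $r.NameTarget; Port = $r.Port }
        }
    }
}

# Usage (placeholder values):
# Test-DcLocatorSrvRecords -Domain 'corp.example.com' -Site 'HQ' | Format-Table -AutoSize
```

A row with Status MISSING for the LDAP or Kerberos names is the client-side symptom of the failures described in the next section; the Global Catalog rows are only expected to resolve if at least one DC in the domain is a global catalog, and the _VLMCS row only if a KMS host exists.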

You might want to read the article below, written by a Microsoft employee, to understand why it is important to have proper SRV records in place for Active Directory domain controllers:

https://blogs.msdn.microsoft.com/servergeeks/2014/07/12/dns-records-that-are-required-for-proper-functionality-of-active-directory/

 

Impact if SRV Records are not present

It is worth mentioning the impact you will see in an Active Directory environment if the SRV records are not registered properly for domain controllers. Based on what I know and the issues I have seen when working with customers, below is the list of issues you will see if SRV records are missing for domain controllers:

• Domain Controllers will fail to replicate Active Directory changes. It is important to note that a domain controller communicates with replication partners to replicate the changes by sending a DNS query to the local DNS Server for LDAP SRV records. If LDAP SRV records are missing, the domain controller will fail to communicate. As a result, any changes that you expect to be replicated across Active Directory will fail.

• Domain controllers are not the only consumers of SRV records; applications use them too. Applications that use SRV records to find a domain controller will not work. For example, an in-house application that locates an LDAP Server by querying DNS SRV records will fail.

• KMS clients will fail to activate if the _VLMCS SRV record is missing for the KMS Server. Note that a KMS client sends a DNS query to find a local KMS Server.

• New Group Policy settings that you expect to be applied to domain clients will not be applied.

• Active Directory clients will take a long time to log on to domain-joined computers.

• KCC, which runs every 15 minutes, will fail to re-evaluate the replication topology, resulting in errors and warning messages in the event logs of the domain controllers.

• Finally, no other computers, users or applications will be able to locate a domain controller.

Are all SRV Records registered?

Recently, I have seen Active Directory admins looking for a way to report all SRV records registered in the DNS Server for all Active Directory domain controllers. We have designed a PowerShell script that collects the SRV records registered for all domain controllers and reports the missing ones in a CSV file. All you need to do is run the PowerShell script, explained in this article, from a computer that has the DNS Server cmdlets installed. The script is part of the Active Directory Dynamic Packs for use with Active Directory Health Profiler. AD Health Profiler ships with 97 Active Directory Dynamic Packs. Active Directory Dynamic Packs can be used to perform a complete health check of an Active Directory forest and help you generate a report with issue severity.

Requirements

Before you run the script, please make sure the following requirements are met:

• You must run this script from a computer running Windows Server 2012 or later Operating Systems.

• The operating system must have the DNS Server PowerShell module (DnsServer, installed with the DNS Server Tools) and the Active Directory PowerShell module installed; the script uses Get-ADForest, Get-ADDomain and Get-ADDomainController as well as the DNS cmdlets.

• PDC Emulator for each domain must be available in order to gather the list of SRV records.

Tip: The script uses the Get-DnsServerResourceRecord PowerShell cmdlet to gather SRV records from the _msdcs zone of each domain.

What does the script do?

The script performs the following functions:

• Gets all domains from the current Active Directory forest.

• Gets domain controllers for each domain.

• Connects to PDC emulator of each domain.

• Executes the Get-DnsServerResourceRecord PowerShell cmdlet to collect the SRV records registered in the DNS domain zone.

• Checks the SRV records for each domain controller of the domain and then creates a CSV file.

Script Contents

### Start Script ###

# Report file. C:\Temp must exist, so it is created if missing.
$TestCSVFile = "C:\Temp\SRVRecordsStatus.CSV"
New-Item -ItemType Directory -Path "C:\Temp" -Force | Out-Null
Remove-Item $TestCSVFile -ErrorAction SilentlyContinue
$ThisString = "Domain Name,Domain Controller,DC Site,DC LDAP SRV,DC Kerberos SRV,DC Site-LDAP SRV,DC Site-Kerberos SRV,DC GC SRV,DC GC Site SRV,Final Status"
Add-Content "$TestCSVFile" $ThisString

# All domains in the current forest, one per line in a temporary list.
$GDomList = "C:\Temp\DomList.TXT"
Remove-Item $GDomList -ErrorAction SilentlyContinue
$RInstNow = Get-ADForest
$allDomains = $RInstNow.Domains
foreach ($AllItems in $allDomains)
{
    Add-Content $GDomList $AllItems
}

# Test metadata. $ADTestName and $TestStartTime are normally supplied by the
# AD Health Profiler framework; they are set here so the script also runs stand-alone.
$ADTestName = "Domain Controller Individual SRV Records Test"
$TestStartTime = Get-Date
$TestStatus = "Passed"
$TestText = ""
$SumVal = 0
$ErrorOrNot = "No"
$AnyGap = "No"
$TotNo = 0
$AnyOneOk = "No"

foreach ($ThisDomain in Get-Content "$GDomList")
{
    # Temporary export of every SRV record in this domain's _msdcs zone.
    $SRVFile = "C:\Temp\SRVTemp.DPC"
    Remove-Item $SRVFile -ErrorAction SilentlyContinue

    $RDC = Get-ADDomain -Identity $ThisDomain
    $PDCDomain = $RDC.PDCEmulator
    $ThisZoneNow = "_msdcs." + $ThisDomain

    # Read the zone from the PDC emulator. Each exported row carries the record
    # name (HostName) and, from RecordData, the target host (DomainName).
    $Error.Clear()
    Get-DnsServerResourceRecord -ComputerName $PDCDomain -ZoneName $ThisZoneNow |
        Where-Object { $_.RecordType -eq 'SRV' } |
        Select-Object -Property HostName, RecordType -ExpandProperty RecordData |
        Export-Csv $SRVFile -NoTypeInformation
    if ($Error.Count -eq 0)
    {
        $AnyOneOk = "Yes"
        $AllRecordsCSV = Import-Csv $SRVFile
        $AllDCInDomain = Get-ADDomainController -Filter * -Server $ThisDomain
        foreach ($DCName in $AllDCInDomain)
        {
            $ThisDCNameNow = $DCName.HostName
            $ThisDCSiteNow = $DCName.Site

            # Expected "<record name>.<target FQDN>." keys for this DC. The exported
            # target always ends with a dot, hence the trailing "." here.
            # Note: the two GC keys are reported as Missing for any DC that is not a global catalog.
            $DCLDAPSRV = "_ldap._tcp.dc." + $ThisDCNameNow + "."
            $DCKerberosSRV = "_kerberos._tcp.dc." + $ThisDCNameNow + "."
            $DCSiteLDAPSRV = "_ldap._tcp." + $ThisDCSiteNow + "._sites.dc." + $ThisDCNameNow + "."
            $DCSiteKerberosSRV = "_kerberos._tcp." + $ThisDCSiteNow + "._sites.dc." + $ThisDCNameNow + "."
            $DCGCSRV = "_ldap._tcp.gc." + $ThisDCNameNow + "."
            $DCGCSiteSRV = "_ldap._tcp." + $ThisDCSiteNow + "._sites.gc." + $ThisDCNameNow + "."

            $IsDCLDAPSRVPresent = "Missing"
            $IsDCKerberosSRVPresent = "Missing"
            $IsDCSiteLDAPSRVPresent = "Missing"
            $IsDCSiteKerberosSRVPresent = "Missing"
            $IsDCGCSRVPresent = "Missing"
            $IsDCGCSiteSRVPresent = "Missing"

            $FinStatus = ""

            # Compare every exported record against the expected keys (case-insensitive).
            foreach ($SRVInFile in $AllRecordsCSV)
            {
                $ThisDCInFile = $SRVInFile.DomainName
                $ThisDCSRV = $SRVInFile.HostName

                $SRVToCheckNow = $ThisDCSRV + "." + $ThisDCInFile

                if ($SRVToCheckNow.ToLower() -eq $DCLDAPSRV.ToLower())
                {
                    $IsDCLDAPSRVPresent = "Present : " + $SRVToCheckNow
                }
                if ($SRVToCheckNow.ToLower() -eq $DCKerberosSRV.ToLower())
                {
                    $IsDCKerberosSRVPresent = "Present : " + $SRVToCheckNow
                }
                if ($SRVToCheckNow.ToLower() -eq $DCSiteLDAPSRV.ToLower())
                {
                    $IsDCSiteLDAPSRVPresent = "Present : " + $SRVToCheckNow
                }
                if ($SRVToCheckNow.ToLower() -eq $DCSiteKerberosSRV.ToLower())
                {
                    $IsDCSiteKerberosSRVPresent = "Present : " + $SRVToCheckNow
                }
                if ($SRVToCheckNow.ToLower() -eq $DCGCSRV.ToLower())
                {
                    $IsDCGCSRVPresent = "Present : " + $SRVToCheckNow
                }
                if ($SRVToCheckNow.ToLower() -eq $DCGCSiteSRV.ToLower())
                {
                    $IsDCGCSiteSRVPresent = "Present : " + $SRVToCheckNow
                }
            }

            # Any gap flags the DC and counts towards the summary value.
            if ($IsDCLDAPSRVPresent -eq "Missing" -or $IsDCKerberosSRVPresent -eq "Missing" -or $IsDCSiteLDAPSRVPresent -eq "Missing" -or $IsDCSiteKerberosSRVPresent -eq "Missing" -or $IsDCGCSRVPresent -eq "Missing" -or $IsDCGCSiteSRVPresent -eq "Missing")
            {
                $AnyGap = "Yes"
                $FinStatus = "WARNING: Required SRVs are missing for this DC."
                $TotNo++
            }

            $FinalSTR = $ThisDomain + "," + $ThisDCNameNow + "," + $ThisDCSiteNow + "," + $IsDCLDAPSRVPresent + "," + $IsDCKerberosSRVPresent + "," + $IsDCSiteLDAPSRVPresent + "," + $IsDCSiteKerberosSRVPresent + "," + $IsDCGCSRVPresent + "," + $IsDCGCSiteSRVPresent + "," + $FinStatus
            Add-Content "$TestCSVFile" $FinalSTR
        }
    }
    else
    {
        # The zone could not be read from the PDC emulator; record the failure and move on.
        $ThisSTR = $ThisDomain + ",Error Connecting to PDC in this domain."
        $ErrorOrNot = "Yes"
        Add-Content "$TestCSVFile" $ThisSTR
    }
}

# Overall test result.
if ($AnyGap -eq "Yes")
{
    $TestStatus = "Critical"
    $TestText = "There are a few SRV records missing for Domain Controllers."
    $SumVal = $TotNo
}
if ($AnyGap -eq "No")
{
    $TestStatus = "Passed"
    $TestText = "All SRV Records are present for Domain Controllers."
    $SumVal = ""
}

$STR = $ADTestName + "," + $TestStartTime + "," + $TestStatus + "," + $SumVal + "," + $TestText
$STR

### End Script ###

 

Once the script has finished executing for all domains, a CSV report file is generated as shown in Figure 1 below. The report file name is SRVRecordsStatus.CSV and it is located in C:\Temp.


Figure 1 – Showing CSV Report generated by the PowerShell Script

As you can see in the report generated by the script, the script reported “WARNING” in the “Final Status” column for domain controllers that have SRV records missing. As shown in the report above, domain controller DC3.ITDynamicPacks.Net, DC4.ITDynamicPacks.Net and DC7.ITDynamicPacks.Net have LDAP SRV records missing in the DNS domain zone. Once you have the SRV report, you can register the SRV records in the DNS Server to ensure Active Directory operates smoothly.
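The report tells you which DCs have gaps; the following added example (not part of the original article or of AD Health Profiler) takes the next step. It reads the CSV the script writes, asks Netlogon on each flagged DC to re-register its own records, and then re-checks the _msdcs zone on the PDC emulator, the same source the script read. It also handles one caveat of the script: the script marks both GC columns as Missing for any DC that is not a global catalog, so the re-check below only treats the GC records as required when the DC really holds the global catalog role. The function name, the $SettleSeconds wait and the assumption of WinRM access to the DCs plus the ActiveDirectory and DnsServer modules are ours.

```powershell
# Added example: re-register and re-verify SRV records for the DCs flagged in the report.
# Assumes the ActiveDirectory and DnsServer modules and WinRM access to the flagged DCs.
function Repair-DcSrvRegistration {
    param(
        [string] $ReportPath    = 'C:\Temp\SRVRecordsStatus.CSV',
        [int]    $SettleSeconds = 30      # assumed: time for dynamic updates to land
    )

    # Columns in the order the script writes them. The header line is skipped so
    # any spacing in the header text does not matter.
    $columns = 'Domain', 'DC', 'Site', 'Ldap', 'Kerberos', 'SiteLdap', 'SiteKerberos', 'Gc', 'SiteGc', 'FinalStatus'
    $rows    = Import-Csv -Path $ReportPath -Header $columns | Select-Object -Skip 1
    $flagged = $rows | Where-Object { $_.FinalStatus -like 'WARNING*' }

    if (-not $flagged) {
        Write-Verbose 'No domain controllers flagged in the report.'
        return
    }

    foreach ($row in $flagged) {
        $dc     = $row.DC
        $domain = $row.Domain

        # Preferred fix: have Netlogon on the DC re-register its own SRV records
        # (nltest /dsregdns) rather than hand-authoring records that go stale.
        Invoke-Command -ComputerName $dc -ScriptBlock { nltest /dsregdns } | Out-Null
        Start-Sleep -Seconds $SettleSeconds

        # Only require the GC records when the DC actually is a global catalog.
        $dcObj    = Get-ADDomainController -Identity $dc -Server $domain
        $expected = @('_ldap._tcp.dc', '_kerberos._tcp.dc',
                      "_ldap._tcp.$($dcObj.Site)._sites.dc",
                      "_kerberos._tcp.$($dcObj.Site)._sites.dc")
        if ($dcObj.IsGlobalCatalog) {
            $expected += '_ldap._tcp.gc'
            $expected += "_ldap._tcp.$($dcObj.Site)._sites.gc"
        }

        # Verify on the PDC emulator, the same server the report script queried.
        $pdc  = (Get-ADDomain -Identity $domain).PDCEmulator
        $zone = "_msdcs.$domain"
        foreach ($name in $expected) {
            $rec = Get-DnsServerResourceRecord -ComputerName $pdc -ZoneName $zone -Name $name -RRType Srv -ErrorAction SilentlyContinue |
                   Where-Object { $_.RecordData.DomainName -eq "$dc." }
            $status = if ($rec) { 'Present' } else { 'Still missing' }
            [pscustomobject]@{
                DomainController = $dc
                Record           = "$name.$zone"
                Status           = $status
            }
        }
    }
}

# Usage:
# Repair-DcSrvRegistration -Verbose | Format-Table -AutoSize
```

A record that is still missing after Netlogon has re-registered usually points at the cause rather than the symptom: the DC's DNS client settings, dynamic update being disabled on the zone, or the DC not being allowed to update the record, which are the things to check before adding the record by hand.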

If you are using Active Directory Health Profiler, you can execute the Domain Controller Individual SRV Records Test Dynamic Pack against an Active Directory Forest or a domain to show you the status of SRV records in Active Directory Health Profiler console as shown in the Figure 2 below.


Figure 2 – Showing SRV Records Status for each domain controller in AD Health Profiler

In case of any issues with the script, please send an email at [email protected].

Summary

We explained the importance of SRV records in an Active Directory environment. Domain controllers rely on SRV records registered in the DNS Server to perform important functions such as replicating changes and allowing Active Directory clients to locate domain controller services. Any application that uses SRV records to find a domain controller will fail if the SRV records for domain controllers are not registered.

We provided a PowerShell script that you can use to collect a report on SRV records for all domain controllers and fix the missing ones easily.
