Active Directory and its Relationship with DNS - Part 1 - The Basics

Part 1 - The Basics

When thinking about the structure of Active Directory (AD) and the sum of its components, a big part of it rests on the mighty shoulders of the Domain Name System (DNS). DNS is a big part of any environment regardless of whether AD is involved: DNS servers across the world hold all the domain names we find important, and if they were ever to disappear due to a DNS-based plague, the internet would likely cease to be.

How does this all relate to AD? Well, as we pointed out before, you can’t escape TCP/IP-based networking without running into DNS, and any misconfiguration in DNS can cause AD to either run sluggishly or stop working completely.

AD uses several types of DNS records to function:

  • A Record - Domain Name to IPv4

  • PTR Record - IPv4 & IPv6 to Domain Name

  • SRV - Kerberos Authentication, LDAP, Global Catalogue Servers

  • SOA - Start of Authority, the name tag of your domain

  • NS - Name Servers, points to the authoritative zone holders for a domain

  • AAAA - IPv6 to Domain Name

So there's a lot to keep track of, but we’ll start with the basics. Your domain, whether it is homelab.internal or haveyoutriedturningitoff.co.uk, has to have a base of operations for its DNS records: an authoritative name server. You can host your authoritative name server anywhere you like; commonly this is configured at whatever domain registrar (GoDaddy, Namecheap, IONOS, etc.) you’ve bought the domain from, but sometimes you can do it on whatever service platform you’ve bought the domain for, Azure for example.

Now you can configure all your records on your authoritative name server: several A records, a few NS records, and maybe an MX record or two. So how does your computer, or anyone on the internet, know to check with these servers for the most up-to-date information about your domain? This falls to the Top Level Domain (TLD) name servers; these guys govern the .co.uk, .com, .edu and .club TLDs and many, many more. See https://en.wikipedia.org/wiki/List_of_Internet_top-level_domains.

So imagine you're a computer trying to find the IP for haveyoutriedturningitoff.co.uk. You ask your router: what's the IP for that domain? It says it has no clue, never heard of it, but it might know someone who does, so it forwards your request on to your ISP's DNS service. They also have no clue, but they might know a guy, so they forward it on to a root DNS server, the big cheese of the internet who knows everyone's dads. It sees you have a .co.uk TLD and refers you on to the authoritative servers for .uk, and then on to .co.uk, who actually has heard of your request and puts you in contact with the authoritative server for haveyoutriedturningitoff.co.uk, which then sends you an A record with the IP needed to get onto the site.
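The referral walk above as an added example (not code from the original post): a toy iterative resolver that starts at the root and follows NS delegations through an in-memory zone table. The zones, server names and the 203.0.113.10 address are constructed documentation values, not real infrastructure.

```python
# Constructed delegation table standing in for root, .uk, .co.uk and the
# domain's own authoritative server. Each zone maps owner names to records.
# An NS record means "we don't hold this, ask the child zone instead".
ZONES = {
    ".": {"uk.": [("NS", "nsa.nic.uk.")]},
    "uk.": {"co.uk.": [("NS", "dns1.nic.uk.")]},
    "co.uk.": {"haveyoutriedturningitoff.co.uk.": [("NS", "ns1.registrar.example.")]},
    "haveyoutriedturningitoff.co.uk.": {
        "haveyoutriedturningitoff.co.uk.": [("A", "203.0.113.10")],
        "www.haveyoutriedturningitoff.co.uk.": [("A", "203.0.113.10")],
    },
}


def resolve(name, rtype="A"):
    """Walk the delegation chain from the root for `name`.

    Returns (answer, chain): `answer` is the record value, or None when the
    name or record type does not exist; `chain` lists every zone consulted,
    which is the referral path described in the post.
    """
    name = name.rstrip(".").lower() + "."   # normalise to a fully qualified name
    chain = []
    zone = "."                              # every lookup starts at the root
    while True:
        chain.append(zone)
        records = ZONES[zone]
        # If this zone holds the exact name, answer from its own data.
        for rr_type, value in records.get(name, []):
            if rr_type == rtype:
                return value, chain
        # Otherwise find the longest matching delegation (closest child zone).
        best = None
        for owner, rrs in records.items():
            in_owner = name == owner or name.endswith("." + owner)
            has_ns = any(t == "NS" for t, _ in rrs)
            if in_owner and has_ns and (best is None or len(owner) > len(best)):
                best = owner
        # No delegation (or pointing at ourselves) means the name does not
        # exist here: the equivalent of an NXDOMAIN / NODATA reply.
        if best is None or best == zone or best not in ZONES:
            return None, chain
        zone = best                         # follow the referral and try again
```

Calling `resolve("haveyoutriedturningitoff.co.uk")` returns the address together with the chain `['.', 'uk.', 'co.uk.', 'haveyoutriedturningitoff.co.uk.']`, which is exactly the root, TLD, second-level and authoritative hops walked in the story above.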

We’ve covered how DNS gets you from A to B; next we’ll have ‘Part 2 - _msdcs and the part it plays’, part of a series of dives into the inner workings of DNS and its relationship with AD.

Jamie Redford-Brown

A dark arts engineer specializing in Linux, Active Directory, DNS and Certificates, dabbles in Automation and Scripting.

RHCSA | MCP
