Quite a long heading, so let’s cut to the chase:
Sometimes we want to hide Domain Controllers from DC Locator lookups, i.e. stop them from advertising themselves in DNS. One way to achieve this is by configuring the following GPO element:
Computer Configuration > Policies > Administrative Templates > System > Net Logon > DC Locator DNS Records
Setting:
Specify DC Locator DNS records not registered by the DCs
This policy setting determines which DC Locator DNS records are not registered by the Net Logon service.
If you enable this policy setting, select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS records that will not be registered by the DCs to which this setting is applied.
Select the mnemonics from the following list:
| Mnemonic | DNS Record Type | Associated DNS Record |
|---|---|---|
| Dc | SRV | _ldap._tcp.dc._msdcs.[DnsDomainName] |
| DcAtSite | SRV | _ldap._tcp.[SiteName]._sites.dc._msdcs.[DnsDomainName] |
| DcByGuid | SRV | _ldap._tcp.[DomainGuid].domains._msdcs.[DnsForestName] |
| DsaCname | CNAME | [DsaGuid]._msdcs.[DnsForestName] |
| Gc | SRV | _ldap._tcp.gc._msdcs.[DnsForestName] |
| GcAtSite | SRV | _ldap._tcp.[SiteName]._sites.gc._msdcs.[DnsForestName] |
| GcIpAddress | A | _gc._msdcs.[DnsForestName] |
| GenericGc | SRV | _gc._tcp.[DnsForestName] |
| GenericGcAtSite | SRV | _gc._tcp.[SiteName]._sites.[DnsForestName] |
| Kdc | SRV | _kerberos._tcp.dc._msdcs.[DnsDomainName] |
| KdcAtSite | SRV | _kerberos._tcp.dc._msdcs.[SiteName]._sites.[DnsDomainName] |
| Ldap | SRV | _ldap._tcp.[DnsDomainName] |
| LdapAtSite | SRV | _ldap._tcp.[SiteName]._sites.[DnsDomainName] |
| LdapIpAddress | A | [DnsDomainName] |
| Pdc | SRV | _ldap._tcp.pdc._msdcs.[DnsDomainName] |
| Rfc1510Kdc | SRV | _kerberos._tcp.[DnsDomainName] |
| Rfc1510KdcAtSite | SRV | _kerberos._tcp.[SiteName]._sites.[DnsDomainName] |
| Rfc1510Kpwd | SRV | _kpasswd._tcp.[DnsDomainName] |
| Rfc1510UdpKdc | SRV | _kerberos._udp.[DnsDomainName] |
| Rfc1510UdpKpwd | SRV | _kpasswd._udp.[DnsDomainName] |
If you disable this policy setting, DCs configured to perform dynamic registration of DC Locator DNS records register all DC Locator DNS resource records.
If you do not configure this policy setting, DCs use their local configuration.
If you simply want to add all of them, here is a cut-and-paste list for you:
LdapIpAddress Ldap LdapAtSite Pdc Gc GcAtSite DcByGuid GcIpAddress Kdc KdcAtSite Dc DcAtSite Rfc1510Kdc Rfc1510KdcAtSite GenericGc GenericGcAtSite Rfc1510UdpKdc Rfc1510Kpwd Rfc1510UdpKpwd
DsaCname is deliberately left out of the list above: if it were included (and therefore no longer registered), replication may be affected.
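As an added example that is not part of the original post, the PowerShell script below audits one DC after the GPO has applied and Netlogon has re-registered (for instance after `nltest /dsregdns` or a Netlogon restart), reporting for every mnemonic in the table whether DNS still points at that DC; this lets you confirm the listed records are gone while the DsaCname record is still present. It assumes the RSAT ActiveDirectory module and Resolve-DnsName are available, that the caller can read AD and query the domain's DNS, and `$DcName` is a placeholder for the DC's host name.

```powershell
# Added audit script (not from the original post). Expands each record template
# from the policy description for one DC and checks whether DNS still answers
# with that DC. $DcName is a placeholder, e.g. dc01.corp.example.
param([Parameter(Mandatory)][string]$DcName)
Import-Module ActiveDirectory
$dc     = Get-ADDomainController -Identity $DcName
$domain = Get-ADDomain -Identity $dc.Domain
$forest = Get-ADForest -Identity $dc.Forest
$v = @{   # values for the [placeholders] used in the policy's record templates
    DnsDomainName = $domain.DNSRoot
    DnsForestName = $forest.RootDomain
    SiteName      = $dc.Site
    DomainGuid    = "$($domain.ObjectGUID)"
    DsaGuid       = "$((Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID)"
}
# Mnemonic = 'type|template', exactly as listed in the policy description.
$records = [ordered]@{
    Dc='SRV|_ldap._tcp.dc._msdcs.[DnsDomainName]'
    DcAtSite='SRV|_ldap._tcp.[SiteName]._sites.dc._msdcs.[DnsDomainName]'
    DcByGuid='SRV|_ldap._tcp.[DomainGuid].domains._msdcs.[DnsForestName]'
    DsaCname='CNAME|[DsaGuid]._msdcs.[DnsForestName]'
    Gc='SRV|_ldap._tcp.gc._msdcs.[DnsForestName]'
    GcAtSite='SRV|_ldap._tcp.[SiteName]._sites.gc._msdcs.[DnsForestName]'
    GcIpAddress='A|_gc._msdcs.[DnsForestName]'
    GenericGc='SRV|_gc._tcp.[DnsForestName]'
    GenericGcAtSite='SRV|_gc._tcp.[SiteName]._sites.[DnsForestName]'
    Kdc='SRV|_kerberos._tcp.dc._msdcs.[DnsDomainName]'
    KdcAtSite='SRV|_kerberos._tcp.dc._msdcs.[SiteName]._sites.[DnsDomainName]'
    Ldap='SRV|_ldap._tcp.[DnsDomainName]'
    LdapAtSite='SRV|_ldap._tcp.[SiteName]._sites.[DnsDomainName]'
    LdapIpAddress='A|[DnsDomainName]'
    Pdc='SRV|_ldap._tcp.pdc._msdcs.[DnsDomainName]'
    Rfc1510Kdc='SRV|_kerberos._tcp.[DnsDomainName]'
    Rfc1510KdcAtSite='SRV|_kerberos._tcp.[SiteName]._sites.[DnsDomainName]'
    Rfc1510Kpwd='SRV|_kpasswd._tcp.[DnsDomainName]'
    Rfc1510UdpKdc='SRV|_kerberos._udp.[DnsDomainName]'
    Rfc1510UdpKpwd='SRV|_kpasswd._udp.[DnsDomainName]'
}
foreach ($m in $records.Keys) {
    $type, $name = $records[$m] -split '\|', 2
    foreach ($k in $v.Keys) { $name = $name.Replace("[$k]", $v[$k]) }
    $ans = Resolve-DnsName -Name $name -Type $type -DnsOnly -ErrorAction SilentlyContinue
    # Does any answer still reference this DC? SRV -> NameTarget, A -> IPAddress, CNAME -> NameHost
    $hit = switch ($type) {
        'SRV'   { $ans | Where-Object NameTarget -eq $dc.HostName }
        'A'     { $ans | Where-Object IPAddress  -eq $dc.IPv4Address }
        'CNAME' { $ans | Where-Object NameHost   -eq $dc.HostName }
    }
    [pscustomobject]@{ Mnemonic=$m; Type=$type; Record=$name; StillRegistered=[bool]$hit }
}
```

Records that Netlogon no longer registers stay in DNS until they age out or are removed, so run this after scavenging or manual cleanup; a `StillRegistered` row for any mnemonic other than DsaCname means the record still needs to disappear.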
Hi Damien,
Thanks for the write-up. Where do we need to map this Group Policy? I believe it should be mapped to the site but want to confirm.
Any script to clean up entries after applying the GPO?