Specify DC Locator DNS records not registered by the DCs

2
23633

Quite a long heading, so let’s cut to the chase:

Sometimes we want to hide Domain Controllers. One way to achieve this is by configuring the GPO Element:

Computer Configuration > Policies > Administrative Templates > System > Net Logon > DC Locator DNS Records

Setting:

Specify DC LOcator DNS records not registered by the DCs

This policy setting determines which DC Locator DNS records are not registered by the Net Logon service.

If you enable this policy setting, select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS records that will not be registered by the DCs to which this setting is applied.

Select the mnemonics from the following list:

MnemonicDNS Record TypeAssociated DNS Record
DcSRV_ldap._tcp.dc._msdcs.[DnsDomainName]
DcAtSiteSRV_ldap._tcp.[SiteName]._sites.dc._msdcs.[DnsDomainName]
DcByGuidSRV_ldap._tcp.[DomainGuid].domains._msdcs.[DnsForestName]
DsaCnameCNAME[DsaGuid]._msdcs.[DnsForestName]
GcSRV_ldap._tcp.gc._msdcs.[DnsForestName]
GcAtSiteSRV_ldap._tcp.[SiteName]._sites.gc._msdcs.[DnsForestName]
GcIpAddressA_gc._msdcs.[DnsForestName]
GenericGcSRV_gc._tcp.[DnsForestName]
GenericGcAtSiteSRV_gc._tcp.[SiteName]._sites.[DnsForestName]
KdcSRV_kerberos._tcp.dc._msdcs.[DnsDomainName]
KdcAtSiteSRV_kerberos._tcp.dc._msdcs.[SiteName]._sites.[DnsDomainName]
LdapSRV_ldap._tcp.[DnsDomainName]
LdapAtSiteSRV_ldap._tcp.[SiteName]._sites.[DnsDomainName]
LdapIpAddressA[DnsDomainName]
PdcSRV_ldap._tcp.pdc._msdcs.[DnsDomainName]
Rfc1510KdcSRV_kerberos._tcp.[DnsDomainName]
Rfc1510KdcAtSiteSRV_kerberos._tcp.[SiteName]._sites.[DnsDomainName]
Rfc1510KpwdSRV_kpasswd._tcp.[DnsDomainName]
Rfc1510UdpKdcSRV_kerberos._udp.[DnsDomainName]
Rfc1510UdpKpwdSRV_kpasswd._udp.[DnsDomainName]

If you disable this policy setting, DCs configured to perform dynamic registration of DC Locator DNS records register all DC Locator DNS resource records.

If you do not configure this policy setting, DCs use their local configuration.

If you want to simply add them all, here’s a cut paste for you:

LdapIpAddress Ldap LdapAtSite Pdc Gc GcAtSite DcByGuid GcIpAddress Kdc KdcAtSite Dc DcAtSite Rfc1510Kdc Rfc1510KdcAtSite GenericGc GenericGcAtSite Rfc1510UdpKdc Rfc1510Kpwd Rfc1510UdpKpwd

In the list above, DsaCname needs to be excluded, otherwise replication may be affected.

2 COMMENTS

  1. Hi Damien,

    Thanks for the write-up. where we need to map this Group Policy ?. I believe it should be mapped to the site but want to confirm.

LEAVE A REPLY

Please enter your comment!
Please enter your name here