Troubleshooting Sudden Disappearance of Active Directory SRV Records in Server 2012 R2 Domain Controllers


2 views

Active Directory's proper functioning heavily depends on DNS SRV records. These records enable clients to locate domain controllers through standard DNS queries. When records like _ldap._tcp.dc._msdcs or _kerberos._tcp.dc._msdcs go missing, authentication and replication break down completely.

First, verify the records are truly missing with this PowerShell check:

Get-DnsServerResourceRecord -ZoneName "_msdcs.yourdomain.com" -RRType "SRV" | 
Where-Object {$_.RecordData.DomainName -like "*_ldap*"} | 
Format-Table HostName, RecordData

Key indicators of trouble:

  • Missing _ldap, _kerberos, _gc records
  • Domain controllers not registering themselves
  • Event ID 5774 in Directory Service logs

For manual recreation (last resort method):

# PowerShell method to recreate _ldap record
Add-DnsServerResourceRecord -Srv -ZoneName "_msdcs.yourdomain.com" 
-Name "_ldap._tcp.dc" 
-DomainName "dc01.yourdomain.com" 
-Priority 0 
-Weight 100 
-Port 389 
-TimeToLive 01:00:00

The GUID-based records (like {GUID}._msdcs) are machine-specific and should regenerate automatically once proper services restart.

Ensure these settings are correct:

# Verify DNS registration settings
Get-NetAdapter | Set-DnsClient -RegisterThisConnectionsAddress $true

# DC-specific registration check
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" | 
Select-Object UseDynamicDns

For scavenging configuration (use cautiously):

Set-DnsServerScavenging -ScavengingState $true 
-RefreshInterval 7.00:00:00 
-NoRefreshInterval 7.00:00:00

Here's a complete restoration script I've used successfully:

# DC SRV Record Restoration Script
$domain = "yourdomain.com"
$dcName = hostname
$dnsServers = Get-DnsServer -ComputerName $dcName

foreach ($server in $dnsServers) {
    # Standard SRV records
    $records = @(
        @{Name="_ldap._tcp.dc"; Proto="tcp"; Port=389},
        @{Name="_ldap._tcp.gc"; Proto="tcp"; Port=3268},
        @{Name="_kerberos._tcp.dc"; Proto="tcp"; Port=88}
    )
    
    foreach ($rec in $records) {
        try {
            Add-DnsServerResourceRecord -Srv -ZoneName "_msdcs.$domain" 
                -Name $rec.Name 
                -DomainName "$dcName.$domain" 
                -Priority 0 
                -Weight 100 
                -Port $rec.Port 
                -ComputerName $server.IPAddress
        }
        catch {
            Write-Warning "Failed to create $($rec.Name): $_"
        }
    }
    
    # Force Netlogon to re-register
    Restart-Service Netlogon -Force
    Register-DnsClient
}

Implement this monitoring check:

# Daily monitoring script
$requiredRecords = @(
    "_ldap._tcp.dc._msdcs",
    "_kerberos._tcp.dc._msdcs",
    "_ldap._tcp.pdc._msdcs"
)

foreach ($record in $requiredRecords) {
    $exists = Resolve-DnsName -Name "$record.$domain" -Type SRV -ErrorAction SilentlyContinue
    if (-not $exists) {
        Send-MailMessage -To "admin@domain.com" 
            -Subject "Critical AD DNS Record Missing: $record" 
            -Body "The $record SRV record is missing from DNS!"
    }
}

When your _msdcs zone records vanish suddenly, it's not just a DNS issue - it's an authentication crisis. These records are the backbone of Active Directory's service discovery mechanism. The absence of _ldap._tcp.dc._msdcs and _kerberos._tcp.dc._msdcs records effectively blinds clients to domain controller locations.

First, verify the extent of the damage with PowerShell:

# Check basic DNS functionality
Test-DnsServer -IPAddress 192.168.1.10 -Context DnsServer

# Verify SRV records existence
Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.yourdomain.com"

# Check DC registration status
Get-WinEvent -LogName "Directory Service" -MaxEvents 20 | 
    Where-Object {$_.Id -eq 5774} | Format-List

For global record regeneration, execute this sequence on each DC:

# Stop Netlogon service temporarily
Stop-Service Netlogon -Force

# Clear existing registration
ipconfig /flushdns
ipconfig /registerdns

# Force service registration
net stop netlogon && net start netlogon

# Trigger full DNS registration
nltest /dsregdns

When automated methods fail, you'll need surgical precision. Here's a sample script to rebuild critical records:

# PowerShell script to recreate essential SRV records
Import-Module DnsServer

$domain = "yourdomain.com"
$dc1IP = "192.168.1.10"
$dc2IP = "192.168.1.11"

# LDAP records
Add-DnsServerResourceRecord -Srv -Name "_ldap._tcp.dc._msdcs.$domain" 
    -DomainName $domain -Priority 0 -Weight 100 -Port 389 
    -Target "dc1.$domain"

# Kerberos records
Add-DnsServerResourceRecord -Srv -Name "_kerberos._tcp.dc._msdcs.$domain" 
    -DomainName $domain -Priority 0 -Weight 100 -Port 88 
    -Target "dc1.$domain"

# GC records
Add-DnsServerResourceRecord -Srv -Name "_ldap._tcp.gc._msdcs.$domain" 
    -DomainName $domain -Priority 0 -Weight 100 -Port 3268 
    -Target "dc1.$domain"

Implement these monitoring safeguards:

  • Create a scheduled task to verify SRV records weekly
  • Enable debug logging for DNS registration events
  • Configure alerting for Netlogon registration failures

Those cryptic SID-based records (e.g., 1a1b2c3d-1234-5678-abcd-0123456789ab._msdcs) are actually GUIDs representing:

# To find your DC's GUID:
Get-ADDomainController -Identity YourDC | Select-Object NTDSettingsObjectGUID

These are automatically regenerated when the Netlogon service restarts, provided the DC can write to DNS.