DNS: should the A record of the domain name point to the dns servers or to the Windows domain controllers?

baroot
baroot used Ask the Experts™
on
Hi, does anyone know if the A record of your dns domain name (e.g. A record 'company.local'), should point to your authoritative dns servers or to your Windows domain controllers?
I'm talking about a DNS domain on a company intranet (e.g. 'company.local'), where DNS domain name = windows domain name, but where the domain controllers aren't running dns anymore.


Background info:
Microsoft domain controllers (which are usually also the dns servers) always create A records for the domain name itself. E.g. if your Windows domain name is 'mycompany.local' and you have 2 domain controllers, then you will find 2 A records in dns zone mycompany.local:
mycompany.local A ip-of-domaincontroller1
mycompany.local A ip-of-domaincontroller2

But why do they do this: is it to be able to find the domain controllers of windows domain mycompany.local (which can also be found by looking at certain SRV rr), or is it to be able to find the dns servers which are authoritative of dns domain mycompany.local (which can also be found by looking at NS rr)?

When you have an 'all Microsoft' environment, this doesn't really matter. But I'm asking this question because we have a mixed environment: we switched from Microsoft DNS to a non-Microsoft DNS server (BIND). And currently the A record of the dns/windows domain contains 6 entries: 3 pointing to domain controllers and 3 pointing to dns servers...
In my opinion this is a messy situation, and 3 of them should/could be removed, but of course I don't want to cause operational problems so I want to be sure before I change anything.

So the question is: what information should the A record of the Windows domain actually contain:
- the IP of our Windows domain controllers (which are not running DNS anymore)?
- the IP of our (BIND) dns servers?

I looked at Microsoft documentation but didn't find the right answer (yet), so I'm hoping someone in here has the right answer.

Thanks in advance, Bart
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Systems Administrator
Commented:
Well it should point to the DCs. If you want to add a machine to the domain or resources in sysvol or netlogon need to be located the domain name needs to resolve to a DC.
Gaurav SinghSolutions Architect

Commented:
it should point to the IP of the windows domain controller. mycompany.local is running as website?
Dan McFaddenSystems Engineer
Commented:
These should point to the IPs of the domain controllers (as stated by the experts above).

Here is a description of the basic required DNS entries for AD:

https://msdn.microsoft.com/en-us/library/bb727055.aspx#ECAA

The blank (domain.extension or in the MS DNS Mgr - "same as parent folder") entry is referred to as the LdapIpAddress and helps Microsoft domain clients find DFS and GPO objects available via a DNS query.

I suggest running the complete dcdiag test against your domain to verify the necessary DNS records are in place.

Dan

Author

Commented:
Thanks a lot for the input, was really helpful!

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial