SRV Records and Active Directory, Part II

Finding Global Catalog Servers

Earlier this month we discussed how special DNS resource records called SRV (service locator) records help Windows systems find domain controllers so they can authenticate to the domain. Interestingly, SRV records also help Windows systems find other kinds of important computers. One of these is the global catalog server, or GC. The GC has extra, read-only partitions in its copy of the Active Directory database, so that it knows about all the objects in all domains, not just its own domain. (GCs don't need to know about all attributes of all objects, just the ones likely to be used in a search operation.)

A Windows system needs to know where a GC is in order to perform a search of the entire directory on port 3268. (The alternative would be for the search client to enumerate and then search every domain in the forest, which Microsoft deemed inefficient.) Global catalog servers are also used to provide lists of universal group memberships and User Principal Name details to domain controllers. (The universal group membership information is required to build an authenticating user's Security Access Token, and a UPN used in a logon request can refer to a domain different from the user's. In both cases the GC is needed, at least if the forest contains more than one domain.) Finally, the GC is used to provide global address list information to Exchange Server.

Here's the format of an SRV record specifying the location of a GC:

    _ldap._tcp.gc._msdcs.dnsforestname

The SRV record that includes site awareness, to facilitate Windows' finding the nearest global catalog server based on sites and subnets, has the following format:

    _ldap._tcp.sitename._sites.gc._msdcs.dnsforestname

Notice that these records include the term "msdcs", which indicates that a global catalog server is also a domain controller in Microsoft's implementation.
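The following Python script is an added example, not part of the original article and not Microsoft's locator code. It builds the two GC locator names described above from a forest name and an optional site name, parses a constructed set of SRV answers (the zone, the host names dc1 through dc3 and gc-unknown, and the hq site are all made up for the example), orders them the way an SRV client is meant to (lowest priority first, weighted random within a priority), prefers the site-aware records when they exist, and finally audits the GC records against a list of hosts you know to be GCs, flagging any record that advertises a different port than 3268 or a host not on that list. That last check is a simple way to confirm that what DNS is telling clients about your global catalog servers matches what you actually run.

```python
"""Added example: build, parse, order and audit the SRV records that Windows
clients use to find global catalog servers. Illustrative code written for this
article; all names (corp.example.com, dc1..dc3, gc-unknown, site hq) are
constructed sample data."""
import random
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class SrvRecord:
    name: str      # owner name, e.g. _ldap._tcp.gc._msdcs.corp.example.com
    priority: int  # lower is preferred
    weight: int    # relative share among records of equal priority
    port: int      # 3268 for a global catalog LDAP search
    target: str    # host name of the advertised GC


def gc_srv_name(forest: str, site: Optional[str] = None) -> str:
    """DNS name a client queries to find a GC: the forest-wide form when no
    site is given, otherwise the site-aware form from the article."""
    forest = forest.rstrip(".").lower()
    if site is None:
        return f"_ldap._tcp.gc._msdcs.{forest}"
    return f"_ldap._tcp.{site.lower()}._sites.gc._msdcs.{forest}"


def parse_srv_line(line: str) -> SrvRecord:
    """Parse one zone-file style line:
    <owner> [<ttl>] [IN] SRV <priority> <weight> <port> <target>"""
    fields = line.split()
    i = fields.index("SRV")  # tolerate optional TTL / class tokens
    priority, weight, port = (int(f) for f in fields[i + 1:i + 4])
    return SrvRecord(name=fields[0].rstrip(".").lower(), priority=priority,
                     weight=weight, port=port,
                     target=fields[i + 4].rstrip(".").lower())


def parse_srv_zone(text: str) -> list[SrvRecord]:
    """Parse every SRV line in a block of zone-file text."""
    return [parse_srv_line(line) for line in text.splitlines()
            if line.strip() and " SRV " in line]


def order_srv(records: Iterable[SrvRecord], rng: random.Random) -> list[SrvRecord]:
    """Client-side ordering: lowest priority first; within one priority the
    records are drawn repeatedly at random in proportion to their weight."""
    by_priority: dict[int, list[SrvRecord]] = {}
    for r in records:
        by_priority.setdefault(r.priority, []).append(r)
    ordered: list[SrvRecord] = []
    for prio in sorted(by_priority):
        pool = by_priority[prio]
        while pool:
            weights = [max(r.weight, 0) for r in pool]
            if not any(weights):          # only zero-weight records left
                weights = [1] * len(pool)
            chosen = rng.choices(pool, weights=weights, k=1)[0]
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered


def locate_gc(forest: str, site: Optional[str], zone: list[SrvRecord],
              rng: Optional[random.Random] = None) -> list[SrvRecord]:
    """Mimic the locator's preference: use the site-aware records when the
    zone has any for this site, otherwise fall back to the forest-wide ones."""
    rng = rng or random.Random(0)
    candidates = [gc_srv_name(forest)]
    if site:
        candidates.insert(0, gc_srv_name(forest, site))
    for name in candidates:
        matches = [r for r in zone if r.name == name]
        if matches:
            return order_srv(matches, rng)
    return []


def audit_gc_records(zone: list[SrvRecord], known_gcs: set[str],
                     expected_port: int = 3268) -> list[str]:
    """Defensive check: every GC locator record should point at a host you
    know is a GC, on the GC port. Anything else deserves a closer look."""
    findings = []
    for r in zone:
        if "gc._msdcs." not in r.name:
            continue  # not a global catalog locator record
        if r.port != expected_port:
            findings.append(f"{r.name}: {r.target} advertises port {r.port}, "
                            f"expected {expected_port}")
        if r.target not in known_gcs:
            findings.append(f"{r.name}: {r.target} is not a known global catalog server")
    return findings


# Constructed sample answers in zone-file form (not real records).
SAMPLE_ZONE = """\
_ldap._tcp.gc._msdcs.corp.example.com. 600 IN SRV 0 100 3268 dc1.corp.example.com.
_ldap._tcp.gc._msdcs.corp.example.com. 600 IN SRV 0 100 3268 dc2.corp.example.com.
_ldap._tcp.gc._msdcs.corp.example.com. 600 IN SRV 10 100 3268 dc3.corp.example.com.
_ldap._tcp.hq._sites.gc._msdcs.corp.example.com. 600 IN SRV 0 100 3268 dc1.corp.example.com.
_ldap._tcp.hq._sites.gc._msdcs.corp.example.com. 600 IN SRV 0 100 389 gc-unknown.corp.example.com.
"""

KNOWN_GCS = {"dc1.corp.example.com", "dc2.corp.example.com", "dc3.corp.example.com"}

if __name__ == "__main__":
    zone = parse_srv_zone(SAMPLE_ZONE)
    for label, site in (("site hq", "hq"), ("forest", None)):
        picks = locate_gc("corp.example.com", site, zone)
        print(f"{label}: {[f'{r.target}:{r.port}' for r in picks]}")
    for finding in audit_gc_records(zone, KNOWN_GCS):
        print("FINDING:", finding)
```

Run it as a script to see the site-aware lookup, the forest-wide fallback, and the two findings the sample zone produces. To check a real forest, replace SAMPLE_ZONE with the SRV answers from your own DNS (for example the output of an SRV query against the forest's DNS servers) and KNOWN_GCS with your inventory of global catalog servers.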


