I'm setting up a new Active Directory instance for my department at a university. I have some experience managing domains at previous jobs (NT4/2k/2003), but there are two unique things about our environment here: The network is 100% public IP address space (effectively no firewalls and all DNS is public DNS) and DNS is centrally managed (BIND on UNIX and they won't delegate me a subdomain nor allow Dynamic DNS updates to their servers.)

Since no private or split DNS is possible, the SRV records for my domain (ad.dept.univ.edu) will be accessible via public DNS. Although the DNS is public, I will firewall to only allow machines on-campus to connect to my domain controllers. I'll have two AD controllers running Windows Server 2008r2. This is basically an authentication only domain, we don't run Windows file servers, most client machines will never join the domain or directly authenticate against the domain controller. This domain will mostly just provide centralized AD-integrated authentication for appliances and applications.

  • What's the process for setting up an AD controller without enabling MS DNS?
  • Which DNS records (SRV or otherwise) should I add? Should they exist before making the server a domain controller or be added after?
  • Is there anything which won't run nicely in such an environment? I know adding/removing DCs will require manually editing DNS, but is that it?

If you think Samba4+OpenLDAP is up to the task, I'm definitely interested, but please ask & self answer a new wiki question instead of just replying here.


Sounds a lot like my environment, only I get to have DNS delegation.

It is possible though very tricky to set up an AD DNS environment that doesn't require dynamic DNS. You'll have to hand-populate all the SRV records, as well as the needed NS and A records for the domain. PTR records aren't as important. Since you aren't going to be adding or removing machines from the domain much, this may even be supportable in the long-run.

Don't sweat the public IP address space. That's what firewalls are for. Just because the evil meanies can look at you doesn't mean they can touch you.


I've done this and managed it via webmin on my DNS server. *Adding DNS records via webmin is very very easy. Much better than doing it manually through config files.


Service Records needed:

Name TTL Priority Weight Port Server
gc.tcp.domain 600 0 100 3268 server-name.domain.
kerberos.tcp.dc._msdcs.domain. 600 0 100 88 server-name.domain.
kerberos.tcp.domain. 600 0 100 88 server-name.domain.
kerberos.udp.domain. 600 0 100 88 server-name.domain.
kpasswd.tcp.domain. 600 0 100 464 server-name.domain.
kpasswd.udp.domain. 600 0 100 464 server-name.domain.
ldap.tcp.dc._msdcs.domain. 600 0 100 389 server-name.domain.
ldap.tcp.gc.msdcs.domain. 600 0 100 3268 server-name.domain.
ldap.tcp.pdc
.msdcs.domain. 600 0 100 389 server-name.domain.
ldap.tcp.domain. 600 0 100 389 server-name.domain.
ldap.tcp.domain. 600 0 100 3268 server-name.domain.
msdcs.tcp.domain. 600 0 100 389 server-name.domain.
Select all. | Invert selection.

In addition to your service records, you need the appropriate A record(s):

gc._msdcs.domain. 600 IP-ADDRESS

Also DO NOT FORGET TO REGISTER YOUR DNS on your AD Server via cmd line: ipconfig/registerdns

If it still doesn't work, then in the Event Viewer on your AD server will have clear messages indicating what DNS Records it's trying to hit.


User56886 had most of it which got me started on the right track, but here's the full list of DNS Records (note the leading underscores) which worked for my domain (dept.univ.edu) and my active directory controller (ad.dept.univ.edu). TTL/Weights/Priority are up to you, I used 600, 0, 100 below.

_service._proto.name TTL class SRV priority weight port target

_gc._tcp.dept.univ.edu. 600 IN SRV 0 100 3268 ad.dept.univ.edu.
_gc._tcp.Default-First-Site-Name._sites.dept.univ.edu. 600 IN SRV 0 100 3268 ad.dept.univ.edu.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.dept.univ.edu. 600 IN SRV 0 100 88 ad.dept.univ.edu.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.dept.univ.edu. 600 IN SRV 0 100 88 ad.dept.univ.edu.
_kerberos._tcp.dc._msdcs.dept.univ.edu. 600 IN SRV 0 100 88 ad.dept.univ.edu.
_kerberos._tcp.dept.univ.edu. 600 IN SRV 0 100 88 ad.dept.univ.edu.
_kerberos._udp.dept.univ.edu. 600 IN SRV 0 100 88 ad.dept.univ.edu.
_kpasswd._tcp.dept.univ.edu. 600 IN SRV 0 100 464 ad.dept.univ.edu.
_kpasswd._udp.dept.univ.edu. 600 IN SRV 0 100 464 ad.dept.univ.edu.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.dept.univ.edu. 600 IN SRV 0 100 389 ad.dept.univ.edu.
_ldap._tcp.Default-First-Site-Name._sites.dc.dept.univ.edu. 600 IN SRV 0 100 389 ad.dept.univ.edu.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.dept.univ.edu. 600 IN SRV 0 100 3268 ad.dept.univ.edu.
_ldap._tcp.dc._msdcs.dept.univ.edu. 600 IN SRV 0 100 389 ad.dept.univ.edu.
_ldap._tcp.dept.univ.edu. 600 IN SRV 0 100 389 ad.dept.univ.edu.
_ldap._tcp.gc._msdcs.dept.univ.edu. 600 IN SRV 0 100 389 ad.dept.univ.edu.
_ldap._tcp.pdc._msdcs.dept.univ.edu. 600 IN SRV 0 100 389 ad.dept.univ.edu.

In addition there's also two records (a SRV record and a CNAME) which rely on a generated SECID for your domain:

xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx._msdcs.dept.univ.edu CNAME ad.dept.univ.edu.
_ldap._tcp.xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx._msdcs.dept.univ.edu. 600 IN SRV 0 100 389 ad.dept.univ.edu.

Also, you (obviously) need an A record for your domain controller.

Reference: page 154 of Oreilly's Active Directory 5th Edition (also available via Safari Books Online).