AD DS: This domain controller must advertise itself as a Kerberos server for the domain in its local site

Updated: August 31, 2012

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Domain Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer (https://go.microsoft.com/fwlink/?LinkId=122786).

Operating System

Windows Server 2008 R2

Windows Server 2012

Product/Feature

Active Directory Domain Services (AD DS)

Severity

Error

Category

Configuration

Issue

The "Rfc1510KdcAtSite" Domain Name System (DNS) service (SRV) resource record that advertises this domain controller as an available Kerberos server for the domain in its local site is not registered. All Kerberos servers in the domain must register this record.

Impact

Other member computers and domain controllers in the domain or forest will not be able to locate this domain controller as a Kerberos server in the local site. This domain controller will not be able to provide a full suite of services.

This issue can be caused by incorrect Netlogon settings in Group Policy or in the registry. It can also be caused by a failure in the DNS registration process. So that other member computers and domain controllers in the domain or forest can locate this domain controller as a Kerberos server in the domain in a particular site, the correct set of DNS service (SRV) resource records must be registered by the domain controller Locator (DC Locator).

Resolution

Ensure that "Rfc1510KdcAtSite" is not configured in the "DnsAvoidRegisterRecords" list, either through Group Policy or through the registry. Restart the Netlogon service. Verify that the DNS record "_kerberos._tcp.<<SiteName of the local DC>>._sites.<<DnsDomainName of the local DC>>", pointing to the local domain controller "<<FQDN of local DC>>", is registered in DNS.

To resolve this issue, complete the following tasks:

  • Locate the DNS record: Determine whether the "_kerberos._tcp.<<SiteName of the local DC>>._sites.<<DnsDomainName of the local DC>>" DNS service (SRV) resource record is registered in DNS.

  • Verify Group Policy settings: If the "_kerberos._tcp.<<SiteName of the local DC>>._sites.<<DnsDomainName of the local DC>>" DNS service (SRV) resource record is not registered in DNS, verify that Rfc1510KdcAtSite is not included in the list of mnemonics that are specified for the Group Policy setting DC Locator DNS records not registered by the DCs.

Note

The mnemonics that are specified for the DC Locator DNS records not registered by the DCs Group Policy setting correspond to the DNS records that are not to be registered by this domain controller.

  • Verify registry settings: If the "_kerberos._tcp.<<SiteName of the local DC>>._sites.<<DnsDomainName of the local DC>>" DNS service (SRV) resource record is not registered in DNS, verify that Rfc1510KdcAtSite is not included in the list of mnemonics that are specified for the multivalued registry key DnsAvoidRegisterRecords.

Note

The mnemonics that are specified for the DnsAvoidRegisterRecords registry key correspond to the DNS records that are not to be registered by this domain controller.

  • Restart the Netlogon service, and verify that the "_kerberos._tcp.<<SiteName of the local DC>>._sites.<<DnsDomainName of the local DC>>" DNS service (SRV) resource record has been registered in DNS.

Note

You can use the Dcdiag tool to further investigate and resolve a continuing failure to register this record. For more information, see DCDiag and NetDiag in Windows 2000 Facilitate Domain Join and DC Creation (https://go.microsoft.com/fwlink/?LinkID=136425) and Dcdiag Overview (https://go.microsoft.com/fwlink/?LinkID=130605).

Membership in Domain Admins, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To locate the "_kerberos._tcp.<<SiteName of the local DC>>._sites.<<DnsDomainName of the local DC>>" DNS service (SRV) resource record

  1. Open the DNS Manager snap-in. To open DNS Manager, click Start, click Administrative Tools, and then click DNS.

  2. In the console tree, expand the applicable forward lookup zone, expand the <<DnsDomainName of the local DC>> node, expand _sites, expand the <<SiteName of the local DC>> node, and then click _tcp.

  3. In the details pane, locate the _kerberos record.

To verify the mnemonics that are specified for the "DC Locator DNS records not registered by the DCs" Group Policy setting

  1. Open the Group Policy Management snap-in. To open Group Policy Management, click Start, click Administrative Tools, and then click Group Policy Management.

  2. To determine if the Group Policy setting DC Locator DNS records not registered by the DCs is set by one or more Group Policy objects (GPOs), in Group Policy Management, right-click Group Policy Results, and then click Group Policy Results Wizard. Run the Group Policy Results Wizard for this domain controller.

    If the Group Policy setting DC Locator DNS records not registered by the DCs is set, it appears in the generated Group Policy results in the Group Policy Management snap-in.

  3. In the Group Policy Management console tree, expand Group Policy Results, and then select the generated results report.

  4. To view the list of mnemonics that correspond to the DNS records that should not be registered by this domain controller, in the details pane, expand Administrative Templates, and then expand System/Net Logon/DC Locator DNS Records.

Membership in System Admins, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To verify or edit the value of the DnsAvoidRegisterRecords registry key

  1. Open the Registry Editor snap-in. To open Registry Editor, click Start, click Run, and then type regedit.

  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.

  3. To view or edit the list of mnemonics that correspond to the DNS records that should not be registered by this domain controller, double-click the DnsAvoidRegisterRecords multivalued registry key.
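The same checks the three procedures above walk through, run read-only from the domain controller, as an added PowerShell example that is not part of this topic or of Microsoft's tooling. It assumes the Resolve-DnsName cmdlet (Windows Server 2012) and assumes that the Group Policy-applied copy of the mnemonic list is written under HKLM\SOFTWARE\Policies\Microsoft\Netlogon\Parameters.

```powershell
# Added example (not from the BPA topic): read-only check of the Rfc1510KdcAtSite mnemonic in
# both the direct registry list and the policy-applied list (policy path is an assumption),
# then of the site-specific _kerberos SRV record this DC is expected to register.
$mnemonic = 'Rfc1510KdcAtSite'

function Get-AvoidList([string]$Path) {
    # A REG_MULTI_SZ edited by hand arrives as string[]; a policy-written value may be one
    # space-separated string, so both shapes are normalised to a single array of mnemonics.
    $v = (Get-ItemProperty -Path $Path -Name DnsAvoidRegisterRecords -ErrorAction SilentlyContinue).DnsAvoidRegisterRecords
    if ($null -eq $v) { return @() }
    return @($v) -split '\s+' | Where-Object { $_ }
}

foreach ($path in 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters',
                  'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters') {
    $list = Get-AvoidList $path
    if ($list -contains $mnemonic) { Write-Warning "$mnemonic is suppressed via $path" }
    else { Write-Host "OK: $mnemonic is not suppressed in $path" }
}

# Build the expected record name from this DC's own site and domain, then resolve it.
$site   = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
$fqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$srv    = "_kerberos._tcp.$site._sites.$domain"

$targets = Resolve-DnsName -Name $srv -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget
if ($targets -contains $fqdn) { Write-Host "OK: $srv points to $fqdn" }
elseif ($targets) { Write-Warning "$srv exists but lists only: $($targets -join ', ')" }
else { Write-Warning "$srv is not registered; once the mnemonic is cleared, run Restart-Service Netlogon and re-check" }
```

The script changes nothing; clearing the mnemonic and restarting Netlogon remain the manual steps described in the Resolution section.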

Additional references

For more information, see DNS Support for Active Directory Tools and Settings (https://go.microsoft.com/fwlink/?LinkID=136428).