Specify DC Locator DNS records not registered by the DCs


Quite a long heading, so let’s cut to the chase:

Sometimes we want to hide Domain Controllers. One way to achieve this is by configuring the GPO Element:

Computer Configuration > Policies > Administrative Templates > System > Net Logon > DC Locator DNS Records


Specify DC Locator DNS records not registered by the DCs

This policy setting determines which DC Locator DNS records are not registered by the Net Logon service.

If you enable this policy setting, select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS records that will not be registered by the DCs to which this setting is applied.

Select the mnemonics from the following list:

Mnemonic          Type   DNS Record

LdapIpAddress     A
Ldap              SRV    _ldap._tcp.
LdapAtSite        SRV    _ldap._tcp.._sites.
Pdc               SRV    _ldap._tcp.pdc._msdcs.
Gc                SRV    _ldap._tcp.gc._msdcs.
GcAtSite          SRV    _ldap._tcp.._sites.gc._msdcs.
DcByGuid          SRV    _ldap._tcp..domains._msdcs.
GcIpAddress       A      gc._msdcs.
DsaCname          CNAME  ._msdcs.
Kdc               SRV    _kerberos._tcp.dc._msdcs.
KdcAtSite         SRV    _kerberos._tcp.._sites.dc._msdcs.
Dc                SRV    _ldap._tcp.dc._msdcs.
DcAtSite          SRV    _ldap._tcp.._sites.dc._msdcs.
Rfc1510Kdc        SRV    _kerberos._tcp.
Rfc1510KdcAtSite  SRV    _kerberos._tcp.._sites.
GenericGc         SRV    _gc._tcp.
GenericGcAtSite   SRV    _gc._tcp.._sites.
Rfc1510UdpKdc     SRV    _kerberos._udp.
Rfc1510Kpwd       SRV    _kpasswd._tcp.
Rfc1510UdpKpwd    SRV    _kpasswd._udp.

If you disable this policy setting, DCs configured to perform dynamic registration of DC Locator DNS records register all DC Locator DNS resource records.

If you do not configure this policy setting, DCs use their local configuration.

I will come back later and change the above to a table.

If you simply want to add them all, here’s a list to copy and paste:

LdapIpAddress Ldap LdapAtSite Pdc Gc GcAtSite DcByGuid GcIpAddress Kdc KdcAtSite Dc DcAtSite Rfc1510Kdc Rfc1510KdcAtSite GenericGc GenericGcAtSite Rfc1510UdpKdc Rfc1510Kpwd Rfc1510UdpKpwd

DsaCname is deliberately left out of the list above; it needs to be excluded, otherwise replication may be affected.
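
To confirm the setting took effect, query the domain-wide SRV records and check that the hidden DC is no longer among their targets. The script below is an added example, not part of the original post; the domain and DC names are placeholders. It covers only the domain-wide SRV records and assumes each record name is the prefix from the list above followed by the DNS domain name.

```powershell
# Added example: check whether a "hidden" DC still appears in the domain-wide
# DC Locator SRV records. Both parameter defaults are placeholders.
param(
    [string]$DomainName = 'corp.example.com',            # placeholder DNS domain
    [string]$HiddenDc   = 'dc-hidden.corp.example.com'   # placeholder DC FQDN
)

# Mnemonic -> record prefix, taken from the policy's list (domain-wide SRV only).
# Assumption: the full record name is the prefix followed by the DNS domain name.
$records = [ordered]@{
    Ldap           = '_ldap._tcp.'
    Pdc            = '_ldap._tcp.pdc._msdcs.'
    Kdc            = '_kerberos._tcp.dc._msdcs.'
    Dc             = '_ldap._tcp.dc._msdcs.'
    Rfc1510Kdc     = '_kerberos._tcp.'
    Rfc1510UdpKdc  = '_kerberos._udp.'
    Rfc1510Kpwd    = '_kpasswd._tcp.'
    Rfc1510UdpKpwd = '_kpasswd._udp.'
}

$results = foreach ($mnemonic in $records.Keys) {
    $name = $records[$mnemonic] + $DomainName

    # Keep only SRV answers; a failed lookup simply yields an empty target list.
    $targets = @(
        Resolve-DnsName -Name $name -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { $_.NameTarget.TrimEnd('.') }
    )

    [pscustomobject]@{
        Mnemonic    = $mnemonic
        Record      = $name
        Targets     = $targets -join ', '
        StillListed = $targets -contains $HiddenDc   # -contains is case-insensitive
    }
}

$results | Format-Table -AutoSize

if ($results.StillListed -contains $true) {
    Write-Warning "$HiddenDc is still registered in at least one DC Locator SRV record."
}
```

Records that were registered before the policy applied may remain in DNS until they are deregistered or removed, so a warning right after applying the GPO does not by itself mean the mnemonic list is wrong.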


  1. Hi Damien,

    Thanks for the write-up. Where do we need to map this Group Policy? I believe it should be mapped to the site, but want to confirm.

