Windows DNS registers duplicate SRV records for a DC if its computer name has uppercase letters

Applies to: Windows Server 2019, all editions; Windows Server 2016

Symptoms


You have one or more Windows Server 2019-based or Windows Server 2016-based domain controllers (DCs) in a deployment that uses AD DS-integrated DNS zones. At least one of the DCs has a computer name that includes uppercase characters.

In this situation, you notice that the DNS records for the domain include duplicate server location (SRV) records for the DCs that have uppercase characters in their computer names. One record includes the computer name in the RDATA in all lowercase characters, and one record includes the computer name in the RDATA in the same character case as the computer name.

Cause


This behavior occurs because of a change in how the Windows Server DNS functionality manages the RDATA segment of an SRV record. In Windows Server 2012 R2 and earlier versions, the RDATA segment contains only lowercase letters. If a computer name contains uppercase letters, the DNS functionality converts them to lowercase. However, the Windows Server 2016 (or later version) DNS functionality accepts uppercase and lowercase letters.

When the DNS server checks whether a computer name already has an associated SRV record, it does not account for differences in case. Therefore, it treats "winserv16.contoso.com" and "WinServ16.contoso.com" as different names.

For this reason, you may see unexpected effects if you use the following configurations:

  • All the DNS servers and DCs in the domain have been upgraded from Windows Server 2012 R2 (or an earlier version) to Windows Server 2016 (or a later version). The DNS database may generate extra SRV records for any DC that has uppercase characters in its computer name.
  • All the DNS servers and DCs in the domain run Windows Server 2012 or earlier. You install the DNS server role on a Windows Server 2016 member server, and then you promote that member server to a DC in the same domain. If the Windows Server 2016 DC has uppercase characters in its computer name, it will have extra SRV records in DNS.
  • You have a domain that contains DCs and DNS servers that run various versions of Windows Server. The primary DNS server is a DC that runs Windows Server 2012 or earlier, and the secondary DNS server is a Windows Server 2016 DC. The primary DNS server becomes unavailable, and you change the Windows Server 2016 DC to be the new primary DNS server. After this change, the DNS database may generate extra SRV records for any DC that has uppercase characters in its computer name. 

Resolution


Microsoft has released an update that mitigates this issue. The following table lists the relevant versions of the update for affected versions of Windows.

Version                            Release
Windows Server 2019, version 1903  March 24, 2020—KB4541335 (OS Builds 18362.752 and 18363.752)
Windows Server 2019, version 1809  March 17, 2020—KB4541331 (OS Build 17763.1131)
Windows Server 2016                March 17, 2020—KB4541329 (OS Build 14393.3595)


The update introduces a new Group Policy setting in the NETLOGON.ADMX file, as described in the following table.

Policy name:   Use lowercase DNS host names when registering domain controller SRV records
Policy path:   Computer Configuration\Policies\Administrative Templates\System\Net Logon\DC Locator DNS Records\
Policy values:
  • 1 (default). The policy is enabled. The policy purges duplicate DNS SRV records. When you install the update on a DC, this value becomes part of that DC's default local configuration.
  • 0. The policy is disabled. Under this setting, the problematic behavior continues, and DCs that have computer names that include uppercase characters continue to register SRV records that include those uppercase characters. The value 0 is supported only for emergency or testing use. It should not be used under typical conditions.
If the policy is not configured or the value is missing, the DC falls back to the new default local configuration and treats the policy as enabled.


The update adds the following registry entry that is associated with this policy. (This information is provided for reference only.)

Registry entry:  DnsSrvRecordUseLowerCaseHostNames
Registry subkey: HKLM\Software\Policies\Microsoft\Netlogon\Parameters
Data type:       REG_DWORD
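The following script is an added example, not part of the KB article or of the update itself. It reads the registry value described above on every DC in the domain and reports the effective policy state, applying the rule that a missing value is treated as enabled. It also reports each DC's CurrentBuild and UBR values from the Windows NT\CurrentVersion key so that the build can be compared with the OS Build column of the update table. It assumes the ActiveDirectory module is installed and that PowerShell remoting to the DCs is permitted; the output columns are this example's own choice.

```powershell
# Added example (not from the KB article): audit the
# DnsSrvRecordUseLowerCaseHostNames policy value on every DC in the domain.
$subkey = 'HKLM:\Software\Policies\Microsoft\Netlogon\Parameters'
$value  = 'DnsSrvRecordUseLowerCaseHostNames'

# Assumes the ActiveDirectory module and WinRM access to each DC.
$dcs = (Get-ADDomainController -Filter *).HostName

Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($subkey, $value)

    $item = Get-ItemProperty -Path $subkey -Name $value -ErrorAction SilentlyContinue

    # Per the KB: a missing value means the DC falls back to the default and
    # treats the policy as enabled, so only an explicit 0 is a finding.
    $state = if ($null -eq $item)        { 'NotConfigured (treated as enabled)' }
             elseif ($item.$value -eq 1) { 'Enabled' }
             elseif ($item.$value -eq 0) { 'Disabled (mixed-case SRV records still registered)' }
             else                        { "Unexpected value $($item.$value)" }

    # CurrentBuild.UBR matches the "OS Build" notation used in the update table.
    $nt = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    [pscustomobject]@{
        DomainController = $env:COMPUTERNAME
        OsBuild          = '{0}.{1}' -f $nt.CurrentBuild, $nt.UBR
        PolicyState      = $state
    }
} -ArgumentList $subkey, $value |
    Sort-Object DomainController |
    Format-Table DomainController, OsBuild, PolicyState -AutoSize
```

A DC whose OsBuild is below the build listed for its version in the table has not received the update, and its policy state is meaningless until it does; a DC that reports Disabled is still registering mixed-case records and will need the cleanup described in the next section after the policy is re-enabled.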


After you install the update

When you install the update (or enable the policy in an environment in which it has been disabled), the Netlogon service makes a best-effort attempt to remove existing DNS records that have uppercase characters. 

We recommend that you install this fix (or enable the policy), and then wait a day or two to allow time for Netlogon to acquire and apply the new setting. Then, wait long enough for the changes to replicate throughout the environment. After that time, examine the DNS records for any remaining duplicates. It is likely that the policy will miss some duplicate records. In that case, you must remove those records manually.

You can use the following Windows PowerShell command to review records:

Get-DnsServerResourceRecord -ZoneName "contoso.com" -RRType Srv


To remove the remaining duplicate records, run the following PowerShell command:

Remove-DnsServerResourceRecord -ZoneName "contoso.com" -RRType Srv -Name "<hostname of record to delete>" -RecordData "<recorddata of record to delete>"
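Picking the leftover duplicates out of the Get-DnsServerResourceRecord output by hand is error-prone in a domain with many sites, because each DC registers dozens of SRV names. The following script is an added example, not code from the KB article: it groups the SRV records of each zone by owner name, port and case-folded target host, and reports (or, with -Remove, deletes) the mixed-case copy only when an all-lowercase twin for the same service exists, so a DC never loses its only locator record for a service. The zone names, the -ComputerName target and the parameter names are assumptions for this example; most AD DS deployments keep the _msdcs records in a separate zone, which is why both zones are listed.

```powershell
# Added example (not from the KB article): find SRV records that duplicate
# another SRV record except for letter case in the target host name, and
# remove the mixed-case copy. Reports only unless -Remove is given.
param(
    [string[]] $ZoneName  = @('contoso.com', '_msdcs.contoso.com'),  # assumed zone names
    [string]   $DnsServer = $env:COMPUTERNAME,                        # local DNS server by default
    [switch]   $Remove                                                # delete instead of report
)

foreach ($zone in $ZoneName) {
    $srv = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -RRType Srv

    # Two SRV records describe the same service instance when owner name, port
    # and target host match ignoring case (DNS names are case-insensitive).
    $groups = $srv | Group-Object -Property {
        '{0}|{1}|{2}' -f $_.HostName.ToLowerInvariant(), $_.RecordData.Port, $_.RecordData.DomainName.ToLowerInvariant()
    }

    foreach ($g in ($groups | Where-Object Count -gt 1)) {
        # Case-sensitive split: the lowercase record is the one Netlogon keeps.
        $lower = $g.Group | Where-Object { $_.RecordData.DomainName -ceq $_.RecordData.DomainName.ToLowerInvariant() }
        $mixed = $g.Group | Where-Object { $_.RecordData.DomainName -cne $_.RecordData.DomainName.ToLowerInvariant() }

        # Only delete a mixed-case record when an all-lowercase twin exists;
        # otherwise the DC would be left without a locator record for that service.
        if (-not $lower -or -not $mixed) { continue }

        foreach ($rec in $mixed) {
            $desc = '{0} {1} -> {2} (port {3})' -f $zone, $rec.HostName, $rec.RecordData.DomainName, $rec.RecordData.Port
            if ($Remove) {
                # -InputObject removes exactly this record, avoiding the need to
                # reproduce the SRV RecordData string by hand.
                Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -InputObject $rec -Force
                Write-Output "Removed duplicate SRV record: $desc"
            } else {
                Write-Output "Duplicate SRV record (mixed-case target): $desc"
            }
        }
    }
}
```

Run it first without -Remove on the DNS server that holds the zones and check the list against the Get-DnsServerResourceRecord output; the records it names should each have a lowercase counterpart with the same owner name and port. Because the zones are AD-integrated, the deletions replicate to the other DCs, so the cleanup only needs to be run once per zone.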


Disabling the policy does not require any cleanup.

Workarounds


Preventing duplicate SRV records

You can use the following methods to prevent Windows DNS from creating duplicate SRV records:

  • Before you promote a member server to a DC or before you upgrade a DC to Windows Server 2016 or a later version, make sure that its computer name contains only lowercase characters.
  • Make sure that all internal build processes, tools, and scripts that create, modify, or use computer names also use lowercase characters.
  • If you cannot rename your DCs (or if it will take a long time to do so), configure your DNS topology so that DCs that run Windows Server 2016 or later use DNS servers that run Windows Server 2016 or later. Similarly, configure DCs that run Windows Server 2012 R2 or earlier to use DNS servers that run Windows Server 2012 R2 or earlier.

Removing duplicate SRV records

To work around this issue after you encounter it, you have to rename your DCs by using all lowercase characters. Depending on the details of your deployment, you may have to manually reconfigure settings or remove files. This section provides the following workaround methods, in order of complexity:

Method 1: Rename a DC in a single-DC domain

If you have one DC, use the steps in Renaming a Domain Controller to change the DC's computer name to a new name that contains only lowercase characters. In the case of a single DC, you do not have to demote and repromote it.

Method 2: Rename DCs in a multi-DC domain

If you have more than one DC in your domain, follow these steps for each affected DC:

  1. Demote the DC, and clean up the related metadata. For more information, see Demoting Domain Controllers and Domains and AD Forest Recovery - Cleaning metadata of removed writable domain controllers.
  2. Rename the computer, giving it a name that contains only lowercase characters.
  3. Promote the computer to a DC again.

By the time all the DCs are back online, the duplicate (mixed-case) SRV records should be gone.

Method 3: Rename DCs and remove all stored SRV records

If Method 1 and Method 2 do not provide satisfactory results, follow these steps for each affected DC:

  1. Demote the DC, and clean up the related metadata. For more information, see Demoting Domain Controllers and Domains and AD Forest Recovery - Cleaning metadata of removed writable domain controllers.
  2. On the demoted computer, follow these steps:
    1. Rename the computer, giving it a name that contains only lowercase characters.
    2. Stop the Netlogon service. To do this, open an elevated Command Prompt window, and then run net stop netlogon.
    3. Delete the following files in the C:\Windows\System32\config\ folder:
      • netlogon.dnb
      • netlogon.dns
  3. On one of the other DCs, open Server Manager, select Tools, and then select DNS.
  4. In DNS Manager, inspect the containers under Forward Lookup Zones and then delete the SRV records for the DC that you demoted.
  5. On the renamed computer, start the Netlogon service. To do this, open an elevated Command Prompt window, and then run net start netlogon.
  6. Promote the renamed computer to a DC again.
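Step 4 of Method 3 can be scripted instead of performed in DNS Manager. The following is an added example, not part of the KB article: run on one of the remaining DCs after the demotion and metadata cleanup, it lists (or, with -Remove, deletes) every SRV record in the given zones whose target is the demoted DC's old FQDN, matched case-insensitively so that both the mixed-case and any lowercase leftovers for that host are covered. The zone names and the parameter names are assumptions for this example.

```powershell
# Added example (not from the KB article): scripted equivalent of step 4 of
# Method 3. Removes the SRV records that still point at the demoted DC.
param(
    [Parameter(Mandatory)] [string] $OldDcFqdn,                       # e.g. 'WinServ16.contoso.com' (assumed)
    [string[]] $ZoneName = @('contoso.com', '_msdcs.contoso.com'),   # assumed zone names
    [switch]   $Remove                                                # delete instead of report
)

# RecordData.DomainName is stored as an FQDN with a trailing dot.
$target = $OldDcFqdn.TrimEnd('.') + '.'

foreach ($zone in $ZoneName) {
    # -ieq: DNS names are case-insensitive, so catch every spelling of the old host.
    $stale = Get-DnsServerResourceRecord -ZoneName $zone -RRType Srv |
        Where-Object { $_.RecordData.DomainName -ieq $target }

    if (-not $stale) {
        Write-Output "${zone}: no SRV records point at $target"
        continue
    }

    foreach ($rec in $stale) {
        $desc = '{0} {1} -> {2}' -f $zone, $rec.HostName, $rec.RecordData.DomainName
        if ($Remove) {
            Remove-DnsServerResourceRecord -ZoneName $zone -InputObject $rec -Force
            Write-Output "Removed $desc"
        } else {
            Write-Output "Would remove $desc"
        }
    }
}
```

Run it once without -Remove and confirm that every listed record names the demoted computer and nothing else, then run it with -Remove before re-promoting the renamed computer in step 6; Netlogon re-registers the lowercase records when the new DC starts.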