Windows Client resolve Realm KDC over DNS

Andrin Vocat avocat at
Thu Aug 28 12:08:21 EDT 2008

I read some threads with the same problem but without any solution, so I will try it again.
Today we have four completely separate Active Directories with thousands of clients.
I implemented a MIT KDC to build a shared resource Realm for SSO.
Now I want to deploy that to all clients.
The client sends a TGS request to its AD controller, and the DC sends a referral with the resource Realm.
At this point the client needs to evaluate which KDC is responsible for the Realm.
The easiest way is to configure it on the client (ksetup /AddKdc [Realm] [KDC]). If there is no configuration, the client tries to
resolve the KDC over DNS (SRV _kerberos._tcp.dc._msdcs.[domain]).
ksetup on each client would take a long time and be a lot of work. I added this DNS settings entry with a pointer to the
The client resolved it successfully and does a CLDAP query -> no response (or ICMP).
I read that a CLDAP query is something like an AD ping, to check if the AD is responsible for the domain and available.
Is there a way to switch this setting off (CLDAP Query)? Or could I emulate the required response, for example with
Any ideas?
Andrin Vocat
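The post describes the client's lookup order: a static ksetup mapping first, then the DNS SRV record, then a CLDAP ping of whatever the SRV record points at. The script below is an added example (not from the poster or the Kerberos project) that makes the static mapping deployable as a startup or logon script, so the client never reaches the CLDAP step for the MIT realm; the realm and KDC names are placeholders, and the registry path is assumed to be where ksetup stores its realm settings (verify with ksetup /dumpstate).

```powershell
# Added example: idempotently register the KDCs of a MIT realm on a Windows
# client with ksetup, so the Kerberos client uses the static mapping instead
# of falling back to DNS SRV discovery plus the CLDAP ping that a MIT KDC
# does not answer. Realm and KDC names below are placeholders.
param(
    [string]$Realm = 'RESOURCE.EXAMPLE',                                   # placeholder realm
    [string[]]$Kdcs = @('kdc1.resource.example', 'kdc2.resource.example')  # placeholder KDCs
)

# Assumption: ksetup keeps per-realm settings under this key, with the KDC
# list in the REG_MULTI_SZ value KdcNames. Used only for the idempotency check.
$realmKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\$Realm"

function Get-ConfiguredKdcs {
    if (Test-Path $realmKey) {
        (Get-ItemProperty -Path $realmKey -Name KdcNames -ErrorAction SilentlyContinue).KdcNames
    }
}

function Show-DnsFallback {
    # Shows the SRV name the client queries when no static mapping exists
    # (the same name quoted in the post). Requires the DnsClient module.
    $srv = "_kerberos._tcp.dc._msdcs.$($Realm.ToLower())"
    Write-Output "Without a static mapping the client would query SRV $srv"
    Resolve-DnsName -Name $srv -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { Write-Output "  SRV target: $($_.NameTarget):$($_.Port)" }
}

$current = @(Get-ConfiguredKdcs)
if ($current.Count -eq 0) { Show-DnsFallback }

foreach ($kdc in $Kdcs) {
    if ($current -contains $kdc) {
        Write-Output "KDC $kdc already configured for $Realm, skipping"
        continue
    }
    # ksetup is the tool named in the post; it writes the realm-to-KDC mapping.
    & ksetup.exe /AddKdc $Realm $kdc
    if ($LASTEXITCODE -ne 0) {
        throw "ksetup /AddKdc $Realm $kdc failed (exit code $LASTEXITCODE)"
    }
}

# Dump the resulting state so the run can be checked in the startup-script log.
& ksetup.exe /dumpstate
```

Run it elevated (ksetup writes to HKLM); assigning it as a computer startup script via Group Policy covers all clients without touching each one by hand.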
