Nameserver issues related to AD authentication

If Active Directory (AD) is configured as the authentication method, each nameserver declared in the /etc/resolv.conf file is checked for the DNS entries that AD requires.

The DNS zone served by the AD nameservers must contain the following entries (<Realm> is the AD realm):
  • _ldap._tcp.<Realm>
  • _ldap._tcp.dc._msdcs.<Realm>
  • _kerberos._tcp.<Realm>
  • _kerberos._tcp.dc._msdcs.<Realm>
A missing configuration setting triggers one of the following events:
  • dns_ldap_tcp_down
  • dns_ldap_tcp_dc_msdcs_down
  • dns_krb_tcp_down
  • dns_krb_tcp_dc_msdcs_down
These events warn the user that, if the AD-enabled nameservers fail, some services might continue to work but AD-authenticated connections stop working.

If the /etc/resolv.conf file also contains non-AD nameservers, then a dns_query_fail event is triggered.
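The check described above, as an added example that is not part of the original page or the product's own code: it reads the nameservers from resolv.conf text, queries each one for the four required entries, and maps each missing entry to the event the page lists. The lookup callback, the realm, the addresses and the fake zone table are constructed for this example, and treating a nameserver that answers none of the four records as a non-AD nameserver (dns_query_fail) is an assumption.

```python
from typing import Callable, Dict, List

# The four SRV records the page lists, mapped to the event raised when one is missing.
REQUIRED_SRV = {
    "_ldap._tcp.{realm}": "dns_ldap_tcp_down",
    "_ldap._tcp.dc._msdcs.{realm}": "dns_ldap_tcp_dc_msdcs_down",
    "_kerberos._tcp.{realm}": "dns_krb_tcp_down",
    "_kerberos._tcp.dc._msdcs.{realm}": "dns_krb_tcp_dc_msdcs_down",
}
# A lookup takes (nameserver, srv_name) and returns the SRV targets, or [] when absent.
SrvLookup = Callable[[str, str], List[str]]

def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return the addresses from 'nameserver' lines; comments and other keys are ignored."""
    servers = []
    for raw in resolv_conf.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def check_ad_dns(resolv_conf: str, realm: str, lookup: SrvLookup) -> Dict[str, List[str]]:
    """Map each nameserver to the events it would raise. Assumption for this example: a
    nameserver answering none of the four records is a non-AD one and gets dns_query_fail."""
    report = {}
    for ns in parse_nameservers(resolv_conf):
        missing = [event for name, event in REQUIRED_SRV.items()
                   if not lookup(ns, name.format(realm=realm.lower()))]
        report[ns] = ["dns_query_fail"] if len(missing) == len(REQUIRED_SRV) else missing
    return report

# Constructed sample: one AD nameserver missing a record and one public resolver, plus a
# fake zone table standing in for DNS answers (realm and addresses are invented).
SAMPLE_RESOLV_CONF = "search corp.example\nnameserver 10.0.0.53  # AD DC\nnameserver 10.0.0.8\n"
FAKE_ZONES = {
    "10.0.0.53": {
        "_ldap._tcp.corp.example": ["dc1.corp.example"],
        "_ldap._tcp.dc._msdcs.corp.example": ["dc1.corp.example"],
        "_kerberos._tcp.corp.example": ["dc1.corp.example"],
        # _kerberos._tcp.dc._msdcs.corp.example deliberately absent
    },
    "10.0.0.8": {},  # knows nothing about the realm
}

def fake_lookup(nameserver: str, srv_name: str) -> List[str]:
    return FAKE_ZONES.get(nameserver, {}).get(srv_name, [])

if __name__ == "__main__":
    for ns, events in check_ad_dns(SAMPLE_RESOLV_CONF, "CORP.EXAMPLE", fake_lookup).items():
        print(ns, events or "ok")
```

To run it against real DNS, replace fake_lookup with a function that sends the SRV query to the given nameserver and returns the target hosts.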