Verify DNS registration for domain controllers using the nslookup command

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To verify DNS registration for domain controllers using the nslookup command

  1. Open Command Prompt.

  2. Type:

    nslookup

  3. After the previous command completes, at the nslookup (">") prompt type:

    set q=rr_type

  4. After the previous command completes, type:

    _ldap._tcp.dc._msdcs.Active_Directory_domain_name

  5. Review the output of the previous SRV query and determine if further action is needed based on whether the previous query succeeded or failed:

    • If the query succeeded, review the registered SRV RRs returned in the query to determine if all domain controllers for your Active Directory domain are included and registered using valid IP addresses.

    • If the query failed, continue troubleshooting dynamic update or DNS server related issues to determine the exact cause of the problem.

Value / Description

nslookup

    The name of the command-line program.

_ldap._tcp.dc._msdcs.Active_Directory_domain_name

    The DNS name configured for use with your Active Directory domain and any of its associated domain controllers.

    For example, if the DNS domain name of your Active Directory domain is example.microsoft.com, type:

        _ldap._tcp.dc._msdcs.example.microsoft.com.

set q=

    The command to send the query to the root server.

rr_type

    The resource record (RR) type to apply as a filter for subsequent lookups.

    For example, in this instance, because you want to limit subsequent name queries to filter and return only service location (SRV) RRs that use a specified name, type:

        set q=srv
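The review in step 5 can be done mechanically on saved nslookup output. The following is an added Python example, not part of the original procedure or of any Microsoft tool: it extracts the SRV targets and their addresses and compares them with the domain controllers you expect. `EXPECTED_DCS`, the function names, and the sample output are constructed for illustration.

```python
import re

# Constructed sample in the nslookup output format shown on this page; dc2's address is altered on purpose.
SAMPLE_OUTPUT = """\
Server:  dc1.example.microsoft.com
Address:  10.0.0.14
_ldap._tcp.dc._msdcs.example.microsoft.com   SRV service location:
          priority       = 0
          weight         = 0
          port           = 389
          svr hostname   = dc1.example.microsoft.com
_ldap._tcp.dc._msdcs.example.microsoft.com   SRV service location:
          priority       = 0
          weight         = 0
          port           = 389
          svr hostname   = dc2.example.microsoft.com
dc1.example.microsoft.com     internet address = 10.0.0.14
dc2.example.microsoft.com     internet address = 10.0.0.99
"""

# Hypothetical inventory: the domain controllers you expect and their addresses.
EXPECTED_DCS = {
    "dc1.example.microsoft.com": "10.0.0.14",
    "dc2.example.microsoft.com": "10.0.0.15",
    "dc3.example.microsoft.com": "10.0.0.16",
}

def parse_nslookup_srv(text):
    """Return (set of SRV target hostnames, {hostname: address}) from nslookup output."""
    targets = {m.lower().rstrip(".") for m in
               re.findall(r"^\s*svr hostname\s*=\s*(\S+)", text, re.M)}
    addrs = {h.lower().rstrip("."): ip for h, ip in
             re.findall(r"^(\S+)\s+internet address\s*=\s*(\S+)", text, re.M)}
    return targets, addrs

def audit_dc_registration(text, expected):
    """Compare the SRV targets and addresses DNS returned with the expected inventory."""
    targets, addrs = parse_nslookup_srv(text)
    findings = [("missing_srv", h) for h in sorted(set(expected) - targets)]
    findings += [("unexpected_srv", h) for h in sorted(targets - set(expected))]
    for host in sorted(targets & set(expected)):
        if host not in addrs:
            findings.append(("no_address", host))       # SRV target has no A record in the reply
        elif addrs[host] != expected[host]:
            findings.append(("address_mismatch", host))  # registered with an unexpected IP
    return findings

if __name__ == "__main__":
    print(audit_dc_registration(SAMPLE_OUTPUT, EXPECTED_DCS))
```

An `unexpected_srv` finding means a host you do not recognize as a domain controller is registered under the domain's `_msdcs` locator name and should be investigated before it is removed.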

Notes

  • Performing this task does not require you to have administrative credentials. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

  • To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

  • To view the complete syntax for this command, at a command prompt, type:

    nslookup, press Enter and then type help

  • In some cases, when performing the above procedure, you might see several time-outs reported. This happens when reverse lookup is not configured for DNS servers servicing the same DNS domain as your Active Directory domain.

  • The following is an example of command-line output for an Nslookup session, used to verify service location (SRV) resource records that are registered by domain controllers. In this example, the two domain controllers are dc1 and dc2 and are registered for the "example.microsoft.com" domain.

    C:\>nslookup
    Default Server:  dc1.example.microsoft.com
    Address:  10.0.0.14
    > set type=srv
    > _ldap._tcp.dc._msdcs.example.microsoft.com
    Server:  dc1.example.microsoft.com
    Address:  10.0.0.14
    _ldap._tcp.dc._msdcs.example.microsoft.com   SRV service location:
              priority       = 0
              weight         = 0
              port           = 389
              svr hostname   = dc1.example.microsoft.com
    _ldap._tcp.dc._msdcs.example.microsoft.com   SRV service location:
              priority       = 0
              weight         = 0
              port           = 389
              svr hostname   = dc2.example.microsoft.com
    dc1.example.microsoft.com     internet address = 10.0.0.14
    dc2.example.microsoft.com     internet address = 10.0.0.15
    
  • The nslookup command is a standard command-line tool provided in most DNS service implementations. It offers the ability to perform query testing of DNS servers and obtain detailed responses as the command output. This information is useful in troubleshooting name resolution problems, verifying that resource records (RRs) are added or updated correctly in a zone, and debugging other server-related problems.

  • Verify that resource records used to register services and critical hosts, such as domain controllers, are correctly added to zones.

    In some cases, you might need to manually add or verify registration of the service location (SRV) resource records used to support Windows Server 2003 domain controllers.

    To add the SRV resource records that have been created for a domain controller, open and view the Netlogon.dns file, created by the Active Directory Installation wizard when a server computer is promoted to a domain controller. It can be found at:

    systemroot\System32\Config\Netlogon.dns

  • The resource records used in this file are listed in RFC-compliant text-file format. When verifying these records, look for the following records:

    _ldap._tcp.Active_Directory_domain_name IN SRV 0 0 389 ldap_server_name
    _ldap._tcp.dc._msdcs.Active_Directory_domain_name IN SRV 0 0 389 domain_controller_name

    In some cases, you might need to modify the Lightweight Directory Access Protocol (LDAP) server name if you are using a non-domain controller as an LDAP server for your network.

  • The Net Logon service on each domain controller registers, as appropriate, a number of different DNS resource records with DNS servers. To learn more about these records and how Net Logon updates DNS, obtain additional technical information on DNS available from the Microsoft Web site. For more information, see Related Topics.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Troubleshooting DNS servers
Nslookup subcommands
Nslookup
Using online resources
DNS RFCs