Verify DNS Registration for Domain Controllers Using the nslookup Command

Applies To: Windows Server 2008

The nslookup command is a standard command-line tool that is provided in most Domain Name System (DNS) implementations. You can use this tool to perform query-testing of DNS servers and obtain detailed responses as command output. This information is useful in troubleshooting name resolution problems, verifying that resource records are added or updated correctly in a zone, and debugging other server-related problems.

You can use this procedure to verify DNS registration for domain controllers using the nslookup command.

You do not need administrative credentials to perform this procedure. Therefore, as a security best practice, consider performing this procedure as a user without administrative credentials.

To verify DNS registration for domain controllers using the nslookup command

  1. Open a command prompt. To open a Command Prompt window, click Start, point to All Programs, click Accessories, and then click Command Prompt.

  2. At the command prompt, type the following command, and then press ENTER:

    nslookup
    
  3. At the nslookup (">") prompt, type the following command, and then press ENTER:

    set q=SRV 
    
  4. After the previous command completes, type the following command, and then press ENTER:

    _ldap._tcp.dc._msdcs.<AD_DS_domain_name>
    

    Where _ldap._tcp.dc._msdcs.<AD_DS_domain_name> is the DNS name under which every domain controller of your Active Directory domain registers its LDAP service (SRV) resource record, and <AD_DS_domain_name> is the DNS name of the domain (for example, example.microsoft.com).

  5. Review the output of the previous SRV query and determine if further action is needed, based on whether the previous query succeeded or failed:

    • If the query succeeded, review the registered service (SRV) resource records that are returned in the query to determine if all domain controllers for your Active Directory domain are included and registered using valid IP addresses. See “Additional considerations” for an example of the results of a typical query.

    • If the query failed, continue troubleshooting dynamic-update-related or DNS-server-related issues to determine the exact cause of the problem. A quick way to separate the two: if a plain address (A) query for the name of a known domain controller also fails, the DNS server or the client's DNS configuration is the problem; if the address query succeeds but the SRV query returns nothing, the domain controller's Net Logon registration (dynamic update) is the more likely cause.
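The review in step 5 can be done over a saved nslookup transcript rather than by eye. The following is an added Python example, not code from the original page: it parses the SRV answer and the address lines that nslookup prints, then compares the registered targets with the list of domain controllers the administrator expects. The transcript below is constructed to match the example session on this page; the expected-DC list is whatever the caller supplies.

```python
"""Added example: evaluate step 5 of the procedure over a saved nslookup transcript.
The transcript is constructed to match the example session on this page; it was
not captured from a real server. The expected-DC list is supplied by the caller."""
import re
from typing import Dict, List, NamedTuple, Tuple


class SrvRecord(NamedTuple):
    name: str       # owner name, e.g. _ldap._tcp.dc._msdcs.example.microsoft.com
    priority: int
    weight: int
    port: int
    target: str     # svr hostname


# Constructed transcript of "set q=SRV" followed by the _msdcs query.
SAMPLE_OUTPUT = """\
Server:  dc1.example.microsoft.com
Address:  10.0.0.14

_ldap._tcp.dc._msdcs.example.microsoft.com      SRV service location:
          priority       = 0
          weight         = 0
          port           = 389
          svr hostname   = dc1.example.microsoft.com
_ldap._tcp.dc._msdcs.example.microsoft.com      SRV service location:
          priority       = 0
          weight         = 0
          port           = 389
          svr hostname   = dc2.example.microsoft.com
dc1.example.microsoft.com       internet address = 10.0.0.14
dc2.example.microsoft.com       internet address = 10.0.0.15
"""

_SRV_HEAD = re.compile(r"^(\S+)\s+SRV service location:\s*$")
_FIELD = re.compile(r"^\s+(priority|weight|port|svr hostname)\s*=\s*(\S+)\s*$")
_ADDR = re.compile(r"^(\S+)\s+internet address\s*=\s*(\S+)\s*$")


def parse_nslookup_srv(text: str) -> Tuple[List[SrvRecord], Dict[str, List[str]]]:
    """Parse nslookup's SRV answer. Returns the SRV records and a map of
    hostname -> IPv4 addresses taken from the 'internet address' lines that
    the server returned as additional data."""
    records: List[SrvRecord] = []
    glue: Dict[str, List[str]] = {}
    current: Dict[str, str] = {}
    for line in text.splitlines():
        head = _SRV_HEAD.match(line)
        if head:
            current = {"name": head.group(1).lower().rstrip(".")}
            continue
        field = _FIELD.match(line)
        if field and current:
            key, value = field.groups()
            current[key] = value.lower().rstrip(".")
            if key == "svr hostname":            # last field nslookup prints per record
                records.append(SrvRecord(
                    current["name"],
                    int(current.get("priority", 0)),
                    int(current.get("weight", 0)),
                    int(current.get("port", 0)),
                    current["svr hostname"],
                ))
                current = {}
            continue
        addr = _ADDR.match(line)
        if addr:
            glue.setdefault(addr.group(1).lower().rstrip("."), []).append(addr.group(2))
    return records, glue


def check_dc_registration(text: str, expected_dcs: List[str]) -> Dict[str, object]:
    """Step 5 of the procedure: every known DC must appear as an SRV target on
    port 389 with an address, and nothing else should be registered there.
    An empty 'problems' list means registration looks correct."""
    records, glue = parse_nslookup_srv(text)
    expected = {dc.lower().rstrip(".") for dc in expected_dcs}
    registered = {r.target for r in records}
    problems: List[str] = []
    for dc in sorted(expected - registered):
        problems.append(f"{dc}: no SRV record; check Net Logon registration / dynamic update")
    for dc in sorted(registered - expected):
        problems.append(f"{dc}: SRV record for a host that is not a known DC (stale or unauthorized)")
    for rec in records:
        if rec.port != 389:
            problems.append(f"{rec.target}: LDAP SRV record advertises port {rec.port}, not 389")
        if rec.target not in glue:
            problems.append(f"{rec.target}: no address returned for the SRV target")
    return {"registered": sorted(registered), "addresses": glue, "problems": problems}
```

Paste the nslookup session into a file and pass its contents as `text`; the "registered" list is what step 5 asks you to compare against your known domain controllers, and the extra-host check catches a stale record left behind by a demoted domain controller or an unexpected dynamic update.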

Parameter Description

nslookup

The command-line program for query-testing DNS servers.

_ldap._tcp.dc._msdcs.<AD_DS_domain_name>

The DNS name under which every domain controller of an Active Directory domain registers its LDAP service (SRV) resource record. <AD_DS_domain_name> is the DNS name of your Active Directory domain.

For example, if the DNS domain name of your Active Directory domain is example.microsoft.com, type:

_ldap._tcp.dc._msdcs.example.microsoft.com.

The trailing period marks the name as fully qualified, so that nslookup does not append a DNS suffix from the client's search list before sending the query.

set q=

Sets the resource record type that subsequent queries ask for. q is short for querytype; set type= is an equivalent form. The command changes the query type only and does not send a query itself.

SRV

The resource record type to apply as a filter for subsequent lookups. With the query type set to SRV, nslookup asks only for service location records; the address lines that appear after the SRV records in the example under "Additional considerations" are additional data that the DNS server returns alongside the answer.

Additional considerations

  • To view the complete syntax for this command, at a command prompt, type nslookup, and then press ENTER. Type help, and then press ENTER.

  • In some cases, when you perform this procedure you might see several time-outs reported. nslookup attempts a reverse (PTR) lookup of the DNS server's IP address in order to print the Default Server name; if no reverse lookup zone covers the DNS servers that service the same DNS domain as your Active Directory domain, those lookups time out. The time-outs do not affect the SRV query itself.

  • The following is an example of command-line output for an Nslookup session that was used to verify service (SRV) resource records that are registered by domain controllers. In this example, the two domain controllers are dc1 and dc2. They are registered for the "example.microsoft.com" domain. Lines that begin with ">" are typed at the nslookup prompt; set type=srv is equivalent to the set q=SRV command used in step 3.

    C:\>nslookup
    Default Server:  dc1.example.microsoft.com
    Address:  10.0.0.14

    > set type=srv
    > _ldap._tcp.dc._msdcs.example.microsoft.com
    Server:  dc1.example.microsoft.com
    Address:  10.0.0.14

    _ldap._tcp.dc._msdcs.example.microsoft.com      SRV service location:
              priority       = 0
              weight         = 0
              port           = 389
              svr hostname   = dc1.example.microsoft.com
    _ldap._tcp.dc._msdcs.example.microsoft.com      SRV service location:
              priority       = 0
              weight         = 0
              port           = 389
              svr hostname   = dc2.example.microsoft.com
    dc1.example.microsoft.com       internet address = 10.0.0.14
    dc2.example.microsoft.com       internet address = 10.0.0.15
    
  • Verify that resource records that are used to register services and critical hosts, such as domain controllers, are added to zones correctly.

    In some cases, you might have to manually add or verify registration of the service (SRV) resource records that are used to support domain controllers.

    To find out which service (SRV) resource records a domain controller is supposed to register, open and view its Netlogon.dns file, which the Active Directory Domain Services Installation Wizard creates when you add Active Directory Domain Services (AD DS) to a server computer to make it a domain controller. The file is located at %systemroot%\System32\Config\Netlogon.dns. Each domain controller's Netlogon.dns lists only the records that that domain controller registers, so check the file on each domain controller that is missing from the nslookup output.

  • The resource records in the Netlogon.dns file are listed in standard DNS zone file (master file) text format, one record per line, as described in RFC 1035. When you verify resource records, look for the following records:

    _ldap._tcp.<AD_DS_domain_name> IN SRV 0 0 389 <ldap_server_name>

    _ldap._tcp.dc._msdcs.<AD_DS_domain_name> IN SRV 0 0 389 <domain_controller_name>

    The four values after SRV are priority, weight, port, and target host. In some cases, you may have to modify the Lightweight Directory Access Protocol (LDAP) server name in the _ldap._tcp.<AD_DS_domain_name> record if you are using a server that is not a domain controller as an LDAP server for your network; the _ldap._tcp.dc._msdcs record must always point at a domain controller.

  • The Net Logon service on each domain controller registers, as appropriate, a number of different DNS resource records with DNS servers. To learn more about these records and how Net Logon updates DNS, obtain additional technical information on DNS available from the Microsoft Web site.
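To turn the Netlogon.dns records into a checklist for the nslookup procedure above, here is an added Python example that is not from the original page. It assumes you have copied the lines from each domain controller's Netlogon.dns into one text (each file lists only the records of the domain controller that wrote it) and that you have the set of targets nslookup returned for each name. The file contents and the observed results below are constructed; the weight of 100 is what Net Logon writes by default, whereas the page's templates show 0.

```python
"""Added example: parse Netlogon.dns (concatenated from every DC) into the SRV
records each domain controller should have registered, list the nslookup queries
needed to check them, and report what DNS did not return. All data is constructed."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed: the relevant lines from dc1's and dc2's Netlogon.dns, concatenated.
# Real files also contain gc, kerberos-password and site-specific names.
NETLOGON_DNS = """\
example.microsoft.com. 600 IN A 10.0.0.14
_ldap._tcp.example.microsoft.com. 600 IN SRV 0 100 389 dc1.example.microsoft.com.
_ldap._tcp.dc._msdcs.example.microsoft.com. 600 IN SRV 0 100 389 dc1.example.microsoft.com.
_kerberos._tcp.dc._msdcs.example.microsoft.com. 600 IN SRV 0 100 88 dc1.example.microsoft.com.
example.microsoft.com. 600 IN A 10.0.0.15
_ldap._tcp.example.microsoft.com. 600 IN SRV 0 100 389 dc2.example.microsoft.com.
_ldap._tcp.dc._msdcs.example.microsoft.com. 600 IN SRV 0 100 389 dc2.example.microsoft.com.
_kerberos._tcp.dc._msdcs.example.microsoft.com. 600 IN SRV 0 100 88 dc2.example.microsoft.com.
"""

# owner [ttl] IN SRV priority weight port target   (the TTL field is optional)
_SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)"
    r"\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$",
    re.IGNORECASE,
)


def expected_srv(netlogon_text: str) -> Dict[str, Dict[str, int]]:
    """Map owner name -> {target host: port} for every SRV line in the text.
    Non-SRV lines (A records, blank lines, ';' comments) are ignored."""
    expected: Dict[str, Dict[str, int]] = defaultdict(dict)
    for raw in netlogon_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop zone-file comments
        m = _SRV_LINE.match(line)
        if m:
            owner = m.group("owner").lower().rstrip(".")
            target = m.group("target").lower().rstrip(".")
            expected[owner][target] = int(m.group("port"))
    return dict(expected)


def nslookup_queries(expected: Dict[str, Dict[str, int]]) -> List[str]:
    """The commands to type at the nslookup prompt: set the type once, then
    query each owner name with a trailing period so no suffix is appended."""
    return ["set q=SRV"] + [owner + "." for owner in sorted(expected)]


def missing_registrations(expected: Dict[str, Dict[str, int]],
                          observed: Dict[str, Iterable[str]]) -> Dict[str, List[str]]:
    """observed: owner name -> targets that nslookup actually returned.
    Returns {owner: [missing targets]}, omitting owners with nothing missing."""
    missing: Dict[str, List[str]] = {}
    for owner, targets in expected.items():
        seen = {t.lower().rstrip(".") for t in observed.get(owner, ())}
        absent = sorted(set(targets) - seen)
        if absent:
            missing[owner] = absent
    return missing
```

Run `nslookup_queries` first to get the exact names to type, record the svr hostname values nslookup returns for each, and feed them to `missing_registrations`; any owner that comes back in the result is a record that Net Logon on that domain controller did not manage to register and that you may have to add manually.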