Verify DNS consistency for Active Directory binding in macOS

To integrate with Active Directory, macOS clients must be able to find and identify Domain Controllers, Kerberos servers, and Global Catalog servers via DNS.

This article is intended for system administrators. If you are experiencing an issue with your Active Directory account on your Mac, contact the system administrator for your business or school.

Identify Active Directory servers

The DNS system that hosts Active Directory must be complete, correct, and consistent. To identify which Active Directory servers provide the required services, use the following Terminal commands to query DNS records. Replace example.com with the domain name for your Active Directory.

dns-sd -q _ldap._tcp.example.com SRV
dns-sd -q _kerberos._tcp.example.com SRV
dns-sd -q _kpasswd._tcp.example.com SRV
dns-sd -q _gc._tcp.example.com SRV

After you receive the results, press Control-C on your keyboard to exit the query.

View example outputs

Successful lookups return one or more results in the Rdata column of the output, similar to this:

macosclient$ dns-sd -q _ldap._tcp.example.com srv
DATE: ---Wed 12 Sep 2018---
10:14:56.212  ...STARTING...
Timestamp     A/R Flags if Name                    Type Class Rdata
10:14:56.213  Add     3  0 _ldap._tcp.example.com. SRV  IN    0 100 389 dc1.example.com.
10:14:56.214  Add     2  0 _ldap._tcp.example.com. SRV  IN    0 100 389 dc5.example.com.

Verify the results

Verify that the results from the previous commands resolve to an IP address.

Use the following command and replace dc1.example.com with the fully qualified domain name returned in the Rdata column of the previous commands.

dns-sd -q dc1.example.com

Your result should look similar to this:

macosclient$ dns-sd -q dc1.example.com
DATE: ---Wed 12 Sep 2018---
10:23:22.866  ...STARTING...
Timestamp     A/R Flags if Name             Type Class Rdata
10:23:22.867  Add     2  0 dc1.example.com. Addr IN    10.0.100.1

Verify that the results for each service record type correctly map to an IP address.
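
The cross-check described above can be scripted once the dns-sd output has been saved to files. The following is an added example, not part of the original article: the function names are hypothetical, the sample captures are constructed from the outputs shown above (the failing dc5 row is invented), and it assumes that dns-sd marks a negative answer with "No Such Record" in the Rdata column.

```shell
#!/bin/sh
# Added example: checks captured `dns-sd -q` output for SRV targets that lack
# an address answer. Columns: Timestamp A/R Flags if Name Type Class Rdata.

# Print "target port" for each SRV answer (Rdata = priority weight port target).
srv_targets() {
  awk '$2 == "Add" && $6 == "SRV" && !/No Such Record/ { print $11, $10 }' "$@" | sort -u
}

# Print each name that has at least one real address answer.
resolved_hosts() {
  awk '$2 == "Add" && $6 == "Addr" && !/No Such Record/ { print $5 }' "$@" | sort -u
}

# $1 = SRV capture, $2 = address capture. Lists SRV targets with no address
# answer and returns 1 if there are any, 0 otherwise.
unresolved_targets() {
  missing=$(srv_targets "$1" | awk '{ print $1 }' | sort -u |
    while read -r host; do
      resolved_hosts "$2" | grep -qxF "$host" || echo "$host"
    done)
  [ -z "$missing" ] && return 0
  printf '%s\n' "$missing"
  return 1
}

# Constructed sample captures (dc5 failure row is invented for the demo).
sample_srv() { cat <<'EOF'
Timestamp     A/R Flags if Name                    Type Class Rdata
10:14:56.213  Add     3  0 _ldap._tcp.example.com. SRV  IN    0 100 389 dc1.example.com.
10:14:56.214  Add     2  0 _ldap._tcp.example.com. SRV  IN    0 100 389 dc5.example.com.
EOF
}
sample_addr() { cat <<'EOF'
Timestamp     A/R Flags if Name             Type Class Rdata
10:23:22.867  Add     2  0 dc1.example.com. Addr IN    10.0.100.1
10:23:40.101  Add     2  0 dc5.example.com. Addr IN    0.0.0.0 No Such Record
EOF
}

tmp=$(mktemp -d)
sample_srv > "$tmp/srv"; sample_addr > "$tmp/addr"
unresolved_targets "$tmp/srv" "$tmp/addr" || echo "SRV targets above have no address record"
rm -rf "$tmp"
```

To use it on real data, redirect each query's output to a file, press Control-C once results appear, and pass the SRV capture and the address capture as the two arguments. Repeat for the _kerberos, _kpasswd, and _gc captures.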

Learn more

Troubleshoot DNS issues related to Active Directory.
