To verify the consistency of Active Directory service records (SRV records), the following Terminal command can be used to query DNS:
dig -t SRV _service._tcp.fqdn.example.com
...where _service is the service to be queried (_ldap, _kerberos, _kpasswd or _gc) and fqdn.example.com is the fully qualified domain name of the Active Directory domain.
To verify the validity of service record location in DNS, ensure that three criteria are met:
- Each service record type has at least one answer in the ANSWER SECTION--this tests completeness.
- Each service record type has the same number of answers in the HEADER SECTION--this tests consistency.
- Each answer returned in the ADDITIONAL SECTION is a valid server name and IP address--this tests correctness.
If any of these three criteria are not met, you can use this Microsoft Technet article to troubleshoot Active Directory-related DNS issues: Troubleshooting Active Directory—Related DNS Problems.
The dig command will return results similar to this:
; <<>> DiG 9.4.2-P2 <<>> -t SRV _ldap._tcp.fqdn.example.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53473
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;; ANSWER SECTION:
_ldap._tcp.fqdn.example.com. 600 IN SRV 0 100 389 dc1.fqdn.example.com.
_ldap._tcp.fqdn.example.com. 600 IN SRV 0 100 389 dc2.fqdn.example.com.
;; ADDITIONAL SECTION:
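The three checks above are easy to miss when reading dig output by eye for four services. The script below is an added example (not part of this article, and not a Microsoft or Apple tool): it parses the text that dig prints and applies the completeness, consistency and correctness checks automatically. The function names (parse_dig, check_query, check_domain, query_service), the host names and the 192.0.2.x addresses in the sample outputs are all assumptions or constructed test data; the sample outputs are modelled on the dig result shown above with an ADDITIONAL SECTION filled in. It also checks that every host in the ADDITIONAL SECTION is actually one of the SRV targets, which is slightly stricter than the article's wording.

```python
"""Check Active Directory SRV records from dig output (added example).

Applies the three checks from the article to `dig -t SRV _service._tcp.<domain>`
output: completeness (at least one SRV answer), consistency (the ANSWER count in
the header line matches the ANSWER SECTION, and every service returns the same
number of records), and correctness (each ADDITIONAL entry is a valid host name
with a valid IP address and is one of the SRV targets).
"""
import ipaddress
import re
import subprocess

SERVICES = ("_ldap", "_kerberos", "_kpasswd", "_gc")

# RFC 1123 style host name, with or without the trailing dot dig prints.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}\.?$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.?$"
)


def query_service(service, domain):
    """Live query for one service (assumed helper; the offline samples below don't use it)."""
    cmd = ["dig", "-t", "SRV", f"{service}._tcp.{domain}"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def parse_dig(output):
    """Return (header ANSWER count, ANSWER records, ADDITIONAL records) from dig text."""
    header_answers = None
    sections = {"answer": [], "additional": []}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):            # comment / header / section marker
            m = re.match(r";; (\w+) SECTION:", line)
            if m:
                current = m.group(1).lower()
            elif line.startswith(";; flags:"):
                m = re.search(r"\bANSWER: (\d+)", line)
                if m:
                    header_answers = int(m.group(1))
            continue
        fields = line.split()               # name ttl class type rdata...
        if len(fields) < 5 or current not in sections:
            continue
        name, _ttl, _rclass, rtype, *rdata = fields
        sections[current].append({"name": name, "type": rtype, "rdata": rdata})
    return header_answers, sections["answer"], sections["additional"]


def check_query(output):
    """Apply the three checks to one dig result; return a list of problem strings."""
    header_answers, answers, additional = parse_dig(output)
    problems = []
    srv = [r for r in answers if r["type"] == "SRV"]
    if not srv:
        problems.append("completeness: no SRV record in ANSWER SECTION")
    if header_answers != len(answers):
        problems.append(f"consistency: header reports ANSWER: {header_answers} "
                        f"but ANSWER SECTION holds {len(answers)} record(s)")
    targets = {r["rdata"][-1] for r in srv}  # last SRV field is the target host
    for r in additional:
        if r["type"] not in ("A", "AAAA"):
            continue
        if not HOSTNAME_RE.match(r["name"]):
            problems.append(f"correctness: invalid server name {r['name']!r}")
        try:
            ipaddress.ip_address(r["rdata"][0])
        except ValueError:
            problems.append(f"correctness: invalid IP address {r['rdata'][0]!r} for {r['name']}")
        if r["name"] not in targets:
            problems.append(f"correctness: {r['name']} is not an SRV target")
    return problems


def check_domain(results):
    """results maps service name -> dig output; adds the cross-service count check."""
    report = {svc: check_query(out) for svc, out in results.items()}
    counts = {svc: sum(1 for r in parse_dig(out)[1] if r["type"] == "SRV")
              for svc, out in results.items()}
    if len(set(counts.values())) > 1:
        report["_all"] = [f"consistency: SRV answer counts differ across services: {counts}"]
    return report


# Constructed sample output, modelled on the article's dig result.
GOOD_LDAP = """\
; <<>> DiG 9.4.2-P2 <<>> -t SRV _ldap._tcp.fqdn.example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53473
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;_ldap._tcp.fqdn.example.com.   IN  SRV

;; ANSWER SECTION:
_ldap._tcp.fqdn.example.com. 600 IN SRV 0 100 389 dc1.fqdn.example.com.
_ldap._tcp.fqdn.example.com. 600 IN SRV 0 100 389 dc2.fqdn.example.com.

;; ADDITIONAL SECTION:
dc1.fqdn.example.com. 3600 IN A 192.0.2.10
dc2.fqdn.example.com. 3600 IN A 192.0.2.11
"""
GOOD_KERBEROS = GOOD_LDAP.replace("_ldap", "_kerberos").replace(" 389 ", " 88 ")

# Constructed broken output: header claims two answers, one is returned, bad address.
BAD_LDAP = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
_ldap._tcp.fqdn.example.com. 600 IN SRV 0 100 389 dc1.fqdn.example.com.

;; ADDITIONAL SECTION:
dc1.fqdn.example.com. 3600 IN A 192.0.2.300
"""

if __name__ == "__main__":
    for label, out in (("good", GOOD_LDAP), ("bad", BAD_LDAP)):
        print(label, check_query(out) or "OK")
```

To run it against a live domain, replace the samples with `{svc: query_service(svc, "fqdn.example.com") for svc in SERVICES}` and pass the dict to check_domain; an empty list for every service means all three criteria hold.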