Verify DNS consistency for Active Directory binding in macOS

To integrate Active Directory, you must find and identify domain controllers and Global Catalog servers via DNS.

The DNS system that hosts Active Directory must be complete, correct, and consistent. To make sure that Active Directory service records are consistent, use this Terminal command to query DNS:

dig -t SRV

In this command, _service is the service that you query (_ldap, _kerberos, _kpasswd, or _gc). The name of the Active Directory domain is

Test the completeness, consistency, and correctness of service records in DNS to verify that they're in the right place. To do this, make sure that:

  1. Each service record type has at least one answer in the answer section, to test completeness.
  2. Each service record type has the same number of answers in the header section, to test consistency.
  3. Each answer in the additional section is a valid server name and IP address, to test correctness.

If the service records don't meet any of these three criteria, you can troubleshoot DNS issues that are related to Active Directory.

The dig command returns results similar to this:

; <<>> DiG 9.4.2-P2 <<>> -t SRV
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53473
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; ANSWER SECTION:
600 IN SRV 0 100 389
600 IN SRV 0 100 389
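
The three checks listed above, applied to dig -t SRV output, as an added example that is not part of the original article. The example.com names, the 192.0.2.x addresses, the function names and the _service._tcp.<domain> query form (standard Active Directory SRV naming) are assumptions that do not appear on the page.

```shell
# Added example; example.com and 192.0.2.x are constructed sample data.
answer_count() {  # ANSWER count from the dig header on stdin
  sed -n 's/^;; flags:.* ANSWER: \([0-9]*\),.*/\1/p'
}

# Print each SRV target in the answer section that lacks an A/AAAA record
# in the additional section (no output means every target has an address).
unresolved_targets() {
  awk '
    /^;; ANSWER SECTION:/     { sec = "ans"; next }
    /^;; ADDITIONAL SECTION:/ { sec = "add"; next }
    /^;/ || NF == 0           { sec = ""; next }
    sec == "ans" && $4 == "SRV"                 { target[$8] = 1 }
    sec == "add" && ($4 == "A" || $4 == "AAAA") { addr[$1] = 1 }
    END { for (t in target) if (!(t in addr)) print t }'
}

# Check one dig response on stdin; $1 = count seen for a previous service.
# Prints the count; returns 1 incomplete, 2 inconsistent, 3 incorrect.
check_response() {
  out=$(cat)
  n=$(printf '%s\n' "$out" | answer_count)
  [ "${n:-0}" -ge 1 ] || { echo "incomplete: no answers" >&2; return 1; }
  [ -z "$1" ] || [ "$n" -eq "$1" ] || { echo "inconsistent: $n vs $1" >&2; return 2; }
  missing=$(printf '%s\n' "$out" | unresolved_targets)
  [ -z "$missing" ] || { echo "incorrect: no address for $missing" >&2; return 3; }
  echo "$n"
}

sample_response() {  # constructed response with two domain controllers
  cat <<'EOF'
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; ANSWER SECTION:
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc2.example.com.

;; ADDITIONAL SECTION:
dc1.example.com. 600 IN A 192.0.2.10
dc2.example.com. 600 IN A 192.0.2.11
EOF
}

# Live use: sh check.sh <domain>. _service._tcp.<domain> is the standard AD
# SRV naming, assumed here because the page does not show the query name.
if [ -n "${1:-}" ]; then
  for svc in _ldap _kerberos _kpasswd _gc; do
    want=$(dig -t SRV "$svc._tcp.$1" | check_response "${want:-}") || exit 1
  done
fi
```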

