The DNS that hosts Active Directory must be complete, correct, and consistent. To check the Active Directory service (SRV) records, query DNS with this Terminal command:
dig -t SRV _service._tcp.fqdn.example.com
In this command, _service is the service record that you query (_ldap, _kerberos, _kpasswd, or _gc), and fqdn.example.com is the DNS name of the Active Directory domain. The _gc record is published under the forest root domain name, so query it there if the domain you're binding to isn't the forest root.
Test the completeness, consistency, and correctness of the service records in DNS to verify that they're in the right place. To do this, make sure that:
- Each service record type returns at least one record in the answer section, to test completeness.
- The ANSWER count in the header section is the same for each service record type, to test consistency. (A smaller count for _gc is expected if only some domain controllers are global catalog servers.)
- Each record in the additional section pairs a valid domain controller hostname with its IP address, and every target named in the answer section appears there, to test correctness.
If the records fail any of these three checks, troubleshoot the DNS configuration for Active Directory before you continue.
The dig command returns results similar to this:
; <<>> DiG 9.4.2-P2 <<>> -t SRV _ldap._tcp.fqdn.example.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53473
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;; ANSWER SECTION:
_ldap._tcp.fqdn.example.com. 600 IN SRV 0 100 389 dc1.fqdn.example.com.
_ldap._tcp.fqdn.example.com. 600 IN SRV 0 100 389 dc2.fqdn.example.com.
;; ADDITIONAL SECTION:
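The script below is an added example, not part of the original article, that applies the three checks above to dig output for all four service record types. It parses the ANSWER count from the header, validates each hostname and IP address in the additional section, confirms that every SRV target in the answer section has an address record, and then compares the ANSWER counts across the four record types. The domain name, the SAMPLE_GOOD dig output, and the 192.0.2.x addresses are constructed for the example; with a domain argument it queries live with dig, with no argument it checks the embedded sample.

```shell
#!/bin/bash
# Added example (not from the original article): run the completeness,
# consistency and correctness checks over dig SRV output for the four
# Active Directory service records. Usage: ./check_ad_srv.sh fqdn.example.com
# With no argument it checks the constructed SAMPLE_GOOD output below.
SERVICES="_ldap _kerberos _kpasswd _gc"

# ANSWER count from the dig header "flags:" line (empty if no header found).
answer_count() {
  printf '%s\n' "$1" | sed -n 's/.*ANSWER: \([0-9][0-9]*\),.*/\1/p' | head -n 1
}
# Fields $a (and $b if given) of every record of type $3 in dig section $2.
# SRV lines are: name ttl IN SRV priority weight port target (target is $8).
section_fields() {   # $1 dig output  $2 section  $3 record type  $4 field  [$5 field]
  printf '%s\n' "$1" | awk -v sec="$2" -v rt="$3" -v a="$4" -v b="${5:-0}" '
    $0 == ";; " sec " SECTION:" { s = 1; next }
    /^;;/ { s = 0 }
    s && $4 == rt { print (b ? $a " " $b : $a) }'
}
# Dotted-quad IPv4 address: four decimal octets, each 0-255.
valid_ipv4() {
  local IFS=.; set -- $1
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
}
# Hostname as dig prints it (absolute, trailing dot): at least two labels,
# each 1-63 letters/digits/hyphens, not starting or ending with a hyphen.
valid_host() {
  local h="${1%.}" l
  [ -n "$h" ] || return 1
  local IFS=.; set -- $h
  [ $# -ge 2 ] || return 1
  for l in "$@"; do
    case "$l" in ''|*[!A-Za-z0-9-]*|-*|*-) return 1;; esac
    [ ${#l} -le 63 ] || return 1
  done
}
# Completeness and correctness for one record type. Prints the ANSWER count
# on stdout and problems on stderr; returns 0 only if everything passed.
check_srv_output() {   # $1 label  $2 dig output
  local label="$1" out="$2" n rc=0 host ip t
  n=$(answer_count "$out")
  if [ -z "$n" ] || [ "$n" -eq 0 ]; then
    echo "$label: incomplete, no SRV answers" >&2; return 1
  fi
  # Every additional record must be a valid hostname plus IPv4 address.
  while read -r host ip; do
    [ -n "$host" ] || continue
    if ! valid_host "$host" || ! valid_ipv4 "$ip"; then
      echo "$label: bad additional record '$host $ip'" >&2; rc=1
    fi
  done <<EOF
$(section_fields "$out" ADDITIONAL A 1 5)
EOF
  # Every SRV target must have an address in the additional section.
  for t in $(section_fields "$out" ANSWER SRV 8); do
    section_fields "$out" ADDITIONAL A 1 | grep -qxF "$t" ||
      { echo "$label: target $t has no address record" >&2; rc=1; }
  done
  echo "$n"
  return $rc
}
# Consistency: all space-separated ANSWER counts are equal.
counts_consistent() {
  local first="${1%% *}" c
  for c in $1; do [ "$c" = "$first" ] || return 1; done
}
# Live check of all four record types for one domain (needs dig and network).
check_domain() {
  local domain="$1" svc counts="" n rc=0
  for svc in $SERVICES; do
    n=$(check_srv_output "$svc" "$(dig -t SRV "$svc._tcp.$domain")") || { n=${n:-0}; rc=1; }
    counts="$counts $n"
  done
  counts_consistent "${counts# }" || { echo "inconsistent ANSWER counts:$counts" >&2; rc=1; }
  return $rc
}
# Constructed sample of a healthy _ldap answer (two DCs, both with A records).
SAMPLE_GOOD=";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53473
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; ANSWER SECTION:
_ldap._tcp.fqdn.example.com. 600 IN SRV 0 100 389 dc1.fqdn.example.com.
_ldap._tcp.fqdn.example.com. 600 IN SRV 0 100 389 dc2.fqdn.example.com.

;; ADDITIONAL SECTION:
dc1.fqdn.example.com. 3600 IN A 192.0.2.10
dc2.fqdn.example.com. 3600 IN A 192.0.2.11"
if [ -n "${1:-}" ]; then
  check_domain "$1" && echo "all four SRV record types pass"
else
  check_srv_output _ldap "$SAMPLE_GOOD" >/dev/null && echo "sample _ldap output: complete and correct"
fi
```

Run it as `bash check_ad_srv.sh fqdn.example.com` against the DNS server the Mac actually uses; a record type that fails prints the reason on stderr, and a mismatch between the four ANSWER counts is reported after all four queries. The script checks IPv4 A records only, which is what Active Directory domain controllers register by default.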