Verify DNS consistency for Active Directory binding in macOS

To integrate with Active Directory, macOS clients must be able to find and identify Domain Controllers, Kerberos servers, and Global Catalog servers via DNS.

This article is intended for system administrators. If you are experiencing an issue with your Active Directory account on your Mac, contact the system administrator for your business or school.

Identify Active Directory servers

The DNS system that hosts Active Directory must be complete, correct, and consistent. To identify which Active Directory servers provide the required services, use the following Terminal commands to query DNS records. Replace example.com with the domain name for your Active Directory. 

dns-sd -q _ldap._tcp.example.com SRV
dns-sd -q _kerberos._tcp.example.com SRV
dns-sd -q _kpasswd._tcp.example.com SRV
dns-sd -q _gc._tcp.example.com SRV

After you receive the results, press Control-C on your keyboard to exit the query.

View example outputs

Successful lookups return one or more results in the Rdata column of the output, similar to this:

macosclient$ dns-sd -q _ldap._tcp.example.com srv
DATE: ---Wed 12 Sep 2018---
10:14:56.212  ...STARTING...
Timestamp     A/R Flags if Name                             Type   Class  Rdata
10:14:56.213  Add     3  0 _ldap._tcp.example.com.     SRV    IN     0 100 389 dc1.example.com.
10:14:56.214  Add     2  0 _ldap._tcp.example.com.     SRV    IN     0 100 389 dc5.example.com.

Verify the results

Verify that the results from the previous commands resolve to an IP address.

Use the following command and replace dc1.example.com with the fully qualified domain name returned in the Rdata column of the previous commands.

dns-sd -q dc1.example.com

Your result should look similar to this:

macosclient$ dns-sd -q dc1.example.com
DATE: ---Wed 12 Sep 2018---
10:23:22.866  ...STARTING...
Timestamp     A/R Flags if Name                                  Type  Class   Rdata
10:23:22.867  Add     2  0 dc1.example.com.         Addr   IN     10.0.100.1

Verify that the results for each service record type correctly map to an IP address.
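
The following script is an added example, not part of the original article: it cross-checks saved dns-sd output from the two steps above and lists any SRV target that has no IPv4 address answer. The function names and the sample data (including the missing address for dc5) are constructed for illustration.

```shell
#!/bin/sh
# Cross-check saved `dns-sd -q` output: every SRV target should also
# appear in an Addr answer. Function names are hypothetical.

# Constructed sample: SRV answers in the format shown in the article.
SRV_SAMPLE='Timestamp     A/R Flags if Name                             Type   Class  Rdata
10:14:56.213  Add     3  0 _ldap._tcp.example.com.     SRV    IN     0 100 389 dc1.example.com.
10:14:56.214  Add     2  0 _ldap._tcp.example.com.     SRV    IN     0 100 389 dc5.example.com.'

# Constructed sample: address answers; dc5 deliberately has none.
ADDR_SAMPLE='Timestamp     A/R Flags if Name                                  Type  Class   Rdata
10:23:22.867  Add     2  0 dc1.example.com.         Addr   IN     10.0.100.1'

# Read dns-sd output on stdin; print "target port" for each SRV answer.
# In an SRV row the last field is the target and the one before it the port.
srv_targets() {
    awk '$2 == "Add" && $6 == "SRV" { print tolower($NF), $(NF-1) }' | sort -u
}

# Read dns-sd output on stdin; print each name that has an Addr answer
# whose Rdata is a dotted IPv4 address (rows with other Rdata are ignored).
resolved_names() {
    awk '$2 == "Add" && $6 == "Addr" &&
         $NF ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print tolower($5) }' | sort -u
}

# $1 = saved SRV output, $2 = saved address output.
# Prints one SRV target per line for which no address answer was seen.
unresolved_targets() {
    resolved=$(printf '%s\n' "$2" | resolved_names)
    for target in $(printf '%s\n' "$1" | srv_targets | cut -d' ' -f1); do
        printf '%s\n' "$resolved" | grep -qxF "$target" || printf '%s\n' "$target"
    done
}
```

An empty result from unresolved_targets means every server advertised by the SRV records was matched to an address; any name it prints needs its DNS record checked before binding.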
