How to Query LDAP SRV Records in Windows DNS Using nslookup



When working with Active Directory or other LDAP services, discovering servers through DNS SRV records is a common practice. While Linux administrators typically use the host or dig commands, Windows environments require different tools.

The proper command to query LDAP SRV records in Windows is:

nslookup -type=SRV _ldap._tcp.yourdomain.com

Key differences from Linux approach:

  • Windows requires the equals sign in -type=SRV
  • The domain must be fully qualified
  • No automatic DNS suffix appending like in Linux

For a domain called "corp.example.com", you would run:

nslookup -type=SRV _ldap._tcp.corp.example.com

Sample output might look like:

Server:  dns1.corp.example.com
Address:  192.168.1.10

_ldap._tcp.corp.example.com     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.corp.example.com

For PowerShell users, the equivalent is Resolve-DnsName:

Resolve-DnsName -Type SRV -Name "_ldap._tcp.corp.example.com"

For scripted solutions, this C# code can help (System.Net.Dns.GetHostEntry only resolves host names to addresses and cannot return SRV records, so a DNS library such as the DnsClient NuGet package is used here):

// Requires the DnsClient NuGet package; the BCL's System.Net.Dns has no SRV lookup.
using System;
using DnsClient;

var client = new LookupClient();                      // uses the system's configured DNS servers
var response = client.Query("_ldap._tcp.corp.example.com", QueryType.SRV);
foreach (var srv in response.Answers.SrvRecords())
{
    // Target is the "svr hostname" shown in the nslookup output above
    Console.WriteLine($"{srv.Target}:{srv.Port} priority={srv.Priority} weight={srv.Weight}");
}

If you're not getting results:

  • Verify that the DNS suffix is properly configured
  • Check if the domain controllers are publishing SRV records
  • Test basic DNS resolution first with nslookup dc1.corp.example.com
  • Ensure your network connection can reach the DNS servers

For environments with multiple domains or complex DNS setups:

nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example.com

This queries specifically for domain controller records in the Microsoft-specific DNS subtree.


When working with Active Directory authentication in Windows environments, discovering LDAP servers through DNS SRV records is a crucial step for service location. Unlike Linux's host command, Windows provides nslookup as its primary DNS query tool.

For Windows systems, the proper command to query LDAP SRV records is:

nslookup -type=SRV _ldap._tcp.domain.com

Key points about this command:

  • The -type=SRV parameter specifies that we want SRV records
  • The underscore prefixes (_ldap._tcp) are required for service records
  • Replace domain.com with your actual Active Directory domain

A successful query returns information like this:

Server:  dns1.domain.com
Address:  192.168.1.10

_ldap._tcp.domain.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.domain.com
_ldap._tcp.domain.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc2.domain.com
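As an added example (not part of the original page), a small Python parser for the nslookup output shape shown above, with the records put in priority/weight order and a check for targets that fall outside the queried zone. The sample text is constructed, not captured from a real domain, and the zone check is this example's own addition.

```python
import re
from collections import namedtuple

# Constructed sample in the shape Windows nslookup prints; not captured from a real domain.
SAMPLE_OUTPUT = """\
Server:  dns1.domain.com
Address:  192.168.1.10

_ldap._tcp.domain.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.domain.com
_ldap._tcp.domain.com    SRV service location:
          priority       = 10
          weight         = 50
          port           = 389
          svr hostname   = dc2.domain.com
"""

SrvRecord = namedtuple("SrvRecord", "name priority weight port target")
HEADER = re.compile(r"^(\S+)\s+SRV service location:")
FIELD = re.compile(r"^\s+(priority|weight|port|svr hostname)\s*=\s*(\S+)")

def parse_nslookup_srv(text):
    """Parse the 'SRV service location' blocks from Windows nslookup output."""
    records, current = [], {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"name": m.group(1)}
            continue
        m = FIELD.match(line)
        if m and current:
            key, value = m.groups()
            current["target" if key == "svr hostname" else key] = value
            if key == "svr hostname":  # last field of a block: emit the record
                records.append(SrvRecord(current["name"], int(current["priority"]),
                                         int(current["weight"]), int(current["port"]), value))
                current = {}
    return records

def order_by_preference(records):
    """Lowest priority first, then higher weight first (RFC 2782 uses weighted random within a priority)."""
    return sorted(records, key=lambda r: (r.priority, -r.weight))

def unexpected_targets(records, zone):
    """Targets outside the queried zone (stale or mistaken registrations) for review."""
    suffix = "." + zone.lower().rstrip(".")
    return [r.target for r in records if not r.target.lower().rstrip(".").endswith(suffix)]
```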

For more modern Windows systems, PowerShell provides better alternatives:

Resolve-DnsName -Type SRV -Name "_ldap._tcp.domain.com" | 
    Select-Object Name, Priority, Weight, Port, Target

If you encounter problems:

  • Ensure DNS suffixes are properly configured
  • Verify network connectivity to DNS servers
  • Check if the domain controller is registered in DNS
  • Try specifying the DNS server explicitly: nslookup -type=SRV _ldap._tcp.domain.com dns-server-ip

Here's how you might use this in a C# application for AD discovery:

// Uses the DnsClient NuGet package: the DnsMessage/DnsQuestion types sketched here are not
// part of the .NET base class library, and System.Net.Dns cannot query SRV records.
using System.Collections.Generic;
using System.Linq;
using DnsClient;

public static class LdapDiscovery
{
    public static List<string> DiscoverLdapServers(string domain)
    {
        var results = new List<string>();
        var query = $"_ldap._tcp.{domain}";

        var client = new LookupClient();                 // system-configured DNS servers
        var response = client.Query(query, QueryType.SRV);

        // Lower priority is preferred; within a priority, higher weight is preferred
        foreach (var srv in response.Answers.SrvRecords()
                                     .OrderBy(r => r.Priority)
                                     .ThenByDescending(r => r.Weight))
        {
            results.Add($"{srv.Target.Value.TrimEnd('.')}:{srv.Port}");
        }

        return results;
    }
}