Solved

Check whether AD Domain Controllers are responding

  • June 9, 2020
  • 2 replies
  • 19 views

dlondon
  • Honored Contributor
  • 377 replies

We have quite a few AD Domain controllers. I recently was investigating logon delays so one thing I was looking at was whether all the Domain Controllers could be reached.

Each of the following in terminal returned the same list of servers from DNS:

host -t SRV _ldap._tcp.my.domain.name
host -t SRV _kerberos._tcp.my.domain.name
host -t SRV _kpasswd._tcp.my.domain.name
host -t SRV _gc._tcp.my.domain.name

I then attempted to connect to each of the machines using telnet to each of the ports for ldap, kerberos, kpasswd and gc - 389, 88, 464 and 3268.
The results quite quickly showed that something was blocking access to some Domain Controllers (DC's) on the subnet I was trying to sort out, even though the DC's could be pinged. Our friendly Firewall Guy helped and found that 3 of the 9 DC's were not in the rule allowing access.

What I am wondering is whether anyone has worked out a way to automate this sort of check - see if each of the DC's listed in DNS is responding on the correct port. The way I was checking was with Telnet, and by default that is not installed any more.


2 replies

merps
  • Contributor
  • 149 replies
  • Answer
  • June 9, 2020

You should be able to check this using netcat, installed by default.

nc -z 10.xx.yy.zz 3268
Connection to 10.xx.yy.zz port 3268 [tcp/msft-gc] succeeded!
nc -z 10.xx.yy.zz 464
Connection to 10.xx.yy.zz port 464 [tcp/kpasswd] succeeded!
nc -z 10.xx.yy.zz 88
Connection to 10.xx.yy.zz port 88 [tcp/kerberos] succeeded!
nc -z 10.xx.yy.zz 389
Connection to 10.xx.yy.zz port 389 [tcp/ldap] succeeded!

To run it in a script, macOS has a required flag -G to handle connection timeout for unresponsive hosts.

nc -z -G 2 10.xx.yy.zz 3268 &> /dev/null && echo "Online" || echo "Offline"
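
Putting the two halves of the thread together (the SRV lookups from the question and the netcat probe from the answer) as an added example, not code posted by either participant: the script below asks DNS for the DCs behind the four SRV names, then tests every DC on 389, 88, 464 and 3268 with a 2 second connection timeout, so a DC that answers ping but is missing from a firewall rule shows up as BLOCKED/UNREACHABLE. The domain name, the `host` output format it parses and the sample records in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check every Domain Controller that DNS
# advertises via SRV records on the AD ports the question lists.
# Usage: sh check-dcs.sh my.domain.name

PORTS="389 88 464 3268"   # ldap, kerberos, kpasswd, gc
TIMEOUT=2                 # seconds to wait for a TCP connect

# Turn `host -t SRV` output into a sorted, unique list of target hostnames.
# Assumed line format (constructed, matches what `host` prints):
#   _ldap._tcp.my.domain.name has SRV record 0 100 389 dc1.my.domain.name.
# The last field is the target; the trailing dot is stripped.
parse_srv_targets() {
  awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }' | sort -u
}

# Query all four SRV names for the domain and merge the targets into one list,
# so a DC registered under only some of the services is still covered.
dc_list() {
  for svc in _ldap._tcp _kerberos._tcp _kpasswd._tcp _gc._tcp; do
    host -t SRV "${svc}.${1}"
  done | parse_srv_targets
}

# Return 0 if a TCP connection to host $1 port $2 succeeds within TIMEOUT.
# -G is the macOS netcat connection timeout from the answer above; on a Linux
# box with OpenBSD-style netcat use -w instead.
port_open() {
  nc -z -G "$TIMEOUT" "$1" "$2" >/dev/null 2>&1
}

# Probe every DC on every port, print one line per host:port, and return 1
# if anything was unreachable so the script can be used from a scheduled job.
check_all() {
  rc=0
  for dc in $(dc_list "$1"); do
    for port in $PORTS; do
      if port_open "$dc" "$port"; then
        printf '%-40s %5s OK\n' "$dc" "$port"
      else
        printf '%-40s %5s BLOCKED/UNREACHABLE\n' "$dc" "$port"
        rc=1
      fi
    done
  done
  return $rc
}

# Only run the live check when a domain is given on the command line.
if [ $# -gt 0 ]; then
  check_all "$1"
fi
```

Run it from the affected subnet with `sh check-dcs.sh my.domain.name`; a non-zero exit means at least one DC:port pair did not answer, which is the condition worth alerting on. Because `nc -z` only completes the TCP handshake, an OK line proves the firewall path, not that LDAP or Kerberos is actually healthy on that DC.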

dlondon
  • Author
  • Honored Contributor
  • 377 replies
  • June 9, 2020

Thanks @merps (Michael) - much appreciated especially the usage tip - it's like you read my mind.