We have quite a few AD Domain controllers. I recently was investigating logon delays so one thing I was looking at was whether all the Domain Controllers could be reached.
Each of the following in terminal returned the same list of servers from DNS:
host -t SRV _ldap._tcp.my.domain.name
host -t SRV _kerberos._tcp.my.domain.name
host -t SRV _kpasswd._tcp.my.domain.name
host -t SRV _gc._tcp.my.domain.name
I then attempted to connect to each of the machines using telnet on each of the ports for ldap, kerberos, kpasswd and gc: 389, 88, 464 and 3268.
The results quite quickly showed that something was blocking access to some Domain Controllers (DCs) on the subnet I was trying to sort out, even though the DCs could be pinged. Our friendly Firewall Guy helped and found that 3 of the 9 DCs were not in the rule allowing access.
What I am wondering is whether anyone has worked out a way to automate this sort of check, i.e. see if each of the DCs listed in DNS is responding on the correct port. The way I was checking was with telnet, and by default that is not installed anymore.
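One way to automate exactly the check described in the post, as an added example rather than anything the poster or a vendor shipped: resolve the four SRV records with `host`, pull the target hostnames out of the answers, and test a TCP connect to each DC on the matching port using bash's built-in `/dev/tcp` instead of telnet. It assumes bash, the `host` utility from the post, and `timeout` from coreutils; `my.domain.name` is a placeholder domain and `dc1`/`dc2` in the comments are constructed names.

```shell
#!/usr/bin/env bash
# Verify that every DC advertised in DNS SRV records answers on the expected port.
# Added example: assumes bash (/dev/tcp), `host` and coreutils `timeout`.

TIMEOUT="${TIMEOUT:-3}"   # seconds to wait per connect attempt

# Service prefix -> port, mirroring the four telnet checks done by hand.
SERVICES="_ldap._tcp:389 _kerberos._tcp:88 _kpasswd._tcp:464 _gc._tcp:3268"

# Read `host -t SRV` output on stdin and print the unique target hostnames.
# Expected line shape (constructed):
#   _ldap._tcp.my.domain.name has SRV record 0 100 389 dc1.my.domain.name.
srv_hosts() {
    awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }' | sort -u
}

# Return 0 if a TCP connection to $1:$2 succeeds within TIMEOUT seconds.
check_port() {
    timeout "$TIMEOUT" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Resolve each SRV record for domain $1, probe every DC on its port,
# print one OK/BLOCKED line per host:port and return 1 if anything failed.
check_domain() {
    local domain="$1" rc=0 entry svc port h
    for entry in $SERVICES; do
        svc="${entry%%:*}"; port="${entry##*:}"
        for h in $(host -t SRV "$svc.$domain" | srv_hosts); do
            if check_port "$h" "$port"; then
                printf 'OK      %s:%s (%s)\n' "$h" "$port" "$svc"
            else
                printf 'BLOCKED %s:%s (%s)\n' "$h" "$port" "$svc"; rc=1
            fi
        done
    done
    return "$rc"
}

# Usage: ./dccheck.sh my.domain.name  (exit status 1 if any DC/port is unreachable)
if [ "$#" -gt 0 ]; then
    check_domain "$1"
fi
```

A BLOCKED line for a host that still answers ping is the same symptom the post describes: ICMP passes the firewall but the service port does not. Running this from the affected subnet (or from a cron job that alerts on a non-zero exit) catches a DC being left out of a firewall rule before users notice logon delays.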