On any computer, that has DNS configured to use AD's DNS server do:

• Start -> Run -> nslookup

  set type=all
  _ldap._tcp.dc._msdcs.DOMAIN_NAME
  

Replace DOMAIN_NAME with the actual domain name e.g. example.com. Read more here.

For a computer that is a member of a domain the Environment Variable LOGONSERVER contains the name of the DC that authenticated the current user. This is obviously not going to be all DC's in a multi-DC environment but if all you want is a quick way to find the name of a Domain Controller then from a command shell:

set l <enter>

Will return all Environment variables that start with "L" including the name of a DC.

An unmentioned, super easy, and quick option is to run this from a command prompt:

nltest /dclist:domainname

Just replace 'domainname' with your domain

You can also run some other options to find out more:

/dcname:domainname gets the PDC name for the domain /dsgetdc:domainname has flags for other information

Try nltest /? in your prompt to get more options! :)

This will return your closest Domain Controller in Powershell:

Import-Module ActiveDirectory
(Get-ADDomainController -DomainName <Domain FQDN> -Discover -NextClosestSite).HostName

From a Windows command prompt, run gpresult. You will get:

• General workstation and domain information
• For both the computer and the user:
  • Distinguished name in AD and which DC the policy was applied from
  • Applied Group Policy objects
  • List of security groups a member of

Here is some analysis of gpresult output. You can also specify gpresult /z to get more detailed information.

DNS and DHCP are the best way to check since there can be Unix/Linux machines on the network managed by the AD domain controller or acting as the domain controller.

Plus, considering active directory is nothing more than Microsoft's version of Kerberos, LDAP, dhcp and dns. It would be better to understand and debug things at lower layers than layer 7+. This is because the operating system would preform these same requests and the underlining RFC for each protocol actually operates at a OSI level not the "insert favorite tool here" level.

One can go a step further and query the dhcp for options 6, 15, and 44 to get the domain name, domain name server, and Wins/NetBIOS name server.

Then using dns to check for the _kerberos._tcp, _kpasswd._tcp, _LDAP._TCP.dc._msdcs, and _ldap._tcp SRV records:

nslookup -type=srv _kerberos._tcp.EXMAPLE.COM
nslookup -type=srv _kpasswd._tcp.EXAMPLE.COM
nslookup -type=srv _ldap._tcp.EXAMPLE.COM
nslookup -type=srv _ldap._tcp.dc._msdcs.EXAMPLE.COM

.EXAMPLE.COM ::= value returned from dhcp option-1

This breaks down into three areas, two are protocol supported DNS-SD records:

• _kerberos._tcp and _kpasswd._tcp (also under UNIX/Linux/OSX+some windows networks has _kadmin._tcp) are for kerberos
• _ldap._tcp is for ldap (openldap, opendc, sun/oracle directory, ms ad) _LDAP._TCP.dc._msdcs is the Microsoft only extension to ldap to map the domain controller.

Crude CMD

Just find DC names

Save as GetDcNames.cmd:

nslookup -type=any %userdnsdomain%.

Run as: GetDcNames.cmd.

(Note: The trailing dot in "%userdnsdomain%." is on purpose. It stops your local nslookup from using any DNS search path strings.)

Find more AD related DNS domains

I whipped up a quick and dirty batch file, so that I don't have to remember the DNS domain names and/or have to type them all. (List may not be complete.)

Works from domain joined machines. If your machine is not domain joined, then you must manually set USERDNSDOMAIN to what you want.

Save as TestAdDnsRecords.cmd:

@setlocal
@REM Test AD DNS domains for presence.
@REM For details see: http://serverfault.com/a/811622/253701

nslookup -type=srv _kerberos._tcp.%userdnsdomain%.
nslookup -type=srv _kerberos._udp.%userdnsdomain%.
@echo .

nslookup -type=srv _kpasswd._tcp.%userdnsdomain%.
nslookup -type=srv _kpasswd._udp.%userdnsdomain%.
@echo .

nslookup -type=srv _ldap._tcp.%userdnsdomain%.
@echo .

nslookup -type=srv _ldap._tcp.dc._msdcs.%userdnsdomain%.
@echo .

nslookup -type=srv _ldap._tcp.pdc._msdcs.%userdnsdomain%.
@echo .

@REM Those next few lines here are forest specific:
@REM Change the next line your current domain is not also the forest root.
@SET "DNSFORESTNAME=%USERDNSDOMAIN%"

nslookup -type=srv _ldap._tcp.gc._msdcs.%DNSFORESTNAME%.
@echo .

nslookup -type=srv _gc._tcp.%DNSFORESTNAME%.

Run as TestAdDnsRecords.cmd | more. There is a lot of text output.

Sources

• MSDN "ServerGeeks" blog, 2014-07-12, Habibar Rahman, DNS Records that are required for proper functionality of Active Directory (Archived here.)
• TechNet, Resource Kits > Distributed Systems Guide > Desktop Configuration Management > Active Directory > Name Resolution in Active Directory > Locating Active Directory Servers > SRV Resource Records (Archived here.)

Go to command prompt and type "net time" - it will fetch you Domain Controller name along with time. Example - "Current time at \{DCName} is {time}.

If you just have access to DNS, you can get a list of all DCs by the following query in PowerShell:

Resolve-DnsName -Name _ldap._tcp.dc._msdcs.<YOU_DOMAIN> -Type SRV

This can be done by any user with access to DNS.