Locating Domain Controllers

So I just set up a mini enterprise environment with a domain controller (tip: win2k8r2 can be used free for 180 days) and a client. I decided to run Wireshark while I added the client to the new domain, which resulted in the following screenshot:

Now that looks rather interesting when you want to locate domain controllers, doesn’t it? Let’s give it a go with nslookup:

C:\>nslookup -type=SRV _ldap._tcp.dc._msdcs.pen.test
Server: UnKnown
Address: 192.168.164.128

_ldap._tcp.dc._msdcs.pen.test SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = win-62u3ql0g1ia.pen.test
win-62u3ql0g1ia.pen.test internet address = 192.168.164.128
win-62u3ql0g1ia.pen.test internet address = 192.168.126.133

Now isn’t that neat? It’s a quick and easy way to find the available domain controllers in a network, if you know the domain name. Additionally, it seems that the client communicates with the domain controller using CLDAP. I didn’t find a suitable Linux client, but in the links below you’ll find a Perl script capable of performing the so-called “LDAP Ping”; the other option is of course using a Windows client. The output of the script is similar to the one shown in Wireshark, which looks as follows:
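For Linux hosts in the lab, the LDAP ping request can also be built by hand. The Python below is an added example, not the Perl script from the links and not code from this post. It assumes the usual request shape, a rootDSE search for the Netlogon attribute filtered on DnsDomain and NtVer, with NtVer 0x06 chosen here as an assumption; all function names are made up for illustration.

```python
import socket
import struct

def tlv(tag: int, payload: bytes) -> bytes:
    """BER tag-length-value with definite short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + payload

def octets(value: bytes) -> bytes:
    return tlv(0x04, value)  # OCTET STRING

def equality(attr: str, value: bytes) -> bytes:
    # Filter choice equalityMatch is context tag [3], constructed -> 0xA3
    return tlv(0xA3, octets(attr.encode()) + octets(value))

def ldap_ping_request(dns_domain: str, msg_id: int = 1, nt_ver: int = 0x06) -> bytes:
    """Build the search (&(DnsDomain=...)(NtVer=...)) on the rootDSE.

    msg_id must be 1..127 so that it fits a one-byte BER INTEGER.
    nt_ver 0x06 is an assumed flag choice for this example.
    """
    filt = tlv(0xA0,  # 'and' filter, context tag [0]
               equality("DnsDomain", dns_domain.encode())
               + equality("NtVer", struct.pack("<I", nt_ver)))  # little-endian
    search = tlv(0x63,  # [APPLICATION 3] SearchRequest
                 octets(b"")              # baseObject: empty DN (rootDSE)
                 + tlv(0x0A, b"\x00")     # scope: baseObject
                 + tlv(0x0A, b"\x00")     # derefAliases: never
                 + tlv(0x02, b"\x00")     # sizeLimit: 0
                 + tlv(0x02, b"\x00")     # timeLimit: 0
                 + tlv(0x01, b"\x00")     # typesOnly: FALSE
                 + filt
                 + tlv(0x30, octets(b"Netlogon")))  # requested attribute
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + search)

def ldap_ping(dc_ip: str, dns_domain: str, timeout: float = 3.0) -> bytes:
    """Send the request over UDP/389 (CLDAP) and return the raw BER reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(ldap_ping_request(dns_domain), (dc_ip, 389))
        return s.recvfrom(4096)[0]

if __name__ == "__main__":
    # Offline: dump the request for the lab domain from the nslookup output.
    print(ldap_ping_request("pen.test").hex())
```

Calling `ldap_ping("192.168.164.128", "pen.test")` against the lab domain controller returns the raw reply, which can be compared byte for byte with the CLDAP packets in the Wireshark capture.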

Now I can’t be the only one doing this, so I googled around a bit and found some nice additional material worth the read; it is summed up below: