AD-DS (Active Directory Domain Services) rely on DNS SRV RR (service location resource records). Those records can be queried to find the location of some servers : the global catalog, LDAP servers, the Kerberos KDC and so on.
nslookup is a DNS client that can be used to query SRV records. It usually comes with the dnsutils package.
nslookup -type=srv _kerberos._tcp.$FQDN_DOMAINnslookup -type=srv _kpasswd._tcp.$FQDN_DOMAINnslookup -type=srv _ldap._tcp.$FQDN_DOMAINnslookup -type=srv _ldap._tcp.dc._msdcs.$FQDN_DOMAINnslookup -type=srv gc._msdcs.$FQDN_DOMAIN
The same commands can be operated the old way with nslookup.
In order to function properly, the tools need to know the domain name and which nameservers to query. That information is usually sent through DHCP offers and stored in the
/etc/resolv.conf file in UNIX-like systems.
If needed, the nameservers may be found with a port scan on the network by looking for DNS ports 53/TCP and 53/UDP.
nmap -v -sV -p 53 $SUBNET/$MASKnmap -v -sV -sU -p 53 $SUBNET/$MASK