Domain controller discovery identifies the KDC, LDAP server, DNS server, and SMB endpoint that anchor the domain.
We need the DC before Kerberos, LDAP, RID cycling, ASREP roasting, and password spraying become reliable.
DNS SRV Records
If DNS is pointed at the DC:
dig _ldap._tcp.dc._msdcs.ootw.local SRV
dig _kerberos._tcp.ootw.local SRV
If DNS is not configured:
dig @10.10.10.200 _ldap._tcp.dc._msdcs.ootw.local SRV
dig @10.10.10.200 _kerberos._tcp.ootw.local SRV
Expected:
OOTW-DC01.ootw.local
port 389 for LDAP
port 88 for Kerberos
Nmap Fingerprint
nmap -Pn -sV -p 53,88,135,139,389,445,464,593,636,3268,3269 10.10.10.200
Strong DC signal:
53/tcp domain
88/tcp kerberos-sec
389/tcp ldap
445/tcp microsoft-ds
3268/tcp globalcatLDAP
SMB And LDAP Clues
nxc smb 10.10.10.200
nxc ldap 10.10.10.200
LDAP root DSE:
ldapsearch -x -H ldap://10.10.10.200 -s base -b '' namingContexts defaultNamingContext dnsHostName
Expected:
defaultNamingContext: DC=ootw,DC=local
dnsHostName: OOTW-DC01.ootw.local
Windows Commands
From a domain-joined Windows host:
nltest /dsgetdc:ootw.local
nltest /dclist:ootw.local
nslookup ootw.local
echo %LOGONSERVER%
PowerShell:
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
What To Record
Domain FQDN
NetBIOS name
DC hostname
DC IP
LDAP naming context
Kerberos realm
OOTW values:
ootw.local
OOTW
OOTW-DC01.ootw.local
10.10.10.200
DC=ootw,DC=local
OOTW.LOCAL
Detection
Defenders look for:
- repeated DNS SRV queries from unusual hosts
- LDAP root DSE queries from non-domain systems
- port scans against domain controllers
- many failed Kerberos requests after DC discovery
Remediation
DC discovery cannot be fully hidden in a functioning domain. Reduce attacker value by:
- restricting network access to DC ports
- limiting workstation-to-DC paths where possible
- monitoring LDAP and Kerberos from unmanaged hosts
- preventing direct access from guest or lab networks