You want to find domain controllers or global catalogs using DNS lookups.
Domain controllers and global catalog servers are represented in DNS as SRV records. You can query SRV records with nslookup by setting type=SRV, as in the following:
> nslookup
Default Server: dns01.rallencorp.com
Address: 10.1.2.3
> set type=SRV
You then need to issue the following query to retrieve all domain controllers for the specified domain.
You can issue a similar query to retrieve global catalogs, but since they are forest-wide, the query is based on the forest name.
You can even find the domain controllers or global catalogs that are in a particular site or that cover a particular site by querying the following:
> _ldap._tcp.<SiteName>._sites.<DomainDNSName>
> _gc._tcp.<SiteName>._sites.<ForestDNSName>
See Recipe 11.18 for more information on site coverage.
One of the benefits of Active Directory over its predecessor, Windows NT, is that it relies on DNS for name resolution. Active Directory uses DNS to locate servers that serve a particular function, such as a domain controller for a domain, a global catalog server, the PDC Emulator, or a KDC. It also uses the site topology information stored in Active Directory to populate site-specific records for domain controllers.
The DC locator process relies on this information in DNS to direct clients to the optimal server when logging in. Reliance on DNS makes it easy to troubleshoot problems related to clients finding domain controllers. If you know the site a client is in, you can make a few DNS queries to determine which domain controller it should be authenticating with.
The resource records a domain controller registers in DNS can be restricted, so querying DNS may return only a subset of the actual domain controllers. See Recipe 13.14 and Recipe 13.15 for more information.
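As an added example (not from the original recipe), the Python below builds the SRV owner names used above, parses Windows nslookup SRV output, and compares the advertised domain controllers with an inventory list, which exposes both restricted registrations and unexpected ones. The domain-wide names are the site-specific forms without the <SiteName>._sites label; the site name HQ, the host names, the sample output and the inventory are constructed.

```python
import re
from collections import namedtuple

Srv = namedtuple("Srv", "name priority weight port target")

def srv_names(domain, forest, site=None):
    """SRV owner names for DC and GC lookups; site-scoped when site is given."""
    scope = f"{site}._sites." if site else ""
    return {"dc": f"_ldap._tcp.{scope}{domain}", "gc": f"_gc._tcp.{scope}{forest}"}

# One answer block as printed by Windows nslookup after "set type=SRV".
BLOCK = re.compile(
    r"^(\S+)\s+SRV service location:\s+priority\s*=\s*(\d+)\s+weight\s*=\s*(\d+)"
    r"\s+port\s*=\s*(\d+)\s+svr hostname\s*=\s*(\S+)", re.MULTILINE)

def parse_srv(output):
    """Turn nslookup SRV output into Srv records with normalized host names."""
    return [Srv(n.lower(), int(p), int(w), int(port), t.rstrip(".").lower())
            for n, p, w, port, t in BLOCK.findall(output)]

def audit(records, inventory):
    """Compare DNS-advertised DCs with an inventory list (hypothetical input)."""
    seen = {r.target for r in records}
    expected = {h.lower() for h in inventory}
    # Lowest priority is tried first; weight only biases choice within a priority.
    order = sorted(records, key=lambda r: (r.priority, -r.weight, r.target))
    return {"order": [r.target for r in order],
            "not_in_dns": sorted(expected - seen),
            "not_in_inventory": sorted(seen - expected)}

# Constructed sample: site name HQ and all host names are made up.
INVENTORY = ["dc01.rallencorp.com", "dc02.rallencorp.com"]
SAMPLE = """\
_ldap._tcp.HQ._sites.rallencorp.com   SRV service location:
          priority       = 10
          weight         = 100
          port           = 389
          svr hostname   = dc02.rallencorp.com
_ldap._tcp.HQ._sites.rallencorp.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = test-dc.rallencorp.com
"""

if __name__ == "__main__":
    print(audit(parse_srv(SAMPLE), INVENTORY))
```

A host under not_in_dns may simply have its registrations restricted, as noted above, while a host under not_in_inventory is a registration to investigate, particularly when it carries the lowest priority value.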
See Recipe 3.28 for finding the PDC Emulator via DNS, and MS KB 267855 (Problems with Many Domain Controllers with Active Directory Integrated DNS Zones).