Use dscl to find out what domain controller a Mac is authenticated against

My company has more than several hundred Macs integrated into the larger Active Directory through Apple’s built-in AD plugin. There are also several dozen domain controllers running different versions of the Windows operating system – 2003, 2008 SP2, 2008 R2 SP1, etc. Like many setups, ours does not specify a domain controller for a Mac to authenticate against. Thus, it’s become increasingly important for me to determine exactly what DC a Mac is authenticated against, since it can be one of about 50 globally (yes, OS X is supposed to choose a close DC to authenticate against, but I’ve recently discovered that this is not always the case in our current environment). In trolling the internet for an answer to this question, I came across an extremely helpful post here: http://blog.macadmincorner.com/leopard-ad-integration-headaches/

In short, the command to run is the following, but read through the linked article for the whole story:

dscl . -read /Config/Kerberos:<YOUR.KERBEROS.REALM>

This will spit out what DC the Mac is actually authenticated against by reading through the Kerberos config file for <YOUR.KERBEROS.REALM>. In my case the results were eye-opening, prompting several emails to our server team 😉

This search has been painstaking for some reason, so I thought I’d repost the solution in another forum to increase visibility for anyone in a similar situation.

