# Domain and domain-controller discovery from a domain-joined Windows host.
# "PS >" is the PowerShell prompt of this transcript, not part of the command.

# Bind to the domain root object over LDAP through ADSI and read its "dc" attribute.
PS > ([ADSI]"LDAP://megacorp.local").dc
# Get-ADDomain is provided by the ActiveDirectory module; DNSRoot is the domain's DNS name.
PS > $DomainName = (Get-ADDomain).DNSRoot
# NetBIOS name of the domain, asking the domain stored in $DomainName.
PS > (Get-ADDomain -Server $DomainName).NetBIOSName
# SRV records that domain controllers register in DNS, looked up for the DNS
# domain of the logged-on user ($env:userdnsdomain).
PS > nslookup -type=all _ldap._tcp.dc._msdcs.$env:userdnsdomain
# LDAP filter: computer objects whose userAccountControl has bit 8192 (0x2000,
# SERVER_TRUST_ACCOUNT) set, i.e. domain-controller accounts.
# 1.2.840.113556.1.4.803 is the bitwise-AND matching rule.
PS > $ldapFilter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
# Cast the filter string to a DirectorySearcher; no search base is set here.
PS > $searcher = [ADSISearcher]$ldapFilter
# Run the search; the result is a collection of SearchResult objects.
PS > $searcher.FindAll()
# Runs the search again and turns each result into a full DirectoryEntry object.
PS > $searcher.FindAll() | ForEach-Object { $_.GetDirectoryEntry() }
Or, as a single expression:
# Windows-side enumeration of domain controllers, global catalogs and service hosts.
# "PS >", "Cmd >" and "PV3 >" are transcript prompts, not part of the commands.

# One-line search for computer objects whose userAccountControl has bit 8192
# (0x2000, SERVER_TRUST_ACCOUNT) set, i.e. domain-controller accounts; each
# result is converted to a DirectoryEntry.
PS > ([ADSISearcher]"(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))").FindAll() |ForEach-Object { $_.GetDirectoryEntry() }
# .NET route: names of the DCs in the domain the local computer is joined to.
PS > [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().DomainControllers.Name
# Ask the DC Locator for a domain controller of the named domain.
Cmd > nltest /dsgetdc:megacorp.local
# The two lines below need the ActiveDirectory module: list every DC of the
# domain and keep only the selected properties.
PS > $DomainName = (Get-ADDomain).DNSRoot
PS > $AllDCs = Get-ADDomainController -Filter * -Server $DomainName | Select-Object Hostname,Ipv4address,isglobalcatalog,site,forest,operatingsystem
# Reuses the $AllDCs name: run after the line above, this replaces the DC list
# with the forest's global catalog servers.
PS > $AllDCs = (Get-ADForest).GlobalCatalogs
# "PV3" presumably marks a session with PowerView 3 loaded; Get-DomainController
# is not a built-in cmdlet.
PV3 > Get-DomainController | Select Name,IPAddress
# -Discover returns a single DC found by the locator that offers the requested service.
PS > Get-ADDomainController -Discover -Service "GlobalCatalog"
# Discover-PSMSExchangeServers is not a built-in cmdlet; presumably it comes from
# a separately loaded AD recon script (confirm the source before running it).
# Tee-Object also writes the output to exch.txt in the current directory.
PS > Discover-PSMSExchangeServers | Select ServerName,Description | Tee-Object exch.txt
# Query the named domain (-T) for service principal names matching MSSQLSvc/* (-Q).
PS > setspn -T megacorp.local -Q MSSQLSvc/*
# Same remark as for the Exchange helper: external function, output copied to mssql.txt.
PS > Discover-PSMSSQLServers | Select ServerName,Description | Tee-Object mssql.txt
# From a Linux host: look up the SRV records that domain controllers register
# in DNS. "$" is the shell prompt of the transcript.
$ nslookup -type=srv _ldap._tcp.dc._msdcs.megacorp.local
$ dig -t srv _ldap._tcp.dc._msdcs.megacorp.local
# Same lookup through proxychains4 (-q silences its own output). +tcp makes dig
# use TCP instead of UDP so the query can go through the proxy chain;
# +noall +answer prints only the answer section; @192.168.1.11 is the DNS
# server that is asked.
$ proxychains4 -q dig +tcp +noall +answer -t srv _ldap._tcp.dc._msdcs.megacorp.local @192.168.1.11
Or query one of the DCs directly for the forest/domain FQDN to get the corresponding DC IP addresses:
# With no record type given, dig asks the server at 192.168.1.11 for the A
# records of the domain name.
$ dig @192.168.1.11 megacorp.local
$ dig @192.168.1.11 child.megacorp.local
# cme is CrackMapExec: authenticated LDAP session that runs the "subnets"
# module (presumably lists AD sites and subnets; confirm against the module).
# NOTE(review): the target here is 192.168.11.1 while the dig lines use
# 192.168.1.11; possibly transposed octets, confirm.
# The password is passed on the command line, so it ends up in shell history
# and is visible in the process list while the command runs.
$ cme ldap 192.168.11.1 -d megacorp.local -u snovvcrash -p 'Passw0rd!' -M subnets