This will output a list of systems that have SMB. This may also reveal one or more domains that are in that IP range.
Using nmap
nmap -sP -oG - <iprange>
This command will output nmap's grepable format to the console. If you would rather have it go to a file, replace the dash after the -oG with the file you want to create containing the output.
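A small filter for the grepable output described above, as an added example that is not part of the original notes: it lists the hosts nmap reported as Up and counts them per DNS suffix. The sample scan lines and the corp.example / lab.example names are constructed for illustration.

```shell
# Added example: summarise `nmap -sP -oG` grepable output.
# sample_grepable emits constructed lines in the grepable layout
# ("Host: <ip> (<name>)<TAB>Status: <state>"); it is not real scan data.
sample_grepable() {
    printf '%s\n' '# Nmap scan initiated as: nmap -sP -oG - 192.168.56.0/24'
    printf 'Host: %s (%s)\tStatus: %s\n' \
        192.168.56.10 dc01.corp.example Up \
        192.168.56.11 '' Up \
        192.168.56.12 ws01.corp.example Down \
        192.168.56.22 files.lab.example Up
    printf '%s\n' '# Nmap done: 256 IP addresses (3 hosts up) scanned'
}

# Print "ip<TAB>hostname" for every host reported Up.
# Hosts without a reverse DNS name appear as "()" and are shown as "-".
# Reads the files given as arguments, or stdin when there are none.
up_hosts() {
    awk '
        $1 == "Host:" && $NF == "Up" {
            name = $3
            gsub(/[()]/, "", name)
            if (name == "") name = "-"
            printf "%s\t%s\n", $2, name
        }
    ' "$@"
}

# Count Up hosts per DNS suffix (everything after the first label).
suffix_counts() {
    up_hosts "$@" | awk -F'\t' '
        $2 != "-" && index($2, ".") {
            n[substr($2, index($2, ".") + 1)]++
        }
        END { for (s in n) printf "%d %s\n", n[s], s }
    ' | sort -k2
}

# Stand-alone run on the constructed sample. For a saved scan, pass the
# file written by -oG instead, e.g. `up_hosts scan.gnmap`.
sample_grepable | up_hosts
sample_grepable | suffix_counts
```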
First, what is a naming context (NC)? From Microsoft's documentation, the NC is a set of objects organized as a tree. This NC contains information about specific types of objects, such as users, computers, or groups. The base or main NC is the Domain NC, which contains information about all the objects in a specific domain. By default there are three different NCs:
Domain
Contains information about the objects in the domain.
Configuration
Contains information about the overall structure and configuration of AD to include the domains and sites in the forest.
Schema
Contains information about the classes and attributes that define the types of objects that are stored in AD.
nslookup -type=srv _ldap._tcp.dc._msdcs.<Domain Name> 192.168.56.10 # finds the DC
nslookup -query=srv _ldap._tcp.dc._msdcs.<Domain Name> 192.168.56.10 # finds the DC
nslookup -query=srv _ldap._tcp.<Domain Name> <DNS Server> # finds the server hosting the NC
nslookup -type=srv _ldap._tcp.<Domain Name> <DNS Server> # finds the server hosting the NC