S.DS.AD – Domain Controllers
We saw one method of accessing domain controllers when we were looking at the domain class - http://richardsiddaway.spaces.live.com/blog/cns!43CFA46A74CF3E96!1932.entry
If we want to work directly with a domain controller, we can create an object for the domain controller like this:
$type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::DirectoryServer
$context = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList $type, "DC02.Manticore.org"
$dc = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($context)
In a similar way to working with a forest (or a domain, though I didn’t list it), we set the context by defining the object type, in this case a directory server (i.e. a domain controller), and the FQDN of the domain controller. We then use the GetDomainController static method of the DomainController class. Notice that we are using a lot of static methods in these examples.
Things we can do with domain controllers include
Some of these don’t work in Windows 2008, especially the TransferRoleOwnership method.
The domain controller class has a number of interesting properties including
The CurrentTime property allows us to check for time issues. Remember that Kerberos doesn’t like time differences between machines that are greater than a defined limit, 5 minutes by default. Let’s see how we can check this.
$type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
$context = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList $type, "manticore.org"
[System.DirectoryServices.ActiveDirectory.DomainController]::FindAll($context) | Format-Table Name, CurrentTime
Create the context for the domain and then use the FindAll() static method of the DomainController class. We can then pipe the results into Format-Table to display each DC's name and its current time.
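Reading the times by eye gets tedious with more than a few DCs, so the following added example (not code from the original post) computes each DC's offset from a reference clock and flags anything beyond the 5 minute Kerberos default. The function name Test-DcTimeSkew, the DC01 entry and the sample timestamps are constructed for illustration, and the comparison assumes CurrentTime is reported in UTC.

```powershell
# Added example: flag domain controllers whose clock differs from a reference
# clock by more than the Kerberos tolerance (5 minutes by default).
# Test-DcTimeSkew is a hypothetical helper name, not part of S.DS.AD.
function Test-DcTimeSkew {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $DomainController,            # any object exposing Name and CurrentTime
        [double]$MaxSkewMinutes = 5,  # Kerberos default tolerance
        [DateTime]$ReferenceUtc       # optional fixed reference clock (UTC)
    )
    process {
        # Read the DC clock first, then sample the reference immediately, so
        # time spent querying earlier DCs does not show up as skew.
        $dcTime = $DomainController.CurrentTime   # assumed to be a UTC value
        if ($PSBoundParameters.ContainsKey('ReferenceUtc')) {
            $ref = $ReferenceUtc
        } else {
            $ref = [DateTime]::UtcNow
        }
        $skew = $dcTime - $ref
        [pscustomobject]@{
            Name            = $DomainController.Name
            CurrentTime     = $dcTime
            SkewSeconds     = [math]::Round($skew.TotalSeconds, 1)
            WithinTolerance = ([math]::Abs($skew.TotalMinutes) -le $MaxSkewMinutes)
        }
    }
}

# Constructed sample data so the function can be tried without a domain.
$reference = [DateTime]'2024-01-15T10:00:00'
$sample = @(
    [pscustomobject]@{ Name = 'DC01.Manticore.org'; CurrentTime = $reference.AddSeconds(12) }
    [pscustomobject]@{ Name = 'DC02.Manticore.org'; CurrentTime = $reference.AddMinutes(-7) }
)
$sample | Test-DcTimeSkew -ReferenceUtc $reference | Format-Table -AutoSize

# Against a live domain, using the $context created above:
# [System.DirectoryServices.ActiveDirectory.DomainController]::FindAll($context) |
#     Test-DcTimeSkew | Where-Object { -not $_.WithinTolerance }
```

When run against live DCs the reference is the local machine's clock, so a skew reported for every DC usually points at the machine running the check rather than at the domain controllers.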