Finding Domain Controllers

Domain Controllers are the keys to the kingdom as far as AD is concerned. Once we can find them we can do all sorts of stuff. So how do we find them?

if (-not (Get-Module ActiveDirectory)){
  Import-Module ActiveDirectory
}
$ou = "OU=Domain Controllers,DC=Manticore,DC=org"
# Microsoft AD cmdlet
Get-ADDomainController -Filter * | Format-Table Name, ComputerObjectDN
# AD provider: lists whatever is in the default Domain Controllers OU
"`nAD provider"
Get-ChildItem -Path Ad:\$ou | Format-Table
# Quest AD cmdlet (needs the Quest snap-in loaded)
Get-QADComputer -ComputerRole "DomainController"
# .NET
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$domain.FindAllDomainControllers() | select Name

The code using the provider assumes that the domain controllers have been left in the default location (you shouldn’t move them). The other techniques retrieve them based on AD information.
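The point about location, as an added example (not code from the original post): it finds domain controller computer accounts by their userAccountControl flag instead of by OU, reads the domain DN from RootDSE so nothing is hard coded, and marks any DC that sits outside the default OU. The `InDefaultOU` property name is an assumption made for the example, and it assumes the default OU still has its standard name.

```powershell
# Added example: locate DC computer accounts by flag, not by OU.
# Read the domain DN from RootDSE so no DC=...,DC=... is hard coded.
$rootDSE   = [adsi]"LDAP://RootDSE"
$domainDN  = [string]$rootDSE.defaultNamingContext
$defaultOU = "OU=Domain Controllers,$domainDN"   # assumed standard name

# userAccountControl bit 8192 (SERVER_TRUST_ACCOUNT) marks a DC account;
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$filter = "(&(objectCategory=computer)" +
          "(userAccountControl:1.2.840.113556.1.4.803:=8192))"

$searcher = [adsisearcher]$filter
$searcher.SearchRoot = [adsi]"LDAP://$domainDN"
$searcher.PageSize   = 1000
[void]$searcher.PropertiesToLoad.Add("dnshostname")
[void]$searcher.PropertiesToLoad.Add("distinguishedname")

$results = $searcher.FindAll()
try {
  foreach ($r in $results) {
    $dn = [string]($r.Properties["distinguishedname"] | Select-Object -First 1)
    # Parent container = DN minus its leading CN=... component
    # (the pattern steps over escaped commas inside the name).
    $parent = $dn -replace '^CN=(?:\\.|[^,\\])+,', ''
    New-Object PSObject -Property @{
      Name              = [string]($r.Properties["dnshostname"] |
                            Select-Object -First 1)
      DistinguishedName = $dn
      InDefaultOU       = ($parent -eq $defaultOU)   # hypothetical name
    } | Select-Object Name, InDefaultOU, DistinguishedName
  }
}
finally {
  # SearchResultCollection holds unmanaged resources
  $results.Dispose()
}
```

Any row with `InDefaultOU` set to False is a domain controller that the provider listing of the default OU would miss.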

6 Responses to Finding Domain Controllers

  • Robert says:

    I of course know my OU’s “DC=xyz,DC=com” values for my domain, but in these kinds of scripts they always seem to have to be hard coded. Is there a way for the script to determine the OU data based on the logged in entity running the script so they don’t have to be hard coded?

  • RichardSiddaway says:

    Thank you for taking the time to comment.
    I’ve shown how to get the distinguished name of the domain in this post

    Any OU can then be built on to that

  • Maria Rutgers says:

    Hi, I hope this question is not too much off topic.

    If I use a directory searcher like this:

    $root = [adsi] "LDAP://$DnsDomainName"
    $searcher = [adsisearcher] $root

    $searcher.FindAll() | ForEach-Object { … } | Export-Csv $filepath

    Do you know if there is a way to determine which domain controller is actually servicing the FindAll() request?
    Some background information: I have been using this logic for many months and with many domains. Recently I have seen the occasional ‘More data is available’ error with one of the domains, and this causes the process to fail. I would like to record the actual domain controller being used, just in case.
    I am using PowerShell v2.0 on Windows Server 2003 SP2.
    Any help would be welcome

  • RichardSiddaway says:

    You are using the domain controller against which you authenticated. I explain how to find that DC in this post

  • Maria Rutgers says:

    Thank you Richard, for replying in such an old thread; very much appreciated!
    I will definitely start logging the DC against which I authenticated in my “local” domain. Your function makes it so easy that there is no excuse not to use it.
    However I am afraid that I may not have put my original question very well. In the statement

    $root = [adsi] "LDAP://$DnsDomainName"

    The $DnsDomainName is always in the form or domain2.corp,, and so on. My script has been happily gathering data every day for almost a year against a dozen different remote domains, one domain at a time. The number of records varies, with a few dozen in the smallest domain and many thousands in the largest one.
    Now one of the medium-size domains is returning the occasional “more data is available” error, always on what I suspect is the very last page of data. The error cannot be reproduced on demand so I wanted to log a little additional information about each run if possible, in the hope that it would shed some light on the situation. To begin with I thought it would be useful to know the name of the DC in the remote domain that is servicing the request. Is this at all possible? or am I asking the wrong question?

  • Maria says:

    In case it helps someone else, I figured out how to record the DC that is used by a DirectorySearcher. Don’t let the searcher connect to the remote domain but instead connect to the remote domain *before* creating the searcher, like this:

    $rootDSE = [ADSI] "LDAP://$DnsDomainName/RootDSE"
    $defaultDC = $rootDSE.PSBase.Properties.dnsHostName.Value.ToString()
    Write-Host "DC used by the searcher: $defaultDC"
    $searcher = [adsisearcher] $root

    If the default DC happens to be the one that keeps failing with “more data is available” errors, it is now possible to get the list of DCs for the remote domain and pick a different one for use by the searcher.

    $context = new-object System.DirectoryServices.ActiveDirectory.DirectoryContext('domain', $DnsDomainName)
    $domain = [system.directoryservices.activedirectory.Domain]::GetDomain($context)
    $DCs = $domain.DomainControllers
