One option for finding global catalog servers is often overlooked – DNS. In an AD environment, DNS stores the SRV records that advertise the services each domain controller can deliver, and a global catalog server registers its own _gc records.
$dnsserver = "dc02"
Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_SRVType `
    -ComputerName $dnsserver -Filter "ContainerName = 'Manticore.org'" |
    Where {$_.OwnerName -like "_gc*"} |
    select TextRepresentation
We are interested in the ‘root\MicrosoftDNS’ namespace and the MicrosoftDNS_SRVType class. We filter on the Manticore.org zone (the ContainerName) and keep only the records whose OwnerName is like “_gc*”.
The results look like this:
_gc._tcp.Site1._sites.Manticore.org IN SRV 0 100 3268 dc02.manticore.org.
_gc._tcp.Site1._sites.Manticore.org IN SRV 0 100 3268 server02.manticore.org.
_gc._tcp.Manticore.org IN SRV 0 100 3268 dc02.manticore.org.
_gc._tcp.Manticore.org IN SRV 0 100 3268 server02.manticore.org.
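The same query, as an added example that is not part of the original post, wrapped in a function that returns the SRV fields (site, target host, port, priority, weight) as objects instead of the raw TextRepresentation string, and then cross-checked against what AD itself reports as global catalogs. The function name Get-GcSrvRecord is my own; it assumes Windows PowerShell with the DNS WMI provider reachable on the dc02 server and the Manticore.org zone from the post, and the optional cross-check assumes the ActiveDirectory module is installed.

```powershell
# Added example (not the original post's code): list the global catalog SRV
# records for a zone via the DNS WMI provider and return them as objects.
# Assumes: the DNS server role runs on $DnsServer, you have admin rights on it,
# and the defaults match the page ("Manticore.org" zone on "dc02").
function Get-GcSrvRecord {
    param(
        [string]$DnsServer = 'dc02',
        [string]$Zone      = 'Manticore.org'
    )

    $records = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_SRVType `
        -ComputerName $DnsServer -Filter "ContainerName = '$Zone'" |
        Where-Object { $_.OwnerName -like '_gc._tcp.*' }

    if (-not $records) {
        Write-Warning "No _gc SRV records found in zone $Zone on $DnsServer."
        return
    }

    foreach ($r in $records) {
        # Site-specific records look like _gc._tcp.<Site>._sites.<zone>;
        # the domain-wide record is just _gc._tcp.<zone>.
        $site = if ($r.OwnerName -match '^_gc\._tcp\.(?<site>[^.]+)\._sites\.') {
            $Matches['site']
        } else {
            '(domain-wide)'
        }

        [pscustomobject]@{
            Site     = $site
            Target   = $r.SRVDomainName.TrimEnd('.')
            Port     = $r.Port          # 3268 = GC over LDAP, 3269 = GC over LDAPS
            Priority = $r.Priority
            Weight   = $r.Weight
            Owner    = $r.OwnerName
        }
    }
}

# Usage: group by site so you can see which GCs each site advertises.
$gc = Get-GcSrvRecord -DnsServer 'dc02' -Zone 'Manticore.org'
$gc | Sort-Object Site, Target | Format-Table Site, Target, Port, Priority, Weight -AutoSize

# Cross-check (requires the ActiveDirectory module): a DC that AD flags as a GC
# but that has no _gc SRV record usually points to a Netlogon/DNS registration
# problem, and a stale _gc record for a host that is no longer a GC is worth
# cleaning up before clients try to use it.
$fromAd  = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
           Select-Object -ExpandProperty HostName
$fromDns = $gc | Select-Object -ExpandProperty Target -Unique
Compare-Object -ReferenceObject $fromAd -DifferenceObject $fromDns
```

Get-WmiObject is the cmdlet the post uses and is available in Windows PowerShell 5.1; on PowerShell 7 the same class can be queried with Get-CimInstance against the same namespace. The Site column separates the site-specific records from the domain-wide `_gc._tcp.<zone>` record, which is what a client falls back to when it has no site affinity.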