Printout Header
RSS Feed

How to search and find Active Directory domain controllers


We use the Active Directory attribute userAccountControl for this LDAP search. For domain controllers the flag bit UF_SERVER_TRUST_ACCOUNT (8192) is set. The SelfADSI tutorial article about LDAP filters shows in detail how to search for single flags in such bit fields. For the general explanation of LDAP searches read the SelfADSI-Chapter 'Searching LDAP objects in the directory'.


Finding all domain controllers in the own domain


This script finds all the Active Directory domain controllers in the domain in which the current user is a member of:

ldapFilter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))" Set rootDSE = GetObject("LDAP://rootDSE") domainDN = rootDSE.Get("defaultNamingContext") Set ado = CreateObject("ADODB.Connection") ado.Provider = "ADSDSOObject" ado.Open "ADSearch" Set objectList = ado.Execute("<LDAP://" & domainDN & ">;" & ldapFilter & ";distinguishedName,dnsHostName;subtree") While Not objectList.EOF dcDN = objectList.Fields("distinguishedName") dcDNS = objectList.Fields("dnsHostName") WScript.Echo dcDNS & " " & dcDN objectList.MoveNext Wend

Finding all domain controllers in any domain / OU


This script finds all Active Directory domain controller in the specified domain or OU. Use the suitable LDAP path for your desired domain or container. You could also set other credentials for the search (username and password specified):

searchDN = "DC=example,DC=com" 'insert your own search base container or domain name serverName = "192.168.0.66" 'insert your own DC's name or address userName = InputBox("Enter user name","Credentials") 'you could also just use a static username instead, like "EXAMPLE\userXYZ" password = InputBox("Enter password","Credentials") 'you could also just use a static password instead, like "P@ssw0rd" ldapFilter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))" Set ado = CreateObject("ADODB.Connection") ado.Provider = "ADSDSOObject" ado.Properties("User ID") = userName ado.Properties("Password") = password ado.Properties("Encrypt Password") = True ado.Open "ADSearch" Set objectList = ado.Execute("<LDAP://" & serverName & "/" & searchDN & ">;" & ldapFilter & ";distinguishedName,dnsHostName;subtree") While Not objectList.EOF dcDN = objectList.Fields("distinguishedName") dcDNS = objectList.Fields("dnsHostName") WScript.Echo dcDNS & "  " & dcDN objectList.MoveNext Wend

Finding all domain controllers in the own entire forest


This script finds all domain controllers in the Active Directory forest, in which the current user is a member. Please note that only those attributes can be searched which are also included in the Global Catalog. This affects the structure of the search filter and the list of attributes that are requested in the query:

ldapFilter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))" Set aoi = CreateObject("ADSystemInfo")   'evaluate global catalog search base gcBase = aoi.ForestDNSName Set ado = CreateObject("ADODB.Connection") ado.Provider = "ADSDSOObject" ado.Open "ADSearch" Set objectList = ado.Execute("<GC://" & gcBase & ">;" & ldapFilter & ";distinguishedName,dnsHostName;subtree") While Not objectList.EOF dcDN = objectList.Fields("distinguishedName") dcDNS = objectList.Fields("dnsHostName") WScript.Echo dcDNS & "  " & dcDN objectList.MoveNext Wend
Tweet