
How to search and find Active Directory domain controllers


We use the Active Directory attribute userAccountControl for this LDAP search. For domain controllers, the flag bit UF_SERVER_TRUST_ACCOUNT (8192) is set. The SelfADSI tutorial article about LDAP filters shows in detail how to search for single flags in such bit fields. For a general explanation of LDAP searches, read the SelfADSI chapter 'Searching LDAP objects in the directory'.
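The flag test described above, as an added example that is not part of the original article. It is written in Python rather than the article's VBScript so it runs without a directory: it emulates the bitwise-AND matching rule on constructed userAccountControl values. The host names, sample values and function names are assumptions, and decoding flag bits other than 8192 goes beyond what the article uses.

```python
import re

BIT_AND_OID = "1.2.840.113556.1.4.803"  # matching-rule OID from the page's filter
PAGE_FILTER = ("(&(objectCategory=computer)"
               "(userAccountControl:1.2.840.113556.1.4.803:=8192))")

# A few well-known userAccountControl bits (subset, for decoding only).
UF_NAMES = {
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",  # 8192, the bit the page searches for
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",  # set on read-only DCs
}

# Constructed sample entries; host names and values are illustrative.
SAMPLE = [
    {"dnsHostName": "dc01.example.com", "userAccountControl": "532480"},
    {"dnsHostName": "ws17.example.com", "userAccountControl": "4096"},
    {"dnsHostName": "rodc01.example.com", "userAccountControl": "83890176"},
]
TERM = re.compile(r"\((\w+):([\d.]+):=(\d+)\)")

def parse_bit_term(ldap_filter):
    """Return (attribute, oid, mask) of the first extensible-match term."""
    m = TERM.search(ldap_filter)
    if m is None:
        raise ValueError("no extensible-match term in filter")
    return m.group(1), m.group(2), int(m.group(3))

def bit_and_match(value, mask):
    """Bitwise-AND rule: true only when every bit of mask is set in value."""
    return value & mask == mask

def decode_uac(value):
    """Names of the known flag bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UF_NAMES.items()) if value & bit]

def find_dcs(entries, ldap_filter=PAGE_FILTER):
    """Host names of entries whose attribute satisfies the filter's bit test."""
    attr, oid, mask = parse_bit_term(ldap_filter)
    if oid != BIT_AND_OID:
        raise ValueError("only the bitwise-AND rule is emulated here")
    return [e["dnsHostName"] for e in entries if bit_and_match(int(e[attr]), mask)]

if __name__ == "__main__":
    for e in SAMPLE:
        print(e["dnsHostName"], decode_uac(int(e["userAccountControl"])))
    print("matched:", find_dcs(SAMPLE))
```

The constructed read-only DC entry is not matched, because its account carries PARTIAL_SECRETS_ACCOUNT and WORKSTATION_TRUST_ACCOUNT rather than the 8192 bit; an inventory that must include read-only DCs needs a second test for that flag.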


Finding all domain controllers in your own domain


This script finds all Active Directory domain controllers in the domain of which the current user is a member:

'Match computer objects with the UF_SERVER_TRUST_ACCOUNT bit (8192) set
ldapFilter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"

'Read the distinguished name of the current user's domain
Set rootDSE = GetObject("LDAP://rootDSE")
domainDN = rootDSE.Get("defaultNamingContext")

'Run the search through the ADSI OLE DB provider
Set ado = CreateObject("ADODB.Connection")
ado.Provider = "ADSDSOObject"
ado.Open "ADSearch"
Set objectList = ado.Execute("<LDAP://" & domainDN & ">;" & ldapFilter & ";distinguishedName,dnsHostName;subtree")

'Print DNS host name and distinguished name of each domain controller found
While Not objectList.EOF
    dcDN = objectList.Fields("distinguishedName")
    dcDNS = objectList.Fields("dnsHostName")
    WScript.Echo dcDNS & " " & dcDN
    objectList.MoveNext
Wend

Finding all domain controllers in any domain / OU


This script finds all Active Directory domain controllers in the specified domain or OU. Use the LDAP path of the domain or container you want to search. You can also supply other credentials for the search (user name and password specified):

searchDN = "DC=example,DC=com"   'insert your own search base container or domain name
serverName = "192.168.0.66"   'insert your own DC's name or address
userName = InputBox("Enter user name","Credentials")   'you could also just use a static username instead, like "EXAMPLE\userXYZ"
password = InputBox("Enter password","Credentials")   'you could also just use a static password instead, like "P@ssw0rd"

ldapFilter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"

'Run the search through the ADSI OLE DB provider with the given credentials
Set ado = CreateObject("ADODB.Connection")
ado.Provider = "ADSDSOObject"
ado.Properties("User ID") = userName
ado.Properties("Password") = password
ado.Properties("Encrypt Password") = True
ado.Open "ADSearch"
Set objectList = ado.Execute("<LDAP://" & serverName & "/" & searchDN & ">;" & ldapFilter & ";distinguishedName,dnsHostName;subtree")

'Print DNS host name and distinguished name of each domain controller found
While Not objectList.EOF
    dcDN = objectList.Fields("distinguishedName")
    dcDNS = objectList.Fields("dnsHostName")
    WScript.Echo dcDNS & "  " & dcDN
    objectList.MoveNext
Wend

Finding all domain controllers in your entire forest


This script finds all domain controllers in the Active Directory forest of which the current user is a member. Note that only attributes that are included in the Global Catalog can be searched. This affects both the structure of the search filter and the list of attributes requested in the query:

ldapFilter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"

Set aoi = CreateObject("ADSystemInfo")   'evaluate global catalog search base
gcBase = aoi.ForestDNSName

'Run the search against the Global Catalog (GC:// instead of LDAP://)
Set ado = CreateObject("ADODB.Connection")
ado.Provider = "ADSDSOObject"
ado.Open "ADSearch"
Set objectList = ado.Execute("<GC://" & gcBase & ">;" & ldapFilter & ";distinguishedName,dnsHostName;subtree")

'Print DNS host name and distinguished name of each domain controller found
While Not objectList.EOF
    dcDN = objectList.Fields("distinguishedName")
    dcDNS = objectList.Fields("dnsHostName")
    WScript.Echo dcDNS & "  " & dcDN
    objectList.MoveNext
Wend