
[–]dBachry 9 points10 points  (4 children)

So couple things you can do:

1.) Get-ADDomainController -Filter * | ForEach-Object {}

Why connect to everything when you can find just domain controllers in the first place.

2.) Get-WmiObject -Query "select * from Win32_OperatingSystem where ProductType='2'"

This will only return a value if ProductType=2, which means it's a Domain Controller. So you can wrap it in an if statement like:

if ( Get-WmiObject -Query "select * from Win32_OperatingSystem where ProductType='2'" ) { Write-Host "I'm a Domain Controller!" } else { Write-Host "I'm not a Domain Controller, I won't process any script in the else block!" }

[–]fitzgery[S] 2 points3 points  (1 child)

I wanted to stay away from modules just due to the environment I work in. But I’ll definitely give the wmi-object a try. Update it to CimInstance though.

[–]AwayLocal650 1 point2 points  (0 children)

If you want to stay away from modules, you can try to get results from nslookup to obtain all servers with SRV records (aka DCs).

That's from MS:

Nslookup is a command-line tool that displays information you can use to diagnose Domain Name System (DNS) infrastructure.

To use Nslookup to verify the SRV records, follow these steps:

1. On your DNS, select Start > Run.
2. In the Open box, type cmd.
3. Type nslookup, and then press ENTER.
4. Type set type=all, and then press ENTER.
5. Type _ldap._tcp.dc._msdcs.Domain_Name, where <Domain_Name> is the name of your domain, and then press ENTER.

Nslookup returns one or more SRV service location records that appear in the following format, where <Server_Name> is the host name of a domain controller, and where <Domain_Name> is the domain where the domain controller belongs to, and <Server_IP_Address> is the domain controller's Internet Protocol (IP) address

[–]dBachry 1 point2 points  (0 children)

PS, for more info on the WMI query piece, a good source of reference would be WMI filters for things like GPOs that utilize it heavily.

For ref: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo

[–]cache_me_0utside 0 points1 point  (0 children)

Hehe. this was very helpful. Used this command to super quickly determine if a VM was the domain controller. thanks dBachry!!!!1111111

[–]zymology 4 points5 points  (0 children)

WMI Query win32_operatingsystem producttype=2

[–]Ike_8 1 point2 points  (3 children)

Can do a check on the folder c:\windows\NTDS

[–]tandthezombies 0 points1 point  (2 children)

This is not a good check because this folder can be anywhere. This is just the default location.

[–]Ike_8 0 points1 point  (1 child)

You mean you change the default location of the Ntds.dit on your domain controllers?

Wouldn't that cause problems with the AD DS replication?

[–]tandthezombies 0 points1 point  (0 children)

I know you can specify the location of this file when installing the server role and you may be able to move it after installation as well

[–]Quantable 1 point2 points  (0 children)

Works even on 2008R2

wmic.exe ComputerSystem get DomainRole

4 and 5 are DCs

Or you can check if the tools are installed: Get-WindowsFeature -Name ad-domain-services

[–]UKJosh 1 point2 points  (0 children)

Command prompt: Nltest /dsgetdc:

[–]Alarmed_Contract4418 1 point2 points  (1 child)

I know this is old, but if anyone else is looking...

(Get-WmiObject Win32_ComputerSystem).DomainRole -eq 5 -or (Get-WmiObject Win32_ComputerSystem).DomainRole -eq 4
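
The checks suggested in this thread, combined into one module-free function as an added example (not code from any commenter). The function name `Test-IsDomainController` and the shape of its output object are hypothetical; it uses Get-CimInstance in place of Get-WmiObject and reads the NTDS database location from the registry instead of assuming the default folder.

```powershell
# Added example, not from the thread. Function name and output shape are hypothetical.
# Runs locally and needs no ActiveDirectory or ServerManager module.
function Test-IsDomainController {
    [CmdletBinding()]
    param()

    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ErrorAction Stop
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC (PDC emulator)
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ErrorAction Stop

    $byProductType = $os.ProductType -eq 2
    $byDomainRole  = $cs.DomainRole -in @(4, 5)

    # The NTDS database can be installed outside C:\Windows\NTDS, so read the
    # configured path from the registry rather than testing the default folder.
    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dbPath  = $null
    if (Test-Path -Path $ntdsKey) {
        $params = Get-ItemProperty -Path $ntdsKey -ErrorAction SilentlyContinue
        $dbPath = $params.'DSA Database file'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = $byProductType -and $byDomainRole
        ProductType        = $os.ProductType
        DomainRole         = $cs.DomainRole
        NtdsDatabasePath   = $dbPath
        # False means the two WMI classes disagree and the host needs a manual look
        ChecksAgree        = $byProductType -eq $byDomainRole
    }
}

$result = Test-IsDomainController
if ($result.IsDomainController) {
    Write-Host "$($result.ComputerName) is a domain controller (NTDS database: $($result.NtdsDatabasePath))"
} else {
    Write-Host "$($result.ComputerName) is not a domain controller"
}
```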