shornw

_AD_ListDomainControllers question

20 posts in this topic

Hi - I use many of the AD.au3 functions regularly and usually have no issues; however, I am having difficulties with _AD_ListDomainControllers().

If I compile the following and RunAs from a device on the domain I want to query, everything works OK:

#include <AD.au3>
#include <Array.au3>

; Connect to the domain of the logged-on user
_AD_Open()
If @error Then MsgBox(16, "AD Error", "_AD_Open failed - Error = " & @error & ", @extended = " & @extended)

; List the domain controllers of the connected domain
Global $aDC = _AD_ListDomainControllers()
If @error Then Exit MsgBox(16, "AD DC Error", "Error = " & @error)
_ArrayDisplay($aDC, "Domain Controllers")
_AD_Close()

However if I try and use the code below from another domain, I get @error = 1 'No Domain Controllers Found'. The account & password are a DA account and work with other queries.

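#include <AD.au3>
#include <Array.au3>

; Connect to another domain with explicit credentials, domain, host server and configuration
_AD_Open("Domain\User", "password", "DC", "DC.FQDN", "CN=configuration")
If @error Then MsgBox(16, "AD Error", "_AD_Open failed - Error = " & @error & ", @extended = " & @extended)

; List the domain controllers of the connected domain
Global $aDC = _AD_ListDomainControllers()
If @error Then Exit MsgBox(16, "AD DC Error", "Error = " & @error)
_ArrayDisplay($aDC, "Domain Controllers")
_AD_Close()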

The point of this exercise is to increase the reliability of a script we use daily which queries four domains. At present if the specified DC were to fail, the script would fail.

I know I can use netdom query to get the results I require but I would much rather keep this all within AutoIt. Any ideas greatly appreciated.

Thanks


Eagles may soar high but weasels don't get sucked into jet engines




#2 ·  Posted (edited)

At present if the specified DC were to fail, the script would fail.

What exactly does "fail" mean in this context? If one of the DCs is down then the script will crash or return an error?

Edited by water

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2017-04-18 - Version 1.4.8.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (NEW 2017-02-27 - Version 1.3.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2015-04-01 - Version 0.4.0.0) - Download - General Help & Support - Example Scripts
Excel - Example Scripts - Wiki
Word - Wiki
PowerPoint (2015-06-06 - Version 0.0.5.0) - Download - General Help & Support

Tutorials:
ADO - Wiki

 


Currently the script uses:

_AD_Open("DomainUser", "password", "DC", "DC.FQDN", "CN=configuration")

however DC.FQDN points at a specific DC. If that DC is unavailable then the _AD_Open() fails so the script cannot function.

I want to list all DCs to an array, test connectivity and, if necessary, move to the next DC in the array. My existing script queries four domains so has to have the ability to work across the domains (all are in the same forest with trusts set up).

I hope this helps to clarify



#4 ·  Posted (edited)

Let me describe how I understand your problem:

You have one DC for every domain hardcoded in your script. You connect to this DC, get a list of all DCs and then test all of them for connectivity.

The problem is: If the hardcoded DC fails you can't query the whole domain.

Edited by water


Another question:

When you run the script you are already successfully connected to a domain?



Hi Water - that is absolutely right, I log onto domain A, then run a query on Domains B, C and D, each of which has a DC specified in the _AD_Open() command.

This all started out as part of a larger task, I have a script which extracts devices by O/S and I thought it would be useful to identify DC's. Then I got to thinking I could use this list of DC's to provide resilience in the event of a DC failure in any script which connects to the different domain(s). At this point, I found I couldn't query DC's on a different domain, hence the post. (I understand that I have to have a connection before I can query anything including DC's, but we have a server estate of around 7000 and new DC's are installed whenever we open a new site)

I know I could get the info by logging on to a device on each domain, which I will do if necessary, but it would be nice if I could control everything from one single instance (also, I'm curious as to why it doesn't seem to work that way).

Hopefully this helps, and thanks for taking time on this



Haven't tried it before so I'm not sure if you get the desired results in your environment. I have only one domain available, so the result is always the same.

The script connects to the domain you are a member of, retrieves the list of DCs plus GCs (should be all DCs of the domain), closes the connection, connects to the first GC and retrieves the list of DCs (should be all DCs of the forest).

You could then loop through the list to check for availability of the DCs.

#include <AD.au3>
#include <Array.au3>
Global $sHostServerGC = ""
; Connect to AD (domain of the logged-on user)
_AD_Open()
ConsoleWrite("_AD_Open: " & @error & "-" & @extended & @LF)
; Get a list of DCs (including GCs) of the current domain
Global $aDC = _AD_ListDomainControllers(False, True)
ConsoleWrite("_AD_ListDomainControllers in Domain: " & @error & "-" & @extended & @LF)
; Stop here if no list came back; the loop below needs the array
If Not IsArray($aDC) Then
    _AD_Close()
    Exit
EndIf
; Search for the first GC
For $i = 1 To $aDC[0][0]
    If $aDC[$i][6] = True Then
        $sHostServerGC = $aDC[$i][2]
        ExitLoop
    EndIf
Next
; Close the current connection to AD
_AD_Close()
ConsoleWrite($sHostServerGC & @LF)
; Connect to the GC in the current domain (port 3268 is the Global Catalog)
_AD_Open("", "", "", $sHostServerGC & ":3268")
ConsoleWrite("_AD_Open to GC: " & @error & "-" & @extended & @LF)
; Get a list of DCs (including GCs) of the forest
$aDC = _AD_ListDomainControllers(False, True)
ConsoleWrite("_AD_ListDomainControllers in Forest: " & @error & "-" & @extended & @LF)
If IsArray($aDC) Then
    _ArrayDisplay($aDC)
Else
    ; @error was already written above; IsArray() has reset it by now
    ConsoleWrite("_AD_ListDomainControllers in Forest returned no array" & @LF)
EndIf
; Close connection to the GC
_AD_Close()


If I connect to a remote domain, the connection is made OK but _AD_ListDomainControllers() still returns the same error (@error = 1, No Domain Controllers Found), which I kinda expected. If I run the script on a device on each domain then _AD_ListDomainControllers() works absolutely fine.

Don't spend any more time on this, I can work with what I have and it was more curiosity than anything really. Thanks for help though, as always it is very much appreciated



If I connect to a remote domain, the connection is made OK but _AD_ListDomainControllers() still returns the same error (@error = 1, No Domain Controllers Found), which I kinda expected. If I run the script on a device on each domain then _AD_ListDomainControllers() works absolutely fine.

Why do you expect to get no DCs when you connect to another domain?

I think it should be possible to connect to any domain and retrieve the list of DCs.

Maybe it's simply a bug in function _AD_ListDomainControllers?



I expected the error as this is what has happened each time I have tried it, on each domain, and trying different accounts. It doesn't seem to be possible to get DC info off any domain that I am not physically logged into. So far all other _AD() functions I have tried work fine on remote domains, but this one seems not to.



I think this is a bug. If you like - and have time to - we can do some debugging and hopefully make it work.



I'd be happy to do what I can. I can work with things as they are, but it would be nice to make this work for myself and anyone else who may be having the same issue (although nobody has made reference to it).

If you let me know what you want done, I'll fit it in. I work in UK usually 8am - 4pm (in theory, usually longer) but I have the facility to work from home as well.



Fine.

Step 1: Please add _AD_ErrorNotify(2) at the top of the script. So we get detailed error information.



#14 ·  Posted (edited)

_AD_Open() produced a list of DC's on the domain I am logged into as expected

_AD_Open(remote domain) using settings from a working script produced an error - screenshot attached


Edited by shornw


I will search the web and hope to come up with a script that lists all DCs in a forest.



As a matter of interest, I have tried running this from a command prompt:

nltest /dclist:<fqdn>

and it returns a list of domain controllers including site info, even from a trusted domain in a different forest, so it is possible to get the info.



Thanks for the info.

I've found a script which queries the Global Catalog (GC) for this info. Need to translate it to AutoIt.



OK, so here's a thing - how stupid do I feel!! :>

This isn't a resolution to the AD_ListDomainControllers issue but it does resolve the original issue I had (no resilience with single DC specified).

It occurred to me that, rather than specify a single DC ($sAD_HostServerParam in AD_Open()) I could use the domain root FQDN (instead of dc.domain.forest.com use domain.forest.com)

I have just tested this across 4 different domains and it seems to work fine

This makes a big difference to me as it means that scripts will connect to any DC available rather than trying to connect to a specific DC which may be unavailable, so stuff I have written for other people is more reliable (identifying DC's which are down is not usually the purpose of my scripts as we have MOM and SCOM in place :) )

Water - you probably need to test this to your satisfaction, but if you find no issues, it might be worth updating the AD_Open.htm to reflect this.


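The approach from the post above (domain root FQDN as the host server), combined with the ordered fallback list asked for earlier in the thread, as an added example that is not code from the thread or from the AD UDF. The function name _OpenWithFallback, the account name, the host names and the DNs are placeholders; the _AD_Open parameter order is the one used in the posts above.

```autoit
#include <AD.au3>

; Added example. Tries each host in $aHosts in order and returns the first one
; that _AD_Open accepts. Put the domain root FQDN first so that name resolution
; can hand back any available DC; named DCs follow as explicit fallbacks.
Func _OpenWithFallback($sUser, $sPassword, $sDomainDN, $sConfigDN, $aHosts)
    Local $iRet, $iErr, $iExt
    For $i = 0 To UBound($aHosts) - 1
        $iRet = _AD_Open($sUser, $sPassword, $sDomainDN, $aHosts[$i], $sConfigDN)
        $iErr = @error ; save before any other function call resets it
        $iExt = @extended
        If $iRet = 1 Then Return $aHosts[$i] ; connected: report which host answered
        ConsoleWrite("_AD_Open via " & $aHosts[$i] & " failed: @error=" & $iErr & ", @extended=" & $iExt & @LF)
    Next
    Return SetError(1, 0, "") ; no host in the list accepted the connection
EndFunc   ;==>_OpenWithFallback

; --- Usage with placeholder values (assumptions, not taken from the thread) ---
Global $sUser = "DOMAINB\query-account"
; Ask for the password at run time instead of embedding it in the compiled script
Global $sPassword = InputBox("AD credentials", "Password for " & $sUser, "", "*")
If @error Then Exit

Global $aHosts[3] = ["domainb.forest.example", _ ; domain root FQDN: any available DC
        "dc1.domainb.forest.example", _          ; explicit fallbacks
        "dc2.domainb.forest.example"]

Global $sUsedHost = _OpenWithFallback($sUser, $sPassword, _
        "DC=domainb,DC=forest,DC=example", _
        "CN=Configuration,DC=forest,DC=example", $aHosts)
If @error Then Exit MsgBox(16, "AD Error", "No host in the list accepted the connection")

ConsoleWrite("Connected via " & $sUsedHost & @LF)
; ... run the existing queries against this domain here ...
_AD_Close()
```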

shornw,

thanks for this information!

I just tested here and it works great. Will change the docu and - if I find some spare time - the wiki too.



Done!

