_AD_ListDomainControllers question

[shornw]

Hi - I use many of the AD.au3 functions regularly and usually have no issues however I am having difficulties with _AD_ListDomanControllers()

if I compile the following and RunAs from a device on the domain I want to query, everything works OK

_AD_Open()
If @error Then MsgBox(16, "AD Error", "_AD_Open failed - Error = " & @error & ", @extended = " & @extended)

Global $aDC = _AD_ListDomainControllers()
If @error Then Exit MsgBox(16, "AD DC Error", "Error = " & @error)
_ArrayDisplay($aDC, "Domain Controllers")
_AD_Close()

However if I try and use the code below from another domain, I get @error = 1 'No Domain Controllers Found'. The account & password are a DA account and work with other queries.

_AD_Open("Domain\User", "password", "DC", "DC.FQDN", "CN=configuration")
If @error Then MsgBox(16, "AD Error", "_AD_Open failed - Error = " & @error & ", @extended = " & @extended)

Global $aDC = _AD_ListDomainControllers()
If @error Then Exit MsgBox(16, "AD DC Error", "Error = " & @error)
_ArrayDisplay($aDC, "Domain Controllers")
_AD_Close()

The point of this exercise is to increase the reliability of a script we use daily which queries four domains. At present if the specified DC were to fail, the script would fail.

I know I can use netdom query to get the results I require but I would much rather keep this all within AutoIT. Any ideas greatly appreciated

Thanks

[water]

At present if the specified DC were to fail, the script would fail.

What exactly does "fail" mean in this context? If one of the DCs is down then the script will crash or return an error? Edited February 11, 2013 by water

[shornw]

currently the script uses:

_AD_Open("DomainUser", "password", "DC", "DC.FQDN", "CN=configuration")

however DC.FQDN points at a specific DC. If that DC is unavailable then the _AD_Open() fails so the script cannot function.

I want to list all DC's to an array, test connectivity and, if necessary, move to the next DC in the array. My existing script queries four domains so has to have the ability to work across the domains (all are in the same forest with trusts setup)

I hope this helps to clarify

[water]

Let me describe how I understand your problem:

You have one DC for every domain hardcoded in your script. You connect to this DC, get a list of all DCs and then test all of them for connectivity.

The problem is: If the hardcoded DC fails you can't query the whole domain.

Edited February 11, 2013 by water

[water]

Another question:

When you run the script you are already successfully connected to a domain?

[shornw]

Hi Water - that is absolutely right, I log onto domain A, then run a query on Domains B, C and D, each of which has a DC specified in the _AD_Open() command.

This all started out as part of a larger task, I have a script which extracts devices by O/S and I thought it would be useful to identify DC's. Then I got to thinking I could use this list of DC's to provide resilience in the event of a DC failure in any script which connects to the different domain(s). At this point, I found I couldn't query DC's on a different domain, hence the post. (I understand that I have to have a connection before I can query anything including DC's, but we have a server estate of around 7000 and new DC's are installed whenever we open a new site)

I know I could get the info by logging on to a device on each domain, which I will do if necessary, but it would be nice if I could control everything from one single instance (also, I'm curious as to why it doesn't seem to work that way).

Hopefully this helps, and thanks for taking time on this

[water]

Haven't tried it before so I'm not sure if you get the desired results in your environment. I have only one domain available, so the result is always the same.

The script connects to the domain you are a member of, retrieves the list of DCs plus GCs (should be all DCs of the domain), closes the connection, connects to the first GC and retrieves the list of DCs (should be all DCs of the forest).

You could then loop through the list to check for availability of the DCs.

#include <Ad.au3>
Global $sHostServerGC
; Connect to AD
_AD_Open()
ConsoleWrite("_AD_Open: " & @error & "-" & @extended & @LF)
; Get a list of DCs (including GCs) of the current domain
Global $aDC = _AD_ListDomainControllers(False, True)
ConsoleWrite("_AD_ListDomainControllers in Domain: " & @error & "-" & @extended & @LF)
; Search for the first GC
For $i = 1 To $aDC[0][0]
    If $aDC[$i][6] = True Then
        $sHostServerGC = $aDC[$i][2]
        ExitLoop
    EndIf
Next
; Close the current connection to AD
_AD_CLose()
ConsoleWrite($sHostServerGC & @LF)
; Connect to the GC in the current domain
_AD_Open("", "", "", $sHostServerGC & ":3268")
ConsoleWrite("_AD_Open to GC: " & @error & "-" & @extended & @LF)
; Get a list of DCs (including GCs) of the forest
$aDC = _AD_ListDomainControllers(False, True)
ConsoleWrite("_AD_ListDomainControllers in Forest: " & @error & "-" & @extended & @LF)
If IsArray($aDC) Then
    _ArrayDisplay($aDC)
Else
    ConsoleWrite("_AD_ListDomainControllers in Forest: " & @error & "-" & @extended & @LF)
EndIf
; Close connection to the GC
_AD_Close()

[shornw]

If I connect to a remote domain, the connection is made OK but _AD_ListDomainControllers() still returns the same error (@error = 1, No Domain Controllers Found), which I kinda expected. if I run the script on a device on each domain then _AD_ListDomainControllers() works absolutely fine.

Don't spend any more time on this, I can work with what I have and it was more curiosity than anything really. Thanks for help though, as always it is very much appreciated

[water]

If I connect to a remote domain, the connection is made OK but _AD_ListDomainControllers() still returns the same error (@error = 1, No Domain Controllers Found), which I kinda expected. if I run the script on a device on each domain then _AD_ListDomainControllers() works absolutely fine.

Why do you expect to get no DCs when you connect to another domain?

I think it should be possible to connect to any domain and retrieve the list of DCs.

Maybe it's simply a bug in function_AD_ListDomainControllers?

[shornw]

I expected the error as this is what has happened each time I have tried it, on each domain, and trying different accounts. It doesn't seem to be possible to get DC info off any domain that I am not physically logged into. So far all other _AD() functions I have tried work fine on remote domains, but this one seems not to.

[water]

I think this is a bug. If you like - and have time to - we can do some debugging and hopefully make it work.

[shornw]

I'd be happy to do what I can. I can work with things as they are, but it would be nice to make this work for myself and anyone else who may be having the same issue (although nobody has made reference to it).

If you let me know what you want done, I'll fit it in. I work in UK usually 8am - 4pm (in theory, usually longer) but I have the facility to work from home aswell

[water]

Fine.

Step 1: Please add _AD_ErrorNotify(2) at the top of the script. So we get detailed error information.

[shornw]

_AD_Open() produced a list of DC's on the domain I am logged into as expected

_AD_Open(remote domain) using settings from a working script produced an error - screenshot attached

Edited February 12, 2013 by shornw

[water]

I will search the web and hope to come up with a script that lists all DCs in a forest.

[shornw]

as a matter of interest, I have tried running this from a command prompt:

nltest /dclist:<fqdn>

and it returns a list of domain controllers including site info, even from a trusted domain in a different forest, so it ispossible to get the info.

[water]

Thanks for the info.

I've found a script which queries the Global Catalog (GC) for this info. Need to translate it to AutoIt.

[shornw]

OK, so here's a thing - how stupid do I feel!!

This isn't a resolution to the AD_ListDomainControllers issue but it does resolve the original issue I had (no resilience with single DC specified).

It occurred to me that, rather than specify a single DC ($sAD_HostServerParam in AD_Open()) I could use the domain root FQDN (instead of dc.domain.forest.com use domain.forest.com)

I have just tested this across 4 different domains and it seems to work fine

This makes a big difference to me as it means that scripts will connect to any DC available rather than a trying to connect to a specific DC which may be unavailable, so stuff I have written for other people is more reliable (identifying DC's which are down is not usually the purpose of my scripts as we have MOM and SCOM in place )

Water - you probably need to test this to your satisfaction, but if you find no issues, it might be worth updating the AD_Open.htm to reflect this.

[water]

shornw,

thanks for this information!

I just tested here and it works great. Will change the docu and - if I find some spare time - the wiki too.

[water]

Done!