Computer Support » domain controller

Finding the Closest Domain Controller

admin — Tue, 06 Jan 2009 00:42:57 +0000

Using a command-line interface

The following command finds the closest domain controller in the specified domain (); that is, a domain controller that is located in the same site or in the closest site if a local DC is not available. By default, it will return the closest DC for the computer nltest is being run from, but you can optionally use the /server option to target a remote host. If you are interested in finding a DC within a particular site regardless of whether it is the closest DC to you, you can also optionally specify the /site option to find a domain controller that belongs to a particular site.

	> nltest /dsgetdc: [/site:] [/server:]

Using VBScript

	' This code finds the closest domain controller in the domain

' that the computer running the script is in.

' ------ SCRIPT CONFIGURATION ------

strDomain = "" ' e.g. emea.rallencorp.com

' ------ END CONFIGURATION --------

	set objIadsTools = CreateObject("IADsTools.DCFunctions")

objIadsTools.DsGetDcName( Cstr(strDomain) )

Wscript.Echo "DC: " & objIadsTools.DCName

Wscript.Echo "DC Site: " & objIadsTools.DCSiteName

Wscript.Echo "Client Site: " & objIadsTools.ClientSiteName

Checking Whether a Windows 2000 Domain Controller Can Be Upgraded to Windows Server 2003

admin — Sat, 03 Jan 2009 00:51:40 +0000

Using a graphical user interface

Insert a Windows Server 2003 CD into the Windows 2000 domain controller or map a drive to the files contained on the CD. Run the following command from the \i386 directory:

	> winnt32 /checkupgradeonly

Using a command-line interface

To produce a compatibility report from the command line, first you need to create a text file containing the following information:

[Unattended]

Win9xUpgrade = Yes

[Win9xUpg]ReportOnly = Yes

SaveReportTo = "\\server1\upgradereports\"

Save this file as unattend.txt, and then run the following from the command-line:

	> winnt32 /checkupgradeonly /unattend:c:\unattend.txt

Listing Domain Controllers and Global Catalog Servers Used by an Exchange Server

admin — Mon, 10 Nov 2008 23:18:45 +0000

Exchange is very dependent upon Active Directory domain controllers. The list of domain controllers currently being used by a server is usually one of the first pieces of information you should gather when you encounter an Exchange issue. While this can be done through the GUI, it is much easier to get the data through a script.

While the GUI provides only a listing of the domain controllers and global catalog servers in use, the WMI provider offers considerably more information. This additional information can be extremely important during troubleshooting, so you should have this script or something similar available to your Exchange Admins for troubleshooting purposes.

Using a graphical user interface

Open the Exchange System Manager (ESM) snap-in.
In the left pane, browse to the Servers container.
Right-click on the target server and select Properties.
Click on the Directory Access tab and view the domain controllers being used.

Using VBScript

' This code enumerates domain controllers being used.' ------ SCRIPT CONFIGURATION ------

strComputer = "" 'e.g., ExchServer2

' ------ END CONFIGURATION ---------set objWMI = GetObject("winmgmts:\\" & strComputer & _

"\root\MicrosoftExchangeV2")

set objDCList = objWMI.ExecQuery("Select * from Exchange_DSAccessDC",,48)

for each objDc in objDCList

Wscript.Echo "DCName: objDc.name"

strTemp = "Automatic"

if (dc.ConfigurationType=0) then strTemp="Manual"

Wscript.Echo "  Selection: " & strTemp

Wscript.Echo "  Is Fast  : " & objDc.IsFast

Wscript.Echo "  In Sync  : " & objDc.IsInSync

Wscript.Echo "  Is Up    : " & objDc.IsUp

Wscript.Echo "  Ldap Port: " & objDc.LDAPPort

strTemp = "Global Catalog"

if (objDc.type=0) then strTemp = "Config"

if (objDc.type=1) then strTemp = "Local Domain"

Wscript.Echo "  Role     : " & strTemp

Wscript.Echo "-----------"

Next

Wscript.Echo "Script completed successfully.

Finding the Closest Domain Controller

admin — Thu, 28 Feb 2008 23:24:57 +0000

The DC locator process as described in MS KB 314861 and MS KB 247811 defines how clients find the closest domain controller. The process uses the site topology stored in Active Directory to calculate the site where a particular client is. After the client site has been identified, it is a matter of finding a domain controller that is either a member of that same site or that is covering that site.

The Microsoft DsGetDcName Directory Services API method implements the DC Locator process, but unfortunately cannot be used directly from a scripting language, such as VBScript. The IADsTools interface provides a wrapper around DsGetDcName, which is what I used. The nltest /dsgetdc command is also a wrapper around the DsGetDcName method, and is a handy tool when troubleshooting client issues related to finding an optimal domain controller.

Using a command-line interface

The following command finds the closest domain controller in the specified domain (). By default, it will return the DC closest to the computer nltest is being run from, but you can optionally use the /server option to target a remote computer. You can also optionally specify the /site option to find a domain controller that belongs to a particular site.

> nltest /dsgetdc: [/site:] [/server:]

Using VBScript

' This code finds the closest domain controller in the domain
 ' that the computer running the script is in.
 ' ------ SCRIPT CONFIGURATION ------
 strDomain = ""  ' e.g., emea.rallencorp.com
 ' ------ END CONFIGURATION ---------

set objIadsTools = CreateObject("IADsTools.DCFunctions")
 objIadsTools.DsGetDcName( Cstr(strDomain) )
 Wscript.Echo "DC: " & objIadsTools.DCName
 Wscript.Echo "DC Site: " & objIadsTools.DCSiteName
 Wscript.Echo "Client Site: " & objIadsTools.ClientSiteName

Running DHCP Server on a Domain Controller

admin — Fri, 22 Feb 2008 20:45:29 +0000

By default, the DHCP Server runs under the credentials of the computer account that is hosting it. If it happens to be running on a domain controller, it runs under the domain controller’s computer account. A domain controller has full permissions over any Active Directory-integrated zones it replicates. The result of the DHCP Server running on a domain controller means that if the DHCP Server has been configured to dynamically register DNS records on behalf of clients, it can potentially update any record stored in an Active Directory-integrated zone. Ultimately, that leaves the zones vulnerable to name hijacking, whereby a client can cause records to be overwritten that shouldn’t be. This can cause all sorts of havoc if an attacker starts replacing important records in your zones.

Microsoft recommends that you avoid this completely by not running the DHCP Server on a domain controller. But as of Windows 2000 Service Pack 1, you can work around this issue by configuring the DHCP Server to use alternate credentials when making dynamic updates. The account doesn’t need any special permissions in order to dynamically update records. After you’ve configured alternate credentials, check the event log for any errors pertaining to logon issues (perhaps the username or password are incorrect) or dynamic update errors.

If you back up a DHCP Server’s configuration using NTBackup, DNS credentials are not backed up. This is done intentionally to prevent someone from hijacking names by restoring a DHCP Server from backup. You must manually restore the DNS credentials if you have to restore a DHCP Server.

Using a graphical user interface

Open the DHCP snap-in.
In the left pane, right-click on DHCP and select Add Server.
Type in the name of the DHCP Server you want to target and click OK.
Right-click the server and select Properties.
Click the Advanced tab.
Click the Credentials button.
Enter the username, domain, and password for the account you want to use.
Click OK until all dialog windows are closed.

Using a command-line interface

Use the following command to display the current DNS credentials used by the DHCP Server:

> netsh dhcp server show dnscredentials

Use the following command to configure new DNS credentials on the DHCP Server:

> netsh dhcp server set dnscredentials

Use the following command to remove the DNS credentials used by the DHCP Server:

> netsh dhcp server delete dnscredentials dhcpfullforce