With DNS Requests (NSLOOKUP)
In an Active Directory environment, all global catalogs (GCs) are registered in DNS. There is a separate subdomain ‘GC._msdcs ….’ in the namespace of the forest root domain (remember: the global catalog does not refer to an individual domain, but to the entire forest). So if the root domain of your forest is, for example, example.root, this command returns a list of all GCs:
C:\> nslookup gc._msdcs.example.root
Server: dns01.example.root
Address: 10.127.60.3
Name: gc._msdcs.example.root
Addresses: 10.127.60.100
10.127.60.102
10.127.60.103
10.127.77.1
10.127.77.130
10.127.93.2
10.127.93.12
192.168.35.1
The _msdcs container holds the infrastructure DNS records of Active Directory. This is also where all the SRV (service) records for the domain controllers are stored.
With DSQUERY
You can also use the standard command-line tool DSQUERY to search for GCs. The search can be limited to certain domains or AD sites. However, you must be authenticated in the relevant forest, and DSQUERY must be available on your machine (this is usually the case on Windows servers). The result lists the matching server objects in the Configuration partition:
C:\> dsquery server -isgc
"CN=DC001,CN=Servers,CN=Site-Sidney,CN=Sites,CN=Configuration,DC=example,DC=root"
"CN=DC014,CN=Servers,CN=Site-Auckland,CN=Sites,CN=Configuration,DC=example,DC=root"
…
C:\> dsquery server -isgc -domain "dev.example.com"
…
C:\> dsquery server -isgc -site "Site-Auckland"
…
With a Script and an LDAP Filter
In the last section we saw that the global catalog servers are present in the Configuration partition of the directory as specific objects. We can look for them there with our own script. These servers have the first bit set in the ‘options’ attribute of their NTDS Settings (nTDSDSA) object. All we need is the appropriate LDAP filter:
' nTDSDSA objects whose 'options' attribute has bit 0 set (bitwise AND matching rule)
ldapFilter = "(&(objectClass=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))"

' Read the DN of the Configuration partition from the rootDSE
Set rootDSE = GetObject("LDAP://rootDSE")
configDN = rootDSE.Get("configurationNamingContext")

' Run the LDAP search through ADO
Set ado = CreateObject("ADODB.Connection")
ado.Provider = "ADSDSOObject"
ado.Open "ADSearch"
Set objectList = ado.Execute("<LDAP://" & configDN & ">;" & ldapFilter & ";distinguishedName;subtree")

While Not objectList.EOF
    nTSDSA = objectList.Fields("distinguishedName")
    serverDN = Mid(nTSDSA, 18)   ' strip the leading "CN=NTDS Settings," => server object
    Set serverObj = GetObject("LDAP://" & serverDN)
    WScript.Echo serverObj.dNSHostName
    objectList.MoveNext
Wend
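
The following added example (not part of the original article) shows offline what the filter's bitwise-AND matching rule selects, and then compares the GCs flagged in the Configuration partition with the addresses returned for gc._msdcs, so that leftover or unexpected DNS registrations stand out. The entries for DC020 and DC030, all host names, the host-to-address mapping, and the helper names are assumptions constructed for illustration.

```python
# Added example; every DN, host name and address mapping below is constructed sample data.
GC_BIT = 0x1  # bit 0 of the nTDSDSA 'options' attribute marks a global catalog
CFG = "CN=Configuration,DC=example,DC=root"
SITES = {"DC001": "Site-Sidney", "DC014": "Site-Auckland",
         "DC020": "Site-Auckland", "DC030": "Site-Sidney"}

def srv_dn(name):
    return f"CN={name},CN=Servers,CN={SITES[name]},CN=Sites,{CFG}"

# (distinguishedName, options) pairs as a search for objectClass=nTDSDSA would return them
NTDS_SETTINGS = [
    ("CN=NTDS Settings," + srv_dn("DC001"), 1),
    ("CN=NTDS Settings," + srv_dn("DC014"), 1),
    ("CN=NTDS Settings," + srv_dn("DC020"), 5),  # GC bit plus one other bit
    ("CN=NTDS Settings," + srv_dn("DC030"), 0),  # domain controller, not a GC
]
# server object DN -> (dNSHostName, address)
SERVERS = {
    srv_dn("DC001"): ("dc001.example.root", "10.127.60.100"),
    srv_dn("DC014"): ("dc014.example.root", "10.127.77.1"),
    srv_dn("DC020"): ("dc020.example.root", "10.127.93.2"),
    srv_dn("DC030"): ("dc030.example.root", "10.127.93.12"),
}
# Addresses returned for gc._msdcs.example.root (constructed subset)
DNS_GC_ADDRESSES = ["10.127.60.100", "10.127.77.1", "192.168.35.1"]

def bit_and_match(value, mask):
    """Semantics of matching rule 1.2.840.113556.1.4.803: all mask bits must be set."""
    return value & mask == mask

def server_dn(ntds_dn):
    """Strip the leading 'CN=NTDS Settings,' RDN, like Mid(dn, 18) in the script."""
    prefix = "CN=NTDS Settings,"
    if not ntds_dn.startswith(prefix):
        raise ValueError("not an NTDS Settings DN: " + ntds_dn)
    return ntds_dn[len(prefix):]

def gc_servers(entries):
    """Server DNs whose NTDS Settings object has the GC bit set."""
    return [server_dn(dn) for dn, opts in entries if bit_and_match(opts, GC_BIT)]

def reconcile(entries, servers, dns_addresses):
    """Compare GCs known to the directory with the addresses published in DNS."""
    directory = {servers[dn][1]: servers[dn][0] for dn in gc_servers(entries)}
    dns = set(dns_addresses)
    return {"dns_only": sorted(dns - set(directory)),
            "directory_only": sorted(directory[a] for a in set(directory) - dns)}

if __name__ == "__main__":
    print(reconcile(NTDS_SETTINGS, SERVERS, DNS_GC_ADDRESSES))
```

An address that appears only in DNS, or a GC that appears only in the directory, is worth a closer look before clients are allowed to rely on it.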