How to find a Global Catalog server?

With DNS Requests (NSLOOKUP)

In an Active Directory environment, all Global Catalogs are anchored in DNS . There is a separate subdomain ‘GC._msdcs ….’ in the namespace of the AD root domain (please remember: the global catalog does not refer to individual domains, but to the entire forest). So if your root domain in the forest is e.g. example.root, then you get a list of all GCs with this command:

C:\> nslookup gc._msdcs.example.root

Server:  dns01.example.root

Name:  gc._msdcs.example.root

The container _msdcs contains the infrastructural DNS records of the Active Directory. This is also where all the SRVservice records for the domain controllers are stored.


You can also use the standard command line tool DSQUERY for searching GCs. The search can be limited to certain domains or AD sites. However, you must be authenticated in the regarding forest and DSQUERY must be available on your machine (this is usually the case on Widows servers). As a result, the server objects in the Configuration partition is displayed:

C:\> dsquery server -isgc


C:\> dsquery server -isgc -domain ""

C:\> dsquery server -isgc -site "Site-Auckland"

Per Script with an LDAP filter
In the last section we have seen that the global catalog servers are present in the configuration partition of the directory as specific objects. Her we can look for them with our own script. These servers have set the first bit in their ‘options’ attribute. All we need is the appropriate LDAP filter:

ldapFilter = "(&(objectClass=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))"

Set rootDSE = GetObject("LDAP://rootDSE")
configDN =   rootDSE.Get("configurationNamingContext")

Set ado = CreateObject("ADODB.Connection")
ado.Provider = "ADSDSOObject"
ado.Open "ADSearch"
Set objectList =   ado.Execute("<LDAP://" &configDN& ">;" & ldapFilter & ";distinguishedName;subtree")

While Not objectList.EOF
nTSDSA = objectList.Fields("distinguishedName")
serverDN = Mid(nTSDSA, 18)                                         'CN=NTDS Settings abschneiden => Server Objekt
Set serverObj = GetObject("LDAP://" & serverDN )

WScript.Echo serverObj.dNSHostName




Deixe uma resposta

O seu endereço de email não será publicado. Campos obrigatórios marcados com *