When dealing with Active Directory it is very important to really know your environment. This means knowing your Domain Controllers, your Global Catalogs, which DCs have the FSMO roles, sites, policies and so on. This info is needed especially when you have a problem and want to start debugging or worse, you need to recover some data or to rebuild something.
Now first I want to mention that all the information you may need can also be obtained via the GUI, but the problem there is that in some cases you will waste a lot of time just clicking all over the place. Here is where Powershell comes in: in just a couple of lines of code you can obtain a lot of info about your Active Directory infrastructure.
In this post I want to show you how to obtain 3 of the things an administrator needs to know in certain moments: what are the Domain Controllers in my domain, what DCs are Global Catalogs and which DCs hold the 5 FSMO roles. It is also useful to know how to obtain this info for writing documentation.
We are going to get everything using Powershell. These commands work in all PS versions from 2.0 and up and should work on all operating systems that support the Powershell versions. Another requirement is to run the commands from a computer with the Active Directory Powershell module installed. This means you can run the commands from a Domain Controller, a server with the Powershell Module for Active Directory installed or a client with the RSAT tools installed. For Powershell 2.0 you will also need to import the module in order to use the commands.
Enough talking; let’s start. First we will get a list with all Domain Controllers in the current domain.
If you are using Powershell 2.0 run the following command first in order to import the Active Directory module in the Powershell console:
Get a list of Domain Controllers
In big AD infrastructures you may have a lot of DCs so it does not hurt to know a command that can find all of them at once. The Powershell CmdLet to do this is Get-ADDomainController. By running the below command you will get a list of all DCs with some basic info about them:
Get-ADDomainController -Filter *
Here is the result for my test domain with 2 DCs promoted.
You can see I got DC1 and DC2. The thing is that all I really wanted is just to see the Domain Controller names and nothing more. This can be done by piping the above command to Select-Object so you keep only the Name property:
Get-ADDomainController -Filter * | Select-Object Name
Now the result is much cleaner and easier to read.
Get FSMO role holders
With the DC list covered let’s see which one has what FSMO role on it. FSMO or Flexible Single Master Operations roles represent special tasks that Domain Controllers must do in order for AD to work. One role is assigned to one Domain Controller and it is important to not forget where each role is installed.
There are 5 FSMO roles: 3 are domain wide and the other 2 are forest wide. This is an important fact as the commands to get the roles are different for domain and forest scopes.
For the domain wide FSMO roles the command to use is Get-ADDomain. This brings up some useful info about the domain you are connected to.
To clean up the code a little so it shows only the 3 FSMO roles at the domain level just run the command and select the desired fields:
Get-ADDomain | Select-Object InfrastructureMaster,PDCEmulator,RIDMaster
With the Get-ADForest CmdLet you can obtain some info regarding the forest your domain is in. This includes the 2 FSMO roles remaining.
As before, using Select-Object can help us concentrate on the information we need right now:
Get-ADForest | Select-Object DomainNamingMaster,SchemaMaster
Get Global Catalogs
Another thing that will be useful to you is to know which Domain Controllers are Global Catalogs. Every domain must have at least one GC so it doesn’t hurt to have this information up to date.
A Global Catalog list for the forest can be obtained from the Get-ADForest CmdLet by selecting the output as shown in the code below:
Get-ADForest | Select-Object -ExpandProperty GlobalCatalogs
The result can be seen in the picture:
So there you have it. This is how easy it is to obtain this info from your AD infrastructure.
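The three lookups above can be combined into one table per Domain Controller and compared against a saved copy, so that a new DC, a moved FSMO role or a changed Global Catalog flag stands out. This is an added example, not code from the original post; the baseline path is a hypothetical placeholder, and FSMO roles held by a DC in another domain of the forest will not appear in the per-DC column.

```powershell
# Added example: inventory of DCs, Global Catalog status and FSMO roles,
# compared with a previously saved baseline. Syntax kept PowerShell 2.0 compatible.
Import-Module ActiveDirectory

# Assumption: hypothetical location for the baseline file; change it for your environment.
$BaselinePath = 'C:\ADDocs\dc-baseline.csv'

$domain = Get-ADDomain
$forest = Get-ADForest

# Map each FSMO role name to the host name of the DC that currently holds it.
$fsmo = @{
    InfrastructureMaster = $domain.InfrastructureMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    SchemaMaster         = $forest.SchemaMaster
}

# One row per DC in the current domain.
$inventory = Get-ADDomainController -Filter * | Sort-Object HostName |
    Select-Object HostName, Site, IPv4Address,
        @{ Name = 'IsGlobalCatalog'
           Expression = { $forest.GlobalCatalogs -contains $_.HostName } },
        @{ Name = 'FsmoRoles'
           Expression = {
               $dcName = $_.HostName
               ($fsmo.Keys | Where-Object { $fsmo[$_] -eq $dcName } | Sort-Object) -join ';'
           } }

$inventory | Format-Table -AutoSize

$columns = 'HostName', 'Site', 'IPv4Address', 'IsGlobalCatalog', 'FsmoRoles'
if (Test-Path $BaselinePath) {
    $baseline = Import-Csv $BaselinePath
    # Round-trip through CSV so both sides are compared as strings.
    $current = $inventory | ConvertTo-Csv -NoTypeInformation | ConvertFrom-Csv
    $diff = Compare-Object $baseline $current -Property $columns
    if ($diff) {
        # SideIndicator '<=' is a row only in the baseline, '=>' a row only in the current state.
        Write-Warning 'Domain Controller inventory differs from the saved baseline:'
        $diff | Format-Table -AutoSize
    } else {
        Write-Output 'No change since the baseline was saved.'
    }
} else {
    # First run: store the current state as the baseline.
    $inventory | Export-Csv $BaselinePath -NoTypeInformation
}
```

After a planned change, such as promoting a DC or transferring a role, delete the baseline file and run the script again to record the new state.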