Confirming computer exists under all domain controllers in a domain?

Question

Confirming computer exists under all domain controllers in a domain?

Christopher Compton 1

I am trying to create a PowerShell script that will confirm what domain controllers are seeing a computer that I am joining to the domain. The reason being is I would like it as a tool to troubleshoot trust relationship issues with computers that are having difficulty joining the domain. I'm unsure how I would go about checking. Obviously I could use something like:

get-addomaincontroller -filter * | Select name

This could be run from the target computer to see all listed domain controllers. But I would more so like to be able to search domain controllers filtering by the computer name of the computer in question because I am mostly troubleshooting the trust issues remotely.

Anybody have any ideas?

Andreas Baumgarten 123.5K Reputation points MVP Volunteer Moderator

2023-01-14T17:46:55.2233333+00:00

Hi @Christopher Compton ,

did the answer work for you? Are there any additional questions to this topic?

If you found the answer helpful, it would be great if you please mark it "Accept as answer". This will help others to find answers in Q&A

Regards

Andreas Baumgarten

3 answers

Your answer

Andreas Baumgarten 123.5K Reputation points MVP Volunteer Moderator

2023-01-14T17:46:55.2233333+00:00

Hi @Christopher Compton ,

did the answer work for you? Are there any additional questions to this topic?

If you found the answer helpful, it would be great if you please mark it "Accept as answer". This will help others to find answers in Q&A

Regards

Andreas Baumgarten

Answer 1

Andreas Baumgarten 123.5K MVP Volunteer Moderator

Hi @Christopher Compton ,

maybe something like this helps to get started:

$computer = "test1"  
Get-ADDomainController | ForEach-Object {  
  try {  
    $compObj = Get-AdComputer -Identity $computer -Server $_.Name -ErrorAction SilentlyContinue  
    if ($compObj) {  
      Write-Host "Computer $computer found on DC $_" -ForegroundColor Green  
    }  
  }  
  catch {    
    Write-Host "($_)" -ForegroundColor Red  
  }  
}

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten

NHS Chris 0 Reputation points

2024-12-05T09:02:19.72+00:00

Hi Andreas Baumgarten

I used your code today to solve a problem I was having, but I've found it doesn't work as I thought. It simple appears to check one AD controller and not all that are in the domain. How can it be adjusted to check each in turn?
Andreas Baumgarten 123.5K Reputation points MVP Volunteer Moderator

2024-12-05T17:50:56.63+00:00
Hi @NHS Chris ,

what is the result if you run just this cmdlet?

Get-ADDomainController

It should be a list of all domain controllers.

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten
Rich Matheisen 47,901 Reputation points

2024-12-05T20:22:06.1233333+00:00

@Andreas Baumgarten "It should be a list of all domain controllers"

That's true, but it needs a qualification: "within the domain of the user account running the cmdlet, or within the domain of the queried domain controller."

The OP thinks he has a trust problem (". . . troubleshoot trust relationship issues with computers that are having difficulty joining the domain"). That implies the possible use of multiple domains in a single AD forest. Or a trust between multiple forests.

But there's so much left unsaid in the problem description! For example, if the work is to be done from a machine that's a member of a workgroup (recall that machine is the one that's having a problem joining a domain), can the ActiveDirectory module be installed on that machine?

If not, the OP will have to use nltest to acquire the information.

Get all domains in the forest: nltest /dsgetdc:yourdomain.com /forest

Get all the DCs in a domain from one DC: nltest /server:yourdc.yourdomain.com /dclist:yourdomain.com

And (if necessary), reset the secure channel to a DC to enable using nltest: nltest /sc_reset:yourdomain.com\yourdc

But really, what's being asked is already covered by command line tools written to aid in troubleshooting!

While it's possible to use ActiveDirectory module on a workgroup machine, the -Credential parameter would be needed on each cmdlet

Answer 2

Get a list of all DCs and use that in a ForEach-Object loop. Use the Get-ADComputer cmdlet to look for the computer name in the filter and add the "-Server" parameter using the name of the DC in the iteration of the loop.

But this isn't going to help you troubleshoot trusts, or replication. There are GUI and command line tools for that. Here's one of each:

get-use-active-directory-replication-status-tool
repadmin-how-to-check-active-directory-replication

If you want to use PowerShell, there are ways to do that, too: 326364

Answer 3

Neither my earlier answer, nor Andreas' answer, handled the task of getting all Domain Controllers in a forest.

function Get-AllDCs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)
        [string]$DCName = $ForestName
    )
 
    $Forest = Get-ADForest -Server $ForestName
    foreach($Domain in $Forest.Domains) {    # get each domain in forest
        Get-ADDomainController -Filter * -Server $Domain |  # for each domain get DCs
            Select-Object Domain,HostName,Site
    } 
}

You can expand on that to check each DC in each domain and verify that each DC in a domain returns the same list.

To be through you should probably verify that each Global Catalog server in each domain contains the same list for each domain.

I still think you should verify that AD replication is functioning properly.

You can verify trusts, too:

https://serverfault.com/questions/509965/how-can-i-verify-the-trust-between-2-domains-in-windows-server-2008r2-active-dir

Share via

Confirming computer exists under all domain controllers in a domain?

3 answers

Your answer