Friday, July 20, 2012

Is It a Domain Controller

I recently went into our test lab and there was a guy working in there and he asked me:

"If I'm on a machine, how do I know if it is a Domain Controller?"
These are often my favorite types of questions.  No time to check Bing/Google, no time to check a book.  Just a quick question that is answered in seconds.   By the way in those situations it is also ok to say "I don't know" or "I'll get back to you".  A lot of times you will see people blowing smoke and making stuff up.

The guy wasn't trying to be an ass but trying to learn AD and the lab is a perfect place for it.  We have a lot of VMs in our lab and I didn't know what box he was on when I walked in.

My initial thought was to tell him to look for admin tools etc but then after a second I realized not every box has the admin tools installed.  Then I thought look for the AD Domain Services and see if they are started.  That thought lasted for a half second.  We still have 2003 DCs too so if he was on one of those then no services.

The answer I gave him was to run:

net share 

If the sysvol share is present then it is a domain controller.

I started thinking of other ways and reached out to some friends and asked what they would have suggested for this quick question.

One suggestion by my friend Troy was to run

netdom query dc

I thought that was a good one, and teaming that with hostname so that the person knows the name of the machine works great.

My buddy Eric had a good one, it is a bit more involved because it would require the person to know about AD ports...but if they are learning they should know some of these. Use netstat -ano and look for AD ports (88, 389, 3268, and others)

netstat -ano  or netstat -ano | findstr /i listening

There are a lot of ways to do this.  You could look for SRV records.  If ADUC was installed you could have them check there for the DC.

If you also look at the drop down when you login and it has no local server name then that is another good indication.  In this case he was already logged in.

So what answers would you have given?  Are there quicker easier ways that you would have told someone just starting out with AD to check if they are at a domain controller?

Update from Kurt (thanks for your service in the war zones).    I posed this question to a mid-level AD admin.  His response was "run dcpromo, it will tell you if it is a DC".   That is true and something I didn't think of in the 5 second response.  This is why I love many ways to do something and a lot of great solutions.

My only caveat about this method is that if someone was being careless, didn't read, and clicked next, next and finished the wizard, then they could also be demoting a DC....I'm hoping people using AD can read :)

In the example below the computer is obviously a DC.

Note: The dcpromo method won't work in Windows 2012...because they killed that off...more on that in future posts.   I'm guessing very few folks are currently running Windows 2012 in production.  Example of start > run > dcpromo on a Windows 2012 DC below.

Update 2: Krzystof  had a great suggestion in the comments and that was to use systeminfo 

systeminfo | findstr /i /c:"OS Configuration"
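
The checks above, rolled into one read-only PowerShell report. This is an added example, not from the original post or its commenters: the function name Get-DcEvidence is made up for illustration, and the WMI DomainRole and ProductType lookups are an addition the post does not mention. It assumes English-language netstat output, the same assumption as findstr /i listening.

```powershell
# Added example: gather the signals from the post in one pass, changing nothing.
# Get-WmiObject is used so it also runs on older hosts with PowerShell 2.0.
function Get-DcEvidence {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # Win32_ComputerSystem.DomainRole is an index into this list (4 and 5 are DCs).
    $roleNames = @('Standalone Workstation', 'Member Workstation',
                   'Standalone Server', 'Member Server',
                   'Backup Domain Controller', 'Primary Domain Controller')

    # Same signal as "net share": is the SYSVOL share published?
    $sysvol = @(Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Name -eq 'SYSVOL' })

    # Same signal as "netstat -ano | findstr /i listening", limited to the
    # AD ports named in the post. Handles IPv4 and [::] IPv6 local addresses.
    $adPorts = 88, 389, 3268
    $listening = @(netstat -ano | Select-String -Pattern 'LISTENING' |
        ForEach-Object {
            if ($_.Line -match '^\s*TCP\s+\S+:(\d+)\s') { [int]$Matches[1] }
        } |
        Where-Object { $adPorts -contains $_ } |
        Sort-Object -Unique)

    New-Object PSObject -Property @{
        ComputerName     = $cs.Name                   # same as "hostname"
        Domain           = $cs.Domain
        DomainRole       = $roleNames[$cs.DomainRole]
        RoleSaysDC       = ($cs.DomainRole -ge 4)     # 4 = backup DC, 5 = primary DC
        ProductSaysDC    = ($os.ProductType -eq 2)    # 1 = workstation, 2 = DC, 3 = server
        SysvolShared     = ($sysvol.Count -gt 0)
        ADPortsListening = ($listening -join ', ')
    }
}

Get-DcEvidence | Format-List ComputerName, Domain, DomainRole, RoleSaysDC,
    ProductSaysDC, SysvolShared, ADPortsListening
```

DomainRole and ProductType are what Windows itself reports about the machine; the share and the listening ports are corroborating signals, since a non-DC can listen on 389 if it runs another LDAP service.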

Friday, July 13, 2012

Speaking at Microsoft TechGate Conference on 9/15

This mainly applies to readers that are in the DC, Virginia, and Maryland region as I don't think anyone is going to fly in for this :)

Microsoft is sponsoring TechGate 2012 on September 15, 2012 at their Reston, VA office.  There are 15 sessions and five workshops so it should be a good day.  It will also not be 100 degrees every day by that time so come out if you can.

You can find more information and register for the conference here:

As you can see I will be speaking about new Active Directory features in Windows Server 2012.  I'm really looking forward to it.  I'm also hoping to devote 10 minutes at the end to discuss what features folks would like to see in R2 or future versions.  That is feedback I'll take back to the AD team during the MVP summit in early 2013.

I'm really looking forward to meeting other members of the DC IT community in a few months.

Monday, July 2, 2012

MVP Award - Year Four

I woke up yesterday to great news that I've been awarded the MVP award in Directory Services for the fourth year.  I have previously written blogs with long thank you lists so I won't do that again.  Just a continued huge thanks to everyone I mentioned in those two blog entries.  I've learned from a lot of people and glad to help others.

My favorite part about being an MVP is the MVP summit and I'm really looking forward to going to Seattle again in the late winter.

This is an exciting time for Active Directory.  Windows 2012 is being released later this year.  Windows Azure Active Directory is coming online.  We will have a lot to learn but that is the fun part for me.