So one thing you have to remember is that after NT4 there really is no such concept 
as a "PDC" anymore.  You have replica domain controllers and roles they play 
within the infrastructure (i.e. schema master, PDC emulator, domain naming 
master, infrastructure master, RID master).  So any machine you find that is a 
DC will contain the same data and importance within the network.  You could 
also have a single DC holding all the roles, but if you're in an environment 
large enough to have multiple DCs that would be dumb :-)

That being said, the domain controller which is the PDC emulator in your 
network will respond to NTP requests and takes a stratum of 2.  The other DCs 
in the forest root domain or PDC emulators in child domains take a stratum of 
3.  So if you send out an NTP broadcast packet, you can see who responds.  
Machines joined to the domain will automatically use this hierarchy (a net time 
/domain:domainname will spit the PDC emulator back out at you, or one of the 
stratum 3 servers if the PDC emulator is offline).  Of course, if you aren't 
joined to the domain and have other NTP servers running on that segment, it's 
possible you get a response from a non-DC when you send an NTP broadcast out.

You can also look for machines with TCP 88 and 389 open (Kerberos/LDAP).  
Again, possible to have non DCs running these services, but not likely in an M$ 
shop.  Along the same lines, you can also make DNS requests for _ldap and 
_kerberos SRV records for the domain.

There's also a cool VBScript for this that works awesome if you've owned...I 
mean you're on a domain member workstation... 
http://msdn.microsoft.com/en-us/library/ms676299(VS.85).aspx



-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Robin Wood
Sent: Thursday, March 25, 2010 5:55 AM
To: PaulDotCom Mailing List
Subject: [Pauldotcom] detecting PDCs

Hi
I'm wondering what techniques people are using to detect domain
controllers when they get on networks. I've asked a few people and the
standard answer seems to be to look for the DNS server as the PDC is
usually also acting as the DNS server. Has anyone else got any better
or alternative techniques they use?

Robin
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
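
The SRV-record check mentioned in the reply, as an added example that is not part of the original thread: it parses SRV answers in dig's answer layout and separates hosts advertised for both LDAP and Kerberos from hosts advertised for only one, which is the non-DC case the reply warns about. The domain `corp.example` and its hostnames are constructed; the `dc._msdcs` and `pdc._msdcs` owner names are the standard Active Directory locator records and are not named in the thread.

```python
import re
from collections import defaultdict

# Constructed sample (dig "+noall +answer" layout) for the made-up domain corp.example.
SAMPLE = """\
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc01.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc02.corp.example.
_kerberos._tcp.corp.example. 600 IN SRV 0 100 88 dc01.corp.example.
_kerberos._tcp.corp.example. 600 IN SRV 0 100 88 dc02.corp.example.
_ldap._tcp.pdc._msdcs.corp.example. 600 IN SRV 0 100 389 dc01.corp.example.
_ldap._tcp.corp.example. 600 IN SRV 10 50 389 dir01.corp.example.
"""

SRV_LINE = re.compile(
    r"^(?P<owner>\S+?)\.?\s+\d+\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+?)\.?$"
)

def parse_srv(text):
    """Yield (owner, priority, weight, port, target) for each SRV answer line."""
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            yield (m["owner"].lower(), int(m["prio"]), int(m["weight"]),
                   int(m["port"]), m["target"].lower())

def classify(text):
    """Map each SRV target to a verdict based on the services it is advertised for."""
    seen = defaultdict(set)
    for owner, _prio, _weight, port, target in parse_srv(text):
        if owner.startswith("_ldap._tcp.pdc._msdcs."):
            seen[target].add("pdc")
        if owner.startswith("_ldap._tcp.") and port == 389:
            seen[target].add("ldap")
        elif owner.startswith("_kerberos._tcp.") and port == 88:
            seen[target].add("kerberos")
    verdicts = {}
    for host, tags in seen.items():
        if "pdc" in tags:
            verdicts[host] = "pdc-emulator"
        elif {"ldap", "kerberos"} <= tags:
            verdicts[host] = "likely-dc"
        else:
            verdicts[host] = "review: " + "+".join(sorted(tags)) + " only"
    return verdicts

if __name__ == "__main__":
    for host, verdict in sorted(classify(SAMPLE).items()):
        print(f"{host:22} {verdict}")
```

A host that lands in the review bucket is a directory or Kerberos service registered in DNS without the matching counterpart, so it is worth confirming by hand before it is counted as a DC in an inventory.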

