how to verify a machine is a DC

Michael B Allen ioplex at
Sat Feb 23 02:39:16 GMT 2008

On 2/22/08, ronnie sahlberg <ronniesahlberg at> wrote:
>  You can try a CLDAP ping to the host, and if it is an AD DC it will
>  respond back to you and tell you which domain it belongs to.

I agree the CLDAP netlogon attribute query is perfect for this. The
flags field will tell you not only if it's a KDC but also if it's
writable, a PDC, a GC, etc.

Unfortunately there's no generic CLDAP netlogon attribute query code
out there. OpenLDAP's support for CLDAP is flaky. I ended up writing
my own code to do this (although in hindsight I probably could have
used OpenLDAP's liblber to help but I wasn't sure if AD would care
about it being encoded in DER as opposed to Windows' quirky encoding

Someone should really write a little 'cldap-ping' utility. The network
monitoring and asset manager types would love it.


Michael B Allen
PHP Active Directory SPNEGO SSO
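
The CLDAP netlogon query discussed in this thread, as an added example that is not part of the original post or of any project's code: it builds the searchRequest and reads the Flags field of a NETLOGON_SAM_LOGON_RESPONSE_EX reply. Flag bits and opcodes 23/25 follow MS-ADTS; the function names are this example's own and `SAMPLE` is a constructed reply, not captured traffic.

```python
import struct

# DS_FLAG_* bits of the Flags field in NETLOGON_SAM_LOGON_RESPONSE_EX (MS-ADTS)
DS_FLAGS = {0x001: "PDC", 0x004: "GC", 0x008: "LDAP", 0x010: "DS",
            0x020: "KDC", 0x040: "TIMESERV", 0x080: "CLOSEST", 0x100: "WRITABLE"}

def tlv(tag, body=b""):
    """BER-encode one element with a definite length (short or long form)."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw) + body

def read_tlvs(buf):
    """Split BER bytes into (tag, value) pairs; long-form lengths are accepted."""
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def build_ping(dns_domain, msg_id=1):
    """searchRequest: empty base, base scope, (&(DnsDomain=..)(NtVer=6)), attr Netlogon."""
    eq = lambda attr, val: tlv(0xA3, tlv(0x04, attr) + tlv(0x04, val))
    filt = tlv(0xA0, eq(b"DnsDomain", dns_domain.encode()) + eq(b"NtVer", struct.pack("<I", 6)))
    req = (tlv(0x04) + tlv(0x0A, b"\0") * 2 + tlv(0x02, b"\0") * 2 + tlv(0x01, b"\0")
           + filt + tlv(0x30, tlv(0x04, b"Netlogon")))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x63, req))  # msg_id < 128 assumed

def parse_reply(datagram):
    """Return the DC role flags in a reply, or None if it is not an EX netlogon response."""
    try:
        op_tag, op = read_tlvs(read_tlvs(datagram)[0][1])[1]  # first LDAPMessage only
        attr = read_tlvs(read_tlvs(op)[1][1])[0][1]           # first PartialAttribute
        blob = read_tlvs(read_tlvs(attr)[1][1])[0][1]         # first value in its SET
        opcode, _sbz, flags = struct.unpack_from("<HHI", blob)
    except (IndexError, struct.error):
        return None
    if op_tag != 0x64 or opcode not in (23, 25):  # searchResEntry; *_RESPONSE_EX / *_UNKNOWN_EX
        return None
    return [name for bit, name in DS_FLAGS.items() if flags & bit]

# Constructed sample reply (not captured traffic): opcode 23, Flags 0x1FD, zeroed GUID
SAMPLE = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x64, tlv(0x04) + tlv(0x30, tlv(0x30,
    tlv(0x04, b"Netlogon")
    + tlv(0x31, tlv(0x04, struct.pack("<HHI", 23, 0, 0x1FD) + bytes(16)))))))
```

To query a live host, send the bytes from `build_ping(domain)` to UDP port 389 and pass the datagram that comes back to `parse_reply`.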

More information about the samba-technical mailing list