how to verify a machine is a DC

Michael B Allen ioplex at gmail.com
Sat Feb 23 02:39:16 GMT 2008


On 2/22/08, ronnie sahlberg <ronniesahlberg at gmail.com> wrote:
>  you can try a cldap ping to the host and if it is an AD dc it will
>  respond back to you and tell you which domain it belongs to.

I agree the CLDAP netlogon attribute query is perfect for this. The
flags field will tell you not only if it's a KDC but also if it's
writable, a PDC, a GC, etc.

Unfortunately there's no generic CLDAP netlogon attribute query code
out there. OpenLDAP's support for CLDAP is flaky. I ended up writing
my own code to do this (although in hindsight I probably could have
used OpenLDAP's liblber to help, but I wasn't sure if AD would care
about it being encoded in DER as opposed to Windows' quirky encoding
style).

Someone should really write a little 'cldap-ping' utility. The network
monitoring and asset manager types would love it.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/