PaulDotCom mailing list archives

detecting PDCs


From: Russell.Butturini at Healthways.com (Butturini, Russell)
Date: Thu, 25 Mar 2010 10:20:21 -0500

So one thing you have to remember is that after NT4 there really is no such concept as a "PDC" anymore.  You have replica 
domain controllers and roles they play within the infrastructure (i.e. schema master, PDC emulator, domain naming 
master, infrastructure master, RID master).  So any machine you find that is a DC will contain the same data and 
importance within the network.  You could also have a single DC holding all the roles, but if you're in an environment 
large enough to have multiple DCs that would be dumb :-)

That being said, the domain controller which is the PDC emulator in your network will respond to NTP requests and takes 
a stratum of 2.  The other DCs in the forest root domain or PDC emulators in child domains take a stratum of 3.  So if 
you send out an NTP broadcast packet, you can see who responds.  Machines joined to the domain will automatically use 
this hierarchy (a net time /domain:domainname will spit the PDC emulator back out at you, or one of the stratum 3 
servers if the PDC emulator is offline).  Of course, if you aren't joined to the domain and have other NTP servers 
running on that segment, it's possible you get a response from a non-DC when you send an NTP broadcast out.

You can also look for machines with TCP 88 and 389 open (Kerberos/LDAP).  Again, possible to have non DCs running these 
services, but not likely in an M$ shop.  Along the same lines, you can also make DNS requests for _ldap and _kerberos 
SRV records for the domain.

There's also a cool VBScript for this that works awesome if you've owned...I mean you're on a domain member 
workstation... http://msdn.microsoft.com/en-us/library/ms676299(VS.85).aspx



-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Robin Wood
Sent: Thursday, March 25, 2010 5:55 AM
To: PaulDotCom Mailing List
Subject: [Pauldotcom] detecting PDCs

Hi
I'm wondering what techniques people are using to detect domain
controllers when they get on networks. I've asked a few people and the
standard answer seems to be to look for the DNS server as the PDC is
usually also acting as the DNS server. Has anyone else got any better
or alternative techniques they use?

Robin


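The NTP stratum check described in the reply above, turned into an audit of who answers NTP on a segment. This is an added example, not part of the original thread. The DC inventory, addresses and packets are constructed, and the stratum-to-role mapping is the one stated in the post, not verified here.

```python
import socket
import struct
from typing import NamedTuple

# First 16 bytes of the NTP header (RFC 5905): LI/VN/Mode, stratum, poll,
# precision, root delay, root dispersion, reference ID.
HEADER = struct.Struct("!BBbbII4s")

class NtpReply(NamedTuple):
    source: str
    mode: int
    stratum: int
    upstream: str  # reference ID; an IPv4 address for stratum >= 2 over IPv4

def parse_ntp_reply(source: str, data: bytes) -> NtpReply:
    if len(data) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    first, stratum, _, _, _, _, ref = HEADER.unpack_from(data)
    mode = first & 0x07
    if mode not in (4, 5):  # 4 = server, 5 = broadcast
        raise ValueError("not a server or broadcast reply")
    upstream = socket.inet_ntoa(ref) if stratum >= 2 else ref.decode("ascii", "replace")
    return NtpReply(source, mode, stratum, upstream)

def classify(reply: NtpReply, known_dcs: set) -> str:
    if reply.source not in known_dcs:
        return "unexpected-responder"  # the non-DC responder case the post mentions
    if reply.stratum in (0, 16):
        return "unsynchronized"
    # Stratum-to-role mapping as stated in the post (assumption, not verified).
    roles = {2: "pdc-emulator-candidate", 3: "other-dc"}
    return roles.get(reply.stratum, "outside-described-hierarchy")

def audit(replies, known_dcs):
    return {src: classify(parse_ntp_reply(src, pkt), known_dcs) for src, pkt in replies}

def make_reply(stratum: int, upstream: str) -> bytes:
    """Build a constructed 48-byte server reply (LI=0, VN=3, Mode=4)."""
    return HEADER.pack(0x1C, stratum, 6, -23, 0, 0, socket.inet_aton(upstream)) + bytes(32)

# Constructed sample data (documentation address ranges), not real captures.
KNOWN_DCS = {"192.0.2.10", "192.0.2.11"}
SAMPLE_REPLIES = [
    ("192.0.2.10", make_reply(2, "198.51.100.1")),
    ("192.0.2.11", make_reply(3, "192.0.2.10")),
    ("192.0.2.50", make_reply(2, "198.51.100.1")),  # not in the DC inventory
]
```

A responder that is missing from the inventory is the case worth investigating: it is either an undocumented time source or a DC the inventory does not know about.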

