Domain Controllers

This details various different techniques and methods required to enumerate domain controllers within Active Directory.

Windows
PowerView
Native Powershell
Enumerate all domain controllers
Get all domain controllers inside the domain corp.contoso.local
C:\> nltest /dclist:corp.contoso.local
C:\> nslookup -type=all _ldap._tcp.dc._msdcs.corp.contoso.local
C:\> net group "domain controllers" /domain
Which domain controller authenticated my session?
C:\>echo %LOGONSERVER%
C:\> nltest /dsgetdc:corp.contoso.local
Enumerate all domain controllers
PS C:\> Get-DomainController
Enumerate individual domain controller
PS C:\> Get-DomainComputer CDC001
Enumerate all domain controllers
PS C:\> ([ADSISearcher]"(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))").FindAll()
​

Active Directory Enumeration - Previous

Computer Enumeration

Next - Active Directory Enumeration

User Enumeration

Last modified 3yr ago