Finding your RODCs using PowerShell

This week I introduced a 2012 R2 Read Only Domain Controller (RODC) into our domain, and I already have a couple of PowerShell scripts in mind that I want to write in order to help manage this DC.

That said, I thought it would be a good idea to be able to identify the RODCs in our domain via PowerShell as a first step, as it’s likely we are going to add more RODCs at some of our other remote sites.

Let me start by making it clear that I’m no PowerShell guru, so I’m sure there may be better ways of achieving this. In fact, every time I use PowerShell I find new and more efficient methods of achieving things.

So, here is how my thought process went:

1 – I thought I’d take a look at the modules available by typing: get-module -listavailable

(Screenshot: get-module -listavailable output)

Looking through the displayed list, it looked like I was probably going to find what I needed in the ActiveDirectory module.

2 – I then took a look at the available commands within that module to see if there were any RODC-specific ones. I did this by typing: get-command -module ActiveDirectory

(Screenshot: get-command -module ActiveDirectory output)

Well, I didn’t really see anything specific to what I was looking for; however, I did see a couple of commands that look specific to RODCs and may come in useful later, namely Add-ADDomainControllerPasswordReplicationPolicy and Get-ADDomainControllerPasswordReplicationPolicy.

Well, an RODC is a domain controller, so let’s take a look at the Get-ADDomainController cmdlet…

3 – I started off by looking at the help for this cmdlet using: help get-addomaincontroller -full

Reading the help did not show me any RODC-specific parameters; however, it did have a -Filter parameter that I thought could come in handy.

4 – I now knew that I was probably going to use the Get-ADDomainController cmdlet with the -Filter parameter. So, to see if I could find anything relevant to filter on, I looked at the attributes of my RODC in Active Directory Users and Computers:

(Screenshot: RODC attributes in Active Directory Users and Computers)

Well, maybe I missed it, but I couldn’t see any obviously relevant attribute that would identify an RODC and could be used in a filter. (Actually, I did notice the msDS-RevealedUsers attribute, but I really wanted something very specific.)

I was determined not to ‘Google’ this, so on to my next step…

5 – I piped Get-ADDomainController to Get-Member to see if that revealed anything useful and…

(Screenshot: Get-Member output showing the IsReadOnly property)

Bingo! We have hit the jackpot! An ‘IsReadOnly’ property.

6 – Now to try this out in a filter. I tried the following command: Get-ADDomainController -filter {isreadonly -eq $true}

(Screenshot: Get-ADDomainController -filter {isreadonly -eq $true} output)

And we have success!

As mentioned above, I’m no expert and there may be a much more obvious method of achieving the same thing, but this was my ‘non-Google’ thought process.

I then started playing around with this property to query a specific DC and discover whether it is an RODC, by running this command: (Get-ADDomainController -Identity chirodc3brin).isreadonly. This returns True or False and opens up a few more scripting possibilities. Brilliant!

(Screenshot: the IsReadOnly property returning True or False)
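Building on the IsReadOnly filter and the Get-ADDomainControllerPasswordReplicationPolicy cmdlet spotted in step 2, here is an added example (my own code, not from the original post) that inventories every RODC in the forest and lists which accounts each one is allowed to cache credentials for, plus a function that wraps the single-DC True/False check. It assumes the RSAT ActiveDirectory module and read rights to each domain; the name ‘RODC01’ is a placeholder.

```powershell
# Added example, not part of the original post.
# Assumes the ActiveDirectory (RSAT) module and rights to read each domain.
Import-Module ActiveDirectory

function Get-RodcInventory {
    [CmdletBinding()]
    param(
        # Defaults to every domain in the current forest
        [string[]]$Domain = (Get-ADForest).Domains
    )
    foreach ($d in $Domain) {
        # The IsReadOnly property surfaced by Get-Member is what the filter keys on
        $rodcs = Get-ADDomainController -Server $d -Filter { IsReadOnly -eq $true }
        foreach ($rodc in $rodcs) {
            # The Allowed list is the set of principals whose secrets this RODC may
            # cache locally; review it, since anything cached is exposed if the
            # RODC itself is compromised at the remote site.
            $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Domain      = $d
                HostName    = $rodc.HostName
                Site        = $rodc.Site
                IPv4Address = $rodc.IPv4Address
                OSVersion   = $rodc.OperatingSystem
                AllowedPrp  = ($allowed | ForEach-Object Name) -join ', '
            }
        }
    }
}

function Test-IsRodc {
    param([Parameter(Mandatory)][string]$Identity)
    try {
        # Same property as (Get-ADDomainController -Identity ...).IsReadOnly in the post
        return [bool](Get-ADDomainController -Identity $Identity -ErrorAction Stop).IsReadOnly
    } catch {
        # Unknown DC is reported as $null rather than silently treated as "not an RODC"
        Write-Warning "Could not resolve domain controller '$Identity': $_"
        return $null
    }
}

# Usage (the DC name below is a placeholder)
Get-RodcInventory | Format-Table -AutoSize
Test-IsRodc -Identity 'RODC01'
```

Running Get-RodcInventory on a schedule and diffing the AllowedPrp column is a simple way to notice when a privileged account quietly gets added to an RODC’s cache policy.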
