Discovery
Discover domain NetBIOS name:
PS > ([ADSI]"LDAP://megacorp.local").dc
PS > $DomainName = (Get-ADDomain).DNSRoot
PS > (Get-ADDomain -Server $DomainName).NetBIOSName
Discover DCs' FQDNs (the LDAP filter matches computer objects with the SERVER_TRUST_ACCOUNT bit, 8192, set in userAccountControl):
PS > nslookup -type=all _ldap._tcp.dc._msdcs.$env:userdnsdomain
PS > $ldapFilter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
PS > $searcher = [ADSISearcher]$ldapFilter
PS > $searcher.FindAll()
PS > $searcher.FindAll() | ForEach-Object { $_.GetDirectoryEntry() }
Or, as a one-liner:
PS > ([ADSISearcher]"(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))").FindAll() | ForEach-Object { $_.GetDirectoryEntry() }
PS > [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().DomainControllers.Name
Cmd > nltest /dsgetdc:megacorp.local
PS > $DomainName = (Get-ADDomain).DNSRoot
PS > $AllDCs = Get-ADDomainController -Filter * -Server $DomainName | Select-Object HostName,IPv4Address,IsGlobalCatalog,Site,Forest,OperatingSystem
PS > $AllDCs = (Get-ADForest).GlobalCatalogs
PV3 > Get-DomainController | Select Name,IPAddress
Discover global catalog:
PS > Get-ADDomainController -Discover -Service "GlobalCatalog"
Discover MS Exchange servers' FQDN names:
PS > Discover-PSMSExchangeServers | Select ServerName,Description | Tee-Object exch.txt
Discover MS SQL servers' FQDN names:
PS > setspn -T megacorp.local -Q MSSQLSvc/*
PS > Discover-PSMSSQLServers | Select ServerName,Description | Tee-Object mssql.txt

DC IPs

Ask _ldap._tcp.dc._msdcs:
$ nslookup -type=srv _ldap._tcp.dc._msdcs.megacorp.local
$ dig -t srv _ldap._tcp.dc._msdcs.megacorp.local
Or query one of the DCs directly for the forest/domain FQDN to get the corresponding DC IP addresses:
$ dig @192.168.1.11 megacorp.local
$ dig @192.168.1.11 child.megacorp.local
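The two DC sources above (the userAccountControl bit filter in the Discovery section and the _ldap._tcp.dc._msdcs SRV records here) should name the same hosts. The function below, an added example that is not part of the original notes, queries both and flags any host present in only one of them (stale SRV record, demoted DC, or a computer object carrying the DC bit that never registered in DNS). The function name is a placeholder; `megacorp.local` is the page's sample domain.

```powershell
# Added example: cross-check the DC inventory from LDAP against the DNS SRV records.
function Compare-DcSources {
    param(
        [string]$Domain = $env:USERDNSDOMAIN   # e.g. megacorp.local
    )

    # Source 1: LDAP. 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND;
    # 8192 (0x2000) is SERVER_TRUST_ACCOUNT, set on domain controller computer objects.
    $filter   = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
    $searcher = [ADSISearcher]$filter
    [void]$searcher.PropertiesToLoad.Add("dnshostname")
    $ldapDCs = @($searcher.FindAll() |
        ForEach-Object { ([string]$_.Properties["dnshostname"][0]).ToLower().TrimEnd('.') } |
        Sort-Object -Unique)

    # Source 2: DNS. Every DC registers an SRV record under _ldap._tcp.dc._msdcs.<domain>.
    # Resolve-DnsName also returns the targets' A records, so keep only the SRV entries.
    $srvName = "_ldap._tcp.dc._msdcs.$Domain"
    $dnsDCs  = @(Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { $_.NameTarget.ToLower().TrimEnd('.') } |
        Sort-Object -Unique)

    # One row per host, saying where it was seen.
    $all = @($ldapDCs + $dnsDCs) | Sort-Object -Unique
    foreach ($name in $all) {
        [pscustomobject]@{
            Host   = $name
            InLDAP = $ldapDCs -contains $name
            InDNS  = $dnsDCs  -contains $name
        }
    }
}

# Usage: show only the hosts that are missing from one of the two sources.
Compare-DcSources -Domain 'megacorp.local' | Where-Object { -not ($_.InLDAP -and $_.InDNS) }
```

Run it from a domain-joined host that can reach a DC over LDAP and resolve the domain's DNS zone; an empty result means the two inventories agree.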

Subnets

$ cme ldap 192.168.11.1 -d megacorp.local -u snovvcrash -p 'Passw0rd!' -M subnets