Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to query the Active Directory configuration context to return DHCP servers.
Microsoft Scripting Guy, Ed Wilson, is here. One of the cool things about Windows Server 2012 and Windows 8 is the numerous cmdlets and functions available. After installing the Remote Server Admin Tools (RSAT) on Windows 8, all the administrator Windows PowerShell modules become available. Therefore, in addition to just having DHCP client cmdlets and functions, I also have the DHCP server cmdlets and functions available as well.
First find the AD DS location for DHCP servers
Ok, so the first thing I need to do is to figure out where DHCP servers reside in Active Directory Domain Services (AD DS). I knew they were not in the default naming context, so I figured they would be in the configuration naming context. The tool I use when looking around at AD DS is ADSI Edit. As it turned out, it was rather obvious. I am looking for a service, and the service is Networking. Here is a screenshot of ADSI Edit illustrating this container.
Query AD DS for authorized DHCP servers
Now that I know where the DHCP servers reside in the AD DS infrastructure, I can easily query for them. To do this, I use the Get-ADOObject cmdlet from the ActiveDirectory module that becomes available on my computer running Windows 8 after I have Remote Server Administration Tools (RSAT) installed. Because I am using Windows PowerShell 3.0, I do not need to first import the ActiveDirectory module. It loads automatically upon first use of the cmdlet. But, if I know I am going to use it, then I generally go ahead and load the module. Here is the command:
Import-Module ActiveDirectory
Now I need to query the configuration naming context. To do this, I use the –SearchBase parameter of the Get-ADOObject cmdlet. Here is the parameter I use:
-SearchBase "cn=configuration,dc=iammred,dc=net"
If I only use the Get-ADOObject cmdlet with the configuration search base, it returns a lot of information. This is definitely a place where my Filter Left edict should firmly be in place. Now, I can write a LDAP Dialect query just as well as the next Microsoft Scripting Guy, but hey, using the plain old –Filter parameter works just as well and is easier to understand. When I looked up the location of DHCP servers in Active Directory via ADSI Edit, I did not just find the container and leave it at that. No, I also paid attention to the value under the Classcolumn because it informs me the appropriate value to use in my filter for the ObjectClass attribute. In this case, once again, it makes sense; I need the DHCPClass class of objects. Here is that part of the query:
-Filter "objectclass -eq 'dhcpclass'
Now, I also know that I am not interested in the DHCPRoot container because it does not contain names of DHCP servers. Therefore, I add an exclusion to my filter by using the –AND operator. Here is the exclusion to filter out the DHCPRoot container.
-AND Name -ne 'dhcproot'"
The complete filter I use for the –Filter parameter appears here.
-Filter "objectclass -eq 'dhcpclass' -AND Name -ne 'dhcproot'"
That is it. The entire Get-ADObject command appears here (this is a single line that wraps in the blog. I have not added any line continuation characters to the command).
Get-ADObject -SearchBase "cn=configuration,dc=iammred,dc=net" -Filter "objectclass -eq 'dhcpclass' -AND Name -ne 'dhcproot'"
On my computer, when I run the command, the following appears.
14:42 C:\> Get-ADObject -SearchBase "cn=configuration,dc=iammred,dc=net" -Filter "obj
ectclass -eq 'dhcpclass' -AND Name -ne 'dhcproot'"
DistinguishedName Name ObjectClass ObjectGUID
----------------- ---- ----------- ----------
CN=wds1.iammred.ne... wds1.iammred.net dHCPClass 0afcbc79-4268-4a8...
Once I analyze the output, I see that I am only interested in the value of the Name property. I can use the Select-Object cmdlet to return only the name property, as shown here.
15:14 C:\> Get-ADObject -SearchBase "cn=configuration,dc=iammred,dc=net" -Filter "o
ectclass -eq 'dhcpclass' -AND Name -ne 'dhcproot'" | select name
name
----
wds1.iammred.net
I can also use the group and dot techniquebecause Windows PowerShell 3.0 does the automatic foreach and will, therefore, return multiple DHCP server names here. This technique is shown here.
15:20 C:\> (Get-ADObject -SearchBase "cn=configuration,dc=iammred,dc=net" -Filter "ob
jectclass -eq 'dhcpclass' -AND Name -ne 'dhcproot'").name
wds1.iammred.net
Why is this such a big deal? Dude, take a look at what is involved in finding authorized DHCP servers via VBScript—there are many such scripts on the Internet, but here is one from the Scripting Guys Script Repository—this script is a five-star favorite!
That is all there is to querying Active Directory Domain Services for authorized DHCP servers. Join me tomorrow when I will talk about more cool Windows PowerShell stuff.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy