Domain Controllers / AD?

Thread Starter

Mathematics!

Joined Jul 21, 2008
I am wondering, from a client computer, is there any way that one can
find out which computers/IP addresses on the network are domain controllers
and which are just client computers?

I know I can check by OS fingerprinting to find out the OS, but that doesn't imply it is a DC if it is an MS server OS, and checking that the AD service port is open gives me a good sign that it is, but doesn't tell me if it is a primary or something else.

But I was wondering if there was an easier way or a standard way to check if a computer is a DC on the domain.

And a way to find all the DCs on the network and which ones are primary and so forth.
As well as what domains the found DC controls, i.e. just one or many subnets / domains / etc.

Anybody know?
Please note this is not specific to a certain computer, so NETDOM may not exist if it's Linux, or if it is a Windows client, Mac, etc.

Thread Starter

Mathematics!

Maybe they don't exist because MS does not want anybody but the PDC operators / admins to
have this ability through their Domain Master Browsers, and the ability in general to find servers that hold all the security to stuff. (Wonder what would happen if you DoS attacked all the DCs, hmmm, not that I would want to ruin anybody's day.)

Hell, even the more general DNS zone transfer is restricted most of the time, and the domain stuff would be just a subset of the zone file :)
(Mostly looking for CNAMEs and A (IPv6 AAAA) names, or maybe DN name entries, though if you could, then do some port scanning.)
Either way I have my ways :)

And a lot of the time the broadcast computers, as well as knowing the PDC, is all you need for complete control over the domains.
As well as getting around the security protocols / ciphers :)

Of course one could always unjoin a domain when that happens and do local security :)

Learning the bounds of things is much better than doing redundant **** like the majority does.

c0de3

Joined May 1, 2009

The client finds the DC via DNS lookups. So you can get a list of all DCs on your subnet (or that service your subnet) from DNS. You could actually get all of them if you knew all the subnets.

You can also find them for your local broadcast domain via the browser. At least you could in XP. Haven't tried this with Win7.

DNS would be the best way of course, as that is how your computer knows where to go to authenticate.
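c0de3's point, that a domain member locates its DCs through DNS, worked through as an added example (editor's code, not from anyone in this thread): the SRV names the Windows DC locator queries under _msdcs, a parser for `dig +short`-style answers, RFC 2782 client ordering, and a check of which DC holds the PDC emulator role. The live lookup assumes dnspython is installed; the sample hosts in the test are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

ROLE_RECORDS = {  # SRV names the Windows DC locator resolves, per role
    "dc": "_ldap._tcp.dc._msdcs.{domain}",    # every domain controller
    "pdc": "_ldap._tcp.pdc._msdcs.{domain}",  # the single PDC emulator role holder
    "gc": "_ldap._tcp.gc._msdcs.{forest}",    # global catalog servers (forest-wide)
}

@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str

def srv_names(domain: str, forest: Optional[str] = None) -> Dict[str, str]:
    """Return the SRV name a client queries for each role in this domain/forest."""
    forest = forest or domain
    return {r: f.format(domain=domain, forest=forest) for r, f in ROLE_RECORDS.items()}

def parse_srv(lines: List[str]) -> List[Srv]:
    """Parse 'priority weight port target' lines (the `dig +short ... SRV` format)."""
    recs = []
    for line in lines:
        prio, weight, port, target = line.split()
        recs.append(Srv(int(prio), int(weight), int(port), target.rstrip(".").lower()))
    return recs

def order_srv(records: List[Srv]) -> List[Srv]:
    """Client preference per RFC 2782: lowest priority first, then highest weight."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))

def classify(dc_lines: List[str], pdc_lines: List[str]) -> Dict[str, str]:
    """Label each DC host 'pdc-emulator' or 'dc' by comparing the two record sets."""
    pdc_hosts = {r.target for r in parse_srv(pdc_lines)}
    return {r.target: "pdc-emulator" if r.target in pdc_hosts else "dc"
            for r in order_srv(parse_srv(dc_lines))}

def live_lookup(domain: str, forest: Optional[str] = None) -> Dict[str, List[Srv]]:
    """Resolve the real records with dnspython; a role that does not resolve maps to []."""
    import dns.resolver  # optional dependency, imported here so the rest runs without it
    found: Dict[str, List[Srv]] = {}
    for role, name in srv_names(domain, forest).items():
        try:
            lines = [f"{a.priority} {a.weight} {a.port} {a.target}"
                     for a in dns.resolver.resolve(name, "SRV")]
        except Exception:  # NXDOMAIN, timeout or no resolver: treat as "role not found"
            lines = []
        found[role] = order_srv(parse_srv(lines))
    return found
```

An empty list for the "pdc" or "gc" role on a real domain is itself a finding worth checking with the AD admins, since a healthy domain registers all three.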