Evening Folks,
edited for clarity
I have to get the Domain Controller GUID for a Certificate Request. I have a script that is provided by our CA that will generate the request and pull the GUID. What I don't understand is why their command produces a different GUID result from mine.
Their command:

```powershell
([guid]((([directoryservices.directorysearcher] "(distinguishedname=$DistinguishedName)").findall())[0].properties.getenumerator() | ? { $_.name -eq "objectguid"}).value[0]).ToString('N')
```

My command:

```powershell
Get-ADDomainController | Select ServerObjectGuid
```
They both provide a GUID that can be translated back to the Domain Controller, but which one is the "right" one?
CodePudding user response:
The ServerObjectGuid returned by Get-ADDomainController is a completely different GUID from the Domain Controller's computer object ObjectGuid: the ServerObjectGuid is the GUID of the object that contains the NTDS Settings, in the Configuration partition of that Domain Controller (these are different objects in Active Directory and of a different object class, hence different GUIDs).
```powershell
$dc = Get-ADDomainController myDC
(Get-ADObject $dc.ServerObjectDN).ObjectGuid -eq $dc.ServerObjectGuid # True
```
If you're looking to compare apples to apples, I would do:
- Using Active Directory Module

```powershell
$dn = 'CN=myDC,OU=Domain Controllers,DC=domain,DC=com'
(Get-ADObject -Filter "distinguishedName -eq '$dn'").ObjectGuid
```

- Using DirectorySearcher

```powershell
$dn = 'CN=myDC,OU=Domain Controllers,DC=domain,DC=com'
[guid]::new(([adsisearcher] "(distinguishedName=$dn)").FindOne().Properties['objectGuid'][0])
```
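As an added example (not part of the answer above), the following function pulls both GUIDs for one DC side by side: the computer object's objectGUID via the AD module and via `[adsisearcher]` (which should agree), and the server object's GUID behind `ServerObjectGuid` (which should not). It assumes the RSAT ActiveDirectory module on a domain-joined host; `Get-DcGuidReport` and the `myDC` name are placeholders.

```powershell
# Added example: compare the two GUIDs the question confuses, for a single DC.
# Assumes the ActiveDirectory module is installed and the host is domain-joined.
function Get-DcGuidReport {
    param([Parameter(Mandatory)][string]$DcName)   # e.g. 'myDC' (placeholder name)

    $dc = Get-ADDomainController -Identity $DcName

    # Computer object in the domain partition (OU=Domain Controllers), via the AD module.
    $computerObj = Get-ADObject -Identity $dc.ComputerObjectDN -Properties objectGUID

    # Same object via DirectorySearcher: objectGuid comes back as a 16-byte array,
    # and [guid]::new(byte[]) decodes it in the same byte order the AD module uses.
    $searcher = [adsisearcher] "(distinguishedName=$($dc.ComputerObjectDN))"
    $adsiGuid = [guid]::new($searcher.FindOne().Properties['objectGuid'][0])

    # Server object in the Configuration partition (the parent of NTDS Settings);
    # this is the object whose GUID Get-ADDomainController reports as ServerObjectGuid.
    $serverObj = Get-ADObject -Identity $dc.ServerObjectDN -Properties objectGUID

    [pscustomobject]@{
        DcName                = $dc.HostName
        ComputerObjectDN      = $dc.ComputerObjectDN
        ComputerGuid_ADModule = $computerObj.ObjectGuid
        ComputerGuid_Adsi     = $adsiGuid
        ComputerGuidsMatch    = ($computerObj.ObjectGuid -eq $adsiGuid)          # True
        ServerObjectDN        = $dc.ServerObjectDN
        ServerObjectGuid      = $dc.ServerObjectGuid
        ServerGuidMatchesObj  = ($serverObj.ObjectGuid -eq $dc.ServerObjectGuid) # True
        ServerEqualsComputer  = ($dc.ServerObjectGuid -eq $computerObj.ObjectGuid) # False
        # 32 hex digits without hyphens: the 'N' form the CA script emits.
        ComputerGuidForCA     = $computerObj.ObjectGuid.ToString('N')
    }
}

Get-DcGuidReport -DcName 'myDC' | Format-List
```

Feed `ComputerGuidForCA` to the request if the CA expects the computer object's GUID, since that is what the CA's own command resolves from the distinguished name.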
