
Active Directory / Powershell - How to identify if a server, in a federated cluster, is down

This question is in the context of a service that is running on a DC server (or is accessing the DC remotely) such that the service can access Active Directory, but the service has no awareness of the Active Directory servers, how many servers there should be, what the server addresses are, etc...

Furthermore, the service must be written under the assumption that the Active Directory setup could involve a group of Federated servers.

So to illustrate the problem by way of an example -

Say I'm trying to run a very simple AD query, via Powershell v2 (or you could use Directory Services), to get all of the ADUsers:

$users = Get-ADUser

Now let's assume that the example company, Contoso, has an AD server in New York (for their NY office), and one in Seattle (for their Seattle office). Also, the service will be pointing to the DC which will be the server in the NY data center.

So for the purposes of simplicity, let's just say that $users returns two user objects with display-name attributes of:

Dan Jump
Jim Wilson

Now let's assume that the Seattle server is down so I run the query again and just get:

Dan Jump

From what I understand, AD will not return an error indicating that the Seattle server is down; it will just return the users it can find.

I know it's possible to detect deleted objects, so if I saved a list of all the users I could potentially verify that the user was deleted... but that's a bit of overhead, especially if I'm interested in more than just a list of users.

So is there a way to detect one or more AD servers, in a Federated cluster, are down before I even run my query?

You might like to read this, before you make use of any of the following. S.DS and S.DS.AD abstract a lot of what happens, but there's a lot of useful information in there and it might help you to clarify your requirements.

I'm not aware that there's a function to return DCs that are down, but the System.DirectoryServices.ActiveDirectory namespace contains the classes you need to determine domain topology. For example, the Forest class will return a collection of Domain objects (and Sites and many other useful properties). Domain will give you access to a collection of DomainController objects (as well as the Children and Parent domains and many other props and methods).

You could iterate over the domains to get all DCs and then iterate over the DCs and try a ping although this may not work in a well-secured and segmented network. You might consider trying to connect to each DC using S.DS.DirectoryEntry as that should work, from a DC, in any scenario. Of course, if your network guys have been overzealous with their locking-down, even that might not work.
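The topology walk and per-DC bind described in this answer, as an added PowerShell example (not code from the answer itself). It assumes it runs on a domain-joined machine whose account can read the forest topology; the `$report` variable and the RootDSE bind target are choices made here, not something the answer specifies. Binding to RootDSE and touching `NativeObject` forces a real LDAP bind, so a DC that is down or unreachable raises an exception instead of being silently skipped.

```powershell
# Added example: enumerate every DC in the forest via S.DS.AD and try an LDAP bind.
# Assumption: domain-joined host with read access to the forest topology.
Add-Type -AssemblyName System.DirectoryServices

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$report = @()

foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        $status = 'Up'
        $detail = ''
        try {
            # Bind to the DC's RootDSE. Reading NativeObject forces the bind,
            # which needs an LDAP response (unlike a plain ICMP ping).
            $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)/RootDSE")
            $null   = $entry.NativeObject
            $detail = $entry.Properties['dnsHostName'].Value
        } catch {
            $status = 'Down'
            $detail = $_.Exception.Message
        }
        # New-Object/-Property keeps this compatible with PowerShell v2.
        $report += New-Object PSObject -Property @{
            Domain = $domain.Name
            DC     = $dc.Name
            Site   = $dc.SiteName
            Status = $status
            Detail = $detail
        }
    }
}

$report | Select-Object Domain, DC, Site, Status, Detail | Format-Table -AutoSize

if (@($report | Where-Object { $_.Status -eq 'Down' }).Count -gt 0) {
    Write-Warning 'At least one DC did not answer an LDAP bind; query results may be incomplete.'
}
```

Run this before the user query; a `Down` row is the signal the question asks for, and the `Detail` column distinguishes a DNS failure from a refused or timed-out bind, which matters when a segmented network blocks ICMP but allows LDAP.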

This sounds like a job for the wonderful people of www.serverfault.com

I do not see how this is programmer specific? It sounds like network troubleshooting? Anyways...

IMO, it depends where your federation servers are located. Are they in the cloud? Are they virtual? If so, it's easy to detect when they go down, through simple API calls to your server platform.

Or you could try to implement a server ping mechanism, like the example on this website here:

$servers = Get-Content 'servers.txt'
foreach ($server in $servers) {
   # Ping the machine to see if it's on the network
   $results = Get-WmiObject -Query "select StatusCode from Win32_PingStatus where Address = '$server'"
   $responds = $false
   foreach ($result in $results) {
      # If the machine responds, break out of the result loop and indicate success
      if ($result.StatusCode -eq 0) {
         $responds = $true
         break
      }
   }
   if ($responds) {
      # Gather info from the server because it responds
      Write-Output "$server responds"
   } else {
      # Let the user know we couldn't connect to the server
      Write-Output "$server does not respond"
   }
}

** This assumes your servers are "pingable".

You could probably also make use of the Get-ADComputer cmdlet found on MS Technet here.

The Get-ADComputer cmdlet gets a computer or performs a search to retrieve multiple computers.

The Identity parameter specifies the Active Directory computer to retrieve. You can identify a computer by its distinguished name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. You can also set the parameter to a computer object variable, such as $ or pass a computer object through the pipeline to the Identity parameter.

To search for and retrieve more than one computer, use the Filter or LDAPFilter parameters. The Filter parameter uses the PowerShell Expression Language to write query strings for Active Directory. PowerShell Expression Language syntax provides rich type conversion support for value types received by the Filter parameter. For more information about the Filter parameter syntax, see about_ActiveDirectory_Filter. If you have existing LDAP query strings, you can use the LDAPFilter parameter.

This cmdlet retrieves a default set of computer object properties. To retrieve additional properties use the Properties parameter. For more information about the how to determine the properties for computer objects, see the Properties parameter description.
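Putting this answer's two ideas together, as an added example (not code from the answer or from Microsoft's documentation): use Get-ADComputer with an LDAPFilter to find the domain controllers instead of a hand-maintained servers.txt, ping each one, and then make a DC-pinned AD call so an outage shows up as an error rather than being masked. Assumptions: the RSAT ActiveDirectory module is installed, the caller can read AD, and ICMP may or may not be allowed. The bit-AND matching rule OID and the SERVER_TRUST_ACCOUNT flag (8192) are standard LDAP/AD values; the variable names are chosen here.

```powershell
# Added example: locate DCs with Get-ADComputer, then check ICMP and LDAP separately.
# Assumption: ActiveDirectory module present; account can read computer objects.
Import-Module ActiveDirectory

# DCs have the SERVER_TRUST_ACCOUNT bit (0x2000 = 8192) set in userAccountControl.
# 1.2.840.113556.1.4.803 is the LDAP bit-AND matching rule.
$dcs = Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=8192)' `
                      -Properties DNSHostName

$results = foreach ($dc in $dcs) {
    $name = $dc.DNSHostName
    # ICMP reachability; a $false here may just mean ping is firewalled.
    $icmp = Test-Connection -ComputerName $name -Count 1 -Quiet -ErrorAction SilentlyContinue
    $ldap = $false
    $err  = ''
    try {
        # -Server pins the call to this DC. With -ErrorAction Stop an unreachable
        # DC becomes a catchable exception instead of a silent fallback to another DC.
        $null = Get-ADRootDSE -Server $name -ErrorAction Stop
        $ldap = $true
    } catch {
        $err = $_.Exception.Message
    }
    New-Object PSObject -Property @{
        DC    = $name
        Icmp  = $icmp
        Ldap  = $ldap
        Error = $err
    }
}

$results | Select-Object DC, Icmp, Ldap, Error | Format-Table -AutoSize

$down = @($results | Where-Object { -not $_.Ldap })
if ($down.Count -gt 0) {
    $names = ($down | ForEach-Object { $_.DC }) -join ', '
    Write-Warning ("{0} DC(s) not answering LDAP: {1}" -f $down.Count, $names)
}
```

The same `-Server` pinning applies to the question's own query: `Get-ADUser -Filter * -Server <dc>` fails with an error when that DC is down, which is the "tell me before I run my query" behaviour the question is after, whereas the unpinned form quietly uses whichever DC the locator hands back.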
