Powershell - How to find your read-only Domain Controllers (RODC)

TL;DR: Get-ADDomainController -filter {isreadonly -eq $true}

This week I introduced a 2012R2 Read Only Domain Controller (RODC) into our domain and I already have a couple of Powershell scripts in mind that I want to write in order to help manage this DC.

That said, I thought it would be a good idea to be able to identify the RODCs in our domain via Powershell as a first step, as it’s likely we are going to add more RODCs at some of our other remote sites.

So, here is how my thought process went:

1. I thought I’d take a look at the modules available by typing: get-module -listavailable

Looking through the displayed list, it looked like I was probably going to find what I needed in the ActiveDirectory module.

2. I then took a look at the available commands within that module to see if there were any specific RODC ones available. I did this by typing: get-command -module ActiveDirectory

Well, I didn’t really see anything specific to what I was looking for, however I did see a couple of commands that may come in useful later and that look specific to RODCs, namely Add-ADDomainControllerPasswordReplicationPolicy and Get-ADDomainControllerPasswordReplicationPolicy.

Well, an RODC is a domain controller, so let’s take a look at the Get-ADDomainController cmdlet…

3. I started off by looking at the help for this cmdlet using: help get-addomaincontroller -full

Reading the help file did not show me any specific RODC parameters, however, it did have a -filter parameter that I thought could come in handy.

4. I now knew that I was probably going to use the Get-ADDomainController cmdlet with the filter parameter. So to see if I could find anything relevant to filter on, I looked at the attributes of my RODC in Active Directory Users and Computers:

Well, maybe I missed it, but I couldn’t see anything overly relevant that would identify an RODC and that could be used in a filter. (Actually, I did notice the msDS-RevealedUsers attribute, but I really wanted something very specific.)

I was determined not to ‘Google’ this, so for my next step….

5. I piped Get-ADDomainController to Get-Member to see if that revealed anything useful and…

Bingo! We have hit the jackpot! An ‘IsReadOnly’ property.

6. Now to try this out in a filter. I tried the following command: Get-ADDomainController -filter {isreadonly -eq $true}

And we have success!

As mentioned above, I’m no expert and there may be a much more obvious method of achieving the same thing, but, this was my ‘non-google’ thought process.

I then started playing around with this property to query a specific DC to discover if it is an RODC by running this command: (Get-ADDomainController -Identity servername).isreadonly which returns true or false and opens up a few more scripting possibilities. Brilliant!
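Pulling the steps above together, here is an added example script (mine, not part of the original post) that builds a small RODC inventory for the domain and, for each RODC, reports which principals its Password Replication Policy allows or denies from having credentials cached on it. That is usually the first thing you want to review after placing an RODC at a remote site. It uses only the cmdlets and properties mentioned in the post (Get-ADDomainController with -Filter and -Identity, the IsReadOnly property, and Get-ADDomainControllerPasswordReplicationPolicy); the HostName, Site, IPv4Address and OperatingSystem properties are standard members of the object Get-ADDomainController returns. It assumes the ActiveDirectory module (RSAT) is installed and that it runs as a domain user who can read DC objects. The function names Get-RodcInventory and Test-IsRodc are my own.

```powershell
# Added example, not from the original post: inventory the RODCs in the
# current domain and show each one's Password Replication Policy (PRP).
Import-Module ActiveDirectory

function Get-RodcInventory {
    # The same filter the post arrives at: IsReadOnly is a property
    # exposed by Get-ADDomainController, so it can be used with -Filter.
    $rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }

    foreach ($dc in $rodcs) {
        # -Allowed and -Denied are real switches of
        # Get-ADDomainControllerPasswordReplicationPolicy; each call returns the
        # principals (users/groups) in that half of the RODC's PRP.
        $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $dc.HostName -Allowed
        $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $dc.HostName -Denied

        [pscustomobject]@{
            HostName              = $dc.HostName
            Site                  = $dc.Site
            IPv4Address           = $dc.IPv4Address
            OperatingSystem       = $dc.OperatingSystem
            AllowedToCache        = ($allowed | Select-Object -ExpandProperty Name) -join '; '
            DeniedFromCaching     = ($denied  | Select-Object -ExpandProperty Name) -join '; '
        }
    }
}

function Test-IsRodc {
    # Same check as the post's one-liner, (Get-ADDomainController -Identity x).IsReadOnly,
    # but it does not blow up the calling script when the name does not resolve.
    param([Parameter(Mandatory)][string]$Name)

    try {
        $dc = Get-ADDomainController -Identity $Name -ErrorAction Stop
        return [bool]$dc.IsReadOnly
    }
    catch {
        Write-Warning "Could not look up domain controller '$Name': $($_.Exception.Message)"
        return $null   # unknown, rather than a misleading $false
    }
}

# Usage: list the RODCs with their PRP, then check one DC by name.
Get-RodcInventory | Format-Table -AutoSize
Test-IsRodc -Name 'servername'   # placeholder host name, replace with a real DC
```

The AllowedToCache column is the one worth eyeballing on each run: anything beyond the default Allowed RODC Password Replication Group (or whatever your site-specific group is) means those accounts' secrets may be sitting on a DC in a less controlled location. Test-IsRodc returns $null instead of $false on a lookup failure so that a typo in a server name is not silently reported as "writable DC".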