
Evening Folks,

edited for clarity

I have to get the Domain Controller GUID for a Certificate Request. I have a script that is provided by our CA that will generate the request and pull the GUID. What I don't understand is why their command produces a different GUID result from mine.

Their command

([guid]((([directoryservices.directorysearcher] "(distinguishedname=$DistinguishedName)").findall())[0].properties.getenumerator() | ? { $_.name -eq "objectguid"}).value[0]).ToString('N')

my command

Get-ADDomainController | Select ServerObjectGuid

They both provide a GUID that can be translated back to the Domain Controller, but which one is the "right" one?

Fitzgery
  • The only answer here is if the computer running the script has RSAT or not. If it hasn't then the script provided to you is one way to do it. Otherwise, it's much simpler to just use the AD Module as you're doing. – Santiago Squarzon Oct 29 '22 at 01:24
  • The computer has RSAT tools. What I don't get though is why one provides a different GUID than the other. Shouldn't it be the same? That's the point of the GUID (unless I'm understanding incorrectly). – Fitzgery Oct 29 '22 at 01:40
  • Is it a completely different GUID, or does it have the same hex pairs in a different order? See this question for a potential explanation… https://stackoverflow.com/questions/38446421/why-does-php-use-objectguid-in-different-order-than-active-directory – mclayton Oct 29 '22 at 06:50

1 Answer


The ServerObjectGuid returned by Get-ADDomainController is a completely different GUID from the Domain Controller's computer object ObjectGuid. The ServerObjectGuid is the GUID of the object that contains the NTDS Settings in the Configuration partition for that Domain Controller. These are different objects in Active Directory, of a different object class, hence the different GUIDs.

$dc = Get-ADDomainController myDC
(Get-ADObject $dc.ServerObjectDN).ObjectGuid -eq $dc.ServerObjectGuid # True

If you're looking to compare apples to apples, I would do:

$dn = 'CN=myDC,OU=Domain Controllers,DC=domain,DC=com'
(Get-ADObject -Filter "distinguishedName -eq '$dn'").ObjectGuid
$dn = 'CN=myDC,OU=Domain Controllers,DC=domain,DC=com'
[guid]::new(([adsisearcher] "(distinguishedName=$dn)").FindOne().Properties['objectGuid'][0])
Santiago Squarzon
  • I'll give this a look see. Idk why they can't just put the same `objectguid` under the `get-addomaincontroller` properties but I appreciate the assistance in clarifying! – Fitzgery Oct 29 '22 at 16:19
  • Hah, I can't take any credit - I was barking up a different tree. I was guessing it might be the same binary GUID just serialised into a string in a different order by 2 different tools, which is what the question I linked to was suggesting for its scenario… :-). – mclayton Oct 29 '22 at 18:37
  • @mclayton fair enough, I misread your comment and also clarified what that GUID actually is. – Santiago Squarzon Oct 29 '22 at 18:59
  • @Fitzgery hope my update clarifies what that GUID from `Get-ADDomainController` actually is – Santiago Squarzon Oct 29 '22 at 19:03
  • @SantiagoSquarzon It does clear it up and once again, I appreciate the assistance as always! – Fitzgery Oct 30 '22 at 01:44
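The following is an added example (not code from the answer above or from the CA's script) that pulls both GUIDs for a single DC so you can see which directory object each one identifies before putting a value into a certificate request, and shows why the raw `objectGUID` bytes render with hex pairs in a different order than the canonical GUID string, the possibility raised in mclayton's comment. It assumes the ActiveDirectory module is installed and that `$DcName` is a hypothetical DC name you supply; the byte array in the second part is constructed and is not any real object's GUID.

```powershell
# Added example: resolve the two GUIDs that belong to one Domain Controller.
# Assumes the ActiveDirectory module (RSAT) and a DC name you supply.
function Get-DcGuidPair {
    param([Parameter(Mandatory)][string]$DcName)

    $dc = Get-ADDomainController -Identity $DcName

    # GUID of the DC's computer object in the domain partition.
    # This is the object the CA script's DN-based search reads.
    $computerGuid = (Get-ADObject -Identity $dc.ComputerObjectDN).ObjectGuid

    # GUID of the NTDS "server" object in the Configuration partition.
    # This is what Get-ADDomainController exposes as ServerObjectGuid.
    $serverGuid = (Get-ADObject -Identity $dc.ServerObjectDN).ObjectGuid

    [pscustomobject]@{
        DomainController   = $dc.HostName
        ComputerObjectDN   = $dc.ComputerObjectDN
        ComputerObjectGuid = $computerGuid.ToString('N')
        ServerObjectDN     = $dc.ServerObjectDN
        ServerObjectGuid   = $serverGuid.ToString('N')
        # Compares the cmdlet's ServerObjectGuid with the NTDS object's own GUID.
        CmdletMatchesNtds  = ($serverGuid -eq $dc.ServerObjectGuid)
        # Compares the computer object GUID with the NTDS object GUID.
        ObjectsDiffer      = ($computerGuid -ne $serverGuid)
    }
}

# objectGUID is stored as 16 raw bytes. [guid] treats the first three fields
# as little-endian, so dumping the bytes in storage order yields the same hex
# pairs in a different sequence than the canonical GUID string. The LDAP
# filter form (escaped bytes in storage order) is shown for comparison.
function Show-GuidByteOrder {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $guid = [guid]::new($Bytes)
    [pscustomobject]@{
        RawBytesHex    = ($Bytes | ForEach-Object { $_.ToString('x2') }) -join ''
        CanonicalGuid  = $guid.ToString('N')
        LdapFilterForm = ($Bytes | ForEach-Object { '\' + $_.ToString('x2') }) -join ''
    }
}

# Constructed sample bytes (not a real object's GUID) to illustrate the reordering.
$sample = [byte[]](0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10)
Show-GuidByteOrder -Bytes $sample

# Usage against a real DC (replace with your own DC name):
# Get-DcGuidPair -DcName 'myDC'
```

If the CA expects the computer object's GUID, use the ComputerObjectGuid value; if two tools show the same hex pairs in a different order, that is a byte-order rendering difference, not a different object.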