dcdiscovery

Use the dcdiscovery utility to search and archive a list of sites and domain controllers in a Microsoft Active Directory domain. The information is saved in the dclist.txt file in the \<instance>\script\ directory. You can specify another name for this file.

The dcdiscovery utility is useful in global Active Directory domains with multiple sites and domain controllers. When users change their passwords in a domain, a sub-host plugin can use the information cached by the dcdiscovery utility to immediately set the users’ passwords in the appropriate domain controllers.

The following sub-host plugins use the information archived by dcdiscovery when configured by the Program to run to generate a list of target systems plugin point:

  • dcselect selects a domain controller based on its proximity to the user. This eliminates the latency of password propagation for the user.

  • w2kranddc makes a random selection.

Both of these sub-host plugins can also use information saved in the dc.man file that you can create and install in the \<instance>\script\ directory. The dc.man file is used to save site information not saved by dcdiscovery in dclist.txt.

The dcdiscovery program automatically generates the dclist.txt file; however, in some cases, you may need to manually create this file. For example, dcdiscovery will not work if your Active Directory does not have complete site information.

Write the dclist.txt file in the following format:

DOMAIN "<domain name>"
SITENAME "<site name>" "<site description>"
DC "<domain controller name>" "<IP address>" "<optional description>"
SITELINK "<sitelink.com>"
SUBNET "<IP address range>" "<site name>"

Where each site can have zero or more domain controllers (DC), zero or more links (SITELINK), and one or more subnets (SUBNET). For example, write the dclist.txt file as:

DOMAIN "eg.com"
SITENAME "RABU.eg.com" "Sydney Office - Sydney, Australia"
DC "arbundc0.eg.com" "172.25.130.252" ""
SITELINK "RABL.eg.com"
SITELINK "RAPL.eg.com"
SITELINK "RASA.eg.com"
SITELINK "YUMT.eg.com"
SITELINK "SUTC.eg.com"
SUBNET "172.23.204.0/23" "HTSI.eg.com"
SUBNET "165.28.173.0/24" "SUNP.eg.com"

The dc.man file allows users to specify additional domain site and domain controller information that the automatic discovery process does not or is not able to gather. It also allows users to exclude certain sites or controllers from Bravura Security Fabric operations if there is a need to do so.

Write the dc.man file in the following format:   

DOMAIN "<domain name>"   
SITE "<site name>" "<domain controller name>"   
excludeDC "<domain controller name>"   
excludeSite "<site name>"

The excludeDC and excludeSite lines are optional. If specified, programs like dsdisc will ignore the defined domain controllers and sites. A site can be excluded, for example, to prevent dcselect from automatically choosing the site based on a user’s profile or IP address information. Domain controllers that are members of an excluded site are not automatically hidden. You must use excludeDC to exclude them.

The site name defined by SITE can include the wildcards ? for any single character and * for any number of characters. Domain controllers that are to be used as default targets can be specified using the * site. Wildcards cannot be used in excludeSite definitions.

For example, write the dc.man file as:   

DOMAIN "eg.com"   
SITE "RAPL.eg.com" "arbundc0.eg.com"   
SITE "RASA.eg.com" "arbundc0.eg.com"   
SITE "RASL.eg.com" "arbundc0.eg.com"   
SITE "TAHA.eg.com" "uktcndc0.eg.com" "uktcndc1.eg.com" "uktcndc2.eg.com"   
SITE "TAVI.eg.com" "uktcndc0.eg.com" "uktcndc1.eg.com" "uktcndc2.eg.com"   
excludeDC "arbundc1.eg.com"   
excludeDC "arbundc2.eg.com"   
excludeSite "TASA.eg.com"
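
The dc.man rules above (SITE wildcards, excludeDC, and the fact that excludeSite does not hide a site's domain controllers) can be checked before the file is installed. The following Python is an added example, not part of Bravura Security Fabric. The sample file contents, the host tasadc0.eg.com, case-insensitive name matching, treating a DC line as belonging to the preceding SITENAME line, and returning the union of all matching SITE lines are assumptions made for illustration.

```python
import re
import shlex

# Constructed sample files in the formats shown above (tasadc0.eg.com is made up).
DC_MAN = '''DOMAIN "eg.com"
SITE "RA??.eg.com" "arbundc0.eg.com" "arbundc1.eg.com"
SITE "*" "uktcndc0.eg.com"
excludeDC "arbundc1.eg.com"
excludeSite "TASA.eg.com"
excludeSite "TA*.eg.com"'''
DCLIST = '''DOMAIN "eg.com"
SITENAME "TASA.eg.com" "constructed site"
DC "tasadc0.eg.com" "172.25.130.10" ""'''

def parse(text):
    # One (keyword, arguments) pair per non-empty line; shlex strips the quotes.
    rows = [shlex.split(line) for line in text.splitlines()]
    return [(r[0], r[1:]) for r in rows if r]

def site_regex(pattern):
    # SITE wildcards: ? is any single character, * is any number of characters.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(body, re.IGNORECASE)  # assumption: names match case-insensitively

def load_dc_man(text):
    man = {"SITE": [], "excludeDC": set(), "excludeSite": set()}
    for kw, args in parse(text):
        if kw == "SITE":
            man["SITE"].append((args[0], args[1:]))
        elif kw in ("excludeDC", "excludeSite"):
            man[kw].add(args[0].lower())
    return man

def candidates(man, site):
    # Assumption: union of every matching SITE line, in file order, minus excludeDC.
    out = []
    for pattern, dcs in man["SITE"]:
        if site_regex(pattern).fullmatch(site):
            out += [d for d in dcs if d.lower() not in man["excludeDC"] and d not in out]
    return out

def lint(man, dclist_text):
    # Wildcards are not allowed in excludeSite; excluded sites do not hide their DCs.
    findings = [f"excludeSite {s} uses a wildcard" for s in sorted(man["excludeSite"]) if set(s) & set("*?")]
    current = None  # assumption: a DC line belongs to the preceding SITENAME line
    for kw, args in parse(dclist_text):
        if kw == "SITENAME":
            current = args[0].lower()
        elif kw == "DC" and current in man["excludeSite"] and args[0].lower() not in man["excludeDC"]:
            findings.append(f"{args[0]} is in excluded site {current} but has no excludeDC line")
    return findings
```
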

Requirements

The administrative account for the Active Directory domain must be able to enumerate domain controllers in the domain.

Usage

Bravura Security Fabric uses the credentials configured for the target ID to retrieve information about sites and domain controllers:

dcdiscovery.exe -t <target ID> -f <filename>

If the credentials configured for the target ID are insufficient to retrieve information about sites and domain controllers, then a different user ID and password can be specified:

dcdiscovery.exe -s <domain> -u <user> -p <password> -f <filename>

Argument         Description

-f <filename>    The name of the output file generated by the program. By convention, this file is called dclist.txt.

-s <domain>      The domain name of the Active Directory domain to search.

-t <targetID>    The target ID of the Active Directory domain to search. If this argument is used, then the -s, -u and -p options are not required.

-u <user>        The user ID of an administrative account in the Active Directory domain.

-p <password>    The password of the user specified by the -u option.

Examples

  1. To search a domain, by using arguments "-s", "-u" and "-p", type on one line:

    dcdiscovery.exe -s domain1 -u administrator1 -p adminpw -f dclist.txt

  2. To search an Active Directory target system defined in Bravura Security Fabric, type on one line:

    dcdiscovery.exe -t W2KDOM -f dclist.txt