The attached ps file will help to get the list of Domain Controller in a network, and will create a csv file in C: drive

This can be used during Network Pentesting or such other situtations.

 

See to it that you are running this PS file in a system which is in domain, however once completed will give the list of DC for that network.

This does not require any such privilege, a normal Domain user can also enumerate DC list by using the above PS script.

 

PowerShell
Edit|Remove
$getdomain = [System.Directoryservices.Activedirectory.Domain]::GetCurrentDomain() 
$getdomain | ForEach-Object {$_.DomainControllers} |  
ForEach-Object { 
  $hEntry= [System.Net.Dns]::GetHostByName($_.Name) 
  New-Object -TypeName PSObject -Property @{ 
      Name = $_.Name 
      IPAddress = $hEntry.AddressList[0].IPAddressToString 
     } 
} | Export-CSV "C:\ControllersList.csv" -NoTypeInformation -Encoding UTF8