Why do these commands give different values for a Domain Controller GUID?


Evening Folks,

edited for clarity

I have to get the Domain Controller GUID for a Certificate Request. I have a script that is provided by our CA that will generate the request and pull the GUID. What I don't understand is why their command produces a different GUID result from mine.

Their command

([guid]((([directoryservices.directorysearcher] "(distinguishedname=$DistinguishedName)").findall())[0].properties.getenumerator() | ? { $_.name -eq "objectguid"}).value[0]).ToString('N')

My command

Get-ADDomainController | Select ServerObjectGuid

They both provide a GUID that can be translated back to the Domain Controller, but which one is the "right" one?


Solution

  • The ServerObjectGuid returned by Get-ADDomainController is a completely different GUID from the Domain Controller's computer object ObjectGuid. The ServerObjectGuid is the GUID of the object that contains the NTDS Settings, in the Configuration partition of that Domain Controller (these are different objects in Active Directory and of a different object class, hence different GUIDs).

    $dc = Get-ADDomainController myDC
    (Get-ADObject $dc.ServerObjectDN).ObjectGuid -eq $dc.ServerObjectGuid # True
    

    If you're looking to compare apples to apples, I would do:

    $dn = 'CN=myDC,OU=Domain Controllers,DC=domain,DC=com'
    (Get-ADObject -Filter "distinguishedName -eq '$dn'").ObjectGuid
    
    $dn = 'CN=myDC,OU=Domain Controllers,DC=domain,DC=com'
    [guid]::new(([adsisearcher] "(distinguishedName=$dn)").FindOne().Properties['objectGuid'][0])
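
As an added illustration of the answer above (not code from the thread), this script pulls both objects for one DC, the computer account in the domain partition and the server object in the Configuration partition, and checks that they are distinct objects of different classes whose GUIDs each resolve back to their own DN. It assumes the ActiveDirectory (RSAT) module is available and uses the placeholder hostname myDC from the answer.

```powershell
# Added example, not code from the original thread. Assumes the ActiveDirectory
# module is installed and the caller can read the domain; 'myDC' is a placeholder.
Import-Module ActiveDirectory

function Get-DcObjectGuids {
    param([Parameter(Mandatory)][string]$DcName)

    $dc = Get-ADDomainController -Identity $DcName

    # Object 1: the computer account under OU=Domain Controllers (domain partition).
    # This is what the answer's Get-ADObject / [adsisearcher] commands return for $dn.
    $computer = Get-ADObject -Identity $dc.ComputerObjectDN

    # Object 2: the server object under CN=Sites (Configuration partition),
    # the parent of the NTDS Settings object. This is what ServerObjectGuid refers to.
    $server = Get-ADObject -Identity $dc.ServerObjectDN

    [pscustomobject]@{
        DC                 = $dc.HostName
        ComputerObjectDN   = $computer.DistinguishedName
        ComputerObjectGuid = $computer.ObjectGuid.ToString('N')
        ServerObjectDN     = $server.DistinguishedName
        ServerObjectGuid   = $dc.ServerObjectGuid.ToString('N')
        # Sanity checks: two distinct objects, two classes ('computer' vs 'server'),
        # and each GUID resolves back to exactly the object it came from.
        GuidsDiffer        = $computer.ObjectGuid -ne $server.ObjectGuid
        ClassesDiffer      = $computer.ObjectClass -ne $server.ObjectClass
        RoundTripOk        = ((Get-ADObject -Identity $computer.ObjectGuid).DistinguishedName -eq $dc.ComputerObjectDN) -and
                             ((Get-ADObject -Identity $server.ObjectGuid).DistinguishedName -eq $dc.ServerObjectDN)
    }
}

Get-DcObjectGuids -DcName 'myDC' | Format-List
```

GuidsDiffer, ClassesDiffer and RoundTripOk should all be True; the value to hand to the CA is whichever object its request template actually asks for, which the DN in its search filter tells you.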