If you want to know one method of finding your RODCs using PowerShell then you will want to read this.

TL;DR: Get-ADDomainController -filter {isreadonly -eq $true}

This week I introduced a 2012R2 Read Only Domain Controller (RODC) into our domain and I already have a couple of PowerShell scripts in mind that I want to write in order to help manage this DC.

That said, I thought it would be a good idea to be able to identify the RODCs in our domain via PowerShell as a first step, as it’s likely we are going to add more RODCs at some of our other remote sites.

So, here is how my thought process went:


I thought I’d take a look at modules available by typing:

get-module -listavailable


Looking through the displayed list, it looked like I was probably going to find what I needed in the ActiveDirectory module.


I then took a look at the available commands within that module to see if there were any specific RODC ones available. I did this by typing:

get-command -module ActiveDirectory


Well, I didn’t really see anything specific to what I was looking for, however I did see a couple of commands that may come in useful later that look specific to RODCs – namely Add-ADDomainControllerPasswordReplicationPolicy and Get-ADDomainControllerPasswordReplicationPolicy.

Well, an RODC is a domain controller, so let’s take a look at the Get-ADDomainController cmdlet…


I started off by looking at the help for this cmdlet using:

help get-addomaincontroller -full

Reading the help file did not show me any specific RODC parameters, however, it did have a -filter parameter that I thought could come in handy.


I now knew that I was probably going to use the Get-ADDomainController cmdlet with the filter parameter. So to see if I could find anything relevant to filter on, I looked at the attributes of my RODC in Active Directory Users and Computers:


Well – maybe I missed it but I couldn’t see anything overly relevant that would identify an RODC that could be used in a filter. (Actually, I did notice the msDS-RevealedUsers attribute but I really wanted something very specific.)

I was determined not to ‘Google’ this, so for my next step…


I piped Get-ADDomainController to Get-Member to see if that revealed anything useful and…


Bingo! We have hit the jackpot! An ‘IsReadOnly’ property.


Now to try this out in a filter. I tried the following command: Get-ADDomainController -filter {isreadonly -eq $true}


And we have success!

As mentioned above, I’m no expert and there may be a much more obvious method of achieving the same thing, but, this was my ‘non-google’ thought process.

I then started playing around with this property to query a specific DC to discover if it is an RODC by running this command:

(Get-ADDomainController -Identity servername).isreadonly

which returns true or false and opens up a few more scripting possibilities. Brilliant!
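Putting the pieces from the steps above together, here is an added example script (not code from the original post) that inventories every RODC in the current domain using the IsReadOnly filter, wraps the single-DC check in a function, and also reads each RODC’s Password Replication Policy with the Get-ADDomainControllerPasswordReplicationPolicy cmdlet spotted earlier. It assumes the ActiveDirectory module (RSAT) is installed and the session runs as an account that can read domain controller objects; the function names Get-RodcInventory and Test-IsRodc and the server name 'RODC01' are placeholders of my own.

```powershell
# Added example, not from the original post.
# Assumes the ActiveDirectory module is available and the caller can read DC objects.
# 'RODC01' is a placeholder server name.

Import-Module ActiveDirectory

function Get-RodcInventory {
    # Returns one object per RODC: host, site, OS, and its PRP allow/deny lists.
    [CmdletBinding()]
    param()

    # IsReadOnly is the property exposed by Get-ADDomainController that marks an RODC.
    Get-ADDomainController -Filter { IsReadOnly -eq $true } | ForEach-Object {
        $rodc = $_

        # Password Replication Policy: 'Allowed' principals may have their secrets cached
        # on this RODC, 'Denied' principals never are. Reviewing these lists matters
        # because only cached credentials are exposed if the RODC itself is compromised.
        $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc.HostName -Allowed
        $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc.HostName -Denied

        [PSCustomObject]@{
            HostName        = $rodc.HostName
            Site            = $rodc.Site
            OperatingSystem = $rodc.OperatingSystem
            IPv4Address     = $rodc.IPv4Address
            AllowedToCache  = ($allowed | Select-Object -ExpandProperty Name) -join ', '
            DeniedFromCache = ($denied  | Select-Object -ExpandProperty Name) -join ', '
        }
    }
}

function Test-IsRodc {
    # Returns $true when the named DC is read-only, $false otherwise.
    # Get-ADDomainController throws if the identity cannot be resolved.
    param(
        [Parameter(Mandatory)][string]$Name
    )
    return [bool](Get-ADDomainController -Identity $Name).IsReadOnly
}

# Usage (placeholder server name):
Get-RodcInventory | Format-Table -AutoSize
Test-IsRodc -Name 'RODC01'
```

The inventory function is the one worth scheduling: a change to an RODC’s Allowed list quietly widens the set of credentials a branch-office box holds, so comparing its output over time is a cheap way to catch that.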

