Relevance based on Primary Domain Controller

Hello,

I’m still new to the forums. If outright asking for a solution is bad form please say so :grin:

I manage several AD forests (all Windows systems). I need to target a script to each Primary Domain Controller (PDC). What would the relevance language be for this?

On another note and for another project I’m working on, below is what I’ve used for finding all systems that are NOT a DC…

product type of operating system != nt domain controller product type

Thanks,
Joey

I think Operating system product type should be able to help.

Hi Jason,

Both of the expressions below get me what I want but I am unsure how to wrap them up into a relevance expression.

If this expression outputs 0 then the system is a PDC

string value of select "DomainRole from Win32_ComputerSystem" of wmi

If this expression outputs Primary Domain Controller then the system is a PDC

tuple string items (unique values of integer values of selects "DomainRole from Win32_ComputerSystem" of wmis) of ("Standalone Workstation, Member Workstation, Standalone Server, Member Server, Backup Domain Controller, Primary Domain Controller")

I’m obviously new to this so I think once this next step is explained I’ll be able to move forward with lots of other stuff I’m trying to do.

On a related note, I tried to duplicate the structure of the expression I posted earlier for systems that are not DCs. I figured operating system within “product type of operating system” is pulled from the wmi class win32_operatingsystem. That said, I tried to pull domain role from win32_computersystem with the expression below. It doesn’t work, clearly I’ve misunderstood this :tired_face:.

domain role of computer system = nt primary domain controller domain role

Thanks for the help,
Joey

Use the following to determine if a machine is a PDC:

Relevance 1: (fast to execute)

product type of operating system = nt domain controller product type

Relevance 2: (slightly slower, but more specific)

exists unique values whose(5 = it) of integer values of selects "DomainRole from Win32_ComputerSystem" of wmis

To put these into a single expression, you really just do this:

(product type of operating system = nt domain controller product type) AND (exists unique values whose(5 = it) of integer values of selects "DomainRole from Win32_ComputerSystem" of wmis)

jgstew,

This is great, thank you very much.

Is there any reason why I should not just use the Relevance 2 statement? If domain role = 5 it’s the PDC, done. No?

Thanks again,
Joey

WMI queries are “expensive” in relevance, meaning that they take longer, which in turn can delay the evaluation of other fixlets, analyses, etc.

By using the “cheap” query (product type of operating system = nt domain controller product type) first, all of the clients that are not domain controllers can stop evaluating before they trigger the WMI query.

You’ll often see this pattern in the order that Relevance is written: the fastest checks come first, followed by progressively more expensive checks.

In general, you’ll want to avoid using a WMI query as part of Fixlet relevance (which is constantly evaluated); but it’s more acceptable in an Analysis Property, where you can configure the property to evaluate less frequently.

1 Like

This is a case where 2 relevance statements are better than 1, as @JasonWalker points out.

It is much better to run a relevance query that is very fast to execute that will be FALSE on most clients so that they don’t continue to evaluate the next relevance statement. This is true when multiple statements are combined with AND. Combining them with OR will cause the processing to stop when the first TRUE statement is evaluated.

WMI is not always as slow as @JasonWalker suggests, but it definitely can be, depending on the query. In this case the Relevance 2 WMI query is pretty quick, so it shouldn’t cause any major issues, but it is definitely better to use them both in combination because Relevance 1 is significantly faster than Relevance 2 and Relevance 1 will be false on almost ALL endpoints, except for DCs, which are a minority.
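The same two-stage check, written as an added PowerShell example (not code from this thread or from BigFix) so you can confirm on a given endpoint what jgstew's combined expression and JasonWalker's "cheap check first" ordering would evaluate to. It reads the two WMI properties the relevance expressions use: Win32_OperatingSystem.ProductType (1 = Workstation, 2 = Domain Controller, 3 = Server, the value behind "nt domain controller product type") and Win32_ComputerSystem.DomainRole (0 through 5, with the names Joey listed earlier). The function name and output object shape are my own; note that in Active Directory the DC holding the PDC emulator role reports DomainRole 5 and every other DC reports 4, so "PDC" here means the PDC emulator, one per domain.

```powershell
# Added example, not from the original thread: two-stage PDC check mirroring the relevance
# "(product type of operating system = nt domain controller product type) AND
#  (exists unique values whose(5 = it) of integer values of selects "DomainRole from Win32_ComputerSystem" of wmis)"

# DomainRole values documented for Win32_ComputerSystem (same order as the tuple string in the thread)
$DomainRoleNames = @{
    0 = 'Standalone Workstation'
    1 = 'Member Workstation'
    2 = 'Standalone Server'
    3 = 'Member Server'
    4 = 'Backup Domain Controller'
    5 = 'Primary Domain Controller'
}

function Test-IsPrimaryDomainController {
    # Hypothetical helper name; returns one object per computer describing what each stage saw.
    [CmdletBinding()]
    param(
        # Leave empty to query the local machine without going through WinRM.
        [string]$ComputerName
    )

    $cimArgs = @{}
    if ($ComputerName) { $cimArgs['ComputerName'] = $ComputerName }
    $label = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }

    # Stage 1 (cheap): Win32_OperatingSystem.ProductType. 2 means domain controller.
    # Every non-DC returns here, so the second query never runs on workstations or member servers.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem @cimArgs
    if ([int]$os.ProductType -ne 2) {
        return [pscustomobject]@{
            ComputerName = $label
            ProductType  = [int]$os.ProductType
            IsDC         = $false
            IsPDC        = $false
            DomainRole   = $null
            RoleName     = $null
        }
    }

    # Stage 2 (more specific): Win32_ComputerSystem.DomainRole, only reached on DCs.
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem @cimArgs
    $role = [int]$cs.DomainRole
    [pscustomobject]@{
        ComputerName = $label
        ProductType  = [int]$os.ProductType
        IsDC         = ($role -eq 4 -or $role -eq 5)   # the "4 or 5" variant: any DC
        IsPDC        = ($role -eq 5)                   # the PDC emulator only
        DomainRole   = $role
        RoleName     = $DomainRoleNames[$role]
    }
}

# Run locally; pass -ComputerName <dc-hostname> to check a remote DC over WinRM.
Test-IsPrimaryDomainController | Format-List
```

The two stages are deliberately kept as separate queries rather than one merged call so that the output shows which stage decided the result; on a member server you will see ProductType 3 and no DomainRole at all, which is exactly the short-circuit behaviour the relevance AND gives you.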

Guys,

Thanks for not only a solution but also an explanation as to why. It makes perfect sense.

Thanks again,
Joey

1 Like

This is an old discussion, but just to toss this into the ring …

(it = "4" or it = "5") of (string value of select "DomainRole from Win32_ComputerSystem" of wmi as string)

This should identify All Domain Controllers in the system (both Backup and Primary) using a single WMI call.

1 Like