Author | Scott Sutherland, 2018 NetSPI , Friedrich Weinmann (@FredWeinmann) |
Availability | Windows, Linux, macOS |
Want to see the source code for this command? Check out Find-DbaInstance on GitHub.
Want to see the Bill Of Health for this command? Check out Find-DbaInstance.
Discovers SQL Server instances across networks using multiple scanning methods
This function performs comprehensive SQL Server instance discovery across your network infrastructure using multiple detection methods. Perfect for creating complete SQL Server inventories, compliance auditing, and finding forgotten or undocumented instances that might pose security risks.
The function combines two distinct phases to systematically locate SQL Server instances:
Discovery Phase:
Compiles target lists using several methods: Active Directory SPN lookups (finds registered SQL services), SQL Instance Enumeration (same method SSMS uses for browsing), IP address range scanning (scans entire subnets), and Domain Server searches (targets all Windows servers in AD).
You can specify explicit computer lists via -ComputerName or use automated discovery via -DiscoveryType.
Scan Phase:
Tests each discovered target using multiple verification methods: Browser service queries, WMI/CIM SQL service enumeration, TCP port connectivity testing (default 1433), DNS resolution checks, ping tests, and optional SQL connection attempts.
Results include confidence levels (High/Medium/Low) based on scan success combinations.
Common DBA scenarios:
Security considerations:
The Discovery phase is non-intrusive, but the Scan phase generates network traffic and authentication attempts across your infrastructure. This creates audit logs and may trigger security monitoring systems. Some scan types require elevated privileges for WMI access or SQL connections. Always coordinate with your security team before running network-wide scans, especially in regulated environments.
Find-DbaInstance
[-Credential <PSCredential>]
[-SqlCredential <PSCredential>]
[-ScanType {TCPPort | SqlConnect | SqlService | DNSResolve | SPN | Browser | Ping | Default | All}]
[-DomainController <String>]
[-TCPPort <Int32[]>]
[-MinimumConfidence {None | Low | Medium | High}]
[-EnableException]
[<CommonParameters>]
Find-DbaInstance -ComputerName <DbaInstanceParameter[]>
[-Credential <PSCredential>]
[-SqlCredential <PSCredential>]
[-ScanType {TCPPort | SqlConnect | SqlService | DNSResolve | SPN | Browser | Ping | Default | All}]
[-DomainController <String>]
[-TCPPort <Int32[]>]
[-MinimumConfidence {None | Low | Medium | High}]
[-EnableException]
[<CommonParameters>]
Find-DbaInstance -DiscoveryType {IPRange | DomainSPN | Domain | DataSourceEnumeration | DomainServer | All}
[-Credential <PSCredential>]
[-SqlCredential <PSCredential>]
[-ScanType {TCPPort | SqlConnect | SqlService | DNSResolve | SPN | Browser | Ping | Default | All}]
[-IpAddress <String[]>]
[-DomainController <String>]
[-TCPPort <Int32[]>]
[-MinimumConfidence {None | Low | Medium | High}]
[-EnableException]
[<CommonParameters>]
PS C:\> Find-DbaInstance -DiscoveryType Domain, DataSourceEnumeration
Performs a network search for SQL Instances by:
PS C:\> Find-DbaInstance -DiscoveryType All
Performs a network search for SQL Instances, using all discovery protocols:
PS C:\> Get-ADComputer -Filter "*" | Find-DbaInstance
Scans all computers in the domain for SQL Instances, using a deep probe:
PS C:\> Get-Content .\servers.txt | Find-DbaInstance -SqlCredential $cred -ScanType Browser, SqlConnect
Reads all servers from the servers.txt file (one server per line),
then scans each of them for instances using the browser service
and finally attempts to connect to each instance found using the specified credentials.
then scans each of them for instances using the browser service and SqlService
PS C:\> Find-DbaInstance -ComputerName localhost | Get-DbaDatabase | Format-Table -Wrap
Scans localhost for instances using the browser service, traverses all instances for all databases and displays all information in a formatted table.
PS C:\> $databases = Find-DbaInstance -ComputerName localhost | Get-DbaDatabase
PS C:\> $results = $databases | Select-Object SqlInstance, Name, Status, RecoveryModel, SizeMB, Compatibility, Owner, LastFullBackup, LastDiffBackup, LastLogBackup
PS C:\> $results | Format-Table -Wrap
Scans localhost for instances using the browser service, traverses all instances for all databases and displays a subset of the important information in a formatted table.
Using this method regularly is not recommended. Use Get-DbaService or Get-DbaRegServer instead.
Specifies target computers to scan for SQL Server instances. Accepts computer names, IP addresses, or output from Get-ADComputer.
Use this when you have a specific list of servers to inventory rather than performing network-wide discovery.
Only the computer name portion is used - connection strings or SQL instance details are ignored.
Alias | |
Required | True |
Pipeline | true (ByValue) |
Default Value |
Alias | |
Required | True |
Pipeline | false |
Default Value |
The credentials to use on windows network connection.
These credentials are used for:
Alias | |
Required | False |
Pipeline | false |
Default Value |
The credentials used to connect to SqlInstances to during the scan phase.
See the '-ScanType' parameter documentation on affected scans.
Alias | |
Required | False |
Pipeline | false |
Default Value |
Controls which verification methods are used to detect and validate SQL Server instances on target computers.
Use specific scan types to optimize performance or reduce network impact - for example, use only Browser and SQLService for quick detection, or add SqlConnect for definitive verification.
Default performs all scans except SqlConnect, which requires explicit specification due to authentication overhead.
Scans:
Alias | |
Required | False |
Pipeline | false |
Default Value | Default |
Accepted Values | Default,SQLService,Browser,TCPPort,All,SPN,Ping,SqlConnect,DNSResolve |
Defines custom IP ranges to scan when using IPRange discovery instead of auto-detecting local subnets.
Use this to target specific network segments like DMZ subnets or remote locations where SQL instances might exist.
Supports multiple formats: single IPs (10.1.1.1), ranges (10.1.1.1-10.1.1.5), CIDR notation (10.1.1.1/24), or subnet masks (10.1.1.1/255.255.255.0).
Alias | |
Required | False |
Pipeline | false |
Default Value |
Specifies a specific domain controller for Active Directory queries when using DomainSPN or DomainServer discovery.
Use this when you need to target a specific DC for cross-domain searches or when the nearest DC is unavailable.
Requires the '-Credential' parameter when querying remote domains or when explicit authentication is needed.
Alias | |
Required | False |
Pipeline | false |
Default Value |
Specifies which TCP ports to test for SQL Server connectivity during port scanning.
Use this to detect instances running on non-standard ports or to scan multiple common SQL Server ports like 1433, 1434, and custom ports.
Defaults to 1433 (SQL Server default port).
Alias | |
Required | False |
Pipeline | false |
Default Value | 1433 |
Filters results based on how certain the scan is that a SQL Server instance exists on each target.
Use High for definitive results when you need accurate inventories, Medium for likely instances, or Low for comprehensive discovery that includes potential false positives.
High confidence requires successful SQL service detection or connection, Medium requires browser response or combined port+SPN validation, Low accepts single indicators like open ports or SPN records.
Alias | |
Required | False |
Pipeline | false |
Default Value | Low |
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.
Alias | |
Required | False |
Pipeline | false |
Default Value | False |