[Issue] - Health Checker is unable to retrieve AD Group Memberships in empty Root AD Scenario #2251

Open
peschmi-msft opened this issue Dec 10, 2024 · 2 comments

Comments

@peschmi-msft

Provide Version Number
24.12.06.1857

Describe the issue
Health Checker is still unable to determine AD Group Memberships, even after pull request #2243.
This occurs in an Empty AD Root Forest Scenario.

Expected behavior
Successfully resolve the AD Group Memberships

Script Output
The script fails in line 14184:
$serverId = ([ADSI]("GC://$([System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name)/RootDSE")).dnsHostName.ToString()
with: You cannot call a method on a null-valued expression.
It fails to determine the ServerID since the RootDSE call is made to a child DC, leaving $serverId empty.

Later on, in Line: 14217
if (-not([string]::IsNullOrEmpty($serverId)))
Due to this, the param: Server with the GC Port will not be set to retrieve the ADObject for the Groups in the memberof Iteration.
Therefore a non-GC Session is opened which cannot resolve the ADObject (memberof Group).

Additional context
This can potentially be mitigated by adding an else condition to determine the GC to be used for the memberof iteration in line 14219, like:

else {
  $params["Server"] = "$((Get-ADRootDSE).dnsHostName):3268"
}

or already past line 14184 in a catch logic to retrieve the ServerID only once.
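
The failure mode described in this issue and the "retrieve the ServerID only once" idea, as an added example that is not Health Checker code and not written by the issue's participants. `Resolve-GlobalCatalogServer` is a hypothetical helper name, the third lookup (forest GC locator) is an assumption of this example, and the DN in the usage comment is constructed.

```powershell
# Added example, not part of Health Checker. Resolve-GlobalCatalogServer is a hypothetical name.
function Resolve-GlobalCatalogServer {
    [CmdletBinding()]
    [OutputType([string])]
    param()

    # Lookups tried in order; each yields a DNS host name or nothing.
    $lookups = [ordered]@{
        # The lookup quoted in the issue (line 14184), without the .ToString() call.
        "GC RootDSE"        = { ([ADSI]("GC://$([System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name)/RootDSE")).dnsHostName }
        # The fallback proposed in the issue; needs the ActiveDirectory module and
        # assumes the DC it reaches also listens on the GC port.
        "Get-ADRootDSE"     = { (Get-ADRootDSE -ErrorAction Stop).dnsHostName }
        # Assumption of this example: let the DC locator find any GC in the forest.
        "Forest GC locator" = { [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().FindGlobalCatalog().Name }
    }

    foreach ($entry in $lookups.GetEnumerator()) {
        $lookup = $entry.Value
        try {
            # A [string] cast turns a null or empty property into "" instead of
            # throwing "You cannot call a method on a null-valued expression."
            $hostName = [string](& $lookup)
        } catch {
            Write-Verbose "$($entry.Key) failed: $($_.Exception.Message)"
            continue
        }

        if (-not [string]::IsNullOrWhiteSpace($hostName)) {
            Write-Verbose "$($entry.Key) returned $hostName"
            # 3268 is the global catalog LDAP port used in the issue's suggestion.
            return "$($hostName):3268"
        }
        Write-Verbose "$($entry.Key) returned no host name"
    }

    # Callers must treat $null as "no GC session possible" and report it,
    # rather than silently querying a non-GC session.
    return $null
}

# Usage (constructed DN; resolve the server once, reuse it for every memberOf entry):
#   $gc = Resolve-GlobalCatalogServer -Verbose
#   $params = @{ Identity = "CN=Example Group,OU=Groups,DC=child,DC=example,DC=com" }
#   if ($gc) { $params["Server"] = $gc } else { Write-Warning "No global catalog found" }
#   Get-ADObject @params
```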

@lusassl-msft
Contributor

Assigning this to you @dpaulson45 since you have already looked at this

@dpaulson45
Member

This seems to be a rare situation, so this might need to wait until we come up with a better solution to find DCs/Computer Account DN.
