
Active Directory

Microsoft Windows Active Directory tools and notes.

List Domain Controllers

# Requires the RSAT ActiveDirectory module
Import-Module ActiveDirectory

Get-ADDomainController -Filter * | Format-Table Name, Site, OperatingSystem, IPv4Address, IsGlobalCatalog -AutoSize

# Get the Forest functional level
(Get-ADForest).ForestMode
# Get the Domain functional level
(Get-ADDomain).DomainMode

# List site links with their cost and replication interval
Get-ADReplicationSiteLink -Filter * | ft Name, Cost, ReplicationFrequencyInMinutes


Account Lockout

I recently needed to find out what machine was causing a user's account to continually get locked out. I had previously had the benefit of just being able to look at a monitoring alert that generated an email for account lockouts and included the content of the Event ID. This time no such luck.


Microsoft Account Lockout and Management Tools (ALTools.exe)

Download MS ALTools

  1. Extract the tools
  2. Run LockoutStatus.exe
  3. File / Select Target
  4. Specify the Target UserName and Domain
  5. In the results find the DC with a non-zero "Bad Pwd Count" (badPwdCount is not replicated, so each DC keeps its own count; the PDC emulator is a good first place to look because bad-password attempts are forwarded to it)
  6. Open the Security event log on that DC and filter for event ID 644 (on Windows Server 2008 and later the equivalent event is 4740)
  7. The "Caller Machine Name" (644) / "Caller Computer Name" (4740) field of that event identifies the machine the bad passwords came from
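The same investigation in PowerShell, as an added example that is not part of the original page or of ALTools. It first does what LockoutStatus.exe does (asks every DC for the account's non-replicated badPwdCount, badPasswordTime and lockoutTime) and then pulls the lockout events from the PDC emulator's Security log. It assumes the RSAT ActiveDirectory module, read access to the DCs' Security logs, and Windows Server 2008 or later DCs (event 4740 rather than 644); `$UserName` and `$Days` are the script's own parameters and `ConvertFrom-AdFileTime` is its own helper.

```powershell
# Added example (not part of the original page): find which machine is locking out an account.
# Assumes the RSAT ActiveDirectory module, read access to the DCs' Security logs, and
# Windows Server 2008 or later DCs (event 4740 replaces the Windows 2003 event 644).
param(
    [Parameter(Mandatory = $true)][string]$UserName,   # sAMAccountName of the locked-out user
    [int]$Days = 1                                       # how far back to search the Security log
)

Import-Module ActiveDirectory

function ConvertFrom-AdFileTime([long]$FileTime) {
    # AD stores these timestamps as Windows FILETIME; 0 means "never"
    if ($FileTime -gt 0) { [DateTime]::FromFileTime($FileTime) }
}

# Step 1 - what LockoutStatus.exe does: badPwdCount, badPasswordTime and lockoutTime are not
# replicated, so ask every DC individually to see which one received the bad passwords.
$status = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $UserName -Server $dc.HostName `
                        -Properties badPwdCount, badPasswordTime, lockoutTime -ErrorAction Stop
    } catch {
        Write-Warning "$($dc.HostName): $_"
        continue
    }
    [pscustomobject]@{
        DC              = $dc.HostName
        BadPwdCount     = $u.badPwdCount
        LastBadPassword = ConvertFrom-AdFileTime $u.badPasswordTime
        LockoutTime     = ConvertFrom-AdFileTime $u.lockoutTime
    }
}
$status | Sort-Object BadPwdCount -Descending | Format-Table -AutoSize

# Step 2 - bad-password attempts are chained to the PDC emulator, so its Security log carries
# a 4740 ("A user account was locked out") for every lockout in the domain, whichever DC saw it.
$pdc    = (Get-ADDomain).PDCEmulator
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days) }

Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the EventData fields by name from the XML instead of scraping the message text
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $data['TargetUserName']
            # In 4740 the "Caller Computer Name" shown in the message is stored as TargetDomainName
            CallerComputer = $data['TargetDomainName']
            LoggedOnDC     = $pdc
        }
    } |
    Where-Object { $_.Account -eq $UserName } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Run it as `.\Find-Lockout.ps1 -UserName jsmith -Days 2` from a machine with RSAT. The first table tells you which DC saw the bad passwords; the second lists the caller computers, which is where the stale credential (service, scheduled task, mapped drive, saved RDP session) usually lives.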

Cached Credentials

Directory Size

The directory database is %windir%\NTDS\NTDS.dit by default; its size on disk is the size of the directory.

FSMO Roles

List the Roles and Servers that hold those roles

netdom query fsmo

# Or interactively in ntdsutil (each line below is typed at the ntdsutil prompt)
ntdsutil
domain management
connections
connect to server localhost
quit
Select operation target
List roles for connected server
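A PowerShell equivalent of `netdom query fsmo`, added here as an example that is not part of the original page. It resolves each role holder to its DC object, checks that the holder answers a ping, and adds one sanity check a practitioner wants when reading this list. It assumes the RSAT ActiveDirectory module and that it runs in the domain being checked; the report layout and the check's wording are the example's own.

```powershell
# Added example (not part of the original page): list FSMO role holders with a reachability
# check. Assumes the RSAT ActiveDirectory module and a session in the domain being checked.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# The two forest-wide roles are on the forest object, the three domain roles on the domain object
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# DCs of the current domain only; the forest roles may sit on a DC of the forest root domain,
# in which case the lookup below finds nothing and IsGC/Site stay empty
$dcs = Get-ADDomainController -Filter *

$report = foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    $dc     = $dcs | Where-Object { $_.HostName -eq $holder }
    [pscustomobject]@{
        Role   = $role
        Holder = $holder
        Online = Test-Connection -ComputerName $holder -Count 1 -Quiet
        IsGC   = $dc.IsGlobalCatalog
        Site   = $dc.Site
    }
}
$report | Format-Table -AutoSize

# Sanity check: in a multi-domain forest the infrastructure master must not be a global catalog
# unless every DC in the domain is one, otherwise cross-domain references are never refreshed.
$im    = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
$allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
if ($im -and $im.IsGlobalCatalog -and -not $allGc -and $forest.Domains.Count -gt 1) {
    Write-Warning "Infrastructure master $($im.HostName) is a GC but not all DCs in $($domain.DNSRoot) are GCs"
}
```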

List Password Policy

This shows the default domain password policy only; fine-grained password policies (PSOs) applied to specific users or groups are not reported.

C:\>net accounts /domain
The request will be processed at a domain controller for domain blah.corp.

Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 90
Minimum password length: 8
Length of password history maintained: 24
Lockout threshold: 5
Lockout duration (minutes): Never
Lockout observation window (minutes): 99999
Computer role: PRIMARY
The command completed successfully. 
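An added example, not code from the original page: it reads the default domain password policy and every fine-grained policy (PSO) through the ActiveDirectory module, which covers the settings `net accounts /domain` leaves out, and flags values weaker than a baseline. The baseline numbers in `$Baseline` and the helper `Test-PasswordPolicy` are the example's own assumptions, not values from this page; it assumes the RSAT ActiveDirectory module.

```powershell
# Added example (not part of the original page): audit the default domain password policy and
# every fine-grained policy (PSO), which "net accounts /domain" does not show, against a
# baseline. The baseline values are the example's own assumptions, not values from this page.
Import-Module ActiveDirectory

$Baseline = @{
    MinPasswordLength   = 14   # assumed
    MaxLockoutThreshold = 10   # assumed; a threshold of 0 means lockout is disabled
    MinPasswordHistory  = 24   # assumed
    MaxPasswordAgeDays  = 365  # assumed
}

function Test-PasswordPolicy {
    param($Policy, [string]$Name)
    $findings = @()
    if ($Policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings += "MinPasswordLength $($Policy.MinPasswordLength) < $($Baseline.MinPasswordLength)"
    }
    if (-not $Policy.ComplexityEnabled)      { $findings += 'complexity disabled' }
    if ($Policy.ReversibleEncryptionEnabled) { $findings += 'reversible encryption enabled (cleartext-equivalent storage)' }
    if ($Policy.LockoutThreshold -eq 0) {
        $findings += 'lockout disabled (threshold 0)'
    } elseif ($Policy.LockoutThreshold -gt $Baseline.MaxLockoutThreshold) {
        $findings += "LockoutThreshold $($Policy.LockoutThreshold) > $($Baseline.MaxLockoutThreshold)"
    }
    if ($Policy.PasswordHistoryCount -lt $Baseline.MinPasswordHistory) {
        $findings += "PasswordHistoryCount $($Policy.PasswordHistoryCount) < $($Baseline.MinPasswordHistory)"
    }
    # MaxPasswordAge is a TimeSpan; a zero TimeSpan is how the module reports "never expires"
    if ($Policy.MaxPasswordAge.Ticks -le 0 -or $Policy.MaxPasswordAge.TotalDays -gt $Baseline.MaxPasswordAgeDays) {
        $findings += "MaxPasswordAge $($Policy.MaxPasswordAge.TotalDays) days"
    }
    $summary = if ($findings) { $findings -join '; ' } else { 'OK' }
    [pscustomobject]@{ Policy = $Name; Findings = $summary }
}

$results = @(Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Name 'Default Domain Policy')

# PSOs override the default for the principals in AppliesTo; the lowest Precedence wins on conflict
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence) {
    $results += Test-PasswordPolicy -Policy $pso -Name "PSO $($pso.Name) (precedence $($pso.Precedence))"
}
$results | Format-Table -AutoSize
```

Against the output shown above (length 8, threshold 5, history 24, max age 90 days) the default policy would be flagged only for the minimum length.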

Replication status

repadmin /replsum /bysrc /bydest /sort:delta

DNS status

DCDiag /Test:DNS /e /v > .\DCdiagDNS.txt

ADRAP Prep tool

Great tool for testing network access between different Domain Controllers. 

Risk and Health Assessment Program for Active Directory – Scoping Tool v1.4

Active Directory Web Service ADWS

Download ADWS

Subnets without a defined site

NETLOGON event ID 5807 on a DC means clients authenticated from IP addresses that are not covered by any subnet defined in AD Sites and Services, so they could not be matched to a site. The individual clients are recorded as NO_CLIENT_SITE entries in the Netlogon debug log on each DC:

%SystemRoot%\debug\netlogon.log
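An added example, not code from the original page, that summarises the NO_CLIENT_SITE entries from netlogon.log into candidate subnets so they can be added to Sites and Services. The sample log lines are constructed for the example; point `$LogPath` at %SystemRoot%\debug\netlogon.log on each DC for real data. The /24 grouping is an assumption to adjust for your own addressing plan, and the final cross-check needs the RSAT ActiveDirectory module.

```powershell
# Added example (not part of the original page): summarise NO_CLIENT_SITE entries from netlogon.log.
# The sample lines below are constructed; pass -LogPath to read a real %SystemRoot%\debug\netlogon.log.
param([string]$LogPath)

# Constructed sample in netlogon.log format: "MM/DD hh:mm:ss [category] [pid] DOMAIN: NO_CLIENT_SITE: host ip"
$sampleText = @'
01/15 09:12:03 [MISC] [1208] BLAH: NO_CLIENT_SITE: LAPTOP-042 10.44.7.23
01/15 09:12:41 [MISC] [1208] BLAH: NO_CLIENT_SITE: LAPTOP-042 10.44.7.23
01/15 09:15:10 [MISC] [1208] BLAH: NO_CLIENT_SITE: PRN-LOBBY 10.44.7.200
01/15 09:20:55 [MISC] [1208] BLAH: NO_CLIENT_SITE: VPN-CLIENT7 172.30.5.14
01/15 09:21:00 [MISC] [1208] BLAH: DsGetDcName function called: client PID=4, Dom:(null) Acct:(null) Flags: KDC
'@
$sample = $sampleText -split "`r?`n"

$lines = if ($LogPath) { Get-Content -Path $LogPath } else { $sample }

# Older DCs omit the [category] [pid] fields, so match only on the marker and the two trailing tokens
$pattern = 'NO_CLIENT_SITE:\s+(?<host>\S+)\s+(?<ip>\d{1,3}(?:\.\d{1,3}){3})'

$hits = foreach ($line in $lines) {
    if ($line -match $pattern) {
        $ip = $Matches['ip']
        # Group by /24 to suggest a subnet (assumption: adjust to your real addressing plan)
        $subnet = ($ip -replace '\.\d+$', '.0') + '/24'
        [pscustomobject]@{ Host = $Matches['host']; IP = $ip; Subnet24 = $subnet }
    }
}

# Candidate subnets, how often they were seen, and the clients involved for follow-up
$hits | Group-Object Subnet24 | ForEach-Object {
    [pscustomobject]@{
        Subnet24 = $_.Name
        Hits     = $_.Count
        Clients  = ($_.Group.Host | Sort-Object -Unique) -join ', '
    }
} | Sort-Object Hits -Descending | Format-Table -AutoSize

# Cross-check against subnets already defined, so an existing but mis-sized subnet is fixed
# rather than duplicated (requires the RSAT ActiveDirectory module; skipped if absent)
if (Get-Command Get-ADReplicationSubnet -ErrorAction SilentlyContinue) {
    Get-ADReplicationSubnet -Filter * | Format-Table Name, Site -AutoSize
}
```

With the constructed sample the report lists 10.44.7.0/24 (3 hits, LAPTOP-042 and PRN-LOBBY) and 172.30.5.0/24 (1 hit, VPN-CLIENT7); the DsGetDcName line is ignored. Because the log is per DC, run it against every DC that logs 5807 before deciding which subnets to add.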

LDAP queries

http://www.petri.co.il/ldap_search_samples_for_windows_2003_and_exchange.htm


LDIF

Import and export .ldif files.

https://github.com/jhbooth/LDIF-PowerShell


Links

New resolution for problems with Kerberos authentication when users belong to many groups

How to force Kerberos to use TCP instead of UDP in Windows

Limiting a user's concurrent connections in Windows Server 2003

Addressing Problems Due to Access Token Limitation

tokensz syntax

ifmember

http://technet.microsoft.com/en-us/library/cc773360%28WS.10%29.aspx

Urgent replication

http://technet.microsoft.com/en-us/library/cc772726%28WS.10%29.aspx#w2k3tr_repup_how_huzs

http://www.windowsitsecurity.com/articles/print.cfm?articleid=102483