Home‎ > ‎Software‎ > ‎Microsoft‎ > ‎

Active Directory

Microsoft Windows Active Directory tools and notes.

List Domain Controllers

Get-ADDomainController -Filter * | Format-Table Name, Site, OperatingSystem, IPv4Address, IsGlobalCatalog -AutoSize

# Get the Forest functional level
# Get the Domain functional level

Get-ADDomainController -Filter * | Format-Table Name, Site, OperatingSystem, IPv4Address, IsGlobalCatalog -AutoSize
Get-ADReplicationSiteLink -Filter * | ft Name, Cost, ReplicationFrequencyInMinutes

Account Lockout

I recently needed to find out want machine was causing a users account to continually get locked out. I had previously had the benifit of just being able to look to a monitoring alert that generated an email for account lockouts and included the content of the Event ID. This time no such luck.


Microsoft Account Lockout and Management Tools (ALTools.exe)

Download MS ALTools

  1. Extract the tools
  2. Run LockoutStatus.exe
  3. File / Select Target
  4. Specify the Target UserName and Domain
  5. In the results find the server with a value for "Bad Pwd Count"
  6. Open the Security event log on that server and filter for event it 644
  7.  In that event determine what machine is causing the account to get locked out

Cached Credentials

Directory Size


FSMO Roles

List the Roles and Servers that hold those roles

netdom query fsmo

domain management
connect to server localhost
Select operation target
List roles for connected server

List Password Policy

C:\>net accounts /domain
The request will be processed at a domain controller for domain blah.corp.

Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 90
Minimum password length: 8
Length of password history maintained: 24
Lockout threshold: 5
Lockout duration (minutes): Never
Lockout observation window (minutes): 99999
Computer role: PRIMARY
The command completed successfully. 

Replication status

repadmin /replsum /bysrc /bydest /sort:delta

DNS status

DCDiag /Test:DNS /e /v > .\DCdiagDNS.txt

ADRAP Prep tool

Great tool for testing network access between different Domain Controllers. 

Risk and Health Assessment Program for Active Directory – Scoping Tool v1.4

Active Directory Web Service ADWS

Download ADWS

Subnets without a defined site

Event id 5807

LDAP queries



Import and export .ldif files.



New resolution for problems with Kerberos authentication when users belong to many groups

How to force Kerberos to use TCP instead of UDP in Windows

Limiting a user's concurrent connections in Windows Server 2003

 Addressing Problems Due to Access Token Limitation

tokensz syntax



Urgent replication