Active Directory

Microsoft Windows Active Directory tools and notes.

List Domain Controllers

Get-ADDomainController -Filter * | Format-Table Name, Site, OperatingSystem, IPv4Address, IsGlobalCatalog -AutoSize

# Get the Forest functional level

(Get-ADForest).ForestMode

# Get the Domain functional level

(Get-ADDomain).DomainMode


Get-ADReplicationSiteLink -Filter * | ft Name, Cost, ReplicationFrequencyInMinutes

Account Lockout

https://gallery.technet.microsoft.com/scriptcenter/Get-LockedOutLocation-b2fd0cab

http://blogs.technet.com/b/heyscriptingguy/archive/2012/12/27/use-powershell-to-find-the-location-of-a-locked-out-user.aspx

I recently needed to find out what machine was causing a user's account to continually get locked out. I had previously had the benefit of just being able to look at a monitoring alert that generated an email for account lockouts and included the content of the Event ID. This time, no such luck.

Microsoft Account Lockout and Management Tools (ALTools.exe)

Download MS ALTools
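Added example (not code from the original page or from ALTools): every account lockout is recorded as event ID 4740 on the PDC emulator, whichever DC actually processed the bad passwords, so one query against the PDC gives the "Caller Computer Name" for each lockout. The function name and the 24-hour default window are assumptions; it requires the ActiveDirectory module and the right to read the Security log on the PDC.

```powershell
# Added example: find the machine that keeps locking a user out by reading
# event ID 4740 from the PDC emulator's Security log.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Hours = 24    # assumed default lookback window
    )

    # 4740 is always written on the PDC emulator, so query it directly.
    $pdc = (Get-ADDomain).PDCEmulator

    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read the named EventData fields from the event XML instead of relying
        # on positional Properties indexes.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # In 4740, TargetUserName is the locked-out account and TargetDomainName
        # carries the "Caller Computer Name" shown in Event Viewer.
        if ($data['TargetUserName'] -ne $SamAccountName) { continue }

        [pscustomobject]@{
            Time           = $e.TimeCreated
            User           = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']
            ReportedBy     = $pdc
        }
    }
}

# Usage: which machines locked 'jdoe' out in the last day, most frequent first
Get-LockoutSource -SamAccountName 'jdoe' |
    Group-Object CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Name, Count
```

If the caller computer turns out to be a DC, an Exchange server or a proxy, that host only relayed the bad attempts; the real source then has to be traced from the 4771/4776 events on that host itself.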

Cached Credentials

Directory Size

%windir%\NTDS\NTDS.dit

FSMO Roles

List the FSMO roles and the servers that hold them

netdom query fsmo

ntdsutil

roles

connections

connect to server localhost

quit

select operation target

list roles for connected server
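Added example (not from the original page): the PowerShell equivalent of netdom query fsmo, which also flags a role holder that is no longer a known domain controller or does not answer a ping. That catches the common case of a DC that died before its roles were seized, which netdom's output alone will not show. It assumes the ActiveDirectory module and ICMP being allowed to the DCs.

```powershell
# Added example: list FSMO role holders and sanity-check each one.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# Hostnames of every DC still present in the directory, across all domains,
# because the forest-wide roles may sit in the forest root rather than here.
$liveDCs = foreach ($d in $forest.Domains) {
    (Get-ADDomainController -Filter * -Server $d).HostName
}

foreach ($r in $roles.GetEnumerator()) {
    [pscustomobject]@{
        Role      = $r.Key
        Holder    = $r.Value
        IsKnownDC = ($liveDCs -contains $r.Value)   # False => stale holder, roles need seizing
        Reachable = Test-Connection -ComputerName $r.Value -Count 1 -Quiet -ErrorAction SilentlyContinue
    }
}
```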

List Password Policy

C:\>net accounts /domain

The request will be processed at a domain controller for domain blah.corp.

Force user logoff how long after time expires?:       Never

Minimum password age (days):                          0

Maximum password age (days):                          90

Minimum password length:                              8

Length of password history maintained:                24

Lockout threshold:                                    5

Lockout duration (minutes):                           Never

Lockout observation window (minutes):                 99999

Computer role:                                        PRIMARY

The command completed successfully. 
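Added example (not from the original page): net accounts /domain only shows the default domain policy. Since Windows Server 2008, fine-grained password policies (PSOs) can override it for specific users or groups, so the policy that really applies to an account has to be resolved per account. This lists the default policy, every PSO, and the resultant policy for one user, and flags weak settings. The thresholds (14 characters, history of 24, lockout required) and the sample account name are assumptions; adjust them to your own standard. Requires the ActiveDirectory module.

```powershell
# Added example: default policy, fine-grained policies and the effective policy
# for one account, with weak settings flagged.
param([string]$SamAccountName = 'jdoe')   # assumed sample account
Import-Module ActiveDirectory

$default = Get-ADDefaultDomainPasswordPolicy
$psos    = Get-ADFineGrainedPasswordPolicy -Filter *
$user    = Get-ADUser -Identity $SamAccountName
# Returns $null when no PSO applies, in which case the default policy is effective.
$effective = Get-ADUserResultantPasswordPolicy -Identity $user

function Test-PasswordPolicy {
    param($Policy, [string]$Label)
    $findings = @()
    # Thresholds below are assumptions for the example, not a Microsoft baseline.
    if ($Policy.MinPasswordLength -lt 14)    { $findings += "MinPasswordLength=$($Policy.MinPasswordLength)" }
    if (-not $Policy.ComplexityEnabled)      { $findings += 'ComplexityEnabled=False' }
    if ($Policy.LockoutThreshold -eq 0)      { $findings += 'LockoutThreshold=0 (no lockout)' }
    if ($Policy.PasswordHistoryCount -lt 24) { $findings += "PasswordHistoryCount=$($Policy.PasswordHistoryCount)" }
    if ($Policy.ReversibleEncryptionEnabled) { $findings += 'ReversibleEncryptionEnabled=True' }
    [pscustomobject]@{
        Policy   = $Label
        Findings = if ($findings) { $findings -join '; ' } else { 'none' }
    }
}

Test-PasswordPolicy -Policy $default -Label 'Default Domain Policy'
foreach ($p in $psos) {
    # Lower precedence wins when several PSOs apply to the same user.
    Test-PasswordPolicy -Policy $p -Label "PSO $($p.Name) (precedence $($p.Precedence))"
}
if ($effective) {
    Test-PasswordPolicy -Policy $effective -Label "Effective for $SamAccountName ($($effective.Name))"
} else {
    "No PSO applies to $SamAccountName; the default domain policy is effective."
}
```

A PSO with a low precedence and a weak lockout setting applied to a service account group is a common way for the output of net accounts to look fine while the accounts that matter are effectively exempt from lockout.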

Replication status

repadmin /replsum /bysrc /bydest /sort:delta

DNS status

DCDiag /Test:DNS /e /v > .\DCdiagDNS.txt

ADRAP Prep tool

Great tool for testing network access between different Domain Controllers. 

Risk and Health Assessment Program for Active Directory – Scoping Tool v1.4

Active Directory Web Service ADWS

Download ADWS

Subnets without a defined site

Event id 5807

%SystemRoot%\debug\netlogon.log
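Added example (not from the original page): each DC writes a NO_CLIENT_SITE line to its own netlogon.log for every client whose IP matches no AD subnet, which is the condition that raises event 5807. This pulls those lines from every DC over the admin$ share, groups them by an assumed /24 so the missing subnets stand out, and lists the subnets already defined for comparison. The /24 grouping and the admin$ path are assumptions; it needs admin rights on each DC.

```powershell
# Added example: find client IPs with no site from every DC's netlogon.log.
Import-Module ActiveDirectory

# Example line format: "07/14 10:22:33 CORP: NO_CLIENT_SITE: WS1234 10.20.30.44"
$pattern = 'NO_CLIENT_SITE:\s+(?<Client>\S+)\s+(?<IP>\d{1,3}(\.\d{1,3}){3})'

$hits = foreach ($dc in Get-ADDomainController -Filter *) {
    $log = "\\$($dc.HostName)\admin$\debug\netlogon.log"   # assumed admin$ path to %SystemRoot%
    if (-not (Test-Path $log)) { continue }
    # Select-String streams the file, so a multi-MB log is not read into memory at once.
    foreach ($m in Select-String -Path $log -Pattern $pattern) {
        $ip = $m.Matches[0].Groups['IP'].Value
        [pscustomobject]@{
            DC     = $dc.HostName
            Client = $m.Matches[0].Groups['Client'].Value
            IP     = $ip
            Subnet = ($ip -replace '\.\d+$', '.0/24')   # /24 is an assumption for grouping only
        }
    }
}

# Candidate subnets to define, busiest first, with a few client names as evidence
$hits | Group-Object Subnet | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'SampleClients'; e = { ($_.Group.Client | Select-Object -Unique -First 5) -join ', ' } }

# Subnets already defined in AD, to compare against the list above
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
```

netlogon.log rolls over to netlogon.bak in the same directory, so include that file as well if the current log only covers a short period.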

LDAP queries

http://www.petri.co.il/ldap_search_samples_for_windows_2003_and_exchange.htm

LDIF

Import and export .ldif files.

https://github.com/jhbooth/LDIF-PowerShell

Links

New resolution for problems with Kerberos authentication when users belong to many groups

How to force Kerberos to use TCP instead of UDP in Windows

Limiting a user's concurrent connections in Windows Server 2003

Addressing Problems Due to Access Token Limitation

tokensz syntax

ifmember

http://technet.microsoft.com/en-us/library/cc773360%28WS.10%29.aspx

Urgent replication

http://technet.microsoft.com/en-us/library/cc772726%28WS.10%29.aspx#w2k3tr_repup_how_huzs

http://www.windowsitsecurity.com/articles/print.cfm?articleid=102483