Active Directory: useful tests and cmdlets


Consistency check

Repadmin /kcc ServerName

repadmin /syncall

repadmin /syncall ServerName /AeP

For the forest

Repadmin /replsum

At DC level

Repadmin /showrepl

Repadmin /removelingeringobjects <DestDC> <SourceDC-GUID> <NamingContext> /advisory_mode
  • SYSVOL replication:

SONAR – Ultrasound – Dfsrmon – dfsrmgmt

  • General diagnostics:

dcdiag /e

  • Full test:

dcdiag /c

  • Other tests
DCDIAG /Test:KCCEvent

repadmin /failcache site:<nomsite>

repadmin /bind <DCname>

repadmin /syncall

 

Topology

repadmin /kcc

repadmin /prp view <RODC> reveal

 

  • Check which domain controllers the Directory Service Agent thinks are holding the FSMO roles
DCDIAG /Test:KnowsofRoleHolders /v
  • Check the integrity of a domain controller’s machine account
DCDIAG /Test:MachineAccount

 

  • FSMO roles

Netdom query fsmo

 

Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator

Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster

Get-ADDomainController -Filter * | Select-Object Name, Domain, Forest, OperationMasterRoles | Where-Object {$_.OperationMasterRoles} | Format-Table -AutoSize

  • Secure channel test

Nltest /server:<ComputerName> /sc_query:<DomainName>

 

  • Reset a computer account

Dsmod computer <ComputerDN> -reset

Netdom reset <ComputerName> /Domain:<DomainName> /UserO:<UserUPN> /PasswordO:*

 

MISCELLANEOUS

# NTDS.dit database / performance / service: BPA (Best Practices Analyzer)

# System state backup: repadmin /showbackup

# RDP-Tcp listener settings (including the SHA1 hash of the certificate it presents)
Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"

 

# Identify the ISTG covering each site: repadmin /istg

 

# Quick test:

DCDIAG /Test:KnowsOfRoleHolders

 

# Naming Context Security Descriptors Test

# If security descriptors are invalid, then replication may fail

DCDIAG /Test:NCSecDesc

 

# NetLogons

# Checks that replication is not failing because of insufficient logon privileges

DCDIAG /Test:NetLogons

 

# The Objects Replicated Test

# Used to confirm that machine accounts have replicated across all of your domain controllers; it can also be used to check whether other types of objects have replicated.

# If the object you are looking up is something other than a machine account, you also need to know the object's naming context. The syntax for this test looks like this:

DCDiag /Test:ObjectsReplicated /ObjectDN:<object's distinguished name> /N:<object's naming context>

 

# The Outbound Secure Channels Test

# A secure channel is an authenticated remote procedure call (RPC) connection between two machines in a domain, with an established security context used for signing and encrypting RPC packets.

DCDIAG /Test:OutboundSecureChannels /TestDomain:<yourdomain>

 

# By default this test only checks the domain controllers within the current site; add the /nositerestriction switch to include the other sites.

# List the HTTP.sys SSL certificate bindings
netsh http show sslcert

nltest /SC_QUERY:domainname

nltest /SC_reset:domainname /server:dcname

netdom reset hostname /domain:domainname /server:dcname

 

DNS replication

dnslint /ad <ip du dc> /s <ip du dns>

dcdiag /test:DNS /e

 

DCDIAG /Test:MachineAccount /FixMachineAccount -> resets the machine account's various flags

If that does not correct the problem, you can try recreating the machine account: DCDIAG /Test:MachineAccount /RecreateMachineAccount

 

Reset SPNs: setspn -R hostname

AD user query

$users = Get-ADUser -Filter {enabled -eq $True} -SearchBase "OU=utilisateurs,DC=f1nom0a,DC=local"

$users.Count

 

LOCK

get-aduser <UserName> -Properties badpwdcount, lockedout
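Going beyond the one-liner above, as an added example that is not from the original post: badPwdCount and lastBadPasswordAttempt are stored per DC and are not replicated, so a single Get-ADUser only reflects whichever DC answered. The function below (an assumed name) asks every DC in the domain; 'jdoe' is a placeholder user name and the ActiveDirectory module is assumed.

```powershell
# Added example, not from the original post. badPwdCount and
# lastBadPasswordAttempt live on each DC and are not replicated, so the
# same user is queried on every DC. Assumes the ActiveDirectory module.
function Get-BadPasswordState {
    param([Parameter(Mandatory)][string]$UserName)

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $UserName -Server $dc.HostName `
                 -Properties badPwdCount, lastBadPasswordAttempt, lockedOut, lockoutTime
            [pscustomobject]@{
                DC          = $dc.HostName
                BadPwdCount = $u.badPwdCount
                LastBadPwd  = $u.lastBadPasswordAttempt
                LockedOut   = $u.LockedOut
                # lockoutTime is a FILETIME; 0 or empty means not locked on this DC
                LockoutTime = $(if ($u.lockoutTime) { [datetime]::FromFileTime($u.lockoutTime) })
            }
        } catch {
            # An unreachable DC is reported rather than silently skipped
            [pscustomobject]@{
                DC = $dc.HostName; BadPwdCount = $null; LastBadPwd = $null
                LockedOut = $null; LockoutTime = "error: $($_.Exception.Message)"
            }
        }
    }
}

# The DC with the highest badPwdCount is the one that received the failed
# logons; event ID 4740 on the PDC emulator then names the source workstation.
$user = 'jdoe'   # placeholder user name
Get-BadPasswordState -UserName $user |
    Sort-Object BadPwdCount -Descending |
    Format-Table -AutoSize
```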

 

Force a non-authoritative (D2) replication of SYSVOL

–        With ADSIEDIT.msc, on the object with the following distinguished name (DN), set the attribute:

CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<servername>,OU=Domain Controllers,DC=<domain>

msDFSR-Enabled=FALSE

–        Force Active Directory replication with the following command:

repadmin /syncall /e

–        Check replication with the following command:

DFSRDIAG POLLAD

(If you see event ID 4114 in the DFSR event log, replication has completed)

–        With ADSIEDIT, on the same distinguished name (DN), set the attribute:

CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<servername>,OU=Domain Controllers,DC=<domain>

msDFSR-Enabled=TRUE

–        If you see event IDs 4614 and 4604 in the DFSR event log, the D2 replication has been initialised

Repadmin /replicate Server01 Server02 "dc=DomainName,dc=xxx"
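The D2 procedure above as one script, added here as an example and not taken from the original post. It assumes the ActiveDirectory module, an elevated session on the DC being re-initialised, SYSVOL replicated by DFSR (not FRS), and that the event IDs quoted above are the ones to wait for; Wait-DfsrEvent is an assumed helper name.

```powershell
# Added example, not from the original post: the non-authoritative (D2)
# SYSVOL re-initialisation described above, scripted for one DC.
# Assumes the ActiveDirectory module and an elevated session on that DC.
param(
    [string]$DC     = $env:COMPUTERNAME,                 # DC to re-initialise
    [string]$Domain = (Get-ADDomain).DistinguishedName   # e.g. DC=contoso,DC=local
)

# Same DN as in the ADSIEDIT step above
$subDn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings," +
         "CN=$DC,OU=Domain Controllers,$Domain"

function Wait-DfsrEvent {
    # Poll the DFS Replication log until one of the event IDs appears after $Since
    param([int[]]$Id, [datetime]$Since, [int]$TimeoutMin = 15)
    $deadline = (Get-Date).AddMinutes($TimeoutMin)
    do {
        $ev = Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = $Id; StartTime = $Since } `
              -ErrorAction SilentlyContinue
        if ($ev) { return ($ev | Select-Object -First 1) }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for DFSR event $($Id -join '/') on $DC"
}

# 1. msDFSR-Enabled=FALSE, then push the change and make DFSR poll AD
$t0 = Get-Date
Set-ADObject -Identity $subDn -Replace @{ 'msDFSR-Enabled' = $false }
repadmin /syncall /e | Out-Null
dfsrdiag pollad   | Out-Null
# 2. Event 4114 in the DFSR log: DFSR has stopped replicating SYSVOL on this DC
Wait-DfsrEvent -Id 4114 -Since $t0 | Out-Null

# 3. msDFSR-Enabled=TRUE, push and poll again
$t0 = Get-Date
Set-ADObject -Identity $subDn -Replace @{ 'msDFSR-Enabled' = $true }
repadmin /syncall /e | Out-Null
dfsrdiag pollad   | Out-Null
# 4. Events 4614 / 4604: the D2 re-initialisation is under way / complete
Wait-DfsrEvent -Id 4614, 4604 -Since $t0 | Format-List TimeCreated, Id, Message
```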

 

FSMO roles transfer

Transferring all roles

Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator

 

Seizing all roles (from a permanently offline domain controller)

Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator -Force

 

 

Instead of typing the names of the operations master roles, their numbers may also be specified:

Role Name             Number
PDCEmulator           0
RIDMaster             1
InfrastructureMaster  2
SchemaMaster          3
DomainNamingMaster    4

TOOLS

DSACLS    Views and modifies the ACLs on AD objects
DSASTAT   Compares two AD trees and provides statistics
DCDIAG    Checks the health of a DC
DNSCMD    Checks dynamic DNS records, lists DNS zones
KLIST     Lists Kerberos tickets
NETDIAG   Checks the network end to end and the distributed service functions
REPLMON   Displays the replication topology, forces replication and KCC recalculation
NLTEST    Tests trust relationships and the replication state of a DC; also tests and resets the NetLogon secure channel established between the client and the DC
