Active Directory Back To Basics–Sysvol


What is SYSVOL?

SYSVOL is simply a folder which resides on each and every domain controller within the domain. It contains the domain's public files that need to be accessed by clients and kept synchronised between domain controllers. The default location for the SYSVOL is C:\Windows\SYSVOL, although it can be moved to another location during the promotion of a domain controller. It's possible but not recommended to relocate the SYSVOL after DC promotion, as there is potential for error. The SYSVOL folder can be accessed through its domain share \\domainname.com\sysvol or the local share name on the server \\servername\sysvol.

What makes up SYSVOL?

The SYSVOL folder is made up of folders, files and junction points. In essence SYSVOL uses DFS to share the relevant folders to users and clients. Let's take a look at a default SYSVOL folder.


We see four folders: domain, staging, staging areas and SYSVOL. For now we will concentrate on the domain and SYSVOL folders.

Starting with the SYSVOL folder c:\windows\SYSVOL\SYSVOL we can see that this is the folder our clients access as it’s shared out as SYSVOL.


Going into the folder we see another folder by the name of our domain.


Looking at the folder we can see the shortcut arrow on the folder icon indicating that this is a link to another folder. If we run a DIR command from a command prompt it shows us that what we are actually seeing is a junction point rather than a directory. We also see the junction point is pointing to the C:\Windows\SYSVOL\domain folder.


Browsing into the domain folder we can see two key folders: Policies and Scripts. These are the folders we are really interested in when we refer to SYSVOL.


The Scripts folder is empty by default. It is really the Netlogon share, which is mainly used to hold scripts that need to be replicated around all your domain controllers. The Policies folder, on the other hand, should always contain at minimum two folders.


The long folder names are the GUIDs of two group policies. In any new domain environment we always get two default GPOs, Default Domain Policy and Default Domain Controllers Policy. Every additional group policy gets a folder created within the SYSVOL Policies folder which contains all the files required for that group policy.

Replication

Now that we have talked about what the SYSVOL consists of we need to discuss replication. The whole purpose of the SYSVOL folder is that it is replicated to all domain controllers throughout the domain. There are two replication technologies used to replicate the SYSVOL folder, File Replication Service and Distributed File System Replication. We are going to explore both of these in more detail now:

File Replication Service – FRS

FRS is a multi-master, multi-threaded replication technology. This means that any server that is part of the replication set can make changes. It was first introduced in Windows 2000 to replace the previous LMREPL technology used in the Windows NT 3.x and 4 days. Although FRS can still be used with Server 2008 R2 and above, it really isn't recommended and you would most likely want to move towards using DFS-R; more about that shortly.

Let's start by explaining the steps involved in keeping the SYSVOL synchronised between domain controllers using FRS replication. Active Directory replication is different to SYSVOL replication using FRS or DFSR, although both use the replication topology and schedule from AD. This diagram shows the high-level steps, which we will go into in more detail.


Whenever a file is written to disk on an NTFS volume the NTFS Change Journal is updated. This is also known as the USN journal and contains a log of changes made to files on the NTFS volume. The steps below follow a change from DC1 to its replication partner DC2.

  1. The FRS service detects the change by monitoring the USN journal and applies a 3 second delay before creating an entry in its inbound log. This process, known as the aging cache, prevents replication while a file is undergoing rapid updates. We refer to the inbound log, but it is actually a table within the NTFRS database. The log records information about the file and the time it was changed, which is then used to build the change message.
  2. To ensure the file and all its attributes (i.e. permissions) are kept intact, FRS calls the backup API, which uses VSS technology to take a snapshot of the file and its attributes. This backup file is then compressed and stored in the staging area folder.
  3. The outbound log is updated (again, this is actually a table within the FRS database). It contains information about all the changes for a specified replication set. If the original change was a deletion rather than a creation, no staging file is created, but the outbound log reflects the deletion.
  4. FRS on DC1 sends a change notification to its replication partner DC2.
  5. DC2 adds the information about the change to its inbound log, accepts the change and sends a change acknowledgement back to DC1.
  6. DC2 copies the file from DC1 into its own staging area, then writes an entry to its outbound log so that its other partners can pick up the change.
  7. DC2 calls the backup API to restore the file from the staging area into the SYSVOL folder.

So there you have it, FRS replication. There is a very detailed and in-depth reference guide on TechNet here for further reference.

Distributed File System Replication – DFS-R

A brand new domain built on Windows 2008 or higher will automatically use DFS-R to replicate its SYSVOL. However, a domain upgraded from 2003 to 2008 or above will not; it will still use FRS replication until it is migrated to DFS-R. If you are interested in migrating from FRS to DFS-R you should follow the steps here. It's a fairly painless exercise as long as you follow the guide correctly and don't try to jump ahead and miss steps. DFS-R works in almost the same way as FRS, and Microsoft were kind enough to put some nice self-healing functions in place to remedy some of the issues that FRS was prone to.

The main difference from FRS is that instead of replicating entire files, only the chunks of data that have changed are replicated. This is achieved by computing MD4 hashes over the file so that changed chunks can be identified, which makes DFS-R a much more efficient replication protocol than FRS. The inbound and outbound logs are also not required, as replication partners exchange version vectors to identify which files have to be replicated between them.

Summary

So we've covered what the SYSVOL is, what it consists of and how it's replicated. The SYSVOL is a key function of Active Directory, and an unhappy SYSVOL means an unhealthy AD. Don't just rely on the event logs to find errors: you should be proactively monitoring SYSVOL replication, and there are plenty of free tools and utilities available to do so.
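A SYSVOL health check that implements the proactive monitoring advice above, added here as an example and not code from the original post. It assumes the RSAT ActiveDirectory module and an account that can read every DC's SYSVOL share; it reports, per DC, which engine (FRS or DFSR) replicates SYSVOL, whether the two default GPO folders are present, and whether each GPO's GPT.INI version matches the versionNumber stored in AD.

```powershell
# Added example (not from the original post): per-DC SYSVOL consistency report.
# Assumes RSAT ActiveDirectory and read access to \\<dc>\SYSVOL on every DC.
Import-Module ActiveDirectory

# Folder names of the two GPOs every new domain gets (well-known GUIDs)
$DefaultGpoGuids = @(
    '{31B2F340-016D-11D2-945F-00C04FB984F9}',   # Default Domain Policy
    '{6AC1786C-016F-11D2-945F-00C04fB984F9}'    # Default Domain Controllers Policy
)

function Get-GptIniVersion {
    # Return the Version= value from a GPO's GPT.INI on one DC, or $null if absent
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^Version=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Test-AdObjectExists {
    # Get-ADObject throws on an unknown DN; turn that into $true/$false
    param([string]$Dn)
    try { [bool](Get-ADObject -Identity $Dn -ErrorAction Stop) } catch { $false }
}

function Get-SysvolReplicationEngine {
    # FRS and DFSR each leave a subscription object under the DC's computer object,
    # which is more reliable than checking which services happen to be running
    param([string]$DcComputerDn)
    $frs  = "CN=Domain System Volume (SYSVOL share),CN=NTFRS Subscriptions,$DcComputerDn"
    $dfsr = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$DcComputerDn"
    $engines = @()
    if (Test-AdObjectExists $dfsr) { $engines += 'DFSR' }
    if (Test-AdObjectExists $frs)  { $engines += 'FRS' }
    if ($engines) { $engines -join '+' } else { 'none' }
}

function Test-SysvolHealth {
    $domain = Get-ADDomain
    # GPO containers as AD knows them; versionNumber must match Version= in GPT.INI
    $gpos = Get-ADObject -LDAPFilter '(objectClass=groupPolicyContainer)' `
                -SearchBase "CN=Policies,CN=System,$($domain.DistinguishedName)" `
                -Properties versionNumber, displayName

    foreach ($dc in Get-ADDomainController -Filter *) {
        $policies = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies"
        $report = [ordered]@{
            DC              = $dc.HostName
            Engine          = Get-SysvolReplicationEngine $dc.ComputerObjectDN
            SysvolReachable = Test-Path -LiteralPath $policies
            MissingDefault  = @()
            VersionMismatch = @()
        }
        if ($report.SysvolReachable) {
            $report.MissingDefault = @($DefaultGpoGuids |
                Where-Object { -not (Test-Path -LiteralPath "$policies\$_") })
            foreach ($gpo in $gpos) {
                # $gpo.Name is the {GUID} that names the folder under Policies
                $iniVer = Get-GptIniVersion "$policies\$($gpo.Name)\GPT.INI"
                if ($iniVer -ne $gpo.versionNumber) {
                    $report.VersionMismatch += "$($gpo.displayName): AD=$($gpo.versionNumber) GPT.INI=$iniVer"
                }
            }
        }
        [pscustomobject]$report
    }
}

Test-SysvolHealth | Format-List
```

A DC whose SYSVOL is unreachable, whose Engine differs from the others, or whose VersionMismatch list is non-empty is the one to look at first.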

 

Cloning Active Directory Domain Controllers


A new feature in Server 2012 allows domain controllers to be cloned to allow easy domain controller provisioning. We will demonstrate the main steps required to achieve this using PowerShell.

You need to meet a few prerequisites before actually cloning the domain controller:

  1. The PDC emulator FSMO role must be held on a Windows 2012 Domain Controller
  2. The server to be cloned must be running Windows Server 2012
  3. The Hypervisor must support DC cloning – (Hyper-V 3) (if the hypervisor is not supported for DC cloning, the DC will reboot into DSRM mode)
  4. You need to be a member of local administrators on the Hyper-V host
  5. To use the export / import feature on two different hyper-v servers make sure the virtual network switch is named the same
  6. You should not clone a VHD or restore a snapshot that is older than the tombstone lifetime value (or the deleted object lifetime value if Active Directory Recycle Bin is enabled). If you are copying a VHD of an existing domain controller, be sure the VHD file is not older than the tombstone lifetime value (by default, 60 days). You should not copy a VHD of a running domain controller to create clone media.

Follow these steps to clone your domain controller:

  1. Add the domain controller to be cloned to the Cloneable Domain Controllers Group


Add the computer to the group using the PowerShell cmdlet:

Add-ADGroupMember -Identity "CN=Cloneable Domain Controllers,CN=Users,DC=Labchild,DC=labdomain,DC=com" -Members "<DOMAIN CONTROLLER DN>"

2. Check the PDC role is running on a 2012 domain controller



3. Check the list of excluded applications / applications which are not supported for DC Cloning



4. If any applications were found, make sure you resolve these issues prior to cloning, then generate the excluded application XML file


5. Create the clone config file



6. From the Hyper-V host, stop the virtual machine to be cloned, then delete any snapshots from the machine


7. Export the VM now to a folder


8. The VM can now be imported either on the same Hyper-V host or another


9. Start the new VM


 

Account Locked Out Troubleshooting-EventCombMT



Introduction

You can use LOCKOUTSTATUS.EXE (a free Microsoft tool) to help you troubleshoot locked out accounts. This tool will help you find the DC (Domain Controller) name where that account is locked out.


Download the Account Lockout and Management Tools.

The Account Lockout and Management Tools contain a utility called EVENTCOMBMT.EXE. It has a built-in search for ACCOUNT LOCKED OUT events.

Using EventCombMT

EventCombMT's built-in searches use the Windows Server 2003 event IDs; you need to add the 2008 event ID if your DCs are 2008.

  • Windows Server 2008 logs event ID 4740 for a user account locked out
  • Windows Server 2003 logs event ID 644 for a user account locked out

Finding Locked Out Accounts using PowerShell

search-adaccount -u -l | ft name,lastlogondate -auto

Search the Windows Event Logs for the Lockout Event using PowerShell

#Windows 2008            
Get-EventLog -log Security | ? EventID -EQ 4740            
#Windows 2003            
Get-EventLog -log Security | ? EventID -EQ 644

Use repadmin to find the originating DC and the time of the lockout (the lockoutTime row below).

repadmin /showobjmeta <dc_name> "CN=test1,OU=win7,DC=Jaihanuman,DC=net"

32 entries.
Loc.USN Originating DSA Org.USN Org.Time/Date Ver Attribute
======= =============== ========= ============= === =========
45099 Default-First-Site-Name\TESTMAC01 45099 2013-11-26 12:26:00 1 objectClass
45099 Default-First-Site-Name\TESTMAC01 45099 2013-11-26 12:26:00 1 cn
45219 Default-First-Site-Name\TESTMAC01 45219 2013-11-27 13:44:00 2 description
45099 Default-First-Site-Name\TESTMAC01 45099 2013-11-26 12:26:00 1 givenName
45099 Default-First-Site-Name\TESTMAC01 45099 2013-11-26 12:26:00 1 instanceType
45099 Default-First-Site-Name\TESTMAC01 45099 2013-11-26 12:26:00 1 whenCreated
45099 Default-First-Site-Name\TESTMAC01 45099 2013-11-26 12:26:00 1 displayName
45099 Default-First-Site-Name\TESTMAC01 45099 2013-11-26 12:26:00 1 nTSecurityDescriptor
45099 Default-First-Site-Name\TESTMAC01 45099 2013-11-26 12:26:00 1 name
57741 Default-First-Site-Name\TESTMAC01 57741 2013-12-07 15:23:06 8 userAccountControl
45100 Default-First-Site-Name\TESTMAC01 45100 2013-11-26 12:26:00 1 codePage
45100 Default-First-Site-Name\TESTMAC01 45100 2013-11-26 12:26:00 1 countryCode
53312 Default-First-Site-Name\TESTMAC01 53312 2013-11-28 11:51:43 17 homeDirectory
57377 Default-First-Site-Name\TESTMAC01 57377 2013-11-28 12:00:38 16 homeDrive
57885 Default-First-Site-Name\TESTMAC01 57885 2013-12-17 13:22:47 3 dBCSPwd
45100 Default-First-Site-Name\TESTMAC01 45100 2013-11-26 12:26:00 1 logonHours
57885 Default-First-Site-Name\TESTMAC01 57885 2013-12-17 13:22:47 3 unicodePwd
57885 Default-First-Site-Name\TESTMAC01 57885 2013-12-17 13:22:47 3 ntPwdHistory
57885 Default-First-Site-Name\TESTMAC01 57885 2013-12-17 13:22:47 4 pwdLastSet
45100 Default-First-Site-Name\TESTMAC01 45100 2013-11-26 12:26:00 1 primaryGroupID
57886 Default-First-Site-Name\TESTMAC01 57886 2013-12-17 13:22:47 2 supplementalCredentials
45172 Default-First-Site-Name\TESTMAC01 45172 2013-11-27 10:05:21 8 profilePath
45099 Default-First-Site-Name\TESTMAC01 45099 2013-11-26 12:26:00 1 objectSid
45227 Default-First-Site-Name\TESTMAC01 45227 2013-11-27 13:56:43 6 comment
45100 Default-First-Site-Name\TESTMAC01 45100 2013-11-26 12:26:00 1 accountExpires
57885 Default-First-Site-Name\TESTMAC01 57885 2013-12-17 13:22:47 3 lmPwdHistory
45099 Default-First-Site-Name\TESTMAC01 45099 2013-11-26 12:26:00 1 sAMAccountName
45099 Default-First-Site-Name\TESTMAC01 45099 2013-11-26 12:26:00 1 sAMAccountType
45099 Default-First-Site-Name\TESTMAC01 45099 2013-11-26 12:26:00 1 userPrincipalName
 57915 Default-First-Site-Name\TESTMAC01 57915 2013-12-17 13:29:09 1 lockoutTime
45099 Default-First-Site-Name\TESTMAC01 45099 2013-11-26 12:26:00 1 objectCategory
57716 Default-First-Site-Name\TESTMAC01 57716 2013-12-07 09:57:44 1 mail
1 entries.
Type Attribute Last Mod Time Originating DSA Loc.USN Org.USN Ver
======= ============ ============= ================= ======= ======= ===
Distinguished Name
=============================
PRESENT manager 2013-11-27 13:15:04 Default-First-Site-Name\TESTMAC01 45203 45203 1
CN=test2,OU=win7,DC=Jaihanuman,DC=net

Unlock an Account using PowerShell.

Unlock-ADAccount -Identity biswajit

Audit Events for Disabled User Accounts

  • Event ID 629 for 2003
  • Event ID 4725 (629 + 4096) for 2008

Useful link
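One report that combines the lookups in this section, added here as an example and not code from the original post: the locked-out users from Search-ADAccount, the originating DC of the lockoutTime write (what repadmin /showobjmeta shows, read here with Get-ADReplicationAttributeMetadata), the caller computer recorded in event 4740 on the PDC emulator, and badPwdCount read from every DC because that attribute is not replicated. It assumes the RSAT ActiveDirectory module on a Server 2012 or later domain and rights to read the PDC's Security log; the 2003-era event 644 is not covered.

```powershell
# Added example (not from the original post): where did each lockout come from?
# Assumes RSAT ActiveDirectory (2012+ for the replication-metadata cmdlet) and
# permission to read the Security log on the PDC emulator.
Import-Module ActiveDirectory

function Get-EventDataField {
    # Read a named <Data> element from the event XML, so field order does not matter
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-LockoutReport {
    param([int]$Hours = 24)
    $pdc = (Get-ADDomain).PDCEmulator
    $dcs = Get-ADDomainController -Filter *

    # Same query as "search-adaccount -u -l" above, with lockoutTime added
    $locked = Search-ADAccount -LockedOut -UsersOnly | Get-ADUser -Properties lockoutTime

    # Every lockout is logged as 4740 on the PDC emulator, whichever DC saw it first
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
                  LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
              } -ErrorAction SilentlyContinue

    foreach ($user in $locked) {
        # Originating DC of the lockoutTime write, as in the repadmin output above
        $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
                    -Server $pdc -Properties lockoutTime

        # 4740 carries the "Caller Computer Name" in its TargetDomainName field
        $callers = foreach ($e in $events) {
            if ((Get-EventDataField $e 'TargetUserName') -eq $user.SamAccountName) {
                '{0} at {1}' -f (Get-EventDataField $e 'TargetDomainName'), $e.TimeCreated
            }
        }

        # badPwdCount is per DC: the DC with the high count is receiving the bad attempts
        $badCounts = foreach ($dc in $dcs) {
            $n = (Get-ADUser -Identity $user.DistinguishedName -Server $dc.HostName `
                      -Properties badPwdCount).badPwdCount
            "$($dc.Name)=$n"
        }

        [pscustomobject]@{
            User          = $user.SamAccountName
            LockedAt      = [DateTime]::FromFileTime($user.lockoutTime)
            OriginatingDC = $meta.LastOriginatingChangeDirectoryServerIdentity
            Callers       = ($callers -join '; ')
            BadPwdCount   = ($badCounts -join ' ')
        }
    }
}

Get-LockoutReport | Format-Table -AutoSize
```

Fix the caller (a stale saved credential, a service or a mapped drive on that computer) before unlocking the account with Unlock-ADAccount, otherwise it locks again immediately.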

Active Directory: DSQUERY Commands


DSQUERY commands to query AD objects:

1. How to find all members for a particular group.

dsget group "<DN of the group>" -members

1a. How to find all groups for a particular member (including nested groups)

dsget user "<DN of the user>" -memberof -expand
dsquery user -samid "username" | dsget user -memberof -expand

2. How to find memberOf, lastLogonTimestamp, homeMTA (mail server), sAMAccountName and so on (also repadmin /showattr <DCname> "<DN>")

dsquery * "<DN>" -scope base -attr lastlogontimestamp memberof

repadmin /showattr <DCNAME> "<DN>" /attrs:lastlogon,homemta,whencreated,lastlogontimestamp,samaccountname

3. How to modify user last name.

dsmod user <dn> -ln "<last name>"

4. How to find memberOf, lastLogonTimestamp, homeMTA (mail server), sAMAccountName and so on for "n" users

Create a batch file, e.g. ds.bat, containing this line:

for /f "eol= tokens=* delims= usebackq" %%x in (%1) do dsquery * %%x -scope base -attr sAMAccountName objectsid whencreated lastlogontimestamp mail homeMTA memberof

Create a text file with one user DN per line, e.g. dn.txt (quote any DN that contains spaces).

Open cmd and run: ds.bat dn.txt >> c:\attr.txt

5. How to find the DN for n computers

for /f %%x in (%1) do dsquery computer -name %%x

Create a batch file with this line and a text file, e.g. computer.txt, with one computer name per line.

Open cmd and run: batchfile computer.txt >> c:\dn.txt

6. Find Subnet with associated site.
dsquery subnet -name <CIDR> | dsget subnet

8. How to find disabled users
dsquery user "dc=ssig,dc=com" -disabled

dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"

9. How to find OS?
dsquery * <“DN”> -scope base -attr operatingSystem

10. How to find sites?

dsquery site -name * -limit 0

dsquery server -s <server> | dsget server -site

11. How to get tombstonelifetime ?

dsquery * "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com" -scope base -attr tombstonelifetime

13. How to find a user's mailbox store?

dsquery * -filter "samaccountname=biswajit" -attr homemdb

14. How to find the GCs?

DsQuery Server -domain contoso.com -isgc

15. How to find all the active users?

dsquery * -filter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))"

16. How to find users' logon names by their mail address, for bulk users?

For Single user

dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(mail=e-mailaddress))" -attr name

For bulk users

for /f %%x in (%1) do dsquery * domainroot -filter "(&(objectcategory=person)(objectclass=user)(mail=%%x))" -attr name

17. How to find Schema version?

dsquery * cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr objectVersion

or, the shortest command for finding the schema version:

schupgr
18. How to find Site name by server name ?

dsquery server -name test1 | dsget server -site

dsquery server -name (provide the server name for DN) | dsget server -site

19. How to find all groups a user is a member of, without the DNs?

dsquery user -samid anthony | dsget user -memberof | dsget group -samid

dsquery user -samid (provide the samaccount name of the user) | dsget user -memberof | dsget group -samid

20. How to find all groups of a computer account without giving the DNs?

dsquery computer -name test1 | dsget computer -memberof | dsget group -samid

21. How to find PDC role holder for the existing domain ?

dsquery server -hasfsmo PDC

22. How to find Infrastructure Master role holder existing domain ?

dsquery server -hasfsmo INFR

23. How to find RID master role holder for existing domain ?

dsquery server -hasfsmo RID

24. How to find Schema master role holder in a Forest ?

dsquery server -forest -hasfsmo Schema

25. How to find Domain Naming Master in a Forest ?

dsquery server -forest -hasfsmo Name

26. How to find if the Domain Controller is a Global Catalog (GC) or not ?

dsquery server -name test1 | dsget server -isgc

27. How to find subnet with associated site.

dsquery subnet -name 10.222.88.0/25 | dsget subnet

28. How to find SID of a user?

dsquery user -samid <bbiswas> | dsget user -sid
dsquery * -filter (samaccountname=santhosh) -attr objectSid

29. How to find the sIDHistory of a user?

dsquery * -filter (samaccountname=santhosh) -attr sIDHistory

30. How to find enabled computer accounts in an OU?

dsquery computer OU=Test,DC=sivarajan,DC=com -limit 5000 | dsget computer -dn -disabled | find /i " no"

31. How to count enabled computer accounts in an OU?

dsquery computer OU=Test,DC=sivarajan,DC=com -limit 5000 | dsget computer -dn -disabled | find /c /i " no"

32. How to find all users in an OU.

dsquery user ou=targetOU,dc=domain,dc=com

33. How to find all groups in an OU.

dsquery group ou=targetOU,dc=domain,dc=com

34. To get the members status from the active directory group

dsquery group -samid "Group Pre-Win2k Name" | dsget group -members | dsget user -disabled -display

35. Command to find all the subnets for the given site

dsquery subnet -o rdn -site <site name>

36. Command to find all DCs in the given site

dsquery server -o rdn -site <site name>

37. Command to find all DCs in the Forest

dsquery server -o rdn -forest

38. To list the distinguished names of all directory partitions in the current forest

dsquery partition

Below example for single domain

Below example for parent/child domain

39. To find all contacts in the organizational unit (OU)

dsquery contact OU=Sales,DC=Contoso,DC=Com

40. To list the relative distinguished names of all sites that are defined in the directory

dsquery site -limit 0

41. List of all users with primary group “Domain Users”

dsquery * -filter "(primaryGroupID=513)" -limit 0

(Change the primaryGroupID value as required; the well-known ones are listed below)

513:Domain Users
514:Domain Guests
515:Domain Computers
516:Domain Controllers

42. How to find all attributes for all users?

dsquery * -limit 0 -filter "(&(objectClass=user)(objectCategory=person))" -attr * >> output123.txt

43. Show how many times a wrong password has been entered for a user on a specified domain controller.

dsquery * -filter "(sAMAccountName=jsmith)" -s MyServer -attr givenName sn badPwdCount

The badPwdCount attribute is not replicated, so a different value is saved for each user on each domain controller.

44. Expired user accounts (the filter returns every account that has an expiry date set, whether or not it has passed).
dsquery * "dc=contoso,dc=com" -filter "(&(objectCategory=Person)(objectClass=User)(!accountExpires=0)(!accountExpires=9223372036854775807))" -attr sAMAccountname displayName

Fine-Grained Password Policy

45. How to find which PSO applies to a user

i)
dsget user <user DN> -effectivepso

Example:

C:\>dsget user "CN=bshwjt,OU=pso,DC=contoso,DC=com" -effectivepso
effectivepso
"CN=test,CN=Password Settings Container,CN=System,DC=contoso,DC=com"
dsget succeeded
("bshwjt" is the user and "test" is the PSO; also see the snap below)

ii) How to find the PSO settings
C:\>dsquery * "CN=<your pso name>,CN=Password Settings Container,CN=System,DC=contoso,DC=com" -scope base -attr *

46. Find out account expiry dates

dsquery user -name * -limit 0 | dsget user -samid -acctexpires

47. This example displays all attributes of the contoso.com domain object
dsquery * -filter (dc=contoso) -attr *

48. This complex example displays the names of all attributes (150) that Windows Server 2003 replicates to Global Catalog servers. (If the command displays no attributes, ensure that you typed TRUE in capital letters.)
dsquery * cn=Schema,cn=Configuration,dc=contoso,dc=com -filter "(&(objectCategory=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))" -limit 0 -attr name

49. How to get all sAMAccountNames?
dsquery user -limit 0 | dsget user -samid

50. The command displays the DNS host name, the site name, and whether the server is a Global Catalog (GC) server, for each domain controller
dsquery server | dsget server -dnsname -site -isgc

Get all the servers in the forest

dsquery server -forest -limit 0 | dsget server -dnsname -site -isgc

51. The dsget command displays properties of users or other objects. In this example, it displays the 6 groups that explicitly list the Administrator as a member

Note: The -memberof -expand combination recursively expands the list of groups of which the user is a member. In this example, the Users group is added to the list because Domain Users is a member of the Users group.
dsget user cn=Administrator,cn=Users,dc=contoso,dc=com -memberof

52. The output of the dsquery command can be used as input for the dsget command by using a pipe ( | ). In this example, the SAM account name and the security ID (SID) of each user are displayed.
dsquery user | dsget user -samid -sid -limit 0 >> c:\Allusers-samid-sid.txt

53. How to find RODC ?

dsquery server -isreadonly

Dsquery for Exchange Server

54. How to find the Schema Version for Exchange Servers.

dsquery * CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=domain,dc=local -scope base -attr rangeUpper

55. How to find lastLogonTimestamp for all users in a domain

dsquery * -filter "(&(objectCategory=person)(objectClass=user))" -attr cn lastLogonTimestamp -limit 0

56. Disable inactive (expired) user accounts

dsquery * <OU DN> -filter "(&(objectCategory=Person)(objectClass=User)(!accountExpires=0)(!accountExpires=9223372036854775807))" | dsmod user -disabled yes

57. AD DS service connection point objects

dsquery * forestroot -filter (objectclass=serviceconnectionpoint)


58. Find all Hyper-V hosts in your forest

C:\>dsquery * forestroot -filter "(&(cn=Microsoft Hyper-V)(objectCategory=serviceconnectionpoint))" -attr servicebindinginformation >> c:\hyper-v.txt

59. Find all Windows virtual machines in your forest

C:\>dsquery * forestroot -filter "(&(cn=windows virtual machine)(objectCategory=serviceconnectionpoint))" -limit 0 -attr * >> c:\allvirtualPCs.txt

 

60. Extract all groups from an OU with group scope and group type. Find the snap below for your reference.
C:\>dsquery group "ou=test,dc=gs,dc=com" -limit 0 | dsget group -samid -scope -secgrp


61. The example below lists the users in the OU "Customer Support" and pipes them to dsget, which can return detailed information about objects; here dsget outputs the sAMAccountName and e-mail address of every user. If we want to modify the users returned by dsquery, we can send the result to dsmod instead, which applies the change to all of them. The snap below shows the changed command, which forces every user returned by dsquery to change their password at next logon.

Another way to get the user attributes from an OU. Find the snap below and the dsquery for it.
C:\>dsquery * "ou=test,DC=contoso,DC=com" -filter "(&(objectcategory=person)(objectclass=user))" -limit 0 -attr samaccountname description department title

62. Retrieve the DN of all users in the domain that are not direct members of a specified group
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(!(memberOf=CN=Groupname,ou=West,dc=Contoso,dc=com)))" -limit 0 > NotInGroup.txt

63. How to open DSQUERY GUI Window
rundll32 dsquery,OpenQueryWindow

DNS application partitions
64. How to find the DNS servers from DomainDnsZones and ForestDnsZones

C:\>dsquery * DC=DomainDnsZones,DC=contoso,DC=com -scope base -attr msDs-masteredBy
C:\>dsquery * DC=ForestDnsZones,DC=contoso,DC=com -scope base -attr msDs-masteredBy

65. Finding the functional levels of Active Directory
dsquery * "DC=contoso,DC=com" -scope base -attr msDS-Behavior-Version ntMixedDomain

msDS-Behavior-Version, ntMixedDomain: domain functional level
0, 0  Windows 2000 Native
0, 1  Windows 2000 Mixed
2, 0  Windows 2003
3, 0  Windows 2008
4, 0  Windows 2008 R2
66. Find objects flagged for DES-only encryption (userAccountControl bit 2097152 = USE_DES_KEY_ONLY)

dsquery * -filter "(UserAccountControl:1.2.840.113556.1.4.803:=2097152)"
67. Find the DNS servers from all the DNS partitions.
 
dsquery * "CN=Configuration,DC=contoso,DC=com" -filter "(&(objectClass=crossRef)(objectCategory=crossRef)(systemFlags=5))" -attr NcName msDS-NC-Replica-Locations
Using LDAP filters

68. How to find particular user attributes using an LDAP filter?
C:\>dsquery * -filter (samaccountname=biz) -attr name whenchanged
name whenchanged
biz 01/03/2014 07:02:14

69. How to find all disabled users.

PS C:\> dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"
"CN=Guest,CN=Users,DC=Rocky,DC=com"
"CN=krbtgt,CN=Users,DC=Rocky,DC=com"

70. How to find whether forestprep, domainprep and rodcprep have been done?
C:\>dsquery * CN=ActiveDirectoryUpdate,CN=ForestUpdates,cn=configuration,dc=msft,dc=net -scope base -attr revision
revision
5
C:\>dsquery * CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,cn=configuration,dc=msft,dc=net -scope base -attr revision
revision
2

More on Active Directory: LDAP syntax filters
http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

For more switches see the link below.

http://technet.microsoft.com/en-us/library/cc732535.aspx

SYSVOL & NETLOGON


Question:

What is the difference in between SYSVOL and NETLOGON folders speaking of ACTIVE directory?

 


 


Answer:

In Active Directory there are two critical folders which are shared by each domain controller. These folders are SYSVOL and NETLOGON.

Now,

SYSVOL is used by domain clients (Windows 2000 and later versions) to apply GPOs (Group Policies). When you create a GPO on DC1, the GPO is put into this folder so that it can be replicated to the other domain controllers within your domain namespace.

NETLOGON is used by domain clients to obtain logon scripts. When you configure a logon script, the same script gets copied over the network by FRS to the other domain controllers.

Now, AD replication scope is forest-wide, while SYSVOL replication scope is domain-wide. Replication problems in AD can cause SYSVOL replication problems and an inconsistent SYSVOL, which will have a bad effect on your environment.

FRS uses the same connection objects and schedule (except for same-site partners) that Active Directory replication uses, so it is no wonder that when AD replication is having issues, SYSVOL replication is affected by the same problem. An AD replication topology problem could lead to SYSVOL replication failure.
