Active Directory Health Check

This post focuses on simple tasks we can perform to verify an Active Directory Domain Services (AD DS) installation. Successfully completing each verification task is a strong indication of a healthy, operational domain controller.

1. Verify Server IP maps to a subnet:

– Click on Start -> Administrative Tools -> Active Directory Sites and Services

– Expand the Sites container, and then click the Subnets container. In the right pane, you will notice no subnet object.

– We need to create one for the server subnet. Right-click the Subnets container -> New Subnet….

– Enter the IP subnet of the server with its prefix length and select Default-First-Site-Name. Use an online IP subnet calculator: enter the IP address and subnet mask to calculate the subnet address. For example, the IP address of the server is mask so the prefix will be /24. For reference, if the server IP was mask then the prefix would be /22.

– Click OK. Notice in the Site column (right pane) that the value corresponds to the site name in the left pane which has the domain controller as a member.

2. Verify presence of Active Directory child object:

– Click on Start -> Administrative Tools -> Active Directory Sites and Services

– Expand the Sites container -> Default-First-Site-Name -> Servers container, and then expand the server object. Verify that the child object “NTDS Settings” is present.

3. Check SYSVOL and Netlogon Shares:

Before we verify the SYSVOL and Netlogon shares, let's first check that the Netlogon and Distributed File System (DFS) Replication services have started properly.

– Click on Start -> Administrative Tools -> Services

– Ensure the following services are Started and set to Automatic: “DFS Replication” and “Netlogon”. If a service is stopped, click Restart.

– Next, to verify that the SYSVOL tree has the sysvol and scripts shared folders, click on Start -> Run, type CMD and press OK. Type the command “net share” without the quotes and press Enter. In the result, look for “C:\Windows\SYSVOL\sysvol (SYSVOL share)” and “C:\Windows\SYSVOL\sysvol\<domain>\SCRIPTS (NETLOGON share)”.

– We need to verify that the right permissions are set for SYSVOL replication. From the command prompt, type the command “dcdiag /test:netlogons” without the quotes and press Enter. In the result, look for the messages “passed test Connectivity” and “passed test NetLogons”. If either of these did not pass, there are steps you need to take to reapply the default SYSVOL security settings.

4. Verify DNS Registration and TCP/IP Connectivity:

– Open the command prompt, type the command “dcdiag /test:dns” without the quotes and press Enter. Wait for the test to complete; it takes some time depending on the environment.

– Scroll to the end of the result and verify the status. As you can see, all other checks passed except for Forwarder, the reason being that I did not set up a DNS forwarder. If a DNS forwarder is not configured, all queries are sent using the default root hints. In this case there was no internet access on this server for the test to query external DNS servers.

– I have enabled internet access on this server and run the command again. As you can see from the result, all tests passed. Please note that if you do not get a pass, you need to troubleshoot the problem or you’ll run into DNS issues later. Adding the switch /v will display more useful information.

5. Verify the Domain Computer Account for the New Domain Controller:

This test will simply verify if the domain controller computer account is registered properly and that the Service Principal Names (SPNs) are advertised.

– Open up the command prompt, type the following command without the quote “dcdiag /test:MachineAccount” and press enter. The result should show the following “<computername> passed test MachineAccount“. Adding the switch /v will display more useful information.

6. Verify the Availability of the Operations Masters:

This is the most important test and any failed result must be addressed immediately.

– Click on Start -> Run, type CMD and press OK or simply open the command prompt from Start -> All Programs -> Accessories. At the command prompt type the following command “dcdiag /s:<DomainControllerName> /test:knowsofroleholders /v” where <DomainControllerName> is the name of any existing domain controller in the domain. The verbose option provides a detailed list of the operations masters that were tested. Near the bottom of the screen, a message confirms that the test succeeded. If you use the verbose option, look carefully at the bottom part of the displayed output. The test confirmation message appears immediately after the list of operations masters.

– To ensure that the operations masters are functioning properly and available on the network, type the command “dcdiag /s:<DomainControllerName> /test:fsmocheck” and then press Enter. If you add the verbose switch /v, it provides a detailed list of the operations masters that were tested as well as other important servers, such as global catalog servers and time servers. In the test result at the bottom of your screen, a message confirms that the test succeeded.

Note: If these tests fail, do not attempt any additional steps until you have fixed the problem that prevents the location of the operations masters and can verify that they are functioning properly.
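The command-line checks from steps 3 to 6 can be run together and summarised. The PowerShell below is an added example, not part of the original post; it assumes it runs elevated on the domain controller itself and that net and dcdiag are on the path.

```powershell
# Added example: automate the checks from steps 3-6. Runs elevated on a
# domain controller; it reads state only and changes nothing.
$dc = $env:COMPUTERNAME

# Step 3a: DFS Replication (service name DFSR) and Netlogon must be Running and Automatic.
# StartType needs PowerShell 5 or later; on older hosts it is null and the check fails.
$serviceChecks = foreach ($name in 'DFSR', 'Netlogon') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = "Service $name"
        Passed = [bool]($svc -and $svc.Status -eq 'Running' -and $svc.StartType -eq 'Automatic')
        Detail = if ($svc) { "$($svc.Status), $($svc.StartType)" } else { 'service not found' }
    }
}

# Step 3b: both shares must exist. 'net share' prints one share per line, name first, then path.
$shareText = (net share) -join "`n"
$shareChecks = foreach ($share in 'SYSVOL', 'NETLOGON') {
    [pscustomobject]@{
        Check  = "Share $share"
        Passed = [bool]($shareText -match "(?im)^$share\s")
        Detail = if ($shareText -match "(?im)^$share\s+(\S+)") { $Matches[1] } else { 'not shared' }
    }
}

# Steps 3c-6: each dcdiag test ends with "<dc> passed test <Name>" or "<dc> failed test <Name>".
$dcdiagChecks = foreach ($test in 'NetLogons', 'DNS', 'MachineAccount', 'KnowsOfRoleHolders', 'FsmoCheck') {
    $out = (dcdiag "/s:$dc" "/test:$test" 2>&1 | Out-String)
    [pscustomobject]@{
        Check  = "dcdiag $test"
        Passed = ($out -match "passed test $test") -and ($out -notmatch 'failed test')
        # keep only the lines that explain a failure so the table stays readable
        Detail = (($out -split "`r?`n") -match 'failed test|Warning:|Error:') -join ' | '
    }
}

$results = @($serviceChecks) + @($shareChecks) + @($dcdiagChecks)
$results | Format-Table Check, Passed, Detail -AutoSize -Wrap

# Step 6 is the gate: stop here until every check, especially the operations-master ones, passes.
if ($results.Passed -contains $false) {
    Write-Warning 'One or more checks failed; fix them before making further changes to this DC.'
}
```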

Allow standard user to change system date and time: how to change the system date and time without admin privilege

Hey friends, in this post we will discuss setting up permissions for a standard user to change the system date and time in Windows.
Let's see how we can do that.

Log in to your computer as an administrator. Type secpol.msc in Run and hit Enter to open Local Security Policy. Click Continue if UAC prompts…

Expand Local Policies > User Rights Assignment; in the right pane, double-click Change the system time to edit it.

By default, Administrators and LOCAL SERVICE have the permission. To add a standard user or a group, click Add User or Group (marked as 1). Then click Object Types at the top right. Put a check mark on Groups if you want to add a group (marked as 2).

Type Users and click Check Names (marked as 3). Once the group name is resolved, click OK in all open windows to accept the change. You can even add a single user name if you don’t want to add the whole user group.

That’s it. Now log in as a standard user, and you will be able to change the system date and time.

You can even manage this security policy through GPO if you are inside a domain network. You need to edit your GPO as below.

Hope this will help you…
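To verify the change, and to keep a record of who can alter the clock on a host (timestamps in that machine's logs depend on it), the following PowerShell lists the current holders of the right. It is an added example, not from the original post; it assumes an elevated session and uses secedit's export file format.

```powershell
# Added example: list who holds "Change the system time" (SeSystemtimePrivilege)
# on this machine. Run elevated; the export is written to %TEMP% and removed.
$inf = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The export is INI-style; under [Privilege Rights] the line looks like
#   SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
# where a leading * marks a SID and a bare value is an account name.
$line = Get-Content $inf | Where-Object { $_ -match '^SeSystemtimePrivilege\s*=' } | Select-Object -First 1
Remove-Item $inf -ErrorAction SilentlyContinue
if (-not $line) { throw 'SeSystemtimePrivilege not found in the export; was secedit run elevated?' }

$holders = foreach ($entry in ($line -split '=', 2)[1].Trim() -split ',') {
    $value = $entry.Trim()
    if ($value.StartsWith('*')) {
        $sid = $value.TrimStart('*')
        try {
            # Resolve the SID to an account name; a deleted account leaves an unresolvable SID.
            $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { $name = "$sid (unresolved)" }
    } else { $sid = ''; $name = $value }
    [pscustomobject]@{ Right = 'SeSystemtimePrivilege'; Holder = $name; Sid = $sid }
}

$holders | Format-Table -AutoSize

# The case this post enables: BUILTIN\Users (S-1-5-32-545) or Everyone (S-1-1-0) holding the right.
if ($holders.Sid -contains 'S-1-5-32-545' -or $holders.Sid -contains 'S-1-1-0') {
    Write-Warning 'Standard users can change the clock on this host; its local log timestamps are only as trustworthy as those users.'
}
```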

Run psexec.exe for a list of computers stored in a text file

PsExec.exe is a nice, handy command-line utility from Microsoft through which we can run commands on remote computers.

Consider a situation when you need to run a specific command or a set of commands on a number of computers remotely from your own computer across your LAN.

The script described in this post will fetch computer names from a text file and run commands remotely with the PsExec.exe command-line utility…

Let’s say that you need to renew the IP address on many computers across your LAN.

First, download PsTools, extract the zip file and paste all the files into the C:\Windows\System32\ folder.

Then copy the command lines below, paste them into a text file and rename it to iprenew.cmd:

for /f %%a in (c:\users\delphin\desktop\list.txt) do (
    psexec \\%%a ipconfig /renew
)

Replace “delphin” with your login profile name, and make a text file with the list of computer names or IP addresses (one computer name per line).

That’s it. Double-click the iprenew.cmd file to run it from your computer. It will take the computer names from the text file and run the ipconfig /renew command on each of those computers.

Hope this helps..
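When the list is long it helps to know which hosts were skipped or returned an error. The PowerShell below is an added example, not from the original post, that does the same job as iprenew.cmd with a per-host result file; it assumes PsExec.exe is on the PATH and reuses the post's list path, which you should change to your own.

```powershell
# Added example: the same job as iprenew.cmd, but skipping hosts that do not
# answer and recording PsExec's exit code per host. Assumes PsExec.exe is on
# the PATH; the list path below is the post's and should be changed to yours.
$list    = 'C:\users\delphin\desktop\list.txt'
$logFile = Join-Path $env:TEMP 'iprenew-results.csv'

$results = Get-Content $list | Where-Object { $_.Trim() } | ForEach-Object {
    $target = $_.Trim()

    # One ICMP probe first; hosts that block ping will be reported as unreachable,
    # so drop this check if that is the case on your network.
    if (-not (Test-Connection -ComputerName $target -Count 1 -Quiet)) {
        [pscustomobject]@{ Computer = $target; ExitCode = $null; Status = 'unreachable' }
        return   # inside ForEach-Object, return moves on to the next item
    }

    # -accepteula stops the first-run licence prompt from stalling an unattended run.
    psexec -accepteula "\\$target" ipconfig /renew 2>&1 | Out-Null
    [pscustomobject]@{
        Computer = $target
        ExitCode = $LASTEXITCODE
        Status   = if ($LASTEXITCODE -eq 0) { 'ok' } else { 'failed' }
    }
}

$results | Export-Csv -Path $logFile -NoTypeInformation
$results | Format-Table -AutoSize
Write-Host "Per-host results written to $logFile"
```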

replication status using Repadmin and PowerShell

Whenever I want to view the replication status in my domain, I use repadmin /replsum, which queries all of the DCs and gives me a summary of the replication links status per DC, which looks a little like this:

If I wanted to get detailed information, I’d use repadmin /showrepl * which would print some information for every replication link:

Since I have more than two DCs in some environments, looking at all of the information is quite a long read and I usually avoid using this option unless I have to.
Recently, I discovered a nifty trick.
repadmin /showrepl has a csv option, which isn’t exciting by itself:

repadmin /showrepl * /csv

However, combined with PowerShell’s ConvertFrom-Csv, I could convert the link status rows into objects and filter them within PowerShell:

repadmin /showrepl * /csv | ConvertFrom-Csv

Now, for example, if I wanted to view all links that had replication errors, I could use

repadmin /showrepl * /csv | ConvertFrom-Csv | ?{$_.'Number Of Failures'}

And I can even display all of the links in GridView, for ease of use:

repadmin /showrepl * /csv | ConvertFrom-Csv | ogv
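The filtering above can be tried offline and taken a step further. The PowerShell below is an added example, not from the original post: the CSV rows are constructed (hosts, naming contexts and dates are made up) and only follow the column layout of repadmin /showrepl * /csv; on a real DC the commented line replaces the sample.

```powershell
# Added example: filter repadmin's CSV output in PowerShell. The sample rows
# below are constructed; the column names follow repadmin /showrepl * /csv.
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC1,"DC=example,DC=local",Default-First-Site-Name,DC2,RPC,0,0,2024-01-10 08:00:00,0
showrepl_INFO,Default-First-Site-Name,DC1,"CN=Configuration,DC=example,DC=local",Branch,DC3,RPC,12,2024-01-10 07:45:00,2024-01-05 09:00:00,1722
showrepl_INFO,Branch,DC3,"DC=example,DC=local",Default-First-Site-Name,DC1,RPC,3,2024-01-10 07:50:00,2024-01-09 23:10:00,8524
showrepl_INFO,Branch,DC3,"CN=Configuration,DC=example,DC=local",Default-First-Site-Name,DC1,RPC,0,0,2024-01-10 08:05:00,0
'@
$rows = $sample | ConvertFrom-Csv
# On a real domain controller use this instead of the sample:
# $rows = repadmin /showrepl * /csv | ConvertFrom-Csv

# ConvertFrom-Csv yields strings, and in PowerShell the string "0" is true,
# so cast to [int] before testing rather than relying on truthiness.
$failing = $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                  @{ Name = 'Failures'; Expression = { [int]$_.'Number of Failures' } },
                  'Last Success Time', 'Last Failure Status'

$failing | Sort-Object Failures -Descending | Format-Table -AutoSize

# Group the failing links by source DC: one source behind many failures
# usually points at that DC or the path to it rather than at the destinations.
$failing | Group-Object 'Source DSA' |
    Select-Object @{ Name = 'Source DSA'; Expression = 'Name' }, Count |
    Format-Table -AutoSize
```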


Active Directory CMD

List FSMO Roles
netdom query fsmo
List DCs in current domain
nltest /dclist:%userdnsdomain%
Domain Controller IP Configuration
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do psexec \\%i ipconfig /all
Garbage Collection and tombstone
dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,DC=forestRootDomain" -attr garbageCollPeriod tombstoneLifetime
List Service Principal Names
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do setspn -L %i
Compare DC Replica Object Count
dsastat -s:DC1;DC2;… -b:Domain -gcattrs:objectclass -p:999
Check AD ACLs
acldiag dc=domainTree
NTFRS Replica Sets
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do ntfrsutl sets %i
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do ntfrsutl ds %i
Domain Controllers per site
dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -filter (objectCategory=Server)
Stale computer accounts
dsquery computer domainroot -stalepwd 180 -limit 0
Stale user accounts
dsquery user domainroot -stalepwd 180 -limit 0
Disabled user accounts
dsquery user domainroot -disabled -limit 0
AD Database disk usage
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do dir \\%i\admin$\ntds
Global Catalog Servers from DNS
dnscmd %logonserver% /enumrecords %userdnsdomain% _tcp | find /i "3268"
Global Catalog Servers from AD
dsquery * "CN=Configuration,DC=forestRootDomain" -filter "(&(objectCategory=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))"
AD dump all computers
dsquery computer -limit 0
AD dump all users
dsquery user -limit 0
AD Subnet and Site Information
dsquery * "CN=Subnets,CN=Sites,CN=Configuration,DC=forestRootDomain" -attr cn siteObject description location
AD Site Information
dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -attr cn description location -filter (objectClass=site)
Printer Queue Objects in AD
dsquery * domainroot -filter "(objectCategory=printQueue)" -limit 0
Site Links and Cost
dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -attr cn cost description replInterval siteList -filter (objectClass=siteLink)
Domain Controller Diagnostics
dcdiag /s:%logonserver% /v /e /c
Replication Failures from KCC
repadmin /failcache
Inter-site Topology servers per site
repadmin /istg * /verbose
Replication latency
repadmin /latency /verbose
Queued replication requests
repadmin /queue *
Show connections for a DC
repadmin /showconn *
Replication summary
repadmin /replsummary
Show replication partners
repadmin /showrepl * /all
All DCs in the forest
repadmin /viewlist *
Lookup SRV records from DNS
nslookup -type=srv <SRV record name>
Find when AD was installed
dsquery * cn=configuration,DC=forestRootDomain -attr whencreated -scope base
Enumerate the trusts from the specified domain
dsquery * "CN=System,DC=domainRoot" -filter "(objectClass=trustedDomain)" -attr trustPartner flatName
Find a DC for each trusted domain
for /f "skip=1" %i in ('"dsquery * CN=System,DC=domainRoot -filter (objectClass=trustedDomain) -attr trustPartner"') do nltest /dsgetdc:%i
DC Netlogon reg values
for /f %i in ('dsquery server -o rdn') do echo %i & reg query \\%i\hklm\system\currentcontrolset\services\netlogon\parameters

Find error message

FIND /I "error" "%SYSTEMROOT%\security\logs\*"

UNIX OS Flavors

The following are some of the well-known Unix flavors, with links to their official home pages.

BSD/OS (BSDi) – Wind River
CLIX – Intergraph Corp.
Debian GNU/Linux – Software in the Public Interest, Inc.
Tru64 Unix (formerly Digital Unix) – Compaq Computer Corp.
DYNIX/ptx – IBM (formerly by Sequent Computer Systems)
Esix Unix – Esix Systems
FreeBSD – FreeBSD Group
GNU Hurd – GNU Organization
HAL SPARC64/OS – HAL Computer Systems, Inc.
HP-UX – Hewlett-Packard Company
Irix – Silicon Graphics, Inc.
Linux – several groups
LynxOS – Lynx Real-Time Systems, Inc.
MacOS X Server – Apple Computer, Inc.
NetBSD – NetBSD Group
NonStop-UX – Compaq Computer Corporation
OpenBSD – OpenBSD Group
OpenLinux – Caldera Systems, Inc.
Openstep – Apple Computer, Inc.
Red Hat Linux – Red Hat Software, Inc.
Reliant Unix – Siemens AG
SCO Unix – The Santa Cruz Operation Inc.
Solaris – Sun Microsystems (now ORACLE)
SuSE – S.u.S.E., Inc.
UNICOS – Silicon Graphics, Inc.
UTS – UTS Global, LLC
