Discover FSMO Roles with PowerShell

With PowerShell the defacto standard for Windows management I’ve started digging into it a little more as I need to.  Recently I had to use PS to seize the FSMO roles from a failed DC.  Now in my lab I only had two DCs, DC01 and DC02.  DC01 was the first and therefore held the FSMO roles and I didn’t need to do anything to figure out where they were.

But in a larger environment you may need to run the following commands to determine where the roles are held.  There are two commands we need to use, Get-ADForest for the Schema Master and Domain Naming Master roles and Get-ADDomain for the PDC Emulator, RID Master and Infrastructure Master roles.

Now you could look the role holders up in your documentation (you have documented this right?) but it might be quicker to fire up PowerShell and run the following commands:

Get-ADForest <domain_name> | Format-Table SchemaMaster,DomainNamingMaster

Get-ADDomain | Format-Table PDCEmulator,RIDMaster,InfrastructureMaster

That is all there is to it. The roles will be listed in a nice formatted table.  Now if you are wondering why I piped the output to Format-Table it was simply so I could limit the results to the information I was looking for.

Active Directory Database Maintenance

In an article titled Active Directory Database Maintenance I wrote on how you could use Ntdsutil to defrag your AD database. Well Ntdsutil doesn’t always do the trick.

You may receive one of a number of errors including

Operation failed because the database was inconsistent,

Initialize jet database failed; cannot access file, or

Error while performing soft recovery.

In situations like this we can use another utility, Esentutl, to repair the database. Esentutl is an Exchange tool but is also installed with the support tools. You must be in Directory Services Restore mode to perform any of these operations. From a command prompt run:

esentutl /g “C:WindowsNTDSntds.dit”

After pressing enter, Esentutl will run an integrity check on the database. Once complete run this command to repair the database:

esentutl /p “C:WindowsNTDSntds.dit”

After you have repaired the database delete all the database log files (*.log) and restart the DC.

For more information see:
Article ID: 816120

Typical Symptoms when secure channel is broken

How to create a fake virus for testing anti-virus software installations.

The European Institute of Computer Anti-Virus Research, EICAR, center developed a standard to help users test anti-virus software.  This standard has been incorporated into most anti-virus software as the virus.

Note: This a harmless file.  IT IS NOT A VIRUS!   Most anti-virus packages recognize this text file as a virus for testing only.

To create the EICAR Standard Anti-Virus Test File, do the following:

  1. Highlight and copy the following line of code:


  2. Open any ASCII text editor (Notepad or DOS editor) and paste the copied code into the editor.
  3. Save the file as EICAR.COM.
  4. Save the file and scan it on the test machine or e-mail the file to the test machine.
  5. Delete the file when done testing.

The Security Database on the Server Does Not Have a Computer Account for This Workstation Trust Relationship

Problem:  Rebooted domain member Server or Windows 7 PC and receive error “The security database on the server does not have a computer account for this workstation trust relationship” when trying to logon.

Cause: This is usually caused by having a mixed Active Directory Server environment with 2003 domains & member Server 2008 servers & Windows 7 PCs on a Server 2003 domain.


  1. Unplug the network cables on the Server/PC that is inaccessible..
  2. Login on to the Server/PC that is inaccessible with an account that has Administrator privileges.
  3. Plug the server network cable back in while logged on.
  4. Change the domain name from FQDN (xyz123.local ) to the short name (xyz123).
  5. Reboot the server and log back in as the domain user and all should be fine.
%d bloggers like this: