AD link

AD PowerShell Basics 3: Set-ADUser


Terminal Server has exceeded max number of connections

When a user establishes a Remote Desktop connection to the server this connection will remain active until the user selects “Log Off” from the Start Menu. As such, if a user simply closes the remote desktop window when they’re finished with the server, that username will remain logged on.

The software running on the server to facilitate the Remote Desktop connection will allow for up to two simultaneous administrative sessions.

If a third attempt is made to log in to the server, the error discussed here will be shown to the user, and they will be unable to complete the login process.

To get around this error and log into the server, you can log into a special session called the Console Session and log out the other connections from there.

To do this, type the following in Start -> Run or at a Command Prompt:

mstsc /v:<ServerIP> /admin or mstsc /v:<ServerIP> /console

Replace <ServerIP> with your server’s IP address.

Alternatively you may also modify the Remote Desktop Shortcut by going to:
For Windows Vista/7:

Click Start, type Remote Desktop. Right Click the shortcut, click Properties.

In the target field paste the following command:

%systemroot%\system32\mstsc.exe /admin

For Windows XP:

Click Start, go to All Programs > Accessories > Communications, right-click Remote Desktop Connection and click Properties.

In the target field paste the following command:

%systemroot%\system32\mstsc.exe /admin

Click OK to save the change.

Now type in the IP of your server and you should be able to login via the Console.

Log off the remote Terminal server session

query session /server:RZ2ADM002


reset session 2 /server:fk-apps-01 /V

Here 2 is the session ID and fk-apps-01 is the server name.
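The two commands above can be chained safely by parsing the `query session` output first. The following is an added example, not part of the original notes: the function names and the sample output (users alice and bob) are constructed for illustration. It only prints the `reset session` commands for disconnected user sessions and never touches the services, console or listener entries.

```powershell
# Constructed sample of `query session /server:fk-apps-01` output (not from a real host).
$sample = @'
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console                                     1  Conn
 rdp-tcp#0         alice                     2  Active
                   bob                       3  Disc
 rdp-tcp                                 65536  Listen
'@

# Hypothetical helper: turn the text table into objects.
# A disconnected session has an empty SESSIONNAME column, so the name and the
# user are both optional in the pattern; the numeric ID anchors each row.
function ConvertFrom-QuerySession {
    param([string[]]$Line)
    $rx = '^[ >](?<name>\S*)\s+(?:(?<user>\S+)\s+)?(?<id>\d+)\s+(?<state>\S+)'
    foreach ($l in ($Line | Select-Object -Skip 1)) {   # skip the header row
        if ($l -match $rx) {
            [pscustomobject]@{
                SessionName = $Matches['name']
                UserName    = $Matches['user']
                Id          = [int]$Matches['id']
                State       = $Matches['state']
            }
        }
    }
}

# Hypothetical helper: build (not run) a reset command for every
# disconnected session that belongs to a user.
function Get-ResetCommand {
    param([string]$Server, [string]$Text)
    ConvertFrom-QuerySession -Line ($Text -split "\r?\n") |
        Where-Object { $_.State -eq 'Disc' -and $_.UserName } |
        ForEach-Object { "reset session $($_.Id) /server:$Server /V" }
}

Get-ResetCommand -Server 'fk-apps-01' -Text $sample
```

Against a live server, pass `(query session /server:fk-apps-01 | Out-String)` as `-Text` and review the printed commands before running any of them.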

Connect Two Group Policy Objects in Active Directory and Compare Them Offline


Hey, Scripting Guy! How Can I Connect Two Group Policy Objects in Active Directory and Compare Them Offline? (Part 1)



Common Active Directory Troubleshooting Commands

DCDiag /c /v /e /fix /f:c:\DCDIAG.Log
Run a comprehensive test against all DCs in the forest with verbose logging

  • /c: Performs a comprehensive suite of tests.
  • /v: Provides verbose logging displaying additional information on what is being tested and the result.
  • /fix: Fixes any unregistered DC SPNs.
  • /a: Test all DCs in the site.
  • /e: Tests ALL the DCs in the enterprise. Use with caution.
  • /ReplSource:<SourceDomainController>: test connection between this DC and another.

DCDiag Replication Related tests:

  • CutOffServers
  • Intersite
  • MachineAccount
  • NCSecDesc
  • Netlogon
  • ObjectsReplicated
  • VerifyEnterpriseReferences
  • VerifyReplicas

NLTest /sc_query:DNSDomainName

Check Secure Channel

NLTest /sc_verify:DNSDomainName

Verifies Secure Channel

NLTest /dsgetsite

Check computer site (also checks secure channel)

Klist -li 0x3e7

List Kerberos tickets for machine account


Shows replication rpc ports


Run against port 135 to see mapped RPC ports.

Repadmin /SyncAll /A /e /P
Force a full forest replication synchronization of all partitions “pushing” changes out from the DC the command is run on.

Repadmin /options *

Check to see if any DC is misconfigured (Options)

Repadmin /replsummary

Forest wide replication health check

Repadmin /kcc *

Forces KCC to run on all DCs

Repadmin /kcc /site:SITENAME

Forces KCC to run on all DCs in specified site

repadmin /removelingeringobjects ServerName ServerGUID DirectoryPartition /advisory_mode

Repadmin /bind

Check RPC connectivity

NOTE: If LinkValueReplication=NO, then it’s Windows 2000 Forest Functional Mode.

Repadmin /queue <DCNAME>

See replication queue, or use the perf counter: NTDS_DRA Pending Replication Synchronizations

Repadmin /showreps

Repadmin /showrepl /v

Information about replication partners – shows NEVER replicated DCs

Repadmin /showutdvec

Information about NC Up-to-dateness Vector

Repadmin /showconn

Information about connection objects

Repadmin /showsig

Shows InvocationID & Retired InvIDs


Repadmin /siteoptions SERVERNAME /site:SITENAME +Win2k3_Bridges_Required

When BASL is disabled, this site option configures Intersite Messaging to develop the intersite cost matrix useful for DFS.

Repadmin /showobjmeta

See AD object history

  • Legacy shows groups existing before Win2k3 Forest Functional Level
  • Present shows groups created/modified (group members removed/added) after Win2k3 Forest Functional Level
  • Recycle Bin deleted objects show here as Present but with DEL:GUID
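For routine health checks, the `Repadmin /showrepl` output listed above is easier to triage in its CSV form (`repadmin /showrepl * /csv`, a standard repadmin switch that is not mentioned in the original notes). The following is an added example, not part of the original notes: the function name, the DC names, the `example.test` domain and the sample rows are constructed.

```powershell
# Constructed sample of `repadmin /showrepl * /csv` output (not from a real forest).
$csv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC01,"DC=example,DC=test",HQ,DC02,RPC,0,0,2024-05-01 09:58:12,0
showrepl_INFO,HQ,DC01,"DC=example,DC=test",Branch,DC03,RPC,14,2024-05-01 09:45:03,2024-04-28 02:11:40,1722
showrepl_INFO,Branch,DC03,"CN=Configuration,DC=example,DC=test",HQ,DC01,RPC,0,0,2024-04-29 07:51:27,0
'@

# Hypothetical helper: report every inbound link that is failing or whose
# last successful replication is older than the allowed age.
function Get-ReplicationProblem {
    param(
        [string]$CsvText,
        [datetime]$Now = (Get-Date),
        [int]$MaxAgeHours = 24
    )
    ($CsvText -split "\r?\n") | ConvertFrom-Csv |
        Where-Object { $_.showrepl_COLUMNS -eq 'showrepl_INFO' } |
        ForEach-Object {
            $last = [datetime]::MinValue
            # A value that does not parse as a date is treated as "never replicated".
            $parsed = [datetime]::TryParse($_.'Last Success Time', [ref]$last)
            $ageHours = if ($parsed) { ($Now - $last).TotalHours } else { [double]::PositiveInfinity }
            $failures = [int]$_.'Number of Failures'
            if ($failures -gt 0 -or $ageHours -gt $MaxAgeHours) {
                [pscustomobject]@{
                    Destination = $_.'Destination DSA'
                    Source      = $_.'Source DSA'
                    Context     = $_.'Naming Context'
                    Failures    = $failures
                    LastStatus  = $_.'Last Failure Status'
                    AgeHours    = [math]::Round($ageHours, 1)
                }
            }
        }
}

# Fixed "now" so the constructed sample gives a stable result.
Get-ReplicationProblem -CsvText $csv -Now ([datetime]'2024-05-01 10:00:00')
```

The third sample row has no recorded failures but is still reported because its last success is more than 24 hours old, which a check on the failure count alone would miss.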

Ipconfig /all

Ping ##.##.##.##

Nslookup ######.###


DNSLint (KB 321045)

Active Directory Common Ports Used:

53 DNS
88 Kerberos
123 SNTP
135 RPC Endpoint Mapper
137 NetBIOS
138 NetBIOS
139 NetBIOS
389 LDAP
445 SMB
464 Kerberos Change Password
636 LDAP (SSL)
3268 Global Catalog
3269 Global Catalog (SSL)
5985 WinRM
9389 ADWS (AD PowerShell)

Windows Server 2008 (and newer) DCs use IANA RPC port range: 49152 – 65535

DC promotion via PowerShell (Server 2012)

# Promote this server to the first domain controller of a new forest.
# -DomainName is empty in the original notes; supply the forest root FQDN before running.
Import-Module ADDSDeployment
Install-ADDSForest `
-CreateDNSDelegation:$False `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "Win2012" `
-DomainName "" `
-DomainNetbiosName "test" `
-ForestMode "Win2012" `
-InstallDNS:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-Sysvolpath "C:\Windows\SYSVOL"


How to Refresh AD Groups Membership Without User Logoff

In some cases a system reboot or user logoff is impossible for production reasons, yet you need to use the new rights or access, or apply new policies, right now. It is possible to update the membership of an account in Active Directory groups without a computer restart or user re-login.

Note. The method described in this article will work only for network services supporting Kerberos authentication. The services working only with NTLM authentication still require logoff and logon of a user or Windows restart.

You can get the list of groups the current user is a member of in the command prompt using the following command:

whoami /groups

or GPResult

gpresult /r


The list of groups a user is a member of is displayed in the section “The user is a part of the following security groups”.

Kerberos tickets can be reset without restarting the computer using klist.exe. Klist has been included in Windows since Windows 7. For XP and Windows Server 2003 it is installed as a part of Windows Server 2003 Resource Kit Tools.

To reset the whole cache of Kerberos tickets on a computer (a local system) and update the computer membership in AD groups, run the following command in the command prompt with administrator privileges:

klist -lh 0 -li 0x3e7 purge


Note. 0x3e7 is a special identifier showing the session of the local computer (Local System).

After running the command and updating the policies, all policies assigned to the AD group using Security Filtering will be applied to the computer.

As for the user: suppose that the user’s domain account has been added to an Active Directory group to access a file share. Without re-login, the user won’t be able to access it.

Reset all Kerberos tickets of the user with this command:

klist purge

To see the updated list of groups, open a new command prompt window using runas so that a new process is created with a new security token.

For example, an AD group has been assigned to a user to access a network share. Try to access it using its FQDN (e.g., \\lon-fs1.woshub.loc\Install) and make sure that the TGT ticket has been updated:

klist tgt

The network share accessed through the AD group will open without user re-login (note: you must use the FQDN).
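To see which group changes have not yet reached the current logon token (the reason a purge or a new runas process is needed), the token can be compared with the directory's own view. The following is an added example, not part of the original article. It assumes a domain-joined machine and a domain user in the same domain, and it only considers groups from the user's own domain.

```powershell
# Added example: diff the current process token against AD's tokenGroups.
$me        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($me.Groups | ForEach-Object { $_.Value })

# Bind to the user's own AD object by SID. tokenGroups is a constructed
# attribute, so it must be requested explicitly with RefreshCache().
$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://<SID=$($me.User.Value)>")
$entry.psbase.RefreshCache([string[]]@('tokenGroups'))
$dirSids = @(foreach ($bytes in $entry.psbase.Properties['tokenGroups']) {
    (New-Object System.Security.Principal.SecurityIdentifier([byte[]]$bytes, 0)).Value
})

# Keep only SIDs issued by the user's own domain, so local, built-in and
# well-known SIDs in the token do not show up as false differences.
$prefix  = "$($me.User.AccountDomainSid.Value)-"
$inDir   = @($dirSids   | Where-Object { $_.StartsWith($prefix) })
$inToken = @($tokenSids | Where-Object { $_.StartsWith($prefix) })

# Hypothetical helper: resolve a SID string to a name where possible.
function Resolve-SidName {
    param([string]$Sid)
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch { '(unresolved)' }
}

$report = @(
    $inDir | Where-Object { $inToken -notcontains $_ } | ForEach-Object {
        [pscustomobject]@{ Group = Resolve-SidName $_; Sid = $_; Status = 'In AD, not in this token' }
    }
    $inToken | Where-Object { $inDir -notcontains $_ } | ForEach-Object {
        [pscustomobject]@{ Group = Resolve-SidName $_; Sid = $_; Status = 'Removed in AD, still in this token' }
    }
)
$report | Format-Table -AutoSize
```

The second status is the one to watch during access revocation: a membership removed in AD stays effective for that session until its token and tickets are refreshed.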
