Check For Morphed Folders In An Active Directory Forest

  • Get the list of domain controllers in the forest. To do this, run the following command (dsquery server takes -o rdn for the output format; the original -r rdn is a typo):
      dsquery server -forest -o rdn > C:\DCList.txt
  • The DC list is stored in DCList.txt. Feed this file to the FOR command as shown below (%~L strips the quotes dsquery puts around each name):
      FOR /F "Tokens=*" %L IN (C:\DCList.txt) DO DIR /s \\%~L\SYSVOL | Find /i "_NTFRS" >> C:\Result.TXT

The above FOR command runs against each DC listed in DCList.txt and looks for folders whose name contains _NTFRS in that DC's SYSVOL share. Every match is written out as the folder's name, and the combined results for all DCs end up in C:\Result.txt.


To find the Morphed Folders using Powershell

Get-ChildItem "\\<domain FQDN>\SYSVOL\<domain FQDN>\Policies" -Recurse | Where-Object { $_.Name -match 'ntfrs' }

Enable Telnet feature using DISM

@echo off

dism.exe /online /enable-feature:telnetclient /quiet /norestart

How to connect domain partitions

Powershell via DC promotion

Import-Module ADDSDeployment
Install-ADDSDomainController `
    -ADPrepCredential (Get-Credential) `
    -NoGlobalCatalog:$false `
    -CreateDnsDelegation:$false `
    -CriticalReplicationOnly:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -DomainName "TEST.COM" `
    -InstallDns:$true `
    -LogPath "C:\Windows\NTDS" `
    -NoRebootOnCompletion:$false `
    -SiteName "CloudSite" `
    -SysvolPath "C:\Windows\SYSVOL"

How to view and export Active Directory Delegated Permissions?

How to view and export AD delegated permissions assigned to an OU?

Let's check which permissions have been delegated on an OU.

View delegate permissions assigned to OU

1. Open Active Directory Users and Computers (ADUC), click the View menu and check Advanced Features.

2. Locate the specific OU, right-click it and choose Properties.

3. Click the Security tab, then click Advanced. All permissions, including the delegated ones, are listed there.

Export all permission assigned on specific OU to a text file

We can also use the dsacls tool to export the full security ACL of a specific OU to a text file.

Open a command prompt on the DC and run dsacls "<distinguished name of the OU>" > C:\acl.txt

Syntax example:

dsacls "ou=Marketing,dc=seneej,dc=com" > C:\acl.txt

The dsacls tool is used to view and edit the security ACL of AD objects.
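The dsacls dump lists every ACE, inherited or not, with raw GUIDs. As an added example (not from the original post), the following PowerShell script exports only the explicit, non-inherited ACEs on an OU and resolves the object-type GUIDs to attribute, class and extended-right names, which is what you actually want to review when auditing delegations; the OU distinguished name and output path are placeholders, and the RSAT ActiveDirectory module is assumed.

```powershell
# Added example: export the explicit (non-inherited) delegations on an OU to CSV.
# Assumes the RSAT ActiveDirectory module; OU DN and output path are placeholders.
Import-Module ActiveDirectory

$OuDn   = "OU=Marketing,DC=example,DC=com"   # placeholder OU (constructed value)
$OutCsv = "C:\acl.csv"                        # placeholder output path

# Build a GUID -> name map from the schema (attributes and classes) and from the
# Extended-Rights container (control access rights such as "Reset Password").
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter "(schemaIDGUID=*)" `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
    -LDAPFilter "(objectClass=controlAccessRight)" -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AdGuid([guid]$Id) {
    # The empty GUID means the ACE applies to the whole object / all properties.
    if ($Id -eq [guid]::Empty) { return "All" }
    if ($guidMap.ContainsKey($Id)) { return $guidMap[$Id] }
    return $Id.ToString()   # unknown GUID: keep it raw so nothing is hidden
}

# Read the OU's DACL through the AD: drive and keep only ACEs set on the OU itself;
# inherited ACEs come from parents and are reviewed there.
$acl = Get-Acl -Path "AD:\$OuDn"
$report = $acl.Access |
    Where-Object { -not $_.IsInherited } |
    ForEach-Object {
        [pscustomobject]@{
            Identity    = $_.IdentityReference.Value
            Type        = $_.AccessControlType              # Allow / Deny
            Rights      = $_.ActiveDirectoryRights
            ObjectType  = Resolve-AdGuid $_.ObjectType      # attribute, class or extended right
            AppliesTo   = Resolve-AdGuid $_.InheritedObjectType
            Inheritance = $_.InheritanceType
        }
    }

$report | Export-Csv -Path $OutCsv -NoTypeInformation
$report | Format-Table -AutoSize
```

Rows whose Rights include GenericAll, WriteDacl, WriteOwner or a broad WriteProperty with ObjectType "All" are the ones to justify first when reviewing a delegation.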

Server Object GUID (DSA GUID) and Server Database GUID (Invocation ID)

The server object that represents a domain controller in the Sites container of the configuration directory partition has a globally unique identifier (GUID) that identifies it to the replication system as a domain controller. This GUID, called the DSA (Directory System Agent) GUID, is used in USNs to track originating updates. It is also used by domain controllers to locate replication partners. The DSA GUID is the GUID of the NTDS Settings object (class nTDSDSA), which is a child object of the server object. Its value is stored in the objectGUID attribute of the NTDS Settings object.

The DSA GUID is created when Active Directory is initially installed on the domain controller and destroyed only if Active Directory is removed from the domain controller. The DSA GUID ensures that the DSA remains recognizable when a domain controller is renamed. The DSA GUID is not affected by the Active Directory restore process.

The Active Directory database has its own GUID, which the DSA uses to identify the database instance (version of the database). The database GUID is stored in the invocationId attribute on the NTDS Settings object. Unlike the DSA GUID, which never changes for the lifetime of the domain controller, the invocation ID is changed during an Active Directory restore process to ensure replication consistency. For more information about replication following a restore process, see “Active Directory Replication on a Restored Domain Controller” later in this section.

On domain controllers that are running Windows Server 2003, the invocation ID also changes when an application directory partition is removed from or added to the domain controller.

Determining Changes to Replicate: Update Sequence Numbers

A source domain controller uses USNs to determine what changes have already been received by a destination domain controller that is requesting changes. The destination domain controller uses USNs to determine what changes it needs to request.

The current USN is a 64-bit counter that is maintained by each Active Directory domain controller as the highestCommittedUsn attribute on the rootDSE object. At the start of each update transaction (originating or replicated), the domain controller increments its current USN and associates this new value with the update request.
