Backup & Restore Active Directory integrated DNS zones

DNS is one of the core components for Active Directory Domain Services. In a disaster scenario, it becomes impossible to locate resources within the network and all AD operations come to a screeching halt. Therefore, it’s absolutely necessary to restore the DNS servers. One way to set this right is by performing an AD DS authoritative restore by using Microsoft’s preferred method for backing up a DNS server by performing a system state backup. That process is a time-consuming and a complex process in which the domain controllers must be restarted for the changes to take effect also you will also end up restoring the Registry, Active Directory database and a number of other components. Eventually, it leads to increased downtime, which impacts productivity.

Luckily, it’s possible to back up a DNS server independently using PowerShell.

Backup:

For AD integrated zones, the support tool dnscmd.exe can get the job done. To back up any DNS zone with dnscmd.exe, you just need to use the /zoneexport switch with the command. To back up the Zone1.com zone locally on a DNS server, you’d run the below command on the DNS server:

dnscmd DC1 /zoneexport Zone1.com backup\zone1.com.dns.bak

1	dnscmd DC1 /zoneexport Zone1.com backup\zone1.com.dns.bak

where DC1 is DNS server name, This command writes a copy of the Zone1.com zone to the %systemroot%\system32\dns\backup\Zone1.com.dns.bak file.

Note that the command doesn’t overwrite existing files, so if you’re including it with a backup script, be sure to move the file to an alternate location after the export completes, or to rename or delete the current backup file before you run a new dnscmd /zoneexport job.

PowerShell Script to backup DNS:

#AD-DNS-Backup.ps1
#PowerShell 2.0+ required
#Run this script locally on a DNS Server
#Backup all DNS Zones defined on a Windows DNS Server

#Get Name of the server with env variable
$DnsServer = Get-Content env:computername

#Define folder where to store backup
$BackupFolder = ”c:\windows\system32\dns\backup”

#Output File to store Dns Settings
$StrFile = Join-Path $BackupFolder “input.csv”

#Check if folder exists. if exists, delete contents
if (-not(test-path $BackupFolder)) {
    New-Item $BackupFolder -Type Directory | Out-Null
}
else {

    Remove-Item $BackupFolder”\*” -recurse
}
#Get DNS Settings using WMI Object
$List = Get-WmiObject -ComputerName $DnsServer -Namespace root\MicrosoftDNS -Class MicrosoftDNS_Zone

#Export information into input.csv file
#Line wrapped should be only one line
$list | Select-Object Name, ZoneType, AllowUpdate, @{Name = ”MasterServers”; Expression = { $_.MasterServers } },
DsIntegrated | Export-csv $strFile -NoTypeInformation

#Call Dnscmd.exe to export dns zones
$list | ForEach-Object {
    $path = ”backup\” + $_.name
    $cmd = ”dnscmd {0} /ZoneExport {1} {2}” -f $DnsServer, $_.Name, $path
    Invoke-Expression $cmd
}

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

#AD-DNS-Backup.ps1

#PowerShell 2.0+ required

#Run this script locally on a DNS Server

#Backup all DNS Zones defined on a Windows DNS Server

#Get Name of the server with env variable

$DnsServer = Get-Content env:computername

#Define folder where to store backup

$BackupFolder = ”c:\windows\system32\dns\backup”

#Output File to store Dns Settings

$StrFile = Join-Path $BackupFolder “input.csv”

#Check if folder exists. if exists, delete contents

if (-not(test-path $BackupFolder)) {

New-Item $BackupFolder -Type Directory | Out-Null

}

else {

Remove-Item $BackupFolder”\*” -recurse

}

#Get DNS Settings using WMI Object

$List = Get-WmiObject -ComputerName $DnsServer -Namespace root\MicrosoftDNS -Class MicrosoftDNS_Zone

#Export information into input.csv file

#Line wrapped should be only one line

$list | Select-Object Name, ZoneType, AllowUpdate, @{Name = ”MasterServers”; Expression = { $_.MasterServers } },

DsIntegrated | Export-csv $strFile -NoTypeInformation

#Call Dnscmd.exe to export dns zones

$list | ForEach-Object {

$path = ”backup\” + $_.name

$cmd = ”dnscmd {0} /ZoneExport {1} {2}” -f $DnsServer, $_.Name, $path

Invoke-Expression $cmd

}

Restore:

Make sure the zone does not exist on DNS manager as it will give an error. If you need to re-create a new zone from the export file, you’ll find that you can do this by using dnscmd.exe with the /zoneadd switch. The only catch with this approach is that if you’re looking to recover an AD-integrated zone, you need to add the zone as a primary first and then convert it to AD-integrated. For example, to recover my Zone1.com zone:

dnscmd DC1 /zoneadd Zone1.com /primary /file Zone1.com.dns /load

1	dnscmd DC1 /zoneadd Zone1.com /primary /file Zone1.com.dns /load

Note that the backup file needs to reside in the %systemroot%\system32\dns folder for it to be properly discovered.

The /load switch to tell the command to load the configuration from the existing file. Without it, the command will create a new zone data file that will overwrite the contents of the backup file.

After adding the zone to the DNS server, you can convert it to an AD-integrated zone by running:

dnscmd /zoneresettype Zone1.com /dsprimary

1	dnscmd /zoneresettype Zone1.com /dsprimary

At this point, you can then enable secure dynamic updates for the zone by running:

dnscmd /config Zone1.com /allowupdate 2

1	dnscmd /config Zone1.com /allowupdate 2

This command configures the zone to accept only secure dynamic updates, as specified by the allowupdate value of 2 (use 0 to specify No dynamic updates, 1 for nonsecure and secure dynamic updates).

PowerShell Script to restore DNS:

#AD-DNS-Restore.ps1
#PowerShell 2.0+ required
#Run this script locally on a DNS Server 
#Restore all DNS Zones defined on a Windows DNS Server

# Get Name of the server with env variable
$DNSSERVER = Get-Content env:computername

#Define folder where to pick a backup
$BackupFolder = ”c:\windows\system32\dns\backup”

#Input File to read Dns Settings
$StrFile = Join-Path $BackupFolder “input.csv”

#Restore Zones based on settings found in input.csv
$Zone = Import-Csv $StrFile
$Zone | ForEach-Object {

    $path = ”backup\” + $_.name
    $Zone = $_.name
    $IP = $_.MasterServers
    $Update = $_.AllowUpdate
     
    #Check if AD Integrated or Not
    if ($_.DsIntegrated -eq $True) {
        Switch ($_.ZoneType) {
            1 {
                #Create Zone As Primary to get all records imported
                $cmd0 = ”dnscmd {0} /ZoneAdd {1} /primary /file {2} /load” -f $DNSSERVER, $Zone, $path
                Invoke-Expression $cmd0
                $cmd1 = ”dnscmd {0} /ZoneResetType {1} /dsprimary” -f $DNSSERVER, $Zone

            }

            3 { $cmd1 = ”dnscmd {0} /ZoneAdd {1} /dsstub {2} /load” -f $DNSSERVER, $Zone, $IP }
            4 { $cmd1 = ”dnscmd {0} /ZoneAdd {1} /dsforwarder {2} /load” -f $DNSSERVER, $Zone, $IP }
        }
    }
    else {

        Switch ($_.ZoneType) {
            1 { $cmd1 = ”dnscmd {0} /ZoneAdd {1} /primary /file {2} /load” -f $DNSSERVER, $Zone, $path }
            2 { $cmd1 = ”dnscmd {0} /ZoneAdd {1} /secondary {2}” -f $DNSSERVER, $Zone, $IP }
            3 { $cmd1 = ”dnscmd {0} /ZoneAdd {1} /stub {2}” -f $DNSSERVER, $Zone, $IP }
            4 { $cmd1 = ”dnscmd {0} /ZoneAdd {1} /forwarder {2}” -f $DNSSERVER, $Zone, $IP }
        }
    }

    #Restore DNS Zones  
    Invoke-Expression $cmd1

    Switch ($_.AllowUpdate) {
        #No Update
        0 { $cmd2 = ”dnscmd /Config {0} /allowupdate {1}” -f $Zone, $Update }
        #Secure and non secure
        1 { $cmd2 = ”dnscmd /Config {0} /allowupdate {1}” -f $Zone, $Update }
        #Only Secure Updates
        2 { $cmd2 = ”dnscmd /Config {0} /allowupdate {1}” -f $Zone, $Update }

    }
    #Reset DNS Update Settings
    Invoke-Expression $cmd2
}

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

#AD-DNS-Restore.ps1

#PowerShell 2.0+ required

#Run this script locally on a DNS Server

#Restore all DNS Zones defined on a Windows DNS Server

# Get Name of the server with env variable

$DNSSERVER = Get-Content env:computername

#Define folder where to pick a backup

$BackupFolder = ”c:\windows\system32\dns\backup”

#Input File to read Dns Settings

$StrFile = Join-Path $BackupFolder “input.csv”

#Restore Zones based on settings found in input.csv

$Zone = Import-Csv $StrFile

$Zone | ForEach-Object {

$path = ”backup\” + $_.name

$Zone = $_.name

$IP = $_.MasterServers

$Update = $_.AllowUpdate

#Check if AD Integrated or Not

if ($_.DsIntegrated -eq $True) {

Switch ($_.ZoneType) {

1 {

#Create Zone As Primary to get all records imported

$cmd0 = ”dnscmd {0} /ZoneAdd {1} /primary /file {2} /load” -f $DNSSERVER, $Zone, $path

Invoke-Expression $cmd0

$cmd1 = ”dnscmd {0} /ZoneResetType {1} /dsprimary” -f $DNSSERVER, $Zone

}

3 { $cmd1 = ”dnscmd {0} /ZoneAdd {1} /dsstub {2} /load” -f $DNSSERVER, $Zone, $IP }

4 { $cmd1 = ”dnscmd {0} /ZoneAdd {1} /dsforwarder {2} /load” -f $DNSSERVER, $Zone, $IP }

}

else {

Switch ($_.ZoneType) {

1 { $cmd1 = ”dnscmd {0} /ZoneAdd {1} /primary /file {2} /load” -f $DNSSERVER, $Zone, $path }

2 { $cmd1 = ”dnscmd {0} /ZoneAdd {1} /secondary {2}” -f $DNSSERVER, $Zone, $IP }

3 { $cmd1 = ”dnscmd {0} /ZoneAdd {1} /stub {2}” -f $DNSSERVER, $Zone, $IP }

4 { $cmd1 = ”dnscmd {0} /ZoneAdd {1} /forwarder {2}” -f $DNSSERVER, $Zone, $IP }

}

#Restore DNS Zones

Invoke-Expression $cmd1

Switch ($_.AllowUpdate) {

#No Update

0 { $cmd2 = ”dnscmd /Config {0} /allowupdate {1}” -f $Zone, $Update }

#Secure and non secure

1 { $cmd2 = ”dnscmd /Config {0} /allowupdate {1}” -f $Zone, $Update }

#Only Secure Updates

2 { $cmd2 = ”dnscmd /Config {0} /allowupdate {1}” -f $Zone, $Update }

}

#Reset DNS Update Settings

Invoke-Expression $cmd2

}

Note that this script will work to “recreate” a DNS zone. If the zone you are trying to restore is still present on the DNS Server, the dnscmd.exe utility will return a warning information telling you that the zone already exists. You might need to delete the zones before restoring them.

Date August 12, 2019
Author mo wasay
Comments No Comments

Fix Active Directory broken security inheritance problem

Ran into a situation at a client location where in Active Directory, the security permissions applied to an OU were not getting inherited permissions on to the objects. Basically, security inheritance was broken.This causes a problem when the administrative accounts or groups needing to modify an attribute on the AD object throw errors, or are unable to edit the AD object.

To find out which objects were not getting the inherited permissions run the following :

I ran it on the entire domain to identity potential problem accounts. 🙂

#Replace the -SearchBase value with the OU that contains the problems user(s)
Get-ADUser -SearchBase "DC=mowasay,DC=com" -Filter * -Properties nTSecurityDescriptor | ?{ $_.nTSecurityDescriptor.AreAccessRulesProtected -eq "True"}

1 2	#Replace the -SearchBase value with the OU that contains the problems user(s) Get-ADUser -SearchBase "DC=mowasay,DC=com" -Filter * -Properties nTSecurityDescriptor \| ?{ $_.nTSecurityDescriptor.AreAccessRulesProtected -eq "True"}

To fix the issue:

#Replace the -SearchBase value with the OU that contains the problems user(s)
Get-ADUser -SearchBase "DC=mowasay,DC=com" -Filter * -Properties nTSecurityDescriptor | Where-Object
{ $_.nTSecurityDescriptor.AreAccessRulesProtected -eq "True" } | ForEach-Object {
    $_.ntSecurityDescriptor.SetAccessRuleProtection($false, $true)
    $_ | Set-ADUser -Replace @{ntSecurityDescriptor = $_.ntSecurityDescriptor }
}

1

2

3

4

5

6

#Replace the -SearchBase value with the OU that contains the problems user(s)

Get-ADUser -SearchBase "DC=mowasay,DC=com" -Filter * -Properties nTSecurityDescriptor | Where-Object

{ $_.nTSecurityDescriptor.AreAccessRulesProtected -eq "True" } | ForEach-Object {

$_.ntSecurityDescriptor.SetAccessRuleProtection($false, $true)

$_ | Set-ADUser -Replace @{ntSecurityDescriptor = $_.ntSecurityDescriptor }

}

Reference:

https://docs.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.objectsecurity.areaccessrulesprotected?view=netframework-4.8
https://blogs.msdn.microsoft.com/adpowershell/2009/10/22/viewconfigure-protected-acl-and-fixing-broken-inheritance/

Date August 8, 2019
Author mo wasay
Comments No Comments

How to Fix: Attribute userAccountControl of DC is: 0x82020

When running a DCDiag at a customer site today I had the following error occur:

Warning: Attribute userAccountControl of is: 0x82020 = ( PASSWD_NOTREQD | SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION ) Typical setting for a DC is 0x82000 = ( SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION ) This may be affecting replication?

It is a bug when we pre-create a computer account in ADUC and then promote it as DC, the UserAccountControl is set to 532512 instead of the default 532480. You need to manually set the vaulue to 532480 in ADSIEDIT.MSC.

Fix:

Open ADSIEDIT.MSC
Goto Default Naming Context
Goto OU=Domain Controllers,DC=yourdomain,DC=com
Right click on “Name of the Problem Domain Controller”
Change the value for attribute for userAccountControl from 532512 to 532480 (Change it to represent 0x82000.)

UserAccountControl values for the certain objects:
Typical user : 0x200 (512)
Domain controller : 0x82000 (532480)
Workstation/server: 0x1000 (4096)

Date July 2, 2019
Author mo wasay
Comments No Comments

Find why an account is getting locked out and where

Many a times there comes a request that a user complains that an account is getting locked out for no apparent reason and it’s hard to pinpoint where it is getting locked out from.

I was trying to find out why a user account is getting locked out and where but needed to go through logs to find out my answer. Once the machine name was found, it’s a matter of reviewing services, scheduledtasks, or similar items to see where an account name and password were hardcoded.

I was able to utilize the following script to provide an answer.

#Get-LockedOutStatus.ps1

$Identity = "mwasay" #The samAccountName of the user that is getting locked out
$DCCounter = 0  
$LockedOutStats = @()   
#Get all domain controllers in domain 
$DomainControllers = Get-ADDomainController -Server yourdomain.com -Filter * #Update your domain name here
$PDCEmulator = ($DomainControllers | Where-Object { $_.OperationMasterRoles -contains "PDCEmulator" }) 
         
Write-Verbose "Finding the domain controllers in the domain" 
Foreach ($DC in $DomainControllers) { 
    $DCCounter++ 
    Write-Progress -Activity "Contacting DCs for lockout info" -Status "Querying $($DC.Hostname)" -PercentComplete (($DCCounter / $DomainControllers.Count) * 100) 
    Try { 
        $UserInfo = Get-ADUser -Identity $Identity  -Server $DC.Hostname -Properties AccountLockoutTime, LastBadPasswordAttempt, BadPwdCount, LockedOut -ErrorAction Stop 
    } 
    Catch { 
        Write-Warning $_ 
        Continue 
    } 
    If ($UserInfo.LastBadPasswordAttempt) {     
        $LockedOutStats += New-Object -TypeName PSObject -Property @{ 
            Name                   = $UserInfo.SamAccountName 
            SID                    = $UserInfo.SID.Value 
            LockedOut              = $UserInfo.LockedOut 
            BadPwdCount            = $UserInfo.BadPwdCount 
            BadPasswordTime        = $UserInfo.BadPasswordTime             
            DomainController       = $DC.Hostname 
            AccountLockoutTime     = $UserInfo.AccountLockoutTime 
            LastBadPasswordAttempt = ($UserInfo.LastBadPasswordAttempt).ToLocalTime() 
        }           
    }#end if 
}#end foreach DCs 
$LockedOutStats | Format-Table -Property Name, LockedOut, DomainController, BadPwdCount, AccountLockoutTime, LastBadPasswordAttempt -AutoSize 
 
#Get User Info 
Try {   
    Write-Verbose "Querying event log on $($PDCEmulator.HostName)" 
    $LockedOutEvents = Get-WinEvent -ComputerName $PDCEmulator.HostName -FilterHashtable @{LogName = 'Security'; Id = 4740 } -ErrorAction Stop | Sort-Object -Property TimeCreated -Descending 
} 
Catch {           
    Write-Warning $_ 
    Continue 
}#end catch      
                                  
Foreach ($Event in $LockedOutEvents) {             
    If ($Event | Where-Object { $_.Properties[2].value -match $UserInfo.SID.Value }) {  
               
        $Event | Select-Object -Property @( 
            @{Label = 'User'; Expression = { $_.Properties[0].Value } } 
            @{Label = 'DomainController'; Expression = { $_.MachineName } } 
            @{Label = 'EventId'; Expression = { $_.Id } } 
            @{Label = 'LockedOutTimeStamp'; Expression = { $_.TimeCreated } } 
            @{Label = 'Message'; Expression = { $_.Message -split "`r" | Select-Object -First 1 } } 
            @{Label = 'LockedOutLocation'; Expression = { $_.Properties[1].Value } } 
        ) 
                                                 
    }#end ifevent 
             
}#end foreach lockedout event 
}#end process
}#end function

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

#Get-LockedOutStatus.ps1

$Identity = "mwasay" #The samAccountName of the user that is getting locked out

$DCCounter = 0

$LockedOutStats = @()

#Get all domain controllers in domain

$DomainControllers = Get-ADDomainController -Server yourdomain.com -Filter * #Update your domain name here

$PDCEmulator = ($DomainControllers | Where-Object { $_.OperationMasterRoles -contains "PDCEmulator" })

Write-Verbose "Finding the domain controllers in the domain"

Foreach ($DC in $DomainControllers) {

$DCCounter++

Write-Progress -Activity "Contacting DCs for lockout info" -Status "Querying $($DC.Hostname)" -PercentComplete (($DCCounter / $DomainControllers.Count) * 100)

Try {

$UserInfo = Get-ADUser -Identity $Identity -Server $DC.Hostname -Properties AccountLockoutTime, LastBadPasswordAttempt, BadPwdCount, LockedOut -ErrorAction Stop

}

Catch {

Write-Warning $_

Continue

}

If ($UserInfo.LastBadPasswordAttempt) {

$LockedOutStats += New-Object -TypeName PSObject -Property @{

Name = $UserInfo.SamAccountName

SID = $UserInfo.SID.Value

LockedOut = $UserInfo.LockedOut

BadPwdCount = $UserInfo.BadPwdCount

BadPasswordTime = $UserInfo.BadPasswordTime

DomainController = $DC.Hostname

AccountLockoutTime = $UserInfo.AccountLockoutTime

LastBadPasswordAttempt = ($UserInfo.LastBadPasswordAttempt).ToLocalTime()

}

}#end if

}#end foreach DCs

$LockedOutStats | Format-Table -Property Name, LockedOut, DomainController, BadPwdCount, AccountLockoutTime, LastBadPasswordAttempt -AutoSize

#Get User Info

Try {

Write-Verbose "Querying event log on $($PDCEmulator.HostName)"

$LockedOutEvents = Get-WinEvent -ComputerName $PDCEmulator.HostName -FilterHashtable @{LogName = 'Security'; Id = 4740 } -ErrorAction Stop | Sort-Object -Property TimeCreated -Descending

}

Catch {

Write-Warning $_

Continue

}#end catch

Foreach ($Event in $LockedOutEvents) {

If ($Event | Where-Object { $_.Properties[2].value -match $UserInfo.SID.Value }) {

$Event | Select-Object -Property @(

@{Label = 'User'; Expression = { $_.Properties[0].Value } }

@{Label = 'DomainController'; Expression = { $_.MachineName } }

@{Label = 'EventId'; Expression = { $_.Id } }

@{Label = 'LockedOutTimeStamp'; Expression = { $_.TimeCreated } }

@{Label = 'Message'; Expression = { $_.Message -split "`r" | Select-Object -First 1 } }

@{Label = 'LockedOutLocation'; Expression = { $_.Properties[1].Value } }

)

}#end ifevent

}#end foreach lockedout event

}#end process

}#end function

Date June 6, 2019
Author mo wasay
Comments No Comments

List all SPNs in Active Directory

Ran into a situation where I needed to get all the SPNs that are listed in AD.

Find duplicate SPNs

Listing duplicate SPNs is fairly easy, just use setspn -X on your command-line and you’ll find out.

What is a SPN?

An SPN or Service Principal Name is a unique identity for a service, mapped with a specific account (mostly service account). Using an SPN, you can create multiple aliases for a service mapped with a domain account.

SetSPN command-line

To set, list or delete the SPN, we use an in-built command line tool SETSPN provided by Microsoft.

Quite some scripts assume you’re looking for a specific SPN (HTTP/…), a specific user, or a specific computer. For example, using setspn to find SPNs linked to a certain computer:

setspn <span class="token operator">-</span>L &lt;ServerName&gt;

1	setspn <span class="token operator">-</span>L <ServerName>

Or setspn to find SPNs linked to a certain user account:

setspn <span class="token operator">-</span>L &lt;domain\user&gt;

1	setspn <span class="token operator">-</span>L <domain\user>

Now we need a script to list all SPNs, for all users and all computers.

Get All SPNs

SPNs are set as an attribute on the user or computer accounts. That makes it fairly easy to query for that attribute.

Powershell to the rescue!

#Get-All-SPNS.ps1
#Gets all the SPNS in the domain

# Alternative way to get the same information using CMD.exe:
# dsquery * "DC=yourdomain,DC=com" -filter "(&(objectcategory=computer)(servicePrincipalName=*))" -attr distinguishedName servicePrincipalName > spns.txt

$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$search.filter = "(servicePrincipalName=*)"

#OutPut text file
$OutputLocation = "C:\Scripts\Results\AllSPNsInDomain.txt"

# You can use this to filter for OU's:
# $results = $search.Findall() | ?{ $_.path -like 'DC=yourdomain,DC=com' }
$results = $search.Findall()

#Loop through all objects to find all SPNs on that object
foreach ( $result in $results ) {
    $userEntry = $result.GetDirectoryEntry()
    Write-host "Object Name = " $userEntry.name -backgroundcolor "yellow" -foregroundcolor "black"
    Write-Output "Object Name=$userEntry.name" | Out-File $OutputLocation -Append

    Write-host "DN      =      "  $userEntry.distinguishedName
    Write-Output "DN=$userEntry.distinguishedName" | Out-File $OutputLocation -Append

    Write-host "Object Cat.="  $userEntry.objectCategory
    Write-host "Object Cat.=$userEntry.objectCategory" | Out-File $OutputLocation -Append


    Write-host "servicePrincipalNames:"
    Write-Output "servicePrincipalNames:" | Out-File $OutputLocation -Append

    $i = 1
    foreach ( $SPN in $userEntry.servicePrincipalName ) {
        Write-host "SPN(" $i" )=" $SPN
        Write-Output "SPN($i)=$SPN" | Out-File $OutputLocation -Append

        $i += 1
    }

    Write-host ""
    Write-Output "==========================================" | Out-File $OutputLocation -Append
}

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

#Get-All-SPNS.ps1

#Gets all the SPNS in the domain

# Alternative way to get the same information using CMD.exe:

# dsquery * "DC=yourdomain,DC=com" -filter "(&(objectcategory=computer)(servicePrincipalName=*))" -attr distinguishedName servicePrincipalName > spns.txt

$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")

$search.filter = "(servicePrincipalName=*)"

#OutPut text file

$OutputLocation = "C:\Scripts\Results\AllSPNsInDomain.txt"

# You can use this to filter for OU's:

# $results = $search.Findall() | ?{ $_.path -like 'DC=yourdomain,DC=com' }

$results = $search.Findall()

#Loop through all objects to find all SPNs on that object

foreach ( $result in $results ) {

$userEntry = $result.GetDirectoryEntry()

Write-host "Object Name = " $userEntry.name -backgroundcolor "yellow" -foregroundcolor "black"

Write-Output "Object Name=$userEntry.name" | Out-File $OutputLocation -Append

Write-host "DN = " $userEntry.distinguishedName

Write-Output "DN=$userEntry.distinguishedName" | Out-File $OutputLocation -Append

Write-host "Object Cat.=" $userEntry.objectCategory

Write-host "Object Cat.=$userEntry.objectCategory" | Out-File $OutputLocation -Append

Write-host "servicePrincipalNames:"

Write-Output "servicePrincipalNames:" | Out-File $OutputLocation -Append

$i = 1

foreach ( $SPN in $userEntry.servicePrincipalName ) {

Write-host "SPN(" $i" )=" $SPN

Write-Output "SPN($i)=$SPN" | Out-File $OutputLocation -Append

$i += 1

}

Write-host ""

Write-Output "==========================================" | Out-File $OutputLocation -Append

}

Date May 29, 2019
Author mo wasay
Comments No Comments

Get All DCs in the Entire Forest

Getting a know a new environment for a new client and I a quickly needed information about all domain controllers in the entire forest.

Wrote a small little script to provide me all the information I needed:

Import-Module ActiveDirectory

function Get-AllDCsInForest{
[CmdletBinding()]
param(
    [string]$ReferenceDomain = $env:USERDOMAIN
)
 
$ForestObj = Get-ADForest -Server $ReferenceDomain
foreach($Domain in $ForestObj.Domains) {
    Get-ADDomainController -Filter * -Server $Domain | select Domain,HostName,Site, IPv4Address, OperatingSystem, OperatingSystemVersion
     
}
 
}

Get-AllDCsInForest| Export-Csv -Path C:\Scripts\AllDcs.txt -NoTypeInformation

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

Import-Module ActiveDirectory

function Get-AllDCsInForest{

[CmdletBinding()]

param(

[string]$ReferenceDomain = $env:USERDOMAIN

)

$ForestObj = Get-ADForest -Server $ReferenceDomain

foreach($Domain in $ForestObj.Domains) {

Get-ADDomainController -Filter * -Server $Domain | select Domain,HostName,Site, IPv4Address, OperatingSystem, OperatingSystemVersion

}

Get-AllDCsInForest| Export-Csv -Path C:\Scripts\AllDcs.txt -NoTypeInformation

Date March 6, 2019
Author mo wasay
Comments No Comments

Determine & Change Tombstone Lifetime in Active Directory

Recently, I wanted to know what the tombstone lifetime was in my environment and decided to find this using PowerShell. There are a number of ways I could do this but dong it through PowerShell would be much easier. For those of you that are new to the attribute, a good explanation of it is:

The number of days before a deleted object is removed from the directory services. This assists in removing objects from replicated servers and preventing restores from reintroducing a deleted object.

Tombstone Lifetime is used to determine how long a deleted object in the Active Directory database (NTDS.dit) is stored. When object is deleted, it does not immediately delete from the AD database. Instead, the object as deleted is marked where the is-Deleted attribute is set to true. Additions, most attributes are removed and the object will be renamed as follows: CN=<old RDN>\0ADEL:<objectGUID>

After renaming the object is moved to the hidden Deleted Objects container. At this time, the deleted object is referred to as tombstone. Then replicates these changes to all other DCs. Only when the tombstone lifetime has been exceeded, the object is permanently removed from the AD database.

The tombstone lifetime is set with the install of the first DCs in a forest for all domains. The tombstone lifetime is not configurable per domain.

Windows 2000 (all SPs) = 60 days

Windows Server 2003 without SP = 60 days

Windows Server 2003 with SP1 = 180 days

Windows Server 2003 R2 with SP1 installed with both R2 discs = 60 days

Windows Server 2003 R2 with SP1 installed only with the first R2 Disc = 180

daysWindows Server 2003 with SP2 = 180 days

Windows Server 2003 R2 with SP2 = 180 days

Windows Server 2008 = 180 days

Windows Server 2008 R2 = 180 days

Windows Server 2012 = 180 days

Windows Server 2012 R2 = 180 days

Windows Server 2016 = 180 days

Windows Server 2019 = 180 days

More info:https://docs.microsoft.com/en-us/previous-versions/technet-magazine/cc137800(v=msdn.10)

AD Recycle Bin

The AD Recycle Bin enables rapid restoration of deleted objects without a restore operation by implementing two new attributes, and using two existing attributes:

isDeleted
- Has existed since Windows 2000
- Exists on every object
- Describes if an object is deleted but restorable
isRecycled
- New to Windows Server 2008 R2
- Exists on every object once it is recycled
- Describes if an object is deleted but not restorable
msDS-deletedObjectLifetime
- New to Windows Server 2008 R2
- Is set on the “CN=Directory Service,CN=Windows NT, CN=Services, CN=Configuration, DC=COMPANY,DC=COM” container
- Describes how long a deleted object will be restorable
tombstoneLifetime
- Has existed since Windows 2000
- Is set on the “CN=Directory Service,CN=Windows NT, CN=Services, CN=Configuration, DC=COMPANY,DC=COM” container
- Describes how long a deleted object will not be restorable

Basically, I wanted to know how long I had to recover if (in my case) one of my domain controllers were down for an extended period of time. For more information on the fun that can occur if this happens and it is down beyond the tombstone lifetime, check out this article: http://technet.microsoft.com/en-us/library/cc786630(v=ws.10).aspx

Determining Tombstone Lifetime:

PowerShell Code:

Write-Output “Get Tombstone Setting `r”
#Import the AD Module
Import-Module ActiveDirectory

#Get the Domain Configuration
$ADForestconfigurationNamingContext = (Get-ADRootDSE).configurationNamingContext

#Get Schema details
$DirectoryServicesConfigPartition = Get-ADObject -Identity “CN=Directory Service,CN=Windows NT,CN=Services,$ADForestconfigurationNamingContext” -Partition $ADForestconfigurationNamingContext -Properties *

#Store the tombstone value
$TombstoneLifetime = $DirectoryServicesConfigPartition.tombstoneLifetime

#Result
Write-Output “Active Directory’s Tombstone Lifetime is set to $TombstoneLifetime days `r “

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

Write-Output “Get Tombstone Setting `r”

#Import the AD Module

Import-Module ActiveDirectory

#Get the Domain Configuration

$ADForestconfigurationNamingContext = (Get-ADRootDSE).configurationNamingContext

#Get Schema details

$DirectoryServicesConfigPartition = Get-ADObject -Identity “CN=Directory Service,CN=Windows NT,CN=Services,$ADForestconfigurationNamingContext” -Partition $ADForestconfigurationNamingContext -Properties *

#Store the tombstone value

$TombstoneLifetime = $DirectoryServicesConfigPartition.tombstoneLifetime

#Result

Write-Output “Active Directory’s Tombstone Lifetime is set to $TombstoneLifetime days `r “

Upon successful execution it should return a numeric value and that’s how many days before the DC tombstones.

Did you know...

If the attribute’s value shows blank then it is setup as ‘not set’ , the tombstone lifetime of the forest is 60 days.

This happens if your enviornment has gones throught a few generations of upgrades! 🙂

Changing Tombstone Lifetime:

PowerShell:

#Import the AD Module 
Import-Module ActiveDirectory

#Get the Domain Configuration
$ADForestconfigurationNamingContext = (Get-ADRootDSE).configurationNamingContext

#Set the TombStone Lifetime
Set-ADObject -Identity “CN=Directory Service,CN=Windows NT,CN=Services,$ADForestconfigurationNamingContext” -Partition $ADForestconfigurationNamingContext -Replace @{tombstonelifetime=’365′}

1

2

3

4

5

6

7

8

#Import the AD Module

Import-Module ActiveDirectory

#Get the Domain Configuration

$ADForestconfigurationNamingContext = (Get-ADRootDSE).configurationNamingContext

#Set the TombStone Lifetime

Set-ADObject -Identity “CN=Directory Service,CN=Windows NT,CN=Services,$ADForestconfigurationNamingContext” -Partition $ADForestconfigurationNamingContext -Replace @{tombstonelifetime=’365′}

This same process can be leveraged to identify the msDS-deletedObjectLifetime value (180 days by default).

The tombstone lifetime of an AD forest can be modified using the ADSIEdit tool by following this procedure:

At an elevated command prompt, type adsiedit.msc.
Right-click ADSI Edit in the left pane and select Connect to.
In the Connection Point section, select the Select a well known Naming Context radio button and select Configuration from the dropdown list.
Expand Configuration; CN=Configuration,DC=<forest_root_domain>; CN=Services; and CN=Windows NT
Right-click CN=Directory Service and select Properties.
In the Attribute Editor tab of the properties window, locate the tombstoneLifetime attribute. The value of this attribute represents the forest’s current tombstone lifetime in days. If the attribute’s value shows <not set>, the tombstone lifetime of the forest is 60 days.
To modify the tombstone lifetime, click Edit.
Type the desired tombstone lifetime and click OK. Click OK again to close the properties window. The change takes effect immediately.

Date February 5, 2019
Author mo wasay
Comments No Comments

How to Enable or Disable Collect Activity History in Windows 10

Microsoft Windows 10 still collects activity data even when tracking is disabled., but there is a new workaround way to block it. 🙂

Starting with Windows 10 build 17040, Microsoft added settings that let you to view and manage your activity history, which Cortana uses to let you pick up where you left off. Your collected activity history allows you to jump back into what you were doing with apps, docs, or other activities, either on your PC or your phone. To resume your activities, Windows needs to collect your PC activity.

If you like, you can enable or disable letting Windows collect User Activities.

If enabled, Let Windows collect my activities will be turned on for all users, but users will still be able to turn this setting on or off for their account.
If disabled, Let Windows collect my activities will be turned off for all users, and users will not be able to turn this setting on or off for their account.

To enable or disable Activity history settings to let Windows collect User Activities for all users in Windows 10.

You must be signed in as an administrator to enable or disable online tips and help for the Settings app
Timeline requires the Windows Search service to be enabled, running, and set to Automatic (Delayed Start).

Enable or Disable Collect Activity History in Local Group Policy Editor

Local Group Policy Editor is only available in the Windows 10 Pro, Enterprise, and Education editions.

All editions can use Option TWO below.

1. Open the Local Group Policy Editor.

2. In the left pane of Local Group Policy Editor, navigate to the location below. (see screenshot below)

Computer Configuration\Administrative Templates\System\OS Policies

In the right pane of OS Policies in Local Group Policy Editor, double click/tap on the Allow publishing of User Activities policy to edit it. (see screenshot above)

4. Do step 5 (enable) or step 6 (disable) below for what you would like to do.

5. To Enable Collect Activity History – Select (dot) Not Configured or Enabled (recommended), click/tap on OK, and go to step 7 below. (see screenshot below)

NOTE: Not Configured is the default setting.

6. To Disable Collect Activity History – Select (dot) Disabled, click/tap on OK

Enable or Disable Collect Activity History using a REG file (Workaround) 🙂

The downloadable .reg files below will add and modify the DWORD value in the registry key below.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
PublishUserActivities DWORD
0 = Disable
1 = Enable

To Enable Collect Activity History

Download : Enable_Activity_history.reg

To Disable Collect Activity History

Download : Disable_Activity_history.reg

Save the .reg file to your desktop.
Double click/tap on the downloaded .reg file to merge it.
When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.
Sign out and sign in to apply.

Date December 13, 2018
Author mo wasay
Comments No Comments

Convert a Dynamic IP to Static

Working on a project where on some servers the DHCP assigned addresses needs to be converted to static. Since there is always more than one…I needed to script it.

Here is a quick way to do it via PowerShell.

#SwitchIPtoStatic.ps1
#Get All the adapters that are on the Server
$adapters = gwmi -cl win32_networkadapterconfiguration | ? {($_.ipaddress) -and $_.dhcpEnabled -eq 'True' }

foreach ($adapter in $adapters) {
    # Get original settings
    $ipAddress = $adapter.IPAddress
    $subnetMask = $adapter.IPSubnet
    $dnsServers = $adapter.DNSServerSearchOrder
    $defaultGateway = $adapter.DefaultIPGateway

    # Set to static and set dns and gateway:
    $adapter.EnableStatic($ipAddress,$subnetMask)
    $adapter.SetDNSServerSearchOrder($dnsServers)
    $adapter.SetGateways($defaultGateway)
}

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

#SwitchIPtoStatic.ps1

#Get All the adapters that are on the Server

$adapters = gwmi -cl win32_networkadapterconfiguration | ? {($_.ipaddress) -and $_.dhcpEnabled -eq 'True' }

foreach ($adapter in $adapters) {

# Get original settings

$ipAddress = $adapter.IPAddress

$subnetMask = $adapter.IPSubnet

$dnsServers = $adapter.DNSServerSearchOrder

$defaultGateway = $adapter.DefaultIPGateway

# Set to static and set dns and gateway:

$adapter.EnableStatic($ipAddress,$subnetMask)

$adapter.SetDNSServerSearchOrder($dnsServers)

$adapter.SetGateways($defaultGateway)

}

Hope this helps!

Date October 18, 2018
Author mo wasay
Comments No Comments

Force Replication of all Domain Controllers on all Sites

If you want to replicate all Domain Controllers, then you have to start replication on each of them separately. This may take a while. To save time there is an easier way to force replication on all Domain Controllers of all Active Directory Sites.

Log on to one of your Domain Controllers. Start Windows PowerShell with administrative privileges. Using the Get-ADDomain cmdlet we can get the domain name and the domain partition.

function Replicate-AllDomainControllers {
(Get-ADDomainController -Filter *).Name | Foreach-Object {repadmin /syncall $_ (Get-ADDomain).DistinguishedName /e /A | Out-Null}; Start-Sleep 10; Get-ADReplicationPartnerMetadata -Target "$env:userdnsdomain" -Scope Domain | Select-Object Server, LastReplicationSuccess
}

Replicate-AllDomainControllers

1

2

3

4

5

function Replicate-AllDomainControllers {

(Get-ADDomainController -Filter *).Name | Foreach-Object {repadmin /syncall $_ (Get-ADDomain).DistinguishedName /e /A | Out-Null}; Start-Sleep 10; Get-ADReplicationPartnerMetadata -Target "$env:userdnsdomain" -Scope Domain | Select-Object Server, LastReplicationSuccess

}

Replicate-AllDomainControllers

Now depending on the size of your environment the results may take some time to appear. The final output should be something like this:

Date September 14, 2018
Author mo wasay
Comments No Comments

mo wasay

Backup & Restore Active Directory integrated DNS zones

Backup:

PowerShell Script to backup DNS:

Restore:

PowerShell Script to restore DNS:

Fix Active Directory broken security inheritance problem

How to Fix: Attribute userAccountControl of DC is: 0x82020

Fix:

Find why an account is getting locked out and where

Get All DCs in the Entire Forest

Determine & Change Tombstone Lifetime in Active Directory

AD Recycle Bin

Determining Tombstone Lifetime:

Changing Tombstone Lifetime:

Convert a Dynamic IP to Static

Force Replication of all Domain Controllers on all Sites

Mohammed Wasay

Dallas based Design Technologist & Hybrid Developer

Categories

Archives

Meta