Mohammed Wasay

Force synchronization for DFSR-replicated SYSVOL

One of my clients had a problem with processing GPO on client computers. Different computers applied different settings from the same GPO but from different domain controllers. All tests related to replication was successful, all GPOs are applied, but replication between domain controllers was a problem, and because of that most clients had a different GPO configuration.

I had a similar problem with a newly promoted domain controller which I previously blogged about here.

Scenarios where this problem typically occurs:

Replication was moved from FRS to DFSR
Demoting an old domain controller in the environment
When there is a problem with the DFS replication of the SYSVOL folder

To solve this problem, I had to manually perform an authoritative synchronization between the domain controllers.

I am including steps for authoritative and non-authoritative synchronization, but before we get started we need to see the state of the replication.

Steps:

Find the state of the replication state. Typically the problem DCs will be at 0 or 2. The goal is to get to state 4.
Get to State 2
Get to State 4

Find the state of the replication of all DCs

For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state

1	For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state

The states should translate as below

0 = Uninitialized
1 = Initialized
2 = Initial Sync
3 = Auto Recovery
4 = Normal
5 = In Error

Non-authoritative synchronization of DFSR-replicated SYSVOL

Stop the DFS Replication service ( net stop dfsr).
In the ADSIEDIT.MSC tool modify the following distinguished name (DN) value and attribute on each of the domain controllers that you want to make non-authoritative:
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>
msDFSR-Enabled=FALSE
Force Active Directory replication throughout the domain ( repadmin /syncall primary_dc_name /APed )
Run the following command from an elevated command prompt on the same servers that you set as non-authoritative:
DFSRDIAG POLLAD
You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated (Open up event viewer and navigate to Applications and Services Logs -> DFS Replication).
On the same DN from Step 1, set:
msDFSR-Enabled=TRUE
Force Active Directory replication throughout the domain ( repadmin /syncall primary_dc_name /APed).
Start the DFS Replication service ( net start dfsr).
Run the following command from an elevated command prompt on the same servers that you set as non-authoritative:

MS DOS

DFSRDIAG POLLAD

1

DFSRDIAG POLLAD
You will see Event ID 4614 and 4604 in the DFSR event log indicating SYSVOL has been initialized. That domain controller has now done non-authoritative sync of SYSVOL.
Run Wmic /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo get replicationgroupname,replicatedfoldername,stat and make sure the state is at 4. If it is at 2, it may take some time to reach state 4. Wait a few minutes and try again until all DCs are at state 4.

Authoritative synchronization of DFSR-replicated SYSVOL

Find the PDC Emulator (Elevated Command Prompt: netdom query fsmo ) – which is usually the most up to date for SYSVOL contents. Or the server holding all the policies and scripts. Consider this the primary server.
Stop the DFS Replication service ( net stop dfsr) on the primary server.
On the primary server, In the ADSIEDIT.MSC tool, modify the following DN and two attributes to make authoritative:
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>
msDFSR-Enabled=FALSE
msDFSR-options=1
Modify the following DN and single attribute on all other domain controllers in that domain:
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain>
msDFSR-Enabled=FALSE
Force Active Directory replication throughout the domain and validate its success on all DCs ( repadmin /syncall primary_dc_name /APed). Probably need to run the same command 3-4 times.
Start the DFSR service set as authoritative ( net start dfsr) on the primary DC.
You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated (Open up event viewer and navigate to Applications and Services Logs -> DFS Replication).
On the same DN from Step 1, set:
msDFSR-Enabled=TRUE
Force Active Directory replication throughout the domain and validate its success on all DCs ( repadmin /syncall primary_dc_name /APed ). Probably need to run the same command 3-4 times.
Run the following command from an elevated command prompt on the same server that you set as authoritative (primary server):
DFSRDIAG POLLAD
Wait a few minutes you will see Event ID 4602 in the DFSR event log (Open up event viewer and navigate to Applications and Services Logs -> DFS Replication) indicating SYSVOL has been initialized. That domain controller has now done an authoritative sync of SYSVOL.
Start the DFSR service on the other non-authoritative DCs ( net start dfsr). You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated on each of them.
Modify the following DN and single attribute on all other domain controllers in that domain:
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain>
msDFSR-Enabled=TRUE
Run the following command from an elevated command prompt on all non-authoritative DCs (i.e. all but the formerly authoritative one):

MS DOS

DFSRDIAG POLLAD

1

DFSRDIAG POLLAD
Verify you see Event ID 2002 and 4602 on all other domain controllers.
Run Wmic /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo get replicationgroupname,replicatedfoldername,stat and make sure the state is at 4. If it is at 2, it may take some time to reach state 4. Wait a few minutes and try again until all DCs are at state 4.

If setting the authoritative flag on one DC, you must non-authoritatively synchronize all other DCs in the domain. Otherwise, you will see conflicts on DCs, originating from any DCs where you did not set auth/non-auth and restarted the DFSR service. For example, if all logon scripts were accidentally deleted and a manual copy of them was placed back on the PDC Emulator role holder, making that server authoritative and all other servers non-authoritative would guarantee success and prevent conflicts. If making any DC authoritative, the PDC Emulator as authoritative is preferable, since its SYSVOL contents are usually most up to date. The use of the authoritative flag is only necessary if you need to force synchronization of all DCs. If only repairing one DC, simply make it non-authoritative and do not touch other servers. This article is designed with a 2-DC environment in mind, for simplicity of description. If you had more than one affected DC, expand the steps to includeALL of those as well. It also assumes you have the ability to restore data that was deleted, overwritten, damaged, etc. previously if this is a disaster recovery scenario on all DCs in the domain.

After these actions, all problems with GPO processing and SYSVOL replication disappeared. 🙂

Date April 22, 2020
Author mo wasay
Comments No Comments

Get Inactive Users Report for the past 60 days in a multi domain environment

I had a request recently to provide an inactive user report for the past 60 days. Basically, find out which accounts have not logged in for the past 60 days so action can be taken against them.

The request was for a multi domain forest which queries every domain controller and gets the latest lastlogon value by comparing value from each. I wrote a script and wanted to share as other might find it handy too.

<#
.SYNOPSIS
  Get the last logon report of users that have not logged for the past XX (Default 60) days from multiple domain controllers.
.DESCRIPTION
  Get details of users that have not logged on or are inactive for the past 60 days across the domain and get the latest value from multiple domain controllers
.INPUTS
  None. Script captures Forest and Domain details when run in the environment. 
.OUTPUTS
  Generated output CSV file will be in the created in the same path from where the script was executed.
.NOTES
  Version:        2.0
  Author:         Mohammed Wasay
  Email:          hello@mowasay.com
  Web:            www.mowasay.com
  Creation Date:  02/14/2020
.EXAMPLE
  Get-LastLogonReport.ps1 
#>

#Get Logged on user details
$cuser = $env:USERDOMAIN + "\" + $env:USERNAME
Write-Host -ForegroundColor Gray "Running script as: $cuser authenticated on $env:LOGONSERVER"

#Get the Forest Domain
$forest = (Get-ADForest).RootDomain

#Get all the Domains in the Forest
$domains = (Get-ADForest).Domains

#Time format for report naming
$timer = (Get-Date -Format MM-dd-yyyy)

Write-Host -ForegroundColor Magenta "Your Forest is: $forest"

#Loop through each domain
foreach ($domain in $domains) {
  Write-Host -ForegroundColor Yellow "Working on Domain: $domain"

  #Get all the domain controllers in the domain
  $dcs = Get-ADDomainController -Filter * -Server $domain

  #Storing all the users in an array for comparison later
  $users = @()

  foreach ($dc in $dcs.Hostname) {
    Write-Host -ForegroundColor Cyan "Working on Domain Controller: $dc"
 
    #Days Inactive - Modify the value to the number of days (1,30,45,60,90,120)
    $DaysInactive = "60"
    $time = (Get-Date).Adddays( - ($DaysInactive))

    #Get all AD Users with lastLogonTimestamp less than our time
    $users += Get-ADUser -Filter { lastlogondate -le $time } -Properties * -Server $dc | `
      Select-Object Enabled, `
    @{Name = "Domain"; Expression = { $domain } }, `
      samAccountName, `
      displayName, `
      lastlogondate, `
      lastlogon, `
    @{Name = 'DC'; Expression = { $dc } }, `
      whenCreated, `
      description, `
      distinguishedName, `
      department, `
      company, `
      office 
  }
  Write-Host -ForegroundColor Yellow "Sorting for most recent lastlogons"
   
  #Get the last logon from each server for every filtered user and used the last entry available
  $LatestLogOn = @()
  $users | Group-Object -Property samAccountName | ForEach-Object { 
          
    $LatestLogOn += ($_.Group | Sort-Object -Property lastlogon -Descending)[0] 
              
    $users.Clear() 
  }
  
  #Export the results to a single file per forest/multidomain
  $LatestLogOn | Select-Object Enabled, `
    Domain, `
    samAccountName, `
    displayName, `
  @{Name = 'lastlogondatetime'; Expression = { [datetime]::FromFileTime($_.lastlogon) -replace '12/31/1600 7:00:00 PM', 'Never' -replace '1/1/1601 12:00:00 AM', 'Never' } }, `
    lastlogon, `
    DC, `
    whenCreated, `
    description, `
    distinguishedName, `
    department, `
    company, `
    office `
  | Sort-Object lastlogondatetime -Descending | Export-Csv ./$forest-InactiveUserReport-$timer.csv -NoTypeInformation -Append

  #Uncomment below if exported results need to be multiple files seperated per domain
  #Export the results to a seperate file per domain
  <#
  $LatestLogOn | Select-Object Enabled, `
    Domain, `
    samAccountName, `
    displayName, `
  @{Name = 'lastlogondatetime'; Expression = { [datetime]::FromFileTime($_.lastlogon) -replace '12/31/1600 7:00:00 PM', 'Never' -replace '1/1/1601 12:00:00 AM', 'Never' } }, `
    lastlogon, `
    DC, `
    whenCreated, `
    description, `
    distinguishedName, `
    department, `
    company, `
    office `
  | Sort-Object lastlogondatetime -Descending | Export-Csv ./$domain-InactiveUserReport-$timer.csv -NoTypeInformation -Append
  #>
    
  Write-Host -ForegroundColor Green "Report for $domain generated!"
}
Write-Host -ForegroundColor Green "------======= Done! =======------"

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

<#

.SYNOPSIS

Get the last logon report of users that have not logged for the past XX (Default 60) days from multiple domain controllers.

.DESCRIPTION

Get details of users that have not logged on or are inactive for the past 60 days across the domain and get the latest value from multiple domain controllers

.INPUTS

None. Script captures Forest and Domain details when run in the environment.

.OUTPUTS

Generated output CSV file will be in the created in the same path from where the script was executed.

.NOTES

Version: 2.0

Author: Mohammed Wasay

Email: hello@mowasay.com

Web: www.mowasay.com

Creation Date: 02/14/2020

.EXAMPLE

Get-LastLogonReport.ps1

#>

#Get Logged on user details

$cuser = $env:USERDOMAIN + "\" + $env:USERNAME

Write-Host -ForegroundColor Gray "Running script as: $cuser authenticated on $env:LOGONSERVER"

#Get the Forest Domain

$forest = (Get-ADForest).RootDomain

#Get all the Domains in the Forest

$domains = (Get-ADForest).Domains

#Time format for report naming

$timer = (Get-Date -Format MM-dd-yyyy)

Write-Host -ForegroundColor Magenta "Your Forest is: $forest"

#Loop through each domain

foreach ($domain in $domains) {

Write-Host -ForegroundColor Yellow "Working on Domain: $domain"

#Get all the domain controllers in the domain

$dcs = Get-ADDomainController -Filter * -Server $domain

#Storing all the users in an array for comparison later

$users = @()

foreach ($dc in $dcs.Hostname) {

Write-Host -ForegroundColor Cyan "Working on Domain Controller: $dc"

#Days Inactive - Modify the value to the number of days (1,30,45,60,90,120)

$DaysInactive = "60"

$time = (Get-Date).Adddays( - ($DaysInactive))

#Get all AD Users with lastLogonTimestamp less than our time

$users += Get-ADUser -Filter { lastlogondate -le $time } -Properties * -Server $dc | `

Select-Object Enabled, `

@{Name = "Domain"; Expression = { $domain } }, `

samAccountName, `

displayName, `

lastlogondate, `

lastlogon, `

@{Name = 'DC'; Expression = { $dc } }, `

whenCreated, `

description, `

distinguishedName, `

department, `

company, `

office

}

Write-Host -ForegroundColor Yellow "Sorting for most recent lastlogons"

#Get the last logon from each server for every filtered user and used the last entry available

$LatestLogOn = @()

$users | Group-Object -Property samAccountName | ForEach-Object {

$LatestLogOn += ($_.Group | Sort-Object -Property lastlogon -Descending)[0]

$users.Clear()

}

#Export the results to a single file per forest/multidomain

$LatestLogOn | Select-Object Enabled, `

Domain, `

samAccountName, `

displayName, `

@{Name = 'lastlogondatetime'; Expression = { [datetime]::FromFileTime($_.lastlogon) -replace '12/31/1600 7:00:00 PM', 'Never' -replace '1/1/1601 12:00:00 AM', 'Never' } }, `

lastlogon, `

DC, `

whenCreated, `

description, `

distinguishedName, `

department, `

company, `

office `

| Sort-Object lastlogondatetime -Descending | Export-Csv ./$forest-InactiveUserReport-$timer.csv -NoTypeInformation -Append

#Uncomment below if exported results need to be multiple files seperated per domain

#Export the results to a seperate file per domain

<#

$LatestLogOn | Select-Object Enabled, `

Domain, `

samAccountName, `

displayName, `

@{Name = 'lastlogondatetime'; Expression = { [datetime]::FromFileTime($_.lastlogon) -replace '12/31/1600 7:00:00 PM', 'Never' -replace '1/1/1601 12:00:00 AM', 'Never' } }, `

lastlogon, `

DC, `

whenCreated, `

description, `

distinguishedName, `

department, `

company, `

office `

| Sort-Object lastlogondatetime -Descending | Export-Csv ./$domain-InactiveUserReport-$timer.csv -NoTypeInformation -Append

#>

Write-Host -ForegroundColor Green "Report for $domain generated!"

}

Write-Host -ForegroundColor Green "------======= Done! =======------"

Date February 18, 2020
Author mo wasay
Comments No Comments

Get Primary, Secondary, Tertiary DNS values and more from Multiple Servers

Came across a unique request to get primary, secondary, and tertiary DNS values for multiple computers/servers across the domain. I started writing the script and got what I wanted.

Now this started off as just to query for DNS Server information, but then I thought to add other pieces to get myself a good Network Inventory of all the servers in the environment.

I am utilizing the Win32_NetworkAdapterConfiguration WMI Class to get the required information.

You can modify the script below to suit your needs. The complete list of settings that can be captured:

  string   Caption;
  string   Description;
  string   SettingID;
  boolean  ArpAlwaysSourceRoute;
  boolean  ArpUseEtherSNAP;
  string   DatabasePath;
  boolean  DeadGWDetectEnabled;
  string   DefaultIPGateway[];
  uint8    DefaultTOS;
  uint8    DefaultTTL;
  boolean  DHCPEnabled;
  datetime DHCPLeaseExpires;
  datetime DHCPLeaseObtained;
  string   DHCPServer;
  string   DNSDomain;
  string   DNSDomainSuffixSearchOrder[];
  boolean  DNSEnabledForWINSResolution;
  string   DNSHostName;
  string   DNSServerSearchOrder[];
  boolean  DomainDNSRegistrationEnabled;
  uint32   ForwardBufferMemory;
  boolean  FullDNSRegistrationEnabled;
  uint16   GatewayCostMetric[];
  uint8    IGMPLevel;
  uint32   Index;
  uint32   InterfaceIndex;
  string   IPAddress[];
  uint32   IPConnectionMetric;
  boolean  IPEnabled;
  boolean  IPFilterSecurityEnabled;
  boolean  IPPortSecurityEnabled;
  string   IPSecPermitIPProtocols[];
  string   IPSecPermitTCPPorts[];
  string   IPSecPermitUDPPorts[];
  string   IPSubnet[];
  boolean  IPUseZeroBroadcast;
  string   IPXAddress;
  boolean  IPXEnabled;
  uint32   IPXFrameType[];
  uint32   IPXMediaType;
  string   IPXNetworkNumber[];
  string   IPXVirtualNetNumber;
  uint32   KeepAliveInterval;
  uint32   KeepAliveTime;
  string   MACAddress;
  uint32   MTU;
  uint32   NumForwardPackets;
  boolean  PMTUBHDetectEnabled;
  boolean  PMTUDiscoveryEnabled;
  string   ServiceName;
  uint32   TcpipNetbiosOptions;
  uint32   TcpMaxConnectRetransmissions;
  uint32   TcpMaxDataRetransmissions;
  uint32   TcpNumConnections;
  boolean  TcpUseRFC1122UrgentPointer;
  uint16   TcpWindowSize;
  boolean  WINSEnableLMHostsLookup;
  string   WINSHostLookupFile;
  string   WINSPrimaryServer;
  string   WINSScopeID;
  string   WINSSecondaryServer;

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

string Caption;

string Description;

string SettingID;

boolean ArpAlwaysSourceRoute;

boolean ArpUseEtherSNAP;

string DatabasePath;

boolean DeadGWDetectEnabled;

string DefaultIPGateway[];

uint8 DefaultTOS;

uint8 DefaultTTL;

boolean DHCPEnabled;

datetime DHCPLeaseExpires;

datetime DHCPLeaseObtained;

string DHCPServer;

string DNSDomain;

string DNSDomainSuffixSearchOrder[];

boolean DNSEnabledForWINSResolution;

string DNSHostName;

string DNSServerSearchOrder[];

boolean DomainDNSRegistrationEnabled;

uint32 ForwardBufferMemory;

boolean FullDNSRegistrationEnabled;

uint16 GatewayCostMetric[];

uint8 IGMPLevel;

uint32 Index;

uint32 InterfaceIndex;

string IPAddress[];

uint32 IPConnectionMetric;

boolean IPEnabled;

boolean IPFilterSecurityEnabled;

boolean IPPortSecurityEnabled;

string IPSecPermitIPProtocols[];

string IPSecPermitTCPPorts[];

string IPSecPermitUDPPorts[];

string IPSubnet[];

boolean IPUseZeroBroadcast;

string IPXAddress;

boolean IPXEnabled;

uint32 IPXFrameType[];

uint32 IPXMediaType;

string IPXNetworkNumber[];

string IPXVirtualNetNumber;

uint32 KeepAliveInterval;

uint32 KeepAliveTime;

string MACAddress;

uint32 MTU;

uint32 NumForwardPackets;

boolean PMTUBHDetectEnabled;

boolean PMTUDiscoveryEnabled;

string ServiceName;

uint32 TcpipNetbiosOptions;

uint32 TcpMaxConnectRetransmissions;

uint32 TcpMaxDataRetransmissions;

uint32 TcpNumConnections;

boolean TcpUseRFC1122UrgentPointer;

uint16 TcpWindowSize;

boolean WINSEnableLMHostsLookup;

string WINSHostLookupFile;

string WINSPrimaryServer;

string WINSScopeID;

string WINSSecondaryServer;

Since the scripts are querying for information it is best if it runs from a DC or a privileged server with an account that has privileged access.

To get the results you need the following two scripts:

Get-NetworkInfo.ps1:

#Get-NetworkInfo.ps1

[cmdletbinding()]
param (
    [parameter(ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
    [string[]] $ComputerName = $env:computername
)

begin { }
process {
    foreach ($Computer in $ComputerName) {
        Write-Verbose "Working on $Computer"
        if (Test-Connection -ComputerName $Computer -Count 1 -ea 0) {
			
            try {
                $Networks = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                    -Filter IPEnabled=TRUE `
                    -ComputerName $Computer `
                    -ErrorAction Stop
            }
            catch {
                Write-Verbose "Failed to Query $Computer. Error details: $_"
                continue
            }
            foreach ($Network in $Networks) {
                $IP4 = $Network.IPAddress[0]
                $IP6 = $Network.IPXAddress
                $MACAddress = $Network.MACAddress
                $Gateway = $Network.DefaultIPGateway[0]
                $DNSDomain = $Network.DNSDomain
                $DNSServers = $Network.DNSServerSearchOrder
                $PrimaryWINS = $Network.WINSPrimaryServer
                $SecondaryWINS = $Network.WINSSecondaryServer
                $NetworkName = $Network.Description
                

                If (!$DNSServers) {
                    $PrimaryDNSServer = "Notset"
                    $SecondaryDNSServer = "Notset"
                    $TertiaryDNSServer = "Notset"
                }
                elseif ($DNSServers.count -eq 1) {
                    $PrimaryDNSServer = $DNSServers[0]
                    $SecondaryDNSServer = "Notset"
                    $TertiaryDNSServer = "Notset"
                }
                elseif ($DNSServers.count -eq 2) {
                    $PrimaryDNSServer = $DNSServers[0]
                    $SecondaryDNSServer = $DNSServers[1]
                    $TertiaryDNSServer = "Notset"
                }
                else {
                    $PrimaryDNSServer = $DNSServers[0]
                    $SecondaryDNSServer = $DNSServers[1]
                    $TertiaryDNSServer = $DNSServers[2]
                }

                If (!$PrimaryWINS) {
                    $PrimaryWINS = "Notset"
                }

                If (!$SecondaryWINS) {
                    $SecondaryWINS = "Notset"
                }

                If ($network.DHCPEnabled) {
                    $IsDHCPEnabled = $true
                }
				
                $OutputObj = New-Object -Type PSObject
                $OutputObj | Add-Member -MemberType NoteProperty -Name ComputerName -Value $Computer.ToUpper()
                $OutputObj | Add-Member -MemberType NoteProperty -Name IP4 -Value $IPv4
                $OutputObj | Add-Member -MemberType NoteProperty -Name IP6 -Value $IPv6
                $OutputObj | Add-Member -MemberType NoteProperty -Name Gateway -Value $Gateway
                $OutputObj | Add-Member -MemberType NoteProperty -Name MACAddress -Value $MACAddress
                $OutputObj | Add-Member -MemberType NoteProperty -Name DNSDomain -Value $DNSDomain
                $OutputObj | Add-Member -MemberType NoteProperty -Name PrimaryDNSServer -Value $PrimaryDNSServer
                $OutputObj | Add-Member -MemberType NoteProperty -Name SecondaryDNSServer -Value $SecondaryDNSServer
                $OutputObj | Add-Member -MemberType NoteProperty -Name TertiaryDNSServer -Value $TertiaryDNSServer
                $OutputObj | Add-Member -MemberType NoteProperty -Name PrimaryWINSServer -Value $PrimaryWINS
                $OutputObj | Add-Member -MemberType NoteProperty -Name SecondaryWINSServer -Value $SecondaryWINS
                $OutputObj | Add-Member -MemberType NoteProperty -Name IsDHCPEnabled -Value $IsDHCPEnabled
                $OutputObj | Add-Member -MemberType NoteProperty -Name NetworkName -Value $NetworkName
                $OutputObj
				
            }
        }
        else {
            Write-Verbose "$Computer not reachable"
        }
    }
}

end { }

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

#Get-NetworkInfo.ps1

[cmdletbinding()]

param (

[parameter(ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]

[string[]] $ComputerName = $env:computername

)

begin { }

process {

foreach ($Computer in $ComputerName) {

Write-Verbose "Working on $Computer"

if (Test-Connection -ComputerName $Computer -Count 1 -ea 0) {

try {

$Networks = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `

-Filter IPEnabled=TRUE `

-ComputerName $Computer `

-ErrorAction Stop

}

catch {

Write-Verbose "Failed to Query $Computer. Error details: $_"

continue

}

foreach ($Network in $Networks) {

$IP4 = $Network.IPAddress[0]

$IP6 = $Network.IPXAddress

$MACAddress = $Network.MACAddress

$Gateway = $Network.DefaultIPGateway[0]

$DNSDomain = $Network.DNSDomain

$DNSServers = $Network.DNSServerSearchOrder

$PrimaryWINS = $Network.WINSPrimaryServer

$SecondaryWINS = $Network.WINSSecondaryServer

$NetworkName = $Network.Description

If (!$DNSServers) {

$PrimaryDNSServer = "Notset"

$SecondaryDNSServer = "Notset"

$TertiaryDNSServer = "Notset"

}

elseif ($DNSServers.count -eq 1) {

$PrimaryDNSServer = $DNSServers[0]

$SecondaryDNSServer = "Notset"

$TertiaryDNSServer = "Notset"

}

elseif ($DNSServers.count -eq 2) {

$PrimaryDNSServer = $DNSServers[0]

$SecondaryDNSServer = $DNSServers[1]

$TertiaryDNSServer = "Notset"

}

else {

$PrimaryDNSServer = $DNSServers[0]

$SecondaryDNSServer = $DNSServers[1]

$TertiaryDNSServer = $DNSServers[2]

}

If (!$PrimaryWINS) {

$PrimaryWINS = "Notset"

}

If (!$SecondaryWINS) {

$SecondaryWINS = "Notset"

}

If ($network.DHCPEnabled) {

$IsDHCPEnabled = $true

}

$OutputObj = New-Object -Type PSObject

$OutputObj | Add-Member -MemberType NoteProperty -Name ComputerName -Value $Computer.ToUpper()

$OutputObj | Add-Member -MemberType NoteProperty -Name IP4 -Value $IPv4

$OutputObj | Add-Member -MemberType NoteProperty -Name IP6 -Value $IPv6

$OutputObj | Add-Member -MemberType NoteProperty -Name Gateway -Value $Gateway

$OutputObj | Add-Member -MemberType NoteProperty -Name MACAddress -Value $MACAddress

$OutputObj | Add-Member -MemberType NoteProperty -Name DNSDomain -Value $DNSDomain

$OutputObj | Add-Member -MemberType NoteProperty -Name PrimaryDNSServer -Value $PrimaryDNSServer

$OutputObj | Add-Member -MemberType NoteProperty -Name SecondaryDNSServer -Value $SecondaryDNSServer

$OutputObj | Add-Member -MemberType NoteProperty -Name TertiaryDNSServer -Value $TertiaryDNSServer

$OutputObj | Add-Member -MemberType NoteProperty -Name PrimaryWINSServer -Value $PrimaryWINS

$OutputObj | Add-Member -MemberType NoteProperty -Name SecondaryWINSServer -Value $SecondaryWINS

$OutputObj | Add-Member -MemberType NoteProperty -Name IsDHCPEnabled -Value $IsDHCPEnabled

$OutputObj | Add-Member -MemberType NoteProperty -Name NetworkName -Value $NetworkName

$OutputObj

}

else {

Write-Verbose "$Computer not reachable"

}

end { }

Get-Remote-NetworkInfo.ps1

#Get-Remote-NetworkInfo.ps1
Import-Module ActiveDirectory

#Change the domain name to your needs
$Servers = Get-ADComputer -Filter{Enabled -eq 'True'} -Server $env:USERDOMAIN

foreach ($Server in $Servers.Name) {

    #Make sure the path of the previous file is the same, or modify the below .Get-NetworkInfo.ps1 to the location where the file was copied.
    .Get-NetworkInfo.ps1 -ComputerName $Server | Export-Csv -Path C:\temp\$env:USERDOMAIN-Servers-NetworkInfo.csv -NoTypeInformation -Append
}
Write-Host -ForegroundColor Green "Done!"

1

2

3

4

5

6

7

8

9

10

11

12

#Get-Remote-NetworkInfo.ps1

Import-Module ActiveDirectory

#Change the domain name to your needs

$Servers = Get-ADComputer -Filter{Enabled -eq 'True'} -Server $env:USERDOMAIN

foreach ($Server in $Servers.Name) {

#Make sure the path of the previous file is the same, or modify the below .Get-NetworkInfo.ps1 to the location where the file was copied.

.Get-NetworkInfo.ps1 -ComputerName $Server | Export-Csv -Path C:\temp\$env:USERDOMAIN-Servers-NetworkInfo.csv -NoTypeInformation -Append

}

Write-Host -ForegroundColor Green "Done!"

This will get the information and export to an excel file that you can have handy for reference or auditing. Hope this helps!

Date February 13, 2020
Author mo wasay
Comments No Comments

Backup & Restore Active Directory integrated DNS zones

DNS is one of the core components for Active Directory Domain Services. In a disaster scenario, it becomes impossible to locate resources within the network and all AD operations come to a screeching halt. Therefore, it’s absolutely necessary to restore the DNS servers. One way to set this right is by performing an AD DS authoritative restore by using Microsoft’s preferred method for backing up a DNS server by performing a system state backup. That process is a time-consuming and a complex process in which the domain controllers must be restarted for the changes to take effect also you will also end up restoring the Registry, Active Directory database and a number of other components. Eventually, it leads to increased downtime, which impacts productivity.

Luckily, it’s possible to back up a DNS server independently using PowerShell.

Backup:

For AD integrated zones, the support tool dnscmd.exe can get the job done. To back up any DNS zone with dnscmd.exe, you just need to use the /zoneexport switch with the command. To back up the Zone1.com zone locally on a DNS server, you’d run the below command on the DNS server:

dnscmd DC1 /zoneexport Zone1.com backup\zone1.com.dns.bak

1	dnscmd DC1 /zoneexport Zone1.com backup\zone1.com.dns.bak

where DC1 is DNS server name, This command writes a copy of the Zone1.com zone to the %systemroot%\system32\dns\backup\Zone1.com.dns.bak file.

Note that the command doesn’t overwrite existing files, so if you’re including it with a backup script, be sure to move the file to an alternate location after the export completes, or to rename or delete the current backup file before you run a new dnscmd /zoneexport job.

PowerShell Script to backup DNS:

#AD-DNS-Backup.ps1
#PowerShell 2.0+ required
#Run this script locally on a DNS Server
#Backup all DNS Zones defined on a Windows DNS Server

#Get Name of the server with env variable
$DnsServer = Get-Content env:computername

#Define folder where to store backup
$BackupFolder = ”c:\windows\system32\dns\backup”

#Output File to store Dns Settings
$StrFile = Join-Path $BackupFolder “input.csv”

#Check if folder exists. if exists, delete contents
if (-not(test-path $BackupFolder)) {
    New-Item $BackupFolder -Type Directory | Out-Null
}
else {

    Remove-Item $BackupFolder”\*” -recurse
}
#Get DNS Settings using WMI Object
$List = Get-WmiObject -ComputerName $DnsServer -Namespace root\MicrosoftDNS -Class MicrosoftDNS_Zone

#Export information into input.csv file
#Line wrapped should be only one line
$list | Select-Object Name, ZoneType, AllowUpdate, @{Name = ”MasterServers”; Expression = { $_.MasterServers } },
DsIntegrated | Export-csv $strFile -NoTypeInformation

#Call Dnscmd.exe to export dns zones
$list | ForEach-Object {
    $path = ”backup\” + $_.name
    $cmd = ”dnscmd {0} /ZoneExport {1} {2}” -f $DnsServer, $_.Name, $path
    Invoke-Expression $cmd
}

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

#AD-DNS-Backup.ps1

#PowerShell 2.0+ required

#Run this script locally on a DNS Server

#Backup all DNS Zones defined on a Windows DNS Server

#Get Name of the server with env variable

$DnsServer = Get-Content env:computername

#Define folder where to store backup

$BackupFolder = ”c:\windows\system32\dns\backup”

#Output File to store Dns Settings

$StrFile = Join-Path $BackupFolder “input.csv”

#Check if folder exists. if exists, delete contents

if (-not(test-path $BackupFolder)) {

New-Item $BackupFolder -Type Directory | Out-Null

}

else {

Remove-Item $BackupFolder”\*” -recurse

}

#Get DNS Settings using WMI Object

$List = Get-WmiObject -ComputerName $DnsServer -Namespace root\MicrosoftDNS -Class MicrosoftDNS_Zone

#Export information into input.csv file

#Line wrapped should be only one line

$list | Select-Object Name, ZoneType, AllowUpdate, @{Name = ”MasterServers”; Expression = { $_.MasterServers } },

DsIntegrated | Export-csv $strFile -NoTypeInformation

#Call Dnscmd.exe to export dns zones

$list | ForEach-Object {

$path = ”backup\” + $_.name

$cmd = ”dnscmd {0} /ZoneExport {1} {2}” -f $DnsServer, $_.Name, $path

Invoke-Expression $cmd

}

Restore:

Make sure the zone does not exist on DNS manager as it will give an error. If you need to re-create a new zone from the export file, you’ll find that you can do this by using dnscmd.exe with the /zoneadd switch. The only catch with this approach is that if you’re looking to recover an AD-integrated zone, you need to add the zone as a primary first and then convert it to AD-integrated. For example, to recover my Zone1.com zone:

dnscmd DC1 /zoneadd Zone1.com /primary /file Zone1.com.dns /load

1	dnscmd DC1 /zoneadd Zone1.com /primary /file Zone1.com.dns /load

Note that the backup file needs to reside in the %systemroot%\system32\dns folder for it to be properly discovered.

The /load switch to tell the command to load the configuration from the existing file. Without it, the command will create a new zone data file that will overwrite the contents of the backup file.

After adding the zone to the DNS server, you can convert it to an AD-integrated zone by running:

dnscmd /zoneresettype Zone1.com /dsprimary

1	dnscmd /zoneresettype Zone1.com /dsprimary

At this point, you can then enable secure dynamic updates for the zone by running:

dnscmd /config Zone1.com /allowupdate 2

1	dnscmd /config Zone1.com /allowupdate 2

This command configures the zone to accept only secure dynamic updates, as specified by the allowupdate value of 2 (use 0 to specify No dynamic updates, 1 for nonsecure and secure dynamic updates).

PowerShell Script to restore DNS:

#AD-DNS-Restore.ps1
#PowerShell 2.0+ required
#Run this script locally on a DNS Server 
#Restore all DNS Zones defined on a Windows DNS Server

# Get Name of the server with env variable
$DNSSERVER = Get-Content env:computername

#Define folder where to pick a backup
$BackupFolder = ”c:\windows\system32\dns\backup”

#Input File to read Dns Settings
$StrFile = Join-Path $BackupFolder “input.csv”

#Restore Zones based on settings found in input.csv
$Zone = Import-Csv $StrFile
$Zone | ForEach-Object {

    $path = ”backup\” + $_.name
    $Zone = $_.name
    $IP = $_.MasterServers
    $Update = $_.AllowUpdate
     
    #Check if AD Integrated or Not
    if ($_.DsIntegrated -eq $True) {
        Switch ($_.ZoneType) {
            1 {
                #Create Zone As Primary to get all records imported
                $cmd0 = ”dnscmd {0} /ZoneAdd {1} /primary /file {2} /load” -f $DNSSERVER, $Zone, $path
                Invoke-Expression $cmd0
                $cmd1 = ”dnscmd {0} /ZoneResetType {1} /dsprimary” -f $DNSSERVER, $Zone

            }

            3 { $cmd1 = ”dnscmd {0} /ZoneAdd {1} /dsstub {2} /load” -f $DNSSERVER, $Zone, $IP }
            4 { $cmd1 = ”dnscmd {0} /ZoneAdd {1} /dsforwarder {2} /load” -f $DNSSERVER, $Zone, $IP }
        }
    }
    else {

        Switch ($_.ZoneType) {
            1 { $cmd1 = ”dnscmd {0} /ZoneAdd {1} /primary /file {2} /load” -f $DNSSERVER, $Zone, $path }
            2 { $cmd1 = ”dnscmd {0} /ZoneAdd {1} /secondary {2}” -f $DNSSERVER, $Zone, $IP }
            3 { $cmd1 = ”dnscmd {0} /ZoneAdd {1} /stub {2}” -f $DNSSERVER, $Zone, $IP }
            4 { $cmd1 = ”dnscmd {0} /ZoneAdd {1} /forwarder {2}” -f $DNSSERVER, $Zone, $IP }
        }
    }

    #Restore DNS Zones  
    Invoke-Expression $cmd1

    Switch ($_.AllowUpdate) {
        #No Update
        0 { $cmd2 = ”dnscmd /Config {0} /allowupdate {1}” -f $Zone, $Update }
        #Secure and non secure
        1 { $cmd2 = ”dnscmd /Config {0} /allowupdate {1}” -f $Zone, $Update }
        #Only Secure Updates
        2 { $cmd2 = ”dnscmd /Config {0} /allowupdate {1}” -f $Zone, $Update }

    }
    #Reset DNS Update Settings
    Invoke-Expression $cmd2
}

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

#AD-DNS-Restore.ps1

#PowerShell 2.0+ required

#Run this script locally on a DNS Server

#Restore all DNS Zones defined on a Windows DNS Server

# Get Name of the server with env variable

$DNSSERVER = Get-Content env:computername

#Define folder where to pick a backup

$BackupFolder = ”c:\windows\system32\dns\backup”

#Input File to read Dns Settings

$StrFile = Join-Path $BackupFolder “input.csv”

#Restore Zones based on settings found in input.csv

$Zone = Import-Csv $StrFile

$Zone | ForEach-Object {

$path = ”backup\” + $_.name

$Zone = $_.name

$IP = $_.MasterServers

$Update = $_.AllowUpdate

#Check if AD Integrated or Not

if ($_.DsIntegrated -eq $True) {

Switch ($_.ZoneType) {

1 {

#Create Zone As Primary to get all records imported

$cmd0 = ”dnscmd {0} /ZoneAdd {1} /primary /file {2} /load” -f $DNSSERVER, $Zone, $path

Invoke-Expression $cmd0

$cmd1 = ”dnscmd {0} /ZoneResetType {1} /dsprimary” -f $DNSSERVER, $Zone

}

3 { $cmd1 = ”dnscmd {0} /ZoneAdd {1} /dsstub {2} /load” -f $DNSSERVER, $Zone, $IP }

4 { $cmd1 = ”dnscmd {0} /ZoneAdd {1} /dsforwarder {2} /load” -f $DNSSERVER, $Zone, $IP }

}

else {

Switch ($_.ZoneType) {

1 { $cmd1 = ”dnscmd {0} /ZoneAdd {1} /primary /file {2} /load” -f $DNSSERVER, $Zone, $path }

2 { $cmd1 = ”dnscmd {0} /ZoneAdd {1} /secondary {2}” -f $DNSSERVER, $Zone, $IP }

3 { $cmd1 = ”dnscmd {0} /ZoneAdd {1} /stub {2}” -f $DNSSERVER, $Zone, $IP }

4 { $cmd1 = ”dnscmd {0} /ZoneAdd {1} /forwarder {2}” -f $DNSSERVER, $Zone, $IP }

}

#Restore DNS Zones

Invoke-Expression $cmd1

Switch ($_.AllowUpdate) {

#No Update

0 { $cmd2 = ”dnscmd /Config {0} /allowupdate {1}” -f $Zone, $Update }

#Secure and non secure

1 { $cmd2 = ”dnscmd /Config {0} /allowupdate {1}” -f $Zone, $Update }

#Only Secure Updates

2 { $cmd2 = ”dnscmd /Config {0} /allowupdate {1}” -f $Zone, $Update }

}

#Reset DNS Update Settings

Invoke-Expression $cmd2

}

Note that this script will work to “recreate” a DNS zone. If the zone you are trying to restore is still present on the DNS Server, the dnscmd.exe utility will return a warning information telling you that the zone already exists. You might need to delete the zones before restoring them.

Date August 12, 2019
Author mo wasay
Comments No Comments

Fix Active Directory broken security inheritance problem

Ran into a situation at a client location where in Active Directory, the security permissions applied to an OU were not getting inherited permissions on to the objects. Basically, security inheritance was broken.This causes a problem when the administrative accounts or groups needing to modify an attribute on the AD object throw errors, or are unable to edit the AD object.

To find out which objects were not getting the inherited permissions run the following :

I ran it on the entire domain to identity potential problem accounts. 🙂

#Replace the -SearchBase value with the OU that contains the problems user(s)
Get-ADUser -SearchBase "DC=mowasay,DC=com" -Filter * -Properties nTSecurityDescriptor | ?{ $_.nTSecurityDescriptor.AreAccessRulesProtected -eq "True"}

1 2	#Replace the -SearchBase value with the OU that contains the problems user(s) Get-ADUser -SearchBase "DC=mowasay,DC=com" -Filter * -Properties nTSecurityDescriptor \| ?{ $_.nTSecurityDescriptor.AreAccessRulesProtected -eq "True"}

To fix the issue:

#Replace the -SearchBase value with the OU that contains the problems user(s)
Get-ADUser -SearchBase "DC=mowasay,DC=com" -Filter * -Properties nTSecurityDescriptor | Where-Object
{ $_.nTSecurityDescriptor.AreAccessRulesProtected -eq "True" } | ForEach-Object {
    $_.ntSecurityDescriptor.SetAccessRuleProtection($false, $true)
    $_ | Set-ADUser -Replace @{ntSecurityDescriptor = $_.ntSecurityDescriptor }
}

1

2

3

4

5

6

#Replace the -SearchBase value with the OU that contains the problems user(s)

Get-ADUser -SearchBase "DC=mowasay,DC=com" -Filter * -Properties nTSecurityDescriptor | Where-Object

{ $_.nTSecurityDescriptor.AreAccessRulesProtected -eq "True" } | ForEach-Object {

$_.ntSecurityDescriptor.SetAccessRuleProtection($false, $true)

$_ | Set-ADUser -Replace @{ntSecurityDescriptor = $_.ntSecurityDescriptor }

}

Reference:

https://docs.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.objectsecurity.areaccessrulesprotected?view=netframework-4.8
https://blogs.msdn.microsoft.com/adpowershell/2009/10/22/viewconfigure-protected-acl-and-fixing-broken-inheritance/

Date August 8, 2019
Author mo wasay
Comments No Comments

Missing SYSVOL & NETLOGON after domain controller promotion

Recently I found an issue with a newly promoted domain controller missing the SYSVOL and NETLOGON shares. Most of the cases it would also be a new domain controller for an existing or new forest. In most cases, you would need to update the flag below.

Open Regedit
Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters Set SysVolReady from 0 to 1
Close Regedit

This will create the SYSVOL share. If the NETLOGON share is not created you would need to create the folder scripts in C:\Windows\SYSVOL\domain\. When this is done, restart the NETLOGON service.

net start Netlogon

1	net start Netlogon

This is the easy part. In some cases, although the NETLOGON and SYSVOL shares are working, no group policies or scripts are being replicated using the DFSR. I have post talking about this issue in detail here.

We can verify the replication by running the following command.

For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state

1	For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state

The states should translate as below

0 = Uninitialized
1 = Initialized
2 = Initial Sync
3 = Auto Recovery
4 = Normal
5 = In Error

In my case, I have noticed that the newly promoted server was showing 2 and the primary domain controller was showing “No Instance(s) Available” which is quite strange.

Here you would need to look into the original Active Directory server for any problems and you would see a warning on the DFS Replication under Applications with Event ID 2213 as below.

It says that the DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled.

What we need to do here is from the event viewer take note of the volumeGUID and run the below command and replacing GUID-NUMBER with your GUID.

wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid="GUID-NUMBER" call ResumeReplication

1	wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid="GUID-NUMBER" call ResumeReplication

This will restart the replication and recreate the database. This can be seen with an event with ID 2214 saying The DFS Replication service successfully recovered from an unexpected shutdown on volume C. This can occur if the service terminated abnormally (due to the VM shutting down incorrectly, for example) or an error occurred on the volume. No user action is required.

If you run the command again to see the state of the replication you will see that the servers are all showing state 4 as below and both SYSVOL and NETLOGON will be replicated.

Date August 2, 2019
Author mo wasay
Comments No Comments

How to Fix: Attribute userAccountControl of DC is: 0x82020

When running a DCDiag at a customer site today I had the following error occur:

Warning: Attribute userAccountControl of is: 0x82020 = ( PASSWD_NOTREQD | SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION ) Typical setting for a DC is 0x82000 = ( SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION ) This may be affecting replication?

It is a bug when we pre-create a computer account in ADUC and then promote it as DC, the UserAccountControl is set to 532512 instead of the default 532480. You need to manually set the vaulue to 532480 in ADSIEDIT.MSC.

Fix:

Open ADSIEDIT.MSC
Goto Default Naming Context
Goto OU=Domain Controllers,DC=yourdomain,DC=com
Right click on “Name of the Problem Domain Controller”
Change the value for attribute for userAccountControl from 532512 to 532480 (Change it to represent 0x82000.)

UserAccountControl values for the certain objects:
Typical user : 0x200 (512)
Domain controller : 0x82000 (532480)
Workstation/server: 0x1000 (4096)

Date July 2, 2019
Author mo wasay
Comments No Comments

Find why an account is getting locked out and where

Many a times there comes a request that a user complains that an account is getting locked out for no apparent reason and it’s hard to pinpoint where it is getting locked out from.

I was trying to find out why a user account is getting locked out and where but needed to go through logs to find out my answer. Once the machine name was found, it’s a matter of reviewing services, scheduledtasks, or similar items to see where an account name and password were hardcoded.

I was able to utilize the following script to provide an answer.

#Get-LockedOutStatus.ps1

$Identity = "mwasay" #The samAccountName of the user that is getting locked out
$DCCounter = 0  
$LockedOutStats = @()   
#Get all domain controllers in domain 
$DomainControllers = Get-ADDomainController -Server yourdomain.com -Filter * #Update your domain name here
$PDCEmulator = ($DomainControllers | Where-Object { $_.OperationMasterRoles -contains "PDCEmulator" }) 
         
Write-Verbose "Finding the domain controllers in the domain" 
Foreach ($DC in $DomainControllers) { 
    $DCCounter++ 
    Write-Progress -Activity "Contacting DCs for lockout info" -Status "Querying $($DC.Hostname)" -PercentComplete (($DCCounter / $DomainControllers.Count) * 100) 
    Try { 
        $UserInfo = Get-ADUser -Identity $Identity  -Server $DC.Hostname -Properties AccountLockoutTime, LastBadPasswordAttempt, BadPwdCount, LockedOut -ErrorAction Stop 
    } 
    Catch { 
        Write-Warning $_ 
        Continue 
    } 
    If ($UserInfo.LastBadPasswordAttempt) {     
        $LockedOutStats += New-Object -TypeName PSObject -Property @{ 
            Name                   = $UserInfo.SamAccountName 
            SID                    = $UserInfo.SID.Value 
            LockedOut              = $UserInfo.LockedOut 
            BadPwdCount            = $UserInfo.BadPwdCount 
            BadPasswordTime        = $UserInfo.BadPasswordTime             
            DomainController       = $DC.Hostname 
            AccountLockoutTime     = $UserInfo.AccountLockoutTime 
            LastBadPasswordAttempt = ($UserInfo.LastBadPasswordAttempt).ToLocalTime() 
        }           
    }#end if 
}#end foreach DCs 
$LockedOutStats | Format-Table -Property Name, LockedOut, DomainController, BadPwdCount, AccountLockoutTime, LastBadPasswordAttempt -AutoSize 
 
#Get User Info 
Try {   
    Write-Verbose "Querying event log on $($PDCEmulator.HostName)" 
    $LockedOutEvents = Get-WinEvent -ComputerName $PDCEmulator.HostName -FilterHashtable @{LogName = 'Security'; Id = 4740 } -ErrorAction Stop | Sort-Object -Property TimeCreated -Descending 
} 
Catch {           
    Write-Warning $_ 
    Continue 
}#end catch      
                                  
Foreach ($Event in $LockedOutEvents) {             
    If ($Event | Where-Object { $_.Properties[2].value -match $UserInfo.SID.Value }) {  
               
        $Event | Select-Object -Property @( 
            @{Label = 'User'; Expression = { $_.Properties[0].Value } } 
            @{Label = 'DomainController'; Expression = { $_.MachineName } } 
            @{Label = 'EventId'; Expression = { $_.Id } } 
            @{Label = 'LockedOutTimeStamp'; Expression = { $_.TimeCreated } } 
            @{Label = 'Message'; Expression = { $_.Message -split "`r" | Select-Object -First 1 } } 
            @{Label = 'LockedOutLocation'; Expression = { $_.Properties[1].Value } } 
        ) 
                                                 
    }#end ifevent 
             
}#end foreach lockedout event 
}#end process
}#end function

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

#Get-LockedOutStatus.ps1

$Identity = "mwasay" #The samAccountName of the user that is getting locked out

$DCCounter = 0

$LockedOutStats = @()

#Get all domain controllers in domain

$DomainControllers = Get-ADDomainController -Server yourdomain.com -Filter * #Update your domain name here

$PDCEmulator = ($DomainControllers | Where-Object { $_.OperationMasterRoles -contains "PDCEmulator" })

Write-Verbose "Finding the domain controllers in the domain"

Foreach ($DC in $DomainControllers) {

$DCCounter++

Write-Progress -Activity "Contacting DCs for lockout info" -Status "Querying $($DC.Hostname)" -PercentComplete (($DCCounter / $DomainControllers.Count) * 100)

Try {

$UserInfo = Get-ADUser -Identity $Identity -Server $DC.Hostname -Properties AccountLockoutTime, LastBadPasswordAttempt, BadPwdCount, LockedOut -ErrorAction Stop

}

Catch {

Write-Warning $_

Continue

}

If ($UserInfo.LastBadPasswordAttempt) {

$LockedOutStats += New-Object -TypeName PSObject -Property @{

Name = $UserInfo.SamAccountName

SID = $UserInfo.SID.Value

LockedOut = $UserInfo.LockedOut

BadPwdCount = $UserInfo.BadPwdCount

BadPasswordTime = $UserInfo.BadPasswordTime

DomainController = $DC.Hostname

AccountLockoutTime = $UserInfo.AccountLockoutTime

LastBadPasswordAttempt = ($UserInfo.LastBadPasswordAttempt).ToLocalTime()

}

}#end if

}#end foreach DCs

$LockedOutStats | Format-Table -Property Name, LockedOut, DomainController, BadPwdCount, AccountLockoutTime, LastBadPasswordAttempt -AutoSize

#Get User Info

Try {

Write-Verbose "Querying event log on $($PDCEmulator.HostName)"

$LockedOutEvents = Get-WinEvent -ComputerName $PDCEmulator.HostName -FilterHashtable @{LogName = 'Security'; Id = 4740 } -ErrorAction Stop | Sort-Object -Property TimeCreated -Descending

}

Catch {

Write-Warning $_

Continue

}#end catch

Foreach ($Event in $LockedOutEvents) {

If ($Event | Where-Object { $_.Properties[2].value -match $UserInfo.SID.Value }) {

$Event | Select-Object -Property @(

@{Label = 'User'; Expression = { $_.Properties[0].Value } }

@{Label = 'DomainController'; Expression = { $_.MachineName } }

@{Label = 'EventId'; Expression = { $_.Id } }

@{Label = 'LockedOutTimeStamp'; Expression = { $_.TimeCreated } }

@{Label = 'Message'; Expression = { $_.Message -split "`r" | Select-Object -First 1 } }

@{Label = 'LockedOutLocation'; Expression = { $_.Properties[1].Value } }

)

}#end ifevent

}#end foreach lockedout event

}#end process

}#end function

Date June 6, 2019
Author mo wasay
Comments No Comments

List all SPNs in Active Directory

Ran into a situation where I needed to get all the SPNs that are listed in AD.

Find duplicate SPNs

Listing duplicate SPNs is fairly easy, just use setspn -X on your command-line and you’ll find out.

What is a SPN?

An SPN or Service Principal Name is a unique identity for a service, mapped with a specific account (mostly service account). Using an SPN, you can create multiple aliases for a service mapped with a domain account.

SetSPN command-line

To set, list or delete the SPN, we use an in-built command line tool SETSPN provided by Microsoft.

Quite some scripts assume you’re looking for a specific SPN (HTTP/…), a specific user, or a specific computer. For example, using setspn to find SPNs linked to a certain computer:

setspn <span class="token operator">-</span>L &lt;ServerName&gt;

1	setspn <span class="token operator">-</span>L <ServerName>

Or setspn to find SPNs linked to a certain user account:

setspn <span class="token operator">-</span>L &lt;domain\user&gt;

1	setspn <span class="token operator">-</span>L <domain\user>

Now we need a script to list all SPNs, for all users and all computers.

Get All SPNs

SPNs are set as an attribute on the user or computer accounts. That makes it fairly easy to query for that attribute.

Powershell to the rescue!

#Get-All-SPNS.ps1
#Gets all the SPNS in the domain

# Alternative way to get the same information using CMD.exe:
# dsquery * "DC=yourdomain,DC=com" -filter "(&(objectcategory=computer)(servicePrincipalName=*))" -attr distinguishedName servicePrincipalName > spns.txt

$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$search.filter = "(servicePrincipalName=*)"

#OutPut text file
$OutputLocation = "C:\Scripts\Results\AllSPNsInDomain.txt"

# You can use this to filter for OU's:
# $results = $search.Findall() | ?{ $_.path -like 'DC=yourdomain,DC=com' }
$results = $search.Findall()

#Loop through all objects to find all SPNs on that object
foreach ( $result in $results ) {
    $userEntry = $result.GetDirectoryEntry()
    Write-host "Object Name = " $userEntry.name -backgroundcolor "yellow" -foregroundcolor "black"
    Write-Output "Object Name=$userEntry.name" | Out-File $OutputLocation -Append

    Write-host "DN      =      "  $userEntry.distinguishedName
    Write-Output "DN=$userEntry.distinguishedName" | Out-File $OutputLocation -Append

    Write-host "Object Cat.="  $userEntry.objectCategory
    Write-host "Object Cat.=$userEntry.objectCategory" | Out-File $OutputLocation -Append


    Write-host "servicePrincipalNames:"
    Write-Output "servicePrincipalNames:" | Out-File $OutputLocation -Append

    $i = 1
    foreach ( $SPN in $userEntry.servicePrincipalName ) {
        Write-host "SPN(" $i" )=" $SPN
        Write-Output "SPN($i)=$SPN" | Out-File $OutputLocation -Append

        $i += 1
    }

    Write-host ""
    Write-Output "==========================================" | Out-File $OutputLocation -Append
}

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

#Get-All-SPNS.ps1

#Gets all the SPNS in the domain

# Alternative way to get the same information using CMD.exe:

# dsquery * "DC=yourdomain,DC=com" -filter "(&(objectcategory=computer)(servicePrincipalName=*))" -attr distinguishedName servicePrincipalName > spns.txt

$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")

$search.filter = "(servicePrincipalName=*)"

#OutPut text file

$OutputLocation = "C:\Scripts\Results\AllSPNsInDomain.txt"

# You can use this to filter for OU's:

# $results = $search.Findall() | ?{ $_.path -like 'DC=yourdomain,DC=com' }

$results = $search.Findall()

#Loop through all objects to find all SPNs on that object

foreach ( $result in $results ) {

$userEntry = $result.GetDirectoryEntry()

Write-host "Object Name = " $userEntry.name -backgroundcolor "yellow" -foregroundcolor "black"

Write-Output "Object Name=$userEntry.name" | Out-File $OutputLocation -Append

Write-host "DN = " $userEntry.distinguishedName

Write-Output "DN=$userEntry.distinguishedName" | Out-File $OutputLocation -Append

Write-host "Object Cat.=" $userEntry.objectCategory

Write-host "Object Cat.=$userEntry.objectCategory" | Out-File $OutputLocation -Append

Write-host "servicePrincipalNames:"

Write-Output "servicePrincipalNames:" | Out-File $OutputLocation -Append

$i = 1

foreach ( $SPN in $userEntry.servicePrincipalName ) {

Write-host "SPN(" $i" )=" $SPN

Write-Output "SPN($i)=$SPN" | Out-File $OutputLocation -Append

$i += 1

}

Write-host ""

Write-Output "==========================================" | Out-File $OutputLocation -Append

}

Date May 29, 2019
Author mo wasay
Comments No Comments

Get All DCs in the Entire Forest

Getting a know a new environment for a new client and I a quickly needed information about all domain controllers in the entire forest.

Wrote a small little script to provide me all the information I needed:

Import-Module ActiveDirectory

function Get-AllDCsInForest{
[CmdletBinding()]
param(
    [string]$ReferenceDomain = $env:USERDOMAIN
)
 
$ForestObj = Get-ADForest -Server $ReferenceDomain
foreach($Domain in $ForestObj.Domains) {
    Get-ADDomainController -Filter * -Server $Domain | select Domain,HostName,Site, IPv4Address, OperatingSystem, OperatingSystemVersion
     
}
 
}

Get-AllDCsInForest| Export-Csv -Path C:\Scripts\AllDcs.txt -NoTypeInformation

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

Import-Module ActiveDirectory

function Get-AllDCsInForest{

[CmdletBinding()]

param(

[string]$ReferenceDomain = $env:USERDOMAIN

)

$ForestObj = Get-ADForest -Server $ReferenceDomain

foreach($Domain in $ForestObj.Domains) {

Get-ADDomainController -Filter * -Server $Domain | select Domain,HostName,Site, IPv4Address, OperatingSystem, OperatingSystemVersion

}

Get-AllDCsInForest| Export-Csv -Path C:\Scripts\AllDcs.txt -NoTypeInformation

Date March 6, 2019
Author mo wasay
Comments No Comments

mo wasay

Force synchronization for DFSR-replicated SYSVOL

Find the state of the replication of all DCs

Non-authoritative synchronization of DFSR-replicated SYSVOL

Authoritative synchronization of DFSR-replicated SYSVOL

Get Inactive Users Report for the past 60 days in a multi domain environment

Get Primary, Secondary, Tertiary DNS values and more from Multiple Servers

Get-NetworkInfo.ps1:

Get-Remote-NetworkInfo.ps1

Backup & Restore Active Directory integrated DNS zones

Backup:

PowerShell Script to backup DNS:

Restore:

PowerShell Script to restore DNS:

Fix Active Directory broken security inheritance problem

How to Fix: Attribute userAccountControl of DC is: 0x82020

Fix:

Find why an account is getting locked out and where

Get All DCs in the Entire Forest

Dallas based Design Technologist & Hybrid Developer

Categories

Archives

Meta