DNS is one of the core components for Active Directory Domain Services. In a disaster scenario, it becomes impossible to locate resources within the network and all AD operations come to a screeching halt. Therefore, it’s absolutely necessary to restore the DNS servers. One way to set this right is by performing an AD DS […]
Ran into a situation at a client location where in Active Directory, the security permissions applied to an OU were not getting inherited permissions on to the objects. Basically, security inheritance was broken.This causes a problem when the administrative accounts or groups needing to modify an attribute on the AD object throw errors, or are […]
Many a times there comes a request that a user complains that an account is getting locked out for no apparent reason and it’s hard to pinpoint where it is getting locked out from. I was trying to find out why a user account is getting locked out and where but needed to go through […]
Ran into a situation where I needed to get all the SPNs that are listed in AD. Find duplicate SPNs Listing duplicate SPNs is fairly easy, just use setspn -X on your command-line and you’ll find out. What is a SPN? An SPN or Service Principal Name is a unique identity for a service, mapped with a specific account (mostly […]
Recently, I wanted to know what the tombstone lifetime was in my environment and decided to find this using PowerShell. There are a number of ways I could do this but dong it through PowerShell would be much easier. For those of you that are new to the attribute, a good explanation of it is: […]
If you want to replicate all Domain Controllers, then you have to start replication on each of them separately. This may take a while. To save time there is an easier way to force replication on all Domain Controllers of all Active Directory Sites. Log on to one of your Domain Controllers. Start Windows PowerShell […]
If you want to find out how many domain/ enterprise admins are active/inactive in domain you can use the following PowerShell command to figure out: Get the list of domain admins and check if they are enabled.
|
1 |
Get-ADGroupMember -Identity "Domain Admins" -Recursive | %{Get-ADUser -Identity $_.distinguishedName} | Select Name, Enabled |
Get the list of enterprise admins and check if they are enabled.
|
1 |
Get-ADGroupMember -Identity "Enterprise Admins" -Recursive | %{Get-ADUser -Identity $_.distinguishedName} | Select Name, Enabled |
So had an interesting issue today where a Domain Controller (DC) was demoted yet the IP of the demoted DC was still showing up when running nslookup internaldomain.local Demoted DC: MWDC04 / IP: 10.14.111.111 I had done the metadata cleanup and tried many suggestions when googling the subject. To my surprise none of the solutions I […]
What Is an SPN? An SPN is a reference to a specific service, for example, an instance of SQL or a web application run by IIS. Since SPNs are specific, they reference not only what the service is (such as an SQL server), but also which hostname runs the instance and on which port it’s […]
Using the standard GUI Microsoft Management Consoles to make the change to speed up Active Directory replication is not possible. The best result of using administrator consoles will be to increase domain replication between domain controllers to 15 minutes. These large time values were instituted into Active Directory at version 1 because inter-site connections during that era of computing and networking were much lower in bandwidth with the most common being frame-relay or […]
