Active Directory quick queries via Powershell

October 6th, 2015

Here is a reference to a few quick AD queries written as PowerShell one-liners.

Forest basic info:

Get-ADForest | Select Name, RootDomain, DomainNamingMaster, SchemaMaster, @{l='FFL';e={$_.ForestMode}} | Format-Table -autosize

Basic info of all domains in the entire forest:

Get-ADForest | Select -ExpandProperty Domains | Get-ADDomain | Select DNSRoot, NetBIOSName, PDCEmulator, RIDMaster, InfrastructureMaster, @{l='DFL';e={$_.DomainMode}} | Format-Table -autosize

List of Domain Controllers:

Get-ADDomainController -filter * | Select Name, Domain, @{l='IPv4';e={$_.IPv4Address}}, Site, @{l='GC';e={$_.IsGlobalCatalog}}, @{l='OS';e={$_.OperatingSystem}}, @{l='OS Ver.';e={$_.OperatingSystemVersion}} | FT -auto

"<myDomain>" | Get-ADDomain | Select -Expand ReplicaDirectoryServers

Number of DCs per domain in the whole forest:

Get-ADForest | Select -Expand Domains | Get-ADDomain | Select DNSRoot, @{l='DCs';e={ ($_.ReplicaDirectoryServers).Count}} | Format-Table -autosize

Sites:

Get-ADReplicationSite -Filter * | Select Name, @{l='ISTG';e={($_.InterSiteTopologyGenerator).Split(",")[1].Replace("CN=","")}} , Description | Sort Name | Format-Table -autosize

Subnets:

Get-ADReplicationSubnet -Filter * | Select Name, @{l='Site';e={($_.Site).Split(',')[0]}} | Sort Site, Name | Format-Table -Group Site -autosize

Site links:

Get-ADReplicationSiteLink -Filter * | Select Name, Cost, @{l = 'Interval';e={$_.ReplicationFrequencyInMinutes}}, @{l='Sites';e={$_.SitesIncluded}} | Sort Name | Format-Table -autosize

Get-ADReplicationSiteLink -Filter * | Select Name, Cost, @{l='Interval';e={$_.ReplicationFrequencyInMinutes}}, @{l='Sites';e={($_.SitesIncluded | Get-ADReplicationSite | Select -ExpandProperty Name) -join ', '}} | Sort Name | Format-Table -autosize

Connection objects on <myDC>:

Get-ADReplicationConnection -Filter * -Server  <myDC> | Select @{l='To';e={ ($_.ReplicateToDirectoryServer).Split(",")[0].Replace("CN=","")}} , @{l='From';e={ ($_.ReplicateFromDirectoryServer).Split(",")[1].Replace("CN=","") }}, Name, AutoGenerated | Format-Table -autosize

Replication queue on <myDC>:

Get-ADReplicationQueueOperation -Server <myDC>

Replication status on <myDC>:

Get-ADReplicationPartnerMetadata -Target <myDC>

Get-ADReplicationPartnerMetadata -Target <myDC> | Select Server, @{l='From';e={ $_.Partner.Split(",")[1].Replace("CN=","")}}, Partition, LastReplicationSuccess, LastReplicationAttempt | Format-Table -autosize

Replication status in whole forest:

Get-ADForest | Select -Expand Domains | Get-ADDomain | Select -Expand ReplicaDirectoryServers | Get-ADReplicationPartnerMetadata | Select Server, @{l='From';e={ $_.Partner.Split(",")[1].Replace("CN=","")}}, Partition, LastReplicationSuccess, LastReplicationAttempt | Format-Table -autosize

Active Directory quick queries

January 31st, 2015

Here is a reference to a few quick AD queries.

Dump of AD:

csvde -f ad.csv

List of Domain Controllers:

NLTEST /dclist:<myDomain>
NETDOM QUERY /D:<myDomain> DC
DSQUERY SERVER -o rdn

List of FSMO holders:

NETDOM QUERY /D:<myDomain> FSMO
DSQUERY SERVER -hasfsmo SCHEMA
DSQUERY SERVER -hasfsmo NAME
DSQUERY SERVER -domain <myDomain> -hasfsmo RID
DSQUERY SERVER -domain <myDomain> -hasfsmo PDC
DSQUERY SERVER -domain <myDomain> -hasfsmo INFR
DCDIAG /s:<myDC> /test:KnowsOfRoleHolders

List of Global Catalog holders:

DSQUERY SERVER -domain <myDomain> -isgc
NLTEST /dsgetdc:<myDomain> /GC
repadmin /options *
nslookup gc._msdcs.<myDomain>

List of Sites:

DSQUERY * "CN=Sites,CN=Configuration,DC=<my>,DC=<domain>" -scope onelevel -attr cn

Site to which <myDC> belongs:

NLTEST /server:<myDC> /DsGetSite
Get-WmiObject -Namespace root\rsop\computer -Class RSOP_Session | select site
reg query \\<myDC>\HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters /v "DynamicSiteName"

List of preferred bridgeheads:

DSQUERY * "CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=<my>,DC=<domain>" -attr bridgeheadServerListBL

Domain Controller that authenticated my account:

User account:
    NLTEST /dsgetdc:<myDomain>
    ECHO %LOGONSERVER%

Computer account:
    NLTEST /sc_query:<myDomain>
    NETDOM verify <myComputer> /domain:<myDomain>

All users:

DSQUERY * -filter "(&(objectCategory=Person)(objectClass=User))" -attr sAMAccountName -limit 0

Total number of users:

DSQUERY USER forestroot -o dn -limit 0 -name * | find /C /V "~~~~"

All active users:

DSQUERY * -filter "(&(objectCategory=user)(userAccountControl=512))" -limit 0
512 – active
514 – disabled

Locked users:

DSQUERY * -filter "(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))"
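The user queries above rewritten as Get-ADUser LDAP filters, an added example that is not part of the original post. The disabled check uses the LDAP bitwise matching rule, so accounts whose userAccountControl carries extra flags (e.g. 66048, password never expires) are still counted as enabled, whereas userAccountControl=512 matches only accounts with no other flag set. Assumes the ActiveDirectory module; function and variable names are my own.

```powershell
# Added example (not from the original post). Requires RSAT's ActiveDirectory module.
Import-Module ActiveDirectory

# Same base filter as the dsquery lines above.
$userBase = '(&(objectCategory=person)(objectClass=user))'

# userAccountControl is a bit field. 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND:
# "(userAccountControl:1.2.840.113556.1.4.803:=2)" is true when the ACCOUNTDISABLE bit (0x2)
# is set, whatever the other bits are. "userAccountControl=512" only matches the exact value.
$filters = [ordered]@{
    All      = $userBase
    Enabled  = "(&$($userBase)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    Disabled = "(&$($userBase)(userAccountControl:1.2.840.113556.1.4.803:=2))"
    # lockoutTime is not reset when the lockout duration expires, so this can over-report;
    # Search-ADAccount -LockedOut takes the lockout duration into account.
    Locked   = "(&$($userBase)(lockoutTime>=1))"
}

function Get-UserAccountSummary {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    foreach ($name in $filters.Keys) {
        # Get-ADUser has no default result limit, unlike dsquery's 100
        $users = @(Get-ADUser -LDAPFilter $filters[$name] -SearchBase $SearchBase)
        [pscustomobject]@{ Query = $name; Count = $users.Count; Filter = $filters[$name] }
    }
}

Get-UserAccountSummary | Format-Table -AutoSize
```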

Much more soon…

Restricting Active Directory replication traffic to the fixed ports

January 28th, 2015

Overview:

Apart from well-known ports such as 389 TCP/UDP, 636 TCP, 3268 TCP, etc. (full overview is here), Active Directory uses a few ports from the dynamic pool for replication purposes. If we don’t have a strict security policy that allows only explicitly defined traffic through firewalls, we can leave the default configuration of communication between domain controllers:

1024  – 65535 TCP Dynamic RPC W2K/W2K3

49152 – 65535 TCP Dynamic RPC W2K8+

However, if we would like to have more control over AD and SYSVOL replication, we can limit the above scope to our needs:

#1. Restricting Active Directory replication traffic to an example port 5000 TCP (0x1388):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"TCP/IP Port"=dword:00001388

#2a. Restricting SYSVOL FRS traffic to an example port 5050 TCP (0x13ba):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters]
"RPC TCP/IP Port Assignment"=dword:000013ba

#2b. Restricting SYSVOL DFS-R traffic to an example port 5050 TCP:

Dfsrdiag StaticRPC /port:5050 /Member:<myDC>

#3. Restricting RPC dynamic port allocation to an example pool of 6000 – 6050 TCP:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet]
"Ports"=hex(7):36,00,30,00,30,00,30,00,2d,00,36,00,30,00,35,00,30,00,00,00,00,00
@=""
"PortsInternetAvailable"="Y"
"UseInternetPorts"="Y"

Practice:

Common operational issues in complex environments, like Event 1722: “The RPC server is unavailable”, are sometimes caused by firewall restrictions that allow traffic on fixed ports only instead of the full RPC dynamic pool. For example, a freshly promoted domain controller with the default configuration tries to replicate with a remote partner located behind a firewall via a dynamically assigned port such as 49157 TCP, while the replication topology design strictly defines, say, 5000 TCP and that is what is implemented on all DCs and firewalls.

To check which ports are used for replication, simply query the endpoint mapper (135 TCP) of each domain controller. Using portqry.exe it looks as follows:

portqry.exe -n <myDC> -e 135 -p TCP

and in the result look for the section MS NT Directory DRS Interface to check the AD replication ports:

...
 
UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_np:127.0.0.1[\\pipe\\lsass]
 
UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_np:127.0.0.1[\\PIPE\\protected_storage]
 
UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_ip_tcp:127.0.0.1[6003]
 
UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_ip_tcp:127.0.0.1[6004]
 
UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_ip_tcp:127.0.0.1[5000]
 
UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_http:127.0.0.1[6005]
 
...

and for Frs2 Service to check the DFS-R port:

...
 
UUID: 897e2e5f-93f3-4376-9c9c-fd2277495c27 Frs2 Service
ncacn_ip_tcp:127.0.0.1[5050]
 
...

To find out whether the above RPC ports are fixed or not, simply query the registry settings of this domain controller:

Restricted Active Directory replication traffic:

reg query \\<myDC>\HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /v "TCP/IP Port"

Restricted SYSVOL FRS replication traffic:

reg query \\<myDC>\HKLM\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters /v "RPC TCP/IP Port Assignment"
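An added compliance check, not from the original post: it reads the fixed-port registry settings described above from every DC in the forest and flags the ones that differ from the expected values. The example ports from this post (5000, 5050, 6000-6050) are assumed as the expected configuration and the function names are my own; the DFS-R port set with Dfsrdiag is not stored under these keys, so verify it with portqry as shown above.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module and
# the Remote Registry service running on the DCs (same access as "reg query \\<dc>").
Import-Module ActiveDirectory

function Get-RemoteRegistryValue {
    param([string]$Computer, [string]$SubKey, [string]$ValueName)
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
        $key = $hklm.OpenSubKey($SubKey)
        if ($null -eq $key) { return $null }   # key absent: setting never configured
        $key.GetValue($ValueName)              # $null when the value is absent
    } catch {
        Write-Warning "$Computer : $($_.Exception.Message)"
        'ERROR'
    }
}

function Test-ReplicationPorts {
    param(
        [int]$ExpectedNtdsPort    = 5000,        # "TCP/IP Port" under NTDS\Parameters (#1)
        [int]$ExpectedFrsPort     = 5050,        # "RPC TCP/IP Port Assignment" under NtFrs\Parameters (#2a)
        [string]$ExpectedRpcRange = '6000-6050'  # "Ports" under Rpc\Internet (#3)
    )
    $dcs = Get-ADForest | Select-Object -ExpandProperty Domains |
           ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

    foreach ($dc in $dcs) {
        $ntds = Get-RemoteRegistryValue $dc.HostName 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'  'TCP/IP Port'
        $frs  = Get-RemoteRegistryValue $dc.HostName 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters' 'RPC TCP/IP Port Assignment'
        $rpc  = Get-RemoteRegistryValue $dc.HostName 'SOFTWARE\Microsoft\Rpc\Internet' 'Ports'
        # "Ports" is REG_MULTI_SZ, so GetValue returns a string array
        $rpcText = if ($rpc -is [array]) { $rpc -join ',' } else { $rpc }

        [pscustomobject]@{
            DC        = $dc.HostName
            NtdsPort  = $ntds
            FrsPort   = $frs
            RpcPorts  = $rpcText
            # FRS value may legitimately be absent once SYSVOL is migrated to DFS-R
            Compliant = ($ntds -eq $ExpectedNtdsPort) -and
                        ($frs -eq $ExpectedFrsPort -or $null -eq $frs) -and
                        ($rpcText -eq $ExpectedRpcRange)
        }
    }
}

Test-ReplicationPorts | Format-Table -AutoSize
```

A DC reported as non-compliant is exactly the case described in Practice above: it will offer a dynamic port to its partners and fail against a firewall that only passes the fixed ones.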

 

Reference articles:

How to configure a firewall for domains and trusts

Active Directory Replication Over Firewalls

Restricting AD Replication Traffic between DCs to only a few ports

Service overview and network port requirements for Windows

Using PORTQRY for troubleshooting

 

Active Directory numbers

January 18th, 2015

Here is a quick reference for finding several AD metadata values.

Schema version:

DSQUERY * "CN=Schema,CN=Configuration,DC=<my>,DC=<domain>" -scope base -attr objectVersion
AD version                             objectVersion
Windows 2000 Server                    13
Windows 2000 Server + Exchange 2000    17
Windows Server 2003                    30
Windows Server 2003 R2                 31
Windows Server 2008                    44
Windows Server 2008 R2                 47
Windows Server 8 – Developer Preview   51
Windows Server 8 – Beta                52
Windows Server 2012                    56
Windows Server 2012 R2                 69
Windows Server 10 Technical Preview    72

Schema revision: adprep /forestprep

DSQUERY * "CN=ActiveDirectoryUpdate,CN=ForestUpdates,CN=Configuration,DC=<my>,DC=<domain>" -scope base -attr revision
AD version                             Revision
Windows Server 2008                    2
Windows Server 2008 R2                 5
Windows Server 2003 R2                 9
Windows Server 2012                    11
Windows Server 10 Technical Preview    15

Schema revision: adprep /domainprep

DSQUERY * "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,DC=<my>,DC=<domain>" -scope base -attr revision
AD version                             Revision
Windows Server 2008                    3
Windows Server 2008 R2                 5
Windows Server 2003 R2                 8
Windows Server 2012                    9
Windows Server 10 Technical Preview    10

Schema revision: adprep /rodcprep

DSQUERY * "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,CN=Configuration,DC=<my>,DC=<domain>" -scope base -attr revision
AD version                             Revision
Windows Server 2008                    2
Windows Server 2012                    2
Windows Server 10 Technical Preview    2

Forest Functional Level:

DSQUERY * "CN=Partitions,CN=Configuration,DC=<my>,DC=<domain>" -scope base -attr msDS-Behavior-Version
FFL                     msDS-Behavior-Version
2000                    0
2003 Interim            1
2003                    2
2008                    3
2008 R2                 4
2012                    5
10 Technical Preview    5

Domain Functional Level:

DSQUERY * "DC=<my>,DC=<domain>" -scope base -attr msDS-Behavior-Version ntMixedDomain
DFL                                    msDS-Behavior-Version    ntMixedDomain
Windows 2000 Native domain Level       0                        0
Windows 2000 Mixed domain Level        0                        1
Windows 2003 Domain Level              2                        0
Windows 2008 Domain Level              3                        0
Windows 2008 R2 Domain Level           4                        0
Windows 2012 Domain Level              5                        0
Windows Server 10 Technical Preview    5                        0

Exchange version:
#1 – Forest rangeUpper attribute of ms-Exch-Schema-Version-Pt

DSQUERY * "CN=ms-Exch-Schema-Version-Pt,CN=Schema,CN=Configuration,DC=<my>,DC=<domain>" -scope base -attr rangeUpper

#2 – Forest objectVersion attribute of Organization container

DSQUERY * "CN=<myOrganization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<my>,DC=<domain>" -scope base -attr objectVersion

#3 – Domain objectVersion attribute on Microsoft Exchange System Objects

DSQUERY * "CN=Microsoft Exchange System Objects,DC=<my>,DC=<domain>" -scope base -attr objectVersion
Exchange version      #1       #2       #3
Exchange 2000 RTM     4397     -        4406
Exchange 2000 SP3     4406     -        4406
Exchange 2003 RTM     6870     6903     6936
Exchange 2003 SP1     6870     6903     6936
Exchange 2003 SP2     6870     6903     6936
Exchange 2007 RTM     10637    10666    10628
Exchange 2007 SP1     11116    11221    11221
Exchange 2007 SP2     14622    11222    11221
Exchange 2007 SP3     14625    11222    11221
Exchange 2010 RTM     14622    12640    12639
Exchange 2010 SP1     14726    13214    13040
Exchange 2010 SP2     14732    14247    13040
Exchange 2010 SP3     14734    14322    13040
Exchange 2013 RTM     15137    15449    13236
Exchange 2013 CU1     15254    15614    13236
Exchange 2013 CU2     15281    15688    13236
Exchange 2013 CU3     15283    15763    13236
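An added example, not from the original post: the same attributes collected with the ActiveDirectory module, resolving the naming contexts from RootDSE instead of typing DC=<my>,DC=<domain> by hand. Raw values are returned and map to the tables above; the function name and the PDC default are my own choices.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ADVersionNumbers {
    param([string]$Server = (Get-ADDomain).PDCEmulator)

    # RootDSE carries the DNs used in the dsquery lines above
    $root   = Get-ADRootDSE -Server $Server
    $schema = $root.schemaNamingContext          # CN=Schema,CN=Configuration,...
    $cfg    = $root.configurationNamingContext   # CN=Configuration,...
    $dom    = $root.defaultNamingContext         # DC=<my>,DC=<domain>

    # Reads one attribute of one object; $null when the object does not exist
    # (e.g. no Exchange in the forest, or adprep /rodcprep never run).
    $read = {
        param($dn, $attr)
        try   { (Get-ADObject -Identity $dn -Properties $attr -Server $Server -ErrorAction Stop).$attr }
        catch { $null }
    }

    [pscustomobject]@{
        Server                = $Server
        SchemaObjectVersion   = & $read $schema 'objectVersion'
        ForestPrepRevision    = & $read "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$cfg" 'revision'
        DomainPrepRevision    = & $read "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$dom" 'revision'
        RodcPrepRevision      = & $read "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$cfg" 'revision'
        ForestFunctionalLevel = & $read "CN=Partitions,$cfg" 'msDS-Behavior-Version'
        DomainFunctionalLevel = & $read $dom 'msDS-Behavior-Version'
        NtMixedDomain         = & $read $dom 'ntMixedDomain'
        ExchangeSchemaVersion = & $read "CN=ms-Exch-Schema-Version-Pt,$schema" 'rangeUpper'   # query #1
        ExchangeDomainVersion = & $read "CN=Microsoft Exchange System Objects,$dom" 'objectVersion'   # query #3
    }
}

Get-ADVersionNumbers | Format-List
```

Query #2 (objectVersion of the organization container) needs the organization name, so it is left to the dsquery line above.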

 

Active Directory Topology Visualization part 2

January 11th, 2015

If you have a closer look at the Active Directory Topology Visualization part 1 solution developed some time ago, you will find that the vbs script queries one domain controller to find the replication topology. It is a quick approach to get an overview of AD replication ASAP. However, it represents the viewpoint of that domain controller only, and that does not always have to be the objective truth.

If domain controllers replicate with each other without any issues and their number is not changing (adding, removing, etc.), the topology should look the same on every DC and the above solution is absolutely enough. But to properly recognize the condition of an AD environment during its modification, something more comprehensive is needed.

Here is my attempt to get a full overview of the AD physical topology and, as a side effect of querying every particular domain controller in the environment, the condition of replication. The vbs script below queries all DCs found in AD, formats information about sites, servers and connection objects into dot syntax and controls the pictures of nodes (here: domain controllers) and the labels of edges (here: connection objects) to report issues in the topology: orphan or inaccessible DCs, or connection objects just generated and not yet seen by other DCs.

Practice:

Vbs script to query all DCs:

getReplicationTopology.zip

usage:

cscript /nologo getReplicationTopology.vbs

Example of dot code generated by above vbs script:

DIGRAPH replicationTopology {
 
	label = "Reference DC: POZ-DC1";
	labelloc = t;
	fontname = helvetica;
	node [fontname = helvetica, image = "server.png", labelloc = b, color = white];
	edge [style = dotted fontname = helvetica fontsize = 8.0];
 
	SUBGRAPH cluster_WRO {
	label = "Site: WRO\lSubnets:\l10.10.10.0/24\l"
 
	WRO_DC1 [label = "WRO-DC1.qa.local" image = "noaccess.png"];
 
	}
 
	SUBGRAPH cluster_POZ {
	label = "Site: POZ\lSubnets:\l10.20.20.0/24\l"
 
	POZ_DC1 [label = "POZ-DC1.qa.local"];
 
	}
 
	SUBGRAPH cluster_WAW {
	label = "Site: WAW\lSubnets:\l10.30.30.0/24\l"
 
	}
 
	POZ_DC1 -> WRO_DC1;
	WRO_DC1 -> POZ_DC1;
}

and diagram:

[diagram fdp4]

Note:

Pictures of nodes used in diagrams:

server.png: DC queried by the vbs script

noaccess.png: DC not queried by the vbs script because of a communication issue

orphan.png: orphan DC not fully removed from AD during decommission
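An added PowerShell example, not the post's vbs script: it produces a dot file in the same shape as the one above, but from a single reference DC's view of the configuration partition (as in part 1), so it does not detect the per-DC discrepancies the vbs script reports. Assumes the ActiveDirectory module and the server.png image used by the post's dot output; function names are my own.

```powershell
# Added example (not the post's vbs script). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Returns the server name from a DN like "CN=NTDS Settings,CN=DC1,CN=Servers,CN=Site,..."
# (fromServer form) or "CN=DC1,CN=Servers,CN=Site,..." (server object form).
function Get-ServerNameFromDN {
    param([string]$DN)
    $rdns = $DN -split ','
    $i = [array]::IndexOf($rdns, 'CN=Servers')
    if ($i -lt 1) { return $null }
    $rdns[$i - 1] -replace '^CN=', ''
}

# dot node identifiers: WRO-DC1 -> WRO_DC1, as in the output above
function ConvertTo-DotNodeName { param([string]$Name) $Name -replace '[^A-Za-z0-9_]', '_' }

function New-ReplicationTopologyDot {
    param([string]$Server = (Get-ADDomain).PDCEmulator)

    $dcs     = Get-ADForest -Server $Server | Select-Object -ExpandProperty Domains |
               ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
    $sites   = Get-ADReplicationSite -Filter * -Server $Server
    $subnets = Get-ADReplicationSubnet -Filter * -Server $Server
    $conns   = Get-ADReplicationConnection -Filter * -Server $Server   # this DC's view only

    $out = New-Object System.Collections.Generic.List[string]
    $out.Add('DIGRAPH replicationTopology {')
    $out.Add("`tlabel = `"Reference DC: $Server`";")
    $out.Add("`tlabelloc = t;")
    $out.Add("`tfontname = helvetica;")
    $out.Add("`tnode [fontname = helvetica, image = `"server.png`", labelloc = b, color = white];")
    $out.Add("`tedge [style = dotted fontname = helvetica fontsize = 8.0];")

    foreach ($site in $sites) {
        # Subnet.Site holds the site DN; its first RDN is "CN=<site name>"
        $siteSubnets = $subnets | Where-Object { ($_.Site -split ',')[0] -eq "CN=$($site.Name)" } |
                       ForEach-Object { "$($_.Name)\l" }
        $out.Add("`tSUBGRAPH cluster_$(ConvertTo-DotNodeName $site.Name) {")
        $out.Add("`tlabel = `"Site: $($site.Name)\lSubnets:\l$(-join $siteSubnets)`"")
        foreach ($dc in $dcs | Where-Object Site -eq $site.Name) {
            $out.Add("`t$(ConvertTo-DotNodeName $dc.Name) [label = `"$($dc.HostName)`"];")
        }
        $out.Add("`t}")
    }

    # One edge per connection object: replication flows from the source to the owner
    foreach ($c in $conns) {
        $from = Get-ServerNameFromDN $c.ReplicateFromDirectoryServer
        $to   = Get-ServerNameFromDN $c.ReplicateToDirectoryServer
        if ($from -and $to) {
            $out.Add("`t$(ConvertTo-DotNodeName $from) -> $(ConvertTo-DotNodeName $to);")
        }
    }
    $out.Add('}')
    $out -join "`n"
}

New-ReplicationTopologyDot | Set-Content -Path replicationTopology.dot -Encoding ASCII
```

Render it the same way as the post's output, e.g. fdp replicationTopology.dot -Tjpg -O, with server.png next to the dot file.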

Gallery:

[diagram dot5]

[diagram fdp6]

[diagram fdp7]

 

Theory:

1. How Active Directory Replication Topology Works

2. KCC and Topology Generation

3. Active Directory Topology Visualization part 1

 

How to remove lingering objects from complex environment

December 27th, 2014

Based on the “Clean that Active Directory forest of lingering objects” article on Glenn LeCheminant’s weblog, here is an extract of my own development:

Overview:

Lingering objects are undesired entities in AD. If one or more domain controllers are disconnected from the environment and come back after a period longer than the tombstone lifetime, deleted objects can be reintroduced by them. Cleaning AD is a serious challenge and, in a complex environment, requires a complex solution.

Microsoft prepared a simple tool to perform proper removal. However, how it is used depends on the design of the environment. Because connections between all sites are not always fully meshed, the inability of domain controllers to “see” each other is mitigated by a simple trick: in each domain one domain controller is chosen as the reference server for its own domain partition and is used by every other domain controller, and by global catalogs from other domains, as the reference source. The best choice is the PDC because it should be accessible at least from any domain controller in its own domain and, in theory, from other domains. However it is not really mandatory and any DC can be used. In rare cases of communication issues an additional step, described below, is needed.

Practice:

The procedure below can be used for effective removal of lingering objects in the entire forest. It is based on preparing a reference domain controller with a clean, writable domain partition, and using it as an authoritative source for every other domain controller holding a writable (DC) or read-only (GC) copy of this partition.

The solution uses the following command:

repadmin.exe /removelingeringobjects <targetDC> <sourceDCGUID> <partitionDN> [/advisory_mode]

Note:

The sourceDCGUID can be found in several ways:

repadmin /showreps <myDC>
nslookup -q=CNAME _msdcs.<my>.<domain>
dsquery * "CN=NTDS Settings,CN=<myDC>,CN=Servers,CN=,CN=Sites,CN=Configuration,DC=<my>,DC=<domain>" -scope base -attr objectGuid

This procedure requires finishing three steps in every domain of the entire forest:

Step 1: Cleaning up domain partition on reference DC

A series of commands run against one chosen DC cleans up its partition with reference to all other DCs in this domain:

repadmin /removelingeringobjects DC1 DC2guid DC=my,DC=domain
repadmin /removelingeringobjects DC1 DC3guid DC=my,DC=domain
...
repadmin /removelingeringobjects DC1 DCnguid DC=my,DC=domain

In case of a communication issue (because of a firewall restriction, etc.), finish the clearing process of the chosen DC against the remaining DCs and then repeat Step 1 with the failed ones:

[diagram linger1]

Step 2: Cleaning up writable version of domain partition on remaining DCs

A series of commands run against all other DCs of the affected domain cleans up their partitions with reference to the DC chosen in Step 1:

repadmin /removelingeringobjects DC2 DC1guid DC=my,DC=domain
repadmin /removelingeringobjects DC3 DC1guid DC=my,DC=domain
...
repadmin /removelingeringobjects DCn DC1guid DC=my,DC=domain

In case of a communication issue, repeat Step 2 with the failed DCs:

[diagram linger2]

 

Step 3: Cleaning up read-only version of domain partition on all GCs in entire forest

A series of commands run against all GCs located in other domains cleans up their read-only copies of the affected domain partition with reference to any DC from Step 1 or Step 2.

repadmin /removelingeringobjects AB1 DC1guid DC=my,DC=domain
repadmin /removelingeringobjects CD2 DC1guid DC=my,DC=domain
...
repadmin /removelingeringobjects XYn DC1guid DC=my,DC=domain

In case of a communication issue, replace DC1guid with any other one from Step 1 or 2. If none of the DC GUIDs allows proper communication between the GC being cleared and any DC that owns the affected domain partition, use the nearest GC that already went through Step 3 without failure to re-host this partition:

repadmin /unhost <myGC> DC=root,DC=local
repadmin /rehost <myGC> DC=root,DC=local <clean GC>

[diagram linger3]
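An added example, not from the original post: given a domain and the reference DC from Step 1, it resolves the DSA GUIDs (the objectGUID of each NTDS Settings object, as in the dsquery line above) and prints the repadmin commands for Steps 1 to 3 in the order described. Nothing is executed unless -Run is given, and even then /advisory_mode stays on until -Commit is added, so the first pass only reports what would be removed. Function and parameter names are my own; the ActiveDirectory module is assumed.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module and repadmin.
Import-Module ActiveDirectory

# HostName -> @{ Guid = DSA GUID; ReadOnly = $true for RODCs }
function Get-DsaGuidMap {
    param([string]$Domain)
    $map = @{}
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        # The DSA GUID is the objectGUID of "CN=NTDS Settings,CN=<dc>,CN=Servers,..."
        $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Server $Domain
        $map[$dc.HostName] = @{ Guid = $ntds.ObjectGUID.ToString(); ReadOnly = [bool]$dc.IsReadOnly }
    }
    $map
}

function Get-LingeringObjectPlan {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$ReferenceDC,   # FQDN; "DC1" in the post, usually the PDC
        [switch]$Run,                                 # execute instead of printing
        [switch]$Commit                               # with -Run: drop /advisory_mode
    )
    $partition = (Get-ADDomain -Server $Domain).DistinguishedName   # DC=my,DC=domain
    $dcs = Get-DsaGuidMap -Domain $Domain
    if (-not $dcs.ContainsKey($ReferenceDC)) {
        throw "$ReferenceDC is not a DC of $Domain (known: $($dcs.Keys -join ', '))"
    }
    $others = $dcs.Keys | Where-Object { $_ -ne $ReferenceDC } | Sort-Object
    $refGuid = $dcs[$ReferenceDC].Guid
    $mode = if ($Commit) { '' } else { ' /advisory_mode' }
    $plan = @()

    # Step 1: clean the reference DC against every other writable DC (RODCs never act as source)
    foreach ($src in $others | Where-Object { -not $dcs[$_].ReadOnly }) {
        $plan += "repadmin /removelingeringobjects $ReferenceDC $($dcs[$src].Guid) $partition$mode"
    }
    # Step 2: clean every other DC of the domain against the now clean reference DC
    foreach ($dst in $others) {
        $plan += "repadmin /removelingeringobjects $dst $refGuid $partition$mode"
    }
    # Step 3: clean the read-only copy on every GC in the other domains of the forest
    $otherDomains = (Get-ADForest -Server $Domain).Domains | Where-Object { $_ -ne $Domain }
    foreach ($gc in $otherDomains | ForEach-Object { Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } -Server $_ }) {
        $plan += "repadmin /removelingeringobjects $($gc.HostName) $refGuid $partition$mode"
    }

    foreach ($cmd in $plan) {
        if (-not $Run) { $cmd; continue }
        Write-Host "==> $cmd"
        & cmd.exe /c $cmd
        # A failure here is the "communication issue" case: rerun the step for the failed DCs
        if ($LASTEXITCODE -ne 0) { Write-Warning "failed (exit $LASTEXITCODE): $cmd" }
    }
}

# Dry run: print the full command list for review before anything is executed
Get-LingeringObjectPlan -Domain 'my.domain' -ReferenceDC 'DC1.my.domain'
```

Review the printed list, run it with -Run to get the 1938/1946/1942 advisory events, and only then add -Commit for the real removal (events 1937/1945/1939).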

 

Events:

The following events are logged while clearing lingering objects:

Events logged on DC without lingering objects:

1388: SRC is off, lingering objects appeared

1988: SRC is on, lingering objects blocked

2042: Too long since source replication

Events logged on DC with lingering objects during:

repadmin /removelingeringobjects … /advisory_mode

1938: Starting detection summary

1946: For each lingering object detected

1942: Final detection summary

Events logged on DC with lingering objects during:

repadmin /removelingeringobjects …

1937: Starting removal summary

1945: For each lingering object detected and removed

1939: Final removal summary

Reference articles:

Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)

http://technet.microsoft.com/en-us/library/cc738018%28v=ws.10%29.aspx

Event ID 1388 or 1988: A lingering object is detected

http://technet.microsoft.com/en-us/library/cc780362%28v=ws.10%29.aspx

Lingering objects may remain after you bring an out-of-date global catalog server back online

http://support.microsoft.com/kb/314282

Outdated Active Directory objects generate event ID 1988 in Windows Server 2003

http://support.microsoft.com/kb/870695

How to find and remove lingering objects in Active Directory

http://sandeshdubey.wordpress.com/2011/10/09/how-to-find-and-remove-lingering-objects-in-active-directory/

Clean that Active Directory forest of lingering objects

http://blogs.technet.com/b/glennl/archive/2007/07/26/clean-that-active-directory-forest-of-lingering-objects.aspx

Repadmin for Experts

http://technet.microsoft.com/en-us/library/cc811549%28v=ws.10%29.aspx

Enable strict replication consistency

http://technet.microsoft.com/en-us/library/cc784245%28v=ws.10%29.aspx

 

VBS scripts to query everything

December 24th, 2014

Here are a few simple scripts I developed to automate, to some degree, regular reporting against a set of servers. The result is usually presented as a csv file, to be used quickly in Excel or similar spreadsheet software.

Scripts to query WMI:

Script to report installed roles and features:

getRoles.zip

usage: cscript /nologo getRoles.vbs servers.txt

Example of input file: servers.txt

DC1
DC2
FS1

Example of output file: getRoles_26-09-2014_12-30-14.csv

Server;Role ID;Role Name
DC1;256;Role Administration Tools
DC1;257;Active Directory Domain Services Tools
DC1;299;Active Directory Domain Controller Tools
DC2;6;File Services
DC2;9;Active Directory Lightweight Directory Services

Script to report info about installed services:

getServices.zip

usage: cscript /nologo getServices.vbs servers.txt

Example of input file: servers.txt

DC1
DC2
FS1

Example of output file: getServices_19-11-2013_07-30-15.csv

Server;Display Name;Start Mode;State;Status;Path Name;Account
FS1;Disk Defragmenter;Manual;Stopped;OK;C:\Windows\system32\svchost.exe -k defragsvc;localSystem 
FS1;DHCP Client;Auto;Running;OK;C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted;NT Authority\LocalService 
FS1;DNS Client;Auto;Running;OK;C:\Windows\system32\svchost.exe -k NetworkService;NT AUTHORITY\NetworkService

Script to report information about capacity of local disks:

getCapacity.zip

usage: cscript /nologo getCapacity.vbs servers.txt

Example of input file: servers.txt

DC1
DC2
FS1

Example of output file: getCapacity_01-10-2013_13-01-51.csv

Hostname;Drive;Size (GB);Used (GB);Free space (GB);Percent of free space
DC1;C:;59,95;27,03;32,92;54,91% 
DC2;E:;350,00;6,49;343,50;98,15% 
FS1;C:;29,30;28,09;1,21;4,11%

Script to report activation status:

getActivationStatus.zip

usage: cscript /nologo getActivationStatus.vbs servers.txt

Example of input file: servers.txt

DC1
DC2
FileServer1

Example of output file: getActivationStatus_17-06-2013_10-12-18.csv

Hostname;Activated;Product 
DC1;Activated;Windows Server(R), ServerEnterprise edition 
DC2;Activated;Windows Server(R), ServerEnterprise edition 
FS1;Activated;Windows Server(R), ServerStandard edition

Script to report shares:

getSharings.zip

usage: cscript /nologo getSharings.vbs servers.txt

Example of input file: servers.txt

DC1
DC2
FS1

Example of output:

Hostname;Share;Type;Path;Trustee;Permissions
FS1;print$;Disk Drive;C:\Windows\system32\spool\drivers;Everyone;READ
FS1;print$;Disk Drive;C:\Windows\system32\spool\drivers;Administrators;FULL CONTROL
FS1;Users;Disk Drive;C:\Users;Administrators;FULL CONTROL
FS1;Users;Disk Drive;C:\Users;Everyone;FULL CONTROL
FS1;Xerox Phaser 6110MFP;Printer Queue;Xerox Phaser 6110MFP,LocalsplOnly;Everyone;FULL CONTROL
FS1;Xerox Phaser 6110MFP;Printer Queue;Xerox Phaser 6110MFP,LocalsplOnly;ALL APPLICATION PACKAGES;FULL CONTROL

Scripts to query registry:

Script to report installed software:

getSoftware.zip

usage: cscript /nologo getSoftware.vbs servers.txt

Example of input file: servers.txt

DC1
DC2
FS1

Example of output file: getSoftware_12-06-2013_13-51-58.csv

Server;Name;Version;Publisher;Installation Date;Install Location
DC1;Adobe Flash Player 10 ActiveX;10.0.32.18;Adobe Systems Incorporated;;
DC1;FileZilla Client 3.2.4.1;3.2.4.1;;;C:\Program Files\FileZilla FTP Client
DC1;Windows Internet Explorer 7;20070813.185237;Microsoft Corporation;20090819;

Script to report status of WSUS:

getWSUS.zip

usage: cscript /nologo getWSUS.vbs servers.txt

Example of input file: servers.txt

DC1
DC2
FS1

Example of output:

Server;AUOptions;Description;Scheduled Install Date;Next Detection Time 
DC1;1;Never check for updates (not recommended);2013-03-02 00:00:00;2013-03-01 14:07:17 
DC2;2;Check for updates but let me choose wheter to download and install them;;2013-03-02 03:04:51
FS1;4;Install updates automatically (recommended);2013-03-02 02:00:00;2013-03-01 17:28:32

Scripts to query LDAP:

Script to enumerate the groups to which a user specified in the input file belongs directly (nesting level = 0) and indirectly (nesting level > 0):

getMemberOf.zip

usage: cscript /nologo getMemberOf.vbs users.txt

Example of input file: users.txt

Administrator
myUser
myNextUser

Example of output:

User;Group;Nesting level
Administrator;Administrators;0
Administrator;Schema Admins;0
Administrator;Denied RODC Password Replication Group;1

Feel free to use them.

 

DFS resources

December 20th, 2014

Here is my attempt at grouping the DFS resources available for study; I’m sure I missed a lot of useful web sites.

Microsoft Official Courses (MOC):

6419B: Configuring, Managing and Maintaining Windows Server 2008-based Servers

Module 4: Configuring and Managing Distributed File System:
– Lesson 1: Distributed File System Overview
– Lesson 2: Configuring DFS Namespaces
– Lesson 3: Configuring DFS Replication
Categorized as Level 200 by Microsoft

6421B: Configuring and Troubleshooting a Windows Server 2008 Network Infrastructure

Module 11: Optimizing Data Access for Branch Offices
– DFS Overview
– Overview of DFS Namespaces
– Configuring DFS Replication
Categorized as Level 200 by Microsoft

20411D: Administering Windows Server 2012

Module 9: Optimizing File Services:
– Overview of DFS
– Configuring DFS Namespaces
– Configuring and Troubleshooting DFS Replication
Categorized as Level 200 by Microsoft

20413C: Designing and Implementing a Server Infrastructure

Module 10: Planning and Implementing File Services:
– Planning and Implementing DFS
Categorized as Level 300 by Microsoft

20414B: Implementing an Advanced Server Infrastructure

Module 7: Planning and Implementing High Availability for File Services and Applications:
– Planning and Implementing DFS
Categorized as Level 300 by Microsoft

Internet:

An excellent repository of all significant resources available on the Internet:

DFS Replication: Survival Guide

My own development:

Script to check replication status on all servers found in AD as DFS replication partners:

getDFSRStatus.zip

usage: cscript /nologo getDFSRStatus.vbs

Script to check replication status on one server specified as parameter:

getDFSRStatusLite.zip

usage: cscript /nologo getDFSRStatusLite.vbs <myDFSRServer>

The above scripts generate a csv report with the connection state, target folder state, backlog, etc. Here is an example output file getDFSRStatus_06-11-2014_13-59-06.csv:

Member name;Target folder;Partner name;Replication group;Connection state;Connection last sync;Connection last sync duration [s];Connection last successful sync;Connection next sync;Target folder state;Backlog count;Stage size [MB];Conflict size [MB];Last conflict cleanup;Last tombstone cleanup
FS-01;I:\DATA;FS-02;RG_DATA;1 (Online);6-11-2014 8:16:22;1113;6-11-2014 8:16:22;6-11-2014 8:34:56;2 (Initial Sync);0;0;0;5-11-2014 22:34:39;5-11-2014 22:34:39
FS-01;I:\USERS;FS-02;RG_USERS;1 (Online);6-11-2014 8:16:22;1113;6-11-2014 8:16:22;6-11-2014 8:34:56;4 (Normal);0;40952;1;5-11-2014 22:44:50;5-11-2014 22:44:50
FS-01;I:\USERS;FS-03;RG_USERS;1 (Online);6-11-2014 6:34:58;1806;6-11-2014 6:34:58;6-11-2014 7:05:04;4 (Normal);0;21784;497;30-10-2014 22:22:08;30-10-2014 22:22:08
FS-01;I:\DATA;FS-03;RG_DATA;1 (Online);6-11-2014 6:34:58;1806;6-11-2014 6:34:58;6-11-2014 7:05:04;4 (Normal);0;45551;508;30-10-2014 22:22:09;30-10-2014 22:22:09

 

DFS-R topology

May 4th, 2013

The topology of DFS-R can be easily visualized using the GraphViz tool.

Based on the Active Directory Topology Visualization part 1 solution, I have developed the next script to get a clear picture of what DFS replication looks like. The design of the solution is very much the same: a vbs script queries AD for DFS replication groups, folders, servers and connections and formats the result into a dot language file. Then the dot file is used as input for the GraphViz package to generate a picture of the DFS-R topology.

The vbs script can be downloaded here without any limitation on its use:

getDFSRTopology.zip

usage:

cscript /nologo getDFSRTopology.vbs

Result:

The generated dot file can look like this:

DIGRAPH DFSRTopology {
 
fontname=helvetica;
node [fontname=helvetica, image="server.png", labelloc=b,color=white];
 
SUBGRAPH cluster_Bold_and_Beautiful {
label = "Group: Bold_and_Beautiful\nFolder: B&B";
 
FS01_0 [label=FS01];
FS02_0 [label=FS02];
 
}
 
SUBGRAPH cluster_OnlySN_PR {
label = "Group: OnlySN_PR\lFolder: PR-SN"
 
FS03_1 [label=FS03];
FS02_1 [label=FS02];
 
}
 
SUBGRAPH cluster_REPL_Maximo_PROD {
label = "Group: REPL_Maximo_PROD\lFolder: PROD_CfR_Archive\lFolder: PROD_CfR_Current"
 
FS03_2 [label=FS03];
FS02_2 [label=FS02];
FS01_2 [label=FS01];
 
}
 
SUBGRAPH cluster_RG_CORPDATA_DATA {
label = "Group: RG_CORPDATA_DATA\lFolder: DATA"
 
FS02_3 [label=FS02];
FS01_3 [label=FS01];
 
}
 
SUBGRAPH cluster_RG_CORPDATA_USERS {
label = "Group: RG_CORPDATA_USERS\lFolder: USERS"
 
FS01_4 [label=FS01];
FS02_4 [label=FS02];
 
}
 
FS02_0 -> FS01_0;
FS01_0 -> FS02_0;
FS02_1 -> FS03_1;
FS03_1 -> FS02_1;
FS01_2 -> FS03_2;
FS02_2 -> FS03_2;
FS01_2 -> FS02_2;
FS03_2 -> FS02_2;
FS03_2 -> FS01_2;
FS02_2 -> FS01_2;
FS01_3 -> FS02_3;
FS02_3 -> FS01_3;
FS02_4 -> FS01_4;
FS01_4 -> FS02_4;
 
}

and based on it, here is the picture (command: fdp *.dot -Tjpg -O):

[diagram fdp4]

Rectangles represent replication groups with their replication partners. Unlike the Active Directory Topology Visualization part 1 or Site links topology solutions, where each node occurs only once, here one trick is needed to have the same server in various groups. In line 88 of the vbs script I append a counter to the node names to get group-specific nodes, while their labels stay the same. This shows the same server name in various groups, but from the dot language viewpoint the nodes are definitely different.

 

Site links topology

May 4th, 2013

Based on the solution developed for Active Directory Topology Visualization part 1, I have made a very similar script to get a nice picture of the site links defined in AD.

I think it is quite useful to know whether a gap in replication is not caused by a missing site link, etc.

Details:

Nothing special was developed by me. I simply query this DN via a vbs script:

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=my,DC=domain

and the result is presented as a dot language formatted file.

The vbs code can be downloaded here, feel free to use it:

getSiteLinks.zip

usage:

cscript /nologo getSiteLinks.vbs

Gallery:

The result of the above vbs script can look as follows:

GRAPH siteLinks {
 
    node [fontname=helvetica, image="site.png", labelloc=b, color=white];
 
    Site1 -- HQ;
    Site2 -- Site3;
    Site2 -- HQ;
    Site3 -- HQ;
    Test -- HQ;
    Site2 -- HQ;
    Site4 -- HQ;
    Site5 -- Site6;
    Site5 -- HQ;
    Site6 -- HQ;
    Site6 -- HQ;
    Site7 -- Site3;
    Site7 -- HQ;
    Site3 -- HQ;
    Site8 -- Site4;
    Site8 -- Site9;
    Site8 -- HQ;
    Site4 -- Site9;
    Site4 -- HQ;
    Site9 -- HQ;
    Backup -- HQ;
    Site7 -- Site10;
    Site7 -- HQ;
    Site10 -- HQ;
    Test -- HQ;
 
}

and based on it, GraphViz can generate:

dot diagram layout (command: dot *.dot -Tjpg -odot.jpg):

[diagram dot3]

fdp diagram layout (command: fdp *.dot -Tjpg -ofdp.jpg):

[diagram fdp3]

sfdp diagram layout (command: sfdp *.dot -Tjpg -osfdp.jpg):

[diagram sfdp3]

Example of a site node picture:

[image site.png]

Any other picture than the one above can be used to present a site in the diagram. The most important thing is to put the site picture file (site.png in this case) in the same location as the dot file before compilation.