
The things that are better left unspoken

a blog by Sander Berkouwer

Active Directory Domain Services Command Fu, Part 1

As some systems administrators have already found out, on Microsoft Windows Servers some tasks cannot be performed using the Graphical User Interface (GUI). Although multiple vendors have released graphical tools to make these tasks easier for the typical click-on-through Windows admin, these tasks can easily be performed using the built-in command-line tools. Also, some queries for information using the built-in graphical tools can result in numerous clicks, ending with information scattered across management consoles and screens.

I think every self-respecting Active Directory Domain Services Admin should know the command-line equivalents of 3rd party tools or needlessly complex click sequences.

Even when you’re comfortable using them, it wouldn’t hurt to show off some Active Directory Domain Services Command Fu, would it? Then again, only the more advanced stuff in Active Directory Domain Services is hidden from plain sight. Unless you’re planning to use ldp.exe or adsiedit.msc all the time to hack your way through your Active Directory jungle, and if you’re truly aiming for that senior Active Directory admin position, you should keep reading!

So, to kick off this series, here are three Active Directory Domain Services management tasks, applicable to all current Domain and Forest Functional Levels, that cannot, or cannot easily, be performed using the built-in Graphical User Interface (GUI), but instead rock on the command line!

In this blog series:

  • Part 1
  • Part 2
  • Part 3
  • Part 4
  • Part 5
  • Part 6

Creating custom application partitions

Command-line tools to use:

  • dnscmd.exe
  • ntdsutil.exe

Replication in Active Directory is controlled through application directory partitions. An application directory partition is a directory partition that can be used to replicate changes only to specific domain controllers. Application directory partitions are particularly useful when controlling the Domain Controllers to which you want to replicate Active Directory-integrated DNS Zones, since some companies have requirements beyond the DomainDnsZones and ForestDnsZones application partitions available by default.

Tip!
To gain access to dnscmd.exe on a Windows 2000 Server you need to install the Resource Kit tools. A separately downloadable dnscmd.exe for use on Windows 2000 Server is also available.

However, creating custom application directory partitions cannot be done using the Graphical User Interface (GUI). You will need to create a custom application directory partition using dnscmd.exe /createdirectorypartition first, before you can change the replication scope of a DNS zone to it.

While that last part can actually be performed using the Graphical User Interface, you can also use dnscmd.exe /enlistdirectorypartition to complete the task on the command line.

Alternatively, you can also use the built-in commands within the domain management context in ntdsutil.exe to delete or create directory partitions and add or remove replicas to or from the directory partition.
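Putting the dnscmd.exe steps above together, as an added example that is not part of the original post: the script creates a custom application directory partition, enlists a second domain controller as a replica, moves an Active Directory-integrated zone into the new partition and verifies the replica set. The server names, partition name and zone name are hypothetical, and it assumes the account running it is a member of Enterprise Admins.

```powershell
# Added example (not from the original post). Hypothetical names throughout:
# two DCs in corp.example.tld, a new partition CustomDnsZones.corp.example.tld
# and a zone branch.corp.example.tld that should only replicate to those two DCs.
$PrimaryDc = 'dc1.corp.example.tld'               # becomes the first replica of the partition
$ReplicaDc = 'dc2.corp.example.tld'               # enlisted as the second replica
$Partition = 'CustomDnsZones.corp.example.tld'    # dnscmd takes the partition name as an FQDN
$Zone      = 'branch.corp.example.tld'

# Run dnscmd.exe and stop on the first failure. dnscmd reports errors as
# "Command failed: ..." in its output, so check for that as well as the exit code.
function Invoke-DnsCmd {
    param([string[]]$Arguments)
    $output = & dnscmd.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0 -or ($output | Where-Object { $_ -match 'Command failed' })) {
        throw "dnscmd $($Arguments -join ' ') failed: $($output -join ' ')"
    }
    $output
}

# 1. Create the partition on the first DC (requires Enterprise Admins membership).
Invoke-DnsCmd @($PrimaryDc, '/CreateDirectoryPartition', $Partition)

# 2. Enlist the second DC, so the partition (and the zones in it) replicate there as well.
Invoke-DnsCmd @($ReplicaDc, '/EnlistDirectoryPartition', $Partition)

# 3. Change the zone's replication scope from its current partition to the new one.
Invoke-DnsCmd @($PrimaryDc, '/ZoneChangeDirectoryPartition', $Zone, $Partition)

# 4. Verify: the partition must list exactly the intended DCs as replicas,
#    otherwise the zone ends up on more (or fewer) DCs than planned.
Invoke-DnsCmd @($PrimaryDc, '/EnumDirectoryPartitions')
Invoke-DnsCmd @($PrimaryDc, '/DirectoryPartitionInfo', $Partition, '/detail')
```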


Querying Group Policy Replication Health

Command-line tool to use:

  • gpotool.exe

Group Policy Objects (GPOs) typically consist of a Group Policy Container (stored within Active Directory under CN=Policies,CN=System,DC=Domain,DC=tld) and a Group Policy Template (stored within the System Volume, SYSVOL, in the Policies folder).

During replication, the version numbers of the Group Policy Container (GPC) and the Group Policy Template (GPT) might get skewed. When the version numbers don’t match, the Group Policy doesn’t get applied.

While you can check the versions and health of a Group Policy Object (GPO) using the Group Policy Management Console (GPMC), where you’d check the version tab, the GPMC is a separate download on most downlevel versions of Windows Server.

Using the Group Policy Verification Tool (gpotool.exe) you can check the health of Group Policy Objects (GPOs). Going one step further, running gpotool.exe with the /verbose switch adds version information to the output.

Tip!
For Windows Server 2003, the Group Policy Verification Tool is part of the Windows Server 2003 Deployment Tools. For Windows 2000 Server, the Group Policy Verification Tool is part of the Windows 2000 Resource Kit.
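The GPC/GPT version comparison that gpotool.exe performs, as an added example that is not part of the original post: it reads versionNumber from each Group Policy Container on one domain controller and the Version= line from that same DC's SYSVOL copy of GPT.INI, splits the version into its computer and user halves, and reports the GPOs where the two sides differ. The domain controller name is a hypothetical placeholder, and the script assumes read access to CN=Policies and to the DC's SYSVOL share.

```powershell
# Added example (not from the original post): compare GPC and GPT versions per DC,
# the check gpotool.exe automates. Run it against each DC to spot replication skew.
function Get-GpoVersionSkew {
    param(
        [Parameter(Mandatory = $true)][string]$DomainController,  # e.g. dc1.corp.example.tld (hypothetical)
        [string]$Domain = $env:USERDNSDOMAIN
    )
    $domainDn = 'DC=' + (($Domain -split '\.') -join ',DC=')
    $root     = [ADSI]"LDAP://$DomainController/CN=Policies,CN=System,$domainDn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=groupPolicyContainer)')
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'displayName', 'versionNumber'))

    foreach ($result in $searcher.FindAll()) {
        $cn = [string]$result.Properties['cn'][0]
        # versionNumber is a 32-bit value: low 16 bits = computer settings, high 16 bits = user settings.
        # ADSI hands it back as a signed Int32, so widen it before masking.
        $gpcVer = [int64]$result.Properties['versionnumber'][0] -band 0xFFFFFFFF

        # Read the GPT version from this DC's own SYSVOL replica, not from the domain-wide DFS path,
        # so that a DC whose SYSVOL lags behind shows up as skewed.
        $gptIni = "\\$DomainController\SYSVOL\$Domain\Policies\$cn\GPT.INI"
        $gptVer = -1
        $hit = Select-String -Path $gptIni -Pattern '^Version=(\d+)' -ErrorAction SilentlyContinue
        if ($hit) { $gptVer = [int64]$hit.Matches[0].Groups[1].Value }

        $status = if ($gptVer -lt 0) { 'GPT missing on this DC' }
                  elseif ($gptVer -ne $gpcVer) { 'Version skew (GPC and GPT differ)' }
                  else { 'OK' }

        New-Object PSObject -Property @{
            Name            = [string]$result.Properties['displayname'][0]
            Guid            = $cn
            GpcVersion      = $gpcVer
            GptVersion      = $gptVer
            ComputerVersion = $gpcVer -band 0xFFFF
            UserVersion     = [math]::Floor($gpcVer / 65536)
            Status          = $status
        }
    }
}

# Usage: list only the GPOs that are unhealthy on this DC
Get-GpoVersionSkew -DomainController 'dc1.corp.example.tld' | Where-Object { $_.Status -ne 'OK' }
```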


Editing advanced trust properties

Command-line tool to use:

  • netdom.exe

Active Directory Domains and Trusts, to most, are the stuff of acquisitions, mergers and worlds of distrust between groups of admins. I don’t want to digress much into the wonderful world of trusts, but I do want to talk about editing two trust-related properties that are essential to restructuring Active Directory forests using the Active Directory Migration Tool (ADMT):

  • SID Filtering
  • SID History

SID History is an attribute of an Active Directory object that may contain the SID the object had in a former Active Directory forest or domain. You can fill the sIDHistory attribute using the Active Directory Migration Tool (ADMT) or manually. Through the sIDHistory attribute, the object still passes Access Control Lists (ACLs) that grant access to its former SID.

By default on Windows Server 2003 and onwards, SID filtering (quarantining) is turned on for Active Directory external trusts. This means the sIDHistory attribute for a user is filtered out and discarded. When creating a trust from a pre-SP4 Windows 2000 Server-based Domain Controller you will need to enable SID filtering manually if you want to use it.

Note:
Performing the commands below to enable SID History and disable SID quarantining may pose a security risk. When an attacker manually fills the sIDHistory attribute, the attacker may gain unauthorized rights over the trust.

To disable SID Filtering quarantining and enable SID History, use the following commands:

Netdom trust TrustingDomain.tld /domain:TrustedDomain.tld /quarantine:No

Netdom trust TrustingDomain.tld /domain:TrustedDomain.tld /enableSIDHistory:Yes
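Given the risk noted above, the trusts whose SID filtering has been relaxed with these netdom switches are worth auditing. As an added example that is not part of the original post, the function below enumerates the trustedDomain objects of a domain and decodes the trustAttributes bits that /quarantine and /enableSIDHistory toggle; the bit values (0x4 QUARANTINED_DOMAIN, 0x40 TREAT_AS_EXTERNAL, 0x8 FOREST_TRANSITIVE, 0x20 WITHIN_FOREST) are taken from the MS-ADTS specification, and the domain name defaults to that of the logged-on user.

```powershell
# Added example (not from the original post): report the SID filtering state of every trust
# by decoding trustAttributes (bit values per MS-ADTS), so relaxed trusts stand out.
function Get-TrustSidFilteringStatus {
    param([string]$Domain = $env:USERDNSDOMAIN)
    $domainDn = 'DC=' + (($Domain -split '\.') -join ',DC=')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://CN=System,$domainDn", '(objectClass=trustedDomain)')
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('trustPartner', 'trustDirection', 'trustAttributes'))
    $directions = @{ 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }

    foreach ($r in $searcher.FindAll()) {
        $attrs       = [int64]$r.Properties['trustattributes'][0]
        $forestTrust = ($attrs -band 0x8)  -ne 0   # TRUST_ATTRIBUTE_FOREST_TRANSITIVE
        $withinForest= ($attrs -band 0x20) -ne 0   # TRUST_ATTRIBUTE_WITHIN_FOREST (parent/child, tree root)
        $quarantined = ($attrs -band 0x4)  -ne 0   # TRUST_ATTRIBUTE_QUARANTINED_DOMAIN: netdom /quarantine:Yes
        $asExternal  = ($attrs -band 0x40) -ne 0   # TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL: netdom /enableSIDHistory:Yes

        # Within a forest SID filtering is not applied; forest trusts filter unless relaxed to
        # "external" behaviour; external trusts filter only while the quarantine bit is set.
        $filtering = if ($withinForest) { 'n/a (intra-forest)' }
                     elseif ($forestTrust) { if ($asExternal) { 'Relaxed: SID history honoured' } else { 'Enforced' } }
                     elseif ($quarantined) { 'Enforced' }
                     else { 'Disabled: SID history honoured' }

        New-Object PSObject -Property @{
            Partner      = [string]$r.Properties['trustpartner'][0]
            Direction    = $directions[[int]$r.Properties['trustdirection'][0]]
            Type         = if ($withinForest) { 'Intra-forest' } elseif ($forestTrust) { 'Forest' } else { 'External' }
            Attributes   = ('0x{0:X}' -f $attrs)
            SidFiltering = $filtering
        }
    }
}

# Usage: show only the trusts where sIDHistory from the other side would be honoured
Get-TrustSidFilteringStatus | Where-Object { $_.SidFiltering -match 'SID history honoured' }
```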

Posted: Thursday, March 11, 2010 3:04 PM by Sander Berkouwer

Comments

Active Directory Round Up 3/12/2010 - The Experts Community said:

The Active Directory team blog has a couple of posts worth mentioning and your time. First is an explanation on how to provision mailboxes in Exchange 2007 and 2010 using ILM and FIM. Clear cut with detailed notes and screen shots. The other entry is on managing different aspects of Active Directory that don't have a clear cut or easy to use GUI counterpart. For example, how do you create a custom application partition or manage advanced trust properties? This article will show you the way. The post appears to be the first in an upcoming series.
# March 12, 2010 1:23 PM

The things that are better left unspoken said:

This first part of the series covered some advanced commands to perform specific tasks in Active Directory Domain Services, available since Windows 2000 Server. Thanks to some great feedback on that first post, in this second part I’ll cover some more basic commands.

Granted, these commands will not make you look like a rocket scientist, but will make (the sysadmin part of) your life easier: These dedicated Directory Services ds* commands can be used to automate most of the object-related tasks.

# March 25, 2010 1:37 PM

TrackBack said:

Not everything in Active Directory can be done through the graphical user interface, but a lot of it is also faster and scriptable that way. This refers to tools such as dnscmd.exe or dsadd.exe. So far, two parts of a blog series on this have appeared.
# May 18, 2010 2:04 PM

TrackBack said:

This blogpost featured on the 'Ask the Directory Services Team' blog.
# May 18, 2010 2:05 PM

TrackBack said:

Active Directory Domain Services Commands: for DC renaming, Domain renaming,...

Part1:
   http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2010/03/11/active-directory-domain-services-command-fu-part-1.aspx
Part2:
   http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2010/03/25/active-directory-domain-services-command-fu-part-2.aspx
Part3:
   http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2010/04/08/active-directory-domain-services-command-fu-part-3.aspx
Part4:
   http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2010/04/16/active-directory-domain-services-command-fu-part-4.aspx
# May 18, 2010 2:06 PM