Archive | August 2012

Active Directory troubleshooting tools

 

I was recently asked what kind of tools I would use to troubleshoot an Active Directory environment in a company. That encouraged me to write this article and share information about those tools (thank you, German, for asking 🙂 )

Active Directory Directory Services tools

It may sound funny, but I would strongly recommend using the basic Windows tools first, to rule out a networking issue on the server itself.

  • ipconfig
ipconfig /all

shows the network settings of the server. Simply review the IP address, network mask, default gateway and DNS server list to be sure that nothing has changed there. This is really useful when the server gets its address from DHCP with a reservation. When you see an address of the form 169.254.x.y with network mask 255.255.0.0 (an APIPA address) in the IP address section, you can be sure that the machine has no connection to the DHCP server. If the settings are correct, move on to the next command

  • ping

The next step checks whether the network card is working and whether network communication works on the server. For the first check, ping the loopback address (127.0.0.1) to see if it replies. If it does, you can be sure the NIC is not broken; otherwise you have a network card issue

ping 127.0.0.1

Once that works, check that the server works properly on layer 3 by pinging its own real IP address or another machine in the same subnet

ping <ServerIPAddress>

After that, check communication with the default gateway to be sure that other subnets are reachable

ping <DefaultGateway=Router>

The last check is against a remote host in another subnet. It tells you whether routing between the current network and the rest of the network works and whether communication leaves the subnet.

ping <RemoteHostIPAddress>

At this stage that's all you can check with the ping command.

  • tracert

This tool shows how network traffic travels to another subnet. You can see how many routers (hops) are on the path and evaluate whether the traffic takes the expected route. Tracert also shows the delay at each hop, which helps to detect where a connection lags. When the target is not reachable, you will see at which hop it stops working or where the longest delay is.

tracert <DestinationIPAddress>
or
tracert -d <DestinationIPAddress>

As you can see, there are two variants of this command. I would suggest using the second one, with the -d switch. When you run tracert with -d, reverse DNS resolution of each hop is skipped and the command finishes a little faster.

  • pathping

This command combines ping and tracert. Its output shows the response time of each hop along the routing path.

pathping <RemoteHostIPAddress>

  • netstat

After verifying network connectivity, you should also check that all required ports are open and that the server is listening on them

netstat -an -p tcp

and you will get all ports on which the server is listening.

The full list of ports that must be open for Active Directory communication through a firewall can be found on the Microsoft TechNet site.
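The ipconfig / ping / netstat checklist above can be scripted so that it is run the same way every time. The block below is an added example (my code, not from the original article): it reads the adapter settings through WMI, flags APIPA addresses and missing gateway or DNS entries, runs the four-step ping sequence, and then compares the TCP listeners (what netstat -an -p tcp shows) against the commonly required AD ports. The $RemoteHost value is a placeholder, and the port list is my own summary of the usual AD ports; reconcile it with the Microsoft list the article points to for your environment.

```powershell
# Added example, not part of the original article. Automates the ipconfig / ping / netstat
# checklist on a domain controller (PowerShell 2.0 or later, run locally on the DC).
# Assumptions: $RemoteHost is a host in another subnet you expect to reach (placeholder);
# $adPorts lists the commonly required AD ports and is not the official Microsoft list.
function Test-DcNetworkBasics {
    param([string]$RemoteHost = "remote-host.example.invalid")   # placeholder, replace

    $results  = @()
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"

    # Step 1 (ipconfig /all): address, gateway and DNS servers of every enabled adapter
    foreach ($a in $adapters) {
        foreach ($ip in @($a.IPAddress)) {
            # 169.254.x.y is an APIPA address: no DHCP lease was obtained
            $apipa = $ip -like "169.254.*"
            $results += New-Object PSObject -Property @{ Check = "Address on $($a.Description)"; Target = $ip; Ok = -not $apipa }
        }
        $results += New-Object PSObject -Property @{ Check = "Gateway on $($a.Description)"; Target = "$($a.DefaultIPGateway)"; Ok = [bool]$a.DefaultIPGateway }
        $results += New-Object PSObject -Property @{ Check = "DNS servers on $($a.Description)"; Target = "$($a.DNSServerSearchOrder)"; Ok = [bool]$a.DNSServerSearchOrder }
    }

    # Step 2 (ping): loopback, own address, default gateway, then a host in another subnet
    $ownIp   = @($adapters | ForEach-Object { $_.IPAddress } |
                Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' -and $_ -notlike '169.254.*' })[0]
    $gateway = @($adapters | ForEach-Object { $_.DefaultIPGateway } | Where-Object { $_ })[0]
    $pingTargets = @(
        @{ Check = "Ping loopback (NIC/stack)";  Target = "127.0.0.1" },
        @{ Check = "Ping own address (layer 3)"; Target = $ownIp },
        @{ Check = "Ping default gateway";       Target = $gateway },
        @{ Check = "Ping remote subnet host";    Target = $RemoteHost }
    )
    foreach ($t in $pingTargets) {
        $ok = $false
        if ($t.Target) { $ok = Test-Connection -ComputerName $t.Target -Count 2 -Quiet -ErrorAction SilentlyContinue }
        $results += New-Object PSObject -Property @{ Check = $t.Check; Target = $t.Target; Ok = [bool]$ok }
    }

    # Step 3 (netstat -an -p tcp): is the server listening on the ports AD clients need?
    $listening = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners() |
                 ForEach-Object { $_.Port } | Sort-Object -Unique
    $adPorts = @{ 53 = "DNS"; 88 = "Kerberos"; 135 = "RPC endpoint mapper"; 389 = "LDAP";
                  445 = "SMB (SYSVOL/NETLOGON)"; 464 = "Kerberos password change";
                  636 = "LDAPS"; 3268 = "Global Catalog"; 3269 = "Global Catalog SSL" }
    foreach ($port in ($adPorts.Keys | Sort-Object)) {
        $results += New-Object PSObject -Property @{ Check = "Listening: $($adPorts[$port])"; Target = "TCP/$port"; Ok = ($listening -contains $port) }
    }
    $results | Select-Object Check, Target, Ok
}

Test-DcNetworkBasics | Format-Table -AutoSize
```

Any row with Ok = False points at the same place the manual checklist would: an APIPA address means DHCP, a failed gateway ping means the local subnet, a failed remote ping means routing, and a missing listener means the service on the DC rather than the network.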

  • portqry

This tool is similar to netstat, but the main difference is that portqry checks whether a specified port or port range is open, while netstat shows only the ports that are already open and that the server listens on. To use it, you need to download it from Microsoft: Portqry Download

OK, now you have an overview of the networking part. If there are no errors there, you should investigate elsewhere. The next place to look when something is going wrong is the Windows Event Viewer

  • Event Viewer

Please review the logs regularly to avoid server issues. I know it is a lot of work, but detecting an error early can prevent the server from crashing suddenly. The most important logs are:

  1. System log
  2. Application log
  3. Security log (if you are investigating user account lockout or unauthorized access to domain machine)

This is the only place where you get information about lingering objects in your Active Directory environment. That is why it is important to review the event logs on a regular basis.

As a replacement for the standard Event Viewer you can download Event Log Admin, a third-party tool which is free and much more convenient for log management

  • dcdiag

This is one of the most important commands for troubleshooting Active Directory Domain Services. It gives you a quick overview of the condition of your domain/forest so that you can start resolving any issue it finds.

dcdiag /e /c /v /f:c:\dcdiag.log

scans all Domain Controllers in the entire forest for potential issues.

Note! In large environments with a big number of Domain Controllers, I would suggest skipping the /e switch to avoid generating a huge output file and to shorten the reporting time

dcdiag /fix

performs some DNS fixes in the environment (this command superseded netdiag from Windows Server 2003)

  • repadmin

Another very important command for an enterprise/domain administrator. It is used for:

  1. Checking replication status
  2. Forcing replication
  3. Removing lingering objects
  4. Checking status for system state backup of Domain Controllers
  5. Identifying issue with USN rollback

Checking replication status

To display information about the replication status, use the syntax below

repadmin /showrepl /intersite /all /verbose >c:\repadmin.log

and check whether any replication link reports an error status. If you want a summarized report of replication and its state, use

repadmin /replsummary

That's all about checking the replication status.
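Reading the verbose /showrepl log by eye gets tedious in a forest with many DCs. The function below is an added example (mine, not the article's) that uses the /csv switch of repadmin, which is a standard option, to turn the same data into objects and keep only the links with failures. It assumes repadmin.exe is available (it is on every DC and with RSAT) and that the account can query every DC. The -CsvLines parameter lets you feed captured output instead of running repadmin, which is how the constructed sample at the end is used.

```powershell
# Added example, not from the original article: "repadmin /showrepl" as objects, filtered
# to failing replication links. Assumptions: repadmin.exe on the path; the /csv column names
# below are those repadmin emits ("Number of Failures", "Last Failure Status", ...).
function Get-ReplicationFailure {
    param(
        [string]$Scope = "*",      # "*" = every DC in the forest, or a single DC name
        [string[]]$CsvLines        # optional pre-captured /csv output (for testing offline)
    )
    if (-not $CsvLines) { $CsvLines = & repadmin /showrepl $Scope /csv }
    if (-not $CsvLines) { throw "repadmin produced no output; check permissions and RPC connectivity" }

    $CsvLines | ConvertFrom-Csv |
        Where-Object { ($_."Number of Failures" -as [int]) -gt 0 } |
        Select-Object "Source DSA Site", "Source DSA", "Destination DSA", "Naming Context",
                      "Number of Failures", "Last Success Time", "Last Failure Time", "Last Failure Status"
}

# Constructed sample of /csv output (two healthy links, one failing). testenv.local is the
# example domain used elsewhere on this page; 1722 is the Win32 "RPC server is unavailable" code.
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC01,"DC=testenv,DC=local",Default-First-Site-Name,DC02,RPC,0,0,2012-08-20 10:15:02,0
showrepl_INFO,Default-First-Site-Name,DC01,"CN=Configuration,DC=testenv,DC=local",Default-First-Site-Name,DC02,RPC,0,0,2012-08-20 10:15:02,0
showrepl_INFO,Default-First-Site-Name,DC01,"DC=testenv,DC=local",Branch,DC03,RPC,14,2012-08-19 03:10:44,2012-08-18 22:40:11,1722
'@ -split "`r?`n"

Get-ReplicationFailure -CsvLines $sample | Format-Table -AutoSize
# Against a live forest:  Get-ReplicationFailure | Format-Table -AutoSize
```

A link whose Last Success Time keeps ageing while Last Failure Status stays non-zero is the one to chase with repadmin /replsummary and the event logs of the two DCs involved.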

Forcing replication

One option of repadmin is forcing replication with other DCs. If you wish to push a standard Active Directory update within your domain only, try this

repadmin /syncall /APd

To force replication to all Domain Controllers in the entire forest, add the /e switch

repadmin /syncall /APed

but to be able to run the above command, you need to be a member of the Enterprise Admins group in the forest root domain

Removing lingering objects

This does not happen very often, but if it does, you need to clean up the AD database, and repadmin is really helpful for this. The syntax below is only an overview of its usage; if you are interested in how to really clean lingering objects out of the database, please read the Microsoft article “Use Repadmin to remove lingering objects”

repadmin /removelingeringobjects DomainControllerName DomainControllerGUID DirectoryPartition

If you only wish to enumerate lingering objects on a particular directory partition, add the /advisory_mode switch at the end. It does not remove these objects, it only reports them.

repadmin /removelingeringobjects DomainControllerName DomainControllerGUID DirectoryPartition /advisory_mode

Checking status for system state backup of Domain Controllers

As you know, a really important part of regular Domain Controller management is having an up-to-date System State backup. Mostly this is done by a third-party backup tool or by the built-in Windows command run as a scheduled task. How often do you verify that this kind of backup has finished successfully? 🙂

Believe me, you should do that to be sure that you have the most recent System State backup available for at least one Domain Controller. In case of a DC failure, you will be able to restore it. In particular, take care of backing up:

  1. Domain Controller with forest-wide FSMO roles
  2. Domain Controller with domain-wide FSMO roles in each domain

so that in case of a domain failure you are able to restore the most important DC in a short time.

To verify that the System State backup is performed properly on your Domain Controllers, run the query below

repadmin /showbackup *

and it will show the last successful System State backup. One more important command to execute is vssadmin, which lets you see whether all necessary VSS writers are running properly. When their status is Stable, you can be sure that the System State backup will be performed without issues. The vssadmin command needs to be run on each Domain Controller separately.

vssadmin list writers

and check the status of these writers:

  1. System writer
  2. NTDS
  3. FRS writer
  4. Registry writer
  5. COM+ REGDB writer

If all of them have a Stable state, you are fine
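Since vssadmin has to be run on every DC, it helps to have the "is every required writer Stable" check as a function rather than reading the listing by hand. The block below is an added example (my code, not the article's): it parses the "Writer name" / "State" / "Last error" blocks that vssadmin list writers prints and reports the five writers named above. It assumes an elevated session on the DC (vssadmin requires it); -OutputLines lets you pass captured text instead, which is what the constructed sample does so the parser can be tried anywhere.

```powershell
# Added example, not from the original article: parse "vssadmin list writers" and report the
# writers the System State backup depends on. Assumption: the output format with the
# "Writer name: '...'", "State: [n] ...", "Last error: ..." lines, as printed by vssadmin.
function Get-VssWriterState {
    param([string[]]$OutputLines)
    if (-not $OutputLines) { $OutputLines = & vssadmin list writers }   # needs an elevated prompt

    $required = @("System Writer", "NTDS", "FRS Writer", "Registry Writer", "COM+ REGDB Writer")
    $writers  = @{}
    $current  = $null
    foreach ($line in $OutputLines) {
        if ($line -match "^Writer name: '(.+)'\s*$") {
            $current = $matches[1]
            $writers[$current] = New-Object PSObject -Property @{ Writer = $current; State = "unknown"; LastError = "unknown" }
        } elseif ($current -and $line -match "^\s*State: \[\d+\]\s+(.+?)\s*$") {
            $writers[$current].State = $matches[1]
        } elseif ($current -and $line -match "^\s*Last error: (.+?)\s*$") {
            $writers[$current].LastError = $matches[1]
        }
    }
    foreach ($name in $required) {
        if ($writers.ContainsKey($name)) {
            $w  = $writers[$name]
            $ok = ($w.State -eq "Stable" -and $w.LastError -eq "No error")
            New-Object PSObject -Property @{ Writer = $name; State = $w.State; LastError = $w.LastError; Ok = $ok }
        } else {
            # A writer that is not registered at all cannot be backed up either
            New-Object PSObject -Property @{ Writer = $name; State = "missing"; LastError = "n/a"; Ok = $false }
        }
    }
}

# Constructed sample output: one healthy writer, one stuck writer, the rest missing.
# GUIDs are placeholders, not the real writer ids.
$sample = @'
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Writer name: 'System Writer'
   Writer Id: {00000000-0000-0000-0000-000000000001}
   Writer Instance Id: {00000000-0000-0000-0000-00000000000a}
   State: [1] Stable
   Last error: No error

Writer name: 'NTDS'
   Writer Id: {00000000-0000-0000-0000-000000000002}
   Writer Instance Id: {00000000-0000-0000-0000-00000000000b}
   State: [5] Waiting for completion
   Last error: Non-retryable error
'@ -split "`r?`n"

Get-VssWriterState -OutputLines $sample | Select-Object Writer, State, LastError, Ok | Format-Table -AutoSize
# On a DC:  Get-VssWriterState | Select-Object Writer, State, LastError, Ok | Format-Table -AutoSize
```

One caveat when you run this on a newer domain: the FRS Writer is only registered while SYSVOL still replicates with FRS; on a DFSR-based SYSVOL the "DFS Replication service writer" takes its place, so adjust the $required list accordingly.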

Identifying issue with USN rollback

Normally you would not need to worry about this, but virtualization is used in almost every company now. Administrators try to use virtual machine snapshots to revert a machine to a previous state when they find an error. This may be a good option for domain member servers, but it is not the proper way to restore Domain Controllers. You cannot revert a virtual Domain Controller to a snapshot as a form of DC restoration. This is not supported by Microsoft and may lead to USN rollback

Information! Please do not use Domain Controller snapshots to restore a DC. Always use the latest available System State backup to avoid any issues

To start identifying a USN rollback issue, run the syntax below

repadmin /showutdvec "dc=domain,dc=local"

where “dc=domain,dc=local” is the distinguished name of your domain

That was only a short introduction to the repadmin command. If you are more interested in its full possibilities, I would recommend reading the Microsoft whitepaper.

  • ADRepl Status

This separately downloaded tool from Microsoft is really helpful when you want to see the Active Directory replication status. It is available at this location.

  • dnslint

Another helpful command for the domain administrator. It shows whether all required DNS records exist for the specified Domain Controller

dnslint /ad /s "DomainController-IP-Address"

If some records are missing, you can try to re-register them using the steps below. On that DC, run from the command line

ipconfig /flushdns
dcdiag /fix
nltest /dsregdns
ipconfig /registerdns

and check once again whether they have appeared.

  • nltest

This command has many useful switches. It allows you to:

  1. List all Domain Controllers for a specified domain
  2. Check and verify the secure channel for a domain
  3. Reset the secure channel for a domain
  4. See the site a DC belongs to
  5. See the sites covered by a particular Domain Controller
  6. Query domain/forest trust information

and many others. If you want to see all of its possibilities, run the command with the /? switch to get the full help.

To get all Domain Controllers and compare them to your list (quite often administrators are sure that a machine is no longer a DC, but it still shows up in the query results)

nltest /dclist:DNSDomainName

To query and verify the secure channel, use

nltest /server:DomainController /sc_query:DNSDomainName
nltest /server:DomainController /sc_verify:DNSDomainName

If you want to troubleshoot an issue related to Sites, you may list all of them first

nltest /dsgetsite

and to see which Sites are covered by a particular Domain Controller

nltest /dsgetsitecov

If your organization has established a forest trust with another company, you can simply check information about it

nltest /dsgetfti:DNSDomainName

and the same can be done to get domain trust information

nltest /domain_trusts

  • NTDSUtil

A command forgotten by admins, but it is really helpful. You can use it for:

  1. Active Directory authoritative restoration of any object
  2. Change the DSRM password (how many of you change this password according to the company password policy? 😉 )
  3. Transfer/Seize FSMO roles
  4. Do metadata cleanup
  5. Create Install from Media (IFM)
  6. Create application partitions
  7. Compress AD database
  8. Duplicate SID cleanup

and much more I did not mention here.

  • LDP

You can use this tool to modify the schema and AD object attributes. On Windows Server 2008 R2 you can also use it to restore deleted objects. A similar tool for almost the same tasks (except object restoration) is ADSIEdit, which offers a GUI.

  • dsacls, dsrevoke and LIZA

These two commands and one GUI tool are really needed when you troubleshoot Active Directory delegated rights. You can check any Organizational Unit to see whether a user/group is allowed to do the required tasks on that OU. For these commands you need to know the distinguished name of the OU. The quickest way to get it is the dsquery command

dsquery ou -name "OUName"

and pass its output to the dsacls command

dsacls "OUDistinguishedName" >c:\dsacls.log

dsrevoke works a little differently and needs to be downloaded first. It reports/removes the specified user's or group's permissions from all objects on which that user/group has been granted them

dsrevoke /report "DomainName\userNameOrGroup" >c:\dsrevoke.log
dsrevoke /remove "DomainName\userNameOrGroup"

Note! Be careful with the /remove switch, as it removes the user or group from the object ACLs

And finally LIZA. This is a really good and free GUI tool to see delegated permissions. To run it, you need .NET 2.0 installed on the machine. Download LIZA

  • Account Lockout and Management Tools

These are really helpful when you troubleshoot a user/computer account lockout issue. Just download them from Microsoft: AL Tools

and use

  1. LockoutStatus.exe to see on which Domain Controller an account is locked out
  2. EventCombMT.exe to review the security log on all Domain Controllers or only on specified ones

I think that's all regarding direct tools for AD database troubleshooting. I probably did not mention all available tools, as I could not remember them all. If you find that something important is missing here, please let me know and I will update this article.

SYSVOL replication tools (GPO, logon scripts)

Another part which needs to be checked separately is SYSVOL replication, as it is not checked in detail by the tools mentioned above. The first tool which lets you see SYSVOL FRS replication is

  • FRS Diag

This is an old tool and Microsoft no longer recommends using it; however, it may still be helpful in old environments. It is not part of the operating system and needs to be downloaded separately from Microsoft: FRSDiag download

  • Ultrasound

A newer and more appropriate tool for FRS diagnosis is Ultrasound, which is also free and needs to be downloaded from Microsoft: Ultrasound download

  • GPO Tool

This may be helpful when you are troubleshooting Group Policies. It is part of the Microsoft Windows 2003 Resource Kit but can still be used on Windows Server 2008/2008 R2. To use GPO Tool, you need to download it from Microsoft.

  • GPO Log View

This tool lets you review GPO logs in a much more convenient way. It is free and can be downloaded from Microsoft: GPO Log View

I think that's all. If I forgot something, please let me know and I will update this article, as it might be helpful to us during the Active Directory troubleshooting process. Thank you in advance

Author: Krzysztof Pytko

DNS bulk PTR records creation

 

My previous article was about bulk DNS record creation in a forward lookup zone. This time we will focus on the same activity in a reverse lookup zone. In my opinion this kind of task is needed much more often than the previous one. You may ask why? Because normally, when you create a host (A) record in a forward lookup zone, you don't care about the pointer (PTR) record in the reverse lookup zone. This may happen in three scenarios:

  • You really don't need PTR record(s) 🙂
  • You have not checked “Create associated pointer (PTR) record” when adding the host record (screenshot: Option for pointer (PTR) record auto creation)
  • You have checked the above option but the DNS reverse lookup zone does not exist (screenshot: Reverse lookup zone does not exist)

So, one of these cases may lead you to bulk PTR record creation in the future, when you realize that you need this kind of record(s). I will show you how to do that quickly with the least administrative effort, because the DNS Management console is not a very convenient or fast method (you need to create each record separately by hand).

I will show you how to do that using simple scripts based on:

  • Windows DNScmd command
  • Using DNSShell module for Windows PowerShell (really great module)
  • Using native DNS cmd-lets in PowerShell 3.0

The Windows DNScmd command is available by default on a Windows Server 2008/2008 R2 server where the DNS role has been installed. To use it on Windows Server 2003, you need to install the Support Tools from the server's CD#1

The DNSShell module needs to be downloaded separately from Chris's blog; he is a real genius on DNS topics, and his PowerShell module is really great and very helpful.

The Windows PowerShell 3.0 DNS cmdlets are available in Windows 8 and Windows Server 2012 and are a new feature added by Microsoft to manage DNS servers.

PowerShell 3.0 can also be installed on Windows 7/2008/2008 R2; for more information about that, please check my other article “Windows Management Framework 3.0 for Windows Server 2008/2008R2”

DNScmd

Before we start preparing the script for bulk DNS record creation, let's check that the appropriate reverse lookup zone(s) exist(s). The reverse lookup zone must exist; otherwise the PTR (pointer) records won't be created! When the zone does not exist, you need to create it before you can start using the script for bulk record creation.

After verifying that the zone exists, we can start creating records. But first let's see what the DNScmd syntax looks like for a single pointer (PTR) record. Then we will know which parameters should go into the input file for the script.

Note! To get help for the DNScmd command, specify /? after its name or after any switch you want information about

Now we will prepare the proper syntax to add a single pointer (PTR) record to a DNS zone. For that we need to know:

  • DNS server name
  • DNS zone name (reverse lookup zone name)
  • IP address
  • host name

The proper syntax to create a pointer (PTR) record is:

dnscmd ServerName /RecordAdd DNSReverseZoneName IPAddress RecordType FQDNHostName
 

Below you can find an example

dnscmd %LOGONSERVER% /RecordAdd 1.168.192.in-addr.arpa 100 PTR testHost.testenv.local

DNScmd command execution

Instead of the %LOGONSERVER% system variable, you can use the DNS server name (if all your DCs are DNS servers too, you can simply use %LOGONSERVER%; otherwise you need to type the DNS server name manually)

As you can see in the DNS Management console, the new record has been created

DNS record verification

We have the complete syntax, and now we can create a script that creates many DNS records in a short time. First of all, we need an input file containing all required data. To create that file, we put 2 or 3 values into a flat text file:

  • an octet of IP Address for which we want to add PTR record
  • host Fully-Qualified Domain Name
  • optionally reverse lookup zone name (if we want to create PTR records for multiple zones)

An example input file for the script (2 values and the same zone)

100 testHost01.testenv.local
101 testHost02.testenv.local
102 testHost03.testenv.local
103 testHost04.testenv.local
104 testHost05.testenv.local

or an example input file with 3 values

105 testHost06.testenv.local 1.168.192.in-addr.arpa
106 testHost07.testenv.local 1.168.192.in-addr.arpa
107 testHost08.testenv.local 2.168.192.in-addr.arpa
108 testHost09.testenv.local 2.168.192.in-addr.arpa
109 testHost10.testenv.local 3.168.192.in-addr.arpa

and save it as, e.g., newPTR.txt on the C drive

Now you can use the script below to create many DNS records (case with 2 values in the file)

for /f "tokens=1-2" %i in (c:\newPTR.txt) do dnscmd %LOGONSERVER% /RecordAdd 1.168.192.in-addr.arpa %i PTR %j

Bulk DNS pointer records created

and you can verify that in DNS Management console

DNS records verification

and now the code for the case with 3 values in the file

for /f "tokens=1-3" %i in (c:\newPTR.txt) do dnscmd %LOGONSERVER% /RecordAdd %k %i PTR %j

Bulk DNS records created

and you can verify that in DNS Management console once again

DNS records verification

DNSShell module for PowerShell

As I mentioned at the beginning of this article, this is a separate module which needs to be downloaded. You can simply download it from

http://www.indented.co.uk/index.php/2010/04/16/dnsshell-zone-and-server-cmdlets/

When you have downloaded it, extract the content into one of the following locations:

  • %HOMEPATH%\Documents\WindowsPowerShell\Modules
  • %WINDIR%\System32\WindowsPowerShell\v1.0\Modules

PowerShell modules path

and import the module before the first use

Import-Module DNSShell

To list all available cmdlets, use

help *DNS*

Importing DNSShell module and list all available cmd-lets

From now on, you have all cmdlets available. Let's start by creating a single record in DNS using the New-DNSRecord cmdlet

To create a pointer (PTR) record using DNSShell, you need:

  • DNS zone name (reverse lookup zone name)
  • an octet of IP Address for which we want to add PTR record
  • host name

The general syntax is below

New-DNSRecord -Name AnOctet -RecordType PTR -ZoneName ReverseZoneName -HostName HostFQDN

and a short example

New-DNSRecord -Name 100 -RecordType PTR -ZoneName 1.168.192.in-addr.arpa -HostName testHost01.testenv.local

New-DNSRecord example

and you can see the command's result in DNS Manager

DNS record verification

So now we can create a script to create many DNS records automatically. As for PowerShell it is better to use a CSV file than a flat text file, I would suggest preparing an example here. A CSV file requires a header for each attribute; we need 2 or 3 attributes to accomplish that.

An example CSV file for 2 values

octet,hostName
100,testHost01.testenv.local
101,testHost02.testenv.local
102,testHost03.testenv.local
103,testHost04.testenv.local
104,testHost05.testenv.local

An example CSV file for 3 values

octet,hostName,zoneName
105,testHost06.testenv.local,1.168.192.in-addr.arpa
106,testHost07.testenv.local,1.168.192.in-addr.arpa
107,testHost08.testenv.local,2.168.192.in-addr.arpa
108,testHost09.testenv.local,2.168.192.in-addr.arpa
109,testHost10.testenv.local,3.168.192.in-addr.arpa

Save this file as newPTR.csv on the C drive and use the script below to create the DNS records

for 2 values

Import-Module DNSShell
Import-CSV c:\newPTR.csv | %{
New-DNSRecord -Name $_."octet" -RecordType PTR -ZoneName 1.168.192.in-addr.arpa -HostName $_."hostName"
}

PowerShell script

and verify results in DNS Manager

DNS records verification

and one more case, with 3 values in the CSV file

Import-Module DNSShell
Import-CSV c:\newPTR.csv | %{
New-DNSRecord -Name $_."octet" -RecordType PTR -ZoneName $_."zoneName" -HostName $_."hostName"
}

PowerShell code

and verify in DNS Manager that they were created

DNS records verifying

Native DNS cmd-lets in PowerShell 3.0

This is a new feature and can only be used with PowerShell 3.0, which is available in Windows 8 and Windows Server 2012 (or in other Windows versions, as mentioned at the beginning of this article). There is a variety of DNS cmdlets to manage a DNS server; one of them is Add-DNSServerResourceRecordPTR and we will use it in this article.

Add-DNSServerResourceRecordPTR cmd-let

To create a pointer (PTR) record using this cmdlet you need:

  • DNS zone name (reverse lookup zone name)
  • an octet of IP Address for which we want to add PTR record
  • host name

And now for practice, we will create a single DNS record using Add-DNSServerResourceRecordPTR

Add-DNSServerResourceRecordPTR -ZoneName DNSReverseZoneName -Name octet -PTRDomainName hostName

According to the general syntax above, let's create a pointer record

Add-DNSServerResourceRecordPTR -ZoneName 1.168.192.in-addr.arpa -Name 100 -PTRDomainName testHost01.testenv.local

PowerShell 3.0 DNS record creation

and as in the previous methods, just verify that the DNS record was created

DNS record verification

So now the last part. We need to prepare a script for multiple record creation. As we need a CSV file, as in the previous method (DNSShell module for Windows PowerShell), we will reuse it. An example CSV file is below

for 2 values

octet,hostName
100,testHost01.testenv.local
101,testHost02.testenv.local
102,testHost03.testenv.local
103,testHost04.testenv.local
104,testHost05.testenv.local

and for 3 values

octet,hostName,zoneName
105,testHost06.testenv.local,1.168.192.in-addr.arpa
106,testHost07.testenv.local,1.168.192.in-addr.arpa
107,testHost08.testenv.local,2.168.192.in-addr.arpa
108,testHost09.testenv.local,2.168.192.in-addr.arpa
109,testHost10.testenv.local,3.168.192.in-addr.arpa

and save it as newPTR.csv on the C drive. When you have done that, use the code below for pointer (PTR) record creation

PowerShell 3.0 code for CSV with 2 values

Import-CSV c:\newPTR.csv | %{
Add-DNSServerResourceRecordPTR -ZoneName 1.168.192.in-addr.arpa -Name $_."octet" -PTRDomainName $_."hostName"
}

PowerShell 3.0 code

and the DNS Manager view to prove that the records were created

DNS Manager and newly created DNS records

and the last part with PowerShell 3.0 for DNS, the code for a CSV file with 3 values

Import-CSV c:\newPTR.csv | %{
Add-DNSServerResourceRecordPTR -ZoneName $_."zoneName" -Name $_."octet" -PTRDomainName $_."hostName"
}

Just to be sure that the records were created, let's check each reverse lookup zone

DNS Manager and newly created DNS records
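The scripts above take the last octet and (optionally) the zone name as input, which means whoever prepares the CSV has to work out the reverse zone for every address and make sure it exists. The block below is an added example (my code, not the article's) that generalizes this with the same PowerShell 3.0 DnsServer cmdlets: the input holds full IP addresses, the script derives the reverse zone and relative record name itself (trying the /24, /16 and /8 zone forms and using whichever exists on the server, which is the "zone must exist" precondition from the beginning of the article), skips records that are already there so the import can be re-run, and adds the rest with Add-DnsServerResourceRecordPtr. It assumes a Windows Server 2012 DNS server (or -ComputerName pointing at one) with the DnsServer module; the rows are constructed sample data.

```powershell
# Added example, not from the original article. Bulk PTR creation from full IP addresses.
# Assumptions: DnsServer module (Windows Server 2012 / RSAT); Get-DnsServerZone,
# Get-DnsServerResourceRecord and Add-DnsServerResourceRecordPtr as shipped with it.
Import-Module DnsServer

# Pure helper: (zone, relative name) candidates for an IPv4 address, most specific first.
# 192.168.1.100 -> 1.168.192.in-addr.arpa/"100", 168.192.in-addr.arpa/"100.1", 192.in-addr.arpa/"100.1.168"
function Get-ReverseZoneCandidate {
    param([Parameter(Mandatory=$true)][string]$IPAddress)
    $o = $IPAddress.Split('.')
    $bad = @($o | Where-Object { $_ -notmatch '^\d{1,3}$' -or [int]$_ -gt 255 })
    if ($o.Count -ne 4 -or $bad.Count -gt 0) { throw "Not an IPv4 address: $IPAddress" }
    @(
        @{ ZoneName = "$($o[2]).$($o[1]).$($o[0]).in-addr.arpa"; Name = $o[3] },
        @{ ZoneName = "$($o[1]).$($o[0]).in-addr.arpa";          Name = "$($o[3]).$($o[2])" },
        @{ ZoneName = "$($o[0]).in-addr.arpa";                   Name = "$($o[3]).$($o[2]).$($o[1])" }
    )
}

function Add-PtrFromList {
    param([Parameter(Mandatory=$true)][string]$CsvPath, [string]$ComputerName = $env:COMPUTERNAME)
    # Reverse zones known to this server, fetched once: the article's "zone must exist" check
    $zones = Get-DnsServerZone -ComputerName $ComputerName | Where-Object { $_.IsReverseLookupZone } |
             ForEach-Object { $_.ZoneName }
    foreach ($row in Import-Csv -Path $CsvPath) {
        try { $candidates = Get-ReverseZoneCandidate $row.ipAddress }
        catch { Write-Warning "Skipping '$($row.hostName)': $($_.Exception.Message)"; continue }

        $target = $candidates | Where-Object { $zones -contains $_.ZoneName } | Select-Object -First 1
        if (-not $target) { Write-Warning "No reverse zone on $ComputerName covers $($row.ipAddress); create it first"; continue }

        $existing = Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $target.ZoneName `
                        -Name $target.Name -RRType Ptr -ErrorAction SilentlyContinue
        if ($existing) { Write-Verbose "PTR for $($row.ipAddress) already present in $($target.ZoneName), skipping"; continue }

        Add-DnsServerResourceRecordPtr -ComputerName $ComputerName -ZoneName $target.ZoneName `
            -Name $target.Name -PtrDomainName $row.hostName
        Write-Verbose "Added $($target.Name) in $($target.ZoneName) -> $($row.hostName)"
    }
}

# Constructed input (columns ipAddress,hostName), written to a temp file so the example is self-contained
$csv = Join-Path $env:TEMP "newPTR-full.csv"
@"
ipAddress,hostName
192.168.1.100,testHost01.testenv.local
192.168.2.107,testHost08.testenv.local
10.0.0.5,testHost11.testenv.local
"@ | Set-Content -Path $csv
Add-PtrFromList -CsvPath $csv -Verbose
```

Because the zone lookup is done per address, one CSV can cover several subnets, and an address whose reverse zone is missing is reported instead of producing the silent "record not created" outcome the article warns about.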

That’s all!


Author: Krzysztof Pytko

DNS bulk host (A) records creation

 

Sometimes we need to create many DNS records in a short time. Using the DNS Management console is not a very convenient or fast method, because you need to create each record separately by hand. I will show you how to do that using simple scripts based on:

  • Windows DNScmd command
  • Using DNSShell module for Windows PowerShell (really great module)
  • Using native DNS cmd-lets in PowerShell 3.0

The Windows DNScmd command is available by default on a Windows Server 2008/2008 R2 server where the DNS role has been installed. To use it on Windows Server 2003, you need to install the Support Tools from the server's CD#1

The DNSShell module needs to be downloaded separately from Chris's blog; he is a real genius on DNS topics, and his PowerShell module is really great and very helpful.

The Windows PowerShell 3.0 DNS cmdlets are available in Windows 8 and Windows Server 2012 and are a new feature added by Microsoft to manage DNS servers.

PowerShell 3.0 can also be installed on Windows 7/2008/2008 R2; for more information about that, please check my other article “Windows Management Framework 3.0 for Windows Server 2008/2008R2”

DNScmd

Before we start preparing the script for bulk DNS record creation, let's see what the DNScmd syntax looks like for a single host (A) record. Then we will know which parameters should go into the input file for the script.

Note! To get help for the DNScmd command, specify /? after its name or after any switch you want information about

Now we will prepare the proper syntax to add a single host (A) record to a DNS zone. For that we need to know:

  • DNS server name
  • DNS zone name
  • host name
  • IP address

The proper syntax to create a host (A) record is:

dnscmd ServerName /RecordAdd DNSZoneName HostName RecordType IPAddress

Below you can find an example

dnscmd %LOGONSERVER% /RecordAdd testenv.local test01 A 192.168.1.101

DNScmd command execution

Instead of the %LOGONSERVER% system variable, you can use the DNS server name (if all your DCs are DNS servers too, you can simply use %LOGONSERVER%; otherwise you need to type the DNS server name manually)

As you can see in the DNS Management console, the new record has been created

DNS record verification

We have the complete syntax, and now we can create a script that creates many DNS records in a short time. First of all, we need an input file containing all required data. To create that file, we put 2 values into a flat text file:

  • host name
  • IP address

An example input file for the script

test01 192.168.1.101
test02 192.168.1.102
test03 192.168.1.103
test04 192.168.1.104
test05 192.168.1.105

and save it as, e.g., newHosts.txt on the C drive

Now you can use the script below to create many DNS records

for /f "tokens=1-2" %i in (c:\newHosts.txt) do dnscmd %LOGONSERVER% /RecordAdd testenv.local %i A %j

Bulk DNS host records created

and you can verify that in DNS Management console

DNS records verification

DNSShell module for PowerShell

As I mentioned at the beginning of this article, this is a separate module which needs to be downloaded. You can simply download it from

http://www.indented.co.uk/index.php/2010/04/16/dnsshell-zone-and-server-cmdlets/

When you have downloaded it, extract the content into one of the following locations:

  • %HOMEPATH%\Documents\WindowsPowerShell\Modules
  • %WINDIR%\System32\WindowsPowerShell\v1.0\Modules

PowerShell modules path

and import the module before the first use

Import-Module DNSShell

To list all available cmdlets, use

help *DNS*

Importing DNSShell module and list all available cmd-lets

From now on, you have all cmdlets available. Let's start by creating a single host record in DNS using the New-DNSRecord cmdlet

To create a host (A) record using DNSShell, you need:

  • DNS zone name
  • host name
  • IP address

The general syntax is below

New-DNSRecord -Name HostName -RecordType A -ZoneName DNSZoneName -IPAddress IPAddress

and a short example

New-DNSRecord -Name test01 -RecordType A -ZoneName testenv.local -IPAddress 192.168.1.101

New-DNSRecord example

and you can see the command's result in DNS Manager

DNS record verification

So now we can create a script to create many DNS records automatically. As for PowerShell it is better to use a CSV file than a flat text file, I would suggest preparing an example here. A CSV file requires a header for each attribute; we need only 2 attributes to accomplish that

HostName,IPAddr
test01,192.168.1.101
test02,192.168.1.102
test03,192.168.1.103
test04,192.168.1.104
test05,192.168.1.105

Save this file as newHosts.csv on the C drive and use the script below to create the DNS records

Import-Module DNSShell
Import-CSV c:\newHosts.csv | %{
New-DNSRecord -Name $_."HostName" -RecordType A -ZoneName testenv.local -IPAddress $_."IPAddr"
}

PowerShell script

and verify results in DNS Manager

DNS records verification

Native DNS cmd-lets in PowerShell 3.0

This is a new feature and can only be used with PowerShell 3.0, which is available in Windows 8 and Windows Server 2012. There is a variety of DNS cmdlets to manage a DNS server; one of them is Add-DNSServerResourceRecordA and we will use it in this article.

Add-DNSServerResourceRecordA cmd-let

To create a host record using this cmdlet, we need to have prepared:

  • DNS zone name
  • host name
  • IP address

And now for practice, we will create a single DNS record using Add-DNSServerResourceRecordA

Add-DNSServerResourceRecordA -ZoneName DNSZoneName -Name HostName -IPv4Address IPAddress

According to the general syntax above, let's create a host record

Add-DNSServerResourceRecordA -ZoneName testenv.local -Name test01 -IPv4Address 192.168.1.101

PowerShell 3.0 DNS record creation

and as in the previous methods, just verify that the DNS record was created

DNS record verification

So now the last part. We need to prepare a script for multiple record creation. As we need a CSV file, as in the previous method (DNSShell module for Windows PowerShell), we will reuse it. An example CSV file is below

HostName,IPAddress
test01,192.168.1.101
test02,192.168.1.102
test03,192.168.1.103
test04,192.168.1.104
test05,192.168.1.105

and save it as newHosts.csv on the C drive. When you have done that, use the code below for host (A) record creation

Import-CSV c:\newHosts.csv | %{
Add-DNSServerResourceRecordA -ZoneName testenv.local -Name $_."HostName" -IPv4Address $_."IPAddress"
}

Script output

and the DNS Manager view to prove that the records were created

DNS Manager and newly created DNS records
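The one-liner above does exactly what it says, but it also happily adds a second A record if a host name is already in the zone, fails on a mistyped address, and cannot be rehearsed. The block below is an added example (mine, not from the article) of the same PowerShell 3.0 import with the checks an operator usually wants: the zone must exist, each address must parse as IPv4, a name that already resolves to the same address is skipped and one that resolves to a different address is reported rather than duplicated, -WhatIf gives a dry run, and the -CreatePtr switch of Add-DnsServerResourceRecordA adds the pointer record in one go where a reverse zone exists. It assumes the DnsServer module on a Windows Server 2012 DNS server; the input rows are constructed sample data in the shape of newHosts.csv.

```powershell
# Added example, not from the original article: idempotent bulk A-record import.
# Assumptions: DnsServer module; Get-DnsServerZone / Get-DnsServerResourceRecord /
# Add-DnsServerResourceRecordA (with its -CreatePtr switch) as shipped with Windows Server 2012.
Import-Module DnsServer

function Import-HostRecord {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$ZoneName,
        [Parameter(Mandatory=$true)][object[]]$Rows,      # objects with HostName and IPAddress
        [string]$ComputerName = $env:COMPUTERNAME,
        [switch]$CreatePtr
    )
    if (-not (Get-DnsServerZone -ComputerName $ComputerName -Name $ZoneName -ErrorAction SilentlyContinue)) {
        throw "Zone $ZoneName does not exist on $ComputerName"
    }
    foreach ($row in $Rows) {
        # Validate the address before touching the server; reject IPv6 and garbage alike
        $ip = $null
        $valid = [System.Net.IPAddress]::TryParse($row.IPAddress, [ref]$ip) -and
                 $ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork
        if (-not $valid) { Write-Warning "$($row.HostName): '$($row.IPAddress)' is not an IPv4 address, skipped"; continue }

        $existing = Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $ZoneName `
                        -Name $row.HostName -RRType A -ErrorAction SilentlyContinue
        if ($existing) {
            $have = @($existing | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })
            if ($have -contains $ip.IPAddressToString) {
                Write-Verbose "$($row.HostName) already points to $ip, skipped"
            } else {
                Write-Warning "$($row.HostName) exists with $($have -join ', ') not $ip; left unchanged, review manually"
            }
            continue
        }
        if ($PSCmdlet.ShouldProcess("$($row.HostName).$ZoneName", "Add A record $ip")) {
            Add-DnsServerResourceRecordA -ComputerName $ComputerName -ZoneName $ZoneName `
                -Name $row.HostName -IPv4Address $ip -CreatePtr:$CreatePtr
        }
    }
}

# Constructed sample rows (same columns as newHosts.csv on this page). The third row shows
# the "same name, different address" path on a re-run; the last one fails validation.
$rows = @"
HostName,IPAddress
test01,192.168.1.101
test02,192.168.1.102
test01,192.168.1.199
test06,192.168.1.300
"@ | ConvertFrom-Csv

Import-HostRecord -ZoneName testenv.local -Rows $rows -CreatePtr -WhatIf    # rehearse first
# Import-HostRecord -ZoneName testenv.local -Rows $rows -CreatePtr -Verbose # then run for real
```

Running with -WhatIf first is worth the extra minute on a production zone: it surfaces the duplicates and bad addresses in the CSV before any record is written, and -Verbose on the real run leaves a record of what was skipped and why.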

This time, that’s all!


Author: Krzysztof Pytko

Determine DFL and FFL using PowerShell


I was curious, after the last article about checking the schema version with PowerShell, whether it is possible to use the same template to determine Domain and Forest Functional Levels. I decided to check that using the same code and I found it is also working 🙂

You only need to check different AD objects to get that information.

For the Domain Functional Level you need to query the Default naming context (domain partition) and read the msDS-Behavior-Version attribute. Its value tells you which DFL is present in your domain. Today there is normally no need to check whether a domain is working in 2000 mixed mode, but I decided to put that information into the script as well, to have a full overview of DFL. In this case (mixed mode) you have to check the ntMixedDomain attribute.

If the ntMixedDomain attribute is set to 0, the Domain Functional Level is not Windows 2000 Mixed mode. If this attribute is set to 1, the DFL is Windows 2000 Mixed mode.

For the msDS-Behavior-Version attribute value and its corresponding DFL, see the list below

  • 0 – Windows 2000 Native mode
  • 1 – Windows Server 2003 Interim mode
  • 2 – Windows Server 2003 mode
  • 3 – Windows Server 2008 mode
  • 4 – Windows Server 2008 R2 mode
  • 5 – Windows Server 2012 mode
  • 6 – Windows Server 2012 R2 mode

To get the Forest Functional Level mode, you need to check the same msDS-Behavior-Version attribute but on a different AD object. This object is

cn=partitions,cn=configuration,dc=testenv,dc=local

in the Configuration partition

Note! Remember that the Forest Functional Level cannot be higher than the Domain Functional Level. Its value may be equal or lower but never HIGHER!

For the msDS-Behavior-Version attribute value and its corresponding FFL, see the list below

  • 0 – Windows 2000 mode
  • 1 – Windows Server 2003 Interim mode
  • 2 – Windows Server 2003 mode
  • 3 – Windows Server 2008 mode
  • 4 – Windows Server 2008 R2 mode
  • 5 – Windows Server 2012 mode
  • 6 – Windows Server 2012 R2 mode

those are all the available options at this moment, so now it is possible to prepare a PowerShell script that reads that attribute and compares it to the lists above

Windows PowerShell module for Active Directory

Open Windows PowerShell or the Windows PowerShell module for AD and use the syntax below to get the Domain Functional Level (if you are using the module for AD, you don’t need to use the Import-Module cmd-let!)

Import-Module ActiveDirectory
Get-ADObject -Identity "dc=testenv,dc=local" -Properties * | Select msDS-Behavior-Version,ntMixedDomain

Windows PowerShell syntax for DFL

Get-ADObject -Identity "cn=partitions,cn=configuration,dc=testenv,dc=local" -Properties * | Select msDS-Behavior-Version

Windows PowerShell syntax for FFL

Remember to change the domain distinguished name from dc=testenv,dc=local to yours

Now it’s time to see the complete script, which displays friendlier output for the user

Import-Module ActiveDirectory
Clear-Host
Write-Host ""
Write-Host "Domain Functional Level is " -ForegroundColor Green -NoNewLine
$domain=Get-ADObject -Identity "dc=testenv,dc=local" -Properties * | Select msDS-Behavior-Version,ntMixedDomain
if ($domain.ntMixedDomain -eq 1){
Write-Host "Windows 2000 Mixed mode" -ForegroundColor Yellow
}
else {
switch ($domain."msDS-Behavior-Version")
{
0 { Write-Host "Windows 2000 Native mode" -ForegroundColor Yellow }
1 { Write-Host "Windows Server 2003 Interim mode" -ForegroundColor Yellow }
2 { Write-Host "Windows Server 2003 mode" -ForegroundColor Yellow }
3 { Write-Host "Windows Server 2008 mode" -ForegroundColor Yellow }
4 { Write-Host "Windows Server 2008 R2 mode" -ForegroundColor Yellow }
5 { Write-Host "Windows Server 2012 mode" -ForegroundColor Yellow }
6 { Write-Host "Windows Server 2012 R2 mode" -ForegroundColor Yellow }
default { Write-Host "unknown" -ForegroundColor Red }
}
}
Write-Host ""
Write-Host "Forest Functional Level is " -ForegroundColor Green -NoNewLine
$forest=Get-ADObject -Identity "cn=partitions,cn=configuration,dc=testenv,dc=local" -Properties * | Select msDS-Behavior-Version
switch ($forest."msDS-Behavior-Version")
{
0 { Write-Host "Windows 2000 mode" -ForegroundColor Yellow }
1 { Write-Host "Windows Server 2003 Interim mode" -ForegroundColor Yellow }
2 { Write-Host "Windows Server 2003 mode" -ForegroundColor Yellow }
3 { Write-Host "Windows Server 2008 mode" -ForegroundColor Yellow }
4 { Write-Host "Windows Server 2008 R2 mode" -ForegroundColor Yellow }
5 { Write-Host "Windows Server 2012 mode" -ForegroundColor Yellow }
6 { Write-Host "Windows Server 2012 R2 mode" -ForegroundColor Yellow }
default { Write-Host "unknown" -ForegroundColor Red }
}
Write-Host ""

Copy the code above into Notepad, save it as a .ps1 file and execute it in a Windows PowerShell environment

Script output

Quest PowerShell module for Active Directory

To be able to run the code below, you need to have the free Quest PowerShell module for Active Directory installed

If you have it available, you can run the syntax below

Get-QADObject -Identity "dc=testenv,dc=local" -IncludeAllProperties | Select msDS-Behavior-Version,ntMixedDomain

Quest PowerShell syntax for DFL

Get-QADObject -Identity "cn=partitions,cn=configuration,dc=testenv,dc=local" -IncludeAllProperties | Select msDS-Behavior-Version

Quest PowerShell syntax for FFL

Remember to change the domain distinguished name from dc=testenv,dc=local to yours

Now it’s time to see the complete script, which displays friendlier output for the user

Clear-Host
Write-Host ""
Write-Host "Domain Functional Level is " -ForegroundColor Green -NoNewLine
$domain=Get-QADObject -Identity "dc=testenv,dc=local" -IncludeAllProperties | Select msDS-Behavior-Version,ntMixedDomain
if ($domain.ntMixedDomain -eq 1){
Write-Host "Windows 2000 Mixed mode" -ForegroundColor Yellow
}
else {
switch ($domain."msDS-Behavior-Version")
{
0 { Write-Host "Windows 2000 Native mode" -ForegroundColor Yellow }
1 { Write-Host "Windows Server 2003 Interim mode" -ForegroundColor Yellow }
2 { Write-Host "Windows Server 2003 mode" -ForegroundColor Yellow }
3 { Write-Host "Windows Server 2008 mode" -ForegroundColor Yellow }
4 { Write-Host "Windows Server 2008 R2 mode" -ForegroundColor Yellow }
5 { Write-Host "Windows Server 2012 mode" -ForegroundColor Yellow }
6 { Write-Host "Windows Server 2012 R2 mode" -ForegroundColor Yellow }
default { Write-Host "unknown" -ForegroundColor Red }
}
}
Write-Host ""
Write-Host "Forest Functional Level is " -ForegroundColor Green -NoNewLine
$forest=Get-QADObject -Identity "cn=partitions,cn=configuration,dc=testenv,dc=local" -IncludeAllProperties | Select msDS-Behavior-Version
switch ($forest."msDS-Behavior-Version")
{
0 { Write-Host "Windows 2000 mode" -ForegroundColor Yellow }
1 { Write-Host "Windows Server 2003 Interim mode" -ForegroundColor Yellow }
2 { Write-Host "Windows Server 2003 mode" -ForegroundColor Yellow }
3 { Write-Host "Windows Server 2008 mode" -ForegroundColor Yellow }
4 { Write-Host "Windows Server 2008 R2 mode" -ForegroundColor Yellow }
5 { Write-Host "Windows Server 2012 mode" -ForegroundColor Yellow }
6 { Write-Host "Windows Server 2012 R2 mode" -ForegroundColor Yellow }
default { Write-Host "unknown" -ForegroundColor Red }
}
Write-Host ""

Script output

Now, we have two scripts, one to check schema version and one to check DFL and FFL. If you wish, you may combine them into one and get all necessary information in one output 🙂
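Picking up the suggestion to combine the two scripts, here is an added example (not the author's code) that reports schema version, DFL and FFL as a single object and flags a Forest Functional Level higher than the Domain Functional Level, which the note above says must never happen. It reads the naming contexts from Get-ADRootDSE so no distinguished name has to be edited; the function names Get-ADLevelReport and Resolve-LevelName and the lookup tables (built from the lists on this page) are my own.

```powershell
# Added example, not the author's code. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Lookup tables built from the DFL, FFL and schema lists in these articles.
$DflNames = @{ 0 = 'Windows 2000 Native mode'; 1 = 'Windows Server 2003 Interim mode'
               2 = 'Windows Server 2003 mode';  3 = 'Windows Server 2008 mode'
               4 = 'Windows Server 2008 R2 mode'; 5 = 'Windows Server 2012 mode'
               6 = 'Windows Server 2012 R2 mode' }
$FflNames = $DflNames.Clone()
$FflNames[0] = 'Windows 2000 mode'            # the only entry that differs between the two lists
$SchemaNames = @{ 13 = 'Windows 2000 Server'; 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2'
                  44 = 'Windows Server 2008'; 47 = 'Windows Server 2008 R2'; 56 = 'Windows Server 2012'
                  69 = 'Windows Server 2012 R2'; 87 = 'Windows Server 2016' }

# Map a numeric value to its name, or say "unknown (n)" instead of hiding it.
function Resolve-LevelName([hashtable]$Table, $Value) {
    $v = [int]$Value
    if ($Table.ContainsKey($v)) { $Table[$v] } else { "unknown ($v)" }
}

function Get-ADLevelReport {
    [CmdletBinding()]
    param([string]$Server)                    # optional DC to query; otherwise the default DC is used
    $dc = @{}
    if ($Server) { $dc['Server'] = $Server }

    # RootDSE exposes the three naming contexts, so no DN has to be typed in.
    $root   = Get-ADRootDSE @dc
    $domain = Get-ADObject @dc -Identity $root.defaultNamingContext -Properties 'msDS-Behavior-Version', 'ntMixedDomain'
    $parts  = Get-ADObject @dc -Identity "cn=Partitions,$($root.configurationNamingContext)" -Properties 'msDS-Behavior-Version'
    $schema = Get-ADObject @dc -Identity $root.schemaNamingContext -Properties 'objectVersion'

    $dfl = [int]$domain.'msDS-Behavior-Version'
    $ffl = [int]$parts.'msDS-Behavior-Version'
    $dflName = if ($domain.ntMixedDomain -eq 1) { 'Windows 2000 Mixed mode' } else { Resolve-LevelName $DflNames $dfl }

    [pscustomobject]@{
        Domain                = $root.defaultNamingContext
        SchemaVersion         = [int]$schema.objectVersion
        SchemaOS              = Resolve-LevelName $SchemaNames $schema.objectVersion
        DomainFunctionalLevel = $dflName
        ForestFunctionalLevel = Resolve-LevelName $FflNames $ffl
        # FFL must never exceed DFL; report it instead of trusting the numbers silently.
        FflNotAboveDfl        = ($ffl -le $dfl)
    }
}

Get-ADLevelReport | Format-List
```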


Author: Krzysztof Pytko


Schema version using PowerShell


I’ve just been playing with PowerShell in my test environment and I was wondering if it’s possible to verify the Active Directory Schema version in some simple way using it. I know that the schema version number is stored in the objectVersion attribute of the

"cn=Schema,cn=Configuration,dc=domain,dc=local" object

and I found that there is a PowerShell cmd-let which allows you to query that object and get its attributes

So, you simply need to type the cmd-let syntax below to get the schema version in a domain

for Windows PowerShell (available when you have at least one Domain Controller based on Windows Server 2008 R2)

Get-ADObject -Identity "cn=Schema,cn=Configuration,dc=testenv,dc=local" -Properties * | Select objectVersion

Schema version using Windows PowerShell

for Quest PowerShell (requires a download from a 3rd-party website; this is a free tool)

Get-QADObject -Identity "cn=Schema,cn=Configuration,dc=testenv,dc=local" -IncludeAllProperties | Select objectVersion

Schema version using Quest PowerShell

as you can see, this was a very short and quick way to get information about the schema version 🙂 However, I went one step further and prepared a script which checks objectVersion and writes the corresponding OS name on the screen. Basically, I started with if syntax but it was not the best possible solution for that. I started looking on the Internet for something like “case”, which I remember from Turbo Pascal 😀 … and I found it … this is switch in PowerShell. So, after I used switch, my code looks better and I’ve decided to share it here 🙂 (perhaps someone will find it useful)

Below you can find the complete script code for Windows and Quest PowerShell

Windows PowerShell module for Active Directory

Import-Module ActiveDirectory

Clear-Host
Write-Host ""

Write-Host "Schema version is " -ForegroundColor Green -NoNewLine

$schema_ver=Get-ADObject -Identity "cn=Schema,cn=Configuration,dc=testenv,dc=local" -Properties * | Select objectVersion

switch ($schema_ver.objectVersion)
{
 13 { Write-Host "Windows 2000 Server" -ForegroundColor Yellow }
 30 { Write-Host "Windows Server 2003" -ForegroundColor Yellow }
 31 { Write-Host "Windows Server 2003 R2" -ForegroundColor Yellow }
 44 { Write-Host "Windows Server 2008" -ForegroundColor Yellow }
 47 { Write-Host "Windows Server 2008 R2" -ForegroundColor Yellow }
 51 { Write-Host "Windows Server 8 Developers Preview" -ForegroundColor Yellow }
 52 { Write-Host "Windows Server 8 Beta" -ForegroundColor Yellow }
 56 { Write-Host "Windows Server 2012" -ForegroundColor Yellow }
 69 { Write-Host "Windows Server 2012 R2" -ForegroundColor Yellow }
 72 { Write-Host "Windows Server Technical Preview (2014)" -ForegroundColor Yellow }
 81 { Write-Host "Windows Server Technical Preview 2 (2015)" -ForegroundColor Yellow }
 82 { Write-Host "Windows Server 2016 Technical Preview 3 (2015)" -ForegroundColor Yellow }
 85 { Write-Host "Windows Server 2016 Technical Preview 4 (2015)" -ForegroundColor Yellow }
 87 { Write-Host "Windows Server 2016" -ForegroundColor Yellow }
 default { Write-Host "unknown - $($schema_ver.objectVersion)" -ForegroundColor Red }
}
Write-Host ""

Copy the code above into Notepad and save it as a .ps1 file, and you will be able to execute it in your environment (remember that you need to change the distinguished name of the domain from dc=testenv,dc=local to yours)

Script based on Windows PowerShell

Quest PowerShell module for Active Directory

Clear-Host
Write-Host ""

Write-Host "Schema version is " -ForegroundColor Green -NoNewLine

$schema_ver=Get-QADObject -Identity "cn=Schema,cn=Configuration,dc=testenv,dc=local" -IncludeAllProperties | Select objectVersion

switch ($schema_ver.objectVersion)
{
 13 { Write-Host "Windows 2000 Server" -ForegroundColor Yellow }
 30 { Write-Host "Windows Server 2003" -ForegroundColor Yellow }
 31 { Write-Host "Windows Server 2003 R2" -ForegroundColor Yellow }
 44 { Write-Host "Windows Server 2008" -ForegroundColor Yellow }
 47 { Write-Host "Windows Server 2008 R2" -ForegroundColor Yellow }
 51 { Write-Host "Windows Server 8 Developers Preview" -ForegroundColor Yellow }
 52 { Write-Host "Windows Server 8 Beta" -ForegroundColor Yellow }
 56 { Write-Host "Windows Server 2012" -ForegroundColor Yellow }
 69 { Write-Host "Windows Server 2012 R2" -ForegroundColor Yellow }
 72 { Write-Host "Windows Server Technical Preview (2014)" -ForegroundColor Yellow }
 81 { Write-Host "Windows Server Technical Preview 2 (2015)" -ForegroundColor Yellow }
 82 { Write-Host "Windows Server 2016 Technical Preview 3 (2015)" -ForegroundColor Yellow }
 85 { Write-Host "Windows Server 2016 Technical Preview 4 (2015)" -ForegroundColor Yellow }
 87 { Write-Host "Windows Server 2016" -ForegroundColor Yellow }
 default { Write-Host "unknown - $($schema_ver.objectVersion)" -ForegroundColor Red }
}
Write-Host ""

Copy the code above into Notepad and save it as a .ps1 file, and you will be able to execute it in your Quest PowerShell environment (remember that you need to change the distinguished name of the domain from dc=testenv,dc=local to yours)

Script for Quest PowerShell

I hope it would be useful for you.


Author: Krzysztof Pytko