Active Directory my personal notes

Microsoft logo

Intro

I will put here everything that I find useful about Active Directory.

Configure DNS

I never remember the order of definition of DNS.

Let's say we have two AD servers :

  • SRVAD1 : 192.168.1.10
  • SRVAD2 : 192.168.1.20

what should be the correct dns configuration? The answer is :

Windows AD | dns settings

Commands

Tests

  • Analyzes the state of domain controllers and reports any problems to help in troubleshooting :
PS C:\ > dcdiag
  • Run dns, replications or netlogons tests only :
PS C:\ > dcdiag /test:dns
PS C:\ > dcdiag /test:replications
PS C:\ > dcdiag /test:netlogons
  • Displays the replication status :
PS C:\ > repadmin /showrepl
  • Identifies domain controllers that are failing inbound replication or outbound replication, and summarizes the results in a report :
PS C:\ > repadmin /replsum

Misc

  • Synchronizes a domain controller with all of its replication partners :
PS C:\ > repadmin /syncall

Move fsmo roles

  • Show current list of operations master role holders with associates servers :
PS C:\ > netdom query /domain:std.local fsmo
Windows AD | show fsmo roles with netdom command

Dos method (old) :

PS C:\ > ntdsutil
ntdsutil:
ntdsutil: roles
fsmo maintenance:
fsmo maintenance: connections
server connections:server connections: connect to server SRVAD
Binding to ad ...
Connected to ad using credentials of locally logged on user.
server connections:
server connections: q
fsmo maintenance:
Transfer naming master
Transfer infrastructure master
Transfer PDC
Transfer RID master
Transfer schema master
Windows AD | moving fsmo roles with ntdutil command

PowerShell method (New) :

  • Check current configuration :
PS C:\ > Get-ADDomainController -Server SRVAD | Select-Object -ExpandProperty OperationMasterRoles
PS C:\ > get-adforest std.local -Server SRVAD | format-list schemamaster,domainnamingmaster
  • Transfer fsmo roles in one command :
PS C:\ > Move-ADDirectoryServerOperationMasterRole -Identity SRVAD -OperationMasterRole pdcemulator,ridmaster,infrastructuremaster,schemamaster,domainnamingmaster

Rename DC

⚠️ Renaming a DC is a sensitive operation, so make sure you have at least one backup and/or a second domain controller before making any changes. ⚠️

Check :

  • Lists the primary name or any alternate names :
PS C:\ > Netdom computername SRVAD /ENUMerate
  • Checks if there is a DNS record and a service principal name (SPN) for a computer name :
PS C:\ > Netdom computername SRVAD /verify

Quick but unsafe :

Here we ask directly for name change, if the process fails we can brick our DC.

  • Rename DC :
PS C:\ > netdom renamecomputer SRVOLD /NewName:SRVAD

Slow but safer :

Here we add a secondary name first, if the process fails we still have a valid name that should work.

  • Add a secondary name :
PS C:\ > Netdom computername SRVAD /add:SRVAD2.std.local
  • Make secondary name as primary name :
PS C:\ > Netdom computername SRVAD /makeprimary:SRVAD2.std.local
  • Remove old name :
PS C:\ > Netdom computername SRVAD2 /remove:SRVAD.std.local

Hardening Active Directory

In its default configuration Active Directory is not really secure, to harden its configuration we can use the PingCastle tool.

Ping Castle | Download page
  • Uncompress and double click to PingCastle.exe to start the tool :
Ping Castle | Start PingCastle
  • Press enter to healtcheck-Score :
Ping Castle | Start healtcheck-Score
  • Press enter to investigate :
Ping Castle | Investigate
  • Once the task end press enter to close the command prompt :
Ping Castle | Press any key to terminate the program
  • Go back to the uncompressed folder and open the html report :
Ping Castle | PingCastle folder with html report
  • Read the html report to correct the weakness :
Ping Castle | PingCastle html report
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Contact :