Windows Active Directory: Difference between revisions

Latest revision as of 18:10, 12 March 2025

Client Commands

List Applied GPO's

GUI:

 rsop.msc

CLI:

 gpresult /r /scope computer

or save it to an html file with /h:

 gpresult /h c:\gpresult.html

Confirm DC is Reachable

 net view \\<DC name>

Domain Controller Admin

Show DC Replication Status

This also shows the DSA object GUID of all DC's.

 repadmin /showrepl

Show replication state and relative health of a forest

 repadmin /replsummary

Sync Domain Controller with all Replication Partners

 repadmin /syncall /d /e

Domain Controller Diagnostics

Verify DNS Services for DC

 dcdiag /test:dns

Comprehensive, Run all tests, Verbose

 dcdiag /c /v

Force registration of all DC-specific DNS records

 nltest.exe /dsregdns

Check DC FSMO Roles

 netdom query FSMO

Enable LDAPS

Essentially, all you have to do is generate a SSL Server Certificate with the CN={hostname_of_dc} and place it into the Computer Certificates > Personal cert store. The DC will automatically use the server cert in there with the most longevity. You don't even need to restart any services nor the server itself (in my experience, anyway). Then the DC will start accepting LDAP over SSL/TLS on port 636. I did not have to adjust the Windows Firewall on the DC.

Using Linux BIND DNS Servers for Dynamic AD Updates

See ISC BIND.

@@ Line 14: / Line 14: @@
 ===Confirm DC is Reachable===
-   net view \\<source DC name>
+   net view \\<DC name>
 ==Domain Controller Admin==
-===Show DC GUID===
+===Show DC Replication Status===
-   repadmin /showreps
+This also shows the DSA object GUID of all DC's.
+   repadmin /showrepl
+===Show replication state and relative health of a forest===
+  repadmin /replsummary
 ===Sync Domain Controller with all Replication Partners===
-   repadmin /syncall
+   repadmin /syncall /d /e
 ===Domain Controller Diagnostics===
@@ Line 44: / Line 50: @@
    netdom query FSMO
-==Using Linux BIND DNS Servers for Dynamic AD Updates==
+===Enable LDAPS===
-===ACL===
+Essentially, all you have to do is generate a SSL Server Certificate with the ''CN={hostname_of_dc}'' and place it into the '''Computer Certificates > Personal''' cert store. The DC will automatically use the server cert in there with the most longevity. You don't even need to restart any services nor the server itself (in my experience, anyway). Then the DC will start accepting LDAP over SSL/TLS on port 636. I did not have to adjust the Windows Firewall on the DC.
-  acl "DOMAIN-CONTROLLERS" {
+==Using Linux BIND DNS Servers for Dynamic AD Updates==
-.144.30.101;  // DC1-dave
-.144.35.2;    // DC2-dave
-.150.30.5;    // DC-jim
-  };
-===Zone Delcarations===
-====Master Config====
-  zone "_msdcs.lambnet.us" IN {
-      type master;
-      file "dynamic/_msdcs.lambnet.us";
-      allow-update { DOMAIN-CONTROLLERS; };
-  };
-  zone "_sites.lambnet.us" IN {
-      type master;
-      file "dynamic/_sites.lambnet.us";
-      allow-update { DOMAIN-CONTROLLERS; };
-  };
-  zone "_tcp.lambnet.us" IN {
-      type master;
-      file "dynamic/_tcp.lambnet.us";
-      allow-update { DOMAIN-CONTROLLERS; };
-  };
-  zone "_udp.lambnet.us" IN {
-      type master;
-      file "dynamic/_udp.lambnet.us";
-      allow-update { DOMAIN-CONTROLLERS; };
-  };
-====Slave Config====
-  zone "_msdcs.lambnet.us" IN {
-      type slave;
-      masters { 10.144.30.4; };
-      file "dynamic/_msdcs.lambnet.us";
-      allow-update-forwarding { DOMAIN-CONTROLLERS; };
-  };
-  zone "_sites.lambnet.us" IN {
-      type slave;
-      masters { 10.144.30.4; };
-      file "dynamic/_sites.lambnet.us";
-      allow-update-forwarding { DOMAIN-CONTROLLERS; };
-  };
-  zone "_tcp.lambnet.us" IN {
-      type slave;
-      masters { 10.144.30.4; };
-      file "dynamic/_tcp.lambnet.us";
-      allow-update-forwarding { DOMAIN-CONTROLLERS; };
-  };
-  zone "_udp.lambnet.us" IN {
-      type slave;
-      masters { 10.144.30.4; };
-      file "dynamic/_udp.lambnet.us";
-      allow-update-forwarding { DOMAIN-CONTROLLERS; };
-  };
-===Logging===
-  channel update-log {
+See [[ISC Bind#Windows AD Dynamic Updates|ISC BIND]].
-      file "/var/log/named/named.update" versions 5 size 5m;
-      severity info;
-      print-category yes;
-      print-severity yes;
-      print-time yes;
-  };
-  category update       { update-log; };