Windows Active Directory: Difference between revisions
(Created page with "==List which GPO's are applied== <code>rsop.msc</code> (GUI version) <code>gpresult /r /scope computer</code> (CLI version) or save it to an html file with /h: <code>gpresult /h c:\gpresult.html</code>") |
|||
| (24 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
== | ==Client Commands== | ||
===List Applied GPO's=== | |||
GUI: | |||
rsop.msc | |||
CLI: | |||
gpresult /r /scope computer | |||
<code>gpresult /h c:\gpresult.html</ | or save it to an html file with <code>/h</code>: | ||
gpresult /h c:\gpresult.html | |||
===Confirm DC is Reachable=== | |||
net view \\<DC name> | |||
==Domain Controller Admin== | |||
===Show DC Replication Status=== | |||
This also shows the DSA object GUID of all DC's. | |||
repadmin /showrepl | |||
===Show replication state and relative health of a forest=== | |||
repadmin /replsummary | |||
===Sync Domain Controller with all Replication Partners=== | |||
repadmin /syncall /d /e | |||
===Domain Controller Diagnostics=== | |||
====Verify DNS Services for DC==== | |||
dcdiag /test:dns | |||
====Comprehensive, Run all tests, Verbose==== | |||
dcdiag /c /v | |||
===Force registration of all DC-specific DNS records=== | |||
nltest.exe /dsregdns | |||
===Check DC FSMO Roles=== | |||
netdom query FSMO | |||
===Enable LDAPS=== | |||
Essentially, all you have to do is generate a SSL Server Certificate with the ''CN={hostname_of_dc}'' and place it into the '''Computer Certificates > Personal''' cert store. The DC will automatically use the server cert in there with the most longevity. You don't even need to restart any services nor the server itself (in my experience, anyway). Then the DC will start accepting LDAP over SSL/TLS on port 636. I did not have to adjust the Windows Firewall on the DC. | |||
==Using Linux BIND DNS Servers for Dynamic AD Updates== | |||
See [[ISC Bind#Windows AD Dynamic Updates|ISC BIND]]. | |||
Latest revision as of 18:10, 12 March 2025
Client Commands
List Applied GPO's
GUI:
rsop.msc
CLI:
gpresult /r /scope computer
or save it to an html file with /h:
gpresult /h c:\gpresult.html
Confirm DC is Reachable
net view \\<DC name>
Domain Controller Admin
Show DC Replication Status
This also shows the DSA object GUID of all DC's.
repadmin /showrepl
Show replication state and relative health of a forest
repadmin /replsummary
Sync Domain Controller with all Replication Partners
repadmin /syncall /d /e
Domain Controller Diagnostics
Verify DNS Services for DC
dcdiag /test:dns
Comprehensive, Run all tests, Verbose
dcdiag /c /v
Force registration of all DC-specific DNS records
nltest.exe /dsregdns
Check DC FSMO Roles
netdom query FSMO
Enable LDAPS
Essentially, all you have to do is generate a SSL Server Certificate with the CN={hostname_of_dc} and place it into the Computer Certificates > Personal cert store. The DC will automatically use the server cert in there with the most longevity. You don't even need to restart any services nor the server itself (in my experience, anyway). Then the DC will start accepting LDAP over SSL/TLS on port 636. I did not have to adjust the Windows Firewall on the DC.
Using Linux BIND DNS Servers for Dynamic AD Updates
See ISC BIND.