June 2010 - Posts - Syed Khairuddin

Managing Active Directory Using Command Line

In this post I will show you some of the Active Directory command-line tools that administrators will find useful for writing batch files and scripts.

DSADD: This command adds computers, groups, users, OUs and some other objects to Active Directory from the command prompt.

Dsadd computer
Dsadd contact
Dsadd group
Dsadd ou
Dsadd quota
Dsadd user

Each of these adds an object of the given type to the directory.

Example:

dsadd ou "ou=sales, dc=virmansec, dc=com"
This command tells Active Directory to create an OU called Sales in the virmansec.com domain.

dsadd user "cn=John Doe, ou=sales, dc=virmansec, dc=com"
This command creates a user named John Doe in the Sales OU.

DSGET: This command displays the properties of objects in the directory, such as users, groups and computers.

Dsget computer
Dsget contact
Dsget group
Dsget ou
Dsget partition
Dsget quota
Dsget server
Dsget site
Dsget subnet
Dsget user

Each of these displays the properties of an object of the given type in the directory.

Example:

dsget user "CN=John Doe,CN=users,dc=virmansec,dc=com" -memberof -expand

The above command shows the list of groups, recursively expanded, to which the user John Doe belongs.

DSQUERY: This command finds objects in the directory (users, computers, printers and so on) that match specified search criteria.

Dsquery computer
Dsquery contact
Dsquery group
Dsquery ou
Dsquery partition
Dsquery quota
Dsquery server
Dsquery site
Dsquery subnet
Dsquery user

Each of these finds objects of the given type that match the specified search criteria.

Example:

dsquery ou dc=virmansec,dc=com
This command produces a listing of all OUs in the domain.

dsquery user cn=users,dc=virmansec,dc=com
This shows all the users in the Users container.

dsquery server -hasfsmo schema
This shows which server holds the Schema Master role. The other values accepted by -hasfsmo are rid, name, infr and pdc.

Combining dsquery with other commands like dsget

To find all users in an organizational unit (OU) named sales whose name starts with "joh" and to show their descriptions, type:

dsquery user OU=sales,dc=virmansec,dc=com -name joh* | dsget user -desc

DSMOD: This command modifies selected attributes of an existing object in the directory, such as a user, computer or OU.

Dsmod computer
Dsmod contact
Dsmod group
Dsmod ou
Dsmod partition
Dsmod quota
Dsmod server
Dsmod user

Each of these modifies selected attributes of an existing object of the given type.

Example:

dsmod computer CN=Server,CN=Computers,DC=virmansec,DC=Com -disabled yes
Disables the computer account.

dsmod user "CN=John Doe,CN=Users,DC=Virmansec,DC=Com" -pwd A1b2c3d4 -mustchpwd yes
Resets the user's password and forces him to change it the next time he logs on to the network. Note that -pwd * makes dsmod prompt for the password instead, which keeps it out of the command history.

DSMOVE: This command moves a selected object in the directory (user, computer, OU and so on) to a different location, or renames it.

Example:

dsmove "CN=John Doe,OU=sales,DC=virmansec,DC=Com" -newname "John Combs"
Renames a user object from John Doe to John Combs.

dsmove "CN=John Doe,OU=Sales,DC=virmansec,DC=Com" -newparent OU=Marketing,DC=virmansec,DC=Com
Moves the user John Doe from the Sales OU to the Marketing OU.

DSRM: This command removes an object, the complete subtree under an object in the directory, or both.

Example:

dsrm -subtree -noprompt -c OU=Marketing,DC=virmansec,DC=Com
Removes an organizational unit called "Marketing" and all the objects under that organizational unit.

dsrm -subtree -exclude -noprompt -c "OU=Marketing,DC=virmansec,DC=Com"
Removes all objects under the organizational unit called "Marketing" but leaves the organizational unit itself intact.
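Putting these commands together, here is an added example (not from the post) of a batch file that uses dsquery and dsget to report stale and privileged accounts in the virmansec.com domain used above; the report path and the Domain Admins group DN are assumptions.

```batch
@echo off
rem ad-audit.cmd - stale-account and privileged-group report built from dsquery/dsget.
rem Added example, not from the post. Assumes the virmansec.com domain used above;
rem the report path is a constructed value.
setlocal
set "DOMAIN=dc=virmansec,dc=com"
set "REPORT=%TEMP%\ad-audit.txt"

echo === Users with no logon for 8+ weeks (check the disabled column) > "%REPORT%"
rem -inactive counts weeks, -limit 0 lifts the default 100-result cap, -c continues past errors
dsquery user %DOMAIN% -inactive 8 -limit 0 | dsget user -samid -display -disabled -c >> "%REPORT%"

echo === Users whose password is older than 90 days >> "%REPORT%"
dsquery user %DOMAIN% -stalepwd 90 -limit 0 | dsget user -samid -pwdneverexpires -c >> "%REPORT%"

echo === Computer accounts idle for 12+ weeks >> "%REPORT%"
dsquery computer %DOMAIN% -inactive 12 -limit 0 | dsget computer -samid -disabled -c >> "%REPORT%"

echo === Domain Admins, nested groups expanded >> "%REPORT%"
dsget group "cn=Domain Admins,cn=Users,%DOMAIN%" -members -expand | dsget user -samid -pwdneverexpires -disabled -c >> "%REPORT%"

echo === Domain controllers holding FSMO roles >> "%REPORT%"
for %%r in (schema name infr pdc rid) do (
  echo %%r: >> "%REPORT%"
  dsquery server -hasfsmo %%r >> "%REPORT%"
)
type "%REPORT%"
endlocal
```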

FILE REPLICATION SERVICE and DFS Replication in Windows Server 2008 R2

One of the best features in Windows Server 2008 is the Distributed File System Replication service, also known as DFS-R. This service can now be used to replicate the SYSVOL share between domain controllers instead of the legacy File Replication Service (FRS). The purpose of this article is to describe its advantages over FRS.

Both FRS and DFS-based replication rely on NTFS constructs (such as the Update Sequence Number journal and an internal Jet database) to keep track of changes to the file system. The efficiency and reliability of DFS-R have been further improved in Windows Server 2008, bringing features such as support for RPC asynchronous pipes (boosting the volume of replication requests that can be serviced simultaneously and mitigating the blocking behaviour that can surface if one of the replication partners is slower or overloaded) and the ability to take advantage of unbuffered I/O, allowing a higher number of concurrent downloads. In addition, the new version of DFS-R is RODC (Read Only Domain Controller) aware, automatically rolling back any changes applied to the local replica of SYSVOL (such functionality is missing from FRS-maintained volumes, which increases the chance of administrative error). Finally, for larger environments, it eliminates the recommended limit of 1200 domain controllers per domain stipulated in the Windows Server 2003 Active Directory Branch Office Guide. Let's chalk out the advantages and disadvantages and see the benefits.

Disadvantages of File Replication Services:

  • FRS scalability and performance are significantly lower than DFSR, especially with frequently modified files, larger data sets, larger files, and slow wide area networks. FRS always replicates an entire file regardless of modification type (i.e. a security change, data change, attribute change, or file name change each replicate the entire file)
  • FRS does not include a public development interface (API or WMI) for monitoring, and its interface for management is limited
  • FRS does not have a native, supported health reporting mechanism.
  • FRS does not have a native, supported monitoring solution from Microsoft System Center; it has only legacy, unsupported tools like Sonar, Ultrasound, CONNSTAT, etc. with limited MOM 2005 integration
  • FRS has limited performance monitoring counters through PERFMON/ETW
  • FRS does not have a working self-healing system for problems like database corruption,  journal wraps, and morphed folders
  • FRS does not fully support RODC SYSVOL replicas and allows data to become unsynchronized without chance of automatic resynchronization
  • FRS does not support the inter-site change notification flag, leading to artificially slow replication between DCs in different AD logical sites
  • FRS does not have significant built-in instrumentation (debug logs, event logs) for troubleshooting and debugging

Advantages of DFS-R over FRS:

  • Ability to replicate partial file changes using RDC (block-level delta replication) rather than entire files
  • Support for cross-file RDC that can construct new files from similar files, rather than replicating the new file over the wire (when using Enterprise edition)
  • More efficient file compression on staged files
  • The number of files that can be replicated inbound and outbound simultaneously is significantly increased
  • Support for unstable and slow networks with asynchronous RPC
  • Support for more efficient OS kernel mechanisms introduced in Win2008 like unbuffered I/O, low priority I/O, and asynchronous I/O
  • No staging of smaller files (<=64KB by default)
  • Staging compression can be controlled on a per-file type basis
  • Scalable to a supported (not hard) limit of 10 terabytes of data.

Conclusion: DFS-R is more reliable and efficient than FRS for replicating SYSVOL. Please see the following guide for migrating from FRS to DFS-R:

http://technet.microsoft.com/en-us/library/dd640019(WS.10).aspx


Force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (Like D2/D4 in FRS)
  1. In the ADSIEDIT.MSC tool modify the following distinguished name (DN) value and attribute on each of the domain controllers that you want to make non-authoritative:

    CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>

    msDFSR-Enabled=FALSE

  2. Force Active Directory replication throughout the domain.
  3. Run the following command from an elevated command prompt on the same servers that you set as non-authoritative:

    DFSRDIAG POLLAD

  4. You will see Event ID 4114 and 4008 in the DFSR event log indicating SYSVOL is no longer being replicated.
  5. Optional step: Modify the registry on the domain controller to explicitly specify a source computer for SYSVOL, then restart the DFSR service:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Seeding SysVols

    Value name:  Parent Computer
    Value type: REG_SZ
    Value data: <computer to source from>

    If you do not use this method to specify the source computer, any Active Directory replication partner that has the SYSVOL replicated folder in the NORMAL state could end up being used as the source.

  6. On the same DN from Step 1, set:

    msDFSR-Enabled=TRUE

  7. Force Active Directory replication throughout the domain.

  8. Run the following command from an elevated command prompt on the same servers that you set as non-authoritative:

    DFSRDIAG POLLAD

  9. You will see Event ID 4614 and 4604 in the DFSR event log indicating SYSVOL has been initialized. That domain controller has now done a “D2” of SYSVOL.


How to perform an authoritative synchronization of DFSR-replicated SYSVOL (like "D4" for FRS)

  1. In the ADSIEDIT.MSC tool, modify the following DN and two attributes on the domain controller you want to make authoritative:

    CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>

    msDFSR-Enabled=FALSE
    msDFSR-options=1

  2. Force Active Directory replication throughout the domain.
  3. Run the following command from an elevated command prompt on the same server that you set as authoritative:

    DFSRDIAG POLLAD

  4. You will see Event ID 4114 and 4008 in the DFSR event log indicating SYSVOL is no longer being replicated.
  5. On the same DN from Step 1, set:

    msDFSR-Enabled=TRUE

  6. Force Active Directory replication throughout the domain.
  7. Run the following command from an elevated command prompt on the same server that you set as authoritative:

    DFSRDIAG POLLAD

  8. You will see Event ID 4602 in the DFSR event log indicating SYSVOL has been initialized. That domain controller has now done a “D4” of SYSVOL.

http://support.microsoft.com/kb/2218556
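Both procedures above can be driven from the command line with the same kind of tools as the first post. This is an added example (not from the post or from Microsoft's KB) that uses ldifde for the ADSIEDIT attribute edits, repadmin to force AD replication, DFSRDIAG POLLAD, and wevtutil to wait for the event IDs listed in the steps; the server name, domain DN and the 10-minute event window are assumptions.

```batch
@echo off
rem dfsr-sysvol-resync.cmd: D2 (non-authoritative) or D4 (authoritative) SYSVOL resync scripted
rem with ldifde, repadmin, dfsrdiag and wevtutil instead of ADSIEDIT. Added example, not from the
rem post or Microsoft's KB. Run on the DC itself:  dfsr-sysvol-resync.cmd SERVERNAME "DC=virmansec,DC=com" [auth]
setlocal
if "%~2"=="" (echo Usage: %~nx0 SERVERNAME "DC=domain,DC=tld" [auth] & exit /b 1)
set "DN=CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=%~1,OU=Domain Controllers,%~2"
set "LDF=%TEMP%\sysvol-resync.ldf"
rem Step 1: msDFSR-Enabled=FALSE (plus msDFSR-Options=1 when making this DC authoritative)
> "%LDF%" (
  echo dn: %DN%
  echo changetype: modify
  echo replace: msDFSR-Enabled
  echo msDFSR-Enabled: FALSE
  echo -
  if /i "%~3"=="auth" (
    echo replace: msDFSR-Options
    echo msDFSR-Options: 1
    echo -
  )
)
call :apply || exit /b 1
rem Step 4: Event ID 4114 means SYSVOL is no longer being replicated on this DC
call :wait_event 4114
rem Step 5/6: msDFSR-Enabled=TRUE
> "%LDF%" (
  echo dn: %DN%
  echo changetype: modify
  echo replace: msDFSR-Enabled
  echo msDFSR-Enabled: TRUE
  echo -
)
call :apply || exit /b 1
rem Step 8/9: 4602 (authoritative) or 4614 (non-authoritative) means SYSVOL has been initialized
if /i "%~3"=="auth" (call :wait_event 4602) else (call :wait_event 4614)
echo SYSVOL on %~1 has been re-initialized.
exit /b 0
:apply
rem Steps 2-3 and 7-8: import the change, force AD replication, then make the local DFSR poll AD
ldifde -i -f "%LDF%" -s %~1 || exit /b 1
repadmin /syncall %~1 /AdeP >nul || exit /b 1
dfsrdiag pollad
exit /b 0
:wait_event
rem Poll the DFS Replication log every 30 s for the given event ID raised within the last 10 minutes
wevtutil qe "DFS Replication" /rd:true /c:1 /f:text /q:"*[System[EventID=%~1 and TimeCreated[timediff(@SystemTime) <= 600000]]]" | findstr /c:"Event ID" >nul && exit /b 0
timeout /t 30 /nobreak >nul
goto :wait_event
```

The optional registry step 5 (Parent Computer) is not scripted; set it by hand before re-enabling if you need a specific source DC.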