Active Directory Administration One Liners
1. DCDIAG
To test DNS readiness before deploying an additional domain controller:
Dcdiag /test:dcpromo /DnsDomain:domain_name.com /ReplicaDC
To test DNS readiness before deploying a child domain:
Dcdiag /test:dcpromo /DnsDomain:child_domain_name.forest.com /ChildDomain
Test the FSMO
Dcdiag /s:<DomainControllerName> /test:fsmocheck
Check DNS
Dcdiag /test:dns
Check for missing and duplicate SPNs as well as other errors
Dcdiag /test:checksecurityerror
Check the rid pool
dcdiag /s:server /v /test:ridmanager
2. NSLOOKUP
Test SRV records (from a command prompt, start nslookup, then enter the following):
nslookup
set q=srv
_ldap._tcp.dc._msdcs.yourdomain.com
_ldap._tcp.gc._msdcs.yourdomain.com
_ldap._tcp.pdc._msdcs.yourdomain.com
Command to Troubleshoot DNS Issues
3. Repadmin
Disable replication
Repadmin /options <dc-fqdn> +DISABLE_OUTBOUND_REPL
Enable replication
Repadmin /options <dc-fqdn> -DISABLE_OUTBOUND_REPL
4. W32TM
Time sync issue in DC
w32tm /config /manualpeerlist:<DC1.contoso.com> /syncfromflags:manual /update
Run on the non-PDC domain controllers:
w32tm /config /syncfromflags:domhier /update
W32tm /resync /rediscover
net stop w32time && net start w32time
5. NLTEST
How to find the site for a Server
nltest /server:%computername% /dsgetsite
nltest /dsgetdc:contoso.com
How to find DCs IP addresses
nltest /dnsgetdc:contoso.com
Returns only those domains that are in the same forest as the primary domain.
nltest /trusted_domains /forest
Reset the netlogon secure channel
nltest /sc_reset:<domainname>
NLTEST to test the trust relationship between a workstation and domain
6. PortQry
PortQry.exe -n 10.236.214.136 -e 53 -p both
Portqry -n DC1.Contoso.com -o 135,137,138,139,389,445,88,636,3268,3269,53 -p both
7. How to check the delegation
Dsrevoke /Report OU=test,DC=gs,DC=Com gs\bshwjt
ACLDiag.exe "OU=Employee,DC=Contoso,DC=Com" /chkdeleg
For details, see the links below.
http://social.technet.microsoft.com/wiki/contents/articles/6477.how-to-view-or-delete-active-directory-delegated-permissions.aspx
http://msmvps.com/blogs/acefekay/archive/2012/02/07/active-directory-server-2008-r2-you-do-not-have-permission-to-modify-the-group.aspx
8. DNSlint
All DCs GUID/CNAME & IP addresses
dnslint /ad /s localhost
9. RUNAS
runas /user:<domain\username> cmd