I love PowerShell. The more I learn the better it becomes.
There are several versions of the Active Directory Schema available. You must know what version you are running to fully understand the capabilities it allows for. Below shows the different versions of the Active Directory Schema.
Windows 2000 RTM with all Service packs = Schema version 13
Windows Server 2003 RTM with all Service packs = Schema version 30
Windows Server 2003 R2 RTM with all Service packs = Schema version 31
Windows Server 2008 RTM with all Service packs = Schema version 44
Windows Server 2008 R2 RTM with all Service packs = Schema version 47
Now to see what version you are running just open up PowerShell (make sure you’ve loaded the native AD Cmdlets) and type the following:
Get-ADObject "cn=schema,cn=configuration,dc=domain_name,dc=local" -properties objectversion
Just check the objectversion results for the corresponding number above to check your schema version.
Time and time again I run into an issue that presents me with a SID which I need to resolve. I’ve used a number of tools and scripts over the years to address this issue. I think I have the best and easiest method for me to solve this issue that always seems to pop up.
If you’re new to PowerShell you will want to make sure you have it installed if you want to use this script…and yes it is a script not a command. I do this by opening a text file and renaming it from a .txt file to a .ps1 file. When you try to open a .ps1 file it may open in your text editor but for this you will want to Right Click it and select Edit which will open up whatever you have as your PowerShell editor. Copy the following code into the Script Pane:
$objSID = New-Object System.Security.Principal.SecurityIdentifier
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
Now just save this file and you can run it to return the results of the SID that you place in there. The one thing that will change is the actual SID. In this example i’m using S-1-5-21-768745588-123456789-987654321-500 which is the Well Known SID for the domain Administrator. My results should show me the friendly name. Anytime you change the SID you will have to resave the file but then just Run the script and it will show you the results.
I’m sure there is a way I could make this into an application but I”ll leave that fun for those looking to take this to the next step.
You may be familiar with the traditional ways to transfer FSMO roles but how about by using PowerShell? By now you should just know that PowerShell can do everything the GUI can do…well at least that is the way it feels to me.
If you want to use PowerShell to transfer any of your five FSMO roles (PDC Emulater, RID Master, Infrastructure Master, Domain Naming Master and Schema Master) then you will first need to import the Active Directory Module into PowerShell.
Now that you have the AD module loaded the cmdlet you will use for this is quite large – Move-ADDirectoryServerOperationMasterRole. Thankfully we have the Get-help cmdlet to help us remember that. All I need to do is remember move-ad and then I press tab to complete the rest. There is only one other cmdlet that is similar to it and you just have to remember you are trying to move the FSMO role and not the sever.
When entering the cmdlet you need to specify the operation master roles to move. the syntax for the five roles are as follows – PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, or DomainNamingMaster. To specify more than one role just separate each role with a comma.
An example of me moving the RID Master and PDC Emulater to DC2 is as follows:
Move-ADDirectoryServerOperationMasterRole -Identity "DC2" -OperationMasterRole RIDMaster,PDCEmulator
A feature that I just love in PowerShell is the –WhatIf parameter. By adding this to your code it will do a dry run and let you know what is going to change if you did the command without that parameter.
One key thing to note here is that I am NOT seizing the FSMO role. For that you will need to use NTDSUtil as defined here.
Here are two ways for you to use PowerShell to raise your Forest Functional level to Server 2008 R2:
Either way will work. Enjoy
Tip of the day today is to view your Active Directory Tombstone period while using PowerShell
The result shows up in days…very cool.
Just make sure to change dc=AdminPrep,DC=Local to match your domain.
Last night was the inaugural Arizona PowerShell user group meeting known as AZPOSH. There was well over 20 people there and a great guest speaker. Dr. Ferdinand Rios who is the CEO of Sapien Technologies spent an hour talking to us about what is new at Sapien…and wow there is some really cool stuff coming out soon. Dr. Rios is a dynamic presenter and also a coder of some of their products. He showed off an early alpha version of Visual Powershell which is perfect for a person like me that doesn’t like to remember (ok doesn’t have the mental capacity) a bunch of cmdlets and the ability to save portions of code for later use. He also showed iPowerShell which is an app for iPhones as well as the iPad. The future of that app (as long as it gets ported over to other phones) looks amazing. The ability to use a device like the iPhone or iPad to run PowerShell remotely reminds me of the old Star Trek days.
Jason and Mike both did a great job running the meeting and I’m really looking forward to where this user group is going. I know they are working on opening this up to a remote audience as well which is really intriguing for people that aren’t in the Phoenix area but still want to be part of the PowerShell community. Jason suckered me in to presenting for the July meeting…actually I’m really excited to be able to speak about Active Directory and PowerShell. Can’t wait to attend the next month’s meeting!!!
If you have been playing with the the AD PowerShell cmdlets you know that it requires a few things to run, first Windows Server 2008 R2 or Windows 7, the .NET Framework 3.5.1 and of course if you want to manage an AD domain you need Active Directory Web Services (ADWS) installed on at least one domain controller.
By the way ADWS requires TCP port 9389
So how in the world does a Windows 7 system know how to find a DC running ADWS? Well your client running PowerShell will use the normal DC locator process. First the client will determine which site it is in nltest /dsgetsite and then it will determine the closest DC nltest /dsgetdc:<FQDN Domain>. It is looking at the DC for the following flag:
More info on that flag can be found here.
Now what if you don’t have Server 2008 R2 DCs? With Server 2003 and Server 2008 a problem occurs because the Net Logon service of those domain controllers does not recognize the DS_WEB_SERVICE_REQUIRED flag. There are two hotfixes (one for what ever version of AD you are running) available to fix that in those environments. Server 2003 and Server 2008
After you install this hotfix the AD PowerShell module and Active Directory Administrative Center will be able to locate DCs that have Active Directory Management Gateway Service installed, similar to Active Directory Web Services (ADWS) on a Windows Server 2008 R2-based computer.
Did I say free? You bet I did. Microsoft has done this for quite some time now and is something everyone should take advantage of. Especially in today’s economy where training budgets are getting slashed.
Here are three great labs that you can use to learn all about Server 2008 R2’s Active Directory.
Do you have any cool free training resources?
With PowerShell 2.0 being released with Windows 7 and Server 2008 R2 there are plenty of fun stuff to do. Although what I”m about to show you is not specific to PoSh 2.0 but it a great way to pull info from the Event Viewer.
When I’m presented with a problem on a server one of the first place I go is the Event Viewer. Sure there are ways to filter it but I’d always wanted a way to dump that filter into another file to review later on another system. PowerShell gives you a great method for displaying events as well as saving those results to a file.
The Event Log has several cmdlets available which can be seen here:
As you can see you can read an write to the Event Viewer here. The Get-EventLog cmdlet is a favorite of mine. With it you specify which Event Log to view and off you go. Below is an example of using that command and showing how to only list the first 20 events.
Get-Eventlog -Logname System -Newest 20
Now if you want to save that you have several options. You can save it as a text, htm or csv file. Realize it may take awhile to build the whole file. Below show the commands needed to output the files.
Get-Eventlog System | Out-file c:Tempsystem.txt
Get-Eventlog System | ConvertTo-html | Out-file c:Tempsystem.htm
Get-Eventlog System | ConvertTo-csv| Out-file c:Tempsystem.csv
The great thing is you don’t have to show everything. If you want you can filter by the Event ID by using the –instanceid switch. Below is an example.
Get-Eventlog System -instanceid 4 | Out-file c:TempEventID4.txt
As you can see PowerShell is really handy when it comes to EventLog management. The best part is I haven’t even talked about Remoting. You can use PowerShell to remote into other machines in your environment running PowerShell 2. But that is another story…