PowerShell Script to Query UserAccountControl Flags

One of the services I provide as a Premier Field Engineer is performing health and security assessments in a customer’s environment and providing them a detailed report.  Recently I was performing an Offline Assessment for Active Directory Security for a customer and several accounts were flagged that had some non-standard userAccountControl flags set. The user…

Understanding and Managing the Certificate Stores Used for Smart Card Logon

Recently I was onsite helping a customer clean up some certificates related to smart card logon.  One of the things I find challenging about PKI and specifically about smart card logon is remembering how and where to publish certificates.  It seems like every time I work on an issue related to smart card logon and…

How to Query Active Directory to Determine the Schema Version

You can query Active Directory to determine the schema version as shown below.  Replace “dc=domainname” with your information:

    dsquery * cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr objectVersion

The PowerShell version below does not require any customization:

    Get-ADObject (get-adrootdse).schemaNamingContext -Property objectVersion

The table below shows Active Directory schema versions. Windows 2000 Server 13 Windows 2003…

How to Create Custom Active Directory LDAP Searches

A nice feature in Windows Server Active Directory is the ability for an administrator to create saved queries in Active Directory Users & Computers to return common information within the Directory.  The queries you can create through the GUI are pretty basic, so to get the real benefit you need to create a “Custom Search”, click the…

Testing Global Catalog Server Connectivity

Occasionally I’ll run into a situation where a workstation hangs or fails when trying to retrieve information from Active Directory (AD).  In some cases the problem presents itself when running DSQUERY to query for Active Directory data.  In other cases it can manifest itself as an Exchange address book lookup issue since the Global…

Testing Domain Controller Connectivity Using PORTQRY

One common problem I see with Active Directory implementations is an Active Directory topology that is not fully routable.  In a fully routable environment every domain controller (DC) can communicate with every other DC.  While most customers “think” they have a fully routable environment in reality they do not.  In some cases there are multiple firewalls…

Active Directory Troubleshooting Resources

Articles

Troubleshooting Active Directory-Related DNS Problems
http://blogs.msdn.com/controlpanel/blogs/posteditor.aspx?SelectedNavItem=NewPost&sectionid=7213&bpt=1

Troubleshooting Active Directory Replication Problems
http://technet2.microsoft.com/WindowsServer/en/library/4f504103-1a16-41e1-853a-c68b77bf3f7e1033.mspx

Additional Resources for Troubleshooting Active Directory
http://technet2.microsoft.com/WindowsServer/en/library/019a8a46-05eb-4969-b0e7-df48355184c11033.mspx

Repadmin Examples
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/a103036b-5d82-4d99-8e61-23d434a8e6eb.mspx

How to configure Active Directory diagnostic event logging in Windows Server
http://support.microsoft.com/kb/314980/en-us

332199 – Domain controllers do not demote gracefully when you use the Active Directory Installation Wizard to force demotion in Windows Server 2003 and in…