Active Directory Domain Services Command Fu, Part 1

Reading Time: 5 minutes

As some systems administrators have already found out, on Microsoft Windows Servers some tasks cannot be performed using the Graphical User Interface (GUI). Although multiple vendors have released graphical tools to make these tasks even more tedious easier for the typical click-on-through Windows Admin, these tasks can easily be performed using the built-in command tools. Also, some queries for information using the built-in graphical tools can result in numerous clicks, ending with information scattered throughout management consoles and screens.

I think every self-respecting Active Directory Domain Services Admin should know the command-line equivalents of 3rd party tools or needlessly complex click sequences.

Even when you’re comfortable using them, it wouldn’t hurt to show off some Active Directory Domain Services Command Fu, would it? Then again, only the more advanced stuff in Active Directory Domain Services is hidden from plain sight. Unless you’re aiming on using ldp.exe or adsiedit.msc all the time to hack your way through your Active Directory jungle and if you’re truly aiming for that senior Active Directory admin position, you should keep reading! [H]

So, to kick off this series, the following three Active Directory Domain Services management tasks, applicable to all current Domain and Forest Functional Levels, cannot or cannot be easily performed using the built-in Graphical User Interface (GUI), but instead rock on the command line!

In this blogpost:

CommandNinja[9][2][2]

Creating custom application partitions

ADSiteCommand-line tool to use:

  • dnscmd.exe
  • ntdsutil.exe

Replication in Active Directory is controlled through application directory partitions. An application directory partition is a directory partition that can be used to replicate changes only to specific domain controllers. Application directory partitions are particularly useful when controlling the Domain Controllers to which you want to replicate Active Directory-integrated DNS Zones, since some companies have requirements beyond the DomainDnsZones and ForestDnsZones application partitions available by default.

Tip!
To gain access to dnscmd.exe on a Windows 2000 Server you need to install the Resource Kit tools. a separately downloadable dnscmd.exe for usage on Windows 2000 Server is available here.

However, creating custom application directory partitions cannot be done using the Graphical User Interface (GUI). You will need to create a custom application directory partitions using dnscmd.exe /createdirectorypartition first, before you can change the replication scope of DNS to it.

While that last part can actually be performed using the Graphical User Interface, you can also use dnscmd.exe /enlistdirectorypartition to complete the task on the command line.

Alternatively, you can also use the built-in commands within the domain management context in ntdsutil.exe to delete or create directory partitions and add or remove replicas to or from the directory partition.

More information on custom application partitions:

 

Quering Group Policy Replication Health

GPMc Command-line tool to use:

  • gpotool.exe

Group Policy Objects (GPOs) typically consist of a Group Policy Container (stored within Active Directory under CN=Policies,CN=System,DC=Domain,DC=tld) and a Group Policy Template. (stored within the System Volume, SYSVOL in the Policies file folder)

When replicating the versions of the Group Policy Container (GPC) and Group Policy Template (GPT) might get skewed. When the version numbers don’t match, the Group Policy doesn’t get applied.

While you can check the versions and health of the Group Policy Object (GPO) using the Group Policy Management Console (GPMC) where you’d check the version tab, the GPMC is a download on most downlevel versions of Windows Server.

Using the Group Policy Verification Tool (gpotool.exe) you can check the health of Group Policy Objects (GPOs). Going one step further, using gpotool.exe with the /verbose switch, adds version information to the output.

Tip!
For Windows Server 2003, the Group Policy Verification Tool is part of the Windows Server 2003 deployment Tools. For Windows 2000 Serer, the Group Policy Verification Tool is part of the Windows 2000 Resource Kit.

More information on the Group Policy Verification tool:

 

Editing advanced trust properties

ADDomain Command-line tool to use:

  • netdom.exe

Active Directory Domains and Trusts, to most, are the stuff of acquisitions,mergers and worlds of distrust between groups of admins. I don’t want to diverge much in the wonderful world of trusts, but I do want to talk about editing two trust-related properties, that are essential to restructuring Active Directory forests using the Active Directory Migration Tool (ADMT):

  • SID Filtering
  • SID History

SID History is an attribute for an Active Directory object that may contain a SID, the object used to have in a former Active Directory forest or domain. You can fill the sIDHistory attribute using the the Active Directory Migration Tool (ADMT) or manually. With the sIDHistory attribute, the object may bypass Access Control Lists (ACLs).

By default on Windows Server 2003 and onwards, sIDfiltering quarantining is turned on for Active Directory external trusts. This means, the SIDHistory attribute for a user is filtered out and discarded. When creating a trust from a Pre-SP4 Windows 2000 Server-based Domain Controller you will need to enable sIDfiltering manually if you want to use it.

Note:
Performing the commands below to enable SID History and disable SID Quarantining may post a security risk. When an attacker manually fills the sIDHistroy attribute, the attacker may gain unauthorized rights over the trust.

To disable SID Filtering quarantining and enable SID History use the following commands:

Netdom trust TrustingDomain.tld /domain: TrustedDomain.tld
/quarantine:No

Netdom trust TrustingDomain.tld /domain: TrustedDomain.tld
/enableSIDHistory:Yes

More information on Active Directory trusts:

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.