Active Directory and DNS


Export User List to CSV File from Active Directory using PowerShell

posted 26 Oct 2016, 04:01 by Tristan Self

Here is a one-liner that does this (the search base is the post's example; substitute your own OU):

Get-ADUser -SearchBase "OU=Users,OU=Stuff,DC=domain,DC=co,DC=uk" -Filter {enabled -eq $true} -Properties GivenName,Surname,Department,Company,EmailAddress | Select-Object GivenName,Surname,Department,Company,EmailAddress | Export-Csv -Path 'c:\export.csv' -NoTypeInformation

Check if two domain controllers are in-sync

posted 18 Sep 2015, 06:30 by Tristan Self

PROBLEM: You need to check if two domain controllers are in sync with each other.

SOLUTION: To do this you need to understand a bit about how Active Directory reports whether a domain controller's replication is in sync. There is something called the up-to-dateness vector (UTDV), which is essentially a USN (update sequence number) recorded per domain controller, representing the latest version of the Active Directory database that each domain controller believes it has seen.

If you interrogate DC01 and it reports its own USN (i.e. its UTDV entry for itself) as 1552480, and you then interrogate DC02 and it reports DC01's USN as 1552480, you can conclude that the two domain controllers are in sync.

So to check this, run the command below against each domain controller, DC01 and DC02, in turn:

> repadmin /showutvec DC01 dc=domain,dc=local

SITE1\DC01                    @ USN 1552480 @ Time 2011-02-13 13:09:30
SITE2\DC02                    @ USN 1438130 @ Time 2011-02-13 12:57:31

> repadmin /showutvec DC02 dc=domain,dc=local

SITE1\DC01                    @ USN 1552123 @ Time 2011-02-13 13:03:29
SITE2\DC02                    @ USN 1438145 @ Time 2011-02-13 13:57:31

So in this example the USNs (up-to-dateness vectors) are not the same, so the domain controllers are not in sync: DC01 thinks its USN (UTDV) is 1552480, while DC02 thinks DC01's USN is 1552123. Now in the example below:

> repadmin /showutvec DC01 dc=domain,dc=local

SITE1\DC01                    @ USN 1552505 @ Time 2011-02-13 13:18:40
SITE2\DC02                    @ USN 1438188 @ Time 2011-02-13 13:15:37

> repadmin /showutvec DC02 dc=domain,dc=local

SITE1\DC01                    @ USN 1552505 @ Time 2011-02-13 13:16:37
SITE2\DC02                    @ USN 1438224 @ Time 2011-02-13 13:19:31

DC01 thinks its USN is 1552505, and DC02 also thinks DC01's USN is 1552505, meaning they are in sync.

However, you'll notice that DC01 thinks DC02's USN is 1438188 while DC02 thinks its own USN is 1438224. Because DC02 has a higher USN than DC01 has recorded for it, there are un-replicated changes waiting to go from DC02 to DC01.
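The comparison described above, scripted as an added example (this is not code from the original post). It parses the output format the post shows, builds each domain controller's vector, and applies the post's rule in both directions. The two sample outputs are constructed copies of the post's first (out-of-sync) example; on a live system you would capture the output of the repadmin command instead (the switch is documented in current Windows versions as repadmin /showutdvec, and the naming context dc=domain,dc=local is the post's placeholder).

```powershell
# Added example, not from the original post: compare up-to-dateness vectors from two DCs.

function ConvertFrom-UtdVector {
    param([string[]]$Lines)
    $vector = @{}
    foreach ($line in $Lines) {
        # Lines look like:  SITE1\DC01   @ USN 1552480 @ Time 2011-02-13 13:09:30
        if ($line -match '^\s*(\S+)\s+@ USN\s+(\d+)\s+@ Time') {
            $dc = ($Matches[1] -split '\\')[-1]   # drop the SITE\ prefix
            $vector[$dc] = [int64]$Matches[2]
        }
    }
    return $vector
}

function Compare-UtdVector {
    param(
        [string]$DcA, [hashtable]$VectorA,
        [string]$DcB, [hashtable]$VectorB
    )
    # Rule from the post: a DC's own changes are in sync when the USN it reports for
    # itself equals the USN its partner has recorded for it. If the owner's USN is
    # higher, that many changes are still waiting to replicate to the partner.
    foreach ($pair in @(@($DcA, $VectorA, $VectorB), @($DcB, $VectorB, $VectorA))) {
        $owner, $own, $other = $pair
        $selfUsn = $own[$owner]
        $seenUsn = $other[$owner]
        if ($selfUsn -eq $seenUsn) {
            "$owner : in sync (USN $selfUsn)"
        } elseif ($selfUsn -gt $seenUsn) {
            "$owner : $($selfUsn - $seenUsn) USN(s) of changes not yet replicated from $owner (own $selfUsn, partner has $seenUsn)"
        } else {
            "$owner : partner has a higher USN ($seenUsn) for $owner than $owner itself reports ($selfUsn); investigate, this should not normally happen"
        }
    }
}

# Constructed sample output in the post's format (the post's first, out-of-sync example).
$dc01Output = @(
    'SITE1\DC01                    @ USN 1552480 @ Time 2011-02-13 13:09:30',
    'SITE2\DC02                    @ USN 1438130 @ Time 2011-02-13 12:57:31'
)
$dc02Output = @(
    'SITE1\DC01                    @ USN 1552123 @ Time 2011-02-13 13:03:29',
    'SITE2\DC02                    @ USN 1438145 @ Time 2011-02-13 13:57:31'
)
# Live use instead of the constructed samples (assumes repadmin is on the path):
#   $dc01Output = repadmin /showutdvec DC01 dc=domain,dc=local
#   $dc02Output = repadmin /showutdvec DC02 dc=domain,dc=local

Compare-UtdVector -DcA 'DC01' -VectorA (ConvertFrom-UtdVector $dc01Output) `
                  -DcB 'DC02' -VectorB (ConvertFrom-UtdVector $dc02Output)
```

With the constructed input this reports DC01 as 357 USNs ahead of what DC02 has seen, and DC02 as 15 USNs ahead of what DC01 has seen, which is the "not in sync" verdict the post reaches by reading the two listings by eye.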

Set a specific AD attribute with PowerShell

posted 14 May 2015, 06:32 by Tristan Self

So, as an example, say you want all the users in the OU called "Users" to have extensionAttribute10 set to the value "student". To do this you can run the script below (the search base is the post's example; substitute your own OU):

# Get every user object below the target OU
$users = Get-ADUser -Filter * -SearchScope Subtree -SearchBase "OU=Users,DC=domain,DC=co,DC=uk" | Select-Object DistinguishedName, SamAccountName

foreach ($i in $users)
{
    $id = $i.DistinguishedName
    # Read the current value first so the before-state is visible in the output
    $extattrib2 = Get-ADUser -Identity $id -Properties extensionAttribute10 | Select-Object -ExpandProperty extensionAttribute10
    Write-Host $i.SamAccountName,"-",$extattrib2
    # extensionAttribute10 is single-valued, so use -Replace: it sets the value whether or not
    # one is already present (-Add errors for any user who already has a value)
    Set-ADUser -Identity $i.SamAccountName -Replace @{extensionAttribute10 = "Student"}
}


Getting a specific attribute about each AD User using PowerShell

posted 14 May 2015, 06:16 by Tristan Self

Using PowerShell you can get the value of a specific attribute of a user. To do this run the script below; it will get all the user objects in the OU called "Users" and display the sAMAccountName and extensionAttribute10 attribute of each.

# Get every user object below the target OU (the search base is the post's example; substitute your own)
$users = Get-ADUser -Filter * -SearchScope Subtree -SearchBase "OU=Users,DC=domain,DC=co,DC=uk" | Select-Object DistinguishedName, SamAccountName

foreach ($i in $users)
{
    $id = $i.DistinguishedName
    # extensionAttribute10 is not returned by default, so ask for it explicitly with -Properties
    $extattrib2 = Get-ADUser -Identity $id -Properties extensionAttribute10 | Select-Object -ExpandProperty extensionAttribute10
    Write-Host $i.SamAccountName,"-",$extattrib2
}

Tracking Down Cause of Locked Active Directory Account

posted 17 Jul 2014, 02:20 by Tristan Self

With the prevalence of mobile devices this is becoming more of a problem: you have a user who comes in every day and swears blind that nothing has the wrong password, but something is locking them out.

Here is how to track it down:

1. First, make sure your domain controllers are logging the right events. Ensure your "Default Domain Controllers Policy" has these settings, or create a new GPO linked at the same level and set the settings under it as follows:

Default Domain Controllers Policy->Policies->Windows Settings->Security Settings->Local Policies/Audit Policy
  • Audit Account Logon Events = Failure
  • Audit Account management = Success, Failure
  • Audit Directory Service Access = Failure
  • Audit Logon Events = Failure
  • Audit Object Access = No Auditing
All other settings should not be set to "undefined."

2. If you made changes, wait for the policy to apply; it shouldn't take long.

3. All being well, you'll now see new "Audit Failure" events logged in the domain controller's "Security" log; these are people getting their password wrong.

4. Now download the Account Lockout tool: http://www.microsoft.com/en-gb/download/details.aspx?id=15201

5. Run this on the server, selecting the target user (the person being locked out) and the domain. It will tell you which domain controllers are seeing the lockout.

6. Connect to that server and investigate its event log, specifically the "Security" log.

7. To filter the log you can do one of two things. One: click "Filter Current Log..." and enter the event ID 4771 (Windows 2008).

Alternatively, click the "XML" tab and enter a query such as the following (substitute the locked-out account for USERNAME):

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name='TargetUserName']="USERNAME"]]</Select>
  </Query>
</QueryList>

This will show you where the lockouts are coming from, including the IP address of the device; from there you can track it down through DHCP to get a MAC address.
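The same search done from PowerShell, as an added example that is not part of the original post. It pulls Kerberos pre-authentication failures (event 4771) and account lockouts (event 4740) for one user from a domain controller's Security log and reports the source of each, which is the information the post's XML filter exposes in Event Viewer. It assumes you run it with rights to read the DC's Security log; DC01 and USERNAME are placeholders for the domain controller the Account Lockout tool pointed you at and the account being locked out.

```powershell
# Added example, not from the original post: find where a user's bad-password
# attempts and lockouts are coming from, by reading the DC Security log.

function Get-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$Dc,      # domain controller to query
        [Parameter(Mandatory)][string]$User,    # sAMAccountName being locked out
        [int]$Hours = 24                        # how far back to look
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4771, 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $Dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read EventData fields by name from the event XML rather than parsing the
            # Message text, which varies with locale and event version.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['TargetUserName'] -ne $User) { return }   # skip other accounts

            # 4771 carries the client address in IpAddress (often as ::ffff:x.x.x.x);
            # 4740 carries the caller's computer name in TargetDomainName.
            if ($_.Id -eq 4771) {
                $source = $data['IpAddress'] -replace '^::ffff:', ''
            } else {
                $source = $data['TargetDomainName']
            }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                User    = $data['TargetUserName']
                Source  = $source
                Status  = $data['Status']    # on 4771, 0x18 means a wrong password
            }
        }
}

# Usage: list the events in time order
#   Get-LockoutSource -Dc 'DC01' -User 'USERNAME' | Sort-Object Time | Format-Table -AutoSize
# Usage: rank the sources to find the device that keeps failing
#   Get-LockoutSource -Dc 'DC01' -User 'USERNAME' | Group-Object Source | Sort-Object Count -Descending
```

Once you have the IP address or computer name with the most failures, the DHCP lookup the post describes gives you the MAC address of the device.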




How to add Lync 2010 SRV records to Ja.net DNS via admin.dns.ja.net

posted 21 Nov 2012, 08:49 by Tristan Self   [ updated 21 Nov 2012, 08:52 ]

This can be a bit tricky as it is not obvious how you add them.
 
Follow the below:
 
1. Log on to the admin.dns.ja.net console, then click on the forward zone you want to add the records to, e.g. mycollege.ac.uk.
2. Now click on the "Service Address" records section.
3. Now enter the settings as shown below, obviously substituting the settings your Microsoft Office 365 or Lync administrator has provided.
 
The key thing to remember is that you don't enter the "_" underscore in front of the "sip" or "sipfederationtls" records. If you do, it will add two underscores and the record won't resolve properly.
 
4. Now you can verify it as follows:
 
a) Start, Run, CMD.
b) nslookup
c) set type=all
d) server 208.67.222.222 (or your favourite DNS resolver!)
e) Now to query, enter something like this:
    _sip._tls.mycollege.ac.uk.
    _sipfederationtls._tcp.mycollege.ac.uk.
 
You should see the result of the resolution as an SRV service location record, with the settings as applied above.
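The verification in step 4, as an added example that is not from the original post: it uses Resolve-DnsName instead of an interactive nslookup session, reports the target, port, priority and weight of each SRV record, and, when a record is missing, checks for the double-underscore name the post warns the console produces if you type the leading "_" yourself. mycollege.ac.uk and 208.67.222.222 are the post's placeholders; the exact form of the doubled name is an assumption.

```powershell
# Added example, not from the original post: check the two Lync SRV records.

function Test-LyncSrvRecords {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$Resolver = '208.67.222.222'   # the post's example public resolver
    )
    foreach ($name in @("_sip._tls.$Domain", "_sipfederationtls._tcp.$Domain")) {
        $records = Resolve-DnsName -Name $name -Type SRV -Server $Resolver -DnsOnly -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'SRV' }
        if (-not $records) {
            # Assumed shape of the mistake the post describes: a second leading underscore.
            $doubled = $name -replace '^_', '__'
            $hit = Resolve-DnsName -Name $doubled -Type SRV -Server $Resolver -DnsOnly -ErrorAction SilentlyContinue
            if ($hit) {
                Write-Warning "$name not found, but $doubled exists: remove the extra underscore in the console"
            } else {
                Write-Warning "$name : no SRV record returned by $Resolver"
            }
            continue
        }
        foreach ($r in $records) {
            [pscustomobject]@{
                Name     = $name
                Target   = $r.NameTarget
                Port     = $r.Port
                Priority = $r.Priority
                Weight   = $r.Weight
            }
        }
    }
}

# Usage: Test-LyncSrvRecords -Domain 'mycollege.ac.uk'
```

Querying a public resolver rather than your own DNS server, as the post does with nslookup, confirms the records as the outside world sees them; a freshly added record may still be absent there until the zone change has propagated.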
 
 
 

Microsoft Windows 2008 R2 Domain Controller with DNS Server Fails to Resolve Some External Domains

posted 13 Aug 2011, 09:30 by Tristan Self   [ updated 13 Aug 2011, 09:37 ]

Upon the setup of new Windows 2008 R2 DNS servers there is a problem where DNS lookups for some external domains fail; internal domain name resolution is unaffected.

Restarting the DNS Server service (or the whole server) resolves the problem, as does clearing the cache.

When the problem is happening, an nslookup command issued for an affected name returns the error "server failed". A network trace shows that the DNS server does not send any traffic for such a request to the Internet. No events related to the problem are reported in the DNS event log.

There are two DNS-related fixes to apply on the servers to ensure that DNS works correctly for external domain name resolution. Once both are applied the server needs to be rebooted.

I've applied these hotfixes and the problems with DNS resolution for some domains that intermittently fail have gone away.

Hotfix Update 1 to be Applied

You need to apply the hotfix defined here: http://support.microsoft.com/kb/2549656. Once it is installed, reboot the server.

http://support.microsoft.com/kb/2508835 (this should work, but it doesn't). So for now this hasn't been installed; upon attempting to install the update, it says the system doesn't support it.

Hotfix Update 2 to be Applied

This isn't the application of a patch so much as a change of a setting; the problem is described well in the excerpt from a website shown below:

PROBLEM:

The cause of this problem is that in EU countries (and certain other TLDs outside the USA), nameserver records are typically cached for more than 1 day. SBS2008 has a cap on the maximum time that it will allow nameserver records to be cached, which defaults to 1 day. This default works fine in the USA, but when the .uk and .eu records become stale, they are not deleted from the cache but are no longer returned as valid records. Therefore, they effectively prevent DNS lookups in those TLDs from succeeding until the records expire and are deleted from the cache, or the DNS Server service is restarted.

The fix is to increase the maximum Time To Live (TTL) setting in the DNS server so that it recognises records older than 1 day. Experience has shown that setting the value to 4 days is usually enough, but the maximum setting is 30 days.

WORKAROUND:

1. This problem can be temporarily resolved by restarting the DNS Server service or by clearing the DNS cache on the DNS server. – YUK, don't like this!

2. Permanent resolutions include: increasing the maximum DNS cache TTL value, or reconfiguring the DNS server to use DNS forwarders instead of relying on root hints. – This is a possible option, but why should we stop using root hints just because of a Microsoft oddity? So I've gone with the solution below. However, if all else fails I may need to use this and reconfigure forwarders on all our DNS servers to point at the ISP's DNS resolvers.

SOLUTION:

To resolve the issue and continue using root hints, change the MaxCacheTTL registry value to 2 days or greater. 

1.    Start Registry Editor (regedit.exe).

2.    Locate the following registry key:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

3.    On the Edit menu, click New, click DWORD (32-bit) Value, and then add the following value:

            Value: MaxCacheTTL

            Data Type: DWORD

            Data value: 0x2A300 (172800 seconds in decimal, or 2 days)

4.    Click OK.

5.    Quit Registry Editor.

6.    Restart the DNS Server service.
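The same registry change made with PowerShell rather than regedit, as an added example that is not from the original post. It shows the value currently in force before touching anything, writes the post's 2-day value (or another number of seconds), and restarts the DNS Server service only when something actually changed. It assumes an elevated PowerShell session on the DNS server itself.

```powershell
# Added example, not from the original post: set MaxCacheTTL and restart DNS.

function Set-DnsMaxCacheTtl {
    param([uint32]$Seconds = 172800)   # 0x2A300 = 172800 seconds = 2 days, the post's value

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $current = (Get-ItemProperty -Path $key -Name MaxCacheTTL -ErrorAction SilentlyContinue).MaxCacheTTL

    if ($null -eq $current) {
        Write-Host "MaxCacheTTL is not set (the service default is 1 day); creating it"
    } else {
        $days = [math]::Round($current / 86400, 2)
        Write-Host "MaxCacheTTL is currently $current seconds ($days days)"
    }
    if ($current -eq $Seconds) {
        Write-Host "Already set to $Seconds seconds; nothing to do"
        return
    }

    # -Force makes New-ItemProperty overwrite an existing value, so this handles both
    # the "not yet present" and "present with a different value" cases.
    New-ItemProperty -Path $key -Name MaxCacheTTL -PropertyType DWord -Value $Seconds -Force | Out-Null

    # The value is only read when the DNS Server service starts, so restart it.
    Restart-Service -Name DNS
    Write-Host "MaxCacheTTL set to $Seconds seconds; DNS Server service restarted"
}

# Usage:
#   Set-DnsMaxCacheTtl                   # 2 days, as in the post's registry steps
#   Set-DnsMaxCacheTtl -Seconds 345600   # 4 days, the value the quoted excerpt says is usually enough
```

Restarting the service also empties the cache, which is why the change takes effect for the stale .uk and .eu records immediately rather than after they expire.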


Configuring and Troubleshooting Active Directory

posted 12 Jun 2011, 07:24 by Tristan Self

While setting up my new domain controllers, I came across this site, which looks to offer some good tips about AD:

http://www.tech-faq.com/configuring-and-troubleshooting-active-directory-replication.shtml
