Active Directory my personal notes

Intro

I will put here everything that I find useful about Active Directory.

Configure DNS

I never remember the order of definition of DNS.

Let's say we have two AD servers :

• SRVAD1 : 192.168.1.10
• SRVAD2 : 192.168.1.20

what should be the correct dns configuration? The answer is :

Commands

Tests

• Analyzes the state of domain controllers and reports any problems to help in troubleshooting :

PS C:\ > dcdiag

• Run dns, replications or netlogons tests only :

PS C:\ > dcdiag /test:dns

PS C:\ > dcdiag /test:replications

PS C:\ > dcdiag /test:netlogons

• Displays the replication status :

PS C:\ > repadmin /showrepl

• Identifies domain controllers that are failing inbound replication or outbound replication, and summarizes the results in a report :

PS C:\ > repadmin /replsum

Misc

• Synchronizes a domain controller with all of its replication partners :

PS C:\ > repadmin /syncall

Move fsmo roles

• Show current list of operations master role holders with associates servers :

PS C:\ > netdom query /domain:std.local fsmo

Dos method (old) :

PS C:\ > ntdsutil
ntdsutil:
ntdsutil: roles
fsmo maintenance:
fsmo maintenance: connections
server connections:server connections: connect to server SRVAD
Binding to ad ...
Connected to ad using credentials of locally logged on user.
server connections:
server connections: q
fsmo maintenance:
Transfer naming master
Transfer infrastructure master
Transfer PDC
Transfer RID master
Transfer schema master

PowerShell method (New) :

• Check current configuration :

PS C:\ > Get-ADDomainController -Server SRVAD | Select-Object -ExpandProperty OperationMasterRoles

PS C:\ > Get-ADForest std.local -Server SRVAD | format-list schemamaster,domainnamingmaster

• Transfer fsmo roles in one command :

PS C:\ > Move-ADDirectoryServerOperationMasterRole -Identity SRVAD -OperationMasterRole pdcemulator,ridmaster,infrastructuremaster,schemamaster,domainnamingmaster

Rename DC

⚠️ Renaming a DC is a sensitive operation, so make sure you have at least one backup and/or a second domain controller before making any changes. ⚠️

Check :

• Lists the primary name or any alternate names :

PS C:\ > Netdom computername SRVAD /ENUMerate

• Checks if there is a DNS record and a service principal name (SPN) for a computer name :

PS C:\ > Netdom computername SRVAD /verify

Quick but unsafe :

Here we ask directly for name change, if the process fails we can brick our DC.

• Rename DC :

PS C:\ > netdom renamecomputer SRVOLD /NewName:SRVAD

Slow but safer :

Here we add a secondary name first, if the process fails we still have a valid name that should work.

• Add a secondary name :

PS C:\ > Netdom computername SRVAD /add:SRVAD2.std.local

• Make secondary name as primary name :

PS C:\ > Netdom computername SRVAD /makeprimary:SRVAD2.std.local

• Remove old name :

PS C:\ > Netdom computername SRVAD2 /remove:SRVAD.std.local

Hardening Active Directory

In its default configuration Active Directory is not really secure, to harden its configuration we can use the PingCastle tool.

• Go to the official page and download the tool :

• Uncompress and double click to PingCastle.exe to start the tool :

• Press enter to healtcheck-Score :

• Press enter to investigate :

• Once the task end press enter to close the command prompt :

• Go back to the uncompressed folder and open the html report :

• Read the html report to correct the weakness :