I will put here everything that I find useful about Active Directory.
I never remember the order in which the DNS servers should be defined.
Let's say we have two AD servers:
What should be the correct DNS configuration? The answer is:
PS C:\ > dcdiag
PS C:\ > dcdiag /test:dns
PS C:\ > dcdiag /test:replications
PS C:\ > dcdiag /test:netlogons
PS C:\ > repadmin /showrepl
PS C:\ > repadmin /replsum
PS C:\ > repadmin /syncall
PS C:\ > netdom query /domain:std.local fsmo
PS C:\ > ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server SRVAD
Binding to ad ...
Connected to ad using credentials of locally logged on user.
server connections: q
fsmo maintenance: Transfer naming master
fsmo maintenance: Transfer infrastructure master
fsmo maintenance: Transfer PDC
fsmo maintenance: Transfer RID master
fsmo maintenance: Transfer schema master
PS C:\ > Get-ADDomainController -Server SRVAD | Select-Object -ExpandProperty OperationMasterRoles
PS C:\ > get-adforest std.local -Server SRVAD | format-list schemamaster,domainnamingmaster
PS C:\ > Move-ADDirectoryServerOperationMasterRole -Identity SRVAD -OperationMasterRole pdcemulator,ridmaster,infrastructuremaster,schemamaster,domainnamingmaster
⚠️ Renaming a DC is a sensitive operation, so make sure you have at least one backup and/or a second domain controller before making any changes. ⚠️
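As an added example (not from the original notes), a pre-flight script that combines the checks above before a role transfer or a rename: it counts the domain controllers, lists the five FSMO role holders and confirms each one answers on LDAP, then looks for replication failures. It assumes the domain std.local used in the notes and the RSAT ActiveDirectory module.

```powershell
# Added pre-flight check, not part of the original notes.
# Assumes: domain std.local (from the notes), RSAT ActiveDirectory module installed,
# and a session that can query the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain -Identity 'std.local'
$forest = Get-ADForest -Identity $domain.Forest
$dcs    = @(Get-ADDomainController -Filter * -Server $domain.PDCEmulator)

# 1. A rename or role move on the only DC leaves no fallback: warn loudly.
if ($dcs.Count -lt 2) {
    Write-Warning "Only $($dcs.Count) domain controller found in $($domain.DNSRoot); add a second DC or take a backup first."
}

# 2. Collect the five FSMO role holders (same data as netdom query fsmo).
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# 3. Every holder must answer on LDAP (389): a clean transfer needs the current
#    holder online; seizing (-Force) is only for a holder that is gone for good.
foreach ($r in $roles.GetEnumerator()) {
    $ok = Test-NetConnection -ComputerName $r.Value -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
    '{0,-22} {1,-25} {2}' -f $r.Key, $r.Value, $(if ($ok) { 'reachable' } else { 'UNREACHABLE' })
}

# 4. Replication must be healthy before changing anything (the cmdlet form of repadmin /replsum).
$replFailures = Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain
if ($replFailures) {
    $replFailures | Format-Table Server, Partner, FailureCount, FirstFailureTime -AutoSize
} else {
    'No replication failures reported.'
}
```

Run it from an elevated PowerShell on a DC or an admin workstation; any UNREACHABLE holder or listed replication failure is a reason to stop before the netdom commands below.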
PS C:\ > Netdom computername SRVAD /ENUMerate
PS C:\ > Netdom computername SRVAD /verify
Here we ask directly for a name change; if the process fails we can brick our DC.
PS C:\ > netdom renamecomputer SRVOLD /NewName:SRVAD
Here we add a secondary name first; if the process fails we still have a valid name that should keep working.
PS C:\ > Netdom computername SRVAD /add:SRVAD2.std.local
PS C:\ > Netdom computername SRVAD /makeprimary:SRVAD2.std.local
PS C:\ > Netdom computername SRVAD2 /remove:SRVAD.std.local
In its default configuration Active Directory is not really secure. To assess and harden its configuration we can use the PingCastle tool.