Domain Controller
Mastering DsQuery: Fast Domain Controller Auditing

Using the GUI to find specific servers in a large forest can be time-consuming. DsQuery Server provides a lightning-fast way to extract this data directly from the Command Prompt. Whether you need a list of Global Catalogs or want to find the Schema Master, these commands will save you hours of clicking.
1. Locating Domain Controllers in the Forest
To get a quick list of every DC across all domains in your entire forest, you can use the -Forest switch.
- To get the full Distinguished Name (DN):
DsQuery Server -Forest
- To get just the Relative Distinguished Name (RDN):
DsQuery Server -o rdn -Forest
2. Targeting a Specific Domain
If you only want to see the controllers within a specific domain, use the -domain switch: DsQuery Server -domain lazyadminblog.com
3. Finding Global Catalog (GC) Servers
Global Catalogs are vital for forest-wide searches. To find which DCs in a specific domain are configured as GCs: DsQuery Server -domain lazyadminblog.com -isgc
4. Finding FSMO Role Holders
Instead of opening multiple MMC snap-ins, you can find the FSMO role holders directly. For example, to find the server holding the Schema Master role for the forest: DsQuery Server -Forest -hasfsmo schema
Note: You can replace schema with naming, pdc, rid, or infrastructure to find other role holders.
5. Exporting your Results
The most useful way to use DsQuery is to pipe the results into a text file for documentation or further scripting. Use the > operator to save your output: DsQuery Server -Forest > C:\Logs\AllDCs.txt
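An added example (not part of the original post) that wraps the DsQuery calls above into one audit script and writes a dated report; the domain name, output path and the documented short FSMO keywords used by dsquery.exe are noted in the comments:

```powershell
# Added example (not from the original post): a forest-wide DC audit built on the
# DsQuery commands above. Assumes dsquery.exe is on the PATH and read access to AD.
$Domain  = 'lazyadminblog.com'                                       # placeholder domain
$OutFile = "C:\Logs\DC-Audit-$(Get-Date -Format yyyyMMdd-HHmm).txt"  # placeholder path

function Invoke-DsQuery {
    param([string[]]$Arguments)
    # Run dsquery and return trimmed, non-empty lines; DN output is quoted, so strip the quotes.
    $lines = & dsquery.exe $Arguments 2>&1 | ForEach-Object { $_.ToString() }
    if ($LASTEXITCODE -ne 0) { throw "dsquery $($Arguments -join ' ') failed: $($lines -join ' ')" }
    @($lines | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ })
}

$report = New-Object System.Collections.Generic.List[string]
$report.Add("DC audit generated $(Get-Date -Format s)")

# 1. Every DC in the forest by RDN: an unfamiliar hostname here deserves a closer look.
$allDcs = Invoke-DsQuery @('server', '-o', 'rdn', '-forest')
$report.Add(""); $report.Add("[Forest DCs: $($allDcs.Count)]")
foreach ($dc in $allDcs) { $report.Add("  $dc") }

# 2. Global Catalogs in the chosen domain.
$gcs = Invoke-DsQuery @('server', '-domain', $Domain, '-isgc')
$report.Add(""); $report.Add("[Global Catalogs in $Domain]")
foreach ($gc in $gcs) { $report.Add("  $gc") }

# 3. FSMO role holders. dsquery's documented role keywords are schema, name, infr, pdc, rid;
#    schema and name are forest-wide, the other three belong to a domain.
$report.Add(""); $report.Add("[FSMO role holders]")
foreach ($role in 'schema', 'name') {
    $holder = Invoke-DsQuery @('server', '-forest', '-hasfsmo', $role)
    $report.Add("  forest/$role : $($holder -join ', ')")
}
foreach ($role in 'pdc', 'rid', 'infr') {
    $holder = Invoke-DsQuery @('server', '-domain', $Domain, '-hasfsmo', $role)
    $report.Add("  $Domain/$role : $($holder -join ', ')")
}

# 4. DCs in the domain that are not Global Catalogs (often unintended in small forests).
$notGc = Invoke-DsQuery @('server', '-domain', $Domain) | Where-Object { $gcs -notcontains $_ }
$report.Add(""); $report.Add("[DCs in $Domain that are NOT Global Catalogs]")
foreach ($dc in @($notGc)) { $report.Add("  $dc") }

New-Item -ItemType Directory -Force -Path (Split-Path $OutFile) | Out-Null
$report | Set-Content -Path $OutFile -Encoding UTF8
Write-Host "Report written to $OutFile"
```

Keeping successive reports lets you diff them, so a DC, GC or role holder that appears or disappears between runs is noticed rather than discovered during an outage.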
#ActiveDirectory #DsQuery #SysAdmin #WindowsServer #ITPro #CodingAdmin #ServerAudit #LazyAdmin #TechTips #DataCenter
Dcdiag Overview: The Essential Domain Controller Diagnostic Tool

If you suspect issues with Active Directory—whether it’s slow logins, replication failures, or DNS errors—the first command you should run is Dcdiag. This command-line tool analyzes the state of your Domain Controllers (DCs) across a forest or enterprise and provides a detailed report of abnormal behavior.
Why use Dcdiag?
In a Windows environment, all DCs are peers. Any DC can update the directory, and those changes must replicate to all other peers. If the replication topology is broken or the DC Locator service has inaccurate DNS information, your environment will quickly fall out of sync.
Dcdiag identifies these “silent” failures before they become major outages.
Key Functional Areas Tested
Dcdiag doesn’t just run one check; it executes a series of specialized tests:
- Connectivity: Verifies if DCs are reachable and have the necessary services running.
- Replication: Checks for latent or failed replication links between peers.
- Topology: Ensures the Knowledge Consistency Checker (KCC) has built a valid path for data to travel.
- Advertising: Confirms the DC is properly announcing its roles (Global Catalog, KDC, etc.) so clients can find it.
- DNS: Validates that the necessary resource records are present in DNS.
How to Run Dcdiag
To get the most out of the tool, you should run it with administrative credentials.
To test a single server:
dcdiag /s:DC_Name
To identify and automatically fix minor DNS/Service record issues:
dcdiag /fix
Understanding the Scope
Dcdiag is flexible. You can target:
- A Single Server: For local troubleshooting.
- A Site: To check health within a specific physical location.
- The Entire Enterprise: To ensure forest-wide health.
The LazyAdmin Lesson: Make dcdiag a part of your weekly routine. Catching a replication error on Monday is much easier than fixing a fragmented database on Friday afternoon!
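An added example (not part of the original post) of the weekly routine suggested above: it runs the five functional areas listed earlier against every DC, parses dcdiag's "passed test" / "failed test" lines into a summary, and exits non-zero when anything fails. The report directory is a placeholder, and dcdiag.exe and dsquery.exe are assumed to be on the PATH.

```powershell
# Added example (not from the original post): a weekly dcdiag sweep that condenses the
# verbose output into a pass/fail table. Assumes dcdiag.exe and dsquery.exe are on the
# PATH and the script runs with administrative credentials; the report path is a placeholder.
$ReportDir = 'C:\Logs\dcdiag'
$Tests = 'Connectivity', 'Replications', 'Topology', 'Advertising', 'DNS'

function Get-DcdiagResults {
    param([string]$Server, [string[]]$TestNames)
    # dcdiag prints one verdict line per test, for example:
    #   ......................... DC1 passed test Connectivity
    #   ......................... DC1 failed test Replications
    # Capture those lines and return one object per test, plus the raw text for later digging.
    $dcdiagArgs = @("/s:$Server") + @($TestNames | ForEach-Object { "/test:$_" })
    $output = @(& dcdiag.exe $dcdiagArgs 2>&1 | ForEach-Object { $_.ToString() })
    $results = foreach ($line in $output) {
        if ($line -match '\.{3,}\s+(?<target>\S+)\s+(?<verdict>passed|failed)\s+test\s+(?<test>\S+)') {
            [pscustomobject]@{
                Server = $Server
                Target = $Matches.target
                Test   = $Matches.test
                Passed = ($Matches.verdict -eq 'passed')
            }
        }
    }
    [pscustomobject]@{ Results = @($results); Raw = $output }
}

# Enumerate every DC with the DsQuery command from the earlier post (-o rdn gives bare names).
$dcs = @(& dsquery.exe server -o rdn -forest | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ })
New-Item -ItemType Directory -Force -Path $ReportDir | Out-Null
$stamp = Get-Date -Format yyyyMMdd

$summary = foreach ($dc in $dcs) {
    $run = Get-DcdiagResults -Server $dc -TestNames $Tests
    # Keep the full transcript per DC so a failure can be investigated without re-running.
    $run.Raw | Set-Content -Path (Join-Path $ReportDir "$dc-$stamp.txt")
    $run.Results
}

$summary | Format-Table Server, Target, Test, Passed -AutoSize
$failed = @($summary | Where-Object { -not $_.Passed })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) dcdiag test(s) failed; transcripts are in $ReportDir"
    exit 1   # non-zero exit so a scheduled task or monitoring job can alert on it
}
Write-Host "All dcdiag tests passed on $($dcs.Count) domain controller(s)"
```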
#ActiveDirectory #Dcdiag #SysAdmin #WindowsServer #ITPro #TechSupport #ServerHealth #LazyAdmin #ADTroubleshooting #DataCenter
How to Boot a Windows Server 2003 DC into Directory Services Restore Mode (DSRM)

There are times when Active Directory becomes unstable, or you need to perform a “System State” restore. To do this, you must take the Domain Controller offline by booting into Directory Services Restore Mode (DSRM).
In this mode, the server stops functioning as a DC and instead functions as a standalone member server, allowing you to manipulate the AD database files (ntds.dit) while they aren’t in use.
⚠️ The Golden Rule of DSRM: The Password
When you boot into DSRM, Active Directory is not running. This means you cannot log in with your Domain Admin credentials.
You must use the Local Administrator account, and the password is the unique DSRM Password that was set years ago when the server was first promoted to a Domain Controller (via dcpromo).
Tip: If you’ve forgotten this password but the server is still currently running as a DC, you can reset it before rebooting using the set dsrm password command in ntdsutil.
Step-by-Step: Booting into DSRM Locally
If you have physical access (or console access via iDRAC/iLO/vCenter) to the machine, follow these steps:
- Initiate a Restart: Restart the Domain Controller as you normally would.
- The F8 Menu: As soon as the BIOS screen disappears and the Operating System selection menu appears, start tapping the F8 key.
- Advanced Options: You will be presented with the Windows Advanced Options Menu. Use the arrow keys to select Directory Services Restore Mode (Windows domain controllers only) and press Enter.
- Login: Once the Windows login screen appears, log on as the Local Administrator using that specific DSRM password.
What happens in this mode?
- The NTDS service is stopped.
- The server does not respond to authentication requests from users.
- The local SAM (Security Accounts Manager) database handles authentication.
- You can now run ntdsutil or backup software to perform database maintenance or restores.
#ActiveDirectory #DSRM #SysAdmin #WindowsServer #ITPro #TechSupport #ServerAdmin #LazyAdmin #Troubleshooting #LegacyIT
How to Change the Static IP Address of a Windows Domain Controller

Whether you are re-IPing a subnet or moving a server to a new VLAN, changing a Domain Controller’s IP address requires more than just updating the NIC settings. If DNS records don’t update correctly, users won’t be able to log in, and replication will fail.
Prerequisites
- Credentials: You must be a member of the Domain Admins group.
- Access: Log on locally to the system console. If you lose network connectivity during the change, you may need to boot into DSRM to recover.
Step-by-Step: Changing the IP Address
- Open Network Connections: Right-click My Network Places (or Network in newer versions) and click Properties.
- Edit Adapter: Right-click your Local Area Connection and select Properties.
- TCP/IP Settings: Double-click Internet Protocol (TCP/IP).
- Update Addresses:
- Enter the new IP address, Subnet mask, and Default gateway.
- Update the Preferred and Alternate DNS servers.
- Note: Usually, a DC points to itself (127.0.0.1) or a partner DC for DNS.
- WINS (Optional): If your environment still uses WINS, click Advanced > WINS tab and update any static WINS server entries.
- Apply: Click OK until all dialog boxes are closed.
Critical Step: Post-Change Registration
Once the IP is changed, Windows needs to tell the rest of the domain where the DC is now located. Do not skip these commands.
Open a Command Prompt and run:
- Register DNS Records:
ipconfig /registerdns
This forces the DC to update its ‘A’ (Host) record in DNS.
- Fix Service Records:
dcdiag /fix
This ensures that vital SRV records (which clients use to find the DC) are updated to point to the new IP.
Potential Pitfalls: Mapped Drives and Hardcoded IPs
Changing the IP settings won’t affect shared permissions, but it will break any connection made via IP address rather than hostname.
- Avoid This:
net use g: \\192.168.0.199\data
(This breaks after the change.)
- Do This:
net use g: \\DC1\data
(This continues to work regardless of the IP.)
The LazyAdmin Lesson: Always use DNS names (Hostnames) for your resources. It saves you from manual updates every time a server moves!
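An added example (not part of the original post) that checks, from a partner DC's point of view, whether the post-change registration actually took: the A record, the SRV records clients use to locate the DC, the PTR record, and any mapped drives that still use an IP address. It assumes the DnsClient module (Resolve-DnsName, Windows Server 2012 or later); the DC name, domain, addresses and partner DC are placeholders.

```powershell
# Added example (not from the original post): verify that DNS reflects a DC's new address
# after running ipconfig /registerdns and dcdiag /fix. Assumes Resolve-DnsName is available
# (DnsClient module, Server 2012+). All values below are placeholders to replace.
$DcName    = 'DC1'
$Domain    = 'lazyadminblog.com'
$NewIp     = '192.168.10.10'   # the address you just configured on the DC
$DnsServer = '192.168.10.11'   # a partner DC to query, not the DC you just changed

$fqdn = "$DcName.$Domain"
$problems = @()

# 1. The host (A) record on the partner DC must already show the new address and nothing stale.
$a = Resolve-DnsName -Name $fqdn -Type A -Server $DnsServer -ErrorAction SilentlyContinue
$aAddrs = @($a | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
if ($aAddrs -notcontains $NewIp) { $problems += "A record for $fqdn is [$($aAddrs -join ', ')], expected $NewIp" }
if ($aAddrs.Count -gt 1)         { $problems += "Stale extra A record(s) for $fqdn: $($aAddrs -join ', ')" }

# 2. The SRV records clients use to find DCs (LDAP and Kerberos) must still list this DC.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain"
)
foreach ($srv in $srvNames) {
    $recs = Resolve-DnsName -Name $srv -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue
    $targets = @($recs | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget })
    if ($targets -notcontains $fqdn) { $problems += "$srv does not list $fqdn (targets: $($targets -join ', '))" }
}

# 3. Reverse lookup, so logs and tools that resolve the IP back to a name stay consistent.
$ptr = Resolve-DnsName -Name $NewIp -Type PTR -Server $DnsServer -ErrorAction SilentlyContinue
if (-not ($ptr | Where-Object { $_.NameHost -eq $fqdn })) { $problems += "No PTR record maps $NewIp back to $fqdn" }

# 4. The hardcoded-IP pitfall from the post: mapped drives that use an address rather than a name.
$ipDrives = net use 2>$null | Where-Object { $_ -match '\\\\\d{1,3}(\.\d{1,3}){3}\\' }
foreach ($d in $ipDrives) { $problems += "Mapped drive uses an IP address instead of a hostname: $($d.Trim())" }

if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "DNS and mapped-drive checks passed for $fqdn ($NewIp)"
```

Run it against a partner DC rather than the changed one, because a DC answering for itself can look correct while its peers still hold the old records.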
#ActiveDirectory #SysAdmin #WindowsServer #Networking #IPAddress #ITPro #DNS #Troubleshooting #LazyAdmin #ServerAdmin