Jorge's Quest For Knowledge!

All about Windows Server, ADDS, ADFS & ILM/FIM (It is just like an addiction, The more you have, the more you want to have!)

Archive for the ‘PowerShell’ Category

(2012-05-25) Windows PowerShell Support for Windows 8 And Windows Server 2012

Posted by Jorge on 2012-05-25

For a list of all CMDlets added to Windows 8 And Windows Server 2012, see Windows PowerShell Support for Windows Server "8" Beta

-

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
http://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in PowerShell | Leave a Comment »

(2012-03-28) Managing The ‘Protect From Accidental Deletion’ Option On AD Objects Through PowerShell

Posted by Jorge on 2012-03-28

In this post I explain the "Protect From Accidental Deletion" feature that is made accessible through both "Active Directory Users And Computers" and "Active Directory Administrative Center". Under the hood that feature is in reality implemented through a combination of ACEs on objects. If you wanted to script the addition or removal of the protection you had to mess with ACEs, and that was not always a fun thing to do, as it could be quite complex to achieve a simple configuration.

-

Let’s say you want to create and protect the OU "OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB". The OU "OU=TOPLevel,DC=ADCORP,DC=LAB" already exists and is already protected!

-

[1] Using ADMOD and DSACLS

Creating the OU:

  • ADMOD -sc adaou:1;OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB

Adding the protection:

  • DSACLS "OU=TOPLevel,DC=ADCORP,DC=LAB" /D "EVERYONE:DC" (DENY ACE for Everyone to DELETE CHILD with the This object only scope)
  • DSACLS "OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB" /D "EVERYONE:SDDT" (DENY ACE for Everyone to DELETE and DELETE TREE with the This object only scope)

-

[2] Using the Microsoft AD PowerShell CMDlets And Configuring The Correct ACEs

Creating the OU (I know I could use the CMDlet “New-ADOrganizationalUnit”…):

  • $objParent = [ADSI]"LDAP://ADCORP.LAB/OU=TOPLevel,DC=ADCORP,DC=LAB"
  • $objOU = $objParent.Create("organizationalUnit","OU=MyProtectedOU")
  • $objOU.SetInfo()

Adding the protection:

  • Import-Module ActiveDirectory
  • $sidEVERYONE = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
  • $ACLParent = Get-Acl "AD:\OU=TOPLevel,DC=ADCORP,DC=LAB"
  • $ACEParent = $sidEVERYONE,"DeleteChild","Deny"
  • $AccessRuleParent = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $ACEParent
  • $ACLParent.AddAccessRule($AccessRuleParent)
  • Set-Acl -ACLObject $ACLParent -Path "AD:\OU=TOPLevel,DC=ADCORP,DC=LAB"
  • $ACLOU = Get-Acl "AD:\OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB"
  • $ACEOU = $sidEVERYONE,"Delete,DeleteTree","Deny"
  • $AccessRuleOU = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $ACEOU
  • $ACLOU.AddAccessRule($AccessRuleOU)
  • Set-Acl -ACLObject $ACLOU -Path "AD:\OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB"

Removing the protection:

  • Import-Module ActiveDirectory
  • $sidEVERYONE = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
  • $ACLOU = Get-Acl "AD:\OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB"
  • $ACEOU = $sidEVERYONE,"Delete,DeleteTree","Deny"
  • $AccessRuleOU = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $ACEOU
  • $ACLOU.RemoveAccessRule($AccessRuleOU)
  • Set-Acl -ACLObject $ACLOU -Path "AD:\OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB"

-

[3] Using the Microsoft AD PowerShell CMDlets And Using The Exposed Property

Creating the OU:

  • Import-Module ActiveDirectory
  • New-ADOrganizationalUnit -Name 'MyProtectedOU' -Path 'OU=TOPLevel,DC=ADCORP,DC=LAB'

REMARK: when using this CMDlet, the default behavior is to protect the created OU

Adding the protection:

  • Import-Module ActiveDirectory
  • Set-ADOrganizationalUnit "OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB" -ProtectedFromAccidentalDeletion:$true

Removing the protection:

  • Import-Module ActiveDirectory
  • Set-ADOrganizationalUnit "OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB" -ProtectedFromAccidentalDeletion:$false

-

[4] Using the Quest AD PowerShell CMDlets

Creating the OU:

  • Add-PSSnapin Quest.ActiveRoles.ADManagement
  • New-ADOrganizationalUnit -Name 'MyProtectedOU' -Path 'OU=TOPLevel,DC=ADCORP,DC=LAB'

Adding the protection:

  • Add-PSSnapin Quest.ActiveRoles.ADManagement
  • Add-QADPermission -identity 'OU=TOPLevel,DC=ADCORP,DC=LAB' -Deny -Account 'EVERYONE' -Right 'DeleteChild' -ApplyTo ThisObjectOnly
  • Add-QADPermission -identity 'OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB' -Deny -Account 'EVERYONE' -Right 'Delete,DeleteTree' -ApplyTo ThisObjectOnly

Removing the protection:

  • Add-PSSnapin Quest.ActiveRoles.ADManagement
  • Get-QADPermission -identity 'OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB' -Deny -Account 'EVERYONE' -Right 'Delete,DeleteTree' -ApplyTo ThisObjectOnly | Remove-QADPermission
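Methods [2] to [4] above all end up writing the same two Deny ACEs. The following audit function is an added example (not code from the original post) that checks an OU the other way around: it looks for the Deny ACE for Everyone (S-1-1-0) with Delete + DeleteTree on the object itself and the Deny ACE with DeleteChild on its parent, and compares the result with what the ProtectedFromAccidentalDeletion property reports. It assumes the Microsoft ActiveDirectory module and its AD: drive, as used in [2] and [3]; the function names and the DN in the usage line are the post's example values.

```powershell
# Added example: audit the "protect from accidental deletion" state of an OU by
# inspecting the ACEs the feature really consists of. Assumes the Microsoft
# ActiveDirectory module (AD: drive) from the post; function names are my own.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$Everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'

# $true when the ACL on the DN carries a non-inherited Deny ACE for Everyone
# that covers every right in $Rights (inheritance None = "this object only")
function Test-EveryoneDenyAce {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights
    )
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        if ($ace.IsInherited) { continue }
        # IdentityReference is an NTAccount; compare by SID, not by (localised) name
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid -ne $Everyone) { continue }
        if (([int]$ace.ActiveDirectoryRights -band [int]$Rights) -eq [int]$Rights) { return $true }
    }
    return $false
}

# Compares the reported flag with the ACEs on the object and on its parent
function Test-ADDeletionProtection {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Parent DN = everything after the first unescaped comma
    $parentDn = $DistinguishedName -replace '^(?:[^,\\]|\\.)+,', ''
    $flag = (Get-ADObject -Identity $DistinguishedName `
                -Properties ProtectedFromAccidentalDeletion).ProtectedFromAccidentalDeletion
    $objectAce = Test-EveryoneDenyAce -DistinguishedName $DistinguishedName -Rights 'Delete,DeleteTree'
    $parentAce = Test-EveryoneDenyAce -DistinguishedName $parentDn -Rights 'DeleteChild'
    New-Object PSObject -Property @{
        DistinguishedName = $DistinguishedName
        ReportedFlag      = [bool]$flag
        ObjectDenyAce     = $objectAce
        ParentDenyAce     = $parentAce
        # The flag alone does not tell you whether the parent half is in place
        FullyProtected    = ($objectAce -and $parentAce)
    }
}

# Lists every OU in the domain that reports itself as unprotected
function Get-UnprotectedADOrganizationalUnit {
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Select-Object DistinguishedName
}

# Usage, with the DN from the post's example
Test-ADDeletionProtection -DistinguishedName 'OU=MyProtectedOU,OU=TOPLevel,DC=ADCORP,DC=LAB' | Format-List
Get-UnprotectedADOrganizationalUnit
```

The ReportedFlag and ObjectDenyAce columns should always agree; a FullyProtected value of $false while the flag is $true means someone removed the DeleteChild deny on the parent, which is exactly the state the GUI checkbox does not show you.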

-

[5] Adjusting the default security descriptor for OUs

When you create any object, that object receives the default explicit permissions as configured in the AD schema. So, by adjusting the default explicit permissions (a.k.a. the default Security Descriptor) for the organizationalUnit objectClass, any organizational unit created from that point on will receive the new default security descriptor. The change to the default security descriptor can be undone if you so desire! However, just making the change is not enough, as the schema is cached for performance reasons. Any change to the AD schema is refreshed into the cache within five minutes after the change has been committed to the database. If you cannot wait and you want to reload the schema right away, you can follow either of the following procedures:

  1. Start the Active Directory Schema MMC, right-click “Active Directory Schema” and then click “Reload the Schema”
    OR
  2. Add the “schemaUpdateNow” operational attribute to rootDSE with a value of 1

For more detailed information about the schema please see: How the Active Directory Schema Works

-

To adjust the default security descriptor for the organizationalUnit objectClass perform the following steps:

  1. Open ADSIEDIT.MSC and connect to the SCHEMA naming context
  2. Find the object “CN=Organizational-Unit” and adjust the value of the “defaultSecurityDescriptor” property
    1. From the default value:
      1. D:(D;;DCDTSD;;;WD)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(A;;RPLCLORC;;;AU)(A;;LCRPLORC;;;ED)(OA;;CCDC;4828CC14-1437-45bc-9B07-AD6F015E5F28;;AO)
    2. To the custom value (difference with the default has been highlighted in yellow):
      1. D:(D;;DCDTSD;;;WD)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(A;;RPLCLORC;;;AU)(A;;LCRPLORC;;;ED)(OA;;CCDC;4828CC14-1437-45bc-9B07-AD6F015E5F28;;AO)

Figure 1: Adjusting The Default Security Descriptor Of The ObjectClass OrganizationalUnit
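The same adjustment can be scripted. What follows is an added example (not code from the original post): it reads the defaultSecurityDescriptor of the organizationalUnit class, parses the SDDL to tell whether a Deny ACE for Everyone covering DeleteChild, DeleteTree and Delete (the "(D;;DCDTSD;;;WD)" ACE from step 2) is already present, builds the adjusted value without writing it, and only commits through a function that supports -WhatIf. The commit also performs the rootDSE schemaUpdateNow refresh from procedure 2 above. It assumes the Microsoft ActiveDirectory module and that you are connected to the schema master with Schema Admins rights; the function names are my own.

```powershell
# Added example: inspect and adjust the OU class defaultSecurityDescriptor.
# Assumes the Microsoft ActiveDirectory module; run against the schema master.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$Everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'   # "WD" in SDDL
# DC = DeleteChild, DT = DeleteTree, SD = standard Delete in SDDL rights notation
$DeletionRights = [System.DirectoryServices.ActiveDirectoryRights]'DeleteChild,DeleteTree,Delete'

function Get-OUDefaultSecurityDescriptor {
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    (Get-ADObject -Identity "CN=Organizational-Unit,$schemaNc" `
        -Properties defaultSecurityDescriptor).defaultSecurityDescriptor
}

# Parses the SDDL and reports whether a Deny ACE for Everyone covers all three deletion rights
function Test-SddlHasDeletionDeny {
    param([Parameter(Mandatory)][string]$Sddl)
    $rsd = New-Object System.Security.AccessControl.RawSecurityDescriptor $Sddl
    foreach ($ace in $rsd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessDenied) { continue }
        if ($ace.SecurityIdentifier -ne $Everyone) { continue }
        if (($ace.AccessMask -band [int]$DeletionRights) -eq [int]$DeletionRights) { return $true }
    }
    return $false
}

# Returns the SDDL with the deny ACE inserted at the front of the DACL; nothing is written
function Add-DeletionDenyToSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    if (Test-SddlHasDeletionDeny -Sddl $Sddl) { return $Sddl }
    # Keep any DACL control flags (e.g. "D:AI") and place the new ACE right after them
    return ($Sddl -replace '^(D:[A-Z]*)', '$1(D;;DCDTSD;;;WD)')
}

# Commits the new value; -WhatIf previews the change without touching the schema
function Set-OUDefaultSecurityDescriptor {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory)][string]$Sddl)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $dn = "CN=Organizational-Unit,$schemaNc"
    if ($PSCmdlet.ShouldProcess($dn, "Replace defaultSecurityDescriptor")) {
        Set-ADObject -Identity $dn -Replace @{ defaultSecurityDescriptor = $Sddl }
        # Procedure 2 from the text: tell the DC to reload its schema cache now
        $rootDse = [ADSI]"LDAP://RootDSE"
        $rootDse.Put("schemaUpdateNow", 1)
        $rootDse.SetInfo()
    }
}

# Usage: inspect first, then preview the change
$current = Get-OUDefaultSecurityDescriptor
"Deletion deny ACE already present: {0}" -f (Test-SddlHasDeletionDeny -Sddl $current)
Set-OUDefaultSecurityDescriptor -Sddl (Add-DeletionDenyToSddl -Sddl $current) -WhatIf
```

Keep a copy of the value returned by Get-OUDefaultSecurityDescriptor before you commit; that string is all you need to undo the change later.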

-

REMARK: During my testing with Windows Server “8” Beta, I discovered that there is a difference in behavior between ADUC and ADAC if you select to NOT protect the new object while the above custom configuration for the default security descriptor is in place. In ADAC, after the new object has been created/instantiated, it will in addition remove the protection as expected. However, in ADUC it will not be removed as requested. I’m not sure if Microsoft will change this unexpected behavior for ADUC in the official release of Windows Server “8”. Just be aware of this!

-

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), Object Deletion/Restore, PowerShell | 4 Comments »

(2012-02-10) Managing Certificates On A Windows Computer With PowerShell

Posted by Jorge on 2012-02-10

To manage certificates on a computer, you can use the “Certificates” MMC. With that MMC you scope either the (local) computer or the current user or even both. For either scope you will find different certificate stores that contain the different certificates, with or without the private key.

Figure 1: Scoping The Certificates MMC And The Different Certificate Stores For Either Scope

-

Common management tasks are shown in the pictures below.

Figure 2a: Common Management Tasks For Certificates (For Existing Certificates In Stores)

-

Figure 2b: Common Management Tasks For Certificates (For New Certificates)

-

Now this is the way of doing it through the GUI. Can you do this through PowerShell to achieve automation? Yes, you can. I will provide you with examples for a few functions.

-

By default, when starting PowerShell, a few default PowerShell drives (PSDrives) are loaded and available. To view the currently available PSDrives, use the CMDlet “Get-PSDrive”.

Figure 3: PS Drives Loaded And Available Right After Starting PowerShell

-

As you can see there is a PS Drive called “cert”. That’s the one you can use to manage existing certificates through PowerShell. When you issue the PoSH command “dir cert:\” you will see the two available scopes (or locations), including the available stores.

Figure 4: Scopes (Locations) And The Certificate Stores

-

When you issue the PoSH command “dir cert:\LocalMachine” or “dir cert:\CurrentUser”, you will see all the available stores for each scope more clearly.

Figure 5: All The Certificate Stores For Each Scope (Location) (! May Be Different For Another Computer !)

-

When you issue the PoSH command “dir cert:\LocalMachine\<Cert Store>” or “dir cert:\CurrentUser\<Cert Store>”, you will see all the available certificates in that store.

Figure 6: All The Available Certificates In The Personal Store Of The Local Computer

-

Now with this knowledge it is possible to manage those certificates.

-

Exporting Certificates WITHOUT The Private Key

By using the following PoSH commands you can export the certificate to a CER file without the private key, if any.

# Find And Target The Cert Required Based Upon Some Condition
$CertToExport = dir cert:\LocalMachine\My | where {$_.ThumbPrint -eq "EC9498B48CA4E48EB8D5BC557BCFBC09B5A02651"}

# Export The Targeted Cert In Bytes For The CER Format
$CertToExportInBytesForCERFile = $CertToExport.export("Cert")

# Write The File Based Upon The Exported Bytes
[system.IO.file]::WriteAllBytes("D:\Temp\CertToExportCERFile.CER", $CertToExportInBytesForCERFile)

-

Exporting Certificates WITH The Private Key

By using the following PoSH commands you can export the certificate to a PFX file with the private key and protect it with a password.

# Find And Target The Cert Required Based Upon Some Condition
$CertToExport = dir cert:\LocalMachine\My | where {$_.ThumbPrint -eq "EC9498B48CA4E48EB8D5BC557BCFBC09B5A02651"}

# Define Cert Type When Exporting To PFX
$CertType = [System.Security.Cryptography.X509Certificates.X509ContentType]::pfx

# Define The Password To Protect The Private Key
# (ALSO see: http://jorgequestforknowledge.wordpress.com/2011/12/15/passwords-containing-special-characters-in-powershell/)
$PrivateKeyPassword = 'Pa$$w0rd'

# Export The Targeted Cert In Bytes For The PFX Format While Specifying A Password
# REMARK: It Must Be Allowed To Export The Private Key, Otherwise You Will See The Error "Key not valid for use in specified state"
$CertToExportInBytesForPFXFile = $CertToExport.export($CertType, $PrivateKeyPassword)

# Write The File Based Upon The Exported Bytes
[system.IO.file]::WriteAllBytes("D:\Temp\CertToExportPFXFile.PFX", $CertToExportInBytesForPFXFile)

-

Managing The Permissions On The Private Keys

By using the following PoSH commands you can manage the permissions on the private key of a certificate.

# Find And Target The Cert Required Based Upon Some Condition
$CertToAdjustPermissions = dir cert:\LocalMachine\My | where {$_.ThumbPrint -eq "EC9498B48CA4E48EB8D5BC557BCFBC09B5A02651"}

# Possible Values For File System Based Access Rights Are
# * ListDirectory, ReadData, WriteData
# * CreateFiles, CreateDirectories, AppendData
# * ReadExtendedAttributes, WriteExtendedAttributes, Traverse
# * ExecuteFile, DeleteSubdirectoriesAndFiles, ReadAttributes
# * WriteAttributes, Write, Delete
# * ReadPermissions, Read, ReadAndExecute
# * Modify, ChangePermissions, TakeOwnership
# * Synchronize, FullControl

# Specify The User, The Permissions And The Permission Type
$ACE = "ADCORP\ADM.ROOT","Read,Synchronize","Allow"

# Define A New File System Based Access Rule Based Upon The Previous ACE
$AccessRule = new-object System.Security.AccessControl.FileSystemAccessRule $ACE

# The Machine Related (CSP) Keys Can Be Found In The Following Location
$MachineKeysLocation = $env:ALLUSERSPROFILE + "\Microsoft\Crypto\RSA\MachineKeys\"

# Configuring ACE On Private Key Of Targeted Cert To Allow User Account To READ It (EXAMPLE!)
$KeyFileCertToAdjustPermissions = $CertToAdjustPermissions.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$KeyFileLocationCertToAdjustPermissions = $MachineKeysLocation + $KeyFileCertToAdjustPermissions

# Get The Current ACL Of The Private Key
$KeyFileCertToAdjustPermissionsACL = Get-Acl $KeyFileLocationCertToAdjustPermissions

# Add The New ACE To The ACL Of The Private Key
# (SetAccessRule Replaces Any Existing Allow ACE For The Same Account; Use AddAccessRule To Keep Existing Ones)
$KeyFileCertToAdjustPermissionsACL.SetAccessRule($AccessRule)

# Write Back The New ACL
$KeyFileCertToAdjustPermissionsACL | Set-Acl $KeyFileLocationCertToAdjustPermissions
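Once you know where a private key lives you can also answer the reverse question: who can read the keys of all certificates in a store? The following inventory function is an added example (not code from the original post). It walks LocalMachine\My, locates each CSP key container the same way as above (ALLUSERSPROFILE\Microsoft\Crypto\RSA\MachineKeys) and lists the accounts whose Allow ACE includes ReadData on the key file. Certificates whose key is held by CNG expose no .PrivateKey.CspKeyContainerInfo, so the function reports them instead of skipping them silently. The function name and the output layout are my own.

```powershell
# Added example: inventory who can read the private key file behind every
# certificate in a store. Locates CSP machine keys as the post does; CNG keys
# and keys outside MachineKeys are reported rather than skipped.
$MachineKeysLocation = Join-Path $env:ALLUSERSPROFILE "Microsoft\Crypto\RSA\MachineKeys"
$ReadData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Get-PrivateKeyReaders {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in (Get-ChildItem $StorePath)) {
        $result = New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            KeyFile    = $null
            Readers    = @()
            Note       = ''
        }

        if (-not $cert.HasPrivateKey) {
            $result.Note = 'no private key'
            $result
            continue
        }

        # .PrivateKey only knows legacy CSP keys; for CNG keys it is $null or throws
        $csp = $null
        try { $csp = $cert.PrivateKey } catch { $csp = $null }
        if ($csp -eq $null) {
            $result.Note = 'private key held by CNG, not a CSP container'
            $result
            continue
        }

        $keyFile = Join-Path $MachineKeysLocation $csp.CspKeyContainerInfo.UniqueKeyContainerName
        $result.KeyFile = $keyFile
        if (Test-Path $keyFile) {
            # Every Allow ACE that grants ReadData, i.e. can read the key material
            $result.Readers = @(
                (Get-Acl $keyFile).Access |
                    Where-Object { $_.AccessControlType -eq 'Allow' -and
                                   (([int]$_.FileSystemRights -band $ReadData) -ne 0) } |
                    ForEach-Object { $_.IdentityReference.Value }
            )
        } else {
            $result.Note = 'key container not in MachineKeys (user profile or smart card?)'
        }
        $result
    }
}

# Usage: show keys readable by anyone other than SYSTEM and the local Administrators group
Get-PrivateKeyReaders |
    Where-Object { $_.Readers | Where-Object { $_ -notmatch '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators)$' } } |
    Format-Table Subject, Thumbprint, Readers, Note -AutoSize
```

Run it before and after the Set-Acl above to confirm that only the intended account was added; the same listing is a cheap periodic check that no service account has been granted read access to a key it should not have.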

Importing Certificates WITHOUT The Private Key

By using the following PoSH commands you can import the targeted certificate without the private key into the specified store.

# Define The Cert File To Import
$CertFileToImport = "D:\Temp\CertToImportCERFile.CER"

# Target The Cert That Needs To Be Imported
$CertToImport = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFileToImport

# Define The Scope And Certificate Store Within That Scope To Import The Certificate Into
# Available Cert Store Scopes Are "LocalMachine" Or "CurrentUser"
$CertStoreScope = "LocalMachine"
# For Available Cert Store Names See Figure 5 (Depends On Cert Store Scope)
$CertStoreName = "My"
$CertStore = New-Object System.Security.Cryptography.X509Certificates.X509Store $CertStoreName, $CertStoreScope

# Import The Targeted Certificate Into The Specified Cert Store Name Of The Specified Cert Store Scope
$CertStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$CertStore.Add($CertToImport)
$CertStore.Close()

-

You can also find multiple scripts about this here.

-

Importing Certificates WITH The Private Key

By using the following PoSH commands you can import the targeted certificate with the private key into the specified store. For this the password protecting the private key is needed.

# Define The Cert File To Import
$CertFileToImport = "D:\Temp\CertToImportPFXFile.PFX"

# Define The Password That Protects The Private Key
# (ALSO see: http://jorgequestforknowledge.wordpress.com/2011/12/15/passwords-containing-special-characters-in-powershell/)
$PrivateKeyPassword = 'Pa$$w0rd'

# Target The Cert That Needs To Be Imported
$CertToImport = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFileToImport,$PrivateKeyPassword

# Define The Scope And Certificate Store Within That Scope To Import The Certificate Into
# Available Cert Store Scopes Are "LocalMachine" Or "CurrentUser"
$CertStoreScope = "LocalMachine"
# For Available Cert Store Names See Figure 5 (Depends On Cert Store Scope)
$CertStoreName = "My"
$CertStore = New-Object System.Security.Cryptography.X509Certificates.X509Store $CertStoreName, $CertStoreScope

# Import The Targeted Certificate Into The Specified Cert Store Name Of The Specified Cert Store Scope
$CertStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$CertStore.Add($CertToImport)
$CertStore.Close()
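Two things are worth adding to the PFX import when it is going into LocalMachine. First, the X509Certificate2 constructor accepts X509KeyStorageFlags: without MachineKeySet plus PersistKeySet the private key is created in the importing user's key store and is not persisted, so the certificate appears in the machine store while its key is gone once the object is released (the "Key not valid for use in specified state" error mentioned above is one way this shows up later). Second, an import script should pin the certificate it expects rather than accepting whatever a PFX contains. The function below is an added example (not code from the original post) that does both; the thumbprint, paths and password are the post's example values, the function name is my own.

```powershell
# Added example: import a PFX into LocalMachine\My only after verifying it is the
# expected certificate, and persist the key in the machine key set so it survives
# the session. Values in the usage line are the post's example values.
function Import-VerifiedPfx {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$Password,           # mind the quoting note in the post
        [Parameter(Mandatory)][string]$ExpectedThumbprint,
        [string]$StoreName  = 'My',
        [string]$StoreScope = 'LocalMachine'
    )
    # Without these two flags the key ends up in the user's profile and is not persisted
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxPath, $Password, $flags

    # Pin the import to a known certificate (-ne is case-insensitive, as thumbprints should be compared)
    if ($cert.Thumbprint -ne $ExpectedThumbprint) {
        throw "Thumbprint mismatch: PFX contains $($cert.Thumbprint), expected $ExpectedThumbprint"
    }
    if (-not $cert.HasPrivateKey) { throw "PFX did not yield a private key" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $StoreName, $StoreScope
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        # Do not add a duplicate if the certificate is already in the store
        $existing = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
        if ($existing.Count -eq 0) { $store.Add($cert) }
    } finally {
        $store.Close()
    }
    return $cert.Thumbprint
}

# Usage (post's example values)
Import-VerifiedPfx -PfxPath 'D:\Temp\CertToImportPFXFile.PFX' -Password 'Pa$$w0rd' `
    -ExpectedThumbprint 'EC9498B48CA4E48EB8D5BC557BCFBC09B5A02651'
```

After the import, the private key file shows up under MachineKeys and can be given an ACL with the procedure from "Managing The Permissions On The Private Keys" above.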

-

You can also find multiple scripts about this here.

-

So, what else can you use? Is there more than this? Yes, there is!

-

After you install the Quest Active Roles Management Shell For Active Directory (download here), you get lots of additional PowerShell CMDlets to use. To find those, just issue the command “Get-Command *QAD*” or have a look at the reference information. Just download and install the snap-in. To see the available snap-ins issue the command “Get-PSSnapIn -registered”. To import the snap-in issue the command “Add-PSSnapIn Quest.ActiveRoles.ADManagement”. The following CMDlets are available:

-

In addition, after you install the Public Key Infrastructure PowerShell Module available on Codeplex (download here), you get lots of additional PowerShell CMDlets to manage Microsoft Certificate Authorities. Just download and install the module. To see the available modules issue the command “Get-Module -ListAvailable”. To import the module issue the command “Import-Module PKI”. The following PowerShell CMDlets are available:

-

Cheers,

Jorge

Posted in Active Directory Certificate Services (ADCS), PowerShell, Windows Client, Windows Server | Leave a Comment »

(2012-01-29) Exchange Management Console Not Working And Exchange Management Shell Missing In Exchange Server 2010

Posted by Jorge on 2012-01-29

After installing Exchange Server 2010 in my test environment and applying the latest service pack for it (SP2) I got the following error when starting the Exchange Management Console.

Figure 1: Exchange Management Console In Exchange Server 2010 – Failed To Initialize

-

(X) Initialization Failed

The following error occurred while searching for the on-premises Exchange server:

The term ‘C:\Program Files\Microsoft\Exchange Server\V14\Bin\ConnectFunctions.ps1′ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. It was running the command ‘. ‘C:\Program Files\Microsoft\Exchange Server\V14\Bin\ConnectFunctions.ps1”.

-

In addition I saw that the shortcut for the Exchange Management Shell was missing.

Figure 2: Exchange Management Shell For Exchange Server 2010 Missing

-

The solution to both issues is mentioned in the following blog post:

-

Although it mentions SP1, it will also work for SP2.

-

PS: have you seen the Exchange Management Console Troubleshooter? Get it here.

-

Cheers,
Jorge

Posted in Exchange Server, PowerShell | 1 Comment »

(2011-12-15) Passwords Containing Special Characters In PowerShell

Posted by Jorge on 2011-12-15

I was playing with the new PowerShell CMDlets in Windows Server 8 to promote and demote DCs. First of all I must say that this is very very very (Have I already said VERY VERY…) COOL!

While using two new CMDlets I became aware of something I at first was not aware of.

-

To promote an RODC using a staged promotion, in the second stage I used the following command:

Install-ADDSDomainController -DomainName ADCORP.LAB -SafeModeAdministratorPassword $(ConvertTo-SecureString "dsrmPWD!" -AsPlainText -Force) -ApplicationPartitionsToReplicate * -DatabasePath "D:\AD\DB" -LogPath "D:\AD\LOG" -SysvolPath "D:\AD\SYSVOL" -UseExistingAccount -Credential $creds | FL

-

After the promotion I could use the configured “SafeModeAdministratorPassword”. So far so good!

-

After the promotion I tested the demotion CMDlet by using the following command to demote the RODC to a stand alone server:

Uninstall-ADDSDomainController -LocalAdministratorPassword $(ConvertTo-SecureString "Pa$$w0rd" -AsPlainText -Force) | FL

-

Notice the password I used. After the demotion I wanted to log on to the stand-alone server using the account “administrator” with the password “Pa$$w0rd”.

Guess what! It failed!!!! WTF!

To make sure I did not make any typos I tried this again and again and again. It kept failing, damn!

-

After filing this as a bug I discussed this with a Microsoft engineer and he discussed this with the Product Group. He also did some testing and in the end we came to a conclusion! Guess what! BY DESIGN!

-

So what’s up?

-

When using the “ConvertTo-SecureString” CMDlet you need to take into account special characters.

-

If you use the “Read-Host” CMDlet to capture the password you DO NOT need to take into account special characters.

-

So if you want to test your password when using the “ConvertTo-SecureString” CMDlet you can do so by just pasting the password into a PowerShell Command Prompt Window and see what the result is.

For example, if you want the actual password to be (without the double quotes) “dsrmPWD!”, the result is:

Figure 1: The Required Password Must Be “dsrmPWD!” – Correct!

-

For example, if you want the actual password to be (without the double quotes) “Pa$$w0rd”, the result is:

Figure 2: The Required Password Must Be “Pa$$w0rd” – Wrong!

-

For example, if you want the actual password to be (without the double quotes) “Pa$$w0rd”, the result is:

Figure 3: The Required Password Must Be “Pa$$w0rd” – Correct!

-

Figure 4: The Required Password Must Be “Pa$$w0rd” – Correct!

-

In other words….. when considering the use of special characters in PowerShell (in this case the $) you need to EITHER escape them (when using double quotes) as shown in figure 3 OR use single quotes. The single quotes method is more natural and of course less difficult. This is not something new in Windows Server 8 or something, but rather a common thing in the use of PowerShell.
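Rather than pasting the password into a prompt and eyeballing the result, the check can be made explicit. The snippet below is an added example (not code from the original post): it converts each SecureString back to text through the Marshal BSTR calls, compares it case-sensitively with the intended value, and shows the unescaped double-quoted form failing while the escaped form (figure 3) and the single-quoted form (figure 4) pass. The password is the post's example 'Pa$$w0rd'; the function names are my own.

```powershell
# Added example: verify what a SecureString built with ConvertTo-SecureString
# really contains. The unescaped "Pa$$w0rd" expands $$ (last token of the previous
# line) and $w0rd (an undefined variable), so it never equals the intended password.
function ConvertFrom-SecureStringToText {
    param([Parameter(Mandatory)][System.Security.SecureString]$Secure)
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try {
        return [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        # Zero and release the unmanaged copy as soon as it has been read
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

# $true only when the SecureString holds exactly $Expected (case-sensitive compare)
function Test-SecurePassword {
    param(
        [Parameter(Mandatory)][System.Security.SecureString]$Secure,
        [Parameter(Mandatory)][string]$Expected
    )
    (ConvertFrom-SecureStringToText -Secure $Secure) -ceq $Expected
}

$intended = 'Pa$$w0rd'
$candidates = @{
    'double quotes, unescaped' = ConvertTo-SecureString "Pa$$w0rd"   -AsPlainText -Force   # figure 2: wrong
    'double quotes, escaped'   = ConvertTo-SecureString "Pa`$`$w0rd" -AsPlainText -Force   # figure 3: correct
    'single quotes'            = ConvertTo-SecureString 'Pa$$w0rd'   -AsPlainText -Force   # figure 4: correct
}
foreach ($name in $candidates.Keys) {
    "{0,-26} -> {1}" -f $name, (Test-SecurePassword -Secure $candidates[$name] -Expected $intended)
}
```

The same Test-SecurePassword call is a useful guard in a promotion script: check the SecureString against the value you meant to set before handing it to Install-ADDSDomainController or Uninstall-ADDSDomainController, instead of discovering the mismatch at the logon screen.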

-

UPDATE 2011-12-16: The option in figure 4 has been added based upon the comments added to this post. Thanks for the better solution guys!

-

Cheers,

Jorge

Posted in PowerShell | 4 Comments »

(2011-12-14) Active Directory PowerShell Module CMDlets

Posted by Jorge on 2011-12-14

Figure 1: The AD PowerShell Module CMDlets Posted

-

More information about the AD Powershell Module CMDlets:

-

Windows Server 8 provides the following CMDlets to support AD/DCs:

PS C:\> Get-Command | Where-Object{$_.ModuleName -eq "ActiveDirectory"} | Select CommandType,Name,ModuleName | FT -AutoSize

CommandType Name                                                 ModuleName
———– —-                                                 ———-
Cmdlet      Add-ADCentralAccessPolicyMember                      ActiveDirectory
Cmdlet      Add-ADComputerServiceAccount                         ActiveDirectory
Cmdlet      Add-ADDomainControllerPasswordReplicationPolicy      ActiveDirectory
Cmdlet      Add-ADFineGrainedPasswordPolicySubject               ActiveDirectory
Cmdlet      Add-ADGroupMember                                    ActiveDirectory
Cmdlet      Add-ADPrincipalGroupMembership                       ActiveDirectory
Cmdlet      Add-ADResourcePropertyListMember                     ActiveDirectory
Cmdlet      Clear-ADAccountExpiration                            ActiveDirectory
Cmdlet      Clear-ADClaimTransformLink                           ActiveDirectory
Cmdlet      Disable-ADAccount                                    ActiveDirectory
Cmdlet      Disable-ADOptionalFeature                            ActiveDirectory
Cmdlet      Enable-ADAccount                                     ActiveDirectory
Cmdlet      Enable-ADOptionalFeature                             ActiveDirectory
Cmdlet      Get-ADAccountAuthorizationGroup                      ActiveDirectory
Cmdlet      Get-ADAccountResultantPasswordReplicationPolicy      ActiveDirectory
Cmdlet      Get-ADCentralAccessPolicy                            ActiveDirectory
Cmdlet      Get-ADCentralAccessRule                              ActiveDirectory
Cmdlet      Get-ADClaimTransformPolicy                           ActiveDirectory
Cmdlet      Get-ADClaimType                                      ActiveDirectory
Cmdlet      Get-ADComputer                                       ActiveDirectory
Cmdlet      Get-ADComputerServiceAccount                         ActiveDirectory
Cmdlet      Get-ADDCCloningExcludedApplicationList               ActiveDirectory
Cmdlet      Get-ADDefaultDomainPasswordPolicy                    ActiveDirectory
Cmdlet      Get-ADDomain                                         ActiveDirectory
Cmdlet      Get-ADDomainController                               ActiveDirectory
Cmdlet      Get-ADDomainControllerPasswordReplicationPolicy      ActiveDirectory
Cmdlet      Get-ADDomainControllerPasswordReplicationPolicyUsage ActiveDirectory
Cmdlet      Get-ADFineGrainedPasswordPolicy                      ActiveDirectory
Cmdlet      Get-ADFineGrainedPasswordPolicySubject               ActiveDirectory
Cmdlet      Get-ADForest                                         ActiveDirectory
Cmdlet      Get-ADGroup                                          ActiveDirectory
Cmdlet      Get-ADGroupMember                                    ActiveDirectory
Cmdlet      Get-ADObject                                         ActiveDirectory
Cmdlet      Get-ADOptionalFeature                                ActiveDirectory
Cmdlet      Get-ADOrganizationalUnit                             ActiveDirectory
Cmdlet      Get-ADPrincipalGroupMembership                       ActiveDirectory
Cmdlet      Get-ADReplicationAttributeMetadata                   ActiveDirectory
Cmdlet      Get-ADReplicationConnection                          ActiveDirectory
Cmdlet      Get-ADReplicationFailure                             ActiveDirectory
Cmdlet      Get-ADReplicationPartnerMetadata                     ActiveDirectory
Cmdlet      Get-ADReplicationQueueOperation                      ActiveDirectory
Cmdlet      Get-ADReplicationSite                                ActiveDirectory
Cmdlet      Get-ADReplicationSiteLink                            ActiveDirectory
Cmdlet      Get-ADReplicationSiteLinkBridge                      ActiveDirectory
Cmdlet      Get-ADReplicationSubnet                              ActiveDirectory
Cmdlet      Get-ADReplicationUpToDatenessVectorTable             ActiveDirectory
Cmdlet      Get-ADResourceProperty                               ActiveDirectory
Cmdlet      Get-ADResourcePropertyList                           ActiveDirectory
Cmdlet      Get-ADResourcePropertyValueType                      ActiveDirectory
Cmdlet      Get-ADRootDSE                                        ActiveDirectory
Cmdlet      Get-ADServiceAccount                                 ActiveDirectory
Cmdlet      Get-ADTrust                                          ActiveDirectory
Cmdlet      Get-ADUser                                           ActiveDirectory
Cmdlet      Get-ADUserResultantPasswordPolicy                    ActiveDirectory
Cmdlet      Install-ADServiceAccount                             ActiveDirectory
Cmdlet      Move-ADDirectoryServer                               ActiveDirectory
Cmdlet      Move-ADDirectoryServerOperationMasterRole            ActiveDirectory
Cmdlet      Move-ADObject                                        ActiveDirectory
Cmdlet      New-ADCentralAccessPolicy                            ActiveDirectory
Cmdlet      New-ADCentralAccessRule                              ActiveDirectory
Cmdlet      New-ADClaimTransformPolicy                           ActiveDirectory
Cmdlet      New-ADClaimType                                      ActiveDirectory
Cmdlet      New-ADComputer                                       ActiveDirectory
Cmdlet      New-ADFineGrainedPasswordPolicy                      ActiveDirectory
Cmdlet      New-ADGroup                                          ActiveDirectory
Cmdlet      New-ADObject                                         ActiveDirectory
Cmdlet      New-ADOrganizationalUnit                             ActiveDirectory
Cmdlet      New-ADReplicationSite                                ActiveDirectory
Cmdlet      New-ADReplicationSiteLink                            ActiveDirectory
Cmdlet      New-ADReplicationSiteLinkBridge                      ActiveDirectory
Cmdlet      New-ADReplicationSubnet                              ActiveDirectory
Cmdlet      New-ADResourceProperty                               ActiveDirectory
Cmdlet      New-ADResourcePropertyList                           ActiveDirectory
Cmdlet      New-ADServiceAccount                                 ActiveDirectory
Cmdlet      New-ADUser                                           ActiveDirectory
Cmdlet      Remove-ADCentralAccessPolicy                         ActiveDirectory
Cmdlet      Remove-ADCentralAccessPolicyMember                   ActiveDirectory
Cmdlet      Remove-ADCentralAccessRule                           ActiveDirectory
Cmdlet      Remove-ADClaimTransformPolicy                        ActiveDirectory
Cmdlet      Remove-ADClaimType                                   ActiveDirectory
Cmdlet      Remove-ADComputer                                    ActiveDirectory
Cmdlet      Remove-ADComputerServiceAccount                      ActiveDirectory
Cmdlet      Remove-ADDomainControllerPasswordReplicationPolicy   ActiveDirectory
Cmdlet      Remove-ADFineGrainedPasswordPolicy                   ActiveDirectory
Cmdlet      Remove-ADFineGrainedPasswordPolicySubject            ActiveDirectory
Cmdlet      Remove-ADGroup                                       ActiveDirectory
Cmdlet      Remove-ADGroupMember                                 ActiveDirectory
Cmdlet      Remove-ADObject                                      ActiveDirectory
Cmdlet      Remove-ADOrganizationalUnit                          ActiveDirectory
Cmdlet      Remove-ADPrincipalGroupMembership                    ActiveDirectory
Cmdlet      Remove-ADReplicationSite                             ActiveDirectory
Cmdlet      Remove-ADReplicationSiteLink                         ActiveDirectory
Cmdlet      Remove-ADReplicationSiteLinkBridge                   ActiveDirectory
Cmdlet      Remove-ADReplicationSubnet                           ActiveDirectory
Cmdlet      Remove-ADResourceProperty                            ActiveDirectory
Cmdlet      Remove-ADResourcePropertyList                        ActiveDirectory
Cmdlet      Remove-ADResourcePropertyListMember                  ActiveDirectory
Cmdlet      Remove-ADServiceAccount                              ActiveDirectory
Cmdlet      Remove-ADUser                                        ActiveDirectory
Cmdlet      Rename-ADObject                                      ActiveDirectory
Cmdlet      Reset-ADServiceAccountPassword                       ActiveDirectory
Cmdlet      Restore-ADObject                                     ActiveDirectory
Cmdlet      Search-ADAccount                                     ActiveDirectory
Cmdlet      Set-ADAccountControl                                 ActiveDirectory
Cmdlet      Set-ADAccountExpiration                              ActiveDirectory
Cmdlet      Set-ADAccountPassword                                ActiveDirectory
Cmdlet      Set-ADCentralAccessPolicy                            ActiveDirectory
Cmdlet      Set-ADCentralAccessRule                              ActiveDirectory
Cmdlet      Set-ADClaimTransformLink                             ActiveDirectory
Cmdlet      Set-ADClaimTransformPolicy                           ActiveDirectory
Cmdlet      Set-ADClaimType                                      ActiveDirectory
Cmdlet      Set-ADComputer                                       ActiveDirectory
Cmdlet      Set-ADDefaultDomainPasswordPolicy                    ActiveDirectory
Cmdlet      Set-ADDomain                                         ActiveDirectory
Cmdlet      Set-ADDomainMode                                     ActiveDirectory
Cmdlet      Set-ADFineGrainedPasswordPolicy                      ActiveDirectory
Cmdlet      Set-ADForest                                         ActiveDirectory
Cmdlet      Set-ADForestMode                                     ActiveDirectory
Cmdlet      Set-ADGroup                                          ActiveDirectory
Cmdlet      Set-ADObject                                         ActiveDirectory
Cmdlet      Set-ADOrganizationalUnit                             ActiveDirectory
Cmdlet      Set-ADReplicationConnection                          ActiveDirectory
Cmdlet      Set-ADReplicationSite                                ActiveDirectory
Cmdlet      Set-ADReplicationSiteLink                            ActiveDirectory
Cmdlet      Set-ADReplicationSiteLinkBridge                      ActiveDirectory
Cmdlet      Set-ADReplicationSubnet                              ActiveDirectory
Cmdlet      Set-ADResourceProperty                               ActiveDirectory
Cmdlet      Set-ADResourcePropertyList                           ActiveDirectory
Cmdlet      Set-ADServiceAccount                                 ActiveDirectory
Cmdlet      Set-ADUser                                           ActiveDirectory
Cmdlet      Sync-ADObject                                        ActiveDirectory
Cmdlet      Test-ADServiceAccount                                ActiveDirectory
Cmdlet      Uninstall-ADServiceAccount                           ActiveDirectory
Cmdlet      Unlock-ADAccount                                     ActiveDirectory

-

PS C:\> Get-Command | Where-Object{$_.ModuleName -eq "ADDSDeployment"} | Select CommandType,Name,ModuleName | FT -AutoSize

CommandType Name                                                        ModuleName
----------- ----                                                        ----------
Function    Get-ActiveDirectoryDomainNames                              ADDSDeployment
Function    Get-ActiveDirectorySiteNames                                ADDSDeployment
Function    Invoke-ADDSCanContactOtherDCsinDomain                       ADDSDeployment
Function    Invoke-ADDSDoesDCHostOperationMasterRole                    ADDSDeployment
Function    Invoke-ADDSDoesDNSDelegationForThisMachineExistInParentZone ADDSDeployment
Function    Invoke-ADDSDoesDomainNamingContextExist                     ADDSDeployment
Function    Invoke-ADDSGetAllowedRodcReplicationAccounts                ADDSDeployment
Function    Invoke-ADDSGetApplicationPartitionsInForest                 ADDSDeployment
Function    Invoke-ADDSGetDatabaseFacts                                 ADDSDeployment
Function    Invoke-ADDSGetDefaultDNSOption                              ADDSDeployment
Function    Invoke-ADDSGetDefaultSiteName                               ADDSDeployment
Function    Invoke-ADDSGetDeniedRodcReplicationAccounts                 ADDSDeployment
Function    Invoke-ADDSGetDnsDelegationOptions                          ADDSDeployment
Function    Invoke-ADDSGetDomainControllersInDomain                     ADDSDeployment
Function    Invoke-ADDSGetExistingDCAccountInfo                         ADDSDeployment
Function    Invoke-ADDSGetForestFunctionalLevel                         ADDSDeployment
Function    Invoke-ADDSGetGeneratedNetbiosName                          ADDSDeployment
Function    Invoke-ADDSGetNDNCListWithNoOtherReplicas                   ADDSDeployment
Function    Invoke-ADDSGetSuitableHelperDomainController                ADDSDeployment
Function    Invoke-ADDSIsDc                                             ADDSDeployment
Function    Invoke-ADDSIsRodc                                           ADDSDeployment
Function    Invoke-ExpandEnvironmentVariables                           ADDSDeployment
Function    Restart-DeploymentTarget                                    ADDSDeployment
Function    Test-VerifyADPrepCredential                                 ADDSDeployment
Function    Test-VerifyAppPartitionRemoval                              ADDSDeployment
Function    Test-VerifyAvailableWinDirSpace                             ADDSDeployment
Function    Test-VerifyCertServiceExists                                ADDSDeployment
Function    Test-VerifyChild                                            ADDSDeployment
Function    Test-VerifyComputerName                                     ADDSDeployment
Function    Test-VerifyComputerWasRenamedAndNeedsReboot                 ADDSDeployment
Function    Test-VerifyCurrentUserIsAdministrator                       ADDSDeployment
Function    Test-VerifyDCServiceAvailableForDemotion                    ADDSDeployment
Function    Test-VerifyDemote                                           ADDSDeployment
Function    Test-VerifyDnsConfigOptions                                 ADDSDeployment
Function    Test-VerifyDnsDelegationRemoval                             ADDSDeployment
Function    Test-VerifyDnsRegistration                                  ADDSDeployment
Function    Test-VerifyDomainUpgradeStatus                              ADDSDeployment
Function    Test-VerifyForestName                                       ADDSDeployment
Function    Test-VerifyForestUpgradeStatus                              ADDSDeployment
Function    Test-VerifyFsmoForceRemoval                                 ADDSDeployment
Function    Test-VerifyInfrastructureMasterOnline                       ADDSDeployment
Function    Test-VerifyIsComputerNameValid                              ADDSDeployment
Function    Test-VerifyMachineAdminPassword                             ADDSDeployment
Function    Test-VerifyNamingMasterOnline                               ADDSDeployment
Function    Test-VerifyNetBiosName                                      ADDSDeployment
Function    Test-VerifyNotInSafeBootMode                                ADDSDeployment
Function    Test-VerifyNtfs5DriveAvailable                              ADDSDeployment
Function    Test-VerifyPaths                                            ADDSDeployment
Function    Test-VerifyReplica                                          ADDSDeployment
Function    Test-VerifyReplicateFromMedia                               ADDSDeployment
Function    Test-VerifyReplicationPartner                               ADDSDeployment
Function    Test-VerifyRequiredPortsAreAvailable                        ADDSDeployment
Function    Test-VerifyRODCUpgradeStatus                                ADDSDeployment
Function    Test-VerifySafeModePassword                                 ADDSDeployment
Function    Test-VerifySchemaMasterOnline                               ADDSDeployment
Function    Test-VerifySelectedDcAccount                                ADDSDeployment
Function    Test-VerifySiteSelection                                    ADDSDeployment
Function    Test-VerifySupportedPlatform                                ADDSDeployment
Function    Test-VerifyTcpIPIsInstalledAndFunctioning                   ADDSDeployment
Function    Test-VerifyTree                                             ADDSDeployment
Function    Test-VerifyUserCredentialPermissions                        ADDSDeployment
Function    Test-VerifyUserCredentials                                  ADDSDeployment
Function    Test-VerifyValidRoleChangeState                             ADDSDeployment
Cmdlet      Add-ADDSReadOnlyDomainControllerAccount                     ADDSDeployment
Cmdlet      Install-ADDSDomain                                          ADDSDeployment
Cmdlet      Install-ADDSDomainController                                ADDSDeployment
Cmdlet      Install-ADDSForest                                          ADDSDeployment
Cmdlet      Test-ADDSDomainControllerInstallation                       ADDSDeployment
Cmdlet      Test-ADDSDomainControllerUninstallation                     ADDSDeployment
Cmdlet      Test-ADDSDomainInstallation                                 ADDSDeployment
Cmdlet      Test-ADDSForestInstallation                                 ADDSDeployment
Cmdlet      Test-ADDSReadOnlyDomainControllerAccountCreation            ADDSDeployment
Cmdlet      Uninstall-ADDSDomainController                              ADDSDeployment

-

PS C:\> Get-Command | Where-Object{$_.ModuleName -eq "ADDeploymentWF"} | Select CommandType,Name,ModuleName | FT -AutoSize

CommandType Name             ModuleName
----------- ----             ----------
Function    Invoke-ADCommand ADDeploymentWF

-

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), Beta/RC Stuff, PowerShell, Windows Server | 2 Comments »

(2011-12-13) PowerShell Modules In Windows Server 8

Posted by Jorge on 2011-12-13

A few years ago Microsoft started to introduce PowerShell in a few of its products. Nowadays more and more products support PowerShell and have either their own module or snap-in. With Windows Server 8 Microsoft introduces even more PowerShell modules to support all kinds of features within the OS. Well, see for yourself below; I particularly like the modules marked in yellow in the figure.

-


Figure 1: The PowerShell Modules In Windows Server 8 (Dev Preview)

Name                     : ActiveDirectory
ExportedCommands : {[Get-ADRootDSE, Get-ADRootDSE], [New-ADObject, New-ADObject], [Rename-ADObject, Rename-ADObject], [Move-ADObject, Move-ADObject]…}

Name                     : ADDeploymentWF
ExportedCommands : {[Invoke-ADCommand, Invoke-ADCommand]}

Name                     : ADDSDeployment
ExportedCommands : {[Add-ADDSReadOnlyDomainControllerAccount, Add-ADDSReadOnlyDomainControllerAccount], [Install-ADDSForest, Install-ADDSForest],
                   [Install-ADDSDomain, Install-ADDSDomain], [Install-ADDSDomainController, Install-ADDSDomainController]…}

Name                     : AppLocker
ExportedCommands : {[Set-AppLockerPolicy, Set-AppLockerPolicy], [Get-AppLockerPolicy, Get-AppLockerPolicy], [Test-AppLockerPolicy, Test-AppLockerPolicy],
                   [Get-AppLockerFileInformation, Get-AppLockerFileInformation]…}

Name                     : Appx
ExportedCommands : {[Add-AppxPackage, Add-AppxPackage], [Get-AppxPackageManifest, Get-AppxPackageManifest], [Get-AppxPackage, Get-AppxPackage],
                   [Remove-AppxPackage, Remove-AppxPackage]…}

Name                     : BestPractices
ExportedCommands : {[Get-BpaModel, Get-BpaModel], [Invoke-BpaModel, Invoke-BpaModel], [Get-BpaResult, Get-BpaResult], [Set-BpaResult, Set-BpaResult]}

Name                     : BitsTransfer
ExportedCommands : {[Add-BitsFile, Add-BitsFile], [Remove-BitsTransfer, Remove-BitsTransfer], [Complete-BitsTransfer, Complete-BitsTransfer],
                   [Get-BitsTransfer, Get-BitsTransfer]…}

Name                     : BranchCache
ExportedCommands : {[Add-BCDataCacheExtension, Add-BCDataCacheExtension], [Clear-BCCache, Clear-BCCache], [Disable-BC, Disable-BC], [Disable-BCDowngrading,
                   Disable-BCDowngrading]…}

Name                     : CimCmdlets
ExportedCommands : {[Get-CimInstance, Get-CimInstance], [Get-CimSession, Get-CimSession], [New-CimSession, New-CimSession], [New-CimSessionOption,
                   New-CimSessionOption]…}

Name                     : ClusterAwareUpdating
ExportedCommands : {[Get-CauPlugin, Get-CauPlugin], [Register-CauPlugin, Register-CauPlugin], [Unregister-CauPlugin, Unregister-CauPlugin], [Invoke-CauScan,
                   Invoke-CauScan]…}

Name                     : DirectAccessClientComponents
ExportedCommands : {[Get-DASiteTableEntry, Get-DASiteTableEntry], [Set-DASiteTableEntry, Set-DASiteTableEntry], [Remove-DASiteTableEntry,
                   Remove-DASiteTableEntry], [Reset-DASiteTableEntry, Reset-DASiteTableEntry]…}

Name                     : Dism
ExportedCommands : {[Apply-Unattend, Apply-Unattend]}

Name                     : DnsClient
ExportedCommands : {[Resolve-DnsName, Resolve-DnsName], [Get-DNSClient, Get-DNSClient], [Set-DNSClient, Set-DNSClient], [Get-DNSClientCache,
                   Get-DNSClientCache]…}

Name                     : DnsConfig
ExportedCommands : {[Get-DNSClient, Get-DNSClient], [Set-DNSClient, Set-DNSClient], [Get-DNSClientCache, Get-DNSClientCache], [Clear-DNSClientCache,
                   Clear-DNSClientCache]…}

Name                     : DnsLookup
ExportedCommands : {[Resolve-DnsName, Resolve-DnsName]}

Name                     : DnsNrpt
ExportedCommands : {[Get-DnsClientEffectiveNrptPolicy, Get-DnsClientEffectiveNrptPolicy], [Get-DnsClientNrptGlobal, Get-DnsClientNrptGlobal],
                   [Set-DnsClientNrptGlobal, Set-DnsClientNrptGlobal], [Add-DnsClientNrptRule, Add-DnsClientNrptRule]…}

Name                     : DnsServer
ExportedCommands : {[Clear-DnsServerCache, Clear-DnsServerCache], [Get-DnsServerCache, Get-DnsServerCache], [Set-DnsServerCache, Set-DnsServerCache],
                   [Show-DnsServerCache, Show-DnsServerCache]…}

Name                     : FailoverClusters
ExportedCommands : {[Add-ClusterCheckpoint, Add-ClusterCheckpoint], [Add-ClusterDisk, Add-ClusterDisk], [Add-ClusterFileServerRole,
                   Add-ClusterFileServerRole], [Add-ClusterGenericApplicationRole, Add-ClusterGenericApplicationRole]…}

Name                     : FileServer
ExportedCommands : {[Get-SmbShareWF, Get-SmbShareWF], [Get-FsrmQuotaWF, Get-FsrmQuotaWF], [Get-IscsiServerTargetWF, Get-IscsiServerTargetWF],
                   [Get-IscsiVirtualDiskWF, Get-IscsiVirtualDiskWF]…}

Name                     : GroupPolicy
ExportedCommands : {[Backup-GPO, Backup-GPO], [Copy-GPO, Copy-GPO], [Get-GPInheritance, Get-GPInheritance], [Get-GPO, Get-GPO]…}

Name                     : iSCSI
ExportedCommands : {[Connect-iSCSIDiscoveredTarget, Connect-iSCSIDiscoveredTarget], [Disconnect-iSCSIDiscoveredTarget, Disconnect-iSCSIDiscoveredTarget],
                   [Get-iSCSIConnection, Get-iSCSIConnection], [Get-iSCSIPersistentTarget, Get-iSCSIPersistentTarget]…}

Name                     : KdsCmdlets
ExportedCommands : {[Get-KdsRootKey, Get-KdsRootKey], [Add-KdsRootKey, Add-KdsRootKey], [Test-KdsRootKey, Test-KdsRootKey], [Get-KdsConfiguration,
                   Get-KdsConfiguration]…}

Name                     : Microsoft.PowerShell.Core
ExportedCommands : {[Get-Command, Get-Command], [Get-Help, Get-Help], [Update-Help, Update-Help], [Save-Help, Save-Help]…}

Name                     : Microsoft.PowerShell.Diagnostics
ExportedCommands : {[Get-WinEvent, Get-WinEvent], [Get-Counter, Get-Counter], [Import-Counter, Import-Counter], [Export-Counter, Export-Counter]…}

Name                     : Microsoft.PowerShell.Host
ExportedCommands : {[Start-Transcript, Start-Transcript], [Stop-Transcript, Stop-Transcript]}

Name                     : Microsoft.PowerShell.Management
ExportedCommands : {[Add-Content, Add-Content], [Clear-Content, Clear-Content], [Clear-ItemProperty, Clear-ItemProperty], [Join-Path, Join-Path]…}

Name                     : Microsoft.PowerShell.Security
ExportedCommands : {[Get-Acl, Get-Acl], [Set-Acl, Set-Acl], [Get-PfxCertificate, Get-PfxCertificate], [Get-Credential, Get-Credential]…}

Name                     : Microsoft.PowerShell.Utility
ExportedCommands : {[Format-List, Format-List], [Format-Custom, Format-Custom], [Format-Table, Format-Table], [Format-Wide, Format-Wide]…}

Name                     : Microsoft.WSMan.Management
ExportedCommands : {[Disable-WSManCredSSP, Disable-WSManCredSSP], [Enable-WSManCredSSP, Enable-WSManCredSSP], [Get-WSManCredSSP, Get-WSManCredSSP],
                   [Set-WSManQuickConfig, Set-WSManQuickConfig]…}

Name                     : MicrosoftiSCSITarget
ExportedCommands : {[Add-IscsiVirtualDiskTargetMapping, Add-IscsiVirtualDiskTargetMapping], [Checkpoint-IscsiVirtualDisk, Checkpoint-IscsiVirtualDisk],
                   [Dismount-IscsiVirtualDiskSnapshot, Dismount-IscsiVirtualDiskSnapshot], [Expand-IscsiVirtualDisk, Expand-IscsiVirtualDisk]…}

Name                     : MsDtc
ExportedCommands : {[New-DtcDiagnosticTransaction, New-DtcDiagnosticTransaction], [Complete-DtcDiagnosticTransaction, Complete-DtcDiagnosticTransaction],
                   [Join-DtcDiagnosticResourceManager, Join-DtcDiagnosticResourceManager], [Receive-DtcDiagnosticTransaction,
                   Receive-DtcDiagnosticTransaction]…}

Name                     : NetAdapter
ExportedCommands : {[Rename-NetAdapter, Rename-NetAdapter], [Set-NetAdapter, Set-NetAdapter], [Get-NetAdapter, Get-NetAdapter], [Enable-NetAdapter,
                   Enable-NetAdapter]…}

Name                     : NetLbfo
ExportedCommands : {[Get-NetLbfoTeam, Get-NetLbfoTeam], [Remove-NetLbfoTeam, Remove-NetLbfoTeam], [Set-NetLbfoTeam, Set-NetLbfoTeam], [New-NetLbfoTeam,
                   New-NetLbfoTeam]…}

Name                     : NetQos
ExportedCommands : {[Get-NetQosPolicy, Get-NetQosPolicy], [Set-NetQosPolicy, Set-NetQosPolicy], [Remove-NetQosPolicy, Remove-NetQosPolicy], [New-NetQosPolicy,
                   New-NetQosPolicy]}

Name                     : NetSwitchTeam
ExportedCommands : {[Get-NetSwitchTeam, Get-NetSwitchTeam], [Remove-NetSwitchTeam, Remove-NetSwitchTeam], [New-NetSwitchTeam, New-NetSwitchTeam],
                   [Rename-NetSwitchTeam, Rename-NetSwitchTeam]…}

Name                     : NetTCPIP
ExportedCommands : {[Get-NetIPAddress, Get-NetIPAddress], [Set-NetIPAddress, Set-NetIPAddress], [Remove-NetIPAddress, Remove-NetIPAddress], [New-NetIPAddress,
                   New-NetIPAddress]…}

Name                     : netwnv
ExportedCommands : {[New-NetVirtualizationAddress, New-NetVirtualizationAddress], [Get-NetVirtualizationAddress, Get-NetVirtualizationAddress],
                   [Remove-NetVirtualizationAddress, Remove-NetVirtualizationAddress], [Get-NetVirtualizationGlobal, Get-NetVirtualizationGlobal]…}

Name                     : NetworkConnectivityStatus
ExportedCommands : {[Get-DAConnectionStatus, Get-DAConnectionStatus], [Get-NCSIPolicyConfiguration, Get-NCSIPolicyConfiguration],
                   [Set-NCSIPolicyConfiguration, Set-NCSIPolicyConfiguration], [Reset-NCSIPolicyConfiguration, Reset-NCSIPolicyConfiguration]}

Name                     : NetworkSecurity
ExportedCommands : {[New-NetAuthenticationProposal, New-NetAuthenticationProposal], [New-NetMainModeCryptoProposal, New-NetMainModeCryptoProposal],
                   [New-NetQuickModeCryptoProposal, New-NetQuickModeCryptoProposal], [Get-DAPolicyChange, Get-DAPolicyChange]}

Name                     : NetworkTransition
ExportedCommands : {[Get-Net6to4Configuration, Get-Net6to4Configuration], [Set-Net6to4Configuration, Set-Net6to4Configuration], [Reset-Net6to4Configuration,
                   Reset-Net6to4Configuration], [Get-Net6to4State, Get-Net6to4State]…}

Name                     : PKIClient
ExportedCommands : {[Get-AutoEnrollmentPolicy, Get-AutoEnrollmentPolicy], [Set-AutoEnrollmentPolicy, Set-AutoEnrollmentPolicy], [Export-Certificate,
                   Export-Certificate], [Import-Certificate, Import-Certificate]…}

Name                     : PrintManagement
ExportedCommands : {[Get-Printer, Get-Printer], [Remove-Printer, Remove-Printer], [Set-Printer, Set-Printer], [Add-Printer, Add-Printer]…}

Name                     : PS_MMAgent
ExportedCommands : {[Disable-MMAgent, Disable-MMAgent], [Enable-MMAgent, Enable-MMAgent], [Set-MMAgent, Set-MMAgent]}

Name                     : PSDiagnostics
ExportedCommands : {[Start-Trace, Start-Trace], [Stop-Trace, Stop-Trace], [Enable-WSManTrace, Enable-WSManTrace], [Disable-WSManTrace, Disable-WSManTrace]…}

Name                     : PSScheduledJob
ExportedCommands : {[New-JobTrigger, New-JobTrigger], [Add-JobTrigger, Add-JobTrigger], [Remove-JobTrigger, Remove-JobTrigger], [Get-JobTrigger,
                   Get-JobTrigger]…}

Name                     : PSWorkflow
ExportedCommands : {[Import-PSWorkflow, Import-PSWorkflow], [New-PSWorkflowExecutionOption, New-PSWorkflowExecutionOption]}

Name                     : RDManagement
ExportedCommands : {[Grant-OrgUnitAccess, Grant-OrgUnitAccess], [Test-OrgUnitAccess, Test-OrgUnitAccess], [Restart-ComputersAndBlock,
                   Restart-ComputersAndBlock], [Export-MasterVirtualMachine, Export-MasterVirtualMachine]…}

Name                     : ScheduledTasks
ExportedCommands : {[New-JobTrigger, New-JobTrigger], [Add-JobTrigger, Add-JobTrigger], [Remove-JobTrigger, Remove-JobTrigger], [Get-JobTrigger,
                   Get-JobTrigger]…}

Name                     : SecureBoot
ExportedCommands : {[Confirm-SecureBootUEFI, Confirm-SecureBootUEFI], [Set-SecureBootUEFI, Set-SecureBootUEFI], [Get-SecureBootUEFI, Get-SecureBootUEFI],
                   [Format-SecureBootUEFI, Format-SecureBootUEFI]…}

Name                     : ServerManager
ExportedCommands : {[Add-WindowsFeature, Add-WindowsFeature], [Remove-WindowsFeature, Remove-WindowsFeature]}

Name                     : ServerManagerShell
ExportedCommands : {[WFAddRemoveServerComponentAsync, WFAddRemoveServerComponentAsync], [WFGetAlterationState, WFGetAlterationState], [WFGetGuid, WFGetGuid],
                   [WFGetCimGuid, WFGetCimGuid]…}

Name                     : SmbShare
ExportedCommands : {[Get-SmbShare, Get-SmbShare], [Remove-SmbShare, Remove-SmbShare], [Set-SmbShare, Set-SmbShare], [Block-SmbShareAccess,
                   Block-SmbShareAccess]…}

Name                     : SmbWitness
ExportedCommands : {[Get-SmbWitnessCluster, Get-SmbWitnessCluster], [Get-SmbWitnessClusterClient, Get-SmbWitnessClusterClient], [Move-SmbWitnessClusterClient,
                   Move-SmbWitnessClusterClient], [Get-SmbWitnessClusterResource, Get-SmbWitnessClusterResource]}

Name                     : Storage
ExportedCommands : {[Add-InitiatorIdToMaskingSet, Add-InitiatorIdToMaskingSet], [Add-PartitionAccessPath, Add-PartitionAccessPath], [Add-PhysicalDisk,
                   Add-PhysicalDisk], [Add-TargetPortToMaskingSet, Add-TargetPortToMaskingSet]…}

Name                     : TelemetryManagement
ExportedCommands : {[Set-CEIP, Set-CEIP], [Set-WER, Set-WER]}

Name                     : TroubleshootingPack
ExportedCommands : {[Get-TroubleshootingPack, Get-TroubleshootingPack], [Invoke-TroubleshootingPack, Invoke-TroubleshootingPack]}

Name                     : TrustedPlatformModule
ExportedCommands : {[Get-Tpm, Get-Tpm], [Initialize-Tpm, Initialize-Tpm], [Clear-Tpm, Clear-Tpm], [Unblock-Tpm, Unblock-Tpm]…}

Name                     : UserAccessLogging
ExportedCommands : {[Enable-Ual, Enable-Ual], [Disable-Ual, Disable-Ual], [Get-Ual, Get-Ual], [Get-UalDhcp, Get-UalDhcp]…}

Name                     : Wdac
ExportedCommands : {[Get-OdbcDriver, Get-OdbcDriver], [Set-OdbcDriver, Set-OdbcDriver], [Get-OdbcDsn, Get-OdbcDsn], [Add-OdbcDsn, Add-OdbcDsn]…}

Name                     : Whea
ExportedCommands : {[Get-WheaMemoryPolicy, Get-WheaMemoryPolicy], [Set-WheaMemoryPolicy, Set-WheaMemoryPolicy]}

-

Cheers,
Jorge

Posted in Beta/RC Stuff, PowerShell, Windows Server | 1 Comment »

(2011-12-12) The Active Directory Web Service (ADWS)

Posted by Jorge on 2011-12-12

Windows Server 2008 R2 (W2K8R2) introduces a new service called the “Active Directory Web Service (ADWS)” to support remote management of running directory service instances through the WS-* protocols. The AD PowerShell module (also see: Active Directory Administration with Windows PowerShell and the Active Directory PowerShell Blog) and the Active Directory Administrative Center (ADAC) are components that require ADWS. ADWS is installed automatically when either promoting a W2K8R2 server to a DC (both RWDC and RODC) or installing the first ADLDS instance on a W2K8R2 server. It also supports directory service instances loaded with DSAMAIN (only on W2K8R2, not on W2K8!). To find a W2K8R2 DC/server with ADWS installed, the DC locator uses a special flag called “DS_WEB_SERVICE_REQUIRED”. The machine where the AD PowerShell module is executed or where ADAC is started communicates with the DC/server running ADWS over TCP:9389.

Of course it is possible to have the RSAT installed on a Win7 workstation or a W2K8R2 member server while your AD infrastructure is still running on W2K3 or W2K8. To support both scenarios Microsoft released an out-of-band version of the ADWS, which can be downloaded from here.
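A quick check of the three things described above (a DC that advertises ADWS to the DC locator, TCP:9389 reachable, and the ADWS service running), as an added PowerShell example that is not code from the original post. It assumes Windows PowerShell with nltest.exe available and the right to query services on the DC remotely; the function name is my own.

```powershell
# Added example, not code from the original post. Uses only what a W2K8R2/Win7 box
# with RSAT already has: nltest.exe for the DC locator, .NET TcpClient for the port
# probe, and Get-Service (Windows PowerShell; -ComputerName is not in PS 6+).
# Assumption: the caller may query services remotely on the DC.
function Test-AdwsEndpoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$DomainName,
        [int]$Port = 9389,        # the port ADWS listens on
        [int]$TimeoutMs = 3000
    )

    # 1) Ask the DC locator for a DC that advertises ADWS. nltest's /WS switch sets
    #    the DS_WEB_SERVICE_REQUIRED flag; /FORCE bypasses the locator cache.
    $locatorOutput = & nltest.exe "/dsgetdc:$DomainName" /WS /FORCE 2>&1
    $dc = $null
    foreach ($line in $locatorOutput) {
        # The matching output line looks like:  "           DC: \\dc1.adcorp.lab"
        if ("$line" -match '^\s*DC:\s*\\\\(\S+)') { $dc = $Matches[1]; break }
    }

    $result = [PSCustomObject]@{
        Domain       = $DomainName
        AdwsDC       = $dc
        LocatorFound = [bool]$dc
        PortOpen     = $false
        ServiceState = $null
        Healthy      = $false
    }
    if (-not $dc) { return $result }   # no DC in this domain advertises ADWS

    # 2) Probe TCP 9389 with a timeout (Test-NetConnection does not exist on W2K8R2).
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($dc, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($async)
            $result.PortOpen = $client.Connected
        }
    } catch {
        $result.PortOpen = $false
    } finally {
        $client.Close()
    }

    # 3) Confirm the "Active Directory Web Services" service (short name ADWS) is running.
    $svc = Get-Service -ComputerName $dc -Name ADWS -ErrorAction SilentlyContinue
    $result.ServiceState = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }

    $result.Healthy = $result.PortOpen -and ($result.ServiceState -eq 'Running')
    return $result
}

# Usage (domain name taken from the examples elsewhere on this blog):
# Test-AdwsEndpoint -DomainName 'adcorp.lab' | Format-List
```

If LocatorFound is $true but PortOpen is $false, look at a firewall between the client and the DC before suspecting ADWS itself.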

-

To install the out-of-band version of the ADWS on W2K3 you must meet the following requirements:

-


Figure 1: The Network Trace On A W2K8R2 DC Reporting It Supports The ADWS

-

Additional information about the ADWS can be found through the following links:

-

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), PowerShell, Windows Client, Windows Server | 5 Comments »

(2011-09-06) PowerShell Cheat Sheets

Posted by Jorge on 2011-09-06

After having posted links to PowerShell guides/eBooks in the past (click HERE and HERE), I also found these cheat sheets, which contain basic info about PowerShell commands/functions.

I still think that this guide is one heck of a kick a$$ eBook/Guide about PowerShell!

-

Cheers,
Jorge

Posted in PowerShell | Leave a Comment »

(2011-07-10) Transferring And Seizing FSMO Roles Through GUI, Command Line Or PowerShell

Posted by Jorge on 2011-07-10

AD uses a multi-master replication mechanism, meaning that updates can originate on any RWDC. For all kinds of services AD is highly redundant, assuming you have more than one RWDC. Within AD some operations cannot operate using the multi-master principle, but instead use the single-master principle to ensure consistency. The roles for those operations are the so-called Flexible Single Master Operations (FSMO) roles. From a forest perspective two forest-wide FSMO roles exist and from a domain perspective three domain-wide FSMO roles exist. Below you will find which one is which.

When FSMO role owners become unavailable, depending on the scenario you may need to transfer or seize the corresponding FSMO role(s). With regard to FSMO role transfer or seizure, please see "Moving FSMO Roles From One DC To Another DC". After a seizure the old FSMO role owner should never be brought online again. It should at least be force-demoted while not connected to the network, and its metadata in AD should be cleaned up.
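Reading the current owner of each of the five roles, and transferring one through the rootDSE operational attributes this post relies on, as an added PowerShell/ADSI example that is not code from the original post. The role-holder objects, the fSMORoleOwner attribute and the become* attributes are the ones named in the post; the function names are my own, and the caller is assumed to have the rights the transfer needs.

```powershell
# Added example, not code from the original post. Reads the five FSMO role owners
# through plain ADSI (no AD module / ADWS needed) from the same objects the ADMOD
# seizure commands target, and transfers a role through the rootDSE operational
# attributes. Assumes read access to the configuration and domain NCs.
function Get-FsmoRoleOwner {
    [CmdletBinding()]
    param(
        [string]$Server    # optional DC to bind to (FQDN); default is serverless binding
    )
    $prefix   = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $rootDSE  = [ADSI]"${prefix}rootDSE"
    $schemaNC = $rootDSE.schemaNamingContext.Value
    $configNC = $rootDSE.configurationNamingContext.Value
    $domainNC = $rootDSE.defaultNamingContext.Value

    # Forest-wide roles live in the schema and configuration NCs,
    # domain-wide roles in the domain NC (same DNs as the ADMOD seize examples).
    $roleHolder = [ordered]@{
        Schema         = $schemaNC
        DomainNaming   = "CN=Partitions,$configNC"
        PDC            = $domainNC
        RID            = 'CN=RID Manager$,CN=System,' + $domainNC
        Infrastructure = "CN=Infrastructure,$domainNC"
    }
    foreach ($role in $roleHolder.Keys) {
        $holder = [ADSI]($prefix + $roleHolder[$role])
        $ntdsDn = $holder.fSMORoleOwner.Value
        # fSMORoleOwner is "CN=NTDS Settings,CN=<DC>,CN=Servers,..."; the DC name is the
        # second RDN. After a seizure plus metadata cleanup the old owner's DN carries
        # the deleted-object marker "\0ADEL:<guid>", which is what OwnerIsGone flags.
        [PSCustomObject]@{
            Role        = $role
            Scope       = if (@('Schema', 'DomainNaming') -contains $role) { 'Forest' } else { 'Domain' }
            OwnerDC     = (($ntdsDn -split ',')[1] -replace '^CN=', '')
            OwnerNtdsDn = $ntdsDn
            OwnerIsGone = [bool]($ntdsDn -match '\\0ADEL:')
        }
    }
}

# Transfer (not seize) one role to the DC you bind to, via its rootDSE operational
# attribute. The new owner contacts the current owner itself, so this fails cleanly
# when the current owner is offline; seizure is a separate last-resort step.
function Move-FsmoRole {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$NewOwner,    # FQDN of the DC that should take over the role
        [Parameter(Mandatory = $true)]
        [ValidateSet('Schema', 'DomainNaming', 'PDC', 'RID', 'Infrastructure')]
        [string]$Role
    )
    $attribute = @{
        Schema         = 'becomeSchemaMaster'
        DomainNaming   = 'becomeDomainMaster'
        PDC            = 'becomePdc'
        RID            = 'becomeRidMaster'
        Infrastructure = 'becomeInfrastructureMaster'
    }[$Role]
    $rootDSE = [ADSI]"LDAP://$NewOwner/rootDSE"
    # becomePdc takes the domain SID (binary, read from the domain NC head object);
    # the other four operational attributes take the value 1.
    $value = if ($Role -eq 'PDC') {
        ([ADSI]"LDAP://$NewOwner/$($rootDSE.defaultNamingContext.Value)").objectSid.Value
    } else { '1' }

    if ($PSCmdlet.ShouldProcess($NewOwner, "Transfer $Role FSMO role")) {
        $rootDSE.Put($attribute, $value)
        $rootDSE.SetInfo()
        # Verify by re-reading the owner from the role-holder object on the new DC.
        Get-FsmoRoleOwner -Server $NewOwner | Where-Object { $_.Role -eq $Role }
    }
}

# Usage:
# Get-FsmoRoleOwner | Format-Table Role, Scope, OwnerDC, OwnerIsGone -AutoSize
# Move-FsmoRole -NewOwner 'dc2.adcorp.lab' -Role RID -WhatIf
```

Run Get-FsmoRoleOwner against more than one DC after a transfer or seizure: the owners only agree once the change has replicated.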

-

To transfer/seize FSMOs through a GUI you can use:

  • AD Schema Management MMC (For Schema FSMO)
  • AD Domain And Trusts MMC (For Domain Naming Master FSMO)
  • AD Users And Computers MMC (For PDC FSMO, RID FSMO and IM FSMO)

-

If you want to do this through the command line or PowerShell you can also use:

  • NTDSUTIL
    • NTDSUTIL
    • Roles
    • Connections
    • Connect to server <FQDN NEW DC>
    • Quit
    • To Transfer FSMOs
      • Schema FSMO –> Transfer schema master
      • Domain Naming FSMO –> Transfer naming master
      • PDC FSMO –> Transfer PDC
      • RID FSMO –> Transfer RID master
      • Infrastructure FSMO –> Transfer infrastructure master
    • To Seize FSMOs
      • Schema FSMO –> Seize schema master
      • Domain Naming FSMO –> Seize naming master
      • PDC FSMO –> Seize PDC
      • RID FSMO –> Seize RID master
      • Infrastructure FSMO –> Seize infrastructure master
    • Quit
    • Quit
  • ADMOD
    • To Transfer FSMOs
      • Schema FSMO (leverages "becomeSchemaMaster" operational attribute) –> ADMOD [-h <FQDN NEW DC>] -sc xferschema
      • Domain Naming FSMO (leverages "becomeDomainMaster" operational attribute) –> ADMOD [-h <FQDN NEW DC>] -sc xferdm
      • PDC FSMO (leverages "becomePdc" operational attribute) –> ADMOD [-h <FQDN NEW DC>] -sc xferpdc:<domain SID> (<domain SID> can be found on the rootDSE of any DC in the objectSid attribute)
      • RID FSMO (leverages "becomeRidMaster" operational attribute) –> ADMOD [-h <FQDN NEW DC>] -sc xferrid
      • IM FSMO (leverages "becomeInfrastructureMaster" operational attribute) –> ADMOD [-h <FQDN NEW DC>] -sc xferim
    • To Seize FSMOs
      • Schema FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> ADMOD [-h <FQDN NEW DC>] -b "CN=Schema,CN=Configuration,DC=<forest root domain>,DC=<tld>" "fSMORoleOwner::CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>"
      • Domain Naming FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> ADMOD [-h <FQDN NEW DC>] -b "CN=Partitions,CN=Configuration,DC=<forest root domain>,DC=<tld>" "fSMORoleOwner::CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>"
      • PDC FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> ADMOD [-h <FQDN NEW DC>] -b "DC=<domain>,DC=<tld>" "fSMORoleOwner::CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>"
      • RID FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> ADMOD [-h <FQDN NEW DC>] -b "CN=RID Manager$,CN=System,DC=<domain>,DC=<tld>" "fSMORoleOwner::CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>"
      • IM FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> ADMOD [-h <FQDN NEW DC>] -b "CN=Infrastructure,DC=<domain>,DC=<tld>" "fSMORoleOwner::CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>"
  • Regular PowerShell CMDlets (leveraging ADSI)
    • To Transfer FSMOs
      • $objRootDSE = [ADSI]"LDAP://<FQDN NEW DC>/rootDSE"
      • Schema FSMO (leverages "becomeSchemaMaster" operational attribute) –> $objRootDSE.Put("becomeSchemaMaster", "1")
      • Domain Naming FSMO (leverages "becomeDomainMaster" operational attribute) –> $objRootDSE.Put("becomeDomainMaster", "1")
      • PDC FSMO (leverages "becomePdc" operational attribute) –> $objRootDSE.Put("becomePdc", (([adsi]"").objectsid)[0])
      • RID FSMO (leverages "becomeRidMaster" operational attribute) –> $objRootDSE.Put("becomeRidMaster", "1")
      • Infrastructure FSMO (leverages "becomeInfrastructureMaster" operational attribute) –> $objRootDSE.Put("becomeInfrastructureMaster", "1")
      • $objRootDSE.SetInfo()
    • To Seize FSMOs
      • Schema FSMO (just hijacks the attribute by writing new attribute value, no checks performed)
        • $objDN = [ADSI]"LDAP://<FQDN NEW DC>/CN=Schema,CN=Configuration,DC=<forest root domain>,DC=<tld>"
        • $objDN.Put("fSMORoleOwner", "CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>")
        • $objDN.SetInfo()
      • Domain Naming FSMO (just hijacks the attribute by writing new attribute value, no checks performed)
        • $objDN = [ADSI]"LDAP://<FQDN NEW DC>/CN=Partitions,CN=Configuration,DC=<forest root domain>,DC=<tld>"
        • $objDN.Put("fSMORoleOwner", "CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>")
        • $objDN.SetInfo()
      • PDC FSMO (just hijacks the attribute by writing new attribute value, no checks performed)
        • $objDN = [ADSI]"LDAP://<FQDN NEW DC>/DC=<domain>,DC=<tld>"
        • $objDN.Put("fSMORoleOwner", "CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>")
        • $objDN.SetInfo()
      • RID FSMO (just hijacks the attribute by writing new attribute value, no checks performed)
        • $objDN = [ADSI]"LDAP://<FQDN NEW DC>/CN=RID Manager$,CN=System,DC=<domain>,DC=<tld>"
        • $objDN.Put("fSMORoleOwner", "CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>")
        • $objDN.SetInfo()
      • IM FSMO (just hijacks the attribute by writing new attribute value, no checks performed)
        • $objDN = [ADSI]"LDAP://<FQDN NEW DC>/CN=Infrastructure,DC=<domain>,DC=<tld>"
        • $objDN.Put("fSMORoleOwner", "CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>")
        • $objDN.SetInfo()
  • W2K8R2 AD PowerShell CMDlets
    • Import-Module ActiveDirectory
    • To Transfer FSMOs
      • Schema FSMO –> Move-ADDirectoryServerOperationMasterRole -Identity <FQDN NEW DC> -OperationMasterRole SchemaMaster
      • Domain Naming FSMO –> Move-ADDirectoryServerOperationMasterRole -Identity <FQDN NEW DC> -OperationMasterRole DomainNamingMaster
      • PDC FSMO –> Move-ADDirectoryServerOperationMasterRole -Identity <FQDN NEW DC> -OperationMasterRole PDCEmulator
      • RID FSMO –> Move-ADDirectoryServerOperationMasterRole -Identity <FQDN NEW DC> -OperationMasterRole RIDMaster
      • Infrastructure FSMO –> Move-ADDirectoryServerOperationMasterRole -Identity <FQDN NEW DC> -OperationMasterRole InfrastructureMaster
    • To Seize FSMOs
      • Schema FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> Set-ADObject [-Server <FQDN NEW DC>] -Identity "CN=Schema,CN=Configuration,DC=<forest root domain>,DC=<tld>" -Replace @{fSMORoleOwner='CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>'}
      • Domain Naming FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> Set-ADObject [-Server <FQDN NEW DC>] -Identity "CN=Partitions,CN=Configuration,DC=<forest root domain>,DC=<tld>" -Replace @{fSMORoleOwner='CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>'}
      • PDC FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> Set-ADObject [-Server <FQDN NEW DC>] -Identity "DC=<domain>,DC=<tld>" -Replace @{fSMORoleOwner='CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>'}
      • RID FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> Set-ADObject [-Server <FQDN NEW DC>] -Identity "CN=RID Manager$,CN=System,DC=<domain>,DC=<tld>" -Replace @{fSMORoleOwner='CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>'}
      • IM FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> Set-ADObject [-Server <FQDN NEW DC>] -Identity "CN=Infrastructure,DC=<domain>,DC=<tld>" -Replace @{fSMORoleOwner='CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>'}
  • Quest AD PowerShell CMDlets
    • Add-PSSnapin Quest.ActiveRoles.ADManagement
    • To Transfer FSMOs
      • I have not been able to achieve this with the Quest PowerShell CMDlets. Use the regular PowerShell CMDlets instead which leverage ADSI (see above)
    • To Seize FSMOs
      • Schema FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> Set-QADObject -Identity "CN=Schema,CN=Configuration,DC=<forest root domain>,DC=<tld>" -ObjectAttributes @{fSMORoleOwner='CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>'}
      • Domain Naming FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> Set-QADObject -Identity "CN=Partitions,CN=Configuration,DC=<forest root domain>,DC=<tld>" -ObjectAttributes @{fSMORoleOwner='CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>'}
      • PDC FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> Set-QADObject -Identity "DC=<domain>,DC=<tld>" -ObjectAttributes @{fSMORoleOwner='CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>'}
      • RID FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> Set-QADObject -Identity "CN=RID Manager$,CN=System,DC=<domain>,DC=<tld>" -ObjectAttributes @{fSMORoleOwner='CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>'}
      • IM FSMO (just hijacks the attribute by writing new attribute value, no checks performed) –> Set-QADObject -Identity "CN=Infrastructure,DC=<domain>,DC=<tld>" -ObjectAttributes @{fSMORoleOwner='CN=NTDS Settings,CN=<New DC Name>,CN=Servers,CN=<Site Name>,CN=Sites,CN=Configuration,DC=<forest root domain>,DC=<tld>'}
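
The list above gives the raw commands but none of them checks who holds a role before or after the write. The script below is an added example, not code from the original post, built on the W2K8R2 ActiveDirectory module: it reads fSMORoleOwner from the same five objects the commands above write to, resolves the owner to a DC FQDN, and wraps Move-ADDirectoryServerOperationMasterRole in a function that only transfers when the current holder answers over LDAP and only seizes (via the cmdlet's own -Force switch, not the attribute hijack shown above) when it does not. It assumes the module is installed, that the caller holds the rights each role requires, and that the function names and the DC name dc02.adcorp.lab are this example's own.

```powershell
# Added example (not from the original post): read, transfer and verify FSMO roles
# with the Windows Server 2008 R2 ActiveDirectory module (PowerShell 2.0 syntax).
# Assumes the module is installed and the caller has the rights each role requires.
Import-Module ActiveDirectory

# The object that carries fSMORoleOwner for each role: the same DNs the ADMOD, ADSI
# and Set-ADObject commands above write to. $Server selects the DC to read from.
function Get-FsmoRoleObject {
    param([string]$Server)
    $rootDse  = if ($Server) { Get-ADRootDSE -Server $Server } else { Get-ADRootDSE }
    $domainDn = $rootDse.defaultNamingContext
    @{
        SchemaMaster         = $rootDse.schemaNamingContext
        DomainNamingMaster   = 'CN=Partitions,' + $rootDse.configurationNamingContext
        PDCEmulator          = $domainDn
        RIDMaster            = 'CN=RID Manager$,CN=System,' + $domainDn
        InfrastructureMaster = 'CN=Infrastructure,' + $domainDn
    }
}

# Resolve each fSMORoleOwner value (an NTDS Settings DN) to the owning DC's FQDN via
# the parent server object's dNSHostName. A value containing "\0ADEL:" points at a
# deleted NTDS Settings object, i.e. the holder was removed from AD: report it as such.
function Get-FsmoRoleOwner {
    param([string]$Server)
    $common = @{}
    if ($Server) { $common.Server = $Server }
    $objects = Get-FsmoRoleObject -Server $Server
    foreach ($role in $objects.Keys) {
        $ntdsDn = (Get-ADObject @common -Identity $objects[$role] -Properties fSMORoleOwner).fSMORoleOwner
        if ($ntdsDn -match '0ADEL:') {
            $fqdn = '<deleted object>'
        } else {
            $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
            $fqdn = (Get-ADObject @common -Identity $serverDn -Properties dNSHostName).dNSHostName
        }
        New-Object PSObject -Property @{ Role = $role; RoleObject = $objects[$role]; OwnerNtds = $ntdsDn; OwnerFqdn = $fqdn }
    }
}

# Transfer one role to $TargetDc and verify by re-reading fSMORoleOwner from the
# target. A transfer needs the current holder online; if it is offline the function
# stops unless -Seize is given, in which case Move-ADDirectoryServerOperationMasterRole
# -Force is used (the AD module's own seize path). A seize is refused while the holder
# is still reachable, because a DC seized from and later brought back would still
# believe it owns the role.
function Move-FsmoRoleChecked {
    [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='High')]
    param(
        [Parameter(Mandatory=$true)][string]$TargetDc,   # FQDN of the intended new holder
        [Parameter(Mandatory=$true)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string]$Role,
        [switch]$Seize
    )
    $current = Get-FsmoRoleOwner -Server $TargetDc | Where-Object { $_.Role -eq $Role }
    if ($current.OwnerFqdn -ieq $TargetDc) {
        Write-Verbose "$Role is already held by $TargetDc"
        return $current
    }
    $holderOnline = $false
    if ($current.OwnerFqdn -ne '<deleted object>') {
        try   { $null = Get-ADRootDSE -Server $current.OwnerFqdn -ErrorAction Stop; $holderOnline = $true }
        catch { $holderOnline = $false }
    }
    if (-not $holderOnline -and -not $Seize) {
        throw "Current $Role holder '$($current.OwnerFqdn)' is unreachable; a transfer cannot complete. Use -Seize only if that DC will never return."
    }
    if ($holderOnline -and $Seize) {
        throw "Current $Role holder '$($current.OwnerFqdn)' is online; transfer instead of seizing."
    }
    $action = if ($Seize) { 'Seize' } else { 'Transfer' }
    if (-not $PSCmdlet.ShouldProcess("$Role from $($current.OwnerFqdn) to $TargetDc", $action)) { return }
    $moveParams = @{ Identity = $TargetDc; OperationMasterRole = $Role; Confirm = $false }
    if ($Seize) { $moveParams.Force = $true }
    Move-ADDirectoryServerOperationMasterRole @moveParams
    # Verify against the target DC itself: it must now report itself as the owner.
    $after = Get-FsmoRoleOwner -Server $TargetDc | Where-Object { $_.Role -eq $Role }
    if ($after.OwnerFqdn -ine $TargetDc) {
        throw "$action of $Role failed: $TargetDc still reports owner $($after.OwnerNtds)"
    }
    $after
}

# Usage (dc02.adcorp.lab is a constructed name):
#   Get-FsmoRoleOwner | Format-Table Role, OwnerFqdn -AutoSize
#   Move-FsmoRoleChecked -TargetDc dc02.adcorp.lab -Role PDCEmulator -Verbose
#   Move-FsmoRoleChecked -TargetDc dc02.adcorp.lab -Role SchemaMaster -Seize   # only for a holder that is gone for good
```

Two points worth keeping in mind when using this. First, every seize method on this page is nothing more than a write to fSMORoleOwner, so a DC that is seized from must be demoted or rebuilt before it is ever connected again. Second, because that write is an ordinary attribute modification, Directory Service Changes auditing (event ID 5136) records it when a SACL is set on the five role objects; an unexpected change of fSMORoleOwner is a strong signal that somebody is tampering with the forest and is cheap to alert on.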

-

For more information about FSMO roles see "Operations master roles" and "FSMO Roles".

-

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), Batch Script, PowerShell, Tooling/Scripting, VB Script | 1 Comment »