PowerShell for Windows Admins


February 6, 2012  6:28 AM

Inbound replication

Richard Siddaway Richard Siddaway Profile: Richard Siddaway

Continuing round the MicrosoftActiveDirectory namespace we get to the MSAD_ReplCursor class which provides inbound replication state information about all replicas of a Naming Context

 

Get-WmiObject -Namespace root\MicrosoftActiveDirectory -Class MSAD_ReplCursor  |
Format-Table -GroupBy NamingContextDN -Property SourceDsaDN, SourceDsaInvocationID,
@{N="LastSuccessfulSync"; E={$_.ConvertToDateTime($_.TimeOfLastSuccessfulSync)}}, USNAttributeFilter –AutoSize

The interesting properties are the TimeofLastSuccessfulSync and the USNAttributeFilter.  The latter – to quote from the documentation  “gets the maximum update sequence number to which the destination server can indicate that it has recorded all changes originated by the given server at update sequence numbers less than, or equal to, this update sequence number. This property is used to filter changes that the destination server has already applied at replication source servers”.

 

Between the WMI classes we have the basis of a good test of replication  for our AD domain.  All we have to do is put it together in a coherent picture.

February 6, 2012  5:00 AM

Automating replication testing

Richard Siddaway Richard Siddaway Profile: Richard Siddaway

Building on the recent post about testing replication I though a bit more automation was needed. Lets create a function to discover the domain controllers

function get-DomainControllerNames {            
 $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()             
 $dom.FindAllDomainControllers() | select -ExpandProperty Name            
}

 

We then use a simple pipeline to produce a nicely formatted report

 

get-DomainControllerNames |

foreach { test-replication -computername $_ } |

Format-Table -Property SourceDsACN, NamingContextDN, Last* -GroupBy DomainController –AutoSize 

 

   DomainController: DC02.Manticore.org

SourceDsaCN NamingContextDN                                LastSyncAttempt     LastSyncSuccess   
———– —————                                —————     —————   
SERVER02    DC=Manticore,DC=org                            06/02/2012 10:53:45 06/02/2012 10:53:45

SERVER02    CN=Configuration,DC=Manticore,DC=org           06/02/2012 10:01:46 06/02/2012 10:01:46

SERVER02    CN=Schema,CN=Configuration,DC=Manticore,DC=org 06/02/2012 10:01:46 06/02/2012 10:01:46

SERVER02    DC=DomainDnsZones,DC=Manticore,DC=org          06/02/2012 10:22:17 06/02/2012 10:22:17

SERVER02    DC=ForestDnsZones,DC=Manticore,DC=org          06/02/2012 10:07:02 06/02/2012 10:07:02


   DomainController: SERVER02.Manticore.org

SourceDsaCN NamingContextDN                                LastSyncAttempt     LastSyncSuccess   
———– —————                                —————     —————   
DC02        DC=Manticore,DC=org                            06/02/2012 10:03:17 06/02/2012 10:03:17

DC02        CN=Configuration,DC=Manticore,DC=org           06/02/2012 10:02:01 06/02/2012 10:02:01

DC02        CN=Schema,CN=Configuration,DC=Manticore,DC=org 06/02/2012 09:59:38 05/02/2012 19:48:03

DC02        DC=ForestDnsZones,DC=Manticore,DC=org          06/02/2012 10:07:17 06/02/2012 10:07:17

DC02        DC=DomainDnsZones,DC=Manticore,DC=org          06/02/2012 10:22:00 06/02/2012 10:22:00

 

If you have a very large number of domain controllers this may take a while to run. In that case split the domain controller list into a number of CSV files and work from those.


February 5, 2012  3:22 PM

Passing no parameters

Richard Siddaway Richard Siddaway Profile: Richard Siddaway

This was interesting question on the forum – user wants to retrieve something by name or id and if neither are given then return all objects.  This is similar to

Get-Process powershell
Get-Process -Id 1568
Get-Process

In the first two we filter on a name or id – in the last one we get everything

 

This is what I arrived at using processes as an example

function test-proc{             
[CmdletBinding(DefaultParameterSetName="XXXXX")]             
param (             
[parameter(Position=0,            
   ParameterSetName="ByName",            
   ValueFromPipeline=$true,             
   ValueFromPipelineByPropertyName=$true)]            
   [ValidateNotNullOrEmpty()]            
   [string]$name,            
               
   [parameter(Position=0,            
   ParameterSetName="ById",            
   ValueFromPipeline=$true,             
   ValueFromPipelineByPropertyName=$true)]            
   [ValidateNotNullOrEmpty()]            
   [int]$id              
)             
BEGIN{}#begin             
PROCESS{            
            
switch ($psCmdlet.ParameterSetName) {            
 "ByName"  {Get-Process -Name $name }            
 "ById"  {Get-Process -Id $id }            
 "XXXXX" {Get-Process }            
}            
}#process             
END{}#end            
}            
            
##

The trick is to define a default parameter set with no parameters – then when you don’t use any parameters it kicks in at the switch statement and your code can run as required

Be interested if this gets broken in any scenarios as it seems to simple to be correct – but it works


February 5, 2012  2:06 PM

Testing replication

Richard Siddaway Richard Siddaway Profile: Richard Siddaway

We’ve seen a few things we can do with the WMI provider for Active Directory. One of the most useful is testing replication

function test-replication{            
[CmdletBinding()]            
param(            
 [string]$computername=$env:COMPUTERNAME            
)            
Get-WmiObject -Namespace root\MicrosoftActiveDirectory -Class MSAD_ReplNeighbor -ComputerName $computername|            
select SourceDsaCN, NamingContextDN,             
@{N="LastSyncAttempt"; E={$_.ConvertToDateTime($_.TimeOfLastSyncAttempt)}},            
@{N="LastSyncSuccess"; E={$_.ConvertToDateTime($_.TimeOfLastSyncSuccess)}}             
}

A simple call to the MSAD_ReplNeigbor and we can test the last times the DCs attempted to synchronise and the last time they were successful


February 5, 2012  6:40 AM

PAM release February 2012

Richard Siddaway Richard Siddaway Profile: Richard Siddaway

I have added another module to the PowerShell Admin Modules – http://psam.codeplex.com/

 

Release 0.7 adds a PAMHostsFile module with the following members

add-hostfilecontent
add-IPv6hostfilecontent
clear-hostfilecontent
get-hostfilecontent
remove-hostfilecontent

 

A release notes document is also available which includes a listing of all modules and members together with a history of releases.


February 5, 2012  3:59 AM

Training for the Scripting Games

Richard Siddaway Richard Siddaway Profile: Richard Siddaway

Like all sporting events you need to train before participating – as part of your training follow the links on the sites in my previous post

http://msmvps.com/blogs/richardsiddaway/archive/2012/02/04/scripting-games-2012-link-page.aspx

and also use these resources

http://blogs.technet.com/b/heyscriptingguy/archive/2012/02/05/2012-scripting-games-study-guide-a-resource-for-learning-powershell.aspx

Good luck


February 4, 2012  9:31 AM

Scripting Games 2012–link page

Richard Siddaway Richard Siddaway Profile: Richard Siddaway

The 2012 Scripting Games were announced

http://blogs.technet.com/b/heyscriptingguy/archive/2012/01/30/scripting-guys-announce-the-2012-powershell-scripting-games.aspx

They will start on 2 April – with events released to schedule after that. The usual Advanced and Beginner categories will be available

An all links page is available

http://blogs.technet.com/b/heyscriptingguy/archive/2012/02/04/the-2012-windows-powershell-scripting-games-all-links-on-one-page.aspx

This is worth book marking.

If you didn’t compete last year – follow the links to see the type of fun that is in store.

Last year there were some amazing PowerShell scripts submitted – looking forward to this years games already.

And just to add to the fun – this year you can use PowerShell v3


January 28, 2012  2:51 PM

Naming Contexts

Richard Siddaway Richard Siddaway Profile: Richard Siddaway

Continuing our quick look at The ActiveDirectory name space lets have a look at the MSAD_NamingContext  class

Get-WmiObject -Namespace root\MicrosoftActiveDirectory -Class MSAD_NamingContext |

Format-Table DistinguishedName, IsFullReplica –AutoSize

 

DistinguishedName                              IsFullReplica
—————–                              ————-
DC=DomainDnsZones,DC=Manticore,DC=org                   True
DC=ForestDnsZones,DC=Manticore,DC=org                   True
CN=Schema,CN=Configuration,DC=Manticore,DC=org          True
CN=Configuration,DC=Manticore,DC=org                    True
DC=Manticore,DC=org                                     True

 

This is equivalent to the information you see in the root of the AD provider

PS> Get-ChildItem -Path AD:\

Name                 ObjectClass          DistinguishedName
—-                 ———–          —————–
Manticore            domainDNS            DC=Manticore,DC=org
Configuration        configuration        CN=Configuration,DC=Manticore,DC=org
Schema               dMD                  CN=Schema,CN=Configuration,DC=Manticore,DC=org
ForestDnsZones       domainDNS            DC=ForestDnsZones,DC=Manticore,DC=org
DomainDnsZones       domainDNS            DC=DomainDnsZones,DC=Manticore,DC=org


January 28, 2012  10:20 AM

Active Directory and WMI

Richard Siddaway Richard Siddaway Profile: Richard Siddaway

A lot of the Active Directory related functionality has been removed from WMI but  there is a little bit left in the root\MicrosoftActiveDirectory namespace.

This is on a Windows 2008 R2 domain controller – I don’t know if this is available on down level versions of Windows.

Get-WmiObject -Namespace root\MicrosoftActiveDirectory -List | where {$_.Name -notlike "__*"}

 

ReplicationProvider1
MSAD_ReplPendingOp
Microsoft_TrustProvider
Microsoft_DomainTrustStatus
Microsoft_LocalDomainInfo
MSAD_NamingContext
MSAD_ReplCursor
MSAD_DomainController
MSAD_ReplNeighbor

The mixture of naming conventions doesn’t help but lets start looking at some domain information

Get-WmiObject -Namespace root\MicrosoftActiveDirectory -Class Microsoft_LocalDomainInfo

 

The following properties of interest are returned

DCname           : SERVER02
DNSname          : Manticore.org
FlatName         : MANTICORE
SID              : S-1-5-21-3881460461-1879668979-35955009
TreeName         : Manticore.org

 

We can also get a quick replication test

 

Get-WmiObject -Namespace root\MicrosoftActiveDirectory -Class MSAD_DomainController |
select CommonName, DistinguishedName, IsAdvertisingToLocator, IsGC, IsNextRIDPoolAvailable,
IsRegisteredInDNS, IsSysVolReady, NTDsaGUID, PercentOfRIDsLeft, SiteName,
@{N="OldestQueuedAddition"; E={$_.ConvertToDateTime($_.TimeOfOldestReplAdd)} },
@{N="OldestQueuedDeletion"; E={$_.ConvertToDateTime($_.TimeOfOldestReplDel)} },
@{N="OldestQueuedModification"; E={$_.ConvertToDateTime($_.TimeOfOldestReplMod)} },
@{N="OldestQueuedReplicationSync"; E={$_.ConvertToDateTime($_.TimeOfOldestReplSync)} },
@{N="OldestQueuedReplicationUpdate"; E={$_.ConvertToDateTime($_.TimeOfOldestReplUpdRefs)} }

 

CommonName                    : SERVER02
DistinguishedName             : CN=NTDS Settings,CN=SERVER02,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=Manticore,DC=org
IsAdvertisingToLocator        : True
IsGC                          : True
IsNextRIDPoolAvailable        : False
IsRegisteredInDNS             : True
IsSysVolReady                 : True
NTDsaGUID                     : baba1150-8a6a-41ac-9889-4b69268d3f7c
PercentOfRIDsLeft             : 91
SiteName                      : Site1
OldestQueuedAddition          : 01/01/1601 00:00:00
OldestQueuedDeletion          : 01/01/1601 00:00:00
OldestQueuedModification      : 01/01/1601 00:00:00
OldestQueuedReplicationSync   : 01/01/1601 00:00:00
OldestQueuedReplicationUpdate : 01/01/1601 00:00:00

 

The 1601 dates mean nothing is queued


January 27, 2012  2:10 PM

PowerShell Deep Dive 2012

Richard Siddaway Richard Siddaway Profile: Richard Siddaway

The 2012 PowerShell Deep Dive has been announced  – April 29 – May 2 in San Diego.

http://blogs.msdn.com/b/powershell/archive/2012/01/27/it-s-time-for-another-powershell-deep-dive.aspx

 

This time PowerShell is a full track so expect more of your favourite stuff.  Hope to see you there.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: