System Administrator Daily Routine - Useful Commands

This post is a knowledge base for my daily routine and is meant to help other colleagues as well. It will always be updated.

WSUS:

To check if the Windows client is connected to the WSUS Server, open the CMD and type:

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

If the policy key is missing or wrong, type:

wuauclt.exe /detectnow

wuauclt.exe /reportnow

wuauclt.exe /register

ACTIVE DIRECTORY:
[Health]

Basic report:
dcdiag

Specific DC:
dcdiag /S:DCNAME

All DCs in the current AD site:
dcdiag /A

All DCs in the forest:
dcdiag /E

Only error messages to be displayed:
dcdiag /Q

To export the output to a log file:
dcdiag /F:C:\log.txt


[Replication]

1st - Run one of these commands:

RepAdmin /ReplSummary (for all DCs)
RepAdmin /ReplSummary DC01 (for a specific DC)
RepAdmin /ReplSummary %computername% (for the current DC)

How to analyze?
Check that there are no failures and that all largest deltas are under 1 hour within a site and under 3 hours between sites.


2nd - If the command above shows errors, check which kind of connection is affected:

repadmin /showrepl
repadmin /showrepl dc01

Basically, there are five naming context (NC) connections:

Domain NC
Configuration NC
Schema NC
DomainDNSZones
ForestDNSZones

The expected result is a last attempt time that matches the replsummary result.
AD replication is 100% dependent on DNS, so replication errors are often caused by DNS issues.

3rd - To try to fix replication issues, type:

Repadmin /replicate

This command will manually start a replication process.


or

repadmin /syncall /AdeP

/A - All; synchronizes all directory partitions that are held on the home server.
/d - Identifies servers by their distinguished names in messages.
/e - Enterprise; includes partners in all sites.
/P - Pushes changes outward from the home server.


4th - To check the items waiting to be replicated, run:

Repadmin /queue
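The replsummary check above (no failures, largest delta under 1 hour within a site and 3 hours between sites) can be automated with the ActiveDirectory module. This is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module is installed and the caller can read replication metadata, and the function name and its parameters are this example's own.

```powershell
# Added example, not part of the original post: report replication partners whose
# last successful replication is older than the thresholds used above
# (1 hour within a site, 3 hours between sites) or that show consecutive failures.
# Assumes the ActiveDirectory RSAT module and read access to replication metadata.
Import-Module ActiveDirectory

function Get-ReplicationDeltaReport {
    param(
        [string]$Scope  = 'Domain',                 # Domain, Forest, Server or Site
        [string]$Target = $env:USERDNSDOMAIN,       # the object the scope refers to
        [timespan]$IntraSiteMax = [timespan]::FromHours(1),
        [timespan]$InterSiteMax = [timespan]::FromHours(3)
    )
    $now    = Get-Date
    $siteOf = @{}   # cache of DC -> site so each DC is looked up only once

    Get-ADReplicationPartnerMetadata -Target $Target -Scope $Scope | ForEach-Object {
        $server = $_.Server
        if (-not $siteOf.ContainsKey($server)) {
            $siteOf[$server] = (Get-ADDomainController -Identity $server).Site
        }
        # Partner is the DN of the partner's NTDS Settings object, e.g.
        # CN=NTDS Settings,CN=DC02,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
        # (a site or server name containing an escaped comma would need a real DN parser)
        $rdn         = $_.Partner -split ','
        $partnerName = $rdn[1] -replace '^CN='
        $partnerSite = $rdn[3] -replace '^CN='
        $sameSite    = ($partnerSite -eq $siteOf[$server])
        $limit       = if ($sameSite) { $IntraSiteMax } else { $InterSiteMax }
        $delta       = $now - $_.LastReplicationSuccess

        [pscustomobject]@{
            Server     = $server
            Partner    = $partnerName
            Partition  = $_.Partition
            SameSite   = $sameSite
            Delta      = $delta
            Failures   = $_.ConsecutiveReplicationFailures
            LastResult = $_.LastReplicationResult      # 0 = success, otherwise a Win32 error code
            Exceeded   = ($delta -gt $limit) -or ($_.ConsecutiveReplicationFailures -gt 0)
        }
    }
}

# Only the partners that need attention, oldest successful replication first
Get-ReplicationDeltaReport | Where-Object Exceeded | Sort-Object Delta -Descending |
    Format-Table Server, Partner, Partition, SameSite, Delta, Failures, LastResult -AutoSize
```

A non-zero LastResult or a growing Failures count points to the repadmin /showrepl and DNS checks in step 2 before forcing a sync.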

FSMO:

To quickly discover where the operations masters are running, type:

netdom /query fsmo

To perform a seize operation:

NTDSUTIL


Register the Schema Master snap-in:

regsvr32 schmmgmt.dll

Domains and Trusts

Types:

Trust type: External
Transitivity: Nontransitive
Direction: One-way or two-way
Description: Use external trusts to provide access to resources that are located on a Windows NT 4.0 domain or a domain that is located in a separate forest that is not joined by a forest trust.

Trust type: Realm
Transitivity: Transitive or nontransitive
Direction: One-way or two-way
Description: Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and an Active Directory domain.

Trust type: Forest
Transitivity: Transitive
Direction: One-way or two-way
Description: Use forest trusts to share resources between forests. If a forest trust is a two-way trust, authentication requests that are made in either forest can reach the other forest.

Trust type: Shortcut
Transitivity: Transitive
Direction: One-way or two-way
Description: Use shortcut trusts to improve user logon times between two domains within an Active Directory forest. This is useful when two domains are separated by two domain trees.

Transitive: Only types Shortcut, Forest and Realm
Transitivity determines whether a trust can be extended outside the two domains between which the trust was formed. For example, a new child domain created under a domain that established the trust inherits that trust from its parent domain.

Nontransitive : Only Types External and Realm
A nontransitive trust is restricted by the two domains in the trust relationship. It does not flow to any other domains in the forest. A nontransitive trust can be a two-way trust or a one-way trust. Nontransitive trusts are one-way by default, although you can also create a two-way relationship by creating two one-way trusts.

One-way: Can be either Transitive or Nontransitive
A one-way trust is a unidirectional authentication path that is created between two domains. This means that in a one-way trust between Domain A and Domain B, users in Domain A can access resources in Domain B. However, users in Domain B cannot access resources in Domain A.

Two-way: Can be either Transitive or Nontransitive
All domain trusts in an Active Directory forest are two-way, transitive trusts. When a new child domain is created, a two-way, transitive trust is automatically created between the new child domain and the parent domain. In a two-way trust, Domain A trusts Domain B and Domain B trusts Domain A. This means that authentication requests can be passed between the two domains in both directions.

Establishing a Secure Connection to the Domain:

NLTEST:

nltest.exe can be used to check the secure channel and attempt to reset it.
nltest.exe /sc_verify:<fully.qualified.domain.name.here>
If that does not do it, you can restart the Netlogon service (I mainly use PowerShell, so I'll give an example of that).
Get-Service netlogon | Restart-Service
nltest.exe /sc_verify:<fully.qualified.domain.name.here>
I ran the nltest command after restarting the service to validate that the secure channel was back in operation.
If you've made some network changes (IP addresses, changing hardware, virtualizing, etc.) you might want to flush your DNS cache and clear your ARP table before running the above commands.
ipconfig /flushdns
arp -d *
Get-Service netlogon | Restart-Service
nltest.exe /sc_verify:<fully.qualified.domain.name.here>


PowerShell:

Checking if the domain connection is OK:
Open PowerShell as Administrator
Test-ComputerSecureChannel  -Verbose
Test-ComputerSecureChannel  -Server "fqdn.server" -Verbose

Reset the computer's password:
Reset-ComputerMachinePassword -Server DC01


If the test returns False, run:
Test-ComputerSecureChannel -Repair -Server PDCEmulatorName -Verbose
If it is repaired you will see a message; if it fails, try adding a credential:
Test-ComputerSecureChannel -Repair -Server PDCEmulatorName -Credential Domain\UserName -Verbose
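The test, repair and credential retry above can be chained so the repair only runs when the test actually fails, with each outcome logged for later review. This is an added example, not the author's code; it assumes an elevated session, and the function name, log path and the PDCEmulatorName placeholder are this example's own.

```powershell
# Added example, not part of the original post: test the secure channel to the
# domain and only then walk through the repair steps listed above, logging each
# outcome. Assumes an elevated PowerShell session; $Server is the PDC emulator
# (placeholder name) and $Credential an account allowed to reset the machine account.
function Repair-SecureChannelIfBroken {
    param(
        [Parameter(Mandatory)][string]$Server,
        [pscredential]$Credential,
        [string]$LogPath = "$env:ProgramData\securechannel.log"
    )
    function Write-Log([string]$Text) {
        $line = "$(Get-Date -Format s) $Text"
        Add-Content -Path $LogPath -Value $line
        Write-Host $line
    }

    if (Test-ComputerSecureChannel -Server $Server) {
        Write-Log "Secure channel to $Server is healthy; nothing to do"
        return $true
    }

    Write-Log "Secure channel to $Server is broken; trying repair without credential"
    $repaired = Test-ComputerSecureChannel -Repair -Server $Server -Verbose

    if (-not $repaired -and $Credential) {
        Write-Log "Repair failed; retrying as $($Credential.UserName)"
        $repaired = Test-ComputerSecureChannel -Repair -Server $Server -Credential $Credential -Verbose
    }

    # Cross-check from the Netlogon side, as the nltest step above does.
    $verify = nltest.exe /sc_verify:$env:USERDNSDOMAIN 2>&1 | Out-String
    Write-Log ("nltest /sc_verify output:`n" + $verify.Trim())

    Write-Log "Repair result: $repaired"
    return [bool]$repaired
}

# Usage (run as Administrator). The credential is only used if the first repair fails.
$params = @{ Server = 'PDCEmulatorName' }   # placeholder: your PDC emulator's name
$cred = Get-Credential -Message 'Account allowed to reset the machine account (optional)'
if ($cred) { $params.Credential = $cred }
Repair-SecureChannelIfBroken @params
```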

Queries:

DSQUERY

The following command will find all computers in Active Directory that have not been logged into during the past 8 weeks:

dsquery computer -inactive 8 -limit 0

The following command will find and delete them:

dsquery computer -inactive 8 -limit 0 | dsrm

The DSQUERY utility comes with the Windows Server 2003 Support Tools package (Adminpak.msi) which can be installed directly from your Windows Server 2003 installation media or downloaded from the Microsoft website.

Klist

1 - To query which domain controllers this computer recently contacted, use the following command:

klist query_bind

2 - To diagnose a logon session for a user or a service, use the following command to find the LogonID that is used in other klist commands:
klist sessions

SYSVOL & Netlogon Replication


https://technet.microsoft.com/pt-br/Library/cc816833%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
If you use FRS replication between DCs and need to restore it on one or more DCs, perform the BurFlags procedure:

https://support.microsoft.com/en-us/help/290762/using-the-burflags-registry-key-to-reinitialize-file-replication-service

GPO

gpresult /R
gpresult /H c:\file.html
gpupdate /target:computer /force
gpupdate /force

Force an update of the computer object's group membership without rebooting the system:
klist -li 0x3e7 purge


POWERSHELL

How to enable remote sessions:
Enable-PSRemoting <ENTER>

How to remotely connect to another server:
Enter-PSSession MachineName <ENTER>

How to end your remote session:
Exit-PSSession <ENTER>

How to use PowerShell on Windows 2003 servers:
Download and install Windows Management Framework Core (WinRM 2.0 and Windows PowerShell 2.0) from:

http://www.microsoft.com/downloads/details.aspx?FamilyId=f002462b-c8f2-417a-92a3-287f5f81407e

or, for a 64-bit OS:

http://www.microsoft.com/downloads/details.aspx?FamilyId=909bbcf1-bd78-4e03-8c83-69434717e551


In services.msc:

Scroll down and find Windows Management Instrumentation and Windows Remote Management (WS-Management); make sure both are started and set to start automatically.

NTP

Checking the time on all DCs in the domain:
w32tm /monitor /domain:domainname

Checking the time source on a workstation or server:
w32tm /query /source

Checking the last synchronization and other information:
w32tm /query /status


Event ID
How to Identify a System Reboot

Event ID 6005: "The event log service was started." This is synonymous with system startup.
Event ID 6006: "The event log service was stopped." This is synonymous with system shutdown.
Event ID 6008: "The previous system shutdown was unexpected." Records that the system started after it was not shut down properly.
Event ID 6009: Indicates the Windows product name, version, build number, service pack number, and operating system type detected at boot time.
Event ID 6013: Displays the uptime of the computer. There is no TechNet page for this ID.
Event ID 1074: "The process X has initiated the restart / shutdown of computer on behalf of user Y for the following reason: Z." Indicates that an application or a user initiated a restart or shutdown.
Event ID 1076: "The reason supplied by user X for the last unexpected shutdown of this computer is: Y." Recorded when the first user with shutdown privileges logs on to the computer after an unexpected restart or shutdown and supplies a reason for the occurrence.
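The event IDs above can be pulled from the System log into a single reboot timeline, which makes an unexpected shutdown (6008) without a preceding 1074 stand out immediately. This is an added example, not part of the original post; the function name and its -ComputerName and -Days parameters are this example's own, and the ID descriptions are shortened from the list above.

```powershell
# Added example, not part of the original post: build a reboot timeline from the
# System log using the event IDs listed above. Requires rights to read the remote
# System log when -ComputerName is not the local machine.
function Get-RebootTimeline {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 30
    )
    # Short meanings, condensed from the descriptions in the post
    $meaning = @{
        6005 = 'Event log service started (system startup)'
        6006 = 'Event log service stopped (clean shutdown)'
        6008 = 'Previous shutdown was unexpected'
        6009 = 'OS version recorded at boot'
        6013 = 'System uptime reported'
        1074 = 'Restart/shutdown initiated by a process or user'
        1076 = 'Reason supplied for the last unexpected shutdown'
    }
    $filter = @{
        LogName   = 'System'
        Id        = @($meaning.Keys)
        StartTime = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        Sort-Object TimeCreated |
        ForEach-Object {
            # For 1074/1076 the first message line names the process, user and reason;
            # keep only that line so the timeline stays readable.
            $detail = if ($_.Id -in 1074, 1076) { ($_.Message -split "`r?`n")[0] } else { '' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Meaning = $meaning[$_.Id]
                Detail  = $detail
            }
        }
}

# A 6008 with no 1074 shortly before it is a reboot nobody requested: power loss,
# a crash, or something worth investigating.
Get-RebootTimeline -Days 30 | Format-Table -AutoSize -Wrap
```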

How to check updates downloaded and installed:
Event ID 22
Event ID 44

