Tuesday, April 1, 2008

Active Directory Diagnostics

The text in this post is a batch file for Active Directory diagnostics. Set the variables at the top of the script (the domain controllers, the time source and the domain DN) and it will collect information about your Active Directory environment into a Diag directory. This is useful for troubleshooting, benchmarking, analysis and history. All operations are read-only.

:: Changes:
:: 21/09/2006, Initial version
:: 18/02/2008, Updated commands to be more generic and use variables for DC/DN/FQDN commands
:: 19/02/2008, Updated 'Subnet Information' to return a mapping of subnet to site.
:: 20/02/2008, Updated 'Find all connection objects' to provide more information
:: Author:
:: Wayne Martin
:: Use:
:: Perform various diagnostic commands against a domain and capture the output for analysis and history
:: Notes:
:: Most commands will work against a 2000 domain, but some are targeted at 2003-only functionality
:: Requires:
:: acldiag.exe
:: AdFind.exe
:: adrestore.exe
:: dcdiag.exe
:: dnscmd.exe
:: dsastat.exe
:: gpotool.exe
:: ldifde.exe
:: netdiag.exe
:: nltest.exe
:: psexec.exe
:: Psinfo.exe
:: repadmin.exe
:: setspn.exe


:: Set DC1, DC2, DC3 and TIMESRV in the environment before running this script.
:: %TIME% is a built-in cmd.exe variable that expands to the current clock time,
:: so the time source is read from TIMESRV instead.
Set Server=%DC1%
Set SecondDC=%DC2%
Set ThirdDC=%DC3%
Set TimeServer=%TIMESRV%
Set DomainDN=DC=domain,DC=com
Set DomainFQDN=%userdnsdomain%
:: Site used by the site-specific queries below (the original hard-coded a site name)
Set SITECODE=Default-First-Site-Name

:: Make the directory for the output
If not Exist .\Diag md Diag

:: FSMO Roles
ntdsutil roles connections "connect to server %Server%" quit "select operation target" "list roles for connected server" quit quit quit >>"Diag\FSMO_Roles_%Server%.txt"

:: Domain Controllers
Nltest /dclist:%userdnsdomain% >>"Diag\Domain_Controllers_%computername%.txt"

:: Domain Controller IP Configuration
for /f %%i in ('dsquery server -domain %userdnsdomain% -o rdn') do psexec \\%%i -s ipconfig /all >>"Diag\Domain_Controller_IP_Configuration_%%i.txt"

:: Domain Controller SystemInfo
for /f %%i in ('dsquery server -domain %userdnsdomain% -o rdn') do systeminfo /s %%i >>"Diag\Domain_Controller_SystemInfo_%%i.txt"

:: AD Database disk usage
for /f %%i in ('dsquery server -domain %userdnsdomain% -o rdn') do dir \\%%i\admin$\ntds >>"Diag\AD_Database_disk_usage_%%i.txt"

:: Global Catalog Servers from DNS (GC SRV records advertise port 3268)
dnscmd %Server% /enumrecords %userdnsdomain% _tcp | find /i "3268" >>"Diag\Global_Catalog_Servers_from_DNS_%Server%.txt"

:: Global Catalog Servers from AD (nTDSDSA options bit 1 = global catalog)
dsquery * "CN=Configuration,%DomainDN%" -s %Server% -filter "(&(objectCategory=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))" >>"Diag\Global_Catalog_Servers_from_AD_%Server%.txt"

:: DNS Information
for /f %%i in ('dsquery server -domain %userdnsdomain% -o rdn') do dnscmd %%i /info >>"Diag\DNS_Information_%%i.txt"

:: DNS Zone Detailed information
dnscmd %Server% /zoneinfo %userdnsdomain% >>"Diag\DNS_Zone_Detailed_information_%server%.txt"

:: Garbage Collection and tombstone
dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,%DomainDN%" -s %Server% -attr garbageCollPeriod tombstoneLifetime >>"Diag\Garbage_Collection_and_tombstone_%server%.txt"

:: Group Policy Verification Tool
gpotool.exe /checkacl /verbose >>"Diag\Group_Policy_Verification_Tool.txt"

:: AD OU membership (computer objects)
dsquery computer -s %Server% -limit 0 >>"Diag\AD_OU_membership_computers_%server%.txt"

:: AD OU membership (user objects)
dsquery user -s %Server% -limit 0 >>"Diag\AD_OU_membership_users_%server%.txt"

:: List Service Principal Names
for /f %%i in ('dsquery server -domain %userdnsdomain% -o rdn') do setspn -L %%i >>"Diag\List_Service_Principal_Names_%%i.txt"

:: Compare DC Replica Object Count
dsastat -s:%server%;%SecondDC%;%ThirdDC% -p:999 >>"Diag\Compare_DC_Replica_Object_Count.txt"

:: Check AD ACLs
acldiag %DomainDN% >>"Diag\Check_AD_ACLs.txt"

:: NTFRS Replica Sets
for /f %%i in ('dsquery server -domain %userdnsdomain% -o rdn') do ntfrsutl sets %%i >>"Diag\NTFRS_Replica_Sets_%%i.txt"

:: NTFRS DS View
for /f %%i in ('dsquery server -domain %userdnsdomain% -o rdn') do ntfrsutl ds %%i >>"Diag\NTFRS_DS_View_%%i.txt"

:: Domain Controllers per site
Dsquery * "CN=Sites,CN=Configuration,%DomainDN%" -s %server% -filter (objectCategory=Server) >>"Diag\Domain_Controllers_per_site_%server%.txt"

:: DNS Zones in AD
for /f %%i in ('dsquery server -o rdn') do Dsquery * domainroot -s %%i -filter (objectCategory=dnsZone) >>"Diag\DNS_Zones_in_AD_%%i.txt"

:: Enumerate DNS Server Zones
for /f %%i in ('dsquery server -o rdn') do dnscmd %%i /enumzones >>"Diag\Enumerate_DNS_Server_Zones_%%i.txt"

:: Subnet information (subnet to site mapping)
dsquery * "CN=Subnets,CN=Sites,CN=Configuration,%DomainDN%" -s %server% -attr cn siteObject description location >>"Diag\Subnet_information_%server%.txt"
::Dsquery subnet -s %server% >>"Diag\Subnet_information_%server%.txt"

:: List Organisational Units
Dsquery OU -s %server% >>"Diag\List_Organisational_Units_%server%.txt"

:: ACL on all OUs
For /f "delims=" %%i in ('dsquery OU -s %server%') do acldiag %%i >>"Diag\ACL_on_all_OUs.txt"

:: Domain Trusts
nltest /domain_trusts /v /server:%server% >>"Diag\Domain_Trusts_%server%.txt"

:: Print DNS Zones
dnscmd %Server% /zoneprint %DomainFQDN% >>"Diag\Print_DNS_Zones_%server%.txt"

:: AD Subnet and Site Information
dsquery * "CN=Subnets,CN=Sites,CN=Configuration,%DomainDN%" -s %server% -attr cn siteObject description location >>"Diag\AD_Subnet_and_Site_Information_%server%.txt"

:: AD Site Information
dsquery * "CN=Sites,CN=Configuration,%DomainDN%" -s %server% -attr cn description location -filter (objectClass=site) >>"Diag\AD_Site_Information_%server%.txt"

:: Printer Queue Objects in AD
dsquery * domainroot -filter "(objectCategory=printQueue)" -s %server% -limit 0 >>"Diag\Printer_Queue_Objects_in_AD_%server%.txt"

:: Group Membership with user details (replace groupDN with the DN of the group to report on)
dsget group groupDN -members | dsget user -samid -fn -mi -ln -display -empid -desc -office -tel -email -title -dept -mgr >>"Diag\Group_Membership_with_user_details_%server%.txt"

:: Site Links and Cost
dsquery * "CN=Sites,CN=Configuration,%DomainDN%" -s %server% -attr cn cost description replInterval siteList -filter (objectClass=siteLink) >>"Diag\Site_Links_and_Cost_%server%.txt"

:: Check time against Domain
w32tm /monitor /computers:%server%,%SecondDC%,%ThirdDC%,%TimeServer% >>"Diag\Check_time_against_Domain.txt"

:: Domain Controller Diagnostics
for %%i in (%server% %SecondDC% %ThirdDC%) do dcdiag /s:%%i /v /e /c >>"Diag\Domain_Controller_Diagnostics_%%i.txt"

:: Domain Replication Bridgeheads
repadmin /bridgeheads >>"Diag\Domain_Replication_Bridgeheads.txt"

:: Replication Failures from KCC
repadmin /failcache >>"Diag\Replication_Failures_from_KCC.txt"

:: Inter-site Topology servers per site
Repadmin /istg * /verbose >>"Diag\Inter-site_Topology_servers_per_site.txt"

:: Replication latency
repadmin /latency /verbose >>"Diag\Replication_latency.txt"

:: Queued replication requests
repadmin /queue * >>"Diag\Queued_replication_requests.txt"

:: Show connections for a DC
repadmin /showconn * >>"Diag\Show_connections_for_a_DC.txt"

:: Replication summary
Repadmin /replsummary >>"Diag\Replication_summary.txt"

:: Show replication partners
repadmin /showrepl * /all >>"Diag\Show_replication_partners.txt"

:: All DCs in the forest
repadmin /viewlist * >>"Diag\All_DCs_in_the_forest.txt"

:: ISTG from AD attributes (for the site in %SITECODE%)
dsquery * "CN=NTDS Site Settings,CN=%SITECODE%,CN=Sites,CN=Configuration,%DomainDN%" -s %server% -attr interSiteTopologyGenerator >>"Diag\ISTG_from_AD_attributes_%server%.txt"

:: Return the NTDS Site Settings object if KCC intra-site (options bit 1) or inter-site (options bit 16) automatic topology generation is disabled for a site
dsquery * "CN=Sites,CN=Configuration,%DomainDN%" -s %server% -attr * -filter "(&(objectClass=nTDSSiteSettings)(|(options:1.2.840.113556.1.4.803:=1)(options:1.2.840.113556.1.4.803:=16)))" >>"Diag\Return_the_object_if_KCC_Intra-Inter_site_is_disabled_for_each_site_%server%.txt"

:: Find all connection objects (the commented line queries the whole forest, the active one a single site)
::dsquery * forestRoot -s %server% -filter (objectCategory=nTDSConnection) -attr distinguishedName fromServer whenCreated displayName >>"Diag\Find_all_connection_objects_%server%.txt"
dsquery * "CN=Servers,CN=%SITECODE%,CN=Sites,CN=Configuration,%DomainDN%" -s %server% -filter (objectCategory=nTDSConnection) -attr fromServer cn >>"Diag\Find_all_connection_objects_%server%.txt"

:: Find all connection schedules
adfind -b "CN=Configuration,%DomainDN%" -f "objectcategory=ntdsConnection" cn Schedule -csv >>"Diag\Find_all_connection_schedules_%server%.txt"

:: Software Information for each server
for /f %%i in ('dsquery server -domain %userdnsdomain% -o rdn') do psinfo \\%%i >"Diag\ServerInfo_%%i.txt" & filever \\%%i\admin$\explorer.exe \\%%i\admin$\system32\vbscript.dll \\%%i\admin$\system32\kernel32.dll \\%%i\admin$\system32\wbem\winmgmt.exe \\%%i\admin$\system32\oleaut32.dll >>"Diag\Software_Information_for_each_server_%%i.txt"

:: Check Terminal Services Delete Temp on Exit flag
For /f %%i in ('dsquery server -domain %userdnsdomain% -o rdn') do Reg query "\\%%i\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v DeleteTempDirsOnExit >>"Diag\Check_Terminal_Services_Delete_Temp_on_Exit_flag_%%i.txt"

:: Information on existing GPOs
dsquery * "CN=Policies,CN=System,%DomainDN%" -s %server% -filter "(objectCategory=groupPolicyContainer)" -attr displayName cn whenCreated gPCFileSysPath >>"Diag\Information_on_existing_GPOs_%server%.txt"

:: Domain Controller Netlogon entries
for /f %%i in ('dsquery server -o rdn') do (echo %%i & reg query "\\%%i\HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters") >>"Diag\Domain_Controller_Netlogon_entries_%%i.txt"

:: Find empty groups
dsquery * -s %server% -filter "(&(objectCategory=group)(!(member=*)))" -limit 0 -attr whenCreated whenChanged groupType sAMAccountName distinguishedName memberOf >>"Diag\Find_empty_groups.txt"

:: Disk statistics, including the number of files on the filesystem
for %%i in (%server% %SecondDC% %ThirdDC%) do psexec \\%%i chkdsk C: /i /c >>"Diag\CheckDisk_%%i.txt"
for %%i in (%server% %SecondDC% %ThirdDC%) do psexec \\%%i defrag C: -a -v >>"Diag\CheckDisk_%%i.txt"

:: Query IIS web sites
for /f %%i in ('dsquery server -o rdn') do iisweb /s %%i /query "Default Web Site" >>"Diag\IIS_Default_Web_Sites_%%i.txt"

:: Forest/Domain Functional Levels (ldifde export)
ldifde -s %server% -d "cn=partitions,cn=configuration,%DomainDN%" -r "(|(systemFlags=3)(systemFlags=-2147483648))" -l msds-behavior-version,dnsroot,ntmixeddomain,NetBIOSName -p subtree -f "Diag\Forest-Domain_Functional_Levels_ldifde_%server%.txt"

:: Forest/Domain Functional Levels
dsquery * "cn=partitions,cn=configuration,%DomainDN%" -s %server% -filter "(|(systemFlags=3)(systemFlags=-2147483648))" -attr msDS-Behavior-Version Name dnsroot ntmixeddomain NetBIOSName >>"Diag\Forest-Domain_Functional_Levels_%server%.txt"

:: Lookup SRV records from DNS
nslookup -type=srv _ldap._tcp.dc._msdcs.%DomainFQDN% %server% >>"Diag\Lookup_SRV_records_from_DNS_%server%.txt"

:: Find when the AD was installed
dsquery * "cn=configuration,%DomainDN%" -s %server% -attr whencreated -scope base >>"Diag\Find_when_the_AD_was_installed_%server%.txt"

:: Find a DC for each trusted domain (skip=1 drops the dsquery column header)
for /f "skip=1" %%i in ('"dsquery * CN=System,%DomainDN% -filter (objectClass=trustedDomain) -attr trustPartner"') do nltest /dsgetdc:%%i >>"Diag\Find_a_DC_for_each_trusted_domain_%server%.txt"

:: Verify SMB connectivity to the admin share on DCs
for /f %%i in ('dsquery server -o rdn') do @(if not exist \\%%i\admin$ (echo Could not access %%i\admin$) else (echo %%i\admin$ exists)) >>"Diag\Verify_SMB_connectivity_to_DCs.txt"
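Several of the dsquery filters above depend on the bitwise-AND matching rule 1.2.840.113556.1.4.803 (the global catalog bit on nTDSDSA objects, the KCC options on NTDS Site Settings) and on correctly nested &, | and ! operators. The following is an added example, not part of the original post: a small Python evaluator for that filter subset, run over constructed sample objects, which shows which objects each of the script's filters would return.

```python
# Added example (not from the original batch file): a minimal evaluator for the LDAP filter
# subset the script's dsquery/ldifde commands use, run over constructed sample objects.
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND: every bit in the value must be set

def parse(s, i=0):
    # Parse the parenthesised filter item starting at s[i]; return (tree, next_index).
    if s[i] != "(":
        raise ValueError("filter item must start with '('")
    i += 1
    if s[i] in "&|":                       # (&(...)(...)) and (|(...)(...))
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1           # skip the closing ')'
    if s[i] == "!":                        # (!(...))
        kid, i = parse(s, i + 1)
        return ("!", [kid]), i + 1
    end = s.index(")", i)                  # attr=value, attr=* or attr:OID:=value
    attr, value = s[i:end].split("=", 1)
    return ("=", [attr, value]), end + 1

def match(node, obj):
    # Evaluate a parsed filter against one object (dict of lowercase attribute -> value).
    op, args = node
    if op in "&|":
        combine = all if op == "&" else any
        return combine(match(k, obj) for k in args)
    if op == "!":
        return not match(args[0], obj)
    attr, value = args
    if ":" in attr:                        # extensible match such as options:1.2.840.113556.1.4.803:=16
        attr, rule, _ = attr.split(":")
        if rule != BIT_AND or obj.get(attr.lower()) is None:
            return False
        return (obj[attr.lower()] & int(value)) == int(value)
    present = obj.get(attr.lower())
    return present is not None if value == "*" else str(present).lower() == value.lower()

# Constructed sample objects, not real directory data.
SAMPLE = {
    "DC1 NTDS Settings": {"objectcategory": "nTDSDSA", "options": 1},            # GC bit set
    "DC2 NTDS Settings": {"objectcategory": "nTDSDSA", "options": 0},
    "HQ site settings": {"objectclass": "nTDSSiteSettings", "options": 0x10},    # inter-site KCC disabled
    "Empty group": {"objectcategory": "group"},
    "Admins group": {"objectcategory": "group", "member": "CN=alice,DC=domain,DC=com"},
}

def select(filt, objects=SAMPLE):
    # Return the names of the sample objects an LDAP filter string would return.
    tree, _ = parse(filt)
    return sorted(name for name, obj in objects.items() if match(tree, obj))
```

Running the script's own filters through `select` (the GC filter, the KCC-disabled filter and the empty-group filter) is a quick way to confirm that a filter's parentheses and operators say what you think before pointing it at a production DC.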

Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.

1 comment:

Anonymous said...

This is great man, I will try it in my W2000 environment
