Resources For IT Professionals
Post an article
Wikis - Page Details
  • First published by (eMicrosoft Community Contributo)
  • When: 7 Nov 2012 8:13 PM
  • Last revision by (eMicrosoft Community Contributo)
  • When: 7 Jun 2013 6:01 AM
  • Revisions: 28
  • Comments: 11
Options
RSSSubscribe to Article (RSS)
Can You Improve This Article?
Positively! Click Sign In to add the tip, solution, correction or comment that will help other users.

Report inappropriate content using these instructions.
Wiki  >  TechNet Articles  >  Active Directory Administration One Liners

Active Directory Administration One Liners

Active Directory Administration One Liners

Table of Contents

 

1.DCDIAG

 

To deploy an additional domain controller:
Dcdiag /test:dcpromo /DnsDomain:domain_name.com /ReplicaDC
To deploy a child domain:
Dcdiag /test:dcpromo /DnsDomain:child_domain_name.forest.com /ChildDomain
Test the FSMO
Dcdiag /s:<DomainControllerName> /test:fsmocheck
Check DNS
Dcdiag /test:dns
Check for missing and duplicate SPNs as well as other errors
Dcdiag /test:checksecurityerror
Check the rid pool
dcdiag /s:server /v /test:ridmanager

2. NSLOOKUP

Test SRV records

cmd---nslookup
 set q=srv
 _ldap._tcp.dc._msdcs.yourdomain.com
 _ldap._tcp.gc._msdcs.yourdomain.com
 _ldap._tcp.pdc._msdcs.yourdomain.com

Command to Troubleshoot DNS Issues

3. Repadmin

 

Disable replication
Repadmin /options <dc-fqdn> +DISABLE_OUTBOUND_REPL
Enable replication
Repadmin /options <dc-fqdn> -DISABLE_OUTBOUND_REPL

4. W32TM


Time sync issue in DC
w32tm /config /manualpeerlist:<DC1.contoso.com> /syncfromflags:manual /update

Need to run non PDC.
w32tm /config /syncfromflags:domhier /update
W32tm /resync /rediscover
net stop w32time && net start w32time

5. NLTEST

How to find the site for a Server
nltest /server:%computername% /dsgetsite
nltest /dsgetdc:contoso.com

How to find DCs IP addresses

nltest/dnsgetdc:contoso.com

Returns only those domains that are in the same forest as the primary domain.

nltest /trusted_domains /forest

Reset the netlogon secure channel

nltest /sc_reset:<domainname>

NLTEST to test the trust relationship between a workstation and domain

 

6. PortQuery


PortQry.exe -n 10.236.214.136 -e 53 -p both
Portqry -n DC1.Contoso.com -o 135,137,138,139,389,445,88,636,3268,3269,53 -p both

7.How to check the delegation

Dsrevoke /Report OU=test,DC=gs,DC=Com gs\bshwjt
 ACLDiag.exe "OU=Employee,DC=Contoso,DC=Com" /chkdeleg

For details see the below links.
http://social.technet.microsoft.com/wiki/contents/articles/6477.how-to-view-or-delete-active-directory-delegated-
permissions.aspx
http://msmvps.com/blogs/acefekay/archive/2012/02/07/active-directory-server-2008-r2-you-do-not-have-permission-to-modify-the-group.aspx

8. DNSlint

All DCs GUID/CNAME & IP addresses

dnslint /ad /s localhost

9.RUNAS

runas /user:<domain\username> cmd





, , , , , , , [Edit tags]
Leave a Comment
  • Please add 3 and 5 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
Sort by: Published Date | Most Recent | Most Useful
Comments
  • 14 Jan 2013 5:40 PM

    Ed Price - MSFT edited Revision 16. Comment: Added TOC and tags

  • 11 Dec 2012 7:21 AM

    Fernando Lugão Veltem edited Revision 15. Comment: removed (en-US) from the title

Page 1 of 1 (2 items)
Wikis - Comment List
Sort by: Published Date | Most Recent | Most Useful
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
Comments
  • Posted by
    on 8 Nov 2012 5:16 PM

    Nice! Is there a one-liner to find to who is delegated what access on an Active Directory object?

  • Posted by
    on 16 Nov 2012 1:06 AM

    I could save this as a remind. Thanks.

  • Posted by
    on 21 Nov 2012 9:11 PM

    Nice and informative article. I would like to add some more here.

    dsquery server -isgc to check GCs in the domain.

    repadmin /replsum * /bysrc /bydest /sort:delta this command is for AD Replication Health check

    Thanks.

  • Posted by
    on 11 Dec 2012 6:45 AM

    Yes John, here is the one liner

    ACLDiag.exe "OU=Employee,DC=Contoso,DC=Com" /chkdeleg

  • Posted by
    on 11 Dec 2012 7:21 AM

    Fernando Lugão Veltem edited Revision 15. Comment: removed (en-US) from the title

  • Posted by
    on 14 Jan 2013 5:40 PM

    Ed Price - MSFT edited Revision 16. Comment: Added TOC and tags

  • Posted by
    on 2 Feb 2013 12:28 AM

    Find and compare the domain controllers ; there should not be any orphaned DC.

    dsquery server -limit 0 >> Dsquery-Dcs.txt

    repadmin /replsummary * >> repl.txt

    nltest /dclist:contoso.com >> nltest-Dcs.txt

    dsquery * DC=DomainDnsZones,DC=contoso,DC=com -scope base -attr msDs-masteredBy >> domaindnszones-DCs.txt

    dsquery * DC=fomainDnsZones,DC=contoso,DC=com -scope base -attr msDs-masteredBy >> forestdnszones-DCs.txt

    Check the all DNS

    dcdiag /e /v /test:dns

  • Posted by
    on 2 Feb 2013 12:38 AM

    Find and compare the domain controllers ; there should not be any orphaned DC.

    dsquery server -limit 0 >> Dsquery-Dcs.txt

    repadmin /replsummary * >> repl.txt

    nltest /dclist:contoso.com >> nltest-Dcs.txt

    dsquery * DC=DomainDnsZones,DC=contoso,DC=com -scope base -attr msDs-masteredBy >> domaindnszones-DCs.txt

    dsquery * DC=fomainDnsZones,DC=contoso,DC=com -scope base -attr msDs-masteredBy >> forestdnszones-DCs.txt

    Check the all DNS

    dcdiag /e /v /test:dns

  • Posted by
    on 7 Mar 2013 2:01 AM

    good One ,is there Any Diagramatic structure for representing AD

  • Posted by
    on 20 Jun 2013 6:16 PM

    can you try this & let me now.

  • Posted by
    on 20 Jun 2013 6:17 PM

    DCDIAG /V /C /D /E /s:dcname >> dcdiag-DCS.txt

Page 1 of 1 (11 items)