This is a bunch of command line tools for troubleshooting Microsoft Active Directory. Shared from the pcman.net website.

FSMO Roles

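rem Read-only query: lists the FSMO role holders known to the logon server.
rem ntdsutil treats each quoted argument as one menu command, so this line walks the interactive steps in order.
ntdsutil roles Connections "Connect to server %logonserver%" Quit "select Operation Target" "List roles for conn server" Quit Quit Quit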

[JDH: This is really a series of steps, not a single command expression]

Domain Controllers

Nltest /dclist:%userdnsdomain%

Domain Controller IP Configuration

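rem Runs ipconfig /all on every DC returned by dsquery. Inside a .cmd file, double the percent sign of the loop variable.
rem PsExec needs admin rights on each target and installs a temporary service there, so expect service-install events and EDR alerts on the DCs.
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do psexec \\%i ipconfig /all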

Stale computer accounts

dsquery computer domainroot -stalepwd 180 -limit 0

Stale user accounts

dsquery user domainroot -stalepwd 180 -limit 0

Disabled user accounts

dsquery user domainroot -disabled -limit 0

AD Database disk usage

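rem Lists the ntds folder under each DC's admin$ share; assumes the database sits in the default NTDS folder under the Windows directory.
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do dir \\%i\admin$\ntds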

Global Catalog Servers from DNS

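rem 3268 is the Global Catalog LDAP port, so the filter keeps the SRV records that advertise GC servers.
dnscmd %logonserver% /enumrecords %userdnsdomain% _tcp | find /i "3268"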

Global Catalog Servers from AD

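rem 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; options bit 1 on an NTDS Settings object marks a Global Catalog.
rem DC=forestRootDomain is a placeholder for the forest root DN.
dsquery * "CN=Configuration,DC=forestRootDomain" -filter "(&(objectCategory=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))"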

Users with no logon script

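rem Users whose scriptPath attribute is not set, with name and password-age attributes for follow-up.
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(!scriptPath=*))" -limit 0 -attr sAMAccountName sn givenName pwdLastSet distinguishedName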

User accounts with no pwd required

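rem userAccountControl bit 32 is PASSWD_NOTREQD: the account may hold a blank password regardless of domain password policy.
rem Audit item: every hit should be justified or have the flag cleared.
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=32))"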

User accounts with no pwd expiry

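rem userAccountControl bit 65536 is DONT_EXPIRE_PASSWORD. Audit item: review service and privileged accounts in the result.
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))"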

User accounts that are disabled

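rem userAccountControl bit 2 is ACCOUNTDISABLE.
dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=2))"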

DNS Information

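rem Prints the DNS server settings of every DC returned by dsquery.
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do dnscmd %i /info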

DNS Zone Detailed information

dnscmd /zoneinfo %userdnsdomain%

Garbage Collection and tombstone

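rem Reads garbageCollPeriod and tombstoneLifetime from the Directory Service object in the configuration partition.
rem DC=forestRootDomain is a placeholder for the forest root DN.
dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,DC=forestRootDomain" -attr garbageCollPeriod tombstoneLifetime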

Netsh authorised DHCP Servers

netsh dhcp show server

DSQuery authorised DHCP Servers

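rem Reads the dhcpServers attribute under NetServices, which is where AD records authorised DHCP servers.
rem Compare with the netsh list; a server answering on the network that is in neither list is unauthorised.
Dsquery * "cn=NetServices,cn=Services,cn=Configuration,DC=forestRootDomain" -attr dhcpServers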

DHCP server information

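rem DHCP_SERVER is a placeholder; the server is addressed as a UNC name with two leading backslashes.
netsh dhcp server \\DHCP_SERVER show all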

DHCP server dump

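rem Dumps the DHCP server configuration as netsh script text. DHCP_SERVER is a placeholder.
netsh dhcp server \\DHCP_SERVER dump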

WINS server information

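rem Dumps the WINS server configuration as netsh script text. WINS_SERVER is a placeholder.
Netsh wins server \\WINS_SERVER dump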

Group Policy Verification Tool

gpotool.exe /checkacl /verbose

AD OU membership (computers)

dsquery computer -limit 0

AD OU membership (users)

dsquery user -limit 0

List Service Principal Names

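rem Lists the SPNs registered on each DC's computer account; review the output for duplicate or unexpected entries.
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do setspn -L %i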

Compare DC Replica Object Count

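rem DC1;DC2;... and Domain are placeholders for the server list and the search base DN. dsastat options start with a hyphen.
dsastat -s:DC1;DC2;... -b:Domain -gcattrs:objectclass -p:999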

Check AD ACLs

acldiag dc=domainTree

NTFRS Replica Sets

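rem Shows the FRS replica sets held by every DC returned by dsquery.
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do ntfrsutl sets %i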

NTFRS DS View

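rem Shows each DC's FRS view of the directory service.
for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do ntfrsutl ds %i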

Domain Controllers per site

Dsquery * “CN=Sites,CN=Configuration,DC=forestRootDomain” -filter (objectCategory=Server)

DNS Zones in AD

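rem Asks each DC in turn (-s) for the dnsZone objects under the domain root.
for /f %i in ('dsquery server -o rdn') do Dsquery * -s %i domainroot -filter (objectCategory=dnsZone)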

Enumerate DNS Server Zones

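rem Enumerates the zones hosted by the DNS service on every DC.
for /f %i in ('dsquery server -o rdn') do dnscmd %i /enumzones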

Subnet information

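rem -limit 0 removes the default cap on the number of results.
Dsquery subnet -limit 0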

List Organisational Units

Dsquery OU

ACL on all OUs

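rem The pipe character as the only delimiter keeps each DN, spaces included, in one token before it is passed to acldiag.
For /f "delims=|" %i in ('dsquery OU') do acldiag %i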

Domain Trusts

nltest /domain_trusts /v

Print DNS Zones

dnscmd DNSServer /zoneprint DNSZone

Active DHCP leases

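rem DHCPServers.txt holds one DHCP server name per line. The inner loop picks the scope address from each active scope line,
rem then lists that scope's clients in v5 format.
For /f %i in (DHCPServers.txt) do for /f "delims=- " %j in ('"netsh dhcp server \\%i show scope | find /i "active""') do netsh dhcp server \\%i scope %j show clientsv5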

DHCP Server Active Scope Info

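rem DHCPServers.txt holds one DHCP server name per line; only scope lines marked active are kept.
For /f %i in (DHCPServers.txt) do netsh dhcp server \\%i show scope | find /i "active"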

Resolve DHCP clients hostnames

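rem DhcpClients.csv is a placeholder for the saved output the page calls 'Find Subnets from DHCP clients' (that command is not shown on this page).
rem Resolves the second comma-separated field with nslookup and echoes name,field2,field3,field1.
for /f "tokens=1,2,3 delims=," %i in (DhcpClients.csv) do @for /f "tokens=2 delims=: " %m in ('"nslookup %j | find /i "Name:""') do echo %m,%j,%k,%i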

Find two online PCs per subnet

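rem ResolvedClients.csv is a placeholder for the saved output of 'Resolve DHCP clients hostnames'.
rem NOTE(review): the final Echo was probably appended to TwoClientsPerSubnet.txt in the original; as extracted, the per-subnet count never grows. Confirm before relying on the limit of two.
Echo. > TwoClientsPerSubnet.txt & for /f "tokens=1,2,3,4 delims=, " %i in ('"find /i "pc" ResolvedClients.csv"') do for /f "tokens=3 skip=1 delims=: " %m in ('"Find /i /c "%l" TwoClientsPerSubnet.txt"') do If %m LEQ 1 for /f %p in ('"ping -n 1 %i | find /i /c "(0% loss""') do If %p==1 Echo %i,%j,%k,%l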

AD Subnet and Site Information

dsquery * “CN=Subnets,CN=Sites,CN=Configuration,DC=forestRootDomain” -attr cn siteObject description location

AD Site Information

dsquery * “CN=Sites,CN=Configuration,DC=forestRootDomain” -attr cn description location -filter (objectClass=site)

Printer Queue Objects in AD

dsquery * domainroot -filter “(objectCategory=printQueue)” -limit 0

Group Membership with user details

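rem groupDN is a placeholder for the group's distinguished name; the member DNs are piped into dsget user for the detail columns.
dsget group "groupDN" -members | dsget user -samid -fn -mi -ln -display -empid -desc -office -tel -email -title -dept -mgr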

Total DHCP Scopes

find /i “subnet” “Output from DHCP server information” | find /i “subnet”

Site Links and Cost

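rem Lists every siteLink object with its cost, description, replication interval and member sites.
rem DC=forestRootDomain is a placeholder for the forest root DN.
dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -attr cn cost description replInterval siteList -filter (objectClass=siteLink)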

Time gpresult

timethis gpresult /v

Check time against Domain

w32tm /monitor /computers:ForestRootPDC

Domain Controller Diagnostics

dcdiag /s:%logonserver% /v /e /c

Domain Replication Bridgeheads

repadmin /bridgeheads

Replication Failures from KCC

repadmin /failcache

Inter-site Topology servers per site

Repadmin /istg * /verbose

Replication latency

repadmin /latency /verbose

Queued replication requests

repadmin /queue *

Show connections for a DC

repadmin /showconn *

Replication summary

Repadmin /replsummary

Show replication partners

repadmin /showrepl * /all

All DCs in the forest

repadmin /viewlist *

ISTG from AD attributes

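rem CN=siteName and DC=forestRootDomain are placeholders for the site name and the forest root DN.
dsquery * "CN=NTDS Site Settings,CN=siteName,CN=Sites,CN=Configuration,DC=forestRootDomain" -attr interSiteTopologyGenerator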

Return the object if KCC Intra/Inter site is disabled for each site

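rem On an NTDS Site Settings object, options bit 1 disables intra-site KCC topology generation and bit 16 disables inter-site generation.
rem Any object returned means automatic topology is switched off for that site and connections are maintained by hand.
Dsquery site | dsquery * -attr * -filter "(|(Options:1.2.840.113556.1.4.803:=1)(Options:1.2.840.113556.1.4.803:=16))"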

Find all connection objects

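rem Lists replication connection objects with their source server and creation time.
dsquery * forestRoot -filter (objectCategory=nTDSConnection) -attr distinguishedName fromServer whenCreated displayName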

Find all connection schedules

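rem The base DN is the page's example domain; replace it with your own configuration partition DN.
adfind -b "cn=Configuration,dc=qraps,dc=com,dc=au" -f "objectcategory=ntdsConnection" cn Schedule -csv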

Software Information for each server

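rem DomainControllers.txt is a placeholder for a file with one DC name per line (the page's "Output from 'Domain Controllers'").
rem psinfo reports system details; filever prints the version of core system files read through each DC's admin$ share.
for /f %i in (DomainControllers.txt) do psinfo \\%i & filever \\%i\admin$\explorer.exe \\%i\admin$\system32\vbscript.dll \\%i\admin$\system32\kernel32.dll \\%i\admin$\system32\wbem\winmgmt.exe \\%i\admin$\system32\oleaut32.dll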

Check Terminal Services Delete Temp on Exit flag

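rem DomainControllers.txt is a placeholder for a file with one DC name per line (the page's "Output from 'Domain Controllers'").
rem The key name contains a space, so the whole remote path is quoted. Remote reg query needs the Remote Registry service on the target.
For /f %i in (DomainControllers.txt) do Reg query "\\%i\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v DeleteTempDirsOnExit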

For each XP workstation, query the current site and which DC supplied its Group Policy

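rem Step 1 writes the names of all Windows XP Professional computers to Workstations.txt.
rem Step 2 pings each name once; for hosts that answer it reads DCName from the Group Policy history key over remote registry
rem and the site from nltest, then echoes workstation,DC,site.
@dsquery * domainroot -filter "(&(objectCategory=Computer)(operatingSystem=Windows XP Professional))" -limit 0 -attr cn > Workstations.txt & @For /f %i in (Workstations.txt) do @ping %i -n 1 >NUL & @if ErrorLevel 0 If NOT ErrorLevel 1 @Echo %i & for /f "tokens=3" %k in ('"reg query "\\%i\hklm\software\microsoft\windows\currentversion\group policy\history" /v DCName | Find /i "DCName""') do @for /f %m in ('"nltest /server:%i /dsgetsite | find /i /v "completed successfully""') do @echo %i,%k,%m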

Information on existing GPOs

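rem domainRoot is a placeholder for the domain DN. gPCFileSysPath is the SYSVOL folder that belongs to each GPO.
dsquery * "CN=Policies,CN=System,domainRoot" -filter "(objectCategory=groupPolicyContainer)" -attr displayName cn whenCreated gPCFileSysPath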

Copy all Group Policy .pol files

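rem Splits each .pol path on backslashes: token 5 is the GPO GUID folder and token 6 the Machine or User folder.
rem The loop only echoes the copy commands; review them, then run the ones you want.
for /f "tokens=1-8 delims=\" %i in ('dir /b /s \\%userdnsdomain%\sysvol\%userdnsdomain%\policies\*.pol') do @echo copy \\%i\%j\%k\%l\%m\%n\%o %m_%n.pol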

Domain Controller Netlogon entries

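rem Prints the Netlogon service parameters of every DC over remote registry.
for /f %i in ('dsquery server /o rdn') do echo %i & reg query \\%i\hklm\system\currentcontrolset\services\netlogon\parameters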

WINS Statistics

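rem WINSServers.txt is comma-separated; this loop addresses each server by the first field.
for /f "tokens=1,2 delims=," %i in (WINSServers.txt) do netsh wins server \\%i show statistics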

WINS Record counts per server

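rem Asks each WINS server for the count of records it owns itself; the first field of WINSServers.txt is used for both arguments.
for /f "tokens=1,2 delims=," %i in (WINSServers.txt) do netsh wins server \\%i show reccount %i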

WINS Server Information

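rem Uses the second comma-separated field of WINSServers.txt as the server name.
for /f "tokens=2 delims=," %i in (WINSServers.txt) do netsh wins server \\%i show info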

WINS Server Dump

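rem Dumps each WINS server's configuration as netsh script text; the second field of WINSServers.txt is the server name.
for /f "tokens=2 delims=," %i in (WINSServers.txt) do netsh wins server \\%i dump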

WINS Static Records per Server

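rem LocalWINSServer is a placeholder. The empty servers list selects all owners and rectype=1 limits output to static records.
netsh wins server \\LocalWINSServer show database servers={} rectype=1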

Find policy display name given the GUID

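rem On groupPolicyContainer objects Name holds the GPO GUID and displayName the friendly name. DC=domainRoot is a placeholder.
dsquery * "CN=Policies,CN=System,DC=domainRoot" -filter (objectCategory=groupPolicyContainer) -attr Name displayName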

Find empty groups

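rem Groups with no member attribute. The AND filter is wrapped in its own parentheses so that it is a well-formed LDAP filter.
rem Membership through primaryGroupID is not stored in member, so such groups can appear empty here while still having users.
dsquery * -filter "(&(objectCategory=group)(!member=*))" -limit 0 -attr whenCreated whenChanged groupType sAMAccountName distinguishedName memberOf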

Find remote NIC bandwidth

wmic /node:%server% path Win32_PerfRawData_Tcpip_NetworkInterface GET Name,CurrentBandwidth

Find remote free physical memory

wmic /node:%Computer% path Win32_OperatingSystem GET FreePhysicalMemory

Find remote system information

SystemInfo /s %Computer%

Disk statistics, including the number of files on the filesystem

chkdsk /i /c

Query IIS web sites

iisweb /s %Server% /query “Default Web Site”

Check port state and connectivity

portqry -n %server% -e %endpoint% -v

Forest/Domain Functional Levels

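rem Exports the crossRef objects for the forest and domains; msDS-Behavior-Version carries the functional level.
rem -f con writes to the console instead of a file. dc=%domain% is a placeholder for the forest root DN.
ldifde -d cn=partitions,cn=configuration,dc=%domain% -r "(|(systemFlags=3)(systemFlags=-2147483648))" -l msds-behavior-version,dnsroot,ntmixeddomain,NetBIOSName -p subtree -f con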

Forest/Domain Functional Levels

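rem Same query through dsquery; msDS-Behavior-Version carries the functional level. dc=%domain% is a placeholder for the forest root DN.
dsquery * cn=partitions,cn=configuration,dc=%domain% -filter "(|(systemFlags=3)(systemFlags=-2147483648))" -attr msDS-Behavior-Version Name dnsroot ntmixeddomain NetBIOSName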

Find the parent of a process

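rem ParentProcessId is recorded when the process starts. If the parent has exited, its PID may have been reused,
rem so confirm the parent's start time before trusting the lineage.
wmic path Win32_Process WHERE Name='notepad.exe' GET Name,ParentProcessId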

Lookup SRV records from DNS

nslookup -type=srv _ldap._tcp.dc._msdcs.{domainRoot}

Find when the AD was installed

dsquery * cn=configuration,DC=forestRootDomain -attr whencreated -scope base

Enumerate the trusts from the specified domain

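rem Lists trustedDomain objects under the System container. DC=domainRoot is a placeholder for the domain DN.
dsquery * "CN=System,DC=domainRoot" -filter "(objectClass=trustedDomain)" -attr trustPartner flatName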

Find a DC for each trusted domain

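rem skip=1 drops the dsquery header row; each trustPartner name is then handed to nltest to locate a DC. DC=domainRoot is a placeholder.
for /f "skip=1" %i in ('"dsquery * CN=System,DC=domainRoot -filter (objectClass=trustedDomain) -attr trustPartner"') do nltest /dsgetdc:%i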

Check the notification packages installed on all DCs

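rem Reads the LSA "Notification Packages" value (password filter DLLs) from every DC. These DLLs see password changes,
rem so an entry you cannot account for deserves investigation.
rem tokens=4 keeps a single whitespace-separated field of the output line; run a plain reg query to see the full list.
for /f %i in ('dsquery server /o rdn') do @for /f "tokens=4" %m in ('"reg query \\%i\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v "Notification Packages" | find /i "Notification""') do @echo %i,%m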

List ACLs in SDDL format

setacl -on %filepath% -ot file -actn list -lst f:sddl

Find out if a user account is currently enabled or disabled

dsquery user DC=%userdnsdomain:.=,DC=% -name %username% | dsget user -disabled -dn

Find servers in the domain

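rem Matches computer objects whose operatingSystem attribute contains the word Server.
dsquery * domainroot -filter "(&(objectCategory=Computer)(objectClass=Computer)(operatingSystem=*Server*))" -limit 0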

Open DS query window

rundll32 dsquery,OpenQueryWindow