Premier Field Engineering: A Customer Service and Support Organization
The ActiveDirectory Module: 2008 R2 and 2012
Written and Delivered by:
Gary Siepser
Microsoft Confidential
AD Module Prerequisites
Server Side (We need AD Web Services)
At least one 2008 R2 or 2012 DC in the targeted domain, OR
A 2003 or 2008 DC running the Active Directory Management Gateway Service
Client Side (We need the AD PowerShell Module)
OS Requirement: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
Windows 7 and 8: Install current Remote Server Administration Tools
On server versions RSAT is already present; just add the feature
Add the ActiveDirectory Module either through the Add/Remove Features GUI or using PowerShell:
Install-WindowsFeature RSAT-AD-Powershell
To actually use the cmdlets, the module must be imported:
On PowerShell v2: Import-Module ActiveDirectory
On PowerShell v3: you can still import manually, but v3 automatically imports a module the first time you use one of its commands
New AD Cmdlets
The current set of AD PowerShell cmdlets can be classified into categories:
Account Management
Topology management
Directory object management
Provider cmdlets
New with Server 2012
Active Directory Replication and Topology Management Using Windows PowerShell
Installing AD DS Using Windows PowerShell
Removing AD DS Using Windows PowerShell
New AD Cmdlets
In the account management set we have cmdlets that –
Create, delete, write and read users, groups, computers, managed service accounts and Organizational units (OUs).
Manage account settings such as: expiration date, password etc.
Manage group membership, get account token groups.
Manage fine grained password policy and default domain password policy.
New AD Cmdlets
In the topology management set we have cmdlets that –
Discover DCs, manage FSMOs, move DCs across site and get DC info.
Manage password replication policy of RODCs.
Manage domain and forest, set forest and domain functional level.
Manage optional features.
New AD Cmdlets
In the directory object management set we have cmdlets that –
Create, delete, write and read all types of AD objects.
Move, rename and restore AD objects.
In the Provider cmdlets set we have cmdlets that enable file-system-like browsing of Active Directory through a PSDrive.
New AD Cmdlets (new for 2012)
In the Active Directory Replication and Topology Management set we have cmdlets that:
Manage replication, sites and site links.
Offer similar functionality to RepAdmin.exe.
In addition, the cmdlets are compatible with the existing Windows PowerShell for Active Directory cmdlets, creating a streamlined experience and allowing customers to easily create automation scripts.
New AD Cmdlets (new for 2012)
Installing AD DS Using Windows PowerShell
Beginning with Windows Server 2012, you can install AD DS using Windows PowerShell. Dcpromo.exe is deprecated beginning with Windows Server 2012.
Removing AD DS Using Windows PowerShell
Uninstall-ADDomainController for removal of Domain Controller
Deployment (install and uninstall) cmdlets are in ADDSDeployment Module
Getting Help with the Module
PSv3 Introduces Updatable Help
No help is included with the cmdlets; it needs to be updated from the internet
Tricky with no direct internet connection
Can be done offline (Save-Help on a connected machine, then Update-Help with -SourcePath on the target)
The internet-connected machine will only Save-Help for modules it has
The Deployment module only runs on a DC
The internet-connected machine likely won't have that module, so no "off-line" help update for it (copying the module manifest to the connected machine can make this work)
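The offline help workflow described above, as an added example (not from the deck). Instead of copying the manifest it uses the documented alternative of exporting the module object with Export-Clixml; the share \\FileServer\PSHelp is an assumed name.

```powershell
# Added example: get help onto a DC that has the modules but no internet access.
# Assumed: \\FileServer\PSHelp is a share reachable from the DC and the admin workstation.

# Step 1 - on the DC (no internet). Export the module objects so a connected machine
# can fetch help for modules it does not itself have installed.
'ActiveDirectory', 'ADDSDeployment' | ForEach-Object {
    Get-Module -Name $_ -ListAvailable |
        Export-Clixml -Path "\\FileServer\PSHelp\$_.module.xml"
}

# Step 2 - on the internet-connected admin workstation. Save-Help accepts the
# deserialized module object, so the module need not be present locally.
Get-ChildItem -Path '\\FileServer\PSHelp\*.module.xml' | ForEach-Object {
    $module = Import-Clixml -Path $_.FullName
    Save-Help -Module $module -DestinationPath '\\FileServer\PSHelp' -UICulture en-US -Force
}

# Step 3 - back on the DC, from an elevated session (help files are written under
# the module folder). Update-Help reads from the share instead of the internet.
Update-Help -Module ActiveDirectory, ADDSDeployment `
    -SourcePath '\\FileServer\PSHelp' -UICulture en-US -Force

# Verify that real help arrived rather than the auto-generated one-line stub.
(Get-Help Install-ADDSDomainController).Synopsis
```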
Connecting the Cmdlets to AD
You don’t need to do anything to connect to AD with default settings
PSDrives do add some convenience:
When you load the AD PowerShell module (import-module activedirectory), a default basic AD drive is created: AD:
Additional PS drives can be created for different flavors of AD connection, like DC vs GC, serverless vs explicit, alternate credentials to AD
Simply change the current working directory to the drive (or AD connection) you want to use, and then run the cmdlets
Example Default GC Connection Drive:
New-PSDrive -Name GC -PSProvider ActiveDirectory -Root "" -Description "Global Catalog Connection" -Server "contoso.com:3268"
On a cmdlet-by-cmdlet basis you can also control these same connection related settings
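One drive per "flavor" of connection, as an added example (not from the deck). The server dc1.contoso.com and the account CONTOSO\adminacct are assumed names.

```powershell
# Added example: drives for an explicit DC with alternate credentials and for the GC,
# then the same choices made per cmdlet. Names below are assumed for illustration.
Import-Module ActiveDirectory

# Prompt for the alternate account; nothing is hard-coded in the script.
$adminCred = Get-Credential 'CONTOSO\adminacct'

# Explicit DC plus alternate credentials. -Scope Global keeps the drive after the script ends.
New-PSDrive -Name DC1 -PSProvider ActiveDirectory -Root '' -Server 'dc1.contoso.com' `
    -Credential $adminCred -Description 'Explicit DC, alternate credentials' -Scope Global | Out-Null

# Global catalog over port 3268: forest-wide reads, partial attribute set only.
New-PSDrive -Name GC -PSProvider ActiveDirectory -Root '' -Server 'contoso.com:3268' `
    -Description 'Global Catalog connection' -Scope Global | Out-Null

# The current drive decides which connection (server and credential) the cmdlets use.
Set-Location GC:
Get-ADUser -Filter { Surname -eq 'Siepser' }        # forest-wide lookup through the GC

Set-Location DC1:
Set-ADUser -Identity jpublic -Title 'Engineer'       # write goes to dc1 as CONTOSO\adminacct

# Same thing on a cmdlet-by-cmdlet basis, without changing drives.
Set-Location C:
Get-ADUser -Identity jpublic -Server 'dc1.contoso.com' -Credential $adminCred
```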
Key Concept: Object Output from the Cmdlets
Cmdlets return objects with limited properties by default
Use the -Properties parameter to specify additional properties to bring back (i.e. -Properties Office or -Properties *)
Most AD objects have default formatting of a list. Tables tend to be nicer looking, so often you must pipe to Format-Table to get nice-looking results (i.e. Get-ADUser -Filter * | Format-Table Name,GivenName -AutoSize)
Key Concept: The -Identity Parameter
The identity param is the default param, and position 1
Param used to target a single object
The eligible attributes vary by object type
Example for ADUser Object:
Distinguished Name
GUID (objectGUID)
Security Identifier (objectSid)
SAM Account Name (sAMAccountName)
More details in: Get-Help about_ActiveDirectory_Identity. This help topic is only viewable while the module is loaded
Key Concept: The -LDAPFilter Parameter
This parameter allows for native LDAP filters
Can use filter created from other tools
LDAP filters use an odd syntax if you aren't already familiar with it
Must use actual attribute names from AD
Unless you are re-using old filters, or are already familiar with this syntax, I recommend using the -Filter parameter instead of -LDAPFilter
Ex:
Get-ADUser -LDAPFilter "(givenname=g*)"
Get-ADUser -LDAPFilter "(|(givenname=g*)(givenname=s*))"
Get-ADUser -LDAPFilter "(&(|(givenname=g*)(givenname=s*))(office=mason))"
Key Concept: The –Filter Parameter
This is a more PowerShell-like syntax that resembles the syntax of a Where-Object
Details can be found in the help topic: about_ActiveDirectory_Filter
We have more user-friendly names for attributes that can be used, though the actual AD attribute names can also be used (to see all the friendly and AD names see: about_ActiveDirectory_ObjectModel)
Limited operators supported
Ex:
Get-ADUser -Filter {surname -eq "Siepser"}
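The same query in both filter syntaxes, plus the -Properties and Format-Table points from the object-output slide, as an added example (not from the deck). It assumes a populated domain; the office name "mason" is taken from the LDAP filter example above.

```powershell
# Added example: -Filter versus -LDAPFilter, and bringing back non-default properties.
Import-Module ActiveDirectory

# 1. -Filter with the module's friendly names. Office and Surname map to the real
#    attributes physicalDeliveryOfficeName and sn (see about_ActiveDirectory_ObjectModel).
$byFilter = Get-ADUser -Filter { (GivenName -like 'g*' -or GivenName -like 's*') -and Office -eq 'mason' }

# 2. The same query as a native LDAP filter; here the real attribute names are required.
$byLdap = Get-ADUser -LDAPFilter '(&(|(givenName=g*)(givenName=s*))(physicalDeliveryOfficeName=mason))'

# 3. Variables in -Filter: keep the variable on its own, the module expands it server-side.
$office = 'mason'
$byVar = Get-ADUser -Filter { Office -eq $office }

# Office and Title are not in the default property set, so ask for them explicitly,
# then pick the columns and force a table view.
Get-ADUser -Filter { Office -eq $office } -Properties Office, Title |
    Select-Object Name, SamAccountName, Office, Title |
    Format-Table -AutoSize

# Sanity check: the two syntaxes should return the same number of objects.
# @() guards against a single result, which has no .Count on PowerShell v2.
"Filter: $(@($byFilter).Count)  LDAPFilter: $(@($byLdap).Count)  Variable: $(@($byVar).Count)"
```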
AD Provider
AD Provider is available once AD Module is imported:
Use common provider cmdlets to manage the AD drive:

PS C:\> Get-PSProvider

Name             Capabilities   Drives
----             ------------   ------
ActiveDirectory  Include...     {AD}

PS C:\> Set-Location AD:
PS AD:\> dir

Name            ObjectClass    DistinguishedName
----            -----------    -----------------
contoso         domainDNS      DC=contoso,DC=com
Configuration   configuration  CN=Configuration,DC=contoso,DC=com
Schema          dMD            CN=Schema,CN=Configuration,DC=contoso,DC=com
DomainDnsZones  domainDNS      DC=DomainDnsZones,DC=contoso,DC=com
ForestDnsZones  domainDNS      DC=ForestDnsZones,DC=contoso,DC=com

PS AD:\> cd "DC=contoso,DC=com"
PS AD:\DC=contoso,DC=com\> dir | ft PSChildName
PS AD:\DC=contoso,DC=com\> md "OU=Test"
PS AD:\DC=contoso,DC=com\> cd "OU=Test"
PS AD:\OU=Test,DC=contoso,DC=com\>
User Account Management Examples
Create User
New-ADUser -Name jpublic -SamAccountName "jpublic" `
    -GivenName "John" -Surname "Public" -DisplayName "John Public"
Import-Csv c:\pristine.csv | New-ADUser -Office Miami
Modify User
Set-ADUser -Identity "jpublic" -Title "Engineer"
Get-ADUser -Filter {Office -eq 'Miami'} | Set-ADUser -Office MIA
Delete User
Remove-ADUser jpublic            (targets a single AD object only!)
Get-ADUser -Filter {Office -eq 'Miami'} | Remove-ADUser
Query Users
Get-ADUser -Filter * -Properties *
Get-ADUser -Filter * -Properties *,msDS-ReplAttributeMetaData
Get-ADUser -Filter {Office -eq 'Los Angeles'}
Computer Account Management Examples
Find Stale Computer Accounts
$OneYearAgo = (Get-Date).AddYears(-1)
Get-ADComputer -Filter {LastLogonTimeStamp -lt $OneYearAgo} | Disable-ADAccount
OR
Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan 180.00:00:00
(-TimeSpan takes a TimeSpan; a bare 180 would be read as 180 ticks, not 180 days)
Computer Information
Get-ADComputer -Filter * -Properties Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion | Out-GridView
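The stale-computer clean-up above, done as a report-then-disable procedure rather than a one-liner, as an added example (not from the deck). It assumes the module is loaded, the caller can modify computer objects, and C:\Reports exists.

```powershell
# Added example: report stale computer accounts, dry-run, then disable with an audit trail.
Import-Module ActiveDirectory
$days   = 180
$cutoff = (Get-Date).AddDays(-$days)

# lastLogonTimestamp is replicated (unlike lastLogon) but can lag real use by up to
# 14 days, so treat this as hygiene, not as a precise last-use record.
$stale = Get-ADComputer -Filter { LastLogonTimeStamp -lt $cutoff -and Enabled -eq $true } `
        -Properties LastLogonTimeStamp, OperatingSystem, whenCreated |
    Select-Object Name, DistinguishedName, OperatingSystem, whenCreated,
        @{ Name = 'LastLogon'; Expression = { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } }

# Keep a record of what is about to change before changing anything.
$stale | Export-Csv -Path "C:\Reports\StaleComputers-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
$stale | Format-Table Name, OperatingSystem, LastLogon -AutoSize

# Dry run: -WhatIf lists the accounts that would be disabled without touching them.
$stale | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }

# Real run, once the report has been reviewed. The description records why and when,
# which makes a later restore or investigation much easier.
$stale | ForEach-Object {
    Set-ADComputer -Identity $_.DistinguishedName `
        -Description "Disabled $(Get-Date -Format s): no logon for $days+ days"
    Disable-ADAccount -Identity $_.DistinguishedName -Confirm:$false
}
```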
Group Management Examples
Populate Group
$ITUsers = Get-ADUser -Filter {Department -eq "IT"}
Add-ADGroupMember -Identity ITCommunications -Members $ITUsers
OR
$ITUsers | Add-ADPrincipalGroupMembership -MemberOf ITCommunications
Create Group
New-ADGroup -Name "Sales" -Path "OU=Groups,DC=Contoso,DC=com" `
    -GroupScope "Global" -GroupCategory "Security"
Enumerate Group
Get-ADGroupMember IT              (only direct members of the group, which includes nested groups as objects)
Get-ADGroupMember IT -Recursive   (users in nested groups as well)
Group Management (continued)
Remove From Group
$ITUsers | Remove-ADPrincipalGroupMembership -MemberOf "IT"
OR
Remove-ADGroupMember -Identity "IT" -Members $ITUsers
TIP: There will be a prompt to confirm. Consider setting the $ConfirmPreference automatic variable in scripts to suppress all confirmations, or use -Confirm:$false on any action cmdlet to suppress just that one call:
$OriginalConfirmPreference = $ConfirmPreference
$ConfirmPreference = "None"
Remove-ADGroupMember -Identity "IT" -Members $ITUsers
$ConfirmPreference = $OriginalConfirmPreference
OR
Remove-ADGroupMember -Identity "IT" -Members $ITUsers -Confirm:$False
Multi-Valued Attributes
Example: otherTelephone
A multi-valued attribute can contain a single value or multiple values
Each value must be unique
Use a hash table (key/value pairs), i.e. @{}
User Telephone Numbers
New-ADUser -Path "ou=sales,ou=departments,dc=contoso,dc=com" -Name "Sales1" -SamAccountName "Sales1" `
    -UserPrincipalName "[email protected]" -Department "sales" `
    -OtherAttributes @{otherTelephone="555-555-5555","123-456-7890"}
Set-ADUser -Identity jpublic -Add @{otherTelephone="555-555-5555","123-456-7890"}
(New-ADUser has no -Identity or -Add parameter; adding values to an existing user is a Set-ADUser operation)
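The four ways Set-ADUser changes a multi-valued attribute, including the uniqueness rule above, as an added example (not from the deck). It assumes the user jpublic exists; the phone numbers are constructed sample values.

```powershell
# Added example: Add / Remove / Replace / Clear on a multi-valued attribute.
Import-Module ActiveDirectory

# Add appends values. Adding a value that is already present fails with a constraint
# violation, so filter out anything the attribute already holds.
$current = (Get-ADUser jpublic -Properties otherTelephone).otherTelephone
$new = '555-555-5555', '123-456-7890' | Where-Object { $current -notcontains $_ }
if ($new) { Set-ADUser jpublic -Add @{ otherTelephone = $new } }

# Remove drops one value and leaves the rest in place.
Set-ADUser jpublic -Remove @{ otherTelephone = '555-555-5555' }

# Replace makes the attribute exactly this set of values, discarding the old ones.
Set-ADUser jpublic -Replace @{ otherTelephone = '111-222-3333', '444-555-6666' }

# Several attributes in one call; every key is a real AD attribute name.
Set-ADUser jpublic -Add @{ otherTelephone = '777-888-9999'; otherMobile = '222-333-4444' }

# Clear empties the attribute entirely.
Set-ADUser jpublic -Clear otherMobile

# Read back: multi-valued properties come out as collections, one value per line.
Get-ADUser jpublic -Properties otherTelephone, otherMobile |
    Select-Object -ExpandProperty otherTelephone
```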
New Site Management (2012 Module)
To create a new site:
New-ADReplicationSite BRANCH1
This command creates the new branch office site, BRANCH1.
To create a new site link:
New-ADReplicationSiteLink 'CORPORATE-BRANCH1' -SitesIncluded CORPORATE,BRANCH1 -OtherAttributes @{'options'=1}
This command creates the site link to BRANCH1 and turns on the change notification process.
To set the site link cost and replication frequency:
Set-ADReplicationSiteLink CORPORATE-BRANCH1 -Cost 100 -ReplicationFrequencyInMinutes 15
This command sets the site link cost to BRANCH1 at 100 and sets the replication frequency with the site to 15 minutes.
To move a domain controller to a different site:
Get-ADDomainController DC2 | Move-ADDirectoryServer -Site BRANCH1
This command moves the domain controller DC2 to the BRANCH1 site.
Checking Replication Status (2012 Module)
Get-ADReplicationUpToDatenessVectorTable
Look at the "High Water Mark": the highest USN per server and replication partner. The example below has great variance:
DC3 is not up to date; it's missing many new user accounts:

PS > Get-ADReplicationUpToDatenessVectorTable * | sort Partner,Server | ft Server,UsnFilter,partner -AutoSize

Server                    UsnFilter partner
------                    --------- -------
2012DC1.contoso.com           20796 CN=NTDS Settings,CN=2012DC1,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=contos...
2012DC2.child.contoso.com     22459 CN=NTDS Settings,CN=2012DC2,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=contos...
2012DC3.child.contoso.com     17039 CN=NTDS Settings,CN=2012DC2,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=contos...
2012DC2.child.contoso.com     12777 CN=NTDS Settings,CN=2012DC3,CN=Servers,CN=Branch-Office1,CN=Sites,CN=Configurati...
2012DC3.child.contoso.com     13260 CN=NTDS Settings,CN=2012DC3,CN=Servers,CN=Branch-Office1,CN=Sites,CN=Configurati...

Replication Behind (the numbers are too far apart):
PS C:\> (Get-ADUser -Filter * -Server 2012dc2).Count
804
PS C:\> (Get-ADUser -Filter * -Server 2012dc3).Count
4

Replication Caught Up:
PS C:\> (Get-ADUser -Filter * -Server 2012dc2).Count
804
PS C:\> (Get-ADUser -Filter * -Server 2012dc3).Count
804
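The two manual checks above (per-DC object counts and the up-to-dateness vector) turned into one report across every DC in the domain, as an added example (not from the deck). It assumes the 2012 module and that the caller can query all DCs.

```powershell
# Added example: spot a DC that is behind, using object counts and USN lag per partner.
Import-Module ActiveDirectory
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Check 1: user count per DC. A DC well below the others has not caught up.
$counts = foreach ($dc in $dcs) {
    try {
        New-Object PSObject -Property @{
            Server = $dc
            Users  = @(Get-ADUser -Filter * -Server $dc).Count
        }
    } catch { Write-Warning "$dc unreachable: $_" }
}
$max = ($counts | Measure-Object Users -Maximum).Maximum
$counts | Select-Object Server, Users, @{ Name = 'Behind'; Expression = { $max - $_.Users } } |
    Sort-Object Behind -Descending | Format-Table -AutoSize

# Check 2: up-to-dateness vector. For each partner, compare every DC's UsnFilter with the
# highest value seen for that partner; the lag is how far that DC trails the partner's changes.
Get-ADReplicationUpToDatenessVectorTable -Target $dcs |
    Group-Object Partner | ForEach-Object {
        $maxUsn = ($_.Group | Measure-Object UsnFilter -Maximum).Maximum
        foreach ($row in $_.Group) {
            New-Object PSObject -Property @{
                Partner   = (($_.Name -split ',')[1]) -replace '^CN='   # CN=NTDS Settings,CN=<dc>,... -> <dc>
                Server    = $row.Server
                UsnFilter = $row.UsnFilter
                Lag       = $maxUsn - $row.UsnFilter
            }
        }
    } | Sort-Object Partner, Lag -Descending |
    Format-Table Partner, Server, UsnFilter, Lag -AutoSize

# Check 3: the module's own partner metadata, which also carries the last failure result.
Get-ADReplicationPartnerMetadata -Target $dcs -Scope Server |
    Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize
```

Any non-zero LastReplicationResult or a growing ConsecutiveReplicationFailures count on a DC that also shows a large Lag is the case to chase first.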
Domain Controller Deployment (2012 Server)
Separate PS Module: ADDSDeployment
PS C:\> Get-Command -Module ADDSDeployment

CommandType Name                                              ModuleName
----------- ----                                              ----------
Cmdlet      Add-ADDSReadOnlyDomainControllerAccount           ADDSDeployment
Cmdlet      Install-ADDSDomain                                ADDSDeployment
Cmdlet      Install-ADDSDomainController                      ADDSDeployment
Cmdlet      Install-ADDSForest                                ADDSDeployment
Cmdlet      Test-ADDSDomainControllerInstallation             ADDSDeployment
Cmdlet      Test-ADDSDomainControllerUninstallation           ADDSDeployment
Cmdlet      Test-ADDSDomainInstallation                       ADDSDeployment
Cmdlet      Test-ADDSForestInstallation                       ADDSDeployment
Cmdlet      Test-ADDSReadOnlyDomainControllerAccountCreation  ADDSDeployment
Cmdlet      Uninstall-ADDSDomainController                    ADDSDeployment

PS C:\> Install-ADDSDomainController -DomainName child.contoso.com -Credential (Get-Credential)
In this example, you would be prompted for the safe mode password and for credentials to actually join the domain as a DC. All prompts can be answered ahead of time and thus suppressed.
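Answering those prompts up front and validating the plan with the matching Test- cmdlet before promoting, as an added example (not from the deck). The domain child.contoso.com, site BRANCH1 and the D: paths are assumed values.

```powershell
# Added example: unattended DC promotion with a dry run first.
Import-Module ADDSDeployment

# Both secrets are collected interactively once; nothing is stored in the script.
$domainAdmin  = Get-Credential 'CHILD\Administrator'
$dsrmPassword = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# One parameter set, splatted into both the test and the install so they cannot drift apart.
$promo = @{
    DomainName                    = 'child.contoso.com'
    Credential                    = $domainAdmin
    SafeModeAdministratorPassword = $dsrmPassword
    SiteName                      = 'BRANCH1'
    InstallDns                    = $true
    DatabasePath                  = 'D:\NTDS'
    LogPath                       = 'D:\NTDS'
    SysvolPath                    = 'D:\SYSVOL'
    Force                         = $true      # suppresses the confirmation prompt
}

# Dry run: checks prerequisites, credentials, site and paths without changing the server.
$check = Test-ADDSDomainControllerInstallation @promo
$check | Format-List Status, Message

if ($check.Status -eq 'Success') {
    # Real run. Holding the reboot lets you inspect the result before the box goes away.
    Install-ADDSDomainController @promo -NoRebootOnCompletion
}
```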
Thank You
Go out there and deal with the pre-reqs now
Get the module ready to roll even if you don't use it much
Once you get hooked on the “PowerShell” way, you’ll probably start hating the GUI
That doesn’t mean to avoid the GUI, you’ll just find that language based administration can really rock sometimes
Play, Play, Play and discover all the other great nuggets I haven’t found yet. This stuff is brand new
Resources
Active Directory Administration with Windows PowerShell: http://technet.microsoft.com/en-us/library/dd378937(v=WS.10).aspx
Active Directory PowerShell blog: http://blogs.msdn.com/b/adpowershell/
Active Directory Replication and Topology Management Using Windows PowerShell
Installing AD DS Using Windows PowerShell
Removing AD DS Using Windows PowerShell
In the Dynamic Access Control deployment documentation, look for any sections that are labeled Windows PowerShell equivalent commands
In the Active Directory Domain Services (AD DS) Virtualization documentation, see the steps for deploying a virtualized domain controller.