The ActiveDirectory Module 2008R2 and 2012

Written and Delivered by: Gary Siepser

Premier Field Engineering, A Customer Service and Support Organization

Post on 31-Mar-2015

229 views

Category:

Documents


2 download

TRANSCRIPT

Page 1

Premier Field Engineering, A Customer Service and Support Organization

The ActiveDirectory Module 2008R2 and 2012

Written and Delivered by: Gary Siepser

Page 2

Microsoft Confidential

AD Module Prerequisites

Server Side (We need AD Web Services)

At least one 2008 R2 or 2012 DC in the targeted domain, OR

A 2003 or 2008 DC running the Active Directory Management Gateway Service

Client Side (We need the AD PowerShell Module)

OS Requirement: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012

Windows 7 and 8: Install current Remote Server Administration Tools

On Server versions, RSAT is already present; just add the feature

Add the ActiveDirectory Module either through the Add/Remove Features GUI or using PowerShell:

Install-WindowsFeature RSAT-AD-Powershell

To actually use the cmdlets, the module must be imported.

On PowerShell v2: Import-Module ActiveDirectory

On PowerShell v3: you can import manually, but v3 will automatically import a module the first time you attempt to use a command from it.

Page 3

New AD Cmdlets

The current set of AD PowerShell cmdlets can be classified into categories:

Account Management

Topology management

Directory object management

Provider cmdlets

New with Server 2012

Active Directory Replication and Topology Management Using Windows PowerShell

Installing AD DS Using Windows PowerShell

Removing AD DS Using Windows PowerShell

Page 4

New AD Cmdlets

In the account management set we have cmdlets that:

Create, delete, write and read users, groups, computers, managed service accounts and Organizational units (OUs).

Manage account settings such as expiration date, password, etc.

Manage group membership, get account token groups.

Manage fine grained password policy and default domain password policy.

Page 5

New AD Cmdlets

In the topology management set we have cmdlets that:

Discover DCs, manage FSMOs, move DCs across sites and get DC info.

Manage password replication policy of RODCs.

Manage domain and forest, set forest and domain functional level.

Manage optional features.

Page 6

New AD Cmdlets

In the directory object management set we have cmdlets that:

Create, delete, write and read all types of AD object.

Move, rename and restore AD objects.

In the Provider cmdlets set we have cmdlets that enable file-system-like browsing of Active Directory through a PSDrive.

Page 7

New AD Cmdlets (new for 2012)

In the Active Directory Replication and Topology Management set we have cmdlets that:

Manage Replication, Sites and Site Links

Similar functionality to RepAdmin.exe

In addition, the cmdlets are compatible with the existing Windows PowerShell for Active Directory cmdlets, thus creating a streamlined experience and allowing customers to easily create automation scripts.

Page 8

New AD Cmdlets (new for 2012)

Installing AD DS Using Windows PowerShell

Beginning with Windows Server 2012, you can install AD DS using Windows PowerShell. Dcpromo.exe is deprecated beginning with Windows Server 2012.

Removing AD DS Using Windows PowerShell

Uninstall-ADDSDomainController for removal of a Domain Controller

Deployment (install and uninstall) cmdlets are in the ADDSDeployment Module

Page 9

Getting Help with the Module

PSv3 introduces Updatable Help

No help is included with the cmdlets; it needs to be updated from the internet.

Tricky with no direct internet connection.

Can be done offline (Save-Help, then target Update-Help at the saved files).

The internet-connected machine will only Save-Help for modules it has.

The Deployment Module only runs on a DC.

Likely the internet-connected machine won't have the module, thus no "off-line" help update (copying the module manifest can make this work).

Page 10

Connecting the Cmdlets to AD

You don't need to do anything to connect to AD with default settings.

PSDrives do add some convenience:

When you load the AD PowerShell module (Import-Module ActiveDirectory), a default basic AD drive is created: AD:

Additional PS drives can be created for different flavors of AD connection, like DC vs GC, serverless vs explicit, alternate credentials to AD.

Simply change the current working directory to the drive (or AD connection) you want to use, and then run the cmdlets.

Example Default GC Connection Drive:

New-PSDrive -Name GC -PSProvider ActiveDirectory -Root "" -Description "Global Catalog Connection" -Server "contoso.com:3268"

On a cmdlet-by-cmdlet basis you can also control these same connection-related settings.
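An added example (not from the deck) that extends the GC drive on this slide with alternate credentials and shows the equivalent per-cmdlet -Server/-Credential form; contoso.com and port 3268 are the slide's, the surname queried is a constructed value.

```powershell
# Added example: a Global Catalog PSDrive with alternate credentials, then the
# same forest-wide query done per cmdlet with -Server and -Credential.
# Assumes the contoso.com forest from the slides and a GC listening on 3268.
Import-Module ActiveDirectory

# Prompt once for an account that may read the directory.
$Cred = Get-Credential -Message 'Account for the GC connection'

# A PSDrive that targets the Global Catalog port rather than a plain DC.
New-PSDrive -Name GC -PSProvider ActiveDirectory -Root '' `
    -Server 'contoso.com:3268' -Credential $Cred `
    -Description 'Global Catalog Connection' | Out-Null

# Cmdlets run while GC: is the current location inherit that drive's server and
# credentials, so this search spans every domain in the forest (the GC holds a
# partial replica of all of them).
Push-Location GC:
try {
    $ForestWide = Get-ADUser -Filter { Surname -eq 'Public' } -Properties Office
} finally {
    Pop-Location
}

# Per-cmdlet equivalent with no drive: -Server and -Credential on the call itself.
$Same = Get-ADUser -Filter { Surname -eq 'Public' } -Properties Office `
    -Server 'contoso.com:3268' -Credential $Cred

# Either way only the default property set plus Office comes back.
$ForestWide | Format-Table Name, SamAccountName, Office -AutoSize
Remove-PSDrive -Name GC
```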

Page 11

Key Concept: Object Output from the Cmdlets

Cmdlets return objects with limited properties by default.

Use the -Properties parameter to specify additional properties to bring back (i.e. '-Properties office' or '-Properties *').

Many account management cmdlets return objects (most AD objects) whose default formatting is a list. Tables tend to be nicer looking, so often you must pipe to Format-Table to get nice looking results (i.e. Get-ADUser -Filter * | Format-Table Name,GivenName -AutoSize).

Page 12

Key Concept: The -Identity Parameter

The -Identity parameter is the default parameter, and is in position 1.

It is the parameter used to target a single object.

The eligible attributes vary by object type

Example for ADUser Object:

Distinguished Name

GUID (objectGUID)

Security Identifier (objectSid)

SAM User Name (sAMUserName)

More details in: Get-Help about_ActiveDirectory_Identity

This help topic is only viewable while the module is loaded.

Page 13

Key Concept: The -LDAPFilter Parameter

This parameter allows for native LDAP filters.

Can use filter created from other tools

LDAP filters use an odd syntax if you aren't already familiar with it

Must use actual attribute names from AD

Unless you are re-using old filters, or already are familiar with this syntax, I recommend using the –filter param instead of -LDAPFilter

Ex:

Get-ADUser -LDAPFilter "(givenname=g*)"
Get-ADUser -LDAPFilter "(|(givenname=g*)(givenname=s*))"
Get-ADUser -LDAPFilter "(&(|(givenname=g*)(givenname=s*))(office=mason))"

Page 14

Key Concept: The -Filter Parameter

This is a more PowerShell-like syntax that resembles the syntax of a Where-Object

Details can be found in the help topic: about_ActiveDirectory_Filter

We have more user-friendly names for attributes that can be used, though the actual AD attribute names can also be used (to see all the friendly and AD names, see: about_ActiveDirectory_ObjectModel).

Limited operators supported

Ex:Get-ADUser -Filter {surname -eq "Siepser"}
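As an added example (not from the deck), the LDAP filters from the previous slide rewritten with -Filter, plus the variable-expansion pitfall that bites most first-time users of -Filter; the office value comes from the slide, everything else is constructed.

```powershell
# Added example: -LDAPFilter and -Filter side by side, then how variables behave
# inside a -Filter. Assumes the ActiveDirectory module from the slides.
Import-Module ActiveDirectory

# 1. Native LDAP filter: prefix notation and the real attribute name
#    (Office is stored in physicalDeliveryOfficeName).
$Ldap = Get-ADUser -LDAPFilter '(&(|(givenname=g*)(givenname=s*))(physicalDeliveryOfficeName=Mason))'

# 2. -Filter: friendly names (GivenName, Office) and Where-Object-like operators.
#    Only -eq -ne -approx -le -lt -ge -gt -like -notlike -and -or -not -bor -band
#    and -recursivematch are accepted; -match, -contains and method calls are not.
$Psh = Get-ADUser -Filter { (GivenName -like 'g*' -or GivenName -like 's*') -and Office -eq 'Mason' }

# 3. Variables: the script block is parsed by the module, not by PowerShell, so a
#    plain $var is expanded but $obj.Property is not. Build a string for those.
$Office = 'Mason'
$ByVar  = Get-ADUser -Filter { Office -eq $Office }                # works

$Target = [pscustomobject]@{ Office = 'Mason' }                    # constructed input
$ByProp = Get-ADUser -Filter "Office -eq '$($Target.Office)'"      # string form needed here

# Both filter styles return the same objects; prove it by diffing the SAM names.
$Diff = Compare-Object @($Ldap.SamAccountName | Sort-Object) @($Psh.SamAccountName | Sort-Object)
if ($Diff) { Write-Warning 'LDAP and -Filter results differ' } else { Write-Host 'Identical result sets' }
```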

Page 15

AD Provider

The AD Provider is available once the AD Module is imported.

Use the common Provider cmdlets to manage the AD drive:

PS C:\> Get-PSProvider

Name             Capabilities    Drives
----             ------------    ------
ActiveDirectory  Include...      {AD}

PS C:\> Set-Location AD:
PS AD:\> dir

Name            ObjectClass    DistinguishedName
----            -----------    -----------------
contoso         domainDNS      DC=contoso,DC=com
Configuration   configuration  CN=Configuration,DC=contoso,DC=com
Schema          dMD            CN=Schema,CN=Configuration,DC=contoso,DC=com
DomainDnsZones  domainDNS      DC=DomainDnsZones,DC=contoso,DC=com
ForestDnsZones  domainDNS      DC=ForestDnsZones,DC=contoso,DC=com

PS AD:\> cd "DC=contoso,DC=com"
PS AD:\DC=contoso,DC=com\> dir | ft PSChildName
PS AD:\DC=contoso,DC=com\> md "OU=Test"
PS AD:\DC=contoso,DC=com\> cd "OU=Test"
PS AD:\OU=Test,DC=contoso,DC=com\>

Page 16

User Account Management Examples

Create User

New-ADUser -Name jpublic -SamAccountName "jpublic" `
    -GivenName "John" -Surname "Public" -DisplayName "John Public"

Import-Csv c:\pristine.csv | New-ADUser -Office Miami

Modify User

Set-ADUser -Identity "jpublic" -Title "Engineer"

Get-ADUser -Filter {office -eq 'Miami'} | Set-ADUser -Office MIA

Delete User

Remove-ADUser jpublic

(Targets a single AD object only!)

Get-ADUser -Filter {office -eq 'Miami'} | Remove-ADUser

Query Users

Get-ADUser -Filter * -Properties *

Get-ADUser -Filter * -Properties *,msDS-ReplAttributeMetaData

Get-ADUser -Filter {office -eq 'Los Angeles'}

Page 17

Computer Account Management Examples

Find Stale Computer Accounts

$OneYearAgo = (Get-Date).AddYears(-1)
Get-ADComputer -Filter {LastLogonTimeStamp -lt $OneYearAgo} | Disable-ADAccount

OR

Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan 180

Computer Information

Get-ADComputer -Filter * -Property name,OperatingSystem,`
    OperatingSystemServicePack,OperatingSystemVersion | Out-GridView
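An added example (not from the deck) that turns the stale-computer query above into a reviewable clean-up: report first, cross-check the count with Search-ADAccount, and disable only when asked to. The 180-day window is the slide's; the report path and the -Commit switch are this example's own choices.

```powershell
# Added example: stale computer account report with an opt-in disable step.
# Assumes the ActiveDirectory module from the slides.
param([int]$Days = 180, [switch]$Commit, [string]$Report = "$env:TEMP\stale-computers.csv")
Import-Module ActiveDirectory

# lastLogonTimestamp replicates between DCs (lastLogon does not) but is only
# refreshed when it is roughly 14 days old, so treat it as accurate to two weeks.
$Cutoff = (Get-Date).AddDays(-$Days)
$Stale  = Get-ADComputer -Filter { Enabled -eq $true -and LastLogonTimeStamp -lt $Cutoff } `
                         -Properties LastLogonTimeStamp, OperatingSystem

# Evidence first: what would be touched and when each machine was last seen.
# The attribute is a FILETIME integer, so convert it for the report.
$Stale | Select-Object Name, OperatingSystem, DistinguishedName,
    @{ n = 'LastLogon'; e = { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } } |
    Export-Csv -Path $Report -NoTypeInformation

# Search-ADAccount applies the same window on its own. The two counts rarely match
# exactly (it does not apply the Enabled filter above), but a large gap is worth a look.
$FromSearch = @(Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan ([TimeSpan]::FromDays($Days)))
Write-Host ('Filter query: {0} stale, Search-ADAccount: {1}; report written to {2}' -f `
    @($Stale).Count, $FromSearch.Count, $Report)

# Disable rather than delete, so a machine that turns out to be alive can be
# re-enabled without a rejoin. Without -Commit this only shows what would happen.
if ($Commit) {
    $Stale | Disable-ADAccount -Confirm:$false
} else {
    $Stale | Disable-ADAccount -WhatIf
}
```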

Page 18

Group Management Examples

Populate Group

$ITUsers = Get-ADUser -Filter {Department -eq "IT"}
Add-ADGroupMember -Identity ITCommunications -Members $ITUsers

OR

$ITUsers | Add-ADPrincipalGroupMembership -MemberOf ITCommunications

Create Group

New-ADGroup -Name "Sales" -Path "OU=Groups,DC=Contoso,DC=com" `
    -GroupScope "Global" -GroupCategory "Security"

Enumerate Group

Get-ADGroupMember IT             (only members in the group, groups included)
Get-ADGroupMember IT -Recursive  (users in nested groups as well)

Page 19

Group Management (continued)

Remove From Group

$ITUsers | Remove-ADPrincipalGroupMembership -MemberOf "IT"

OR

Remove-ADGroupMember -Identity "IT" -Members $ITUsers

TIP: There will be a prompt to confirm. Consider setting the $ConfirmPreference automatic variable in scripts to suppress all confirmations, or use -Confirm:$false on any action cmdlet to suppress just that one time:

$OriginalConfirmPreference = $ConfirmPreference
$ConfirmPreference = "None"
Remove-ADGroupMember -Identity "IT" -Members $ITUsers
$ConfirmPreference = $OriginalConfirmPreference

OR

Remove-ADGroupMember -Identity "IT" -Members $ITUsers -Confirm:$False
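An added example (not the deck's code) that puts pages 18 and 19 together: audit a privileged group's effective (recursive) membership against an approved list and remove only direct, unapproved members, suppressing the confirmation prompt for that one call rather than globally. The group name, baseline file and -Commit switch are this example's assumptions.

```powershell
# Added example: privileged-group membership audit with guarded remediation.
# Assumes the ActiveDirectory module and a one-SamAccountName-per-line baseline file.
param(
    [string]$Group    = 'Domain Admins',
    [string]$Baseline = 'C:\Baselines\domain-admins.txt',   # assumed path
    [switch]$Commit
)
Import-Module ActiveDirectory

# -Recursive expands nested groups, so $Effective is everyone who really holds
# the group's rights; $Direct is what the group object itself lists (groups included).
$Effective = @(Get-ADGroupMember -Identity $Group -Recursive)
$Direct    = @(Get-ADGroupMember -Identity $Group)
$Approved  = @(Get-Content -Path $Baseline | Where-Object { $_.Trim() })

$Unexpected = $Effective | Where-Object { $Approved -notcontains $_.SamAccountName }
$Nested     = $Direct    | Where-Object { $_.objectClass -eq 'group' }

$Unexpected | Format-Table Name, SamAccountName, objectClass, DistinguishedName -AutoSize
if ($Nested) {
    Write-Warning ('Nested groups grant membership indirectly: ' + ($Nested.Name -join ', '))
}

# Only direct members can be removed from $Group; an unexpected user who arrived
# through a nested group has to be handled in that group instead.
$Removable = @($Unexpected | Where-Object { $Direct.DistinguishedName -contains $_.DistinguishedName })
if ($Removable.Count -gt 0) {
    if ($Commit) {
        # Per-call suppression (slide 19): the prompt is skipped here and nowhere else.
        Remove-ADGroupMember -Identity $Group -Members $Removable -Confirm:$false
    } else {
        Remove-ADGroupMember -Identity $Group -Members $Removable -WhatIf
    }
}
```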

Page 20

Multi-Valued Attributes

Example: OtherTelephone

A multi-valued attribute can contain a single value or multiple values.

Each value must be unique.

Use a hash table (key/value pairs), i.e. @{}

User Telephone Numbers

New-ADUser -Path "ou=sales,ou=departments,dc=contoso,dc=com" `
    -Name "Sales1" -SamAccountName "Sales1" `
    -UserPrincipalName "[email protected]" `
    -Department "sales" -OtherAttributes `
    @{otherTelephone="555-555-5555","123-456-7890"}

Set-ADUser -Identity jpublic `
    -Add @{otherTelephone="555-555-5555","123-456-7890"}
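An added example (not from the deck) walking otherTelephone on the jpublic account through the four ways Set-ADUser edits a multi-valued attribute, including what happens when the uniqueness rule is broken. The phone numbers are constructed sample values.

```powershell
# Added example: -Add, -Remove, -Replace and -Clear on a multi-valued attribute.
# Assumes the ActiveDirectory module and the jpublic user from the slides.
Import-Module ActiveDirectory
$User = 'jpublic'

# -Add appends to whatever is already there.
Set-ADUser -Identity $User -Add @{ otherTelephone = '555-555-5555', '123-456-7890' }

# Every value in a multi-valued attribute must be unique: the DC rejects a
# duplicate. -ErrorAction Stop turns that into a catchable exception.
try {
    Set-ADUser -Identity $User -Add @{ otherTelephone = '555-555-5555' } -ErrorAction Stop
} catch {
    Write-Warning "Duplicate value refused by the DC: $($_.Exception.Message)"
}

# -Remove deletes only the named value(s); the others stay.
Set-ADUser -Identity $User -Remove @{ otherTelephone = '123-456-7890' }

# -Replace overwrites the whole set with exactly what you pass.
Set-ADUser -Identity $User -Replace @{ otherTelephone = '555-555-0100', '555-555-0101' }

# Read it back: the property is a collection, not a single string.
$Phones = @((Get-ADUser -Identity $User -Properties otherTelephone).otherTelephone)
Write-Host ('{0} value(s): {1}' -f $Phones.Count, ($Phones -join '; '))

# -Clear empties the attribute entirely.
Set-ADUser -Identity $User -Clear otherTelephone
```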

Page 21

New Site Management (2012 Module)

To create a new site:

New-ADReplicationSite BRANCH1

This command creates the new branch office site, BRANCH1.

To create a new site link:

New-ADReplicationSiteLink 'CORPORATE-BRANCH1' -SitesIncluded CORPORATE,BRANCH1 -OtherAttributes @{'options'=1}

This command creates the site link to BRANCH1 and turns on the change notification process.

To set the site link cost and replication frequency:

Set-ADReplicationSiteLink CORPORATE-BRANCH1 -Cost 100 -ReplicationFrequencyInMinutes 15

This command sets the site link cost to BRANCH1 at 100 and sets the replication frequency with the site to 15 minutes.

To move a domain controller to a different site:

Get-ADDomainController DC2 | Move-ADDirectoryServer -Site BRANCH1

This command moves the domain controller DC2 to the BRANCH1 site.

Page 22

Checking Replication Status (2012 Module)

Get-ADReplicationUpToDatenessVectorTable

Look at the "High Water Mark": the highest USN per server and replication partner. The example below has great variance; DC3 is not up to date, it is missing many new user accounts:

PS > Get-ADReplicationUpToDatenessVectorTable * | sort Partner,Server | ft Server,UsnFilter,Partner -AutoSize

Server                     UsnFilter Partner
------                     --------- -------
2012DC1.contoso.com            20796 CN=NTDS Settings,CN=2012DC1,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=contos...
2012DC2.child.contoso.com      22459 CN=NTDS Settings,CN=2012DC2,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=contos...
2012DC3.child.contoso.com      17039 CN=NTDS Settings,CN=2012DC2,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=contos...
2012DC2.child.contoso.com      12777 CN=NTDS Settings,CN=2012DC3,CN=Servers,CN=Branch-Office1,CN=Sites,CN=Configurati...
2012DC3.child.contoso.com      13260 CN=NTDS Settings,CN=2012DC3,CN=Servers,CN=Branch-Office1,CN=Sites,CN=Configurati...

Replication Behind (the numbers are too far apart):

PS C:\> (Get-ADUser -Filter * -Server 2012dc2).Count
804
PS C:\> (Get-ADUser -Filter * -Server 2012dc3).Count
4

Replication Caught Up:

PS C:\> (Get-ADUser -Filter * -Server 2012dc2).Count
804
PS C:\> (Get-ADUser -Filter * -Server 2012dc3).Count
804
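An added example (not from the deck) that scripts the two checks on this slide: the per-partner USN spread from the up-to-dateness vector, and the object-count comparison generalised to every DC in the domain. The 1000-USN threshold is this example's own choice.

```powershell
# Added example: flag a lagging DC from the up-to-dateness vector, then confirm
# with a user count per DC. Assumes the ActiveDirectory module from the slides.
param([int]$MaxUsnSpread = 1000)
Import-Module ActiveDirectory

# One row per (Server, Partner, Partition): UsnFilter is the highest USN this
# server has received from that partner. For the same partner and partition, a
# big gap between servers means the one with the lower number is behind.
$Vector  = Get-ADReplicationUpToDatenessVectorTable -Target *
$Lagging = $Vector | Group-Object Partner, Partition | ForEach-Object {
    $Row   = $_.Group[0]
    $Stats = $_.Group.UsnFilter | Measure-Object -Maximum -Minimum
    [pscustomobject]@{
        Partner   = ($Row.Partner -split ',')[1] -replace '^CN='   # DC name out of the NTDS Settings DN
        Partition = $Row.Partition
        Spread    = $Stats.Maximum - $Stats.Minimum
        Behind    = ($_.Group | Sort-Object UsnFilter | Select-Object -First 1).Server
    }
} | Where-Object { $_.Spread -gt $MaxUsnSpread }
$Lagging | Format-Table -AutoSize

# The blunt check from the slide, run against every DC: the same query should
# return the same count everywhere once replication has converged.
$Counts = foreach ($DC in Get-ADDomainController -Filter *) {
    [pscustomobject]@{
        DC    = $DC.HostName
        Users = @(Get-ADUser -Filter * -Server $DC.HostName).Count
    }
}
$Counts | Format-Table -AutoSize
$Range = $Counts.Users | Measure-Object -Maximum -Minimum
if ($Range.Maximum -ne $Range.Minimum) {
    Write-Warning ('User counts differ by {0} across DCs; replication is behind somewhere.' -f `
        ($Range.Maximum - $Range.Minimum))
}
```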

Page 23

Domain Controller Deployment (2012 Server)

Separate PS Module: ADDSDeployment

PS C:\> Get-Command -Module ADDSDeployment

CommandType Name                                             ModuleName
----------- ----                                             ----------
Cmdlet      Add-ADDSReadOnlyDomainControllerAccount          ADDSDeployment
Cmdlet      Install-ADDSDomain                               ADDSDeployment
Cmdlet      Install-ADDSDomainController                     ADDSDeployment
Cmdlet      Install-ADDSForest                               ADDSDeployment
Cmdlet      Test-ADDSDomainControllerInstallation            ADDSDeployment
Cmdlet      Test-ADDSDomainControllerUninstallation          ADDSDeployment
Cmdlet      Test-ADDSDomainInstallation                      ADDSDeployment
Cmdlet      Test-ADDSForestInstallation                      ADDSDeployment
Cmdlet      Test-ADDSReadOnlyDomainControllerAccountCreation ADDSDeployment
Cmdlet      Uninstall-ADDSDomainController                   ADDSDeployment

Install-ADDSDomainController -DomainName child.contoso.com -Credential (Get-Credential)

In this example, you would be prompted for the safe mode password and for credentials to actually join the domain as a DC. All prompts can be answered ahead of time and thus suppressed.
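An added example (not from the deck) of the promotion on this slide with every prompt answered before the cmdlet runs, preceded by the matching Test-* cmdlet. The domain name is the slide's; the site name, DNS and reboot choices are this example's own assumptions.

```powershell
# Added example: unattended DC promotion, validated first with the Test-* cmdlet.
# Assumes the ADDSDeployment module on a Windows Server 2012 member server.
Import-Module ADDSDeployment

# Collect the two secrets once, before the deployment cmdlets run, so neither of
# them has to ask. In a real pipeline these come from a secrets store, not the console.
$JoinCred = Get-Credential -Message 'Account allowed to add a DC to child.contoso.com'
$DsrmPwd  = Read-Host -AsSecureString -Prompt 'DSRM (safe mode) administrator password'

$Params = @{
    DomainName                    = 'child.contoso.com'
    Credential                    = $JoinCred
    SafeModeAdministratorPassword = $DsrmPwd      # SecureString, as the cmdlet requires
    SiteName                      = 'BRANCH1'     # the site created on the site-management slide
    InstallDns                    = $true
    NoRebootOnCompletion          = $true         # the operator schedules the reboot
    Force                         = $true         # suppresses the remaining confirmation prompts
}

# Same parameters, no changes made: reports the prerequisite failures you would
# otherwise hit part-way through the promotion.
$Check = Test-ADDSDomainControllerInstallation @Params
if ($Check.Status -ne 'Success') {
    Write-Warning ($Check.Message -join "`n")
    return
}
Install-ADDSDomainController @Params
```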

Page 24

Thank You

Go out there and deal with the pre-reqs now.

Get the module ready to roll even if you don't use it much.

Once you get hooked on the "PowerShell" way, you'll probably start hating the GUI.

That doesn't mean to avoid the GUI; you'll just find that language-based administration can really rock sometimes.

Play, play, play and discover all the other great nuggets I haven't found yet. This stuff is brand new.

Page 25

Resources

Active Directory Administration with Windows PowerShell: http://technet.microsoft.com/en-us/library/dd378937(v=WS.10).aspx

Active Directory PowerShell blog: http://blogs.msdn.com/b/adpowershell/

Active Directory Replication and Topology Management Using Windows PowerShell

Installing AD DS Using Windows PowerShell

Removing AD DS Using Windows PowerShell

In the Dynamic Access Control deployment documentation, look for any sections that are labeled Windows PowerShell equivalent commands

In the Active Directory Domain Services (AD DS) Virtualization documentation, see the steps for deploying a virtualized domain controller.