– AD replication:
Repadmin /replsum for the forest
Repadmin /showrepl at the DC level
Repadmin /removelingeringobjects SIN1ADC03 /advisory_mode
– SYSVOL replication: SONAR – Ultrasound – Dfsrmon – dfsrmgmt
– DNS replication:
dnslint /ad <DC IP> /s <DNS server IP>
dcdiag /test:DNS -e
– NTDS.dit database/performance/service: BPA
– System state backup: repadmin /showbackup
– General diagnostics: dcdiag /e
*************************** MISCELLANEOUS *********************************
#NTDS.dit database/performance/service:
BPA
#System state backup:
repadmin /showbackup
Netdom /query FSMO
Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"
#Identify the ISTG covering each site by running this command:
repadmin /istg
******************** GPO troubleshooting *********************
http://www.it-connect.fr/les-gpo-ne-sappliquent-pas-14-pistes-a-etudier/#J_Le_loopback_processing
******************* DNS replication ********************
dnslint /ad <DC IP> /s <DNS server IP>
dcdiag /test:DNS -e
****************** AD replication *********************
Force AD replication
repadmin /syncall /APeD
Repadmin /replsum for the forest
Repadmin /showrepl at the DC level
Repadmin /removelingeringobjects SIN1ADC03 /advisory_mode
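
The repadmin /replsum and /showrepl checks above can be automated by parsing the CSV form of /showrepl. The script below is an added example, not part of the original notes: the DC names, sites, dates and the 24-hour threshold are constructed, and the function name Get-ReplicationIssue is hypothetical.

```powershell
# Constructed sample of `repadmin /showrepl * /csv` output (DC, site and domain names are made up).
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,SiteA,DC01,"DC=example,DC=test",SiteA,DC02,RPC,0,0,2024-05-02 08:15:11,0
showrepl_INFO,SiteA,DC01,"DC=example,DC=test",SiteB,DC03,RPC,14,2024-05-02 08:10:03,2024-04-28 22:41:57,1722
showrepl_INFO,SiteB,DC03,"CN=Configuration,DC=example,DC=test",SiteA,DC01,RPC,0,0,2024-05-02 08:12:40,0
'@

# Hypothetical helper: returns one object per replication link that has failures
# or whose last successful replication is older than the threshold.
function Get-ReplicationIssue {
    param(
        [Parameter(Mandatory)][string[]]$CsvLines,
        [datetime]$Now = (Get-Date),
        [int]$MaxAgeHours = 24   # assumed alert threshold, adjust to the site link schedule
    )
    $inv = [cultureinfo]::InvariantCulture
    $CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv |
        Where-Object { $_.showrepl_COLUMNS -eq 'showrepl_INFO' } |
        ForEach-Object {
            $failures = [int]$_.'Number of Failures'
            $lastOk   = [datetime]::MinValue
            # A link that never replicated has no parsable success time.
            $hasOk    = [datetime]::TryParse($_.'Last Success Time', $inv,
                            [System.Globalization.DateTimeStyles]::None, [ref]$lastOk)
            $ageHours = if ($hasOk) { [math]::Round(($Now - $lastOk).TotalHours, 1) } else { $null }
            if ($failures -gt 0 -or -not $hasOk -or $ageHours -gt $MaxAgeHours) {
                [pscustomobject]@{
                    Destination       = $_.'Destination DSA'
                    Source            = $_.'Source DSA'
                    NamingContext     = $_.'Naming Context'
                    Failures          = $failures
                    LastStatus        = $_.'Last Failure Status'
                    HoursSinceSuccess = $ageHours
                }
            }
        }
}

# Offline run against the constructed sample, with a fixed "now" so the result is repeatable.
Get-ReplicationIssue -CsvLines ($sampleCsv -split '\r?\n') -Now ([datetime]'2024-05-02 09:00:00') |
    Format-Table -AutoSize

# On a domain-joined admin host, feed it live data instead:
# Get-ReplicationIssue -CsvLines (repadmin /showrepl * /csv)
```
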
SYSVOL replication
SONAR – Ultrasound – Dfsrmon – dfsrmgmt
#full test :
dcdiag /c
DCDIAG /Test:KCCEvent
repadmin /failcache site:<sitename>
repadmin /bind <DCname>
repadmin /syncall
repadmin /kcc
repadmin /prp view <dc1> <dc2>
#quick test :
DCDIAG /Test:KnowsOfRoleHolders
#check which domain controllers the Directory Service Agent thinks are holding the roles
DCDIAG /Test:KnowsofRoleHolders /v
#check the integrity of a domain controller’s machine account
DCDIAG /Test:MachineAccount
/FixMachineAccount –> resets the account's various flags
If that does not correct the problem, then you can always try recreating the machine account –> /RecreateMachineAccount
#The Naming Context Security Descriptors Test
#If the security descriptors are invalid, then replication may fail. You can run this test by entering the following command:
DCDIAG /Test:NCSecDesc
#NetLogons
#It checks to see that replication is not failing because of insufficient logon privileges. You can run this test by entering the following command:
DCDIAG /Test:NetLogons
#The Objects Replicated Test
#Used to confirm that machine accounts have replicated across all of your domain controllers, but it can also be used to check whether other types of objects have replicated as well.
#If the object that you are looking up is something other than a machine account, then you will also have to know the object’s naming context. The syntax for this test looks something like this:
DCDiag /Test:ObjectsReplicated /ObjectDN:<object’s distinguished name> /N:<object’s naming context>
#The Outbound Secure Channels Test
#A secure channel is an authenticated remote procedure call (RPC) connection between two machines in a domain, with an established security context used for signing and encrypting RPC packets.
DCDIAG /Test:OutboundSecureChannels /TestDomain:<yourdomain>
#This test only checks the domain controllers within the current site. You can force the test to check external sites by adding the /NoRestriction switch to the test.
netsh http show sslcert
nltest /SC_QUERY:domainname
nltest /SC_reset:domainname /server:dcname
netdom reset hostname /domain:domainname /server:dcname
******************************** TOOLS *********************************
Checks the health of a DC
DCDIAG
Checks dynamic DNS records, lists DNS zones
DNSCMD
Views and modifies ACLs on AD objects
DSACLS
Compares two AD trees and provides statistics
DSASTAT
Lists the GPOs of a domain and checks their state on all DCs
GPOTOOL
Checks, lists and purges Kerberos tickets
KLIST
Checks the network and distributed service functions end to end
NETDIAG
Displays the replication topology, forces replication and KCC recalculation
REPLMon
Tests trust relationships and the replication state of a DC. Can also test and reset the NetLogon secure channel established between the client and the DC
NLTest
The post Test Active Directory en vrac first appeared on IT Consult.