December 2008 - Posts

S.DS.AD - Domain

We looked at AD Forests last time – moving along we come to domains. We can discover the current domain in a similar manner to the forest

$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dom

The standard output includes

Forest                  : Manticore.org
DomainControllers       : {CSDC1.Manticore.org, DC02.Manticore.org}
Children                : {}
DomainMode              : Windows2008Domain
Parent                  :
PdcRoleOwner            : DC02.Manticore.org
RidRoleOwner            : DC02.Manticore.org
InfrastructureRoleOwner : DC02.Manticore.org
Name                    : Manticore.org

Notice that this includes the FSMO roles for the domain – just as the forest class reports them at that level.  To see all of the FSMO roles affecting a particular domain try

#create hash table
$roles = @{}

# Get the Forest
$for = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$roles["SchemaMaster"] = $for.SchemaRoleOwner
$roles["DomainNamingMaster"] = $for.NamingRoleOwner

# Get the Domain
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$roles["PDCEmulator"] = $dom.PdcRoleOwner
$roles["RIDMaster"] = $dom.RidRoleOwner
$roles["InfrastructureMaster"] = $dom.InfrastructureRoleOwner

$roles

Create an empty hash table. Get the current forest and pick off the schema and domain naming roles. Get the current domain and pick off the PDC Emulator, RID and Infrastructure masters. Displaying the hash table at the end lists all five FSMO roles together.

Looking at the domain object we can use it to find the domain controllers in the domain

$dom.FindAllDomainControllers()

will display the following for each domain controller

Forest                     : Manticore.org
CurrentTime                : 14/12/2008 16:56:16
HighestCommittedUsn        : 680096
OSVersion                  : Windows Server® 2008 Standard
Roles                      : {SchemaRole, NamingRole, PdcRole, RidRole...}
Domain                     : Manticore.org
IPAddress                  : fe80::f564:22dd:b7d9:4ea%9
SiteName                   : Site1
SyncFromAllServersCallback :
InboundConnections         : {CSDC1}
OutboundConnections        : {DC02}
Name                       : DC02.Manticore.org
Partitions                 : {DC=Manticore,DC=org, CN=Configuration,DC=Manticore,DC=org, CN=Schema,CN=Configuration,DC=
                             Manticore,DC=org, DC=DomainDnsZones,DC=Manticore,DC=org...}

What it doesn’t show by default is the global catalog status of the domain controllers.  We can discover that by looking at the DomainControllers property of the domain object.  It actually returns a collection of domain controller objects so all we need to do is

$dom.DomainControllers | foreach { "{0}  Global Catalog = {1}" -f $_.Name, $_.IsGlobalCatalog() }

Take the domain controllers and pipe them into a foreach.  We can then use a formatted string to display the domain controller and whether it is a global catalog server as well.

Other methods available on the domain object include

CreateLocalSideOfTrustRelationship
CreateTrustRelationship
DeleteLocalSideOfTrustRelationship
DeleteTrustRelationship
FindAllDiscoverableDomainControllers
FindAllDomainControllers
FindDomainController
GetAllTrustRelationships
GetDirectoryEntry
GetSelectiveAuthenticationStatus
GetSidFilteringStatus
GetTrustRelationship
RaiseDomainFunctionality
RepairTrustRelationship
SetSelectiveAuthenticationStatus
SetSidFilteringStatus
UpdateLocalSideOfTrustRelationship
UpdateTrustRelationship
VerifyOutboundTrustRelationship
VerifyTrustRelationship

Notice how many are concerned with trust relationships.  Having dipped into the domain object, next up on our tour is the domain controller.
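Since so many of those methods deal with trusts, here is an added example (not code from the original post) that puts GetAllTrustRelationships, GetSidFilteringStatus and GetSelectiveAuthenticationStatus together to audit the trusts of a domain. The function name, the -DomainName parameter and the output property names are my own; the status calls are wrapped in try/catch because they only apply to trusts this domain holds outbound.

```powershell
# Added example: report each trust of a domain with its SID filtering and
# selective authentication status. A trust with SID filtering switched off
# is one a defender should look at closely, since SID history from the trusted
# side is then accepted without being filtered.
function Get-DomainTrustAudit {
    param(
        [string]$DomainName   # optional DNS name; defaults to the current domain
    )

    if ($DomainName) {
        $type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
        $context = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList $type, $DomainName
        $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($context)
    } else {
        $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    }

    $inbound = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound

    foreach ($trust in $dom.GetAllTrustRelationships()) {
        # SID filtering and selective authentication belong to the outbound side
        # of a trust, so they can only be read when the direction is Outbound or
        # Bidirectional; an inbound-only trust is reported as "n/a"
        $sidFiltering  = "n/a"
        $selectiveAuth = "n/a"
        if ($trust.TrustDirection -ne $inbound) {
            try {
                $sidFiltering  = $dom.GetSidFilteringStatus($trust.TargetName)
                $selectiveAuth = $dom.GetSelectiveAuthenticationStatus($trust.TargetName)
            } catch {
                $sidFiltering  = "error: " + $_.Exception.Message
            }
        }
        New-Object -TypeName PSObject -Property @{
            Source        = $trust.SourceName
            Target        = $trust.TargetName
            Type          = $trust.TrustType
            Direction     = $trust.TrustDirection
            SidFiltering  = $sidFiltering
            SelectiveAuth = $selectiveAuth
        }
    }
}

# Full listing, then just the trusts where SID filtering is reported as off
Get-DomainTrustAudit | Format-Table Source, Target, Type, Direction, SidFiltering, SelectiveAuth -AutoSize
Get-DomainTrustAudit | Where-Object { $_.SidFiltering -eq $false }
```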


S.DS.AD - Forest

System.DirectoryServices.ActiveDirectory – it’s a bit of a mouthful so I’m going to abbreviate it to S.DS.AD – is a .NET namespace that works with Active Directory.  Unlike System.DirectoryServices it is not an ADSI wrapper but works through non-LDAP protocols to access AD.  It is designed for administering the structure of AD – forests, domains, sites, domain controllers etc. – rather than the data inside AD such as users and groups. Browsing the namespace on MSDN http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectory.aspx will show the full scope of the namespace.  Over a series of posts I’ll show what we can do with this namespace. One thing to note is that some of the functionality does not appear to work correctly with Windows 2008.

We will start at the top of the Active Directory tree with the forest. All of my examples are created on Windows 2008 machines – they should run on previous versions.

You will need to be running PowerShell with elevated privileges and have the appropriate rights in AD to make any changes using S.DS.AD.

$for = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$for

will show the basic information for the current forest

Name                  : Manticore.org
Sites                 : {Default-First-Site-Name, Site1}
Domains               : {Manticore.org}
GlobalCatalogs        : {CSDC1.Manticore.org, DC02.Manticore.org}
ApplicationPartitions : {DC=ForestDnsZones,DC=Manticore,DC=org, DC=DomainDnsZones,DC=Manticore,DC=org}
ForestMode            : Windows2008Forest
RootDomain            : Manticore.org
Schema                : CN=Schema,CN=Configuration,DC=Manticore,DC=org
SchemaRoleOwner       : DC02.Manticore.org
NamingRoleOwner       : DC02.Manticore.org

There are a number of methods available for working with various aspects of AD

CreateLocalSideOfTrustRelationship
CreateTrustRelationship
DeleteLocalSideOfTrustRelationship
DeleteTrustRelationship
FindAllDiscoverableGlobalCatalogs
FindAllGlobalCatalogs
FindGlobalCatalog
GetAllTrustRelationships
GetHashCode
GetSelectiveAuthenticationStatus
GetSidFilteringStatus
GetTrustRelationship
RaiseForestFunctionality
RepairTrustRelationship
SetSelectiveAuthenticationStatus
SetSidFilteringStatus
UpdateLocalSideOfTrustRelationship
UpdateTrustRelationship
VerifyOutboundTrustRelationship
VerifyTrustRelationship

for instance

PS> $for.FindAllGlobalCatalogs()

Forest                     : Manticore.org
CurrentTime                : 12/12/2008 19:58:13
HighestCommittedUsn        : 368801
OSVersion                  : Windows Server® 2008 Enterprise
Roles                      : {}
Domain                     : Manticore.org
IPAddress                  : 10.10.54.99
SiteName                   : Site1
SyncFromAllServersCallback :
InboundConnections         : {DC02}
OutboundConnections        : {CSDC1}
Name                       : CSDC1.Manticore.org
Partitions                 : {DC=Manticore,DC=org, CN=Configuration,DC=Manticore,DC=org, CN=Schema,CN=Configuration,DC=
                             Manticore,DC=org, DC=DomainDnsZones,DC=Manticore,DC=org...}

will display this information for all global catalogs. 

It is possible to connect to a forest other than the current one by building a DirectoryContext for it and passing that to the GetForest() method.

$type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest
$context = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList $type, "manticore.org"
$for = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($context)
$for

Next time we will look at domains
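As an added example (not code from the original post), the following function combines GetForest with the Sites and FindAllGlobalCatalogs members shown above to check that every site in a forest has at least one global catalog. The function name, the -Forest parameter and the output property names are my own.

```powershell
# Added example: per-site global catalog coverage for the current forest, or
# for a named forest reached through a DirectoryContext.
function Get-GlobalCatalogCoverage {
    param(
        [string]$Forest   # DNS name of the forest; omit for the current forest
    )

    if ($Forest) {
        $type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest
        $context = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList $type, $Forest
        $for = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($context)
    } else {
        $for = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    }

    # Build a lookup of global catalog names once, rather than calling
    # IsGlobalCatalog() on every server in every site
    $gcNames = @{}
    foreach ($gc in $for.FindAllGlobalCatalogs()) { $gcNames[$gc.Name] = $true }

    foreach ($site in $for.Sites) {
        $servers = @($site.Servers | ForEach-Object { $_.Name })
        $gcs = @($servers | Where-Object { $gcNames.ContainsKey($_) })
        # A site with no servers at all (an empty Default-First-Site-Name, say)
        # also reports HasGC = False, so read the Servers column alongside it
        New-Object -TypeName PSObject -Property @{
            Forest         = $for.Name
            Site           = $site.Name
            Servers        = $servers.Count
            GlobalCatalogs = $gcs.Count
            HasGC          = ($gcs.Count -gt 0)
        }
    }
}

Get-GlobalCatalogCoverage | Format-Table Forest, Site, Servers, GlobalCatalogs, HasGC -AutoSize
```

Pass -Forest "manticore.org" to run the same check against a named forest, as in the GetForest snippet above.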


System.DirectoryServices.ActiveDirectory

This namespace seems to be poorly understood by PowerShell users compared to the System.DirectoryServices namespace.  There is a white paper and some sample code available at
http://msdn.microsoft.com/en-us/library/bb267453.aspx
and https://www.microsoft.com/downloads/details.aspx?FamilyID=1F37FBAC-BA9F-47EF-A556-52A9DE8FEFBC&displaylang=en  respectively.

The examples aren’t in PowerShell but it is a start.


Active Directory 4th edition

Father Christmas came early this year with the delivery of a copy of Active Directory 4th edition by Brian Desmond, Joe Richards, Robbie Allen and Alistair G Lowe-Norris for review.

Quick flip through and it looks to have some interesting contents – the chapters showing the differences between the various versions of Active Directory will be useful.  The third part of the book covers scripting and this edition incorporates PowerShell.

I’ll publish a full review once I’ve had time to read it.


Event logs

PowerShell gives a way to read the contents of the event logs using Get-EventLog.  If we just use something like

Get-EventLog -LogName Scripts

we can see the entries in the event log.  These come through as objects of type System.Diagnostics.EventLogEntry and have the properties we are used to seeing in the event viewer utility.

If we want to work with the event log itself we can use WMI as I have shown in previous posts. Alternatively, we can use Get-EventLog like this

$log = Get-EventLog -List | Where{$_.Log -eq "Scripts"}

This will give us an object of type System.Diagnostics.EventLog.  Piping $log through Get-Member will show us what we can do with this object.

We find methods to clear the log ($log.Clear()), modify the overflow policy and write events.  There are properties to control the maximum size of the log and the overflow action. The source for the log can also be manipulated.

What is missing is a method to backup the event log – for that we need to stick with WMI.
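As an added example (not code from the original post), here is a function that reads those size and overflow properties from every log returned by Get-EventLog -List and flags the logs that keep the least history. The function name, the 16 MB threshold and the Review property are my own choices.

```powershell
# Added example: size and overflow settings of each event log, with a Review
# flag for logs that are small and overwrite themselves as soon as they fill.
function Get-EventLogRetentionReport {
    param(
        [int]$MinimumKilobytes = 16384   # flag logs smaller than 16 MB
    )

    foreach ($log in (Get-EventLog -List)) {
        # OverwriteAsNeeded discards the oldest events once the log is full,
        # so a small log with that policy loses evidence quickly
        $small = $log.MaximumKilobytes -lt $MinimumKilobytes
        $overwrites = $log.OverflowAction -eq [System.Diagnostics.OverflowAction]::OverwriteAsNeeded
        New-Object -TypeName PSObject -Property @{
            Log                  = $log.Log
            Entries              = $log.Entries.Count
            MaximumKilobytes     = $log.MaximumKilobytes
            OverflowAction       = $log.OverflowAction
            MinimumRetentionDays = $log.MinimumRetentionDays
            Review               = ($small -and $overwrites)
        }
    }
}

Get-EventLogRetentionReport | Sort-Object Log |
    Format-Table Log, Entries, MaximumKilobytes, OverflowAction, MinimumRetentionDays, Review -AutoSize

# To enlarge a flagged log (elevated prompt needed), set MaximumKilobytes on
# the EventLog object, e.g. for the Scripts log used in this post:
# $log = Get-EventLog -List | Where-Object { $_.Log -eq "Scripts" }
# $log.MaximumKilobytes = 32768
```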


Posted by Richard Siddaway's Blog

Event log entries

A recent post on the forums asked about the error message received when attempting to use Get-EventLog on an empty log.  The log can be tested before attempting to read it

$log = "Scripts"
$n = (Get-EventLog -List | where{$_.log -eq $log}).Entries.count
if ($n -gt 0){Get-EventLog -LogName $log} else {"$log log is empty"}

Use the Entries property of the event log and count the entries.  If it’s empty, display the message; otherwise get the entries.


Social Bookmarking

I have had to stop using the social bookmarking tool I’ve been using as it does not seem to be compatible with the latest version of Live Writer.  It’s not because I don’t want to be sociable – honest.


It’s a bit of a lottery

At some stage in the not too distant future I may need to determine who will be doing a particular task when. The task is rotated between a number of individuals and deciding the order can be fun. In order to make it impartial I decided to script the drawing of lots.

#Requires -version 2.0
$names = @("fred","joe","john")
$l = $names.length
$order = @()
# keep drawing until every name has been placed in the order
while ($order.length -lt $l){
    # Get-Random -Maximum is exclusive, so $rand is in the range 0 .. ($l - 1)
    $rand = Get-Random -Minimum 0 -Maximum $l
    # a blank entry means this name has already been drawn
    if ($names[$rand] -ne ""){
        $order += $names[$rand]
        $names[$rand] = ""
    }
}
$order

This script will run happily in version 2 but not version 1 which is why the first line has the requires keyword.

An array with the names is defined and an empty array to hold the results. I then define a loop which checks the length of the array holding the results against the length of the original array. I only use the variable to make it a bit more readable.

A random number is generated between 0 and the length of the array holding the names.  The maximum returned value is ALWAYS less than the value defined by the maximum parameter.

I then check to see if that name has been selected. If it hasn’t I add it to the results and blank it in the list of names to show it has been used. When all the names have been chosen I display the results.
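The script above re-draws whenever it lands on a name already used, so the last few draws can take several tries. As an added example (not the post’s own code), here is the same draw done as a Fisher-Yates shuffle, which swaps each position exactly once; the function name is my own.

```powershell
#Requires -version 2.0
# Added example: draw lots with a Fisher-Yates shuffle. Every position from the
# end of the array down to the second is swapped with a random position at or
# before it, so each ordering is equally likely and no draw is ever repeated.
function Get-DrawOrder {
    param(
        [string[]]$Names
    )
    $order = $Names.Clone()      # work on a copy so the caller's array is untouched
    for ($i = $order.Length - 1; $i -gt 0; $i--) {
        # Get-Random -Maximum is exclusive, so $j is in the range 0 .. $i
        $j = Get-Random -Minimum 0 -Maximum ($i + 1)
        $tmp = $order[$i]
        $order[$i] = $order[$j]
        $order[$j] = $tmp
    }
    $order
}

Get-DrawOrder -Names @("fred","joe","john")
```

In version 2, Get-Random -InputObject $names -Count $names.Length returns a random permutation directly; the function above shows what that does underneath.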


Apologies

Apologies if you have problems connecting - Spaces has been updated yet again and yet again it has caused issues.  We may be OK for a while now.
