Goatee PFE

Blog of Microsoft Premier Field Engineer Ashley McGlone featuring PowerShell scripts for Active Directory.

Freaky neat Active Directory site links with PowerShell


Author's note:  Before you dismiss this article you should know that the top two areas where I find issues for AD health are replication and DNS.  If you're short on time skip to the bottom section "But Wait… There's More" and run that report in your environment.  Otherwise I think you'll get a lot of value from this content.

Freaky Neat

In my role as a Microsoft Premier Field Engineer I get to see what our customers do with Active Directory, both good and bad. Some admins are neat freaks about keeping everything pretty. (Imagine Adrian Monk as an AD admin.)  Others barely have time to open Facebook at work, and neatness is not a priority. Those are just the facts of IT life.  Consequently, one area we frequently clean up is AD replication. You can see my former articles here on cleaning up replication settings.

What is hiding in your site links?

Today's post will help you clean up site link descriptions and give you some nice reporting capability. For a quick overview of the terminology you can read the landmark TechNet article How Replication Works. To make a long story short, admins create sites and then link them together with site links. As with most things in life, change happens, and we don't go back to clean up afterwards. I commonly find orphaned site links, mondo links with too many sites, and site link descriptions that haven't been updated to reflect their member sites. (Use the free AD Topology Diagrammer to get a really cool Visio diagram of your sites and links.)

Some folks like to set their site link description field to list each of the member sites in the link. If that is you, then you'll love this script.  Today's script enumerates all of the member sites in a site link and then concatenates their names into the description of the site link.  Also, it will make a note in the description for any site links that have change notification enabled.  Now that's handy!

Here is a screenshot from my lab showing what the descriptions can look like:

[Screenshot: site links in the lab with member-site descriptions]

The Code

First let's list the site links:

# List all site links (read-only)
Import-Module ActiveDirectory
Get-ADObject -LDAPFilter '(objectClass=siteLink)' `
    -SearchBase (Get-ADRootDSE).ConfigurationNamingContext `
    -Property Name, Cost, Description, Sitelist |
    Format-List Name, Cost, Description, Sitelist

Now let's update the descriptions:

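# One ridiculous line of code
# Broken down for readability
# Writes to the directory: replaces the Description of every site link that has members
Get-ADObject -LDAPFilter '(&(objectClass=siteLink)(siteList=*))' `
    -SearchBase (Get-ADRootDSE).ConfigurationNamingContext `
    -Property Name, Cost, Sitelist, Options |
    ForEach {
        Set-ADObject -Identity $_.DistinguishedName -Replace @{
            Description=$(
                $s="";
                # Take the site name from the first RDN (CN=<name>,...) of each member DN
                ForEach ($site in $_.sitelist) {
                    $s += "$($site.SubString(3,$site.IndexOf(",")-3)) <--> "
                };
                # Trim the trailing ' <--> ' separator (6 characters)
                $s.SubString(0,$s.Length-6)
            )+$(
                # Bit 1 of Options means change notification is enabled
                If ($_.Options -band 1) {' (Notify)'}
            )
        }
    }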

Some site links have been orphaned and emptied by deleting the member sites and forgetting to delete the associated site link. For those here is a modified line that will update their description to 'EMPTY SITE LINK'.

# Flag empty site links
Get-ADObject -LDAPFilter '(&(objectClass=siteLink)(!siteList=*))' `
    -SearchBase (Get-ADRootDSE).ConfigurationNamingContext `
    -Property Name, Sitelist, Options |
    % {Set-ADObject -Identity $_.DistinguishedName `
    -Replace @{Description='EMPTY SITE LINK'+`
    $(If ($_.Options -band 1) {' (Notify)'})}}

The real magic in these lines is in the LDAP filters:

  • All sitelinks: '(objectClass=siteLink)'
  • Sitelinks with member sites: '(&(objectClass=siteLink)(siteList=*))'
  • Sitelinks without member sites: '(&(objectClass=siteLink)(!siteList=*))'

Once you have imported the ActiveDirectory module you can type Get-Help about_ActiveDirectory_filter for more information on creating LDAP filter syntax.

But wait… there's more!

In the script file attached at the end of the post I have included all of the scripts above plus some bonus content.  There is a site report script that will give you some schweet stats on your AD sites.  Use it to find those sites that are not in a site link, missing subnets, or do not have a DC.  The output looks like this:

Name     SiteLinkCount SubnetCount DCCount IsEmpty WhenCreated  Description
----     ------------- ----------- ------- ------- -----------  -----------
Bogus1               1           0       0    True 10/6/2010    Test site
Bogus2               0           0       0    True 1/25/2011    Test site
Bogus3               0           0       0    True 1/25/2011    Test site
Kentucky             3           1       2   False 4/13/2010    Kentucky
Lonely               2           1       1   False 2/17/2011    Remote site
Ohio                 2           2       2   False 4/13/2010    Ohio

Armed with this handy little report you will know where to begin your site, subnet, and site link remediation activities.
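The attached report script is not reproduced on this page. The following is an added example, not the author's attached script, showing one way to gather the same per-site counts with Get-ADObject only (read-only). The Findings column and its NoSiteLink/NoSubnet/NoDC labels are assumptions introduced here; the IsEmpty column from the sample output is left out because the page does not define it.

```powershell
# Added example (not the attached script). Read-only: only Get-ADObject is used.
Import-Module ActiveDirectory

$sitesDN = "CN=Sites,$((Get-ADRootDSE).ConfigurationNamingContext)"

# Read site links and NTDS Settings (nTDSDSA) objects once, then match per site.
$links = @(Get-ADObject -LDAPFilter '(objectClass=siteLink)' `
    -SearchBase $sitesDN -Properties siteList)
$ntds  = @(Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase $sitesDN)

Get-ADObject -LDAPFilter '(objectClass=site)' -SearchBase $sitesDN `
    -Properties siteObjectBL, whenCreated, description |
    ForEach-Object {
        $site   = $_
        $siteDN = $site.DistinguishedName

        # Site links whose siteList names this site
        $linkCount = @($links | Where-Object { $_.siteList -contains $siteDN }).Count

        # siteObjectBL is the back link from subnets assigned to this site;
        # the filter drops the single $null seen when the attribute is absent
        $subnetCount = @($site.siteObjectBL | Where-Object { $_ }).Count

        # A DC is a server object with an NTDS Settings child under CN=Servers,<site>
        $suffix  = ",CN=Servers,$siteDN"
        $dcCount = @($ntds | Where-Object {
            $_.DistinguishedName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)
        }).Count

        $findings = @()   # labels are assumptions of this example
        if ($linkCount   -eq 0) { $findings += 'NoSiteLink' }
        if ($subnetCount -eq 0) { $findings += 'NoSubnet' }
        if ($dcCount     -eq 0) { $findings += 'NoDC' }

        New-Object PSObject -Property @{
            Name          = $site.Name
            SiteLinkCount = $linkCount
            SubnetCount   = $subnetCount
            DCCount       = $dcCount
            Findings      = ($findings -join ',')
            WhenCreated   = $site.whenCreated
            Description   = $site.description
        }
    } |
    Select-Object Name, SiteLinkCount, SubnetCount, DCCount, Findings, WhenCreated, Description |
    Sort-Object Name |
    Format-Table -AutoSize
```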

The Fine Print

This version of the script works with PowerShell v2 in your environment today. In AD PowerShell v3 there are new cmdlets to work with site links directly.

If you're one of those who likes to note WAN speeds on site link descriptions, then you have a couple options:

  • Don't run the script. It will overwrite your notes in the descriptions.
  • Export the descriptions, run this script, then manually add back the WAN speeds.

Unless you schedule this script to run as a scheduled task, you'll need to run it again any time you update sites or site links. The descriptions are only as good as the last run of the script.

Currently the script inserts '<-->' between the site names. Feel free to edit this to your liking.

If you have 1,000,000,000 sites jammed into a single site link, then it is likely that the concatenated description string will be too long and break the script.  Don't do that if you can avoid it.

Running this script is harmless to your environment's functionality, but it will overwrite your existing site link descriptions. As always you should test it in a lab first.
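Because the update overwrites every description, it helps to save the current values and preview the result before running it. The following is an added example, not part of the original post or its attachment; the backup path and the output property names (Current, Proposed, ProposedLength, WouldChange) are assumptions. It writes nothing to the directory.

```powershell
# Added example: back up current descriptions and preview the proposed ones.
Import-Module ActiveDirectory

$backup = Join-Path $env:TEMP 'SiteLinkDescriptions-backup.csv'   # assumed path

$preview = Get-ADObject -LDAPFilter '(objectClass=siteLink)' `
    -SearchBase (Get-ADRootDSE).ConfigurationNamingContext `
    -Properties Description, siteList, Options |
    ForEach-Object {
        # Same naming rule as the post: first RDN value of each member site DN
        $names = @($_.siteList | Where-Object { $_ } |
            ForEach-Object { $_.SubString(3, $_.IndexOf(',') - 3) })
        $new = if ($names.Count) { $names -join ' <--> ' } else { 'EMPTY SITE LINK' }
        if ($_.Options -band 1) { $new += ' (Notify)' }

        New-Object PSObject -Property @{
            DistinguishedName = $_.DistinguishedName
            Current           = $_.Description
            Proposed          = $new
            ProposedLength    = $new.Length
            WouldChange       = ($_.Description -ne $new)
        }
    }

# Keep the old values so hand-written notes (WAN speeds, etc.) can be restored
$preview | Select-Object DistinguishedName, Current |
    Export-Csv -Path $backup -NoTypeInformation

# Show only the links that would change, longest proposed description first
$preview | Where-Object { $_.WouldChange } |
    Sort-Object ProposedLength -Descending |
    Format-List DistinguishedName, Current, Proposed, ProposedLength
```

Sorting by ProposedLength puts the links with the most member sites at the top, which are the ones most likely to produce an over-long description.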

Can you help me?  Yes!

If you would like to have me or another Microsoft PFE come check out the health of your Active Directory environment, then contact your Microsoft Premier Technical Account Manager (TAM) for booking what we call an ADRAP - Active Directory Risk and Health Assessment Program. You'll get a detailed report of what's right and what's wrong in your AD world. Plus, we'll explain how to get healthy and stay healthy. If you like we can even assist with the cleanup, too.

For more information about becoming a Microsoft Premier customer email PremSale@microsoft.com.  Tell them GoateePFE sent you.

Attachment: SiteLink Description Updates And Reports.p-s-1.txt


Comments
  • Thanks, but most things you do here does this module with just one line: Active Directory Replication PowerShell Module 2.01 gallery.technet.microsoft.com/.../780a2272-06f9-4895-827e-9f56bc9272c4

  • Hello Sven,

    Thanks for the feedback.  Raimund's module is great for PowerShell v2, and most of that functionality is now in PowerShell v3.  My examples above are also one line of code for those who prefer out-of-the-box usage.

    GoateePFE
