Use PowerShell to Document Your Network Configuration

Use PowerShell to Document Your Network Configuration

  • Comments 3
  • Likes

Summary: Learn how to use Windows PowerShell and Active Directory cmdlets to document your Active Directory configuration.

 

Hey, Scripting Guy! QuestionHey, Scripting Guy! I recently inherited an Active Directory. By this, I mean the network administrator quit. He did not give any notice, and it appears he took any documentation he may have created with him. He may have been abducted by Martians (there seems to be quite a bit of this going on at work) for all I know. Anyway, I need a good way to easily discover information about the domain and the forest. If I could easily print it out, it would be even better. I know how to use Active Directory Users and Computers, and I have been making screen shots, but there should be a better way of doing things. Help!

—BV

 

Hey, Scripting Guy! AnswerHello BV,

Microsoft Scripting Guy Ed Wilson here. I am sorry Martians abducted your network administrator. You did not specify which version of Windows you are running, and you did not say which version of domain controllers you have. I am guessing that perhaps you do not know. To find information about your operating system, you can use the following command in Windows PowerShell:

Get-WmiObject win32_operatingsystem

Using the Active Directory Windows PowerShell cmdlets and remoting, I can easily discover information about the forest and the domain. The first thing I need to do is to enter a PSSession on the remote computer. To do this, I use the Enter-PSSession cmdlet. Next, I import the active directory module, and set my working location to the root of the C drive. These commands are shown here:

PS C:\Users\Administrator.NWTRADERS> Enter-PSSession dc1

[dc1]: PS C:\Users\Administrator\Documents> Import-Module activedirectory

[dc1]: PS C:\Users\Administrator\Documents> Set-Location c:\

After I have connected to the remote domain controller, I can use the Get-WmiObject cmdlet to verify my operating system on that computer. This command and associated output are shown here:

[dc1]: PS C:\> Get-WmiObject win32_operatingsystem

SystemDirectory : C:\Windows\system32

Organization    :

BuildNumber     : 7601

RegisteredUser  : Windows User

SerialNumber    : 55041-507-0212466-84005

Version         : 6.1.7601

Now, I want to get information about the forest. To do this, I use the Get-ADForrest cmdlet. The output from Get-ADForest includes lots of great information such as the domain naming master, forest mode, schema master, and domain controllers. This command and associated output are shown here:

[dc1]: PS C:\> Get-ADForest 

 

ApplicationPartitions : {DC=DomainDnsZones,DC=nwtraders,DC=com, DC=ForestDnsZones,DC=nwtraders,DC=com}

CrossForestReferences : {}

DomainNamingMaster    : DC1.nwtraders.com

Domains               : {nwtraders.com}

ForestMode            : Windows2008Forest

GlobalCatalogs        : {DC1.nwtraders.com}

Name                  : nwtraders.com

PartitionsContainer   : CN=Partitions,CN=Configuration,DC=nwtraders,DC=com

RootDomain            : nwtraders.com

SchemaMaster          : DC1.nwtraders.com

Sites                 : {Default-First-Site-Name}

SPNSuffixes           : {}

UPNSuffixes           : {}

The above commands and output are shown in the following figure.

Image of commands and output

Now I am interested in obtaining information about the domain. To do this, I use the Get-ADDomain cmdlet. The command returns important information such as the location of the default domain controller organizational unit, the PDC emulator, and the RID master. The command and associated output are shown here:

[dc1]: PS C:\> Get-ADDomain

 

AllowedDNSSuffixes                 : {}

ChildDomains                       : {}

ComputersContainer                 : CN=Computers,DC=nwtraders,DC=com

DeletedObjectsContainer            : CN=Deleted Objects,DC=nwtraders,DC=com

DistinguishedName                  : DC=nwtraders,DC=com

DNSRoot                            : nwtraders.com

DomainControllersContainer         : OU=Domain Controllers,DC=nwtraders,DC=com

DomainMode                         : Windows2008Domain

DomainSID                          : S-1-5-21-909705514-2746778377-2082649206

ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=nwtraders,DC=com

Forest                             : nwtraders.com

InfrastructureMaster               : DC1.nwtraders.com

LastLogonReplicationInterval       :

LinkedGroupPolicyObjects           : {CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=nwtraders,DC=com}

LostAndFoundContainer              : CN=LostAndFound,DC=nwtraders,DC=com

ManagedBy                          :

Name                               : nwtraders

NetBIOSName                        : NWTRADERS

ObjectClass                        : domainDNS

ObjectGUID                         : 0026d1fc-2e4d-4c35-96ce-b900e9d67e7c

ParentDomain                       :

PDCEmulator                        : DC1.nwtraders.com

QuotasContainer                    : CN=NTDS Quotas,DC=nwtraders,DC=com

ReadOnlyReplicaDirectoryServers    : {}

ReplicaDirectoryServers            : {DC1.nwtraders.com}

RIDMaster                          : DC1.nwtraders.com

SubordinateReferences              : {DC=ForestDnsZones,DC=nwtraders,DC=com, DC=DomainDnsZones,DC=nwtraders,DC=com, CN=Configuration,DC=nwtraders,DC=com}

SystemsContainer                   : CN=System,DC=nwtraders,DC=com

UsersContainer                     : CN=Users,DC=nwtraders,DC=com

From a security perspective, you should always check the domain password policy. To do this, use Get-ADDefaultDomainPasswordPolicy. Things you want to especially pay attention to are the use of complex passwords, minimum password length, password age, and password retention. Of course, you also need to check lockout policy, too. This one is important to review closely when inheriting a new network. Here are the command and associated output:

[dc1]: PS C:\> Get-ADDefaultDomainPasswordPolicy

 

ComplexityEnabled           : True

DistinguishedName           : DC=nwtraders,DC=com

LockoutDuration             : 00:30:00

LockoutObservationWindow    : 00:30:00

LockoutThreshold            : 0

MaxPasswordAge              : 42.00:00:00

MinPasswordAge              : 1.00:00:00

MinPasswordLength           : 7

objectClass                 : {domainDNS}

objectGuid                  : 0026d1fc-2e4d-4c35-96ce-b900e9d67e7c

PasswordHistoryCount        : 24

ReversibleEncryptionEnabled : False

The last major thing to check is the domain controllers themselves. To do this, use the Get-ADDomainController cmdlet. This command returns important information such as is the domain controller read-only, a global catalog server, operations master roles held, and operating system information. Here are the command and associated output:

 [dc1]: PS C:\> Get-ADDomainController -Identity dc1 

 

ComputerObjectDN           : CN=DC1,OU=Domain Controllers,DC=nwtraders,DC=com

DefaultPartition           : DC=nwtraders,DC=com

Domain                     : nwtraders.com

Enabled                    : True

Forest                     : nwtraders.com

HostName                   : DC1.nwtraders.com

InvocationId               : b51f625f-3f60-44e7-8577-8918f7396c2a

IPv4Address                : 10.0.0.1

IPv6Address                :

IsGlobalCatalog            : True

IsReadOnly                 : False

LdapPort                   : 389

Name                       : DC1

NTDSSettingsObjectDN       : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nwtraders,DC=com

OperatingSystem            : Windows Server 2008 R2 Enterprise

OperatingSystemHotfix      :

OperatingSystemServicePack : Service Pack 1

OperatingSystemVersion     : 6.1 (7601)

OperationMasterRoles       : {SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster...}

Partitions                 : {DC=ForestDnsZones,DC=nwtraders,DC=com, DC=DomainDnsZones,DC=nwtraders,DC=com, CN=Schema,CN=Configuration,DC=nwtraders,DC=com, CN=Configuration,DC=nwtraders,DC=com...}

ServerObjectDN             : CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nwtraders,DC=com

ServerObjectGuid           : 5ae1fd0e-bc2f-42a7-af62-24377114e03d

Site                       : Default-First-Site-Name

SslPort                    : 636

BV, you asked for a report. Now that we know what type of information to expect and how to obtain it, the report is as easy as redirecting the output to a text file. The associated commands are shown here.

Get-ADForest >> \\dc1\shared\AD_Doc.txt

Get-ADDomain >> \\dc1\shared\AD_Doc.txt

Get-ADDefaultDomainPasswordPolicy >> \\dc1\shared\AD_Doc.txt

Get-ADDomainController -Identity dc1 >>\\dc1\shared\AD_Doc.txt

The file as viewed in Notepad is shown here.

Image of file viewed in Notepad

 

Well, that is all there is to quickly documenting a new domain and forest. Join me tomorrow for the quick way to create and manipulate user objects in Active Directory.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy

 

 

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • You ought to point out he may need to perform some additional steps.

    blogs.technet.com/.../install-active-directory-management-service-for-easy-powershell-access.aspx

    blogs.technet.com/.../enable-powershell-remoting-to-enable-running-commands.aspx

  • Hi Ed,

    sometimes I would prefer having been abducted by Martians ...

    The AD cmdlets provide us with a huge source of informations.

    In fact they are so useful that an administrator can't ignore them if his task is somehow related to maintain the AD. I know that there are several executable available like the ds*.exe commands, located in the System32 folder e.g. that are very powerful instruments, too.

    BUT in this case it is EXTREMELY useful that powershell returns object while the other executables only return text ( which can be piped to other commands .... aggreed ... )

    Having objects here is the door to all possible manipulations of AD objects we can think of. That's really cool :-)

    @Jeffrey: You are right, of course!

    Klaus.

  • Quote "Anyway, I need a good way to easily discover information about the domain and the forest. If I could easily print it out, it would be even better."

    If you want to discover both domain and forest information and want to be able to print this out, I recommend trying a tool called XIA Configuration:

    www.centrel-solutions.com/.../capabilities.aspx

    It can also document many other Windows Server roles and supports change tracking.

    There is a free version available for small networks.