11 November, 2012

Get list of GCs - Active Directory


Ok, here is the next bit. I have many domain controllers (DC) in an Active Directory forest and need to know which domain controller is a Global Catalog (GC). Read it carefully: it's not enough to list which DCs have the GC flag set, I need to know which DC is properly advertised as a GC. Why? Because having enough number of healthy GCs in a forest is essential for Exchange Address Book lookups and for Universal Group membership caching. And again, you can activate the GC flag in dssite.msc many times, if you have an AD database with size of 10+ GB, it will take time to get all the global catalog data built up and replicated across.

Obviously, if you had 2 DCs, you could look into the eventlog and see if there's any eventid 1126 in the log, but doing it every day with every domain controller, after reboot...nah, you don't want to go down that way.

First, let's get the list of DCs in a particular domain. There are many ways to do this, i.e. if you don't have Windows 2008 in your environment , you can do this:
([System.DirectoryServices.ActiveDirectory.DomainController]::findall((new-object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain","tatooine.com"))))

If you have 2008 DCs:
import-module ActiveDirectory
$DCs = Get-ADDomainController -filter * -DomainName tatooine.com

To list which DC is advertised as a GC, you can use the isGlobalCatalogReady RootDSE attribute, on Windos 2003 DCs:
gc dcs.txt | %{$p="" | select ComputerName,Is_GC; $p.ComputerName=$_; $p.Is_gc=(([adsi]("LDAP://" + $_ + "/RootDSE")).isGlobalCatalogReady); $p}


On Windows 2008 DCs:
$GCs = Get-ADDomainController -filter { IsGlobalCatalog -eq $True}

Let's combine this with checking which DC should really be a GC, so where the GC flag is set and have a full list of DCs with the two parameters:
- GC flag's status on the server
- Is GC ready flag on the server

$objColl = @(); $DCs | %{
   # create object with 3 properties   $psObj = "" | select ComputerName,Is_GC_Ready,Is_GC_set
   $psObj.ComputerName = $_     # get if the particular DC is advertised as a GC
   $RootDSE = ([adsi]("LDAP://" + $_ + "/RootDSE"))
   $psObj.Is_gc_ready = $RootDSE.isGlobalCatalogReady
     # enumerate the GC flag of the server
   $ntdsObj = $RootDSE.Get('dsServiceName')
   $psObj.Is_gc_set = ([adsi]"LDAP://$_/$ntdsObj").Get('options')
     $objColl += $psObj
   $psObj}

The object collection can be filtered afterwards, i.e. I want to know the list of DCs which have GC flag set but they are not advertised as GCs:
$objColl | ?{($_.Is_GC_set -eq 1) -and ($_.Is_GC_Ready -eq $false)}

Or list the DCs which do not have the GC flag set:
$objColl | ?{($_.Is_GC_set -eq 0)

Feel free to edit it and experiment with the ActiveDirectory cmdlets on Windows 2008 (Get-ADDomainController)

Clipboar friendly code:
$objColl = @(); 
$DCs | %{ 
  
      # create object with 3 properties
      $psObj = "" | select ComputerName,Is_GC_Ready,Is_GC_set
      $psObj.ComputerName = $_
  
      # get if the particular DC is advertised as a GC
      $RootDSE = ([adsi]("LDAP://" + $_ + "/RootDSE"))
      $psObj.Is_gc_ready = $RootDSE.isGlobalCatalogReady
  
      # enumerate the GC flag of the server
      $ntdsObj = $RootDSE.Get('dsServiceName')
      $psObj.Is_gc_set = ([adsi]"LDAP://$_/$ntdsObj").Get('options')
  
      $objColl += $psObj
      $psObj
}

May the force...
t
Posted by at No comments:
Labels: , , , , , , , ,

01 November, 2012

Restore GPO links with PowerShell - Active Directory

I was talking to people on an AD workshop the other day - which was a quite useful workshop BTW - and realised that most trainings and workshops show you how to perform tasks, do troubleshooting or - in this case - perform steps to restore AD in a smaller scale and they don't give you knowledge and mindset on how to do it with 1000+ objects, servers...or whatever.
For example, restore an object, a GPO, cleanup a DC from the environment...etc. But what if I have 50 GPOs to restore and they were linked to 150 OUs? While you learn the GUI way on these workshops, there's no story about an easy option to restore those GPO links on a wider scale.

In fact, there is no way to restore GPO links as such at all. You could perform authoritative restore on all the OUs but it seems overkill to me. Moreover, you would still need to find out which OUs you would need to restore.

I had some spare time during a break on the workshop so I though I'd give it a go and see how I could copy GPO links back from a DC in a Lag site to OUs on a production DC using PowerShell.

Lab:
I had 2 Windows Server 2008 Domain Controllers in the lab, one was in a Lag site with replication restricted to a small window overnight. Lag DC or Lag site means the replication is restricted to a small time window so the DC is intentionally kept behind in the replication to have live data in the system in case accidental deletion or modification happens on objects.The other DC was the production one, where I "accidentally" deleted some GPOs.
I restored the GPOs from the LAG DC with authoritatiove restore, but obviously the links disappeared.
So I had 1 DC where I still had the original state of the GPO links, but I still didn't want to go through all of them on the UI of GPMC. I wanted a quick script which would:
  • Take a list of GPO GUIDs
  • Look-up which OUs had it linked on the Lag DC
  • Go to the Production DC and add these GUIDs back to the gpLink attribute of each OU
Here's what I did (obviously, there should be some error handling and logging in there which I'll leave with the reader for now):
# List of GPO GUIDs I want to search for and restore links
$gpoGUIDsToBeResotred = @("034E8907-6058-4A19-B312-AB2A0408EDE4", "2EC45E73-E6BB-4F39-A221-E40630015B45")
$lagDC = "LAGDC"# DC name where the GPO links still exist
$prodDC = "ProdDC"# DC name where I want to create the GPO links again

# going through all GPO GUIDs 
foreach($gpoGUID in $gpoGUIDsToBeResotred){

    # Searching for OUs which have the give GPO GUID in their gpLink attribute
    Get-ADOrganizationalUnit -server $lagDC -filt 'gplink -like "*$gpoGUID*"' | %{
       $ou = $tmplinks = $null

       # bind the same OU on the Production DC where we want to restore the GPO links
       $ou = Get-ADOrganizationalUnit -server $prodDC -filter 'DistinguishedName -eq $_.DistinguishedName' -prop gplink

       # store the current content of the gpLink attribute - this is very important as we want to append the attribute, not overwrite
       $tmplinks = $ou.gplink

       # add the new content to the gplink attribute of the OU
       $ou.gplink = $tmplinks + "[LDAP://cn={$gpoGUID},cn=policies,cn=system,DC=litware,DC=com;0]"

       # commit changes
       Set-ADOrganizationalUnit -Instance $ou
    }
}


To get the GUID of a GPO, you can add a command similar to the below to the beginning of the script (you can also look it up in GPMC):
PS C:\> $gpoGUID = (get-gpo "default domain policy").id.guid

List all OUs which have a particular GPO linked:
PS C:\> Get-ADOrganizationalUnit -server lagDC -filt 'gplink -like "*$gpoGUID*"' | ft


I think, all in all, people can be glad that after so many years Microsoft finally realised that they must start building tools of their core products - such as AD - around PowerShell and move away from providing just a UI. So I'm grateful that I can now go through all my PS scripts which utilise ADSI and replace it with a cmdlet from ActiveDirectory PS module :). Although, you still need a bit of thinking and scripting to make things work.
In this example, you would wonder why I didn't use a command from the GroupPolicy Powershell module to create the GPO links. Well, because there isn't such a command. So there's still way to go for MSFT, but it's a good start.

Use this example above carefully and always test in a QA environment.

Clipboard friendly code:

 # List of GPO GUIDS I want to search for and restore links  
 $gpoGUIDsToBeResotred = @("034E8907-6058-4A19-B312-AB2A0408EDE4", "2EC45E73-E6BB-4F39-A221-E40630015B45")  
 $lagDC = "LAGDC"      # DC name where the GPO links still exist  
 $prodDC = "ProdDC"     # DC name where I want to create the GPO links again  
    
 # going through all GPO GUIDs  
 foreach($gpoGUID in $gpoGUIDsToBeResotred){  
   
      # Searching for OUs which have the give GPO GUID in their gpLink attribute  
      Get-ADOrganizationalUnit -server $lagDC -filt 'gplink -like "*$gpoGUID*"' | %{  
           $ou = $tmplinks = $null  
             
           # bind the same OU on the Production DC where we want to restore the GPO links  
           $ou = Get-ADOrganizationalUnit -server $prodDC -filter 'DistinguishedName -eq $_.DistinguishedName' -prop gplink  
             
           # store the current content of the gpLink attribute - this is very important as we want to append the attribute, not overwrite  
           $tmplinks = $ou.gplink  
             
           # add the new content to the gplink attribute of the OU  
           $ou.gplink = $tmplinks + "[LDAP://cn={$gpoGUID},cn=policies,cn=system,DC=litware,DC=com;0]"  
             
           # commit changes  
           Set-ADOrganizationalUnit -Instance $ou  
      }  
 }

May the Force...
t

Posted by at No comments:
Labels: , , , , , , , ,
Subscribe to: Posts (Atom)