Wednesday, 1 July 2015

Active Directory: DSQUERY Commands


DSQUERY commands to query AD objects:

 1. How to find all members for a particular group

  dsget group "<DN of the group>" -members
1a. How to find all groups for a particular member (including nested groups)

  dsget user "<DN of the user>" -memberof -expand
  dsquery user -samid "username" | dsget user -memberof -expand

2. How to find memberOf, lastLogonTimestamp, homeMTA (mail server), sAMAccountName and so on (alternatively: repadmin /showattr <DCname> <"DN">)
 dsquery * "<DN>" -scope base -attr lastlogontimestamp memberof

 repadmin /showattr <DCNAME> <"DN"> /attrs:lastlogon,homemta,whencreated,lastlogontimestamp,samaccountname

3. How to modify user last name.
 dsmod user <dn> -ln "<last name>"

4. How to find memberOf, lastLogonTimestamp, homeMTA (mail server), sAMAccountName and so on for "n" number of users
 Create a batch file (e.g. ds.bat) containing this line:

  for /f "eol= tokens=* delims= usebackq" %%x in (%1) do dsquery * %%x -scope base -attr sAMAccountName objectsid whencreated lastlogontimestamp mail homeMTA memberof

 Create a text file with the DN of each user, one per line (e.g. dn.txt); quote any DN that contains spaces.

 Open cmd & run: ds.bat dn.txt >> c:\attr.txt

5. How to find the DN for n number of computers
 Create a batch file containing this line:

  for /f %%x in (%1) do dsquery computer -name %%x

 Create a text file with one computer name per line (e.g. computer.txt)

 Open cmd & run: <batchfile> computer.txt >> c:\dn.txt

6. Find Subnet with associated site.
  dsquery subnet -name <CIDR> | dsget subnet

8. How to find disabled users
  dsquery user "dc=ssig,dc=com" -disabled

  dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"

9. How to find OS?
 dsquery * <"DN"> -scope base -attr operatingSystem

10. How to find site ?
 dsquery site -name * -limit 0
 dsquery server -s <server> | dsget server -site

11. How to get tombstonelifetime ?
 dsquery * "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com" -scope base -attr tombstonelifetime

13. How to find mail box?

 dsquery * -filter "samaccountname=biswajit" -attr homemdb

14. How to find the GCs?
 DsQuery Server -domain contoso.com -isgc

15. How to find all the active users?

 dsquery * -filter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))"

16. How to find users' logon names by their mail addresses, for bulk users?

 For Single user

  dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(mail=e-mailaddress))" -attr name

  For bulk users

  for /f %%x in (%1) do dsquery * domainroot -filter "(&(objectcategory=person)(objectclass=user)(mail=%%x))" -attr name


17. How to find Schema version?

  dsquery * cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr objectVersion
  or
  schupgr



18. How to find Site name by server name ?

  dsquery server -name test1 | dsget server -site

  dsquery server -name (provide the server name for DN) | dsget server -site
19. How to find all groups a user is a member of, without the DNs?

  dsquery user -samid anthony | dsget user -memberof | dsget group -samid

  dsquery user -samid (provide the samaccount name of the user) | dsget user -memberof | dsget group -samid

20. How to find all groups of a computer account without the DNs?

  dsquery computer -name test1 | dsget computer -memberof | dsget group -samid

21. How to find PDC role holder for the existing domain ?

  dsquery server -hasfsmo PDC

22. How to find Infrastructure Master role holder existing domain ?

  dsquery server -hasfsmo INFR

23. How to find RID master role holder for existing domain ?

  dsquery server -hasfsmo RID

24. How to find Schema master role holder in a Forest ?

  dsquery server -forest -hasfsmo Schema

25. How to find Domain Naming Master in a Forest ?

  dsquery server -forest -hasfsmo Name

26. How to find if the Domain Controller is a Global Catalog (GC) or not ?

  dsquery server -name test1 | dsget server -isgc

27. How to find subnet with associated site.

  dsquery subnet -name 10.222.88.0/25 | dsget subnet
28. How to find the SID of a user?

  dsquery user -samid <bbiswas> | dsget user -sid
  dsquery * -filter (samaccountname=Biswajit) -attr objectSid

29. How to find the sIDHistory of a user?

  dsquery * -filter (samaccountname=Bbiswas) -attr sIDHistory

30.  How to find enabled computer accounts in an OU?

 dsquery computer OU=Test,DC=contoso,DC=com -limit 5000 | dsget computer -dn -disabled | find /i " no"

31.  How to count enabled computer accounts in an OU?

 dsquery computer OU=Test,DC=contoso,DC=com -limit 5000 | dsget computer -dn -disabled | find /c /i " no"

32. How to find all users in an OU.
dsquery user ou=targetOU,dc=domain,dc=com

33. How to find all groups in an OU.

dsquery group ou=targetOU,dc=domain,dc=com

34. How to list the members of a group and whether each member is disabled.

dsquery group -samid "Group Pre-Win2k Name" | dsget group -members | dsget user -disabled -display

35. Command to find all the subnets for the given site
dsquery subnet -o rdn -site <site name>

36. Command to find all DCs in the given site

dsquery server -o rdn -site <site name>

37. Command to find all DCs in the Forest

dsquery server -o rdn -forest

38. To list the distinguished names of all directory partitions in the current forest
dsquery partition


39. To find all contacts in the organizational unit (OU)

dsquery contact OU=Sales,DC=Contoso,DC=Com

40. To list the relative distinguished names of all sites that are defined in the directory

dsquery site -limit 0

41. List of all users with primary group "Domain Users"

dsquery * -filter "(primaryGroupID=513)" -limit 0

(You can change the "primaryGroupID" as per your requirement)

513:Domain Users
514:Domain Guests
515:Domain Computers
516:Domain Controllers

42. How to find all attributes for all users?

dsquery * -limit 0 -filter "(&(objectClass=user)(objectCategory=person))" -attr * >> output123.txt

43. Show how many times a wrong password has been entered for a user on a specified domain controller.

dsquery * -filter "(sAMAccountName=jsmith)" -s MyServer -attr givenName sn badPwdCount


The badPwdCount attribute is not replicated, so a different value is saved for each user on each domain controller.
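Because the value lives on each DC separately, a practitioner normally wants it from every DC at once. The batch file below is an added example (not from the original post): it loops over the DCs returned by dsquery server and repeats the query against each one, and it also pulls badPasswordTime and lastLogon, which are likewise not replicated. It assumes a domain-joined machine with the AD DS command-line tools installed; the account name is passed as the first argument.

```batch
@echo off
rem badpwd-all-dcs.bat  (added example, not part of the original post)
rem Usage: badpwd-all-dcs.bat <sAMAccountName>
rem badPwdCount, badPasswordTime and lastLogon are NOT replicated between
rem domain controllers, so each DC is asked in turn with -s <server>.
if "%~1"=="" (
    echo Usage: %~nx0 ^<sAMAccountName^>
    exit /b 1
)
setlocal
rem dsquery server -o rdn prints one quoted DC name per line, e.g. "DC01";
rem %%~d strips the quotes before the name is handed to -s.
for /f "usebackq delims=" %%d in (`dsquery server -o rdn -limit 0`) do (
    echo === %%~d ===
    dsquery * -filter "(sAMAccountName=%~1)" -s %%~d -attr badPwdCount badPasswordTime lastLogon
)
endlocal
```

A DC whose badPwdCount is far higher than the others' is the one that received the failed attempts, which narrows down where the client or service sending them is authenticating.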

44. Find user accounts that have an expiry date set.

dsquery * "dc=contoso,dc=com" -filter "(&(objectCategory=Person)(objectClass=User)(!accountExpires=0)(!accountExpires=9223372036854775807)) " -attr sAMAccountname displayName

Fine-Grained Password Policy

i) How to find the PSO that applies to a user
dsget user <user DN> -effectivepso

Example:

C:\>dsget user "CN=bshwjt,OU=pso,DC=contoso,DC=com" -effectivepso
effectivepso
"CN=test,CN=Password Settings Container,CN=System,DC=contoso,DC=com"
dsget succeeded
("bshwjt" is the user and "test" is the PSO; also see the snap below)

ii) How to find the PSO settings

C:\>dsquery * "CN=<your pso name>,CN=Password Settings Container,CN=System,DC=contoso,DC=com" -scope base -attr *

46. Find out Account Expiry date  

dsquery user -name * -limit 0 | dsget user -samid -acctexpires

47. This example displays all attributes of the contoso.com domain object

dsquery * -filter (dc=contoso) -attr *


48. This complex example displays the names of all attributes (150) that Windows Server 2003 replicates to Global Catalog servers. (If the command displays no attributes, ensure that you typed TRUE in capital letters.)

dsquery * cn=Schema,cn=Configuration,dc=contoso,dc=com -filter "(&(objectCategory=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))" -limit 0 -attr name


49. How to get all sAMAccountNames?

dsquery user -o rdn -limit 0

50. The command displays the DNS host name, the site name, and whether the server is a Global Catalog (GC) server, for each domain controller

dsquery server | dsget server -dnsname -site -isgc
Get all the servers in the forest

dsquery server -forest -limit 0 | dsget server -dnsname -site -isgc

51. The dsget command displays properties of users or other objects. In this example, it displays the 6 groups that explicitly list the Administrator as a member

Note: The -memberof -expand combination recursively expands the list of groups of which the user is a member. In this example, the Users group is added to the list because Domain Users is a member of the Users group.

dsget user cn=Administrator,cn=Users,dc=contoso,dc=com -memberof 

52. The output of the dsquery command can be used as input for the dsget command by using a pipe ( | ). In this example, the SAM account name and the security ID (SID) of each user is displayed. (-limit belongs to dsquery, not dsget.)

dsquery user -limit 0 | dsget user -samid -sid >> c:\Allusers-samid-sid.txt

53. How to find RODCs?

dsquery server -isreadonly

Dsquery for exchange server

54. How to find the Schema Version for Exchange Servers.

dsquery * CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=domain,dc=local -scope base -attr rangeUpper

55. How to find lastLogonTimestamp for all users in a domain

dsquery * -filter "(&(objectCategory=person)(objectClass=user))" -attr cn lastLogonTimestamp -limit 0

56. Move inactive users (here, the accounts with an expiry date set, as in item 44) to the disabled state

dsquery * <ou> -filter "(&(objectCategory=Person)(objectClass=User)(!accountExpires=0)(!accountExpires=9223372036854775807))" | dsmod user -disabled yes  

57. List the existing service connection point objects in AD DS
dsquery * forestroot -filter (objectclass=serviceconnectionpoint)

58. Find all Hyper-V hosts in your forest
C:\>dsquery * forestroot -filter "(&(cn=Microsoft Hyper-V)(objectCategory=serviceconnectionpoint))" -attr servicebindinginformation >> c:\hyper-v.txt

59. Find all Windows virtual machines in your forest
C:\>dsquery * forestroot -filter "(&(cn=windows virtual machine)(objectCategory=serviceconnectionpoint))" -limit 0 -attr * >> c:\allvirtualPCs.txt
60. Extract all groups from an OU with group scope & group type. Find the below snap for your reference.

C:\>dsquery group "ou=test,dc=gs,dc=com" -limit 0 | dsget group -samid -scope -secgrp

61. The following example lists the users of the Organizational Unit "Techie Sol" with dsquery and forwards the result to dsget, which provides detailed information about the objects. In the example, the user list returned by dsquery is passed through the pipe symbol to dsget, which then outputs the sAMAccountName and email address of every user.
If you want to modify the objects returned by the dsquery user list, send the result to dsmod instead, which applies the change to all of those users. The following image shows the command changed so that every user in the dsquery user list must change their password at next logon.

Another way to get the user attributes from an OU. Find the below snap & dsquery for that.

C:\>dsquery * "ou=test,DC=contoso,DC=com" -filter "(&(objectcategory=person)(objectclass=user))" -limit 0 -attr samaccountname description department title
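The dsquery | dsget | dsmod pipeline described in item 61 (whose command appears only in the post's screenshot), as an added example rather than the post's own script: it first lists the OU's users with sAMAccountName and mail address, then, only after confirmation, pipes the same DN list into dsmod so that each user must change password at next logon. The OU DN is passed as an argument; "OU=Techie Sol,DC=contoso,DC=com" in the usage line is an assumed placeholder.

```batch
@echo off
rem force-pwd-change.bat  (added example, not part of the original post)
rem Usage: force-pwd-change.bat "OU=Techie Sol,DC=contoso,DC=com"
rem Step 1: dsquery user <OU> returns the DN of every user in the OU;
rem         dsget user turns those DNs into sAMAccountName + mail.
rem Step 2: the same DN list is fed to dsmod user -mustchpwd yes, which sets
rem         "User must change password at next logon" on each of them.
if "%~1"=="" (
    echo Usage: %~nx0 "OU=...,DC=...,DC=..."
    exit /b 1
)
setlocal
echo Users in %~1:
dsquery user "%~1" -limit 0 | dsget user -samid -email
if errorlevel 1 (
    echo dsquery/dsget failed - check the OU DN and your permissions.
    exit /b 1
)
rem Clear the variable first: set /p keeps the old value if Enter is pressed.
set "answer="
set /p answer=Force a password change at next logon for ALL of them [y/N]? 
if /i not "%answer%"=="y" (
    echo No changes made.
    exit /b 0
)
dsquery user "%~1" -limit 0 | dsmod user -mustchpwd yes
endlocal
```

Reviewing the list before the dsmod step is the point of the confirmation prompt: dsmod applies the change to every DN it receives, so a wrong OU DN would otherwise hit the wrong set of users.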

62. Retrieve the DN of all users in the domain that are not direct members of a specified group
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(!(memberOf=CN=Groupname,OU=West,DC=Contoso,DC=com)))" -limit 0 > NotInGroup.txt

63. How to open DSQUERY GUI Window

rundll32 dsquery,OpenQueryWindow

DNS application partition

64. How to find the DNS servers from DomainDNSZones & ForestDNSzones

C:\>dsquery * DC=DomainDnsZones,DC=contoso,DC=com -scope base -attr msDs-masteredBy
C:\>dsquery * DC=ForestDnsZones,DC=contoso,DC=com -scope base -attr msDs-masteredBy

65.Finding the Functional Levels of Active Directory

dsquery * "DC=contoso,DC=com" -scope base -attr msDS-Behavior-Version ntMixedDomain

msDS-Behavior-Version, ntMixedDomain    Domain functional level
0, 0        Windows 2000 Native domain level
0, 1        Windows 2000 Mixed domain level
2, 0        Windows 2003 domain level
3, 0        Windows 2008 domain level
4, 0        Windows 2008 R2 domain level

Wednesday, 24 June 2015

Install and Configure NLB (WLBS) on Windows Server 2008

In this article I will load balance 2 servers and take you through the process step-by-step. Load Balancing takes 2 or more servers and lets them share one IP address so both servers can serve client requests. At the end of this article you should be able to configure NLB.
Gathering Information
Log onto both of the servers and run IPCONFIG /ALL from the command prompt. We need the name, domain and IP address of each server that will be in the NLB cluster. We will also need to make up an additional name for the cluster; in this example we will use SERVER-LB for the virtual cluster name.
The 2 servers we will be Load Balancing are PL2008-01 and PL2008-02. The virtual cluster name will be PL2008-V. So if this was a web server users would go to http://PL2008-V, depending how we configure NLB either PL2008-01, PL2008-02 or both servers will service the web request.
SERVER NAME                 IP ADDRESS      TYPE
PL2008-01.pintolake.net     192.168.1.180   Server 1
PL2008-02.pintolake.net     192.168.1.181   Server 2
PL2008-V.pintolake.net      192.168.1.182   Virtual cluster name and IP address of Servers 1/2

In this example both servers only have one network card. If you have multiple network cards you will still be able to load balance the 2 servers. You need to configure one NIC per server for NLB; both NICs should be on the same VLAN and should be able to contact each other.
Installation of NLB feature on all NLB nodes
This should be done on ALL NODES in the NLB Cluster. In this case we are performing this installation on PL2008-01 and PL2008-02.
Open Server Manager. You can open this several different ways in Windows Server 2008. Probably the quickest way is to right click "My Computer" and choose "Manage"; another way is to open "Control Panel", go to "Programs and Features" and select "Turn Windows features on or off". A third way is the "Server Manager" option under Administrative Tools.
  • Select "Features" from the Server Manager menu on the left
  • Press "Add Features"
  • Select the checkbox next to "Network Load Balancing"
  • Press "Next"
  • Press "Install"
Installation will proceed to install the necessary components
Installation has succeeded. It is highly recommended that you repeat this process on all nodes in the NLB cluster at this point, before continuing with configuration.
  • Press "Close"
NOTE: Network Load Balancing may also be installed from a command prompt with elevated privileges (right click on the command prompt in the Start menu and select Run as administrator) by running the servermanagercmd -install nlb command.
For example:
C:\Windows\system32>servermanagercmd -install nlb
......
Start Installation...
[Installation] Succeeded: [Network Load Balancing].
<100/100>
Success: Installation succeeded.

Configuring NLB on NODE 1 (PL2008-01)
Network Load Balanced clusters are built using the Network Load Balancing Manager which you can start from Start -> All Programs -> Administrative Tools menu or from a command prompt by executing nlbmgr.
  • Under the Cluster Menu option select "New"
  • Enter the first node in the cluster which is PL2008-01
  • Press "Connect"
You will have the option to choose which network adapter you want to use, the NIC should be on the same subnet as the other servers in the NLB cluster
  • Press "Next"
  • Enter the Priority ID as 1 (each node in the NLB cluster should have a UNIQUE ID)
  • Make sure the correct adapter was selected under "Dedicated IP Address"
  • Select "Started" for the "Initial host state" (this tells NLB whether you want this node to participate in the cluster at startup)
  • Press "Next"
  • Press "Add"
  • Enter the Cluster IP and Subnet mask
  • Press "OK"
You can add multiple IP Addresses for the cluster, enter as many as you want.
  • Make sure the "Cluster IP addresses" are correct
  • Press "Next"
  • Select the IP Address for this cluster
  • Enter the NLB address "PL2008-V.pintolake.net"
  • Enter "Unicast" as the "Cluster operation mode"
  • Press "Next"
Unicast vs Multicast
Unicast/Multicast determines how the MAC address for the virtual IP is presented to the routers. In my experience I have almost always used Multicast; if you use it you should enter a persistent ARP entry on all upstream switches, or you will not be able to ping the servers remotely.
In the unicast method:
  • The cluster adapters for all cluster hosts are assigned the same unicast MAC address.
  • The outgoing MAC address for each packet is modified, based on the cluster host’s priority setting, to prevent upstream switches from discovering that all cluster hosts have the same MAC address.
In the multicast method:
  • The cluster adapter for each cluster host retains the original hardware unicast MAC address (as specified by the hardware manufacturer of the network adapter).
  • The cluster adapters for all cluster hosts are assigned a multicast MAC address.
  • The multicast MAC is derived from the cluster’s IP address.
  • Communication between cluster hosts is not affected, because each cluster host retains a unique MAC address.
Selecting the Unicast or Multicast Method of Distributing Incoming Requests: http://technet.microsoft.com/en-us/library/cc782694.aspx

I am leaving all the defaults for the port rules; by default it is set to all ports with Single affinity, which is sticky. For more information on Port Rules, see my Note below.
  • Press "Finish"
NOTE: Add/Edit Port Rule Settings
For most scenarios I would keep the default settings. The most important setting is probably the filtering mode. "Single" works well for most web applications: it keeps a user's session on one server, so if a user's requests go to PL2008-01, that same server will continue to serve that user's requests for the duration of the session.
None
  • You want to ensure even load balancing among cluster hosts
  • Client traffic is stateless (for example, HTTP traffic).
Single
  • You want to ensure that requests from a specific client (IP address) are sent to the same cluster host.
  • Client state is maintained across TCP connections (for example, HTTPS traffic).
Class C
  • Client requests from a Class C IP address range (instead of a single IP address) are sent to the same cluster host.
  • Clients use multiple proxy servers to access the cluster, and they appear to have multiple IP addresses within the same Class C IP address range.
  • Client state is maintained across TCP connections (for example, HTTPS traffic).
For more information on this please see this TechNet article:
Specifying the Affinity and Load-Balancing Behavior of the Custom Port Rule http://technet.microsoft.com/en-us/library/cc759039.aspx
You should see a couple of things in the NLB Manager, this will let us know that this node successfully converged on our new PL2008-V.pintolake.net NLB Cluster
  • Make sure the node’s status changes to "Converged"
  • Make sure you see a "succeeded" message in the log window
Configuring NLB for NODE 2 (PL2008-02)
We will configure PL2008-02 from PL2008-01. If we wanted to configure this from PL2008-02 then we would need to connect to the PL2008-V cluster first then add the host to the cluster.
  • Right click the cluster name "PL2008-V.pintolake.net" and select "Add Host to Cluster"
  • Enter PL2008-02 and press "Connect"
A list of Network adapters will show up
  • Select the network adapter you want to use for Load Balancing
  • Press "Next"
This step is very important; each node in the NLB cluster should have a unique identifier. This identifier is used to identify the node in the cluster.
  • Enter the Priority ID as 2 (each node in the NLB cluster should have a UNIQUE ID)
  • Make sure the correct adapter was selected under "Dedicated IP Address"
  • Select "Started" for the "Initial host state" (this tells NLB whether you want this node to participate in the cluster at startup)
  • Press "Next"
  • Press "Finish"
You should see a couple of things in the NLB Manager, this will let us know that both nodes successfully converged on our new PL2008-V.pintolake.net NLB Cluster
  • Make sure that both nodes' status changes to "Converged"
  • Make sure each node has a unique "host priority" ID
  • Make sure each node is "started" under "initial host state"
  • Make sure you see a "succeeded" message in the log window for the second node
A closer look at the configuration information for this NLB cluster
Testing
  • Go to the command prompt and type "wlbs query", as you can see HOST 1 and HOST 2 converged successfully on the cluster. This means things are working well.
  • Ping each server locally and remotely
  • Ping the virtual IP locally and remotely – you should do this three times from each location. If you cannot ping remotely you may need to add a static ARP entry in your switches and/or routers where the host machines reside
    • 1 – Both nodes up
    • 2 – Node 1 down
    • 3 – Node 2 down
NLB Documentation (from Windows Help)
Availability, scalability, and clustering technologies
Windows Server 2008 provides two clustering technologies: failover clusters and Network Load Balancing (NLB). Failover clusters primarily provide high availability; Network Load Balancing provides scalability and at the same time helps increase availability of Web-based services.
Your choice of cluster technologies (failover clusters or Network Load Balancing) depends primarily on whether the applications you run have long-running in-memory state:
Failover clusters are designed for applications that have long-running in-memory state, or that have large, frequently updated data states. These are called stateful applications, and they include database applications and messaging applications. Typical uses for failover clusters include file servers, print servers, database servers, and messaging servers.
Network Load Balancing is intended for applications that do not have long-running in-memory state. These are called stateless applications. A stateless application treats each client request as an independent operation, and therefore it can load-balance each request independently. Stateless applications often have read-only data or data that changes infrequently. Front-end Web servers, virtual private networks (VPNs), File Transfer Protocol (FTP) servers, and firewall and proxy servers typically use Network Load Balancing. Network Load Balancing clusters can also support other TCP- or UDP-based services and applications.
Network Load Balancing overview
The Network Load Balancing (NLB) service enhances the availability and scalability of Internet server applications such as those used on Web, FTP, firewall, proxy, virtual private network (VPN), and other mission-critical servers.
What are NLB clusters?
A single computer running Windows can provide a limited level of server reliability and scalable performance. However, by combining the resources of two or more computers running one of the products in Windows Server 2008 into a single virtual cluster, NLB can deliver the reliability and performance that Web servers and other mission-critical servers need.
Each host runs a separate copy of the desired server applications (such as applications for Web, FTP, and Telnet servers). NLB distributes incoming client requests across the hosts in the cluster. The load weight to be handled by each host can be configured as necessary. You can also add hosts dynamically to the cluster to handle increased load. In addition, NLB can direct all traffic to a designated single host, which is called the default host.
NLB allows all of the computers in the cluster to be addressed by the same set of cluster IP addresses, and it maintains a set of unique, dedicated IP addresses for each host. For load-balanced applications, when a host fails or goes offline, the load is automatically redistributed among the computers that are still operating. When a computer fails or goes offline unexpectedly, active connections to the failed or offline server are lost. However, if you bring a host down intentionally, you can use the drainstop command to service all active connections prior to bringing the computer offline. In any case, when it is ready, the offline computer can transparently rejoin the cluster and regain its share of the workload, which allows the other computers in the cluster to handle less traffic.
Hardware and software considerations for NLB clusters
  • NLB is installed as a standard Windows networking driver component.
  • NLB requires no hardware changes to enable and run.
  • NLB Manager enables you to create new NLB clusters and to configure and manage clusters and all of the cluster’s hosts from a single remote or local computer.
  • NLB lets clients access the cluster by using a single, logical Internet name and virtual IP address—known as the cluster IP address (it retains individual names for each computer). NLB allows multiple virtual IP addresses for multihomed servers.
Note:
In the case of virtual clusters, the servers do not need to be multihomed to have multiple virtual IP addresses.
NLB can be bound to multiple network adapters, which allows you to configure multiple independent clusters on each host. Support for multiple network adapters is different from virtual clusters in that virtual clusters allow you to configure multiple clusters on a single network adapter.
Installing the NLB feature
To use Network Load Balancing (NLB), a computer must have only TCP/IP on the adapter on which NLB is installed. Do not add any other protocols (for example, IPX) to this adapter. NLB can load balance any application or service that uses TCP/IP as its network protocol and is associated with a specific Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port.
To install and configure NLB, you must use an account that is listed in the Administrators group on each host. If you are not using an account in the Administrators group as you install and configure each host, you will be prompted to provide the logon credentials for such an account. To set up an account that NLB Manager will use by default: in NLB Manager, expand the Options menu, and then click Credentials. We recommend that this account not be used for any other purpose.
You can use Initial Configuration Tasks or Server Manager to install NLB. To install NLB, in the list of tasks, click Add features and in the list of features in the wizard, click Network Load Balancing.
Managing NLB
Server roles and features are managed by using Microsoft Management Console (MMC) snap-ins. To open the Network Load Balancing Manager snap-in, click Start, click Administrative Tools, and then click Network Load Balancing Manager. You can also open Network Load Balancing Manager by typing Nlbmgr at a command prompt.