############################################
Commands to check network time:
w32tm /query /configuration (returns in-depth config)
w32tm /query /source (present NTP server, i.e. where the client is receiving time from)
w32tm /query /status (check config)
w32tm /config /syncfromflags:domhier /update (point to DC for time update)
w32tm /config /manualpeerlist:"2.ie.pool.ntp.org,0x8 3.ie.pool.ntp.org,0x2" /syncfromflags:manual /reliable:yes (set Internet as source - for serverless or VPN devices)
w32tm /config /update (force update)
w32tm /resync (resync time ASAP)
w32tm /tz (current time zone values)
net time \\<DC_name_or_IP> /set /y
Sets the time on the client; however, the client may override the value again if its time source is wrong in the first place.
############################################
BitLocker – retroactively save the BitLocker key.
To record an existing BitLocker key to Active Directory.
From an elevated command prompt, discover the unique “Numerical Password ID”, which is contained within { }.
manage-bde -protectors -get c:
Extract the “numerical password ID” and paste into brackets like below.
manage-bde -protectors -adbackup c: -id {DF5478C7-8C3A-4DCA-9279-C1505F49C72E}
Now the key should be recorded in AD on the computer's BitLocker Recovery tab.
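The same two steps with the BitLocker PowerShell cmdlets, as an added example that is not part of the original page. It looks up the numerical password protector ID itself instead of copying it by hand; the function name is hypothetical, and it assumes an elevated session on a domain-joined machine.

```powershell
# Added example: back up every numerical (recovery) password protector to AD.
function Backup-RecoveryPasswordToAD {
    param([string[]]$MountPoint = (Get-BitLockerVolume).MountPoint)

    foreach ($mp in $MountPoint) {
        $vol = Get-BitLockerVolume -MountPoint $mp
        # Only RecoveryPassword protectors carry the "Numerical Password ID".
        $protectors = @($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        if ($protectors.Count -eq 0) {
            Write-Warning "$mp has no numerical password protector; nothing to back up"
            continue
        }

        foreach ($p in $protectors) {
            $ok = $true
            try {
                Backup-BitLockerKeyProtector -MountPoint $mp `
                    -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            } catch {
                $ok = $false
                Write-Warning "Backup failed for $mp $($p.KeyProtectorId): $_"
            }
            # One result row per protector so failures are visible in the output.
            [pscustomobject]@{
                MountPoint     = $mp
                KeyProtectorId = $p.KeyProtectorId
                BackedUp       = $ok
            }
        }
    }
}

Backup-RecoveryPasswordToAD -MountPoint 'C:'
```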
############################################
Find user's UPN
WMIC ComputerSystem Get UserName
whoami /upn
############################################
Set up user-attribute–based filtering
The user attribute-based filtering procedure can be applied to only user objects. Contacts and groups use complex filtering rules that are beyond the scope of this article.
Filtering out specific users requires that you update the user objects in your on-premises organization that you do not want to synchronize to the cloud. You can filter based on any user object attribute.
For example, you could add the string “NoSync” to the extensionAttribute15 user attribute for each user in your on-premises organization that you don’t want to sync to the cloud. In this example, after you have configured the on-premises user, you create a filter rule in Identity Manager to exclude the “NoSync” users from the synchronization process.
The following procedure describes how to configure user filtering using the “NoSync” string on extensionAttribute15.
- In Active Directory Users and Computers, in the View menu, select Advanced Features, and then open the property page for the user.
- On the Attribute Editor tab, set extensionAttribute15 to NoSync.
- Log on to the computer that is running directory synchronization by using an account that is a member of the MIISAdmins local security group.
- Open Identity Manager by double-clicking miisclient.exe, which is located in the following folder:
  %ProgramFiles%\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell
- In Identity Manager, click Management Agents, and then double-click Active Directory Connector.
- Click Configure Connector Filter, and then do the following:
  - Select user in the Data Source Object Type grid, and then click New.
  - In Filter for user, on the Data Source attribute, select extensionAttribute15; for Operator, select Equals, and then type NoSync in the Value field.
  - Click Add Condition, and then click OK.
- On the SourceAD properties page, click OK.
- Perform a full sync: on the Management Agent tab, right-click Active Directory Connector, click Run, click Full Import Full Sync, and then click OK.
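The first two steps (tagging the users) done in bulk, plus a report of every user carrying the marker so the exclusion list can be reviewed before the full sync. This is an added example, not part of the original procedure; the function names and the sample account names are hypothetical, and it assumes the ActiveDirectory module (RSAT) and a schema that has extensionAttribute15.

```powershell
# Added example: set and audit the NoSync marker on extensionAttribute15.
Import-Module ActiveDirectory

function Set-NoSyncMarker {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$SamAccountName,
        [string]$Marker = 'NoSync'
    )
    foreach ($name in $SamAccountName) {
        $user = Get-ADUser -Identity $name -Properties extensionAttribute15
        $current = $user.extensionAttribute15

        if ($current -eq $Marker) { continue }      # already tagged
        if ($current) {
            # Do not overwrite a value something else may depend on.
            Write-Warning "$name already has extensionAttribute15='$current'; skipped"
            continue
        }
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName,
                "Set extensionAttribute15=$Marker")) {
            Set-ADUser -Identity $user -Replace @{ extensionAttribute15 = $Marker }
        }
    }
}

function Get-NoSyncUser {
    param([string]$Marker = 'NoSync')
    # Same condition as the connector filter: extensionAttribute15 Equals NoSync.
    Get-ADUser -LDAPFilter "(extensionAttribute15=$Marker)" `
            -Properties extensionAttribute15 |
        Select-Object SamAccountName, UserPrincipalName, Enabled, DistinguishedName
}

# Constructed account names; replace with your own. -WhatIf shows the changes only.
Set-NoSyncMarker -SamAccountName 'svc-backup', 'svc-sql' -WhatIf
Get-NoSyncUser | Format-Table -AutoSize
```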
############################################
Check / identify FSMO role holders
From a DC cmd prompt, run
netdom query /domain:<DOMAIN> fsmo
############################################
Determine AD-DS or Exchange Server Schema Version.
Active Directory schema version
To find the current Active Directory schema version, use one of the following methods.
Note The internal root domain that we use in this example is “domain.local.”
Method 1. Use ADSIEdit.msc or LDP.exe
Move to the following location:
CN=Schema,CN=Configuration,DC=domain,DC=local
Then, review the current objectVersion attribute.
Method 2. Use the DSQuery command line tool
dsquery * cn=schema,cn=configuration,dc=domain,dc=local -scope base -attr objectVersion
The following diagram maps the objectVersion attribute value to the Active Directory schema version:
Exchange Server schema version
To find the current Exchange Server schema version, use one of the following methods:
Note The internal root domain that we use in this example is “domain.local.”
Method 1. Use ADSIEdit.msc or LDP.exe
Move to the following location:
CN=ms-Exch-Schema-Version-Pt,CN=Schema,CN=Configuration,DC=domain,DC=local
Then, review the current rangeUpper attribute.
Method 2. Use the DSQuery command line tool
dsquery * CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=domain,dc=local -scope base -attr rangeUpper
The following table maps the rangeUpper and objectVersion attribute values to the Exchange Server version:
Exchange Server version | Forest “rangeUpper” attribute of ms-Exch-Schema-Version-Pt | Forest “objectVersion” attribute of Organization container | Domain “objectVersion” attribute on Microsoft Exchange System Objects |
Exchange 2000 Server RTM | 4397 | Not applicable | 4406 |
Exchange 2000 Server SP3 | 4406 | Not applicable | 4406 |
Exchange Server 2003 RTM | 6870 | 6903 | 6936 |
Exchange Server 2003 SP1 | 6870 | 6903 | 6936 |
Exchange Server 2003 SP2 | 6870 | 6903 | 6936 |
Exchange Server 2007 RTM | 10637 | 10666 | 10628 |
Exchange Server 2007 SP1 | 11116 | 11221 | 11221 |
Exchange Server 2007 SP2 | 14622 | 11222 | 11221 |
Exchange Server 2007 SP3 | 14625 | 11222 | 11221 |
Exchange Server 2010 RTM | 14622 | 12640 | 12639 |
Exchange Server 2010 SP1 | 14726 | 13214 | 13040 |
Exchange Server 2010 SP2 | 14732 | 14247 | 13040 |
Exchange Server 2013 | 15137 | 15449 | 13236 |
############################################
How to Reset Active Directory Administrator Password
Things you’ll need:
- Physical access to the server
- Your 2008 install DVD
Step One: Launch recovery console
Put your install DVD in the drive and reboot the server. Make sure you press the key to boot off the DVD. Once it loads, choose your language, then click Repair your computer. Click Command Prompt.
Step Two: Do a bit of file jiggery-pokery
Run the following commands in the command prompt:
C:
cd windows\system32
move Utilman.exe Utilman.bak
copy Cmd.exe Utilman.exe
Basically we’re moving Utilman out of the way temporarily and replacing it with cmd.exe (command prompt). Close the command prompt and click Reboot.
Step Three: Do the password reset
Start up your server as normal, and after you press CTRL-ALT-DELETE and have the login screen up, press Windows-U and the command prompt will come up. Type the following:
net user [username] [password]
Where [username] is the username you want to reset the password for, and [password] is the new password. Close the command prompt and log in with the new password!
Step Four: Close that back-door
We want to move the files back to where they were, otherwise anyone could go Windows-U to get an administrator’s command prompt. Unfortunately Utilman.exe is a protected file so you can’t move it back while in Windows. Reboot back into the recovery console as in Step One, and run the following commands:
C:
cd windows\system32
del Utilman.exe
move Utilman.bak Utilman.exe
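A check to run from an elevated PowerShell session once the server is back up after Step Four, as an added example that is not part of the original page. It confirms Utilman.exe is no longer a copy of cmd.exe and that no Utilman.bak was left behind; the function name is hypothetical.

```powershell
# Added example: verify the Utilman.exe swap from Step Two has been undone.
function Test-UtilmanRestored {
    param([string]$Directory = (Join-Path $env:SystemRoot 'System32'))

    $utilman  = Join-Path $Directory 'Utilman.exe'
    $cmd      = Join-Path $Directory 'cmd.exe'
    $backup   = Join-Path $Directory 'Utilman.bak'
    $findings = @()

    if (-not (Test-Path -LiteralPath $utilman)) {
        $findings += 'Utilman.exe is missing'
    } else {
        # Byte-for-byte copy of cmd.exe means the swap is still in place.
        $uHash = (Get-FileHash -LiteralPath $utilman -Algorithm SHA256).Hash
        $cHash = (Get-FileHash -LiteralPath $cmd -Algorithm SHA256).Hash
        if ($uHash -eq $cHash) {
            $findings += 'Utilman.exe is identical to cmd.exe'
        }

        # Catches a cmd.exe copied from a different build (hash differs).
        $orig = (Get-Item -LiteralPath $utilman).VersionInfo.OriginalFilename
        if ($orig -like 'cmd*') {
            $findings += "Utilman.exe version resource says OriginalFilename='$orig'"
        }
    }

    if (Test-Path -LiteralPath $backup) {
        $findings += 'Utilman.bak is still present (move back not completed)'
    }

    [pscustomobject]@{
        Restored = ($findings.Count -eq 0)
        Findings = $findings
    }
}

Test-UtilmanRestored | Format-List
```

The same function works as a periodic audit on other servers, since a Utilman.exe that matches cmd.exe gives anyone at the login screen a command prompt.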