Active Directory

############################################

Commands to check network time:

w32tm /query /configuration                      (returns in-depth config)
w32tm /query /source                             (current time source, i.e. where the client is receiving time from)
w32tm /query /status                             (check sync status)
w32tm /config /syncfromflags:domhier /update     (point to DC for time update)
w32tm /config /manualpeerlist:"2.ie.pool.ntp.org,0x8 3.ie.pool.ntp.org,0x2" /syncfromflags:manual /reliable:yes
                                                 (set Internet as source - for serverless or VPN devices; peers are space-separated inside the quotes)
w32tm /config /update                            (force update)
w32tm /resync                                    (resync time ASAP)
w32tm /tz                                        (current time zone values)

net time \\<DC_name_or_IP> /set /y

Sets the time on the client; however, the client may override the value again if its configured time source is wrong in the first place.
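A quick check to go with the commands above (added example, not part of the original notes): it parses the w32tm output and warns when a machine is running on its own clock, which is the usual reason a client keeps drifting after a "net time /set". It assumes an elevated PowerShell session; the DC name in the last comment is a placeholder.

```powershell
# Added example (not from the original notes): flag a machine whose time source
# is its own clock instead of the domain hierarchy or a configured NTP peer.
$source = (w32tm /query /source 2>&1 | Out-String).Trim()
$status = w32tm /query /status /verbose 2>&1 | Out-String

# These two sources mean the box is not synchronising with any peer at all;
# Kerberos tolerates 5 minutes of skew by default, so such hosts start failing auth.
$badSources = @('Local CMOS Clock', 'Free-running System Clock')
if ($badSources -contains $source) {
    Write-Warning "Time source is '$source': clock is not synchronised with any peer."
} else {
    Write-Host "Time source: $source"
}

# Pull last sync and offset out of the verbose status output for a sanity check.
if ($status -match 'Last Successful Sync Time:\s*(.+)') {
    Write-Host "Last successful sync: $($Matches[1].Trim())"
}
if ($status -match 'Phase Offset:\s*(.+)') {
    Write-Host "Phase offset: $($Matches[1].Trim())"
}

# To measure the real offset against a DC (placeholder name), run e.g.:
#   w32tm /stripchart /computer:dc01.domain.local /samples:3 /dataonly
```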

############################################

Bitlocker – retro save bitlocker key.

To record an existing Bitlocker key to Active Directory.

From an elevated command prompt, discover the unique "Numerical Password ID", contained within { }:

manage-bde -protectors -get c:

Extract the "numerical password ID" and paste it into the brackets as below:

manage-bde -protectors -adbackup c: -id {DF5478C7-8C3A-4DCA-9279-C1505F49C72E}

Now the key should be recorded in AD against the computer's Bitlocker Recovery tab.
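The same escrow without copying the {GUID} by hand, using the BitLocker PowerShell module (added example, not from the original notes; assumes Windows 8 / Server 2012 or later and an elevated session):

```powershell
# Added example (not from the original notes): back up every recovery-password
# protector on the volume to AD instead of pasting one protector ID manually.
$mount = 'C:'
$vol = Get-BitLockerVolume -MountPoint $mount

# Only RecoveryPassword protectors can be escrowed to AD; TPM/PIN protectors cannot.
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

if (-not $recovery) {
    Write-Warning "No RecoveryPassword protector on $mount; nothing to escrow."
    return
}

foreach ($kp in $recovery) {
    # Writes an msFVE-RecoveryInformation object under this computer's AD account.
    Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $kp.KeyProtectorId | Out-Null
    Write-Host "Escrowed protector $($kp.KeyProtectorId) to Active Directory."
}
```

Confirm on a DC via the computer object's BitLocker Recovery tab; the command fails if the computer account lacks write access to msFVE objects or the schema has not been extended.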

############################################

Find a user's UPN

WMIC ComputerSystem Get UserName
whoami /upn

############################################

Set up user-attribute-based filtering

The user attribute-based filtering procedure can be applied only to user objects. Contacts and groups use complex filtering rules that are beyond the scope of this article.
Filtering out specific users requires that you update the user objects in your on-premises organization that you do not want to synchronize to the cloud. You can filter based on any user object attribute.
For example, you could add the string "NoSync" to the extensionAttribute15 user attribute for each user in your on-premises organization that you don't want to sync to the cloud. In this example, after you have configured the on-premises user, you create a filter rule in Identity Manager to exclude the "NoSync" users from the synchronization process.
The following procedure describes how to configure user filtering using the "NoSync" string on extensionAttribute15.

Tag the user:

  1. In Active Directory Users and Computers, in the View menu, select Advanced Features, and then open the property page for the user.
  2. On the Attribute Editor tab, set extensionAttribute15 to NoSync.

Create the filter rule:

  1. Log on to the computer that is running directory synchronization by using an account that is a member of the MIISAdmins local security group.
  2. Open Identity Manager by double-clicking miisclient.exe, which is located in the following folder:
    • %ProgramFiles%\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell
  3. In Identity Manager, click Management Agents, and then double-click Active Directory Connector.
  4. Click Configure Connector Filter, and then do the following:
    1. Select user in the Data Source Object Type grid, and then click New.
    2. In Filter for user, on the Data Source attribute, select extensionAttribute15; for Operator, select Equals, and then type NoSync in the Value field.
    3. Click Add Condition, and then click OK.
  5. On the SourceAD properties page, click OK.
  6. Perform a full sync: on the Management Agent tab, right-click Active Directory Connector, click Run, click Full Import Full Sync, and then click OK.
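Tagging many users one at a time in Attribute Editor does not scale, so here is the first half of the procedure done with the ActiveDirectory module, plus a report of what the Equals NoSync filter will exclude (added example, not from the original article; the OU path is a placeholder):

```powershell
# Added example (not from the original article): set extensionAttribute15 to
# NoSync for every user in an OU, then list what the connector filter will skip.
Import-Module ActiveDirectory
$ou = 'OU=Service Accounts,DC=domain,DC=local'   # placeholder OU

$users = Get-ADUser -SearchBase $ou -Filter * -Properties extensionAttribute15

foreach ($u in $users) {
    if ($u.extensionAttribute15 -ne 'NoSync') {
        # -Replace overwrites any existing value in the attribute. The filter rule
        # uses Equals, so the stored string must be exactly NoSync (no stray spaces).
        Set-ADUser -Identity $u -Replace @{ extensionAttribute15 = 'NoSync' }
        Write-Host "Tagged $($u.SamAccountName)"
    }
}

# Everything matching the same condition the Identity Manager filter evaluates.
Get-ADUser -LDAPFilter '(extensionAttribute15=NoSync)' -Properties extensionAttribute15 |
    Select-Object SamAccountName, UserPrincipalName, extensionAttribute15 |
    Sort-Object SamAccountName
```

Review the list before the Full Import Full Sync, since any user tagged by mistake is removed from the cloud directory on the next sync.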

############################################
Check / identify FSMO role holders

From a DC cmd prompt, run

netdom query /domain:<DOMAIN> fsmo

############################################

Determine AD-DS or Exchange Server Schema Version.

Active Directory schema version

To find the current Active Directory schema version, use one of the following methods.
Note The internal root domain that we use in this example is “domain.local.”

Method 1. Use ADSIEdit.msc or LDP.exe

Move to the following location:

CN=Schema,CN=Configuration,DC=domain,DC=local

Then, review the current objectVersion attribute.

Method 2. Use the DSQuery command line tool

dsquery * cn=schema,cn=configuration,dc=domain,dc=local -scope base -attr objectVersion

The following list maps the objectVersion attribute value to the Active Directory schema compatibility:

13 -> Windows 2000 Server
30 -> Windows Server 2003 RTM, Windows Server 2003 with Service Pack 1, Windows Server 2003 with Service Pack 2
31 -> Windows Server 2003 R2
44 -> Windows Server 2008 RTM
47 -> Windows Server 2008 R2
56 -> Windows Server 2012 RTM

Exchange Server schema version

To find the current Exchange Server schema version, use one of the following methods:
Note The internal root domain that we use in this example is “domain.local.”

Method 1. Use ADSIEdit.msc or LDP.exe

Move to the following location:
CN=ms-Exch-Schema-Version-Pt,CN=Schema,CN=Configuration,DC=domain,DC=local
Then, review the current rangeUpper attribute.

Method 2. Use the DSQuery command line tool

dsquery * CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=domain,dc=local -scope base -attr rangeUpper

The following table maps the rangeUpper attribute value to the Exchange Server schema compatibility:

Exchange Server version    Forest: rangeUpper of       Forest: objectVersion of   Domain: objectVersion on
                           ms-Exch-Schema-Version-Pt   Organization container     Microsoft Exchange System Objects
Exchange 2000 Server RTM   4397                        Not applicable             4406
Exchange 2000 Server SP3   4406                        Not applicable             4406
Exchange Server 2003 RTM   6870                        6903                       6936
Exchange Server 2003 SP1   6870                        6903                       6936
Exchange Server 2003 SP2   6870                        6903                       6936
Exchange Server 2007 RTM   10637                       10666                      10628
Exchange Server 2007 SP1   11116                       11221                      11221
Exchange Server 2007 SP2   14622                       11222                      11221
Exchange Server 2007 SP3   14625                       11222                      11221
Exchange Server 2010 RTM   14622                       12640                      12639
Exchange Server 2010 SP1   14726                       13214                      13040
Exchange Server 2010 SP2   14732                       14247                      13040
Exchange Server 2013       15137                       15449                      13236
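Both lookups in one script, reading the schema partition with the ActiveDirectory module and mapping the values with the two tables above (added example, not from the original notes; the version tables stop where the page's tables stop, so anything newer is reported as unknown):

```powershell
# Added example (not from the original notes): read objectVersion and rangeUpper
# from the schema partition and map them using the tables on this page.
Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext   # CN=Schema,CN=Configuration,DC=...

$adSchemaMap = @{
    13 = 'Windows 2000 Server';    30 = 'Windows Server 2003 RTM/SP1/SP2'
    31 = 'Windows Server 2003 R2'; 44 = 'Windows Server 2008 RTM'
    47 = 'Windows Server 2008 R2'; 56 = 'Windows Server 2012 RTM'
}
# 14622 is listed for both Exchange 2007 SP2 and Exchange 2010 RTM in the table.
$exchSchemaMap = @{
    4397  = 'Exchange 2000 RTM';   4406  = 'Exchange 2000 SP3'
    6870  = 'Exchange 2003 RTM/SP1/SP2'
    10637 = 'Exchange 2007 RTM';   11116 = 'Exchange 2007 SP1'
    14622 = 'Exchange 2007 SP2 or Exchange 2010 RTM'
    14625 = 'Exchange 2007 SP3';   14726 = 'Exchange 2010 SP1'
    14732 = 'Exchange 2010 SP2';   15137 = 'Exchange 2013'
}

# Active Directory schema: objectVersion on the Schema container itself.
$adVer = [int](Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion
$adName = if ($adSchemaMap.ContainsKey($adVer)) { $adSchemaMap[$adVer] } else { 'newer than this table' }
"AD schema objectVersion $adVer -> $adName"

# Exchange schema: the marker attribute only exists once Exchange has extended the schema.
$exchObj = Get-ADObject -LDAPFilter '(cn=ms-Exch-Schema-Version-Pt)' -SearchBase $schemaNC -Properties rangeUpper
if ($exchObj) {
    $ru = [int]$exchObj.rangeUpper
    $exchName = if ($exchSchemaMap.ContainsKey($ru)) { $exchSchemaMap[$ru] } else { 'newer than this table' }
    "Exchange schema rangeUpper $ru -> $exchName"
} else {
    "No ms-Exch-Schema-Version-Pt object: the Exchange schema has not been applied to this forest."
}
```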

############################################


How to Reset Active Directory Administrator Password

Things you’ll need:

  • Physical access to the server
  • Your 2008 install DVD

Step One: Launch recovery console

Put your install DVD in the drive and reboot the server. Make sure you press the key to boot off the DVD. Once it loads, choose your language, then click Repair your computer, and then click Command Prompt.

Step Two: Do a bit of file jiggery-pokery

Run the following commands in the command prompt:

C:
cd windows\system32
move Utilman.exe Utilman.bak
copy Cmd.exe Utilman.exe

Basically we’re moving Utilman out of the way temporarily and replacing it with cmd.exe (command prompt). Close the command prompt and click Reboot.

Step Three: Do the password reset

Start up your server as normal, and after you press CTRL-ALT-DELETE and have the login screen up, press Windows-U and the command prompt will come up. Type the following:

net user [username] [password]

Where [username] is the username you want to reset the password for, and [password] is the new password. Close the command prompt and log in with the new password!

Step Four: Close that back-door

We want to move the files back to where they were, otherwise anyone could go Windows-U to get an administrator’s command prompt. Unfortunately Utilman.exe is a protected file so you can’t move it back while in Windows. Reboot back into the recovery console as in Step One, and run the following commands:

C:
cd windows\system32
del Utilman.exe
move Utilman.bak Utilman.exe
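Once the server is back up, it is worth proving that the swap really was undone rather than trusting memory, since a forgotten Step Four leaves a SYSTEM shell on the logon screen. This check is an added example, not part of the original post; it assumes PowerShell 4 or later (for Get-FileHash) in an elevated session.

```powershell
# Added example (not from the original post): confirm Utilman.exe is the genuine
# binary again and not a leftover copy of cmd.exe. Run elevated after Step Four.
$sys32    = Join-Path $env:SystemRoot 'System32'
$utilman  = Join-Path $sys32 'Utilman.exe'
$cmd      = Join-Path $sys32 'cmd.exe'
$leftover = Join-Path $sys32 'Utilman.bak'

$problems = @()

# 1. If Utilman.exe still hashes the same as cmd.exe, the swap is still in place.
if ((Get-FileHash $utilman).Hash -eq (Get-FileHash $cmd).Hash) {
    $problems += 'Utilman.exe is byte-identical to cmd.exe'
}

# 2. The version resource should not describe it as the command processor.
$utilDesc = (Get-Item $utilman).VersionInfo.FileDescription
$cmdDesc  = (Get-Item $cmd).VersionInfo.FileDescription
if ($utilDesc -eq $cmdDesc) {
    $problems += "Utilman.exe FileDescription is '$utilDesc' (same as cmd.exe)"
}

# 3. A Utilman.bak still on disk means the cleanup commands never ran.
if (Test-Path $leftover) { $problems += 'Utilman.bak still present in System32' }

if ($problems) {
    Write-Warning ("Accessibility back-door check FAILED:`n - " + ($problems -join "`n - "))
} else {
    Write-Host 'Utilman.exe looks genuine; back-door closed.'
}

# Windows Resource Protection can confirm the file matches the protected copy:
#   sfc /verifyfile=C:\Windows\System32\Utilman.exe
```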
