
Use the power of PowerShell to manage Active Directory

You can use PowerShell to reduce the time it takes to perform the same tasks using GUI tools. PowerShell also helps you to perform repeated tasks, which, in turn, saves even more time. Microsoft ships more than 900 PowerShell modules to manage Active Directory environments. In this article we will explain some Active Directory PowerShell cmdlets you may find useful for your daily operational tasks. We will explain how to collect Active Directory domain and Flexible Single Master Operations (FSMO) information, Active Directory forest info, and domain controller information in an Active Directory forest.

Requirements to run PowerShell commands and scripts

Before running the PowerShell commands and scripts explained in this article, make sure you have a computer with the Active Directory PowerShell module installed, and that you have created a folder named “C:\Temp”, which the PowerShell scripts use to store their reports. It is recommended that you use a computer running Windows Server 2012 R2 or a later operating system to execute the PowerShell scripts explained in this article.

Collect and manage Active Directory domain info and FSMO

The Active Directory forest and domain information, including the FSMO roles, can easily be collected by running the Get-ADForest and Get-ADDomain PowerShell cmdlets. To retrieve the Flexible Single Master Operations information from each Active Directory domain, execute the PowerShell script below from an elevated PowerShell prompt:

Important: Since the script gathers the domain and FSMO information for all Active Directory domains, list every Active Directory domain name, one per line, in “C:\Temp\DomainList.TXT”. The script reads each domain from that file to gather the required information.


# The Get-AD* cmdlets live in the ActiveDirectory module (RSAT or the AD DS role)
Import-Module ActiveDirectory

$TestCSVFile = "C:\Temp\DomainAndFSMOInfo.CSV"
Remove-Item $TestCSVFile -ErrorAction SilentlyContinue
$ThisString = "Domain,NetBIOS Name,Functional Level,Forest,PDC Emulator,RID Master,Infrastructure Master"
Add-Content $TestCSVFile $ThisString
$GDomList = "C:\Temp\DomainList.TXT"
# Summary-line values; these were referenced but never defined in the original script
$ADTestName = "Domain and FSMO Info"
$TestStartTime = Get-Date
ForEach ($ThisDomain in Get-Content $GDomList)
{
    # Query the domain; -ErrorAction Stop turns a non-terminating error into an exception we can catch,
    # and the flag is reset on every iteration so an earlier failure does not taint later domains
    try
    {
        $Items = Get-ADDomain -Identity $ThisDomain -ErrorAction Stop
        $ErrorOrNot = "No"
    }
    catch
    {
        $ErrorOrNot = "Yes"
    }
    IF ($ErrorOrNot -eq "Yes")
    {
        $TestText = "Please check to make sure a Domain Controller is reachable to execute AD Test."
        $SumVal = ""
        $TestStatus = "Error executing AD Test"
    }
    else
    {
        $ItemCount = "NA"
        $TestStatus = "Completed"
        $SumVal = $ItemCount
        $TestText = "Please load and check result"
        ForEach ($ThisItem in $Items)
        {
            # DomainMode is wrapped in double quotes so the CSV column survives any embedded commas
            $FinalVal = $ThisDomain + "," + $ThisItem.NetBIOSName + "," + '"' + $ThisItem.DomainMode + '"' + "," + $ThisItem.Forest + "," + $ThisItem.PDCEmulator + "," + $ThisItem.RIDMaster + "," + $ThisItem.InfrastructureMaster
            Add-Content $TestCSVFile $FinalVal
        }
    }
    # Per-domain status line written to the console
    $STR = $ADTestName + "," + $TestStartTime + "," + $TestStatus + "," + $SumVal + "," + $TestText
    Write-Output $STR
}


Once the above script has finished executing, a CSV file will be created at “C:\Temp\DomainAndFSMOInfo.CSV” containing the Active Directory domain name, the NetBIOS name of the domain, and the FSMO role holder names, as shown in the screenshot below:

As you can see in the report above, the script also collected the “Functional Level” of the Active Directory domain in addition to the required information.

Active Directory forest information can be collected by simply running the Get-ADForest PowerShell cmdlet. However, if you would like to store the Active Directory forest information in a CSV file for reporting purposes, execute the PowerShell script below.


# The Get-AD* cmdlets live in the ActiveDirectory module (RSAT or the AD DS role)
Import-Module ActiveDirectory

$TestCSVFile = "C:\Temp\ADForestInfo.CSV"
Remove-Item $TestCSVFile -ErrorAction SilentlyContinue
$ThisString = "Item,Value"
Add-Content $TestCSVFile $ThisString
$TestStatus = "Completed"
# Replace this with the name of your own Active Directory forest before running the script
$CurForestName = "TechGenix.com"
# -ErrorAction Stop turns a failed query into an exception so the catch block can flag it
try
{
    $R = Get-ADForest -Identity $CurForestName -ErrorAction Stop
    $ErrorOrNot = "No"
}
catch
{
    $ErrorOrNot = "Yes"
}
IF ($ErrorOrNot -eq "Yes")
{
    $TestStatus = "Error executing AD Test"
    Write-Warning "$TestStatus : could not query forest $CurForestName"
}
else
{
    $STR = "AD Forest Name," + $CurForestName
    Add-Content $TestCSVFile $STR
    $STR = "Forest Functional Level," + $R.ForestMode
    Add-Content $TestCSVFile $STR
    # Domains and UPNSuffixes are collections; join them explicitly and quote the value
    # so the list stays in a single CSV column
    $STR = "Forest Domains," + '"' + ($R.Domains -join ";") + '"'
    Add-Content $TestCSVFile $STR
    $STR = "Forest Root Domain," + $R.RootDomain
    Add-Content $TestCSVFile $STR
    $STR = "Forest Domain Naming Master," + $R.DomainNamingMaster
    Add-Content $TestCSVFile $STR
    $STR = "Forest Schema Master," + $R.SchemaMaster
    Add-Content $TestCSVFile $STR
    $STR = "Forest UPN Suffixes," + '"' + ($R.UPNSuffixes -join ";") + '"'
    Add-Content $TestCSVFile $STR
    $STR = "Number of Global Catalogs," + $R.GlobalCatalogs.Count
    Add-Content $TestCSVFile $STR
    $STR = "Number of Application Partitions," + $R.ApplicationPartitions.Count
    Add-Content $TestCSVFile $STR
    $STR = "Number of AD Sites," + $R.Sites.Count
    Add-Content $TestCSVFile $STR
}


Once the above PowerShell script has been executed, a report file named ADForestInfo.CSV will be generated under the “C:\Temp” folder, containing the Active Directory forest information. Make sure to change the Active Directory forest name the script stores in $CurForestName to your own; by default, the script uses “TechGenix.com” as the Active Directory forest.

Collecting Active Directory domain controllers information

Information for all Active Directory domain controllers can easily be collected using the Get-ADDomainController PowerShell cmdlet, as shown in the PowerShell script below. Before you execute the script, make sure to list the Active Directory domain names, one per line, in “C:\Temp\DomainList.TXT”.


# The Get-AD* cmdlets live in the ActiveDirectory module (RSAT or the AD DS role)
Import-Module ActiveDirectory

$TestCSVFile = "C:\Temp\DCInfo.CSV"
Remove-Item $TestCSVFile -ErrorAction SilentlyContinue
$GDomList = "C:\Temp\DomainList.TXT"
ForEach ($ThisDomain in Get-Content $GDomList)
{
    try
    {
        # -Append keeps the rows from every domain in the list; without it each domain
        # overwrote the previous one and only the last domain's controllers were reported
        Get-ADDomainController -Filter * -Server $ThisDomain -ErrorAction Stop |
            Select-Object HostName, Domain, IPv4Address, IPv6Address, IsGlobalCatalog, IsReadOnly, OperatingSystem, OperatingSystemServicePack, Site, SslPort |
            Export-Csv $TestCSVFile -NoTypeInformation -Append
        $TestStatus = "Completed"
    }
    catch
    {
        $TestText = "Please check to make sure a Domain Controller is reachable to execute AD Test."
        $SumVal = ""
        $TestStatus = "Error executing AD Test"
        Write-Warning "$ThisDomain : $TestStatus. $TestText"
    }
}


The above script reads each Active Directory domain name from the “C:\Temp\DomainList.TXT” file, executes the Get-ADDomainController PowerShell cmdlet against that domain, retrieves a list of all domain controllers in it, and then saves the output to the “C:\Temp\DCInfo.CSV” file.

By using the PowerShell scripts explained in this article, you can collect Active Directory domain information together with the Flexible Single Master Operations (FSMO) role holders, Active Directory forest information, and information about all Active Directory domain controllers. You might want to include the scripts in your Active Directory health procedure to ensure that the configuration of the domain controllers matches your records and that the FSMO roles are hosted on the correct domain controllers.
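One way to turn the FSMO report into the health check described above is to compare it against a record of the expected role holders and flag any drift. The following script is an added example, not part of the original article; it assumes the report produced by the first script exists at C:\Temp\DomainAndFSMOInfo.CSV, and the baseline role holders in $Baseline are constructed sample values to be replaced with your own.

```powershell
# Added example: compare the FSMO report written by the first script against an
# expected baseline and report any role holder that does not match.
$ReportFile = "C:\Temp\DomainAndFSMOInfo.CSV"

# Expected role holder per domain (constructed sample values; replace with your own record).
$Baseline = @{
    "TechGenix.com" = @{
        PDCEmulator          = "DC1.TechGenix.com"
        RIDMaster            = "DC1.TechGenix.com"
        InfrastructureMaster = "DC2.TechGenix.com"
    }
}

# Map the column headers written by the report script to the baseline property names.
$ColumnMap = @{
    "PDC Emulator"          = "PDCEmulator"
    "RID Master"            = "RIDMaster"
    "Infrastructure Master" = "InfrastructureMaster"
}

$Findings = @()
foreach ($Row in Import-Csv -Path $ReportFile) {
    $Expected = $Baseline[$Row.Domain]
    if (-not $Expected) {
        # A domain that is in the report but not in the record is itself worth a look
        $Findings += "$($Row.Domain): domain is not in the baseline"
        continue
    }
    foreach ($Column in $ColumnMap.Keys) {
        $Role   = $ColumnMap[$Column]
        $Actual = $Row.$Column
        $Wanted = $Expected[$Role]
        # -ne on strings is case-insensitive, which is what we want for host names
        if ($Actual -ne $Wanted) {
            $Findings += "$($Row.Domain): $Role is held by '$Actual', expected '$Wanted'"
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output "FSMO role holders match the baseline."
} else {
    # Non-zero exit lets a scheduled task or monitoring job pick up the drift
    $Findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it after the first script in the same scheduled job so a moved or seized role shows up as a warning instead of waiting for someone to read the CSV.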
