Active Directory can be managed very well with PowerShell. Creating users and configuring groups is only part of it; PowerShell becomes really interesting for Active Directory in troubleshooting and optimization, where it offers possibilities that the graphical tools hardly provide. PowerShell cmdlets are a valuable help in finding almost any error in Active Directory and, above all, in fixing it in a straightforward way. In this article, we show the most important commands and what you can use them for.
PowerShell Module for AD Management
The PowerShell module that contains the Active Directory management cmdlets is installed automatically on domain controllers. You can also easily install the cmdlets on Windows 10 and Windows 11, so that Active Directory can be managed and troubleshot conveniently from a workstation. No downloads are required to install the module: everything you need is already included in Windows 10/11 Pro and Enterprise.
The optional features can be found in Windows 10 and Windows 11 under "Settings\Apps". Under "Optional Features" and "Add Optional Features", "RSAT: Tools for Active Directory Domain Services and Lightweight Directory Services" is available. Clicking "Install" integrates the feature, and with it the PowerShell module for Active Directory becomes available.
The module can also be added on servers that do not run Active Directory services themselves. To do this, use either Server Manager or Windows Admin Center; the PowerShell module for Active Directory is found under "Remote Server Administration Tools\Role Management Tools\AD DS and AD LDS Tools". Of course, the easiest way is to install it with PowerShell itself, using the command "Install-WindowsFeature RSAT-AD-PowerShell". After the installation, the individual cmdlets can be listed with "Get-Command -Module ActiveDirectory".
Viewing the individual cmdlets for managing Active Directory with PowerShell
Reading Out Data before Troubleshooting
To troubleshoot Active Directory, it is first necessary to isolate the error. This requires information that can be read out quickly and easily with PowerShell. You can get an overview of the domain controllers with the "Get-ADDomainController" cmdlet.
Viewing the Domain Controllers in PowerShell
To read out the operations masters (FSMO role holders) for the domain and the forest, use:
The operations master roles can also be moved easily in PowerShell; the "Move-ADDirectoryServerOperationMasterRole" cmdlet is used for this purpose. For more comprehensive information about the domain controllers, use the following command:
This reads the properties of all domain controllers in all domains of the AD forest. Together with the other commands in this article, it helps to locate errors, which are often triggered by faulty group policies. In such a case, it can be useful to save all group policies as an HTML report:
Get-GPOReport -All -Domain "joos.int" -ReportType HTML -Path "C:\temp\report.html"
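As an added example (not a command from the article), the following script lists the forest-wide and per-domain operations masters and then the properties of every domain controller in each domain of the forest. It assumes the ActiveDirectory module is installed and that the account running it can query all domains.

```powershell
# Added example (not from the original article): lists the FSMO role holders
# of the forest and of every domain, then the properties of all domain controllers.
Import-Module ActiveDirectory

$forest = Get-ADForest
[PSCustomObject]@{
    Forest             = $forest.Name
    SchemaMaster       = $forest.SchemaMaster
    DomainNamingMaster = $forest.DomainNamingMaster
} | Format-List

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    [PSCustomObject]@{
        Domain               = $domain.DNSRoot
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    } | Format-List

    # All DCs of this domain; -Server with the domain DNS name directs
    # the query to a DC of that domain instead of the logon domain.
    Get-ADDomainController -Filter * -Server $domainName |
        Select-Object HostName, Site, IPv4Address, IsGlobalCatalog, IsReadOnly,
                      OperatingSystem, OperationMasterRoles |
        Sort-Object Site, HostName |
        Format-Table -AutoSize
}
```

A read-only domain controller shows IsReadOnly as True and never holds an operations master role, which is a quick sanity check on the output.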
Setting Up Test Environment
Troubleshooting can be practiced in a test environment, and domain controllers are quick to install. To create a certain number of users at once in a test environment, use this short script:
You can adjust the environment-specific values in the script, including the number of users it should create.
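The following is an added example of such a script (it is not the article's own); the OU path, UPN suffix and password are placeholders to replace, and the OU must already exist.

```powershell
# Added example (not the article's script): creates a number of test users
# in a given OU. Domain, OU path and password are placeholders to adjust.
Import-Module ActiveDirectory

$UserCount = 20
$OuPath    = 'OU=TestUsers,DC=example,DC=local'   # placeholder OU, must already exist
$UpnSuffix = 'example.local'                      # placeholder UPN suffix
$Password  = ConvertTo-SecureString 'Str0ng-Test-P@ssw0rd!' -AsPlainText -Force  # placeholder

for ($i = 1; $i -le $UserCount; $i++) {
    $sam = 'testuser{0:D3}' -f $i        # testuser001, testuser002, ...

    # Skip accounts that already exist so the script can be re-run safely
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue) {
        Write-Output "$sam already exists, skipping"
        continue
    }

    New-ADUser -Name $sam `
               -SamAccountName $sam `
               -UserPrincipalName "$sam@$UpnSuffix" `
               -GivenName 'Test' `
               -Surname ('User {0:D3}' -f $i) `
               -Path $OuPath `
               -AccountPassword $Password `
               -Enabled $true `
               -ChangePasswordAtLogon $true   # forces a new password at first logon
    Write-Output "Created $sam in $OuPath"
}
```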
Finding Replication Errors in PowerShell
Among the most common errors in Active Directory are problems with replication. To find these, you can first display all replication connections in PowerShell with "Get-ADReplicationConnection".
Viewing replication connections in Active Directory
Based on this information, you can start troubleshooting. For example, if you want to view the replication errors of a domain controller, use the command below. Again, you specify the particular domain controller in the "-Target" parameter:
Get-ADReplicationFailure -Target dc01
If the error cannot yet be narrowed down to one domain controller, you can also include the whole forest, and thus all domain controllers in the environment:
View all replication errors in an Active Directory environment
This allows you to quickly see whether the environment's replication errors are concentrated on individual domain controllers, and you can get down to troubleshooting. You can also see here whether individual domain controllers fail to connect; in that case, check which DC is causing the error. You can also replicate individual objects with the "Sync-ADObject" cmdlet to find out which problems exist between which domain controllers.
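As an added example (not from the article), this script collects the replication failures of the whole forest, groups them by domain controller so that the hot spots stand out, and then shows the partner metadata of every DC, which tells you when replication with each partner last succeeded. It assumes the ActiveDirectory module and rights to query all domain controllers.

```powershell
# Added example (not from the original article): forest-wide replication
# failure summary plus per-partner replication metadata.
Import-Module ActiveDirectory

$forestName = (Get-ADForest).Name
$failures   = Get-ADReplicationFailure -Target $forestName -Scope Forest

if (-not $failures) {
    Write-Output "No replication failures reported in forest $forestName."
} else {
    # Which DCs accumulate the most failures?
    $failures |
        Group-Object Server |
        Sort-Object Count -Descending |
        Select-Object Name, Count |
        Format-Table -AutoSize

    # Detail per failure: partner, type, count, first occurrence, last error code
    $failures |
        Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError |
        Sort-Object Server, Partner |
        Format-Table -AutoSize
}

# Partner metadata: last success/attempt per naming context and partner.
# A growing ConsecutiveReplicationFailures value points at the broken link.
foreach ($dc in (Get-ADDomainController -Filter *)) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Both -ErrorAction SilentlyContinue |
        Select-Object Server, Partner, Partition, LastReplicationSuccess,
                      LastReplicationResult, ConsecutiveReplicationFailures |
        Format-Table -AutoSize
}
```

A LastReplicationResult of 0 means the last attempt with that partner succeeded; any other value is the Win32 error code of the failure.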
Testing Network Connections between Servers
In PowerShell, you can also test network connections between computers and verify that certain ports are open and allow communication between source and destination server. For example, if you want to test the connection from DC01 to DC02, first enter the following command in PowerShell on DC01:
If the connection works in general, you can also test the connection to individual ports. To do this, use the "-Port" parameter. The most important ports you can test at this point between two domain controllers are:
Verifying network connections between domain controllers in PowerShell
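As an added example (not from the article), the following script runs the basic reachability test and then checks the ports relevant for domain controller communication one by one with "Test-NetConnection -Port". The target DC name is a placeholder; the port list is the standard set of AD service ports, and the dynamic RPC port range is not covered by this check.

```powershell
# Added example (not from the original article): checks the AD-relevant TCP
# ports from this computer to a domain controller. $TargetDc is a placeholder.
$TargetDc = 'dc02.example.local'

# Ports and the service behind each of them (TCP). The dynamic RPC range used
# for replication (49152-65535 by default) is not tested here.
$ports = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL/NETLOGON)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
    5985 = 'WinRM'
}

# Basic reachability first: name resolution and ICMP
Test-NetConnection -ComputerName $TargetDc |
    Select-Object ComputerName, RemoteAddress, PingSucceeded | Format-List

# Then every port individually
$results = foreach ($port in ($ports.Keys | Sort-Object)) {
    $t = Test-NetConnection -ComputerName $TargetDc -Port $port -WarningAction SilentlyContinue
    [PSCustomObject]@{
        Port    = $port
        Service = $ports[$port]
        Open    = $t.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# Report only what is blocked so the firewall rule to check stands out
$results | Where-Object { -not $_.Open } |
    ForEach-Object { Write-Warning "Port $($_.Port) ($($_.Service)) to $TargetDc is not reachable" }
```

A port that shows Open = False while the ping succeeds usually points at a firewall between the two servers rather than at a network outage.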
The secure channel between a computer and its domain is also relevant in this context. It is just as important on member servers as on domain controllers. Again, you can test a server in PowerShell and then repair the connection if necessary. The "-Verbose" parameter gives you more information if there are errors:
Test-ComputerSecureChannel -Server dc01 -Verbose
You can attempt a repair of the channel with "Test-ComputerSecureChannel -Repair". To test network connections, it may also be necessary to save the current external IP address behind the default gateway in a PowerShell variable. You can then use the contents of the variable in a script, or simply display them by entering the variable name, in this example "$ip":
$ip = Invoke-RestMethod http://ipinfo.io/json | Select-Object -ExpandProperty ip
Displaying the external IP address of the default gateway in PowerShell
DNS and PowerShell
In PowerShell, you can also display a computer's DNS cache and clear it. This is especially useful if you have adjusted DNS options for troubleshooting purposes and then want to clear the cache:
You can read out the complete network configuration in PowerShell with "Get-NetIPConfiguration". On DNS servers, reading out the DNS zones is also important. You can do this in PowerShell as well, for example with:
Get-DnsServerZone -ComputerName dc01
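As an added example (not from the article), the following script ties the DNS steps together: it shows the cached entries for the domain, clears the client cache, verifies the SRV locator records that clients and domain controllers rely on, and finally lists the zones hosted on the DNS server. The domain name and DNS server are placeholders; the last step needs the DnsServer module (RSAT DNS tools).

```powershell
# Added example (not from the original article): inspects and clears the local
# DNS client cache, checks the DC locator SRV records and lists the server's zones.
# $Domain and $DnsServer are placeholders.
$Domain    = 'example.local'
$DnsServer = 'dc01'

# Cached entries for the domain, before flushing
Get-DnsClientCache | Where-Object { $_.Entry -like "*$Domain*" } |
    Select-Object Entry, RecordType, Data, TimeToLive | Format-Table -AutoSize

# Clear the cache so the following lookups hit the DNS server, not stale entries
Clear-DnsClientCache

# Locator records: every DC registers these; without them logons and replication fail
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.gc._msdcs.$Domain"
)
foreach ($name in $srvNames) {
    # Resolve-DnsName also returns the A records of the additional section; keep only SRV
    $records = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
    if ($records) {
        $records | Select-Object Name, NameTarget, Port, Priority, Weight | Format-Table -AutoSize
    } else {
        Write-Warning "No SRV record found for $name on $DnsServer"
    }
}

# Zones hosted on the DNS server, including AD integration and dynamic update setting
Get-DnsServerZone -ComputerName $DnsServer |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, DynamicUpdate |
    Format-Table -AutoSize
```

A DC that is missing from the SRV answers, or a _msdcs zone whose DynamicUpdate is not "Secure", is a common cause of the replication and logon errors discussed above.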
PowerShell is a powerful tool when it comes to finding and fixing errors in Active Directory. In most cases the commands are not complicated and provide all the information needed for troubleshooting. It is worthwhile for admins to familiarize themselves with the most important commands. The cmdlets are also ideal for a quick diagnosis and an initial overview of the settings and structure of an Active Directory environment.
Thomas Joos is a freelance IT consultant and has been working in IT since 1992. He has published more than 90 practical reference books and writes for numerous IT publications such as c’t, PC Magazin, PC Welt, IT Administrator, Computerwoche and Heise Security.