Skip to the main content.
Request demo
Request demo

ScriptRunner Blog

Strategies to find and fix errors in Active Directory

7 min read
April 20, 2022

By: Thomas Joos Apr 20, 2022 8:30:00 AM

PowerShell Active Directory PowerShell & Systems Microsoft

Table of contents

 

 
Post Featured Image

Active Directory can be managed excellently with PowerShell. Not only the creation of users and the configuration of groups is possible with PowerShell, it becomes interesting when used for Active Directory in the area of troubleshooting and optimization. Here, PowerShell offers possibilities that are hardly possible with tools in the graphical interface. PowerShell cmdlets are a valuable help to find almost all errors in Active Directory and above all to fix them in a straightforward way. In this article, we will show you the most important commands and what you can use them for.

 

PowerShell module for AD management

The PowerShell module, that integrates the Active Directory management cmdlets, is automatically installed on domain controllers. However, you can also easily install the cmdlets in Windows 10 and Windows 11. In this case, you can conveniently manage and troubleshoot Active Directory from a workstation. No downloads are required to install the PowerShell module, everything you need is already included in Windows 10/11 Pro and Enterprise.


The optional features can be found in Windows 10 and Windows 11 via "Settings\Apps". Under "Optional Features" and "Add Optional Features", "RSAT: Tools for Active Directory Domain Services and Lightweight Directory Services" is available. With the button "Install", the integration of the module takes place. By installing the feature, the PowerShell module for Active Directory is also available.


The integration is also possible on servers if no Active Directory services are installed on them. To do this, use either the Server Manager or the Windows Admin Center. Here, the PowerShell module for Active Directory can be found via "Remote Server Administration Tools\Role Management Tools\AD DS and AD LDS Tools". Of course, the easiest way to do this is to install it yourself using PowerShell. For this the command "Install-WindowsFeature RSAT-AD-PowerShell" is used. After the installation, the single commands can be displayed with the cmdlet "Get-Command -Module ActiveDirectory".

Viewing the individual cmdlets for managing Active Directory with PowerShell

Viewing the individual cmdlets for managing Active Directory with PowerShell

 

Reading out data before troubleshooting 

To troubleshoot Active Directory, it is first necessary to isolate the error. This requires information that can be quickly and easily read out from PowerShell. You can get an overview of the domain controllers with the "Get-ADDomaincontroller" cmdlet.

Viewing the Domain Controllers in PowerShell

Viewing the Domain Controllers in PowerShell

To read out the operational masters for domain and forest, use:

 
Get-ADDomain | Select InfrastructureMaster, RID-Master, PDCEmulator



Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster


It is also easy to move the operational masters in PowerShell. The "Move-ADDirectoryServerOperationMasterRole" cmdlet is used for this purpose. For more comprehensive information about the domain controllers, use the following command:

 (Get-ADForest).Domains | %{ Get-ADDomainController -Filter * -Server $_ }

Or written out:


Get-ADForest |

Select-Object -ExpandProperty Domains |

	ForEach-Object {

		Get-ADDomainController -Filter * -Server $_

	}

The code reads the properties of all domain controllers for all domains in the AD forest. Together with the other commands in this post, this helps to find the errors. These are often triggered by faulty group policies. In such a case, it may be useful to save the group policies as an HTML report:

 Get-GPOReport -All -Domain "joos.int" -ReportType HTML -Path "C:\temp\report.html"

 

Setting up a test environment 

Troubleshooting can be practiced in a test environment. Domain controllers are quick to install. To create a certain number of users at once in a test environment, use this short script:


$pass= "kennw0rt" | ConvertTo-SecureString -AsPlainText -Force



$Nummer=1..20



Foreach ($z in $Nummer) {New-AdUser -Name Schulung$z -Path "OU=Schulung, DC=Joos, DC=int" -enabled $True -ChangePasswordAtLogon $true -AccountPassword $pass}

or:


1..20 | ForEach-Object {

	New-AdUser -Name "Schulung$_" -Path "OU=Schulung, DC=Joos, DC=int" -Enabled $True -ChangePasswordAtLogon $true -AccountPassword $pass  

}

You can customize the individual environment data in the parts of the script, including the number of users you want the script to create.

 

Finding replication errors in PowerShell 

Among the most common errors in Active Directory are problems with replication. To find these, you can first display all replication connections in PowerShell with Get-ADReplicationConnection.

Viewing replication connections in Active Directory

Viewing replication connections in Active Directory

Based on this information, you can start troubleshooting. For example, if you want to view the replication errors of a domain controller, use the command below. Again, you need to specify the particular domain controller in the -Target parameter:

Get-ADReplicationFailure -Target dc01

If the error is not quite narrowed down to one domain controller, you can also include the forest and thus all domain controllers in the environment:

Get-ADReplicationFailure -Target "joos.int" -Scope Forest

View all replication errors in an Active Directory environment.

View all replication errors in an Active Directory environment

This allows you to quickly see if the environment's replication errors are concentrated on individual domain controllers, and it allows you to get down to troubleshooting. Here you can also see if individual domain controllers are failing to connect. In this case, check which DC is causing the error. You can also replicate individual objects with the "Sync-ADObject" cmdlet to find out which problems exist between which domain controllers.

 

Testing network connections between servers 

In PowerShell, you can also test network connections between computers and verify that certain ports are open and allow communication between the destination and source servers. For example, if you want to test the connection from DC01 to DC02, first enter the following command in PowerShell on DC01:

Test-NetConnection dc02

If the connection works in general, you can also test the connection to individual ports. To do this, use the "-Port" parameter. The most important ports you can test at this point between two domain controllers is:


LDAP: 389 (TCP, UDP)

LDAP: (SSL) 686 (TCP)

Globaler Katalog: 3268 (TCP)

Globaler Katalog (SSL): 3269 (TCP)

Verifying network connections between domain controllers in PowerShell.

Verifying network connections between domain controllers in PowerShell

The secure channel between domain controllers and domain is also relevant in this context. This is just as important on member servers as it is on domain controllers. Again, you can test a server in PowerShell and then repair the connection if necessary. The "-verbose" parameter will give you more information if there are errors:

Test-ComputerSecureChannel -Server dc01 -verbose

You can test a repair of the channel with the "Test-ComputerSecureChannel -Repair" cmdlet. To test the network connections, it may also be necessary to save the current external IP address of the default gateway as a variable in PowerShell. You then use the contents of the variable in a script or you can also simply display the contents by entering the variable, in this example "$ip":


$ip = Invoke-RestMethod http://ipinfo.io/json | Select -exp ip

$ip

Displaying the external IP address of the default gateway in PowerShell

Displaying the external IP address of the default gateway in PowerShell

 

DNS and PowerShell

In PowerShell, you can also display a computer's DNS cache and clear it as well. This is especially useful if you have made adjustments to the DNS options for troubleshooting purposes and then want to clear the cache:


Get-DNSClientServerAddress



Clear-DnsClientCache

You can read out the complete network configuration in PowerShell with "Get-NetIPConfiguration". Concerning DNS servers, reading out the DNS zones is also important in this area. You can also do this in PowerShell, for example with:

Get-DnsServerZone -ComputerName dc01

 

Conclusion 

PowerShell is a powerful tool when it comes to finding and also fixing errors in Active Directory. The commands are not complicated in most cases and provide all the necessary information needed for troubleshooting. It is worthwhile for admins to familiarize themselves with the most important commands. The cmdlets are also ideal for a quick diagnosis and an initial overview of the settings and structure of an Active Directory environment.

 

 

 

Related links

 

 

Related posts
9 min read

Easy ways how to query Active Directory with PowerShell

Mar 4, 2022 by Thomas Joos
13 min read

The tools you need when troubleshooting Active Directory

Mar 30, 2023 by Damian Scoles
14 min read

10 tips for Active Directory administration with PowerShell

Jul 1, 2020 by Thomas Joos

About the author:

Thomas Joos

Thomas Joos is a freelance IT consultant and has been working in IT since 1992. He has published more than 90 practical reference books and writes for numerous IT publications such as c’t, PC Magazin, PC Welt, IT Administrator, Computerwoche and Heise Security.

Latest posts: