WRISH

A new corner

Isolate a DC - Part 10: Reset KrbTGT password twice

This is Part 10 of a series on Active Directory Forest recovery; a new password for your domain.

Reset KrbTGT password twice

And finally, just in case someone still has a ticket lying around waiting to be used on your restored domain, sort that right out and update your KrbTGT password.

function Reset-KrbtgtPasswordTwice {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    # Build a long random password; the two Get-Random calls supply 17-18 digits each
    $targetPassword = (ConvertTo-SecureString "!7Dm$(Get-Random -Minimum 10000000000000000 -Maximum 1000000000000000000)$(Get-Random -Minimum 10000000000000000 -Maximum 1000000000000000000)#*&" -AsPlainText -Force)
    Write-Warning "Resetting the KRBTGT password twice without allowing replication of the update may result in Domain Controllers that cannot replicate if they have temporarily lost connectivity.

Isolate a DC - Part 9: Reset Intraforest trust passwords

This is Part 9 of a series on Active Directory Forest recovery; trust no-one, or at least no peer domains.

Reset Intraforest trust passwords

To avoid accidentally permitting interforest authentication with a Domain Controller that hasn’t been restored yet we need to reset the Intra-Forest trust passwords to a common value on both sides. This way the restored domains will all talk with the same hash. Update the trust shared secret to something actually secret before running this command.

Isolate a DC - Part 8: Metadata cleanup all other DCs

This is Part 8 of a series on Active Directory Forest recovery; make your DC lonely.

Metadata Cleanup all other DCs

It’s not recovered until all the DCs are alive, but first, you have to kill them off with Metadata cleanup. Unfortunately the PowerShell commands won’t just delete a Domain Controller for you. So it’s up to NTDSUTIL automation to do the work again. You will need to run these in the Console host, not the PowerShell ISE.

Isolate a DC - Part 7: Seize all FSMO roles

This is Part 7 of a series on Active Directory Forest recovery; you need to have your FSMOs under control.

Seize all FSMO roles

The roles you seize will depend on whether you are in a parent or child domain. The script below leverages NTDSUTIL to seize all roles for a forest root domain, and the Infrastructure Master, PDC and RID Master for child domains. It also updates the FSMO owner attribute on your Application partitions (usually just Forest DNS zones and Domain DNS Zones).

Isolate a DC - Part 6: Raise RID pool

This is Part 6 of a series on Active Directory Forest recovery; in today’s exciting adventure we raise your RID pools by 100k and invalidate the current RID pool.

Raise RID Pools Allocation

Relative Identifiers (RIDs) are handed out whenever you create objects you can assign security to. If you are knee deep in restoration of your forest, you’ll want to make sure you don’t accidentally grant access to something unexpectedly by re-using a SID.

Isolate a DC - Part 5: Disable Global Catalog

This is Part 5 of a series on Active Directory Forest recovery, which requires bringing up restored DCs in their own network; bring them up with good manners and we all benefit.

Disable Global Catalog

Now this step is strictly for Multi-Domain Forest recoveries. If your domains replicate across domain boundaries, they’ll start complaining about their USNs and nobody wants that. If you’ve got yourself a nice simple single Domain environment, don’t sweat it and move on; your Global Catalog can merrily sing into the night air without anybody noticing.

Extracting objects from commands that output text

There are many ways to throw a spanner. But if you really must throw it with PowerShell you’ll want it to result in an object.

The versatility of objects can give much to legacy commands that still linger in the Windows administration world. This short tutorial should teach you to turn most legacy commands into one or more commandlets in some concise code.

Isolate a DC - Part 4: Reset DSRM Password

This is Part 4 of a multi-part blog post on Domain Recovery and DC Isolation with the aid of PowerShell; in today’s installment we learn that Directory Services Restore Mode (DSRM) is not actually needed to perform a full forest recovery.

Reset DSRM Password

Another typically unnecessary step is getting your hands on your DSRM password - if you don’t already have it. The DSRM password is only used in DSRM mode, which you don’t need for this fun exercise, but why not have it just in case!