This is Part 10 of a series on Active Directory Forest recovery; a new password for your domain.
Rest KrbTGT password twice And finally, just in case someone still has a ticket lying around waiting to be used on your restored domain, sort that right out and update your KrbTGT password.
function Reset-KrbtgtPasswordTwice{ [CmdletBinding( SupportsShouldProcess = $true, ConfirmImpact = 'High')]param() $targetPassword = (ConvertTo-SecureString "!7Dm$(get-random -minimum 10000000000000000 -maximum 1000000000000000000)$(get-random -minimum 10000000000000000 -maximum 1000000000000000000)#*&" -AsPlainText -Force) Write-Warning "Resetting the KRBTGT password twice without allowing replication of the update may result in Domain Controllers that cannot replicate if they have temporarily lost connectivity.
This is Part 9 of a series on Active Directory Forest recovery; trust no-one, or at least no peer domains.
Reset Intraforest trust passwords To avoid accidentally permitting interforest authentication with a Domain Controller that hasn’t been restored yet we need to reset the Intra-Forest trust passwords to a common value on both sides. This way the restored domains will all talk with the same hash. Update the trust shared secret to something actually secret before running this command.
This is Part 8 of a series on Active Directory Forest recovery; make your DC lonely.
Metadata Cleanup all other DCs Its not recovered until all the DCs are alive, but first, you have to kill them off with Metadata cleanup. Unfortunately the powershell commands won’t just delete a Domain Controller for you. So its up to NTDSUTIL automation to do the work again. You will need to run these in the Console host, not the PowerShell ISE.
This is Part 7 of a series on Active Directory Forest recovery; you need to have your FSMOs under control.
Seize all FSMO roles The roles you seize will depend on if you are in a parent or child domain, the script below leverages NTDSUTIL to seize all roles for a forest root domain, and the Infrastructure Master, PDC and RID Master for Child domains. It also updates the FSMO owner attribute on your Application partitions (usually just Forest DNS zones and Domain DNS Zones)
This is Part 6 of a series on Active Directory Forest recovery, in today’s exciting adventure we raise your RID pools by 100k and invalidate the current RID pool.
Raise RID Pools Allocation Resource Identifiers are handed out whenever you create objects you can assign security to, if you are knee deep in restoration of your forest, you’ll want to make sure you don’t accidentally grant access to something unexpectedly by re-using a list SID.
This is Part 5 of a series on Active Directory Forest recovery which requires brining up restored DCs in their own network; bring them up with good manners and we all benefit.
Disable Global Catalog Now this step is strictly for Multi-Domain Forest recoveries. If your domains replicate cross domain boundaries, they’ll start complaining about their USNs and nobody wants that. If you’ve got yourself a nice simple single Domain environment, don’t sweat it and move on your Global Catalog can merrily sing into the night air without anybody noticing.
This is Part 4 of a multi part blog post on Domain Recovery and DC Isolation with the aid of Powershell in todays installment we learn that Directory Services Restore Mode (DSRM) is not actually needed to perform a full forest recovery.
Reset DSRM Password Another typically unnecessary step is getting your hands on your DSRM password - if you don’t already have it. DSRM password is only used in DSRM mode, which you don’t need for this fun exercise, but why not have it just in case!
This is Part 3 of a multi part blog post automating AD Forest Recovery, take your forest to rehab, sit it down and force it not to have any AD corruption.
Activate Administrator Account Now I am not one for a false sense of security, but people building environments that I support are. That is why, more often than not, the Administrator account is renamed, the password is divided in 2 and stored at different ends of the earth, one under the 6 watchful eyes of Cerberus the other stuffed in a filing cabinet lost to the ages.
This is Part 2 of a multi part blog post covering the steps to Isolate a Domain Controller - if not emotionally, then logically.
Reset your DFSR SYSVol State A DC booting into it’s own little world wont become healthy until SYSVOL has completed a sync with a partner in its domain, now this step is optional if your domain is temporary, but if you ever want to promote a new DC, or have a beautiful clear DCDIAG, then you’ll need to force SYSVOL into a synced state.
Dragging a single Domain Controller by its nostril into an isolated network can be time consuming. For testing or disaster recovery, the steps are the same, and while well documented almost everywhere, there don’t seem to be any quick and dirty tools to do the steps for you. That is why I wrote this series of powershell functions that can be applied to a DC you have restored in your Virtual environment to get your test Forest up and running quickly.
RISH