How to Enable Active Directory Recycle Bin

Active Directory Recycle Bin is a feature that lets administrators restore deleted objects.

Finding Domain Naming Master Server

We recommend enabling the Recycle Bin feature on the DC that holds the Domain Naming Master role. To find out which domain controller holds this role, use netdom.exe with the following parameters (run it in cmd):

netdom.exe query fsmo

Alternatively, this can be achieved in PowerShell console under elevated privileges:

Import-Module ActiveDirectory

Get-ADForest | Format-List DomainNamingMaster

How to Enable Recycle Bin in AD Administrative Center

To do this, you need a domain admin user account. Start AD Administrative Center (start -> run -> dsac.exe).

Click on your domain name and, in the "Tasks" pane, click "Enable Recycle Bin...".

Alternatively, right-click your domain in the overview and click "Enable Recycle Bin...".

A confirmation window appears, warning that the Recycle Bin can only be enabled once and cannot be disabled afterwards. Click OK.

After enabling the feature, click OK in the warning that appears, then refresh ADAC by clicking the refresh button in the top right corner of the window:

You will see that a new container named "Deleted Objects" appears next to the "Computers" container.

How to Enable Recycle Bin in PowerShell Console

The Recycle Bin can also be enabled from a PowerShell console. Run PowerShell.exe with elevated permissions and type in the following code:

Import-Module ActiveDirectory

Enable-ADOptionalFeature -Identity "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=office,DC=local" -Scope ForestOrConfigurationSet -Target "office.local"

Replace office, local and office.local with your own domain parameters. The system will ask for confirmation; type "y" to continue, and the "Deleted Objects" container appears.
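The command above is a one-way switch, so it is worth checking the current state before running it. The following script is an added example, not code from the original article: it looks up the feature and the Domain Naming Master instead of hard-coding the distinguished name, refuses to run if the feature is already enabled or the forest functional level is too low, and re-reads the feature afterwards to confirm the change. It assumes the ActiveDirectory RSAT module is installed and the caller is an Enterprise Admin.

```powershell
# Added example (not from the original article): enable the AD Recycle Bin
# idempotently and verify the result.
# Assumes: ActiveDirectory module available, caller is Enterprise Admin.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'

# Enabling cannot be undone; if it is already on in this forest, stop here.
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Host "Recycle Bin is already enabled. Scopes:"
    $feature.EnabledScopes | ForEach-Object { Write-Host "  $_" }
    return
}

# The feature requires forest functional level Windows Server 2008 R2 or higher.
if ($forest.ForestMode -lt 'Windows2008R2Forest') {
    throw "Forest functional level $($forest.ForestMode) is too low for the Recycle Bin."
}

# Make the change on the Domain Naming Master, as the article recommends.
# -Confirm:$false suppresses the interactive "y" prompt mentioned above.
Enable-ADOptionalFeature -Identity $feature.DistinguishedName `
    -Scope ForestOrConfigurationSet `
    -Target $forest.RootDomain `
    -Server $forest.DomainNamingMaster `
    -Confirm:$false

# Re-read the feature from the same DC and show the scope it is now enabled for.
$after = Get-ADOptionalFeature -Identity $feature.DistinguishedName -Server $forest.DomainNamingMaster
"Enabled scopes: " + ($after.EnabledScopes -join '; ')
```

Querying the feature by name rather than by a typed-in distinguished name avoids the most common mistake with this command: a DC=... suffix copied from documentation that does not match the forest being changed.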

From now on, when an AD object is deleted its "isDeleted" attribute is set to "true" while its "isRecycled" attribute is left untouched. In this state the deleted object is moved to "Deleted Objects", from where you can easily restore it by right-clicking it and selecting Restore.

After 60 days the deleted object lifetime expires and the "isRecycled" attribute changes to "true"; at that point the object is deleted permanently.
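The same isDeleted/isRecycled logic can be driven from PowerShell, which is useful when the object to restore has to be found among many deletions. The script below is an added example, not code from the original article: it reads the lifetimes that govern the Recycle Bin from the configuration partition, lists objects that are deleted but not yet recycled (the restorable ones), and restores one user by its original sAMAccountName. It assumes the ActiveDirectory module, and "jsmith" is a placeholder account name.

```powershell
# Added example (not from the original article): inspect and restore from the
# AD Recycle Bin. Assumes the ActiveDirectory module; "jsmith" is a placeholder.
Import-Module ActiveDirectory

# Read the lifetimes that decide when a deleted object becomes recycled and is
# later garbage-collected. If an attribute is unset, the directory's built-in
# default applies, so an empty value here does not mean "never".
$rootDse  = Get-ADRootDSE
$dsConfig = Get-ADObject `
    -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
    -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
"tombstoneLifetime (days):          $($dsConfig.tombstoneLifetime)"
"msDS-DeletedObjectLifetime (days): $($dsConfig.'msDS-DeletedObjectLifetime')"

# Restorable objects: isDeleted is TRUE and isRecycled is not yet set.
# The "Deleted Objects" container itself is marked isDeleted, so exclude it.
$deleted = Get-ADObject `
    -Filter { isDeleted -eq $true -and isRecycled -ne $true -and name -ne 'Deleted Objects' } `
    -IncludeDeletedObjects `
    -Properties isDeleted, isRecycled, lastKnownParent, whenChanged, sAMAccountName

# lastKnownParent is where Restore-ADObject will put the object back by default.
$deleted |
    Select-Object Name, ObjectClass, sAMAccountName, whenChanged, lastKnownParent |
    Format-Table -AutoSize

# Restore a specific user. Deleted objects get a renamed CN, so match on the
# preserved sAMAccountName and restore by GUID, which never changes.
$victim = $deleted | Where-Object { $_.sAMAccountName -eq 'jsmith' } | Select-Object -First 1
if ($null -ne $victim) {
    Restore-ADObject -Identity $victim.ObjectGUID
    Get-ADUser -Identity 'jsmith' -Properties whenChanged |
        Format-List Name, DistinguishedName, whenChanged
} else {
    Write-Warning "No restorable deleted object with sAMAccountName 'jsmith' was found."
}
```

Objects that already have isRecycled set are omitted on purpose: Restore-ADObject cannot bring them back, and listing them would only suggest otherwise.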

How to Troubleshoot AD Replication using Repadmin Tool

Repadmin is a command-line tool for diagnosing AD replication issues. With Repadmin it is easy to view the replication topology for every domain controller, change it manually, and initiate replication between controllers. Repadmin also lets you inspect replication metadata and up-to-dateness vectors (UTDVEC).

Repadmin.exe is built into Windows Server starting from 2008. It ships with the AD Domain Services role and can also be installed on client OSes such as Windows 10 as part of RSAT.

Command List

Repadmin.exe has many commands; let's focus on the most commonly used ones:

  • /syncall – synchronizes a given DC with its replication partners
  • /prp – manages the Password Replication Policy (PRP) of an RODC, if you have one
  • /queue – shows the current replication queue
  • /replicate – triggers replication of a partition from one DC to another
  • /replsingleobj – replicates a single object between two DCs
  • /replsummary – shows a summary report of the current replication state and health in AD
  • /showattr – displays the attributes of an object
  • /showbackup – displays the last backup time
  • /showrepl – shows the current replication status of a DC

How to Get General Replication Status

Let's start with the overall state of replication. Run an elevated cmd.exe (start -> run -> cmd.exe) and type in the following command:

repadmin.exe /replsummary

The output will show you any replication failures that exist in your AD environment.
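Reading the summary by eye works for a handful of DCs; for a larger forest, or for a scheduled health check, it helps to get the per-link status as objects. The function below is an added example, not code from the original article: it runs repadmin with the /showrepl /csv switches (which exist, but are not on this page), converts the CSV rows into objects, and reports every inbound replication link with a non-zero failure count. It assumes repadmin.exe is on the PATH (a DC or a machine with RSAT) and that the caller can read replication metadata.

```powershell
# Added example (not from the original article): collect replication link status
# from repadmin as objects and report failing links.
# Assumes repadmin.exe is available (DC or RSAT) and read access to the directory.
function Get-ReplicationLinkStatus {
    # "*" queries every DC in the forest; /csv emits one row per inbound link.
    $raw = & repadmin.exe /showrepl * /csv
    if ($LASTEXITCODE -ne 0) { throw "repadmin exited with code $LASTEXITCODE" }

    # Keep only CSV rows: the header starts with "showrepl_COLUMNS" and data rows
    # with "showrepl_INFO"; anything else is a warning printed by repadmin.
    $csv = $raw | Where-Object { $_ -match '^showrepl_' }

    $csv | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Destination = $_.'Destination DSA'
            Source      = $_.'Source DSA'
            Partition   = $_.'Naming Context'
            Failures    = [int]$_.'Number of Failures'
            LastFailure = $_.'Last Failure Time'
            LastSuccess = $_.'Last Success Time'
            Status      = $_.'Last Failure Status'
        }
    }
}

function Get-FailingReplicationLinks {
    # Only links that have failed since their last success are interesting here.
    Get-ReplicationLinkStatus | Where-Object { $_.Failures -gt 0 } |
        Sort-Object Destination, Source, Partition
}

# Usage: list failing links and count them per destination DC, which usually
# points at the DC with the network or DNS problem.
$failing = Get-FailingReplicationLinks
if ($failing) {
    $failing | Format-Table Destination, Source, Partition, Failures, LastSuccess, Status -AutoSize
    $failing | Group-Object Destination |
        Select-Object Name, Count |
        Format-Table -AutoSize
} else {
    Write-Host "No replication failures reported by repadmin /showrepl."
}
```

The output carries the same information as /replsummary, but as objects it can be filtered, exported or compared between runs, which is what a recurring health check needs.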

How to Force Replication

Suppose you have replication failures and need to force replication after fixing a network connectivity problem. In an elevated Command Prompt (cmd.exe) on any DC, run:

repadmin.exe /syncall /Aped

The flags added to the /syncall command synchronize all partitions (/A), use push notifications (/P), work in enterprise mode across Active Directory sites (/e), and print distinguished names instead of DNS names (/d).

How to Manage Inbound and Outbound Replication

Inbound and/or outbound replication can be disabled on a DC and re-enabled later. To do so, run the following commands in cmd with admin rights:

repadmin.exe /options DC01 +DISABLE_INBOUND_REPL

Disables inbound replication on DC01

repadmin.exe /options DC01 +DISABLE_OUTBOUND_REPL

Disables outbound replication on DC01

repadmin.exe /options DC01 -DISABLE_INBOUND_REPL

Enables inbound replication on DC01

repadmin.exe /options DC01 -DISABLE_OUTBOUND_REPL

Enables outbound replication on DC01

For example, the option to disable outbound replication is a good way to perform schema updates without the need to rebuild the entire Active Directory forest.
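The risk with these options is forgetting to remove them: a DC left with DISABLE_OUTBOUND_REPL set silently stops contributing changes to the rest of the forest. The function below is an added example, not code from the original article: it wraps a maintenance task so that outbound replication on one DC is disabled beforehand and re-enabled in a finally block even if the task throws, and it checks the DC's current options (repadmin /options with no flag prints them) before and after. "DC01" is a placeholder name, and the maintenance script block is a stand-in for whatever is done on the isolated DC.

```powershell
# Added example (not from the original article): pause outbound replication on
# one DC for the duration of a task and guarantee it is turned back on.
# Assumes repadmin.exe is available and the caller has admin rights on the DC.
# "DC01" is a placeholder; replace it with the DC being worked on.
function Invoke-WithOutboundReplicationPaused {
    param(
        [Parameter(Mandatory)] [string]      $DomainController,
        [Parameter(Mandatory)] [scriptblock] $Maintenance
    )

    # With no flag, /options prints a line such as
    # "Current DSA Options: IS_GC DISABLE_OUTBOUND_REPL". Refuse to touch a DC
    # that someone else has already isolated, so we do not re-enable it behind them.
    $before = & repadmin.exe /options $DomainController
    if ($before -match 'DISABLE_OUTBOUND_REPL') {
        throw "$DomainController already has outbound replication disabled; refusing to proceed."
    }

    & repadmin.exe /options $DomainController +DISABLE_OUTBOUND_REPL | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Could not disable outbound replication on $DomainController (exit code $LASTEXITCODE)."
    }

    try {
        & $Maintenance
    }
    finally {
        # Runs whether the task succeeded or threw.
        & repadmin.exe /options $DomainController -DISABLE_OUTBOUND_REPL | Out-Null
        $after = & repadmin.exe /options $DomainController
        if ($after -match 'DISABLE_OUTBOUND_REPL') {
            Write-Warning "Outbound replication is STILL disabled on $DomainController; run 'repadmin /options $DomainController -DISABLE_OUTBOUND_REPL' manually."
        } else {
            Write-Host "Outbound replication re-enabled on $DomainController."
        }
    }
}

# Usage: run a placeholder task with DC01 isolated from its replication partners.
Invoke-WithOutboundReplicationPaused -DomainController 'DC01' -Maintenance {
    Write-Host "Performing maintenance on DC01 while outbound replication is paused..."
}
```

The pre-check matters as much as the finally block: if the flag was already set by another administrator, clearing it at the end would undo their isolation without anyone noticing.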

Credits: https://serverspace.us/support/help/how-to-troubleshoot-ad-replication-using-repadmin-tool/
