Syed Jahanzaib Personal Blog to Share Knowledge!

February 15, 2015

Windows Server Active Directory CMDs and Troubleshooting – Short Notes

1# How to enable the RECYCLE BIN in Windows 2008 Active Directory Server.

Prerequisites for enabling the Recycle Bin in Windows 2008 Active Directory:

1- All domain controllers in the forest must run Windows Server 2008 R2 or later.
2- The forest functional level must be Windows Server 2008 R2 or higher (which in turn requires every domain to be at Windows Server 2008 R2). If it is not, first raise the domain functional level in Active Directory Users and Computers, then raise the forest functional level in Active Directory Domains and Trusts (or with Set-ADForestMode).
3- Enable the Recycle Bin from PowerShell. This is a one-way change: once the feature is enabled it cannot be disabled again. Follow the steps below to do so.
> Open PowerShell (from CMD, type powershell).
> Load the AD module with the following command.

Import-Module ActiveDirectory

Now activate the Recycle Bin using the following command (the -Target is the DNS name of the forest root domain):

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=zaib,DC=com' -Scope ForestOrConfigurationSet -Target 'zaib.com'

Note: Change zaib and com (in both the distinguished name and the -Target forest name) to match your own domain. The cmdlet asks for confirmation because the change is irreversible; it must be run by a member of Enterprise Admins.

Delete a single user from AD for test purposes

> Now delete any user for test purposes via ADUC or the net user command

> From PowerShell, search for deleted objects using the following command (TIP: to run AD cmdlets, always load the ActiveDirectory module after you launch PowerShell)

Get-ADObject -Filter {name -like "*test*" -and deleted -eq $true} -IncludeDeletedObjects

Note: Change *test* to match the name, or part of the name, of the deleted user. Deleted objects are renamed to "<name>\0ADEL:<GUID>" and moved under CN=Deleted Objects, which is why the wildcard match on name still works and why -IncludeDeletedObjects is required.

Restore Deleted User

To restore the deleted account, pipe the same search into Restore-ADObject:

Get-ADObject -Filter {name -like "*test*" -and deleted -eq $true} -IncludeDeletedObjects | Restore-ADObject

Check the filter's output before adding the pipe: a loose wildcard restores every deleted object it matches. If the OU that held the user was deleted as well, restore the OU first (or pass -TargetPath with a different OU), because an object cannot be restored into a parent that no longer exists.

If you want to use GUI for easy access, then you can try ADRecycleBin.exe (Active Directory Recycle Bin) which allows administrators to quickly restore deleted Active Directory objects via an easy to use GUI (Graphical User Interface). This is a free Active Directory Recycle Bin tool. You can download it from
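Putting the steps of this section together, here is an added example (not code from the original post): it checks the forest level, enables the Recycle Bin only if it is not already enabled, then restores a user by sAMAccountName, falling back to a named OU when the user's original OU was deleted too. The account name test.user and the OU=Restored fallback are assumptions; adjust them to your domain.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module is present
# and that the caller is an Enterprise Admin (needed to enable the optional feature).
Import-Module ActiveDirectory

function Enable-RecycleBinIfNeeded {
    $forest   = Get-ADForest
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ($forest.ForestMode -lt $required) {
        throw "Forest mode is '$($forest.ForestMode)'; raise it with Set-ADForestMode first."
    }
    # Resolve the feature object instead of hard-coding the CN=...,DC=zaib,DC=com path.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Host "Recycle Bin already enabled in: $($feature.EnabledScopes -join ', ')"
        return
    }
    # Irreversible: once enabled, the feature cannot be disabled again.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
}

function Restore-DeletedUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Assumed fallback OU; only used when the user's original OU no longer exists.
        [string]$FallbackPath = "OU=Restored,$((Get-ADDomain).DistinguishedName)"
    )
    # Deleted objects keep sAMAccountName, so match on it rather than on the mangled CN ("test\0ADEL:<guid>").
    $candidates = Get-ADObject -Filter { sAMAccountName -eq $SamAccountName -and isDeleted -eq $true } `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
    if (-not $candidates) {
        throw "No deleted object named '$SamAccountName' (the deleted-object lifetime may have expired)."
    }
    # If the account was deleted more than once, take the most recent tombstone.
    $obj = @($candidates | Sort-Object whenChanged -Descending)[0]

    # Restore-ADObject fails when the parent OU is gone, so probe the parent first.
    $parentAlive = $true
    try   { $null = Get-ADObject -Identity $obj.lastKnownParent -ErrorAction Stop }
    catch { $parentAlive = $false }

    if ($parentAlive) {
        Restore-ADObject -Identity $obj.ObjectGUID
    } else {
        Write-Warning "Original parent '$($obj.lastKnownParent)' is gone; restoring into $FallbackPath."
        Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $FallbackPath
    }
    # Return the live account so the caller can confirm it is back where expected.
    Get-ADUser -Identity $SamAccountName -Properties Enabled, DistinguishedName
}

Enable-RecycleBinIfNeeded
Restore-DeletedUser -SamAccountName 'test.user'   # assumed account name
```

The function restores by ObjectGUID rather than by a wildcard on name, so a broad pattern like *test* cannot drag unrelated deleted objects back with it.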

2# Backup Active Directory – System State in windows 2008

Following is a small howto on backing up and restoring the system state in Windows 2008.


1- First install the Windows Server Backup feature (including the command-line tools) from Server Manager.
2- Open an elevated command prompt and type

wbadmin start systemstatebackup -backuptarget:d:

and press Enter. It will ask for confirmation; type Y to continue.

Note: You can use a different backup target of your choosing, but it must be a local volume of the server, and wbadmin refuses a critical volume (one holding the operating system or the AD database and logs) unless you override that in the registry. Keep backups fresher than the deleted-object (tombstone) lifetime, 180 days by default, because a domain controller restored from an older system state is not allowed to replicate again.

When the backup finishes running, you should get a message that the backup completed successfully. Go to your backup drive and you will find a folder named WindowsImageBackup containing the backup data.

3# RESTORE Active Directory in Windows 2008 (Authoritative vs Non-Authoritative)

– To restore the backup, boot Windows 2008 into Directory Services Restore Mode (DSRM) and log on with the DSRM administrator password.

– Open a command prompt. First you need the backup version identifier so that you restore the correct version; use the following command to list them:

wbadmin get versions

– Write down the version identifier you need.

– To run a system state recovery whose SYSVOL copy is authoritative, use the following command:

wbadmin start systemstaterecovery -version:04/04/2013-15:00 -authsysvol

Note: Change -version: to match the version identifier you noted from wbadmin get versions.

– -authsysvol only makes the restored SYSVOL (Group Policy templates and scripts) authoritative, so it overwrites the SYSVOL replicas on the other domain controllers. It does not make the restored AD database authoritative: objects that were deleted on the other DCs will be deleted again by replication unless you mark them with ntdsutil (ntdsutil, then activate instance ntds, then authoritative restore, then restore object or restore subtree for the DN in question) before rebooting out of DSRM.

– For a non-authoritative restore, which is the normal case when the other DCs hold good data and replication should simply bring this DC up to date, omit -authsysvol. With a single domain controller the distinction does not matter, as there is nothing to replicate from.

To get more info, please visit for a more detailed step by step guide with snapshots
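Picking the right -version: value by hand is error-prone when several backups exist, and -authsysvol is easy to misunderstand. The following added example (not code from the original post) parses the output of wbadmin get versions, selects the newest version identifier and builds the matching systemstaterecovery command in either mode. The sample output is constructed; on a real server you would feed it the live command output as shown in the last comment.

```powershell
# Added example, not from the original post: pick the newest system state version from
# 'wbadmin get versions' output and build the matching recovery command.

function Get-WbVersionIds {
    param([Parameter(Mandatory)][string[]]$WbadminOutput)
    foreach ($line in $WbadminOutput) {
        # wbadmin prints one "Version identifier: MM/dd/yyyy-HH:mm" line per backup set.
        if ($line -match '^\s*Version identifier:\s*(\S+)') {
            [pscustomobject]@{
                Id   = $Matches[1]
                Time = [datetime]::ParseExact($Matches[1], 'MM/dd/yyyy-HH:mm', [cultureinfo]::InvariantCulture)
            }
        }
    }
}

function Get-LatestWbVersionId {
    param([Parameter(Mandatory)][string[]]$WbadminOutput)
    $versions = @(Get-WbVersionIds -WbadminOutput $WbadminOutput)
    if ($versions.Count -eq 0) { throw "No 'Version identifier' lines found; is the backup target attached?" }
    ($versions | Sort-Object Time -Descending)[0].Id
}

function New-SystemStateRecoveryCommand {
    param(
        [Parameter(Mandatory)][string]$VersionId,
        # -authsysvol marks only SYSVOL as authoritative; AD objects still need ntdsutil afterwards.
        [switch]$AuthoritativeSysvol
    )
    $cmd = "wbadmin start systemstaterecovery -version:$VersionId -quiet"
    if ($AuthoritativeSysvol) { $cmd += ' -authsysvol' }
    $cmd
}

# Constructed sample of 'wbadmin get versions' output: two backups, the older one listed first.
$sample = @'
Backup time: 4/3/2013 3:00 PM
Backup target: Fixed Disk labeled D:
Version identifier: 04/03/2013-15:00
Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State

Backup time: 4/4/2013 3:00 PM
Backup target: Fixed Disk labeled D:
Version identifier: 04/04/2013-15:00
Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State
'@ -split "`r?`n"

$latest = Get-LatestWbVersionId -WbadminOutput $sample          # 04/04/2013-15:00
New-SystemStateRecoveryCommand -VersionId $latest                # non-authoritative (default)
New-SystemStateRecoveryCommand -VersionId $latest -AuthoritativeSysvol

# On the real machine (in DSRM), replace $sample with the live output:
#   $live = wbadmin get versions -backupTarget:d: 2>&1 | Out-String -Stream
```

The functions only build the command string; run it yourself once you have read it, since a recovery in DSRM is not something to fire from a script unattended.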

4# How to Protect/Unprotect Active Directory Objects from Accident Deletion

Enable Protection

1#- Enable protection on all Active Directory users

Get-ADObject -filter {(ObjectClass -eq "user")} | Set-ADObject -ProtectedFromAccidentalDeletion:$true

Note: this filter also matches computer accounts, because their objectClass list includes user. That is usually harmless, but if you only want people, narrow the filter with objectCategory person or query with Get-ADUser instead of Get-ADObject.

2# Enable protection on every Organizational Unit (the setting is simply re-applied where it is already on)

Get-ADOrganizationalUnit -filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true

3# Enable protection for users and groups in one pass

Get-ADObject -filter {ObjectClass -eq "user" -or ObjectClass -eq "group"} | Set-ADObject -ProtectedFromAccidentalDeletion:$true

Disable Protection

To remove protection, change $true to $false in the above commands. A protected object cannot be deleted, even by a Domain Admin, until the flag is cleared (it adds Deny ACEs for Everyone on Delete and Delete Subtree), so any cleanup script or decommissioning procedure must clear the flag first. Protecting every user is therefore a trade-off between safety and convenience, not a free setting.
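Two things the one-liners above do not give you are a report of what is still unprotected and a way to delete a protected object without hunting for the flag by hand. The following added example (not code from the original post) provides both; it uses the objectCategory filter to leave computers out of the user set and clears the flag on a whole subtree before deleting it. Object and OU names passed to it are yours to choose.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module and a
# caller with rights to modify the objects' security descriptors.
Import-Module ActiveDirectory

function Get-UnprotectedAdObjects {
    param(
        # Default scans the whole domain; pass an OU distinguished name to narrow it.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # ProtectedFromAccidentalDeletion is an extended property and must be requested explicitly.
    # objectCategory=person excludes computers, which also carry objectClass=user.
    $users  = Get-ADObject -SearchBase $SearchBase -LDAPFilter '(&(objectCategory=person)(objectClass=user))' `
                  -Properties ProtectedFromAccidentalDeletion
    $groups = Get-ADGroup -SearchBase $SearchBase -Filter * -Properties ProtectedFromAccidentalDeletion
    $ous    = Get-ADOrganizationalUnit -SearchBase $SearchBase -Filter * -Properties ProtectedFromAccidentalDeletion

    @($users) + @($groups) + @($ous) |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Select-Object ObjectClass, DistinguishedName
}

function Remove-ProtectedAdObject {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # For a leaf object the subtree search returns just that object; for an OU it also
    # returns every descendant, each of which may carry its own deny ACEs.
    $protected = Get-ADObject -SearchBase $DistinguishedName -SearchScope Subtree -Filter * `
                     -Properties ProtectedFromAccidentalDeletion |
                 Where-Object { $_.ProtectedFromAccidentalDeletion }
    foreach ($p in $protected) {
        Set-ADObject -Identity $p -ProtectedFromAccidentalDeletion $false
    }
    # -Recursive is needed for containers; -Confirm:$false suppresses the per-object prompt.
    Remove-ADObject -Identity $DistinguishedName -Recursive -Confirm:$false
}

# Report first, so the protection sweep can be checked before anything is deleted.
Get-UnprotectedAdObjects | Format-Table -AutoSize

# Example of a deliberate deletion of a protected test OU (assumed name):
# Remove-ProtectedAdObject -DistinguishedName "OU=Test,$((Get-ADDomain).DistinguishedName)"
```

Because the removal function deliberately strips the safety flag, keep it out of general-purpose scripts and call it only for a specific, reviewed distinguished name.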

List users with a bad password count

Get-ADUser -filter * -Properties badPwdCount | where {$_.badpwdcount -gt 1} | Select -Property Name,badpwdcount | sort -Property name

Note: badPwdCount is not replicated. Each domain controller keeps its own count, and the PDC emulator normally has the highest one because the other DCs retry a failed password against it before rejecting it. Run the query with -Server against the PDC emulator (or against every DC) before trusting the numbers, and remember the count resets to 0 after a successful logon or a password reset.
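Because the counter lives separately on each DC, a single query can miss the DC that is actually seeing the failures. The following added example (not code from the original post) queries every domain controller in the domain and returns one row per DC and account over a threshold, with the time of the last bad password and whether the account is currently locked.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module and
# read access to every DC in the domain.
Import-Module ActiveDirectory

function Get-BadPasswordCounts {
    param([int]$Threshold = 1)
    # badPwdCount and badPasswordTime are per-DC values, so ask each DC in turn.
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $pdc = (Get-ADDomain).PDCEmulator
    foreach ($dc in $dcs) {
        try {
            Get-ADUser -Server $dc -Filter { badPwdCount -gt $Threshold } `
                -Properties badPwdCount, badPasswordTime, lockoutTime |
            ForEach-Object {
                [pscustomobject]@{
                    DomainController = $dc
                    IsPdcEmulator    = ($dc -eq $pdc)          # usually the most complete count
                    User             = $_.SamAccountName
                    BadPwdCount      = $_.badPwdCount
                    # badPasswordTime is a FILETIME (Int64); 0 means "never".
                    LastBadPassword  = $(if ($_.badPasswordTime) { [datetime]::FromFileTime($_.badPasswordTime) })
                    LockedOut        = [bool]($_.lockoutTime -gt 0)
                }
            }
        } catch {
            # A DC that is down or unreachable must not abort the whole sweep.
            Write-Warning "Could not query $dc : $_"
        }
    }
}

Get-BadPasswordCounts -Threshold 1 |
    Sort-Object User, DomainController |
    Format-Table User, DomainController, IsPdcEmulator, BadPwdCount, LastBadPassword, LockedOut -AutoSize
```

Reading the table across DCs tells you which site the bad passwords are arriving in, which is the first clue when chasing a stale credential on a service or a mapped drive.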

5# FSMO roles transfer by PowerShell cmd

It is now easier to move FSMO roles with PowerShell (the AD module on Windows 2008 R2 / 2012).
1) Log on to any DC and open PowerShell as administrator
2) Execute the following command

Move-ADDirectoryServerOperationMasterRole -Identity "DC02" -OperationMasterRole 0,1,2,3,4

DC02 is the server to which you want to transfer all FSMO roles. In this example DC2 is our second DC and we want to move the roles from DC1 to DC2, so the target DC is DC2; afterwards it holds all five roles, including the PDC emulator (the "PDC" in the loose sense people still use). The numbers map to 0 = PDCEmulator, 1 = RIDMaster, 2 = InfrastructureMaster, 3 = SchemaMaster, 4 = DomainNamingMaster; the role names can be given instead of the numbers. This is a graceful transfer and needs the current holder to be online; if that holder is permanently gone, add -Force to seize the roles instead, and never bring the old holder back online afterwards. Moving the schema master requires Schema Admins and the domain naming master Enterprise Admins.

3) Answer Yes to the confirmation for each of the 5 roles
4) Run netdom query fsmo to check the roles
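As an added example (not code from the original post), the following shows the holders before and after the move, moves the roles by name rather than by number, and makes the seize case an explicit switch so it cannot be triggered by accident. The target name DC02 is the one used in the text and is an assumption.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module and a
# caller who is Domain Admin, Schema Admin and Enterprise Admin (each role has its own requirement).
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [pscustomobject]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
}

function Move-AllFsmoRoles {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        # Seize only when the current holder is permanently gone; a seized-from DC must never return.
        [switch]$Seize
    )
    # Names instead of 0..4: same roles, no chance of mixing the numbers up.
    $roles  = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster'
    $params = @{
        Identity            = $TargetDC
        OperationMasterRole = $roles
        Confirm             = $false
    }
    if ($Seize) { $params.Force = $true }   # -Force turns the transfer into a seizure
    Move-ADDirectoryServerOperationMasterRole @params
    Get-FsmoHolders
}

Write-Host 'Before:'; Get-FsmoHolders | Format-List
Write-Host 'After:';  Move-AllFsmoRoles -TargetDC 'DC02' | Format-List   # assumed target
netdom query fsmo                                                           # independent confirmation
```

Comparing the two Get-FsmoHolders outputs is the quickest way to spot a role that did not move, for example because the account lacked Schema Admins.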

6# Active Directory Health Check

Open CMD with Run as administrator and use the following commands to check Active Directory domain health:

  • DCDiag /Test:DNS
  • dcdiag /s:DC1 /v
  • repadmin /showrepl
  • repadmin /replsummary
  • repadmin /showrepl SERVERNAME
  • repadmin /showrepl /errorsonly
  • repadmin /queue
  • repadmin /showoutcalls *
  • repadmin /bridgeheads * /verbose
  • repadmin /istg * /verbose

Force Sync / Replication

The following command will force / push immediate replication to all domain controllers in the domain:

  • repadmin /syncall /AdeP
  • OR
  • Repadmin /syncall DC_name /APed


  • repadmin /syncall with /A (all partitions), /P (push, from this DC outwards), /e (enterprise, across sites) and /d (show servers by distinguished name instead of GUID in the output)


Test FRS / DFSR replication

  • dcdiag /test:frsevent (for FRS)
  • dcdiag /test:dfsrevent (for DFSR)
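repadmin /showrepl prints a lot of text; with /csv it becomes data you can filter. The following added example (not code from the original post) converts that CSV into objects and reports only the replication links with failures. The two sample rows are constructed to show one healthy and one failing link; the last comment shows how to run it against real output.

```powershell
# Added example, not from the original post: turn 'repadmin /showrepl * /csv' into objects
# and keep only the links that are failing.

function Get-ReplicationFailures {
    param([Parameter(Mandatory)][string[]]$CsvLines)
    # The header row names the columns; ConvertFrom-Csv gives one object per link.
    $CsvLines | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Success Time', 'Last Failure Status'
}

function Get-ReplicationSummaryBySource {
    param([Parameter(Mandatory)][string[]]$CsvLines)
    # Total failures per source DC: a single source showing up everywhere points at that DC.
    $CsvLines | ConvertFrom-Csv |
        Group-Object 'Source DSA' |
        ForEach-Object {
            [pscustomobject]@{
                SourceDSA     = $_.Name
                Links         = $_.Count
                TotalFailures = ($_.Group | Measure-Object -Property 'Number of Failures' -Sum).Sum
            }
        }
}

# Constructed sample: one healthy link and one that has failed twice since its last success.
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC1,"DC=zaib,DC=com",Default-First-Site-Name,DC2,RPC,0,0,2015-02-15 09:15:02,0
showrepl_INFO,Default-First-Site-Name,DC1,"CN=Configuration,DC=zaib,DC=com",Default-First-Site-Name,DC2,RPC,2,2015-02-15 09:30:11,2015-02-14 22:00:45,8524
'@ -split "`r?`n"

Get-ReplicationFailures        -CsvLines $sample | Format-Table -AutoSize
Get-ReplicationSummaryBySource -CsvLines $sample | Format-Table -AutoSize

# On a live DC, pass the real output instead of the sample:
#   $live = repadmin /showrepl * /csv
#   Get-ReplicationFailures -CsvLines $live
```

Scheduling the live form and mailing the result is a cheap replacement for reading repadmin /replsummary by eye every morning.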

For reference, use the following

Check that Group Policy objects are consistent across all domain controllers

  • gpotool /verbose

gpotool (a Resource Kit tool, not installed by default) compares the GPO version stored in AD with the one in SYSVOL on each DC and reports mismatches, which show up in practice as a policy that applies on some clients and not on others.

To see which Group Policy objects a client has actually applied (Resultant Set of Policy), run this on the client computer

Go to Start/Run

  • RSoP.msc

Backup Script with Email

I am using the BLAT email tool for sending the result by email.

@echo off
setlocal enableextensions enabledelayedexpansion
rem Replace the leading space of single-digit hours with 0 so the time arithmetic below works
set starttime=%time: =0%
set srvname=DC1
set description=DC1 - Daily Status of AD Backup Data Copied in FILE_SERVER
set jobname=DC1 - Daily Status of AD Backup Data Copied in FILE_SERVER
rem Defined but not attached; add "-attach %attachment%" to the blat line if you log to this file
set attachment=c:\scripts\mail_backup_log.txt
set mail-subject=DC1 - Daily Status of AD Backup Data Copied in FILE_SERVER
set mail-body=DC1 - Daily Status of AD Backup Data Copied in FILE_SERVER
set mail-to="MYEMAIL"
set footer=DC+AD Automated Backup and Email Logs Script Created by XXX (Pvt) Ltd. IS Dept. / Syed Jahanzaib

rem Map the file server share; it runs under the scheduled task account, so no password is stored here
net use T: \\FILE_SERVER\DataPark
echo Old backup folders are pruned after the copy (the rd below is left disabled on purpose)
rem rd /S /Q d:\WindowsImageBackup\
echo now running new backup script
wbadmin start systemstatebackup -backuptarget:d: -quiet
rem Keep wbadmin's exit code (0 = success) for the report
set backuprc=%errorlevel%
echo **************************************************
xcopy.exe D:\WindowsImageBackup\*.* T:\DC1\ad /S /D /C /Y

rem Remove backup folders older than 10 days. Single quotes inside the PowerShell command,
rem because the outer argument is already delimited by double quotes.
PowerShell -Command "Get-ChildItem 'T:\DC1\AD\DC1' | Where-Object {$_.PSIsContainer -and $_.LastWriteTime -le [DateTime]::Now.AddDays(-10)} | Remove-Item -Recurse -Force"
PowerShell -Command "Get-ChildItem 'D:\WindowsImageBackup' | Where-Object {$_.PSIsContainer -and $_.LastWriteTime -le [DateTime]::Now.AddDays(-10)} | Remove-Item -Recurse -Force"

set endtime=%time: =0%

rem Convert hh:mm:ss to seconds. Each field is prefixed with 1 and 100 subtracted,
rem because SET /A reads 08 and 09 as (invalid) octal numbers.
set /a startsecs=(1%starttime:~0,2%-100)*3600+(1%starttime:~3,2%-100)*60+(1%starttime:~6,2%-100)
set /a endsecs=(1%endtime:~0,2%-100)*3600+(1%endtime:~3,2%-100)*60+(1%endtime:~6,2%-100)
set /a tot=endsecs-startsecs
rem The backup ran over midnight
if !tot! lss 0 set /a tot+=86400
set /a hrs=tot/3600
set /a mins=(tot%%3600)/60
set /a secs=tot%%60

echo End = %endtime%
echo Start = %starttime%
echo Hours = %hrs%
echo Minutes = %mins%
echo Seconds = %secs%
echo Total = %tot% seconds
echo Backup exit code = %backuprc%

rem ##########
rem Email LOGS
rem ##########

c:\blat\blat.exe -to %mail-to% -i %srvname% -s "%mail-subject%" -body "%mail-body%|Backup Report:|Backup exit code = %backuprc% (0 = success)|Start = %starttime%|End = %endtime%|Hours = %hrs%|Minutes = %mins%|Seconds = %secs%||%footer%"

rem ## THE END
rem ## Syed Jahanzaib / XXX (Pvt) Ltd. / IS Dept.

Event ID 4771: Kerberos Pre-Authentication Failed

When troubleshooting AD account lockout issues, search through the Domain Controller security logs for audit failures with event ID 4771.

The event details include a status (result) code which specifies exactly what the issue is. The most common are:

  • 0x12 – client credentials have been revoked (account disabled, expired, locked out, etc.)
  • 0x17 – password has expired
  • 0x18 – pre-authentication was invalid (bad password)

4771 is only written for Kerberos logons; NTLM failures appear as 4776 on the DC and 4625 on the target host. The Client Address field of 4771 tells you which machine sent the bad password, and event 4740 (account locked out) on the PDC emulator names the caller computer, so start the search on the PDC emulator.
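Reading individual 4771 events by hand does not scale once a lockout storm begins. The following added example (not code from the original post) parses the event XML, decodes the three status codes listed above, and groups failures by account, client address and status so the noisy source stands out. One event is constructed inline so the parsing runs without a DC; the Get-KerberosPreAuthFailures function at the end runs the same parser on live events from the PDC emulator.

```powershell
# Added example, not from the original post. Live queries assume the ActiveDirectory module
# and Event Log Readers (or equivalent) rights on the domain controller.
Import-Module ActiveDirectory

$KerberosStatus = @{
    '0x12' = 'KDC_ERR_CLIENT_REVOKED - account disabled, expired or locked out'
    '0x17' = 'KDC_ERR_KEY_EXPIRED - password has expired'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED - wrong password'
}

function ConvertFrom-Event4771 {
    # Takes event XML (as returned by $event.ToXml()) and returns the fields that matter for lockouts.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $x    = [xml]$EventXml
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $status  = $data['Status']
        $meaning = if ($KerberosStatus.ContainsKey($status)) { $KerberosStatus[$status] } else { 'other, look up the KRB error code' }
        [pscustomobject]@{
            Time     = [datetime]$x.Event.System.TimeCreated.SystemTime
            DC       = $x.Event.System.Computer
            User     = $data['TargetUserName']
            # IPv4 callers are reported as IPv4-mapped IPv6 addresses (::ffff:a.b.c.d).
            ClientIP = ($data['IpAddress'] -replace '^::ffff:', '')
            Status   = $status
            Meaning  = $meaning
        }
    }
}

function Get-KerberosPreAuthFailures {
    param(
        # The PDC emulator sees retried failures from the whole domain, so it is the best single source.
        [string]$DomainController = (Get-ADDomain).PDCEmulator,
        [int]$Hours = 24
    )
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4771; StartTime = (Get-Date).AddHours(-$Hours)
    } | ForEach-Object { $_.ToXml() } | ConvertFrom-Event4771
}

# Constructed sample event (not a real log entry): a wrong password from 10.0.0.25.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4771</EventID>
    <TimeCreated SystemTime="2015-02-15T08:31:07.123Z" />
    <Computer>DC1.zaib.com</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">test.user</Data>
    <Data Name="Status">0x18</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:10.0.0.25</Data>
    <Data Name="IpPort">49207</Data>
  </EventData>
</Event>
'@

$sampleXml | ConvertFrom-Event4771 | Format-List

# Live use: rank the (user, address, status) combinations that fail most often.
# Get-KerberosPreAuthFailures -Hours 4 |
#     Group-Object User, ClientIP, Status | Sort-Object Count -Descending |
#     Select-Object Count, Name
```

A run of 0x18 from one address against one account is almost always a stale saved credential on that machine; a run of 0x12 means the account is already locked and the client is still retrying.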


Check user group membership etc.

whoami /groups

or GPResult

gpresult /r

Both show the groups and policies of the current logon session; a group added while the user was logged on does not appear until the user logs on again. To purge the Kerberos tickets of the current user, so that fresh tickets (carrying current group membership) are requested on the next network access, use:

klist purge

Syed Jahanzaib

1 Comment »

  1. Plz share some exchange server interview post…



    Comment by amandeep singh — April 3, 2013 @ 3:53 PM
