Syed Jahanzaib Personal Blog to Share Knowledge !

February 15, 2015

Windows Server Active Directory CMDs and Troubleshooting – Short Notes

active directory logo.png

1# Backup Active Directory – System State in windows 2008/2016

Following is an small guide for ‘Backup and restore system state in windows 2008/2016


  1. You cannot store backup on same partition like C: . You must backup the AD in second partition or other drive. (It must be local drive, or network shared folder, but not USB)
  2. First install the backup server features from the Server Manager or via CLI like Open CMD, type powershell​ and enter
    Import Server-Manager
    Add-WindowsFeature Windows-Server-Backup
  3. After this Open command prompt and type

wbadmin start systemstatebackup -backuptarget:d:

and press enter. It will ask for confirmation, Type Y to continue

Note: You can use a different backup target of your choosing, it must be a local drive of your server.

When the backup finishes running, you should get a message that the backup completed successfully. Goto your backup drive and you will find folder name WindowsImageBackup with backup data.

# RESTORE Active Directory in Windows 2016 server (Authoritative Mode) on same machine

  • To restore backup on Freshly installed server 2008/2016, First do following
  • Rename computer name to same as the previous domain controller
  • Use the same ip address setting as it was configured on domain controller
  • Add Server Manager backup for SERVER MANAGER
  • Copy the backup folder to D: drive (make sure its structure is like D:\WindwosImageBackup\SERVER\XXXXX
  • Boot server in Directory Services Restore Mode (DSRM) by using following method …
    Open CMD and
    bcdedit /set safeboot dsrepair
    shutdown –r –t 0
    The system will reboot now,
  • Open command prompt , First you need to get backup version number so that you may restore correct version of backup, use the following command to get the version number

wbadmin get versions -backupTarget:D:

# Make sure your backups are in folder structure  like d:\windowsimagebackup\servername – and so on

  • Write down the version you need to use.
  • To restore AD in AUTHORITATIVE mode, use the following command

wbadmin start systemstaterecovery -backuptarget:d: -version:04/04/2013-15:00 –authsysvol


  1. Change the -version: to match your backup number that noted from wbadmin get version command
  2. Change -backuptarget:d: to match the partition where backup folders are residing.
  3. – To restore AD in non-authoritative mode, remove the –authsysvol syntax at the end of the command

Once the restore is complete, system will reboot automatically. it will boot in DSRM mode again as we set this flag in the starting proceedure. now use

  • bcdedit /deletevalue {default} safeboot
  • shutdown –t -0 -r

Once booted, you will see all your AD settings 🙂

Baremetal Recovery via WBADMIN Restore in new vm using network share [Updated 2-OCT-2018]


Domain Controller Name: DC01

If you have taken FULL backup of your server (EXMAPLE DC01) using WBADMIN/ Server Manager Backup wizard and stored in a network location example FILESERVER shared folder, we can restore it to the new vm [Baremetal Recovery]

Example ,

  • Create a new VM with same settings as old vm [DC01].
  • Now boot this vm via windows ISO (in my example it was 2016 gui edition) , and select REPAIR ,
  • Open CMD, and issue
    start /w wpeinit
  • Test connectivity by
    net use \\FILESERVER\WindowsImageBackup\DC01 /user:DOMAIN\ADMIN
  • Now get backup version from the shared folder
    wbadmin get versions -backupTarget:\\FILESERVER\WindowsImageBackup\DC01

If all goes correct, then it will show you the backup versions, note down the version you want to restore and use it in below CMD …

  • wbadmin start sysrecovery -version:10/02/2018-22:05 -backuptarget:\\FILESERVER\WindowsImageBackup\DC01 -machine:DC01 -recreateDisks -restoreAllVolumes

Once it shows successfull , then reboot. You may need to reboot twice in order to get all in order.

You may wan to read more here

# How to Protect/Unprotect Active Directory Objects from Accident Deletion

Enable Protection

1#- Enable protection on all active directory users

Get-ADObject -filter {(ObjectClass -eq "user")} | Set-ADObject -ProtectedFromAccidentalDeletion:$true

2# Enable protection any Organizational Unit where the setting is not already enabled

Get-ADOrganizationalUnit -filter * | Set-ADObject -ProtectedFromAccidentalDeletion:$true

3# Enable protection for groups

Get-ADObject -filter {ObjectClass -eq "user" -or ObjectClass -eq "group"} | Set-ADObject -ProtectedFromAccidentalDeletion:$true

Disable Protection

To remove protection, just change $true to $false in above commands

List Users with bad password count

Get-ADUser -filter * -Properties badPwdCount | where {$_.badpwdcount -gt 1} | Select -Property Name,badpwdcount | sort -Property name

# FSMO roles transfer by powershell cmd

Its now easier to move FSMO roles with Powershell from the 2012/2016 machine.

1) Login to any DC and open powershell as administrator
2) Execute following command

Move-ADDirectoryServerOperationMasterRole -Identity "DC02" -OperationMasterRole 0,1,2,3,4

DC02 is the server on which you want to transfer all fsmo roles, example dc2 is our second DC and we want to move roles from the DC1 to DC2. so we will simply add Target DC which is in our case is DC2. it will become PDC , just for the sake of conversation we are using word PDC

3) Select yes to all 5 roles
4) run netdom query FSMO to check the roles

# Active Directory Health Check

Open CMD as RUN as ADMINISTRATOR, & use following commands to check active directory domain health ,

  • DCDiag /Test:DNS
  • dcdiag /s:DC1 /v
  • repadmin /showrepl
  • repadmin /replsummary
  • repadmin /showrepl SERVERNAME
  • repadmin /showrepl /errorsonly
  • repadmin /queue
  • repadmin /showoutcalls *
  • repadmin /bridgeheads * /verbose
  • repadmin /istg * /verbose

Force Sycn /Replication

The following command will Force / push immediate replication to all domain controllers in the Domain:

  • repadmin /syncall /AdeP
  • OR
  • Repadmin /syncall DC_name /APed


  • repadmin /syncall with the /A(ll partitions) P(ush) e(nterprise, cross sites) d(istinguished names)

Test FRS / DFSR repolication

  • dcdiag /test:frsevent (for FRS)
  • dcdiag /test:dfsrevent (for DFSR)

For reference , use following

Check policy match on all domains

  • gpotool /verbose

to generate group p[policy acquire on client side, use this on client computer

Goto Start/Run

  • RSoP.msc

Check from client workstation, Test

nltest /sc_query:MYDOMAIN

Backup Script with Email

I am using BLAT email tool  for sending email result.

@echo off
set srvname=DC01
set description=DC01 - Daily Status of AD Backup Data Copied in FILE_SERVER
set jobname=DC01 - Daily Status of AD Backup Data Copied in FILE_SERVER
set attachment=c:\backup\ad_backup.log
set mail-subject=DC01 - Daily Status of AD Backup Data Copied in FILE_SERVER
set mail-body=DC01 - Daily Status of AD Backup Data Copied in FILE_SERVER
set mail-to=aacableAThotmailDOTcom
set backuppath=D:\WindowsImageBackup\DC01
set footer=DC+AD Automated Backup and Email Logs Script Created by ZAIB (Pvt) Ltd. IS Dept. / Syed Jahanzaib

FOR /F "skip=1 tokens=1-6" %%A IN ('WMIC Path Win32_LocalTime Get Day^,Hour^,Minute^,Second /Format:table ^| findstr /r "."') DO (
set Milisecond=%time:~9,2%
set Day=%%A
set Hour=%%B
set Minute=%%C
set Second=%%D
set /a Start=%Day%*8640000+%Hour%*360000+%Minute%*6000+%Second%*100+%Milisecond%

rd /q %attachment%
echo Now starting AD backup using wbadmin command ...
wbadmin start systemstatebackup -backuptarget:d: -quiet
echo **************************************************
xcopy.exe D:\WindowsImageBackup\*.* T:\DC01\ad /S /D /C /Y
echo "Deleting OLD Backup Folder older then 10 days - - - - - -- - - - - - - - -- - - - - -"
PowerShell -Command "& Get-ChildItem "T:\DC01\AD\DC01" | Where-Object {$_.PSIsContainer -and $_.LastWriteTime -le [System.DateTime]::Now.AddDays(-10)} | Remove-Item -Recurse -Force"
PowerShell -Command "& Get-ChildItem "D:\WindowsImageBackup" | Where-Object {$_.PSIsContainer -and $_.LastWriteTime -le [System.DateTime]::Now.AddDays(-10)} | Remove-Item -Recurse -Force"

FOR /F "skip=1 tokens=1-6" %%A IN ('WMIC Path Win32_LocalTime Get Day^,Hour^,Minute^,Second /Format:table ^| findstr /r "."') DO (
set Day=%%A
set Hour=%%B
set Minute=%%C
set Second=%%D
set Milisecond=%time:~9,2%
set /a End=%Day%*8640000+%Hour%*360000+%Minute%*6000+%Second%*100+%Milisecond%
set /a Diff=%End%-%Start%
set /a DiffMS=%Diff%%%100
set /a Diff=(%Diff%-%DiffMS%)/100
set /a DiffSec=%Diff%%%60
set /a Diff=(%Diff%-%Diff%%%60)/60
set /a DiffMin=%Diff%%%60
set /a Diff=(%Diff%-%Diff%%%60)/60
set /a DiffHrs=%Diff%

:: format with leading zeroes
if %DiffMS% LSS 10 set DiffMS=0%DiffMS!%
if %DiffSec% LSS 10 set DiffMS=0%DiffSec%
if %DiffMin% LSS 10 set DiffMS=0%DiffMin%
if %DiffHrs% LSS 10 set DiffMS=0%DiffHrs%

echo The Domain Controller DC01 Backup Report > %attachment%
echo.>> %attachment%
echo The Backup Script took %DiffHrs% Hours, %DiffMin% Mnts, %DiffSec% Secs >> %attachment%
echo.>> %attachment%
echo List of Folders >> %attachment%
echo.>> %attachment%
FORFILES /p %backuppath% /S /D +0 /C "cmd /c IF @isdir == TRUE echo @path" >> %attachment%
echo.>> %attachment%
echo %footer% >> %attachment%
c:\blat\blat.exe %attachment% -to %mail-to% -i %srvname% -s "%mail-subject%"

Event ID 4771 : Kerberos Pre-Authentication Failed

When troubleshooting AD account lockout issues you can search thru Domain Controller security logs for audit failures and event ID 4771.

These event details will include a result code which will specify exactly what the issue is. Most common are …

  • 0x12 – client credentials have been revoked (disabled, expired, locked, etc)
  • 0x17 – password has expired
  • 0x18 – pre-authentication was invalid (bad password)

in my particular case I modify the Kereberos time in GPO , default maximum tolerance time was 5 minutes, I extend it to 30 minutes. as showed below …

  1. Open “Group Policy Management”.
  2. Navigate to “Group Policy Objects” in the Domain being reviewed (Forest >> Domains >> Domain).
  3. Right click on the “Default Domain Policy”, select “Edit”.
  4. Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy.

“Maximum tolerance for computer clock synchronization” , set this to higher value like 30 minutes.

Event ID 4 :  The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server PC01$. The target name used was PC01$

To sort this, Frankly I’d consider disabling machine account password changes on the domain altogether. MS recommends not doing this because of the relaxed security it engenders. but if security is not much concern then try it.

In Default Domain Group Policy

Computer Configuration | Policies | Windows Settings | Admin Templates | Security Options | Domain Member

Play with following …

  • Domain member: Disable machine account password changes =  Enabled

OR increase the password age time to 999 days , [2.7 years approx]

  • Domain member: Maximum machine account password age  = 999 days


Check user group membership etc

whoami /groups

or GPResult

gpresult /r

Reset all Kerberos tickets of the user with this command:

klist purge

Syed Jahanzaib

1 Comment »

  1. Plz share some exchange server interview post…



    Comment by amandeep singh — April 3, 2013 @ 3:53 PM

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: