ICT-Hotlist Topic
Finally a ReplMon replacement from Microsoft
Published : 2019-09-29.
Last updated : 2021-04-09.
Remember the old tool Replmon? Together with DCDiag it is one of the tools Microsoft Active Directory (AD) experts need to troubleshoot Windows AD DS. The AD Replication Monitor utility (Replmon.exe) was introduced with the Windows Server 2000 Support Tools many years ago as a GUI for performing certain Domain Controller administration tasks. With the release of Windows Server 2008, Replmon was no longer included and Microsoft stopped producing add-on Support Tools. On the internet there are a lot of questions such as "where do I download the Windows Server 2012 version of Replmon?" Nowhere. If you want it, you must run the old Windows Server 2003 version. If you can get it running on your computer!
Some time ago Microsoft produced another tool named ADREPLSTATUS. It worked great and was free, but it has become totally unusable due to expired certificates and sub-standard maintenance.
I present three solutions here: RepAdmin, ADReplStatus and Testimo.
Run REPADMIN on the command prompt
Microsoft started to include the repadmin command in Windows server 2008 and up. It is also included on any computer that has the Remote Server Administration Tools (RSAT) installed. RSAT is part of the Windows 10/11 Operating System and can be installed via Optional Features.
Possibilities
- Sync all DC's (Repadmin /syncall)
- Replicate a single specific object
- View and modify RODC password policies as well as trigger password caching
- Create, modify, and delete replication topology
- Remove lingering objects
- Manipulate Global Catalog partitions
- Set replication registry values
- Export data to Excel-ready text (repadmin /showrepl * /csv)
The command line options:
    C:\>repadmin /?
    Usage: repadmin <cmd> <args> [/u:{domain\user}] [/pw:{password|*}]
                                 [/retry[:<retries>][:<delay>]]
                                 [/csv]
    Use these commands to see the help:
      /?              Displays a list of commands available for use in repadmin and their
                      description.
      /help           Same as /?
      /?:<cmd>        Displays the list of possible arguments, appropriate
                      syntaxes and examples for the specified command <cmd>.
      /help:<cmd>     Same as /?:<cmd>
      /experthelp     Displays a list of commands for use by advanced users only.
      /listhelp       Displays the variations of syntax available for the DSA_NAME,
                      DSA_LIST, NCNAME and OBJ_LIST strings.
      /oldhelp        Displays a list of deprecated commands that still work but
                      are no longer supported by Microsoft.

    Supported commands (use /?:<cmd> for detailed help):
      /kcc            Forces the KCC on targeted domain controller(s) to immediately
                      recalculate its inbound replication topology.
      /prp            This command allows an admin to view or modify the
                      password replication policy for RODCs.
      /queue          Displays inbound replication requests that the DC needs to issue
                      to become consistent with its source replication partners.
      /replicate      Triggers the immediate replication of the specified directory
                      partition to the destination domain controller from the source DC.
      /replsingleobj  Replicates a single object between any two domain
                      controllers that have common directory partitions.
      /replsummary    The replsummary operation quickly and concisely summarizes
                      the replication state and relative health of a forest.
      /rodcpwdrepl    Triggers replication of passwords for the specified user(s)
                      from the source (Hub DC) to one or more Read Only DC's.
      /showattr       Displays the attributes of an object.
      /showobjmeta    Displays the replication metadata for a specified object
                      stored in Active Directory, such as attribute ID, version
                      number, originating and local Update Sequence Number (USN), and
                      originating server's GUID and Date and Time stamp.
      /showrepl       Displays the replication status when specified domain controller
                      last attempted to inbound replicate Active Directory partitions.
      /showutdvec     Displays the highest committed Update Sequence Number (USN)
                      that the targeted DC's copy of Active Directory shows as
                      committed for itself and its transitive partners.
      /syncall        Synchronizes a specified domain controller with all replication
                      partners.

    Supported additional parameters:
      /u:{domain\user}  Specifies the domain and user name separated by a backslash
                        that has permissions to perform operations in
                        Active Directory. UPN logons not supported.
      /pw:{password|*}  Specifies the password for the user name entered with the /u
                        parameter.
      /retry            This parameter will cause repadmin to repeat its attempt to bind
                        to the target dc should the first attempt fail with one of the
                        following error status:
                          1722 / 0x6ba : "The RPC Server is unavailable"
                          1753 / 0x6d9 : "There are no more endpoints available from the
                                          endpoint mapper"
      /csv              Used with /showrepl to output results in comma separated
                        value format. See /csvhelp
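The /showrepl and /csv switches above are the basis of the most useful repadmin health check: one call against every DC, parsed into objects, filtered for links that are failing or have not succeeded recently. The script below is an added example written for this page, not part of repadmin or any Microsoft documentation. It assumes repadmin.exe is on the PATH (RSAT or a DC), that the caller can query every DC, that the CSV column names are those repadmin emits in /csv mode, and it uses an assumed 24-hour staleness threshold that you can change with the parameter.

```powershell
# Added example (not from the original page): parse "repadmin /showrepl * /csv"
# and report inbound replication links that have failed or gone stale.
# Assumptions: repadmin.exe is on PATH, the account can query every DC, and the
# column names ('Number of Failures', 'Last Success Time', ...) are the ones
# repadmin prints in /csv mode.
param(
    [int]$StaleHours = 24   # assumed threshold: flag links with no success in this many hours
)

# "*" targets every DC in the forest; ConvertFrom-Csv turns the output into objects.
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv

if (-not $rows) {
    Write-Warning 'repadmin returned no rows; check that RSAT is installed and the account has rights.'
    return
}

$now = Get-Date
$problems = foreach ($r in $rows) {
    $failures = 0
    [int]::TryParse($r.'Number of Failures', [ref]$failures) | Out-Null

    # repadmin prints timestamps in the local culture (or "(never)"); parse defensively.
    $lastSuccess = $null
    try { $lastSuccess = [datetime]::Parse($r.'Last Success Time') } catch { }

    $stale = $lastSuccess -and (($now - $lastSuccess).TotalHours -gt $StaleHours)

    if ($failures -gt 0 -or $stale) {
        [pscustomobject]@{
            Destination   = $r.'Destination DSA'
            Source        = $r.'Source DSA'
            NamingContext = $r.'Naming Context'
            Failures      = $failures
            LastSuccess   = $lastSuccess
            LastError     = $r.'Last Failure Status'
            Stale         = [bool]$stale
        }
    }
}

if ($problems) {
    $problems | Sort-Object Failures -Descending | Format-Table -AutoSize
    exit 1   # non-zero exit so a scheduled task or monitoring job can alert on it
}
else {
    Write-Host "All $($rows.Count) inbound replication links are healthy."
}
```

Run it from an elevated prompt on a machine with RSAT; the exit code makes it usable as a scheduled health check, and a link that shows both a non-zero failure count and a stale last-success time is the classic sign of a partner that is reachable on the network but refusing RPC (compare the 1722 status listed under /retry above).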
Use the new tool ADReplStatus
ADReplStatus is an open source project by Microsoft employee Joseph Ryan Ries. It is, however, NOT supported or endorsed by Microsoft. The developer is currently building this new version of ADREPLSTATUS and is open to suggestions and bug reports. As a project on GitHub, everyone can contribute.
Screenshots
The new ADReplStatus right click menu and dark mode.
The new ADReplStatus Port Test dialog.
Download
The download can be found on GitHub
Testimo - PowerShell Module
Testimo is a PowerShell module that Przemyslaw Klys wrote to assess Active Directory forests for consulting work. Testimo needs to be flexible enough to tell where a possible problem may be without spending much time trying to find that problem.
Functions
- Forest Backup - Verify last backup time should be less than X days
- Forest Replication - Verify each DC in replication site can reach other replication members
- Forest Optional Features - Verify Optional Feature Recycle Bin should be Enabled
- Forest Optional Features - Verify Optional Feature Privileged Access Management Feature should be Enabled
- Forest Optional Features - Verify Optional Feature LAPS should be enabled and configured
- Forest Sites Verification - Verify each site has at least one subnet configured
- Forest Sites Verification - Verify each site has at least one domain controller configured
- Forest Site Links - Verify each site link is automatic
- Forest Site Links - Verify each site link uses notifications
- Forest Site Links - Verify each site link does not use notifications
- Forest Roles - Verify each FSMO holder is reachable
- Forest Orphaned/Empty Admins - Verify there are no Orphaned Admins (users/groups/computers)
- Forest Tombstone Lifetime - Verify Tombstone lifetime is greater or equal 180 days
- Domain Roles - Verify each FSMO holder is reachable
- Domain Password Complexity Requirements - Verify Password Complexity Policy should be Enabled
- Domain Password Complexity Requirements - Verify Password Length should be greater than X
- Domain Password Complexity Requirements - Verify Password Threshold should be greater than X
- Domain Password Complexity Requirements - Verify Password Lockout Duration should be greater than X minutes
- Domain Password Complexity Requirements - Verify Password Lockout Observation Window should be greater than X minutes
- Domain Password Complexity Requirements - Verify Password Minimum Age should be greater than X
- Domain Password Complexity Requirements - Verify Password History Count should be greater than X
- Domain Password Complexity Requirements - Verify Password Reversible Encryption should be Disabled
- Domain Trust Availability - Verify each Trust status is OK
- Domain Trust Unconstrained TGTDelegation - Verify each Trust TGTDelegation is set to True
- Domain Kerberos Account Age - Verify Kerberos Last Password Change Should be less than 180 days
- Domain Groups: Account Operators - Verify Group is empty
- Domain Groups: Schema Admins - Verify Group is empty
- Domain User: Administrator - Verify Last Password Change should be less than 360 days or account disabled
- Domain DNS Forwarders - Verify DNS Forwarders are identical on all DNS nodes
- Domain DNS Scavenging Primary DNS Server - Verify DNS Scavenging is set to X days
- Domain DNS Scavenging Primary DNS Server - Verify DNS Scavenging State is set to True
- Domain DNS Scavenging Primary DNS Server - Verify DNS Scavenging Time is less than X days
- Domain DNS Zone Aging - Verify DNS Zone Aging is set
- Domain Well known folder - UsersContainer - Verify folder is not at its defaults.
- Domain Well known folder - ComputersContainer - Verify folder is not at its defaults.
- Domain Well known folder - DomainControllersContainer - Verify folder is at its defaults.
- Domain Well known folder - DeletedObjectsContainer - Verify folder is at its defaults.
- Domain Well known folder - SystemsContainer - Verify folder is at its defaults.
- Domain Well known folder - LostAndFoundContainer - Verify folder is at its defaults.
- Domain Well known folder - QuotasContainer - Verify folder is at its defaults.
- Domain Well known folder - ForeignSecurityPrincipalsContainer - Verify folder is at its defaults.
- Domain Orphaned Foreign Security Principals - Verify there are no orphaned FSP objects.
- Domain Orphaned/Empty Organizational Units - Verify there are no orphaned Organizational Units
- Domain Group Policy Missing Permissions - Verify Authenticated Users/Domain Computers are on each and every Group Policy
- Domain DFSR Sysvol - Verify SYSVOL is DFSR
- Domain Controller Information - Is Enabled
- Domain Controller Information - Is Global Catalog
- Domain Controller Service Status - Verify all Services are running
- Domain Controller Service Status - Verify all Services are set to automatic startup
- Domain Controller Service Status (Print Spooler) - Verify Print Spooler Service is set to disabled
- Domain Controller Service Status (Print Spooler) - Verify Print Spooler Service is stopped
- Domain Controller Ping Connectivity - Verify DC is reachable
- Domain Controller Ports - Verify the following ports are open: 53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269, 9389
- Domain Controller RDP Ports - Verify port 3389 (RDP) is open
- Domain Controller RDP Security - Verify NLA is enabled
- Domain Controller LDAP Connectivity - Verify all LDAP Ports are open
- Domain Controller LDAP Connectivity - Verify all LDAP SSL Ports are open
- Domain Controller Windows Firewall - Verify windows firewall is enabled for all network cards
- Domain Controller Windows Remote Management - Verify Windows Remote Management identification requests are managed
- Domain Controller Resolves internal DNS queries - Verify DNS on DC resolves Internal DNS
- Domain Controller Resolves external DNS queries - Verify DNS on DC resolves External DNS
- Domain Controller Name servers for primary domain zone - Verify DNS Name servers for primary zone are identical
- Domain Controller Responds to PowerShell Queries - Verify DC responds to PowerShell queries
- Domain Controller TimeSettings - Verify PDC should sync time to external source
- Domain Controller TimeSettings - Verify Non-PDC should sync time to PDC emulator
- Domain Controller TimeSettings - Verify Virtualized DCs should sync to hypervisor during boot time only
- Domain Controller Time Synchronization Internal - Verify Time Synchronization Difference to PDC less than X seconds
- Domain Controller Time Synchronization External - Verify Time Synchronization Difference to pool.ntp.org less than X seconds
- Domain Controller Disk Free - Verify OS partition Free space is at least X %
- Domain Controller Disk Free - Verify NTDS partition Free space is at least X %
- Domain Controller Operating System - Verify Windows Operating system is Windows 2012 or higher
- Domain Controller Windows Updates - Verify Last patch was installed less than 60 days ago
- Domain Controller SMB Protocols - Verify SMB v1 protocol is disabled
- Domain Controller SMB Protocols - Verify SMB v2 protocol is enabled
- Domain Controller SMB Shares - Verify default SMB shares NETLOGON/SYSVOL are visible
- Domain Controller DFSR AutoRecovery - Verify DFSR AutoRecovery is enabled
- Domain Controller Windows Roles and Features - Verify Windows Features for AD/DNS/File Services are enabled
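To show what one of these checks does underneath, here is a stand-alone version of the "Domain Controller Ports" test from the list above. It is an added example written for this page, not Testimo's own code. It assumes the ActiveDirectory RSAT module is installed so that Get-ADDomainController can enumerate the DCs, uses the port list from the test above, and applies an assumed 2-second per-port timeout (Test-NetConnection has no timeout parameter, so a raw TcpClient is used instead).

```powershell
# Added example (not Testimo's code): stand-alone "Domain Controller Ports" check.
# Assumptions: ActiveDirectory RSAT module present; $Ports is the list from the
# test description above; $TimeoutMs is an assumed per-port connect timeout.
$Ports = 53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269, 9389

function Test-DcPorts {
    param(
        [string[]]$ComputerName = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
        [int[]]$Port = $Ports,
        [int]$TimeoutMs = 2000
    )
    foreach ($dc in $ComputerName) {
        foreach ($p in $Port) {
            # TcpClient with an explicit timeout so a filtered port fails fast
            # instead of hanging for the OS default.
            $client = New-Object System.Net.Sockets.TcpClient
            $open = $false
            try {
                $async = $client.BeginConnect($dc, $p, $null, $null)
                if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                    $client.EndConnect($async)   # throws if the connection was refused
                    $open = $client.Connected
                }
            }
            catch { $open = $false }
            finally { $client.Close() }

            [pscustomobject]@{ DC = $dc; Port = $p; Open = $open }
        }
    }
}

# One row per DC/port pair; anything not open is a firewall, service or routing problem.
$results = Test-DcPorts
$closed = $results | Where-Object { -not $_.Open }
if ($closed) {
    Write-Warning 'Closed or filtered DC ports found:'
    $closed | Format-Table -AutoSize
}
else {
    Write-Host "All $($Ports.Count) ports reachable on every domain controller."
}
```

A port that is closed on one DC but open on its peers usually means a host firewall profile or service difference, which is the kind of inconsistency the Testimo firewall and service-status tests in the list are designed to surface. Testimo itself exposes these checks through Invoke-Testimo, and Get-TestimoSources lists the source names its -Sources parameter accepts.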
Installation
Running Testimo on a Windows 10/11 machine requires RSAT. Install the module from the PowerShell Gallery:
Install-Module -Name Testimo -AllowClobber -Force
Download
The download can be found on GitHub
Scripts and programming examples disclaimer
Unless stated otherwise, the script sources and programming examples provided are copyrighted freeware.
You may modify them, as long as a reference to the original code and hyperlink to the source page is included in the modified code and documentation.
However, it is not allowed to publish (copies of) scripts and programming examples on your own site, blog, vlog, or distribute them on paper or any other medium, without prior written consent.
Many of the techniques used in these scripts, including but not limited to modifying the registry or system files and settings, impose a risk of rendering the Operating System inoperable and loss of data.
Make sure you have verified full backups and the associated restore software available before running any script or programming example.
Use these scripts and programming examples entirely at your own risk. All liability claims against the author in relation to material or non-material losses caused by the use, misuse or non-use of the information provided, or the use of incorrect or incomplete information, are excluded. All content is subject to change and provided without obligation.