Tuesday, January 20, 2009

One batch file for Active Directory diagnostics

One batch file for Active Directory diagnostics.
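Simply set the variables for the DCs, and it will collect information about your Active Directory environment. This is useful for troubleshooting, benchmarking, analysis and history. All operations are read-only, although the psexec steps do run commands on each domain controller, and the collected output lists ACLs, trusts and accounts, so keep the Diag folder where only administrators can read it.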

::
:: Changes:
:: 21/09/2006, Initial version
:: 18/02/2008, Updated commands to be more generic and use variables for DC/DN/FQDN commands
:: 19/02/2008, Updated 'Subnet Information' to return a mapping of subnet to site.
:: 20/02/2008, Updated 'Find all connection objects' to provide more information
::
:: Author:
:: Wayne Martin
::
:: Use:
:: Perform various diagnostic commands against a domain and capture the output for analysis and history
::
:: Notes:
:: Most commands will work against a 2000 domain, but some are targeted at 2003-only functionality
::
:: Requires:
:: acldiag.exe
:: AdFind.exe
:: adrestore.exe
:: dcdiag.exe
:: dnscmd.exe
:: dsastat.exe
:: FILEVER.EXE
:: gpotool.exe
:: ldifde.exe
:: netdiag.exe
:: nltest.exe
:: psexec.exe
:: Psinfo.exe
:: repadmin.exe
:: setspn.exe


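:Start

:: Target servers. DC1, DC2 and DC3 are placeholders: define them in the
:: environment before running, or replace them here with real host names.
Set Server=%DC1%
Set SecondDc=%DC2%
Set ThirdDC=%DC3%
:: NOTE: TIME is also cmd's built-in current-time variable. Unless a variable
:: named TIME has been set explicitly, this assigns the clock time, not a host
:: name, and the w32tm check later will be given a bogus computer name.
:: Replace %TIME% with the name of the time server to be checked.
Set TimeServer=%TIME%
Set DomainDN=DC=domain,DC=com
Set DomainFQDN=domain.com

:: Stop early if no primary DC was supplied; otherwise every "-s %Server%"
:: below would be sent to the domain with an empty server name.
If not defined Server (
  echo ERROR: Server is empty - set DC1 or edit the Set Server line before running.
  exit /b 1
)

:: Make the directory for the output.
:: The results include ACLs, SPNs, trust details and account listings, so keep
:: this folder on a volume that only administrators can read.
If not Exist .\Diag md Diag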

:: FSMO role holders, listed by ntdsutil while connected to %Server%
ntdsutil roles Connections "Connect to server %Server%" Quit "select Operation Target" "List roles for conn server" Quit Quit Quit >>"Diag\FSMO_Roles_%Server%.txt"

:: Domain controllers known for the logged-on user's DNS domain
:: (the output file is named after the machine running the script)
nltest /dclist:%userdnsdomain% >>"Diag\Domain_Controllers_%computername%.txt"

:: Per-DC collection. Each loop asks dsquery for the server names in the
:: user's DNS domain and writes one output file per DC.
:: NOTE(review): dsquery normally prints names wrapped in double quotes; if the
:: loop variable arrives quoted, %%~d would strip them - confirm on a test DC.

:: IP configuration of every DC, gathered by running ipconfig remotely.
:: psexec starts a process on the DC itself, so this step needs admin rights
:: there and is likely to appear in remote-execution monitoring.
:: NOTE(review): /s presumably asks psexec for the SYSTEM account, which
:: ipconfig /all does not need - confirm and drop it if so.
for /f %%d in ('dsquery server -domain %userdnsdomain% -o rdn') do psexec \\%%d /s ipconfig /all >>"Diag\Domain_Controller_IP_Configuration_%%d.txt"

:: systeminfo report for every DC
for /f %%d in ('dsquery server -domain %userdnsdomain% -o rdn') do systeminfo /s %%d >>"Diag\Domain_Controller_SystemInfo_%%d.txt"

:: Directory listing of the ntds folder under each DC's admin$ share,
:: used to see how much disk the AD database files take
for /f %%d in ('dsquery server -domain %userdnsdomain% -o rdn') do dir \\%%d\admin$\ntds >>"Diag\AD_Database_disk_usage_%%d.txt"

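:: Global Catalog Servers from DNS
:: Enumerates the _tcp records of the zone and keeps only lines mentioning
:: port 3268. The pipe into find was missing from the published line, which
:: passed "find /i 3268" to dnscmd as extra arguments, and the file name
:: variable lacked its closing percent sign.
dnscmd %Server% /enumrecords %userdnsdomain% _tcp | find /i "3268" >>"Diag\Global_Catalog_Servers_from_DNS_%Server%.txt"

:: Global Catalog Servers from AD
:: Returns nTDSDSA objects in the configuration partition whose options
:: attribute has bit 1 set (bitwise-AND matching rule 1.2.840.113556.1.4.803).
dsquery * "CN=Configuration,%DomainDN%" -s %Server% -filter "(&(objectCategory=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))" >>"Diag\Global_Catalog_Servers_from_AD_%Server%.txt"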

:: DNS server settings of every DC returned by dsquery (one file per DC)
for /f %%d in ('dsquery server -domain %userdnsdomain% -o rdn') do dnscmd %%d /info >>"Diag\DNS_Information_%%d.txt"

:: Detailed zone information for the user's DNS domain, read from %Server%
dnscmd %Server% /zoneinfo %userdnsdomain% >>"Diag\DNS_Zone_Detailed_information_%server%.txt"

:: garbageCollPeriod and tombstoneLifetime from the Directory Service object
:: in the configuration partition
dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,%DomainDN%" -s %Server% -attr garbageCollPeriod tombstoneLifetime >>"Diag\Garbage_Collection_and_tombstone_%server%.txt"

:: Group Policy verification with ACL checking, verbose output
gpotool.exe /checkacl /verbose >>"Diag\Group_Policy_Verification_Tool.txt"

:: Computer accounts with their distinguished names (shows OU placement);
:: -limit 0 removes the dsquery result cap
dsquery computer -s %Server% -limit 0 >>"Diag\AD_OU_membership_%server%.txt"

:: User accounts, appended to the same file as the computer listing
dsquery user -s %Server% -limit 0 >>"Diag\AD_OU_membership_%server%.txt"

:: Service principal names registered on each DC's account.
:: The result is a map of service accounts and is sensitive in its own right.
for /f %%d in ('dsquery server -domain %userdnsdomain% -o rdn') do setspn -L %%d >>"Diag\List_Service_Principal_Names_%%d.txt"

:: Object-count comparison between the three configured DCs
dsastat -s:%server%;%SecondDC%;%ThirdDC% -p:999 >>"Diag\Compare_DC_Replica_Object_Count.txt"

:: ACL diagnostics on the domain root object
acldiag %DomainDN% >>"Diag\Check_AD_ACLs.txt"

:: NTFRS replica sets as seen by each DC
for /f %%d in ('dsquery server -domain %userdnsdomain% -o rdn') do ntfrsutl sets %%d >>"Diag\NTFRS_Replica_Sets_%%d.txt"

:: NTFRS view of the directory service from each DC
for /f %%d in ('dsquery server -domain %userdnsdomain% -o rdn') do ntfrsutl ds %%d >>"Diag\NTFRS_DS_View_%%d.txt"

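:: Domain Controllers per site
:: Lists the server objects under CN=Sites; the DN of each result shows the
:: site it belongs to. This command is not inside a for loop, so the output
:: file is named after %server% (the published line used a loop variable
:: here, which produced a file with a literal percent-i in its name).
:: NOTE: dsquery stops at 100 results unless -limit is given.
dsquery * "CN=Sites,CN=Configuration,%DomainDN%" -s %server% -filter "(objectCategory=Server)" >>"Diag\Domain_Controllers_per_site_%server%.txt"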

:: dnsZone objects stored under the domain root, queried on each DC in turn
for /f %%d in ('dsquery server -o rdn') do dsquery * -s %%d domainroot -filter (objectCategory=dnsZone) >>"Diag\DNS_Zones_in_AD_%%d.txt"

:: Zones hosted by the DNS service on each DC
for /f %%d in ('dsquery server -o rdn') do dnscmd %%d /enumzones >>"Diag\Enumerate_DNS_Server_Zones_%%d.txt"

:: Subnet objects with the site each one maps to, plus description and location
dsquery * "CN=Subnets,CN=Sites,CN=Configuration,%DomainDN%" -s %server% -attr cn siteObject description location >>"Diag\Subnet_information_%server%.txt"
:: Earlier form, kept disabled:
::Dsquery subnet -s %server% >>"Diag\Subnet_information_%server%.txt

:: Organisational units in the domain
:: NOTE: no -limit is given here, so dsquery returns at most 100 OUs.
dsquery OU -s %server% >>"Diag\List_Organisational_Units_%server%.txt"

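:: ACL on all OUs
:: Runs acldiag against every OU that dsquery returns. "delims=" keeps each
:: quoted DN in one piece even when it contains spaces. The published line
:: passed -s twice, which left dsquery without a valid server argument.
:: NOTE: without -limit, dsquery returns at most 100 OUs.
for /f "delims=" %%i in ('dsquery OU -s %server%') do acldiag %%i >>"Diag\ACL_on_all_OUs.txt"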

:: Trust relationships as seen from %server%, verbose
nltest /domain_trusts /v /server:%server% >>"Diag\Domain_Trusts_%server%.txt"

:: Full record dump of the %DomainFQDN% zone
dnscmd %Server% /zoneprint %DomainFQDN% >>"Diag\Print_DNS_Zones_%server%.txt"

:: Subnet-to-site mapping (same query as the Subnet information step,
:: written to its own file)
dsquery * "CN=Subnets,CN=Sites,CN=Configuration,%DomainDN%" -s %server% -attr cn siteObject description location >>"Diag\AD_Subnet_and_Site_Information_%server%.txt"

:: Site objects with description and location
dsquery * "CN=Sites,CN=Configuration,%DomainDN%" -s %server% -attr cn description location -filter (objectClass=site) >>"Diag\AD_Site_Information_%server%.txt"

:: Published printer queues anywhere under the domain root, no result cap
dsquery * domainroot -filter "(objectCategory=printQueue)" -s %server% -limit 0 >>"Diag\Printer_Queue_Objects_in_AD_%server%.txt"

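:: Group Membership with user details
:: Expands the members of one group and pipes their DNs into dsget user to
:: print the selected attributes. The pipe between the two dsget commands was
:: missing from the published line, which made it a single invalid command.
:: groupDN is a placeholder: replace it with the quoted distinguished name of
:: the group to report on.
dsget group groupDN -members | dsget user -samid -fn -mi -ln -display -empid -desc -office -tel -email -title -dept -mgr >>"Diag\Group_Membership_with_user_details_%server%.txt"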

:: Site links with cost, replication interval and member sites
dsquery * "CN=Sites,CN=Configuration,%DomainDN%" -s %server% -attr cn cost description replInterval siteList -filter (objectClass=siteLink) >>"Diag\Site_Links_and_Cost_%server%.txt"

:: Time offset of the three DCs and the configured time server.
:: This relies on TimeServer holding a host name (see the Set lines at :Start).
w32tm /monitor /computers:%server%,%SecondDC%,%ThirdDC%,%TimeServer% >>"Diag\Check_time_against_Domain.txt"

:: dcdiag against each configured DC with /v /e /c, one file per DC
for %%d in (%server% %SecondDC% %ThirdDC%) do dcdiag /s:%%d /v /e /c >>"Diag\Domain_Controller_Diagnostics_%%d.txt"

:: repadmin replication reports. None of these name a server explicitly;
:: those taking * address every DC repadmin can enumerate.

:: Bridgehead servers
repadmin /bridgeheads >>"Diag\Domain_Replication_Bridgeheads.txt"

:: Replication failures recorded by the KCC
repadmin /failcache >>"Diag\Replication_Failures_from_KCC.txt"

:: Inter-site topology generator for each site
repadmin /istg * /verbose >>"Diag\Inter-site_Topology_servers_per_site.txt"

:: Replication latency
repadmin /latency /verbose >>"Diag\Replication_latency.txt"

:: Pending inbound replication requests
repadmin /queue * >>"Diag\Queued_replication_requests.txt"

:: Connection objects for each DC
repadmin /showconn * >>"Diag\Show_connections_for_a_DC.txt"

:: Replication summary
repadmin /replsummary >>"Diag\Replication_summary.txt"

:: Replication partners and status for each DC
repadmin /showrepl * /all >>"Diag\Show_replication_partners.txt"

:: Every DC in the forest
repadmin /viewlist * >>"Diag\All_DCs_in_the_forest.txt"

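:: ISTG from AD attributes
:: NOTE: the site name CLB is hard-coded in the DN below; replace it with the
:: CN of the site to inspect, otherwise the lookup fails in any other forest.
dsquery * "CN=NTDS Site Settings,CN=CLB,CN=Sites,CN=Configuration,%DomainDN%" -s %server% -attr interSiteTopologyGenerator >>"Diag\ISTG_from_AD_attributes_%server%.txt"

:: Return the object if KCC Intra/Inter site is disabled for each site
:: The published line ran two dsquery commands together with no pipe and its
:: filter had no OR operator, so it was not a valid command. This form searches
:: the NTDS Site Settings objects under CN=Sites directly and returns those
:: whose Options attribute has bit 1 or bit 16 set (bitwise-AND matching rule
:: 1.2.840.113556.1.4.803), the two values the original filter tested.
dsquery * "CN=Sites,CN=Configuration,%DomainDN%" -s %server% -filter "(&(objectCategory=nTDSSiteSettings)(|(Options:1.2.840.113556.1.4.803:=1)(Options:1.2.840.113556.1.4.803:=16)))" -attr * >>"Diag\Return_the_object_if_KCC_Intra-Inter_site_is_disabled_for_each_site_%server%.txt"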

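:: Find all connection objects
:: The query is scoped to one site through SITECODE, which this script never
:: sets. When it is empty the DN below contains "CN=," and the query can only
:: fail, so the step is skipped with a message instead.
:: Earlier forest-wide form, kept disabled:
::dsquery * forestRoot -s %server% -filter (objectCategory=nTDSConnection) -attr distinguishedName fromServer whenCreated displayName >>"Diag\Find_all_connection_objects_%server%.txt
if not defined SITECODE echo SITECODE is not set - skipping the connection objects query.
if defined SITECODE dsquery * "CN=Servers,CN=%SITECODE%,CN=Sites,CN=Configuration,%DomainDN%" -attr fromServer cn >>"Diag\Find_all_connection_objects_%server%.txt"

:: Find all connection schedules
:: AdFind is not told which server to use here, so the %server% in the file
:: name only labels the output. AdFind is commonly flagged by endpoint
:: monitoring; tell the security team before a planned run.
adfind -b "CN=Configuration,%DomainDN%" -f "objectcategory=ntdsConnection" cn Schedule -csv >>"Diag\Find_all_connection_schedules_%server%.txt"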

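:: Software Information for each server
:: For every DC: psinfo system summary, then file versions of a few core
:: binaries read through the admin$ share. The published line wrote the psinfo
:: output to the current directory and overwrote it on each run; it now goes
:: to the Diag folder and appends, like every other step.
for /f %%i in ('dsquery server -domain %userdnsdomain% -o rdn') do psinfo \\%%i >>"Diag\ServerInfo_%%i.txt" & filever \\%%i\admin$\explorer.exe \\%%i\admin$\system32\vbscript.dll \\%%i\admin$\system32\kernel32.dll \\%%i\admin$\system32\wbem\winmgmt.exe \\%%i\admin$\system32\oleaut32.dll >>"Diag\Software_Information_for_each_server_%%i.txt"

:: Check Terminal Services Delete Temp on Exit flag
:: Remote registry read of DeleteTempDirsOnExit on each DC.
for /f %%i in ('dsquery server -domain %userdnsdomain% -o rdn') do reg query "\\%%i\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v DeleteTempDirsOnExit >>"Diag\Check_Terminal_Services_Delete_Temp_on_Exit_flag_%%i.txt"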

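:: Information on existing GPO's
:: Name, GUID (cn), creation time and SYSVOL path of each group policy container.
dsquery * "CN=Policies,CN=System,%DomainDN%" -s %server% -filter "(objectCategory=groupPolicyContainer)" -attr displayName cn whenCreated gPCFileSysPath >>"Diag\Information_on_existing_GPOs_%server%.txt"

:: Domain Controller Netlogon entries
:: Echoes each DC name to the console, then saves its Netlogon parameters
:: key. The dsquery switch is written -o to match the other loops.
for /f %%i in ('dsquery server -o rdn') do echo %%i & reg query \\%%i\hklm\system\currentcontrolset\services\netlogon\parameters >>"Diag\Domain_Controller_Netlogon_entries_%%i.txt"

:: Find empty groups
:: The filter is now a fully parenthesised LDAP expression; the published
:: form left out the outer brackets and the brackets around the negated test.
:: NOTE: groups whose only members hold them as primary group (for example
:: Domain Users) have no member values and will be listed as empty.
dsquery * -s %server% -filter "(&(objectCategory=group)(!(member=*)))" -limit 0 -attr whenCreated whenChanged groupType sAMAccountName distinguishedName memberOf >>"Diag\Find_empty_groups.txt"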

:: Disk statistics for drive C: on the three configured DCs, including the
:: number of files on the filesystem. Both commands append to the same
:: CheckDisk file per DC. chkdsk is run without a repair switch and defrag
:: with -a (analyse), so neither is asked to change the volume.
:: psexec starts these processes on the DC itself and installs its helper
:: service to do so; expect service-installation and remote-execution alerts
:: and agree the run with whoever monitors the DCs.
for %%d in (%server% %SecondDC% %ThirdDC%) do psexec \\%%d chkdsk C: /i /c >>"Diag\CheckDisk_%%d.txt"
for %%d in (%server% %SecondDC% %ThirdDC%) do psexec \\%%d defrag C: -a -v >>"Diag\CheckDisk_%%d.txt"

:: State of "Default Web Site" on every DC, queried with iisweb
for /f %%d in ('dsquery server /o rdn') do iisweb /s %%d /query "Default Web Site" >>"Diag\IIS_Default_Web_Sites_%%d.txt"

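:: Forest/Domain Functional Levels (LDIF export)
:: Exports the crossRef objects selected by systemFlags from the partitions
:: container. Two fixes: the LDAP filter gets its missing OR operator, and the
:: export goes to its own file rather than one named after the IIS step.
:: ldifde -f creates the file afresh, so it is kept apart from the dsquery
:: output below, which appends.
ldifde -s %server% -d cn=partitions,cn=configuration,%DomainDN% -r "(|(systemFlags=3)(systemFlags=-2147483648))" -l msds-behavior-version,dnsroot,ntmixeddomain,NetBIOSName -p subtree -f "Diag\Forest-Domain_Functional_Levels_LDIF_%server%.txt"

:: Forest/Domain Functional Levels (dsquery table)
:: Same objects and attributes as the export above, with the same filter fix.
dsquery * cn=partitions,cn=configuration,%DomainDN% -s %server% -filter "(|(systemFlags=3)(systemFlags=-2147483648))" -attr msDS-Behavior-Version Name dnsroot ntmixeddomain NetBIOSName >>"Diag\Forest-Domain_Functional_Levels_%server%.txt"

:: Lookup SRV records from DNS
:: Asks %server% for the domain controller locator records.
nslookup -type=srv _ldap._tcp.dc._msdcs.%DomainFQDN% %server% >>"Diag\Lookup_SRV_records_from_DNS_%server%.txt"

:: Find when the AD was installed
:: whenCreated of the configuration partition root. The published line
:: appended this to the SRV lookup file; it now has a file of its own.
dsquery * cn=configuration,%DomainDN% -s %server% -attr whencreated -scope base >>"Diag\Find_when_the_AD_was_installed_%server%.txt"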

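:: Find a DC for each trusted domain
:: Reads trustPartner from every trustedDomain object under CN=System
:: (skip=1 drops the column header) and asks nltest to locate a DC for it.
for /f "skip=1" %%i in ('"dsquery * CN=System,%DomainDN% -filter (objectClass=trustedDomain) -attr trustPartner"') do nltest /dsgetdc:%%i >>"Diag\Find_a_DC_for_each_trusted_domain_%server%.txt"

:: Verify SMB connectivity to the admin share on DCs
:: Records whether \\DC\admin$ can be reached. In the published line the
:: redirect followed the else branch only, so failures went to the console
:: and never reached the file, and the file was written outside Diag. Each
:: branch now carries its own redirect into the Diag folder.
for /f %%i in ('dsquery server -o rdn') do @if not exist \\%%i\admin$ (echo Could not access %%i\admin$ >>"Diag\Verify_SMB_connectivity_to_DCs_%%i.txt") else (echo %%i\admin$ exists >>"Diag\Verify_SMB_connectivity_to_DCs_%%i.txt")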


-------------------
Thanks,
http://sccm07.blogspot.com/
