Back to the Basics; Recovering from a Crash

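#!/bin/sh
# ESXi shell: check and repair the "AD Security" VM's virtual disk after a crash.
# Datastores are mounted under /vmfs/volumes on the host; the original note used a
# relative path, which only works when started from /. Typographic quotes from the
# page rendering were replaced with plain ones so the commands actually parse.
vm_dir="/vmfs/volumes/datastore1/AD Security"
vm_disk="AD Security.vmdk"

cd "$vm_dir" || exit 1
# Check first so the output records what was wrong, then repair. The VM must be
# powered off; consider copying the descriptor/flat files aside before repairing.
vmkfstools -x check "$vm_disk"
vmkfstools -x repair "$vm_disk"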
  • Seize the FSMO roles to the backup DC
  • Set up ESXi
  • Configure the new VMs
  • Move the FSMO roles to the new DC
  • Restore the Azure AD Connect member server
  • Disable/delete the old account used for syncing
  • [If applicable] Remove the old DCs from Azure Health Monitor and add the new ones
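# Seize all five FSMO roles onto the backup DC. -Force turns the transfer into a
# seizure, so use it only when the current role holder is gone for good; the old
# holder must not be brought back onto the network afterwards without cleanup.
Move-ADDirectoryServerOperationMasterRole -Identity "BackupDC4" `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster `
    -Force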
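# Mishky's networking setup script for new Windows servers: static IPv4 + DNS,
# IPv6 and NetBIOS off, then rename and domain join. Run elevated on the new server.
Write-Host "Welcome to Mishky's networking setup script for new Windows servers"
Write-Host "Please enter the below info for IPv4 to set a static IP and the right DNS"
Write-Host "FYSA Mishky also disables IPv6 & NetBIOS, because the network isn't using them"

# Site-specific defaults; edit these rather than the commands below.
$InterfaceAlias = "Ethernet0"
$PrefixLength   = 24
$DnsServers     = @("192.168.0.101", "192.168.0.102", "192.168.0.104", "<ISP DNS #1>", "<ISP DNS #2>")
$DomainName     = "test.local"

$IP         = Read-Host "Please enter the server's IP address"
$Gateway    = Read-Host "Please enter the gateway IP address"
$ServerName = Read-Host "Please enter the server's name"

# Disable IPv6 on the adapter (unbinds the protocol from this NIC only).
Disable-NetAdapterBinding -InterfaceAlias $InterfaceAlias -ComponentID ms_tcpip6

# Disable NetBIOS over TCP/IP on every interface (NetbiosOptions 2 = disabled).
$regkey = "HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces"
Get-ChildItem $regkey | ForEach-Object {
    Set-ItemProperty -Path "$regkey\$($_.PSChildName)" -Name NetbiosOptions -Value 2 -Verbose
}

# Set IPv4 address, gateway, and DNS servers.
New-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -IPAddress $IP -PrefixLength $PrefixLength -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DnsServers

# Rename and join in one step. The original called Rename-Computer -Restart first,
# which rebooted before the Add-Computer line could run; Add-Computer -NewName does
# both. Get-Credential keeps the password out of the console history and argv.
Write-Host "Join the $DomainName domain"
$Credential = Get-Credential -Message "Please enter your domain admin credentials"
Add-Computer -DomainName $DomainName -NewName $ServerName -Credential $Credential -Restart -Force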
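# Prep a new folder and SMB share for adding to an existing DFS namespace.
$NewDirPath   = "C:\Test Share"
$NewShareName = "Test Share"

# Create the directory only when it is missing. The original printed a message in the
# catch block but then ran New-Item unconditionally, which errors if the directory
# already exists.
if (Test-Path -Path $NewDirPath -PathType Container) {
    Write-Host "Dir already exists. Reusing it." -ForegroundColor Yellow
} else {
    Write-Host "Dir not found. Cleared hot." -ForegroundColor Green
    New-Item -Path $NewDirPath -ItemType Directory | Out-Null
}

# Share it. Without -FullAccess/-ChangeAccess/-ReadAccess the share ACL defaults to
# Everyone: Read, so the NTFS ACL on $NewDirPath is what actually governs access.
# Scope the share explicitly (e.g. -FullAccess "<domain group>") if that is too broad.
New-SmbShare -Name $NewShareName -Path $NewDirPath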
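# Install the DFS namespace and replication roles plus the management console.
Add-WindowsFeature -Name FS-DFS-Namespace, FS-DFS-Replication, RSAT-DFS-Mgmt-Con

# Add this server as a target of an existing DFS folder. BackupDC4 already hosts
# \\test.local\Mishky's Share\Test Share and is used as the replication source.
# NOTE(review): the apostrophe in the share name was rendered as a typographic
# quote on the page; confirm the exact namespace and replication group names first.
$newDFSserver     = "TestDC"
$SourceDfsServer  = "BackupDC4"
$DfsFolderPath    = "\\test.local\Mishky's Share\Test Share"
$ReplGroupName    = "test.local\Mishky's Share\Test Share"
$ReplFolderName   = "Test Share"
$ShareName        = "Test Share"      # SMB share the new target points at
$LocalContentPath = "C:\Test Share"   # local path backing that share

New-DfsnFolderTarget -Path $DfsFolderPath -TargetPath "\\$newDFSserver\$ShareName" -ReferralPriorityClass SiteCostNormal
Get-DfsReplicationGroup -GroupName $ReplGroupName |
    Get-DfsReplicatedFolder -FolderName $ReplFolderName |
    Add-DfsrMember -ComputerName $newDFSserver
Add-DfsrConnection -GroupName $ReplGroupName -SourceComputerName $SourceDfsServer -DestinationComputerName $newDFSserver
Set-DfsrMembership -GroupName $ReplGroupName -FolderName $ReplFolderName -ComputerName $newDFSserver -ContentPath $LocalContentPath

# Confirm the new membership shows up next to the existing ones.
Get-DfsReplicationGroup -GroupName $ReplGroupName |
    Get-DfsReplicatedFolder -FolderName $ReplFolderName |
    Get-DfsrMembership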
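# Transfer (not seize) all five FSMO roles to the new DC once it is healthy and
# replicating. Without -Force this is a graceful transfer and needs the current
# holder online; contrast with the -Force seizure used during the outage.
Move-ADDirectoryServerOperationMasterRole -Identity "TestDC" `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster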
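# Roll over the Kerberos decryption key of the computer account used by Seamless SSO.
# Reference:
# https://azurecloudai.blog/2020/08/03/roll-over-kerberos-decryption-key-for-seamless-sso-computer-account/
# Run from the Azure AD Connect server; the cmdlets prompt for a Global Admin and
# then an on-prem Domain Admin credential.
$AadConnectPath = "C:\Program Files\Microsoft Azure Active Directory Connect\"
Set-Location -Path $AadConnectPath
Import-Module (Join-Path $AadConnectPath "AzureADSSO.psd1")
New-AzureADSSOAuthenticationContext
# Record the current SSO state before changing anything.
Get-AzureADSSOStatus | ConvertFrom-Json
# Rolls the key for this forest; Microsoft recommends doing this at least every 30 days.
Update-AzureADSSOForest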
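# Retire the old Azure AD Connect sync account after AAD Connect has been restored on
# the new member server: identify it, disable on both sides, verify sync still runs,
# then delete. The MSOL_ account typically holds replication (DCSync-class) rights on
# the domain, so it should not be left alive and unused.
$OldSyncAccount = "MSOL_xyz"   # replace with the SamAccountName found below
$OldSyncCloudId = "<ID>"       # ObjectId of the matching cloud sync account (see Get-AzureADUser below)

# Find the on-prem MSOL_* account(s); CreateTimeStamp tells the old one from the new.
Get-ADUser -Filter { Name -like "*MSOL*" } -Properties * |
    Select-Object SamAccountName, CreateTimeStamp, Description

# Disable on-prem and in the cloud before deleting anything, so a mistake is reversible.
Disable-ADAccount -Identity $OldSyncAccount
Connect-AzureAD
Set-AzureADUser -ObjectId $OldSyncCloudId -AccountEnabled $false
Connect-MsolService
Set-MsolUser -ObjectId $OldSyncCloudId -BlockCredential $true

# Verify: list the sync accounts on both sides and confirm sync still runs with the old
# account disabled (LastDirSyncTime / LastPasswordSyncTime should keep advancing).
Get-AzureADUser
Get-ADUser -Filter { Name -like "*Sync*" }
Get-AzureADUser -All $true | Where-Object { $_.DisplayName -like "*Sync*" }
Get-MsolCompanyInformation | Select-Object DisplayName, LastDirSyncTime, LastPasswordSyncTime

# Delete once satisfied.
Remove-AzureADUser -ObjectId $OldSyncCloudId
Remove-ADUser -Identity $OldSyncAccount

# ACEs granted to the account on the domain head. Once the account is deleted they
# show up as an unresolved SID instead of "*MSOL*", so check this before and after
# and clean the leftovers up with the ACL script that follows.
(Get-Acl (Get-ADDomain).DistinguishedName).Access | Where-Object { $_.IdentityReference -like "*MSOL*" }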
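# Remove every ACE on the domain head that is granted to a stale (deleted) SID.
# Source: https://ex-shell.com/2017/06/16/remove-a-usergroup-permission-on-an-ad-object-via-powershell/
# Finding the problem on an OU looks like:
#   (Get-Acl "ou=vips,dc=test,dc=local").Access | Where-Object { $_.IdentityReference -like "*S-1-5-21-*" }
Import-Module ActiveDirectory
Set-Location AD:   # Get-Acl/Set-Acl on a DN need the AD: drive as the current location

$DistinguishedName = (Get-ADDomain).DistinguishedName
# The orphaned SID left behind by the deleted sync account. The page rendered the
# separators as en-dashes, which would never match; SIDs use plain hyphens. To remove
# a live principal instead, set this to "DOMAIN\user": IdentityReference.Value is the
# account name while the SID still resolves and the raw SID string only once it does not.
$Stale_SID = "S-1-5-21-4103247791-2828088783-3009141321-3631"

# Collect the current ACL and pick out the matching entries before touching it.
# Tip: save $Acl.Sddl somewhere before Set-Acl so the change can be reverted.
$Acl = Get-Acl -Path $DistinguishedName
$StaleAces = @($Acl.Access | Where-Object { $_.IdentityReference.Value -eq $Stale_SID })

if ($StaleAces.Count -eq 0) {
    Write-Host "No ACEs for $Stale_SID on $DistinguishedName; nothing to do."
} else {
    foreach ($access in $StaleAces) {
        # Log what is being dropped so the change is auditable.
        Write-Host ("Removing {0} {1} for {2}" -f $access.AccessControlType, $access.ActiveDirectoryRights, $access.IdentityReference)
        [void]$Acl.RemoveAccessRule($access)
    }
    # Write the ACL back only when something actually changed.
    Set-Acl -Path $DistinguishedName -AclObject $Acl
}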
