Get-CimInstance -ClassName Win32_Product | Get-Random -Count 3 |fl
Obtaining a List of Installed Applications:
Get-CimInstance -ClassName Win32_Product |fl
Deploying and Managing Active Directory with Windows PowerShell
Chapter 1. Deploy your first forest and domain
Get-NetAdapter
Get-Member
Set-NetIPAddress
New-NetIPAddress
Set-DnsClientServerAddress
Get-NetIPAddress
Rename-Computer
Install-WindowsFeature
Get-Command
Format-Table
Update-Help
ConvertTo-SecureString
Get-NetAdapter | Get-Member
Set-NetIPInterface -InterfaceAlias "10 Network" -DHCP Disabled -PassThru
New-NetIPAddress `
-AddressFamily IPv4 `
-InterfaceAlias "10 Network" `
-IPAddress 192.168.10.2 `
-PrefixLength 24 `
-DefaultGateway 192.168.10.1
New-NetIPAddress `
-AddressFamily IPv6 `
-InterfaceAlias "10 Network" `
-IPAddress 2001:db8:0:10::2 `
-PrefixLength 64 `
-DefaultGateway 2001:db8:0:10::1
Set-DnsClientServerAddress `
-InterfaceAlias "10 Network" `
-ServerAddresses 192.168.10.2,2001:db8:0:10::2
Get-NetIPAddress -InterfaceAlias "10 Network"
Rename-Computer -NewName dc01 -Restart -Force -PassThru
Install Active Directory Domain Services
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Get-Command -Module ADDSDeployment | Format-Table Name
Name
----
Add-ADDSReadOnlyDomainControllerAccount
Install-ADDSDomain
Install-ADDSDomainController
Install-ADDSForest
Test-ADDSDomainControllerInstallation
Test-ADDSDomainControllerUninstallation
Test-ADDSDomainInstallation
Test-ADDSForestInstallation
Test-ADDSReadOnlyDomainControllerAccountCreation
Uninstall-ADDSDomainController
Update-Help -SourcePath \\dc02\PSHelp
Save-Help -DestinationPath \\dc02\PSHelp -force
Import-Module ADDSDeployment
Test-ADDSForestInstallation `
-DomainName 'afd.ink' `
-DomainNetBiosName 'afd' `
-DomainMode 6 `
-ForestMode 6 `
-NoDnsOnNetwork `
-NoRebootOnCompletion
Deploy the first domain controller and forest
Install-ADDSForest `
-DomainName 'afd.ink' `
-DomainNetBiosName 'afd' `
-DomainMode 4 `
-ForestMode 4 `
-NoDnsOnNetwork `
-SkipPreChecks `
-Force
a fuller list of the options for Install-ADDSForest:
Chapter 2. Manage DNS and DHCP
Add-DnsServerPrimaryZone
Add-DnsServerSecondaryZone
Get-DnsServerZone
Export-DnsServerZone
Set-DnsServerPrimaryZone
Set-DnsServerSecondaryZone
Add-DnsServerStubZone
Set-DnsServerStubZone
Add-DnsServerConditionalForwarderZone
Add-DnsServerZoneDelegation
Set-DnsServerZoneDelegation
Add-DnsServerResourceRecord
Add-DnsServerResourceRecordA
Add-DnsServerResourceRecordAAAA
Add-DnsServerResourceRecordCName
Add-DnsServerResourceRecordDnsKey
Add-DnsServerResourceRecordDS
Add-DnsServerResourceRecordMX
Add-DnsServerResourceRecordPtr
Get-DnsServerResourceRecord
Set-DnsServerResourceRecord
Set-DnsServerScavenging
Start-DnsServerScavenging
Get-DnsServerScavenging
Add-DhcpServerInDC
Add-DhcpServerv4Scope
Add-DhcpServerv4ExclusionRange
Set-DhcpServerv4OptionValue
Add-DhcpServerv6Scope
Add-DhcpServerv6ExclusionRange
Set-DhcpServerv6OptionValue
Create new primary zones
Add-DnsServerPrimaryZone -Name 'nipit.cn' `
-ComputerName 'dc01.afd.ink' `
-ReplicationScope 'Domain' `
-DynamicUpdate 'Secure' `
-PassThru
Creating a reverse lookup zone
Add-DnsServerPrimaryZone -NetworkID 172.16.8.0/24 `
-ReplicationScope 'Forest' `
-DynamicUpdate 'NonsecureAndSecure' `
-PassThru
Add-DnsServerPrimaryZone -NetworkID 2001:db8:0:10::/64 `
-ReplicationScope 'Forest' `
-DynamicUpdate 'Secure' `
-PassThru
Creating file-based zones uses the -ZoneFile parameter
Add-DnsServerPrimaryZone -Name 'nipict.com' `
-ZoneFile 'nipict.com.dns' `
-DynamicUpdate 'None'
Change the settings of a primary zone
Set-DnsServerPrimaryZone
Set-DnsServerPrimaryZone -Name 'nipict.com' `
-Notify 'NotifyServers' `
-NotifyServers "192.168.10.201","192.168.10.202" `
-PassThru
Get-DnsServerZone -Name ‘nipict.com’ | Format-List
Export a primary zone
Export-DnsServerZone -Name '0.1.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa' `
-Filename '0.1.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.dns'
The file is saved in the %windir%\system32\dns
Create secondary zones
Secondary DNS zones are primarily used for providing distributed DNS resolution when you are using traditional file-based DNS zones. Secondary DNS zones are used for both forward lookup and reverse lookup zones. The DnsServerSecondaryZone set of cmdlets is used to deploy and manage secondary DNS zones.
A secondary DNS zone is a read-only zone and depends on transferring the data for the zone from another DNS server. That other server must be configured to allow zone transfers.
Add-DnsServerSecondaryZone –Name 0.1.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa `
-ZoneFile "0.1.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.dns" `
-LoadExisting `
-MasterServers 192.168.10.2,2001:db8:0:10::2 `
-PassThru
Set-DnsServerSecondaryZone -Name 0.1.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa `
-MasterServers 192.168.10.3,2001:db8:0:10::3 `
-PassThru
Set-DnsServerPrimaryZone -Name 'nipit.cn' `
-SecureSecondaries TransferToZoneNameServer `
-PassThru
Add-DnsServerStubZone -Name nipict.com `
-MasterServers 192.168.10.4 `
-ReplicationScope Domain `
-PassThru
Set-DnsServerStubZone -Name nipict.com `
-LocalMasters 192.168.10.201,192.168.10.202 `
-PassThru
Configure conditional forwards
Add-DnsServerConditionalForwarderZone -Name nipict.com`
-MasterServers 192.168.10.2,2001:db8::10:2 `
-ForwarderTimeout 5 `
-ReplicationScope "Forest" `
-Recursion $False `
-PassThru
Set-DnsServerConditionalForwarderZone -Name nipict.com `
-MasterServers 192.168.10.3,2001:db8::10:3 `
-PassThru
To remove a conditional forward, use the Remove-DnsServerZone
Manage zone delegation
Add-DnsServerZoneDelegation -Name nipict.com `
-ChildZoneName Engineering `
-IPAddress 192.168.10.12,2001:db8:0:10::c `
-NameServer dc01.afd.ink`
-PassThru
Set-DnsServerZoneDelegation -Name nipict.com `
-ChildZoneName Engineering `
-IPAddress 192.168.10.13,2001:db8:0:10::d `
-NameServer dc02.afd.ink`
-PassThru
Manage DNS records
Get-Help Add-DnsServerResourceRecord* | ft -auto Name,Synopsis
Name Synopsis
---- --------
Add-DnsServerResourceRecord Adds a resource record of a specified type to...
Add-DnsServerResourceRecordA Adds a type A resource record to a DNS zone.
Add-DnsServerResourceRecordAAAA Adds a type AAAA resource record to a DNS server.
Add-DnsServerResourceRecordCName Adds a type CNAME resource record to a DNS zone.
Add-DnsServerResourceRecordDnsKey Adds a type DNSKEY resource record to a DNS zone.
Add-DnsServerResourceRecordDS Adds a type DS resource record to a DNS zone.
Add-DnsServerResourceRecordMX Adds an MX resource record to a DNS server.
Add-DnsServerResourceRecordPtr Adds a type PTR resource record to a DNS server.
Add-DnsServerResourceRecord -ZoneName "afd.ink" `
-A `
-Name wds-11 `
-IPv4Address 192.168.10.11 `
-CreatePtr `
-PassThru
Add-DnsServerResourceRecordA -ZoneName "afd.ink" `
-Name wds-11 `
-IPv4Address 192.168.10.11 `
-CreatePtr `
-PassThru
Add-DnsServerResourceRecord -ZoneName "afd.ink" `
-AAAA `
-Name wds-11 `
-IPv6Address 2001:db8:0:10::b `
-CreatePtr `
-PassThru
Add-DnsServerResourceRecord -ZoneName "afd.ink" `
-CName `
-Name wds `
-HostNameAlias wds-11.afd.ink `
-PassThru
Add-DnsServerResourceRecord -ZoneName "afd.ink" `
-Name "." `
-MX `
-MailExchange mail.afd.ink`
-Preference 10
Add-DnsServerResourceRecord -ZoneName "afd.ink" `
-Name "." `
-MX `
-MailExchange mail2.afd.ink`
-Preference 20
Add-DnsServerResourceRecord Parameters for SRV records:
Add-DnsServerResourceRecord -ZoneName "afd.ink" `
-Name _nntp._tcp `
-SRV `
-DomainName "edge-1.afd.ink" `
-Port 119 `
-Priority 0 `
-Weight 0 `
-PassThru
HostName RecordType Timestamp TimeToLive RecordData
-------- ---------- --------- ---------- ----------
_nntp._tcp SRV 0 01:00:00 [0][0][119][edge-1.afd.ink.]
Configure zone scavenging and aging (配置区域清理和老化)
Set-DnsServerScavenging -ScavengingState:$True `
-ScavengingInterval 4:00:00:00 `
-RefreshInterval 3:00:00:00 `
-NoRefreshInterval 0 `
-ApplyOnAllZones `
-PassThru
Get-DnsServerScavenging
Start-DnsServerScavenging
Deploy DHCP
Install-WindowsFeature -ComputerName dc01 `
-Name DHCP `
-IncludeAllSubFeature `
-IncludeManagementTools
Add-DhcpServerInDC -DnsName 'dc01.afd.ink' -PassThru
Add-DhcpServerv4Scope -Name "afd-dhcp" `
-ComputerName "dc01" `
-Description "Default IPv4 Scope for afd.ink" `
-StartRange "172.16.8.100" `
-EndRange "172.16.8.200" `
-SubNetMask "255.255.255.0" `
-State Active `
-Type DHCP `
-PassThru
Add-DhcpServerv4ExclusionRange -ScopeID "172.16.8.0" `
-ComputerName "dc01" `
-StartRange "172.16.8.100" `
-EndRange "172.16.8.120" `
-PassThru
Set-DhcpServerv4OptionValue -ScopeID 172.16.8.0 `
-ComputerName "dc01" `
-DnsDomain "afd.ink" `
-DnsServer "172.16.8.10" `
-Router "172.16.8.1" `
-PassThru
Add-DhcpServerv6Scope -Name "afd-IPv6-Default" `
-ComputerName "dc01" `
-Description "Default IPv6 Scope for afd.ink" `
-Prefix 2001:db8:0:10:: `
-State Active `
-PassThru
Add-DhcpServerv6ExclusionRange –ComputerName dc01 `
-Prefix 2001:db8:0:10:: `
-StartRange 2001:db8:0:10::1 `
-EndRange 2001:db8:0:10::20 `
-PassThru
Set-DhcpServerv6OptionValue -Prefix 2001:db8:0:10:: `
-ComputerName "dc01" `
-DnsServer 2001:db8:0:10::1 `
-DomainSearchList "afd.ink" `
-PassThru
Chapter 3. Create and manage users and groups
ADUser
ADGroup
ADGroupMember
ADAccountPassword
ADPrincipalGroupMembership
ADObject
ADComputer
Import-CSV
ConvertTo-SecureString
Get-Command
Test-Path
Read-Host
Write-Host
Create users
New-ADUser
Get-ADUser -Identity Administrator
$SecurePW = Read-Host -Prompt "Enter a password" -asSecureString
New-ADUser -Name "gazh" `
-AccountPassword $SecurePW `
-SamAccountName 'gazh' `
-DisplayName 'gazh' `
-Enabled $True `
-PassThru `
-PasswordNeverExpires $True `
-UserPrincipalName 'gazh'
$SuperUserGroups = @()
$SuperUserGroups = (Get-ADUser -Identity "Administrator" -Properties * ).MemberOf
ForEach ($Group in $SuperUserGroups ) {
Add-ADGroupMember -Identity $Group -Members "gazh"
}
(Get-ADUser -Identity gazh -Properties *).MemberOf
New-ADGroup –Name 'Accounting Users' `
-Description 'Security Group for all accounting users' `
-DisplayName 'Accounting Users' `
-GroupCategory Security `
-GroupScope Universal `
-SAMAccountName 'AccountingUsers' `
-PassThru
Add-ADGroupMember [-Identity]
[-AuthType {Negotiate | Basic}] [-Credential PSCredential>]
[-Partition
[-Confirm] [-WhatIf] [
Add-ADGroupMember -Identity AccountingUsers -Members Dave,Stanley -PassThru
Get-ADGroupMember -Identity AccountingUsers
New-ADGroup –Name 'Managers' `
-Description 'Security Group for all Managers' `
-DisplayName 'Managers' `
-GroupCategory Security `
-GroupScope Universal `
-SAMAccountName 'Managers' `
-PassThru
$ManagerArray = (Get-ADUser -Filter {Description -like "*Manager*" } `
-Properties Description).SAMAccountName
Add-ADGroupMember -Identity "Managers" -Members $ManagerArray -PassThru
Get-ADGroupMember -Identity Managers | ft -auto SAMAccountName,Name,Description
Get-ADGroupMember -Identity Managers | Get-Member
Get-ADGroupMember -Identity Managers `
| Get-ADUser -Properties Description `
| Format-Table -auto SAMAccountName,Name,Description
Remove-ADPrincipalGroupMembership -Identity Alfie `
-MemberOf "Enterprise Admins",`
"Schema Admins",`
"Group Policy Creator Owners" `
-PassThru
(Get-ADUser -Identity Alfie -Properties MemberOf).MemberOf
Create and manage OU
New-ADOrganizationalUnit
New-ADOrganizationalUnit -Name Engineering `
-Description 'Engineering department users and computers' `
-DisplayName 'Engineering Department' `
-ProtectedFromAccidentalDeletion $True `
-Path "DC=afd,DC=ink" `
-PassThru
Add computers and users to an OU
Get-Command -Module ActiveDirectory -Verb Move | ft -auto CommandType,Name
CommandType Name
----------- ----
Cmdlet Move-ADDirectoryServer
Cmdlet Move-ADDirectoryServerOperationMasterRole
Cmdlet Move-ADObject
Move-ADObject [-Identity]
[-Confirm] [-AuthType ADAuthType>] [-Credential
[-Partition
[-TargetServer
Get-ADUser -Filter {Description -like "*Engineering*" }
Get-ADOrganizationalUnit -Filter {Name -eq "Engineering" }
Get-ADUser -Filter {Description -like "*Engineering*" } | Move-ADObject `
-TargetPath (Get-ADOrganizationalUnit -Filter {Name -eq "Engineering" }) `
-WhatIf
Get-ADUser -Filter {Description -like "*Engineering*" } | Move-ADObject `
-TargetPath (Get-ADOrganizationalUnit -Filter {Name -eq "Engineering" })
Get-ADComputer -Filter {Description -like "*Harold*" }
Get-ADUser, Get-ADGroup, Get-ADComputer, Get-ADServiceAccount, Get-ADOrganizationalUnit, or Get-ADFineGrainedPasswordPolicy
Move-ADObject -Identity "46df71bd-ba88-4b26-9091-b8db6e07261a" `
-TargetPath " OU=Engineering,DC=afd,DC=ink" `
-PassThru
Chapter 4. Deploy additional domain controllers
ADDSDomainController
ADDSDomainControllerInstallation
ADDCCloningExclusionApplicationList
ADComputer
ADGroupMember
ADDCCloningExcludedApplicationList
ADDCCloneConfigFile
ADComputerServiceAccount
ADServiceAccount
ADDirectoryServerOperationMasterRole
ADDomain
ADForest
ADDomainController
Get-NetAdapter
Set-NetIPInterface
New-NetIPAddress
Set-DnsClientServerAddress
Get-WindowsFeature
Install-WindowsFeature
Get-Credential
Add-Computer
Rename-Computer
Import-Module
Restart-Computer
Stop-Computer
Stop-VM
1. Configure networking
Get-NetAdapter
$Nic = Get-NetAdapter -Name Ethernet0
$Nic | Set-NetIPInterface -DHCP Disabled
$Nic | New-NetIPAddress -AddressFamily IPv4 `
-IPAddress 172.16.8.19 `
-PrefixLength 24 `
-type Unicast `
-DefaultGateway 172.16.8.1
Set-DnsClientServerAddress -InterfaceAlias $Nic.Name `
-ServerAddresses 172.16.8.10,172.16.8.20 `
-PassThru
$NIC | New-NetIPAddress -AddressFamily IPv6 `
-IPAddress 2001:db8:0:10::9 `
-PrefixLength 64 `
-type Unicast `
-DefaultGateway 2001:db8:0:10::1
2. Install the Active Directory role on the server
Get-WindowsFeature `
| Where-Object {$_.DisplayName -match "Active" `
-AND $_.InstallState -eq "Available" } `
| Format-Table -auto DisplayName,Name,InstallState
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
update-Help -SourcePath \\dc01\pshelp -force
3. Join the server to the domain
Rename-Computer dc02 -Force -Restart
$domCred = Get-Credential -UserName "afd\gazh" `
-Message "Enter the Domain password for gazh."
Add-Computer -DomainName "afd.ink" `
-Credential $domCred -NewName ex19 -restart
4. Promote the server to a domain controller
Install-ADDSDomainController
Test-ADDSDomainControllerInstallation `
-NoGlobalCatalog:$false `
-CreateDnsDelegation:$false `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainName "afd.ink" `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SiteName "Default-First-Site-Name" `
-SysvolPath "C:\Windows\SYSVOL" `
-InstallDns:$true `
-Force
Install-ADDSDomainController `
-SkipPreChecks `
-NoGlobalCatalog:$false `
-CreateDnsDelegation:$false `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainName "afd.ink" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SiteName "Default-First-Site-Name" `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true
Manage FSMO roles
five flexible single master operations (FSMO) roles in Windows domains.
Schema master,Domain naming master,RID master,PDC emulator,Infrastructure master
Transfer FSMO roles
Typically, the PDC emulator and the RID master roles for each domain reside on a single domain controller, and the two forest-wide roles, schema master and domain naming master, reside on a single domain controller.
Get-ADForest -Identity afd.ink
Get-ADDomain -Identity afd.ink
Get-ADDomainController -Identity dc01
Move-ADDirectoryServerOperationMasterRole -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster -Identity dc02
Move-ADDirectoryServerOperationMasterRole -OperationMasterRole SchemaMaster,DomainNamingMaster -Identity 'dc02'
Seize FSMO roles
Seizing the operations master roles uses the same command as transferring the roles, except that seizing uses the -Force parameter.
Move-ADDirectoryServerOperationMasterRole -OperationMaster PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster -Identity dc02 -Force
Chapter 5. Deploy read-only domain controllers (RODCs)
ADDSReadOnlyDomainControllerAccount
ADDSDomainController
Add-ADDSReadOnlyDomainControllerAccount `
-DomainControllerAccountName "rodc03" `
-DomainName "afd.ink" `
-SiteName "Default-First-Site-Name" `
-DelegatedAdministratorAccountName "afd\gazh" `
-InstallDNS `
-AllowPasswordReplicationAccountName "gazh","gan","ericz"
Add-ADDSReadOnlyDomainControllerAccount
Test-ADDSReadOnlyDomainControllerAccount
Rename-Computer -NewName rodc03 -Restart -Force
Install-WindowsFeature `
-Name AD-Domain-Services `
-IncludeAllSubFeature `
-IncludeManagementTools
$domCred = Get-Credential -UserName "afd\gazh" `
-Message "Enter your domain credentials"
Install-ADDSDomainController -DomainName "afd.ink" `
-Credential $domCred `
-Force `
-UseExistingAccount:$True
ntdsutil
activate instance ntds
ifm
create sysvol RODC "C:\IFM"
quit
quit
ntdsutil "activate instance ntds" ifm "create sysvol RODC C:\IFM" q q
Add-ADDSReadOnlyDomainControllerAccount `
-DomainControllerAccountName "rodc03" `
-DomainName "afd.ink" `
-SiteName "Default-First-Site-Name" `
-DelegatedAdministratorAccountName "afd\gazh" `
-InstallDNS `
-AllowPasswordReplicationAccountName "gan","gazh","ericz"
Install-WindowsFeature -Name AD-Domain-Services `
-IncludeAllSubFeature `
-IncludeManagementTools
$Nic = Get-NetAdapter -Name Ethernet
$Nic | New-NetIPAddress -AddressFamily IPv4 `
-IPAddress 192.168.10.201 `
-PrefixLength 24 `
-type Unicast `
-DefaultGateway 192.168.10.1
Set-DnsClientServerAddress -InterfaceAlias $Nic.Name `
-ServerAddresses 192.168.10.2,2001:db8:0:10::2 `
-PassThru
$Nic | New-NetIPAddress -AddressFamily IPv6 `
-IPAddress 2001:db8:0:10::c9 `
-PrefixLength 64 `
-type Unicast `
-DefaultGateway 2001:db8:0:10::1
Rename-Computer -NewName rodc03 -Restart -Force