Common commands and concepts of ad


The common command set of active directory server is as follows:

net accounts   View the role of the first domain controller
net accounts    View computer roles
net share       View share
Netdom query FSMO verify operation host role

get-ADforest|FL globalcatalogs   Query all global catalog servers in the current forest
Get-ADDomaincontroller|FT name,ISglobalcatalog   Verify that the login domain controller is a global catalog server

dsquery site    Query all sites in the current domain
dsquery server    : Verify how many local controllers are in the network
Dsquery server – isgc to verify the global catalog server in the network
dsquery ou     View created organizational units
dsquery server -isgc    View all deployed domain controllers in the current network
dsquery computer   – inactive 9 |dsmod computer -disabled yes   Disable computers that have not logged in for more than 63 days

dcdiag / test:netlogons      View SYSVOL share permissions


Ad domain three-tier management system:


Note: organizational units can be nested, that is, organizational units can be created in organizational units. The main difference between an organizational unit and a group is that objects in an organizational unit cannot belong to other organizational units, while objects in a group can belong to other groups.

Explanation of LDAP terms commonly used in Ad

DN: distinguished name. The distinguished name of an entry is called “DN” or distinguished name. DN has three attributes: CN, ou and DC.
DC (Domain Component)
Cn: common name, generally user name or server name, up to 80 characters in Chinese;
Ou: organization unit is the organization unit, which can have up to four levels, and each level can have up to 32 characters in Chinese;
O: Organization is the name of an organization, which can be 3-64 characters long
C: Country is the name of the country, optional, 2 characters long
Uid: userid. The attribute of the object is uid. For example, the employee’s name is ZSQ, and his uid is z02691. When querying with LDAP, you can use CN or uid.

For example: CN = test, Ou = developer, DC = domainname, DC = com
In the above code, CN = test may represent a user name, Ou = developer represents an organizational unit in active directory.
The meaning of this sentence may be that the test object is in the developer organizational unit of the domain.

Group type:
Security group: used to set the user or computer account collection with security related tasks.
Communication group: a group used for communication between users.
Group scope:
Domain local group: it is mainly used to set access rights. Only resources in the same domain can be assigned to domain local group.
Global group: used to organize users and add multiple user accounts with the same permissions to the same global group. It can be seen in the forest and can be used in this domain or other domains with trust relationship.
Universal Group: user accounts, global groups and other universal groups from any domain in the forest, which are available in the whole forest.
The authorization rules can use agdlp rules, that is, the user account joins the global group, then joins the global group to the domain local group, and finally grants permissions to the domain local group











 FSMO (operations master role)

The main functions include: schema modification, add / rename domain, production SID, user authentication, global catalog and other special functions.

The role of schema master is to define all domain object properties, or database fields and storage methods, and scope forest level.

The role of domain naming master is responsible for controlling the addition or deletion of domains in the domain forest and the scope forest level.

The role of PDC host is compatible with low version domain controller, giving priority to be the primary domain browser, giving priority to the replication permission of active directory database (default 5 minutes), time synchronization, and preventing repeated application of group policy. The domain has only one PDC host role.

The role of rid master is to create objects (users, groups, computers, etc.) in the domain. Each object has a unique SID, including domain ID and rid. It can access and migrate domain objects across domains, and confirm the uniqueness of domain objects through rid master.

The infrastructure host role is responsible for updating references to cross domain objects.