The best cmdlets for PowerShell

The Horse's Mouth

Testing the Conditions for Active Directory

The cmdlet Test-ADDSDomainControllerInstallation [1] tests whether the conditions for installing a domain controller are met. For a read-only domain controller, you would do the same thing using Test-ADDSReadOnlyDomainControllerAccountCreation [2].

To test the conditions for installing a new domain in Active Directory, you would instead use Test-ADDSDomainInstallation (Figure 3). Test-ADDSForestInstallation does the same for a new forest based on Windows Server 2012. To run the tests, you must still enter passwords in different places; the cmdlets accept them only as secure input (SecureString). An example of the command is:

Test-ADDSDomainControllerInstallation -DomainName <DNS name of domain> -SafeModeAdministratorPassword <SecureString>

Figure 3: Successfully testing the conditions for installing a new domain controller.

To install a new domain controller, use the Install-ADDSDomainController cmdlet. For this command to work, you need to specify the name of the domain and configure the password for Directory Services Restore Mode as a SecureString. The following command does the trick:

Install-ADDSDomainController -DomainName <DNS name of domain> -SafeModeAdministratorPassword (Read-Host -Prompt "Password" -AsSecureString)
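The test and install steps above can be chained so that promotion only proceeds when every prerequisite check succeeds. This is an added example, not code from the original article; the domain name is a constructed placeholder, and it assumes the test results expose the Status, Context, and Message properties.

```powershell
# Added example (not from the original article). Requires the ADDSDeployment
# module on Windows Server 2012 or later.
Import-Module ADDSDeployment

$domain = 'corp.example.com'   # constructed placeholder

# Prompt once. The DSRM password never appears as plain text in the script,
# on the command line, or in the PowerShell history.
$dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString

# Run the prerequisite checks with the same parameters the install will use.
# Add -Credential if the current account is not allowed to promote DCs.
$results = Test-ADDSDomainControllerInstallation -DomainName $domain `
    -SafeModeAdministratorPassword $dsrm

# Anything other than Success blocks the promotion.
$failed = @($results | Where-Object { $_.Status -ne 'Success' })
if ($failed.Count -gt 0) {
    $failed | Format-List Status, Context, Message | Out-Host
    throw "Prerequisite check failed ($($failed.Count) finding(s)); not promoting."
}

# -WhatIf only reports what would be done; remove it to promote the server.
Install-ADDSDomainController -DomainName $domain `
    -SafeModeAdministratorPassword $dsrm -WhatIf
```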

To demote a domain controller, again your best option is UnInstall-ADDSDomainController. You need to specify at least the local administrator's password, which is defined as a SecureString. The syntax looks like this:

UnInstall-ADDSDomainController -LocalAdministratorPassword (read-host -prompt "Password" -assecurestring)

Running get-help UnInstall-ADDSDomainController gives you more information on the command. You can also rename, reboot, and add servers to domains in PowerShell. To do this, PowerShell provides the following cmdlets:

  • Rename-Computer -NewName <Computername>
  • Add-Computer -DomainName <domain name>
  • Restart-Computer

You can also set up replication in PowerShell. For a list of the available commands, type get-command *adreplication*, and to display help for the cmdlets, use the get-help cmdlet.

You can also create sites in PowerShell with the use of the New-ADReplicationSite <location> command, and you can create new site links, for example, like this:

New-ADReplicationSiteLink CORPORATE-BRANCH1 -SitesIncluded CORPORATE,BRANCH1 -OtherAttributes @{'options'=1}

You can also set the metric and the time frame for synchronization on the command line by setting the appropriate switches:

Set-ADReplicationSiteLink CORPORATE-BRANCH1 -Cost 100 -ReplicationFrequencyInMinutes 15

This call sets the metric to 100 and the replication interval to 15 minutes.

Testing Replication in PowerShell

To discover the replication status, you can use the Get-ADReplicationUpToDatenessVectorTable <server name> cmdlet. For a list of all your servers, do this:

Get-ADReplicationUpToDatenessVectorTable * | sort Partner,Server | ft Partner,Server,UsnFilter

Use the following two cmdlets to view the individual sites and the domain controllers at these sites:

  • Get-ADReplicationSite -Filter * | ft Name
  • Get-ADDomainController -Filter * | ft HostName,Site

To view the replication connections in PowerShell, use the Get-ADReplicationConnection command. PowerShell will also give you detailed information on the individual sites on request. To do this, use Get-ADReplicationSite -Filter *. Other interesting cmdlets in this area are:

  • Get-ADReplicationPartnerMetadata
  • Get-ADReplicationFailure
  • Get-ADReplicationQueueOperation
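A domain controller that has stopped replicating keeps answering with old directory data, so password resets and disabled accounts do not reach it. The following added example (not from the original article) combines Get-ADReplicationPartnerMetadata and Get-ADReplicationFailure into a staleness check; the 60-minute threshold is an assumption derived from the 15-minute interval configured earlier.

```powershell
# Added example (not from the original article); needs the ActiveDirectory module.
Import-Module ActiveDirectory

# Assumed threshold: four missed cycles of the 15-minute replication interval.
$maxAge = New-TimeSpan -Minutes 60
$now    = Get-Date

# Inbound replication state of every DC, for all partitions it hosts.
$stale = foreach ($dc in Get-ADDomainController -Filter *) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -Partition * |
        Where-Object {
            $_.LastReplicationResult -ne 0 -or            # last attempt returned an error
            $null -eq $_.LastReplicationSuccess -or       # never replicated successfully
            ($now - $_.LastReplicationSuccess) -gt $maxAge
        } |
        Select-Object Server, Partner, Partition, LastReplicationSuccess,
                      LastReplicationResult, ConsecutiveReplicationFailures
}

# Failures the domain controllers themselves have recorded, domain-wide.
$failures = Get-ADReplicationFailure -Target (Get-ADDomain).DNSRoot -Scope Domain

if ($stale -or $failures) {
    $stale | Sort-Object Server, Partner | Format-Table -AutoSize | Out-Host
    $failures |
        Format-Table Server, Partner, FailureCount, FirstFailureTime, LastError -AutoSize |
        Out-Host
    Write-Warning 'Replication is stale or failing on the links listed above.'
} else {
    'All partners replicated within the last {0} minutes.' -f $maxAge.TotalMinutes
}
```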

PowerShell Web Access

Windows PowerShell Web Access provides a web-based Windows PowerShell console. In this way, you can run PowerShell commands and scripts from a console in a web browser. You can even use PowerShell Web Access to reach PowerShell on your servers remotely from a smartphone or tablet, which means you can use all the cmdlets that are available on the server. When you install Windows PowerShell Web Access using PowerShell, the administration tools for IIS are not added unless you specify the -IncludeManagementTools parameter:

Install-WindowsFeature -Name WindowsPowershellWebAccess -ComputerName <Servername> -IncludeManagementTools -Restart

The next step is to set up the gateway for PowerShell Web Access. The Install-PswaWebApplication cmdlet provides a quick approach to configuring this. You can install a self-signed SSL certificate with the option -UseTestCertificate; use it for test environments only and bind a certificate from a trusted CA in production. Running this cmdlet installs the PowerShell Web Access web application in the Default Web Site container of IIS; then, you can access the PSWA website on https://<servername>/pswa.

After installing PowerShell Web Access and setting up the gateway with the website and the certificate, you still need to allow users to access PowerShell via Web Access. In a PowerShell session that was opened with the administrative role, run the commands shown in Listing 1.

Listing 1: Allowing Web Access

$applicationPoolName = "<name of application pool for PSWA>"
$authorizationFile = "C:\windows\web\powershellwebaccess\data\AuthorizationRules.xml"
c:\windows\system32\icacls.exe $authorizationFile /grant ('"' + "IIS AppPool\$applicationPoolName" + '":R') > $null

Authorization rules allow a user to access a computer on the network. Access is limited to a specific session configuration. The cmdlet:

Add-PswaAuthorizationRule -UserName Contoso\administrator -ComputerName <computer name> -ConfigurationName microsoft.powershell

grants the "administrator" user in the "contoso" domain access for managing the "<computer name>" computer and use of the "Microsoft.PowerShell" session configuration.
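Because each authorization rule ties a user to a computer and a session configuration, the gateway's exposure depends on how narrowly those three fields are set. The following added example (not from the original article) creates a narrowly scoped rule, verifies it, and audits existing rules for wildcards. The group, server, user, and endpoint names are constructed placeholders, the restricted session configuration is assumed to be registered on the target already, and the rule objects are assumed to expose the User, Destination, and ConfigurationName properties.

```powershell
# Added example (not from the original article). Run in an elevated session
# on the PSWA gateway. All names below are constructed placeholders.

# Scope access to a group, one target, and a restricted endpoint rather than
# a named administrator on the default Microsoft.PowerShell configuration.
Add-PswaAuthorizationRule -RuleName 'Helpdesk-to-SRV01' `
    -UserGroupName 'CONTOSO\PSWA-Helpdesk' `
    -ComputerName 'srv01.contoso.com' `
    -ConfigurationName 'HelpdeskEndpoint'

# Check what a specific user is actually allowed to reach. The cmdlet returns
# the matching rule, or nothing if no rule authorizes the combination.
$match = Test-PswaAuthorizationRule -UserName 'CONTOSO\jdoe' `
    -ComputerName 'srv01.contoso.com' -ConfigurationName 'HelpdeskEndpoint'
if (-not $match) {
    Write-Warning 'CONTOSO\jdoe is not authorized for srv01 / HelpdeskEndpoint.'
}

# Audit: any rule with a wildcard in one of its fields widens what the
# gateway exposes and deserves a second look.
$broad = Get-PswaAuthorizationRule | Where-Object {
    $_.User -eq '*' -or $_.Destination -eq '*' -or $_.ConfigurationName -eq '*'
}
$broad | Format-Table Id, RuleName, User, Destination, ConfigurationName -AutoSize

# Remove a rule by Id once it is confirmed to be unnecessary, for example:
# Remove-PswaAuthorizationRule -Id <rule id>
```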
