Tag: PowerShell

Backup and Restore Group Policy Objects (GPOs)

GPOs can be deleted in two clicks; AD replicates the deletion to every DC, SYSVOL files vanish, and clients drop the policy at next refresh. AD Recycle Bin restores the container in AD but not the SYSVOL GPT files where the actual policy settings live - so per-GPO backup is its own discipline. Walks the full GPMC lifecycle: Back Up All... for a fleet snapshot, Back Up... for one GPO before a risky edit, Manage Backups... for preview-then-restore (View Settings opens an HTML report, Restore overwrites the live GPO), and the manual re-link step that the backup does NOT capture. Plus the PowerShell-only equivalent (Backup-GPO -All / Restore-GPO -Name) for scheduled / scripted use. Includes the four pitfalls (no description = uninformative Manage Backups list, backup-on-the-DC-fails-with-the-DC trap, untested-backup wishful thinking, View-Settings-first habit) and the link-map documentation gotcha.

Change the Retention Period in AD Recycle Bin

AD Recycle Bin defaults to a 180-day recovery window - long enough that 'please restore the user my predecessor deleted last quarter' lands on day 181. Two attributes on CN=Directory Service control end-to-end retention: msDS-DeletedObjectLifetime (Recycle Bin window, fully recoverable with Restore-ADObject) and tombstoneLifetime (permanent-death horizon, garbage collection cutoff). Walks the ADSI Edit edit: connect to the Configuration partition, navigate CN=Configuration / CN=Services / CN=Windows NT / CN=Directory Service, raise both attributes from 180 to 365 (always tombstoneLifetime first - the directory enforces DOL

Reset the Directory Services Restore Mode (DSRM) Password

The DSRM password is the local-Administrator credential a domain controller uses when AD is offline - the only account that works during authoritative restores, ntds.dit corruption recovery, or last-DC rebuilds. Forgetting it means none of those recoveries work when you actually need them. This article walks the full reset + verify cycle on a real DC: rotate the password with ntdsutil (set dsrm password / reset password on server null - takes one minute, no reboot, no downtime), then prove the new credential works by rebooting into DSRM via F8 or 'bcdedit /set safeboot dsrepair', signing in as .\administrator with the new password, observing the directory is offline (NTDS / Intersite Messaging / DFSR / KDC stopped, dsa.msc red-crossed), then rebooting back to normal with 'bcdedit /deletevalue safeboot'. Includes the multi-DC rotation pattern, the local-admin-vs-DSRM-vs-domain-admin distinction, and why storing the DSRM password in an AD-integrated vault is a circular dependency.

Fixed: Trust Relationship Between Workstation and Domain Failed

Every domain-joined Windows machine shares a machine-account password with the domain controller; the password rotates every 30 days, and when the local and DC copies drift apart the secure channel collapses and logon dies with: The trust relationship between this workstation and the primary domain failed. Four working fixes, ordered heaviest to lightest. Solution 1 - drop the machine to a workgroup and rejoin the domain (always works, two reboots). Solution 2 - Reset-ComputerMachinePassword -Credential from PowerShell (one command, no reboot, the cleanest fix). Solution 3 - cache a domain credential in Credential Manager (a workaround, not a fix - the underlying drift is still there). Solution 4 - right-click the computer object in dsa.msc and pick Reset Account, then reboot the client (the right answer when the desktop is unreachable). Includes the four root causes (long offline gap, snapshot restore, cloning without sysprep, replication lag) and which solution best matches each.

Restart Remote Computer with PowerShell

When a remote Windows box hangs and nobody is on site to power-cycle it, the fastest fix is Restart-Computer -ComputerName from your own PowerShell. The default refuses to kick logged-on users; the -Force switch overrides that. Verify with a continuous ping (ping -t) that walks the box through online -> timeout -> back-online states, or use the more PowerShell-native Test-Connection. The article also walks the longer-form alternative: full PowerShell Remoting via Enable-PSRemoting on the target, Enter-PSSession for interactive shells, Invoke-Command for single-shot fleet operations, and the TrustedHosts caveat for workgroup boxes. Includes the common pitfalls (forgetting -Force, expecting workgroup PSRemoting to work without TrustedHosts, restarting DCs without checking replication).

Convert MBR to GPT without Data Loss

MBR caps at 2 TB per disk and four primary partitions; GPT lifts both ceilings (9.4 ZB, 128 primary partitions). For data disks on a running Windows Server, the right tool is DiskGenius - free, online, three clicks per disk, no data movement, no reboot. This article walks the workflow: identify MBR disks with Get-Disk, convert with DiskGenius (right-click - Convert To GUID Partition Table - Save All - Yes), repeat for each disk, verify with Get-Disk, restart the server when the maintenance window allows. Includes why mbr2gpt.exe is the wrong tool for data disks (it is system-disk-only and requires WinPE), the gotchas (skipping Save All, converting from the wrong DAG node, BIOS-only servers and the system-disk constraint), and the difference between the in-place metadata-only conversion DiskGenius does and the copy-everything-over fresh-GPT-disk migration Microsoft suggests.

Remove Orphaned SIDs with PowerShell

An orphaned SID is an ACL entry whose underlying user, group, or computer was deleted but the access control entry was left behind. They show up as raw S-1-5-21-... numbers on the Security tab of AD objects and clutter audit reports without breaking access control. This article ships a complete RemoveOrphanedSID-AD.ps1 PowerShell script that recursively walks AD objects, identifies ACEs whose IdentityReference is a domain-prefixed SID that no longer resolves, and either lists or removes them. Includes the two-pass workflow (list, then remove), the -WhatIf dry-run mode, the AD: PowerShell drive provider details, why RemoveAccessRuleSpecific is the right method, and the common pitfalls (running -Remove first, scoping to forest before testing on one OU, confusing this with file-system ACL cleanup).

Troubleshoot On-Premise Active Directory (DNS Edition)

The three most common AD-DNS failure modes and how to fix each: clients pointing at the wrong DNS server (point at a peer DC + loopback, never the DC's own external IP); the AD-integrated zone gone missing (recreate as Primary AD-integrated, restart Netlogon to re-register SRV records, verify with dcdiag /test:dns); and inter-DC replication broken (repadmin /replsummary, /showrepl, /syncall /A /e /P, plus time skew and firewall checks). Includes the four-tool diagnostic kit (nslookup SRV / dcdiag / repadmin / Event Viewer Directory Service) and 7 common pitfalls.

Manage Hyper-V VM Checkpoints

How Hyper-V checkpoints actually work (differencing-disk chain), when to use them (lab rollback, patch dry-run, demo reset, short-term oh-no insurance), why they aren't a backup, the Production vs Standard distinction (default Production - app-consistent via VSS - safe for most workloads except DC/SQL/Exchange replicas), the GUI flow for create / revert / apply / merge, the Edit Disk wizard for manual merge of orphaned chains, the PowerShell equivalents (Checkpoint-VM, Restore-VMSnapshot, Remove-VMSnapshot), and 7 common pitfalls (don't snapshot a DC, USN rollback, long-lived checkpoints, disk-space crunch, revert vs running VM).

Configure Disk and Volumes in Windows Server

How to add a new disk to a Windows Server, bring it online, initialize it as GPT, create one or more volumes (NTFS / ReFS), and the design choices that decide whether the storage stays predictable or gets weird six months later. Walks the Hyper-V add-disk flow, the Server Manager bring-online + initialize + New Volume Wizard procedure, the NTFS vs ReFS trade-off (general purpose vs resilient / VM-host / backup), the PowerShell equivalent (Get-Disk / Initialize-Disk / New-Partition / Format-Volume), and 7 common pitfalls (MBR by accident, Disk Management on Storage Spaces, wrong file system, forgot Bring Online after reboot, drive-letter collision).

Clean Up Stale DNS Records with PowerShell

One PowerShell script that walks every Primary forward zone on a DNS server and removes every record (A, NS, SRV, CNAME, PTR) that names or points at a demoted host - in one pass. Covers why scavenging alone doesn't catch them, the manual DNS Manager review (zone Properties Name Servers, DomainDnsZones host records, _msdcs SRV records under sites), the full Remove-DNSRecords.ps1 with -WhatIf-first usage, the trailing-dot trap on SRV/NS data, verification with Resolve-DnsName + dcdiag /test:dns, and 7 common pitfalls (skipped -WhatIf, missed trailing dot, non-Primary zones, reverse zones, scavenging assumptions, downstream-DNS confusion, client caches).

Change the IP Address of a Domain Controller

Three GUI clicks to set a new IP, four CLI commands (ipconfig /flushdns, /registerdns, nltest /dsregdns, dcdiag /fix) to re-register with DNS, and one downstream-consumer audit afterwards. Walks the pre-flight (second DC, console access not RDP, replication health, downstream-consumers list), the GUI procedure with screenshots, the PowerShell-only equivalent (Remove-NetIPAddress / New-NetIPAddress / Set-DnsClientServerAddress), DNS-pointer trap (don't point at the DC's old IP), the SRV-records-need-nltest /dsregdns trap, and 7 common pitfalls (RDP'd into it, peer DCs caching old IP, stale scavenger window, FSMO concerns).