AD DS Command Reference

This document collects practical command-line references for Active Directory Domain Services troubleshooting and operations.

The examples use placeholder names such as domain.local, DC1, DC2 and example OU paths. Replace them with environment-specific values only in private or customer-specific documentation.

Scope

This is a learning and reference document for AD DS troubleshooting commands.

It does not include customer environment data, production domain names, credential identifiers or privileged operational evidence.

FSMO

netdom query fsmo
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster

FSMO transfer or seizure

Graceful transfer should be preferred when the original role holder is available.

Move-ADDirectoryServerOperationMasterRole `
  -Identity "DC2" `
  -OperationMasterRole SchemaMaster,RIDMaster,PDCEmulator,InfrastructureMaster,DomainNamingMaster

Forced seizure (the same command with -Force) should be used only when the original role holder will not return.

Move-ADDirectoryServerOperationMasterRole `
  -Identity "DC2" `
  -OperationMasterRole SchemaMaster,RIDMaster,PDCEmulator,InfrastructureMaster,DomainNamingMaster `
  -Force

Replication

repadmin /replsummary
repadmin /showrepl
repadmin /syncall /AeD
repadmin /queue
repadmin /showrepl * /csv > replreport.csv

Secure channel

nltest /sc_query:domain.local
nltest /sc_reset:domain.local

Test-ComputerSecureChannel -Verbose
Test-ComputerSecureChannel -Repair

Domain controller health

dcdiag /v
dcdiag /test:dns /v
dcdiag /s:DC1 /v

DNS

nslookup domain.local
nslookup -type=SRV _ldap._tcp.domain.local
nslookup -type=SRV _kerberos._tcp.domain.local
nslookup -type=SRV _gc._tcp.domain.local

ipconfig /registerdns
net stop netlogon
net start netlogon

Group Policy

gpupdate /force
gpresult /r
gpresult /h report.html

Get-GPInheritance -Target "OU=Sales,DC=domain,DC=local"
Get-GPO -Name "PasswordPolicy" | Get-GPOReport -ReportType Html -Path report.html

Fine-Grained Password Policy

Get-ADFineGrainedPasswordPolicy -Filter *
Get-ADUserResultantPasswordPolicy username

New-ADFineGrainedPasswordPolicy `
  -Name "ExecPolicy" `
  -Precedence 1 `
  -MinPasswordLength 12 `
  -ComplexityEnabled $true `
  -LockoutThreshold 3 `
  -LockoutDuration "00:30:00" `
  -PasswordHistoryCount 24

Add-ADFineGrainedPasswordPolicySubject `
  -Identity "ExecPolicy" `
  -Subjects "ExecutiveUsers"

Event Viewer

eventvwr.msc

Quick troubleshooting flow

1. DNS and SRV record checks
2. Secure channel check
3. Replication check
4. FSMO role holder check
5. Group Policy resultant set check
6. Event log review
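
The flow above as one read-only pass, written as an added example that is not part of the original reference. It assumes a domain-joined management host with RSAT (ActiveDirectory module and repadmin), uses the placeholder domain.local, and reads the Directory Service log on the PDC emulator, which is this example's choice. Step 5 is left to gpresult, which reports per user and computer.

```powershell
# Added example, not from the original page. Read-only checks only.
# Assumptions: domain-joined management host with RSAT (ActiveDirectory
# module, repadmin); 'domain.local' is the page's placeholder domain.
Import-Module ActiveDirectory
$Domain = 'domain.local'
$report = [ordered]@{}

# 1. DNS: every DC locator SRV record should return at least one target.
foreach ($prefix in '_ldap._tcp', '_kerberos._tcp', '_gc._tcp') {
    $srv = Resolve-DnsName -Name "$prefix.$Domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
    $report["SRV $prefix"] = if ($srv) { @($srv).Count } else { 'MISSING' }
}

# 2. Secure channel: $true when this computer's channel to the domain is healthy.
$report['SecureChannel'] = try { Test-ComputerSecureChannel -ErrorAction Stop }
                           catch { "ERROR: $($_.Exception.Message)" }

# 3. Replication: parse the CSV form of showrepl and keep links with failures.
$links  = @(repadmin /showrepl * /csv | ConvertFrom-Csv)
$failed = @($links | Where-Object { [int]$_.'Number of Failures' -gt 0 })
$report['ReplLinks']        = $links.Count
$report['ReplLinksFailing'] = $failed.Count

# 4. FSMO: list the distinct role holders and confirm each answers on LDAP (389).
$d = Get-ADDomain -Identity $Domain
$f = Get-ADForest
$holders = $d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster,
           $f.SchemaMaster, $f.DomainNamingMaster | Sort-Object -Unique
foreach ($h in $holders) {
    $tcp = Test-NetConnection -ComputerName $h -Port 389 -WarningAction SilentlyContinue
    $report["FSMO holder $h LDAP"] = $tcp.TcpTestSucceeded
}

# 6. Event log: critical (1) and error (2) events from the last 24 hours.
# Caveat: an unreachable remote log also yields 0 here, so treat 0 together
# with a failed LDAP test in step 4 as "unknown", not "clean".
$events = @(Get-WinEvent -ComputerName $d.PDCEmulator -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Directory Service'; Level = 1, 2
                        StartTime = (Get-Date).AddHours(-24) })
$report['DS errors 24h (PDCe)'] = $events.Count

# Summary first, then the failing replication links in detail.
$report
$failed | Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
    'Last Failure Status', 'Last Success Time' | Format-Table -AutoSize
```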