Active Directory

Lance LingerfeltMarch 9, 2019

How to transfer FSMO Roles using PowerShell

A rare weekend post for me! HA! I am currently migrating my server environment from VMWare 6.7 to Server 2019 Hyper-V. I have a separate standalone box that I use for my VM backups and as a tertiary DC. Since I had to shut down my VMs in order to convert them, I needed to quickly move my FSMO roles from the DC Virtual Machine to the Standalone box so things would stay running.

I found this great article on how to do that quickly through PowerShell since it is a pain to go into ADUC, ADDT, and setup an MMC for the Schema snap-in.

When you create a domain, all FSMO roles assigned to the first domain controller in the forest by default. You can transfer FSMO roles from one DC to another both the Active Directory graphics snap-ins and the PowerShell command line. Moving FSMO roles using AD PowerShell has the following benefits:

You do not need to connect with a MMC snap-ins to the future role owner;
Transferring or seizing FSMO roles does not require a connection to the current or future role owner. You can run AD-PowerShell module cmdlets on a Windows Client or Server running RSAT Tools;
To seize the FSMO role (if the current owner is not available), it suffices to use an additional parameter -force.

Import the Active Directory Module Into PowerShell:

Import-Module ActiveDirectory

1	Import-Module ActiveDirectory

To get the current forest level FSMO role owners (Domain Naming Master and Schema Master roles) you can use the following PowerShell cmdlet:

Get-ADForest ldlnet.net | ft DomainNamingMaster, SchemaMaster -a -wr

1	Get-ADForest ldlnet.net \| ft DomainNamingMaster, SchemaMaster -a -wr

To view domain-wide FSMO roles (Infrastructure Master, PDC Emulator and Relative Identifier Master roles):

Get-ADDomain ldlnet.net | ft InfrastructureMaster, PDCEmulator, RIDMaster -a -wr

1	Get-ADDomain ldlnet.net \| ft InfrastructureMaster, PDCEmulator, RIDMaster -a -wr

Transfer FSMO Roles using PowerShell

To transfer FSMO roles between Active Directory domain controllers, we use the PowerShell cmdlet:
Move-ADDirectoryServerOperationMasterRole

To use the Move-ADDirectoryServerOperationMasterRole cmdlet, you must meet the following requirements:

There must be at least one DC with a version of Windows Server 2008 R2 or higher
PowerShell version 3.0 or newer
Active Directory module (2.0 or newer)

NOTE: Unlike the Ntdsutil.exe utility, the Move-ADDirectoryServerOperationMasteRole cmdlet can be performed from any domain computer to migrate the Operations Master roles if you have the appropriate rights (Domain admins and Enterprise Admins).

Import the AD Module:

Import-Module ActiveDirectory

1	Import-Module ActiveDirectory

I needed to move all the roles from one server to the other, so, I ran the following to do so:

Move-ADDirectoryServerOperationMasterRole -Identity “servername” –OperationMasterRole DomainNamingMaster,PDCEmulator,RIDMaster,SchemaMaster,InfrastructureMaster -Confirm:$False

1	Move-ADDirectoryServerOperationMasterRole -Identity “servername” –OperationMasterRole DomainNamingMaster,PDCEmulator,RIDMaster,SchemaMaster,InfrastructureMaster -Confirm:$False

NOTE: To simplify the command, you can replace the names of roles with numbers from 0 to 4. The correspondence of names and numbers is given in the table:

PDCEmulator	0
RIDMaster	1
InfrastructureMaster	2
SchemaMaster	3
DomainNamingMaster	4

So, by having knowledge of these numbers, you can simplify your cmdlet:

Move-ADDirectoryServerOperationMasterRole -Identity “servername” –OperationMasterRole 0,1,2,3,4 -Confirm:$False

1	Move-ADDirectoryServerOperationMasterRole -Identity “servername” –OperationMasterRole 0,1,2,3,4 -Confirm:$False

NOTE: In the event that the current owner of one or all of the FSMO roles fails, the forced transfer of FSMO roles is performed by the same command, but with the -Force option. Also, after the FSMO roles have been seized, the domain controller from which the roles was seized should never be connected to the domain. You will need to preform a metadata cleanup of the Schema before even thinking about putting that failed server back into production.

Once completed, I ran the previous cmdlets of Get-ADForest and Get-ADDomain to verify that the FSMO roles moved to the destination server.

As of now, my conversion to Hyper-V is going smoothly, although it takes quite a bit of time to convert the hard disks. Thanks again!

HAPPY TROUBLESHOOTING! KEEP SCRIPTING!
PLEASE COMMENT!

Reference:
How To Transfer FSMO Roles Using PowerShell

Lance LingerfeltFebruary 12, 2019February 12, 2019

Connect to all PowerShell Modules in O365 with one script

Let’s say you’re an admin that needs to connect to Office365 via PowerShell often. Now, there are many different websites or blogs that will show you how to connect to each session via PowerShell. That can cause a headache since you can end up having five different PowerShell sessions running in five different windows. You end up having to enter a username and password all those times, which can become time consuming.

I want to show you here how to combine all those sessions into one script where, if you’re security is tight enough on your computer, you don’t even have to enter credentials. This way, you can click on one icon and pull up all the O365 PowerShell commands that you’ll need to manage your organization.

First you need to download the following PowerShell Module Installation Files so that your PowerShell Database will have the correct modules installed:

Microsoft Online Service Sign-in Assistant for IT Professionals RTW
Windows Azure Active Directory Module for Windows PowerShell v2
SharePoint Online Management Shell
Skype for Business Online, Windows PowerShell Module

Next, we want to setup the CLI (Command Line Interface) to be too cool for school. I have learned it helps to have knowledge of how to customize the CLI window. You can do all of this in PowerShell ISE or Notepad, which ever you prefer. Here are the commands for the script that I use to setup the CLI:

#Set the PowerShell CLI. Make sure you have a directory named "C:\PowerShell"
set-location c:\PowerShell
$a = (Get-Host).UI.RawUI
$a.BackgroundColor = "black"
$a.ForegroundColor = "yellow"
$a.WindowTitle = "(Your Company Name) PowerShell for ALL O365 PowerShell Services"
$curUser= (Get-ChildItem Env:\USERNAME).Value
function prompt {"(Your Company Name) O365 PS: $(get-date -f "hh:mm:ss tt")&gt;"}
$host.UI.RawUI.WindowTitle = "(Your Comapny Name) O365 PowerShell &gt;&gt; User: $curUser &gt;&gt; Current Directory: $((Get-Location).Path)"

#Set the PowerShell CLI. Make sure you have a directory named "C:\PowerShell"

set-location c:\PowerShell

$a = (Get-Host).UI.RawUI

$a.BackgroundColor = "black"

$a.ForegroundColor = "yellow"

$a.WindowTitle = "(Your Company Name) PowerShell for ALL O365 PowerShell Services"

$curUser= (Get-ChildItem Env:\USERNAME).Value

function prompt {"(Your Company Name) O365 PS: $(get-date -f "hh:mm:ss tt")>"}

$host.UI.RawUI.WindowTitle = "(Your Comapny Name) O365 PowerShell >> User: $curUser >> Current Directory: $((Get-Location).Path)"

Next, you want to set your Execution Policy and put in your credentials so that you won’t be prompted to enter the user credentials when you run the script.

NOTE: MAKE SURE YOU KEEP YOUR SCRIPT SAFE AS THE CREDENTIALS ARE VISIBLE WITHIN THE SCRIPT IN PLAIN TEXT!

You can, alternatively, set your script to prompt for credentials every time by using the following:

$LiveCred = Get-Credential

Here is that part of the script:

#Setup Execution Policy and Credentials using your Tenant Admin Credentials
Set-ExecutionPolicy Unrestricted
$user = "tenantadmin@companyname.onmicrosoft.com"
$pass = "adminpassword"
$secpass = $pass | ConvertTo-SecureString -AsPlainText -Force
$LiveCred = New-Object System.Management.Automation.PSCredential -ArgumentList $user, $secpass

#Setup Execution Policy and Credentials using your Tenant Admin Credentials

Set-ExecutionPolicy Unrestricted

$user = "tenantadmin@companyname.onmicrosoft.com"

$pass = "adminpassword"

$secpass = $pass | ConvertTo-SecureString -AsPlainText -Force

$LiveCred = New-Object System.Management.Automation.PSCredential -ArgumentList $user, $secpass

Now we get into the importing of the modules for each O365 service:

Get the MSOnline Module:

#Set up the powershell cmdlets for Office365
Write-Host "Getting MSOnline Module" -ForegroundColor Green
Get-Module MSOnline

#Set up the powershell cmdlets for Office365

Write-Host "Getting MSOnline Module" -ForegroundColor Green

Get-Module MSOnline

Connect to the MSOnline Service:

#Connect the MS Online Service
Write-Host "Connecting to the MSOnline Service" -ForegroundColor Green
Connect-MSOLService -Credential $LiveCred

#Connect the MS Online Service

Write-Host "Connecting to the MSOnline Service" -ForegroundColor Green

Connect-MSOLService -Credential $LiveCred

Connect to Azure AD PowerShell:

#Connect to Azure Ad PowerShell
Write-Host "Connecting to Azure AD PowerShell" -ForegroundColor Green
Connect-AzureAD -Credential $LiveCred

#Connect to Azure Ad PowerShell

Write-Host "Connecting to Azure AD PowerShell" -ForegroundColor Green

Connect-AzureAD -Credential $LiveCred

Connect to SharePoint Online PowerShell:
NOTE – MAKE SURE YOU CHANGE TO YOUR COMPANY NAME IN THE URL!!

#Connect to SharePoint Online PowerShell
Write-Host "Connecting to SharePoint Online through PowerShell" -ForegroundColor Green
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url https://companyname-admin.sharepoint.com -credential $LiveCred

#Connect to SharePoint Online PowerShell

Write-Host "Connecting to SharePoint Online through PowerShell" -ForegroundColor Green

Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking

Connect-SPOService -Url https://companyname-admin.sharepoint.com -credential $LiveCred

Connect to Exchange Online PowerShell:

#Connect to Exchange Powershell
Write-Host "Connecting to Exchange Online through PowerShell" -ForegroundColor Green
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session

#Connect to Exchange Powershell

Write-Host "Connecting to Exchange Online through PowerShell" -ForegroundColor Green

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

Import-PSSession $Session

Connect to Skype For Business Online PowerShell:

#Connect the Skype For Business Online Powershell Module
Write-Host "Connecting to Skype For Business Online through PowerShell" -ForegroundColor Green 
Import-Module SkypeOnlineConnector
$sfboSession = New-CsOnlineSession -Credential $LiveCred
Import-PSSession $sfboSession

#Connect the Skype For Business Online Powershell Module

Write-Host "Connecting to Skype For Business Online through PowerShell" -ForegroundColor Green

Import-Module SkypeOnlineConnector

$sfboSession = New-CsOnlineSession -Credential $LiveCred

Import-PSSession $sfboSession

Connect to the Security & Compliance PowerShell:
NOTE – This one I still get “Access Denied” when trying to connect. I have looked for an answer to that issue, but have not found one. Please comment with a link if you have an answer so that I can update this script!

#Connect the Security & Compliance Center PowerShell Module
Write-Host "Connecting to O365 Security & Compliance Online through PowerShell"-ForegroundColor Green
$SccSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $LiveCred -Verbose -Authentication Basic -AllowRedirection
Import-PSSession $SccSession -Prefix cc

#Connect the Security & Compliance Center PowerShell Module

Write-Host "Connecting to O365 Security & Compliance Online through PowerShell"-ForegroundColor Green

$SccSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $LiveCred -Verbose -Authentication Basic -AllowRedirection

Import-PSSession $SccSession -Prefix cc

Lastly, put in a note to show that the PS load is completed:

Write-Host "Be sure to check for any connectivity errors!" -ForegroundColor Green
Write-Host "Also, Remember to run 'Get-PSSession | Remove-PSSession' before closing your PowerShell Window!" -ForegroundColor Green
Write-Host "Successfully connected to all O365 PowerShell Services for (CompanyName)!" -ForegroundColor Green

Write-Host "Be sure to check for any connectivity errors!" -ForegroundColor Green

Write-Host "Also, Remember to run 'Get-PSSession | Remove-PSSession' before closing your PowerShell Window!" -ForegroundColor Green

Write-Host "Successfully connected to all O365 PowerShell Services for (CompanyName)!" -ForegroundColor Green

So Here is the final script in its entirety:

#Set the PowerShell CLI. Make sure you have a directory named "C:\PowerShell"
set-location c:\PowerShell
$a = (Get-Host).UI.RawUI
$a.BackgroundColor = "black"
$a.ForegroundColor = "yellow"
$a.WindowTitle = "(Your Company Name) PowerShell for ALL O365 PowerShell Services"
$curUser= (Get-ChildItem Env:\USERNAME).Value
function prompt {"(Your Company Name) O365 PS: $(get-date -f "hh:mm:ss tt")&gt;"}
$host.UI.RawUI.WindowTitle = "(Your Company Name) O365 PowerShell &gt;&gt; User: $curUser &gt;&gt; Current Directory: $((Get-Location).Path)"

#Setup Execution Policy and Credentials using your Tenant Admin Credentials
Set-ExecutionPolicy Unrestricted
$user = "tenantadmin@companyname.onmicrosoft.com"
$pass = "adminpassword"
$secpass = $pass | ConvertTo-SecureString -AsPlainText -Force
$LiveCred = New-Object System.Management.Automation.PSCredential -ArgumentList $user, $secpass

#Set up the powershell cmdlets for Office365
Write-Host "Getting MSOnline Module" -ForegroundColor Green
Get-Module MSOnline

#Connect the MS Online Service
Write-Host "Connecting to the MSOnline Service" -ForegroundColor Green
Connect-MSOLService -Credential $LiveCred

#Connect to Azure Ad PowerShell
Write-Host "Connecting to Azure AD PowerShell" -ForegroundColor Green
Connect-AzureAD -Credential $LiveCred

#Connect to SharePoint Online PowerShell
Write-Host "Connecting to SharePoint Online through PowerShell" -ForegroundColor Green
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url https://companyname-admin.sharepoint.com -credential $LiveCred

#Connect to Exchange Powershell
Write-Host "Connecting to Exchange Online through PowerShell" -ForegroundColor Green
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session

#Connect the Skype For Business Online Powershell Module
Write-Host "Connecting to Skype For Business Online through PowerShell" -ForegroundColor Green 
Import-Module SkypeOnlineConnector
$sfboSession = New-CsOnlineSession -Credential $LiveCred
Import-PSSession $sfboSession

#Connect the Security &amp; Compliance Center PowerShell Module
Write-Host "Connecting to O365 Security &amp; Compliance Online through PowerShell"-ForegroundColor Green
$SccSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $LiveCred -Verbose -Authentication Basic -AllowRedirection
Import-PSSession $SccSession -Prefix cc

Write-Host "Be sure to check for any connectivity errors!" -ForegroundColor Green
Write-Host "Also, Remember to run 'Get-PSSession | Remove-PSSession' before closing your PowerShell Window!" -ForegroundColor Green
Write-Host "Successfully connected to all O365 PowerShell Services for (CompanyName)!" -ForegroundColor Green

#Set the PowerShell CLI. Make sure you have a directory named "C:\PowerShell"

set-location c:\PowerShell

$a = (Get-Host).UI.RawUI

$a.BackgroundColor = "black"

$a.ForegroundColor = "yellow"

$a.WindowTitle = "(Your Company Name) PowerShell for ALL O365 PowerShell Services"

$curUser= (Get-ChildItem Env:\USERNAME).Value

function prompt {"(Your Company Name) O365 PS: $(get-date -f "hh:mm:ss tt")>"}

$host.UI.RawUI.WindowTitle = "(Your Company Name) O365 PowerShell >> User: $curUser >> Current Directory: $((Get-Location).Path)"

#Setup Execution Policy and Credentials using your Tenant Admin Credentials

Set-ExecutionPolicy Unrestricted

$user = "tenantadmin@companyname.onmicrosoft.com"

$pass = "adminpassword"

$secpass = $pass | ConvertTo-SecureString -AsPlainText -Force

$LiveCred = New-Object System.Management.Automation.PSCredential -ArgumentList $user, $secpass

#Set up the powershell cmdlets for Office365

Write-Host "Getting MSOnline Module" -ForegroundColor Green

Get-Module MSOnline

#Connect the MS Online Service

Write-Host "Connecting to the MSOnline Service" -ForegroundColor Green

Connect-MSOLService -Credential $LiveCred

#Connect to Azure Ad PowerShell

Write-Host "Connecting to Azure AD PowerShell" -ForegroundColor Green

Connect-AzureAD -Credential $LiveCred

#Connect to SharePoint Online PowerShell

Write-Host "Connecting to SharePoint Online through PowerShell" -ForegroundColor Green

Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking

Connect-SPOService -Url https://companyname-admin.sharepoint.com -credential $LiveCred

#Connect to Exchange Powershell

Write-Host "Connecting to Exchange Online through PowerShell" -ForegroundColor Green

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

Import-PSSession $Session

#Connect the Skype For Business Online Powershell Module

Write-Host "Connecting to Skype For Business Online through PowerShell" -ForegroundColor Green

Import-Module SkypeOnlineConnector

$sfboSession = New-CsOnlineSession -Credential $LiveCred

Import-PSSession $sfboSession

#Connect the Security & Compliance Center PowerShell Module

Write-Host "Connecting to O365 Security & Compliance Online through PowerShell"-ForegroundColor Green

Import-PSSession $SccSession -Prefix cc

Write-Host "Be sure to check for any connectivity errors!" -ForegroundColor Green

Write-Host "Also, Remember to run 'Get-PSSession | Remove-PSSession' before closing your PowerShell Window!" -ForegroundColor Green

Write-Host "Successfully connected to all O365 PowerShell Services for (CompanyName)!" -ForegroundColor Green

Now you can create your icon for your desktop so that you can easily access the script. I would save the script to your Scripts directory.

That will usually be C:\Users\’username’\Documents\WindowsPowerShell\Scripts or wherever directory you choose.

To start, right click the desktop and choose New > Shortcut
In the Target Field, enter the following for your PowerShell Shortcut, pointing to the path of your script:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -ExecutionPolicy Unrestricted -File “C:\Users\username\Documents\WindowsPowerShell\Scripts\ConnectO365All.ps1”

Click on the Advanced button and check the box: Run As Administrator
Under the General Tab, name your shortcut: (CompanyName) O365 All PowerShell
Click OK to save the shortcut to your desktop.

LAST BUT NOT LEAST, RUN THE FOLLOWING COMMAND BEFORE EXITING OR CLOSING YOUR POWERSHELL WINDOW. THIS WILL REMOVE ALL THE SESSIONS YOU’VE CONNECTED TO:

Get-PSSession | Remove-PSSession

HAPPY SCRIPTING!
LEARN, DO, LIVE!

References:
Connect to all O365 Services in one PowerShell Window
How to connect to all O365 Services through PowerShell
Connecting to Office 365 “Everything” via PowerShell

Lance LingerfeltJanuary 15, 2019

MaxConcurrentAPI Script for Netlogon Issues

I get incidents from time to time that deal with Netlogon Service Issues. For example: Semaphore Waiters, Semaphore Timeouts, Semaphore Acquires, etc…

Here is a script I got from the Microsoft Gallery
In some enterprise environments the sheer volume of NTLM authentication can produce performance bottlenecks on servers. To help make the problem easier to detect, this PowerShell script was written.

PARAM ([Switch]$CheckMaxConcurrentApi, [switch]$GetNetlogonInstances, [string]$Computer = "Localhost", [string]$Instance = "_Total", [bool]$CalcMCA = $False)
#************************************************
# CheckMaxConcurrentApiScript.ps1
# Version 1.0
# Date: 3/22/2013
# Author: Tim Springston [MSFT]
# Description:Uses .Net methods and WMI to query
#                a remote or local computer for MaxConcurrentApi
#               problems and return details back in a PSObject.
#************************************************
function CheckMaxConcurrentApi ([string]$InstanceName = "_Total", [string]$ComputerName = "localhost", [bool]$Calc = $false)
{   
	#This function takes three optional parameters to select Netlogon Instance (can be obtained by using
	#sister function GetNetlogonInstances, computer to run against and whether to run
	#MaxConcurrentApi calculation-which takes longer.
    #It returns details about the computer, whether the problem is detected, and suggested MaxConcurrentApi value.
	$ProblemDetected = $false
	$Date = Get-Date
 
	#Get role, OSVer, hotfix data.
	$cs =  gwmi -Namespace "root\cimv2" -class win32_computersystem -Impersonation 3 -ComputerName $ComputerName
	$DomainRole = $cs.domainrole
	$OSVersion = gwmi -Namespace "root\cimv2" -Class Win32_OperatingSystem -Impersonation 3 -ComputerName $ComputerName
	$bn = $OSVersion.BuildNumber
	$150Hotfix = $false
 
	#Determine how long the computer has been running since last reboot.
	$wmi = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
	$LocalDateTime = $wmi.LocalDateTime
	$Uptime = $wmi.ConvertToDateTime($wmi.LocalDateTime) – $wmi.ConvertToDateTime($wmi.LastBootUpTime)
	$Days = $Uptime.Days.ToString()
	$Hours = $Uptime.Hours.ToString()
	$UpTimeStatement = $Days + " days " + $Hours + " hours"
 
	#Get SystemRoot so that we can map the right drive for checking file versions.
	$objReg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine',$ComputerName)
	$ObjRegKey = $ObjReg.OpenSubKey("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion")
	$SystemRoot = $ObjRegKey.GetValue("SystemRoot")
 
	#Parse the drive letter for the remote systemroot and then map the network drive. First though
	#make sure the drive you will map to doesnt exist already.
	$Drives = gwmi -Namespace "root\cimv2"  -ComputerName $ComputerName -Impersonation Impersonate -Class Win32_LogicalDisk
	$DriveLetters = @()
	ForEach ($Drive in $Drives)
		{
		  $Caption = $Drive.Caption
		  $DriveLetters += $Caption
		  $Caption = $null
		}
 
	if ($ComputerName -ne "localhost")
		{
			$PossibleLetters = [char[]]"DEFGHIJKLMNOPQRTUVWXY" 
			$devices = get-wmiobject win32_logicaldisk | select -expand DeviceID
			$PossibleLetters | where {$DriveLetters -notcontains "$($_):"} | Select -First 1 | % {
			$AvailableDriveLetter = $_
			}
			$DriveToMap = $SystemRoot
			$DriveToMap = $DriveToMap.Replace(":\Windows","")
			$DriveToMap = "\\" + $ComputerName + "\" + $DriveToMap + "$"
			$AvailableDriveLetter = $AvailableDriveLetter  + ":"
			$NETUSEReturn = net use $AvailableDriveLetter $DriveToMap
			$RemoteSystem32Folder = $AvailableDriveLetter + "\Windows\System32"
			$NetlogonDll = $RemoteSystem32Folder + "\Netlogon.dll"
		}
		else
			{
			 $NetlogonDll = $SystemRoot + "\System32\Netlogon.dll"
			}
 
	#Check the file versions for the hotfixes.
	$FileVer = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($NetlogonDll).FileVersion
	switch -exact ($bn)
		{"6002" {#Hotfix Check for MCA to 150 KB975363 http://support.microsoft.com/kb/975363
				 $6002HotfixVer = "6.0.6002.22289"
				 if ($6002HotfixVer -eq $FileVer)
				     {$150Hotfix = $true}
				}
		"7600" {#Hotfix Check for MCA to 150 KB975363 http://support.microsoft.com/kb/975363
				$7600HotfixVer = "6.1.7600.20576"
				if ($7600HotfixVer -eq $FileVer)
					{$150Hotfix = $true}
				}
		"7601" {#Hotfix Check for MCA to 150 KB975363 http://support.microsoft.com/kb/975363
				$150Hotfix = $true
				}
		}
	if ($ComputerName -ne "localhost")
		{
		$NETUSEReturn = net use $AvailableDriveLetter /d
		}
 
	#Determine effective MaxConcurrentApi setting based on OS, hotfix presence, role and registry setting.
	$objReg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
	$objRegKey= $objReg.OpenSubKey("SYSTEM\\CurrentControlSet\\services\\Netlogon\\Parameters")
	$MCARegVal = $objRegKey.GetValue('MaxConcurrentApi')
	$CurrentMCA = 0
	if  ($DomainRole -gt 1)
			{    
			if ($bn -ge 9200)
				{
				If (($MCARegVal -lt 10) -or ($MCARegVal -eq $null) -or ($MCARegVal -gt 9999))
					{$CurrentMCA = 10}
					elseif (($MCARegVal -gt 10)    -and ($MCARegVal -lt 9999))
						{$CurrentMCA = $MCARegVal}
				}
				else
					{        
					If (($MCARegVal -gt 10) -and ($150Hotfix -eq $true))
						{        
						$CurrentMCA = $MCARegVal}
						elseif (($MCARegVal -gt 10) -and ($150Hotfix -eq $false))    
							{$CurrentMCA = 2}
							elseif (( $MCARegVal -gt 2 ) -and ($MCARegVal -le 10))
								{$CurrentMCA = $MCARegVal}
								elseif ($MCARegVal -lt 2)
									{$CurrentMCA = 2}
									elseif ($MCARegVal -eq $null)
										{$CurrentMCA = 2}
					}
				}
 
	#Get a sample of the counters.
	$Category = "Netlogon"
	$CounterASHT = "Average Semaphore Hold Time"
	$CounterST = "Semaphore Timeouts"
	$CounterSA = "Semaphore Acquires"
	$CounterSH = "Semaphore Holders"
	$CounterSW = "Semaphore Waiters"
	#Query remote computer for counters.
	$NetlogonRemoteASHT = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterASHT,$InstanceName,$ComputerName)
	$NetlogonRemoteST = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterST,$InstanceName,$ComputerName)
	$NetlogonRemoteSA = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterSA,$InstanceName,$ComputerName)
	$NetlogonRemoteSW = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterSW,$InstanceName,$ComputerName)
	$NetlogonRemoteSH = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterSH,$InstanceName,$ComputerName)
	#Cook values
	$CookedASHT = $NetlogonRemoteASHT.NextValue()
	$CookedST = $NetlogonRemoteST.NextValue()
	$CookedSA = $NetlogonRemoteSA.NextValue()
	$CookedSW = $NetlogonRemoteSW.NextValue()
	$CookedSH = $NetlogonRemoteSH.NextValue()
	if ((($CookedSW -gt 0) -and (-not($CookedSW -gt 4GB))) -or ($CookedSH -eq $CurrentMCA) -or ((($CookedST -gt 0) -and (-not($CookedST -gt 4GB))) -and (($CookedSW -gt 0) -and (-not($CookedSW -gt 4GB)))))
				{$ProblemDetected = $true}
 
	#Do a second data sample and compare results in order to run the "suggested MCA" math.
	if (($ProblemDetected -eq $true) -and ($Calc -eq $true))
		{
		Start-Sleep -Seconds 60
		$NetlogonRemoteASHT = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterASHT,$InstanceName,$ComputerName)
		$NetlogonRemoteST = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterST,$InstanceName,$ComputerName)
		$NetlogonRemoteSA = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterSA,$InstanceName,$ComputerName)
		$NetlogonRemoteSW = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterSW,$InstanceName,$ComputerName)
		$NetlogonRemoteSH = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterSH,$InstanceName,$ComputerName)
		#Cook values
		$SecondCookedASHT = $NetlogonRemoteASHT.NextValue()
		$SecondCookedST = $NetlogonRemoteST.NextValue()
		$SecondCookedSA = $NetlogonRemoteSA.NextValue()
		$SecondCookedSW = $NetlogonRemoteSW.NextValue()
		$SecondCookedSH = $NetlogonRemoteSH.NextValue()
		#Next, calculate the suggested MCA 
	                            #using formula from http://support.microsoft.com/kb/2688798
	                            #(semaphore_acquires + semaphore_timeouts) * average_semaphore_hold_time / time_collection_length =< New_MaxConcurrentApi_setting
							 #subtract Sample1SA from Sample2SA = SampleSADelta
							 $SampleSADelta = ($SecondCookedSA - $CookedSA)
							 $SampleSTDelta = ($SecondCookedST - $CookedST)
							 $ASHT = ($SecondCookedASHT + $CookedASHT)
							 $SampleASHTDelta = ($ASHT / 2 )
							 $SamplesDeltaSAST = ($SampleSADelta + $SampleSTDelta)
							 $AllSampleDeltas = ($SampleASHTDelta * $SamplesDeltaSAST)
						     $AllSampleDeltas /= 90
							 $SuggestedMCA = $AllSampleDeltas
							 $SuggestedMCA = "{0:N0}" -f $SuggestedMCA
							 if ($SuggestedMCA -le 2)
								{$SuggestedMCA = $CurrentMCA}
		}
	#Create PSObject for returned data.
	$ReturnedData = New-Object PSObject
	add-member -inputobject $ReturnedData  -membertype noteproperty -name "Detection Time" -value $Date
	add-member -inputobject $ReturnedData  -membertype noteproperty -name "Problem Detected" -value $ProblemDetected
	add-member -inputobject $ReturnedData  -membertype noteproperty -name "Server Name" -value $cs.Name
	if ($cs.DomainRole -le 1)
		{add-member -inputobject $ReturnedData  -membertype noteproperty -name "Server Role" -value "Client"}
	if (($cs.DomainRole -eq 3) -or ($cs.DomainRole -eq 2))
		{add-member -inputobject $ReturnedData  -membertype noteproperty -name "Server Role" -value "Member Server"}
	if ($cs.DomainRole -ge 4)
		{add-member -inputobject $ReturnedData  -membertype noteproperty -name "Server Role" -value "Domain Controller"}
	add-member -inputobject $ReturnedData  -membertype noteproperty -name "Domain Name" -value $cs.Domain
	add-member -inputobject $ReturnedData  -membertype noteproperty -name "Operating System" -value $OSVersion.Caption
	add-member -inputobject $ReturnedData  -membertype noteproperty -name "Time Since Last Reboot" -value $UpTimeStatement
	add-member -inputobject $ReturnedData  -membertype noteproperty -name "Current Effective MaxConcurrentApi Setting" -value $CurrentMCA
	if ($SuggestedMCA -eq $null)
		{add-member -inputobject $ReturnedData  -membertype noteproperty -name "Suggested MaxConcurrentApi Setting (may be same as current)" -value $CurrentMCA}
		else
		{add-member -inputobject $ReturnedData  -membertype noteproperty -name "Suggested MaxConcurrentApi Setting (may be same as current)" -value $SuggestedMCA}
	add-member -inputobject $ReturnedData  -membertype noteproperty -name "Current Threads in Use (Semaphore Holders)" -value $CookedSH
	add-member -inputobject $ReturnedData  -membertype noteproperty -name "Clients Currently Waiting (Semaphore Waiters)" -value $CookedSW
	add-member -inputobject $ReturnedData  -membertype noteproperty -name "Cumulative Client Timeouts (Semaphore Timeouts) " -value $CookedST
	add-member -inputobject $ReturnedData  -membertype noteproperty -name "Cumulative MaxConcurrentApi Thread Uses (Semaphore Acquires)" -value $CookedSA
	add-member -inputobject $ReturnedData  -membertype noteproperty -name "Duration of Calls (Avg Semaphore Hold Time)" -value $CookedASHT
	return $ReturnedData
}
 
function GetNetlogonInstances ([string]$RemoteComputerName = "localhost")
	{
	 #This function takes a computer name as input (default to local computer) and returns
	 #the instances-analagous to secure channels-a computer has. 
	 #Format returned is \\hostname.domainname.com.
	 
	 if ($RemoteComputerName -eq $null)
	     {
		$LocalNetlogon = New-Object System.Diagnostics.PerformanceCounterCategory("Netlogon",$RemoteComputerName)
		$LocalInstances = $LocalNetlogon.GetInstanceNames()
	    $AllLocalInstances = @()
		foreach ($LocalInstance in $LocalInstances)
			{    
	          if ($LocalInstance -ne "_total")
	             {
				 $AllLocalInstances += $LocalInstance
				}         
			} 
			if ($AllLocalInstances -eq $null)
				{
				WriteTo-StdOut "The local computer was missing its DC perf instance so getting DC name from WMI." -shortformat
 
				$Query = "select * from win32_ntdomain where description = '" + $env:userdomain + "'"
				$v2 = get-wmiobject -query $Query
				$DCName = $v2.DomainControllerName
				$AllLocalInstances += $DCName
				WriteTo-StdOut "DCName is $AllLocalInstances" -shortformat
				}
		return $AllLocalInstances
		}
		else
		{
		$RemoteNetlogon = New-Object System.Diagnostics.PerformanceCounterCategory("Netlogon",$RemoteComputerName)
		$RemoteInstances = $RemoteNetlogon.GetInstanceNames()
		$AllRemoteInstances = @()
		foreach ($RemoteInstance in $RemoteInstances)
			{    
	          if ($RemoteInstance -ne "_Total")
	             {
				 $AllRemoteInstances += $RemoteInstance
				}
			}
			if ($AllRemoteInstances -eq $null)
				{
				#If the local computer was missing its DC perf instance so getting DC name from WMI.
				$Query = "select * from win32_ntdomain where description = '" + $env:userdomain + "'"
				$v2 = get-wmiobject -query $Query
				$DCName = $v2.DomainControllerName
				$AllRemoteInstances += $DCName
				}
		return $AllRemoteInstances
		}
	}
 
if (($CheckMaxConcurrentApi) -and ($Instance -ne "_Total") -and ($Computer -ne "Localhost") -and ($CalcMCA -eq $true))
	{CheckMaxConcurrentApi -instancename $Instance -ComputerName $Computer -Calc $CalcMCA  | FL }
elseif (($CheckMaxConcurrentApi) -and ($Instance -ne "_Total") -and ($Computer -ne "Localhost"))
	{CheckMaxConcurrentApi -instancename $Instance -ComputerName $Computer | FL }
elseif (($CheckMaxConcurrentApi) -and ($Instance -ne "_Total"))
	{CheckMaxConcurrentApi -instancename $Instance  | FL}
elseif (($CheckMaxConcurrentApi) -and ($Computer -ne "Localhost"))
	{CheckMaxConcurrentApi -ComputerName $Computer  | FL}
elseif (($CheckMaxConcurrentApi) -and ($CalcMCA -eq $true))
	{CheckMaxConcurrentApi -Calc $calcmca  | FL}
elseif ($CheckMaxConcurrentApi)
	{CheckMaxConcurrentApi | FL}
if (($GetNetlogonInstances) -and ($Computer -ne "Localhost"))
	{GetNetlogonInstances  | FL}
elseif ($GetNetlogonInstances) 
{GetNetlogonInstances -RemoteComputerName $Computer | FL}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

PARAM ([Switch]$CheckMaxConcurrentApi, [switch]$GetNetlogonInstances, [string]$Computer = "Localhost", [string]$Instance = "_Total", [bool]$CalcMCA = $False)

#************************************************

# CheckMaxConcurrentApiScript.ps1

# Version 1.0

# Date: 3/22/2013

# Author: Tim Springston [MSFT]

# Description:Uses .Net methods and WMI to query

# a remote or local computer for MaxConcurrentApi

# problems and return details back in a PSObject.

#************************************************

function CheckMaxConcurrentApi ([string]$InstanceName = "_Total", [string]$ComputerName = "localhost", [bool]$Calc = $false)

{

#This function takes three optional parameters to select Netlogon Instance (can be obtained by using

#sister function GetNetlogonInstances, computer to run against and whether to run

#MaxConcurrentApi calculation-which takes longer.

#It returns details about the computer, whether the problem is detected, and suggested MaxConcurrentApi value.

$ProblemDetected = $false

$Date = Get-Date

#Get role, OSVer, hotfix data.

$cs = gwmi -Namespace "root\cimv2" -class win32_computersystem -Impersonation 3 -ComputerName $ComputerName

$DomainRole = $cs.domainrole

$OSVersion = gwmi -Namespace "root\cimv2" -Class Win32_OperatingSystem -Impersonation 3 -ComputerName $ComputerName

$bn = $OSVersion.BuildNumber

$150Hotfix = $false

#Determine how long the computer has been running since last reboot.

$wmi = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName

$LocalDateTime = $wmi.LocalDateTime

$Uptime = $wmi.ConvertToDateTime($wmi.LocalDateTime) – $wmi.ConvertToDateTime($wmi.LastBootUpTime)

$Days = $Uptime.Days.ToString()

$Hours = $Uptime.Hours.ToString()

$UpTimeStatement = $Days + " days " + $Hours + " hours"

#Get SystemRoot so that we can map the right drive for checking file versions.

$objReg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine',$ComputerName)

$ObjRegKey = $ObjReg.OpenSubKey("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion")

$SystemRoot = $ObjRegKey.GetValue("SystemRoot")

#Parse the drive letter for the remote systemroot and then map the network drive. First though

#make sure the drive you will map to doesnt exist already.

$Drives = gwmi -Namespace "root\cimv2" -ComputerName $ComputerName -Impersonation Impersonate -Class Win32_LogicalDisk

$DriveLetters = @()

ForEach ($Drive in $Drives)

{

$Caption = $Drive.Caption

$DriveLetters += $Caption

$Caption = $null

}

if ($ComputerName -ne "localhost")

{

$PossibleLetters = [char[]]"DEFGHIJKLMNOPQRTUVWXY"

$devices = get-wmiobject win32_logicaldisk | select -expand DeviceID

$PossibleLetters | where {$DriveLetters -notcontains "$($_):"} | Select -First 1 | % {

$AvailableDriveLetter = $_

}

$DriveToMap = $SystemRoot

$DriveToMap = $DriveToMap.Replace(":\Windows","")

$DriveToMap = "\\" + $ComputerName + "\" + $DriveToMap + "$"

$AvailableDriveLetter = $AvailableDriveLetter + ":"

$NETUSEReturn = net use $AvailableDriveLetter $DriveToMap

$RemoteSystem32Folder = $AvailableDriveLetter + "\Windows\System32"

$NetlogonDll = $RemoteSystem32Folder + "\Netlogon.dll"

}

else

{

$NetlogonDll = $SystemRoot + "\System32\Netlogon.dll"

}

#Check the file versions for the hotfixes.

$FileVer = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($NetlogonDll).FileVersion

switch -exact ($bn)

{"6002" {#Hotfix Check for MCA to 150 KB975363 http://support.microsoft.com/kb/975363

$6002HotfixVer = "6.0.6002.22289"

if ($6002HotfixVer -eq $FileVer)

{$150Hotfix = $true}

}

"7600" {#Hotfix Check for MCA to 150 KB975363 http://support.microsoft.com/kb/975363

$7600HotfixVer = "6.1.7600.20576"

if ($7600HotfixVer -eq $FileVer)

{$150Hotfix = $true}

}

"7601" {#Hotfix Check for MCA to 150 KB975363 http://support.microsoft.com/kb/975363

$150Hotfix = $true

}

if ($ComputerName -ne "localhost")

{

$NETUSEReturn = net use $AvailableDriveLetter /d

}

#Determine effective MaxConcurrentApi setting based on OS, hotfix presence, role and registry setting.

$objReg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)

$objRegKey= $objReg.OpenSubKey("SYSTEM\\CurrentControlSet\\services\\Netlogon\\Parameters")

$MCARegVal = $objRegKey.GetValue('MaxConcurrentApi')

$CurrentMCA = 0

if ($DomainRole -gt 1)

{

if ($bn -ge 9200)

{

If (($MCARegVal -lt 10) -or ($MCARegVal -eq $null) -or ($MCARegVal -gt 9999))

{$CurrentMCA = 10}

elseif (($MCARegVal -gt 10) -and ($MCARegVal -lt 9999))

{$CurrentMCA = $MCARegVal}

}

else

{

If (($MCARegVal -gt 10) -and ($150Hotfix -eq $true))

{

$CurrentMCA = $MCARegVal}

elseif (($MCARegVal -gt 10) -and ($150Hotfix -eq $false))

{$CurrentMCA = 2}

elseif (( $MCARegVal -gt 2 ) -and ($MCARegVal -le 10))

{$CurrentMCA = $MCARegVal}

elseif ($MCARegVal -lt 2)

{$CurrentMCA = 2}

elseif ($MCARegVal -eq $null)

{$CurrentMCA = 2}

}

#Get a sample of the counters.

$Category = "Netlogon"

$CounterASHT = "Average Semaphore Hold Time"

$CounterST = "Semaphore Timeouts"

$CounterSA = "Semaphore Acquires"

$CounterSH = "Semaphore Holders"

$CounterSW = "Semaphore Waiters"

#Query remote computer for counters.

$NetlogonRemoteASHT = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterASHT,$InstanceName,$ComputerName)

$NetlogonRemoteST = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterST,$InstanceName,$ComputerName)

$NetlogonRemoteSA = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterSA,$InstanceName,$ComputerName)

$NetlogonRemoteSW = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterSW,$InstanceName,$ComputerName)

$NetlogonRemoteSH = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterSH,$InstanceName,$ComputerName)

#Cook values

$CookedASHT = $NetlogonRemoteASHT.NextValue()

$CookedST = $NetlogonRemoteST.NextValue()

$CookedSA = $NetlogonRemoteSA.NextValue()

$CookedSW = $NetlogonRemoteSW.NextValue()

$CookedSH = $NetlogonRemoteSH.NextValue()

if ((($CookedSW -gt 0) -and (-not($CookedSW -gt 4GB))) -or ($CookedSH -eq $CurrentMCA) -or ((($CookedST -gt 0) -and (-not($CookedST -gt 4GB))) -and (($CookedSW -gt 0) -and (-not($CookedSW -gt 4GB)))))

{$ProblemDetected = $true}

#Do a second data sample and compare results in order to run the "suggested MCA" math.

if (($ProblemDetected -eq $true) -and ($Calc -eq $true))

{

Start-Sleep -Seconds 60

$NetlogonRemoteASHT = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterASHT,$InstanceName,$ComputerName)

$NetlogonRemoteST = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterST,$InstanceName,$ComputerName)

$NetlogonRemoteSA = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterSA,$InstanceName,$ComputerName)

$NetlogonRemoteSW = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterSW,$InstanceName,$ComputerName)

$NetlogonRemoteSH = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterSH,$InstanceName,$ComputerName)

#Cook values

$SecondCookedASHT = $NetlogonRemoteASHT.NextValue()

$SecondCookedST = $NetlogonRemoteST.NextValue()

$SecondCookedSA = $NetlogonRemoteSA.NextValue()

$SecondCookedSW = $NetlogonRemoteSW.NextValue()

$SecondCookedSH = $NetlogonRemoteSH.NextValue()

#Next, calculate the suggested MCA

#using formula from http://support.microsoft.com/kb/2688798

#(semaphore_acquires + semaphore_timeouts) * average_semaphore_hold_time / time_collection_length =< New_MaxConcurrentApi_setting

#subtract Sample1SA from Sample2SA = SampleSADelta

$SampleSADelta = ($SecondCookedSA - $CookedSA)

$SampleSTDelta = ($SecondCookedST - $CookedST)

$ASHT = ($SecondCookedASHT + $CookedASHT)

$SampleASHTDelta = ($ASHT / 2 )

$SamplesDeltaSAST = ($SampleSADelta + $SampleSTDelta)

$AllSampleDeltas = ($SampleASHTDelta * $SamplesDeltaSAST)

$AllSampleDeltas /= 90

$SuggestedMCA = $AllSampleDeltas

$SuggestedMCA = "{0:N0}" -f $SuggestedMCA

if ($SuggestedMCA -le 2)

{$SuggestedMCA = $CurrentMCA}

}

#Create PSObject for returned data.

$ReturnedData = New-Object PSObject

add-member -inputobject $ReturnedData -membertype noteproperty -name "Detection Time" -value $Date

add-member -inputobject $ReturnedData -membertype noteproperty -name "Problem Detected" -value $ProblemDetected

add-member -inputobject $ReturnedData -membertype noteproperty -name "Server Name" -value $cs.Name

if ($cs.DomainRole -le 1)

{add-member -inputobject $ReturnedData -membertype noteproperty -name "Server Role" -value "Client"}

if (($cs.DomainRole -eq 3) -or ($cs.DomainRole -eq 2))

{add-member -inputobject $ReturnedData -membertype noteproperty -name "Server Role" -value "Member Server"}

if ($cs.DomainRole -ge 4)

{add-member -inputobject $ReturnedData -membertype noteproperty -name "Server Role" -value "Domain Controller"}

add-member -inputobject $ReturnedData -membertype noteproperty -name "Domain Name" -value $cs.Domain

add-member -inputobject $ReturnedData -membertype noteproperty -name "Operating System" -value $OSVersion.Caption

add-member -inputobject $ReturnedData -membertype noteproperty -name "Time Since Last Reboot" -value $UpTimeStatement

add-member -inputobject $ReturnedData -membertype noteproperty -name "Current Effective MaxConcurrentApi Setting" -value $CurrentMCA

if ($SuggestedMCA -eq $null)

{add-member -inputobject $ReturnedData -membertype noteproperty -name "Suggested MaxConcurrentApi Setting (may be same as current)" -value $CurrentMCA}

else

{add-member -inputobject $ReturnedData -membertype noteproperty -name "Suggested MaxConcurrentApi Setting (may be same as current)" -value $SuggestedMCA}

add-member -inputobject $ReturnedData -membertype noteproperty -name "Current Threads in Use (Semaphore Holders)" -value $CookedSH

add-member -inputobject $ReturnedData -membertype noteproperty -name "Clients Currently Waiting (Semaphore Waiters)" -value $CookedSW

add-member -inputobject $ReturnedData -membertype noteproperty -name "Cumulative Client Timeouts (Semaphore Timeouts) " -value $CookedST

add-member -inputobject $ReturnedData -membertype noteproperty -name "Cumulative MaxConcurrentApi Thread Uses (Semaphore Acquires)" -value $CookedSA

add-member -inputobject $ReturnedData -membertype noteproperty -name "Duration of Calls (Avg Semaphore Hold Time)" -value $CookedASHT

return $ReturnedData

}

function GetNetlogonInstances ([string]$RemoteComputerName = "localhost")

{

#This function takes a computer name as input (default to local computer) and returns

#the instances-analagous to secure channels-a computer has.

#Format returned is \\hostname.domainname.com.

if ($RemoteComputerName -eq $null)

{

$LocalNetlogon = New-Object System.Diagnostics.PerformanceCounterCategory("Netlogon",$RemoteComputerName)

$LocalInstances = $LocalNetlogon.GetInstanceNames()

$AllLocalInstances = @()

foreach ($LocalInstance in $LocalInstances)

{

if ($LocalInstance -ne "_total")

{

$AllLocalInstances += $LocalInstance

}

if ($AllLocalInstances -eq $null)

{

WriteTo-StdOut "The local computer was missing its DC perf instance so getting DC name from WMI." -shortformat

$Query = "select * from win32_ntdomain where description = '" + $env:userdomain + "'"

$v2 = get-wmiobject -query $Query

$DCName = $v2.DomainControllerName

$AllLocalInstances += $DCName

WriteTo-StdOut "DCName is $AllLocalInstances" -shortformat

}

return $AllLocalInstances

}

else

{

$RemoteNetlogon = New-Object System.Diagnostics.PerformanceCounterCategory("Netlogon",$RemoteComputerName)

$RemoteInstances = $RemoteNetlogon.GetInstanceNames()

$AllRemoteInstances = @()

foreach ($RemoteInstance in $RemoteInstances)

{

if ($RemoteInstance -ne "_Total")

{

$AllRemoteInstances += $RemoteInstance

}

if ($AllRemoteInstances -eq $null)

{

#If the local computer was missing its DC perf instance so getting DC name from WMI.

$Query = "select * from win32_ntdomain where description = '" + $env:userdomain + "'"

$v2 = get-wmiobject -query $Query

$DCName = $v2.DomainControllerName

$AllRemoteInstances += $DCName

}

return $AllRemoteInstances

}

if (($CheckMaxConcurrentApi) -and ($Instance -ne "_Total") -and ($Computer -ne "Localhost") -and ($CalcMCA -eq $true))

{CheckMaxConcurrentApi -instancename $Instance -ComputerName $Computer -Calc $CalcMCA | FL }

elseif (($CheckMaxConcurrentApi) -and ($Instance -ne "_Total") -and ($Computer -ne "Localhost"))

{CheckMaxConcurrentApi -instancename $Instance -ComputerName $Computer | FL }

elseif (($CheckMaxConcurrentApi) -and ($Instance -ne "_Total"))

{CheckMaxConcurrentApi -instancename $Instance | FL}

elseif (($CheckMaxConcurrentApi) -and ($Computer -ne "Localhost"))

{CheckMaxConcurrentApi -ComputerName $Computer | FL}

elseif (($CheckMaxConcurrentApi) -and ($CalcMCA -eq $true))

{CheckMaxConcurrentApi -Calc $calcmca | FL}

elseif ($CheckMaxConcurrentApi)

{CheckMaxConcurrentApi | FL}

if (($GetNetlogonInstances) -and ($Computer -ne "Localhost"))

{GetNetlogonInstances | FL}

elseif ($GetNetlogonInstances)

{GetNetlogonInstances -RemoteComputerName $Computer | FL}

Execution:

Now, I modified this script taking out the clear screen parameter so that I could be run against multiple servers. Place the script in your Scripts directory and name it CheckMaxConcurrentApiScript.ps1

First, in PowerShell, gather your list of servers:

$DCList = Get-ADDomainController -Filter * | Sort-Object Name | Select-Object Name

1	$DCList = Get-ADDomainController -Filter * \| Sort-Object Name \| Select-Object Name

$EXList = Get-ExchangeServer | Sort-Object Name | Select-Object Name

1	$EXList = Get-ExchangeServer \| Sort-Object Name \| Select-Object Name

Next, run the command to run the ps1 against those servers:

foreach ($DC in $DCList) { $DC.Name ; Invoke-Command -Command {C:\Scripts\CheckMaxConcurrentApiScript.ps1 -checkmaxconcurrentapi -Computer $DC.Name -CalcMCA $true} }

1	foreach ($DC in $DCList) { $DC.Name ; Invoke-Command -Command {C:\Scripts\CheckMaxConcurrentApiScript.ps1 -checkmaxconcurrentapi -Computer $DC.Name -CalcMCA $true} }

foreach ($EX in $EXList) { $EX.Name ; Invoke-Command -Command {C:\Scripts\CheckMaxConcurrentApiScript.ps1 -checkmaxconcurrentapi -Computer $EX.Name -CalcMCA $true} }

1	foreach ($EX in $EXList) { $EX.Name ; Invoke-Command -Command {C:\Scripts\CheckMaxConcurrentApiScript.ps1 -checkmaxconcurrentapi -Computer $EX.Name -CalcMCA $true} }

Sample Output:

DC03
Detection Time : 12/13/2018 7:56:16 PM
Problem Detected : False
Server Name : DC03
Server Role : Domain Controller
Domain Name : ldlnet.org
Operating System : Microsoft Windows Server 2008 R2 Enterprise
Time Since Last Reboot : 4 days 22 hours
Current Effective MaxConcurrentApi Setting : 10
Suggested MaxConcurrentApi Setting (may be same as current) : 10
Current Threads in Use (Semaphore Holders) : 0
Clients Currently Waiting (Semaphore Waiters) : 0
Cumulative Client Timeouts (Semaphore Timeouts) : 17
Cumulative MaxConcurrentApi Thread Uses (Semaphore Acquires) : 3493999
Duration of Calls (Avg Semaphore Hold Time) : 0

EXCH02
Detection Time : 12/13/2018 8:00:53 PM
Problem Detected : False
Server Name : EXCH02
Server Role : Member Server
Domain Name : ldlnet.org
Operating System : Microsoft Windows Server 2008 R2 Standard
Time Since Last Reboot : 4 days 23 hours
Current Effective MaxConcurrentApi Setting : 10
Suggested MaxConcurrentApi Setting (may be same as current) : 10
Current Threads in Use (Semaphore Holders) : 0
Clients Currently Waiting (Semaphore Waiters) : 0
Cumulative Client Timeouts (Semaphore Timeouts) : 570
Cumulative MaxConcurrentApi Thread Uses (Semaphore Acquires) : 1682257
Duration of Calls (Avg Semaphore Hold Time) : 0

Hopefully, this script will assist you with gathering the needed information to help you balance the netlogon load between your servers when needed in your environment.

HAPPY TROUBLESHOOTING!

Lance LingerfeltJanuary 10, 2019January 29, 2019

Protected AD Groups and the problems they can cause accounts

I have run into this issue over the years with accounts being in the Domain Admins group and having issues running PowerShell cmdlets as well as not being able to connect to ActiveSync from a mobile device with the account.

These issues are due to the AdminSDHolder Template in AD and the SDProp Process that is run every 60 Minutes in AD.
This is explained in fantastic detail through the following Microsoft article: Protected Accounts & Groups In Active Directory

Here is an example of an issue that occurred in one of the environments that I was managing. A user was trying to run the following AD cmdlet in PowerShell on DC01:

Set-ADUser lancel -Server dc01.ldlnet.org -Replace @{title="Senior Operations Engineer"}

1	Set-ADUser lancel -Server dc01.ldlnet.org -Replace @{title="Senior Operations Engineer"}

The user got the following error when the cmdlet was executed:

Set-ADUser : Insufficient access rights to perform the operation
At line:1 char:1
+ Set-ADUser lancel -Server dc01.ldlnet.org -Replace @{title=”Senior O …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo: NotSpecified: (lancel:ADUser) [Set-ADUser], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8344,Microsoft.ActiveDirectory.Management.Commands.SetADUser

The issue was that the admin account used to run the cmdlet was in the Domain Admins group and was not inheriting permissions per the AdminSDHolder template that was applied to the account:

I checked to see that the admin account was in a protected group:

I next went to the Security Tab > Advanced Button and saw that the Enable Inheritance button was visible:

I’ve circled where to look in the window.

This verifies that the account is protected due to being in the Domain Admins group. Now, there are two workarounds for this particular error that we were experiencing.

Click the Enable Inheritance button. This will cause the permissions to be inherited temporarily. When SDProp is cycled again, the account will lose any inherited permissions and will be essentially “broken” again. This is not good if you’re going to be running cmdlets regularly to modify AD Accounts.
The preferred method to work around this issue is to set the -Server parameter to point to a different DC than the one you are on. So, essentially, we tell the cmdlet to execute on DC02 when running the cmdlet from DC01.

Set-ADUser lancel -Server dc02.ldlnet.org -Replace @{title="Senior Operations Engineer"}

1	Set-ADUser lancel -Server dc02.ldlnet.org -Replace @{title="Senior Operations Engineer"}

Either method will allow the cmdlet to execute successfully and modify the object. You would think that Microsoft would have noticed this issue with running an admin cmdlet for Active Directory, but they have not fixed this issue as of yet nor do i think they plan to. I would just go with workaround number two and remain sane.

Another example of this Protected Group issue comes with an account in a Protected Group that has a mailbox not being able to connect to Exchange ActiveSync when setting up their mobile device.

You usually get a 500 error on the device that you cannot connect.
You will also see event 1053 in Event Viewer alluding to not having sufficient access to create the container for the user in AD.

Read this page for more information: Exchange ActiveSync Permissions Issue with Protected Groups

So, in your endeavors admins, keep this in mind when running into these types of problems. Happy Troubleshooting!

Lance LingerfeltJanuary 4, 2019January 28, 2019

PowerShell Script to log NETLOGON Events 5719 and 5783, then test the Secure Channel to verify connectivity

In my support role, we would get nightly alerts showing disconnection to the PDC from other DCs and Exchange Servers, giving the following events:

DC02
10/31/2018 23:20:28 5719
NETLOGON
This computer was not able to set up a secure session with a domain controller in domain LDLNET due to the following:
The remote procedure call was cancelled.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the
secure session to any domain controller in the specified domain.

DC03
10/31/2018 23:18:58 5783
NETLOGON
The session setup to the Windows NT or Windows 2000 Domain Controller \\DC01.LDLNET.ORG for the domain LDLNET is not responsive. The current RPC call from Netlogon on \\DC03 to \\DC01.ldlnet.org has been cancelled.

In order to validate the secure channel, you normally run the nltest command (you can also run the Test-ComputerSecureChannel PowerShell cmdlet) to verify the connectivity to the PDC on the secure channel. The scenario is though that multiple DCs or Exchange servers are having multiple events at a similar time due to a network hiccup that brought the secure channel offline between the two Servers.

Our team at the time was getting a lot of alerts generated and it was taking an inordinate amount of time to validate and test. In an effort to provide an efficient solution for this issue, I compiled a PowerShell ps1 script to first validate the events posted in the past three hours, and then secondly, test all the DCs and Exchange Servers for the Secure Channel Connectivity:

NOTE: This script needs to be run on a server that has the Exchange and Active Directory RSAT tools for PowerShell.

#Start Script
 
#Import Active Directory Module
Write-Host
Write-Host "Importing the Active Directory Module" -ForegroundColor Green
Import-Module ActiveDirectory

#Import Exchange Module
    Write-Host "Loading the Exchange Snap-In"
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue
    . $env:ExchangeInstallPath\bin\RemoteExchange.ps1
    Connect-ExchangeServer -auto -AllowClobber
 
#Get the list of DCs in the domain
Write-Host
Write-Host "Getting the list of DCs for LDLNET" -ForegroundColor Magenta
$DCList = Get-ADDomainController -Filter * | Sort-Object Name | Select-Object Name

#Get the list of Exchange Servers in the domain
Write-Host
Write-Host "Getting the list of Exchange Servers for LDLNET" -ForegroundColor Magenta
$EXList = Get-ExchangeServer | Sort-Object Name | Select-Object Name
 
#Run the command against each server to pull the Events from Event Logging. Make sure you have the StartTime;Endtime parameters correct. This gets events for the past three hours.
Write-Host
Write-Host "Getting a list of 5719 and 5783 Events from the DCs for the past three hours." -ForegroundColor DarkCyan
foreach ($DC in $DCList) {
try{
    echo $DC.name
    $Event = Get-Winevent -ComputerName $DC.name -FilterHashTable @{LogName="System";StartTime=((get-date).addhours(-3));id='5719','5783'} -ErrorAction Stop | foreach {[string]$_.timecreated + "`t" + [string] $_.id + "`n"  + $_.ProviderName + "`n" + $_.message + "`n"}
    Write-Host "$Event" -ForegroundColor Red 
    }
    Catch{Write-Host "No Events Found For This Server" -ForegroundColor Green
		Write-Host}
}

#Run the command against each server to pull the Events from Event Logging. Make sure you have the StartTime;Endtime parameters correct. This gets events for the past three hours.
Write-Host
Write-Host "Getting a list of 5719 and 5783 Events from the Exchange Servers for the past three hours." -ForegroundColor DarkCyan
foreach ($EX in $EXList) {
try{
    echo $EX.Name
    $Event = Get-Winevent -ComputerName $EX.name -FilterHashTable @{LogName="System";StartTime=((get-date).addhours(-3));id='5719','5783'} -ErrorAction Stop | foreach {[string]$_.timecreated + "`t" + [string] $_.id + "`n" + $_.ProviderName + "`n"  + $_.message + "`n"}
     Write-Host "$Event" -ForegroundColor Red 
     }
    Catch{Write-Host "No Events Found For This Server" -ForegroundColor Green
    Write-Host}
}
 
#Run the Secure Channel Test for the DCs. Make sure you modify the nltest command for your domain fqdn.
Start-Sleep -Seconds 2
Write-Host
Write-Host "Testing Secure Channel for the DCs in LDLNET" -ForegroundColor Cyan
foreach ($DC in $DCList) {
try{
	echo $DC.name
	$Test = Invoke-Command -ComputerName $DC.Name -ScriptBlock {nltest /sc_verify:ldlnet.org} -ErrorAction Stop | Out-String -Stream
	Write-Host "$Test" -ForegroundColor Yellow 
	}
	Catch{Write-Host "Secure Channel Test Failed For This Server" -ForegroundColor Red}
}

#Run the Secure Channel Test for the Exchange Servers. Make sure you modify the nltest command for your domain fqdn.
Start-Sleep -Seconds 2
Write-Host
Write-Host "Testing Secure Channel for the Exchange Servers in LDLNET" -ForegroundColor Cyan
foreach ($EX in $EXList) {
try{
	echo $EX.name
	$Test = Invoke-Command -ComputerName $EX.Name -ScriptBlock {nltest /sc_verify:ldlnet.org} -ErrorAction Stop | Out-String -Stream
	Write-Host "$Test" -ForegroundColor Yellow 
	}
	Catch{Write-Host "Secure Channel Test Failed For This Server" -ForegroundColor Red}
}

#End of Script

#Start Script

#Import Active Directory Module

Write-Host

Write-Host "Importing the Active Directory Module" -ForegroundColor Green

Import-Module ActiveDirectory

#Import Exchange Module

Write-Host "Loading the Exchange Snap-In"

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue

. $env:ExchangeInstallPath\bin\RemoteExchange.ps1

Connect-ExchangeServer -auto -AllowClobber

#Get the list of DCs in the domain

Write-Host

Write-Host "Getting the list of DCs for LDLNET" -ForegroundColor Magenta

$DCList = Get-ADDomainController -Filter * | Sort-Object Name | Select-Object Name

#Get the list of Exchange Servers in the domain

Write-Host

Write-Host "Getting the list of Exchange Servers for LDLNET" -ForegroundColor Magenta

$EXList = Get-ExchangeServer | Sort-Object Name | Select-Object Name

#Run the command against each server to pull the Events from Event Logging. Make sure you have the StartTime;Endtime parameters correct. This gets events for the past three hours.

Write-Host

Write-Host "Getting a list of 5719 and 5783 Events from the DCs for the past three hours." -ForegroundColor DarkCyan

foreach ($DC in $DCList) {

try{

echo $DC.name

$Event = Get-Winevent -ComputerName $DC.name -FilterHashTable @{LogName="System";StartTime=((get-date).addhours(-3));id='5719','5783'} -ErrorAction Stop | foreach {[string]$_.timecreated + "`t" + [string] $_.id + "`n" + $_.ProviderName + "`n" + $_.message + "`n"}

Write-Host "$Event" -ForegroundColor Red

}

Catch{Write-Host "No Events Found For This Server" -ForegroundColor Green

Write-Host}

}

#Run the command against each server to pull the Events from Event Logging. Make sure you have the StartTime;Endtime parameters correct. This gets events for the past three hours.

Write-Host

Write-Host "Getting a list of 5719 and 5783 Events from the Exchange Servers for the past three hours." -ForegroundColor DarkCyan

foreach ($EX in $EXList) {

try{

echo $EX.Name

$Event = Get-Winevent -ComputerName $EX.name -FilterHashTable @{LogName="System";StartTime=((get-date).addhours(-3));id='5719','5783'} -ErrorAction Stop | foreach {[string]$_.timecreated + "`t" + [string] $_.id + "`n" + $_.ProviderName + "`n" + $_.message + "`n"}

Write-Host "$Event" -ForegroundColor Red

}

Catch{Write-Host "No Events Found For This Server" -ForegroundColor Green

Write-Host}

}

#Run the Secure Channel Test for the DCs. Make sure you modify the nltest command for your domain fqdn.

Start-Sleep -Seconds 2

Write-Host

Write-Host "Testing Secure Channel for the DCs in LDLNET" -ForegroundColor Cyan

foreach ($DC in $DCList) {

try{

echo $DC.name

$Test = Invoke-Command -ComputerName $DC.Name -ScriptBlock {nltest /sc_verify:ldlnet.org} -ErrorAction Stop | Out-String -Stream

Write-Host "$Test" -ForegroundColor Yellow

}

Catch{Write-Host "Secure Channel Test Failed For This Server" -ForegroundColor Red}

}

#Run the Secure Channel Test for the Exchange Servers. Make sure you modify the nltest command for your domain fqdn.

Start-Sleep -Seconds 2

Write-Host

Write-Host "Testing Secure Channel for the Exchange Servers in LDLNET" -ForegroundColor Cyan

foreach ($EX in $EXList) {

try{

echo $EX.name

$Test = Invoke-Command -ComputerName $EX.Name -ScriptBlock {nltest /sc_verify:ldlnet.org} -ErrorAction Stop | Out-String -Stream

Write-Host "$Test" -ForegroundColor Yellow

}

Catch{Write-Host "Secure Channel Test Failed For This Server" -ForegroundColor Red}

}

#End of Script

I can’t really put out the output since it will have customer PII, but you will see where it will list the DC/Exchange Server Name, show the events, then run the test. You can then troubleshoot from there. Also, know that the secure channel test will FAIL when run on the PDC Emulator DC. The PDC Emulator cannot run a secure channel test on itself.

Please, if you have any questions or comments, please leave some feedback! Happy Troubleshooting!

Transfer FSMO Roles using PowerShell

HAPPY TROUBLESHOOTING! KEEP SCRIPTING!PLEASE COMMENT!

HAPPY SCRIPTING!LEARN, DO, LIVE!

Execution:

Sample Output:

HAPPY TROUBLESHOOTING!

Cookies Notice for itblog.ldlnet.net

HAPPY TROUBLESHOOTING! KEEP SCRIPTING!
PLEASE COMMENT!

HAPPY SCRIPTING!
LEARN, DO, LIVE!