Find Server Objects Without NTDS Settings

Two for the price of one this week! Well, two ways to achieve the same outcome. 

You know, that's one of the many things I love about PowerShell - the numerous ways to arrive at the same result.

This one came from a chat I had with my esteemed colleague, Ali Sajjad.

 

What's the context?

Ali was delivering a service that helps our customers produce and test disaster recovery documentation for Active Directory. Now, when you demote a domain controller and then look in Active Directory Sites and Services, under the Sites folder, then the <site_name> folder (e.g. Default-First-Site-Name), and then the Servers container, you'll still see the name of the recently demoted domain controller! However, if you look more closely, it doesn't have an NTDS Settings object beneath it like your existing domain controllers do.

 

Why is this?

Well, there may be other services registered under the server object of the domain controller. When the demotion happens, the server object representing the domain controller is left in place to allow for the fact that other services might be present. If there aren't any services under the server object then it can be safely removed.

 

How to check?

The discussion with Ali concerned how to check for server objects that don't have a child NTDS Settings object. It arose from a customer question. The result of our discussion was this code...

First up, get the distinguished name of the configuration partition. This is where the Sites and Services information can be found.

$Config = (Get-ADRootDSE).configurationNamingContext

 

Next, use the AD PS drive to get a list of server objects from the configuration partition.

$Servers = Get-ChildItem -Path "AD:CN=Sites,$Config" -Recurse | Where-Object {$_.ObjectClass -eq "server"}

 

Now, loop through each server object found and test for the existence of a child NTDS settings object.

foreach ($Server in $Servers) {
    # Test for an NTDS Settings (nTDSDSA) object beneath this server object
    $Ntdsa = Get-ChildItem -Path "AD:$($Server.DistinguishedName)" -Recurse | Where-Object {$_.ObjectClass -eq "nTDSDSA"}

    # Check that we have an NTDS Settings object for our server
    if ($Ntdsa) {
        Write-Host "SUCCESS: $($Server.Name) - $($Ntdsa.DistinguishedName)"
    }
    else {
        Write-Warning "$($Server.Name) - no NTDS settings object detected!"
    }
}

 

Here's some sample output.


I did say two for one, didn't I? Here you go; this mini-script uses Get-ADObject, rather than the AD PS drive, to arrive at the same result.

Check Active Directory NTDS Settings (nTDSDSA) Objects
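As an added example (my own code, not the mini-script linked above or Ali's), here is a Get-ADObject version of the same check that also lists any other children under each server object, since the post explains that a server object is only safe to remove when nothing else is registered beneath it. The function name Get-OrphanedServerObject and the optional -Server parameter are my choices; it assumes the ActiveDirectory module is loaded.

```powershell
# Added example: report server objects under CN=Sites that lack an NTDS Settings
# (nTDSDSA) child, using Get-ADObject rather than the AD: drive. The function
# name is hypothetical; it only reports and never deletes anything.
function Get-OrphanedServerObject {
    [CmdletBinding()]
    param (
        # Optional domain controller to query (passed straight through to the AD cmdlets)
        [string]$Server
    )

    $adArgs = @{}
    if ($Server) { $adArgs['Server'] = $Server }

    # Sites and Services data lives in the configuration partition
    $config = (Get-ADRootDSE @adArgs).configurationNamingContext

    # Every server object in every site under CN=Sites
    $servers = Get-ADObject @adArgs -SearchBase "CN=Sites,$config" -SearchScope Subtree `
        -LDAPFilter '(objectClass=server)'

    foreach ($srv in $servers) {
        # Direct children: the NTDS Settings object plus anything else registered here
        $children = @(Get-ADObject @adArgs -SearchBase $srv.DistinguishedName `
            -SearchScope OneLevel -LDAPFilter '(objectClass=*)')

        $ntdsa = @($children | Where-Object { $_.ObjectClass -eq 'nTDSDSA' })
        $other = @($children | Where-Object { $_.ObjectClass -ne 'nTDSDSA' })

        # The site name is the RDN two levels above the server object
        $site = $srv.DistinguishedName -replace '^CN=[^,]+,CN=Servers,CN=([^,]+),.*$', '$1'

        [PSCustomObject]@{
            Name              = $srv.Name
            Site              = $site
            HasNtdsSettings   = ($ntdsa.Count -gt 0)
            OtherChildren     = (($other | ForEach-Object { $_.Name }) -join ';')
            # Removal candidate only when no NTDS Settings AND nothing else lives under it
            SafeToRemove      = ($children.Count -eq 0)
            DistinguishedName = $srv.DistinguishedName
        }
    }
}

# Usage: list only the server objects that are missing NTDS Settings
Get-OrphanedServerObject | Where-Object { -not $_.HasNtdsSettings } | Format-Table -AutoSize
```

Anything flagged with HasNtdsSettings false but a non-empty OtherChildren value still has services registered under it, which is exactly the case the post says the demotion leaves the server object behind for.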