Active Directory on Mexicali IT

Active Directory: How to Check Active Directory Health and Force Replication

Sun, 08 Mar 2026 17:00:00 -0700

A healthy Active Directory (AD) environment is the backbone of any Windows-based enterprise network. When Domain Controllers (DCs) stop communicating or fail to replicate changes properly, you will experience bizarre authentication issues, missing user accounts, and erratic GPO behaviors.

As a system administrator, knowing how to quickly diagnose AD health and manually force replication is a critical skill. This guide outlines the most essential CMD and PowerShell commands used to verify Active Directory status, assess replication health, and manually trigger synchronization between servers.

Active Directory: Adding Windows Core as a Domain Controller.

Wed, 04 Mar 2026 12:00:00 -0800

Domain Controller in Windows Core

If you’ve followed this series, you already know how to set up a primary and a secondary Domain Controller using the graphical interface (Desktop Experience). But, if we really want to take our infrastructure to the next level and minimize risks,

In this third and final installment, we’re going to deploy a Domain Controller using Windows Server Core and purely the command line (PowerShell).

Why Choose Server Core for Your Active Directory?

If you’re wondering why you should forgo the visual convenience of a graphical interface for such a critical role, the answer boils down to three fundamental pillars for any business environment:

Moving FSMO Roles

Fri, 20 Feb 2026 21:14:14 -0800

Why is it necessary to move FSMO roles?

In an Active Directory environment, not all Domain Controllers (DCs) are the same. Although most tasks are replicated multidirectionally, there are five critical roles called FSMO (Flexible Single Master Operation) that can only be run by one server at a time to prevent write conflicts and corruption in the ntds.dit database.

Moving these roles is not just an administrative whim; It is an operational necessity in the following scenarios:

FSMO Role Function

Fri, 20 Feb 2026 15:14:14 -0800

FSMO (Flexible Single Master Operations) roles are critical roles in an Active Directory environment that are assigned to one or more domain controllers to ensure that certain administrative and replication tasks are handled centrally. There are five FSMO roles, each with a specific function in the operation of Active Directory. Below, I detail the purpose of each:

1. PDC Emulator

Main Function: This role is responsible for emulating the behavior of a Windows NT Domain Controller (PDC) and is primarily used in mixed environments with earlier versions of Windows Server (such as Windows NT 4.0).
Specific Functions:
- Password Authentication: When a user changes their password, the PDC Emulator is responsible for updating the password database.
- Time Synchronization: The PDC Emulator is the primary server for time synchronization in the domain, as it is assumed to be the time source for the entire domain.
- Group Policies: It is responsible for managing certain types of group policies and password administration.
- Master Password Change Copy: This is the only server authorized to receive password changes across the entire domain. This means that if other domain controllers experience replication issues, passwords will not be synchronized correctly.

2. RID Master

Main Function: The RID Master is responsible for assigning ranges of unique identifiers (RIDs) to domain controllers within the domain. RIDs are part of the unique identifier of an object in Active Directory (such as a user or group).
Specific Functions:
- RID Assignment: Every object in Active Directory has a unique RID that is assigned when the object is created. The RID Master is the only one that can assign blocks of RIDs to other domain controllers.
- If the RID Master is offline for a period of time, other domain controllers will not be able to create new objects in the directory because they will not be able to obtain new RIDs.

3. Infrastructure Master

Main Function: The Infrastructure Master is responsible for maintaining references to objects in other domains within Active Directory. This role is essential for trust relationships between domains.
Specific Functions:
- Cross-domain references: If an object in one domain has a reference to an object in another domain (for example, if a user is in a group in another domain), the Infrastructure Master ensures that these references are up to date.
- If the Infrastructure Master is in a domain that is also a Global Catalog Server, it will not be able to perform its job correctly, as the Global Catalog already manages object information for the entire forest.

4. Schema Master

Main Function: The Schema Master is responsible for managing changes to the Active Directory schema. The schema is the definition of all object types and attributes that can be stored in Active Directory.
Specific Functions:
- Schema Modifications: If you want to add a new type of object or attribute to Active Directory (for example, a new account type or a new property for users), that change must be made through the Schema Master.
- Schema Modifications: Only a domain controller with the Schema Master role can apply changes to the schema. Other domain controllers cannot.

5. Domain Naming Master

Main Function: The Domain Naming Master is responsible for managing domain name changes within the Active Directory forest.
Specific Functions:
- Creating and Deleting Domains: If you need to add a new domain or delete one in the Active Directory forest, the Domain Naming Master is the role responsible for this process.
- Domain Name Changes: Any attempt to change a domain name or domain structure within a forest is performed through the Domain Naming Master.

Summary of FSMO Role Functions

Role	Main Function
PDC Emulator	Time synchronization, password management, group policies, and PDC emulation in mixed environments.
RID Master	Assigns blocks of RIDs to domain controllers to create objects.
Infrastructure Master	Maintains object references across domains.
Schema Master	Makes modifications to the Active Directory schema (adding new attributes or object classes).
Domain Naming Master	Manages the creation and deletion of domains in a forest.

How Many Domain Controllers Should Have These Roles?

Ideally, there should only be one domain controller with each of these roles within a domain or forest to avoid conflicts and ensure that operations are performed centrally.
However, in large or complex environments, FSMO roles can be moved to other domain controllers if necessary for availability or performance reasons. This is usually done using tools such as ntdsutil or PowerShell.

FSMO Role Verification

To verify which server is managing each FSMO role, you can use the following PowerShell command:

Active Directory: SYSVOL Folder not replicating

Mon, 13 Feb 2023 22:39:01 -0800

Introduction

The SYSVOL directory is a folder on Windows domain controllers that contains information and data necessary for the logon system and other Active Directory functions to work correctly. SYSVOL is essential for domain controller replication and the consistency of Active Directory data across the domain.

When SYSVOL replication fails between domain controllers, it can cause serious problems with Active Directory functionality, such as the failure to create Group Policy Objects (GPOs). If these GPOs are not reflected across the different domain controllers, it can become a major issue.

Active Directory: Password Settings Objects (PSOs)

Fri, 13 Jan 2023 22:39:01 -0800

Introduction

Active Directory (AD) is a Microsoft directory service that allows system administrators to centralize the management of users, groups, and resources on a network.

One of AD’s features is the ability to configure Password Settings Objects (PSOs) to establish security policies for user passwords.

Password Security Objects (PSOs) are different from password policies that can be added via Group Policy Objects (GPOs). PSOs can be used for specific purposes, such as setting a password shorter than the one specified by your domain’s password policy. This can be helpful if you have a system that doesn’t support the currently configured password policy. PSOs can also be used to strengthen passwords for a particular group, such as by increasing the password length or locking users after a single failed login attempt. The options are numerous and should be tailored to your specific needs.

ADDS: Configure and Promote a Second Domain Controller

Fri, 31 Dec 2021 22:39:01 -0800

Introduction

In this post, we’ll see how to configure and promote a second domain controller.

Having a second domain controller is crucial, as it serves as a backup in case the primary controller fails. Redundancy is always beneficial; without an extra domain controller, if the primary controller fails, all users could lose access to the various systems.

To avoid this, we’ll walk you through this task step by step. While this isn’t limited to just a second controller, you can also follow the same steps to add additional controllers.

GPO: How to Configure Password Policies

Thu, 02 Sep 2021 22:39:01 -0800

Introduction

In this post, I will show you how to create a GPO to meet the minimum requirements for password policies.

The first step is to access Group Policy Management.

Group Policy Management

Right-click on Group Policy Objects and select New.

Give it a name related to what you want to do.

Select the created GPO, right-click, and select Edit.

Within the computer settings, expand the following options: Policies, Windows Settings, Security Settings, Account Policies, and select Password Policy.

ADDS: Install, Configure, and Promote a Domain Controller

Sat, 28 Aug 2021 22:39:01 -0800

Introduction

In this post, we’ll see how to install the ADDS (Active Directory Domain Services) role and how to promote our new domain controller.

A domain controller will help us manage user authentication, apply policies, assign roles, and create administrative groups within our company.

To do this, it’s recommended to follow some prerequisites before continuing with the role installation.

We’ll need to assign a descriptive name to our domain controller.

GPO: Enable script execution.

Sat, 28 Aug 2021 22:39:01 -0800

Introduction

PowerShell script execution is disabled by default on domain-joined computers. If you attempt to run a script, you will receive a message stating that the policy is restricted.

Disallowed Scripts

As administrators, we may want to implement scheduled tasks to perform certain automations, so it is necessary to be able to run scripts without restrictions.

While it’s true that we can manually modify these values â€‹â€‹within the computer or bypass the script as shown in the image.

Active Directory: Delegation of Control.

Thu, 19 Aug 2021 14:00:00 -0800

Introduction

Scenario

Delegation of control in Active Directory can be very helpful when managing a large number of users from different locations. System administrators can delegate permissions to IT staff in different branches so they can manage users in their city. This is especially useful when permissions are delegated and your company doesn’t need everything centralized.

For this example, let’s consider the following: My organization is divided into three cities: Ensenada, Tijuana, and Mexicali, with the latter being the main headquarters. Each city has IT staff, and we, as IT administrators, want to delegate user responsibility to the IT staff in Tijuana and Ensenada. To do this, I’ve created a security group for each city: IT-Tijuana and IT-Ensenada. Within these groups, I’ve added the corresponding staff for each city. These groups will serve as the basis for delegating control to the desired OUs (Organizational Units).

GPO: Maintain the Domain Admins group or other groups as local administrators within computers.

Thu, 19 Aug 2021 14:00:00 -0800

Introduction

Situation

This is something I’ve seen in different places: sometimes, certain users with administrator privileges on a domain-joined computer delete the Domain Admins group or other groups required by the organization, whether for checking the computer’s status or for deploying software like SCCM.

One of the basic rules is: Never make users local administrators. However, if it’s necessary and you want to ensure that the desired group always has local administrator privileges on your computer, the solution is to apply a Group Policy Object (GPO) to handle this automatically. It doesn’t matter if the user deletes the local administrator group(s) from their computer; when a GPO is applied, it will automatically add the required groups back to the computer’s administrators group.

PowerShell: How to add all users from an OU to a security group

Sat, 14 Aug 2021 14:00:00 -0800

Introduction

Sometimes it’s necessary to add all members of an Organizational Unit (OU) to a security group in Active Directory, but how can we do this using PowerShell?

Solution

Run the following command:


Get-ADUser -SearchBase "OU=IT,OU=Networkingzone_Users,DC=NETWORKINGZONE,DC=NET" -Filter * |
ForEach-Object {Add-ADGroupMember -Identity 'Security-Test-Group' -Members $_}

As you can see in the image, I only have 7 users within the IT OU and in this example all users from that OU will be added to the “Security-Test-Group”.