(|(get reg value) (set reg value)) in Forest DCs

This topic contains 6 replies, has 3 voices, and was last updated by Jeff Taylor 1 month ago.

  • #56645
    Jeff Taylor
    Participant

    I was massaging some code to retrieve the Strict Replication Consistency ($SRC) value for my 45 DCs and, if the value was null, set it to "1", but I don't have the code to actually set it. I don't get an error, but I don't think it accomplishes what I'm aiming for:

    # Enumerate every DC in the forest by walking sites -> servers
    $DCs = [DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest() |
        Select-Object -ExpandProperty Sites |
            Select-Object -ExpandProperty Servers |
                Select-Object -ExpandProperty Name
    
    foreach( $dc in $DCs ) 
    { 
        # Open the remote HKLM hive and list the subkeys of NTDS\Parameters
        $SRC = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey( 'LocalMachine', $dc ).`
                OpenSubKey( 'System\CurrentControlSet\Services\NTDS\Parameters' ).`
                    GetSubKeyNames()
        
        "~~~ $dc ~~~"
        
        if( $SRC.Count -eq 0 )
        {
            'Strict Replication Consistency key is empty!'
            continue
        }
        
        # Read 'Strict Replication Consistency' from each subkey found above
        foreach( $int in $SRC )
        {
            '{0}: {1}' -f 
                $int,
                [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey( 'LocalMachine', $dc ).`
                    OpenSubKey( "System\CurrentControlSet\Services\NTDS\Parameters\$int" ).`
                        GetValue('Strict Replication Consistency')
        }
    }

    Can you help me validate retrieving the value set in the SRC reg param and, if empty, setting it to "1"?

    thanks

  • #56662
    Sonny Puijk
    Participant

    If you can make use of remote PowerShell I would just do this:

    $DCs = [DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest() |
        Select-Object -ExpandProperty Sites |
            Select-Object -ExpandProperty Servers |
                Select-Object -ExpandProperty Name
    
    foreach( $dc in $DCs ) 
    { 
        if ((Invoke-Command -ComputerName $dc {(Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -Name "Strict Replication Consistency")."Strict Replication Consistency"}) -ne 1)
        {
            Write-Host "Strict Replication Consistency key is empty! on $DC. Creating it now..."
            Invoke-Command -ComputerName $dc {Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -Name "Strict Replication Consistency" -Value 1 -Force}
        }
    }
    

    If not, then you can use the code I just wrote and use it in your script to do the same.

    • #56731
      Jeff Taylor
      Participant

      Sonny,

      I've added my Enterprise creds via a variable since I'm getting access denied for the Invoke-Commands, but I'm not sure it's either efficient or necessary where I've added it, plus I get an error. I've double-checked my creds and they are correct. With each Invoke-Command/Get-ItemProperty, I keep getting a popup "Windows PowerShell Credential Request..." for each DC in the pipeline and would have thought my -Credential $creds would have provided this. Nonetheless, after adding these credentials manually, the error is

      the provider
      Strict Replication Consistency key is empty! on DC1.com. Creating it now...
      The provider does not support the use of credentials. Perform the operation again without specifying credentials.

      Here's the code I added:

      $DCs = [DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest() |
          Select-Object -ExpandProperty Sites |
              Select-Object -ExpandProperty Servers |
                  Select-Object -ExpandProperty Name
      
      foreach( $dc in $DCs ) 
      { 
          if ((Invoke-Command -ComputerName $dc -Credential $creds {(Get-ItemProperty -Credential $creds HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -Name "Strict Replication Consistency")."Strict Replication Consistency"}) -ne 1)
          {
              Write-Host "Strict Replication Consistency key is empty! on $DC. Creating it now..."
              Invoke-Command -ComputerName $dc -Credential $creds {Set-ItemProperty -Credential $creds HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -Name "Strict Replication Consistency" -Value 1 -Force}
          }
      }

      Wondering if this is because of limitations of PowerShell and any reg keys secured by TrustedInstaller?
      Thank you,

    • #56749
      Sonny Puijk
      Participant

      That's because you're referencing the $credentials variable inside the Invoke-Command scriptblock. The scriptblock runs on the remote computer and has no access to variables inside your current session unless you pass them through to the Invoke-Command scriptblock.

      That being said, I don't think you need them inside the script block, just outside.

      $DCs = [DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest() |
          Select-Object -ExpandProperty Sites |
              Select-Object -ExpandProperty Servers |
                  Select-Object -ExpandProperty Name
      
      foreach( $dc in $DCs ) 
      { 
          if ((Invoke-Command -ComputerName $dc -Credential $creds {(Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -Name "Strict Replication Consistency")."Strict Replication Consistency"}) -ne 1)
          {
              Write-Host "Strict Replication Consistency key is empty! on $DC. Creating it now..."
              Invoke-Command -ComputerName $dc -Credential $creds {Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -Name "Strict Replication Consistency" -Value 1 -Force}
          }
      }
      

      I'm missing the part where you configure the $creds variable. You could do this:

      $creds = get-credential
      

      Which prompts for your credentials.

    • #56839
      Jeff Taylor
      Participant

      Very cool, it worked! Thanks Sonny.
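An added example (not code from the thread or any of its posters) that combines the fixes discussed above into an audit-first script: it reports each DC's state, distinguishes a missing value from one present but set to 0, passes local variables into the remote script block explicitly, keeps the credential on Invoke-Command only, and writes to the registry only when $Enforce is set. It assumes WinRM is reachable and the credential has local admin rights on the DCs; the function names Get-SrcState and Set-SrcStrict are my own.

```powershell
# Added example, not code from the thread: audit "Strict Replication
# Consistency" on every DC over remoting and set it to 1 only when
# $Enforce is $true. Assumes WinRM reachability and local admin rights.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName = 'Strict Replication Consistency'
$Enforce   = $false   # $false = report only (-WhatIf); $true = remediate

function Get-SrcState {
    param([string]$ComputerName, [pscredential]$Credential)
    # The script block runs on the DC, so local variables go in via
    # -ArgumentList; the credential belongs on Invoke-Command, not the provider.
    Invoke-Command -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop `
        -ArgumentList $KeyPath, $ValueName -ScriptBlock {
            param($Path, $Name)
            $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Present = ($null -ne $item)
                Value   = if ($null -ne $item) { $item.$Name } else { $null }
            }
        }
}

function Set-SrcStrict {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$ComputerName, [pscredential]$Credential)
    if ($PSCmdlet.ShouldProcess($ComputerName, "Set '$ValueName' to 1")) {
        Invoke-Command -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop `
            -ArgumentList $KeyPath, $ValueName -ScriptBlock {
                param($Path, $Name)
                Set-ItemProperty -Path $Path -Name $Name -Value 1 -Type DWord
            }
    }
}

$creds = Get-Credential
# Every DC in every domain of the forest, GC or not
$DCs = [DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Domains |
           ForEach-Object { $_.DomainControllers } |
           Select-Object -ExpandProperty Name
$report = foreach ($dc in $DCs) {
    try {
        $state  = Get-SrcState -ComputerName $dc -Credential $creds
        # 'Missing' (value absent) and 'Loose' (present but not 1) both need fixing
        $status = if (-not $state.Present) { 'Missing' } elseif ($state.Value -eq 1) { 'Strict' } else { 'Loose' }
        if ($status -ne 'Strict') { Set-SrcStrict -ComputerName $dc -Credential $creds -WhatIf:(-not $Enforce) }
        [pscustomobject]@{ DC = $dc; Status = $status; Value = $state.Value }
    } catch {
        [pscustomobject]@{ DC = $dc; Status = "Error: $($_.Exception.Message)"; Value = $null }
    }
}
$report | Format-Table -AutoSize
```

Run it once with $Enforce = $false to get a per-DC table and the -WhatIf lines showing what would change; flip $Enforce to $true to apply.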

  • #56693
    Dan Potter
    Participant

    Did you find that chiseled into a rock somewhere? =D

    Make your life easier by making all DCs GCs. (get-adforest).globalcatalogs

    Or

    (get-adforest).domains | % {(Get-ADDomain $_).replicadirectoryservers}

    Or

    [system.directoryservices.activedirectory.Forest]::GetCurrentForest().domains.domaincontrollers.name

    • #56732
      Jeff Taylor
      Participant

      Hi Dan,

      All of our DCs are GCs.
