Use PowerShell to sync all Active Directory sites

Here’s a quick script for you to synchronise your entire domain

Import-Module ActiveDirectory

$DCs = Get-ADDomainController -Filter *

Foreach ($DC in $DCs) {

$replicate = ‘repadmin /syncall /A /d /e ‘+$DC

iex $replicate


Just save it as a ps1 file and run it on any machine with the AD remote server admin tools installed or even a domain controller. If you are delegating rights, delegate them at the root of the domain in Active Dircetory Users and Computers and for each context that you want to replicate in ADSI Edit (see

if you only want to replicate part of the topology, use the code below:


Import-Module ActiveDirectory
$DCs =Get-ADDomainController -Filter *
$Char = [Char]34
$Scope = $Char + ‘DC=Domain,DC=com’ + $Char

Foreach ($DC in $DCs) {
$replicate = ‘repadmin /syncall /e ‘ + $DC + ‘ ‘ + $Scope
iex $replicate


Want to fully remove a feature ?

New to Windows 2012 is the ability to reduce your attack surface further by physically removing binaries from the operating system. Its really quite simple to do. Using the uninstall-windowsfeature command we append the -remove switch and that removes the install binaries from the hard drive.

If you need to add them back then, when using the install-windowsfeature command you will need to add the -source switch and make the installation source available (from a DVD or extracted ISO).

The easiest way to achieve this is to extract the sourcesSxS folder from the install DVD to a file share. The file share will need to be able to be accessed by computer accounts with Read rights. In this way, the features are available for install to any server if they have been removed.

Quick way to restart your server

Finding it a pain to navigate to the Charms | Power | Reboot command ? Want a simpler way of restarting your server  ?

start a powershell session and enter Restart-Computer.

You don’t even need Windows 2012 as it works with 2008 R2 also.

Of course, if you are really lazy you can just type the word “restart” – that works just as well 🙂

Restoring the GUI in Windows Server 2012

If you want to restore the GUI in Windows Server 2012 (and you didn’t install in core mode) you can use the following command

Install-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra -restore

If you did install core, you need to have the CD / ISO inserted or mounted and append the -Source switch to tell it where to get the files to perform the install of the GUI from. i.e. you enter:

Install-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra -Source C:Source -restart

Creating remote powershell session

Simply enter the command

Enter-PSSession –ComputerName <computer name>

This will let you control a single computer remotely, if you want to control more than one computer simultaneously then enter a command similar to the below

Invoke-Command -ScriptBlock { Get-EventLog System -Newest 5 } -Computername compname1,compname2,compname3

Where the command between the braces is the command you would like to run against the remote servers

Don’t forget, you can still enter commands against a remote computer with WinRM enabled (it’s enabled by default in Windows 2012) by entering the command:

winrs -r:<servername> <command to run>

<command to run> could even be powershell.exe to create a remote powershell session !


How can I tell if DirectAccess thinks I am internal or external to the LAN ?

DirectAcces allows you to connect to your LAN transparently from the internet. It does this through UAG when you do not have a full IPv6 deployment.

DirectAccess checks whether or not it has access to your server identified as your network locator service, typically through the URL This is excluded from the NRPT table for external clients and the name is not published or made available over the internet. So, if you can connect to to this site then you must be internal, right ? That’s pretty much correct, unless you are not using IIS for your NLS web site. DirectAccess relies not only on a 200 response from the web server (connectivity) but also upon the receipt of a properly formatted page. Just opening the page in Internet Explorer may not indicate any issue with the page itself as IE may mask the issues to present the page.

The way to know whether or not the NRPT table is in use (and hence whether DirectAccess believes itself to be internal or external to the LAN) is to run the command

netsh namespace show effectivepolicy

From an administrative command prompt. If the workstation or laptop believes itself to be on the LAN then no table will be created and the output of the command will be similar to the below.

However, running the same command when the machine is internal will produce output similar to the below.


This indicates that the NRPT table is being created and, above, you can see two entries (one for the NLS server and one for the UAG device) which should not be passed to the internal network.

If you deploy DirectAccess and internal clients which are subject to the DirectAccess GPO begin to have difficulty connecting to resources while on the LAN it may be that they cannot correctly connect with the Network Location Server and therefore build their NRPT table and attempt to pass all traffic through the public interface of the UAG device. If this cannot be contacted then communications from the client will fail. If it can be contacted and large numbers of end points are affected, performance may suffer as multiple internal clients route through the external interface.

If you want to set the policy that could be applied to a client once it leaves the LAN, simply enter the command

netsh namespace show policy