Recently, a friend asked me to help look at some issues in his customer’s Active Directory (AD). The customer’s AD consisted of a root domain and three Tree domains. I ran my AD documentation script and found there were many issues when running that script in a multiple domain forest.

To fix these issues, I created a similar forest in my lab. I have never seen Tree domains before.

Here are a few screenshots from my new forest with three Tree domains.

Running the 3.04 AD doc script in the root domain using -ADForest.

Running the 3.04 AD doc script in a tree domain using -ADForest.

Running the 3.04 AD doc script in a tree domain using -ADDomain.

Version 3.04 24-Mar-2021

• Change the wording for schema extensions from “Just because a schema extension is Present does not mean it is in use.” to “Just because a schema extension is Present does not mean that the product is in use.”
• Only process and output Foreign Security Principal data for the Root Domain
• Only process the Appendix Domain Controller DNS Info if -DCDNSInfo is true. No need for an empty table and Appendix otherwise
• Removed a few warnings from the console output that were not warnings
• The following fixes are for running the script in a Forest with multiple domains
• When creating the array that contains all domain controllers, don’t sort after each domain as sorting changed the Type of the arraylist after the first domain was processed
  • This caused the three Appendixes to only contain the data for the DCs in the first domain
• When outputting domain controllers, sort the DCs by domain name and DC name
  • Put the DCs in domain name order, don’t put every DC in the Root domain
  • Change the header to reflect the actual domain name
• When retrieving Inherited GPOs, add the Domain name to the cmdlet
• When running in a child or tree domain, only the domain entered was used when calculating the number of domains in the forest
  • That is now fixed
• When running in a child or tree domain and using -ADForest, compare the root domain’s name to the name entered for -ADForest
  • If they are not the same, abort the script and state to rerun the script with -ADDomain and not -ADForest
• Updated the help text
• Updated the ReadMe file

I want to thank Michael B. Smith for the code review and for David McSpadden for testing in his single domain forest to make sure I didn’t break anything. I had a couple of people offer to test the script in their multiple domain forests, but I never heard from them after sending them the script for testing.

If you run the script in a multiple domain forest and have questions or issues, please email me. webster at carlwebster dot com.

You can always find the most current script by going to https://www.carlwebster.com/where-to-get-copies-of-the-documentation-scripts/

Thanks

Webster