Archive for March, 2019

Collection of Web resources about dig usage:

Download dig (part of BIND):

Some commands:

What is the website's IP address?

dig +short

How do I identify the name servers associated with a domain?

dig NS +short

What does the delegation path to my zone look like?

dig +trace

Which mail server is responsible for a domain?

dig MX

Which value is in the cache of a given resolver? (Add +norecurse so the resolver answers only from what it already holds instead of fetching the record for you.)

dig @

Which domain name is this IP associated with?

dig +short -x

Which are the name servers of a TLD?

dig +short NS nl.

When will the cached answer expire? (The TTL column of the answer section gives the remaining lifetime.)

dig +noall +answer

Is the zone synchronized to all my name servers? (Shows the SOA serial that each authoritative NS returns, so differing serials reveal a lagging server.)

dig +nssearch

Does the zone exist on this name server?

dig SOA

Using dig to retrieve other record types, for example SRV:

dig SRV


How to Troubleshoot Active Directory Replication Issues

In the previous article:

we explained the general methodology for troubleshooting AD replication.

This second article deep dives into the best-known built-in AD utility, REPADMIN.exe.

Run this utility as a Domain Administrator or Enterprise Administrator.

repadmin /replsummary /bydest

The command above summarizes the replication status of all domain controllers grouped by replication destination. This parameter does not display the source domain controller.

repadmin /replsummary /bysrc

The command above summarizes the replication status of all domain controllers grouped by replication source. This parameter does not display the destination domain controller.

repadmin /showrepl

The command above shows the replication partners of serverdc1.mydomain.com and the status of the last sync attempt with each of them.

repadmin /showrepl /errorsonly

The command above lists only the replication partners with replication errors (last sync attempt failed).

We can also view the results in CSV format, which is convenient for scripting:

repadmin /showrepl /csv

repadmin /syncall serverdc1 dc=mydomain,dc=com

The command above initiates synchronization of the domain directory partition with all replication partners of serverdc1.

It also reports any issues encountered while doing so.

repadmin /queue

The command above shows whether there are any unprocessed inbound replication requests. If the system keeps queuing requests, the cause can be a high number of AD changes, a system resource issue, or too many replication partners.

repadmin /showchanges serverpdc1 e4f89917-5fff-40a8-scc2-b148b60d9359 dc=mydomain,dc=com

The command above lists the changes that have not yet been replicated between serverpdc1 and serverdc1. Here serverdc1 is the source server and is identified by its DSA object GUID.

repadmin /replicate serverdc1 serverpdc1 dc=mydomain,dc=com

The command above initiates immediate replication of the directory partition from serverpdc1 (source) to serverdc1 (destination); note that the destination is given first.

Apart from repadmin, there are PowerShell cmdlets we can use to troubleshoot replication issues. Get-ADReplicationFailure is one of them: it collects data about replication failures.

Get-ADReplicationFailure -Target serverdc1

The command above collects information about replication failures associated with serverdc1.
It also works with multiple servers:

Get-ADReplicationFailure -Target serverdc1,serverpdc1

Further, we can target all the domain controllers in the domain:

Get-ADReplicationFailure -Target "" -Scope Domain

or even the entire forest:

Get-ADReplicationFailure -Target "" -Scope Forest

The Get-ADReplicationConnection cmdlet lists the replication partner details of a given domain controller.

Get-ADReplicationConnection -Filter *

The command above lists all replication connections of the domain controller you are logged on to.

We can also filter the replication connections by attribute:

Get-ADReplicationConnection -Filter {ReplicateToDirectoryServer -eq "serverdc1"}

The command above lists the replication connections whose destination server is serverdc1.
We can also force the synchronization of a single object between domain controllers:

Sync-ADObject -Object "foo" -Source serverdc1 -Destination serverpdc1

The command above syncs the object foo from serverdc1 to serverpdc1.
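As an added example (not code from the original article), the function below turns the CSV that "repadmin /showrepl * /csv" prints into a per-partner health verdict: FAILING when the last attempt failed, STALE when the last success is older than a threshold, OK otherwise. The column names are the ones repadmin emits; the sample rows, server names and timestamps are constructed for offline testing, and the -Now parameter exists only to make the run reproducible.

```powershell
# Added example, not part of the original article. Parses the output of
# "repadmin /showrepl * /csv" and flags unhealthy replication partners.
function Get-ReplicationHealth {
    [CmdletBinding()]
    param(
        # Lines of repadmin /showrepl /csv output, header line first.
        [Parameter(Mandatory)] [string[]] $CsvLines,
        # A partner whose last success is older than this is reported STALE.
        [int] $MaxHoursSinceSuccess = 24,
        # Reference time; defaults to now, overridable for reproducible runs.
        [datetime] $Now = (Get-Date)
    )

    $CsvLines | ConvertFrom-Csv | ForEach-Object {
        $failures    = [int] $_.'Number of Failures'
        $lastSuccess = [datetime]::ParseExact($_.'Last Success Time', 'yyyy-MM-dd HH:mm:ss', $null)
        $hoursSince  = [math]::Round(($Now - $lastSuccess).TotalHours, 1)

        $state = if ($failures -gt 0)                           { 'FAILING' }
                 elseif ($hoursSince -gt $MaxHoursSinceSuccess) { 'STALE' }
                 else                                           { 'OK' }

        [pscustomobject]@{
            Destination       = $_.'Destination DSA'
            Source            = $_.'Source DSA'
            NamingContext     = $_.'Naming Context'
            Failures          = $failures
            HoursSinceSuccess = $hoursSince
            LastFailureStatus = $_.'Last Failure Status'   # Win32 error code, e.g. 8524 = DNS lookup failure
            State             = $state
        }
    }
}

# Constructed sample in the shape repadmin prints (hypothetical DCs and times).
# Against a live forest, replace it with:  $sample = repadmin /showrepl * /csv
$sample = @(
    'showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status',
    'showrepl_INFO,Default-First-Site-Name,SERVERDC1,"DC=mydomain,DC=com",Default-First-Site-Name,SERVERPDC1,RPC,0,0,2019-03-10 09:58:12,0',
    'showrepl_INFO,Default-First-Site-Name,SERVERDC1,"DC=mydomain,DC=com",Branch-Site,SERVERDC2,RPC,14,2019-03-10 09:55:01,2019-03-08 21:14:37,8524',
    'showrepl_INFO,Branch-Site,SERVERDC2,"CN=Configuration,DC=mydomain,DC=com",Default-First-Site-Name,SERVERPDC1,RPC,0,0,2019-03-08 02:00:00,0'
)

$report = Get-ReplicationHealth -CsvLines $sample -Now ([datetime]'2019-03-10 10:00:00')

# Only the partners that need attention: SERVERDC2 -> SERVERDC1 is FAILING
# (14 failures, status 8524) and SERVERPDC1 -> SERVERDC2 is STALE (56 h).
$report | Where-Object State -ne 'OK' | Format-Table -AutoSize
```

The STALE check matters because /showrepl only reports failures for attempts that actually happened; a partner that has silently stopped being scheduled shows zero failures and an old last-success time, and tombstone-lifetime problems start from exactly that state.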

Best practices for DNS forwarding:

To create a conditional forwarder zone in powershell:

read this reference doc:


To create a conditional forwarder zone (stored in the registry of the DNS server):

Add-DnsServerConditionalForwarderZone -Name "" -MasterServers 2001:4898:7020:f100:458f:e6a2:fcaf:698c, -PassThru

ZoneName  ZoneType   IsAutoCreated  IsDsIntegrated  IsReverseLookupZone  IsSigned
--------  --------   -------------  --------------  -------------------  --------
          Forwarder  False          False           False

This command creates an Active Directory-integrated conditional forwarder zone (replicated to every DNS server in the forest) for

Add-DnsServerConditionalForwarderZone -Name "" -ReplicationScope "Forest" -MasterServers 2001:4898:7020:f100:458f:e6a2:fcaf:698c,

To change an existing conditional forwarder zone, use the cmdlet:

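The following is an added example, not code from the original post or from Microsoft's documentation. It wraps the cmdlets above into an idempotent helper: create the conditional forwarder if it is missing, update its master servers if they differ, refuse to touch a zone of another type, and then verify resolution through the local server. The zone name, forwarder addresses and host name are hypothetical.

```powershell
# Added example, not from the original post. Idempotent conditional
# forwarder management with the DnsServer module cmdlets.
function Set-ConditionalForwarder {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $ZoneName,
        [Parameter(Mandatory)] [string[]] $MasterServers,
        [ValidateSet('Forest', 'Domain', 'Legacy')] [string] $ReplicationScope = 'Forest',
        # Seconds to wait for a master before trying the next one.
        [int] $ForwarderTimeout = 5
    )

    $zone = Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue

    if (-not $zone) {
        if ($PSCmdlet.ShouldProcess($ZoneName, 'Create conditional forwarder')) {
            Add-DnsServerConditionalForwarderZone -Name $ZoneName -MasterServers $MasterServers `
                -ReplicationScope $ReplicationScope -ForwarderTimeout $ForwarderTimeout -PassThru
        }
        return
    }

    # Never silently convert a primary/secondary/stub zone into a forwarder.
    if ($zone.ZoneType -ne 'Forwarder') {
        throw "Zone '$ZoneName' exists but is of type $($zone.ZoneType); refusing to overwrite it."
    }

    # Compare desired and current master lists as sorted strings, ignoring order.
    $current = ($zone.MasterServers | ForEach-Object { $_.IPAddressToString } | Sort-Object) -join ','
    $wanted  = ($MasterServers | Sort-Object) -join ','

    if ($current -ne $wanted) {
        if ($PSCmdlet.ShouldProcess($ZoneName, "Change master servers to $wanted")) {
            Set-DnsServerConditionalForwarderZone -Name $ZoneName -MasterServers $MasterServers -PassThru
        }
    }
    else {
        Write-Verbose "Zone '$ZoneName' already forwards to $current; nothing to do."
        $zone
    }
}

# Hypothetical partner domain and its resolvers (assumed values).
Set-ConditionalForwarder -ZoneName 'partner.example' -MasterServers '10.20.0.10', '10.20.0.11' -Verbose

# Confirm the local DNS server answers through the forwarder.
# -DnsOnly skips the hosts file, LLMNR and NetBIOS so the result reflects DNS alone.
Resolve-DnsName -Name 'dc1.partner.example' -Type A -Server 'localhost' -DnsOnly
```

Two caveats when using this in practice: the forwarder target list is trusted implicitly, since conditional forwarding carries no authentication, so only list resolvers you control or have a contractual relationship with; and with -ReplicationScope Forest the change lands on every DNS server in the forest within one replication cycle, so run it with -WhatIf first and prefer the registry-stored variant (no -ReplicationScope) for a one-server test.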

Good articles explaining the differences between Security & Compliance (S&C) sensitivity labels and AIP labels, and how to merge them:

MS TechNet:

S&C labels:

AIP labels:

Azure Cloud Shell



On first launch, Cloud Shell prompts you to create a resource group, storage account and Azure Files share on your behalf. This is a one-time step; the share is attached automatically to all later sessions. A single file share can be mapped, and it is used by both Bash and PowerShell in Cloud Shell.

Read more to learn how to mount a new or existing storage account.

  • Cloud Shell runs on a temporary host provided on a per-session, per-user basis
  • Cloud Shell times out after 20 minutes without interactive activity
  • Cloud Shell requires an Azure file share to be mounted
  • Cloud Shell uses the same Azure file share for both Bash and PowerShell
  • Cloud Shell is assigned one machine per user account
  • Cloud Shell persists $HOME using a 5-GB image held in your file share
  • Permissions are set as a regular Linux user in Bash

Learn more about features in Bash in Cloud Shell and PowerShell in Cloud Shell.

Azure Cloud Shell limitations:



How to access Azure Cloud Shell from Visual Studio Code?

On a Windows computer:

Install VS Code:

then install Node.js:

then in VS Code install the "Azure Account" extension.



Azure DevOps

Azure DevOps Services provides development collaboration tools including high-performance pipelines, free private Git repositories, configurable Kanban boards, and extensive automated and continuous testing capabilities. For the on-premises platform, Azure DevOps Server (previously named Visual Studio Team Foundation Server), see Azure DevOps Server Documentation.

Main portal:

Azure DevOps and Azure AD groups (security of Office 365 groups):


DevOps and identity management:


Azure Sentinel

Microsoft Azure Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution.

Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

Azure Sentinel comes with a number of out-of-the-box connectors for Microsoft solutions that provide real-time integration, including the Microsoft Threat Protection solutions and Microsoft 365 sources such as Office 365, Azure AD, Azure ATP and Microsoft Cloud App Security.

In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions. You can also use Common Event Format (CEF), Syslog or the REST API to connect your own data sources to Azure Sentinel.