
IT Tutorial FG333: Windows Server Active Directory

1. Active Directory Overview

Active Directory is the core directory service of Windows Server, providing identity authentication and resource management.

# AD architecture
Active Directory architecture:
                  ┌─────────────────────┐
                  │       Forest        │
                  │    fgedu.net.cn     │
                  └──────────┬──────────┘
                             │
         ┌───────────────────┼───────────────────┐
         │                   │                   │
         v                   v                   v
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│   Domain tree   │ │   Domain tree   │ │   Domain tree   │
│  fgedu.net.cn   │ │   bj.fgedu.cn   │ │   sh.fgedu.cn   │
└────────┬────────┘ └────────┬────────┘ └────────┬────────┘
         │                   │                   │
         v                   v                   v
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│Domain controller│ │Domain controller│ │Domain controller│
│      DC01       │ │      DC02       │ │      DC03       │
└─────────────────┘ └─────────────────┘ └─────────────────┘

# View domain information
PS C:\> Get-ADDomain

AllowedDNSSuffixes : {}
ChildDomains : {}
ComputersContainer : CN=Computers,DC=fgedu,DC=net,DC=cn
DeletedObjectsContainer : CN=Deleted Objects,DC=fgedu,DC=net,DC=cn
DistinguishedName : DC=fgedu,DC=net,DC=cn
DNSRoot : fgedu.net.cn
DomainControllersContainer : OU=Domain Controllers,DC=fgedu,DC=net,DC=cn
DomainMode : Windows2016Domain
DomainSID : S-1-5-21-1234567890-1234567890-1234567890
ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=fgedu,DC=net,DC=cn
Forest : fgedu.net.cn
InfrastructureMaster : DC01.fgedu.net.cn
LastLogonReplicationInterval :
LinkedGroupPolicyObjects : {CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=fgedu,DC=net,DC=cn}
LostAndFoundContainer : CN=LostAndFound,DC=fgedu,DC=net,DC=cn
Name : fgedu
NetBIOSName : FGEDU
ObjectClass : domainDNS
ObjectGUID : 12345678-1234-1234-1234-123456789012
PDCEmulator : DC01.fgedu.net.cn
ParentDomain :
RIDMaster : DC01.fgedu.net.cn
SystemsContainer : CN=System,DC=fgedu,DC=net,DC=cn
UsersContainer : CN=Users,DC=fgedu,DC=net,DC=cn

# View domain controllers
PS C:\> Get-ADDomainController -Filter * | Format-Table Name, IPv4Address, Site, OperationMasterRoles

Name IPv4Address Site OperationMasterRoles
---- ----------- ---- --------------------
DC01 192.168.1.10 Default-First-Site {PDCEmulator, RIDMaster, InfrastructureMaster}
DC02 192.168.1.11 Default-First-Site {}
DC03 192.168.1.12 Default-First-Site {}

# View forest information
PS C:\> Get-ADForest

ApplicationPartitions : {DC=DomainDnsZones,DC=fgedu,DC=net,DC=cn, DC=ForestDnsZones,DC=fgedu,DC=net,DC=cn}
CrossForestReferences : {CN=fgedu.net.cn,CN=Partitions,CN=Configuration,DC=fgedu,DC=net,DC=cn}
DomainNamingMaster : DC01.fgedu.net.cn
Domains : {fgedu.net.cn}
ForestMode : Windows2016Forest
GlobalCatalogs : {DC01.fgedu.net.cn, DC02.fgedu.net.cn, DC03.fgedu.net.cn}
Name : fgedu.net.cn
PartitionsContainer : CN=Partitions,CN=Configuration,DC=fgedu,DC=net,DC=cn
RootDomain : fgedu.net.cn
SchemaMaster : DC01.fgedu.net.cn
Sites : {Default-First-Site-Name}
SPNSuffixes : {}
UPNSuffixes : {}

Production recommendations from Feng Ge: deploy at least two domain controllers for redundancy, back up the AD database regularly, plan the OU structure carefully, manage configuration through Group Policy, and monitor replication status.

2. Installing an AD Domain Controller

Installing an AD domain controller is the first step in deploying Active Directory.

# Install the AD DS role
PS C:\> Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True No Success {Active Directory Domain Services, Group P…

# Check the installation result
PS C:\> Get-WindowsFeature -Name AD-Domain-Services

Display Name Name Install State
------------ ---- -------------
[X] Active Directory 域服务 AD-Domain-Services Installed

# Create a new forest (first domain controller)
PS C:\> Install-ADDSForest `
    -DomainName "fgedu.net.cn" `
    -DomainNetBIOSName "FGEDU" `
    -DomainMode "WinThreshold" `
    -ForestMode "WinThreshold" `
    -DatabasePath "C:\Windows\NTDS" `
    -LogPath "C:\Windows\Logs" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -InstallDNS:$true `
    -NoRebootOnCompletion:$false `
    -Force:$true

The target server will be configured as a domain controller
and restarted when this command is completed.

# Add an additional domain controller
PS C:\> Install-ADDSDomainController `
    -DomainName "fgedu.net.cn" `
    -DatabasePath "C:\Windows\NTDS" `
    -LogPath "C:\Windows\Logs" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -InstallDNS:$true `
    -NoRebootOnCompletion:$false `
    -Force:$true

# Verify the installation
PS C:\> Get-ADDomainController -Discover

Domain : fgedu.net.cn
Forest : fgedu.net.cn
IPAddress : 192.168.1.10
Name : DC01
SiteName : Default-First-Site-Name

# Check AD service status
PS C:\> Get-Service -Name "ADWS","NTDS","DNS" | Format-Table Name, Status, StartType

Name Status StartType
---- ------ ---------
ADWS Running Automatic
NTDS Running Automatic
DNS Running Automatic

# Check the SYSVOL share
PS C:\> net share

Share name Resource Remark
-------------------------------------------------------------------------------
SYSVOL C:\Windows\SYSVOL\sysvol Logon server share
NETLOGON C:\Windows\SYSVOL\domain\SCRIPTS Logon server share

# Check DNS records
PS C:\> Get-DnsServerResourceRecord -ZoneName "fgedu.net.cn" | Where-Object {$_.RecordType -eq "SRV"}

HostName RecordType Type Timestamp TimeToLive RecordData
-------- ---------- ---- --------- ---------- ----------
_ldap._tcp.Default-First-Site._sites.dc._msdcs SRV 33 0 1:00:00 [0][100][389][dc01.fgedu.net.cn.]

3. User Management

User management is an important part of day-to-day AD administration.

# List users
PS C:\> Get-ADUser -Filter * -Properties DisplayName, EmailAddress |
    Select-Object Name, DisplayName, EmailAddress, Enabled |
    Format-Table -AutoSize

Name DisplayName EmailAddress Enabled
---- ----------- ------------ -------
Administrator 管理员 admin@fgedu.net.cn True
Guest 来宾 False
zhangsan 风哥1号 zhangsan@fgedu.net.cn True
lisi 风哥2号 lisi@fgedu.net.cn True
wangwu 王五 wangwu@fgedu.net.cn True

# Create a new user
PS C:\> New-ADUser `
    -Name "zhaoliu" `
    -SamAccountName "zhaoliu" `
    -UserPrincipalName "zhaoliu@fgedu.net.cn" `
    -DisplayName "赵六" `
    -EmailAddress "zhaoliu@fgedu.net.cn" `
    -GivenName "六" `
    -Surname "赵" `
    -Department "IT部" `
    -Company "风哥教育" `
    -Path "OU=IT部,DC=fgedu,DC=net,DC=cn" `
    -AccountPassword (ConvertTo-SecureString "Fgedu@User123" -AsPlainText -Force) `
    -Enabled $true `
    -ChangePasswordAtLogon $true

# Modify user attributes
PS C:\> Set-ADUser -Identity "zhaoliu" `
    -Department "运维部" `
    -Office "北京总部" `
    -OfficePhone "010-12345678" `
    -MobilePhone "13800138000"

# Reset a user's password
PS C:\> Set-ADAccountPassword -Identity "zhaoliu" `
    -Reset -NewPassword (ConvertTo-SecureString "Fgedu@NewPass123" -AsPlainText -Force)

# Unlock a user account
PS C:\> Unlock-ADAccount -Identity "zhaoliu"

# Disable a user account
PS C:\> Disable-ADAccount -Identity "zhaoliu"

# Enable a user account
PS C:\> Enable-ADAccount -Identity "zhaoliu"

# Delete a user
PS C:\> Remove-ADUser -Identity "zhaoliu" -Confirm:$false

# Create users in bulk
PS C:\> $users = Import-Csv "C:\temp\users.csv"
PS C:\> foreach ($user in $users) {
    New-ADUser `
        -Name $user.Name `
        -SamAccountName $user.SamAccountName `
        -UserPrincipalName "$($user.SamAccountName)@fgedu.net.cn" `
        -DisplayName $user.DisplayName `
        -Department $user.Department `
        -AccountPassword (ConvertTo-SecureString "Fgedu@User123" -AsPlainText -Force) `
        -Enabled $true `
        -Path "OU=员工,DC=fgedu,DC=net,DC=cn"
}
Write-Host "批量创建用户完成,共创建 $($users.Count) 个用户"

# Find users
PS C:\> Get-ADUser -Filter {Department -eq "IT部" -and Enabled -eq $true}

# View a user's group memberships
PS C:\> Get-ADPrincipalGroupMembership -Identity "zhangsan" | Format-Table Name, GroupScope, GroupCategory

Name GroupScope GroupCategory
---- ---------- -------------
Domain Users Global Security
IT_Users Global Security
Domain Admins Global Security
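
The bulk-creation script above gives every new account the same initial password, so anyone who learns it can log on as any user who has not yet changed it. The following script is an added example (not code from the tutorial) that creates the same accounts with a unique, cryptographically random initial password each; the CSV content is constructed inline, the OU path is the tutorial's, and `New-InitialPassword` is a helper defined here.

```powershell
# Added example: bulk user creation with a unique random initial password per
# account. Assumes the RSAT ActiveDirectory module and the OU used by the tutorial.
Import-Module ActiveDirectory

# Constructed sample input; in practice this comes from Import-Csv "C:\temp\users.csv"
$csv = @"
Name,SamAccountName,DisplayName,Department
zhaoliu,zhaoliu,赵六,IT部
sunqi,sunqi,孙七,HR部
"@
$users = $csv | ConvertFrom-Csv

function New-InitialPassword {
    param([int]$Length = 16)
    # 64-character alphabet (ambiguous glyphs removed); 256 % 64 == 0, so no modulo bias
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

foreach ($user in $users) {
    # Skip accounts that already exist instead of failing half-way through the list
    if (Get-ADUser -Filter "SamAccountName -eq '$($user.SamAccountName)'") {
        Write-Warning "Skipping existing account: $($user.SamAccountName)"
        continue
    }
    $plain  = New-InitialPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    New-ADUser `
        -Name $user.Name `
        -SamAccountName $user.SamAccountName `
        -UserPrincipalName "$($user.SamAccountName)@fgedu.net.cn" `
        -DisplayName $user.DisplayName `
        -Department $user.Department `
        -Path "OU=员工,DC=fgedu,DC=net,DC=cn" `
        -AccountPassword $secure `
        -Enabled $true `
        -ChangePasswordAtLogon $true      # forces rotation on first logon
    # Emit the initial password once so it can be handed over out of band;
    # do not write it to a shared log file
    [PSCustomObject]@{ SamAccountName = $user.SamAccountName; InitialPassword = $plain }
}
```

Pipe the output to a file with a restrictive ACL (or a secrets store) if it must be kept at all.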

4. Group Management

Groups simplify permission assignment and resource access control.

# List groups
PS C:\> Get-ADGroup -Filter * | Select-Object Name, GroupScope, GroupCategory | Format-Table -AutoSize

Name GroupScope GroupCategory
---- ---------- -------------
Administrators DomainLocal Security
Users DomainLocal Security
Domain Admins Global Security
Domain Users Global Security
Domain Computers Global Security
IT_Users Global Security
HR_Users Global Security
Finance_Users Global Security

# Create a security group
PS C:\> New-ADGroup `
    -Name "Dev_Users" `
    -SamAccountName "Dev_Users" `
    -GroupCategory Security `
    -GroupScope Global `
    -DisplayName "开发部用户组" `
    -Path "OU=Groups,DC=fgedu,DC=net,DC=cn" `
    -Description "开发部门用户组"

# Create a distribution group
PS C:\> New-ADGroup `
    -Name "All_Staff" `
    -SamAccountName "All_Staff" `
    -GroupCategory Distribution `
    -GroupScope Universal `
    -DisplayName "全体员工" `
    -Path "OU=Groups,DC=fgedu,DC=net,DC=cn"

# Add group members
PS C:\> Add-ADGroupMember -Identity "Dev_Users" -Members "zhangsan","lisi"

# Remove a group member
PS C:\> Remove-ADGroupMember -Identity "Dev_Users" -Members "lisi" -Confirm:$false

# View group members
PS C:\> Get-ADGroupMember -Identity "Dev_Users" | Format-Table Name, SamAccountName, ObjectClass

Name SamAccountName ObjectClass
---- -------------- -----------
风哥1号 zhangsan user
王五 wangwu user

# View nested group members
PS C:\> Get-ADGroupMember -Identity "Dev_Users" -Recursive

# Add users to a group in bulk
PS C:\> $users = Get-ADUser -Filter {Department -eq "开发部"}
PS C:\> Add-ADGroupMember -Identity "Dev_Users" -Members $users

# Delete a group
PS C:\> Remove-ADGroup -Identity "Dev_Users" -Confirm:$false

# Group management script
PS C:\> # Create department groups
$departments = @("IT", "HR", "Finance", "Dev", "Ops")

foreach ($dept in $departments) {
    $groupName = "${dept}_Users"

    # Check whether the group already exists
    if (-not (Get-ADGroup -Filter {Name -eq $groupName} -ErrorAction SilentlyContinue)) {
        New-ADGroup `
            -Name $groupName `
            -SamAccountName $groupName `
            -GroupCategory Security `
            -GroupScope Global `
            -DisplayName "${dept}部门用户组" `
            -Path "OU=Groups,DC=fgedu,DC=net,DC=cn"
        Write-Host "创建组: $groupName"
    }
}
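
The membership listing earlier showed an ordinary user (zhangsan) in Domain Admins, which is exactly what a periodic review should catch. The following script is an added example (not from the tutorial) that expands nested membership of the built-in privileged groups and flags dormant accounts or accounts exempt from password rotation; the group names are the default English ones and `Get-PrivilegedAccountReport` is a helper defined here.

```powershell
# Added example: audit privileged group membership, resolving nested groups.
# Assumes the RSAT ActiveDirectory module; run from a domain-joined admin host.
Import-Module ActiveDirectory

$privilegedGroups = @("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators")

function Get-PrivilegedAccountReport {
    param(
        [string[]]$Groups = $privilegedGroups,
        [int]$StaleDays = 90
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($g in $Groups) {
        $group = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
        # Enterprise Admins and Schema Admins exist only in the forest root domain
        if (-not $group) { continue }
        # -Recursive expands nested groups so indirectly granted rights are not missed
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.DistinguishedName `
                        -Properties PasswordNeverExpires, LastLogonDate, Enabled
                # LastLogonDate is replicated only every ~14 days, so treat it as approximate
                $dormant = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt $cutoff)
                [PSCustomObject]@{
                    Group                = $g
                    SamAccountName       = $u.SamAccountName
                    Enabled              = $u.Enabled
                    PasswordNeverExpires = $u.PasswordNeverExpires
                    LastLogonDate        = $u.LastLogonDate
                    # A dormant admin account, or one exempt from rotation, is a finding
                    Finding              = ($u.PasswordNeverExpires -or $dormant)
                }
            }
    }
}

Get-PrivilegedAccountReport | Sort-Object Group, SamAccountName | Format-Table -AutoSize
```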

5. Organizational Unit Management

Organizational units (OUs) are used to organize and manage AD objects.

# List OUs
PS C:\> Get-ADOrganizationalUnit -Filter * |
    Select-Object Name, DistinguishedName |
    Format-Table -AutoSize

Name DistinguishedName
---- -----------------
Domain Controllers OU=Domain Controllers,DC=fgedu,DC=net,DC=cn
IT部 OU=IT部,DC=fgedu,DC=net,DC=cn
HR部 OU=HR部,DC=fgedu,DC=net,DC=cn
Finance部 OU=Finance部,DC=fgedu,DC=net,DC=cn
Groups OU=Groups,DC=fgedu,DC=net,DC=cn

# Create an OU
PS C:\> New-ADOrganizationalUnit `
    -Name "Dev部" `
    -Path "DC=fgedu,DC=net,DC=cn" `
    -Description "开发部门" `
    -ProtectedFromAccidentalDeletion $true

# Create child OUs
PS C:\> New-ADOrganizationalUnit `
    -Name "Users" `
    -Path "OU=Dev部,DC=fgedu,DC=net,DC=cn" `
    -Description "开发部用户"

PS C:\> New-ADOrganizationalUnit `
    -Name "Computers" `
    -Path "OU=Dev部,DC=fgedu,DC=net,DC=cn" `
    -Description "开发部计算机"

# View the objects in an OU
PS C:\> Get-ADObject -Filter * -SearchBase "OU=IT部,DC=fgedu,DC=net,DC=cn" |
    Select-Object Name, ObjectClass, DistinguishedName

Name ObjectClass DistinguishedName
---- ----------- -----------------
风哥1号 user CN=风哥1号,OU=IT部,DC=fgedu,DC=net,DC=cn
风哥2号 user CN=风哥2号,OU=IT部,DC=fgedu,DC=net,DC=cn
PC-001 computer CN=PC-001,OU=IT部,DC=fgedu,DC=net,DC=cn

# Move an object into an OU
PS C:\> Move-ADObject `
    -Identity "CN=王五,CN=Users,DC=fgedu,DC=net,DC=cn" `
    -TargetPath "OU=IT部,DC=fgedu,DC=net,DC=cn"

# Delete an OU (disable accidental-deletion protection first)
PS C:\> Set-ADOrganizationalUnit -Identity "OU=Dev部,DC=fgedu,DC=net,DC=cn" -ProtectedFromAccidentalDeletion $false
PS C:\> Remove-ADOrganizationalUnit -Identity "OU=Dev部,DC=fgedu,DC=net,DC=cn" -Confirm:$false

# OU structure planning script
PS C:\> # Create a standard OU structure
$ouStructure = @{
    "IT部"      = @("Users", "Computers", "Groups")
    "HR部"      = @("Users", "Computers", "Groups")
    "Finance部" = @("Users", "Computers", "Groups")
    "Dev部"     = @("Users", "Computers", "Groups")
    "Ops部"     = @("Users", "Computers", "Groups")
}

foreach ($ou in $ouStructure.Keys) {
    # Create the top-level OU
    $ouPath = "OU=$ou,DC=fgedu,DC=net,DC=cn"
    if (-not (Get-ADOrganizationalUnit -Filter {DistinguishedName -eq $ouPath} -ErrorAction SilentlyContinue)) {
        New-ADOrganizationalUnit -Name $ou -Path "DC=fgedu,DC=net,DC=cn"
        Write-Host "创建OU: $ou"
    }

    # Create the child OUs
    foreach ($subOU in $ouStructure[$ou]) {
        $subPath = "OU=$subOU,$ouPath"
        if (-not (Get-ADOrganizationalUnit -Filter {DistinguishedName -eq $subPath} -ErrorAction SilentlyContinue)) {
            New-ADOrganizationalUnit -Name $subOU -Path $ouPath
            Write-Host "创建子OU: $ou/$subOU"
        }
    }
}

6. Group Policy Management

Group Policy provides centralized configuration management.

# List GPOs
PS C:\> Get-GPO -All | Select-Object DisplayName, GpoStatus, CreationTime | Format-Table -AutoSize

DisplayName GpoStatus CreationTime
----------- --------- ------------
Default Domain Policy AllSettingsEnabled 2026/1/1
Default Domain Controllers… AllSettingsEnabled 2026/1/1
IT_Policy AllSettingsEnabled 2026/4/1
HR_Policy AllSettingsEnabled 2026/4/1

# Create a GPO
PS C:\> New-GPO -Name "Dev_Policy" -Comment "开发部门组策略"

Name : Dev_Policy
DisplayName : Dev_Policy
Description : 开发部门组策略
GpoStatus : AllSettingsEnabled
CreationTime : 2026/4/3 10:00:00

# Link the GPO to an OU
PS C:\> New-GPLink -Name "Dev_Policy" -Target "OU=Dev部,DC=fgedu,DC=net,DC=cn" -LinkEnabled Yes

GpoId : 12345678-1234-1234-1234-123456789012
DisplayName : Dev_Policy
Enabled : True
Enforced : False
Target : OU=Dev部,DC=fgedu,DC=net,DC=cn
Order : 1

# Set GPO permissions
PS C:\> Set-GPPermission -Name "Dev_Policy" -TargetName "Dev_Users" -TargetType Group -PermissionLevel GpoApply

# Back up the GPO
PS C:\> Backup-GPO -Name "Dev_Policy" -Path "C:\Backup\GPO"

DisplayName : Dev_Policy
GpoId : 12345678-1234-1234-1234-123456789012
BackupId : abc12345-1234-1234-1234-123456789012
BackupTime : 2026/4/3 10:00:00

# Restore the GPO
PS C:\> Restore-GPO -BackupId "abc12345-1234-1234-1234-123456789012" -Path "C:\Backup\GPO"

# Import GPO settings into another GPO
PS C:\> Import-GPO -BackupId "abc12345-1234-1234-1234-123456789012" -Path "C:\Backup\GPO" -TargetName "Dev_Policy_New"

# Use the Group Policy Management Console (GPMC)
# Open GPMC
PS C:\> gpmc.msc

# Commonly used Group Policy settings
# 1. Password policy
# Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy

# 2. Account lockout policy
# Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy

# 3. Audit policy
# Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy

# 4. Software restriction policies
# Computer Configuration -> Windows Settings -> Security Settings -> Software Restriction Policies

# 5. Folder redirection
# User Configuration -> Windows Settings -> Folder Redirection

# GPO report
PS C:\> Get-GPOReport -Name "Dev_Policy" -ReportType Html -Path "C:\Temp\Dev_Policy_Report.html"
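
The password and account lockout policies listed above are set in the Default Domain Policy, and a GPO report only shows what is configured, not whether it meets a standard. The following script is an added example (not from the tutorial) that reads the effective default domain policy and checks it against a baseline; the baseline numbers are assumptions for illustration, not values the tutorial prescribes, and `Test-DomainPasswordPolicy` is a helper defined here.

```powershell
# Added example: compare the effective default domain password/lockout policy
# with a baseline. Assumes the RSAT ActiveDirectory module and the tutorial's domain.
Import-Module ActiveDirectory

# Constructed baseline; adjust to your own standard
$Baseline = @{
    MinPasswordLength    = 14
    PasswordHistoryCount = 24
    MaxPasswordAgeDays   = 365
    LockoutThreshold     = 10
    LockoutDurationMin   = 15
    ComplexityEnabled    = $true
    ReversibleEncryption = $false
}

function Test-DomainPasswordPolicy {
    param([string]$Domain = "fgedu.net.cn")
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    # 0 or a huge value both mean passwords never expire, so require 0 < age <= baseline
    $maxAgeDays = $p.MaxPasswordAge.TotalDays
    $lockoutMin = $p.LockoutDuration.TotalMinutes

    [PSCustomObject]@{ Setting = 'MinPasswordLength';    Actual = $p.MinPasswordLength
                       Pass = ($p.MinPasswordLength -ge $Baseline.MinPasswordLength) }
    [PSCustomObject]@{ Setting = 'PasswordHistoryCount'; Actual = $p.PasswordHistoryCount
                       Pass = ($p.PasswordHistoryCount -ge $Baseline.PasswordHistoryCount) }
    [PSCustomObject]@{ Setting = 'MaxPasswordAge(days)'; Actual = $maxAgeDays
                       Pass = ($maxAgeDays -gt 0 -and $maxAgeDays -le $Baseline.MaxPasswordAgeDays) }
    # LockoutThreshold 0 means lockout is disabled entirely, which fails the check
    [PSCustomObject]@{ Setting = 'LockoutThreshold';     Actual = $p.LockoutThreshold
                       Pass = ($p.LockoutThreshold -gt 0 -and $p.LockoutThreshold -le $Baseline.LockoutThreshold) }
    [PSCustomObject]@{ Setting = 'LockoutDuration(min)'; Actual = $lockoutMin
                       Pass = ($lockoutMin -ge $Baseline.LockoutDurationMin) }
    [PSCustomObject]@{ Setting = 'ComplexityEnabled';    Actual = $p.ComplexityEnabled
                       Pass = ($p.ComplexityEnabled -eq $Baseline.ComplexityEnabled) }
    [PSCustomObject]@{ Setting = 'ReversibleEncryption'; Actual = $p.ReversibleEncryptionEnabled
                       Pass = ($p.ReversibleEncryptionEnabled -eq $Baseline.ReversibleEncryption) }
}

Test-DomainPasswordPolicy | Format-Table Setting, Actual, Pass -AutoSize

# Fine-grained password policies (PSOs) override the default for the principals they apply to,
# so list them too; a PSO can silently weaken the policy for a group of accounts
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    Write-Host "PSO '$($_.Name)' (precedence $($_.Precedence)) applies to: $($_.AppliesTo -join ', ')"
}
```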

7. DNS Integration

AD is tightly integrated with DNS: DNS provides the service that clients use to locate domain controllers.

# View DNS zones
PS C:\> Get-DnsServerZone

ZoneName ZoneType IsAutoCreated IsDsIntegrated IsReverseLookupZone
-------- -------- ------------- -------------- -------------------
0.in-addr.arpa Primary True False True
127.in-addr.arpa Primary True False True
255.in-addr.arpa Primary True False True
fgedu.net.cn Primary False True False
1.168.192.in-addr.arpa Primary False True True

# View DNS records
PS C:\> Get-DnsServerResourceRecord -ZoneName "fgedu.net.cn" |
    Where-Object {$_.RecordType -eq "A"} |
    Format-Table HostName, RecordType, @{N='IPAddress';E={$_.RecordData.IPv4Address}}

HostName RecordType IPAddress
-------- ---------- ---------
DC01 A 192.168.1.10
DC02 A 192.168.1.11
DC03 A 192.168.1.12
fgedu-web01 A 192.168.1.100
fgedu-app01 A 192.168.1.101

# View SRV records
PS C:\> Get-DnsServerResourceRecord -ZoneName "fgedu.net.cn" -RRType SRV |
    Format-Table HostName, RecordType, @{N='Target';E={$_.RecordData.DomainName}}

HostName RecordType Target
-------- ---------- ------
_ldap._tcp SRV dc01.fgedu.net.cn.
_ldap._tcp.dc._msdcs SRV dc01.fgedu.net.cn.
_kerberos._tcp SRV dc01.fgedu.net.cn.
_kerberos._tcp.dc._msdcs SRV dc01.fgedu.net.cn.
_ldap._tcp.Default-First-Site-Nam… SRV dc01.fgedu.net.cn.

# Add an A record
PS C:\> Add-DnsServerResourceRecordA `
    -Name "fgedu-web02" `
    -IPv4Address "192.168.1.102" `
    -ZoneName "fgedu.net.cn" `
    -CreatePtr

# Add a CNAME record
PS C:\> Add-DnsServerResourceRecordCName `
    -Name "www" `
    -HostNameAlias "fgedu-web01.fgedu.net.cn" `
    -ZoneName "fgedu.net.cn"

# Delete a DNS record
PS C:\> Remove-DnsServerResourceRecord `
    -Name "fgedu-web02" `
    -RRType "A" `
    -ZoneName "fgedu.net.cn" `
    -RecordData "192.168.1.102" `
    -Force

# Test DNS resolution
PS C:\> Resolve-DnsName -Name "dc01.fgedu.net.cn"

Name Type TTL Section IPAddress
---- ---- --- ------- ---------
dc01.fgedu.net.cn A 3600 Answer 192.168.1.10

# Verify SRV records
PS C:\> nslookup -type=srv _ldap._tcp.fgedu.net.cn
Server: dc01.fgedu.net.cn
Address: 192.168.1.10

_ldap._tcp.fgedu.net.cn SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = dc01.fgedu.net.cn
dc01.fgedu.net.cn internet address = 192.168.1.10

8. Replication Management

AD replication keeps directory data synchronized between domain controllers.

# View replication status
PS C:\> Get-ADReplicationPartnerMetadata -Target "DC01" |
    Format-Table Partner, Partition, LastReplicationSuccess, LastReplicationAttempt

Partner Partition LastReplicationSuccess LastReplicationAttempt
------- --------- ---------------------- ----------------------
DC02.fgedu.net.cn DC=ForestDnsZones,DC=fgedu… 2026/4/3 10:00:00 2026/4/3 10:00:00
DC02.fgedu.net.cn DC=DomainDnsZones,DC=fgedu… 2026/4/3 10:00:00 2026/4/3 10:00:00
DC02.fgedu.net.cn CN=Configuration,DC=fgedu… 2026/4/3 10:00:00 2026/4/3 10:00:00
DC02.fgedu.net.cn DC=fgedu,DC=net,DC=cn 2026/4/3 10:00:00 2026/4/3 10:00:00

# View the replication topology
PS C:\> Get-ADReplicationConnection -Filter * |
Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer

# Force replication
PS C:\> repadmin /replicate DC02 DC01 DC=fgedu,DC=net,DC=cn

# View the replication summary
PS C:\> repadmin /replsummary
Replication Summary Start Time: 2026-04-03 10:00:00
Beginning data collection for replication summary, this may take awhile:
Source DSA largest delta fails/total %% error
DC01 12m:18s 0 / 5 0
DC02 12m:18s 0 / 5 0
DC03 12m:18s 0 / 5 0

# Check for replication errors
PS C:\> repadmin /showrepl * /errorsonly

# Synchronize all domain controllers
PS C:\> repadmin /syncall /APeD

# View sites
PS C:\> Get-ADReplicationSite -Filter * | Format-Table Name, Description

Name Description
---- -----------
Default-First-Site-Name 默认第一个站点

# Create a new site
PS C:\> New-ADReplicationSite -Name "Beijing-Site" -Description "北京站点"

# Create a site link
PS C:\> New-ADReplicationSiteLink -Name "Beijing-Shanghai" `
    -SitesIncluded "Beijing-Site","Shanghai-Site" `
    -Cost 100 `
    -ReplicationFrequencyInMinutes 15

# Replication health check script
PS C:\> # Check the replication status of every domain controller
$DCs = Get-ADDomainController -Filter *
foreach ($dc in $DCs) {
    Write-Host "检查: $($dc.Name)"
    $replStatus = Get-ADReplicationPartnerMetadata -Target $dc.Name
    foreach ($status in $replStatus) {
        $lastSuccess = $status.LastReplicationSuccess
        $hoursSince = (Get-Date) - $lastSuccess
        if ($hoursSince.TotalHours -gt 1) {
            Write-Host " 警告: 与 $($status.Partner) 复制延迟超过1小时" -ForegroundColor Yellow
        } else {
            Write-Host " 正常: 与 $($status.Partner) 复制正常" -ForegroundColor Green
        }
    }
}

9. AD Backup and Recovery

AD backup and recovery gives the directory service its disaster recovery capability.

# Back up AD with Windows Server Backup
# Install the backup feature
PS C:\> Install-WindowsFeature -Name Windows-Server-Backup

# Create a backup policy
PS C:\> $policy = New-WBPolicy

# Add a backup target
PS C:\> $backupLocation = New-WBBackupTarget -NetworkPath "\\backup-server\ADBackup"
PS C:\> Add-WBBackupTarget -Policy $policy -Target $backupLocation

# Add the system state to the backup
PS C:\> Add-WBSystemState -Policy $policy

# Set the backup schedule
PS C:\> Set-WBSchedule -Policy $policy -Times "02:00"

# Run a one-off backup
PS C:\> Start-WBBackup -Policy $policy

# View backup history
PS C:\> Get-WBBackupSet

BackupTime : 2026/4/3 2:00:00
BackupTarget : \\backup-server\ADBackup
BackupSetId : abc12345-1234-1234-1234-123456789012
BackupType : SystemState
Components : {Registry, COM+ Class Registration Database, Certificate Server, AD…}

# Enable the AD Recycle Bin
PS C:\> Enable-ADOptionalFeature -Identity "Recycle Bin Feature" `
    -Scope ForestOrConfigurationSet `
    -Target "fgedu.net.cn" `
    -Confirm:$false

# View deleted objects
PS C:\> Get-ADObject -Filter {isDeleted -eq $true} -IncludeDeletedObjects -Properties * |
Select-Object Name, ObjectClass, whenChanged

# Restore a deleted object
PS C:\> Restore-ADObject -Identity "CN=zhangsan\0ADEL:abc12345…,CN=Deleted Objects,DC=fgedu,DC=net,DC=cn"

# AD snapshot backup
PS C:\> ntdsutil "activate instance ntds" "snapshot" "create" "quit" "quit"
Snapshot {abc12345-1234-1234-1234-123456789012} created successfully.

# List snapshots
PS C:\> ntdsutil "activate instance ntds" "snapshot" "list all" "quit" "quit"
1: 2026/04/03:10:00 {abc12345-1234-1234-1234-123456789012}
Active instance: ntds

# Mount a snapshot
PS C:\> ntdsutil "activate instance ntds" "snapshot" "mount 1" "quit" "quit"
Snapshot {abc12345-1234-1234-1234-123456789012} mounted as C:\$SNAP_202604031000_VOLUMEC$\

# Expose the snapshot over LDAP to recover objects from it
PS C:\> dsamain -dbpath "C:\$SNAP_202604031000_VOLUMEC$\Windows\NTDS\ntds.dit" -ldapport 33389

# Backup script
PS C:\> # Automated AD backup script
$backupPath = "\\backup-server\ADBackup\$((Get-Date).ToString('yyyyMMdd'))"
$logFile = "C:\Logs\ADBackup_$(Get-Date -Format 'yyyyMMdd').log"

Write-Output "开始AD备份: $(Get-Date)" | Out-File $logFile

# Create the backup policy
$policy = New-WBPolicy
Add-WBSystemState -Policy $policy
$target = New-WBBackupTarget -NetworkPath $backupPath
Add-WBBackupTarget -Policy $policy -Target $target

# Run the backup
Start-WBBackup -Policy $policy

Write-Output "AD备份完成: $(Get-Date)" | Out-File $logFile -Append

# Send a notification
Send-MailMessage -To "admin@fgedu.net.cn" -Subject "AD备份完成" -Body "AD备份已完成,请检查日志" -From "backup@fgedu.net.cn" -SmtpServer "mail.fgedu.net.cn"
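
A system state backup is only useful for an authoritative restore while it is younger than the forest's tombstone lifetime; older backups are refused because their deleted-object records have already been purged. The following script is an added example (not from the tutorial) that reads the tombstone lifetime from the configuration partition, reports whether the Recycle Bin is enabled, and checks the age of the newest backup against that limit; `Get-TombstoneLifetimeDays`, `Test-ADRecycleBin` and `Test-BackupAge` are helpers defined here.

```powershell
# Added example: verify recoverability prerequisites. Assumes the ActiveDirectory
# and WindowsServerBackup modules, run on a domain controller.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
               -Properties tombstoneLifetime
    # Forests created before Windows Server 2003 SP1 may leave this unset; AD then uses 60 days
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Test-ADRecycleBin {
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    # EnabledScopes is empty until Enable-ADOptionalFeature has been run for the forest
    [bool]$feature.EnabledScopes
}

function Test-BackupAge {
    param([int]$TombstoneDays = (Get-TombstoneLifetimeDays))
    $latest = Get-WBBackupSet | Sort-Object BackupTime -Descending | Select-Object -First 1
    if (-not $latest) {
        return [PSCustomObject]@{ LatestBackup = $null; AgeDays = $null; Usable = $false }
    }
    $age = ((Get-Date) - $latest.BackupTime).TotalDays
    [PSCustomObject]@{
        LatestBackup = $latest.BackupTime
        AgeDays      = [math]::Round($age, 1)
        # Keep a safety margin: a backup approaching the tombstone lifetime is already risky
        Usable       = ($age -lt ($TombstoneDays * 0.8))
    }
}

$tsl = Get-TombstoneLifetimeDays
Write-Host "Tombstone lifetime: $tsl days"
Write-Host "AD Recycle Bin enabled: $(Test-ADRecycleBin)"
Test-BackupAge -TombstoneDays $tsl | Format-Table -AutoSize
```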

10. Troubleshooting

AD troubleshooting helps locate and resolve problems quickly.

# AD diagnostic tools
# Run DCDiag
PS C:\> dcdiag /test:DNS /v

Domain Controller Diagnosis
Performing initial setup:
* Identified AD Forest.
Gathering information…
Doing primary tests

Testing server: Default-First-Site\DC01
Starting test: Connectivity
……………………. DC01 passed test Connectivity
Starting test: DNS
DNS Tests are running and not hung
PASS: All the DNS entries required for the DC are registered
……………………. DC01 passed test DNS

# Check AD services
PS C:\> Get-Service -Name "NTDS","ADWS","DNS","KDC" | Format-Table Name, Status

Name Status
---- ------
NTDS Running
ADWS Running
DNS Running
KDC Running

# Check network ports
PS C:\> Test-NetConnection -ComputerName "DC01" -Port 389
ComputerName : DC01
RemoteAddress : 192.168.1.10
RemotePort : 389
InterfaceAlias : Ethernet
SourceAddress : 192.168.1.100
TcpTestSucceeded : True

# Check Kerberos tickets
PS C:\> klist tickets
Current LogonId is 0:0x12345
Cached Tickets: (2)
#0> Client: zhangsan @ FGEDU.NET.CN
Server: krbtgt/FGEDU.NET.CN @ FGEDU.NET.CN
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 4/3/2026 10:00:00 (local)
End Time: 4/3/2026 20:00:00 (local)
Renew Time: 4/10/2026 10:00:00 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96

# Check time synchronization
PS C:\> w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 2 (secondary reference – syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0156250s
Root Dispersion: 0.0156250s
ReferenceId: 0x0A0A0A0A (source IP: 10.10.10.10)
Last Successful Sync Time: 4/3/2026 10:00:00 AM
Source: time.fgedu.net.cn
Poll Interval: 6 (64s)

# Reset the computer account password
PS C:\> Reset-ComputerMachinePassword -Server "DC01" -Credential (Get-Credential)

# AD health check script
PS C:\> # Comprehensive AD health check
Write-Host "AD健康检查报告" -ForegroundColor Cyan
Write-Host "==========================================" -ForegroundColor Cyan

# 1. Check domain controller reachability
Write-Host "`n1. 域控制器状态" -ForegroundColor Yellow
Get-ADDomainController -Filter * | ForEach-Object {
    $status = if (Test-Connection -ComputerName $_.Name -Count 1 -Quiet) { "在线" } else { "离线" }
    Write-Host " $($_.Name): $status"
}

# 2. Check replication status
Write-Host "`n2. 复制状态" -ForegroundColor Yellow
repadmin /replsummary /bysrc | Select-String -Pattern "Source DSA|fails"

# 3. Check critical services
Write-Host "`n3. 关键服务状态" -ForegroundColor Yellow
Get-Service -Name "NTDS","ADWS","DNS","KDC" | ForEach-Object {
    $color = if ($_.Status -eq "Running") { "Green" } else { "Red" }
    Write-Host " $($_.Name): $($_.Status)" -ForegroundColor $color
}

# 4. Check DNS
Write-Host "`n4. DNS解析测试" -ForegroundColor Yellow
$dnsResult = Resolve-DnsName -Name "fgedu.net.cn" -ErrorAction SilentlyContinue
if ($dnsResult) {
    Write-Host " DNS解析正常" -ForegroundColor Green
} else {
    Write-Host " DNS解析失败" -ForegroundColor Red
}

# 5. Check FSMO role holders
Write-Host "`n5. FSMO角色持有者" -ForegroundColor Yellow
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

Write-Host "`n==========================================" -ForegroundColor Cyan

Production recommendations from Feng Ge: deploy at least two domain controllers for redundancy, back up the AD database regularly, plan the OU structure carefully, manage configuration through Group Policy, monitor replication status, and enable the AD Recycle Bin.

This article was compiled and published by Feng Ge Tutorials for learning and testing purposes only; please credit the source when reposting: http://www.fgedu.net.cn/10327.html
