(|(get reg value) (set reg value)) in Forest DCs

I was massaging some code to retrieve a Strict Replication Consistency ($SRC) value for my 45 DCs and if value was null, set it to “1” but I don’t have the code to set it actually. I don’t get an error but I don’t think it accomplishes what I’m aiming for:

$DCs = [DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest() |
    Select-Object -ExpandProperty Sites |
        Select-Object -ExpandProperty Servers |
            Select-Object -ExpandProperty Name

foreach( $dc in $DCs ) 
{ 
    $SRC = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey( 'LocalMachine', $dc ).`
            OpenSubKey( 'System\CurrentControlSet\Services\NTDS\Parameters' ).`
                GetSubKeyNames()
    
    "~~~ $dc ~~~"
    
    if( $SRC.Count -eq 0 )
    {
        'Strict Replication Consistency key is empty!'
        continue
    }
    
    foreach( $int in $SRC )
    {
        '{0}: {1}' -f 
            $int,
            [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey( 'LocalMachine', $dc ).`
                OpenSubKey( "System\CurrentControlSet\Services\NTDS\Parameters\$int" ).`
                    GetValue('Strict Replication Consistency')
    }
}

Can you help me validate to retrieve the value set in the SRC reg param and if empty, set it to “1”?

thanks

If you can make use of remote PowerShell, I would just do this:

$DCs = [DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest() |
    Select-Object -ExpandProperty Sites |
        Select-Object -ExpandProperty Servers |
            Select-Object -ExpandProperty Name

foreach( $dc in $DCs ) 
{ 
    if ((Invoke-Command -ComputerName $dc {(Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -Name "Strict Replication Consistency")."Strict Replication Consistency"}) -ne 1)
    {
        Write-Host "Strict Replication Consistency key is empty! on $DC. Creating it now..."
        Invoke-Command -ComputerName $dc {Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -Name "Strict Replication Consistency" -Value 1 -Force}
    }
}

If not then you can use the code I just wrote and use it in your script to do the same.

Did you find that chiseled into a rock somewhere?=D

Make your life easier by making all DCs GCs.

(get-adforest).globalcatalogs

Or

(get-adforest).domains | % {(Get-ADDomain $_).replicadirectoryservers}

Or

Sonny,

I’ve added my Enterprise creds via a variable since I’m getting access denied for the Invoke-Command’s, but I’m not sure it’s either efficient or necessary where I’ve added it, plus I get an error. I’ve double-checked my creds and they are correct. With each Invoke-Command/Get-ItemProperty, I keep getting a popup “Windows Powershell Credential Request…” for each DC in the pipeline and would have thought my -credential $creds would have provided this. Nonetheless, after adding these credentials manually, the error is

the provider
Strict Replication Consistency key is empty! on DC1.com. Creating it now…
The provider does not support the use of credentials. Perform the operation again without specifying credentials.

Here’s the code I added:

$DCs = [DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest() |
    Select-Object -ExpandProperty Sites |
        Select-Object -ExpandProperty Servers |
            Select-Object -ExpandProperty Name

foreach( $dc in $DCs ) 
{ 
    if ((Invoke-Command -ComputerName $dc -Credential $creds {(Get-ItemProperty -Credential $creds HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -Name "Strict Replication Consistency")."Strict Replication Consistency"}) -ne 1)
    {
        Write-Host "Strict Replication Consistency key is empty! on $DC. Creating it now..."
        Invoke-Command -ComputerName $dc -Credential $creds {Set-ItemProperty -Credential $creds HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -Name "Strict Replication Consistency" -Value 1 -Force}
    }
}

Wondering if this is because of limitations of PowerShell and any reg keys secured by Trusted Installer?
Thank you,

Hi Dan,

All of our DCs are GCs.

That’s because you’re referencing the $credentials variable inside the invoke-command scriptblock. The scriptblock runs on the remote computer and has no access to variables inside your current session unless you pass them through to the invoke-command scriptblock.

That being said, I don’t think you need them inside the script block but just outside.

$DCs = [DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest() |
    Select-Object -ExpandProperty Sites |
        Select-Object -ExpandProperty Servers |
            Select-Object -ExpandProperty Name

foreach( $dc in $DCs ) 
{ 
    if ((Invoke-Command -ComputerName $dc -Credential $creds {(Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -Name "Strict Replication Consistency")."Strict Replication Consistency"}) -ne 1)
    {
        Write-Host "Strict Replication Consistency key is empty! on $DC. Creating it now..."
        Invoke-Command -ComputerName $dc -Credential $creds {Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -Name "Strict Replication Consistency" -Value 1 -Force}
    }
}

I’m missing the part where you configure the $creds variable. You could do this:

$creds = get-credential

Which prompts for your credentials.

Very cool worked! Thanks Sonny
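An added example, not code from any poster in this thread: the same check run as one audit pass over all DCs, with local values passed into the remote script block through `$using:` (PowerShell 3.0 or later) and the write limited to DCs whose value is not 1. The `$Remediate` flag and the report object layout are assumptions of this example.

```powershell
# Added example. $creds comes from Get-Credential as in the thread;
# $Remediate and the report layout are assumptions of this example.
$creds     = Get-Credential
$Remediate = $false   # audit only until the report has been reviewed

$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$name = 'Strict Replication Consistency'

$DCs = [DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest() |
    Select-Object -ExpandProperty Sites |
        Select-Object -ExpandProperty Servers |
            Select-Object -ExpandProperty Name

# One fan-out call: -ComputerName accepts an array. -Credential belongs here,
# on the remoting cmdlet, not on the registry cmdlets inside the script block.
$report = Invoke-Command -ComputerName $DCs -Credential $creds -ErrorAction SilentlyContinue -ScriptBlock {
    # $using: copies the caller's variables into the remote session.
    $p = $using:path
    $n = $using:name
    $item = Get-ItemProperty -Path $p -Name $n -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Present = [bool]$item                            # $false when the value does not exist
        Value   = if ($item) { $item.$n } else { $null }
    }
}

# Remoting adds PSComputerName to every returned object.
$report | Sort-Object PSComputerName | Format-Table PSComputerName, Present, Value

# DCs that returned nothing were unreachable or denied access; do not count them as compliant.
$noAnswer = $DCs | Where-Object { $report.PSComputerName -notcontains $_ }
if ($noAnswer) { Write-Warning "No result from: $($noAnswer -join ', ')" }

# Same condition as the thread's code: anything other than 1 gets set to 1.
$toFix = @($report | Where-Object { $_.Value -ne 1 } | Select-Object -ExpandProperty PSComputerName)
if ($Remediate -and $toFix.Count -gt 0) {
    Invoke-Command -ComputerName $toFix -Credential $creds -ScriptBlock {
        Set-ItemProperty -Path $using:path -Name $using:name -Value 1 -Type DWord
    }
}
```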