AD CS: DumpADObj.ps1 Script for Cross-forest Certificate Enrollment
Applies To: Windows Server 2008 R2, Windows Server 2008 R2 with SP1
Use DumpADObj.ps1 to display attribute values of an object in the specified Active Directory Domain Services (AD DS) forest.
In cross-forest Active Directory Certificate Services (AD CS) deployments, use DumpADObj.ps1 to troubleshoot certificate enrollment or PKI object synchronization problems.
The program LDIFDE.EXE is required for DumpADObj.ps1 to access objects in AD DS.
Saving DumpADObj.ps1
To save DumpADObj.ps1 to a file
Click Copy Code at the top of the code section.
Start Notepad.
On the Edit menu, click Paste.
On the File menu, click Save.
Type a path for the file, type the file name DumpADObj.ps1, and click Save.
# This script dumps certificate template/CA information using ldifde.exe
# Command line arguments
$ForestName = ""
$DCName = ""
$ObjectType = ""
$ObjectName = ""
$OutFile = ""
function ParseCommandLine()
{
if (10 -gt $Script:args.Count)
{
write-warning "Not enough arguments"
Usage
exit 87
}
for($i = 0; $i -lt $Script:args.Count; $i++)
{
switch($Script:args[$i].ToLower())
{
-forest
{
$i++
$Script:ForestName = $Script:args[$i]
}
-dc
{
$i++
$Script:DCName = $Script:args[$i]
}
-type
{
$i++
$Script:ObjectType = $Script:args[$i]
}
-cn
{
$i++
$Script:ObjectName = $Script:args[$i]
}
-file
{
$i++
$Script:OutFile = $Script:args[$i]
}
default
{
write-warning ("Unknown parameter: " + $Script:args[$i])
Usage
exit 87
}
}
}
}
function Usage()
{
write-host ""
write-host "Script to display attribute values of certificate template or CA object in AD"
write-host ""
write-host "dumpadobj.ps1 -forest <DNS name> -dc <DC name> -type <template|CA> -cn <Name> -file <output file>"
write-host ""
write-host "-forest -- DNS of the forest to process object from"
write-host "-dc -- DNS or NetBios name of the DC to target"
write-host "-type -- Template or CA"
write-host "-cn -- Template or CA name"
write-host "-file -- Output file"
write-host ""
}
#########################################################
# Main script code
#########################################################
# All errors are fatal by default unless there is anoter 'trap' with 'continue'
trap
{
write-error "The script has encountered a fatal error. Terminating script."
break
}
ParseCommandLine
write-host ""
write-host "Effective settings:"
write-host ""
write-host " Forest: $ForestName"
write-host " DC: $DCName"
write-host " Type: $ObjectType"
write-host " Name: $ObjectName"
write-host " File: $OutFile"
write-host ""
# Set type specific variables
switch($ObjectType.ToLower())
{
"template"
{
$ObjectContainerCN = ",CN=Certificate Templates"
$ObjectSchema = "pKICertificateTemplate"
}
"ca"
{
$ObjectContainerCN = ",CN=Enrollment Services"
$ObjectSchema = "pKIEnrollmentService"
}
default
{
write-warning ("Unknown object type: " + $ObjectType)
Usage
exit 87
}
}
# Build full DN for the object
$ForestDN = "DC=" + $ForestName.Replace(".", ",DC=")
$ObjectFullDN = "CN=" + $ObjectName + $ObjectContainerCN + ",CN=Public Key Services,CN=Services,CN=Configuration," + $ForestDN
# Build list of attributes to display
$ForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext Forest, $ForestName
$SchemaDE = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchemaClass]::FindByName($ForestContext, $ObjectSchema).GetDirectoryEntry()
$AttrList = $SchemaDE.systemMayContain
if($null -ne $SchemaDE.mayContain)
{
$MayContain = $SchemaDE.mayContain
foreach($attr in $MayContain)
{
[void]$AttrList.Add($attr)
}
}
if (-1 -eq $AttrList.IndexOf("displayName"))
{
[void]$AttrList.Add("displayName")
}
if (-1 -eq $AttrList.IndexOf("flags"))
{
[void]$AttrList.Add("flags")
}
if ($ObjectType.ToLower().Equals("template") -and -1 -eq $AttrList.IndexOf("revision"))
{
[void]$AttrList.Add("revision")
}
$SB = New-Object System.Text.StringBuilder
for($i = 0; $i -lt $AttrList.Count; $i++)
{
[void]$SB.Append($AttrList[$i])
if($i -lt ($AttrList.Count - 1))
{
[void]$SB.Append(",")
}
}
$AttrListString = $SB.ToString()
# Build command line and execute
$CommandLine = "-d """ + $ObjectFullDN + """ -p Base -l """ + $AttrListString + """ -f """ + $OutFile + """ -s " + $DCName
Invoke-Expression "ldifde.exe $CommandLine" > ldifde.out.txt
type "$OutFile"
Related topics
AD CS: Cross-forest Certificate Enrollment with Windows Server 2008 R2
AD CS: Deploying Cross-forest Certificate Enrollment
AD CS: Managing Cross-forest Certificate Enrollment
AD CS: Troubleshooting Cross-forest Certificate Enrollment
AD CS: PKISync.ps1 Script for Cross-forest Certificate Enrollment