RepoMirrors/DSInternals
1
0
Fork 0
mirror of https://github.com/MichaelGrafnetter/DSInternals synced 2025-04-01 22:48:52 +00:00
Code Issues Packages Projects Releases Wiki Activity
e8816f1e4b
DSInternals/Documentation/PowerShell/Set-ADDBBootKey.md
Michael Grafnetter cfbaf0af94 Updated cmdlet documentation
2019-09-08 00:58:45 +02:00

3.0 KiB
Raw Blame History

external help file Module Name online version schema
DSInternals.PowerShell.dll-Help.xml DSInternals https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/PowerShell/Set-ADDBBootKey.md 2.0.0

Set-ADDBBootKey

SYNOPSIS

Re-encrypts a ntds.dit file with a new BootKey/SysKey.

SYNTAX

Set-ADDBBootKey -OldBootKey <Byte[]> [-NewBootKey <Byte[]>] -DatabasePath <String> [-LogPath <String>]
 [<CommonParameters>]

DESCRIPTION

Decrypts the password encryption key list from the pekList domain attribute using the current/old boot key and re-encrypts it using a new one. This might be useful during some DC restore operations. Note that this procedure is highly unsupported by Microsoft.

EXAMPLES

Example 1

PS C:\> Set-ADDBBootKey -DatabasePath 'C:\Backup\Active Directory\ntds.dit' `
                        -LogPath 'C:\Backup\Active Directory' `
                        -OldBootKey 610bc29e6f62ca7004e9872cd51a0116 `
                        -NewBootKey 6ffec6b70dc863db1906a5507c0576ee

Re-encrypts the ntds.dit file with a new boot key.

PARAMETERS

-DatabasePath

Specifies the path to a domain database, for instance, C:\Windows\NTDS\ntds.dit.

Type: String
Parameter Sets: (All)
Aliases: Database, DBPath, DatabaseFilePath, DBFilePath

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-LogPath

Specifies the path to a directory where the transaction log files are located. For instance, C:\Windows\NTDS. The default log directory is the one that contains the database file itself.

Type: String
Parameter Sets: (All)
Aliases: Log, TransactionLogPath

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-NewBootKey

Specifies the new boot key (AKA system key) that will be used to re-encrypt the password encryption key (pekList) stored in the target Active Directory database.

Type: Byte[]
Parameter Sets: (All)
Aliases: NewKey, New, NewSysKey

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-OldBootKey

Specifies the current boot key (AKA system key) that will be used to decrypt the password encryption key (pekList) stored in the target Active Directory database.

Type: Byte[]
Parameter Sets: (All)
Aliases: OldKey, Old, OldSysKey

Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

None

OUTPUTS

None

NOTES

RELATED LINKS

Get-BootKey New-ADDBRestoreFromMediaScript