Set-ADDomain

Modify an Active Directory domain.

Syntax
      Set-ADDomain [-Identity] ADDomain
         [-Add hashtable] [-Clear string[]] [-Remove hashtable]
            [-Replace hashtable] [-AllowedDNSSuffixes hashtable]
               [-AuthType {Negotiate | Basic}] [-Credential PSCredential]
                  [-LastLogonReplicationInterval TimeSpan]
                     [-ManagedBy ADPrincipal] [-PassThru] [-Server string]
                        [-Confirm] [-WhatIf] [CommonParameters]

      Set-ADDomain -Instance ADDomain [-AllowedDNSSuffixes hashtable]
             [-AuthType {Negotiate | Basic}] [-Credential PSCredential]
                [-LastLogonReplicationInterval TimeSpan]
                   [-ManagedBy ADPrincipal] [-PassThru] [-Server string]
                      [-Confirm] [-WhatIf] [CommonParameters]

Key
   -Add hashtable
       Values to add to an object property.
       Use this for properties that cannot be modified using a cmdlet parameter.
       To modify an object property, use the LDAP provider name.
       Specify multiple values as a comma-separated list of values.
       Specify more than one property by separating them with a semicolon.
       The format for this parameter is:
          -Add @{Attribute1LDAPName=value1, value2,... ; Attribute2LDAPName=value1, value2,... }

       If the -Add, -Remove, -Replace and -Clear parameters are used together, the operations
       will always be performed in the order: -Remove then -Add then -Replace then -Clear

   -AllowedDNSSuffixes hashtable
       Modify the list of domain name server (DNS) suffixes that are allowed in a domain.
       This parameter sets the value of the msDS-AllowedDNSSuffixes attribute of the domainDNS object.
         Syntax to add, remove, replace, or clear DNS suffix values:

         To add values:
           -AllowedDNSSuffixes @{Add=value1,value2,...}

         To remove values:
           -AllowedDNSSuffixes @{Remove=value3,value4,...}

         To replace values:
           -AllowedDNSSuffixes @{Replace=value1,value2,...}
 
         To clear all values:
           -AllowedDNSSuffixes $null

       Specify more than one change using a list separated by semicolons: 
          @{Add=value1,value2,...};@{Remove=value3,value4,...}

       If the -Add, -Remove, -Replace and -Clear parameters are used together, the operations
       will always be performed in the order: -Remove then -Add then -Replace then -Clear

       Example of adding and removing DNS suffixes for a domain:
          -AllowedDNSSuffixes @{Add="corp.contoso.com","SS64.com"};@{Remove="corpnet.SS64.com"}

   -AuthType {Negotiate | Basic}
       The authentication method to use: Negotiate (or 0), Basic (or 1)
       A Secure Sockets Layer (SSL) connection is required for Basic authentication.

   -Clear string[]
       An array of object properties that will be cleared.
       Use this parameter to clear properties that cannot be modified using a cmdlet parameter.
       To modify an object property, use the LDAP provider name.
       Modify more than one property by specifying a comma-separated list.

       Example: Clear the value for the Phone-Office-Other attribute (LDAP provider name: 'otherTelephone')

          -Clear otherTelephone

       If the -Add, -Remove, -Replace and -Clear parameters are used together, the operations
       will always be performed in the order: -Remove then -Add then -Replace then -Clear

   -Credential PSCredential
       The user account credentials to use to perform this task.
       The default credentials are those of the currently logged on user unless the
       cmdlet is run from an Active Directory PowerShell provider drive.
       If the cmdlet is run from such a provider drive, the account associated with the drive is the default.

       Type a user name, such as "User64" or "Domain64\User64" or specify a
       PSCredential object such as one generated by Get-Credential 

       If a user name is specified, the cmdlet will prompt for a password.

    -Identity ADDomain
       An AD domain object. Provide one of the following values:
       (The identifier in parentheses is the LDAP provider name for the attribute.)

          Distinguished Name
            Example: DC=aberdeen,DC=SS64,DC=com
          GUID (objectGUID)
            Example: 599c3d2e-f72d-4d20-8a88-030d92495f22
          Security Identifier (objectSid)
            Example: S-1-5-21-3164297888-301567370-
          DNS domain name
            Example: aberdeen.SS64.com
          NetBIOS domain name
            Example: aberdeen

       The cmdlet searches the default naming context or partition to find the object.
       If two or more objects are found, the cmdlet returns a non-terminating error.

       This parameter can also get this object through the pipeline or you can set this
       parameter to an object instance.

       This example shows how to set the parameter to a DNS domain name.
          -Identity "aberdeen.SS64.com"

       This example shows how to set this parameter to a domain object instance named "domainInstance".
          -Identity $domainInstance

   -Instance ADDomain
       Specifies a modified copy of a domain object to use to update the actual AD domain object.
       When this parameter is used, any modifications made to the modified copy of the object are
       also made to the corresponding AD object. This will only update the object properties that have changed.

       The -Instance parameter can only update domain objects that have been retrieved with Get-ADDomain.
       When -Instance is specified, you cannot specify other parameters that set properties on the object.

       Example
          # Retrieve a local instance of the object.
          $domainInstance = Get-ADDomain -Identity "SS64domain"
          # Modify one or more properties of the object instance.
          $domainInstance.ManagedBy = "JaneJacobsGroup"
          # Save the changes
          Set-ADDomain -Instance $domainInstance

   -LastLogonReplicationInterval TimeSpan
       The time, in days, within which the last logon time of an account must be replicated
       across all domain controllers in the domain.
       This parameter sets the LastLogonReplicationInterval property for a domain.
       The LDAP provider name (ldapDisplayName) for this property is msDS-LogonTimeSyncInterval.

       The last logon replication interval must be at least one day.
       Setting this replication interval to a low value can significantly increase domain-wide replication.

   -ManagedBy ADPrincipal
       The user or group that manages the object by providing one of the following property values.
       Note: The identifier in parentheses is the LDAP provider name for the property.

          Distinguished Name
            Example: CN=demo1,OU=Europe,CN=Users,DC=corp,DC=ss64,DC=com
          GUID (objectGUID)
            Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
          Security Identifier (objectSid)
            Example: S-1-5-64-3265277888-301567356-523410843-1244
          SAM Account Name (sAMAccountName)
            Example: demo1

       This parameter sets the Active Directory attribute with an LDAP provider Name of "managedBy".

   -PassThru
       Returns the new or modified object.
       By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output.

   -Remove hashtable
       Remove values from an object property.
       Use this for properties that cannot be modified using a cmdlet parameter.
       To modify an object property, use the LDAP provider name.
       Specify multiple values as a comma-separated list of values.
       Specify more than one property by separating them with a semicolon.
       The format for this parameter is:
          -Remove @{Attribute1LDAPName=value1, value2,... ; Attribute2LDAPName=value1, value2,... }

       If the -Add, -Remove, -Replace and -Clear parameters are used together, the operations
       will always be performed in the order: -Remove then -Add then -Replace then -Clear

   -Replace hashtable
       Replace values for an object property.
       Use this for properties that cannot be modified using a cmdlet parameter.
       To modify an object property, use the LDAP provider name.
       Specify multiple values as a comma-separated list of values.
       Specify more than one property by separating them with a semicolon.
       The format for this parameter is:
          -Replace @{Attribute1LDAPName=value1, value2,... ; Attribute2LDAPName=value1, value2,... }

       If the -Add, -Remove, -Replace and -Clear parameters are used together, the operations
       will always be performed in the order: -Remove then -Add then -Replace then -Clear

   -Server string
       The AD Domain Services instance to connect to, this may be a Fully qualified domain name,
       NetBIOS name, Fully qualified directory server name (with or without port number)

   -Confirm
       Prompt for confirmation before executing the command.

   -WhatIf
       Describe what would happen if you executed the command, without actually executing the command.

Set-ADDomain modifies the properties of an AD domain. Commonly used property values may be set using the cmdlet parameters; other property values can be modified by using the -Add, -Replace, -Clear and -Remove parameters.

The -Identity parameter specifies the domain to modify. Specify a domain by its distinguished name (DN), GUID, security identifier (SID), DNS domain name, or NetBIOS name.

The -Instance parameter provides a way to update a domain object by applying the changes made to a copy of the domain object. When you set the -Instance parameter to a copy of an AD domain object that has been modified, Set-ADDomain can then save the changes to the original domain object. To get a copy of the object to modify, use Get-ADDomain. When you specify the -Instance parameter you should not pass the identity parameter.

The following examples show how to modify the ManagedBy property of a domain object by using three methods:
- By specifying the -Identity and the -ManagedBy parameters
- By passing a domain object through the pipeline and specifying the -ManagedBy parameter
- By specifying the -Instance parameter.

Method 1: Modify the ManagedBy property for the Aberdeen domain by using the -Identity and -ManagedBy parameters.

Set-ADDomain -Identity Aberdeen -ManagedBy JaneJacobs

Method 2: Modify the ManagedBy property for the Aberdeen domain by passing the Aberdeen domain through the pipeline and specifying the -ManagedBy parameter.

Get-ADDomain Aberdeen | Set-ADDomain -ManagedBy JaneJacobs

Method 3: Modify the ManagedBy property for the Aberdeen domain by using the PowerShell command line to modify a local instance of the Aberdeen domain. Then set the -Instance parameter to the local instance.

$domain = Get-ADDomain Aberdeen
$domain.ManagedBy = "JaneJacobs"
Set-ADDomain -Instance $domain

Examples

Set the value of AllowedDNSSuffixes to {"SS64.com","corp.SS64.com"} in domain "SS64":

PS C:\> Set-ADDomain -Identity SS64 -AllowedDNSSuffixes @{Replace="SS64.com","corp.SS64.com"}

Add the value "corp.ss64.com" to the AllowedDNSSuffixes in domain "SS64":

PS C:\> Set-ADDomain -Identity SS64 -AllowedDNSSuffixes @{Add="corp.SS64.com"}

Set the ManagedBy property in domain "SS64":

PS C:\> Set-ADDomain -Identity SS64 -ManagedBy 'CN=Domain Admins,CN=Users,DC=SS64,DC=COM'
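
A change to the allowed DNS suffix list is domain-wide, so it is worth computing the exact delta and previewing it before it is written. The following is an added example, not part of the original page: the function name Sync-AllowedDnsSuffix is hypothetical, the domain and suffix values are the page's sample names, and it assumes Add and Remove can be passed as keys of a single hashtable.

```powershell
# Added example: reconcile AllowedDNSSuffixes against a reviewed list.
# Sync-AllowedDnsSuffix is a hypothetical helper; 'SS64' and the suffixes are sample values.
Import-Module ActiveDirectory

function Sync-AllowedDnsSuffix {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $Identity,
        [Parameter(Mandatory)] [string[]] $Desired
    )

    # Read the current state first so only the difference is written.
    $domain  = Get-ADDomain -Identity $Identity
    $current = @($domain.AllowedDNSSuffixes | Where-Object { $_ })

    # -notin compares case-insensitively, which suits DNS names.
    $toAdd    = @($Desired | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $Desired })

    if ($toAdd.Count -eq 0 -and $toRemove.Count -eq 0) {
        Write-Verbose "AllowedDNSSuffixes on $($domain.DNSRoot) already matches."
        return
    }

    # Include only the operations that have values; an empty list is never sent.
    $change = @{}
    if ($toAdd.Count    -gt 0) { $change['Add']    = $toAdd }
    if ($toRemove.Count -gt 0) { $change['Remove'] = $toRemove }

    $action = "Add: [$($toAdd -join ', ')]  Remove: [$($toRemove -join ', ')]"
    if ($PSCmdlet.ShouldProcess($domain.DNSRoot, $action)) {
        Set-ADDomain -Identity $domain -AllowedDNSSuffixes $change

        # Re-read from the directory to confirm what was actually stored.
        (Get-ADDomain -Identity $Identity).AllowedDNSSuffixes
    }
}

# Preview the delta without writing anything:
Sync-AllowedDnsSuffix -Identity SS64 -Desired 'SS64.com','corp.SS64.com' -WhatIf

# Apply once the preview matches the approved change:
# Sync-AllowedDnsSuffix -Identity SS64 -Desired 'SS64.com','corp.SS64.com' -Verbose
```

Running with -WhatIf prints the computed Add and Remove lists and leaves the domain object untouched.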

“In order to be an immaculate member of a flock of sheep, one must above all be a sheep oneself” ~ Albert Einstein

Related PowerShell Cmdlets

Get-ADDomain - Get an AD domain.
Get-ADDomainController - Get one or more AD domain controllers, based on name or search criteria.


 
Copyright © 1999-2024 SS64.com
Some rights reserved