Ntdsutil.exe and the Microsoft Active Directory

Curtis Clay III
Charleta McKoy
Windows 2000 Directory Services Team
Microsoft Corporation
The Ntdsutil Tool

Ntdsutil.exe is a command-line tool that provides management facilities for Microsoft® Active Directory™.
By default, Ntdsutil is located in the \Winnt\System32 folder.

Uses for Ntdsutil

Authoritative Restore

Used to recover deleted or missing objects from Active Directory.
Performed in DS Restore mode.
Offers the ability to restore an entire database or a single object.
Note: This command is used only in DS Restore mode.

Authoritative Restore: Commands

Domain Management

Allows Enterprise Administrators to pre-create cross-reference and server objects in the directory.
Note: This command is used only in DS Restore mode.

Domain Management: Commands

Domain Management: Commands (2)

Add NC Replica %s %s
Create NC %s %s
Remove NC Replica %s %s
List
List NC information %s
List NC Replicas %s
Pre-create %s %s
Delete NC %s
Set NC Reference Domain %s %s
Set NC Replicate Notification Delay %s %d %d

Files

Provides commands for managing the directory service data and log files.
Ntds.dit is the file that holds the database for the Active Directory.
ESENT is a transacted database system; it uses log files to ensure that transactions are committed to the database.
Note: This command is used only in DS Restore mode.

Files: Commands

IP Deny List

Used to deny LDAP access to specific clients based on a specific IP address.
Note: This command is used only in DS Restore mode.

IP Deny List: Commands

LDAP Policies

Used to specify operational limits for a number of Lightweight Directory Access Protocol (LDAP) operations.
These limits prevent specific operations from adversely impacting the performance of the server.
They also make the server resilient to denial of service attacks.
Note: This command is used only in DS Restore mode.

LDAP Policies Defaults

InitRecvTimeout: Initial receive time-out (120 seconds)
MaxConnections: Maximum number of open connections (5,000)
MaxConnIdleTime: Maximum amount of time a connection can be idle (900 seconds)
MaxActiveQueries: Maximum number of queries that can be active at one time (20)
MaxNotificationPerConnection: Maximum number of notifications that a client can request for a given connection (5)
MaxPageSize: Maximum page size supported for LDAP responses (1,000 records)

LDAP Policies Defaults (2)

MaxQueryDuration: Maximum length of time the domain controller can execute a query (120 seconds)
MaxTempTableSize: Maximum size of temporary storage allocated to execute queries (10,000 records)
MaxResultSetSize: Maximum size of the LDAP Result Set (262144 bytes)
MaxPoolThreads: Maximum number of threads created by the domain controller for query execution (4 per processor)
MaxDatagramRecv: Maximum number of datagrams that can be processed by the domain controller simultaneously (1024)

LDAP Policies: Commands

Metadata Cleanup

Used to remove data or objects from the Active Directory database.
The directory service maintains various metadata for each domain and server known to the forest.

Metadata Cleanup: Commands

Connections: Commands

Roles

Used to manage the placement of FSMO roles within the Active Directory.

FSMO Roles - Scope

Enterprise Wide Roles:
Domain naming
Schema

Domain Wide Roles:
PDC emulator
Relative identifier
Infrastructure

FSMO Roles

An operations master role can only be moved by administrative involvement; it is not moved automatically.
Operations master roles require two forms of management:
Controlled transfer
Seizure

Roles - Commands

Security Account Management

This option is used (rarely) to resolve duplicate relative identifiers on a domain.
Note: This command is used only in DS Restore mode.

Security Account Management Commands

Semantic Database Analysis

Analyzes the data with respect to Active Directory semantics.
It generates reports on the number of records present, including deleted and phantom records.

Semantic Database Analysis Commands

Automate Ntdsutil Commands

Ntdsutil can be scripted.
The following commands allow for silent operation:
popups no - no user interaction
popups yes - full user interaction

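As an added example (not code from the slides or from Microsoft), the PowerShell script below drives Ntdsutil non-interactively, passing each menu command as a quoted argument, and compares the LDAP policy values a domain controller reports with the defaults listed on the LDAP Policies Defaults slides. The server name $DcName is a placeholder, and the "Show Values" output is assumed to list one "PolicyName value" pair per line.

```powershell
# Added example: audit a DC's LDAP policies against the slide defaults.
param([string]$DcName = "DC01")   # placeholder; replace with a real DC

# Defaults exactly as listed on the LDAP Policies Defaults slides.
# MaxPoolThreads is stated as "4 per processor"; ntdsutil reports the
# per-processor figure, so 4 is the value compared here (assumption).
$Defaults = @{
    InitRecvTimeout              = 120
    MaxConnections               = 5000
    MaxConnIdleTime              = 900
    MaxActiveQueries             = 20
    MaxNotificationPerConnection = 5
    MaxPageSize                  = 1000
    MaxQueryDuration             = 120
    MaxTempTableSize             = 10000
    MaxResultSetSize             = 262144
    MaxPoolThreads               = 4
    MaxDatagramRecv              = 1024
}

# Each argument is one line fed to ntdsutil; "q" leaves the current menu,
# so no interactive session is needed (the scripting point of the slide).
$raw = & ntdsutil.exe "ldap policies" connections `
        "connect to server $DcName" q "show values" q q 2>&1

# Parse "Name   value" lines into a hashtable of current values.
$Current = @{}
foreach ($line in $raw) {
    if ($line -match '^\s*(InitRecvTimeout|Max\w+)\s+(\d+)') {
        $Current[$Matches[1]] = [int]$Matches[2]
    }
}

# Report each policy: default, changed, or not reported by this DC.
foreach ($name in ($Defaults.Keys | Sort-Object)) {
    if (-not $Current.ContainsKey($name)) {
        "{0,-30} not reported" -f $name
        continue
    }
    $state = if ($Current[$name] -eq $Defaults[$name]) { "default" }
             else { "CHANGED (default $($Defaults[$name]))" }
    "{0,-30} {1,8}  {2}" -f $name, $Current[$name], $state
}
```

A value reported as CHANGED is not necessarily wrong, but it is worth confirming against change records, since raising limits such as MaxPageSize or MaxQueryDuration weakens the denial-of-service protection the LDAP Policies slide describes.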
Resources

Appendix C - Active Directory Diagnostic Tool (Ntdsutil.exe)
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/reskit/distsys/part5/dsgappc.asp

Additional Documentation

Q230306 “How to Remove Orphaned Domains from Active Directory”
http://support.microsoft.com/support/kb/articles/q230/3/06.asp
Q216498 “How to Remove Data in the Active Directory After an Unsuccessful Domain Controller Demotion”
http://support.microsoft.com/support/kb/articles/q216/4/98.asp
Q257420 “How to Move the Ntds.dit File or Log Files”
http://support.microsoft.com/support/kb/articles/q257/4/20.asp

Additional Documentation (2)

Q241594 “How to Perform an Authoritative Restore to a Domain Controller”
http://support.microsoft.com/support/kb/articles/q241/5/94.asp
Q232122 “Offline Defragmentation of the Active Directory Database”
http://support.microsoft.com/support/kb/articles/q232/1/22.asp
Q255504 “Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller”
http://support.microsoft.com/support/kb/articles/q255/5/04.asp

Additional Documentation (3)

Q234790 “How to Find FSMO Role Holders (Servers)”
http://support.microsoft.com/support/kb/articles/q234/7/90.asp

Thank you for joining us for today’s Microsoft Support WebCast.
For information about all upcoming Support WebCasts and access to the archived content (streaming media files, PowerPoint slides, and transcripts), please visit:
http://support.microsoft.com/webcasts/
We sincerely appreciate your feedback. Please send any comments or suggestions regarding the Support WebCasts to feedback@microsoft.com and include “Support WebCasts” in the subject line.