Ntdsutil.exe and the Microsoft Active Directory Curtis Clay III Charleta McKoy Windows 2000 Directory Services Team Microsoft Corporation The Ntdsutil Tool Ntdsutil.exe is a command-line tool that provides management facilities for Microsoft® Active Directory™ By default, Ntdsutil is located in the \\Winnt\System32 folder 2 Uses for Ntdsutil 3 Authoritative Restore Used to recover deleted or missing objects from Active Directory Performed in DS Restore mode Offers the ability to restore an entire database or a single object Note: This command is used only in DS Restore mode 4 Authoritative Restore: Commands 5 Domain Management Allows Enterprise Administrators to pre-create cross-reference and server objects in the directory Note: This command is used only in DS Restore mode 6 Domain Management: Commands 7 Domain Management: Commands (2) Add NC Replica %s %s Create NC %s %s Remove NC Replica %s %s List List NC information %s List NC Replicas %s Pre-create %s %s Delete NC %s Set NC Reference Domain %s %s Set NC Replicate Notification Delay %s %d %d 8 Files Provides commands for managing the directory service data and log files Ntds.dit is the file that holds the database for the Active Directory ESENT is a transacted database system Uses log files to ensure that transactions are committed to the database Note: This command is used only in DS Restore mode 9 Files: Commands 10 IP Deny List Used to deny LDAP access to specific clients based on a specific IP address Note: This command is used only in DS Restore mode 11 IP Deny List: Commands 12 LDAP Policies Used to specify operational limits for a number of Lightweight Directory Access Protocol (LDAP) operations These limits prevent specific operations from adversely impacting the performance of the server Also makes the server resilient to denial of service attacks Note: This command is used only in DS Restore mode 13 LDAP Policies Defaults InitRecvTimeout Initial receive time-out (120 seconds) MaxConnections Maximum number of open connections (5,000) MaxConnIdleTime Maximum amount of time a connection can be idle (900 seconds) MaxActiveQueries Maximum number of queries that can be active at one time (20) MaxNotificationPerConnection Maximum number of notifications that a client can request for a given connection (5) MaxPageSize Maximum page size supported for LDAP responses (1,000 records) 14 LDAP Policies Defaults (2) MaxQueryDuration Maximum length of time the domain controller can execute a query (120 seconds) MaxTempTableSize Maximum size of temporary storage allocated to execute queries (10,000 records) MaxResultSetSize Maximum size of the LDAP Result Set (262144 bytes) MaxPoolThreads Maximum number of threads created by the domain controller for query execution (4 per processor) MaxDatagramRecv Maximum number of datagrams that can be processed by the domain controller simultaneously (1024) 15 LDAP Policies: Commands 16 Metadata Cleanup Used to remove data or objects from the Active Directory database The directory service maintains various metadata for each domain and server known to the forest 17 Metadata Cleanup: Commands 18 Connections: Commands 19 Roles Used to manage the placement of FSMO roles within the Active Directory 20 FSMO Roles - Scope Enterprise Wide Roles Domain naming Schema Domain Wide Roles PDC emulator Relative identifier Infrastructure 21 FSMO Roles An operations master role can only be moved by administrative involvement, it is not moved automatically Operations master roles require two forms of management: Controlled transfer Seizure 22 Roles - Commands 23 Security Account Management This option is used (rarely) to resolve duplicate relative identifiers on a domain Note: This command is used only in DS Restore mode 24 Security Account Management Commands 25 Semantic Database Analysis Analyzes the data with respect to Active Directory semantics It generates reports on the number of records present, including deleted and phantom records 26 Semantic Database Analysis Commands 27 Automate Ntdsutil Commands Ntdsutil can be scripted The following commands allow for silent operation: popups no - no user interaction popups yes - full user interaction 28 Resources Appendix C - Active Directory Diagnostic Tool (Ntdsutil.exe) http://www.microsoft.com/technet/treeview/d efault.asp?url=/TechNet/prodtechnol/window s2000serv/reskit/distsys/part5/dsgappc.asp 29 Additional Documentation Q230306 “How to Remove Orphaned Domains from Active Directory” http://support.microsoft.com/support/kb/artic les/q230/3/06.asp Q216498 “How to Remove Data in the Active Directory After an Unsuccessful Domain Controller Demotion” http://support.microsoft.com/support/kb/artic les/q216/4/98.asp Q257420 “How to Move the Ntds.dit File or Log Files” http://support.microsoft.com/support/kb/artic les/q257/4/20.asp 30 Additional Documentation (2) Q241594 “How to Perform an Authoritative Restore to a Domain Controller” http://support.microsoft.com/support/kb/artic les/q241/5/94.asp Q232122 “Offline Defragmentation of the Active Directory Database” http://support.microsoft.com/support/kb/artic les/q232/1/22.asp Q255504 “Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller” http://support.microsoft.com/support/kb/artic les/q255/5/04.asp 31 Additional Documentation (3) Q234790 “How to Find FSMO Role Holders (Servers)” http://support.microsoft.com/support/kb/artic les/q234/7/90.asp 32 Thank you for joining us for today’s Microsoft Support WebCast. For information about all upcoming Support WebCasts and access to the archived content (streaming media files, PowerPoint slides, and transcripts), please visit: http://support.microsoft.com/webcasts/ We sincerely appreciate your feedback. Please send any comments or suggestions regarding the Support WebCasts to feedback@microsoft.com and include “Support WebCasts” in the subject line.