Title: Ntdsutil'exe and the Microsoft Active Directory Curtis Clay III Charleta McKoy Windows 2000 Director
1Ntdsutil.exe and the Microsoft Active Directory
Curtis Clay IIICharleta McKoyWindows 2000
Directory Services TeamMicrosoft Corporation
2The Ntdsutil Tool
- Ntdsutil.exe is a command-line tool that provides
management facilities for Microsoft Active
Directory - By default, Ntdsutil is located in the
\\Winnt\System32 folder
3Uses for Ntdsutil
4Authoritative Restore
- Used to recover deleted or missing objects from
Active Directory - Performed in DS Restore mode
- Offers the ability to restore an entire database
or a single object - Note This command is used only in DS Restore
mode
5Authoritative Restore Commands
6Domain Management
- Allows Enterprise Administrators to pre-create
cross-reference and server objects in the
directory - Note This command is used only in DS Restore
mode
7Domain Management Commands
8Domain Management Commands (2)
- Add NC Replica s s
- Create NC s s
- Remove NC Replica s s
- List
- List NC information s
- List NC Replicas s
- Pre-create s s
- Delete NC s
- Set NC Reference Domain s s
- Set NC Replicate Notification Delay s d d
9Files
- Provides commands for managing the directory
service data and log files - Ntds.dit is the file that holds the database for
the Active Directory - ESENT is a transacted database system
- Uses log files to ensure that transactions are
committed to the database - Note This command is used only in DS Restore mode
10Files Commands
11IP Deny List
- Used to deny LDAP access to specific clients
based on a specific IP address - Note This command is used only in DS Restore mode
12IP Deny List Commands
13LDAP Policies
- Used to specify operational limits for a number
of Lightweight Directory Access Protocol (LDAP)
operations - These limits prevent specific operations from
adversely impacting the performance of the server - Also makes the server resilient to denial of
service attacks - Note This command is used only in DS Restore
mode
14LDAP Policies Defaults
- InitRecvTimeout
- Initial receive time-out (120 seconds)
- MaxConnections
- Maximum number of open connections (5,000)
- MaxConnIdleTime
- Maximum amount of time a connection can be idle
(900 seconds) - MaxActiveQueries
- Maximum number of queries that can be active at
one time (20) - MaxNotificationPerConnection
- Maximum number of notifications that a client can
request for a given connection (5) - MaxPageSize
- Maximum page size supported for LDAP responses
(1,000 records)
15LDAP Policies Defaults (2)
- MaxQueryDuration
- Maximum length of time the domain controller can
execute a query (120 seconds) - MaxTempTableSize
- Maximum size of temporary storage allocated to
execute queries (10,000 records) - MaxResultSetSize
- Maximum size of the LDAP Result Set (262144
bytes) - MaxPoolThreads
- Maximum number of threads created by the domain
controller for query execution (4 per processor) - MaxDatagramRecv
- Maximum number of datagrams that can be processed
by the domain controller simultaneously (1024)
16LDAP Policies Commands
17Metadata Cleanup
- Used to remove data or objects from the Active
Directory database - The directory service maintains various metadata
for each domain and server known to the forest
18Metadata Cleanup Commands
19Connections Commands
20Roles
- Used to manage the placement of FSMO roles within
the Active Directory
21FSMO Roles - Scope
- Enterprise Wide Roles
- Domain naming
- Schema
- Domain Wide Roles
- PDC emulator
- Relative identifier
- Infrastructure
22FSMO Roles
- An operations master role can only be moved by
administrative involvement, it is not moved
automatically - Operations master roles require two forms of
management - Controlled transfer
- Seizure
23Roles - Commands
24Security Account Management
- This option is used (rarely) to resolve duplicate
relative identifiers on a domain - Note This command is used only in DS Restore
mode
25Security Account Management - Commands
26Semantic Database Analysis
- Analyzes the data with respect to Active
Directory semantics - It generates reports on the number of records
present, including deleted and phantom records
27Semantic Database Analysis - Commands
28Automate Ntdsutil Commands
- Ntdsutil can be scripted
- The following commands allow for silent
operation - popups no - no user interaction
- popups yes - full user interaction
29Resources
- Appendix C - Active Directory Diagnostic Tool
(Ntdsutil.exe) http//www.microsoft.com/technet/t
reeview/default.asp?url/TechNet/prodtechnol/windo
ws2000serv/reskit/distsys/part5/dsgappc.asp
30Additional Documentation
- Q230306 How to Remove Orphaned Domains from
Active Directory http//support.microsoft.com/sup
port/kb/articles/q230/3/06.asp - Q216498 How to Remove Data in the Active
Directory After an Unsuccessful Domain Controller
Demotion http//support.microsoft.com/support/kb
/articles/q216/4/98.asp - Q257420 How to Move the Ntds.dit File or Log
Files http//support.microsoft.com/support/kb/ar
ticles/q257/4/20.asp
31Additional Documentation (2)
- Q241594 How to Perform an Authoritative Restore
to a Domain Controller http//support.microsoft.
com/support/kb/articles/q241/5/94.asp - Q232122 Offline Defragmentation of the Active
Directory Database http//support.microsoft.com/
support/kb/articles/q232/1/22.asp - Q255504 Using Ntdsutil.exe to Seize or Transfer
FSMO Roles to a Domain Controller
http//support.microsoft.com/support/kb/articles/q
255/5/04.asp
32Additional Documentation (3)
- Q234790 How to Find FSMO Role Holders
(Servers) http//support.microsoft.com/support/kb
/articles/q234/7/90.asp
33Thank you for joining us for todays Microsoft
Support WebCast. For information about all
upcoming Support WebCasts and access to the
archived content (streaming media files,
PowerPoint slides, and transcripts), please
visit http//support.microsoft.com/webcasts/ We
sincerely appreciate your feedback. Please send
any comments or suggestions regarding the
Support WebCasts to feedback_at_microsoft.com and
include Support WebCasts in the subject line.