Ntdsutil.exe and the Microsoft Active Directory (Curtis Clay III, Charleta McKoy, Windows 2000 Directory Services Team) - PowerPoint PPT Presentation
Transcript and Presenter's Notes
1
Ntdsutil.exe and the Microsoft Active Directory
Curtis Clay III, Charleta McKoy
Windows 2000 Directory Services Team, Microsoft Corporation
2
The Ntdsutil Tool
  • Ntdsutil.exe is a command-line tool that provides
    management facilities for Microsoft Active
    Directory
  • By default, Ntdsutil is located in the
    \Winnt\System32 folder


3
Uses for Ntdsutil
4
Authoritative Restore
  • Used to recover deleted or missing objects from
    Active Directory
  • Performed in DS Restore mode
  • Offers the ability to restore an entire database
    or a single object
  • Note: This command is used only in DS Restore
    mode

5
Authoritative Restore Commands
6
Domain Management
  • Allows Enterprise Administrators to pre-create
    cross-reference and server objects in the
    directory
  • Note: This command is used only in DS Restore
    mode

7
Domain Management Commands
8
Domain Management Commands (2)
  • Add NC Replica %s %s
  • Create NC %s %s
  • Remove NC Replica %s %s
  • List
  • List NC Information %s
  • List NC Replicas %s
  • Pre-create %s %s
  • Delete NC %s
  • Set NC Reference Domain %s %s
  • Set NC Replicate Notification Delay %s %d %d

9
Files
  • Provides commands for managing the directory
    service data and log files
  • Ntds.dit is the file that holds the database for
    the Active Directory
  • ESENT is a transacted database system
  • Uses log files to ensure that transactions are
    committed to the database
  • Note: This command is used only in DS Restore mode

10
Files Commands
11
IP Deny List
  • Used to deny LDAP access to specific clients
    based on a specific IP address
  • Note: This command is used only in DS Restore mode

12
IP Deny List Commands
13
LDAP Policies
  • Used to specify operational limits for a number
    of Lightweight Directory Access Protocol (LDAP)
    operations
  • These limits prevent specific operations from
    adversely impacting the performance of the server
  • Also makes the server resilient to denial of
    service attacks
  • Note: This command is used only in DS Restore
    mode

14
LDAP Policies Defaults
  • InitRecvTimeout: initial receive time-out (120 seconds)
  • MaxConnections: maximum number of open connections (5,000)
  • MaxConnIdleTime: maximum amount of time a connection can be
    idle (900 seconds)
  • MaxActiveQueries: maximum number of queries that can be
    active at one time (20)
  • MaxNotificationPerConnection: maximum number of notifications
    that a client can request for a given connection (5)
  • MaxPageSize: maximum page size supported for LDAP responses
    (1,000 records)

15
LDAP Policies Defaults (2)
  • MaxQueryDuration: maximum length of time the domain
    controller can execute a query (120 seconds)
  • MaxTempTableSize: maximum size of temporary storage
    allocated to execute queries (10,000 records)
  • MaxResultSetSize: maximum size of the LDAP result set
    (262144 bytes)
  • MaxPoolThreads: maximum number of threads created by the
    domain controller for query execution (4 per processor)
  • MaxDatagramRecv: maximum number of datagrams that can be
    processed by the domain controller simultaneously (1024)
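As an added example (not part of the deck), the following PowerShell reads the forest's default LDAP query policy from Active Directory and flags any limit that no longer matches the defaults listed on the two slides above; it assumes the RSAT ActiveDirectory module, read access to the configuration naming context, and the documented location of the Default Query Policy object, whose lDAPAdminLimits attribute stores each limit as a "Name=Value" string.

```powershell
# Added example (not from the deck): audit the effective LDAP admin limits
# against the defaults listed on the preceding slides.
# Assumes the RSAT ActiveDirectory module and read access to the configuration NC.
Import-Module ActiveDirectory

# Defaults exactly as the slides list them, in the numeric form AD stores.
$SlideDefaults = @{
    InitRecvTimeout              = 120
    MaxConnections               = 5000
    MaxConnIdleTime              = 900
    MaxActiveQueries             = 20
    MaxNotificationPerConnection = 5
    MaxPageSize                  = 1000
    MaxQueryDuration             = 120
    MaxTempTableSize             = 10000
    MaxResultSetSize             = 262144
    MaxPoolThreads               = 4
    MaxDatagramRecv              = 1024
}

function Get-LdapPolicyDeviation {
    param([string]$Server = (Get-ADDomainController -Discover).HostName[0])
    # The forest-wide default query policy lives under the Directory Service container.
    $configNC = (Get-ADRootDSE -Server $Server).configurationNamingContext
    $policyDN = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $policy   = Get-ADObject -Identity $policyDN -Properties lDAPAdminLimits -Server $Server

    # lDAPAdminLimits is multi-valued; each value is "Name=Value".
    $current = @{}
    foreach ($entry in $policy.lDAPAdminLimits) {
        $name, $value = $entry -split '=', 2
        $current[$name] = [int]$value
    }

    # Compare only the limits the slides document; newer OS versions add more.
    foreach ($name in $SlideDefaults.Keys) {
        $actual = $current[$name]
        $status = if ($null -eq $actual) { 'MISSING' }
                  elseif ($actual -ne $SlideDefaults[$name]) { 'CHANGED' }
                  else { 'default' }
        [pscustomobject]@{ Policy = $name; Expected = $SlideDefaults[$name]; Actual = $actual; Status = $status }
    }
}

# Show only the limits that differ from the documented defaults.
Get-LdapPolicyDeviation | Where-Object Status -ne 'default' | Format-Table -AutoSize
```

A domain controller can be bound to a different query policy through the queryPolicyObject attribute of its NTDS Settings object, so check that attribute as well before treating a "default" result as the limits that DC actually enforces.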

16
LDAP Policies Commands
17
Metadata Cleanup
  • Used to remove data or objects from the Active
    Directory database
  • The directory service maintains various metadata
    for each domain and server known to the forest

18
Metadata Cleanup Commands
19
Connections Commands
20
Roles
  • Used to manage the placement of FSMO roles within
    the Active Directory

21
FSMO Roles - Scope
  • Enterprise-wide roles
      • Domain naming
      • Schema
  • Domain-wide roles
      • PDC emulator
      • Relative identifier
      • Infrastructure

22
FSMO Roles
  • An operations master role is moved only through
    administrative action; it is never moved
    automatically
  • Operations master roles require two forms of
    management:
      • Controlled transfer
      • Seizure

23
Roles - Commands
24
Security Account Management
  • This option is used (rarely) to resolve duplicate
    relative identifiers on a domain
  • Note: This command is used only in DS Restore
    mode

25
Security Account Management - Commands
26
Semantic Database Analysis
  • Analyzes the data with respect to Active
    Directory semantics
  • It generates reports on the number of records
    present, including deleted and phantom records

27
Semantic Database Analysis - Commands
28
Automate Ntdsutil Commands
  • Ntdsutil can be scripted
  • The following commands allow for silent
    operation:
      • popups no - no user interaction
      • popups yes - full user interaction
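An added example (not from the deck) of the scripted use described above: a PowerShell wrapper that passes each Ntdsutil menu command as its own argument, forces `popups no` first so no dialog can stall an unattended run, logs everything Ntdsutil prints and checks the exit code; the server name DC01 is a placeholder, and the host is assumed to have the AD DS tools installed and the session to be elevated.

```powershell
# Added example (not from the deck): drive Ntdsutil non-interactively.
# Each Ntdsutil menu command is passed as a separate quoted argument, exactly
# as it would be typed at the ntdsutil: prompt; "popups no" goes first.
function Invoke-NtdsutilBatch {
    param(
        [Parameter(Mandatory)] [string[]]$Commands,
        [string]$LogPath = "$env:TEMP\ntdsutil-$(Get-Date -Format yyyyMMdd-HHmmss).log"
    )
    $ntdsArgs = @('popups no') + $Commands
    # Capture stdout and stderr together so the log shows exactly what was printed.
    $output = & ntdsutil.exe @ntdsArgs 2>&1
    $output | Out-File -FilePath $LogPath -Encoding utf8
    # Ntdsutil does not report every failure through its exit code, so the
    # log should still be reviewed even when this check passes.
    if ($LASTEXITCODE -ne 0) {
        throw "ntdsutil exited with code $LASTEXITCODE; see $LogPath"
    }
    return $output
}

# Print the LDAP policies in force on DC01 (placeholder name). The trailing
# quit commands walk back out of each menu so Ntdsutil terminates on its own.
$dc = 'DC01'
Invoke-NtdsutilBatch -Commands @(
    'ldap policies',
    'connections',
    "connect to server $dc",
    'quit',
    'show values',
    'quit',
    'quit'
)
```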

29
Resources
  • Appendix C - Active Directory Diagnostic Tool
    (Ntdsutil.exe)
    http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/reskit/distsys/part5/dsgappc.asp

30
Additional Documentation
  • Q230306 How to Remove Orphaned Domains from
    Active Directory
    http://support.microsoft.com/support/kb/articles/q230/3/06.asp
  • Q216498 How to Remove Data in the Active
    Directory After an Unsuccessful Domain Controller
    Demotion
    http://support.microsoft.com/support/kb/articles/q216/4/98.asp
  • Q257420 How to Move the Ntds.dit File or Log
    Files
    http://support.microsoft.com/support/kb/articles/q257/4/20.asp

31
Additional Documentation (2)
  • Q241594 How to Perform an Authoritative Restore
    to a Domain Controller
    http://support.microsoft.com/support/kb/articles/q241/5/94.asp
  • Q232122 Offline Defragmentation of the Active
    Directory Database
    http://support.microsoft.com/support/kb/articles/q232/1/22.asp
  • Q255504 Using Ntdsutil.exe to Seize or Transfer
    FSMO Roles to a Domain Controller
    http://support.microsoft.com/support/kb/articles/q255/5/04.asp

32
Additional Documentation (3)
  • Q234790 How to Find FSMO Role Holders
    (Servers)
    http://support.microsoft.com/support/kb/articles/q234/7/90.asp

33
Thank you for joining us for today's Microsoft
Support WebCast. For information about all
upcoming Support WebCasts and access to the
archived content (streaming media files,
PowerPoint slides, and transcripts), please
visit http://support.microsoft.com/webcasts/. We
sincerely appreciate your feedback. Please send
any comments or suggestions regarding the
Support WebCasts to feedback@microsoft.com and
include "Support WebCasts" in the subject line.