Ntdsutil.exe and the Microsoft Active Directory
Curtis Clay III
Charleta McKoy
Windows 2000 Directory Services Team
Microsoft Corporation
The Ntdsutil Tool
Ntdsutil.exe is a command-line tool that provides management facilities for Microsoft® Active Directory™
By default, Ntdsutil is located in the \Winnt\System32 folder
Uses for Ntdsutil
Authoritative Restore
Used to recover deleted or missing objects from Active Directory
Performed in DS Restore mode
Offers the ability to restore an entire database or a single object
Note: This command is used only in DS Restore mode
Authoritative Restore: Commands
Domain Management
Allows Enterprise Administrators to pre-create cross-reference and server objects in the directory
Note: This command is used only in DS Restore mode
Domain Management: Commands
Domain Management: Commands (2)
Add NC Replica %s %s
Create NC %s %s
Remove NC Replica %s %s
List
List NC information %s
List NC Replicas %s
Pre-create %s %s
Delete NC %s
Set NC Reference Domain %s %s
Set NC Replicate Notification Delay %s %d %d
Files
Provides commands for managing the directory service data and log files
Ntds.dit is the file that holds the database for the Active Directory
ESENT is a transacted database system
Uses log files to ensure that transactions are committed to the database
Note: This command is used only in DS Restore mode
Files: Commands
IP Deny List
Used to deny LDAP access to specific clients based on a specific IP address
Note: This command is used only in DS Restore mode
IP Deny List: Commands
LDAP Policies
Used to specify operational limits for a number of Lightweight Directory Access Protocol (LDAP) operations
These limits prevent specific operations from adversely impacting the performance of the server
Also makes the server resilient to denial of service attacks
Note: This command is used only in DS Restore mode
LDAP Policies Defaults
InitRecvTimeout Initial receive time-out (120 seconds)
MaxConnections Maximum number of open connections (5,000)
MaxConnIdleTime Maximum amount of time a connection can be idle (900 seconds)
MaxActiveQueries Maximum number of queries that can be active at one time (20)
MaxNotificationPerConnection Maximum number of notifications that a client can request for a given connection (5)
MaxPageSize Maximum page size supported for LDAP responses (1,000 records)
LDAP Policies Defaults (2)
MaxQueryDuration Maximum length of time the domain controller can execute a query (120 seconds)
MaxTempTableSize Maximum size of temporary storage allocated to execute queries (10,000 records)
MaxResultSetSize Maximum size of the LDAP Result Set (262144 bytes)
MaxPoolThreads Maximum number of threads created by the domain controller for query execution (4 per processor)
MaxDatagramRecv Maximum number of datagrams that can be processed by the domain controller simultaneously (1024)
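A drift check against the defaults listed above, as an added example that is not part of the original slides. It assumes the current policy values have been exported as `Name=Value` strings (the form used by the `lDAPAdminLimits` attribute of the query policy object); the sample input is constructed, and matching names case-insensitively is a leniency of this example.

```python
# Added example: compare exported LDAP policy values with the slide defaults
# and report every limit that is missing, raised, lowered, or unrecognised.

# Defaults exactly as listed on the "LDAP Policies Defaults" slides.
SLIDE_DEFAULTS = {
    "InitRecvTimeout": 120,              # seconds
    "MaxConnections": 5000,
    "MaxConnIdleTime": 900,              # seconds
    "MaxActiveQueries": 20,
    "MaxNotificationPerConnection": 5,
    "MaxPageSize": 1000,                 # records
    "MaxQueryDuration": 120,             # seconds
    "MaxTempTableSize": 10000,           # records
    "MaxResultSetSize": 262144,          # bytes
    "MaxPoolThreads": 4,                 # per processor
    "MaxDatagramRecv": 1024,
}

# Constructed sample input (not taken from a real domain controller).
SAMPLE = [
    "MaxPoolThreads=4", "MaxDatagramRecv=1024", "InitRecvTimeout=120",
    "MaxConnections=5000", "MaxConnIdleTime=900", "MaxActiveQueries=20",
    "MaxNotificationPerConnection=5", "MaxPageSize=50000",
    "MaxQueryDuration=120", "MaxTempTableSize=10000",
    "maxresultsetsize=262144",
]

def parse_limits(values):
    """Parse 'Name=Value' strings into a dict; reject malformed entries."""
    limits = {}
    for raw in values:
        name, sep, value = raw.strip().partition("=")
        if not sep or not name.strip() or not value.strip().isdigit():
            raise ValueError(f"malformed policy entry: {raw!r}")
        limits[name.strip()] = int(value)
    return limits

def audit(limits, defaults=SLIDE_DEFAULTS):
    """Return (name, default, current, finding) for every deviation."""
    by_lower = {k.lower(): v for k, v in limits.items()}
    findings = []
    for name, default in defaults.items():
        current = by_lower.get(name.lower())
        if current is None:
            findings.append((name, default, None, "missing"))
        elif current > default:
            # A raised cap lets one client hold more server resources.
            findings.append((name, default, current, "raised"))
        elif current < default:
            findings.append((name, default, current, "lowered"))
    known = {n.lower() for n in defaults}
    for name, value in limits.items():
        if name.lower() not in known:
            findings.append((name, None, value, "unknown"))
    return findings

if __name__ == "__main__":
    for name, default, current, finding in audit(parse_limits(SAMPLE)):
        print(f"{finding:8} {name}: default={default} current={current}")
```

Entries reported as `raised` are the ones to review first, since the slides describe these limits as what keeps individual operations from degrading the server.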
LDAP Policies: Commands
Metadata Cleanup
Used to remove data or objects from the Active Directory database
The directory service maintains various metadata for each domain and server known to the forest
Metadata Cleanup: Commands
Connections: Commands
Roles
Used to manage the placement of FSMO roles within the Active Directory
FSMO Roles - Scope
Enterprise Wide Roles: Domain naming, Schema
Domain Wide Roles: PDC emulator, Relative identifier, Infrastructure
FSMO Roles
An operations master role can only be moved by administrative involvement; it is not moved automatically
Operations master roles require two forms of management:
Controlled transfer
Seizure
Roles - Commands
Security Account Management
This option is used (rarely) to resolve duplicate relative identifiers on a domain
Note: This command is used only in DS Restore mode
Security Account Management - Commands
Semantic Database Analysis
Analyzes the data with respect to Active Directory semantics
It generates reports on the number of records present, including deleted and phantom records
Semantic Database Analysis - Commands
Automate Ntdsutil Commands
Ntdsutil can be scripted
The following commands allow for silent operation:
popups no - no user interaction
popups yes - full user interaction
Resources
Appendix C - Active Directory Diagnostic Tool (Ntdsutil.exe) http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/reskit/distsys/part5/dsgappc.asp
Additional Documentation
Q230306 “How to Remove Orphaned Domains from Active Directory” http://support.microsoft.com/support/kb/articles/q230/3/06.asp
Q216498 “How to Remove Data in the Active Directory After an Unsuccessful Domain Controller Demotion” http://support.microsoft.com/support/kb/articles/q216/4/98.asp
Q257420 “How to Move the Ntds.dit File or Log Files” http://support.microsoft.com/support/kb/articles/q257/4/20.asp
Additional Documentation (2)
Q241594 “How to Perform an Authoritative Restore to a Domain Controller” http://support.microsoft.com/support/kb/articles/q241/5/94.asp
Q232122 “Offline Defragmentation of the Active Directory Database” http://support.microsoft.com/support/kb/articles/q232/1/22.asp
Q255504 “Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller” http://support.microsoft.com/support/kb/articles/q255/5/04.asp
Additional Documentation (3)
Q234790 “How to Find FSMO Role Holders (Servers)” http://support.microsoft.com/support/kb/articles/q234/7/90.asp
Thank you for joining us for today’s Microsoft Support WebCast.
For information about all upcoming Support WebCasts and access to the archived content (streaming media files, PowerPoint slides, and transcripts), please visit: http://support.microsoft.com/webcasts/
We sincerely appreciate your feedback. Please send any comments or suggestions regarding the Support WebCasts to [email protected] and include “Support WebCasts” in the subject line.