SearchWindowsServer.com

A closer look at the Ntdsutil command-line tools for Active Directory

By Gary Olsen

Part one reviewed the Ntdsutil utility in Windows Server 2008 and R2 and the changes made since Windows 2000. This article continues the discussion with a deeper look at some of the most useful Ntdsutil commands, with details on how they work and what they can do for administrators.

Let’s look at a more detailed breakdown of the Ntdsutil commands in Windows Server 2008 to help further your understanding of the tool’s capabilities.

Ntdsutil: Metadata cleanup 
This option is easily the most commonly used of all Ntdsutil commands, at least in my experience. It has been around since Windows 2000 and provides operations to clean up Active Directory objects after a manual dcpromo operation. Ntdsutil metadata cleanup requires the use of the connections menu to connect to a domain controller.

Metadata cleanup also requires you to specify the site, domain, naming context and server in order to locate the object that is to be removed. This is done with the Select operation target (SelOT) command in the metadata cleanup menu. For example, if I want to remove ATL-DC4, I can issue a “?” command at the SelOT prompt to see the options, as shown in Figure 4.

Figure 4: Using the SelOT command

In order to select the site, domain and server, you must list each and get a “reference number” to use in the corresponding select command. Here is how to do it:

Figure 5: Sample outcome of SelOT command

Figure 6: Server Remove Confirmation Dialog
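The walk-through above (connect, select the target, remove the server) can also be driven non-interactively by passing the same menu commands to ntdsutil.exe as arguments. The script below is an added example and is not from the article: it wraps the removal in a pre-check (the stale DC must really be unreachable) and a post-check (no NTDS Settings object left, no replication partner left). ATL-DC4 is the server named in the article; the site “Atlanta”, the domain corp.com and the surviving DC ATL-DC1 are assumed placeholders, and the verification step assumes the ActiveDirectory module from Windows Server 2008 R2 RSAT.

```powershell
# Added example, not from the article: scripted metadata cleanup of a
# decommissioned DC, mirroring the interactive session (metadata cleanup
# -> connections -> connect -> remove selected server), with a check
# before and after.  All names are placeholders except ATL-DC4.
Import-Module ActiveDirectory

$StaleDc   = 'ATL-DC4'
$Site      = 'Atlanta'
$DomainDn  = 'DC=corp,DC=com'
$ConnectTo = 'ATL-DC1.corp.com'   # healthy DC the cleanup is run against

# The server object whose NTDS Settings "remove selected server" deletes;
# this DN is what the numbered selections under SelOT resolve to.
$ServerDn = "CN=$StaleDc,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$DomainDn"

# Pre-check: metadata cleanup is for a DC that is gone for good.  Refuse
# to continue if the host still answers, so a live DC is never removed.
if (Test-Connection -ComputerName "$StaleDc.corp.com" -Count 1 -Quiet) {
    throw "$StaleDc still responds; demote it with dcpromo instead of cleaning it up"
}

# Same menus as the interactive session.  Each quoted string is one
# Ntdsutil command; "popups off" suppresses the Figure 6 confirmation
# dialog, which is why the pre-check above comes first.
& ntdsutil.exe 'popups off' 'metadata cleanup' 'connections' `
    "connect to server $ConnectTo" 'quit' `
    "remove selected server $ServerDn" 'quit' 'quit'

# Post-check 1: no nTDSDSA (NTDS Settings) object may remain under the
# server container.
$ntdsSettings = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' `
    -SearchBase $ServerDn -Server $ConnectTo -ErrorAction SilentlyContinue
if ($ntdsSettings) { throw "NTDS Settings for $StaleDc still exist; cleanup did not complete" }

# Post-check 2: the stale DC should no longer be a replication partner of
# the surviving DC (no output from this line means it is gone).
repadmin /showrepl $ConnectTo | Select-String -SimpleMatch $StaleDc
```

Run it from an elevated prompt on a machine that can reach the surviving DC; the DN form of “remove selected server” replaces the numbered list/select steps shown in Figures 4 and 5, and the two post-checks are what you would otherwise confirm by hand in Sites and Services and with repadmin.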

Ntdsutil: Files
The Files command requires AD DS to be stopped. A few of the useful commands here include:

While these aren’t everyday commands, the Integrity and Checksum options are handy if you see database errors pop up in the event logs. You can combine these with the semantic database check, which tests database consistency.

Ntdsutil: Semantic database analysis
This very powerful command is actually quite simple to use. Anytime I see database errors reported in the event log, I run this check. There is really only one command I use with this option:

Semantic Checker: Go Fixup

This command does a full consistency check pretty quickly and, from my experience, has successfully repaired the database time after time. There are no guarantees that this will fix a given database problem, but it certainly won’t hurt anything. You can use it with the database repair options noted in the Ntdsutil: Files section above.
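Both the Files menu checks and the semantic checker need AD DS stopped, so in practice they are run together as one offline maintenance pass. The following script is an added example, not from the article: it stops AD DS, runs the Files menu's Integrity check and then the semantic checker's Go Fixup, captures the output to a log, and restarts AD DS and whatever depended on it. It assumes Windows Server 2008 or later (restartable AD DS) and the default instance name ntds; the log path is a placeholder.

```powershell
# Added example, not from the article: offline consistency pass chaining
# Files -> integrity with semantic database analysis -> go fixup.
$log = "C:\Windows\Temp\ntds-check-{0:yyyyMMddHHmmss}.log" -f (Get-Date)

# Both menus need AD DS stopped.  -Force also stops whatever depends on
# NTDS (KDC, DNS, ISM, DFSR/NtFrs); remember which ones were running so
# they can be brought back afterwards.
$dependents = (Get-Service -Name NTDS).DependentServices |
    Where-Object { $_.Status -eq 'Running' }
Stop-Service -Name NTDS -Force

try {
    # 1) ESE-level integrity check of ntds.dit (Files menu).
    & ntdsutil.exe 'activate instance ntds' 'files' 'integrity' 'quit' 'quit' 2>&1 |
        Out-File -FilePath $log -Append

    # 2) Directory-level semantic check with repair (the article's Go Fixup).
    #    "verbose on" makes the checker list every object it touches.
    & ntdsutil.exe 'activate instance ntds' 'semantic database analysis' `
        'verbose on' 'go fixup' 'quit' 'quit' 2>&1 |
        Out-File -FilePath $log -Append
}
finally {
    # Always bring the directory back, then the services that were
    # stopped along with it.
    Start-Service -Name NTDS
    $dependents | ForEach-Object { Start-Service -Name $_.Name -ErrorAction SilentlyContinue }
}

# Read the captured output rather than trusting an exit code: integrity
# reports whether the ESE check passed, and the semantic checker lists
# what it found and fixed.
Get-Content $log | Select-String -Pattern 'error|fail|fix|successful'
```

The try/finally matters more than it looks: if Go Fixup throws or the console is closed mid-run, the DC must still come back up with its dependent services, otherwise a database check turns into an outage.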

Ntdsutil: Group membership evaluation
This option dumps the security identifiers (SIDs) in the security token for a user or group. There are some old Resource Kit tools for this, but it’s nice to have it built into Ntdsutil. Using this requires the Set Global Catalog or Set Resource DC command to define the GC/DC to use for this operation.

Run Corp.com olseng

It will proceed through a five-stage process and dump the results to a text file such as C:\olseng-20110217024622.tsv that contains all the security information.

Ntdsutil: Roles
This is the fastest way to view, seize and transfer Flexible Single Master Operations (FSMO) roles. Here are a few tips for using this command:

Figure 7: FSMO Maintenance menu

Note that any seize operation will automatically try to do a transfer first. The nice thing about Ntdsutil is that you can manage all FSMO roles from one spot.
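Because a transfer or seize changes who answers for a role forest- or domain-wide, it is worth recording the holders before and after. The script below is an added example, not from the article: it moves the PDC Emulator and RID Master to a new holder through the Roles menu and verifies the result. ATL-DC2 and corp.com are assumed placeholders; verification uses the ActiveDirectory module (netdom query fsmo shows the same information on servers without it).

```powershell
# Added example, not from the article: transfer two FSMO roles through
# the Roles menu and verify the holders moved.
Import-Module ActiveDirectory

$NewHolder = 'ATL-DC2.corp.com'                      # placeholder
$Transfers = 'transfer PDC', 'transfer RID master'   # Roles-menu commands

function Get-FsmoHolders {
    # Forest-wide roles live on Get-ADForest, domain roles on Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    New-Object PSObject -Property @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

$before = Get-FsmoHolders

# roles -> connections -> connect to the *new* holder -> quit -> one
# transfer per role -> quit -> quit.  "transfer" asks the current holder
# to hand over cleanly; "seize" (same menu) is only for a holder that is
# permanently gone and, as the article notes, attempts a transfer first.
$ntdsArgs = @('popups off', 'roles', 'connections', "connect to server $NewHolder", 'quit') +
            $Transfers + @('quit', 'quit')
& ntdsutil.exe @ntdsArgs

$after = Get-FsmoHolders
foreach ($role in 'PDCEmulator', 'RIDMaster') {
    "{0,-20} {1} -> {2}" -f $role, $before.$role, $after.$role
    if ($after.$role -ne $NewHolder) { Write-Warning "$role was not transferred to $NewHolder" }
}
```

Connecting to the new holder (not the old one) is the part people get backwards: Ntdsutil transfers roles to the server the connections menu is pointed at.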

Ntdsutil: IFM
The Install From Media function is new in Windows Server 2008 and enables the building of a new domain controller with the dcpromo /ADV command much faster than in Windows 2003. Prior to this option, a backup of a DC was required, after which the restored files would be moved to the local media of the server to be promoted. The dcpromo /ADV command produces a prompt to use static restore files for initial promotion rather than going over the network. Figure 8 shows the IFM menu options, as well as an example of the creation of a full instance. Options included here are:

Figure 8: Ntdsutil IFM snapshot

IFM creates a snapshot -- defragging the database first -- and stores it in a path of your choosing on the disk.

Create sysvol full c:\adbackup

In C:\adbackup, there will be three directories -- Active Directory, Registry and SYSVOL -- with the files to be used by dcpromo.

IFM makes it easy to get the Active Directory sources for installation from an existing DC as well as a simple copy to the server to be promoted (or re-promoted). This is very handy for promoting a server as a new or recovered DC. Once dcpromo finishes, replication will get it up to date. It is important to note that a read-only domain controller (RODC) instance can be created on a read/write DC, but only an RODC instance can be created from an RODC itself.

As you can see, Ntdsutil is very powerful. There are many more options available that I don’t have space here to discuss. Just remember that things like security, account management, partition management, LDAP policies and other options used for AD LDS partitions are all very handy commands, but Ntdsutil can also be very risky. It usually comes with warning messages to protect you from yourself. Just make sure you know what you are doing when you hit the Enter key.

Part one: Getting started with Ntdsutil


ABOUT THE AUTHOR
Gary Olsen is a systems software engineer for Hewlett-Packard in Global Solutions Engineering. He authored Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers. Gary is a Microsoft MVP for Directory Services and formerly for Windows File Systems.

22 Feb 2011
