Ntdsutil.exe and the Microsoft Active Directory Curtis Clay III Charleta McKoy Windows 2000 Directory Services Team Microsoft Corporation.


1 Ntdsutil.exe and the Microsoft Active Directory
Curtis Clay III, Charleta McKoy
Windows 2000 Directory Services Team, Microsoft Corporation

2 The Ntdsutil Tool
• Ntdsutil.exe is a command-line tool that provides management facilities for Microsoft® Active Directory™
• By default, Ntdsutil is located in the \Winnt\System32 folder

3 Uses for Ntdsutil

4 Authoritative Restore
• Used to recover deleted or missing objects from Active Directory
• Performed in DS Restore mode
• Offers the ability to restore an entire database or a single object
• Note: This command is used only in DS Restore mode

5 Authoritative Restore: Commands

6 Domain Management
• Allows Enterprise Administrators to pre-create cross-reference and server objects in the directory
• Note: This command is used only in DS Restore mode

7 Domain Management: Commands

8 Domain Management: Commands (2)
• Add NC Replica %s %s
• Create NC %s %s
• Remove NC Replica %s %s
• List
• List NC information %s
• List NC Replicas %s
• Pre-create %s %s
• Delete NC %s
• Set NC Reference Domain %s %s
• Set NC Replicate Notification Delay %s %d %d

9 Files
• Provides commands for managing the directory service data and log files
• Ntds.dit is the file that holds the database for the Active Directory
• ESENT is a transacted database system
  - Uses log files to ensure that transactions are committed to the database
• Note: This command is used only in DS Restore mode

10 Files: Commands

11 IP Deny List
• Used to deny LDAP access to specific clients based on a specific IP address
• Note: This command is used only in DS Restore mode

12 IP Deny List: Commands

13 LDAP Policies
• Used to specify operational limits for a number of Lightweight Directory Access Protocol (LDAP) operations
• These limits prevent specific operations from adversely impacting the performance of the server
• Also makes the server resilient to denial of service attacks
• Note: This command is used only in DS Restore mode

14 LDAP Policies Defaults
• InitRecvTimeout: Initial receive time-out (120 seconds)
• MaxConnections: Maximum number of open connections (5,000)
• MaxConnIdleTime: Maximum amount of time a connection can be idle (900 seconds)
• MaxActiveQueries: Maximum number of queries that can be active at one time (20)
• MaxNotificationPerConnection: Maximum number of notifications that a client can request for a given connection (5)
• MaxPageSize: Maximum page size supported for LDAP responses (1,000 records)

15 LDAP Policies Defaults (2)
• MaxQueryDuration: Maximum length of time the domain controller can execute a query (120 seconds)
• MaxTempTableSize: Maximum size of temporary storage allocated to execute queries (10,000 records)
• MaxResultSetSize: Maximum size of the LDAP Result Set (262144 bytes)
• MaxPoolThreads: Maximum number of threads created by the domain controller for query execution (4 per processor)
• MaxDatagramRecv: Maximum number of datagrams that can be processed by the domain controller simultaneously (1024)
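
Added example, not part of the original presentation: a Python check that compares exported LDAP policy values with the defaults listed on slides 14 and 15 and flags limits that were raised, since a raised limit loosens the denial-of-service protection described on slide 13. It assumes the policy has been exported as Name=Value strings; the function names and the sample export are constructed for illustration.

```python
# Defaults exactly as listed on the two "LDAP Policies Defaults" slides.
SLIDE_DEFAULTS = {
    "InitRecvTimeout": 120,             # seconds
    "MaxConnections": 5000,
    "MaxConnIdleTime": 900,             # seconds
    "MaxActiveQueries": 20,
    "MaxNotificationPerConnection": 5,
    "MaxPageSize": 1000,                # records
    "MaxQueryDuration": 120,            # seconds
    "MaxTempTableSize": 10000,          # records
    "MaxResultSetSize": 262144,         # bytes
    "MaxPoolThreads": 4,                # per processor
    "MaxDatagramRecv": 1024,
}

# Constructed sample (assumption: limits are exported as "Name=Value" strings).
SAMPLE_EXPORT = [
    "MaxPageSize=50000", "maxqueryduration=120", "MaxConnIdleTime=300",
    "MaxActiveQueries=", "MaxReceiveBuffer=10485760",  # last one: not on the slides
]


def audit_ldap_limits(entries):
    """Map each limit to (status, value): default/raised/lowered/malformed/unknown/missing."""
    by_lower = {name.lower(): name for name in SLIDE_DEFAULTS}
    findings = {}
    for raw in entries:
        name, sep, value = (part.strip() for part in raw.partition("="))
        canonical = by_lower.get(name.lower())
        if canonical is None:
            # A limit the slides do not list: report it, do not judge it.
            findings[name or raw] = ("unknown", value or None)
        elif not sep or not value.isdigit():
            findings[canonical] = ("malformed", value or None)
        else:
            number, default = int(value), SLIDE_DEFAULTS[canonical]
            status = ("default" if number == default
                      else "raised" if number > default else "lowered")
            findings[canonical] = (status, number)
    for name in SLIDE_DEFAULTS:
        findings.setdefault(name, ("missing", None))
    return findings


def weakened(findings):
    """Limits needing review: raised above the slide default, or unparseable."""
    return sorted(n for n, (s, _) in findings.items() if s in ("raised", "malformed"))
```

Calling `weakened(audit_ldap_limits(SAMPLE_EXPORT))` lists the limits to review first; lowered values are stricter than the default and are reported separately because they can break legitimate clients.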

16 LDAP Policies: Commands

17 Metadata Cleanup
• Used to remove data or objects from the Active Directory database
• The directory service maintains various metadata for each domain and server known to the forest

18 Metadata Cleanup: Commands

19 Connections: Commands

20 Roles
• Used to manage the placement of FSMO roles within the Active Directory

21 FSMO Roles - Scope
Enterprise Wide Roles
• Domain naming
• Schema
Domain Wide Roles
• PDC emulator
• Relative identifier
• Infrastructure

22 FSMO Roles
• An operations master role can only be moved by administrative involvement; it is not moved automatically
• Operations master roles require two forms of management:
  - Controlled transfer
  - Seizure

23 Roles - Commands

24 Security Account Management
• This option is used (rarely) to resolve duplicate relative identifiers on a domain
• Note: This command is used only in DS Restore mode

25 Security Account Management - Commands

26 Semantic Database Analysis
• Analyzes the data with respect to Active Directory semantics
• It generates reports on the number of records present, including deleted and phantom records

27 Semantic Database Analysis - Commands

28 Automate Ntdsutil Commands
• Ntdsutil can be scripted
• The following commands allow for silent operation:
  - popups no - no user interaction
  - popups yes - full user interaction

29 Resources
• Appendix C - Active Directory Diagnostic Tool (Ntdsutil.exe)
  http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/reskit/distsys/part5/dsgappc.asp

30 Additional Documentation
• Q230306 “How to Remove Orphaned Domains from Active Directory”
  http://support.microsoft.com/support/kb/articles/q230/3/06.asp
• Q216498 “How to Remove Data in the Active Directory After an Unsuccessful Domain Controller Demotion”
  http://support.microsoft.com/support/kb/articles/q216/4/98.asp
• Q257420 “How to Move the Ntds.dit File or Log Files”
  http://support.microsoft.com/support/kb/articles/q257/4/20.asp

31 Additional Documentation (2)
• Q241594 “How to Perform an Authoritative Restore to a Domain Controller”
  http://support.microsoft.com/support/kb/articles/q241/5/94.asp
• Q232122 “Offline Defragmentation of the Active Directory Database”
  http://support.microsoft.com/support/kb/articles/q232/1/22.asp
• Q255504 “Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller”
  http://support.microsoft.com/support/kb/articles/q255/5/04.asp

32 Additional Documentation (3)
• Q234790 “How to Find FSMO Role Holders (Servers)”
  http://support.microsoft.com/support/kb/articles/q234/7/90.asp

33 Thank you for joining us for today’s Microsoft Support WebCast. For information about all upcoming Support WebCasts and access to the archived content (streaming media files, PowerPoint slides, and transcripts), please visit: http://support.microsoft.com/webcasts/ We sincerely appreciate your feedback. Please send any comments or suggestions regarding the Support WebCasts to feedback@microsoft.com and include “Support WebCasts” in the subject line.

