Ntdsutil.exe and the Microsoft Active Directory

Curtis Clay III
Charleta McKoy
Windows 2000 Directory Services Team
Microsoft Corporation

Upload: alban-gibbs

Post on 23-Dec-2015


Page 1: Ntdsutil.exe and the Microsoft Active Directory Curtis Clay III Charleta McKoy Windows 2000 Directory Services Team Microsoft Corporation


Page 2

The Ntdsutil Tool

Ntdsutil.exe is a command-line tool that provides management facilities for Microsoft® Active Directory™.

By default, Ntdsutil is located in the \Winnt\System32 folder.

Page 3

Uses for Ntdsutil

Page 4

Authoritative Restore

Used to recover deleted or missing objects from Active Directory.

Performed in DS Restore mode.

Offers the ability to restore an entire database or a single object.

Note: This command is used only in DS Restore mode.

Page 5

Authoritative Restore: Commands

Page 6

Domain Management

Allows Enterprise Administrators to pre-create cross-reference and server objects in the directory.

Note: This command is used only in DS Restore mode.

Page 7

Domain Management: Commands

Page 8

Domain Management: Commands (2)

Add NC Replica %s %s
Create NC %s %s
Remove NC Replica %s %s
List
List NC information %s
List NC Replicas %s
Pre-create %s %s
Delete NC %s
Set NC Reference Domain %s %s
Set NC Replicate Notification Delay %s %d %d

Page 9

Files

Provides commands for managing the directory service data and log files.

Ntds.dit is the file that holds the database for the Active Directory.

ESENT is a transacted database system. It uses log files to ensure that transactions are committed to the database.

Note: This command is used only in DS Restore mode.

Page 10

Files: Commands

Page 11

IP Deny List

Used to deny LDAP access to specific clients based on a specific IP address.

Note: This command is used only in DS Restore mode.

Page 12

IP Deny List: Commands

Page 13

LDAP Policies

Used to specify operational limits for a number of Lightweight Directory Access Protocol (LDAP) operations.

These limits prevent specific operations from adversely impacting the performance of the server.

Also makes the server resilient to denial of service attacks.

Note: This command is used only in DS Restore mode.

Page 14

LDAP Policies Defaults

InitRecvTimeout: Initial receive time-out (120 seconds)
MaxConnections: Maximum number of open connections (5,000)
MaxConnIdleTime: Maximum amount of time a connection can be idle (900 seconds)
MaxActiveQueries: Maximum number of queries that can be active at one time (20)
MaxNotificationPerConnection: Maximum number of notifications that a client can request for a given connection (5)
MaxPageSize: Maximum page size supported for LDAP responses (1,000 records)

Page 15

LDAP Policies Defaults (2)

MaxQueryDuration: Maximum length of time the domain controller can execute a query (120 seconds)
MaxTempTableSize: Maximum size of temporary storage allocated to execute queries (10,000 records)
MaxResultSetSize: Maximum size of the LDAP Result Set (262,144 bytes)
MaxPoolThreads: Maximum number of threads created by the domain controller for query execution (4 per processor)
MaxDatagramRecv: Maximum number of datagrams that can be processed by the domain controller simultaneously (1,024)
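As an added example (not from the slides or from Microsoft), a Python check that compares the policy values a domain controller reports against the defaults on the two slides above and flags any that loosen the denial-of-service limits; the one-"PolicyName value"-per-line input format is an assumption and the sample output is constructed.

```python
# Added example, not from the slides: compare LDAP policy values a domain
# controller reports with the Windows 2000 defaults on the slides and flag any
# that loosen the denial-of-service limits. The "PolicyName value" line format
# is an assumption; the sample below is constructed.
# For every policy here a larger value lets one client hold more server
# resources for longer, except MaxPoolThreads, which only changes capacity.
DEFAULTS = {
    "InitRecvTimeout": 120,           # seconds
    "MaxConnections": 5000,
    "MaxConnIdleTime": 900,           # seconds
    "MaxActiveQueries": 20,
    "MaxNotificationPerConnection": 5,
    "MaxPageSize": 1000,              # records
    "MaxQueryDuration": 120,          # seconds
    "MaxTempTableSize": 10000,        # records
    "MaxResultSetSize": 262144,       # bytes
    "MaxPoolThreads": 4,              # per processor
    "MaxDatagramRecv": 1024,
}
CAPACITY_ONLY = {"MaxPoolThreads"}

def parse_policy_output(text):
    """Parse 'Name value' lines; skip headers, blanks and unknown names."""
    values = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in DEFAULTS and parts[1].isdigit():
            values[parts[0]] = int(parts[1])
    return values

def audit_ldap_policies(observed):
    """Return {policy: 'default'|'looser'|'tighter'|'changed'|'missing'}."""
    report = {}
    for name, default in DEFAULTS.items():
        if name not in observed:
            report[name] = "missing"   # not reported: query the DC directly
        elif observed[name] == default:
            report[name] = "default"
        elif name in CAPACITY_ONLY:
            report[name] = "changed"   # capacity, not a per-client limit
        elif observed[name] > default:
            report[name] = "looser"    # more resources per client than default
        else:
            report[name] = "tighter"
    return report

# Constructed sample output: an administrator raised two of the limits.
SAMPLE = "Policy  Current(New)\n\nMaxPoolThreads 4\nMaxQueryDuration 600\n" \
         "MaxPageSize 1000\nMaxConnections 20000\n"
REPORT = audit_ldap_policies(parse_policy_output(SAMPLE))  # 2 x "looser"
```

Policies that come back "missing" were not in the captured output and should be read from the domain controller directly rather than assumed to be at default.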

Page 16

LDAP Policies: Commands

Page 17

Metadata Cleanup

Used to remove data or objects from the Active Directory database.

The directory service maintains various metadata for each domain and server known to the forest.

Page 18

Metadata Cleanup: Commands

Page 19

Connections: Commands

Page 20

Roles

Used to manage the placement of FSMO roles within the Active Directory.

Page 21

FSMO Roles - Scope

Enterprise Wide Roles:
Domain naming
Schema

Domain Wide Roles:
PDC emulator
Relative identifier
Infrastructure

Page 22

FSMO Roles

An operations master role can only be moved by administrative involvement; it is not moved automatically.

Operations master roles require two forms of management:
Controlled transfer
Seizure

Page 23

Roles - Commands

Page 24

Security Account Management

This option is used (rarely) to resolve duplicate relative identifiers on a domain.

Note: This command is used only in DS Restore mode.

Page 25

Security Account Management - Commands

Page 26

Semantic Database Analysis

Analyzes the data with respect to Active Directory semantics.

It generates reports on the number of records present, including deleted and phantom records.

Page 27

Semantic Database Analysis - Commands

Page 28

Automate Ntdsutil Commands

Ntdsutil can be scripted.

The following commands allow for silent operation:
popups no - no user interaction
popups yes - full user interaction

Page 29

Resources

Appendix C - Active Directory Diagnostic Tool (Ntdsutil.exe)
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/reskit/distsys/part5/dsgappc.asp

Page 30

Additional Documentation

Q230306 “How to Remove Orphaned Domains from Active Directory”
http://support.microsoft.com/support/kb/articles/q230/3/06.asp

Q216498 “How to Remove Data in the Active Directory After an Unsuccessful Domain Controller Demotion”
http://support.microsoft.com/support/kb/articles/q216/4/98.asp

Q257420 “How to Move the Ntds.dit File or Log Files”
http://support.microsoft.com/support/kb/articles/q257/4/20.asp

Page 31

Additional Documentation (2)

Q241594 “How to Perform an Authoritative Restore to a Domain Controller”
http://support.microsoft.com/support/kb/articles/q241/5/94.asp

Q232122 “Offline Defragmentation of the Active Directory Database”
http://support.microsoft.com/support/kb/articles/q232/1/22.asp

Q255504 “Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller”
http://support.microsoft.com/support/kb/articles/q255/5/04.asp

Page 32

Additional Documentation (3)

Q234790 “How to Find FSMO Role Holders (Servers)”
http://support.microsoft.com/support/kb/articles/q234/7/90.asp

Page 33

Thank you for joining us for today’s Microsoft Support WebCast.

For information about all upcoming Support WebCasts and access to the archived content (streaming media files, PowerPoint slides, and transcripts), please visit: http://support.microsoft.com/webcasts/

We sincerely appreciate your feedback. Please send any comments or suggestions regarding the Support WebCasts to [email protected] and include “Support WebCasts” in the subject line.