NTDSutil is a wonderful Windows utility for configuring the heart of Active
Directory. In fact, typing the powerful NTDSutil verbs reminds me of a Unix command line.
With
NTDSutil you get instant access to the Active Directory database. Unlike GUIs, which drive me mad with their 27
'OK' buttons, NTDSutil just does what I say - instantly.
However, because these NTDSutil commands act without the usual Windows operating system checks, I exhort you to practice my examples now, don't wait until you need them in a real disaster recovery. As a
bonus of following my
tutorials, you will discover settings that you did not know existed, for example, choose a new password for DSRM (Directory Service Restore Mode).
Begin by logging on at a Windows Server (2003 best). I suggest that you create a new folder to hold any logs that NTDSutil creates, for example D:\ ntdsutil.
Run a CMD prompt change directory to D: \ntdsutil and at the prompt type, ntdsutil. Unsurprisingly, the actual executable is called ntdsutil.exe and is found in the %systemroot%\system32 folder.
With this knowledge, you could copy that ndtsutil.exe file onto
another operating system if necessary.
Key NTDSutil command
When you are experimenting with NTDSutil, if you get stuck remember these four little words, they will make the difference between success and frustration: Connect to Server BigServer (Substitute your server for
BigServer) Don't shorten the command to: Connect BigServer (Remember the words 'to' and 'server').
If
ever you are stuck in NTDSutil, simply type help.
Your mission probably involves using ntdsutil for metadata cleanup duty,
the most common task is an authoritative restore of Active Directory.
Authoritative Restore - Major project, needs careful planning
see more here.
Configurable Settings - Not very interesting.
Domain Management - Specialist area. Create Naming Contexts and add replicas to the Application Directory Partition of DNS.
Files -
Available only if you boot the server into Directory Restore Mode. Checks the integrity of NTDS.DIT and moves associated databases.
Roles = FSMO Maintenance. Which Domain Controller has which Single Operations Master? Seize roles
such as PDC Emulator. Good news, for once you do get a message detailing the transfer you are about to make. My advice is to use Roles in conjunction with netdom or the Active Directory Snap-ins. My point is I could not find a way of displaying who holds which
FSMO role with NTDSutil.
Reset DSRM password. If you don't know the server's Directory Service account password, then here is your change to
reset to a password that you will remember.
Security Account Management. Check for duplicate SIDs,
another classic Ntdsutil metadata cleanup task.
Guy Recommends: A Free Trial of the Network Performance Monitor
(NPM)
SolarWinds'
Network Performance Monitor
will help you discover what's happening on your network. This
utility will also guide you through troubleshooting; the dashboard will
indicate whether the root cause is a broken link, faulty equipment or
resource overload.
Perhaps the NPM's best feature is the way it suggests solutions to network
problems. Its second best feature is the ability to monitor the health of individual VMware
virtual machines. If you are interested in troubleshooting, and creating network maps, then I recommend that you
give this Network Performance Monitor a try.
Let us start gently and check for duplicate SIDs. This experiment is more for gaining experience of the NTDSutil interface than the probability of finding any duplicate SIDs. This
is what I typed at the command prompt, my commands are in bold:
E:\ntdsutil>ntdsutil ntdsutil: security account management Security Account Maintenance: connect to server BigServer Security Account
Maintenance: check duplicate sid ... Duplicate SID check completed successfully. Check dupsid.log for any duplicates Security Account Maintenance:
Tutorial Leaning Points
1) In the above session I typed the full command security accounts management. However you can shorten commands thus: 'sec acc man'
Incidentally, I am
inventing these shorthand commands in the sense that NTDSutil also understands: sec ac ma or even 'secu a m'. NTDSutil's brain works by analysing your letters and if there is only one possible
interpretation then it fills in the gaps and returns the service that you asked for. For example plain, 'se' will not work because there is another command which begins with se, Semantic....
2)
When the command prompt shows, Security Accounts Maintenance: Here is where you must type: 'connect to server BigServer'. Be aware that even though I am sitting at BigServer's console, I must remember this command : connect to server xyz.
3)
When I type the instruction, 'Check Duplicate SID', don't ask me why, but you cannot shorten the command to 'chk dup sd'. Please
just accept you need the full words here.
4) As ever, read the screen and take note of dupsid.log. However, you have to quit NTDSutil, or use Explorer before you can attempt to read dupsid.log. My
point is that you cannot issue a command : 'notepad dupsid.log' from within NTDSutil.
Monitor Your Network with the Real-time Traffic Analyzer
The best job for this free monitor is to check at a glance which
of
your servers are available. If there is a network problem you
want an interface to show the scope of the problem immediately.
Even when all servers and routers are available, sooner or later you will be curious to
know who, or what, is hogging the precious network's bandwidth. A GUI
showing the top 10 users makes interesting reading.
Another reason to monitor network traffic is to learn more about your
server's response times and the consumption of resources. To take the pain out of
capturing frames and analysing the raw data, Guy recommends that you download a copy of
the SolarWinds
free Real-time NetFlow Analyzer.
Here is where I challenge you to perform a real task. Once upon a time, when your Windows server 2003 was first installed, setup asked the installer for a separate directory service restore mode password.
90% of administrators ignored the box or forgot the password. 50% of Administrator's don't realize that this Directory Services Restore Mode password is different from the normal Administrator password.
The two can get out of synch because they are stored in separate databases.
Now is your chance to reset the password that will be required if ever you need to restart the server in Active Directory Restore Mode. In many ways, this is such an
insignificant job, in other ways it saves frustration of being thwarted by not having the administrative password for this context.
E:\ntdsutil>ntdsutil ntdsutil: set dsrm password Reset DSRM Administrator Password: reset password on server BigServer Please type
password for DS Restore Mode Administrator Account: ******** Please confirm new password: ******** Password has been set successfully.
1) The key command type: 'reset password on BigServer' If NTDSutil replies with: 'Please type password for DS Restore Mode', then you know you are in
the correct place.
2) To escape from NTDSutil you need just type quit, possibly 2 or three times to get back to the command prompt.
NTDSutil is a powerful command line tool to clean-up metadata. Take every opportunity to practice its Unix-like commands. If you practice with NTDSutil then you will be prepared for that day when you need to employ NTDSutil for disaster recovery tasks
such as an Authoritative Restore.
If you like this page then please share it with your friends
Guy Recommends:
SolarWinds' NPM - Network Performance Monitor
SolarWinds' performance monitor is designed for detecting network outages,
making it easy to see what's working, and what needs your attention.
This utility guides you through creating network maps; it also helps
identifying whether the
root cause is faulty equipment, or resource overload. Give NPM a try.
If
ever you are stuck in NTDSutil, simply type help.
