Windows Server 2003 - NTDSutil Tutorial
NTDSutil Metadata Cleanup Utility
NTDSutil is a wonderful Windows utility for configuring the heart of Active Directory. In fact, typing the powerful NTDSutil verbs reminds me of a Unix command line.
With NTDSutil you get instant access to the Active Directory database. Unlike GUIs, which drive me mad with their 27 'OK' buttons, NTDSutil just does what I say - instantly. However, because these NTDSutil commands act without the usual Windows operating system checks, I exhort you to practice my examples now; don't wait until you need them in a real disaster recovery. As a bonus of following my tutorials, you will discover settings that you did not know existed, for example, how to choose a new password for DSRM (Directory Service Restore Mode).
Tutorial Topics for NTDSutil
Begin by logging on at a Windows Server (2003 best). I suggest that you create a new folder to hold any logs that NTDSutil creates, for example D:\ntdsutil. Open a CMD prompt, change directory to D:\ntdsutil, and at the prompt type ntdsutil. Unsurprisingly, the actual executable is called ntdsutil.exe and is found in the %systemroot%\system32 folder. With this knowledge, you could copy that ntdsutil.exe file onto another operating system if necessary.
Key NTDSutil command
When you are experimenting with NTDSutil, if you get stuck remember these four little words, they will make the difference between success and frustration:
If ever you are stuck in NTDSutil, simply type help.
Your mission probably involves using ntdsutil for metadata cleanup duty; the most common task is an authoritative restore of Active Directory.
Authoritative Restore - Major project, needs careful planning.
Configurable Settings - Not very interesting.
Domain Management - Specialist area. Create Naming Contexts and add replicas to the Application Directory Partition of DNS.
Files - Available only if you boot the server into Directory Restore Mode. Checks the integrity of NTDS.DIT and moves associated databases.
Roles = FSMO Maintenance. Which Domain Controller has which Single Operations Master? Seize roles such as PDC Emulator. Good news, for once you do get a message detailing the transfer you are about to make. My advice is to use Roles in conjunction with netdom or the Active Directory Snap-ins. My point is I could not find a way of displaying who holds which FSMO role with NTDSutil.
Reset DSRM password. If you don't know the server's Directory Service account password, then here is your chance to reset it to a password that you will remember.
Security Account Management. Check for duplicate SIDs, another classic Ntdsutil metadata cleanup task.
Let us start gently and check for duplicate SIDs. This experiment is more for gaining experience of the NTDSutil interface than the probability of finding any duplicate SIDs. This is what I typed at the command prompt, my commands are in bold:
Tutorial Learning Points
1) In the above session I typed the full command security accounts management. However, you can shorten commands thus: 'sec acc man'
Incidentally, I am inventing these shorthand commands in the sense that NTDSutil also understands:
When the command prompt shows, Security Accounts Maintenance:
3) When I type the instruction, 'Check Duplicate SID', don't ask me why, but you cannot shorten the command to 'chk dup sd'. Please just accept you need the full words here.
4) As ever, read the screen and take note of dupsid.log. However, you have to quit NTDSutil, or use Explorer, before you can attempt to read dupsid.log. My point is that you cannot issue a command such as 'notepad dupsid.log' from within NTDSutil.
Here is where I challenge you to perform a real task. Once upon a time, when your Windows Server 2003 was first installed, setup asked the installer for a separate Directory Services Restore Mode password. 90% of administrators ignored the box or forgot the password. 50% of administrators don't realize that this Directory Services Restore Mode password is different from the normal Administrator password. The two can get out of sync because they are stored in separate databases.
Now is your chance to reset the password that will be required if ever you need to restart the server in Active Directory Restore Mode. In many ways, this is such an insignificant job, in other ways it saves frustration of being thwarted by not having the administrative password for this context.
Tutorial Learning Points
1) The key command to type: 'reset password on server BigServer'
2) To escape from NTDSutil you need just type quit, possibly two or three times, to get back to the command prompt.
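The two exercises above (the duplicate SID check and the DSRM password reset) can also be run from a batch file, because ntdsutil accepts each line you would type at its prompts as a quoted command-line argument. This is an added example, not part of the original tutorial: the script name ntds-practice.cmd is hypothetical, BigServer and D:\ntdsutil are the names used on this page, and it assumes dupsid.log is written to the current folder as described above.

```batch
@echo off
rem Added example, not from the original tutorial.
rem Usage: ntds-practice.cmd [ServerName]   (script name is hypothetical)
setlocal

rem Server to work against; defaults to the name used on this page.
set "DC=%~1"
if "%DC%"=="" set "DC=BigServer"

rem Folder suggested in the tutorial for NTDSutil logs.
set "WORKDIR=D:\ntdsutil"
if not exist "%WORKDIR%" mkdir "%WORKDIR%"
cd /d "%WORKDIR%" || exit /b 1

rem Remove any log from an earlier run so that stale results are never read.
if exist dupsid.log del dupsid.log

echo === Duplicate SID check against %DC% ===
rem Each quoted argument is one line typed at an ntdsutil prompt.
rem The two quits leave the sub-menu and then ntdsutil itself.
ntdsutil "security account management" "connect to server %DC%" "check duplicate sid" quit quit

rem ntdsutil has exited at this point, so the log can be read (learning point 4).
if exist dupsid.log (
    type dupsid.log
) else (
    echo dupsid.log was not created in %WORKDIR%
)

echo === Reset the DSRM password on %DC% ===
rem ntdsutil asks for the new password on the console, so the password
rem never appears in this file or on the command line.
ntdsutil "set dsrm password" "reset password on server %DC%" quit quit

endlocal
```

Run it from an account with administrative rights on the domain controller; the second ntdsutil call waits for you to type the new password.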
NTDSutil is a powerful command line tool to clean-up metadata. Take every opportunity to practice its Unix-like commands. If you practice with NTDSutil then you will be prepared for that day when you need to employ NTDSutil for disaster recovery tasks such as an Authoritative Restore.