Windows Server 2003 - NTDSutil Tutorial

NTDSutil is a wonderful Windows utility for configuring the heart of Active Directory. In fact, typing the powerful NTDSutil verbs reminds me of a Unix command line. With NTDSutil you get instant access to the Active Directory database. Unlike GUIs, which drive me mad with their 27 OK buttons, NTDSutil just does what I say - instantly.

However, because these NTDSutil commands act without the usual Windows operating system checks, I exhort you to practice my examples now; don't wait until you need them in a real disaster recovery. As a bonus of following my tutorials, you will discover settings that you did not know existed, for example, choosing a new password for DSRM (Directory Service Restore Mode).

Tutorial Topics for NTDSutil
Begin by logging on at a Windows Server (2003 best). I suggest that you create a new folder to hold any logs that NTDSutil creates, for example D:\ntdsutil.
Run a CMD prompt, change directory to D:\ntdsutil, and at the prompt type ntdsutil. Unsurprisingly, the actual executable is called ntdsutil.exe and is found in the %systemroot%\system32 folder. With this knowledge, you could copy that ntdsutil.exe file onto another operating system if necessary.
Key NTDSutil command

When you are experimenting with NTDSutil, if you get stuck remember these four little words; they will make the difference between success and frustration:

Connect to Server BigServer (substitute your server for BigServer)

Don't shorten the command to: Connect BigServer (remember the words 'to' and 'server'). If ever you are stuck in NTDSutil, simply type help.
Authoritative Restore - Major project, needs careful planning.
Configurable Settings - Not very interesting.
Domain Management - Specialist area. Create Naming Contexts and add replicas to the Application Directory Partition of DNS.
Files - Available only if you boot the server into Directory Restore Mode. Checks the integrity of NTDS.DIT and moves associated databases.
Roles - FSMO Maintenance. Which Domain Controller has which Single Operations Master? Seize roles such as PDC Emulator. Good news, for once you do get a message detailing the transfer you are about to make. My advice is to use Roles in conjunction with netdom or the Active Directory Snap-ins. My point is I could not find a way of displaying who holds which FSMO role with NTDSutil.
Reset DSRM password - If you don't know the server's Directory Service account password, then here is your chance to reset to a password that you will remember.
Security Account Management - Check for duplicate SIDs.
Let us start gently and check for duplicate SIDs. This experiment is more for gaining experience of the NTDSutil interface than for the probability of finding any duplicate SIDs. This is what I typed at the command prompt; my commands are the text after each prompt:

E:\ntdsutil>ntdsutil
ntdsutil: security account management
Security Account Maintenance: connect to server BigServer
Security Account Maintenance: check duplicate sid
...
Duplicate SID check completed successfully. Check dupsid.log for any duplicates
Security Account Maintenance:
Tutorial Learning Points

1) In the above session I typed the full command, security account management. However, you can shorten commands thus: 'sec acc man'. Incidentally, I am inventing these shorthand commands in the sense that NTDSutil also understands 'sec ac ma' or even 'secu a m'. NTDSutil's brain works by analysing your letters, and if there is only one possible interpretation then it fills in the gaps and returns the service that you asked for. For example, plain 'se' will not work because there is another command which begins with se, Semantic....
2) When the command prompt shows Security Account Maintenance:, here is where you must type 'connect to server BigServer'. Be aware that even though I am sitting at BigServer's console, I must remember this command: connect to server xyz.
3) When I type the instruction 'Check Duplicate SID', don't ask me why, but you cannot shorten the command to 'chk dup sd'. Please just accept you need the full words here.
4) As ever, read the screen and take note of dupsid.log. However, you have to quit NTDSutil, or use Explorer, before you can attempt to read dupsid.log. My point is that you cannot issue a command such as 'notepad dupsid.log' from within NTDSutil.
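The abbreviation behaviour from learning points 1 and 3, modelled as word-by-word prefix matching. This is an added Python illustration, not NTDSutil's own code: the matching rule is an assumption consistent with the behaviour described above, and the menu lists hold only argument-free entries. In this model 'chk dup sd' is rejected because 'chk' and 'sd' drop letters from inside a word instead of truncating it.

```python
# Added illustration: a model of word-by-word prefix matching.
# It is not NTDSutil's source; the matching rule is an assumption.

# Argument-free entries of the top-level ntdsutil: menu (Windows Server 2003).
TOP_MENU = [
    "authoritative restore", "configurable settings", "domain management",
    "files", "help", "ldap policies", "metadata cleanup", "quit", "roles",
    "security account management", "semantic database analysis",
    "set dsrm password",
]
# Argument-free entries of the Security Account Maintenance sub-menu.
SAM_MENU = ["check duplicate sid", "cleanup duplicate sid", "help", "quit"]


def candidates(typed, menu):
    """Menu entries whose leading words each start with the typed words."""
    words = typed.lower().split()
    if not words:
        return []
    hits = []
    for entry in menu:
        full = entry.split()
        if len(words) <= len(full) and all(
            f.startswith(w) for w, f in zip(words, full)
        ):
            hits.append(entry)
    return hits


def resolve(typed, menu):
    """Return the one entry `typed` can mean; raise ValueError otherwise."""
    hits = candidates(typed, menu)
    if len(hits) != 1:
        reason = "ambiguous" if hits else "no match"
        raise ValueError(f"{typed!r}: {reason} {hits}")
    return hits[0]


if __name__ == "__main__":
    for text, menu in [("sec acc man", TOP_MENU), ("secu a m", TOP_MENU),
                       ("se", TOP_MENU), ("chk dup sd", SAM_MENU)]:
        try:
            print(f"{text!r} -> {resolve(text, menu)}")
        except ValueError as err:
            print(f"rejected: {err}")
```

In a disaster-recovery runbook, write the full command words so that a script does not depend on which abbreviations happen to be unique on a given server.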
Here is where I challenge you to perform a real task. Once upon a time, when your Windows Server 2003 was first installed, setup asked the installer for a separate directory service restore mode password. 90% of administrators ignored the box or forgot the password. 50% of administrators don't realize that this Directory Services Restore Mode password is different from the normal Administrator password. The two can get out of sync because they are stored in separate databases. Now is your chance to reset the password that will be required if ever you need to restart the server in Active Directory Restore Mode. In many ways this is such an insignificant job; in other ways it saves the frustration of being thwarted by not having the administrative password for this context.
E:\ntdsutil>ntdsutil
ntdsutil: set dsrm password
Reset DSRM Administrator Password: reset password on server BigServer
Please type password for DS Restore Mode Administrator Account: ********
Please confirm new password: ********
Password has been set successfully.
Reset DSRM Administrator Password: quit
ntdsutil: quit
E:\ntdsutil>
Tutorial Learning Points

1) The key command to type: 'reset password on server BigServer'. If NTDSutil replies with 'Please type password for DS Restore Mode', then you know you are in the correct place.
2) To escape from NTDSutil you need just type quit, possibly two or three times, to get back to the command prompt.
NTDSutil is a powerful command line tool. Take every opportunity to practice its Unix-like commands. If you practice with NTDSutil then you will be prepared for that day when you need to employ NTDSutil for disaster recovery tasks
such as an Authoritative Restore.