Windows Server 2003 - NTDSutil TutorialNTDSutil is a wonderful Windows utility for configuring the heart of Active
Directory. In fact, typing the powerful NTDSutil verbs reminds me of a Unix command line. With
NTDSutil you get instant access to the Active Directory database. Unlike GUIs, which drive me mad with their 27 OK buttons, NTDSutil just does what I say - instantly.
However, because these NTDSutil commands act without the usual Windows operating system checks, I exhort you to practice my examples now, don't wait until you need them in a real disaster recovery. As a
bonus of following my
tutorials, you will discover settings that you did not know existed, for example, choose a new password for DSRM (Directory Service Restore Mode). Tutorial Topics for NTDSutil
‡
Begin by logging on at a Windows Server (2003 best). I suggest that you create a new folder to hold any logs that NTDSutil creates, for example D:\ ntdsutil.
Run a CMD prompt change directory to D: \ntdsutil and at the prompt type, ntdsutil. Unsurprisingly, the actual executable is called ntdsutil.exe and is found in the %systemroot%\system32 folder.
With this knowledge, you could copy that ndtsutil.exe file onto
another operating system if necessary.
Key NTDSutil commandWhen you are experimenting with NTDSutil, if you get stuck remember these four little words, they will make the difference between success and frustration:
Connect to Server BigServer (Substitute your server for
BigServer)
Don't shorten the command to: Connect BigServer (Remember the words 'to' and 'server').  If
ever you are stuck in NTDSutil, simply type help.
Authoritative Restore - Major project, needs careful planning
see more here.
Configurable Settings - Not very interesting. Domain Management - Specialist area. Create Naming Contexts and add replicas to the Application Directory Partition of DNS. Files -
Available only if you boot the server into Directory Restore Mode. Checks the integrity of NTDS.DIT and moves associated databases. Roles = FSMO Maintenance. Which Domain Controller has which Single Operations Master? Seize roles
such as PDC Emulator. Good news, for once you do get a message detailing the transfer you are about to make. My advice is to use Roles in conjunction with netdom or the Active Directory Snap-ins. My point is I could not find a way of displaying who holds which
FSMO role with NTDSutil. Reset DSRM password. If you don't know the server's Directory Service account password, then here is your change to
reset to a password that you will remember. Security Account Management. Check for duplicate SIDs
Guy Recommends: SolarWinds Engineer's Toolset v10
The Engineer's Toolset v10 provides a
comprehensive console of utilities for troubleshooting computer problems. Guy says
it helps me monitor what's occurring on the network, and the tools
teaches me more about how the system literally operates.
There are so many good gadgets, it's like having free rein of a
sweetshop. Thankfully the utilities are displayed logically: monitoring, discovery, diagnostic, and Cisco tools.
Download your copy of the Engineer's Toolset v 10
Let us start gently and check for duplicate SIDs. This experiment is more for gaining experience of the NTDSutil interface than the probability of finding any duplicate SIDs. This
is what I typed at the command prompt, my commands are in bold:
E:\ntdsutil>ntdsutil
ntdsutil: security account management
Security Account Maintenance: connect to server BigServer
Security Account
Maintenance: check duplicate sid
...
Duplicate SID check completed successfully. Check dupsid.log for any duplicates
Security Account Maintenance:
Tutorial Leaning Points1) In the above session I typed the full command security accounts management. However you can shorten commands thus: 'sec acc man' Incidentally, I am
inventing these shorthand commands in the sense that NTDSutil also understands:
sec ac ma or even 'secu a m'. NTDSutil's brain works by analysing your letters and if there is only one possible
interpretation then it fills in the gaps and returns the service that you asked for. For example plain, 'se' will not work because there is another command which begins with se, Semantic.... 2)
When the command prompt shows, Security Accounts Maintenance:
Here is where you must type: 'connect to server BigServerr'. Be aware that even though I am sitting at BigServer's console, I must remember this command : connect to server xyz. 3)
When I type the instruction, 'Check Duplicate SID', don't ask me why, but you cannot shorten the command to 'chk dup sd'. Please
just accept you need the full words here. 4) As ever, read the screen and take note of dupsid.log. However, you have to quit NTDSutil, or use Explorer before you can attempt to read dupsid.log. My
point is that you cannot issue a command : 'notepad dupsid.log' from within NTDSutil.
 Guy
recommends: The SolarWinds ipMonitor
I am attracted to
ipMonitor
because it inhabits that zone of part work, part play; Guy just could not put
the dashboard away. This excellent performance monitor will get you
started in the quest to remove bottlenecks on your network. SolarWinds
provides this fully-functioning product free for 21 days. So download and
install ipMonitor, then start scrutinizing your computers CPU, memory and disk
performance.
Installing ipMonitor is a breeze, but learn from gung-ho Guy's mistake, and
install SNMP on each computer that you wish to monitor. What sealed my
unreserved recommendation of SolarWinds is their support team, you will get
expert help even when you are evaluating the ipMonitor.
Download SolarWinds ipMonitor (21 days eval)
Here is where I challenge you to perform a real task. Once upon a time, when your Windows server 2003 was first installed, setup asked the installer for a separate directory service restore mode password.
90% of administrators ignored the box or forgot the password. 50% of Administrator's don't realize that this Directory Services Restore Mode password is different from the normal Administrator password.
The two can get out of synch because they are stored in separate databases. Now is your chance to reset the password that will be required if ever you need to restart the server in Active Directory Restore Mode. In many ways, this is such an
insignificant job, in other ways it saves frustration of being thwarted by not having the administrative password for this context.
E:\ntdsutil>ntdsutil
ntdsutil: set dsrm password
Reset DSRM Administrator Password: reset password on server BigServer
Please type
password for DS Restore Mode Administrator Account: ********
Please confirm new password: ********
Password has been set successfully.
Reset DSRM Administrator Password: quit
ntdsutil:
quit
E:\ntdsutil>
Tutorial Learning Points1) The key command type: 'reset password on BigServer'
If NTDSutil replies with: 'Please type password for DS Restore Mode', then you know you are in
the correct place. 2) To escape from NTDSutil you need just type quit, possibly 2 or three times to get back to the command prompt.
NTDSutil is a powerful command line tool. Take every opportunity to practice its Unix-like commands. If you practice with NTDSutil then you will be prepared for that day when you need to employ NTDSutil for disaster recovery tasks
such as an Authoritative Restore.
See Also●
Authoritative Restore
● Windiff ●
ESEutil ●
NTDSUtil
●
Performance Monitor Tool
|
