Ntdsutil.exe and the Microsoft Active Directory
Curtis Clay III and Charleta McKoy, Windows 2000 Directory Services Team, Microsoft Corporation
The Ntdsutil Tool
Ntdsutil.exe is a command-line tool that provides management facilities for Microsoft Active Directory.
By default, Ntdsutil is located in the \Winnt\System32 folder.
Uses for Ntdsutil
Authoritative Restore
Used to recover deleted or missing objects from Active Directory.
Performed in DS Restore mode. Offers the ability to restore the entire database or a single object or subtree.
An authoritative restore starts from a normal (non-authoritative) restore of the database from backup; Ntdsutil then raises the version numbers of the selected objects so that they win replication against the copies on the other domain controllers instead of being overwritten by them. Mark only what you need: every object marked authoritative also loses any change made to it since the backup was taken.
Note: This command is used only in DS Restore mode.
Authoritative Restore: Commands
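The restore procedure above, scripted as an added example (this is not code from the webcast). It assumes Windows Server 2008 or later, where "activate instance ntds" is required before the menus open the database, that the domain controller has already been booted into DS Restore mode and the System State restored non-authoritatively, and that OU=Sales,DC=contoso,DC=com is the container that was deleted; the DN, the DSRM check and the Invoke-Ntdsutil wrapper are the example's own.

```powershell
# Added example (not from the webcast). Assumes Windows Server 2008 or later,
# where 'activate instance ntds' is required, booted into Directory Services
# Restore Mode after a non-authoritative System State restore. The DN is a
# placeholder for the container that was deleted.
$SubtreeDn = 'OU=Sales,DC=contoso,DC=com'   # assumed value

function Invoke-Ntdsutil {
    # Each ntdsutil menu command is passed as one quoted argument; 'quit' backs
    # out of the current menu, so the sequence ends with one quit per menu opened.
    param([Parameter(Mandatory)][string[]]$Commands)
    $output = & ntdsutil.exe @Commands 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "ntdsutil failed with exit code $LASTEXITCODE`n$($output -join "`n")"
    }
    $output
}

# Guard: an authoritative restore needs the directory service offline. In DS
# Restore mode the NTDS service is present but not running.
$ntds = Get-Service -Name NTDS -ErrorAction Stop
if ($ntds.Status -ne 'Stopped') {
    throw 'The directory service is running; boot into DS Restore mode first.'
}

# Sanity-check the DN before touching the database: a typo here marks the
# wrong subtree authoritative, and there is no undo short of another restore.
if ($SubtreeDn -notmatch '^(?:(?:CN|OU|DC)=[^,]+,)*DC=[^,]+$') {
    throw "Not a usable distinguished name: $SubtreeDn"
}

# 'popups no' suppresses the confirmation dialog so the run is unattended.
# 'restore subtree' raises the version numbers of every object under the DN by
# a large increment (100,000 per day since the backup by default; the verinc
# variants override it) so those objects win replication against the copies
# held by the other domain controllers.
$result = Invoke-Ntdsutil @(
    'popups no',
    'activate instance ntds',
    'authoritative restore',
    "restore subtree $SubtreeDn",
    'quit',
    'quit'
)
$result
```

After the command completes, reboot normally and confirm on a replication partner that the objects reappear; use "restore database" instead of "restore subtree" only when the whole directory must revert to the backup.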
Domain Management
Allows Enterprise Administrators to pre-create cross-reference and server objects in the directory, for example so that a delegated administrator can promote the first domain controller of a new child domain.
Note: These commands run online against the domain controller selected with the Connections menu; DS Restore mode is not required.
Domain Management: Commands
Domain Management: Commands (2)
Add NC Replica %s %s
Create NC %s %s
Remove NC Replica %s %s
List
List NC information %s
List NC Replicas %s
Pre-create %s %s
Delete NC %s
Set NC Reference Domain %s %s
Set NC Replicate Notification Delay %s %d %d
Files
Provides commands for managing the directory service data and log files (location, integrity, moving and compacting).
Ntds.dit is the file that holds the database for the Active Directory. It contains every account's credential material, so copies produced by these commands, or by backups, need the same protection as the domain controller itself.
ESENT is a transacted database system. It uses log files to ensure that transactions are committed to the database.
Note: This command is used only in DS Restore mode.
Files: Commands
IP Deny List
Used to deny LDAP access to specific clients based on IP address. Each entry is an address plus a mask, so a single host or a whole range can be denied.
The list is stored in the LDAP query policy, so it is enforced by every domain controller that uses that policy, and it covers LDAP only: Kerberos, SMB and RPC traffic to the domain controller are unaffected.
Note: These commands run online against the domain controller selected with the Connections menu; DS Restore mode is not required.
IP Deny List: Commands
LDAP Policies
Used to specify operational limits for a number of Lightweight Directory Access Protocol (LDAP) operations.
These limits prevent specific operations from adversely impacting the performance of the server.
They also make the server more resilient to denial of service attacks: the server accepts at most MaxConnections simultaneous connections, drops connections idle longer than MaxConnIdleTime, and stops any query that runs longer than MaxQueryDuration.
The values are stored in the query policy object. The Default Query Policy applies to every domain controller unless another policy is assigned, so a change made through one domain controller replicates to the others.
Note: These commands run online against the domain controller selected with the Connections menu; DS Restore mode is not required.
LDAP Policies Defaults

Policy                        Meaning                                                                                Default
InitRecvTimeout               Initial receive time-out                                                               120 seconds
MaxConnections                Maximum number of open connections                                                     5,000
MaxConnIdleTime               Maximum amount of time a connection can be idle                                        900 seconds
MaxActiveQueries              Maximum number of queries that can be active at one time                               20
MaxNotificationPerConnection  Maximum number of notifications that a client can request for a given connection       5
MaxPageSize                   Maximum page size supported for LDAP responses                                         1,000 records
MaxQueryDuration              Maximum length of time the domain controller can execute a query                       120 seconds
MaxTempTableSize              Maximum size of temporary storage allocated to execute queries                         10,000 records
MaxResultSetSize              Maximum size of the LDAP result set                                                    262,144 bytes
MaxPoolThreads                Maximum number of threads created by the domain controller for query execution         4 per processor
MaxDatagramRecv               Maximum number of datagrams that can be processed by the domain controller simultaneously   1,024
LDAP Policies: Commands
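A drift check built on the LDAP Policies menu, added here as an example (not code from the webcast): it parses the "show values" listing and reports every policy that no longer matches the defaults in the table above. The server name DC01, the Get-LdapPolicy/Compare-LdapPolicy/Set-LdapPolicy function names and the assumed "Name   value" or "Name   value(new)" line format of the listing are the example's own; the ntdsutil commands (show values, set ... to ..., commit changes) are those of the menu.

```powershell
# Added example (not from the webcast). The server name is a placeholder and
# the baseline is the list of defaults on the slides; replace it with your own.
$Dc = 'DC01'   # assumed

$DocumentedDefaults = @{
    InitRecvTimeout              = 120
    MaxConnections               = 5000
    MaxConnIdleTime              = 900
    MaxActiveQueries             = 20
    MaxNotificationPerConnection = 5
    MaxPageSize                  = 1000
    MaxQueryDuration             = 120
    MaxTempTableSize             = 10000
    MaxResultSetSize             = 262144
    MaxPoolThreads               = 4
    MaxDatagramRecv              = 1024
}

function Invoke-Ntdsutil {
    param([Parameter(Mandatory)][string[]]$Commands)
    $output = & ntdsutil.exe @Commands 2>&1
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil failed ($LASTEXITCODE): $($output -join ' ')" }
    $output
}

function Get-LdapPolicy {
    # Parses the 'show values' listing into name -> current value. A line is
    # assumed to read "MaxPageSize   1000", or "MaxPageSize   1000(2000)" when a
    # change has been set but not committed; the current (first) value is kept.
    param([string]$Server)
    $out = Invoke-Ntdsutil @('ldap policies', 'connections', "connect to server $Server", 'quit',
                             'show values', 'quit', 'quit')
    $policy = @{}
    foreach ($line in $out) {
        if ("$line" -match '^\s*([A-Za-z]+)\s+(\d+)(?:\((\d+)\))?\s*$') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    $policy
}

function Compare-LdapPolicy {
    # Reports every baseline policy whose live value differs or is missing.
    param([hashtable]$Current, [hashtable]$Baseline)
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        if (-not $Current.ContainsKey($name)) {
            "{0,-30} not reported by this server" -f $name
        } elseif ($Current[$name] -ne $Baseline[$name]) {
            "{0,-30} live={1}  baseline={2}" -f $name, $Current[$name], $Baseline[$name]
        }
    }
}

function Set-LdapPolicy {
    # 'set <name> to <value>' stages a change; 'commit changes' writes it to the
    # query policy, from where it replicates to every DC using that policy.
    param([string]$Server, [string]$Name, [int]$Value)
    Invoke-Ntdsutil @('ldap policies', 'connections', "connect to server $Server", 'quit',
                      "set $Name to $Value", 'commit changes', 'quit', 'quit') | Out-Null
}

$live  = Get-LdapPolicy -Server $Dc
$drift = @(Compare-LdapPolicy -Current $live -Baseline $DocumentedDefaults)
if ($drift.Count -eq 0) {
    "LDAP policy on $Dc matches the documented defaults."
} else {
    # A raised MaxPageSize or MaxResultSetSize loosens the bulk-read limits; a
    # lowered MaxConnections or MaxQueryDuration makes legitimate clients fail.
    # Either way, unexplained drift deserves a look before it is put back.
    $drift
}
```

To reset a single value, call for example Set-LdapPolicy -Server $Dc -Name MaxPageSize -Value 1000; because the policy is shared, the change is visible from every domain controller once it has replicated.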
Metadata Cleanup
Used to remove data or objects from the Active Directory database, typically what is left behind by a domain controller or domain that was removed without a clean demotion.
The directory service maintains various metadata for each domain and server known to the forest (the server's NTDS Settings object, the cross-reference for a domain); that metadata is what this menu removes.
A domain controller removed this way must never be reconnected to the network: the forest no longer knows it, and the copy of the database it holds is stale.
Metadata Cleanup: Commands
Connections: Commands
Roles
Used to manage the placement of FSMO roles within the Active Directory.
FSMO Roles - Scope
Enterprise Wide Roles
Domain naming
Schema
Domain Wide Roles
PDC emulator
Relative identifier
Infrastructure
FSMO Roles
An operations master role can only be moved by administrative involvement; it is not moved automatically.
Operations master roles require two forms of management:
Controlled transfer: the current holder and the new holder both take part, so the role moves cleanly and no change is lost.
Seizure: used only when the current holder is permanently unavailable. Ntdsutil tries a transfer first and seizes only when the holder does not answer. A former holder of the RID, schema or domain naming role must never be brought back online afterwards, because two holders issue conflicting changes (duplicate RIDs, divergent schema); reinstall it instead.
Roles - Commands
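The two operations that go together when a domain controller is lost for good, seizing its roles (the Roles slides) and then removing its metadata (the Metadata Cleanup slides), as one added example; it is not code from the webcast. It assumes the ActiveDirectory PowerShell module for the role-holder lookup, a Windows Server 2003 SP1 or later ntdsutil for the "remove selected server <DN>" form (Windows 2000 ntdsutil needs the list/select commands interactively), and placeholder names DC01, DC02 and Default-First-Site-Name; Get-RolesHeldBy and Invoke-Ntdsutil are the example's own helpers.

```powershell
# Added example (not from the webcast). Server and site names are placeholders;
# requires the ActiveDirectory module (RSAT) for the role-holder lookup and a
# Windows Server 2003 SP1 or later ntdsutil for 'remove selected server <DN>'.
Import-Module ActiveDirectory
$Survivor = 'DC02'                     # assumed: healthy DC that takes the roles
$LostDc   = 'DC01'                     # assumed: DC that is gone for good
$Site     = 'Default-First-Site-Name'  # assumed: site the lost DC lived in

function Invoke-Ntdsutil {
    param([Parameter(Mandatory)][string[]]$Commands)
    $output = & ntdsutil.exe @Commands 2>&1
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil failed ($LASTEXITCODE): $($output -join ' ')" }
    $output
}

function Get-RolesHeldBy {
    # Maps each ntdsutil role name to its current holder and returns only the
    # roles the given DC holds, so nothing is seized that did not need seizing.
    param([string]$DcName)
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $holders = [ordered]@{
        'schema master'         = $forest.SchemaMaster
        'domain naming master'  = $forest.DomainNamingMaster
        'PDC'                   = $domain.PDCEmulator
        'RID master'            = $domain.RIDMaster
        'infrastructure master' = $domain.InfrastructureMaster
    }
    $holders.GetEnumerator() |
        Where-Object { ("$($_.Value)" -split '\.')[0] -ieq $DcName } |
        ForEach-Object { $_.Key }
}

# 1. Seize. ntdsutil first attempts a clean transfer and seizes only when the
#    holder does not answer. A former RID, schema or domain naming master must
#    never come back online afterwards; reinstall it if the hardware returns.
$toSeize = @(Get-RolesHeldBy -DcName $LostDc)
foreach ($role in $toSeize) {
    "Seizing $role onto $Survivor"
    Invoke-Ntdsutil @('popups no', 'roles', 'connections', "connect to server $Survivor", 'quit',
                      "seize $role", 'quit', 'quit') | Out-Null
}

# 2. Metadata cleanup of the lost DC. Connecting to the survivor and naming the
#    server object by DN removes its NTDS Settings object (and, on 2003 SP1 and
#    later, the server object, FRS member and computer account as well).
$configNc = (Get-ADRootDSE).configurationNamingContext
$serverDn = "CN=$LostDc,CN=Servers,CN=$Site,CN=Sites,$configNc"
Invoke-Ntdsutil @('popups no', 'metadata cleanup', 'connections', "connect to server $Survivor", 'quit',
                  "remove selected server $serverDn", 'quit', 'quit')

# 3. Verify that nothing still points at the lost DC.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
```

On Windows 2000 the computer account, the FRS member object and the DNS records of the removed server remain and must be deleted by hand, as Q216498 (listed under Additional Documentation) describes.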
Security Account Management
This option is used (rarely) to resolve duplicate relative identifiers, and therefore duplicate SIDs, in a domain. Duplicates typically appear after a RID master was seized and the old holder was later returned to service.
Note: These commands connect to a live domain controller (Connect to server); DS Restore mode is not required.
Security Account Management - Commands
Semantic Database Analysis
Analyzes the data with respect to Active Directory semantics, whereas the integrity check in the Files menu only verifies the ESENT database structure.
It generates reports on the number of records present, including deleted and phantom records, and can repair the problems it finds (go fixup). It runs against the offline database, in DS Restore mode.
Semantic Database Analysis - Commands
Automate Ntdsutil Commands
Ntdsutil can be scripted: every menu command can be supplied as a quoted argument on the command line, with quit to leave each menu, so a whole session can be driven from a batch file or script.
The following commands control silent operation:
popups no - no user interaction (confirmation dialogs are suppressed)
popups yes - full user interaction
Resources
Appendix C - Active Directory Diagnostic Tool (Ntdsutil.exe)
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/reskit/distsys/part5/dsgappc.asp
Additional Documentation
Q230306 "How to Remove Orphaned Domains from Active Directory"
http://support.microsoft.com/support/kb/articles/q230/3/06.asp
Q216498 "How to Remove Data in the Active Directory After an Unsuccessful Domain Controller Demotion"
http://support.microsoft.com/support/kb/articles/q216/4/98.asp
Q257420 "How to Move the Ntds.dit File or Log Files"
http://support.microsoft.com/support/kb/articles/q257/4/20.asp
Additional Documentation (2)
Q241594 "How to Perform an Authoritative Restore to a Domain Controller"
http://support.microsoft.com/support/kb/articles/q241/5/94.asp
Q232122 "Offline Defragmentation of the Active Directory Database"
http://support.microsoft.com/support/kb/articles/q232/1/22.asp
Q255504 "Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller"
http://support.microsoft.com/support/kb/articles/q255/5/04.asp
Additional Documentation (3)
Q234790 "How to Find FSMO Role Holders (Servers)"
http://support.microsoft.com/support/kb/articles/q234/7/90.asp
Thank you for joining us for today's Microsoft Support WebCast.
For information about all upcoming Support WebCasts and access to the archived content (streaming media files, PowerPoint slides, and transcripts), please visit: http://support.microsoft.com/webcasts/
We sincerely appreciate your feedback. Please send any comments or suggestions regarding the Support WebCasts to [email protected] and include "Support WebCasts" in the subject line.