Tools for configuring and maintaining Active Directory

Windows Server 2008 provides various tools for configuring and maintaining Active Directory in a domain network environment. Some of the important utilities are described below:

  • NTDSUTIL

    NTDSUTIL.EXE is a command-line tool that is used to manage Active Directory. This utility is used to perform the following tasks:

    • Performing database maintenance of Active Directory
    • Managing and controlling operations master roles
    • Removing metadata left behind by domain controllers

    Note: The NTDSUTIL utility is supposed to be used by experienced administrators.

    • Important Usage
      • To move AD LDS database file to another location, use the NTDSUTIL tool. Take the following steps:
        • First stop the LDS instance.
        • Move the database.
        • Start the LDS instance again.
      • To relocate AD LDS directory partition, use the NTDSUTIL tool. Take the following steps:
        • Stop the LDS by using the net stop command.
        • Move the Database file through NTDSUTIL tool.
        • Start the directory service using the net start command.
      • If an organization unit (OU) has been deleted by mistake, it is required to perform authoritative restore of the system state data. In order to perform an authoritative restore of OU (or any other AD object), take the following steps:
        • Start the domain controller in Directory Services Restore Mode (DSRM).
        • Perform a non-authoritative restore of the system state data that contains the deleted OU.
        • Run NTDSUTIL to mark the OU as authoritative.
        • Finally start domain controller service in services (local) Microsoft Management Console.
      • To perform offline defragmentation of the AD database on a domain controller, take the following steps:
        • Open the MMC and stop the domain controller service (the critical services remain online even after stopping this service).
        • Run the NTDSUTIL tool to compact the Active Directory.
        • Move NTDS.DIT file to %SystemRoot%\NTDS folder.
        • Restart the domain controller service.
      • In order to use the NTDSUTIL tool to create a custom partition on AD, use the DNSCMD tool to configure replication of the custom partition.
      • The NDTSUTIL tool is used to add replica for a custom application directory partition to a domain controller.
      • A DSRM password can be changed through the NTDSUTIL utility.
      • To move the AD database to a new volume, open the Files option in the NTDSUTIL utility and move the NTDS.DIT file to the new volume.
  • ADSI Edit

    ADSI Edit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects with a directory service. The attributes for each object can be edited or deleted by using this tool. ADSI Edit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following are the required files for using this tool:

    • ADSIEDIT.DLL
    • ADSIEDIT.MSC

    Regarding system requirements, a connection to an Active Directory environment and Microsoft Management Console (MMC) is necessary.

    • Important Usage
      • To create an OU in the LDS instance, use the ADSI Edit tool.
      • Create multiple Password Setting objects through the ADSI Edit snap-in to create multiple password policies for user in the domain.
  • REPADMIN

    REPADMIN.EXE is a command line tool used to monitor and troubleshoot replication on a computer running Windows. This is a command line tool that allows you to view the replication topology as seen from the perspective of each domain controller. It performs the following actions:

    • Checks replication consistency between replication partners.
    • Monitors replication status.
    • Displays replication metadata.
    • Forces replication events.
    • Knowledge Consistency Checker (KCC) recalculation
    • Important Usage
      • In order to replicate the new NS record to all the domain controllers, run the REPADMIN /syncall command from the command prompt.
      • To immediate replicate the AD information, choose either of two- From the AD Sites and Services console, select the existing connection objects and force replication. Or, use REPADMIN.EXE to force replication between the site connection objects.
      • Use the REPADMIN tool to synchronize new user information between all sites to enable new users to log on to the domain in a remote site.
  • DCPROMO

    DCPROMO is an Active Directory Installation wizard. It is used to promote member servers to domain controllers. It can also be used to demote a domain controller back to member server.

    • Important Usage
      • Only unattended installations of AD DS can be performed to install RODC on a computer running Server Core. For this, use the DCPROMO.EXE /unattend command.
      • In order to remove the AD DS role from a domain controller, run the DCPROMO utility and remove the AD DS role.
      • To configure the member servers to receive a custom application directory partition for data replication, run the DCPROMO utility on the member servers.
  • DNSCMD

    DNSCMD is a command-line tool that assists administrators in managing Windows Domain Name System (DNS). It displays and changes the properties of DNS servers, zones, and resource records. Administrators can manually modify these properties, creates and deletes zones and resource records, and forces replication events between DNS server physical memory and DNS databases and data files. Various command parameters are used to execute different management tasks. DNSCMD command can be used in scripts too for automating regular maintenance tasks.

    • Important Usage
      • To create a custom partition on AD, use the NTDSUTIL tool. Then use the DNSCMD tool to configure replication of the custom partition.
      • Run the DNSCMD /zoneexport command to copy the zone files of the DNS server.
      • Run DNSCMD /createdirectorypartition command to ensure that the new active directory integrated zone is replicated to the specified domain controllers only.
  • WBADMIN

    WBADMIN.EXE is a command-line utility for performing backup and restore operations on a Windows operating system.

  • DSDBUTIL

    DSDBUTIL is a command-line utility that is built into Windows Server 2008 to perform database maintenance of the Active Directory Domain Services (AD DS) store, facilitate configuration of Active Directory Lightweight Directory Services (AD LDS) communication ports, and view AD LDS instances that are installed on a computer. The command is available if the AD LDS server role is installed on a server. Run DSDBUTIL command from an elevated command prompt to perform the required operations.

    • Important Usage
      • Use the DSDBUTIL.EXE tool to create installation media that corresponds to the AD LDS instance that is required to back up instead of backing up the entire volumes that contain the AD LDS instance.
  • LDP

    LDP.EXE is a Windows command-line utility that administrators use to perform Lightweight Directory Access Protocol (LDAP) searches against the Active Directory for specific information given search criteria.

    • Important Usage
      • Use LDP.EXE tool to test the certificate with AD LDS.

One Reply to “Tools for configuring and maintaining Active Directory”

  1. Pingback: designfloat.com

Comments are closed.