Ntdsutil
Ntdsutil.exe is a command-line tool that provides
management facilities for Active Directory. Use Ntdsutil.exe to perform database
maintenance of Active Directory, manage and control single master operations,
and remove metadata left behind by domain controllers that were removed from the
network without being properly uninstalled. This tool is intended for use by
experienced administrators.
The following submenus are documented below:
• Authoritative restore
• Configurable settings
• Domain management
• Files
• IPDeny List
• LDAP policies
• Metadata cleanup
• Roles
• Security account management
• Semantic database analysis
• Set DSRM Password
Authoritative restore
Restores domain controllers to a specific point in time and marks objects in
Active Directory as being authoritative with respect to their replication
partners. In forests that have a functional level of Windows Server 2003 or
Windows Server 2003 interim, this option also restores backlinks for links
that were created after the functional level was raised. (For example, the
member attributes of groups to which a restored user object belongs are
updated.) On domain controllers that are running the version of Ntdsutil that
is included in Windows Support Tools that ship with Windows Server 2003
Service Pack 1 (SP1), authoritative restore creates an LDAP Data Interchange
Format (LDIF) file that can be used to restore backlinks for links that were
created before the functional level was raised.
At the authoritative restore: prompt, type any of the parameters listed under
Syntax.
Syntax
{create ldif file(s) from %s|restore database|restore database verinc %d|restore
object %s|restore object verinc %d|restore subtree %s|restore subtree %s
verinc %d}
Parameters
create ldif file(s) from %s
Available in the version of Ntdsutil that is included with Windows Server 2003
SP1. This option creates an LDIF file of link updates from the Ntdsutil-generated
text file that is named in %s. This file can be used to update backlinks on
objects in a domain other than the domain of the restored object. For example,
this file can be used to restore group membership for a user where the group
belongs to a different domain than the user.
restore database
Marks the entire Ntds.dit (both the domain and configuration directory
partitions held by the domain controller) as authoritative. The schema cannot
be authoritatively restored.
restore database verinc %d
Marks the entire Ntds.dit (both the domain and configuration directory
partitions held by the domain controller) as authoritative and increments the
version number by %d times the number of days since backup. Use this option
only to authoritatively restore over a previous, incorrect, authoritative
restore, such as an authoritative restore from a backup that contains the
problem you want to restore.
%d
A numeric value that overrides the default value of 100,000. The version
number of the object or database being authoritatively restored will be
increased by this value times the number of days since backup.
restore object %s
Marks object %s as being authoritative. When you use the version of Ntdsutil
that is included with Windows Server 2003 SP1, this option also generates a
text file that contains the distinguished name of the restored object and an
LDIF file that can be used to restore backlinks for objects that are being
authoritatively restored (such as group memberships of users).
restore object %s verinc %d
Marks object %s as being authoritative and updates links as described in
restore object %s, and also increments the version number by %d times the
number of days since backup. Use this option only to authoritatively restore
over a previous, incorrect, authoritative restore, such as an authoritative
restore from a backup that contains the problem that you want to restore.
restore subtree %s
Marks subtree %s (and all children of the subtree) as being authoritative.
When you use the version of Ntdsutil that is included with Windows Server 2003
SP1, this option also generates a text file that contains the distinguished
names of the restored objects and an LDIF file that can be used to restore
backlinks for objects that are being authoritatively restored (such as group
memberships of users).
restore subtree %s verinc %d
Marks subtree %s (and all children of the subtree) as being authoritative and
updates links as described in restore subtree %s, and also increments the
version number by %d times the number of days since backup. Use this option
only to authoritatively restore over a previous, incorrect, authoritative
restore, such as an authoritative restore from a backup that contains the
problem that you want to restore.
%s
An alphanumeric variable, either a distinguished name for a restored object or
subtree, or a file name for a text file that is used to create an LDIF file.
quit
Takes you back to the previous menu or exits the utility.
? or help
Displays help at the command prompt.
Remarks
• When you are restoring a domain controller by using backup and restore
programs, such as Ntbackup or those from other providers, the default mode for
the restore is nonauthoritative. This means that the restored server is
brought up to date with its replicas through the normal replication mechanism.
For example, if a domain controller is restored from a backup tape that is two
weeks old, when you restart it, the normal replication mechanism brings it up
to date with respect to its replication partners.
• You might need to perform an authoritative restore if an administrator
inadvertently deletes an organizational unit containing a large number of
users. If you restore the server from tape, the normal replication process
would not restore the inadvertently deleted organizational unit. Authoritative
restore allows you to mark the organizational unit as authoritative and force
the replication process to restore it to all of the other domain controllers
in the domain.
Configurable settings
Aids in modifying the TTL of dynamic data stored in Active Directory. At the
configurable setting: prompt, type any of the parameters listed under Syntax.
Syntax
{cancel changes|connections|list|set %s to %s|show values}
Parameters
cancel changes
Cancels the changes made, but not yet committed.
connections
Invokes the server connections submenu.
list
Lists the names of the supported configurable settings.
set %s to %s
Sets the configurable setting %s1 to the value %s2.
show values
Displays values of configurable settings.
%s
An alphanumeric variable, such as a domain or domain controller name.
quit
Takes you back to the previous menu or exits the utility.
? or help
Displays help at the command prompt.
Domain management
Allows administrators who are members of the Enterprise Administrators group
to prepare cross-reference and server objects in the directory. At the domain
management: prompt, type any of the parameters listed under Syntax.
Syntax
{add nc replica %s %s|connections|create nc %s %s|remove nc replica %s %s|list|list
nc information %s|list nc replicas %s|precreate %s %s|delete nc %s|select
operation target|set nc reference domain %s %s|set nc replicate notification
delay %s %d %d}
Parameters
add nc replica %s %s
Adds the domain controller %s2 to the replica set for the Non-Domain Naming
Context %s1. If %s2 is not specified, the domain controller that you are
connected to is used as the default.
connections
Invokes the Server connections submenu.
create nc %s %s
Creates the Non-Domain Naming Context %s1 on the domain controller %s2. If %s2
is not specified, the currently connected domain controller is used. To leave
an argument unspecified, enter (NULL).
remove nc replica %s %s
Removes the domain controller %s2 from the replica set for the Non-Domain
Naming Context %s1. If %s2 is not specified, the currently connected domain
controller is used.
list
Lists all the naming contexts that exist in the enterprise, the schema and
configuration naming contexts, as well as all domain naming contexts.
list nc information %s
Prints out the reference domain and the replication delays for the Non-Domain
Naming Context %s.
list nc replicas %s
Prints the list of domain controllers in the replica set for the Non-Domain
Naming Context %s. Remember that this is the list of domain controllers to
eventually hold replicas of the Non-Domain Naming Contexts, and that these
replicas may not necessarily be fully replicated yet.
precreate %s %s
Creates a cross-reference object for the domain %s1 allowing a server named
%s2 to be promoted as the domain controller for that domain. The domain name
must be specified by using a fully distinguished name, and the server must be
named by using the fully qualified DNS name.
delete nc %s
Removes the Non-Domain Naming Context %s. Before removing a Non-Domain Naming
Context, all of its replicas must be removed and their removal must replicate
back to the domain naming operations master.
select operation target
Invokes the Select operation target submenu.
set nc reference domain %s %s
Sets the reference domain of the Non-Domain Naming Context %s1 to %s2. The
domain %s2 should be specified in a domain's DNS name format. Example:
widgets.microsoft.com.
set nc replicate notification delay %s %d %d
Sets the Non-Domain Naming Context %s's notification delays to %d1 and %d2 for
the delay between notifying the first domain controller of changes and the
delay of notifying subsequent domain controllers of changes respectively.
%s
An alphanumeric variable, such as a domain or domain controller name.
%d
A numeric variable, such as replication delay time periods.
quit
Takes you back to the previous menu or exits the utility.
? or help
Displays help at the command prompt.
Files
Provides commands for managing the directory service data and log files. The
data file is called Ntds.dit. At the files: prompt, type any of the parameters
listed under Syntax.
Syntax
{compact to %s|header|info|integrity|move DB to %s|move logs to %s|recover|set
path backup %s|set path db %s|set path logs %s|set path working dir %s}
Parameters
compact to %s (where %s identifies an empty target directory)
Invokes Esentutl.exe to compact the existing data file and writes the
compacted file to the specified directory. The directory can be remote, that
is, mapped by means of the net use command or similar means. After compaction
is complete, archive the old data file, and move the newly compacted file back
to the original location of the data file. ESENT supports online compaction,
but this compaction only rearranges pages within the data file and does not
release space back to the file system. (The directory service invokes online
compaction regularly.)
header
Writes the header of the Ntds.dit data file to the screen. This command can
help support personnel analyze database problems.
info
Analyzes and reports the free space for the disks that are installed in the
system, reads the registry, and then reports the sizes of the data and log
files. (The directory service maintains the registry, which identifies the
location of the data files, log files, and directory service working
directory.)
integrity
Invokes Esentutl.exe to perform an integrity check on the data file, which can
detect any kind of low-level database corruption. It reads every byte of your
data file; thus it can take a long time to process large databases. Note that
you should always run Recover before performing an integrity check.
move DB to %s (where %s identifies a target directory)
Moves the Ntds.dit data file to the new directory specified by %s and updates
the registry so that, upon system restart, the directory service uses the new
location.
move logs to %s (where %s identifies a target directory)
Moves the directory service log files to the new directory specified by %s and
updates the registry so that, upon system restart, the directory service uses
the new location.
recover
Invokes Esentutl.exe to perform a soft recovery of the database. Soft recovery
scans the log files and ensures all committed transactions therein are also
reflected in the data file. The Windows 2000 Backup program truncates the log
files appropriately. Logs are used to ensure committed transactions are not
lost if your system fails or if you have unexpected power loss. In essence,
transaction data is written first to a log file and then to the data file.
When you restart after failure, you can rerun the log to reproduce the
transactions that were committed but hadn't made it to the data file.
set path backup %s (where %s identifies a target directory)
Sets the disk-to-disk backup target to the directory specified by %s. The
directory service can be configured to perform an online disk-to-disk backup
at scheduled intervals.
set path db %s (where %s identifies a target directory)
Updates the part of the registry that identifies the location and file name of
the data file. Use this command only to rebuild a domain controller that has
lost its data file and that is not being restored by means of normal
restoration procedures.
set path logs %s (where %s identifies a target directory)
Updates the part of the registry that identifies the location of the log
files. Use this command only if you are rebuilding a domain controller that
has lost its log files and is not being restored by means of normal
restoration procedures.
set path working dir %s (where %s identifies a target directory)
Sets the part of the registry that identifies the directory service's working
directory to the directory specified by %s.
%s
An alphanumeric variable, such as a domain or domain controller name.
quit
Takes you back to the previous menu or exits the utility.
? or help
Displays help at the command prompt.
Caution
• Incorrectly editing the registry may severely damage your system. Before
making changes to the registry, you should back up any valued data on the
computer.
Remarks
• Active Directory is implemented on top of an indexed sequential access
method (ISAM) table manager. This is the same table manager used by Microsoft
Exchange Server, the file replication service, the security configuration
editor, the certificate server, Windows Internet Name Service (WINS), and
other Windows components. The version of the database that Windows 2000 and
Windows Server 2003, Standard Edition use is called extensible storage engine
(ESENT).
ESENT is a transacted database system that uses log files to support rollback
semantics to ensure that transactions are committed to the database. Ideally,
data and log files should be located on separate drives to improve performance
and support recovery of the data if a disk fails.
• ESENT provides its own tool for certain database file management functions
called Esentutl.exe, which is also installed in the systemroot\System32
folder. Several of the Ntdsutil file management commands invoke Esentutl,
reducing the need to learn the tool's command-line arguments. In the cases
where Ntdsutil invokes Esentutl, it brings up a separate window configured
with a large history so that you can scroll back to see all of the Esentutl
progress indicators.
Active Directory opens its files in exclusive mode. This means the files
cannot be managed while the system is operating as a domain controller.
To manage directory service files
1. Start the computer.
2. When the Starting Windows progress bar appears, press F8.
3. From the Windows 2000 Advanced Options Menu, select Directory Services
Restore Mode.
Note
• Starting the computer in Directory Services Restore Mode causes your domain
controller to temporarily operate as a stand-alone server. This causes some
services to fail, especially those that are integrated with the directory
service. When operating in this mode, the security accounts manager (SAM) uses
a minimal set of user and group definitions stored in the registry. If your
domain controller is not physically secure, you should set the administrative
password for the Directory Services Restore Mode.
IPDeny List
Prevents the domain controller from accepting LDAP queries from clients with
specified IP addresses. At the ipdeny list: prompt, type any of the parameters
listed under Syntax.
Syntax
{add %s1 %s2|cancel|commit|connections|delete %d|show|test %s}
Parameters
add %s1 %s2
Adds an entry to the IP Deny List. The first parameter %s1 is either the host
component or network component of an IP address. If a host component is
specified, the second parameter %s2 is specified as NODE; whereas if the
network component is specified, the second parameter is the subnet mask. See
the Example section. The entries that you specify by using the add command are
not applied until you commit them by using the commit command.
cancel
Cancels any uncommitted additions or deletions.
commit
Commits all additions or deletions to the LDAP policy object.
connections
Invokes the server connections submenu.
delete %d
Deletes the specified entry with the index number %d. Use the show command to
display entries with the respective index number.
%d
A numeric variable: the index number of an entry, as displayed by the show
command.
show
Shows all IP addresses that are included in the IP Deny List.
test %s
Determines whether the IP address specified by %s is allowed or denied access
to the domain controller. For example, given an IP Deny List entry of
192.168.100.0 255.255.255.0, when tested with an address of 192.168.100.10,
access is denied.
%s
An alphanumeric variable, such as an IP address or a subnet mask.
quit
Takes you back to the previous menu or exits the utility.
? or help
Displays help at the command prompt.
Remarks
• Similar to the LDAP administration limits, the IP Deny List only alters the
Default LDAP Policy object. The default LDAP Policy is applied to any domain
controller that has not had a specific LDAP policy applied to it or to the
site in which it belongs.
Examples
To deny access from a host with an address of 192.168.100.10, the command is:
Add 192.168.100.10 NODE
To deny access from all hosts with a network address of 192.168.100.0, the
command is:
Add 192.168.100.0 255.255.255.0
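As an added example (not code from the Ntdsutil documentation), the following Python models the NODE and subnet-mask matching rules, the add/delete/cancel/commit staging and the test check described above, plus a pre-commit helper that reports which of your own management hosts a staged list would deny. The class and method names, the 1-based index used by delete, the would_lock_out helper and the assumption that test consults only committed entries are all mine, not behaviour documented on this page.

```python
import ipaddress
from typing import List

# Added example modelling the Ntdsutil IP Deny List rules described above:
# "add <host> NODE" denies one host, "add <network> <mask>" denies a subnet,
# and nothing takes effect until "commit". Names here are assumptions.


class IPDenyList:
    def __init__(self) -> None:
        self.committed: List[ipaddress.IPv4Network] = []  # in force on the DC
        self.pending: List[ipaddress.IPv4Network] = []    # staged edits

    def add(self, addr: str, mask_or_node: str) -> None:
        """add %s1 %s2: %s2 is NODE for a single host, otherwise a subnet mask."""
        if mask_or_node.upper() == "NODE":
            net = ipaddress.IPv4Network(f"{addr}/32")
        else:
            # strict=False tolerates host bits set in the network component
            net = ipaddress.IPv4Network(f"{addr}/{mask_or_node}", strict=False)
        self.pending.append(net)

    def show(self) -> List[str]:
        """show: list staged entries with their index (assumed to start at 1)."""
        return [f"{i} {n.network_address} {n.netmask}"
                for i, n in enumerate(self.pending, start=1)]

    def delete(self, index: int) -> None:
        """delete %d: remove the entry with the index reported by show."""
        del self.pending[index - 1]

    def commit(self) -> None:
        """commit: apply all staged additions and deletions."""
        self.committed = list(self.pending)

    def cancel(self) -> None:
        """cancel: discard uncommitted additions and deletions."""
        self.pending = list(self.committed)

    def test(self, addr: str) -> str:
        """test %s: 'denied' if a committed entry covers addr, else 'allowed'."""
        ip = ipaddress.IPv4Address(addr)
        return "denied" if any(ip in n for n in self.committed) else "allowed"

    def would_lock_out(self, mgmt_hosts: List[str]) -> List[str]:
        """Assumed pre-commit check: management addresses that the staged list
        would deny LDAP access to. Run this before commit."""
        return [h for h in mgmt_hosts
                if any(ipaddress.IPv4Address(h) in n for n in self.pending)]


if __name__ == "__main__":
    dl = IPDenyList()
    dl.add("192.168.100.0", "255.255.255.0")   # the page's subnet example
    dl.add("192.168.100.10", "NODE")           # the page's host example
    print(dl.show())
    print("would lock out:", dl.would_lock_out(["192.168.100.50", "10.0.0.2"]))
    dl.commit()
    print(dl.test("192.168.100.10"), dl.test("192.168.101.10"))
```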
LDAP policies
Sets the LDAP administration limits for the Default-Query Policy object. At
the LDAP policies: prompt, type any of the parameters listed under Syntax.
Syntax
{cancel changes|commit changes|connections|list|set %s to %s|show values}
Parameters
cancel changes
Cancels any uncommitted modifications of the LDAP administration limits to the
default query policy.
commit changes
Commits all modifications of the LDAP administration limits to the default
query policy.
connections
Invokes the Server connections submenu.
list
Lists all supported LDAP administration limits for the domain controller.
set %s1 to %s2
Sets the value of the LDAP administration limit %s1 to the value %s2.
show values
Shows the current and proposed values for the LDAP administration limits.
%s
An alphanumeric variable, such as a domain or domain controller name.
quit
Takes you back to the previous menu or exits the utility.
? or help
Displays help at the command prompt.
Remarks
• The following table lists and describes the LDAP administration limits, with
default values noted in parentheses.
Value                         Description
InitRecvTimeout               Initial receive time-out (120 seconds)
MaxConnections                Maximum number of open connections (5000)
MaxConnIdleTime               Maximum amount of time a connection can be idle
                              (900 seconds)
MaxActiveQueries              Maximum number of queries that can be active at
                              one time (20)
MaxNotificationPerConnection  Maximum number of notifications that a client can
                              request for a given connection (5)
MaxPageSize                   Maximum page size supported for LDAP responses
                              (1000 records)
MaxQueryDuration              Maximum length of time the domain controller can
                              execute a query (120 seconds)
MaxTempTableSize              Maximum size of temporary storage allocated to
                              execute queries (10,000 records)
MaxResultSetSize              Maximum size of the LDAP Result Set (262144 bytes)
MaxPoolThreads                Maximum number of threads created by the domain
                              controller for query execution (4 per processor)
MaxDatagramRecv               Maximum number of datagrams that can be processed
                              by the domain controller simultaneously (1024)
• To ensure that domain controllers can support service level guarantees, you
need to specify operational limits for a number of Lightweight Directory
Access Protocol (LDAP) operations. These limits prevent specific operations
from adversely impacting the performance of the server and also make the
server resilient to denial of service attacks.
LDAP policies are implemented by using objects of the class queryPolicy. Query
Policy objects can be created in the container Query Policies, which is a
child of the Directory Service container in the configuration naming context.
For example: CN=Query-Policies, CN=Directory Service, CN=Windows NT, CN=Services
(configuration directory partition).
A domain controller uses the following three mechanisms to apply LDAP
policies:
• A domain controller might refer to a specific LDAP policy. The nTDSASettings
object includes an optional attribute queryPolicyObject, which contains the
distinguished name of a Query Policy.
• In the absence of a specific query policy being applied to a domain
controller, the domain controller applies the Query Policy that has been
assigned to the domain controller's site. The ntDSSiteSettings object includes
an optional attribute queryPolicyObject, which contains the distinguished name
of a Query Policy.
• In the absence of a specific domain controller or site Query Policy, a
domain controller uses the default query policy named Default-Query Policy.
A Query Policy object includes the multivalued attributes LDAPIPDenyList and
LDAPAdminLimits. Ntdsutil allows the administrator to set the LDAP
administration limits and IP Deny list for the Default-Query Policy object.
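As an added example (mine, not part of the Ntdsutil documentation), the following Python checks a set of LDAP administration limits against the defaults in the table above and lists the proposed values that differ from the current ones, which is what commit changes would apply and cancel changes would discard. The one-line-per-limit "Name current(proposed)" input format, the sample values and the function names are assumptions; the sample is constructed, not captured from a real domain controller.

```python
import re
from typing import Dict, Tuple

# Added example: audit LDAP administration limits against the defaults given
# in the table on this page and surface uncommitted edits. Input format and
# function names are assumptions, not the tool's own output or API.

# Defaults from the page's table, in the units given there.
DEFAULT_LIMITS: Dict[str, int] = {
    "InitRecvTimeout": 120,            # seconds
    "MaxConnections": 5000,
    "MaxConnIdleTime": 900,            # seconds
    "MaxActiveQueries": 20,
    "MaxNotificationPerConnection": 5,
    "MaxPageSize": 1000,               # records
    "MaxQueryDuration": 120,           # seconds
    "MaxTempTableSize": 10000,         # records
    "MaxResultSetSize": 262144,        # bytes
    "MaxPoolThreads": 4,               # per processor
    "MaxDatagramRecv": 1024,
}

# Assumed line shape: "<Name>  <current>(<proposed>)"; anything else is skipped.
LINE_RE = re.compile(r"^\s*(\w+)\s+(\d+)\((\d+)\)\s*$")


def parse_show_values(text: str) -> Dict[str, Tuple[int, int]]:
    """Parse 'Name current(proposed)' lines into {name: (current, proposed)}."""
    values: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            values[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return values


def audit_ldap_limits(text: str) -> Dict[str, Dict[str, object]]:
    """Judge each limit on its proposed value (what a commit would apply):
    'default', 'raised' (more resources per client, weaker DoS resilience),
    'lowered', or 'unlisted' for names not in the page's table."""
    report: Dict[str, Dict[str, object]] = {}
    for name, (current, proposed) in parse_show_values(text).items():
        default = DEFAULT_LIMITS.get(name)
        if default is None:
            status = "unlisted"
        elif proposed == default:
            status = "default"
        elif proposed > default:
            status = "raised"
        else:
            status = "lowered"
        report[name] = {"current": current, "proposed": proposed,
                        "default": default, "status": status}
    return report


def uncommitted_changes(report: Dict[str, Dict[str, object]]):
    """Names whose proposed value differs from the current one: these are the
    edits that 'commit changes' applies and 'cancel changes' discards."""
    return sorted(n for n, r in report.items() if r["current"] != r["proposed"])


# Constructed sample in the assumed format (not captured from a real DC).
SAMPLE = """\
Policy                          Current(New)
InitRecvTimeout                 120(120)
MaxConnections                  5000(20000)
MaxConnIdleTime                 900(900)
MaxActiveQueries                20(20)
MaxNotificationPerConnection    5(5)
MaxPageSize                     1000(1000)
MaxQueryDuration                120(600)
MaxTempTableSize                10000(10000)
MaxResultSetSize                262144(262144)
MaxPoolThreads                  4(4)
MaxDatagramRecv                 1024(1024)
"""

if __name__ == "__main__":
    rep = audit_ldap_limits(SAMPLE)
    for name in uncommitted_changes(rep):
        r = rep[name]
        print(f"{name}: {r['current']} -> {r['proposed']} "
              f"(default {r['default']}, {r['status']})")
```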
Metadata cleanup
Cleans up metadata for failed domain controllers. When a failed domain
controller stores the only copy of one or more domains or application
directory partitions (also called "naming contexts"), metadata cleanup also
cleans up metadata for selected domains or application directory partitions.
When you use the version of Ntdsutil.exe that is included with Windows Server
2003 Service Pack 1 (SP1), metadata cleanup also removes File replication
service (FRS) connections and attempts to transfer or seize any operations
master roles that the retired domain controller holds.
At the metadata cleanup: prompt, type any of the parameters listed under
Syntax.
Syntax
{connections|remove selected domain|remove selected naming context|remove
selected server|remove selected server %s|remove selected server %s1 on
%s2|select operation target}
Parameters
Note
• When you use the version of Ntdsutil.exe that is included with Windows
Server 2003 SP1, you can remove server metadata by using the remove selected
server %s or remove selected server %s1 on %s2 commands without first using
the Server connections and Select operation target submenus.
connections
Invokes the Server connections submenu.
remove selected domain
Removes the metadata associated with the domain selected in the Select
operation target submenu.
remove selected naming context
Removes the metadata associated with the Naming Context selected in the Select
operation target submenu.
remove selected server
Removes the metadata associated with the domain controller selected in the
Select operation target submenu.
remove selected server %s
In the version of Ntdsutil.exe that is included with Windows Server 2003 SP1,
removes directory and FRS metadata for the disabled server %s from the
directory on localhost, and attempts to transfer or seize any operations
master roles held by server %s to localhost.
remove selected server %s1 on %s2
In the version of Ntdsutil.exe that ships with Windows Server 2003 SP1,
connects to server %s2, removes directory and FRS metadata for server %s1 from
the directory on server %s2, and attempts to transfer or seize any operations
master roles held by server %s1 to server %s2.
select operation target
Invokes the Select operation target submenu.
quit
Takes you back to the previous menu or exits the utility.
? or help
Displays help at the command prompt.
Remarks
• The directory service maintains various metadata for each domain and server
known to the forest. Normally, domains and domain controllers are created by
means of promotion using the Active Directory Installation Wizard and are
removed by means of demotion using the same tool. You can invoke the Active
Directory Installation Wizard by typing dcpromo at the command prompt.
Promotion and demotion are designed to correctly clean up the appropriate
metadata. In the directory, however, you might have domain controllers that
were decommissioned incorrectly. In this case, their metadata is not cleaned
up. For example, a domain controller has failed, and rather than attempting to
restore it, you decide to retire the server. This leaves some information
about the retired domain controller in the directory. The general model of
operation is to connect to a server known to have a copy of the offending
metadata, select an operation target, and then delete the metadata of the
selected target. The version of Ntdsutil.exe that is included with Windows
Server 2003 SP1 can automatically connect to a specified server and remove
metadata for a specified target in the same step.
Caution
• Do not delete the metadata of existing domains and domain controllers.
Roles
Transfers and seizes operations master roles. At the roles: prompt, type any
of the parameters listed under Syntax.
Syntax
{connections|seize domain naming master|seize infrastructure master|seize
PDC|seize RID master|seize schema master|select operation target|transfer
domain naming master|transfer infrastructure master|transfer PDC|transfer RID
master|transfer schema master}
Parameters
connections
Invokes the Server connections submenu.
seize domain naming master
Forces the domain controller to which you are connected to claim ownership of
the domain-naming operations master role without regard to the data associated
with the role. Use only for recovery purposes.
seize infrastructure master
Forces the domain controller to which you are connected to claim ownership of
the infrastructure operations master role without regard to the data
associated with the role. Use only for recovery purposes.
seize PDC
Forces the domain controller to which you are connected to claim ownership of
the PDC operations master role without regard to the data associated with the
role. Use only for recovery purposes.
seize RID master
Forces the domain controller to which you are connected to claim ownership of
the relative ID master role without regard to the data associated with the
role. Use only for recovery purposes.
seize schema master
Forces the domain controller to which you are connected to claim ownership of
the schema operations master role without regard to the data associated with
the role. Use only for recovery purposes.
select operation target
Invokes the Select operation target submenu.
transfer domain naming master
Instructs the domain controller to which you are connected to obtain the
domain-naming role by means of controlled transfer.
transfer infrastructure master
Instructs the domain controller to which you are connected to obtain the
infrastructure operations master role by means of controlled transfer.
transfer PDC
Instructs the domain controller to which you are connected to obtain the PDC
operations master by means of controlled transfer.
transfer RID master
Instructs the domain controller to which you are connected to obtain the
relative ID master role by means of controlled transfer.
transfer schema master
Instructs the domain controller to which you are connected to obtain the
schema operations master role by means of controlled transfer.
quit
Takes you back to the previous menu or exits the utility.
? or help
Displays help at the command prompt.
Remarks
• Although Active Directory is based on a multimaster administration model,
some operations support only a single master. For multimaster operations,
conflict resolution ensures that after the system finishes replicating, all
replicas agree on the value for a given property on a given object. However,
some data, for which adequate conflict resolution is not possible, is key to
the operation of the system as a whole. This data is controlled by individual
domain controllers called operations masters. These domain controllers are
referred to as holding a particular operations master role.
Following are the five operations master roles; some are enterprise-wide and
some are per domain:
• Schema Operations Master. There is a single schema operations master role
for the entire enterprise. This role allows the operations master server to
accept schema updates. There are other restrictions on schema updates.
• Relative ID Master. There is one relative ID master per domain. Each domain
controller in a domain has the ability to create security principals. Each
security principal is assigned a relative ID. Each domain controller is
allocated a small set of relative IDs out of a domain-wide relative ID pool.
The relative ID master role allows the domain controller to allocate new
subpools out of the domain-wide relative ID pool.
• Domain-Naming Master. There is a single domain-naming master role for the
entire enterprise. The domain-naming master role allows the owner to define
new cross-reference objects representing domains in the Partitions container.
• PDC Operations Master. There is one primary domain controller (PDC)
operations master role per domain. The owner of the PDC operations master role
identifies which domain controller in a domain performs Windows NT 4.0 PDC
activities in support of Windows NT 4.0 backup domain controllers and clients
using earlier versions of Windows.
• Infrastructure Master. There is one infrastructure master role per domain.
The owner of this role ensures the referential integrity of objects with
attributes that contain distinguished names of other objects that might exist
in other domains. Because Active Directory allows objects to be moved or
renamed, the infrastructure master periodically checks for object
modifications and maintains the referential integrity of these objects.
• An operations master role can only be moved by administrative involvement;
it is not moved automatically. Additionally, moving a role is controlled by
standard access controls. Thus a corporation should tightly control the
location and movement of operations master roles. For example, an organization
with a strong IT presence might place the schema role on a server in the IT
group and configure its access control list (ACL) so that it cannot be moved
at all.
Operations master roles require two forms of management: controlled transfer
and seizure.
Use controlled transfer when you want to move a role from one server to
another, perhaps to track a policy change with respect to role location or in
anticipation of a server being shut down, moved, or decommissioned.
Seizure is required when a server that is holding a role fails and you do not
intend to restore it. Even in the case of a server recovered from a backup,
the server does not assume that it owns a role (even if the backup tape says
so), because the server cannot determine if the role was legitimately
transferred to another server in the time period between when the backup was
made and the server failed and was recovered. The restored server assumes role
ownership only if a quorum of existing servers is available during recovery
and they all agree that the restored server is still the owner.
The Roles submenu in Ntdsutil is used to perform controlled transfer and
recovery of operations master roles. Controlled transfer is simple and safe.
Because the source and destination servers are running, the system software
guarantees that the operations master role token and its associated data is
transferred atomically. Operations master role seizure is equally simple but
not as safe. You simply tell a particular domain controller that it is now the
owner of a particular role.
Caution
• Do not make a server a role owner by means of seizure commands if the real
role holder exists on the network. Doing this could create irreconcilable
conflicts for key system data. If an operations master role owner is
temporarily unavailable, do not make another domain controller the role owner.
This could result in a situation where two computers function as the role
owner, which might cause irreconcilable conflicts for key system data.
Security account management
Manages security identifiers (SIDs). At the security account management:
prompt, type any of the parameters listed under Syntax.
Syntax
{check duplicate SID|cleanup duplicate SID|connect to server %s|log file %s}
Parameters
check duplicate SID
Checks the domain for any objects that have duplicate security identifiers.
cleanup duplicate SID
Deletes all objects that have duplicate security identifiers and logs these
entries into the log file.
connect to server %s
Connects to the server named by %s, which can be a NetBIOS name or a DNS host name.
log file %s
Sets the log file to %s. If a log file is not explicitly set, the log file
defaults to Dupsid.log.
%s
An alphanumeric variable, such as a domain or domain controller name.
quit
Takes you back to the previous menu or exits the utility.
? or help
Displays help at the command prompt.
Remarks
• Each security account (users, groups, and computers) is identified by a
unique security identifier (SID). Use a SID to uniquely identify a security
account and to perform access checks against resources, such as files, file
directories, printers, Exchange mailboxes, Microsoft SQL server databases,
objects stored in Active Directory, or any data that is protected by the
Windows Server 2003, Standard Edition security model.
A SID is made up of header information and a set of relative identifiers that
identify the domain and the security account. Within a domain, each domain
controller is capable of creating accounts and issuing each account a unique
security identifier. Each domain controller maintains a pool of relative IDs
that is used in the creation of security identifiers. When 80 percent of the
relative ID pool is consumed, the domain controller requests a new pool of
relative identifiers from the relative ID operations master. This ensures that
the same pool of relative IDs is never allocated to different domain
controllers and prevents the allocation of duplicate security identifiers.
However, because it is possible (but rare) for a duplicate relative ID pool to
be allocated, you need to identify those accounts that have been issued
duplicate security identifiers so that you can prevent security settings from
being applied to the wrong account.
One cause of duplicate relative ID pools is when the administrator seizes the
relative ID master role while the original relative ID master is operational
but temporarily disconnected from the network. In normal practice, after one
replication cycle, the relative ID master role is assumed by just one domain
controller, but it is possible that before the role ownership is resolved, two
different domain controllers might each request a new relative ID pool and be
allocated the same relative ID pool.
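As an added illustration that is not part of the Ntdsutil documentation, the following Python script models what the check duplicate SID command and the RID pool remarks above describe: it validates SID strings, reports objects that share a SID, flags domain controllers whose RID pools overlap, and applies the 80 percent refresh rule. The domain SID, distinguished names, DC names and pool ranges are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: a domain SID, a few accounts and the RID pool each
# DC believes it owns. Names and ranges are assumptions for illustration only.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_ACCOUNTS = [
    ("CN=alice,CN=Users,DC=corp,DC=example", DOMAIN_SID + "-1105"),
    ("CN=bob,CN=Users,DC=corp,DC=example", DOMAIN_SID + "-1106"),
    ("CN=svc-backup,OU=Service,DC=corp,DC=example", DOMAIN_SID + "-1105"),
    ("CN=DC02,OU=Domain Controllers,DC=corp,DC=example", DOMAIN_SID + "-1001"),
]
# DC01 and DC02 hold the same pool: the outcome described in the Remarks when the
# RID master role is seized while the original holder is only disconnected.
SAMPLE_POOLS = {"DC01": (1100, 1599), "DC02": (1100, 1599), "DC03": (1600, 2099)}

def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>...-<RID>' into (issuing SID, RID)."""
    parts = sid.split("-")
    if (len(parts) < 4 or parts[0] != "S" or parts[1] != "1"
            or not all(p.isdigit() for p in parts[2:])):
        raise ValueError("malformed SID: " + sid)
    return "-".join(parts[:-1]), int(parts[-1])

def check_duplicate_sids(accounts):
    """Mirror 'check duplicate SID': map every shared SID to the DNs that use it."""
    by_sid = defaultdict(list)
    for dn, sid in accounts:
        parse_sid(sid)  # reject malformed values instead of silently grouping them
        by_sid[sid].append(dn)
    return {sid: dns for sid, dns in by_sid.items() if len(dns) > 1}

def overlapping_rid_pools(pools):
    """Return (dc_a, dc_b, first, last) for every pair whose RID ranges intersect."""
    names = sorted(pools)
    found = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            first = max(pools[a][0], pools[b][0])
            last = min(pools[a][1], pools[b][1])
            if first <= last:
                found.append((a, b, first, last))
    return found

def pool_needs_refresh(first, last, next_rid, threshold=0.8):
    """The 80 percent rule: a DC asks the RID master for a new pool at this point."""
    return (next_rid - first) / (last - first + 1) >= threshold

if __name__ == "__main__":
    for sid, dns in check_duplicate_sids(SAMPLE_ACCOUNTS).items():
        print("duplicate SID", sid, "used by", ", ".join(dns))
```

Running the script reports the SID shared by alice and svc-backup; overlapping_rid_pools(SAMPLE_POOLS) shows the DC01/DC02 range collision that produced it.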
Semantic database analysis
Analyzes data with respect to Active Directory semantics. At the semantic
database analysis: prompt, type any of the parameters listed under Syntax.
Syntax
{get %d|go|verbose %s}
Parameters
get %d
Retrieves record number %d from the Ntds.dit.
go
Starts the semantic analysis of the Ntds.dit. A report is generated and
written to a file named Dsdit.dmp.n, in the current directory, where n is an
integer incremented each time that you carry out the command.
verbose %s
Toggles verbose mode on or off.
%d
A numeric variable, such as replication delay time periods.
%s
An alphanumeric variable, such as a domain or domain controller name.
quit
Takes you back to the previous menu or exits the utility.
? or help
Displays help at the command prompt.
Remarks
• Unlike the file management commands described earlier, which test the
integrity of the database with respect to the ESENT database semantics, the
semantic analysis analyzes the data with respect to Active Directory
semantics. It generates reports on the number of records present, including
deleted and phantom records.
Note
• End users should not use this command except when Microsoft requests them to
use it as an aid to fault diagnosis.
Set DSRM Password
Resets the directory services restore mode (DSRM) password on a domain
controller. At the Reset DSRM Administrator Password: prompt, type any of the
parameters listed under Syntax.
Syntax
Reset Password on server %s
Parameters
Reset Password on server %s
Prompts for a new DSRM password for a domain controller. Use NULL as the
domain controller name to reset the DSRM password on the current server. After
entering this parameter, the Please type password for DS Restore Mode
Administrator Account: prompt appears. At this prompt, type the desired new
DSRM password.
%s
An alphanumeric variable, such as a domain or domain controller name.
quit
Takes you back to the previous menu or exits the utility.
? or help
Displays help at the command prompt.
Remarks
• The DSRM password on a domain controller is initially set when the Active
Directory Installation Wizard (Dcpromo) is run on a server to promote it to a
domain controller.
• If the domain controller is currently running in directory services restore
mode, you cannot reset its DSRM password using Ntdsutil.
Remarks
• By default, Ntdsutil.exe is installed in the systemroot\System32 folder. For
more information about Ntdsutil.exe, see Using Ntdsutil.
• If the variable has spaces in it, enclose it in parentheses, instead of
quotation marks, as follows:
connect to server (xxx yyy)