Active Directory Directory Services Maintenance Utility (NTDSUtil.exe)


This topic contains 0 replies, has 1 voice, and was last updated by  Webmaster 1 year, 11 months ago.



    Applies To: Windows Server 2003 with SP1

    What does Ntdsutil.exe do?
    Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory. You can use Ntdsutil.exe to
    perform database maintenance of Active Directory, manage and control single master operations, create application directory
    partitions, and remove metadata left behind by domain controllers that were not successfully demoted using the Active
    Directory Installation wizard (DCPromo.exe).

    Who does this feature apply to?
    This feature applies to the Ntdsutil.exe utility, and is of interest to Active Directory administrators only.

    What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
    General Improvements
    Detailed description
    Ntdsutil.exe no longer requires the administrator to perform the following tasks in the ntdsutil metadata cleanup command:
    Connect to specific domain controller using ntdsutil metadata cleanup connections command.
    List and select the Active Directory domain, site, and server using the ntdsutil metadata cleanup Select Operation Target command.
    Two new variations of this command are introduced in Windows Server 2003 Service Pack 1:
    Ntdsutil "metadata cleanup" "remove selected server" ServerObject
    When using this command, specify the distinguished name (DN) path of the server object (ServerObject) of the domain
    controller whose metadata you want to remove. The server object is the parent of the NTDS settings object in the
    configuration container. For example, for the domain controller named DC1 located in the default-first-site-name of the
    forest, the DN path of the server object would be
    cn=DC1,cn=servers,cn=default-first-site-name,cn=configuration,dc=contoso,dc=com.
    If the DN path contains any spaces, enclose the entire DN path in quotes.
    Ntdsutil "metadata cleanup" "remove selected server" ServerObject on TargetDC
    This command is identical to the one above, except it allows the administrator to specify the domain controller
    (TargetDC) on which the removal is performed. TargetDC must be entered as the DNS or NetBIOS name of the domain

    Why is this change important? What threats does it mitigate?
    This change significantly improves the usability of this command for removing metadata.

    What works differently?
    From the "metadata cleanup" menu, the user no longer has to go into the "connections" menu or the "select operations
    target" menu to set up the appropriate state.

    What existing functionality is changing in Windows Server 2003 Service Pack 1?
    Improved Metadata Cleanup
    Detailed description
    The metadata cleanup command has been improved in Windows Server 2003 Service Pack 1 to clean up metadata in Active

    What works differently? Are there any dependencies?
    The existing "remove selected server" command in the "metadata cleanup" menu of Ntdsutil.exe has been enhanced with
    new functionality.
    Prior to Service Pack 1, this command only performed the following operations:
    Delete the NTDS settings object for the domain controller (DC).
    Delete all manual and automatic inbound connections to the DC being removed.
    Delete the corresponding DC's FRS member object from the sysvol replica set.
    With the release of Service Pack 1, the following additional operations are performed as part of this command:
    Delete the computer account for the DC being deleted, including FRS subscriber objects.
    Delete all manual and automatic outbound Active Directory connections from the DC being removed.
    Delete inbound and outbound FRS connections from any non-sysvol FRS replica sets that the DC being deleted is a member of.
    Check whether the DC being removed holds any operations masters roles. If yes, this command will attempt to reassign
    (seize) the roles to an active DC that meets criteria for the operations master role(s).
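
A pre-flight check for the ServerObject value described in the post above, added here as an example and not taken from the post or from Microsoft's documentation. It confirms the DN has the server-object shape (cn=<server>,cn=servers,... inside the configuration container), rejects the NTDS Settings child passed by mistake, and applies the quote-if-spaces rule; the function names are hypothetical and Python is assumed to be available where the command is prepared.

```python
def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep an escaped char with its RDN
            cur += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            parts.append(cur.strip())
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur.strip())
    return parts


def check_server_object(dn):
    """Raise ValueError unless dn has the shape of a server object DN."""
    pairs = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    if pairs[0] == ("cn", "ntds settings"):
        raise ValueError("NTDS Settings object given; pass its parent server object")
    if len(pairs) < 2 or pairs[0][0] != "cn" or pairs[1] != ("cn", "servers"):
        raise ValueError("expected cn=<server>,cn=servers,...")
    if ("cn", "configuration") not in pairs:
        raise ValueError("server object must be in the configuration container")
    tail = pairs[pairs.index(("cn", "configuration")) + 1:]
    if not tail or any(attr != "dc" for attr, _ in tail):
        raise ValueError("cn=configuration must be followed only by dc= components")


def server_object_argument(dn):
    """Return the DN as it should be typed: quoted if it contains a space."""
    dn = dn.strip()
    check_server_object(dn)
    if '"' in dn:
        raise ValueError("DN contains a double quote; cannot quote it safely")
    return f'"{dn}"' if " " in dn else dn


def ntds_settings_dn(dn):
    """DN of the NTDS Settings child object that the cleanup deletes."""
    dn = dn.strip()
    check_server_object(dn)
    return "cn=NTDS Settings," + dn
```

Because the cleanup deletes objects, run the check on the exact string that will be typed and compare the result of `ntds_settings_dn` with what the directory shows before running the command.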
