Active Directory Directory Services Maintenance Utility (NTDSUtil.exe)

(ntdsutil.exe)
Applies To:Windows Server 2003 with SP1
What does Ntdsutil.exe do?
Ntdsutil.exeis a command-linetool that provides management facilities for Active Directory. You can use Ntdsutil.exeto
perform database maintenance of Active Directory, manageand control single master operations,createapplication directory
partitions,and remove metadata left behind by domain controllers that were not successfully demoted using the Active
Directory Installation wizard (DCPromo.exe).
Who does this feature apply to?
This featureapplies to the Ntdsutil.exe utility,and is of interest to Active Directory administrators only.
What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
General Improvements
Detailed description
Ntdsutil.exe no longer requires theadministrator to perform thefollowing tasks in the ntdsutil metadata cleanup command:
Connect to specific domain controller using ntdsutil metadata cleanup connectionscommand.
Listand select the Active Directory domain, site,and server using the ntdsutil metadata cleanup Select Operation
Target command.
Two new variations of this command areintroduced in Windows Server 2003 Service Pack 1:
Ntdsutil “metadata cleanup” “remove selected server”ServerObject
When using this command, specify the distinguished name(DN) path of theserver object (ServerObject) of the domain
controller whose metadata you want to remove.Theserver object is the parent of the NTDS settings object in the
configuration container.For example, for the domain controller named DC1 located in the default-first-site-name of the
contoso.com forest, the DN path of theserver object would becn=DC1,cn=servers,cn=default-first-site-name
,cn=configuration,dc=contoso,dc=com. If the DN path contains any spaces,enclosetheentire DN path in quotes.
Ntdsutil “metadata cleanup” “remove selected server”ServerObject on TargetDC
This command is identical to the oneabove,except itallows theadministrator to specify the domain controller
(TargetDC) on which theremoval is performed.TargetDC must beentered as the DNS or NetBIOS name of the domain
controller.
Why is this change important? What threats does it mitigate?
This changesignificantly improves the usability of this command for removing metadata.
What works differently?
From the“metadata cleanup” menu, the user no longer has to go into the“connections” menu or the”select operations
target” menu to set up theappropriatestate.
What existing functionality is changing in Windows Server 2003 Service Pack 1?
Improved Metadata Cleanup
Detailed description
The metadata cleanup command has been improved in Windows Server 2003 Service Pack 1 to clean up metadata in Active
Directory.
What works differently? Are there any dependencies?
Theexisting “remove selected server” command in the”metadata cleanup” menu of Ntdsutil.exe has been enhanced with
new functionality.
Prior to Service Pack 1, this command only performed thefollowing operations:
Deletethe NTDS settings object for the domain controller (DC).
Deleteall manual and automatic inbound connections to the DC being removed.
Deletethecorresponding DC’s FRS member object from thesysvol replica set.
With therelease ofService Pack 1, thefollowing additional operations are performed as part of this command:
Deletethecomputer account for the DC being deleted, including FRS subscriber objects.
Deleteall manual and automatic outbound Active Directory connections from the DC being removed.
Deleteinbound and outbound FRS connections from any non-sysvol FRS replica sets that the DC being deleted is a
member of.
Check whether the DC being removed holds any operations masters roles. If yes, this command will attempt to reassign
(seize) theroles to an active DC that meets criteria for the operations master role(s).