Active Directory Directory Services Maintenance Utility (NTDSUtil.exe)


      Applies To: Windows Server 2003 with SP1
      What does Ntdsutil.exe do?
      Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory. You can use Ntdsutil.exe to
      perform database maintenance of Active Directory, manage and control single master operations, create application directory
      partitions, and remove metadata left behind by domain controllers that were not successfully demoted using the Active
      Directory Installation wizard (DCPromo.exe).
      Who does this feature apply to?
      This feature applies to the Ntdsutil.exe utility, and is of interest to Active Directory administrators only.
      What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
      General Improvements
      Detailed description
      Ntdsutil.exe no longer requires the administrator to perform the following tasks in the ntdsutil metadata cleanup command:
        • Connect to a specific domain controller using the ntdsutil metadata cleanup connections command.
        • List and select the Active Directory domain, site, and server using the ntdsutil metadata cleanup Select Operation
          Target command.
      Two new variations of this command are introduced in Windows Server 2003 Service Pack 1:
        • Ntdsutil "metadata cleanup" "remove selected server" ServerObject
          When using this command, specify the distinguished name (DN) path of the server object (ServerObject) of the domain
          controller whose metadata you want to remove. The server object is the parent of the NTDS settings object in the
          configuration container. For example, for the domain controller named DC1 located in the default-first-site-name of
          the forest, the DN path of the server object would be
          cn=DC1,cn=servers,cn=default-first-site-name,cn=configuration,dc=contoso,dc=com. If the DN path contains any spaces,
          enclose the entire DN path in quotes.
        • Ntdsutil "metadata cleanup" "remove selected server" ServerObject on TargetDC
          This command is identical to the one above, except it allows the administrator to specify the domain controller
          (TargetDC) on which the removal is performed. TargetDC must be entered as the DNS or NetBIOS name of the domain
      Why is this change important? What threats does it mitigate?
      This change significantly improves the usability of this command for removing metadata.
      What works differently?
      From the "metadata cleanup" menu, the user no longer has to go into the "connections" menu or the "select operations
      target" menu to set up the appropriate state.
      What existing functionality is changing in Windows Server 2003 Service Pack 1?
      Improved Metadata Cleanup
      Detailed description
      The metadata cleanup command has been improved in Windows Server 2003 Service Pack 1 to clean up metadata in Active
      What works differently? Are there any dependencies?
      The existing "remove selected server" command in the "metadata cleanup" menu of Ntdsutil.exe has been enhanced with
      new functionality.
      Prior to Service Pack 1, this command only performed the following operations:
        • Delete the NTDS settings object for the domain controller (DC).
        • Delete all manual and automatic inbound connections to the DC being removed.
        • Delete the corresponding DC's FRS member object from the sysvol replica set.
      With the release of Service Pack 1, the following additional operations are performed as part of this command:
        • Delete the computer account for the DC being deleted, including FRS subscriber objects.
        • Delete all manual and automatic outbound Active Directory connections from the DC being removed.
        • Delete inbound and outbound FRS connections from any non-sysvol FRS replica sets that the DC being deleted is a
          member of.
        • Check whether the DC being removed holds any operations master roles. If yes, this command will attempt to reassign
          (seize) the roles to an active DC that meets criteria for the operations master role(s).
