Product Reviews

A Few of My Favorite Things: NTDSUtil

Compaq knows a thing or two about troubleshooting large networks. Here are some of the utilities and programs it uses most and likes best for Windows 2000.

NTDSUtil is a command-line utility in Win2K that provides directory-management features not implemented in any of the graphical tools found in the basic OS. It’s located in the WINNT\SYSTEM32 directory.

This brief overview covers Floating Single Master Operations (FSMO) seizure using NTDSUtil. For additional information on the operation of each FSMO role, refer to Microsoft TechNet article Q197132, “Windows 2000 AD FSMO Roles.”

One word of caution: NTDSUTIL is a powerful tool and, in a live Active Directory environment, should be used only by experienced administrators (see the figure).

[Figure: NTDSUtil. Caption: NTDSUtil can do a lot for you, but be careful in there!]

NTDSUtil has three core functions:

  • AD database management.
  • Management of FSMO roles.
  • Cleaning up metadata left behind by failed domain controllers (DCs), in other words DCs removed from the network without being uninstalled.

NTDSUtil is run from the command prompt without any arguments and then parses keyboard input after it’s invoked. Microsoft has attempted to make the commands as simple as possible. For instance, to issue the command:

list roles for connected server

it’s only necessary to enter enough of each word to make the command unique. Thus, you’d only need to type in:

li r f c s

to execute the command. NTDSUTIL has a number of menus. At each level you can enter “?” or “h” to list commands available from that menu or sub-menu. Entering “q” will return you to the previous menu or, if you’re at the outermost menu, will exit the program.
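The abbreviation rule described above, as an added Python example (not code from the article or from Microsoft); it also covers the case where an abbreviation fits more than one command. The menu is a constructed sample in which only "list roles for connected server" comes from the article, "%d" marks a numeric argument, and the matching logic is an assumption about the rule, not NTDSUtil's actual parser.

```python
# Illustrative resolver for abbreviated menu commands: each typed word must be
# a prefix of the corresponding command word, and exactly one command may match.
# Assumption: this mirrors the rule the article describes; it is not NTDSUtil's parser.

# Constructed sample menu. Only the first entry is taken from the article;
# "%d" stands for a numeric argument.
SAMPLE_MENU = [
    "list roles for connected server",
    "list servers in site",
    "list sites",
    "list domains",
    "select site %d",
    "select server %d",
    "quit",
]


class AmbiguousCommand(ValueError):
    """More than one menu command matches the typed abbreviation."""


class UnknownCommand(ValueError):
    """No menu command matches the typed abbreviation."""


def word_matches(typed, pattern):
    """A typed word fits a pattern word if it is a prefix (or a number for %d)."""
    if pattern == "%d":
        return typed.isdigit()
    return pattern.startswith(typed)


def candidates(line, menu=SAMPLE_MENU):
    """Return every menu command that the typed line could stand for."""
    typed = line.lower().split()
    hits = []
    for command in menu:
        pattern = command.lower().split()
        if len(typed) == len(pattern) and all(map(word_matches, typed, pattern)):
            hits.append(command)
    return hits


def resolve(line, menu=SAMPLE_MENU):
    """Return the single matching command, or refuse to guess."""
    hits = candidates(line, menu)
    if not hits:
        raise UnknownCommand(line)
    if len(hits) > 1:
        raise AmbiguousCommand(f"{line!r} matches {hits}")
    return hits[0]
```

In this sample menu "s s 0" fits both select commands and is rejected, while "s si 0" resolves to the site selection.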

If a DC that hosts an FSMO role becomes unavailable, it may be necessary to seize the affected role and reassign it to another DC. There can be hidden problems involved in this process, so before deciding to seize a role it’s always worth confirming that the role really will be unavailable for an extended period of time. The impact of a missing FSMO role depends on a number of factors, so if the DC will only be unavailable for a few hours, you may not want to reassign the role.

The DC performing the seizure should ideally have a current replica of the role object set, because the current FSMO role holder isn’t involved in the role seizure. This can be checked using a tool like ReplMon. If the DC assuming the FSMO role is based on an older version of the role object set, then some data may be lost.

About the Author

Patrick Lownds, MCSE, MCSE+I, is a technology consultant for Compaq who works with the Technology Consulting Group.
