A Few of My Favorite Things: NTDSUtil
Compaq knows a thing or two about troubleshooting large networks. Here are some of the utilities and programs it uses most and likes best for Windows 2000.
NTDSUtil is a command-line utility
in Win2K that provides directory-management features
not implemented in any of the graphical tools
found in the basic OS. It’s located in the WINNT\SYSTEM32
This brief overview of NTDSUtil covers
Floating Single Master Operations (FSMO) seizure
using NTDSUtil. For additional information on
the operation of each FSMO role, refer to Microsoft
TechNet article Q197132, “Windows 2000 AD FSMO
One word of caution: NTDSUtil is
a powerful tool and, in a live Active Directory
environment, should be used only by experienced
administrators (see the figure).
do a lot for you, but be careful in there!
NTDSUtil has three core functions:
- AD database management.
- Management of FSMO roles.
- Cleaning up of metadata left
behind by failed domain controllers (DCs) (in
other words, DCs removed from the network without
NTDSUtil is run from the command
prompt without any arguments and then parses keyboard
input after it’s invoked. Microsoft has attempted
to make the commands as simple as possible. For
instance, to issue the command:
roles for connected server
it’s only necessary to enter enough
of each word to make the command unique. Thus,
you’d only need to type in:
r f c s
to execute the command. NTDSUtil
has a number of menus. At each level you can enter
“?” or “h” to list commands available from that
menu or sub-menu. Entering “q” will return you
to the previous menu or, if you’re at the outermost
menu, will exit the program.
If a DC that hosts an FSMO role becomes
unavailable, it may be necessary to seize the
affected role and reassign it to another DC. There
can be hidden problems involved in this process,
so it’s always worth confirming that the FSMO role
really will be unavailable for an extended period
of time before deciding to seize it.
The impact of a missing FSMO role depends
on a number of factors, so if the DC will only
be unavailable for a few hours, you may not want
to reassign the role.
The DC performing the seizure should
ideally have a current replica of the role object
set, because the current FSMO role holder isn’t
involved in the role seizure. This can be checked
using a tool like ReplMon. If the DC assuming the
FSMO role holds an older version of the role object
set, then some data may be lost.
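As an added illustration (not part of the original article), a seizure session typed at the NTDSUtil prompts could look like the following, with the text before each colon being the menu prompt and the text after it the command entered. The name <target-dc> is a placeholder for the DC that will assume the role, and the RID master is used only as an example role. The list step shows which role holders the connected DC currently knows about before anything is changed.

```console
C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <target-dc>
server connections: quit
fsmo maintenance: select operation target
select operation target: list roles for connected server
select operation target: quit
fsmo maintenance: seize RID master
fsmo maintenance: quit
ntdsutil: quit
```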
Patrick Lownds, MCSE, MCSE+I, is
a technology consultant for Compaq who works with
the Technology Consulting Group.