Lesson 7: Active Directory Support Tools

Some of the Windows 2000 Support Tools included on the Windows 2000 CD-ROM can help you monitor, maintain, and troubleshoot Active Directory. This lesson introduces you to the Windows 2000 Support Tools used to support Active Directory.

After this lesson, you will be able to

  • Install the Windows 2000 Support Tools
  • Identify the Windows 2000 Support Tools used to support Active Directory

Estimated lesson time: 10 minutes

Active Directory Support Tools

The Windows 2000 Support Tools included on the Windows 2000 CD-ROM are intended for use by Microsoft support personnel and experienced users to assist in diagnosing and resolving computer problems.

The following tools are available for support of Active Directory:

  • LDP.EXE: Active Directory Administration Tool
  • REPLMON.EXE: Active Directory Replication Monitor
  • REPADMIN.EXE: Replication Diagnostics Tool*
  • DSASTAT.EXE: Active Directory Diagnostic Tool*
  • SDCHECK.EXE: Security Descriptor Check Utility*
  • ACLDIAG.EXE: ACL Diagnostics*

*Command-prompt-only tools

LDP.EXE: Active Directory Administration Tool

The Active Directory Administration Tool allows users to perform LDAP operations, such as connect, bind, search, modify, add, and delete, against any LDAP-compatible directory, such as Active Directory. LDAP is an Internet-standard wire protocol used by Active Directory. The Active Directory Administration Tool is a graphical tool located on the Tools menu within Windows 2000 Support Tools.

In troubleshooting, the Administration Tool can be used by administrators to view objects stored in Active Directory along with their metadata, such as security descriptors and replication metadata.

REPLMON.EXE: Active Directory Replication Monitor

The Active Directory Replication Monitor tool enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication using a graphical interface. The Active Directory Replication Monitor is a graphical tool located on the Tools menu within Windows 2000 Support Tools.

Active Directory Replication Monitor Features

Some of the key features of the Active Directory Replication Monitor are

  • Graphical displays. Replication Monitor displays whether or not the monitored server is a global catalog server, automatically discovers the directory partitions that the monitored server hosts, graphically displays this breakdown, and shows the replication partners that are used for inbound replication for each directory partition. Replication Monitor distinguishes between direct replication partners, transitive replication partners, bridgehead servers, and servers removed from the network in the user interface. Failures from a specific replication partner are indicated by a change in the icon used for the partner.
  • Replication status history. The history of replication status per directory partition, per replication partner is recorded, generating a granular history of what occurred between two domain controllers. This history can be viewed through Replication Monitor's user interface or can be viewed offline or remotely through a text editor.
  • Property pages. For direct replication partners, a series of property pages displays the following for each partner: the name of the domain controller, its GUID, the directory partition that it replicates to the monitored server, the transport used (remote procedure call [RPC] or Simple Mail Transfer Protocol [SMTP]; when RPC is used, whether the connection is intra-site or inter-site), the time of the last successful and attempted replication events, update sequence number (USN) values, and any special properties of the connection between the two servers.
  • Status report generation. Administrators can generate a status report for the monitored server that includes a listing of the directory partitions for the server, the status of each replication partner (direct and transitive) for each directory partition, detail on which domain controllers the monitored server notifies when changes have been recorded, the status of any group policy objects (GPOs), the domain controllers that hold the Flexible Single Master Operations (FSMO) roles, a snapshot of the performance counters on the computer, and the registry configuration of the server (including parameters for the Knowledge Consistency Checker [KCC], Active Directory, Jet database, and LDAP). The administrator can also choose to record (in the same report) the enterprise configuration, which includes each site, site link, site link bridge, subnet, and domain controller (regardless of domain) and the properties of each type of object just mentioned. For example, for the domain controller properties, this records the GUID that makes up the DNS record that is used in replication, the location of the computer account in Active Directory, the inter-site mail address (if it exists), the host name of the computer, and any special flags for the server (whether or not it is a global catalog server). This can be extremely helpful when troubleshooting an Active Directory replication problem.
  • Server wizard. With Server wizard, administrators can either browse for the server to monitor or explicitly enter it. The administrator can also create an .ini file, which predefines the names of the servers to monitor, which is then loaded by Replication Monitor to populate the user interface.
  • Graphical site topology. Replication Monitor displays a graphical view of the intra-site topology and, by using the context menu for a given domain controller in the view, allows the administrator to quickly display the properties of the server and any intra- and inter-site connections that exist for that server.
  • Properties display. Administrators can display the properties for the monitored server including the server name, the DNS host name of the computer, the location of the computer account in Active Directory, preferred bridgehead status, any special flags for the server (for example, if it is the Primary Domain Controller [PDC] Emulator for its domain or not), which computers it believes to hold the FSMO roles, the replication connections (Replication Monitor differentiates between administrator and automatically generated connection objects) and the reasons they were created, and the IP configuration of the monitored server.
  • Statistics and replication state polling. In Automatic Update mode, Replication Monitor polls the server at an administrator-defined interval to get the current statistics and replication state. This feature generates a history of changes for each monitored server and its replication partners and allows the administrator to see topology changes as they occur for each monitored server. In this mode, Replication Monitor also monitors the count of failed replication attempts for each replication partner. If the failure count meets or exceeds an administrator-defined value, it can write to the event log and send an e-mail notification to the administrator.
  • Replication triggering. Administrators can trigger replication on a server with a specific replication partner, with all other domain controllers in the site, or with all other domain controllers, both intra-site and inter-site.
  • KCC triggering. Administrators can trigger the Knowledge Consistency Checker (KCC) on the monitored server to recalculate the replication topology.
  • Display nonreplicated changes. Administrators can display, on demand, Active Directory changes that have not yet replicated from a given replication partner.

REPADMIN.EXE: Replication Diagnostics Tool

REPADMIN.EXE is a command-line tool that assists administrators in diagnosing replication problems between Windows 2000 domain controllers.

During normal operation, the KCC automatically manages the replication topology for each naming context held on domain controllers.

REPADMIN.EXE allows the administrator to view the replication topology as seen from the perspective of each domain controller. In addition, REPADMIN.EXE can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.


During the normal course of operations, there is no need to manually create the replication topology. Incorrect use of this tool may adversely impact the replication topology. The major use of this tool is to monitor replication so problems such as offline servers or unavailable local area network (LAN)/wide area network (WAN) connections can be identified.

DSASTAT.EXE: Active Directory Diagnostic Tool

DSASTAT.EXE is a command-line tool that compares and detects differences between naming contexts on domain controllers.

DSASTAT.EXE can be used to compare two directory trees across replicas within the same domain or, in the case of a global catalog, across different domains. The tool retrieves capacity statistics, such as MB per server, objects per server, and MB per object class, and performs comparisons of attributes of replicated objects.

The user specifies the targeted domain controllers and additional operational parameters from the command line or from an initialization file. DSASTAT.EXE determines if domain controllers in a domain have a consistent and accurate image of their own domain. In the case of global catalogs, DSASTAT.EXE checks to see if the global catalog has a consistent image with domain controllers in other domains. As a complement to the replication monitoring tools, REPADMIN.EXE and REPLMON.EXE, DSASTAT.EXE can be used to ensure that domain controllers are up to date with one another.
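The following PowerShell script is an added example and is not part of the training kit. It drives REPADMIN.EXE and DSASTAT.EXE the way an administrator would when chasing a replication problem: it discovers every domain controller from the Configuration partition instead of a hand-kept list, runs repadmin /showreps and /showvector against each one, flags partners whose last inbound attempt failed, and finishes with a dsastat comparison of the domain partition on two domain controllers of the local domain. It assumes repadmin.exe and dsastat.exe are on the PATH and that the caller can read the Configuration partition. The "failed, result" string it greps for is the text repadmin /showreps prints for a failed partner, /showvector is the Windows 2000 spelling of the switch (later releases call it /showutdvec), and the -s:/-b: dsastat switches are used as documented in the Support Tools help; the report directory name is an assumption.

```powershell
# Added example (not from the training kit): replication snapshot of every DC with
# REPADMIN.EXE, plus a DSASTAT.EXE content comparison of the domain partition.
param(
    [string]$ReportDir = (Join-Path $env:TEMP ("ad-repl-" + (Get-Date -Format 'yyyyMMdd-HHmm')))
)
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = $rootDse.configurationNamingContext.Value
$domainNC = $rootDse.defaultNamingContext.Value

# Every NTDS Settings object under CN=Sites belongs to a DC. Its parent is the server
# object, whose dNSHostName is what repadmin wants and whose serverReference points
# at the DC's computer account (and therefore tells us which domain the DC is in).
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://CN=Sites,$configNC",
    "(objectClass=nTDSDSA)",
    [string[]]@("distinguishedName"))
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
$dcs = foreach ($result in $searcher.FindAll()) {
    $serverDN = $result.Properties["distinguishedname"][0] -replace '^CN=NTDS Settings,', ''
    $server = [ADSI]"LDAP://$serverDN"
    [PSCustomObject]@{ Host = $server.dNSHostName.Value; ComputerDN = $server.serverReference.Value }
}

$failures = @()
foreach ($dc in $dcs) {
    $out = Join-Path $ReportDir "$($dc.Host).txt"
    # /showreps: inbound partners per naming context with the time and result of the
    # last attempt. This is the first thing to read when a partner looks stuck.
    $reps = & repadmin /showreps $dc.Host
    # /showvector: the up-to-dateness vector this DC holds for the domain partition,
    # i.e. the highest originating USN it has applied from every other DC. An entry
    # that stops moving while the source keeps changing is a replication lag.
    $vector = & repadmin /showvector $domainNC $dc.Host
    ("=== repadmin /showreps $($dc.Host) ===", $reps, "",
     "=== repadmin /showvector $domainNC $($dc.Host) ===", $vector) | Out-File -FilePath $out
    # repadmin prints "Last attempt @ <time> failed, result <code>: <message>" per partner
    $failures += $reps | Select-String -Pattern 'failed, result' |
        ForEach-Object { "{0}: {1}" -f $dc.Host, $_.Line.Trim() }
}

if ($failures) { "Replication failures:"; $failures }
else          { "No failed inbound replication attempts reported." }

# Status says whether replication runs; dsastat says whether the replicas actually agree.
# -s: lists the servers to compare, -b: is the search base (the domain partition here).
# dsastat compares replicas of one domain, so pick two DCs whose computer accounts live
# in the local domain.
$local = @($dcs | Where-Object { $_.ComputerDN -like "*,$domainNC" })
if ($local.Count -ge 2) {
    & dsastat "-s:$($local[0].Host);$($local[1].Host)" "-b:$domainNC" |
        Out-File -FilePath (Join-Path $ReportDir "dsastat.txt")
}
"Reports written to $ReportDir"
```

Run it from a workstation with the Support Tools installed; one text file per domain controller lands in the report directory, which is what you want to keep when a partner has been failing for days and the question becomes "since when". Nothing here changes the topology: the script deliberately avoids /add, /delete and /kcc, which the caution above is about.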

SDCHECK.EXE: Security Descriptor Check Utility

SDCHECK.EXE is a command-line tool that displays the security descriptor for any object stored in the Active Directory. The security descriptor contains the ACLs defining the permissions that users have on objects stored in the Active Directory.

To enable administrators to determine the effective access controls on an object, SDCHECK.EXE also displays the object hierarchy and any ACLs that are inherited by the object from its parent.

As changes are made to the ACLs of an object or its parent, they are propagated automatically by the Active Directory. SDCHECK.EXE displays the security descriptor propagation metadata so that administrators can monitor these changes with respect to propagation of inherited ACLs as well as replication of ACLs from other domain controllers.

As a complement to the replication monitoring tools REPADMIN.EXE and REPLMON.EXE, SDCHECK.EXE can be used to ensure that the security descriptors held by domain controllers are up to date with one another.
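The following PowerShell script is an added example and is not part of the training kit. It reproduces what SDCHECK.EXE shows, and the "object plus security descriptor plus replication metadata" view described for LDP.EXE earlier in the lesson, using ADSI. For one object it lists every ACE and whether it is explicit or inherited, reports whether inheritance is blocked on the object, walks the parent chain to show which container contributes inheritable ACEs, and then reads the replication metadata of nTSecurityDescriptor to show which domain controller last changed the ACL and when. The sample DN is hypothetical. The msDS-ReplAttributeMetaData attribute is a constructed attribute of Windows Server 2003 and later domain controllers; on Windows 2000 the same per-attribute metadata comes from REPADMIN /showmeta <ObjectDN>.

```powershell
# Added example (not from the training kit): SDCHECK-style view of one object's ACL,
# its inheritance chain, and the replication metadata of its security descriptor.
param([string]$ObjectDN = "CN=Domain Admins,CN=Users,DC=corp,DC=example")  # hypothetical

function Get-AceReport {
    param([string]$DN)
    $entry = [ADSI]"LDAP://$DN"
    $sd = $entry.ObjectSecurity            # System.DirectoryServices.ActiveDirectorySecurity
    $aces = foreach ($rule in $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
        [PSCustomObject]@{
            Trustee    = $rule.IdentityReference.Value
            Type       = $rule.AccessControlType        # Allow / Deny
            Rights     = $rule.ActiveDirectoryRights
            ObjectType = $rule.ObjectType               # attribute/class/extended-right GUID, or all zeros
            Inherited  = $rule.IsInherited              # $false = explicit on this object
            AppliesTo  = $rule.InheritanceType          # None = this object only, not inheritable
        }
    }
    [PSCustomObject]@{
        DN        = $DN
        Owner     = $sd.GetOwner([System.Security.Principal.NTAccount]).Value
        Protected = $sd.AreAccessRulesProtected       # $true = "block inheritance" is set here
        Aces      = @($aces)
    }
}

$obj = Get-AceReport $ObjectDN
"Object: $($obj.DN)"
"Owner:  $($obj.Owner)   inheritance blocked: $($obj.Protected)"
$obj.Aces | Sort-Object Inherited, Trustee |
    Format-Table Trustee, Type, Rights, Inherited, AppliesTo -AutoSize

# Inherited ACEs are copies of inheritable ACEs on some ancestor. Walk up to the domain
# head and show each ancestor's explicit inheritable ACEs, which answers "where did this
# permission come from" the way SDCHECK's hierarchy display does.
$dn = $ObjectDN
while ($dn -notmatch '^DC=') {
    $dn = ($dn -split ',(?=(?:CN|OU|DC)=)', 2)[1]   # strip the leading RDN
    $parent = Get-AceReport $dn
    $inheritable = @($parent.Aces | Where-Object { -not $_.Inherited -and $_.AppliesTo -ne 'None' })
    "--- $dn  (explicit inheritable ACEs: $($inheritable.Count); inheritance blocked: $($parent.Protected))"
    $inheritable | Format-Table Trustee, Type, Rights, AppliesTo -AutoSize
}

# Replication metadata for the security descriptor itself: version, originating DC, time.
# Requires Windows Server 2003 or later DCs; on Windows 2000 use: repadmin /showmeta <DN>
$entry = [ADSI]"LDAP://$ObjectDN"
$entry.RefreshCache([string[]]@('msDS-ReplAttributeMetaData'))
foreach ($value in $entry.Properties['msDS-ReplAttributeMetaData']) {
    $meta = ([xml]$value).DS_REPL_ATTR_META_DATA
    if ($meta.pszAttributeName -eq 'nTSecurityDescriptor') {
        "nTSecurityDescriptor version $($meta.dwVersion), last originating change " +
        "$($meta.ftimeLastOriginatingChange) from $($meta.pszLastOriginatingDsaDN)"
    }
}
```

Two things in the output deserve attention during an investigation: an ACE that is explicit on a sensitive object when the design says it should only ever be inherited, and a security descriptor version that has moved when no administrator remembers changing it. The originating DSA DN in the last line tells you which domain controller's logs to read first.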


NLTEST.EXE is a command-line tool that helps perform network administrative tasks such as the following:

  • Testing trust relationships and the state of domain controller replication in a Windows domain
  • Querying and checking on the status of trust
  • Forcing a shutdown
  • Getting a list of PDCs
  • Forcing a user account database into sync on Microsoft Windows NT Server 4.0 or earlier domain controllers (Windows 2000 domain controllers use a completely different mechanism for maintaining user accounts.)

NLTEST.EXE runs only on x86-based computers.

ACLDIAG.EXE: ACL Diagnostics

ACLDIAG.EXE is a command-line tool that helps diagnose and troubleshoot problems with permissions on Active Directory objects. It reads security attributes from ACLs and outputs information in either readable or tab-delimited format. The latter can be saved to a text file for searches on particular permissions, users, or groups, or loaded into a spreadsheet or database for reporting. The tool also provides some simple cleanup functionality.

With ACLDIAG.EXE, you can

  • Compare the ACL on a directory services object to the permissions defined in the schema defaults
  • Check or fix standard delegations performed using templates from the Delegation Of Control wizard in the Active Directory Users And Computers console
  • Get effective permissions granted to a specific user or group or to all users and groups that show up in the ACL

ACLDIAG.EXE displays only the permissions of objects the user has the right to view. Because GPOs are virtual objects that have no distinguished name, this tool cannot be used on them.

For general-purpose ACL reporting and setting from the command prompt, you can also use DSACLS.EXE, another of the Windows 2000 Support Tools.


DSACLS.EXE is a command-line tool that facilitates management of ACLs for directory services. DSACLS.EXE enables you to query and manipulate security attributes on Active Directory objects. It is the command-line equivalent of the Security page on various Active Directory snap-in tools.

Along with ACLDIAG.EXE, DSACLS.EXE provides security configuration and diagnosis functionality for Active Directory objects from the command prompt.
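The following PowerShell session is an added example and is not part of the training kit. It performs a typical delegation with DSACLS.EXE and then verifies it with ACLDIAG.EXE, which is the pairing the two preceding sections describe: dsacls to set, acldiag to check. The OU, group and domain names are hypothetical, and dsacls.exe and acldiag.exe are assumed to be on the PATH (they install with the Windows 2000 Support Tools). The permission codes (CA, RP, WP), the /I:S inheritance switch and the trustee:rights;object-type;inherited-object-type syntax are those documented for dsacls; /geteffective, /chkdeleg and /tdo are the documented acldiag switches.

```powershell
# Added example (not from the training kit): delegate password resets on one OU with
# DSACLS.EXE and verify with ACLDIAG.EXE. Names below are hypothetical.
$ou    = "OU=Staff,DC=corp,DC=example"
$group = "CORP\HelpDesk"

# 1. Baseline: current ACL, including audit (SACL) entries (/A), before changing anything.
dsacls $ou /A

# 2. Grant the "Reset Password" extended right (CA = control access) on user objects
#    below the OU. /I:S applies the ACE to sub-objects only, not to the OU itself, and
#    the trailing "user" limits inheritance to objects of class user.
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"

# 3. Let the same group read and write pwdLastSet (RP/WP = read/write property) so they
#    can force "must change password at next logon" after a reset.
dsacls $ou /I:S /G "${group}:RPWP;pwdLastSet;user"

# 4. Verify with acldiag: effective rights for this trustee on the OU ...
acldiag $ou "/geteffective:$group"
#    ... whether the ACL now matches a Delegation of Control wizard template ...
acldiag $ou /chkdeleg
#    ... and a tab-delimited dump for a spreadsheet, or for grepping one trustee across OUs.
acldiag $ou /tdo | Out-File -FilePath (Join-Path $env:TEMP "staff-ou-acl.tsv")

# 5. Rollback if the result is wrong: /R removes every explicit ACE for the trustee on
#    the object. ACEs inherited from a parent are not touched and must be removed there.
# dsacls $ou /R $group
```

Delegating the extended right alone is usually enough for a reset; step 3 is the common follow-on that help desks ask for and is listed here so that the acldiag output in step 4 shows both an extended-right ACE and a property-specific ACE, which look different in the report. Note that acldiag, as the lesson says, only reports ACEs the caller is permitted to read, so run the verification as an account with full read access to the OU.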

Lesson Summary

In this lesson, you were introduced to the Windows 2000 Support Tools that support Active Directory.

MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244