First, you should become generally acquainted with the existing tools and the administrative tasks for which they are used. Look at Table 9.1. The tools from the Windows 2000 Server Resource Kit and Windows .NET Support Tools packs listed in this table are divided into categories depending on the basic purpose of a tool. In some cases, the grouping of tools is somewhat arbitrary, since some utilities can be used for different purposes.

Administrative task | Tools to be used |
---|---|
Browsing and editing Active Directory objects | ADSIEdit.msc, Ldp.exe, DsMod.exe, DsMove.exe, DsRm.exe, AdsVw.exe, ModifyUsers.vbs |
Querying Active Directory | DsQuery.exe, DsGet.exe, Ldp.exe, Search.vbs, UserAccount.vbs, EnumProp.exe |
Migration and restructure; manipulating Active Directory objects | ADMT, MoveTree.exe, NetDom.exe, ClonePrincipal, DsAdd.exe, AddUsers.exe, GrpCpy.exe |
Bulk import/export | CSVDE.exe, LDIFDE.exe, AddUsers.exe, CreateUsers.vbs |
Active Directory database diagnostics and maintenance | NTDSutil.exe |
Diagnosis | NetDiag.exe, NSlookup.exe, DCdiag.exe, NLtest.exe, DNSCmd.exe, RPCPing |
Replication | RepAdmin.exe, ReplMon.exe, DsaStat.exe, NTFRSutl.exe |
Active Directory security | ACLDiag.exe, DsACLs.exe, SDCheck.exe, KerbTray.exe, KList.exe |
System objects (files, shares, registry, etc.) security | SIDWalker, SubInACL.exe, ADMT |
Group Policies | GPOTool.exe, GPResult.exe |

Active Directory Migration Tool (ADMT) and AdsVw.exe (from the ADSI SDK) can be downloaded for free from the Microsoft website (see links in Appendix A). They are also included in the table. Every tool mentioned here is characterized in Table 9.2.

Toolname | Contained in | Purpose | See chapter |
---|---|---|---|
ACLDiag.exe (ACL Diagnostics) | ST | View permissions (ACLs) on a directory object. Verify delegation of administrative control, and whether the object security settings correspond to the schema defaults. | 14 |
AddUsers.exe (Add Users) | RK | Output, create, and delete multiple user accounts. Add users to groups. | 8 |
ADSIEdit.msc (ADSI Edit snap-in) (GUI tool) | ST | View and modify Active Directory objects (including application, schema, and configuration directory partitions). Set objects' ACLs. | 7 |
AdsVw.exe (Active Directory Browser) (GUI Tool) | ADSI SDK | Same as above, for both Active Directory based (Windows 2000 and Windows .NET) and Windows NT domains (SAM database). | 12 |
ClonePrincipal | ST | Create a copy of a user or group account in a different forest and retain user or group access rights to directory objects or shared resources. (Includes Clonepr.dll, Clonepr.vbs, Clonelg.vbs, Clonegg.vbs, Cloneggu.vbs, SIDHist.vbs tools.) | 13 |
CreateUsers.vbs | RK (RAS) | Create multiple user accounts in default or specified containers. | 8 |
CSVDE.exe (CSV Directory Exchange) | Sys | Export and import multiple directory objects using a file in CSV format. | 12 |
DCdiag.exe (Domain Controller Diagnostic Tool) | ST | Diagnose domain controller issues: connectivity, availability of the directory and other services, replication, etc. | 10 |
DHCPloc.exe (DHCP Server Locator Utility) | ST | Display active DHCP servers and detect any unauthorized servers. Find DHCP servers available to a DHCP client. | 4 |
DNScmd.exe (DNS Server Troubleshooting Tool) | ST | Check and/or modify zones and resource records on a Windows 2000/.NET DNS server. Manage the zones and the DNS server configuration. For the Windows .NET version only: Create/delete an application directory partition, control partition replication scope, move a zone to another directory partition. | 4 |
DsACLs.exe | ST | View and/or modify permissions (ACLs) on directory objects. Restore default permissions. | 14 |
DsAdd.exe* | Sys | Add to the directory a computer, contact, group, OU, or user object. | 8 |
DsaStat.exe (DSA Statistics) | ST | Compare directory partitions on two different domain controllers and display statistics or comparisons of attributes. Global Catalog servers can also be checked. | 11 |
DsGet.exe* | Sys | Retrieve the attributes of a specific object type from the directory. | 12 |
DsMod.exe* | Sys | Modify attributes of a specific object type (computer, contact, group, OU, server, or user). | 12 |
DsMove.exe* | Sys | Rename a directory object or move it to another container. | 12 |
DsQuery.exe* | Sys | Search the directory for objects of any type and display any attributes of found objects. The most flexible command-line search tool. | 12 |
DsRm.exe* | Sys | Delete a directory object or an entire subtree. | 12 |
DumpFSMOs.cmd | RK | Display the FSMO roles known to the specified domain controller. | 8 |
EnumProp.exe | RK | Display some or all attributes (including GUIDs, SIDs, and security descriptor) of an Active Directory object specified by its distinguished name. (The LDAP provider is used.) | — |
GPOTool.exe (Group Policy Verification Tool) | RK | Test consistency of GPOs and check their replication in a domain. | 15 |
GPResult.exe (Group Policy Results) | RK (Windows 2000) Sys (Windows .NET) | View group policy settings applied to a user and/or computer | 15 |
GPUpdate.exe* | Sys | Re-apply computer and/or user group policy | 8 |
GrpCpy.exe (GUI Tool) | RK | Copy users from one group to another in the same or another domain | — |
KerbTray.exe (Kerberos Tray) (GUI tool) | RK | Display and purge all cached Kerberos tickets for authenticated services | 14 |
KList.exe (Kerberos List) | RK | Same as above. Can purge only specified tickets | 14 |
Ksetup.exe (Kerberos Setup) | ST | Configure Windows 2000 clients to use an MIT Kerberos server instead of a Windows 2000 domain | — |
KTPass.exe (Kerberos Keytab Setup) | ST | Configure a non-Windows 2000 (UNIX) Kerberos service as a security principal in the Windows 2000 Active Directory | — |
LDIFDE.exe | Sys | Export and import one or more directory objects using a file in LDIF format. Modify attributes of object(s) | 12 |
Ldp.exe (Active Directory Administration Tool) (GUI tool) | ST | Perform LDAP operations against any LDAP-compliant directory such as Active Directory | 12 |
ModifyUsers.vbs | RK (RAS) | Modify specified attributes of multiple domain users. An input text file with defined values can be used | — |
MoveTree.exe (Active Directory Object Manager) | ST | Move directory objects, such as user accounts, OUs, and universal groups from one domain to another in the same forest | 13 |
NetDiag.exe (Network Connectivity Tester) | ST | Test various networking and connectivity issues (protocols, binding, DNS, WINS, and many others) on client computers | 11 |
NetDom.exe (Windows Domain Manager) | ST | Manage and verify trusts and secure channels; join, move, and remove computer accounts | 12 |
NLtest.exe (NLTest) | ST | List domain controllers for a domain, query for trusted domains, query and reset secure channels between domain computers, force replication to Windows NT 4.0 BDCs | 11 |
NTDSutil.exe (Active Directory Diagnostic Tool) | Sys | Manage Active Directory database files, operations masters, orphaned domains and controllers. Perform authoritative restore | 10 |
NTFRSutl.exe | RK | Manage the File Replication Service (including SYSVOL and DFS roots replication) | 11 |
RepAdmin.exe (Replication Diagnostics Tool) | ST | Display replication partners, metadata and connections, force replication of directory partitions, trigger KCC | 11 |
ReplMon.exe (Active Directory Replication Monitor) (GUI tool) | ST | Monitor and force replication, display replication metadata, topology, and domain controller information | 11 |
RPingc.exe (GUI tool), and RPings.exe (RPC Ping: Connectivity Verification Tool) | RK | Test RPC connectivity between clients and RPC servers | 11 |
SDCheck.exe (Security Descriptor Check Utility) | ST | Verify a directory object's ACL inheritance and replication of the security descriptor from one domain controller to another | 14 |
Search.vbs | ST | Search for an object against an LDAP server | 12 |
Security Administration tools (SIDWalker) | ST | Modify SIDs specified in the ACLs of files, shares, and registry keys. Grant access rights on objects to specified users and groups. (Includes ShowAccs.exe, SIDWalk.exe, and SIDWalk.msc tools.) | — |
SubInACL.exe | RK | Display security descriptors for files, registry keys, or services. Change security information such as owner of an object, domain name, or SID | — |
UserAccount.vbs | RK (RAS) | Displays information on normal, locked out, and disabled user accounts in a domain | — |

Note: Windows 2000 servers provide a few "traditional" utilities for administering Windows NT 4.0 domains: Server Manager (srvmgr.exe), User Manager (usrmgr.exe), and System Policy Editor (poledit.exe). These tools have not been included in the current version of Windows .NET servers. The Windows 2000 Server Resource Kit also contains the Domain Monitor (dommon.exe). All named tools are the updated versions that differ from their Windows NT 4.0 counterparts. This may be important in some cases. Windows .NET servers do not and, most likely, will not contain the utilities listed, but all of them can safely run on Windows .NET-based computers within AD-based domains.