Server Failure Lesson #10: Useful Active Directory Tools
When the domain controllers died, there were a number of very important Active Directory tools that we needed to use in order to get our systems back up and running properly. Unfortunately, we needed to find a lot of these tools on our own and on-the-fly.
Since we found these to be useful, I thought I would put up a list and brief description of some of these tools so that when you find yourself in a similar situation, you will not be scrambling.
Be aware that a lot of these are command line tools that do not have a pretty GUI. But, if you are in the process of recovering a Windows 2003 domain controller, I am certain that you have a pretty good grasp of the command line.
- accexp - tool to quickly check whether a user account (not password) has expired or not.
- acldiag - finds and reports discrepancies in security (Access Control Lists) of AD objects. Can also reapply ACLs in AD.
- adfind - query tool for AD.
- admod - extremely powerful tool for modifying Active Directory. Be very careful with this tool and know what you are doing!
- adprep - prepares an Active Directory schema’s forest and domain for Windows 2003 and Windows 2003 R2. (Be aware that there is a difference.)
- adqueueloop - near real time replication monitor.
- adsiedit - a GUI based low level editor for Active Directory.
- appmgmts.dll - an MMC extension to gpedit.dll that provides settings for Software Installation Group Policy.
- atsn - site and subnet information for a given IP address.
- auth - test authentication of a user ID.
- changepw - password change tool.
- clonepr - help migrate users and groups from Windows NT 4.0 domains to Windows 2000/2003 Active Directory.
- dcdiag - performs an analysis on a domain controller and reports any errors or inconsistencies that it may be experiencing.
- dcpromo - I’m sure you are aware of this utility but I just thought that I would include it for completeness. It allows you to promote or demote a Windows server as a domain controller.
- dsacls - display and change the permissions on Active Directory objects.
- dsastat - compares and detects differences between naming contexts on domain controllers.
- dskquota.dll - an MMC extension to gpedit.dll that provides settings for Disk Quota Group Policy.
- dsquery - queries Active Directory according to specified criteria. Very good for digging deep in Active Directory.
- exchmbx - manages Active Directory portions of Exchange Servers.
- expire - force account passwords to expire.
- fdeploy.dll - an MMC extension to gpedit.dll that provides settings for Folder Redirection Group Policy.
- findexpacc - locate accounts that are expired or have expired passwords.
- findpdc - find the PDC of a domain and test it to make sure it is responding to NetLogon requests.
- gcchk - locate Active Directory consistency issues.
- getuserinfo - retrieve info about user accounts from Windows machines.
- gpedit.dll - an MMC snap-in designed to edit Group Policy objects.
- gpresult - displays Group Policy settings and Resultant Set of Policy (RSoP) for a user or a computer.
- gptext.dll - an MMC extension to gpedit.dll that provides settings for Scripts, IP Security, and Wireless Group Policy.
- gpupdate - updates all or a portion of the group policy on a Windows system (both desktop and server operating systems).
- iedkcs32.dll - an MMC extension to gpedit.dll that provides settings for Internet Explorer Maintenance Group Policy.
- ldp - a Lightweight Directory Access Protocol (LDAP) client that allows users to perform operations (such as connect, bind, search, modify, add, delete) against any LDAP-compatible directory, such as Active Directory.
- memberof - query tool to determine what groups a user is in.
- movetree - enables administrators to move Active Directory objects such as contacts between domains in a single forest.
- ntdsutil - a Swiss army knife of management tools for Active Directory. Get to know this tool well!
- ntfrsutl - dumps the internal tables, thread and memory information for the NT File Replication Service (NTFRS). It runs against local and remote servers.
- oldcmp - used to find and clean up old computer accounts that haven’t been used.
- psomgr - manages Fine Grain Password Policy Password Settings Objects in Longhorn Server and the Domain Password Policy for any version of Active Directory domain.
- repadmin - view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller.
- replmon - GUI tool that enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication.
- scecli.dll - an MMC extension to gpedit.dll that provides settings for Security Settings Group Policy.
- sdcheck - displays the security descriptor for any object stored in Active Directory. The security descriptor contains the access control lists (ACLs) defining the permissions that users have on objects stored in Active Directory.
- search - performs searches against a Lightweight Directory Access Protocol (LDAP) server.
- secdata - query tool to pull some of the important security attributes for user and computer objects and output in CSV format.
- seinteractivelogonright - configures the system to allow a specific user/group to log on locally.
- setspn - allows you to read, modify, and delete the Service Principal Names (SPN) directory property for an Active Directory service account.
- sidtoname - resolve SIDs to friendly display names.
- unlock - shows currently locked accounts and unlocks accounts. One simple command to unlock all locked accounts in a domain.
- username - output current user’s DN as well as other userid formats.
4 Responses to “Server Failure Lesson #10: Useful Active Directory Tools”
-
benway.net Says:
November 30th, 1999 at 12:00 am
Daily Cup of Tech » Server Failure Lesson #10: Useful Active Directory Tools
-
MAL - Memória Auxiliar do Lutieri Says:
November 30th, 1999 at 12:00 am
It's not my area at the moment, but I figured I'll need it some day. So today I'm putting it here in my secondary memory. http://www.dailycupoftech.com/2007/07/26/server-failure-lesson-10-useful-active-directory-tools/
-
Ranting Datastore Says:
November 30th, 1999 at 12:00 am
Nice guide to figuring out the hardware in linux Solaris keeps running. The post is in german, but they stayed running. No one noticed until they checked the room. OpenKVM Windows Disable services AD tools Open Source tools Google Cheatsheet Video Transcoding
-
Roman Y. Bogdanov Says:
July 26th, 2007 at 10:12 am
Active Directory…
By controller Windows domain it must be Windows (large fatty point). Very frequently, those who domain makes under Linux + Samba in Windows domain nothing more complex than the “master development domain” and add users did not make. But th…
-
Tim Fehlman Says:
July 26th, 2007 at 10:19 am
Wow! It would have been even nicer had he actually credited DCoT for the content of his post. The only reason I got the pingback was because he also copied the links in the post back to DCoT!
Bad blogger! Bad!
Tim
-
John May Says:
July 26th, 2007 at 12:25 pm
What the heck is the guy in the 1st post talking about? “Large Fatty Point”?
There’s always somebody trying to take credit for somebody else’s hard work. Tis a shame.
-
Roman Y. Bogdanov Says:
July 26th, 2007 at 8:59 pm
Very useful! Some things he did not know. Thanks.
-
Get webtraffic Says:
November 29th, 2007 at 2:28 am
source: Server Failure Lesson #10: Useful Active…, Daily Cup of Tech I decided to blog this result under ‘Domain software’. Let me know what you think of this…

