Active Directory Domain Services Command Fu, Part 4


As some systems administrators have already found out, on Microsoft Windows Servers some tasks cannot be performed using the Graphical User Interface (GUI). Although multiple vendors have released graphical tools to make these tasks easier for the typical click-on-through Windows Admin, these tasks can easily be performed using the built-in command-line tools.

As you might have noticed already, the more complex features of Active Directory Domain Services are hidden from plain sight, on the command-line. This is especially true for Windows Server 2008, where a lot of new features are only available outside of Active Directory Users and Computers (dsa.msc), Active Directory Sites and Services (dssite.msc), Active Directory Domains and Trusts (domain.msc)… the more commonly known (graphical) management tools.

Tip!
Protected Objects is visible in plain sight in Windows Server 2008. It’s the only feature not easily turned on or off with a simple built-in one-liner…

Let’s take a look at the new features in Active Directory Domain Services in Windows Server 2008 on the command-line:


Configuring Directory changes auditing

Command to use:

  • auditpol.exe

Note:
This section only applies to Windows Server 2008 and Windows Server 2008 R2 Domain Controllers.

One of the new features in Active Directory in Windows Server 2008 is the ability to audit Directory Services changes. Although auditing of Directory Services access has been around far longer, auditing of Directory Services changes is new.

Before Windows Server 2008, using the Audit directory service access policy you could log who changed what object. In Windows Server 2008, besides the old way of auditing, you can now audit the change itself: when an attribute is changed, the audit event shows the old and the new value. To achieve this, the old policy was divided into four subcategories:

  • Directory Services Access
  • Directory Services Changes
  • Directory Services Replication
  • Detailed Directory Services Replication

To enable the Directory Services Changes policy, first you need to enable the Audit directory service access policy. Open your favourite Group Policy editor and navigate to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, Audit Policy. There, open the properties of the Audit directory service access policy and enable it by selecting Success, Failure or both.

To enable the Directory Services Changes subpolicy, execute the following command:

auditpol /set /subcategory:"directory service changes" /success:enable

As a response you should see “The command was successfully executed.”

Then, per Organizational Unit or object, enable auditing on the Security tab: click the Advanced button and use the Auditing tab. Don’t see the Security tab when looking at the properties of an Organizational Unit? Enable Advanced Features from the View menu first.
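Once the subcategory and the SACLs are in place, the change events land in the Security log on the Domain Controller. The following PowerShell is an added example (not code from the original post) that checks the auditpol setting and summarizes the resulting events. The event ids are the documented Directory Service Changes ids (5136 attribute modified, 5137 object created, 5141 object deleted); the EventData field names are read from each event’s XML. It assumes you run it on the Domain Controller as an administrator, or pass -ComputerName to read the log remotely.

```powershell
# Added example, not from the original post: verify the "Directory Service Changes"
# subcategory is enabled and summarize the 5136/5137/5141 events it produces.
function Test-DsChangeAuditing {
    # auditpol prints one line per subcategory, e.g. "  Directory Service Changes   Success"
    $lines = auditpol /get /subcategory:"Directory Service Changes" 2>&1
    return [bool]($lines -match 'Directory Service Changes\s+(Success|Failure)')
}

function Get-DsChangeSummary {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddHours(-24),
        [int]$MaxEvents = 500
    )
    $filter = @{ LogName = 'Security'; Id = 5136, 5137, 5141; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML into a hashtable
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.'#text' }
        # OperationType is a resource string id: %%14674 = Value Added, %%14675 = Value Deleted.
        # A modify of a single-valued attribute shows up as two 5136 events:
        # the old value deleted, then the new value added.
        $op = switch ($d['OperationType']) {
            '%%14674' { 'value added' }
            '%%14675' { 'value deleted' }
            default   { '' }
        }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Who       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object    = $d['ObjectDN']
            Attribute = $d['AttributeLDAPDisplayName']
            Value     = $d['AttributeValue']
            Operation = $op
        }
    }
}

if (Test-DsChangeAuditing) {
    Get-DsChangeSummary | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Warning 'Directory Service Changes auditing is not enabled on this server.'
}
```

Reading the old and new value from the pair of 5136 events is what makes this subcategory more useful than plain Directory Service Access auditing; the objects or OUs without an auditing entry on their Security tab will not show up here at all, which is worth remembering when an expected change is missing from the output.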


Troubleshooting Directory replication

Command to use:

  • repadmin.exe

Note:
This section only applies to Windows Server 2008 and Windows Server 2008 R2 Domain Controllers.

For Windows 2000 Server and Windows Server 2003-based Domain Controllers, a graphical tool called replmon.exe was available in the Support Tools to "troubleshoot" Active Directory replication. The tool was widely used to view and force Active Directory replication and to view the replication topology in a graphical format.

In Windows Server 2008 replmon.exe was deprecated. This means the tool is neither present nor supported for Windows Server 2008 and Windows Server 2008 R2.

The tool to use, as many command-line gurus had already found out years before Windows Server 2008 was hatched, is repadmin.exe… and you’ve guessed it: it’s a command-line tool.

Repadmin.exe, like replmon.exe, has been around since Windows 2000 Server. Just like replmon.exe, repadmin.exe is part of the Windows Server Support Tools.

You can use repadmin.exe to actually troubleshoot Active Directory replication. Unlike replmon.exe, repadmin.exe has actual functionality to troubleshoot. You can also use repadmin.exe to drill down on replication to the level of the replication metadata and the up-to-dateness vector, manually configure a replication topology, specify Password Replication Policies (PRPs) with Read-only Domain Controllers and enable/disable replication for a given Domain Controller.

Tip!
If you desperately need the functionality to create an Active Directory replication topology diagram, you can use replmon.exe beyond Windows Server 2003.

To start off, a simple repadmin.exe command can be used to detect replication errors within the entire domain:

repadmin.exe /replsummary

The command identifies Domain Controllers that are failing inbound or outbound replication and summarizes the results in a report. The report can be the basis of your Active Directory replication troubleshooting actions.

Suppose one of your Domain Controllers is failing replication… now, don’t sweat… with repadmin.exe you can force synchronization immediately. For a typical replication-incapable Domain Controller, issue the following command:

repadmin.exe /syncall DCName dc=domain,dc=tld

Where DCName is the name of the replication-incapable Domain Controller and the domain and top-level domainname (tld) specify the Active Directory Naming Context to synchronize.

Of course, in most serious Active Directory replication problems, forcing replication will only show more errors, pointing you in the direction of specific Domain Controllers and/or objects. The 123-page whitepaper on Monitoring and Troubleshooting Active Directory Replication Using Repadmin will help you get on your way fixing any specific issue.

Another repadmin.exe command of particular use is the command to stop and/or start inbound and/or outbound replication immediately for a specific Domain Controller. This is useful in scenarios where you want to make changes to a Domain Controller, but don’t want them replicated to other Domain Controllers. The commands are easy:

repadmin /options DCName +DISABLE_OUTBOUND_REPL
repadmin /options DCName -DISABLE_OUTBOUND_REPL

repadmin /options DCName +DISABLE_INBOUND_REPL
repadmin /options DCName -DISABLE_INBOUND_REPL

Of course, many Microsoft schema updates and preparations have checks for disabled inbound and/or outbound replication. Thus, you can’t always use the above commands in these scenarios.

And my favorite: checking whether an Active Directory infrastructure successfully prepared the domain and forest for Windows Server 2003 and whether the changes have been replicated to all Domain Controllers. For this purpose I know the following two repadmin.exe one-liners by heart:

repadmin /showobjmeta * "CN=Windows2003Update,CN=ForestUpdates,CN=Configuration,DC=domain,DC=tld"

repadmin /showobjmeta * "CN=Windows2003Update,CN=DomainUpdates,CN=Configuration,DC=domain,DC=tld"

Any Domain Controller that does not report having the object has not yet replicated the Active Directory preparation. Until you’ve replicated the object to all Domain Controllers, it would be ill-advised to continue and promote the first Windows Server 2008 Domain Controller.
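The /replsummary report tells you which Domain Controllers are unhappy; the next question is always which partner and which naming context. As an added example (not code from the original post), the PowerShell below reads the CSV form of repadmin’s replication status into objects and lists only the failing links. The column names are the ones repadmin writes in its CSV header row; the sample data is constructed to show the shape and is not output from a real Domain Controller.

```powershell
# Added example, not the post's own code: list the failing replication links
# from "repadmin /showrepl * /csv". Omit -CsvLines to query the forest live.
function Get-ReplicationFailure {
    [CmdletBinding()]
    param([string[]]$CsvLines)
    if (-not $CsvLines) { $CsvLines = repadmin /showrepl * /csv }
    # The first CSV line is repadmin's header row ("showrepl_COLUMNS,...")
    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        if ([int]$row.'Number of Failures' -le 0) { continue }
        [pscustomobject]@{
            Destination   = $row.'Destination DSA'
            Source        = $row.'Source DSA'
            NamingContext = $row.'Naming Context'
            Failures      = [int]$row.'Number of Failures'
            LastSuccess   = $row.'Last Success Time'
            LastFailure   = $row.'Last Failure Time'
            Status        = $row.'Last Failure Status'   # Win32 error code, e.g. 1722 = RPC server unavailable
        }
    }
}

# Constructed sample: DC01 replicates fine from DC02 but has been failing from DC03
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC01,"DC=domain,DC=tld",Default-First-Site-Name,DC02,RPC,0,0,2010-04-16 03:14:22,0
showrepl_INFO,Default-First-Site-Name,DC01,"DC=domain,DC=tld",Branch,DC03,RPC,12,2010-04-16 03:10:05,2010-04-10 21:00:13,1722
'@ -split "`r?`n"

Get-ReplicationFailure -CsvLines $sample | Format-Table -AutoSize
```

On a real forest the same function without -CsvLines gives you a table of failing source/destination pairs with the last success time per naming context, which is exactly the list of Domain Controllers you would point /syncall or the whitepaper’s procedures at.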


Compacting Active Directory databases

Commands to use:

  • net.exe
  • copy.exe
  • ntdsutil.exe

Note:
This section only applies to Windows Server 2008 and Windows Server 2008 R2 Domain Controllers, since the functionality outlined depends on the Restartable Active Directory Domain Services feature.

One of the new features in Windows Server 2008 is Restartable Active Directory Domain Services. After a Windows Server 2008-based Domain Controller has finished booting, the Domain Controller service can be stopped, together with its dependent services (DNS Server, File Replication, Intersite Messaging and Kerberos Key Distribution Center). While the Domain Controller service is stopped, the server acts like any other member server, enabling you to log on locally.

With the Domain Controller service stopped, the Active Directory database can be compacted by performing an offline defragmentation.

Note:
While the Active Directory database (ntds.dit) receives an online defragmentation every time the garbage collection process is run (by default every 12 hours), this does not reduce the size on disk for the database. It merely optimizes the disk use inside the file. To reduce the size on disk, you will need to perform an offline defragmentation.

Of course, a truly great way to approach compacting the Active Directory database is to perform the action regularly, which implies it needs to be scripted.

The following commands can be used in a batch file to compact the Active Directory database (ntds.dit) automagically in combination with scheduled tasks:

net stop NTDS /y
mkdir C:\TempNTDS
copy C:\Windows\NTDS\ntds.dit C:\TempNTDS\ntds.old
ntdsutil.exe "act inst NTDS" files "compact to C:\TempNTDS" quit quit
del C:\Windows\NTDS\*.log
copy C:\TempNTDS\ntds.dit C:\Windows\NTDS\ntds.dit /y /v
net start NTDS
rmdir C:\TempNTDS /s /q
exit

The above script assumes the Active Directory database and Active Directory logs are located at C:\Windows\NTDS. Of course, when you’re dealing with GBs of Active Directory database you would feel the hit in performance and would have placed the Active Directory database and logs on separate spindles. Change the commands above to reflect your situation.

Some lines in the script above may be deleted. For instance, line 3 copies the database to ntds.old to make sure you keep access to a viable Active Directory database. When your Active Directory database reaches several GBs in a multi-Domain Controller environment, you might want to remove that line.

Note:
Run the script manually once, to make sure the script runs without errors. There is no error exception handling present.
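The batch file does the job, but as the note says it carries on regardless of what ntdsutil.exe returned. As an added example (not the post’s own script), the PowerShell version below performs the same steps with the checks a scheduled job needs: every native command is exit-code checked, the live ntds.dit is only overwritten after ntdsutil produced the compacted copy, an integrity check runs before the temporary files are discarded, the saved copy is restored if anything fails, and NTDS is started again on every path. The paths are the post’s defaults; change $DbPath, $LogDir and $WorkDir to match your Domain Controller, and run it once with -WhatIf to see what it would touch.

```powershell
# Added example, not the post's script: offline defragmentation with error handling.
function Invoke-NtdsOfflineDefrag {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [string]$DbPath  = 'C:\Windows\NTDS\ntds.dit',
        [string]$LogDir  = 'C:\Windows\NTDS',
        [string]$WorkDir = 'C:\TempNTDS'
    )
    # Run a native command and turn a non-zero exit code into a terminating error
    function Invoke-Checked([string]$Label, [scriptblock]$Command) {
        $output = & $Command 2>&1
        if ($LASTEXITCODE -ne 0) {
            throw "$Label failed with exit code $LASTEXITCODE`n$($output -join "`n")"
        }
        $output
    }
    if (-not $PSCmdlet.ShouldProcess($DbPath, 'offline defragmentation')) { return }

    $before    = (Get-Item $DbPath).Length
    $backup    = Join-Path $WorkDir 'ntds.old'
    $compacted = Join-Path $WorkDir 'ntds.dit'
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    try {
        Invoke-Checked 'net stop NTDS' { net stop NTDS /y } | Out-Null
        # The service is stopped, so this copy is of a cleanly shut down, consistent database
        Copy-Item -Path $DbPath -Destination $backup -Force
        Invoke-Checked 'ntdsutil compact' {
            ntdsutil.exe "activate instance ntds" files "compact to $WorkDir" quit quit
        } | Out-Null
        if (-not (Test-Path $compacted)) { throw "ntdsutil did not write $compacted" }
        # ntdsutil's own post-compaction instructions: copy the file back, delete the old logs
        Copy-Item -Path $compacted -Destination $DbPath -Force
        Remove-Item -Path (Join-Path $LogDir '*.log') -Force -ErrorAction SilentlyContinue
        # Only trust the compacted database once ntdsutil's integrity check passes
        $check = Invoke-Checked 'ntdsutil integrity' {
            ntdsutil.exe "activate instance ntds" files integrity quit quit
        }
        if (-not ($check -match 'Integrity check successful')) {
            throw "integrity check did not report success:`n$($check -join "`n")"
        }
    }
    catch {
        # Put the saved database back so the DC restarts on a copy known to be consistent
        if (Test-Path $backup) { Copy-Item -Path $backup -Destination $DbPath -Force }
        throw
    }
    finally {
        # Bring the Domain Controller back whether the compaction succeeded or not
        net start NTDS | Out-Null
    }
    Remove-Item -Path $WorkDir -Recurse -Force
    $after = (Get-Item $DbPath).Length
    [pscustomobject]@{ BytesBefore = $before; BytesAfter = $after; Reclaimed = $before - $after }
}

Invoke-NtdsOfflineDefrag -WhatIf
```

The returned object gives you the bytes actually reclaimed, which is the number to log from the scheduled task; if it is consistently small, the online defragmentation is keeping up and the job can run less often.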


Working with Active Directory snapshots

Commands to use:

    • ntdsutil.exe
    • dsamain.exe

Note:
This section only applies to Windows Server 2008 and Windows Server 2008 R2 Domain Controllers, since the functionality outlined depends on the Active Directory Snapshot feature.

Wouldn’t it be great if you could make a point-in-time copy of Active Directory, so you could later mount it and see how settings were back when you made the copy? Wouldn’t it be even cooler if you could use your normal tools (Active Directory Users and Computers, AdsiEdit.msc, Ldifde.exe, etc.) on such a snapshot?

With Windows Server 2008-based Domain Controllers you can! The feature is called Active Directory snapshots. As you might have guessed already… the feature requires some keystrokes on the command-line, instead of some left or right clicks.

To create a snapshot, simply spit out the following one-liner:

ntdsutil.exe "act inst NTDS" snapshot create quit quit

Whenever you’re ready to look at a snapshot, let ntdsutil.exe spit out a list of snapshots, by typing:

ntdsutil.exe snapshot "list all" quit quit

Next, you can mount the snapshot. For instance to mount the first snapshot you’ve made, type:

ntdsutil.exe snapshot "list all" "mount 2" quit quit

Of course, you can’t just point your beloved Active Directory Users and Computers MMC at the snapshot yet. It isn’t connected to the network. Let’s take care of that using dsamain.exe. In the output of the previous command ntdsutil.exe mentioned the location where it placed the snapshot. Now use that location in combination with dsamain.exe on an elevated command prompt:

dsamain -dbpath "C:\$SNAP_201004160314_VOLUMEC$\Windows\NTDS\ntds.dit" -ldapport 13389

Now leave the command prompt open, because it keeps track of the mounted snapshot. You can connect your tools to DCName:13389. When done, close the snapshot using Ctrl + C.
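The typical reason to mount a snapshot is to answer "what did this object look like before?". As an added example (not code from the original post), the PowerShell below strings the steps above together: it mounts a snapshot, reads the mount point back from ntdsutil’s output, serves it with dsamain.exe on an alternate LDAP port, compares one object’s attributes between the snapshot and the live directory, and then stops dsamain and unmounts the snapshot again. It assumes a Windows Server 2008 R2 Domain Controller with the ActiveDirectory module (RSAT); the snapshot index, the port and the "mounted as" line it parses from ntdsutil are assumptions to check against your own output.

```powershell
# Added example, not from the original post: diff an object between a mounted
# snapshot (served by dsamain.exe) and the live directory, then clean up.
function Compare-AdObjectWithSnapshot {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][string]$Identity,   # DN or objectGUID of the object to compare
        [int]$SnapshotIndex = 2,     # "list all": 1 is the snapshot set, 2 the first snapshot (assumption)
        [int]$LdapPort = 13389,
        [string[]]$Properties = @('description', 'memberOf', 'userAccountControl')
    )
    # 1. Mount and read back "Snapshot {guid} mounted as C:\$SNAP_...\" from ntdsutil
    $out = ntdsutil.exe snapshot "list all" "mount $SnapshotIndex" quit quit 2>&1
    $found = ($out | Out-String) -match '\{(?<guid>[0-9a-fA-F-]+)\}\s+mounted as\s+(?<path>\S+)'
    if (-not $found) { throw "could not find the mount point in ntdsutil output:`n$out" }
    $guid   = $Matches['guid']
    $dbPath = Join-Path $Matches['path'] 'Windows\NTDS\ntds.dit'
    # 2. dsamain runs until stopped; keep the process object so we can end it ourselves
    $dsamain = Start-Process -FilePath dsamain.exe -PassThru -WindowStyle Hidden `
        -ArgumentList "-dbpath `"$dbPath`" -ldapport $LdapPort"
    try {
        Start-Sleep -Seconds 5      # let the LDAP listener come up
        $snapServer = "$($env:COMPUTERNAME):$LdapPort"
        $then = Get-ADObject -Identity $Identity -Server $snapServer -Properties $Properties
        $now  = Get-ADObject -Identity $Identity -Properties $Properties
        foreach ($p in $Properties) {
            # Multi-valued attributes are sorted and joined so order does not count as a change
            $a = (@($then.$p) | Sort-Object) -join '; '
            $b = (@($now.$p)  | Sort-Object) -join '; '
            if ($a -ne $b) {
                [pscustomobject]@{ Attribute = $p; Snapshot = $a; Live = $b }
            }
        }
    }
    finally {
        # 3. Stop dsamain (the post's Ctrl+C) and unmount the snapshot by its GUID
        if (-not $dsamain.HasExited) { Stop-Process -Id $dsamain.Id -Force }
        ntdsutil.exe snapshot "unmount {$guid}" quit quit | Out-Null
    }
}

Compare-AdObjectWithSnapshot -Identity 'CN=Some User,OU=Users,DC=domain,DC=tld' |
    Format-Table -AutoSize
```

Anything that speaks LDAP can be pointed at DCName:13389 while dsamain is running, so the same pattern works with ldifde.exe or an MMC connected to the alternate port; the unmount in the finally block matters because a snapshot that stays mounted keeps a copy of the directory readable on disk to anyone with local administrator rights.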

One Response to Active Directory Domain Services Command Fu, Part 4

Hi,
I think there is a mistake for the command:
"repadmin /showobjmeta * "CN=Windows2003Update,CN=DomainUpdates,CN=Configuration,DC=domain,DC=tld"

the container "DomainUpdates" is located in the "CN=System,DC=domain,DC=tld" container and not in the "Configuration" container.

Anyway, thanks for this post.
