What does Ntdsutil.exe do?
Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory. You can use Ntdsutil.exe to perform database maintenance of Active Directory, manage and control single master operations, create application directory partitions, and remove metadata left behind by domain controllers that were not successfully demoted using the Active Directory Installation wizard (DCPromo.exe).
Who does this feature apply to?
This feature applies to the Ntdsutil.exe utility, and is of interest to Active Directory administrators only.
What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
Ntdsutil.exe no longer requires the administrator to perform the following tasks in the
ntdsutil metadata cleanup command:
- Connect to specific domain controller using
ntdsutil metadata cleanup connectionscommand.
- List and select the Active Directory domain, site, and server using the
ntdsutil metadata cleanup Select Operation Targetcommand.
Two new variations of this command are introduced in Windows Server 2003 Service Pack 1:
Ntdsutil "metadata cleanup" "remove selected server"ServerObjectWhen using this command, specify the distinguished name (DN) path of the server object (ServerObject) of the domain controller whose metadata you want to remove. The server object is the parent of the NTDS settings object in the configuration container. For example, for the domain controller named DC1 located in the default-first-site-name of the contoso.com forest, the DN path of the server object would be cn=DC1,cn=servers,cn=default-first-site-name ,cn=configuration,dc=contoso,dc=com. If the DN path contains any spaces, enclose the entire DN path in quotes.
Ntdsutil "metadata cleanup" "remove selected server"ServerObject
onTargetDCThis command is identical to the one above, except it allows the administrator to specify the domain controller (TargetDC) on which the removal is performed. TargetDC must be entered as the DNS or NetBIOS name of the domain controller.
Why is this change important? What threats does it mitigate?
This change significantly improves the usability of this command for removing metadata.
What works differently?
From the “
metadata cleanup” menu, the user no longer has to go into the “
connections” menu or the “
select operations target” menu to set up the appropriate state.
What existing functionality is changing in Windows Server 2003 Service Pack 1?
Improved Metadata Cleanup
The metadata cleanup command has been improved in Windows Server 2003 Service Pack 1 to clean up metadata in Active Directory.
What works differently? Are there any dependencies?
The existing “
remove selected server” command in the “
metadata cleanup” menu of Ntdsutil.exe has been enhanced with new functionality.
Prior to Service Pack 1, this command only performed the following operations:
- Delete the NTDS settings object for the domain controller (DC).
- Delete all manual and automatic inbound connections to the DC being removed.
- Delete the corresponding DC’s FRS member object from the sysvol replica set.
With the release of Service Pack 1, the following additional operations are performed as part of this command:
- Delete the computer account for the DC being deleted, including FRS subscriber objects.
- Delete all manual and automatic outbound Active Directory connections from the DC being removed.
- Delete inbound and outbound FRS connections from any non-sysvol FRS replica sets that the DC being deleted is a member of.
- Check whether the DC being removed holds any operations masters roles. If yes, this command will attempt to reassign (seize) the roles to an active DC that meets criteria for the operations master role(s).