Dsmgmt

Applies To: Windows Server 2003 R2

Provides management facilities for Active Directory Application Mode (ADAM).

To run dsmgmt, at an ADAM tools command prompt, type dsmgmt, and then press ENTER. At the dsmgmt: prompt, type one of the following commands:

  • configurable settings

  • ds behavior

  • partition management

  • LDAP policies

  • metadata cleanup

  • popups

  • quit

  • roles

  • security account management

Configurable settings

Modifies the Time to Live (TTL) of dynamic data that is stored in ADAM. To reach the configurable settings: prompt, at the dsmgmt: prompt, type configurable settings, and then press ENTER. Then, at the configurable settings: prompt, use the following syntax.

Syntax

{cancel changes|connections|list|set %s to %s|show values}

Parameters

  • cancel changes
    Cancels the changes that are made but that are not yet committed.
  • Connections
    Invokes the server connections submenu.
  • List
    Lists the names of the supported configurable settings.
  • set %s to %s
    Sets the configurable setting %s1 to the value %s2.
  • show values
    Displays values of configurable settings.
  • %s
    An alphanumeric variable, such as an ADAM instance name.
  • Quit
    Takes you back to the previous menu or exits the utility.
  • ? or help
    Displays help at the command prompt.

ds behavior

Enables administrators to specify whether password modifications can be made over unsecured (nonencrypted) connections. By default, password modifications over unsecured connections are not allowed. Leave this default in place unless every client path to the instance is already protected by SSL/TLS: allowing the operation over a plain LDAP connection sends the new password across the network in cleartext. To view the ds behavior command-line options, type ? at the ds behavior: command prompt.

partition management

Enables administrators to prepare cross-reference and server objects in the directory. To reach the partition management: prompt, at the dsmgmt: prompt, type partition management, and then press ENTER. Then, at the partition management: prompt, use the following syntax.

Syntax

{add nc replica %s %s|connections|create nc %s %s|create nc %s %s %s|remove nc replica %s %s|list|list nc information %s|list nc replicas %s|precreate %s %s|delete nc %s|select operation target|set nc reference domain %s %s|set nc replicate notification delay %s %d %d}

Parameters

  • add nc replica %s %s
    Adds the ADAM instance %s2 to the replica set for the application directory partition %s1. If %s2 is not specified, the ADAM instance that you are connected to is used as the default.
  • Connections
    Invokes the Connections submenu.
  • create nc %s %s
    This command only applies to Active Directory (and not to ADAM).
  • create nc %s %s %s
    This command applies to ADAM (and not to Active Directory). Creates the application directory partition with the distinguished name specified by %s1, of the object class specified by %s2, on the ADAM instance whose computername:portnumber is given by %s3. If %s3 is not specified, the currently connected ADAM instance is used.
  • remove nc replica %s %s
    Removes the ADAM instance %s2 from the replica set for the application directory partition %s1. If %s2 is not specified, the ADAM instance that you are currently connected to is used.
  • List
    Lists all the naming contexts (or, directory partitions) that exist in the configuration set.
  • list nc information %s
    Prints out the reference domain and replication delays for the application directory partition.
  • list nc replicas %s
    Prints the list of ADAM instances in the replica set for application directory partition %s. Remember that this is the list of ADAM instances that will eventually hold replicas of the application directory partition and that these replicas may not necessarily be fully replicated yet.
  • precreate %s %s
    Creates a cross-reference object for the application directory partition %s1, allowing an ADAM instance named %s2 to hold a replica of that directory partition. The directory partition must be specified by a fully distinguished name, and the ADAM instance must be specified by computername:portnumber.
  • delete nc %s
    Removes the application directory partition %s. Before you remove an application directory partition, all the replicas must be removed and their removal must replicate back to the naming operations master.
  • select operation target
    Invokes the Select operation target submenu.
  • set nc reference domain %s %s
    This command does not apply to ADAM.
  • set nc replicate notification delay %s %d %d
    Sets the notification delays for the application directory partition specified by %s to %d1 and %d2 for the delay in notifying the first ADAM instance of changes and the delay in notifying subsequent ADAM instances of changes, respectively.
  • %s
    An alphanumeric variable, such as an ADAM instance name.
  • %d
    A numeric variable, such as a replication delay time period.
  • Quit
    Takes you back to the previous menu, or exits the utility.
  • ? or help
    Displays help at the command prompt.

LDAP policies

Sets the Lightweight Directory Access Protocol (LDAP) administration limits for the Default-Query Policy object. To reach the LDAP policies: prompt, at the dsmgmt: prompt, type ldap policies, and then press ENTER. At the LDAP policies: prompt, use the following syntax.

Syntax

{cancel changes|commit changes|connections|list|set %s to %s|show values}

Parameters

  • cancel changes
    Cancels any uncommitted modifications of the LDAP administration limits to the default query policy.
  • commit changes
    Commits all modifications of the LDAP administration limits to the default query policy.
  • Connections
    Invokes the server connections submenu.
  • List
    Lists all supported LDAP administration limits for the ADAM instance.
  • set %s1 to %s2
    Sets the value of the LDAP administration limit %s1 to the value %s2.
  • show values
    Shows the current and proposed values for the LDAP administration limits.
  • %s
    An alphanumeric variable, such as an ADAM instance name.
  • Quit
    Takes you back to the previous menu or exits the utility.
  • ? or help
    Displays help at the command prompt.

Remarks

  • The following table describes the LDAP administration limits, with the default value for each noted in parentheses.

    Value                         Description
    InitRecvTimeout               Initial receive time-out (120 seconds)
    MaxConnections                Maximum number of open connections (5000)
    MaxConnIdleTime               Maximum amount of time a connection can be idle (900 seconds)
    MaxActiveQueries              Maximum number of queries that can be active at one time (20)
    MaxNotificationPerConnection  Maximum number of notifications that a client can request for a given connection (5)
    MaxPageSize                   Maximum page size supported for LDAP responses (1000 records)
    MaxQueryDuration              Maximum length of time the ADAM instance can execute a query (120 seconds)
    MaxTempTableSize              Maximum size of temporary storage allocated to execute queries (10,000 records)
    MaxResultSetSize              Maximum size of the LDAP result set (262,144 bytes)
    MaxPoolThreads                Maximum number of threads created by the ADAM instance for query execution (4 per processor)
    MaxDatagramRecv               Maximum number of datagrams that can be processed by the ADAM instance simultaneously (1024)

  • To ensure that ADAM instances can support service level guarantees, specify operational limits for a number of LDAP operations. These limits prevent individual operations (for example, an unbounded search or a flood of idle connections) from adversely affecting the performance of a server, and they make the server more resilient to denial-of-service attacks.

    LDAP policies are implemented by using objects of the class queryPolicy. Query Policy objects can be created in the container Query Policies, which is a child of the Directory Service container in the configuration naming context. For example: CN=Query-Policies, CN=Directory Service, CN=Windows NT, CN=Services (configuration directory partition).

    An ADAM instance uses the following three mechanisms to apply LDAP policies:

    • An ADAM instance might refer to a specific LDAP policy. The nTDSASettings object includes an optional attribute queryPolicyObject, which contains the distinguished name of a Query Policy.

    • In the absence of a specific query policy being applied to an ADAM instance, the ADAM instance applies the Query Policy that has been assigned to the ADAM instance's site. The ntDSSiteSettings object includes an optional attribute queryPolicyObject, which contains the distinguished name of a Query Policy.

    • In the absence of a specific ADAM instance or a site Query Policy, an ADAM instance uses the default Query Policy that is named Default-Query Policy.

    A Query Policy object includes the multivalued attributes LDAPIPDenyList and LDAPAdminLimits. An administrator can use dsmgmt to set the LDAP administration limits (but not for the IP Deny list) for the Default-Query Policy object.
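The remarks above describe where the limits are stored (the lDAPAdminLimits attribute of a queryPolicy object under CN=Query-Policies) and note that dsmgmt edits only the Default-Query Policy. The following PowerShell script is an added example and is not part of the original documentation. It reads the limits that every Query Policy in the configuration set currently holds, directly over LDAP with System.DirectoryServices.Protocols, and then tightens one limit through dsmgmt and commits it. It assumes that the ADAM instance listens on localhost:389, that the caller already holds ADAM administrator rights, and that dsmgmt.exe accepts its menu commands as quoted command-line arguments in the same way ntdsutil does (if your build does not, type the same lines at the corresponding prompts instead).

```powershell
# Added example, not from the original page. Reads lDAPAdminLimits from every
# queryPolicy object in the configuration set, then changes one limit through
# dsmgmt and commits it.
# Assumptions: ADAM on localhost:389, ADAM administrator rights, and dsmgmt.exe
# taking its menu commands as quoted arguments (the ntdsutil convention).
Add-Type -AssemblyName System.DirectoryServices.Protocols

# One LDAP search; $Attrs lists the attributes to return.
function Search-Adam($Conn, $Base, $Filter, $Scope, [string[]]$Attrs) {
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest($Base, $Filter, [System.DirectoryServices.Protocols.SearchScope]$Scope, $Attrs)
    $Conn.SendRequest($req).Entries
}

function Get-AdamLdapAdminLimits {
    param([string]$Server = 'localhost:389')
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()   # binds as the current Windows user

    # rootDSE tells us where the configuration directory partition lives.
    $rootDse  = @(Search-Adam $conn $null '(objectClass=*)' 'Base' 'configurationNamingContext')[0]
    $configNC = $rootDse.Attributes['configurationNamingContext'].GetValues([string])[0]

    # Query Policy objects live in CN=Query-Policies under the Directory Service container.
    $base = "CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    foreach ($entry in (Search-Adam $conn $base '(objectClass=queryPolicy)' 'OneLevel' 'lDAPAdminLimits')) {
        $limits = @{}
        if ($entry.Attributes.Contains('lDAPAdminLimits')) {
            # Each value is stored as "Name=Value", for example "MaxPageSize=1000".
            foreach ($v in $entry.Attributes['lDAPAdminLimits'].GetValues([string])) {
                $name, $value = $v -split '=', 2
                $limits[$name] = [int]$value
            }
        }
        [pscustomobject]@{ Policy = $entry.DistinguishedName; Limits = $limits }
    }
    $conn.Dispose()
}

function Set-AdamLdapAdminLimit {
    param(
        [string]$Server = 'localhost:389',
        [Parameter(Mandatory)][string]$Name,   # e.g. MaxConnIdleTime
        [Parameter(Mandatory)][int]$Value
    )
    # One token per line typed at the prompts: dsmgmt: > ldap policies: > server connections: > back > set > commit.
    $lines = @(
        'ldap policies',
        'connections', "connect to server $Server", 'quit',
        "set $Name to $Value",
        'commit changes',      # nothing is written to the Default-Query Policy until this line
        'show values',
        'quit', 'quit'
    )
    & dsmgmt.exe @lines
}

# Usage: cut the idle timeout from the 900-second default so abandoned connections
# give their slot back sooner, then re-read the policy to confirm the new value.
@(Get-AdamLdapAdminLimits)[0].Limits['MaxConnIdleTime']
Set-AdamLdapAdminLimit -Name MaxConnIdleTime -Value 300
@(Get-AdamLdapAdminLimits)[0].Limits['MaxConnIdleTime']
```

Reading the attribute back over LDAP, rather than trusting the dsmgmt echo, confirms that commit changes actually wrote the value and that the policy you edited is the one the instance resolves (an instance- or site-specific queryPolicyObject takes precedence over the Default-Query Policy, so a changed default may have no effect on an instance that refers to another policy).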

metadata cleanup

Cleans up metadata for retired ADAM instances. To reach the metadata cleanup: prompt, at the dsmgmt: prompt, type metadata cleanup, and then press ENTER. At the metadata cleanup: prompt, use the following syntax.

Syntax

{connections|remove selected domain|remove selected naming context|remove selected server|select operation target}

Parameters

  • Connections
    Invokes the server connections submenu.
  • remove selected domain
    This command does not apply to ADAM.
  • remove selected naming context
    Removes directory service objects for the selected naming context.
  • remove selected server
    Removes metadata associated with the ADAM instance that is selected in the Select operation target submenu.
  • select operation target
    Invokes the Select operation target submenu.
  • Quit
    Takes you back to the previous menu, or exits the utility.
  • ? or help
    Displays help at the command prompt.

Remarks

  • Metadata is maintained for each ADAM instance in a configuration set. When an ADAM instance is uninstalled, any metadata about the uninstalled ADAM instance that has been replicated to other ADAM instances is also removed. However, in some cases, metadata for the uninstalled ADAM instance can remain on the other ADAM instances in the configuration set. To remove this stale metadata, connect to an ADAM instance that holds the stale metadata, and select the uninstalled ADAM instance as the operation target.

Warning

Do not delete the metadata of existing ADAM instances.

popups {on|off}

Enables or disables interactive pop-up messages. To enable interactive pop-up messages, at the dsmgmt: prompt, type popups on. To disable pop-up messages, at the dsmgmt: prompt, type popups off.

quit

Type quit at the dsmgmt: prompt to close the dsmgmt command-line tool.

roles

Transfers and seizes operations master roles. To reach the roles: prompt, at the dsmgmt: prompt, type roles, and then press ENTER. At the roles: prompt, use the following syntax.

Note

Only the naming master and schema master roles apply to ADAM. Commands relating to the PDC, RID, and infrastructure masters do not apply to ADAM.

Syntax

{connections|seize naming master|seize infrastructure master|seize PDC|seize RID master|seize schema master|select operation target|transfer naming master|transfer infrastructure master|transfer PDC|transfer RID master|transfer schema master}

Parameters

  • connections
    Invokes the server connections submenu.
  • seize naming master
    Forces the ADAM instance to which you are connected to claim ownership of the naming operations master role without regard to the data that is associated with the role. Use only for recovery purposes.
  • seize infrastructure master
    Does not apply to ADAM.
  • seize PDC
    Does not apply to ADAM.
  • seize RID master
    Does not apply to ADAM.
  • seize schema master
    Forces the ADAM instance to which you are connected to claim ownership of the schema operations master role without regard to the data that is associated with the role. Use only for recovery purposes.
  • select operation target
    Invokes the Select operation target submenu. From within the submenu, you can list the operations master (also known as flexible single master operations, or FSMO) roles that are held by the currently connected server. For a complete list of select operation target subcommands, type ? at the select operation target: prompt.
  • transfer naming master
    Instructs the ADAM instance to which you are connected to obtain the naming role by means of controlled transfer.
  • transfer infrastructure master
    Does not apply to ADAM.
  • transfer PDC
    Does not apply to ADAM.
  • transfer RID master
    Does not apply to ADAM.
  • transfer schema master
    Instructs the ADAM instance to which you are connected to obtain the schema operations master role by means of controlled transfer.
  • quit
    Takes you back to the previous menu, or exits the utility.
  • ? or help
    Displays help at the command prompt.

Remarks

  • Although ADAM is based on a multimaster administration model, some operations support only a single master. For multimaster operations, conflict resolution ensures that after the system finishes replicating, all replicas agree on the value for a given property on a given object. However, some data, for which adequate conflict resolution is not possible, is key to the operation of the system as a whole. This data is controlled by individual ADAM instances, called operations masters.

    The following two operations master roles apply to ADAM configuration sets.

    • Schema operations master. There is a single schema operations master role for each ADAM configuration set. This role allows the operations master server to accept schema updates. There are other restrictions on schema updates.

    • Naming master. There is a single naming master role for an ADAM configuration set. The naming master role allows the owner to define new cross-reference objects that represent directory partitions in the partitions container.

  • An operations master role can only be moved by administrative involvement; it is not moved automatically. Additionally, moving a role is controlled by standard access controls. Therefore, an organization should tightly control the location and movement of operations master roles. For example, an organization with a strong information technology (IT) presence might place the schema role on a server in the IT group and configure its access control list (ACL) so that it cannot be moved at all.

    Operations master roles require two forms of management: controlled transfer and seizure.

    Use controlled transfer when you want to move a role from one server to another, perhaps to track a policy change with respect to role location or in anticipation of a server being shut down, moved, or decommissioned.

    Seizure is required when a server that is holding a role fails and you do not intend to restore it. Even in the case of a server that is recovered from a backup, the server does not assume that it owns a role (even if the backup tape says so), because the server cannot determine if the role was legitimately transferred to another server in the time period between when the backup was made and when the server failed and was recovered. The restored server assumes role ownership only if a quorum of existing servers is available during recovery and they all agree that the restored server is still the owner.

    The roles submenu in dsmgmt is used to perform controlled transfer and recovery of operations master roles. Controlled transfer is simple and safe. Because the source and destination servers are running, the system software guarantees that the operations master role token and its associated data is transferred safely. Operations master role seizure is equally simple but not as safe; you simply tell a particular ADAM instance that it is now the owner of a particular role.

    Warning

    Do not make a server a role owner by means of seizure commands if the real role holder exists on the network. Doing this can create irreconcilable conflicts for key system data. If an operations master role owner is temporarily unavailable, do not make another ADAM instance the role owner. This can result in a situation in which two computers function as the role owner, which might cause irreconcilable conflicts for key system data.
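Both the metadata cleanup section and the roles section above turn on the same question: which ADAM instances recorded in the configuration set still exist and answer, and which of them currently hold the schema and naming operations master roles. The following PowerShell script is an added example and is not part of the original documentation. It enumerates the server objects under CN=Sites in the configuration partition, checks whether each instance still has an NTDS Settings (nTDSDSA) object and still accepts a TCP connection, reads the two fSMORoleOwner attributes, and then drives dsmgmt for a controlled transfer, refusing to seize a role while its current owner is still reachable (the situation the warning above describes). It assumes an ADAM instance on localhost:389, ADAM administrator rights, that each server object carries dNSHostName and msDS-PortLDAP, and that dsmgmt.exe accepts its menu commands as quoted command-line arguments as ntdsutil does; the host name adam2.example.test in the usage lines is a placeholder.

```powershell
# Added example, not from the original page. Lists the ADAM instances in the
# configuration set with their health, shows which one owns each operations master
# role, and moves a role through dsmgmt, blocking a seizure while the owner answers.
# Assumptions: ADAM on localhost:389, ADAM administrator rights, server objects with
# dNSHostName and msDS-PortLDAP, dsmgmt.exe taking menu commands as arguments.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Search-Adam($Conn, $Base, $Filter, $Scope, [string[]]$Attrs) {
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest($Base, $Filter, [System.DirectoryServices.Protocols.SearchScope]$Scope, $Attrs)
    $Conn.SendRequest($req).Entries
}

# TCP connect with a timeout; "unreachable" here means the port did not answer in time.
function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 2000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        return ($ar.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected)
    } catch { return $false } finally { $client.Close() }
}

function Get-AdamConfigSetStatus {
    param([string]$Server = 'localhost:389')
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()

    $root     = @(Search-Adam $conn $null '(objectClass=*)' 'Base' @('configurationNamingContext', 'schemaNamingContext'))[0]
    $configNC = $root.Attributes['configurationNamingContext'].GetValues([string])[0]
    $schemaNC = $root.Attributes['schemaNamingContext'].GetValues([string])[0]

    # fSMORoleOwner holds the DN of the owning instance's NTDS Settings (nTDSDSA) object:
    # on the schema partition head for the schema master, on CN=Partitions for the naming master.
    $schemaOwner = @(Search-Adam $conn $schemaNC '(objectClass=*)' 'Base' 'fSMORoleOwner')[0].Attributes['fSMORoleOwner'].GetValues([string])[0]
    $namingOwner = @(Search-Adam $conn "CN=Partitions,$configNC" '(objectClass=*)' 'Base' 'fSMORoleOwner')[0].Attributes['fSMORoleOwner'].GetValues([string])[0]

    # Every instance in the configuration set is represented by a server object under CN=Sites.
    foreach ($s in (Search-Adam $conn "CN=Sites,$configNC" '(objectClass=server)' 'Subtree' @('dNSHostName', 'msDS-PortLDAP'))) {
        $dn       = $s.DistinguishedName
        $hostName = $s.Attributes['dNSHostName'].GetValues([string])[0]
        $port     = [int]$s.Attributes['msDS-PortLDAP'].GetValues([string])[0]
        # A server object that has lost its nTDSDSA child is leftover metadata from an uninstall.
        $ntds = @(Search-Adam $conn $dn '(objectClass=nTDSDSA)' 'OneLevel' 'objectClass')
        [pscustomobject]@{
            Server       = $dn
            Endpoint     = "${hostName}:$port"
            HasNtdsDsa   = ($ntds.Count -gt 0)
            Reachable    = (Test-TcpPort $hostName $port)
            SchemaMaster = ($schemaOwner -eq "CN=NTDS Settings,$dn")
            NamingMaster = ($namingOwner -eq "CN=NTDS Settings,$dn")
        }
    }
    $conn.Dispose()
}

function Move-AdamOperationsMaster {
    param(
        [Parameter(Mandatory)][ValidateSet('schema master', 'naming master')][string]$Role,
        [Parameter(Mandatory)][string]$NewOwner,   # computername:port of the instance that should take the role
        [switch]$Seize
    )
    $status  = Get-AdamConfigSetStatus -Server $NewOwner
    $current = $status | Where-Object { if ($Role -eq 'schema master') { $_.SchemaMaster } else { $_.NamingMaster } }
    if (-not $current) { throw "No server object matches the fSMORoleOwner of the $Role; inspect the configuration set first." }
    if ($Seize -and $current.Reachable) {
        # Seizing while the real owner is online produces two owners and irreconcilable system data.
        throw "Refusing to seize: the current $Role ($($current.Endpoint)) still answers. Use a controlled transfer."
    }
    $verb  = if ($Seize) { 'seize' } else { 'transfer' }
    $lines = @('roles', 'connections', "connect to server $NewOwner", 'quit', "$verb $Role", 'quit', 'quit')
    & dsmgmt.exe @lines
}

# Usage: review the configuration set, then move the schema role by controlled transfer.
# Entries with HasNtdsDsa = False, or Reachable = False for an instance you know was
# uninstalled, are the targets for metadata cleanup > select operation target.
Get-AdamConfigSetStatus | Format-Table Endpoint, HasNtdsDsa, Reachable, SchemaMaster, NamingMaster
Move-AdamOperationsMaster -Role 'schema master' -NewOwner 'adam2.example.test:389'   # placeholder host
```

Reachable = False is evidence, not proof, that an instance is gone: a server that is merely offline for maintenance will show the same way, and removing its metadata or seizing its role would create exactly the conflict the warning describes. Treat an unreachable owner as a candidate for seizure only after you have confirmed it will not return, and prefer the transfer path whenever the owner can be brought back long enough to hand the role over.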

security account management

This command does not apply to ADAM.

Formatting legend

Format                                              Meaning
Italic                                              Information that the user must supply
Bold                                                Elements that the user must type exactly as shown
Ellipsis (...)                                      Parameter that can be repeated several times in a command line
Between brackets ([])                               Optional items
Between braces ({}); choices separated by pipe (|). Set of choices from which the user must choose only one
  Example: {even|odd}
Courier font                                        Code or program output