Domains and Forests Tools and Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

In this section

  • Tools for Managing Domains and Forests

  • Domains and Forests Registry Entries

  • Domains and Forests Group Policy Settings

  • Domains and Forests WMI Classes

  • Network Ports Used by Domains and Forests

  • Related Information

Administrators can use a number of methods to configure and manage Active Directory domain and forest environments. This section contains information about the tools, registry entries, Group Policy settings, Windows Management Instrumentation (WMI) classes, and network ports that are associated with Active Directory domains and forests.

Note

  • When using Windows Server 2003 Active Directory administrative tools to connect to a domain controller running Windows 2000, first make sure that the Windows 2000 domain controller you are connecting to has Service Pack 3 or later installed. This is because the Windows Server 2003 administrative tools sign and encrypt all LDAP traffic by default. If business reasons do not permit installing Service Pack 3 or later on the Windows 2000 domain controllers, this default can be disabled on the administrative workstation, but doing so sends the administrator's LDAP session unsigned and in the clear, where anyone on the network path can read or tamper with it; patching the domain controllers is the safer option.

Tools for Managing Domains and Forests

The following tools are associated with domains and forests.

Adsiedit.exe: ADSI Edit

Category

ADSI Edit is included when you install Windows Server 2003 Support Tools.

Version compatibility
Can Be Run From:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Servers running Windows Server 2003, Standard Edition; Enterprise Edition; Datacenter Edition; or Web Edition

  • Computers running Windows XP Professional

Can Be Run Against:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Domain controllers running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server

ADSI Edit is a Microsoft Management Console (MMC) tool that uses Active Directory Service Interfaces (ADSI), which ultimately uses the LDAP protocol. This tool can be used to view and modify directory objects in the Active Directory database.

To find more information about ADSI Edit, see “Adsiedit Overview.”

Csvde.exe: Csvde

Category

Csvde is a command-line tool that ships with Windows Server 2003.

Version compatibility
Can Be Run From:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Servers running Windows Server 2003, Standard Edition; Enterprise Edition; Datacenter Edition; or Web Edition

  • Computers running Windows XP Professional

Can Be Run Against:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Domain controllers running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server

You can use Csvde to import and export data from Active Directory by using files that store data in the comma-separated value (CSV) file format. Csvde also supports batch operations that are based on CSV.

To find more information about Csvde, see Command-Line References in the “Tools and Settings Collection.”

Dcdiag.exe: Domain Controller Diagnostic Tool

Category

The Domain Controller Diagnostic Tool command-line tool (Dcdiag) is included when you install the Windows Server 2003 Support Tools.

Version compatibility
Can Be Run From:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Servers running Windows Server 2003, Standard Edition; Enterprise Edition; Datacenter Edition; or Web Edition

  • Computers running Windows XP Professional with Adminpak.msi installed

Can Be Run Against:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Domain controllers running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server

You can use the Domain Controller Diagnostic Tool to verify external trusts. This tool cannot be used to verify trust relationships based on the Kerberos version 5 authentication protocol; to verify Kerberos V5-based trust relationships, the recommended method is to use the Netdom tool. Using the Domain Controller Diagnostic Tool you can scope your external trust verification by site or by domain controller, check for trust establishment, check secured channel setup, and check for ticket validity between each pair of domain controllers. By default, errors are flagged. In verbose mode, successes are printed as well.

You can use the Domain Controller Diagnostic Tool to verify that there are sufficient resources for the DNS infrastructure when deploying the Windows 2000 Server or Windows Server 2003 Active Directory directory service. This tool analyzes the state of domain controllers in a forest or enterprise and reports any problems to assist in troubleshooting. As an end-user reporting program, the Domain Controller Diagnostic Tool queries the directory service infrastructure and uses the results to identify abnormal behavior in the system. The Domain Controller Diagnostic Tool provides a framework for executing tests to verify different functional areas of the system. This framework selects which domain controllers are tested according to scope directives from the user, such as enterprise, site, or single server.

Dcpol.msc: Domain Controller Security Policy

Category

Domain Controller Security Policy is a snap-in for MMC and is automatically installed when you install Active Directory. You can also use Domain Controller Security Policy on computers not running Active Directory by installing the Administration Tools Pack (Adminpak.msi).

Version compatibility
Can Be Run From:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Servers running Windows Server 2003, Standard Edition; Enterprise Edition; Datacenter Edition; or Web Edition

  • Computers running Windows XP Professional

Can Be Run Against:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Domain controllers running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server

You can set security settings for a domain controller in Domain Controller Security Policy.

For more information about Domain Controller Security Policy, see Help and Support Center in Windows Server 2003.

Dcpromo.exe: Active Directory Installation Wizard

Category

An Active Directory wizard that is included with Windows Server 2003 and is available from the command line or from the Configure Your Server Wizard on any computer running Windows Server 2003.

Version compatibility

This tool is compatible with computers running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition.

The Active Directory Installation Wizard provides a graphical user interface for setting up a domain controller by installing Active Directory and, optionally, DNS. The Active Directory Installation Wizard can also be used on a Windows NT 4.0 primary domain controller (PDC) when upgrading it to Windows Server 2003 and forming a new forest, to raise the forest functional level to Windows Server 2003 interim, if appropriate.

Domain.msc: Active Directory Domains and Trusts

Category

An Active Directory Administrative Tools MMC snap-in that is automatically installed on all domain controllers running Windows Server 2003.

Version compatibility
Can Be Run From:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Servers running Windows Server 2003, Standard Edition; Enterprise Edition; Datacenter Edition; or Web Edition

  • Computers running Windows XP Professional with Adminpak.msi installed

Can Be Run Against:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Domain controllers running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server

Note

  • You cannot run the Windows Server 2003 Administration Tools Pack (Adminpak.msi) on a computer that is running Windows XP Professional, Windows XP Home Edition, or Windows XP 64-Bit Edition Version 2003 without Windows XP Service Pack 1 (SP1).

Active Directory Domains and Trusts provides a graphical interface in which you can view all domains in the forest. Using this tool, an administrator can manage each domain in the forest and the trust relationships between domains, raise the functional level of a domain or of the forest, and configure the alternative user principal name (UPN) suffixes for a forest.

Active Directory Domains and Trusts can be used to accomplish most trust related tasks. It can be used to target all Active Directory domain controllers and can verify all Active Directory trust types. Trust verification takes place between two domains by enumerating all of the domain controllers in each domain. If you choose to have Active Directory Domains and Trusts create both sides of the trust at once, the trust password is automatically generated.

For more information about Active Directory Domains and Trusts, see Help in Active Directory Domains and Trusts.

Dompol.msc: Domain Security Policy

Category

Domain Security Policy is a snap-in for MMC and is automatically installed when you install Active Directory. You can also use Domain Security Policy on computers not running Active Directory by installing the Administration Tools Pack (Adminpak.msi).

Version compatibility
Can Be Run From:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Servers running Windows Server 2003, Standard Edition; Enterprise Edition; Datacenter Edition; or Web Edition

  • Computers running Windows XP Professional

Can Be Run Against:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Domain controllers running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server

Security settings for a domain are set in Domain Security Policy. Its Group Policy settings can be used to lock down which users are allowed to log on to a server locally and which users can access it from the network.

For more information about Domain Security Policy, see Help and Support Center in Windows Server 2003.

Dsa.msc: Active Directory Users and Computers

Category

An Active Directory Administrative Tools MMC snap-in that is automatically installed on all domain controllers running Windows Server 2003.

Version compatibility
Can Be Run From:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Servers running Windows Server 2003, Standard Edition; Enterprise Edition; Datacenter Edition; or Web Edition

  • Computers running Windows XP Professional with Adminpak.msi installed

Can Be Run Against:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Domain controllers running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server

Active Directory Users and Computers provides a graphical user interface that can be used to manage users and computers in Active Directory domains.

Additionally, LDAP Query can be used in this tool for the following:

  • To identify domain controllers running Windows NT 4.0

  • To connect to a domain

Dsadd.exe: Dsadd

Category

Dsadd is a command-line tool that ships with Windows Server 2003.

Version compatibility
Can Be Run From:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Servers running Windows Server 2003, Standard Edition; Enterprise Edition; Datacenter Edition; or Web Edition

  • Computers running Windows XP Professional

Can Be Run Against:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Domain controllers running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server

You can use Dsadd to add specific types of objects to the directory.

To find more information about Dsadd, see Command-Line References in the “Tools and Settings Collection.”

Dsget.exe: Dsget

Category

Dsget is a command-line tool that ships with Windows Server 2003.

Version compatibility
Can Be Run From:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Servers running Windows Server 2003, Standard Edition; Enterprise Edition; Datacenter Edition; or Web Edition

  • Computers running Windows XP Professional

Can Be Run Against:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Domain controllers running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server

You can use Dsget to display the selected properties of a specific object in the directory.

Dsmod.exe: Dsmod

Category

Dsmod is a command-line tool that ships with Windows Server 2003.

Version compatibility
Can Be Run From:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Servers running Windows Server 2003, Standard Edition; Enterprise Edition; Datacenter Edition; or Web Edition

  • Computers running Windows XP Professional

Can Be Run Against:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Domain controllers running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server

You can use Dsmod to modify an existing object of a specific type in the directory.

To find more information about Dsmod, see Command-Line References in the “Tools and Settings Collection.”

Dsmove.exe: Dsmove

Category

Dsmove is a command-line tool that ships with Windows Server 2003.

Version compatibility
Can Be Run From:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Servers running Windows Server 2003, Standard Edition; Enterprise Edition; Datacenter Edition; or Web Edition

  • Computers running Windows XP Professional

Can Be Run Against:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Domain controllers running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server

You can use Dsmove to move a single object in a domain from its current location in the directory to a new location. You can also use Dsmove to rename a single object without moving it in the directory tree.

To find more information about Dsmove, see Command-Line References in the “Tools and Settings Collection.”

Dsquery.exe: Dsquery

Category

Dsquery is a command-line tool that ships with Windows Server 2003.

Version compatibility
Can Be Run From:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Servers running Windows Server 2003, Standard Edition; Enterprise Edition; Datacenter Edition; or Web Edition

  • Computers running Windows XP Professional

Can Be Run Against:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Domain controllers running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server

You can use Dsquery to perform searches against Active Directory according to specified criteria. To find more information about Dsquery, see Command-Line References in the “Tools and Settings Collection.”

Dsrm.exe: Dsrm

Category

Dsrm is a command-line tool that ships with Windows Server 2003.

Version compatibility
Can Be Run From:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Servers running Windows Server 2003, Standard Edition; Enterprise Edition; Datacenter Edition; or Web Edition

  • Computers running Windows XP Professional

Can Be Run Against:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Domain controllers running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server

You can use Dsrm to delete an object of a specific type, or any general object, from the directory.

To find more information about Dsrm, see Command-Line References in the “Tools and Settings Collection.”
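The Dsquery, Dsget, Dsmod, Dsmove, Dsadd and Dsrm entries above describe the tools one at a time, but they are built to be chained. The following is an added PowerShell example, not code from this page or from Microsoft, showing the account-hygiene job they are usually chained for: find users that have not logged on for a while, disable the ones still enabled, move them to a quarantine OU, and create a new account in a safe initial state. The domain corp.example, the OU names and the account names are assumptions made for the example.

```powershell
# Added example (not from the original page). Assumptions: domain corp.example,
# an existing quarantine OU "OU=Disabled,DC=corp,DC=example", the ds* tools on
# PATH, and an account allowed to modify the users concerned.
$domainDN      = "DC=corp,DC=example"
$quarantineOU  = "OU=Disabled,$domainDN"
$weeksInactive = 12

# dsquery returns at most 100 objects unless -limit 0 is given. A forgotten
# -limit silently truncates the result set, so set it explicitly in scripts.
$staleRaw    = dsquery user $domainDN -inactive $weeksInactive -limit 0
$disabledRaw = dsquery user $domainDN -disabled -limit 0
if (-not $staleRaw) { "No accounts inactive for $weeksInactive weeks."; return }

# Review who is about to be touched before changing anything. dsget reads DNs
# from stdin, so the raw (quoted) dsquery output can be piped straight into it.
$staleRaw | dsget user -dn -samid -display -pwdneverexpires -disabled

# dsquery wraps each DN in double quotes. Strip them so PowerShell can quote the
# DNs itself when it passes them as arguments to the next native command.
$stale    = @($staleRaw    | ForEach-Object { $_.Trim('"') })
$disabled = @($disabledRaw | ForEach-Object { $_.Trim('"') })

# Disable every stale account that is still enabled, then move it aside.
# dsmove re-parents (-newparent) or renames (-newname) exactly one object.
foreach ($dn in $stale) {
    if ($disabled -contains $dn) { continue }
    dsmod user $dn -disabled yes
    dsmove $dn -newparent $quarantineOU
}

# Create an account the safe way: disabled until its owner is ready, and the
# password must be changed at first logon. "-pwd *" prompts for the password
# instead of leaving it in the command history.
dsadd user "CN=Jane Doe,OU=Staff,$domainDN" -samid jdoe -upn jdoe@corp.example `
    -fn Jane -ln Doe -display "Jane Doe" -pwd * -mustchpwd yes -disabled yes

# dsrm is irreversible on Windows Server 2003 (no Recycle Bin), so delete one
# reviewed object at a time and keep "-subtree -noprompt" out of scripts.
# dsrm "CN=Old Contractor,OU=Disabled,$domainDN" -noprompt
```

The dsget step is deliberately placed before any dsmod call: the inactive-weeks test is based on lastLogonTimestamp, which replicates lazily, so the list should be read by a person before accounts are disabled.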

Dssite.msc: Active Directory Sites and Services

Category

An Active Directory Administrative Tools MMC snap-in that is automatically installed on all domain controllers running Windows Server 2003.

Version compatibility
Can Be Run From:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Servers running Windows Server 2003, Standard Edition; Enterprise Edition; Datacenter Edition; or Web Edition

  • Computers running Windows XP Professional with Adminpak.msi installed

Can Be Run Against:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Domain controllers running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server

You can use Active Directory Sites and Services to create, modify, and delete site configuration objects in Active Directory, including sites, subnets, connection objects, and site links. You can also use Active Directory Sites and Services to create the intersite topology, including mapping subnet addresses to sites, creating and configuring site links, creating manual connection objects, forcing replication over a connection, setting a domain controller to be a global catalog server, and selecting preferred bridgehead servers.

For more information about Active Directory Sites and Services, see Help and Support Center in Windows Server 2003.

Ldifde.exe: Ldifde

Category

Ldifde is a command-line tool that ships with Windows Server 2003.

Version compatibility
Can Be Run From:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Servers running Windows Server 2003, Standard Edition; Enterprise Edition; Datacenter Edition; or Web Edition

  • Computers running Windows XP Professional

Can Be Run Against:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Domain controllers running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server

You can use Ldifde to create, modify, and delete directory objects on domain controllers. You can also use Ldifde to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory with data from other directory services.

To find more information about Ldifde, see Command-Line References in the “Tools and Settings Collection.”
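Csvde and Ldifde (both described above) take the same export switches; the difference that matters in practice is that a Csvde import can only create objects, while an Ldifde change file can also modify and delete them. The following is an added PowerShell example, not code from this page or from Microsoft, that exports a filtered set of user attributes with both tools, builds an LDIF change file, and imports it with logging. The domain controller dc1.corp.example, the Staff OU and the two objects changed are assumptions made for the example.

```powershell
# Added example (not from the original page). Assumptions: domain controller
# dc1.corp.example, an OU "OU=Staff,DC=corp,DC=example", and an account that
# can read the OU and modify the two objects named in the change file.
$dc   = "dc1.corp.example"
$base = "OU=Staff,DC=corp,DC=example"

# Export: -d base DN, -p scope, -r LDAP filter, -l attribute list. Without -l
# every readable attribute is written to disk, so name only what you need.
ldifde -f staff.ldf -s $dc -d $base -p subtree `
    -r "(&(objectCategory=person)(objectClass=user))" `
    -l "sAMAccountName,userAccountControl,servicePrincipalName,lastLogonTimestamp"

# The same data as CSV (one row per object) for review in a spreadsheet.
csvde -f staff.csv -s $dc -d $base -p subtree `
    -r "(&(objectCategory=person)(objectClass=user))" `
    -l "sAMAccountName,userAccountControl"

# A change file. Each record is: dn, changetype, then the change, with "-"
# closing a modify block. userAccountControl 514 = NORMAL_ACCOUNT (512) +
# ACCOUNTDISABLE (2). Csvde cannot express this: on import it only adds
# objects, so modifications and deletions need Ldifde. The objects named
# here are constructed for the example.
@"
dn: CN=Svc Legacy,OU=Staff,DC=corp,DC=example
changetype: modify
replace: userAccountControl
userAccountControl: 514
-

dn: CN=Old Contractor,OU=Staff,DC=corp,DC=example
changetype: delete
"@ | Set-Content -Encoding ASCII -Path changes.ldf

# Import: -i import mode, -k keep going past "already exists" and constraint
# errors, -j writes ldif.log and ldif.err in the given folder so every
# rejected record is recorded, -v verbose. There is no dry run, so review
# changes.ldf before this step.
ldifde -i -f changes.ldf -s $dc -k -j . -v
```

Because the same account that can export can usually also import, the export files and the change file should be treated as sensitive and removed when the job is done; they contain DNs, account names and (with a wider -l) attributes such as SPNs that are useful to an attacker mapping the domain.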

Ldp.exe: Ldp

Category

Ldp is included when you install Windows Server 2003 Support Tools.

Version compatibility
Can Be Run From:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Servers running Windows Server 2003, Standard Edition; Enterprise Edition; Datacenter Edition; or Web Edition

  • Computers running Windows XP Professional

Can Be Run Against:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Domain controllers running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server

Ldp is a Lightweight Directory Access Protocol (LDAP) graphical user interface (GUI) tool that you can use to perform operations such as connect, bind, search, modify, add, and delete against any LDAP-compatible directory, such as Active Directory. You can also use Ldp to view objects that are stored in Active Directory, along with their metadata, such as security descriptors and replication metadata.

To find more information about Ldp, see “Windows Support Tools.”

Netdiag.exe: Network Connectivity Tester

Category

The Network Connectivity Tester command-line tool (Netdiag) is included when you install Windows Server 2003 Support Tools.

Version compatibility
Can Be Run From:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Servers running Windows Server 2003, Standard Edition; Enterprise Edition; Datacenter Edition; or Web Edition

  • Computers running Windows XP Professional with Adminpak.msi installed

Can Be Run Against:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Domain controllers running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server

The Netdiag command-line tool examines .dll files, output from other tools, and the system registry to find potential problems. You can use Netdiag to troubleshoot connectivity over the secured channel that exists between a workstation and a domain controller.

For the various trust related tasks that can be performed using this tool, see the table Trust Tools Comparison by Task earlier in this section. To find more information about Netdiag, see “Windows Support Tools.”

Netdom.exe: Windows Domain Manager

Category

The Windows Domain Manager command-line tool (Netdom) is included when you install Windows Server 2003 Support Tools.

Version compatibility

This tool is compatible with computers running Windows XP Professional; Windows Server 2003, Standard Edition; Windows Server 2003, Web Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.

Netdom is a command-line tool that allows you to create and manage Active Directory trust relationships (except forest trusts) and can reduce the number of steps needed to create a trust compared with Active Directory Domains and Trusts. You can also use Netdom to complete batch management of trusts, join computers to domains, verify trusts (including forest trusts) and secured channels, and obtain information about the status of trusts.

Netdom can be targeted at all Active Directory domain controllers and can verify all Active Directory trust types. Verification is accomplished between two domains by enumerating the domain controllers in each domain. If you choose to have Netdom create both sides of the trust at once the trust password is automatically generated.

To find more information about Netdom, see “Windows Support Tools.”

Nltest.exe: NLTest

Category

The NLTest command-line tool is included when you install Windows Server 2003 Support Tools.

Version compatibility

This tool is compatible with computers running Windows XP Professional; Windows Server 2003, Standard Edition; Windows Server 2003, Web Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.

You can use the NLTest command-line tool to perform trust-related network administrative tasks such as testing the trust relationship between a Windows–based computer that is a member of a domain and the domain controller on which its computer account is located. In domains where an external trust is defined, NLTest can be used to test the trust relationship between all domain controllers in the trusting domain and a domain controller in the trusted domain. Nltest can also be used to verify any secured channel.

To find more information about NLTest, see “Windows Support Tools.”
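The Dcdiag, Netdiag, Netdom and NLTest entries above each cover one piece of trust and secure-channel verification. The following is an added PowerShell example, not code from this page or from Microsoft, that runs the four checks together for one external trust and adds the one security check a practitioner should not skip: whether SID filtering (quarantine) is on. The domains corp.example and partner.example are assumptions made for the example.

```powershell
# Added example (not from the original page). Assumptions: this runs on a
# domain controller or member of corp.example, which has an external trust
# with partner.example, and the tools are on PATH (Support Tools on Windows
# Server 2003; built in on 2008 and later). Netdiag exists only in the 2003
# Support Tools.
$trusting = "corp.example"
$trusted  = "partner.example"

# Secure channel from this computer to its own domain: show the DC in use,
# then force a verification. /sc_reset is the repair if that fails.
nltest "/sc_query:$trusting"
nltest "/sc_verify:$trusting"
# nltest "/sc_reset:$trusting"

# Every trust this computer knows, with direction, type and attribute flags.
# In the Attr value, 0x4 means quarantined (SID filtering) and 0x8 means
# forest transitive.
nltest /domain_trusts /all_trusts /v

# Netdom: verify both directions of the trust and its Kerberos path, then
# show the quarantine state. /quarantine with no value only displays it.
netdom trust $trusting "/d:$trusted" /verify /twoway
netdom trust $trusting "/d:$trusted" /verify /kerberos
netdom trust $trusting "/d:$trusted" /quarantine
# An external trust without quarantine accepts SIDs carried in sIDHistory
# from the trusted domain, so an administrator there can claim membership of
# this domain's groups. Switch it on unless a documented migration needs it off:
# netdom trust $trusting "/d:$trusted" /quarantine:yes

# Dcdiag: the external-trust test described above. It walks every DC in the
# trusting domain and checks its outbound secure channel to the trusted
# domain; /nositerestriction lifts the default limit to DCs in the local site.
$out = dcdiag /test:outboundsecurechannels "/testdomain:$trusted" /nositerestriction /v
$out | Select-String -Pattern 'failed test|Warning'

# DNS prerequisite check for a domain controller (Windows Server 2003 SP1 and later).
dcdiag /test:dns /v | Select-String -Pattern 'FAIL|Warning'

# Netdiag: the member-side view of the same secure channel and trust set.
netdiag /test:trust /v
```

Run the Netdom and Dcdiag steps from the trusting side with an account that is an administrator in that domain; the verification itself needs no credentials in the trusted domain, but repairing a broken trust (netdom trust /reset) does.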

Ntdsutil.exe: Ntdsutil

Category

Ntdsutil is a command-line tool that ships with Windows Server 2003.

Version compatibility
Can Be Run From:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

Can Be Run Against:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

Ntdsutil.exe provides management capabilities for Active Directory. You can use Ntdsutil.exe to perform Active Directory database maintenance, manage and control single-master operations, and remove replication metadata left behind by domain controllers that are removed from the network without uninstalling Active Directory. You can also use Ntdsutil to create application directory partitions and perform authoritative restore operations. This tool is intended for use by experienced administrators.

To find more information about Ntdsutil, see Command-Line References in the “Tools and Settings Collection.”
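Two of the Ntdsutil tasks named above, removing the metadata of a domain controller that was lost without being demoted and taking over an operations master role it held, are the ones most often done under pressure. The following is an added PowerShell example, not code from this page or from Microsoft, that performs both with a check before and after. The domain corp.example, the surviving DC dc1 and the failed DC DC3 are assumptions made for the example.

```powershell
# Added example (not from the original page). Assumptions: domain corp.example,
# a surviving DC dc1.corp.example, and a failed DC named DC3 in the default
# site whose server object is the DN below. Windows Server 2008 and later
# accept the whole ntdsutil command sequence on one line; on Windows Server
# 2003 the same words are typed one prompt at a time.
$survivor   = "dc1.corp.example"
$deadServer = "CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example"

# Starting point: who holds the operations master roles, and does the
# survivor still see DC3 as a replication partner that is failing.
netdom query fsmo
repadmin /showrepl $survivor

# Remove the failed DC's replication metadata: its NTDS Settings object, the
# replication links to it, and the references other DCs still hold to it.
ntdsutil "metadata cleanup" "remove selected server $deadServer" quit quit

# If the failed DC held a role, seize it on the survivor. ntdsutil tries a
# graceful transfer first and only seizes when the holder does not answer.
# The old holder must never be brought back onto the network afterwards.
ntdsutil roles connections "connect to server $survivor" quit "seize pdc" quit quit

# Verify the result and confirm every DC agrees on the role holders.
netdom query fsmo
dcdiag /test:knowsofroleholders /v

# Not covered by metadata cleanup: the failed DC's DNS records (its A record
# and the SRV and CNAME records under _msdcs). Remove those by hand.
```

The seize step is the irreversible one: after it, the old holder's copy of the role is stale, and if that machine is ever powered on again with its directory intact there will be two holders. Wipe or rebuild the failed DC rather than repairing it.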

Repadmin.exe: Repadmin

Category

Repadmin is included when you install Windows Server 2003 Support Tools.

Version compatibility
Can Be Run From:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Servers running Windows Server 2003, Standard Edition; Enterprise Edition; Datacenter Edition; or Web Edition

  • Computers running Windows XP Professional

Can Be Run Against:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Domain controllers running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server

Administrators can use Repadmin to monitor and manage replication between domain controllers. You can determine the last successful replication of all directory partitions, identify inbound and outbound replication partners, identify the current bridgehead servers, view object metadata, and generally manage Active Directory replication topology. You can use Repadmin to force replication of an entire directory partition or of a single object. You can also list domain controllers in a site.

To find more information about Repadmin, at a command prompt type repadmin /? or see Command-Line References in the Tools and Settings Collection.
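The Repadmin capabilities listed above map onto a handful of switches, and one of them (object metadata) is as useful in an incident as it is in troubleshooting, because it records which domain controller a change originated on and when. The following is an added PowerShell example, not code from this page or from Microsoft, that walks through them. The domain corp.example, the DC names and the site name are assumptions made for the example.

```powershell
# Added example (not from the original page). Assumptions: domain corp.example
# with DCs dc1 and dc2, a site named Default-First-Site-Name, and repadmin from
# the 2003 Support Tools (SP1 or later for /csv) or built in on 2008 and later.
$dc1      = "dc1.corp.example"
$domainDN = "DC=corp,DC=example"

# One line per DC: largest delta since the last success and fail/total counts.
repadmin /replsummary

# Per partner and partition as CSV, turned into objects so failures can be
# filtered instead of read by eye.
$repl = repadmin /showrepl * /csv | ConvertFrom-Csv
$repl | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                  'Last Success Time', 'Last Failure Status' |
    Format-Table -AutoSize

# Partners of one DC, the bridgeheads in use, and the DCs in one site.
repadmin /showrepl $dc1
repadmin /bridgeheads
repadmin /viewlist site:Default-First-Site-Name

# Push dc1's changes to all of its partners for every partition, across site
# links as well (A = all partitions, d = show DNs in messages, e = enterprise,
# P = push outward from dc1 rather than pull into it).
repadmin /syncall $dc1 /AdeP

# Replication metadata for one object: for each attribute, the originating
# DC, version, USN and timestamp of the last change. In an incident this
# dates a modification of a sensitive object and names the DC it was made
# on, which is where the corresponding Security log entries will be.
repadmin /showobjmeta $dc1 "CN=AdminSDHolder,CN=System,$domainDN"
```

Replication metadata survives tombstoning and is independent of the Security log, so it is worth collecting for AdminSDHolder, the Domain Admins group and the krbtgt account early in an investigation, before the attribute in question is changed again.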

Schmmgmt.msc: Active Directory Schema

Category

An Active Directory Administrative Tools MMC snap-in that is automatically installed on all domain controllers running Windows Server 2003.

Version compatibility
Can Be Run From:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Servers running Windows Server 2003, Standard Edition; Enterprise Edition; Datacenter Edition; or Web Edition

  • Computers running Windows XP Professional with Adminpak.msi installed

Can Be Run Against:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Domain controllers running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server

Active Directory Schema is a graphical user interface that can be used to manage the Active Directory schema, that is, the object classes and the attributes they carry. The snap-in allows members of the Schema Admins group to manage the schema through a graphical interface. You can create and modify classes and attributes and also specify which attributes are indexed and which are replicated to the global catalog. The tool should only be used in a test environment because it does not permit the user to set some important values on new schema objects.

Before the snap-in can be used, it must be registered (by running regsvr32 schmmgmt.dll as an administrator) so that it appears as an available snap-in for MMC.

Setspn.exe: Setspn

Category

Setspn is included when you install Windows Server 2003 Support Tools.

Version compatibility
Can Be Run From:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Servers running Windows Server 2003, Standard Edition; Enterprise Edition; Datacenter Edition; or Web Edition

  • Computers running Windows XP Professional

Can Be Run Against:

  • Domain controllers running Windows Server 2003, Standard Edition; Enterprise Edition; or Datacenter Edition

  • Domain controllers running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server

Administrators can use this command-line tool to read, modify, and delete values in the servicePrincipalNames attribute on an Active Directory service account object.

To find more information about Setspn, see “Windows Support Tools.”
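Reading and writing servicePrincipalName values, as described above, is the easy part; the two conditions that matter are duplicate SPNs (Kerberos authentication to that service fails, because the KDC cannot choose a key) and SPNs registered on user accounts (any domain user can request a service ticket encrypted with that account's password hash and crack it offline). The following is an added PowerShell example, not code from this page or from Microsoft, that uses Setspn for the first two steps and then exports the SPNs with Ldifde and scans them, which works on every version this page applies to, including the 2003 Support Tools build of Setspn that has no -X or -S switch. The domain corp.example, the host web01 and the account svc-web are assumptions made for the example.

```powershell
# Added example (not from the original page). Assumptions: domain corp.example
# with DC dc1.corp.example, a web server web01 and a service account svc-web.
$dc       = "dc1.corp.example"
$domainDN = "DC=corp,DC=example"

# Inspect, register, and look for collisions. -S (Windows Server 2008 and
# later) refuses to add an SPN that already exists elsewhere; the 2003 Support
# Tools version only has -A, which does not check, and lacks -X, hence the
# scan further down.
setspn -L web01
setspn -S HTTP/web01.corp.example corp\svc-web
setspn -X

# Portable duplicate and user-SPN scan: export every object carrying an SPN.
ldifde -f spn.ldf -s $dc -d $domainDN -p subtree `
    -r "(servicePrincipalName=*)" -l "objectCategory,servicePrincipalName"

# LDIF folds long values onto continuation lines that start with one space;
# join them back before parsing.
$lines = New-Object System.Collections.Generic.List[string]
foreach ($l in (Get-Content spn.ldf)) {
    if ($l.StartsWith(' ') -and $lines.Count -gt 0) {
        $lines[$lines.Count - 1] += $l.Substring(1)
    } else {
        $lines.Add($l)
    }
}

# One record per "dn:" line. Attribute order inside a record is not
# guaranteed, so collect the whole record before deciding whether it is a user.
$records = @(); $rec = $null
foreach ($l in $lines) {
    if ($l -match '^dn: (.+)$') {
        $rec = [pscustomobject]@{ Dn = $Matches[1]; IsUser = $false; Spns = @() }
        $records += $rec
    } elseif ($rec -and $l -match '^objectCategory: CN=Person,') {
        $rec.IsUser = $true
    } elseif ($rec -and $l -match '^servicePrincipalName: (.+)$') {
        $rec.Spns += $Matches[1].ToLowerInvariant()   # SPNs compare case-insensitively
    }
}

$bySpn = @{}
foreach ($r in $records) {
    foreach ($s in $r.Spns) {
        if (-not $bySpn.ContainsKey($s)) { $bySpn[$s] = @() }
        $bySpn[$s] += $r.Dn
    }
}

"== Duplicate SPNs (Kerberos to these services is broken) =="
$bySpn.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } |
    ForEach-Object { "{0}`n    {1}" -f $_.Key, ($_.Value -join "`n    ") }

"== SPNs registered on user objects (offline-crackable service tickets) =="
$records | Where-Object { $_.IsUser } |
    ForEach-Object { "{0}`n    {1}" -f $_.Dn, ($_.Spns -join "`n    ") }
```

Accounts in the second list need a long random password that is rotated, or should be replaced by a managed service account where the platform supports one; removing the SPN is only an option if nothing authenticates to the service with Kerberos.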

Domains and Forests Registry Entries

The following registry entries are associated with domains and forests.

Domains and Forests Group Policy Settings

The following tables list and describe the Group Policy settings that are associated with domains and forests.

Group Policy Settings Associated with Data Store

Group Policy Setting Description

Audit directory service access

When this setting is enabled, successful and failed attempts to access Active Directory objects are recorded in the Security event log. Events are generated only for objects that carry a system access control list (SACL) covering the access that was attempted, so enabling the policy by itself produces nothing until SACLs are set on the objects of interest.

Group Policy Settings Associated with Active Directory Searches

Group Policy Setting Description

Maximum size of Active Directory searches

Specifies the maximum number of objects that the system displays in response to a command to browse or search Active Directory.

This policy affects all browse displays that are associated with Active Directory, such as those in Local Users and Groups, Active Directory Users and Computers, and dialog boxes that are used to set permissions for user or group objects in Active Directory.

If you enable this policy, you can use it to limit the number of objects that are returned from an Active Directory search.

If you disable this policy or if you do not configure it, the system displays up to 10,000 objects.

Enable filter in Find dialog box

Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional filters to search results.

If you enable this policy, the filter bar appears when the Active Directory Find dialog box opens, but users can hide it.

Hide Active Directory folder

Hides the Active Directory folder in My Network Places.

The Active Directory folder displays Active Directory objects in a browse window.

If you enable this policy, the Active Directory folder does not appear in the My Network Places folder.

If you disable this policy or if you do not configure it, the Active Directory folder appears in the My Network Places folder.

Group Policy Settings Associated with Global Catalogs

Group Policy Setting Description

Automated Site Coverage by the DC Locator DNS SRV Records

Determines whether domain controllers dynamically register DC Locator site-specific SRV resource records for the closest sites where no domain controller for the same domain exists (or no global catalog server for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate domain controllers.

Sites Covered by the GC Locator DNS SRV Records

Specifies the sites for which global catalog servers should register the site-specific GC Locator SRV resource records in DNS. These records are registered in addition to the site-specific SRV resource records registered for the site where the global catalog server is located and, if the global catalog server is appropriately configured, for the sites without a global catalog server in the same forest for which this global catalog server is the closest global catalog server. These records are registered by Net Logon service.

If this policy is not configured, it is not applied to any global catalog servers and global catalog servers use their local configuration.
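The two settings above change which DNS SRV records Net Logon registers for a site; the quickest way to see their effect is to resolve those records. The following is an added example, not code from the original page. It uses nslookup because it exists on every version the page covers, and the parsing assumes English nslookup output. The domain, forest and site names are hypothetical.

```powershell
# Added example, not part of the original page: resolve the site-specific DC
# Locator and GC Locator SRV records for one site. corp.example and Branch01
# are hypothetical names; the svr hostname parsing assumes English nslookup.

function Get-LocatorSrvRecord {
    param(
        [string]$DomainDns,          # DNS name of the domain, e.g. corp.example
        [string]$ForestDns,          # DNS name of the forest root, e.g. corp.example
        [string]$Site,               # Active Directory site name, e.g. Branch01
        [string]$DnsServer = ''      # optional: a DNS server that hosts the _msdcs zone
    )
    $names = @(
        "_ldap._tcp.$Site._sites.dc._msdcs.$DomainDns",      # DC Locator: LDAP on a DC of the domain
        "_kerberos._tcp.$Site._sites.dc._msdcs.$DomainDns",  # DC Locator: KDC of the domain
        "_ldap._tcp.$Site._sites.gc._msdcs.$ForestDns",      # GC Locator: LDAP on a global catalog
        "_gc._tcp.$Site._sites.$ForestDns"                   # GC Locator: global catalog port 3268
    )
    foreach ($name in $names) {
        $nsArgs = @('-type=SRV', $name)
        if ($DnsServer) { $nsArgs += $DnsServer }
        $out   = & nslookup @nsArgs 2>&1 | Out-String
        $hosts = [regex]::Matches($out, 'svr hostname\s*=\s*(\S+)') |
                     ForEach-Object { $_.Groups[1].Value }
        New-Object PSObject -Property @{
            Record  = $name
            Servers = $(if ($hosts) { @($hosts) -join ', ' } else { '(no record)' })
        }
    }
}

Get-LocatorSrvRecord -DomainDns corp.example -ForestDns corp.example -Site Branch01 |
    Format-List Record, Servers
```

A record that resolves for a site containing no domain controller or global catalog is the work of automated site coverage or of an explicit Sites Covered list; the server it names is the one clients in that site will be sent to, so these are the records to re-check after a site or subnet change.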

Group Policy Settings Associated with Replication

Group Policy Setting Description

Account Lockout Policy:

  • Account lockout duration

  • Account lockout threshold

  • Reset account lockout counter after

Changes to these settings in the Domain Security Policy trigger urgent replication.

Password Policy:

  • Enforce password history

  • Maximum password age

  • Minimum password age

  • Minimum password length

  • Password must meet complexity requirements

  • Store passwords using reversible encryption

Changes to these settings in the Domain Security Policy trigger urgent replication.

Contact PDC on logon failure

Account lockout and domain password changes rely on updating the primary domain controller (PDC) emulator urgently. When a domain controller rejects a logon because of a bad password, it normally forwards the request to the PDC emulator, which may already hold a password change that has not replicated yet. If Contact PDC on logon failure is disabled, that check is skipped: a password changed on another domain controller is not accepted until normal replication delivers it, and failed attempts are no longer concentrated on the PDC emulator, so the lockout threshold is effectively enforced per domain controller rather than domain-wide.

Group Policy Settings Associated with Interactive Logon

Group Policy Setting Description

Password Policy:

  • Enforce password history

  • Maximum password age

  • Minimum password age

  • Minimum password length

  • Password must meet complexity requirements

  • Store password using reversible encryption for all users in the domain

Changes to the Password Policy settings control:

  • The strength and complexity required of the password of every user

Audit Policy:

  • Audit account logon events

  • Audit account management

  • Audit logon events

Changes to the Audit Policy settings control:

  • Auditing of logons and log offs

  • Auditing of password and permissions changes

User Rights Assignment:

  • Access this computer from the network

  • Deny log on as a batch job

  • Deny log on as a service

  • Deny log on locally

  • Deny log on through Terminal Services

  • Log on as a batch job

  • Log on as a service

  • Allow log on locally

Changes to the User Rights Assignment settings control:

  • Which users are allowed or denied the right to log on to perform different tasks, including logging on as a batch job or as a service

  • Which users are allowed or denied the right to log on locally or through Terminal Services, and who can or cannot access the computer from the network (the Deny rights take precedence over the corresponding Allow rights)

Security Options:

  • Accounts: Limit local account use of blank passwords to console logon only

  • Domain member: Maximum machine account password age

  • Domain member: Require strong (Windows 2000 or later) session key

  • Interactive logon: Do not display last user name

  • Interactive logon: Do not require CTRL+ALT+DEL

  • Interactive logon: Message text for users attempting to log on

  • Interactive logon: Message title for users attempting to log on

  • Interactive logon: Number of previous logons to cache (in case the domain controller is not available)

  • Interactive logon: Require domain controller authentication to unlock workstation

  • Interactive logon: Smart card removal behavior

  • Recovery console: Allow automatic administrative logon

  • Shutdown: Allow system to be shut down without having to log on

Changes to the Security Options settings control:

  • Message text and title displayed by the GINA during an interactive logon

  • Domain member settings

  • Authentication settings, including allowing or disallowing blank passwords and password age

Group Policy Settings Associated with Access Tokens

Group Policy Setting Description

User Rights Assignment:

  • Create a token object

  • Replace a process level token

Changes to these settings control:

  • Which accounts can call the APIs that create access tokens (Create a token object, SeCreateTokenPrivilege)

  • Whether a process can replace the primary token of a child process (Replace a process level token, SeAssignPrimaryTokenPrivilege)

Either right lets its holder run code as any account, so neither should be assigned to user accounts. By default no one holds Create a token object, and Replace a process level token is held only by LOCAL SERVICE and NETWORK SERVICE.

Audit Policy:

  • Audit policy change

  • Audit privilege use

  • Audit process tracking

Changes to these settings:

  • Generate audit events when user rights are assigned with one of the tools discussed earlier (Audit policy change)

  • Log each use of SeAssignPrimaryTokenPrivilege (Audit privilege use)

  • Record, when a primary token is assigned to a process, the two processes involved and the identity in the assigned token (Audit process tracking)

Security Options:

  • Network access: Let Everyone permissions apply to anonymous users

Changes to this setting affect whether Everyone is in the token for anonymous users.

Group Policy User Rights Assignment Settings Associated with Kerberos

Group Policy Setting Description

Impersonate a client after authentication

Windows 2000 security setting that was first introduced in Windows 2000 SP4. When you assign this user right to a user, you permit programs that run on behalf of that user to impersonate a client. This security setting helps to prevent unauthorized servers from impersonating clients that connect to it through methods such as remote procedure calls (RPC) or named pipes.

By default, members of the Administrators group and the System account are assigned this user right. The following components also are assigned this user right:

  • Services that are started by the Service Control Manager

  • Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account

Group Policy Kerberos Policy Settings Associated with Kerberos

Group Policy Setting Description

Enforce user logon restrictions

Determines whether the KDC validates every request for a session ticket against the user rights policy on the target computer. When this policy is enabled, the user requesting the session ticket must hold either the Allow log on locally or the Access this computer from the network right. Validation of each request is optional because the extra step takes time and might slow network access to services. By default, this policy is enabled.

Maximum lifetime for service ticket

Determines the maximum amount of time (in minutes) that a ticket granted for a service (that is, a session ticket) can be used to access the service. If the setting is zero minutes, the ticket never expires. Otherwise, the setting must be greater than ten minutes and less than or equal to the setting for Maximum lifetime for user ticket. By default, the setting is 600 minutes (10 hours).

Maximum lifetime for user ticket

Determines the maximum amount of time (in hours) that a ticket-granting ticket (TGT) for a user can be used. When a TGT expires, a new one must be requested or the existing one must be renewed. By default, the setting is ten hours.

Maximum lifetime for user ticket renewal

Determines the longest period of time (in days) that a TGT can be used if it is repeatedly renewed. By default, the setting is seven days.

Maximum tolerance for computer clock synchronization

Determines the maximum difference (in minutes) that the Kerberos V5 protocol tolerates between the clock time on a client and the clock time on a server while still considering the two clocks synchronous. By default, the setting is five minutes.

To find more information about these Group Policy settings, see Group Policy Settings Reference in the “Tools and Settings Collection” or see “Account Policy Settings.”
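The password, lockout and security-option settings listed under Replication and Interactive Logon, and the Kerberos policy settings just above, are all visible in a secedit export of the effective policy. The following is an added example, not code from the original page: it parses such an export and flags weak or out-of-range values, including the service-ticket lifetime constraint the page states. The INF text is a constructed sample with deliberately weak values so the script runs offline; the thresholds are this example's assumptions, not values from the page.

```powershell
# Added example, not part of the original page. On a domain controller replace
# $SampleInf with a real export:
#   secedit /export /cfg C:\policy.inf /areas SECURITYPOLICY
# The sample below is constructed; its weak values are intentional.

$SampleInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 1
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 720
MaxClockSkew = 5
TicketValidateClient = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Parse the INF into @{ section -> @{ key -> value } }.
function ConvertFrom-SecurityInf {
    param([string]$Text)
    $sections = @{}
    $current  = $null
    foreach ($raw in $Text -split "`r?`n") {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $current = $Matches[1]; $sections[$current] = @{}; continue }
        if ($current -and $line -match '^(.+?)\s*=\s*(.*)$') { $sections[$current][$Matches[1]] = $Matches[2] }
    }
    return $sections
}

# [Registry Values] entries are "type,data"; REG_SZ data (type 1) is quoted.
function Get-RegistryValueData {
    param([hashtable]$Registry, [string]$Path)
    if (-not $Registry.ContainsKey($Path)) { return $null }
    return $Registry[$Path].Split(',', 2)[1].Trim('"')
}

function Test-SecurityPolicy {
    param([hashtable]$Policy)
    $sa  = $Policy['System Access']
    $krb = $Policy['Kerberos Policy']
    $reg = $Policy['Registry Values']
    $findings = @()

    # Password and lockout policy (domain-wide; on a DC the export shows the domain values)
    if ([int]$sa['MinimumPasswordLength'] -lt 14) { $findings += "MinimumPasswordLength is $($sa['MinimumPasswordLength']); this example assumes 14 or more" }
    if ($sa['PasswordComplexity'] -ne '1')       { $findings += 'Password complexity is not enforced' }
    if ($sa['ClearTextPassword'] -eq '1')        { $findings += 'Reversible encryption is enabled; new passwords are stored recoverably' }
    if ([int]$sa['LockoutBadCount'] -eq 0)       { $findings += 'Account lockout threshold is 0; online password guessing is unlimited' }

    # Kerberos policy: the page states the service ticket lifetime must exceed 10
    # minutes and not exceed the TGT lifetime (hours), and that 0 disables expiry.
    $svcMin = [int]$krb['MaxServiceAge']
    $tgtMin = [int]$krb['MaxTicketAge'] * 60
    if ($svcMin -eq 0) { $findings += 'MaxServiceAge is 0; service tickets never expire' }
    elseif ($svcMin -le 10 -or $svcMin -gt $tgtMin) { $findings += "MaxServiceAge $svcMin min is outside the valid range (10, $tgtMin]" }
    if ([int]$krb['MaxClockSkew'] -gt 5)      { $findings += "MaxClockSkew is $($krb['MaxClockSkew']) min; the default is 5 and larger values widen the replay window" }
    if ($krb['TicketValidateClient'] -ne '1') { $findings += 'Enforce user logon restrictions is disabled' }

    # Security options that live in the registry
    if ((Get-RegistryValueData $reg 'MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse') -ne '1') {
        $findings += 'Local accounts with blank passwords can log on over the network'
    }
    if ((Get-RegistryValueData $reg 'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey') -ne '1') {
        $findings += 'A strong (Windows 2000 or later) session key is not required for the secure channel'
    }
    $cached = Get-RegistryValueData $reg 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount'
    if ($cached -ne $null -and [int]$cached -gt 4) { $findings += "CachedLogonsCount is $cached; cached verifiers are an offline-cracking target on a stolen machine" }

    return $findings
}

Test-SecurityPolicy (ConvertFrom-SecurityInf $SampleInf)
# Real export:  Test-SecurityPolicy (ConvertFrom-SecurityInf (Get-Content C:\policy.inf | Out-String))
```

On the constructed sample the script reports six findings: the short minimum length, reversible encryption, the zero lockout threshold, a service-ticket lifetime (720 minutes) longer than the 10-hour TGT lifetime, blank passwords usable over the network, and ten cached logons. The secedit export is UTF-16, which Get-Content handles; the parser keys registry entries by their full MACHINE\ path because that is how the export names them.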

Domains and Forests WMI Classes

Windows Management Instrumentation (WMI) provides access to information about certain objects in a Windows 2000 Server or Windows Server 2003 operating system. WMI providers and classes represent the managed resources on a computer and are used by administrators and developers for scripting and monitoring purposes. The following tables list and describe the WMI classes that are associated with Active Directory domains and forests.

WMI Classes Associated with Data Store, Service Principal Names (SPNs) and Active Directory Searches

Class Name                    Namespace            Version Compatibility
rootDSE                       root\directory\LDAP  Domain controllers running Windows Server 2003 or Windows 2000 Server
DS_LDAP_Class_Containment     root\directory\LDAP  Domain controllers running Windows Server 2003 or Windows 2000 Server
DS_LDAP_Instance_Containment  root\directory\LDAP  Domain controllers running Windows Server 2003 or Windows 2000 Server

WMI Classes Associated with Active Directory Replication

Class Name             Namespace                      Version Compatibility
MSAD_DomainController  root\MicrosoftActiveDirectory  Domain controllers running Windows Server 2003 or Windows 2000 Server
MSAD_NamingContext     root\MicrosoftActiveDirectory  Domain controllers running Windows Server 2003 or Windows 2000 Server
MSAD_ReplNeighbor      root\MicrosoftActiveDirectory  Domain controllers running Windows Server 2003 or Windows 2000 Server
MSAD_ReplCursor        root\MicrosoftActiveDirectory  Domain controllers running Windows Server 2003 or Windows 2000 Server
MSAD_ReplPendingOp     root\MicrosoftActiveDirectory  Domain controllers running Windows Server 2003 or Windows 2000 Server

WMI Classes Associated with Trusts

Class Name                   Namespace                      Version Compatibility
Microsoft_TrustProvider      root\MicrosoftActiveDirectory  Domain controllers running Windows Server 2003
Microsoft_DomainTrustStatus  root\MicrosoftActiveDirectory  Domain controllers running Windows Server 2003
Microsoft_LocalDomainInfo    root\MicrosoftActiveDirectory  Domain controllers running Windows Server 2003

WMI Classes Associated with Interactive Logon

Class Name                    Namespace   Version Compatibility
Win32_LogonSession            root\cimv2  Computers running Windows Server 2003 or Windows XP
Win32_LogonSessionMappedDisk  root\cimv2  Computers running Windows Server 2003 or Windows XP
Win32_NetworkLoginProfile     root\cimv2  Computers running Windows Server 2003 or Windows XP

WMI Classes Associated with Access Tokens

Class Name            Namespace   Version Compatibility
Win32_TokenGroups     root\cimv2  Computers running Windows Server 2003 or Windows XP
Win32_TokenPrivileges root\cimv2  Computers running Windows Server 2003 or Windows XP

For more information about these WMI classes, see the WMI SDK documentation on MSDN.
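The following is an added example, not code from the original page, showing the replication, trust and logon-session classes above put to the use an operator has for them on a domain controller: inbound replication partners that are failing, trusts that no longer validate (with the SID-filtering bit of TrustAttributes decoded), and who is interactively logged on. Win32_LoggedOnUser, used to map sessions to accounts, is a standard cimv2 class that the tables above do not list; the logon-type numbers are the standard Windows values.

```powershell
# Added example, not part of the original page. Run on a domain controller:
# the root\MicrosoftActiveDirectory namespace exists only there.

function Get-ReplicationFailure {
    Get-WmiObject -Namespace 'root\MicrosoftActiveDirectory' -Class MSAD_ReplNeighbor |
        Where-Object { $_.NumConsecutiveSyncFailures -gt 0 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                NamingContext = $_.NamingContextDN
                Source        = $_.SourceDsaCN
                Failures      = $_.NumConsecutiveSyncFailures
                LastResult    = $_.LastSyncResult   # Win32 error code of the last attempt
                LastSuccess   = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeOfLastSyncSuccess)
            }
        }
}

# TrustAttributes is a bit mask: 0x4 (QUARANTINED_DOMAIN) means SID filtering is
# enforced on an external trust; 0x8 (FOREST_TRANSITIVE) marks a forest trust,
# which filters SIDs by default without setting 0x4.
function Get-TrustStatus {
    Get-WmiObject -Namespace 'root\MicrosoftActiveDirectory' -Class Microsoft_DomainTrustStatus |
        ForEach-Object {
            New-Object PSObject -Property @{
                TrustedDomain = $_.TrustedDomain
                Direction     = $_.TrustDirection    # 1 inbound, 2 outbound, 3 bidirectional
                ForestTrust   = (($_.TrustAttributes -band 0x8) -ne 0)
                Quarantined   = (($_.TrustAttributes -band 0x4) -ne 0)
                IsOk          = $_.TrustIsOk
                Status        = $_.TrustStatusString
            }
        }
}

# Standard Windows logon types; 2, 10 and 11 are the interactive ones.
$LogonTypeName = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
                    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

function Get-InteractiveSession {
    # Win32_LoggedOnUser associates a Win32_Account (Antecedent) with a
    # Win32_LogonSession (Dependent); both references are object-path strings.
    $users = @{}
    foreach ($m in Get-WmiObject -Namespace 'root\cimv2' -Class Win32_LoggedOnUser) {
        if ($m.Dependent -notmatch 'LogonId="(\d+)"') { continue }
        $id = $Matches[1]
        if ($m.Antecedent -match 'Domain="([^"]*)",Name="([^"]*)"') { $users[$id] = "$($Matches[1])\$($Matches[2])" }
    }
    Get-WmiObject -Namespace 'root\cimv2' -Class Win32_LogonSession |
        Where-Object { @(2, 10, 11) -contains [int]$_.LogonType } |
        ForEach-Object {
            New-Object PSObject -Property @{
                LogonId   = $_.LogonId
                User      = $users[[string]$_.LogonId]
                LogonType = $LogonTypeName[[int]$_.LogonType]
                AuthPkg   = $_.AuthenticationPackage   # Kerberos, NTLM or Negotiate
                Start     = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.StartTime)
            }
        }
}

Get-ReplicationFailure | Format-Table NamingContext, Source, Failures, LastResult, LastSuccess -AutoSize
Get-TrustStatus | Where-Object { -not $_.IsOk } | Format-Table TrustedDomain, Direction, ForestTrust, Quarantined, Status -AutoSize
Get-InteractiveSession | Format-Table LogonId, User, LogonType, AuthPkg, Start -AutoSize
```

The replication output is the same data repadmin /showrepl prints, which makes it easy to script a periodic check; the AuthPkg column of the session list is a quick way to spot interactive logons that arrived over NTLM on a domain controller that should only be seeing Kerberos.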

Network Ports Used by Domains and Forests

The following tables list the network ports associated with domains and forests.

Port Assignments for Raising Active Directory Functional Levels

Service Name               UDP    TCP
LDAP                       389    389
LDAP SSL                   N/A    636

Port Assignments for Data Store

Service Name               UDP    TCP
LDAP                       389    389
LDAP SSL                   N/A    636
RPC Endpoint Mapper        135    135
Global Catalog LDAP        N/A    3268
Global Catalog LDAP SSL    N/A    3269

Port Assignments for Service Publication and SPNs

Service Name               UDP    TCP
LDAP                       389    389
LDAP SSL                   N/A    636
RPC Endpoint Mapper        135    135
Global Catalog LDAP        N/A    3268
Global Catalog LDAP SSL    N/A    3269
Kerberos                   88     88

Port Assignments for Active Directory Searches

Service Name               UDP    TCP
LDAP                       389    389
LDAP SSL                   N/A    636
Global Catalog LDAP        N/A    3268
Global Catalog LDAP SSL    N/A    3269

Port Assignments for Global Catalogs

Service Name                 UDP    TCP
Global Catalog LDAP          N/A    3268
Global Catalog LDAP SSL      N/A    3269
LDAP                         389    389
LDAP SSL                     N/A    636
RPC/REPL (endpoint mapper)   135    135
Kerberos                     88     88
DNS                          53     53
SMB over IP                  445    445

Port Assignments for Replication

Service Name                 UDP    TCP
LDAP                         389    389
LDAP SSL                     N/A    636
RPC/REPL (endpoint mapper)   N/A    135
Global Catalog LDAP          N/A    3268
Kerberos                     88     88
DNS                          53     53
SMB over IP                  445    445

Port Assignments for Operations Masters

Service Name                 UDP        TCP
LDAP                         389        389
LDAP SSL                     N/A        636
RPC/REPL (endpoint mapper)   N/A        135
Netlogon (NetBIOS)           137, 138   139
Kerberos                     88         88
DNS                          53         53
SMB over IP                  445        445

Port Assignments for Interactive Logon

Service Name                        UDP           TCP
Kerberos                            88            88
Local Security Authority (LSA) RPC  Dynamic RPC   Dynamic RPC
NTLM                                Dynamic       Dynamic

Port Assignments for Kerberos V5 Protocol

Service Name               UDP    TCP
DNS                        53     53
Kerberos                   88     88

Port Assignment for DC Locator

Service Name               UDP    TCP
LDAP                       389    389

The following table shows the ports that might need to be opened before you establish trusts. Kerberos needs TCP 88 as well as UDP 88: replies that carry a large PAC exceed the UDP size limit and are retried over TCP, and Windows Vista and later use TCP by default. The Net Logon and Windows NT Server 4.0 directory service (NTDS) RPC endpoints use dynamic ports unless they have been pinned to a fixed port in the registry; the fixed-port entries below apply only when that has been done, and otherwise the dynamic RPC range handed out by the endpoint mapper must be allowed.

Ports Required for Trusts

Task: Set up trusts on both sides from the internal forest
  Outbound ports: LDAP (389 UDP and TCP); Microsoft SMB (445 TCP); Kerberos (88 UDP and TCP); endpoint resolution, portmapper (135 TCP); Net Logon fixed port
  Inbound ports:  N/A
  From–To:        Internal domain domain controllers to external domain domain controllers (all ports)

Task: Trust validation from the internal forest domain controller to the external forest domain controller (outgoing trust only)
  Outbound ports: LDAP (389 UDP); Microsoft SMB (445 TCP); endpoint resolution, portmapper (135 TCP); Net Logon fixed port
  Inbound ports:  N/A
  From–To:        Internal domain domain controllers to external domain domain controllers (all ports)

Task: Use Object Picker on the external forest to add objects that are in an internal forest to groups and DACLs
  Outbound ports: N/A
  Inbound ports:  LDAP (389 UDP and TCP); Windows NT Server 4.0 directory service fixed port; Net Logon fixed port; Kerberos (88 UDP and TCP); endpoint resolution, portmapper (135 TCP)
  From–To:        External server to internal domain PDCs (Kerberos); external domain domain controllers to internal domain domain controllers (Net Logon)

Task: Set up trust on the external forest from the external forest
  Outbound ports: N/A
  Inbound ports:  LDAP (389 UDP and TCP); Microsoft SMB (445 TCP); Kerberos (88 UDP and TCP)
  From–To:        External domain domain controllers to internal domain domain controllers (all ports)

Task: Use Kerberos authentication (internal forest client to external forest)
  Outbound ports: Kerberos (88 UDP and TCP)
  Inbound ports:  N/A
  From–To:        Internal client to external domain domain controllers (all ports)

Task: Use NTLM authentication (internal forest client to external forest)
  Outbound ports: N/A
  Inbound ports:  Endpoint resolution, portmapper (135 TCP); Net Logon fixed port
  From–To:        External domain domain controllers to internal domain domain controllers (all ports)

Task: Join a domain from a computer in the internal network to an external domain
  Outbound ports: LDAP (389 UDP and TCP); Microsoft SMB (445 TCP); Kerberos (88 UDP and TCP); endpoint resolution, portmapper (135 TCP); Net Logon fixed port; Windows NT Server 4.0 directory service fixed port
  Inbound ports:  N/A
  From–To:        Internal client to external domain domain controllers (all ports)
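Before creating a trust it is worth confirming that the fixed ports in the tables above actually answer across the firewall. The following is an added example, not code from the original page; the host names are hypothetical. It checks TCP only: UDP (DNS, Kerberos and the LDAP ping that DC Locator sends to UDP 389) and the dynamic RPC ports handed out by the endpoint mapper (1025 to 5000 on Windows Server 2003, 49152 to 65535 on Windows Server 2008 and later, or a fixed Net Logon/NTDS port if one is configured) cannot be verified with a TCP connect, so a clean result is necessary but not sufficient.

```powershell
# Added example, not part of the original page. dc01.partner.example is a
# hypothetical external-forest domain controller.

# Fixed TCP ports from the tables above.
$TrustTcpPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB'
    636  = 'LDAP SSL'
    3268 = 'Global Catalog LDAP'
    3269 = 'Global Catalog LDAP SSL'
}

# TCP connect with a timeout; a refused or filtered port returns $false.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }   # filtered (no answer)
        $client.EndConnect($async)   # throws on RST (refused) or on name-resolution failure
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-TrustPorts {
    param([string]$TargetDc, [hashtable]$Ports = $TrustTcpPorts)
    foreach ($port in ($Ports.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            Target  = $TargetDc
            Port    = $port
            Service = $Ports[$port]
            Open    = Test-TcpPort -ComputerName $TargetDc -Port $port
        }
    }
}

# Run from a DC in the internal forest against a DC in the external forest,
# then repeat from the other side: the trust table needs inbound ports too.
Test-TrustPorts -TargetDc dc01.partner.example | Format-Table Port, Service, Open -AutoSize
```

A port that reports Open here only proves a TCP handshake completed; a firewall that terminates connections itself, or an intervening proxy, will show the same result, so confirm with an actual LDAP bind or a Kerberos ticket request once the trust exists.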

Related Information

The following resources contain additional information that is relevant to this section.

  • Windows Support Tools

  • Command-Line References in the Tools and Settings Collection for information about DSQuery and Ntdsutil.

  • Microsoft Platform SDK on MSDN for more information about many WMI classes that are associated with the DNS Server service.

  • Group Policy Settings Reference in the Tools and Settings Collection for information about Group Policy settings that are associated with the DNS Client service.

  • Registry Reference in the Tools and Settings Collection for information about registry entries that are associated with DNS.