4. Tools and Utilities

Many tools are available to help monitor and troubleshoot Active Directory installations. Some of these tools are included in the Support Tools package, which is available from the 2003 Server CD or can be downloaded from Microsoft (2003 SP2 version). The Support Tools are particularly useful and are worth installing as standard. On Windows 2008 separate Support Tools are no longer available; many have been incorporated into the standard 2008 installation. Some tools haven't been included, so search for Command Reference Overview in the Help and Support system to find out which ones are available.

This list is intended as a starting point: it gives brief details of tools that between them provide a reasonable view of the health of Active Directory (plus a couple of utilities for managing accounts). It is not intended as a definitive list, as there are many other useful tools available.

ntdsutil
Use for command-line maintenance of your Active Directory database. Installed by default on domain controllers and menu driven. Although many of its functions are also available via the GUI, it's worth becoming familiar with this tool as sometimes nothing else will do. For example, it's needed for cleaning up if a domain controller isn't demoted cleanly.
dcdiag.exe
Command-line tool to perform various domain controller tests to help confirm health and diagnose problems. Part of the Support Tools suite (2000/2003) or included by default in Windows 2008.
netdiag.exe
For network-related tests and troubleshooting. Part of the Support Tools suite (2000/2003) or included by default in Windows 2008.
repadmin.exe and replmon.exe
Command-line tool to monitor and troubleshoot replication issues (repadmin.exe) and a GUI version that provides much of the same functionality (replmon.exe). Part of the Support Tools suite (2000/2003) or included by default in Windows 2008 (replmon is no longer provided).
ntfrsutl.exe
Accesses information on the ntfrs service including subscription information etc. Part of the Support Tools suite (2000/2003) or included by default in Windows 2008.
Sonar
A graphical tool to monitor the status of the File Replication Service. Look for it on the Microsoft Download Center.
ADSI Edit
Low level editor for Active Directory. Installed as part of the Support Tools for Windows Server 2000 and 2003, and installed by default when you install Active Directory on Windows Server 2008.
Group Policy Management Console (GPMC)
It's been around for a while, but you need to download it separately on 2003 (it's included in 2008). It is an improvement on the built-in group policy editor; you need at least 2003 server or XP SP1 to run it. Download it from Microsoft.
dsadd, dsget, dsmod, dsmove, dsquery, dsrm
Built-in command-line tools included with 2003 and 2008. Use /? after the command for syntax.
csvde, ldifde
Built-in command-line tools included with 2000 and above. csvde is particularly useful for dumping the contents of Active Directory into a csv file, or for creating new objects from a similar file. Again, use /? after the command for help.
ADModify
Created to make it easier to do bulk operations on Active Directory objects, such as modifications, imports and exports. Requires .NET framework installed (version 2 probably). It's currently travelling the internet so download from http://ADModify.NET and check the Microsoft Exchange Team Blog for an introduction.
redirusr.exe and redircmp.exe
Built-in command-line tools included with Windows 2003 and above. Change the default containers for new user and computer objects respectively.
Account lockout and Management Tools
Microsoft have provided a number of tools in their Account lockout and Management Tools package, to help in these areas, along with a script to turn on Kerberos logging. They also provide some information on the Account Management Tools.
