Sunday, December 29, 2013

Windows Server 2012 - Active Directory - NTDSUTIL, part 1

The NTDSUTIL tool can be used for various operations concerning Active Directory and the ntds.dit database. Some of the more familiar uses are transferring - or seizing - FSMO roles and restoring Active Directory objects.
Based on experiences with the ESEUTIL tool used on Exchange databases, I wanted to learn more about maintenance of the ntds.dit database with NTDSUTIL.
After some research and consultation, it looks like executing the commands that follow is usually not part of a scheduled maintenance plan. In general, the Active Directory database is rather robust and errors are not common. When they do occur, it is most often due to hardware errors, such as bad blocks on a disk, or perhaps an improper shutdown.
In comparison, I encountered "SLINK" (Event ID 1025) errors in Exchange from time to time and was advised to run the following command:

isinteg -s servername -test alltests

If there were warnings or errors, we would attempt to resolve them with this command:

isinteg -s servername -fix -test alltests

I would also test database integrity with eseutil /g

The database would have to be indicated in either case but since that is not the subject of this post, I'm not going to provide all the details. The subject has been discussed more than once in the Exchange TechNet forums:

Error on database - EventID 1025 SLINK::ecupdate

So... how could we verify the health of the Active Directory ntds.dit database?

NTDSUTIL - general observations

If we have not used the NTDSUTIL tool since Windows 2003, the syntax (that changed with Windows 2008 already) may confuse us.
What if I want to verify the checksum of the ntds.dit database? I'll present that in just a moment but for now, let's simply attempt to run the command:

PS C:\> ntdsutil
C:\Windows\system32\ntdsutil.exe: files
Active Instance not set. To set an active instance use "Activate Instance ".
C:\Windows\system32\ntdsutil.exe: activate instance ntds
Active instance set to "ntds".
C:\Windows\system32\ntdsutil.exe: files
Service "NTDS" is running. Stop the service before binding to this Active Directory database.


Here we encounter two obstacles (the two error messages in the session above).

First, since Windows 2008, we have to "activate" an "instance" of ntds before we can execute any commands.

Second, as with Windows 2003 (and 2000), we cannot run NTDSUTIL file operations against a database that is in use (except to change the Directory Services Restore Mode password - we'll see that later). But, unlike with Windows 2003, we no longer need to boot into DSRM: since Windows Server 2008, AD DS is a restartable service, so we can stop and start Active Directory, and more precisely the NTDS service, without restarting the entire server.

For years, I would use the following combination to stop and start services (NTDS in this case):

net stop ntds
net start ntds

These commands function but there are some obstacles:

PS C:\> net stop ntds

The following services are dependent on the Active Directory Domain Services service.
Stopping the Active Directory Domain Services service will also stop these services.

   Kerberos Key Distribution Center
   Intersite Messaging
   DNS Server
   DFS Replication

Do you want to continue this operation? (Y/N) [N]: Y

The Kerberos Key Distribution Center service was stopped successfully.
The Intersite Messaging service is stopping.
The Intersite Messaging service was stopped successfully.

The DNS Server service is stopping.
The DNS Server service was stopped successfully.

The DFS Replication service was stopped successfully.
The Active Directory Domain Services service is stopping.
The Active Directory Domain Services service was stopped successfully.

After running the NTDSUTIL commands (that we'll see in a second - I promise!), we would have to restart the Active Directory Domain Services:

PS C:\> net start ntds

The Active Directory Domain Services service is starting...
The Active Directory Domain Services service was started successfully.


But what about the other services that were stopped?

Apparently, they are restarted when the NTDS service is restarted - which I was not sure would be the case. What follows is a "snip" from the output of the Get-Service cmdlet:

Running  DFSR               DFS Replication
Running  DNS                DNS Server
Running  IsmServ            Intersite Messaging
Running  Kdc                Kerberos Key Distribution Center

But since we are on Windows 2012 and the recommendation is to use PowerShell, let's use its cmdlets to stop and (re)start the service:

PS C:\> stop-service ntds

stop-service : Cannot stop service 'Active Directory Domain Services (ntds)' because it has dependent services. It can only be stopped if the Force flag is set. [...]

So we have to force the stop with the... -Force parameter.

PS C:\> stop-service ntds -force

Now - finally - we are ready to try some NTDSUTIL commands.

NTDSUTIL - files

The following command verifies the "checksum" of the database:

PS C:\> ntdsutil
C:\Windows\system32\ntdsutil.exe: activate instance ntds
Active instance set to "ntds".
C:\Windows\system32\ntdsutil.exe: files
file maintenance: checksum
Doing checksum validation for db: C:\Windows\NTDS\ntds.dit.

File: C:\Windows\NTDS\ntds.dit
                     Checksum Status (% complete)
          0    10   20   30   40   50   60   70   80   90  100

3074 pages seen.
0 bad checksums.
0 correctable checksums
905 uninitialized pages.
0 wrong page numbers.

As we can see, the database is just fine at this level.


There is another command that checks the "integrity" of the database. But first, Microsoft documentation states that before running the integrity command (below) we should run the "ntdsutil files recover" command. This command "ensures all committed transactions [...] are reflected in the data file."

Since we are still in the "files" context of ntdsutil, we can simply enter the command as follows:
file maintenance: recover
Initiating RECOVERY mode...
          Log files: C:\Windows\NTDS.
         System files: C:\Windows\NTDS.
Performing soft recovery...
Database recovery is successful.
It is recommended you run semantic database analysis
to ensure semantic database consistency as well.


So we have not yet run the integrity check and NTDSUTIL suggests yet another test. We'll look at that in a moment. For now, let's check database "integrity" - or consistency - with the following command:

file maintenance: integrity
Doing Integrity Check for db: C:\Windows\NTDS\ntds.dit.
Checking database integrity.

                     Scanning  Status (% complete)
          0    10   20   30   40   50   60   70   80   90  100

Integrity check successful.

It is recommended you run semantic database analysis
to ensure semantic database consistency as well.


Some notes...
  • This test scans the entire ntds.dit file, the database as a whole, so, if it is large, it can take some time, on the order of 2 GB per hour.
  • It looks for binary corruption at a "low level": the ESE page structure, not the meaning of the directory objects stored in those pages.
  • It is the directory counterpart of eseutil /g in Exchange; ntdsutil runs esentutl /g against ntds.dit to perform it.
  • Once again, it is recommended to run the "semantic database analysis" command, so with no further ado, we'll do just that:

C:\Windows\system32\ntdsutil.exe: semantic database analysis
semantic checker: go
Fixup mode is turned off

Writing summary into log file dsdit.dmp.0
SDs scanned:            123
Records scanned:       3806
Processing records..Done. Elapsed time 0 seconds.


Yes, after we enter "semantic database analysis" we have to enter go at the "semantic checker" prompt. The reader may have noted that there is not much data to be analyzed. That is correct. This is a test domain controller with very few objects in the ntds.dit database.
If errors are indicated, we can attempt to repair them with the "go fixup" command. And yes, we would enter that exactly where we entered the "go" above.
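The whole sequence above (stop NTDS, checksum, recover, integrity, semantic analysis, restart NTDS and its dependents) can be scripted so that the checks are parsed rather than eyeballed. What follows is an added example, not code from the original post. It assumes an elevated PowerShell session on a Windows Server 2012 domain controller, that at least one other domain controller exists in the domain (while NTDS is stopped this server cannot authenticate anyone, and the only local logon is the DSRM account), and it relies on ntdsutil accepting its menu commands as quoted command-line arguments instead of interactive input. The "go fixup" repair is deliberately not automated: it changes the database and belongs behind a fresh backup.

```powershell
# Added example (not from the original post): offline ntds.dit health check,
# driven end to end from PowerShell. Assumes an elevated session on a DC with
# at least one other DC in the domain.
$ErrorActionPreference = 'Stop'

# 1. Record which dependent services are running now, so we can restart exactly
#    those afterwards instead of assuming they come back on their own.
$dependents = Get-Service ntds | Select-Object -ExpandProperty DependentServices |
              Where-Object Status -eq 'Running'
"Running services that depend on NTDS: $($dependents.Name -join ', ')"

# 2. Stop AD DS (and, via -Force, its dependents) without rebooting into DSRM.
Stop-Service ntds -Force
(Get-Service ntds).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

function Invoke-NtdsUtil {
    # Runs one ntdsutil menu sequence non-interactively and returns its text output.
    # PowerShell quotes each element that contains spaces, so "activate instance ntds"
    # reaches ntdsutil as a single command.
    param([string[]]$Commands)
    & ntdsutil.exe $Commands 2>&1 | Out-String
}

function Get-Count {
    # Pulls a counter such as "0 bad checksums." out of the output; -1 means the
    # expected line was not found at all, which is itself a problem.
    param([string]$Text, [string]$Pattern)
    $m = [regex]::Match($Text, $Pattern)
    if ($m.Success) { [int]$m.Groups[1].Value } else { -1 }
}

try {
    # Same sequence as the post: activate instance, files, then checksum / recover / integrity,
    # and finally the semantic checker with "go" (read-only; "go fixup" would repair).
    $checksum  = Invoke-NtdsUtil 'activate instance ntds', 'files', 'checksum', 'quit', 'quit'
    $recover   = Invoke-NtdsUtil 'activate instance ntds', 'files', 'recover', 'quit', 'quit'
    $integrity = Invoke-NtdsUtil 'activate instance ntds', 'files', 'integrity', 'quit', 'quit'
    $semantic  = Invoke-NtdsUtil 'activate instance ntds', 'semantic database analysis', 'go', 'quit', 'quit'

    # 3. Judge the run on the lines shown in the post, not on an exit code alone.
    $badChecksums = Get-Count $checksum '(\d+) bad checksums'
    $wrongPages   = Get-Count $checksum '(\d+) wrong page numbers'
    $results = [ordered]@{
        'checksum: bad checksums'      = $badChecksums
        'checksum: wrong page numbers' = $wrongPages
        'recover: successful'          = ($recover   -match 'Database recovery is successful')
        'integrity: successful'        = ($integrity -match 'Integrity check successful')
        'semantic: records scanned'    = Get-Count $semantic 'Records scanned:\s+(\d+)'
        'semantic: SDs scanned'        = Get-Count $semantic 'SDs scanned:\s+(\d+)'
    }
    $results | Format-Table -AutoSize

    if ($badChecksums -ne 0 -or $wrongPages -ne 0 -or
        -not $results['recover: successful'] -or -not $results['integrity: successful']) {
        Write-Warning 'ntds.dit reported problems. Take a backup, then consider "semantic database analysis" / "go fixup".'
    }
}
finally {
    # 4. Always bring AD DS back, then restart the dependents we recorded.
    Start-Service ntds
    foreach ($svc in $dependents) {
        if ((Get-Service $svc.Name).Status -ne 'Running') { Start-Service $svc.Name }
    }
    Get-Service (@('ntds') + $dependents.Name) | Format-Table Status, Name, DisplayName -AutoSize
}
```

Two practical notes. The try/finally matters: if ntdsutil fails halfway, NTDS still gets restarted. And because ntdsutil is also the tool used to pull an offline copy of ntds.dit (with every password hash in it), an ntdsutil.exe process creation on a domain controller is worth alerting on; a scripted run like this one gives you a known, scheduled baseline to compare such alerts against.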


Here ends my first blog post about the NTDSUTIL tool. In part 2, I'll look at some other uses of the tool: resetting the DSRM password, checking for duplicate SIDs and offline defragmentation.


NTDSUTIL Files commands

Tuesday, December 24, 2013

Windows Server 2012 - Active Directory - FSMO role transfer

Transferring the "Flexible Single Master Operations" (FSMO) roles

Note: if you do not know what the "FSMO" roles are, or wish to know more, please see this link:

Operations master roles

This is a well-known subject among Active Directory administrators.

Even before Windows 2012, there was no lack of choice in the methods allowing us to transfer the FSMO roles:

If there were only two domain controllers, we could simply demote the role holder with DCPROMO. The demotion process would transfer the roles to the remaining domain controller.

Otherwise, we could transfer the roles with various graphic interfaces...

Transferring roles with the graphic interface

We need to use three different "tools" to transfer all the FSMO roles.
  • Active Directory Users and Computers for the PDCe, RID Master and Infrastructure Master roles
  • Active Directory Domains and Trusts for the Domain Naming Master
  • Active Directory Schema - after registering schmmgmt.dll, since this snap-in is not available until then...

We'll first transfer the PDC emulator, the RID Master and Infrastructure Master in Active Directory Users and Computers (ADUC).

1. Connect to ADUC, right-click on the domain and select "Operations Masters" in the menu:

2. Attempt to change the Operations Master and observe the error message:

If we happen to be connected to the current role holder, we must first target the domain controller to which the roles will be transferred.

3. This time, select "Change Domain Controller":

4. Connect to the domain controller to which you intend to transfer the roles:

5. Now go back to the menu (as illustrated above) and select "Operations Masters".

6. We'll use the RID Master as an example below. Note that the other domain controller is now the "target" as opposed to the same domain controller. Click on "Change" and confirm. Repeat the same operations for the PDCe and the Infrastructure Master.

7. For the Domain Naming Master, we need to perform the same type of operation but in the Active Directory Domains and Trusts MMC.

8. For the Schema Master, we need to register schmmgmt.dll (regsvr32 schmmgmt.dll, from an elevated prompt) and then add the "Active Directory Schema" snap-in to a Microsoft Management Console (mmc). We would then proceed as we did for the other roles above.

Note: there should be a confirmation message (which can be closed - not shown above) indicating that the registration was successful. I'll assume the reader knows how to add "snap-ins" to a MMC. If not, please search for instructions online.

We can confirm the new owner (or "holder") of the roles in the graphic interfaces themselves or use the concise "netdom query fsmo" command.


PS C:\> netdom query fsmo

Schema master
Domain naming master
PDC
RID pool manager
Infrastructure master

Of course, this command could also be used to confirm successful transfers after using the command line to move the roles from one domain controller to another.

Transferring roles with NTDSUTIL (command line interface)

We can transfer the roles at the command line using ntdsutil as shown below.

But first some notes:

Since Windows Server 2008, we must activate an "instance" of ntds with the command...

activate instance ntds

This was not necessary with Windows 2003.

Second, the syntax for the Domain Naming master has changed.

With Windows 2003, we would enter:

transfer domain naming master

Since Windows 2008, we must enter

transfer naming master

Having clarified those points, let's enter the sequence of commands that transfers the roles (I will double space for readability - the text after each prompt is the command to enter):

PS C:\> ntdsutil

C:\Windows\system32\ntdsutil.exe: activate instance ntds

Active instance set to "ntds".

C:\Windows\system32\ntdsutil.exe: roles

fsmo maintenance: connections

server connections: connect to server DC-004

Binding to DC-004 ...

Connected to DC-004 using credentials of locally logged on user.

server connections: quit

Note: at this point, depending on the role we want to transfer, we enter all or any of the following:

fsmo maintenance: transfer schema master

fsmo maintenance: transfer naming master

fsmo maintenance: transfer rid master

fsmo maintenance: transfer pdc

fsmo maintenance: transfer infrastructure master

Once the command is entered (and Enter is pressed), ntdsutil produces some rather verbose output indicating which domain controller holds which roles. In the case of the Schema Master we would see something like this:

fsmo maintenance: transfer schema master

Server "DC-004" knows about 5 roles

Schema - CN=NTDS Settings,CN=DC-004,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz

Naming Master - CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz

PDC - CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz

RID - CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz

Infrastructure - CN=NTDS Settings,CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz

In this case, we can see (if we look carefully) that DC-004 is now the Schema Master but DC-001 still holds the other operations roles.

Transferring roles with Powershell

With PowerShell version 3 (part of Windows Server 2012) and version 4 (Windows Server 2012 R2), we can use the "Move-ADDirectoryServerOperationMasterRole" cmdlet to transfer or "move" the operations roles. We can either type the entire name of the role...

Move-ADDirectoryServerOperationMasterRole -id DC-001 -OperationMasterRole

Or the number that represent the roles:

  • PDCEmulator = 0
  • RIDMaster = 1
  • InfrastructureMaster = 2
  • SchemaMaster = 3
  • DomainNamingMaster = 4

So if we wanted to transfer all the roles to domain controller DC-001, we would enter this:

PS C:\>Move-ADDirectoryServerOperationMasterRole -id DC-001 -OperationMasterRole 0,1,2,3,4

Despite the rather long cmdlet (of which we only need to type the first 8 letters or so, and then tab), the rest of the complete command can be rather concise if we use (and know) the numbers.

This cmdlet works quite nicely as we can see here.

At first, DC-004 holds the roles:

PS C:\> netdom query fsmo

Schema master
Domain naming master
PDC
RID pool manager
Infrastructure master

We transfer them to DC-001...

PS C:\> Move-ADDirectoryServerOperationMasterRole -id DC-001 -OperationMasterRole 0,1,2,3,4

Move Operation Master Role
Do you want to move role 'PDCEmulator' to server '' ?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A

We confirm the transfers with...

PS C:\> netdom query fsmo

Schema master
Domain naming master
PDC
RID pool manager
Infrastructure master

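The cmdlet above moves the roles but leaves verification to netdom. As an added example (not from the original post), here is the same transfer wrapped so that the holders are read before and after with Get-ADDomain and Get-ADForest, which return the same five values netdom prints. It assumes the Active Directory PowerShell module (installed with the AD DS management tools on Windows Server 2012) and the DC-001 / DC-004 names used in this post. The -Seize switch maps to the cmdlet's -Force parameter: that seizes rather than transfers, which is only appropriate when the old holder is permanently gone, because a seized holder that comes back online would give you two masters for the same role.

```powershell
# Added example (not from the original post): transfer all five FSMO roles and
# verify with the AD module. Assumes the ActiveDirectory module and DC-001/DC-004.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Current holders of the three domain roles and the two forest roles as one
    # object, so a before/after comparison is a single call.
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-AllFsmoRoles {
    param(
        [Parameter(Mandatory)][string]$Target,
        [switch]$Seize   # -Force on the cmdlet: only when the current holder will never return
    )
    $before = Get-FsmoHolders

    # Role names are accepted as well as the numbers 0-4 shown in the post;
    # names make the transcript self-explanatory.
    $roles = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster'

    # Fail early if the target is not a reachable DC (Get-ADDomainController throws).
    $null = Get-ADDomainController -Identity $Target

    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $roles `
        -Force:$Seize -Confirm:$false

    $after = Get-FsmoHolders
    foreach ($r in $roles) {
        [pscustomobject]@{ Role = $r; Before = $before.$r; After = $after.$r }
    }
}

# Transfer (not seize) everything to DC-001 and print the before/after table.
Move-AllFsmoRoles -Target 'DC-001' | Format-Table -AutoSize

# Sanity check: every role should now report the FQDN of DC-001.
$holders = Get-FsmoHolders
$holders.PSObject.Properties | Where-Object { $_.Value -notlike 'DC-001.*' } |
    ForEach-Object { Write-Warning "$($_.Name) is still held by $($_.Value)" }
```

The holder values come back as fully qualified names (DC-001.machlinkit.biz in this environment), which is why the final check uses a wildcard match on the short name.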

Transferring the roles by domain controller demotion

Lastly, if we only have two domain controllers or have no preference for the new/future FSMO holder, we can demote the current holder and the roles will be transferred to another domain controller automatically. I will not detail the demotion of a domain controller here but this is what netdom query fsmo shows after the process:

PS C:\> netdom query fsmo

Schema master
Domain naming master
PDC
RID pool manager
Infrastructure master


So after demoting DC-001, the FSMO roles are automatically transferred to DC-004. No manual intervention was necessary.

Sunday, December 22, 2013

Windows Server 2012 - Active Directory - adding a second domain controller

Best practice, concerning domain controllers, is to have at least two, so that if one is unavailable, clients can still authenticate to the network. Moreover, both should be global catalog servers: a reachable global catalog is needed to evaluate universal group membership during logon, so without one most users cannot log on (unless universal group membership caching has been enabled for the site).

Note: if you are interested in the crucial role of the Global Catalog, here is a link with more information on the subject:

Global Catalog information

A second domain controller can be added using Server Manager (Add Roles or Features) or PowerShell cmdlets. In what will be one of my more concise blog posts, I'll demonstrate how a second domain controller can be added at the command line.

Although not strictly necessary, I'll first rename the server (that already happens to be a domain member) so its new name will reflect its status as a domain controller:

We could use the netdom renamecomputer command but, since this is Windows Server 2012, I'll opt for the PowerShell cmdlet instead:

PS C:\> Rename-Computer DC-004

WARNING: The changes will take effect after you restart the computer SVR-004.

PS C:\> Restart-Computer

So we indicate the new name of the computer after the Rename-Computer cmdlet and then restart the computer with the aptly named Restart-Computer cmdlet - elementary, obvious and almost self-explanatory.

Once the computer restarts, we'll log on with domain administrator credentials and enter the following PowerShell cmdlet to install the binaries for the domain controller role (on Windows Server 2012, Add-WindowsFeature is kept as an alias of Install-WindowsFeature):

PS C:\> Add-WindowsFeature AD-Domain-Services -IncludeManagementTools

IP address and DNS

We also need to make sure (this may be the case already) that the primary (or secondary) DNS server parameter in the TCP/IP settings designates the first domain controller:

PS C:\> Set-DnsClientServerAddress "Ethernet" -ServerAddresses

This is in the context of our single - and soon double - domain controller scenario. If there were other domain controllers, we could designate one of them as well, assuming they are also a DNS server, which is currently the most common domain controller configuration.

Promotion of the server to domain controller

Now we can promote the server to a domain controller with the following command:

Note: we enter the password for Directory Services Restore Mode when prompted.

PS C:\> Install-ADDSDomainController -DomainName -SafeModeAdministratorPassword (read-host -prompt "Password:" -AsSecureString)

Password:: **********

In my experience, the above command was enough to create a second domain controller that was also a DNS server and a Global Catalog. It seems that the domain controller promotion default values obtain this result.
Here, for example, we can see that the new domain controller is configured as a global catalog server by default:

PS C:\> dsquery server -isgc



Various parameters can be indicated explicitly if we want. We would see many of these if we used the graphic interface to promote the server to domain controller status.
We can indicate the database path (or location) for the Active Directory database (the ntds.dit file and associated files):

-DatabasePath 'C:\Windows\NTDS'

We can indicate if we want the domain controller to be a DNS server also. If for some reason we did not, we could change the value below to $false


This parameter will eliminate some of the informational messages displayed during the process:


The server will reboot automatically once the initial promotion process is complete. If we do not want the server to reboot, we can enter this:


Here we can designate the site. In this case, the default site name is used:

-SiteName 'Default-First-Site-Name'

Lastly, we can prevent a newly promoted domain controller from being a global catalog server as well with this parameter:



The Install-ADDSDomainController cmdlet

This link provides a complete list of various parameters, most optional, that can be used with the cmdlet.
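As an added example (not from the original post), here is the promotion from this post with the optional parameters listed above made explicit, preceded by the cmdlet's own prerequisite test and followed by the reboot. It assumes an elevated session on the freshly renamed member server, the domain machlinkit.biz that appears in the ntdsutil transcript earlier on this page, that DC-001 is the existing domain controller and DNS server, and an address of 192.0.2.10 for it (a documentation address, substituted here because the real one is not on the page). Test-ADDSDomainControllerInstallation takes the same parameters as Install-ADDSDomainController and changes nothing, so the same hashtable is splatted to both.

```powershell
# Added example (not from the original post): promote a member server to a
# second DC with explicit parameters. Assumes domain machlinkit.biz, existing
# DC/DNS server DC-001 at 192.0.2.10 (assumed address), elevated session.
$ErrorActionPreference = 'Stop'

# Role binaries (same as the post; Add-WindowsFeature is an alias of this on 2012).
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# The new DC must resolve the domain through an existing DC before promotion.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '192.0.2.10'

# DSRM password: this is the offline administrator password for this DC, so it
# must be strong and recorded somewhere the domain admins can reach without AD.
$dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString

$promo = @{
    DomainName                    = 'machlinkit.biz'
    SafeModeAdministratorPassword = $dsrm
    Credential                    = (Get-Credential 'MACHLINKIT\Administrator')
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SiteName                      = 'Default-First-Site-Name'
    ReplicationSourceDC           = 'DC-001.machlinkit.biz'
    InstallDns                    = $true     # $false if this DC should not be a DNS server
    NoGlobalCatalog               = $false    # $true keeps the new DC out of the global catalog
    NoRebootOnCompletion          = $true     # we reboot ourselves after reading the result
    Force                         = $true     # suppresses the informational prompts
}

# Dry run first: same parameters, no changes made. Stop on anything but Success.
$test = Test-ADDSDomainControllerInstallation @promo
$test | Format-List Message, Context, Status
if ("$($test.Status)" -ne 'Success') {
    throw 'Prerequisite check failed; fix the messages above before promoting.'
}

$result = Install-ADDSDomainController @promo
$result | Format-List Message, Context, RebootRequired, Status
if ("$($result.Status)" -eq 'Success') {
    Restart-Computer -Confirm:$false
}
```

After the reboot, `Get-ADDomainController -Identity DC-004 | Select-Object HostName, Site, IsGlobalCatalog` confirms the global catalog flag (the same fact dsquery server -isgc showed above), and `repadmin /replsummary` confirms that replication with DC-001 is healthy before you start relying on the new server.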

Thursday, December 19, 2013

Windows Server 2012 - Hyper-V - installation of role, creation of a virtual server

Some time ago, I worked with VMware ESXi 4.1. Although the underlying concepts of virtualization are probably similar, Hyper-V is a new world for me. I thought I'd start by simply installing the role and creating a virtual server.

Warning: this will be very basic for anyone having more experience than I with Hyper-V, so unless you are interested in how to install the role and create a virtual server, you may prefer other sources, be it other blogs or TechNet articles.

Installation of the Hyper-V Role

First, we go to Server Manager (which may open automatically on logon) and in the upper right-hand corner, select "Manage" and then "Add Roles and Features". We can click "Next" on the "Before you begin" page. This will bring us to the "Select installation type" page which is shown (in part) below.

Select "Role based or Feature based installation".
Note: because of the way images are rendered on Blogger, I usually do not capture - and post - entire screenshots. It might be helpful to follow the steps with the interface open in front of you. It should also be understood that after doing whatever is necessary at a given step, we click on "Next" (or whatever the command might be). I will not waste time specifying "Click Next" for every single screenshot.

In this scenario, I have two servers on which I could install the Hyper-V role. Since "Best Practice" mandates that we "let domain controllers be domain controllers" and do not complicate their management with other roles, we'll select the other server (SVR-003) for our Hyper-V host. This will also illustrate how we can manage remote servers via Server Manager. In the following screenshots, we will, in fact, be acting on SVR-003.

Select Hyper-V for the role, note the features that will be added (include Management Tools), and click on "Next", as shown in the three illustrations below:

We can click "Next" on the "Features" page (I made no additional selections and the Hyper-V role was installed all the same):

On virtual server hosts, there is often more than one network interface (or "NIC"). One may be used for the "production" network (the network that provides services to users) and one may be part of a management network. On the following screens, we have the option to select the interfaces we want to use.

Here I select the adapter:

The next option requires some thought about the future role of the Hyper-V host. As this is a strictly practice environment in which I will not configure a cluster (or probably perform migrations) it does not matter, but in a production network we have to take the following into consideration. In summary, if the server will be part of a cluster, we should not enable the "live migration" function at this point:

On this screen, we configure the location of the virtual machine configuration files and the virtual hard disk files. I have simply created a folder on a separate physical drive of my server. In other environments, the files might be located on a SAN (Storage Area Network):

The following screens summarize the operations to be performed and offer the option to restart the server automatically:

Creation of a virtual server

What follows is a simple example of the creation of a virtual server in which I will use a Windows 2008 R2 DVD as the source for the operating system. In reality, it might be more likely that a .iso image file would be used.

First, we open Server Manager, go to "Tools" and select "Hyper-V Manager":

Then (in the Action pane) Actions | New | Virtual Machine:

Note: in fact, there are a couple options here:
  • We can select Action | New | Virtual Machine
  • We can right click on the SVR-003 icon (opposite left-side pane), then "New" | "Virtual Machine"
  • In the Action pane, New | Virtual Machine

The "Before you begin" page informs us that we could create a virtual machine with default values by clicking "Finish", or "Next" to configure custom options. In most cases, we would click "Next" since it is unlikely the default values would suit the various virtual machines we might wish to create. Furthermore, "Next" will allow us to see - and learn - the different options.

Now we select a name for the virtual machine. The assistant suggests a name that identifies the role or the operating system. I'll simply name my virtual machine "vSvr-01-W2K8":

Next, we specify the amount of memory to be allocated to the server. 1024 MB should suffice for a practice Windows 2008 (R2) server:

We have to select a virtual switch for the virtual server (the virtual switch connects virtual machines among themselves and also with the physical network):

As for storage, I'll create a virtual disk for the server on the physical E: drive of the host server:

We can install the guest operating system right now or later - I'll opt for "later":

The following screen summarizes the guest server configuration:

Now I'll attempt to boot from a Windows 2008 R2 DVD (we could also use an .iso file).

In the Action Pane, select the virtual server (vSvr-01-W2K8 in our case), and choose "Start" in the options below the icon.

To see the progress of the installation, click "Connect" as shown here (in the Action pane):


No luck! We get an error message:


So we have to adjust the settings for the CD/DVD drive.

We have two choices: a virtual drive and a physical drive. The virtual drive is selected by default. Most likely, we would have a set of .iso files for the creation of virtual machines. However, the use of physical media (like a DVD) is possible. So I'll select the Physical CD/DVD drive in the settings of the guest:

Now I'll click Start again.

To see the progress of the installation click "Connect" as we already did above.

This time, the installation begins successfully:

From this point on, the installation process of the guest machine is identical to that of a physical server:
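The two wizards above (Add Roles and Features on the remote host, then New Virtual Machine) have cmdlet equivalents, and scripting them makes the DVD problem I ran into disappear because the boot media is attached before the first start. The following is an added example, not code from the original post. It assumes PowerShell remoting to SVR-003 (enabled by default on Windows Server 2012), an E:\VMs folder on the host as created in the wizard, an ISO at E:\ISO\W2K8R2.iso (the post used a physical DVD; the ISO path is made up for this example), and a virtual switch named 'External' that the script creates on the first physical adapter that is up if it does not exist yet.

```powershell
# Added example (not from the original post): install the Hyper-V role on
# SVR-003 remotely, then create and start the practice VM with the Hyper-V
# cmdlets. Paths, ISO and switch name are assumptions for this example.
$hostName = 'SVR-003'

# 1. Install the role from another server, as Server Manager did; -Restart
#    reboots SVR-003 because the hypervisor cannot load without it.
Install-WindowsFeature -Name Hyper-V -ComputerName $hostName -IncludeManagementTools -Restart

# 2. Wait for the host to go down and come back before talking to it again.
Start-Sleep -Seconds 60
while (-not (Test-WSMan -ComputerName $hostName -ErrorAction SilentlyContinue)) { Start-Sleep -Seconds 15 }

# 3. Everything below runs on the host itself.
Invoke-Command -ComputerName $hostName -ScriptBlock {
    $vmName = 'vSvr-01-W2K8'
    $vmRoot = 'E:\VMs'                # folder chosen in the role wizard
    $iso    = 'E:\ISO\W2K8R2.iso'     # assumed path to the install media

    # Create the external switch once; later runs reuse it.
    if (-not (Get-VMSwitch -Name 'External' -ErrorAction SilentlyContinue)) {
        $nic = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1
        New-VMSwitch -Name 'External' -NetAdapterName $nic.Name -AllowManagementOS $true
    }

    # Same choices as the wizard: name, 1024 MB, switch, new VHDX under E:\VMs.
    New-VM -Name $vmName -MemoryStartupBytes 1GB -SwitchName 'External' `
           -NewVHDPath "$vmRoot\$vmName\$vmName.vhdx" -NewVHDSizeBytes 40GB -Path $vmRoot | Out-Null

    # The step that failed in the post: point the DVD drive at bootable media
    # before the first start. A Generation 1 VM boots from CD before the IDE disk.
    if (Get-VMDvdDrive -VMName $vmName) {
        Set-VMDvdDrive -VMName $vmName -Path $iso
    } else {
        Add-VMDvdDrive -VMName $vmName -Path $iso
    }

    Start-VM -Name $vmName

    # Show what the "Connect" window would confirm: running, with media attached.
    Get-VM -Name $vmName | Select-Object Name, State, MemoryAssigned
    Get-VMDvdDrive -VMName $vmName | Select-Object VMName, Path, DvdMediaType
}
```

To use the physical DVD drive of the host instead of an ISO, the -Path given to Set-VMDvdDrive would be the host's drive letter rather than a file path (an assumption on my part; I have only used ISO files with these cmdlets). Once the VM is running, vmconnect.exe or the "Connect" action in Hyper-V Manager shows the installer exactly as in the screenshots above.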


Hyper-V is a world in itself and there is a multitude of aspects that could be examined. As for me, I may take a look at some of these aspects later. For now, I need to concentrate on Active Directory, Exchange and possibly... vCenter and ESXi (for professional reasons).