Download Center
For anyone who has ever dredged through Microsoft's Web site for useful tools, the company's Download Center provides a welcome one-stop source that's a pleasure to use. You can find practically every available standalone tool at this site, as well as links to toolsets that have their own Web areas.
Command Prompt Here. A utility I like to install on all my administrative consoles is Command Prompt Here, a simple tool that you can find among the Microsoft PowerToys for Windows XP. (See the sidebar "Get Your Command-Line Utilities Here!" for download information.) Command Prompt Here adds a context menu item in Windows Explorer that lets you launch a command prompt from whatever folder you've right-clicked on.
Dsrevoke. Have you ever granted permissions to a user or group (say, with the Active Directory Delegation of Control wizard) somewhere in a domain, but now you need to revoke those permissions? Searching through the domain and removing security principals can be tedious. Dsrevoke essentially undoes the actions of the Delegation of Control wizard or its equivalent. You can use
dsrevoke /report <security principal>
to generate a report of the access control entries (ACEs) that have been set on all domain and OU objects under the domain's root. Suppose the user Barbara Seville has been granted permissions to create, manage, and delete user accounts in the Staff OU. Figure 2 shows the results of Dsrevoke /report for Barbara. To remove her permissions, simply change the /report option to /remove. Dsrevoke will display her permissions, as with /report, then confirm the deletion. Enter Y for Yes to remove her ACEs.
Note that, like the Delegation of Control Wizard, this tool works only for permissions granted on the OU; if you granted permissions explicitly to objects or containers (such as Computers) instead of letting the OU's permissions inherit to the objects, you'll have to remove the permissions on your own.
DCGPOFix and Recreatedefpol. Should you encounter severe problems with the default Group Policy Objects (GPOs) in your domain—the default domain policy and the default domain controllers policy—you can use Windows 2003's DCGPOFix or Win2K's Recreatedefpol to restore them to their default state. DCGPOFix can restore the default domain policy (/target:domain), the default domain controllers policy (/target:DC), or both (/target:both).
If you have to use the /target:both option, you'll probably need more than these tools to straighten things out. To prepare yourself for a rough situation in which you've lost one or more GPOs, take advantage of a fringe benefit of Microsoft's Group Policy Management Console (GPMC), which comes with a great set of command-line scripts and the ability to write more of your own. With no extra effort, you can back up and restore individual GPOs or all GPOs in the domain, copy individual GPOs, and generate reports on one GPO or all the GPOs in a domain in the GPMC's familiar settings format. You can even save the entire Group Policy environment—GPOs, settings, links, permissions—to an XML file with a sample script, and restore it with another script.
Repadmin. A Microsoft Product Support Services (PSS) mainstay, Repadmin is the kitchen sink of replication-troubleshooting tools. This tool has so many commands (59), options, and switches that it needs three levels of Help. The /oldhelp switch displays the original syntax and options, some of which have been replaced by newer commands described in /help. (The original ones still work.) If you don't dig into the syntax, you might find yourself running a less useful version and never know it. For example, every Repadmin user seems to first learn about the /showreps switch. It's still there in Windows 2003, but a newer version—/showrepl—has a handy /errorsonly option that prevents the necessity of wading through pages of connection-object information to find errors.
The /experthelp switch lets you access undocumented, advanced Repadmin options that are dangerously powerful. In fact, the /experthelp switch itself is undocumented. The safeties are off now, so attempt these operations only in a test forest until you're familiar with them. (You get no confirmation dialog boxes that ask, "Do you really want to delete that naming
context?")
One useful /experthelp command is /options. This command lets you create a Global Catalog (GC) server with the simple command
repadmin /options <dcname> +is_gc
You can reverse the operation by changing the plus (+) to a minus (-). You can quickly disable replication to a DC with the command
repadmin /options <dcname>
+disable_inbound_replication
and from a DC with the command
repadmin /options <dcname>
+disable_outbound_replication
Also, you can use the /options switch to check the status of any of these operations, as follows:
repadmin /options <dcname>
A great new Repadmin command for Windows 2003 is /replsummary. This command provides a quick summary of the replication health of all the DCs in your forest, in a table-like format. The tool runs quickly, even in large forests, and you can add the /errorsonly option to limit the output to unhealthy DCs. The /bridgeheads option lists details about bridgehead servers. (With no options, the /replsummary command reports on all bridgeheads in the forest.) The /querysites option lets you determine the site link cost between two or more sites in the forest—helpful functionality for determining the least-cost route in a complicated site topology. Many more Repadmin commands await you, and time spent studying them can be rewarding.
Resource Kit
Unlike the Support Tools, the resource kit tools aren't on the installation media. Although they're slightly less crucial than the native OS utilities and Support Tools, many resource kit tools are so handy that I also recommend installing them on every server.
ADLB. The resource kit's Active Directory Load Balancing (ADLB) tool is new to Windows 2003 because it influences a new behavior in the OS. Win2K designates a single DC in each site as the bridgehead server, which handles the connection objects between its site and the sites that the Knowledge Consistency Checker (KCC) decides it should be connected to. If you have many sites, this situation can lead to a scalability problem: The overhead of being a bridgehead server to a lot of branch office sites can load down a DC. Windows 2003 resolves that problem by permitting all DCs in a site to be bridgehead servers for the directory partitions they host, so multiple DCs can handle the connection-object load. The OS initially makes random selections but unfortunately it never rebalances them. Therefore, if the DC configuration in a site changes—for example, if you add a newer, more powerful DC—the distribution of intersite connection objects never changes. ADLB examines and rebalances the distribution of intersite connections between DCs in a site. Before you use ADLB, you need to complete your Windows 2003 DC upgrades so that it will operate evenly on all DCs. The tool won't load-balance Win2K DCs.
The simplest way to run ADLB is with the parameters /server:DcName /site:SiteName. The tool will then report on the connection objects for the target site and suggest changes. (The server you specify can be any DC that's a member of the forest.) Note that ADLB will make changes to the bridgehead configuration only when you add the /commit parameter. You can perform all ADLB operations (except /commit) without elevated rights, which makes your bridgehead-balancing investigations a little less cumbersome.
Register
Ken
kibbage July 09, 2005 (Article Rating: