Xpsupport

  • Alphabetical List of Tools by File Name

    A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

    Tools are listed by their file name, followed by their full name. If the full name begins with a different letter than the file name, the tool is also listed by its full name, followed by its file name. Hold the cursor over the name of a tool for a brief description.

    A

    Acldiag.exe (ACL Diagnostics)

    Active Directory Administration Tool (Ldp.exe)

    Active Directory Replication Monitor (Replmon.exe)

    Addiag.exe (Application Deployment Diagnosis)

    B

    No entries

    C

    Compatadmin.exe (Compatibility Administration Tool)

    D

    Depends.exe (Dependency Walker)

    Dfsutil.exe (Distributed File System Utility)

    Dhcploc.exe (DHCP Server Locator Utility)

    Diruse.exe (Directory Disk Usage)

    Dmdiag.exe (Disk Manager Diagnostics)

    Dnscmd.exe (DNS Server Troubleshooting Tool)

    Dsacls.exe

    E

    Efsinfo.exe (Encrypting File System Information)

    Exctrlst.exe (Extensible Performance Counter List)

    F

    Filever.exe (File Version)

    Ftonline.exe

    G

    Getsid.exe (Get Security ID)

    Gflags.exe (Global Flags Editor)

    H, I, J, K

    No entries

    L

    Ldp.exe (Active Directory Administration Tool)

    M

    Memory Pool Monitor (Poolmon.exe)

    Memsnap.exe (Memory Profiling Tool)

    Movetree.exe (Move Users)

    Msicuu.exe (Windows Installer Cleanup Utility)

    Msizap.exe (Windows Installer Zapper)

    N

    Netcap.exe (Network Monitor Capture Utility)

    Netdiag.exe (Network Connectivity Tester)

    Netdom.exe (Windows Domain Manager)

    Nltest.exe

    O

    Oh.exe (Open Handles)

    P

    Pageheap.exe (Page Heap)

    Performance Data Block Dump Utility (Showperf.exe)

    Pfmon.exe (Page Fault Monitor)

    Pmon.exe (Process Resource Monitor)

    Poolmon.exe (Memory Pool Monitor)

    PPTP Ping (Point-to-Point Tunneling Protocol Ping Utilities)

    Pstat.exe (Process and Thread Status)

    Q

    Qfixapp.exe (Quick Fix Application)

    R

    Repadmin.exe (Replication Diagnostics Tool)

    Replmon.exe (Active Directory Replication Monitor)

    S

    Sdcheck.exe (Security Descriptor Check Utility)

    Setx.exe

    Showperf.exe (Performance Data Block Dump Utility)

    SIDWalker (Security Administration Tools)

    Snmputilg.exe (SNMP Troubleshooting Tool)

    Spcheck.exe (Service Pack Check)

    T, U, V

    No entries

    W

    Windows Domain Manager (Netdom.exe)

    Windows Installer Cleanup Utility (Msicuu.exe)

    Windows Installer Zapper (Msizap.exe)

    X

    Xcacls.exe

    X, Y, Z

    No entries

    1985-2001 Microsoft Corporation. All rights reserved.

  • Introduction to Support Tools

    The Windows Support Tools assist support personnel and network administrators to manage their networks and to troubleshoot problems. They are not installed with the Windows operating system; you must install them separately from the \Support\Tools folder of the Windows CD. This Help file provides information on the tools and shortcuts for opening or running these tools.

    Getting Help on tools

    To find Help for a tool

    Click A-Z List on the button bar or click Alphabetical List of Tools on the Contents tab to display a list of tools by the tool's file name.

    Click a category on the Contents tab and then click the tool's file name.

    Use the Index tab to locate a tool by either tool name or file name.

    Each tool is covered in a main Help topic. Links to associated topics covering syntax, examples, or other features of the tool are available at the top of each topic for that tool. Tools with Windows interfaces may include a separate Help file available from the Help menu in the tool window. For command-line tools, Help is also available by typing FileName /? at the command prompt.

    An extensive Glossary is available from the Contents tab. Links to glossary definitions that appear as pop-up windows are formatted in underlined dark green text.

    Understanding notation and terminology

    The following topics cover the conventions for usage and notation that are observed in this document:

    Procedural conventions

    Notational conventions

    This documentation assumes you are already familiar with the Windows operating system. For more general information about Windows, including keyboard equivalents to menu and mouse actions, see Windows Help.

    Printing topics

    When you print from HTML Help, a dialog box opens asking whether you want to print the selected topic or to print the selected heading and all subtopics. Printing the selected topic is recommended. If you print a heading and subtopics, you may encounter error messages and special formatting will be lost, but the topics still print.

  • Notational Conventions

    Convention                        Meaning

    bold                              In syntax, characters that you type exactly as shown, including commands and switches. In text, menu names and menu commands are also bold.

    bold monospace                    Commands that you must type exactly as shown to get the results being discussed.

    italic                            Variables for which you supply a specific value. For example, Filename.ext represents any valid file name.

    Initial Capitals (Filename.ext)   Names of files should begin with an initial capital letter, for example, Filename.ext. Paths and folders can be uppercase, lowercase, or mixed, according to how they actually appear in a standard installation of the application or the operating system.

    ALL CAPITALS                      Used for acronyms.

    monospace                         Examples of code.

    [ ] (square brackets)             In syntax descriptions, square brackets enclose optional items. If you include the item, type only the information between them, not the square brackets themselves.

    {choice1 | choice2} (braces)      In syntax descriptions, braces enclose items which require a choice, such as {yes | no}. Type only one of the choices, not the braces or the dividing line.

  • Procedural Conventions

    Convention   Meaning

    type         An instruction to type information means to press the key or keys and then press the ENTER key.

    select       An instruction to select information means to highlight folders, file names, text boxes, menu bars, and options, or to select options in a dialog box.

    +            A plus sign ( + ) between two or more key names indicates that you must press the keys at the same time; for example, ALT + TAB.

    ,            A comma ( , ) between two or more key names indicates that you must press each key consecutively; for example, ALT, F, X.

    Note         Alerts you to supplementary information.

    Caution      Alerts you to possible data loss, breaches of security, or other more serious problems.

  • Related Information on the Internet

    There are many Microsoft Internet sites that provide information and updates regarding Windows XP, Windows 2000, Windows NT, Windows 98, and the Windows Resource Kits.

    If you have an Internet connection and a Web browser, you can click the following links to visit these sites.

    Windows Resource Kits Web Site

    Windows Resource Kits (http://go.microsoft.com/fwlink/?LinkId=286) Web site

    Windows Web Sites

    Microsoft Windows (http://go.microsoft.com/fwlink/?LinkId=1681) Web site

    Windows 2000 Server (http://go.microsoft.com/fwlink/?LinkId=623) Web site

    Windows NT Server (http://go.microsoft.com/fwlink/?LinkId=624) Web site

    Windows NT Workstation (http://go.microsoft.com/fwlink/?LinkId=626) Web site

    Microsoft Product Support Services (http://go.microsoft.com/fwlink/?LinkId=1679) Web site

    Microsoft Windows Hardware Compatibility List (http://go.microsoft.com/fwlink/?LinkId=1637) Web site

    Other Microsoft Web Sites of Interest

    Microsoft Knowledge Base Search (http://go.microsoft.com/fwlink/?LinkId=1633) Web site

    Microsoft Internet Explorer (http://go.microsoft.com/fwlink/?LinkId=293) Web site

    Microsoft TechNet (http://go.microsoft.com/fwlink/?LinkId=1631) Web site

    MSDN (http://go.microsoft.com/fwlink/?LinkId=1630) Web site

    Microsoft Home Page

    For any other information about Microsoft products, point your browser to:

    Microsoft home page (http://go.microsoft.com/fwlink/?LinkId=1681) Web site

  • Acldiag.exe: ACL Diagnostics

    This command-line tool detects and reports discrepancies in the Access Control Lists (ACLs) of objects in Active Directory. It can also reapply a security delegation template to an ACL, eliminating special permissions and restoring incomplete delegations.

    With AclDiag, you can:

    Display the Access Control Entries (ACEs) in the ACL, and inheritance and audit settings.

    Display the effective permissions of users and groups to an Active Directory object.

    Compare the ACL for an object in Active Directory to the default permissions defined in the schema.

    Compare the ACL of an Active Directory object to a delegation template.

    Reapply the delegation template to the ACL of an Active Directory object.

    System Requirements

    AclDiag runs on Windows 2000 and on Windows XP Professional.

    The user must have permission to read permissions on Active Directory objects. To reapply a delegation template, the user must have permission to modify permissions to the Active Directory object.

    File Required

    Acldiag.exe

    For more information

    For more information about Active Directory, see the Active Directory Overview (http://go.microsoft.com/fwlink/?LinkId=1646).

  • AclDiag Syntax

    acldiag "LDAP-URL" [/geteffective:{user | group | *}] [/schema] [/chkdeleg [/fixdeleg]] [/skip] [/tdo]

    Parameters

    Note

    If you specify an object without additional parameters, AclDiag lists the Access Control Entries (ACEs) in the ACL, and inheritance and audit settings.

    LDAP-URL

    Identifies the Active Directory object to investigate. Enter the LDAP URL for an object in Active Directory. The LDAP URL format consists of the name of the LDAP server followed by the distinguished name of the object. The string must be enclosed in quotation marks.

    For example, "LDAP://domain.test.microsoft.com/CN=TestAdmin,CN=Users,DC=domain,DC=test,DC=microsoft,DC=com"

    /geteffective:{User | Group | *}

    Adds an effective rights diagnosis to the display. The effective rights diagnosis displays the effective permissions to the object held by specified users or groups. Effective permissions are the permissions that are enforced after precedence is applied and conflicts in rights are resolved.

    Value          Description

    User | Group   Displays the effective permissions held by the specified user or group.

    *              Displays the effective permissions of all users and groups in the access control list (ACL) for the object.

    /schema

    Adds a schema diagnosis to the display. The schema diagnosis reports whether the object ACL includes the ACEs that are in the schema defaults.

    /chkdeleg

    Adds a delegation diagnosis to the display. The delegation diagnosis reports whether the object ACL includes the ACEs that are in the delegation template. A status of misconfigured indicates that at least one, but not all, ACEs in a delegation template (and in the schema default) are included in the ACL.

    /fixdeleg

    Directs AclDiag to reapply the delegation template to the object ACL, eliminating special permissions and restoring incomplete delegations. When the specified object inherits delegated permissions, this parameter reapplies the delegation template to the object for which the delegated permissions are explicitly defined.

    Note

    This parameter is effective only when used with the /chkdeleg parameter. Without /chkdeleg, /fixdeleg is ignored, but AclDiag does not report an error.

    /skip

    Omits the security description from the display. The security description is a list of the ACEs in the object ACL.

    /tdo

    Displays output in tab-delimited format. Fixed-width format is the default. Tab-delimited format is useful when the output is destined for a database or spreadsheet.

  • AclDiag Examples

    To display the ACL of a user object in Active Directory, type:

    acldiag "LDAP://domain1.test.microsoft.com/CN=Test Admin,CN=Users,DC=domain1,DC=test,DC=microsoft,DC=com"

    To display a schema analysis of a computer object in Active Directory, type:

    acldiag "LDAP://domain1.test.microsoft.com/CN=MACHINE-TEST,CN=Computers,DC=domain1,DC=test,DC=microsoft,DC=com" /schema

    To display the ACL, the effective permissions for all users, and the delegation analysis of a computer object in tab-delimited format, type:

    acldiag "LDAP://domain1.test.microsoft.com/CN=MACHINE-TEST,CN=Computers,DC=domain1,DC=test,DC=microsoft,DC=com" /chkdeleg /geteffective:* /tdo

    To reapply a delegation template to a group object, type:

    acldiag "LDAP://domain1.test.microsoft.com/CN=Domain Computers,CN=Users,DC=domain1,DC=test,DC=microsoft,DC=com" /chkdeleg /fixdeleg

  • Dsacls.exe: DsAcls

    Displays and changes permissions (access control entries) in the Access Control List (ACL) of objects in Active Directory.

    DsAcls is the command-line equivalent of the Security tab in the Properties dialog box for an Active Directory object in Active Directory tools, such as Active Directory Users and Computers. You can use either tool to view and change permissions to an Active Directory object.

    Note

    The ACEs that you add by using DsAcls must be object-specific permissions that override the default permissions defined in the Active Directory schema for that object type. Do not add ACEs unless you are well-informed about security for Active Directory objects.

    System Requirements

    DsAcls runs on Windows 2000 and on Windows XP Professional.

    To view an ACL, the user must have permission to read permissions on Active Directory objects. To change an ACL, the user must have permission to write permissions to the Active Directory object.

    Files required

    Dsacls.exe

  • DsAcls Syntax

    dsacls "[\\Computer\]ObjectDN" [/A] [/D PermissionStatement [PermissionStatement...]] [/G PermissionStatement [PermissionStatement...]] [/I:{T | S | P}] [/N] [/P:{Y | N}] [/R {user | group} [{user | group}...]] [/S [/T]] [/?]

    Note

    If you specify an object without additional parameters, DsAcls displays the Access Control Entries (ACEs) in the ACL.

    "[\\Computer\]ObjectDN"

    Identifies the Active Directory object to investigate. Type the distinguished name of the object. To specify an object on a remote computer, type the computer name followed by the distinguished name. This parameter must be enclosed in quotation marks.

    For example, "CN=Jeff Akers,CN=Users,DC=domain,DC=test,DC=microsoft,DC=com" or "\\Server01\CN=Jeff Akers,CN=Users,DC=domain,DC=test,DC=microsoft,DC=com"

    /A

    Adds ownership and auditing information to the display.

    /D PermissionStatement [PermissionStatement...]

    Denies the specified permissions to the user or group.

    You can deny permissions to multiple users in each /D parameter, for example:

    /D Domain1\User1:CCDC Domain1\User2:DC;computer

    /G PermissionStatement [PermissionStatement...]

    Grants specified permissions to user or group.

    You can grant permissions to multiple users in each /G parameter, for example:

    /G Domain1\User1:CCDC Domain1\User2:DC;computer

    /I:{T | S | P}

    Specifies the objects to which the permissions are applied. This parameter determines whether the permissions are inheritable. T is the default.

    T   This object and subobjects.

    S   Subobjects only.

    P   Propagate inheritable permissions one level only.

    /N

    Provides that the specified ACE replace the ACEs in the ACL. By default, the ACE is added to the ACL.

    /P:{Y | N}

    Determines whether the object can inherit permissions from its parent objects. If you omit this parameter, the inheritance properties of the object are not changed.

    Y   The object is protected and cannot inherit permissions.

    N   The object is not protected and can inherit permissions.

    Note

    This parameter changes a property of the object, not of an ACE. To determine whether an ACE is inheritable, use the /I parameter.

    /R {user | group}

    Deletes all ACEs for the specified users or groups.

    User can be specified as user@domain or domain\user. Group can be specified as group@domain or domain\group.

    You can delete ACEs for multiple users and groups in a single /R parameter, for example, /R Domain1\User1 Domain1\User2

    /S

    Restores the security on the object to the default for that object class as defined in Active Directory schema.

    /T

    Restores the security on the tree of objects to the default for each object class. This parameter is valid only with the /S parameter.

    /?

    Displays help for DsAcls.

    Syntax for PermissionStatement

    PermissionStatements must have the following format:

    {User | Group}:Permissions[;{ObjectType | Property}][;InheritedObjectType]

    where:

    {User | Group}

    Specifies the user or group to whom the rights apply. User can be specified as user@domain or domain\user. Group can be specified as group@domain or domain\group.

    {ObjectType | Property}

    Limits the permission to the specified object type or property. Enter the display name of the object type or of the property. If an object type or property is not specified, the permission applies to all object types and properties.

    For example, /G Domain\User:CC permits the user to create all types of child objects, but /G Domain\User:CC;computer permits the user to create only child computer objects.

    InheritedObjectType

    Limits inheritance of the permission to the specified type of object. Enter the display name of the object type. If an object type is not specified, the permission can be inherited by all object types. This parameter is used only when permissions are inheritable.

    For example, /G Domain\User:CC permits all types of objects to inherit the permission, but /G Domain\User:CC;;user permits only user objects to inherit the permission.

    Permissions

    Type one or more of the following values (without spaces).

    Generic Permissions   Description

    GR   Generic Read

    GE   Generic Execute

    GW   Generic Write

    GA   Generic All

    Specific Permissions   Description

    SD   Delete

    DT   Delete an object and all of its children

    RC   Read security information

    WD   Change security information

    WO   Change owner information

    LC   List the children of an object

    CC   Create child object

         If {Object | Property} is not specified to define a specific child-object type, this applies to all types of child objects; otherwise, it applies to the specified child-object type.

    DC   Delete a child object

         If {Object | Property} is not specified to define a specific child-object type, this applies to all types of child objects; otherwise, it applies to the specified child-object type.

    WS   Write to self object

         Meaningful only on Group objects and when {Object | Property} is a "member".

    RP   Read property

         If {Object | Property} is not specified to define a specific property, this applies to all properties of the object; otherwise, it applies to the specified property of the object.

    WP   Write property

         If {Object | Property} is not specified to define a specific property, this applies to all properties of the object; otherwise, it applies to the specified property of the object.

    CA   Control access right

         If {Object | Property} is not specified to define the specific extended right for control access, this applies to all meaningful control accesses on the object; otherwise, it applies to the specific extended right for that object.

    LO   List the object access.

         Can be used to grant list access to a specific object if List Children (LC) is not granted to the parent as well. Can also be denied on specific objects to hide those objects if the user/group has LC on the parent.

         Note

         Active Directory does not enforce this permission by default. The Active Directory must be configured to check for this permission.

  • DsAcls Examples

    Examples of valid permissions

    SDRCWDWO;;user

    Delete, read security information, change security information and change ownership permissions on objects of type "user".

    CCDC;group;

    Create child and delete child permissions to create or delete objects of type "group".

    RPWP;telephonenumber;

    Read property and write property permissions on telephone number property.
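    The PermissionStatement format and the permission codes listed in the DsAcls syntax topic can be decoded and checked before a /G or /D argument is applied. The Python parser below is an added example, not part of the original Help file or of DsAcls itself; the function names and the REVIEW_CODES set (GA, WD, WO flagged for manual review) are assumptions of the example, and the sample statements are constructed.

```python
from dataclasses import dataclass

# Permission codes and descriptions as listed in the DsAcls syntax topic.
PERMISSION_CODES = {
    "GR": "Generic Read",
    "GE": "Generic Execute",
    "GW": "Generic Write",
    "GA": "Generic All",
    "SD": "Delete",
    "DT": "Delete an object and all of its children",
    "RC": "Read security information",
    "WD": "Change security information",
    "WO": "Change owner information",
    "LC": "List the children of an object",
    "CC": "Create child object",
    "DC": "Delete a child object",
    "WS": "Write to self object",
    "RP": "Read property",
    "WP": "Write property",
    "CA": "Control access right",
    "LO": "List the object access",
}

# Assumption of this example (not from the Help file): codes that hand over
# full control, the ACL itself, or ownership are flagged for manual review.
REVIEW_CODES = {"GA", "WD", "WO"}


@dataclass
class PermissionStatement:
    trustee: str          # user@domain, domain\user, group@domain or domain\group
    codes: list           # two-letter permission codes, in the order typed
    target: str           # ObjectType or Property; "" means all
    inherited_type: str   # InheritedObjectType; "" means all object types

    def needs_review(self):
        """Return the codes in this statement that are in REVIEW_CODES."""
        return sorted(REVIEW_CODES.intersection(self.codes))

    def describe(self):
        """Return one readable line for a change-review record."""
        rights = ", ".join(PERMISSION_CODES[c] for c in self.codes)
        scope = self.target or "all object types and properties"
        heirs = self.inherited_type or "all object types"
        return f"{self.trustee}: {rights} | applies to: {scope} | inherited by: {heirs}"


def split_codes(permissions):
    """Split a run such as 'SDRCWDWO' into ['SD', 'RC', 'WD', 'WO']."""
    # Codes are matched exactly as the Help file lists them (upper case).
    if not permissions or len(permissions) % 2:
        raise ValueError(f"permissions must be two-letter codes: {permissions!r}")
    codes = [permissions[i:i + 2] for i in range(0, len(permissions), 2)]
    unknown = [c for c in codes if c not in PERMISSION_CODES]
    if unknown:
        raise ValueError(f"unknown permission code(s): {unknown}")
    return codes


def parse_statement(text):
    """Parse {User | Group}:Permissions[;{ObjectType | Property}][;InheritedObjectType]."""
    trustee, colon, rest = text.partition(":")
    trustee = trustee.strip()
    # The Help file documents only the name@domain and domain\name forms.
    if not colon or ("\\" not in trustee and "@" not in trustee):
        raise ValueError(f"expected domain\\name or name@domain before ':' in {text!r}")
    fields = [f.strip() for f in rest.split(";")]
    if len(fields) > 3:
        raise ValueError(f"too many ';' fields in {text!r}")
    fields += [""] * (3 - len(fields))   # a trailing ';' leaves an empty field
    return PermissionStatement(trustee, split_codes(fields[0]), fields[1], fields[2])


def review(statements):
    """Parse each statement; return (description, flagged_codes) pairs."""
    parsed = [parse_statement(s) for s in statements]
    return [(p.describe(), p.needs_review()) for p in parsed]


if __name__ == "__main__":
    # Constructed sample arguments in the style of the /G examples above.
    sample = [r"Domain1\User1:CCDC", r"Domain1\User2:DC;computer",
              r"helpdesk@domain1:SDRCWDWO;;user"]
    for line, flagged in review(sample):
        print(line, "| REVIEW:" if flagged else "", " ".join(flagged))
```
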

  • Ldp.exe: Active Directory Administration Tool

    This graphical utility is a Lightweight Directory Access Protocol (LDAP) client that allows users to perform operations (such as connect, bind, search, modify, add, delete) against any LDAP compatible directory, such as Active Directory. Use LDP to view objects stored in Active Directory along with their metadata, such as security descriptors and replication metadata.

    Note

    LDP is a GUI-based, Windows Explorer-like utility with a scope pane on the left that is used for navigating through the Active Directory namespace, and a details pane on the right that is used for displaying the results of the LDAP operations. Any text displayed in the details pane can be selected with the mouse and "copied" to the clipboard.

    Corresponding UI

    LDP comes with its own user interface.

    Concepts

    It is highly recommended that you read the Understanding LDAP whitepaper on the Microsoft Web site before continuing with this document. (http://go.microsoft.com/fwlink/?LinkId=1647)

    System Requirements

    The following are the system requirements for LDP:

    A connection to an LDAP server.

    Files Required

    LDP.exe

  • LDP Notes

    Finding Required and Optional Values for an Attribute

    The schema defines objects as well as the attributes and permissible values for each. Schema classes that contain attribute information about objects can be viewed. Search the cn=Schema,cn=Configuration,dc=ForestRootDomain for classSchema objects to view this information.

    Understanding Bind Options for LDAP Authentication

    There are several authentication methods available in LDP that allow a client to bind to an LDAP server. The best method depends on several factors.

    Method      Description

    Simple      Clear text password. Try not to use this as it is not secure.

    MSN         MSN (Microsoft Network) authentication. This package may bring up UI to prompt the user for MSN credentials.

    DPA         Normandy authentication, new MSN authentication. Same usage as MSN.

    NTLM        NT domain authentication. Use NULL credentials and attempt to use default logged in user credentials.

    Sicily      Negotiate with the server for any of: MSN, DPA, NTLM. Should be used for LDAPv2 servers only.

    Negotiate   Use GSSAPI Negotiate package to negotiate security package of either Kerberos V5 or NTLM (or any other package the client and server negotiate). Pass in NULL credentials to specify default logged in user. If Negotiate package is not installed on server or client, this will fall back to Sicily negotiation.

  • LDP UI

    To start LDP

    The LDP dialog box consists of two panes. The scope pane on the left side lists the base object and any child objects. Thedetails pane lists the results of the LDAP operations.

    Connection MenuConnection Menu

    The Connection menu Options:

    Option Description

    Connect Opens a dialog box that opens a session with a specified LDAP server. A connection must be established with an LDAP server before any other LDAP commands can be run. Enter the appropriate port number for the service you are connecting to. By default LDAP uses TCP for a connection-oriented session. To use UDP for a connectionless session, select the Connectionless checkbox. By default a successful connection results in the display of the RootDSE information in the detail pane.

    Bind Opens a dialog box that authenticates to a specified LDAP server. Enter a username and password of an account that has permissions to the LDAP server. If you enter an invalid user, then you will be connected with anonymous credentials. As a shortcut, use the Bind option without using the Connect option to connect to, and authenticate with, the server last connected to.

    Advance Opens a dialog box that sets options for the authentication methods. See Bind under the Options menu.

    Disconnect Terminates an open session with a specified LDAP server. Closing the LDP application automatically disconnects any open sessions.

    New Keeps the currently connected session, but clears the details pane. The keyboard shortcut for this action is CTRL+N. By default the details pane is accumulative.

    Open Opens text files and places the information in the details pane.

    Save Saves changes to a previously saved file.

    Save as Saves the contents of the details pane to a text file. Use the Open command to view the contents of this file in the details pane later.

    Print Prints the details pane.

    NOTE

    LDP can only connect to one LDAP server at a time. Using the Connect command while connected to a server will disconnect the current session.

    Browse Menu

    The Browse menu Options:

    Add

    Opens a dialog box that adds objects to Active Directory. The full distinguished name of the object must be entered, as well as all of the mandatory attributes for the class of object being added.

  • Option Description

    DN Enter the full distinguished name of the new object.

    Attribute Enter the required or optional attribute.

    Values Enter the value(s) associated with the attribute. Separate multiple values for a single attribute with a semicolon. No spaces are required.

    Enter Click this button to add the entered attribute and value(s) to the Entry List section of the dialog box, and clear the Attribute and Value input boxes. Continue entering attributes and values until all required and desired optional attributes are on the Entry List.

    Insert File Opens a dialog box that allows a text file with the appropriate attributes and values to be used.

    Entry List Displays entered attributes and values.

    Edit Opens a dialog box that allows changes to the selected entry from the Entry List.

    Remove Deletes the selected entry from the Entry List.

    Extended Select this checkbox if the object being added is part of an extended control.

    Synchronous By default this checkbox is selected, requiring LDP to wait for a response from the destination server before continuing. Clear this checkbox to allow LDP to continue before a response is received. Clear this checkbox when slow WAN connections are causing LDP commands to time out.

    Run Click this button to add the current attributes and values in the Entry List to Active Directory. If LDP encounters any errors, then the object will not be added and the error will display in the details pane.

    Delete Opens a dialog box that allows an object from Active Directory to be deleted. Attributes can be deleted only if they are defined as optional and contain no values. Use the Edit command to delete an attribute's values.

    DN

    Option Description

    Dn Enter the full distinguished name of the new object.

    Extended Select this checkbox if the object being deleted is part of an extended control.

    Synchronous By default this checkbox is selected, requiring LDP to wait for a response from the destination server before continuing. Clear this checkbox to allow LDP to continue before a response is received. Clear this checkbox when slow WAN connections are causing LDP commands to time out.

    Recursive(client)

    Deletes all objects in a container, but does not delete the container.

    Modify

    Opens a dialog box that allows changes to the attributes of an object stored in Active Directory.

  • Option Description

    Dn Enter the full distinguished name of the new object.

    Attribute Enter the required or optional attribute.

    Values Enter the value(s) associated with the attribute. Separate multiple values for a single attribute with a semicolon. No spaces are required.

    Insert Files Opens a dialog box that allows a text file with the appropriate attributes and values to be used.

    Enter Click this button to add the entered attribute and value(s) to the Entry List section of the dialog box, and to clear the Attribute and Value input boxes. Continue entering attributes and values until all required and desired optional attributes are on the Entry List.

    Operation Section

    Choose between Add, Delete, and Replace. Choose Add to add a new value to an existing attribute. Choose Delete to permanently remove an attribute from the listed object. Attributes containing data cannot be deleted. Also, attempting to delete required attributes results in an error. Choose Replace to replace an existing value with another. Choose Replace to change listed values for an existing attribute.

    Entry List Section

    Displays existing attributes and values for an object.

    Edit Opens a dialog box that allows changes to the selected entry from the Entry List.

    Synchronous By default this checkbox is selected, requiring LDP to wait for a response from the destination server before continuing. Clear this checkbox to allow LDP to continue before a response is received. Clear this checkbox when slow WAN connections are causing LDP commands to time out.

    Extended Select this checkbox if the object being modified is part of an extended control.

    Run Click this button to send the edited values in the Entry List to Active Directory.

    Modify RDN

    Opens a dialog box that allows changes to an object's relative distinguished name. This option is designed to modify leaf objects only. If you rename the container portion of the distinguished name, then the object will be moved to the container that is named.

    Option Description

    Old DN Enter the current distinguished name of the object.

    New DN Enter the new distinguished name for the object.

    Delete Old Specifies that the old distinguished name should be removed from the LDAP directory. This checkbox is selected by default.

    Synchronous By default this checkbox is selected, requiring LDP to wait for a response from the destination server before continuing. Clear this checkbox to allow LDP to continue before a response is received. Clear this checkbox when slow WAN connections are causing LDP commands to time out.

    Extended rename

    Select this checkbox if the object being renamed is part of an extended control.

    Run Click this button to send the change to Active Directory.

    Search

    Opens a dialog box that creates a customized search filter, and performs the search on the directory information tree. The search base must be specified as a distinguished name, and the filter must be a valid LDAP filter. Items returned from a search are separated by >> characters.

  • Option Description

    Base DN Enter a distinguished name to specify where the search should start from.

    Filter Enter the search criteria separated by LDAP search filters. Enter attributes and values to find an object or set of objects. Note: LDAP search filters are defined in RFC 2254, and in the Knowledge Base Article Q255602 "Browsing and Querying Using the LDP Utility" at Microsoft Product Support Services (http://www.microsoft.com/).

    Scope Section

    Specifies how many levels the search should encompass.

    Base Searches the base object only.

    One Level

    Searches objects immediately subordinate to the base object, but does not search the base object.

    Subtree Searches the entire subtree, from the base object down to all child objects.

    Options Button

    Opens the Search Options dialog box. Allows the application of filters that allow some entries and exclude others from the search, and allows controls that affect how the search is processed. See the Options menu for more details.

    Run Click this button to send the search request to Active Directory.

    Compare

    Opens a dialog box that allows the user to compare the value of an object's attribute with a specified value. The result returned is either true or false.

    Option Description

    DN Enter the full distinguished name of the object whose value(s) will be compared.

    Attribute Enter attribute to be compared.

    Values Enter the value(s) that will be compared with the existing value in Active Directory. Separate multiple values for a single attribute with a semicolon. No spaces are required.

    Synchronous By default this checkbox is selected, requiring LDP to wait for a response from the destination server before continuing. Clear the checkbox to allow LDP to continue before a response is received. Clear this checkbox when slow WAN connections are causing LDP commands to time out.

    Run Starts the comparison.

    Extended Op

    Opens a dialog box that allows the user to submit an extended operation to an LDAP Directory by specifying an LDAP Object identifier (OID) and an applicable value.

    Option Description

    Oid Enter the Object ID number.

    Data Enter the value of the OID attribute.

    Controls See Controls under the Option menu.

    Send Submits the extended operation to Active Directory.

    GetLastError

    Calls the LDAP Getlasterror function.

    Security

    Opens a dialog box that allows the user to submit an extended operation to an LDAP Directory by specifying an LDAP Object identifier (OID) and an applicable value.

    Option Description

    Security Descriptor Opens a dialog box that allows the viewing of access permissions on an object.

    User Rights Not implemented yet.

  • Replication

    Opens a dialog box that allows the user to submit an extended operation to an LDAP Directory by specifying an LDAP Object identifier (OID) and an applicable value.

    Option Description

    View Metadata

    Opens a dialog box that allows the viewing of replication metadata of an object. This command is useful in identifying whether the objects are up to date and replicated between domain controllers.

    Process Pending

    Opens a dialog box that shows the list of requests that are not finished processing.

    View Menu

    The View menu Options:

    Option Description

    Status Bar Shows or hides the Status Bar located along the bottom of the LDAP window.

    Tree Opens a dialog box that specifies the base object in the scope pane. A default base object can be entered in the General Options dialog box in the Auto Base DN Query input box. By default this input box is blank and no object is listed in the scope pane.

    Enterprise Configuration

    Opens the Live Enterprise Tree dialog box that shows a graphic display of all domains and domain controllers in the enterprise. The dialog box indicates whether the domain controllers are online or offline by marking offline domain controllers with a red X.

    Auto Refresh(min):

    Enter the number of minutes that LDP should wait before refreshing the display.

    Refresh Manually refreshes the display.

    Options Menu

    The Options menu Options:

    Bind Options

    Option Description

    Function Type Specifies a category of authentication that LDP will use when choosing authentication methods.

    Generic Specifies that a standard authentication protocol will be used.

    Simple Specifies that no authentication protocol will be used and the password will be sent in cleartext.

    Extended Not available.

    Method Selects the type of authentication that LDP will use when passing credentials.

    Synchronous Use this checkbox to specify that the authenticating server must respond immediately to requests. This option only works with Simple authentication.

    Use auth.identit

    Allows the use of alternate authentication credentials. All authentication methods except simple require synchronous calls.

    Search Options

  • Option Description

    Time Limit Specifies the number of milliseconds that the search can take on the server. By default the maximum is 120 seconds.

    Size Limit Specifies the maximum number of bytes that the search can return. Entering a null value does not place a maximum size on the data returned.

    Timeout (s) Specifies the number of seconds that LDP will wait for the LDAP server to respond to a search request.

    Timeout (ms)

    Specifies the number of milliseconds that LDP will wait for the LDAP server to respond to a search request.

    Page Size Limits each page of returned data to the specified number of bytes.

    Attributes Specifies which attributes will be returned in the search. Separate multiple attributes with a semicolon. Use the asterisk (*) wildcard character to indicate all attributes.

    Search Call Type

    Specifies a call type to be used in the search. If the search will take some time, then selecting async allows you to perform other tasks while waiting for the search to complete.

    Attributes Only

    Select this checkbox to return only attributes of objects. The distinguished name will not be returned.

    Chase Referrals

    Performs a search for objects found in external LDAP directories. By default, objects' external LDAP directories' trusts will only return a referral instead of the actual object.

    Display Results

    Displays a detailed list of objects returned by the search. By default only a success or failure, and the number of objects found, is displayed.

    Sort Keys Selecting this button will open the Sort Keys Option dialog box. See Sort Keys in the Options menu.

    Controls Selecting this button will open the Controls Option dialog box.

    Pending Options

    Opens a dialog box that places filters on the list of processes that have not yet completed.

    Option Description

    All search results Specifies that all search results will be displayed.

    Blocking Clear this checkbox to set a time limit.

    Time Limit (sec): Specifies a time limit in seconds.

    Time Limit (millisec): Specifies a time limit in milliseconds.

    General Options

    Option Description

    Value Parsing Section

    Binary Displays the LDAP information in its native numerical format.

    String Converts the LDAP information from its native format to ASCII characters, so that it is more readable when displayed. This is the default setting. Values that are too long to be converted are still displayed in binary form.

    LDAP Version Section

    Specifies which version of LDAP the server is using. The default is version 3.

    DN Processing Section

    Converts the distinguished names, displayed into component parts, by extending the data types that LDP returns when performing a command. This option is useful for LDP developers.

    Buffer Size Section

    Option Description

    Page Specifies the number of lines returned that will be displayed by LDP per command.

    Line Specifies the number of characters returned that will be displayed by LDP per command.

    Auto defaultNC query

    Specifies that LDP should query the default naming context when a connection to the LDAP server is made. The default naming context is the RootDSE. This setting is used when the distinguished name value in the View|Tree dialog box is left blank.

    Virtual List View (VLV) Section

  • Option Description

    Auto VLV browse when container size is greater than:

    Selecting this checkbox displays a pop-up window of a virtual list view, whenever the object count is greater than the value displayed in the input box. The default value is 100.

    Connection Options

    Opens a dialog box that allows the value of any option to be changed.

    Option Name Enter the name of the option whose value will be reset.

    Value Enter the new value for the specified option.

    Set Sends the information to the LDAP Directory.

    TLS Options

    Starts or stops a secure session with the LDAP server using Transport Level Security (TLS).

    Controls Option

    Use LDAP controls to extend the functionality of LDAP.

    The Object Identifier must be specified when implementing a control. To obtain a list of Object Identifiers, view the supportedControls property in the RootDSE of a domain controller. Individual controls are described in the Understanding LDAP whitepaper published by Microsoft (http://www.microsoft.com/).

    NOTE

    Only server controls can be sent to a server. Client controls only work with LDAP APIs.

    To view a list of extended LDAP controls, search for the Knowledge Base article Q222560 "Windows 2000 Extended LDAP Controls" at Microsoft Product Support Services (http://www.microsoft.com/).

    Sort Keys Option

    Sort Keys is a type of control that formats the display of search results.

    For more information find sortKeyRequestControl in the Understanding LDAP whitepaper published by Microsoft (http://www.microsoft.com/).

    Utilities Menu

    The Utilities menu Options:

    Large Integer Converter For developers to convert large integers into High and Low parts.

    NOTE

    LDP can only connect to one LDAP server at a time. Using the Connect command while connected to a server will disconnect the current session.

  • LDP UI


    Example 1: Add a New Object to an LDAP Directory

    The following example uses LDP to add a user to Active Directory.

    1. Click the Browse menu and select Add.

    2. In the Add dialog box, enter the distinguished name of the new object in the Dn input box.

    3. In the Edit Entry section, add the new attributes and values. Click Enter after typing in each attribute and associated value:

    Attribute Value

    userAccountControl 512

    ObjectClass User

    SamAccountName Testuser2

    4. Click Edit to add the attribute or value combination to the Entry List box.

    5. Once all the attributes are entered, click Run to add the information to Active Directory using LDAP APIs.

    Example 2: Search an LDAP Directory

    The following example performs several searches on Active Directory.

    1. Click the Browse menu and select Search.

    The Search dialog box opens.

    2. In this search, the LDAP directory is Active Directory, and for usernames it contains a givenName attribute for first names, and an attribute of sn for last names. To search for all users that have a first name of John and a last name of either Smith or Jones, use the following filter:

    (&(objectClass=user)(givenName=John)(|(sn=Smith)(sn=Jones)))

    3. To search for users that have a last name of Jones, but filter out those users that have a first name of John or Jane, and also filter out users that have not logged on at least 100 times. The exclamation point (!) is the NOT operator.

    (&(objectClass=user)(sn=Jones)(!givenName=John)(!givenName=Jane)(!logonCount

  • (&(objectClass=user)(displayName=*\29))

    4.

    5. Queries support asterisk wildcards (*). To search for all users who have a surname that starts with the letter J:

    (&(objectClass=user)(sn=j*))

    6. The following search is for users whose home directories are G:\Accounting. The attribute name is home-directories:

    (&(objectClass=user)(home-directory=G:\5cACCOUNTING*))
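    The filters in Example 2 write a literal ")" as \29 and a literal backslash as \5c, which is the RFC 2254 escaping for characters that would otherwise change a filter's structure. The following Python sketch is an added example, not part of the original help file: it escapes values before they are placed in a filter and checks that the result is a single balanced expression. All function names and the "Jones (Sales)*" sample value are constructed for illustration.

```python
import re

# RFC 2254: inside a value, these characters are written as a backslash
# followed by their two-digit hexadecimal code.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Conservative attribute-name check (letters, digits, hyphen). This is an
# assumption of the example; it covers the attribute names used on this page.
_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_value(value):
    """Return value with every filter metacharacter hex-escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _attr(name):
    """Reject attribute names that could smuggle filter syntax."""
    if not _ATTR.fullmatch(name):
        raise ValueError(f"unexpected attribute name: {name!r}")
    return name


def eq(attr, value):
    """(attr=value) with the value matched literally."""
    return f"({_attr(attr)}={escape_value(value)})"


def starts_with(attr, prefix):
    """(attr=prefix*): only the trailing asterisk acts as a wildcard."""
    return f"({_attr(attr)}={escape_value(prefix)}*)"


def ends_with(attr, suffix):
    """(attr=*suffix): only the leading asterisk acts as a wildcard."""
    return f"({_attr(attr)}=*{escape_value(suffix)})"


def and_(*parts):
    return "(&" + "".join(parts) + ")"


def or_(*parts):
    return "(|" + "".join(parts) + ")"


def is_well_formed(filter_text):
    """True if the text is one parenthesised expression with balanced
    parentheses. Escaped parentheses (\\28, \\29) are not counted because
    they no longer appear as literal characters."""
    depth = 0
    last = len(filter_text) - 1
    for i, ch in enumerate(filter_text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != last):
                return False  # stray ")" or text after the outer group
        elif depth == 0:
            return False      # text outside the outermost parentheses
    return depth == 0 and bool(filter_text)


if __name__ == "__main__":
    user = eq("objectClass", "user")
    # The filters from Example 2, rebuilt from unescaped values.
    print(and_(user, eq("givenName", "John"),
               or_(eq("sn", "Smith"), eq("sn", "Jones"))))
    print(and_(user, ends_with("displayName", ")")))
    print(and_(user, starts_with("home-directory", "G:\\ACCOUNTING")))
    # Constructed value containing metacharacters: matched literally.
    print(and_(user, eq("displayName", "Jones (Sales)*")))
```

    Paste the printed filter into the Filter box of the Search dialog; a filter that fails is_well_formed has a missing or extra parenthesis.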

    Example 3: Control the Returns on a Search of an LDAP Directory

    The following example uses the Search Options dialog box to control which attributes are displayed in a search. Just a few attributes are displayed, and the rest are filtered so that they are not displayed in the details window of LDP.

    1. In the Attributes input box, enter the attributes to display. Enter the following: "memberof;range:1-20"objectClass;objectGUID

    A range is specified for the memberof attribute. A semicolon is also used to do this, so the entire section must be separated from the rest of the attributes by quotes.

    Note

    Separate attributes with a semicolon. No spaces are necessary. All other attributes will be filtered out of the display.

    2. All searches will display only the memberof, objectClass, and objectGUID attributes in the details pane.

    Note

    To return all attributes, replace any existing list of attributes with the asterisk wildcard character (*).

    Example 4: Viewing Replication Metadata for an Object

    The following example uses LDP to list the replication metadata for an object in Active Directory.

    1. Click the Browse menu and select Replication|View Metadata.

    The View Metadata dialog box opens.

    2. Enter the distinguished name of the object in the Object Dn input box.

    3. Click OK.

    AttID Ver Loc.USN Originating DSA Org.USN Org.Time/Date

    0 1 3693 9fad4c38-2d76-44b2-84f6-f2fe384f8450 3693 2000-12-29 09:15.02

    3 1 3693 9fad4c38-2d76-44b2-84f6-f2fe384f8450 3693 2000-12-29 09:15.02

    d 1 3693 9fad4c38-2d76-44b2-84f6-f2fe384f8450 3693 2000-12-29 09:15.02

    20001 1 3693 9fad4c38-2d76-44b2-84f6-f2fe384f8450 3693 2000-12-29 09:15.02

    20002 1 3693 9fad4c38-2d76-44b2-84f6-f2fe384f8450 3693 2000-12-29 09:15.02

  • Movetree.exe: Active Directory Object Manager

    This command-line tool allows administrators to move Active Directory objects such as organizational units and users between domains in a single forest. These types of operations are performed to support domain consolidation or organizational restructuring operations.

    MoveTree allows an organizational unit to be moved with all of the linked Group Policy objects in the old domain intact. The Group Policy object link is moved and continues to work, and clients receive their Group Policy settings from the Group Policy objects located in the old domain.

    Corresponding UI

    To move users or groups within a Windows XP Professional domain (for example, from one organizational unit to another), use Active Directory Users and Computers, a Microsoft Management Console snap-in that is part of the Windows XP Professional operating system.

    Note

    You must install Adminpak.msi before you can see the Active Directory Users and Computers snap-in in Administrative Tools.

    Concepts

    For more information on Active Directory, see Using Active Directory in Help and Support Center.

    System Requirements

    The following are the system requirements for MoveTree:

    Windows XP Professional

    Administrator rights

    Files required

    Movetree.dll

    Movetree.exe

  • MoveTree Notes

    Before Using MoveTree

    Before using MoveTree you should do the following to maintain peak performance:

    1. Review all Group Policy objects that apply to a particular organizational unit, and make a note of the Group Policy settings they contain.

    2. Recreate the Group Policy objects, linked to the moved organizational unit in the new domain, with the desired settings.

    3. Make sure to remove the Group Policy objects linked from the old domain.

    MoveTree Limitations

    While MoveTree can move some Active Directory objects between domains, certain objects cannot be moved. MoveTree is also unable to move certain associated data that may exist externally to Active Directory.

    Detailed Limitations

    Local and Domain Global Groups

    Local and Domain Global groups are not moved during a MoveTree operation. During a MoveTree operation, all security principals (for example, user accounts and groups) maintain their security identity. This means that resources that were previously protected with ACLs do not have to have these ACLs reset. Provided that user and group memberships are maintained, security of access to resources is also maintained.

    Universal Groups

    Universal groups are moved intact during a MoveTree operation. However, because of group membership rules, only empty Domain Local and Global groups can be moved. Therefore it is important to save and recreate the memberships of Domain Local and Global groups to maintain the existing resource access permissions.

    Computer Objects

    Computer objects are not moved during a MoveTree operation. Use Netdom, another Windows XP Professional Support Tool, to move computer accounts between domains and to join computers to domains.

    Associated Data

    Associated data that is not moved during a MoveTree operation includes policies, profiles, logon scripts, and users' personal data. Use additional scripts or management tools, such as the Remote Administration Scripts (included in the Windows 2000 Resource Kit), in conjunction with MoveTree to perform these additional steps.

    MoveTree cannot move the following objects:

    system objects (identified by the objectClass being marked as systemOnly)

    objects in the configuration or schema naming contexts

    objects in the special containers in the domain: Builtin, ForeignSecurityPrincipal, System, LostAndFound

    domain controllers or any object whose parent is a domain controller

    any object with the same name as an object that already exists in the target domain

    MoveTree may fail due to some of the following error conditions:

  • The source domain controller cannot transfer the RID role owner.

    The source object is locked due to another operation in progress (for example, if another user is currently creating child objects under the source object that is selected for the move operation).

    Either the source or destination domain have invalid credentials.

    The destination knows the source object is deleted but the source does not (for example, the source object had been deleted on a different domain controller, but due to replication latency, the source domain controller has not yet received the deletion event).

    There is a failure at the destination domain controller (for example, Disk Full).

    A Security Accounts Manager (SAM) constraint is met (for example, Duplicate SAM Account Name or source object password length does not meet the password restrictions in the target domain).

    The source and destination have a schema mismatch.

    When a MoveTree Operation is Paused or Halted

    During a MoveTree operation, if the process is paused or halted, then any objects that have yet to be moved remain in an orphan container in the Lost And Found container in the source domain. The Lost And Found container can be viewed in the Active Directory Users and Computers snap-in (a Windows XP Professional administrative tool) when the Advanced View menu option is selected. The orphan container is named using the globally unique identifier (GUID) of the parent container being moved and can be readily identified; it will contain the objects that were selected for the MoveTree operation.

    For example, if an organizational unit called "Sales" was being moved, and it has an object GUID of {123-abc}, and the MoveTree operation were halted, then the tree structure would look like this:

    Lost + Found {123-abc} Sales Sales

    MoveTree ErrorLevels

    MoveTree returns ErrorLevel 0 for success and ErrorLevels 1 through 5 for different kinds of failure. These values can be used as criteria for branching, when the tool is used in a batch file; see Example 5: Use MoveTree in a Batch File in MoveTree Examples.

    Error Level Meaning

    0 Success

    1 Error command line syntax

    2 Error directory conflict (duplicate names, insufficient privilege, name conflict, immovable object)

    3 Error - network error (DC unavailable)

    4 Error system resource (Low VM, disk space)

    5 Error internal processing error

  • MoveTree Syntax

    movetree {/start | /startnocheck | /continue | /check} /s SrcDSA /d DstDSA /sdn SrcDN /ddn DstDN [/u [Domain\]Username /p Password] [/verbose] [{/? | /help}]

    Parameters

    /start

    Starts a MoveTree operation. This command includes a /check operation by default (to start a MoveTree operation with no check, use /startnocheck). MoveTree tries to continue the operation until it completes; if there is a network fault or if the destination domain controller becomes unavailable, then MoveTree pauses the operation. If an operation has been paused, then it may be continued using the /continue command.

    /startnocheck

    Starts a MoveTree operation with no /check.

    /continue

    Continues the execution of a previously paused or failed MoveTree operation. This allows the MoveTree operation to continue even if a network fault or a domain controller error has interrupted the initial operation. Specifying /sdn SrcDN is optional for this command.

    /check

    Performs a test run of the MoveTree operation, checking the whole tree without moving any objects. This enables the administrator to determine if there is sufficient disk space on the destination server, if there are any conflicts with object names or if there are any objects that could not be moved (such as Domain Local or Global groups). The administrator may then take remedial action before performing the actual move.

    The /check command returns an error if any of the following conditions are met:

    The user does not have the necessary permissions to create objects in the destination container.

    The destination server does not have sufficient disk space to continue the operation.

    A relative distinguished name conflict exists on the destination server.

    There is a samAccountName conflict for any object that would be moved.

    Any objects cannot be moved because they are built-in accounts, or they are either a Domain Local or a Global group.

    Any computer objects would be moved. To move computer accounts and join the computers to the domain, use NetDom, a Windows 2000 Support Tool.

    /s SrcDSA

    Specifies the fully qualified primary DNS name of the source server in the domain from which the objects are being moved (for example, Server1.Marketing.Microsoft.Com). Required for all MoveTree commands.

    /d DstDSA

    Specifies the fully qualified primary DNS name of the destination server in the domain to which the objects are being moved (for example, Server2.Sales.Microsoft.Com). Required for all MoveTree commands.

    /sdn SrcDN

    Specifies the distinguished name of the source sub-tree (the object being moved) (for example, OU=Promotions,DC=Marketing,DC=Microsoft,DC=Com). Required for the /start, /startnocheck, and /check commands; optional for /continue.

    /ddn DstDN

    Specifies the distinguished name of the destination sub-tree (to which the object is being moved) (for example, OU=Promotions,DC=Sales,DC=Microsoft,DC=Com). Required for all MoveTree commands.

    /u [Domain\]Username /p Password

    Runs MoveTree under the credentials of a valid Username and Password. Optionally, a Domain can be specified as well. If these optional arguments are not provided, MoveTree uses the credentials of the currently logged-on user.

    /verbose

  • Runs MoveTree in verbose mode, which displays more details about the operation as it runs. Optional.

    /? or /helpDisplays this information on a command-line syntax screen.

  • MoveTree Examples

    These examples assume the following scenario:

    In the Marketing domain, there is a server called "Server1" and an organizational unit called "Promotions". In the Sales domain, there is a server called "Server2". The desired operation is to move the "Promotions" organizational unit from the Marketing domain to the Sales domain, and rename the new organizational unit "Sales Promotions".

    Example 1: Perform MoveTree Operation Test Run and Move

    You want to move the Promotions organizational unit from the Marketing domain to the Sales domain and rename the Promotions organizational unit to Sales Promotions. You decide that you want to do a test run and only perform the move if the test executes without errors. Type the following at the command line:

    movetree /start /s Server1.Marketing.Microsoft.Com /d Server2.Sales.Microsoft.com /sdn OU=Promotions,DC=Marketing,DC=Microsoft,DC=Com /ddn OU=Sales Promotions,DC=Sales,DC=Microsoft,DC=Com

    Example 2: Move Tree without Test

    You want to move the Promotions organizational unit from the Marketing domain to the Sales domain and rename the Promotions organizational unit to Sales Promotions. You decide to do the move without doing a test run first. Type the following at the command line:

    movetree /startnocheck /s Server1.Marketing.Microsoft.Com /d Server2.Sales.Microsoft.Com /sdn OU=Promotions,DC=Marketing,DC=Microsoft,DC=Com /ddn OU=Sales Promotions,DC=Sales,DC=Microsoft,DC=Com

    Example 3: Resume a Failed MoveTree Operation

    A previous MoveTree operation between Server1 in the Marketing domain and Server2 in the Sales domain failed while the objects were being moved into the "Sales Promotions" organizational unit. To resume the failed operation, type the following at the command line:

    movetree /continue /s Server1.Marketing.Microsoft.Com /d Server2.Sales.Microsoft.Com /ddn OU=Sales Promotions,DC=Sales,DC=Microsoft,DC=Com

    Example 4: Test a MoveTree Operation

    Eventually you would like to move the Promotions organizational unit from the Marketing domain to the Sales domain, renaming it to Sales Promotions. You decide to do a test run and get verbose output to study before you perform the actual move. To perform this test using the credentials of Microsoft\administrator with the password "********", type the following at the command line:

    movetree /check /s Server1.Marketing.Microsoft.Com /d Server2.Sales.Microsoft.Com /sdn OU=Promotions,DC=Marketing,DC=Microsoft,DC=Com /ddn OU=Sales Promotions,DC=Sales,DC=Microsoft,DC=Com /verbose /u Microsoft\administrator /p ********

    Example 5: Use MoveTree in a Batch File

    You want to move the Promotions organizational unit from the Marketing domain to the Sales domain and rename the Promotions organizational unit to Sales Promotions. You decide that you want to do a test run and only perform the move if the test executes without errors, but you would like to do this from a batch file. Create a batch file with the following content:

    movetree /check /s Server1.Marketing.Microsoft.Com /d Server2.Sales.Microsoft.Com /sdn OU=Promotions,DC=Marketing,DC=Microsoft,DC=Com /ddn OU=Sales Promotions,DC=Sales,DC=Microsoft,DC=Com
    rem "if errorlevel 1" is true for any error level of 1 or higher,
    rem so only a test run that returns 0 reaches :start.
    if not errorlevel 1 goto start
    goto exit
    :start
    movetree /start /s Server1.Marketing.Microsoft.Com /d Server2.Sales.Microsoft.Com /sdn OU=Promotions,DC=Marketing,DC=Microsoft,DC=Com /ddn OU=Sales Promotions,DC=Sales,DC=Microsoft,DC=Com
    :exit

    For more information about errors in MoveTree, see MoveTree ErrorLevels in MoveTree Notes.
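
    The gated move from Example 5, extended as an added example (not part of the original help file) so that it reports the MoveTree error level and resumes a paused move with /continue. It assumes that error level 0 means success and that a move paused by a network fault returns error level 3; the retry limit is an arbitrary choice.

```batch
@echo off
setlocal
rem Added example, not from the original help file.
rem Server names and DNs are the ones from the scenario on this page.
set "SRC=Server1.Marketing.Microsoft.Com"
set "DST=Server2.Sales.Microsoft.Com"
set "SDN=OU=Promotions,DC=Marketing,DC=Microsoft,DC=Com"
set "DDN=OU=Sales Promotions,DC=Sales,DC=Microsoft,DC=Com"
rem Arbitrary limit on /continue attempts (assumption, not a MoveTree setting).
set RETRIES=3

rem Test run: checks the whole tree without moving any objects.
rem The DNs are passed unquoted, in the form this page's examples use.
movetree /check /s %SRC% /d %DST% /sdn %SDN% /ddn %DDN% /verbose
set RC=%ERRORLEVEL%
rem "if errorlevel N" is true for any exit code of N or higher, so the saved
rem value is compared for equality instead.
if not "%RC%"=="0" goto report

rem /start repeats the check before moving, which catches conflicts that
rem appeared after the test run.
movetree /start /s %SRC% /d %DST% /sdn %SDN% /ddn %DDN%
set RC=%ERRORLEVEL%

:retry
rem Assumption: a move paused by a network fault or an unavailable
rem destination DC returns error level 3. /sdn is optional for /continue.
if not "%RC%"=="3" goto report
if "%RETRIES%"=="0" goto report
set /a RETRIES-=1
echo MoveTree returned error level 3, running /continue with %RETRIES% attempts left.
movetree /continue /s %SRC% /d %DST% /ddn %DDN%
set RC=%ERRORLEVEL%
goto retry

:report
rem Descriptions for 2 to 5 are the ones listed under MoveTree ErrorLevels.
if "%RC%"=="0" echo MoveTree finished without errors.
if "%RC%"=="2" echo Error level 2: directory conflict.
if "%RC%"=="3" echo Error level 3: network error, DC unavailable.
if "%RC%"=="4" echo Error level 4: system resource, low VM or disk space.
if "%RC%"=="5" echo Error level 5: internal processing error.
if not "%RC%"=="0" echo MoveTree stopped with error level %RC%. See MoveTree ErrorLevels in MoveTree Notes.
endlocal & exit /b %RC%
```

    The script exits with MoveTree's own error level, so a scheduler or calling script can act on the result.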

  • Repadmin.exe: Replication Diagnostics Tool

    This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers.

    Administrators can use RepAdmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, RepAdmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-datedness vectors.

    Normally, the Knowledge Consistency Checker (KCC) manages the replication topology for each naming context held on domain controllers.

    Important

    During the normal course of operations, there is no need to manually create the replication topology. Incorrect use of this tool may adversely impact the replication topology. The primary use of this tool is to monitor replication so that problems such as offline servers or unavailable LAN/WAN connections can be identified.

    Corresponding UI

    RepAdmin is used to troubleshoot replication issues in Active Directory. Many of the actions performed at the command line with RepAdmin can be accomplished with ReplMon.

    Concepts

    For more information on replication, see Introduction to Performance in the Help and Support Center.

    System Requirements

    The following are the system requirements for RepAdmin:

    Windows XP Professional

    Administrator rights on the domain controller

    File Required

    Repadmin.exe

  • RepAdmin Notes

    RepAdmin Terminology

    The following terminology is used in discussing RepAdmin syntax:

    NamingContext refers to the directory partitions that are part of Active Directory. This includes the three read/write naming contexts (domain, schema and configuration) and the optional read-only naming context, the Global Catalog. A naming context is specified by the distinguished name of its root (for example, DC=MyDomain,DC=Microsoft,DC=Com).

    GUID (Globally Unique Identifier) refers to the 128-bit number used to uniquely identify objects stored in the directory (for example, fa1a9e6e-2e14-11d2-aa9b-bbfc0a30094c). The GUID is sometimes referred to in the syntax line as a Universally Unique Identifier (UUID). For the purposes of RepAdmin these two terms are synonymous.

    DN is an X.500 distinguished name (for example, CN=Server1,CN=First Site,CN=Configuration,DC=Microsoft,DC=Com).

    Difference Between the objectGUID and the InvocationID

    In the RepAdmin Examples the objectGUID and the InvocationID returned by the showreps and other operations are identical hexadecimal numbers. However, they are not the same thing. An objectGUID is a unique identifier for an object that will never change. Initially the two are the same; however, when Active Directory is backed up, the InvocationID will change.

  • RepAdmin Syntax

    RepAdmin uses the following general syntax:

    repadmin Operation Parameters [/u:{domain\user}] [/pw:{password|*}]

    /u
    Specifies the username that has permissions to perform operations in Active Directory.

    /pw
    Specifies the password for the username entered with the /u parameter.

    Operations

    Repadmin bind

    Connects to and displays the replication features for a directory partition on a domain controller.

    repadmin /bind [DSA]

    Parameters

    DSA
    Specifies the host name of the domain controller (Directory Server Agent).

    Repadmin failcache

    Displays a list of failed replication events detected by the Knowledge Consistency Checker.

    repadmin /failcache [DSA]

    Parameters

    DSA
    Specifies the host name of the domain controller (Directory Server Agent).

    Repadmin getchanges

    Displays changes from a specified directory partition or changes to a specified object. Syntax 1 saves changes to a directory partition. If this information is saved to a file the getchanges operation can be run again for comparison. Syntax 2 shows changes to a specified object.

    Syntax 1

    repadmin /getchanges NamingContext [SourceDSA] [/cookie: File]

    Syntax 2

    repadmin /getchanges NamingContext [DestDSA] SourceDSAobjectGUID [/verbose] [/statistics]

    Parameters

    NamingContext
    Specifies the distinguished name of the directory partition.

    SourceDSA
    Specifies the host name of the domain controller that hosts the directory partition (Directory Server Agent) whose changes you want to view.

    /cookie: File
    Specifies a name for the file to which list changes are saved.

    DestDSA
    Specifies the host name of the domain controller that hosts the object (Directory Server Agent) whose changes you want to view.

    SourceDSAobjectGUID
    Specifies the unique hexadecimal number that identifies the object whose changes will be listed. The objectGUID can be retrieved by using the /showreps operation.

    /verbose
    Lists detailed information.

    /statistics
    Displays a summary of information about changes instead of a list of individual changes.

    Remarks

    The information from Syntax 1 can be saved to a file for later comparison.

    Examples

    See Example 6: Create a File to Determine What Changes Have Occurred Over a Period of Time.

    Repadmin kcc

    Forces the Knowledge Consistency Checker to recalculate replication topology for a specified domain controller. By default this recalculation occurs every 15 minutes.

    repadmin /kcc [DSA] [/async]

    Parameters

    DSA
    Specifies the host name of the domain controller (Directory Server Agent).

    /async
    Specifies that replication will be asynchronous. This means that RepAdmin will start the replication event, but it does not expect an immediate response from the destination domain controller. Use this parameter when there are slow links between domain controllers.

    Repadmin propcheck

    Compares properties of specified domain controllers to determine if they are up to date with each other. The source domain controller contains the original information that needs to be checked. The destination domain controller data will be compared to the source domain controller data.

    repadmin /propcheck NamingContext OriginatingDSAInvocationID OriginatingUSN [DestDSA]

    Parameters

    NamingContext
    Specifies the distinguished name of the directory partition on the source domain controller.

    OriginatingDSAInvocationID
    Specifies the unique hexadecimal number that identifies an object on a source domain controller. InvocationID can be retrieved by using the /showreps operation.

    OriginatingUSN
    Specifies the USN for the object on the source domain controller. The USN is for the object whose InvocationID is already listed.

    DestDSA
    Specifies the host name of the destination domain controller (Directory Server Agent) from which to enumerate the host DSAs.

    Repadmin queue

    Displays tasks waiting in the replication queue.

    repadmin /queue [DSA]

    Parameters

    DSA
    Specifies the host name of the domain controller (Directory Server Agent).

    Repadmin showcert

    Displays the server certificates loaded on a specified domain controller.

    repadmin /showcert [DSA]

    Parameters

    DSA
    Specifies the host name of the domain controller (Directory Server Agent).

    Repadmin showconn

    Displays the connection objects for a specified domain controller. Default is local site.

    repadmin /showconn [DSA] [{ContainerDN|DSAGUID}]

    Parameters

    DSA
    Specifies the host name of the domain controller (Directory Server Agent).

    ContainerDN
    Specifies the distinguished name of the container.

    DSAGUID
    Specifies the unique hexadecimal number that identifies the domain controller. The DSA GUID can be retrieved using the /showreps operation.

    Examples

    See Example 7: Display the Connection Objects for a Server.

    Repadmin showctx

    Displays a list of computers that have opened sessions with a specified domain controller.

    repadmin /showctx [DSA] [/nocache]

    Parameters

    DSA
    Specifies the host name of the domain controller (Directory Server Agent).

    /nocache
    Specifies that GUIDs are left in hexadecimal form. By default GUIDs are translated into strings.

    Examples

    See Example 9: Display the Context Handles for the Replication Process.

    Repadmin showism

    Displays intersite messaging routes calculated by the Knowledge Consistency Checker (KCC). This operation cannot be executed remotely.

    repadmin /showism [TransportDN] [/verbose]

    Parameters

    TransportDN
    Specifies whether the mail server is using SMTP or RPCs to send messages.

    /verbose
    Lists detailed information.

    Repadmin showmeta

    Displays the replication metadata for a specified object stored in Active Directory such as attribute ID, version number, originating and local Update Sequence Number (USN), and originating server's GUID and date/time stamp. By comparing the replication metadata for the same object on different domain controllers, an administrator can determine whether replication has taken place.

    repadmin /showmeta ObjectDN [DSA] [/nocache]

    Parameters

    ObjectDN
    Specifies the distinguished name of the object.

    DSA
    Specifies the host name of the domain controller that hosts the object (Directory Server Agent).

    /nocache
    Specifies that GUIDs are left in hexadecimal form. By default GUIDs are translated into strings.

    Repadmin showmsg

    Displays the error message for a given error number.

    repadmin /showmsg Win32Error

    Parameters

    Win32Error
    Specifies the number of the Win32 error.

    Repadmin showreps

    Displays the replication partners for each directory partition on the specified domain controller. Helps the administrator build a visual representation of the replication topology and see the role of each domain controller in the replication process.

    repadmin /showreps [NamingContext] [DSA] [SourceDSAobjectGUID] [/verbose] [/unreplicated] [/nocache]

    Parameters

    NamingContext
    Specifies the distinguished name of the directory partition.

    DSA
    Specifies the host name of the domain controller (Directory Server Agent).

    SourceDSAobjectGUID
    Specifies the unique hexadecimal number that identifies the object whose replication events will be listed.

    /verbose
    Lists detailed information.

    /unreplicated
    Shows pending changes.

    /nocache
    Specifies that GUIDs are left in hexadecimal form. By default GUIDs are translated into strings.

    Examples

    See Example 1: Display the Replication Partners of a Server.

    Repadmin showsig

    Displays the replication signature for a specified domain controller.

    repadmin /showsig [DSA]

    Parameters

    DSA
    Specifies the host name of the domain controller (Directory Server Agent).

    Examples

    See Example 8: Display the Replication Signature for a Server.

    Repadmin showtime

    Converts a directory service time value to string format for both the local and the UTC time zones.

    repadmin /showtime [DSTimeValue]

    Parameters

    DSTimeValue
    Specifies the time value that needs to be converted.

    Remarks

    With parameters omitted, repadmin /showtime displays the current system time in both the directory service format and string format.

    The string format displays both the local and UTC time zones.

    Repadmin showvector

    Displays the highest Update Sequence Number (USN) for the specified domain controller. This information shows how up to date a replica is with its replication partners.

    repadmin /showvector NamingContext [DSA] [/nocache]

    Parameters

    NamingContext
    Specifies the distinguished name of the directory partition.

    DSA
    Specifies the host name of the domain controller (Directory Server Agent).

    /nocache
    Specifies that GUIDs are left in hexadecimal form. By default GUIDs are translated into strings.

    Examples

    See Example 4: Display the Highest Update Sequence Number on a Server.

    Repadmin sync

    Starts a replication event for the specified directory partition between the source and destination domain controllers. The source DSA UUID can be determined when viewing the replication partners with the repadmin /showreps command.

    repadmin /sync NamingContext DestDSA SourceDSAUUID [/force] [/async] [/full] [/addref] [/allsources]

    Parameters

    NamingContext
    Specifies the distinguished name of the directory partition.

    DestDSA
    Specifies the host name of the domain controller (Directory Server Agent) with which you want to replicate.

    SourceDSAUUID
    Specifies the unique hexadecimal number that identifies the object whose changes will be listed. The objectGUID can be retrieved using the /showreps operation.

    /force
    Overrides the normal replication schedule.

    /async
    Specifies that the replication will be asynchronous. This means that RepAdmin will start the replication event, but it does not expect an immediate response from the destination domain controller. Use this parameter when there are slow links between domain controllers.

    /full
    Forces a full replication of all objects from the destination domain controller.

    /addref
    Directs the source to check for a notification entry on the source. If the source does not have a notification entry for this destination, one is added.

    /allsources
    A given destination may have multiple sources for the same naming context. Directs the destination to sync with all sources instead of just one.

    Examples

    See Example 2: Force a Replication Event Between Two Replication Partners.

    Repadmin syncall

    Synchronizes a specified domain controller with all replication partners.

    repadmin /syncall DestDSA [NamingContext] [Flags]

    Parameters

    DestDSA
    Specifies the host name of the domain controller (Directory Server Agent) to synchronize with all replication partners.

    NamingContext
    Specifies the distinguished name of the directory partition.

    Flags
    Performs specific actions during the replication.

    /a Abort if any server is unavailable

    /d ID servers by DN in messages

    /e Enterprise, cross sites

    /h Print this help screen

    /i Iterate indefinitely

    /I Perform showreps on each server pair in path instead of syncing

    /j Sync adjacent servers only

    /p Pause for possible user abort after every message

    /P Push changes outward from home server

    /q Quiet mode, suppress callback messages

    /Q Very quiet, report fatal errors only

    /s Do not sync

    /S Skip initial server-response check

    Examples

    See Example 3: Force a Replication Event for a Specified Directory Partition with All of its Replication Partners.

  • RepAdmin Examples

    Example 1: Display the Replication Partners of a Server

    The following example uses the showreps operation of RepAdmin to display the replication partners of Server1. This command is also used to find the objectGUID and InvocationID for a server for use with other operations.

    No parameters are required for the showreps operation. A remote connection is assumed so the server name (DSA in the syntax) is in