Using ADSI Edit to View Directory Service Partitions

ADSI Edit is a utility that is part of the support tools. Once you add the support tools, ADSI Edit is available from the Start menu > Programs > Support Tools. The Windows Server 2003 version is an MMC snap-in. With Windows Server 2008, when you view the advanced properties of an object, you will see a new Attribute Editor tab. From this tab, you can edit the settings that are available in ADSI Edit. You can perform the same tasks here that you can perform in ADSI Edit, but instead of having access to all objects and attributes in your AD DS environment, you are limited to just the object selected. With either version, you can connect to domain controllers and view the Directory Service partitions.

Figure 14.6 shows the dialog box that appears when you choose the Connect To option from the ADSI Edit context menu. From here, you can name the connection you are making to anything that will help you identify the naming context you are accessing. In the Connection Point text boxes, you can enter the fully qualified name of the naming context to which you are connecting, or you can choose one of the four well-known naming contexts. If you are connecting to one of the new application partitions, identify it by its fully qualified name.

In the Computer section, choose a domain controller to connect to, or default to the domain controller you're logged in to if you are running ADSI Edit from a domain controller.

Once you choose the naming contexts and the server to which you are connecting, you see them reflected within the ADSI Edit window, as shown in Figure 14.7. You can now expand the appropriate naming context to locate the objects you need to manipulate. Later in this chapter, and in other chapters in the book, we show how to use ADSI Edit to perform administrative troubleshooting.

Figure 14.6

ADSI Edit Connection Settings dialog box


Figure 14.7

ADSI Edit with naming contexts added
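The same view can be produced read-only from PowerShell by asking a domain controller's RootDSE which naming contexts it holds. This is an added example, not code from the book; the function name `Get-DirectoryPartition` and the host name in the last comment are hypothetical.

```powershell
# Added example: list the directory partitions a domain controller holds,
# read-only, from RootDSE. Get-DirectoryPartition is a hypothetical name.
function Get-DirectoryPartition {
    param(
        # Optional DC to query, like the Computer section of the Connect To
        # dialog. Omit it to let ADSI locate a domain controller.
        [string]$Server
    )

    $prefix  = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $rootDse = [ADSI]"${prefix}RootDSE"

    # Partitions that RootDSE names explicitly.
    $wellKnown = @{}
    $wellKnown[[string]$rootDse.defaultNamingContext]       = 'Domain (default naming context)'
    $wellKnown[[string]$rootDse.configurationNamingContext] = 'Configuration'
    $wellKnown[[string]$rootDse.schemaNamingContext]        = 'Schema'

    # namingContexts lists every partition this DC holds; anything that is
    # not one of the three above is reported as "Other".
    foreach ($nc in $rootDse.namingContexts) {
        $dn   = [string]$nc
        $kind = if ($wellKnown.ContainsKey($dn)) { $wellKnown[$dn] }
                else { 'Other (for example, an application partition)' }

        [pscustomobject]@{
            Kind              = $kind
            DistinguishedName = $dn
            AdsPath           = "$prefix$dn"   # path to bind to this partition
            AnsweredBy        = [string]$rootDse.dnsHostName
        }
    }
}

Get-DirectoryPartition | Format-Table -AutoSize
# Get-DirectoryPartition -Server 'dc01.example.com'   # constructed host name
```

The DistinguishedName column is the fully qualified name you would type into the Connection Point box to reach a partition that is not one of the well-known choices.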


Using ADSI Edit to Remove a Computer Account

If you are unsuccessful removing a computer account by using Active Directory Users and Computers, you can use this method:

1. Open ADSI Edit.

2. Expand Domain NC.

3. Expand DC=domain,DC=tld.

4. Expand OU=Domain Controllers.

5. Right-click CN=domain controller and click Delete.

Figure 14.8 displays the Domain Controllers node within ADSI Edit and the menu items you can choose.

Figure 14.8

ADSI Edit dialog box


Using ADSI Edit to Remove the File Replication Service Member

To remove a File Replication Service (FRS) member, use these steps:

1. Open ADSI Edit.

2. Expand Domain NC.

3. Expand DC=domain,DC=tld.

4. Expand CN=System.

5. Expand CN=File Replication Service.

6. Expand CN=Domain System Volume.

7. Right-click the FRS member you are removing, and click Delete.

Using ADSI Edit to Remove the Trust Domain Object

If you need to remove a trust because of a failure of the GUI utilities to perform the operation, use these steps:

1. Open ADSI Edit.

2. Expand Domain NC.

3. Expand DC=domain,DC=tld.

4. Expand CN=System.

5. Right-click the Trust Domain object and click Delete.
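Because a delete in ADSI Edit takes effect immediately, it helps to list exactly which objects the three procedures above would touch before opening the tool. The following read-only inventory is an added example, not code from the book; the function name `Find-DcRemnant` and the server name `DC02` are hypothetical, and it assumes the FRS member object carries the server's name as its CN.

```powershell
# Added example: read-only inventory of the objects the three ADSI Edit
# procedures above delete. Find-DcRemnant is a hypothetical name.
function Find-DcRemnant {
    param(
        [Parameter(Mandatory)][string]$DcName,  # short name of the failed DC
        [string]$Server                          # optional DC to query
    )

    $prefix   = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $domainNc = [string]([ADSI]"${prefix}RootDSE").defaultNamingContext

    # Escape LDAP filter metacharacters in the supplied name (RFC 4515).
    $safe = $DcName -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'

    $searches = @(
        @{ Step = 'Computer account'; Base = "OU=Domain Controllers,$domainNc"
           Filter = "(&(objectClass=computer)(cn=$safe))" }
        @{ Step = 'FRS member'; Base = "CN=File Replication Service,CN=System,$domainNc"
           Filter = "(&(objectClass=nTFRSMember)(cn=$safe))" }
        # Trust objects are named after the partner domain, so list them all.
        @{ Step = 'Trust domain object'; Base = "CN=System,$domainNc"
           Filter = '(objectClass=trustedDomain)' }
    )

    foreach ($s in $searches) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot  = [ADSI]"$prefix$($s.Base)"
        $searcher.Filter      = $s.Filter
        $searcher.SearchScope = 'Subtree'
        [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'whenChanged'))
        try {
            foreach ($hit in $searcher.FindAll()) {
                [pscustomobject]@{
                    Step              = $s.Step
                    DistinguishedName = [string]$hit.Properties['distinguishedname'][0]
                    WhenChanged       = $hit.Properties['whenchanged'][0]
                }
            }
        } catch {
            Write-Warning "$($s.Step): search under $($s.Base) failed: $($_.Exception.Message)"
        } finally {
            $searcher.Dispose()
        }
    }
}

Find-DcRemnant -DcName 'DC02' | Format-Table -AutoSize   # DC02 is a constructed name
```

Saving this output before and after the cleanup gives a record of what was removed and confirms that nothing else under those containers changed.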

Use the DNS Snap-in to Remove DNS Records

DNS records may need to be removed manually. If so, follow these steps:

1. Locate the A record within the zone, right-click the A record, and click Delete.

2. Expand the _msdcs container, locate the CNAME record, right-click the CNAME record, and click Delete.

3. If the server was a DNS server, right-click the zone, choose Properties, and then remove the server's IP address from the Name Servers tab of the resulting dialog box.

Using Active Directory Sites and Services to Remove the Domain-Controller Object

After you have removed the domain-controller references, you may have to remove the replication object from Active Directory Sites and Services:

1. Open Active Directory Sites and Services.

2. Expand Sites.

3. Expand the server's site.

4. Expand the Servers node.

5. Right-click the domain controller and click Delete.

Maintaining Security Accounts

For all of the safeguards that Microsoft has provided to ensure that identical security identifiers (SIDs) are not introduced into a domain, two accounts could still have the same SID if an administrator seizes the Relative Identifier (RID) Master role while the original RID Master is offline but still operational. If the original RID Master did not have an opportunity to receive updated replication information and is brought online, it could generate identical RIDs and allow them to be used within the domain. Any time you seize the RID Master role, you should run a check. To check for accounts that may be using identical SIDs, follow these steps:

1. Open a command prompt.

2. Type ntdsutil and press Enter.

3. Type security account management and press Enter.

4. Type check duplicate SID and press Enter.

The log file that is created from this check is placed within the directory path where you started NTDSUtil. If you changed directories to the root of the D: partition and then started NTDSUtil, you will find dupsid.log residing there. If you are lucky, you will not have any entries within the file. If there are entries, note them and delete the duplicates. To delete a duplicate SID, follow these steps:

1. Open a command prompt.

2. Type ntdsutil and press Enter.

3. Type security account management and press Enter.

4. Type cleanup duplicate SID and press Enter.

The object with the newer globally unique identifier (GUID) is removed from the database. You will then need to re-create the account that was removed during this process.

Best Practices for Optimizing Active Directory

Active Directory is the heart of your organization's infrastructure, and you need to make sure that it is performing optimally. You should be familiar with some of the tools for troubleshooting and treating any problems you may have:

♦ When troubleshooting Directory Services, increase the logging level gradually to isolate the problem if the problem isn't apparent.

♦ Always use the Recover option in NTDSUtil to commit all transactions to the database prior to running any other utilities.

♦ Don't run an offline defragmentation on the database unless you have deleted a large number of objects or you are planning to move the database and want to reduce its size.

♦ If any domain controller fails during demotion, make sure you remove the associated metadata from the database and remove all of the object information using ADSI Edit.

♦ If the last domain controller for a domain fails during demotion, make sure you remove the associated metadata from the database.

♦ Move the transaction log files to their own drive to increase the domain controller's efficiency.

♦ If the RID Master role is inadvertently seized while the original is still functioning but offline, check for duplicate SIDs when the original is returned to the network.


Responses

  • Marcel
    How to connect to active directory partition using adsi.edit?
    9 years ago
  • Bruno
    How to open adsi edit?
    8 years ago
  • jordan
    Can I delete CN=Partitions adsi edit?
    8 years ago
  • jess
    How to delete a trust with adsiedit?
    8 years ago
  • may grubb
    How edit or remove in adsiedit?
    8 years ago
  • aston
    How to view domain through adsi edit?
    8 years ago
  • LEXI
    How to use active directory support tools?
    8 years ago
  • Uwe
    How to manage trust domain adsiedit?
    7 years ago
  • cindy
    How we can see application directory partition in adsiedit?
    7 years ago
  • Caradoc
    How to connect to different domain using adsiedit?
    7 years ago
  • erminio
    How to view domain partitions in 2008 server?
    7 years ago
  • anssi rauhala
    How we get the connections in adsi edit?
    7 years ago
  • rowan tunnelly
    How to connect to a domain controller in adsiedit?
    7 years ago
  • Katharina
    How to connect to other server using adsiedit?
    7 years ago
  • janet
    Where is default naming context adsiedit?
    7 years ago
  • Haddas
    How to delete partitions cn= the directory service can perform the requested?
    7 years ago
  • pervinca
    How to clear ad sites and services from server 2008 using adsi?
    7 years ago
  • cataldo
    Where do you open adsiedit?
    7 years ago
  • pearl
    How to manage user and computer accounts using adsiedit?
    7 years ago
  • nahand
    How to view active directory partitions 2008?
    7 years ago
  • Prudenzio
    How to connect to domain partition in adsi edit?
    7 years ago
  • bell
    How to find sid in adsiedit 2008?
    7 years ago
  • amaranth
    How to open adsiedit windows server 2008?
    7 years ago
  • johnny
    Which statement we use to view public partitions of application_delete package?
    2 years ago
  • romeo
    How to trust in sid tools?
    2 years ago
  • destiny
    How to find network service in adsiedit?
    2 years ago
  • lorena
    How to check active directory domain prep adsiedit?
    1 year ago
  • otho
    How to use the asdi command?
    1 year ago
  • matta
    How to remove domain trust from adsi edit?
    1 year ago
  • chiara
    How to see domain controller partitions?
    1 year ago
  • Pentti
    How to view application partition?
    1 year ago
  • alfredo russo
    How to view application directory partition in adsi edit?
    1 year ago
  • duenna
    How to connect to dns database in adsiedit?
    1 year ago
  • Quinn
    How to view domain directory partition?
    1 year ago
  • kieran
    How to access domain partition in adsiedit?
    1 year ago
  • NOORA HUHTALA
    How to i access domain partition in adsie?
    1 year ago
  • Andrea
    How can i remove application partition from domain?
    12 months ago
  • jonatan sepp
    Where can we find the host records in adsi partitions?
    11 months ago
  • Jaana Jutila
    Can you view ad from ntdsutil?
    11 months ago
  • Michael
    How to remove a domain trust with ADSIEDIT?
    10 months ago
  • nora
    How to connect to domain naming partition?
    10 months ago
  • Mylie
    Where is domain trust object located adsi edit?
    9 months ago
  • Enrica
    Where to find trusted domain object on adsi edit?
    8 months ago
  • Anja
    Are you sure you want to remove default naming context?
    8 months ago
  • MERIMAS ZARAGAMBA
    How see roles ad adsi edit database?
    7 months ago
  • Semret
    What see rootdse partition in adsiedit?
    7 months ago
  • phillipp
    How to find AD partitions through adsi edit?
    7 months ago
  • iivari
    How to check the certificates in adsiedit?
    5 months ago
  • annett
    How to connect to forest DNS ZONE via ADSI?
    5 months ago
  • tytti
    How to check token permissions in adsi edit?
    5 months ago
  • richard
    How to check ad permission for server level through command for ADsiedit?
    4 months ago
  • ruairi
    How to check dfs partition in adsi edit?
    4 months ago
  • Jonatan
    How to check the certificates on the adsi edit?
    4 months ago
  • emmie johnstone
    How to connect to application partition from adsiedit?
    4 months ago
  • Marino Costa
    How to view partitions in adsi edit?
    4 months ago
  • Gilly
    How to find name of ad partition?
    4 months ago
  • phillipp
    How to filter adsi dnsnode dc=?
    4 months ago
  • eugene
    How to access application partition in adsi edit?
    3 months ago
  • maxima
    How to open ADSIEdit to view?
    2 months ago
  • kerstin
    How to determine domain partition by DNS sid?
    2 months ago
  • samuel craig
    How to remove a zone using ADSI EDIT in windows 20102?
    30 days ago
