Xpsupport

Alphabetical List of Tools by File Name
A B C D E F G H I J K L M N O P Q R S T U V W X Y ZA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Tools are listed by their file name, followed by their full name. If the full name begins with a different letter than the file name, the
tool is also listed by its full name, followed by its file name. Hold the cursor over the name of a tool for a brief description.tool is also listed by its full name, followed by its file name. Hold the cursor over the name of a tool for a brief description.
A
Acldiag.exe (ACL Diagnostics)Acldiag.exe (ACL Diagnostics)
Active Directory Administration Tool (Ldp.exe)Active Directory Administration Tool (Ldp.exe)
Active Directory Replication Monitor (Replmon.exe)Active Directory Replication Monitor (Replmon.exe)
Addiag.exe (Application Deployment Diagnosis)Addiag.exe (Application Deployment Diagnosis)
B
No entriesNo entries
C
Compatadmin.exe (Compatibility Administration Tool)Compatadmin.exe (Compatibility Administration Tool)
D
Depends.exe (Dependency Walker)Depends.exe (Dependency Walker)
Dfsutil.exe (Distributed File System Utility)Dfsutil.exe (Distributed File System Utility)
Dhcploc.exe (DHCP Server Locator Utility)Dhcploc.exe (DHCP Server Locator Utility)
Diruse.exe (Directory Disk Usage)Diruse.exe (Directory Disk Usage)
Dmdiag.exe (Disk Manager Diagnostics)Dmdiag.exe (Disk Manager Diagnostics)
Dnscmd.exe (DNS Server Troubleshooting Tool)Dnscmd.exe (DNS Server Troubleshooting Tool)
Dsacls.exeDsacls.exe
E
Efsinfo.exe (Encrypting File System Information)Efsinfo.exe (Encrypting File System Information)
Exctrlst.exe (Extensible Performance Counter List)Exctrlst.exe (Extensible Performance Counter List)
F
Filever.exe (File Version)Filever.exe (File Version)
Ftonline.exeFtonline.exe
G
Getsid.exe (Get Security ID)Getsid.exe (Get Security ID)
Gflags.exe (Global Flags Editor)Gflags.exe (Global Flags Editor)
H, I, J, K
No entries
L
Ldp.exe (Active Directory Administration Tool)Ldp.exe (Active Directory Administration Tool)
M
Memory Pool Monitor (Poolmon.exe)Memory Pool Monitor (Poolmon.exe)
Memsnap.exe (Memory Profiling Tool)Memsnap.exe (Memory Profiling Tool)
Movetree.exe (Move Users)Movetree.exe (Move Users)
Msicuu.exe (Windows Installer Cleanup Utility)Msicuu.exe (Windows Installer Cleanup Utility)
Alphabetical List of Tools by File Name
A B C D E F G H I J K L M N O P Q R S T U V W X Y ZA B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Tools are listed by their file name, followed by their full name. If the full name begins with a different letter than the file name, the
tool is also listed by its full name, followed by its file name. Hold the cursor over the name of a tool for a brief description.tool is also listed by its full name, followed by its file name. Hold the cursor over the name of a tool for a brief description.
A
Acldiag.exe (ACL Diagnostics)Acldiag.exe (ACL Diagnostics)
Active Directory Administration Tool (Ldp.exe)Active Directory Administration Tool (Ldp.exe)
Active Directory Replication Monitor (Replmon.exe)Active Directory Replication Monitor (Replmon.exe)
Addiag.exe (Application Deployment Diagnosis)Addiag.exe (Application Deployment Diagnosis)
B
No entriesNo entries
C
Compatadmin.exe (Compatibility Administration Tool)Compatadmin.exe (Compatibility Administration Tool)
D
Depends.exe (Dependency Walker)Depends.exe (Dependency Walker)
Dfsutil.exe (Distributed File System Utility)Dfsutil.exe (Distributed File System Utility)
Dhcploc.exe (DHCP Server Locator Utility)Dhcploc.exe (DHCP Server Locator Utility)
Diruse.exe (Directory Disk Usage)Diruse.exe (Directory Disk Usage)
Dmdiag.exe (Disk Manager Diagnostics)Dmdiag.exe (Disk Manager Diagnostics)
Dnscmd.exe (DNS Server Troubleshooting Tool)Dnscmd.exe (DNS Server Troubleshooting Tool)
Dsacls.exeDsacls.exe
E
Efsinfo.exe (Encrypting File System Information)Efsinfo.exe (Encrypting File System Information)
Exctrlst.exe (Extensible Performance Counter List)Exctrlst.exe (Extensible Performance Counter List)
F
Filever.exe (File Version)Filever.exe (File Version)
Ftonline.exeFtonline.exe
G
Getsid.exe (Get Security ID)Getsid.exe (Get Security ID)
Gflags.exe (Global Flags Editor)Gflags.exe (Global Flags Editor)
H, I, J, K
No entries
L
Ldp.exe (Active Directory Administration Tool)Ldp.exe (Active Directory Administration Tool)
M
Memory Pool Monitor (Poolmon.exe)Memory Pool Monitor (Poolmon.exe)
Memsnap.exe (Memory Profiling Tool)Memsnap.exe (Memory Profiling Tool)
Movetree.exe (Move Users)Movetree.exe (Move Users)
Msicuu.exe (Windows Installer Cleanup Utility)Msicuu.exe (Windows Installer Cleanup Utility)

Msizap.exe (Windows Installer Zapper)Msizap.exe (Windows Installer Zapper)
N
Netcap.exe (Network Monitor Capture Utility)Netcap.exe (Network Monitor Capture Utility)
Netdiag.exe (Network Connectivity Tester)Netdiag.exe (Network Connectivity Tester)
Netdom.exe (Windows Domain Manager)Netdom.exe (Windows Domain Manager)
Nltest.exeNltest.exe
O
Oh.exe (Open Handles)Oh.exe (Open Handles)
P
Pageheap.exe (Page Heap)Pageheap.exe (Page Heap)
Performance Data Block Dump Utility (Showperf.exe)Performance Data Block Dump Utility (Showperf.exe)
Pfmon.exe (Page Fault Monitor)Pfmon.exe (Page Fault Monitor)
Pmon.exe (Process Resource Monitor)Pmon.exe (Process Resource Monitor)
Poolmon.exe (Memory Pool Monitor)Poolmon.exe (Memory Pool Monitor)
PPTP Ping (Point-to-Point Tunneling Protocol Ping Utilities)PPTP Ping (Point-to-Point Tunneling Protocol Ping Utilities)
Pstat.exe (Process and Thread Status)Pstat.exe (Process and Thread Status)
Q
Qfixapp.exe (Quick Fix Application)Qfixapp.exe (Quick Fix Application)
R
Repadmin.exe (Replication Diagnostics Tool)Repadmin.exe (Replication Diagnostics Tool)
Replmon.exe (Active Directory Replication Monitor)Replmon.exe (Active Directory Replication Monitor)
S
Sdcheck.exe (Security Descriptor Check Utility)Sdcheck.exe (Security Descriptor Check Utility)
Setx.exeSetx.exe
Showperf.exe (Performance Data Block Dump Utility)Showperf.exe (Performance Data Block Dump Utility)
SIDWalker (Security Administration Tools)SIDWalker (Security Administration Tools)
Snmputilg.exe (SNMP Troubleshooting Tool)Snmputilg.exe (SNMP Troubleshooting Tool)
Spcheck.exe (Service Pack Check)Spcheck.exe (Service Pack Check)
T, U, V
No entries
W
Windows Domain Manager (Netdom.exe)Windows Domain Manager (Netdom.exe)
Windows Installer Cleanup Utility (Msicuu.exe)Windows Installer Cleanup Utility (Msicuu.exe)
Windows Installer Zapper (Msizap.exe)Windows Installer Zapper (Msizap.exe)
X

Xcacls.exeXcacls.exe
X, Y, Z
No entries
©1985-2001 Microsoft Corporation. All rights reserved.

Introduction to Support Tools
The Windows Support Tools assist support personnel and network administrators to manage their networks and to
troubleshoot problems. They are not installed with the Windows operating system; you must install them separately from
the SupportTools folder of the Windows CD. This Help file provides information on the tools and shortcuts for opening or
running these tools.
Getting Help on tools
To find Help for a tool
Click A-Z List on the button bar or click Alphabetical List of Tools on the Contents tab to display a list of tools byClick A-Z List on the button bar or click Alphabetical List of Tools on the Contents tab to display a list of tools by
the tool's file name.
Click a category on the Contents tab and then click the tool's file name.
Use the Index tab to locate a tool by either tool name or file name.
Each tool is covered in a main Help topic. Links to associated topics covering syntax, examples, or other features of the
tool are available at the top of each topic for that tool. Tools with Windows interfaces may include a separate Help file
available from the Help menu in the tool window. For command-line tools, Help is also available by typing FileName /? at
the command prompt.
An extensive Glossary is available from the Contents tab. Links to glossary definitions that appear as pop-up windows areAn extensive Glossary is available from the Contents tab. Links to glossary definitions that appear as pop-up windows are
formatted in underlined dark green text.formatted in underlined dark green text.
Understanding notation and terminology
The following topics cover the conventions for usage and notation that are observed in this document:
Procedural conventionsProcedural conventions
Notational conventionsNotational conventions
This documentation assumes you are already familiar with the Windows operating system. For more general information
about Windows, including keyboard equivalents to menu and mouse actions, see Windows Help.
Printing topics
When you print from HTML Help, a dialog box opens asking whether you want to print the selected topic or to print the
selected heading and all subtopics. Printing the selected topic is recommended. If you print a heading and subtopics, you
may encounter error messages and special formatting will be lost, but the topics still print.

Notational Conventions
Convention Meaning
bold In syntax, characters that you type exactly as shown, including commands and switches. In text,
menu names and menu commands are also bold.
bold monospace Commands that you must type exactly as shown to get the results being discussed.
italic Variables for which you supply a specific value. For example, Filename.ext represents any valid
file name.
Initial Capitals
(Filename.ext)
Names of files should begin with an initial capital letter, for example, Filename.ext. Paths and
folders can be uppercase, lowercase, or mixed, according to how they actually appear in a
standard installation of the application or the operating system.
ALL CAPITALS Used for acronyms.
monospace
Examples of code.
[ ] (square
brackets)
In syntax descriptions, square brackets enclose optional items. If you include the item, type only
the information between them, not the square brackets themselves.
{choice1 |
choice2} (braces)
In syntax descriptions, braces enclose items which require a choice, such as {yes | no}. Type
only one of the choices, not the braces or the dividing line.
IntroductionIntroduction

Procedural Conventions
Convention Meaning
type An instruction to type information means to press the key or keys and then press the ENTER key.
select An instruction to select information means to highlight folders, file names, text boxes, menu bars, and
options, or to select options in a dialog box.
+ A plus sign ( + ) between two or more key names indicates that you must press the keys at the same
time; for example, ALT + TAB.
, A comma ( , ) between two or more key names indicates that you must press each key consecutively; for
example, ALT, F, X.
Note
Alerts you to supplementary information.
Caution
Alerts you to possible data loss, breaches of security, or other more serious problems.
IntroductionIntroduction

Related Information on the Internet
There are many Microsoft Internet sites that provide information and updates regarding Windows XP, Windows 2000,
Windows NT, Windows 98, and the Windows Resource Kits.
If you have an Internet connection and a Web browser, you can click the following links to visit these sites.
Windows Resource Kits Web Site
Windows Resource Kits (http://go.microsoft.com/fwlink/?LinkId=286) Web siteWindows Resource Kits (http://go.microsoft.com/fwlink/?LinkId=286) Web site
Windows Web Sites
Microsoft Windows (http://go.microsoft.com/fwlink/?LinkId=1681) Web siteMicrosoft Windows (http://go.microsoft.com/fwlink/?LinkId=1681) Web site
Windows 2000 Server (http://go.microsoft.com/fwlink/?LinkId=623) Web siteWindows 2000 Server (http://go.microsoft.com/fwlink/?LinkId=623) Web site
Windows NT Server (http://go.microsoft.com/fwlink/?LinkId=624) Web siteWindows NT Server (http://go.microsoft.com/fwlink/?LinkId=624) Web site
Windows NT Workstation (http://go.microsoft.com/fwlink/?LinkId=626) Web siteWindows NT Workstation (http://go.microsoft.com/fwlink/?LinkId=626) Web site
Microsoft Product Support Services (http://go.microsoft.com/fwlink/?LinkId=1679) Web siteMicrosoft Product Support Services (http://go.microsoft.com/fwlink/?LinkId=1679) Web site
Microsoft Windows Hardware Compatibility List (http://go.microsoft.com/fwlink/?LinkId=1637) Web site.Microsoft Windows Hardware Compatibility List (http://go.microsoft.com/fwlink/?LinkId=1637) Web site.
Other Microsoft Web Sites of Interest
Microsoft Knowledge Base Search (http://go.microsoft.com/fwlink/?LinkId=1633) Web site.Microsoft Knowledge Base Search (http://go.microsoft.com/fwlink/?LinkId=1633) Web site.
Microsoft Internet Explorer (http://go.microsoft.com/fwlink/?LinkId=293) Web siteMicrosoft Internet Explorer (http://go.microsoft.com/fwlink/?LinkId=293) Web site
Microsoft TechNet (http://go.microsoft.com/fwlink/?LinkId=1631) Web siteMicrosoft TechNet (http://go.microsoft.com/fwlink/?LinkId=1631) Web site
MSDN (http://go.microsoft.com/fwlink/?LinkId=1630) Web siteMSDN (http://go.microsoft.com/fwlink/?LinkId=1630) Web site
Microsoft Home Page
For any other information about Microsoft products, point your browser to:
Microsoft home page (http://go.microsoft.com/fwlink/?LinkId=1681) Web siteMicrosoft home page (http://go.microsoft.com/fwlink/?LinkId=1681) Web site

Acldiag.exe: ACL Diagnostics
Overview | Syntax | Examples | Related ToolsOverview | Syntax | Examples | Related Tools Open Command PromptOpen Command Prompt
This command-line tool detects and reports discrepancies in the Access Control Lists (ACLs) of objects in Active Directory.
It can also reapply a security delegation template to an ACL, eliminating special permissions and restoring incomplete
delegations.
With AclDiag, you can:
Display the Access Control Entries (ACEs) in the ACL, and inheritance and audit settings.
Display the effective permissions of users and groups to an Active Directory object.
Compare the ACL for an object in Active Directory to the default permissions defined in the schema.
Compare the ACL of an Active Directory object to a delegation template.
Reapply the delegation template to the ACL of an Active Directory object.
System Requirements
AclDiag runs on Windows 2000 and on Windows XP Professional.
The user must have permission to read permissions on Active Directory objects. To reapply a delegation template,
the user must have permission to modify permissions to the Active Directory object.
File Required
Acldiag.exe
For more information
For more information about Active Directory, see the Active Directory Overview (http://go.microsoft.com/fwlink/?For more information about Active Directory, see the Active Directory Overview (http://go.microsoft.com/fwlink/?
LinkId=1646).

AclDiag Syntax
acldiag "LDAP-URL" [/geteffective:{user | group | *}] [/schema] [/chkdeleg [/fixdeleg]] [/skip] [/tdo]
Parameters
Note
If you specify an object without additional parameters, AclDiag lists the Access Control Entries (ACEs) in the ACL,
and inheritance and audit settings.
LDAP-URL
Identifies the Active Directory object to investigate. Enter the LDAP URL for an object in Active Directory. The LDAP
URL format consists of the name of the LDAP server followed by the distinguished name of the object. The string must
be enclosed in quotation marks.
For example, "LDAP://domain.test.microsoft.com/CN=Test
Admin,CN=Users,DC=domain,DC=test,DC=microsoft,DC=com"
/geteffective:{User | Group | *}
Adds an effective rights diagnosis to the display. The effective rights diagnosis displays the effective permissions to the
object held by specified users or groups. Effective permissions are the permissions that are enforced after precedence
is applied and conflicts in rights are resolved.
Value Description
User | Group Displays the effective permissions held by the specified user or group.
* Displays the effective permissions of all users and groups in the access control list (ACL) for the
object.
/schema
Adds a schema diagnosis to the display. The schema diagnosis reports whether the object ACL includes the ACEs that
are in the schema defaults.
/chkdeleg
Adds a delegation diagnosis to the display. The delegation diagnosis reports whether the object ACL includes the ACEs
that are in the delegation template. A status of misconfigured indicates that at least one, but not all, ACEs in a
delegation template (and in the schema default) are included in the ACL.
/fixdeleg
Directs AclDiag to reapply the delegation template to the object ACL, eliminating special permissions and restoring
incomplete delegations. When the specified object inherits delegated permissions, this parameter reapplies the
delegation template to the object for which the delegated permissions are explictly defined.
Note
This parameter is effective only when used with the /chkdeleg parameter. Without /chkdeleg, /fixdeleg is
ignored, but AclDiag does not report an error.
/skip
Omits the security description from the display. The security description is a list of the ACEs in the object ACL.
/tdo
Displays output in tab-delimited format. Fixed-width format is the default. Tab-delimited format is useful when the
output is destined for a database or spreadsheet.

AclDiag Examples
To display the ACL of a user object in Active Directory, type
acldiag "LDAP://domain1.test.microsoft.com/CN=Test
Admin,CN=Users,DC=domain1,DC=test,DC=microsoft,DC=com"
To display a schema analysis of a computer object in Active Directory, type
acldiag "LDAP://domain1.test.microsoft.com/CN=MACHINE-
TEST,CN=Computers,DC=domain1,DC=test,DC=microsoft,DC=com" /schema
To display the ACL, the effective permissions for all users, and the delegation analysis of a computer object in tab-
delimited format, type:
acldiag "LDAP://domain1.test.microsoft.com/CN=MACHINE-
TEST,CN=Computers,DC=domain1,DC=test,DC=microsoft,DC=com" /chkdeleg /geteffective:* /tdo
To reapply a delegation template to a group object, type
acldiag "LDAP://domain1.test.microsoft.com/"CN=Domain
Computers,CN=Users,DC=domain1,DC=test,DC=microsoft,DC=com" /chkdeleg /fixdeleg

Dsacls.exe: DsAcls
Displays and changes permissions (access control entries) in the Access Control List (ACL) of objects in Active Directory.Displays and changes permissions (access control entries) in the Access Control List (ACL) of objects in Active Directory.
DsAcls is the command-line equivalent of the Security tab in the Properties dialog box for an Active Directory object in
Active Directory tools, such as Active Directory Users and Computers. You can use either tool to view and change
permissions to an Active Directory object.
Note
The ACEs that you add by using DsAcls must be object-specific permissions that override the default permissions
defined in the Active Directory schema for that object type. Do not add ACEs unless you are well-informed about
security for Active Directory objects.
System Requirements
DsAcls runs on Windows 2000 and on Windows XP Professional.
To view an ACL, the user must have permission to read permissions on Active Directory objects. To change an ACL,
the user must have permission to write permissions to the Active Directory object.
Files required
Dsacls.exe

DsAcls Syntax
dsacls "[Computer]ObjectDN" [/A] [/D PermissionStatement [PermissionStatement...]] [/G PermissionStatement
[PermissionStatement...]] [/I:{T | S | P}] [/N] [/P:{Y | N}] [/R {user | group} [{user | group}...]] [/S [/T]] [/?]
Note
If you specify an object without additional parameters, DsAcls displays the Access Control Entries (ACEs) in the ACL.
"[Computer]ObjectDN"
Identifies the Active Directory object to investigate. Type the distinguished name of the object. To specify an object on
a remote computer, type the computer name followed by the distinguished name. This parameter must be enclosed in
quotation marks.
For example, "CN=Jeff Akers,CN=Users,DC=domain,DC=test,DC=microsoft,DC=com" or
"Server01CN=Jeff Akers,CN=Users,DC=domain,DC=test,DC=microsoft,DC=com"
/A
Adds ownership and auditing information to the display.
/D PermissionStatement [PermissionStatement...]/D PermissionStatement [PermissionStatement...]
Denies the specified permissions to the user or group.
You can deny permissions to multiple users in each /D parameter, for example:
/D Domain1User1:CCDC Domain1User2:DC;computer
/G PermissionStatement [PermissionStatement...]/G PermissionStatement [PermissionStatement...]
Grants specified permissions to user or group.
You can grant permissions to multiple users in each /G parameter, for example:
/G Domain1User1:CCDC Domain1User2:DC;computer
/I:{T | S | P}
Specifies the objects to which the permissions are applied. This parameter determines whether the permissions are
inheritable. T is the default.
T This object and subobjects.
S Subobjects only.
P Propagate inheritable permissions one level only.
/N
Provides that the specified ACE replace the ACEs in the ACL. By default, the ACE is added to the ACL.
/P:{Y | N}
Determines whether the object can inherit permissions from its parent objects. If you omit this parameter, the
inheritance properties of the object are not changed.
Y The object is protected and cannot inherit permissions.
N The object is not protected and can inherit permissions.
Note
This parameter changes a property of the object, not of an ACE. To determine whether an ACE is inheritable, use
the /I parameter.
/R {user | group}
Deletes all ACEs for the specified users or groups.
User can be specified as user@domain or domainuser. Group can be specified as group@domain or domaingroup.
You can delete ACEs for multiple users and groups in a single /R parameter, for example, /R Domain1User1

Domain1User2
/S
Restores the security on the object to the default for that object class as defined in Active Directory schema.
/T
Restores the security on the tree of objects to the default for each object class. This parameter is valid only with the
/S parameter.
/?
Displays help for DsAcls.Displays help for DsAcls.
Syntax for PermissionStatement
PermissionStatements must have the following format:PermissionStatements must have the following format:
{User | Group}:Permissions[;{ObjectType | Property}][;InheritedObjectType]
where:
{User | Group}
Specifies the user or group to whom the rights apply. User can be specified as user@domain or domainuser. Group
can be specified as group@domain or domaingroup.
{ObjectType | Property}
Limits the permission to the specified object type or property. Enter the display name of the object type or of the
property. If an object type or property is not specified, the permission applies to all object types and properties.
For example, /G DomainUser:CC permits the user to create all types of child objects, but /G
DomainUser:CC;computer permits the user to create only child computer objects.
InheritedObjectType
Limits inheritance of the permission to the specified the type of object. Enter the display name of the object type. If an
object type is not specified, the permission can be inherited by all object types. This parameter is used only when
permissions are inheritable.
For example, /G DomainUser:CC permits all types of objects to inherit the permission, but /G
DomainUser:CC;;user permits only user objects to inherit the permission.
Permissions
Type one or more of the following values (without spaces).
Generic
Permissions Description
GR Generic Read
GE Generic Execute
GW Generic Write
GA Generic All
Specific
Permissions Description
SD Delete
DT Delete an object and all of its children
RC Read security information
WD Change security information
WO Change owner information
LC List the children of an object
CC Create child object
If {Object | Property} is not specified to define a specific child-object type, this applies to all
types of child objects; otherwise, it applies to the specified child-object type.

DC Delete a child object
If {Object | Property} is not specified to define a specific child-object type, this applies to all
types of child objects; otherwise, it applies to the specified child-object type.
WS Write to self object
Meaningful only on Group objects and when {Object | Property} is a "member.".
RP Read property
If {Object | Property} is not specified to define a specific property, this applies to all properties of
the object; otherwise, it applies to the specified property of the object.
WP Write property
If {Object | Property} is not specified to define a specific property, this applies to all properties of
the object; otherwise, it applies to the specified property of the object.
CA Control access right
If {Object | Property} is not specified to define the specific extended right for control access, this
applies to all meaningful control accesses on the object; otherwise, it applies to the specific
extended right for that object.
LO List the object access.
Can be used to grant list access to a specific object if List Children (LC) is not granted to the
parent as well. Can also be denied on specific objects to hide those objects if the user/group has
LC on the parent.
Note
Active Directory does not enforce this permission by default. The Active Directory must
be configured to check for this permission.

DsAcls Examples
Examples of valid permissions
SDRCWDWO;;user
Delete, read security information, change security information and change ownership permissions on objects of type
"user".
CCDC;group;
Create child and delete child permissions to create or delete objects of type "group".
RPWP;telephonenumber;
Read property and write property permissions on telephone number property.

Ldp.exe: Active Directory Administration Tool
Overview | Notes | UI | Examples | Related ToolsOverview | Notes | UI | Examples | Related Tools Open Command PromptOpen Command Prompt
This graphical utility is a Lightweight Directory Access Protocol (LDAP) client that allows users to perform operations (such
as connect, bind, search modify, add, delete) against any LDAP compatible directory, such as Active Directory. Use LDP to
view objects stored in Active Directory along with their metadata, such as security descriptors and replication metadata.
Note
LDP is a GUI-based, Windows Explorer-like utility with a scope pane on the left that is used for navigating through
the Active Directory namespace, and a details pane on the right that is used for displaying the results of the LDAP
operations. Any text displayed in the details pane can be selected with the mouse and "copied" to the clipboard.
Corresponding UICorresponding UI
LDP comes with its own user interface.
ConceptsConcepts
It is highly recommended that you read the Understanding LDAP whitepaper on the Microsoft Web site beforeIt is highly recommended that you read the Understanding LDAP whitepaper on the Microsoft Web site before
continuing with this document. (http://go.microsoft.com/fwlink/?LinkId=1647)
System RequirementsSystem Requirements
The following are the system requirements for LDP:
A connection to an LDAP server.
Files Required
LDP.exe

LDP Notes
Finding Required and Optional Values for an AttributeFinding Required and Optional Values for an Attribute
The schema defines objects as well as the attributes and permissible values for each. Schema classes that contain
attribute information about objects can be viewed. Search the cn=Schema,cn=Configuration,dc=ForestRootDomain
for classSchema objects to view this information.
Understanding Bind Options for LDAP AuthenticationUnderstanding Bind Options for LDAP Authentication
There are several authentication methods available in LDP that allow a client to bind to an LDAP server. The best
method depends on several factors.
Method Description
Simple Clear text password. Try not to use this as it is not secure.
MSN MSN (Microsoft Network) authentication. This package may bring up UI to prompt the user for MSN
credentials.
DPA Normandy authentication, new MSN authentication. Same usage as MSN.
NTLM NT domain authentication. Use NULL credentials and attempt to use default logged in user credentials.
Sicily Negotiate with the server for any of: MSN, DPA, NTLM. Should be used for LDAPv2 servers only.
Negotiate Use GSSAPI Negotiate package to negotiate security package of either Kerberos V5 or NTLM (or any
other package the client and server negotiate). Pass in NULL credentials to specify default logged in
user. If Negotiate package is not installed on server or client, this will fall back to Sicily negotiation.

LDP UI
To start LDP
The LDP dialog box consists of two panes. The scope pane on the left side lists the base object and any child objects. The
details pane lists the results of the LDAP operations.
Connection MenuConnection Menu
The Connection menu Options:
Option Description
Connect Opens a dialog box that opens a session with a specified LDAP server. A connection must be
established with an LDAP server before any other LDAP commands can be run. Enter the
appropriate port number for the service you are connecting to. By default LDAP uses TCP for a
connection-oriented session. To use UDP for a connectionless session, select the Connectionless
checkbox. By default a successful connection results in the display of the RootDSE information in
the detail pane.
Bind Opens a dialog box that authenticates to a specified LDAP server. Enter a username and password
of an account that has permissions to the LDAP server. If you enter an invalid user, then you will be
connected with anonymous credentials. As a shortcut, use the Bind option without using the
Connect option to connect, and authenticate with server last connected to.
Advance Opens the a dialog box that sets options for the authentication methods. See Bind under the
Options menu.
Disconnect Terminates an open session with a specified LDAP server. Closing the LDP application automatically
disconnects any open sessions.
New Keeps the currently connected session, but clears the details pane. The keyboard shortcut for this
action is CTRL+N. By default the details pane is accumulative.
Open Opens text files and places the information in the details pane.
Save Saves changes to a previously saved file.
Save as Saves the contents of the details pane to a text file. Use the Open command to view the contents of
this file in the details pane later.
Print Prints the details pane.
NOTE
LDP can only connect to one LDAP server at a time. Using the Connect command while connected to a server
will disconnect the current session.
Browse MenuBrowse Menu
The Browse menu Options:
AddAdd
Opens a dialog box that adds objects to Active Directory. The full distinguished name of the object must be
entered, as well as all of the mandatory attributes for the class of object being added.

Option Description
DN Enter the full distinguished name of the new object.
Attribute Enter the required or optional attribute.
Values Enter the value(s) associated with the attribute. Separate multiple values for a single
attribute with a semicolon. No spaces are required.
Enter Click this button to add the entered attribute and value(s) to the Entry List section of the
dialog box, and clear the Attribute and Value input boxes. Continue entering attributes and
values until all required and desired optional attributes are on the Entry List.
Insert File Opens a dialog box that allows a text file with the appropriate attributes and values to be
used.
Entry List Displays entered attributes and values.
Edit Opens a dialog box that allows changes to the selected entry from the Entry List.
Remove Deletes the selected entry from the Entry List.
Extended Select this checkbox if the object being added is part of an extended control.
Synchronous By default this checkbox is selected, requiring LDP to wait for a response from the
destination server before continuing. Clear this checkbox to allow LDP to continue before a
response is received. Clear this checkbox when slow WAN connections are causing LDP
commands to timeout.
Run Click this button to add the current attributes and values in the Entry List to Active
Directory. If LDP encounters any errors, then the object will not be added and the error will
display in the details pane.
Delete Opens a dialog box that allows an object from Active Directory to be deleted. Attributes can
be deleted only if they are defined as optional and contain no values. Use the Edit
command to delete an attributes values.
DNDN
Option Description
Dn Enter the full distinguished name of the new object.
Extended Select this checkbox if the object being deleted is part of an extended control.
Recursive
(client)
Deletes all objects in a container, but does not delete the container.
ModifyModify
Opens a dialog box that allows changes to the attributes of an object stored in Active Directory.

Option Description
Dn Enter the full distinguished name of the new object.
Attribute Enter the required or optional attribute.
Values Enter the value(s) associated with the attribute. Separate multiple values for a single
attribute with a semicolon. No spaces are required.
Insert Files Opens a dialog box that allows a text file with the appropriate attributes and values to be
used.
Enter Click this button to add the entered attribute and value(s) to the Entry List section of the
dialog box, and to clear the Attribute and Value input boxes. Continue entering attributes
and values until all required and desired optional attributes are on the Entry List.
Operation
Section
Choose between Add, Delete, and Replace. Choose Add to add a new value to an existing
attribute. Choose Delete to permanently remove an attribute from the listed object.
Attributes containing data cannot be deleted. Also, attempting to delete required attributes
results in an error. Choose Replace to replace an existing value with another. Choose
Replace to change listed values for an existing attribute.
Entry List
Section
Displays existing attributes and values for an object.
Edit Opens a dialog box that allows changes to the selected entry from the Entry List.
Synchronous By default this checkbox is selected requiring LDP to wait for a response from the
Extended Select this checkbox if the object being modified is part of an extended control.
Run Click this button to send the edited values in the Entry List to Active Directory.
Modify RDNModify RDN
Opens a dialog box that allows changes to an object's relative distinguished name. This option is designed to
modify leaf objects only. If you rename the container portion of the distinguished name, then the object will
be moved to the container that is named.
Option Description
Old DN Enter the current distinguished name of the object.
New DN Enter the new distinguished name for the object.
Delete Old Specifies that the old distinguished name should be removed from the LDAP directory. This
checkbox is selected by default.
Extended
rename
Select this checkbox if the object being renamed is part of an extended control.
Run Click this button to send the change to Active Directory.
SearchSearch
Opens a dialog box that creates a customized search filter, and performs the search on the directory
information tree. The search base must be specified as a distinguished name, and the filter must be a valid
LDAP filter. Items returned from a search are separated by >> characters.

Option Description
Base DN Enter a distinguished name to specify where the search should start from.
Filter Enter the search criteria separated by LDAP search filters. Enter attributes and values to find an
object or set of objects. Note: LDAP search filters are defined in RFC 2254, and in the
Knoweldge Base Article Q255602 "Browsing and Querying Using the LDP Utility" at MicrosoftKnoweldge Base Article Q255602 "Browsing and Querying Using the LDP Utility" at Microsoft
Product Support Services (http://www.microsoft.com/).Product Support Services (http://www.microsoft.com/).
Scope
Section
Specifies how many levels the search should encompass.
Base Searches the base object only.
One
Level
Searches objects immediately subordinate to the base object, but does not search the base
object.
Subtree Searches the entire subtree, from the base object down to all child objects.
Options
Button
Opens the Search Options dialog box. Allows the application of filters that allows some entries
and excludes others from the search, and allows controls that affect how the search is
processed. See the Options menu for more details.
Run Click this button to send the search request to Active Directory.
CompareCompare
Opens a dialog box that allows the user to compare the value of an object's attribute with a specified value.
The result returned is either true or false.
Option Description
DN Enter the full distinguished name of the object whose value(s) will be compared.
Attribute Enter attribute to be compared.
Values Enter the value(s) that will be compared with the existing value in Active Directory. Separate
multiple values for a single attribute with a semicolon. No spaces are required.
destination server before continuing. Clear the checkbox to allow LDP to continue before a
Run Starts the comparison.
Extended OpExtended Op
Opens a dialog box that allows the user to submit an extended operation to an LDAP Directory by specifying
an LDAP Object identifier (OID) and an applicable value.
Option Description
Oid Enter the Object ID number.
Data Enter the value of the OID attribute.
Controls See Controls under the Option menu.
Send Submits the extended operation to Active Directory.
GetLastErrorGetLastError
Calls the LDAP Getlasterror function.
SecuritySecurity
Option Description
Security Descriptor Opens a dialog box that allows the viewing of access permissions on an object.
User Rights Not implemented yet.

ReplicationReplication
Option Description
View
Metadata
Opens a dialog box that allows the viewing of replication metadata of an object. This
command is useful in identifying whether the objects are up to date and replicated between
domain controllers.
Process PendingProcess Pending
Opens a dialog box that shows the list of requests that are not finished processing.
View MenuView Menu
The View menu Options:
Option Description
Status Bar Shows or hides the Status Bar located along the bottom of the LDAP window.
Tree Opens a dialog box that specifies the base object in the scope pane. A default base object
can be entered in the General Options dialog box in the Auto Base DN Query input box. By
default this input box is blank and no object is listed in the scope pane.
Enterprise
Configuration
Opens the Live Enterprise Tree dialog box that shows a graphic display of all domains and
domain controllers in the enterprise. The dialog box indicates whether the domain controllers
are online or offline by marking offline domain controllers with a red X.
Auto Refresh
(min):
Enter the number of minutes that LDP should wait before refreshing the display.
Refresh Manually refreshes the display.
Options MenuOptions Menu
The Options menu Options:
Bind Options
Option Description
Function Type Specifies a category of authentication that LDP will use when choosing authentication methods.
Generic Specifies that a standard authentication protocol will be used.
Simple Specifies that no authentication protocol will be used and the password will be sent in clear
text.
Extended Not available.
Method Selects the type of authentication that LDP will use when passing credentials.
Synchronous Use this checkbox to specify that the authenticating server must respond immediately to
requests. This option only works with Simple authentication.
Use auth.
identit
Allows the use of alternate authentication credentials. All authentication methods except simple
require synchronous calls.
Search Options

Option Description
Time Limit Specifies the number of milliseconds that the search can take on the server. By default the
maximum is 120 seconds.
Size Limit Specifies the maximum number of bytes that the search can return. Entering a null value does
not place a maximum size on the data returned.
Timeout (s) Specifies the number of seconds that LDP will wait for the LDAP server to respond to a search
request.
Timeout
(ms)
Specifies the number of milliseconds that LDP will wait for the LDAP server to respond to a
search request.
Page Size Limits each page of returned data to the specified number of bytes.
Attributes Specifies which attributes will be returned in the search. Separate multiple attributes with a
semicolon. Use the asterisk (*) wildcard character to indicate all attributes.
Search Call
Type
Specifies a call type to be used in the search. If the search will take some time, then selecting
async allows you to perform other tasks while waiting for the search to complete.
Attributes
Only
Select this checkbox to return only attributes of objects. The distinguished name will not be
returned.
Chase
Referrals
Performs a search for objects found in external LDAP driectories. By default, objects' external
LDAP directories' trusts will only return a referral instead of the actual object.
Display
Results
Displays a detailed list of objects returned by the search. By default only a success or failure, and
the number of objects found, is displayed.
Sort Keys Selecting this button will open the Sort Keys Option dialog box. See Sort Keys in the Options
menu.
Controls Selecting this button will open the Controls Option dialog box.
Pending Options
Opens a dialog box that places filters on the list of processes that have not yet completed.
Option Description
All search results Specifies that all search results will be displayed.
Blocking Clear this checkbox to set a time limit.
Time Limit (sec): Specifies a time limit in seconds.
Time Limit (millisec): Specifies a time limit milliseconds
General Options
Option Description
Value Parsing
Section
Binary Displays the LDAP information in its native numerical format.
String Converts the LDAP information from its native format to ASCII characters,so that it is more
readable when displayed. This is the default setting. Values that are too long to be converted
are still displayed in binary form.
LDAP Version
Section
Specifies which version of LDAP the server is using. The default is version 3.
DN Processing
Section
Converts the distinguished names, displayed into component parts, by extending the data
types that LDP returns when performing a command. This option is useful for LDP developers.
Buffer Size Section
Option Description
Page Specifies the number of lines returned that will be displayed by LDP per command.
Line Specifies the number of characters returned that will be displayed by LDP per command.
Auto default
NC query
Specifies that LDP should query the default naming context when a connection to the LDAP server
is made. The default naming context is the RootDSE. This setting is used when the distinguished
name value in the View|Tree dialog box is left blank.
Virtual List View (VLV) Section

Option Description
Auto VLV browse when
continer size is greater
than:
Selecting this checkbox displays a pop-up window of a virtual list view, whenever
the object count is greater than the value displayed in the input box. The default
value is 100.
Connection Options
Opens a dialog box that allows the value of any option to be changed.
Option Name Enter the name of the option whose value will be reset.
Value Enter the new value for the specified option.
Set Sends the information to the LDAP Directory.
TLS Options
Starts or stops a secure session with the LDAP server using Transport Level Security (TLS).
Controls Option
Use LDAP controls to extend the functionality of LDAP.
The Object Identifier must be specified when implementing a control. To obtain a list of Object Identifiers, view the
supportedControls property in the RootDSE of a domain controller. Individual controls are described in the
Understanding LDAP whitepaper published by Microsoft (http://www.microsoft.com/).Understanding LDAP whitepaper published by Microsoft (http://www.microsoft.com/).
NOTE
Only server controls can be sent to a server. Client controls only work with LDAP APIs.
To view a list of extended LDAP controls, search for the Knowledge Base article Q222560 "Windows 2000
Extended LDAP Controls" at Microsoft Product Support Services (http://www.microsoft.com/).Extended LDAP Controls" at Microsoft Product Support Services (http://www.microsoft.com/).
Sort Keys Option
Sort Keys is a type of control that formats the display of search results.
For more information find sortKeyRequestControl in the Understanding LDAP whitepaper published by MicrosoftFor more information find sortKeyRequestControl in the Understanding LDAP whitepaper published by Microsoft
(http://www.microsoft.com/).
Utilities MenuUtilities Menu
The Utilities menu Options:
Large Integer Converter For developers to convert large integers into High and Low parts.
NOTE
LDP can only connect to one LDAP server at a time. Using the Connect command while connected to a server will
disconnect the current session.

LDP UI
Example 1: Add a New Object to an LDAP DirectoryExample 1: Add a New Object to an LDAP Directory
The following example uses LDP to add a user to Active Directory.
Click the Browse menu and select Add.1.
In the Add dialog box, enter the distinguished name of the new object in the Dn input box.2.
In the Edit Entry section, add the new attributes and values. Click Enter after typing in each attribute and
associated value:
Attribute Value
userAccountControl 512
ObjectClass User
SamAccountName Testuser2
3.
Click Edit to add the attribute or value combination to the Entry List box.4.
Once all the attributes are entered, click Run to add the information to Active Directory using LDAP APIs.5.
Example 2: Search an LDAP DirectoryExample 2: Search an LDAP Directory
The following example performs several searches on Active Directory.
Click the Browse menu and select Search.
The Search dialog box opens.
1.
In this search, the LDAP directory is Active Directory, and for usernames it contains a givenName attribute
for first names, and an attribute of sn for last names. To search for all users that have a first name of John
and a last name of either Smith or Jones, use the following filter:
(&(objectClass=user)(givenName=John)(|(sn=Smith)(sn=Jones))))
2.
To search for users that have a lastname of Jones, but filter out those users that have a first name of John
or Jane, and also filter out users that have not logged on at least 100 times. The exclamation point (!) is the
NOT operator.
(&(objectClass=user)(sn=Jones)(!givenName=John)(!givenName=Jane)(!logonCount<=100))
Note
To search for reserved characters as part of an attribute value, you must precede the reserved
character with an escape character. Use the following escape characters to represent the associated
characters:
Character Escape characters
* 2a
( 28
) 29
5c
NUL 00
3.
To search for all of the users whose display names end in a close parenthesis character, use the following
search:
4.

(&(objectClass=user)(displayName=*29))
4.
Queries support asterisk wildcards (*). To search for all users who have a surname that starts with the
letter J:
(&(objectClass=user)(sn=j*))
5.
The following search is for users whose home directories are G:Accounting. The attribute name is home-
directories:
(&(objectClass=user)(home-directory=G:5cACCOUNTING*))
6.
Example 3: Control the Returns on a Search of an LDAP DirectoryExample 3: Control the Returns on a Search of an LDAP Directory
The following example uses the Search Options dialog box to control which attributes are displayed in a search.
Just a few attributes are displayed, and the rest are filtered so that they are not displayed in the details window of
LDP.
In the Attributes input box, enter the attributes to display. Enter the following:
"memberof;range:1-20"objectClass;objectGUID
A range is specified for the memberof attribute. A semicolon is also used to do this so that the entire section
must be separated from the rest of the attributes by quotes.
Note
Separate attributes with a semicolon. No spaces are necessary. All other attributes will be filtered out
of the display.
1.
All searches will display only the memberof, objectClass, and objectGUID attributes in the details pane.
Note
To return all attributes, replace any existing list of attributes with the asterisk wildcard character (*).
2.
Example 4: Viewing Replication Metadata for an ObjectExample 4: Viewing Replication Metadata for an Object
The following example uses LDP to list the replication metadata for an object in Active Directory.
Click the Browse menu and select Replication|View Metadata.
The View Metadata dialog box opens.
1.
Enter the distinguished name of the object in the Object Dn input box.2.
Click OK3.
AttID Ver Loc.USN Originating DSA Org.USN Org.Time/Date
0 1 3693 9fad4c38-2d76-44b2-84f6-f2fe384f8450 3693 2000-12-29 09:15.02
3 1 3693 9fad4c38-2d76-44b2-84f6-f2fe384f8450 3693 2000-12-29 09:15.02
d 1 3693 9fad4c38-2d76-44b2-84f6-f2fe384f8450 3693 2000-12-29 09:15.02
20001 1 3693 9fad4c38-2d76-44b2-84f6-f2fe384f8450 3693 2000-12-29 09:15.02
20002 1 3693 9fad4c38-2d76-44b2-84f6-f2fe384f8450 3693 2000-12-29 09:15.02

Movetree.exe: Active Directory Object Manager
Overview | Notes | Syntax | Examples | Related ToolsOverview | Notes | Syntax | Examples | Related Tools Open Command PromptOpen Command Prompt
This command-line tool allows administrators to move Active Directory objects such as organizational units and usersThis command-line tool allows administrators to move Active Directory objects such as organizational units and users
between domains in a single forest. These types of operations are performed to support domain consolidation orbetween domains in a single forest. These types of operations are performed to support domain consolidation or
organizational restructuring operations.
MoveTree allows an organizational unit to be moved with all of the linked Group Policy objects in the old domain intact.MoveTree allows an organizational unit to be moved with all of the linked Group Policy objects in the old domain intact.
The Group Policy object link is moved and continues to work, and clients receive their Group Policy settings from the
Group Policy objects located in the old domain.
To move users or groups within a Windows XP Professional domain (for example, from one organizational unit to
another), use Active Directory Users and Computers, a Microsoft Management Console snap-in that is part of theanother), use Active Directory Users and Computers, a Microsoft Management Console snap-in that is part of the
Windows XP Professional operating system.
Note
You must install Adminpak.msi before you can see the Active Directory Users and Computers snap-in in
Adminstrative Tools.
ConceptsConcepts
For more information on Active Directory, see Using Active Directory in Help and Support Center.For more information on Active Directory, see Using Active Directory in Help and Support Center.
The following are the system requirements for MoveTree:
Windows XP Professional
Administrator rights
Files required
Movetree.dll
Movetree.exe

MoveTree Notes
Before Using MoveTreeBefore Using MoveTree
Before using MoveTree you should do the following to maintain peak performance:
Review all Group Policy objects that apply to a particular organizational unit, and make a note of the Group
Policy settings they contain.
1.
Recreate the Group Policy objects, linked to the moved organizational unit in the new domain, with the
desired settings.
2.
Make sure to remove the Group Policy objects linked from the old domain.3.
MoveTree LimitationsMoveTree Limitations
While MoveTree can move some Active Directory objects between domains, certain objects cannot be moved.
MoveTree is also unable to move certain associated data that may exist externally to Active Directory.
Detailed Limitations
Local and Domain Global GroupsLocal and Domain Global Groups
Local and Domain Global groups are not moved during a MoveTtee operation. During a MoveTree operation, all
security principals (for example, user accounts and groups) maintain their security identity. This means that
resources that were previously protected with ACLs do not have to have these ACLs reset. Provided that userresources that were previously protected with ACLs do not have to have these ACLs reset. Provided that user
and group memberships are maintained, security of access to resources is also maintained.
Universal GroupsUniversal Groups
Universal groups are moved intact during a MoveTree operation. However, because of group membership
rules, only empty Domain Local and Global groups can be moved. Therefore it is important to save and
recreate the memberships of Domain Local and Global groups to maintain the existing resource access
permissions.
Computer ObjectsComputer Objects
Computer objects are not moved during a MoveTree operation. Use Netdom, another Windows XP ProfessionalComputer objects are not moved during a MoveTree operation. Use Netdom, another Windows XP Professional
Support Tool, to move computer accounts between domains and to join computers to domains.
Associated DataAssociated Data
Associated data that is not moved during a MoveTree operation includes policies, profiles, logon scripts, and
users' personal data. Use additional scripts or management tools, such as the Remote Administration Scripts
(included in the Windows 2000 Resource Kit), in conjunction with MoveTree to perform these additional steps.
MoveTree cannot move the following objects:
system objects (identified by the objectClass being marked as systemOnly)
objects in the configuration or schema naming contextsobjects in the configuration or schema naming contexts
objects in the special containers in the domain: Builtin, ForeignSecurityPrincipal, System, LostAndFound
domain controllers or any object whose parent is a domain controllerdomain controllers or any object whose parent is a domain controller
any object with the same name as an object that already exists in the target domain
MoveTree may fail due to some of the following error conditions:

The source domain controller cannot transfer the RID role owner.The source domain controller cannot transfer the RID role owner.
The source object is locked due to another operation in progress (for example, if another user is currently
creating child objects under the source object that is selected for the move operation).
Either the source or destination domain have invalid credentials.
The destination knows the source object is deleted but the source does not (for example, the source object
had been deleted on a different domain controller, but due to replication latency, the source domain controllerhad been deleted on a different domain controller, but due to replication latency, the source domain controller
has not yet received the deletion event).
There is a failure at the destination domain controller (for example, Disk Full).
A Security Accounts Manager (SAM) constraint is met (for example, Duplicate SAM Account Name or sourceA Security Accounts Manager (SAM) constraint is met (for example, Duplicate SAM Account Name or source
object password length does not meet the password restrictions in the target domain).
The source and destination have a schema mismatch.
When a MoveTree Operation is Paused or HaltedWhen a MoveTree Operation is Paused or Halted
During a MoveTree operation, if the process is paused or halted, then any objects that have yet to be moved remain
in an orphan container in the Lost And Found container in the source domain. The Lost And Found container can be
viewed in the Active Directory Users and Computers snap-in (a Windows XP Professional administrative tool) when
the Advanced View menu option is selected. The orphan container is named using the globally unique identifierthe Advanced View menu option is selected. The orphan container is named using the globally unique identifier
(GUID) of the parent container being moved and can be readily identified; it will contain the objects that were(GUID) of the parent container being moved and can be readily identified; it will contain the objects that were
selected for the MoveTree operation.
For example, if an organizational unit called "Sales" was being moved, and it has an object GUID of {123-abc}, and
the MoveTree operation were halted, then the tree structure would look like this:
Lost + Found
{123-abc}
SalesSales
MoveTree ErrorLevelsMoveTree ErrorLevels
MoveTree returns ErrorLevel 0 for success and ErrorLevels 1 through 5 for different kinds of failure. These values
can be used as criteria for branching, when the tool is used in a batch file; see Example 5: Use MoveTree in acan be used as criteria for branching, when the tool is used in a batch file; see Example 5: Use MoveTree in a
Batch File in MoveTree Examples.Batch File in MoveTree Examples.
Error Level Meaning
0 Success
1 Error – command line syntax
2 Error – directory conflict (duplicate names, insufficient privilege, name conflict, immovable object)
3 Error - network error (DC unavailable)
4 Error – system resource (Low VM, disk space)
5 Error – internal processing error

MoveTree Syntax
movetree {/start | /startnocheck | /continue | /check} /s SrcDSA /d DstDSA /sdn SrcDN /ddn DstDN [/u
[Domain]Username /p Password] [/verbose] [{/? | /help}]
Parameters
/start
Starts a MoveTree operation. This command includes a /check operation by default (to start a MoveTree operation
with no check, use /startnocheck). MoveTree tries to continue the operation until it completes; if there is a network
fault or if the destination domain controller becomes unavailable, then MoveTree pauses the operation. If an operationfault or if the destination domain controller becomes unavailable, then MoveTree pauses the operation. If an operation
has been paused, then it may be continued using the /continue command.
/startnocheck
Starts a MoveTree operation with no /check.
/continue
Continues the execution of a previously paused or failed MoveTree operation. This allows the MoveTree operation to
continue even if a network fault or a domain controller error has interrupted the initial operation. Specifying /sdn
SrcDN is optional for this command.
/check
Performs a test run of the MoveTree operation, checking the whole tree without moving any objects. This enables the
administrator to determine if there is sufficent disk space on the destination server, if there are any conflicts with
object names or if there are any objects that could not be moved (such as Domain Local or Global groups). The
administrator may then take remedial action before performing the actual move.
The /check command returns an error if any of the following conditions are met:
The user does not have the necessary permissions to create objects in the destination container.
The destination server does not have sufficient disk space to continue the operation.
A relative distinguished name conflict exists on the destination server.
There is a samAccountName conflict for any object that would be moved.
Any objects cannot be moved because they are built-in accounts, or they are either a Domain Local or a Global
group.
Any computer objects would be moved. To move computer accounts and join the computers to the domain, useAny computer objects would be moved. To move computer accounts and join the computers to the domain, use
NetDom, a Windows 2000 Support Tool.NetDom, a Windows 2000 Support Tool.
/s SrcDSA
Specifies the fully qualified primary DNS name of the source server in the domain from which the objects are beingSpecifies the fully qualified primary DNS name of the source server in the domain from which the objects are being
moved (for example, Server1.Marketing.Microsoft.Com). Required for all MoveTree commands.
/d DstDSA
Specifies the fully qualified primary DNS name of the destination server in the domain to which the objects are being
moved (for example, Server2.Sales.Microsoft.Com). Required for all MoveTree commands.
/sdn SrcDN
Specifies the distinguished name of the source sub-tree (the object being moved) (for example,
OU=Promotions,DC=Marketing,DC=Microsoft,DC=Com). Required for the /start, /startnocheck, and /check
commands; optional for /continue.
/ddn DstDN
Specifies the distinguished name of the destination sub-tree (to which the object is being moved) (for example,
OU=Promotions,DC=Sales,DC=Microsoft,DC=Com). Required for all MoveTree commands.
/u [Domain]Username /p Password
Runs MoveTree under the credentials of a valid Username and Password. Optionally, a Domain can be specified as well.
If these optional arguments are not provided, MoveTree uses the credentials of the currently logged-on user.
/verbose

Runs MoveTree in verbose mode, which displays more details about the operation as it runs. Optional.
/? or /help
Displays this information on a command-line syntax screen.

MoveTree Examples
These examples assume the following scenario:
In the Marketing domain, there is a server called "Server1" and an organizational unit called "Promotions". In the SalesIn the Marketing domain, there is a server called "Server1" and an organizational unit called "Promotions". In the Sales
domain, there is a server called "Server2". The desired operation is to move the "Promotions" organizational unit from the
Marketing domain to the Sales domain, and rename the new organizational unit "Sales Promotions".
Example 1: Perform MoveTree Operation Test Run and MoveExample 1: Perform MoveTree Operation Test Run and Move
You want to move the Promotions organizational unit from the Marketing domain to the Sales domain and rename
the Promotions organizational unit to Sales Promotions. You decide that you want to do a test run and only perform
the move if the test executes without errors. Type the following at the command line:
movetree /start /s Server1.Marketing.Microsoft.Com /d Server2.Sales.Microsoft.com /sdn
OU=Promotions,DC=Marketing,DC=Microsoft,DC=Com /ddn OU=Sales
Promotions,DC=Sales,DC=Microsoft,DC=Com
Example 2: Move Tree without TestExample 2: Move Tree without Test
the Promotions organizational unit to Sales Promotions. You decide to do the move without doing a test run first.
Type the following at the command line:
movetree /startnocheck /s Server1.Marketing.Microsoft.Com /d
Server2.Sales.Microsoft.Com /sdn OU=Promotions,DC=Sales,DC=Microsoft,DC=Com /ddn
OU=Sales Promotions,DC=Sales,DC=Microsoft,DC=Com
Example 3: Resume a Failed MoveTree OperationExample 3: Resume a Failed MoveTree Operation
A previous MoveTree operation between Server1 in the Marketing domain and Server2 in the Sales domain failed
while the objects were being moved into the "Sales Promotion" organizational unit. To resume a failed the failed
operation, type the following at the command line:
movetree /continue /s Server1.Marketing.Microsoft.Com /d Server2.Sales.Microsoft.Com
/ddn OU=Sales Promotions,DC=Sales,DC=Microsoft,DC=Com
Example 4: Test a MoveTree OperationExample 4: Test a MoveTree Operation
Eventually you would like to move the Promotions organizational unit from the Marketing domain to the Sales
domain, renaming it to Sales Promotions. You decide to do a test run and get verbose output to study before you
perform the actual move. To perform this test using the credentials of Microsoftadministrator with the password
"********" type the following at the command line:
movetree /check /s Server1.Marketing.Microsoft.Com /d Server2.Sales.Microsoft.Com /sdn
OU=Promotions,DC=Sales,DC=Microsoft,DC=Com /ddn OU=Sales
Promotions,DC=Sales,DC=Microsoft,DC=Com /verbose /u Microsoftadministrator /p ********Promotions,DC=Sales,DC=Microsoft,DC=Com /verbose /u Microsoftadministrator /p ********
Example 5: Use MoveTree in a Batch FileExample 5: Use MoveTree in a Batch File
the Promotions organizational unit to Sales Promotions. You decide that you want to do a test run and only perform
the move if the test executes without errors, but you would like to do this from a batch file. Create a batch file with
the following content:
movetree /check
/s Server1.Marketing.Microsoft.Com

/d Server2.Sales.Microsoft.Com
/sdn OU=Promotions,DC=Marketing,DC=Microsoft,DC=Com
/ddn OU=Sales Promotions,DC=Sales,DC=Microsoft,DC=Com
if errorlevel 0 goto start
goto exit
:start
movetree /start
/s Server1.Marketing.Microsoft.Com
/d Server2.Sales.Microsoft.Com
/sdn OU=Promotions,DC=Marketing,DC=Microsoft,DC=Com
/ddn OU=Sales Promotions ,DC=Sales,DC=Microsoft,DC=Com
:exit
For more information about error in MoveTree, see MoveTree ErrorLevels in MoveTree Notes.For more information about error in MoveTree, see MoveTree ErrorLevels in MoveTree Notes.

Repadmin.exe: Replication Diagnostics Tool
This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers.This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers.
Administrators can use RepAdmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) asAdministrators can use RepAdmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as
seen from the perspective of each domain controller. In addition, RepAdmin can be used to manually create the
replication topology (although in normal practice this should not be necessary), to force replication events between
domain controllers, and to view both the replication metadata and up-to-datedness vectors.
Normally, the Knowledge Consistency Checker (KCC) manages the replication topology for each naming context held on
domain controllers.
Important
During the normal course of operations, there is no need to manually create the replication topology. Incorrect use
of this tool may adversely impact the replication topology. The primary use of this tool is to monitor replication so
that problems such as offline servers or unavailable LAN/WAN connections can be identified.that problems such as offline servers or unavailable LAN/WAN connections can be identified.
RepAdmin is used to troubleshoot replication issues in Active Directory. Many of the actions performed at the
command line with RepAdmin can be accomplished with ReplMon.command line with RepAdmin can be accomplished with ReplMon.
ConceptsConcepts
For more information on replication, see Introduction to Performance in the Help and Support Center.For more information on replication, see Introduction to Performance in the Help and Support Center.
The following are the system requirements for RepAdmin:
Windows XP Professional
Administrator rights on the domain controller
File Required
Repadmin.exe

RepAdmin Notes
RepAdmin TerminologyRepAdmin Terminology
The following terminology is used in discussing RepAdmin syntax:
NamingContext refers to the directory partitions that are part of Active Directory. This includes the threeNamingContext refers to the directory partitions that are part of Active Directory. This includes the three
read/write naming contexts — domain, schema and configuration — and the optional read-only naming
context, the Global Catalog. A naming context is specified by the distinguished name of its root (for example,
DC=MyDomain,DC=Microsoft,DC=Com).
GUID (Globally Unique Identifier) refers to the 128-bit number used to uniquely identify objects stored in theGUID (Globally Unique Identifier) refers to the 128-bit number used to uniquely identify objects stored in the
directory (for example, fa1a9e6e-2e14-11d2-aa9b-bbfc0a30094c). The GUID is sometimes referred to in the
syntax line as a Universally Unique Identifier (UUID). For the purposes of RepAdmin these two terms are
synonymous. DN is an X.500 distinguished name (for example, CN=Server1,CN=Firstsynonymous. DN is an X.500 distinguished name (for example, CN=Server1,CN=First
Site,CN=Configuration,DC=Microsoft,DC=Com).
Difference Between the objectGUID and the InvocationIDDifference Between the objectGUID and the InvocationID
In the RepAdmin Examples the objectGUID and the InvocationID returned by the showreps and other operations
are identical hexadecimal numbers. However, they are not the same thing. An objectGUID is a unique identifier for
an object that will never change. Initially the two are the same, however when Active Directory is backed up the
Invocation ID will change.

RepAdmin Syntax
RepAdmin uses the following general syntax:
repadmin Operation Parameters [/u:{domainuser}] [/pw:{password|*}]
/u
Specifies the username that has permissions to perform operations in Active Directory.
/pw
Specifies the password for the username entered with the u parameter.
OperationsOperations
Repadmin bindRepadmin bind
Connects to and displays the replication features for a directory partition on a domain controller.
repadmin /bind [DSA]
Parameters
DSA
Specifies the host name of the domain controller (Directory Server Agent).Specifies the host name of the domain controller (Directory Server Agent).
Repadmin failcacheRepadmin failcache
Dispays a list of failed replication events detected by the Knowledge Consistency Checker.
repadmin /failcache [DSA]
Parameters
DSA
Repadmin getchangesRepadmin getchanges
Displays changes from a specified directory partition or changes to a specified object. Syntax 1 saves changes to a
directory partition. If this information is saved to a file the getchanges operation can be run again for comparison.
Syntax 2 shows changes to a specified object.
Syntax 1
repadmin /getchanges NamingContext [SourceDSA] [/cookie: File]
Syntax 2
repadmin /getchanges NamingContext [DestDSA] SourceDSAobjectGUID [/verbose] [/statistics]
Parameters
NamingContext
Specifies the distinguished name of the directory partition.
SourceDSA
Specifies the host name of the domain controller that hosts the directory partition (Directory Server Agent)
whose changes you want to view.
/cookie: File
Specifies a name for the file to which list changes are saved.

DestDSA
Specifies the host name of the domain controller that hosts the object (Directory Server Agent) whose changes
you want to view.
SourceDSAobjectGUID
Specifies the unique hexadecimal number that identifies the object whose changes will be listed. The objectGUID
can be retrieved by using the /showreps operation.
/verbose
Lists detailed information.
/statistics
Displays a summary of information about changes instead of a list of individual changes.
Remarks
The information from Syntax 1 can be saved to a file for later comparison.
Examples
See Example 6: Create a File to Determine What Changes Have Occurred Over a Period of Time.See Example 6: Create a File to Determine What Changes Have Occurred Over a Period of Time.
Repadmin kccRepadmin kcc
Forces the Knowledge Consistency Checker to recalculate replication topology for a specified domain controller. By
default this recalculation occurs every 15 minutes.
repadmin /kcc [DSA] [/async]
Parameters
DSA
Specifies the host name of the domain controller (Directory Server Agent).
/async
Specifies that replication will be asynchronous. This means that RepAdmin will start the replication event, but it
does not expect an immediate response from the destination domain controller. Use this parameter when there
are slow links between domain controllers.are slow links between domain controllers.
Repadmin propcheckRepadmin propcheck
Compares properties of specified domain controllers to determine if they are up to date with each other. The source
domain controller contains the original information that needs to be checked. The destination domain controller data
will be compared to the source domain controller data.
repadmin /propcheck NamingContext OriginatingDSAInvocationID OriginatingUSN [DestDSA]
Parameters
NamingContext
Specifies the distinguished name of the directory partition on the source domain controller.
OriginatingDSAInvocationID
Specifies the unique hexadecimal number that identifies an object on a source domain controller. InvocationID
can be retrieved by using the /showreps operation.
OriginatingUSN
Specifies the USN for the object on the source domain controller. The USN is for the object whose InvocationID is
already listed.
DestDSA
Specifies the host name of the destination domain controller (Directory Server Agent) from which to enumerate
the host DSAs.the host DSAs.
Repadmin queueRepadmin queue
Displays tasks waiting in the replication queue.
repadmin /queue [DSA]

Parameters
DSA
Repadmin showcertRepadmin showcert
Displays the server certificates loaded on a specified domain controller
repadmin /showcert [DSA]
Parameters
DSA
Repadmin showconnRepadmin showconn
Displays the connection objects for a specified domain controller. Default is local site.
repadmin /showconn [DSA] [{ContainerDN|DSAGUID}]
Parameters
DSA
ContainerDN
Specifies the distinguished name of the container.
DSAGUID
Specifies the unique hexadecimal number that identifies the domain controller. The DSA GUID can be retrieved
using the /showreps operation.
Examples
See Example 7: Display the Connection Objects for a Server.See Example 7: Display the Connection Objects for a Server.
Repadmin showctxRepadmin showctx
Displays a list of computers that have opened sessions with a specified domain controller.
repadmin /showctx [DSA] [/nocache]
Parameters
DSA
/nocache
Specifies that GUIDs are left in hexadecimal form. By default GUIDs are translated into strings.
Examples
See Example 9: Display the Context Handles for the Replication Process.See Example 9: Display the Context Handles for the Replication Process.
Repadmin showismRepadmin showism
Displays intersite messaging routes calculated by the Knowledge Consistency Checker (KCC). This operation cannot
be executed remotely.
repadmin /showism [TransportDN] [/verbose]
Parameters
TransportDN

Specifies whether the mail server is using SMTP or RPCs to send messages.
/verbose
Lists detailed information.Lists detailed information.
Repadmin showmetaRepadmin showmeta
Displays the replication metadata for a specified object stored in Active Directory such as attribute ID, version
number, originating and local Update Sequence Number (USN), and originating server's GUID and date/time stamp.
By comparing the replication metadata for the same object on different domain controllers, an administrator can
determine whether replication has taken place.
repadmin /showmeta ObjectDN [DSA] [/nocache]
Parameters
ObjectDN
Specifies the distinguished name of the object.
DSA
Specifies the host name of the domain controller that hosts the object (Directory Server Agent).
/nocache
Specifies that GUIDs are left in hexadecimal form. By default GUIDs are translated into strings.Specifies that GUIDs are left in hexadecimal form. By default GUIDs are translated into strings.
Repadmin showmsgRepadmin showmsg
Displays the error message for a given error number.
repadmin /showmsg Win32Error
Parameters
Win32Error
Specifies the number of the Win32 error.Specifies the number of the Win32 error.
Repadmin showrepsRepadmin showreps
Displays the replication partners for each directory partition on the specified domain controller. Helps the
administrator build a visual representation of the replication topology and see the role of each domain controller in
the replication process.
repadmin /showreps [NamingContext] [DSA] [SourceDSAobjectGUID] [/verbose] [/unreplicated]
[/nocache]
Parameters
NamingContext
DSA
SourceDSAobjectGUID
Specifies the unique hexadecimal number that identifies the object whose replication events will be listed.
/verbose
Lists detailed information.
/unreplicated
Shows pending changes.
/nocache
Examples
See Example 1: Display the Replication Partners of a Server.See Example 1: Display the Replication Partners of a Server.

Repadmin showsigRepadmin showsig
Displays the replication signature for a specified domain controller.
repadmin /showsig [DSA]
Parameters
DSA
Examples
See Example 8: Display the Replication Signature for a Server.See Example 8: Display the Replication Signature for a Server.
Repadmin showtimeRepadmin showtime
Converts a directory service time value to string format for both the local and the UTC time zones.
repadmin /showtime [DSTimeValue]
Parameters
DSTimeValue
Specifies the time value that needs to be converted.
Remarks
With parameters omitted, repadmin /showtime displays the current system time in both the directory
service format and string format.
The string format displays both the local and UTC time zones.The string format displays both the local and UTC time zones.
Repadmin showvectorRepadmin showvector
Displays the highest Update Sequence Number (USN) for the specified domain controller. This information shows
how up to date a replica is with its replication partners.
repadmin /showvector NamingContext [DSA] [/nocache]
Parameters
NamingContext
DSA
/nocache
Examples
See Example 4: Display the Highest Update Sequence Number on a Server.See Example 4: Display the Highest Update Sequence Number on a Server.
Repadmin syncRepadmin sync
Starts a replication event for the specified directory partition between the source and destination domain controllers.
The source DSA UUID can be determined when viewing the replication partners with the repadmin /showrepsThe source DSA UUID can be determined when viewing the replication partners with the repadmin /showreps
command.
repadmin /sync NamingContext DestDSA SourceDSAUUID [/force] [/async] [/full] [/addref] [/allsources]
Parameters
NamingContext

destDSA
Specifies the host name of the domain controller (Directory Server Agent) with which you want to replicate.
SourceDSAUUID
Specifies the unique hexadecimal number that identifies the object whose changes will be listed. The objectGUID
can be retrieved using the /showreps operation.
/force
Overrides the normal replication schedule.
/async
Specifies that the replication will be asynchronous. This means that RepAdmin will start the replication event, but
it does not expect an immediate response from the destination domain controller. Use this parameter when there
are slow links between domain controllers.
/full
Forces a full replication of all objects from the destination domain controller.
/addref
Directs the source to check for a notification entry on the source. If the source does not have a notification entry
for this destination, one is added.
/allsources
A given destination may have multiple sources for the same naming context. Directs the destination to sync with
all sources instead of just one.
Examples
See Example 2: Force a Replication Event Between Two Replication Partners.See Example 2: Force a Replication Event Between Two Replication Partners.
Repadmin syncallRepadmin syncall
Synchronizes a specified domain controller with all replication partners.
repadmin /syncall DestDSA [NamingContext] [Flags]
Parameters
DestDSA
Specifies the host name of the domain controller (Directory Server Agent) to synchronize with all replication
partners.
NamingContext
Flags
Performs specific actions during the replication.
/a Abort if any server is unavailable
/d ID servers by DN in messages
/e Enterprise, cross sites
/h Print this help screen
/i Iterate indefinitely
/I Perform showreps on each server pair in path instead of syncing
/j Sync adjacent servers only
/p Pause for possible user abort after every message
/P Push changes outward from home server
/q Quiet mode, suppress callback messages
/Q Very quiet, report fatal errors only
/s Do not sync
/S Skip initial server-response check
Examples
See Example 3: Force a Replication Event for a Specified Directory Partition with All of its Replication Partners.See Example 3: Force a Replication Event for a Specified Directory Partition with All of its Replication Partners.

RepAdmin Examples
Example 1: Display the Replication Partners of a ServerExample 1: Display the Replication Partners of a Server
The following example uses the showreps operation of RepAdmin to display the replication partners of Server1.
This command is also used to find the objectGUID and InvocationID for a server for use with other operations.
No parameters are required for the showreps operation. A remote connection is assumed so the server name (DSA
in the syntax) is included. Type the following at the command line:
repadmin /showreps server1.microsoft.com
Press enter and the following output is displayed:
Building7aserver1
DSA Options : IS_GC
objectGUID : 415db077-le28-4855-b225-c5bb9af6f50b
InvocationID: 415db077-le28-4855-b225-c5bb9af6f50b
==== INBOUND NEIGHBORS ======================================
CN=Schema,CN=Configuration,DC=microsoft,Dc=com
Building7bserver2 via RPC
objectGuid: e55c6c85-85bb-495a-a0d3-020a44c3afe7
last attempt @ 2001-08-26 11:47.15 was successful.
CN=Configuration,DC=microsoft,Dc=com
@nbsp last attempt @ 2001-08-26 12:02.30 was successful.
DC=microsoft,Dc=com
last attempt @ 2001-08-26 11:48.16 was successful.
==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============
CN=Schema,CN=Configuration,DC=microsoft,Dc=com
CN=Configuration,DC=microsoft,Dc=com
DC=microsoft,Dc=com

objectGuid: e55c6c85-85bb-495a-a0d3-020a44c3afe7objectGuid: e55c6c85-85bb-495a-a0d3-020a44c3afe7
Example 2: Force a Replication Event Between Two Replication PartnersExample 2: Force a Replication Event Between Two Replication Partners
The following example uses the sync operation of RepAdmin to force the domain directory partition for Microsoft.com on Server1 to
replicate with the domain directory partition on Server2. This makes Server2, the source, and Server1, the destination server.
The required parameters for the sync operation are the name of the directory partition (NamingContext in the syntax), the name o
server that will receive changes (Destination_DSA in the syntax), and the objectGUID of the directory partition that will send the ch
(Source_DSAUUID in the syntax). Type the following at the command prompt:
repadmin /sync dc=microsoft,dc=com server1.microsoft.com e55c6c85-85bb-495a-a0d3-020a44c3afe7
Sync from e55c6c85-85bb-495a-a0d3-020a44c3afe7 to server1.microsoft.com completed successfSync from e55c6c85-85bb-495a-a0d3-020a44c3afe7 to server1.microsoft.com completed successf
Example 3: Force a Replication Event for a Specified Directory Partition with All of Its Replication PartnersExample 3: Force a Replication Event for a Specified Directory Partition with All of Its Replication Partners
The following example uses the syncall operation of RepAdmin to force the domain directory partition for
Microsoft.com on Server1 to replicate with all of its replication partners.
The required parameters for the syncall operation are the server name (DestDSA in the syntax). The name of the
directory partition (NamingContext in the syntax) that will be synchronized is included also. If this name is not
included, then all directory partitions are synchronized. Type the following at the command line:
repadmin /syncall server1.microsoft.com dc=microsoft,dc=com
CALLBACK MESSAGE: SyncAll Finished.CALLBACK MESSAGE: SyncAll Finished.
Example 4: Display the Highest Update Sequence Number on a ServerExample 4: Display the Highest Update Sequence Number on a Server
The following example uses the showvector operation of RepAdmin to show the highest USNs for a specified
directory partition on each replication partner. In this example, there are only two replication partners and the
directory partition is the domain directory partition for the Microsoft.com domain.
The only required parameter for the showvector operation is the name of the directory partition (NamingContext in
the syntax). A remote connection is assumed so a server name (DSA in the syntax) is also included. Type the
following at the command prompt:
repadmin /showvector dc=microsoft,dc=com server2.microsoft.com
Building7aserver1 @ USN 173259
Building7bserver2 @ USN 51830Building7bserver2 @ USN 51830
Example 5: View Unreplicated Changes Between Two ServersExample 5: View Unreplicated Changes Between Two Servers
The following example uses the getchanges operation of RepAdmin to show changes that have not yet replicated
between Server1 and Server2. In this example Server1 is the source server and is sending the changes while
Server2 is the destination server and is receiving the changes.
This is one implementation of the getchanges operation. For another implementation of this operation see ExampleThis is one implementation of the getchanges operation. For another implementation of this operation see Example

6: Create a File to Determine What Changes Have Occurred Over a Period of Time.6: Create a File to Determine What Changes Have Occurred Over a Period of Time.
The required parameters for this version of the getchanges operation are the name of the directory partition
(referred to in the syntax line as naming context) and the objectGuid of the directory partition on the source server
(referred to as Source_DSA_UUID in the syntax line). A remote connection is assumed so the destination server
name (referred to in the syntax line as Dest DSA) is also included. Type the following at the command prompt:
repadmin /getchanges dc=microsoft,dc=com server2.microsoft.com 415db077-1e28-4588-b225-
c5bb9af6f50b
Building starting position from destination server server2.microsoft.com
Source Neighbor:
dc=microsoft, dc=com
Building7aserver1 via RPC
objectGuid: 415db077-1e28-4588-b225-c5bb9af6f50b
Address: 415db077-1e28-4588-b225-c5bb9af6f50b._msdcs.microsoft.com
ntdsDsa invocationID: 415db077-1e28-4588-b225-c5bb9af6f50b
WRITEABLE DO SCHEDULE SYNCS COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
USNs: 173257/OU, 173257/PU
Last attempt @ 2001-08-26 12:44.11 was successful.
Destination's Up To Dateness Vector:
4 @ USN 173277
b @ USN 51810
==== Source DSA: 415db077-1e28-4588-b225-c5bb9af6f50b._msdcs.microsoft.com ====
No changes.No changes.
Example 6: Create a File to Determine What Changes Have Occurred Over a Period of TimeExample 6: Create a File to Determine What Changes Have Occurred Over a Period of Time
The following example uses the getchanges operation of RepAdmin to create a file that records replication changes.
By running the getchanges operation later you can compare the file created earlier to the current replication state.
This is one implementation of the getchanges operation. For another implementation of this operation see ExampleThis is one implementation of the getchanges operation. For another implementation of this operation see Example
5: View Unreplicated Changes Between Two Servers.5: View Unreplicated Changes Between Two Servers.
The only required parameter for this version of the getchanges operation is the name of the directory partition
(NamingContext in the syntax) on which the check should be performed. In this example, the check is performed
remotely so the server name (SourceDSA in the syntax) is included as well as the /cookie parameter, along with
the name of the file to be created. Type the following at the command prompt:
repadmin /getchanges dc=microsoft,dc=com server2.microsoft.com /cookie:microsoft.txt
Using cookie from file microsoft.txt (132 bytes)
==== Source DSA: server2.microsoft.com ====
No changes.
Using cookie from file microsoft.txt (132 bytes)Using cookie from file microsoft.txt (132 bytes)

Example 7: Display the Connection Objects for a ServerExample 7: Display the Connection Objects for a Server
The following example uses the showconn operation of RepAdmin to show connection objects for a server.
No parameters are required for showconn operation. In this example, a remote connection is assumed so the
server name (DSA in the syntax) is specified. All connection objects for Server2 are shown. Type the following at the
command prompt:
repadmin /showconn server2.microsoft.com
Show Connection Objects
CN=Building7b,CN=Sites,CN=Configuration,DC=microsoftDc=com:
server2febe8edf-85b6-4744-902a-1754c1401ac2
enabledConnection: TRUE
fromServer: Building7aserver1
TransportType: IP
options: isGenerated overrideNotifyDefault
ReplicatesNC: CN=Configuration,DC=microsoft,DC=com
ReplicatesNC: DC=microsoft,DC=com
whenChanged: 20000526193849.0Z
whenCreated: 20000526193849.0ZwhenCreated: 20000526193849.0Z
Example 8: Display the Replication Signature for a ServerExample 8: Display the Replication Signature for a Server
The following example uses the showsig operation of RepAdmin to show the replication signature for a server.
No parameters are required for the showsig operation. In this example, a remote connection is assumed so the
server name (DSA in the syntax) is specified. Type the following at the command prompt:
repadmin /showsig server1.microsoft.com
Press Enter and the following output is displayed:
Building7aserver1
415db077-1e28-4588-b255-c5bb9af6f50b (current)
No retired signatures.No retired signatures.
Example 9: Display the Context Handles for the Replication ProcessExample 9: Display the Context Handles for the Replication Process
The following example uses the showctx operation of RepAdmin to show the open connections to the server that
are established by remote servers.
No parameters are required for the showctx operation. This example specifies the directory partition
(NamingContext in the syntax) and the server name (DSA in the syntax) on which the check should be performed.
Type the following at the command prompt:
repadmin /showctx server2.microsoft.com
Press enter and the output similar to the following is displayed:
6 open handles.
NTDSAPI client @ 157.59.128.201 (PID 948) (Handle 0x5c925c8)

bound, refs=1, lasted used 2000-05-26 10:23.9
Building7aserver1 @ 157.59.128.242 (PID 256) (Handle 0x914e100)
NTDSAPI client @ 127.0.0.1 (PID 1368) (Handle 0x5c92330)
NOT bound, refs=0, lasted used 2000-05-26 13:41.52
NTDSAPI client @ 157.59.128.201 (PID 244) (Handle 0x5c5bd08)
NTDSAPI client @ 127.0.0.1 (PID 1420) (Handle 0x91b88e8)
NTDSAPI client @ 127.0.0.1 (PID 1356) (Handle 0x5c8e290)

Replmon.exe: Active Directory Replication Monitor
Overview | Notes | UI | Examples | Related ToolsOverview | Notes | UI | Examples | Related Tools Run ToolRun Tool
This GUI tool enables administrators to view the low-level status of Active Directory replication, force synchronization
between domain controllers, view the topology in a graphical format, and monitor the status and performance of domainbetween domain controllers, view the topology in a graphical format, and monitor the status and performance of domain
controller replication.controller replication.
You can use ReplMon to do the following:
See when a replication partner fails.
View the history of successful and failed replication changes for troubleshooting purposes.
View the properties of directory replication partners.
Create your own applications or scripts written in Visual Basic Scripting Edition (VBScripts) to extract specific data
out of Active Directory and act on it.
View a snapshot of the performance counters on the computer, and the registry configuration of the server.View a snapshot of the performance counters on the computer, and the registry configuration of the server.
Generate status reports that include direct and transitive replication partners and detail a record of changes.
Find all direct and transitive replication partners on the network.
Display replication topology.
Poll replication partners and generate individual histories of successful and failed replication events.
Force replication.
Trigger the Knowledge Consistency Checker to recalculate the replication topology.
Display changes that have not yet replicated from a given replication partner.
Display a list of the trust relationships maintained by the domain controller being monitored.
Display the metadata of an Active Directory objects' attributes.
Monitor replication status of domain controllers from multiple forests.
Note
Installing ReplMon in a directory other than the default might result in errors. For more information, see InstallingInstalling ReplMon in a directory other than the default might result in errors. For more information, see Installing
ReplMon.ReplMon.
ReplMon provides its own user interface. See ReplMon UI for more information.ReplMon provides its own user interface. See ReplMon UI for more information.
ConceptsConcepts
For more information about deploying and using Active Directory, see the Active Directory OverviewFor more information about deploying and using Active Directory, see the Active Directory Overview
(http://go.microsoft.com/fwlink/?LinkId=1646) Web site.
The following are the system requirements for ReplMon:
ReplMon must be installed on a computer running Windows XP Professionalr. The computer can be a domain
controller, member server, member workstation, or standalone computer.
Files Required
Comctl32.ocx
Comdlg32.ocx

Ctl3d32.dll
Iadstools.dll – component DLL that hosts the functions used by ReplMon
Iadstools.doc - documentation for IADsTools
Replmon.exe
Tabctl32.ocx

Xpsupport

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Xpsupport

Similar to Xpsupport (20)

More from Adil Jafri

More from Adil Jafri (20)

Xpsupport