Windows – Active Directory (AD) Tools available to help you debug Issues

May 14, 2013

Use for command-line maintenance of your Active Directory database. Installed by default on domain controllers and menu driven.
Although many of its functions are also available via the GUI, it’s worth becoming familiar with this tool as sometimes nothing else will do.
For example, it’s needed for cleaning up if a domain controller isn’t demoted cleanly.

Command-line tool to perform various domain controller tests to help confirm health and diagnose problems.
Part of the Support Tools suite (2000/2003) or included by default in Windows 2008.

For network-related tests and troubleshooting. Part of the Support Tools suite (2000/2003) or included by default in Windows 2008.

repadmin.exe & replmon.exe
Command-line tool to monitor and troubleshoot replication issues (repadmin.exe) and a GUI version that provides much of the same functionality (replmon.exe).

Part of the Support Tools suite (2000/2003)
or included by default in Windows 2008 (replmon is no longer provided).

Accesses information on the ntfrs service including subscription information etc. Part of the Support Tools suite (2000/2003)
or included by default in Windows 2008.

A graphical tool to monitor the status of the File Replication Service. Look for it on the Microsoft Download Center.

Low level editor for Active Directory. Installed as part of the Support Tools for Windows Server 2000 and 2003,
and installed by default when you install Active Directory on Windows Server 2008.

Group Policy Management Console (GPMC)
It’s been around for a while but you need to download it separately on 2003 (it’s included in 2008).
An improvement on the built-in group policy editor, you need at least 2003 server or XP SP1 to run it. Download it from Microsoft.

dsadd, dsget, dsmod, dsmove, dsquery, dsrm
Built-in command-line tools included with 2003 and 2008, use /? after the command for syntax.

csvde & ldifde
Built-in command-line tools included with 2000 and above, csvde is particularly useful for dumping the contents of Active Directory into a csv file,
or creating new objects from a similar file. Again, use /? after the command for help.

Created to make it easier to do bulk operations on Active Directory objects, such as modifications, imports and exports.
Requires .NET framework installed (version 2 probably). It’s currently travelling the internet
so download from http://ADModify.NET and check the Microsoft Exchange Team Blog for an introduction.

redirusr.exe and redircmp.exe
Built-in command-line tools included with Windows 2003 and above. Change the default containers for new user and computer objects respectively.

Contains tools that assist you in managing accounts and in troubleshooting account lockouts.
Use these tools in conjunction with the Account Passwords and Policies white paper.

ALTools.exe includes:

Helps isolate and troubleshoot account lockouts and to change a user’s password on a domain controller in that user’s site.
It works by adding new property pages to user objects in the Active Directory Users and Computers Microsoft Management Console (MMC).

On the client computer, helps determine a process or application that is sending wrong credentials.

Caution: Do not use this tool on servers that host network applications or services. Also, you should not use ALockout.dll on Exchange servers, because it may prevent the Exchange store from starting.
ALoInfo.exe. Displays all user account names and the age of their passwords.

Used as a startup script, allows Kerberos to log on to all your clients that run Windows 2000 and later.

Gathers specific events from event logs of several different machines to one central location.

Determines all the domain controllers that are involved in a lockout of a user in order to assist in gathering the logs.
LockoutStatus.exe uses the NLParse.exe tool to parse Netlogon logs for specific Netlogon return status codes.
It directs the output to a comma-separated value (.csv) file that you can sort further, if needed.