viii

Books

Contents
Chapter 7 Command-Line, Support, and
Microsoft Windows Server 2003 Resource Kit Tools . . . . . . . . . . . . . . . . . 123
Windows 2003 Built-In Command-Line Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Built-In Command-Line Event-Log Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Eventcreate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Eventquery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Eventtriggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Built-In AD Management Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Dsadd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Dsadd User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Dsquery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Dsquery User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Windows 2003 Support Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Support Tools Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
AD Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Dcdiag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Dcdiag with Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Dcdiag with Dcpromo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Replmon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Windows 2003 Resource Kit Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Active Directory Users and Computers Enancement Tools . . . . . . . . . . . . . . . . . . . . 139
Acctinfo.dll . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Rcontrolad . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Event Manipulation Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Custreasonedit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
EventCombMT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Next: Special Domain Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
 123

Chapter 7:

Command-Line, Support, and

Microsoft Windows Server 2003
Resource Kit Tools
GUI is good. Command-line is better. What’s in the box is tasty. But add-ons are sweeter. Poetry
aside, those lines indicate what this chapter offers. I’ll review how to work with some key Windows
Server 2003 (Windows 2003) tools that offer great benefits – if you know how to use them.
I discuss selected command-line tools, support tools, and resource kit tools. From these tool
sources, you’ll be able to build a custom toolkit tailored to your environment.

Windows 2003 Built-In Command-Line Tools

The advantage of command-line tools is that you can use them without a GUI. This option is helpful
when you use Telnet or, as I discussed in Chapter 6, when you use the Special Administration
Console (SAC) through Windows 2003’s Emergency Management Services (EMS). Additionally, some
tools can run under a normal user context and are therefore useful inside logon or startup scripts.
The downside of command-line tools is the learning curve. The tool names are hard to
remember, and the multiple options that the tools offer can be equally baffling. However, although
command-line tools can be cumbersome, their benefits typically outweigh their drawbacks.
When it comes to Windows 2003, the Microsoft development team got command-line tools right.
Although not all GUI options are scriptable, those that are scriptable are well implemented and
equally well documented.
To get a list of the command-line utilities available in Windows 2003, open the Help and Support
Center and locate the Command-line reference A-Z, which Figure 7.1 shows. (Notice, however, that
the last tool in the alphabet is Xcopy. Perhaps Windows 2006 will have commands that start with
Y and Z.)

Brought to you by NetIQ and Windows & .NET Magazine eBooks

124 Windows 2003: Active Directory Administration Essentials

Figure 7.1
The Help and Support Center list of command-line tools

j Tip
Typically, to reach the list of command-line utilities, I type
command line reference

in the search window.

You can also immediately locate the Help and Support Center list of command-line utilities by
opening a command prompt and typing
hh ntcmds.chm

Brought to you by NetIQ and Windows & .NET Magazine eBooks

 Chapter 7 Command-Line, Support, and Microsoft Windows Server 2003 Resource Kit Tools 125

Windows 2003 offers a bevy of command-line tools – almost too many. To keep the command-
line tool section of the chapter manageable, I’ll limit my discussion to those tools that help you
manage the event log and Active Directory (AD).

n Note Don’t let the myriad options that each tool offers befuddle you. Almost every tool has a /?
option that lists the tool’s options. Alternatively, you can click the name of a tool listed in
Figure 7.1 to display that tool’s command-line options.

Built-In Command-Line Event-Log Tools

The event log is perhaps the most underutilized Windows troubleshooting tool. Event logs record
more useful knowledge than almost any other tool. The problem is that you have to keep checking
them. Although third-party tools can help you consolidate and manage your event logs, you can also
improve your event-log experience with some of the built-in tools at your disposal. I’ll examine three
built-in tools that can help you manage your event logs: Eventcreate, Eventquery, and Eventtriggers.

Eventcreate
Eventcreate lets an administrator create a custom event in a specified event log. If you’re a batch file
junky, and you want to have the status of your jobs reported to the event log, you’ll want to use the
Eventcreate tool.
The Eventcreate syntax from the Help file reads

eventcreate [/s Computer [/u Domain\User [/p Password]] {[/l {APPLICATION | SYSTEM}] |
[/so SrcName]} /t {ERROR | WARNING | INFORMATION} /id EventID /d Description

n Note According to Microsoft’s formatting legend, italics indicate information the user must supply;
boldface indicates something the user must type exactly as shown; an ellipsis indicates a
parameter that can be repeated in a command; brackets indicate optional items; braces
indicate choices from which the user must choose one only; and Courier font indicates code or
program output.

Figure 7.2 shows a sample batch file script that, if a flag file is found, reports the finding to
the event log.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

126 Windows 2003: Active Directory Administration Essentials

Figure 7.2
Deploying Eventcreate

When the script reports the finding to the event log, the result appears in the format that
Figure 7.3 shows.

Figure 7.3
Result of an Eventcreate finding

The Eventcreate tool is handy, but it becomes even handier when you use it with utilities such as
Eventquery and EventCombMT. (I discuss EventCombMT in the Windows 2003 resource kit utilities
section toward the end of the chapter.)

Brought to you by NetIQ and Windows & .NET Magazine eBooks

 Chapter 7 Command-Line, Support, and Microsoft Windows Server 2003 Resource Kit Tools 127

Eventquery
Eventquery’s purpose is to query event logs on Windows 2003 servers for information already in the
logs – including information you set the event logs to capture through Eventcreate. However, if you
try to use the Eventquery tool without preparation, you get the message that Figure 7.4 shows. You
first need to change the default command processor.

Figure 7.4
Changing the default command processor

At the command prompt, type

cscript //H:CSCRIPT //S

which changes the command processor from the interactive GUI script processor to CScript.
The Eventquery syntax from the Help file reads

eventquery[.vbs] [/s Computer [/u Domain\User [/p Password]]] [/fi FilterName] [/fo {TABLE |
LIST | CSV}] [/r EventRange [/nh] [/v] [/l [APPLICATION] [SYSTEM] [SECURITY] ["DNS server"]
[UserDefinedLog] [DirectoryLogName] [*] ]

If I want to query all events that have event ID 106 in the Application log of the server I’m currently
on, for example, I can type
eventquery.vbs /FI “ID eq 106” /l Application

and get the results that Figure 7.5 shows. Note that the response is available because I entered event
ID 106 onto this server with Eventcreate.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

128 Windows 2003: Active Directory Administration Essentials

Figure 7.5
Querying a server with Eventquery

Eventtriggers
The Eventtriggers tool ties your event-management efforts together. That is, when an event you want
to monitor pops into the event log, you can have Eventtriggers notify you or set a command to
execute automatically. It’s like having someone dedicated to monitoring the server logs and acting
upon them if necessary.
The Eventtriggers tool includes three commands:
• Eventtriggers create
• Eventtriggers query
• Eventtriggers delete

For monitoring and notification to occur, you must first create the Eventtrigger, which will then
monitor and act upon the occurrence of logged events that meet the criteria you set up. After you
create some triggers, you can see them at work by using the Eventtriggers query command. You can
delete Eventtriggers with the Eventtriggers delete command.
As an example, I’ll create an Eventtrigger for event ID 106. That is, if event ID 106 appears in the
Application log, Eventtriggers fires off a batch file in response. In this example, I use the syntax
eventtriggers /create /tr “FilePresent” /l application /eid 106 /tk
\\vmserver2\share\gobatch.cmd

which Figure 7.6 shows. This syntax creates a trigger named FilePresent and checks the Application
log for event ID 106. If Eventtriggers finds event ID 106, it automatically triggers the command
gobatch.cmd

which you can also see in Figure 7.6.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

 Chapter 7 Command-Line, Support, and Microsoft Windows Server 2003 Resource Kit Tools 129

Figure 7.6
Deploying Eventtriggers to trigger actions based on events

n Note You also have available the command Evntcmd, which converts events to SNMP traps, or
notifications. Evntcmd might be useful if you have many SNMP-related devices – and a
management station that’s configured to address SNMP traps. For more information about
SNMP traps, refer to my eBook The Definitive Guide to Enterprise Manageability, which NetIQ
also sponsors. You’ll find the eBook at http://www.netiq.com/offers/ebook/default.asp and the
SNMP information in Chapter 5.

To test my Eventtrigger command syntax, I used the same command that I used when I
experimented with Eventcreate. That is, I created an event with event ID 106, then watched my
trigger react and execute the batch file. (The batch file that Eventtrigger triggers might send an email,
display a pop-up, or perform any number of actions.)

Built-In AD Management Tools

Microsoft has included a suite of command-line AD management tools in Windows 2003’s base
installation. Without your having to write custom scripts, these commands help you perform basic
directory maintenance. I think you’ll find the following built-in AD management tools and their
functions particularly useful.
• Dsadd – Adds objects to the directory
• Dsmove – Moves objects from their current directory location to a new location
• Dsget – Gets information about and displays the properties of directory objects
• Dsmod – Modifies specific attributes of objects already present in the directory
• Dsquery – Locates directory objects that fit specified criteria
• Dsrm – Removes objects or a portion of a directory subtree

Brought to you by NetIQ and Windows & .NET Magazine eBooks

130 Windows 2003: Active Directory Administration Essentials

Although I lack the space to explore all the built-in tools and their commands in detail, I’ll show
you the essential “ropes” with two of the tools and you can take it from there. I’ll discuss the Dsadd
tool’s Dsadd user command and the Dsquery tool’s Dsquery user command.

Dsadd
Dsadd gives you a simple way to add several kinds of entities to AD quickly. The six Dsadd
commands are
• Dsadd computer
• Dsadd contact
• Dsadd group
• Dsadd OU
• Dsadd user
• Dsadd quota
Dsadd User
The Dsadd user syntax from the Help file looks a little daunting. It reads

dsadd user UserDN [-samid SAMName] [-upn UPN] [-fn FirstName] [-mi Initial] [-ln LastName]
[-display DisplayName] [-empid EmployeeID] [-pwd {Password | *}] [-desc Description]
[-memberof Group;...] [-office Office] [-tel PhoneNumber] [-email Email] [-hometel
HomePhoneNumber] [-pager PagerNumber] [-mobile CellPhoneNumber] [-fax FaxNumber]
[-iptel IPPhoneNumber] [-webpg WebPage] [-title Title] [-dept Department] [-company Company]
[-mgr Manager] [-hmdir HomeDirectory] [-hmdrv DriveLetter:] [-profile ProfilePath] [-loscr
ScriptPath] [-mustchpwd {yes | no}] [-canchpwd {yes | no}] [-reversiblepwd {yes | no}]
[-pwdneverexpires {yes | no}] [-acctexpires NumberOfDays] [-disabled {yes | no}] [{-s Server |
-d Domain}] [-u UserName] [-p {Password | *}] [-q] [{-uc | -uco | -uci}]

Don’t let the extreme set of options deter you from deploying this command. You’ll find that
Dsadd goes well beyond the capabilities of the old Net user command. With Dsadd, you can set
virtually every option typically found in a user object.
For example, you can create a new user object for Jane Martin in DomainA’s marketing
organizational unit (OU). In this example, her first name is Jane, her middle initial is A, and her last
name is Martin. She is a member of the Backup Operators group, and her telephone number is
302-555-1212. You would use the syntax
Dsadd user cn=Jane_Martin,ou=marketing,dc=domaina,dc=com -fn Jane mi A -ln Martin
display “Jane Martin” memberof “cn=Backup Operators,cn=builtin,dc=domaina,dc=com”
tel “302-555-1212”

which Figure 7.7 shows.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

 Chapter 7 Command-Line, Support, and Microsoft Windows Server 2003 Resource Kit Tools 131

Figure 7.7
Deploying Dsadd user to add user accounts anywhere in AD

j Tip
Dsadd is particular about its input requirements, especially when you specify the distinguished
name (DN) of the account you want to create and the group or groups to which you want to
add that user account. When you use Dsadd, you’ll need to be precise.

Dsquery
The powerful Dsquery tool lets you search all of AD for specific object types. The Dsquery tool’s
commands are
• Dsquery computer
• Dsquery contact
• Dsquery group
• Dsquery OU
• Dsquery site
• Dsquery server
• Dsquery user
• Dsquery quota
• Dsquery partition

You can also use Dsquery * – which provides a global search through your entire AD.
Again, because I don’t have unlimited space for examples, I’ll restrict my example to one
Dsquery command – Dsquery user.
Dsquery User
You’ll probably use the Dsquery user command often. This useful command helps you locate user
objects in the directory.
The syntax from the Help file reads

Brought to you by NetIQ and Windows & .NET Magazine eBooks

132 Windows 2003: Active Directory Administration Essentials

dsquery user [{StartNode | forestroot | domainroot}] [-o {dn | rdn | upn | samid}] [-scope
{subtree | onelevel | base}] [-name Name] [-desc Description] [-upn UPN] [-samid SAMName]
[-inactive NumberOfWeeks] [-stalepwd NumberOfDays] [-disabled] [{-s Server | -d Domain}]
[-u UserName] [-p {Password | *}] [-q] [-r] [-gc] [-limit NumberOfObjects] [{-uc | -uco | -uci}]

The best news is that you can keep this syntax very short to get a quick result back. For
example, if you want to check the location of all the users in your domain named Jane, you would
simply type
dsquery user name Jane*

Figure 7.8 shows the results of that query: all the DNs in your domain that include “Jane” in the
name. This kind of DN-related query is particularly handy for backup and recovery purposes should
you need to perform an authoritative restore, which I discussed in the Chapter 6.

Figure 7.8
Deploying Dsquery user to locate users in AD

Windows 2003 Support Tools

The support tools are an important element in maintaining server and AD health. You’ll discover
an excellent set of advanced tools available as an additional install but free on the Windows 2003
CD-ROM.

Support Tools Installation

To locate the support tools, navigate to <cd-rom>:\Support\Tools and launch SUPTOOLS.MSI, which
Figure 7.9 shows.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

 Chapter 7 Command-Line, Support, and Microsoft Windows Server 2003 Resource Kit Tools 133

Figure 7.9
Locate SUPTOOLS.MSI

j Tip
Note that this tools folder also holds automated deployment tools – in Deploy.cab – which you
can explore if you feel adventurous.

After you’ve installed Suptools.msi, you’ll see the results in the Start menu as Windows Support
Tools. You won’t find the specific tools listed. You’ll need to launch the Suptools.msi Help file, which
then displays the list of tools, as Figure 7.10 shows.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

134 Windows 2003: Active Directory Administration Essentials

Figure 7.10
List of Support Tools in the Help and Support Center

n Note You can get to the screen that Figure 7.10 shows either by starting with Suptools.msi in the
Start menu (then launching Suptools.msi’s Help file) or by going to the Help and Support
Center.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

 Chapter 7 Command-Line, Support, and Microsoft Windows Server 2003 Resource Kit Tools 135

AD Tools
Many of the support tools exist to help you manage AD. You can get a list of AD-related tools by
clicking the Active Directory Management Tools subset, which you can see in Figure 7.10. The tools
listed in the Active Directory Management Tools subset tools are deeply capable; exploring one or
two tools in any depth could fill a chapter.
Some of the tools that I consider AD management tools don’t appear in this tool subset but in
other categories. Dcdiag, the first tool I discuss, is a case in point.

j Tip
You’ll want to examine the Alphabetical List of Tools highlighted in Figure 7.10 to get a feel for
all the tools available.

With your custom toolkit in mind, I’ll discuss a few of the most important tools for day-to-day
AD management. After I discuss Dcdiag, I’ll discuss its Active Directory Management Tools subset
diagnostic counterpart: Active Directory Replication Monitor (Replmon).

Dcdiag
Dcdiag is the Swiss Army knife of AD testing. You carry out most tests by using the syntax
dcdiag /test: <test>

where <test> can be any one of a huge number of options.

For example, you can test whether a domain controller (DC) is healthy (by using the Advertising
switch), whether the topology between DCs is kosher (by using the Topology and Replication
switches), which DCs hold which Flexible Single-Master Operation (FSMO, aka Operations Master)
roles (by using the FSMOCheck switch), and much more.
Dcdiag with Replication
Sometimes, replication between DCs suddenly stops for no apparent reason. You can often find the
cause by checking DNS, but discovering the extent of the problem can be difficult. If you use the
syntax
dcdiag /test:Replication

you get results that resemble those shown in Figure 7.11. Results that indicate individual replication
problems can help you gauge the extent of the overall problem (in this case, no replication problems
exist).

Brought to you by NetIQ and Windows & .NET Magazine eBooks

136 Windows 2003: Active Directory Administration Essentials

Figure 7.11
Deploying Dcdiag

If you suspect replication problems, you can also carry out the test with the /v switch. This
switch enables verbose output, which can help you see precisely where problems lie.
Dcdiag with Dcpromo
When you bring up new DCs at other sites, you might face a familiar challenge: problems that might
be either on the server that you want to promote or in the domain itself. All you know is that
something is preventing the promotion of the server to DC. Dcdiag with the /test:DCPROMO switch
can help. If you want to create a new replica DC, you use the syntax

dcdiag /test:DCPROMO /DNSDomain:<domainname> /replicadc

from the machine you want to promote to DC. If your DC-to-be passes all tests to be promoted,
you’ll see the results that Figure 7.12 shows. You can then proceed knowing that the promotion is
likely to work.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

 Chapter 7 Command-Line, Support, and Microsoft Windows Server 2003 Resource Kit Tools 137

Figure 7.12
Deploying Dcdiag with the /test:DCPROMO switch

Replmon
If Dcdiag is the Swiss Army knife of command-line AD diagnostics, then Replmon fills a similar role –
but with a GUI. You begin deploying Replmon by loading all the DCs in the domain. You do so by
clicking Edit, clicking Add Monitored Server, and continuing through the Add Monitored Server
Wizard. After you’ve loaded all DCs, you’re prepared to run some tests. For example, you can
right-click a DC and run a test that generates a report, such as Check Replication Topology, which
Figure 7.13 shows.
Figure 7.13
Deploying Replmon for AD diagnostics

Brought to you by NetIQ and Windows & .NET Magazine eBooks

138 Windows 2003: Active Directory Administration Essentials

You can use Replmon to perform a host of validation tests. One powerful function is Synchronize
Each Directory Partition with All Servers, which you see listed in Figure 7.13. When you select and
initiate this function, the Synchronizing Naming Context with Replication Partners dialog box that you
see in Figure 7.14 will appear and offer three synchronization options.

Figure 7.14
The Synchronize Naming Context with Replication Partners dialog box

AD replication is usually “pull only” – that is, each DC in a site will pull the latest data from its
partners. You can change the replication mode by selecting the Push mode option that Figure 7.14
shows. Additionally, instead of waiting for replication to occur more widely, you can force replication
over site boundaries by selecting the Cross site boundaries option that Figure 7.14 shows.

n Note Replmon lets you perform a one-time “push” replication through the Push mode option that
Figure 7.14 shows.

d Caution
I’ve never encountered a need to use the first option that Figure 7.14 shows, Disables transitive
replication. I typically want replication to occur everywhere, so I don’t select that option.

You’ll want to familiarize yourself with Replmon, which is one of the most useful tools for
troubleshooting AD problems. Be aware, however, that the Help function in Replmon is nonexistent.
You might want to search on the tool name to access some of the many articles about deploying
Replmon.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

 Chapter 7 Command-Line, Support, and Microsoft Windows Server 2003 Resource Kit Tools 139

Windows 2003 Resource Kit Utilities

The Windows resource kits have always offered tools that perform various kinds of “magic.”
Historically, Microsoft made some tools available for download, but you had to purchase the resource
kit and the resource kit documentation to get most of the tools.
With Windows 2003, Microsoft is apparently giving away the bulk of the resource kit utilities and
making others available as they’re produced. To start developing your resource kit, go to
http://download.microsoft.com/download/8/e/c/8ec3a7d8-05b4-440a-a71e-ca3ee25fe057/rktools.exe
and download and install the resource kit on your computer.

j Tip
Also available – as a separate download – is the Microsoft Internet Information Services (IIS)
6.0 Resource Kit. For an overview of the resource kit and to download it, go to

http://www.microsoft.com/downloads/details.aspx?familyid=80a1b6e6-829e-49b7-8c02-
333d9c148e69&displaylang=en

Some of the utilities in the resource kit are command-line tools, others are GUI tools, and still
others fall into a different category. I’ll explore tools from the third category first.

Active Directory Users and Computers Enhancement Tools

Two great resource kit tools enhance the capability of the Active Directory Users and Computers
console – the tool you use each and every day. I’ll give you an overview of both Acctinfo.dll and
Rcontrolad.

Acctinfo.dll
Acctinfo.dll isn’t a program you can simply double-click and run. Rather, it attaches itself to the Active
Directory Users and Computers console to extend the console’s capabilities. Acctinfo.dll displays all
sorts of interesting account information about the most recent user logon. Previously, you would have
needed scripting to get this information.
However, to get to these account information properties, you’ll first need to complete the
following steps:
1. Copy Acctinfo.dll to \%systemroot%\system32
2. Then, use the syntax
regsvr32 acctinfo.dll

n Note You’ll need to repeat both steps to add Acctinfo.dll to each individual system.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

140 Windows 2003: Active Directory Administration Essentials

j Tip
If you want to remove Acctinfo.dll, simply use the syntax

regsvr32 /u acctinfo.dll

After you register Acctinfo.dll, you’ll be able to see the newly available information on the
Additional Account Info tab in the dialog box that Figure 7.15 shows.

Figure 7.15
The Additional Account Info tab

Without needing to use scripting, you can access lots of information (e.g., when the user’s
password next expires, when the user most recently logged on, what the user account’s SID is).
One interesting and useful feature is the Set PW On Site DC button that you can see in Figure
7.15. When you click the Set PW On Site DC button, the dialog box that Figure 7.16 shows will
appear. You can then change the user’s password directly on the DC that the user uses for validation.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

 Chapter 7 Command-Line, Support, and Microsoft Windows Server 2003 Resource Kit Tools 141

Figure 7.16
The Change Password On a DC In the Users Site dialog box

If you use the Set PW On Site DC feature to change passwords, users will be able to access their
newly changed passwords right away. They won’t need to wait for replication from the PDC-Emulator
to this DC.

Rcontrolad
Rcontrolad is a tool that lets you control another useful little tool. When you double-click Rcontrolad,
it expands into several files. First, you run the rcontrol_setup.exe program as a Domain Administrator.
Second, you copy the included rcontrol.exe to the location from which you deploy your Active
Directory Users and Computers console. You’ll then be able to right-click any XP or Windows 2003
computer and select Remote Control, as Figure 7.17 shows.
Figure 7.17
Selecting Remote Control after deploying Rcontrolad

Brought to you by NetIQ and Windows & .NET Magazine eBooks

142 Windows 2003: Active Directory Administration Essentials

After Rcontrolad is installed, you can control target computers remotely. When you do, you’ll be
connected through Terminal Services to the remote computer, as Figure 7.18 shows.

Figure 7.18
Connecting to the remote computer

Rcontrolad is a handy alternative to manually adding each machine to the Control Panel Remote
Desktop applet.

Event Manipulation Tools

In Chapter 1, I discussed the new Server Event Tracking feature, which lets administrators enter (and
thereby better track) the reasons for restarting or rebooting a server. In this final section of Chapter 7,
I discuss how you can extend that record-keeping capability and also leverage what you learned in
this chapter about the Eventcreate, Eventquery, and Eventtriggers tools.

Custreasonedit
The Custreasonedit tool lets you extend the Server Event Tracking feature’s list of possible reasons for
shutting down and restarting a server. To use Custreasonedit to add to the list of reasons, you must
first introduce sample reasons to this computer. You do so by right-clicking the samplereasons.reg file
in Windows Explorer and selecting Merge, as Figure 7.19 shows.
Figure 7.19
Expanding the samplereason.reg file

Brought to you by NetIQ and Windows & .NET Magazine eBooks

 Chapter 7 Command-Line, Support, and Microsoft Windows Server 2003 Resource Kit Tools 143

Use the syntax

custreasonedit /i

to launch the tool’s GUI, as Figure 7.20 shows.

Figure 7.20
Introducing custom reasons for shutdown

After you’ve run custreasonedit /i, you can see the sample reasons and add your own. Simply
type in the Title and Description, pick the Reason Category, select which check boxes you want to
have shown by default, and click Add. After you’ve tailored the list, click Export to export to a
registry file. Then, merge the resulting registry file back into the system registry – and your reasons
will be customized.

j Tip
The Custreasonedit process I describe customizes the reasons for this machine only. However,
the readme.chm file tells you how to distribute the updated reasons list to multiple machines.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

144 Windows 2003: Active Directory Administration Essentials

EventCombMT
You’ve learned how to use the Eventcreate tool to capture selected events in the event log. Now,
you might want a centralized way to locate these (and other) events across multiple servers. The
EventCombMT tool lets you perform event searches easily.
After you run EventCombMT, you can right-click in the left window and select the types of
servers on which to query events, as Figure 7.21 shows (highlighted in yellow).

Figure 7.21
Selecting servers to search

As Figure 7.22 shows, you can select the log files to search (highlighted in orange), the event
types (highlighted in green), any specific event IDs or event ID ranges (highlighted in yellow), or text
within an event (highlighted in blue). In this example, I’m checking one DC for event ID 105 and
event ID 106 in the Application, System, and Security logs.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

 Chapter 7 Command-Line, Support, and Microsoft Windows Server 2003 Resource Kit Tools 145

Figure 7.22
Entering the types of events for the search

When you click Search in EventCombMT, the tool will query all the servers specified for the
criteria you established. When the search is finished, the Temp directory will contain several files, and
the Temp directory window will be exposed automatically. Open up a log file, such as the file Figure
7.23 shows, to see the events returned from the search – including those you created with the
Evencreate tool.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

146 Windows 2003: Active Directory Administration Essentials

Figure 7.23
Logged events that match the criteria you establish

n Note The resource kit tools are downloadable, but Microsoft doesn’t support them 100 percent.
Should you need assistance with them, you’ll get “best-effort” support.

Next: Special Domain Operations

You can perform administrative tasks countless ways. However, familiarizing yourself with the
command-line tools, support tools, and resource kit tools can really be a lifesaver. You can then
better leverage the event logs to figure out what’s happening in your environment. Best of all, all the
commands and tools I’ve discussed in this chapter are free. However, no “centralized storage”
mechanism for events exists yet – for that you’ll still need a third-party tool.
In the final chapter of Windows 2003: Active Directory Administration Essentials, I consider some
operations you’ll probably perform rarely, such as transferring or seizing server roles, addressing DC
promotions that fail partway through, cleaning up the metabase, and renaming DCs and domains. I’ll
discuss how to perform these operations safely.

Brought to you by NetIQ and Windows & .NET Magazine eBooks