Title: Message
Not dozens, but several. When we had to do dozens, we wrote a custom tool/script to do it. The point being anyone can use ntdsutil so it shouldn't be an easy way to torch the forest. Takes a bit more knowledge to write a tool or script to clean that same stuff up though many have done it.
 
I recall talking to MS folks in the early stages and they indicated that the concept behind NTDSUTIL was to avoid the ease of blowing shit up that existed in RegEdit/Regedt32. It is reminiscent of some of the old DEC PDP and VAX command line tools to do scary things.
 
Wouldn't the setting of "windows" simply be an alias for "mac"?
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, March 22, 2005 12:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting DC cleanup?

Have you ever actually had to clean up dozens of DCs using ntdsutil???
 
Maybe Microsoft should implement an environment variable called "ADMIN_BACKGROUND"
 
If ADMIN_BACKGROUND is set to "unix", all tools default to "advanced" mode, and all safety checking is turned off.
 
If ADMIN_BACKGROUND is set to "mac", all tools go to training wheels mode where the user is prompted "Are you sure?", "Are you REALLY sure?"
 
If ADMIN_BACKGROUND is set to "windows", all command line utilities are disabled.
 
If ADMIN_BACKGROUND is set to "mainframe", all windows switch to green-on-black text.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 21, 2005 8:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting DC cleanup?

I wasn't aware of that. That is kind of scary. People should have to go through those steps in a lot of cases as they may be doing the wrong thing...


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, March 21, 2005 7:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting DC cleanup?

If you're talking about W2K3 then after installing SP1 you don't need to select the site, domain, etc. Just select the server and kill it!
QUOTE
The Ntdsutil.exe command-line tool for managing the Active Directory database has new commands that make it easier to remove domain controller metadata. Preliminary steps, such as connecting to a server, domain, and site, are no longer required. You simply specify the server to remove. You can also specify the server on which to make the deletion.
 
Cheers
Jorge


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 18, 2005 18:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting DC cleanup?

I would recommend watching your AD to see exactly what NTDSUTIL is doing, you can actually just get away from using it and deleting the appropriate objects directly (hint: look at the objects under the server containers of sites...). In fact you can make a solution that is better than ntdsutil because last I looked, it didn't get rid of FRS references, etc. I recall a tool written by a friend of mine at the widget factory I used to work at that would do this quite well and quite fast and was called Whack-A-DC. It was used to clean up the test environment sucked off of the real environment after it was isolated from the "real" network.
 
I have been slow to duplicate anything like this as a joeware tool because quite frankly, it is pretty dangerous stuff and would prefer to not have my tools used in script kiddies attack tool boxes. oldcmp specifically and very purposely avoids DCs.
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Friday, March 18, 2005 10:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting DC cleanup?

I guess I should have elaborated. NTDSUtil references domains, sites, and servers by sequential numbers. In order to write a simple command file for DC cleanup, I'd have to know what these numbers would be beforehand, and I'm not at all sure they won't change.
 
What I'd like to do is write a perl script that will figure out what these numbers will be and write a script that I can feed into ntdsutil to do the dirty work.
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, March 18, 2005 9:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting DC cleanup?

You can make ntdsutil work in a script. Just make a batch file. The syntax is to put a space between each command and put them in quotes:
 
ntdsutil "connect to domain 1" "do something cool" "build an arc"
ntdsutil "connect to domain 2" "do something cool" "build an arc"
 
etc etc
 
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101
c - 312.731.3132


From: [EMAIL PROTECTED] on behalf of Ken Cornetet
Sent: Fri 3/18/2005 7:33 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Scripting DC cleanup?

It's getting close to time for our annual off-site disaster recovery test, and I'd like to automate a dreaded chore that this testing entails. Our main domain has about two dozen DCs. We only recover one of those during the test. This means I have to perform the ntdsutil dance outlined in KB216498 23 times to remove the phantom DCs.
 
Is there any way I can script this, or at least script creation of a text file that would be piped into ntdsutil?
 
I stumbled across a script called "metacleaner.vbs" written by a gentleman at microsoft, but it did not appear to work.

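Added example, not code from anyone in this thread: a sketch of the approach Ken describes, resolving ntdsutil's sequential server number from a fresh "list servers in site" listing by name and emitting a quoted one-line command in the style Brian shows, for review rather than execution. The listing layout, the server names, example.com and the function names are assumptions constructed for illustration; the script refuses to target the one DC being kept or a name that is not in the listing.

```python
import re

# Constructed sample of the numbered listing printed by
# "list servers in site"; the exact layout is an assumption.
SAMPLE_LISTING = """\
Found 3 server(s)
0 - CN=DC01,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=example,DC=com
1 - CN=DC02,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=example,DC=com
2 - CN=DC03,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=example,DC=com
"""

ENTRY = re.compile(r"^\s*(\d+)\s+-\s+(CN=([^,]+),CN=Servers,.+)$", re.I)

def parse_listing(text):
    """Map upper-cased server CN -> (index, full DN) from a numbered listing."""
    servers = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            name = m.group(3).upper()
            if name in servers:
                raise ValueError(f"ambiguous server name: {name}")
            servers[name] = (int(m.group(1)), m.group(2))
    return servers

def cleanup_command(listing, target, keep, connect_to, domain_idx, site_idx):
    """Build one ntdsutil command line for `target`; nothing is executed."""
    servers = parse_listing(listing)
    if target.upper() == keep.upper():
        raise ValueError(f"refusing to remove the surviving DC {keep}")
    if target.upper() not in servers:
        raise ValueError(f"{target} not in listing; indexes may have changed")
    idx, dn = servers[target.upper()]
    steps = ["metadata cleanup", "connections",
             f"connect to server {connect_to}", "quit",
             "select operation target",
             "list domains", f"select domain {domain_idx}",
             "list sites", f"select site {site_idx}",
             "list servers in site", f"select server {idx}",
             "quit", "remove selected server", "quit", "quit"]
    return dn, "ntdsutil " + " ".join(f'"{s}"' for s in steps)

if __name__ == "__main__":
    dn, line = cleanup_command(SAMPLE_LISTING, "dc03", "DC01", "DC01", 0, 0)
    print(f"rem target: {dn}")  # DN shown so the operator can confirm it
    print(line)
```

Because each removal renumbers the remaining entries, capture a new listing before generating the next command instead of reusing indexes from an earlier run.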