RE: [ActiveDir] Scripting DC cleanup?

2005-05-02 Thread Ken Cornetet
Why? Because a DC won't become a DC if it cannot replicate with other DCs. In 
our disaster recovery testing, we only recover one DC from each domain. I have 
to remove the other DCs from AD, or the one DC will not start acting as a DC.

As a side note, I found a fairly easy solution to my problem. I remembered that 
NTDSUtil prompts before actually removing the DC from AD. I simply wrote a text 
file with all the required incantations for deleting server number 1 from site 
number 1, and duplicated for the other 20 sites. I just answered no to the 
prompt for the one DC I wanted to keep. 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Saturday, April 30, 2005 3:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting DC cleanup?



Thoughts on metadata cleanup, from many points on this thread, in importance 
order ...


from Ken Cornetet:

 recover one of those during the test. This means I have to perform the 
 ntdsutil dance outlined in KB216498 23 times to remove the phantom

Why?!?

This made me suspicious ... BTW ... and this is probably the most important 
thing I'll say all day ... so I'll indent it:

  I hope it is clear you should NOT NOT NOT be cleaning up metadata of
  DCs for live DCs.  Demote the DC.  Try not to use force removal
  ... you'll just get it wrong.

When you delete meta-data for a live DC (obviously on some 2nd DC, b/c a DC 
will not voluntarily commit seppuku), the live DC actually decides you didn't 
really know what you're doing, and when it replicates in the delete of its own 
DSA object, it resurrects it.  I wonder if this is what you're experiencing?  
This was a dubious design choice back pre-Win2k RTM, when some beta customer 
hosed their environment by cleaning up meta-data for DCs.  I hope we retract 
this behavior at some future point, myself.



from Marcus:

 Hmm... 2003 dsa seems to remove the metadata when you delete the 
 domain controller reference from the domain controller container.
 Anyone else notice this?

Not sure what you mean by this ... what _exactly_ are you doing?  2003 dsa 
isn't an action.  Also are you talking 2k3 or 2k3 SP1?



from joe:

 I would recommend watching your AD to see exactly what NTDSUTIL is 
 doing, you can actually just get away from using it and deleting the 
 appropriate objects directly (hint look at the objects under the 
 server containers of sites...) . In fact you can make a solution that

I wouldn't do this, this is bad layering, the logic here is complicated, and 
the checks that we're making may not be obvious, this kind of logic should be 
pushed into one logical mechanism, and that mechanism should be usable (it 
wasn't usable in Win2k/Win2k3-RTM, but we tried to make it usable in SP1) ... 
further I wouldn't do this, b/c IIRC, we actually changed ntdsutil in SP1 to do 
more ...

 is better than ntdsutil because last I looked, it didn't get rid of 
 FRS references, etc. I recall a tool written by a friend of mine at 
 the widget factory I used to work at that would do this quite well and 
 quite fast and was called Whack-A-DC. It was used to clean up the test 
 environment sucked off of the real environment after it was isolated 
 from the real network.

... in fact I think we fixed it to do something very like that.  In addition to 
several other things.



from Dean Wells:

 ... and yet no new (even very small) features will be added within a 
 Service Pack :)

Please stop talking.
(see MG again, it's when they go to Regina's house)



Cheers,
BrettSh [msft]

Posting as is, confers no rights. 


On Sat, 30 Apr 2005 [EMAIL PROTECTED] wrote:

 Hmm... 2003 dsa seems to remove the metadata when you delete the 
 domain controller reference from the domain controller container.
 Anyone else notice this?
 
  
 
 
 
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
 Sent: Wednesday, April 27, 2005 5:01 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Scripting DC cleanup?
 
  
 
 yeah right ;-)  however, I'm quite happy about the additions in SP1 - 
 even though this should have been called R2 and the planned R2 would 
 then be R3... ;-)
 
  
 
 
 
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
 Sent: Dienstag, 22. März 2005 02:55
 To: Send - AD mailing list
 Subject: RE: [ActiveDir] Scripting DC cleanup?
 
 ... and yet no new (even very small) features will be added within a 
 Service Pack :)
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com http://msetechnology.com/
 
  
 
  
 
 
 
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
 Sent: Monday, March 21, 2005 7:46 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Scripting DC cleanup?
 
 If you're talking about W2K3 then after
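
Added example, not written by any poster in this thread: a generator for the kind of ntdsutil batch file Ken and Brian describe, using the Windows Server 2003 SP1 form `remove selected server <ServerDN>` that Jorge's quote refers to, so no site or server numbers are involved. The server DNs, the `example.test` names and the `alive` flag are constructed assumptions; the script only writes command lines, leaves ntdsutil's confirmation prompt in place, and refuses to plan a removal for the DC being kept or for any DC marked as still alive (Brett's warning).

```python
"""Generate an ntdsutil metadata-cleanup batch file for an isolated DR forest.

Added illustration. Inventory values below are constructed, not from the thread.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainController:
    server_dn: str  # DN of the server object under CN=Sites,CN=Configuration
    alive: bool     # True if this DC is running in the environment being cleaned


class CleanupPlanError(ValueError):
    """The plan would be unsafe, or a value cannot be quoted in a batch file."""


def validate_server_dn(dn):
    """Accept only CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,..."""
    if any(ch in dn for ch in '"%\\\r\n'):
        raise CleanupPlanError(f"character not safe in a batch argument: {dn!r}")
    parts = [p.strip() for p in dn.split(",")]
    fixed = {1: "CN=SERVERS", 3: "CN=SITES", 4: "CN=CONFIGURATION"}
    if len(parts) < 6 or any(parts[i].upper() != v for i, v in fixed.items()):
        raise CleanupPlanError(f"not a server object DN: {dn!r}")
    if not all(re.fullmatch(r"(?i)(CN|DC)=[^=,]+", p) for p in parts):
        raise CleanupPlanError(f"malformed DN component in: {dn!r}")
    return ",".join(parts)


def build_cleanup_commands(inventory, keep_dn, run_on=None):
    """Return one ntdsutil command line per phantom DC, never for keep_dn.

    run_on is the optional DNS name of the DC on which to make the deletion.
    """
    if run_on is not None and not re.fullmatch(r"[A-Za-z0-9.-]+", run_on):
        raise CleanupPlanError(f"bad host name: {run_on!r}")
    keep = validate_server_dn(keep_dn).lower()
    by_dn = {}
    for dc in inventory:
        dn = validate_server_dn(dc.server_dn)
        if dn.lower() in by_dn:
            raise CleanupPlanError(f"duplicate inventory entry: {dn}")
        by_dn[dn.lower()] = (dn, dc.alive)
    # A typo in keep_dn must not silently turn the survivor into a target.
    if keep not in by_dn:
        raise CleanupPlanError("DC to keep is not in the inventory")
    if not by_dn[keep][1]:
        raise CleanupPlanError("DC to keep is not marked alive")
    lines = []
    for key, (dn, alive) in by_dn.items():
        if key == keep:
            continue
        if alive:
            # Metadata of a live DC is not cleaned up; it gets demoted instead.
            raise CleanupPlanError(f"{dn} is alive: demote it, do not clean it up")
        action = f"remove selected server {dn}"
        if run_on:
            action += f" on {run_on}"
        # Quoted commands separated by spaces; no "popups off", so ntdsutil
        # still asks for confirmation before each removal.
        lines.append(f'ntdsutil "metadata cleanup" "{action}" quit quit')
    return lines


# Constructed sample inventory for an isolated DR test forest.
CONFIG = "CN=Sites,CN=Configuration,DC=example,DC=test"
SAMPLE_INVENTORY = [
    DomainController(f"CN=DC01,CN=Servers,CN=SiteA,{CONFIG}", alive=True),
    DomainController(f"CN=DC02,CN=Servers,CN=SiteA,{CONFIG}", alive=False),
    DomainController(f"CN=DC03,CN=Servers,CN=SiteB,{CONFIG}", alive=False),
]
SAMPLE_KEEP = f"CN=DC01,CN=Servers,CN=SiteA,{CONFIG}"

if __name__ == "__main__":
    for line in build_cleanup_commands(SAMPLE_INVENTORY, SAMPLE_KEEP):
        print(line)
```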

RE: [ActiveDir] Scripting DC cleanup?

2005-04-30 Thread Marcus.Oh
Hmm... 2003 dsa seems to remove the metadata when you delete the domain
controller reference from the domain controller container.  Anyone else
notice this?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Wednesday, April 27, 2005 5:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting DC cleanup?

yeah right ;-) however, I'm quite happy about the additions in SP1 - even
though this should have been called R2 and the planned R2 would then be
R3... ;-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Dienstag, 22. März 2005 02:55
To: Send - AD mailing list
Subject: RE: [ActiveDir] Scripting DC cleanup?

... and yet no new (even very small) features will be added within a
Service Pack :)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, March 21, 2005 7:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting DC cleanup?

If you're talking about W2K3 then after installing SP1 you don't need to
select the site, domain, etc. Just select the server and kill it!

QUOTE

The Ntdsutil.exe command-line tool for managing the Active Directory
database has new commands that make it easier to remove domain controller
metadata. Preliminary steps, such as connecting to a server, domain, and
site, are no longer required. You simply specify the server to remove. You
can also specify the server on which to make the deletion.

Cheers

Jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 18, 2005 18:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting DC cleanup?

I would recommend watching your AD to see exactly what NTDSUTIL is doing,
you can actually just get away from using it and deleting the appropriate
objects directly (hint look at the objects under the server containers of
sites...). In fact you can make a solution that is better than ntdsutil
because last I looked, it didn't get rid of FRS references, etc. I recall a
tool written by a friend of mine at the widget factory I used to work at
that would do this quite well and quite fast and was called Whack-A-DC. It
was used to clean up the test environment sucked off of the real
environment after it was isolated from the "real" network.

I have been slow to duplicate anything like this as a joeware tool because
quite frankly, it is pretty dangerous stuff and would prefer to not have my
tools used in script kiddies attack tool boxes. oldcmp specifically and
very purposely avoids DCs.

 joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Friday, March 18, 2005 10:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting DC cleanup?

I guess I should have elaborated. NTDSUtil references domains, sites, and
servers by sequential numbers. In order to write a simple command file for
DC cleanup, I'd have to know what these numbers would be beforehand, and
I'm not at all sure they won't change.

What I'd like to do is write a perl script that will figure out what these
numbers will be and write a script that I can feed into ntdsutil to do the
dirty work.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, March 18, 2005 9:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting DC cleanup?

You can make ntdsutil work in a script. Just make a batch file. The syntax
is to put a space between each command and put them in quotes:

ntdsutil "connect to domain 1" "do something cool" "build an arc"

ntdsutil "connect to domain 2" "do something cool" "build an arc"

etc etc

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org

v - 773.534.0034 x135
f - 773.534.8101
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Ken Cornetet
Sent: Fri 3/18/2005 7:33 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Scripting DC cleanup?

It's getting close to time for our annual off-site disaster recovery test,
and I'd like to automate a dreaded chore that this testing entails. Our
main domain has about two dozen DCs. We only recover one of those during
the test. This means I have to perform the ntdsutil dance outlined in
KB216498 23 times to remove the phantom DCs.

Is there any way I can script this, or at least script creation of a text
file that would be piped into ntdsutil?

I stumbled across a script called "metacleaner.vbs" written by a gentleman
at microsoft, but it did not appear to work.

This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject

RE: [ActiveDir] Scripting DC cleanup?

2005-04-30 Thread Brett Shirley
Upon re-reading this, I understand why Ken has to perform it 23 times, I
thought he was doing it on the same DC over and over to get it to work,
he's just forking one machine to its own environment from 24 DC
enterprise ... duh, I'm stupid sometimes ...

Cheers,
BrettSh [msft]

Posting as is, confers no rights ... 

On Sat, 30 Apr 2005, Brett Shirley wrote:

 
 Thoughts on metadata cleanup, from many points on this thread, in
 importance order ...
 
 
 from Ken Cornetet:
 
  recover one of those during the test. This means I have to perform the
  ntdsutil dance outlined in KB216498 23 times to remove the phantom
 
 Why?!?
 
 This made me suspicious ... BTW ... and this is probably the most
 important thing I'll say all day ... so I'll indent it:
 
   I hope it is clear you should NOT NOT NOT be cleaning up metadata of
   DCs for live DCs.  Demote the DC.  Try not to use force removal
   ... you'll just get it wrong.
 
 When you delete meta-data for a live DC (obviously on some 2nd DC, b/c a
 DC will not voluntarily commit seppuku), the live DC actually decides you
 didn't really know what you're doing, and when it replicates in the delete
 of its own DSA object, it resurrects it.  I wonder if this is what you're
 experiencing?  This was a dubious design choice back pre-Win2k RTM, when
 some beta customer hosed their environment by cleaning up meta-data for
 DCs.  I hope we retract this behavior at some future point, myself.
 
 
 
 from Marcus:
 
  Hmm... 2003 dsa seems to remove the metadata when you delete the
  domain controller reference from the domain controller container.  
  Anyone else notice this?
 
 Not sure what you mean by this ... what _exactly_ are you doing?  2003
 dsa isn't an action.  Also are you talking 2k3 or 2k3 SP1?
 
 
 
 from joe:
 
  I would recommend watching your AD to see exactly what NTDSUTIL is
  doing, you can actually just get away from using it and deleting the
  appropriate objects directly (hint look at the objects under the
  server containers of sites...) . In fact you can make a solution that
 
 I wouldn't do this, this is bad layering, the logic here is complicated,
 and the checks that we're making may not be obvious, this kind of logic
 should be pushed into one logical mechanism, and that mechanism should be
 usable (it wasn't usable in Win2k/Win2k3-RTM, but we tried to make it
 usable in SP1) ... further I wouldn't do this, b/c IIRC, we actually
 changed ntdsutil in SP1 to do more ...
 
  is better than ntdsutil because last I looked, it didn't get rid of
  FRS references, etc. I recall a tool written by a friend of mine at
  the widget factory I used to work at that would do this quite well and
  quite fast and was called Whack-A-DC. It was used to clean up the test
  environment sucked off of the real environment after it was isolated
  from the real network.
 
 ... in fact I think we fixed it to do something very like that.  In
 addition to several other things.
 
 
 
 from Dean Wells:
 
  ... and yet no new (even very small) features will be added within a
  Service Pack :)
 
 Please stop talking.
 (see MG again, it's when they go to Regina's house)
 
 
 
 Cheers,
 BrettSh [msft]
 
 Posting as is, confers no rights. 
 
 
 On Sat, 30 Apr 2005 [EMAIL PROTECTED] wrote:
 
  Hmm... 2003 dsa seems to remove the metadata when you delete the
  domain controller reference from the domain controller container.  
  Anyone else notice this?
  
   
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
  Grillenmeier, Guido
  Sent: Wednesday, April 27, 2005 5:01 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Scripting DC cleanup?
  
   
  
  yeah right ;-)  however, I'm quite happy about the additions in SP1 -
  even though this should have been called R2 and the planned R2 would
  then be R3... ;-)
  
   
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
  Sent: Dienstag, 22. März 2005 02:55
  To: Send - AD mailing list
  Subject: RE: [ActiveDir] Scripting DC cleanup?
  
  ... and yet no new (even very small) features will be added within a 
  Service Pack :)
  
  --
  Dean Wells
  MSEtechnology
  * Email: [EMAIL PROTECTED]
  http://msetechnology.com http://msetechnology.com/ 
  
   
  
   
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de 
  Almeida Pinto
  Sent: Monday, March 21, 2005 7:46 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Scripting DC cleanup?
  
  If you're talking about W2K3 then after installing SP1 you don't need
  to select the site, domain, etc. Just select the server and kill it!
  
  QUOTE
  
  The Ntdsutil.exe command-line tool for managing the Active Directory
  database has new commands that make it easier to remove domain
  controller metadata. Preliminary steps, such as connecting to a
  server, domain, and site

RE: [ActiveDir] Scripting DC cleanup?

2005-04-30 Thread Dean Wells
Huh?

I'm gonna optimistically hope that that was an attempt at humor ...

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Saturday, April 30, 2005 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting DC cleanup?

snipped

from Dean Wells:

 ... and yet no new (even very small) features will be added within a 
 Service Pack :)

Please stop talking.
(see MG again, it's when they go to Regina's house)

Cheers,
BrettSh [msft]

/snipped


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Scripting DC cleanup?

2005-04-30 Thread Brett Shirley
It was an attempt at humor ... it wasn't anything like a hush statement,
more a very dismissive, you're saying boring things, please stop talking.
See the movie MG= Mean Girls, and you'll see the reference.  Sorry for the
confusion.

Cheers,
-BrettSh [msft]

Posting as is, confers no rights ...



On Sat, 30 Apr 2005, Dean Wells wrote:

 Huh?
 
 I'm gonna optimistically hope that that was an attempt at humor ...
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
 Sent: Saturday, April 30, 2005 4:40 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Scripting DC cleanup?
 
 snipped
 
 from Dean Wells:
 
  ... and yet no new (even very small) features will be added within a 
  Service Pack :)
 
 Please stop talking.
 (see MG again, it's when they go to Regina's house)
 
 Cheers,
 BrettSh [msft]
 
 /snipped
 
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
 



RE: [ActiveDir] Scripting DC cleanup?

2005-04-27 Thread Grillenmeier, Guido
yeah right ;-) however, I'm quite happy about the additions in SP1 - even
though this should have been called R2 and the planned R2 would then be
R3... ;-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Dienstag, 22. März 2005 02:55
To: Send - AD mailing list
Subject: RE: [ActiveDir] Scripting DC cleanup?

... and yet no new (even very small) features will be added within a
Service Pack :)

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, March 21, 2005 7:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting DC cleanup?

If you're talking about W2K3 then after installing SP1 you don't need to
select the site, domain, etc. Just select the server and kill it!

QUOTE

The Ntdsutil.exe command-line tool for managing the Active Directory
database has new commands that make it easier to remove domain controller
metadata. Preliminary steps, such as connecting to a server, domain, and
site, are no longer required. You simply specify the server to remove. You
can also specify the server on which to make the deletion.

Cheers
Jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 18, 2005 18:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting DC cleanup?

I would recommend watching your AD to see exactly what NTDSUTIL is doing,
you can actually just get away from using it and deleting the appropriate
objects directly (hint look at the objects under the server containers of
sites...). In fact you can make a solution that is better than ntdsutil
because last I looked, it didn't get rid of FRS references, etc. I recall a
tool written by a friend of mine at the widget factory I used to work at
that would do this quite well and quite fast and was called Whack-A-DC. It
was used to clean up the test environment sucked off of the real
environment after it was isolated from the "real" network.

I have been slow to duplicate anything like this as a joeware tool because
quite frankly, it is pretty dangerous stuff and would prefer to not have my
tools used in script kiddies attack tool boxes. oldcmp specifically and
very purposely avoids DCs.

 joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Friday, March 18, 2005 10:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting DC cleanup?

I guess I should have elaborated. NTDSUtil references domains, sites, and
servers by sequential numbers. In order to write a simple command file for
DC cleanup, I'd have to know what these numbers would be beforehand, and
I'm not at all sure they won't change.

What I'd like to do is write a perl script that will figure out what these
numbers will be and write a script that I can feed into ntdsutil to do the
dirty work.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
  Sent: Friday, March 18, 2005 9:40 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Scripting DC cleanup?

  You can make ntdsutil work in a script. Just make a batch file. The
  syntax is to put a space between each command and put them in quotes:

  ntdsutil "connect to domain 1" "do something cool" "build an arc"

  ntdsutil "connect to domain 2" "do something cool" "build an arc"

  etc etc

  --Brian Desmond
  [EMAIL PROTECTED]
  Payton on the web! www.wpcp.org
  v - 773.534.0034 x135
  f - 773.534.8101
  c - 312.731.3132

  From: [EMAIL PROTECTED] on behalf of Ken Cornetet
  Sent: Fri 3/18/2005 7:33 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Scripting DC cleanup?

  It's getting close to time for our annual off-site disaster recovery
  test, and I'd like to automate a dreaded chore that this testing entails.
  Our main domain has about two dozen DCs. We only recover one of those
  during the test. This means I have to perform the ntdsutil dance outlined
  in KB216498 23 times to remove the phantom DCs.

  Is there any way I can script this, or at least script creation of a text
  file that would be piped into ntdsutil?

  I stumbled across a script called "metacleaner.vbs" written by a
  gentleman at microsoft, but it did not appear to work.

This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.


RE: [ActiveDir] Scripting DC cleanup?

2005-03-22 Thread Ken Cornetet
Have you ever actually had to clean up dozens of DCs using ntdsutil???

Maybe Microsoft should implement an environment variable called
"ADMIN_BACKGROUND"

If ADMIN_BACKGROUND is set to "unix", all tools default to "advanced" mode,
and all safety checking is turned off.

if ADMIN_BACKGROUND is set to "mac" all tools go to training wheels mode
where the user is prompted "Are you sure?", "Are you REALLY sure?"

if ADMIN_BACKGROUND is set to "windows", all command line utilities are
disabled.

if ADMIN_BACKGROUND is set to "mainframe" all windows switch to
green-on-black text.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Monday, March 21, 2005 8:44 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Scripting DC cleanup?

  I wasn't aware of that. That is kind of scary. People should have to go
  through those steps in a lot of cases as they may be doing the wrong
  thing...

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
  Sent: Monday, March 21, 2005 7:46 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Scripting DC cleanup?

  If you're talking about W2K3 then after installing SP1 you don't need to
  select the site, domain, etc. Just select the server and kill it!

  QUOTE

  The Ntdsutil.exe command-line tool for managing the Active Directory
  database has new commands that make it easier to remove domain controller
  metadata. Preliminary steps, such as connecting to a server, domain, and
  site, are no longer required. You simply specify the server to remove.
  You can also specify the server on which to make the deletion.

  Cheers
  Jorge

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Friday, March 18, 2005 18:00
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Scripting DC cleanup?

  I would recommend watching your AD to see exactly what NTDSUTIL is doing,
  you can actually just get away from using it and deleting the appropriate
  objects directly (hint look at the objects under the server containers of
  sites...). In fact you can make a solution that is better than ntdsutil
  because last I looked, it didn't get rid of FRS references, etc. I recall
  a tool written by a friend of mine at the widget factory I used to work
  at that would do this quite well and quite fast and was called
  Whack-A-DC. It was used to clean up the test environment sucked off of
  the real environment after it was isolated from the "real" network.

  I have been slow to duplicate anything like this as a joeware tool
  because quite frankly, it is pretty dangerous stuff and would prefer to
  not have my tools used in script kiddies attack tool boxes. oldcmp
  specifically and very purposely avoids DCs.

   joe

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
  Sent: Friday, March 18, 2005 10:32 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Scripting DC cleanup?

  I guess I should have elaborated. NTDSUtil references domains, sites, and
  servers by sequential numbers. In order to write a simple command file
  for DC cleanup, I'd have to know what these numbers would be beforehand,
  and I'm not at all sure they won't change.

  What I'd like to do is write a perl script that will figure out what
  these numbers will be and write a script that I can feed into ntdsutil to
  do the dirty work.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, March 18, 2005 9:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting DC cleanup?

You can make ntdsutil work in a script. Just make a batch file. The syntax
is to put a space between each command and put them in quotes:

ntdsutil "connect to domain 1" "do something cool" "build an arc"

ntdsutil "connect to domain 2" "do something cool" "build an arc"

etc etc

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Ken Cornetet
Sent: Fri 3/18/2005 7:33 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Scripting DC cleanup?

It's getting close to time for our annual off-site disaster recovery test,
and I'd like to automate a dreaded chore that this testing entails. Our
main domain has about two dozen DCs. We only recover one of those during
the test. This means I have to perform the ntdsutil dance outlined in
KB216498 23

RE: [ActiveDir] Scripting DC cleanup?

2005-03-22 Thread joe
Not dozens, but several. When we had to do dozens, we wrote a custom
tool/script to do it. The point being anyone can use ntdsutil so it
shouldn't be an easy way to torch the forest. Takes a bit more knowledge to
write a tool or script to clean that same stuff up though many have done
it.

I recall talking to MS folks in the early stages and they indicated that
the concept behind NTDSUTIL was to avoid the ease of blowing shit up that
existed in RegEdit/Regedt32. It is reminiscent of some of the old DEC PDP
and VAX command line tools to do scary things.

Wouldn't the setting of "windows" simply be an alias for "mac"?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, March 22, 2005 12:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting DC cleanup?

Have you ever actually had to clean up dozens of DCs using ntdsutil???

Maybe Microsoft should implement an environment variable called
"ADMIN_BACKGROUND"

If ADMIN_BACKGROUND is set to "unix", all tools default to "advanced" mode,
and all safety checking is turned off.

if ADMIN_BACKGROUND is set to "mac" all tools go to training wheels mode
where the user is prompted "Are you sure?", "Are you REALLY sure?"

if ADMIN_BACKGROUND is set to "windows", all command line utilities are
disabled.

if ADMIN_BACKGROUND is set to "mainframe" all windows switch to
green-on-black text.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Monday, March 21, 2005 8:44 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Scripting DC cleanup?

  I wasn't aware of that. That is kind of scary. People should have to go
  through those steps in a lot of cases as they may be doing the wrong
  thing...

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
  Sent: Monday, March 21, 2005 7:46 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Scripting DC cleanup?

  If you're talking about W2K3 then after installing SP1 you don't need to
  select the site, domain, etc. Just select the server and kill it!

  QUOTE

  The Ntdsutil.exe command-line tool for managing the Active Directory
  database has new commands that make it easier to remove domain controller
  metadata. Preliminary steps, such as connecting to a server, domain, and
  site, are no longer required. You simply specify the server to remove.
  You can also specify the server on which to make the deletion.

  Cheers
  Jorge

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Friday, March 18, 2005 18:00
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Scripting DC cleanup?

  I would recommend watching your AD to see exactly what NTDSUTIL is doing,
  you can actually just get away from using it and deleting the appropriate
  objects directly (hint look at the objects under the server containers of
  sites...). In fact you can make a solution that is better than ntdsutil
  because last I looked, it didn't get rid of FRS references, etc. I recall
  a tool written by a friend of mine at the widget factory I used to work
  at that would do this quite well and quite fast and was called
  Whack-A-DC. It was used to clean up the test environment sucked off of
  the real environment after it was isolated from the "real" network.

  I have been slow to duplicate anything like this as a joeware tool
  because quite frankly, it is pretty dangerous stuff and would prefer to
  not have my tools used in script kiddies attack tool boxes. oldcmp
  specifically and very purposely avoids DCs.

   joe

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
  Sent: Friday, March 18, 2005 10:32 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Scripting DC cleanup?

  I guess I should have elaborated. NTDSUtil references domains, sites, and
  servers by sequential numbers. In order to write a simple command file
  for DC cleanup, I'd have to know what these numbers would be beforehand,
  and I'm not at all sure they won't change.

  What I'd like to do is write a perl script that will figure out what
  these numbers will be and write a script that I can feed into ntdsutil to
  do the dirty work.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, March 18, 2005 9:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting DC cleanup?

You can make ntdsutil work in a script. Just make a batch file. The syntax
is to put a space between each command and put them in quotes:

ntdsutil "connect to domain 1" "do som

RE: [ActiveDir] Scripting DC cleanup?

2005-03-21 Thread Jorge de Almeida Pinto

If you're talking about W2K3 then after installing SP1 you don't need to select
the site, domain, etc. Just select the server and kill it!

QUOTE
The Ntdsutil.exe command-line tool for managing the Active Directory database
has new commands that make it easier to remove domain controller metadata.
Preliminary steps, such as connecting to a server, domain, and site, are no
longer required. You simply specify the server to remove. You can also specify
the server on which to make the deletion.

Cheers
Jorge


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 18, 2005 18:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting DC cleanup?

I would recommend watching your AD to see exactly what NTDSUTIL is doing, you
can actually just get away from using it and deleting the appropriate objects
directly (hint look at the objects under the server containers of sites...).
In fact you can make a solution that is better than ntdsutil because last I
looked, it didn't get rid of FRS references, etc. I recall a tool written by a
friend of mine at the widget factory I used to work at that would do this quite
well and quite fast and was called Whack-A-DC. It was used to clean up the test
environment sucked off of the real environment after it was isolated from the
"real" network.

I have been slow to duplicate anything like this as a joeware tool because
quite frankly, it is pretty dangerous stuff and would prefer to not have my
tools used in script kiddies attack tool boxes. oldcmp specifically and very
purposely avoids DCs.

 joe



This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.




RE: [ActiveDir] Scripting DC cleanup?

2005-03-21 Thread joe



I wasn't aware of that. That is kind of scary. People 
should have to go through those steps in a lot of cases as they may be doing the 
wrong thing...




RE: [ActiveDir] Scripting DC cleanup?

2005-03-21 Thread Dean Wells

... and yet no new (even very small) features will be added within a Service
Pack :)

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com





RE: [ActiveDir] Scripting DC cleanup?

2005-03-21 Thread Siddharth Sawkar

Does anyone have a test W2K3 machine they can test this on - if I remember
correctly, you don't need SP1 to do this.

/Siddharth



















RE: [ActiveDir] Scripting DC cleanup?

2005-03-21 Thread Dean Wells

2003 RTM -

ntdsutil: me cl
metadata cleanup: ?

 ?                               - Show this help information
 Connections                     - Connect to a specific domain controller
 Help                            - Show this help information
 Quit                            - Return to the prior menu
 Remove selected domain          - Remove DS objects for selected domain
 Remove selected Naming Context  - Remove DS objects for selected Naming Context
 Remove selected server          - Remove DS objects for selected server
 Select operation target         - Select sites, servers, domains, roles and naming contexts

2003 SP1+R2 -

ntdsutil: me cl
metadata cleanup: ?

 ?                               - Show this help information
 Connections                     - Connect to a specific domain controller
 Help                            - Show this help information
 Quit                            - Return to the prior menu
 Remove selected domain          - Remove DS objects for selected domain
 Remove selected Naming Context  - Remove DS objects for selected Naming Context
 Remove selected server          - Remove DS objects for selected server
 Remove selected server %s       - Remove DS objects for selected server
 Remove selected server %s on %s - Remove DS objects for selected server
 Select operation target         - Select sites, servers, domains, roles and naming contexts

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com




RE: [ActiveDir] Scripting DC cleanup?

2005-03-21 Thread Siddharth Sawkar

My apologies - I misread and thought y'all meant just simply going into
dssites.msc and whacking the object there, not through ntdsutil.












RE: [ActiveDir] Scripting DC cleanup?

2005-03-18 Thread Mulnick, Al
Can't imagine why that wouldn't be possible.  NTDSUTIL is similar to NETSH
in that you can run the commands from a single call.

i.e. ntdsutil command command command command. Etc
http://www.jsifaq.com/SUBJ/tip4600/rh4675.htm

And
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ntdsutil_using.asp

Will give some information about what that looks like.   You can even
abbreviate it. 

My advice for this though?  Practice it several times before actually
relying on it.  

As for Scripting it, I suppose you could, but it would likely be less effort
to write it manually once.  I mean, you don't build your infrastructure on
roller-skates anyway right? :)

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Friday, March 18, 2005 8:33 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Scripting DC cleanup?

It's getting close to time for our annual off-site disaster recovery test,
and I'd like to automate a dreaded chore that this testing entails. Our main
domain has about two dozen DCs. We only recover one of those during the
test. This means I have to perform the ntdsutil dance outlined in KB216498
23 times to remove the phantom DCs.
 
Is there any way I can script this, or at least script creation of a text
file that would be piped into ntdsutil?
 
I stumbled across a script called metacleaner.vbs written by a gentleman
at microsoft, but it did not appear to work. 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Scripting DC cleanup?

2005-03-18 Thread Brian Desmond
You can make ntdsutil work in a script. Just make a batch file. The syntax is 
to put a space between each command and put them in quotes:
 
ntdsutil "connect to domain 1" "do something cool" "build an arc"
ntdsutil "connect to domain 2" "do something cool" "build an arc"
 
etc etc
 
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101
c - 312.731.3132



From: [EMAIL PROTECTED] on behalf of Ken Cornetet
Sent: Fri 3/18/2005 7:33 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Scripting DC cleanup?


It's getting close to time for our annual off-site disaster recovery test, and 
I'd like to automate a dreaded chore that this testing entails. Our main domain 
has about two dozen DCs. We only recover one of those during the test. This 
means I have to perform the ntdsutil dance outlined in KB216498 23 times to 
remove the phantom DCs.
 
Is there any way I can script this, or at least script creation of a text file 
that would be piped into ntdsutil?
 
I stumbled across a script called metacleaner.vbs written by a gentleman at 
microsoft, but it did not appear to work. 

RE: [ActiveDir] Scripting DC cleanup?

2005-03-18 Thread Ken Cornetet

I guess I should have elaborated. NTDSUtil references domains, sites, and
servers by sequential numbers. In order to write a simple command file for DC
cleanup, I'd have to know what these numbers would be beforehand, and I'm not
at all sure they won't change.

What I'd like to do is write a perl script that will figure out what these
numbers will be and write a script that I can feed into ntdsutil to do the
dirty work.


  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
  Sent: Friday, March 18, 2005 9:40 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Scripting DC cleanup?

  You can make ntdsutil work in a script. Just make a batch file. The syntax is
  to put a space between each command and put them in quotes:

  ntdsutil "connect to domain 1" "do something cool" "build an arc"

  ntdsutil "connect to domain 2" "do something cool" "build an arc"

  etc etc

  --Brian Desmond
  [EMAIL PROTECTED]
  Payton on the web! www.wpcp.org
  v - 773.534.0034 x135
  f - 773.534.8101
  c - 312.731.3132

  From: [EMAIL PROTECTED] on behalf of Ken Cornetet
  Sent: Fri 3/18/2005 7:33 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Scripting DC cleanup?

  It's getting close to time for our annual off-site disaster recovery test,
  and I'd like to automate a dreaded chore that this testing entails. Our main
  domain has about two dozen DCs. We only recover one of those during the test.
  This means I have to perform the ntdsutil dance outlined in KB216498 23 times
  to remove the phantom DCs.

  Is there any way I can script this, or at least script creation of a text
  file that would be piped into ntdsutil?

  I stumbled across a script called "metacleaner.vbs" written by a gentleman at
  microsoft, but it
  did not appear to work. 
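
Added example, not part of the thread and not code from any poster: a read-only Python check for the numbering concern raised in the message above. It resolves the server numbers a prepared command file would select back to DNs, refuses a plan that touches the DC being kept, and reports numbers whose DN changed between two captured listings. The "N - DN" listing layout is an assumption about ntdsutil's output, and the listing, names and function names are constructed for illustration.

```python
import re

# Constructed sample of a "list servers in site" listing. The "N - DN"
# line layout is an assumption; the site and server names are made up.
SAMPLE_LISTING = """\
Found 3 server(s)
0 - CN=DC-A,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=example,DC=com
1 - CN=DC-B,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=example,DC=com
2 - CN=DC-C,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=example,DC=com
"""

NUMBERED_LINE = re.compile(r"^\s*(\d+)\s+-\s+(CN=.+?)\s*$", re.I)


def parse_listing(text):
    """Map each sequential number to the DN printed beside it."""
    numbered = {}
    for line in text.splitlines():
        match = NUMBERED_LINE.match(line)
        if match:
            numbered[int(match.group(1))] = match.group(2)
    return numbered


def resolve_plan(listing_text, planned_numbers, keep_cn):
    """Return the DNs the planned numbers point at; reject unsafe plans."""
    numbered = parse_listing(listing_text)
    targets = []
    for number in planned_numbers:
        if number not in numbered:
            raise ValueError(f"server number {number} is not in the listing")
        dn = numbered[number]
        first_rdn = dn.split(",", 1)[0]
        if first_rdn.lower() == f"cn={keep_cn}".lower():
            raise ValueError(f"number {number} is {dn}, the DC being kept")
        targets.append(dn)
    return targets


def numbering_drift(planned_listing, current_listing):
    """Numbers whose DN differs between plan time and run time."""
    old = parse_listing(planned_listing)
    new = parse_listing(current_listing)
    return sorted(n for n in old.keys() | new.keys() if old.get(n) != new.get(n))
```

Any non-empty result from numbering_drift means the prepared command file no longer selects the servers it was written for and should be regenerated from a fresh listing.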


RE: [ActiveDir] Scripting DC cleanup?

2005-03-18 Thread joe



I would recommend watching your AD to see exactly what NTDSUTIL is doing, you 
can actually just get away from using it and deleting the appropriate objects 
directly (hint look at the objects under the server containers of sites...). In 
fact you can make a solution that is better than ntdsutil because last I looked, 
it didn't get rid of FRS references, etc. I recall a tool written by a friend of 
mine at the widgetfactory I used to work at that would do this quite well and 
quite fast and was called Whack-A-DC. It was used to clean up the test 
environment sucked off of the real environment after it was isolated from the 
"real" network.

I have been slow to duplicate anything like this as a 
joeware tool because quite frankly, it is pretty dangerous stuff and would 
prefer to not have my tools used in script kiddies attack tool boxes. oldcmp 
specifically and very purposely avoids DCs.

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Friday, March 18, 2005 10:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting DC cleanup?

I guess I should have elaborated. NTDSUtil references domains, sites, and servers 
by sequential numbers. In order to write a simple command file for DC cleanup, 
I'd have to know what these numbers would be beforehand, and I'm not at all sure 
they won't change.

What I'd like to do is write a perl script that will figure out what these numbers 
will be and write a script that I can feed into ntdsutil to do the dirty work.


  