Windows Management and Scripting

A wealth of tutorials: Windows Operating Systems, SQL Server and Azure


Posts Tagged ‘DNS Manager’

Active Directory Domain Administration Tools

Posted by Alin D on August 19, 2010

  • Active Directory Domains and Trusts: Manages trusts, domain and forest functional levels, and user principal name suffixes. It is located in Administrative Tools, reachable from either the Control Panel or the Start menu.
  • Active Directory Schema Snap-in: This tool will not appear unless it is enabled with the command “regsvr32.exe schmmgmt.dll”. Then it is only available by adding it to a custom-built MMC. It allows the modification of the schema for AD DS directories or AD LDS instances. It is best not to change anything here. That’s probably why it’s so difficult to find this tool.
  • Active Directory Sites and Services: Active Directory Domain Controllers automatically update records between themselves, but if a domain is split between two physical locations, it may not be feasible to have the Domain Controllers choose their own replication scheme. This may result in wasted bandwidth as they replicate across the WAN multiple times in both directions. ADSS allows an administrator to manage replication so that it only crosses the WAN once. The servers that communicate across the WAN are called bridgehead servers, and they replicate to all other Domain Controllers within their site. Active Directory Sites and Services is where you choose all of your replication schemes according to subnet. Replication can also be specified by server to force a direct replication between two servers in the same site.
  • Active Directory Users and Computers: The tool that everyone knows. It manages users, groups, and domain-specific FSMO roles. FSMO stands for Flexible Single Master Operation. The FSMO roles that domain controllers fulfill are:
    • RID master: Relative ID master maintains group membership when users or computers are moved between the domains. Also manages security principals. RID is part of the SID (System Identifier). Only one of these exists per domain.
    • Infrastructure master: Maintains GUIDs (Globally Unique IDs) in the domain and maintains groups and users from other domains and their membership in local groups. Only one of these exists per domain.
    • PDC Emulator: Originally, Active Directory domains could only have one domain controller. That primary domain controller updated, deleted, and managed records in the domain. For backwards compatibility, one domain controller will still act as that primary domain controller. Only one of these exists per domain.
  • ADSI Edit: Active Directory Service Interface will query, modify, and edit directory objects and attributes. It is a bit obtuse, but sometimes required. One example is when you need to create a password settings object.
  • Best Practices Analyzer: This is not just one tool, but a whole slew of tools available for download from Microsoft. It is available for lots of applications such as WSUS, DNS, Hyper-V, etc. Clearly, not all of them apply to Active Directory.
  • csvde.exe: A command line tool used to bulk add users to the domain from a csv file. A csv (comma separated value) file may be created in Word, Excel, or Notepad. It may be used to move users from one domain to another and list users in the domain.
  • dcdiag.exe: Diagnoses and creates a report on the status of Active Directory.
  • dcpromo.exe: Command line tool used to create or remove Active Directory. Can also be used to start the GUI version of the installation process.
  • dfsradmin.exe: Used to manage Distributed File System Replication, which is only available in Windows Server 2008 functional level. This checks the replication of the SYSVOL folder, which is where the information for Active Directory is stored. In 2008 forests, DFSR replaced FRS (file replication service) which was the old method for replication.
  • DNS Manager: A GUI console for managing the Domain Name Server and the records that it maintains.
  • dnscmd.exe: Command line utility used to manage DNS and all of its aspects.
  • dsacls.exe: This command line tool can be used to modify the ACL (access control list) on objects in Active Directory. All items in Active Directory will have NTFS permissions. This is just a way to modify them in command line.
  • dsadd.exe: Command used to add users, computers, or groups to an Active Directory domain. May be used in a command or incorporated into a script.
  • dsamain.exe: This command line utility is used to browse backups (.dit) of Active Directory.
  • dsbutil.exe: This command line utility is installed with Active Directory Lightweight Directory Services. It is used to maintain, view, and configure AD LDS ports.
  • dsget.exe: This command is used to retrieve data from Active Directory about an object.
  • dsmgmt.exe: This command line utility manages application partitions and FSMO roles in Active Directory. It will also clean meta data left behind by AD DCs and LDS servers that were removed without being uninstalled.
  • dsmod.exe: This command line utility is used to modify users, computers, and groups in Active Directory.
  • dsmove.exe: This command will move an object to a new location in the same directory. It can also be used to rename an object.
  • dsquery.exe: Command line utility to search for objects in Active Directory using defined characteristics.
  • dsrm.exe: Command line utility used to remove objects from Active Directory.
  • Event Viewer: A tool that has purposes other than DNS. However it does keep a record of changes in Active Directory. If auditing changes in Server 2008, it will log the old and new values for the change.
  • gpfixup.exe: After renaming the domain, some Group Policy objects and Group Policy links may not work properly. This command line utility repairs them.
  • Group Policy Management Console: This console is used to create, manage, back up, and restore GPOs.
  • ipconfig: While this is typically used in networking, this command line tool may indicate that the reason that users are unable to authenticate to the domain is because their network configuration is not correct.
  • ksetup.exe: Not actually specific to a Windows Server operating system, this command will prepare a client for a Kerberos v5 realm instead of an Active Directory domain.
  • ktpass.exe: This command line utility is used to configure a non-Windows Kerberos service to be used with an Active Directory domain.
  • ldifde.exe: This command line tool will import entries into AD LDS (Active Directory Lightweight Directory Services).
  • ldp.exe: This tool is invoked from command line and opens in the GUI. It is used to perform LDAP (Lightweight Directory Access Protocol) operations against the directory.
  • movetree.exe: This command line tool, which may be downloaded from Microsoft, is used to move objects from one domain to another in a forest. It is not available in Windows Server 2008.
  • netdom.exe: This command line tool allows the management of computer and user accounts and trust relationships. This is available on client versions of Windows as well.
  • nltest.exe: This command line tool is used to verify trust relationships or check replication status. This is available on client versions of Windows as well.
  • nslookup.exe: Used in the command line, nslookup.exe is used to diagnose DNS problems and view information on name servers. This is available on client versions of Windows as well.
  • ntdsutil.exe: This command line tool is used to perform maintenance on AD DS/AD LDS.
  • repadmin.exe: This command line tool is used to check replication between domain controllers that use the FRS (File Replication Service). FRS was the replication method of the SYSVOL folder that contains all the information about the Active Directory domain. In a Windows Server 2008 forest, the replacement service is DFSR (Distributed File Replication Service).
  • Server Manager: This GUI tool in Windows Server 2008 is used to manage many aspects of a Windows Server 2008. Active Directory management happens to be a part of it. It is similar to the “Manage Your Server” tool in Server 2003 or Computer Management in other operating systems.
  • System Monitor: A console used to create baseline references (benchmarks) and create charts and graphs of server performance.
  • ultrasound.exe: A console (not available in Windows Server 2008) that is used to troubleshoot replication of FRS. It is invoked via command line and relies on WMI (Windows Management Instrumentation).
  • w32tm.exe: Kerberos relies heavily on the fact that all systems in the domain have the same time. The command line tool w32tm.exe is used to view, manage, or diagnose problems with Windows Time. This tool is available on many Windows operating systems.
  • Windows Server Backup (wbadmin.exe): Backs up or restores many parts of a Windows operating system. Introduced in Server 2008. The older version was simply called backup (ntbackup.exe). It can be used to back up the whole computer or only certain sections such as DNS, AD, AD LDS.

Posted in Windows 2008