Data Store Tools and Settings
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
In this section
Data Store Tools
Data Store Registry Entries
Data Store Group Policy Settings
Data Store WMI Classes
Network Ports Used by the Data Store
This section contains information about the tools, registry entries, Group Policy settings, Windows Management Instrumentation (WMI) classes, and network ports that are associated with the data store.
Note
In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS). The rest of this topic refers to Active Directory, but the information is also applicable to Active Directory Domain Services.
Data Store Tools
The following tools are associated with the data store.
Adsiedit.msc: ADSI Edit
Category
This tool ships with Support Tools for Windows Server 2003.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running: Servers running: Computers running: | Domain controllers running: |
ADSI Edit is a Microsoft Management Console (MMC) tool that you can use to view and modify directory objects.
To find more information about ADSI Edit, see Support Tools Help in Tools and Settings Collection.
Csvde.exe: Csvde
Category
This tool ships with Windows Server 2003.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running: Servers running: Computers running: | Domain controllers running: |
You can use Csvde to import and export data from Active Directory by using files that store data in the comma-separated value (CSV) file format standard. Csvde also supports batch operations that are based on CSV.
To find more information about Csvde, see “Command-Line References” in Tools and Settings Collection.
Dsadd.exe: Dsadd
Category
This tool ships with Windows Server 2003.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running: Servers running: Computers running: | Domain controllers running: |
You can use Dsadd to add specific types of objects to the directory.
To find more information about Dsadd, see “Command-Line References” in Tools and Settings Collection.
Dsget.exe: Dsget
Category
This tool ships with Windows Server 2003.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running: Servers running: Computers running: | Domain controllers running: |
You can use Dsget to display the selected properties of a specific object in the directory.
To find more information about Dsget, see “Command-Line References” in Tools and Settings Collection.
Dsmod.exe: Dsmod
Category
This tool ships with Windows Server 2003.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running: Servers running: Computers running: | Domain controllers running: |
You can use Dsmod to modify an existing object of a specific type in the directory.
To find more information about Dsmod, see “Command-Line References” in Tools and Settings Collection.
Dsmove.exe: Dsmove
Category
This tool ships with Windows Server 2003.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running: Servers running: Computers running: | Domain controllers running: |
You can use Dsmove to move a single object, within a domain, from its current location in the directory to a new location. You can also use Dsmove to rename a single object without moving it in the directory tree.
To find more information about Dsmove, see “Command-Line References” in Tools and Settings Collection.
Dsquery.exe: Dsquery
Category
This tool ships with Windows Server 2003.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running: Servers running: Computers running: | Domain controllers running: |
You can use Dsquery to query Active Directory according to specified criteria.
To find more information about Dsquery, see “Command-Line References” in Tools and Settings Collection.
Dsrm.exe: Dsrm
Category
This tool ships with Windows Server 2003.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running: Servers running: Computers running: | Domain controllers running: |
You can use Dsrm to delete an object of a specific type, or any general object, from the directory.
To find more information about Dsrm, see “Command-Line References” in Tools and Settings Collection.
Ldifde.exe: Ldifde
Category
This tool ships with Windows Server 2003.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running: Servers running: Computers running: | Domain controllers running: |
You can use Ldifde to create, modify, and delete directory objects on domain controllers. You can also use Ldifde to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory with data from other directory services.
To find more information about Ldifde, see “Command-Line References” in Tools and Settings Collection.
Ldp.exe: Ldp
Category
This tool ships with Support Tools for Windows Server 2003.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running: Servers running: Computers running: | Domain controllers running: |
Ldp is a Lightweight Directory Access Protocol (LDAP) graphical user interface (GUI) tool that you can use to perform operations such as connect, bind, search, modify, add, and delete against any LDAP-compatible directory, such as Active Directory. You can also use Ldp to view objects that are stored in Active Directory, along with their metadata, for example, security descriptors and replication metadata.
You can use the online dbdump feature in Ldp to view values that are stored in the database while the domain controller is running. You can trigger dbdump by modifying the dumpDatabase attribute on the rootDSE.
To find more information about Ldp, see “Support Tools Help” in Tools and Settings Collection.
Ntdsutil.exe: Ntdsutil
Category
This tool ships with Windows Server 2003.
Version compatibility
Can Be Run From | Can Be Run Against |
---|---|
Domain controllers running: | Domain controllers running: |
You can use Ntdsutil to perform Active Directory database maintenance, manage and control single master operations, and remove metadata left behind by domain controllers that are removed from the network without being properly uninstalled. This tool is intended for use by experienced administrators.
To find more information about Ntdsutil, see “Command-Line References” in Tools and Settings Collection.
Data Store Registry Entries
The following registry entries are associated with the data store.
The registry entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics control the logging level for the component or process that is specified in the entry name. The value for each entry is an integer from 0 (no logging) through 5 (most verbose logging), inclusive.
The registry entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters control or contain information about the configuration of the data store.
The information here is provided as a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
The following registry entries are located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.
3 ExDS Interface Events
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Controls the logging of events that result from communication between Active Directory and Microsoft Exchange clients.
4 MAPI Interface Events
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Controls the logging of events that result from communication between Active Directory and Microsoft Exchange clients.
6 Garbage Collection
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Controls the logging of events that are generated when objects that are marked for deletion are actually deleted.
7 Internal Configuration
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Controls the logging of internal operations.
8 Directory Access
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Controls the logging of read and write operations to directory objects from all sources.
9 Internal Processing
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Controls the logging of events that are related to internal directory service operations.
11 Initialization/Termination
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Controls the logging of events that are generated by starting and stopping Active Directory.
12 Service Control
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Controls the logging of Active Directory service events.
13 Name Resolution
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Controls the logging of events that are generated by the resolution of addresses and Active Directory names.
14 Backup
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Controls the logging of events that are related to backing up Active Directory. Specifically, controls the logging of events that occur when Extensible Storage Engine (ESE) database records are read or written during backup.
16 LDAP Interface Events
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Controls the logging of events that are related to LDAP.
18 Global Catalog
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Controls the logging of events that are related to the global catalog.
22 DS RPC Client
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Controls the logging of events that are related to communication between Directory System Agents (DSAs). Examples of such communication include replication and the forwarding of look-ups to a global catalog. Examples of logged events include remote procedure call (RPC) errors, canceled calls, Domain Name System (DNS) resolution failures, and service principal name (SPN)–related operations.
23 DS RPC Server
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Controls the logging of events that are related to a DSA acting as an RPC server. A DSA acts as an RPC server, for example, during outbound replication, replication setup operations, cross-domain moves, and membership queries or when a client makes a look-up call.
24 DS Schema
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Controls the logging of events that are related to schema errors and operations. Such errors and operations include schema additions, deletions, modifications, look-up errors, look-up failures, and caching errors.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
The following registry entries are located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
Configuration NC
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Contains the distinguished name of the configuration directory partition.
Database Backup Path
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Determines the directory that is used as the target directory when online backups of the directory database are performed.
Database Log Files Path
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Determines the directory path that is used to store Active Directory log files.
Database Logging/Recovery
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Controls a Microsoft Jet database engine parameter called JET_paramRecovery that determines whether database operations are logged.
DS Drive Mappings
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Used to track local drive mapping names, so that the database file can be located if drive mappings are modified.
DSA Database File
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Determines the file that is used by the domain controller for storing Active Directory objects.
DSA Working Directory
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Determines the working directory of Active Directory.
Hierarchy Table Recalculation Interval (minutes)
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Determines how frequently the hierarchy table for the directory database is built. The hierarchy table is used only by the Messaging API (MAPI) interface.
Ldapserverintegrity
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Determines whether connection integrity is required (by means of checksum-signed packets) for LDAP connections.
Machine DN Name
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Contains the distinguished name of the computer on which the domain controller is running.
Root Domain
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Contains the distinguished name of the root domain of the Active Directory forest to which the domain controller is connected.
Schema Version
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Domain controllers running Windows 2000 Server; Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Contains the schema version for which a particular operating system is configured.
System Schema Version
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Domain controllers running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition.
Contains the version of the schema at the time that a backup is taken. This value is used to prevent an incompatible schema version from being restored from backup.
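A read-only way to verify the registry entries described in this section, added here as an example and not taken from the original documentation. The function names Get-NtdsDiagnosticsLevel and Get-NtdsDataStoreParameter are hypothetical, and the script assumes PowerShell 3.0 or later in an elevated session on a domain controller.

```powershell
# Added example: read-only review of the NTDS registry entries listed in this topic.
# Assumes PowerShell 3.0 or later on a domain controller; nothing is written.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'

# Hypothetical helper: classify every entry under ...\NTDS\Diagnostics.
function Get-NtdsDiagnosticsLevel {
    param([string]$Path = "$ntds\Diagnostics")

    $key = Get-Item -Path $Path -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq '') { continue }          # skip the unnamed default value
        $raw = $key.GetValue($name)
        # Valid levels are integers 0 (no logging) through 5 (most verbose logging).
        $status = if ($raw -isnot [int] -or $raw -lt 0 -or $raw -gt 5) {
            'OutOfRange'
        } elseif ($raw -eq 0) {
            'Off'
        } else {
            'Logging'
        }
        [pscustomobject]@{ Entry = $name; Level = $raw; Status = $status }
    }
}

# Hypothetical helper: report the ...\NTDS\Parameters entries named in this topic.
function Get-NtdsDataStoreParameter {
    param([string]$Path = "$ntds\Parameters")

    # Entry names as spelled in this topic (registry value names are not case-sensitive).
    $names = 'Configuration NC', 'Database Backup Path', 'Database Log Files Path',
             'DSA Database File', 'DSA Working Directory', 'Ldapserverintegrity',
             'Machine DN Name', 'Root Domain', 'Schema Version', 'System Schema Version'

    $key = Get-Item -Path $Path -ErrorAction Stop
    foreach ($name in $names) {
        $value = $key.GetValue($name, $null)    # $null when the entry is absent
        [pscustomobject]@{
            Entry   = $name
            Present = $null -ne $value
            Value   = $value
        }
    }
}

# Show only the diagnostics entries that are not at level 0, then the parameters.
Get-NtdsDiagnosticsLevel | Where-Object { $_.Status -ne 'Off' } | Format-Table -AutoSize
Get-NtdsDataStoreParameter | Format-Table -AutoSize -Wrap
```

Entries reported as Logging are worth reviewing once troubleshooting ends, and the reported database, log, and backup paths identify the directories whose permissions and backups should be checked.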
Data Store Group Policy Settings
The following table lists and describes the Group Policy settings that are associated with the data store.
Group Policy Settings Associated with the Data Store
Group Policy Setting | Description |
---|---|
Audit Directory Services Access | When it is enabled, this Group Policy setting causes successful and failed directory access events to be logged in the Directory Service event log. |
Data Store WMI Classes
The following table lists and describes the WMI classes that are associated with the data store.
WMI Classes Associated with the Data Store
Class Name | Namespace | Version Compatibility |
---|---|---|
rootDSE | root\directory\LDAP | Domain controllers running: |
DS_LDAP_Class_Containment | root\directory\LDAP | Domain controllers running: |
DS_LDAP_Instance_Containment | root\directory\LDAP | Domain controllers running: |
For more information about these WMI classes, see “Mapping Active Directory to WMI” in the WMI SDK documentation on MSDN.
Network Ports Used by the Data Store
The network ports that are used by the data store are listed in the following table.
Port Assignments for the Data Store
Service Name | UDP | TCP |
---|---|---|
LDAP | None | 389 |
LDAP SSL | None | 636 |
RPC Endpoint Mapper | 135 | 135 |
Global Catalog LDAP | None | 3268 |
Global Catalog LDAP SSL | None | 3269 |