Tip: Essential Command-Line Tools for Managing Active Directory Follow Our Daily Tips facebook.com/TechNetTips twitter.com/TechNetTips blogs.technet.

et.com/tnmag Windows Server 2008 R2 includes several tools that let you manage Active Directory from the command line. Heres a look at the key tools and what they do. Adprep Prepares a Windows forest or domain for installation of Windows domain controllers (DCs). To prepare a forest or a domain, use adprep /forestprep and adprep /domainprep, respectively. (Note that for Windows Server 2003 SP1 or later, a domains Group Policy isnt automatically updated. To prepare Group Policy for the domain, you must use the command adprep /domainprep /gpprep. This modifies the access control entries (ACEs) for all Group Policy object (GPO) folders in the SYSVOL directory to grant read access to all enterprise domain controllers. This level of access is required to support RSoP for site-based policy. Because this security change causes the NT File Replication Service (NTFRS) to resend all GPOs to all domain controllers, you should use adprep /domainprep /gpprep only after careful planning.) Dsadd Adds computers, contacts, groups, organizational units, and users to Active Directory. Type dsadd objectname /? at a command prompt to display help information about using the command, such as dsadd computer /?. Dsget Displays properties of computers, contacts, groups, organizational units, users, sites, subnets, and servers registered in Active Directory. Type dsget objectname /? at a command prompt to display help information about using the command, such as dsget subnet /?. Dsmod Modifies properties of computers, contacts, groups, organizational units, users, and servers that exist in Active Directory. Type dsmod objectname /? at a command prompt to display help information about using the command, such as dsmod server /?. Dsmove Moves a single object to a new location within a single domain or renames the object without moving it. Type dsmove /? at a command prompt to display help information about using the command. Dsquery Uses search criteria to find computers, contacts, groups, organizational units, users, sites, subnets, and servers in Active Directory. Type dsquery /? at a command prompt to display help information about using the command. Dsrm Removes objects from Active Directory. Type dsrm /? at a command prompt to display help information about using the command. Ntdsutil Allows the user to view site, domain, and server information; manage operations masters; and perform database maintenance of Active Directory. Type ntdsutil /? at a command prompt to display help information about using the command.

From the Microsoft Press book Windows Server 2008 Administrators Pocket Consultant, Second Edition by William R. Stanek.

10. OclistMicrosoft added the command-oriented Server Core as an installation option for Server 2008, and it has its own commands. Oclist queries the installed roles on your Server Core system. To list the status of all Server Core roles, you can run the command
oclist

9. OcsetupThe Ocsetup command is used to install and remove roles and features from a Server Core system. The following example shows how to add the DHCP Server role:
start /w ocsetup DHCPServerCore

8. BcdeditLike Windows Vista, Server 2008 uses a new boot process that saves the system boot configuration in the Boot Configuration Data (BCD) store. The primary tool for editing Server 2008s BCD store is the Bcdedit command, which supports many command-line options. To list the contents of the store, run
bcdedit /enum

7. IcaclsThe Icacls command replaces the older Cacls and Xacls commands. Icacls lets you list, update, and back up the ACLs for files and directories. The following example shows how you can save the ACLs for the C:\temp directory:
icacls c:\temp /save tempacl

6. MklinkThe Mklink command creates a symbolic link in the file system that redirects all requests to a location you specify. Symbolic links are transparent to users, appearing as normal files or directories. The following example shows how to create a symbolic link named alsotemp for the C:\temp directory:
mklink /d alsotemp c:\temp

5. RobocopyA staple in the Windows Resource Kit for years, Robocopy is more capable than the standard Windows Copy and Xcopy commands, and its able to resume after network outages as well as correctly copy file attributes, alternate streams, and security information. The following example shows how to use Robocopy to create a mirrored copy of the MyData directory and all its subfolders on the share named Backups on MyServer:
robocopy "C:\MyData" "\\MyServer\Backups" /MIR /R:2 /NP

4. WbadminWbadmin is used for Server 2008 backup and restore operations. The following example shows how to use Wbadmin to perform a full system backup to the share named Backups on MyServer: wbadmin start backup -backuptarget \\MyServer\Backups
-allCritical -vssFull

3. WinRSThe WinRS command lets you open a secure command window with a remote host. All communications between the client and the host are encrypted using Kerberos or NT LAN Manager (NTLM) keys. The following example connects to the server named MyServer and displays the command shell:
winrs -r:MyServer cmd

2. AppcmdAppcmd.exe is a new command-line tool that can be found in the \ %WinDir%\System32\InetSrv directory. Appcmd is used to query, create, and

configure Microsoft IIS 7.0 server properties, Web sites, and application pools. To list all sites on the system, you can use the following command:
appcmd list sites

1. ServerManagerCmdWithout a doubt, the coolest commandline tool in Server 2008 is ServerManagerCmd.exe, which is the command-line version of the new Server Manager. This command essentially lets you script all of the Server Manager actions. To list all the installed roles and features on a Server 2008 system, you can enter
servermanagercmd.exe -query