Active directory tools

ntdsutil

Use for command-line maintenance of your Active Directory database. Installed by default on domain controllers and menu driven. Although many of its functions are also available via the GUI, it's worth becoming familiar with this tool as sometimes nothing else will do. For example, it's needed for cleaning up if a domain controller isn't demoted cleanly.

dcdiag.exe

Command-line tool to perform various domain controller tests to help confirm health and diagnose problems. Part of the Support Tools suite (2000/2003) or included by default in Windows 2008.

netdiag.exe

For network-related tests and troubleshooting. Part of the Support Tools suite (2000/2003) or included by default in Windows 2008.

repadmin.exe and replmon.exe

Command-line tool to monitor and troubleshoot replication issues (repadmin.exe) and a GUI version that provides much of the same functionality (replmon.exe). Part of the Support Tools suite (2000/2003) or included by default in Windows 2008 (replmon is no longer provided).

ntfrsutl.exe

Accesses information on the ntfrs service including subscription information etc. Part of the Support Tools suite (2000/2003) or included by default in Windows 2008.

Sonar

A graphical tool to monitor the status of the File Replication Service. Look for it on the Microsoft Download Center.

ADSI Edit

Low level editor for Active Directory. Installed as part of the Support Tools for Windows Server 2000 and 2003, and installed by default when you install Active Directory on Windows Server 2008.

Group Policy Management Console (GPMC)

It's been around for a while but you need to download it separately on 2003 (it's included in 2008). An improvement on the built-in group policy editor, you need at least 2003 server or XP SP1 to run it. Download it from Microsoft.

dsadd, dsget, dsmod, dsmove, dsquery, dsrm

Built-in command-line tools included with 2003 and 2008, use /? after the command for syntax.

csvde, ldifde

Built-in command-line tools included with 2000 and above, csvde is particularly useful for dumping the contents of Active Directory into a csv file, or creating new objects from a similar file. Again, use /? after the command for help.

ADModify

Created to make it easier to do bulk operations on Active Directory objects, such as modifications, imports and exports. Requires .NET framework installed (version 2 probably). It's currently travelling the internet so download from http://ADModify.NET and check the Microsoft Exchange Team Blog for an introduction.

redirusr.exe and redircmp.exe

Built-in command-line tools included with Windows 2003 and above. Change the default containers for new user and computer objects respectively.

Account lockout and Management Tools

Microsoft have provided a number of tools in their Account lockout and Management Tools package, to help in these areas, along with a script to turn on Kerberos logging. They also provide some information on the Account Management Tools.