Directory Service Comparison Tool 2.0 B3
The Directory Service Comparison Tool makes use of Active Directory and Active Directory snapshots to enable the following functionality:
- Display differences between objects in Active Directory and Active Directory Snapshots
- Restore attribute values from snapshots to Active Directory
- Reanimate deleted objects
- Group membership restore
Display differences in group membership for a selected object (users, computers and groups). Allows for full or selective restore of group membership at any time. - Active Directory audit integration
Retrieve relevant AD audit event log entries for a specific object from all domain controllers in a domain. Filtering options allow you to find and inspect attribute specific event log entries. - Tree view [new]
DSCT displays added/modified/deleted objects in a familiar tree structure. Objects are color coded depending on the type of operation (the color part still needs some work, my respect to anyone who designs GUIs for a living) - Differences in the membership of a group[new]
DSCT can now show you which objects were added and removed from a group since the snapshot was taken.
A list of new features and improvements in DSCT 2.0 can be found in this post. Have fun and keep in mind that this is a beta version! Special thanks to Daniel Brad for some real world testing.
DSCT 2.0 (click for larger version)
Download
Previous versions available at the bottom of this page.
Getting Started
- Start MMC and add the Directory Service Comparison Tool via the Add/Remove Snap-in dialog.
- Open the Connection Settings dialog and connect to your DC and snapshot. Don’t forget to specify the portnumber for the snapshot host. No objects will be displayed in DSCT unless differences are detected between the DC and the snapshot.
- Click the Resync button if you have just modified an object in Active Directory and want to compare it to it’s former state in the snapshot.
Requirements
- .NET 3.5 or higher
- MMC 3.0
- Data sources: Active Directory and a mounted Active Directory Snapshot on Windows Server 2008 or Windows Server 2008 R2
- Active Directory audit integration: domain controllers must be Windows Server 2008 (R2 supported). Active Directory auditing must be enabled. RODCs and domain controllers running on older operating systems will be ignored.
- DSCT does not have to be installed on a domain controller nor does it have to be installed on a domain joined machined. A functional DNS infrastructure is recommended.
- DSCT can be installed and run on Windows Server 2008, Windows Server 2008 R2. Windows Vista and Windows 7 should work fine although this has not been tested.
Testing so far
- x86 and x64 versions installed and tested on Windows Server 2008 x64
- Active Directory and snapshots on Windows Server 2008 and Windows Server 2008 R2 tested as data sources
- Locally on a DC and on a separate (non domain joined) machine
- Restore attribute values has been tested on several attributes including ntSecurityDescriptor, multi-value attributes like member and more normal ones like givenName, sn, accountExpires, etc.
- Group membership restore has been tested on users, computers and groups
- Reanimation functionality has been tested on users, groups and organizationalUnits.
- Active Directory audit integration tested with 10 domain controllers and a total 1.2 million event log entries in the security event logs. 6 of these spread over several domain controllers were of interest. DSCT, running on a dual core machine, retrieved these in roughly 6 seconds.
Known issues
- Full membership restore of very large groups (20k+) fails on a DC running Windows Server 2008. I have not been able to reproduce this error on Windows Server 2008 R2. Needs some more investigation
- Due to a bug in the Windows Server 2008 snapshot feature recently created snapshots will appear to be more up to date than the Active Directory instance. DSCT has a workaround for this scenario. Read this post for further information. This issue does not affect Windows Server 2008 R2.
Previous releases