The Directory Service Comparison Tool makes use of Active Directory and Active Directory snapshots to enable the following functionality:

  • Display differences between objects in Active Directory and Active Directory Snapshots
  • Restore attribute values from snapshots to Active Directory
  • Reanimate deleted objects
  • Group membership restore [new]
    Display differences in group membership for a selected object (users, computers and groups). Allows for full or selective restore of group membership at any time.
  • Active Directory audit integration [new]
    Retrieve relevant AD audit event log entries for a specific object from all domain controllers in a domain. Filtering options allow you to find and inspect attribute specific event log entries.


Auditing feature in DSCT 1.3.2.X (click for larger version)

Auditing feature in DSCT 1.3.3.X (click for larger version)



Sneak peak of DSCT 2.0
New features in the next release of DSCT

 Download

Previous versions available at the bottom of this page.

Getting Started

  1. Start MMC and add the Directory Service Comparison Tool via the Add/Remove Snap-in dialog.
  2. Open the Connection Settings dialog and connect to your DC and snapshot. Don’t forget to specify the portnumber for the snapshot host. No objects will be displayed in DSCT unless differences are detected between the DC and the snapshot.
  3. Click the Resync button if you have just modified an object in Active Directory and want to compare it to it’s former state in the snapshot.

Requirements

  • .NET 3.5 or higher
  • MMC 3.0
  • Data sources: Active Directory and a mounted Active Directory Snapshot on Windows Server 2008 or Windows Server 2008 R2
  • Active Directory audit integration: domain controllers must be Windows Server 2008 (R2 supported). Active Directory auditing must be enabled. RODCs and domain controllers running on older operating systems will be ignored.
  • DSCT does not have to be installed on a domain controller nor does it have to be installed on a domain joined machined. A functional DNS infrastructure is recommended.
  • DSCT can be installed and run on Windows Server 2008, Windows XP SP3 (audititing feature not supported) and most likely Windows Vista (not tested yet)

Testing so far

  • x86 and x64 versions installed and tested on Windows Server 2008 x64
  • x86 version installed and tested on Windows XP SP3
  • Active Directory and snapshots on Windows Server 2008 and Windows Server 2008 R2 tested as data sources
  • Locally on a DC and on a separate (non domain joined) machine
  • Restore attribute values has been tested on several attributes including ntSecurityDescriptor, multi-value attributes like member and more normal ones like givenName, sn, accountExpires, etc.
  • Group membership restore has been tested on users, computers and groups
  • Reanimation functionality has been tested on users, groups and organizationalUnits.
  • Active Directory audit integration tested with 10 domain controllers and a total 1.2 million event log entries in the security event logs. 6 of these spread over several domain controllers were of interest. DSCT, running on a dual core machine, retrieved these in roughly 6 seconds.

Known issues in 1.3.X

  • Due to a bug in the Windows Server 2008 snapshot feature recently created snapshots will appear to be more up to date than the Active Directory instance. DSCT has a workaround for this scenario. Read this post for further information. This issue does not affect Windows Server 2008 R2.

Previous releases

Requirements for 1.2.1

  • .NET Framework 2.0
  • MMC 3.0