Ntdsutil

This is the command-line reference from Microsoft. This page is reprinted for historical purposes for people who don’t upgrade their servers but still need to know how to troubleshoot. If I have anything else to add to this, it will be at the bottom.

Original URL: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc753343(v=ws.11)

Applies To: Windows Server 2003, Windows Server 2008, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012, Windows Server 2003 with SP1, Windows 8

Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use the ntdsutil commands to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. This tool is intended for use by experienced administrators.

Ntdsutil.exe is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the AD DS or the AD LDS server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (https://go.microsoft.com/fwlink/?LinkID=177813).

To use Ntdsutil.exe, you must run the ntdsutil command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

If you have the AD LDS server role installed but not the AD DS server role, you can use the dsdbutil.exe and dsmgmt.exe command-line tools to perform the same tasks that you can perform with ntdsutil.exe. For more information about the dsdbutil command, see Dsdbutil. For more information about the dsmgmt command, see Dsmgmt.

For most of the Ntdsutil commands, you only need to type the first few characters of the command name rather than the entire command. For example, you can type either of the following commands to activate an instance for AD DS:

activate instance ntds
ac i ntds

The short form for each command is listed in the following table.

Syntax

Ntdsutil [activate instance %s | authoritative restore | change service account %s1 %s2 | configurable settings | DS behavior | files | group membership evaluation | Help | ifm | ldap policies | ldap port %d | list instance | local roles | metadata cleanup | partition management | popups on | popups off | quit | roles | security account management | semantic database analysis | set DSRM password | snapshot | SSL port %d]

Commands

| Command | Short form | Description |
| --- | --- | --- |
| Activate instance %s | ac i %s | Sets NTDS or a specific AD LDS instance as the active instance. |
| authoritative restore | au r | Authoritatively restores the Active Directory database or AD LDS instance. |
| Change service account %s1 %s2 | | Changes the AD LDS service account to user name %s1 and password %s2. Use “NULL” for a blank password. Use * to prompt the user to enter a password. |
| configurable settings | co s | Manages configurable settings. |
| DS behavior | ds b | Views and modifies AD DS or AD LDS behavior. |
| files | f | Manages AD DS or AD LDS database files. |
| group membership evaluation | g m e | Evaluates security IDs (SIDs) in the token for a given user or group. |
| Help | | Shows this help information. |
| ifm | i | Creates installation media for writable (full) and read-only domain controllers (RODCs) and instances of AD LDS. |
| LDAP policies | | Manages Lightweight Directory Access Protocol (LDAP) protocol policies. |
| Ldap port %d | | Configures an LDAP port for an AD LDS instance. |
| List instances | li i | Lists all AD LDS instances that are installed on a computer. |
| local roles | lo r | Manages local administrative roles on an RODC. |
| metadata cleanup | m c | Cleans up objects of decommissioned servers. |
| partition management | pa m | Manages directory partitions. |
| Popups off | po off | Disables popups. |
| Popups on | po on | Enables popups. |
| Quit | q | Quits the command. |
| roles | r | Transfers and seizes operations master roles. |
| security account management | sec a m | Manages SIDs. |
| semantic database analysis | sem d a | Verifies integrity of AD DS or AD LDS database files with respect to Active Directory semantics. |
| set DSRM password | set d p | Resets the Directory Services Restore Mode (DSRM) administrator password. |
| snapshot | sn | Manages snapshots of the volumes that contain the Active Directory database and log files. |
| SSL port %d | | Configures a Secure Sockets Layer (SSL) port for an AD LDS instance. |
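
Because commands can be abbreviated, a review of recorded ntdsutil sessions that matches only full command names misses the short forms. The following is an added example, not part of the Microsoft reference: it expands typed commands to the names in the table above. The per-word prefix rule, the `REVIEW` set and the sample session are assumptions made for illustration.

```python
# Command names are taken from the Commands table on this page.
COMMANDS = [
    "activate instance", "authoritative restore", "change service account",
    "configurable settings", "ds behavior", "files",
    "group membership evaluation", "help", "ifm", "ldap policies",
    "ldap port", "list instances", "local roles", "metadata cleanup",
    "partition management", "popups off", "popups on", "quit", "roles",
    "security account management", "semantic database analysis",
    "set dsrm password", "snapshot", "ssl port",
]
# Assumption: commands this reviewer wants surfaced (illustrative policy).
REVIEW = {"authoritative restore", "change service account", "ifm",
          "metadata cleanup", "roles", "set dsrm password", "snapshot"}


def expand(line):
    """Return (canonical command, arguments), or None when the input is
    empty, incomplete, unknown or ambiguous.

    Assumption: every word may be shortened to a prefix; the page itself
    documents only the short forms listed in its table.
    """
    tokens = line.lower().split()
    # zip() stops at the shorter sequence: trailing arguments are ignored
    # here, and a too-short input still counts toward ambiguity.
    matches = [c for c in COMMANDS
               if all(w.startswith(t) for t, w in zip(tokens, c.split()))]
    if len(matches) != 1:
        return None
    words = matches[0].split()
    if len(tokens) < len(words):
        return None  # e.g. "li" alone: first word matched, rest missing
    return matches[0], line.split()[len(words):]


def audit(session):
    """Map each typed command to (typed, canonical or None, needs_review)."""
    report = []
    for typed in session:
        hit = expand(typed)
        name = hit[0] if hit else None
        # Unresolved input is flagged too, so nothing is silently skipped.
        report.append((typed, name, name is None or name in REVIEW))
    return report


# Constructed sample session, not taken from a real log.
SAMPLE = ["ac i ntds", "sem d a", "SET D P", "po off", "ldap po", "q"]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

In the sample, `SET D P` resolves to `set dsrm password` and is flagged, and `ldap po` is flagged as unresolved because it could mean either `ldap policies` or `ldap port`.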
