This is the command line reference from Microsoft. This page is for reprinted for historic purposes for people that don’t upgrade their servers but still need to know how to troubleshoot. If i have anything else to add to this it will be at the bottom.
Original URL: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc753343(v=ws.11)
Applies To: Windows Server 2003, Windows Server 2008, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012, Windows Server 2003 with SP1, Windows 8
Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use the ntdsutil commands to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. This tool is intended for use by experienced administrators.
Ntdsutil.exe is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the AD DS or the AD LDS server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (https://go.microsoft.com/fwlink/?LinkID=177813).
To use Ntdsutil.exe, you must run the ntdsutil command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
If you have the AD LDS server role installed but not the AD DS server role, you can use the dsdbutil.exe and dsmgmt.exe command-line tools to perform the same tasks that you can perform with ntdsutil.exe. For more information about the dsdbutil command, see Dsdbutil. For more information about the dsmgmt command, see Dsmgmt.
For most of the Ntdsutil commands, you only need to type the first few characters of the command name instead than the entire command. For example, you can type either of the following commands to activate an instance for AD DS:Copy
activate instance ntds ac i ntds
The short form for each command is listed in the following table.
Ntdsutil [activate instance %s | authoritative restore | change service account %s1 %s2 | configurable settings | DS behavior | files | group membership evaluation | Help | ifm | ldap policies | ldap port %d | list instance | local roles | metadata cleanup | partition management | popups on | popups off | quit | roles | security account management | semantic database analysis | set DSRM password | snapshot | SSL port %d]
|Activate instance %sshort form: ac i %s||Sets NTDS or a specific AD LDS instance as the active instance.|
|authoritative restoreShort form: au r||Authoritatively restores the Active Directory database or AD LDS instance.|
|Change service account %s1 %s2||Changes the AD LDS service account to user name %s1 and password %s2. Use “NULL” for a blank password. Use * to prompt the user to enter a password.|
|configurable settingsShort form: co s||Manages configurable settings.|
|DS behaviorShort form: ds b||Views and modifies AD DS or AD LDS behavior.|
|filesShort form: f||Manages AD DS or AD LDS database files.|
|group membership evaluationShort form: g m e||Evaluates security IDs (SIDs) in the token for a given user or group.|
|Help||Shows this help information.|
|ifmShort form: i||Creates installation media for writable (full) and read-only domain controllers (RODCs) and instances of AD LDS.|
|LDAP policies||Manages Lightweight Directory Access Protocol (LDAP) protocol policies.|
|Ldap port %d||Configures an LDAP port for an AD LDS instance.|
|List instancesShort form: li i||Lists all AD LDS instances that are installed on a computer.|
|local rolesShort form: lo r||Manages local administrative roles on an RODC.|
|metadata cleanupShort form: m c||Cleans up objects of decommissioned servers.|
|partition managementShort form: pa m||Manages directory partitions.|
|Popups offShort form: po off||Disables popups.|
|Popups onShort form: po on||Enables popups.|
|QuitShort form: q||Quits the command.|
|rolesShort form: r||Transfers and seizes operations master roles.|
|security account managementShort form: sec a m||Manages SIDs.|
|semantic database analysisShort form: sem d a||Verifies integrity of AD DS or AD LDS database files with respect to Active Directory semantics.|
|set DSRM passwordShort form: set d p||Resets the Directory Services Restore Mode (DSRM) administrator password.|
|snapshotShort form: sn||Manages snapshots of the volumes that contain the Active Directory database and log files.|
|SSL port %d||Configures a Secure Sockets Layer (SSL) port for an AD LDS instance.|
Did you get a clue?
If you got a clue and want to thank me, then visit the thank me page. It’s the best way to keep me publishing articles and keeping this site operation.
This site uses affiliate links. When you go to another site from here the link typically will have an affiliate code attached to it. Your actions on that site may earn a small commission for me. Read our affiliate link policy for more details.