NTDSUtil (NT Directory Service Utility)

Active Directory Domain Services management, database/metadata maintenance, etc.

Run NTDSUtil from an elevated command prompt. NTDSUtil.exe is built into Windows Server 2008 /R2. It is available if you have the AD DS or the AD LDS server role installed or if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT).

This tool is intended for use by experienced administrators. NTDSUtil is very powerful, but it’s also dangerous: some commands will require Active Directory to be taken offline.

Syntax
      Ntdsutil option

Options
   activate instance %s        - Set "NTDS" or a specific AD LDS instance as the active instance.
   authoritative restore       - Authoritatively restore the DIT database.
   change service account %s1 %s2   - Change AD DS/LDS Service Account to
                                   username %s1 and password %s2.
                                   Use "NULL" for blank password, * to be prompted.
   configurable settings       - Manage configurable settings
   DS behavior                 - View and modify AD DS/LDS Behavior
   files                       - Manage AD DS/LDS database files
   group membership evaluation - Evaluate SIDs in token for a given user or group
   Help                        - Show help
   ifm                         - IFM media creation
   ldap policies               - Manage LDAP protocol policies
   ldap port %d                - Configure LDAP Port for an AD LDS Instance.
   list instance               - List all AD LDS instances installed on this machine.
   local roles                 - Local RODC roles management
   metadata cleanup            - Clean up objects of decommissioned servers
   partition management        - Manage directory partitions
   popups on                   - Disable popups
   popups off                  - Enable popups
   quit                        - Quit the utility
   roles                       - Manage NTDS role owner tokens
   security account management - Manage Security Account Database - Duplicate SID Cleanup
   semantic database analysis  - Semantic Checker
   set DSRM password           - Reset directory service restore mode administrator account password
   snapshot                    - Snapshot management
   SSL port %d                 - Configure SSL Port for an AD LDS Instance.  

For most commands there is a short form, using the first few characters instead of the entire command; these are shown above in bold. Any abbreviation that will uniquely identify the command will work.

For example, the interactive commands:

ntdsutil roles
  "select operation target"
    "connections"
      "connect to server server64"
      quit
    "list roles for connected server"
    quit
  quit
quit

Can be abbreviated for use in a script:

ntdsutil r "sel o t" c "co t s server64" q "l r f c s" q q q

Or a little more readably:

ntdsutil rol "sel op targ" conn "conn to serv server64" qu "li rol fo conn serv" qu qu qu

At the ntdsutil: prompt, type HELP at any point to see the available commands/subcommands.
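
Because any unique abbreviation is accepted, a logged command line like the scripted forms above never contains the full command name. The following added example (not part of the original page) resolves the first ntdsutil argument of a logged command line back to the names in the Options table. The word-by-word prefix rule and the function names `expand` and `top_level_command` are assumptions for illustration; submenu commands are returned unexpanded.

```python
import shlex

# Top-level commands from the Options table above, mapped to the number of
# arguments (%s / %d placeholders) each one takes.
COMMANDS = {
    "activate instance": 1, "authoritative restore": 0,
    "change service account": 2, "configurable settings": 0,
    "ds behavior": 0, "files": 0, "group membership evaluation": 0,
    "help": 0, "ifm": 0, "ldap policies": 0, "ldap port": 1,
    "list instance": 0, "local roles": 0, "metadata cleanup": 0,
    "partition management": 0, "popups on": 0, "popups off": 0,
    "quit": 0, "roles": 0, "security account management": 0,
    "semantic database analysis": 0, "set dsrm password": 0,
    "snapshot": 0, "ssl port": 1,
}


def expand(token):
    """Return every top-level command that the typed token could stand for.

    Assumed matching rule: each typed word is a prefix of the command word
    in the same position, followed by exactly the command's arguments.
    """
    typed = token.lower().split()
    hits = []
    for command, nargs in COMMANDS.items():
        words = command.split()
        if len(typed) == len(words) + nargs and all(
            full.startswith(part) for part, full in zip(typed, words)
        ):
            hits.append(command)
    return hits


def top_level_command(command_line):
    """Resolve the first ntdsutil argument of a logged command line.

    Returns (candidates, remaining_tokens). candidates is empty when the
    line is not an ntdsutil call or the first argument matches nothing.
    """
    # posix=False keeps backslashes in Windows paths; quotes are stripped here.
    tokens = [t.strip('"') for t in shlex.split(command_line, posix=False)]
    if not tokens:
        return [], []
    image = tokens[0].lower().rsplit("\\", 1)[-1]
    if image not in ("ntdsutil", "ntdsutil.exe") or len(tokens) < 2:
        return [], []
    return expand(tokens[1]), tokens[2:]
```

More than one candidate in the result means the abbreviation was not unique, as with `p o` for the two popups commands.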


Related commands

NTDSUtil - Microsoft reference page.
DsMgmt - Directory Service Management Microsoft reference page.
Repadmin - Diagnose Active Directory replication problems.


 
Copyright © 1999-2024 SS64.com
Some rights reserved