Active Directory Domain Services management, database/metadata maintenance, etc.
Run NTDSUtil from an elevated command prompt. NTDSUtil.exe is built into Windows Server 2008 /R2. It is available if you have the AD DS or the AD LDS server role installed or if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT).
This tool is intended for use by experienced administrators. NTDSUtil is very powerful, but it is also dangerous: some commands will require Active Directory to be taken offline.
Syntax
      Ntdsutil option

Options
   activate instance %s             - Set "NTDS" or a specific AD LDS instance as the active instance.
   authoritative restore            - Authoritatively restore the DIT database.
   change service account %s1 %s2   - Change AD DS/LDS Service Account to username %s1 and password %s2.
                                      Use "NULL" for blank password, * to be prompted.
   configurable settings            - Manage configurable settings
   DS behavior                      - View and modify AD DS/LDS Behavior
   files                            - Manage AD DS/LDS database files
   group membership evaluation      - Evaluate SIDs in token for a given user or group
   Help                             - Show help
   ifm                              - IFM media creation
   ldap policies                    - Manage LDAP protocol policies
   ldap port %d                     - Configure LDAP Port for an AD LDS Instance.
   list instance                    - List all AD LDS instances installed on this machine.
   local roles                      - Local RODC roles management
   metadata cleanup                 - Clean up objects of decommissioned servers
   partition management             - Manage directory partitions
   popups on                        - Disable popups
   popups off                       - Enable popups
   quit                             - Quit the utility
   roles                            - Manage NTDS role owner tokens
   security account management      - Manage Security Account Database - Duplicate SID Cleanup
   semantic database analysis       - Semantic Checker
   set DSRM password                - Reset directory service restore mode administrator account password
   snapshot                         - Snapshot management
   SSL port %d                      - Configure SSL Port for an AD LDS Instance.
For most commands there is a short form that uses the first few characters instead of the entire command; these are shown above in bold. Any abbreviation that uniquely identifies the command will work.
For example the interactive commands:
ntdsutil roles "select operation target" "connections" "connect to server server64" quit "list roles for connected server" quit quit quit
Can be abbreviated for use in a script:
ntdsutil r "sel o t" c "co t s server64" q "l r f c s" q q q
Or a little more readably:
ntdsutil rol "sel op targ" conn "conn to serv server64" qu "li rol fo conn serv" qu qu qu
At the ntdsutil: prompt, type HELP at any point to see the available commands/subcommands.
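Because any unique abbreviation is accepted, the same command can be spelled many ways in a script or a logged command line. The Python below is an added example, not part of the original page or of NTDSUtil itself: it resolves an abbreviated top-level command back to the full name from the Options list, for use when reviewing scripts or command-line audit logs. The matching rule (same word count, each typed word a case-insensitive prefix) is an assumption inferred from the examples above, and the function names are hypothetical.

```python
import shlex

# Top-level menu as listed under Options on this page; %s/%d mark arguments.
MENU = [
    "activate instance %s", "authoritative restore",
    "change service account %s1 %s2", "configurable settings", "DS behavior",
    "files", "group membership evaluation", "Help", "ifm", "ldap policies",
    "ldap port %d", "list instance", "local roles", "metadata cleanup",
    "partition management", "popups on", "popups off", "quit", "roles",
    "security account management", "semantic database analysis",
    "set DSRM password", "snapshot", "SSL port %d",
]


def candidates(typed):
    """Return every menu entry that the typed text could abbreviate.

    Assumed rule: same number of words, each typed word a case-insensitive
    prefix of the menu word; a %-placeholder accepts any argument.
    """
    words = typed.split()
    hits = []
    for entry in MENU:
        parts = entry.split()
        if len(parts) != len(words):
            continue
        if all(p.startswith("%") or p.lower().startswith(w.lower())
               for p, w in zip(parts, words)):
            hits.append(entry)
    return hits


def expand(typed):
    """Canonical form of one top-level command, or None if not unique."""
    hits = candidates(typed)
    if len(hits) != 1:
        return None
    parts, words = hits[0].split(), typed.split()
    # Keep the argument that was typed where the menu has a placeholder.
    return " ".join(w if p.startswith("%") else p for p, w in zip(parts, words))


def first_command(command_line):
    """Expand the first ntdsutil argument of a logged command line."""
    # posix=False keeps Windows backslashes intact; quotes are stripped by hand.
    argv = shlex.split(command_line, posix=False)
    return expand(argv[1].strip('"')) if len(argv) > 1 else None
```

A None result means the text is either not a top-level command or matches more than one entry; candidates() lists the entries it collides with.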
“Tyranny is always better organized than freedom” ~ Charles Peguy
NTDSUtil - Microsoft reference page.
Repadmin - Diagnose Active Directory replication problems.