Using Ntdsutil Tool to Manage Active Directory

The NTDSutil.exe utility is one of the key tools for managing Active Directory and its database (the ntds.dit file).

AD administrators use the NTDSutil utility in a number of scenarios. Most often it is used to:

  • Transfer or seize FSMO roles between domain controllers in the AD domain;
  • Perform an authoritative restore of deleted Active Directory objects;
  • Remove failed (missing) AD domain controllers;
  • Perform AD database maintenance: check integrity, compact the database, or move the ntds.dit file or the AD log files to another drive on a domain controller to improve performance;
  • Manage Active Directory snapshots;
  • Change the administrator password for DSRM (Directory Services Restore Mode).

To display the basic syntax of the NTDSutil utility, open an elevated command prompt on the domain controller and run:

Ntdsutil.exe /?


As you can see, the Ntdsutil utility offers a number of subcommands. Let’s look at the most useful ones in more detail, with examples.

Transfer FSMO Roles Using Ntdsutil

Let me remind you that there are five FSMO (Flexible Single Master Operation) roles in AD:

  1. Schema master;
  2. Domain naming master;
  3. RID master;
  4. PDC emulator master;
  5. Infrastructure master.

These roles can be held by different domain controllers in the AD forest and/or domain. To list the current owners of the FSMO roles, run:

netdom query fsmo


With ntdsutil you can transfer any of the FSMO roles to another DC.

Open an elevated command prompt on any DC and run the following commands in sequence:

Ntdsutil

ntdsutil: roles

fsmo maintenance: connections

Specify the name of the server to which you want to transfer FSMO roles (for example, hq-dc02).

server connections: connect to server hq-dc02

server connections: quit

To transfer all the FSMO roles, execute the following commands one after another:

fsmo maintenance: transfer schema master

fsmo maintenance: transfer naming master

fsmo maintenance: transfer rid master

fsmo maintenance: transfer pdc

fsmo maintenance: transfer infrastructure master

In this example the FSMO roles are transferred between healthy DCs; if the current role owner has failed and cannot be brought back, you can forcibly seize any FSMO role from it instead.
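As an added example (not code from the original article), the same transfer done in one non-interactive ntdsutil invocation from PowerShell, followed by a check of who owns each role afterwards. The target DC name hq-dc02 comes from the article; the ActiveDirectory RSAT module and an elevated session on a DC are assumed.

```powershell
# Added example: non-interactive FSMO transfer with ntdsutil plus verification.
# Assumes the ActiveDirectory module is installed and the session is elevated.
$TargetDc = 'hq-dc02'   # target DC name taken from the article

# Each argument is one line that would otherwise be typed at the ntdsutil
# prompt, in the same order as in the interactive walkthrough above.
# For a failed role owner, replace 'transfer' with 'seize' (same syntax).
# ntdsutil still shows a Yes/No confirmation dialog for each role.
$ntdsArgs = @(
    'roles',
    'connections',
    "connect to server $TargetDc",
    'quit',
    'transfer schema master',
    'transfer naming master',
    'transfer rid master',
    'transfer pdc',
    'transfer infrastructure master',
    'quit',
    'quit'
)
& ntdsutil.exe @ntdsArgs

# Verify the result: the two forest-wide roles are reported by Get-ADForest,
# the three domain-wide roles by Get-ADDomain (both return the owner's FQDN).
$forest = Get-ADForest
$domain = Get-ADDomain
$owners = [ordered]@{
    'Schema master'         = $forest.SchemaMaster
    'Domain naming master'  = $forest.DomainNamingMaster
    'RID master'            = $domain.RIDMaster
    'PDC emulator'          = $domain.PDCEmulator
    'Infrastructure master' = $domain.InfrastructureMaster
}
$owners.GetEnumerator() | ForEach-Object {
    # Owner is an FQDN, so match on the host label followed by a dot.
    $state = if ($_.Value -like "$TargetDc.*") { 'OK' } else { 'NOT MOVED' }
    '{0,-22} {1,-40} {2}' -f $_.Key, $_.Value, $state
}
```

Any role still reported as NOT MOVED means the corresponding transfer was declined in the confirmation dialog or failed; compare with netdom query fsmo before retrying.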

Reset DSRM Password Using Ntdsutil

If you do not know the password of the administrator account for the special boot mode of the domain controller (Directory Services Restore Mode, DSRM), you can reset this password on a local or remote DC using Ntdsutil. This scenario is described in detail in the article: Accessing Domain Controller in the DSRM mode.

Offline Defragmentation and Compression of the AD Database Using Ntdsutil

With Ntdsutil, you can perform an offline defragmentation and compaction of the AD database (the ntds.dit file). This reduces the size of the database file and improves performance by rebuilding its indexes. See the article: Compacting Active Directory database.

Removing Failed DC Using Ntdsutil

If repadmin /replsum shows that one of your DCs is failing, and after checking manually you determine that the server is down and cannot be restored, you can forcibly remove this DC from AD. First delete the failed DC’s computer account from the Domain Controllers OU using the ADUC console, and then clean up its metadata in the AD database:


ntdsutil

metadata cleanup

connect to server specify_Your_Online_DC_name

quit

select operation target

list domains

select domain <num>

Instead of <num>, specify the number of the domain in which the failed DC was located.

list sites

select site <num>

Instead of <num>, specify the number of the AD site in which the failed DC was located.

list servers in site

select server <num>

Instead of <num>, specify the number of the domain controller to be removed.

quit

remove selected server

quit
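As an added example (not part of the original article), a PowerShell check to run after the metadata cleanup above to confirm that nothing of the failed DC is left behind: no DC entry, no computer account in the Domain Controllers OU, no server object under the Sites container, and no FSMO role still pointing at it (a role still owned by the dead DC must be seized first). The DC name hq-dc03 is a hypothetical placeholder; the ActiveDirectory module is assumed.

```powershell
# Added example: verify that a forcibly removed DC left no metadata behind.
# Assumes the ActiveDirectory module; the DC name below is a placeholder.
$FailedDc = 'hq-dc03'   # hypothetical name of the removed DC

$domain   = Get-ADDomain
$configNc = (Get-ADRootDSE).configurationNamingContext

# Each check returns the leftover objects it finds (none means clean).
$checks = [ordered]@{
    'DC still listed by Get-ADDomainController' = {
        Get-ADDomainController -Filter "Name -eq '$FailedDc'" -ErrorAction SilentlyContinue
    }
    'Computer account in Domain Controllers OU' = {
        Get-ADComputer -Filter "Name -eq '$FailedDc'" `
            -SearchBase $domain.DomainControllersContainer -ErrorAction SilentlyContinue
    }
    'Server object under CN=Sites (metadata)' = {
        Get-ADObject -Filter "objectClass -eq 'server' -and Name -eq '$FailedDc'" `
            -SearchBase "CN=Sites,$configNc" -ErrorAction SilentlyContinue
    }
    'FSMO role still owned by the failed DC' = {
        $forest = Get-ADForest
        @($forest.SchemaMaster, $forest.DomainNamingMaster,
          $domain.RIDMaster, $domain.PDCEmulator, $domain.InfrastructureMaster) |
            Where-Object { $_ -like "$FailedDc.*" }
    }
}

foreach ($c in $checks.GetEnumerator()) {
    $found = @(& $c.Value)
    $state = if ($found.Count -eq 0) { 'clean' } else { "LEFTOVER ($($found.Count))" }
    '{0,-45} {1}' -f $c.Key, $state
}
```

A LEFTOVER in the server object line means the metadata cleanup did not complete and the ntdsutil steps above should be repeated; a LEFTOVER in the FSMO line means the role has to be seized to a live DC before the old owner is considered gone.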
