Using Ntdsutil Tool to Manage Active Directory

The NTDSutil.exe utility is one of the key tools for managing Active Directory and its database (the ntds.dit file).

The NTDSutil utility can be used by AD administrators in various scenarios. Most often the utility is used to:

  • Transfer or seize FSMO roles between domain controllers in the AD domain;
  • Perform an authoritative restore of deleted objects in Active Directory;
  • Remove faulty (missing) AD domain controllers;
  • Perform AD database maintenance: checking integrity, compressing, moving the ntds.dit file or AD log files to another drive on a domain controller in order to increase performance;
  • Manage Active Directory snapshots;
  • Change the administrator password for DSRM (Directory Services Restore Mode).

To display the basic syntax of the NTDSutil utility, open an elevated command prompt on the domain controller and run:

Ntdsutil.exe /?


As you can see, the Ntdsutil utility has a few subcommands available. Let’s try to learn them in more detail with examples.

Transfer FSMO Roles Using Ntdsutil

Let me remind you that there are five FSMO (Flexible Single Master Operation) roles in AD:

  1. Schema master;
  2. Domain naming master;
  3. RID master;
  4. PDC emulator master;
  5. Infrastructure master.

These roles can be assigned to different domain controllers in the AD forest and/or domain. The current owners of FSMO roles can be obtained using the command:

netdom query fsmo


With ntdsutil you can transfer any of the FSMO roles to another DC (you can also transfer FSMO roles with PowerShell).

Connect to any DC, open a command prompt, and run the following commands in sequence:


ntdsutil: roles

fsmo maintenance: connections

Specify the name of the server to which you want to transfer FSMO roles (for example, hq-dc02).

server connections: connect to server hq-dc02

server connections: quit

To transfer all the FSMO roles, execute the following commands sequentially:

FSMO maintenance: transfer schema master

FSMO maintenance: transfer naming master

FSMO maintenance: transfer rid master

FSMO maintenance: transfer PDC

FSMO maintenance: transfer infrastructure master

In this example the FSMO roles are transferred between healthy DCs; however, you can also force the seizure of any FSMO role from a failed domain controller.
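The check below is an added example, not part of the original article: it parses the output of netdom query fsmo and reports any role that is not on the DC you transferred to. The sample text, the corp.example domain name and the function names ConvertFrom-NetdomFsmo and Test-FsmoPlacement are assumptions made for the illustration.

```powershell
# Constructed sample in the layout printed by `netdom query fsmo`;
# the domain name corp.example is a placeholder, hq-dc02 is the target DC above.
$sample = @'
Schema master               hq-dc02.corp.example
Domain naming master        hq-dc02.corp.example
PDC                         hq-dc02.corp.example
RID pool manager            hq-dc01.corp.example
Infrastructure master       hq-dc02.corp.example
The command completed successfully.
'@

function ConvertFrom-NetdomFsmo {
    # Parse "role<2+ spaces>holder" lines into objects; other lines are skipped.
    param([string[]]$Line)
    foreach ($l in $Line) {
        if ($l -match '^\s*(?<Role>\S.*?)\s{2,}(?<Holder>\S+)\s*$') {
            [pscustomobject]@{ Role = $Matches.Role; Holder = $Matches.Holder.ToLower() }
        }
    }
}

function Test-FsmoPlacement {
    # One row per expected role; Ok is $false when the role is absent from
    # the output or held by a DC other than $ExpectedHolder.
    param([object[]]$Roles, [string]$ExpectedHolder)
    $want = $ExpectedHolder.ToLower().Split('.')[0]
    $expected = 'Schema master', 'Domain naming master', 'PDC',
                'RID pool manager', 'Infrastructure master'
    foreach ($name in $expected) {
        $row = $Roles | Where-Object { $_.Role -eq $name } | Select-Object -First 1
        # Compare short host names so FQDN and NetBIOS forms both match.
        $holder = if ($row) { $row.Holder } else { $null }
        $short  = if ($holder) { $holder.Split('.')[0] } else { $null }
        [pscustomobject]@{ Role = $name; Holder = $holder; Ok = ($short -eq $want) }
    }
}

# On a DC, replace $sample with live output: (netdom query fsmo) -join "`n"
$roles  = ConvertFrom-NetdomFsmo -Line ($sample -split "`r?`n")
$report = Test-FsmoPlacement -Roles $roles -ExpectedHolder 'hq-dc02'
$report | Format-Table -AutoSize
if ($report.Ok -contains $false) {
    Write-Warning 'Not every FSMO role is on the expected DC.'
}
```

With the constructed sample, the RID pool manager row is flagged because that role is still listed on hq-dc01.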

Reset DSRM Password Using Ntdsutil

If you do not know the password of the administrator account for Directory Services Restore Mode (DSRM), the special boot mode of a domain controller, you can reset this password for a local or remote DC using Ntdsutil. This scenario is described in detail in the article: Accessing Domain Controller in the DSRM mode.

Offline Defragmentation and Compression of the AD Database Using Ntdsutil

With Ntdsutil, you can offline defragment and compress the AD database (ntds.dit file). This will help reduce the size of the AD database file and improve performance by rebuilding indexes. See the article: Compacting Active Directory database.


Removing Failed DC Using Ntdsutil

If repadmin /replsum shows that one of your DCs is faulty, and you have manually confirmed that the server has failed and cannot be restored, you can forcibly remove this DC from AD. Simply delete the failed DC's computer account from the Domain Controllers OU using the ADUC console, and then clean up the AD database:

metadata cleanup

connections

connect to server specify_Your_Online_DC_name

quit


select operation target

list domains

select domain <num>

Instead of num, specify the number corresponding to the domain in which the failed DC was located.

list sites

select site <num>

Instead of num, specify the number corresponding to the AD site where your failed DC was located.

list servers in site

select server <num>

Instead of num, specify the number that refers to the domain controller to be removed.

Return to the metadata cleanup menu, then remove the server:

quit

remove selected server

