The NTDSutil.exe utility is one of the key tools to manage Active Directory and its database (ntds.dit file).
The NTDSutil utility can be used by AD administrators in various scenarios. Most often the utility is used to:
- Transfer or seize FSMO roles between domain controllers in the AD domain;
- Perform an authoritative restore of deleted Active Directory objects;
- Remove failed (missing) AD domain controllers;
- Perform AD database maintenance: check integrity, compact the database, or move the ntds.dit file or the AD log files to another drive on a domain controller to improve performance;
- Manage Active Directory snapshots;
- Change the administrator password for Directory Services Restore Mode (DSRM).
To display the basic syntax of the NTDSutil utility, open an elevated command prompt on the domain controller and run:
As you can see, the Ntdsutil utility has a few subcommands available. Let’s try to learn them in more detail with examples.
Transfer FSMO Roles Using Ntdsutil
Let me remind you that in AD there are five FSMO (Flexible Single Master Operation) roles:
- Schema Master;
- Domain Naming Master;
- RID Master;
- PDC Emulator;
- Infrastructure Master.
These roles can be assigned to different domain controllers in the AD forest and/or domain. The current owners of FSMO roles can be obtained using the command:
netdom query fsmo
With ntdsutil you can transfer any of the FSMO roles to another DC (you can also transfer FSMO roles with PowerShell).
Connect to any DC, open a command prompt, and run the following commands in sequence:
ntdsutil
ntdsutil: roles
fsmo maintenance: connections
Specify the name of the server to which you want to transfer FSMO roles (for example, hq-dc02).
server connections: connect to server hq-dc02
server connections: quit
To transfer all the FSMO roles, execute the following commands sequentially:
fsmo maintenance: transfer schema master
fsmo maintenance: transfer naming master
fsmo maintenance: transfer rid master
fsmo maintenance: transfer PDC
fsmo maintenance: transfer infrastructure master
In this example the FSMO roles are transferred between healthy DCs; however, you can also force the seizure of any FSMO role from a failed domain controller.
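The same transfer done from the ActiveDirectory PowerShell module, as an added example that is not part of the original article: it lists the current role owners, checks that the target is really a domain controller, performs a graceful transfer of all five roles, and then verifies that every role now names the target. The target name hq-dc02 is the one used in the ntdsutil session above; the script assumes the target DC is in the domain you are logged on to.

```powershell
# Added example (not from the original article): transfer all five FSMO roles
# with the ActiveDirectory module and verify the result.
Import-Module ActiveDirectory

$TargetDC = 'hq-dc02'   # assumption: the DC that should become the new role owner

function Get-FsmoOwners {
    # Forest-wide roles live on the forest object, domain roles on the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

Write-Host 'FSMO owners before transfer:'
Get-FsmoOwners | Format-List

# Fail early if the target is not a reachable domain controller.
$target = Get-ADDomainController -Identity $TargetDC -ErrorAction Stop

$roles = 'SchemaMaster', 'DomainNamingMaster', 'RIDMaster', 'PDCEmulator', 'InfrastructureMaster'

# Graceful transfer: the current owner must be online, exactly like the
# ntdsutil "transfer ..." commands. A seizure from a failed owner would need
# the -Force switch; it is deliberately not used here.
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles -Confirm:$false

Write-Host 'FSMO owners after transfer:'
$after = Get-FsmoOwners
$after | Format-List

# Role owners are reported as FQDNs, so compare against the target's HostName.
$fqdn = $target.HostName
$notMoved = $roles | Where-Object { $after.$_ -ne $fqdn }
if ($notMoved) {
    Write-Warning "Roles not held by ${fqdn}: $($notMoved -join ', ')"
} else {
    Write-Host "All five FSMO roles are now held by $fqdn"
}
```

Run it in an elevated PowerShell session as a member of Enterprise Admins and Schema Admins (the Schema Master and Domain Naming Master cannot be moved by a plain Domain Admin). The before/after listing is worth keeping in your change record, because an unexpected change of role ownership is also something a defender should be alerting on.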
Reset DSRM Password Using Ntdsutil
If you do not know the password of the administrator account for the special boot mode of the domain controller—Directory Services Restore Mode (DSRM)—you can reset this password for a local or remote DC using Ntdsutil. This scenario is described in detail in the article: Accessing Domain Controller in the DSRM mode.
Offline Defragmentation and Compression of the AD Database Using Ntdsutil
With Ntdsutil, you can perform an offline defragmentation and compaction of the AD database (the ntds.dit file). This reduces the size of the AD database file and improves performance by rebuilding its indexes. See the article: Compacting Active Directory database.
Removing Failed DC Using Ntdsutil
If you have found that one of your DCs is faulty using repadmin /replsum, and after checking manually that the server has failed and cannot be restored, you can forcefully remove this DC from AD. First delete the failed DC's computer account from the Domain Controllers OU using the ADUC console, and then clean up the AD database:
ntdsutil
metadata cleanup
connections
connect to server specify_Your_Online_DC_name
quit
select operation target
list domains
select domain <num>
Instead of num, specify the number corresponding to the domain in which the failed DC was located.
list sites
select site <num>
Instead of num, specify the number corresponding to the AD site where your failed DC was located.
list servers in site
select server <num>
Instead of num, specify the number that refers to the domain controller to be removed.
quit
remove selected server
quit
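After the cleanup it is worth confirming that nothing belonging to the failed DC is left in the directory, because leftover server, NTDS Settings or DFSR member objects keep producing replication errors and can hide a later rogue DC among the noise. The following script is an added example, not part of the original article: it checks the places where metadata of a removed DC normally lingers and finishes with the repadmin /replsum summary mentioned above. The name hq-dc03 is a constructed placeholder for the DC that was removed.

```powershell
# Added example (not from the original article): verify that a removed DC has
# left no metadata behind in the directory.
Import-Module ActiveDirectory

$RemovedDC = 'hq-dc03'   # assumption: short (NetBIOS) name of the DC you removed

$configNC = (Get-ADRootDSE).configurationNamingContext
$domainDN = (Get-ADDomain).DistinguishedName

function Get-StaleDcObjects {
    param([string]$Name)
    $found = @()

    # 1. It must no longer be enumerated as a domain controller at all.
    $dc = Get-ADDomainController -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue
    if ($dc) { $found += "Still listed as DC: $($dc.HostName)" }

    # 2. Server object (and its NTDS Settings child) under CN=Sites; this is
    #    exactly what "remove selected server" is supposed to delete.
    $server = Get-ADObject -SearchBase "CN=Sites,$configNC" -SearchScope Subtree `
        -LDAPFilter "(&(objectClass=server)(cn=$Name))" -ErrorAction SilentlyContinue
    foreach ($s in $server) {
        $found += "Server object: $($s.DistinguishedName)"
        $ntds = Get-ADObject -SearchBase $s.DistinguishedName -SearchScope OneLevel `
            -LDAPFilter '(objectClass=nTDSDSA)' -ErrorAction SilentlyContinue
        foreach ($n in $ntds) { $found += "NTDS Settings: $($n.DistinguishedName)" }
    }

    # 3. Computer account in the Domain Controllers OU (deleted via ADUC above).
    $computer = Get-ADComputer -Filter "Name -eq '$Name'" `
        -SearchBase "OU=Domain Controllers,$domainDN" -ErrorAction SilentlyContinue
    if ($computer) { $found += "Computer account: $($computer.DistinguishedName)" }

    # 4. SYSVOL replication membership (DFSR topology) is not always cleaned up
    #    automatically and causes DFSR event log errors when left behind.
    $dfsr = Get-ADObject -SearchBase "CN=DFSR-GlobalSettings,CN=System,$domainDN" `
        -SearchScope Subtree -LDAPFilter "(&(objectClass=msDFSR-Member)(cn=$Name))" `
        -ErrorAction SilentlyContinue
    foreach ($m in $dfsr) { $found += "DFSR member: $($m.DistinguishedName)" }

    return $found
}

$stale = Get-StaleDcObjects -Name $RemovedDC
if ($stale.Count -eq 0) {
    Write-Host "No objects for $RemovedDC remain in the directory."
} else {
    Write-Warning "Leftover objects for ${RemovedDC}:"
    $stale | ForEach-Object { Write-Warning "  $_" }
}

# Replication summary across all remaining DCs; the removed DC must not appear
# here any more as a source or destination.
& repadmin /replsum
```

If the DFSR member object is the only thing reported, delete it with ADSI Edit or Remove-ADObject and then re-run the check; the server object and NTDS Settings should be gone right after ntdsutil finishes, so their presence means the cleanup did not actually complete on the DC you connected to.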