Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). Use Ntdsutil.exe to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. This tool is intended for use by experienced administrators.

Ntdsutil is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use ntdsutil, you must run the ntdsutil command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For most of the Ntdsutil commands, you only need to type the first few characters of the command name instead than the entire command. For example, you can type either of the following commands to activate an instance for AD DS:

activate instance ntds
ac i ntds

The short form for each command is listed in the following table.


Ntdsutil [activate instance %s | authoritative restore | change service account %s1 %s2 | configurable settings | DS behavior | files | group membership evaluation | Help | ifm | ldap policies | ldap port %d | list instance | local roles | metadata cleanup | partition management | popups on | popups off | quit | roles | security account management | semantic database analysis | set DSRM password | snapshot | SSL port %d]


Command Description

Activate instance %s

short form: ac i %s

Sets NTDS or a specific AD LDS instance as the active instance.

authoritative restore

Short form: au r

Authoritatively restores the Active Directory database or AD LDS instance.

Change service account %s1 %s2

Changes the AD LDS service account to user name %s1 and password %s2. Use "NULL" for a blank password. Use * to prompt the user to enter a password.


Short form: co s

Manages configurable settings.

DS behavior

Short form: ds b

Views and modifies AD DS or AD LDS behavior.


Short form: f

Manages AD DS or AD LDS database files.

group membership evaluation

Short form: g m e

Evaluates security IDs (SIDs) in the token for a given user or group.


Shows this help information.


Short form: i

Creates installation media for writable (full) and read-only domain controllers (RODCs) and instances of AD LDS.

LDAP policies

Manages Lightweight Directory Access Protocol (LDAP) protocol policies.

Ldap port %d

Configures an LDAP port for an AD LDS instance.

List instances

Short form: li i

Lists all AD LDS instances that are installed on a computer.

local roles

Short form: lo r

Manages local administrative roles on an RODC.

metadata cleanup

Short form: m c

Cleans up objects of decommissioned servers.

partition management

Short form: pa m

Manages directory partitions.

Popups off

Short form: po off

Disables popups.

Popups on

Short form: po on

Enables popups.


Short form: q

Quits the command.


Short form: r

Transfers and seizes operations master roles.

security account management

Short form: sec a m

Manages SIDs.

semantic database analysis

Short form: sem d a

Verifies integrity of AD DS or AD LDS database files with respect to Active Directory semantics.

set DSRM password

Short form: set d p

Resets the Directory Services Restore Mode (DSRM) administrator password.


Short form: sn

Manages snapshots of the volumes that contain the Active Directory database and log files.

SSL port %d

Configures a Secure Sockets Layer (SSL) port for an AD LDS instance.