Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). Use Ntdsutil.exe to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. This tool is intended for use by experienced administrators.
Ntdsutil is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use ntdsutil, you must run the ntdsutil command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
For most of the Ntdsutil commands, you only need to type the first few characters of the command name instead than the entire command. For example, you can type either of the following commands to activate an instance for AD DS:
activate instance ntds ac i ntds
The short form for each command is listed in the following table.
Syntax
Ntdsutil [activate instance %s | authoritative restore | change service account %s1 %s2 | configurable settings | DS behavior | files | group membership evaluation | Help | ifm | ldap policies | ldap port %d | list instance | local roles | metadata cleanup | partition management | popups on | popups off | quit | roles | security account management | semantic database analysis | set DSRM password | snapshot | SSL port %d]
Commands
Command | Description |
---|---|
Activate instance %s short form: ac i %s |
Sets NTDS or a specific AD LDS instance as the active instance. |
Short form: au r |
Authoritatively restores the Active Directory database or AD LDS instance. |
Change service account %s1 %s2 |
Changes the AD LDS service account to user name %s1 and password %s2. Use "NULL" for a blank password. Use * to prompt the user to enter a password. |
Short form: co s |
Manages configurable settings. |
Short form: ds b |
Views and modifies AD DS or AD LDS behavior. |
Short form: f |
Manages AD DS or AD LDS database files. |
Short form: g m e |
Evaluates security IDs (SIDs) in the token for a given user or group. |
Help |
Shows this help information. |
Short form: i |
Creates installation media for writable (full) and read-only domain controllers (RODCs) and instances of AD LDS. |
Manages Lightweight Directory Access Protocol (LDAP) protocol policies. |
|
Ldap port %d |
Configures an LDAP port for an AD LDS instance. |
List instances Short form: li i |
Lists all AD LDS instances that are installed on a computer. |
Short form: lo r |
Manages local administrative roles on an RODC. |
Short form: m c |
Cleans up objects of decommissioned servers. |
Short form: pa m |
Manages directory partitions. |
Popups off Short form: po off |
Disables popups. |
Popups on Short form: po on |
Enables popups. |
Quit Short form: q |
Quits the command. |
Short form: r |
Transfers and seizes operations master roles. |
Short form: sec a m |
Manages SIDs. |
Short form: sem d a |
Verifies integrity of AD DS or AD LDS database files with respect to Active Directory semantics. |
Short form: set d p |
Resets the Directory Services Restore Mode (DSRM) administrator password. |
Short form: sn |
Manages snapshots of the volumes that contain the Active Directory database and log files. |
SSL port %d |
Configures a Secure Sockets Layer (SSL) port for an AD LDS instance. |