Provides commands for managing the directory service data and log files. The data file is called Ntds.dit. At the files: prompt, type any of the parameters listed under Syntax.
Ntdsutil is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use ntdsutil, you must run the ntdsutil command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
For examples of how to use this command, see Examples.
Syntax
[checkpoint] [checksum] [compact to %s] [dump page %d] [header] [info] [integrity] [logfile %s] [metadata] [move DB to %s] [move logs to %s] [recover] [set backup exclusion key] [set default folder security] [set path backup %s] [set path db %s] [set path logs %s] [set path working dir %s] [space usage]
Parameters
Parameter | Description |
---|---|
checkpoint | Dumps the Jet database checkpoint file (edb.chk). This option is intended for use only by support personnel. |
checksum | Performs a Jet database physical integrity check. |
compact to %s (where %s identifies an empty target directory) | Invokes Esentutl.exe to compact the existing data file and writes the compacted file to the specified directory. The directory can be remote, that is, mapped by means of the net use command or similar means. After compaction is complete, archive the old data file, and move the newly compacted file back to the original location of the data file. ESENT supports online compaction, but this compaction only rearranges pages within the data file and does not release space back to the file system. (The directory service invokes online compaction regularly.) |
dump page %d | Dumps the Jet database page number specified as %d. This option is intended for use only by support personnel. |
header | Writes the header of the Ntds.dit data file to the screen. This command can help support personnel analyze database problems. |
info | Analyzes and reports the free space for the disks that are installed in the system, reads the registry, and then reports the sizes of the data and log files. (The directory service maintains the registry, which identifies the location of the data files, log files, and directory service working directory.) |
integrity | Invokes Esentutl.exe to perform an integrity check on the data file, which can detect low-level database corruption. It reads every byte of your data file; thus it can take a long time to process large databases. Note that you should always run Recover before performing an integrity check. |
logfile %s | Dumps the Jet log file %s, where %s can be the absolute path or just the log file name in the Logs folder. This option is intended for use only by support personnel. |
metadata | Dumps the Jet database metadata. This option is intended for use only by support personnel. |
move DB to %s (where %s identifies a target directory) | Moves the Ntds.dit data file to the new directory specified by %s and updates the registry so that, upon service restart, the directory service uses the new location. |
move logs to %s (where %s identifies a target directory) | Moves the directory service log files to the new directory specified by %s and updates the registry so that, upon service restart, the directory service uses the new location. |
recover | Invokes Esentutl.exe to perform a soft recovery of the database. Soft recovery scans the log files and ensures all committed transactions therein are also reflected in the data file. Logs are used to ensure committed transactions are not lost if your system fails or if you have unexpected power loss. In essence, transaction data is written first to a log file and then to the data file. When you restart after failure, you can rerun the log to reproduce the transactions that were committed but hadn't made it to the data file. |
set backup exclusion key | Sets the backup exclusion key for the AD DS or AD LDS instance. This option is intended for use only by support personnel. |
set default folder security | Resets security on the NTDS folder to default values. |
set path backup %s (where %s identifies a target directory) | Sets the disk-to-disk backup target to the directory specified by %s. The directory service can be configured to perform an online disk-to-disk backup at scheduled intervals. |
set path db %s (where %s identifies a target directory) | Updates the part of the registry that identifies the location and file name of the data file. Use this command only to rebuild a domain controller that has lost its data file and that is not being restored by means of normal restoration procedures. |
set path logs %s (where %s identifies a target directory) | Updates the part of the registry that identifies the location of the log files. Use this command only if you are rebuilding a domain controller that has lost its log files and is not being restored by means of normal restoration procedures. |
set path working dir %s (where %s identifies a target directory) | Sets the part of the registry that identifies the directory service's working directory to the directory specified by %s. |
%s | An alphanumeric variable, such as a domain or domain controller name. |
space usage | Dumps the Jet database space usage. |
quit | Takes you back to the previous menu or exits the utility. |
? | Displays help at the command prompt. |
Help | Displays help at the command prompt. |
Remarks
- Before you can run the files subcommand, you need to set NTDS or an AD LDS instance as the active instance for ntdsutil. For example, if the AD LDS instance that you want to work with is named instance 1, type the following command at the ntdsutil prompt before you run the files subcommand:
ac in instance 1
- You need to stop the AD DS or AD LDS service before you can run the files subcommand. To stop AD DS, click Start, click Server Manager. In the console tree, double-click Configuration, and then click Services. In the details pane, right-click Active Directory Domain Services and then click Stop.
- Active Directory is implemented on top of an indexed sequential access method (ISAM) table manager. This is the same table manager used by Microsoft Exchange Server, the File Replication Service (FRS), the security configuration editor, Active Directory Certificate Services, Windows Internet Name Service (WINS), and other Windows components. The version of the database that Windows 2000, Windows Server 2003, Standard Edition, and Windows Server 2008 use is called extensible storage engine (ESENT).
ESENT is a transacted database system that uses log files to support rollback semantics to ensure that transactions are committed to the database. Ideally, the database and log files should be located on separate drives to improve performance and support recovery of the data if a disk fails.
- ESENT provides its own tool for certain database file management functions called Esentutl.exe, which is also installed in the systemroot\System32 folder. Several of the Ntdsutil file management commands invoke Esentutl, reducing the need to learn the tool's command-line arguments. In the cases where Ntdsutil invokes Esentutl, it brings up a separate window configured with a large history so that you can scroll back to see all of the Esentutl progress indicators.
Examples
To perform a Jet database physical integrity check, type:
file maintenance: checksum
To compact the Active Directory database and write the compacted file to a folder named C:\Windows\NTDS_Old, type:
file maintenance: compact to C:\Windows\NTDS_Old
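The offline compaction described under compact to, combined with the prerequisites in Remarks (elevated prompt, stopped service, active instance), as one PowerShell script. This is an added example, not part of the original documentation; the NTDS service name, the %SystemRoot%\NTDS folder for data and log files, the D:\NTDS_Archive folder, and the log-deletion step are assumptions that this page does not state.

```powershell
# Added example, not Microsoft's script. Assumed: service name NTDS, data and log
# files both in %SystemRoot%\NTDS, and a hypothetical archive folder.
param(
    [string]$DbDir      = "$env:SystemRoot\NTDS",   # assumed location of Ntds.dit and its logs
    [string]$TargetDir  = 'C:\Windows\NTDS_Old',    # empty target, as in the page's example
    [string]$ArchiveDir = 'D:\NTDS_Archive'         # hypothetical archive folder
)
$ErrorActionPreference = 'Stop'

# ntdsutil must be run from an elevated prompt.
$me = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated prompt.'
}

# "compact to" expects an empty target directory.
New-Item -ItemType Directory -Path $TargetDir, $ArchiveDir -Force | Out-Null
if (Get-ChildItem -Path $TargetDir) { throw "$TargetDir is not empty." }

# The files subcommand needs the directory service stopped; remember running dependents.
$deps = (Get-Service -Name NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }
Stop-Service -Name NTDS -Force
try {
    # Set the active instance, soft-recover, then compact into the target directory.
    & ntdsutil 'activate instance ntds' files recover "compact to $TargetDir" quit quit
    $compacted = Join-Path $TargetDir 'ntds.dit'
    if (-not (Test-Path $compacted)) { throw 'No compacted ntds.dit was produced.' }

    # Archive the old data file, then move the compacted file into its place.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Move-Item (Join-Path $DbDir 'ntds.dit') (Join-Path $ArchiveDir "ntds-$stamp.dit")
    Move-Item $compacted (Join-Path $DbDir 'ntds.dit')

    # Not stated on this page: ntdsutil's own post-compaction message says to
    # delete the old log files, which no longer match the compacted database.
    Remove-Item (Join-Path $DbDir '*.log')

    # Recover already ran in this offline session; now check the compacted file.
    & ntdsutil 'activate instance ntds' files integrity quit quit
}
finally {
    Start-Service -Name NTDS
    if ($deps) { $deps | Start-Service }
}
```

The archived Ntds.dit still contains the directory's credential data, so keep the archive folder restricted to administrators and delete the copy once the compacted database has been backed up.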