USING NTDSUTIL TOOL TO MANAGE ACTIVE

DIRECTORY
written by Cyril Kardashevsky March 21, 2023

NTDSUTIL is a command-line tool that Microsoft Windows Server administrators use to

manage Active Directory (AD) and its related components. It allows administrators to
perform various tasks, such as managing domains, trusts, and sites and configuring and
troubleshooting Active Directory replication.

The tool is available on all Windows Server operating systems and can be used to
manage both the local and remote AD instances. In this post, we’ll explore how to use
NTDSUTIL, some typical use case scenarios, and best practices.

Table of Contents
 Typical Use Case Scenarios
 Some Reminders Before You Begin
 Navigating the NTDSUTIL Tool and the Help System
 Using NTDSUTIL to Transfer FSMO Roles
 Using NTDSUTIL to Reset the Administrator Password for the DSRM
 Using NTDSUTIL to Maintain Active Directory Database
o Stop Services
o Compacting an Active Directory Database
o Repairing an Active Directory Database
o Start Services
 Using NTDSUTIL to Manage Active Directory Snapshots
o Creating a Snapshot
o Mount, Unmount, and Delete the Snapshot
 Using NTDSUTIL to Remove a Failed Domain Controller
 Conclusion

Typical Use Case Scenarios

NTDSUTIL is a powerful tool that can be used for a variety of purposes. Some of the
typical use case scenarios include:

 Managing Active Directory Database: NTDSUTIL can be used to manage the Active
Directory database, which includes compacting, defragmenting, and repairing the
database.
 Managing Domain Controller: It can also be used to manage domain controllers,
including transferring and seizing FSMO roles, performing authoritative restores, and
managing DNS configurations.
 Managing Active Directory Sites: NTDSUTIL can be used to manage Active Directory
sites, including creating, deleting, and configuring sites and subnets.
 Managing Active Directory Trusts: The tool can be used to manage Active Directory
trusts, including creating, modifying, and deleting trusts between domains.
Some Reminders Before You Begin
When using NTDSUTIL, it is essential to follow some best practices to ensure that the
tool is used correctly and that it does not cause any adverse effects on the Active
Directory environment. Here are some best practices to follow:

1. Always have a backup of the Active Directory database before performing any
NTDSUTIL operations. This ensures that you can restore the AD database to its
previous state in case of any errors or damage caused by the tool.
2. Understand the NTDSUTIL commands and their functions before running them. Some
commands can cause significant changes to the AD environment, and you should
ensure that you fully understand the effects of the command before running it.
3. Run the tool as a domain administrator or enterprise administrator account. This ensures
that you have the necessary privileges to perform the required tasks.
Navigating the NTDSUTIL Tool and the Help System
The NTDSUTIL tool has many subcommands available to manage different aspects of
the Active Directory. To view the help system, run the below command in an elevated
PowerShell or CMD session.

ntdsutil /?

As a result, you’ll get the list of top-level NTDSUTIL subcommands.

When you need help with a specific subcommand, you can enter the NTDSUTIL
interactive prompt and run the help command. For example, if you’d like help with the
Roles subcommand:
 # Enter the NTDSUTIL prompt

ntdsutil

# Enter the subcommand

roles

# List the help for this subcommand

help

# Exit the subcommand

# Exit the NTDSUTIL prompt

Using NTDSUTIL to Transfer FSMO Roles

One of the primary NTDSUTIL usages is transferring FSMO roles to another domain
controller. There are five FSMO Roles:
1. Schema master
2. Domain naming master
3. RID master
4. PDC emulator master
5. Infrastructure master
These roles can be assigned to different domain controllers in the forest or domain.

First, determine which server currently holds the FSMO roles.

netdom query fsmo

In this example, all the FSMO roles are owned by the DC1.theitbros.local server.

Suppose you need to transfer the FSMO roles to another domain controller, such
as DC1.theitbros.local; follow these steps.
1. Log in to any domain controller and open CMD or PowerShell as admin.
2. Run the below commands in sequence to enter the fsmo maintenance mode:
3. ntdsutil

4.

5. roles

6.

connections

7. On the server connections prompt, enter the following command. In this example, DC2 is
the target domain controller server name:
8. connect to server DC2

9.

quit

10. You’re back to the fsmo maintenance prompt. To transfer the FSMO roles, run the below
commands one at a time:
11. transfer schema master

12.

13. transfer naming master

14.

15. transfer rid master

16.

17. transfer pdc

18.

transfer infrastructure master

19. Each command will ask you to confirm the transfer operation. Click Yes.
20. In the end, DC2 will be the new owner of the FSMO roles:

21. Finally, confirm the new FSMO role owner:

netdom query fsmo

You’ve successfully used NTDSUTIL to transfer the FSMO role owner.

Note. In the above example, the FSMO role transfer is performed between healthy
DCs. But you can force seize any FSMO role from a failed domain controller.

Using NTDSUTIL to Reset the Administrator Password for the

DSRM
NTDSUTIL can be used to change the Directory Services Restore Mode (DSRM)
administrator account password, which is used to restore Active Directory in case of a
disaster. Here’s how to use NTDSUTIL for this scenario:
1. To launch NTDSUTIL, open a command prompt or PowerShell with administrative
privileges, type ntdsutil, and press Enter.
2. Type set dsrm password and press Enter.
3. Type reset password on server TargetDCName and press Enter, replacing
TargetDCName with the domain controller name you want to change the password on.
4. Type the new password for the DSRM administrator account and press Enter, then
confirm the password by typing it again and pressing Enter.
5. Type q and press Enter to exit the set dsrm password context.
6. Type q and press Enter again to exit NTDSUTIL.

Using NTDSUTIL to Maintain Active Directory Database

NTDSUTIL can be used to manage the Active Directory database, including compacting,
defragmenting, and repairing the database.

Note. The following tasks require that the AD database on the server is offline, so do
this only during a planned maintenance window.

Stop Services
Before doing any AD database maintenance, make sure to stop the following services.
Run the following command in an elevated PowerShell window.

# Stop the services

Stop-Service -Name Kdc, IsmServ, DNS, DFSR, NTDS

# List the status of the services

Get-Service -Name Kdc, IsmServ, DNS, DFSR, NTDS

Compacting an Active Directory Database

 The online defragmentation happens automatically every 12 hours. This task
reorganizes the data in the database and can improve its performance.

But, online defragmentation does not reduce the database file size. When the database
size grows large, it may cause performance issues, so periodically compacting the
database should be on your maintenance list.

1. In the elevated PowerShell prompt, type ntdsutil and press Enter.

2. Type activate instance ntds and press Enter.
3. Type files and press Enter.
4. After entering the file maintenance context, type compact to <path>\newdb.dit and
press Enter. Replace <path>\newdb.dit with the path where you want to save the new
database file. This command creates a new, smaller version of the database.
Once the compact database process starts, you must wait for it to finish. The duration
depends on how big the database is.

5. After compacting the database, run the following commands to copy the newly
compacted database to the original location. This command overwrites the
old ntds.dit and ntds.jfm files:
copy "c:\temp\ntds\ntds.*" "C:\Windows\NTDS"

6. Now, delete the old *.LOG files:

del C:\Windows\NTDS\*.log
 Repairing an Active Directory Database
If you suspect that the AD database has errors, you can perform a repair on it.

1. In the elevated PowerShell prompt, type ntdsutil and press Enter.

2. Type activate instance ntds and press Enter.
3. To repair the database, type semantic database analysis and press Enter.
4. Now that you’re in the semantic checker context, type go fixup and press Enter. This
command checks the ntds.dit database and automatically fixes it if needed.

Start Services
Once you’ve completed the database maintenance, you can return the AD database
online by starting the required services.

# Start the services

Start-Service -Name NTDS, Kdc, IsmServ, DNS, DFSR

# List the status of the services

Get-Service -Name Kdc, IsmServ, DNS, DFSR, NTDS

 Using NTDSUTIL to Manage Active Directory Snapshots
NTDSUTIL can be used to create and manage snapshots of Active Directory, which can
be used to recover deleted objects or restore Active Directory to a previous state.

Creating a Snapshot
1. In the elevated PowerShell prompt, type ntdsutil and press Enter.
2. Type activate instance ntds and press Enter.
3. To create a snapshot of Active Directory, type snapshot and press Enter.
4. Type create and press Enter. This command creates a new snapshot of Active
Directory.
5. Now, list all available snapshots by running list all. As you can see, the new snapshot
was created. Take note of the GUID and position number of that snapshot.

Mount, Unmount, and Delete the Snapshot

1. To mount a snapshot, type mount %s where %s is the index (position) or the GUID of
the snapshot. In this example, the snapshot we’ll mount is in index 1.
Note. The snapshot is mounted as read-only.

2. Now, open the mount path in the File Explorer to view its contents:

3. Once you’re done reviewing the snapshot, you can unmount it by running the unmount
%s command, where %s is the position or GUID of the snapshot:

4. Finally, when you no longer require the snapshot, you can delete it by running the delete
%s command, where %s is the position or GUID of the snapshot:

Using NTDSUTIL to Remove a Failed Domain Controller

When a domain controller fails and cannot be brought online again, you must ensure to
clean it up from the environment. You can use NTDSUTIL to remove a failed domain
controller.

There are several steps involved, which can be confusing, so make sure to follow the
instructions carefully.

1. Log in to a domain controller and open a PowerShell window as admin.

2. Type ntdsutil and press Enter.
3. Type metadata cleanup and press Enter.
4. Type connections and press Enter.
5. Type connect to server servername and press Enter. Replace servername with the
name of the online/healthy domain controller.
6. Type q and press Enter:

7. Type select operation target and press Enter.

8. Type list domains and press Enter. Note the domain to which the failed DC belongs. In
this example, there’s only one domain.
9. Type select domain %s and press Enter. Replace %s with the domain controller name
to which the failed DC belongs.

10. Type list sites and press Enter. Note the site to which the failed DC belongs.
11. Type select site %s and press Enter. Replace %s with the position or name of the site
to which the failed DC belongs. In this example, there is only one site.

12. Type list servers in site and press Enter. Note the name of the failed DC.
13. Type select server %s and press Enter. Replace %s with the position number or name
of the failed DC. In this example, the failed DC is DC2, which is in position 1.
14. Type quit and press Enter.

15. Type remove selected server and press Enter.

16. When asked to confirm, click Yes to confirm the removal of the failed DC.

17. Type quit and press Enter.

18. Type quit again and press Enter to exit Ntdsutil.

Removing a failed DC using ntdsutil requires careful attention to detail, as any

mistakes can have serious consequences for your Active Directory environment.
Therefore, it is recommended that you follow these instructions closely and seek
assistance from an experienced Active Directory administrator if you have any
doubts or concerns.

Conclusion
NTDSUTIL is a powerful command-line tool that allows Windows Server administrators
to manage Active Directory and its related components. It is a versatile tool that can be
used for various purposes, including managing domains, trusts, and sites and
configuring and troubleshooting Active Directory replication.
But, due to its power, it is essential to follow best practices and be aware of the cautions
when using the tool to ensure that it is used correctly and does not cause any adverse
effects on the Active Directory environment.

Source: https://theitbros.com/ntdsutil