Using Ntdsutil Tool To Manage Active Directory
written by Cyril Kardashevsky March 21, 2023
The tool is available on all Windows Server operating systems and can be used to
manage both the local and remote AD instances. In this post, we’ll explore how to use
NTDSUTIL, some typical use case scenarios, and best practices.
Table of Contents
Typical Use Case Scenarios
Some Reminders Before You Begin
Navigating the NTDSUTIL Tool and the Help System
Using NTDSUTIL to Transfer FSMO Roles
Using NTDSUTIL to Reset the Administrator Password for the DSRM
Using NTDSUTIL to Maintain Active Directory Database
o Stop Services
o Compacting an Active Directory Database
o Repairing an Active Directory Database
o Start Services
Using NTDSUTIL to Manage Active Directory Snapshots
o Creating a Snapshot
o Mount, Unmount, and Delete the Snapshot
Using NTDSUTIL to Remove a Failed Domain Controller
Conclusion
Typical Use Case Scenarios
Managing Active Directory Database: NTDSUTIL can be used to manage the Active
Directory database, which includes compacting, defragmenting, and repairing the
database.
Managing Domain Controller: It can also be used to manage domain controllers,
including transferring and seizing FSMO roles, performing authoritative restores, and
managing DNS configurations.
Managing Active Directory Sites: NTDSUTIL can be used to manage Active Directory
sites, including creating, deleting, and configuring sites and subnets.
Managing Active Directory Trusts: The tool can be used to manage Active Directory
trusts, including creating, modifying, and deleting trusts between domains.
Some Reminders Before You Begin
When using NTDSUTIL, it is essential to follow some best practices to ensure that the
tool is used correctly and that it does not cause any adverse effects on the Active
Directory environment. Here are some best practices to follow:
1. Always have a backup of the Active Directory database before performing any
NTDSUTIL operations. This ensures that you can restore the AD database to its
previous state in case of any errors or damage caused by the tool.
2. Understand the NTDSUTIL commands and their functions before running them. Some
commands can cause significant changes to the AD environment, and you should
ensure that you fully understand the effects of the command before running it.
3. Run the tool with a domain administrator or enterprise administrator account. This ensures
that you have the necessary privileges to perform the required tasks.
Navigating the NTDSUTIL Tool and the Help System
The NTDSUTIL tool has many subcommands available to manage different aspects of
the Active Directory. To view the help system, run the below command in an elevated
PowerShell or CMD session.
ntdsutil /?
When you need help with a specific subcommand, you can enter the NTDSUTIL
interactive prompt and run the help command. For example, if you’d like help with the
Roles subcommand:
# Enter the NTDSUTIL prompt
ntdsutil
roles
help
Using NTDSUTIL to Transfer FSMO Roles
In this example, all the FSMO roles are owned by the DC1.theitbros.local server.
Suppose you need to transfer the FSMO roles to another domain controller, such
as DC2.theitbros.local; follow these steps.
1. Log in to any domain controller and open CMD or PowerShell as admin.
2. Run the below commands in sequence to enter the fsmo maintenance mode:
ntdsutil
roles
connections
3. On the server connections prompt, enter the following command. In this example, DC2 is
the target domain controller server name:
connect to server DC2
quit
4. You're back to the fsmo maintenance prompt. To transfer the FSMO roles, run the below
commands one at a time:
transfer schema master
transfer naming master
transfer infrastructure master
transfer pdc
transfer rid master
5. Each command will ask you to confirm the transfer operation. Click Yes.
6. In the end, DC2 will be the new owner of all five FSMO roles.
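Before trusting the transfer, check where each role actually lives. The following is an added example (not from the original article) that reads the role holders with the ActiveDirectory RSAT module and compares them against the expected controller; the host name DC2 is taken from the article's scenario and the function names are my own.

```powershell
# Added example: verify the FSMO role holders after an ntdsutil transfer.
# Requires the ActiveDirectory module (RSAT); run from a domain-joined admin session.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Forest-wide roles are exposed on the forest object, domain-wide roles on the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-FsmoRoleHolder {
    # Returns $true only when all five roles are held by $ExpectedHolder (short host name).
    param([Parameter(Mandatory)][string]$ExpectedHolder)
    $holders = Get-FsmoRoleHolders
    $mismatched = foreach ($role in $holders.Keys) {
        # Role holders are reported as FQDNs (e.g. DC2.theitbros.local); compare the host part.
        $actualHost = ($holders[$role] -split '\.')[0]
        if ($actualHost -ne $ExpectedHolder) {
            [pscustomobject]@{ Role = $role; Holder = $holders[$role] }
        }
    }
    if ($mismatched) {
        Write-Warning "Roles not held by ${ExpectedHolder}:"
        $mismatched | Format-Table -AutoSize | Out-String | Write-Warning
        return $false
    }
    Write-Host "All five FSMO roles are held by $ExpectedHolder"
    return $true
}

# Usage: DC2 is the target controller from the example above.
Test-FsmoRoleHolder -ExpectedHolder 'DC2'
```

Because ntdsutil's transfer command needs the current role holder to be reachable, a role that still shows the old owner here usually means that transfer was declined or never reached the old holder; rerun that single transfer rather than seizing.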
Using NTDSUTIL to Maintain Active Directory Database
Note. The following tasks require that the AD database on the server is offline, so do
this only during a planned maintenance window.
Stop Services
Before doing any AD database maintenance, make sure to stop the following services.
Run the following command in an elevated PowerShell window.
Compacting an Active Directory Database
Online defragmentation, however, does not reduce the database file size. When the database
grows large, it may cause performance issues, so periodically compacting the database
(offline defragmentation) should be on your maintenance list.
5. After compacting the database, run the following command to copy the newly
compacted database to the original location. This command overwrites the
old ntds.dit and ntds.jfm files:
copy "c:\temp\ntds\ntds.*" "C:\Windows\NTDS"
Start Services
Once you've completed the database maintenance, bring the AD database back
online by starting the required services.
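The offline compaction described above, scripted end to end with a rollback path, as an added example that is not part of the original article. The paths follow the article (C:\temp\ntds as the compaction target, C:\Windows\NTDS as the live database); the backup folder name and the "Integrity check successful" match string are assumptions.

```powershell
# Added example: offline compaction of ntds.dit with backup, integrity check and rollback.
#Requires -RunAsAdministrator
$NtdsPath    = 'C:\Windows\NTDS'
$CompactPath = 'C:\temp\ntds'
$BackupPath  = "C:\temp\ntds-backup-$(Get-Date -Format 'yyyyMMdd-HHmm')"   # assumption

function Invoke-NtdsUtil {
    # ntdsutil takes its interactive commands as arguments; multi-word commands stay quoted.
    param([string[]]$Commands)
    $output = & ntdsutil.exe @Commands 2>&1 | Out-String
    Write-Host $output
    return $output
}

try {
    # Take the database offline. -Force also stops the services that depend on NTDS
    # (KDC, DNS Server, Netlogon, ...), which is why this needs a maintenance window.
    Stop-Service -Name NTDS -Force -ErrorAction Stop

    # Keep the live database and transaction logs so the overwrite below can be undone.
    New-Item -ItemType Directory -Path $BackupPath, $CompactPath -Force | Out-Null
    Copy-Item -Path "$NtdsPath\ntds.*", "$NtdsPath\*.log" -Destination $BackupPath -ErrorAction Stop

    # Compact into the empty target folder (offline defragmentation).
    Invoke-NtdsUtil 'activate instance ntds', 'files', "compact to $CompactPath", 'quit', 'quit' | Out-Null

    # Step 5 above: replace the live files. The old transaction logs no longer match the
    # compacted database, so they are removed too (ntdsutil prints the same instruction).
    Copy-Item -Path "$CompactPath\ntds.*" -Destination $NtdsPath -Force -ErrorAction Stop
    Remove-Item -Path "$NtdsPath\*.log" -Force

    # Verify before anyone relies on the new file; roll back to the backup on failure.
    $result = Invoke-NtdsUtil 'activate instance ntds', 'files', 'integrity', 'quit', 'quit'
    if ($result -notmatch 'Integrity check successful') {   # match string is an assumption
        Copy-Item -Path "$BackupPath\*" -Destination $NtdsPath -Force
        throw 'Integrity check failed; original database and logs restored from backup.'
    }
}
finally {
    # Bring AD DS back online either way, including the dependents that -Force stopped.
    Start-Service -Name NTDS
    (Get-Service -Name NTDS).DependentServices |
        Where-Object { $_.Status -ne 'Running' } |
        Start-Service -ErrorAction SilentlyContinue
}
```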
Using NTDSUTIL to Manage Active Directory Snapshots
Creating a Snapshot
1. In the elevated PowerShell prompt, type ntdsutil and press Enter.
2. Type activate instance ntds and press Enter.
3. To create a snapshot of Active Directory, type snapshot and press Enter.
4. Type create and press Enter. This command creates a new snapshot of Active
Directory.
5. Now, list all available snapshots by running list all. The new snapshot appears in the
list; take note of its GUID and position number.
Mount, Unmount, and Delete the Snapshot
1. Mount the snapshot by running the mount %s command, where %s is the position or GUID
of the snapshot.
2. Now, open the mount path in File Explorer to view its contents.
3. Once you're done reviewing the snapshot, you can unmount it by running the unmount
%s command, where %s is the position or GUID of the snapshot.
4. Finally, when you no longer require the snapshot, you can delete it by running the delete
%s command, where %s is the position or GUID of the snapshot.
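The snapshot lifecycle above (create, list, mount, inspect, unmount, delete) driven from PowerShell so that the snapshot is always unmounted and deleted even if the inspection step fails, as an added example that is not part of the original article. The parsing of ntdsutil's "list all" and "mount" output (" 1: <date> {set-guid}", " 2: C: {snapshot-guid}", "... mounted as <path>") reflects the format I have observed and is an assumption, as is the database location Windows\NTDS inside the mounted volume.

```powershell
# Added example: create, mount, inspect, unmount and delete an AD snapshot via ntdsutil.
#Requires -RunAsAdministrator

function Invoke-NtdsSnapshot {
    # Runs the given commands inside "ntdsutil snapshot" and returns the text output.
    param([string[]]$Commands)
    & ntdsutil.exe snapshot 'activate instance ntds' @Commands quit quit 2>&1 | Out-String
}

function New-AdSnapshot {
    # "create" reports "Snapshot set {GUID} generated successfully."; return that GUID.
    $out = Invoke-NtdsSnapshot 'create'
    if ($out -notmatch '\{([0-9a-f-]{36})\}') { throw "Snapshot creation failed:`n$out" }
    return $Matches[1]
}

function Get-AdSnapshots {
    # Each "list all" line is "<index>: <label> {GUID}" (assumed format); the label is a
    # timestamp for a snapshot set and a drive letter for the volume snapshot inside it.
    $pattern = '^\s*(\d+):\s+(\S+)\s+\{([0-9a-f-]{36})\}'
    (Invoke-NtdsSnapshot 'list all') -split "`r?`n" | ForEach-Object {
        if ($_ -match $pattern) {
            [pscustomobject]@{ Index = [int]$Matches[1]; Label = $Matches[2]; Guid = $Matches[3] }
        }
    }
}

$setGuid   = New-AdSnapshot
$snapshots = @(Get-AdSnapshots)
# The volume snapshot belonging to the new set is the entry right after the set's own line.
$setIndex  = ($snapshots | Where-Object Guid -eq $setGuid).Index
$volume    = $snapshots | Where-Object Index -eq ($setIndex + 1)
try {
    $mountOut = Invoke-NtdsSnapshot "mount $($volume.Guid)"
    if ($mountOut -notmatch 'mounted as (\S+)') { throw "Mount failed:`n$mountOut" }
    $mountPath = $Matches[1]
    # Review the offline copy of the database (read-only); step 2 above does this in File Explorer.
    Get-ChildItem -Path (Join-Path $mountPath 'Windows\NTDS') | Format-Table Name, Length, LastWriteTime
}
finally {
    # Steps 3 and 4 above, run even when the review throws, so no snapshot is left behind.
    Invoke-NtdsSnapshot "unmount $($volume.Guid)" | Out-Null
    Invoke-NtdsSnapshot "delete $setGuid"         | Out-Null
}
```

A mounted snapshot is a readable copy of ntds.dit, so treat the mount path with the same access controls as the live database folder and do not leave snapshots mounted after the review.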
Using NTDSUTIL to Remove a Failed Domain Controller
There are several steps involved, which can be confusing, so make sure to follow the
instructions carefully.
10. Type list sites and press Enter. Note the site to which the failed DC belongs.
11. Type select site %s and press Enter. Replace %s with the position or name of the site
to which the failed DC belongs. In this example, there is only one site.
12. Type list servers in site and press Enter. Note the name of the failed DC.
13. Type select server %s and press Enter. Replace %s with the position number or name
of the failed DC. In this example, the failed DC is DC2, which is in position 1.
14. Type quit and press Enter.
Conclusion
NTDSUTIL is a powerful command-line tool that allows Windows Server administrators
to manage Active Directory and its related components. It is a versatile tool that can be
used for various purposes, including managing domains, trusts, and sites and
configuring and troubleshooting Active Directory replication.
Because of that power, however, it is essential to follow best practices and heed the cautions
when using the tool, so that it is used correctly and does not cause any adverse
effects on the Active Directory environment.
Source: https://theitbros.com/ntdsutil