Problem solve Get help with specific problems with your technologies, process and projects.

Living dangerously with Ntdsutil commands in Windows Server 2008

While the Ntdsutil utility for Active Directory has been around since the days of Windows 2000, new functionality in Windows Server 2008 and R2 gives admins even more to work with.

Rumor has it that Microsoft is planning to do away with Ntdsutil.exe, a tool that has provided command-line access to a variety of Active Directory functions since Windows 2000. Ntdsutil has been invaluable throughout my experience with troubleshooting AD problems, yet I‘ve found very few admins that use it. This is despite the fact that Windows Server 2008 and R2 include a number of new options that enhance the usefulness of Ntdsutil even further.

Ntdsutil is very powerful, but it’s also dangerous. The problem with some Ntdsutil commands is that they require Active Directory to be taken offline. In Windows 2000 and 2003, this was accomplished by rebooting the domain controller (DC) and starting up in Directory Services Restore Mode (DSRM). This was the only way to run operations like the semantic database checker.

Rebooting a DC (twice) is not a desirable option, however, and it usually requires the operation to be performed during a maintenance window. While not recommended, this is fairly common practice, as booting into DSRM (essentially Safe Mode) takes everything offline.

Fortunately, Windows Server 2008 shipped with a wonderful new option for installing Active Directory as a service that can be taken offline (see Figure 1). Once Active Directory Domain Services (AD DS) is turned off, Ntdsutil can run the semantic database analysis options without a reboot.

Figure 1: Active Directory Domain Services (click to enlarge)
Active Directory Domain Services

An introduction to Ntdsutil commands
So let’s take a look at the Windows Server 2008 and R2 versions of Ntdsutil and a few of the powerful operations that could save you a support call someday:

  • Metadata cleanup -- permits the deletion of server, site, domain and naming context objects (This is very handy when you have to do a manual demotion of a DC or have some corrupt objects.)
  • Files * -- manages Active Directory database files (This isn’t a real common one, but there are some useful commands here)
  • Group membership evaluation -- dumps security info for a principal
  • Roles -- manages FSMO roles
  • IFM (Install From Media) * -- captures Active Directory snapshots to be used in the dcpromo IFM procedure
  • Semantic database analysis * -- finds and fixes database errors
  • Snapshot -- manages snapshots, including the listing, mounting and un-mounting of snapshots
  • Authoritative restore -- returns domain controllers to a specific point in time

* These operations require Active Directory Domain Services to be stopped.

NOTE: While Active Directory Lightweight Directory Services (AD LDS) has used the dsdbutil and dsmgmt utilities to manage AD LDS instances in the past, Microsoft has actually combined these tools into Ntdsutil. While I won’t discuss the AD LDS options in detail here, it’s important to be aware that all the admin functions are now in AD LDS.

There are several tips and tricks that can help admins navigate the Ntdsutil tool. For starters, the command names can be abbreviated, meaning you just need to enter enough characters to uniquely define the Ntdsutil command. For example, metadata cleanup can be entered as meta cl. Additionally, admins can recall commands using the arrow keys.

Ntdsutil options include Quit, which if selected at any menu level goes up one level, while ^C boots you out of Ntdsutil altogether. Connections will show up in various Ntdsutil commands such as metadata cleanup, as shown in Figure 2. It defines a connection to a specific domain controller. When this command shows up, simply go to the Connections menu and enter:

Connections: Con To Ser <enter DC’s name such as ATL-DC1 >

Operations will then take place on that DC’s copy of Active Directory. You can use the credentials of the logged-in user or specify alternate ones.

Figure 2: Ntdsutil metadata cleanup commands (click to enlarge)
Metadata cleanup command

Ntdsutil also has an online help component, as shown in Figure 3. I’ve used this tool many times over the years, and I always enter the question mark (?) at any menu level to get a quick display of the options.

There are also a few changes to the online help feature to note. For instance, the authoritative restore operation now requires a definition of the instance. This is due to how Ntdsutil is used to manage AD LDS partitions. If you receive an error indicating you need to specify the instance, you can use the following command:

Ntdsutil: Activate Partition ntds (or choose the appropriate AD LDS instance to manage).

Figure 3: Ntdsutil help component (click to enlarge)
Ntdsutil help component

Part two: A closer look at Ntdsutil commands in Windows 2008

You can follow on Twitter @WindowsTT.

Gary Olsen is a systems software engineer for Hewlett-Packard in Global Solutions Engineering. He authored Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers. Gary is a Microsoft MVP for Directory Services and formerly for Windows File Systems.

Dig Deeper on Windows administration tools