A closer look at the Ntdsutil command-line tools for Active Directory

Dig into the slew of Ntdsutil commands in Windows Server 2008 and R2 that provide admins with improved Active Directory management.

Part one reviewed the Ntdsutil utility in Windows Server 2008 and R2 and the changes made since Windows 2000. This article continues the discussion with a deeper look at some of the most useful Ntdsutil commands, with details on how they work and what they can do for administrators.

Let’s look at a more detailed breakdown of the Ntdsutil commands in Windows Server 2008 to help further your understanding of the tool’s capabilities.

Ntdsutil: Metadata cleanup 
This option is easily the most commonly used of all Ntdsutil commands, at least in my experience. It has been around since Windows 2000 and provides operations to clean up Active Directory objects after a manual dcpromo operation. Ntdsutil metadata cleanup requires the use of the connections menu to connect to a domain controller.

Metadata cleanup also requires you to define the site, domain, naming context and server so that the object to be removed can be located. This is done with the Select operation target (SelOT) command in the metadata cleanup menu. For example, if I want to remove ATL-DC4, I can issue a “?” command at the SelOT prompt to see the available options, as shown in Figure 4.

Figure 4: Using the SelOT command

In order to select the site, domain and server, you must list each and get a “reference number” to use in the corresponding select command. Here is how to do it:

  • Use the List sites command:
    select operation target: list sites
    Found 6 site(s) 
    0 - CN=Alpharetta,CN=Sites,CN=Configuration,DC=Wtec, DC=adapps,DC=hp,DC=com
    1 - CN=Brussels,CN=Sites,CN=Configuration,DC=Wtec, 
    2 - CN=Melbourne,CN=Sites,CN=Configuration,DC=Wtec, 
    3 - CN=Bracknell,CN=Sites,CN=Configuration,DC=Wtec, 
    4 - CN=Roseville,CN=Sites,CN=Configuration,DC=Wtec, 
    5 - CN=Site1,CN=Sites,CN=Configuration,DC=Wtec, 
  • Now issue the Select site command. The server we want is in site 1 (Brussels), so “1” is the reference number taken from the List sites output:
    select operation target: sel site 1
    The output shows:
    Site -
    No current domain
    No current server
    No current Naming Context
  • Repeat this process for the domain and server. Each time, use the list command (such as List domains), locate the reference number of the object you want to use and issue the Select domain (#) command. When you have completed this, you will see something like the example in Figure 5. It’s a bit hard to read, but in the end you will have the site, domain and server defined.

Figure 5: Sample outcome of SelOT command

  • To delete the selected server object, use Quit to move back to the Ntdsutil metadata cleanup menu. In that menu, issue the remove command:

         Remove selected server

    You will get a nice popup indicating the server you are about to remove, as shown in Figure 6. Be careful with this command, however, as you are manipulating objects in the Active Directory.

Figure 6: Server Remove Confirmation Dialog
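As an added check that is not part of the original article: before you issue Remove selected server, it is worth confirming what the directory still knows about the dead DC, and afterwards confirming that nothing was left behind. The PowerShell script below uses the Active Directory module that ships with Windows Server 2008 R2 (Get-ADRootDSE, Get-ADObject, Get-ADComputer, Get-ADDomain, Get-ADForest); ATL-DC4 is the article’s example name and a placeholder here.

```powershell
# Added example, not from the article. Reports what a metadata cleanup of a
# stale DC still has to deal with. Run it before "remove selected server"
# (the objects should still exist, and no FSMO role should point at the DC)
# and again afterwards (everything should report False / none).
Import-Module ActiveDirectory

$StaleDc  = 'ATL-DC4'   # placeholder: the article's example DC name
$ConfigNC = (Get-ADRootDSE).configurationNamingContext

# Server object under CN=Sites; this is what "remove selected server" deletes.
$serverObj = Get-ADObject -SearchBase "CN=Sites,$ConfigNC" `
    -LDAPFilter "(&(objectClass=server)(cn=$StaleDc))"

# NTDS Settings child (nTDSDSA); while it exists, the other DCs keep
# trying to replicate with the dead server.
$ntdsObj = $null
if ($serverObj) {
    $ntdsObj = Get-ADObject -SearchBase $serverObj.DistinguishedName `
        -LDAPFilter '(objectClass=nTDSDSA)'
}

# Computer account in the domain partition; older cleanup procedures left
# this behind, so it is worth checking separately.
$computer = Get-ADComputer -LDAPFilter "(cn=$StaleDc)"

# FSMO roles still held by the stale DC must be seized before cleanup
# (see the Roles section); the role values are DC FQDNs.
$domain = Get-ADDomain
$forest = Get-ADForest
$roles = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
$held = @($roles.GetEnumerator() |
    Where-Object { $_.Value -like "$StaleDc.*" } |
    ForEach-Object { $_.Key })
$heldText = if ($held.Count -gt 0) { $held -join ', ' } else { 'none' }

New-Object PSObject -Property @{
    StaleDc         = $StaleDc
    ServerObject    = [bool]$serverObj
    NtdsSettings    = [bool]$ntdsObj
    ComputerAccount = [bool]$computer
    FsmoRolesHeld   = $heldText
}
if ($held.Count -gt 0) { Write-Warning "Seize $heldText before running metadata cleanup" }
```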

Ntdsutil: Files
The Files command requires AD DS to be stopped. A few of the useful commands here include:

  • Checksum -- This performs a physical integrity check of the Jet database. Use this if you see database errors, especially in the event log. You’ll also see the semantic database checker in the main menu.
  • Integrity -- This is similar to Checksum, but runs different tests.
  • Set default folder security -- This command resets security on NTDS folders. This usually isn’t a problem unless you have accidentally messed with these folders and need to recover.
  • Move logs to %S and Move DB to %S -- These commands allow movement of a database and logs to a different path.

While these aren’t everyday commands, the Integrity and Checksum options are handy if you see database errors pop up in the event logs. You can combine these with the semantic database check, which tests database consistency.

Ntdsutil: Semantic database analysis
This very powerful command is actually quite simple to use. Anytime I see database errors reported in the event log, I run this check. There is really only one command I use with this option:

Semantic Checker: Go Fixup

This command does a full consistency check pretty quickly and, from my experience, has successfully repaired the database time after time. There are no guarantees that this will fix a given database problem, but it certainly won’t hurt anything. You can use it with the database repair options noted in the Ntdsutil: Files section above.

Ntdsutil: Group membership evaluation
This option dumps the security identifiers (SIDs) in the security token for a user or group. There are some old Resource Kit tools for this, but it’s nice to have it built into Ntdsutil. Using it requires the Set Global Catalog or Set Resource DC command to define the GC/DC to use for the operation. For example:

Run Corp.com olseng

It will proceed through a five-stage process and dump the results to a text file such as C:\olseng-20110217024622.tsv, which contains all the security information.

Ntdsutil: Roles
This is the fastest way to view, seize and transfer Flexible Single Master Operations (FSMO) roles. Here are a few tips for using this command:

  • In the FSMO Maintenance (Roles) menu, go to the Connections menu to set the connection to the domain controller that you want to transfer the role to. This is important!

         Connections: Connect to server Wtec-dc1

  • Quit back to the FSMO Maintenance menu (see Figure 7)

Figure 7: FSMO Maintenance menu

  • Figure 7 shows the options, which are pretty self-explanatory.
  • To view all roles from Ntdsutil, go to the Select Operation Target menu and issue List Roles for Selected Server (see Figure 7). It’s not pretty, but they are there. A cleaner way to see them is with the Netdom command:

         Netdom Query Fsmo

  • To seize the PDC role to the currently connected domain controller, you can use:

         Fsmo Maintenance: Seize PDC

Note that any seize operation will automatically try to do a transfer first. The nice thing about Ntdsutil is that you can manage all FSMO roles from one spot.
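The same transfer-first, seize-only-if-necessary logic as an added PowerShell example (not from the article): it uses the Active Directory module’s Move-ADDirectoryServerOperationMasterRole cmdlet from Windows Server 2008 R2 instead of the Ntdsutil Fsmo Maintenance menu, and it lists the holders before and after so you can see that the role landed on the DC you meant. Wtec-dc1 is the article’s example server name and a placeholder here.

```powershell
# Added example, not from the article. Moves the PDC Emulator to $TargetDc,
# transferring when the current holder answers and seizing only when it does
# not. A DC whose role was seized must never be brought back online with it.
Import-Module ActiveDirectory
$TargetDc = 'Wtec-dc1'   # placeholder: the DC named in the article's Connections example

function Get-FsmoHolders {
    # Equivalent of "netdom query fsmo": the five role holders as FQDNs.
    $d = Get-ADDomain
    $f = Get-ADForest
    New-Object PSObject -Property @{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

$before = Get-FsmoHolders
'Before:'; $before | Format-List
$holder = $before.PDCEmulator
if ($holder -like "$TargetDc.*") { "PDC Emulator is already on $TargetDc"; return }

# Ping is only a liveness hint (ICMP may be filtered); if in doubt, verify the
# old holder is really down some other way before seizing.
if (Test-Connection -ComputerName $holder -Count 1 -Quiet) {
    "Transferring PDC Emulator from $holder to $TargetDc"
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
        -OperationMasterRole PDCEmulator -Confirm:$false
} else {
    Write-Warning "$holder is unreachable; seizing PDC Emulator on $TargetDc"
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
        -OperationMasterRole PDCEmulator -Force -Confirm:$false
}

$after = Get-FsmoHolders
if ($after.PDCEmulator -notlike "$TargetDc.*") {
    throw "PDC Emulator is still on $($after.PDCEmulator)"
}
'After:'; $after | Format-List
```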

Ntdsutil: IFM
The Install From Media function is new in Windows Server 2008 and enables the building of a new domain controller with the dcpromo /ADV command much faster than in Windows 2003. Prior to this option, a backup of a DC was required, after which the restored files would be moved to the local media of the server to be promoted. The dcpromo /ADV command produces a prompt to use static restore files for initial promotion rather than going over the network. Figure 8 shows the IFM menu options, as well as an example of the creation of a full instance. Options included here are:

  • Create Full AD instance with SYSVOL, Full instance without SYSVOL
  • Create RODC instance with or without SYSVOL

Figure 8: Ntdsutil IFM snapshot

IFM creates a snapshot -- defragging the database first -- and stores it in a path of your choosing on the disk.

Create sysvol full c:\adbackup

In C:\adbackup, there will be three directories -- Active Directory, Registry and SYSVOL -- with the files to be used by dcpromo.

IFM makes it easy to get the Active Directory source files for installation from an existing DC and then simply copy them to the server to be promoted (or re-promoted). This is very handy for promoting a server as a new or recovered DC. Once dcpromo finishes, replication will bring it up to date. It is important to note that a read-only domain controller (RODC) instance can be created on a read/write DC, but only an RODC instance can be created from an RODC itself.

As you can see, Ntdsutil is very powerful. There are many more options available that I don’t have space here to discuss. Just remember that things like security, account management, partition management, LDAP policies and other options used for AD LDS partitions are all very handy commands, but Ntdsutil can also be very risky. It usually comes with warning messages to protect you from yourself. Just make sure you know what you are doing when you hit the Enter key.

Part one: Getting started with Ntdsutil


Gary Olsen is a systems software engineer for Hewlett-Packard in Global Solutions Engineering. He authored Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers. Gary is a Microsoft MVP for Directory Services and formerly for Windows File Systems.
