Using Ntdsutil

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Using Ntdsutil

Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory. Use Ntdsutil to perform database maintenance of Active Directory, manage and control single master operations, remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled, and create application directory partitions. The tool has a series of menus that allow you to move between different management tasks. This tool is intended to be used by experienced administrators. By default, Ntdsutil is installed in the systemroot\System32 folder and can be accessed at the command prompt. For command-line information about the Ntdsutil command-line tool, see Ntdsutil.

You can invoke Ntdsutil from the command prompt with no arguments. Rather than support and extend an ever-increasing set of cryptic command-line arguments, the tool parses keyboard input after you invoke it. For example, you can type the following:

  • list roles for connected server

  • connect to server xxx

For convenience, you need only specify enough of each word to make it unique with respect to any other words that you can enter in that specific menu. Thus, as you become more familiar with the tool, you could type li r f c s rather than list roles for connected server.

Processing command input

Ntdsutil processes as input all the arguments that you type when you start the program. For example, if you type the following:

  • ntdsutil help connections help quit quit

Ntdsutil does the following steps:

  1. Invokes Ntdsutil.exe.

  2. Displays its Help information.

  3. Invokes the Connections submenu.

  4. Displays its Help information.

  5. Closes the Connections submenu and returns to the top-level menu.

  6. Quits the program.

Automating Ntdsutil commands

You can automate Ntdsutil by creating batch files or scripts that contain a series of Ntdsutil commands. Many Ntdsutil commands that perform writes, open by default a message that asks users if they really want to perform a particular operation. When these messages appear, the program will pause and wait for keyboard input. Use the Popups %s command to disable these messages when running Ntdsutil from a batch file or script. For example, to disable these messages, type the following:

  • popups off

To reenable the display of these messages, type the following:

  • popups on

It is good practice to disable these messages only when you are scripting Ntdsutil commands and to reenable them as soon as you finish scripting.

Errors in Ntdsutil

Ntdsutil does not provide error level kick back or fail overs. The only way to verify that changes were made is to parse, then view the log file.

Availability of access token limitation option in Ntdsutil

A special version of Ntdsutil is available that includes the group membership evaluation option, which you can use to address access token limitation problems.

Windows Server 2003 and Windows 2000 Server environments that contain complex group structures can encounter problems with an access token limitation during authentication. This problem can result in the inability of a user to log on or access resources.

The version of Ntdsutil that includes the group membership evaluation option is available for download on the Microsoft Web site. To download the tool, and for detailed information about the access token limitation issue and how to use the group membership evaluation option in Ntdsutil, see Addressing Problems Due to Access Token Limitation on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=62237).