NTDSutil is a Windows utility for configuring the heart of Active Directory. Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory. Use Ntdsutil to perform database maintenance of Active Directory, to manage and control single master operations (the FSMO roles), and to remove metadata left behind by domain controllers that were removed from the network without being properly demoted. By default, Ntdsutil is installed in the %systemroot%\System32 folder.
Preparation for NTDSutil
Begin by logging on at a Windows Server 2003 or 2008 domain controller. We suggest that you create a new folder to hold any logs that NTDSutil creates, for example D:\ntdsutil. Open a CMD prompt, change directory to D:\ntdsutil and at the prompt type: ntdsutil. Unsurprisingly, the actual executable is called ntdsutil.exe and is found in the %systemroot%\system32 folder, so it is on the path from any directory.
Key NTDSutil command
When you are experimenting
with NTDSutil, if you get stuck remember these four little words, they
will make the difference between success and frustration:
Connect to Server Server3 (substitute your server for Server3)
Don't shorten the command to: Connect Server3 (remember the words 'to' and 'server').
Tip: If ever you are stuck in NTDSutil, simply type help at any prompt; it lists the commands available in the current menu.
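NTDSutil also accepts abbreviated words, as Example 1 below explains: each word you type is completed if exactly one command in the current menu matches. The script below models that rule so you can see why some shorthands work and others are rejected. It is an added example written for this page, not code from the original post or from Microsoft, and it does not call ntdsutil.exe; the menu list is constructed for illustration from the commands the post names plus a few standard top-level entries (help, quit, ldap policies, metadata cleanup, popups on/off). The model requires you to type every word of the command, so it does not reproduce how the real tool reacts to a lone 'se'.

```powershell
# Added example (not from the original post, does not run ntdsutil.exe).
# Models ntdsutil's word-by-word prefix matching as described in the post.
# $TopMenu is constructed for illustration from the commands the post names.
$TopMenu = @(
    'authoritative restore', 'configurable settings', 'domain management',
    'files', 'help', 'ldap policies', 'metadata cleanup', 'popups off',
    'popups on', 'quit', 'roles', 'security account management',
    'semantic database analysis', 'set dsrm password'
)

function Resolve-NtdsutilCommand {
    param(
        [Parameter(Mandatory)][string]$Typed,
        [string[]]$Menu = $TopMenu
    )
    # Each typed word must be a prefix of the corresponding word of a menu
    # command, and the word counts must agree. Zero hits is a typo, one hit
    # is accepted, more than one is an ambiguity the tool would reject.
    $words = ($Typed.Trim().ToLowerInvariant() -split '\s+')
    $hits = @(foreach ($cmd in $Menu) {
        $parts = $cmd -split ' '
        if ($parts.Count -ne $words.Count) { continue }
        $ok = $true
        for ($i = 0; $i -lt $words.Count; $i++) {
            if (-not $parts[$i].StartsWith($words[$i])) { $ok = $false; break }
        }
        if ($ok) { $cmd }
    })
    switch ($hits.Count) {
        0       { 'no match' }
        1       { $hits[0] }
        default { 'ambiguous: ' + ($hits -join ' | ') }
    }
}

# The shorthands from the post, plus one that is ambiguous and one that is not.
'sec acc man', 'secu a m', 'se d p', 'r', 'p o', 'p on' | ForEach-Object {
    '{0,-12} -> {1}' -f $_, (Resolve-NtdsutilCommand $_)
}
```

In this model 'sec acc man' and 'secu a m' both resolve to security account management and 'se d p' to set dsrm password, while 'p o' is reported as ambiguous between popups on and popups off until you type 'p on'.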
Variety of NTDSutil tasks
Authoritative Restore - Major project, needs careful planning.
Configurable Settings - Not very interesting.
Domain Management - Specialist area. Create naming contexts and add replicas for application directory partitions, such as those used by DNS.
Files - Available only if you boot the server into Directory Services Restore Mode, because the NTDS.DIT database must be offline. Checks the integrity of NTDS.DIT and moves the database and its log files.
Roles = FSMO Maintenance. Which domain controller holds which single master operations role? Transfer or seize roles such as PDC Emulator. Good news: for once you do get a message detailing the transfer you are about to make. My advice is to use Roles in conjunction with netdom or the Active Directory snap-ins. My point is I could not find a way of displaying who holds which FSMO role with NTDSutil.
Reset DSRM password. If you don't know the server's Directory Services Restore Mode Administrator password, here is your chance to reset it to a password that you will remember.
Security Account Management - Check for duplicate SIDs.
Example 1: Security Account Management (Maintenance)
Let us start gently and check for duplicate SIDs. This experiment is more for gaining experience of the NTDSutil interface than for the probability of finding any duplicate SIDs. This is what I typed at the command prompt; the text after each prompt is what I typed, the rest is NTDSutil's reply:
E:\ntdsutil>ntdsutil
ntdsutil: security account management
Security Account Maintenance: connect to server Server3
Security Account Maintenance: check duplicate sid
...
Duplicate SID check completed successfully. Check dupsid.log for any duplicates
Security Account Maintenance:
1) In the above session I typed the full command security account management. However you can shorten commands thus: 'sec acc man'.
Incidentally, I am inventing these shorthand commands in the sense that NTDSutil also understands:
sec ac ma or even 'secu a m'. NTDSutil's parser works by analysing your letters and if there is only one possible interpretation then it fills in the gaps and returns the menu that you asked for. For example plain 'se' will not work because other commands also begin with se, such as Semantic database analysis and Set DSRM password.
2) When the command prompt shows, Security Account Maintenance:
Here is where you must type: 'connect to server Server3'. Be aware that even though I am sitting at Server3's console, I must remember this command: connect to server xyz.
3) When I type the instruction, 'Check Duplicate SID', don't ask me why, but you cannot shorten the command to 'chk dup sd'. Please just accept you need the full words here.
4) As ever, read the screen and take note of dupsid.log (look for it in the folder you ran NTDSutil from, D:\ntdsutil if you followed the preparation above). However, you have to quit NTDSutil, or open a second window, before you can read dupsid.log. My point is that you cannot issue a command such as 'notepad dupsid.log' from within NTDSutil.
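The same check can be scripted, which also gets round note 4: ntdsutil.exe accepts its menu commands as quoted command-line arguments (the same mechanism the IFM and metadata-cleanup one-liners use), so the session above becomes a single command and the log can be read afterwards from the same script. The block below is an added example written for this page, not code from the original post. It assumes the server name Server3 and the scratch folder D:\ntdsutil from the post, that dupsid.log is written to the directory ntdsutil was started from, that it runs as a Domain Admin on the domain controller under PowerShell 3.0 or later, and it adds an independent LDAP cross-check that groups every objectSid in the domain partition.

```powershell
# Added example (not part of the original post). Runs the duplicate SID
# check non-interactively and cross-checks objectSid uniqueness over LDAP.
# Assumptions: ntdsutil.exe takes menu commands as quoted arguments,
# dupsid.log lands in the current directory, and the caller can read the
# domain partition. Server3 and D:\ntdsutil are the post's own examples.
param(
    [string]$Server = 'Server3',      # substitute your domain controller
    [string]$LogDir = 'D:\ntdsutil'   # scratch folder for NTDSutil logs
)

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
Push-Location $LogDir
try {
    # Each quoted argument is one line you would otherwise type at a prompt.
    # 'connect to server' is still required even when run on the DC itself;
    # the two trailing 'quit's back out of the submenu and then the tool.
    & ntdsutil.exe 'security account management' "connect to server $Server" 'check duplicate sid' quit quit
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil.exe exited with code $LASTEXITCODE" }

    $log = Join-Path $LogDir 'dupsid.log'
    if (Test-Path $log) {
        Write-Host "--- $log ---"
        Get-Content $log
    } else {
        Write-Warning "dupsid.log not found in $LogDir"
    }
}
finally { Pop-Location }

# Independent check: read every objectSid from the domain partition with the
# ADSI searcher built into PowerShell (no RSAT module needed) and report any
# SID that appears on more than one object.
$searcher = [adsisearcher]'(objectSid=*)'
$searcher.PageSize = 1000
$searcher.PropertiesToLoad.AddRange([string[]]@('objectSid', 'distinguishedName'))
$rows = foreach ($r in $searcher.FindAll()) {
    $bytes = [byte[]]$r.Properties['objectsid'][0]
    $sid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    [pscustomobject]@{ Sid = $sid.Value; DN = [string]$r.Properties['distinguishedname'][0] }
}
$dupes = $rows | Group-Object Sid | Where-Object Count -gt 1
if ($dupes) {
    Write-Warning "LDAP cross-check found duplicate SIDs:"
    $dupes | ForEach-Object { '{0}: {1}' -f $_.Name, ($_.Group.DN -join ' ; ') }
} else {
    "LDAP cross-check: $($rows.Count) objects with a SID, no duplicates"
}
```

Save it as a .ps1 and run it from an elevated PowerShell on the domain controller. The ntdsutil step is the authoritative one (it reads the database directly); the LDAP pass is a second opinion that is cheap to repeat and easy to drop into a scheduled job.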
Example 2: Reset password for DSRM (Directory Services Restore Mode)
Here is where I challenge you to perform a real task. Once upon a time, when your Windows Server 2003 was first installed, setup asked the installer for a separate Directory Services Restore Mode password. Many administrators ignored the box or forgot the password, and many don't realize that this Directory Services Restore Mode password is different from the normal Administrator password. The two can get out of sync because they are stored in separate databases: the DSRM password lives in the domain controller's local SAM, the domain Administrator's password in NTDS.DIT.
Now is your chance to reset the password that will be required if ever you need to restart the server in Directory Services Restore Mode. In many ways this is an insignificant job; in other ways it saves the frustration of being thwarted by not having the administrative password for this context. Treat it like any other privileged credential and record it in your password safe: anyone who can boot the domain controller into DSRM with it has offline access to NTDS.DIT.
E:\ntdsutil>ntdsutil
ntdsutil: set dsrm password
Reset DSRM Administrator Password: reset password on server Server3
Please type password for DS Restore Mode Administrator Account: ********
Please confirm new password: ********
Password has been set successfully.
Reset DSRM Administrator Password: quit
ntdsutil: quit
E:\ntdsutil>
1) The key command to type: 'reset password on server Server3' (again, the words 'on server' are required).
If NTDSutil replies with: 'Please type password for DS Restore Mode Administrator Account', then you know you are in the correct place.
2) To escape from NTDSutil you need just type quit, possibly two or three times to get back to the command prompt.