Tuesday, July 12, 2011

Win 2003 Support Tools

Ntdsutil

Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use the ntdsutil commands to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled.

ntdsutil.exe is found in the %systemroot%\system32 folder. 

Preparation for NTDSutil:

Begin by logging on at a Windows Server (2003 is best).  I suggest that you create a new folder to hold any logs that NTDSutil creates, for example D:\ntdsutil.  Open a CMD prompt, change directory to D:\ntdsutil and at the prompt type ntdsutil.  Unsurprisingly, the actual executable is called ntdsutil.exe and is found in the %systemroot%\system32 folder.  With this knowledge, you could copy that ntdsutil.exe file onto another operating system if necessary.

Variety of NTDSutil tasks:

1- Authoritative Restore - Major project, needs careful planning see more here.
2- Security Account Management. Check for duplicate SIDs
3- Reset DSRM password.  If you don't know the server's Directory Services Restore Mode account password, then here is your chance to reset it to a password that you will remember.
4- Files - Available only if you boot the server into Directory Restore Mode.  Checks the integrity of NTDS.DIT and moves associated databases.
5- Roles = FSMO Maintenance.  Which Domain Controller holds which Operations Master role?  Seize roles such as PDC Emulator.  Good news: for once you do get a message detailing the transfer you are about to make.  My advice is to use Roles in conjunction with netdom or the Active Directory snap-ins.  My point is I could not find a way of displaying who holds which FSMO role with NTDSutil.
1-Authoritative Restore:

a) Go to Directory Services Restore Mode.
b) D:\ntdsutil>ntdsutil
   ntdsutil: authoritative restore
   authoritative restore: restore object OU=bosses,DC=ourdom,DC=com
c) Restart in normal mode.
d) Restore the applicable portion of SYSVOL from an alternate location.
e) Verify the Active Directory restore using Event Viewer.
f) Use repadmin.
2- Check for duplicate SIDs:
     D:\ntdsutil>ntdsutil
     ntdsutil: security account management
     Security Account Maintenance: connect to server BigServer
     Security Account Maintenance: check duplicate sid
     …
     Duplicate SID check completed successfully. Check dupsid.log for any duplicates
     Security Account Maintenance: quit
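The same check can be scripted rather than typed menu by menu, because ntdsutil accepts its commands as command-line arguments and runs them in order. The PowerShell below is an added example, not from the original post: the server name BigServer and the folder D:\ntdsutil are the placeholders used above, and it assumes dupsid.log is written to the current directory and that a log with no entries means no duplicates were found.

```powershell
# Added example (not from the original post): run ntdsutil's duplicate SID
# check non-interactively from an elevated prompt on a domain controller.
# $Server and $WorkDir are placeholders taken from the walkthrough above.
param(
    [string]$Server  = 'BigServer',     # DC to connect to (placeholder)
    [string]$WorkDir = 'D:\ntdsutil'    # folder that will hold dupsid.log
)

if (-not (Test-Path $WorkDir)) { New-Item -ItemType Directory -Path $WorkDir | Out-Null }
Push-Location $WorkDir
try {
    # Each quoted string is one ntdsutil menu command, executed in order.
    # The two "quit" entries back out of Security Account Maintenance and
    # then out of ntdsutil itself, exactly as in the interactive session.
    $output = & ntdsutil.exe 'security account management' `
                             "connect to server $Server" `
                             'check duplicate sid' `
                             'quit' 'quit' 2>&1
    $output | ForEach-Object { Write-Verbose $_ }

    if ($LASTEXITCODE -ne 0) {
        throw "ntdsutil exited with code $LASTEXITCODE; run with -Verbose to see its output."
    }

    # Assumption: dupsid.log lands in the current directory, and an empty
    # log (no non-blank lines) means the check found no duplicate SIDs.
    $log = Join-Path $WorkDir 'dupsid.log'
    if (-not (Test-Path $log)) {
        Write-Warning "dupsid.log was not created; the check may not have run on $Server."
    }
    else {
        $entries = @(Get-Content $log | Where-Object { $_.Trim() -ne '' })
        if ($entries.Count -eq 0) {
            Write-Output "No duplicate SIDs reported on $Server."
        }
        else {
            Write-Warning "Duplicate SID entries found on $Server; review them before any cleanup:"
            $entries | Write-Output
        }
    }
}
finally {
    Pop-Location
}
```

Schedule it against each domain controller you care about and keep the dupsid.log files with your other AD maintenance logs, so a duplicate that appears later can be compared with earlier clean runs.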

3- Reset password for DSRM (Directory Services Restore Mode)

Here is where I challenge you to perform a real task. Once upon a time, when your Windows Server 2003 was first installed, setup asked the installer for a separate Directory Services Restore Mode password.  90% of administrators ignored the box or forgot the password.  50% of administrators don't realize that this Directory Services Restore Mode password is different from the normal Administrator password.  The two can get out of sync because they are stored in separate databases.
Now is your chance to reset the password that will be required if ever you need to restart the server in Directory Services Restore Mode.  In many ways this is an insignificant job; in other ways it saves the frustration of being thwarted by not having the administrative password for this context.
E:\ntdsutil>ntdsutil
ntdsutil: set dsrm password
Reset DSRM Administrator Password: reset password on server BigServer
Please type password for DS Restore Mode Administrator Account: ********
Please confirm new password: ********
Password has been set successfully.

Reset DSRM Administrator Password: quit
ntdsutil: quit
E:\ntdsutil> (now restart the computer)

4- To move the data file to another folder, follow these steps:
  1. Click Start, click Run, type ntdsutil in the Open box, and then press ENTER.
  2. At the Ntdsutil command prompt, type files, and then press ENTER.
  3. At the file maintenance command prompt, type move DB to d:\temp (where temp is an existing folder that you have created for this purpose), and then press ENTER.
  4. To quit Ntdsutil, type quit, and then press ENTER.
  5. Restart the computer.
5- To move the log files, follow these steps:
  1. Click Start, click Run, type ntdsutil in the Open box, and then press ENTER.
  2. At the Ntdsutil command prompt, type files, and then press ENTER.
  3. At the file maintenance command prompt, type move logs to d:\temp (where temp is an existing folder that you have created for this purpose), and then press ENTER.
  4. Type quit, and then press ENTER.
  5. Restart the computer.