NTDSUTIL
Provides management facilities for Active Directory.
Use to perform database maintenance of Active Directory, manage
and control single master operations, and remove metadata left
behind by domain controllers that were removed from the network
without being properly uninstalled. Intended for use by
experienced administrators.
Syntax
- Authoritatively restore: Restores domain controllers to a specific point in time and marks objects in Active Directory as authoritative with respect to their replication partners. Commands are typed at the "Authority restore:" prompt.
- Configurable settings: Aids in modifying the TTL of dynamic data stored in Active Directory. Commands are typed at the "Configurable setting:" prompt.
- Domain management: Allows administrators who are members of the Enterprise Administrators group to prepare cross-reference and server objects in the directory. Commands are typed at the "Domain management:" prompt.
- Files: Provides commands for managing the directory service data and log files. The data file is called Ntds.dit. Commands are typed at the "Files:" prompt.
- IPDeny List: Prevents the domain controller from accepting LDAP queries from clients with specified IP addresses. Commands are typed at the "IPDeny List:" prompt.
- LDAP policies: Sets the LDAP administration limits for the Default-Query Policy object. Commands are typed at the "LDAP policies:" prompt.
- Metadata cleanup: Cleans up metadata for retired domain controllers. Commands are typed at the "Metadata cleanup:" prompt.
- Roles: Transfers and seizes operations master roles. Commands are typed at the "Roles:" prompt.
- Security account management: Manages security identifiers (SIDs). Commands are typed at the "Security account management:" prompt.
- Semantic database analysis: Analyzes data with respect to Active Directory semantics. Commands are typed at the "Semantic database analysis:" prompt.
- Set DSRM Password: Resets the directory services restore mode (DSRM) password on a domain controller. Commands are typed at the "Set DSRM Password:" prompt.
Parameters
- Authority restore:
  - ? or help (NT2003): Displays command help.
  - quit (NT2003): Takes you back to the previous menu or exits the utility.
  - restore database (NT2003): Marks the entire Ntds.dit (both the domain and configuration directory partitions held by the domain controller) as authoritative. The schema cannot be authoritatively restored.
  - restore database verinc %d (NT2003): Marks the entire Ntds.dit (both the domain and configuration directory partitions held by the domain controller) as authoritative and increments the version number by %d. Use only to authoritatively restore over a previous, incorrect, authoritative restore, such as an authoritative restore from a backup that contains the problem you want to restore.
  - restore subtree %s (NT2003): Marks the subtree (and all children of the subtree) as authoritative. The subtree is defined by using the fully distinguished name of the object.
  - restore subtree %s verinc %d (NT2003): Marks the subtree (and all children of the subtree) as authoritative and increments the version number by %d. The subtree is defined by using the fully distinguished name of the object. Use only to authoritatively restore over a previous, incorrect, authoritative restore, such as an authoritative restore from a backup that contains the problem you want to restore.
- Configurable setting:
  - ? or help (NT2003): Displays command help.
  - cancel changes (NT2003): Cancels the changes made but not yet committed.
  - connections (NT2003): Invokes the server connections submenu.
  - list (NT2003): Lists the names of the supported configurable settings.
  - quit (NT2003): Takes you back to the previous menu or exits the utility.
  - set %s1 to %s2 (NT2003): Sets the configurable setting %s1 to the value %s2.
  - show values (NT2003): Displays the values of the configurable settings.
- Domain management:
  - ? or help (NT2003): Displays command help.
  - add nc replica %s1 [%s2] (NT2003): Adds the domain controller %s2 to the replica set for the Non-Domain Naming Context %s1. If %s2 is not specified, the domain controller that you are connected to is used as the default.
  - connections (NT2003): Invokes the Connections submenu.
  - create nc %s1 [%s2] (NT2003): Creates the Non-Domain Naming Context %s1 on the Domain Context %s2. If %s2 is not specified, the currently connected domain controller is used. To leave an argument unspecified, enter NULL.
  - delete nc %s (NT2003): Removes the Non-Domain Naming Context %s. Before removing a Non-Domain Naming Context, all the replicas must be removed and their removal must replicate back to the domain naming operations master.
  - list (NT2003): Lists all the naming contexts that exist in the enterprise: the schema and configuration naming contexts, as well as all domain naming contexts.
  - list nc information %s (NT2003): Prints out the reference domain and replication delays for the Non-Domain Naming Context %s.
  - list nc replicas %s (NT2003): Prints the list of domain controllers in the replica set for the Non-Domain Naming Context %s. Remember that this is the list of domain controllers that will eventually hold replicas of the Non-Domain Naming Context, and that these replicas may not necessarily be fully replicated yet.
  - precreate %s1 %s2 (NT2003): Creates a cross-reference object for the domain %s1, allowing a server named %s2 to be promoted as the domain controller for that domain. The domain name must be specified by using a fully distinguished name, and the server must be named by using the fully qualified DNS name.
  - quit (NT2003): Takes you back to the previous menu or exits the utility.
  - remove nc replica %s1 [%s2] (NT2003): Removes the domain controller %s2 from the replica set for the Non-Domain Naming Context %s1. If %s2 is not specified, the currently connected domain controller is used.
  - select operation target (NT2003): Invokes the Select operation target submenu.
  - set nc reference domain %s1 %s2 (NT2003): Sets the reference domain of the Non-Domain Naming Context %s1 to %s2. The domain %s2 should be specified in DNS name format.
  - set nc replicate notification delay %s %d1 %d2 (NT2003): Sets the notification delays of the Non-Domain Naming Context %s to %d1 and %d2: the delay before notifying the first domain controller of changes and the delay before notifying subsequent domain controllers of changes, respectively.
- Files:
  - ? or help (NT2003): Displays command help.
  - compact to %s (NT2003): %s identifies an empty target directory. Invokes Esentutl.exe to compact the existing data file and writes the compacted file to the specified directory. The directory can be remote, that is, mapped by means of the net use command or similar means. After compaction is complete, archive the old data file and move the newly compacted file back to the original location of the data file. ESENT supports online compaction, but this compaction only rearranges pages within the data file and does not release space back to the file system. (The directory service invokes online compaction regularly.)
  - header (NT2003): Writes the header of the Ntds.dit data file to the screen. Can help support personnel analyze database problems.
  - info (NT2003): Analyzes and reports the free space for the disks that are installed in the system, reads the registry, and then reports the sizes of the data and log files. (The directory service maintains the registry, which identifies the location of the data files, log files, and directory service working directory.)
  - integrity (NT2003): Invokes Esentutl.exe to perform an integrity check on the data file, which can detect any kind of low-level database corruption. It reads every byte of your data file; thus it can take a long time to process large databases. Note that you should always run recover before performing an integrity check.
  - move DB to %s (NT2003): %s identifies a target directory. Moves the Ntds.dit data file to the new directory specified by %s and updates the registry so that, upon system restart, the directory service uses the new location.
  - move logs to %s (NT2003): %s identifies a target directory. Moves the directory service log files to the new directory specified by %s and updates the registry so that, upon system restart, the directory service uses the new location.
  - quit (NT2003): Takes you back to the previous menu or exits the utility.
  - recover (NT2003): Invokes Esentutl.exe to perform a soft recovery of the database. Soft recovery scans the log files and ensures that all committed transactions therein are also reflected in the data file. The Backup program truncates the log files appropriately. Logs are used to ensure that committed transactions are not lost if your system fails or if you have an unexpected power loss. In essence, transaction data is written first to a log file and then to the data file. When you restart after a failure, you can rerun the log to reproduce the transactions that were committed but had not yet made it to the data file.
  - set path backup %s (NT2003): %s identifies a target directory. Sets the disk-to-disk backup target to the directory specified by %s. The directory service can be configured to perform an online disk-to-disk backup at scheduled intervals.
  - set path db %s (NT2003): %s identifies a target directory. Updates the part of the registry that identifies the location and file name of the data file. Use only to rebuild a domain controller that has lost its data file and that is not being restored by means of normal restoration procedures.
  - set path logs %s (NT2003): %s identifies a target directory. Updates the part of the registry that identifies the location of the log files. Use only if you are rebuilding a domain controller that has lost its log files and is not being restored by means of normal restoration procedures.
  - set path working dir %s (NT2003): %s identifies a target directory. Sets the part of the registry that identifies the directory service's working directory to the directory specified by %s.
- IPDeny List:
  - ? or help (NT2003): Displays command help.
  - add %s1 %s2 (NT2003): Adds an entry to the IP Deny List. %s1 is either the host component or the network component of an IP address. If a host component is specified, %s2 is specified as NODE; if the network component is specified, %s2 is the subnet mask. The entries that you specify by using the add command are not applied until you commit them by using commit.
  - cancel (NT2003): Cancels any uncommitted additions or deletions.
  - commit (NT2003): Commits all additions or deletions to the LDAP policy object.
  - connections (NT2003): Invokes the server connections submenu.
  - delete %d (NT2003): Deletes the entry with the index number %d. Use show to display the entries with their respective index numbers.
  - quit (NT2003): Takes you back to the previous menu or exits the utility.
  - show (NT2003): Shows all IP addresses that are included in the IP Deny List.
  - test %s (NT2003): Determines whether the IP address specified by %s is allowed or denied access to the domain controller.
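The add/commit/test cycle described above, as an added PowerShell example (not from this reference page): it stages one IP Deny List entry on a domain controller, commits it, and uses test to confirm the decision before and after. It assumes that the account running it can administer the domain controller named in $DomainController, that ntdsutil accepts its commands as command-line arguments (one command per argument) and that the sample addresses are constructed; the text printed by show and test is displayed rather than parsed, because its wording is not documented here.

```powershell
# Added example (not from this reference page): deny LDAP queries from one
# host or network via the IPDeny List submenu and verify with "test".
param(
    [Parameter(Mandatory)] [string] $DomainController,   # DC to administer (assumed name)
    [Parameter(Mandatory)] [string] $Address,            # host or network part, e.g. 203.0.113.0 (constructed)
    [string] $MaskOrNode = 'NODE',                       # subnet mask for a network, NODE for a single host
    [string] $Probe                                      # address to run "test" against; defaults to $Address
)
if (-not $Probe) { $Probe = $Address }

function Invoke-Ntdsutil {
    # Every element of $Commands is passed as one argument; ntdsutil runs
    # them in order as if typed at its successive prompts.
    param([Parameter(Mandatory)] [string[]] $Commands)
    $output = & ntdsutil.exe @Commands 2>&1 | Out-String
    # The page lists no errorlevels; treating nonzero as failure is an assumption.
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil failed:`n$output" }
    return $output
}

function Invoke-IpDeny {
    # Wraps a list of IPDeny List commands in the connect and quit sequence.
    param([string] $Server, [string[]] $Commands)
    $prefix = @('ipdeny list', 'connections', "connect to server $Server", 'quit')
    return Invoke-Ntdsutil ($prefix + $Commands + @('quit', 'quit'))
}

"Decision for $Probe before the change:"
Invoke-IpDeny $DomainController @("test $Probe")

# "add" only stages the entry; nothing takes effect until "commit" writes
# the list to the LDAP policy object, so both run in the same session.
$null = Invoke-IpDeny $DomainController @("add $Address $MaskOrNode", 'commit')

"Committed deny list on ${DomainController}:"
Invoke-IpDeny $DomainController @('show')

"Decision for $Probe after the change:"
Invoke-IpDeny $DomainController @("test $Probe")
```

Running test both before and after the commit turns the change into a verifiable one: if the second test still reports the probe address as allowed, the entry was staged with the wrong mask or node form, and show lists the index to pass to delete. Keep a copy of the show output from before the change; a deny entry that nobody recognises is worth investigating, since the list decides which clients the domain controller will answer at all.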
- LDAP policies:
  - ? or help (NT2003): Displays command help.
  - cancel changes (NT2003): Cancels any uncommitted modifications of the LDAP administration limits to the default query policy.
  - commit changes (NT2003): Commits all modifications of the LDAP administration limits to the default query policy.
  - connections (NT2003): Invokes the server connections submenu.
  - list (NT2003): Lists all supported LDAP administration limits for the domain controller.
  - quit (NT2003): Takes you back to the previous menu or exits the utility.
  - set %s1 to %s2 (NT2003): Sets the value of the LDAP administration limit %s1 to the value %s2. Limits:
    - InitRecvTimeout: Initial receive time-out (120 seconds)
    - MaxConnections: Maximum number of open connections (5000)
    - MaxConnIdleTime: Maximum amount of time a connection can be idle (900 seconds)
    - MaxActiveQueries: Maximum number of queries that can be active at one time (20)
    - MaxNotificationPerConnection: Maximum number of notifications that a client can request for a given connection (5)
    - MaxPageSize: Maximum page size supported for LDAP responses (1000 records)
    - MaxQueryDuration: Maximum length of time the domain controller can execute a query (120 seconds)
    - MaxTempTableSize: Maximum size of temporary storage allocated to execute queries (10,000 records)
    - MaxResultSetSize: Maximum size of the LDAP Result Set (262144 bytes)
    - MaxPoolThreads: Maximum number of threads created by the domain controller for query execution (4 per processor)
    - MaxDatagramRecv: Maximum number of datagrams that can be processed by the domain controller simultaneously (1024)
  - show values (NT2003): Shows the current and proposed values for the LDAP administration limits.
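The show values / set / commit changes cycle above lends itself to a drift check: read the committed limits from a domain controller, compare them with a baseline, and re-apply the baseline only when asked. The PowerShell below is an added example, not code from this reference page. It assumes the account running it can modify the Default-Query Policy of the domain controller named in $DomainController, that ntdsutil accepts its commands as command-line arguments, and that show values prints one line per limit in the form "Name  value" or "Name  value(proposed)" (an assumption about the tool's output, which the page does not reproduce). The baseline values are the ones listed on this page for each limit.

```powershell
# Added example (not from this reference page): audit a DC's LDAP
# administration limits against a baseline and optionally re-apply it.
param(
    [Parameter(Mandatory)] [string] $DomainController,  # DC to audit (assumed name)
    [switch] $Apply                                     # without -Apply only report drift
)

# Baseline taken from the values listed on the page; tune it per site.
# Lower ceilings shrink what a misbehaving LDAP client can pin on the DC,
# at the cost of breaking unusually large legitimate queries.
$Baseline = @{
    MaxConnections   = 5000
    MaxConnIdleTime  = 900
    MaxActiveQueries = 20
    MaxPageSize      = 1000
    MaxQueryDuration = 120
    MaxResultSetSize = 262144
}

function Invoke-Ntdsutil {
    # Every element of $Commands is passed as one argument; ntdsutil runs
    # them in order as if typed at its successive prompts.
    param([Parameter(Mandatory)] [string[]] $Commands)
    $output = & ntdsutil.exe @Commands 2>&1 | Out-String
    # The page lists no errorlevels; treating nonzero as failure is an assumption.
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil failed:`n$output" }
    return $output
}

function Get-LdapPolicy {
    # Returns a hashtable of limit name to committed value from "show values".
    param([string] $Server)
    $text = Invoke-Ntdsutil @('ldap policies', 'connections',
        "connect to server $Server", 'quit', 'show values', 'quit', 'quit')
    $current = @{}
    foreach ($line in ($text -split "`r?`n")) {
        # Assumed line shape: "<Name>  <current>" or "<Name>  <current>(<proposed>)".
        # Header and blank lines do not match; only the committed value is kept.
        if ($line -match '^\s*([A-Za-z]\w*)\s+(\d+)(?:\((\d+)\))?\s*$') {
            $current[$matches[1]] = [int] $matches[2]
        }
    }
    return $current
}

function Get-LdapPolicyDrift {
    # Emits one object per limit whose committed value differs from the baseline.
    param([hashtable] $Current, [hashtable] $Expected)
    foreach ($name in $Expected.Keys) {
        $have = if ($Current.ContainsKey($name)) { $Current[$name] } else { $null }
        if ($have -ne $Expected[$name]) {
            [pscustomobject]@{ Limit = $name; Expected = $Expected[$name]; Current = $have }
        }
    }
}

function Set-LdapPolicy {
    # Stages one "set X to Y" per limit, then "commit changes" writes them
    # to the Default-Query Policy object in a single session.
    param([string] $Server, [hashtable] $Values)
    $cmds = @('ldap policies', 'connections', "connect to server $Server", 'quit')
    foreach ($name in $Values.Keys) { $cmds += "set $name to $($Values[$name])" }
    $cmds += 'commit changes', 'quit', 'quit'
    return Invoke-Ntdsutil $cmds
}

$current = Get-LdapPolicy -Server $DomainController
$drift = @(Get-LdapPolicyDrift -Current $current -Expected $Baseline)
if ($drift.Count -eq 0) {
    "LDAP limits on $DomainController match the baseline."
} else {
    $drift | Format-Table -AutoSize
    if ($Apply) {
        $fix = @{}
        foreach ($d in $drift) { $fix[$d.Limit] = $d.Expected }
        $null = Set-LdapPolicy -Server $DomainController -Values $fix
        "Baseline re-applied and committed on $DomainController."
    }
}
```

Run it without -Apply from a scheduled job to get a drift report; a limit that has silently grown (for example a MaxPageSize or MaxQueryDuration far above the baseline) is a change worth tracing to a change record before re-applying the baseline with -Apply. Because the limits live on the Default-Query Policy object and replicate, one report per domain controller is usually enough, but reading from several catches replication lag.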
- Metadata cleanup:
  - ? or help (NT2003): Displays command help.
  - connections (NT2003): Invokes the server connections submenu.
  - quit (NT2003): Takes you back to the previous menu or exits the utility.
  - remove selected domain (NT2003): Removes the metadata associated with the domain selected in the Select operation target submenu.
  - remove selected naming context (NT2003): Removes the directory service objects for the selected Naming Context.
  - remove selected server (NT2003): Removes the metadata associated with the server selected in the Select operation target submenu.
  - select operation target (NT2003): Invokes the Select operation target submenu.
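The cleanup of a retired domain controller's metadata, as an added PowerShell example (not code from this reference page). It assumes that $LiveDc is a healthy domain controller, that ntdsutil accepts its commands as command-line arguments, and that the Select operation target submenu, whose commands this page does not list, provides list domains, select domain %d, list sites, select site %d, list servers in site and select server %d, with each list command printing one "index - distinguished name" line per item. The stale server is identified by its CN and its domain by its distinguished name; the sample values in the comments are constructed.

```powershell
# Added example (not from this reference page): resolve the index numbers
# ntdsutil wants for a stale DC, then drive "remove selected server".
param(
    [Parameter(Mandatory)] [string] $LiveDc,        # healthy DC to connect to (assumed name)
    [Parameter(Mandatory)] [string] $StaleServer,   # CN of the retired DC, e.g. DC3 (constructed)
    [Parameter(Mandatory)] [string] $DomainDn,      # e.g. DC=corp,DC=example (constructed)
    [switch] $Remove                                # without -Remove only resolve and show the command
)

function Invoke-Ntdsutil {
    # Every element of $Commands is passed as one argument; ntdsutil runs
    # them in order as if typed at its successive prompts.
    param([Parameter(Mandatory)] [string[]] $Commands)
    $output = & ntdsutil.exe @Commands 2>&1 | Out-String
    # The page lists no errorlevels; treating nonzero as failure is an assumption.
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil failed:`n$output" }
    return $output
}

function Get-ListedIndexes {
    # Parses the assumed "<index> - <DN>" lines into an index-to-DN hashtable.
    param([string] $Text)
    $map = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*(\d+)\s+-\s+(\S.*)$') { $map[[int] $matches[1]] = $matches[2].Trim() }
    }
    return $map
}

# Indexes only mean something inside one ntdsutil session, so every step
# re-issues the "list" commands that produced them before selecting.
$enter = @('metadata cleanup', 'connections', "connect to server $LiveDc", 'quit', 'select operation target')
$leave = @('quit', 'quit', 'quit')

$domains = Get-ListedIndexes (Invoke-Ntdsutil ($enter + 'list domains' + $leave))
$domainHit = $domains.GetEnumerator() | Where-Object { $_.Value -eq $DomainDn } | Select-Object -First 1
if (-not $domainHit) { throw "Domain $DomainDn is not listed by $LiveDc" }
$domainIdx = $domainHit.Key

# The retired DC's site is unknown, so walk the sites until its server object appears.
$sites = Get-ListedIndexes (Invoke-Ntdsutil ($enter + 'list sites' + $leave))
$siteIdx = $null; $serverIdx = $null; $serverDn = $null
foreach ($s in $sites.Keys) {
    $servers = Get-ListedIndexes (Invoke-Ntdsutil ($enter + 'list sites' + "select site $s" + 'list servers in site' + $leave))
    $hit = $servers.GetEnumerator() | Where-Object { $_.Value -like "CN=$StaleServer,*" } | Select-Object -First 1
    if ($hit) { $siteIdx = $s; $serverIdx = $hit.Key; $serverDn = $hit.Value; break }
}
if ($null -eq $serverIdx) { throw "Server $StaleServer was not found in any site" }

# Full sequence: select domain, site and server, leave the submenu, remove.
$cleanup = $enter + 'list domains' + "select domain $domainIdx" + 'list sites' + "select site $siteIdx" +
           'list servers in site' + "select server $serverIdx" + 'quit' + 'remove selected server' + 'quit' + 'quit'

"Resolved domain #$domainIdx ($DomainDn), site #$siteIdx, server #$serverIdx ($serverDn)"
if ($Remove) {
    Invoke-Ntdsutil $cleanup
} else {
    "Re-run with -Remove to execute: ntdsutil " + (($cleanup | ForEach-Object { "`"$_`"" }) -join ' ')
}
```

Run it first without -Remove and compare the resolved server DN with the decommissioning record, since the only protection against removing the wrong server object is that check. If the retired domain controller held any operations master role, seize that role with the Roles submenu before the cleanup, and expect later releases of ntdsutil to ask for confirmation in a dialog box when remove selected server runs, which means the -Remove step belongs in an interactive console session rather than an unattended job.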
- Roles:
  - ? or help (NT2003): Displays command help.
  - connections (NT2003): Invokes the server connections submenu.
  - quit (NT2003): Takes you back to the previous menu or exits the utility.
  - seize domain naming master (NT2003): Forces the domain controller to which you are connected to claim ownership of the domain-naming operations master role without regard to the data associated with the role. Use only for recovery purposes.
  - seize infrastructure master (NT2003): Forces the domain controller to which you are connected to claim ownership of the infrastructure operations master role without regard to the data associated with the role. Use only for recovery purposes.
  - seize PDC (NT2003): Forces the domain controller to which you are connected to claim ownership of the PDC operations master role without regard to the data associated with the role. Use only for recovery purposes.
  - seize RID master (NT2003): Forces the domain controller to which you are connected to claim ownership of the relative ID master role without regard to the data associated with the role. Use only for recovery purposes.
  - seize schema master (NT2003): Forces the domain controller to which you are connected to claim ownership of the schema operations master role without regard to the data associated with the role. Use only for recovery purposes.
  - select operation target (NT2003): Invokes the Select operation target submenu.
  - transfer domain naming master (NT2003): Instructs the domain controller to which you are connected to obtain the domain-naming role by means of controlled transfer.
  - transfer infrastructure master (NT2003): Instructs the domain controller to which you are connected to obtain the infrastructure operations master role by means of controlled transfer.
  - transfer PDC (NT2003): Instructs the domain controller to which you are connected to obtain the PDC operations master role by means of controlled transfer.
  - transfer RID master (NT2003): Instructs the domain controller to which you are connected to obtain the relative ID master role by means of controlled transfer.
  - transfer schema master (NT2003): Instructs the domain controller to which you are connected to obtain the schema operations master role by means of controlled transfer.
- Security account management:
  - ? or help (NT2003): Displays command help.
  - check duplicate SID (NT2003): Checks the domain for any objects that have duplicate security identifiers.
  - cleanup duplicate SID (NT2003): Deletes all objects that have duplicate security identifiers and logs these entries in the log file.
  - connect to server %s (NT2003): Connects to the server %s, given as a NetBIOS name or DNS host name.
  - log file %s (NT2003): Sets the log file to %s. If a log file is not explicitly set, the log file defaults to Dupsid.log.
  - quit (NT2003): Takes you back to the previous menu or exits the utility.
- Semantic database analysis:
  - ? or help (NT2003): Displays command help.
  - get %d (NT2003): Retrieves record number %d from the Ntds.dit.
  - go (NT2003): Starts the semantic analysis of the Ntds.dit. A report is generated and written to a file named Dsdit.dmp.n in the current directory, where n is an integer incremented each time that you carry out the command.
  - quit (NT2003): Takes you back to the previous menu or exits the utility.
  - verbose %s (NT2003): Toggles verbose mode on or off.
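The Files and Semantic database analysis submenus together make up an offline health check of Ntds.dit, in the order the Files section prescribes: recover first, then integrity, then the semantic analysis. The PowerShell below is an added example covering both sections, not code from this reference page. It assumes it is run in Directory Services Restore Mode on the domain controller itself, that ntdsutil accepts its commands as command-line arguments, and that a successful integrity check can be recognised by the text "Integrity check successful" that Esentutl.exe prints (an assumption about Esentutl's output, which the page does not reproduce). The report file name Dsdit.dmp.n and the verbose on form come from the page.

```powershell
# Added example (not from this reference page): offline Ntds.dit health
# check in DSRM, in the order the page prescribes for the Files submenu.
function Invoke-Ntdsutil {
    # Every element of $Commands is passed as one argument; ntdsutil runs
    # them in order as if typed at its successive prompts.
    param([Parameter(Mandatory)] [string[]] $Commands)
    $output = & ntdsutil.exe @Commands 2>&1 | Out-String
    # The page lists no errorlevels; treating nonzero as failure is an assumption.
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil failed:`n$output" }
    return $output
}

function Test-NtdsDatabase {
    # Returns an object with the file-size report, the integrity verdict and
    # the path of the semantic analysis report written by "go".
    param([string] $ReportDirectory = (Get-Location).Path)
    Push-Location $ReportDirectory   # "go" writes Dsdit.dmp.n to the current directory
    try {
        $info = Invoke-Ntdsutil @('files', 'info', 'quit', 'quit')

        # Soft recovery replays committed transactions from the logs into the
        # data file; the page says to always run it before an integrity check.
        $null = Invoke-Ntdsutil @('files', 'recover', 'quit', 'quit')

        $integrity = Invoke-Ntdsutil @('files', 'integrity', 'quit', 'quit')
        # Assumed success marker printed by Esentutl.exe (not documented on the page).
        $intact = [bool]($integrity -match 'Integrity check successful')
        if (-not $intact) {
            return [pscustomobject]@{ Info = $info; Integrity = $false; Report = $null; Output = $integrity }
        }

        # Semantic analysis runs only on a database that passed the low-level check.
        $before = @(Get-ChildItem -Filter 'dsdit.dmp.*' | ForEach-Object { $_.Name })
        $null = Invoke-Ntdsutil @('semantic database analysis', 'verbose on', 'go', 'quit', 'quit')
        $report = Get-ChildItem -Filter 'dsdit.dmp.*' |
                  Where-Object { $before -notcontains $_.Name } |
                  Sort-Object LastWriteTime | Select-Object -Last 1
        return [pscustomobject]@{ Info = $info; Integrity = $true; Report = $report.FullName; Output = $null }
    } finally {
        Pop-Location
    }
}

$result = Test-NtdsDatabase -ReportDirectory $env:TEMP
$result.Info
if ($result.Integrity) {
    "Integrity check passed; semantic analysis report: $($result.Report)"
} else {
    "Integrity check FAILED; Esentutl output follows:"
    $result.Output
}
```

The integrity verdict gates the semantic analysis deliberately: running go against a database that failed the low-level check produces a report that cannot be trusted, and the Esentutl output is what support needs in that case. Keep the Dsdit.dmp.n reports with the change record for the maintenance window; comparing two reports from successive windows is a cheap way to notice objects that changed in ways the operations team did not expect.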
- Set DSRM Password:
  - ? or help (NT2003): Displays command help.
  - quit (NT2003): Takes you back to the previous menu or exits the utility.
  - Reset Password on server %s (NT2003): Prompts for a new DSRM password for a domain controller. Use NULL as the domain controller name to reset the DSRM password on the current server. After entering this parameter, the "Please type password for DS Restore Mode Administrator Account:" prompt appears. Type the desired new DSRM password at the prompt.
Switches
none.
Related
none.
Notes
none.
Examples
none.
Errorlevels
none.
Availability
- External
  - DOS: none
  - Windows: none
  - Windows NT: NT2003
Last Updated: 2003/07/28
Direct corrections or suggestions to:
Rick Lively