What does Ntdsutil.exe do?

Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory. You can use Ntdsutil.exe to perform database maintenance of Active Directory, manage and control single master operations, create application directory partitions, and remove metadata left behind by domain controllers that were not successfully demoted using the Active Directory Installation wizard (DCPromo.exe).

Who does this feature apply to?

This feature applies to the Ntdsutil.exe utility, and is of interest to Active Directory administrators only.

What new functionality is added to this feature in Windows Server 2003 Service Pack 1?

General Improvements

Detailed description

Ntdsutil.exe no longer requires the administrator to perform the following tasks in the ntdsutil metadata cleanup command:

  • Connect to a specific domain controller using the ntdsutil metadata cleanup connections command.
  • List and select the Active Directory domain, site, and server using the ntdsutil metadata cleanup Select Operation Target command.

Two new variations of this command are introduced in Windows Server 2003 Service Pack 1:

  • Ntdsutil "metadata cleanup" "remove selected server" ServerObject: When using this command, specify the distinguished name (DN) path of the server object (ServerObject) of the domain controller whose metadata you want to remove. The server object is the parent of the NTDS settings object in the configuration container. For example, for the domain controller named DC1 located in the default-first-site-name of the contoso.com forest, the DN path of the server object would be cn=DC1,cn=servers,cn=default-first-site-name,cn=configuration,dc=contoso,dc=com. If the DN path contains any spaces, enclose the entire DN path in quotes.
  • Ntdsutil "metadata cleanup" "remove selected server" ServerObject on TargetDC: This command is identical to the one above, except it allows the administrator to specify the domain controller (TargetDC) on which the removal is performed. TargetDC must be entered as the DNS or NetBIOS name of the domain controller.
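The following PowerShell is an added example, not code from the original article or from Microsoft. It builds the server object DN from a DC name, its site and the forest DNS name exactly as the article describes, applies the article's quoting rule for DNs containing spaces, and assembles the Service Pack 1 one-line "remove selected server ... on TargetDC" invocation. It only prints the command unless -Execute is given; passing each ntdsutil menu command as a separate argument followed by two "quit"s is the assumed command-line form.

```powershell
# Added example, not code from the original article. Assembles the SP1-style
# one-line "remove selected server" invocation and prints it; -Execute runs it.
function Get-ServerObjectDN {
    param(
        [Parameter(Mandatory=$true)][string]$DcName,
        [Parameter(Mandatory=$true)][string]$SiteName,
        [Parameter(Mandatory=$true)][string]$ForestDnsName
    )
    # contoso.com -> dc=contoso,dc=com; the server object lives in the configuration container
    $forestDn = ($ForestDnsName.Split('.') | ForEach-Object { "dc=$_" }) -join ','
    return "cn=$DcName,cn=servers,cn=$SiteName,cn=configuration,$forestDn"
}

function New-RemoveSelectedServerCommand {
    param(
        [Parameter(Mandatory=$true)][string]$ServerObjectDN,
        [string]$TargetDC
    )
    # Quoting rule from the article: a DN that contains spaces must be enclosed in quotes.
    $dnArg = $ServerObjectDN
    if ($ServerObjectDN -match '\s') { $dnArg = '"' + $ServerObjectDN + '"' }
    $cmd = "remove selected server $dnArg"
    # Optional "on TargetDC" form: perform the removal on a named DC (DNS or NetBIOS name).
    if ($TargetDC) { $cmd = "$cmd on $TargetDC" }
    return $cmd
}

function Invoke-MetadataCleanup {
    param(
        [Parameter(Mandatory=$true)][string]$DcName,
        [Parameter(Mandatory=$true)][string]$SiteName,
        [Parameter(Mandatory=$true)][string]$ForestDnsName,
        [string]$TargetDC,
        [switch]$Execute
    )
    $dn  = Get-ServerObjectDN -DcName $DcName -SiteName $SiteName -ForestDnsName $ForestDnsName
    $cmd = New-RemoveSelectedServerCommand -ServerObjectDN $dn -TargetDC $TargetDC
    # Assumed command-line form: each ntdsutil menu command is one quoted argument;
    # the two trailing "quit"s leave the metadata cleanup menu and then ntdsutil itself.
    $ntdsArgs = @('metadata cleanup', $cmd, 'quit', 'quit')
    $display  = ($ntdsArgs | ForEach-Object { '"' + $_ + '"' }) -join ' '
    Write-Host "ntdsutil.exe $display"
    if ($Execute) { & ntdsutil.exe @ntdsArgs }
}

# Print the invocation for the article's own example: DC1 in
# default-first-site-name of the contoso.com forest, removal performed on DC2.
Invoke-MetadataCleanup -DcName 'DC1' -SiteName 'default-first-site-name' -ForestDnsName 'contoso.com' -TargetDC 'DC2'
```

Run without -Execute first and compare the printed DN against the server object shown under Sites and Services; the DN is the only input that determines which DC's metadata is removed, so a typo in the site or DC name is the thing to catch before running it for real.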

Why is this change important? What threats does it mitigate?

This change significantly improves the usability of this command for removing metadata.

What works differently?

From the “metadata cleanup” menu, the user no longer has to go into the “connections” menu or the “select operations target” menu to set up the appropriate state.

What existing functionality is changing in Windows Server 2003 Service Pack 1?

Improved Metadata Cleanup

Detailed description

The metadata cleanup command has been improved in Windows Server 2003 Service Pack 1 to clean up metadata in Active Directory.

What works differently? Are there any dependencies?

The existing “remove selected server” command in the “metadata cleanup” menu of Ntdsutil.exe has been enhanced with new functionality.

Prior to Service Pack 1, this command only performed the following operations:

  • Delete the NTDS settings object for the domain controller (DC).
  • Delete all manual and automatic inbound connections to the DC being removed.
  • Delete the corresponding DC’s FRS member object from the sysvol replica set.

With the release of Service Pack 1, the following additional operations are performed as part of this command:

  • Delete the computer account for the DC being deleted, including FRS subscriber objects.
  • Delete all manual and automatic outbound Active Directory connections from the DC being removed.
  • Delete inbound and outbound FRS connections from any non-sysvol FRS replica sets that the DC being deleted is a member of.
  • Check whether the DC being removed holds any operations masters roles. If yes, this command will attempt to reassign (seize) the roles to an active DC that meets criteria for the operations master role(s).
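Because the Service Pack 1 command now touches objects in both the domain and configuration naming contexts, an administrator will want to confirm afterwards that each item in the lists above was actually removed and that no operations master role still refers to the old DC. The PowerShell below is an added example, not code from the original article or from Microsoft: it uses ADSI to check for the NTDS Settings object, the DC computer account, the SYSVOL FRS member object, stale outbound connection objects, and the fSMORoleOwner attribute of the five role holder objects. It assumes the computer account was in the default Domain Controllers OU and that the caller can read the domain and configuration naming contexts; the server, domain and site names in the usage line are constructed placeholders.

```powershell
# Added example, not code from the original article. After "remove selected
# server" has run, report anything the SP1 command should have removed that
# is still present, plus any FSMO role still owned by the removed DC.
function ConvertTo-DomainDN {
    param([Parameter(Mandatory=$true)][string]$DnsName)
    return (($DnsName.Split('.') | ForEach-Object { "dc=$_" }) -join ',')
}

function Get-MetadataLeftovers {
    param(
        [Parameter(Mandatory=$true)][string]$DcName,
        [Parameter(Mandatory=$true)][string]$SiteName,
        [Parameter(Mandatory=$true)][string]$DomainDnsName,   # domain the DC belonged to
        [Parameter(Mandatory=$true)][string]$ForestDnsName    # forest root (configuration container)
    )
    $domainDn = ConvertTo-DomainDN $DomainDnsName
    $configDn = 'cn=configuration,' + (ConvertTo-DomainDN $ForestDnsName)
    $serverDn = "cn=$DcName,cn=servers,cn=$SiteName,$configDn"
    $ntdsDn   = "cn=NTDS Settings,$serverDn"
    $leftovers = @()

    # Objects the command deletes. Inbound connections are children of the
    # NTDS Settings object, so they disappear with it. Assumed default OU for the account.
    $expectedGone = @{
        'NTDS Settings object'     = $ntdsDn
        'DC computer account'      = "cn=$DcName,ou=Domain Controllers,$domainDn"
        'SYSVOL FRS member object' = "cn=$DcName,cn=Domain System Volume (SYSVOL share),cn=File Replication Service,cn=System,$domainDn"
    }
    foreach ($entry in $expectedGone.GetEnumerator()) {
        if ([ADSI]::Exists('LDAP://' + $entry.Value)) {
            $leftovers += "$($entry.Key) still present: $($entry.Value)"
        }
    }

    # Outbound connections live under other DCs' NTDS Settings objects and point
    # back at the removed DC through fromServer, so search the whole configuration NC.
    $escaped = $ntdsDn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]('LDAP://' + $configDn)
    $searcher.Filter = "(&(objectClass=nTDSConnection)(fromServer=$escaped))"
    $searcher.PageSize = 500
    foreach ($result in $searcher.FindAll()) {
        $leftovers += "Stale outbound connection: $($result.Path)"
    }

    # Operations master roles: each holder object stores the owner's NTDS Settings DN in fSMORoleOwner.
    $roleHolders = @{
        'PDC emulator'   = $domainDn
        'RID master'     = "cn=RID Manager`$,cn=System,$domainDn"
        'Infrastructure' = "cn=Infrastructure,$domainDn"
        'Schema master'  = "cn=Schema,$configDn"
        'Domain naming'  = "cn=Partitions,$configDn"
    }
    foreach ($role in $roleHolders.GetEnumerator()) {
        $owner = ([ADSI]('LDAP://' + $role.Value)).Properties['fSMORoleOwner'].Value
        if ($owner -eq $ntdsDn) { $leftovers += "$($role.Key) role still owned by removed DC" }
    }
    return $leftovers
}

# Usage (constructed placeholder names); an empty result means nothing was left behind.
Get-MetadataLeftovers -DcName 'DC1' -SiteName 'default-first-site-name' -DomainDnsName 'contoso.com' -ForestDnsName 'contoso.com'
```

An empty result is the expected outcome after a successful cleanup. Anything reported for the FSMO section means the automatic seizure described in the last bullet did not find a suitable DC and the role must be seized by hand; stale connection objects can be deleted from Sites and Services.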
