NTDSUtil is a command-line tool used primarily for managing Active Directory databases. It performs database maintenance for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). Administrators widely use NTDSUtil for tasks such as managing and manipulating Active Directory files, cleaning up metadata left by decommissioned domain controllers, and authoritatively restoring AD data, among other advanced directory management functions.


To use NTDSUtil, you need to open a command prompt window with elevated permissions (as an administrator). Once started, it functions in an interactive mode:

ntdsutil [subcommand]

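Subcommands and options are normally entered at the interactive prompt rather than as part of the initial command. For scripting, they can also be passed as quoted arguments on the command line, as the automation example further down this page does.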


NTDSUtil contains numerous subcommands, each pertaining to different aspects of Active Directory management:

  • activate instance {instanceName}: Activates the specified AD DS or AD LDS instance.
  • files: Manages AD database files.
  • metadata cleanup: Removes metadata left behind by domain controllers that were removed from the network without being properly uninstalled.
  • roles: Administers operations master roles.
  • security account management: Manages security descriptors and password policies for AD LDS.
  • domain management: Adds and manages application partitions.

Typically, the commands would be used within the NTDSUtil interactive environment.


Entering NTDSUtil interactive mode:


Activating a specific instance (ntds is the AD DS instance; for AD LDS, use that instance's name):

ntdsutil: activate instance ntds

Performing Metadata Cleanup:

ntdsutil: metadata cleanup

In each case, after running a command, further context-sensitive commands can be used depending on the task at hand.

Common Issues

Permission Errors: NTDSUtil requires administrative privileges. Running it without such privileges will result in errors. Always open the command prompt window as an administrator.

Syntax errors: Due to its interactive and sensitive nature, incorrect syntax can lead to severe consequences. Ensure each command is typed correctly, and the required instances or roles are specified accurately.


NTDSUtil can be paired with other CMD commands or scripts to automate AD tasks. For example, automating the cleanup of server metadata after routine decommissions:

ECHO Starting NTDSUtil commands
ntdsutil "metadata cleanup" "remove selected server <ServerName>" q q
ECHO Metadata cleanup complete

Related Commands

  • dcdiag: Assesses the state of domain controllers in a forest and reports any potential issues.
  • repadmin: Diagnoses replication issues between Windows domain controllers.
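
The automation one-liner above removes directory objects without any check, so a scripted version benefits from input validation, a confirmation gate and a verification step. The PowerShell wrapper below is an added example, not code from the original page or from Microsoft; the function name, parameter name and sample DN are hypothetical, and it assumes the server is identified by the distinguished name of its server object.

```powershell
# Added example: guarded wrapper around the page's metadata-cleanup one-liner.
# Function name, parameter name and the sample DN are hypothetical.
function Remove-StaleDcMetadata {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # DN of the server object under CN=Sites in the configuration partition.
        # The pattern rejects quotes and stray separators before they reach ntdsutil.
        [Parameter(Mandatory)]
        [ValidatePattern('^CN=[^,"=]+,CN=Servers,CN=[^,"=]+,CN=Sites,CN=Configuration(,DC=[^,"=]+)+$')]
        [string]$ServerDn
    )

    # Refuse to run unelevated: ntdsutil needs administrative rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated session.'
    }

    # Nothing to clean up if the server object is already gone.
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$ServerDn")) {
        Write-Warning "No server object at $ServerDn; nothing removed."
        return
    }

    # -WhatIf shows the target without running; -Confirm prompts (ConfirmImpact = High).
    if ($PSCmdlet.ShouldProcess($ServerDn, 'ntdsutil metadata cleanup')) {
        & ntdsutil.exe 'metadata cleanup' "remove selected server $ServerDn" q q

        # Verify the result in the directory instead of trusting console output.
        if ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$ServerDn")) {
            throw "Server object still present after cleanup: $ServerDn"
        }

        # Health checks with the related tools named on this page.
        repadmin.exe /replsummary
        dcdiag.exe /q
    }
}

# Dry run with a constructed DN (contoso.example is a placeholder domain):
# Remove-StaleDcMetadata -ServerDn 'CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=example' -WhatIf
```

Run it with -WhatIf first and keep the transcript of the real run with the decommission change record.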

For further detailed information, refer to the Microsoft Official Documentation for NTDSUtil.

Utilizing this command should be part of regular maintenance and oversight activities aimed at keeping an Active Directory environment healthy and properly managed.