Updated: April 17, 2012
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2008
Provides commands for managing the directory service data and log files. The data file is called Ntds.dit. At the files: prompt, type any of the parameters listed under “Syntax.”
This is a subcommand of Ntdsutil and Dsdbutil. Ntdsutil and Dsdbutil are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2. Ntdsutil is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. Dsdbutil is available if you have the AD LDS server role installed. These tools are also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (http://go.microsoft.com/fwlink/?LinkID=177813).
To use either of these tools, you must run them from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
For examples of how to use this command, see Examples.
[checkpoint] [checksum] [compact to %s] [dump page %d] [header] [info] [integrity] [logfile %s] [metadata] [move DB to %s] [move logs to %s] [recover] [set backup exclusion key] [set default folder security] [set path backup %s] [set path db %s] [set path logs %s] [set path working dir %s] [space usage]
checkpoint
Dumps the Jet database checkpoint file (edb.chk). This option is intended for use only by support personnel.
checksum
Performs a Jet database physical integrity check.
compact to %s (where %s identifies an empty target directory)
Invokes Esentutl.exe to compact the existing data file and writes the compacted file to the specified directory. The directory can be remote, that is, mapped by means of the net use command or similar means. After compaction is complete, archive the old data file and move the newly compacted file back to the original location of the data file. ESENT supports online compaction, but this compaction only rearranges pages within the data file and does not release space back to the file system. (The directory service invokes online compaction regularly.)
dump page %d
Dumps the Jet database page number specified as %d. This option is intended for use only by support personnel.
header
Writes the header of the Ntds.dit data file to the screen. This command can help support personnel analyze database problems.
info
Analyzes and reports the free space for the disks that are installed in the system, reads the registry, and then reports the sizes of the data and log files. (The directory service maintains the registry, which identifies the location of the data files, log files, and directory service working directory.)
integrity
Invokes Esentutl.exe to perform an integrity check on the data file, which can detect low-level database corruption. It reads every byte of your data file, so it can take a long time to process large databases. Always run recover before performing an integrity check.
logfile %s
Dumps the Jet log file %s, where %s can be the absolute path or just the log file name in the Logs folder. This option is intended for use only by support personnel.
metadata
Dumps the Jet database metadata. This option is intended for use only by support personnel.
move DB to %s (where %s identifies a target directory)
Moves the Ntds.dit data file to the new directory specified by %s and updates the registry so that, upon service restart, the directory service uses the new location.
move logs to %s (where %s identifies a target directory)
Moves the directory service log files to the new directory specified by %s, and updates the registry so that, upon service restart, the directory service uses the new location.
recover
Invokes Esentutl.exe to perform a soft recovery of the database. Soft recovery scans the log files and ensures that all committed transactions in them are also reflected in the data file. Logs are used to ensure that committed transactions are not lost if your system fails or if you have unexpected power loss. In essence, transaction data is written first to a log file and then to the data file. When you restart after a failure, you can rerun the log to reproduce the transactions that were committed but had not yet made it to the data file.
set backup exclusion key
Sets the backup exclusion key for the AD DS or AD LDS instance. This option is intended for use only by support personnel.
set default folder security
Resets security on the NTDS folder to default values.
set path backup %s (where %s identifies a target directory)
Sets the disk-to-disk backup target to the directory specified by %s. The directory service can be configured to perform an online, disk-to-disk backup at scheduled intervals.
set path db %s (where %s identifies a target directory)
Updates the part of the registry that identifies the location and file name of the data file. Use this command only to rebuild a domain controller that has lost its data file and that is not being restored by means of normal restoration procedures.
set path logs %s (where %s identifies a target directory)
Updates the part of the registry that identifies the location of the log files. Use this command only if you are rebuilding a domain controller that has lost its log files and is not being restored by means of normal restoration procedures.
set path working dir %s (where %s identifies a target directory)
Sets the part of the registry that identifies the directory service's working directory to the directory specified by %s.
%s
An alphanumeric variable, such as a domain or domain controller name.
space usage
Dumps the Jet database space usage.
quit
Takes you back to the previous menu or exits the utility.
?
Displays Help at the command prompt.
help
Displays Help at the command prompt.
Before you can run the files subcommand, set NTDS or an AD LDS instance as the active instance for Ntdsutil. For example, if the AD LDS instance that you want to restore is named instance 1, type the following command at the ntdsutil: prompt before you run the authoritative restore subcommand, and then press ENTER:
ac in instance 1
You must stop the AD DS or AD LDS service before you can run the files subcommand. To stop AD DS, click Start, click Server Manager. In the console tree, double-click Configuration, and then click Services. In the details pane, right-click Active Directory Domain Services, and then click Stop.
AD DS is implemented on top of an indexed sequential access method (ISAM) table manager. This is the same table manager used by Microsoft Exchange Server, File Replication Service (FRS), the security configuration editor, Active Directory Certificate Services (AD CS), Windows Internet Name Service (WINS), and other Windows components. The version of the database that Windows 2000, Windows Server 2003, and Windows Server 2008 use is called the extensible storage engine (ESENT).
ESENT is a transacted database system that uses log files to support rollback semantics to ensure that transactions are committed to the database. Ideally, the database and log files should be located on separate drives to improve performance and support recovery of the data if a disk fails.
ESENT provides its own tool for certain database file management functions, called Esentutl.exe, which is also installed in the systemroot\System32 folder. Several of the Ntdsutil file management commands invoke Esentutl, reducing the need to learn the tool's command-line arguments. In the cases where Ntdsutil invokes Esentutl, it brings up a separate window configured with a large history so that you can scroll back to see all of the Esentutl progress indicators.
Ntdsutil does not correctly handle special characters, such as the apostrophe character ('), that you can enter at the ntdsutil: prompt at the command line. In some situations, there may be an alternative workaround. For more information, see local roles (http://go.microsoft.com/fwlink/?LinkId=157320).
To perform a Jet database physical integrity check, type the following command, and then press ENTER:
file maintenance: checksum
To compact the Active Directory database and write the compacted file to a folder named C:\Windows\NTDS_Old, type the following command, and then press ENTER:
file maintenance: compact to C:\Windows\NTDS_Old
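The offline compaction procedure described under compact to, together with the prerequisites above (stop the service, run recover before integrity), as an added PowerShell example that is not part of the original documentation. The service name NTDS, the instance name ntds, the registry value names, and the C:\Windows\NTDS_Archive folder are assumptions; archiving the old log files is an added step that the page does not state.

```powershell
# Added example (not Microsoft's code): offline compaction in the order this page gives.
# Assumptions: service name NTDS, instance name "ntds", the registry value names
# below, and the archive folder. Run from an elevated prompt on the domain controller.
$ErrorActionPreference = 'Stop'
$target  = 'C:\Windows\NTDS_Old'      # folder from the page's example; must be empty
$archive = 'C:\Windows\NTDS_Archive'  # hypothetical folder for the old files

# The directory service records its file locations in the registry.
$p      = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile = $p.'DSA Database file'
$logDir = $p.'Database log files path'

if ((Test-Path $target) -and (Get-ChildItem $target)) { throw "$target is not empty" }
New-Item -ItemType Directory -Force -Path $target, $archive | Out-Null

# Run one files command non-interactively; keep its output for later review.
function Invoke-Files([string]$Command) {
    $out = & ntdsutil.exe 'activate instance ntds' files $Command quit quit
    $out | Add-Content (Join-Path $archive 'ntdsutil.log')
    $out
}

$deps = (Get-Service NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }
Stop-Service -Name NTDS -Force        # files commands need the service stopped
try {
    Invoke-Files 'recover'            # always recover before an integrity check
    Invoke-Files 'integrity'
    Invoke-Files "compact to $target"

    $compacted = Join-Path $target 'ntds.dit'
    if (-not (Test-Path $compacted)) { throw 'Compaction produced no file; nothing was changed.' }

    # Archive the old data file, then put the compacted one in its place.
    $stamp = Get-Date -Format 'yyyyMMddHHmmss'
    Move-Item $dbFile (Join-Path $archive "ntds-$stamp.dit")
    # Old logs belong to the old data file; archived here rather than deleted (assumption).
    Get-ChildItem $logDir -Filter '*.log' | Move-Item -Destination $archive
    # Copy so the new file inherits the NTDS folder's ACL, then remove the leftover copy.
    Copy-Item $compacted $dbFile
    Remove-Item $compacted
    Invoke-Files 'integrity'          # check the file that will go into service
}
finally {
    Start-Service -Name NTDS
    if ($deps) { $deps | Start-Service }   # services that -Force stopped along with NTDS
}
```

The archive folder ends up holding a complete copy of the directory database, so restrict it the same way as the NTDS folder. The script does not parse ntdsutil's output; review ntdsutil.log before relying on the result.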