Chapter 16. Backup, Recovery, DIT Maintenance, and Deleted Objects

Introduction

The AD Directory Information Tree (DIT) is implemented as a transactional database using the Extensible Storage Engine (ESE). The primary database file is named ntds.dit and is stored in the %SystemRoot%\NTDS folder by default, but it can be relocated during the initial promotion process or manually via ntdsutil (see Moving the DIT Files for more details).

Each database write transaction is initially stored in a logfile named edb.log, which is stored in the same directory as ntds.dit by default, though you can modify this either during or after the initial promotion process. That logfile can grow to 10 MB in size, after which additional logfiles are created (e.g., edb00001.log), each of which can also grow to up to 10 MB in size. After the transactions in the logfiles are committed to the database, the logfiles are purged, beginning with the log containing the oldest transactions. This process is referred to as circular logging. These logfiles are useful when a domain controller is shut down unexpectedly because when the DC comes back online, Active Directory can replay the logfiles and apply any transactions that might not have been written to disk before the DC shut down. The edb.chk file stores information about the last transaction that was actually committed to the database; AD uses this information to determine which transactions in the logfiles still need to be committed. Finally, two 10 MB files called edbres00001.jrs and edbres00002.jrs are used as placeholders in case the disk runs out of space; if this happens, these files are deleted to free up enough space to allow Active Directory to commit any final changes before the DC is shut down.

In order to recover portions of Active Directory, or the entire directory itself, you need to have a solid backup strategy in place. You can back up Active Directory while it is online, which means you do not need to worry about scheduling regular downtime simply to perform backups. Restoring Active Directory is also a relatively simple process. You can restore a single object, an entire subtree, or the entire database if necessary. For a detailed discussion on backing up and restoring Active Directory, see Active Directory, Fifth Edition, by Brian Desmond et al. (O’Reilly).

You also need to be familiar with how deleted objects are treated in Active Directory, which can affect your backup procedures. By default, the Active Directory Recycle Bin is not enabled. When the Active Directory Recycle Bin is not enabled and an object is deleted, it is actually marked as a tombstone and moved to the Deleted Objects container. This tombstone object has most of the original object’s attribute values removed to save space in the NTDS.DIT file. These objects are stored in the cn=Deleted Objects container of the naming context in which the original object was located. The deleted object is named using the following format: <OrigName>\0ADEL:<ObjectGUID>, where <OrigName> is the original RDN of the object, <ObjectGUID> is the GUID of the object, and \0A is the DN-escaped form of the nonprintable delimiter character (0x0A) that separates the two. For example, if you deleted the jsmith user object, its tombstone object would have a distinguished name similar to the following:

cn=jsmith\0ADEL:fce1ca8e-a5ec-4a29-96e1-c8013e533d2c,cn=Deleted Objects,dc=adatum,dc=com

If the Active Directory Recycle Bin is enabled, a deleted object becomes logically deleted while the link-valued and non-link-valued attributes are maintained. Thus, during the deleted object lifetime, deleted objects can be restored to the exact state that they were in prior to the deletion. (This includes group membership information, too.) The restore process for deleted objects becomes much simpler and cleaner with the Active Directory Recycle Bin.

In Windows Server 2012, the AD DS service can be stopped to perform some (but not all) maintenance operations without needing to reboot the domain controller into DSRM. Some of the operations you can perform on a 2012 DC while the AD DS service is stopped include:

  • Performing an offline defragmentation.

  • Moving the AD database files.

  • Performing a nonauthoritative restore. However, performing an authoritative restore still requires a full reboot into DSRM.

You can stop the Active Directory Domain Services service using familiar interfaces such as the Services MMC snap-in, Server Manager, the net stop command-line utility, or the Stop-Service PowerShell cmdlet. Be aware that when you stop the Active Directory Domain Services service, one or more of the following dependent services will be stopped as well; you will need to take this into consideration when restarting the AD DS service so that all associated services are also restarted:

  • File Replication

  • Kerberos Key Distribution Center

  • Intersite Messaging

  • DNS Server (on DCs that are running the DNS Server service)

  • DFS Replication

After a period of time known as the tombstone lifetime (180 days is the default for Windows Server 2012), the tombstone object is finally removed from Active Directory. At that point, remnants of the former object do not exist in Active Directory.

Tombstone objects are important to understand with regard to your backup strategy because you should not keep backups longer than the tombstone lifetime. If you attempt to restore a backup that is older than the tombstone lifetime, it may introduce objects that were deleted but for which a tombstone object no longer exists. Under normal conditions, if you do a nonauthoritative restore from backup, objects that were valid when the backup was taken but that were subsequently deleted will be deleted again during the first replication cycle after the DC is rebooted normally. If the tombstone object has already expired (e.g., the backup is older than 180 days), Active Directory has no way to determine whether the object was previously deleted and will re-add it. Reinjected deleted objects are referred to as lingering or zombie objects.

The tombstone lifetime value is stored in the tombstoneLifetime attribute on the following object: cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<ForestRootDN>.

The Anatomy of a Deleted Object

Deleted objects are generally stored in the respective Deleted Objects container of their naming context. You can view deleted objects by using the Active Directory Administrative Center and browsing to the Deleted Objects container. Table 16-1 contains some of the attributes that are stored with deleted objects.

Note

The attributes that are preserved in tombstone objects are determined by attributeSchema objects that have bit 3 enabled (8 in decimal) in the searchFlags attribute.

Table 16-1. Useful attributes of deleted objects

Attribute           Description
------------------  -----------------------------------------------------------------------------
isDeleted           The value for this attribute is TRUE for deleted objects.
isRecycled          The value for this attribute is TRUE for deleted objects whose deleted object
                    lifetime has expired.
lastKnownParent     Distinguished name of the container the object was contained in.
name                RDN of the object’s current location.
userAccountControl  Retained when the original object is deleted. Applies only to user and
                    computer objects.
objectSID           Retained when the original object is deleted. Applies only to user and
                    computer objects.
sAMAccountName      Retained when the original object is deleted. Applies only to user and
                    computer objects.
sidHistory          Retained when the original object is deleted. Applies only to user and
                    computer objects.
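As an added example (this code is not from the book), the following PowerShell reads the forest's tombstoneLifetime from the Directory Service object named above, reports whether the Recycle Bin is enabled, lists tombstones with the Table 16-1 attributes, and judges whether a backup of a given age is still safe to restore. It assumes the ActiveDirectory module is available and that the caller supplies the backup date; the 200-day date in the usage line is constructed.

```powershell
# Added example (not from the book): tombstone lifetime, Recycle Bin state,
# Deleted Objects contents, and a backup-age check against the tombstone lifetime.
Import-Module ActiveDirectory

function Get-ADTombstoneLifetime {
    # tombstoneLifetime lives on cn=Directory Service,cn=Windows NT,cn=Services in the
    # Configuration NC. If the attribute has never been set, Windows uses 60 days.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
                       -Properties tombstoneLifetime
    if ($null -ne $ds.tombstoneLifetime) { return [int]$ds.tombstoneLifetime }
    return 60
}

function Test-ADRecycleBinEnabled {
    # EnabledScopes stays empty until the optional feature is enabled forest-wide.
    $feature = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
    return ([int]$feature.EnabledScopes.Count -gt 0)
}

function Get-ADDeletedObjectReport {
    # Lists tombstones with the attributes from Table 16-1. isRecycled = TRUE marks
    # objects whose deleted object lifetime has expired; those can no longer be restored.
    $deletedContainer = (Get-ADDomain).DeletedObjectsContainer
    $props = 'isDeleted', 'isRecycled', 'lastKnownParent', 'name',
             'userAccountControl', 'objectSid', 'sAMAccountName', 'sidHistory', 'whenChanged'
    Get-ADObject -SearchBase $deletedContainer -Filter 'isDeleted -eq $true' `
                 -IncludeDeletedObjects -Properties $props |
        Select-Object name, objectClass, isRecycled, lastKnownParent,
                      sAMAccountName, objectSid, userAccountControl, whenChanged
}

function Test-ADBackupAge {
    # A backup older than the tombstone lifetime can reintroduce lingering objects,
    # because the tombstones that would delete them again have already been purged.
    param([Parameter(Mandatory)][datetime]$BackupDate)
    $lifetime = Get-ADTombstoneLifetime
    $ageDays  = ((Get-Date) - $BackupDate).TotalDays
    [pscustomobject]@{
        BackupDate            = $BackupDate
        AgeDays               = [int]$ageDays
        TombstoneLifetimeDays = $lifetime
        RecycleBinEnabled     = Test-ADRecycleBinEnabled
        SafeToRestore         = ($ageDays -lt $lifetime)
    }
}

# Usage with a constructed backup date 200 days in the past; against the 180-day
# default this reports SafeToRestore = False.
Test-ADBackupAge -BackupDate (Get-Date).AddDays(-200)
Get-ADDeletedObjectReport | Format-Table -AutoSize
```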

To aid in Active Directory backup and recovery, Windows Server 2012 includes a snapshot feature that allows you to take point-in-time snapshots of the Active Directory database and then mount those snapshots to view the contents and compare them to the current contents of the AD database. Using scripts or third-party tools, you can even copy information from an Active Directory snapshot directly into the live AD database without needing to reboot the domain controller to perform a traditional restore operation.

Backing Up the Active Directory Database

Problem

You want to back up the Active Directory database.

Solution

Using a command-line interface

> wbadmin start systemstatebackup -backuptarget:"<BackupTarget>"

Using Windows PowerShell

The following PowerShell example will start a one-time System State backup, saving the backup data on the E: volume.

$wbPolicy = New-WBPolicy                       # empty backup policy to fill in
Set-WBSchedule -Policy $wbPolicy -Schedule 23:59   # daily time stored in the policy
Add-WBSystemState -Policy $wbPolicy            # System State includes the AD database
$wbTarget = New-WBBackupTarget -VolumePath E:  # destination volume
Add-WBBackupTarget -Policy $wbPolicy -Target $wbTarget
Start-WBBackup -Policy $wbPolicy               # run the policy once, right now

Discussion

The wbadmin command can be used to create a System State backup of the Active Directory database. In addition, there is a Windows Server Backup GUI tool that can be used to perform the backup. Alternately, Windows PowerShell cmdlets are available to configure one-time and scheduled backup jobs. The steps in this recipe assume that you have installed the Windows Server Backup feature. To install the Windows Server Backup feature using PowerShell, run the following command.

Add-WindowsFeature Windows-Server-Backup -IncludeAllSubFeature

See Also

Creating an Active Directory Snapshot for information on creating Active Directory snapshots; Mounting an Active Directory Snapshot for more on mounting and using snapshots

Creating an Active Directory Snapshot

Problem

You want to create a snapshot of the Active Directory database.

Solution

Using a command-line interface

> ntdsutil
> activate instance ntds
> snapshot
> create

Discussion

The Active Directory Domain Services snapshot feature leverages the Volume Shadow Copy Service (VSS) to allow administrators to create “shadow copies” of the Active Directory database. Once a snapshot has been created, you can use the ntdsutil and dsamain command-line utilities to mount the snapshot as a read-only copy of the Active Directory database. Once the snapshot is mounted, you can view it using customary tools such as ADSI Edit and LDP, as well as using third-party tools to copy information from a snapshot into a live Active Directory database.

See Also

Mounting an Active Directory Snapshot for more on mounting and using snapshots

Mounting an Active Directory Snapshot

Problem

You want to mount a snapshot of the Active Directory database that you created previously using either ntdsutil or a System State backup.

Solution

Using a command-line interface

If you want to view a snapshot in ntdsutil, you must first mount the snapshot within ntdsutil as follows:

> ntdsutil
> activate instance ntds
> snapshot
> list all

The list all command generates a list of snapshots that have been created on the domain controller in question, each with a corresponding number. You will then issue the mount <Number> command to mount the snapshot that you want. Once the snapshot is mounted, ntdsutil will list the physical path that the database has been mounted to, such as C:\$SNAP_200808011002_VOLUMEC$.

Once you have mounted the snapshot you want, you’ll use the dsamain command to expose the snapshot as an LDAP server. When using dsamain, you will need to provide an alternate LDAP port since 389 is in use by the live AD database. You can also specify an alternate LDAPS port, Global Catalog port, and secure Global Catalog port. Use the dsamain tool as follows:

> dsamain /dbpath "<Path to database file>" /ldapport <Port Number>

The mounted snapshot will be exposed as an LDAP server as long as the command window remains open. Use Ctrl-C to “switch off” the snapshot functionality.

Discussion

The dsamain utility can be used to expose an Active Directory snapshot that has been created using ntdsutil, or it can use the contents of a System State backup that has been restored to an alternate location on the local hard drive. Network or UNC paths are not supported. Once a snapshot or restored backup is exposed using dsamain, it can be accessed in a read-only manner using Active Directory tools such as LDP or ADSI Edit, as well as scripts and PowerShell.

See Also

Creating an Active Directory Snapshot for more on creating snapshots; Accessing Active Directory Snapshot Data for more on accessing and manipulating information contained in a snapshot

Accessing Active Directory Snapshot Data

Problem

You want to access data contained within a snapshot of the Active Directory database that you created previously using either ntdsutil or a System State backup.

Solution

Using a graphical user interface

  1. Launch LDP.exe and then connect to the server with a snapshot mounted, using the appropriate port number.

  2. Select Connection→Bind and then click OK.

  3. Click View→Tree. Select the Base DN you would like to view snapshot data from.

  4. Expand the snapshot tree to view the containers and objects available in the snapshot.

Using Windows PowerShell

Get-ADObject -Identity "<ObjectDN>" -Server <ServerName>:<PortNumber> -Properties * | FL

Discussion

An Active Directory snapshot provides a read-only view of the Active Directory database as it existed at a particular point in time, whether the snapshot was created using ntdsutil or whether you are using dsamain to mount the ntds.dit contained in a System State backup. While Windows does not provide a method to perform a simple GUI “cut-and-paste” to insert values from a snapshot into a live Active Directory database, you can do so using scripting, PowerShell, or a third-party tool. You can also view the contents of a snapshot using tools such as ADSI Edit by simply indicating the alternate LDAP port number that you specified when you mounted the snapshot.
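As an added example (not code from the book), the following PowerShell function diffs a single object between a snapshot exposed by dsamain on an alternate LDAP port and the live directory, attribute by attribute. It assumes the ActiveDirectory module and a hypothetical snapshot endpoint of dc1.adatum.com:51389; the port is whatever you passed to dsamain /ldapport.

```powershell
# Added example (not from the book): compare one object between a mounted
# snapshot (server:port given to dsamain) and the live AD database.
Import-Module ActiveDirectory

function Compare-ADObjectWithSnapshot {
    param(
        [Parameter(Mandatory)][string]$Identity,        # DN or objectGUID of the object
        [Parameter(Mandatory)][string]$SnapshotServer,  # e.g. "dc1.adatum.com:51389" (assumed port)
        [string]$LiveServer = [string](Get-ADDomainController -Discover).HostName
    )

    $live = Get-ADObject -Identity $Identity -Server $LiveServer     -Properties *
    $snap = Get-ADObject -Identity $Identity -Server $SnapshotServer -Properties *

    # Attributes that legitimately differ between any two copies of the directory
    # (non-replicated or per-write metadata) would only produce noise.
    $ignore = 'uSNChanged', 'uSNCreated', 'whenChanged', 'modifyTimeStamp',
              'dSCorePropagationData', 'lastLogon', 'lastLogonTimestamp',
              'logonCount', 'badPwdCount', 'badPasswordTime'

    $names = @($live.PropertyNames) + @($snap.PropertyNames) |
             Sort-Object -Unique | Where-Object { $ignore -notcontains $_ }

    foreach ($name in $names) {
        # Normalise multi-valued attributes to sorted strings so ordering differences
        # (e.g. in group membership) do not count as changes.
        $liveVal = @($live.$name) | ForEach-Object { "$_" } | Sort-Object
        $snapVal = @($snap.$name) | ForEach-Object { "$_" } | Sort-Object
        if (($liveVal -join "`n") -ne ($snapVal -join "`n")) {
            [pscustomobject]@{
                Attribute = $name
                Snapshot  = ($snapVal -join '; ')
                Live      = ($liveVal -join '; ')
            }
        }
    }
}

# Usage (hypothetical object and snapshot port):
Compare-ADObjectWithSnapshot -Identity 'cn=jsmith,ou=Sales,dc=adatum,dc=com' `
                             -SnapshotServer 'dc1.adatum.com:51389' | Format-Table -AutoSize
```

Each row is one attribute whose value changed since the snapshot, with the snapshot value on the left, which is what you need when deciding which values to copy back into the live database.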

Restarting a Domain Controller in Directory Services Repair Mode

Problem

You want to restart a domain controller in DS Repair Mode.

Solution

To enter DS Repair Mode, press F8 after the power-on self-test (POST), which will bring up a menu, as shown in Figure 16-1. From the menu, select Directory Services Repair Mode.

Figure 16-1. Boot options

Using a graphical user interface

  1. Run msconfig.exe and then select the Boot tab.

  2. Place a checkmark in the Safe Boot option and then select the Active Directory repair option.

  3. Click OK. You will be prompted to restart the server.

Using the command-line interface

You can also enable DSRM prior to rebooting a server by entering the following command:

> bcdedit /set safeboot dsrepair

Once you have completed the maintenance on the DC and wish to return to a normal startup mode, enter the following prior to rebooting:

> bcdedit /deletevalue safeboot

Discussion

The Active Directory database is live and locked by the system whenever a domain controller is booted into normal mode. In DS Repair Mode, Active Directory does not start up and the database files (e.g., ntds.dit) are not locked. The restartable AD DS service allows you to perform certain maintenance tasks, such as performing an offline defrag, without needing to reboot the domain controller into DSRM. However, certain critical operations, such as an authoritative restore, still need to be performed in Directory Services Repair Mode.

It is not always practical to be logged in to the console of the server when you need to reboot it into DS Repair Mode. You can use Remote Desktop Connection to log on to the machine remotely while it is in DSRM mode.

Note

Directory Services Repair Mode was referred to as Directory Services Restore Mode in previous versions of Windows.

Resetting the Directory Services Repair Mode Administrator Password

Problem

You want to reset the DS Repair Mode administrator password. This password is set individually (i.e., not replicated) on each domain controller and is initially configured when you promote a server to a domain controller.

Solution

Using a command-line interface

Using ntdsutil, you can change the DS Repair Mode administrator password of a domain controller while it is live (i.e., not in DS Repair Mode). Another benefit of this option is that you can run it against a remote domain controller. Use the following command sequence to reset the password on a domain controller named DC1:

> ntdsutil
> set dsrm password
> reset password on server DC1

However, if you are already in DSRM and would like to change the password, the ntdsutil option is not available. To change the DSRM password once you are already logged in, use the following command:

> net user Administrator "<Password>"

Discussion

You may be thinking that having a separate DS Repair Mode administrator password can be quite a pain. Yet another thing you have to maintain and update on a regular basis, right? But if you think about it, you’ll see that it is quite necessary.

Generally, you boot a domain controller into DS Repair Mode when you need to perform some type of maintenance on the Active Directory database. To do this, the database needs to be offline. But if the database is offline, then there is no way to authenticate against it. Because of this, the system has to use another authentication repository, so it reverts back to the legacy SAM database. The DS Repair Mode administrator account and password are stored in the SAM database, just as with standalone Windows servers.

The one disadvantage to the solutions presented in this recipe is that you have to reset the DSRM password on one machine at a time. To automate this process on all domain controllers, the following PowerShell command will synchronize the DSRM password with the current password of the domain Administrator account:

Get-ADDomainController -Filter * | ForEach-Object {Invoke-Command -ComputerName $_.Name -ScriptBlock {ntdsutil "set dsrm password" "sync from domain account Administrator" "Q" "Q"}}

Performing a Nonauthoritative Restore

Problem

You want to perform a nonauthoritative restore of a domain controller. This can be useful if you want to quickly restore a domain controller that failed due to a hardware problem.

Solution

Using a command-line interface

To perform a system state recovery, you will need to know the date and timestamp of the system state backup that you want to recover from. You can perform a nonauthoritative restore by rebooting the DC into DSRM or by stopping the Active Directory Domain Services service; you can stop this service from the Services MMC snap-in, from Server Manager, or by using the net stop command-line utility. The following command syntax performs a system state recovery:

> wbadmin start systemstaterecovery -version:<BackupDate>-<BackupTime>

Discussion

If you encounter a failed domain controller that you cannot bring back up (e.g., multiple hard disks fail), you have two options for restoring it. One option is to remove the domain controller completely from Active Directory (as outlined in Removing an Unsuccessfully Demoted Domain Controller) and then promote it back in. This is known as the restore from replication method, because you are essentially bringing up a brand-new domain controller and letting replication restore all the data on the server. After performing the steps described in Removing an Unsuccessfully Demoted Domain Controller, you can also use the Install From Media option described in Promoting a Server to a Windows Server 2012 Domain Controller from Media to expedite this process.

The other option is described in this recipe’s solution. You can restore the domain controller from a good backup. This method involves restoring the System State and any necessary system drive(s) and then rebooting. As long as the domain controller comes up clean, it should start participating in Active Directory replication once again and replicate any changes that have occurred since the backup was taken. This method is generally the fastest for restoring a domain controller, particularly if the server is the only DC located in a remote site.

For a detailed discussion of the advantages and disadvantages of each option, see Active Directory, Fifth Edition, by Brian Desmond et al. (O’Reilly).

See Also

Restarting a Domain Controller in Directory Services Repair Mode for getting into Directory Services Repair Mode

Performing an Authoritative Restore of an Object or Subtree

Problem

You want to perform an authoritative restore of one or more objects, but not the entire Active Directory database. For the GUI solution, this recipe assumes that the Active Directory Recycle Bin was enabled prior to the deletion. If you have not enabled the AD Recycle Bin, you can do so from the Tasks pane in the Active Directory Administrative Center.

Solution

Using a graphical user interface (steps specific to Windows Server 2012)

  1. Launch Active Directory Administrative Center.

  2. Select the domain and navigate to the Deleted Objects container.

  3. Locate the deleted object in the container.

  4. Right-click the object and select Restore.

Using a command-line interface

To restore a single object, run the following commands:

> ntdsutil
> activate instance ntds
> auth restore
> restore object cn=jsmith,ou=Sales,dc=adatum,dc=com
> q

To restore an entire subtree, run the following commands:

> ntdsutil
> activate instance ntds
> auth restore
> restore subtree ou=Sales,dc=adatum,dc=com
> q

Restart the computer.

There are some issues related to restoring user, group, computer, and trust objects that you should be aware of. See MS KB 216243 and MS KB 280079 for more information.

Using PowerShell

Get-ADObject -Filter {isDeleted -eq $true} -IncludeDeletedObjects | Where-Object {$_.DistinguishedName -match "<GroupName>"} | Restore-ADObject

Discussion

If an administrator or user accidentally deletes an important object or entire subtree from Active Directory, you can restore it. Fortunately, the process isn’t very painful. The key is to have a good backup that contains the objects you want to restore.

Using a command-line interface

To restore one or more objects, you need to follow the same steps as when performing a nonauthoritative restore. The only difference is that after you do the restore, you need to use ntdsutil to mark the objects in question as authoritative on the restored domain controller. After you reboot the domain controller, it will then receive information from its replication partners and process updates for any objects that have been changed since the backup that was restored on the machine, except for the objects or subtrees that were marked as authoritative. For those objects, Active Directory modifies the restored objects in such a way that they will become authoritative and replicate out to the other domain controllers.

Note

Performing an authoritative restore of user or group objects will require additional considerations, as detailed in MS KB 280079. (Authoritative restore of groups can result in inconsistent membership information across domain controllers.)

You can also use ntdsutil without first doing a restore in situations where an object has accidentally been deleted, but the change has not yet replicated to all domain controllers. The trick here is that you need to find a domain controller that has not had the deletion replicated yet, and either stop it from replicating or make the object authoritative before it sends its replication updates. Take a look at Enabling and Disabling Replication for more information on controlling inbound and outbound replication on a domain controller.

Using PowerShell

If the Active Directory Recycle Bin is not enabled, then the PowerShell solution will restore the object without the link-valued and some of the non-link-valued attributes. However, if the Active Directory Recycle Bin was enabled prior to the object deletion, then the PowerShell solution will restore the object to its original state, which includes the link-valued and the non-link-valued attributes.
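As an added example (not code from the book), the following PowerShell restores a deleted OU together with everything that was deleted with it, parent first, which is the order the Recycle Bin requires because a child cannot be restored until its lastKnownParent exists again. It assumes the ActiveDirectory module, that the Recycle Bin was enabled before the deletion, and that the caller supplies the deleted OU's objectGUID (the GUID in the \0ADEL: name).

```powershell
# Added example (not from the book): restore a deleted OU and its deleted children,
# parent first, via the Recycle Bin. Requires the Recycle Bin to have been enabled
# before the deletion; recycled objects (isRecycled = TRUE) cannot be restored.
Import-Module ActiveDirectory

function Restore-ADDeletedSubtree {
    param(
        [Parameter(Mandatory)][string]$ObjectGuid,   # objectGUID of the deleted object; stable across deletion
        [string]$Server                              # optional DC to target
    )
    $serverArgs = @{}
    if ($Server) { $serverArgs.Server = $Server }
    $deletedContainer = (Get-ADDomain @serverArgs).DeletedObjectsContainer

    $obj = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects `
                        -Properties isDeleted, isRecycled @serverArgs
    if (-not $obj.isDeleted) { throw "$ObjectGuid is not deleted; nothing to restore" }
    if ($obj.isRecycled)     { throw "$ObjectGuid is recycled; its deleted object lifetime expired, restore from backup instead" }

    # Restore this object; -PassThru returns it at its restored (original) location.
    $restored = Restore-ADObject -Identity $ObjectGuid -PassThru @serverArgs
    Write-Verbose "Restored $($restored.DistinguishedName)"

    # Children deleted along with the parent keep it in lastKnownParent. That attribute is
    # DN-syntax, so once the parent is back it resolves to the parent's live DN, which is
    # what we filter on (the same query Microsoft documents for Recycle Bin restores).
    $parentDn = $restored.DistinguishedName
    $children = Get-ADObject -SearchBase $deletedContainer -IncludeDeletedObjects `
                             -Filter { isDeleted -eq $true -and lastKnownParent -eq $parentDn } `
                             -Properties isRecycled @serverArgs
    foreach ($child in $children) {
        if ($child.isRecycled) { Write-Warning "Skipping recycled object $($child.Name)"; continue }
        # Recurse so nested OUs bring their own children back as well.
        Restore-ADDeletedSubtree -ObjectGuid "$($child.ObjectGUID)" @serverArgs
    }
    $restored
}

# Usage with a constructed GUID placeholder for the deleted OU:
Restore-ADDeletedSubtree -ObjectGuid '<ObjectGUID-of-deleted-OU>' -Verbose
```

Note that any object whose lastKnownParent is that OU is restored, including objects deleted from it on earlier occasions, so review the Deleted Objects container first if that is not what you want.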

See Also

Restarting a Domain Controller in Directory Services Repair Mode for booting into Directory Services Repair Mode; Undeleting a Single Object for restoring a deleted object; MS KB 216243 (Authoritative Restore of Active Directory and Impact on Trusts and Computer Accounts); MS KB 280079 (Authoritative Restore of Groups Can Result in Inconsistent Membership Information Across Domain Controllers)

Performing a Complete Authoritative Restore

Problem

You want to perform a complete authoritative restore of the Active Directory database because a significant failure has occurred.

Solution

First, reboot into Directory Services Repair Mode (DSRM)—see Restarting a Domain Controller in Directory Services Repair Mode for more information. Then, once in DSRM, run the following command to restore the entire database:

> wbadmin start systemstaterecovery -version:<BackupDate>-<BackupTime> -authsysvol

For example, to restore a backup from 02/14/2013 at 08:56pm, run the following command:

> wbadmin start systemstaterecovery -version:02/14/2013-20:56 -authsysvol

Restart the computer.

Discussion

In a production environment, you should never have to perform an authoritative restore of the entire Active Directory database unless you have encountered a drastic situation such as a forest recovery scenario. It is a drastic measure, and you will almost inevitably lose data as a result. Before you even attempt such a restore, you may want to contact Microsoft Support to make sure that all options have been exhausted. However, you should still test the authoritative restore process in a lab environment and make sure that you have the steps properly documented in case you ever do need to use it.

See Also

Restarting a Domain Controller in Directory Services Repair Mode for getting into Directory Services Repair Mode; MS KB 216243 (Authoritative Restore of Active Directory and Impact on Trusts and Computer Accounts); MS KB 280079 (Authoritative Restore of Groups Can Result in Inconsistent Membership Information Across Domain Controllers)

Checking the DIT File’s Integrity

Problem

You want to check the integrity and semantics of the DIT file to verify that there is no corruption or bad entries.

Solution

Using a command-line interface

This recipe can be performed while the Active Directory Domain Services service is in a stopped state; it is not necessary to reboot the DC into DSRM. To stop the AD DS service, use services.msc, or issue the net stop command.

Once the DC is prepared as needed, run the following commands:

> ntdsutil
> activate instance ntds
> files
> integrity
> quit
> semantic database analysis
> verbose on
> go
> quit
> quit
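As an added example (not code from the book), the following PowerShell wraps the ntdsutil sequence above so that it runs with the AD DS service stopped and then restarts every dependent service that was running beforehand, which Start-Service on NTDS alone does not do (see the dependent-service list in the Introduction). The success test keys on ntdsutil's "Integrity check successful" message; the log path is a constructed default.

```powershell
# Added example (not from the book): run the ntdsutil integrity check and semantic
# analysis with AD DS stopped, then bring NTDS and its dependents back.
function Invoke-OfflineDitCheck {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$LogPath = "$env:SystemRoot\Temp\ntdsutil-check.log")  # constructed default

    $ntds = Get-Service -Name NTDS
    # Remember which dependents (KDC, DNS, DFSR, Intersite Messaging, NtFrs, ...) are up now:
    # Stop-Service -Force takes them down with NTDS, and Start-Service NTDS leaves them stopped.
    $dependents = @($ntds.DependentServices | Where-Object Status -eq 'Running' | ForEach-Object Name)

    if (-not $PSCmdlet.ShouldProcess('NTDS', 'Stop AD DS and run ntdsutil integrity/semantic checks')) { return }

    Stop-Service -Name NTDS -Force
    try {
        # Same menu commands as the recipe, passed as arguments so ntdsutil runs unattended.
        $output = & ntdsutil.exe 'activate instance ntds' 'files' 'integrity' 'quit' `
                                 'semantic database analysis' 'verbose on' 'go' 'quit' 'quit' 2>&1
        $output | Out-File -FilePath $LogPath -Encoding utf8
        $integrityOk = [bool]($output -match 'Integrity check successful')
    }
    finally {
        # Always restore service, even if ntdsutil failed or threw.
        Start-Service -Name NTDS
        foreach ($name in $dependents) { Start-Service -Name $name }
    }

    [pscustomobject]@{
        IntegrityOk       = $integrityOk
        LogPath           = $LogPath          # review the semantic analysis output here
        RestartedServices = $dependents
    }
}

# Usage: review the returned object and the log before considering "go fixup".
Invoke-OfflineDitCheck -Verbose
```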

Discussion

The Active Directory DIT file (ntds.dit) is implemented as a transactional database. Microsoft uses the ESE database (also called JET Blue) for Active Directory, which has been used for years in other products such as Microsoft Exchange.

Since the Active Directory DIT is ultimately a database, it can suffer from many of the same issues as traditional databases. The ntdsutil integrity command checks for any low-level database corruption and ensures that the database headers are correct and the tables are in a consistent state. It reads every byte of the database and can take quite a while to complete, depending on how large the DIT file is.

Whereas the ntdsutil integrity command verifies the overall structure and health of the database files, the ntdsutil semantics command looks at the contents of the database. It will verify, among other things, reference counts, replication metadata, and security descriptors. If any errors are reported back, you can run go fixup to attempt to correct them. You should have a recent backup handy before doing this and perform this step only as a troubleshooting option, preferably under the direction of a Microsoft PSS engineer, since in the worst case the corruption cannot be fixed or the state of your AD database may even become worse after the go fixup command completes.

See Also

Restarting a Domain Controller in Directory Services Repair Mode for booting into Directory Services Repair Mode; MS KB 315136 (How to Complete a Semantic Database Analysis for the Active Directory Database by Using Ntdsutil.exe)

Moving the DIT Files

Problem

You want to move the Active Directory DIT files to a new drive to improve performance or capacity.

Solution

Using a command-line interface

This recipe can be performed while the Active Directory Domain Services service is in a stopped state; it is not necessary to reboot the DC into DSRM. Once the service is stopped, run the following commands, in which <DriveAndFolder> is the new location where you want to move the files (e.g., d:\NTDS):

> ntdsutil
> activate instance ntds
> files
> move db to "<DriveAndFolder>"
> move logs to "<DriveAndFolder>"
> q
> q

Discussion

You can move the Active Directory database file (ntds.dit) independently of the logfiles. The first command in the solution moves the database, and the second moves the logs. You may also want to consider running an integrity check against the database after you’ve moved it to ensure that nothing went wrong during the move. See Checking the DIT File’s Integrity for more details.

See Also

Restarting a Domain Controller in Directory Services Repair Mode for booting into Directory Services Repair Mode; Checking the DIT File’s Integrity for checking DIT file integrity

Repairing or Recovering the DIT

Problem

You need to repair or perform a soft recovery of the Active Directory DIT because a power failure or some other failure caused the domain controller to enter an unstable state.

Solution

Using a command-line interface

This recipe can be performed while the Active Directory Domain Services service is in a stopped state; it is not necessary to reboot the DC into DSRM. Once the service is stopped, run the following commands:

> ntdsutil
> activate instance ntds
> files
> recover
> q
> q

If the recover operation is successful, you should then check the integrity of the AD database (see Checking the DIT File’s Integrity).

Discussion

Hopefully, you will never need to recover or repair your Active Directory database. However, a recovery may be needed after a domain controller unexpectedly shuts down, perhaps due to a power loss, and certain changes were never committed to the database. When it boots back up, a soft recovery is automatically done in an attempt to reapply any changes that were contained in the transaction logfiles. Since Active Directory does this automatically, it is unlikely that running the ntdsutil recover command will be of much help.

We recommend that you use extreme caution when performing a repair and you may wish to engage Microsoft Support first in case something goes wrong. If you try the repair, and it makes things worse, you should consider rebuilding the domain controller from scratch. See Removing an Unsuccessfully Demoted Domain Controller for forcibly removing a failed domain controller from your domain.

See Also

Checking the DIT File’s Integrity for checking the integrity of the DIT file

Performing an Online Defrag Manually

Problem

You want to initiate an online defragmentation to optimize the disk space that’s being used by the ntds.dit file.

Solution

Using a graphical user interface

  1. Open LDP.exe.

  2. From the menu, select Connection→Connect.

  3. For Server, enter the name of the target domain controller.

  4. For Port, enter 389.

  5. Click OK.

  6. From the menu, select Connection→Bind.

  7. Enter the credentials of an administrative user or accept the default and log on with the current user credentials.

  8. Click OK.

  9. From the menu, select Browse→Modify.

  10. Leave the Dn blank.

  11. For Attribute, enter DoOnlineDefrag.

  12. For Values, enter 180.

  13. For Operation, select Add.

  14. Click Enter.

  15. Click Run.

Using a command-line interface

Create an LDIF file called online_defrag.ldf with the following contents:

dn:
changetype: modify
replace: DoOnlineDefrag
DoOnlineDefrag: 180
-

Then run the following command:

> ldifde -v -i -f online_defrag.ldf

You can also perform an online defrag using AdMod:

> admod -b "" doOnlineDefrag::180

Using PowerShell

$rootDSE = [ADSI] "LDAP://<DomainControllerName>/RootDSE"
$rootDSE.put("DoOnlineDefrag", "180")
$rootDSE.SetInfo()

Discussion

By default, the online defrag process runs every 12 hours on each domain controller after the garbage collection process completes. This process defrags the Active Directory database (ntds.dit) by combining whitespace generated from deleted objects but does not reduce the size of the database file.

To start an online defrag, simply write the DoOnlineDefrag attribute to the RootDSE with a value equal to the maximum time the defrag process should run (in seconds). You must be a member of the Domain Admins group in the domain controller’s domain in order to write to this attribute.
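The following PowerShell function is an added example and is not part of the original recipe. It performs the same RootDSE write as the solutions above and then confirms that the pass actually ran by watching the Directory Service log on that DC for the ESE completion event: the ESE engine (event source NTDS ISAM) logs event 700 when a full online defragmentation pass begins and 701 when it completes. The server name, the timeouts, and the function name are placeholders chosen for this example.

```powershell
# Added example, not the book's code. Trigger an online defrag on one DC and
# wait for ESE to report that the pass completed. Assumes Domain Admin rights,
# remote event-log access to the DC, and Windows Server 2008 or later.
function Start-NtdsOnlineDefrag {
    param(
        [Parameter(Mandatory)] [string] $Server,   # DC to defrag, e.g. 'dc1.adatum.com' (placeholder)
        [int] $MaxRunSeconds = 180,                # value written to doOnlineDefrag (seconds)
        [int] $WaitSeconds   = 600                 # how long to watch for the completion event
    )
    $started = Get-Date

    # doOnlineDefrag is an operational attribute on RootDSE: writing it starts a
    # defrag pass, and the value caps the pass at that many seconds.
    $rootDse = [ADSI] "LDAP://$Server/RootDSE"
    $rootDse.Put('doOnlineDefrag', $MaxRunSeconds)
    $rootDse.SetInfo()

    # ESE logs event 700 (pass started) and 701 (full pass completed) to the
    # Directory Service log; a 701 newer than our write means the pass finished.
    $deadline = $started.AddSeconds($WaitSeconds)
    do {
        $done = Get-WinEvent -ComputerName $Server -MaxEvents 1 -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Directory Service'; Id = 701; StartTime = $started
        }
        if ($done) {
            return [pscustomobject]@{ Server = $Server; Completed = $true; FinishedAt = $done.TimeCreated }
        }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)

    # No 701 inside the window: the pass may have hit MaxRunSeconds or the DC is
    # still working. Report the fact rather than guessing.
    [pscustomobject]@{ Server = $Server; Completed = $false; FinishedAt = $null }
}

# Usage (placeholder server):
# Start-NtdsOnlineDefrag -Server 'dc1.adatum.com'
```

Because the online defrag does not shrink the file, the only useful confirmation is the event pair; a Completed value of $false with no 701 in the log usually means the cap you wrote was shorter than the pass needed on a large DIT.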

See Also

Performing an Offline Defrag to Reclaim Space for performing an offline defrag; MS KB 198793 (The Active Directory Database Garbage Collection Process)

Performing a Database Recovery

Problem

You want to perform a recovery of the Active Directory database when other methods have failed.

Solution

Using a command-line interface

This recipe can be performed while the Active Directory Domain Services service is in a stopped state; it is not necessary to reboot the DC into DSRM. Once the service is stopped, to perform an integrity check of the Active Directory database, enter the following:

> esentutl /g "<PathToNTDS.DIT>" /!10240 /8 /o

To perform a soft recovery of the AD database (replaying the edb*.log transaction logs into it), enter the following. Note that /r takes the log base name (edb), not the path to ntds.dit; /l and /s point at the folder holding the logfiles and edb.chk, and /d at the folder holding ntds.dit:

> esentutl /r edb /l "<PathToNTDSLogs>" /s "<PathToNTDSLogs>" /d "<PathToNTDSFolder>" /!10240 /8 /o

To perform a hard repair of the database, use the following syntax. This is a last resort: /p discards any page it cannot recover, so it can silently lose directory data, and a domain controller repaired this way should be treated with suspicion until it has passed an integrity check and a semantic database analysis in ntdsutil:

> esentutl /p "<PathToNTDS.DIT>" /!10240 /8 /o

Discussion

When attempting to recover the ntds.dit database, you may occasionally encounter a situation where ntdsutil is unable to repair whatever damage has occurred. You may run into error messages similar to the following:

Operation failed because the database was inconsistent.

Initialize jet database failed; cannot access file.

Error while performing soft recovery.

Because the AD database is based on the ESE, you also have access to the esentutl database utility, which can perform a number of operations against the ntds.dit file, including defragmentation, database recovery or repair, and integrity checks. (For a complete description of each operation, type esentutl /? at the command line.)

If the ntdsutil recovery options listed elsewhere in this chapter fail, you can attempt to repair AD using this ESE utility. Many of the operations that you can perform with esentutl have the potential to exacerbate data loss, so be certain that you have a viable backup in place before attempting any of them. In fact, in some cases it may actually be easier and quicker to simply restore from a known good backup to get your domain or forest back online again.
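The following PowerShell is an added example, not the book's or Microsoft's code. It strings the esentutl steps above together in the safe order: copy the NTDS files aside, run the integrity check, run a soft recovery only if the check fails, and then re-check. It deliberately never invokes /p; that decision stays with a person who has a backup in hand. The file locations are read from the registry values the directory service itself uses, so a relocated DIT is handled. The function names and the $BackupRoot location are placeholders chosen for this example.

```powershell
# Added example, not the book's code. Guarded ESE recovery of ntds.dit:
# integrity check first, soft recovery (log replay) only if that fails, and
# never the lossy /p repair without a human decision. Assumes Windows Server
# 2008 or later (restartable AD DS), local Administrator rights, and enough
# space under $BackupRoot (placeholder) for a copy of the NTDS files.
function Get-NtdsPaths {
    # The DS records where the files really are; do not assume %SystemRoot%\NTDS.
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    [pscustomobject]@{
        Database = $p.'DSA Database file'          # full path to ntds.dit
        LogDir   = $p.'Database log files path'    # folder holding edb*.log and edb.chk
    }
}

function Invoke-NtdsSoftRecovery {
    param([string] $BackupRoot = 'D:\ntds-recovery')   # placeholder for the pre-recovery copy

    $paths = Get-NtdsPaths
    $dbDir = Split-Path -Parent $paths.Database

    Stop-Service -Name NTDS -Force                      # -Force also stops dependents (KDC, DNS, ...)
    try {
        # 1. Snapshot the current on-disk state so a failed attempt can be undone.
        $copy = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
        New-Item -ItemType Directory -Path $copy -Force | Out-Null
        Copy-Item -Path (Join-Path $dbDir '*') -Destination $copy -Recurse
        if ($paths.LogDir -ne $dbDir) {
            Copy-Item -Path (Join-Path $paths.LogDir 'edb*') -Destination $copy
        }

        # 2. Integrity check: exit code 0 means ESE considers the database consistent.
        & esentutl.exe '/g' $paths.Database '/!10240' '/8' '/o' | Out-Null
        if ($LASTEXITCODE -eq 0) {
            return [pscustomobject]@{ Action = 'none'; Consistent = $true; Copy = $copy }
        }

        # 3. Soft recovery replays edb*.log into the database. /r takes the log
        #    base name ("edb"); /l = log path, /s = checkpoint (edb.chk) path,
        #    /d = database path. This is what ntdsutil "files recover" wraps.
        & esentutl.exe '/r' 'edb' "/l$($paths.LogDir)" "/s$($paths.LogDir)" "/d$dbDir" '/!10240' '/8' '/o' | Out-Null
        $recoveryRC = $LASTEXITCODE

        # 4. Re-check. If still inconsistent, stop here: /p discards unrecoverable
        #    pages and a known-good backup is usually the better option. That call
        #    is left to a person, with the pre-recovery copy location in hand.
        & esentutl.exe '/g' $paths.Database '/!10240' '/8' '/o' | Out-Null
        [pscustomobject]@{
            Action     = 'soft recovery'
            RecoveryRC = $recoveryRC
            Consistent = ($LASTEXITCODE -eq 0)
            Copy       = $copy
        }
    }
    finally {
        # Restart AD DS; if the database is still inconsistent this will fail
        # loudly, which is the correct outcome.
        Start-Service -Name NTDS -ErrorAction Continue
    }
}

# Usage:
# Invoke-NtdsSoftRecovery -BackupRoot 'D:\ntds-recovery'
```

Stopping the service cleanly already flushes and commits the logs, so on a healthy DC the integrity check passes and the function does nothing beyond making the copy; the soft-recovery branch is only reached when the database header reports a dirty shutdown that the automatic recovery at startup did not resolve.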

See Also

MS KB 305500 (Cannot Repair the Active Directory Database by Using the Ntdsutil Tool); MS KB 280364 (How to Recover from Event ID 1168 and Event ID 1003 Error Messages)

Creating a Reserve File

Problem

You want to create another reserve file on the disk containing the ntds.dit file to guard against AD failures caused by running out of disk space.

Solution

Using a command-line interface

The following command will create an empty reserve file of 256,000,000 bytes (roughly 250 MB) in the same directory as the ntds.dit file:

> fsutil file createnew <PathToNTDSFolder>\reservefile 256000000

For example, the following will create the reserve file in c:\windows\ntds:

> fsutil file createnew c:\windows\ntds\reservefile 256000000

Discussion

By default, Active Directory creates two files called edbres00001.jrs and edbres00002.jrs in the same directory as the ntds.dit database. Each of these files is 10 MB in size and is used to hold in reserve the last 20 MB of space on the drive hosting the AD database files. If a domain controller runs out of space on that drive, Active Directory will use the space being held by edbres00001.jrs and edbres00002.jrs to commit any uncommitted transactions before shutting down so that no information is lost. If you wish to set aside more space than this, you can create a reserve file to set aside additional space; this reserve file can then be manually deleted to free up disk space. This can provide an additional safeguard against a user or administrator inadvertently filling up the drive that’s hosting the ntds.dit file, or guard against a virus or a malicious user performing a denial-of-service attack by intentionally filling up the drive. Because the file inherits the NTDS folder’s permissions (Administrators and SYSTEM only), the same unprivileged account that fills the disk cannot delete the reserve to keep the DC starved.
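The following PowerShell is an added example, not the book's code, and wraps the fsutil command above in the checks an administrator wants before and after it: it finds the real NTDS folder from the registry (the DIT may have been relocated), refuses to create a reserve that would itself crowd the volume, verifies that only Administrators and SYSTEM have rights on the new file, and provides the matching emergency release. The function names and the "keep twice the reserve free" rule are assumptions of this example.

```powershell
# Added example, not the book's code. Create or release a reserve file next to
# ntds.dit and report the space picture. Assumes local Administrator rights on
# the DC; the 256,000,000-byte default mirrors the recipe.
function Get-NtdsDatabaseDirectory {
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    Split-Path -Parent $p.'DSA Database file'
}

function Get-NtdsSpaceReport {
    $dir   = Get-NtdsDatabaseDirectory
    $drive = Get-PSDrive -Name $dir.Substring(0, 1)
    $jrs   = (Get-ChildItem -Path $dir -Filter 'edbres*.jrs' | Measure-Object -Property Length -Sum).Sum
    if (-not $jrs) { $jrs = 0 }
    [pscustomobject]@{
        Directory      = $dir
        DitMB          = [math]::Round((Get-Item (Join-Path $dir 'ntds.dit')).Length / 1MB)
        BuiltInReserveMB = [math]::Round($jrs / 1MB)            # the two edbres*.jrs files
        ExtraReserves  = @(Get-ChildItem -Path $dir -Filter 'reservefile*' | ForEach-Object Name)
        FreeMB         = [math]::Round($drive.Free / 1MB)
    }
}

function New-NtdsReserveFile {
    param(
        [long]   $SizeBytes = 256000000,   # roughly 250 MB, as in the recipe
        [string] $Name      = 'reservefile'
    )
    $dir  = Get-NtdsDatabaseDirectory
    $path = Join-Path $dir $Name
    if (Test-Path $path) { throw "Reserve file already exists: $path" }

    # Assumption of this example: do not create a reserve unless at least twice
    # its size is free, so the reserve itself never triggers the shortage.
    $free = (Get-PSDrive -Name $dir.Substring(0, 1)).Free
    if ($free -lt 2 * $SizeBytes) {
        throw "Only $([math]::Round($free / 1MB)) MB free; not creating a $([math]::Round($SizeBytes / 1MB)) MB reserve"
    }

    # fsutil allocates the full size on disk (the file is not sparse), which is the point.
    & fsutil.exe file createnew $path $SizeBytes | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "fsutil failed with exit code $LASTEXITCODE" }

    # The file inherits the NTDS folder ACL. Warn if anything other than
    # Administrators or SYSTEM ended up with rights on it.
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference -notmatch 'Administrators|SYSTEM' } |
        ForEach-Object { Write-Warning "Unexpected ACE on reserve file: $($_.IdentityReference) $($_.FileSystemRights)" }
    Get-Item -Path $path
}

function Remove-NtdsReserveFile {
    # Emergency use: frees the reserved space immediately so AD DS can commit.
    param([string] $Name = 'reservefile')
    $path = Join-Path (Get-NtdsDatabaseDirectory) $Name
    if (-not (Test-Path $path)) { throw "No reserve file at $path" }
    Remove-Item -Path $path -Force
    Get-NtdsSpaceReport
}

# Usage:
# New-NtdsReserveFile           # create the default ~250 MB reserve
# Get-NtdsSpaceReport           # DIT size, built-in and extra reserves, free space
# Remove-NtdsReserveFile        # release it when the volume is full
```

The report function reads the size of ntds.dit through the file system, which works while AD DS is running, so it also serves as a quick check of the database size without stopping the service.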

Note

To prevent accidental or malicious bloating of the ntds.dit file itself, you can also establish quotas to restrict the number of objects that can be created by a user.

See Also

Creating a Quota for more on creating Active Directory quotas; Changing How Tombstone Objects Count Against Quota Usage for configuring how tombstoned objects affect quotas

Determining How Much Whitespace Is in the DIT

Problem

You want to find the amount of whitespace in your DIT. A lot of whitespace in the DIT may mean that you could regain enough space on the disk to warrant performing an offline defrag.

Solution

Using a graphical user interface

  1. Run regedit.exe from the command line or from Start→Run.

  2. Expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.

  3. In the right pane, double-click on 6 Garbage Collection.

  4. For Value data, enter 1.

  5. Click OK.

Using a command-line interface

> reg add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "6 Garbage Collection" /t REG_DWORD /d 1 /f

Using Windows PowerShell

$strRegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"
Set-ItemProperty -Path $strRegPath -Name "6 Garbage Collection" -Value 1

Discussion

By setting the 6 Garbage Collection diagnostics logging option, event 1646 will get generated after the garbage collection process runs. Here is a sample 1646 event:

Event Type:         Information
Event Source:       NTDS Database
Event Category:     Garbage Collection
Event ID:           1646
Date:               11/25/2012
Time:               9:52:46 AM
User:               NT AUTHORITY\ANONYMOUS LOGON
Computer:           DC1
Description:
Internal event:     The Active Directory database has the following amount of free hard disk space remaining.

Free hard disk space (megabytes): 100
Total allocated hard disk space (megabytes): 1024

This shows that domain controller DC1 has a 1 GB DIT file with 100 MB that is free (i.e., whitespace).
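The following PowerShell is an added example, not the book's code. It turns the 1646 event text into numbers and applies a rule for whether an offline defrag is worth the downtime. The whitespace thresholds are this example's assumptions, not Microsoft guidance, and the function names are placeholders; the sample message at the end is constructed to match the event shown above so the parser can be tried without a DC.

```powershell
# Added example, not the book's code. Parse the 1646 free-space event and decide
# whether an offline defrag is worthwhile. Requires "6 Garbage Collection" >= 1
# on the DC so that 1646 is written after each garbage collection pass.
function ConvertFrom-NtdsEvent1646 {
    param([Parameter(Mandatory)] [string] $Message)
    $free  = [regex]::Match($Message, 'Free hard disk space \(megabytes\):\s*(\d+)')
    $total = [regex]::Match($Message, 'Total allocated hard disk space \(megabytes\):\s*(\d+)')
    if (-not ($free.Success -and $total.Success)) { throw 'Message is not an NTDS 1646 free-space event' }
    $freeMB  = [int] $free.Groups[1].Value
    $totalMB = [int] $total.Groups[1].Value
    [pscustomobject]@{
        TotalMB           = $totalMB
        WhitespaceMB      = $freeMB
        WhitespacePercent = [math]::Round(100.0 * $freeMB / $totalMB, 1)
    }
}

function Test-NtdsOfflineDefragWorthwhile {
    param(
        [string] $Server     = $env:COMPUTERNAME,
        [int]    $MinPercent = 20,    # assumption: below this, the reclaim is not worth the risk
        [int]    $MinMB      = 500    # assumption: absolute floor so small DITs never qualify
    )
    $ev = Get-WinEvent -ComputerName $Server -MaxEvents 1 -ErrorAction Stop `
        -FilterHashtable @{ LogName = 'Directory Service'; Id = 1646 }
    $r = ConvertFrom-NtdsEvent1646 -Message $ev.Message
    $r | Add-Member -NotePropertyName Server     -NotePropertyValue $Server
    $r | Add-Member -NotePropertyName ReportedAt -NotePropertyValue $ev.TimeCreated
    $r | Add-Member -NotePropertyName RecommendOfflineDefrag -PassThru `
        -NotePropertyValue ($r.WhitespacePercent -ge $MinPercent -and $r.WhitespaceMB -ge $MinMB)
}

# Constructed sample matching the event text in the recipe: 100 MB free of
# 1024 MB parses to 9.8 percent whitespace, well under the default threshold.
$sample = @'
Internal event: The Active Directory database has the following amount of free hard disk space remaining.

Free hard disk space (megabytes): 100
Total allocated hard disk space (megabytes): 1024
'@
ConvertFrom-NtdsEvent1646 -Message $sample

# Against a live DC:
# Test-NtdsOfflineDefragWorthwhile -Server 'dc1.adatum.com'
```

Because the event is only written after a garbage collection pass, the newest 1646 can be up to one garbageCollPeriod old; check ReportedAt before acting on it.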

See Also

Performing an Offline Defrag to Reclaim Space for performing an offline defrag

Performing an Offline Defrag to Reclaim Space

Problem

You want to perform an offline defrag of the Active Directory DIT to reclaim whitespace in the DIT file.

Solution

Using a command-line interface

This recipe can be performed while the Active Directory Domain Services service is in a stopped state; it is not necessary to reboot the DC into DSRM.

  1. Once the AD DS service is stopped, check the integrity of the DIT as outlined in Checking the DIT File’s Integrity.

  2. Now, you are ready to perform the defrag operation. Run the following command to create a compacted copy of the DIT file. You should check to make sure the drive on which you create the copy has plenty of space. A rule of thumb is that it should have at least 115 percent of the size of the current DIT available:

    > ntdsutil "activate instance ntds" files "compact to <TempDriveAndFolder>"↵
     q q
  3. Delete the transaction logfiles in the current NTDS directory (the compaction produces a consistent database, so the old logs no longer apply to it):

    > del <CurrentDriveAndFolder>\*.log
  4. You may want to keep a copy of the original DIT file for a short period of time to ensure that nothing catastrophic happens to the compacted DIT. This does not replace the need for a System State backup and a backup of the domain controller’s system drive; it is simply a temporary measure to provide a fallback if the move process itself goes wrong. If you are going to copy or move the original version, be sure you have enough space in its new location:

    > move <CurrentDriveAndFolder>\ntds.dit <TempDriveAndFolder>\ntds_orig.dit
    > move <TempDriveAndFolder>\ntds.dit <CurrentDriveAndFolder>\ntds.dit
  5. Repeat the steps in Checking the DIT File’s Integrity to ensure that the new DIT file is not corrupted. If it is clean, restart the AD DS service (or reboot the domain controller) and monitor the Directory Service event log. If no errors are reported, make sure the domain controller is backed up as soon as possible.
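The following PowerShell is an added example, not the book's code. It runs the five steps above end to end with the AD DS service stopped: it checks the 115 percent space rule before any downtime, verifies the compacted copy before swapping it in, and puts the original back if the new file fails its integrity check. Paths come from the registry values the directory service uses. The function names are placeholders, and the strings matched in ntdsutil's output ("Integrity check successful" and "Operation completed successfully") are the messages it prints on Windows Server 2008 R2 and 2012 in my experience; treat them as an assumption and confirm on your build.

```powershell
# Added example, not the book's code. Offline defrag with rollback. Assumes
# Windows Server 2008 or later (restartable AD DS), local Administrator rights,
# and a $TempDir (placeholder) without spaces, since it is embedded in an
# ntdsutil command string.
function Invoke-NtdsUtil {
    # Run a sequence of ntdsutil commands non-interactively; return the output as one string.
    param([Parameter(Mandatory)] [string[]] $Commands)
    (& ntdsutil.exe @Commands 2>&1) | Out-String
}

function Invoke-NtdsOfflineDefrag {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [ValidatePattern('^\S+$')] [string] $TempDir)

    $p      = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dit    = $p.'DSA Database file'
    $logDir = $p.'Database log files path'
    $before = (Get-Item -Path $dit).Length

    # Space check before any downtime: the compacted copy may need ~115% of the current DIT.
    New-Item -ItemType Directory -Path $TempDir -Force | Out-Null
    $compacted = Join-Path $TempDir 'ntds.dit'
    if (Test-Path $compacted) { throw "$compacted already exists; choose an empty temp folder" }
    $tempDrive = (Get-Item -Path $TempDir).PSDrive
    if ($tempDrive.Free -lt 1.15 * $before) {
        throw ('Need {0} MB free on {1}:, have {2} MB' -f [math]::Ceiling(1.15 * $before / 1MB), $tempDrive.Name, [math]::Floor($tempDrive.Free / 1MB))
    }
    if (-not $PSCmdlet.ShouldProcess($dit, "offline defrag via $TempDir")) { return }

    Stop-Service -Name NTDS -Force
    try {
        # Step 1: integrity check of the current DIT.
        $out = Invoke-NtdsUtil 'activate instance ntds', 'files', 'integrity', 'quit', 'quit'
        if ($out -notmatch 'Integrity check successful') { throw "Integrity check failed before compaction:`n$out" }

        # Step 2: compact to the temp folder.
        $out = Invoke-NtdsUtil 'activate instance ntds', 'files', "compact to $TempDir", 'quit', 'quit'
        if (-not (Test-Path $compacted) -or $out -notmatch 'Operation completed successfully') {
            throw "Compaction failed:`n$out"
        }

        # Steps 3 and 4: drop the old logs, keep the original, swap in the compacted file.
        $orig = Join-Path $TempDir 'ntds_orig.dit'
        Remove-Item -Path (Join-Path $logDir 'edb*.log')
        Move-Item -Path $dit -Destination $orig
        Move-Item -Path $compacted -Destination $dit

        # Step 5: integrity check of the new file; roll back if it fails. The
        # original is consistent because the service was stopped cleanly.
        $out = Invoke-NtdsUtil 'activate instance ntds', 'files', 'integrity', 'quit', 'quit'
        if ($out -notmatch 'Integrity check successful') {
            Move-Item -Path $dit -Destination (Join-Path $TempDir 'ntds_failed.dit') -Force
            Move-Item -Path $orig -Destination $dit
            throw "Compacted DIT failed its integrity check; original put back.`n$out"
        }
        [pscustomobject]@{
            BeforeMB     = [math]::Round($before / 1MB)
            AfterMB      = [math]::Round((Get-Item -Path $dit).Length / 1MB)
            OriginalKept = $orig    # delete once the DC has run clean and been backed up
        }
    }
    finally {
        Start-Service -Name NTDS -ErrorAction Continue
    }
}

# Usage:
# Invoke-NtdsOfflineDefrag -TempDir 'D:\ntds-compact' -WhatIf   # preview and space check only
# Invoke-NtdsOfflineDefrag -TempDir 'D:\ntds-compact'
```

Running with -WhatIf performs the space check and nothing else, which is a cheap way to confirm the 115 percent rule on the chosen drive before scheduling the window.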

Discussion

Performing an offline defragmentation of your domain controllers can reclaim disk space if you’ve deleted a large number of objects from Active Directory. You should perform an offline defrag when (and if) this occurs only if you actively require the disk space back—for example, when following a spin-off in which you’ve migrated a large number of objects into a separate domain. The database will reuse whitespace and grow organically as required. Typically, the database grows year over year as more objects are added, so an offline defrag should seldom be required. An offline defrag always carries a small element of risk, so it should not be done unnecessarily.

The key thing to plan ahead of time is your disk space requirements. If you plan to create the compacted copy of the DIT on the same drive as the current DIT, you need to make sure that drive has 115 percent of the size of the DIT available. If you plan to store the original DIT on the same drive, you’ll need to make sure you have at least that much space available.

See Also

Checking the DIT File’s Integrity for checking the integrity of the DIT; MS KB 198793 (The Active Directory Database Garbage Collection Process); MS KB 229602 (Defragmentation of the Active Directory Database); MS KB 232122 (Performing Offline Defragmentation of the Active Directory Database)

Changing the Garbage Collection Interval

Problem

You want to change the default garbage collection interval.

Solution

Using a graphical user interface

  1. Open ADSI Edit.

  2. In the left pane, expand cn=Configuration→cn=Services→cn=Windows NT.

  3. Right-click on cn=Directory Service and select Properties.

  4. Edit the garbageCollPeriod attribute and set it to the interval in hours that the garbage collection process should run (the default is 12 hours).

  5. Click OK.

Using a command-line interface

Create an LDIF file called change_garbage_period.ldf with the following contents:

dn: cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<ForestRootDN>
changetype: modify
replace: garbageCollPeriod
garbageCollPeriod: <IntervalInHours>
-

Then run the following command:

> ldifde -v -i -f change_garbage_period.ldf

You can also modify the garbage collection period using AdMod:

> adfind -config -rb "cn=Directory Service,cn=Windows NT,cn=Services" -s base -dsq | admod garbageCollPeriod::<IntervalInHours>

Using Windows PowerShell

Set-ADObject "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<ForestRootDN>" -Replace @{"garbageCollPeriod"="<IntervalInHours>"}

Discussion

In an environment where the Active Directory Recycle Bin is not enabled, when an object is deleted from the Configuration naming context, a Domain naming context, or an application partition, the object is tombstoned by renaming the object, moving it to the Deleted Objects container, and clearing the value of most of its attributes to save space in the ntds.dit file. This tombstone object remains in Active Directory for the duration of the tombstone lifetime (180 days by default in forests created on Windows Server 2003 SP1 or later, including Windows Server 2012) before it gets completely removed. See Modifying the Tombstone Lifetime for a Domain for more information on the tombstone lifetime.

A garbage collection process runs on each domain controller that automatically removes expired tombstone objects. This process runs every 12 hours by default, but you can change it to run more or less frequently by setting the garbageCollPeriod attribute on the following object to the frequency in hours:

"cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<RootDomainDN>"

See Also

Logging the Number of Expired Tombstone Objects for logging the number of tombstones that get garbage-collected; Modifying the Tombstone Lifetime for a Domain for modifying the tombstone lifetime; MS KB 198793 (The Active Directory Database Garbage Collection Process)

Logging the Number of Expired Tombstone Objects

Problem

You want to log the number of expired tombstone objects that are removed from Active Directory during each garbage collection cycle.

Solution

Using a graphical user interface

  1. Run regedit.exe from the command line or from Start→Run.

  2. Expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.

  3. In the right pane, double-click on 6 Garbage Collection.

  4. For Value data, enter 3.

  5. Click OK.

Using a command-line interface

> reg add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "6 Garbage Collection" /t REG_DWORD /d 3 /f

Using PowerShell

$strRegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"
Set-ItemProperty -Path $strRegPath -Name "6 Garbage Collection" -Value 3

Discussion

Here is a sample event that is logged when the 6 Garbage Collection diagnostics logging level is set to 3 or higher:

Event Type:          Information
Event Source:        NTDS General
Event Category:      Garbage Collection
Event ID:            1006
Date:                11/24/2012
Time:                11:29:31 AM
User:                NT AUTHORITY\ANONYMOUS LOGON
Computer:            DC1
Description:
Internal event: Finished removing deleted objects that have expired (garbage
collection). Number of expired deleted objects that have been removed: 229.
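The following PowerShell is an added example, not the book's code, and serves both this recipe and Changing the Garbage Collection Interval. It sets the diagnostics level at the correct key (NTDS\Diagnostics, returning the previous value so it can be reverted), reads the forest's effective garbageCollPeriod and tombstoneLifetime from the Directory Service object, and summarizes what recent 1006 events report as removed. The function names and the default number of cycles are placeholders; the module requirement is the ActiveDirectory module.

```powershell
# Added example, not the book's code. Garbage-collection configuration and
# activity report for one DC. Assumes the ActiveDirectory module, rights to
# read the Directory Service log on the DC, and local Administrator rights
# for the registry change.
function Set-NtdsGarbageCollectionLogging {
    param([ValidateRange(0, 5)] [int] $Level = 3)
    # Diagnostics levels live under ...\NTDS\Diagnostics, not ...\NTDS\Parameters.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    $old = (Get-ItemProperty -Path $key).'6 Garbage Collection'
    Set-ItemProperty -Path $key -Name '6 Garbage Collection' -Value $Level -Type DWord
    [pscustomobject]@{ Previous = $old; Current = $Level }   # keep Previous so you can revert
}

function Get-NtdsGarbageCollectionReport {
    param([string] $Server = $env:COMPUTERNAME, [int] $Cycles = 14)
    $cfgNC = (Get-ADRootDSE -Server $Server).configurationNamingContext
    $ds = Get-ADObject -Server $Server -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" `
        -Properties garbageCollPeriod, tombstoneLifetime

    # Both attributes are optional. When absent, the DS uses 12 hours and 60 days
    # respectively: 60, not 180, is the fallback for a forest created before
    # Windows Server 2003 SP1 that never had tombstoneLifetime set explicitly.
    $period = if ($ds.garbageCollPeriod) { [int] $ds.garbageCollPeriod } else { 12 }
    $tsl    = if ($ds.tombstoneLifetime) { [int] $ds.tombstoneLifetime } else { 60 }

    # Event 1006 (level 3) states how many expired tombstones a cycle removed.
    $removed = @(Get-WinEvent -ComputerName $Server -MaxEvents $Cycles -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Directory Service'; Id = 1006 } |
        ForEach-Object {
            $m = [regex]::Match($_.Message, 'removed:\s*(\d+)')
            if ($m.Success) { [pscustomobject]@{ Time = $_.TimeCreated; Removed = [int] $m.Groups[1].Value } }
        })

    [pscustomobject]@{
        Server                         = $Server
        GarbageCollPeriodHours         = $period
        TombstoneLifetimeDays          = $tsl
        TombstoneLifetimeSetExplicitly = [bool] $ds.tombstoneLifetime
        CyclesSeen                     = $removed.Count
        TombstonesRemoved              = ($removed | Measure-Object -Property Removed -Sum).Sum
        LastCycle                      = if ($removed.Count) { $removed[0].Time } else { $null }
    }
}

# Usage:
# Set-NtdsGarbageCollectionLogging -Level 3      # run on the DC; note the Previous value
# Get-NtdsGarbageCollectionReport -Server 'dc1.adatum.com'
```

TombstoneLifetimeSetExplicitly is the value worth a second look in an old forest: a blank attribute does not mean 180 days, and a 60-day effective lifetime also shortens how long a backup stays restorable.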

See Also

Enabling Diagnostics Logging for more on diagnostics logging; Changing the Garbage Collection Interval for more on the garbage collection process

Determining the Size of the Active Directory Database

Problem

You want to determine the size of the Active Directory database.

Solution

Using a command-line interface

This recipe can be performed while the Active Directory Domain Services service is in a stopped state; it is not necessary to reboot the DC into DSRM. Once the service is stopped, you can display file information using the following syntax:

> ntdsutil
> activate instance ntds
> files
> info
> quit
> quit

When you are finished, don’t forget to restart the AD DS service, as well as any dependent services that halted when you stopped Active Directory Domain Services.

Discussion

The size of the Active Directory database on a domain controller is the size of the ntds.dit file. This file can vary slightly in size between domain controllers, even within the same domain, due to unreplicated changes, differences with nonreplicated data, and whitespace from purged objects.

You should monitor the size of this file on one or more domain controllers in each of your domains to ensure that you have adequate disk space. Also, by knowing the average size of your DIT, you can quickly recognize if it spikes dramatically, perhaps due to a new application that is writing data to the directory.

If you find that you are running out of disk space, you have a couple of options. You could move the Active Directory files to a new drive with more capacity. Alternatively, you can perform an offline defragmentation if the DIT file contains a lot of whitespace.

See Also

Moving the DIT Files for moving the DIT files; Determining How Much Whitespace Is in the DIT for determining how much whitespace is in the DIT; Performing an Offline Defrag to Reclaim Space for performing an offline defragmentation of the Active Directory database

Searching for Deleted Objects

Problem

You want to search for deleted objects.

Solution

Using a graphical user interface

  1. Launch the Active Directory Administrative Center.

  2. Select the domain and then navigate to the Deleted Objects container.

  3. Use the filter search bar to search through the deleted objects.

Using a command-line interface

To view all of the deleted objects in the current domain, use the following syntax:

> adfind -default -rb "cn=Deleted Objects" -showdel

You can also use the adrestore.exe utility from the Microsoft website by simply typing adrestore from the command line.

Using PowerShell

To view all of the deleted objects in the current domain, use the following PowerShell command:

Get-ADObject -Filter {isDeleted -eq $True} -IncludeDeletedObjects | Format-Table Name,objectClass

Discussion

When an object is deleted in Active Directory, it is not really deleted, at least not immediately. The object is renamed, most of its attributes are cleared, and it is moved to the Deleted Objects container within the naming context that it was deleted from. See this chapter’s Introduction for more on tombstone objects.

Note

Not all objects are moved to the Deleted Objects container. If you are unable to find a given deleted object, open the search scope to the whole naming context the object previously existed in.

Both the Deleted Objects container and tombstone objects themselves are hidden by default in tools such as ADUC and ADSI Edit. Only members of the administrator groups can perform searches for tombstone objects.

See Also

MSDN: Retrieving Deleted Objects

Undeleting a Single Object

Problem

You want to undelete an object that has been deleted from your Active Directory domain. This recipe assumes that the Active Directory Recycle Bin has been enabled. If you have not enabled the AD Recycle Bin, you can do so from the Tasks pane in the Active Directory Administrative Center.

Solution

Using a graphical user interface

  1. Launch the AD Administrative Center.

  2. Select the domain and navigate to the Deleted Objects container.

  3. Locate the deleted object in the container.

  4. Right-click the object and select Restore.

Using Windows PowerShell

To restore all deleted user objects, run the following PowerShell command:

Get-ADObject -Filter {(isDeleted -eq $true) -and (ObjectClass -eq "user") -and (ObjectClass -ne "computer")} -IncludeDeletedObjects | Restore-ADObject

The filter option can be expanded to reduce the number of objects returned, or to return only specific objects.

Discussion

Another option when restoring a single object is to perform a System State restore on a domain controller, and then to use ntdsutil to mark the individual object as authoritative. This has the downside of causing downtime on a domain controller, since you’ll need to reboot it into Directory Services Restore Mode to perform the restore.

Microsoft also offers the adrestore command-line utility that will enumerate the deleted objects in a domain and give you the option to undelete them.

See Also

“Step 2: Restore a Deleted Active Directory Object”; the other recipes in this chapter for more on AD backups, restores, snapshots, and disaster recovery

Undeleting a Container Object

Problem

You want to undelete a container object such as an OU that contained other objects when it was deleted.

Solution

Using a graphical user interface

Use the steps in Undeleting a Single Object to first undelete the container object. Then undelete each individual child object that was contained within the container, specifying the container’s DN in the restored object’s DN. Alternatively, perform a System State restore and use ntdsutil to mark the restored OU as authoritative, as described in Performing an Authoritative Restore of an Object or Subtree.

Note

Performing an authoritative restore of user or group objects will require additional considerations, as detailed in MS KB 280079 (Authoritative Restore of Groups Can Result in Inconsistent Membership Information Across Domain Controllers).

Using a command-line interface

Undelete the container first, then its children; the second command depends on the parent existing again:

> adfind -default -rb "cn=Deleted Objects" -f "(name=<ContainerRDN>*)" -showdel -dsq | admod -undel
> adfind -default -rb "cn=Deleted Objects" -f "(lastKnownParent=<ParentContainerDN>)" -showdel -dsq | admod -undel

Using Windows PowerShell

To restore all child objects of an organizational unit named Accounts, use the following command:

Get-ADObject -Filter {(isDeleted -eq $True) -and (lastKnownParent -eq "ou=Accounts,dc=adatum,dc=com")} -IncludeDeletedObjects | Restore-ADObject

Discussion

When you delete an Active Directory container object, it also deletes any child objects that are housed within that container. Restoring an OU and all of the child objects, for example, therefore requires you to restore both the container itself as well as all of the child objects contained within it. This is relatively simple to perform using Windows PowerShell since you can restrict your query to those objects that have the appropriate value listed in the lastKnownParent attribute.
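The following PowerShell is an added example, not the book's code, and serves both Searching for Deleted Objects and this recipe. The one-level command above is enough for a flat OU; once the deleted container held OUs of its own, each level must come back before the next, because Restore-ADObject places an object under its last known parent and fails if that parent does not exist. The function walks lastKnownParent depth first, restoring parent before children, and skips objects that have already been recycled (past msDS-DeletedObjectLifetime), which the Recycle Bin cannot bring back. The function names, the -DeletedAfter heuristic (ignore older deletions with the same last known parent), and all DNs and server names are assumptions of this example; it requires the AD Recycle Bin and the ActiveDirectory module.

```powershell
# Added example, not the book's code. Restore a deleted container and everything
# that was under it, parent first, recursing on lastKnownParent so nested OUs
# come back in the right order. Requires the AD Recycle Bin.
function Get-ADDeletedChildren {
    param(
        [Parameter(Mandatory)] [string] $ParentDN,        # DN the children had as parent when deleted
        [string]   $Server,
        [datetime] $DeletedAfter = [datetime]::MinValue   # heuristic: ignore older, unrelated deletions
    )
    Get-ADObject -Server $Server -IncludeDeletedObjects `
        -Filter { isDeleted -eq $true -and lastKnownParent -eq $ParentDN } `
        -Properties lastKnownParent, msDS-LastKnownRDN, isRecycled, objectClass, whenChanged |
        Where-Object { $_.whenChanged -ge $DeletedAfter }    # whenChanged is bumped by the deletion
}

function Restore-ADSubtree {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $DeletedObjectDN,   # e.g. 'OU=Accounts\0ADEL:<guid>,CN=Deleted Objects,DC=adatum,DC=com'
        [string]   $Server = (Get-ADDomainController -Discover -Writable).HostName,
        [datetime] $DeletedAfter = [datetime]::MinValue
    )
    $obj = Get-ADObject -Server $Server -Identity $DeletedObjectDN -IncludeDeletedObjects `
        -Properties lastKnownParent, msDS-LastKnownRDN, isRecycled
    $rdn = $obj.'msDS-LastKnownRDN'

    # Recycled objects have lost their attributes and cannot be restored by
    # Restore-ADObject; only a backup helps at that point.
    if ($obj.isRecycled) { throw "$rdn is recycled; Restore-ADObject cannot restore it" }

    # Restore-ADObject puts the object back under its last known parent, which
    # must exist now. For a child of a deleted OU, that is why the parent goes first.
    $parentDN = $obj.lastKnownParent
    if (-not (Get-ADObject -Server $Server -Identity $parentDN -ErrorAction SilentlyContinue)) {
        throw "Last known parent of $rdn does not exist (restore it first): $parentDN"
    }

    if (-not $PSCmdlet.ShouldProcess("$rdn under $parentDN", 'Restore')) { return }
    $restored = Restore-ADObject -Server $Server -Identity $obj.ObjectGUID -PassThru
    $restored

    # Children recorded this container's original DN as lastKnownParent, and that
    # is the DN it has again after the restore, so the same query finds them.
    foreach ($child in Get-ADDeletedChildren -ParentDN $restored.DistinguishedName -Server $Server -DeletedAfter $DeletedAfter) {
        if ($child.isRecycled) { Write-Warning "Skipping recycled object $($child.'msDS-LastKnownRDN')"; continue }
        Restore-ADSubtree -DeletedObjectDN $child.DistinguishedName -Server $Server -DeletedAfter $DeletedAfter
    }
}

# Usage (placeholder DN and server). -WhatIf previews the top-level restore only,
# because the children can only be located once the parent's DN exists again.
# Restore-ADSubtree -DeletedObjectDN 'OU=Accounts\0ADEL:...,CN=Deleted Objects,DC=adatum,DC=com' `
#     -Server 'dc1.adatum.com' -DeletedAfter (Get-Date).AddDays(-1) -WhatIf
```

Pin -Server to one writable DC for the whole run: the restore of the parent and the search for its children must see the same replica, or a child lookup can race ahead of replication and report the parent as missing.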

See Also

MSDN: Restoring Deleted Object [Active Directory]

Modifying the Tombstone Lifetime for a Domain

Problem

You want to change the default tombstone lifetime for a domain.

Solution

Using a graphical user interface

  1. Open ADSI Edit.

  2. In the left pane, expand cn=Configuration→cn=Services→cn=Windows NT.

  3. Right-click on cn=Directory Service and select Properties.

  4. Set the tombstoneLifetime attribute to the number of days that tombstone objects should remain in Active Directory before getting removed completely.

  5. Click OK.

Using a command-line interface

Create an LDIF file called change_tombstone_lifetime.ldf with the following contents:

dn: cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<ForestRootDN>
changetype: modify
replace: tombstoneLifetime
tombstoneLifetime: <NumberOfDays>
-

Then run the following command:

> ldifde -v -i -f change_tombstone_lifetime.ldf

You can also make this change using AdMod, as follows:

> admod -b "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<ForestRootDN>" tombstoneLifetime::<NumberOfDays>

Using PowerShell

Set-ADObject "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<ForestRootDN>" -Replace @{"tombstoneLifetime"="<NumberOfDays>"}

Discussion

The default tombstone lifetime for Windows 2008 and later is set to 180 days. Note that the attribute lives on the Directory Service object in the Configuration naming context, so despite the recipe’s title the value applies to every domain in the forest, not to one domain. It is not recommended that you decrease the tombstone lifetime unless you have a very good reason for doing so, since decreasing this value below the 180-day default also decreases the length of time a backup of Active Directory is good for: a backup older than the tombstone lifetime cannot safely be restored, because deletions it does not know about have already been garbage-collected elsewhere and would come back as lingering objects. See this chapter’s Introduction and Searching for Deleted Objects for more information on tombstone (deleted) objects and the tombstone lifetime.

See Also

Changing the Garbage Collection Interval for more on the garbage collection process; MS KB 198793 (The Active Directory Database Garbage Collection Process); MS KB 314282 (Lingering Objects May Remain After You Bring an Out-of-Date Global Catalog Server Back Online)
