5.6. Active Directory Maintenance

You need to perform two fairly common tasks on a somewhat regular basis to keep your Active Directory installation running at maximum performance and efficiency. In this section, I'll take a look at these two tasks, outline their responsibilities and actions, and then explain how to perform them.

5.6.1. Offline Defragmenting of NTDS Database

Like a hard disk, the database that holds all of the objects and information in Active Directory can become fragmented over time on a domain controller, because some parts of the directory are written to frequently while others are read from less often and get rearranged around them. Although you might think that defragmenting your hard drive would automatically defragment the NTDS.DIT file on your domain controller's disk, this just isn't the case.

Active Directory handles online defragmenting itself, and it does an adequate job. To really clean out the database, however, and defrag it for the maximum possible gain in efficiency, you need to take the domain controller offline so that the defragmenting process can have exclusive use of the database file. This requires four steps: first, reboot the domain controller in question and get it into Directory Services Restore Mode; second, perform the actual defragmentation; third, copy the defragmented database back into the production directory; and fourth, reboot the machine. (Replication to other domain controllers in Active Directory won't be affected, as Active Directory is smart enough to work around the downed domain controller, which will receive any changes when it is brought back online.)

Let's step through these steps now:

  1. Reboot your domain controller.

  2. As the domain controller begins to boot, press F8 to make the Startup menu appear.

  3. Select Directory Services Restore Mode.

  4. When the system prompts you to log in, use the domain administrator account, but use the restore mode password you created when you first promoted this domain controller to a domain controller role.

  5. Open a command prompt.

  6. Enter ntdsutil at the command prompt to start the offline NTDSUtil tool.

  7. Enter file to enter the file maintenance context.

  8. Type compact to <location>, where <location> signifies the path to the place where you want the defragmented copy of the directory stored. When defragmented, Active Directory makes a copy of the database so that if something goes wrong, you haven't messed up the production copy of the directory.

  9. Look for the line "Operation completed successfully in x seconds." If you see this, type quit to exit NTDSUtil.

  10. At the regular command prompt, copy the file NTDS.DIT from the location you selected in step 8 to \Windows\NTDS. Feel free to overwrite the current file at that location; it is the fragmented version.

  11. Delete any files with the extension .LOG in that same directory.

  12. Restart your domain controller and let Windows Server 2003 boot normally.

Your database is defragmented.
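As an added example (not from the book), here are steps 6 through 11 as a batch file for the DSRM command prompt; it keeps a copy of the original database and runs ntdsutil's integrity check after the copy, so a bad compaction can be rolled back before the reboot in step 12. It assumes the database sits in %SystemRoot%\NTDS and that C:\NTDS-Compact is free local scratch space.

```batch
@echo off
rem Offline defrag of NTDS.DIT with a backup copy and a post-copy integrity
rem check. Run from the command prompt in Directory Services Restore Mode.
rem Assumptions (not from the book): the database lives in %SystemRoot%\NTDS
rem and C:\NTDS-Compact is free scratch space on a local disk.
setlocal
set "NTDSDIR=%SystemRoot%\NTDS"
set "WORK=C:\NTDS-Compact"
if not exist "%WORK%" mkdir "%WORK%"

rem 1. Keep an untouched copy of the fragmented database so any failure
rem    below can be rolled back without a directory restore.
copy /y "%NTDSDIR%\ntds.dit" "%WORK%\ntds.dit.orig" >nul || exit /b 1

rem 2. Compact into the scratch folder (the files context of step 7). The
rem    commands are passed on the command line instead of typed in, and the
rem    output is kept so the success line from step 9 can be checked.
ntdsutil files "compact to %WORK%" quit quit > "%WORK%\compact.log" 2>&1
findstr /C:"Operation completed successfully" "%WORK%\compact.log" >nul || (
    echo Compaction failed; production database untouched. See compact.log
    exit /b 1
)
if not exist "%WORK%\ntds.dit" (echo No compacted file produced & exit /b 1)

rem 3. Replace the production database and remove the old transaction logs,
rem    which belong to the fragmented copy and must not be replayed.
copy /y "%WORK%\ntds.dit" "%NTDSDIR%\ntds.dit" >nul || exit /b 1
del /q "%NTDSDIR%\*.log"

rem 4. Verify the new database before rebooting; roll back if it fails.
ntdsutil files integrity quit quit > "%WORK%\integrity.log" 2>&1
findstr /C:"Operation completed successfully" "%WORK%\integrity.log" >nul || (
    echo Integrity check failed; restoring the original database
    copy /y "%WORK%\ntds.dit.orig" "%NTDSDIR%\ntds.dit" >nul
    exit /b 1
)
echo Defragmentation verified; reboot the domain controller normally.
```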

5.6.2. Cleaning Directory Metadata

As your Active Directory implementation ages, you'll probably be left with some junk: old computer accounts that refer to PCs you dumped a long time ago, domain controllers you removed from service without first decommissioning them within Active Directory, and other detritus. Every so often, it's a good idea to clean out this old data so that bugs that are hard to track (and therefore are hard to troubleshoot) don't pop up, and so that future major Active Directory actions, such as renaming or removing a domain, aren't held up because of a junked-up directory.

Let's say we have a child domain, called cluster.hasselltech.local, which we want removed. To do this, we again will use the NTDSUtil tool and its "metadata cleanup" feature. To begin, go to a domain controller and log in as an enterprise administrator. Then follow these steps:

  1. Open a command prompt.

  2. Type ntdsutil to open the program.

  3. Type metadata cleanup to enter that part of the program.

  4. Type connections to receive the Server Connections prompt.

  5. Enter connect to server localhost to initiate a connection with the current domain controller.

  6. Type quit to exit that module.

  7. Now, type select operation target and press Enter.

  8. Type list domains to get a list of domains.

  9. NTDSUtil will bring up a list of domains in your system. In our example, cluster.hasselltech.local comes up as domain 2. So, to set the domain in our sights to destroy, type select domain 2 and press Enter.

  10. Next, you'll need to determine the site in which cluster.hasselltech.local resides. Type list sites to bring up a list like you saw in steps 8 and 9.

  11. In our case, cluster.hasselltech.local resides in site CHARLOTTE, which comes up as site 3 in our list. So, type select site 3 and press Enter.

  12. Now you need to get rid of the domain controllers in that domain. Find out what those machines are by typing list servers for domain in site and pressing Enter.

  13. There are two domain controllers, numbered 0 and 1. You need to get rid of both, so type select server 0 and press Enter.

  14. Type quit, and then type remove selected server. Confirm your choice.

  15. Type select server 1 and press Enter.

  16. Type remove selected server, and again confirm your choice.

  17. Finally, type remove selected domain and press Enter.

  18. Type quit to exit out of NTDSUtil.
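Selecting objects by bare index number is where this procedure can go wrong, since the numbers are positional and change as the forest changes. As an added example (not from the book), this batch file resolves the domain and site indexes from ntdsutil's own listings by distinguished name and stops before the destructive steps 13 through 17, which stay interactive. It assumes the listings print one object per line as "N - <distinguished name>" and that hasselltech.local is the forest root.

```batch
@echo off
rem Resolve the ntdsutil index numbers by name before any removal, so the
rem "select domain N" / "select site N" steps cannot pick the wrong object.
rem Added example, not from the book. Assumptions: ntdsutil's "list" output
rem has the form "N - <distinguished name>" (one object per line), and the
rem target domain and site DNs below belong to the example forest.
setlocal
set "TARGET_DOMAIN=DC=cluster,DC=hasselltech,DC=local"
set "TARGET_SITE=CN=CHARLOTTE,CN=Sites,CN=Configuration,DC=hasselltech,DC=local"
set "OUT=%TEMP%\mdcleanup"
if not exist "%OUT%" mkdir "%OUT%"
set MC=ntdsutil "metadata cleanup" connections "connect to server localhost" quit "select operation target"

rem 1. Read-only enumeration of domains and sites (steps 8 and 10).
%MC% "list domains" quit quit quit > "%OUT%\domains.txt" 2>&1
%MC% "list sites" quit quit quit > "%OUT%\sites.txt" 2>&1
call :resolve DOMIDX "%OUT%\domains.txt" "- %TARGET_DOMAIN%" || exit /b 1
call :resolve SITEIDX "%OUT%\sites.txt" "- %TARGET_SITE%" || exit /b 1

rem 2. Select the resolved objects and list their domain controllers
rem    (steps 9 through 12); nothing is removed here.
%MC% "select domain %DOMIDX%" "select site %SITEIDX%" "list servers for domain in site" quit quit quit > "%OUT%\servers.txt" 2>&1
echo Domain index %DOMIDX%, site index %SITEIDX%. Domain controllers found:
findstr /R /C:"^[0-9][0-9]* - " "%OUT%\servers.txt"
echo Review the list, then run the remove steps interactively in ntdsutil.
goto :eof

:resolve
rem %1 = variable to set, %2 = listing file, %3 = literal text to match.
set "%1="
set HITS=0
for /f "tokens=1" %%I in ('findstr /I /C:"%~3" "%~2"') do (
    set "%1=%%I"
    set /a HITS+=1
)
if not "%HITS%"=="1" (
    echo Expected exactly one match for "%~3" in %~2, found %HITS%; stopping.
    exit /b 1
)
exit /b 0
```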



Source: Learning Windows Server 2003 (ISBN 0596101236, 2003, 149 pages)
