Overview
Introduction to Maintaining the Active Directory Database
The Active Directory (AD) database, stored in the NTDS.dit file on every domain controller, is the
core of an Active Directory environment. It stores all directory objects, such as users,
groups, computers, organizational units (OUs), and security policies. Maintaining this database is
crucial to ensure its integrity, performance, and availability.
The Process of Modifying Data in Active Directory
The Garbage Collection Process
Runs Periodically on Every Domain Controller
Evaluates and Deletes Tombstones
Defragments the Active Directory Database Online (Reclaims Space Inside the File Without Shrinking It)
Backing Up Active Directory
Active Directory and the SYSVOL folder on a domain controller
The registry, system startup files, and class registration database on all computers
The Certificate Services database on certificate servers
To Back Up Active Directory
Start the Backup utility
Open the Backup wizard
Select a method to back up the system state data
Restoring Active Directory
What Is a Nonauthoritative Restore?
A Nonauthoritative Restore Reinstates the Active Directory Data to the State It Was in When the Backup Was Taken
Distributed Services Are Restored from Backup Media and the Restored Data Is Then Updated Through Replication
Backup Performs Only a Nonauthoritative Restore of Active Directory
After Restoring Active Directory, Windows 2000 Automatically:
Performs a consistency check, and recalculates the indexes in the database
Updates Active Directory and FRS
Performing a Nonauthoritative Restore
Active Directory Can Be Restored While Replacing a Failed Domain Controller and When Repairing a Damaged Active Directory Database
The Active Directory Database Cannot Be Running When You Restore Active Directory Files
The Backup of the System State Data Cannot Be Older Than the Tombstone Lifetime (60 Days by Default)
To Restore Active Directory Nonauthoritatively
Restart the domain controller
Select Directory Services Restore Mode
Log on to Windows 2000 by using the local SAM (Directory Services Restore Mode administrator) account
Restore the system state
Restart the domain controller normally
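As an added worked example (not part of the original module), the following PowerShell reads the tombstoneLifetime and garbageCollPeriod values the garbage collection process depends on, takes a system state backup with the ntbackup command-line interface, and checks that a backup is still younger than the tombstone lifetime before it is used for a nonauthoritative restore. The backup path E:\Backups\sysstate.bkf is an assumption; the defaults of 60 days and 12 hours apply when the attributes are not set. On Windows 2000 itself, where PowerShell is not available, the same ntbackup command is typed at the command prompt.

```powershell
# Added example: garbage-collection settings, system state backup, and the
# backup-age check that must pass before a nonauthoritative restore.
# The paths used below are assumptions for illustration only.

function Get-AdGarbageCollectionSettings {
    # Both values live on the Directory Service object in the configuration
    # naming context. Unset attributes mean the defaults apply
    # (tombstoneLifetime 60 days, garbageCollPeriod 12 hours).
    $rootDse  = [adsi]'LDAP://RootDSE'
    $configNc = $rootDse.configurationNamingContext
    $dsObject = [adsi]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"

    $tsl = $dsObject.Properties['tombstoneLifetime'].Value
    $gcp = $dsObject.Properties['garbageCollPeriod'].Value
    $tslDays  = if ($tsl) { [int]$tsl } else { 60 }
    $gcpHours = if ($gcp) { [int]$gcp } else { 12 }
    New-Object PSObject -Property @{
        TombstoneLifetimeDays  = $tslDays
        GarbageCollPeriodHours = $gcpHours
    }
}

function Backup-SystemState {
    param(
        [Parameter(Mandatory=$true)][string]$BackupFile,   # assumed: E:\Backups\sysstate.bkf
        [string]$JobName = 'DC system state'
    )
    # ntbackup's command-line form: back up the System State (Active Directory,
    # SYSVOL, registry, boot files, class registration database) to a .bkf file.
    # ntbackup is a GUI executable, so wait for it explicitly to get an exit code.
    $args = @('backup', 'systemstate', '/J', "`"$JobName`"", '/F', "`"$BackupFile`"")
    $p = Start-Process -FilePath 'ntbackup.exe' -ArgumentList $args -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "ntbackup failed with exit code $($p.ExitCode)" }
    Get-Item $BackupFile
}

function Test-BackupWithinTombstoneLifetime {
    param(
        [Parameter(Mandatory=$true)][datetime]$BackupTime,
        [int]$TombstoneLifetimeDays = 60,
        [datetime]$Now = (Get-Date)
    )
    # A backup older than the tombstone lifetime must not be restored: the
    # restored DC would never learn about deletions whose tombstones have
    # already been garbage-collected, and those objects would linger.
    $ageDays = ($Now - $BackupTime).TotalDays
    New-Object PSObject -Property @{
        BackupTime            = $BackupTime
        BackupAgeDays         = [math]::Round($ageDays, 1)
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        Usable                = ($ageDays -lt $TombstoneLifetimeDays)
    }
}

# Usage (run on the domain controller; drop the Backup-SystemState line to
# check an existing backup file instead of taking a new one):
$settings = Get-AdGarbageCollectionSettings
$backup   = Backup-SystemState -BackupFile 'E:\Backups\sysstate.bkf'
$check    = Test-BackupWithinTombstoneLifetime -BackupTime $backup.LastWriteTime `
                -TombstoneLifetimeDays $settings.TombstoneLifetimeDays
if (-not $check.Usable) {
    Write-Warning ("Backup is {0} days old, older than the tombstone lifetime of {1} days; take a new backup instead of restoring this one." -f $check.BackupAgeDays, $check.TombstoneLifetimeDays)
}
$check
```

The age check uses the file's last-write time as the backup time; if the .bkf has been copied between volumes, read the time from the backup catalog instead, since a copy may carry a newer timestamp than the data it holds.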
What Is an Authoritative Restore?
An Authoritative Restore Allows You to Mark Specific Information in the Database
Authoritative Restore Occurs After Nonauthoritative Restore Has Been Performed
The Version Number of Each Object Marked As Authoritative Is Increased by 100,000 for Each Day That Has Elapsed Since the Backup Was Taken
The Domain Controller with the Higher Version Number for the Same Object Replicates over the Domain Controller with the Lower Version Number
Performing an Authoritative Restore
Start the domain controller, and then select Directory Services Restore Mode
Restore Active Directory (the system state data), but do not restart the computer
Run Ntdsutil.exe
Switch to the authoritative restore prompt
Provide the distinguished name of the object
Exit Ntdsutil
Restart the domain controller normally
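The procedure above, scripted as an added example that is not part of the original module: it drives ntdsutil's authoritative restore prompt from PowerShell and shows how far the marked objects' version numbers are pushed ahead so that they win replication. It must run in Directory Services Restore Mode after the system state has been restored and before the normal restart. The OU distinguished name, the backup date, the per-day rounding and the text ntdsutil prints on success are assumptions; newer ntdsutil versions also show a Yes/No confirmation dialog that must be answered by hand.

```powershell
# Added example: authoritative restore of one object or subtree via ntdsutil,
# plus the version-number increment that makes the restored copy authoritative.
# Run in Directory Services Restore Mode, after restoring the system state and
# BEFORE restarting normally. DN and dates below are assumptions.

function Get-AuthoritativeVersionIncrement {
    param(
        [Parameter(Mandatory=$true)][datetime]$BackupTime,
        [datetime]$Now = (Get-Date)
    )
    # The version number rises by 100,000 for each day since the backup, so a
    # change made on another DC in the meantime (a few increments at most)
    # loses to the restored copy. Rounding up to whole days is an assumption.
    $days = [math]::Ceiling(($Now - $BackupTime).TotalDays)
    if ($days -lt 1) { $days = 1 }
    100000 * $days
}

function Restore-AdObjectAuthoritative {
    param(
        [Parameter(Mandatory=$true)][string]$DistinguishedName,
        [switch]$Subtree   # mark the object and everything beneath it
    )
    # ntdsutil reads from standard input the same lines you would type at its
    # prompts (assumption: non-interactive use is supported on your version).
    $verb = if ($Subtree) { 'restore subtree' } else { 'restore object' }
    $commands = @(
        'authoritative restore',
        ('{0} "{1}"' -f $verb, $DistinguishedName),
        'quit',
        'quit'
    )
    $output = $commands | & ntdsutil.exe 2>&1 | Out-String

    # ntdsutil reports how many records it marked (assumed message text);
    # anything else is treated as failure so the DC is not restarted blindly.
    if ($output -match 'Successfully updated (\d+) records') {
        return [int]$matches[1]
    }
    throw "Authoritative restore of $DistinguishedName did not report success:`n$output"
}

# Usage (assumed DN and backup time):
$dn        = 'OU=Sales,DC=contoso,DC=com'
$increment = Get-AuthoritativeVersionIncrement -BackupTime ([datetime]'2004-03-01')
Write-Host ("Marked objects will have their version numbers raised by {0}" -f $increment)
$count = Restore-AdObjectAuthoritative -DistinguishedName $dn -Subtree
Write-Host ("ntdsutil marked {0} record(s) under {1} as authoritative; restart normally to replicate them out." -f $count, $dn)
```

Mark only the objects you actually need back: a subtree restore also reverts every attribute change made under that OU since the backup, including password changes and group membership edits, and those reversals replicate to every other domain controller.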
Moving the Active Directory Database
Back up Active Directory
Restart the domain controller, and then select Directory Services Restore Mode
Log on by using the local SAM (Directory Services Restore Mode administrator) account
Run the ntdsutil command
Switch to the files prompt
Move the database: type move DB to <drive>:\<directory>
Type quit twice to return to the command prompt
Restart the domain controller normally
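The move procedure above as an added example (PowerShell wrapper around ntdsutil, not code from the original module), with the pre-flight and post-move checks a practitioner wants: the target must be a local NTFS volume with room for the file, and after the move the registry path the directory service reads at startup must point at the new location. It runs in Directory Services Restore Mode after a system state backup; the target path D:\NTDS is an assumption.

```powershell
# Added example: move NTDS.dit (and optionally the transaction logs) with
# ntdsutil and verify the result before restarting. Run in Directory Services
# Restore Mode after backing up the system state. D:\NTDS is an assumed path.

function Move-AdDatabase {
    param(
        [Parameter(Mandatory=$true)][string]$TargetDirectory,
        [switch]$MoveLogs   # also issue "move logs to <dir>"
    )
    # The DSA finds its files through these registry values; ntdsutil rewrites
    # them as part of the move, which is why a plain file copy is not enough.
    $ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $currentDit = (Get-ItemProperty $ntdsParams).'DSA Database file'

    # Pre-flight: local NTFS volume with at least the current file size free.
    $drive = [System.IO.Path]::GetPathRoot($TargetDirectory).TrimEnd('\')
    $vol = Get-WmiObject Win32_LogicalDisk -Filter ("DeviceID='{0}'" -f $drive)
    if (-not $vol -or $vol.FileSystem -ne 'NTFS') { throw "$drive is not a local NTFS volume" }
    if ($vol.FreeSpace -lt (Get-Item $currentDit).Length) { throw "Not enough free space on $drive" }

    # Same lines as typed at the ntdsutil prompts, fed through standard input
    # (assumption: non-interactive use is supported on your version).
    $commands = @('files', "move DB to $TargetDirectory")
    if ($MoveLogs) { $commands += "move logs to $TargetDirectory" }
    $commands += 'quit', 'quit'
    $output = $commands | & ntdsutil.exe 2>&1 | Out-String

    # Verify: registry now points into the target and the file exists there.
    $newDit = (Get-ItemProperty $ntdsParams).'DSA Database file'
    if (-not $newDit.StartsWith($TargetDirectory, 'OrdinalIgnoreCase') -or -not (Test-Path $newDit)) {
        throw "Move did not complete as expected:`n$output"
    }
    New-Object PSObject -Property @{
        OldPath  = $currentDit
        NewPath  = $newDit
        LogsPath = (Get-ItemProperty $ntdsParams).'Database log files path'
    }
}

# Usage: move database and logs together to the assumed target.
Move-AdDatabase -TargetDirectory 'D:\NTDS' -MoveLogs
```

After the move, confirm that the new directory carries the same restrictive permissions as the old one (Administrators and SYSTEM only); NTDS.dit holds every password hash in the domain, and a move to a directory with a looser inherited ACL would expose them to anyone with local file access.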
Defragmenting the Active Directory Database
What Is Defragmentation?
Defragmentation Rearranges How the Data Is Stored in the Active Directory Database
Defragmentation Can Occur Online or Offline
Online Defragmentation Effectively Rearranges Pages Within the Database
Offline Defragmentation Rearranges Pages Within the Database and Creates a New, Compacted Version of the Database File
Defragmenting a Database
Back up Active Directory
Restart the domain controller
Select Directory Services Restore Mode
Log on by using the local SAM (Directory Services Restore Mode administrator) account
Run the ntdsutil command
Switch to the files prompt
Compact the database: type compact to <drive>:\<directory>
Type quit twice to return to the command prompt
Copy the new NTDS.DIT file over the old NTDS.DIT file, and delete the old transaction log files (*.log) from the log directory
Restart the domain controller normally
Best Practices
The Tombstone Lifetime Interval Should Not Be Reduced
Separate the Database and Log Files
Back Up the System State Data of Domain Controllers Frequently
Perform Offline Defragmentation Only if You Can Recover a Significant Amount of Hard Disk Space
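The defragmentation procedure above and the last best practice, as one added example that is not part of the original module: it first measures how much reclaimable space the database holds, compacts only when that share is large enough, then swaps the files, deletes the old logs and runs ntdsutil's integrity check before the normal restart. Assumptions: event 1646 in the Directory Service log reports the free space when the NTDS diagnostics value "6 Garbage Collection" is set to 1, ntdsutil prints "Integrity check successful" on success, D:\Compact is the scratch directory, and 25% is the policy threshold for going offline.

```powershell
# Added example: measure database whitespace, compact NTDS.dit with ntdsutil
# only when worthwhile, swap the files, drop old logs, verify integrity.
# Run in Directory Services Restore Mode after backing up the system state.
# D:\Compact, the 25% threshold and the ntdsutil/event texts are assumptions.

function Get-AdDatabaseWhitespaceMB {
    # With Garbage Collection diagnostic logging at level 1, each pass logs
    # event 1646 with the free space inside the database file (assumed text).
    $evt = Get-EventLog -LogName 'Directory Service' -Newest 500 -ErrorAction SilentlyContinue |
           Where-Object { $_.EventID -eq 1646 } | Select-Object -First 1
    if (-not $evt) { return $null }
    if ($evt.Message -match 'Free hard disk space \(MB\):\s*(\d+)') { return [int]$matches[1] }
    return $null
}

function Test-OfflineDefragWorthwhile {
    param([int]$FreeMB, [int]$DitSizeMB, [int]$MinimumPercent = 25)
    # Online defragmentation already reuses this space; going offline only
    # pays off when a large share of the file would actually be returned.
    if ($DitSizeMB -le 0) { return $false }
    return ((100 * $FreeMB / $DitSizeMB) -ge $MinimumPercent)
}

function Invoke-AdDatabaseCompaction {
    param([Parameter(Mandatory=$true)][string]$ScratchDirectory)
    $ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dit    = (Get-ItemProperty $ntdsParams).'DSA Database file'
    $logDir = (Get-ItemProperty $ntdsParams).'Database log files path'
    if (-not (Test-Path $ScratchDirectory)) { New-Item -ItemType Directory -Path $ScratchDirectory | Out-Null }

    # 1. Write a compacted copy into the scratch directory; the original is untouched.
    $out = @('files', "compact to $ScratchDirectory", 'quit', 'quit') | & ntdsutil.exe 2>&1 | Out-String
    $newDit = Join-Path $ScratchDirectory 'ntds.dit'
    if (-not (Test-Path $newDit)) { throw "Compaction produced no file:`n$out" }

    # 2. Replace the live file and remove the old transaction logs, which
    #    belong to the pre-compaction file and must not be replayed into it.
    Copy-Item $newDit $dit -Force
    Remove-Item (Join-Path $logDir '*.log') -Force

    # 3. Integrity check on the file now in place (assumed success text).
    $check = @('files', 'integrity', 'quit', 'quit') | & ntdsutil.exe 2>&1 | Out-String
    if ($check -notmatch 'Integrity check successful') {
        throw "Integrity check failed; restore the system state backup taken before this step:`n$check"
    }
    New-Object PSObject -Property @{
        Path   = $dit
        SizeMB = [int]((Get-Item $dit).Length / 1MB)
    }
}

# Usage: measure first, compact only when the reclaimable share is significant.
$dit    = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
$sizeMB = [int]((Get-Item $dit).Length / 1MB)
$freeMB = Get-AdDatabaseWhitespaceMB
if ($freeMB -eq $null) {
    Write-Warning 'No event 1646 found; enable Garbage Collection diagnostic logging and wait for a pass.'
} elseif (Test-OfflineDefragWorthwhile -FreeMB $freeMB -DitSizeMB $sizeMB) {
    Invoke-AdDatabaseCompaction -ScratchDirectory 'D:\Compact'
} else {
    Write-Host ("Only {0} MB of {1} MB reclaimable; skipping offline defragmentation." -f $freeMB, $sizeMB)
}
```

The compacted copy left in the scratch directory is a complete, readable copy of the directory database, password hashes included; delete it once the swap has been verified rather than leaving it on a volume with broader permissions than the NTDS directory.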