Module 13: Maintaining the Active Directory Database in Windows Server
The Active Directory database (NTDS.dit) is the core of your Windows Server domain infrastructure. It contains all objects like users, computers, groups, and policies. Regular maintenance is critical for performance, stability, and data integrity.
Where Is the AD Database Stored?
The main database file is located at:
C:\Windows\NTDS\NTDS.dit
Key AD Database Maintenance Tasks
1. Monitoring Database Health
Use tools like:
- dcdiag: tests domain controller health
- Event Viewer → Directory Service log: look for error/warning events related to replication or NTDS
💡 Set up alerts for Event IDs such as 2108, 1084, or 2042
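The monitoring step above, automated as an added example (not code from the original module): it summarises the Directory Service log for the three event IDs the module names plus any error or warning, then runs dcdiag. It assumes it runs locally on a DC; the 24-hour lookback window is an assumption.

```powershell
# Added example: scan the Directory Service log for the module's watched event IDs and
# every Critical/Error/Warning, then run dcdiag in quiet mode. Runs locally on a DC.
param(
    [int]   $LookbackHours = 24,                   # assumption: one day of history
    [int[]] $WatchEventIds = @(2108, 1084, 2042)   # IDs called out in the module
)

$since  = (Get-Date).AddHours(-$LookbackHours)
$filter = @{ LogName = 'Directory Service'; StartTime = $since }

# Levels 1-3 are Critical, Error and Warning; watched IDs are kept whatever their level.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
          Where-Object { ($_.Level -in 1, 2, 3) -or ($_.Id -in $WatchEventIds) }

# One row per event ID: how often it fired, when it was last seen, first line of the text
$summary = $events | Group-Object Id | ForEach-Object {
    $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
    [pscustomobject]@{
        EventId  = [int]$_.Name
        Count    = $_.Count
        LastSeen = $latest.TimeCreated
        Watched  = ([int]$_.Name -in $WatchEventIds)
        Message  = ($latest.Message -split "`r?`n")[0]
    }
} | Sort-Object Watched, Count -Descending

if ($summary) {
    $summary | Format-Table -AutoSize
} else {
    "No Directory Service errors, warnings or watched events since $since"
}

# dcdiag /q prints only failures, so empty output means every test passed
$dcdiag = & dcdiag.exe /q 2>&1
if ($dcdiag) {
    Write-Warning 'dcdiag reported problems:'
    $dcdiag
} else {
    'dcdiag /q: no failures reported'
}
```

Watched IDs sort to the top even when they fired only once, so a single 2042 is not buried under routine warnings.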
2. Backing Up the AD Database
Back up the system state regularly using:
- Windows Server Backup (wbadmin)
- Third-party solutions (Veeam, Acronis, etc.)
PowerShell Example:
wbadmin start systemstatebackup -backupTarget:D: -quiet
3. Performing Offline Defragmentation
Over time, the database becomes fragmented. To reduce its size and improve performance:
Steps:
- Reboot the DC into Directory Services Restore Mode (DSRM)
- Run ntdsutil
- Use the following commands:
ntdsutil
activate instance ntds
files
compact to D:\ADCompact
- Replace the old NTDS.dit with the compacted one (after taking a backup).
⚠️ Warning: Only perform this during a planned maintenance window.
4. Cleaning Up Metadata and Orphaned Objects
Use ntdsutil to remove:
- Stale domain controller entries
- Unused metadata from demoted or failed DCs
ntdsutil
metadata cleanup
Introduction to Maintaining the Active Directory Database
The Active Directory (AD) database, formally known as the NTDS.dit file, is the core of an Active Directory environment. It stores all directory objects such as users, groups, computers, organizational units (OUs), and security policies. Maintaining this database is crucial to ensure its integrity, performance, and availability.
The Process of Modifying Data in Active Directory: How Changes Are Handled
Active Directory (AD) is a distributed database that stores and manages information about networked resources. When an object—such as a user, group, or computer—is modified, AD follows a multi-step process to ensure the change is applied correctly and consistently across all domain controllers (DCs).
What Can Be Modified in AD?
Common directory object modifications include:
- Updating user attributes (name, password, group membership)
- Creating or deleting OUs
- Moving objects between containers
- Changing group policies
- Modifying computer accounts
Step-by-Step: How Modifications Happen in Active Directory
1. Client Sends a Request
A user or admin (via GUI, script, or PowerShell) initiates a change—for example, modifying a user’s department.
2. DC Receives and Processes the Update
The domain controller where the change was made logs the modification in its local NTDS.dit database and updates the Update Sequence Number (USN).
3. Replication Is Triggered
Once the change is committed, AD’s multi-master replication model ensures the update is replicated to other domain controllers.
Replication occurs:
- Immediately within the same site (intra-site)
- On schedule between sites (inter-site)
4. Conflict Resolution (If Needed)
If the same attribute of an object was modified on multiple DCs before the change replicated, AD resolves the conflict per attribute using the change stamp: the attribute's version number first, then the originating timestamp, then the originating DC's invocation ID (GUID). In practice this favors the most recent change.
5. Change Propagates Across Domain
Other domain controllers apply the change to their local databases, ensuring consistency across the network.
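An added example (not part of the original module) that makes steps 2 to 5 observable: it reads the replication metadata of one attribute before and after a write, then asks every other DC whether it already holds the new version. It assumes the ActiveDirectory RSAT module; the account jdoe and the department value are constructed placeholders.

```powershell
# Added example: watch how one attribute write is stamped for replication (version, USN,
# originating DC) and whether the other DCs have applied it yet. Requires RSAT AD module.
Import-Module ActiveDirectory
$sam       = 'jdoe'          # constructed placeholder account
$attribute = 'department'

$dc   = (Get-ADDomainController -Discover -Writable).HostName[0]
$user = Get-ADUser -Identity $sam -Server $dc

function Get-AttrStamp {
    # Replication metadata for a single attribute as recorded on $dc
    Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName -Server $dc -Properties $attribute |
        Select-Object Version, LocalChangeUsn, LastOriginatingChangeUsn,
                      LastOriginatingChangeDirectoryServerIdentity, LastOriginatingChangeTime
}

$before = Get-AttrStamp
Set-ADUser -Identity $sam -Department 'Finance' -Server $dc   # steps 1-2: the write lands on $dc
$after  = Get-AttrStamp

# The version increments once per originating write and the local USN advances. Partners
# compare these stamps, not the attribute value, when deciding whether to apply the change.
[pscustomobject]@{
    Attribute       = $attribute
    VersionBefore   = $before.Version
    VersionAfter    = $after.Version
    LocalUsnAfter   = $after.LocalChangeUsn
    OriginatingDC   = $after.LastOriginatingChangeDirectoryServerIdentity
    OriginatingTime = $after.LastOriginatingChangeTime
}

# Steps 3 and 5: a DC that reports the same (or higher) version has received the change.
# Intra-site partners catch up within seconds; inter-site partners wait for their schedule.
Get-ADDomainController -Filter * | Where-Object HostName -ne $dc | ForEach-Object {
    $remote = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
                  -Server $_.HostName -Properties $attribute
    [pscustomobject]@{
        DC         = $_.HostName
        Version    = $remote.Version
        Replicated = ($remote.Version -ge $after.Version)
    }
}
```

Re-run the last block after a few seconds (or after the inter-site schedule fires) to see Replicated flip to True on each DC.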
Understanding the Garbage Collection Process in Active Directory
Garbage Collection (GC) is an internal cleanup process in Active Directory that permanently removes deleted (tombstoned) objects from the AD database after a defined retention period. It helps optimize database size, maintain performance, and keep the directory consistent.
How Object Deletion Works in Active Directory
When you delete an object (e.g., a user or computer), it isn’t immediately erased from the database. Instead, it is:
- Marked as a tombstone object
- Hidden from directory searches
- Retained for a specific period (called the tombstone lifetime)
After that period, Garbage Collection runs and removes these tombstoned objects permanently.
When Does Garbage Collection Run?
By default, Garbage Collection runs every 12 hours on each domain controller.
You can view or adjust this schedule in the registry:
Registry Path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
- Runs Periodically on Every Domain Controller
- Evaluates and Deletes Tombstones
- Defragments the Active Directory Database
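An added example (not from the original module) that reads the values the garbage collector works from, counts the tombstones its next pass will purge, and applies the restore rule that a system state backup must be younger than the tombstone lifetime. It assumes the ActiveDirectory RSAT module; $LastBackupTime is a constructed sample value (take the real one from wbadmin get versions or repadmin /showbackup).

```powershell
# Added example: tombstone lifetime and garbage collection interval from the forest's
# Directory Service object, tombstones due for purge, and backup-age check. RSAT AD module.
Import-Module ActiveDirectory
$LastBackupTime = Get-Date '2025-01-10 02:00'     # constructed sample value

$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObj    = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                -Properties tombstoneLifetime, garbageCollPeriod

# Unset attributes mean the built-in defaults: 60 days for forests created before Windows
# Server 2003 SP1 (newer forests write 180 explicitly) and a 12-hour collection interval.
$tombstoneDays = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }
$gcHours       = if ($dsObj.garbageCollPeriod) { [int]$dsObj.garbageCollPeriod } else { 12 }

# Tombstones live in the Deleted Objects container with isDeleted=TRUE. whenChanged approximates
# the deletion time; anything older than the lifetime is removed on the next collection pass.
# (With the AD Recycle Bin enabled, deleted objects pass through a restorable stage first.)
$cutoff     = (Get-Date).AddDays(-$tombstoneDays)
$tombstones = Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties whenChanged
$due        = $tombstones | Where-Object { $_.whenChanged -lt $cutoff }

$backupAge = (Get-Date) - $LastBackupTime
[pscustomobject]@{
    TombstoneLifetimeDays  = $tombstoneDays
    GarbageCollectionHours = $gcHours
    TombstonesTotal        = @($tombstones).Count
    TombstonesDueForPurge  = @($due).Count
    BackupAgeDays          = [math]::Round($backupAge.TotalDays, 1)
    BackupRestorable       = ($backupAge.TotalDays -lt $tombstoneDays)
}

if ($backupAge.TotalDays -ge $tombstoneDays) {
    Write-Warning ('Backup is older than the tombstone lifetime: restoring it would reintroduce ' +
                   'objects the other DCs have already purged (lingering objects). Take a fresh backup.')
}
```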
Backing Up Active Directory: Methods, Best Practices & Recovery Tips
Active Directory (AD) is the backbone of identity, authentication, and authorization in a Windows Server environment. Without reliable backups, any corruption or failure could result in significant downtime or data loss.
Backing up AD ensures you can:
- Recover from server failure
- Restore deleted users, groups, or GPOs
- Rebuild a domain controller
- Maintain business continuity
What to Back Up in Active Directory
To fully protect AD, you need to back up the System State, which includes:
- Active Directory database (NTDS.dit)
- SYSVOL folder (Group Policies and logon scripts)
- Registry
- Boot files
- Certificate Services (if installed)
- COM+ Class Registration database
How to Back Up Active Directory
Using Windows Server Backup (GUI Method)
- Open Windows Server Backup
- Select Backup Once or Backup Schedule
- Choose Custom > Add System State
- Select a destination drive (preferably external or network)
- Start the backup
- Active Directory and the SYSVOL folder on a domain controller
- The registry, system startup files, and class registration database on all computers
- The Certificate Services database on certificate servers
- Start the Backup utility
- Open the Backup wizard
- Select a method to back up the system state data
Restoring Active Directory: Step-by-Step Recovery Guide for Windows Server
Why Restore Active Directory?
Restoring Active Directory (AD) is crucial when:
- A domain controller fails
- The AD database becomes corrupted
- Critical objects (users, OUs, GPOs) are accidentally deleted
- A ransomware or malware incident impacts the system state
Types of Active Directory Restore
Non-Authoritative Restore
- Used when a DC fails or becomes corrupted
- Restores AD data to a previous state
- Other domain controllers overwrite it with the latest replicated data
✅ Best for restoring a failed domain controller
Authoritative Restore
- Used to recover deleted AD objects such as OUs or users
- Prevents restored objects from being overwritten by replication
✅ Best for recovering accidentally deleted data
Pre-Restore Requirements
Before restoring, ensure:
- You have a recent system state backup
- You know the DSRM (Directory Services Restore Mode) password
- The target server has matching OS and domain settings
How to Perform a Non-Authoritative Restore (Step-by-Step)
- Reboot the domain controller: press F8 during startup → choose Directory Services Restore Mode (DSRM)
- Log in with the DSRM account: this is the local administrator password set during DC promotion
- Launch Windows Server Backup or PowerShell
  GUI: Restore → System State
  PowerShell:
wbadmin start systemstaterecovery -version:<BackupVersion> -quiet
- Restart the server normally: AD will replicate the missing changes from other domain controllers
How to Perform an Authoritative Restore (Step-by-Step)
Use this when specific objects (such as an entire OU) were deleted and the restored copies must override replication.
- Follow steps 1–3 above (the non-authoritative restore, without the final restart)
- After the restore completes, open Command Prompt and run:
ntdsutil
- Enter the authoritative restore context and mark the subtree:
authoritative restore
restore subtree "OU=Sales,DC=yourdomain,DC=com"
- Exit ntdsutil and restart the server; the restored objects will replicate to all DCs
- What Is a Nonauthoritative Restore?
- A Nonauthoritative Restore Reinstates the Active Directory Data to the State Before the Backup
- Distributed Services Are Restored from Backup Media and the Restored Data Is Then Updated Through Replication
- Backup Performs Only a Nonauthoritative Restore of Active Directory
- After Restoring Active Directory, Windows 2018 Automatically:
- Performing a Nonauthoritative Restore
- Active Directory Can Be Restored While Replacing a Failed Domain Controller and When Repairing a Damaged Active Directory Database
- The Active Directory Database Cannot Be Running When You Restore Active Directory Files
- The Backup of the System State Data Cannot Be Older Than the Tombstone Lifetime
- Restart the domain controller
- Select Directory Services Restore Mode
- Log on to Windows 2018 using SAM account
- Restore the system state
- Restart the domain controller normally
- What Is an Authoritative Restore?
- An Authoritative Restore Allows You to Mark Specific Information in the Database
- Authoritative Restore Occurs After Nonauthoritative Restore Has Been Performed
- The Version Number of Each Object Marked As Authoritative Is Increased by 100,000 for Each Day
- The Domain Controller with the Higher Version Number for the Same Object Replicates over the Domain Controller with the Lower Version Number
- Performing an Authoritative Restore
- Start the domain controller, and then select Directory Services Restore Mode
- Restore Active Directory (the system state data), but do not restart the computer
- Run Ntdsutil.exe
- Switch to the authoritative restore prompt
- Provide the distinguished name of the object
- Exit Ntdsutil
- Restart the domain controller normally
What Is NTDS.dit and Why Move It?
The NTDS.dit file is the main Active Directory database that stores all domain objects—users, groups, computers, and more. By default, it’s located at:
C:\Windows\NTDS\
Reasons to Move the AD Database
🚀 Improve disk performance (move to faster drive/SSD)
🧼 Free up space on the system partition
🔄 Reallocate storage as part of infrastructure upgrades
🔐 Enhance security by isolating critical directory files
Important Pre-Requisites
Before moving the NTDS database:
- Take a full system state backup
- Ensure the new target drive is formatted with NTFS
- Plan a downtime window (AD services will be stopped)
- Know the Directory Services Restore Mode (DSRM) password
How to Move the NTDS.dit Database Using ntdsutil
Step-by-Step Guide:
- Open Command Prompt as Administrator
- Launch ntdsutil:
ntdsutil
- Activate the NTDS instance:
activate instance ntds
- Enter file management:
files
- Move the database:
move db to D:\AD\Database
- Move the log files (optional but recommended):
move logs to D:\AD\Logs
- Type quit twice to exit ntdsutil
- Reboot the server to complete the operation
Verify the Database Move
After the reboot:
- Confirm the new file locations: NTDS.dit in D:\AD\Database, log files in D:\AD\Logs
- Check Event Viewer → Directory Service log for confirmation
- Ensure AD services start properly and replication works
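The verification step above as an added script (not code from the original module). It reads the paths the DC actually uses from the NTDS\Parameters registry key and checks them against the module's checklist; the expected paths are the module's sample targets, and Event ID 1000 ("AD DS startup complete") is the Directory Service log confirmation it looks for.

```powershell
# Added example: post-reboot verification of an NTDS.dit / log move. Run on the moved DC.
$expectedDb   = 'D:\AD\Database\ntds.dit'   # module's sample target; adjust to yours
$expectedLogs = 'D:\AD\Logs'

# The DC reads its paths from these values; ntdsutil 'move db' / 'move logs' rewrites them.
$params  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile  = $params.'DSA Database file'
$logPath = $params.'Database log files path'

# Event 1000 in the Directory Service log marks a completed AD DS startup.
$lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$startup  = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1000; StartTime = $lastBoot } `
                -ErrorAction SilentlyContinue

# Only SYSTEM and Administrators belong on the database folder; broader ACEs defeat the
# "isolate critical directory files" goal of the move.
$broad = (Get-Acl (Split-Path $dbFile)).Access |
         Where-Object { $_.IdentityReference -match 'Everyone|Authenticated Users|\\Users$|INTERACTIVE' }

$checks = [ordered]@{
    'Registry DB path matches expected'     = ($dbFile -ieq $expectedDb)
    'Registry log path matches expected'    = ($logPath.TrimEnd('\') -ieq $expectedLogs)
    'ntds.dit present at new path'          = (Test-Path -LiteralPath $dbFile)
    'edb.log present in new log folder'     = (Test-Path -LiteralPath (Join-Path $logPath 'edb.log'))
    'Old copy gone from C:\Windows\NTDS'    = -not (Test-Path 'C:\Windows\NTDS\ntds.dit')
    'New volume is NTFS'                    = ((Get-Volume -DriveLetter $dbFile[0]).FileSystem -eq 'NTFS')
    'NTDS service running'                  = ((Get-Service NTDS).Status -eq 'Running')
    'Event 1000 logged since last boot'     = [bool]$startup
    'No broad ACEs on database folder'      = (-not $broad)
}

$checks.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

Follow a clean run with repadmin /showrepl or dcdiag /test:Replications to cover the last checklist item, replication health.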
- Back up Active Directory
- Restart the domain controller, and then select Directory Services Restore Mode
- Log on by using the SAM account
- Run the ntdsutil command
- Switch to the files prompt
- Move the database: type move DB to <drive>:\directory
- Type quit twice to return to the command prompt
- Restart the domain controller normally
The NTDS.dit file stores Active Directory data. Over time, as users, groups, and objects are deleted, empty space builds up in the database, affecting performance and disk usage.
Defragmentation helps:
🧼 Remove unused space
🚀 Improve read/write performance
📦 Reduce physical file size
🔄 Optimize replication speed and system stability
Before You Begin (Checklist)
💾 Take a system state backup
🔐 Know the DSRM (Directory Services Restore Mode) password
🧭 Schedule maintenance downtime (offline process)
🎯 Have a target folder with enough free space for the compacted DB
🛠️ Steps: Offline Defragmentation of NTDS.dit
✅ Step-by-Step Guide:
- Reboot into Directory Services Restore Mode (DSRM): restart the server, press F8 and choose Directory Services Restore Mode
- Log in with the DSRM local administrator account
- Open Command Prompt as Administrator
- Run ntdsutil:
ntdsutil
activate instance ntds
files
- Compact the database:
compact to D:\ADBackup
  This creates a defragmented NTDS.dit in the specified folder; ensure the destination has ample free space.
- Replace the original NTDS.dit with the compacted one. First back up the original:
move C:\Windows\NTDS\ntds.dit C:\Backup\
  Then copy the compacted file into place:
copy D:\ADBackup\ntds.dit C:\Windows\NTDS\
- Exit ntdsutil and reboot the server normally
🔍 How to Confirm the Defragmentation Was Successful
- Check the file size reduction of NTDS.dit
- Review Event Viewer > Directory Service for startup success
- Ensure AD services and replication are functioning normally
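An added example (not code from the original module) wrapping the checklist and the confirmation step: a pre-flight check to run in DSRM before compact to, and a result check to run after the compacted file is in place and before the normal reboot. The 15% free-space cushion is my assumption, and the target folder is the module's D:\ADBackup; note that Microsoft's published procedure also deletes the old *.log files in the log folder after the copy.

```powershell
# Added example: pre-flight and post-check around an offline compaction. Both run in DSRM.
$compactTarget = 'D:\ADBackup'                     # module's sample target folder
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$liveDb = $params.'DSA Database file'              # C:\Windows\NTDS\ntds.dit by default

function Test-CompactPreflight {
    $dbBytes = (Get-Item -LiteralPath $liveDb).Length
    $free    = (Get-Volume -DriveLetter $compactTarget[0]).SizeRemaining
    [pscustomobject]@{
        LiveDbBytes  = $dbBytes
        LiveDbGB     = [math]::Round($dbBytes / 1GB, 2)
        TargetFreeGB = [math]::Round($free / 1GB, 2)
        # compact writes a complete new copy; 15% cushion is an assumption, not a documented rule
        EnoughSpace  = ($free -gt [int64]($dbBytes * 1.15))
        # ntdsutil only compacts offline: in DSRM the NTDS service must not be running
        NtdsStopped  = ((Get-Service NTDS).Status -ne 'Running')
        TargetExists = (Test-Path -LiteralPath $compactTarget)
    }
}

function Test-CompactResult {
    param([int64]$OriginalBytes)                   # LiveDbBytes recorded by the pre-flight
    $newBytes = (Get-Item -LiteralPath $liveDb).Length
    # Module's "check file size reduction", plus ntdsutil's offline integrity check of the
    # file now sitting in the live location, before the server is rebooted normally.
    $integrity = & ntdsutil.exe 'activate instance ntds' files integrity quit quit 2>&1
    [pscustomobject]@{
        OriginalGB       = [math]::Round($OriginalBytes / 1GB, 2)
        CompactedGB      = [math]::Round($newBytes / 1GB, 2)
        ReductionPercent = [math]::Round(100 * (1 - $newBytes / $OriginalBytes), 1)
        IntegrityPassed  = [bool]($integrity -match 'Integrity check successful')
        IntegrityOutput  = ($integrity | Out-String)
    }
}

# Usage: $pre = Test-CompactPreflight; $pre
#        ...run the module's ntdsutil compact and the move/copy steps...
#        Test-CompactResult -OriginalBytes $pre.LiveDbBytes
```

Do not reboot normally until IntegrityPassed is True; if it is not, put the original file from C:\Backup\ back before leaving DSRM.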
- What Is Defragmentation?
- Defragmentation Rearranges How the Data Is Stored in the Active Directory Database
- Defragmentation Can Occur Online or Offline
- Online Defragmentation Effectively Rearranges Pages Within the Database
- Offline Defragmentation Rearranges Pages Within the Database and Creates a New, Compacted Version of the Database File
- Defragmenting a Database
- Back up Active Directory
- Restart the domain controller
- Select Directory Services Restore Mode
- Log on by using the SAM account
- Run the ntdsutil command
- Switch to the files prompt
- Compact the database: type compact to <drive>:\directory
- Type quit twice to return to the command prompt
- Copy the new NTDS.DIT file over the old NTDS.DIT file
- Restart the domain controller normally
- The Tombstone Lifetime Interval Should Not Be Reduced
- Disk Space