If you are using Active Directory then you will obviously know that this controls your domain with servers called domain controllers, this service is broken down into a database with some log files, let’s get into the understanding and logic, If you’re just interested in the commandments, their further down the article (look for the little spaceship for Mission control)
ADDS Database
The database is called NTDS.dit usually when building domain controllers, I have a separate logical drive for the database and then another drive for the log files, which will be ntds.log and ntds.edb
Logical Drives
I would always put my database on One of those logical drives (and no, I would not use D:) I always tend to use N:
In the same fashion, I would therefore put my log files on the next drive up, which in this case would be M:
When the rollers installed, these will sit in a folder called NTDS then on the N: you will have the Ntds.dit
NTDS.dit File
This file contains all your Active Directory information which will include all your objects that include items like uses, groups, computers, group policies and all your ADDS information.
Least privileged access
Domain controller access should really using the least administrative privilege methodology be restricted to a couple of people for remote and local access, many of the actions you need to do no longer require you logging in to the server you can do them all remotely.
ADDS is a Database
Active directory is essentially a glorified database that got its roots from Microsoft Access, and like any other database it requires optimization and maintenance task running, which includes defragmentation.
Defragmentation types
There are two types of defragmentation for active directory. The first one that happens. Every 12 hours is an online defragmentation that will not reduce the size of the database but optimize internal file structure, However, this will not free white space and unused space and change the size of ntds.dit - This is good for day-to-day maintenance, but depending on the usage of your database, you may need to consider an off-line fragmentation.
Off-line defragmentation : manual intervention
Off-line defragmentation is the next level up in maintenance, This is where white spaces rearranged and unused spaced is released, and the size of your ntds.dit file can be reduced, however this additional maintenance does mean it comes with one downside - the domain controller has to be off-line when you’re running off-line defragmentation.
Single or multiple domain controllers
If you only have a single domain controller, which is absolutely not recommended, then wildest do fragmentation runs. You will have a complete domain outage, during this time, no one will be able to login Because you’re authentication provider is off-line (This is why we always use N+1)
Multiple domain controller considerations
If you have recommended configuration of multiple the domain controllers then you will still require a single demand controller at time to have an outage while this defragmentation is run.
Note : Multiple the domain controllers will prevent outages to Active Directory, unfortunately, it will not prevent outages to applications outages where you have pointed that application at a single domain controller
Running DNS on those domain controllers?
I would also like to point out here if you’re taking a domain controller off-line then you may also have the DNS server role installed, so remember that when you take it offline - it you have clients only pointing at a single domain controller serving DNS the again DNS will fail and without DNS there is no ADDS.
Seriously, considered DNS
In my years of managing Active Directory it is very rare for services to fail without outside influence Or other malicious activity going on, The majority of the problems with act directory always come down to Windows updates (Where it would appear, Microsoft don’t test them properly before deploying them) or issues with DNS.
DNS is absolutely critical to active directory operating correctly, We required DNS to look up all the records in order to find services and look up all the different type of DNS records, when you login to your domain The first job your computer needs to do you get the IP address - It really doesn’t care what name you’re using because it needs to look up the record to locate the services that provide that authentication process.
Non-ADDS Example
Think of it like directory services (118) where you used to be able to call that service give a name, and they would give you the number that would get you in contact with that name - that is all DNS does in a nutshell.
You have forward record lookups that take names and convert them into IP addresses, and the opposite to this you have reverse record lookups that will take an IP and convert it into a name.
NTDS.dit misconceptions with other domain controllers
If you have multiple domain controllers usually distributed across multiple sites, then you may think that the NTDS.dit file is replicated to all the domain controllers to ensure the databases consistent.
This is actually a common misconception that is also incorrect, when you join at the domain controller to a pre-existing domain at the end of the set up you will notice that it replicates its critical objects and then other attributes over to the newly promoted domain controller.
Once this replication is complete, the domain controller does not come online and start serving requests until the reboot, this is because the reboot it needed to get a consistency check, which is done by verifying the internal data of the ntds.dit with another domain controller.
When completing the off-line defragmentation is there a specific order?
Excellent question, But the answer to this is no there is not a specific order you need to do the off-line defragmentation, you may draw the conclusion that you need to do your FSMO role holder first or possibly make sure the PDC is done as a priority.
However, it’s not really a rule, however is probably recommended not to have the domain controllers with any FSMO roles offline for extended period of time because that could cause issues elsewhere, for example, if you have the schema master off-line then, you will not be able to write new schema modifications/updates to your ADDS until it’s back online, please remember updating objects does not require the schema master.
How do I determine the order I perform the half mile fragmentation?
This comes down to assessing the impact to your company, personally, I would always do this out of hours because those are your domain controllers is lower out of hours, however, remember, if you have applications pointing you get a single domain controller as discussed earlier that application application will be off-line until the server has come back online after it’s off-line defragmentation.
Back up before off-line defragmentation
Yes, this one is not rocket science but it’s always worth having a backup of your critical active directory files before attempting to perform an offline defragmentation just in case something goes wrong, though slim, it’s always better to have a backup.
I would also recommend using server backup, The application that’s built into windows which you can add as role on the server, to then back up your ntds.dit and relevant log files, the reason I recommend this solution is I’ve seen lots of these fully featured backup solutions back up your ntds.dit Which sounds fantastic but when you come to restore this, when something goes wrong in directory restore mode, Windows does not accept the back up because it wasn’t backed up correctly.
If you have a custom backup solution, please ensure using a test demand controller that you can successfully restore your backups and that your server then comes online and nothing is corrupt, having a backup that you can’t restore is really not helpful to anybody - and if this goes wrong, you will falsely be under the impression you can restore from a back up.
🚀 Mission Control : Performing the Offline Degragmentation
Step 1: Preparation
Note : This process helps optimize your AD database by reclaiming unused space and potentially improving performance.
Schedule Downtime:
Since the domain controller will need to be rebooted in Directory Services Restore Mode (DSRM), schedule a downtime window that minimally impacts operations.
Backup the Domain Controller:
Before proceeding with any operations, ensure that you have a full backup of the domain controller. This is crucial for recovery in case anything goes wrong, we covered this earlier in the guide.
Step 2 : Reboot the Domain Controller in Directory Services Restore Mode (DSRM)
Reboot the Domain Controller in DSRM:
Reboot the domain controller and press `F8` during the boot process to bring up the Advanced Boot Options menu then select Directory Services Restore Mode (DSRM) and boot into that mode.
Log in using DSRM Credentials:
Log in with the DSRM administrator account. This account was created during the promotion of the server to a domain controller and the password should be a safe place like a password manager
Step 3: Perform the Offline Defragmentation
Once logged in, open the Command Prompt with administrative privileges, then you need will to stop the Active Directory Domain Services, to complete this type the following command and press Enter:
net stop ntds
Then we need to navigate to the NTDS directory where the `ntds.dit` file is stored. Typically, it's located at `N:\NTDS` complete this with the following command:
cd N:\NTDS
Then we need to run the `ntdsutil` Tool:
ntdsutil
Next up we need to activate the instance with this:
activate instance ntds
Next, we need to initiate the Defragmentation with the following command:
compact to <path>
Replace `<path>` with the directory where you want the compacted `ntds.dit` file to be saved, in the example that will be:
compact to N:\NTDS
Once the defragmentation is complete, replace the old `ntds.dit` file with the compacted version. Rename the original `ntds.dit` file as a backup, and then move the compacted file to the NTDS directory (usually it will use the temp directory in c:\temp)
move N:\NTDS\ntds.dit N:\NTDS\ntds.dit.old
move C:\Temp\ntds.dit N:\NTDS\ntds.dit
Exit `ntdsutil - to complete this type `quit` twice to exit the `ntdsutil` tool.
Step 4: Restart Services on the Domain Controller
Ensure you can start the Active Directory services and you get no errors with this command:
net start ntds
If you do get error ensure you check out the system event log as well as the Dirtectory Services in the event log, you have probably not copyied the file to the correction location.
Step 5 : Reboot the Domain Controller:
Reboot the domain controller to bring it back into normal operation, on reboot the services will start automatically and no user intervention is required.
Step 6 : Check Event Logs:
After the server is back online, check the Event Viewer for any errors related to Active Directory to ensure everything is running smoothly.
Step 5: Repeat for Other Domain Controllers
Perform the same process on other domain controllers as needed. Each DC will require its downtime, and the same steps must be repeated to defragment its ntds.dit file - this will be step 2-6
Step 6: Verify Replication
Once all DCs are back online, verify that Active Directory replication is functioning correctly using the following command:
repadmin /replsummary
This will show you the replication of all the domain controllers and it should be heatlhy like this:
repadmin /showsreps
This will show you the last replication attempt as below:
If you get the error below then you are not running it on a domain controller:
LDAP error 81 (Server Down) Win32 Err 58.