Active Directory Database File Compaction and Defragmentation

Because the Active Directory database is a non-relational database that grows over time, it consumes more and more disk space. Deleting objects from Active Directory does not shrink the database file; the freed space (white space) is simply reused for new objects. To prevent data fragmentation, speed up searches, and improve LDAP query performance, the Active Directory database, like any other database, must be maintained on a regular basis.

The Active Directory database can be defragmented in two ways:

Online defragmentation runs automatically every 12 hours. The Active Directory service on the domain controller keeps running while it takes place. The file’s contents are rearranged and free blocks are released, but the file’s size remains unchanged.

Offline defragmentation can only be performed manually by an Active Directory administrator, because the AD DS service on the DC must be stopped while it runs. This type of defragmentation can greatly reduce the size of the AD database file and marginally improve the performance of AD queries.

Let’s look at how to use Windows Server 2012 R2 to execute offline defragmentation of the AD database on a domain controller.

The Active Directory database is stored in the ntds.dit file (by default it is located in the folder C:\Windows\NTDS). Let’s check the current size of the existing ntds.dit file. In this case, its size is about 120 MB.

Hint: A full backup of the ntds.dit database is advised before you begin offline defragmentation. You can do this with third-party applications or with the built-in Windows Server Backup (system state backup).

You must stop the AD DS service on the domain controller before you can work on the Active Directory database file. To do so, open services.msc, find Active Directory Domain Services, right-click it, and choose Stop.

  1. You can also stop AD DS with the command net stop NTDS.
  2. On a domain controller running Windows Server 2003 or earlier, AD DS cannot be stopped as a service: you must restart the domain controller and boot into Directory Services Restore Mode (press F8 during startup).

After that, the system warns you that when you stop AD DS the following dependent services will be stopped too:

  • Kerberos Key Distribution Center;
  • Intersite Messaging;
  • DNS Server;
  • DFS Replication.

Next, open a Command Prompt (or PowerShell) console as an Administrator.

Active Directory maintenance is done with the Ntdsutil.exe utility. To run it, type the command:

ntdsutil

Then select the current AD database instance and switch to file maintenance mode by typing:

activate instance NTDS
files

The following command starts the database compaction. As its argument you specify the folder (in our example, C:\Temp\NTDS-DB) in which the compacted copy of the database will be saved.

Compact to c:\temp\ntds-db

After that, defragmentation of the AD database begins. How long it takes depends on the size of the database; in our scenario it completed in about one minute.

When the operation is finished, check the size of the new ntds.dit file. In our case it was reduced by about 3.5 times, from 120 MB to 35 MB!

Now replace the old fragmented ntds.dit with its defragmented copy and delete the old AD transaction log files from the folder C:\Windows\NTDS:

Copy c:\Temp\NTDS-DB\ntds.dit c:\windows\ntds
Del C:\Windows\ntds\*.log

It is highly recommended to check the integrity of the resulting ntds.dit file. To do so, type the following commands in the ntdsutil session (after you enter files, the prompt changes to file maintenance:):

files
integrity

If the integrity check fails, try to repair the database with ntdsutil’s semantic database analysis (with the fixup option), or restore a previous version of the file from a backup.

Type q (or quit) at each prompt to exit the ntdsutil session.

Finally, start the AD DS service and examine the Directory Service log in Event Viewer for errors:

net start ntds

Because the ntds.dit file is local to each domain controller and is not replicated between DCs, defragmentation and compaction of the Active Directory database must be performed on every domain controller separately.
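The whole procedure above, scripted for one domain controller as an added example (this is not code from the original article). It reads the database location from the NTDS registry parameters, compacts to the assumed folder C:\Temp\NTDS-DB, and, unlike the manual steps, moves the old ntds.dit and log files aside instead of deleting them so the swap can be rolled back if the integrity check fails.

```powershell
# Added example: offline defragmentation of ntds.dit on a single DC.
# Run elevated on the DC itself, after a system state backup has been taken.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$params  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile  = $params.'DSA Database file'            # normally C:\Windows\NTDS\ntds.dit
$ntdsDir = Split-Path $dbFile -Parent
$target  = 'C:\Temp\NTDS-DB'                       # assumed folder for the compacted copy
$keep    = Join-Path $ntdsDir ('old-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

$before = (Get-Item $dbFile).Length / 1MB
Write-Host ("ntds.dit before compaction: {0:N1} MB" -f $before)

# 1. Stop AD DS; KDC, DNS, DFSR and Intersite Messaging stop with it.
Stop-Service NTDS -Force
New-Item -ItemType Directory -Path $target, $keep -Force | Out-Null

# 2. Compact into the target folder. ntdsutil accepts its interactive
#    commands as arguments, one menu level per argument.
& ntdsutil.exe 'activate instance ntds' 'files' "compact to $target" 'quit' 'quit'
if (-not (Test-Path (Join-Path $target 'ntds.dit'))) {
    Start-Service NTDS
    throw "Compaction produced no ntds.dit in $target; AD DS restarted, nothing changed."
}

# 3. Move the old database and transaction logs aside, then swap in the new copy.
Move-Item $dbFile (Join-Path $keep 'ntds.dit')
Get-ChildItem $ntdsDir -Filter '*.log' | Move-Item -Destination $keep
Copy-Item (Join-Path $target 'ntds.dit') $dbFile

# 4. Integrity check on the new file; roll back to the saved copy if it fails.
$check = & ntdsutil.exe 'activate instance ntds' 'files' 'integrity' 'quit' 'quit' 2>&1 | Out-String
if ($check -notmatch 'Integrity check successful') {
    Write-Warning 'Integrity check failed; restoring the previous database and logs.'
    Copy-Item (Join-Path $keep 'ntds.dit') $dbFile -Force
    Get-ChildItem $keep -Filter '*.log' | Copy-Item -Destination $ntdsDir -Force
}

# 5. Start AD DS and the services that were stopped with it, then report.
Start-Service NTDS
'kdc', 'DNS', 'DFSR', 'IsmServ' | ForEach-Object { Start-Service $_ -ErrorAction SilentlyContinue }
$after = (Get-Item $dbFile).Length / 1MB
Write-Host ("ntds.dit after compaction:  {0:N1} MB" -f $after)
# Errors and criticals logged by the directory service since the maintenance window began.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Level = 1, 2;
    StartTime = (Get-Date).AddMinutes(-30) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The folder under $keep can be deleted once AD DS has been running cleanly on the compacted database.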
