
Active Directory Database File Compaction and Defragmentation

Active Directory is a non-relational database, and its size grows over time, so the database file takes up more and more disk space. If you remove objects from Active Directory, the size of the database file does not change; instead, the freed space (white space) is reused to store new objects. Like any other database, the Active Directory database must be maintained periodically to reduce data fragmentation, speed up searches and improve LDAP query performance.

There are two types of Active Directory database defragmentation:

  • Online defragmentation – performed automatically every 12 hours. The Active Directory service on the domain controller keeps running. The data in the file is reorganized and free blocks are released, but the file size is not reduced.
  • Offline defragmentation – performed only manually by an Active Directory administrator; the AD DS service on the DC is unavailable during the process. This type of defragmentation can significantly reduce the AD database file size and slightly improve AD query performance.

Let’s take a look at how to perform offline defragmentation of the AD database on a domain controller running Windows Server 2012 R2.

The Active Directory database is stored in the ntds.dit file (by default it is located in the folder C:\Windows\NTDS). Let’s check the current size of the existing ntds.dit file. In this case, it is about 120 MB.


Tip. Before you begin offline defragmentation, it is recommended to make a full backup of the ntds.dit database. You can do that using the standard Windows Server Backup (system state backup) or third-party utilities.

Before proceeding to maintenance of the Active Directory database file, you must stop the AD DS service on the current domain controller. To do this, open the Services console (services.msc), locate Active Directory Domain Services, right-click it and select Stop.

  1. You can also stop AD DS with the command: net stop NTDS
  2. To stop the AD DS service on a domain controller running Windows Server 2003 or earlier, you must restart the DC and boot into Directory Services Restore Mode by pressing F8 during startup.


After that, the system warns you that stopping AD Domain Services will also stop the following dependent services:

  • Kerberos Key Distribution Center
  • Intersite Messaging
  • DNS Server
  • DFS Replication


Next, open a Command Prompt (or PowerShell) console as an Administrator.

For Active Directory maintenance, use the Ntdsutil.exe utility. To run it, type the command:

ntdsutil

Then select the current AD database instance and switch to file maintenance mode by typing:

activate instance NTDS
files

The following command starts the database compaction process. As its argument you specify the folder path (in our example, C:\Temp\NTDS-DB) in which the compacted copy of the database will be saved.

compact to C:\Temp\NTDS-DB


After that, the AD database defragmentation process starts. Its duration depends on the database size; in our example it took about one minute.


When the process is complete, check the current size of the AD database: as you can see, the ntds.dit file size was reduced from 120 MB to 35 MB, almost 3.5 times!


Now you can replace the old fragmented ntds.dit with its defragmented copy and delete the old AD transaction log files from the folder C:\Windows\NTDS\:

copy C:\Temp\NTDS-DB\ntds.dit C:\Windows\NTDS\ntds.dit
del C:\Windows\NTDS\*.log


It is highly recommended to check the integrity of the resulting ntds.dit file. To do so, type the following commands in an ntdsutil session:

activate instance NTDS
files
integrity

If the integrity check reports an error, try to fix the errors with the same ntdsutil utility (semantic database analysis with fixup), or restore the previous version of the file from backup.

To leave the ntdsutil session, type “q” and then “quit”.

It remains to start the AD DS service and check for errors in the Directory Service log using Event Viewer:

net start ntds


Tip. Keep in mind that defragmentation and compaction of the Active Directory database must be performed on each domain controller separately, because the ntds.dit file is physically independent on each domain controller and is not replicated between DCs.
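The whole procedure above, scripted in PowerShell as an added example (not from the original article): it keeps the fragmented ntds.dit for rollback, swaps in the compacted copy, verifies integrity before restarting AD DS, and removes the temporary copies afterwards. It assumes an elevated PowerShell session on the DC, an existing system state backup, that C:\Temp\NTDS-DB is a local NTFS folder, and that ntdsutil reports a successful check with the text "Integrity check successful".

```powershell
# Added example, not from the original article: runs the offline
# defragmentation steps described above on one domain controller.
# Assumptions: elevated PowerShell, AD DS installed, a system state backup
# already exists, and $CompactDir is a local NTFS folder with free space.
$NtdsDir    = 'C:\Windows\NTDS'
$CompactDir = 'C:\Temp\NTDS-DB'
$LiveDb     = Join-Path $NtdsDir 'ntds.dit'
$NewDb      = Join-Path $CompactDir 'ntds.dit'
$OldDb      = Join-Path $CompactDir 'ntds.dit.old'   # rollback copy

New-Item -ItemType Directory -Path $CompactDir -Force | Out-Null
$sizeBefore = (Get-Item $LiveDb).Length

# Stop AD DS (same as "net stop ntds"); KDC, DNS, DFSR and ISM stop with it.
Stop-Service -Name NTDS -Force
(Get-Service -Name NTDS).WaitForStatus('Stopped')

# ntdsutil accepts its interactive commands as quoted arguments.
$out = & ntdsutil 'activate instance ntds' 'files' "compact to $CompactDir" 'quit' 'quit' 2>&1
if (-not (Test-Path $NewDb)) { throw "Compaction produced no file:`n$out" }

# Keep the fragmented database for rollback, then swap in the compacted copy
# and remove the old transaction logs, as the article instructs.
Move-Item -Path $LiveDb -Destination $OldDb -Force
Copy-Item -Path $NewDb -Destination $LiveDb
Remove-Item -Path (Join-Path $NtdsDir '*.log') -Force

# The integrity check runs against the database now in C:\Windows\NTDS.
# Assumption: ntdsutil reports success with "Integrity check successful".
$chk = & ntdsutil 'activate instance ntds' 'files' 'integrity' 'quit' 'quit' 2>&1
if (($chk | Out-String) -notmatch 'Integrity check successful') {
    Move-Item -Path $OldDb -Destination $LiveDb -Force   # roll back
    throw "Integrity check failed, original database restored:`n$chk"
}

Start-Service -Name NTDS
$sizeAfter = (Get-Item $LiveDb).Length
'ntds.dit: {0:N0} -> {1:N0} bytes' -f $sizeBefore, $sizeAfter

# Recent errors in the Directory Service log (Level 1 = Critical, 2 = Error).
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Level = 1, 2;
    StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# Both copies in $CompactDir hold the full directory, including password
# hashes; remove them once the DC is confirmed healthy.
Remove-Item -Path $CompactDir -Recurse -Force
```

Run it on each domain controller in turn, since the compacted file is not replicated.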
