Active Directory is a non-relational database, and as its size increases over time the database takes up more and more disk space. If you remove objects from Active Directory, the size of the database file does not change, but the freed space (white space) can be reused to store new objects. Like any other database, the Active Directory database must be maintained periodically to reduce data fragmentation, speed up searches and improve LDAP query performance.
There are two types of Active Directory database defragmentation:
- Online defragmentation – performed automatically every 12 hours. The Active Directory service on the domain controller keeps running. Data in the file is reorganized and free blocks are released, but the file size is not reduced.
- Offline defragmentation – performed only manually by an Active Directory administrator, and the AD DS service on the DC is unavailable while it runs. This type of defragmentation can significantly reduce the AD database file size and slightly improve AD query performance.
Let’s take a look at how to perform offline defragmentation of the AD database on a domain controller running Windows Server 2012 R2.
The Active Directory database is stored in the ntds.dit file (by default it is located in the folder C:\Windows\NTDS). Let’s check the current size of the existing ntds.dit file. In this case, its size is about 120 MB.
Tip. Before you begin offline defragmentation, it is recommended to perform a full backup of the ntds.dit database. You can do that using standard Windows Server Backup (system state backup) or third-party utilities.
Before proceeding with maintenance of the Active Directory database file, you must stop the AD DS service on the current domain controller. To do this, open the Services console (services.msc), locate Active Directory Domain Services, right-click it and select Stop.
- You can also stop AD DS with the command: net stop NTDS
- To stop the AD DS service on a domain controller running Windows Server 2003 or earlier, you must restart the DC and boot into Directory Services Restore Mode using the F8 key.
After that, the system warns you that when you stop AD Domain Services, the following dependent services will be stopped too:
- Kerberos Key Distribution Center;
- Intersite Messaging;
- DNS Server;
- DFS Replication.
Next, open a Command Prompt (or PowerShell) console as an Administrator.
For Active Directory maintenance, use the Ntdsutil.exe utility. To run it, type the command:
ntdsutil
Then you need to select the current AD database instance and switch to file maintenance mode by typing:
activate instance NTDS
files
The following command starts the database compaction process. As an argument you need to specify the folder path (in our example, C:\Temp\NTDS-DB) in which the compacted copy of the database will be saved.
Compact to c:\temp\ntds-db
After that, the AD database defragmentation process starts. Its duration depends on the database size. In our example, defragmentation took about one minute.
When the process is complete, check the current size of the AD database. As you can see, the ntds.dit file size was reduced from 120 to 35 MB, almost 3.5 times!
Now you can replace the old fragmented ntds.dit with its defragmented version and delete the old AD log files from the folder C:\Windows\NTDS:
copy c:\temp\ntds-db\ntds.dit c:\windows\ntds
del c:\windows\ntds\*.log
It is highly recommended to check the integrity of the resulting ntds.dit file. To do this, type the following commands in the ntdsutil session:
activate instance NTDS
files
integrity
If the integrity check reports an error, try to fix the errors using the same ntdsutil utility (semantic database analysis with fixup), or restore the previous version of the file from backup.
To finish ntdsutil session, type “q” and “quit”.
It remains to start the AD DS service and check for errors in the Directory Service log using Event Viewer:
net start ntds
Tip. Keep in mind that defragmentation and compaction of the Active Directory database must be performed on each domain controller separately, because the ntds.dit file is physically independent on every domain controller and is not replicated between DCs.
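As an added example (not from the original article), this PowerShell script automates the steps above on a single DC and only keeps the compacted ntds.dit once it passes the ntdsutil integrity check, rolling back otherwise. The C:\Temp\NTDS-Backup rollback folder and the success phrases matched in ntdsutil's output are assumptions; confirm the wording on your server before relying on them.

```powershell
$ErrorActionPreference = 'Stop'
$NtdsDir   = Join-Path $env:SystemRoot 'NTDS'   # default path from the article
$NtdsFile  = Join-Path $NtdsDir 'ntds.dit'
$CompactTo = 'C:\Temp\NTDS-DB'                  # compaction target used in the article
$Backup    = 'C:\Temp\NTDS-Backup'              # assumed: rollback copy of the original files
$started   = Get-Date
New-Item -ItemType Directory -Force -Path $CompactTo, $Backup | Out-Null
$before = (Get-Item $NtdsFile).Length
Write-Host ("ntds.dit before compaction: {0:N1} MB" -f ($before / 1MB))

# 1. Remember which dependent services (KDC, DNS, DFSR, ...) are running, then stop AD DS.
$dependents = (Get-Service -Name NTDS).DependentServices | Where-Object Status -eq 'Running'
Stop-Service -Name NTDS -Force
try {
    # 2. Keep the original database and log files so a bad result can be rolled back.
    Copy-Item -Path (Join-Path $NtdsDir '*') -Destination $Backup -Force

    # 3. Compact into $CompactTo; ntdsutil accepts its interactive commands as arguments.
    $out = (& ntdsutil.exe 'activate instance NTDS' 'files' "compact to $CompactTo" 'q' 'q') -join "`n"
    $newFile = Join-Path $CompactTo 'ntds.dit'
    # Assumption: this is the phrase ntdsutil prints on success; confirm it on your build.
    if (-not (Test-Path $newFile) -or $out -notmatch 'Compaction is successful') {
        throw "Compaction failed:`n$out"
    }

    # 4. Replace the fragmented file, remove the old transaction logs, then verify integrity.
    Copy-Item -Path $newFile -Destination $NtdsFile -Force
    Remove-Item -Path (Join-Path $NtdsDir '*.log') -Force
    $chk = (& ntdsutil.exe 'activate instance NTDS' 'files' 'integrity' 'q' 'q') -join "`n"
    if ($chk -notmatch 'Integrity check successful') {   # assumed success phrase, as above
        # Never start AD DS on a suspect database: put the saved files back first.
        Copy-Item -Path (Join-Path $Backup '*') -Destination $NtdsDir -Force
        throw "Integrity check failed, original files restored:`n$chk"
    }
    $after = (Get-Item $NtdsFile).Length
    Write-Host ("ntds.dit after compaction: {0:N1} MB ({1:P0} of original)" -f ($after / 1MB), ($after / $before))
}
finally {
    # 5. Always bring AD DS and its dependents back, then show errors logged since we began.
    Start-Service -Name NTDS
    $dependents | ForEach-Object { Start-Service -Name $_.Name }
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; StartTime = $started; Level = 1, 2 } -ErrorAction SilentlyContinue |
        Format-Table TimeCreated, Id, Message -AutoSize
}
```

Run it in an elevated session on each DC in turn, since the compaction is local to that DC's ntds.dit.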