Proactive Directory Maintenance and Data Store Protection

AD DS is a distributed database that contains information about the users, the computers, the servers, the services, and more that run in your network, hence its categorization as a network operating system (NOS) as well as a lightweight directory access protocol (LDAP) directory service. Because of this, administration activities can be shared amongst several members of your organization:



Users can update their own records. If a user uses the Search Active Directory feature to locate his or her own account record, he or she will be allowed to change information such as phone number, location, and so on.

Security and distribution group managers can manage group membership themselves if you assign this user right to them. This is a good approach for reducing the workload system administrators face when managing a NOS directory service.

Password resets can be delegated to the help desk, which must be involved each time a password needs to be reset.

Directory and DNS service availability is the core of the system administrator’s responsibilities and should be the focus of most of his or her efforts. After all, system administrators are there to manage the availability of services and the data the directory contains, not to manage the data itself.

Twelve Categories of AD DS Administration

When you consider it, Active Directory administration or management covers twelve major activities. These activities and their breadth of coverage are outlined in the following list, which also outlines which tasks focus on data or content management and which are concentrated on service administration.

  1. User and Group Account Administration (Data) – This includes user password resets, user creation and deactivation, user group creation, and membership management. Should be delegated to the help desk.
  2. Endpoint Device Administration (Data) – All computers in a Windows network environment must have a computer account. This is how they interact with the directory and how the directory interacts with them. Should be delegated to technicians.
  3. Networked Service Administration (Data and Service) – This includes publication of network file shares, printers, distributed file shares (DFS), application directory partitions, and so on. Should be delegated to the administrator of each service type.
  4. Group Policy Object (GPO) Management (Service) – GPOs provide the most powerful model for object management in Windows Server 2008. Should be delegated to appropriate technicians, but a central GPO steward should control GPO proliferation.
  5. DNS Administration (Service) – DNS is now tied closely to the directory, and the operation is based on a properly functioning dynamic DNS service. Because DNS is integrated with the directory, DNS administration is the responsibility of the domain administrator.
  6. Active Directory Topology and Replication Management (Service) – Replication is at the very core of the directory service operation. It covers the configuration of subnets, sites, site links, site link bridges, and bridgehead servers. You should rely heavily on the Knowledge Consistency Checker (KCC), a service that automatically generates replication topologies based on the rules and guidelines you give it to control replication. This is the responsibility of the domain administrator.
  7. Active Directory Configuration Management (Service) – Configuration administration involves forest, domain, and organizational unit (OU) design and implementation. It also involves Flexible Single Master Operations (FSMO) roles, global catalog servers, and DCs, including RODCs, because these servers define the configuration of each forest. One last activity that is related to configuration management is time synchronization. AD DS relies on the PDC Emulator role to synchronize time in the network. These tasks are the responsibility of the forest and domain administrators.
  8. Active Directory Schema Management (Service) – AD DS is a database, albeit a distributed one. As such, it includes a database schema. Schema modifications are not done lightly because added objects cannot normally be removed although they can be deactivated, renamed, and reused. This is the responsibility of the forest administrator.
  9. Information Management (Data) – This refers to the population of the directory with information about the objects it contains. User objects, shared folders, and computer objects can include owners; groups can include managers; printers and computers can include location tracking information. The Active Directory Schema Management console can be used to add or remove content from the global catalog and determine whether an object should be indexed. You can also assign NTDS quotas to make sure no one adds or extracts more information than permitted in the directory. Delegate as many of the information management tasks as possible.
  10. Security Administration (Service) – Security administration covers everything from setting Domain Account policies and assigning user rights to managing trusts as well as access control list (ACL) and access control entry (ACE) administration. This is the responsibility of the domain administrator or designated operators to whom it has been delegated.
  11. Database Management (Service) – Database management involves Ntds.dit maintenance and AD DS object protection as well as GPO protection. It includes managing the LostAndFound and LostAndFoundConfig containers, which are designed to collect homeless objects in your directory. It also includes compacting the directory database on each DC. Although AD DS regularly compacts its own database automatically, it is good practice to compact it manually. This is the responsibility of the domain administrator.
  12. AD Reporting (Service and Data) – Generate reports from your directory to know how it is structured, what it contains, and how it runs. There is no default centralized reporting tool, but you can export data at several levels of the directory. You can also generate GPO reports with the Group Policy Management console. This is the responsibility of the domain administrator and the GPO steward.

Performing Offline Maintenance

One significant change in AD DS from previous versions is the transformation of the DC role into a controllable service. In previous versions of Windows Server, the DC role was monolithic: to stop the service, you needed to stop the DC as a whole. This meant that when you needed to perform maintenance on the Ntds.dit database, the database that contains the directory store, you needed to shut down a DC and restart it in Directory Services Restore Mode. Because of this, there was no way to automate the database maintenance operations. Consequently, most domain administrators never performed any database maintenance at all. Performing no maintenance is not a valid approach to systems management.

Every database works the same way. As new records are added, the database allocates additional space to store information associated with the record. However, when the record is deleted, the allocated space is not recovered. You need to perform database compaction activities to recover this space. The AD DS service does perform some automatic database compaction, but this compaction does not recover lost space within the database; it only rearranges data to make it easier to access. To recover lost space, you must take the database offline and run a compaction and defragmentation sequence against it.

However, with AD DS and Windows Server 2008, the AD DS service is now a manageable service that can be started and stopped like all Windows Server services.

This means that to perform database maintenance activities, you no longer need to shut down the DC and restart it in Directory Services Restore Mode. It also means that because the service behaves like any other service, you can script the defragmentation and compaction operations through basic command-line tools.

Note that to stop the AD DS service, the DC must be able to communicate with another DC that is running the service. If not, you will not be able to stop the service. AD DS includes automatic checks and verifications that ensure that at least one DC is available at all times; otherwise, no one will be able to log on to the network.

Perform Database Maintenance

  1. Log on to your Server with the domain administrator account.
  2. Use Windows Explorer to create a C:\Temp and a C:\OriginalNTDS folder. You will use these folders as temporary locations for the compacted and the original database.
  3. In Server Manager, expand the Configuration node and click Services.
  4. Locate the Active Directory Domain Services service (it should be first on the list) and right-click it to select Stop.
  5. In the Stop Other Services dialog box, click Yes. The server will stop the service. Remember that if the service cannot contact another writable DC, it will not be able to stop; otherwise, no one would be able to log on to the domain.
  6. Launch an elevated command prompt by right-clicking Command Prompt in the Start menu and choosing Run As Administrator.
  7. Begin by compacting the database. Type the following commands:
    ntdsutil
    activate instance NTDS
    files
    compact to C:\temp
    Ntdsutil.exe will compact the database and copy it to the new location. In very large directories, this operation can take some time.
  8. After the compaction operation is complete, type the following:
    quit
    quit
  9. Now, delete all the log files. Type the following:
    cd %systemroot%\ntds
    del *.log
    You delete the log files because you will be replacing the Ntds.dit file with the newly compacted file, and the existing log files will not work with the newly compacted database.
  10. Now, back up the Ntds.dit file to protect it in case something goes wrong. Type the following:
    copy ntds.dit C:\OriginalNTDS
  11. Copy the newly compacted database to the original NTDS folder. Making sure you are still within the %SystemRoot%\NTDS folder, type the following:
    copy c:\temp\ntds.dit
  12. Finally, verify the integrity of the new Ntds.dit file.
    After this is done, you will also perform a semantic database analysis to verify the data within the database. Type the following:
    ntdsutil
    activate instance NTDS
    files
    integrity
    quit
    semantic database analysis
    go fixup
    quit
    quit
    Note that if the integrity check fails, you must recopy the original Ntds.dit back to this folder because the newly compacted file is corrupt. If you do not do so, your DC will no longer be operational.
  13. Return to Server Manager, expand the Configuration node, and click Services.
  14. Locate the Active Directory Domain Services service (it should be first on the list) and right-click it to select Start.
    Your server is back online and ready to deliver authentication services to the network. It can take several minutes for the dependent services to restart. Delete the Ntds.dit located in the C:\OriginalNTDS folder because it is no longer valid.
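The procedure above can be scripted, as the text notes. The following PowerShell is an added example, not part of the original lesson; it assumes an elevated PowerShell 2.0 or later session on the DC, the default database location %SystemRoot%\NTDS, and the C:\Temp and C:\OriginalNTDS folders used in the steps, and it rolls back to the original Ntds.dit when the integrity check fails.

```powershell
# Added example: scripted offline compaction of Ntds.dit following the steps above.
# Assumes an elevated PowerShell 2.0+ session on the DC and the default database
# location %SystemRoot%\NTDS; folder names are the ones used in the procedure.
$ErrorActionPreference = 'Stop'
$ntdsDir = Join-Path $env:SystemRoot 'NTDS'
$tempDir = 'C:\Temp'
$origDir = 'C:\OriginalNTDS'
foreach ($d in @($tempDir, $origDir)) {
    if (-not (Test-Path $d)) { New-Item -ItemType Directory -Path $d | Out-Null }
}

# Remember which dependent services (DNS, KDC, ...) are running so they can be restarted.
$dependents = Get-Service -Name NTDS -DependentServices | Where-Object { $_.Status -eq 'Running' }

# Stopping NTDS fails by design when no other writable DC is reachable; with
# $ErrorActionPreference = 'Stop' that failure ends the script before the file is touched.
Stop-Service -Name NTDS -Force

try {
    # Compact to the temporary folder. ntdsutil takes its menu commands as arguments.
    & ntdsutil 'activate instance ntds' 'files' "compact to $tempDir" 'quit' 'quit' | Out-Null
    if (-not (Test-Path (Join-Path $tempDir 'ntds.dit'))) { throw 'Compaction produced no ntds.dit' }

    # Old log files do not match the compacted database; keep the original file as a fallback.
    Remove-Item -Path (Join-Path $ntdsDir '*.log')
    Copy-Item -Path (Join-Path $ntdsDir 'ntds.dit') -Destination $origDir -Force
    Copy-Item -Path (Join-Path $tempDir 'ntds.dit') -Destination $ntdsDir -Force

    # Integrity check: ntdsutil prints "Integrity check successful." when the file is sound.
    $result = & ntdsutil 'activate instance ntds' 'files' 'integrity' 'quit' 'quit' 2>&1 | Out-String
    if ($result -notmatch 'Integrity check successful') {
        # Roll back to the original file so the DC stays operational.
        Copy-Item -Path (Join-Path $origDir 'ntds.dit') -Destination $ntdsDir -Force
        throw "Integrity check failed; original Ntds.dit restored.`n$result"
    }
    & ntdsutil 'activate instance ntds' 'semantic database analysis' 'go fixup' 'quit' 'quit' | Out-Null
}
finally {
    # Bring AD DS and the services that depend on it back, whatever happened above.
    Start-Service -Name NTDS
    $dependents | ForEach-Object { Start-Service -Name $_.Name }
}
# Reached only on success: the backup copy is no longer valid, as the last step says.
Remove-Item -Path (Join-Path $origDir 'ntds.dit')
```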

Built-in Directory Protection Measures

Data protection is also a very important aspect of proactive systems management, and it is essential for AD DS. As you know, each account stored in the AD DS database is a unique object because it is tied to a specific and unique security identifier (SID). This means that when an account is deleted, you cannot simply re-create it. Although the account will appear the same, it will be a completely different object to AD DS and, as such, will not retain the properties or attributes of the formerly deleted object. Group memberships, passwords, attribute settings, and more will be completely different for the object.

This is one very good reason to reassign accounts rather than re-creating them when people change positions in your network. Reassigning them automatically grants the new person the same rights as the previous account owner. Re-creating an account means you have to dig in and identify all the access rights required by the role in your network. Re-creation is a lot more work.

It is difficult to lose data within the directory because of the multimaster replication model. When a change is performed in one location, it is automatically replicated to all other locations.

However, this same replication model can also cause issues. When an operator deletes an object, especially by mistake, it will be deleted in the entire directory and might need to be restored from backup to be recovered.

However, AD DS includes four features that enable you to recover information without resorting to backups. Each of these provides a means of protecting and recovering the information in the directory database.

Protecting AD DS Objects

Every new object in AD DS can be protected from deletion when it is created, but in every case you must specifically assign this feature to the object.

When you create objects through batch processes or through a migration process, they will not be protected unless you assign the feature during the creation process. When you create an object interactively, you must also assign protection explicitly.

Object protection is assigned or removed on the Object tab, which can be viewed only when you have Advanced Features turned on in the View menu of the Active Directory Users And Computers console.

Note that container objects such as OUs have this option enabled by default because they form part of your directory structure.

After object protection is assigned, you will not be able to delete the object accidentally.

This also means that it cannot be moved from one location to the other.

In fact, this option assigns two Deny permissions to the Everyone group: Deny Delete and Deny Delete subtree.

Remember that in AD DS, deny permissions override every allow permission. The only way you can move or delete this object from this point on is to uncheck the protection feature.

This is a useful feature for organizations that delegate object administration to technical staff.

In fact, you might consider making this feature part of the user account template you create to assist in the creation of user accounts in your directory.

When you audit directory changes in Windows Server 2008, you automatically log old and new values of an attribute each time an object is modified.

Further, because the AD DS audit policy in Windows Server 2008 now logs four subcategories of service access, you can control the assignment of this policy at a more granular level than in previous versions of Windows Server.

The subcategory that controls attribute captures is Directory Service Changes. When enabled, it captures creation, modification, move, and undeletion operations on an object. Each operation is assigned a specific event ID in Directory Services Event Log.

This feature turns Event Log into a record-keeping system for directory changes, enabling you to maintain extensive records on the changes that have been made in your directory.

It is also useful for fixing modifications that have been performed erroneously.

When an object is modified, at least two events are logged. The first lists the former value, and the second, more recent one lists the new value. Use the two together to correct modifications that should not have been made.
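The following PowerShell is an added example, not part of the original lesson, of pairing those two events for each attribute change so the former value can be put back. It assumes PowerShell 2.0 or later on a DC, that the Directory Service Changes subcategory is enabled and the audited objects carry a property-write audit entry in their SACL, and it reads event ID 5136 (directory service object modified) from the Security log, where Windows Server 2008 writes these events.

```powershell
# Added example: pair the "old value" and "new value" events that Directory Service
# Changes auditing writes for one attribute modification. Assumes PowerShell 2.0+ on a
# DC, the subcategory enabled (auditpol /set /subcategory:"Directory Service Changes"
# /success:enable) and a "Write all properties" audit entry in the objects' SACL.
param([int]$Hours = 24)

# Event 5136 = "A directory service object was modified"; it is written to the Security log.
$filter = @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

function Get-EventField([xml]$Xml, [string]$Name) {
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    # OperationType is a message-table reference: %%14674 = Value Added, %%14675 = Value Deleted.
    $op = if ((Get-EventField $x 'OperationType') -eq '%%14675') { 'Deleted' } else { 'Added' }
    New-Object PSObject -Property @{
        Time        = $e.TimeCreated
        Correlation = Get-EventField $x 'OpCorrelationID'   # shared by both halves of one change
        Actor       = Get-EventField $x 'SubjectUserName'
        Object      = Get-EventField $x 'ObjectDN'
        Attribute   = Get-EventField $x 'AttributeLDAPDisplayName'
        Value       = Get-EventField $x 'AttributeValue'
        Op          = $op
    }
}

# One modification of a single-valued attribute = one Deleted event (former value) plus one
# Added event (new value) with the same correlation ID; show them side by side.
$rows | Group-Object Correlation, Object, Attribute | ForEach-Object {
    $first = $_.Group | Sort-Object Time | Select-Object -First 1
    New-Object PSObject -Property @{
        Time      = $first.Time
        Actor     = $first.Actor
        Object    = $first.Object
        Attribute = $first.Attribute
        OldValue  = ($_.Group | Where-Object { $_.Op -eq 'Deleted' } | ForEach-Object { $_.Value }) -join '; '
        NewValue  = ($_.Group | Where-Object { $_.Op -eq 'Added' }   | ForEach-Object { $_.Value }) -join '; '
    }
} | Sort-Object Time | Format-Table Time, Actor, Object, Attribute, OldValue, NewValue -AutoSize
```

A row whose OldValue is filled but NewValue is empty is an attribute that was cleared, and the reverse is a newly set attribute; both halves are kept so the report also covers those cases.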

Using Quest Object Restore for Active Directory

Deleted objects are not immediately removed from the directory when they are deleted. Instead, they are tombstoned and moved to a special hidden container. You can access this container with special tools but not with the normal Active Directory consoles. You can, however, use a utility from Quest Software, Quest Object Restore for Active Directory, to access the tombstone container through a graphical console and locate objects you want to restore. This utility is free; at the time of writing, however, it expires every six months and must be removed and reinstalled to work again.

Download and install Quest Object Restore for Active Directory from http://www.quest.com/object-restore-for-active-directory (a one-time registration is required).

Quest Object Restore for Active Directory displays the tombstone container in AD DS. Because all objects are tombstoned for a period of 180 days by default, you can restore these objects any time before they are destroyed by directory database cleanup operations. As with the Ldp.exe tool, this procedure recovers the object and retains its original SID, but it does not retain all group memberships and other values, so you must modify the object before you enable it. However, using this tool is much simpler than using the Ldp.exe procedure.

For the purposes of this demo, delete a user account and then restore it:

  1. Delete a user account and select Yes to confirm.
  2. Start Quest Object Restore for Active Directory.
  3. Expand Quest Object Restore.
  4. Click the domain to display its deleted objects. If the domain is not displayed, right-click Quest Object Restore, select Connect To, and type your domain name.
  5. Right-click the deleted object and select Restore.
  6. Click OK to confirm.

The user object has been restored.

The original SID for the object is restored, but it does not retain all group memberships and other values. These will need to be re-entered.