Active Directory Cookbook for windows server 2003- P51 ppt
1. Open LDP.
2. From the menu, select Connection → Connect.
3. For Server, enter the name of the target domain controller.
4. For Port, enter 389.
5. Click OK.
6. From the menu, select Connection → Bind.
7. Enter credentials of a user from one of the administrator groups.
8. Click OK.
9. From the menu, select Browse → Modify.
10. Leave the Dn blank.
11. For Attribute, enter DoOnlineDefrag.
12. For Values, enter 180.
13. For Operation, select Add.
14. Click Enter.
15. Click Run.

16.10.2.2 Using a command-line interface
Create an LDIF file called online_defrag.ldf with the following contents:

    dn:
    changetype: modify
    replace: DoOnlineDefrag
    DoOnlineDefrag: 180
    -

then run the following command:

    > ldifde -v -i -f online_defrag.ldf

16.10.2.3 Using VBScript

    ' This code kicks off an online defrag to run for up to 180 seconds
    ' ----- SCRIPT CONFIGURATION -----
    strDC = "<DomainControllerName>"   ' e.g. dc01
    ' ----- END CONFIGURATION --------
    set objRootDSE = GetObject("LDAP://" & strDC & "/RootDSE")
    objRootDSE.Put "DoOnlineDefrag", 180
    objRootDSE.SetInfo
    WScript.Echo "Successfully initiated an online defrag"

16.10.3 Discussion
New to Windows Server 2003 is the ability to initiate an online defragmentation. By default, the online defrag process runs every 12 hours on each domain controller. This process defrags the Active Directory database (ntds.dit) by combining whitespace generated from deleted objects, but does not reduce the size of the database file.

To kick off an online defrag, simply write the DoOnlineDefrag attribute to the RootDSE with a value equal to the maximum time the defrag process should run (in seconds). You must be a member of one of the administrator groups in the domain controller's domain in order to write to this attribute.
16.10.4 See Also
Recipe 16.12 for performing an offline defrag and MS KB 198793 (The Active Directory Database Garbage Collection Process)

Recipe 16.11 Determining How Much Whitespace Is in the DIT

16.11.1 Problem
You want to find the amount of whitespace in your DIT. A lot of whitespace in the DIT may mean that you could regain enough space on the disk to warrant performing an offline defrag.

16.11.2 Solution

16.11.2.1 Using a graphical user interface
1. Run regedit.exe from the command line or Start → Run.
2. Expand HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → NTDS → Diagnostics.
3. In the right pane, double-click on 6 Garbage Collection.
4. For Value data, enter 1.
5. Click OK.

16.11.2.2 Using a command-line interface

    > reg add HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics /v "6 Garbage Collection" /t REG_DWORD /d 1

16.11.2.3 Using VBScript

    ' This code enables logging of DIT whitespace information in the event log.
    ' ----- SCRIPT CONFIGURATION -----
    strDCName = "<DomainControllerName>"   ' e.g. dc1
    ' ----- END CONFIGURATION --------
    const HKLM = &H80000002
    strNTDSReg = "SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"
    set objReg = GetObject("winmgmts:\\" & strDCName & "\root\default:StdRegProv")
    objReg.SetDWORDValue HKLM, strNTDSReg, "6 Garbage Collection", 1
    WScript.Echo "Garbage Collection logging set to 1"

16.11.3 Discussion
By setting the 6 Garbage Collection diagnostics logging option, event 1646 will get generated after the garbage collection process runs. Here is an example 1646 event:

    Event Type:     Information
    Event Source:   NTDS Database
    Event Category: Garbage Collection
    Event ID:       1646
    Date:           5/25/2003
    Time:           9:52:46 AM
    User:           NT AUTHORITY\ANONYMOUS LOGON
    Computer:       DC1
    Description:
    Internal event: The Active Directory database has the following amount of free hard disk space remaining.
    Free hard disk space (megabytes): 100
    Total allocated hard disk space (megabytes): 1024

This shows that domain controller dc1 has a 1 GB DIT file with 100 MB that is free (i.e., whitespace).

16.11.4 See Also
Recipe 16.12 for performing an offline defrag

Recipe 16.12 Performing an Offline Defrag to Reclaim Space

16.12.1 Problem
You want to perform an offline defrag of the Active Directory DIT to reclaim whitespace in the DIT file.

16.12.2 Solution

16.12.2.1 Using a command-line interface
1. First, reboot into Directory Services Restore Mode.
2. Next, check the integrity of the DIT, as outlined in Recipe 16.7.
3. Now, you are ready to perform the defrag. Run the following command to create a compacted copy of the DIT file. Check to make sure the drive on which you create the copy has plenty of space. A rule of thumb is that it should have at least 115% of the size of the current DIT available.

        > ntdsutil files "compact to <TempDriveAndFolder>" q q

4. Next, you need to delete the transaction log files in the current NTDS directory.

        > del <CurrentDriveAndFolder>\*.log

5. You may want to keep a copy of the original DIT file for a short period of time to ensure nothing catastrophic happens to the compacted DIT. If you are going to copy or move the original version, be sure you have enough space in its new location.
6. Swap the compacted copy into place:

        > move <CurrentDriveAndFolder>\ntds.dit <TempDriveAndFolder>\ntds_orig.dit
        > move <TempDriveAndFolder>\ntds.dit <CurrentDriveAndFolder>\ntds.dit

7. Repeat the steps in Recipe 16.7 to ensure the new DIT is not corrupted. If it is clean, reboot into normal mode and monitor the event log. If no errors are reported in the event log, make sure the domain controller is backed up as soon as possible.

16.12.3 Discussion
Performing an offline defragmentation of your domain controllers can reclaim disk space if you've deleted a large number of objects from Active Directory. You should only perform an offline defrag when (and if) this occurs, e.g., following a spin-off. The database will reuse whitespace and grow organically as required. Typically, the database grows year over year as more objects are added, so the offline defrag should seldom be required. An offline defrag always carries a small element of risk, so it should not be done unnecessarily.

You might want to consider doing an offline defrag after the upgrade to Windows Server 2003. A new feature called single instance storage for security descriptors can greatly reduce the amount of space your DIT requires. With this new feature, unique security descriptors are stored once regardless of how many times they are used, whereas in Windows 2000 the same security descriptor would be stored individually on each object that uses it.

The key thing to plan ahead of time is your disk space requirements. If you plan on creating the compacted copy of the DIT on the same drive as the current DIT, you need to make sure that drive has 115% of the size of the DIT available. If you plan on storing the original DIT on the same drive, you'll need to make sure you have at least that much space available.

16.12.4 See Also
Recipe 16.2 for booting into Directory Services Restore Mode, Recipe 16.7 for checking the integrity of the DIT, MS KB 198793 (The Active Directory Database Garbage Collection Process), MS KB 229602 (Defragmentation of the Active Directory Database), and MS KB 232122 (Performing Offline Defragmentation of the Active Directory Database)

Recipe 16.13 Changing the Garbage Collection Interval

16.13.1 Problem
You want to change the default garbage collection interval.

16.13.2 Solution

16.13.2.1 Using a graphical user interface
1. Open ADSI Edit.
2. In the left pane, expand cn=Configuration → cn=Services → cn=Windows NT.
3. Right-click on cn=Directory Service and select Properties.
4. Edit the garbageCollPeriod attribute and set it to the interval in hours that the garbage collection process should run (the default is 12 hours).
5. Click OK.

16.13.2.2 Using a command-line interface
Create an LDIF file called change_garbage_period.ldf with the following contents:

    dn: cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<ForestRootDN>
    changetype: modify
    replace: garbageCollPeriod
    garbageCollPeriod: <IntervalInHours>
    -

then run the following command:

    > ldifde -v -i -f change_garbage_period.ldf

16.13.2.3 Using VBScript

    ' This code changes the default garbage collection interval
    ' ----- SCRIPT CONFIGURATION -----
    intGarbageColl = <IntervalInHours>
    ' ----- END CONFIGURATION --------
    set objRootDSE = GetObject("LDAP://RootDSE")
    set objDSCont = GetObject("LDAP://cn=Directory Service,cn=Windows NT," & _
                              "cn=Services," & objRootDSE.Get("configurationNamingContext") )
    objDSCont.Put "garbageCollPeriod", intGarbageColl
    objDSCont.SetInfo
    WScript.Echo "Successfully set the garbage collection interval to " & _
                 intGarbageColl

16.13.3 Discussion
When an object is deleted from the Configuration naming context, a Domain naming context, or an application partition, the original object is removed from Active Directory, and a tombstone object is created that contains a small subset of the object's original attributes. This tombstone object remains in Active Directory for the duration of the tombstone lifetime (default is 60 days) before it gets completely removed. See Recipe 16.18 for more information on the tombstone lifetime.

A garbage collection process runs on each domain controller that automatically removes expired tombstone objects. This process runs every 12 hours by default, but you can change it to run more or less frequently by setting the garbageCollPeriod attribute on the cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<RootDomainDN> object to the frequency in hours.
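Recipes 16.10 and 16.13 both hand-write a small LDIF modify file for ldifde. The following Python script is an added example, not code from the book: it generates both files (the RootDSE DoOnlineDefrag modify with its empty dn line, and the garbageCollPeriod modify against the Directory Service object under the configuration container), validates the integer values before anything is written, and base64-encodes values that LDIF cannot carry in plain form. The forest root DN "dc=example,dc=local" and the helper names are constructed for the example; the attribute names, DN template and file names are the recipes' own.

```python
"""Generate the LDIF modify files from Recipes 16.10 and 16.13 for use with
ldifde -v -i -f <file>.  Added example; not part of the Active Directory Cookbook."""
import base64


def _needs_base64(value: str) -> bool:
    """RFC 2849: values that start with space, ':' or '<', end with a space, or contain
    NUL/CR/LF/non-ASCII must be written base64-encoded with a double colon."""
    if value == "":
        return False
    if value[0] in " :<" or value.endswith(" "):
        return True
    return any(ord(ch) > 127 or ch in "\x00\r\n" for ch in value)


def _attr_line(attr: str, value: str) -> str:
    """One 'attr: value' LDIF line, switching to 'attr:: base64' when required."""
    if _needs_base64(value):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {encoded}"
    return f"{attr}: {value}"


def build_modify_ldif(dn: str, replacements: dict) -> str:
    """Build a changetype: modify record with one replace block per attribute.
    An empty dn (the RootDSE, as in Recipe 16.10) is written as a bare 'dn:' line."""
    lines = ["dn:" if dn == "" else _attr_line("dn", dn), "changetype: modify"]
    for attr, value in replacements.items():
        lines.append(f"replace: {attr}")
        lines.append(_attr_line(attr, str(value)))
        lines.append("-")  # each replace block is terminated by a lone hyphen
    return "\n".join(lines) + "\n"


def _positive_int(value, what: str) -> int:
    if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
        raise ValueError(f"{what} must be a positive whole number, got {value!r}")
    return value


def online_defrag_ldif(max_seconds: int = 180) -> str:
    """Recipe 16.10: write DoOnlineDefrag to the RootDSE; the value is the maximum
    run time of the online defrag in seconds."""
    return build_modify_ldif("", {"DoOnlineDefrag": _positive_int(max_seconds, "DoOnlineDefrag")})


def directory_service_dn(forest_root_dn: str) -> str:
    """DN template used by Recipe 16.13."""
    return f"cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,{forest_root_dn}"


def garbage_coll_period_ldif(forest_root_dn: str, interval_hours: int) -> str:
    """Recipe 16.13: set garbageCollPeriod (in hours) on the Directory Service object."""
    hours = _positive_int(interval_hours, "garbageCollPeriod")
    return build_modify_ldif(directory_service_dn(forest_root_dn), {"garbageCollPeriod": hours})


def write_ldif(path: str, text: str) -> None:
    """Write CRLF-terminated ASCII, which ldifde on Windows reads without complaint."""
    with open(path, "w", encoding="ascii", newline="\r\n") as fh:
        fh.write(text)


if __name__ == "__main__":
    forest_root = "dc=example,dc=local"  # constructed example value, not from the book
    write_ldif("online_defrag.ldf", online_defrag_ldif(180))
    write_ldif("change_garbage_period.ldf", garbage_coll_period_ldif(forest_root, 6))
    print(online_defrag_ldif(180))
    print(garbage_coll_period_ldif(forest_root, 6))
```

The generated files are imported exactly as the recipes show (ldifde -v -i -f online_defrag.ldf); the script itself never touches the directory, so it can be reviewed and diffed before anyone with administrator rights runs the import.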
16.13.4 See Also
Recipe 16.18 for modifying the tombstone lifetime, Recipe 16.14 for logging the number of tombstones that get garbage collected, and MS KB 198793 (The Active Directory Database Garbage Collection Process)

Recipe 16.14 Logging the Number of Expired Tombstone Objects

16.14.1 Problem
You want to log the number of expired tombstone objects that are removed from Active Directory during each garbage-collection cycle.

16.14.2 Solution

16.14.2.1 Using a graphical user interface
1. Run regedit.exe from the command line or Start → Run.
2. Expand HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → NTDS → Diagnostics.
3. In the right pane, double-click on 6 Garbage Collection.
4. For Value data, enter 3.
5. Click OK.

16.14.2.2 Using a command-line interface

    > reg add HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics /v "6 Garbage Collection" /t REG_DWORD /d 3

16.14.2.3 Using VBScript

    ' This code enables garbage collection logging.
    ' ----- SCRIPT CONFIGURATION -----
    strDCName = "<DomainControllerName>"
    intValue = 3
    ' ----- END CONFIGURATION --------
    const HKLM = &H80000002
    strNTDSReg = "SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"
    set objReg = GetObject("winmgmts:\\" & strDCName & "\root\default:StdRegProv")
    objReg.SetDWORDValue HKLM, strNTDSReg, "6 Garbage Collection", intValue
    WScript.Echo "Garbage Collection logging enabled"

16.14.3 Discussion
Here is a sample event that is logged when the 6 Garbage Collection diagnostics logging level is set to 3 or higher:

    Event Type:     Information
    Event Source:   NTDS General
    Event Category: Garbage Collection
    Event ID:       1006
    Date:           6/24/2003
    Time:           11:29:31 AM
    User:           NT AUTHORITY\ANONYMOUS LOGON
    Computer:       DC1
    Description:
    Internal event: Finished removing deleted objects that have expired (garbage collection).
    Number of expired deleted objects that have been removed: 229.
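Recipes 16.11 and 16.14 turn on diagnostics logging and then leave you reading events 1646 and 1006 by hand; Recipe 16.12 adds the 115% disk-space rule of thumb for the offline defrag. The Python below is an added example, not code from the book: it parses exported NTDS event text of the shape shown in the two recipes, pulls out the free/allocated megabytes from a 1646 event and the tombstone count from a 1006 event, and applies the 115% rule to a proposed target drive. The two event texts are copied from the recipes' own samples and are the only input; the function names and the keep_copy_of_original option (my reading of the discussion's "if you plan on storing the original DIT on the same drive") are constructed for the example.

```python
"""Parse NTDS garbage-collection events (1646 and 1006) and apply the offline-defrag
space rule of thumb from Recipe 16.12.  Added example; not from the Active Directory Cookbook."""
import math
import re

# Sample inputs: the 1646 and 1006 events printed in Recipes 16.11 and 16.14.
EVENT_1646 = """Event Type: Information
Event Source: NTDS Database
Event Category: Garbage Collection
Event ID: 1646
Date: 5/25/2003
Time: 9:52:46 AM
User: NT AUTHORITY\\ANONYMOUS LOGON
Computer: DC1
Description:
Internal event: The Active Directory database has the following amount of free hard disk space remaining.
Free hard disk space (megabytes): 100
Total allocated hard disk space (megabytes): 1024
"""

EVENT_1006 = """Event Type: Information
Event Source: NTDS General
Event Category: Garbage Collection
Event ID: 1006
Date: 6/24/2003
Time: 11:29:31 AM
User: NT AUTHORITY\\ANONYMOUS LOGON
Computer: DC1
Description:
Internal event: Finished removing deleted objects that have expired (garbage collection).
Number of expired deleted objects that have been removed: 229.
"""

_HEADER = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")
_MEGABYTES = re.compile(r"^(Free|Total allocated) hard disk space \(megabytes\):\s*(\d+)$")
_REMOVED = re.compile(r"Number of expired deleted objects that have been removed:\s*(\d+)")


def parse_ntds_event(text: str) -> dict:
    """Split an exported event into its header fields and pick the numbers out of the
    description. Header lines are 'Key: value'; everything after 'Description:' is body."""
    ev = {"description": []}
    in_description = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not in_description:
            if line == "Description:":
                in_description = True
                continue
            m = _HEADER.match(line)
            if m:
                ev[m.group(1)] = m.group(2).strip()
            continue
        m = _MEGABYTES.match(line)
        if m:  # 1646: free vs. allocated DIT space
            ev["free_mb" if m.group(1) == "Free" else "total_mb"] = int(m.group(2))
        m = _REMOVED.search(line)
        if m:  # 1006: tombstones removed in this cycle
            ev["tombstones_removed"] = int(m.group(1))
        ev["description"].append(line)
    ev["event_id"] = int(ev.pop("Event ID", "0"))
    ev["description"] = " ".join(ev["description"])
    return ev


def whitespace_summary(ev: dict) -> dict:
    """Whitespace figures from a parsed 1646 event, as Recipe 16.11 reads them."""
    if ev.get("event_id") != 1646 or "free_mb" not in ev or "total_mb" not in ev:
        raise ValueError("expected a parsed NTDS event 1646 with free/total megabytes")
    free, total = ev["free_mb"], ev["total_mb"]
    return {"computer": ev.get("Computer"), "free_mb": free, "total_mb": total,
            "whitespace_pct": round(100.0 * free / total, 1)}


def offline_defrag_space_check(total_mb: int, target_free_mb: int,
                               keep_copy_of_original: bool = False) -> dict:
    """Recipe 16.12 rule of thumb: the drive receiving the compacted copy needs at least
    115% of the current DIT size; keeping a copy of the original there needs the DIT size again."""
    required = math.ceil(total_mb * 1.15)
    if keep_copy_of_original:
        required += total_mb
    return {"required_mb": required, "available_mb": target_free_mb,
            "ok": target_free_mb >= required}


if __name__ == "__main__":
    ws = whitespace_summary(parse_ntds_event(EVENT_1646))
    print(f"{ws['computer']}: {ws['free_mb']} MB free of {ws['total_mb']} MB ({ws['whitespace_pct']}% whitespace)")
    print("space check, 1200 MB free on target:", offline_defrag_space_check(ws["total_mb"], 1200))
    print("tombstones removed:", parse_ntds_event(EVENT_1006)["tombstones_removed"])
```

Feeding every 1646 event from each domain controller through whitespace_summary over time gives the "average size of your DIT" that Recipe 16.15 suggests watching, so a sudden jump in total_mb or a steadily growing tombstones_removed count stands out instead of being read once and forgotten.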
16.14.4 See Also
Recipe 15.2 for more on diagnostics logging and Recipe 16.13 for more on the garbage-collection process

Recipe 16.15 Determining the Size of the Active Directory Database

16.15.1 Problem
You want to determine the size of the Active Directory database.

16.15.2 Solution

16.15.2.1 Using a command-line interface
If you are in DS Restore Mode, you can use ntdsutil to report the size of the Active Directory database:

    > ntdsutil files info

If you are not in DS Restore Mode and run this command, you will receive the following error message:

    *** Error: Operation only allowed when booted in DS restore mode
    "set SAFEBOOT_OPTION=DSREPAIR" to override - NOT RECOMMENDED!

As you can see, it is possible to override this failure by setting the SAFEBOOT_OPTION environment variable to DSREPAIR, but I do not recommend this unless you know what you are doing. By setting that environment variable, the ntdsutil command will not stop you from performing other commands. This can be very dangerous.

Another method, which is safer and easier, is to bring up a command shell by going to Start → Run, typing cmd.exe, and pressing Enter. Then type cd <NTDSDir>, where <NTDSDir> is the full path to the ntds.dit file. Finally, run the dir command; the output will show the size of the files.

16.15.3 Discussion
The size of the Active Directory database on a domain controller is effectively the size of the ntds.dit file. This file can vary slightly in size between domain controllers even within the same domain due to unreplicated changes or differences with nonreplicated data. You should monitor the size of this file on one or more domain controllers in each domain to ensure you have adequate disk space. Also, by knowing the average size of your DIT, you can recognize if it spikes dramatically, perhaps due to a new application that is writing data to the directory.

If you find that you are running out of disk space, you have a couple of options. You could move the Active Directory files to a new drive with more capacity. Alternatively, you can perform an offline defragmentation if the DIT file contains a lot of whitespace.

16.15.4 See Also
Recipe 16.8 for moving the DIT files, Recipe 16.11 for determining how much whitespace is in the DIT, and Recipe 16.12 for performing an offline defragmentation of the Active Directory database

Recipe 16.16 Searching for Deleted Objects

16.16.1 Problem
You want to search for deleted objects.

16.16.2 Solution

16.16.2.1 Using a graphical user interface
1. Open LDP.
2. From the menu, select Connection → Connect.
3. For Server, enter the name of a domain controller you want to target (or leave blank to do a serverless bind).
4. For Port, enter 389.
5. Click OK.
6. From the menu, select Connection → Bind.
7. Enter credentials of a user that is an administrator for the domain.
8. Click OK.
9. From the menu, select Options → Controls.
10. For Windows Server 2003, select the Return Deleted Objects control under Load Predefined.
11. For Windows 2000, type 1.2.840.113556.1.4.417 for the Object Identifier and click the Check In button.
12. Click OK.
13. From the menu, select Browse → Search.
14. For BaseDN, enter: cn=Deleted Objects,<DomainDN>.
15. For Scope, select One Level.
16. For Filter, enter: (isDeleted=TRUE).
17. Click the Options button.
18. Under Search Call Type, select Extended.
19. Click OK.
20. Click Run.

16.16.2.2 Using a command-line interface
As of this writing, none of the standard command-line tools provide a way to search for deleted objects.

16.16.2.3 Using VBScript
It is currently not possible to search for deleted objects with ADSI or ADO.

16.16.3 Discussion
When an object is deleted in Active Directory, it is not completely deleted. The original object is removed, but a tombstone (deleted) object takes its place in the Deleted Objects container within the naming context it was deleted in. See the Introduction in Chapter 16 for more on tombstone objects.

Both the Deleted Objects container and tombstone objects themselves are hidden by default in tools such as Active Directory Users and Computers and ADSI Edit. To query tombstone objects you have to enable the Return Deleted Objects LDAP control, which has an OID of 1.2.840.113556.1.4.417. When that control is enabled, you can perform searches for tombstone objects by specifying a search filter that contains (isDeleted=TRUE) in it. Only members of the administrator groups can perform searches for tombstone objects.

16.16.4 See Also
MSDN: Retrieving Deleted Objects

Recipe 16.17 Restoring a Deleted Object

This recipe must be run against a Windows Server 2003 domain controller.

16.17.1 Problem
You want to restore an object that was previously deleted.

16.17.2 Solution

16.17.2.1 Using a graphical user interface
1. Open LDP.
2. From the menu, select Connection → Connect.
3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
4. For Port, enter 389.
5. Click OK.
6. From the menu, select Connection → Bind.
7. Enter credentials of a user that can restore the deleted object (only administrators for the domain by default).
8. Click OK.
9. From the menu, select Options → Controls.
10. Select Return deleted objects from the Load Predefined selection.
11. Click OK.
12. From the menu, select Browse → Modify.
13. For Dn, enter the distinguished name of the deleted object you want to restore.
14. For Attribute, enter distinguishedName.
15. For Values, enter the original DN of the object.
16. For Operation, select Replace.
17. Click Enter.
18. For Attribute, enter isDeleted.
19. For Values, remove any text.
20. For Operation, select Delete.
21. Click Enter.
22. Add mandatory attributes as necessary:

Posted: 05/07/2014, 08:20