Troubleshooting the Active Directory DIT database file using NTDSutil

While we seldom do it manually, there may be times when one needs to perform fixes while troubleshooting the AD database file, C:\Windows\NTDS\ntds.dit. DIT stands for Directory Information Tree. Here are some scenarios that one may encounter:

  1. How do you perform an offline defragmentation of the AD database file? Run net stop ntds. This assumes you are on a Windows Server version with restartable AD DS; on an earlier version that does not support it, such as Windows 2000 Server, reboot into Directory Service Restore Mode instead. Then start ntdsutil, type activate instance ntds, then File, and you will be placed at the File Maintenance prompt. Type help and you will notice that a different set of commands is available here; one of them reads compact to %s, where %s is the path for the new compacted (defragmented) copy of ntds.dit. So type compact to k:\ntds, where k:\ntds is the location where the compacted copy will be written. A progress bar shows the defragmentation status until completion; this is a brief process. The tool then prompts you to copy the defragmented ntds.dit over the existing one, and you need to delete all log files at the existing location. Note that online defragmentation runs automatically every 12 hours, depending on the Windows Server version and release, but it is the offline defragmentation that actually frees up space. For an offline defragmentation you need to stop the AD DS service first, or boot into Directory Service Restore Mode on an earlier version of Windows Server running as a DC.
  2. How do you perform an integrity check of your ntds.dit? Assuming a DC with restartable AD DS, follow the steps above to stop the service, then type ntdsutil, File, integrity. You will see the integrity scan run to completion, after which the tool prompts you to perform a semantic database analysis; you can follow that prompt.
  3. This leads us to the next question: how do you perform a semantic database analysis of the AD database file? Answer: go to ntdsutil and type semantic database analysis. If this is too long to type, note that all commands and sub-commands in the ntdsutil tool can be abbreviated, e.g. semantic database analysis can be typed as sem data analy, as long as the abbreviation is unambiguous. At the semantic database analysis prompt, type go or go fixup. It will say Opening DIT database ...done. A summary is written into the log file dsdit.dmp, and the numbers of IDs scanned and records scanned are displayed.
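The three file-maintenance steps above (offline compaction, integrity check, semantic database analysis) run end to end from a PowerShell session in the following added example. This is not code from the original post; it relies on ntdsutil accepting each prompt command as a quoted argument, and the scratch location D:\ntds_compact, the backup folder and the 25% free-space margin are assumptions chosen for the example.

```powershell
# Added example (not from the original post): offline defragmentation, integrity
# check and semantic database analysis of ntds.dit on a DC with restartable AD DS,
# driven from PowerShell instead of the interactive ntdsutil prompt.
# $CompactDir and $BackupDir are assumed locations; adjust them to your drives.
$ErrorActionPreference = 'Stop'
$NtdsDir    = Join-Path $env:SystemRoot 'NTDS'          # default DIT location
$DitPath    = Join-Path $NtdsDir 'ntds.dit'
$CompactDir = 'D:\ntds_compact'                          # assumed scratch location
$BackupDir  = Join-Path $NtdsDir ('backup_' + (Get-Date -Format 'yyyyMMdd_HHmmss'))

# Sanity check before taking the directory offline: the compacted copy needs at
# least as much free space as the current file (the 25% margin on top of that is
# an assumption for this example, not a figure from the original post).
$ditBytes = (Get-Item $DitPath).Length
$drive    = Get-PSDrive -Name $CompactDir.Substring(0, 1)
if ($drive.Free -lt ($ditBytes * 1.25)) {
    throw "Not enough free space on $($drive.Name): for compaction ($ditBytes bytes plus margin needed)"
}
New-Item -ItemType Directory -Path $CompactDir, $BackupDir -Force | Out-Null

# 1. Stop AD DS (the post's 'net stop ntds'); /y answers the dependent-service prompt.
& net stop ntds /y

# 2. Offline defragmentation: 'compact to <dir>' writes a new ntds.dit into $CompactDir.
& ntdsutil "activate instance ntds" files "compact to $CompactDir" quit quit

# 3. Keep the original DIT and its logs, then swap in the compacted copy and
#    delete the old transaction logs, as the tool itself instructs.
Copy-Item -Path (Join-Path $NtdsDir '*') -Include 'ntds.dit', '*.log' -Destination $BackupDir
Copy-Item -Path (Join-Path $CompactDir 'ntds.dit') -Destination $DitPath -Force
Remove-Item -Path (Join-Path $NtdsDir '*.log') -Force

# 4. Integrity check on the swapped-in file, then semantic database analysis with
#    fixup (the post notes the summary goes to dsdit.dmp).
& ntdsutil "activate instance ntds" files integrity quit quit
& ntdsutil "activate instance ntds" "semantic database analysis" "go fixup" quit quit

# 5. Bring AD DS back. Read the ntdsutil output above before trusting the result;
#    do not rely on the exit code alone.
& net start ntds
```

Keep the backup folder until the DC has replicated cleanly afterwards; if the integrity check or the analysis reports problems, the original ntds.dit and logs can be copied back from it before starting the service.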
  4. How do you seize the FSMO (Flexible Single Master Operation) roles of your domain when a safe transfer of these roles does not work because the DC holding them has been permanently shut down or is unavailable? Go to ntdsutil and type role. Type help to see the list of commands available at the role prompt. Note that before you can seize a particular FSMO role, you need to make a connection to the remaining online DC that you intend to make the new role holder; typically this is the local DC itself. Type connection, then at the server connect prompt type connect to server <DCName in FQDN>, e.g. connect to DC2.hello.com, because all communication between DCs takes place via FQDN (Fully Qualified Domain Name) rather than NetBIOS name. Transferring FSMO roles requires this connection, and making the connection requires that the target DC has its AD DS service started (unlike the ntdsutil File scenarios above); otherwise the connection fails. Once connected, a message confirms that you are connected to the target DC with the locally logged-on credential. Type q to return to the prior prompt, the FSMO maintenance prompt, and type seize <FSMOName>, i.e. seize infrastructure master, seize naming master (the Domain Naming Master), seize PDC (the PDC Emulator), seize RID master or seize schema master, for each role you want to seize. A Role Seizure Confirmation dialog appears; confirm it. The tool attempts a safe transfer before seizing; if the transfer succeeds, you are done, otherwise the seizure proceeds.
  5. How do you reset your DSRM (Directory Service Restore Mode) Administrator password? This is the password typically assigned during the DC promotion process. It is the logon credential used when your AD domain is shut down and you need a local credential to log on to the local machine, namely the DC, for troubleshooting purposes, for example with the NTDSutil tool. You do not need the AD DS service shut down for this. Just type ntdsutil, then set dsrm password, then reset password on server localhost (note that localhost is accepted). You are now at the password reset prompt; type your desired password. It must comply with the existing password policy requirements in your domain, namely the password complexity policy. Say you type Pa$$w0rd and it is accepted; the tool confirms with a message that the password has been set successfully.
  6. How do you create installation media for writable and read-only domain controllers that run Windows Server 2008? Answer: type ntdsutil, activate instance ntds, then ifm. At the ifm prompt you have options to create IFM media for a full AD DC or an AD LDS instance, with or without defragmenting, and to create IFM media for an RODC (Read-only domain controller). You can also create IFM media with Sysvol for a full AD DC, with or without defragmenting, into a folder.
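As an added example that is not part of the original post, the following PowerShell creates IFM media with Sysvol for a writable DC and for an RODC, verifies the resulting layout and restricts the folders' permissions. The output paths are assumptions; the check for an Active Directory\ntds.dit file, a registry folder and a SYSVOL folder reflects the layout ntdsutil writes. IFM media carries a full copy of the directory database, so it deserves the same protection as the DC itself and should be deleted once the new DC has been promoted.

```powershell
# Added example (not from the original post): create IFM media including SYSVOL
# for a writable DC and for an RODC, verify the layout, and lock the folders down.
# $IfmFull and $IfmRodc are assumed locations.
$ErrorActionPreference = 'Stop'
$IfmFull = 'D:\IFM\full'
$IfmRodc = 'D:\IFM\rodc'
New-Item -ItemType Directory -Path $IfmFull, $IfmRodc -Force | Out-Null

# ifm sub-commands: 'create sysvol full <dir>' for a writable DC and
# 'create sysvol rodc <dir>' for an RODC (the RODC media is created without
# secrets). Both defragment the copy unless the no-defrag variant listed by
# 'help' at the ifm prompt is used.
& ntdsutil "activate instance ntds" ifm "create sysvol full $IfmFull" quit quit
& ntdsutil "activate instance ntds" ifm "create sysvol rodc $IfmRodc" quit quit

function Test-IfmMedia {
    param([string]$Dir)
    # Expected layout written by ntdsutil: 'Active Directory\ntds.dit', 'registry', 'SYSVOL'
    $expected = @('Active Directory\ntds.dit', 'registry', 'SYSVOL')
    $missing  = $expected | Where-Object { -not (Test-Path (Join-Path $Dir $_)) }
    if ($missing) { throw "IFM media at $Dir is incomplete, missing: $($missing -join ', ')" }
    return $true
}
Test-IfmMedia $IfmFull
Test-IfmMedia $IfmRodc

# The media contains a full ntds.dit: strip inherited ACEs and allow only
# Administrators and SYSTEM until it is consumed by the new DC and deleted.
foreach ($dir in $IfmFull, $IfmRodc) {
    & icacls $dir /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
}
```

If the media has to leave the server, copy it only over a protected channel or onto encrypted removable storage, and remove both the source and the transported copy once the promotion has completed.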
  7. How do you clean up server metadata? On a DC, type ntdsutil, then metadata cleanup. The options you have are: Remove AD DS objects for selected domain, Remove objects for selected naming context, and Remove objects for selected servers; you can also select the operation target here. Metadata cleanup removes the data from Active Directory that identifies a domain controller to the replication system. This procedure is required only for domain controllers that were not successfully demoted using Dcpromo. On a DC running Windows Server 2003 with SP1, metadata cleanup also removes File Replication Service (FRS) connections and attempts to transfer or seize any operations master roles that the retired domain controller holds.
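Items 4 and 7 are usually performed together after a role holder is permanently lost: seize the roles onto a surviving DC, then remove the dead DC's metadata so it does not linger in replication. The added example below (not code from the original post) does this from PowerShell, using DC2.hello.com from the post as the new holder. It assumes the ActiveDirectory module is installed, that the retired DC is DC1 in the default site (the DN is constructed for the example; take yours from CN=Sites,CN=Configuration), and it reads the role holders before and after with Get-ADDomain and Get-ADForest.

```powershell
# Added example (not from the original post): seize all five FSMO roles onto
# DC2.hello.com after the original holder is permanently gone, then clean up
# the dead DC's metadata. $DeadDcDn is an assumed DN built for this example.
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory                           # RSAT AD PowerShell module
$TargetDc = 'DC2.hello.com'                             # new role holder, as an FQDN
$DeadDcDn = 'CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hello,DC=com'
$Roles    = 'schema master', 'naming master', 'PDC', 'RID master', 'infrastructure master'

function Get-FsmoHolders {
    # Current holders as the directory records them; a dead holder still shows
    # here until the roles are seized, which is exactly the situation seizure is for.
    $d = Get-ADDomain
    $f = Get-ADForest
    [ordered]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

Write-Host 'FSMO holders before seizure:'
Get-FsmoHolders | Format-Table -AutoSize

# Connect to the DC that will take the roles (its AD DS service must be running),
# then seize each role. ntdsutil tries a safe transfer first and seizes only if
# that fails; the Role Seizure Confirmation dialog still appears once per role.
foreach ($role in $Roles) {
    & ntdsutil roles connections "connect to server $TargetDc" quit "seize $role" quit quit
}

Write-Host 'FSMO holders after seizure:'
Get-FsmoHolders | Format-Table -AutoSize

# Remove the retired DC's metadata (NTDS settings, replication connections and
# any remaining role references) so it cannot re-enter replication.
& ntdsutil "metadata cleanup" "remove selected server $DeadDcDn" quit quit
```

The before/after listing is the check worth keeping: every entry should name DC2.hello.com afterwards. Microsoft's guidance is that a DC whose schema master, domain naming master or RID master role was seized must not be brought back online, which is why the metadata cleanup follows immediately rather than being left for later.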
  8. Other configurable options in the NTDSutil tool on Windows Server 2012 are:
  • Authoritative restore of the DIT database
  • Change of AD DS/LDS Service Accounts
  • Configurable settings management
  • AD DS/LDS behavior
  • Group membership evaluation
  • Evaluating SIDs in token for a given user or group
  • LDAP protocol policies
  • Configuration of LDAP Port for an AD LDS instance
  • Local RODC role management
  • Directory partitions management
  • Security account management - Duplicate SID cleanup
  • Snapshot management
  • SSL Port configuration for an AD LDS instance

Common question (which does not need the NTDSutil tool): how do you undefine an AD domain password policy setting, i.e. Maximum password length, Minimum password age, Enforce password history? Setting the threshold to 0 for each of these (Maximum password length, Minimum password age, Enforce password history) undefines them.

Ken Sim, Technical Evangelist, Microsoft Corporation, MCT