Tag Archives: AD database

How to create Active Directory Snapshots?

In one of my previous posts I explained what system state is and how it can be used to back up Active Directory data. With Windows Server 2008 Microsoft introduced a second option, Active Directory snapshots. The feature uses the Volume Shadow Copy Service (VSS) on the domain controller to take a shadow copy of the volumes that hold the AD database (ntds.dit) and its transaction logs. A snapshot can later be mounted and exposed as a separate, read-only LDAP instance, so you can look at (or copy out) directory data as it was at that point in time without touching the live directory or restoring anything.

To create, list, mount or delete AD snapshots you need to be a member of the Domain Admins or Enterprise Admins group. Keep in mind what a snapshot contains: a complete copy of ntds.dit, password hashes included. Anyone who can run ntdsutil and dsamain on a domain controller, or who can read the mounted snapshot folder, can take those hashes offline, and attackers use exactly this workflow for credential theft. Alert on ntdsutil.exe and dsamain.exe execution on domain controllers, unmount snapshots as soon as you are done with them, and delete snapshots you no longer need (the ntdsutil snapshot menu has a delete command for that).

Let's see how we can create an Active Directory snapshot.

1)    Log in to the domain controller as a domain administrator or enterprise administrator.
2)    Right click on the Start button and select "Command Prompt (Admin)". This opens an elevated command prompt.
3)    In the command prompt type ntdsutil and press Enter to open the ntdsutil tool.
4)    Then type snapshot and press Enter.
5)    Next type activate instance ntds and press Enter. This points ntdsutil at the AD DS instance on this server.
6)    Then type create and press Enter. ntdsutil asks VSS for a shadow copy of every volume that holds the database or the logs and prints a line similar to "Snapshot set {GUID} generated successfully." Note the GUID; it identifies this snapshot set.
7)    Type quit and press Enter to leave the utility. You have to do it twice, once for the snapshot menu and once for ntdsutil itself.

Before we can use a snapshot created by this process we need to mount it, using the same ntdsutil snapshot menu. Let's see how.

1)    Log in to the domain controller as a domain administrator or enterprise administrator.
2)    Right click on the Start button and select "Command Prompt (Admin)" to open an elevated command prompt.
3)    Type ntdsutil and press Enter.
4)    Type activate instance ntds and press Enter.
5)    Type snapshot and press Enter.
6)    Type list all and press Enter.
7)    It lists every snapshot on the server. Each snapshot set appears as a numbered timestamp entry followed by one numbered entry per volume in the set (for example a "C:" line and an "E:" line). Pick the entry for the volume that holds ntds.dit.
8)    Run mount 2 (2 is the number shown in the list for the entry I wanted to mount; use the number from your own list).
9)    As the output says, it mounted the snapshot on the C: drive in the folder $SNAP_201502260503_VOLUMEE$. The folder name encodes the snapshot time and the volume it came from (VOLUMEE means the E: drive of this DC, which is where this DC keeps its database). Note the full path; we need it in the next step.
10)    Type quit twice to exit the utility. The snapshot stays mounted after ntdsutil closes.

Now, to serve the mounted snapshot as an LDAP instance, run the following in the same elevated prompt:

dsamain -dbpath C:\$SNAP_201502260503_VOLUMEE$\ADDB\ntds.dit -ldapport 10000

The dbpath is the ntds.dit inside the mount folder from the previous step; it changes with every snapshot, and the part after the folder name (ADDB\ntds.dit here) is the same relative path the DC uses on the original volume. ldapport is any TCP port on the server that is not already in use. dsamain also needs ports for SSL, global catalog and global catalog SSL; if you do not specify them (-sslport, -gcport, -gcsslport) it uses the next three port numbers after the LDAP port, so 10001 to 10003 must be free as well in this example. The instance is read-only, and by default only Domain Admins and Enterprise Admins can bind to it unless you start it with -allowNonAdminAccess.

Once dsamain reports that the instance is ready, the snapshot can be queried on port 10000.

Keep this window open until we finish the next steps; closing it, or pressing CTRL+C, stops the instance.

Let's see how we can view the content of the snapshot using the Active Directory Users and Computers console.

1)    Go to Server Manager > Tools > Active Directory Users and Computers.
2)    In the console right click on "Active Directory Users and Computers" and select "Change Domain Controller".
3)    Type the domain controller name and the port in the form DCNAME:10000 (the port we gave to dsamain), then click OK.
4)    The console now shows the directory as it was when the snapshot was taken. Everything is read-only: you can browse and compare objects, but changes cannot be saved, and nothing you do here affects the live domain.

Disconnect and unmount the snapshot

To stop the running instance, go back to the command prompt we left open and press CTRL+C. dsamain shuts the instance down.

1)    Type ntdsutil to go into the ntdsutil tool.
2)    Type activate instance ntds and press Enter.
3)    Type snapshot and press Enter.
4)    Type list all and press Enter.
5)    It lists all the snapshots; mounted ones show their mount path.
6)    Type unmount 2 (the number of the entry I mounted before). This unmounts the snapshot and removes the $SNAP_ folder. If you no longer need the snapshot itself, delete followed by the same number removes the shadow copy as well; a snapshot left on the disk is still a full copy of ntds.dit.
7)    Type quit twice to exit the utility.
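Here is the whole sequence from this article (create, list, mount, serve with dsamain, query, unmount and delete) as a PowerShell script. This is an added example and not part of the original post. It assumes port 10000, the output wording of ntdsutil's list all and mount commands noted in the comments, and that the newest snapshot is listed last; the function names are mine. Run it in an elevated PowerShell session on the domain controller.

```powershell
# Added example, not code from the original post: the snapshot create / mount /
# dsamain / unmount sequence described above, driven from an elevated PowerShell
# session on the domain controller. Assumptions (ours, not the article's): the
# LDAP port 10000; that "list all" prints lines of the form "<n>: <label> {GUID}"
# with a drive letter as the label of per-volume entries; that "mount" prints
# "mounted as <path>"; and that the newest snapshot is listed last.

$LdapPort   = 10000
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Invoke-Ntdsutil {
    # Run a batch of ntdsutil menu commands non-interactively and return the text output.
    param([string[]]$Commands)
    (& ntdsutil.exe @Commands 2>&1) | Out-String
}

function New-AdSnapshot {
    $out = Invoke-Ntdsutil @('activate instance ntds', 'snapshot', 'create', 'quit', 'quit')
    if ($out -notmatch 'generated successfully') { throw "snapshot create failed:`n$out" }
    $out
}

function Get-AdSnapshot {
    # Parse "list all". Volume entries (label "C:", "E:", ...) are what you mount;
    # the timestamped entry is the snapshot set they belong to.
    $out = Invoke-Ntdsutil @('activate instance ntds', 'snapshot', 'list all', 'quit', 'quit')
    foreach ($m in [regex]::Matches($out, '(?m)^\s*(\d+):\s+(\S+)\s+(\{[0-9A-Fa-f-]{36}\})')) {
        [pscustomobject]@{
            Index    = [int]$m.Groups[1].Value
            Label    = $m.Groups[2].Value
            Guid     = $m.Groups[3].Value
            IsVolume = $m.Groups[2].Value -match '^[A-Za-z]:$'
        }
    }
}

function Mount-AdSnapshot {
    param([int]$Index)
    # "list all" must precede "mount <n>" in the same session; the index refers to that list.
    $out = Invoke-Ntdsutil @('activate instance ntds', 'snapshot', 'list all', "mount $Index", 'quit', 'quit')
    if ($out -match 'mounted as\s+(\S+)') { return $Matches[1].TrimEnd('\') }
    throw "mount failed:`n$out"
}

function Start-AdSnapshotInstance {
    param([string]$MountPath, [int]$Port)
    # The snapshot is a whole-volume copy, so ntds.dit sits at the same relative path
    # as on the live volume: E:\ADDB\ntds.dit -> <mount>\ADDB\ntds.dit.
    $live = (Get-ItemProperty $NtdsParams).'DSA Database file'
    $dit  = Join-Path $MountPath $live.Substring(3)
    if (-not (Test-Path $dit)) { throw "no ntds.dit under $MountPath; did you mount the right volume?" }
    # Read-only instance; only Domain/Enterprise Admins can bind unless -allowNonAdminAccess is added.
    # Ports $Port+1..$Port+3 are taken for SSL/GC/GC-SSL by default.
    Start-Process dsamain.exe -ArgumentList "-dbpath `"$dit`" -ldapport $Port" -PassThru
}

function Get-AdSnapshotUserCount {
    param([int]$Port)
    # Plain LDAP against the dsamain instance (no ADWS needed). Retry while dsamain starts up.
    for ($i = 0; $i -lt 30; $i++) {
        try {
            $nc = ([ADSI]"LDAP://localhost:$Port/RootDSE").defaultNamingContext
            $s  = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://localhost:$Port/$nc")
            $s.Filter   = '(&(objectCategory=person)(objectClass=user))'
            $s.PageSize = 1000
            return $s.FindAll().Count
        } catch { Start-Sleep -Seconds 1 }
    }
    throw "snapshot instance on port $Port did not answer"
}

function Remove-AdSnapshot {
    param($Process, [int]$Index)
    if ($Process) { Stop-Process -Id $Process.Id }    # same effect as CTRL+C in the dsamain window
    Invoke-Ntdsutil @('activate instance ntds', 'snapshot', 'list all', "unmount $Index", 'quit', 'quit') | Out-Null
    # The shadow copy itself still holds every password hash; remove it when it is no longer needed.
    Invoke-Ntdsutil @('activate instance ntds', 'snapshot', 'list all', "delete $Index", 'quit', 'quit') | Out-Null
}

# --- usage: create, mount the volume that holds ntds.dit, query, clean up ---
New-AdSnapshot | Out-Null
$dbDrive = ((Get-ItemProperty $NtdsParams).'DSA Database file').Substring(0, 2)   # e.g. "E:"
$snap    = Get-AdSnapshot | Where-Object { $_.IsVolume -and $_.Label -eq $dbDrive } | Select-Object -Last 1
if (-not $snap) { throw "no volume snapshot for $dbDrive found in 'list all' output" }
$mount   = Mount-AdSnapshot -Index $snap.Index
$proc    = Start-AdSnapshotInstance -MountPath $mount -Port $LdapPort
"users in snapshot: $(Get-AdSnapshotUserCount -Port $LdapPort)"
Remove-AdSnapshot -Process $proc -Index $snap.Index
```

Get-AdSnapshotUserCount talks LDAP to the instance through System.DirectoryServices, so it works without ADWS and sees the same data the ADUC console shows on port 10000. Remove-AdSnapshot does what the CTRL+C and unmount steps above do and then deletes the shadow copy as well; that last step is what stops a forgotten snapshot from being a standing copy of every password hash on the server.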

In this article I explained what an Active Directory snapshot is and how it can be used to inspect old directory data during a recovery. If you have any questions feel free to contact me on rebeladm@live.com

How to move active directory database to new location?

When we install Active Directory, the wizard gives us the option to choose where the database files (the NTDS folder) are stored. My advice is always to keep them on a separate partition rather than in the default C:\Windows\NTDS\ folder, but during installation most people pay little attention to that option. So what happens if you later need to move the database somewhere else, for example because the drive is running out of space? Can we really do that?

Yes, we can move it to a different location with the help of ntdsutil.exe. Let's see in detail how it is done.

For my demo I am using a DC that holds its AD database files in the default C:\Windows\NTDS\ folder. I need to move them to a new disk I added to the server, so the new path is E:\ADDB.

The move is done per domain controller: every DC holds its own copy of the database, and the file locations are recorded in that DC's registry (under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters), so repeat the procedure on each DC you want to change. Before we start we need to stop the Active Directory Domain Services service on the DC. While it is stopped this DC does not authenticate anyone or answer LDAP queries, and the services that depend on it (the Kerberos Key Distribution Center and DNS Server among them) stop with it, so make sure you understand the impact on network operations and do it in a maintenance window with other DCs available. Stopping AD DS without a reboot is possible on Windows Server 2008 and later; on older versions you have to restart into Directory Services Restore Mode instead.

1)    Log in to the domain controller you want to change as a domain or enterprise administrator.
2)    Go to Server Manager > Tools > Services.
3)    Once the console loads, right click on "Active Directory Domain Services" and click Stop.
4)    It asks whether it is okay to stop the associated services as well. Click "Yes" to continue. Take a note of which services it lists; they are not started again automatically when AD DS comes back up.

Once the services are stopped we can go ahead with the database move.

1)    Right click on the Start button and click "Command Prompt (Admin)".
2)    Once the command prompt loads, type ntdsutil and press Enter.
3)    Type "activate instance ntds" and press Enter.
4)    Type "files" and press Enter.
5)    In the file maintenance menu we need to give the command that moves the database. In my demo the target is E:\ADDB, so the command is move db to E:\ADDB. If the folder path contains spaces, put it inside double quotes ("E:\AD DB"). Once it executes, ntdsutil moves the database file, updates the paths it keeps in the registry and sets the permissions on the new folder, and prints output like the following.
6)    As you can see, it moved the database file successfully, but the logs are still in the NTDS folder. To move the logs type move logs to E:\ADDB.
7)    Now both the logs and the database are in the new location. While still in the files menu, type info to confirm the paths ntdsutil now has on record, and integrity to run a consistency check on the moved database before bringing the service back.
8)    Now it is time to start Active Directory Domain Services again. Go back to Services, start the service we stopped at the beginning, and then start the dependent services that were stopped along with it; they do not start by themselves.
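The same move done from PowerShell, with the checks a practitioner would want afterwards (paths in the registry, log files present, integrity check, folder ACL). This is an added example, not code from the original post; the destination E:\ADDB, the function names and the "Integrity check successful" wording it looks for in ntdsutil's output are my assumptions. Run it in an elevated PowerShell session on the DC being changed.

```powershell
# Added example, not code from the original post: move ntds.dit and its logs to a
# new volume with ntdsutil and verify what it changed. Run in an elevated
# PowerShell session on the DC being changed; stopping and starting AD DS is done
# here instead of in the Services console. $NewPath is our choice (no spaces, to
# keep ntdsutil's argument quoting simple); the "Integrity check successful"
# wording we test for is assumed from ntdsutil's output.

$NewPath    = 'E:\ADDB'
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-NtdsPaths {
    # ntdsutil records the file locations here; this is what "files > info" reports.
    $p = Get-ItemProperty $NtdsParams
    [pscustomobject]@{
        Database = $p.'DSA Database file'
        Logs     = $p.'Database log files path'
        Working  = $p.'DSA Working Directory'
    }
}

function Test-NtdsFolderAcl {
    # ntds.dit holds every password hash, so only SYSTEM and Administrators may have access.
    # ntdsutil is supposed to set this on the new folder; check it rather than assume it.
    param([string]$Path)
    $allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
    $bad = (Get-Acl $Path).Access | Where-Object { $allowed -notcontains $_.IdentityReference.Value }
    if ($bad) {
        $who = ($bad.IdentityReference.Value | Sort-Object -Unique) -join ', '
        Write-Warning "Unexpected ACEs on ${Path}: $who (inherited from the drive root?)"
    }
    -not $bad
}

function Move-NtdsDatabase {
    param([string]$Destination)
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $before = Get-NtdsPaths
    $size   = (Get-Item $before.Database).Length
    $free   = (Get-PSDrive $Destination.Substring(0, 1)).Free
    if ($free -lt (2 * $size)) { throw "Not enough free space on $Destination for the database plus growth" }

    # Stopping NTDS also stops its dependents (KDC, DNS Server, ...); remember them so they
    # can be started again afterwards, which Start-Service NTDS alone does not do.
    $deps = (Get-Service NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }
    Stop-Service NTDS -Force
    try {
        $out = & ntdsutil.exe 'activate instance ntds' files "move db to $Destination" `
               "move logs to $Destination" integrity quit quit 2>&1 | Out-String
        $after    = Get-NtdsPaths
        $expected = Join-Path $Destination 'ntds.dit'
        if ($after.Database -ne $expected -or -not (Test-Path $expected)) {
            throw "Database move did not take effect:`n$out"
        }
        if ((Get-ChildItem $after.Logs -Filter '*.log').Count -eq 0) {
            throw "No log files found in $($after.Logs):`n$out"
        }
        if ($out -notmatch 'Integrity check successful') { throw "Integrity check did not pass:`n$out" }
        [void](Test-NtdsFolderAcl $Destination)
        [pscustomobject]@{ Before = $before; After = $after }
    } finally {
        Start-Service NTDS
        $deps | Start-Service
    }
}

Move-NtdsDatabase -Destination $NewPath
```

The finally block brings AD DS and its dependents back whether or not the move succeeded, so the DC is never left stopped by a script error; the thrown message still tells you which check failed. The ACL test is the part most people skip: a folder created fresh on a data drive inherits the drive's default permissions, and ntds.dit is not a file that ordinary users should be able to read.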

This completes the process of moving the AD database and its logs. If you have any questions feel free to contact me on rebeladm@live.com

Active Directory Database Optimization

Like any other database, the Active Directory database becomes fragmented as data is written to and deleted from it, and the file does not shrink on its own when space inside it is freed. In a small organization you will not notice much difference, but in a large infrastructure it becomes an issue, so the database needs periodic optimization to keep performance up.

How can we do it?

In Windows we use the defragment tool to optimize a hard drive. There is a similar procedure for defragmenting the Active Directory database.

There are two types of defragmentation used with the Active Directory database.

Online Defragmentation

Microsoft introduced this method with Windows 2000. It runs automatically at fixed intervals (by default every 12 hours) as part of the Active Directory garbage collection process. It reorganizes the data inside the database and makes the space freed by deleted objects available for new ones, but it never reduces the size of the database file. The important point is that no service needs to be taken offline for it.

Offline Defragmentation

As the name says, to do this we need to stop the Active Directory service. ntdsutil then writes a compacted copy of the existing database to a location you choose; once the compacted copy is complete, you copy it over the original file. How much space is recovered depends entirely on how much free space the original file is carrying: a database that has seen large deletions can shrink to a fraction of its original size, while one that has only ever grown will hardly change.

To do this we use the command line utility "ntdsutil". It is the same tool we use to check the database for errors (its files menu has integrity and info commands, and there is a separate semantic database analysis menu).

Tips

1)    Before doing an offline defragmentation, plan the impact properly. The AD service on this DC goes down, so measure how that affects company operations and do it in a maintenance window. The time it takes depends on the size of the AD database and on how badly it is fragmented.
2)    Always take a system state backup before the process.
3)    Make sure the folder where the compacted copy will be written has enough free space for a complete copy of ntds.dit.

Let's see how we can do this.

1)    First log in to the domain controller you want to defragment as a Domain Admin or Enterprise Admin. Defragmentation is done per DC, so repeat this on each DC as needed.
2)    Go to Server Manager > Tools > Services.
3)    In the Services console right click on "Active Directory Domain Services" and click "Stop".
4)    It asks whether it is okay to stop the associated services. Click Yes to continue.
5)    Once the services have stopped, right click on the Start button and click "Command Prompt (Admin)".
6)    Type "ntdsutil" and press Enter.
7)    At the prompt type "activate instance ntds" and press Enter.
8)    Type "files" and press Enter.
9)    In the file maintenance menu we need to specify the location where the compacted database will be written; it must be a different folder from the current one. For the demo I created the folder C:\CompactDB and will use it, so type "compact to C:\CompactDB" and press Enter (put the path in double quotes if it contains spaces).
10)    ntdsutil now performs the defragmentation. The time it takes depends on the size of the database.
11)    When the process completes, type "q" and then "quit" to exit the utility.

To complete the process, as the screen says, copy the defragmented database from C:\CompactDB\ntds.dit over C:\Windows\NTDS\ntds.dit. Keep a copy of the original ntds.dit until you have confirmed the new one works.

We also need to delete the old log files (*.log) in C:\Windows\NTDS as it says; they belong to the old copy of the database. After that it is worth running the integrity check from ntdsutil's files menu against the new file before starting the service. With that we have successfully defragmented the AD database.

Now go to Services, right click on "Active Directory Domain Services" and click "Start", and start the dependent services that were stopped with it.
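The offline defragmentation as a PowerShell script, following the compact, copy and delete-logs sequence above but keeping the original file and logs until the compacted copy passes an integrity check, and rolling back if it does not. This is an added example, not code from the original post; the folder C:\CompactDB, the function name and the "Integrity check successful" wording it looks for are my assumptions, and the database paths are read from the registry so it works wherever this DC keeps its files. Run it in an elevated PowerShell session on the DC being defragmented, after a system state backup.

```powershell
# Added example, not code from the original post: the offline defragmentation
# sequence above (compact, copy over the original, delete the old logs) with an
# integrity check and a rollback path. Run in an elevated PowerShell session on
# the DC being defragmented, after taking a system state backup. $CompactDir is
# our choice; the "Integrity check successful" wording is assumed from ntdsutil's
# output.

$CompactDir = 'C:\CompactDB'
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Invoke-NtdsOfflineDefrag {
    param([string]$CompactDir)
    $p      = Get-ItemProperty $NtdsParams
    $dit    = $p.'DSA Database file'            # e.g. C:\Windows\NTDS\ntds.dit
    $logDir = $p.'Database log files path'      # e.g. C:\Windows\NTDS
    $size   = (Get-Item $dit).Length
    New-Item -ItemType Directory -Path $CompactDir -Force | Out-Null
    if ((Get-PSDrive $CompactDir.Substring(0, 1)).Free -lt $size) {
        throw "Not enough free space under $CompactDir for a full copy of ntds.dit ($size bytes)"
    }

    # Stopping NTDS stops its dependents too; remember them so they can be restarted afterwards.
    $deps = (Get-Service NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }
    Stop-Service NTDS -Force            # clean shutdown: the logs hold nothing uncommitted afterwards
    $oldLogs = Join-Path $CompactDir 'oldlogs'
    $backup  = "$dit.precompact"
    try {
        $out = & ntdsutil.exe 'activate instance ntds' files "compact to $CompactDir" quit quit 2>&1 | Out-String
        $new = Join-Path $CompactDir 'ntds.dit'
        if (-not (Test-Path $new)) { throw "compact produced no file:`n$out" }

        # Swap in the compacted file, keeping the original and the old logs until the new file checks out.
        Move-Item $dit $backup -Force
        Copy-Item $new $dit
        New-Item -ItemType Directory -Path $oldLogs -Force | Out-Null
        Get-ChildItem $logDir -Filter '*.log' | Move-Item -Destination $oldLogs -Force

        $check = & ntdsutil.exe 'activate instance ntds' files integrity quit quit 2>&1 | Out-String
        if ($check -notmatch 'Integrity check successful') {
            Move-Item $backup $dit -Force                                           # roll back
            Get-ChildItem $oldLogs -Filter '*.log' | Move-Item -Destination $logDir -Force
            throw "Integrity check failed; original database restored:`n$check"
        }
        Remove-Item $backup, $new -Force
        Remove-Item $oldLogs -Recurse -Force
        [pscustomobject]@{ BytesBefore = $size; BytesAfter = (Get-Item $dit).Length }
    } finally {
        Start-Service NTDS
        $deps | Start-Service
    }
}

Invoke-NtdsOfflineDefrag -CompactDir $CompactDir
```

The returned BytesBefore and BytesAfter values show what the defragmentation actually gained; if they are nearly equal, the database simply did not have much reclaimable space, which is the normal case for a directory that has only grown. Delete the compacted copy and any leftover files in C:\CompactDB when you are done; like a snapshot, a stray ntds.dit is a complete copy of every password hash.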

If you have any question regarding the article feel free to contact me on rebeladm@live.com