Tag Archives: ntdsutil

Integrity check to Detect Low Level Active Directory Database Corruption

Active Directory maintains a multi-master database. Like any other database, it can suffer data corruption, crashes and data loss. In my entire career I have still not come across a situation where a full database recovery was required in a production environment. The reason is that the AD DS database keeps replicating to the other available Domain Controllers, and it is very rare that all the available Domain Controllers crash at the same time and lose data.

By running an integrity check we can identify binary-level AD database corruption. The check is part of the Ntdsutil tool, which is used for Active Directory database maintenance, and it goes through every byte of the database file. The integrity command also checks that the correct headers exist in the database itself and that all of the tables are functioning and consistent. The same process also runs as part of Directory Services Restore Mode (DSRM).

This check needs to run with the NTDS service stopped.

In order to run the integrity check,

1) Log in to the Domain Controller as a Domain/Enterprise Administrator.
2) Open PowerShell as Administrator.
3) Stop the NTDS service using net stop ntds
4) Type ntdsutil, then enter the following commands one by one to run the integrity check:
activate instance ntds
files
integrity
5) To exit from the utility, type quit.
6) It is also recommended to run the semantic database analysis to confirm the consistency of the Active Directory database contents.
7) To do that, type ntdsutil again, then:
activate instance ntds
semantic database analysis
go
8) If it detects any integrity issues, type go fixup to fix the errors.
9) After the process is completed, type net start ntds to start the NTDS service.
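The same procedure run non-interactively, as an added example that is not part of the original post: it stops NTDS and its dependent services, runs the integrity check and the semantic analysis with ntdsutil.exe taking its commands as arguments, writes the output to a log, and restarts everything. The log folder name and the success line it matches on ("Integrity check successful") are my assumptions.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the domain controller. The log folder name is an assumption.
$LogDir = 'C:\ADMaint'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$Log = Join-Path $LogDir ('ntds-check-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))

# Remember which services depend on NTDS and are running now (KDC, DNS, Netlogon...),
# because starting NTDS again does not start them for us.
$Dependents = Get-Service -Name NTDS -DependentServices | Where-Object { $_.Status -eq 'Running' }

# Step 3 of the post: stop NTDS (-Force also stops the dependents, like "net stop ntds" would ask to).
Stop-Service -Name NTDS -Force
try {
    # Step 4: binary-level check of ntds.dit (every byte, headers, tables).
    $Integrity = & ntdsutil.exe 'activate instance ntds' 'files' 'integrity' 'quit' 'quit' 2>&1
    $Integrity | Out-File -FilePath $Log -Append

    # Steps 6-7: semantic analysis of the directory contents. 'go' only reports;
    # rerun the same line with 'go fixup' (step 8) if it finds problems.
    $Semantic = & ntdsutil.exe 'activate instance ntds' 'semantic database analysis' 'go' 'quit' 'quit' 2>&1
    $Semantic | Out-File -FilePath $Log -Append
}
finally {
    # Step 9: always bring the directory service back, even if a check threw.
    Start-Service -Name NTDS
    $Dependents | ForEach-Object { Start-Service -Name $_.Name }
}

# Assumption: a clean integrity run ends with this line; treat anything else as a failure to investigate.
if ($Integrity -match 'Integrity check successful') {
    Write-Host "Integrity check passed. Full output in $Log"
} else {
    Write-Warning "Integrity check did not report success. Review $Log before trusting this DC."
}
```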
This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com, and follow me on twitter @rebeladm to get updates about new blog posts.

How to move active directory database to new location?

When we install Active Directory it gives us the option to select the folder path for the Active Directory database files (the NTDS folder). My advice is always to use a separate partition on the server for this instead of the default C:\Windows\NTDS\ path. But I know that most of the time people pay little attention to this option during installation. So what happens if you face a situation where you need to move the Active Directory database to a different location, for example because the drive is running out of disk space? Can we really do that?

Yes, we can move it to a different location with the help of ntdsutil.exe. Let's see in detail how we can do it.

For my demo I am using a DC which holds its AD database files in the default C:\Windows\NTDS\ folder. I need to move them to a new disk I added to the server, so the new path is E:\ADDB.

Before we start this task we need to stop Active Directory Domain Services, so make sure you are aware of the impact stopping it will have on network operations.

1)    Log in to the primary domain controller as a domain or enterprise administrator.
2)    Go to Server Manager > Tools > Services
3)    Once the MMC has loaded, right click on “Active Directory Domain Services” and click Stop
4)    It will then ask if it’s okay to stop the associated services. Click “Yes” to continue.


Once services are stopped we can go ahead with the database move.

1)    Right click on the Start button and click on “Command Prompt (Admin)”
2)    Once the command prompt loads, type ntdsutil and press Enter
3)    Then type “activate instance ntds” and press Enter
4)    Then type “files” and press Enter
5)    In the files maintenance prompt we need to specify the command to move the db. In my demo I need to move it to E:\ADDB, so the command is move db to E:\ADDB. If there are spaces in the folder path, make sure you put the folder path inside double quotes (“”). Once it executes it will move the db file and give output like the following.
6)    As you can see it moved the database file successfully, but the logs are still in the NTDS folder. To move the logs, type move logs to E:\ADDB
7)    Now it has moved the logs and the database successfully to the new location.
8)    Now it’s time to start Active Directory Domain Services again. Go to services.msc and start the service we stopped at the beginning of this post.
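Steps 2 to 7 as one non-interactive ntdsutil call followed by a check that the files actually landed in the new folder, as an added example that is not part of the original post. It assumes Active Directory Domain Services is already stopped (steps 1 to 4 of the first list) and uses the post's E:\ADDB path; the verification looks for ntds.dit and the ESE log files (edb*.log).

```powershell
# Added example, not from the original post. Assumes Active Directory Domain
# Services is already stopped and that $NewPath is on the new disk.
$OldPath = 'C:\Windows\NTDS'
$NewPath = 'E:\ADDB'
New-Item -ItemType Directory -Path $NewPath -Force | Out-Null

# Steps 2-6 in one call: move the database, then the logs. If your folder path
# contains spaces, wrap it in double quotes inside the ntdsutil command as the post says.
& ntdsutil.exe 'activate instance ntds' 'files' "move db to $NewPath" "move logs to $NewPath" 'quit' 'quit'

# Verify before starting the service again (step 8): ntds.dit and the edb*.log
# files must now be in the new folder and gone from the old one.
$DitMoved = Test-Path (Join-Path $NewPath 'ntds.dit')
$LogsNew  = @(Get-ChildItem -Path (Join-Path $NewPath '*') -Include 'edb*.log').Count
$LeftOld  = @(Get-ChildItem -Path (Join-Path $OldPath '*') -Include 'ntds.dit', 'edb*.log' -ErrorAction SilentlyContinue).Count

if ($DitMoved -and $LogsNew -gt 0 -and $LeftOld -eq 0) {
    Write-Host "Database and $LogsNew log file(s) now live in $NewPath; safe to start AD DS."
} else {
    Write-Warning "Move incomplete: dit moved=$DitMoved, logs in new path=$LogsNew, leftovers in old path=$LeftOld. Do not start AD DS until this is resolved."
}
```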

This completes the process of moving AD DB and its logs. If you have any questions feel free to contact me on rebeladm@live.com

Active Directory Database Optimization

Like any other database, the Active Directory database also gets fragmented as data is written to and retrieved from it. It will also grow in size without releasing unused disk space. In a small organization you will not notice much difference, but in large infrastructures it becomes an issue. Regular optimization of the Active Directory database is needed to keep performance good.

How can we do it?

In the Windows OS we use the defragment tool to optimize the computer’s hard drive. There is a similar procedure we can use to defrag the Active Directory database.

There are two types of defragmentation used with the Active Directory database.

Online Defragmentation

Microsoft introduced this method with Windows Server 2000. It runs automatically at certain intervals (the default is every 12 hours) to defrag the Active Directory database, as part of the Active Directory garbage collection process. It optimizes the data storage and reclaims space for new Active Directory objects, but it will not reduce the size of the Active Directory database file. The important thing is that no service needs to be taken offline to do this.

Offline Defragmentation

As the name says, to do this we need to stop the Active Directory service. The process creates a compact version of the existing Active Directory database in a different location. Once the new defragmented database has been created, the compact version is copied back to the original location. Stats say it can shrink the database to 1/6th of its original size after offline defragmentation.

To do this we use the command line utility called “ntdsutil”. This is the same tool we can use to check the Active Directory database for errors.


1)    Before doing an offline defragmentation you need to plan the impact properly. Since the AD service will go down, you need to measure how it will affect company operations. The time it takes depends on the size of the AD database and how badly it is fragmented.
2)    It is always best to take a system state backup prior to the process.

Let’s see how we can do this.

1)    First you need to log in to the primary domain controller as a Domain Admin or Enterprise Admin.
2)    Go to Server Manager > Tools > Services
3)    In services.msc right click on “Active Directory Domain Services” and click “Stop”
4)    It will then ask if it’s okay to stop the associated services. Click Yes to continue.
5)    Once the services have stopped, right click on the Start button and click “Command Prompt (Admin)”
6)    Type “ntdsutil” and press Enter
7)    At the prompt type “activate instance NTDS” and press Enter
8)    Then type “files” and press Enter
9)    At the file maintenance prompt we need to specify the location where the compacted NTDS database will be saved. For the demo I created the folder C:\CompactDB and will use it. So type “compact to C:\CompactDB” and press Enter
10)    It will then perform the defragmentation. The time it takes depends on the size of the database.
11)    When the process completes, type “q” and then “quit” to exit from the utility.

To complete the process, as the screen says, copy the defragmented database from C:\CompactDB\ntds.dit to C:\Windows\NTDS\ntds.dit

We also need to remove the log files, as it says. After that we have successfully defragmented the AD database.

Now go to services.msc, right click on “Active Directory Domain Services” and click “Start”.
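The compact, copy and log clean-up steps scripted together, as an added example that is not part of the original post. It assumes Active Directory Domain Services is already stopped (steps 1 to 5) and a system state backup exists, uses the post's C:\CompactDB and C:\Windows\NTDS paths, reports how much the file shrank, keeps a renamed copy of the old ntds.dit (my own addition), and runs the integrity check from the first post on the new file before you start the service; the "Integrity check successful" match is an assumption.

```powershell
# Added example, not from the original post. Assumes Active Directory Domain
# Services is already stopped and a system state backup has been taken.
$NtdsDir   = 'C:\Windows\NTDS'
$CompactTo = 'C:\CompactDB'
$Dit       = Join-Path $NtdsDir 'ntds.dit'
$Backup    = Join-Path $NtdsDir ('ntds.dit.{0:yyyyMMdd-HHmm}.bak' -f (Get-Date))   # my addition
New-Item -ItemType Directory -Path $CompactTo -Force | Out-Null

# Steps 6-11: offline defrag into the compact folder, then compare file sizes.
$Before = (Get-Item $Dit).Length
& ntdsutil.exe 'activate instance ntds' 'files' "compact to $CompactTo" 'quit' 'quit'
$Compacted = Join-Path $CompactTo 'ntds.dit'
if (-not (Test-Path $Compacted)) { throw "compact did not produce $Compacted; the original is untouched" }
$After = (Get-Item $Compacted).Length
Write-Host ('ntds.dit: {0:N0} bytes before, {1:N0} after ({2:P0} of original)' -f $Before, $After, ($After / $Before))

# Keep the old file next to the new one until the DC is confirmed healthy, then
# copy the compacted database over it and remove the old ESE log files, as the screen says.
Copy-Item -Path $Dit -Destination $Backup
Copy-Item -Path $Compacted -Destination $Dit -Force
Get-ChildItem -Path (Join-Path $NtdsDir '*') -Include 'edb*.log' | Remove-Item -Force

# Before starting the service, run the integrity check from the first post against the new file.
# Assumption: a clean run ends with the line matched below.
$Check = & ntdsutil.exe 'activate instance ntds' 'files' 'integrity' 'quit' 'quit' 2>&1
if ($Check -match 'Integrity check successful') {
    Write-Host 'Compacted database passed the integrity check; start Active Directory Domain Services.'
} else {
    Write-Warning "Integrity check failed. Copy $Backup back to $Dit before starting the service."
    $Check | Write-Warning
}
```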

If you have any question regarding the article feel free to contact me on rebeladm@live.com