Taking out the Active Directory trash

As you know, Active Directory is basically one big database. To keep it tuned properly, you must maintain it like any normal database. In this Daily Feature, Jim Boyce shows you how Active Directory reacts when you delete records from it.


The size of Active Directory (AD) depends on the number and type of objects it contains. As more objects are added, the directory grows in size. There is generally no appreciable change in performance as the size of the directory grows, and in general, there’s little performance reason to reduce the directory size. Storage capacity is, however, a consideration. In this Daily Feature, I’ll take a look at what AD does when you remove entries from it.

What do you want on your tombstone?
When objects are deleted from the directory, they are not immediately removed. Instead, the directory service removes the majority of the object’s attributes and tags the object as tombstoned. The tombstone state indicates that the object has been deleted but not removed from the directory, much like a deleted file is removed from the file allocation table but the data is not actually removed from the drive. The directory service moves tombstoned objects to the Deleted Objects container, where they remain until the garbage collection process removes the objects. Garbage collection also defragments the database, essentially rearranging the data to be contiguous, and thereby reducing the size of the database file. The primary consideration isn’t performance but rather keeping disk utilization to a manageable size.

Time to take out the garbage
The garbage collection process by default runs every 12 hours on a DC. The length of time tombstoned objects remain in the directory service before being deleted is 60 days (by default). The tombstone lifetime must be significantly longer than the garbage collection frequency to ensure that deletion of objects is replicated to other DCs. These default values ensure that the tombstoned state of the objects is replicated and the objects are deleted from all DCs, because it is extremely unlikely that it will take 60 days for a single replication to complete.

While you don’t need to change the garbage collection interval or the tombstone lifetime, you can do so if your domain structure or replication scheme warrants it. For example, you might prefer to lengthen the garbage collection interval to 24 hours (so the process runs less often) to reduce server load, and reduce the tombstone lifetime to 30 days to free up disk space more frequently. The maximum garbage collection interval is one-third of the tombstone lifetime. If you set the tombstone lifetime to 30 days, for example, the garbage collection interval will be 10 days, even if you’ve specified a larger value.

You can use the ADSI Edit tool included with the Windows 2000 Support Tools (located in the Support\Tools folder of the Windows 2000 CD) to modify the settings for garbage collection and tombstone lifetime. The values are attributes of the cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=ForestRootDomain object, and the attributes to change are tombstoneLifetime and garbageCollPeriod.

Defragmenting the Active Directory database
When AD performs the garbage collection process, it defragments the database online, but this does not free up space on the disk; it only restructures the existing data within the file. You use the Ntdsutil.exe command-line tool included with Windows 2000 to perform a defragmentation yourself. While you can run Ntdsutil while the server is online, you must defragment the database with the directory service offline to actually recover disk space.

To start the server in Directory Services Restore Mode to perform the defragmentation, press [F8] at startup to display the Windows 2000 Advanced Options menu. Select Directory Services Restore Mode and press [Enter]. After the server boots, run the Ntdsutil utility to defragment the database. Ntdsutil is an interactive console program that performs several actions on the database.

When you perform a defragmentation, Ntdsutil creates a new copy of the Ntds.dit database file in a different folder. You then replace the old file with the new one and restart the server. You should retain the old Ntds.dit file in case you experience problems with the new file. Also, compare the file size between the old and new files to determine how much space you’ve freed through the defragmentation.

In addition, you can configure Windows 2000 to log the amount of space that would be freed by an offline defragmentation to the Directory Service event log during garbage collection. You’ll need to tweak the registry to accomplish this. Open the Registry Editor and set the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\Garbage Collection to 1. Then, check the log after the next garbage collection to verify that the directory service is logging the data.
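The following PowerShell script is an added example, not part of the original article. It reads the tombstoneLifetime and garbageCollPeriod attributes from the Directory Service object described above, applies the one-third cap to show the interval AD will actually use, and then checks the NTDS diagnostics registry value that turns on garbage collection logging. It assumes it is run on a domain-joined host (the registry check only makes sense on a domain controller) and uses the built-in ADSI adapter, so no extra module is needed.

```powershell
# Added example (not from the article): report the forest's garbage collection settings
# and whether the NTDS diagnostics logging switch is on. Assumes a domain-joined host.

function Get-AdGarbageCollectionSettings {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.configurationNamingContext.Value
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"

    # When an attribute is absent, AD falls back to the defaults the article gives:
    # a 60-day tombstone lifetime and a 12-hour garbage collection interval.
    $tombstoneDays = 60
    $gcHours       = 12
    if ($dsObject.tombstoneLifetime.Value) { $tombstoneDays = [int]$dsObject.tombstoneLifetime.Value }
    if ($dsObject.garbageCollPeriod.Value) { $gcHours       = [int]$dsObject.garbageCollPeriod.Value }

    # The interval is capped at one-third of the tombstone lifetime (compared in hours).
    $maxGcHours       = [math]::Floor($tombstoneDays * 24 / 3)
    $effectiveGcHours = [math]::Min($gcHours, $maxGcHours)

    [pscustomobject]@{
        TombstoneLifetimeDays = $tombstoneDays
        ConfiguredGcHours     = $gcHours
        MaxAllowedGcHours     = $maxGcHours
        EffectiveGcHours      = $effectiveGcHours
        ConfiguredValueCapped = ($gcHours -gt $maxGcHours)
    }
}

function Get-AdGarbageCollectionLogging {
    # The diagnostics value the article has you set to 1 so that each garbage collection
    # pass logs how much space an offline defragmentation would free.
    $diagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    $props   = Get-ItemProperty -Path $diagKey
    # Match on the tail of the value name rather than hard-coding it, so the check still
    # works if the value carries a numeric prefix on a given Windows version.
    $name  = $props.PSObject.Properties.Name | Where-Object { $_ -like '*Garbage Collection' } | Select-Object -First 1
    $level = if ($name) { [int]$props.$name } else { $null }

    [pscustomobject]@{
        ValueName      = $name
        Level          = $level
        LoggingEnabled = ($null -ne $level -and $level -ge 1)
    }
}

Get-AdGarbageCollectionSettings | Format-List
Get-AdGarbageCollectionLogging  | Format-List
```

A ConfiguredValueCapped of True means the garbageCollPeriod you set exceeds one-third of the tombstone lifetime and AD is silently using the smaller value instead.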

As explained above, Ntdsutil.exe is an interactive utility. Type Ntdsutil.exe at a console prompt and then enter Help to view the command options. You use the Files command to defragment the database.

Conclusion
AD is essentially a big database. As with any database, you have to do a little work to maintain it properly. In this Daily Feature, I’ve shown you how to defragment the Active Directory database and how garbage collection works.
The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.
