I'm Bill Detwiler. In this episode of TR Dojo, I'll share five things you should know before you degunk your Active Directory database.
Your first consideration when undertaking an Active Directory database repair or cleansing is to make sure that it actually needs it. Remember that erratic Active Directory behavior isn't always related to a corrupt database, and you should always look for the simple solutions first.
For example, in a situation in which you can't create or remove a domain, make sure that the domain controller hosting the FSMO roles for the domain isn't down and that the user who's attempting to perform the operation has the necessary permissions.
Once you've verified that all the necessary servers are up and everyone has the right permissions, the next layer of troubleshooting is to verify that DNS is functioning properly since Active Directory is completely dependent on it.
If your DNS server fails, it will be only a matter of time before Active Directory begins to have problems too. If you're receiving error messages such as Domain Not Found, Server Not Available, or RPC Server is Unavailable, you may have a DNS server issue.
The third thing you should know before rushing into an Active Directory cleansing is the power of the command-line Domain Controller Diagnostics Tool (or DCDIAG). This utility performs a number of diagnostic tests that could turn up valuable clues to the cause of the problems you're experiencing. Using DCDIAG is a good way to diagnose issues that you suspect could be AD-related, but aren't 100 percent sure about.
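The three checks above (FSMO role holders reachable, DNS resolving, DCDIAG clean) can be run as one pre-flight script before anyone touches the database. This is an added example, not a script from the episode or from Microsoft; it assumes the RSAT ActiveDirectory module and dcdiag.exe are installed on a domain-joined machine and that the caller has read rights to the domain.

```powershell
# Added pre-flight check (not from the TR Dojo episode): rules out the
# non-corruption causes of AD misbehavior before any cleanup is attempted.
# Assumes the RSAT ActiveDirectory module and dcdiag.exe are available.
Import-Module ActiveDirectory -ErrorAction Stop

$domain = Get-ADDomain
$forest = Get-ADForest
$report = [ordered]@{}

# 1. FSMO role holders: if one is down, "can't add or remove a domain"
#    is an availability symptom, not a database-corruption symptom.
$fsmo = [ordered]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
foreach ($role in $fsmo.Keys) {
    $up = Test-Connection -ComputerName $fsmo[$role] -Count 1 -Quiet
    $report["FSMO $role ($($fsmo[$role]))"] = if ($up) { 'reachable' } else { 'UNREACHABLE' }
}

# 2. DNS: clients locate DCs through this SRV record; if it does not
#    resolve, AD errors such as "Domain Not Found" are really DNS errors.
$srv = "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)"
try {
    $records = Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop |
               Where-Object Type -eq 'SRV'
    $report["DNS $srv"] = "$($records.Count) SRV record(s) found"
} catch {
    $report["DNS $srv"] = "RESOLUTION FAILED: $($_.Exception.Message)"
}

# 3. DCDIAG: run the default test set and keep only the lines reporting
#    a failed test, so the summary shows exactly what needs attention.
$dcdiagOutput = & dcdiag.exe 2>&1
$failed = $dcdiagOutput | Select-String -Pattern 'failed test'
$report['DCDIAG'] = if ($failed) { ($failed.Line.Trim()) -join '; ' } else { 'all tests passed' }

# Print the summary; anything marked UNREACHABLE, FAILED or listed under
# DCDIAG should be fixed before NTDSUTIL or ADSI Edit enter the picture.
$report.GetEnumerator() | ForEach-Object { '{0,-60} {1}' -f $_.Key, $_.Value }
```

Run it from an elevated PowerShell session on a management workstation; a clean report is the point at which a metadata cleanup or restore becomes a reasonable next step.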
Besides the DCDIAG utility, there is another tool that you should know about before you start removing entries that you think may be clogging up your Active Directory database -- NTDSUTIL.
While it might seem like a good idea to get rid of old entries to servers that no longer exist, doing it manually with ADSI Edit could do more harm than good.
Active Directory is a relational database, so removing an entry for an extinct server can orphan other database entries and cause a whole slew of unforeseen problems. A better approach is often to use the NTDSUTIL tool's METADATA CLEANUP option.
Check the blog notes for a link to this Microsoft TechNet article on NTDSUTIL. It contains a full set of instructions on how to use the tool's METADATA CLEANUP feature.
Lastly, if the need arises to restore an Active Directory database on a domain controller, make sure you know the difference between an authoritative and non-authoritative restore.
During a non-authoritative restoration, the DC is restored to the point at which it existed when the backup was made and then brought into a current state through replication. Other domain controllers replicate any missing entries to the recently restored domain controller.
An authoritative restore, on the other hand, does not backfill a restored domain controller using data from other domain controllers.
Instead, you are effectively telling Windows that the restored domain controller contains the desired data and that you want to remove any subsequent data from the other domain controllers in the organization.
Wanting to clean up your Active Directory database and get rid of obsolete data is a good idea, but make sure your approach is methodical -- and most importantly -- make sure you have a reliable backup in case things go wrong.
For more Active Directory maintenance tips and tricks, including tips on using ADSI Edit, check out Brien Posey's article, "10 things you should know about degunking your Active Directory database." I'll link to it from the TR Dojo Blog.
And as always, for more teachings on your path to becoming an IT Ninja, visit trdojo.techrepublic.com, or you can follow me on Twitter at twitter.com/billdetwiler.
Thanks for visiting the TR Dojo.