Maintaining Active Directory on Windows 2003

Active Directory (AD) is Microsoft's implementation of directory services, intended primarily for Windows environments. Its main purpose is to give a network of Windows computers centralized identification and authentication. It also lets administrators assign and enforce policies, distribute software and install critical updates. Active Directory lists the elements of a managed network such as user accounts, servers, workstations, shared folders and printers. A user can easily find shared resources, and administrators can control their use through distribution, replication, partitioning and access control on the listed resources. If administrators have populated the appropriate attributes, the directory can be queried for requests such as "all color printers on this floor of the building."

Active Directory is present on Windows 2000 Server, Windows Server 2003, Windows XP, Windows Vista and Windows Server 2008; it is the successor of the SAM account database. A server that hosts Active Directory is called a "Domain Controller".

Active Directory stores its information and settings in a centralized database. The size of an Active Directory database can vary from a few hundred objects for small facilities to millions of objects for large configurations.

In the first Microsoft documents mentioning its existence, Active Directory was called NTDS (NT Directory Services). This name is still found in the literature on the subject and in some AD binaries, for example NTDSUTIL.EXE.

Defragmenting the Active Directory (AD) database using Ntdsutil

The ntdsutil utility is used for maintenance of the Active Directory database: defragmentation, metadata cleanup of decommissioned domain controllers, and management of the FSMO (Flexible Single Master Operations) roles.

For a full defragmentation, the server must be restarted in Safe Mode.

There are 2 modes of AD maintenance:
- ONLINE: defragmentation runs automatically every 12 hours; the database is optimized, but its size on disk remains unchanged.
- OFFLINE: full optimization; the database is defragmented and its size is reduced.

Procedure for OFFLINE maintenance (restart the server in Safe Mode by pressing F8):

Follow the screenshots below, making the same choices.

After the server has started, open a command prompt and type the command NTDSUTIL, then FILES at the ntdsutil prompt.

At the file maintenance: prompt, type compact to %s, where %s is an empty target directory. This command calls esentutl.exe to compact the existing database and write the compacted data into the specified directory.

– After the compaction has completed, copy the new ntds.dit into %systemroot%\NTDS and delete the old log files located in %systemroot%\NTDS

– Type the quit command twice

– Reboot
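The offline procedure above, scripted as an added example that is not part of the original post. It runs from a command prompt on a Windows Server 2003 domain controller booted via F8 as described, and passes the files / compact to / quit commands to ntdsutil as arguments instead of typing them interactively. The TARGET and BACKUP paths are assumptions for this example; the old ntds.dit and log files are archived rather than deleted, following the compact command's own advice to archive the old data file, so the previous state can be restored if the domain controller does not boot cleanly. The errorlevel checks assume ntdsutil signals failure through its exit code; the existence test on the compacted file is the reliable check.

```batch
@echo off
REM Added example (not from the original post): offline compaction of ntds.dit
REM with ntdsutil on Windows Server 2003. Run after booting the DC via F8.
REM TARGET and BACKUP are assumed paths for this example; adjust to your drives.
setlocal

set "NTDS_DIR=%SystemRoot%\NTDS"
set "TARGET=D:\NTDSCompact"
set "BACKUP=D:\NTDSBackup"

REM 1. The data file must be where the article says it lives.
if not exist "%NTDS_DIR%\ntds.dit" (
    echo ntds.dit not found in %NTDS_DIR% - aborting.
    exit /b 1
)

REM 2. compact to requires an empty target directory.
if not exist "%TARGET%" mkdir "%TARGET%"
dir /b "%TARGET%" | findstr . >nul && (
    echo %TARGET% is not empty - aborting.
    exit /b 1
)
if not exist "%BACKUP%" mkdir "%BACKUP%"

REM 3. Run the compaction: same as typing files, compact to ..., quit, quit.
ntdsutil files "compact to %TARGET%" quit quit
if errorlevel 1 (
    echo ntdsutil compact failed - old database left untouched.
    exit /b 1
)
if not exist "%TARGET%\ntds.dit" (
    echo no compacted ntds.dit was produced - aborting.
    exit /b 1
)

REM 4. Archive the old data file and log files, then put the compacted file in place.
move /y "%NTDS_DIR%\ntds.dit" "%BACKUP%\ntds.dit"
move /y "%NTDS_DIR%\*.log" "%BACKUP%\"
copy /y "%TARGET%\ntds.dit" "%NTDS_DIR%\ntds.dit"

REM 5. Verify before rebooting: recover first (as the reference section notes),
REM    then an integrity check of the new file.
ntdsutil files recover quit quit
if errorlevel 1 (
    echo recover failed - restore %BACKUP%\ntds.dit before rebooting.
    exit /b 1
)
ntdsutil files integrity quit quit
if errorlevel 1 (
    echo integrity check failed - restore %BACKUP%\ntds.dit before rebooting.
    exit /b 1
)

echo Compaction complete. Reboot the domain controller normally.
endlocal
exit /b 0
```

Keep the archived copy in BACKUP until the domain controller has rebooted and replicated normally; only then is it safe to remove it.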

Other NTDSUTIL FILES maintenance commands

Provides commands for managing the directory service data file and log files. The data file is named Ntds.dit. At the files: prompt, type one of the parameters listed under Syntax.

{compact to %s | header | info | integrity | move DB to %s | move logs to %s | recover | set path backup %s | set path db %s | set path logs %s | set path working dir %s}


compact to %s (where %s identifies an empty target directory)
Calls Esentutl.exe to compact the existing data file and writes the compacted file into the specified directory. The directory can be remote, that is, mapped via the net use command or a similar command. When compaction is complete, archive the old data file and move the new compacted file to the original location. ESENT supports online compaction, but online compaction only rearranges pages within the data file and does not release space to the file system. The directory service calls the online compaction process at regular intervals.

header
Displays the header of the Ntds.dit data file on screen. This command is used to help with database problem analysis.

info
Analyzes and reports the free space on the drives installed in the system, reads the registry, and reports the size of the data file and log files. The directory service maintains the registry values that identify the location of the data file, the log files and the directory service working directory.

integrity
Calls Esentutl.exe to perform an integrity check on the data file, which can detect any type of low-level database corruption. Because this command reads every byte of the data file, it can take a long time on large databases. Note that you must always run recover before performing an integrity check.

move DB to %s (where %s identifies a target directory)
Moves the Ntds.dit data file to the new directory specified by %s and updates the registry so that, when the system is restarted, the directory service uses the new location.
move logs to %s (where %s identifies a target directory)
Moves the directory service log files to the new directory specified by %s and updates the registry so that, when the system is restarted, the directory service uses the new location.

recover
Calls Esentutl.exe to carry out a soft recovery of the database. Soft recovery scans the log files and ensures that all committed transactions are also reflected in the data file. The Windows 2000 Backup program truncates the log files appropriately. The logs ensure that committed transactions are not lost if the system fails or an unexpected power loss occurs: transaction data is always written first to the log file and then to the data file. When you restart after a failure, the log can be replayed to reproduce the transactions that were committed but not yet reflected in the data file.
set path backup %s (where %s identifies a target directory)
Sets the backup target disk to the directory specified by %s. The directory service can be configured to perform an online backup to disk at regular intervals.

set path db %s (where %s identifies a target directory)
Updates the part of the registry that identifies the location and name of the data file. Use this command only to rebuild a domain controller that has lost its data file and that is not being restored through normal restore procedures.

set path logs %s (where %s identifies a target directory)
Updates the part of the registry that identifies the location of the log files. Use this command only to rebuild a domain controller that has lost its log files and that is not being restored through normal restore procedures.

set path working dir %s (where %s identifies a target directory)
Sets the part of the registry that identifies the directory service working directory to the directory specified by %s.
%s: an alphanumeric variable, such as the name of a domain or domain controller.

quit
Returns to the previous menu or exits the utility.
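Relocating the data file and log files with move DB to and move logs to, as an added example that is not part of the original post. It records the current state with info, performs both moves in one ntdsutil session, then confirms that the registry values ntdsutil maintains under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters point at the new directories. NEW_DB_DIR and NEW_LOG_DIR are assumed paths for this example.

```batch
@echo off
REM Added example (not from the original post): move ntds.dit and the log files
REM to new directories with ntdsutil, then verify the registry was updated.
REM NEW_DB_DIR and NEW_LOG_DIR are assumed paths; adjust to your drives.
setlocal
set "NEW_DB_DIR=D:\NTDS"
set "NEW_LOG_DIR=E:\NTDSLogs"
set "NTDS_KEY=HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"

REM Record current locations, file sizes and free space before moving anything.
ntdsutil files info quit quit

if not exist "%NEW_DB_DIR%" mkdir "%NEW_DB_DIR%"
if not exist "%NEW_LOG_DIR%" mkdir "%NEW_LOG_DIR%"

REM Both moves in a single session; ntdsutil moves the files and rewrites the registry.
ntdsutil files "move DB to %NEW_DB_DIR%" "move logs to %NEW_LOG_DIR%" quit quit

REM The data file must actually be in its new place before we trust the registry.
if not exist "%NEW_DB_DIR%\ntds.dit" (
    echo ntds.dit was not moved - check the ntdsutil output above.
    exit /b 1
)

REM Confirm the registry values that the directory service reads at the next restart.
reg query "%NTDS_KEY%" /v "DSA Database file"
reg query "%NTDS_KEY%" /v "Database log files path"

echo Move complete. Reboot so the directory service opens the new locations.
endlocal
exit /b 0
```

Run info once more after the reboot to confirm that the directory service reports the new paths and that the old directory no longer holds a copy of the data file.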


  1. gamekey says:

    Magnificent site. Lots of helpful info here. I’m sending it to several friends and additionally sharing in delicious. And obviously, thank you on your sweat!

  2. Benita Lockette says:

    Your tips here make perfect sense and I love that you mentioned Yelp, as I may have overlooked that site. Thanks for sharing these practices!

  3. WEB DESIGN says:

    Woah this weblog is magnificent, I really like studying your posts. Keep up the great paintings! You realize, lots of persons are searching round for this information, you could aid them greatly.
