Logo
PREGNANCY
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
 
 
Windows Server

Windows Server 2008 R2 : Manage the Active Directory Database (part 2) - Defragment the Directory Database & Audit Active Directory Service

9/10/2011 4:05:31 PM

3. Defragment the Directory Database

A directory database gets fragmented as you add, change, and delete objects to your database. Like any file system–based storage, as the directory database is changed and updated, fragments of disk space will build up so it needs to be defragmented on a routine basis to maintain optimal operation. By default, Active Directory performs an online defragmentation of the directory database every 12 hours with the garbage collection process, an automated directory database cleanup, and IT pros should be familiar with it. However, online defragmentation does not decrease the size of the NTDS.DIT database file. Instead, it shuffles the data around for easier access. Depending on how much fragmentation you actually have in the database, running an offline defragmentation—which does decrease the size of the database—could have a significant effect on the overall size of your NTDS.DIT database file.

There is a little problem associated with defragmenting databases. They have to be taken offline in order to have the fragments removed and the database resized. In Windows Server 2008 R2, there is a great feature that allows you to take the database offline without shutting down the server. It's called Restartable Active Directory, and it could not be much easier to stop and start your directory database than this. Figure 4 shows the Services tool and how you can use it to stop the Active Directory service.

  1. Start the Services tool from the Control Panel.

  2. Right-click Active Directory Domain Services, and select Stop.

Figure 4. You can use the Services tool to stop and restart Active Directory.

That's it! Now when you stop Active Directory Domain Services, any other dependent services will also be stopped. Keep in mind that while the services are stopped, they cannot fulfill their assigned role in your network. The really cool thing about Restartable AD is that while the directory services and its dependent services are stopped, other services on the local machine are not. So, perhaps you have a shared printer running on your DC. Print services still run, and print operations do not stop. Nice!

3.1. Offline Directory Defragmentation

Now that you have stopped Active Directory services, it is time to get down to the business of offline defragmentation of the directory database:

  1. Back up the database.

  2. Open a command prompt, and type NTDSUTIL.

  3. Type ACTIVATE INSTANCE NTDS.

  4. Type FILES, and press Enter.

  5. Type INFO, and press Enter. This will tell you the current location of the directory database, its size, and the size of the associated log files. Write all this down.

  6. Make a folder location that has enough drive space for the directory to be stored.

  7. Type COMPACT TO DRIVE:\DIRECTORY, and press Enter. The drive and directory are the locations you set up in step 5. If the drive path contains spaces, put the whole path in quotation marks, as in "C:\database defrag".

    A new defragmented and compacted NTDS.DIT is created in the folder you specified.

  8. Type QUIT, and press Enter.

  9. Type QUIT again, and press Enter to return to the command prompt.

  10. If defragmentation succeeds without errors, follow the NTDSUTIL prompts.

  11. Delete all log files by typing DEL x:\pathtologfiles\*.log where x is the drive letter of your drive.

  12. Overwrite the old NTDS.DIT file with the new one. Remember, you wrote down its location in step 4.

  13. Close the command prompt.

  14. Open the Services tool, and start Active Directory Domain Services.

Defragmenting your directory database using the offline NTDSUTIL process can significantly reduce the size of your database depending on how long it has been since your last offline defrag. The hard thing about offline defrag is that every network is different, so making recommendations about how often to use the offline defrag process is somewhat spurious. I recommend you get to know your directory database. Monitor its size and growth. When you think it is appropriate to defragment offline, then do it. A pattern will emerge for you, and you will find yourself using offline defragmentation on a frequency that works well for your network and your directory database. One of the cool things about offline defragmentation is that if you should happen to have an error occur during the defragmentation process, you still have your original NTDS.DIT database in place and can continue using it with no problems until you can isolate and fix any issues.

4. Audit Active Directory Service

Windows Server 2008 R2 not only allows you to audit changes to Active Directory but also allows you to see the actual values entered into the directory before the change was made and after the change is made. It was possible in Windows 2000 Server and Windows Server 2003 to audit directory service access to see whether a change had been made, but this auditing allowed you to see the results of the change only, not the "before and after" settings.

In Windows Server 2008 R2, the Audit Directory Service Access setting policy is divided into four subcategories:

  • Directory Service Access

  • Directory Service Changes

  • Directory Service Replication

  • Detailed Directory Service Replication

When you want to see changes, you will implement the Directory Service Changes Policy. This policy will allow you to see the changes made by any security principal including create, delete, modify, move, or undelete operations. This policy will record not only the new values but also the original values in the event of a modify or undelete operation. In the event of a move operation, the original location of the object will also be logged.

You can enable auditing in Windows Server 2008 R2 through the use of three mechanisms. First, you can choose to enable a global audit policy for all the directory service subcategories mentioned previously. This setting is in the default domain controller policy on the Domain Controllers OU and is not enabled by default on Windows Server 2008 R2 DC. Therefore, if you want to audit directory service changes, you will need to implement this setting. One item of note is that the ID number for directory service changes has been updated to 4,662 instead of Windows 2000 Server and Windows Server 2003's 566 ID designation.

Second, you can also enable auditing through the use of system access control lists (SACLs). The SACL of an object determines whether access to an object will or will not be audited. It determines which operations are to be audited and for whom. SACLs are controlled by those security administrators who have rights to the local system. The Administrators group would hold this right by default. So, it is technically possible to edit the access control entry (ACE) of an object and remove the auditing requirement of the object even though Directory Services Changes has been enabled.

Finally, there is also a set of schema controls that you can use to create exceptions using search flag properties for what is being audited. For more on schema auditing exceptions, see http://technet.microsoft.com/en-us/library/cc731607.

4.1. Enable Group Policy Auditing in Group Policy Management Console

To enable directory services auditing, you need to use Group Policy. Use the Group Policy Management Console to make the suggested changes.

  1. Select Start => Administrative Tools => Group Policy Management.

  2. In the console tree, double-click the name of the forest, expand Domains, expand the name of your domain, select Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.

  3. Under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy (see Figure 5).

  4. In the details pane, right-click Audit Directory Service Access, and then click Properties.

  5. Select the Define These Policy Settings check box.

  6. Under Audit These Attempts, select the Success check box, and then click OK.

Figure 5. Auditing enabled in Group Policy Management Console

4.2. Enable Auditing Using the Command Line

Although you will most likely enable auditing using the Group Policy Management Console, sometimes you may prefer to use the command line. Here are the steps:

  1. Click Start, type cmd in the search box to locate the command prompt, and then right-click and choose Run As Administrator.

  2. Type the following command, and then press Enter:

    auditpol /set /subcategory:"directory service changes"
    /success:enable

4.3. Configure Auditing in the Object SACLs

SACLs hold the real power in auditing. They define the permissions and functions for auditing on any given object or file location. It is possible to configure auditing of Active Directory on the SACL:

  1. Select Start => Administrative Tools => Active Directory Users And Computers.

  2. Right-click the organizational unit, or any object, for which you want to enable auditing, and then click Properties.

  3. Click the Security tab, click Advanced, and then click the Auditing tab. (If you do not see the Security tab, you may need to enable Advanced Features from the View menu.)

  4. Click Add, and under Enter The Object Name To Select, type Authenticated Users (or any other security principal). Then click OK.

  5. In Apply Onto, click Descendant User Objects (or any other objects).

  6. Under Access, select the Successful check box for Write All properties.

  7. Click OK.

Directory Service Changes auditing can add a powerful tool to your toolbox of management features in Window Server 2008 R2.

Other -----------------
- Windows Server 2008 R2 : Manage the Active Directory Database (part 1) - Maintain FSMO Roles & Transfer FSMO Roles
- Windows Server 2008 R2 : Troubleshoot Group Policy
- Microsoft Lync Server 2010 Edge : Edge Installation
- Microsoft Lync Server 2010 Edge : Edge Overview
- Updating Objects and Virtualization with Dynamics NAV : Virtualization with Dynamics NAV
- Updating Objects and Virtualization with Dynamics NAV : Objects in NAV
- SQL Server 2005 : SQLCLR Security and Reliability Features (part 3) - Granting Cross-Assembly Privileges
- SQL Server 2005 : SQLCLR Security and Reliability Features (part 2) - Selective Privilege Escalation via Assembly References
- SQL Server 2005 : SQLCLR Security and Reliability Features (part 1) - The Quest for Code Safety
- SQL Server 2005 : Wrapping Code to Promote Cross-Tier Reuse
- SharePoint 2010 Search : Setting Up the Crawler - Crawling Exchange Public Folders & Crawling Line-of-Business Data
- SharePoint 2010 Search : Setting Up the Crawler - Crawling File Shares & Crawling Web Sites
- Migrating to Windows Small Business Server 2011 Standard : Migrating Settings and Data (part 5) - Re-Enabling Folder Redirection
- Migrating to Windows Small Business Server 2011 Standard : Migrating Settings and Data (part 4) - Migrating Users and Groups
- Migrating to Windows Small Business Server 2011 Standard : Migrating Settings and Data (part 3) - Migrate Network Settings & Migrate Exchange Mailboxes and Settings
- Migrating to Windows Small Business Server 2011 Standard : Migrating Settings and Data (part 2) - Configure the Network
- Migrating to Windows Small Business Server 2011 Standard : Migrating Settings and Data (part 1) - Starting the Migration Wizard
- Migrating to Windows Small Business Server 2011 Standard : Creating a Migration Answer File
- Microsoft Dynamics CRM 2011 : Copying Campaign Records & Using Quick Campaigns
- Microsoft Dynamics CRM 2011 : Managing Campaigns and Quick Campaigns - Relating Campaigns & Creating Campaign Templates
 
 
Most view of day
- SharePoint 2010 : Packaging and Deployment Model - Working with Packages
- Windows Phone 8 : Phone-Specific Design (part 1) - The ApplicationBar in Blend
- Microsoft Visio 2010 : Working with Data - Creating Reports (part 1) - Introducing the Report Definition Wizard
- Client Access to Exchange Server 2007 : Getting the Most Out of the Microsoft Outlook Client - Understanding RPC Over HTTPS in Outlook 2007
- Sharepoint 2013 : Backup and Restore (part 1) - Site Collection Backups
- Understanding IPv6 (part 2) - Understanding ICMPv6 Messages, Understanding Neighbor Discovery
- Sharepoint 2013 : Branding with the Design Manager (part 2) - Creating a Brand
- Windows Server 2003 : Protecting Hosts with Windows Host Firewalls - Routing and Remote Access Basic Firewall
- Sharepoint 2013 : Get to a Site’s Permission Management Page (part 1)
- Windows Server 2012 : Implementing DNSSEC (part 2) - How DNSSEC works,Deploying DNSSEC
Top 10
- Windows Phone 8 : Configuring Mailbox Settings (part 5) - Configuring Automatic Replies
- Windows Phone 8 : Configuring Mailbox Settings (part 4) - Lightening the Display,Changing the Mailbox Sync Settings
- Windows Phone 8 : Configuring Mailbox Settings (part 3) - Message Signatures, Blind CCing Yourself
- Windows Phone 8 : Configuring Mailbox Settings (part 2) - Unlinking Mailboxes, Conversation View
- Windows Phone 8 : Configuring Mailbox Settings (part 1) - Linking Mailboxes
- Managing Windows Server 2012 Systems : Configuring Roles, Role Services, and Features (part 6) - Tracking installed roles, role services, and features
- Managing Windows Server 2012 Systems : Configuring Roles, Role Services, and Features (part 5) - Installing components at the prompt
- Managing Windows Server 2012 Systems : Configuring Roles, Role Services, and Features (part 4) - Managing server binaries
- Managing Windows Server 2012 Systems : Configuring Roles, Role Services, and Features (part 3) - Adding server roles and features
- Managing Windows Server 2012 Systems : Configuring Roles, Role Services, and Features (part 2) - Installing components with Server Manager - Viewing configured roles and role services
 
 
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
2015 Camaro