Active Directory Cookbook for Windows Server 2003 - P51

1. Open LDP.
2. From the menu, select Connection → Connect.
3. For Server, enter the name of the target domain controller.
4. For Port, enter 389.
5. Click OK.
6. From the menu, select Connection → Bind.
7. Enter credentials of a user from one of the administrator groups.
8. Click OK.
9. From the menu, select Browse → Modify.
10. Leave the Dn blank.
11. For Attribute, enter DoOnlineDefrag.
12. For Values, enter 180.
13. For Operation, select Add.
14. Click Enter.
15. Click Run.
16.10.2.2 Using a command-line interface
Create an LDIF file called online_defrag.ldf with the following contents:
dn:
changetype: modify
replace: DoOnlineDefrag
DoOnlineDefrag: 180
-
then run the following command:
> ldifde -v -i -f online_defrag.ldf
16.10.2.3 Using VBScript
' This code kicks off an online defrag to run for up to 180 seconds
' SCRIPT CONFIGURATION
strDC = "<DomainControllerName>" ' e.g. dc01
' END CONFIGURATION

set objRootDSE = GetObject("LDAP://" & strDC & "/RootDSE")
objRootDSE.Put "DoOnlineDefrag", 180
objRootDSE.SetInfo
WScript.Echo "Successfully initiated an online defrag"
16.10.3 Discussion
New to Windows Server 2003 is the ability to initiate an online defragmentation. By default, the
online defrag process runs every 12 hours on each domain controller. This process defrags the
Active Directory database (ntds.dit) by combining whitespace generated from deleted objects,
but does not reduce the size of the database file.

To kick off an online defrag, simply write the DoOnlineDefrag attribute to the RootDSE with a
value equal to the maximum time the defrag process should run (in seconds). You must be a
member of one of the administrator groups in the domain controller's domain in order to write to
this attribute.
16.10.4 See Also
Recipe 16.12 for performing an offline defrag and MS KB 198793 (The Active Directory
Database Garbage Collection Process)
Recipe 16.11 Determining How Much Whitespace Is in the DIT
16.11.1 Problem
You want to find the amount of whitespace in your DIT. A lot of whitespace in the DIT may
mean that you could regain enough space on the disk to warrant performing an offline defrag.
16.11.2 Solution
16.11.2.1 Using a graphical user interface
1. Run regedit.exe from the command line or Start → Run.
2. Expand HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → NTDS → Diagnostics.
3. In the right pane, double-click on 6 Garbage Collection.
4. For Value data, enter 1.
5. Click OK.
16.11.2.2 Using a command-line interface
> reg add HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics /v "6 Garbage Collection" /t REG_DWORD /d 1
16.11.2.3 Using VBScript
' This code enables logging of DIT whitespace information in the event log.
' SCRIPT CONFIGURATION
strDCName = "<DomainControllerName>" ' e.g. dc1
' END CONFIGURATION

const HKLM = &H80000002
strNTDSReg = "SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"
set objReg = GetObject("winmgmts:\\" & strDCName & "\root\default:StdRegProv")
objReg.SetDWORDValue HKLM, strNTDSReg, "6 Garbage Collection", 1
WScript.Echo "Garbage Collection logging set to 1"

16.11.3 Discussion
By setting the 6 Garbage Collection diagnostics logging option, event 1646 will get generated
after the garbage collection process runs. Here is an example 1646 event:
Event Type: Information
Event Source: NTDS Database
Event Category: Garbage Collection
Event ID: 1646
Date: 5/25/2003
Time: 9:52:46 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DC1
Description:
Internal event: The Active Directory database has the following amount of free hard
disk space remaining.

Free hard disk space (megabytes):
100
Total allocated hard disk space (megabytes):
1024
This shows that domain controller dc1 has a 1 GB DIT file with 100 MB that is free (i.e.,
whitespace).
16.11.4 See Also
Recipe 16.12 for performing an offline defrag
Recipe 16.12 Performing an Offline Defrag to Reclaim Space
16.12.1 Problem
You want to perform an offline defrag of the Active Directory DIT to reclaim whitespace in the
DIT file.
16.12.2 Solution
16.12.2.1 Using a command-line interface
1. First, reboot into Directory Services Restore Mode.
2. Next, check the integrity of the DIT, as outlined in Recipe 16.7.
3. Now, you are ready to perform the defrag. Run the following command to create a
compacted copy of the DIT file. Check that the drive on which you create the copy has
plenty of space; a rule of thumb is that it should have at least 115% of the size of the
current DIT available.

> ntdsutil files "compact to <TempDriveAndFolder>" q q
4. Next, you need to delete the transaction log files in the current NTDS directory.
> del <CurrentDriveAndFolder>\*.log
5. You may want to keep a copy of the original DIT file for a short period of time to ensure
nothing catastrophic happens to the compacted DIT. If you are going to copy or move the
original version, be sure you have enough space in its new location.
6. > move <CurrentDriveAndFolder>\ntds.dit <TempDriveAndFolder>\ntds_orig.dit
   > move <TempDriveAndFolder>\ntds.dit <CurrentDriveAndFolder>\ntds.dit
7. Repeat the steps in Recipe 16.7 to ensure the new DIT is not corrupted. If it is clean,
reboot into normal mode and monitor the event log. If no errors are reported in the event
log, make sure the domain controller is backed up as soon as possible.
16.12.3 Discussion
Performing an offline defragmentation of your domain controllers can reclaim disk space if
you've deleted a large number of objects from Active Directory. You should only perform an
offline defrag when (and if) this occurs, e.g., following a spin-off. The database will reuse
whitespace and grow organically as required. Typically, the database grows year over year as
more objects are added, so the offline defrag should be seldom required. An offline defrag
always carries a small element of risk, so it should not be done unnecessarily.
You might want to consider doing an offline defrag after the upgrade to Windows Server 2003.
A new feature called single instance storage for security descriptors can greatly reduce the
amount of space your DIT requires. With this new feature, unique security descriptors are stored
once regardless of how many times they are used, whereas in Windows 2000 the same security
descriptor would be stored individually on each object that uses it.
The key thing to plan ahead of time is your disk space requirements. If you plan on creating the
compacted copy of the DIT on the same drive as the current DIT, you need to make sure that
drive has 115% of the size of the DIT available. If you plan on storing the original DIT on the
same drive, you'll need to make sure you have at least that much space available.
16.12.4 See Also
Recipe 16.2 for booting into Directory Services Restore Mode, Recipe 16.7 for checking the
integrity of the DIT, MS KB 198793 (The Active Directory Database Garbage Collection
Process), MS KB 229602 (Defragmentation of the Active Directory Database), and MS KB
232122 (Performing Offline Defragmentation of the Active Directory Database)

Recipe 16.13 Changing the Garbage Collection Interval
16.13.1 Problem
You want to change the default garbage collection interval.
16.13.2 Solution
16.13.2.1 Using a graphical user interface
1. Open ADSI Edit.
2. In the left pane, expand cn=Configuration → cn=Services → cn=Windows NT.
3. Right-click on cn=Directory Service and select Properties.
4. Edit the garbageCollPeriod attribute and set it to the interval in hours that the garbage
collection process should run (the default is 12 hours).
5. Click OK.
16.13.2.2 Using a command-line interface
Create an LDIF file called change_garbage_period.ldf with the following contents:
dn: cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<ForestRootDN>
changetype: modify
replace: garbageCollPeriod
garbageCollPeriod: <IntervalInHours>
-
then run the following command:
> ldifde -v -i -f change_garbage_period.ldf
16.13.2.3 Using VBScript

' This code changes the default garbage collection interval
' SCRIPT CONFIGURATION
intGarbageColl = <IntervalInHours>
' END CONFIGURATION

set objRootDSE = GetObject("LDAP://RootDSE")
set objDSCont = GetObject("LDAP://cn=Directory Service,cn=Windows NT," & _
"cn=Services," & objRootDSE.Get("configurationNamingContext") )
objDSCont.Put "garbageCollPeriod", intGarbageColl
objDSCont.SetInfo
WScript.Echo "Successfully set the garbage collection interval to " & _
intGarbageColl

16.13.3 Discussion
When an object is deleted from the Configuration naming context, a Domain naming context, or
an application partition, the original object is removed from Active Directory, and a tombstone
object is created that contains a small subset of the object's original attributes. This tombstone
object remains in Active Directory for the duration of the tombstone lifetime (default is 60 days)
before it gets completely removed. See Recipe 16.18 for more information on the tombstone
lifetime.
A garbage collection process runs on each domain controller that automatically removes expired
tombstone objects. This process runs every 12 hours by default, but you can change it to run
more or less frequently by setting the garbageCollPeriod attribute on the
cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<RootDomainDN> object
to the frequency in hours.
16.13.4 See Also
Recipe 16.18 for modifying the tombstone lifetime, Recipe 16.14 for logging the number of
tombstones that get garbage collected, and MS KB 198793 (The Active Directory Database
Garbage Collection Process)

Recipe 16.14 Logging the Number of Expired Tombstone Objects
16.14.1 Problem
You want to log the number of expired tombstone objects that are removed from Active
Directory during each garbage-collection cycle.
16.14.2 Solution
16.14.2.1 Using a graphical user interface
1. Run regedit.exe from the command line or Start → Run.
2. Expand HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → NTDS → Diagnostics.
3. In the right pane, double-click on 6 Garbage Collection.
4. For Value data, enter 3.
5. Click OK.
16.14.2.2 Using a command-line interface
> reg add HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics /v "6 Garbage Collection" /t REG_DWORD /d 3

16.14.2.3 Using VBScript
' This code enables garbage collection logging.
' SCRIPT CONFIGURATION
strDCName = "<DomainControllerName>"
intValue = 3
' END CONFIGURATION

const HKLM = &H80000002
strNTDSReg = "SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"
set objReg = GetObject("winmgmts:\\" & strDCName & "\root\default:StdRegProv")
objReg.SetDWORDValue HKLM, strNTDSReg, "6 Garbage Collection", intValue

WScript.Echo "Garbage Collection logging enabled"
16.14.3 Discussion
Here is a sample event that is logged when the 6 Garbage Collection diagnostics logging level is
set to 3 or higher:
Event Type: Information
Event Source: NTDS General
Event Category: Garbage Collection
Event ID: 1006
Date: 6/24/2003
Time: 11:29:31 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DC1
Description:
Internal event: Finished removing deleted objects that have expired (garbage
collection). Number of expired deleted objects that have been removed: 229.
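As an added example (not from the book), the Python below parses the event 1646 and event 1006 descriptions shown in Recipes 16.11 and 16.14 and applies the 115% rule of thumb from Recipe 16.12 to plan an offline defrag. The event text is constructed from the samples on the page, and the 20% whitespace threshold is an assumption of this example, not a figure the book gives.

```python
import re

# Constructed event text modelled on the 1646 and 1006 samples in this chapter
# ("6 Garbage Collection" at level 1 and level 3); the numbers are made up.
SAMPLE_EVENTS = """\
Event Source: NTDS Database
Event ID: 1646
Description:
Internal event: The Active Directory database has the following amount of
free hard disk space remaining.

Free hard disk space (megabytes):
100
Total allocated hard disk space (megabytes):
1024

Event Source: NTDS General
Event ID: 1006
Description:
Internal event: Finished removing deleted objects that have expired (garbage
collection). Number of expired deleted objects that have been removed: 229.
"""

FREE_RE = re.compile(r"Free hard disk space \(megabytes\):\s*(\d+)")
TOTAL_RE = re.compile(r"Total allocated hard disk space \(megabytes\):\s*(\d+)")
REMOVED_RE = re.compile(r"have been removed:\s*(\d+)")

def parse_whitespace(text):
    """Return (free_mb, total_mb) from an event 1646 description, or None."""
    free, total = FREE_RE.search(text), TOTAL_RE.search(text)
    if not (free and total):
        return None
    return int(free.group(1)), int(total.group(1))

def parse_expired_removed(text):
    """Return the tombstone count from an event 1006 description, or None."""
    m = REMOVED_RE.search(text)
    return int(m.group(1)) if m else None

def defrag_plan(free_mb, total_mb, free_disk_mb, min_whitespace_pct=20):
    """Offline-defrag decision: is it worth doing, and is there room for the copy?"""
    # min_whitespace_pct is this example's assumption; 115% is the Recipe 16.12 rule.
    whitespace_pct = 100.0 * free_mb / total_mb
    needed_mb = -(-total_mb * 115 // 100)   # ceil(total * 1.15) using integers only
    return {
        "whitespace_pct": round(whitespace_pct, 1),
        "worthwhile": whitespace_pct >= min_whitespace_pct,
        "temp_space_needed_mb": needed_mb,
        "enough_temp_space": free_disk_mb >= needed_mb,
    }
```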
16.14.4 See Also
Recipe 15.2 for more on diagnostics logging and Recipe 16.13 for more on the garbage-collection process
Recipe 16.15 Determining the Size of the Active Directory Database
16.15.1 Problem
You want to determine the size of the Active Directory database.
16.15.2 Solution
16.15.2.1 Using a command-line interface
If you are in DS Restore Mode, you can use ntdsutil to report the size of the Active Directory database:

> ntdsutil files info

If you are not in DS Restore Mode and run this command, you will receive the following error
message:
*** Error: Operation only allowed when booted in DS restore mode
"set SAFEBOOT_OPTION=DSREPAIR" to override - NOT RECOMMENDED!
As you can see, it is possible to override this failure by setting the SAFEBOOT_OPTION
environment variable to DSREPAIR, but I do not recommend this unless you know what you are
doing. By setting that environment variable, the ntdsutil command will not stop you from
performing other commands. This can be very dangerous.
Another method, which is safer and easier, is to bring up a command shell by going to Start →
Run, typing cmd.exe, and pressing Enter. Then type cd <NTDSDir>, where <NTDSDir> is the full
path to the ntds.dit file. Finally, run the dir command; the output will show the size of the files.
16.15.3 Discussion
The size of the Active Directory database on a domain controller is effectively the size of the
ntds.dit file. This file can vary slightly in size between domain controllers even within the same
domain due to unreplicated changes or differences with nonreplicated data.
You should monitor the size of this file on one or more domain controllers in each domain to
ensure you have adequate disk space. Also, by knowing the average size of your DIT, you can
recognize if it spikes dramatically, perhaps due to a new application that is writing data to the
directory.
If you find that you are running out of disk space, you have a couple of options. You could move
the Active Directory files to a new drive with more capacity. Alternatively, you can perform an
offline defragmentation if the DIT file contains a lot of whitespace.
16.15.4 See Also
Recipe 16.8 for moving the DIT files, Recipe 16.11 for determining how much whitespace is in
the DIT, and Recipe 16.12 for performing an offline defragmentation of the Active Directory
database
Recipe 16.16 Searching for Deleted Objects
16.16.1 Problem
You want to search for deleted objects.


16.16.2 Solution
16.16.2.1 Using a graphical user interface
1. Open LDP.
2. From the menu, select Connection → Connect.
3. For Server, enter the name of a domain controller you want to target (or leave blank to do
a serverless bind).
4. For Port, enter 389.
5. Click OK.
6. From the menu, select Connection → Connect.
7. Enter credentials of a user that is an administrator for the domain.
8. Click OK.
9. From the menu, select Options → Controls.
10. For Windows Server 2003, select the Return Deleted Objects control under Load Predefined.
11. For Windows 2000, type 1.2.840.113556.1.4.417 for the Object Identifier and click
the Check In button.
12. Click OK.
13. From the menu, select Browse → Search.
14. For BaseDN, enter: cn=Deleted Objects,<DomainDN>.
15. For Scope, select One Level.
16. For Filter, enter: (isDeleted=TRUE).
17. Click the Options button.
18. Under Search Call Type, select Extended.
19. Click OK.
20. Click Run.
16.16.2.2 Using a command-line interface
As of this writing, none of the standard command-line tools provide a way to search for deleted objects.
16.16.2.3 Using VBScript
It is currently not possible to search for deleted objects with ADSI or ADO.
16.16.3 Discussion
When an object is deleted in Active Directory, it is not completely deleted. The original object is
removed, but a tombstone (deleted) object takes its place in the Deleted Objects container
within the naming context it was deleted in. See Introduction in Chapter 16 for more on tombstone objects.
Both the Deleted Objects container and tombstone objects themselves are hidden by default in
tools, such as Active Directory Users and Computers and ADSI Edit. To query tombstone

objects you have to enable the Return Deleted Objects LDAP control, which has an OID of
1.2.840.113556.1.4.417. When that control is enabled, you can perform searches for tombstone
objects by specifying a search filter that contains (isDeleted=TRUE) in it. Only members of the
administrator groups can perform searches for tombstone objects.
16.16.4 See Also
MSDN: Retrieving Deleted Objects
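As an added example (not the book's code), the Python below does with the third-party ldap3 library what the LDP steps in this recipe and in Recipe 16.17 below do by hand: a one-level search of the Deleted Objects container with the Return Deleted Objects control, and the undelete modify that replaces distinguishedName and deletes isDeleted. It assumes ldap3 is installed only for the two functions that talk to a domain controller, that tombstones carry a lastKnownParent attribute (as a Windows Server 2003 DC sets), and that a tombstone RDN is the old RDN followed by an escaped line feed and "DEL:" plus the objectGUID; the DN-rewriting and change-building helpers run offline.

```python
import re

try:                                   # ldap3 is third-party; only the two
    from ldap3 import MODIFY_DELETE, MODIFY_REPLACE, LEVEL   # network helpers need it
except ImportError:                    # fall back to ldap3's own string constants
    MODIFY_DELETE, MODIFY_REPLACE, LEVEL = "MODIFY_DELETE", "MODIFY_REPLACE", "LEVEL"

SHOW_DELETED_OID = "1.2.840.113556.1.4.417"      # Return Deleted Objects control
SHOW_DELETED = [(SHOW_DELETED_OID, True, None)]  # ldap3 form: (oid, critical, value)
DEL_MARKER = "\\0ADEL:"   # tombstone RDN = old RDN + escaped LF + "DEL:" + objectGUID

def deleted_objects_query(domain_dn):
    """Base, scope and filter of the one-level search LDP runs in Recipe 16.16."""
    return f"CN=Deleted Objects,{domain_dn}", LEVEL, "(isDeleted=TRUE)"

def original_dn(tombstone_dn, last_known_parent):
    """Rebuild the pre-deletion DN (the value LDP asks for in Recipe 16.17).

    last_known_parent is the tombstone's lastKnownParent attribute (assumed
    present, as on a Windows Server 2003 DC).
    """
    rdn = re.split(r"(?<!\\),", tombstone_dn, maxsplit=1)[0]  # first unescaped comma
    if DEL_MARKER not in rdn:
        raise ValueError("not a tombstone DN: " + tombstone_dn)
    return rdn[: rdn.index(DEL_MARKER)] + "," + last_known_parent

def undelete_changes(restored_dn):
    """The two LDP operations: replace distinguishedName, delete isDeleted."""
    return {"distinguishedName": [(MODIFY_REPLACE, [restored_dn])],
            "isDeleted": [(MODIFY_DELETE, [])]}

def find_deleted(conn, domain_dn):
    """List tombstones over an ldap3 Connection (needs a live DC and admin rights)."""
    base, scope, flt = deleted_objects_query(domain_dn)
    conn.search(base, flt, search_scope=scope, controls=SHOW_DELETED,
                attributes=["lastKnownParent", "objectClass"])
    return [(e["dn"], e["attributes"]) for e in conn.response
            if e.get("type") == "searchResEntry"]

def undelete(conn, tombstone_dn, last_known_parent):
    """Reanimate one tombstone; the control must accompany the modify as well."""
    target = original_dn(tombstone_dn, last_known_parent)
    return conn.modify(tombstone_dn, undelete_changes(target), controls=SHOW_DELETED), target
```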
Recipe 16.17 Restoring a Deleted Object

This recipe must be run against a Windows Server 2003 domain controller.

16.17.1 Problem
You want to restore an object that was previously deleted.
16.17.2 Solution
16.17.2.1 Using a graphical user interface
1. Open LDP.
2. From the menu, select Connection → Connect.
3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).

4. For Port, enter 389.
5. Click OK.
6. From the menu, select Connection → Bind.
7. Enter credentials of a user that can restore the deleted object (only administrators for the
domain by default).
8. Click OK.
9. From the menu, select Options → Controls.
10. Select Return deleted objects from the Load Predefined selection.
11. Click OK.
12. From the menu, select Browse → Modify.
13. For Dn, enter the distinguished name of the deleted object you want to restore.
14. For Attribute, enter distinguishedName.
15. For Values, enter the original DN of the object.
16. For Operation, select Replace.
17. Click Enter.
18. For Attribute, enter isDeleted.
19. For Values, remove any text.
20. For Operation, select Delete.
21. Click Enter.
22. Add mandatory attributes as necessary:
