Being proactive with Active Directory health

Leave a comment

August 1, 2011 by Rakesh Boraiah

Companies go out of their way to ensure proper Active Directory backup procedures, various redundancy solutions and anything else that will help prevent or mitigate a disaster. For the most part, these are mainly reactive solutions.

Many engineers have become so complacent with backup that they’ve forgotten one very important element, which is to keep Active Directory healthy in the first place. When AD becomes corrupt, it can be restored from a snapshot or repaired with Ntdsutil.exe.

Being proactive doesn’t mean that planning for a disaster goes out the window. Key elements to disaster prevention include maintaining good backups and making sure snapshots are done on a storage area network, where available. However, there are certain tips and tricks within AD’s functionality that will help keep the entire environment more stable and healthy.

Protecting AD against “accidental” object deletion

Almost every engineer has made a mistake within Active Directory. Sometimes it’s a simple misspelling of a user’s name and other times it can be a bit more serious. There have been instances where an administrator logs into AD to perform some type of management and then accidentally deletes an entire organizational unit (OU). What if that OU contains 3000 users? Now what?

In many situations, the administrator would then have to restore the AD database or try to find the latest AD snapshot. However, in Windows Server 2008 R2, Microsoft gives IT administrators a great option designed to protect Active Directory objects from being accidentally deleted. This option is available for all objects that are manageable through Active Directory Users and Computers, and is enabled by default when you create a new OU. By selecting the “Protect container from accidental deletion” option, an access control entry is added to the access control list on the object.

Note: By default, the accidental deletion protection is enabled by default only for OUs, and notfor user objects. This means that if you attempt to delete one or more user objects, even if you’re located inside a protected OU, you will succeed.

With that mentioned, to protect user, group, or computer objects from accidental deletion, you must manually enable this option in the object’s properties. Change the view in ADUC so that it shows the advanced features, open the object’s Properties window, and click on the Object tab. There you can select the accidental deletion protection option.

Managing AD size by performing off-line defragmentation

There are preset AD functions that work in the background to keep the environment healthy. For example, the online maintenance cycle keeps the database in check regularly and without administrator interaction. However, although the data within the database is regularly defragmented, the database itself has a tendency to increase in size over time.

This is especially true if administrators periodically purge database records. For example, it’s quite possible to have a 4 GB Active Directory database that contains less than 1 GB of data, and over 3 GB of empty space. This space can be reclaimed by performing an off-line defragmentation.

In Windows Server 2008, the Active Directory is a service. Any time that you want to perform maintenance on the Active Directory database, you can take it off-line by simply stopping the Active Directory Domain Service.

It’s always a good idea to begin the process by performing a full system state backup. Once a successful backup is verified, open Windows Explorer and navigate to the C:\Windows\NTDS folder. The Active Directory database is stored in the NTDS.DIT file. You should make note of the size of this file so that you can go back later on and figure out how much space you have reclaimed.

At this point, you should open the Service Control Manager, and stop the Active Directory Domain Services service. After that’s complete, you will see a message telling you that a number of dependency services also need to be stopped. Click “Yes” to stop these additional services.

Once all of the necessary services have been stopped, open Command Prompt on the server, and enter the following commands:

Activate Instance NTDS

At this point, you should see a summary of the files that are used by the Active Directory database. You can now begin the defragmentation process by entering the following command:

Compact to c:\windows\ntds\defragged

Keep in mind that depending on the size of your database, this process can take quite a while to complete, and the domain controller that you are defragmenting is unavailable until the Active Directory Domain Services and all of the dependency services are brought back online.

When the process completes, go to the C:\Windows\NTDS folder and rename the NTDS.DIT file to NTDS.OLD. You can delete this file later on, but hang onto it for right now just in case anything goes wrong with the defragmented copy of the database. Now, copy the defragmented database from C:\Windows\NTDS\Defragged to C:\Windows\NTDS.

Finally, restart the Active Directory Domain Services (the dependency services will restart automatically). Now, you can reference back to see the reduction in space.

Proactive Tips and Best Practices

There are many ways to keep your AD environment humming. Given its critical nature, every avenue should be taken to make sure Active Directory does not go down. Below is a brief list of some ways to be proactive when it comes to AD stability, security, and health:

  • Rename or disable the Administrator account (and guest account) in each domain to prevent attacks on your domains.
  • Manage the security relationship between two forests and simplify security administration and authentication across forests.
  • Place at least one domain controller in every site, and make at least one domain controller in each site a global catalog.
    • Sites that do not have their own domain controllers and at least one global catalog are dependent on other sites for directory information and are less efficient.
  • Use global groups or universal groups instead of domain local groups when specifying permissions on domain directory objects replicated to the global catalog.
  • Always have current backups and verify their consistency.
  • To provide additional protection for the Active Directory schema, remove all users from the Schema Admins group, and add a user to the group only when schema changes need to be made. Once the change has been made remove the user from the group.
  • Always monitor AD health by ensuring proper permissions, good OU management, and performing preventative maintenances.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: