Active Directory Database Management

You should also be aware of a process that runs on domain controllers every 12 hours by default. The process is referred to as Garbage Collection, and its job is to delete objects that have been tombstoned, as well as to defragment the AD database. A tombstoned item is one that has recently been deleted. Note that objects are not immediately removed from AD once deleted. Instead, they are tombstoned, or marked. Objects are actually removed from the database only after the tombstone lifetime has passed, which is 60 days by default. As such, you should note that even after deleting an item, the AD database won't immediately get any smaller – try looking again in 60 days, once the object has actually been removed. The purpose of tombstoning is to allow the deletion to be replicated to all domain controllers. The tombstone lifetime interval can be changed using the ADSI Edit tool, but you probably shouldn't. If you want to restore an item to the database, you can only do it from a backup made within the tombstone lifetime – AD keeps no record of objects that have been removed after tombstoning.

The defragmentation of the AD database done by the Garbage Collection process simply rearranges how data is written within the database, while also compacting it. It does not rearrange how the database file is laid out on the hard disk, as a traditional defragmentation would. That requires something called an 'offline defragmentation', which we'll look at shortly.

Backing up the Active Directory database is obviously an important part of maintaining it. The actual backup is performed using the Backup tool by choosing to back up something referred to as System State Data. On a domain controller, System State Data includes the AD database, the SYSVOL folder, the registry, system startup files, the class registration database, and the certificate services database if the system is running certificate services. As shown below, the backup is as simple as checking off one box in the Backup program:

In order to back up System State, note that you must have the right to back up files and folders. By default Administrators, Backup Operators, and Server Operators have this right. You should also note that System State data can only be backed up for the local server using the Backup program (remote System State data backups are not supported using Backup).

Restoring Active Directory is actually a little trickier than you might think. First of all, to do any type of restore, you will need to boot the server in Directory Services Restore Mode, found in the advanced startup options. There are two modes of restore, referred to as an Authoritative restore and a Non-Authoritative restore.

A Non-Authoritative Restore simply restores Active Directory to the state it was in when the backup was made, and allows replication to overwrite any changes that have occurred in the meantime. For example, let's say that you backed up AD on a domain controller yesterday, and the domain controller crashed later that day. In the meantime, you deleted a number of users via a different domain controller. When you do the Non-Authoritative restore, the entire database is restored (including the users who were deleted). However, once replication occurs, those users are deleted from the newly restored database, just as they had been while it was offline. The Backup program only performs Non-Authoritative restores.

This begs the question – what if I accidentally delete a user account and want to restore it? For this purpose, the Authoritative restore exists. Remember that in a Non-Authoritative restore, the other domain controllers, which would assume I had incorrect (old) information, would overwrite the restored user. In an Authoritative restore, what I am doing is restoring an object (such as a user or OU) and marking this copy as the information that other domain controllers should pay attention to. This is accomplished by giving the restored object a version number that is increased by 100,000 for every day between the backup and the restore. As such, the authoritatively restored version certainly has the highest version number, and will 'overrule' the deletion noted by the other DCs.
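As an added example (not part of the original article), the following PowerShell reads the tombstone lifetime and Garbage Collection interval discussed above, lists the objects currently tombstoned together with the date after which they become eligible for purging, and checks whether a System State backup is still within the tombstone lifetime and therefore still usable for a restore. It assumes the RSAT ActiveDirectory module on a domain-joined machine; the last-backup timestamp is a constructed placeholder.

```powershell
# Added example (not from the original article). Assumes the RSAT
# ActiveDirectory module on a domain-joined machine with read access
# to the Configuration partition and the Deleted Objects container.
Import-Module ActiveDirectory

function Get-AdTombstonePolicy {
    # tombstoneLifetime (days) and garbageCollPeriod (hours) live on the
    # Directory Service object; when unset, the built-in defaults apply
    # (60 days and 12 hours in the forests this article describes).
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
               -Properties tombstoneLifetime, garbageCollPeriod
    $life = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
    $gc   = if ($ds.garbageCollPeriod) { [int]$ds.garbageCollPeriod } else { 12 }
    [pscustomobject]@{ TombstoneLifetimeDays = $life; GarbageCollHours = $gc }
}

function Get-AdPendingTombstones {
    param([int]$TombstoneLifetimeDays)
    # Tombstones are hidden from normal queries; -IncludeDeletedObjects shows
    # them. The Deleted Objects container itself is flagged isDeleted, so skip it.
    # whenChanged approximates the deletion time unless the tombstone was modified later.
    Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
        -IncludeDeletedObjects -Properties whenChanged |
      Select-Object Name, ObjectClass,
        @{ n = 'DeletedOn';  e = { $_.whenChanged } },
        @{ n = 'PurgeAfter'; e = { $_.whenChanged.AddDays($TombstoneLifetimeDays) } }
}

function Test-AdBackupRestorable {
    param([datetime]$LastSystemStateBackup, [int]$TombstoneLifetimeDays)
    # A System State backup older than the tombstone lifetime must not be
    # restored: the DC would reintroduce objects every other DC has purged.
    $age = (Get-Date) - $LastSystemStateBackup
    [pscustomobject]@{
        BackupAgeDays = [int][math]::Floor($age.TotalDays)
        Restorable    = $age.TotalDays -lt $TombstoneLifetimeDays
    }
}

$policy = Get-AdTombstonePolicy
$policy
Get-AdPendingTombstones -TombstoneLifetimeDays $policy.TombstoneLifetimeDays |
  Sort-Object PurgeAfter | Format-Table -AutoSize
# Placeholder (constructed): substitute the timestamp of your last successful System State backup.
$lastBackup = (Get-Date).AddDays(-45)
Test-AdBackupRestorable -LastSystemStateBackup $lastBackup `
  -TombstoneLifetimeDays $policy.TombstoneLifetimeDays
```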

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of 2000Trainers.com. He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.