| Sys Admin Extraordinaire |

2008-07-16 Initial Post

Windows Server 2003 AD

Ntds.dit is the actual file for the AD database. By default, it’s located in C:\WINDOWS\NTDS\ along with related transaction logs and checkpoint files. The database is based on ESE (Extensible Storage Engine) technology, which is also used by Exchange Server. It is not a flat file database and uses transaction logs and other database technologies. Only Administrators and system accounts have permission to C:\WINDOWS\NTDS\ by default. The files are locked by the OS during normal operation, so you wouldn't be able to make a copy of them while the OS is operating normally.

To really utilize any tools that manipulate the AD database (ntds.dit) you have to start the DC in Directory Services Restore Mode (F8 at logon). This basically starts the server without any DC-related services running so that the ntds.dit file isn’t accessed (and hence locked). This allows you to fully access the file for such things as integrity checking or offline defrag.

In Directory Services Restore Mode you actually have to log on with the local administrator password that is stored in the SAM database. This method of logon is required since AD would not be running in this mode. This would be the same as logging onto a member server using a local admin account. The only difference is that a DC will not let you do that unless it’s been started in DSRM.

When you initially promote a server to a DC, you are asked to provide a Directory Services Restore password. Ntdsutil can be used to reset the DSRM password on a running DC without any downtime.

From http://technet2.microsoft.com/. . . on 2008-07-16:

Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory. Use Ntdsutil to perform database maintenance of Active Directory, manage and control single master operations, remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled, and create application directory partitions.

This entry was posted on Friday, March 19th, 2010 at 8:23 AM and is filed under Active Directory. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.