NTDS.dit – Server Geeks (2024)

By – Habibar Rahman Sheikh

Posted on April 22, 2013 by Habib Sheikh

Active Directory files and their functions

Ntds.dit

Ntds.dit is the main AD database file. NTDS stands for NT Directory Services. The DIT stands for Directory Information Tree. The Ntds.dit file on a particular domain controller contains all naming contexts hosted by that domain controller, including the Configuration and Schema naming contexts. A Global Catalog server stores the partial naming context replicas in the Ntds.dit right along with the full Domain naming context for its domain.

Edb.log

Edb.log is a transaction log. Any change made to an object in Active Directory is first written to a transaction log. During periods of low CPU activity the database engine commits the transactions to the main Ntds.dit database, which ensures that the database can be recovered in the event of a system crash. Entries that have not yet been committed to Ntds.dit are also kept in memory to improve performance. The database engine is the Extensible Storage Engine (ESE), an Indexed Sequential Access Method (ISAM) data storage technology from Microsoft that is also the core of Microsoft Exchange Server; the transaction log files used by ESE are always 10 MB.

Edbxxxxx.log

These are auxiliary transaction logs used to store changes if the main Edb.log file fills up before it can be flushed to Ntds.dit. The xxxxx stands for a sequential number in hex. When Edb.log fills up, an Edbtemp.log file is opened; the original Edb.log is renamed to Edb00001.log, Edbtemp.log is renamed to Edb.log, and the process starts over. Excess log files are deleted after they have been committed. You may see more than one Edbxxxxx.log file if a busy domain controller has many updates pending.

Edb.chk

Edb.chk is a checkpoint file. It is used by the transaction logging system to mark the point at which updates are transferred from the log files to Ntds.dit. As transactions are committed, the checkpoint moves forward in the Edb.chk file. If the system terminates abnormally, the pointer tells the system how far along a given set of commits had progressed before the termination.

Res1.log and Res2.log

Res1.log and Res2.log are reserve log files. If the hard drive fills to capacity just as the system is attempting to create an Edbxxxxx.log file, the space reserved by the Res log files is used. The system then puts a dire warning on the screen prompting you to take action to free up disk space quickly before Active Directory gets corrupted. You should never let a volume containing Active Directory files get even close to being full. File fragmentation is a big performance thief, and fragmentation increases exponentially as free space diminishes. Also, you may run into problems as you run out of drive space with online database defragmentation (compaction). This can cause Active Directory to stop working if the indexes cannot be rebuilt.

Temp.edb

This is a scratch pad used to store information about in-progress transactions and to hold pages pulled out of Ntds.dit during compaction.

Schema.ini

This file is used to initialize the Ntds.dit during the initial promotion of a domain controller. It is not used after that has been accomplished.
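
The following is an added example, not code from the original post: it locates the database and log files described above through the standard NTDS registry parameters, labels each file with its role, and checks free space on the volume, since the post warns against letting that volume approach full. It assumes an elevated PowerShell session on a domain controller; the 20% free-space threshold is an assumption.

```powershell
# Added example, not part of the original post. Locates the AD database and
# log files described above via the standard NTDS registry parameters and
# reports each file's role and size plus free space on the volume.
# Assumes: run in an elevated PowerShell on a domain controller.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$params  = Get-ItemProperty -Path $ntdsParams
$dbFile  = $params.'DSA Database file'          # e.g. C:\Windows\NTDS\ntds.dit
$logPath = $params.'Database log files path'    # usually the same folder

# File names from the post mapped to their roles; Edbxxxxx.log is matched by pattern.
$roles = @{
    'ntds.dit' = 'main AD database'
    'edb.log'  = 'current transaction log'
    'edb.chk'  = 'checkpoint file'
    'temp.edb' = 'scratch pad for in-progress transactions'
    'res1.log' = 'reserve log (disk-full safety margin)'
    'res2.log' = 'reserve log (disk-full safety margin)'
}

$folders = @((Split-Path -Path $dbFile -Parent), $logPath) | Sort-Object -Unique
Get-ChildItem -Path $folders -File | ForEach-Object {
    $name = $_.Name.ToLower()
    $role = if ($roles.ContainsKey($name)) { $roles[$name] }
            elseif ($name -match '^edb[0-9a-f]{5}\.log$') { 'auxiliary transaction log' }
            else { 'other' }
    [pscustomobject]@{
        File   = $_.Name
        SizeMB = [math]::Round($_.Length / 1MB, 2)   # ESE transaction logs should show as 10 MB
        Role   = $role
    }
} | Format-Table -AutoSize

# Free space check on the volume that holds ntds.dit.
$drive   = Get-PSDrive -Name (Split-Path -Path $dbFile -Qualifier).TrimEnd(':')
$freePct = [math]::Round(100 * $drive.Free / ($drive.Free + $drive.Used), 1)
if ($freePct -lt 20) {       # 20% is an assumed threshold; adjust to local policy
    Write-Warning "Only $freePct% free on $($drive.Name): for the NTDS volume"
} else {
    "NTDS volume $($drive.Name): has $freePct% free"
}
```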

Posted on April 21, 2013 by Habib Sheikh

When you delete an object from AD it is tombstoned, i.e. it is not removed immediately but kept as a tombstone for a period of time (180 days by default in Windows Server 2008) in case you want to restore it. Once the 180 days have elapsed, the object is considered of no further use and can be cleaned out of the database to free up space. This cleanup is done by garbage collection. Garbage collection in Active Directory Domain Services (AD DS) is the process of removing deleted objects (tombstones) from the directory database. This process results in free disk space in the directory database.

By default, this free space is not reported in Event Viewer. To see the amount of free disk space that can be made available to the file system by offline defragmentation, you can change the garbage collection logging level so that the disk space is reported in the Directory Service event log. After you change the logging level, check the Directory Service event log for Event ID 1646, which reports the amount of disk space that you can recover by performing offline defragmentation.

The garbage collection logging level is an NTDS diagnostics setting in the registry. You can use this procedure to change the garbage collection logging level to 1 so that you can view Event ID 1646 in Event Viewer.

How to change the garbage collection logging level

  1. Click Start, click Run, type regedit, and then press ENTER.
  2. In Registry Editor, navigate to the Garbage Collection entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.
  3. Double-click Garbage Collection. In the Value data box, type 1, and then click OK.

Now you must wait for the online defragmentation pass to occur on the NTDS.dit database. Then Event 1646 shows up in the Directory Service log.
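
The same procedure in script form, as an added example that is not part of the original post: it sets the Garbage Collection diagnostics value and then queries the Directory Service log for Event ID 1646. It assumes an elevated PowerShell session on the domain controller; the function names are this example's own.

```powershell
# Added example, not from the original post: does the registry change from the
# steps above and then looks for Event ID 1646 in the Directory Service log.
# Assumes an elevated PowerShell session on the domain controller.
$diagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Set-GarbageCollectionLogging {
    # Level 1 is what the post uses; 0 turns the extra logging back off.
    param([ValidateRange(0, 5)][int]$Level = 1)
    Set-ItemProperty -Path $diagKey -Name 'Garbage Collection' -Value $Level -Type DWord
    # Read it back so the caller can confirm the change took effect.
    (Get-ItemProperty -Path $diagKey).'Garbage Collection'
}

function Get-RecoverableSpaceEvents {
    # Event 1646 is written only after the next online defragmentation pass,
    # so call this later; the search window defaults to the last 24 hours.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 1646
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent reports a non-terminating error when nothing matches; suppress it.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

$current = Set-GarbageCollectionLogging -Level 1
"Garbage Collection logging level is now $current"
$events = Get-RecoverableSpaceEvents
if ($events) {
    $events | Format-List
} else {
    'No Event 1646 yet: wait for the next online defragmentation pass and re-run Get-RecoverableSpaceEvents'
}
```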

Posted on April 13, 2013 by Habib Sheikh

Active Directory Partition

The AD database is stored in a single file, ntds.dit. However, the database is divided into partitions for better replication and administration.

Different categories of data are stored in replicas of different directory partitions, as follows:

  1. Domain data: It is stored in domain directory partitions.

    1. Domain Directory Partition: Every domain controller stores one writable domain directory partition. It replicates data with DCs in the same domain. Active Directory Users and Computers obtains its data from this partition. All domain controllers in that domain replicate changes to each other regardless of whether the domain controller is a global catalog server.

    2. Global Catalog Directory Partition: A domain controller that is a global catalog server stores one writable domain directory partition and a partial, read-only replica of every other domain in the forest. Global catalog read-only replicas contain a partial set of attributes for every object in the domain. It replicates GC data with all GCs in the forest. The global catalog partition is created automatically by software on the domain controller, which copies some of the attributes of each object into the global catalog partition. This information is replicated to other domain controllers inside and outside the domain. This is how, given enough time, all global catalog servers come to hold a partial replica of all objects in the domain.

      Note: Partial Attribute Set data needs to be added in the schema edit window (don’t use ADSIEdit; use the Active Directory Schema snap-in in MMC after running regsvr32 schmmgmt.dll from the Run command).

2. Configuration data: Every domain controller stores one writable Configuration Directory Partition that stores forest-wide data controlling site and replication operations. It replicates with all DCs in the forest. This partition contains configuration information for the whole forest; for example, it contains information about the sites in the forest and the partitions defined in the Active Directory database.

3. Schema data: Every domain controller stores one writable Schema Partition that stores schema definitions for the forest. The schema partition defines what can be stored in the Active Directory database; it essentially defines the layout of the database.
Although the schema directory partition is writable, schema updates are allowed only on the domain controller that holds the schema operations master role.

4. Application data: Domain controllers running Windows Server 2003 or later can store data inside the AD database in application directory partitions. Application directory partition replicas can be replicated to any set of domain controllers in a forest, irrespective of domain. An application partition is created by an application to store its data. It differs from the other partitions in that the application can choose which domain controller or controllers store the data. The advantage for an application storing its data this way is that it gets the same replication and fault tolerance used by the domain controllers. An example of such an application is DNS with Active Directory-integrated zones: when this zone type is used, the data is stored in an application partition. The partition replicates only with the DCs the application specified when it created the partition. E.g. AD-integrated DNS has an application directory partition in AD. Similarly, Exchange 2010
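
To see the partition types above on a real domain controller, here is an added example (not code from the original post) that reads RootDSE and labels each naming context the bound DC holds as schema, configuration, domain or application. It assumes a domain-joined Windows machine; it uses the built-in [ADSI] accelerator, so no RSAT module is needed, and the Get-PartitionKind function name is this example's own.

```powershell
# Added example, not from the original post: reads RootDSE on the domain
# controller you are bound to and labels each naming context it holds as one
# of the partition types described above. Assumes a domain-joined machine.
$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = [string]$rootDse.schemaNamingContext
$configNc = [string]$rootDse.configurationNamingContext
$domainNc = [string]$rootDse.defaultNamingContext
$isGc     = [string]$rootDse.isGlobalCatalogReady    # 'TRUE' when this DC is a GC

function Get-PartitionKind {
    # Maps one naming context DN to the partition type from the post.
    param([string]$Nc)
    if     ($Nc -eq $schemaNc) { 'Schema (writable only on the schema operations master)' }
    elseif ($Nc -eq $configNc) { 'Configuration (forest-wide)' }
    elseif ($Nc -eq $domainNc) { 'Domain (writable domain partition of this DC)' }
    elseif ($Nc -match '^DC=(Domain|Forest)DnsZones,') { 'Application (AD-integrated DNS zones)' }
    else   { 'Application (created by some other application)' }
}

"Bound to: $($rootDse.dnsHostName)  Global catalog: $isGc"
$rootDse.namingContexts | ForEach-Object {
    [pscustomobject]@{ NamingContext = [string]$_; Kind = Get-PartitionKind -Nc $_ }
} | Format-Table -AutoSize
# Note: namingContexts lists only the partitions this DC holds in full; the
# partial, read-only GC replicas of other domains are not enumerated here.
```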
