Active Directory

Active Directory Offline Defragmentation

How do I defragment the Active Directory to make it smaller in size?

The size of NTDS.DIT will often be different sizes across the domain controllers in a domain. Remember that Active Directory is a multi-master independent model where updates are occurring in each of the domain controllers with the changes being replicated over time to the other domain controllers.

Sponsored Content

Passwords Haven’t Disappeared Yet

123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?

The changed data is replicated between domain controllers, not the database, so there is no guarantee that the files are going to be the same size across all domain controllers.

Windows 2000 and Windows Server 2003 servers running Directory Services (DS) perform a directory online defragmentation every 12 hours by default as part of the garbage-collection process. This defragmentation only moves data around the database file (NTDS.DIT) and doesn’t reduce the file’s size – the database file cannot be compacted while Active Directory is mounted.

Active Directory routinely performs online database defragmentation, but this is limited to the disposal of tombstoned objects. The database file cannot be compacted while Active Directory is mounted (or online).

An NTDS.DIT file that has been defragmented offline (compacted), can be much smaller than the NTDS.DIT file on its peers.

However, defragmenting the NTDS.DIT file isn’t something you should really need to do. Normally, the database self-tunes and automatically tombstoning the records then sweeping them away when the tombstone lifetime has passed to make that space available for additional records.

Defragging the NTDS.DIT file probably won’t help your AD queries go any faster in the long run.

So why defrag it in the first place?

One reason you might want to defrag your NTDS.DIT file is to save space, for example if you deleted a large number of records at one time.

To create a new, smaller NTDS.DIT file and to enable offline defragmentation, perform the following steps:

  1. Back up Active Directory (AD).
  2. Reboot the server, select the OS option, and press F8 for advanced options.
  3. Select the Directory Services Restore Mode option, and press Enter. Press
  4. Enter again to start the OS.
  5. W2K will start in safe mode, with no DS running.
  6. Use the local SAM’s administrator account and password to log on.
  7. You’ll see a dialog box that says you’re in safe mode. Click OK.
  8. From the Start menu, select Run and type cmd.exe
  9. In the command window, you’ll see the following text. (Enter the commands in bold.)

C:\> ntdsutil ntdsutil: files file maintenance:info …. file maintenance:compact to c:\temp

  1. You’ll see the defragmentation process. If the process was successful, enter quit to return to the command prompt.
  2. Then, replace the old NTDS.DIT file with the new, compressed version. (Enter the commands in bold.)

C:\> copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit

  1. Restart the computer, and boot as normal.

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

Don't leave your business open to attack! Come learn how to protect your AD in this FREE masterclass!REGISTER NOW - Thursday, December 2, 2021 @ 1 pm ET

Active Directory (AD) is leveraged by over 90% of enterprises worldwide as the authentication and authorization hub of their IT infrastructure—but its inherent complexity leaves it prone to misconfigurations that can allow attackers to slip into your network and wreak havoc. 

Join this session with Microsoft MVP and MCT Sander Berkouwer, who will explore:

  • Whether you should upgrade your domain controllers to Windows Server
    2019 and beyond
  • Achieving mission impossible: updating DCs within 48 hours
  • How to disable legacy protocols and outdated compatibility options in
    Active Directory

Sponsored by: