
Active Directory Cookbook for Windows Server 2003 - P51



1. Open LDP.
2. From the menu, select Connection → Connect.
3. For Server, enter the name of the target domain controller.
4. For Port, enter 389.
5. Click OK.
6. From the menu, select Connection → Bind.
7. Enter credentials of a user from one of the administrator groups.
8. Click OK.
9. From the menu, select Browse → Modify.
10. Leave the Dn blank.
11. For Attribute, enter DoOnlineDefrag.
12. For Values, enter 180.
13. For Operation, select Add.
14. Click Enter.
15. Click Run.

16.10.2.2 Using a command-line interface

Create an LDIF file called online_defrag.ldf with the following contents:

dn:
changetype: modify
replace: DoOnlineDefrag
DoOnlineDefrag: 180
-

then run the following command:

> ldifde -v -i -f online_defrag.ldf

16.10.2.3 Using VBScript

' This code kicks off an online defrag to run for up to 180 seconds
' - SCRIPT CONFIGURATION -
strDC = "<DomainControllerName>" ' e.g., dc01
' - END CONFIGURATION -
set objRootDSE = GetObject("LDAP://" & strDC & "/RootDSE")
objRootDSE.Put "DoOnlineDefrag", 180
objRootDSE.SetInfo
WScript.Echo "Successfully initiated an online defrag"

16.10.3 Discussion

New to Windows Server 2003 is the ability to initiate an online defragmentation. By default, the online defrag process runs every 12 hours on each domain controller. This process defrags the Active Directory database (ntds.dit) by combining whitespace generated from deleted objects, but does not reduce the size of the database file.

To kick off an online defrag, simply write the DoOnlineDefrag attribute to the RootDSE with a value equal to the maximum time the defrag process should run (in seconds). You must be a member of one of the administrator groups in the domain controller's domain in order to write to this attribute.

16.10.4 See Also

Recipe 16.12 for performing an offline defrag and MS KB 198793 (The Active Directory Database Garbage Collection Process).

Recipe 16.11 Determining How Much Whitespace Is in the DIT

16.11.1 Problem

You want to find the amount of whitespace in your DIT. A lot of whitespace in the DIT may mean that you could regain enough space on the disk to warrant performing an offline defrag.

16.11.2 Solution

16.11.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start → Run.
2. Expand HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → NTDS → Diagnostics.
3. In the right pane, double-click on 6 Garbage Collection.
4. For Value data, enter 1.
5. Click OK.

16.11.2.2 Using a command-line interface

> reg add HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics /v "6 Garbage Collection" /t REG_DWORD /d 1

16.11.2.3 Using VBScript

' This code enables logging of DIT whitespace information in the event log
' - SCRIPT CONFIGURATION -
strDCName = "<DomainControllerName>" ' e.g., dc1
' - END CONFIGURATION -
const HKLM = &H80000002
strNTDSReg = "SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"
set objReg = GetObject("winmgmts:\\" & strDCName & "\root\default:StdRegProv")
objReg.SetDWORDValue HKLM, strNTDSReg, "6 Garbage Collection", 1
WScript.Echo "Garbage Collection logging set to 1"


16.11.3 Discussion

By setting the 6 Garbage Collection diagnostics logging option, event 1646 will get generated after the garbage collection process runs. Here is an example 1646 event:

Event Type: Information
Event Source: NTDS Database
Event Category: Garbage Collection
Event ID: 1646
Date: 5/25/2003
Time: 9:52:46 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DC1
Description:
Internal event: The Active Directory database has the following amount of free hard
disk space remaining.
Free hard disk space (megabytes):
100
Total allocated hard disk space (megabytes):
1024

This shows that domain controller dc1 has a 1 GB DIT file with 100 MB that is free (i.e., whitespace).

16.11.4 See Also

Recipe 16.12 for performing an offline defrag.

Recipe 16.12 Performing an Offline Defrag to Reclaim Space

16.12.1 Problem

You want to perform an offline defrag of the Active Directory DIT to reclaim whitespace in the DIT file.

16.12.2 Solution

16.12.2.1 Using a command-line interface

1. First, reboot into Directory Services Restore Mode.
2. Next, check the integrity of the DIT, as outlined in Recipe 16.7.
3. Now, you are ready to perform the defrag. Run the following command to create a compacted copy of the DIT file. You should check to make sure the drive on which you


> ntdsutil files "compact to <TempDriveAndFolder>" q q

4. Next, you need to delete the transaction log files in the current NTDS directory.

> del <CurrentDriveAndFolder>\*.log

5. You may want to keep a copy of the original DIT file for a short period of time to ensure nothing catastrophic happens to the compacted DIT. If you are going to copy or move the original version, be sure you have enough space in its new location.

6. > move <CurrentDriveAndFolder>\ntds.dit <TempDriveAndFolder>\ntds_orig.dit
   > move <TempDriveAndFolder>\ntds.dit <CurrentDriveAndFolder>\ntds.dit

7. Repeat the steps in Recipe 16.7 to ensure the new DIT is not corrupted. If it is clean, reboot into normal mode and monitor the event log. If no errors are reported in the event log, make sure the domain controller is backed up as soon as possible.

16.12.3 Discussion

Performing an offline defragmentation of your domain controllers can reclaim disk space if you've deleted a large number of objects from Active Directory. You should only perform an offline defrag when (and if) this occurs, e.g., following a spin-off. The database will reuse whitespace and grow organically as required. Typically, the database grows year over year as more objects are added, so the offline defrag should be seldom required. An offline defrag always carries a small element of risk, so it should not be done unnecessarily.

You might want to consider doing an offline defrag after the upgrade to Windows Server 2003. A new feature called single instance storage for security descriptors can greatly reduce the amount of space your DIT requires. With this new feature, unique security descriptors are stored once regardless of how many times they are used, whereas in Windows 2000 the same security descriptor would be stored individually on each object that uses it.

The key thing to plan ahead of time is your disk space requirements. If you plan on creating the compacted copy of the DIT on the same drive as the current DIT, you need to make sure that drive has 115% of the size of the DIT available. If you plan on storing the original DIT on the same drive, you'll need to make sure you have at least that much space available.

16.12.4 See Also

Recipe 16.2 for booting into Directory Services Restore Mode, Recipe 16.7 for checking the integrity of the DIT, MS KB 198793 (The Active Directory Database Garbage Collection Process), MS KB 229602 (Defragmentation of the Active Directory Database), and MS KB 232122 (Performing Offline Defragmentation of the Active Directory Database).


Recipe 16.13 Changing the Garbage Collection Interval

16.13.1 Problem

You want to change the default garbage collection interval.

16.13.2 Solution

16.13.2.1 Using a graphical user interface

1. Open ADSI Edit.
2. In the left pane, expand cn=Configuration → cn=Services → cn=Windows NT.
3. Right-click on cn=Directory Service and select Properties.
4. Edit the garbageCollPeriod attribute and set it to the interval in hours that the garbage collection process should run (the default is 12 hours).
5. Click OK.

16.13.2.2 Using a command-line interface

Create an LDIF file called change_garbage_period.ldf with the following contents:

dn: cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<ForestRootDN>
changetype: modify
replace: garbageCollPeriod
garbageCollPeriod: <IntervalInHours>
-

then run the following command:

> ldifde -v -i -f change_garbage_period.ldf

16.13.2.3 Using VBScript

' This code changes the default garbage collection interval
' - SCRIPT CONFIGURATION -
intGarbageColl = <IntervalInHours>
' - END CONFIGURATION -
set objRootDSE = GetObject("LDAP://RootDSE")
set objDSCont = GetObject("LDAP://cn=Directory Service,cn=Windows NT," & _
                          "cn=Services," & objRootDSE.Get("configurationNamingContext") )
objDSCont.Put "garbageCollPeriod", intGarbageColl
objDSCont.SetInfo
WScript.Echo "Successfully set the garbage collection interval to " & _
             intGarbageColl


16.13.3 Discussion

When an object is deleted from the Configuration naming context, a Domain naming context, or an application partition, the original object is removed from Active Directory, and a tombstone object is created that contains a small subset of the object's original attributes. This tombstone object remains in Active Directory for the duration of the tombstone lifetime (default is 60 days) before it gets completely removed. See Recipe 16.18 for more information on the tombstone lifetime.

A garbage collection process runs on each domain controller that automatically removes expired tombstone objects. This process runs every 12 hours by default, but you can change it to run more or less frequently by setting the garbageCollPeriod attribute on the cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<RootDomainDN> object to the frequency in hours.

16.13.4 See Also

Recipe 16.18 for modifying the tombstone lifetime, Recipe 16.14 for logging the number of tombstones that get garbage collected, and MS KB 198793 (The Active Directory Database Garbage Collection Process).

Recipe 16.14 Logging the Number of Expired Tombstone Objects

16.14.1 Problem

You want to log the number of expired tombstone objects that are removed from Active Directory during each garbage-collection cycle.

16.14.2 Solution

16.14.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start → Run.
2. Expand HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → NTDS → Diagnostics.
3. In the right pane, double-click on 6 Garbage Collection.
4. For Value data, enter 3.
5. Click OK.

16.14.2.2 Using a command-line interface

> reg add HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics /v "6 Garbage Collection" /t REG_DWORD /d 3


16.14.2.3 Using VBScript

' This code enables garbage collection logging
' - SCRIPT CONFIGURATION -
strDCName = "<DomainControllerName>"
intValue = 3
' - END CONFIGURATION -
const HKLM = &H80000002
strNTDSReg = "SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"
set objReg = GetObject("winmgmts:\\" & strDCName & "\root\default:StdRegProv")
' The value name and the DWORD data are separate arguments; the comma sits outside the string
objReg.SetDWORDValue HKLM, strNTDSReg, "6 Garbage Collection", intValue
WScript.Echo "Garbage Collection logging enabled"

16.14.3 Discussion

Here is a sample event that is logged when the 6 Garbage Collection diagnostics logging level is set to 3 or higher:

Event Type: Information
Event Source: NTDS General
Event Category: Garbage Collection
Event ID: 1006
Date: 6/24/2003
Time: 11:29:31 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DC1
Description:
Internal event: Finished removing deleted objects that have expired (garbage collection). Number of expired deleted objects that have been removed: 229
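Added example, not code from the cookbook: a small Python script that parses the event 1646 (Recipe 16.11) and event 1006 (this recipe) descriptions and applies the 115% disk-space rule from Recipe 16.12 to decide whether an offline defrag is worth scheduling. The event text below is constructed for the example, and the whitespace threshold used in the decision is an assumed local policy figure, not one the cookbook gives.

```python
import math
import re

# Constructed sample descriptions modelled on the event 1646 (Recipe 16.11) and event 1006
# (Recipe 16.14) text; they are not output captured from a real domain controller.
SAMPLE_EVENT_1646 = """Internal event: The Active Directory database has the following amount of free hard
disk space remaining.
Free hard disk space (megabytes):
100
Total allocated hard disk space (megabytes):
1024"""
SAMPLE_EVENT_1006 = """Internal event: Finished removing deleted objects that have expired (garbage collection).
Number of expired deleted objects that have been removed: 229"""

def parse_event_1646(description):
    """Return (free_mb, total_mb) from the description text of NTDS Database event 1646."""
    free = re.search(r"Free hard disk space \(megabytes\):\s*(\d+)", description)
    total = re.search(r"Total allocated hard disk space \(megabytes\):\s*(\d+)", description)
    if not (free and total):
        raise ValueError("description does not carry the event 1646 whitespace figures")
    return int(free.group(1)), int(total.group(1))

def parse_event_1006(description):
    """Return the number of expired tombstones removed, from NTDS General event 1006."""
    m = re.search(r"Number of expired deleted objects that have been removed:\s*(\d+)", description)
    if not m:
        raise ValueError("description does not carry the event 1006 tombstone count")
    return int(m.group(1))

def whitespace_percent(free_mb, total_mb):
    """Whitespace as a percentage of the allocated DIT size (event 1646 figures)."""
    return 100.0 * free_mb / total_mb

def compact_space_required_mb(total_mb):
    """Free space Recipe 16.12 requires on the drive receiving the compacted copy: 115% of the DIT."""
    return math.ceil(total_mb * 1.15)

def offline_defrag_advice(description_1646, drive_free_mb, min_whitespace_percent=25.0):
    """Decide whether an offline defrag is worth scheduling. min_whitespace_percent is an assumed
    local policy threshold; the cookbook gives no fixed figure."""
    free_mb, total_mb = parse_event_1646(description_1646)
    pct = whitespace_percent(free_mb, total_mb)
    if pct < min_whitespace_percent:
        return "skip: only %.1f%% whitespace in the DIT" % pct
    needed = compact_space_required_mb(total_mb)
    if drive_free_mb < needed:
        return "blocked: need %d MB free on the target drive, have %d MB" % (needed, drive_free_mb)
    return "go: %.1f%% whitespace, up to %d MB reclaimable" % (pct, free_mb)
```

With the 16.11 sample figures (100 MB free of 1024 MB) the script reports under 10% whitespace, so the default threshold says skip; the tombstone count from event 1006 is what you would trend over successive garbage-collection cycles.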

16.14.4 See Also

Recipe 15.2 for more on diagnostics logging and Recipe 16.13 for more on the garbage-collection process.

Recipe 16.15 Determining the Size of the Active Directory Database

16.15.1 Problem

You want to determine the size of the Active Directory database.

16.15.2 Solution

16.15.2.1 Using a command-line interface

If you are in DS Restore Mode, you can use ntdsutil to report the size of the Active Directory


> ntdsutil files info

If you are not in DS Restore Mode and run this command, you will receive the following error message:

*** Error: Operation only allowed when booted in DS restore mode
"set SAFEBOOT_OPTION=DSREPAIR" to override - NOT RECOMMENDED!

As you can see, it is possible to override this failure by setting the SAFEBOOT_OPTION environment variable to DSREPAIR, but I do not recommend this unless you know what you are doing. By setting that environment variable, the ntdsutil command will not stop you from performing other commands. This can be very dangerous.

Another method, which is safer and easier, is to bring up a command shell by going to Start → Run, typing cmd.exe, and pressing Enter. Then type cd <NTDSDir>, where <NTDSDir> is the full path to the ntds.dit file. Finally, run the dir command; the output will show the size of the files.

16.15.3 Discussion

The size of the Active Directory database on a domain controller is effectively the size of the ntds.dit file. This file can vary slightly in size between domain controllers even within the same domain due to unreplicated changes or differences with nonreplicated data.

You should monitor the size of this file on one or more domain controllers in each domain to ensure you have adequate disk space. Also, by knowing the average size of your DIT, you can recognize if it spikes dramatically, perhaps due to a new application that is writing data to the directory.

If you find that you are running out of disk space, you have a couple of options. You could move the Active Directory files to a new drive with more capacity. Alternatively, you can perform an offline defragmentation if the DIT file contains a lot of whitespace.

16.15.4 See Also

Recipe 16.8 for moving the DIT files, Recipe 16.11 for determining how much whitespace is in the DIT, and Recipe 16.12 for performing an offline defragmentation of the Active Directory database.

Recipe 16.16 Searching for Deleted Objects

16.16.1 Problem

You want to search for deleted objects.


16.16.2 Solution

16.16.2.1 Using a graphical user interface

1. Open LDP.
2. From the menu, select Connection → Connect.
3. For Server, enter the name of a domain controller you want to target (or leave blank to do a serverless bind).
4. For Port, enter 389.
5. Click OK.
6. From the menu, select Connection → Connect.
7. Enter credentials of a user that is an administrator for the domain.
8. Click OK.
9. From the menu, select Options → Controls.
10. For Windows Server 2003, select the Return Deleted Objects control under Load Predefined.
11. For Windows 2000, type 1.2.840.113556.1.4.417 for the Object Identifier and click the Check In button.
12. Click OK.
13. From the menu, select Browse → Search.
14. For BaseDN, enter: cn=Deleted Objects,<DomainDN>
15. For Scope, select One Level.
16. For Filter, enter: (isDeleted=TRUE)
17. Click the Options button.
18. Under Search Call Type, select Extended.
19. Click OK.
20. Click Run.

16.16.2.2 Using a command-line interface

As of this writing, none of the standard command-line tools provide a way to search for deleted objects.

16.16.2.3 Using VBScript

It is currently not possible to search for deleted objects with ADSI or ADO.

16.16.3 Discussion

When an object is deleted in Active Directory, it is not completely deleted. The original object is removed, but a tombstone (deleted) object takes its place in the Deleted Objects container within the naming context it was deleted in. See Introduction in Chapter 16 for more on tombstone objects.


objects you have to enable the Return Deleted Objects LDAP control, which has an OID of 1.2.840.113556.1.4.417. When that control is enabled, you can perform searches for tombstone objects by specifying a search filter that contains (isDeleted=TRUE) in it. Only members of the administrator groups can perform searches for tombstone objects.

16.16.4 See Also

MSDN: Retrieving Deleted Objects

Recipe 16.17 Restoring a Deleted Object

This recipe must be run against a Windows Server 2003 domain controller.

16.17.1 Problem

You want to restore an object that was previously deleted.

16.17.2 Solution

16.17.2.1 Using a graphical user interface

1. Open LDP.
2. From the menu, select Connection → Connect.
3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
4. For Port, enter 389.
5. Click OK.
6. From the menu, select Connection → Bind.
7. Enter credentials of a user that can restore the deleted object (only administrators for the domain by default).
8. Click OK.
9. From the menu, select Options → Controls.
10. Select Return deleted objects from the Load Predefined selection.
11. Click OK.
12. From the menu, select Browse → Modify.
13. For Dn, enter the distinguished name of the deleted object you want to restore.
14. For Attribute, enter distinguishedName.
15. For Values, enter the original DN of the object.
16. For Operation, select Replace.
17. Click Enter.
18. For Attribute, enter isDeleted.
19. For Values, remove any text.
20. For Operation, select Delete.
21. Click Enter.
22. Add mandatory attributes as necessary:

Posted: 05/07/2014, 08:20
