Using ntdsutil to Move Ad Ds Database Files

To perform this operation, you must boot your domain controller into directory service restore mode (or use the restartable AD DS services trick described earlier) and use ntdsutil to move files elsewhere:

1. Click Start | Run, type ntdsutil, and press enter. This will launch the ntdsutil command-line interface.

2. Type the Activate Instance "NTDS" command and press enter. This will set the active instance to AD DS.

3. Issue the Files command to switch to the file manipulation command context.

4. Type info and press enter to display information about current location of AD DS files.

5. You have four choices: Move DB to <location>, Move Logs to <location>, Set Path DB <path>, and Set Path Logs <path>. You can either use the Move command to move files and automatically adjust Registry settings, or use the Set Path command to adjust the Registry settings and relocate files later manually. When you have files sitting on the disk and you want to move them, the Move command is the best choice. If you restored AD files from backup onto a drive that has more space, then the Set Path command makes more sense. <Location> and <path> are the same—the utility is expecting a full path, including the volume letter, where you wish to move the files or correct the Registry, with exception of the Set Path DB <path> command— it requires a full path along with the AD DS filename (ntds.dit by default).

6. Type info and press enter to display information about the current location of AD DS files. Make note of the difference with the output you received in Step 4.

7. Type quit and press enter (repeat twice to quit ntdsutil).

8. Restart AD DS services to bring AD DS online.

If you are familiar with database technologies, you may be wondering by now if there is a way to check the integrity of an Active Directory database, and if it is possible to repair a corrupt database. The answer is yes to both questions. Even healthy RAID arrays may throw occasional read or write errors under heavy stress, especially if storage technology is relatively new and firmware / drivers are not kept up to date.

If you suspect an AD database integrity problem, especially after read/write errors have been posted to the system log, you should research your hardware options and probably move database and log files to another volume, on another controller / set of physical disks. Then, using ntdsutil, you can choose one of the following options to perform database diagnostics and repair operations in the Files command context: integrity and recover.

■ Integrity This command is used to verify the integrity of the Active Directory database (data file). It will run a logical and physical inconsistency scan in an attempt to find any header or table inconsistencies or damage. The integrity check will read the entire data store, and thus if your database files are large, be sure to allow enough time to perform the integrity check.

■ Recover The recovery process is your next step if integrity verification yielded some problems. This operation is also performed automatically if the last shutdown was not graceful. It scans the log files and attempts to replay them against the main data file. Every time an ESE database is started, it is automatically marked as "dirty shutdown." Unless you shut down the involved processes gracefully, this state will remain unchanged and will be detected the next time the database is initiated, and the recovery process will be attempted by the system automatically. If this process fails, your next best option is to restore from the latest backup and replay the transaction logs to "roll forward" all the changes that have occurred since the latest backup.

If you do not have a backup, or if transaction logs are damaged and cannot be replayed, that is where the plot thickens. If restoring from a backup is an option but log files are damaged, you may need to restore from backup and forget about rolling forward your transactions to the point of failure—we are assuming here that simply throwing one domain controller out, and substituting it with another, and letting it replicate from other domain controllers is not an option. If your environment has multiple domain controllers in each domain, this may not be a big issue because most of the changes will get replicated from other domain controllers. If backups do not exist, you may need to run a repair process.

■ Repair The repair process is used to perform a low-level physical repair of the main database file when it is determined to be damaged or corrupted. This process does not replay transaction logs. This should only be used as your last resort because there is a high chance of losing some data, which may result in logical inconsistencies in the database. Always perform integrity checking after repair and after offline defragmentation.

Recover and integrity database operations are performed using ntdsutil. It calls out to the esentutl.exe tool that does the actual database work. This tool cannot work against the database while Active Directory is running, so you will have to restart the server and choose Directory Services Recovery Mode (or, again, stop AD DS). Repair and offline defragmentation options are not available through ntdsutil, and should rarely if ever be used on domain controller databases. However, these operations can be performed directly through esentutl.exe maintenance tool.

Output from a help screen of the esentutl tool is shown here:

Extensible Storage Engine Utilities for Microsoft(R) Windows(R) Version 6.C

Copyright (C) Microsoft Corporation. All Rights Reserved.

DESCRIPTION: Database utilities for the Extensible Storage Engine for




Defragmentation: ESENTUTL /d <database name> [options]

Recovery: ESENTUTL /r <logfile base name> [options]

Integrity: ESENTUTL /g <database name> [options]

Checksum: ESENTUTL /k <file name> [options]

Repair: ESENTUTL /p <database name> [options]

File Dump: ESENTUTL /m[mode-modifier] <filename>

Copy File: ESENTUTL /y <source file> [options]

<<<<< Press a key for more help >\>\>\>

D=Defragmentation, R=Recovery, G=inteGrity, K=checKsum,P=rePair, M=file duMp,



Note the defragmentation option. Active Directory will run the defragmentation process automatically; this is called online defragmentation. "Online" means that the Active Directory database will not be taken offline but will service user requests normally, although maybe a bit slower than usual due to higher than normal disk activity and memory usage. However, online defrags are usually not as effective as offline defrags. If you are running low on space, and there are no hardware upgrades on the horizon, you may want to try an offline defrag first, by using the esentutl tool. You could also try compacting the database, using the ntdsutil, Files context, compact command.

Generally speaking, offline defrags are not something you should do often. Defragmentation should always be followed by an integrity check, and unless there is a problem, this should be left to the online maintenance process.

Semantic Database Analysis performs the logical scan of information specific to Active Directory, such as

■ Synchronization state of each naming context

■ Presence of GUID numbers for each object

■ Deleted objects' dates

■ SID numbers of security principals

Was this article helpful?

0 0
The Ultimate Computer Repair Guide

The Ultimate Computer Repair Guide

Read how to maintain and repair any desktop and laptop computer. This Ebook has articles with photos and videos that show detailed step by step pc repair and maintenance procedures. There are many links to online videos that explain how you can build, maintain, speed up, clean, and repair your computer yourself. Put the money that you were going to pay the PC Tech in your own pocket.

Get My Free Ebook


  • leon
    How many times do the ntdsutil files integrity?
    9 years ago
  • Katharina
    How to move DS log files windows server 2008?
    9 years ago
  • Elias McKay
    How relocate active directory database using ntdsutil.exe?
    9 years ago

Post a comment