Managing Active Directory Files
The Microsoft® Windows® 2000 directory service is implemented on top of an indexed sequential access method (ISAM) table manager. This is the same table manager used by Microsoft® Exchange Server, the file replication service, the security configuration editor, the certificate server, Windows Internet Name Service (WINS), and other Windows 2000 components. The version of the database that Windows 2000 uses is called extensible storage engine (ESENT).
ESENT is a transacted database system that uses log files to support rollback semantics to ensure that transactions are committed to the database. Ideally, data and log files should be located on separate drives to improve performance and support recovery of the data if a disk fails.
The data file is called Ntds.dit. The Files menu of Ntdsutil provides commands for managing the directory service data and log files.
ESENT provides its own tool for certain database file management functions called Esentutl.exe, which is also installed in the Winnt\System32 folder. Several of the Ntdsutil file management commands invoke Esentutl, reducing the need to learn that tool's command-line arguments. In the cases where Ntdsutil invokes Esentutl, it brings up a separate window configured with a large history so that you can scroll back to see all of the Esentutl progress indicators.
The Windows 2000 directory service opens its files in exclusive mode. This means the files cannot be managed while the system is operating as a domain controller.
To manage directory service files
1. Start the computer.
2. When the Starting Windows progress bar appears, press F8.
3. From the Windows 2000 Advanced Options Menu, select Directory Services Restore Mode.
Note
Starting the computer in Directory Services Restore Mode causes your domain controller to temporarily operate as a stand-alone server. This causes some services to fail, especially those that are integrated with the directory service. When operating in this mode, the security accounts manager (SAM) uses a minimal set of user and group definitions stored in the registry. If your domain controller is not physically secure, you should set the administrative password for the Directory Services Restore Mode.
Table C.1 lists and describes the file management commands.
Table C.1 File Management Commands
Command | Description |
---|---|
Compact to %s | Invokes Esentutl.exe to compact the existing data file and writes the compacted file to the specified directory. The directory can be remote, that is, mapped by means of the net use command or similar means. After compaction is complete, archive the old data file, and move the newly compacted file back to the original location of the data file. |
Header | Writes the header of the Ntds.dit data file to the screen. This command can help support personnel analyze database problems. |
Info | Analyzes and reports the free space for the disks that are installed in the system, reads the registry, and then reports the sizes of the data and log files. (The directory service maintains the registry, which identifies the location of the data files, log files, and directory service working directory.) |
Integrity | Invokes Esentutl.exe to perform an integrity check on the data file, which can detect any kind of low-level database corruption. It reads every byte of your data file; thus it can take a long time to process large databases. |
Move DB to %s | Moves the Ntds.dit data file to the new directory specified by %s and updates the registry so that, upon system restart, the directory service uses the new location. |
Move logs to %s | Moves the directory service log files to the new directory specified by %s and updates the registry so that, upon system restart, the directory service uses the new location. |
Recover | Invokes Esentutl.exe to perform a soft recovery of the database. Soft recovery scans the log files and ensures all committed transactions therein are also reflected in the data file. The Windows 2000 Backup program truncates the log files appropriately. |
Repair | Invokes Esentutl.exe to perform a low-level repair of the data file. Use the repair command only on the advice of qualified service personnel, as it can cause data loss. Furthermore, this can only repair what ESENT knows about. This means that its notion of repair might eliminate some data that is key to the safe operation of the directory service. |
Set path backup %s | Sets the disk-to-disk backup target to the directory specified by %s. The directory service can be configured to perform an online disk-to-disk backup at scheduled intervals. |
Set path DB %s | Updates the part of the registry that identifies the location and file name of the data file. Use this command only to rebuild a domain controller that has lost its data file and that is not being restored by means of normal restoration procedures. |
Set path logs %s | Updates the part of the registry that identifies the location of the log files. Use this command only if you are rebuilding a domain controller that has lost its log files and is not being restored by means of normal restoration procedures. |
Set path working dir %s | Sets the part of the registry that identifies the directory service's working directory to the directory specified by %s. |
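
The compaction sequence described for Compact to in Table C.1 (compact, archive the old data file, move the compacted file back), followed by an Integrity check, as a batch script to run in Directory Services Restore Mode. This is an added example, not part of the original documentation; the directories D:\DSCompact and D:\DSArchive and the data file location %SystemRoot%\NTDS are assumptions, so confirm the real paths with the Info command first.

```batch
@echo off
rem Added example: offline compaction of Ntds.dit from Directory Services Restore Mode.
rem Assumed paths (no spaces); replace DBDIR with the location that "files info" reports.
set DBDIR=%SystemRoot%\NTDS
set TARGET=D:\DSCompact
set ARCHIVE=D:\DSArchive

rem 1. Report free disk space and the current data and log file locations and sizes.
ntdsutil files info quit quit

rem 2. Compact the data file into the target directory (Ntdsutil invokes Esentutl.exe).
if not exist "%TARGET%" mkdir "%TARGET%"
ntdsutil files "compact to %TARGET%" quit quit

rem Stop here if no compacted file was written, so the original stays untouched.
if not exist "%TARGET%\ntds.dit" (
    echo Compaction did not produce %TARGET%\ntds.dit. Original data file left in place.
    goto :eof
)

rem 3. Archive the old data file, then move the compacted file to the original location.
if not exist "%ARCHIVE%" mkdir "%ARCHIVE%"
move "%DBDIR%\ntds.dit" "%ARCHIVE%\ntds.dit.old"
if errorlevel 1 goto :eof
move "%TARGET%\ntds.dit" "%DBDIR%\ntds.dit"
if errorlevel 1 goto :eof

rem 4. Check the compacted data file for low-level corruption before restarting normally.
ntdsutil files integrity quit quit
```

The archived file is a complete copy of the directory database, so keep the archive directory under the same access restrictions as the original data file location.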