3. Defragment the Directory Database
A directory database gets
fragmented as you add, change, and delete objects to your database.
Like any file system–based storage, as the directory database is changed
and updated, fragments of disk space will build up so it needs to be
defragmented on a routine basis to maintain optimal operation. By
default, Active Directory performs an online defragmentation of the
directory database every 12 hours with the garbage collection process,
an automated directory database cleanup, and IT pros should be familiar
with it. However, online defragmentation does not decrease the size of
the NTDS.DIT database file. Instead,
it shuffles the data around for easier access. Depending on how much
fragmentation you actually have in the database, running an offline
defragmentation—which does decrease the size of the database—could have a
significant effect on the overall size of your NTDS.DIT database file.
There is a little
problem associated with defragmenting databases. They have to be taken
offline in order to have the fragments removed and the database resized.
In Windows Server 2008 R2, there is a great feature that allows you to
take the database offline without shutting down the server. It's called
Restartable Active Directory, and it could not be much easier to stop
and start your directory database than this. Figure 4 shows the Services tool and how you can use it to stop the Active Directory service.
Start the Services tool from the Control Panel.
Right-click Active Directory Domain Services, and select Stop.
Figure 4. You can use the Services tool to stop and restart Active Directory.
That's it! Now when you stop
Active Directory Domain Services, any other dependent services will also
be stopped. Keep in mind that while the services are stopped, they
cannot fulfill their assigned role in your network. The really cool
thing about Restartable AD is that while the directory services and its
dependent services are stopped, other services on the local machine are
not. So, perhaps you have a shared printer running on your DC. Print
services still run, and print operations do not stop. Nice!
3.1. Offline Directory Defragmentation
Now that you have stopped
Active Directory services, it is time to get down to the business of
offline defragmentation of the directory database:
Open a command prompt, and type NTDSUTIL.
Type ACTIVATE INSTANCE NTDS.
Type FILES, and press Enter.
and press Enter. This will tell you the current location of the
directory database, its size, and the size of the associated log files.
Write all this down.
Make a folder location that has enough drive space for the directory to be stored.
Type COMPACT TO DRIVE:\DIRECTORY,
and press Enter. The drive and directory are the locations you set up
in step 5. If the drive path contains spaces, put the whole path in
quotation marks, as in "C:\database defrag".
A new defragmented and compacted NTDS.DIT is created in the folder you specified.
Type QUIT, and press Enter.
Type QUIT again, and press Enter to return to the command prompt.
If defragmentation succeeds without errors, follow the NTDSUTIL prompts.
Delete all log files by typing DEL x:\pathtologfiles\*.log where x is the drive letter of your drive.
Overwrite the old NTDS.DIT file with the new one. Remember, you wrote down its location in step 4.
Close the command prompt.
Open the Services tool, and start Active Directory Domain Services.
Defragmenting your directory database using the offline NTDSUTIL
process can significantly reduce the size of your database depending on
how long it has been since your last offline defrag. The hard thing
about offline defrag is that every network is different, so making
recommendations about how often to use the offline defrag process is
somewhat spurious. I recommend you get to know your directory database.
Monitor its size and growth. When you think it is appropriate to
defragment offline, then do it. A pattern will emerge for you, and you
will find yourself using offline defragmentation on a frequency that
works well for your network and your directory database. One of the cool
things about offline defragmentation is that if you should happen to
have an error occur during the defragmentation process, you still have
your original NTDS.DIT database in place and can continue using it with no problems until you can isolate and fix any issues.
4. Audit Active Directory Service
Windows Server 2008 R2 not
only allows you to audit changes to Active Directory but also allows you
to see the actual values entered into the directory before the change
was made and after the change is made. It was possible in Windows 2000
Server and Windows Server 2003 to audit directory service access to see
whether a change had been made, but this auditing allowed you to see the
results of the change only, not the "before and after" settings.
In Windows Server 2008 R2, the Audit Directory Service Access setting policy is divided into four subcategories:
Directory Service Access
Directory Service Changes
Directory Service Replication
Detailed Directory Service Replication
When you want to see
changes, you will implement the Directory Service Changes Policy. This
policy will allow you to see the changes made by any security principal
including create, delete, modify, move, or undelete operations. This
policy will record not only the new values but also the original values
in the event of a modify or undelete operation. In the event of a move
operation, the original location of the object will also be logged.
You can enable auditing in
Windows Server 2008 R2 through the use of three mechanisms. First, you
can choose to enable a global audit policy for all the directory service
subcategories mentioned previously. This setting is in the default
domain controller policy on the Domain Controllers OU and is not
enabled by default on Windows Server 2008 R2 DC. Therefore, if you want
to audit directory service changes, you will need to implement this
setting. One item of note is that the ID number for directory service
changes has been updated to 4,662 instead of Windows 2000 Server and
Windows Server 2003's 566 ID designation.
Second, you can also
enable auditing through the use of system access control lists (SACLs).
The SACL of an object determines whether access to an object will or
will not be audited. It determines which operations are to be audited
and for whom. SACLs are controlled by those security administrators who
have rights to the local system. The Administrators group would hold
this right by default. So, it is technically possible to edit the access
control entry (ACE) of an object and remove the auditing requirement of
the object even though Directory Services Changes has been enabled.
Finally, there is also a set of
schema controls that you can use to create exceptions using search flag
properties for what is being audited. For more on schema auditing
exceptions, see http://technet.microsoft.com/en-us/library/cc731607.
4.1. Enable Group Policy Auditing in Group Policy Management Console
To enable directory services
auditing, you need to use Group Policy. Use the Group Policy Management
Console to make the suggested changes.
Select Start => Administrative Tools => Group Policy Management.
the console tree, double-click the name of the forest, expand Domains,
expand the name of your domain, select Domain Controllers, right-click
Default Domain Controllers Policy, and then click Edit.
Computer Configuration, expand Policies, expand Windows Settings,
expand Security Settings, expand Local Policies, and then click Audit
Policy (see Figure 5).
In the details pane, right-click Audit Directory Service Access, and then click Properties.
Select the Define These Policy Settings check box.
Under Audit These Attempts, select the Success check box, and then click OK.
Figure 5. Auditing enabled in Group Policy Management Console
4.2. Enable Auditing Using the Command Line
Although you will most
likely enable auditing using the Group Policy Management Console,
sometimes you may prefer to use the command line. Here are the steps:
Click Start, type cmd in the search box to locate the command prompt, and then right-click and choose Run As Administrator.
Type the following command, and then press Enter:
auditpol /set /subcategory:"directory service changes"
4.3. Configure Auditing in the Object SACLs
SACLs hold the real power in
auditing. They define the permissions and functions for auditing on any
given object or file location. It is possible to configure auditing of
Active Directory on the SACL:
Select Start => Administrative Tools => Active Directory Users And Computers.
Right-click the organizational unit, or any object, for which you want to enable auditing, and then click Properties.
the Security tab, click Advanced, and then click the Auditing tab. (If
you do not see the Security tab, you may need to enable Advanced
Features from the View menu.)
Click Add, and under Enter The Object Name To Select, type Authenticated Users (or any other security principal). Then click OK.
In Apply Onto, click Descendant User Objects (or any other objects).
Under Access, select the Successful check box for Write All properties.
Directory Service Changes auditing can add a powerful tool to your toolbox of management features in Window Server 2008 R2.