Reasons for this include but are not limited to:
• You run out of disk space and want to move it away from the system disk
• You want the DB to run on a faster/more reliable hard disk (other than the system disk)
• You experience performance issues and want to separate the DB from the core OS hard disk
• You fat-fingered the correct location of the DB file when running dcpromo to bring the DC up
The discussion brought up a few funny suggestions on how to go about that (including simply “copy and paste” the files – at least they thought about booting in DS restore mode). So here’s an outline of how to do it with Windows 2000 Server and Server 2003 (for Server 2008, see below):
1. Boot into Directory Services Restore Mode (DSRM) by pressing F8 on DC reboot. That’s right, moving the database involves downtime.
2. Start ntdsutil in a CMD.
3. Enter the “File maintenance” submenu by typing “files”.
4. Move the database to a new place by typing “move db to <location>” where <location> is a path, similar to E:\NTDS\. Note that you don’t have to specify the file name – just the folder ntdsutil shall copy the files to.
[5. Move the log files to a new place by typing “move logs to <location>” where <location> is - again - a path like E:\NTDS. This is optional, but I’d keep the transaction log files with the database.]
6. Check whether the new file location is correct by typing “info” (still in the file maintenance submenu). Give it a go: if you’ve fat-fingered it once, chances are you did it twice. The “info” command also prints out where all files are stored (database and log files) and how much space they need.
7. Check integrity of the database after it has moved. Do so by typing “integrity”. This step might take a few minutes depending on how large your database is, but since you’re down anyway, you should take the time to ensure everything is correct.
8. Type “quit” twice and close the cmd. Now boot into normal mode again.
9. It is recommended that you back up the system state to have a current backup of the database now. It is a good idea to have a backup anyway, since you clean-booted the DC and had it checked for integrity. Another aspect is that when restoring an older system state, the previous location of the NTDS.dit will be used – you’d have to move the NTDS.dit once again using ntdsutil.
Please don’t forget to check security on the folder you move the database to. It’s a bad idea to move it into a shared folder or the wwwroot. You may laugh, and I must admit those two examples are a bit extreme. The point is that you should take a moment and review the NTFS permissions of the DB folder. Don’t share it, don’t allow anyone to access it. The permissions it needs are (pasted from http://support.micro…com/kb/258062):
Windows Server 2003

| Account | Permissions | Inheritance |
|---|---|---|
| System | Full Control | This folder, subfolders and files |
| Administrators | Full Control | This folder, subfolders and files |
| Creator Owner | Full Control | Subfolders and Files only |
| Local Service | Create Folders / Append Data | This folder and subfolders |

Windows 2000

| Account | Permissions | Inheritance |
|---|---|---|
| Administrators | Full Control | This folder, subfolders and files |
| System | Full Control | This folder, subfolders and files |
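One way to review the folder's ACL against the Windows Server 2003 entries listed above is to capture the output of icacls for the database folder and compare it offline. This is an added example, not code from the original post or the KB article; the sample output is constructed, E:\NTDS is the example path used in the steps, and the mapping from the Inheritance column to icacls flags is this example's own.

```python
import re

# Expected ACEs for Windows Server 2003, transcribed from the table above.
# The Inheritance column is mapped to icacls flags (this example's mapping).
EXPECTED_2003 = {
    "NT AUTHORITY\\SYSTEM": ("F", {"OI", "CI"}),        # folder, subfolders, files
    "BUILTIN\\ADMINISTRATORS": ("F", {"OI", "CI"}),     # folder, subfolders, files
    "CREATOR OWNER": ("F", {"OI", "CI", "IO"}),         # subfolders and files only
    "NT AUTHORITY\\LOCAL SERVICE": ("AD", {"CI"}),      # folder and subfolders
}
ACE_RE = re.compile(r"^(.+?):((?:\([^)]+\))+)$")

def parse_icacls(text, path):
    """Return (principal, rights, flags) for each ACE line of icacls output."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.upper().startswith(path.upper()):
            line = line[len(path):].strip()   # first ACE shares a line with the path
        m = ACE_RE.match(line)
        if not m:
            continue                          # blank line or summary line
        tokens = re.findall(r"\(([^)]+)\)", m.group(2))
        flags = set(tokens[:-1]) - {"I"}      # (I) only marks an inherited ACE
        aces.append((m.group(1), tokens[-1], flags))
    return aces

def audit(text, path, expected=EXPECTED_2003):
    """List deviations from the expected ACL; an empty list means it matches."""
    findings, seen = [], set()
    for who, rights, flags in parse_icacls(text, path):
        key = who.upper()
        seen.add(key)
        if key not in expected:
            findings.append(f"unexpected principal: {who} ({rights})")
        elif (rights, flags) != expected[key]:
            findings.append(f"wrong rights or inheritance: {who} ({rights})")
    findings += [f"missing ACE: {k}" for k in sorted(expected.keys() - seen)]
    return findings

# Constructed sample: a new folder that inherited a Users entry from the volume.
SAMPLE = r"""E:\NTDS NT AUTHORITY\SYSTEM:(OI)(CI)(F)
        BUILTIN\Administrators:(OI)(CI)(F)
        CREATOR OWNER:(OI)(CI)(IO)(F)
        BUILTIN\Users:(I)(OI)(CI)(RX)
Successfully processed 1 files; Failed processing 0 files"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, r"E:\NTDS")))
```

An empty result means the captured ACL contains exactly the four entries from the table; any extra principal, such as an inherited Users entry, is reported for review.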
On Windows Server 2008, the NTDS.dit location can be changed as follows. The procedure differs because Windows Server 2008 can stop Active Directory and its services temporarily, which wasn’t possible before 2008:
1. Stop the “Active Directory Domain Services” service in services.msc. It will prompt you that it’ll need to shut down other services as well (Kerberos, File Replication, DNS, ..). You want these services to stop, too, so click “Yes”.
2. Open ntdsutil. You need to activate the correct instance of ntds to perform maintenance tasks. The standard instance of Active Directory is “ntds”, so we use “activate instance ntds” as the first command.
3. Enter the File maintenance submenu by typing “files” as the second command.
4. Move the database to a new place by typing “move db to <location>” where <location> is a path, similar to E:\NTDS\. Note that you don’t have to specify the file name – just the folder ntdsutil shall copy the files to.
[5. Move the log files to a new place by typing “move logs to <location>” where <location> is - again - a path like E:\NTDS. This is optional, but I’d keep the transaction log files with the database.]
6. Check whether the new file location is correct by typing “info”. (“info” also prints out where all files are stored, database and log files, and how much space they need.)
7. Check integrity of the database after it has moved. Do so by typing “integrity”. This step might take a few minutes depending on how large your database is, but since you’re down anyway, you should take the time to ensure everything is correct.
8. Type “quit” twice and close the cmd. Start the “Active Directory Domain Services” service again.
9. Back up the system state. See above for reasons.
Just like with Server 2003 and 2000, check the security on the folder you move the DB to (see above). Since I haven’t found documentation that tells otherwise, I guess the permissions in Server 2003 are good for 2008 too.