Jun 28 2012

PowerShell: Compact the Active Directory database

In this post we will see how to automate the offline defragmentation of the AD database (NTDS.dit) with PowerShell on Windows Server 2008. With Windows Server 2008 you no longer need to restart the DC in DSRM mode; you only need to stop the Active Directory service.

Once the service is stopped, launch the ntdsutil.exe utility and pass it the input arguments stored in the $compactinput file. The database is compacted in the current execution directory. The result of the command is stored in the $compactresult file for analysis.

add-content $compactinput 'activate instance ntds'
add-content $compactinput 'files'
$compact = 'compact to '+ (get-location).path
add-content $compactinput $compact
add-content $compactinput 'quit'
add-content $compactinput 'quit'
get-content $compactinput | ntdsutil.exe > $compactresult

If the compaction is successful, the $compactresult file contains the character string “Compaction is successful. You need to:”.

Next, delete all the log files in the log directory and make a copy of the existing Ntds.dit file by renaming it Ntds.dit.old. Finally copy the compacted database file to the NTDS database directory. In order to know where those directories are located (log and NTDS database) just read the DC’s registry.
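The file swap described above, as an added example that is not part of the original script. It assumes the standard NTDS Parameters registry key and its "DSA Database file" and "Database log files path" values; the function name and its parameters are hypothetical.

```powershell
# Added example: $compactresult is the post's variable, every other name is an assumption.
function Install-CompactedNtds {                      # hypothetical helper name
    param(
        [string]$CompactResult,                       # ntdsutil output from the compaction step
        [string]$CompactedFile                        # compacted ntds.dit in the execution directory
    )
    $ErrorActionPreference = 'Stop'                   # make cmdlet errors reach the catch block

    # Never swap files under a running directory service.
    if ((Get-Service -Name NTDS).Status -ne 'Stopped') { throw 'The NTDS service is not stopped.' }

    # Gate on the success string quoted in the post.
    if (-not (Select-String -Path $CompactResult -Pattern 'Compaction is successful' -SimpleMatch -Quiet)) {
        throw "Compaction not confirmed, check $CompactResult"
    }

    # Standard NTDS parameters key: database file and log directory of this DC.
    $p      = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dbFile = $p.'DSA Database file'
    $logDir = $p.'Database log files path'
    $old    = Join-Path (Split-Path -Parent $dbFile) 'Ntds.dit.old'
    if (Test-Path -Path $old) { throw "$old already exists, move it away first." }

    # The database volume must hold the compacted copy next to Ntds.dit.old.
    $volume = New-Object System.IO.DriveInfo ([System.IO.Path]::GetPathRoot($dbFile))
    if ($volume.AvailableFreeSpace -lt (Get-Item -Path $CompactedFile).Length) {
        throw "Not enough free space on $($volume.Name)"
    }

    Rename-Item -Path $dbFile -NewName 'Ntds.dit.old' # keep the previous database for rollback
    try {
        Copy-Item -Path $CompactedFile -Destination $dbFile
        # Logs are deleted last, once the new database is in place.
        Get-ChildItem -Path $logDir -Filter '*.log' | Remove-Item -Force
    }
    catch {
        # Put the original database back so the DC still has something to start from.
        if (Test-Path -Path $dbFile) { Remove-Item -Path $dbFile -Force }
        Rename-Item -Path $old -NewName (Split-Path -Leaf $dbFile)
        throw
    }
}

# Usage (paths are constructed examples):
# Install-CompactedNtds -CompactResult $compactresult -CompactedFile (Join-Path (Get-Location).Path 'ntds.dit')
```

Ntds.dit.old and the compacted copy left in the execution directory both contain the domain's credential data, so keep them on access-restricted storage and delete them once the DC is confirmed healthy.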

Before starting the Active Directory service, an integrity check must be performed on the compacted database. Once again, launch the ntdsutil.exe utility and pass it the input arguments stored in the $integrityinput file. The result of the command is stored in the $integrityresult file for analysis:

add-content $integrityinput 'activate instance ntds'
add-content $integrityinput 'files'
add-content $integrityinput 'integrity'
add-content $integrityinput 'quit'
add-content $integrityinput 'quit'
get-content $integrityinput | ntdsutil.exe > $integrityresult

If the integrity check is successful, the $integrityresult file contains the character string “Integrity check successful”. If not, repeat the compaction manually after restoring the Ntds.dit.old file. In case of problems when running the script, have a look at this TechNet article.

If everything is OK start the Active Directory service (NTDS), and wait for the following event to show up:


To pause the script, use the Wait-Event cmdlet: it suspends script execution until event ID 1394 appears in the Directory Service log. For the correct syntax, see this Scripting Guy’s post:

$QueryString = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.Logfile = 'Directory Service' AND TargetInstance.EventCode = '1394'"
Register-WMIEvent -query $QueryString -sourceIdentifier "AppLogEntry"
$Event = Wait-Event -sourceIdentifier "AppLogEntry" -timeout 90

The script waits up to 90 seconds for this event. If the event does not show up within that time, the script considers that the Active Directory service did not start properly ($Event.TimeGenerated is null). In that case, consult the “If errors appear when you restart AD DS” chapter of the TechNet article mentioned previously.

To download the full script just click on the link below:


Warning: For the script to work properly you need free disk space equal to twice the size of your Ntds.dit file (compacted Ntds.dit + Ntds.dit.old). And remember that before performing an offline defragmentation you should check that you have a valid backup of your DC.
