AD DS Database Files

What is NTDS.dit?

AD DS Database Files

The AD DS database is stored as a file named Ntds.dit. When you promote a domain controller, you can specify the location of the file. The default location is %SystemRoot%\NTDS.

What are the NTDS files?

Within Ntds.dit are all of the partitions hosted by the domain controller: the forest schema and configuration; the domain-naming context; and, depending on the server configuration, the partial attribute set and application partitions.

In the NTDS folder are other files that support the AD DS database. The Edb*.log files are the transaction logs for AD DS. When a change must be made to the directory, it is first written to the log file. The change is committed to the directory as a transaction. If the transaction fails, it can be rolled back.

Sometimes you have to take the AD DS database offline

Certain tasks, such as an off-line defragmentation or moving the AD DS database to another drive, require you to take AD DS offline. You can use PowerShell to stop the AD DS service: Stop-Service ntds. Similarly, you can start the AD DS service: Start-Service ntds.

What is NtdsUtil.exe?

NtdsUtil has many uses

NtdsUtil.exe is a command-line tool that you can use to perform database maintenance, including the creation of snapshots, offline defragmentation, and the relocation of the database files.

You can clean up metadata

You also can use NtdsUtil.exe to clean up domain controller metadata. If a domain controller is not demoted to a member server properly, it doesn't remove important information from the directory service. However, you can use NtdsUtil.exe to clean out the remnants of the domain controller, and it is very important that you do so.

You can reset the DSRM password

NtdsUtil.exe also can reset the password used to sign in to the Directory Services Restore Mode (DSRM). This password initially is configured during the promotion of a domain controller. If you forget the password, theNtdsUtil.exe set dsrm command can reset it.