Wednesday, November 28, 2007

PRIV1.HTML file in Exchange 2000

The question came today from one of my peers at work, who asked about the priv1.html file we see when performing a defrag on Exchange 2000 databases. What is this file? I never knew Exchange would use an HTML file as a database. My peer knew the priv1.edb file and what it does very well; nevertheless, the HTML file seemed a bit abnormal to him.


The mailbox store is priv1.edb, but it also has a companion file called priv1.stm. Windows shows this file as an HTML document (priv1.html) because the .stm extension is registered as an HTML file type (server-side include), which confuses some Exchange administrators.

  • Priv1.edb files contain Rich Text Formatted (RTF) content messages.
  • A priv1.stm file contains non-RTF messages.

The priv1.edb holds message data for messages in native MAPI format; the .stm file holds content for Internet-formatted (MIME) messages. Both are required for the database to function correctly.

The 16-GB size limit for the Exchange private mailbox store database and the 16-GB size limit for the Exchange public store database each apply to the sum of the sizes of the .edb and .stm files (Priv.edb plus Priv.stm for the private store).

When you put a limit on a mailbox,

  • You only limit the storage in the Priv.edb file.
  • You do not limit the storage in the Priv.stm file.

For example, a mailbox may appear to use only 250 MB of space in Exchange System Manager. However, the total space that the mailbox uses may be 450 MB. This difference occurs because the 200 MB of space that the Priv.stm file uses does not appear in Exchange System Manager.


When you defrag the .edb, the .stm file is automatically defragged as well.


Oz Ozugurlu

Tuesday, November 27, 2007

Event ID 445: Exchange database reached the 16 GB limit


Exchange Server 2000 is not accessible. Event ID 445 is logged: the Exchange database has reached the 16 GB limit. This causes an interruption in mail flow.

Event Type: Warning

Event Source: ESE

Event Category: Space Management

Event ID: 445

Date: 11/27/2007

Time: 3:51:57 PM

User: N/A

Computer: CHALBIRFS0


Information Store (5640) The database E:\Exchsrvr\mdbdata\priv1.edb has reached its maximum size of 16383 MB. If the database cannot be restarted, an offline defragmentation may be performed to reduce its size.


I would love to say here: upgrade to Exchange 2007 if at all possible, or at least to Exchange 2003 to get the advantage of the 75 GB database limit. In some cases, decision makers (managers) make very little sense, to be honest. I have seen the same scenario a million times so far. For technical people it is very frustrating to deal with a manager who has no clue about current technology. Remember, this is the way it is and we have to live with it. Follow the steps below.

ESEUTIL /D is the immediate action we have to take in this situation. First we bumped the DB size limit to 17 GB with the following registry change, so the store could be mounted again.

  • Click Start, click Run, and then type regedit.exe. Locate the following key in the registry:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<server name>\Private-<store GUID>

Right-click, choose New > DWORD Value, name it "Temporary DB Size Limit" and enter the value 1. Restart the Information Store service for the change to take effect. This requires Service Pack 3 for Exchange 2000.

The C drive was out of space, so we needed to perform the defrag to the E drive, where we had plenty of free space:

C:\>"C:\Program Files\Exchsrvr\BIN\ESEUTIL.EXE" -d "E:\Program Files\Exchsrvr\MDBData\priv1.edb" /te:\temp.edb

This way the temp file is created on the E drive. Many of you already know the story behind the temp database: Exchange creates an empty database (in this example the temp database) and copies the good mail data into it. When Exchange is done, it tells you: "Hey, I have created a brand new database; go ahead, delete the original one and use this one instead."

Determine white space: Event ID 1221 reports it after online maintenance. If it is too late and the Exchange databases are dismounted due to the space problem, use ESEUTIL /MS to determine the white space.

A space dump with ESEUTIL /MS shows the free space inside the database. Also ensure that you have free disk space equal to 110% of the Exchange database size.

You can check the integrity of your Exchange database with ESEUTIL /G. After running it, check the log file called "integ.raw" to see the results.

Let's talk about ISINTEG in general (isinteg -fix -test alltests).

ISINTEG is the only repair utility that understands the Exchange database as an Exchange database (taken from MS support).

  • Isinteg understands the relationships between the tables and records that turn them into folders and messages.
  • At the end of an Isinteg fix run you will likely see hundreds to thousands of warnings; no worries. But we do need to worry if there is even one error: rerun Isinteg until no more errors are reported.
  • Before you do this, make sure that the Information Store service is running and the mailbox store is dismounted.
  • isinteg -s <ServerName> -fix -test alltests

Here are the final steps:

  • Run ESEUTIL /MS (determine the space, so you are not working blind)
  • Run ESEUTIL /P (hard repair)
  • Run ESEUTIL /D (defrag)
  • Run isinteg -fix -test alltests (fixes the logical problems)

    Example: isinteg -pri -fix -test alltests
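As an added example (not from the original post), here is a PowerShell preflight for the procedure above: it sizes both store files, checks the 110% free-space rule on the drive that will receive the temporary database, and then runs the space dump, the defrag with /t pointing at that drive, and ISINTEG, in that order. The paths are the post's; it assumes PowerShell 3.0 or later, a dismounted mailbox store with the Information Store service still running, and leaves the hard repair (/P) as a manual decision.

```powershell
# Added example, not part of the original post. Paths follow the post's
# layout; adjust them for your server. Run from an elevated PowerShell
# prompt on the Exchange 2000 server with the mailbox store dismounted.
$EseUtil  = 'C:\Program Files\Exchsrvr\BIN\ESEUTIL.EXE'
$IsInteg  = 'C:\Program Files\Exchsrvr\BIN\ISINTEG.EXE'
$Database = 'E:\Program Files\Exchsrvr\MDBData\priv1.edb'
$TempDb   = 'E:\temp.edb'

function Get-StoreSizeBytes {
    param([string]$EdbPath)
    # An Exchange 2000 store is two files: the .edb (MAPI/RTF content) and
    # the .stm streaming file (Internet-format content). Both count toward
    # the 16 GB limit and both are rewritten by ESEUTIL /D.
    $stmPath = [System.IO.Path]::ChangeExtension($EdbPath, '.stm')
    $total = 0
    foreach ($file in @($EdbPath, $stmPath)) {
        if (-not (Test-Path -LiteralPath $file)) { throw "Store file not found: $file" }
        $total += (Get-Item -LiteralPath $file).Length
    }
    return $total
}

function Test-DefragSpace {
    param([string]$EdbPath, [string]$TempDbPath)
    # The post's rule of thumb: 110% of the store size must be free on the
    # drive that receives the temporary (rebuilt) database.
    $storeBytes = Get-StoreSizeBytes -EdbPath $EdbPath
    $needed     = [math]::Ceiling($storeBytes * 1.1)
    $driveRoot  = [System.IO.Path]::GetPathRoot($TempDbPath)
    $free       = (New-Object System.IO.DriveInfo($driveRoot)).AvailableFreeSpace
    [pscustomobject]@{
        StoreGB  = [math]::Round($storeBytes / 1GB, 2)
        NeededGB = [math]::Round($needed / 1GB, 2)
        FreeGB   = [math]::Round($free / 1GB, 2)
        Drive    = $driveRoot
        Ok       = ($free -ge $needed)
    }
}

function Invoke-StoreDefrag {
    param([string]$EdbPath, [string]$TempDbPath, [switch]$WhatIf)
    $space = Test-DefragSpace -EdbPath $EdbPath -TempDbPath $TempDbPath
    if (-not $space.Ok) {
        throw "Need $($space.NeededGB) GB free on $($space.Drive), only $($space.FreeGB) GB available"
    }
    # Order from the post: space dump (/MS), offline defrag (/D) writing the
    # temporary database on the drive with room (/t<path>), then ISINTEG to
    # fix logical (folder/message level) problems. ESEUTIL /P (hard repair)
    # is not automated here; decide on it by hand if the store will not mount.
    $steps = @(
        @($EseUtil, '/ms', $EdbPath),
        @($EseUtil, '/d',  $EdbPath, "/t$TempDbPath"),
        @($IsInteg, '-pri', '-fix', '-test', 'alltests')
    )
    foreach ($step in $steps) {
        $exe     = $step[0]
        $argList = $step[1..($step.Count - 1)]
        if ($WhatIf) { Write-Output "Would run: $exe $argList"; continue }
        & $exe $argList
        if ($LASTEXITCODE -ne 0) { throw "Step failed with exit code $LASTEXITCODE : $exe $argList" }
    }
}

# Dry run first: shows the space check result and the commands it would run.
Test-DefragSpace -EdbPath $Database -TempDbPath $TempDb | Format-List
Invoke-StoreDefrag -EdbPath $Database -TempDbPath $TempDb -WhatIf
```

Drop the -WhatIf switch to actually run the three steps; the script stops at the first non-zero exit code so a failed defrag is never followed by ISINTEG.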


Oz ozugurlu

Sunday, November 18, 2007

Active Directory in Windows 2008: read-only domain controllers (RODC)

The security aspect is getting more and more integrated into Windows 2008 servers. If we examine the new features in Active Directory, we will quickly realize the security focus around most of the directory and DNS services. The read-only DC concept is brand new; it reminds me of the UNIX concept. Out of the box, Windows 2008 servers seem more robust and offer more granular delegation of tasks to administrators.

Below are some of the highlights I have observed and wanted to share with you all.

Administrator role separation

  • Read-only domain controllers (RODC) in Windows 2008: a more secure deployment with a read-only DC.
  • This is great for sites which do not have IT support (providing local services: print service, logon service).

We are not exposing a full writable domain controller in the remote site (RODC).

  • The RODC stores a copy of the DIT database without the security principals' secrets (no passwords). If the RODC gets compromised, the DIT database has no passwords in it.
  • If changes are made at the site, this won't affect the corporate site, since the DIT is read-only.


  • Great improvements to DCPROMO, ADUC and Distributed File System Replication (DFSR)
  • Administrator role separation
  • Delegation of DCPROMO and RODC (more granular control)

DNS Improvements

  • The backbone of AD is still DNS, and DNS has many improvements in Windows 2008 AD.
  • DNS has a new locator flag (based on site cost).
  • Read-only Active Directory-integrated zones for RODC.

RODC (Read Only Domain Controller)

The DIT database is read-only; changes, such as password changes, must be made on a writable DC. The RODC is primarily targeted at remote sites and edge offices. To limit the security exposure, each RODC has its own Kerberos ticketing system.

Deploying RODC Requirements

Windows 2003 forest functional level or later, and at least one DC must be running Windows Server 2008. The domain functional level must be raised to Windows 2003 or later.

  • The RODC needs to forward logon requests to a Windows 2008 server.
  • One RODC per site is recommended.
  • No RODC-to-RODC replication.
  • No plans for Exchange to support RODC / GC (Global Catalog).


Oz Ozugurlu

Friday, November 16, 2007

Exchange 2007 versions and some of the features

Exchange 2007 Standard

  • SG (maximum of five storage groups)
  • DB (maximum of five databases)
  • OA (support for Outlook Anywhere), formerly known as RPC over HTTPS
  • LCR (local continuous replication)
  • RSG (recovery storage group)
  • Database size: no limit

Exchange 2007 Enterprise

Supports all features of the Standard edition, plus:

  • Up to 50 SG
  • Up to 50 DB (MS recommends one DB per SG)
  • Why is it recommended this way? The log files are for the entire SG. If you have one DB per SG, the logs are segregated per DB, which is better (faster) than writing logs for more than one DB into the same log stream.
  • Consider using different spindles for best performance, even in 64-bit architecture, which is common sense.
  • SCC (single copy cluster)
  • LCR (local continuous replication): LCR supports 1 database per storage group
  • CCR (cluster continuous replication): CCR only supports 1 database per storage group

Coexistence Requirements

  • Exchange 5.5 is not supported. If you still have it, get rid of it.
  • All Exchange Server 2003 servers must have SP2 installed
  • All Exchange 2000 Server servers must have SP3 and post-SP3 update rollup installed


Oz ozugurlu

Thursday, November 15, 2007

Getting ready to install Exchange 2007?

Below is a nice table to have handy when upgrading to or implementing Exchange 2007.

Exchange 2007 @ Hardware Requirements

Minimum Requirements

Processor:        Must be an x64 64-bit architecture server system that provides support for the Intel EM64T or AMD64 platform. The Intel Itanium IA64 platform is not supported; 32-bit x86 systems are not supported except in a management station role.

Operating system: Windows Server 2003 SP1 x64 or Windows Server 2003 R2 x64, Standard or Enterprise edition. The management tools can be installed on a 32-bit Windows Server 2003 or Windows XP SP2 computer.

Memory:           Minimum of 2GB RAM.

Hard disk space:  Minimum of 200MB on the server's system drive. Minimum of 1.2GB on the server drive where the Exchange executables will be installed.

Optical drive:    A DVD drive, local or network accessible, is required.


Exchange 2007 @ CPU Requirements

Server Role          Minimum CPU    Recommended CPU    Recommended Maximum CPU
Edge Transport       1 CPU core     2 CPU cores        4 CPU cores
Hub Transport        1 CPU core     4 CPU cores        4 CPU cores
Client Access        1 CPU core     4 CPU cores        4 CPU cores
Mailbox              1 CPU core     4 CPU cores        8 CPU cores
Unified Messaging    1 CPU core     4 CPU cores        4 CPU cores
Multiple roles       1 CPU core     4 CPU cores        4 CPU cores


Exchange 2007 @ Memory Requirements

Server Role          Minimum RAM                                    Recommended RAM                                  Recommended Maximum RAM
Edge Transport                                                      Not less than 1GB per CPU core; 2GB minimum
Hub Transport                                                       Not less than 1GB per CPU core; 2GB minimum
Client Access                                                       Not less than 1GB per CPU core; 2GB minimum
Mailbox              2GB, but depends on number of storage groups   2GB plus 2MB–5MB per mailbox on the server
Unified Messaging                                                   Not less than 1GB per CPU core; 2GB minimum
Multiple roles       2GB, but depends on number of storage groups   4GB plus 2MB–5MB per mailbox on the server




Oz ozugurlu

Microsoft Certified Technology Specialist: (MCTS ) Microsoft Exchange Server 2007

MCTS: Exchange Server 2007 is Microsoft's brand-new certification. It is both a one-exam certification, granting students the MCTS designation, and an entry exam for both the IT professional developer and IT professional administrator certifications.

Here is what Microsoft says:

MCTS candidates must pass one exam that focuses on the following:

  • Installing and configuring Exchange servers
  • Creating and modifying recipients and public folders
  • Maintaining and optimizing the messaging system
  • Monitoring and reporting on the messaging system
  • Troubleshooting messaging issues
  • Managing data recovery and disaster recovery of a messaging environment

Here are the new Exams:

MCITP: Enterprise Messaging Administrator certification

  • Exam 70-236 Exchange Server 2007, Configuring
  • Exam 70-237 PRO: Designing Messaging Solutions with Microsoft Exchange Server 2007
  • Exam 70-238 PRO: Deploying Messaging Solutions with Microsoft Exchange Server 2007

Free book & resources to prepare:

I hope you find all you need.


Oz ozugurlu

Tuesday, November 13, 2007

WEBSENSE Detecting Blocked URL Redirection


A client cannot access certain content within an allowed URL: the client gets "access denied" within the allowed HTML pages, or some of the functions embedded in the allowed pages won't work properly.


We will figure out exactly what is being blocked by Websense. To do this, follow the steps below.

Note: you need to know the IP address of the client who is having trouble accessing the URL. You can also prepare a staging PC and simulate the same scenario; in that case you will use the staging PC's IP address.

Log into the Websense server:

  • Go to the command line.
  • Change to the following directory on the Websense server: D:\Websense\bin
  • Run the following command from that directory:

D:\Websense\bin>TestLogServer.exe -onlyip <client IP address> -file test2.txt

Replace <client IP address> with the IP address of the client PC that is having trouble accessing the problem link or pages; the captured requests are written to test2.txt.

When the client accesses the link, Websense will log the exact URL the browser requested. All you need to do is allow that address by adding it to the corporate allowed list.

This will resolve the issue, and the client will be able to use the full functionality of the website.


Oz ozugurlu

DNS clients send two types of queries: iterative and recursive

Let's try to understand the two types of queries used by DNS servers for name resolution.

Iterative queries
(query the best answer)

  • Client expects best answer from server
  • DNS server does not query other DNS servers
  • May refer client to another DNS server
  • Typically sent by DNS servers, not Microsoft Windows clients

Let us say our domain controllers are authoritative for our own DNS namespace. Every domain controller running DNS can answer any question a client may ask about that namespace.

We will perform an iterative query for a name in a namespace we do not own, and look at each step to observe what happens.

  • The client makes an iterative query to one of our DCs/DNS servers for the target name.
  • Since the DC/DNS server does not own that namespace, it informs the client as follows: "I am not authoritative for this namespace, but I do know who the authoritative server is for the parent namespace." The DNS server hands out the IP address of the DNS server that is authoritative for that parent namespace.
  • The client now knows the IP address of that DNS server and asks it the same question: "I need to get to this name; your IP was given to me as the authoritative DNS server. Can you provide the resource I am trying to access?"
  • That DNS server replies: "I am not authoritative for this name, but I do know who the authoritative server is. Here is the IP address, go ask it."
  • Finally the client has the IP address of the DNS server that is authoritative for the target name.

    The client asks the same question; this server pulls out the IP address for the requested resource and hands it to the client. Happy end: the client can open a direct TCP/IP connection to the resource server.

As you can see, the client is doing all the heavy lifting: the client needs to go to a different DNS server each time, gets a partial answer each time, and finally is able to locate the resource server's IP address.

Recursive queries

We will use the same story for a recursive query. Here the DNS server the client talks to first does the heavy lifting. If we ask the same question of the DNS server we are talking to, the same process is performed by that DNS server: when it has located the IP address for the requested name, it returns that information to the client, so that the client can open a direct TCP/IP connection to that server.

It is just like having a personal secretary when you want to find the phone number of your best buddy "James" from high school. You ask your secretary to get you James's number. Your secretary calls your high school and gets information about James's home address. She looks up the phone number in the phone book, calls the number, figures out James no longer lives there, but the people there give her a number where he can be reached. She makes sure James is available on that number and hands the number to you. Now you call your buddy James and start talking to him. Your secretary has done all the heavy lifting for you; she used recursive queries to get James's number.

  • Now, if you are not able to have a secretary, you have to call the school first.
  • The school gives you a number to call.
  • You call that number second.
  • The people who live in that home give you another number to call.
  • Finally, you call that number and are able to talk to your buddy. This would be an iterative query.
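The two walks described above, as an added example that is not part of the original post: a small offline model with three constructed "servers" (our-dc, tld-ns, partner-ns) and constructed names under the reserved example domain. Resolve-Iterative shows the client following every referral itself; Resolve-Recursive shows the first server doing the same walk on the client's behalf and returning only the answer. Nothing is sent on the network.

```powershell
# Added example, not part of the original post. The servers, names and
# addresses below are constructed for illustration only. Each server either
# answers from its own data, refers the asker to a server closer to
# authoritative for the name, or says it cannot help.
$Servers = @{
    'our-dc'     = @{ Answers = @{ 'fs1.corp.example' = '10.0.0.5' }
                      Refer   = @{ 'example' = 'tld-ns' } }
    'tld-ns'     = @{ Answers = @{}
                      Refer   = @{ 'partner.example' = 'partner-ns' } }
    'partner-ns' = @{ Answers = @{ 'www.partner.example' = '203.0.113.10' }
                      Refer   = @{} }
}

function Invoke-Query {
    param([string]$Server, [string]$Name)
    # One question to one server. The server never asks anyone else: this is
    # exactly what an iterative query requests ("give me your best answer").
    $data = $Servers[$Server]
    if ($data.Answers.ContainsKey($Name)) {
        return @{ Type = 'ANSWER'; Data = $data.Answers[$Name] }
    }
    # Longest matching zone wins, the same way a real server picks a referral.
    $best = $null
    foreach ($zone in $data.Refer.Keys) {
        if (($Name -eq $zone -or $Name.EndsWith(".$zone")) -and
            ($null -eq $best -or $zone.Length -gt $best.Length)) { $best = $zone }
    }
    if ($best) { return @{ Type = 'REFERRAL'; Data = $data.Refer[$best] } }
    return @{ Type = 'NXDOMAIN'; Data = '' }
}

function Resolve-Iterative {
    param([string]$Name, [string]$StartServer, [string]$Asker = 'client')
    # Iterative resolution: the ASKER follows every referral itself.
    $trace  = @()
    $server = $StartServer
    for ($hop = 1; $hop -le 10; $hop++) {
        $reply = Invoke-Query -Server $server -Name $Name
        $from  = if ($Asker -eq $server) { "$server (own data)" } else { "$Asker -> $server" }
        $trace += "$from : $Name ?   reply: $($reply.Type) $($reply.Data)"
        if ($reply.Type -eq 'ANSWER') {
            return [pscustomobject]@{ Address = $reply.Data; Trace = $trace }
        }
        if ($reply.Type -ne 'REFERRAL') {
            return [pscustomobject]@{ Address = $null; Trace = $trace }
        }
        $server = $reply.Data
    }
    throw "Referral loop while resolving $Name"
}

function Resolve-Recursive {
    param([string]$Name, [string]$Server)
    # Recursive resolution: the client asks ONE server once; that server does
    # the iterative walk on the client's behalf and returns only the result.
    $trace = @("client -> $Server : $Name ?   (recursion desired)")
    $inner = Resolve-Iterative -Name $Name -StartServer $Server -Asker $Server
    $trace += @($inner.Trace | ForEach-Object { "    $_" })
    $answer = if ($inner.Address) { "ANSWER $($inner.Address)" } else { 'NXDOMAIN' }
    $trace += "$Server -> client : $answer"
    [pscustomobject]@{ Address = $inner.Address; Trace = $trace }
}

$name = 'www.partner.example'
'--- iterative: the client does the heavy lifting ---'
(Resolve-Iterative -Name $name -StartServer 'our-dc').Trace
'--- recursive: our-dc does the heavy lifting ---'
(Resolve-Recursive -Name $name -Server 'our-dc').Trace
```

The iterative trace shows three exchanges from the client (referral to tld-ns, referral to partner-ns, answer), while the recursive trace shows a single question and a single answer from the client's point of view, with the same three hops happening inside our-dc.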


Oz ozugurlu

How to reset the Directory Services Restore Mode password on a domain controller

DSRM is configured for the first time when a server is promoted to a domain controller. Often administrators make up a password, the password gets forgotten, and when it is needed, resetting the DSRM password becomes necessary. This process is very straightforward. Do not confuse this password with the domain administrator password: when DSRM is started, the local administrator account is authenticated by the SAM (Security Account Manager), not by Active Directory.

Go to the command line and follow the steps below. (NTDSUTIL is part of the Windows 2003 support tools.)

    ntdsutil: set dsrm password
    Reset DSRM Administrator Password: reset password on server dc1
    Please type password for DS Restore Mode Administrator Account: ***********
    Please confirm new password: ***********
    Password has been set successfully.

How to Move .DIT Database to another location

In this scenario the drive that holds the NTDS.DIT database is running out of space and we need to move it to a different drive.

  • Click Start, click Run, type ntdsutil in the Open box, and then press ENTER.
  • At the ntdsutil command prompt, type files, and then press ENTER.
  • At the file maintenance command prompt, type move DB to <new location> (where <new location> is an existing folder that you have created for this purpose), and then press ENTER.
  • To quit ntdsutil, type quit, and then press ENTER.
  • Restart the computer.

How to Move Log Files

Use the move logs to command to move the directory service log files to another folder. For the new settings to take effect, restart the computer after you move the log files.

  • ntdsutil
  • Type files and press Enter (file maintenance command prompt)
  • move logs to E:\NTDS\Logs (this is the directory I created on the second hard drive; my logs are located on the C drive and I am moving them from the C drive to the E drive)



Oz ozugurlu

Friday, November 9, 2007

The KCC (Knowledge Consistency Checker)

The KCC (Knowledge Consistency Checker) is a built-in process that creates the replication topology in an Active Directory forest. By default the KCC runs every 15 minutes and dictates the replication routes from one domain controller to another. To make it simpler: if you have a domain controller in site B and you create a user there, the user object is added to the .DIT database on that domain controller. If a domain controller in site A cannot see the user object created in site B, it is because replication is not happening from the site B domain controller to the site A domain controller. There may be a number of different reasons why the KCC cannot or will not create the connection from site B to site A. The rule of thumb is to figure out what the culprit is.

Creating manual connections might save the day. The AD replication issue might show up in Exchange: a user gets created but the RUS (Recipient Update Service) does not stamp the user, so the SMTP proxy address never gets generated.

Note: Microsoft does not recommend creating manual connections; it recommends relying on the KCC, which is an automated process designed to figure out the best path for replication.

To create a manual connection, go to Active Directory Sites and Services, expand the site, click the server object and select NTDS Settings.

  • Right-click.
  • Choose New Active Directory Connection.
  • Select a domain controller from the list, click OK and then Finish.

Wait for the change to replicate through the AD topology. Then right-click the connection and choose Replicate Now.
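Before creating a manual connection object, it helps to see which inbound links are actually failing and whether forcing the KCC clears them. Added example, not from the original post: a PowerShell wrapper around repadmin.exe (Windows Server 2003 Support Tools, built in on Windows Server 2008), which assumes a domain-joined machine and uses the column names of repadmin's /csv output.

```powershell
# Added example, not part of the original post. Requires repadmin.exe and
# a domain-joined machine with rights to query the domain controllers.
function Get-ReplicationFailure {
    param([string]$DsaList = '*')   # '*' = every DC in the forest
    # /showrepl lists every inbound connection the KCC (or an admin) created
    # and how many consecutive replication attempts on it have failed.
    $rows = repadmin /showrepl $DsaList /csv | ConvertFrom-Csv
    $rows |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time',
                      'Last Success Time', 'Last Failure Status'
}

function Invoke-KccAndRecheck {
    param([string]$DestinationDc)
    # Force the KCC on one DC to rebuild its connection objects now instead of
    # waiting for the 15-minute cycle, then re-check that DC for failures.
    # If links are still failing afterwards, the problem is not topology
    # (site links, DNS and RPC reachability are the usual culprits) and a
    # manual connection object will not fix it.
    repadmin /kcc $DestinationDc | Out-Null
    Get-ReplicationFailure -DsaList $DestinationDc
}

$failures = Get-ReplicationFailure
if (-not $failures) { 'No failing replication links reported.' }
else { $failures | Format-Table -AutoSize }
```

Run Invoke-KccAndRecheck against the destination DC named in a failing row; a link that keeps failing with the same Last Failure Status after the KCC has rerun points at connectivity or DNS rather than at a missing connection object.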

The Purpose of KCC

Data integrity is maintained by tracking changes on each domain controller and updating other domain controllers in a systematic way. Active Directory replication uses a connection topology that is created automatically, which makes optimal use of beneficial network connections and frees the administrators from having to make such decisions.

What replicates with KCC?

  • Each combination of directory partitions that must be replicated
  • Domain controllers that store the same domain directory partition must have connections to each other
  • all domain controllers must be able to replicate the schema and configuration directory partitions

The routes for the following combinations of directory partitions are aggregated to arrive at the overall topology

  • Configuration and schema within a site.
  • Each domain directory partition within a site.
  • Global Catalog read-only, partial directory partitions within a site.
  • Configuration and schema between sites.
  • Each domain directory partition between sites.
  • Global Catalog read-only, partial directory partitions between sites.

Terminology with KCC

  • KCC runs every 15 minutes.
  • The domain controllers that replicate directly with each other are called replication partners.
  • These partnerships are added, removed, or modified automatically, as necessary, on the basis of which domain controllers are available and how close they are to each other on the network.
  • KCC creates connections that enable domain controllers to replicate with each other.
  • A connection defines a one-way, inbound route.
  • Connection objects are created automatically by the KCC; they can also be created manually.
  • Site Links

    For replication to occur between two sites, a link must be established between the sites. Site links are not generated automatically and can be created in Active Directory Sites and Services. Unless a site link is in place, the KCC cannot create connections automatically between computers in the two sites, and replication between the sites cannot take place. Each site link contains the schedule that determines when replication can occur between the sites that it connects. The Active Directory Sites and Services user interface guarantees that every site is placed in at least one site link. A site link can contain more than two sites, in which case all the sites are equally well connected

  • Bridgehead Servers

    To communicate across site links, the KCC automatically designates a single server, called the bridgehead server, in each site to perform site-to-site replication. Subsequent replication occurs by replication within a site. When you establish site links, you can designate the bridgehead servers that you want to receive replication between sites. By designating a specific server to receive replication between sites, rather than using any available server, you can specify the most beneficial conditions for the connection between sites. Bridgehead servers ensure that most replication occurs within sites rather than between sites.


Oz ozugurlu

Monday, November 5, 2007

BlackBerry: restart services in RDC order

Here is the correct way of starting the BlackBerry services: Router, Dispatcher, Controller (RDC). The rest of the services can be restarted in any order after following the RDC rule. Restart the BlackBerry services in the order below.

  • BlackBerry Router
  • BlackBerry Dispatcher
  • BlackBerry Controller

BlackBerry Router

Establishes connections and manages the connection to the wireless network for the BlackBerry Enterprise Server. Also routes data to handhelds that are connected through the BlackBerry Handheld Manager.

BlackBerry Dispatcher

Establishes the connection to Exchange and performs data encryption and compression for all data that the BlackBerry Enterprise Server sends or receives.

BlackBerry Controller

Controls all other services: monitors key BlackBerry Enterprise Server components and restarts them if they stop responding.

Other services can be started in any order,

BlackBerry Alert

When configured, sends alerts when events at the specified level occur on the

BlackBerry Enterprise Server.

BlackBerry attachment

Converts attachments into a format that can be viewed on the handheld.

BlackBerry Database Consistency Service

Synchronizes data between the BlackBerry Manager database and user


BlackBerry Mobile Data Service

Provides secure access to online content and applications on the corporate

intranet or Internet through the BlackBerry Enterprise Server.

BlackBerry Policy service

Supports wireless IT Policy, service books, and third-party application delivery for

the BlackBerry Enterprise Server.

BlackBerry Synchronization service

Synchronizes PIM application data wirelessly between the handheld and the mail



Oz Ozugurlu

BlackBerry How to test mail flow on Users Handheld

Here is the situation: a user calls and complains about not getting messages on their handheld. Most of the time there is a problem with either BlackBerry or the wireless provider; from time to time the problem is caused by the end user. In that case, how can we tell whether a message is getting to the handheld even though we don't have the handheld in front of us? Here is a nice trick we learned from RIM support.

Problem: the user assumes they are not getting mail on their handheld.

Solution: generate an automatic confirmation e-mail to determine whether a test mail ever reaches the handheld.

From your Outlook, compose a new mail message to the user who is having trouble, as shown below. Do not forget the angle brackets on the subject line, and ask the user to reply to the message.

  • To: affected user
  • Subject: <Confirm>

This generates an automatic reply back to you as soon as the message hits the user's handheld, with the subject line "BlackBerry Delivery Confirmation" and some details in the body of the confirmation e-mail.

I think this is really slick.



Thursday, November 1, 2007

Defragging Active Directory .DIT Database

What are the reasons why we would ever need to defrag the .DIT database? In my case the DC (domain controller) was running out of space on the C drive, and there was little space left on the other available drive. The other important reason in this case: the DC was having big replication issues, and the .DIT database had reached 6 GB in size, although the other DCs have .DIT databases of about 2 GB.

If you remember, I have mentioned the .DIT database many times in my previous articles; it is a partitioned database. How is Exchange related to the .DIT database? Exchange utilizes all partitions in the .DIT database. The partitions in the .DIT database are as follows.

  • Domain
  • Configuration
  • Schema
  • Application ( .DIT 2003 Only)

In my example the DC which is having heavy replication problems needs defragmentation of the .DIT database. You may ask yourself why the .DIT database reached 6 GB (the actual size of the .DIT data is less than 1 GB) on this domain controller.

Let's take a closer look at the reasons: DLT objects (Distributed Link Tracking) in Active Directory.

  • Distributed Link Tracking is a service that was introduced in Windows 2000 and is now also available in Windows XP and .NET servers (including the most recent post beta-3 release). The service was intended to resolve problems with outdated shortcuts. These problems applied to both shell shortcuts (such as ones located in Desktop, Favorites, Start Menu, and Recent folders) as well as OLE application links (such as an Excel spreadsheet stored within a Word document)
  • Dltpurge.vbs (Q315229)
  • You can use the Distributed Link Tracking Server service and the Distributed Link Tracking Client service to track links to files on NTFS-formatted partitions. Distributed Link Tracking tracks links in scenarios where the link is made to a file on an NTFS volume, such as shell shortcuts and OLE links. If that file is renamed, moved to another volume on the same computer, moved to another computer, or moved in other similar scenarios, Windows uses Distributed Link Tracking to find the file. When you access a link that has moved, Distributed Link Tracking locates the link; you are unaware that the file has moved, or that Distributed Link Tracking is used to find the moved file.
  • Distributed Link Tracking consists of a client service and a server service. The Distributed Link Tracking Server service runs exclusively on Windows Server-based domain controllers. It stores information in Active Directory, and it provides services to help the Distributed Link Tracking Client service. The Distributed Link Tracking Client service runs on all Windows 2000-based and Microsoft Windows XP-based computers, including those in workgroup environments or those that are not in a workgroup. It provides the sole interaction with Distributed Link Tracking servers.

    Distributed Link Tracking clients occasionally provide the Distributed Link Tracking Server service with information about file links, which the Distributed Link Tracking Server service stores in Active Directory. Distributed Link Tracking clients also may query the Distributed Link Tracking Server service for that information when a shell shortcut or an OLE link cannot be resolved. Distributed Link Tracking clients prompt the Distributed Link Tracking server to update links every 30 days. The Distributed Link Tracking Server service scavenges objects that have not been updated in 90 days

    When a file that is referenced by a link is moved to another volume (on the same computer or on a different computer), the Distributed Link Tracking client notifies the Distributed Link Tracking server, which creates a linkTrackOMTEntry object in Active Directory. A linkTrackVolEntry object is created in Active Directory for every NTFS volume in the domain.

What Microsoft recommends for DLT on Windows 2000-based servers:

  • Turn off the Distributed Link Tracking Server service on all domain controllers (this is the default configuration on all Windows Server 2003-based servers).

The Directory Information Tree (DIT) size on domain controllers is not reduced until the following have completed:

  • Deleted objects have stayed in the Deleted Objects container until the tombstone lifetime expires. The default tombstone lifetime is 60 days, the minimum is 2 days, and the minimum that Microsoft recommends for production domains is 30 to 45 days.
  • Garbage collection has run to completion.
  • You have used Ntdsutil.exe to defragment the Ntds.dit file in Dsrepair mode (Directory Services Restore Mode).
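Before committing to the purge, the tombstone wait, garbage collection and the offline defrag, it is worth measuring how many DLT objects the domain actually holds and how many are stale. Added example, not from the original post: a PowerShell count of the linkTrackOMTEntry and linkTrackVolEntry objects in the two containers DLT uses under CN=System. It assumes PowerShell 3.0 or later on a domain-joined machine with read access to those containers; the 90-day staleness threshold is the scavenging interval quoted above.

```powershell
# Added example, not part of the original post. Run on a domain-joined
# machine as a user who can read CN=System in the domain partition.
function Search-Count {
    param([string]$Root, [string]$Filter)
    # Paged LDAP search (PageSize) so the count is not capped at the server's
    # 1000-result limit; only distinguishedName is loaded to keep it cheap.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [adsi]"LDAP://$Root"
    $searcher.Filter      = $Filter
    $searcher.SearchScope = 'OneLevel'
    $searcher.PageSize    = 1000
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    $results = $searcher.FindAll()
    try { return $results.Count } finally { $results.Dispose() }
}

function Get-DltObjectCount {
    param(
        [string]$DomainDN = [string]([adsi]'LDAP://RootDSE').defaultNamingContext,
        [int]$StaleDays   = 90   # the DLT server scavenges entries not refreshed in 90 days
    )
    # DLT keeps its objects in two fixed containers under CN=System:
    # moved files in the ObjectMoveTable, one entry per NTFS volume in the VolumeTable.
    $tables = @(
        @{ Class = 'linkTrackOMTEntry'; Container = "CN=ObjectMoveTable,CN=FileLinks,CN=System,$DomainDN" },
        @{ Class = 'linkTrackVolEntry'; Container = "CN=VolumeTable,CN=FileLinks,CN=System,$DomainDN" }
    )
    # whenChanged is GeneralizedTime, so build the cutoff as e.g. 20070901000000.0Z
    $cutoff = (Get-Date).AddDays(-$StaleDays).ToUniversalTime().ToString('yyyyMMddHHmmss') + '.0Z'
    foreach ($t in $tables) {
        $classFilter = "(objectClass=$($t.Class))"
        $total = Search-Count -Root $t.Container -Filter $classFilter
        $stale = Search-Count -Root $t.Container -Filter "(&$classFilter(whenChanged<=$cutoff))"
        [pscustomobject]@{
            Class          = $t.Class
            Container      = $t.Container
            Total          = $total
            StaleOver90Day = $stale
        }
    }
}

Get-DltObjectCount | Format-Table Class, Total, StaleOver90Day -AutoSize
```

With the DLT Server service stopped on the DCs nothing scavenges these entries any more, so a large StaleOver90Day count is the backlog that dltpurge.vbs would delete and that the tombstone lifetime, garbage collection and offline defrag then have to work through.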

How to defrag The Directory Information Tree (DIT) database.

Before I get to this, you must read the following articles.

A sample customer experience: it is so unbelievable, the place I work currently is 4 times worse than what Microsoft talks about in the article. Seriously, the DLT objects in one domain exceed 379,000 in my case.

Anatomy of DLT object deletion

DLT objects themselves contain very few attributes and use very little space in Active Directory. When an object is marked for deletion (tombstoned), all the unnecessary attributes are stripped away, except for those necessary to track the object until it is purged from Active Directory.

In the case of the link-tracking objects, marking the object for deletion only amounts to two attributes being removed: dscorepropagationdata and objectcategory. The deletion of the two attributes results in an initial savings of 34 bytes. However, the process of marking the link-tracking object for deletion also updates the object by adding an IS_DELETED attribute (4 bytes), and by mangling the RDN and the "common name" attributes, causing each of those attributes to grow by about 80 bytes. In addition, the "replication metadata" attribute also grows by about 50 bytes to reflect the updates performed on this object. So, by marking a link-tracking object for deletion, the object will end up growing by approximately 200 bytes. The NTDS.DIT will not exhibit a reduction in size until the deleted objects have tombstoned, been garbage collected and an offline defragmentation performed.


  1. Reboot the server, press F8 and select the Directory Services Restore Mode option.
  2. Use the local Administrator account, with the DSRM password, to log on to Directory Services Restore Mode.
  3. This is a special mode: the .DIT database is isolated from the multi-master replication model.
  4. Go to the command line and type:
  5. NTDSUTIL (Enter)
  6. files
  7. file maintenance: compact to c:\temp (Enter)
  8. Watch the progress bar, similar to the Exchange defragmentation process.
  9. copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit (you would think Windows would do it automatically, just like Exchange, but you have to perform this manually).
  10. Restart the domain controller.


Oz ozugurlu