Moving NTDS.dit and its logs to a different location

Okay, since Eric complained about the lack of new blog postings here, I thought I’d catch up with some new articles. This one’s from this morning when the question arose whether it is possible to move the AD database to another location on the machine.

Reasons for this include but are not limited to:

  • You run out of disk space and want to move it away from the system disk
  • You want the DB to run on a faster/more reliable hard disk (other than the system disk)
  • You experience performance issues and want to separate the DB from the core OS hard disk
  • You fat-fingered the correct location of the DB file when running dcpromo to bring the DC up

The discussion brought up a few funny suggestions on how to go about that (including simply “copy and paste” the files – at least they thought about booting in DS restore mode). So here’s the outline how to do it with 2000 server and Server 2003 (For Server 2008, see below):

1. Boot into Directory Services Restore Mode (DSRM) by pressing F8 on DC reboot. That’s right, moving the database involves downtime.

2. Start ntdsutil in a CMD.

3. Enter the “File maintenance” submenu by typing “files“.

4. Move the database to a new place by typing “move db to <location>” where location is a path, similar to E:\NTDS\. Note that you don’t have to specify the file name – just the folder ntdsutil shall copy the files to.

[5. Move the log files to a new place by typing “move logs to <location>” where location is – again – a path like E:\NTDS. This is optional, but I’d keep the transaction log files with the database.]

6. Check whether the new file location is correct by typing “info” (still in the file maintenance submenu). Give it a go: if you’ve fat-fingered it once, chances are you did it twice. The “info” command also prints out where all files are stored (database and log files) and how much space they need.

7. Check the integrity of the database after it has moved by typing “integrity”. This step might take a few minutes depending on how large your database is, but since you’re down anyway, you should take the time to ensure everything is correct.

8. Type “quit” twice and close the cmd. Now boot into normal mode again.

9. It is recommended that you back up the system state now so that you have a current backup of the database (it is a good idea to have a backup anyway, since you clean-booted the DC and had it check its integrity). Another aspect is that when restoring an older system state, the previous location of the NTDS.dit will be used – you’d have to move the NTDS.dit once again using ntdsutil.

Please don’t forget to check security on the folder you move the database to. It’s a bad idea to move it into a shared folder or the wwwroot. You may laugh, and I must admit those two examples are a bit extreme. The point is that you should take a moment and review the NTFS permissions of the DB folder. Don’t share it, and don’t allow anyone else to access it. The permissions it needs are (pasted from http://support.microsoft.com/kb/258062):

Windows Server 2003

Account          Permissions                      Inheritance
System           Full Control                     This folder, subfolders and files
Administrators   Full Control                     This folder, subfolders and files
Creator Owner    Full Control                     Subfolders and files only
Local Service    Create Folders / Append Data     This folder and subfolders

Windows 2000

Account          Permissions                      Inheritance
Administrators   Full Control                     This folder, subfolders and files
System           Full Control                     This folder, subfolders and files

A Windows Server 2008 DC’s NTDS.dit location can be changed this way (it differs because Windows Server 2008 has the capability of stopping Active Directory and its services temporarily; this wasn’t possible before 2008):

1. Stop the “Active Directory Domain Services” service in services.msc. It will prompt you that it’ll need to shut down other services as well (Kerberos, File Replication, DNS, ..). You want these services to stop, too, so click “Yes”.

2. Open ntdsutil. You need to activate the correct instance of ntds to perform maintenance tasks. The standard instance of Active Directory is “ntds”, so we use “activate instance ntds” as the first command.

3. Enter the File maintenance submenu by typing “files” as the second command.

4. Move the database to a new place by typing “move db to <location>” where location is a path, similar to E:\NTDS\. Note that you don’t have to specify the file name – just the folder ntdsutil shall copy the files to.

[5. Move the log files to a new place by typing “move logs to <location>” where location is – again – a path like E:\NTDS. This is optional, but I’d keep the transaction log files with the database.]

6. Check whether the new file location is correct by typing “info”. (“info” also prints out where all files are stored (database and log files) and how much space they need.)

7. Check the integrity of the database after it has moved by typing “integrity”. This step might take a few minutes depending on how large your database is, but since you’re down anyway, you should take the time to ensure everything is correct.

8. Type “quit” twice and close the cmd. Start the “Active Directory Domain Services” service again.

9. Back up the system state. See above for reasons.

Just like with Server 2003 and 2000, check the security on the folder you move the DB to (see above). Since I haven’t found documentation that tells otherwise, I guess the permissions in Server 2003 are good for 2008 too.
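As an added example (not from the original post), here is a read-only PowerShell check to run on the DC once it is back up: it reads the database and log paths ntdsutil wrote to the NTDS service’s registry parameters, confirms the files are really there, compares the folder ACLs against the KB 258062 table above, and checks that no SMB share exposes the folders. The registry value names are Microsoft’s; the allowed-principal list and `edb.log` file name are taken from the table and from the standard ESE log naming.

```powershell
# Added example, not part of the original post. Run elevated on the DC after the move.
# Nothing here modifies the system; it only reports what needs a second look.
$params  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$values  = Get-ItemProperty -Path $params
$dbFile  = $values.'DSA Database file'          # e.g. E:\NTDS\ntds.dit after "move db to E:\NTDS"
$logPath = $values.'Database log files path'    # e.g. E:\NTDS after "move logs to E:\NTDS"
$dbDir   = Split-Path -Path $dbFile -Parent

"Database file : $dbFile  (present: $(Test-Path -Path $dbFile))"
"Log directory : $logPath (edb.log present: $(Test-Path -Path (Join-Path $logPath 'edb.log')))"

# Principals the KB 258062 table allows on the folder (Server 2003 set, which the post
# assumes also holds for 2008). Any other ACE is flagged for review, not removed.
$allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
             'CREATOR OWNER', 'NT AUTHORITY\LOCAL SERVICE')

foreach ($dir in @($dbDir, $logPath) | Select-Object -Unique) {
    $acl = Get-Acl -Path $dir
    "`nACL for $dir (owner: $($acl.Owner))"
    $unexpected = @()
    foreach ($ace in $acl.Access) {
        $id   = $ace.IdentityReference.Value
        $flag = if ($allowed -contains $id) { 'ok    ' } else { 'REVIEW'; $unexpected += $id }
        '{0} {1,-32} {2,-28} inherited={3}' -f $flag, $id, $ace.FileSystemRights, $ace.IsInherited
    }
    # A folder created under a data root usually inherits 'Users' read access from its parent;
    # that is exactly the exposure the post warns about, so call it out explicitly.
    if ($unexpected.Count -gt 0) {
        "  -> principals not in the KB table: $($unexpected -join ', '). Disable inheritance and trim the ACL."
    }
}

# The folder must not be reachable over the network either: list non-administrative shares
# whose path is the NTDS folder or one of its parents (Type 0 = ordinary disk share).
$shares = Get-WmiObject -Class Win32_Share |
    Where-Object { $_.Type -eq 0 -and $_.Path -and
                   ($dbDir -like "$($_.Path)*" -or $logPath -like "$($_.Path)*") }
if ($shares) {
    "`nWARNING: NTDS folder is exposed by share(s): $($shares.Name -join ', ')"
} else {
    "`nNo ordinary SMB share exposes the NTDS folders."
}
```

Compare the printed paths with what ntdsutil’s “info” showed before you left Directory Services Restore Mode (or restarted the AD DS service); if they differ, the move did not take effect and an old system state would restore to the wrong place.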

1 Comment so far

  1. Eric Jansen on February 17th, 2009

    HAHA, nice opening statement. Good info here. I actually haven’t seen the steps for 2008 yet, so that’s good stuff. I’ve only moved the database and translogs once before, and at that time, as far as I can recall, moving the sysvol was unsupported. In recently checking though, it appears that it is now supported with instructions from MS: http://support.microsoft.com/kb/842162
    There’s no way I’d go with “option two” though; it’d be far easier to demote and re-promote. Even if it was your only DC, you could just promote a virtual machine (assuming you had the resources), let everything converge, demote the original DC, then re-promote, and it’d still probably be faster (assuming the DB and SYSVOL were small because it’s a single DC environment). It goes along with Laura Hunter’s view of “DCPromo…it’s the new Reboot” – http://www.shutuplaura.com/journal/2008/3/17/no-joe-i-dont-consider-ad-a-commodity-service.html I agree with that view.

    -Eric