Active Directory is widely regarded as being maintenance free, but there are still opportunities for VARs to offer cleanup, optimization and other Active Directory management services.
Active Directory (AD) centers on the Directory Services database. This database will perform more efficiently when it is free from clutter. An AD database that has been in place for a year is likely to contain unnecessary objects. Solution providers can offer Active Directory management services that involve cleaning out these unnecessary objects, then optimizing AD for maximum performance.
Active Directory cleanup services
Unnecessary AD objects tend to fall into two main categories: user accounts and computer accounts. There are other types of objects that can be removed as part of your Active Directory management services, but user and computer accounts are the most common (and the easiest to identify).
Often, AD user accounts will exist for users who no longer work for the organization, or for users who really don't need an account. One way to identify such user accounts when performing Active Directory cleanup services is to use a free tool called AD Tidy to determine when each user last logged in.
As a word of caution, you cannot assume that it is safe to delete a user account just because the user has not logged in for an extended period of time. In larger organizations it has become common to disable a former employee's account rather than deleting it. This is done because Exchange Server ties mailbox contents to user accounts; therefore, if you delete a user account you will delete all of the email associated with that account as well. As such, it is best to generate a list of potentially unneeded user accounts and let your client make the decision as to which ones should be deleted. It is also best to make a backup file before removing anything from AD.
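The following script is an added example, not code from the article and not part of AD Tidy: it builds the "potentially unneeded" user list from the replicated lastLogonTimestamp attribute, writes a report and an attribute backup for the client to review, and, for the accounts the client approves, disables rather than deletes. It assumes the RSAT ActiveDirectory module; the 90-day threshold, the output folder and the `Disable-ApprovedAccounts` helper with its `-Ticket` parameter are assumptions for illustration.

```powershell
# Added example (not from the article): report stale user accounts, back them
# up, and disable only what the client approves. Assumes the RSAT
# ActiveDirectory module and rights to read and modify user objects.
Import-Module ActiveDirectory

$InactiveDays = 90                              # assumed threshold; agree it with the client
$OutDir       = 'C:\ADCleanup'                  # assumed output location
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# lastLogonTimestamp is replicated (lastLogon is not), so querying one DC is
# enough, but it can lag the true last logon by up to 14 days: treat it as a
# lower bound, not an exact date.
$Candidates = Get-ADUser -Filter { Enabled -eq $true } `
                  -Properties lastLogonTimestamp, whenCreated, mail, Description |
    ForEach-Object {
        $last = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
        [PSCustomObject]@{
            SamAccountName    = $_.SamAccountName
            DistinguishedName = $_.DistinguishedName
            LastLogon         = $last                 # $null = no recorded logon at all
            Created           = $_.whenCreated
            HasMailAttribute  = [bool]$_.mail         # hint that Exchange content hangs off this account
            Description       = $_.Description
        }
    } |
    Where-Object {
        # Never logged on and older than the cutoff, or last logon before the cutoff.
        ($null -eq $_.LastLogon -and $_.Created -lt $Cutoff) -or
        ($null -ne $_.LastLogon -and $_.LastLogon -lt $Cutoff)
    }

# 1. Report for the client; nothing in AD has been changed at this point.
$Candidates | Sort-Object LastLogon |
    Export-Csv -Path (Join-Path $OutDir 'StaleUsers.csv') -NoTypeInformation

# 2. Backup: keep every attribute of each candidate so a mistaken change can be
#    reconstructed (group membership, mail attributes, proxy addresses, etc.).
$Candidates | ForEach-Object { Get-ADUser -Identity $_.SamAccountName -Properties * } |
    Export-Clixml -Path (Join-Path $OutDir 'StaleUsers-backup.xml')

Write-Host "$(@($Candidates).Count) candidate account(s) written to $OutDir"

# 3. For accounts the client signs off on, disable rather than delete: the
#    mailbox and memberships survive and the change is reversible.
function Disable-ApprovedAccounts {
    param(
        [Parameter(Mandatory)][string[]]$SamAccountNames,
        [string]$Ticket = 'no-ticket'   # assumed change-record id, written into the description
    )
    foreach ($sam in $SamAccountNames) {
        $u = Get-ADUser -Identity $sam -Properties Description
        # Leave an audit trail on the object itself so the next cleanup pass can see why.
        Set-ADUser -Identity $u -Description "Disabled $(Get-Date -Format yyyy-MM-dd) by AD cleanup ($Ticket); was: $($u.Description)"
        Disable-ADAccount -Identity $u
        Write-Host "Disabled $sam"
    }
}
# Usage after client approval (constructed names):
#   Disable-ApprovedAccounts -SamAccountNames 'jdoe','asmith' -Ticket 'CHG-0001'
```

The report step runs with read-only rights, so it can be handed to the client before any account is touched; the CSV and the Clixml backup together are the "backup file" the text recommends, and the disable step is deliberately a separate, opt-in call.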
Computer accounts are a lot safer to remove. The process of joining a server or workstation to the domain creates a computer account for that machine. If a computer is decommissioned without being removed from the domain, its computer account will remain in AD even though the computer is no longer participating in the domain.
When it comes to Active Directory cleanup and removing computer accounts, the one thing you need to know is that removing a computer account does not necessarily remove references to that computer. For example, suppose that an Exchange server crashes and your client decides to replace it with a different server that has a different name. In such a situation you could safely delete the old server's computer account from AD, because that server will never be used again. But the remaining Exchange servers will still see the failed server as part of the Exchange organization, because the AD database still contains references to the server even though its computer account has been deleted. To get rid of the unwanted references to the old server, you would use the ADSI Edit tool to manually edit AD.
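The script below is an added example, not code from the article: it lists computer accounts that have gone quiet on both lastLogonTimestamp and the machine password, and then searches the Configuration and domain partitions for objects that still carry a decommissioned server's name, which is exactly the material you would otherwise hunt for by hand in ADSI Edit. It only reports; the manual edit stays manual. It assumes the RSAT ActiveDirectory module; the 90-day threshold and the `Get-StaleComputers` and `Find-ReferencesTo` function names are assumptions.

```powershell
# Added example (not from the article): stale computer accounts and lingering
# references to a removed server. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$InactiveDays = 90                            # assumed threshold
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)

# A domain member refreshes its machine password about every 30 days and
# updates lastLogonTimestamp when it authenticates, so both attributes being
# older than the cutoff is a much stronger signal than either one alone.
function Get-StaleComputers {
    Get-ADComputer -Filter { Enabled -eq $true } `
        -Properties lastLogonTimestamp, pwdLastSet, OperatingSystem |
        ForEach-Object {
            [PSCustomObject]@{
                Name              = $_.Name
                DistinguishedName = $_.DistinguishedName
                OperatingSystem   = $_.OperatingSystem
                LastLogon         = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
                PasswordLastSet   = if ($_.pwdLastSet)         { [DateTime]::FromFileTime($_.pwdLastSet) }         else { $null }
            }
        } |
        Where-Object {
            ($null -eq $_.LastLogon       -or $_.LastLogon       -lt $Cutoff) -and
            ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $Cutoff)
        }
}

# Deleting a computer object clears DN-valued links that point at it, but it
# does nothing to separate objects that are merely keyed by the machine's
# name, such as the server objects Exchange keeps in the Configuration
# partition. Search both partitions by name and report what is still there.
function Find-ReferencesTo {
    param([Parameter(Mandatory)][string]$ServerName)
    $root = Get-ADRootDSE
    foreach ($nc in @($root.configurationNamingContext, $root.defaultNamingContext)) {
        Get-ADObject -SearchBase $nc -SearchScope Subtree `
            -LDAPFilter "(|(name=$ServerName)(cn=$ServerName)(dNSHostName=$ServerName.*))" `
            -Properties objectClass, whenChanged |
            Select-Object @{ n = 'Partition'; e = { $nc } },
                          Name, ObjectClass, DistinguishedName, whenChanged
    }
}

# Usage (constructed server name): review the stale list with the client, then
# for a server that is definitely gone, see what still names it before opening
# ADSI Edit. Disabling a computer account first is a cheap, reversible test.
Get-StaleComputers | Sort-Object LastLogon | Format-Table -AutoSize
Find-ReferencesTo -ServerName 'OLDEXCH01' | Format-Table -AutoSize
```

Any hit under the Configuration partition is the kind of object the text says you would remove with ADSI Edit; listing it first, with its class and last-change date, lets you confirm it really belongs to the dead server before deleting anything by hand.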
Active Directory optimization services
Normally you don't have to do anything in regards to Active Directory optimization, because Windows Server performs an automated maintenance cycle that defragments the database on a regular basis. But when items are deleted from the AD database, they are replaced by white space. The defragmentation process consolidates all of the white space, but it does nothing to shrink the size of the database.
In most cases you won't have to worry about trying to reclaim disk space from the AD database, but there are a few special situations in which such Active Directory optimization is necessary. For example, you might want to try to shrink the AD database if there is less than 500 MB of space remaining on the volume containing the NTDS.DIT file. Likewise, you should consider shrinking the database if the remaining free disk space on the volume housing the database is equal to 20% or less of the NTDS.DIT file’s size.
If the log files happen to reside on the same volume as the database then the volume should contain at least 1 GB of free space, and should always have at least enough free space to accommodate a 20% growth of both the database and the log files.
Consolidating the AD database requires rebooting the server into Directory Services Restore Mode and using NTDSUTIL to compact the database. A similar process can also be used to relocate the database.
You must create a full system state backup before taking the domain controller offline, because performing the procedure incorrectly can destroy the domain controller. The procedure can also fail because of undetected corruption in the database.
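As an added example, not from the article, the script below first evaluates the four free-space thresholds given above against the live NTDS.DIT and log locations (read from the NTDS service's registry parameters), and then records the offline compaction sequence as commented steps, since each one reboots or modifies a domain controller and should be run deliberately, not by a script. It assumes it is run on a domain controller with Domain Admin rights; the `Test-NtdsFreeSpace` function name and the `C:\NTDS-Compact` working folder and `E:` backup target are assumptions.

```powershell
# Added example (not from the article): decide whether the NTDS.DIT volume
# needs an offline compaction, using the thresholds from the text, and lay out
# the compaction steps. Run on a domain controller as a Domain Admin.

# The DS records its database file and log directory in the registry.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbPath  = (Get-ItemProperty -Path $ntdsParams).'DSA Database file'
$logPath = (Get-ItemProperty -Path $ntdsParams).'Database log files path'

function Test-NtdsFreeSpace {
    param(
        [string]$DatabaseFile = $dbPath,
        [string]$LogDirectory = $logPath
    )
    $dbSize  = (Get-Item -Path $DatabaseFile).Length
    $logSize = (Get-ChildItem -Path $LogDirectory -Filter '*.log' | Measure-Object -Property Length -Sum).Sum
    if (-not $logSize) { $logSize = 0 }
    $dbDrive  = (Get-Item -Path $DatabaseFile).PSDrive.Name
    $logDrive = (Get-Item -Path $LogDirectory).PSDrive.Name
    $free     = (Get-PSDrive -Name $dbDrive).Free
    $sameVolume = ($dbDrive -eq $logDrive)

    # Thresholds exactly as the text states them; a $false means "consider shrinking".
    $checks = [ordered]@{
        'Free space >= 500 MB on the NTDS.DIT volume' = $free -ge 500MB
        'Free space > 20% of NTDS.DIT size'           = $free -gt 0.2 * $dbSize
    }
    if ($sameVolume) {
        $checks['Logs share the volume: free >= 1 GB']               = $free -ge 1GB
        $checks['Logs share the volume: room for 20% growth of both'] = $free -ge 0.2 * ($dbSize + $logSize)
    }
    [PSCustomObject]@{
        Database      = $DatabaseFile
        DatabaseMB    = [math]::Round($dbSize  / 1MB, 1)
        LogMB         = [math]::Round($logSize / 1MB, 1)
        FreeMB        = [math]::Round($free    / 1MB, 1)
        LogsOnSameVol = $sameVolume
        Checks        = $checks
        ShrinkAdvised = [bool]($checks.Values -contains $false)
    }
}

$result = Test-NtdsFreeSpace
$result | Format-List
$result.Checks

# Offline compaction, only when ShrinkAdvised is $true. Each line is a
# separate, deliberate action on the DC; they are not executed by this script.
#
#   wbadmin start systemstatebackup -backupTarget:E:      # 1. full system state backup first
#   bcdedit /set safeboot dsrepair ; Restart-Computer     # 2. boot into Directory Services Restore Mode
#   ntdsutil "activate instance ntds" files "compact to C:\NTDS-Compact" quit quit   # 3. compact to a new file
#   # 4. Only if ntdsutil reports the compaction succeeded:
#   Copy-Item -Path C:\NTDS-Compact\ntds.dit -Destination $dbPath -Force
#   Remove-Item -Path (Join-Path $logPath '*.log')        #    old logs no longer match the new database
#   ntdsutil "activate instance ntds" files integrity quit quit                      # 5. verify before going back online
#   bcdedit /deletevalue safeboot ; Restart-Computer      # 6. return to normal boot
#
# The same tool relocates the database, e.g.:
#   ntdsutil "activate instance ntds" files "move DB to D:\NTDS" quit quit
```

Keep the compacted copy and the original NTDS.DIT until the integrity check passes; the text's warning about undetected corruption is exactly the case where the compaction completes but the integrity step fails, and at that point the system state backup from step 1 is what you restore from.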
Although Active Directory optimization can be performed manually, there are also a number of products that are designed to automate the process. If you decide to offer Active Directory management services to your customers, you can use these products to your advantage. If customers prefer to maintain their own Active Directory, you can sell them an Active Directory cleanup product.
About the expert
Brien M. Posey, MCSE, is a six-time recipient of Microsoft's Most Valuable Professional award for his work with Exchange Server, Windows Server, Internet Information Services, file systems and storage. Posey has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, he has written for TechTarget, Microsoft, MSD2D, Relevant Technologies and other technology companies. You can visit his website at www.brienposey.com.