At the very least, this leaves IIS 5.x users vulnerable to data interception. And while the exploit hasn't been used to take over systems to date, that could well change, according to Swa Frantzen of the Internet Storm Center.

The ability to execute code is "unexplored, but hinted about," Frantzen wrote in a blog post on SANS' Internet Storm Center security alert site.

The ISC has tracked public exploits that apparently focus on leaking protected information.

According to Microsoft, which has written up the issue in its Knowledge Base article 328832, hit-highlighting with Webhits.dll only relies on the Microsoft Windows NT ACL (Access Control List) configuration on 5.x versions.

Microsoft "strongly [recommends] that all users upgrade to IIS (Internet Information Services) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security," the company wrote in its KB article.

Microsoft is currently shipping IIS 6.0 of the Internet Information Services Server for Windows Server 2003. Microsoft is up to IIS 7.0 for Windows Vista and IIS 5.1 for Windows XP Professional.

What are the security issues with Microsoft's "Surface"?

Yet, in spite of urging upgrading in order to gain improved security, Microsoft is treating the bug as a nonissue, providing no workaround nor indications that it will patch versions 5.0 and 5.1. "This behavior is by design," the KB article asserts.

Rather than supply a patch or workaround, Microsoft published six steps to reproduce the exploit—a response that is "a bit atypical," according to Frantzen. "Microsoft is telling the world how to exploit their products being used by their customers. Not that the worst of those interested in it did not already know, but the one thing we need from Microsoft is not the exploit, but the patch or at least a decent work-around," Frantzen wrote.

The only defensive information Microsoft gives is to urge users to upgrade to 6.0—an upgrade that's neither free nor easy, Frantzen pointed out. He provided these possible workarounds:

If you don't use the Web hits functionality, a simple workaround would be to remove the script mapping for .htw files. Without a script mapping, IIS should treat the file as static content.

Try to use application-level firewalls (filters). If you have the infrastructure it can be a temporary measure till you can upgrade IIS, solving the actual problem.

URLScan, a URL filter by Microsoft can be used to stop access to .htw files and is reported by some SANS-ISC readers as being effective.

Manage rights on the confidential files or directories themselves.

Upgrade to Apache or another Web server, with or without a (cross) upgrade of the OS.

Scramble an upgrade to Windows 2003, potentially on more potent hardware.

Frantzen advised IIS 5.x users that failing to find "null.htw" in a document root directory doesn't mean much—the exploit doesn't need the file.

Microsoft hadn't delivered a statement by the time this story posted.

Source: Lisa Vaas - eWEEK

OSPF is an internal routing protocol. (While primarily used inside a single company, it can span multiple sites.) Based on RFC 2328, it's an open standard. Because of this, OSPF is available on Microsoft's Windows Server 2003 OS, Linux, and many other network devices - unlike Cisco's EIGRP routing protocol. Like other dynamic routing protocols, OSPF enables routers to disclose their available routes to other routers.

OSPF is a link-state routing protocol that runs Dijkstra's algorithm to calculate the shortest path to other networks. Taking the bandwidth of the network links into account, it uses cost as its metric. OSPF works by developing adjacencies with its neighbors, periodically sending hello packets to neighbors, flooding changes to neighbors when a link's status changes, and sending "paranoia updates" to neighbors of all recent link state changes every 30 minutes.

While OSPF is an excellent routing protocol for networks of all sizes, one of its weaknesses is that it can be quite complex to configure. On the other hand, it offers more features than simpler protocols such as RIP.

Here are some of OSPF's strengths:

* It converges quickly, compared to a distance-vector protocol.
* Routing update packets are small, as it doesn't send the entire routing table.
* It's not prone to routing loops.
* It scales very well for large networks.
* It recognizes the bandwidth of a link and takes this into account in link selection.
* It supports variable-length subnet masks (VLSM) or Classless Inter-Domain Routing (CIDR).
* It supports a long list of optional features that many others don't.

Configure OSPF

Some may find OSPF configuration intimidating, so let's look at how to make it easy. Let's start with a basic network: Our network example has two routers - one in San Diego (192.168.1.0 /24) and one in Dallas (192.168.2.0 /24). Between these two routers, there's a point-to-point T1 circuit with IP network address 1.1.1.0/30. The San Diego router's WAN interface is 1.1.1.1, and the Dallas router's WAN interface is 1.1.1.2.

We'll begin by configuring the router in San Diego. The first step to configuring OSPF is to use the router ospf command when in Global Configuration Mode. Here's an example:

Router(config)# router ospf {process number}
Router(config-router)#

While it doesn't matter which process number you use, I recommend keeping it the same on all OSPF routers on your network. I usually use 100 to keep everything simple. However, if you use different process numbers, OSPF will still work and exchange all routes - unlike EIGRP.

After entering OSPF Configuration Mode, the most common next step is to specify which networks OSPF will advertise, which you can do using the network command. Here's an example:

Router(config-router)# network 192.168.1.0 0.0.0.255 area 0
Router(config-router)# network 1.1.1.0 0.0.0.3 area 0

The first parameter is the network ID, and the second parameter is the inverse mask. The inverse mask - or wildcard mask - is the inverse of the subnet mask. It tells OSPF what range of interfaces the IP addresses given will apply to. Therefore, you can have one network statement that covers multiple interfaces.

You also need to specify the area, which is how OSPF organizes networks. All traffic must flow through area 0. In a small network, it's logical to put all networks in area 0, as we did in the example.

After you've configured each side of the network, the routers will exchange routes and form adjacencies. You should see a statement in the log file or console that looks something like the following:

*Mar  1 02:53:33.370: %OSPF-5-ADJCHG: Process 100, Nbr 1.1.1.1 
  on Ethernet0/0 from LOADING to FULL, Loading Done

To make sure you see these types of messages, use the log-adjacency-changes command in your OSPF router configuration. This command causes OSPF to enter information into the router's log file whenever it loses or regains connectivity with its neighbors. Here's an example:

Router(config-router)# log-adjacency-changes

Check the status of OSPF

After you've configured OSPF, you need to know how to check its status. Here are some common OSPF commands, along with links to their Cisco documentation and sample output from our example:

* show ip ospf
* show ip ospf neighbor
* show ip ospf interface
* show ip route ospf

For more information on OSPF, see Cisco's OSPF Design Guide and Cisco's OSPF Documentation.

Know the EIGRP basics

Let's start with the fundamentals of EIGRP and discuss how to configure this protocol.

What type of routing protocol is EIGRP?
EIGRP is a hybrid-distance-vector routing protocol. It's primarily a distance-vector routing protocol, but it also uses the same composite metrics as Interior Gateway Routing Protocol (IGRP). EIGRP uses the Diffusing-Update Algorithm (DUAL) to perform look-free routing and calculate the shortest path.

How does EIGRP work?
With EIGRP, two routers form a neighbor relationship and exchange routes. Hello packets ("keepalives") are present between the two routers; they serve to let each side know if the other goes down or if the link between them goes down.

Typically, these keepalives between neighbors are multicast packets. The type of multicast used is Reliable Transport Protocol (RTP), and communication takes place using the reserved IP address 224.0.0.10.

How do I configure EIGRP?
Like OSPF, EIGRP uses autonomous system numbers to identify areas of the network that are under a single administrative domain. In other words, these network areas are under the control of a single part of the company or a certain group.

To activate EIGRP on your router and enter its Configuration Mode, use the router eigrp command while in Global Configuration Mode. Here's an example:

Router(config)# router eigrp {AS number}
Router(config-router)#

It doesn't matter which Autonomous System (AS) number you use - as long as it's the same on all routers that will be talking to each other. Valid options for the AS number are 1 to 65535. While you can configure more than one AS on a single router, Cisco doesn't recommend this approach

After entering the EIGRP Configuration Mode, a network administrator's most common task is to specify which networks EIGRP will advertise. You can accomplish this using the network command. Here's an example:

Router(config-router)# network 10.0.0.0 0.255.255.255

The first parameter is the network IP address; the second parameter is the inverse mask. The inverse mask (or wildcard mask) is the inverse of the subnet mask.

This command is similar to the OSPF network command. It tells OSPF which range of interfaces the specified IP addresses will apply to. So, you can have one network statement that covers multiple interfaces. However, unlike OSPF, EIGRP does not use areas.

How do I see what's going on with EIGRP?
After you've configured EIGRP, you need to know how to check its status. Here's a list of the most common EIGRP commands as well as links to their Cisco documentation:

* show ip eigrp neighbors
* show ip eigrp interfaces
* show ip eigrp topology
* show ip eigrp traffic

Study the vocabulary

Now that you know how to configure EIGRP and you're familiar with common commands, let's define some words you may run across while working with EIGRP.

What is the topology table?
Essentially, the topology table is the EIGRP database of available routes received from neighbors. It shows the metric for these routes as well as the feasible distance to these networks. The topology table contains a lot of information about successors, feasible successors, and feasible distance.

What is a successor?
A successor is the neighbor with the best path to a destination.

What is a feasible successor?
A feasible successor is the neighbor or neighbors that have other loop-free paths to a destination that aren't a preferred as the successor's path.

What is the feasible distance?
The feasible distance is the metric of a network advertised by the connected neighbor plus the cost to get there.

What is an adjacency?
An adjacency is when two neighbors form a relationship and are exchanging routes.

Get more specific

Now let's take a look at some specifics about using EIGRP.

Does EIGRP use split horizon?
Split horizon is a loop-prevention method. Essentially, when using split horizon, a routing protocol tries to prevent a routing loop. It does this by not advertising a route from an interface from which it received an advertisement for that route.

EIGRP uses split horizon, but you can disable it if necessary. To do so, use the no ip split-horizon eigrp {AS number} command. Keep in mind that the no ip split-horizoncommand doesn't affect EIGRP, as it would RIP. Link-state routing protocols such as OSPF and the Intermediate System-to-Intermediate System (IS-IS) protocol don't use split horizon.

Does EIGRP support VLSM or CIDR?
EIGRP carries the subnet mask in the routing update, and it does support both variable length subnet masks (VLSM) and Classless Inter-Domain Routing (CIDR). In other words, you can subnet your network from the classful boundaries (where a class A network is 10.0.0.0 with a 255.0.0.0 subnet mask, etc.), and EIGRP will work fine. (Lack of support for VLSM and CIDR are limitations of RIP and IGRP.)

By default, EIGRP summarizes networks at the classful boundaries. You can disable this by using the no auto-summary command in Router Configuration Mode.

What is the administrative distance (AD) and routing table code for EIGRP?
An entry in the routing table for EIGRP looks something like the following:

D       10.93.103.0/24 [90/5542656] via 10.226.100.1, 00:30:54, Serial5/0

The D at the beginning tells you that this is EIGRP. The 90 is the administrative distance for this EIGRP route. This is the default administrative distance for EIGRP.

What happens when EIGRP is "stuck in active"?
"Stuck in active" is a common issue with EIGRP. In fact, it's so common that Cisco has an acronym for it: SIA. Cisco has also created a support page for SIA; however, Cisco login information is required.

Essentially, SIA occurs when an EIGRP router doesn't receive a query reply sent to its neighbor after three minutes. When this happens, you'll see "DUAL-3-SIA" in the log file. Troubleshooting this can be quite complex, so I would refer to the Cisco documentations.

However, Windows Server 2003 supports two types of clustering; traditional clustering and Network Load Balancing. The latter is far less expensive and complicated to deploy than traditional clustering.

Network Load Balancing is primarily used to provide scalability and fault tolerance to servers hosting Web applications, such as Outlook Web Access. OWA allows a user to access their Exchange mailbox through a Web site (which is designed to look just like Outlook).

For companies with many remote users, OWA is critical. Such companies will often cluster their OWA servers using Network Load Balancing; this allows OWA to service more requests than would be possible using a single server, while eliminating a single point of failure.

Requirements for implementation

Requirement #1: The servers making up the Network Load Balancing cluster (called nodes) must all be running duplicate copies of the same hosted application. Network Load Balancing is typically used for Web servers because cluster nodes cannot contain any data. (The reason for this: It is difficult to predict which server will service in-bound requests).

If data were stored on individual cluster nodes, then each server would contain a subset of the total data, and there would be no easy way of consolidating this data. Instead, data is typically stored on a back-end server, where it is centrally accessible by all cluster nodes.

To see how this works, let's look at the OWA server. OWA acts as a front-end interface to an Exchange Server organization. But the OWA server does not contain any user data. It merely hosts the OWA Web site, and acts as an interface to a back-end mailbox server. All of the user's mailboxes are stored on the back-end Exchange Server, so they can be centrally accessible to any front-end OWA server.

(By the way, back-end Exchange Servers can also be clustered, but not with Network Load Balancing. Clustering back-end servers requires the use of traditional clustering, which is beyond the scope of this article.)

Requirement #2: A Network Load Balancing cluster must contain 2 to 32 nodes. The number that will be appropriate for your cluster depends on the level of activity you expect your hosted application to receive. If you're unsure how many nodes you need, you can create a two-node cluster, then add additional nodes as the workload increases.

Requirement #3: Each cluster node must have two IP addresses. The first IP address works just like any other IP address. It is unique to the individual server, and must not be duplicated. The other IP address is shared by all of the nodes in the cluster.

To see how this works, say you have a two-node cluster hosting a Web application. The DNS server that is authoritative for your domain must be configured so that the record pointing to the Web application references the IP address that is shared by all nodes in the cluster. Now, when users access the Web application, they are taken directly to the cluster's IP address.

When the request arrives, all the hosts in the cluster receive and process the request. The Network Load Balancing service runs an algorithm to determine which of the nodes should respond to the request. Each node performs this calculation independently, without communicating with the others. Communications with the other cluster nodes are required any time a node is added to or removed from the cluster, as well as on a periodic basis to gauge the health of each node. When nodes are added or removed, the algorithm that determines which host responds to a request is changed to reflect the new number of nodes.

One last thing: Network Load Balancing clusters will only provide fault tolerance as long as a failure is related to one of the nodes in the cluster. Other types of failures will still result in downtime. If you're implementing a Network Load Balancing cluster, I recommend having multiple Internet connections, routers, firewalls and switches. In order to provide true fault tolerance, you must have redundancy outside of the cluster.

Remember: True scalability and fault tolerance are only achieved so long as there is redundancy outside of the cluster, and any backend databases are able to keep pace with the cluster.

Before we continue this discussion, it is important to note that "DFS" previously referred to shares and namespace management. Beginning with the Windows Sever 2003 R2 release, "DFS" is an umbrella term that refers to both namespaces and replication. The term "DFSR", at lease as it is used at this time, refers to the new replication engine.

The only bad thing about DFSR is its name. It makes it very confusing to refer to the replication engine that has the same name (DFS) as the namespace. So there is an old DFS, a new DFS with DFSR and a new management console. However, once you dig into the new console, it is easy to distinguish them.

DFS Management Console

One of the hardest things about DFS has been figuring out the terminology. Terms like DFS root, root target, root replica, link, link target, etc. are not intuitive and are difficult to understand. The new management console is much more simplistic. Figure 1 shows the new console. Note the left column shows two items: Namespace and Replication. Wow -- terms that actually make sense! You can see the namespaces defined (formerly known as DFS Roots) under Namespaces, and under Replication, you see the folders replicated (formerly known as Links). In Figure 1 you can also see the servers that host this namespace (formerly known as Root Targets or replicas).

Figure 1

There is a cool replication wizard that lets you configure the replication with common sense terms, and you can monitor the replication status all within this console. This is shown at least in part in Figure 2 where we can see the properties of the replicated folder, DATA. Note the tabs:

• Memberships - List of all servers replicating this folder (formerly known as Link targets) along with the path of the folder, if replication is enabled or disabled on that member, and the staging quota size
• Connections - Data about replication (who is the sending member, who is the receiving member, their respective sites, etc.)
• Replicated Folders - The name of the replicated folder, publication status and namespace path
• Delegation - Security (who has permissions to the folder and how it was granted)

Figure 2

Interoperability between Windows 2003 and Windows 2003/R2 DFS

It should be fairly obvious that with a new DFS replication engine, namespaces can only use one or the other -- not both. Even with the new DFS installed, you can still use FRS to replicate DFS data just like you always did. Note in Figure 3, if you look in Administrative Tools, you'll see the old DFS Management snap-in, called Distributed File System in the tools list, as well as the new R2 console, called DFS Management. Simply use DFS Management to configure with the DFSR replication engine, and use Distributed File System snap-in (the old one) to use FRS.

Figure 3

For example, let's say you have five Windows 2003 SP1 DFS servers hosting a folder called Documents. You want to start upgrading them to R2 and eventually use the new DFS. You can upgrade them at whatever schedule you see fit and just not change anything. They will still replicate using FRS under the old definitions. Once they are all upgraded, install DFS from the Windows Components under Control Panel \ Add-Remove Programs on each one. Open up the new DFS Management console and add the namespace just like you did in the old snap-in. No need to reconfigure the namespace. Just right click on the Replication option in the left panel of the console and answer the wizard's questions to configure replication.

NOTE: It is possible - thought not recommended - to have two different replication topologies for a single namespace, but on different servers. Suppose in the previous scenario you upgrade servers S1, S2 and S3 but it will be a while before you can upgrade S4 and S5 and you want to try out the new DFS. So you install the new DFS on S1, S2 and S3, then go into the new DFS Management snap-in on S1 and configure replication for the Documents folder for S1, S2 and S3. You now have a split brain replication. S1, S2 and S3 will replicate their Documents folder with each other and S4 and S5 will replicate their documents folder between themselves. However, if you add files to the directory on S4, it won't replicate to S1 and vise-versa. The problems here are obvious. The recommendation then, is to replicate folders with like data in either the old DFS or the new DFSR, but not both. Be careful during migration to plan your move and not have this happen.

I ran through the wizard and configured replication topology for a folder. It was very easy, very intuitive and it didn't use the words Root, Replica, link or target once. I highly recommend you migrate to the new DFS to take advantage of these features as well as the new "Remote Differential Compression" which allows sending only the changes made to a file rather than the whole file - a huge improvement in performance and reduction of network load.

There are many other reasons you'll like the new DFS that we'll discuss in future articles. Check out the FAQ and the other information on the Microsoft web site noted at the start of this article.

Admin B, on the other hand, decides to head to the command-line. She creates a text file called ous.txt with the Distinguished Name (DN) of each OU on a separate line, like this:

  ou=Finance,dc=mycompany,dc=com
  ou=Payroll,ou=Finance,dc=mycompany,dc=com
  ou=Marketing,dc=mycompany,dc=com
  ou=Training,dc=mycompany,dc=com

…and so on.

Admin B then uses a simple for loop that cycles through the OUs in the text file and creates each one in turn, like this:

  for /f %i in (C:\ous.txt) do dsadd ou "%i"

While it may take a little extra time to format that ous.txt file appropriately and to proofread it for correctness, it'll more than pay off in the end when the process of actually creating those 1,000 OUs ends up taking less than a minute. Using a script for this process is also much less error-prone, since there's no chance that you'll mistype "Training" as "Tarining" because it's the twentieth time you've had to type it into the ADUC wizard and your eyes have gone crossed.

What's that, you say? Still not convinced? You're only running a small AD deployment and the odds of you needing to create 1,000 OUs in a single go are quite slim indeed? Try this one on for size then.

You've been asked to deploy a software application to your clients that requires at least 512MB of RAM to run comfortably, and you need to know how many of your current workstations have less than this. So you open up ADUC, right-click on the domain and click Find. Hmm, seems the only options you can search for here are the computer name, role, description, and operating system version. Out of luck? Not by a long shot. You can use the Windows Management Instrumentation (WMI) to loop through the computers in your domain and grab the information you need. To obtain the total amount of memory installed on your local computer, for example, you'd use something like this:

  Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2")

    Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_LogicalMemoryConfiguration",
    "WQL", _ wbemFlagReturnImmediately + wbemFlagForwardOnly)

For Each objItem In colItems

 WScript.Echo "Total Installed Memory: " & objItem.TotalPhysicalMemory
   WScript.Echo

  Next

Next

Now, before your eyes start to glaze over because there's just no way that you have time to learn something that looks so confusing, here's a secret: you can find ready-made scripts to do most of the things you need just by searching the Internet. To help you get started, there's the TechNet Script Center Repository, a plethora of free scripts to be found at Lissware.net, and an excellent collection of Active Directory-specific scripts from RallenHome.com. The Microsoft "Scripting Guys" who run the Microsoft site I just mentioned also host a number of webcasts each month to help you get started with administrative scripting.

While I know that we're all overworked administrators with not much time left in the day to pick up a new skill like VBScript or learning a host of new command-line utilities, I can promise you that the time you spend now to learn these useful tools will end up saving you hours spent doing the "point-and-click shuffle" in the long-run. Scripting also lends itself quite well to automation: you can create a script to check for unused computer or user accounts on your domain once a quarter, or to parse your server event logs looking for red flag error messages. The more you can automate tasks such as these, the better your network will run and the more time you can devote to more involved tasks (or maybe just going home at 5:30 to play with your kids or your dog once in awhile!)

O.K. - so now you know the boring stuff - let's look at a few simple commands. Note that just by typing LDIFDE at a command prompt on a server, the help file will be output. The LDIFDE command contains several basic components:

    LDIFDE
  -i    import
   (default option is export)
    -f (file name)     name of import or export file)
    -s  (server name)   name of server to bind to for the operation
    -d (Ldap path)    Distinguished name for the path to the object(s) desired
    -r  (ldap object filter)     Filter the results using common ldap filters
    -l  (ldap attribute filter)  lists attributes to be returned on the object
    in the object filter.

Examples

Here are some basic examples you can cut your teeth on.

This first command will dump the entire AD into a file called ADdump.ldf. Note that since export is the default, we don't have to give it an export option. The -f option directs the output to ADdump.ldf and the -s option binds to the domain controller ATL-DC01 for the operation. If the -s option is missing it will bind to the DC you are executing the command from (assuming you are on a DC).

   LDIFDE –f ADdump.ldf –s ATL-DC01

This is an interesting command. Since users have read access to the directory, any user can put LDIFDE.exe on his or her workstation and dump the entire AD into a text file. This seems like a bit of a security hole -- especially if you store private data like Social Security numbers, Employee Badge Numbers, etc. that could be exposed with the dump of the user objects. There is no way around this as users must have read privileges. As one Admin put it, "At some point, you have to trust the users."

Obviously, you don't want to dump the entire AD and then sort through piles of data to find what you are looking for. LDIFDE uses common LDAP filters to narrow the search. Here are a few examples of how you can use the LDAP filters.

Suppose you want to get the attributes of all users in the Americas OU in the Corp.net domain. Using the -d and the -r command options described previously, the command would look like this:

   Ldifde –f users.ldf –s hpqnet-dc4 –d "OU=USA, dc=corp,dc=net" –r "(objectClass=user)"

Note that for the -d option, the LDAP path is the distinguished name (DN) for the OU. The -r option defines the objectClass. In this case, we just want Users. This would dump all attributes of all users. The data returned from one user would look similar to this:

    dn: CN=Steve Vai,OU=Americas,DC=Corp,DC=Net
    changetype: add
    AccountExpires: 9223372036854775807
    badPasswordTime: 0
    badPwdCount: 0
    codePage: 0
    cn: Gary Olsen
    countryCode: 0
    displayName: Steve Vai
    givenName: Steve
    instanceType: 4
    lastLogoff: 0
    lastLogon: 0
    logonCount: 0
    distinguishedName: CN=Steve Vai,CN=Users, ,DC=Company,DC=com
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=Company,DC=com
    objectClass: user
    objectGUID:: 4QiWdzpEYk2UTNL6iz/msA==
    objectSid:: AQUAAAAAAAUVAAAA/j9VVfSHVADdy8sQWwQAAA==
    primaryGroupID: 513
    pwdLastSet: 126270827951240348
    name: Steve Vai

Note the values of the objectGUID, objectSid, pwdLastSet, and AccountExpires attributes are unintelligible. There is some data that has to be reformatted via a script to get the right data. This will be discussed in a future article.

This article has given you some basics. You could use the same sample command and replace the User objectClass with Computer, or any other valid objectClass. There are also ways to filter certain attributes, such as returning only the street address, or perhaps return only users with a surname beginning with "A". These advanced operations require a bit more digging into LDAP search syntax. In the next few articles, I will give you a brief tutorial on LDAP searches and how to implement them in LDIFDE commands.

What do you want on your tombstone?
When objects are deleted from the directory, they are not immediately removed. Instead, the directory service removes the majority of the object's attributes and tags the object as tombstoned. The tombstone state indicates that the object has been deleted but not removed from the directory, much like a deleted file is removed from the file allocation table but the data is not actually removed from the drive. The directory service moves tombstoned objects to the Deleted Objects container, where they remain until the garbage collection process removes the objects. Garbage collection also defragments the database, essentially rearranging the data to be contiguous, and thereby reducing the size of the database file. The primary consideration isn't performance but rather keeping disk utilization to a manageable size.

Time to take out the garbage
The garbage collection process by default runs every 12 hours on a Domain Controller. The length of time tombstoned objects remain in the directory service before being deleted is 60 days (by default). The tombstone lifetime must be significantly longer than the garbage collection frequency to ensure that deletion of objects is replicated to other DCs. These default values ensure that the tombstoned state of the objects is replicated and the objects are deleted from all DCs, because it is extremely unlikely that it will take 60 days for a single replication to complete.

While you don't need to change the garbage collection interval or the tombstone lifetime, you can do so if your domain structure or replication scheme warrants it. For example, you might prefer to reduce the garbage collection interval to 24 hours to reduce server load and reduce the tombstone lifetime to 30 days to free up disk space more frequently. The maximum garbage collection interval is one-third of the tombstone lifetime. If you set the tombstone lifetime to 30 days, for example, the garbage collection interval will be 10 days, even if you've specified a larger value.

You can use the ADSI Edit tool included with the Windows 2000 Support Tools (located in the Support\Tools folder of the Windows 2000 CD) to modify the settings for garbage collection and tombstone lifetime. The values are attributes of the cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=ForestRootDomain object, and the attributes to change are tombstoneLifetime and garbageCollPeriod.

Defragmenting the Active Directory database
When AD performs the garbage collection process, it defragments the database; although it does not free up space on the disk, it simply restructures the existing data within the file. You use the Ntdsutil.exe command-line tool included with Windows 2000 to perform the defragmentation. While you can run Ntdsutil while the server is online, you must defragment the database with the directory service offline to recover disk space.

To start the server in Directory Services Restore Mode to perform the defragmentation, press [F8] at startup to display the Windows 2000 Advanced Options menu. Select Directory Services Restore Mode and press [Enter]. After the server boots, run the Ntdsutil utility to defragment the database. Ntdsutil is an interactive console program that performs several actions on the database.

When you perform a defragmentation, Ntdsutil creates a new copy of the Ntds.dit database file in a different folder. You then replace the old file with the new one and restart the server. You should retain the old Ntds.dit file in case you experience problems with the new file. Also, compare the file size between the old and new files to determine how much space you've freed through the defragmentation.

In addition, you can configure Windows 2000 to log the amount of space that would be freed by an offline defragmentation to the Directory Service event log during garbage collection. You'll need to tweak the registry to accomplish this. Open the Registry Editor and set the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\Garbage Collection to 1. Then, check the log after the next garbage collection to verify that the directory service is logging the data.

As explained above, Ntdsutil.exe is an interactive utility. Type Ntdsutil.exe at a console prompt and then enter Help to view the command options. You use the Files command to defragment the database.