How Active Directory Stores Data | NTDS.dit, SYSVOL & Log Files Explained

 Active Directory stores all directory information in a structured database file called NTDS.dit. This file contains data about users, computers, groups, organizational units, and other network objects. It is stored on every Domain Controller and managed by the Extensible Storage Engine (ESE).


  • NTDS.dit

NTDS.dit is the main Active Directory database file. It stores:

  • Object data (users, computers, groups, etc.)
  • Attributes (password hashes, SIDs, group memberships, etc.)
  • Schema partition
  • Configuration partition
  • Domain partition 

By default, it is located in:

%systemroot%\NTDS

The database uses a page-based structure (8 KB pages) and supports indexing for fast searches.


  •  Extensible Storage Engine (ESE)

The Extensible Storage Engine (JET Blue) is a transactional database engine.

Key features:

  • Write-ahead logging
  • Crash recovery
  • Indexed storage
  • Multi-version concurrency control

ESE ensures database integrity using transactions, meaning changes are either fully committed or rolled back.

 

  • Transaction Logs (Edb.log)

Before any change is written to NTDS.dit:

  1. The change is written to the log file (write-ahead logging).
  2. Once safely logged, it is committed to the database.
  3. The checkpoint updates.

Log files:

  • Edb.log (current log file)
  • Edbxxxxx.log (previous logs)
  • Reserved log files (Edbres00001.jrs, Edbres00002.jrs)

These logs are critical for database recovery after unexpected shutdowns.

 

  • Checkpoint File (Edb.chk)

The checkpoint file tracks:

  • Which transactions have been written from memory to disk
  • The last successfully committed log sequence

During start-up recovery:

  • AD checks the checkpoint
  • Replays any uncommitted logs
  • Restores database consistency automatically

 

  • SYSVOL and Group Policy Storage

While NTDS.dit stores directory objects, Group Policy templates are stored separately in SYSVOL.

Location:

%systemroot%\SYSVOL\sysvol

SYSVOL contains:

  • GPO templates
  • Logon scripts
  • Group Policy settings

SYSVOL replication:

  • FRS (legacy, deprecated)
  • DFS-R (modern replication engine)

  • Data Partitions in Active Directory

Active Directory uses multiple naming contexts (partitions):

  1. Schema Partition
    • Defines object types and attributes
    • Replicates forest-wide
  2. Configuration Partition
    • Stores AD site and replication topology information
    • Replicates forest-wide
  3. Domain Partition
    • Stores domain-specific objects
    • Replicates only within that domain
  4. Application Partitions
    • Optional partitions (e.g., DNS zones)
    • Replicate to selected Domain Controllers

 

  • Logical Organization

Forest

└── Tree

└── Domain

└── Organizational Units

└── Objects

This hierarchy allows delegation, scalability, and administrative boundaries.

 

  • Replication

Active Directory uses multi-master replication. 

Characteristics:

  • Update Sequence Numbers (USNs)
  • High-watermark tracking
  • Knowledge consistency checker (KCC)
  • Intrasite (RPC)
  • Intersite (RPC or SMTP)

 

Each Domain Controller maintains:

  • Invocation ID
  • USN vector table
  • Replication metadata per object

 

  • Deleted Objects 

When an object is deleted:

  1. It becomes a tombstone object.
  2. Most attributes are stripped.
  3. It remains for the tombstone lifetime.

Default tombstone lifetime:

  • 60 days (older systems)
  • 180 days (modern systems)

With Active Directory Recycle Bin enabled:

  • Objects retain more attributes.
  • Restoration is faster and more complete.

 

  • Lingering Objects

Lingering objects occur when:

  • A Domain Controller remains offline longer than the tombstone lifetime.
  • Deletion updates never replicate to that Domain Controller.
  • The offline DC comes back online with outdated objects.

Because the tombstone has already expired on other DCs, those DCs no longer have deletion metadata. As a result, the outdated DC keeps objects that should no longer exist.

Impact:

  • Replication errors (Event ID 1988)
  • Authentication inconsistencies
  • Potential reintroduction of deleted security principals
  • Directory divergence 

Detection:

  • repadmin /replsummary
  • repadmin /showrepl
  • repadmin /removelingeringobjects

Prevention:

  • Enable Strict Replication Consistency
  • Monitor replication regularly
  • Avoid keeping Domain Controllers offline beyond tombstone lifetime
  • Decommission failed DCs properly (metadata clean-up)

 

  • Database Maintenance and Health

Best practices:

  • Regular System State backups
  • Monitor NTDS database size
  • Defragmentation (offline using ntdsutil)
  • Ensure healthy disk subsystem
  • Separate database and log files onto different disks (performance and safety)


Summary: 

Active Directory storage consists of:

  • NTDS.dit (core directory database)
  • ESE database engine
  • Transaction logs for durability
  • Checkpoint tracking for recovery
  • SYSVOL for policy files
  • Multi-master replication system
  • Tombstone and Recycle Bin mechanisms
  • Protection against lingering objects

 

Together, these components ensure integrity, availability, scalability, and recoverability of the Active Directory environment.


Subscribe to my YouTube channel: www.youtube.com/@Stack_Tech

Comments

Post a Comment

Popular posts from this blog

Active Directory Overview (Windows Server) for Interview Preparation

Image
What is Active Directory ? Active Directory (AD) is Microsoft's directory service used to Manage below Network objects and Resources Manage users Manage Computers Manage Groups Control access to resources apply security policies     We can call AD as : A centralized brain of windows network Without AD: Every computer has its own users Passwords aren't Shared Policies must be configured one-by-one. With AD: one login works everywhere. Permission are controlled centrally. Security is enforced automatically. Active Directory Web Services Port number : 9389 Why Active Directory Exists ? Imagine a company having 1000 Employees: Without AD 1000 local accounts per Server. Manual access control. No central security. Difficult to Manage. With AD: One user account per employee login from any company PC Central password rules Easy onboarding or Offboarding Core Components of Active Directory ? Domain Domain Controller (DC) Objects Organizational units (OUs) Domain : A domain is a logica...
Read more

Desktop Support Interview Q&A (Beginner Level)

Image
1) What is active directory? Active directory authorizes and authenticates all users and computers in a window domain network, ensuring the security of the computer and software. Through active directory various functions can be managed like creating admin users, connecting to printers or external hard drives.   2) What is DHCP and what it is used for? DHCP stands for dynamic host configuration protocol. It is used to allocate IP addresses to a large number of the computer system in a network.   It helps in managing the large number of IPs very easily.   3) What is scope and super scope? Scope consists of an IP address like gateway IP, subnet mask, DNS server IP. It can be used to communicate with the other PCs in the network. The super scope becomes when you combine two or more scopes together.   4) What is DNS? DNS mean Domain Naming Service, and it is used for resolving IP addresses to name and names to IP address. DNS is like a translator for ...
Read more

IT Abbreviations Explained for Beginners | Most Asked in Interviews

Image
Important IT & computer-related words with their full forms — useful for S chool, College, Competitive Exams, and Interviews . COMPUTER - Common Operating Machine Purposely Used for Technological and Educational Research IT – Information Technology CPU – Central Processing Unit ALU – Arithmetic Logic Unit CU – Control Unit RAM – Random Access Memory ROM – Read Only Memory HDD – Hard Disk Drive SSD – Solid State Drive JPG/JPEG – Joint Photographic Experts Group PNG – Portable Network Graphics USB – Universal Serial Bus VDU – Visual Display Unit UPS – Uninterruptible Power Supply BIOS – Basic Input Output System CMOS – Complementary Metal Oxide Semiconductor CD – Compact Disc DVD – Digital Versatile Disc LED – Light Emitting Diode LCD – Liquid Crystal Display SMPS – Switched Mode Power Supply NIC – Network Interface Card GPU – Graphics Processing Unit OCR –...
Read more