Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2011-06-17) HOTFIX For "The Size Of The AD Increases Rapidly On A W2K8R2 DC That Hosts The DNS Server Role"

Posted by Jorge on 2011-06-17


SOURCE: The size of the Active Directory increases rapidly on a Windows Server 2008 R2-based domain controller that hosts the DNS Server role

SYMPTOMS:

Consider the following scenario:

  • You install the Active Directory Domain Services role and the DNS Server role on a computer that is running Windows Server 2008 R2.
  • The computer hosts one or more Active Directory-Integrated DNS zones.
  • The Dynamic Updates setting on the General tab of the Properties page of locally held Active Directory-integrated DNS zones is set to Secure only.
  • The same DNS records are registered and deregistered frequently. For example, the same DNS records are registered and deregistered several hundred times per day.

In this scenario, the size of Active Directory database directory information tree (.dit) files increases significantly over time. If you track the change by using the repadmin /showchanges command, you see that most of the growth in file size is contributed by deleted DNS objects.

Note: An increase in size of the NTDS.dit file in the Active Directory database path is exacerbated by the following factors:

  • Large values for the Tombstone Lifetime setting
  • Large volume of dynamic update record registration that is caused by large populations of Windows and third-party DNS clients, short DHCP lease durations, or code defects that cause third-party devices to register records too often
  • The enabling of the Active Directory Recycle Bin feature

CAUSE:

The issue occurs because of incorrect Active Directory tombstoning of DNS objects.

DNS clients should reuse the existing DNS objects that are marked to be deleted when they register DNS records. The existing DNS objects are usually referred to as "reanimating objects." However, currently the DNS server service creates a new object for these DNS clients and moves the existing DNS object to the deleted objects container. Over time, this behavior causes the Active Directory DIT file size to increase significantly.
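To see whether this tombstoning behaviour is what is inflating your DIT, here is an added PowerShell example (not from the KB article or this post) that counts tombstoned dnsNode objects per zone and record name, so the same host name showing up hundreds of times is visible at a glance. It assumes the RSAT ActiveDirectory module and read access to the Deleted Objects containers (Domain Admins have that by default).

```powershell
# Added example, not from the KB article or the post.
# Counts tombstoned dnsNode objects in the DNS application partitions and the
# domain NC, grouped by zone and original record name. A record name with a
# very high count means each re-registration created a new object instead of
# reanimating the deleted one, which is exactly the growth the hotfix addresses.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# AD-integrated zones are stored in one of these naming contexts.
$partitions = @(
    "DC=DomainDnsZones,$domainDN",
    "DC=ForestDnsZones,$domainDN",
    $domainDN
)

$deleted = foreach ($p in $partitions) {
    Get-ADObject -SearchBase $p -IncludeDeletedObjects `
        -LDAPFilter '(&(objectClass=dnsNode)(isDeleted=TRUE))' `
        -Properties lastKnownParent, whenChanged -ErrorAction SilentlyContinue
}

$rows = $deleted | ForEach-Object {
    [pscustomobject]@{
        # lastKnownParent is the zone DN, e.g. "DC=contoso.com,CN=MicrosoftDNS,..."
        Zone    = ($_.lastKnownParent -replace '^DC=', '' -replace ',.*$', '')
        # A tombstone name is "<name>\0ADEL:<guid>"; keep only the original name.
        Record  = ($_.Name -split "`n")[0]
        Deleted = $_.whenChanged
    }
}

"Total tombstoned dnsNode objects: $($rows.Count)"

# Top offenders: record names that have been deleted and re-created most often.
$rows |
    Group-Object Zone, Record |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name |
    Format-Table -AutoSize
```

Run it before and after applying the hotfix (and after a tombstone lifetime has passed) to confirm the per-record counts stop climbing.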

Soooo…..

If you think your AD NTDS.DIT is behaving like a rabbit and you do not like that, then get the hotfix here. (Applies to both W2K8R2 RTM and W2K8R2 SP1)

For more info see: The size of the Active Directory increases rapidly on a Windows Server 2008 R2-based domain controller that hosts the DNS Server role

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge's Quest For Knowledge ############# http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

One Response to “(2011-06-17) HOTFIX For "The Size Of The AD Increases Rapidly On A W2K8R2 DC That Hosts The DNS Server Role"”

  1. Temati said

    Hi,

    Just read your post, and I wonder how to get any information about the replication changes triggered by DNS.
    You wrote I can do this with repadmin /showchanges.
    But I already tried this with several parameters without luck.
    Please, can you give me a full command I can use for that?

    thx
