icetray - Fotolia
Windows Server Active Directory is nothing new. First introduced in Windows 2000 Server, it is a staple of the Windows Server OS. Some organizations have had Active Directory in place for 15 years or more. As Active Directory databases age, they will accumulate clutter and corruption from partially removed user accounts, failed application installations or other administrative mistakes.
Problems that aren't specific to Active Directory (AD) can add to the clutter. For example, an organization's Exchange Server could fail catastrophically; due to expenses or other factors, the company may decide to retire that server. But, because the server was not taken offline gracefully, there may be references to it in Active Directory. These lingering references can cause problems with anything from load balancing to Exchange Server version upgrades.
Active Directory management tools that are built into the Windows Server OS will display clutter and corruption, but these tools cannot remove unwanted data from Active Directory. This may be due to a broken chain of relational objects, or it could be due to internal safeguards that are designed to protect an Active Directory database against potentially destructive administrative actions.
Active Directory features include:
- Support for the X.500 standard for global directories;
- The capability for secure extension of network operations to the Web;
- A hierarchical organization that provides a single point of access for system administration (management of user accounts, clients, servers and applications) to reduce redundancy and errors;
- An object-oriented storage organization, which allows easier access to information;
- Support for the LDAP to enable inter-directory operability; and
- Designed to be backward compatible and forward compatible.
Clean the Active Directory database with ADSI Edit
Microsoft ADSI Edit is a free tool for cleaning an Active Directory database, even if the usual AD management tools can't. ADSI Edit is essentially a Lightweight Directory Access Protocol (LDAP) editor for the Active Directory database.
ADSI Edit bypasses the safeguards built into the usual management tools, making it very powerful and potentially very destructive. So before using ADSI Edit, it's important to create a backup of the AD database. When used incorrectly, ADSI Edit can destroy Active Directory.
By default, ADSI Edit is included in Windows Server. To access the tool, enter the adsiedit.msc command into a domain controller's Run prompt. You can run ADSI Edit on a member server, but doing so usually requires manually registering the adsiedit.dll file before using it.
After loading ADSI Edit, connect to Active Directory by right-clicking on the ADSI Edit container and choosing Connect to from the shortcut menu (Figure 1).
Next, choose the naming context and the server or domain you want to edit. For example, select the default naming context and the default computer (Figure 2). Click OK to load the AD database.
In Figure 3, ADSI Edit displays the same containers that are available through the standard Active Directory management tools. Click on the container to expand any of containers to access the objects or its sub containers.
The management functions you can perform using ADSI Edit vary by object type. Most repairs involve deleting unwanted objects, but there are other actions available, such as resetting a user's password.
To see the management actions available for an object or a container, right click on that object or container for the context menu (Figure 4). Standard management actions usually include move, delete, rename and properties.
Prepare for Active Directory in the cloud
Create strong Active Directory password policies
Manage end user identity with Azure AD