As already mentioned in the previous blog post on RID Improvements in Windows Server 2012, Active Directory environments are sometimes cathedrals of Microsoft technology; they’re big, they’re old and a lot of effort has been put into them to get them into the shape they’re in today.
In these environments, changes in the indexability of objects and their attributes can have a big effect on the availability of Domain Controllers to serve clients and replicate changes. Index creation comes close to a Denial of Service (DoS) of Active Directory, because all Domain Controllers are busy (re)creating indices in their databases at roughly the same time. And isn’t that ironic? These indices were built into Active Directory to speed up performance in the first place.
So, when do changes in indexability of objects and attributes occur? Basically, three scenarios exist where Domain Controllers will (re)build indices:
- When a Domain Controller is shut down inappropriately, when a Domain Controller is restored from an improper backup or when a Domain Controller has been converted to a virtual machine without bringing it offline.
- When an Active Directory admin makes a change in the schema to make an attribute indexable.
- When an Active Directory admin performs a schema update, for instance to accommodate Domain Controllers running newer versions of Windows Server, or to introduce Exchange Server or Lync Server in the current environment.
In the latter two scenarios, Windows Server 2012 helps out.
On Domain Controllers running Windows Server 2012, index creation can be deferred to a time when it’s more convenient. The feature is called Deferred Index Creation.
The way the Active Directory team has built this into Windows Server 2012 is by using a bit (a character position) in the dsHeuristics attribute of the CN=Directory Service object.
Enabling Deferred Index Creation
Deferred Index Creation can be enabled by changing the 18th bit from 0 to 1. Here’s how:
- Run ldp.exe.
- Click the Connection menu and click Connect. Use the default port 389. When connected, go back to the Connection menu and click Bind… Bind as an enterprise administrator.
- Click the View menu and click Tree, then for the Base DN select the domain naming context from the drop-down list. Click Ok.
- In the navigation pane, drill down into the CN=Configuration container, then CN=Services, then CN=Windows NT, and there click the CN=Directory Service object.
- Double-click the CN=Directory Service object.
- Check the object attribute listing on the right side to determine whether the dsHeuristics attribute is already set. If it is set, copy the existing value to the clipboard.
- Right-click the Directory Service object on the left side, and then click Modify.
- As the attribute name, type dsHeuristics.
- As the value, type 000000000100000001. If dsHeuristics already had a value, keep its existing characters in the first part of the string and only change the 18th character. Make sure you have the correct count of characters up to that "1": to enable Deferred Index Creation, the 18th bit needs to be set.
To verify that the correct characters are being modified, every tenth character must be set to the number of characters up to that point divided by ten: the tenth character must be 1, the twentieth character must be 2, the thirtieth character must be 3, and so on.
- If the attribute already existed, click Replace in the Operation box. Otherwise, click Add.
- Press ENTER to the right of the Operation group to add the operation to the LDAP transaction.
- Click Run to apply the change to the object.
- When successful, the output will be:
ldap_modify_s(ld, 'CN=Directory Service,CN=Windows NT,CN=Services,
Modified "CN=Directory Service,CN=Windows NT,CN=Services,
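The same change scripted, as an added example that is not part of the original post: the function builds the new dsHeuristics value around whatever is already set, enforces the every-tenth-character rule described above, and the ActiveDirectory module writes it to CN=Directory Service. It assumes the module is installed and the account can modify that object.

```powershell
# Added example, not code from the original post: build the dsHeuristics value
# that enables Deferred Index Creation (18th character = 1) without clobbering
# heuristics that are already set, then write it with the ActiveDirectory module.
Import-Module ActiveDirectory

function New-DsHeuristicsValue {
    param(
        [string]$Current = '',   # existing dsHeuristics value, may be empty
        [int]$Position,          # 1-based character position to set
        [char]$Value
    )
    $chars  = $Current.ToCharArray()
    $length = [Math]::Max($chars.Length, $Position)
    $result = New-Object char[] $length
    for ($i = 1; $i -le $length; $i++) {
        if ($i -le $chars.Length) {
            $result[$i - 1] = $chars[$i - 1]        # keep what is already there
        } elseif ($i % 10 -eq 0) {
            $result[$i - 1] = [char]"$($i / 10)"    # 10th = '1', 20th = '2', ...
        } else {
            $result[$i - 1] = '0'
        }
    }
    $result[$Position - 1] = $Value
    # Guard against the miscount the post warns about: every tenth character
    # must equal its position divided by ten, also in a pre-existing value.
    for ($i = 10; $i -le $length; $i += 10) {
        if ($result[$i - 1] -ne [char]"$($i / 10)") {
            throw "dsHeuristics character $i must be $($i / 10), found '$($result[$i - 1])'"
        }
    }
    return (-join $result)
}

# Locate CN=Directory Service in this forest's Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$current  = (Get-ADObject -Identity $dsObject -Properties dsHeuristics).dsHeuristics
$new      = New-DsHeuristicsValue -Current $current -Position 18 -Value '1'
"Current: '$current'  New: '$new'"      # empty current value yields 000000000100000001
Set-ADObject -Identity $dsObject -Replace @{ dsHeuristics = $new }
```

Add -WhatIf to the Set-ADObject call to see the computed value without writing it, since the attribute replicates forest-wide.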
After this change is replicated to all Domain Controllers, they will defer Index Creation by default. This will result in the following behavior:
- Windows Server 2012-based Domain Controllers will defer building indices until they receive the UpdateSchemaNow rootDSE mod. This triggers the rebuilding of the schema cache.
- Windows Server 2012-based Domain Controllers will defer building indices until they are rebooted. This requires that the schema cache be rebuilt and, in turn, the deferred indices.
In addition, any attribute that is in a deferred index state will be logged in the Event Log every 24 hours on each of the Domain Controllers with Deferred Index Creation enabled. The following event-ids are used:
- event-id 2944: index deferred – logged once
- event-id 2945: index still pending – logged every 24 hours
Performing an UpdateSchemaNow rootDSE mod
Having Deferred Index Creation enabled allows for greater control over which Domain Controller will build indices at what moment in time. However, rebooting Domain Controllers as the means to get there seems worse than the initial problem: without Deferred Index Creation, Domain Controllers would be unavailable for a while, but they wouldn’t need to be rebooted.
With Deferred Index Creation enabled, Domain Controllers don’t need to be rebooted, although in some scenarios a reboot might be the easiest way, for instance when schema updates are part of a service window that also includes applying Windows Updates and thus rebooting servers anyway.
Domain Controllers with Deferred Index Creation enabled can be set to build the indices with the UpdateSchemaNow rootDSE mod. Perform the following steps to do so:
- Run adsiedit.msc.
- Right-click the ADSI Edit text in the top of the left most pane and select Connect to… from the context menu.
- Leave the Default Naming Context as name, but select the Select a well known Naming Context: option and change it to RootDSE from the pull down list.
- Right-click the RootDSE and choose Update Schema Now from the context menu.
When the Domain Controller has built the index, event-id 1137 is logged in the event log, indicating that the index has been created. You might already be familiar with this event-id, since it’s not a new one.
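The same rootDSE modification scripted against one Domain Controller at a time, as an added example that is not part of the original post, followed by a check of the index events the post lists. The host name dc01.example.com is an assumed placeholder; it uses the rootDSE binding from System.DirectoryServices and Get-WinEvent on the Directory Service log.

```powershell
# Added example, not code from the original post: send the UpdateSchemaNow
# rootDSE modification to one Domain Controller and then read the index events
# (2944 deferred, 2945 still pending, 1137 created) from its Directory Service log.

function Invoke-SchemaUpdateNow {
    param([Parameter(Mandatory)][string]$DomainController)
    # Binding rootDSE on a specific server makes only that DC rebuild its
    # schema cache and, with it, its deferred indices.
    $rootDse = [ADSI]"LDAP://$DomainController/RootDSE"
    $rootDse.Put('schemaUpdateNow', 1)
    $rootDse.SetInfo()
}

function Get-IndexEvents {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [int]$Hours = 24
    )
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2944, 2945, 1137
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
}

# Stagger the work: one DC per run, verify, then move on to the next one.
$dc = 'dc01.example.com'   # assumed host name
'Pending before:'; Get-IndexEvents -DomainController $dc | Where-Object Id -eq 2945
Invoke-SchemaUpdateNow -DomainController $dc
Start-Sleep -Seconds 30    # give the DC a moment; large indices take longer
'Created after:';  Get-IndexEvents -DomainController $dc | Where-Object Id -eq 1137
```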
Deferred Index Creation can help in large Active Directory environments to prevent unavailable Domain Controllers due to the building of indices after schema updates.
Deferred Index Creation allows for greater control over which Domain Controller will build indices at what moment in time, but as an Active Directory admin, you will need to signal each Domain Controller to create indices or reboot them before they will.