New features in Active Directory Domain Services in Windows Server 2012, Part 18: DNTs Exposed

Previously in this series we covered the challenges surrounding RID Depletion in Active Directory. This time around, let’s talk about DNTs.

About DNTs

Distinguished Name Tags (DNTs) are integer columns, maintained by the Extensible Storage Engine (ESE) within the Active Directory Database (ntds.dit). Domain Controllers use DNTs when they create objects, either locally or through replication. Each Domain Controller creates and maintains its own unique DNTs within its database when it creates objects. DNTs don’t get re-used. DNTs are not shared or replicated between Domain Controllers. Instead, what gets replicated are the computed values known by Domain Controllers, such as SIDS, GUIDs and DNs.

The DNT Challenge

In its lifetime a Domain Controller is limited to creating a maximum of approximately 2 billion DNTs over its lifespan. To be exact, a maximum of 231-255 DNTs can be created. This amounts to 2,147,483,393 DNTs. Since DNTs don’t get re-used, re-claimed  or re-serialized, a Domain Controller faces its end when it reaches this limit. Since Windows Server 2012, this limit is suddenly in sight, since the maximum amount of RIDs can now also grow to this limit.

When a Domain Controller hits the limit of maximum DNTs, the Domain Controller needs to be demoted and re-promoted “over the wire”.

Domain Controllers that are installed with the Install from Media (IfM) option inherit the DNT values from the domain controller that was used to create the IFM backup.

Domain Controller Cloning under the hood uses Install from Media (IfM)

To expand the DNT Challenge, it is hard in Windows Server to see the amount of DNTs created. IT’s do-able, but it requires dumping the database or programmatically interrogate the database. These options are time consuming and impact performance and disk space.


What’s New

In Windows Server 2012, Active Directory admins can more easily see the amount of DNTs created and face the DNT Challenge.

Investigating used DNTs

In Windows Server 2012, you can investigate the amount of DNTs created through the built-in Performance Monitor. Follow these steps:

  • Open Performance Monitor by running perfmon.exe.
  • In the left pane expand Data Collector Sets.
  • Right-click User Defined and select New… and Data Collector Set from the context menu.
  • Give the data collector set a useful name and then select Create manually (Advanced) before clicking Next.
  • Select to Create data logs and also select Performance counter. Click Next.
  • Press the Add… button.
  • In the left pane select NTDS and then select only the Approximate Highest DNT. Then click Add >> and OK.

By default the <localhost> is selected in Performance Monitor. Of course, you could use one Data Collector Set to get the amounts of DNTs created on all Domain Controllers in the environment.

  • Select an interval (for instance: every 24 hours) and click Finish.
  • In the left pane of Performance Monitor, right-click your newly created Data Collector Set and choose Start from the context menu.
  • Now, every time you want to know the amount of DNTs created on the Domain Controller, open Performance Monitor, in the left pane expand Reports, then expand User Defined and click on the name of the Data Collector Set. In the right pane, now select a report to view.



Having an easy way to query and monitor the number of DNTs created per Domain Controller is useful, since we can now have more RIDs than DNTs in Windows Server 2012.

Further reading

How can I determine my current DNT?
Active Directory Maximum Limits – Scalability
ExpertGlossary: Distinguished Name Tag (DNT)
[ActiveDir] DNTs and Replication

Series Navigation

<< New features in Active Directory Domain Services in Windows Server 2012, Part 16: Active Directory-based ActivationNew features in Active Directory Domain Services in Windows Server 2012, Part 19: Offline Domain Join Improvements >>

One Response to New features in Active Directory Domain Services in Windows Server 2012, Part 18: DNTs Exposed


    Hi Sander,

    This is the only site which quenched my investigation on Directory Services and I am following giants like Mark Minasi, Ace Fekay and Adam Carter.
    and I found everything I wanted on Directory Services.


leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.