Previously in this series we covered the challenges surrounding RID Depletion in Active Directory. This time around, let’s talk about DNTs.
Distinguished Name Tags (DNTs) are integer identifiers stored as a column in the Active Directory database (ntds.dit) and maintained by the Extensible Storage Engine (ESE). A Domain Controller assigns a DNT to every object it creates, whether the object originates locally or arrives through replication. Each Domain Controller assigns DNTs independently within its own database, and DNTs are never re-used. DNTs are not shared or replicated between Domain Controllers; what replicates are the values the Domain Controllers compute and agree on, such as SIDs, GUIDs and DNs.
The DNT Challenge
In its lifetime a Domain Controller can create at most roughly 2 billion DNTs. The exact ceiling is 2^31 - 255, which amounts to 2,147,483,393 DNTs. Since DNTs are never re-used, reclaimed or re-serialized, a Domain Controller reaches the end of its useful life when it hits this limit. With Windows Server 2012 this limit has come into sight, because the RID pool of a domain can now also grow to roughly this size.
When a Domain Controller hits the DNT limit, it needs to be demoted and re-promoted "over the wire", so that it starts with a fresh database.
Domain Controllers installed with the Install from Media (IfM) option inherit the DNT values of the Domain Controller that was used to create the IfM backup, so they start with that Domain Controller's consumed DNTs rather than from zero.
Domain Controller Cloning uses Install from Media (IfM) under the hood, so cloned Domain Controllers inherit the DNT values of their source as well.
To make the DNT Challenge harder, Windows Server offers no easy way to see how many DNTs a Domain Controller has created. It's doable, but it requires dumping the database or interrogating it programmatically. Both options are time-consuming and impact performance and disk space.
In Windows Server 2012, Active Directory admins can see the number of DNTs created far more easily, and thus face the DNT Challenge head-on.
Investigating used DNTs
In Windows Server 2012, you can investigate the amount of DNTs created through the built-in Performance Monitor. Follow these steps:
- Open Performance Monitor by running perfmon.exe.
- In the left pane expand Data Collector Sets.
- Right-click User Defined and select New… > Data Collector Set from the context menu.
- Give the data collector set a useful name and then select Create manually (Advanced) before clicking Next.
- Select Create data logs, tick Performance counter and click Next.
- Press the Add… button.
- In the Available counters list expand NTDS, select only Approximate highest DNT, click Add >> and then OK.
By default <Local computer> is selected as the computer to collect from. Since the counter is specific to each Domain Controller, you could use one Data Collector Set to collect the number of DNTs created on every Domain Controller in the environment by adding the counter once per Domain Controller.
- Select an interval (for instance: every 24 hours) and click Finish.
- In the left pane of Performance Monitor, right-click your newly created Data Collector Set and choose Start from the context menu.
- Now, every time you want to know the number of DNTs created on the Domain Controller, open Performance Monitor, expand Reports in the left pane, expand User Defined and click the name of the Data Collector Set. In the right pane, select a report to view.
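The Performance Monitor procedure above collects the same counter that can be read from the command line. The script below is an added example and is not part of the original post: it reads the NTDS counter from every Domain Controller in the domain and reports how far each one is from the DNT ceiling. It assumes the RSAT ActiveDirectory module is available, that remote performance counter access (RPC and Remote Registry) to each Domain Controller is allowed, and that the counter path is `\NTDS\Approximate highest DNT` as exposed by Windows Server 2012 and later; the 80% warning threshold is an arbitrary choice for illustration.

```powershell
# Added example (not from the original post): read the "Approximate highest DNT"
# counter on every Domain Controller and compare it with the per-DC DNT ceiling.
# Assumptions: RSAT ActiveDirectory module present, remote perf counter access
# allowed, counter path '\NTDS\Approximate highest DNT' (Windows Server 2012+).

Import-Module ActiveDirectory

# A Domain Controller can create at most 2^31 - 255 = 2,147,483,393 DNTs
$DntLimit = [int64]([math]::Pow(2, 31) - 255)

# Arbitrary threshold at which a DC is flagged for review (assumption)
$WarnFraction = 0.8

$counterPath = '\NTDS\Approximate highest DNT'

# DNTs are not replicated, so every DC has to be queried individually
$dcs = (Get-ADDomainController -Filter *).HostName

$report = foreach ($dc in $dcs) {
    try {
        $sample = Get-Counter -ComputerName $dc -Counter $counterPath -ErrorAction Stop
        $dnt    = [int64]$sample.CounterSamples[0].CookedValue
        $flag   = ''
        if ($dnt -gt ($DntLimit * $WarnFraction)) { $flag = 'REVIEW' }

        [pscustomobject]@{
            DomainController = $dc
            HighestDNT       = $dnt
            Remaining        = $DntLimit - $dnt
            PercentUsed      = [math]::Round(($dnt / $DntLimit) * 100, 2)
            Status           = $flag
        }
    }
    catch {
        # Unreachable DC or counter missing (pre-2012 DCs do not expose it)
        [pscustomobject]@{
            DomainController = $dc
            HighestDNT       = $null
            Remaining        = $null
            PercentUsed      = $null
            Status           = "Error: $($_.Exception.Message)"
        }
    }
}

$report | Sort-Object HighestDNT -Descending | Format-Table -AutoSize
```

Because the counter value is local to each Domain Controller, two Domain Controllers that hold exactly the same objects can report very different numbers: a Domain Controller promoted from an IfM backup (or a clone) starts at the value of its source, while a Domain Controller promoted over the wire starts from scratch. Schedule the script to run on the same interval as the Data Collector Set if you want a history rather than a snapshot.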
Having an easy way to query and monitor the number of DNTs created per Domain Controller is useful now that, in Windows Server 2012, the RID space of a domain can grow as large as the DNT limit of a single Domain Controller.