NTDS.dit security

    Question

  • Hi everyone

    I need to improve the security of the ntds.dit file on my domain controllers. Is there any way of changing the name of the ntds.dit file or changing its default location?

    Monday, April 22, 2013 2:38 PM

Answers

  • You cannot rename the Active Directory database files; however, you can move them to wherever you need:

    http://technet.microsoft.com/en-us/library/cc782948(v=ws.10).aspx

    That said, I personally don't see how this improves security on a DC.

    • Proposed as answer by VenkatSP Monday, April 22, 2013 2:50 PM
    • Marked as answer by 朱鸿文 Monday, April 29, 2013 2:42 AM
    Monday, April 22, 2013 2:49 PM
  • As another expert mentioned, you can move / change the default location of NTDS.dit or the other log files to a different location; however, make sure you check the registry settings after completing the process. If the NTDS registry paths are configured wrongly, you cannot log in to the server and you'll receive a 0xC00002e1 stop error (KB 258062). So take a backup of the registry before you make any changes to it.
    • Marked as answer by 朱鸿文 Monday, April 29, 2013 2:43 AM
    Monday, April 22, 2013 2:56 PM
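    The check the reply above recommends, as an added example that is not part of the original thread: it backs up the NTDS\Parameters key and then verifies that each path stored there resolves on disk before the reboot. It assumes the standard value names under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters (DSA Database file, Database log files path, DSA Working Directory) and is run as Administrator on the domain controller.

```powershell
# Added example, not from the thread: after moving the database or logs,
# confirm that the NTDS registry paths actually resolve before rebooting.
# Assumes the standard value names under the NTDS\Parameters key; run as
# Administrator on the domain controller.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# Back up the key first, as the reply above recommends.
$backup = Join-Path $env:TEMP ('NTDS-Parameters-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' $backup /y | Out-Null
"Registry backup written to $backup"

$params = Get-ItemProperty -Path $ntdsKey
$checks = @(
    @{ Name = 'DSA Database file';       PathType = 'Leaf'      }   # ntds.dit itself
    @{ Name = 'Database log files path'; PathType = 'Container' }   # edb*.log, edb.chk
    @{ Name = 'DSA Working Directory';   PathType = 'Container' }
)

$problems = 0
foreach ($c in $checks) {
    $value = $params.($c.Name)
    if ([string]::IsNullOrWhiteSpace($value)) {
        Write-Warning "$($c.Name): value is missing"
        $problems++
        continue
    }
    if (Test-Path -LiteralPath $value -PathType $c.PathType) {
        '{0,-24} OK  {1}' -f $c.Name, $value
    } else {
        Write-Warning ("{0}: '{1}' does not exist on disk" -f $c.Name, $value)
        $problems++
    }
}

if ($problems -eq 0) {
    'All NTDS paths resolve; the DC should start normally after reboot.'
} else {
    Write-Warning "$problems problem(s) found. Correct the paths before rebooting, or the DC will stop with 0xC00002e1 (KB 258062)."
}
```

    The exported .reg file is what you would import from Directory Services Restore Mode if a path turns out to be wrong after all; keep it somewhere other than the volume you just moved the database to.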
  • Why do you think you will gain any additional security by doing that? Enable BitLocker Drive Encryption on the drive hosting the database instead; note that sensitive information in ntds.dit is already encrypted.

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    • Proposed as answer by Meinolf Weber Monday, April 22, 2013 5:44 PM
    • Marked as answer by 朱鸿文 Monday, April 29, 2013 2:43 AM
    Monday, April 22, 2013 4:49 PM
  • Hi everyone

    I need to improve the security of the ntds.dit file on my domain controllers. Is there any way of changing the name of the ntds.dit file or changing its default location?

    In addition to the others: simply renaming or moving the NTDS.DIT to another location will not provide any kind of security at all. You can refer to one more article concerning security of the DC's data.

    http://blogs.technet.com/b/askpfeplat/archive/2012/09/26/what-can-be-used-to-keep-active-directory-data-secure.aspx


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Marked as answer by 朱鸿文 Monday, April 29, 2013 2:43 AM
    Tuesday, April 23, 2013 3:14 AM
    Moderator

All replies

  • chris,

    Is there a chance that BitLocker may corrupt the AD database? Is there a chance that corrupted data gets replicated across all domain controllers? I would like to know the impact of deploying BitLocker on domain controllers.

    Friday, October 25, 2013 3:23 AM
  • No - BitLocker would not corrupt the AD database (NTDS.dit). Enabling BitLocker on DCs and on the drive containing the NTDS.dit database is fully supported.

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Tuesday, October 29, 2013 3:13 AM
  • Thanks Chris. Another simple query: should we install BitLocker and then promote to DC, or promote and then install? Also, what is the preferred key storage option, TPM or USB?
    Wednesday, October 30, 2013 2:47 AM
  • Enable BitLocker before promoting the server to a DC. Use TPM; otherwise it would be hard to service the DC (e.g. required restarts for maintenance, software updates etc.).

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Wednesday, October 30, 2013 7:05 AM
  • chris,

    While attempting to turn on BitLocker (OS partition) on a member server, there are two options for the recovery file: "Save to a file" and "Save to USB drive". I am attempting to select the "save to file" option and trying to save it in a shared folder on a different domain controller (root domain). The file is not getting saved and it says "file not found". Any idea on this issue? I want the recovery file to be stored on a shared folder on the root domain controller.

    Wednesday, November 6, 2013 11:28 PM
  • Hi All,

    I'm testing BitLocker on an RODC (VM) in my lab environment. I moved the ntds.dit, sysvol and log folder to a different volume (R:) than the system volume (C:) and encrypted the volume. After BitLocker has been enabled on R:, the server will BSOD during boot up, complaining it cannot start AD DS because the device is not functioning.

    When I boot up in DSRM and suspend BitLocker on R:, it can boot up without issues; it will BSOD again during boot up if I resume BitLocker on R:.

    So I assume that BitLocker on data volume is unlocked later than the time ntds.dit/log/sysvol required to be accessed during boot up.

    Any workaround for this, or did I miss some important steps?

    Thanks in advance.

    Wednesday, November 13, 2013 4:35 AM
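    An added check that is not part of the original thread, aimed at the situation in the last post (database, logs and sysvol on a BitLocker-protected data volume) and at the earlier advice to encrypt the drive hosting the database: it resolves which volumes hold NTDS data and reports their BitLocker state. A fixed data volume that is protected but not set to auto-unlock stays locked after boot until someone unlocks it, so anything that needs it while services are starting will fail; the script flags that combination. It assumes the BitLocker PowerShell module (Windows Server 2012 and later) and the standard NTDS\Parameters and Netlogon\Parameters value names, and does not claim to diagnose the specific BSOD above.

```powershell
# Added example, not from the thread: show the BitLocker state of every volume
# that hosts NTDS data and flag data volumes that will not unlock on their own.
# Assumes the BitLocker module (Get-BitLockerVolume) and the standard registry
# value names; run as Administrator on the domain controller.
$ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$paths = @($ntds.'DSA Database file', $ntds.'Database log files path', $ntds.'DSA Working Directory')

# Sysvol path is recorded under Netlogon\Parameters; include it when present.
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue
if ($netlogon.SysVol) { $paths += $netlogon.SysVol }

# Reduce the paths to the distinct drive letters that hold them (e.g. 'R:').
$volumes = $paths | Where-Object { $_ } | ForEach-Object { Split-Path -Qualifier $_ } | Sort-Object -Unique

foreach ($mp in $volumes) {
    $bl = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
    if (-not $bl) {
        Write-Warning "$mp : BitLocker status unavailable (module missing or volume not found)"
        continue
    }
    $protectors = ($bl.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
    '{0} type={1} status={2} protection={3} autounlock={4} protectors=[{5}]' -f `
        $mp, $bl.VolumeType, $bl.VolumeStatus, $bl.ProtectionStatus, $bl.AutoUnlockEnabled, $protectors

    # A protected data volume without auto-unlock stays locked until unlocked by hand.
    if ($bl.VolumeType -eq 'Data' -and $bl.ProtectionStatus -eq 'On' -and -not $bl.AutoUnlockEnabled) {
        Write-Warning "$mp holds NTDS data but is not set to auto-unlock; it stays locked at boot until unlocked manually."
    }
}
```

    Run it from DSRM with protection suspended, as the last poster did, and the output tells you in one line per volume whether the database volume is a data volume, whether protection is on, and which protectors it has; that is the information to have in hand before deciding whether to enable auto-unlock for the volume or to leave the database on the OS volume as the earlier replies assumed.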