Information Tree (DIT) is implemented as a transactional database
using the Extensible Storage Engine (ESE). The primary database file
is named ntds.dit and by default
is stored in %SystemRoot%\NTDS,
but can be relocated during the initial promotion process or manually
ntdsutil command (see Recipe 16.8 for more details).
Each database write transaction is initially stored in a log file called edb.log, which is stored in the same directory as ntds.dit. That log file can grow to 10 MB in size after which additional log files are created (e.g., edb00001.log), each growing to up to 10 MB. After the transactions in the log files are committed to the database, the files are rotated. These log files are useful when a domain controller is shut down unexpectedly. When the DC comes back online, Active Directory can replay the log files and apply any transactions that may have not previously been written to disk. The edb.chk file stores the last committed transaction, which can be used to determine the transactions in the log files that have yet to be committed. Two 10 MB placeholder files called res1.log and res2.log are used if the disk runs out of space and Active Directory needs to commit changes.
In order to recover portions of Active Directory, or the entire directory itself, you need to have a solid backup strategy in place. You can back up Active Directory while it is online, which ...