The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), but only for the purposes provided in the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.
© 2003 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Managing the Windows Server Platform

Contents

Introduction to Product Operations Guide ... 1
  Document Purpose ... 1
  Intended Audience ... 1
  How to Use This Guide ... 1
  Background ... 1
High-Level Processes for Maintaining Active Directory ... 5
  Overview ... 5
  Technology Required ... 5
  Maintenance Processes Checklist ... 8
    Operating Quadrant ... 8
    Supporting Quadrant ... 10
    Optimizing Quadrant ... 11
    Changing Quadrant ... 13
Detailed Maintenance Actions ... 15
  Overview ... 15
  Process: Back up Active Directory ... 16
    Task: Back up Active Directory and associated components ... 19
  Process: Non-authoritative restore of Active Directory ... 20
    Task: Perform a non-authoritative restore of a domain controller ... 20
    Task: Restore a domain controller through reinstallation and subsequent restore from backup ... 21
  Process: Authoritative restore for Active Directory objects ... 22
    Task: Perform an authoritative restore of one or more directory objects ... 23
    Task: Perform an authoritative restore of an application partition ... 25
    Task: Perform an authoritative restore of Group Policy ... 25
  Process: Recovering a domain controller through reinstallation ... 26
    Task: Recovering a domain controller through reinstallation ... 26
  Process: Installing a domain controller for an existing domain ... 28
    Task: Preparing for Active Directory installation ... 28
    Task: Install Active Directory ... 30
    Task: Install Active Directory from media ... 31
    Task: Unattended install of Active Directory ... 31
    Task: Verify Active Directory installation ... 32
  Process: Removing Active Directory ... 34
    Task: Decommission the domain controller ... 35
    Task: Forced removal of a domain controller ... 36
  Process: Rename a domain controller ... 38
    Task: Rename using the System Properties user interface ... 38
    Task: Rename using the Netdom command-line tool ... 39
  Process: Manage the Active Directory database ... 40
    Task: Relocate Active Directory database files ... 41
    Task: Returning unused disk space from the Active Directory database to the file system ... 42
  Process: Managing the SYSVOL ... 45
    Task: Changing the space allocated to the staging area ... 47
    Task: Relocate the staging area ... 47
    Task: Relocating SYSVOL manually ... 48
    Task: Updating the system volume path ... 50
    Task: Restoring and rebuilding SYSVOL ... 50
  Process: Manage the Windows Time service ... 52
    Task: Configuring a time source for the forest ... 53
    Task: Configuring a reliable time source on a computer other than the PDC emulator ... 53
    Task: Configuring a client to request time from a specific time source ... 54
    Task: Optimizing the polling interval ... 54
    Task: Disabling the Windows Time service ... 55
  Process: Managing trusts ... 56
    Task: Creating external trusts ... 57
    Task: Creating shortcut trusts ... 58
    Task: Removing manually created trusts ... 59
    Task: Preventing unauthorized privilege escalation ... 59
    Task: Creating cross-forest trusts ... 60
    Task: Managing selective authentication on a cross-forest trust ... 61
    Task: Removing the forest trust ... 61
  Process: Managing sites ... 62
    Task: Adding a new site ... 63
    Task: Adding a subnet to the network ... 64
    Task: Linking sites for replication ... 65
    Task: Changing site link properties ... 65
    Task: Moving a domain controller to a different site ... 66
    Task: Removing a site ... 68
  Process: Manage antivirus software on domain controllers ... 71
    Task: Exclude files not at risk of infection ... 71
    Task: Install software ... 73
  Process: Add a global catalog ... 74
    Task: Add the global catalog to a domain controller ... 75
    Task: Verify the global catalog readiness ... 77
  Process: Removing the global catalog from a domain controller ... 78
    Task: Remove a global catalog ... 78
  Process: Identify global catalog servers in a site ... 79
    Task: Identifying a global catalog server ... 79
    Task: Identifying a site that has no global catalog servers ... 79
    Task: Identifying sites that have universal group caching enabled ... 79
  Process: Move an operations master role ... 80
    Task: Designating a domain controller for an operations master role ... 85
    Task: Verifying the transfer of an operations master role ... 86
  Process: Reduce the workload on the PDC emulator ... 87
    Task: Adjusting the DNS weight setting ... 87
    Task: Adjusting the DNS priority registry setting ... 87
  Process: Transferring a role holder ... 89
    Task: Transfer to the standby operations master role ... 90
    Task: Transfer an operations master role when no standby is ready ... 90
  Process: Seize an operations master role ... 92
    Task: Seizing an operations master role ... 94
  Process: Choose a standby operations master ... 96
    Task: Choosing a standby operations master ... 97
Processes by MOF Role Clusters ... 99
  Operations Role Cluster ... 99
  Support Role Cluster ... 100
  Release Role Cluster ... 100
  Infrastructure Role Cluster ... 101
  Security Role Cluster ... 102
  Partner Role Cluster ... 102
Appendix ... 103
  Procedure Details ... 103
Contributors

Program Manager
  Jeff Yuhas, Microsoft Corporation
  Chris Macaulay, Microsoft Corporation
Lead Contributors
  Nigel Cain, Microsoft Corporation
  Arren Conner, Microsoft Corporation
  Dmitry Dukat, Microsoft Corporation
  Levon Esibov, Microsoft Corporation
  Khushru Irani, Microsoft Corporation
  Kamal Janardhan, Microsoft Corporation
  Gregory Johnson, Microsoft Corporation
  William Lees, Microsoft Corporation
  Andreas Luther, Microsoft Corporation
  Kevin Sims, Microsoft Corporation
  Jeromy Statia, Microsoft Corporation
Test Manager
  Greg Gicewicz, Microsoft Corporation
QA Manager
  Jim Ptaszynski, Microsoft Corporation
Lead Technical Writer
  Jerry Dyer, Microsoft Corporation
Lead Technical Editor
  Laurie Dunham, Microsoft Corporation
Technical Editor
  Patricia Rytkonen, Volt Technical Services
Production Editor
  Kevin Klein, Volt Technical Services
1 Introduction to Product Operations Guide

Document Purpose

This guide describes processes and procedures for improving the management of the Microsoft Active Directory directory service in an information technology (IT) infrastructure.

Intended Audience

This material should be useful for anyone planning to deploy this product into an existing IT infrastructure, especially one based on the IT Infrastructure Library (ITIL), a comprehensive set of best practices for IT service management, and Microsoft Operations Framework (MOF). It is aimed primarily at two main groups: IT managers and IT support staff (including analysts and service-desk specialists).

How to Use This Guide

This guide is divided into five chapters. The first chapter provides basic background information. The second chapter provides a high-level checklist of the processes required for maintaining this product. The third chapter takes a more detailed look at the processes described in the maintenance chapter and maps them to the tasks and procedures that make up each process. The fourth chapter organizes processes by the role responsible for each process. The fifth chapter contains an appendix with procedure details, including requirements and steps.

The guide may be read as a single volume, including the detailed maintenance and troubleshooting sections. Reading the document this way will provide the necessary context so that later material can be understood more readily. However, some people will prefer to use the document as a reference, only looking up information as they need it.

Background

This guide is based on Microsoft Solutions for Management (MSM). MSM provides a combination of best practices, best-practice implementation services, and best-practice automation, all of which help customers achieve operational excellence as demonstrated by high quality of service, industry reliability, availability, security, and low total cost of ownership (TCO).

These MSM best practices are based on MOF, a structured, yet flexible approach centered on ITIL. MOF includes guidelines on how to plan, deploy, and maintain IT operational processes in support of mission-critical service solutions. Central to MOF, and to understanding the structure of this guide, are the MOF Process and Team Models. The Process Model and its underlying service management functions (SMFs) are the foundation for the process-based approach that this guide recommends for maintaining a product. The Team Model and its role clusters offer guidance for how to ensure the proper people are assigned to operational roles. Figure 1 shows the MOF Process Model combined with the SMFs that make up each quadrant of the Process Model.
Figure 1. MOF Process Model and SMFs

Figure 2 shows the MOF Team Model, along with some of the many functional roles or function teams that might exist in service-management organizations. Those roles and function teams are shown mapped to the MOF role cluster to which they would likely belong.

[Figure 2: MOF Team Model. Role clusters with the example functional roles or teams the figure maps to them. Release: change management; release/systems engineering; configuration control/asset management; software distribution/licensing; quality assurance. Operations: messaging operations; database operations; network administration; monitoring/metrics; availability management. Security: intellectual property protection; network and system security; intrusion detection; virus protection; audit and compliance administration; contingency planning. Partner: maintenance vendors; environment support; managed services, outsourcers, trading partners; software/hardware suppliers. Infrastructure: enterprise architecture; infrastructure engineering; capacity management; cost/IT budget management; resource and long-range planning. Support: service desk/help desk; production/production support; problem management; service level management.]

Figure 2. MOF Team Model and examples of functional roles or teams

The MOF Team Model is built on six quality goals, which are described and matched with the applicable team role cluster in Table 1.

Table 1. MOF Team Model Quality Goals and Role Clusters

Quality Goal: Effective release and change management. Accurate inventory tracking of all IT services and systems.
  Team Role Cluster: Release
Quality Goal: Management of physical environments and infrastructure tools.
  Team Role Cluster: Infrastructure
Quality Goal: Quality customer support and a service culture.
  Team Role Cluster: Support
Quality Goal: Predictable, repeatable, and automated system management.
  Team Role Cluster: Operations
Quality Goal: Mutually beneficial relationships with service and supply partners.
  Team Role Cluster: Partner
Quality Goal: Protected corporate assets, controlled authorization, and proactive security planning.
  Team Role Cluster: Security
Further information about MSM and MOF is available at http://www.microsoft.com/solutions/msm/techinfo/default.asp, or search for the topic on TechNet at http://www.microsoft.com/technet/default.asp. You can also contact your local Microsoft or partner representative.
2 High-Level Processes for Maintaining Active Directory

Overview

Every company consists of employees (people), activities that those employees perform (processes), and tools that help them perform those activities (technology). No matter what the business, it most likely consists of people, processes, and technology working together to achieve a common goal. Table 2 illustrates this point.

Table 2. People, Processes, and Technology Working Together

Area: Auto repair industry
  People: Mechanic
  Process: Repair manual
  Technology: Socket set
Area: Software development industry
  People: Programmer
  Process: Project plan
  Technology: Compiler; debugger
Area: IT operations
  People: IT technician
  Process: Microsoft Operations Framework
  Technology: Microsoft Active Directory
The focus of this product operations guide is the Active Directory directory service, the directory service for the Microsoft Windows Server 2003 family. Active Directory stores information about objects on the network; its logical, hierarchical organization of directory information makes it easy for administrators and users to find this information. Windows Server 2003 brings many improvements to Active Directory, making it more versatile, dependable, and economical to use. In Windows Server 2003, Active Directory provides increased performance and scalability. It also allows you greater flexibility for designing, deploying, and managing an organization's directory.

Technology Required

Table 3 lists the tools or technologies used in the processes, and their subordinate tasks and procedures, described in this guide. All tools should be accessed from a Windows Server 2003 server console, except in those cases where a link is provided.

Table 3. Tools or Technologies Required to Manage Active Directory

Backup utility
  Description: Performs backup and restore operations. It is automatically installed with Windows Server 2003, where the backup utility is Ntbackup.exe. The wizard, or basic mode, is called the Backup or Restore Wizard; in advanced mode it is called the Backup Utility.
  Location: Start > All Programs > Accessories > System Tools > Backup. Or, to open the Backup tool from the command line: Start > Run, type ntbackup in the Open box, and then click OK.

DNS Manager
  Description: Used for modifying DNS parameters. These centralized management and monitoring tools can be found either in Administrative Tools after initial installation of the DNS service, or through Adminpak.msi.
  Location: Start > Control Panel > Administrative Tools. Or, to open DNS Manager from the command line, type: %systemroot%\System32\dnsmgmt.msc

Active Directory Domains and Trusts MMC snap-in
  Description: Used for modifying Active Directory domains and trusts. These centralized management and monitoring tools can be found either in Administrative Tools after initial installation of Active Directory, or through Adminpak.msi.
  Location: Start > Control Panel > Administrative Tools. Or, to open the MMC snap-in from the command line, type: %systemroot%\System32\domain.msc

Active Directory Installation Wizard
  Description: Used to promote or demote a domain controller.
  Location: Start > Run > dcpromo

Active Directory Schema snap-in
  Description: Used for modifying the Active Directory schema. This tool does not appear by default in Administrative Tools; the snap-in DLL must first be registered by running regsvr32 schmmgmt.dll from a command prompt.
  Location: Open the MMC snap-in from the command line by typing: %systemroot%\System32\schmmgmt.msc

Active Directory Sites and Services MMC snap-in
  Description: Used for modifying Active Directory sites and services. This centralized management and monitoring tool can be found either in Administrative Tools after initial installation of Active Directory, or through Adminpak.msi.
  Location: Start > Control Panel > Administrative Tools. Or, to open the MMC snap-in from the command line, type: %systemroot%\System32\dssite.msc

Active Directory Users and Computers MMC snap-in
  Description: Used for modifying Active Directory users and computers. These centralized management and monitoring tools can be found either in Administrative Tools after initial installation of Active Directory, or through Adminpak.msi.
  Location: Start > Control Panel > Administrative Tools. Or, to open the MMC snap-in from the command line, type: %systemroot%\System32\dsa.msc

ADSI Edit MMC snap-in
  Description: Used for editing Active Directory to add, delete, or move objects within the directory. Because it edits raw attribute values with no input validation, changes made here bypass the safety checks of the other snap-ins. It is installed with the Windows Support Tools (see the note after this table).
  Location: Open the MMC snap-in from the command line by typing: adsiedit.msc

Dcdiag.exe
  Description: This command-line tool analyzes the state of domain controllers in the forest or enterprise and reports any problems to assist in troubleshooting.
  Location: Start > Run > cmd; at the command prompt, type dcdiag /? to see options.

Event Viewer
  Description: Provides logs for transactional, reactive reviews of system and service events. It is automatically installed with Windows Server 2003.
  Location: Start > Control Panel > Administrative Tools > Event Viewer. Or, to open Event Viewer from the command line: Start > Run, type eventvwr.msc in the Open box, and then click OK.

Ldp.exe
  Description: Used to connect, bind, search, modify, add, and delete against any LDAP-compatible directory such as Active Directory. Used to view objects stored in Active Directory along with their metadata.
  Location: Start > Run, type ldp.exe in the Open box, and then click OK.

Net.exe
  Description: A set of commands for a variety of tasks, such as managing user accounts and computer accounts, sending messages, and managing shared resources.
  Location: Start > Run > cmd; at the command prompt, type net to see options.

Netdiag.exe
  Description: Helps isolate networking and connectivity problems by performing a series of tests to determine the state of the network client.
  Location: Start > Run > cmd; at the command prompt, type netdiag /? to see options.

Netdom.exe
  Description: Enables administrators to manage Windows 2000 and Windows Server 2003 domains and trust relationships from the command line.
  Location: Start > Run > cmd; at the command prompt, type netdom /? to see options.

Nltest.exe
  Description: Helps you get a list of domain controllers, force a remote shutdown, and query the status of trust relationships.
  Location: Start > Run > cmd; at the command prompt, type nltest /? to see options.

Ntdsutil.exe
  Description: Used to perform database maintenance of Active Directory, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled.
  Location: Start > Run > cmd; at the command prompt, type ntdsutil /? to see options.

Registry Editor
  Description: Enables you to view and change settings within the registry.
  Location: Start > Run > regedit

Repadmin.exe
  Description: Command-line tool that helps administrators diagnose replication problems between domain controllers.
  Location: Start > Run > cmd; at the command prompt, type repadmin /? to see options.

Secedit.exe
  Description: Configures and analyzes system security by comparing the current configuration with at least one security template.
  Location: Start > Run > cmd; at the command prompt, type secedit /? to see options.

Services snap-in
  Description: MMC snap-in that allows you to start, stop, or restart Windows services.
  Location: Start > Run > services.msc

Ultrasound
  Description: A tool that allows administrators to monitor the health of the File Replication service (FRS).
  Location: See www.microsoft.com for more information on the Ultrasound utility.

W32tm.exe
  Description: A tool used to diagnose problems having to do with Windows time.
  Location: Start > Run > cmd; at the command prompt, type w32tm /? to see options.

Note: Dcdiag.exe, Netdiag.exe, Netdom.exe, Nltest.exe, Repadmin.exe, Ldp.exe, and ADSI Edit are not installed by default. They are part of the Windows Support Tools, installed from Suptools.msi in the Support\Tools folder of the Windows Server 2003 CD.
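The following script is an added example, not code from this guide or from Microsoft. It turns the command-line tools in Table 3 (Dcdiag, Repadmin, Netdom, W32tm, Nltest) into one daily health sweep of a domain controller, writing every tool's full output to a report and summarizing what needs attention. It assumes Windows PowerShell is installed on a Windows Server 2003 domain controller, that the Windows Support Tools are on the PATH, and that the script runs under a domain account (so $env:USERDNSDOMAIN is set). The report folder is a hypothetical location chosen for the example.

```powershell
# Added example, not part of the guide: daily domain controller health sweep
# built from the command-line tools listed in Table 3. Assumed environment:
# Windows PowerShell on a Windows Server 2003 domain controller with the
# Windows Support Tools (dcdiag, repadmin, netdom, nltest) on the PATH.
# $ReportDir is a hypothetical location chosen for this example.

param(
    [string]$ReportDir = "C:\ADOps\Reports"
)

if (-not (Test-Path $ReportDir)) { New-Item -ItemType Directory -Path $ReportDir | Out-Null }
$stamp  = Get-Date -Format "yyyyMMdd-HHmm"
$report = Join-Path $ReportDir "dc-health-$env:COMPUTERNAME-$stamp.txt"
$failed = @()

function Invoke-Check {
    param([string]$Name, [string]$Command)
    # Run one tool through cmd.exe, append its full output to the report,
    # flag a non-zero exit code, and hand the output lines back for scanning.
    "===== $Name : $Command =====" | Out-File $report -Append
    $output = @(cmd.exe /c "$Command 2>&1")
    $output | Out-File $report -Append
    if ($LASTEXITCODE -ne 0) { $script:failed += "$Name (exit code $LASTEXITCODE)" }
    return $output
}

# dcdiag /q prints only failures; each one ends in "failed test <TestName>".
$diag = Invoke-Check -Name "dcdiag" -Command "dcdiag /q"
$diagFailures = @($diag | Select-String -Pattern "failed test")
if ($diagFailures.Count -gt 0) { $failed += "dcdiag ($($diagFailures.Count) failed tests)" }

# repadmin /showrepl lists every inbound replication partner per naming
# context. Its exit code stays 0 when partners fail, so scan the text instead.
$repl = Invoke-Check -Name "repadmin" -Command "repadmin /showrepl"
$replFailures = @($repl | Select-String -Pattern "Last attempt .* failed")
if ($replFailures.Count -gt 0) { $failed += "replication ($($replFailures.Count) failing partners)" }

# netdom query fsmo: every operations master role should resolve to a live DC.
Invoke-Check -Name "netdom" -Command "netdom query fsmo" | Out-Null

# w32tm /monitor: clock offset of each DC in the domain. Kerberos rejects
# tickets when clock skew exceeds the default tolerance of 5 minutes.
Invoke-Check -Name "w32tm" -Command "w32tm /monitor" | Out-Null

# nltest /sc_query: the secure channel to the domain must be healthy.
Invoke-Check -Name "nltest" -Command "nltest /sc_query:$env:USERDNSDOMAIN" | Out-Null

if ($failed.Count -eq 0) {
    Write-Host "All checks passed. Report: $report"
} else {
    Write-Host "Checks needing attention: $($failed -join '; ')"
    Write-Host "Details: $report"
    exit 1
}
```

Run it from a scheduled task under an account with administrative rights on the domain controller; a non-zero exit code is the signal to open the report. The script deliberately scans tool output rather than trusting exit codes, because dcdiag and repadmin report failing tests and failing replication partners in their text while still exiting successfully.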
Maintenance Processes Checklist

The following tables provide a quick reference for those product maintenance processes that need to be performed on a regular basis. These tables represent a summary of the processes, and their subordinate tasks and procedures, described in more detail in subsequent chapters of this guide. They are limited to those processes required for maintaining the product. Only the pertinent MOF quadrants and SMFs are addressed in this chapter. For example, there are no processes that fall within the Supporting Quadrant. There is a placeholder for the Supporting Quadrant, but no tables. Also, with one exception (backing up Active Directory, which is a daily process), all of the Active Directory maintenance processes addressed here fall into the as-needed category, so the weekly and monthly portions of the tables, and most of the daily portions, are blank. Only the portion of each table that has associated processes is filled in. Each listed process is linked to a detailed explanation of the process in the following chapter.

Operating Quadrant

The processes for this section are based on the service management functions that make up the MOF Operating Quadrant. Further information on the MOF Process Model and the MOF SMFs is available at http://www.microsoft.com/solutions/msm and http://www.microsoft.com/mof.

System Administration SMF

Daily Processes (Process Name: MOF Role Cluster)
  Back up Active Directory: Operations

Weekly Processes
  There are no weekly processes for this SMF.

Monthly Processes
  There are no monthly processes for this SMF.

As-Needed Processes (Process Name: MOF Role Cluster)
  Restore Active Directory: Operations
  Rename a domain controller: Operations
  Transferring a role holder: Infrastructure
  Seize an operations master role: Infrastructure
  Choose a standby operations master: Infrastructure
  Managing the SYSVOL: Infrastructure
  Managing sites: Infrastructure
  Authoritative restore for Active Directory objects: Operations
  Recovering a domain controller through reinstallation: Operations
  Move an operations master role: Infrastructure
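The one daily process in the table above is backing up Active Directory. The following script is an added example, not code from this guide or from Microsoft, of how that daily job can be automated with Ntbackup.exe (the Backup utility from Table 3), together with the check a practitioner most wants on the result: that the newest backup is still younger than the forest's tombstone lifetime, because a System State backup older than that cannot be used to restore a domain controller. It assumes Windows PowerShell on a Windows Server 2003 domain controller; the backup folder, retention period and job name are hypothetical choices for the example.

```powershell
# Added example, not part of the guide: daily System State backup of a domain
# controller with Ntbackup.exe, followed by a tombstone-lifetime check.
# Assumed environment: Windows PowerShell on a Windows Server 2003 DC, run by
# an account in Administrators or Backup Operators. $BackupDir and $KeepDays
# are hypothetical choices for this example.

param(
    [string]$BackupDir = "E:\ADBackup",
    [int]$KeepDays = 14
)

if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
$stamp = Get-Date -Format "yyyyMMdd-HHmm"
$bkf   = Join-Path $BackupDir "systemstate-$env:COMPUTERNAME-$stamp.bkf"

# System State on a DC includes the Active Directory database (Ntds.dit),
# SYSVOL, the registry and boot files. /v:yes verifies the set after writing;
# /l:s writes a summary log; /m normal is one of the two types allowed for
# System State (normal or copy). Ntbackup is a windowed program, so wait on
# the process object rather than on the call operator.
$arguments = "backup systemstate /j `"AD System State $env:COMPUTERNAME`" /f `"$bkf`" /v:yes /l:s /m normal"
$proc = [System.Diagnostics.Process]::Start("ntbackup.exe", $arguments)
$proc.WaitForExit()

if (-not (Test-Path $bkf)) {
    Write-Host "Backup file was not created: $bkf"
    exit 1
}

# The .bkf holds Ntds.dit, and with it every account's password hashes.
# Keep $BackupDir readable only by Administrators and Backup Operators.

# Read the forest's tombstone lifetime from the Directory Service object in
# the configuration partition. When the attribute is unset, Windows Server
# 2003 uses 60 days; forests created with Windows Server 2003 SP1 set 180.
$rootDse   = [ADSI]"LDAP://RootDSE"
$configNC  = $rootDse.Properties["configurationNamingContext"].Value
$dsObject  = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$tombstone = $dsObject.Properties["tombstoneLifetime"].Value
if ($tombstone -eq $null) { $tombstone = 60 }

# Prune backups beyond the retention window. The set just written is newer
# than the cutoff, so at least one backup always remains.
$cutoff = (Get-Date).AddDays(-$KeepDays)
Get-ChildItem $BackupDir -Filter "systemstate-*.bkf" |
    Where-Object { $_.LastWriteTime -lt $cutoff } |
    Remove-Item

# Warn when the newest usable backup is halfway to the tombstone lifetime.
$newest  = Get-ChildItem $BackupDir -Filter "systemstate-*.bkf" |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
$ageDays = ((Get-Date) - $newest.LastWriteTime).Days
if ($ageDays -ge ($tombstone / 2)) {
    Write-Host "WARNING: newest System State backup is $ageDays days old; tombstone lifetime is $tombstone days"
} else {
    Write-Host "Newest System State backup: $($newest.Name) ($ageDays days old; tombstone lifetime $tombstone days)"
}
```

Schedule it daily as the checklist requires. Keep the retention period well inside the tombstone lifetime: a backup that is older than the tombstone lifetime would reintroduce objects that the rest of the forest has already deleted, which is why Windows refuses to restore from one.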
Security Administration SMF

Daily Processes
  There are no daily processes for this SMF.

Weekly Processes
  There are no weekly processes for this SMF.

Monthly Processes
  There are no monthly processes for this SMF.

As-Needed Processes (Process Name: MOF Role Cluster)
  Manage antivirus software on domain controllers: Security
Supporting Quadrant
There are no Active Directory processes that fall within the MOF Supporting Quadrant and its SMFs.

Optimizing Quadrant
The tasks for this section are based on the SMFs that make up the MOF Optimizing Quadrant.

Availability Management SMF

Daily Processes
There are no daily processes for this SMF.

Weekly Processes
There are no weekly processes for this SMF.

Monthly Processes
There are no monthly processes for this SMF.

As-Needed Processes
Process Name                                            Related SMFs   MOF Role Cluster
Manage the Active Directory database                                   Infrastructure
Add a global catalog                                                   Infrastructure
Manage the Windows Time service                                        Infrastructure
Managing trusts                                                        Infrastructure
Capacity Management SMF

Daily Processes
There are no daily processes for this SMF.

Weekly Processes
There are no weekly processes for this SMF.

Monthly Processes
There are no monthly processes for this SMF.

As-Needed Processes
Process Name                                            Related SMFs   MOF Role Cluster
Removing the global catalog from a domain controller                   Infrastructure
Identify global catalog servers in a site                              Infrastructure
Reduce the workload on the PDC emulator                                Infrastructure
Changing Quadrant
The processes for this section are based on the SMFs that make up the MOF Changing Quadrant.

Release Management SMF

Daily Processes
There are no daily processes for this SMF.

Weekly Processes
There are no weekly processes for this SMF.

Monthly Processes
There are no monthly processes for this SMF.

As-Needed Processes
Process Name                                            Related SMFs   MOF Role Cluster
Installing a domain controller for an existing domain                  Release
Change Management SMF

Daily Processes
There are no daily processes for this SMF.

Weekly Processes
There are no weekly processes for this SMF.

Monthly Processes
There are no monthly processes for this SMF.

As-Needed Processes
Process Name                                            Related SMFs             MOF Role Cluster
Removing Active Directory                               Release Management SMF   Release
3 Detailed Maintenance Actions

Overview
This chapter provides detailed information about the processes that must be performed in order to maintain Active Directory. These processes are arranged according to the MOF quadrant to which they belong and, within each quadrant, by the MOF service management functions (SMFs) that make up that quadrant. Those quadrants are:
- Operating Quadrant
- Supporting Quadrant
- Optimizing Quadrant
- Changing Quadrant

Further information about the MOF Process Model and the MOF SMF guides is available at http://www.microsoft.com/solutions/msm. Further information about the MOF Team Model and role clusters is available at http://www.microsoft.com/mof.
Operating Quadrant
System Administration SMF
Operations Role Cluster

Daily Process: Back up Active Directory

Description
Active Directory is backed up as part of Microsoft Windows system state, a collection of system components that depend on each other. All system state components must be backed up and restored together. The system state components on a domain controller include:
- System start-up (boot) files. These are the files required for Windows Server 2003 to start.
- System registry.
- Class registration database of component services. The Component Object Model (COM) is a binary standard for writing component software in a distributed systems environment.
- System volume (SYSVOL). SYSVOL provides a default Active Directory location for files that must be shared for common access throughout a domain. The SYSVOL folder on a domain controller contains:
  - The Net Logon shared folder. This usually hosts user logon scripts and system policy files for down-level (pre-Windows 2000) clients that do not process Group Policy.
  - User logon scripts for Active Directory-enabled clients.
  - Windows Server 2003 GPOs.
  - File system junctions.
  - File Replication service (FRS) staging directories and files that are required to be available and synchronized between domain controllers.
- Active Directory, including:
  - The Active Directory database (Ntds.dit)
  - The checkpoint file (Edb.chk)
  - The transaction logs, each 10 megabytes (MB) in size (Edb*.log)
  - Reserved transaction logs (Res1.log and Res2.log)

If you use Active Directory-integrated Domain Name System (DNS), be sure that you back up a domain controller that is hosting DNS. If you do not use Active Directory-integrated DNS, you must explicitly back up the zone files. However, if you back up the system disk along with the system state, zone data is backed up as part of the system disk. If you installed Windows Clustering or Certificate Services on your domain controller, they are also backed up as part of system state. Details of these components are not discussed in this guide.

Purpose
There are several reasons why a current, verified, and reliable backup is needed:
- To restore Active Directory data that becomes lost or corrupted. Using an authoritative restore process, you can restore individual objects or sets of objects from their deleted state.
- To recover a domain controller that cannot boot normally because of software or hardware failure.
- To perform a forest recovery in the event that forest-wide corruption occurs.
- To perform an install from media operation. This new feature in Windows Server 2003 allows you to promote a new domain controller and populate it with current information from a local source, rather than having to wait for a full initial replication over potentially much slower media, for example, a 56K connection.

Guidelines
Although the Backup tool in Windows Server 2003 supports multiple types of backup (normal, copy, incremental, differential, and daily), the only type of backup available and supported for Active Directory is normal, because Active Directory is backed up as part of system state. A normal backup creates a backup of the entire system state while the domain controller is online. If you do not use Active Directory-integrated DNS zones, you should include the file paths that contain all of your DNS zone files in the backup, in addition to the system state and/or system disk, to ensure a successful recovery.

Which domain controllers to back up
For every Active Directory domain, you can define a backup set composed of the physical domain controllers that would be required to successfully restore the domain. The collection of domain backup sets ensures that a forest restore operation can be performed. At a minimum, the backup set consists of two or more domain controllers for each domain and at least one domain controller that is a member of each application partition replica set. The backup set must contain a system state and a system disk backup for each computer in the set, and must include a global catalog server. If you are using Active Directory-integrated DNS, it is useful to back up at least one DNS server.
Note A backup can only be used to restore the domain controller that the backup was generated from. It cannot be used to restore a different domain controller or this domain controller onto different hardware.
When to back up Active Directory
At a minimum, each domain controller in the backup set must be backed up at least twice within the tombstone lifetime. By default, the tombstone lifetime is 60 days, which places the requirement of a backup for each domain controller in the backup set every 30 days. (Forests created with Windows Server 2003 SP1 or later set the tombstone lifetime to 180 days; check the tombstoneLifetime attribute of CN=Directory Service,CN=Windows NT,CN=Services in the configuration partition rather than assuming the default.) While monthly backup operations are adequate for successful disaster recovery, they do not facilitate the recovery of new information added since the last backup. You will need to consider these changes when you are planning backup frequency. The frequency of backups is dictated both by business requirements and technical requirements and should be adjusted according to your deployment's needs.

By default, machine accounts change their passwords every 30 days. Therefore, domain controllers will also change their machine account passwords every 30 days. If you were to restore a domain controller with an old password, it could result in that domain controller being unable to replicate with its partners. Therefore, to minimize the effect of restoring a domain controller with an old password, you should perform a backup more than once every 30 days.

In addition to regular backup requirements, an immediate backup should be taken when:
- The storage location of the database (Ntds.dit) or log files is changed.
- A domain controller is upgraded from Windows 2000 Server to Windows Server 2003, or any further operating system upgrade is applied.
- A current backup is required for an install from media operation for a new domain controller.
- The tombstone lifetime is changed.
Note A backup from a Windows 2000 Server cannot be used to restore a domain controller running Windows Server 2003.
Active Directory protects itself from restoring data older than the tombstone lifetime by disallowing the restore. As a result, the useful life of a backup is equivalent to the tombstone lifetime setting for the enterprise.

Task: Back up Active Directory and associated components
Procedure: Back up system state
Link to procedure
Procedure: Back up system state and the system disk
Link to procedure

Dependencies
None

Technology Required
Backup
Tape drive or other backup media
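As an added example that is not part of the original guide, the following PowerShell script applies the backup-frequency rules above before taking a new system state backup with Ntbackup.exe, the Windows Server 2003 Backup tool. It reads the forest's tombstoneLifetime from the configuration partition, compares it with the age of the newest backup file in a folder, and warns when that backup is older than half the tombstone lifetime or older than the 30-day machine account password interval. The backup folder D:\Backups and the file naming are assumptions; run it on the domain controller as an administrator or Backup Operator.

```powershell
# Added example, not from the guide. Assumed: Windows Server 2003 with Ntbackup.exe,
# run locally on the DC, and a hypothetical backup folder D:\Backups.
$BackupFolder = 'D:\Backups'
$BackupFile   = Join-Path $BackupFolder ("SystemState-{0}-{1}.bkf" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmm'))

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime is stored on CN=Directory Service in the configuration partition.
    # When the attribute is not set, Windows Server 2003 uses 60 days; forests created
    # with Windows Server 2003 SP1 or later set it explicitly to 180 days.
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $ds = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $tsl = $ds.Properties['tombstoneLifetime'].Value
    if ($tsl) { return [int]$tsl } else { return 60 }
}

function Get-LastBackupAgeDays {
    param([string]$Folder)
    # Age in days of the newest .bkf file in the folder, or $null if there is none.
    $newest = Get-ChildItem -Path $Folder -Filter '*.bkf' -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $newest) { return $null }
    return ((Get-Date) - $newest.LastWriteTime).TotalDays
}

function Test-BackupCurrent {
    param([double]$AgeDays, [int]$TombstoneLifetimeDays)
    # The guide's rules: at least two backups per tombstone lifetime, and more often
    # than the 30-day machine account password change.
    $maxAge = [Math]::Min($TombstoneLifetimeDays / 2, 30)
    return ($AgeDays -le $maxAge)
}

$tsl = Get-TombstoneLifetimeDays
$age = Get-LastBackupAgeDays -Folder $BackupFolder
if ($age -eq $null) {
    Write-Warning "No previous system state backup found in $BackupFolder."
} elseif (-not (Test-BackupCurrent -AgeDays $age -TombstoneLifetimeDays $tsl)) {
    Write-Warning ("Newest backup is {0:N1} days old; tombstone lifetime is {1} days, and a backup older than that cannot be restored." -f $age, $tsl)
}

# Normal (full) backup of system state. /J names the job, /F sets the output file,
# /L:s writes a summary log. The system disk is backed up as a separate job.
if (-not (Test-Path $BackupFolder)) { New-Item -ItemType Directory -Path $BackupFolder | Out-Null }
& ntbackup.exe backup systemstate /J "System state $env:COMPUTERNAME" /F $BackupFile /L:s
if (-not (Test-Path $BackupFile)) { throw "Backup file $BackupFile was not created; check the Ntbackup log." }
```

Schedule the script more often than the 30-day limit the guide derives above; the warning only tells you that the previous backup has already aged past the point where a restore from it is safe.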
Operating Quadrant
System Administration SMF
Operations Role Cluster

As-Needed Process: Non-authoritative restore of Active Directory

Description
A non-authoritative restore returns the domain controller to its state at the time of backup and then allows normal replication to overwrite that state with any changes that have occurred after the backup was taken. After you restore the system state, the domain controller queries its replication partners. The replication partners replicate any changes to the restored domain controller, ensuring that the domain controller has an accurate and updated copy of the Active Directory database.

Purpose
A non-authoritative restore allows the entire directory to be restored on a domain controller, without reintroducing or changing objects that have been modified since the backup. The most common use of a non-authoritative restore is to bring an entire domain controller back, often after catastrophic or debilitating hardware failures. It is uncommon for data corruption to drive a non-authoritative restore, unless the corruption is local and the database cannot be successfully loaded.

Guidelines
If you intend to restore a deleted object (or objects), you should refer to the procedures outlined for an authoritative restore. A non-authoritative restore should be used any time the entire directory is being restored on a single domain controller in order to deal with a local database corruption or hardware failure. A system state restore can be performed on a Windows Server 2003 stand-alone server, member server, or domain controller; on a domain controller the server must be started in Directory Services Restore Mode so that the Active Directory database is not in use while it is replaced.

Task: Perform a non-authoritative restore of a domain controller
A non-authoritative restore is the default method for restoring Active Directory. To perform a non-authoritative restore, you must be able to start the domain controller in Directory Services Restore Mode. After you restore the domain controller from backup media, replication partners use the standard replication protocols to update both Active Directory and associated information on the restored domain controller.

Procedure 1: Restart the domain controller in Directory Services Restore Mode
Note: In cases where you have to reinstall the operating system, you do not have to start in Directory Services Restore Mode before you restore the directory. After you have reinstalled the operating system, you can perform the restore after the machine boots normally.
Link to procedure.
Procedure 2: Restore from backup media
Link to procedure.
Procedure 3: Verify Active Directory restore
Link to procedure.

Task: Restore a domain controller through reinstallation and subsequent restore from backup
If you cannot restart a domain controller in Directory Services Restore Mode, you can restore it through reinstallation of the operating system, and subsequently restore Active Directory from backup. In order for the restore operation to succeed, Windows Server 2003 must be reinstalled to the same drive letter as previously and with at least the same amount of physical drive space. After you reinstall Windows Server 2003, perform a non-authoritative restore of the system state and the system disk.

Procedure 1: Install Windows Server 2003
This guide does not address installing Windows Server 2003.
Procedure 2: Restore from backup media
Link to procedure.
Procedure 3: Verify Active Directory restore
Link to procedure.

Dependencies
The domain controller being restored needs to have a previous backup taken with the Backup utility.

Technology Required
Backup
Operating Quadrant
System Administration SMF
Operations Role Cluster

As-Needed Process: Authoritative restore for Active Directory objects

Description
An authoritative restore process returns an object to its state at the time of the backup that is restored, normally the most recent one. Changes made to that object since the backup will be erased. This differs from a non-authoritative restore, which relies on the presence of a replication partner to bring in the current data, including information about objects that were deleted since the backup. An authoritative restore should not be relied on as part of a change control infrastructure. Proper delegation of administration and change enforcement will optimize data consistency, integrity, and security.

Purpose
An authoritative restore is most commonly used to restore corrupt or deleted objects from the directory, for example, a deleted user account. An authoritative restore should not be used to restore an entire domain controller.

Guidelines
An authoritative restore of a subtree or leaf object restores that subtree or leaf and marks it as authoritative for the directory. This means that the restored object will be replicated out to other domain controllers and will be the data that is maintained moving forward. In cases where the object was deleted, it will be revived; in other cases, the object will be returned to a previous state. It is important to ensure successful recovery of the information being restored. Group membership is particularly sensitive and can be greatly affected by the procedures that are followed during an authoritative restore. You begin by restoring from backup media, just as in a non-authoritative restore, and then perform the following additional steps to complete an authoritative restore.

Task: Perform an authoritative restore of one or more directory objects
Note: If the objects that were deleted do not include group objects, then you don't need to perform steps 3-10. Additionally, if the groups that were deleted do not have members among the list of deleted objects, then you do not need to perform steps 3-10.
Procedure 1: Restore from backup media
Link to procedure.

Procedure 2: Mark the object(s) authoritative
Once the data has been restored from backup, you must select which objects are to be marked authoritative in order to have them replicated to other domain controllers. In order to complete this operation, you must know the full distinguished name (also known as DN) of the object you wish to restore.
Link to procedure.

Procedure 3: Reboot the computer in isolation
To combat some of the challenges of a distributed system and to ensure successful restoration of data, it is necessary to follow some additional precautions during the authoritative restore process. Rebooting the machine in isolation helps you prepare for the next step, which is to turn off inbound replication, since you cannot turn off inbound replication in Directory Services Restore Mode. If you do need to reboot, the most common way to boot a computer in isolation is to remove the network connection from the domain controller by physically removing the network cable. Alternate methods may be possible depending on your network hardware and enterprise practices. It is important to prevent the domain controller from communicating with any other domain controller in the domain or forest. You should also isolate the domain controller from any clients that could invoke change on any object in the directory.

Procedure 4: Turn off inbound replication using repadmin
By turning off inbound replication, you ensure that no changes replicate into the domain controller and alter group membership.
Link to procedure.

Procedure 5: Reconnect the computer to the network
Once inbound replication has been turned off, it is safe to reconnect the domain controller to the network. If you isolated your computer by removing the network cable or by disconnecting the network connection from the domain controller, reconnect it to bring the domain controller back onto the network. If you followed other procedures based on your enterprise network equipment, follow the equipment's recommendations for reconnecting the domain controller to the network.

Procedure 6: Allow this computer to replicate with all its partners
In order for the newly restored object to become available and be instantiated in its restored form on all domain controllers, successful replication between the domain controller originating the restored changes and its partners must occur.
Link to procedure.

Procedure 7: Restart domain controller in Directory Services Restore Mode
Link to procedure.

Procedure 8: Mark the object(s) authoritative
One of the challenges of restoring objects, and their group memberships, is the fact that the membership and object may replicate in different orders. If the membership replicates before a user is restored, the receiving domain controller will not update the membership because the user does not yet exist there. In order to overcome the effects of this behavior, it is necessary to mark the objects that have been restored authoritative a second time, and once again have the information replicated out.
Link to procedure.

Procedure 9: Reboot computer
Once the authoritative restore of the object or objects has been completed a second time, the domain controller can be rebooted into normal mode.
Note There are no further details for this procedure.
Procedure 10: Turn on inbound replication
Link to procedure.
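The replication controls of Procedures 4, 6 and 10, together with the ntdsutil commands for Procedures 2 and 8, as an added PowerShell example that is not part of the original guide. It assumes repadmin.exe from the Windows Server 2003 Support Tools on the restored domain controller, a hypothetical domain controller name and object DN, and that the ntdsutil lines are typed at the ntdsutil prompt while the domain controller is in Directory Services Restore Mode (the authoritative restore commands are refused in normal mode). The repadmin calls run in normal mode, and each one reads the DC's options back so that a failed change cannot go unnoticed.

```powershell
# Added example, not from the guide. Assumed: repadmin.exe and ntdsutil.exe on the
# restored DC; the DC name and distinguished name below are placeholders.
$Dc       = 'DC1.contoso.com'
$ObjectDn = 'CN=Jane Doe,OU=Sales,DC=contoso,DC=com'

function Get-DcOptions {
    param([string]$DcName)
    # "repadmin /options <DC>" prints "Current DC Options: IS_GC DISABLE_INBOUND_REPL ..."
    $line = & repadmin.exe /options $DcName | Where-Object { $_ -match 'Current DC Options:' }
    if (-not $line) { throw "Could not read DC options for $DcName" }
    return @(([string]$line -replace '^.*Current DC Options:\s*', '') -split '\s+' | Where-Object { $_ })
}

function Set-InboundReplication {
    param([string]$DcName, [bool]$Enabled)
    # Procedure 4 sets DISABLE_INBOUND_REPL (+), Procedure 10 clears it (-). The flag is
    # read back afterwards so that a failed repadmin call cannot pass silently.
    $flag = if ($Enabled) { '-DISABLE_INBOUND_REPL' } else { '+DISABLE_INBOUND_REPL' }
    & repadmin.exe /options $DcName $flag | Out-Null
    $disabled = (Get-DcOptions -DcName $DcName) -contains 'DISABLE_INBOUND_REPL'
    if ($disabled -eq $Enabled) { throw "DISABLE_INBOUND_REPL on $DcName did not change" }
    return (-not $disabled)
}

function Push-RestoredObjects {
    param([string]$DcName)
    # Procedure 6: push this DC's authoritative changes to every partner, all
    # partitions (/A), across site links (/e), push rather than pull (/P).
    & repadmin.exe /syncall $DcName /A /e /P | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Get-NtdsutilRestoreCommands {
    param([string]$Dn, [switch]$Subtree)
    # Procedures 2 and 8, typed at the ntdsutil prompt in DSRM. "restore object" marks
    # one leaf; "restore subtree" marks a container and everything under it.
    $verb = if ($Subtree) { 'restore subtree' } else { 'restore object' }
    return @('authoritative restore', "$verb `"$Dn`"", 'quit', 'quit')
}

# Run these calls one at a time at the indicated procedure; the reboots in between mean
# the task is not one unattended pass.
Set-InboundReplication -DcName $Dc -Enabled $false | Out-Null                       # Procedure 4, after the isolated reboot
# Procedure 5: reconnect the network cable.
if (-not (Push-RestoredObjects -DcName $Dc)) { throw 'repadmin /syncall reported errors' }   # Procedure 6
# Procedures 7-9: restart in DSRM, type these lines at the ntdsutil prompt, reboot normally.
Get-NtdsutilRestoreCommands -Dn $ObjectDn | ForEach-Object { Write-Host "ntdsutil> $_" }
Set-InboundReplication -DcName $Dc -Enabled $true | Out-Null                        # Procedure 10
```

Leaving DISABLE_INBOUND_REPL set is the usual failure of this task: the DC keeps pushing its data but silently stops receiving, so check `repadmin /options` on the DC at the end of Procedure 10 rather than assuming the flag was cleared.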
Task: Perform an authoritative restore of an application partition
Restoration of an application partition will mark all data that is present in the application partition as authoritative for the replica set. Information that is contained within an application partition will replicate to all domain controllers in the forest that were previously present in the replica set. You should have a current valid backup of the application partition prior to restoring, in the event that particular object changes are lost because of changes since the backup. If you wish to restore an object or objects from an application partition, refer to the Task: Perform an authoritative restore of one or more directory objects.

Procedure 1: Restore from backup media
Link to procedure.
Procedure 2: Mark the application partition as authoritative
Link to procedure.
Procedure 3: Reboot computer
Once the application partition has been marked authoritative, the domain controller can be rebooted into normal mode.

Task: Perform an authoritative restore of Group Policy
Restoring a GPO restores the GPO to a previous state. A restore operation can be used in both of the following cases: the GPO was backed up but has since been deleted, or the GPO is live and you want to roll back to a known previous state. A restore operation retains the original GPO GUID even if the restore is recreating a deleted GPO. This is a key difference between the restore operation and the import or copy operations discussed in later sections of this guide. A restore operation replaces the following components of a GPO:
- GPO settings
- ACLs on the GPO
- WMI filter links (but not the filters themselves)

The restore operation does not restore links to a SOM (Scope of Management). Any existing links will continue to be used, for example, when restoring an existing GPO to a previous state. However, if the user has deleted a GPO and all links to the GPO, the user must recreate these links after restoring the GPO. To facilitate recreating these links, you can view the report in the backup to identify all links in the domain of the GPO. For more information, see Administering Group Policy with the GPMC at http://www.microsoft.com/windowsserver2003/gpmc/gpmcwp.mspx.

Procedure 1: Restore Group Policy
Link to procedure.
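Restoring a GPO and then re-creating the SOM links that the restore does not bring back, as an added PowerShell example that is not part of the original guide or of the GPMC. It assumes the GroupPolicy PowerShell module that ships with later Windows Server releases (the Windows Server 2003 GPMC instead provides the RestoreGPO.wsf sample script), a hypothetical backup folder and GPO name, and a list of link targets taken from the backup report. The check at the end confirms both points the text makes: the GUID survives the restore, and the links only exist because the script re-created them.

```powershell
# Added example, not from the guide. Assumed: GroupPolicy module (Windows Server 2008 R2
# or later), a hypothetical backup folder, GPO name, expected GUID and link targets.
Import-Module GroupPolicy

$GpoName     = 'Sales Desktop Lockdown'
$ExpectedId  = [guid]'31b2f340-016d-11d2-945f-00c04fb984f9'   # GUID recorded in the backup report (placeholder)
$BackupPath  = 'D:\GPOBackups'
$LinkTargets = @('OU=Sales,DC=contoso,DC=com', 'OU=Sales Laptops,DC=contoso,DC=com')

function Get-LinkedGpoIds {
    param([string]$Target)
    # GPO GUIDs currently linked to one SOM (OU, domain or site DN).
    return @((Get-GPInheritance -Target $Target).GpoLinks | ForEach-Object { $_.GpoId })
}

function Restore-GpoWithLinks {
    param([string]$Name, [string]$Path, [string[]]$Targets)
    # Restore-GPO keeps the original GUID even when the GPO had been deleted, but links
    # to SOMs are not part of the GPO and must be re-created from the backup report.
    $gpo = Restore-GPO -Name $Name -Path $Path
    foreach ($target in $Targets) {
        if (-not ((Get-LinkedGpoIds -Target $target) -contains $gpo.Id)) {
            New-GPLink -Name $Name -Target $target -LinkEnabled Yes | Out-Null
        }
    }
    return $gpo.Id
}

function Test-GpoRestored {
    param([guid]$GpoId, [guid]$Expected, [string[]]$Targets)
    if ($GpoId -ne $Expected) { return $false }          # a copy/import would get a new GUID
    foreach ($target in $Targets) {
        if (-not ((Get-LinkedGpoIds -Target $target) -contains $GpoId)) { return $false }
    }
    return $true
}

$id = Restore-GpoWithLinks -Name $GpoName -Path $BackupPath -Targets $LinkTargets
if (-not (Test-GpoRestored -GpoId $id -Expected $ExpectedId -Targets $LinkTargets)) {
    throw "GPO '$GpoName' was restored as $id but is not linked everywhere expected"
}
```

New-GPLink appends the link at the end of the SOM's link order; if the backup report shows the GPO higher in precedence, pass the recorded position with the -Order parameter.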
Operating Quadrant
System Administration SMF
Operations Role Cluster

As-Needed Process: Recovering a domain controller through reinstallation

Description
Recovering through reinstallation is the same process as creating a new domain controller. It does not involve restoring from backup media. This method relies on Active Directory replication to restore a domain controller to a working state and is valid only if another healthy domain controller exists in the same domain. This option is normally used on computers that function only as a domain controller.

Purpose
Recovering through reinstallation is the only method by which a domain controller that is not part of the backup set can be restored. Additionally, this procedure may be chosen over a non-authoritative restore because of the inaccessibility of the backup media or for convenience.

Guidelines
This process assumes a complete reinstallation of the operating system. It is recommended that prior to installing the operating system, the entire system disk be formatted, which will remove all information on the system disk. Ensure that any important or relevant data is moved or backed up before performing these actions. Recovering through reinstallation should not be a substitute for regular backup routines, which are needed to ensure a successful recovery should the need arise, because it depends on the presence of another domain controller in the same domain.

Bandwidth is the primary consideration for recovering a domain controller through reinstallation. The bandwidth required depends on the size of the Active Directory database and on how quickly the domain controller must be back in a functioning state. Ideally, the existing functional domain controller should be located in the same Active Directory site as the replicating (new) domain controller in order to reduce network impact and the time the reinstallation takes to complete.

Task: Recovering a domain controller through reinstallation
Procedure 1: Clean up metadata
Link to procedure.
Procedure 2: Install Windows Server 2003
It is assumed that a fresh installation of Windows Server 2003 will be performed. This may be preceded by partition or format actions on your hard disk drive in preparation for the install.
Procedure 3: Verify DNS registration and functionality
Link to procedure.
Procedure 4: Verify communication with other domain controllers
Link to procedure.
Procedure 5: Verify the availability of the operations masters
Link to procedure.
Procedure 6: Install Active Directory
During the installation process, replication occurs, ensuring that the domain controller has an accurate and up-to-date copy of Active Directory. Optionally, use the same information for this domain controller as the domain controller it is replacing. Site placement, domain controller name, and domain membership should remain the same. If you plan on installing the domain controller under a different name, you may wish to also refer to the process: Installing a domain controller for an existing domain.
Link to procedure.
Procedure 7: Verify Active Directory installation
Read and perform the procedures in Task: Verify Active Directory Installation.
Link to task.

Dependencies
Domain Administrator credentials

Technology Required
Dcpromo.exe or Backup
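Procedure 1 (metadata cleanup) as an added PowerShell example that is not part of the original guide. It removes the failed domain controller's metadata with the Windows Server 2003 SP1 form of ntdsutil ("remove selected server <server DN>") and then checks the configuration partition to confirm the NTDS Settings object is gone, which is what the later verification steps and the re-promotion depend on. The failed DC name and site are assumptions; run it on a surviving domain controller as a member of Enterprise Admins, with the failed computer kept off the network until it is reinstalled.

```powershell
# Added example, not from the guide. Assumed: Windows Server 2003 SP1 ntdsutil.exe
# (which accepts "remove selected server <DN>"), run on a surviving DC by a member of
# Enterprise Admins; the failed DC name and site are placeholders.
$FailedDc = 'DC2'
$Site     = 'Seattle'

function Get-ServerDn {
    param([string]$DcName, [string]$SiteName)
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    return "CN=$DcName,CN=Servers,CN=$SiteName,CN=Sites,$configNc"
}

function Test-NtdsSettingsExists {
    param([string]$ServerDn)
    # The NTDS Settings child of the server object is what marks the server as a DC
    # in the directory; while it exists, partners keep trying to replicate with it.
    return [ADSI]::Exists("LDAP://CN=NTDS Settings,$ServerDn")
}

function Remove-DcMetadata {
    param([string]$DcName, [string]$SiteName)
    $serverDn = Get-ServerDn -DcName $DcName -SiteName $SiteName
    if (-not (Test-NtdsSettingsExists $serverDn)) { return $true }   # already clean
    # ntdsutil asks for confirmation in a dialog box before it deletes anything. If the
    # site name contained spaces, the DN would have to be quoted inside the command.
    & ntdsutil.exe 'metadata cleanup' "remove selected server $serverDn" quit quit | Out-Null
    return (-not (Test-NtdsSettingsExists $serverDn))
}

if (-not (Remove-DcMetadata -DcName $FailedDc -SiteName $Site)) {
    throw "CN=NTDS Settings for $FailedDc still exists; complete the cleanup before reinstalling."
}
Write-Host "Metadata for $FailedDc removed. Also delete its computer account and DNS records, and seize any operations master roles it held."
```

Cleaning the metadata before the reinstall matters for more than tidiness: if the old NTDS Settings object is still present when the rebuilt server is promoted under the same name, the promotion collides with the stale object and the remaining DCs keep a replication partner that no longer exists.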
Changing Quadrant
Release Management SMF
Release Role Cluster

As-Needed Process: Installing a domain controller for an existing domain

Description
This process covers the installation of Active Directory onto a Windows Server 2003 system that will become a domain controller in an existing Active Directory domain. For more information regarding the best practices for planning, testing, and deploying Active Directory, refer to the Windows Server 2003 Deployment Kit: Designing and Deploying Directory and Security Services at http://www.microsoft.com/downloads/details.aspx?familyid=6cde6ee7-5df1-4394-92ed-2147c3a9ebbe&displaylang=en.

To ensure successful installation of a new domain controller, you should verify that all critical services that Active Directory depends on are configured following Microsoft best practices. Active Directory is installed on a Windows Server 2003 server by running the Active Directory Installation Wizard. The wizard simplifies the promotion process by automating as much of the installation as possible. To run the Active Directory Installation Wizard, you must be a member of the Domain Admins group.

Purpose
There are several motivations for adding a new domain controller. Additional domain controllers may be required to meet increased capacity requirements, to support additional Active Directory-integrated applications, to provide upgrades and fault tolerance, and to reduce failures. For more information on criteria for deploying a new domain controller and best practices for Active Directory, refer to the Windows Server 2003 Deployment Kit: Designing and Deploying Directory and Security Services.

Guidelines
Before you begin your installation, the following conditions must exist in your environment:
- Your Active Directory forest root domain must already exist with at least two properly functioning domain controllers.
- If you are installing a new domain controller for a child domain, there should be at least two properly functioning domain controllers in the forest root domain.
- DNS must be functioning properly. This guide assumes you are using Active Directory-integrated DNS zones. You must configure at least one domain controller as a DNS server.
Creating or removing a domain or forest is beyond the scope of this guide.

Task: Preparing for Active Directory installation
Properly preparing for the installation of Active Directory decreases the chances of problems occurring during the installation process and helps you quickly complete the operation. Preparation includes installing and configuring DNS and gathering information that you need for the installation.

Configure DNS
The DNS client is always present on a Windows Server 2003 server. You should properly configure both the DNS client and the DNS server to ensure that name resolution and related dependencies will function as expected during the installation of Active Directory. Ensure that any required configuration, forwarders, or zones are present and accessible prior to installation. For more information about DNS configuration best practices, see the Windows Server 2003 Deployment Kit: Designing and Deploying Directory and Security Services at http://www.microsoft.com/downloads/details.aspx?familyid=6cde6ee7-5df1-4394-92ed-2147c3a9ebbe&displaylang=en.

Site Placement
During installation, the Active Directory Installation Wizard attempts to place the new domain controller in the appropriate site. The appropriate site is determined by the domain controller's IP address and subnet mask. The wizard uses the IP information to calculate the subnet address of the domain controller and checks to see if a Subnet object exists in the directory for that subnet address. If the Subnet object exists, the wizard uses it to place the new Server object in the appropriate site. If not, the wizard places the new Server object in the same site as the domain controller that is being used as a source to replicate the directory database to the new domain controller. Make sure the Subnet object has been created for the desired site prior to running the wizard. A site is allocated according to the following rules:
1. If you specify a site in the unattended answer file that is used to create the new domain controller, the domain controller will be placed directly into that site when it is built.
2. If no site is specified in the unattended answer file when the new domain controller is built, then by default the domain controller will be placed in a site based on its IP address.
3. If you specify a replica partner in the unattended answer file but do not specify a site, and no Subnet object matches the IP address, the new domain controller is placed in the replica partner's site.
4. If neither a replica partner nor a site is specified, and no Subnet object matches the IP address, the site depends on which domain controller is selected as the source for initial replication, which is effectively random.
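A dcpromo answer file that pins the new replica to a site and a replication source (rule 1 above), written and validated from PowerShell, as an added example that is not part of the original guide. The [DCInstall] keys are the documented Windows Server 2003 unattended-promotion keys; the domain, site, source DC, paths and credential placeholders are assumptions. The script checks that the named site exists before calling dcpromo, because the wizard would otherwise fail only after the credentials have been typed in, and it deletes the answer file afterwards since it contains a password and the Directory Services Restore Mode password.

```powershell
# Added example, not from the guide. Assumed: Windows Server 2003 dcpromo.exe and the
# documented [DCInstall] keys; domain, site, source DC, paths and the <...> credential
# placeholders must be replaced before use.
$Answer = @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=contoso.com
SiteName=Seattle
ReplicationSourceDC=DC1.contoso.com
DatabasePath=D:\NTDS
LogPath=E:\NTDSLogs
SYSVOLPath=D:\SYSVOL
SafeModeAdminPassword=<DSRM password>
UserDomain=contoso.com
UserName=<domain admin account>
Password=<password>
RebootOnSuccess=No
"@

function Get-AnswerValue {
    param([string]$Text, [string]$Key)
    # Pull one key out of the [DCInstall] section so the file can be validated first.
    $m = [regex]::Match($Text, "(?m)^$Key=(.*)$")
    if ($m.Success) { return $m.Groups[1].Value.Trim() } else { return $null }
}

function Test-SiteExists {
    param([string]$SiteName)
    # Rule 1 only works if the site object is already in the configuration partition.
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    return [ADSI]::Exists("LDAP://CN=$SiteName,CN=Sites,$configNc")
}

$site = Get-AnswerValue -Text $Answer -Key 'SiteName'
if (-not $site) { throw 'SiteName is missing; placement would fall back to the IP-based or random rules' }
if (-not (Test-SiteExists -SiteName $site)) { throw "Site '$site' does not exist; create it and its Subnet object before promoting" }

$AnswerFile = Join-Path $env:TEMP 'dcpromo-replica.txt'
Set-Content -Path $AnswerFile -Value $Answer -Encoding ASCII
try {
    & dcpromo.exe /answer:$AnswerFile
} finally {
    # The file holds credentials and the DSRM password; do not leave it on disk.
    Remove-Item $AnswerFile -Force -ErrorAction SilentlyContinue
}
# RebootOnSuccess=No: restart the server yourself after dcpromo reports success.
```

With ReplicationSourceDC set and SiteName omitted, the file would instead exercise rule 3; leaving both out hands placement to rule 4, which is exactly what the Subnet-object check earlier in this section is meant to avoid.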
Domain Connectivity
During the installation process, the Active Directory Installation Wizard needs to communicate with other domain controllers in order to join the new domain controller to the domain. The wizard needs to communicate with a member of the domain to receive the initial copy of the directory database for the new domain controller. It communicates with the domain naming master for new-domain installations only, so that the new domain can be added to the forest. The wizard also needs to contact the relative ID (RID) master so that the new domain controller can receive its RID pool, and it needs to communicate with another domain controller in order to populate the SYSVOL shared folder on the new domain controller. All of this communication depends on proper DNS installation and configuration. By using Netdiag.exe and Dcdiag.exe, you can test all of these connections prior to starting the Active Directory Installation Wizard.

Required Information
The installation wizard asks for the following specific configuration information before it begins installing Active Directory:
- A domain administrator's user name and password
- Location to store the directory database and log files
- The password to use for Directory Services Restore Mode
- The fully qualified DNS name of the domain to which the new domain controller will be added

Have this information ready before you run the Active Directory Installation Wizard.

Procedure 1: Install the DNS Server service
Link to procedure.
Procedure 2: Gather the SYSVOL path installation information
Link to procedure.
Procedure 3: Verify DNS registration and functionality
Link to procedure.
Procedure 4: Verify that an IP address maps to a subnet and determine the site association
Link to procedure.
Procedure 5: Verify communication with other domain controllers
Link to procedure.
Procedure 6: Verify the availability of the operations masters
Link to procedure.
Caution If any of the verification tests fail, do not continue until you determine what went wrong and fix the problems. If these tests fail, the installation is also likely to fail.
Task: Install Active Directory
There are a number of elements to consider when installing Active Directory on a new domain controller. This task addresses the general requirements concerning the site placement, connectivity, and Active Directory Installation Wizard.
The Active Directory Installation Wizard
After you have gathered all the information that you need to run the Active Directory Installation Wizard and have performed the tests to verify that all of the necessary domain controllers are available, you are ready to install Active Directory on your server and turn it into a domain controller. During the installation process, the wizard asks for information that it needs in order to properly configure the new domain controller. First, it asks if you want to install a domain controller in a new domain or an additional domain controller in an existing domain.
31 Managing the Windows Server Platform
Because this guide pertains to adding domain controllers to domains that already exist, choose Additional domain controller in an existing domain. During the installation process, the wizard needs to communicate with other domain controllers in order to add this new domain controller to the domain and get the appropriate information into the Active Directory database. To maintain security, you must provide credentials that have administrative access to the directory.
Procedure 1: Install Active Directory
Link to procedure.
Task: Install Active Directory from media
Installing Active Directory from media allows you to reduce the replication traffic that is initiated during the installation of an additional domain controller in an Active Directory domain, and thus reduces the time it takes to install a replica domain controller. This task has three procedures:
Back up the system state of an existing domain controller in the same domain as the new domain controller.
Restore the system state to an alternate location locally on the new domain controller.
Promote the server to a domain controller using the dcpromo /adv option.
Procedure 1: Back up system state
Link to procedure.
Procedure 2: Restore system state to an alternate location
Link to procedure.
Procedure 3: Promote server to domain controller
Link to procedure.
Task: Unattended install of Active Directory
Running an unattended install simplifies the process of setting up Active Directory on multiple computers. The unattended install feature uses an answer file to provide answers to the questions asked during a normal setup. This allows the installation process to proceed from start to completion without user intervention. This method works best when Active Directory is being installed with identical options on many computers.
Procedure 1: Install and run Setup Manager to create an answer file (Unattend.txt)
Link to procedure.
Procedure 2: Run Active Directory automated install
In the Run dialog box, type dcpromo /answer:<answerfile> (where answerfile is the file created with Setup Manager), and click OK.
Task: Verify Active Directory installation
There are several verification tasks that can be performed on a newly promoted domain controller. Successfully completing the requirements of each verification task will provide a strong indication of a healthy, operational domain controller.
Procedure 1: Determine whether a Server object has Child objects
Link to procedure.
Procedure 2: Verify the site assignment for the domain controller
You must ensure that the new domain controller is located in the proper site so that after the installation is complete, the new domain controller can locate replication partners and become part of the replication topology. If the site is not correct, you can use the Active Directory Sites and Services snap-in to move the Server object for the domain controller to the proper site after Active Directory installation is complete.
Note The last dialog box displayed by the Active Directory Installation Wizard lists the site where the new domain controller is installed. If this is not the proper site, you must move the Server object after the server is rebooted.
Link to procedure.
Procedure 3: Move a Server object to a different site if the domain controller is located in the wrong site
Link to procedure.
Procedure 4: Configure DNS server forwarders
Link to procedure.
Procedure 5: Verify DNS configuration
Link to procedure.
Procedure 6: Check the status of the shared SYSVOL
Link to procedure.
Procedure 7: Verify DNS registration and functionality
Link to procedure.
Procedure 8: Verify domain membership for the new domain controller
Link to procedure.
Procedure 9: Verify communication with other domain controllers
Link to procedure.
Procedure 10: Verify replication with other domain controllers
Link to procedure.
Procedure 11: Verify the availability of the operations masters
Link to procedure.
Dependencies
The following access levels are required:
Domain user
Domain admin
Technology Required
Active Directory Sites and Services (administrative tools)
DNS Manager
Event Viewer
Netdiag.exe
Dcdiag.exe
Ntdsutil.exe (system tool)
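The unattended install (Task: Unattended install of Active Directory, Procedure 2) together with the site-placement rules at the start of this process, as an added example that is not part of the guide: a batch script that writes a [DCInstall] answer file for an additional domain controller in an existing domain and runs dcpromo /answer with it. The domain, site, source domain controller, user name and file paths are constructed placeholders passed as arguments; the answer-file keys are the Windows Server 2003 dcpromo keys.

```batch
@echo off
setlocal
rem Added example, not from the guide: build a [DCInstall] answer file for an
rem additional domain controller in an existing domain and run it unattended.
rem Usage: dcpromo-replica.cmd domainFQDN siteName sourceDC adminUser
rem Constructed example: dcpromo-replica.cmd contoso.com Branch1 DC1 adadmin
if "%~4"=="" (
    echo Usage: %~nx0 domainFQDN siteName sourceDC adminUser
    exit /b 1
)
set DOMAIN=%~1
set SITE=%~2
set SOURCEDC=%~3
set ADMINUSER=%~4
set WORKDIR=%SystemDrive%\dcpromo
set ANSWER=%WORKDIR%\Unattend.txt

rem Passwords are read from the console so they never appear on the command
rem line. They are still written to the answer file in clear text, so the
rem file is kept in a folder restricted to Administrators and SYSTEM and is
rem deleted as soon as dcpromo has read it. A password containing a closing
rem parenthesis, ampersand, pipe or angle bracket would break the echo block
rem below; pick a different one for this run.
set /p ADMINPW=Password for %DOMAIN%\%ADMINUSER%: 
set /p DSRMPW=Directory Services Restore Mode password: 

if not exist "%WORKDIR%" md "%WORKDIR%"
echo y| cacls "%WORKDIR%" /G Administrators:F SYSTEM:F >nul

rem SiteName and ReplicationSourceDC fix the site placement and the initial
rem replication partner explicitly, instead of leaving the site to the
rem IP-address lookup or to a randomly chosen partner (site rules 2 and 4).
(
    echo [DCInstall]
    echo ReplicaOrNewDomain=Replica
    echo ReplicaDomainDNSName=%DOMAIN%
    echo SiteName=%SITE%
    echo ReplicationSourceDC=%SOURCEDC%
    echo UserDomain=%DOMAIN%
    echo UserName=%ADMINUSER%
    echo Password=%ADMINPW%
    echo SafeModeAdminPassword=%DSRMPW%
    echo DatabasePath=D:\NTDS
    echo LogPath=E:\NTDSLogs
    echo SYSVOLPath=D:\SYSVOL
    echo RebootOnSuccess=No
) > "%ANSWER%"
rem For the install-from-media task, restore the system state to a local
rem folder first and add the line:  ReplicationSourcePath=D:\NTDSRestore

rem start /wait makes the script block until the promotion has finished.
start /wait dcpromo /answer:%ANSWER%

rem Remove the clear-text credentials whether or not the promotion succeeded;
rem the outcome is recorded in %SystemRoot%\debug\dcpromo.log.
del /f /q "%ANSWER%"
echo Review %SystemRoot%\debug\dcpromo.log, then restart to complete the promotion.
endlocal
```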
Quadrant: Changing
SMF: Change Management
Role Cluster: Release
Frequency: As Needed
Process: Removing Active Directory
Description
A domain controller can be removed from a domain in one of two ways: by removing Active Directory or by a system failure that renders the domain controller inoperable so that you cannot restore it to service.
Purpose
A domain controller might need to be removed when:
You no longer need the domain controller.
The domain controller's connection to the rest of the network may not be sufficient.
The domain controller has suffered a hardware failure that will not be quickly repaired.
Guidelines
Similarly to how you can install Active Directory to turn a Windows Server 2003-based server into a domain controller, you can remove Active Directory to turn a Windows Server 2003-based domain controller back into a server. This process removes most of the references to the domain controller from the directory. You must manually remove the Server object that represents the domain controller from the computer container after you remove Active Directory. This method properly removes the domain controller from the directory.
A hardware failure on a domain controller can render it inoperable. If the problem is severe enough, you might never be able to return the domain controller to service. In this case, the other domain controllers eventually reconfigure themselves so that they can continue to replicate directory information without the failed domain controller. When a domain controller is removed from the domain without removing Active Directory, all the information about that domain controller remains in the directory. You must take additional steps to remove this information from the directory.
Task: Decommission the domain controller
Demoting a domain controller effectively removes all Active Directory and related components and returns the domain controller to a member server role.
Procedure 1: View the current operations master role holders
To avoid problems, transfer any operations master roles prior to running the Active Directory Installation Wizard to decommission a domain controller so that you can control the operations master role placement. If you need to transfer any roles from a domain controller, understand all the recommendations for role placement before performing the transfer.
Caution During the decommissioning process, the Active Directory Installation Wizard will attempt to transfer any remaining operations master roles to other domain controllers without any user interaction. However, if a failure occurs, the wizard will continue to demote and leave your domain without roles. Also, you do not have control over which domain controller receives the roles. The wizard transfers the roles to any available domain controller and does not indicate which domain controller hosts them.
Link to procedure.
Procedure 2: Transfer the forest-level operations master roles
This is required only if this domain controller hosts either the schema master or domain naming master roles.
Link to procedure.
Procedure 3: Transfer the domain-level operations master roles
This is required only if this domain controller hosts the PDC emulator, infrastructure master, or RID master.
Link to procedure.
Procedure 4: Determine whether a domain controller is a global catalog server
If you remove Active Directory from a domain controller that hosts a global catalog, the Active Directory Installation Wizard confirms that you want to continue with removing Active Directory. This confirmation ensures that you are aware that you are removing a global catalog from your environment. Do not remove the last global catalog server from your environment because users cannot log on without an available global catalog server. If you are not sure, do not proceed with removing Active Directory until you know that at least one other global catalog server is available.
Link to procedure.
Procedure 5: Verify DNS registration and functionality
Link to procedure.
Procedure 6: Verify communication with other domain controllers
During the removal of Active Directory, contact with other domain controllers is required to ensure:
Any unreplicated changes are replicated to another domain controller.
Removal of the domain controller from the directory.
Transfer of any remaining operations master roles.
If the domain controller cannot contact the other domain controllers during Active Directory removal, the decommissioning operation fails. As with the installation process, test the communication infrastructure prior to running the installation wizard. When you remove Active Directory, use the same connectivity tests that you used during the installation of Active Directory.
Link to procedure.
Procedure 7: Verify the availability of the operations masters
Link to procedure.
Note If any of the verification tests fail, do not continue until you determine and fix the problems. If these tests fail, the removal is also likely to fail.
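The connectivity and operations-master checks that Procedures 3 to 6 of the installation process and Procedures 5 to 7 of this decommissioning task call for are the same tests, so here is one added script for both; it is not from the guide. It uses the Support Tools the guide names (Netdiag.exe, Dcdiag.exe, Netdom.exe) plus Nltest; the domain name and peer domain controller are constructed arguments, and because the exit-code convention of these tools (nonzero on failure) is an assumption, the script also scans their output for the word "failed".

```batch
@echo off
setlocal
rem Added example, not from the guide: the pre-install / pre-removal checks
rem (DNS registration, subnet-to-site mapping, DC reachability, operations
rem masters) run in one pass. Needs the Windows Support Tools on the PATH.
rem Usage: dc-preflight.cmd domainFQDN [peerDC]
rem Constructed example: dc-preflight.cmd contoso.com DC1
if "%~1"=="" (
    echo Usage: %~nx0 domainFQDN [peerDC]
    exit /b 1
)
set DOMAIN=%~1
set PEER=%~2
set FAILED=0
set OUT=%TEMP%\dc-preflight

echo === 1. DNS registration and functionality (netdiag /test:dns) ===
netdiag /test:dns > "%OUT%-dns.txt"
type "%OUT%-dns.txt"
find /i "failed" "%OUT%-dns.txt" >nul && call :fail "DNS test"

echo === 2. Subnet to site mapping for this computer's IP address ===
rem Assumption: nltest exits nonzero when no site covers this address.
nltest /dsgetsite || call :fail "site lookup: no Active Directory subnet covers this IP address"

echo === 3. Communication with a domain controller of %DOMAIN% ===
nltest /dsgetdc:%DOMAIN% /force || call :fail "domain controller lookup for %DOMAIN%"

echo === 4. Operations master role holders ===
netdom query /domain:%DOMAIN% fsmo || call :fail "operations master query"

if not "%PEER%"=="" (
    echo === 5. Operations master availability as seen from %PEER% ===
    dcdiag /s:%PEER% /test:knowsofroleholders /test:fsmocheck > "%OUT%-fsmo.txt"
    type "%OUT%-fsmo.txt"
    find /i "failed" "%OUT%-fsmo.txt" >nul && call :fail "operations masters unreachable from %PEER%"
)

if "%FAILED%"=="1" (
    echo.
    echo One or more checks FAILED. Fix them before running the Active Directory
    echo Installation Wizard; the install or removal is likely to fail otherwise.
    exit /b 1
)
echo All checks passed.
exit /b 0

:fail
echo *** FAILED: %~1
set FAILED=1
goto :eof
```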
Procedure 8: Remove Active Directory
Link to procedure.
Procedure 9: Determine whether a Server object has Child objects
Link to procedure.
Procedure 10: Delete a Server object from a site
Note The administrator may not want to remove the Server object if it hosts something in addition to Active Directory (Microsoft Exchange, for example).
Link to procedure.
Task: Forced removal of a domain controller
Forced removal of a domain controller is only intended to be used as a last resort for recovering a domain controller without requiring reinstallation of the operating system. It is not intended to replace the normal removal procedure in any way and is virtually equivalent to permanently disconnecting the domain controller. There is a considerable amount of metadata about a domain controller stored within Active Directory. During a normal demotion, this metadata is cleaned up. A forced removal assumes there is no connectivity to the domain and does not attempt any cleanup. Forced removal of a domain controller should always be followed by cleaning up the associated metadata, thereby effectively removing all references to the domain controller from the domain and forest. Forced demotion should not be done on the last domain controller in a domain.
Procedure 1: Identify replication partners
Link to procedure.
Procedure 2: Force domain controller removal
Link to procedure.
Procedure 3: Clean up metadata
Link to procedure.
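The metadata cleanup that must follow a forced removal (Procedure 3 above) together with the Server-object checks of Procedures 9 and 10 of the decommissioning task, as an added script that is not from the guide. The surviving domain controller, the failed domain controller, its site and the forest root DN are constructed arguments; that ntdsutil accepts the server DN directly on "remove selected server" (Windows Server 2003 SP1 and later) and that dsquery exits nonzero for a missing object are assumptions noted in the script.

```batch
@echo off
setlocal
rem Added example, not from the guide: clean up the metadata of a domain
rem controller that was force-removed or lost to a hardware failure, then
rem check that nothing in the directory still refers to it.
rem Run on a surviving domain controller as a domain or enterprise admin.
rem Usage: dc-metadata-cleanup.cmd survivingDC failedDC siteName forestRootDN
rem Constructed example:
rem   dc-metadata-cleanup.cmd DC1 DC2 Branch1 DC=contoso,DC=com
if "%~4"=="" (
    echo Usage: %~nx0 survivingDC failedDC siteName forestRootDN
    exit /b 1
)
set GOODDC=%~1
set DEADDC=%~2
set SITE=%~3
set FORESTDN=%~4
set SERVERDN=CN=%DEADDC%,CN=Servers,CN=%SITE%,CN=Sites,CN=Configuration,%FORESTDN%
set OUT=%TEMP%\metadata-cleanup

echo === Replication partners of %GOODDC% before cleanup ===
repadmin /showrepl %GOODDC%

echo === Procedure 3: remove the NTDS Settings metadata of %DEADDC% ===
rem Assumption: ntdsutil (Windows Server 2003 SP1 and later) accepts the
rem server DN on "remove selected server". It shows a confirmation dialog
rem that must be acknowledged, so this step is not fully unattended.
ntdsutil "metadata cleanup" "connections" "connect to server %GOODDC%" "quit" "remove selected server %SERVERDN%" "quit" "quit"

echo === Procedure 9: does the Server object still have child objects? ===
rem Assumption: dsquery exits nonzero when the start node does not exist.
dsquery * "%SERVERDN%" -scope base >nul 2>&1 || (
    echo Server object %SERVERDN% no longer exists.
    goto :verify
)
dsquery * "%SERVERDN%" -scope onelevel > "%OUT%-children.txt"
for %%F in ("%OUT%-children.txt") do if %%~zF gtr 0 (
    echo The Server object still has child objects; leaving it in place:
    type "%OUT%-children.txt"
    goto :verify
)
echo === Procedure 10: delete the now-empty Server object from its site ===
dsrm "%SERVERDN%" -noprompt

:verify
echo === Remaining references to %DEADDC% in the directory ===
echo Domain controllers still known in the forest:
dsquery server -forest -o rdn
echo Computer account (if still present):
dsquery computer -name %DEADDC%
echo FRS member object for SYSVOL (if still present):
dsquery * forestroot -filter "(&(objectClass=nTFRSMember)(cn=%DEADDC%))"
rem Ask the KCC to rebuild the topology without the removed server and show
rem the result; the old partner must no longer be listed. DNS records for
rem the removed server are checked separately on the DNS servers.
repadmin /kcc %GOODDC%
repadmin /showrepl %GOODDC%
endlocal
```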
Quadrant: Operating
SMF: System Administration
Role Cluster: Operations
Frequency: As Needed
Process: Rename a domain controller
Description
The ability to rename domain controllers running Windows Server 2003 (contrary to Windows 2000 Server) provides you with the flexibility to:
Restructure your network for organizational and business needs.
Make management and administrative control easier.
Although one can rename a domain controller through the System Properties GUI (as with any other computer), Active Directory and DNS replication latency may temporarily prevent clients from locating and/or authenticating to the renamed domain controller. To eliminate this, it is recommended that the Netdom command-line tool be used to rename a domain controller.
Purpose
Renaming a domain controller is a common operation in many organizations and usually occurs when:
New hardware is purchased to replace an existing domain controller.
Domain controllers are decommissioned, or promoted, and renamed to maintain a naming convention.
Movement or site placement of domain controllers.
Guidelines
It is important to note that domain controller names have a primary impact on administration, rather than client access. Renaming a domain controller is an optional exercise, and the impacts should be well understood prior to renaming. You can rename a domain controller by using the GUI or the Netdom tool. The domain functional level must be set to Windows Server 2003 for you to be able to use the Netdom tool. In all other cases, you should use the GUI.
Task: Rename using the System Properties user interface
Procedure 1: Use System Properties interface to change name
Link to procedure.
Procedure 2: Update the FRS Member object
Link to procedure.
Task: Rename using the Netdom command-line tool
The netdom command updates the service principal name (SPN) attributes in Active Directory for the computer account and registers DNS resource records for the new computer name. The SPN value of the computer account must be replicated to all domain controllers in the domain, and the DNS resource records for the new computer name must be distributed to all the authoritative DNS servers for the domain name. If the updates and registrations have not occurred prior to removing the old computer name, then some clients may be unable to locate this computer using the new or old name.
Procedure 1: Add the new domain controller name
Link to procedure.
Procedure 2: Designate the new name as the primary computer name
Prior to performing this operation, you must ensure that the SPN value has been registered in Active Directory and the DNS records for the new computer name have been registered in DNS.
Link to procedure.
Procedure 3: Remove the old domain controller name
Prior to performing this operation, you must ensure that the updated dnsHostName attribute for the new computer name in the computer account has been registered in Active Directory and that the SRV DNS records have been registered in authoritative DNS servers.
Link to procedure.
Procedure 4: Update the FRS Member object
Link to procedure.
Dependencies
Domain admin or Enterprise admin
Windows Server 2003 functional level
Technology Required
Netdom command-line tool
System Properties tool
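The Netdom rename sequence of Procedures 1 to 3 above, as an added script that is not from the guide. It runs one step per invocation so that the SPN, dnsHostName and SRV-record checks the guide requires can be made between steps; the old and new names are constructed arguments, and the assumption that netdom computername exits nonzero on failure is noted in the script. Procedure 4 (the FRS Member object) is not covered.

```batch
@echo off
setlocal enabledelayedexpansion
rem Added example, not from the guide: rename a Windows Server 2003 domain
rem controller with Netdom in three separate invocations, checking the SPN
rem and DNS registrations between them as the guide requires.
rem Usage: rename-dc.cmd add|primary|remove oldFQDN newFQDN
rem Constructed example: rename-dc.cmd add dc1.contoso.com dc-branch1.contoso.com
if "%~3"=="" (
    echo Usage: %~nx0 add^|primary^|remove oldFQDN newFQDN
    exit /b 1
)
set STEP=%~1
set OLDNAME=%~2
set NEWNAME=%~3
for /f "tokens=1* delims=." %%a in ("%NEWNAME%") do (
    set NEWHOST=%%a
    set DOMAIN=%%b
)
rem Assumption: netdom computername returns a nonzero exit code on failure.
if /i "%STEP%"=="add" goto add
if /i "%STEP%"=="primary" goto primary
if /i "%STEP%"=="remove" goto remove
echo Unknown step %STEP%
exit /b 1

:add
echo === Procedure 1: register %NEWNAME% as an alternate name of %OLDNAME% ===
netdom computername %OLDNAME% /add:%NEWNAME% || exit /b 1
echo Netdom has added the new SPNs and DNS records. Wait for them to replicate
echo to every domain controller and DNS server, then run the "primary" step.
goto :eof

:primary
echo === Procedure 2: verify SPN and DNS registrations, then make the new name primary ===
rem /verify checks that each alternate name has its SPNs in the directory
rem and its DNS records before it is allowed to become the primary name.
netdom computername %OLDNAME% /verify || (
    echo Registrations are not complete yet. Force replication ^(repadmin /syncall^)
    echo and retry later; do not make the new name primary until /verify passes.
    exit /b 1
)
netdom computername %OLDNAME% /makeprimary:%NEWNAME% || exit /b 1
echo %NEWNAME% is now the primary name. Restart the domain controller, then
echo run the "remove" step once dnsHostName and the SRV records have updated.
goto :eof

:remove
echo === Procedure 3: confirm dnsHostName and SRV records, then drop %OLDNAME% ===
set DNSHOST=
rem dsquery prints the computer DN in quotes, which the inner command reuses.
for /f "usebackq delims=" %%d in (`dsquery computer -name %NEWHOST%`) do (
    dsquery * %%d -scope base -attr dNSHostName | find /i "%NEWNAME%" >nul && set DNSHOST=ok
)
if not "!DNSHOST!"=="ok" (
    echo dnsHostName of the computer account is not %NEWNAME% yet; retry later.
    exit /b 1
)
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% 2>nul | find /i "%NEWNAME%" >nul || (
    echo No SRV record for %NEWNAME% is visible on this DNS server yet; retry later.
    exit /b 1
)
netdom computername %NEWNAME% /remove:%OLDNAME% || exit /b 1
echo %OLDNAME% removed. Complete Procedure 4 (update the FRS Member object) separately.
goto :eof
```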
Quadrant: Optimizing
SMF: Availability Management
Role Cluster: Infrastructure
Frequency: As Needed
Process: Manage the Active Directory database
Description
Active Directory is stored in the Ntds.dit database file. In addition to this file, the directory uses log files, which store transactions prior to committing them to the database file. For best performance, store the log files and the database on separate hard drives. The Active Directory database is a self-maintained system and requires no daily maintenance, other than regular backup, during ordinary operation. However, it may need to be managed if the following conditions occur:
Low disk space
Pending or current hardware failure
A need to recover physical space following bulk deletion or removal of the global catalog
Monitor free disk space on the partition or partitions that store the directory database and logs. The following are the recommended parameters for free space:
Ntds.dit partition: The greater of 20 percent of the Ntds.dit file size or 500 megabytes (MB).
Log file partition: The greater of 20 percent of the combined log files size or 500 MB.
Ntds.dit and logs on the same volume: The greater of 1 gigabyte (GB) or 20 percent of the combined Ntds.dit and log files sizes.
Purpose
During ordinary operation, the customer will delete objects from Active Directory. When an object is deleted, it results in white space (or unused space) being created in the database. On a regular basis, the database will consolidate this white space through a process called defragmentation, and this white space will be reused when new objects are added (without adding any size to the file itself). This automatic online defragmentation redistributes and retains white space for use by the database, but does not release it to the file system. Therefore, the database size does not shrink, even though objects might be deleted. In cases where the data is decreased significantly, such as when the global catalog is removed from a domain controller, white space is not automatically returned to the file system. Although this condition does not affect database operation, it does result in large amounts of white space in the database. You can use offline defragmentation to decrease the size of the database file by returning white space from the database file to the file system.
Managing the Active Directory database also allows you to upgrade or replace the disk on which the database or log files are stored or to move the files to a different location, either permanently or temporarily.
Guidelines
Prior to performing any procedures that affect the directory database, be sure that you have a current system state backup. For information about performing system state backup, see Back up Active Directory earlier in this guide.
To manage the database file itself, you must take the domain controller offline by restarting in Directory Services Restore Mode, and then use Ntdsutil.exe to manage the file.
Note NTFS disk compression is not supported for the database and log files.
Task: Relocate Active Directory database files
The following conditions require moving database files:
Hardware maintenance: If the physical disk on which the database or log files are stored requires upgrading or maintenance, the database files must be moved, either temporarily or permanently.
Low disk space: When free disk space is low on the logical drive that stores the database file (Ntds.dit), the log files, or both, first verify that no other files are causing the problem. If the database file or log files are the cause of the growth, then provide more disk space by taking one of the following actions:
Expand the partition on the disk that currently stores the database file, the log files, or both. This procedure does not change the path to the files and does not require updating the registry.
Use Ntdsutil.exe to move the database file, the log files, or both to a larger existing partition. If you are not using Ntdsutil.exe when moving files to a different partition, you will need to manually update the registry.
Guidelines
If the path to the database file or log files will change as a result of moving the files, be sure that you:
Use Ntdsutil.exe to move the files (rather than copying them) so that the registry is updated with the new path. Even if you are moving the files only temporarily, use Ntdsutil.exe to move files locally so that the registry remains current.
Perform a system state backup as soon as the move is complete so that the restore procedure uses the correct path.
Verify that the correct permissions are applied on the destination folder following the move. Revise permissions to those that are required to protect the database files, if needed.
If you replace or reconfigure a drive that stores the SYSVOL folder, you must first move the SYSVOL folder manually. For information about moving SYSVOL manually, see Managing the SYSVOL later in this guide.
Use the following procedures to move or copy the database file, the log files, or both. Procedures are explained in detail in the linked topics.
Note The domain controller will not be available during the time in which files are moved and the move is verified. Ensure that alternate domain controllers are available to handle the capacity.
Procedure 1: Determine the location and size of the directory database files
Use the database size to prepare a destination location of the appropriate size. Track the respective file sizes during the move to ensure that you successfully move the correct files.
Link to procedure.
Procedure 2: Compare the size of the directory database files to the volume size
Before moving any files in response to low disk space, verify that no other files on the volume are responsible for the condition of low disk space.
Link to procedure.
Procedure 3: Back up system state
System state includes the database file and log files as well as SYSVOL and Net Logon shared folders, among other things. Always ensure that you have a current backup prior to moving database files.
Link to procedure.
Procedure 4: Restart the domain controller in Directory Services Restore Mode
If you are logged on to the domain controller console, locally restart the domain controller in Directory Services Restore Mode.
Link to procedure.
Procedure 5: Move the database file, the log files, or both
Link to procedure.
Procedure 6: Back up system state
Link to procedure.
Task: Returning unused disk space from the Active Directory database to the file system
During ordinary operation, the white space in the Active Directory database file becomes fragmented. Each time garbage collection runs (every 12 hours by default), white space is automatically defragmented online to optimize its use within the database file. The unused disk space is thereby maintained for the database; it is not returned to the file system.
Only offline defragmentation can return unused disk space from the directory database to the file system. When database contents have decreased considerably through a bulk deletion (for example, you remove the global catalog from a domain controller), or if the size of the database backup is significantly increased due to the white space, use offline defragmentation to reduce the size of the Ntds.dit file.
You can determine how much free disk space is recoverable from the Ntds.dit file by setting the garbage collection logging level in the registry. Changing the garbage collection logging level from the default value of 0 to a value of 1 results in event ID 1646 being logged in the directory service log. This event describes the total amount of disk space used by the database file as well as the amount of free disk space that is recoverable from the Ntds.dit file through offline defragmentation.
At garbage collection logging level 0, only critical events and error events are logged in the directory service log. At level 1, high-level events are logged as well. Events can include one message for each major task that is performed by the service. At level 1, the following events are logged for garbage collection:
Event IDs 700 and 701: report when online defragmentation begins and ends, respectively.
Event ID 1646: reports the amount of free space available in the database out of the amount of allocated space.
Caution Setting the value of entries in the Diagnostics subkey to greater than 3 can degrade server performance and is not recommended.
Following offline defragmentation, perform a database integrity check. The integrity command in Ntdsutil.exe detects binary-level database corruption by reading every byte in the database file. The process ensures that the correct headers exist in the database itself and that all of the tables are functioning and consistent. Therefore, depending upon the size of your Ntds.dit file and the domain controller hardware, the process might take considerable time. In testing environments, the speed of 2 GB per hour is considered to be typical. When you run the command, an online graph displays the percentage completed.
Use the following procedures to perform offline defragmentation. Procedures are explained in detail in the linked topics.
Procedure 1: Change the garbage collection logging level to 1
Check the directory service event log for event ID 1646, which reports the amount of disk space that you can recover by performing offline defragmentation.
Link to procedure.
Procedure 2: Back up system state
System state includes the database file and database log files as well as SYSVOL, Net Logon, and the registry, among other things. Always ensure that a current backup exists prior to defragmenting database files.
Link to procedure.
Procedure 3: Take the domain controller offline
Use one of the following procedures:
If you are logged on to the domain controller locally, restart the domain controller in Directory Services Restore Mode.
If you are using Terminal Services for remote administration, you can remotely restart the domain controller in Directory Services Restore Mode after modifying the Boot.ini file on the remote server.
Link to procedure.
Procedure 4: Compact the directory database file (offline defragmentation)
As part of the offline defragmentation procedure, check directory database integrity.
Link to procedure.
Procedure 5: If database integrity check fails, perform semantic database analysis with fixup
Link to procedure.
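The garbage-collection logging change and the compact-then-integrity sequence of Procedures 1, 4 and 5 above, as an added script that is not from the guide. The "report" step runs on the live domain controller; the "compact" step is for Directory Services Restore Mode after the system state backup of Procedure 2. The registry value names are the Windows Server 2003 NTDS names; the temporary directory is a constructed argument and must be on a volume with room for a full copy of Ntds.dit.

```batch
@echo off
setlocal enabledelayedexpansion
rem Added example, not from the guide: offline defragmentation workflow.
rem   ntds-defrag.cmd report            (live DC: logging level 1, event 1646)
rem   ntds-defrag.cmd compact D:\Defrag (DSRM only, after a system state backup)
set NTDSPARAMS=HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
set NTDSDIAG=HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
if /i "%~1"=="report" goto report
if /i "%~1"=="compact" goto compact
echo Usage: %~nx0 report ^| compact tempDir
exit /b 1

:report
call :regsz "%NTDSPARAMS%" "DSA Database file" DITPATH
call :regsz "%NTDSPARAMS%" "Database log files path" LOGDIR
echo Database file: !DITPATH!
dir "!DITPATH!" | find /i "ntds.dit"
echo Log directory: !LOGDIR!
dir "!LOGDIR!\*.log" | find " bytes"
echo === Procedure 1: garbage collection logging level 0 to 1 ===
reg add "%NTDSDIAG%" /v "6 Garbage Collection" /t REG_DWORD /d 1 /f
echo At the next garbage collection run (every 12 hours by default) event 1646 in
echo the Directory Service log reports the space offline defragmentation recovers.
rem Filter syntax as documented for eventquery.vbs on Windows Server 2003.
cscript //nologo %SystemRoot%\system32\eventquery.vbs /l "Directory Service" /fi "ID eq 1646"
exit /b 0

:compact
if "%~2"=="" (
    echo Usage: %~nx0 compact tempDir   ^(use a path without spaces^)
    exit /b 1
)
set TEMPDIR=%~2
call :regsz "%NTDSPARAMS%" "DSA Database file" DITPATH
call :regsz "%NTDSPARAMS%" "Database log files path" LOGDIR
if not exist "%TEMPDIR%" md "%TEMPDIR%"
echo === Procedure 4: compact !DITPATH! into %TEMPDIR% ===
rem ntdsutil cannot open the database on a running domain controller, so an
rem accidental run outside Directory Services Restore Mode stops here.
ntdsutil "files" "compact to %TEMPDIR%" "quit" "quit"
if not exist "%TEMPDIR%\ntds.dit" (
    echo Compaction produced no file; nothing was changed. See the ntdsutil output.
    exit /b 1
)
rem Swap in the compacted file, keep the old one until the integrity check
rem passes, and remove the old log files as ntdsutil's own instructions say.
move /y "!DITPATH!" "!DITPATH!.precompact"
copy /y "%TEMPDIR%\ntds.dit" "!DITPATH!"
del /q "!LOGDIR!\*.log"
echo === Integrity check ^(roughly 2 GB per hour; ntdsutil shows the progress^) ===
ntdsutil "files" "integrity" "quit" "quit"
echo If the check reported errors, run Procedure 5 before restarting normally:
echo   ntdsutil "semantic database analysis" "go fixup" "quit" "quit"
echo Otherwise delete !DITPATH!.precompact and restart in normal mode.
exit /b 0

rem Read a REG_SZ value into a variable: %1 key, %2 value name, %3 variable.
rem Everything up to the type column is cut off, then leading blanks trimmed.
:regsz
set %3=
for /f "tokens=*" %%l in ('reg query "%~1" /v "%~2" ^| find "REG_SZ"') do (
    set LINE=%%l
    set LINE=!LINE:*REG_SZ=!
    for /f "tokens=*" %%p in ("!LINE!") do set %3=%%p
)
goto :eof
```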
Quadrant: Operating
SMF: System Administration
Role Cluster: Infrastructure
Frequency:
Process: Managing the SYSVOL
Description
The Windows Server 2003 System Volume (SYSVOL) is a collection of folders and reparse points in the file systems that exist on each domain controller in a domain. SYSVOL provides a standard location to store important elements of Group Policy objects (GPOs) and scripts so that the File Replication service (FRS) can distribute them to other domain controllers within that domain.
Note Only the Group Policy template (GPT) is replicated by SYSVOL. The Group Policy container (GPC) is replicated through Active Directory replication. To be effective, both parts must be available on a domain controller.
FRS monitors SYSVOL and, if a change occurs to any file stored on SYSVOL, then FRS automatically replicates the changed file to the SYSVOL folders on the other domain controllers in the domain. The day-to-day operation of SYSVOL is an automated process that does not require any human intervention other than watching for alerts from the monitoring system. Occasionally, you might perform some system maintenance as you change your network.
Purpose
This process describes the basic tasks required for managing SYSVOL in order to maintain capacity and performance of SYSVOL, for hardware maintenance, or for data organization.
Guidelines
To manage SYSVOL, ensure that FRS properly replicates the SYSVOL data and that enough space is provided to store SYSVOL. Implement a monitoring system to detect low disk space and potential FRS disruptions so that you can address those issues before the system stops replicating. A useful tool for this is the Ultrasound utility, which can be downloaded from www.microsoft.com, by searching for Ultrasound.
Some key considerations for managing SYSVOL are:
Capacity. Depending upon the configuration of your domain, SYSVOL can require a significant amount of disk space to function properly. During the initial deployment, SYSVOL might be allocated adequate disk space to function. However, as your Active Directory grows in size and complexity, the required capacity can exceed the available disk space. If you receive indications that disk space is low, determine if the cause is due to inadequate physical space on the disk or a registry setting that limits the size of the staging area. By modifying a setting in the registry, you can allocate more staging area space, rather than relocating SYSVOL or the staging area. Increasing the space allocation in the registry is much faster and easier than relocation.
Performance. Any changes made to SYSVOL are automatically replicated to the other domain controllers in the domain. If the files stored in SYSVOL change frequently, the replication increases the input and output for the volume where SYSVOL is located. For example, editing a GPO can potentially force a GPO-level replication. If the volume is also host to other system files, such as the directory database or the pagefile, then the increased input and output for the volume can impact the performance of the server.
Hardware maintenance. System maintenance, such as removal of a disk drive, can require you to relocate SYSVOL. Even if the maintenance occurs on a different disk drive, verify that that maintenance does not affect the system volume. Logical drive letters could change after you add and remove disks. FRS locates SYSVOL by using pointers stored in the directory and the registry. If drive letters change after you add or remove disk drives, be aware that these pointers are not automatically updated.
Backing up Group Policy objects (GPOs). The successful operation of Group Policy is heavily dependent on the reliable operation of SYS VOL. Key components of the GPO exist in the SYSVOL (in the policies subdirectory) and it is essential that these remain in sync with related components in Active Directory. Therefore, backing up only the SYSVOL component does not represent a full and complete backup of your GPOs. The Group Policy Management Console (GPMC) provides both UI-based and scriptable methods for backing up GPOs. It is important that you back up GPOs as part of your regular backup/disaster recovery processes. Soon after installation of a new domain, the default domain and default domain controllers' GPOs should be backed up. They should also be backed up after any subsequent changes are made.
Task: Changing the space allocated to the staging area
The staging area stores files prior to being replicated and stores files that it has just received through replication. Although FRS compresses the data and attributes of the replicated files to save space in the Staging Area folder and reduce the time that is needed to replicate the files, this method requires making and storing a copy of every file prior to replication and can require a substantial amount of disk space. The default size of the staging area is 660 megabytes (MB). The minimum size is 10 MB and the maximum size is 2 terabytes. You can adjust the size limit of the Staging Folder by setting the value in kilobytes (KB) of the Staging Space Limit registry entry in HKEY_Local_Machine\System\CurrentControlSet\Services\NtFrs\Parameters. For more information about setting the Staging Space Limit in the registry, see KB article 329491 in the Microsoft Knowledge Base.
Procedure 1: Stop the File Replication service
Link to procedure.
Procedure 2: Change the space allocated to the Staging Area folder
Link to procedure.
Procedure 3: Start the File Replication service
Link to procedure.
Task: Relocate the staging area
By default, the Active Directory Installation Wizard installs the Staging Area folder within the SYSVOL. The Active Directory Installation Wizard creates two folders, Staging and Staging Area, which FRS uses for the staging process. When you relocate the staging area, you can change the name. Ensure that you identify the proper area in case it is renamed in your environment. Two parameters determine the location of the staging area. One parameter, fRSStagingPath, is stored in the directory and contains the path to the actual location that FRS uses to stage files. The other parameter is a junction point stored in the Staging Area folder in SYSVOL that links to the actual location that FRS uses to stage files.
When relocating the staging area, you must update these two parameters to point to the new location. Except where noted, perform these procedures on the domain controller that contains the Staging Area folder that you want to relocate. Procedures are explained in detail in the linked topics.
Procedure 1: Identify replication partners
Link to procedure.
Procedure 2: Check the status of the shared SYSVOL
You do not need to perform the test on every partner, but you need to perform enough tests to be confident that the shared system volumes on the partners are healthy.
Link to procedure.
Procedure 3: Verify replication with other domain controllers
Link to procedure.
Procedure 4: Gather the SYSVOL path information
Link to procedure.
Procedure 5: Reset the File Replication Service Staging folder to a different logical drive
Link to procedure.
Task: Relocating SYSVOL manually
If you must move the entire system volume, not just the Staging Area folder, then you can relocate the system volume manually. Because no utilities can automate this process, you must carefully move all folders and properly maintain the same level of security at the new location. You can also move SYSVOL with the Active Directory wizard, but this requires that you demote the domain controller and then re-promote it. This should only be considered in extreme cases, and only when the domain controller is not running any other services or applications. Except where noted, perform these steps on the domain controller that contains the system volume that you want to move. Procedures are explained in detail in the linked topics.
Warning This procedure can alter security settings. After you complete the procedure, the security settings on the new system volume are reset to the default settings that were established when you installed Active Directory. You must reapply any changes to the security settings on the system volume that you made since you installed Active Directory. This will cause additional replication traffic. Note that failure to reset permissions can result in unauthorized access to Group Policy objects and logon and logoff scripts.
Procedure 1: Identify replication partners
Link to procedure.

Procedure 2: Check the status of the shared SYSVOL
You do not need to perform the test on every partner, but you need to perform enough tests to be confident that the shared system volumes on the partners are healthy.
Link to procedure.

Procedure 3: Verify replication with other domain controllers
Link to procedure.

Procedure 4: Gather the SYSVOL path information
Link to procedure.

Procedure 5: Stop the File Replication service
Link to procedure.

Procedure 6: Create the SYSVOL folder structure
Link to procedure.

Procedure 7: Set the SYSVOL path
Link to procedure.

Procedure 8: Set the staging area path
If you have moved the Staging Area folder to a different location already, you do not need to do this step.
Link to procedure.

Procedure 9: Prepare a domain controller for non-authoritative SYSVOL restore
Link to procedure.

Procedure 10: Update security on the new SYSVOL
Link to procedure.

Procedure 11: Start the File Replication service
Link to procedure.

Procedure 12: Check the status of the shared SYSVOL
Link to procedure.

Task: Updating the system volume path

When you add or remove disk drives, the logical drive letters of the other drives on the system can change. If either your SYSVOL or Staging Area folder is located on one of the drives whose letter changes, FRS cannot locate them. You must update the paths that FRS uses to locate these folders in order to solve this problem. To change the path for the system volume, you need to make changes to the registry and in the directory. Changing the staging area path requires a change in the directory. Both changes require that you update the junction points. After updating the path information, you must restart the File Replication service so it can reinitialize with the new values.
Use the following procedures to update the system volume path. Procedures are explained in detail in the linked topics.

Procedure 1: Gather the SYSVOL path information
Link to procedure.

Procedure 2: Stop the File Replication service
Link to procedure.

Procedure 3: Set the SYSVOL path
Link to procedure.

Procedure 4: Set the staging area path
Link to procedure.

Procedure 5: Start the File Replication service
Link to procedure.

Task: Restoring and rebuilding SYSVOL

If your efforts to move SYSVOL or perform certain maintenance tasks fail, you must recreate or rebuild the SYSVOL on a single domain controller. Attempt to rebuild SYSVOL on a single domain controller only when all other domain controllers in the domain have a healthy and functioning SYSVOL. Do not attempt to rebuild SYSVOL until you correct any problems that are occurring with FRS in a domain. Use these procedures only if you are working on a domain controller that does not have a functional SYSVOL. Procedures are explained in detail in the linked topics.

Procedure 1: Identify replication partners
Link to procedure.

Procedure 2: Check the status of the shared SYSVOL
Because you will be copying the system volume from one of the partners, you need to make sure that the system volume you copy from the partner is up to date.
Link to procedure.

Procedure 3: Verify replication with other domain controllers
Link to procedure.

Procedure 4: Restart the domain controller in Directory Services Restore Mode
If you are sitting at the console of the domain controller, locally restart a domain controller in Directory Services Restore Mode. If you are accessing the domain controller remotely using Terminal Services, remotely restart a domain controller in Directory Services Restore Mode.
Link to procedure.

Procedure 5: Gather the SYSVOL path information
Link to procedure.

Procedure 6: Stop the File Replication service
Link to procedure.
Procedure 7: Prepare a domain controller for non-authoritative SYSVOL restore
Link to procedure.

Procedure 8: Import the SYSVOL folder structure
Link to procedure.

Procedure 9: Start the File Replication service
Link to procedure.

Procedure 10: Check the status of the shared SYSVOL
Link to procedure.

Dependencies
Active Directory needs to be installed and running.

Technology Required
Ultrasound for monitoring
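The staging-area and path-update tasks above turn on three pointers (the Netlogon registry value and the fRSRootPath and fRSStagingPath directory attributes) that are not updated when a drive letter changes, and on a staging limit that must stay within the stated 10 MB to 2 TB range. The following PowerShell script is an added example, not code from the guide or from Microsoft, that audits those pointers on the local domain controller and reads or changes the staging limit with the stop/change/start order the first task prescribes. The registry value names ("SysVol", "Staging Space Limit in KB"), the fRSRootPath attribute and the distinguished name of the NTFRS subscriber object are assumptions drawn from FRS documentation, not from this page.

```powershell
# Added example (not from the guide): audit the pointers FRS and Net Logon use to find SYSVOL
# and the staging area on the local domain controller, and read or change the staging space
# limit within the bounds the guide states. Assumed, not from the page: the Netlogon "SysVol"
# registry value, the "Staging Space Limit in KB" value name (KB 329491), the fRSRootPath
# attribute, and the DN of the NTFRS subscriber object under the DC's computer object.

$NetlogonParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$NtFrsParams      = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$StagingValueName = 'Staging Space Limit in KB'     # assumed value name
$MinStagingKB     = [uint64]10 * 1024               # 10 MB minimum (from the guide)
$MaxStagingKB     = [uint64]2 * 1024 * 1024 * 1024  # 2 TB maximum (from the guide)
$DefaultStagingKB = [uint64]660 * 1024              # 660 MB default (from the guide)

function Get-SysvolPointers {
    # Registry pointer: the path Net Logon shares as SYSVOL (normally <root>\SYSVOL\sysvol).
    $regSysvol = (Get-ItemProperty -Path $NetlogonParams -ErrorAction Stop).SysVol
    # Directory pointers: fRSRootPath and fRSStagingPath on this DC's NTFRS subscriber object.
    $domainDn     = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value
    $subscriberDn = "CN=Domain System Volume (SYSVOL share),CN=NTFRS Subscriptions," +
                    "CN=$env:COMPUTERNAME,OU=Domain Controllers,$domainDn"
    $subscriber   = [ADSI]"LDAP://$subscriberDn"
    New-Object PSObject -Property @{
        RegistrySysvol = [string]$regSysvol
        FrsRootPath    = [string]$subscriber.fRSRootPath
        FrsStagingPath = [string]$subscriber.fRSStagingPath
    }
}

function Test-SysvolPointers {
    # One row per pointer: does its drive letter still exist, and does the folder exist?
    $p = Get-SysvolPointers
    $rows = @(
        @{ Pointer = 'Netlogon SysVol (registry)'; Path = $p.RegistrySysvol },
        @{ Pointer = 'fRSRootPath (directory)';    Path = $p.FrsRootPath },
        @{ Pointer = 'fRSStagingPath (directory)'; Path = $p.FrsStagingPath }
    )
    foreach ($row in $rows) {
        $drive = if ($row.Path -match '^[A-Za-z]:') { $matches[0] } else { $null }
        New-Object PSObject -Property @{
            Pointer     = $row.Pointer
            Path        = $row.Path
            DriveExists = ($null -ne $drive -and (Test-Path -Path "$drive\"))
            PathExists  = (Test-Path -Path $row.Path)
        }
    }
    # The per-domain entries under SYSVOL\sysvol and SYSVOL\staging areas must still be junctions.
    $sysvolRoot = Split-Path -Path $p.RegistrySysvol -Parent
    foreach ($dir in @("$sysvolRoot\sysvol", "$sysvolRoot\staging areas")) {
        if (-not (Test-Path -Path $dir)) { continue }
        foreach ($child in Get-ChildItem -Path $dir -Force) {
            $isJunction = ($child.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
            New-Object PSObject -Property @{
                Pointer = 'junction'; Path = $child.FullName; DriveExists = $true; PathExists = $isJunction
            }
        }
    }
}

function Get-StagingSpaceLimitKB {
    $value = (Get-ItemProperty -Path $NtFrsParams).$StagingValueName
    if ($null -eq $value) { return $DefaultStagingKB }   # value absent: FRS uses its default
    # The value is a DWORD; read it back unsigned so limits above 2 GB-1 KB do not show negative.
    [uint64][BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$value), 0)
}

function Set-StagingSpaceLimitKB {
    param([Parameter(Mandatory = $true)][uint64]$LimitKB)
    if ($LimitKB -lt $MinStagingKB -or $LimitKB -gt $MaxStagingKB) {
        throw "Staging limit $LimitKB KB is outside the supported range $MinStagingKB-$MaxStagingKB KB"
    }
    # The guide's order: stop FRS, change the value, start FRS.
    Stop-Service -Name NtFrs -ErrorAction Stop
    $dword = [BitConverter]::ToInt32([BitConverter]::GetBytes([uint32]$LimitKB), 0)
    Set-ItemProperty -Path $NtFrsParams -Name $StagingValueName -Value $dword -Type DWord
    Start-Service -Name NtFrs -ErrorAction Stop
    Get-StagingSpaceLimitKB
}

Test-SysvolPointers | Format-Table Pointer, Path, DriveExists, PathExists -AutoSize
"Staging space limit: {0} KB (allowed {1}-{2} KB)" -f (Get-StagingSpaceLimitKB), $MinStagingKB, $MaxStagingKB
# To change it (this stops and restarts FRS):  Set-StagingSpaceLimitKB -LimitKB (1024 * 1024)
```

A pointer row whose DriveExists is false is the exact failure the "Updating the system volume path" task describes: the drive letter moved and FRS can no longer find the folder. A junction row whose PathExists is false means the entry under sysvol or staging areas is a plain folder rather than a junction, which the relocation procedures must recreate.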
Optimizing Quadrant | Availability Management SMF | Infrastructure Role Cluster | As Needed

Process: Manage the Windows Time service

Description
The Windows 2003 Time service (W32Time) requires little management and is installed on all Windows Server 2003-based systems. By default, only domain controllers are configured to provide time to clients. W32Time uses coordinated universal time (UTC) during synchronization activities. UTC is based on an atomic time scale and is independent of time zone.

Purpose
Managing the Windows Time service is required to:
- Change the forest-root PDC emulator.
- Move time authority from the forest-root PDC emulator to another computer.
- Change the external time source.
- Switch to another time synchronization product.
- Increase or decrease the rate of synchronization to achieve the best compromise between bandwidth use and precision for a particular implementation.

Guidelines
Manually specified time sources are not authenticated and, therefore, can enable an attacker to manipulate the time source and then start Kerberos V5 replay attacks. Also, a computer that does not synchronize with its domain controller can have an unsynchronized time. This causes Kerberos V5 authentication to fail, which in turn causes other actions requiring network authentication, such as printing or file sharing, to fail. When only one computer in the forest root domain is getting time from an external source, all computers within the forest remain synchronized to each other, making replay attacks difficult. Because of the risks of unsynchronized time, and the multitude of services that depend on synchronized time, it is important that you appropriately manage and configure the Windows Time service to meet your operational requirements for time synchronization.
Caution. You should not advance or roll back the system time on Windows 2003-based servers under any circumstances.
Time Configuration on the Forest-Root PDC Emulator

The Windows Time service employs a hierarchical synchronization structure that is rooted in the PDC emulator in the forest root domain. This system ultimately represents the authoritative time for all systems in the forest. Always closely monitor the forest-root PDC emulator to ensure that its time is accurate relative to its source. Follow these best practices for configuring the time source on the forest-root PDC emulator, in this order of preference:
- Install a hardware clock, such as a radio or GPS device, as the source for the PDC. There are many consumer and enterprise devices that use the Network Time Protocol (NTP), allowing you to install the device on an internal network for usage with the PDC.
- Use IPSec to secure the NTP communication with the PDC and another network time server.

Do not synchronize the forest-root PDC emulator with another Windows-based computer in the same forest. If neither of these options is available in your Active Directory deployment or data center, you can synchronize with an external reliable time source. This option is the least favorable as it synchronizes time in an unauthenticated manner, potentially making time packets vulnerable to an attacker.
Task: Configuring a time source for the forest

After initial deployment of your network, you typically only reconfigure the time service on the PDC emulator in two situations:
- If you move the PDC emulator role to a different computer. In this case, you must configure the time service for the new PDC emulator.
- If you change the time source for the PDC emulator. For example, if you change from synchronizing with an external source to a hardware device.

To configure the time service for the forest-root PDC emulator, you might need to remove an external time source that you used previously or, if you transferred the PDC emulator role to another Active Directory domain controller, you might only need to configure the time service on the new PDC emulator. To configure time on the forest-root PDC emulator, you can use the following procedures. Procedures are explained in detail in the linked topics.

Procedure 1: Configure time on the forest-root PDC emulator
Link to procedure.

Procedure 2: Remove a time source configured on the forest-root PDC emulator
Link to procedure.

Task: Configuring a reliable time source on a computer other than the PDC emulator

By default, the PDC emulator in the forest root is the authoritative time source for that forest. However, you might want to configure a different domain controller in your network to be authoritative for the forest. If you plan to move the PDC operations master role, you can configure a reliable time source on a different computer prior to the move(s) to avoid resets or disruption of the time service. The role of PDC emulator can move between computers, which means that every time the role of PDC emulator moves, the new PDC emulator must be manually configured to point to the external source, and the manual configuration must be removed from the original PDC emulator. To avoid this process, you can set one of the domain controllers in the parent domain as reliable and manually configure just that computer to point to an external source. Then, no matter which computer is the PDC emulator, the root of the time service stays the same and thus remains properly configured. When domain controllers look for a time source to synchronize with, they choose a reliable source, if one is available.
It is important to note that the automatic discovery mechanism in the time service client never chooses a computer that is not a domain controller. Clients must be manually configured to use any server that is not a domain controller. Although the PDC emulator in the forest root domain is the authoritative time source for that forest, you can configure a reliable time source on a computer other than the PDC emulator.

Procedure 1: Configure the selected computer as a reliable time source
Link to procedure.

Task: Configuring a client to request time from a specific time source

Certain computers do not automatically synchronize their time to the time of the Active Directory domain. It is recommended that these systems be configured to request time from a particular source, such as a domain controller in the domain. If you do not specify a source that is synchronized with the domain, each computer's internal hardware clock governs its time. The following client computers do not automatically synchronize to the domain time through the Windows Time service:
- Client computers that run pre-Windows 2000 operating systems.
- Client computers that run UNIX.

The following procedures allow you to specify a time source for client computers that do not automatically synchronize through the time service. Procedures are explained in detail in the linked topics.

Procedure 1: Set a manually configured time source on a selected computer
Link to procedure.

Procedure 2: Remove a manually configured time source on a selected computer
Link to procedure.

Task: Optimizing the polling interval

In some cases, the default configuration of the time service polling intervals may be inadequate to achieve your desired operational accuracy goals. Windows Server 2003 uses a more advanced dynamic interval for polling that is governed by minimum and maximum values. It might be desirable to change this interval in the following situations:
- If computers are polling over a leased line, you can lengthen the polling interval. By polling less often, you will decrease usage of the paid line.
- If you have applications or devices that require increased time accuracy, you can shorten the polling interval.
Procedure 1: Change polling interval
Link to procedure.

Task: Disabling the Windows Time service

If you choose to implement another time synchronization product that uses the NTP protocol, you must disable the W32Time service because all NTP servers need access to UDP port 123. If W32Time is running on a Windows 2003-based computer, port 123 remains occupied. You only need to perform one procedure to disable the Windows Time service.

Procedure 1: Disable time service
Link to procedure.

Dependencies
Domain Admin credentials

Technology Required
Services snap-in tool
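The guidelines and tasks above describe a hierarchy rooted in the forest-root PDC emulator, warn that manually specified sources are unauthenticated, and explain when a non-PDC computer should be marked as the reliable source. The following PowerShell script is an added example, not code from the guide or from Microsoft, that reads the local W32Time configuration, determines whether the local computer is the forest-root PDC emulator, and reports deviations from those guidelines; it also wraps the w32tm.exe calls used to set or remove a manual source on the PDC emulator. The registry value names (Type, NtpServer, AnnounceFlags, MinPollInterval, MaxPollInterval), the fSMORoleOwner attribute and the w32tm.exe switches are assumptions from Windows Time service documentation, not from this page.

```powershell
# Added example (not from the guide): audit the local Windows Time service configuration against
# the guidelines above, and configure or remove a manual source on the forest-root PDC emulator.
# Assumed, not from the page: the W32Time registry value names (Type, NtpServer, AnnounceFlags,
# MinPollInterval, MaxPollInterval), the fSMORoleOwner attribute on the forest root domain
# object, the w32tm.exe switches, and that AnnounceFlags 5 advertises a reliable time source.

$W32TimeParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$W32TimeConfig = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'

function Get-ForestRootPdcEmulator {
    # fSMORoleOwner on the forest root domain object holds the PDC emulator's NTDS Settings DN:
    # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $forestRoot = [ADSI]"LDAP://$($rootDse.rootDomainNamingContext.Value)"
    (([string]$forestRoot.fSMORoleOwner) -split ',')[1] -replace '^CN=', ''
}

function Get-W32TimeConfig {
    $params = Get-ItemProperty -Path $W32TimeParams
    $config = Get-ItemProperty -Path $W32TimeConfig
    New-Object PSObject -Property @{
        Computer        = $env:COMPUTERNAME
        Type            = $params.Type            # NT5DS: domain hierarchy; NTP: manual peers; NoSync
        NtpServer       = $params.NtpServer       # manual peer list used when Type is NTP
        AnnounceFlags   = $config.AnnounceFlags   # 5: reliable time source; 10: default
        MinPollInterval = $config.MinPollInterval # log2 seconds; bounds of the dynamic polling interval
        MaxPollInterval = $config.MaxPollInterval # log2 seconds
        IsForestRootPdc = ($env:COMPUTERNAME -eq (Get-ForestRootPdcEmulator))
    }
}

function Test-W32TimeGuidelines {
    param($Config = (Get-W32TimeConfig))
    $findings = @()
    if ($Config.Type -eq 'NoSync') {
        $findings += 'Time is not synchronized at all; Kerberos V5 authentication fails once the clock drifts.'
    }
    if ($Config.IsForestRootPdc) {
        if ($Config.Type -eq 'NT5DS') {
            $findings += 'Forest-root PDC emulator follows the domain hierarchy but is its root; give it a hardware clock or a reliable peer.'
        }
        if ($Config.Type -eq 'NTP') {
            $findings += "Manual source '$($Config.NtpServer)' is unauthenticated (the least favorable option); prefer a hardware clock or IPSec-protected NTP."
        }
        if ($Config.AnnounceFlags -ne 5) {
            $findings += "AnnounceFlags is $($Config.AnnounceFlags); the root of the time hierarchy should advertise itself as reliable (5)."
        }
    } elseif ($Config.Type -eq 'NTP' -and $Config.AnnounceFlags -ne 5) {
        $findings += "Manual source '$($Config.NtpServer)' on a non-PDC that is not marked reliable; it can drift from the forest hierarchy. Remove it unless this is intended."
    }
    if ($findings.Count -eq 0) { 'No findings' } else { $findings }
}

function Set-PdcTimeSource {
    # Point the forest-root PDC emulator at a manual peer and mark it reliable (w32tm switches assumed).
    param([Parameter(Mandatory = $true)][string]$Peer)
    & w32tm.exe /config /manualpeerlist:"$Peer" /syncfromflags:manual /reliable:yes /update
    & w32tm.exe /resync
}

function Remove-PdcTimeSource {
    # Return a former PDC emulator to the domain hierarchy after the role has moved away.
    & w32tm.exe /config /syncfromflags:domhier /reliable:no /update
    & w32tm.exe /resync
}

Get-W32TimeConfig | Format-List
Test-W32TimeGuidelines
```

Run the audit on every domain controller after a PDC emulator role transfer: the old holder should come back with a finding about its leftover manual source, and the new holder with a finding about still following the domain hierarchy, which is exactly the pair of reconfigurations the "Configuring a time source for the forest" task calls for.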
Optimizing Quadrant | Availability Management SMF | Infrastructure Role Cluster | As Needed

Process: Managing trusts

Description
Trust relationships between domains establish a trusted communication path through which a computer in one domain can communicate with a computer in the other domain. Trust relationships allow users in the trusted domain to access resources in the trusting domain. Trusts generally require limited management. For example, where a one-way trust exists:
- A user who is logged on to the trusted domain can be authenticated to connect to a resource server in the trusting domain.
- A user can use an account in the trusted domain to log on to the trusted domain from a computer in the trusting domain.
- A user in the trusting domain can list trusted domain security principals and add them to groups and access control lists (ACLs) on resources in the trusting domain.

Purpose
Trusts are typically created to enable users in the trusted domain to facilitate access to resources in the trusting domain.

Guidelines
When you create a Windows 2003 domain in an existing Windows 2003 forest, a trust relationship is established automatically between the newly created domain and its parent. These trust relationships are two-way and transitive, and they should not be removed. A trust does not always allow users in the trusted domain to have access to resources in the trusting domain. Access has to be granted by adding users to the appropriate permissions. In some cases, users in trusted domains might have implicit access if the resources are ACLed for Authenticated Users. The following types of trusts must be created manually:
- External trusts
- Trusts between a Microsoft Windows 2000 domain and a Windows NT 4.0 domain
- Any trust between domains in different forests, whether both domains are Windows 2000 or one is Windows 2000 and the other Windows NT 4.0
- Shortcut trusts between two domains in the same forest
- Trust relationships between a Windows 2003 domain and a non-Windows Kerberos realm. For more information about trusts between a Windows 2003 domain and a non-Windows Kerberos realm, link to the Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability document available on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

You might also need to manage trusts for the following reasons:
- To remove a manually created trust.
- To configure security identifier (SID) filtering to deny one domain the right to provide credentials for another domain. You can enable SID filtering for external trusts, that is, trusts between domains in different forests, or between a Windows 2000 and a Windows NT 4.0 domain.
Task: Creating external trusts

You create an external trust when you want to establish a trust relationship between Windows Server 2003 domains that are in different forests, or between a Windows Server 2003 domain and a Windows 2000 or Windows NT 4.0 domain. An external trust relationship has the following characteristics:
- It is one-way. The trust must be established manually in each direction to create a two-way external trust relationship.
- It is nontransitive.

If you upgrade a Windows NT 4.0 domain to a Windows 2000 domain, the existing trust relationships remain in the same state.

Methods for Creating the External Trust
- Use the procedure Create a one-way trust (MMC method) to create a trust where one domain trusts another to use its resources.
- Use the procedure Create a one-way trust (Netdom.exe method) to use the support tool, Netdom.exe, to create both sides of a one-way trust simultaneously. You must provide credentials for both domains in order to use the Netdom.exe method.
- Use the procedure Create a two-way trust (MMC method) first to create both portions configured in one domain, and then to create both portions configured in the other domain.
- Use the procedure Create a two-way trust (Netdom.exe method) to use the support tool, Netdom.exe, to create both sides of the trust simultaneously. You must provide credentials for both domains in order to use the Netdom.exe method.

Requirements
Credentials: Domain Admins. You can create the trust after you log on to the domain interactively, or use the Run As command to create the trust for a different domain.
Tools: Active Directory Domains and Trusts or Netdom.exe (Support Tools)
You can create an external trust by using one of the following methods. Procedures are explained in detail in the linked topics.

Procedure 1: Create a one-way trust (MMC method)
Link to procedure.

Procedure 2: Create a one-way trust (Netdom.exe method)
Link to procedure.

Procedure 3: Create a two-way trust (MMC method)
Link to procedure.

Procedure 4: Create a two-way trust (Netdom.exe method)
Link to procedure.

Task: Creating shortcut trusts

A shortcut trust relationship is a manually created trust that shortens the trust path in order to improve the efficiency of users who log on remotely. A trust path is a chain of multiple trusts that enables trust between domains that are not adjacent in the domain namespace. For example, if users in domain A need to gain access to resources in domain C, you can create a direct link from domain A to domain C through a shortcut trust relationship, bypassing domain B in the trust path. A shortcut trust relationship has the following characteristics:
- It can be established between any two domains in the same forest.
- It must be established manually in each direction.
- It is transitive.

Shortcut trusts should only be established if there are significant problems with the normal trust relationships.

Requirements
Credentials: Domain Admins
Tool: Active Directory Domains and Trusts

You can create a shortcut trust by using one of the following methods. Procedures are explained in detail in the linked topics.

Procedure 1: Create a one-way trust (MMC method)
Link to procedure.

Procedure 2: Create a one-way trust (Netdom.exe method)
Link to procedure.

Procedure 3: Create a two-way trust (MMC method)
Link to procedure.

Procedure 4: Create a two-way trust (Netdom.exe method)
Link to procedure.

Task: Removing manually created trusts

You can remove manually created trusts, but you cannot remove the default two-way transitive trusts between domains in a forest. It is particularly important to verify that you successfully removed the trusts if you are planning to re-create them.

Requirements
Credentials: Domain Admins
Tool: Active Directory Domains and Trusts or Netdom.exe

You can remove a manually created trust by using one of the following methods. Procedures are explained in detail in the linked topics.

Procedure 1: Remove a manually created trust by using the Active Directory Domains and Trusts snap-in
Link to procedure.

Procedure 2: Remove a manually created trust by using Netdom.exe
Link to procedure.

Task: Preventing unauthorized privilege escalation

Security principals in Active Directory have an attribute called SIDHistory to which domain administrators can add users' old SIDs. This is useful during the migration process because users can use their old SIDs to access resources; administrators do not need to modify ACLs on large numbers of resources. However, under some circumstances, it is possible for domain administrators to use the SIDHistory attribute to associate SIDs with new user accounts, thereby granting themselves unauthorized rights. You can configure SID filtering to prevent this type of attack. You might configure SID filtering under the following circumstances:
- You have identified one or more domains in your enterprise where physical security is lax, or where the domain administrators are less well-trusted. You then isolate these less trustworthy domains by moving them to other forests. By definition, all domains within a forest must be trustworthy; if a domain is deemed less trustworthy than the others in the forest, it should not be a forest member.
- Once you have moved less trustworthy domains out of the forest, establish external trusts to these domains and apply access control to protect resources. If you are still concerned about SID spoofing being used for privilege escalation, then apply SID filtering.
Caution. Do not apply SID filtering to domains within a forest, as this removes SIDs required for Active Directory replication and causes authentication to fail for users from domains that are transitively trusted through the isolated domain.
Use the following procedures to configure SID filtering. Procedures are explained in detail in the linked topics.

Procedure 1: Configure SID filtering
Link to procedure.

Procedure 2: Remove SID filtering
Link to procedure.

Task: Creating cross-forest trusts

Forest trusts help you to manage a segmented Active Directory infrastructure within your organization by providing support for accessing resources and other objects across multiple forests. For more information about creating cross-forest trusts, as well as more information about managing trusts in general, see the white paper Planning and Implementing Federated Forests in Windows Server 2003 at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/security/fedffin2.asp.

Procedure 1: Verify connectivity between forests
Link to procedure.

Procedure 2: Configure DNS for both forests
Link to procedure.

Procedure 3: Create the forest trust on forest A
Link to procedure.

Procedure 4: Create the forest trust on forest B
Link to procedure.

Procedure 5: Verify the trust
Link to procedure.

Task: Managing selective authentication on a cross-forest trust

This task addresses how to set the scope of authentication for users, based on security and other considerations.

Procedure 1: Turn on the Selective Authentication option in forest A to enable only selective authentication from forest B
Link to procedure.

Procedure 2: Create a test file and then assign permissions to the share
Link to procedure.

Procedure 3: Verify that you cannot gain access to forest A from forest B
Link to procedure.

Procedure 4: Enable the Selective Authentication option for a designated computer
Link to procedure.

Procedure 5: Verify that you can gain access from forest A to forest B
Link to procedure.

Task: Removing the forest trust

This task addresses the procedure for removing a forest trust when administrators determine they no longer need the trust between the forests.

Procedure 1: Remove the forest trust
Link to procedure.
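The trust tasks above distinguish automatic intra-forest trusts (never to be removed or SID-filtered), manually created external trusts (where SID filtering stops SIDHistory-based privilege escalation), forest trusts and selective authentication. Those properties are all recorded on the trustedDomain objects in a domain's System container. The following PowerShell script is an added example, not code from the guide or from Microsoft, that reads those objects, decodes their attributes and reports external trusts that do not carry SID filtering, plus intra-forest trusts that do (the misconfiguration the Caution above warns about). The trustAttributes, trustDirection and trustType values are taken from the Active Directory schema, and the Netdom.exe /quarantine switch from the Windows Server 2003 Support Tools; neither appears on this page and both are assumptions. The sample trusts at the end are constructed so the decoding can be seen without a domain.

```powershell
# Added example (not from the guide): enumerate the local domain's trustedDomain objects, decode
# their attributes, and flag external trusts without SID filtering and intra-forest trusts with it.
# Assumed, not from the page: the flag values below (Active Directory schema) and the Netdom.exe
# /quarantine switch named in the remediation comment at the end.

$TrustAttributeFlags = @{
    NON_TRANSITIVE     = 0x01
    UPLEVEL_ONLY       = 0x02
    QUARANTINED_DOMAIN = 0x04   # SID filtering applied to this trust
    FOREST_TRANSITIVE  = 0x08   # cross-forest trust
    CROSS_ORGANIZATION = 0x10   # selective authentication
    WITHIN_FOREST      = 0x20   # automatic intra-forest trust; never filter these
    TREAT_AS_EXTERNAL  = 0x40
}
$TrustDirectionNames = @{ 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Two-way' }
$TrustTypeNames      = @{ 1 = 'Downlevel (Windows NT 4.0)'; 2 = 'Uplevel (Active Directory)'; 3 = 'MIT Kerberos realm' }

function Get-DomainTrust {
    $domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=System,$domainDn"
    $searcher.Filter = '(objectClass=trustedDomain)'
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('trustPartner', 'trustDirection', 'trustType', 'trustAttributes'))
    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        $attrs = [int]$p['trustattributes'][0]
        $names = @($TrustAttributeFlags.Keys | Where-Object { ($attrs -band $TrustAttributeFlags[$_]) -ne 0 } | Sort-Object)
        New-Object PSObject -Property @{
            Partner       = [string]$p['trustpartner'][0]
            Direction     = $TrustDirectionNames[[int]$p['trustdirection'][0]]
            Type          = $TrustTypeNames[[int]$p['trusttype'][0]]
            Attributes    = ($names -join ',')
            RawAttributes = $attrs
        }
    }
}

function Test-TrustSidFiltering {
    param($Trusts = (Get-DomainTrust))
    foreach ($t in $Trusts) {
        $a = $t.RawAttributes
        $withinForest = ($a -band $TrustAttributeFlags.WITHIN_FOREST) -ne 0
        $forestTrust  = ($a -band $TrustAttributeFlags.FOREST_TRANSITIVE) -ne 0
        $quarantined  = ($a -band $TrustAttributeFlags.QUARANTINED_DOMAIN) -ne 0
        $finding = if ($withinForest -and $quarantined) {
            'SID filtering on an intra-forest trust breaks replication and transitive authentication (see the Caution above)'
        } elseif ($withinForest -or $forestTrust) {
            'OK (automatic intra-forest trust or forest trust; not assessed here)'
        } elseif (-not $quarantined) {
            'External trust without SID filtering: SIDHistory values presented by the trusted domain are honoured'
        } else {
            'OK (SID filtering applied)'
        }
        New-Object PSObject -Property @{ Partner = $t.Partner; Direction = $t.Direction; Type = $t.Type; Finding = $finding }
    }
}

# Constructed sample (not real trust data) so the decoding can be seen without a domain.
$SampleTrusts = @(
    (New-Object PSObject -Property @{ Partner = 'child.corp.example'; Direction = 'Two-way';  Type = 'Uplevel (Active Directory)';  RawAttributes = 0x20 }),
    (New-Object PSObject -Property @{ Partner = 'partner.example';    Direction = 'Outbound'; Type = 'Uplevel (Active Directory)';  RawAttributes = 0x01 }),
    (New-Object PSObject -Property @{ Partner = 'legacy-nt4';         Direction = 'Outbound'; Type = 'Downlevel (Windows NT 4.0)'; RawAttributes = 0x05 })
)
Test-TrustSidFiltering -Trusts $SampleTrusts | Format-Table Partner, Direction, Type, Finding -AutoSize

# Against the live domain:  Test-TrustSidFiltering | Format-Table -AutoSize
# Remediation for a flagged external trust (Support Tools syntax, assumed), run as Domain Admins
# in the trusting domain, which is the guide's "Configure SID filtering" procedure:
#   netdom trust <TrustingDomain> /domain:<TrustedDomain> /quarantine:yes /userD:<user> /passwordD:*
```

The second sample trust (nontransitive, no quarantine flag) is the case the "Preventing unauthorized privilege escalation" task describes: an external trust to a domain whose administrators could populate SIDHistory, with nothing on the trusting side to discard those SIDs.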
Operating Quadrant | System Administration SMF | Infrastructure Role Cluster | As Needed

Process: Managing sites

Description
An Active Directory Site object represents a collection of Internet Protocol (IP) subnets, usually constituting a physical local area network (LAN). Multiple sites are connected for replication by Site Link objects. Sites are used in Active Directory to:
- Enable clients to discover network resources (published shares, domain controllers) that are close to the physical location of the client, reducing network traffic over wide area network (WAN) links.
- Optimize replication between domain controllers.

Managing sites in Active Directory involves adding new subnet, site, and site link objects when the network grows, as well as configuring a schedule and cost for site links. You can modify the site link schedule, cost, or both, to optimize intersite replication. When conditions no longer require replication to a site, or clients no longer require the sites to discover network resources, you can remove the site and associated objects from Active Directory.
Note. Managing large hub-and-spoke topology or using the SMTP intersite replication transport is beyond the scope of this documentation.
Purpose
Managing sites:
- Enables clients to discover network resources (printers, published shares, domain controllers) that are close to the physical location of the client, reducing network traffic over wide area network (WAN) links.
- Optimizes replication between domain controllers.

The KCC and Replication Topology

The Knowledge Consistency Checker (KCC) uses site link configuration information to enable and optimize replication traffic by generating a least-cost replication topology. Within a site, for each directory partition, the KCC builds a ring topology that tries to set a maximum number of hops (3) between any two domain controllers. Between sites, the KCC creates a spanning tree of all intersite connections. Therefore, adding sites and domains increases the processing that is required by the KCC. Before adding to the site topology, be sure to consider the guidelines discussed in Adding a new site later in this document. Significant changes to site topology can affect domain controller hardware requirements. For more information about domain controller hardware requirements, see Domain Controller Capacity Planning in Best Practice Active Directory Design for Managing Windows Networks. To download this guide, follow the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources, which will take you to the Active Directory home page, where you can download the guide.

Bridgehead Server Selection

By default, bridgehead servers are automatically selected by the intersite topology generator (ISTG) in each site. Alternatively, you can use Active Directory Sites and Services to select preferred bridgehead servers. However, it is recommended for Windows 2000 deployments that you do not select preferred bridgehead servers. Selecting preferred bridgehead servers limits the bridgehead servers that the KCC can use to those that you have selected. If you use Active Directory Sites and Services to select any preferred bridgehead servers at all in a site, you must select as many as possible and you must select them for all domains that must be replicated to a different site.

If you select preferred bridgehead servers for a domain and all preferred bridgehead servers for that domain become unavailable, replication of that domain to and from that site does not occur. If you have selected one or more bridgehead servers, removing them all from the bridgehead servers list restores the automatic selection functionality to the ISTG.

Task: Adding a new site

Design teams or network architects might want to add sites as part of ongoing deployment. Although you typically create subnets to accommodate all address ranges in the network, you do not need to create sites for every location. Generally, sites are required for those locations that have domain controllers or other servers that run applications that depend on site topology, such as Distributed File System (DFS). When the need for a site arises, the design team typically provides details about the placement and configuration of site links for the new site, as well as subnet assignments or creation if subnets are needed. KCC calculations for generating the intersite topology for a Windows 2003 forest can cause directory performance to suffer when the combined sites, site links, and domains exceed certain limits. When these limits are reached, follow the site administration guidelines on the Active Directory Branch Office Planning Guide link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. As a general guideline, when any of the following conditions exist, consult your design team before adding a new site:
- An existing site is directly connected to more than 20 sites.
- A bridgehead server has more than 20 inbound connections.
- The forest has 200 or more sites.
Use the followlng procedures to udd u new slte. Procedures ure explulned ln detull ln the llnked toplcs. Procedure 1: Create a Site object and add it to an existing site link Llnk to procedure. Procedure 2: Associate a range of IP addresses with the site Use elther of these methods: Creute u Subnet ob|ect or ob|ects und ussoclute them wlth the new slte Assoclute un exlstlng Subnet ob|ect wlth the new slte
Llnk to procedure. Procedure 3: Create a Site Link object, if appropriate, and add the new site and at least one other site to the Site Link object Llnk to procedure. Procedure 4: Remove the site from the site link Llnk to procedure. Task: Adding a subnet to the network If u new runge of IP uddresses ls udded to the network, creute u Subnet ob|ect ln Actlve Dlrectory to correspond to the runge of IP uddresses. When you creute u new Subnet ob|ect, you must ussoclute lt wlth u Slte ob|ect. You cun elther ussoclute the subnet wlth un exlstlng slte, or creute u new slte flrst und then creute the subnet und ussoclute lt wlth the new slte. If you ure golng to creute u new slte for the new network segment, see Addlng u new slte. Use the followlng procedures to udd u subnet. Procedures ure explulned ln detull ln the llnked toplcs. Procedure 1: Create a Subnet object and associate it with the appropriate site Llnk to procedure. 65 Managing the Windows Server Platform Task: Linking sites for replication To llnk sltes for repllcutlon, creute u Slte Llnk ob|ect ln the IP trunsport contulner und udd two or more sltes to the llnk. Use u numlng conventlon thut lncludes the sltes thut you ure llnklng. For exumple, lf you wunt to llnk the slte numed Seuttle to the slte numed %oston, you mlght nume the slte llnk SEA-%OS. After you udd two or more slte numes to u Slte Llnk ob|ect, the brldgeheud servers ln the respectlve sltes repllcute between the sltes uccordlng to the repllcutlon schedule, cost, und lntervul settlngs on the Slte Llnk ob|ect. For lnformutlon ubout modlfylng the defuult settlngs, see Chunglng slte llnk propertles. At leust two sltes must exlst when you creute u slte llnk. If you ure uddlng u slte llnk to connect u new slte to un exlstlng slte, creute the new slte flrst und then creute the slte llnk. For lnformutlon ubout creutlng u slte, see Addlng u new slte. Use the followlng procedures to llnk sltes for repllcutlon. 
Procedures are explained in detail in the linked topics.
Procedure 1: Create a Site Link object in the IP container and add the appropriate sites
Link to procedure.
Procedure 2: Generate the intersite topology
Link to procedure.
Task: Changing site link properties
To control which sites replicate directly with each other and when, use the cost, schedule, and interval properties on the Site Link object. These settings control intersite replication as follows:
Schedule: The time during which replication can occur (the default setting allows replication at all times).
Interval: The number of minutes between replication polling by intersite replication partners within the open schedule window (default is every 180 minutes).
Cost: The relative priority of the link (default is 100). Lower relative cost increases the priority of the link over other higher-cost links.
Consult your design documentation for information about values to set for site link properties.
Use the following procedures to configure a site link. Procedures are explained in detail in the linked topics.
Procedure 1: Configure the site link schedule to identify times during which intersite replication can occur
Link to procedure.
Procedure 2: Configure the site link interval to identify how often replication polling can occur during the schedule window
Link to procedure.
Active Directory Product Operations Guide 66
Procedure 3: Configure the site link cost to establish a priority for replication routing
Link to procedure.
Procedure 4: Generate the intersite topology
Link to procedure.
Task: Moving a domain controller to a different site
If you change the IP address or the subnet-to-site association of a domain controller after Active Directory is installed on the server, the Server object does not change sites automatically. You must move it to the new site manually. When you move the Server object, the Net Logon service on the domain controller registers DNS SRV resource records for the appropriate site.
TCP/IP Settings
When you move a domain controller to a different site, if an IP address of the domain controller is statically configured, then you must change the TCP/IP settings accordingly. The IP address of the domain controller must map to a Subnet object that is associated with the site to which you are moving the domain controller. If the IP address of a domain controller does not match the site in which the Server object appears, the domain controller might be forced to communicate over a potentially slow WAN link to locate resources rather than locating resources in its own site.
Prior to moving the domain controller, ensure that the following TCP/IP client values are appropriate for the new location:
IP address, including the subnet mask and default gateway
DNS server addresses
WINS server addresses (if appropriate)
If the domain controller that you are moving is a DNS server, you must also:
Change the TCP/IP settings on any clients that have static references to the domain controller as the preferred or alternate DNS server.
Determine whether the parent DNS zone of any zone that is hosted by this DNS server contains a delegation to this DNS server. If yes, update the IP address in all such delegations. For information about creating DNS delegations, see Verify Active Directory installation.
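The subnet-to-site check described above, as an added PowerShell example that is not part of the Operations Guide: it confirms that the address a domain controller will use after the move falls inside a Subnet object associated with the destination site, and reports the site its Server object currently occupies. It assumes the ActiveDirectory module and read access to the Configuration partition; the DC name, destination site and new address are placeholders.

```powershell
# Added example (not from the Operations Guide). Placeholders: DC01, Boston, 10.2.5.10.
param(
    [string]$DcName     = 'DC01',        # domain controller being moved
    [string]$TargetSite = 'Boston',      # destination site name
    [string]$NewAddress = ''             # planned static IPv4 address; empty = use the current one
)
Import-Module ActiveDirectory

function ConvertTo-UInt32 {
    # IPv4 dotted-quad -> unsigned 32-bit integer (host order) for mask arithmetic.
    param([string]$Ip)
    $bytes = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    [Array]::Reverse($bytes)             # network byte order -> little-endian for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InCidr {
    # $true when $Address lies inside the $Cidr block, e.g. 10.2.0.0/16.
    param([string]$Address, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $bits = [int]$bits
    if ($bits -eq 0) { return $true }
    $mask = [uint32](([uint64]0xFFFFFFFF -shl (32 - $bits)) -band 0xFFFFFFFF)
    return (((ConvertTo-UInt32 $Address) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask))
}

function Get-IPv4SubnetsForSite {
    # Subnet objects (Name is the CIDR string) whose Site attribute points at $SiteName.
    # IPv6 subnets are skipped because the matcher above is IPv4-only.
    param([string]$SiteName)
    $site = Get-ADReplicationSite -Identity $SiteName
    Get-ADReplicationSubnet -Filter * -Properties Site |
        Where-Object { $_.Site -eq $site.DistinguishedName } |
        Select-Object -ExpandProperty Name |
        Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+/\d+$' }
}

$dc = Get-ADDomainController -Identity $DcName
$ip = if ($NewAddress) { $NewAddress } else { $dc.IPv4Address }
$matches = @(Get-IPv4SubnetsForSite -SiteName $TargetSite | Where-Object { Test-IPv4InCidr -Address $ip -Cidr $_ })

"Server object for $DcName is currently in site: $($dc.Site)"
if ($matches.Count -gt 0) {
    "OK: $ip maps to $($matches -join ', '), which is associated with site $TargetSite."
} else {
    "WARNING: $ip does not fall inside any IPv4 subnet associated with site $TargetSite."
    "Create or re-associate a Subnet object before moving the Server object, or the DC will locate resources over the WAN."
}
```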
Preferred Bridgehead Server Status
Before moving any Server object, check the Server object to see whether it is acting as a preferred bridgehead server for the site. This condition has ISTG implications in both sites, as follows:
Site to which you are moving the server: If you move a preferred bridgehead server to a different site, it becomes a preferred bridgehead server in the new site. If preferred bridgehead servers are not currently in use in this site, the ISTG behavior in this site changes to support preferred bridgehead servers. For this reason, you must either configure the server to not be a preferred bridgehead server (recommended), or select additional preferred bridgehead servers in the site (not recommended).
Site from which you are moving the server: If the server is the last preferred bridgehead server in the original site for its domain, and if other domain controllers for the domain are in the site, the ISTG selects a bridgehead server for the domain. If you use preferred bridgehead servers, always select more than one server as the preferred bridgehead server for the domain. If, after the removal of this domain controller from the site, multiple domain controllers remain that are hosting the same domain and only one of them is configured as a preferred bridgehead server, either configure the server to not be a preferred bridgehead server (recommended), or select additional preferred bridgehead servers hosting the same domain in the site (not recommended).
Note
If you select preferred bridgehead servers and all selected preferred bridgehead servers for a domain are unavailable in the site, the ISTG does not select a new bridgehead server. In this case, replication of this domain to and from other sites does not occur. However, if no preferred bridgehead server is selected for a domain or transport (through administrator error or as the result of moving the only preferred bridgehead server to a different site), the ISTG automatically selects a preferred bridgehead server for the domain and replication proceeds as scheduled.
Use the following procedures to move a domain controller to a different site. Procedures are explained in detail in the linked topics.
Procedure 1: Change the static IP address of the domain controller
This procedure includes changing all appropriate TCP/IP values, including preferred and alternate DNS servers, as well as WINS servers (if appropriate). Obtain these values from the design team.
Link to procedure.
Procedure 2: Create a delegation for the domain controller
If the parent DNS zone of any zone that is hosted by this DNS server contains a delegation to this DNS server, use this procedure to update the IP address in all such delegations.
Link to procedure.
Procedure 3: Verify that an IP address maps to a subnet and determine the site association
Use this procedure to ensure that the subnet is associated with the site to which you are moving the Server object.
Link to procedure.
Procedure 4: Determine whether the server is a preferred bridgehead server
Link to procedure.
Procedure 5: Configure the server to not be a preferred bridgehead server
Use this procedure if the server is a preferred bridgehead server in the current site and you do not want the server to be a preferred bridgehead server in the new site.
Link to procedure.
Procedure 6: Move the Server object to the new site
Link to procedure.
Task: Removing a site
If domain controllers are no longer needed in a network location, you can remove them from the site and then delete the Site object. Before deleting the site, you must remove the domain controllers from the site, either by removing them entirely or by moving them to a new location. To remove a domain controller, remove Active Directory from the server and then delete the Server object from the site in Active Directory. To retain the domain controller in a different location, move the domain controller to a different site and then move the Server object to the respective site in Active Directory.
Domain controllers can host other applications that depend on site topology and publish objects as Child objects of the respective Server object. For example, when MOM or Message Queuing is running on a domain controller, these applications create Child objects beneath the Server object. In addition, a server running Message Queuing that is not a domain controller and is configured to be a routing server running Message Queuing creates a Server object in the Sites container. Removing the application from the server automatically removes the Child object below the respective Server object. However, the Server object is not removed automatically. When all applications have been removed from the server (no Child objects appear beneath the Server object), you can remove the Server object. After the application is removed from the server, a replication cycle might be required before Child objects are no longer visible below the Server object.
After you delete or move the Server objects but before you delete the Site object, reconcile the following objects:
Subnet object or objects for the site IP addresses: If the addresses are being reassigned to a different site, associate the Subnet object or objects with that site. Any clients using the addresses for the decommissioned site will thereafter be assigned automatically to the other site. If the IP addresses will no longer be used on the network, delete the corresponding Subnet object or objects.
You might need to delete a Site Link object, as follows:
If the site you are removing is added to a site link containing only two sites, delete the Site Link object.
If the site you are removing is added to a site link that contains more than two sites, do not delete this Site Link object.
Before deleting a site, you need to consider the implications. If the site you are removing is added to more than one site link, it might be an interim site between other sites that are added to this site link. Deleting the site might disconnect the outer sites from each other. In this case, the site links must be reconciled according to the instructions of the design team.
Use the following procedures to remove a site. Procedures are explained in detail in the linked topics.
Procedure 1: Determine whether a Server object has Child objects
If a Child object appears, do not delete the Server object. Contact an administrator.
Link to procedure.
Procedure 2: Delete a Server object from a site
Use this procedure to delete the Server objects within the Servers container of the site that you are removing.
Link to procedure.
Procedure 3: Delete the Site Link object
Obtain this information from the design team.
Link to procedure.
Procedure 4: Associate the subnet or subnets with the appropriate site
If you no longer want to use the IP addresses associated with the Subnet object or objects, delete the Subnet objects.
Link to procedure.
Procedure 5: Delete the Site object
Link to procedure.
Procedure 6: Generate the intersite topology
Link to procedure.
Dependencies
Domain Admin and Enterprise Admin credentials
No Child objects appear below the Server object in Active Directory Sites and Services
Identity of the ISTG role holder in the site
Technology Required
Active Directory Sites and Services (Administrative Tools)
Operating Quadrant
Security Administration SMF
Security Role Cluster
As Needed
Process: Manage antivirus software on domain controllers
Description
It is crucial to minimize the risk of disruption caused by malicious code to domain controllers because domain controllers provide a critical service to their clients. Antivirus software is the generally accepted way to mitigate the risk of such malevolent activity. However, one cannot simply install the antivirus software (from any vendor) on a domain controller and tell it to scan everything. Instead, it must be installed in a manner that mitigates the risk to the highest possible level while not interfering with the performance of the domain controllers in performing their directory service duties.
Purpose
Installing effective antivirus software on domain controllers minimizes the risk that their activities will be disrupted by malicious code.
Guidelines
Follow the guidelines established by your antivirus software vendor.
Note
Verify that the antivirus software you are adding is confirmed to work on domain controllers.
Task: Exclude files not at risk of infection
Exclude the following files and folders from being scanned. These files are not at risk of infection and including them could cause serious performance problems due to file locking and excessive replication between domain controllers. Furthermore, they may cause Active Directory and FRS to work improperly, causing Active Directory or FRS data loss. Where a specific set of files is identified by name, exclude only those files rather than the entire folder. In some cases, the entire folder must be excluded.
Do not exclude any of these based on the file name extension (that is, do not exclude all files with a .dit extension). Microsoft has no control over other files that might choose to use the same extension as those shown here. AV software must not modify any data files in the logs, database, and/or DSA working directories specified below.
Active Directory and related files:
Main NTDS database files. The location of these files is specified in:
HKLM\System\Services\NTDS\Parameters\DSA Database File
Default location is %windir%\ntds. The file to be excluded is:
NTDS.dit (on Windows 2000).
Active Directory transaction log files. The log directory on any given server is specified in:
HKLM\System\Services\NTDS\Parameters\Database Log Files Path
Default location is %windir%\ntds. The specific files to be excluded are:
EDB*.log (notice the wildcard; there can be several)
RES1.log
RES2.log
NTDS Working folder specified in:
HKLM\System\Services\NTDS\Parameters\DSA Working Directory
Specific files to be excluded are:
TEMP.edb
EDB.chk
FRS Database Log files specified in:
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\DB Log File Directory
Default location is %windir%\ntds. Files to be excluded:
FRS Working Dir\jet\log\*.log (if registry key is not set)
DB Log File Directory\log\*.log (if registry key is set)
FRS Replica_root files specified in:
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Root
Staging directory found in:
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage
FRS Preinstall directory located at:
<Replica_root>\DO_NOT_REMOVE_NtFrs_PreInstall_Directory. The Preinstall directory is always open exclusively when FRS is running.
Task: Install software
The following recommendations are general and should not be construed as more important than the specific antivirus software vendor's own recommendations. These guidelines must be followed for correct Active Directory and FRS operation.
Note
Test the chosen antivirus software solution thoroughly in a lab environment to ensure that the software does not compromise the stability of the system.
Antivirus software must be installed on all domain controllers in the enterprise. Ideally, such software should also be installed on all other server and client systems that have to interact with the domain controllers. Catching the virus at the earliest point, at the firewall, or the client system on which the virus is first introduced is best; that will prevent the virus from ever reaching the infrastructure systems upon which all clients depend.
Use a version of antivirus software that is confirmed to work with Active Directory and uses the correct APIs for accessing files on the server. Older versions of most vendors' software inappropriately modified file metadata as it was scanned, causing the FRS replication engine to think the file was changed and to schedule it for replication. Newer versions prevent this problem. Refer to Knowledge Base article Q815263 and to the vendor-specific sites for compliant versions.
Prevent the use of domain controller systems as general workstations. Users should not be using a domain controller to surf the Web or perform any other activities that could allow the introduction of malicious code.
When possible, do not use the domain controller as a file sharing server. Virus scanning software must be run against all files in those shares and could place an unsatisfactory load on the processor and memory resources of the server.
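The exclusion task above tells you to resolve the NTDS and FRS paths from the registry on each domain controller rather than excluding by extension. The following PowerShell is an added example, not part of the Operations Guide or any vendor's product: run locally on a DC with administrative rights, it reads those registry values (the value names used are the real ones under the NTDS and NtFrs Parameters keys) and emits the exact file and folder paths to hand to the antivirus product. Keys that do not exist (for example NtFrs on a DC without FRS) are skipped.

```powershell
# Added example (not from the Operations Guide). Run on the domain controller itself.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$frs  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'

function Get-RegValue {
    # Returns the (expanded) value, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-DcAntivirusExclusions {
    $ex = New-Object 'System.Collections.Generic.List[string]'

    # NTDS database, transaction logs and working directory: exclude the named files,
    # not the whole folder and never by extension.
    $dbFile  = Get-RegValue $ntds 'DSA Database file'       # e.g. C:\Windows\NTDS\ntds.dit
    $logPath = Get-RegValue $ntds 'Database log files path' # e.g. C:\Windows\NTDS
    $workDir = Get-RegValue $ntds 'DSA Working Directory'   # e.g. C:\Windows\NTDS
    if ($dbFile)  { $ex.Add($dbFile) }
    if ($logPath) { 'EDB*.log', 'RES1.log', 'RES2.log' | ForEach-Object { $ex.Add((Join-Path $logPath $_)) } }
    if ($workDir) { 'TEMP.edb', 'EDB.chk' | ForEach-Object { $ex.Add((Join-Path $workDir $_)) } }

    # FRS jet database logs: the location depends on whether 'DB Log File Directory' is set.
    $frsWork  = Get-RegValue $frs 'Working Directory'
    $frsDbLog = Get-RegValue $frs 'DB Log File Directory'
    if ($frsDbLog)    { $ex.Add((Join-Path $frsDbLog 'log\*.log')) }
    elseif ($frsWork) { $ex.Add((Join-Path $frsWork 'jet\log\*.log')) }

    # Per replica set: root, staging folder and the always-locked preinstall directory.
    $setsKey = Join-Path $frs 'Replica Sets'
    if (Test-Path $setsKey) {
        Get-ChildItem $setsKey | ForEach-Object {
            $root  = Get-RegValue $_.PSPath 'Replica Set Root'
            $stage = Get-RegValue $_.PSPath 'Replica Set Stage'
            if ($root) {
                $ex.Add($root)
                $ex.Add((Join-Path $root 'DO_NOT_REMOVE_NtFrs_PreInstall_Directory'))
            }
            if ($stage) { $ex.Add($stage) }
        }
    }
    return $ex | Sort-Object -Unique
}

$exclusions = Get-DcAntivirusExclusions
"Antivirus exclusions for $env:COMPUTERNAME (review before applying):"
$exclusions
# For Microsoft Defender the list can be applied with:
#   $exclusions | ForEach-Object { Add-MpPreference -ExclusionPath $_ }
# For other products, transcribe the paths into the vendor's exclusion policy.
```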
Optimizing Quadrant
Availability Management SMF
Infrastructure Role Cluster
As Needed
Process: Add a global catalog
Description
Designate global catalog servers in sites to accommodate forest-wide directory searching and so that Active Directory can determine universal group membership of native-mode domain clients.
Purpose
Adding a global catalog improves the speed of logging on and searching.
Guidelines
To improve the speed of logging on and searching, place at least one global catalog server in each site, and at least two global catalog servers if the site has multiple domain controllers. As a best practice, make half of all domain controllers in a site global catalog servers if the site contains more than three domain controllers. If your deployment uses a single global domain, configure all domain controllers as global catalog servers. In a single-domain forest, configuring all domain controllers as global catalog servers requires no additional resources.
When placing global catalog servers, primary concerns are:
Does any site have no global catalog servers?
Which domain controllers are designated as global catalog servers in a particular site?
When you add a global catalog server to a site, the Knowledge Consistency Checker (KCC) updates the replication topology, after which replication of partial domain directory partitions that are available within the site begins. Replication of partial domain directory partitions that are available only from other sites begins at the next scheduled interval. Adding subsequent global catalog servers within a site requires only intrasite replication and may not affect the wide area network. Replication of the global catalog potentially affects network performance only when adding the first global catalog server in the site, and the impact varies depending on the following conditions:
The speed and reliability of the wide area network (WAN) link or links to the site.
The size of the forest.
Task: Add the global catalog to a domain controller
When conditions in a site warrant adding a global catalog server, you can configure a domain controller to be a global catalog server. Selecting the global catalog setting on the NTDS Settings object prompts the KCC to update the topology. After the topology is updated, read-only partial domain directory partitions are replicated to the designated domain controller. When replication must occur between sites to create the global catalog, the site link schedule determines when replication can occur.
Minimum hardware requirements for global catalog servers depend upon the number of users in the site. Table 5 contains guidelines for assessing hardware requirements.
Table 5. Global Catalog Hardware Guidelines
Users in Site | Domain Controller
<= 100 | One uniprocessor PIII 500, 512 MB.
101-500 | One uniprocessor PIII 500, 512 MB.
501-1,000 | One Dual PIII 500, 1 GB.
1,001-10,000 | Two Quad PIII XEON, 2 GB.
> 10,000 users | One Quad PIII XEON, 2 GB for every 5,000 users.
When configuring a global catalog server, be sure the computer has adequate hard disk space. Use the information in Table 6 to determine how much storage to provide for the Active Directory database.
Table 6. Global Catalog Storage Requirements for the Active Directory Database
Server | Active Directory Database Storage Requirements
Domain controller | 0.4 GB of storage for each 1,000 users.
Global catalog server | 0.6 GB
For example, in a forest with two 10,000-user domains, all domain controllers need 0.4 GB of storage. All global catalog servers require 0.6 GB of storage. These requirements represent conservative estimates. For a more accurate determination of storage requirements, download and run the Active Directory Sizer Tool (ADSizer.exe). You can download the ADSizer.exe tool from the Active Directory Sizer Tool link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
Occupancy Levels and Global Catalog Server Readiness
The occupancy level setting on a domain controller determines the criteria for advertising itself as a global catalog server in DNS. If a global catalog server advertises itself before it has synchronized all read-only directory partition replicas, clients can receive incorrect information. The requirements of the occupancy levels are as follows (each higher level includes all levels below it):
0: No occupancy requirement.
1: An inbound connection for at least one read-only directory partition in the site of the global catalog server is added to the designated server by the KCC. Event ID 1264 in the Directory Service log signals creation of the inbound connection.
2: At least one read-only directory partition in the site is replicated to the global catalog server.
3: Inbound connections for all read-only directory partitions in the site are added by the KCC, and at least one is replicated to the server.
4: All read-only directory partitions in the site are replicated to the server.
5: Inbound connections for all read-only directory partitions in the forest are added by the KCC, and all directory partitions in the site are replicated to the server.
6: All directory partitions in the forest are replicated to the server.
Windows Server 2003: default and maximum occupancy level = 6.
Exchange 2003 servers use the global catalog exclusively when looking up addresses. Therefore, in addition to causing Active Directory client search problems, the condition of a global catalog server being advertised before it receives all partial replicas can cause Address Book lookup and mail delivery problems for Exchange clients. The Name Service Provider Interface (NSPI) must be running on a global catalog server to enable MAPI access to Active Directory. To enable NSPI, you must restart the global catalog server after replication of the partial directory partitions is complete, or after occupancy requirements are met.
Use the following procedures to add a global catalog server to a domain controller. The procedures are explained in detail in the linked topics. Some procedures are performed only when you are configuring the first global catalog server in the site.
Procedure 1: Configure a domain controller as a global catalog server
Setting the Global Catalog check box initiates the process of replicating all domains to the server.
Link to procedure.
Procedure 2: Monitor global catalog replication progress
Link to procedure.
Procedure 3: Verify successful replication to a domain controller
Check for inbound replication of all partial domain directory partitions in the forest to ensure that all domain directory partitions have replicated to the global catalog server.
Link to procedure.
Task: Verify the global catalog readiness
After replication of all forest partial domain directory partitions, the domain controller advertises as a global catalog server and begins accepting queries on ports 3268 and 3269. The default requirements in Windows Server 2003 include replication of all domain directory partitions in the forest.
If the domain controller advertises as a global catalog server before it has complete information from all domains in the forest, it might return false information to applications that begin using the server for forest-wide searches. A global catalog is ready to serve clients when the following events occur, in this order:
Occupancy level requirements are met by replicating read-only replicas.
The isGlobalCatalogReady rootDSE attribute is set to TRUE.
The Net Logon service on the domain controller has updated DNS with global-catalog-specific SRV resource records.
Procedure 1: Verify global catalog readiness
Link to procedure.
Procedure 2: Verify global catalog DNS registrations
In this procedure you will restart the global catalog server and verify global catalog DNS registrations by checking DNS for global catalog SRV resource records.
Link to procedure.
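The readiness sequence above (occupancy met, isGlobalCatalogReady TRUE, SRV records registered) can be checked from an administrative workstation in one pass. The script below is an added PowerShell example, not part of the Operations Guide: it reads the rootDSE attribute, the occupancy level the DC is configured to require (the real registry value name under NTDS\Parameters), the _gc SRV registrations for the forest, and whether port 3268 answers. It assumes the ActiveDirectory module, DNS client cmdlets, and PowerShell remoting to the DC; the DC name is a placeholder.

```powershell
# Added example (not from the Operations Guide). Placeholder: DC01.corp.example.com
param([string]$DcName = 'DC01.corp.example.com')
Import-Module ActiveDirectory

function Get-GcReadiness {
    param([string]$Server)
    $r = [ordered]@{ Server = $Server }

    # 1. rootDSE: TRUE only once the configured occupancy requirement has been met.
    $rootDse = Get-ADRootDSE -Server $Server -Properties isGlobalCatalogReady
    $r.IsGlobalCatalogReady = [bool]::Parse([string]$rootDse.isGlobalCatalogReady)

    # 2. Occupancy level the DC requires before advertising (0-6; absent value = default 6).
    $occ = Invoke-Command -ComputerName $Server -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
            -ErrorAction SilentlyContinue).'Global Catalog Partition Occupancy'
    }
    $r.OccupancyLevel = if ($null -eq $occ) { 'default (6)' } else { $occ }

    # 3. DNS: Net Logon registers GC SRV records under the forest root once the DC advertises.
    $forest  = (Get-ADForest -Server $Server).RootDomain
    $targets = foreach ($name in "_gc._tcp.$forest", "_ldap._tcp.gc._msdcs.$forest") {
        Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { $_.NameTarget.TrimEnd('.') }
    }
    $r.RegisteredInDns = @($targets) -contains $Server.TrimEnd('.')

    # 4. The GC LDAP port only opens once the DC advertises as a global catalog.
    $r.Port3268Open = (Test-NetConnection -ComputerName $Server -Port 3268 `
        -WarningAction SilentlyContinue).TcpTestSucceeded
    return [pscustomobject]$r
}

$state = Get-GcReadiness -Server $DcName
$state | Format-List

if (-not $state.IsGlobalCatalogReady) {
    "NOT READY: partial replicas are still replicating (occupancy $($state.OccupancyLevel) not met)."
    'Do not point clients or Exchange at this server yet; monitor the Directory Service log.'
} elseif (-not $state.RegisteredInDns) {
    'rootDSE reports ready but no GC SRV record names this host yet.'
    'Restart the server (required for NSPI) or the Net Logon service, then re-run this check.'
} else {
    "READY: $DcName advertises as a global catalog and is registered in DNS for $((Get-ADForest).RootDomain)."
}
```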
Optimizing Quadrant
Capacity Management SMF
Infrastructure Role Cluster
As Needed
Process: Removing the global catalog from a domain controller
Description
When you remove the global catalog, the domain controller immediately stops advertising as a global catalog server and stops listening on the global catalog ports. It also attempts to remove the DNS records it registered previously. The KCC gradually removes the read-only replicas from the domain controller.
Purpose
Upgrading from Windows 2000 Server to Windows Server 2003 adds many new features, including universal group caching. Universal group caching may eliminate the requirement for the global catalog on a domain controller in a particular site, motivating the removal.
Task: Remove a global catalog
The procedure to remove the global catalog is simply to clear the Global Catalog check box on the NTDS Settings object properties page. As soon as you perform this step, the domain controller stops advertising itself as a global catalog server (Net Logon de-registers the global catalog-related records in DNS) and immediately stops accepting LDAP requests over ports 3268 and 3269. When you remove the global catalog from a domain controller, the KCC begins removing the read-only replicas one at a time by means of an asynchronous process that removes objects gradually over time. Each time the KCC runs (every 15 minutes by default), it attempts the removal of the read-only replica until there are no remaining objects.
Use the following procedures to remove the global catalog from a domain controller. The procedures are explained in detail in the linked topics.
Procedure 1: Clear the global catalog setting
Link to procedure.
Procedure 2: Monitor global catalog removal in Event Viewer
Link to procedure.
Optimizing Quadrant
Capacity Management SMF
Infrastructure Role Cluster
As Needed
Process: Identify global catalog servers in a site
Maintain a list of those servers that are designated as global catalog servers. Routinely check these servers to ensure that no one has changed the designation. Check other servers to ensure that no one has erroneously designated a global catalog server.
Task: Identifying a global catalog server
Use the following procedure to determine whether a domain controller is a global catalog server. The procedure is explained in detail in the linked topic.
Procedure: Determine whether a domain controller is a global catalog server
Use this procedure to check the properties on the NTDS Settings object of the respective Server object to determine whether a domain controller is a global catalog server.
Link to procedure.
Task: Identifying a site that has no global catalog servers
To quickly identify a site that has no global catalog servers, you can perform one command rather than check each server individually. You can perform this test any time you add a site, or routinely if global catalog servers can potentially be removed inappropriately.
Use the following procedure to determine whether a site has a global catalog server. The procedure is explained in detail in the linked topic.
Procedure: Determine whether a site has at least one global catalog server
To identify a site that has no global catalog servers you must determine whether a site has at least one global catalog server.
Link to procedure.
Task: Identifying sites that have universal group caching enabled
Universal group caching mitigates the need to locate a global catalog server at a site by caching universal group membership on a domain controller. Therefore, when users log on in remote offices, there is no requirement to use a WAN connection to determine universal group membership.
Procedure: Determine whether universal group caching is enabled
Link to procedure.
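The three tasks of this process (which DCs are GCs, which sites have none, which sites rely on universal group caching) are one inventory pass when done in code. The script below is an added PowerShell example, not part of the Operations Guide: it builds a per-site report across every domain in the forest, flags sites with neither a GC nor universal group caching, and compares the GC designations with a saved baseline so an unauthorised or accidental designation change shows up on the next run. It assumes the ActiveDirectory module; the baseline file path is a placeholder.

```powershell
# Added example (not from the Operations Guide). Placeholder baseline path below.
param([string]$BaselinePath = "$env:ProgramData\gc-baseline.json")
Import-Module ActiveDirectory

function Get-SiteGcReport {
    # One row per site: DCs, GCs, universal group caching flag and a finding.
    $sites = Get-ADReplicationSite -Filter * -Properties UniversalGroupCachingEnabled
    $dcs   = foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $domain
    }
    foreach ($site in $sites) {
        $inSite = @($dcs | Where-Object { $_.Site -eq $site.Name })
        $gcs    = @($inSite | Where-Object { $_.IsGlobalCatalog })
        $ugmc   = [bool]$site.UniversalGroupCachingEnabled
        $finding = if ($inSite.Count -eq 0)            { 'no domain controllers in site' }
                   elseif ($gcs.Count -eq 0 -and -not $ugmc) { 'NO GC and no universal group caching: logons depend on the WAN' }
                   elseif ($gcs.Count -eq 0)             { 'no GC; universal group caching covers logon' }
                   elseif ($inSite.Count -gt 1 -and $gcs.Count -lt 2) { 'only one GC in a multi-DC site' }
                   else                                  { 'ok' }
        [pscustomobject]@{
            Site                  = $site.Name
            DomainControllers     = ($inSite.HostName | Sort-Object) -join ','
            GlobalCatalogs        = ($gcs.HostName | Sort-Object) -join ','
            UniversalGroupCaching = $ugmc
            Finding               = $finding
        }
    }
}

function Compare-GcBaseline {
    # Writes the baseline on first run; afterwards reports designation changes per site.
    param($Report, [string]$Path)
    if (-not (Test-Path $Path)) {
        $Report | ConvertTo-Json | Set-Content -Path $Path
        return "Baseline written to $Path"
    }
    $previous = Get-Content -Path $Path -Raw | ConvertFrom-Json
    foreach ($row in $Report) {
        $old = $previous | Where-Object { $_.Site -eq $row.Site }
        if ($null -eq $old) { "NEW SITE since baseline: $($row.Site)"; continue }
        if ($old.GlobalCatalogs -ne $row.GlobalCatalogs) {
            "GC DESIGNATION CHANGED in $($row.Site): '$($old.GlobalCatalogs)' -> '$($row.GlobalCatalogs)'"
        }
    }
}

$report = Get-SiteGcReport
$report | Format-Table -AutoSize
Compare-GcBaseline -Report $report -Path $BaselinePath
```

Re-save the baseline deliberately after an approved change; otherwise the comparison keeps reporting the approved change as a deviation.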
Optimizing Quadrant
Availability SMF
Infrastructure Role Cluster
As Needed
Process: Move an operations master role
Description
Operations masters keep the directory functioning properly by performing specific tasks that no other domain controllers are permitted to perform. Because operations masters are critical to the long-term performance of the directory, they must be available to all domain controllers and desktop clients that require their services. Careful placement of your operations masters becomes more important as you add more domains and sites to build your forest. To perform these functions, the domain controllers hosting these operations master roles must be consistently available and be located in areas where network reliability is high.
Role transfer is the preferred method to move an operations master role from one domain controller to another. During a role transfer, the two domain controllers replicate to ensure that no information is lost. After the transfer completes, the previous role holder reconfigures itself so that it no longer attempts to perform as the operations master while the new domain controller assumes those duties. This prevents the possibility of duplicate operations masters existing on the network at the same time, which can lead to corruption in the directory.
Purpose
Three operations master roles exist in each domain:
The primary domain controller (PDC) emulator. The PDC emulator processes all replication requests from Microsoft Windows NT 4.0 backup domain controllers. It also processes all password updates for clients not running Active Directory-enabled client software, plus any other directory write operations.
The relative identifier (RID) master. The RID master allocates RID pools to all domain controllers to ensure that new security principals can be created with a unique identifier.
The infrastructure master. The infrastructure master for a given domain maintains a list of the security principals for any linked-value attributes.
In addition to the three domain-level operations master roles, two operations master roles exist in each forest:
The schema master, which governs all changes to the schema.
The domain naming master, which adds and removes domains and application partitions to and from the forest.
Guidelines
Design principles and best practices for initial operations master role assignment are covered in the Windows Server 2003 Deployment Kit: Planning, Testing, and Piloting Deployment Projects. Operations master role holders are placed automatically when the first domain controller in a given domain is created. The three domain-level roles are assigned to the first domain controller created in a domain. The two forest-level roles are assigned to the first domain controller created in a forest.
Reasons for moving the operations master role(s) include inadequate service performance, failure or decommissioning of a domain controller hosting an operations master role, or configuration changes made by an administrator.
Inadequate Level of Service
The PDC emulator is the operations master role that most impacts the performance of a domain controller. For clients that do not run Active Directory client software, the PDC emulator processes requests for password changes, replication, and user authentication. While providing support for these clients, the domain controller continues to perform its normal services, such as authenticating Active Directory-enabled clients. As the network grows, the volume of client requests can increase the workload for the domain controller that hosts the PDC emulator role and its performance can suffer. To solve this problem, you can transfer all or some of the master operations roles to another, more powerful domain controller. Alternately, you may choose to transfer the role to another domain controller, upgrade the hardware on the original domain controller, and then transfer the role back again.
Master Operations Role Holder Failure
In the event of a failure, you must decide if you need to relocate the operations master roles to another domain controller or wait for the domain controller to be returned to service.
Base that determination on the role that the domain controller hosts and the expected downtime.
Decommissioning of the Domain Controller
Before permanently taking a domain controller offline, transfer any operations master roles held by the domain controller to another domain controller.
Active Directory Product Operations Guide 82
Configuration Changes
Configuration changes to domain controllers or the network topology can result in the need to transfer operations master roles. Except for the infrastructure master, you can assign operations master roles to any domain controller regardless of any other tasks that the domain controller performs. Do not host the infrastructure master role on a domain controller that is also acting as a global catalog server unless all of the domain controllers in the domain are global catalog servers or unless only one domain is in the forest. If the domain controller hosting the infrastructure master role is configured to be a global catalog server, you must transfer the infrastructure master role to another domain controller. Changes to the network topology can result in the need to transfer operations master roles in order to keep them in a particular site. You can reassign an operations master role by transfer or, as a last resort, by seizure. To transfer a role to a new domain controller, ensure that the destination domain controller is a direct replication partner of the previous role holder and that replication between them is up to date and functioning properly. This minimizes the time required to complete the role transfer. If replication is sufficiently out of date, the transfer can take a while, but it eventually finishes.
Important If you must seize an operations master role, never reattach the previous role holder to the network without following the procedures in this guide. Incorrectly reattaching the previous role holder to the network can result in invalid data and corruption of data in the directory.
Guidelines for Role Placement
By improperly placing operations master role holders, you might prevent clients from changing their passwords or being able to add domains and new objects, such as Users and Groups. You might also be unable to make changes to the schema. In addition, name changes might not properly appear within group memberships that are displayed in the user interface. As your environment changes, you must avoid the problems associated with improperly placed operations master role holders. Eventually, you might need to reassign the roles to other domain controllers. Although you can assign the forest-level and domain-level operations master roles to any domain controller in the forest and domain respectively, improperly placing the infrastructure master role can cause it to function improperly. Other improper configurations can increase administrative overhead.
Requirements for Infrastructure Master Placement
Do not place the infrastructure master on a domain controller that is also a global catalog server. The infrastructure master updates the names of security principals for any domain-named linked attributes. For example, if a user from one domain is a member of a group in a second domain and the user's name is changed in the first domain, then the second domain is not notified that the user's name must be updated in the group's membership list. Because domain controllers in one domain do not replicate security principals to domain controllers in another domain, the second domain never becomes aware of the change. The infrastructure master constantly monitors group memberships, looking for security principals from other domains. If it finds one, it checks with the security principal's domain to verify that the information is updated. If the information is out of date, the infrastructure master performs the update and then replicates the change to the other domain controllers in its domain.
Two exceptions apply to this rule. First, if all the domain controllers are global catalog servers, the domain controller that hosts the infrastructure master role is insignificant because global catalogs do replicate the updated information regardless of the domain to which they belong. Second, if the forest has only one domain, the domain controller that hosts the infrastructure master role is not needed because security principals from other domains do not exist.
Recommendations for Role Placement
Although you can assign the operations master roles to any domain controller, follow these guidelines to minimize administrative overhead and ensure the performance of Active Directory. If a domain controller that is hosting operations master roles fails, following these guidelines also simplifies the recovery process. Guidelines for role placement include:
- Leave the two forest-level roles on a domain controller in the forest root domain.
- Place the three domain-level roles on the same domain controller.
- Do not place the domain-level roles on a global catalog server.
- Place the domain-level roles on a higher performance domain controller.
- Adjust the workload of the operations master role holder, if necessary.
- Choose an additional domain controller as the standby operations master for the forest-level roles and choose an additional domain controller as the standby for the domain-level roles.
Forest-level Role Placement in the Forest Root Domain
The first domain controller created in the forest is assigned the schema master and domain naming master roles. To ease administration and backup and restore procedures, leave these roles on the original forest root domain controller. Moving the roles to other domain controllers does not improve performance. Separating the roles creates additional administrative overhead when you must identify the standby operations masters and when you implement a backup and restore policy. Unlike the PDC emulator role, forest-level roles rarely place a significant burden on the domain controller. Keep these roles together to provide easy, predictable management.
Forest-level Role Placement on a Global Catalog Server
In addition to hosting the schema master and domain naming master roles, the first domain controller created in a forest also hosts the global catalog.
Domain-level Role Placement on the Same Domain Controller
The three domain-level roles are assigned to the first domain controller created in a new domain. Except for the forest root domain, leave the roles at that location. Keep the roles together unless the workload on your operations master justifies the additional management burden of separating the roles. Because all clients prior to Active Directory submit updates to the PDC emulator, the domain controller holding that role uses a higher number of RIDs. Place the PDC emulator and RID master roles on the same domain controller so that these two roles interact more efficiently. If you must separate the roles, you can still use a single standby operations master for all three roles. However, you must ensure that the standby is a replication partner of all three of the role holders. Backup and restore procedures also become more complex if you separate the roles. Special care must be taken to restore a domain controller that hosted an operations master role.
By hosting the roles on a single computer, you minimize the steps that are required to restore a role holder.
Domain-level Role Absence on a Global Catalog Server
Do not host the infrastructure master on a domain controller that is acting as a global catalog server. Because it is best to keep the three domain-level roles together, avoid putting any of them on a global catalog server.
Domain-level Role Placement on a Higher Performance Domain Controller
Host the PDC emulator role on a powerful and reliable domain controller to ensure that it is available and capable of handling the workload. Of all the operations master roles, the PDC emulator creates the most overhead on the server that is hosting the role. It has the most intensive daily interaction with other systems on the network. The PDC emulator has the greatest potential to affect daily operations of the directory.
Workload Adjustment of the Operations Master Role Holder
Domain controllers can become overloaded while attempting to service client requests on the network, manage their own resources, and handle any specialized tasks such as performing the various operations master roles. This is especially true of the domain controller holding the PDC emulator role. Again, clients prior to Active Directory and domain controllers running Windows NT 4.0 rely more heavily on the PDC emulator than Active Directory clients and Windows 2000 Server domain controllers. If your networking environment has clients and domain controllers prior to Active Directory, you might need to reduce the workload of the PDC emulator. If a domain controller begins to indicate that it is overloaded and its performance is affected, you can reconfigure the environment so that some tasks are performed by other, less-used domain controllers.
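The placement guidelines above can be audited automatically. The following is an added example, not part of this guide, written against the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later rather than the Windows Server 2003 tools the guide describes); it reads the current role holders and reports which guidelines they violate.

```powershell
# Added example (not from the guide): audit current operations master
# placement against the guidelines in this section.
# Requires the ActiveDirectory module (RSAT) and read access to the forest.
Import-Module ActiveDirectory

function Test-OperationsMasterPlacement {
    [CmdletBinding()]
    param(
        # DNS name of the domain to audit; defaults to the computer's domain.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $forest   = Get-ADForest
    $dom      = Get-ADDomain -Identity $Domain
    $dcs      = @(Get-ADDomainController -Filter * -Server $Domain)
    $findings = New-Object System.Collections.Generic.List[string]

    # Current holders, as fully qualified host names.
    $holders = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }
    $singleDomainForest = (@($forest.Domains).Count -eq 1)
    $allDcsAreGc        = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })

    # Guideline: leave the two forest-level roles together in the forest root.
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        $holderDomain = $holders[$role] -replace '^[^.]+\.', ''
        if ($holderDomain -ne $forest.RootDomain) {
            $findings.Add("$role is on $($holders[$role]), outside the forest root domain.")
        }
    }
    if ($holders.SchemaMaster -ne $holders.DomainNamingMaster) {
        $findings.Add('Schema master and domain naming master are on different domain controllers.')
    }

    # Guideline: keep the three domain-level roles on the same domain controller.
    $domainHolders = @($holders.PDCEmulator, $holders.RIDMaster, $holders.InfrastructureMaster | Sort-Object -Unique)
    if ($domainHolders.Count -gt 1) {
        $findings.Add("Domain-level roles are split across $($domainHolders -join ', ').")
    }

    # Requirement: the infrastructure master must not be a global catalog server,
    # unless every DC in the domain is a GC or the forest has only one domain.
    $imDc = $dcs | Where-Object { $_.HostName -eq $holders.InfrastructureMaster }
    if ($imDc.IsGlobalCatalog -and -not $allDcsAreGc -and -not $singleDomainForest) {
        $findings.Add("Infrastructure master $($imDc.HostName) is a global catalog server; " +
                      'cross-domain group membership names will not be updated.')
    }

    # Guideline: do not place the other domain-level roles on a GC either.
    foreach ($role in 'PDCEmulator', 'RIDMaster') {
        $dc = $dcs | Where-Object { $_.HostName -eq $holders[$role] }
        if ($dc.IsGlobalCatalog) {
            $findings.Add("$role is hosted on global catalog server $($dc.HostName).")
        }
    }

    [pscustomobject]@{
        Domain    = $Domain
        Holders   = $holders
        Findings  = $findings
        Compliant = ($findings.Count -eq 0)
    }
}

# Usage: audit the current domain and print any findings.
$audit = Test-OperationsMasterPlacement
$audit.Holders
if ($audit.Compliant) { 'Placement follows the guidelines.' } else { $audit.Findings }
```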
By adjusting the domain controller's weight in the DNS environment, you can configure the domain controller to receive fewer client requests than other domain controllers on your network. Optionally, you can adjust the domain controller's priority in the DNS environment so that it processes client requests only if other DNS servers are unavailable. With fewer DNS client requests to process, the domain controller can use more resources to perform operations master services for the domain.
Task: Designating a domain controller for an operations master role
When you create a new domain, the Active Directory Installation Wizard automatically assigns all of the domain-level operations master roles to the first domain controller that is created in that domain. When you create a new forest, the wizard also assigns the two forest-level operations master roles to the first domain controller. After the domain is created and functioning, you might transfer various operations master roles to different domain controllers to optimize performance and simplify administration. The transfer of forest-level and domain-level operations master roles is performed as needed and is governed by the guidelines for placing operations master roles. Before you transfer an operations master role, use Repadmin.exe with the /showreps option to ensure that replication between the current role holder and the domain controller assuming the role is updated. In addition, you must determine if the domain controller that you intend to assume an operations master role is a global catalog server. However, the infrastructure master for each domain must not host the global catalog. Do not change the global catalog configuration on the domain controller that you intend to assume an operations master role unless your IT management authorizes that change.
Changing the global catalog configuration can cause changes that can take days to complete, and the domain controller might not be available during that period. Instead, transfer the operations master roles to a different domain controller that is already properly configured. The following procedures are explained in detail in the linked topics.
Procedure 1: Verify successful replication to a domain controller
Procedure 2: Determine whether a domain controller is a global catalog server
Procedure 3: Transfer the forest-level operations master roles
Procedure 4: Transfer the domain-level operations master roles
Task: Verifying the transfer of an operations master role
Once an operations master role has been transferred, verify that the transfer has occurred successfully throughout the domain. The change must be replicated to all relevant domain members in order to truly take effect. The following procedure is explained in detail in the linked topics:
Procedure 1: View the current operations master role holders
Optimizing Quadrant / Capacity Management SMF / Infrastructure Role Cluster / As Needed
Process: Reduce the workload on the PDC emulator
Description
You can configure DNS so that a domain controller is queried less frequently than others. Reducing the number of client requests helps reduce the workload on a domain controller, giving it more time to function as an operations master, and is especially important for the PDC emulator. Of all the operations master roles, the PDC role has the highest impact on the domain controller hosting that role. You might need to take steps to keep that domain controller from becoming overloaded. To receive information from the domain, a client uses DNS to locate a domain controller and then sends the request to that domain controller. By default, DNS performs rudimentary load balancing and randomizes the distribution of client requests so they are not always sent to the same domain controller. If too many client requests are sent to a domain controller while it attempts to perform other duties, such as those of the PDC emulator, it can become overloaded, which has a negative impact on performance. To reduce the number of client requests that are processed by the PDC emulator, you can adjust its weight or its priority in the DNS environment.
Purpose
In addition to processing normal domain controller load from clients, the PDC emulator must also process password changes. In order to mitigate some of the load that is caused by normal domain controller traffic, the PDC can be protected, so the load is distributed to other domain controllers that are capable of processing the requests.
Task: Adjusting the DNS weight setting
Adjusting the weight of a domain controller to a value less than that of other domain controllers reduces the number of clients that DNS refers to that domain controller. The default weight for all domain controllers is 100. By reducing this value, DNS refers clients to a domain controller less frequently based on the proportion of this value to the value of other domain controllers. For example, to configure the system so that the domain controller hosting the PDC emulator role receives requests only half as many times as the other domain controllers, configure the weight of the domain controller hosting the PDC emulator role to be 50. DNS determines the weight ratio for that domain controller to be 50/100 (50 for that domain controller and 100 for the other domain controllers). After you reduce this ratio to 1/2, DNS refers clients to the other domain controllers twice as often as it refers to the domain controller with the reduced weight setting. By reducing client referrals, the domain controller receives fewer client requests and has more resources for other tasks, such as performing the role of PDC emulator.
Procedure 1: Change the weight for DNS SRV records in the registry
Task: Adjusting the DNS priority registry setting
Adjusting the priority of the domain controller also reduces the number of client referrals. However, rather than reducing it proportionally to the other domain controllers, changing the priority causes DNS to stop referring all clients to this domain controller unless all domain controllers with a lower priority setting are unavailable.
Procedure 1: Change the priority for DNS SRV records in the registry
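The weight and priority adjustments from both tasks above, as an added PowerShell example that is not part of this guide. The registry value names LdapSrvWeight and LdapSrvPriority under the Netlogon Parameters key come from Netlogon documentation rather than from this page, and Resolve-DnsName is used to read the published SRV records back.

```powershell
# Added example (not from the guide): set the SRV weight and priority that
# Netlogon registers for this domain controller, then read back the
# published _ldap SRV records. The registry value names LdapSrvWeight and
# LdapSrvPriority are taken from Netlogon documentation; this page names
# only the procedure. Run locally on the DC as an administrator.
$netlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Set-DcSrvRegistration {
    param(
        # Relative weight; every DC defaults to 100, so 50 means half the referrals.
        [ValidateRange(0, 65535)][int]$Weight = 100,
        # Priority; default 0. Clients use a higher-numbered DC only when every
        # DC with a lower number is unavailable.
        [ValidateRange(0, 65535)][int]$Priority = 0
    )
    Set-ItemProperty -Path $netlogonParams -Name LdapSrvWeight   -Value $Weight   -Type DWord
    Set-ItemProperty -Path $netlogonParams -Name LdapSrvPriority -Value $Priority -Type DWord
    # Netlogon reads these values and re-registers its SRV records on restart.
    Restart-Service -Name Netlogon
}

function Get-DcSrvRecords {
    # Lists the DC locator SRV records for the domain with their weight and priority.
    param([string]$Domain = $env:USERDNSDOMAIN)
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Priority, Weight
}

# Worked case from the text: the PDC emulator receives half as many referrals
# as its peers (weight 50 against the default 100); priority left at 0.
Set-DcSrvRegistration -Weight 50
Get-DcSrvRecords
```

Restarting Netlogon briefly interrupts logon services on that domain controller, so schedule the change accordingly; the re-registered records appear in DNS after the zone's normal replication delay.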
Operating Quadrant / System Administration SMF / Infrastructure Role Cluster / As Needed
Process: Transferring a role holder
Description
Transferring a forest-level or domain-level operations master role may be required, depending on other operations in your environment or changes to your Active Directory infrastructure such as the addition or removal of domain controllers. This process should be performed as required and should follow Microsoft's best practices concerning operations master role placement as outlined at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/deployguide/dssbe_upnt_xlfh.asp.
Purpose
Transferring a role holder is necessary when:
- A new computer becomes available that is more capable of handling the particular operations master role.
- The role holder will be taken offline for an extended period of time.
- Topology changes make the current role holder no longer the best choice to hold that role.
- A domain controller is being decommissioned.
You cannot control which domain controller the wizard chooses, and the wizard does not indicate which domain controller receives the roles. Because of this behavior, it is best to transfer the roles prior to running the wizard.
Guidelines
When you use the Active Directory Installation Wizard to decommission a domain controller that currently hosts one or more operations master roles, the wizard reassigns the roles to a different domain controller. When the wizard is run, it determines whether the domain controller currently hosts any operations master roles. If it detects any operations master roles, it queries the directory for other eligible domain controllers and transfers the roles to a new domain controller. A domain controller is eligible to host the domain-level roles if it is a member of the same domain. A domain controller is eligible to host a forest-level role if it is a member of the same forest.
Task: Transfer to the standby operations master role
By following the recommendations for operations master role placement, the standby operations master is a direct replication partner and is ready to assume the roles. Remember to designate a new standby for the domain controller that assumes the roles. The following procedures are explained in detail in the linked topics.
Procedure 1: Verify successful replication to a domain controller
Procedure 2: Determine whether a domain controller is a global catalog server
Procedure 3: Transfer the forest-level operations master roles
Procedure 4: Transfer the domain-level operations master roles
Procedure 5: View the current operations master role holders
Process: Choose a standby operations master
Task: Transfer an operations master role when no standby is ready
If you do not follow the recommendations for role placement and you have not designated a standby operations master, you must properly prepare a domain controller to which you intend to transfer the operations master roles. Preparing the future role holder is the same process as preparing a standby operations master.
You must manually create a Connection object to ensure that it is a replication partner with the current role holder and that replication between the two domain controllers is updated. In addition, you must determine whether the domain controller intended to assume an operations master role is a global catalog server. The infrastructure master for each domain must not host the global catalog.
Do not change the global catalog configuration on the domain controller that you intend to assume an operations master role unless your IT management authorizes that change. Changing the global catalog configuration can cause changes that can take days to complete, and the domain controller might not be available during that period. Instead, transfer the operations master roles to a different domain controller that is already properly configured. The following procedures are explained in detail in the linked sections.
Procedure 1: Verify successful replication to a domain controller
Procedure 2: Determine whether a domain controller is a global catalog server
Procedure 3: Transfer the forest-level operations master roles
Procedure 4: Transfer the domain-level operations master roles
Procedure 5: View the current operations master role holders
Operating Quadrant / System Administration SMF / Infrastructure Role Cluster / As Needed
Process: Seize an operations master role
Description
Seizing a role should be done only as a last resort in order to assign a role to a different domain controller. Use this process only when the previous operations master fails and remains out of service for an extended period of time. During a role seizure, the domain controller does not verify that replication is updated, so recent changes can be lost. Because the previous role holder is unavailable during the role seizure, it cannot know that a new role holder exists. If the previous role holder comes back online, it might still assume that it is the operations master. This can result in duplicate operations master roles on the network, which can lead to corruption of data in the directory and ultimately to the failure of the domain or forest.
Purpose
Seizing an operations master role allows:
- Transfer of an operations master role to another computer when the existing operations master fails without warning.
- Transfer of an operations master role when transfer to the standby operations master was not successfully completed before the operations master was taken down (for whatever reason).
Guidelines
If a role is seized, the new role holder is configured to host the operations master role with the assumption that you do not intend to return the previous role holder to service. Use role seizure only when the previous role holder is not available and you need the operations master role to keep the directory functioning. Because the previous role holder is not available during a seizure, you cannot reconfigure the previous role holder and inform it that another domain controller is now hosting the operations master role. With Windows Server 2003, the previous role holder waits for a full replication cycle to complete successfully before it resumes the role of operations master. By waiting for a full replication cycle, it can see if another operations master exists before it brings itself back online. If the previous role holder detects that another operations master exists, it reconfigures itself so that it no longer hosts the roles in question. To reduce risk, perform a role seizure only if the missing operations master role unacceptably affects performance of the directory. Calculate the effect by comparing the impact of the missing service provided by the operations master to the amount of work that is needed to bring the previous role holder safely back online after you perform the role seizure. See Table 7 for a risk assessment of operations master roles. Active Directory continues to function when the operations master roles are not available. If the role holder is only offline for a short period, you might not need to seize the role to a new domain controller. Remember that returning an operations master to service after the role is seized can have dire consequences if it is not done properly.
Table 7. Operations Master Role Functionality Risk Assessment
(Columns: Operations Master Role; Consequences if Role Is Unavailable; Risk of Improper Restoration; Recommendation for Returning to Service After Seizure)

Schema master
  Consequences if role is unavailable: You cannot make changes to the schema.
  Risk of improper restoration: Conflicting changes can be introduced to the schema if both schema masters attempt to modify the schema at the same time. This can result in a fragmented schema.
  Recommendation for returning to service after seizure: Not recommended. Can lead to a corrupted forest and require rebuilding the entire forest.

Domain naming master
  Consequences if role is unavailable: You cannot add or remove domains from the forest.
  Risk of improper restoration: You cannot add or remove domains or clean up metadata. Domains might appear as though they are still in the forest even though they are not.
  Recommendation for returning to service after seizure: Not recommended. Can require rebuilding domains.

PDC emulator
  Consequences if role is unavailable: You cannot change passwords on pre-Active Directory clients. No replication to Windows NT 4.0 backup domain controllers.
  Risk of improper restoration: Password validation can randomly pass or fail. Password changes take much longer to replicate throughout the domain.
  Recommendation for returning to service after seizure: Allowed. User authentication can be erratic for a time, but no permanent damage occurs.

Infrastructure master
  Consequences if role is unavailable: Delays displaying updated group membership lists in the user interface when you move users from one group to another.
  Risk of improper restoration: Displays incorrect user names in group membership lists in the user interface after you move users from one group to another.
  Recommendation for returning to service after seizure: Allowed. May impact the performance of the domain controller hosting the role, but no damage occurs to the directory.

RID master
  Consequences if role is unavailable: Eventually, domain controllers cannot create new directory objects as each of their individual RID pools is depleted.
  Risk of improper restoration: Duplicate RID pools can be allocated to domain controllers, resulting in data corruption in the directory. This can lead to security risks and unauthorized access.
  Recommendation for returning to service after seizure: Not recommended. Can lead to data corruption that can require rebuilding the domain.
Task: Seizing an operations master role
Seize an operations master role only as a last resort. If at all possible, transfer an operations master role to a new domain controller instead. Seize an operations master role only if the current role owner is offline and is unlikely to return to service. Role seizure is the act of assigning an operations master role to a new domain controller without the cooperation of the current role holder (usually because it is offline due to a hardware failure). During role seizure, a new domain controller assumes the operations master role without communicating with the current role holder. Role seizure can create two conditions that can cause problems in the directory. First, the new role holder starts performing its duties based on the data located in its current directory partition. The new role holder might not receive changes that were made to the previous role holder before it went offline if replication did not complete prior to the time when the original role holder went offline. This can cause data loss or introduce data inconsistency into the directory database.
To minimize the risk of losing data to incomplete replication, do not perform a role seizure until enough time has passed to complete at least one complete end-to-end replication cycle across your network. Allowing enough time for complete end-to-end replication ensures that the domain controller that assumes the role is as up to date as possible. Second, the original role holder is not informed that it is no longer the operations master role holder, which is not a problem if the original role holder stays offline. However, if it comes back online (for example, if the hardware is repaired or the server is restored from a backup), it might try to perform the operations master role that it previously owned.
This can result in two domain controllers performing the same operations master role simultaneously. Depending on the role in question and whether your environment runs Windows 2000 Server SP2 or Windows 2000 Server SP3, this can disrupt the directory service. For example, a RID master might reallocate a duplicate RID pool, resulting in corruption of data in the directory. The severity of duplicate operations master roles varies from no visible effect to the need to rebuild the entire forest. If you are seizing a role and you have not designated another domain controller as the standby operations master, you can use Repadmin.exe with the /showreps option to identify a domain controller that has the most recent updates from the current role holder. Seize the operations master role to that domain controller to minimize the impact of the role seizure. The following procedures are explained in detail in the linked sections.
Procedure 1: Verify successful replication to a domain controller. This needs to be the domain controller that will be seizing the role.
Procedure 2: Seize the operations master role
Procedure 3: View the current operations master role holders
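The pre-checks and the role move for the transfer task (Process: Transferring a role holder) and the seizure task above, as one added PowerShell example that is not the guide's own procedure. It uses the ActiveDirectory module and Repadmin.exe /showreps (Windows Server 2008 R2 and later), assumes English repadmin output for its parsing, and the host name in the usage line is hypothetical.

```powershell
# Added example (not the guide's own procedure): pre-transfer checks and the
# role move for the transfer and seizure tasks. Uses the ActiveDirectory
# module plus Repadmin.exe /showreps, and assumes English repadmin output.
# Host names in the usage line are hypothetical.
Import-Module ActiveDirectory

function Get-ReplicationStatus {
    # Runs repadmin /showreps on a DC and returns its inbound partners
    # (NetBIOS names) and any line reporting a failed last attempt.
    param([Parameter(Mandatory)][string]$DomainController)
    $lines = @(& repadmin.exe /showreps $DomainController 2>&1 | ForEach-Object { "$_" })
    if ($LASTEXITCODE -ne 0) { throw "repadmin /showreps $DomainController failed: $($lines -join ' ')" }
    [pscustomobject]@{
        # Partner lines look like "Default-First-Site-Name\DC01 via RPC".
        Partners = @($lines | ForEach-Object { if ($_ -match '^\s*\S+\\(\S+) via ') { $Matches[1] } } |
                    Sort-Object -Unique)
        Failures = @($lines | Where-Object { $_ -match 'Last attempt .* failed' })
    }
}

function Move-OperationsMasterRoles {
    param(
        [Parameter(Mandatory)][string]$Target,
        [string[]]$Roles = @('PDCEmulator', 'RIDMaster', 'InfrastructureMaster'),
        # Seize only as a last resort, when the holder will not return (Table 7).
        [switch]$Seize
    )
    $dc     = Get-ADDomainController -Identity $Target
    $forest = Get-ADForest -Server $Target
    $domain = Get-ADDomain -Server $Target

    # Placement rule: the infrastructure master must not be on a GC in a
    # multi-domain forest (the all-DCs-are-GCs exception is not checked here).
    if ($Roles -contains 'InfrastructureMaster' -and $dc.IsGlobalCatalog -and @($forest.Domains).Count -gt 1) {
        throw "$Target is a global catalog server; do not give it the infrastructure master role."
    }

    # Replication to the target must be healthy before any role moves.
    $status = Get-ReplicationStatus -DomainController $Target
    if ($status.Failures.Count -gt 0) {
        throw "Replication to $Target reports failures:`n$($status.Failures -join "`n")"
    }

    # Current holder of each requested role.
    $holders = @{}
    foreach ($role in $Roles) {
        $holders[$role] = switch ($role) {
            'SchemaMaster'       { $forest.SchemaMaster }
            'DomainNamingMaster' { $forest.DomainNamingMaster }
            default              { $domain.$role }
        }
    }

    foreach ($entry in $holders.GetEnumerator()) {
        $holderNetbios = ($entry.Value -split '\.')[0]
        if ($holderNetbios -eq $dc.Name) { continue }   # already held by the target
        $isPartner = $status.Partners -contains $holderNetbios
        if ($Seize) {
            # Refuse to seize while the current holder still answers LDAP;
            # a reachable holder should be transferred, not seized.
            if (Test-NetConnection -ComputerName $entry.Value -Port 389 -InformationLevel Quiet) {
                throw "$($entry.Key) holder $($entry.Value) is reachable; transfer instead of seizing."
            }
            if (-not $isPartner) {
                Write-Warning "$Target was not a direct partner of $($entry.Value); recent changes may be lost."
            }
        } elseif (-not $isPartner) {
            throw "$Target is not a direct replication partner of $($entry.Key) holder $($entry.Value)."
        }
    }

    $params = @{ Identity = $dc; OperationMasterRole = $Roles; Confirm = $false }
    if ($Seize) { $params.Force = $true }   # -Force performs a seizure
    Move-ADDirectoryServerOperationMasterRole @params

    # Verify the new holders as seen by the target itself.
    Get-ADForest -Server $Target | Select-Object SchemaMaster, DomainNamingMaster
    Get-ADDomain -Server $Target | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
}

# Usage (hypothetical host): transfer the three domain-level roles.
Move-OperationsMasterRoles -Target 'DC02.corp.example'
```

After a seizure, the former holder must stay off the network until it has been cleaned up as described in this guide; the reachability check above only prevents seizing from a holder that is still online.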
Operating Quadrant / System Administration SMF / Infrastructure Role Cluster / As Needed
Process: Choose a standby operations master
Description
The standby operations master is a domain controller that you identify as the computer that assumes the operations master role if the original computer fails. You do not need to perform any special configuration steps or run any type of setup utilities to make a domain controller a standby operations master. This precautionary planning step helps make your operation more resilient if a problem arises that requires you to reassign an operations master role to a new domain controller. Ensure that the standby operations master is a direct replication partner of the actual operations master. If the standby operations master domain controller is a direct replication partner of the original operations master, it most likely contains the most recent changes to the domain. This reduces the time required to transfer the role to the standby operations master and, in the case of a failure, reduces the chances of losing information. Even if replication is not totally complete, only a few outstanding updates exist. Those outstanding updates can be replicated by a normal replication cycle rather than requiring a full synchronization, which replicates all of the account information in the partition. To guarantee that the two domain controllers are replication partners, you must manually create a connection object between them. Although creating manual connection objects is not generally recommended, in this one case it is necessary because it is so important that these two domain controllers be replication partners. If you must reassign the domain-level operations master roles to the standby operations master, do not place the infrastructure master role on a global catalog server.
Purpose
Choosing a standby operations master enables another domain controller to assume an operations master role if the domain controller to which it was originally assigned fails. This ensures that the domain controller with a particular operations master role is not a single point of failure for that role.
Task: Choosing a standby operations master
A single domain controller can act as the standby operations master for all of the operations master roles in a domain, or you can designate a separate standby for each operations master role. No utilities or special steps are required to designate a domain controller as a standby operations master. However, the current operations master and the standby should be well connected. This means that the network connection between them must support at least a 10-megabit transmission rate and be available at all times. In addition, configure the current role holder and the standby as direct replication partners by manually creating a Connection object between them. Configuring a replication partner can save some time if you must reassign any operations master roles to the standby operations master. Before transferring a role from the current role holder to the standby operations master, ensure that replication between the two computers is functioning properly. Because they are replication partners, the new operations master is as updated as the original operations master, thus reducing the time required for the transfer operation. To determine whether the standby domain controller received the latest replicated updates from the current operations master, use Repadmin.exe with the /showreps option. During role transfer, the two domain controllers exchange any unreplicated information to ensure that no transactions are lost.
If the two domain controllers are not direct replication partners, a substantial amount of information might need to be replicated before the domain controllers completely synchronize with each other. The role transfer requires extra time to replicate the outstanding transactions. If the two domain controllers are direct replication partners, fewer outstanding transactions exist and the role transfer operation completes sooner.

Designating a domain controller as a standby also minimizes the risk involved in a role seizure. By making the operations master and the standby direct replication partners, you reduce the chance of data loss in the event of a role seizure, thereby reducing the chances of introducing corruption into the directory.

When you designate a domain controller as the standby, follow all recommendations that are discussed in Guidelines for Role Placement earlier in this guide. To designate a standby for the forest-level roles, choose a global catalog server so it can interact more efficiently with the domain naming master. To designate a standby for the domain-level roles, ensure that the domain controller is not a global catalog server so that the infrastructure master continues to function properly if you must transfer the roles.

Active Directory Product Operations Guide 98

Manually create a connection object between the operations master and the designated standby operations master to ensure that replication occurs between the two domain controllers.

The following procedures are explained in detail in the linked sections.

Procedure 1: Determine whether a domain controller is a global catalog server
Link to procedure.

Procedure 2: Create a Connection object
Link to procedure.
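The guide's check (Repadmin.exe against the standby to confirm it has recently replicated from the current role holder) can be automated. The following PowerShell function is an added example, not part of the guide: it parses the CSV form of repadmin /showrepl <dc> /csv (the /csv switch and its column names are assumed to exist in your repadmin build), confirms that the expected partner is a direct inbound source for the domain partition, and flags failures or a stale last success. The same check serves the appendix procedure "Allow this computer to replicate with all its partners"; the sample output, server names and times are constructed.

```powershell
# Added example; not part of the guide. Evaluates the CSV output of
# "repadmin /showrepl <dc> /csv" (the /csv switch and its column names are
# assumed to exist in your repadmin build) for one expected inbound partner.
function Test-ReplicationPartner {
    param(
        [Parameter(Mandatory = $true)][string[]]$ShowReplCsv,  # captured repadmin CSV lines
        [Parameter(Mandatory = $true)][string]$SourceDsa,      # expected inbound partner
        [Parameter(Mandatory = $true)][string]$NamingContext,  # e.g. DC=corp,DC=contoso,DC=com
        [datetime]$Now = (Get-Date),                           # injectable for repeatable checks
        [int]$MaxAgeHours = 1                                  # oldest acceptable successful sync
    )

    # repadmin tags the header row "showrepl_COLUMNS" and data rows "showrepl_INFO";
    # ConvertFrom-Csv uses the first row as the header, so the tag is just another column.
    $rows = @($ShowReplCsv | ConvertFrom-Csv)

    # A direct inbound partner for the naming context appears as exactly one row.
    $hits = @($rows | Where-Object {
        $_.'Naming Context' -eq $NamingContext -and $_.'Source DSA' -eq $SourceDsa
    })

    if ($hits.Count -eq 0) {
        return [pscustomobject]@{
            SourceDsa     = $SourceDsa
            DirectPartner = $false
            Healthy       = $false
            LastSuccess   = $null
            Failures      = $null
            Reason        = "$SourceDsa is not a direct inbound partner for $NamingContext; create a Connection object between the two domain controllers"
        }
    }

    $row      = $hits[0]
    $failures = [int]$row.'Number of Failures'
    $lastOk   = [datetime]::Parse($row.'Last Success Time')
    $ageHours = ($Now - $lastOk).TotalHours

    $reason = 'replication from this partner is current'
    if ($failures -gt 0) {
        $reason = "$failures consecutive failure(s), last status $($row.'Last Failure Status')"
    } elseif ($ageHours -gt $MaxAgeHours) {
        $reason = "last successful sync is $([math]::Round($ageHours, 1)) hours old"
    }

    [pscustomobject]@{
        SourceDsa     = $SourceDsa
        DirectPartner = $true
        Healthy       = ($failures -eq 0 -and $ageHours -le $MaxAgeHours)
        LastSuccess   = $lastOk
        Failures      = $failures
        Reason        = $reason
    }
}

# Constructed sample of "repadmin /showrepl DC2 /csv" taken on DC2, the standby.
# DC1 (current role holder) is a healthy direct partner; DC3 is failing.
$sampleCsv = @(
    'showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status',
    'showrepl_INFO,Default-First-Site-Name,DC2,"DC=corp,DC=contoso,DC=com",Default-First-Site-Name,DC1,RPC,0,0,2004-05-10 10:15:00,0',
    'showrepl_INFO,Default-First-Site-Name,DC2,"DC=corp,DC=contoso,DC=com",Branch-Site,DC3,RPC,3,2004-05-10 09:50:00,2004-05-09 22:00:00,1722'
)
$checkTime = [datetime]'2004-05-10 10:30:00'
$nc = 'DC=corp,DC=contoso,DC=com'

# On the live standby you would capture the real output with:
#   $csv = repadmin /showrepl DC2 /csv
# DC1 reports Healthy, DC3 reports failures, DC4 is not a direct partner at all.
foreach ($partner in 'DC1', 'DC3', 'DC4') {
    Test-ReplicationPartner -ShowReplCsv $sampleCsv -SourceDsa $partner -NamingContext $nc -Now $checkTime
}
```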
4 Processes by MOF Role Clusters

This chapter is designed for those who want to see all processes for a single role cluster in one place. The information is the same as that in the previous two chapters. The only difference is that the processes are ordered by MOF role cluster.

Operations Role Cluster

Daily Processes
There are no daily processes for this role cluster.

Weekly Processes
Back up Active Directory

Monthly Processes
There are no monthly processes for this role cluster.

As-Needed Processes
Rename a domain controller
Authoritative restore for Active Directory objects
Non-authoritative restore of Active Directory
Recovering a domain controller through reinstallation
Support Role Cluster

There are no daily, weekly, monthly, or as-needed processes for this role cluster.

Release Role Cluster

Daily Processes
There are no daily processes for this role cluster.

Weekly Processes
There are no weekly processes for this role cluster.

Monthly Processes
There are no monthly processes for this role cluster.

As-Needed Processes
Installing a domain controller for an existing domain
Removing Active Directory
Infrastructure Role Cluster

Daily Processes
There are no daily processes for this role cluster.

Weekly Processes
There are no weekly processes for this role cluster.

Monthly Processes
There are no monthly processes for this role cluster.

As-Needed Processes
Transferring a role holder
Seize an operations master role
Choose a standby operations master
Managing the SYSVOL
Managing sites
Move an operations master role
Manage the Active Directory database
Add a global catalog
Manage the Windows Time service
Managing trusts
Removing the global catalog from a domain controller
Identify global catalog servers in a site
Reduce the workload on the PDC emulator
Security Role Cluster

Daily Processes
There are no daily processes for this role cluster.

Weekly Processes
There are no weekly processes for this role cluster.

Monthly Processes
There are no monthly processes for this role cluster.

As-Needed Processes
Manage antivirus software on domain controllers
Partner Role Cluster

There are no daily, weekly, monthly, or as-needed processes for this role cluster.
5 Appendix: Procedure Details

This chapter gives step-by-step information for the procedures listed in Chapter 3 of this guide.

Procedure: Back up system state

The following procedure backs up system state only. It does not back up the system disk or any other data on the domain controller.

Procedure Requirements

To back up system state, you can log on at the local computer, or you can enable Terminal Services in Remote Administration mode on the remote domain controller.

Credentials: Domain administrator, local administrator, or backup operator
Tool: Backup
Procedure Steps

To back up the system state on a domain controller

1. Log on to the domain controller by using the account that has domain administrator or backup operator credentials.
2. Start the Windows Backup Wizard. From a command prompt or the Run text box, type ntbackup and press ENTER.
-or-
Go to Start > Programs > Accessories > System Tools > Backup.
3. By default, the Always Start in Wizard Mode check box is checked. You can leave this option selected, and click Next.
4. Select the Back up files and settings option, and then click Next.
5. Select the Let me choose what to back up option, and then click Next.
6. In the Items to Back Up window, expand My Computer by clicking the plus sign.
7. From the expanded list below My Computer, check the System State option, and then click Next.
8. Select a location to store the backup. If you are backing up to a file, type the path and filename for the backup (.bkf) file (or click the Browse button to find a folder or file). If you are backing up to a tape unit, choose the tape that you wish to use.
Note You should not store the backup on the local hard drive. Instead, you should store it in an off-machine location, such as a tape drive.
9. Enter a name for this backup, and click Next.
10. On the last page of the wizard, select Advanced.
11. Do not change the default options for Type of Backup. Normal should be selected, and the check box should remain cleared for Backup migrated remote storage data. Click Next.
12. Check the Verify data after backup option, and then click Next.
13. In the Backup Options dialog box, select a backup option, and then click Next.
14. Allow only the owner and administrator access to the backup data and to any backups appended to this medium; click Next.
15. In the When to back up box, select the appropriate option for your needs, and click Next.
16. If you are satisfied with all of the options selected, click Finish to perform the backup operation according to your selected schedule.
Note The system state can also be backed up using backup from a command line with appropriate parameters. For more information, refer to the command-line reference accessible by typing ntbackup -? from a command prompt.
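The wizard choices above map onto ntbackup command-line switches, which is what a scheduled or scripted backup would use. The following PowerShell wrapper is an added example, not part of the guide: it refuses a local destination (as the earlier Note advises), runs ntbackup with the switches matching steps 11, 12 and 14, waits for it to finish, and confirms that a non-empty .bkf file was produced. The destination share and file naming are assumptions.

```powershell
# Added example; not part of the guide. Runs ntbackup.exe with the switches that
# correspond to the wizard steps above. The destination share is an assumption.
function Backup-SystemState {
    param(
        [Parameter(Mandatory = $true)][string]$Destination,  # UNC path on another machine
        [string]$JobName = 'SystemState'
    )

    # The Note above says not to keep the backup on the local disk: insist on a UNC path.
    if (-not $Destination.StartsWith('\\')) {
        throw "Destination '$Destination' is not a UNC path to an off-machine location"
    }
    if (-not (Test-Path -LiteralPath $Destination)) {
        throw "Destination '$Destination' is not reachable"
    }

    $stamp   = Get-Date -Format 'yyyyMMdd-HHmm'
    $bkfFile = Join-Path $Destination "$env:COMPUTERNAME-systemstate-$stamp.bkf"

    # Switch-to-wizard mapping:
    #   /M normal  Type of Backup: Normal (step 11)
    #   /RS:no     "Backup migrated remote storage data" left cleared (step 11)
    #   /V:yes     Verify data after backup (step 12)
    #   /R:yes     Allow only the owner and administrator access (step 14)
    #   /L:s       write a summary log for the job
    $ntbArgs = @('backup', 'systemstate',
                 '/J', "`"$JobName $stamp`"",
                 '/F', "`"$bkfFile`"",
                 '/M', 'normal', '/RS:no', '/V:yes', '/R:yes', '/L:s')

    # ntbackup is a Windows-subsystem program, so wait for it explicitly.
    $proc = Start-Process -FilePath 'ntbackup.exe' -ArgumentList $ntbArgs -Wait -PassThru -NoNewWindow

    $bkf = Get-Item -LiteralPath $bkfFile -ErrorAction SilentlyContinue
    if ($null -eq $bkf -or $bkf.Length -eq 0) {
        throw "ntbackup did not produce '$bkfFile' (exit code $($proc.ExitCode))"
    }

    [pscustomobject]@{
        File       = $bkf.FullName
        SizeMB     = [math]::Round($bkf.Length / 1MB, 1)
        ExitCode   = $proc.ExitCode
        VerifyUsed = $true   # /V:yes was passed; the ntbackup summary log records the verify result
    }
}

# Example call from an account with backup operator rights (share name is assumed):
# Backup-SystemState -Destination '\\backupsrv\adbackups'
```

Check the summary log that ntbackup writes for the job before trusting the backup; the script only confirms that a file was produced.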
Procedure: Back up system state and the system disk

The following procedure backs up both system state and the system disk.

Procedure Requirements

To back up system state, you must log on at the local computer, or you must enable Terminal Services in Remote Administration mode on the remote domain controller.

Credentials: Domain administrator, local administrator, or backup operator
Tool: Backup.exe

Procedure Steps

To back up system state and the system disk on a domain controller

1. Log on to the domain controller by using an account that has domain administrator, local administrator, or backup operator credentials.
2. Start the Windows Backup Wizard by choosing one of the following options: Open a command prompt, type ntbackup and press ENTER.
-or-
Go to Start > Programs > Accessories > System Tools > Backup.
3. Click the Backup Wizard button, and then click Next.
4. Select Back up selected files, drives, or network data.
5. In Items to Back Up, click System State to select it. Then select the drive letter containing the system files, and click the system disk. Click Next.
6. In the Where to Store the Backup box, select the backup media type by choosing one of the following options: Choose File if you want to back up to a file. If you do not have a tape backup unit installed, File is selected automatically.
-or-
Choose a tape device if you want to back up to tape.
7. In the Backup Media or File Name box, choose one of the following options: If you are backing up to a file, type a path and file name for the backup (.bkf) file, or click the Browse button to find a folder or file. If the destination folder or file does not exist, the system creates it.
-or-
If you are backing up to a tape unit, choose the tape that you want to use.
8. After you click Next, the Completing the Backup Wizard screen appears. This screen summarizes the options selected for this backup job. Verify that Prompt to replace data is listed in the How category. If it is not, click the Advanced button, click Next until you reach the Media Options screen, and then select Replace the data on the media with this backup.
9. Complete the remaining wizard screens, and click Finish to begin the backup operation. When a Replace Data dialog box appears, click Yes to overwrite the existing backup on this tape or file path with this backup. A progress indicator shows the status of the backup operation.
Procedure: Restart the domain controller in Directory Services Restore Mode

To take a domain controller offline, restart it in Directory Services Restore Mode and log on as the local administrator. If you have physical access to the domain controller, you can start in Directory Services Restore Mode locally. When you start Windows Server 2003 in Directory Services Restore Mode, the local Administrator account is authenticated by the local Security Accounts Manager (SAM) database. Therefore, logging on requires using the local administrator password, not an Active Directory domain password.

Procedure Requirements

Credentials: Directory Services Restore Mode administrator
Tool: None
Procedure Steps

To locally restart in Directory Services Restore Mode

1. Restart the domain controller.
2. When the screen for selecting an operating system appears, press F8.
3. From the Windows Advanced Options menu, select Directory Services Restore Mode.
4. When prompted, log on as the local administrator.
Procedure: Allow this computer to replicate with all its partners

Procedure Steps

To allow this computer to replicate with all its partners

1. Open the command prompt.
2. Find the outbound partners for this domain controller by typing repadmin /showrepl /repsto <local domain controller name> and press ENTER.
This repadmin command outputs a list that contains information about all of the outbound neighbors. For each neighbor, verify that the last synchronization attempt was successful and has a time stamp that indicates it has replicated since the restore.
3. If replication has not been successful, you can force replication between this domain controller and its outbound partners rather than waiting for the next replication cycle. From a command prompt, run repadmin /syncall /ed /A /P /q.
4. Check for replication errors in the output of the command in the previous step. If there are no errors, then replication has been successful. Any replication errors that exist must be rectified in order for replication to be completed.

Procedure: Restore from backup media

Use a good backup containing at least the system state and system disk to restore the server. By performing a non-authoritative restore on Active Directory, you automatically perform a non-authoritative restore of SYSVOL. No additional steps are required.

Procedure Requirements

To restore system state, you must log on at the local computer, or you must enable Terminal Services in Remote Administration mode on the remote domain controller.

Credentials: local Administrator account
Tool: Backup.exe
Procedure Steps

To restore from backup media

1. In Directory Services Restore Mode, start the Windows Server 2003 backup utility. Go to Start > Programs > Accessories > System Tools > Backup.
2. Click the Restore Wizard button, and then click Next.
3. Select the appropriate backup location and ensure that at least the System disk and System State containers are selected.
4. Click the Advanced button.
5. In the Restore Files to list, select Original Location, and then click Next.
6. In the Advanced Restore Options window, check the boxes for:
Restore security.
Restore junction points, and restore the file and folder data under the junction points to the original location.
Preserve existing volume mount points.
For a primary restore of SYSVOL, also check the following box: When restoring replicated data sets, mark the restored data as the primary data for all replicas. A primary restore is only required if the domain controller you are restoring is the only domain controller in the domain. A primary restore is required on the first domain controller being restored in a domain if you are restoring the entire domain or forest.
7. Click Finish.
8. When the restore is complete, click Close, and then click Yes to restart the computer.
The system will now restart and will replicate any new information received since the last backup with its replication partners.

Procedure: Turn off inbound replication using repadmin

This step is required only if the domain, or forest functional level, is Windows 2000 native mode or earlier. By turning off inbound replication, you ensure that changes to group membership originate from the restored domain controller, rather than having the changes overwritten.

Procedure Steps

To turn off inbound replication using repadmin

1. From a command prompt or the Run text box, type repadmin /options +DISABLE_INBOUND_REPL and then press ENTER.
2. Verify that the option is set. You should get this message: repadmin running command /options against server localhost.
Procedure: Turn on inbound replication

Procedure Steps

To turn on inbound replication using repadmin

1. From a command prompt or the Run text box, type repadmin /options -DISABLE_INBOUND_REPL and then press ENTER.
2. Verify that the option is set. You should get this message: repadmin running command /options against server localhost.

Procedure: Mark the application partition as authoritative

Once the data has been restored from backup, you must select which objects are to be marked authoritative in order to have them replicated to other domain controllers.

Procedure Steps

To mark the application partition as authoritative

1. From a command prompt or the Run text box, type ntdsutil to start the tool.
2. At the ntdsutil: prompt, type authoritative restore and press ENTER. For assistance with the Ntdsutil command-line tool, type help at any time.
3. Type List NC CRs and press ENTER. Ntdsutil outputs a list of the application partitions that are available after the restore, and the associated cross references. Note the cross-reference distinguished name and application-partition distinguished name that correspond to the application partition you wish to restore.
4. Type restore subtree <App Partition DN>, where App Partition DN is the distinguished name of the application partition noted above.
5. Ntdsutil will provide a confirmation dialog. Click Yes to proceed. The output message will indicate the status of the operation. There should be no failures.
6. Type restore object <Cross Ref DN> (where Cross Ref DN is the distinguished name of the application partition cross reference noted above) and press ENTER.
7. Ntdsutil will provide a confirmation dialog. Click Yes to proceed. The output message will indicate the status of the operation. There should be no failures.
8. Quit the Ntdsutil tool.
Procedure: Mark the object(s) authoritative

Once the data has been restored from backup, you must select which objects are to be marked authoritative in order to have them replicated to other domain controllers. In order to complete this operation, you must know the full distinguished name of the object you wish to restore.

Procedure Steps

To mark the object(s) authoritative

1. From a command prompt or the Run text box, type ntdsutil to start the tool.
2. At the ntdsutil: prompt, type authoritative restore and press ENTER. For assistance with the Ntdsutil command-line tool, type help at any time.
3. To restore an object, type restore object <object DN> (where object DN is the distinguished name of the object that is to be marked authoritative). If you were to restore a deleted user named John Smith in a corp.contoso.com domain, the command would be similar to: restore object "CN=John Smith,CN=Users,DC=corp,DC=contoso,DC=com". Always enclose the distinguished name in quotes when there is a space or other special character within the distinguished name.
4. Press ENTER. Ntdsutil will start the attempt to mark the object as authoritative. The output message will indicate the status of the operation. The most common cause of failure is an incorrectly specified distinguished name, or a backup in which the DN does not exist (which would occur if you tried to restore a deleted user that was created after the backup).
5. Quit the Ntdsutil tool.
Procedure: Verify Active Directory restore

After the restore is completed, you should restart the server and perform basic verification.

Procedure Requirements

You must log on at the local computer, or you must enable Terminal Services in Remote Administration mode on the remote domain controller.

Credentials: Basic: domain administrator or local administrator; Advanced: local administrator
Tool: Backup.exe
Procedure Steps

To perform basic Active Directory verification

1. After the restore operation completes, restart the computer in Start Windows Normally mode. Active Directory and Certificate Services automatically detect that they have been recovered from a backup. They perform an integrity check and re-index the database.
2. After you are able to log on to the system, browse Active Directory. Verify that all of the User objects and Group objects that were present in the directory prior to backup are restored. Similarly, verify that files that were members of a File Replication service (FRS) replica set and certificates that were issued by Certificate Services are present.
Procedure: Restore system state to an alternate location

Perform this procedure to allow an authoritative restore of SYSVOL. After the objects are restored, you can delete the files in the alternate location.

Procedure Requirements

Credentials: local administrator
Tool: Backup.exe
Procedure Steps

To restore system state to an alternate location

1. Click the Restore tab.
2. Select System State. (You need not restore the system disk to an alternate location.)
3. In the Restore Files to drop-down list, ensure that Alternate Location is selected, and designate an alternate location.
4. When the restore process is finished, close the backup utility.
Procedure: Clean up metadata

If you give the new domain controller the same name as the failed computer, then you need to perform only the first procedure to clean up metadata, which removes the NTDS Settings object of the failed domain controller. If you give the new domain controller a different name, then you need to perform all three procedures: clean up metadata, remove the failed Server object from the site, and remove the Computer object from the Domain Controllers container.

Procedure Requirements

Credentials: Enterprise administrator (Metadata cleanup requires modifying the configuration naming context.)
Tools: Ntdsutil.exe, Active Directory Sites and Services, Active Directory Users and Computers
Procedure Steps

To clean up metadata

1. At the command line, type ntdsutil and press ENTER.
2. At the ntdsutil: prompt, type metadata cleanup and press ENTER.
3. At the metadata cleanup: prompt, type connections and press ENTER.
4. At the server connections: prompt, type connect to server servername, where servername is the domain controller (any functional domain controller in the same domain) from which you plan to clean up the metadata of the failed domain controller. Press ENTER.
5. Type quit and press ENTER to return to the metadata cleanup: prompt.
6. Type select operation target and press ENTER.
7. Type list domains and press ENTER. This lists all domains in the forest with a number associated with each.
8. Type select domain number, where number is the number corresponding to the domain in which the failed server was located. Press ENTER.
9. Type list sites and press ENTER.
10. Type select site number, where number refers to the number of the site in which the domain controller was a member. Press ENTER.
11. Type list servers in site and press ENTER. This will list all servers in that site with a corresponding number.
12. Type select server number, where number refers to the domain controller to be removed, and press ENTER.
13. Type quit and press ENTER. The Metadata cleanup menu is displayed.
14. Type remove selected server and press ENTER.
At this point, Active Directory confirms that the domain controller was removed successfully. If you receive an error that the object could not be found, Active Directory might have already removed the domain controller.
15. Type quit and press ENTER until you return to the command prompt.

If the new domain controller receives a different name than the failed domain controller, perform the following additional steps:
Note Do not perform the additional steps if the new computer will have the same name as the failed computer. Ensure that hardware failure was not the cause of the problem. If the faulty hardware is not changed, then restoring through reinstallation might not help.
To remove the failed Server object from the sites

1. In Active Directory Sites and Services, expand the appropriate site.
2. Delete the Server object associated with the failed domain controller.
To remove the failed Computer object from the Domain Controllers container

1. In Active Directory Users and Computers, expand the Domain Controllers container.
2. Delete the Computer object associated with the failed domain controller.
Procedure: Install Active Directory

During the installation process, replication occurs, ensuring that the domain controller has an accurate and up-to-date copy of Active Directory. For more information about seizing operations master roles, see Installing Active Directory in this guide. After you gather information as described in Gathering Installation Information earlier in this guide, you can use the Active Directory Installation Wizard to install Active Directory.

Procedure Requirements

Credentials: local Administrator account
Tools: Dcpromo.exe
Procedure Steps

To install Active Directory

1. In the Run text box, type dcpromo and click OK.
2. The Active Directory Installation Wizard appears. At the Welcome screen, click Next.
3. For Domain Controller Type, select Additional domain controller for an existing domain. Click Next.
4. For Network Credentials, enter the user name, password, and domain for the user account that has permission to add this new domain controller to the domain. Click Next.
5. Enter the name of the domain that you want the new domain controller to host. Click Next.
6. For Database and Log Locations, enter the paths for the locations of the directory database (Ntds.dit) and the log files. For better performance, store the database and log files on separate physical disk drives. Click Next.
7. For Shared System Volume, enter the path where you want to locate the system volume (SYSVOL). Click Next.
8. Under Directory Services Restore Mode Administrator Password, enter the password that you want to use when you need to start Directory Services Restore Mode. Click Next.
9. The Summary screen displays a list of the items you chose. Verify that the information is correct, and then click Next to proceed with the installation.
10. The wizard proceeds to install Active Directory. When it finishes, the wizard displays a summary screen listing the domain and site in which the new domain controller is a member. Verify that this information is correct. Click Finish to close the wizard.
11. Click Restart to restart the domain controller.
12. Let the domain controller restart. If any message indicates that one or more services have failed to start, restart the domain controller one more time. If the initial replication cycles have not had enough time to complete during the first restart on a new domain controller, some services may be unable to start successfully.
If the message appears during additional restarts, examine the event logs in Event Viewer to determine the cause of the problem.

Procedure: Promote server to domain controller

Procedure Steps

To promote a server to domain controller

1. In the Run text box, type dcpromo /adv and click Next.
2. Select Additional domain controller for existing domain.
3. Select From these restored backup files and point to the same location where you had restored the system state data.
4. Because the domain controller you are promoting was a global catalog server, the Active Directory Installation Wizard will ask you whether you want this server to also be a global catalog.
5. Give appropriate credentials for the operation.
6. Enter the domain in which you want to place the new domain controller. It has to be the same domain as that of the domain controller whose system state data you are using.
7. Continue with the remaining steps of dcpromo.
Dcpromo will now promote the server to a domain controller using the data present in the restored files. This saves dcpromo from having to replicate every object from the partner domain controller. However, it may have to replicate those objects that were modified (added or deleted) since the backup was taken. If the backup was recent, the amount of replication required will be considerably less than that required for a regular dcpromo. Once the dcpromo operation is completed successfully and the machine rebooted, the restored folder (in the above example: E:\restore) and sub-folders can be removed from the local disk.

Procedure: Install and run Setup Manager to create an answer file (Unattend.txt)

Procedure Steps

1. Insert the Windows Server 2003 CD-ROM into the computer's CD-ROM drive or DVD-ROM drive. Press and hold down the SHIFT key as you insert the CD to prevent it from starting automatically.
2. Start Windows Explorer, and then open the Support\Tools folder on the Windows Server 2003 CD-ROM.
3. In the details pane, double-click the Deploy.cab file to open it.
4. On the Edit menu, click Select All.
5. On the Edit menu, click Copy.
6. Create a new folder on your local hard disk. To do this:
a. Click Local Disk (C:), or click the drive in which you want to create the new folder.
b. On the File menu, point to New, and then click Folder.
c. In the New Folder name box, type the name that you want, and then press ENTER.
7. Right-click the new folder that you created, and then click Paste.
8. Double-click the new folder to open it, and then double-click the Setupmgr.exe file. The Setup Manager wizard starts. Follow the instructions in the wizard to create an answer file.
Procedure: Install the DNS Server service

Assign a static IP address, rather than a dynamically assigned IP address, to any computer that acts as a DNS server. To use this procedure, your DNS infrastructure must already exist, function properly, and be configured to use Active Directory-integrated zones. This procedure describes the steps to add an additional DNS server into the DNS infrastructure.

Procedure Requirements

Credentials: Domain Admin or Enterprise Admin
Tools: My Network Places, Control Panel
Procedure Steps

To install the DNS Server service

1. Ensure that the computer is using a static IP address. Right-click My Network Places and click Properties.
2. In the Network and Dial-up Connections dialog box, right-click the connection that represents the connection this computer uses to attach to your network. The default label is Local Area Connection, but this can be changed, so it might not be labeled the same on your computer. Click Properties.
3. In the Local Area Connection Properties dialog box, click once on Internet Protocol (TCP/IP) to highlight it (be sure that you do not clear the check box in front of it), and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, ensure that Use the following IP address: is selected and that a valid IP address, subnet mask, and default gateway appear. Click OK to close the dialog box. Click OK again to return to your desktop.
5. In Control Panel, click Add/Remove Programs. Click Add/Remove Windows Components.
6. Scroll down to Networking Services. Highlight it and click Details.
7. In the Networking Services dialog box, select the check box in front of Domain Name System (DNS). Click OK.
8. Click Next. Provide the location of the installation files, if necessary. After the installation is complete, click Finish to end the wizard, and then click Close to exit Add/Remove Programs.
Procedure: Gather the SYSVOL path information

This procedure gathers installation information that includes:
The user name, password, and the domain that contains the user account that you intend to use to run the Active Directory Installation Wizard.
The name of the domain that you want the new domain controller to host.
Location for the Active Directory database (Ntds.dit).
Location for the log files.
Location for the shared system volume (SYSVOL).
The server Administrator account name and password to use in Directory Services Restore Mode.
Before you attempt to relocate all or portions of the system volume, you must clearly understand the folder structure and the relationships between the folders and the path information that is stored in the registry and the directory itself. When folders are relocated, any associated parameters that are stored in the registry and the directory must be updated to match the new location. The folder structure contains junctions that might also require updating when folders get moved to a new location. Maintaining the relationship between the folders, junctions, and stored parameters is important when you must relocate all or portions of SYSVOL. Failure to do so can result in files being replicated to or from the wrong location. It can also result in files failing to replicate, yet FRS will not report any errors, because due to the configuration error FRS looks in the wrong location for the files that you want to replicate.

The folder structure used by the system volume uses a feature called a junction point. Junction points look like folders and behave like folders (in Windows Explorer you cannot distinguish them from regular folders), but they are not folders. A junction point contains a link to another folder. When a program opens it, the junction point automatically redirects the program to the folder to which the junction point is linked. The redirection is completely transparent to the user and the application.

For example, if you create two folders, C:\Folder1 and C:\Folder2, and create a junction called C:\Folder3, and then link the junction back to Folder1, Windows Explorer displays three folders:
\Folder1
\Folder2
\Folder3
If you open Folder3, Windows Explorer is redirected to Folder1 and displays the contents of Folder1. You receive no indication of the redirection because it is transparent to the user and to Windows Explorer.
If you look at the contents of Folder1, you see that it is exactly the same as the contents displayed when you open Folder3. If you open a command prompt and list a directory, all three folders appear in the output. The first two are type <DIR> and Folder3 is type <JUNCTION>. If you list a directory of Folder3, you see the contents of Folder1.
Note To create or update junctions, you need the Linkd.exe tool supplied with the Windows 2000 Server Resource Kit. Linkd allows you to create, delete, update, and view the links that are stored in junction points.
By default, the system volume is contained in the %systemroot%\SYSVOL folder. The tree of folders contained within this folder can be extensive, depending on how your network uses FRS. When relocating folders in the system volume, ensure that you move all folders (including any hidden folders) and ensure that the relationships of the folders do not change unintentionally. When you relocate folders, you need to be concerned with the first three levels of subdirectories in order to properly update the parameters used by FRS. These levels are affected by junction points and parameter settings. These folders include:

%systemroot%\SYSVOL
%systemroot%\SYSVOL\Domain
%systemroot%\SYSVOL\Domain\DO_NOT_REMOVE_Ntfrs_Preinstalled_Directory
%systemroot%\SYSVOL\Domain\Policies
%systemroot%\SYSVOL\Domain\Scripts
%systemroot%\SYSVOL\Staging
%systemroot%\SYSVOL\Staging\Domain
%systemroot%\SYSVOL\Staging Areas
%systemroot%\SYSVOL\Staging Areas\FQDN
%systemroot%\SYSVOL\Sysvol
%systemroot%\SYSVOL\Sysvol\FQDN

where FQDN is the fully qualified domain name of the domain that this domain controller hosts.

Active Directory Product Operations Guide
Note If any of the folders do not appear in Windows Explorer, click Tools and then click Folder Options. On the View tab, select Show hidden files and folders.
If you use Windows Explorer to view these folders, they appear to be typical folders. If you open a command prompt and type dir to list these folders, you will notice two special folders are listed as <JUNCTION>. Both folders labeled FQDN are junction points. The junction in %systemroot%\SYSVOL\Sysvol links to %systemroot%\SYSVOL\Domain. The junction in %systemroot%\SYSVOL\Staging Areas is linked to %systemroot%\SYSVOL\Staging\Domain. If you change the path to the folders to which the junctions are linked, you must also update the junctions, including drive letter changes and folder changes.

Besides junction points linking to folders within the system volume tree, the registry and the directory also store references to folders. These references contain paths that you must update if you change the location of the folder. FRS uses two values that are stored in the directory. The first value, fRSRootPath, points to the location of the policies and scripts that are stored in SYSVOL. By default, this location is the %systemroot%\SYSVOL\Domain folder. The second value, fRSStagingPath, points to the location of the folders used as the staging area. By default, this location is the %systemroot%\SYSVOL\Staging\Domain folder. The Net Logon service uses a parameter stored in the registry to identify the location of the folder that it uses to create the SYSVOL and NETLOGON share points. By default, this path is %systemroot%\SYSVOL\Sysvol. If you change the paths to these folders, you must update these values.

When relocating SYSVOL, you first move the entire folder structure to a new location; then you update all the junction points and the parameters that are stored in the registry and the directory in order to maintain the relationships between the parameters, the folders, and the junctions. Optionally, you can relocate the staging area and leave the rest of the system volume at its original location. In this case, you must update the fRSStagingPath parameter in the directory and the junction point stored at %systemroot%\SYSVOL\Staging Areas.

Procedure Requirements
Credentials: Domain Admins
Tools: Regedit.exe, ADSI Edit, Linkd.exe
Procedure Steps
To gather the system volume path information

Use the steps below to locate the information and record the current values in Table 1. If you are relocating the staging area, you only need to record information for rows 2 and 5 in Table 1. All other operations require that you record information in all five rows. To restore and rebuild SYSVOL, you must record the information from the domain controller that you are repairing in rows 1, 2, and 3. Use the junctions located on the domain controller that you are copying from the SYSVOL folder structure to record the current value for rows 4 and 5. The new values for rows 4 and 5 are based on the domain controller that you are repairing.

Table 1. System Volume Path Information

Parameter                          Current Value    New Value
1. fRSRootPath
2. fRSStagingPath
3. Sysvol parameter in registry
4. Sysvol junction
5. Staging junction
fRSRootPath
1. In the Run text box, type adsiedit.msc and press ENTER.
2. Double-click Domain NC [machinename] (where machinename is the name of this domain controller). Verify that the Domain NC expands to display the domain component (DC=) folder.
3. Click the domain component to display the containers and OUs in the details pane. Double-click the Domain Controllers OU to display the containers that represent the domain controllers.
4. Double-click the container that represents this domain controller (CN=computername) to display more containers.
5. Double-click the CN=NTFRS Subscriptions container.
6. Right-click the CN=Domain System Volume container, and click Properties.
7. In the Select which properties to view list, select Mandatory.
8. In the Select a property to view list, select fRSRootPath. The current value appears in the Value(s) box.
9. Record the current value in the table above. Based on the folder structure discussed earlier and the new location, record the new path value for this parameter in the table.
10. Click Cancel to close the dialog box.

fRSStagingPath
1. In the Run text box, type adsiedit.msc and press ENTER.
2. Double-click Domain NC [machinename] (where machinename is the name of this domain controller). Verify that the Domain NC expands to display the domain component (DC=) folder.
3. Click the domain component to display the containers and OUs in the details pane. Double-click the Domain Controllers OU to display the containers that represent the domain controllers.
4. Double-click the container that represents this domain controller (CN=computername) to reveal more containers.
5. Double-click the CN=NTFRS Subscriptions container.
6. Right-click the CN=Domain System Volume container, and click Properties.
7. In the Select which properties to view list, select Mandatory.
8. In the Select a property to view list, select fRSStagingPath. The current value appears in the Value(s) box.
9. Record the current value in Table 1. Based on the folder structure discussed earlier and the new location, record the new path value for this parameter in Table 1.

SYSVOL parameter in the registry
1. In the Run text box, type regedit and press ENTER.
2. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. Sysvol appears in the details pane. The current value is listed in the Data column.
4. Record the current value in Table 1. Based on the folder structure discussed earlier and the new location, record the new path value for this parameter in Table 1.
SYSVOL junction
1. At a command prompt, change the directory to %systemroot%\SYSVOL\Sysvol.
Note This assumes that the system volume is still in the default location. If it has been relocated, substitute the appropriate paths into these instructions.
2. At the command prompt, type dir. Verify that the fully qualified domain name (FQDN) is listed as type <JUNCTION>.
3. At the command prompt, type linkd fqdn (where fqdn is the domain name listed in the Dir output). This displays the value stored in the junction point. Press ENTER.
4. Record the current value in Table 1. Based on the folder structure discussed earlier and the new location, record the new path value for this parameter in Table 1.

Staging junction
1. At a command prompt, change the directory to %systemroot%\SYSVOL\Staging Areas.
Note This assumes that the staging area is still in the default location. If it has been relocated, substitute the appropriate paths into these instructions.
2. At the command prompt, type dir. Verify that the fully qualified domain name is listed as type <JUNCTION>.
3. At the command prompt, type linkd fqdn (where fqdn is the domain name listed in the Dir output). This displays the value stored in the junction point. Press ENTER.
4. Record the current value in Table 1. Based on the folder structure discussed earlier and the new location, record the new path value for this parameter in Table 1.
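The following script is an added example, not part of the guide: it collects the five Table 1 values for the local domain controller in one pass and reports when a junction no longer agrees with fRSRootPath or fRSStagingPath, which is exactly the silent mismatch the text above warns about. It assumes it runs on the domain controller itself with Domain Admins rights, an FRS-replicated SYSVOL as described here, and Windows PowerShell 5.1 or later (where Get-Item exposes a junction's target, so Linkd.exe is only needed to change a junction, not to read it).

```powershell
# Added example (not from the guide). Assumptions: run on the DC being checked as a
# Domain Admin, SYSVOL replicated by FRS, Windows PowerShell 5.1 or later.

function Get-JunctionTarget {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    if ($item.LinkType -ne 'Junction') {
        throw "$Path is listed as '$($item.LinkType)', not as a junction point"
    }
    # Target is a string or a one-element array depending on the PowerShell version
    $target = [string]($item.Target | Select-Object -First 1)
    return $target -replace '^\\\?\?\\', ''   # drop the \??\ NT prefix if present
}

function Test-SysvolPathConsistency {
    # Pure comparison of the Table 1 values; emits one line per finding, nothing if consistent
    param(
        [string]$FrsRootPath, [string]$FrsStagingPath,
        [string]$SysvolJunctionTarget, [string]$StagingJunctionTarget
    )
    # Compare expanded, trailing-backslash-free, case-insensitive paths
    $norm = { param($p) [Environment]::ExpandEnvironmentVariables($p).TrimEnd('\').ToLowerInvariant() }
    if ((& $norm $SysvolJunctionTarget) -ne (& $norm $FrsRootPath)) {
        "Sysvol junction -> '$SysvolJunctionTarget' but fRSRootPath = '$FrsRootPath'"
    }
    if ((& $norm $StagingJunctionTarget) -ne (& $norm $FrsStagingPath)) {
        "Staging junction -> '$StagingJunctionTarget' but fRSStagingPath = '$FrsStagingPath'"
    }
}

function Get-SysvolPathInfo {
    $dcName   = $env:COMPUTERNAME
    $fqdn     = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
    $domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext

    # Rows 1 and 2 live on the nTFRSSubscriber object below CN=NTFRS Subscriptions,
    # which hangs off this DC's computer object (the path ADSI Edit walks in steps 2-6)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$dcName`$))"
    $computerDn = [string]$searcher.FindOne().Properties['distinguishedname'][0]
    $searcher.SearchRoot = [ADSI]"LDAP://$computerDn"
    $searcher.Filter = '(objectClass=nTFRSSubscriber)'
    $sub = $searcher.FindOne()
    if ($null -eq $sub) { throw "No FRS subscriber object found under $computerDn" }
    $frsRoot    = [string]$sub.Properties['frsrootpath'][0]
    $frsStaging = [string]$sub.Properties['frsstagingpath'][0]

    # Row 3: the Net Logon SysVol parameter (the folder shared as SYSVOL and NETLOGON)
    $regKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $sysvolReg = [Environment]::ExpandEnvironmentVariables(
        (Get-ItemProperty -Path $regKey -Name SysVol).SysVol)

    # Rows 4 and 5: the two junctions named after the FQDN. The guide's layout puts
    # 'Staging Areas' beside the 'Sysvol' folder, so it is derived from the registry path.
    $sysvolJunction  = Join-Path $sysvolReg $fqdn
    $stagingJunction = Join-Path (Split-Path -Parent $sysvolReg) "Staging Areas\$fqdn"

    $info = [pscustomobject]@{
        fRSRootPath           = $frsRoot
        fRSStagingPath        = $frsStaging
        SysvolRegistry        = $sysvolReg
        SysvolJunctionTarget  = Get-JunctionTarget $sysvolJunction
        StagingJunctionTarget = Get-JunctionTarget $stagingJunction
    }
    $findings = @(Test-SysvolPathConsistency -FrsRootPath $frsRoot -FrsStagingPath $frsStaging `
        -SysvolJunctionTarget $info.SysvolJunctionTarget `
        -StagingJunctionTarget $info.StagingJunctionTarget)
    $info | Add-Member -NotePropertyName Findings -NotePropertyValue $findings -PassThru
}

Get-SysvolPathInfo | Format-List
```

An empty Findings list means the junctions and directory values still agree; run it again after a relocation, before FRS is restarted, to confirm every row of Table 1 was updated.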
Procedure: Verify DNS registration and functionality
This test verifies that DNS is functioning so that other domain controllers can be located.

Procedure Requirements
Credentials: Domain administrator
Tool: Netdiag.exe

Procedure Steps
To verify DNS registration and functionality
Note For a more detailed response from this command, you can use the verbose option. Add /v to the end of the command to see the detailed response.
At a command prompt, type netdiag /test:dns and press ENTER. If DNS is functioning, the last line of the response is DNS Test..: Passed. The verbose option lists specific information about what was tested. This information can help with troubleshooting if the test fails. If the test fails, do not attempt any additional steps until you determine and fix the problem that prevents proper DNS functionality.

Procedure: Verify that an IP address maps to a subnet and determine the site association
Use this procedure to determine the site to which you want to add a Server object prior to installing Active Directory, or to verify the appropriate site prior to moving a Server object to it. To be associated with a site, the IP address of a domain controller must map to a Subnet object that is defined in Active Directory. The site to which the subnet is associated is the site of the domain controller. The subnet address, which is computed from the IP network address and the subnet mask, is the name of a Subnet object in Active Directory. When you know the subnet address, you can locate the Subnet object and determine the site to which the subnet is associated.

Procedure Requirements
Credentials: Domain users
Tools: My Network Places, Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To verify that an IP address maps to a subnet and determine the site association
1. Log on locally or open a Terminal Services connection to the server for which you want to check the IP address.
2. On the desktop, right-click My Network Places, and then click Properties.
3. In the Network and Dial-up Connections dialog box, right-click Local Area Connection, and then click Properties.
4. Double-click Internet Protocol (TCP/IP).
5. Use the values in IP address and Subnet mask to calculate the subnet address.
6. In Active Directory Sites and Services, expand the Sites container, and then click the Subnets container.
7. In the Name column in the details pane, find the Subnet object that matches the subnet address.
8. In the Site column, note the site to which the IP subnet address is associated.
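As an added example (not from the guide), the following script performs step 5's arithmetic, producing the network address and prefix length that together form the Subnet object's name, and then resolves that object to its site through the siteObject attribute, which is what the Site column in steps 6 to 8 displays. It assumes IPv4 addresses and domain-user read access to the configuration partition; the sample address at the end is constructed.

```powershell
# Added example (not from the guide). Assumptions: IPv4 only, read access to the
# configuration partition as a domain user.

function Get-SubnetObjectName {
    param([Parameter(Mandatory)][string]$IPAddress, [Parameter(Mandatory)][string]$SubnetMask)
    $ipBytes   = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $maskBytes = [System.Net.IPAddress]::Parse($SubnetMask).GetAddressBytes()
    if ($ipBytes.Length -ne 4 -or $maskBytes.Length -ne 4) { throw 'IPv4 addresses only' }
    # A valid mask is a run of 1 bits followed by 0 bits; the prefix length is the run of 1s
    $bits = ($maskBytes | ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') }) -join ''
    if ($bits -notmatch '^(1*)0*$') { throw "Non-contiguous subnet mask: $SubnetMask" }
    $prefix = $Matches[1].Length
    # Network address = IP address AND mask, octet by octet
    $network = (0..3 | ForEach-Object { $ipBytes[$_] -band $maskBytes[$_] }) -join '.'
    return "$network/$prefix"
}

function Get-SiteForSubnet {
    param([Parameter(Mandatory)][string]$SubnetName)
    $configDn = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $subnets  = [ADSI]"LDAP://CN=Subnets,CN=Sites,$configDn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($subnets)
    # '/' is an ADsPath separator, so look the object up with a filter instead of binding by DN
    $searcher.Filter = "(&(objectClass=subnet)(cn=$SubnetName))"
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { return $null }                              # no Subnet object: maps to no site
    if ($hit.Properties['siteobject'].Count -eq 0) { return $null }   # subnet defined but unassigned
    # siteObject holds the site's DN, e.g. CN=Default-First-Site-Name,CN=Sites,CN=Configuration,...
    return (([string]$hit.Properties['siteobject'][0]) -split ',')[0] -replace '^CN=', ''
}

function Resolve-SiteForAddress {
    param([Parameter(Mandatory)][string]$IPAddress, [Parameter(Mandatory)][string]$SubnetMask)
    $name = Get-SubnetObjectName -IPAddress $IPAddress -SubnetMask $SubnetMask
    [pscustomobject]@{ IPAddress = $IPAddress; SubnetObject = $name; Site = Get-SiteForSubnet $name }
}

# Constructed sample input: with mask 255.255.255.0 the Subnet object name is 10.20.30.0/24
Resolve-SiteForAddress -IPAddress 10.20.30.40 -SubnetMask 255.255.255.0
```

A $null Site means the address matches no Subnet object, or the object exists but has no site assigned; either way the domain controller would not be placed in the intended site.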
If the site that appears in the Site box is not the appropriate site, contact a supervisor and find out whether the IP address is incorrect or whether to move the Server object to the site indicated by the subnet.

Procedure: Verify communication with other domain controllers
This test verifies that domain controllers can be located.

Procedure Requirements
Credentials: Domain users
Tool: Netdiag.exe

Procedure Steps
To verify communication with other domain controllers
Note For a more detailed response from this command, you can use the verbose option. Add /v to the end of the command to see the detailed response.
At a command prompt, type netdiag /test:dsgetdc and press ENTER. If domain controllers are successfully located, the last line of the response is DC discovery test..: Passed. The verbose option lists the specific domain controllers that are located. If the test fails, do not attempt any additional steps until you determine and fix the problem that prevents communication with other domain controllers.

Procedure: Verify the availability of the operations masters
This test verifies that the operations masters can be located and that they are online and responding.

Procedure Requirements
Credentials: Domain users
Tool: Dcdiag.exe

Procedure Steps
To verify the existence of the operations masters
Note You can use these tests prior to installing Active Directory as well as afterward. To perform the test prior to installing Active Directory, you must use the /s option to indicate the name of a domain controller to use for the test. You do not need the /s option to perform the test after installing Active Directory. The test automatically runs on the local domain controller where you are performing the tests. The commands listed in this procedure show the /s option. If you are performing this test after installing Active Directory, omit the /s option. For a more detailed response from this command, you can use the verbose option by adding /v to the end of the command to see the detailed response.
1. To ensure that the operations masters can be located, at a command prompt, type:
dcdiag /s:domaincontroller /test:knowsofroleholders /verbose
where domaincontroller is the name of a domain controller in the domain in which you want to add the new domain controller. The verbose option provides a detailed list of the operations masters that were tested. Near the bottom of the screen, a message confirms that the test succeeded. If you use the verbose option, look carefully at the bottom part of the displayed output. The test confirmation message appears immediately after the list of operations masters. Press ENTER.
2. To test to ensure the operations masters are functioning properly and are available on the network, at a command prompt, type:
dcdiag /s:domaincontroller /test:fsmocheck
where domaincontroller is the name of a domain controller in the domain in which you want to add the new domain controller. The verbose option provides a detailed list of the operations masters that were tested. Near the bottom of your screen, a message confirms that the test succeeded. Press ENTER.

If these tests fail, do not attempt any additional steps until you determine and fix the problem that prevents locating operations masters and verifying that they are functioning properly.
Note If any of the verification tests fail, do not continue until you determine and fix the problems. If these tests fail, the installation is also likely to fail.
Procedure: Determine whether a Server object has Child objects
When a domain controller is properly installed, its Server object has a Child NTDS Settings object. Other applications that are running on domain controllers can also publish Child objects. After installing Active Directory on a domain controller, verify that the Server object has a Child NTDS Settings object. Prior to deleting a Server object from the Servers container for a site, verify that the Server object has no Child objects.

Procedure Requirements
Credentials: Domain users
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To determine whether a Server object has Child objects
1. In Active Directory Sites and Services, expand the Sites container and expand the site of the Server object.
2. Expand the Servers container, and then expand the Server object to view any Child objects.
Procedure: Verify the site assignment for the domain controller
Use this procedure to determine the site to which you want to add a Server object prior to installing Active Directory, or to verify the appropriate site prior to moving a Server object to it. To be associated with a site, the IP address of a domain controller must map to a Subnet object that is defined in Active Directory. The site to which the subnet is associated is the site of the domain controller. The subnet address, which is computed from the IP network address and the subnet mask, is the name of a Subnet object in Active Directory. When you know the subnet address, you can locate the Subnet object and determine the site to which the subnet is associated.

Procedure Requirements
Credentials: Domain users
Tools: My Network Places, Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To verify that an IP address maps to a subnet and determine the site association
1. Log on locally or open a Terminal Services connection to the server for which you want to check the IP address.
2. On the desktop, right-click My Network Places, and then click Properties.
3. In the Network and Dial-up Connections dialog box, right-click Local Area Connection, and then click Properties.
4. Double-click Internet Protocol (TCP/IP).
5. Use the values in IP address and Subnet mask to calculate the subnet address.
6. In Active Directory Sites and Services, expand the Sites container, and then click the Subnets container.
7. In the details pane, in the Name column, find the Subnet object that matches the subnet address.
8. In the Site column, note the site to which the IP subnet address is associated.

If the site that appears in the Site box is not the appropriate site, contact a supervisor and find out whether the IP address is incorrect or whether to move the Server object to the site indicated by the subnet.

Procedure: Move a Server object to a different site if the domain controller is located in the wrong site
Moving a Server object requires that the IP address of the domain controller maps to the site to which you are moving the Server object. After you have verified that the IP address maps to the target site, use the following procedure to move the Server object to the site.

Procedure Requirements
Credentials: Enterprise administrators
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To move a Server object to a different site
1. In Active Directory Sites and Services, expand the Sites container and the site in which the Server object resides.
2. Expand the Servers container to display the domain controllers that are currently configured for that site.
3. Right-click the Server object you want to move, and then click Move.
4. In the Site Name box, click the destination site, and then click OK.
5. Expand the Site object to which you moved the server, and then expand the Servers container.
6. Verify that an object for the server you moved exists.
7. Expand the Server object and verify that an NTDS Settings object exists.
Within an hour, the Net Logon service on the domain controller registers the new site information in DNS. Wait an hour and then open Event Viewer and connect to the domain controller whose Server object you moved. Review the directory service log for Net Logon errors regarding registration of SRV resource records in DNS that have occurred within the last hour. The absence of errors indicates that Net Logon has updated DNS with site-specific SRV resource records. Net Logon event ID 5774 indicates that the registration of DNS resource records has failed. If this error occurs, contact a supervisor and pursue DNS troubleshooting.

Procedure: Configure DNS server forwarders
Configure DNS server forwarders based on the forwarders method established on your network.

Procedure Requirements
Credentials: Domain Admin
Tools: DNS snap-in

Procedure Steps
To configure DNS server forwarders
1. If your network uses root hints as the forwarders method, you do not need to perform any additional options. Root hints are automatically configured during installation. Do not continue to step 2.
2. If you need to configure forwarders, open the DNS snap-in and continue to step 3.
3. In the console tree, right-click computer_name (where computer_name is the computer name of the domain controller), and then click Properties.
4. In the computer_name Properties sheet (where computer_name is the name of the domain controller), on the Forwarders tab, select the Enable forwarders check box.
5. In the IP address box, type ip_address (where ip_address is the IP address of the DNS server or nearest replication partner from which the domain is delegated), click Add, and then click OK.

Procedure: Verify DNS configuration
This procedure involves the following subprocedures:
Create a delegation for a new domain controller.
Configure the DNS client settings.
Create a delegation for the new domain controller in the forest root domain.
Create a secondary zone.
Configure the DNS client settings.
Subprocedure 1: Create a delegation for a new domain controller
Create a delegation for the new domain controller in the parent domain of the DNS infrastructure if a parent domain exists and a Microsoft DNS server hosts it. If the DNS server hosting the parent domain is not a Microsoft DNS server, follow the procedures outlined in the vendor documentation to add the delegation for the new domain controller. This procedure creates a delegation for a new domain controller that is also a DNS server in the parent DNS domain. If your forest root domain has a parent DNS domain, perform these steps on a DNS server in the parent domain. If you just added a new domain controller to a child domain, perform these steps on a DNS server in the DNS parent domain. By following recommended practices, the parent domain is the forest root domain.

Procedure Requirements
Credentials: Domain administrators
Tool: DNS Manager

Procedure Steps
To create a delegation for a new domain controller
1. From the DNS snap-in, navigate to child_domain (where child_domain is the name of the child domain) in the console tree.
2. In the console tree, right-click child_domain, and then click Properties.
3. In child_domain properties, on the Name Servers tab, click Add.
4. In the New Resource Record dialog box, in the Server name box, type child_dc.child_domain.parent_domain (where child_dc is the name of the new domain controller, child_domain is the name of the child domain, and parent_domain is the name of the parent domain).
5. In the New Resource Record dialog box, in the IP address box, type ip_address (where ip_address is the IP address of the child domain controller), click Add, and then click OK.

Subprocedure 2: Configure the DNS client settings
Configure the DNS client settings on the new domain controller.

Procedure Requirements
Credentials: Domain admin
Tool: My Network Places

Procedure Steps
To configure the DNS client settings
1. In My Network Places, open the Properties dialog box.
2. In the Network and Dial-up Connections dialog box, right-click the connection that represents the connection this computer uses to attach to your network. The default label is Local Area Connection, but this can be changed so it might not be labeled the same on your computer. Click Properties.
3. In the Local Area Connection Properties dialog box, click once on Internet Protocol (TCP/IP) to highlight it (be sure you do not clear the check box in front of it), then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, verify that Use the following DNS server addresses: is selected.
5. If the new domain controller is located in the forest root domain, set the Preferred DNS server IP address to that of another DNS server in the forest root domain. Try to choose a server that is located near the new domain controller. Set the Alternate DNS server address to the IP address of the new domain controller (so that it is referencing itself).
If the new domain controller is located in a child domain, set the Preferred DNS server IP address to the IP address of the new domain controller (so that it is referencing itself). Set the Alternate DNS server address to that of another DNS server in the same domain. Try to choose a server that is located near the new domain controller.
6. Click OK to close the dialog box.

Subprocedure 3: Create a delegation for the new domain controller in the forest root domain
This procedure creates a delegation for a new domain controller that is also a DNS server in the parent DNS domain. If your forest root domain has a parent DNS domain, perform these steps on a DNS server in the parent domain. If you just added a new domain controller to a child domain, perform these steps on a DNS server in the DNS parent domain. By following recommended practices, the parent domain is the forest root domain.

Procedure Requirements
Credentials: Domain Admin
Tool: DNS Manager
Procedure Steps
To create a delegation for a new domain controller
1. From the DNS snap-in, navigate to child_domain (where child_domain is the name of the child domain) in the console tree.
2. In the console tree, right-click child_domain, and then click Properties.
3. In child_domain properties, on the Name Servers tab, click Add.
4. In the New Resource Record dialog box, in the Server name box, type:
child_dc.child_domain.parent_domain
where child_dc is the name of the new domain controller, child_domain is the name of the child domain, and parent_domain is the name of the parent domain.
5. In the New Resource Record dialog box, in the IP address box, type ip_address (where ip_address is the IP address of the child domain controller), click Add, and then click OK.

Subprocedure 4: Create a secondary zone
Perform this procedure only on DNS servers that are located in the child domain, not the forest root domain. Perform these steps on the new domain controller.

Procedure Requirements
Credentials: Domain Admin
Tool: DNS snap-in

Procedure Steps
To create a secondary DNS zone
1. In the DNS snap-in, right-click the new domain controller in the console tree, and select New Zone.
2. In the New Zone Wizard, click Next to continue.
3. Select Standard secondary as the Zone Type. Click Next.
4. Ensure that Forward lookup zone is selected. Click Next.
5. For Zone Name, type _msdcs.forestrootdomain (where forestrootdomain is the fully qualified domain name of the forest root domain), and click Next.
6. In the Master DNS Servers dialog box, enter the IP addresses of at least two DNS servers in the forest root domain. Click Next.
7. Review the settings you defined, and click Finish to close the wizard.

Subprocedure 5: Configure the DNS client settings
Configure the DNS client settings on the new domain controller.

Procedure Requirements
Credentials: Domain Admin
Tool: My Network Places

Procedure Steps
To configure the DNS client settings
1. Open the Properties dialog box for My Network Places.
2. In the Network and Dial-up Connections dialog box, right-click the connection that represents the connection this computer uses to attach to your network. The default label is Local Area Connection, but this can be changed so it might not be labeled the same on your computer. Click Properties.
3. In the Local Area Connection Properties dialog box, click once on Internet Protocol (TCP/IP) to highlight it (be sure you do not clear the check box in front of it), and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, be sure that Use the following DNS server addresses: is selected.
5. If the new domain controller is located in the forest root domain, set the Preferred DNS server IP address to that of another DNS server in the forest root domain. Try to choose a server that is located near the new domain controller. Set the Alternate DNS server address to the IP address of the new domain controller (so that it is referencing itself).
If the new domain controller is located in a child domain, set the Preferred DNS server IP address to the IP address of the new domain controller (so that it is referencing itself). Set the Alternate DNS server address to that of another DNS server in the same domain. Try to choose a server that is located near the new domain controller.
6. Click OK to close the dialog box.
Procedure: Verify domain membership for the new domain controller
This test verifies that a new domain controller has successfully become a member of the domain.
Note You can get a more detailed response from this command by using the verbose option. Add /v to the end of the command listed to see the detailed response.
Procedure Requirements
Credentials: Domain User
Tool: Netdiag.exe

Procedure Steps
To verify domain membership for a new domain controller
1. At a command prompt, type netdiag /test:member
2. Toward the bottom of the screen, you should see the message "Domain membership test Passed" if the test was successful. If you use the /v option, it will list the name of the domain controller, its role, the name of the domain, and a number of other statistics about the new domain controller.

Procedure: Verify replication with other domain controllers
These tests verify that different aspects of the replication topology are working properly. They check to see that objects are replicating and they verify that the proper logon permissions are set to allow replication to occur.
Note For this set of tests, the /v option is available. However, it does not display any significant additional information.
Procedure Steps
To verify replication is functioning
1. To check if replication is working, at a command prompt, type dcdiag /test:replications and press ENTER. The /v option does not display any significant additional information for this test. Messages indicate that the connectivity and replications tests passed.
2. To verify that the proper permissions are set for replication, at a command prompt, type dcdiag /test:netlogons and press ENTER. Messages indicate that the connectivity and netlogons tests passed.

Procedure: View the current operations master role holders
To view the current operations master role holders, use Ntdsutil.exe with the roles option. This option displays a list of all current role holders.

Procedure Requirements
Credentials: User or Administrator
Tool: Ntdsutil.exe (System Tools)

Procedure Steps
To view the current operations master role holder
1. In the Run text box, type ntdsutil and press ENTER.
2. At the ntdsutil: prompt, type roles and press ENTER.
3. At the fsmo maintenance: prompt, type connections and press ENTER.
4. At the server connections: prompt, type connect to server servername (where servername is the name of the domain controller that belongs to the domain containing the operations masters).
5. After receiving confirmation of the connection, type quit and press ENTER to exit this menu.
6. At the fsmo maintenance: prompt, type select operation target and press ENTER.
7. At the select operations target: prompt, type list roles for connected server and press ENTER. The system responds with a list of the current roles and the Lightweight Directory Access Protocol (LDAP) name of the domain controllers currently assigned to host each role.
8. Type quit and press ENTER to exit each prompt in Ntdsutil.exe. Type quit and press ENTER at the ntdsutil: prompt to close the window.
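The following script is an added example, not part of the guide: it reads the five fSMORoleOwner attributes directly, which is the same information that "list roles for connected server" prints, and additionally reports whether the domain naming master is a global catalog server, the requirement the next procedure states for that role. It assumes domain-user read access from any domain-joined machine; the role-to-object mapping in the hash table is standard Active Directory layout, not something the guide spells out.

```powershell
# Added example (not from the guide). Assumptions: domain-user read access, run from a
# domain-joined machine; the object that records each role is standard AD layout.

function Get-OperationsMasters {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext
    $configDn = [string]$rootDse.configurationNamingContext
    $schemaDn = [string]$rootDse.schemaNamingContext

    # Each role is recorded on a different object; fSMORoleOwner holds the DN of the
    # owner's NTDS Settings object (CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...)
    $roleObjects = [ordered]@{
        'PDC emulator'          = "LDAP://$domainDn"
        'RID master'            = "LDAP://CN=RID Manager`$,CN=System,$domainDn"
        'Infrastructure master' = "LDAP://CN=Infrastructure,$domainDn"
        'Schema master'         = "LDAP://$schemaDn"
        'Domain naming master'  = "LDAP://CN=Partitions,$configDn"
    }

    foreach ($entry in $roleObjects.GetEnumerator()) {
        $ownerDn = [string]([ADSI]$entry.Value).fSMORoleOwner.Value
        $ntds    = [ADSI]"LDAP://$ownerDn"
        $rdns    = $ownerDn -split ','
        # Bit 0x1 in the NTDS Settings 'options' attribute marks a global catalog server
        $options = [int]$ntds.options.Value
        [pscustomobject]@{
            Role            = $entry.Key
            Server          = $rdns[1] -replace '^CN=', ''
            Site            = $rdns[3] -replace '^CN=', ''
            IsGlobalCatalog = ($options -band 1) -eq 1
            OwnerDn         = $ownerDn
        }
    }
}

function Test-DomainNamingMasterIsGc {
    # True only when the domain naming master's owner also hosts the global catalog
    param([Parameter(Mandatory)][object[]]$Roles)
    $dnm = $Roles | Where-Object { $_.Role -eq 'Domain naming master' }
    return [bool]$dnm.IsGlobalCatalog
}

$roles = Get-OperationsMasters
$roles | Format-Table Role, Server, Site, IsGlobalCatalog -AutoSize
if (-not (Test-DomainNamingMasterIsGc $roles)) {
    Write-Warning 'Domain naming master is not a global catalog server'
}
```

Because the values are read from the directory rather than from a live role-holder check, follow up with the dcdiag /test:fsmocheck step described earlier to confirm the listed servers are actually reachable.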
Procedure: Transfer the forest-level operations master roles The two forest-level operutlons muster roles ure the domuln numlng muster und the schemu muster. Any computer thut hosts the domuln numlng muster must ulso be u globul cutulog server. These procedures ure performed by uslng the Mlcrosoft Munugement Console (MMC), ulthough you cun ulso trunsfer these roles by uslng Ntdsutll.exe. For lnformutlon ubout uslng Ntdsutll.exe to trunsfer the operutlons muster roles, type ? ut the Ntdsutll.exe commund prompt. For more lnformutlon ubout trunsferrlng operutlons muster roles, see "Munuglng Flexlble Slngle-Muster Operutlons" ln the Dlstrlbuted Systems Gulde of the Wlndows 2000 Server Resource Klt. Procedure Requirements for Transferring the Domain Naming Master Credentluls: Enterprlse Admlns Tool: Actlve Dlrectory Domulns und Trusts (Admlnlstrutlve Tools)
Active Directory Product Operations Guide 134
Procedure Steps
To transfer the domain naming master
1. In Active Directory Domains and Trusts, in the console tree, right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.
2. Ensure that the proper domain name is entered in the Domain box. The available domain controllers from this domain are listed.
3. In the Name column, click the domain controller (to select it) to which you want to transfer the role. Click OK.
4. In Active Directory Domains and Trusts, in the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.
5. The name of the current domain naming master appears in the first text box. The server to which you want to transfer the role should appear in the second text box. If this is not the case, repeat steps 1 through 4.
6. Click Change. To confirm the role transfer, click OK. Click OK again to close the message box indicating the transfer took place. Click Close to close the Change Operations Master dialog box.
Procedure Requirements for Transferring the Schema Master
Credentials: Schema Administrator
Tool: Active Directory Schema snap-in
Procedure Steps
To transfer the schema master
Before you can use the Active Directory Schema snap-in for the first time, you must register it with the system. If you have not yet prepared the Active Directory Schema snap-in, see Prepare the Active Directory Schema snap-in in this guide before you begin this procedure.
1. In the Active Directory Schema snap-in, in the console tree, right-click Active Directory Schema, and click Change Domain Controller.
2. In the Change Domain Controller dialog box, click Specify Name. Then, in the text box, type the name of the server to which you want to transfer the schema master role. Click OK.
3. In the console tree, right-click Active Directory Schema. Click Operations Master. The Current Focus box displays the name of the server that is assuming the role. The current schema master is listed in the second box.
4. Click Change. Click OK to confirm your choice. The system confirms the operation. Click OK again to confirm that the operation succeeded.
5. Click Cancel to close the Change Schema Master dialog box.
Note Hosting the infrastructure master on a global catalog server is not recommended. If you attempt to transfer the infrastructure master role to a domain controller that is a global catalog, the system displays a warning stating that this is not recommended.
6. Click Yes to confirm the transfer, and click OK to confirm that the operation is complete.
Procedure: Transfer the domain-level operations master roles
The three domain-level operations master roles are the PDC emulator, the RID master, and the infrastructure master. You can transfer all of these roles by using the Active Directory Users and Computers console. These procedures are performed by using MMC, although you can also transfer these roles by using Ntdsutil.exe. For information about using Ntdsutil.exe to transfer the operations master roles, type ? at the Ntdsutil.exe command prompt. For more information about transferring operations master roles, see "Managing Flexible Single-Master Operations" in the Distributed Systems Guide of the Windows 2000 Server Resource Kit.
Procedure Requirements
Credentials: Domain Admins
Tools: Active Directory Users and Computers (Administrative Tools)
Procedure Steps
To transfer a domain-level operations master role
1. In the Active Directory Users and Computers snap-in, at the top of the console tree, right-click Active Directory Users and Computers. Click Connect to Domain Controller.
2. In the Available controllers list, click the name of the server to which you want to transfer the role, and then click OK.
3. At the top of the console tree, right-click Active Directory Users and Computers, and then click Operations Masters. The name of the current operations master role holder appears in the upper box. The name of the server to which you want to transfer the role appears in the lower box.
4. Click the tab that belongs to the role you want to transfer: RID, PDC, or Infrastructure. Verify the computer names that appear and then click Change. Click Yes to transfer the role.
5. Repeat step 4 for each role that you want to transfer.
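A PowerShell check, added here as an example and not part of the guide, that reads the five role holders through the .NET System.DirectoryServices.ActiveDirectory classes (a scripted alternative to the Ntdsutil.exe listing above) and flags the two placement rules these procedures state: the domain naming master must be a global catalog server, and the infrastructure master should not be hosted on one. The optional domain name parameter is an assumption of this script; it defaults to the domain of the logged-on account.

```powershell
# Added example, not from the guide: report the operations master role holders
# and check the global catalog placement rules stated in this section.
Add-Type -AssemblyName System.DirectoryServices

function Get-OperationsMasterReport {
    param(
        # Domain to inspect (assumed parameter); defaults to the current account's domain.
        [string]$DomainName
    )
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    if ($DomainName) {
        $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList 'Domain', $DomainName
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    } else {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    }

    # Two forest-level roles, three domain-level roles, each a DomainController object.
    $roles = [ordered]@{
        'Schema master'         = $forest.SchemaRoleOwner
        'Domain naming master'  = $forest.NamingRoleOwner
        'PDC emulator'          = $domain.PdcRoleOwner
        'RID master'            = $domain.RidRoleOwner
        'Infrastructure master' = $domain.InfrastructureRoleOwner
    }

    $report = @()
    foreach ($entry in $roles.GetEnumerator()) {
        $dc = $entry.Value
        $isGc = $dc.IsGlobalCatalog()
        $status = 'OK'
        # Rule from the forest-level procedure: the naming master must be a GC.
        if ($entry.Key -eq 'Domain naming master' -and -not $isGc) {
            $status = 'WARNING: domain naming master is not a global catalog server'
        }
        # Rule from the Note on the infrastructure master: it should not sit on a GC.
        if ($entry.Key -eq 'Infrastructure master' -and $isGc) {
            $status = 'WARNING: infrastructure master is hosted on a global catalog server'
        }
        $report += [pscustomobject]@{
            Role          = $entry.Key
            Holder        = $dc.Name
            Site          = $dc.SiteName
            GlobalCatalog = $isGc
            Status        = $status
        }
    }
    return $report
}

Get-OperationsMasterReport | Format-Table -AutoSize
```

Run it with the same credentials the procedures above require; it only reads the role owners and changes nothing.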
Procedure: Verify connectivity between forests
Procedure Steps
To verify connectivity from forest A to forest B
1. Log on to forest A.
2. Click Start, click Run, type cmd in the Open box, and then press ENTER.
3. At a command prompt, type ping <the name of forest B>, and then press ENTER. You receive a reply.

To verify connectivity from forest B to forest A
1. Log on to forest B.
2. Click Start, click Run, type cmd in the Open box, and then press ENTER.
3. At a command prompt, type ping <the name of forest A>, and then press ENTER. You receive a reply.

Procedure: Configure DNS for both forests
Procedure Steps
To configure DNS
1. Go to Start > All Programs > Administrative Tools > DNS.
2. Right-click <server name>, and then click Properties.
3. On the Forwarders tab, click New, type in the name of the forest, and then click OK.
4. Type the IP address of the DNS server (for example, type 10.1.1.2), and then click Add.

To verify connectivity
1. Click Start, click Run, type cmd in the Open box, and then press ENTER.
2. At a command prompt, type ping and the name of the forest, and then press ENTER. You receive a reply.

Procedure: Create the forest trust on forest A or B
Procedure Steps
To create the forest trust on forest A or B
1. Go to Start > All Programs > Administrative Tools > Active Directory Domains and Trusts.
2. Right-click the Forest object that represents forest A, and then click Properties.
3. Click the Trusts tab, click New Trust, and then click Next in the Trust Creation Wizard.
4. In the Name box, type the name of the forest to which you want to configure the trust, and then click Next.
5. Click Forest Trust, and then click Next. If Forest Trust is not an option, verify that you raised the forest functional level to Windows Server 2003 by reviewing the steps in the previous section.
6. Click Two Way, and then click Next.
7. Click both This Domain and Specified Domain, and then click Next.
8. In the Credentials dialog box for the forest A domain, type both the user name (administrator) and password, and then click Next.
9. Click Allow authentication for all resources in the local forest, and then click Next.
10. Click Allow authentication for all resources in the forest A, and then click Next.
Note The Selective Authentication option for both sides of the trust is disabled when you do this. You will enable the Selective Authentication option in the next section.
11. Review the changes that are listed, and then click Next to approve the changes.
12. Click Yes, confirm outgoing trust, and then click Next.
13. When the dialog box that lists the name suffixes that you want to route is displayed, do not make any changes. Click Next, click Finish, and then click OK.

Procedure: Verify the trust
Procedure Steps
To verify the trust
1. Create and name a test file share on either forest domain, and then assign permissions to the share:
a. On any server on either of the two forests, create and name a folder, create a Sampletext.txt file with some text by using a text editor (such as Notepad), and then save the Sampletext.txt file in the folder.
b. Right-click the folder, and then click Sharing and Security.
c. Click Share this folder, and then click Permissions.
d. Click Add in the Group or user names box, type the name of the group to be added, and then click OK.
e. Click the group added in the Group or user names box, and then click to select all of the check boxes in both the Change and Read boxes.
f. Click Everyone in the Group or user names box, and then click Remove.
Note You cannot grant permissions by adding the user directly to the DACL file share when you use this procedure; however, you can create a domain local group to grant permission to the share and add the remote forest groups to this domain local group. You will directly add the users to the DACL in this section. More information about group membership rules is provided in the following section.
2. Verify that you can gain access to the domain and the Sampletext.txt file that you created:
a. Log on to the server with administrative privileges.
b. Click Start, click Run, type the name of the test file share you created in the Open box, and then press ENTER.
c. Double-click the Sampletext.txt file to confirm that you can open and read the file. If you cannot open the file, verify that the permissions are properly assigned.
d. Create a Sampletext2.txt file in a text editor, such as Notepad, and then save the file to the folder to verify that you can save a file to the share.

Procedure: Turn on the Selective Authentication option in forest A to enable only selective authentication from forest B
Procedure Steps
To turn on the Selective Authentication option
1. Confirm that you are logged on to forest A with administrative privileges.
2. Go to Start > All Programs > Administrative Tools > Active Directory Domains and Trusts.
3. Right-click forest A, and then click Properties.
4. Click the Trusts tab, right-click forest B in the Domains trusted by this domain (outgoing trusts) box, and then click Properties.
5. Click the Authentication tab, click Allow authentication only to selected resources in the local forest, click OK, and then click OK.

Procedure: Create a test file and then assign permissions to the share
Procedure Steps
To create a test file and then assign permissions to the share
1. On the designated computer, go to Start > All Programs > Accessories > Windows Explorer.
2. In the console tree, click Local Disk (C:). Right-click a blank area in the details pane, point to New, click Folder, and then type Testfolder for the name of the new folder.
3. Double-click the new Testfolder folder in the details pane to open the folder, right-click a blank area, point to New, click Text Document, and then type Testdoc.txt for the name of the document.
4. In the console tree, right-click the Testfolder folder, and then click Sharing and Security.
5. Click Share this folder, click Permissions, click Add, and then type Administrator@[name of forest].
6. In the Group or user names box, click forest A.
7. Click Change in the Allow column in the Permissions for [name of forest] Administrator@[name of domain].com box, click Read in the Allow column, and then click OK.
8. In the Group or user names box, click Everyone, and then click Remove.

Procedure: Verify that you cannot gain access to forest A from forest B
Procedure Steps
To verify that you cannot gain access to forest A from forest B
1. Log on to the designated computer with administrative privileges.
2. Click Start, click Run, type \\<name of server>\<name of share> in the Open box, and then press ENTER.
3. You should not be able to gain access to the share because you enabled the Selective Authentication option. If you can gain access to the share, verify that the permissions are properly configured.

Procedure: Enable the Selective Authentication option for a designated computer
Procedure Steps
To enable the Selective Authentication option for a designated computer
1. Log on to the designated computer with administrative privileges.
2. Go to Start > All Programs > Administrative Tools > Active Directory Users and Computers.
3. On the View menu, click Advanced Features. In the console tree, click Domain Controllers.
4. In the details pane, right-click the name of the designated computer, and then click Properties.
5. Click the Security tab, click Add, type administrator@[name of forest].com, and then click OK.
6. In the Group or user names box, click Administrator@[name of forest].com, and then click to select the Allowed to authenticate check box in the Allow column that is in the Permissions for Administrator@[name of forest].com box. After you do this, the administrator@[name of forest].com user can authenticate to the designated computer.

Procedure: Verify that you can gain access from forest A to forest B
Procedure Steps
To verify that you can gain access from forest A to forest B
1. Log on to the designated computer with administrative privileges.
2. Click Start, click Run, type \\<name of server>\<name of share> in the Open box, and then press ENTER. You can now gain access to the share.

Procedure: Remove the forest trust
Procedure Steps
To remove the forest trust
1. Log on to the domain with administrative privileges.
2. Go to Start > All Programs > Administrative Tools > Active Directory Domains and Trusts.
3. In the console tree, right-click the domain, and then click Properties.
4. Click the Trusts tab, right-click the forest to be removed in the Domains trusted by this domain (outgoing trusts) box, and then click Remove.
5. Click Yes, remove the trust from the local domain and the other domain.
6. In the User name box, type Administrator and then type the password in the Password box.
7. Click Yes, and then choose the option to remove the trust.
8. Repeat steps 4 through 7 to remove the incoming trust in the Domains that trust this domain (incoming trusts) box.
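A PowerShell audit, added here as an example and not taken from the guide, that lists the forest trusts of the current forest and reports, for each trust that forest A can authenticate across, whether the Selective Authentication option from the procedures above is in effect. It uses the .NET Forest class (GetAllTrustRelationships, GetSelectiveAuthenticationStatus and VerifyOutboundTrust); a two-way forest trust that is still in the forest-wide authentication state the wizard leaves is flagged, since in that state every resource in the local forest accepts principals from the trusted forest.

```powershell
# Added example, not from the guide: report the authentication scope of each
# forest trust so a trust left at forest-wide authentication is visible.
Add-Type -AssemblyName System.DirectoryServices

function Get-ForestTrustAuthenticationReport {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $report = @()
    foreach ($trust in $forest.GetAllTrustRelationships()) {
        # The authentication setting belongs to the trusting (outgoing) side, so an
        # inbound-only trust is governed by the other forest, not this one.
        $outbound  = $trust.TrustDirection -ne 'Inbound'
        $selective = $null
        $verify    = 'not applicable'
        if ($outbound) {
            $selective = $forest.GetSelectiveAuthenticationStatus($trust.TargetName)
            try {
                $forest.VerifyOutboundTrust($trust.TargetName)   # throws when the trust is broken
                $verify = 'OK'
            } catch {
                $verify = "FAILED: $($_.Exception.Message)"
            }
        }
        $status = if (-not $outbound) {
            'inbound only; authentication scope is set in the other forest'
        } elseif ($selective) {
            'OK: selective authentication (only computers with Allowed to authenticate grants)'
        } else {
            'WARNING: forest-wide authentication; every resource in this forest accepts the trusted forest'
        }
        $report += [pscustomobject]@{
            TargetForest            = $trust.TargetName
            Direction               = $trust.TrustDirection
            Type                    = $trust.TrustType
            SelectiveAuthentication = $selective
            OutboundTrustCheck      = $verify
            Status                  = $status
        }
    }
    return $report
}

Get-ForestTrustAuthenticationReport | Format-Table -AutoSize
```

Run it from forest A after step 5 of the Selective Authentication procedure; the row for forest B should show SelectiveAuthentication as True.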
Procedure: Determine whether a domain controller is a global catalog server
The setting for designating the domain controller as a global catalog server is located in the properties of the Child NTDS Settings object of the respective Server object.
Procedure Requirements
Credentials: Domain Users
Tool: Active Directory Sites and Services (Administrative Tools)
Procedure Steps
To determine whether a domain controller is a global catalog server
1. In Active Directory Sites and Services, expand the Sites container, expand the site of the domain controller you want to check, expand the Servers container, and then expand the Server object.
2. Right-click the NTDS Settings object, and then click Properties.
3. On the General tab, if the Global Catalog box is selected, the server is designated as a global catalog server.

Procedure: Remove Active Directory
To use the Active Directory Installation Wizard to remove Active Directory, you must know the password to assign to the local Administrator account of the server after Active Directory is removed.
Procedure Requirements
Credentials: Domain Admin
Tool: Dcpromo.exe
Procedure Steps
To remove Active Directory
1. In the Run text box, type dcpromo and click OK.
2. The Active Directory Installation Wizard appears. Click Next at the Welcome screen.
3. You have an option to select This server is the last domain controller in the domain. If you select this option, the wizard attempts to remove the domain from the forest. Do not select this option. Click Next.
4. At the Administrative Password screen, enter and confirm the password that you want to assign to the local Administrator account after Active Directory is removed. Click Next.
5. At the Summary screen, verify that the information is correct and then click Next to proceed with the removal.
6. The wizard proceeds to remove Active Directory. After it finishes, the wizard displays a completion screen. Click Finish to close the wizard.
7. Click Restart to restart the domain controller.

Procedure: Delete a Server object from a site
When no Child objects are visible below the Server object in Active Directory Sites and Services, you can remove the Server object.
Procedure Requirements
Credentials: Domain Admins
Tool: Active Directory Sites and Services (Administrative Tools)
No Child objects appear below the Server object in Active Directory Sites and Services
Procedure Steps
To delete a Server object from a site
1. In Active Directory Sites and Services, expand the Sites container, and then expand the site from which you want to delete a Server object.
2. Expand the Servers container, and then expand the Server object you want to delete.
3. If no Child objects appear below the Server object, right-click the Server object, and then click Delete.
Important Do not delete a Server object that has a Child object. If an NTDS Settings or other Child object appears below the Server object you want to delete, either replication on the domain controller on which you are viewing the Configuration container has not occurred, or the server whose Server object you are removing has not been properly decommissioned.
4. Click Yes to confirm your choice.

Procedure: Use System Properties interface to change name
Procedure Steps
To use System Properties interface to change name
1. In Control Panel, click System Properties.
2. On the Computer Name tab, click Change.
3. Click OK to acknowledge that renaming the domain controller may cause it to become temporarily unavailable to users and computers (see note below).
4. Under Computer Name, type the new name.
5. Click OK to close the System Properties box.
6. If prompted, enter username/password for an account with domain admin or enterprise admin authority.
Note Renaming a domain controller in this way may result in Active Directory replication latency delaying the ability for clients to locate or authenticate the domain controller under its new name.
Procedure: Determine the location and size of the directory database files
Be sure to use the same method to check file sizes when you compare them. The size is reported differently, depending on whether the domain controller is online or offline, as follows:
Determine the database size and location online. This size is reported in bytes. If you must manage the database file, the log files, or both, first determine the location and size of the files. By default, the database file and associated log files are stored in the %systemroot%\NTDS directory.
Determine the database size and location offline. This size is reported in megabytes (MB). Use this method if the domain controller is already started in Directory Services Restore Mode.
You can also use the Search command on the Start menu to locate the database file (Ntds.dit) or the edb*.log file for the location of the database and log files, respectively. If you have set garbage collection logging to report free disk space, then event ID 1646 in the Active Directory service log also reports the size of the database file: Total allocated hard disk space (megabytes). Alternatively, you can determine the size of the database file by listing the contents of the directory that contains the files.
Procedure Requirements (Online)
Credentials: Domain Admins
Tool: Command line: dir command
Procedure Steps
To determine the directory database size online
1. On the domain controller on which you want to manage database files, open a command prompt and change directories to the directory containing the files you want to manage.
2. Run the dir command to examine the database size. In the following example, the Ntds.dit file and the log files are stored in the same directory. In the example, the files take up 58,761,216 bytes of disk space.

H:\NTDS>dir
 Volume in drive H has no label.
 Volume Serial Number is 003D-0E9E

 Directory of H:\NTDS

01/29/2002  11:04 AM    <DIR>          .
01/29/2002  11:04 AM    <DIR>          ..
01/28/2002  03:03 PM    <DIR>          Drop
01/29/2002  10:29 AM             8,192 edb.chk
01/29/2002  10:29 AM        10,485,760 edb.log
01/29/2002  10:29 AM        10,485,760 edb00001.log
01/29/2002  10:29 AM        14,696,448 ntds.dit
01/28/2002  02:54 PM        10,485,760 res1.log
01/28/2002  02:54 PM        10,485,760 res2.log
               7 File(s)     58,761,216 bytes
               3 Dir(s)     779,284,480 bytes free

Procedure Requirements (Offline)
This size is reported in megabytes (MB). Use this method if the domain controller is already started in Directory Services Restore Mode. If the domain controller is started in Directory Services Restore Mode, you can use Ntdsutil.exe to report the Ntds.dit database file and log file locations, as well as the free disk space on all local drives.
Domain controller is started in Directory Services Restore Mode
Credentials: local Administrator account
Tool: Ntdsutil.exe (system tool)
Procedure Steps
To check directory database information and free disk space offline
1. With the domain controller in Directory Services Restore Mode, open a command prompt, type ntdsutil and then press ENTER.
2. At the ntdsutil: prompt, type files and then press ENTER.
3. At the file maintenance: prompt, type info and press ENTER.
4. At the file maintenance: prompt, type quit and press ENTER. Type quit and press ENTER again to quit Ntdsutil.exe.

Procedure: Compare the size of the directory database files to the volume size
Before moving any files in response to low disk space, verify that no other files on the volume are responsible for the condition of low disk space.
You might need to relocate the database file, the log files, or both, if disk space on the volume on which they are stored becomes low. Before moving the database file or log files, examine the size of the database folder, logs folder, or both, if they are stored in the same location, relative to the size of the volume to verify that these files are the cause of low disk space. Include the size of the SYSVOL folder if it is on the same partition.
Procedure Requirements
Credentials: Domain Users (online) or local administrator (offline)
Tool: Command line: dir command
Procedure Steps
To compare the size of the directory database files to the volume size
1. In Windows Explorer, click My Computer.
2. On the View menu, click Details.
3. In the Name column in the details pane, locate the volume. Make a note of the value in the Total Size column.
4. Navigate to the folder that stores the database file, the log files, or both.
5. Right-click the folder, and then click Properties. Make a note of the value in Size on disk.
6. If the volume includes SYSVOL, navigate to that folder and repeat step 5.
7. Compare the sizes. If the combined size of the relevant database files and SYSVOL files (if appropriate) is significantly smaller than the volume size, then check the contents of the volume for other files.
8. If other files are present, move those files and reassess the disk space on the volume.

Procedure: Move the database file, the log files, or both
Move the files to a temporary destination if you need to reformat the original location, or to a permanent location if you have additional disk space. Moving the files can be performed locally by using Ntdsutil.exe or remotely (temporarily) by using a file copy, as follows:
Subprocedure 1: Move the directory database files to a local drive
To move the directory database files to a different local folder, always use Ntdsutil.exe because this tool automatically updates the registry with the new path. If you need to reformat the partition that currently stores the database file, the log files, or both, then you must move the files temporarily while you reformat the original drive. After you reformat the drive, use the same procedure to move the files back. Even if you are moving the files only temporarily, use Ntdsutil.exe so that the registry is always current.
Note If the SYSVOL folder is stored on the partition you are reformatting, you must move SYSVOL as well as the database files, which requires a separate procedure.
The registry entries that Ntdsutil.exe updates when you move the database file are as follows:
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters:
Database backup path
Digital Signature Algorithm (DSA) database file
DSA working directory

The registry entry that Ntdsutil.exe updates when you move the log files is as follows:
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters:
Database log files path
Procedure Requirements
Domain controller is started in Directory Services Restore Mode
Credentials: local Administrator account
Disk space:
Temporary location. Free space on the destination drive equivalent to at least the current size of the database file, the combined log files, or both, depending on which files you are moving.
Permanent location. Free space on the destination NTFS drive equivalent to at least the size specified below, plus space to accommodate anticipated growth, depending on which file or files you are moving.

Caution The drive that is the permanent location of the database file or log files must be formatted as NTFS.
Database file only: The size of the database file plus 20 percent of the Ntds.dit file or 500 MB, whichever is greater.
Log files only: The size of the combined log files plus 20 percent of the combined logs or 500 MB, whichever is greater.
Database and logs: If the database and log files are stored on the same partition, free space should be at least 20 percent of the combined Ntds.dit and log files, or 1 GB, whichever is greater.

Important The preceding levels are minimum recommended levels. If you have followed the recommendations in Monitoring Active Directory in this guide, falling below these minimum levels causes a monitoring warning. Therefore, adding additional space according to anticipated growth is recommended.
Tools:
Command line: dir command
Ntdsutil.exe (system tool)
Windows Explorer
Procedure Steps
To move the directory database files to a different local drive
1. In Directory Services Restore Mode, open a command prompt and change directories to the current location of the directory database file (Ntds.dit) or the log files, whichever you are moving.
2. Run the dir command and make a note of the current size and location of the Ntds.dit file.
3. At the command prompt, type ntdsutil and then press ENTER.
4. At the ntdsutil: prompt, type files and then press ENTER.
5. To move the database file, at the file maintenance: prompt, use the following commands:
To move the Ntds.dit file, type: move db to drive:\directory
where drive:\directory is the path to the new location. If the directory does not exist, then Ntdsutil.exe creates it.
Note If the directory path contains any spaces, the entire path must be surrounded by quotation marks (for example, move db to "g:\new folder").
To move the log files, type: move logs to drive:\directory
6. After the move completes, at the file maintenance: prompt, type quit and press ENTER. Type quit again and press ENTER to quit Ntdsutil.exe.
7. Change to the destination directory and then run the dir command to confirm the presence of the files. If you have moved the database file, then check the size of the Ntds.dit file against the file size you noted in step 2 to be sure that you are focused on the correct file.
8. If you are moving the database file or log files permanently, go to step 9.
If you are moving the database file or log files temporarily, you can now perform any required updates to the original drive. After you update the drive, repeat steps 1 through 7 to move the files back to the original location.
9. If the path to the database file or log files has not changed, go to step 10. If the path to the database file or log files has changed from the original location, check permissions on the database folder or logs folder while still in Directory Services Restore Mode, as follows:
a. In Windows Explorer, right-click the folder to which you have moved the database file or log files, and then click Properties.
b. Click the Security tab, and verify that the permissions are:
Administrators group has Allow Full Control.
System has Allow Full Control.
Inheritable permissions are not allowed (checkbox is cleared).
No Deny permissions are selected.
c. If the permissions in step 9b are in effect, then go to step 10. If permissions other than those described in step 9b are in effect, then perform steps 9d through 9k.
d. If Allow inheritable permissions from parent to propagate to this object is selected, click to clear it.
e. When prompted, click Copy to copy previously inherited permissions to this object.
f. If Administrators or SYSTEM, or both, are not in the Name list, click Add.
g. On the Select Users or Groups page, in the Look in: box, be sure the name of the local computer is selected.
h. In the Name list, click System if needed, and then click Add. Repeat to add Administrators, if needed, and then click OK.
i. On the Security tab, click System and then in the Allow column, click Full Control. Repeat for Administrators.
j. In the Name box, click any name that is not SYSTEM or Administrators, and then click Remove. Repeat until the only remaining accounts are Administrators and SYSTEM, and then click OK.
Note Some accounts might appear in the form of security identifiers (SIDs). Remove any such accounts.
k. Click OK to close Properties.
10. At the command prompt, type ntdsutil and then press ENTER.
11. At the ntdsutil: prompt, type files and then press ENTER.
12. At the file maintenance: prompt, type integrity and then press ENTER. If the integrity check fails, perform semantic database analysis with a fixup record.
13. If the integrity check succeeds, type quit and press ENTER to quit the file maintenance: prompt. Type quit again and press ENTER to quit Ntdsutil.exe.
14. Restart the domain controller normally. If you are performing this procedure remotely over a Terminal Services connection, be sure that you have modified the Boot.ini file for normal restarting before you restart the domain controller.

If errors appear when you restart the domain controller:
1. Restart the domain controller in Directory Services Restore Mode.
2. Check the errors in Event Viewer.

If the following events are logged in Event Viewer on restarting the domain controller, address the events as follows:
Event ID 1046. The Active Directory database engine caused an exception with the following parameters. In this case, Active Directory cannot recover from this error and you must restore from backup media.
Event ID 1168. Internal error: An Active Directory error has occurred. In this case, information is missing from the registry and you must restore from backup media.

Subprocedure 2: Copy the directory database files to a remote share and back
When copying any database files from the local computer, always copy both the database file and the log files. If you need to move the database file or the log files while you reconfigure the drive on which they are currently stored, and you do not have sufficient space to move the files locally, then you can use the xcopy command to copy the files to a remote shared folder temporarily, and then use the same procedure to copy them back to the original drive. You can use this method as long as the path to the files does not change.
Important When relocating any database files (the database file or the log files) off the local computer, always copy both the database file and the log files so that all of the files necessary to restore the directory service are maintained.
Procedure Requirements Domuln controller ls sturted ln Dlrectory Servlces Restore Mode. Credentluls: locul Admlnlstrutor uccount. Shured folder on u remote drlve thut hus enough free spuce to hold the dutubuse flle (Ntds.dlt) und log flles. Creute sepurute subdlrectorles for copylng the dutubuse flle und the log flles. Dlsk spuce: Temporury locutlon. Free spuce on the destlnutlon drlve equlvulent to ut leust the current comblned slze of the dutubuse flle or log flles, dependlng on whlch flles you ure movlng. Permunent locutlon. Free spuce on the destlnutlon NTFS drlve equlvulent to ut leust the followlng slzes, plus spuce to uccommodute untlclputed growth of the envlronment, dependlng on whlch flles you ure movlng.
Caution The drive that is the permanent location of the database or log files must be formatted as NTFS.
Database file only: The size of the database file plus 20 percent of the Ntds.dit file or 500 MB, whichever is greater.
Log files only: The size of the combined log files plus 20 percent of the combined logs or 500 MB, whichever is greater.
Database and logs: If the database and log files are stored on the same partition, free space equal to at least 20 percent of the combined Ntds.dit and log files, or 1 GB, whichever is greater.
Important The preceding levels are minimum recommended levels. If you follow monitoring recommendations, falling below these minimum levels generates an alert. Therefore, adding additional space according to anticipated growth is recommended.
Active Directory Product Operations Guide 152
Procedure Steps
To copy the directory database and log files to a remote drive and back to the local computer
1. In Directory Services Restore Mode, open a command prompt and change directories to the current location of the database file (Ntds.dit) or the log files. If the database file and log files are in different locations, perform step 2 for each directory.
2. Run the dir command and make a note of the current size and location of the Ntds.dit file and the log files.
3. Establish a network connection to a shared folder, as shown below. Because you are logged on as the local administrator, unless permissions on the shared folder include the built-in Administrator account, you must provide a domain name, user name, and password for an account that has Write permissions on the shared folder.
In the example below, \\SERVER1\NTDS is the name of the shared folder and K: is the drive that you have mapped to the shared folder. Example text that describes information that you type is shown in bold. After typing the first line and pressing ENTER, you are prompted for the password. Type the password and then press ENTER.
H:\>net use K: \\SERVER1\NTDS /user:domainName\userName *
Type the password for \\SERVER1\NTDS:
Drive K: is now connected to \\SERVER1\NTDS
The command completed successfully.
4. Use the xcopy command to copy the database file and log files to the location you established in step 3. In the example where the database file is located in H:\WINNT\NTDS and the share has the subdirectory database, the text you type is shown in bold:
H:\>xcopy WINNT\NTDS K:\DB
The command copies the contents of WINNT\NTDS to the subfolder database in the shared folder described as drive K:. If the database file and log files are in different locations, repeat the xcopy command for the log files, specifying the subfolder for the log files.
5. Change drives to the new location and run the dir command to compare the file sizes to those listed in step 2. Use this step to ensure that you copy the correct set of files back to the local computer.
6. At this point, you can safely destroy data on the original local drive.
7. After the destination drive is prepared, re-establish a connection to the network drive as described in step 3, if necessary.
8. Copy the database and log files from the remote shared folder back to the original location on the domain controller.
9. At the command prompt, type ntdsutil and then press ENTER.
10. At the ntdsutil: prompt, type files and then press ENTER.
11. At the file maintenance: prompt, type integrity and then press ENTER. If the integrity check fails, perform semantic database analysis with a fixup record.
12. If the integrity check succeeds, type quit and press ENTER to quit the file maintenance: prompt. Type quit again and press ENTER to quit Ntdsutil.exe.
13. Restart the domain controller normally. If you are performing this procedure remotely over a Terminal Services connection, be sure that you have modified the Boot.ini file for normal restarting before you restart the domain controller.
If errors appear when you restart the domain controller:
Restart the domain controller in Directory Services Restore Mode.
Check the errors in Event Viewer.
If the following events are logged in Event Viewer on restarting the domain controller, respond to the events as follows:
Event ID 1046. The Active Directory database engine caused an exception with the following parameters. In this case, Active Directory cannot recover from this error and you must restore from backup media.
Event ID 1168. Internal error: An Active Directory error has occurred. In this case, information is missing from the registry and you must restore from backup media.
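As an added example (not from the guide), the following Windows PowerShell functions perform steps 4 and 5 of the subprocedure above with a per-file hash comparison instead of a visual dir check, and refuse to start when the share cannot hold the whole set. They assume Windows PowerShell 4.0 or later (for Get-FileHash), that K: was mapped with net use as in step 3, and Directory Services Restore Mode; H:\WINNT\NTDS and K:\DB are the placeholder paths from the procedure.

```powershell
# Added example, not from the guide. Stages Ntds.dit and the log files on the
# mapped share (step 4) and does the step-5 comparison with SHA-256 hashes.
# Assumes Windows PowerShell 4.0+, K: mapped with "net use" as in step 3, and
# Directory Services Restore Mode. H:\WINNT\NTDS and K:\DB are placeholders.

function Get-NtdsFileInventory {
    param([Parameter(Mandatory)][string]$Path)
    # The same files the procedure has you note with "dir" in step 2, plus a
    # hash per file so a short or damaged copy is caught, not only a size change.
    Get-ChildItem -Path $Path -File |
        Where-Object { $_.Name -eq 'ntds.dit' -or $_.Extension -eq '.log' -or $_.Name -eq 'edb.chk' } |
        Sort-Object -Property Name |
        ForEach-Object {
            [pscustomobject]@{
                Name   = $_.Name
                Length = $_.Length
                Hash   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Copy-NtdsFilesVerified {
    param(
        [Parameter(Mandatory)][string]$Source,        # e.g. H:\WINNT\NTDS
        [Parameter(Mandatory)][string]$Destination    # e.g. K:\DB
    )
    $before = @(Get-NtdsFileInventory -Path $Source)
    if ($before.Count -eq 0) { throw "No Ntds.dit or log files found in $Source" }
    $needed = ($before | Measure-Object -Property Length -Sum).Sum

    # Procedure requirement: the destination must hold the combined size of the
    # set. Free space is read from the drive letter; a UNC path is not checked.
    if ($Destination -match '^([A-Za-z]):') {
        $drive = $Matches[1]
        $free  = (Get-PSDrive -Name $drive -PSProvider FileSystem).Free
        if ($free -lt $needed) {
            throw ("{0}: has {1} bytes free but {2} bytes are needed" -f $drive, $free, $needed)
        }
    }

    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    foreach ($f in $before) {
        Copy-Item -Path (Join-Path -Path $Source -ChildPath $f.Name) -Destination $Destination -Force
    }

    # Step 5: compare what landed on the share with what was read from the DC.
    $after = @(Get-NtdsFileInventory -Path $Destination)
    $mismatched = @(foreach ($f in $before) {
        $copy = $after | Where-Object { $_.Name -eq $f.Name }
        if (-not $copy -or $copy.Length -ne $f.Length -or $copy.Hash -ne $f.Hash) { $f.Name }
    })
    [pscustomobject]@{
        FilesCopied = $before.Count
        BytesCopied = $needed
        Verified    = ($mismatched.Count -eq 0)
        Mismatched  = $mismatched
    }
}

# Outbound copy (step 4). Swap the two arguments for the copy back in step 8;
# the same verification then protects the files going onto the domain controller.
$result = Copy-NtdsFilesVerified -Source 'H:\WINNT\NTDS' -Destination 'K:\DB'
if (-not $result.Verified) { throw "Copy did not verify: $($result.Mismatched -join ', ')" }
$result
```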
Procedure: Change the garbage collection logging level to 1
Check the directory service event log for event ID 1646, which reports the amount of disk space that you can recover by performing offline defragmentation. The garbage collection logging level is an NTDS diagnostics setting in the registry.
Procedure Requirements
Credentials: Domain Admins
Tools: Regedit.exe or Regedt32.exe (system tools)
Procedure Steps
Caution The Registry Editor bypasses standard safeguards, allowing settings that can damage your system or even require you to reinstall Windows. If you must edit the registry, back up system state first. For information about backing up system state, see "Active Directory Backup and Restore" in this guide.
To change the garbage collection logging level
1. In the Run text box, type regedit or regedt32, and then click OK.
2. Navigate to the Garbage Collection entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.
3. Double-click Garbage Collection, and for the Base or Radix, click Decimal.
4. In the Value data or Data box, type an integer from 0 through 5, and then click OK.
Procedure: Take the domain controller offline
Subprocedure 1: If you are logged on to the domain controller locally, restart the domain controller in Directory Services Restore Mode
To take a domain controller offline, restart it in Directory Services Restore Mode and log on as the local administrator. If you have physical access to the domain controller, you can start in Directory Services Restore Mode locally. In Directory Services Restore Mode, the domain controller is running as a member server and not as a domain controller. When you start Windows 2000 Server in this mode, the local Administrator account is authenticated by the local Security Accounts Manager (SAM) database. Therefore, logging on requires using the local administrator password, not an Active Directory domain password.
Procedure Requirements
Credentials: local Administrator account
Tool: None
Procedure Steps
To locally restart in Directory Services Restore Mode
1. Restart the domain controller.
2. When the screen for selecting an operating system appears, press F8.
3. From the Windows Advanced Options menu, select Directory Services Restore Mode.
4. When prompted, log on as the local administrator.
Subprocedure 2: If you are using Terminal Services for remote administration, you can remotely restart the domain controller in Directory Services Restore Mode after modifying the Boot.ini file on the remote server
To take a domain controller offline, restart it in Directory Services Restore Mode and log on as the local administrator. If the administrative computer has the Terminal Services client installed and the domain controller has Terminal Services installed and configured in Remote Administration mode, you can connect to the domain controller, modify the Boot.ini file, and restart the domain controller in Directory Services Restore Mode. In Directory Services Restore Mode, the domain controller is running as a member server and not as a domain controller. When you start Windows Server 2003 in this mode, the local Administrator account is authenticated by the local SAM database. Therefore, logging on requires using the local administrator password, not an Active Directory domain password.
Procedure Requirements
Credentials: local Administrator account
Tools: Terminal Services client, Notepad
Procedure Steps
To remotely restart in Directory Services Restore Mode
1. On a Terminal Services client, connect to the domain controller you want to restart in Directory Services Restore Mode. Perform the following steps on the remote domain controller.
2. Right-click My Computer, select Properties, and then select the Advanced tab.
3. Click Settings for startup and recovery.
4. Click the Edit button to edit the startup options file.
5. Modify the default entry to include the /safeboot:dsrepair switch, as shown in the following example:
multi(0)disk(0)rdisk(0)partition(2)\WINNT="W2K DC \\<your server name>" /fastdetect /SAFEBOOT:DSREPAIR
Note The /safeboot:dsrepair switch works for domain controllers running the Windows 2000 Server family.
6. Save the modified Boot.ini file and close Notepad.
7. On the Start menu, click Shut Down and then click Restart. During the restart process, the Terminal Services client reports that the session is disconnected.
Caution Be sure to click Restart and not Shut Down at this step. If you click Shut Down, you cannot remotely restart the domain controller.
8. Wait until the restart process has completed on the remote domain controller, and then reconnect the client session.
9. When reconnected, log on as the local administrator.
10. Right-click My Computer, select Properties, and then select the Advanced tab.
11. Click Settings for startup and recovery.
12. Click the Edit button to edit the startup options file.
13. Delete the /safeboot:dsrepair switch from the default entry in the Boot.ini file and save the file. Close Notepad.
Important If you restart the domain controller before you modify the Boot.ini file, the domain controller remains offline.
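An added Windows PowerShell helper (not part of the guide) for steps 5 and 13 of this subprocedure: it adds or removes the /SAFEBOOT:DSREPAIR switch on the default Boot.ini entry, keeps a copy of the file, and is idempotent, so a second Enable or Disable call leaves the file unchanged. It assumes the Boot.ini loader of Windows 2000 or Windows Server 2003, Windows PowerShell on the domain controller, and C:\Boot.ini as a placeholder path.

```powershell
# Added example, not from the guide. Adds or removes /SAFEBOOT:DSREPAIR on the
# default Boot.ini entry (steps 5 and 13 above) so that a remote restart lands
# in Directory Services Restore Mode once, and the file is returned to normal
# before the final restart. Assumes the Boot.ini loader (Windows 2000 / Server
# 2003) and Windows PowerShell; C:\Boot.ini is a placeholder path.

function Set-DsRestoreModeBoot {
    param(
        [Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$Mode,
        [string]$BootIni = 'C:\Boot.ini'
    )
    $switch  = '/SAFEBOOT:DSREPAIR'
    $pattern = '(?i)\s*/SAFEBOOT:DSREPAIR\b'
    $lines   = Get-Content -Path $BootIni
    Copy-Item -Path $BootIni -Destination "$BootIni.bak" -Force   # keep the original

    # The entry to edit is the one named by "default=" in [boot loader]; its
    # line in [operating systems] starts with the same ARC path.
    $default = ($lines | Where-Object { $_ -match '^\s*default\s*=' } | Select-Object -First 1) -replace '^\s*default\s*=\s*', ''
    if (-not $default) { throw "No default= entry found in $BootIni" }
    $default = $default.Trim()

    $changed = $false
    $new = foreach ($line in $lines) {
        if (-not $line.StartsWith($default, [System.StringComparison]::OrdinalIgnoreCase)) { $line; continue }
        $has = $line -match $pattern
        if ($Mode -eq 'Enable' -and -not $has) { $changed = $true; "$line $switch" }
        elseif ($Mode -eq 'Disable' -and $has) { $changed = $true; $line -replace $pattern, '' }
        else { $line }   # already in the requested state: leave the line alone
    }

    if ($changed) {
        # Boot.ini is read-only, system and hidden; clear the attributes to
        # write, then put them back.
        & attrib.exe -r -s -h $BootIni
        Set-Content -Path $BootIni -Value $new -Encoding Ascii
        & attrib.exe +r +s +h $BootIni
    }
    [pscustomobject]@{ Mode = $Mode; DefaultEntry = $default; Changed = $changed }
}

# Before the restart in step 7:
Set-DsRestoreModeBoot -Mode Enable
# After the work in Directory Services Restore Mode and before restarting
# normally; with the switch still present the DC would come back offline again:
Set-DsRestoreModeBoot -Mode Disable
```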
The Boot.ini file is now returned to its original state, which starts the domain controller normally.
Procedure: Compact the directory database file (offline defragmentation)
As part of the offline defragmentation procedure, check directory database integrity. Performing offline defragmentation creates a new, compacted version of the database file in a different location. This location can be either on the same computer or a network-mapped drive. However, to avoid potential problems related to network issues, perform this procedure locally. After compacting the file to the temporary location, copy the compacted Ntds.dit file back to the original location. If possible, maintain a copy of the original database file that you have either renamed in its current location or copied to an archival location.
Procedure Requirements
Domain controller is started in Directory Services Restore Mode.
Credentials:
Local domain controller: local Administrator account
Remote location: Read and Write permissions on the destination drive and shared folder
Disk space:
Current database drive. Free space on the drive that contains the file equivalent to at least 15 percent of the current size of the database, for temporary storage during the index rebuild process.
Destination database drive. Free space equivalent to at least the current size of the database, for storage of the compacted database file.
Tools:
Command line: net use, del, copy commands
Ntdsutil.exe (system tool)
Procedure Steps
To perform offline defragmentation of the directory database
1. In Directory Services Restore Mode, compact the database file to a local directory or remote shared folder, as follows:
Local directory: Go to step 2.
Remote directory: If you are compacting the database file to a shared folder on a remote computer, establish a network connection to the shared folder as shown below. Because you are logged on as the local administrator, unless permissions on the shared folder include the built-in Administrator account, you must provide a domain name, user name, and password for a domain account that has Write permissions on the shared folder. In the example below, \\SERVER1\NTDS is the name of the shared folder, and K: is the drive that you are mapping to the shared folder. Example text that describes information that you type is shown in bold. After typing the first line and pressing ENTER, you are prompted for the password. Type the password and then press ENTER.
H:\>net use K: \\SERVER1\NTDS /user:domainName\userName *
Type the password for \\SERVER1\NTDS:
Drive K: is now connected to \\SERVER1\NTDS
The command completed successfully.
2. At the command prompt, type ntdsutil and then press ENTER.
3. At the ntdsutil: prompt, type files and then press ENTER.
4. At the file maintenance: prompt, type compact to drive:\LocalDirectoryPath (where drive:\LocalDirectoryPath is the path to a location on the local computer) and then press ENTER. If you have mapped a drive to a shared folder on a remote computer, type the drive letter only (for example, compact to K:\).
Note When compacting to a local drive, you must provide a path. If the path contains any spaces, enclose the entire path in quotation marks (for example, compact to "c:\new folder"). If the directory does not exist, Ntdsutil.exe creates it and creates the file named Ntds.dit in that location.
5. If defragmentation completes successfully, type quit and press ENTER to quit the file maintenance: prompt. Type quit again and press ENTER to quit Ntdsutil.exe. Go to step 6. If defragmentation completes with errors, go to step 9.
Caution Do not overwrite the original Ntds.dit file or delete any log files.
6. If defragmentation succeeds with no errors, follow the Ntdsutil.exe onscreen instructions to delete all of the log files in the log directory by typing del drive:\pathToLogFiles\*.log
Note You do not need to delete the Edb.chk file.
a. If space allows, either rename the original Ntds.dit file to preserve it or copy it to a different location. Avoid overwriting the original Ntds.dit file.
b. Manually copy the compacted database file to the original location, as follows:
copy temporaryDrive:\ntds.dit originalDrive:\pathToOriginalDatabaseFile\ntds.dit
7. Type ntdsutil and then press ENTER.
8. At the ntdsutil: prompt, type files and then press ENTER.
9. At the file maintenance: prompt, type integrity and then press ENTER.
If the integrity check fails, the likely cause is that an error occurred during the copy operation in step 6.b. Repeat steps 6.b through 9. If the integrity check fails again:
Contact Microsoft Product Support Services.
-or-
Copy the original version of the Ntds.dit file that you preserved in step 6.a to the original database location and repeat the offline defragmentation procedure.
10. If the integrity check succeeds, proceed as follows:
If the initial compact to command failed, go back to step 4 and perform steps 4 through 9.
If the initial compact to command succeeded, type quit and press ENTER to quit the file maintenance: prompt, and then type quit and press ENTER again to quit Ntdsutil.exe.
11. Restart the domain controller normally. If you are connected remotely through a Terminal Services session, be sure that you have modified the Boot.ini file for normal restarting before you restart the domain controller.
If errors appear when you restart the domain controller:
1. Restart the domain controller in Directory Services Restore Mode.
2. Check the errors in Event Viewer.
If the following events are logged in Event Viewer on restarting the domain controller, respond to the events as follows:
Event ID 1046. The Active Directory database engine caused an exception with the following parameters. In this case, Active Directory cannot recover from this error and you must restore from backup media.
Event ID 1168. Internal error: An Active Directory error has occurred. In this case, information is missing from the registry and you must restore from backup media.
3. Check database integrity and then proceed as follows:
If the integrity check fails, try repeating step 6.b through step 9 above, and then repeat the integrity check. If the integrity check fails again:
Contact Microsoft Product Support Services.
-or-
Copy the original version of the Ntds.dit file that you preserved in step 6.a to the original database location and repeat the offline defragmentation procedure.
If the integrity check succeeds, perform semantic database analysis with fixup.
4. If semantic database analysis with fixup succeeds, quit Ntdsutil.exe and restart the domain controller normally.
5. If semantic database analysis with fixup fails, contact Microsoft Product Support Services.
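The following is an added Windows PowerShell rendition of steps 4 through 9 of the offline defragmentation procedure above, not code from the guide. It checks the two free-space requirements first, never overwrites the original Ntds.dit (it is renamed, as step 6.a allows), deletes only the *.log files, and runs the integrity check last. It assumes Directory Services Restore Mode, that ntdsutil accepts its commands as quoted arguments on the command line (the guide shows only the interactive prompts), and that ntdsutil reports a good result with the text "Integrity check successful"; all paths are placeholders.

```powershell
# Added example, not from the guide. Runs steps 4 to 9 of the offline
# defragmentation above non-interactively, with the free-space requirements
# checked first and the original Ntds.dit preserved instead of overwritten.
# Assumptions: Directory Services Restore Mode; Windows PowerShell; ntdsutil
# accepts commands as separate quoted arguments (on Windows Server 2008 and
# later an "activate instance ntds" argument would be needed first); the
# "Integrity check successful" message text. Paths are placeholders.

function Invoke-NtdsOfflineDefrag {
    param(
        [Parameter(Mandatory)][string]$DatabasePath,        # e.g. H:\WINNT\NTDS\ntds.dit
        [Parameter(Mandatory)][string]$LogDirectory,        # e.g. H:\WINNT\NTDS
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]:\\\S*$')]
        [string]$CompactTo                                  # local dir without spaces, e.g. H:\NtdsCompact
    )
    $dit      = Get-Item -Path $DatabasePath
    $freeDb   = (Get-PSDrive -Name $dit.PSDrive.Name -PSProvider FileSystem).Free
    $freeDest = (Get-PSDrive -Name $CompactTo.Substring(0, 1) -PSProvider FileSystem).Free

    # Requirements: 15 percent of the database size on the current drive for the
    # index rebuild, and the full database size at the destination.
    if ($freeDb -lt [math]::Ceiling($dit.Length * 0.15)) {
        throw "Need at least 15% of $($dit.Length) bytes free on $($dit.PSDrive.Name):"
    }
    if ($freeDest -lt $dit.Length) {
        throw "Destination drive cannot hold a $($dit.Length)-byte compacted database"
    }

    # Step 4: compact. Ntdsutil creates the directory and writes Ntds.dit into it.
    $compactOut = & ntdsutil.exe 'files' "compact to $CompactTo" 'quit' 'quit' 2>&1
    $compacted  = Join-Path -Path $CompactTo -ChildPath 'ntds.dit'
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $compacted)) {
        # Step 5: on error the guide goes straight to the integrity check (step 9).
        throw "Compaction failed (exit $LASTEXITCODE); run integrity before retrying.`n$($compactOut -join "`n")"
    }

    # Step 6a: keep the original under a new name; the Caution forbids overwriting it.
    $preserved = "$DatabasePath.$(Get-Date -Format 'yyyyMMdd-HHmmss').orig"
    Rename-Item -Path $DatabasePath -NewName (Split-Path -Path $preserved -Leaf)
    # Step 6: remove only the *.log files; Edb.chk may stay (Note above).
    Get-ChildItem -Path $LogDirectory -Filter '*.log' -File | Remove-Item -Force
    # Step 6b: copy the compacted file into the original location and size-check it.
    Copy-Item -Path $compacted -Destination $DatabasePath -Force
    if ((Get-Item -Path $DatabasePath).Length -ne (Get-Item -Path $compacted).Length) {
        throw "Copy in step 6b is incomplete; restore $preserved and repeat from step 6b"
    }

    # Steps 7 to 9: integrity check of the database now in place.
    $integrityOut = & ntdsutil.exe 'files' 'integrity' 'quit' 'quit' 2>&1
    [pscustomobject]@{
        CompactedFile     = $compacted
        PreservedOriginal = $preserved
        IntegrityOk       = [bool]($integrityOut -match 'Integrity check successful')
        IntegrityOutput   = $integrityOut
    }
}

$r = Invoke-NtdsOfflineDefrag -DatabasePath 'H:\WINNT\NTDS\ntds.dit' -LogDirectory 'H:\WINNT\NTDS' -CompactTo 'H:\NtdsCompact'
if (-not $r.IntegrityOk) { throw "Integrity check failed; follow the step 9 guidance. Original kept at $($r.PreservedOriginal)" }
$r
```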
Procedure: If database integrity check fails, perform semantic database analysis with fixup
When you run semantic database analysis with the Go Fix up command instead of the Go command, errors are written into Dsdit.dmp.xx log files. A progress indicator reports the status of the check.
Procedure Requirements
Domain controller is started in Directory Services Restore Mode.
Credentials: local Administrator account
Tool: Ntdsutil.exe (system tool)
Procedure Tasks
To perform semantic database analysis with fixup
1. If you are not already at the ntdsutil: prompt, open a command prompt, type ntdsutil, and then press ENTER.
2. At the ntdsutil: prompt, type semantic database analysis and then press ENTER.
3. At the semantic checker: prompt, type verbose on and then press ENTER.
4. At the semantic checker: prompt, type go fixup and then press ENTER.
If errors are reported during the semantic database analysis Go Fixup phase, perform directory database recovery.
WARNING Do not confuse the recover command with the repair command. Never use the repair command in Ntdsutil.exe. Forest-wide data loss can occur.
If semantic database analysis with fixup succeeds, type quit and then type quit again to close Ntdsutil.exe, and then restart the domain controller normally. If you are performing this procedure remotely over a Terminal Services connection, be sure that you have modified the Boot.ini file for normal restarting before you restart the domain controller.
Procedure: Start the File Replication service
Use this procedure to restart the File Replication service and review the FRS event log to ensure that the restart succeeded.
Procedure Requirements
Credentials: Domain Admins
Tools: Net.exe, Event Viewer
Procedure Steps
To start the File Replication service
1. At a command prompt, type net start ntfrs and press ENTER.
2. You can use Event Viewer to verify that NTFRS restarted correctly. Event ID 13501 indicates that the service restarted. Look for event ID 13516 to verify that the domain controller is running and ready for service. If you moved SYSVOL to a new location or relocated the Staging Area folder, look for event IDs 13553 and 13556, which indicate success.
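As an added example (not from the guide), the following Windows PowerShell function turns step 2 into a check that can be run right after net start ntfrs: it waits for the FRS events listed above (13501 and 13516, plus 13553 and 13556 after a SYSVOL or staging move) and then performs the net share and dcdiag checks that the "Check the status of the shared SYSVOL" procedure later in this section describes. It assumes Windows PowerShell with Get-EventLog and the classic File Replication Service log of Windows 2000 and Windows Server 2003; the polling interval and the 20-minute timeout are constructed values.

```powershell
# Added example, not from the guide. After "net start ntfrs", waits for the
# events listed in step 2 (13501 and 13516; 13553 and 13556 after a SYSVOL or
# staging move) and then runs the share and dcdiag checks from the "Check the
# status of the shared SYSVOL" procedure. Assumes Windows PowerShell with
# Get-EventLog and the "File Replication Service" log; the polling interval
# and 20-minute timeout are constructed values.

function Test-FrsStartup {
    param(
        [datetime]$Since = (Get-Date).AddMinutes(-5),   # when "net start ntfrs" was run
        [switch]$AfterSysvolMove,                        # also require 13553 and 13556
        [int]$TimeoutMinutes = 20                        # 13516 can take 15 minutes or more
    )
    $required = @(13501, 13516)
    if ($AfterSysvolMove) { $required += 13553, 13556 }

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # EventID is the 16-bit event number shown in Event Viewer.
        $seen = @(Get-EventLog -LogName 'File Replication Service' -After $Since -ErrorAction Stop |
            Where-Object { $_.Source -eq 'NtFrs' } |
            ForEach-Object { [int]$_.EventID } |
            Sort-Object -Unique)
        $missing = @($required | Where-Object { $seen -notcontains $_ })
        if ($missing.Count -eq 0) { break }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)

    # Share check: "net share" must list both SYSVOL and NETLOGON. The first
    # column of each output line is the share name.
    $shareNames = @(& net.exe share | ForEach-Object { ($_ -split '\s{2,}')[0] })
    $sharesMissing = @(@('SYSVOL', 'NETLOGON') | Where-Object { $shareNames -notcontains $_ })

    # dcdiag must report "<computername> passed test NetLogons".
    $dcdiagOut = & dcdiag.exe /test:netlogons 2>&1
    $netlogonsPassed = [bool]($dcdiagOut -match 'passed test NetLogons')

    [pscustomobject]@{
        EventsSeen      = $seen
        EventsMissing   = $missing
        SharesMissing   = $sharesMissing
        NetLogonsPassed = $netlogonsPassed
        Healthy         = ($missing.Count -eq 0 -and $sharesMissing.Count -eq 0 -and $netlogonsPassed)
    }
}

# Usage: right after "net start ntfrs" (step 1). A non-empty EventsMissing after
# the timeout means the restart did not complete; check Event Viewer for the FRS errors.
$status = Test-FrsStartup -Since (Get-Date).AddMinutes(-1)
$status
```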
Procedure: Stop the File Replication service
Use this procedure to stop the File Replication service.
Procedure Requirements
Credentials: Domain Admins
Tools: Net.exe
Procedure Steps
To stop the File Replication service
At a command prompt, type net stop ntfrs and press ENTER.
Procedure: Change the space allocated to the Staging Area folder
This procedure outlines the steps needed to modify the registry entry that restricts the amount of disk space allocated to the staging area in SYSVOL.
Caution The Registry Editor bypasses standard safeguards, allowing settings that can damage your system or even require you to reinstall Windows. If you must edit the registry, back up system state first. For information about backing up system state, see "Active Directory Backup and Restore" in this guide.
Procedure Requirements
Credentials: Domain or Enterprise Admins
Tools: Regedit.exe
Procedure Steps
To change the space allocated to the Staging Area folder
1. In the Run text box, type regedit and press ENTER.
2. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFRS\Parameters.
3. Double-click Staging Space Limit in KB to open the Edit dialog box.
4. In the Base frame, select Decimal.
5. For Value Data, enter a value from 10000 through 2000000000. Do not use commas. Click OK.
6. Close the Registry Editor.
Procedure: Reset the File Replication Service Staging folder to a different logical drive
Use this procedure to reset the FRS Staging folder to a different logical drive.
Procedure Requirements
Credentials: Domain Admins
Tools: Net.exe, Event Viewer
Procedure Steps
To reset the FRS Staging folder
1. Start the Adsiedit program.
2. Under Domain NC, locate the NTFRS Subscriber object under the host computer account in Active Directory. The generic path for this attribute is: CN=Replica Set Name, CN=NTFRS Subscriptions, CN=Computername, DC=Domain Name, DC=COM. For example, to reset the staging path for the SYSVOL replica set of domain controller \\DC1 in the A.com domain, the distinguished name (also known as DN) path for the FrsStagingPath parameter is:
CN=Domain System Volume (SYSVOL share), CN=NTFRS Subscriptions, CN=DC1, DC=A,DC=COM
Where (when you read the distinguished name path from right to left):
DC=A,DC=COM is the domain hosting the computer account.
CN=DC1 is the host computer account in the domain naming context (NC).
CN=NTFRS Subscriptions is the NtfrsSubscriber object that holds the FrsStagingPath parameter.
CN=Domain System Volume (SYSVOL share) is the FRS subscriber object.
3. Open the properties for the NTFRS Subscriber object [in this example, it is Domain System Volume (SYSVOL share)] by right-clicking the object, and then clicking Properties.
4. Click fRSStagingPath in the list of parameters, and click the Edit button.
5. Enter the path to the new location for the FRS Staging folder and click OK.
6. Click OK to close the Properties window.
7. Make sure that the staging path has been updated in the registry:
a. Start the Registry Editor (Regedt32.exe) on the server where you are changing the staging path.
b. Locate the following subkey: HKEY_LOCAL_MACHINE\System\CCS\Services\NTFRS\Parameters\Replica Sets
c. Locate the replica set you are updating the staging area for. All replica sets are displayed as a GUID. If you click a GUID, one of the values on the right is Replica Set Name. After you locate the correct replica set, change the value of Replica Set Stage to the new staging area path.
When the service detects a change in the staging path, the following event ID 13563 is logged with a series of self-explanatory steps on how to proceed:
Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13563
Date: 3/6/2003
Time: 7:13:01 PM
User: N/A
Computer: <Computer name>
Description:
The File Replication service has detected that the staging path for the replica set DOMAIN SYSTEM VOLUME (SYSVOL SHARE) has changed.
Current staging path = E:\Windows\Sysvol\Staging\Domain
New staging path = E:\Frsstage
The service will start using the new staging path after it restarts. The service is set to restart after every restart. It is recommended that you manually restart the service to prevent loss of data in the Staging folder.
To manually restart the service
1. Run net stop ntfrs or use the Services snap-in to stop the File Replication service.
2. Move all the staging files corresponding to replica set DOMAIN SYSTEM VOLUME (SYSVOL SHARE) to the new staging location. If more than one replica set is sharing the current Staging folder, then it is safer to copy the staging files to the new Staging folder.
3. net start ntfrs or use the Services snap-in to start the File Replication service, followed by net start ntfrs.
For more information, visit the Advanced Search and Help page at http://www.microsoft.com/contentredirect.asp.
Microsoft recommends that you follow step 2 in the preceding event message because the FRS Staging folder may contain thousands or tens of thousands of files in the original Staging folder, all of which may be destined for one or more downstream partners. In Windows Explorer, you can view the files in the staging folder. On the Folder Options menu, click the View tab, and then click to select the Show hidden files and folders check box. Copy the files to the new Staging folder, and then follow the remaining steps in the event log message.
Procedure: Identify replication partners
Use this procedure to examine the Connection objects for a domain controller and determine its replication partners.
Procedure Requirements
Credentials: Domain Admins
Tool: Active Directory Sites and Services
Procedure Steps
To identify replication partners
1. In Active Directory Sites and Services, expand the Sites container to display the list of sites.
2. Double-click the site that contains your domain controller.
Note If you do not know the site that contains your domain controller, open a command prompt and type ipconfig to get the IP address of the domain controller. Use the IP address to verify that an IP address maps to a subnet and determine the site association.
3. Expand the Servers folder to display the list of servers in that site.
4. Expand the name of your domain controller to display its NTDS settings.
5. Double-click NTDS Settings to display the list of Connection objects in the details pane (these represent inbound connections used for replication). The From Server column displays the names of the domain controllers that are the replication partners.
Procedure: Force domain controller removal
Procedure Steps
To force domain controller removal
1. Click Start, click Run, and then type the following command: dcpromo /forceremoval
2. Click OK.
3. At the Welcome to the Active Directory Installation Wizard page, click Next.
4. At the Force the Removal of Active Directory page, click Next.
5. In Administrator Password, type the password and confirmed password that you want to assign to the Administrator account of the local SAM database, and then click Next.
6. In Summary, click Next.
Procedure: Check the status of the shared SYSVOL
You do not need to perform the test on every partner, but you need to perform enough tests to be confident that the shared system volumes on the partners are healthy. This test involves checking Event Viewer to make sure that the File Replication service is started properly and then ensuring that the SYSVOL and Net Logon shared folders are created.
Procedure Requirements
Credentials: Domain Admin
Tools: Event Viewer, Net.exe
Procedure Steps
To check the status of the shared SYSVOL
1. In Event Viewer, click File Replication Service in the Event Viewer tree to display the FRS events.
2. Look for an event 13516 with a date and time stamp that corresponds with the recent restart. It can take 15 minutes or more to appear. An event 13508 indicates that FRS is in the process of starting the service. An event 13509 indicates that the service has started successfully. Event 13516 indicates that the service is started, the folders are shared, and the domain controller is functional.
3. To verify that the shared folder is created, open a command prompt and type net share to display a list of the shared folders on this domain controller, including Net Logon and SYSVOL.
4. At a command prompt, type dcdiag /test:netlogons and press ENTER.
5. Look for a message that states computername passed test NetLogons, where computername is the name of the domain controller. If you do not see the test passed message, some problem will prevent replication from functioning. This test verifies that the proper logon privileges are set to allow replication to occur. If this test fails, verify the permissions set on the Net Logon and SYSVOL shared folders.
Procedure: Prepare a domain controller for non-authoritative SYSVOL restore
Initiate a non-authoritative restore of SYSVOL by modifying the value of the BurFlags (backup/restore flags) registry entry. Changing the value to D2 (hexadecimal) or 210 (decimal) prior to disconnecting a domain controller initiates an automatic non-authoritative restore of SYSVOL when the domain controller is restarted.
Separate entries exist for global and replica-set-specific BurFlags, as follows:
To initiate a non-authoritative restore of SYSVOL when it is the only replica set that is represented on the domain controller, set the value of the global BurFlags (REG_DWORD) entry under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
If other replica sets are represented on the domain controller and you want to restore only SYSVOL, set the value of the replica-set-specific BurFlags (REG_DWORD) entry under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\SYSVOL GUID
Modifying the replica-set-specific BurFlags entry requires identifying the SYSVOL GUID in the registry.
Procedure Requirements
Credentials: Domain Admins
Tool: Regedit.exe
Procedure Steps
To prepare a domain controller for non-authoritative SYSVOL restore
1. In the Run text box, type regedit and then click OK.
2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters
3. Expand Parameters.
4. Modify one of the BurFlags entries as follows:
To modify the global BurFlags entry: Expand Backup/Restore and then click Process at Startup.
To modify the replica-set-specific BurFlags entry: Expand both Cumulative Replica Sets and Replica Sets. Match the GUID under Replica Sets to the identical GUID under Cumulative Replica Sets, and click the matching GUID under Cumulative Replica Sets.
5. In the details pane, double-click BurFlags.
6. In the Value data box, type D2 hexadecimal or 210 decimal, and then click OK.
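As an added example (not from the guide), one Windows PowerShell helper covers the three REG_DWORD edits in this section: the NTDS Garbage Collection logging level (0 through 5), the FRS Staging Space Limit in KB (10000 through 2000000000), and the global BurFlags entry (D2 hex, 210 decimal) from the procedure above. It validates the range before writing and exports the key with reg.exe first, which is the backup the Caution boxes call for. The .NET registry API is used rather than the HKLM: provider because the Backup/Restore key name contains a slash, which the provider would read as a path separator. It assumes Windows PowerShell run as an administrator on the domain controller; C:\RegBackup and the 660000 KB staging value are placeholders.

```powershell
# Added example, not from the guide. One helper for the three registry edits in
# this section: NTDS "Garbage Collection" (0 to 5), FRS "Staging Space Limit in
# KB" (10000 to 2000000000) and the global BurFlags (D2 hex / 210 decimal).
# The key is exported with reg.exe before the write. The .NET registry API is
# used because the "Backup/Restore" key name contains a slash, which the HKLM:
# provider treats as a path separator. Assumes Windows PowerShell running as
# an administrator; C:\RegBackup and the 660000 sample value are placeholders.

function Set-ValidatedRegistryDword {
    param(
        [Parameter(Mandatory)][string]$SubKey,     # relative to HKEY_LOCAL_MACHINE
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][long]$Value,
        [Parameter(Mandatory)][long]$Minimum,
        [Parameter(Mandatory)][long]$Maximum,
        [string]$BackupFolder = 'C:\RegBackup'
    )
    if ($Value -lt $Minimum -or $Value -gt $Maximum) {
        throw "$Name must be between $Minimum and $Maximum (got $Value); nothing written"
    }

    # Back up the key first. reg.exe accepts the HKLM\... form.
    New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null
    $stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
    $exportFile = Join-Path -Path $BackupFolder -ChildPath (("{0}-{1}.reg" -f $Name, $stamp) -replace '[^\w.\-]', '_')
    & reg.exe export "HKLM\$SubKey" $exportFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export of HKLM\$SubKey failed; not changing $Name" }

    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $true)
    if (-not $key) { throw "Registry key not found: HKLM\$SubKey" }
    try {
        $old = $key.GetValue($Name)
        $key.SetValue($Name, [int]$Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
    [pscustomobject]@{
        Key = "HKLM\$SubKey"; Name = $Name; OldValue = $old; NewValue = [int]$Value; Backup = $exportFile
    }
}

# Garbage collection logging level 1, so event ID 1646 reports reclaimable space.
Set-ValidatedRegistryDword -SubKey 'SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
    -Name 'Garbage Collection' -Value 1 -Minimum 0 -Maximum 5

# Staging Area space limit (KB, no thousands separators); 660000 is a sample value.
Set-ValidatedRegistryDword -SubKey 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters' `
    -Name 'Staging Space Limit in KB' -Value 660000 -Minimum 10000 -Maximum 2000000000

# Global BurFlags = D2: non-authoritative SYSVOL restore on the next restart. D2
# is the only value this section documents, so the bounds admit nothing else.
Set-ValidatedRegistryDword -SubKey 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup' `
    -Name 'BurFlags' -Value 0xD2 -Minimum 0xD2 -Maximum 0xD2
```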
Procedure: Create the SYSVOL folder structure
Use this procedure to create the SYSVOL folder structure. The %systemroot%\SYSVOL folder is at the top of the folder tree for the Windows system volume. To properly move SYSVOL, you must move the %systemroot%\SYSVOL folder and its contents. A subfolder of %systemroot%\SYSVOL is also named sysvol. Ensure that you move the proper folder (the %systemroot%\SYSVOL folder) and not the subfolder (%systemroot%\SYSVOL\sysvol). Do not confuse the two folders.
Procedure Requirements
Credentials: Domain Admins
Tool: Windows Explorer
Procedure Steps
To create the SYSVOL folder structure
1. In Windows Explorer, navigate to the folder that represents your current Windows system volume. By default, this is the %systemroot%\SYSVOL folder.
2. Right-click the SYSVOL folder, and then click Copy.
3. In Windows Explorer, navigate to the new location you created in the console tree, right-click the new location, and click Paste. You might see a dialog box stating that some files already exist and a prompt asking whether you want to continue copying the folder. At each such prompt, click No.
4. Verify that the folder structure was copied correctly. Compare the new folder structure to the original. Open a command prompt and type dir /s to list the contents of the folders. Ensure that all folders exist. If any folders are missing at the new location (such as \scripts), recreate them.
Procedure: Set the SYSVOL path
Use this procedure to set the new path to the system volume in the registry.
Caution The Registry Editor bypasses standard safeguards, allowing settings that can damage your system or even require you to reinstall Windows. If you must edit the registry, back up system state first. For information about backing up system state, see "Active Directory Backup and Restore" in this guide.
Procedure Steps
To set the SYSVOL path
1. In the Run text box, type regedit and press ENTER.
2. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. Double-click SysVol to open the Edit dialog box.
4. For Value Data, enter the new path. Include the drive letter. Click OK.
5. Close the Registry Editor.
Note The path in the registry points to the SYSVOL folder located inside the SYSVOL folder that is under the root. When updating the path in the registry, ensure that it still points to the SYSVOL folder inside the SYSVOL folder that is under the root.
Procedure: Set the staging area path
Use this procedure to modify the fRSStagingPath parameter for a domain controller in Active Directory in order to change the location of the Staging Area folder on that domain controller. Perform this procedure at the console of the domain controller that is hosting the SYSVOL that you must reconfigure.
169 Managing the Windows Server Platform
Procedure Requirements
Credentials: Domain Admins
Tools: Regedit.exe, ADSI Edit, Linkd.exe
Procedure Steps
To set the staging area path
1. In the Run dialog box, type adsiedit.msc and press ENTER.
2. Double-click Domain NC [computername], where computername is the name of this domain controller. Verify that Domain NC expands to display the domain component (DC=) folder.
3. Click the domain component to display the containers and OUs in the details pane. Double-click the Domain Controller OU to display the containers that represent the domain controllers.
4. Double-click the container that represents this domain controller (CN=computername) to display more containers.
5. Double-click the CN=NTFRS Subscriptions container.
6. Right-click the CN=Domain System Volume container and click Properties.
7. In the Select which properties to view list, select Mandatory.
8. In the Select a property to view list, select fRSStagingPath.
9. In the Edit Attribute box, enter the complete path to the new location where you want to locate the Staging Area folder (the path to the new folder that you created earlier). Include the drive letter. Click Set, and then click OK.
10. At a command prompt, change the directory to %systemroot%\SYSVOL\staging areas. Type dir to list the contents. Verify that <JUNCTION> appears in the DIR output.
11. Update the junction so that it points to the new location. Type the following command:
linkd junctionname newpath
where newpath is the same value that you entered for fRSStagingPath earlier. Press ENTER.
Procedure: Update security on the new SYSVOL
This procedure applies the default security settings to the new SYSVOL folders. The settings will be the equivalent of those set by default during Active Directory installation. If additional security settings have been applied to the system volume since Active Directory was installed, you must reapply those settings after completing this procedure.
WARNING Failure to reapply security changes made after Active Directory was installed might result in unauthorized access to logon and logoff scripts and Group Policy objects.
Procedure Steps
To update security on the new SYSVOL
1. In the Run text box, type regedit and press ENTER.
2. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. Note the path stored under SysVol.
3. In Control Panel, double-click System.
4. On the Advanced tab, click Environment Variables.
5. Under System Variables, click New.
6. For Variable Name, type sysvol.
7. For Variable Value, type path (where path is the path that you noted in step 2). Click OK twice. Click OK again to close Properties.
8. Use Notepad to create a file. Open Notepad and enter the following information:
9. Use this file to apply the security settings to the new SYSVOL folders. Save this file as Sysvol.inf.
10. Open a new command prompt. Do not use an existing command prompt that has been open on your desktop, because it will not have the proper environment settings. Change the directory to the folder where you saved the Sysvol.inf file.
11. At the command prompt, type the following command on one line:
SECEDIT /Configure /cfg sectemplatepath\sysvol.inf /db sectemplatepath\sysvol.db /overwrite
where sectemplatepath is the path to where you saved Sysvol.inf. Press ENTER.
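As an added example (not part of the guide), the following PowerShell script checks the outcome of the three SYSVOL procedures above: that the Netlogon SysVol registry value points at the inner SYSVOL\sysvol folder, that every junction under the root SYSVOL folder resolves to an existing folder, and that no broad group holds write access on the root SYSVOL folder. The registry key and folder names are the ones the guide uses; Windows PowerShell 5.1 or later is assumed for the LinkType and Target properties on junctions.

```powershell
# Added example, not from the guide. Run on the domain controller as a member of
# Domain Admins after relocating SYSVOL. Assumes Windows PowerShell 5.1 or later.

$regKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$sysvolValue = (Get-ItemProperty -Path $regKey -Name SysVol).SysVol

# 1. The registry value must name the inner sysvol folder (root\SYSVOL\sysvol),
#    not the root SYSVOL folder itself (see the Note under "Set the SYSVOL path").
if ($sysvolValue -notmatch '\\SYSVOL\\sysvol\\?$') {
    Write-Warning "SysVol value '$sysvolValue' does not end in \SYSVOL\sysvol."
}
if (-not (Test-Path -LiteralPath $sysvolValue -PathType Container)) {
    Write-Warning "SysVol path '$sysvolValue' does not exist on this server."
}

# 2. Walk the junctions under the root SYSVOL folder and confirm each target exists.
#    A junction that linkd was not run against still points at the old location.
$sysvolRoot = Split-Path -Path $sysvolValue.TrimEnd('\') -Parent
foreach ($sub in 'sysvol', 'staging areas') {
    $dir = Join-Path -Path $sysvolRoot -ChildPath $sub
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        Write-Warning "Expected folder missing: $dir"
        continue
    }
    Get-ChildItem -LiteralPath $dir -Force |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
        ForEach-Object {
            $target = @($_.Target) -join ', '      # string on PS 7, string[] on PS 5.1
            $ok = ($target -ne '') -and (Test-Path -LiteralPath $target -PathType Container)
            [pscustomobject]@{
                Junction = $_.FullName
                LinkType = $_.LinkType
                Target   = $target
                TargetOK = $ok
            }
        }
}

# 3. Review the ACL on the root SYSVOL folder. Write access for broad groups here
#    lets anyone alter logon scripts and Group Policy (see the WARNING under
#    "Update security on the new SYSVOL"). Generic rights print as numbers and
#    are not matched below; inspect those entries by hand.
$broadGroups = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$writeRights = '\bWrite\b|WriteData|AppendData|Modify|FullControl|Delete|ChangePermissions|TakeOwnership'
$acl = Get-Acl -LiteralPath $sysvolRoot
foreach ($ace in $acl.Access) {
    $who = $ace.IdentityReference.Value
    if ($ace.AccessControlType -eq 'Allow' -and
        ($broadGroups -contains $who -or $who -like '*\Domain Users') -and
        $ace.FileSystemRights.ToString() -match $writeRights) {
        Write-Warning ("Broad write access on {0}: {1} has {2}" -f $sysvolRoot, $who, $ace.FileSystemRights)
    }
}
```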
Procedure: Import the SYSVOL folder structure
Use this procedure to copy the SYSVOL folder structure from another domain controller. The %systemroot%\SYSVOL folder is at the top of the folder tree for the Windows system volume. To properly import SYSVOL, you must copy the %systemroot%\SYSVOL folder and its contents. To use this procedure, the default shared folder Admin$ must exist on the domain controller from which you plan to copy the SYSVOL folder structure. Some organizations remove this shared folder or rename it for security reasons. If this shared folder is not available, you must share the %systemroot% folder and name the share point Admin$. If you share the %systemroot% folder in order to complete this procedure, ensure that you remove the share point after the procedure is complete in order to maintain any security policies established on your network. If the Admin$ share has been renamed, then use the name assigned by your organization instead of Admin$ while completing this procedure.
WARNING Never copy information from the system volume on one domain controller to the system volume on another domain controller unless you have stopped the File Replication service and configured SYSVOL for a non-authoritative restore during startup. Failure to do so can cause invalid data to be replicated and cause the system volumes on various domain controllers to become inconsistent.
Procedure Steps
To import the SYSVOL folder structure
1. Use Windows Explorer to delete the existing %systemroot%\SYSVOL folder that you are rebuilding.
2. Connect to the Admin$ share on the domain controller that you identified earlier as the replication partner from which you plan to copy the SYSVOL folder structure.
3. Once you are connected to the Admin$ share point, verify that a folder labeled SYSVOL appears. Right-click the SYSVOL folder, and click Copy.
4. In the same directory, find some blank space and right-click. Click Paste. You might see a dialog box stating that some files already exist and a prompt asking whether you want to continue copying the folder. At each such prompt, click No.
5. Verify that the original SYSVOL folder and a new folder labeled Copy of SYSVOL both appear. Right-click Copy of SYSVOL and click Rename. Type SYSVOL2 and press ENTER.
6. Open a command prompt. Change to the drive letter that represents the connection to the remote domain controller where you created the SYSVOL2 folder.
7. Change the directory to SYSVOL2\sysvol.
8. Type dir and press ENTER. Verify that <JUNCTION> appears in the Dir output and is followed by the name of the domain.
9. You must update the path in this junction so that it points to the new location. Type the following command:
linkd junctionname newpath
where newpath is the new value you recorded in row 4 of Table 1 while gathering the system volume path information. Press ENTER.
10. If the staging area has been relocated and is no longer inside the SYSVOL folder, skip steps 10 and 11 and proceed to step 12. At a command prompt, change the directory to \SYSVOL2\staging areas under the copy of SYSVOL that you created. Type dir to list the contents and verify that <JUNCTION> appears in the Dir output.
11. Update the junction so that it points to the new location. Type the following command:
linkd junctionname newpath
where newpath is the new value that you recorded in row 5 of Table 1 while gathering system volume path information. Press ENTER.
12. At the command prompt, change back to the %systemroot% for the domain controller that you are repairing.
13. From the command prompt, use the Xcopy command to copy the contents of the \SYSVOL2 folder you created to a new SYSVOL folder on your local drive. Type the following command:
xcopy drive:\sysvol2\*.* sysvol\*.* /s /e /h /c /y
where drive is the letter representing the connection to the remote domain controller. Press ENTER.
14. Verify that the folder structure copied correctly. Compare the new folder structure to the SYSVOL (not the SYSVOL2) on the remote domain controller. Open a command prompt and type dir to list the contents of the folders. Ensure that all folders exist.
15. Remove the SYSVOL2 folder that you created on the remote domain controller.
16. Disconnect from the remote domain controller. If you had to create a shared folder on that domain controller in order to connect to it, remove the shared folder. Some organizations consider it a security risk to retain shared folders that are not in use.
17. Restart the domain controller in normal mode.
Procedure: Configure time on the forest-root PDC emulator
Use the following procedure to configure the time service on the forest-root PDC emulator. Perform the procedure on the PDC emulator.
Procedure Requirements
Credentials: Domain Admins or local administrator on the PDC emulator
Tools: Net time, W32tm.exe, Ping
Procedure Steps
To configure time on the forest-root PDC emulator
1. Use the Ping utility to verify that the SNTP server is reachable. Type ping server (where server is the DNS name or IP address of the SNTP server), and then press ENTER.
2. Open UDP port 123 for outgoing traffic on the firewall if needed.
3. Open UDP port 123 (or a different port you have selected) for incoming SNTP traffic.
4. At the command prompt, type w32tm -portnumber (where portnumber is the server port specified in step 3), and then press ENTER.
5. At the command prompt, type net time /setsntp:server (where server is the DNS name or IP address of the SNTP server), and then press ENTER.
6. To verify that the manually configured time source has been set, at the command prompt, type net time /querysntp and then press ENTER. Verify that the name of the SNTP server is displayed.
7. To make the change take effect, stop and restart the time service.
8. At the command prompt, type net stop w32time and then press ENTER.
Procedure: Remove a time source configured on the forest-root PDC emulator
Use the following procedure to remove a time source configured on the forest-root PDC emulator. Perform the procedure on the PDC emulator.
Procedure Requirements
Credentials: Domain Admins or local administrator on the PDC emulator
Tool: Net time
Procedure Steps
To remove a time source configured on the forest-root PDC emulator
1. At the command prompt, type net time /setsntp and then press ENTER.
2. To verify that the manually configured time source has been cleared, at the command prompt, type net time /querysntp and then press ENTER. Verify that you receive the following message: This computer is not currently configured to use a specific SNTP server.
Procedure: Configure the selected computer as a reliable time source
Caution The Registry Editor bypasses standard safeguards, allowing settings that can damage your system or even require you to reinstall Windows. If you must edit the registry, back up system state first. For information about backing up system state, see Active Directory Backup and Restore in this guide.
Perform the following procedure on the selected computer to configure it as a reliable time source.
Procedure Requirements
Credentials: Domain Admins
Tool: Regedit.exe
Procedure Steps
To configure the selected computer as a reliable time source
1. At the command prompt, type regedit and then press ENTER.
2. Navigate to the following registry key and change the value to 1: Hkey_Local_Machine\System\CurrentControlSet\Services\W32Time\Config\AnnounceFlags = 0x5
3. Run w32tm /config /update.
Procedure: Set a manually configured time source on a selected computer
Use the following procedure to manually set the time source for a client computer.
Procedure Requirements
Credentials: Domain Admins
Tool: Net time
Procedure Steps
To set a manually configured time source on a selected computer
1. Use the Ping utility to check that the SNTP server is reachable from the client. Type ping server (where server is the DNS name or IP address of the SNTP server), and then press ENTER.
2. At the command prompt, type net time /setsntp:server (where server is the DNS name or IP address of the SNTP server), and then press ENTER.
3. To verify that the manually configured time source has been set, at the command prompt, type net time /querysntp and then press ENTER. Verify that the name of the SNTP server is displayed.
Procedure: Remove a manually configured time source on a selected computer
Use the following procedure to remove a manually configured time source on a selected computer.
Procedure Requirements
Credentials: Domain Admins
Tool: Net time
Procedure Steps
To remove a manually configured time source on a selected computer
1. At the command prompt, type net time /setsntp and then press ENTER.
2. To verify that the manually configured time source has been cleared, at the command prompt, type net time /querysntp and then press ENTER. Verify that you receive the following message: This computer is not currently configured to use a specific SNTP server.
Procedure: Change polling interval
Caution The Registry Editor bypasses standard safeguards, allowing settings that can damage your system or even require you to reinstall Windows. If you must edit the registry, back up system state first. For information about backing up system state, see Active Directory Backup and Restore in this guide.
1. At the command prompt, type the following command and then press ENTER:
w32tm -period value
where value is one of the following:
Value                                       Frequency
0                                           Once a day
"BiDaily"                                   Twice a day
"Tridaily"                                  Three times a day
"Weekly"                                    Once every seven days
"SpecialSkew"                               Once every 45 minutes until three good synchronizations occur, then once every 8 hours (3 per day) [default]
"DailySpecialSkew"                          Once every 45 minutes until one good synchronization occurs, then once every day
A number equal to the number of times per day   The number of times per day you want to synchronize
2. To make the change take effect, stop and restart the time service.
a. At the command prompt, type net stop w32time and then press ENTER.
b. At the command prompt, type net start w32time and then press ENTER.
3. Verify that the interval has been changed in the registry.
a. At the command prompt, type regedit and then press ENTER.
b. Navigate to the following registry key and verify that the value is correct: Hkey_Local_Machine\System\CurrentControlSet\Services\W32Time\Parameters\Period.
Procedure: Disable time service
Use the following procedure to disable the W32Time service.
Procedure Requirements
Credentials: Domain Admins
Tool: Services snap-in
Procedure Steps
To disable the W32Time service
1. Open Administrative Tools, and select Services.
2. Right-click Windows Time, and select Properties. The Windows Time Properties dialog box appears.
3. In the Startup Type field, select Disabled from the drop-down menu.
4. Click OK. Verify that the type for the time service appears as Disabled.
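As an added example (not from the guide), this PowerShell function audits the W32Time settings that the time procedures above change and flags a forest-root PDC emulator that is not configured with a manual source, or a non-PDC computer that announces itself as a reliable time source. The Config\AnnounceFlags and Parameters\Period values are the ones the guide names; the Parameters\NtpServer and Parameters\Type values, the meaning of the 0x4 bit in AnnounceFlags, and the use of the .NET DirectoryServices API to find the PDC emulator are assumptions not stated in the guide.

```powershell
# Added example, not from the guide. Run on a domain-joined server with
# Windows PowerShell 5.0 or later (Get-Service exposes StartType from 5.0).

function Get-W32TimeAudit {
    $cfg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
    $prm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

    # Find the forest-root PDC emulator with the .NET API (no AD module needed).
    $forest    = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $pdcFqdn   = $forest.RootDomain.PdcRoleOwner.Name
    $thisFqdn  = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
    $isRootPdc = ($thisFqdn -eq $pdcFqdn)      # -eq on strings is case-insensitive

    # AnnounceFlags bit 0x4 = "always announce as a reliable time source" (assumption).
    $announce = [int]$cfg.AnnounceFlags
    $reliable = ($announce -band 0x4) -ne 0
    $announceHex = '0x{0:X}' -f $announce
    $findings = New-Object System.Collections.Generic.List[string]

    if ($isRootPdc) {
        # The guide points the forest-root PDC emulator at an external SNTP server,
        # which net time /setsntp records under Parameters\NtpServer with Type=NTP.
        if ($prm.Type -ne 'NTP')   { $findings.Add("Type is '$($prm.Type)'; expected NTP for a manually configured SNTP source") }
        if (-not $prm.NtpServer)   { $findings.Add('No NtpServer value; the PDC emulator has no manual time source') }
        if (-not $reliable)        { $findings.Add("AnnounceFlags $announceHex does not mark this PDC emulator as reliable (the guide sets 0x5)") }
    } else {
        # Other domain members normally follow the domain hierarchy (Type=NT5DS) and
        # should only be marked reliable when that was deliberately configured.
        if ($prm.Type -ne 'NT5DS') { $findings.Add("Type is '$($prm.Type)'; a non-PDC member normally uses NT5DS") }
        if ($reliable)             { $findings.Add("AnnounceFlags $announceHex marks this non-PDC computer as a reliable source; confirm this is intended") }
    }

    $svc = Get-Service -Name W32Time
    if ($svc.StartType -eq 'Disabled') {
        $findings.Add('Windows Time service is Disabled; Kerberos authentication fails once clock skew exceeds the allowed limit')
    }

    [pscustomobject]@{
        Computer        = $thisFqdn
        IsForestRootPdc = $isRootPdc
        Type            = $prm.Type
        NtpServer       = $prm.NtpServer
        AnnounceFlags   = $announceHex
        Period          = $prm.Period          # Windows 2000 polling value; absent on later versions
        ServiceStart    = $svc.StartType
        Findings        = $findings
    }
}

Get-W32TimeAudit | Format-List
```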
Procedure: Create a one-way trust (MMC method)
For the following two subprocedures, a member of Domain Admins in the trusted domain performs the first procedure and a member of Domain Admins in the trusting domain performs the second procedure.
Procedure Steps
To create a one-way trust relationship in the trusted domain
1. With the administrator of the other domain, agree on a secure channel password to be used in establishing the trust.
2. In the trusted domain, log on as a member of Domain Admins.
3. In Active Directory Domains and Trusts, expand the domain tree until the trusted domain name appears, and then right-click the trusted domain node.
4. Click Properties, and then click the Trusts tab.
5. Next to the Domains that trust this domain box, click Add.
6. In the Trusting domain box, type the trusting domain name. If you are adding a Windows 2000 domain, type the full DNS name (noamreskit.com in this example). If the domain is running an earlier version of Windows, type the domain name (noam in this example).
7. In the Password box, type the agreed-upon password.
8. In the Confirm password box, retype the password, and then click OK.
9. A message appears that says the trust cannot be verified. Click OK.
Note The reason for this error is that Windows 2000 is attempting to verify the secure channel. It cannot verify the secure channel at this time because the other side of the trust is not yet created.
10. Click OK to close the Properties sheet.
To create a one-way trust relationship in the trusting domain
1. In the trusting domain, log on as a member of Domain Admins.
2. In Active Directory Domains and Trusts, expand the domain tree until the trusting domain name appears, and then right-click the trusting domain node.
3. Click Properties, and then click the Trusts tab.
4. Next to the Domains trusted by this domain box, click Add.
5. In the Trusted domain box, type the trusted domain name. If you are adding a Windows Server 2003 domain, type the full DNS name (acquired.com in this example). If the domain is running an earlier version of Windows, type the domain name (acquired in this example).
6. In the Password box, type the agreed-upon password.
7. In the Confirm password box, retype the password, and then click OK.
8. A message appears that says the trusted domain has been added and the trust verified. Click OK.
9. A message appears asking if you want to verify the trust. Click Yes, and then click OK.
10. Click OK to close the Properties sheet.
Note If the trust is successfully created in both domains, click Yes to verify the trust. If the trust has been created in the trusted domain, clicking Yes returns an error. When the trust is created in the trusted domain, the trust takes effect. You do not need to verify the trust for the trust to take effect.
Procedure: Create a one-way trust (Netdom.exe method)
For the following procedure, you create both sides of the one-way trust with one command. You must have the domain administrator passwords for both domains.
Procedure Steps
To create a one-way trust using Netdom.exe
Open a command prompt and type the following command:
netdom trust /d:trusteddomain trustingdomain /add
where trusteddomain is the trusted domain, and trustingdomain is the trusting domain. If the domain is Windows 2000, use the full DNS name; if it is Windows NT 4.0, use the domain name. Press ENTER. You may enter the administrator passwords, using Pd: for the trusted domain password and Po: for the trusting domain password. If you do not enter the passwords, you will be prompted for them.
Example: netdom trust /d:acquired.com noam.com /add /Ud:acquired.com\admin /Pd:xxxx /Uo:noam.com\admin /Po:yyyy
Procedure: Create a two-way trust (MMC method)
For the following two procedures, a member of Domain Admins in the first domain performs the first procedure and a member of Domain Admins in the second domain performs the second procedure.
Procedure Steps
To create both directions of two one-way trust relationships in the first domain
1. With the administrator of the other domain, agree on a secure channel password to be used in establishing the trust.
2. In the first domain, log on as a member of Domain Administrators.
3. In Active Directory Domains and Trusts, expand reskit.com, and then right-click noam.reskit.com.
4. Click Properties, and then click the Trusts tab.
5. Next to the Domains trusted by this domain box, click Add.
6. In the Trusted domain box, type the trusted domain name. If you are adding a Windows 2003 domain, type the full DNS name. If the domain is running an earlier version of Windows, type the domain name.
7. In the Password box, type the agreed-upon password.
8. In the Confirm password box, retype the password, and then click OK.
9. A message appears that says the trust cannot be verified. Click OK.
Note The reason for this error is that Windows 2003 is attempting to verify the secure channel. It cannot verify the secure channel at this time because the other side of the trust is not yet created.
10. Next to the Domains that trust this domain box, click Add.
11. In the Trusting domain box, type the trusting domain name. If you are adding a Windows 2000 domain, type the full DNS name (acquired01-int.com in this example). If the domain is running an earlier version of Windows, type the domain name (acquired01-int in this example).
12. In the Password box, type the agreed-upon password.
13. In the Confirm password box, retype the password, and then click OK.
14. A message appears asking if you want to verify the trust. Click Yes.
15. Click OK to close the Properties sheet.
Note If the trust is successfully created in the acquired01-int.com domain, click Yes to verify the trust. If the trust is not created, clicking Yes returns an error. When the trust is created in acquired01-int.com, the trust takes effect. You do not need to verify the trust for the trust to take effect.
Procedure: Create a two-way trust (Netdom.exe method)
For the following procedure, you create both sides of the two-way trust with one command. You must have the Domain Admins passwords for both domains.
Procedure Steps
To create a two-way trust by using Netdom.exe
Open a command prompt and type the following command:
netdom trust /d:trusteddomain trustingdomain /add /twoway
where trusteddomain is the trusted domain, and trustingdomain is the trusting domain. If the domain is Windows 2000, use the full DNS name; if it is Windows NT 4.0, use the domain name. Press ENTER. You may also enter the administrator passwords, using Pd: for the trusted domain password and Po: for the trusting domain password; if you do not enter the passwords, you will be prompted for them.
Example: netdom trust /d:acquired.com noam.com /add /twoway /Ud:acquired.com\admin /Pd:xxxx /Uo:noam.com\admin /Po:yyyy
Procedure: Remove a manually created trust by using the Active Directory Domains and Trusts snap-in
You can remove a manually created trust by using Active Directory Domains and Trusts or by using Netdom.exe.
Procedure Steps
To remove a trust by using Active Directory Domains and Trusts
1. Log on to the first domain.
2. In Active Directory Domains and Trusts, in the console tree, right-click one of the domain nodes involved in the trust you want to remove, and then click Properties.
3. Click the Trusts tab.
4. In either Domains trusted by this domain or Domains that trust this domain, click the trust to be removed, and then click Remove.
5. Repeat this procedure for the other domain involved in the trust.
Procedure: Remove a manually created trust by using Netdom.exe
You can remove a manually created trust by using Active Directory Domains and Trusts or by using Netdom.exe.
Procedure Steps
To remove a trust using Netdom.exe, use one of the following procedures, depending on whether the trust is one-way or two-way.
To remove a one-way trust, open a command prompt and type the following command, and then press ENTER:
netdom trust /d:trusteddomain trustingdomain /remove
where trusteddomain is the trusted domain, and trustingdomain is the trusting domain. If the domain is Windows Server 2003, use the full DNS name; if it is Windows NT 4.0, use the domain name. You will be prompted for the administrator password.
-or-
To remove a two-way trust, open a command prompt and type the following command, and then press ENTER:
netdom trust /d:trusteddomain trustingdomain /remove /twoway
where trusteddomain is the trusted domain, and trustingdomain is the trusting domain. If the domain is running Windows Server 2003, use the full DNS name; if it is running Windows NT 4.0, use the domain name. You must have credentials for both domains. You will be prompted for both passwords.
Procedure: Configure SID filtering
The administrator of the trusting domain applies SID filtering to filter out migrated SIDs stored in SIDHistory from specific domains. For example, where an external trust relationship exists so that the noam domain trusts the acquired domain, an administrator of the noam domain can apply SID filtering to the acquired domain, which allows all SIDs with a domain SID from the acquired domain to pass, but all other SIDs (such as those from migrated SIDs stored in SIDHistory) to be discarded.
Procedure Requirements
Credentials: Domain Admins of trusting domain
Tool: Netdom.exe (support tools)
Procedure Steps
To configure SID filtering
1. Log on to the trusting domain with an account with domain administrator credentials.
2. At the command prompt, type netdom /filtersids trusteddomain (where trusteddomain is the domain whose SIDs you want to filter), and then press ENTER.
Procedure: Remove SID filtering
Procedure Requirements
Credentials: Domain Admins of trusting domain
Tool: Netdom.exe (support tools)
Procedure Steps
To remove SID filtering
1. Log on to the trusting domain with an account with domain administrator credentials.
2. At the command prompt, type netdom /filtersids no trusteddomain (where trusteddomain is the trusted domain where you had previously applied SID filtering, which you now want to remove), and then press ENTER.
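As an added example (not from the guide), the following PowerShell function reports which of the current domain's trusts have SID filtering applied, so the netdom /filtersids state described above can be reviewed for every trust at once. It assumes the ActiveDirectory module (Windows Server 2008 R2 and later), whose Get-ADTrust cmdlet exposes the Direction, IntraForest, ForestTransitive, SIDFilteringQuarantined and SIDFilteringForestAware properties; those cmdlets postdate the netdom commands in the guide.

```powershell
# Added example, not from the guide. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TrustSidFilteringReport {
    param([string]$Server)   # optional domain controller to query; defaults to the current domain

    $query = @{ Filter = '*' }
    if ($Server) { $query['Server'] = $Server }

    Get-ADTrust @query | ForEach-Object {
        # SID filtering is applied by the trusting domain, so the trusts that matter
        # here are the ones this domain holds toward others: Outbound or BiDirectional
        # as seen from this domain ("Domains trusted by this domain" in the snap-in).
        $thisDomainTrusts = "$($_.Direction)" -in 'Outbound', 'BiDirectional'

        # SIDFilteringQuarantined is the external-trust setting that netdom /filtersids
        # toggles; forest trusts carry a separate forest-aware flag, reported as-is.
        $quarantined = [bool]$_.SIDFilteringQuarantined
        $forestAware = [bool]$_.SIDFilteringForestAware

        [pscustomobject]@{
            Trust                   = $_.Name
            Direction               = "$($_.Direction)"
            IntraForest             = [bool]$_.IntraForest
            ForestTransitive        = [bool]$_.ForestTransitive
            SIDFilteringQuarantined = $quarantined
            SIDFilteringForestAware = $forestAware
            # Attention needed: we trust them, the trust is external (not inside our
            # own forest and not a forest trust), and quarantine is off, so SIDs in
            # SIDHistory from the other side are accepted rather than discarded.
            NeedsAttention          = $thisDomainTrusts -and
                                      -not $_.IntraForest -and
                                      -not $_.ForestTransitive -and
                                      -not $quarantined
        }
    }
}

Get-TrustSidFilteringReport | Sort-Object NeedsAttention -Descending | Format-Table -AutoSize
```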
Procedure: Create a Site object and add it to an existing site link
To create a new site, you must create a Site object and add it to a site link.
Procedure Requirements
Credentials: Enterprise Admins
Tool: Active Directory Sites and Services (Administrative Tools)
Procedure Steps
To create a Site object
1. In Active Directory Sites and Services, right-click the Sites container and then click New Site.
2. In the Name box, type the name of the site.
3. In the Link Name list, click a site link for this site, and then click OK.
4. In the Active Directory message box, read the information, and then click OK.
Procedure: Associate a range of IP addresses with the site
Subprocedure 1: Create a Subnet object or objects and associate them with the new site
To create a Subnet object, you must have the following information:
- The site to which the subnet is to be associated.
- The network address or any IP address in the range.
- The subnet mask.
Active Directory Sites and Services converts this information into the subnet address.
Procedure Requirements
Credentials: Enterprise Admins
Tool: Active Directory Sites and Services (Administrative Tools)
Procedure Steps
To create a Subnet object
1. In Active Directory Sites and Services, expand the Sites container.
2. Right-click Subnets, and then click New Subnet.
3. In the New Object - Subnet dialog box, in the Address box, type the network address or any IP address within the range of IP addresses for the subnet.
4. In the Mask box, type the subnet mask.
5. In the Site Name box, click the site to which this subnet is being associated, and then click OK.
Subprocedure 2: Associate an existing Subnet object with the new site
Associate an existing subnet with a site under the following conditions:
- When you are removing the site to which the subnet was associated.
- When you have temporarily associated the subnet with a different site and want to associate it with its permanent site.
Procedure Steps
To associate an existing Subnet object with a site
1. In Active Directory Sites and Services, expand the Sites container, and then click the Subnets container.
2. In the details pane, right-click the subnet with which you want to associate the site, and then click Properties.
3. In the Site box, click the site with which to associate the subnet, and then click OK.
Procedure: Create a Site Link object, if appropriate, and add the new site and at least one other site to the Site Link object
To link sites for replication, create a Site Link object in the container for the intersite transport that will replicate the site, and add the sites to it.
Procedure Requirements
Credentials: Enterprise Admins
Tool: Active Directory Sites and Services (Administrative Tools)
Procedure Steps
To create a Site Link object
1. In Active Directory Sites and Services, expand the Sites container and then the Inter-Site Transports container.
2. Right-click IP, and then click New Site Link.
3. In the Name box, type a name for the site link.
4. In the Sites not in this site link box, click a site that you want to add to the site link. Hold down the SHIFT key to click a second site that is adjacent in the list, or the CTRL key to click a second site that is not adjacent in the list.
5. After selecting all of the sites that you want added to the site link, click Add, and then click OK.
Procedure: Remove the site from the site link
If, while performing the previous procedure, you added the new site to an existing site link temporarily in order to create the site, use the Site Link properties to remove the site from that site link.
Procedure Requirements
Credentials: Enterprise Admins
Tool: Active Directory Sites and Services (Administrative Tools)
Procedure Steps
To remove a site from a site link
1. In Active Directory Sites and Services, expand the Sites container and then the Inter-Site Transports container.
2. Click IP. In the details pane, right-click the site link from which you want to remove a site, and then click Properties.
3. In the Sites in this site link box, click the site you want to remove from the site link.
4. Click Remove, and then click OK.
Procedure: Create a Subnet object and associate it with the appropriate site
To create a Subnet object, you must have the following information:
- The site to which the subnet is to be associated.
- The network address or any IP address in the range.
- The subnet mask.
Active Directory Sites and Services converts this information into the subnet address.
Procedure Requirements
Credentials: Enterprise Admins
Tool: Active Directory Sites and Services (Administrative Tools)
Procedure Steps
To create a Subnet object
1. In Active Directory Sites and Services, expand the Sites container.
2. Right-click Subnets, and then click New Subnet.
3. In the New Object - Subnet dialog box, in the Address box, type the network address or any IP address within the range of IP addresses for the subnet.
4. In the Mask box, type the subnet mask.
5. In the Site Name box, click the site to which this subnet is being associated, and then click OK.
Procedure: Create a Site Link object in the IP container and add the appropriate sites
To link sites for replication, create a Site Link object in the container for the intersite transport that will replicate the site, and add the sites to it.
Procedure Requirements
Credentials: Enterprise Admins
Tool: Active Directory Sites and Services (Administrative Tools)
Procedure Steps
To create a Site Link object
1. In Active Directory Sites and Services, expand the Sites container and then the Inter-Site Transports container.
2. Right-click IP, and then click New Site Link.
3. In the Name box, type a name for the site link.
4. In the Sites not in this site link box, click a site that you want to add to the site link. Hold down the SHIFT key to click a second site that is adjacent in the list, or the CTRL key to click a second site that is not adjacent in the list.
5. After selecting all of the sites that you want added to the site link, click Add, and then click OK.
Procedure: Generate the intersite topology
By default, the KCC runs every 15 minutes to generate the replication topology. To initiate replication topology generation immediately, use the following procedures to refresh the intersite topology.
Subprocedure 1: Determine the ISTG role owner for the site
To determine the current Inter-Site Topology Generator (ISTG) role owner for a site, view the NTDS Site Settings object properties.
Procedure Requirements
Credentials: Domain Users
Tool: Active Directory Sites and Services (Administrative Tools)
Procedure Steps To determlne the ISTG role owner for u slte 1. In Actlve Dlrectory Sltes und Servlces, cllck the slte ob|ect whose ISTG you wunt to determlne. 2. In the detulls pune, rlght-cllck the NTDS Slte Settlngs ob|ect, und then cllck Propertles. The current role owner uppeurs ln the Server box under Inter-Slte Topology Generutor.
Subprocedure 2: Generate the replication topology on the ISTG
The Knowledge Consistency Checker (KCC) runs by default every 15 minutes. If you want to initiate topology regeneration immediately, you can force the KCC to run as follows: To generate the intersite replication topology, run the KCC on the domain controller in the site that holds the ISTG role. To generate the intrasite replication topology, run the KCC on any domain controller in the site that does not hold the ISTG role.

Procedure Requirements
Credentials: Enterprise Admins
Tool: Active Directory Sites and Services (Administrative Tools)
Identity of the ISTG role holder in the site

Procedure Steps
To generate the replication topology
1. In Active Directory Sites and Services, expand the Sites container, and then expand the site that contains the server on which you want to run the KCC.
2. Click Servers, and then click a Server object.
3. Expand the Server object to display the NTDS Settings object.
4. Right-click NTDS Settings, click All Tasks, and then click Check Replication Topology.
5. In the Check Replication Topology message box, click OK.
Procedure: Configure the site link schedule to identify times during which intersite replication can occur
Use the properties on the Site Link object to define when replication is allowed. Obtain the schedule from the design team.
Procedure Requirements
Credentials: Enterprise Admins
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To configure the site link schedule
1. In Active Directory Sites and Services, expand the Sites container and the Inter-Site Transports container, and then click the IP container.
2. In the details pane, right-click the Site Link object you want to configure, and then click Properties.
3. In the SiteLinkName Properties dialog box, click Change Schedule.
4. In the Schedule for SiteLinkName dialog box, select the block of days and hours during which you want replication to occur or not occur (available or not available), and then click the appropriate option.
5. Click OK twice.

Procedure: Configure the site link interval to identify how often replication polling can occur during the schedule window
Use the properties on the Site Link object to determine how often during the available replication schedule you want bridgehead servers to poll their intersite replication partners for changes. Obtain the interval value from the design team.
Procedure Requirements
Credentials: Enterprise Admins
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To configure the site link interval
1. In Active Directory Sites and Services, expand the Sites container and the Inter-Site Transports container, and then click the IP container.
2. In the details pane, right-click the Site Link object you want to configure, and then click Properties.
3. In the Replicate every _____ minutes box, specify the number of minutes for the intervals at which replication polling occurs during an open schedule, and then click OK.

Procedure: Configure the site link cost to establish a priority for replication routing
When creating or modifying site links, use the object properties to configure the relative cost of using the site link.
Procedure Requirements
Credentials: Enterprise Admins
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To configure site link cost
1. In Active Directory Sites and Services, expand the Sites container and the Inter-Site Transports container, and then click the IP container.
2. In the details pane, right-click the Site Link object you want to configure, and then click Properties.
3. In the Cost box, specify the number for the comparative cost of using the site link, and then click OK.
Procedure: Change the static IP address of the domain controller
This procedure includes changing all appropriate TCP/IP values, including preferred and alternate DNS servers, as well as WINS servers (if appropriate). Obtain these values from the design team. If you change the static IP address of a domain controller, you must also change related TCP/IP settings accordingly.
Procedure Requirements
Credentials: Administrators
Tool: My Network Places
Required information:
IP address
Subnet mask
Default gateway address
Preferred and alternate DNS server addresses
WINS server addresses, if appropriate

Procedure Steps
To change the static IP address of a domain controller
1. Log on locally to the server for which you want to change the IP address.
2. On the desktop, right-click My Network Places and then click Properties.
3. In the Network and Dial-up Connections dialog box, right-click Local Area Connection, and then click Properties.
4. In the Local Area Connection Properties dialog box, double-click Internet Protocol (TCP/IP).
5. In the Internet Protocol (TCP/IP) Properties dialog box, in the IP address box, type the new address.
6. In the Subnet mask box, type the subnet mask.
7. In the Default gateway box, type the default gateway.
8. In the Preferred DNS server box, type the address of the DNS server that this computer contacts.
9. In the Alternate DNS server box, type the address of the DNS server that this computer contacts if the preferred server is unavailable.
10. If this domain controller uses WINS servers, click Advanced and then, in the Advanced TCP/IP Settings dialog box, click the WINS tab.
11. If an address in the list is no longer appropriate, click the address, and then click Edit.
12. In the TCP/IP WINS Server dialog box, type the new address, and then click OK.
13. Repeat steps 11 and 12 for all addresses that need to be changed, and then click OK twice to close the TCP/IP WINS Server dialog box and the Advanced TCP/IP Settings dialog box.
14. Click OK to close the Internet Protocol (TCP/IP) Properties dialog box.

Procedure: Create a delegation for the domain controller
If the parent DNS zone of any zone that is hosted by this DNS server contains a delegation to this DNS server, use this procedure to update the IP address in all such delegations. This procedure creates a delegation for a new domain controller that is also a DNS server in the parent DNS domain. If your forest root domain has a parent DNS domain, perform these steps on a DNS server in the parent domain. If you just added a new domain controller to a child domain, perform these steps on a DNS server in the DNS parent domain. By following recommended practices, the parent domain is the forest root domain.
Procedure Requirements
Credentials: Domain Admin
Tool: DNS Manager

Procedure Steps
To create a delegation for a new domain controller
1. From the DNS snap-in, navigate to child_domain (where child_domain is the name of the child domain) in the console tree.
2. In the console tree, right-click child_domain, and then click Properties.
3. In the child_domain Properties sheet, on the Name Servers tab, click Add.
4. In the New Resource Record dialog box, in the Server name box, type child_dc.child_domain.parent_domain (where child_dc is the name of the new domain controller, child_domain is the name of the child domain, and parent_domain is the name of the parent domain).
5. In the New Resource Record dialog box, in the IP address box, type ip_address (where ip_address is the IP address of the child domain controller), click Add, and then click OK.
Procedure: Determine whether the server is a preferred bridgehead server
Preferred bridgehead servers are distinguished by a property on the Server object that adds the server to the preferred bridgehead server list for the IP transport.
Procedure Requirements
Credentials: Domain Users
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To determine whether a domain controller is a preferred bridgehead server
1. In Active Directory Sites and Services, expand the Sites container and the site in which the server object resides.
2. Expand the Servers container to display the domain controllers currently configured for that site.
3. Right-click the Server object of interest, and then click Properties.
4. If IP appears in the box labeled This server is a preferred bridgehead server for the following transports, the server is a preferred bridgehead server for the IP transport.

Procedure: Configure the server to not be a preferred bridgehead server
Use the Server object properties to remove a preferred bridgehead server from the IP transport.
Procedure Requirements
Credentials: Domain Admins
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To configure a domain controller to not be a preferred bridgehead server
1. In Active Directory Sites and Services, expand the Sites container, and then expand the site of the preferred bridgehead server.
2. Expand the Servers node to display the list of domain controllers currently configured for that site.
3. Right-click the server you want to remove, and then click Properties.
4. If IP appears in the list that marks this server as a bridgehead server for the IP transport, click IP, click Remove, and then click OK.

Procedure: Move the Server object to the new site
Moving a Server object requires that the IP address of the domain controller maps to the site to which you are moving the Server object. After you have verified that the IP address maps to the target site, use the following procedure to move the Server object to the site.
Procedure Requirements
Credentials: Enterprise Admins
Tools: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To move a Server object to a different site
1. In Active Directory Sites and Services, expand the Sites container and the site in which the server object resides.
2. Expand the Servers container to display the domain controllers that are currently configured for that site.
3. Right-click the Server object you want to move, and then click Move.
4. In the Site Name box, click the destination site, and then click OK.
5. Expand the Site object to which you moved the server, and then expand the Servers container.
6. Verify that an object for the server you moved exists.
7. Expand the Server object and verify that an NTDS Settings object exists.

Within an hour, the Net Logon service on the domain controller registers the new site information in DNS. Wait an hour and then open Event Viewer and connect to the domain controller whose Server object you moved. Review the directory service log for Net Logon errors regarding registration of SRV resource records in DNS that have occurred within the last hour. The absence of errors indicates that Net Logon has updated DNS with site-specific SRV resource records. Net Logon event ID 5774 indicates that the registration of DNS resource records has failed. If this error occurs, contact a supervisor and pursue DNS troubleshooting.

Procedure: Delete the Site Link object
Use the following procedure to delete the Site Link object.
Procedure Requirements
Credentials: Enterprise Admins
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To delete a Site Link object
1. In Active Directory Sites and Services, expand the Sites container and the Inter-Site Transports container, and then click the IP container.
2. In the details pane, right-click the Site Link object you want to delete, and then click Delete.
3. Click Yes to confirm your choice.
Procedure: Associate the subnet or subnets with the appropriate site
Associate an existing subnet with a site under the following conditions:
When you are removing the site to which the subnet was associated.
When you have temporarily associated the subnet with a different site and want to associate it with its permanent site.

Procedure Steps
To associate an existing Subnet object with a site
1. In Active Directory Sites and Services, expand the Sites container, and then click the Subnets container.
2. In the details pane, right-click the subnet with which you want to associate the site, and then click Properties.
3. In the Site box, click the site with which to associate the subnet, and then click OK.

If the IP addresses are no longer in use, delete the Subnet object or objects with which the addresses are associated.

Procedure: Delete the Site object
Delete a Site object only after you have removed all Server objects from the site and have reassociated the subnets with a different site. The Servers container is deleted when you delete the site.
Procedure Requirements
Credentials: Enterprise Admins
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To delete a Site object
1. In Active Directory Sites and Services, click the Sites container.
2. In the details pane, right-click the site you want to delete, and then click Delete.
3. Click Yes to confirm your choice.
4. In the Active Directory message box, read the information, and then click Yes to delete the site and its Servers container object.
Procedure: Configure a domain controller as a global catalog server
Use the setting on the NTDS Settings object to indicate whether a domain controller is designated as a global catalog server.
Procedure Requirements
Credentials: Domain Admins in the domain of the global catalog server
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To configure a domain controller as a global catalog server
1. In Active Directory Sites and Services, expand the Sites container, and then expand the site in which you are designating a global catalog server.
2. Expand the Servers container and then expand the Server object for the domain controller that you want to designate as a global catalog server.
3. Right-click the NTDS Settings object for the target server, and then click Properties.
4. Select the Global Catalog check box, and then click OK.

Procedure: Monitor global catalog replication progress
Monitor the replication progress to see how many (percentage) of the partial read-only directory partitions have been replicated to a new global catalog server.
Procedure Requirements
Credentials: Domain Admins
Tool: Dcdiag.exe (Support Tools)

Procedure Steps
To monitor the replication progress on a new global catalog server
1. At the command prompt, type dcdiag /v /s:servername | find "%" (where servername is the name of the new global catalog server), and then press ENTER.
2. Repeat this command periodically to monitor progress. If the test shows no output, then replication has completed.

Procedure: Verify successful replication to a domain controller
Use Repadmin.exe to verify the success of replication to a specific domain controller. Run the /showreps command on the domain controller that receives replication (the destination domain controller). In the output under INBOUND NEIGHBORS, Repadmin.exe shows the Lightweight Directory Access Protocol (LDAP) distinguished name of each directory partition for which inbound directory replication has been attempted, the site and name of the source domain controller, and whether it succeeded or not, as follows:
Last attempt @ YYYY-MM-DD HH:MM.SS was successful.
Last attempt @ [Never] was successful.

Procedure Requirements
Credentials: Domain Admins in the domain of the destination domain controller
Tool: Repadmin.exe (Support Tools)

Procedure Steps
To verify successful replication to a domain controller
1. At a command prompt, type the following command and then press ENTER:
repadmin /showreps ServerName /u:DomainName\UserName /pw:*
where ServerName is the name of the destination domain controller, DomainName is the single-label name of the domain of the destination domain controller (you do not have to use a fully-qualified DNS name), and UserName is the name of an administrative account in that domain.
2. When prompted, type the password for the user account you provided, and then press ENTER.
The last successful attempt should agree with the replication schedule for intersite replication, or should be within the last hour for intrasite replication. When replication has never occurred, the message indicates that the last success was never. If Repadmin.exe reports any of the following conditions, contact a superior:
The last successful intersite replication was prior to the last scheduled replication.
The last intrasite replication was longer than one hour ago.
Replication was never successful.
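The three escalation conditions above can be checked automatically against saved /showreps output. The following is an added example, not part of the guide or of Repadmin.exe: the sample output, the site names, the last scheduled replication time and the current time are all constructed for the example, and the parser only relies on the INBOUND NEIGHBORS layout and the "Last attempt @ ... was successful" lines described above.

```python
import re
from datetime import datetime, timedelta

ONE_HOUR = timedelta(hours=1)

# Constructed sample output that follows the INBOUND NEIGHBORS layout described above.
# Server names, partitions and timestamps are invented for this example.
SAMPLE_SHOWREPS = """\
Default-First-Site-Name\\DC1
DSA Options: IS_GC

==== INBOUND NEIGHBORS ======================================

DC=contoso,DC=com
    Default-First-Site-Name\\DC2 via RPC
        Last attempt @ 2004-03-01 10:15.22 was successful.
    Branch-Site\\DC3 via RPC
        Last attempt @ 2004-02-27 22:00.10 was successful.

CN=Configuration,DC=contoso,DC=com
    Default-First-Site-Name\\DC2 via RPC
        Last attempt @ 2004-03-01 08:40.05 was successful.

CN=Schema,CN=Configuration,DC=contoso,DC=com
    Branch-Site\\DC4 via RPC
        Last attempt @ [Never] was successful.
"""

# Constructed reference points for the check: the site of the destination DC,
# when the intersite schedule last opened, and the current time.
LOCAL_SITE = "Default-First-Site-Name"
LAST_SCHEDULED = datetime(2004, 2, 28, 0, 0, 0)
NOW = datetime(2004, 3, 1, 11, 0, 0)

_PARTITION_RE = re.compile(r"^(?:DC|CN)=")
_SOURCE_RE = re.compile(r"^\s+(?P<site>[^\\\s]+)\\(?P<server>\S+) via ")
_ATTEMPT_RE = re.compile(
    r"Last attempt @ (?:(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}[:.]\d{2})|\[Never\]) was successful"
)


def parse_showreps(text):
    """Return one record per (partition, source DC) pair listed under INBOUND NEIGHBORS."""
    records, partition, source, in_inbound = [], None, None, False
    for line in text.splitlines():
        if "INBOUND NEIGHBORS" in line:
            in_inbound = True
            continue
        if not in_inbound:
            continue
        if _PARTITION_RE.match(line):
            partition = line.strip()
            continue
        m = _SOURCE_RE.match(line)
        if m:
            source = (m.group("site"), m.group("server"))
            continue
        m = _ATTEMPT_RE.search(line)
        if m and partition and source:
            ts = m.group("ts")
            # The guide shows the time as HH:MM.SS; normalise so strptime accepts it.
            last = datetime.strptime(ts.replace(".", ":"), "%Y-%m-%d %H:%M:%S") if ts else None
            records.append({"partition": partition, "site": source[0],
                            "server": source[1], "last_success": last})
    return records


def evaluate_neighbors(records, local_site, last_scheduled, now):
    """Flag the three conditions the procedure says to escalate; returns (kind, detail) pairs."""
    findings = []
    for r in records:
        detail = f"{r['partition']} from {r['site']}\\{r['server']}"
        if r["last_success"] is None:
            findings.append(("never", detail))
        elif r["site"] != local_site:
            # Intersite partner: the last success must not predate the last scheduled window.
            if r["last_success"] < last_scheduled:
                findings.append(("intersite-stale", detail))
        elif now - r["last_success"] > ONE_HOUR:
            # Intrasite partner: expect a success within the last hour.
            findings.append(("intrasite-stale", detail))
    return findings


def check_sample():
    """Run the parser and the checks over the constructed sample; returns the finding kinds."""
    records = parse_showreps(SAMPLE_SHOWREPS)
    return [kind for kind, _ in evaluate_neighbors(records, LOCAL_SITE, LAST_SCHEDULED, NOW)]


if __name__ == "__main__":
    for kind, detail in evaluate_neighbors(parse_showreps(SAMPLE_SHOWREPS),
                                           LOCAL_SITE, LAST_SCHEDULED, NOW):
        print(f"{kind}: {detail}")
```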
Procedure: Verify global catalog readiness
When a global catalog server has satisfied replication requirements, the isGlobalCatalogReady rootDSE attribute is set to TRUE. Use Ldp.exe or Nltest.exe to view this value.

Subprocedure 1: Verify global catalog readiness using Ldp.exe
Procedure Requirements
Credentials: Domain Users
Tool: Ldp.exe (Support Tools)

Procedure Steps
To use Ldp.exe to verify global catalog readiness
1. In Ldp.exe, on the Connection menu, click Connect.
2. In the Connect box, type the name of the server whose global catalog readiness you want to verify.
3. In the Port box, if 389 is not showing, type 389.
4. If the Connectionless box is selected, clear it, and then click OK.
5. In the details pane, verify that the isGlobalCatalogReady attribute has a value of TRUE.
6. On the Connection menu, click Disconnect, and then close Ldp.exe.

Subprocedure 2: Verify global catalog readiness using Nltest.exe
Procedure Requirements
Credentials: Domain Users
Tools: Nltest.exe (Support Tools)

Procedure Steps
To use Nltest.exe to verify global catalog server readiness
1. At a command prompt, type the following command and then press ENTER:
nltest /server:ServerName /dsgetdc:DomainName
where ServerName is the name of the server you have added the global catalog to and DomainName is the domain of the server.
2. In the Flags: line of the output, if GC appears, then the global catalog server has satisfied its replication requirements.

Procedure: Verify global catalog DNS registrations
To verify that a server is advertised as a global catalog server, use the DNS snap-in to verify the presence of DNS SRV resource records for the server. Restart the global catalog server prior to checking DNS registrations.
Procedure Requirements
Credentials: Domain Users
Tool: DNS snap-in (Administrative Tools)
Global catalog server has been restarted since replication completed.

Procedure Steps
To verify the presence of global catalog-specific DNS SRV resource records
1. In the DNS snap-in, connect to a domain controller in the forest root domain.
2. Expand Forward Lookup Zones and then expand the forest root domain.
3. Click the _tcp container. In the details pane, look in the Name column for _gc and in the Data column for the name of the server. The records that begin with _gc are global catalog SRV records.
Procedure: Clear the global catalog setting
Clearing the global catalog setting initiates removal of the partial directory partitions from the directory database of the domain controller.
Procedure Requirements
Credentials: Domain Admins in the domain of the global catalog server
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To clear the global catalog setting
1. In Active Directory Sites and Services, expand the Sites container, and then expand the site from which you are removing a global catalog server.
2. Expand the Servers container and then expand the Server object for the domain controller that you want to remove as a global catalog server.
3. Right-click the NTDS Settings object for the target server, and then click Properties.
4. If the Global Catalog check box is selected, clear the check box, and then click OK.

Procedure: Monitor global catalog removal in Event Viewer
The KCC logs an event that indicates that the global catalog has been removed from a domain controller.
Procedure Requirements
Credentials: Domain Users
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To monitor global catalog removal in Event Viewer
1. Go to Start > Programs > Administrative Tools > Event Viewer.
2. Right-click Event Viewer (Local), and then click Connect to another computer.
3. In the Select Computer dialog box, click Another computer, type the name of the server from which you removed the global catalog, and then click OK.
4. Under Event Viewer, click Directory Service log.
5. Look for NTDS KCC event ID 1268, which indicates that the global catalog is removed from the local machine.

Procedure: Determine whether a site has at least one global catalog server
You can use Nltest.exe to list a single domain controller in a specified site. If the test fails, it means that there are no global catalog servers in the site.
Procedure Requirements
Credentials: Authenticated User
Tool: Nltest.exe (Support Tools)

Procedure Steps
To determine whether a site has at least one global catalog server
At the command prompt, type:
nltest /dsgetdc:forestRootDomainName /gc /site:siteName
where forestRootDomainName is the name of the forest root domain and siteName is the name of the site. Press ENTER.
The output shows either one domain controller that is a global catalog server, or the command fails. If the output shows DsGetDcName failed, then the site has no global catalog servers.

Procedure: Determine whether universal group caching is enabled
Procedure Details
1. Open the Active Directory Sites and Services MMC snap-in.
2. Locate the site you want to check for universal group caching.
3. Click the site name, right-click NTDS Site Settings, and then select Properties. If universal group caching is enabled, the check box will be checked.

Procedure: Change the weight for DNS SRV records in the registry
To increase client requests sent to other domain controllers relative to a particular domain controller, adjust the weight of the particular domain controller to a lower value than the others. All domain controllers start with a default weight setting of 100 and can be configured for any value from 0 through 65535, with a data type of decimal. When you adjust the weight, consider it as a ratio of the weight of this domain controller to the weight of the other domain controllers. Because the default for the other domain controllers is 100, the number you enter for weight is divided by 100 to establish the ratio. For example, if you specify a weight of 60, the ratio to the other domain controllers is 60/100. This reduces to 3/5, so you can expect clients to be referred to other domain controllers five times for every three times they get referred to the domain controller you are adjusting.
Caution The Registry Editor bypasses standard safeguards, allowing settings that can damage your system or even require you to reinstall Windows. If you must edit the registry, back up system state first. For information about backing up system state, see "Active Directory Backup and Restore" in this guide.
Procedure Steps
To change the weight for DNS SRV records in the registry
1. In the Run text box, type regedit and press ENTER.
2. In the Registry Editor, navigate to HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. Click Edit, click New, and then click DWORD value.
4. For the new value name, type LdapSrvWeight and press ENTER. (The value name is not case sensitive.)
5. Double-click the value name you just typed to open the Edit DWORD Value dialog box.
6. Enter a value from 0 through 65535. The default value is 100.
7. Choose Decimal as the Base option.
8. Click OK.
9. Click File, and then click Exit to close the Registry Editor.

Procedure: Change the priority for DNS SRV records in the registry
To prevent clients from sending all requests to a single domain controller, the domain controllers are assigned a priority value. Clients always send requests to the domain controller that has the lowest priority value. If more than one domain controller has the same value, the clients randomly choose from the group of domain controllers with the same value. If no domain controllers with the lowest priority value are available, then the clients send requests to the domain controller with the next highest priority. A domain controller's priority value is stored in its registry. When the domain controller starts, the Net Logon service registers with the DNS server. The priority value is registered with the rest of its DNS information. When a client uses DNS to discover a domain controller, the priority for a given domain controller is returned to the client with the rest of the DNS information. The client uses the priority value to help determine to which domain controller to send requests. The value is stored in the LdapSrvPriority registry entry. The default value is 0, but it can range from 0 through 65535. To configure the PDC emulator in this manner, use Regedit.exe to modify the ldapsrvpriority or ldapsrvweight registry entries.
Note A lower value entered for LdapSrvPriority indicates a higher priority. A domain controller with an LdapSrvPriority setting of 100 has a lower priority than a domain controller with a setting of 10. Therefore, clients attempt to use the domain controller with the setting of 100 first.
Procedure Steps
To change the priority for DNS SRV records in the registry
1. In the Run text box, type regedit and press ENTER.
2. In the Registry Editor, navigate to HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. Click Edit, click New, and then click DWORD value.
4. For the new value name, type LdapSrvPriority, and press ENTER.
5. Double-click the value name that you just typed to open the Edit DWORD Value dialog box.
6. Enter a value from 0 through 65535. The default value is 0.
7. Choose Decimal as the Base option, and then click OK.
8. Click File, and then click Exit to close the Registry Editor.

Procedure: Seize the operations master role
The Ntdsutil.exe command-line tool allows you to transfer and seize any operations master role. You must use Ntdsutil.exe to seize the schema master, domain naming master, and RID master roles. When you use Ntdsutil.exe to seize an operations master role, it first attempts a transfer from the current role owner. If the current role owner is unavailable, it performs the seizure. When using Ntdsutil.exe to seize an operations master role, the procedure is nearly identical for all roles. For more information about using Ntdsutil.exe, type ? at the Ntdsutil.exe command prompt.
Procedure Requirements
Credentials: Domain Admins or Enterprise Admins
Tools: Ntdsutil.exe (system tool)

Procedure Steps
To seize the operations master role
1. In the Run text box, type ntdsutil and press ENTER.
2. At the ntdsutil: prompt, type roles and press ENTER.
3. At the fsmo maintenance: prompt, type connections and press ENTER.
4. At the server connections: prompt, type connect to server servername (where servername is the name of the domain controller that will assume the operations master role), and press ENTER.
5. After you receive confirmation of the connection, type quit and press ENTER to exit the menu.
6. Depending on the role you want to seize, enter the command indicated and press ENTER.
The system asks for confirmation. It then attempts to transfer the role. When the transfer fails, some error information appears and the system proceeds with the seizure. After the seizure is complete, a list of the roles and the LDAP name of the server that currently holds each role appears. During seizure of the RID master, the current role holder attempts to synchronize with its replication partners. If it cannot establish a connection with a replication partner during the seizure operation, it displays a warning and confirms that you want the role seizure to proceed. Click Yes to proceed.
7. Type quit and press ENTER. Type quit again and press ENTER to exit Ntdsutil.exe.

Procedure: Create a Connection object
To help ensure that the current role holder and the standby operations master are replication partners, you can manually create a Connection object between the two domain controllers. Even if a Connection object is generated automatically, it is recommended that you manually create one. The system can alter automatically created Connection objects at any time. Manually created connections remain the same until an administrator changes them. You must know the current operations master role holder to perform the following procedure. For information about determining the current operations master role holders, see View the Current Operations Master Role Holders earlier in this guide.
Procedure Requirements
Credentials: Domain Admins
Tool: Active Directory Sites and Services (Administrative Tools)
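The weight and priority procedures above describe how a client picks among the domain controllers advertised in DNS: lowest priority value first, then a weighted random choice among the ties, with unreachable servers falling through to the next priority. The following is an added example, not part of the guide or of any Microsoft client: it models that selection over constructed SRV-style records (the DC names and weights are invented), enforces the 0 through 65535 range that both registry values accept, and reproduces the 60/100 = 3/5 ratio worked in the weight procedure.

```python
import math
import random

MAX_DWORD_VALUE = 65535
DEFAULT_WEIGHT = 100
DEFAULT_PRIORITY = 0


def validate_srv_setting(name, value):
    """Reject values outside the 0 through 65535 range that LdapSrvWeight and LdapSrvPriority accept."""
    if not isinstance(value, int) or not 0 <= value <= MAX_DWORD_VALUE:
        raise ValueError(f"{name} must be an integer from 0 through {MAX_DWORD_VALUE}, got {value!r}")
    return value


def referral_ratio(weight, other_weight=DEFAULT_WEIGHT):
    """Reduce weight/other_weight to lowest terms, e.g. 60/100 -> (3, 5) as in the guide."""
    g = math.gcd(weight, other_weight)
    return (weight // g, other_weight // g)


def choose_dc(records, available=None, rng=random):
    """Client-side selection: lowest priority value wins, ties are broken by weighted random choice.

    records: list of (priority, weight, target) tuples as a client would read them from SRV records.
    available: optional set of targets that currently respond; unreachable DCs are skipped, so the
    next priority value is used when no DC at the lowest value answers.
    """
    live = [r for r in records if available is None or r[2] in available]
    if not live:
        raise LookupError("no domain controller available")
    lowest = min(priority for priority, _, _ in live)
    candidates = [(weight, target) for priority, weight, target in live if priority == lowest]
    total = sum(weight for weight, _ in candidates)
    if total == 0:
        # All weights zero: nothing to weight by, so pick uniformly.
        return rng.choice(candidates)[1]
    point = rng.randrange(total)
    for weight, target in candidates:
        if point < weight:
            return target
        point -= weight
    return candidates[-1][1]  # not reached; kept for safety


# Constructed example: two DCs at the default priority, one of them with its weight
# lowered to 60 as in the text above, and a third DC with a higher priority value as fallback.
SAMPLE_RECORDS = [
    (DEFAULT_PRIORITY, DEFAULT_WEIGHT, "dc1.contoso.com"),
    (DEFAULT_PRIORITY, validate_srv_setting("LdapSrvWeight", 60), "dc2.contoso.com"),
    (validate_srv_setting("LdapSrvPriority", 10), DEFAULT_WEIGHT, "dc3.contoso.com"),
]


def referral_counts(records, draws, seed=1, available=None):
    """Simulate `draws` client lookups with a seeded generator and count how often each DC is chosen."""
    rng = random.Random(seed)
    counts = {target: 0 for _, _, target in records}
    for _ in range(draws):
        counts[choose_dc(records, available, rng)] += 1
    return counts


if __name__ == "__main__":
    print("ratio for weight 60:", referral_ratio(60))          # (3, 5)
    print(referral_counts(SAMPLE_RECORDS, 8000))               # dc2 ~3000, dc1 ~5000, dc3 0
    print(choose_dc(SAMPLE_RECORDS, available={"dc3.contoso.com"}))
```

With dc1 and dc2 both at priority 0, dc2 receives about 60/(60+100) = 3/8 of the referrals and dc3 none; dc3 is chosen only when neither priority-0 server is available.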
Subprocedure 1: Steps to create a Connection object on the current operations master
To create a Connection object on the current operations master
1. In the Active Directory Sites and Services snap-in, in the console tree, expand the Sites folder to see the list of available sites.
2. Expand the site name in which the current role holder is located to display the Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that is currently hosting the operations master role to display NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the standby operations master, and then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the Connection object or accept the default name, and click OK.

Subprocedure 2: Steps to create a Connection object on the standby operations master
To create a Connection object on the standby operations master
1. Expand the site name in which the standby operations master is located to display the Servers folder.
2. Expand the Servers folder to see a list of the servers in that site.
3. Expand the name of the server that you want to be the standby operations master to display its NTDS Settings.
4. Right-click NTDS Settings, click New, and then click Connection.
5. In the Find Domain Controllers dialog box, select the name of the current role holder, then click OK.
6. In the New Object-Connection dialog box, enter an appropriate name for the Connection object or accept the default name, and click OK.
Procedure: Add the new domain controller name
Procedure Steps
Open a command prompt and type the following command, and then press ENTER:
netdom computername CurrentComputerName /add:NewComputerName

Procedure: Designate the new name as the primary computer name
Procedure Steps
To designate the new name as the primary computer name
1. Open a command prompt and type:
netdom computername CurrentComputerName /makeprimary:NewComputerName
where CurrentComputerName and NewComputerName match the descriptions in the table below. Press ENTER.
2. Restart the computer.

Procedure: Remove the old domain controller name
Procedure Steps
To remove the old domain controller name
1. Open a command prompt and type:
netdom computername NewComputerName /remove:OldComputerName
where NewComputerName and OldComputerName match the descriptions in the table below. Press ENTER.

Value                Description
CurrentComputerName  The current, or primary, computer name or IP address of the computer you are renaming.
NewComputerName      The new name for the computer. The NewComputerName must be a fully qualified domain name (FQDN). The primary DNS suffix specified in the FQDN for NewComputerName must be the same as the primary DNS suffix of CurrentComputerName, or it must match the DNS name of the Active Directory domain hosted by this domain controller, or it must be contained in the list of allowed DNS suffixes specified in the msDS-AllowedDNSSuffixes attribute of the domainDns object.
OldComputerName      The old name of the renamed computer. The OldComputerName must be a fully qualified domain name (FQDN).
Procedure: Update the FRS Member object
Procedure Steps
To update the FRS Member object
1. Using Ldp.exe (or ADSI Edit), find the computer object of the renamed domain controller.
2. Do a recursive search for an object of type nTFRSSubscriber with the computer name of "Domain System Volume (SYSVOL share)" under the Computer object.
3. The search filter is "(&((cn=Domain System Volume (SYSVOL share))(objectclass=ntfrssubscriber)))".
4. Find the fRSMemberReference attribute of the object returned by the search.
5. Find the object whose domain name is in the fRSMemberReference attribute. This is the Ntfrsmember object corresponding to this domain controller.
6. Change the computer name of this Ntfrsmember object from the old name of the domain controller to the new name of the domain controller.

Procedure: Restore Group Policy
Procedure Steps
To restore Group Policy
1. Open Group Policy Management Console (GPMC).
2. In the console tree, double-click Domains to expand the list of domains.
3. Double-click the desired domain to expand the contents of that domain.
4. Right-click Group Policy Objects, and select Manage Backups.
5. Right-click the object to be restored, and select Restore from Backup.
6. Select the backup location, click the policy backup to be restored, and then click Restore.
7. Click OK to restore the selected GPO backup.