Professional Documents
Culture Documents
Abstract
This operations guide provides administering and management information for Active Directory Domain Services (AD DS) directory service technologies in the Windows Server 2008 operating system.
Copyright information
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2008 Microsoft Corporation. All rights reserved. Active Directory, Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents
Active Directory Domain Services Operations Guide........................................................................1 Abstract....................................................................................................................................1 Copyright information.......................................................................................................................2 Contents..........................................................................................................................................3 Active Directory Domain Services Operations Guide......................................................................24 New in This Guide.........................................................................................................................24 Administering Active Directory Domain Services............................................................................24 Introduction to Administering Active Directory Domain Services.....................................................25 When to use this guide...............................................................................................................25 How to use this guide.................................................................................................................26 Administering Domain and Forest Trusts.......................................................................................26 Introduction to Administering Domain and Forest Trusts................................................................27 Best Practices for Administering Domain and Forest Trusts...........................................................27 Managing Domain and Forest Trusts.............................................................................................28 Creating Domain and Forest Trusts...............................................................................................28 New Trust Wizard terminology....................................................................................................29 Known Issues for Creating Domain and Forest Trusts....................................................................30 Creating External Trusts................................................................................................................31 Create a One-Way, Incoming, External Trust for One Side of the Trust..........................................33 Create a One-Way, Incoming, External Trust for Both Sides of the Trust........................................34 Create a One-Way, Outgoing, External Trust for One Side of the Trust..........................................36 Create a One-Way, Outgoing, External Trust for Both Sides of the Trust........................................37 Create a Two-Way, External Trust for One Side of the Trust...........................................................39 Create a Two-Way, External Trust for Both Sides of the Trust........................................................40 Creating Shortcut Trusts................................................................................................................42 Create a One-Way, Incoming, Shortcut Trust for One Side of the Trust..........................................43
Create a One-Way, Incoming, Shortcut Trust for Both Sides of the Trust........................................44 Create a One-Way, Outgoing, Shortcut Trust for One Side of the Trust..........................................45 Create a One-Way, Outgoing, Shortcut Trust for Both Sides of the Trust........................................47 Create a Two-Way, Shortcut Trust for One Side of the Trust...........................................................48 Create a Two-Way, Shortcut Trust for Both Sides of the Trust........................................................50 Creating Forest Trusts...................................................................................................................51 Create a One-Way, Incoming, Forest Trust for One Side of the Trust.............................................52 Create a One-Way, Incoming, Forest Trust for Both Sides of the Trust...........................................54 Create a One-Way, Outgoing, Forest Trust for One Side of the Trust.............................................55 Create a One-Way, Outgoing, Forest Trust for Both Sides of the Trust...........................................57 Create a Two-Way, Forest Trust for One Side of the Trust..............................................................58 Create a Two-Way, Forest Trust for Both Sides of the Trust...........................................................60 Creating Realm Trusts...................................................................................................................62 Create a One-Way, Incoming, Realm Trust....................................................................................62 Create a One-Way, Outgoing, Realm Trust....................................................................................64 Create a Two-Way, Realm Trust.....................................................................................................65 Configuring Domain and Forest Trusts...........................................................................................66 Validating and Removing Trusts.....................................................................................................66 Validate a Trust..............................................................................................................................67 Validating a trust.........................................................................................................................67 Remove a Manually Created Trust.................................................................................................68 Removing a manually created trust............................................................................................68 Modifying Name Suffix Routing Settings........................................................................................69 Modify Routing for a Forest Name Suffix........................................................................................70 71 Modify Routing for a Subordinate Name Suffix...............................................................................71 72 Exclude Name Suffixes from Routing to a Forest...........................................................................72 72
Securing Domain and Forest Trusts...............................................................................................73 Configuring SID Filter Quarantining on External Trusts..................................................................73 Disable SID filter Quarantining.......................................................................................................75 See Also.....................................................................................................................................76 Reapply SID Filter Quarantining....................................................................................................76 Configuring Selective Authentication Settings................................................................................77 Enable Selective Authentication over an External Trust..................................................................78 Enabling selective authentication over an external trust..............................................................78 Enable Selective Authentication over a Forest Trust.......................................................................80 Enabling selective authentication over a forest trust...................................................................80 Enable Domain-Wide Authentication over an External Trust...........................................................81 Enable Forest-Wide Authentication over a Forest Trust..................................................................82 Grant the Allowed to Authenticate Permission on Computers in the Trusting Domain or Forest......83 Appendix: New Trust Wizard Pages...............................................................................................84 Direction of Trust........................................................................................................................84 Wizard optionTwo-way........................................................................................................84 Wizard optionOne-way: incoming........................................................................................85 Wizard optionOne-way: outgoing.........................................................................................86 Sides of trust..............................................................................................................................87 Wizard optionThis domain only............................................................................................87 Wizard optionBoth this domain and the specified domain....................................................88 Administering the Windows Time Service......................................................................................88 Introduction to Administering the Windows Time Service................................................................88 Windows time source selection...................................................................................................88 External NTP time servers..........................................................................................................89 W32tm and net time...................................................................................................................90 Managing the Windows Time Service............................................................................................90 Configuring a Time Source for the Forest.......................................................................................91 Configure the Time Source for the Forest......................................................................................93 Change the Windows Time Service Configuration on the PDC Emulator in the Forest Root Domain ...................................................................................................................................................97 Disable the Windows Time Service................................................................................................98
Enable Windows Time Service Debug Logging..............................................................................99 Configuring Windows-Based Clients to Synchronize Time.............................................................99 Configure a Manual Time Source for a Selected Client Computer................................................100 Configure a Client Computer for Automatic Domain Time Synchronization...................................102 Restoring the Windows Time Service to Default Settings.............................................................103 Restore the Windows Time Service on the Local Computer to the Default Settings......................103 Administering DFS-Replicated SYSVOL......................................................................................104 Introduction to Administering DFS-Replicated SYSVOL...............................................................104 SYSVOL terminology and capitalization....................................................................................104 Using DFS Replication for replicating SYSVOL in Windows Server 2008..................................105 Requirements for using DFS Replication..................................................................................106 Key considerations for administering SYSVOL.........................................................................106 Relocating SYSVOL folders......................................................................................................108 Managing DFS-Replicated SYSVOL............................................................................................109 Changing the Quota That Is Allocated to the SYSVOL Staging Area............................................110 Change the Quota That Is Allocated to the SYSVOL Staging Folder............................................110 Relocating the SYSVOL Staging Area..........................................................................................111 Identify Replication Partners........................................................................................................112 Check the Status of the SYSVOL and Netlogon Shares...............................................................113 Verify Active Directory Replication................................................................................................114 Gather the SYSVOL Path Information..........................................................................................114 To gather the SYSVOL path information....................................................................................116 Stop the DFS Replication Service and Netlogon Service..............................................................117 Create the SYSVOL Staging Areas Folder Structure....................................................................118 Change the SYSVOL Root Path or Staging Areas Path, or Both..................................................119 See Also...................................................................................................................................120 Start the DFS Replication Service and Netlogon Service.............................................................120 Force Replication Between Domain Controllers...........................................................................121 See Also...................................................................................................................................122 Relocating SYSVOL Manually......................................................................................................122
Identify Replication Partners........................................................................................................124 Check the Status of the SYSVOL and Netlogon Shares...............................................................124 Verify Active Directory Replication................................................................................................125 Gather the SYSVOL Path Information..........................................................................................126 To gather the SYSVOL path information...................................................................................127 Stop the DFS Replication Service and Netlogon Service..............................................................129 Copy SYSVOL to a New Location................................................................................................130 Create the SYSVOL Root Junction Point.....................................................................................133 Change the SYSVOL Root Path or Staging Areas Path, or Both..................................................134 See Also...................................................................................................................................135 Change the SYSVOL Netlogon Parameters.................................................................................135 Reapply Default SYSVOL Security Settings.................................................................................136 Start the DFS Replication Service and Netlogon Service.............................................................138 Force Replication Between Domain Controllers...........................................................................139 See Also...................................................................................................................................139 Updating the SYSVOL Path.........................................................................................................139 Gather the SYSVOL Path Information..........................................................................................140 To gather the SYSVOL path information...................................................................................142 Stop the DFS Replication Service and Netlogon Service..............................................................143 Change the SYSVOL Netlogon Parameters.................................................................................144 Create the SYSVOL Root Junction Point.....................................................................................145 Start the DFS Replication Service and Netlogon Service.............................................................146 Restoring and Rebuilding SYSVOL..............................................................................................147 Identify Replication Partners........................................................................................................149 Check the Status of the SYSVOL and Netlogon Shares...............................................................149 Verify Active Directory Replication................................................................................................150 Gather the SYSVOL Path Information..........................................................................................151 To gather the SYSVOL path information...................................................................................152 Restart the Domain Controller in Directory Services Restore Mode Locally..................................154
Restarting the domain controller in DSRM locally.....................................................................155 See Also...................................................................................................................................156 Restart the Domain Controller in Directory Services Restore Mode Remotely..............................157 See Also...................................................................................................................................160 Stop the DFS Replication Service and Netlogon Service..............................................................160 Import the SYSVOL Folder Structure...........................................................................................161 See Also...................................................................................................................................164 Administering the Global Catalog.................................................................................................165 Introduction to Administering the Global Catalog..........................................................................165 Global catalog hardware requirements.....................................................................................165 Global catalog placement.........................................................................................................165 Initial global catalog replication.................................................................................................165 Global catalog readiness..........................................................................................................166 Global catalog removal.............................................................................................................166 Managing the Global Catalog.......................................................................................................167 Configuring a Global Catalog Server............................................................................................167 Determine Whether a Domain Controller Is a Global Catalog Server...........................................168 Designate a Domain Controller to Be a Global Catalog Server.....................................................168 Monitor Global Catalog Replication Progress...............................................................................169 Verify Successful Replication to a Domain Controller...................................................................170 Determining Global Catalog Readiness.......................................................................................173 Verify Global Catalog Readiness..................................................................................................173 Verifying global catalog readiness............................................................................................173 Verify Global Catalog DNS Registrations.....................................................................................174 Removing the Global Catalog......................................................................................................175 Clear the Global Catalog Setting..................................................................................................175 Monitor Global Catalog Removal in Event Viewer........................................................................176 Administering Operations Master Roles.......................................................................................177 Introduction to Administering Operations Master Roles................................................................177 Guidelines for role placement...................................................................................................178 Guidelines for role transfer.......................................................................................................181
Managing Operations Master Roles.............................................................................................182 Designating a Standby Operations Master...................................................................................183 Standby operations master computer requirements..................................................................183 Replication requirements..........................................................................................................183 Determine Whether a Domain Controller Is a Global Catalog Server...........................................184 Create a Connection Object on the Operations Master and Standby............................................184 Verify Successful Replication to a Domain Controller...................................................................185 Transferring an Operations Master Role......................................................................................188 Transferring to a standby operations master.............................................................................189 Transferring an operations master role when no standby is ready.............................................189 Install the Schema Snap-in..........................................................................................................190 Transfer the Schema Master........................................................................................................191 Transfer the Domain Naming Master...........................................................................................192 Transfer the Domain-Level Operations Master Roles...................................................................193 View the Current Operations Master Role Holders.......................................................................194 Seizing an operations master role................................................................................................195 Verify Successful Replication to a Domain Controller...................................................................196 Seize the Operations Master Role...............................................................................................199 View the Current Operations Master Role Holders.......................................................................200 Reducing the Workload on the PDC Emulator Master..................................................................201 Changing the weight for DNS service (SRV) resource records in the registry............................201 Changing the priority for DNS service (SRV) resource records in the registry...........................202 Change the Weight for DNS Service (SRV) Resource Records in the Registry............................203 Change the Priority for DNS Service (SRV) Resource Records in the Registry............................203 Administering Active Directory Backup and Recovery..................................................................204 Introduction to Administering Active Directory Backup and Recovery [lhsad_ADDS_Ops_5]_ADDS_Ops_5......................................................................................205 Backing up AD DS....................................................................................................................205 Recovering AD DS...................................................................................................................205 Additional considerations..........................................................................................................206 Managing Active Directory Backup and Recovery........................................................................207
Backing Up Active Directory Domain Services.............................................................................207 Windows Server backup tools...................................................................................................207 Windows Server backup types..................................................................................................208 Contents of Windows Server backup types...........................................................................208 Criteria for using backup types..............................................................................................209 Backup guidelines....................................................................................................................210 Scheduling regular backups......................................................................................................211 Immediate (unscheduled) backup.............................................................................................212 Backup frequency.....................................................................................................................212 Backup frequency criteria......................................................................................................213 Backup latency interval.........................................................................................................213 Known Issues for Backing Up Active Directory Domain Services..................................................215 Perform a Backup of Critical Volumes of a Domain Controller by Using the GUI (Windows Server Backup)....................................................................................................................................216 Additional considerations...................................................................................................217 Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin) .................................................................................................................................................217 Additional considerations...................................................................................................218 Perform a Full Server Backup of a Domain Controller by Using the GUI (Windows Server Backup) .................................................................................................................................................218 Additional considerations...................................................................................................222 Perform a Full Server Backup of a Domain Controller by Using the Command Line (Wbadmin)...223 Additional considerations...................................................................................................223 Recovering Active Directory Domain Services..............................................................................224 Causes of disruptions...............................................................................................................224 Keys to protecting against disruptions......................................................................................225 Preventing unwanted deletions.................................................................................................225 Recovery solutions...................................................................................................................226 Solutions for configuration errorsnonauthoritative restore..................................................226 Solutions for data lossauthoritative restore........................................................................227 Recovery options with no available backup...........................................................................228 Solutions for hardware failure or file corruption......................................................................228 Recovery tasks.........................................................................................................................230 Performing Nonauthoritative Restore of Active Directory Domain Services...................................230 Nonauthoritative Restore Requirements...................................................................................231 SYSVOL restore.......................................................................................................................231 Additional references................................................................................................................232 Restart the Domain Controller in Directory Services Restore Mode Locally..................................232 Restarting the domain controller in DSRM locally.....................................................................234
See Also...................................................................................................................................235 Restart the Domain Controller in Directory Services Restore Mode Remotely..............................235 See Also...................................................................................................................................238 Restore AD DS from Backup (Nonauthoritative Restore)..............................................................238 Additional references................................................................................................................240 Verify AD DS restore....................................................................................................................240 Performing Authoritative Restore of Active Directory Objects.......................................................241 Determining objects to restore..................................................................................................242 Selecting objects to restore......................................................................................................243 Selecting application directory partitions to restore...................................................................243 Restoring group memberships after authoritative restore..........................................................244 LVR and restoration of group memberships...........................................................................244 Authoritative restore of pre-LVR group memberships and groups in different domains..........245 Files for recovering group memberships following authoritative restore.................................245 Using a global catalog server for authoritative restore...............................................................246 Recovering deletions without restoring from backup.................................................................247 Retention (merge) of new group memberships or other attributes after authoritative restore.....247 Authoritative restore procedures...............................................................................................248 Procedures for restoring after deletions have replicated........................................................249 Procedures for restoring before deletions have replicated.....................................................250 Procedures for recovering group memberships (and any other back-link attributes) in other domains.............................................................................................................................251 Additional references................................................................................................................251 Known Issues for Authoritative Restore........................................................................................252 Order of replication and dropped group memberships..............................................................252 Members added back to groups from which they were deleted.................................................253 Incorrect assignment of Exchange mailboxes...........................................................................253 Best Practices for Authoritative Restore.......................................................................................253 Restart the Domain Controller in Directory Services Restore Mode Locally..................................255 Restarting the domain controller in DSRM locally.....................................................................256 See Also...................................................................................................................................257 Restart the Domain Controller in Directory Services Restore Mode Remotely..............................257 See Also...................................................................................................................................261 Restore AD DS from Backup (Nonauthoritative Restore)..............................................................261 Additional references................................................................................................................263 Mark an Object or Objects as Authoritative..................................................................................263 Additional references................................................................................................................265
Turn Off Inbound Replication.......................................................................................................265 Additional references................................................................................................................266 Synchronize Replication with All Partners....................................................................................266 See Also...................................................................................................................................267 Run an LDIF File to Recover Back-Links......................................................................................267 Additional references................................................................................................................268 Turn on Inbound Replication........................................................................................................269 Additional references................................................................................................................269 Create an LDIF File for Recovering Back-Links for Authoritatively Restored Objects....................269 Additional references................................................................................................................270 Performing Authoritative Restore of an Application Directory Partition..........................................271 Restart the Domain Controller in Directory Services Restore Mode Remotely..............................271 See Also...................................................................................................................................275 Restart the Domain Controller in Directory Services Restore Mode Locally..................................275 Restarting the domain controller in DSRM locally.....................................................................276 See Also...................................................................................................................................277 Restore AD DS from Backup (Nonauthoritative Restore)..............................................................278 Additional references................................................................................................................279 Mark an application directory partition as authoritative.................................................................279 See Also...................................................................................................................................281 Performing a Full Server Recovery of a Domain Controller..........................................................281 Requirements for performing a full server recovery of a domain controller................................281 Performing a full server recovery of a domain controller by using the GUI................................282 Performing a full server recovery of a domain controller by using the command line.................283 Additional considerations..........................................................................................................284 Restoring a Domain Controller Through Reinstallation and Subsequent Restore from Backup.....285 Restart the Domain Controller in Directory Services Restore Mode Locally..................................286 Restarting the domain controller in DSRM locally.....................................................................287 See Also...................................................................................................................................289 Restart the Domain Controller in Directory Services Restore Mode Remotely..............................289 See Also...................................................................................................................................292 Restore AD DS from Backup (Nonauthoritative Restore)..............................................................292 Additional references................................................................................................................294 Verify AD DS restore....................................................................................................................294
Restoring a Domain Controller Through Reinstallation.................................................................295 Clean Up Server Metadata...........................................................................................................297 See Also...................................................................................................................................299 Delete a Server Object from a Site...............................................................................................300 See Also...................................................................................................................................300 Verify DNS Registration and TCP/IP Connectivity........................................................................301 Verify the Availability of the Operations Masters...........................................................................301 Install an Additional Domain Controller by Using the Windows Interface......................................303 See Also...................................................................................................................................305 Verifying Active Directory Installation............................................................................................305 Administering Intersite Replication...............................................................................................306 Introduction to Administering Intersite Replication........................................................................306 Optimizing replication between sites.........................................................................................307 Effects of site link bridging.....................................................................................................307 Effects of disabling site link bridging......................................................................................307 Optimizing domain controller location.......................................................................................308 Finding the next closest site..................................................................................................308 Forcing domain controller rediscovery...................................................................................309 Improving the logon experience in branch sites........................................................................309 See Also...................................................................................................................................310 Managing Intersite Replication.....................................................................................................310 Adding a New Site.......................................................................................................................310 Create a Site Object and Add it to an Existing Site Link................................................................311 See Also...................................................................................................................................312 Create a Subnet Object or Objects and Associate them with a Site..............................................312 Associate an Existing Subnet Object with a Site..........................................................................313 Create a Site Link Object and Add the Appropriate Sites..............................................................313 Remove a Site from a Site Link....................................................................................................314 Linking Sites for Replication.........................................................................................................314 Creating site links.....................................................................................................................315 Selecting bridgehead servers...................................................................................................315 Create a Site Link Object and Add the Appropriate Sites..............................................................316
Determine the ISTG Role Owner for a Site..................................................................................317 Generate the Replication Topology on the ISTG..........................................................................317 Designate a Server as a Preferred Bridgehead Server.................................................................318 Changing Site Link Properties......................................................................................................319 Configure the Site Link Schedule to Identify Times During Which Intersite Replication Can Occur .................................................................................................................................................319 Configure the Site Link Interval to Identify How Often Replication Polling Can Occur During the Schedule Window.....................................................................................................................320 Configure the Site Link Cost to Establish a Priority for Replication Routing..................................321 Determine the ISTG Role Owner for a Site..................................................................................321 Generate the Replication Topology on the ISTG..........................................................................322 Enabling Clients to Locate the Next Closest Domain Controller...................................................323 Enable Clients to Locate a Domain Controller in the Next Closest Site.........................................325 Moving a Domain Controller to a Different Site.............................................................................326 TCP/IP settings........................................................................................................................326 DNS settings............................................................................................................................326 Preferred bridgehead server status...........................................................................................327 Change the Static IP Address of a Domain Controller..................................................................328 Update the IP Address for a DNS Delegation...............................................................................329 Update the IP Address for a DNS Forwarder................................................................................330 Verify That an IP Address Maps to a Subnet and Determine the Site Association.........................331 See Also...................................................................................................................................332 Determine Whether a Server is a Preferred Bridgehead Server...................................................332 See Also...................................................................................................................................332 View the List of All Preferred Bridgehead Servers........................................................................333 See Also...................................................................................................................................333 Configure a Server to Not Be a Preferred Bridgehead Server......................................................333 See Also...................................................................................................................................334 Move a Server Object to a New Site............................................................................................334 See Also...................................................................................................................................335 Enabling Universal Group Membership Caching in a Site............................................................335
Enable Universal Group Membership Caching in a Site...............................................................336 Forcing Replication......................................................................................................................336 Forcing replication of all directory updates over a connection...................................................337 Forcing replication of configuration updates..............................................................................337 Force Replication Between Domain Controllers...........................................................................338 See Also...................................................................................................................................339 Update a Server with Configuration Changes..............................................................................339 Synchronize Replication with All Partners....................................................................................340 See Also...................................................................................................................................341 Verify Successful Replication to a Domain Controller...................................................................341 Removing a Site..........................................................................................................................345 Delete a Manual Connection Object.............................................................................................346 Determine Whether a Server Object Has Child Objects...............................................................347 Delete a Server Object from a Site...............................................................................................348 See Also...................................................................................................................................349 Delete a Site Link object..............................................................................................................349 Associate an Existing Subnet Object with a Site..........................................................................349 Delete a Site object......................................................................................................................350 See Also...................................................................................................................................350 Determine the ISTG Role Owner for a Site..................................................................................350 Generate the Replication Topology on the ISTG..........................................................................351 Administering the Active Directory Database................................................................................352 Introduction to Administering the Active Directory Database [lhsad]_ADDS_Ops_7.....................352 Database management conditions...........................................................................................352 Disk space monitoring recommendations.................................................................................353 Database defragmentation.......................................................................................................353 Restartable AD DS...................................................................................................................353 See Also...................................................................................................................................354 Managing the Active Directory Database.....................................................................................354 Relocating the Active Directory Database Files............................................................................354 Disk space requirements for relocating Active Directory database files.....................................355 Determine the Database Size and Location Online......................................................................357
See Also...................................................................................................................................358 Determine the Database Size and Location Offline......................................................................358 See Also...................................................................................................................................359 Compare the Size of the Directory Database Files to the Volume Size.........................................359 Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin) .................................................................................................................................................360 Additional considerations...................................................................................................361 Move the Directory Database and Log Files to a Local Drive.......................................................361 See Also...................................................................................................................................364 Copy the Directory Database and Log Files to a Remote Share...................................................364 See Also...................................................................................................................................367 Returning Unused Disk Space from the Active Directory Database to the File System.................367 Change the Garbage Collection Logging Level to 1.....................................................................369 See Also...................................................................................................................................369 Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin) .................................................................................................................................................370 Additional considerations...................................................................................................370 Compact the Directory DatabaseFfile (Offline Defragmentation)..................................................371 See Also...................................................................................................................................374 If the Database Integrity Check Fails, Perform Semantic Database Analysis with Fixup...............374 Administering Domain Controllers................................................................................................375 Additional references................................................................................................................376 Introduction to Administering Domain Controllers.........................................................................376 Installing Remote Server Administration Tools..........................................................................376 Installing and removing AD DS.................................................................................................376 Adding domain controllers.....................................................................................................377 Removing domain controllers................................................................................................377 Renaming domain controllers...................................................................................................377 Adding domain controllers to branch sites................................................................................377 Installing from media.............................................................................................................378 Shipping installed domain controllers to branch sites.............................................................379 Managing Domain Controllers......................................................................................................379 Installing Remote Server Administration Tools for AD DS.............................................................381 Installing Active Directory Domain Services Tools on a member server that is running Windows Server 2008...........................................................................................................381
Installing Active Directory Domain Services Tools on a computer that is running Windows Vista with SP1...............................................................................................................................382 Managing Antivirus Software on Active Directory Domain Controllers...........................................382 Guidelines for managing antivirus software on Active Directory domain controllers...................383 Files to exclude from scanning.................................................................................................384 Preparing for Active Directory Installation.....................................................................................386 DNS configuration....................................................................................................................386 Site placement.........................................................................................................................386 Domain connectivity.................................................................................................................387 Verify DNS Infrastructure and Registrations.................................................................................388 Verify That an IP Address Maps to a Subnet and Determine the Site Association.........................390 See Also...................................................................................................................................390 Verify the Availability of the Operations Masters...........................................................................391 Installing a Domain Controller in an Existing Domain...................................................................392 See Also...................................................................................................................................393 Installing an Additional Domain Controller by Using the Windows Interface..................................393 See Also...................................................................................................................................394 Install an Additional Domain Controller by Using the Windows Interface......................................394 See Also...................................................................................................................................396 Installing an Additional Domain Controller by Using IFM..............................................................397 See Also...................................................................................................................................399 Create Installation Media by Using Ntdsutil..................................................................................399 See Also...................................................................................................................................400 Install an Additional Domain Controller by Using Installation Media..............................................400 See Also...................................................................................................................................401 Installing an Additional Domain Controller by Using Unattend Parameters...................................401 See Also...................................................................................................................................402 Create an Answer File for Unattended Domain Controller Installation...........................................402 See Also...................................................................................................................................404 Install an Additional Domain Controller by Using an Answer File..................................................404 See Also...................................................................................................................................405 Install an Additional Domain Controller by Using Unattend Parameters from the Command Line. 405 Verifying Active Directory Installation............................................................................................406
Verify That an IP Address Maps to a Subnet and Determine the Site Association.........................407 See Also...................................................................................................................................408 Configure DNS Server Forwarders..............................................................................................408 Verifying DNS Configuration........................................................................................................409 Verify DNS Server Configuration for a Domain Controller.............................................................409 See Also...................................................................................................................................410 Verify DNS Client Settings...........................................................................................................410 See Also...................................................................................................................................411 Check the Status of the SYSVOL and Netlogon Shares...............................................................411 Verify Active Directory Replication................................................................................................412 Verify a Domain Computer Account for a New Domain Controller................................................413 Adding Domain Controllers in Remote Sites................................................................................413 Best Practices for Adding Domain Controllers in Remote Sites....................................................414 Best practices for using IFM to install AD DS in the remote site................................................415 Best practices for installing domain controllers before you ship them to a remote site...............417 See Also...................................................................................................................................419 Known Issues for Adding Domain Controllers in Remote Sites.....................................................419 SYSVOL replication..................................................................................................................419 Using IFM to install a domain controller in a remote site...........................................................420 Advantages of using IFM to install a domain controller in a remote site.................................420 Issues with using IFM to install a domain controller in a remote site......................................421 Installing domain controllers before shipping them to the remote site........................................422 Advantages of installing domain controllers before shipping them to the remote site.............422 Issues with installing domain controllers before shipping them to the remote site..................422 Maintaining directory consistency when you disconnect a domain controller.........................423 Protection against lingering object replication....................................................................424 Availability of operations masters.......................................................................................424 Up to dateness of active directory replication.....................................................................425 SYSVOL consistency.........................................................................................................425 See Also...................................................................................................................................425 Preparing a Server Computer for Shipping and Installation from Media........................................425 Determining the volume for installation media...........................................................................426 Enabling Remote Desktop........................................................................................................427 Including application directory partitions...................................................................................427 See Also...................................................................................................................................428 Enable Remote Desktop..............................................................................................................428
Create a Remote Desktop Connection.........................................................................................429 See Also...................................................................................................................................430 Install an Additional Domain Controller by Using Installation Media..............................................430 See Also...................................................................................................................................431 Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection..................431 See Also...................................................................................................................................433 Determine the Tombstone Lifetime for the Forest.........................................................................433 Enable Strict Replication Consistency..........................................................................................434 Synchronize Replication with All Partners....................................................................................435 See Also...................................................................................................................................436 Reconnecting a Domain Controller After a Long-Term Disconnection...........................................436 Reconnecting an outdated domain controller............................................................................437 Updating SYSVOL....................................................................................................................437 See Also...................................................................................................................................438 Determine the Tombstone Lifetime for the Forest.........................................................................439 Move a Server Object to a New Site............................................................................................439 See Also...................................................................................................................................440 Determine When Intersite Replication Is Scheduled to Begin.......................................................440 Use Repadmin to Remove Lingering Objects...............................................................................441 Verify Successful Replication to a Domain Controller...................................................................443 Renaming a Domain Controller....................................................................................................447 Rename a Domain Controller Using System Properties...............................................................448 See Also...................................................................................................................................448 Rename a Domain Controller Using Netdom...............................................................................448 See Also...................................................................................................................................450 Update the FRS or DFS Replication Member Object....................................................................451 Decommissioning a Domain Controller........................................................................................452 Removing a domain or a forest.................................................................................................452 Protecting EFS-encrypted files.................................................................................................452 See Also...................................................................................................................................455 Verify DNS Registration and TCP/IP Connectivity........................................................................455 View the Current Operations Master Role Holders.......................................................................455
Transfer the Schema Master........................................................................................................456 Transfer the Domain Naming Master...........................................................................................457 Transfer the Domain-Level Operations Master Roles...................................................................458 Determine Whether a Domain Controller Is a Global Catalog Server...........................................460 Verify the Availability of the Operations Masters...........................................................................460 Back Up a Certificate With Its Private Key....................................................................................461 Removing a Windows Server 2008 Domain Controller from a Domain.........................................463 Removing a Windows Server 2008 domain controller by using the Windows interface.............463 Removing a Windows Server 2008 domain controller by using an answer file..........................464 Removing a Windows Server 2008 domain controller by entering unattended installation parameters at the command line...........................................................................................465 Import a Certificate......................................................................................................................465 Determine Whether a Server Object Has Child Objects...............................................................466 Delete a Server Object from a Site...............................................................................................467 See Also...................................................................................................................................468 Add the Certificates Snap-in to an MMC......................................................................................468 Adding the Certificates Snap-in to an MMC..............................................................................468 Forcing the Removal of a Domain Controller................................................................................470 Identify Replication Partners........................................................................................................471 Force Domain Controller Removal...............................................................................................472 See Also...................................................................................................................................473 Clean Up Server Metadata...........................................................................................................473 See Also...................................................................................................................................476 Administering Active Directory Domain Rename..........................................................................476 In this guide..............................................................................................................................476 Introduction to Administering Active Directory Domain Rename...................................................476 Domain rename requirements..................................................................................................477 Managing Active Directory Domain Rename................................................................................478 Preparing for the Domain Rename Operation..............................................................................478 Adjust Forest Functional Level.....................................................................................................479 Setting forest functional level to Windows Server 2003 or Windows Server 2008.....................479
Create Necessary Shortcut Trust Relationships...........................................................................480 Types of trust relationships.......................................................................................................480 Precreating parent-child trust relationships for a restructured forest..........................................481 Precreating a parent-child trust relationship...........................................................................481 Pre-creating multiple parent-child trust relationships.............................................................481 Precreating a tree-root trust relationship with the forest root domain.....................................483 Creating shortcut trust relationships......................................................................................483 Prepare DNS Zones....................................................................................................................484 Redirect Special Folders to a Standalone DFSN..........................................................................485 Relocate Roaming User Profiles to a Standalone DFSN..............................................................485 Configure Member Computers for Host Name Changes..............................................................486 Conditions for automatic computer name change.....................................................................486 Replication effects of renaming large numbers of computers....................................................487 Using Group Policy to apply the new primary DNS suffix..........................................................488 Apply the new primary DNS suffix before renaming domains.................................................488 Apply Group Policy in stages to avoid significant replication..................................................488 Configuration required before the application of Group Policy...............................................489 Configuring member computers for host name changes in large deployments..........................490 Determine the primary DNS Suffix configuration....................................................................491 Determine whether Group Policy controls the primary DNS suffix..........................................491 Configure the domain to allow a primary DNS suffix that does not match the domain name. .492 Apply Group Policy to set the primary DNS suffix..................................................................493 Prepare Certification Authorities...................................................................................................494 Exchange-Specific Steps: Prepare a Domain that Contains Exchange.........................................495 Performing the Domain Rename Operation.................................................................................496 Set Up the Control Station...........................................................................................................497 Freeze the Forest Configuration...................................................................................................498 Back Up All Domain Controllers...................................................................................................499 Generate the Current Forest Description.....................................................................................499 Specify the New Forest Description.............................................................................................501 Renaming application directory partitions.................................................................................504 DNS data.................................................................................................................................505 TAPI data.................................................................................................................................506 Specifying the source domain controllers..................................................................................506 Reviewing the new forest description........................................................................................506
Generate Domain Rename Instructions.......................................................................................507 Push Domain Rename Instructions to All Domain Controllers and Verify DNS Readiness............510 Pushing domain rename instructions to all domain controllers..................................................510 Verifying DNS readiness...........................................................................................................512 Verify Readiness of Domain Controllers.......................................................................................514 Run Domain Rename Instructions...............................................................................................516 Exchange-Specific Steps: Update the Exchange Configuration and Restart Exchange Servers...519 Unfreeze the Forest Configuration...............................................................................................519 Re-establish External Trusts........................................................................................................520 Fix Group Policy Objects and Links.............................................................................................521 Completing the Domain Rename Operation.................................................................................524 Verify Certificate Security.............................................................................................................524 Preparing URLs for CRL distribution point and Authority Information Access (AIA) extensions after a domain rename..................................................................................................................524 Verifying the use of UPNs.........................................................................................................525 Enabling certificate enrollment in a renamed domain................................................................526 Verifying the validity of CRL distribution point and AIA extensions.............................................528 Renewing subordinate and issuing CA certificates....................................................................529 Publish new CRLs....................................................................................................................529 Updating domain controller certificates.....................................................................................529 Changing the user identity for the NDES add-on......................................................................530 Perform Miscellaneous Tasks.......................................................................................................530 Back Up Domain Controllers........................................................................................................532 Restart Member Computers.........................................................................................................533 Exchange-Specific Steps: Verify the Exchange Rename and Update Active Directory Connector 534 Perform Attribute Cleanup............................................................................................................534 Rename Domain Controllers........................................................................................................535 Additional Resources for the Domain Rename Operation............................................................536 Appendix A: Command-Line Syntax for the Rendom Tool............................................................536 Appendix B: Command-Line Syntax for the Gpfixup Tool.............................................................541 Appendix C: Checklists for the Domain Rename Operation.........................................................543 Satisfying domain rename requirements...................................................................................544
Preparing for the domain rename operation..............................................................................546 Performing the domain rename operation.................................................................................548 Completing the domain rename operation................................................................................549 Appendix D: Worksheets for the Domain Rename Operation.......................................................550 Worksheet 1: Domain Name Change Information.....................................................................550 Worksheet 2: Trust Information.................................................................................................550 Worksheet 3: DNS Zone Information........................................................................................551 Worksheet 4: DFSN, Folder Redirection, and Roaming Profiles................................................551 Worksheet 5: Domain Controller Information............................................................................552 Worksheet 6: Domain Rename Execution Readiness...............................................................552 Worksheet 7: Certification Authority (CA) Information...............................................................553 Additional Resources...................................................................................................................553 Active Directory Domain Services Operations Guide - cover........................................................554 Section Heading.......................................................................................................................554 Subsection Heading..............................................................................................................554
Acknowledgments Produced by: Microsoft Windows Server Directory and Access Services (DAS) IT Pro Content Team Writers: Mary Hillman, Gayana Bagdasaryan Editor: Jim Becker Technical reviewers: Umit Akkus, David Beach, Arren Conner, Gregoire Guetat, Xin He, Kurt Hudson, Jessie Li, Herbert Mauerer, Joe Patterson, Ned Pyle, Wakkas Rafiq, Ryan Sizemore, Ingolfur Arnar Strangeland, Mahesh Unnikrishnan
Administering the Windows Time Service Administering DFS-Replicated SYSVOL Administering the Global Catalog Administering Operations Master Roles Administering Active Directory Backup and Recovery Administering Intersite Replication Administering the Active Directory Database Administering Domain Controllers Administering Active Directory Domain Rename Additional Resources
access the command line. If operators are not familiar with AD DS, it might be necessary for IT planners, managers, or administrators to review the relevant operations in this guide and provide the operators with the parameters or data that they must enter when they perform the operations.
26
You can use the Nltest.exe tool to display and record a list of these trusts. For more information, see Nltest Overview (http://go.microsoft.com/fwlink/?LinkID=93567). Back up domain controllers. Perform regular backups of domain controllers to preserve all trust relationships within a particular domain.
28
Forest-wide authentication: An authentication setting that permits unrestricted access by any users in the specified forest to all available shared resources that are located in any of the domains in the local forest. This is the default authentication setting for forest trusts. Selective authentication: An authentication setting that restricts access over an external trust or forest trust to only those users in a specified domain or specified forest who have been explicitly given authentication permissions to computer objects (resource computers) that reside in the local domain or the local forest. This authentication setting must be enabled manually. Trust password: An option in which both domains in a trust relationship share a password, which is stored in the trusted domain object (TDO) object in Active Directory Domain Services (AD DS). When you choose this option, a strong trust password is generated automatically for you. You must use the same password when you create a trust relationship in the specified domain. If you choose to create both sides of the trust simultaneously, you run the New Trust Wizard once.
To resolve this issue, do one of the following before you try to create the trust, as appropriate to your situation: Rename the conflicting identifier. Use a fully qualified domain name (FQDN) if there is a NetBIOS conflict.
The option to create a forest trust may not appear in the New Trust Wizard. This issue typically occurs when one or both of the Windows Server 2008 forests are not set to the Windows Server 2003 forest functional level or higher. For more information about forest functional levels, see Active Directory Functional Levels Technical Reference (http://go.microsoft.com/fwlink/?LinkId=111466). You cannot create a trust relationship with a Microsoft Windows Small Business Server 2003 (Windows SBS) domain. For information about Windows SBS software, see Introduction to Windows Small Business Server 2003 for Enterprise IT Pros (http://go.microsoft.com/fwlink/?LinkId=121891).
31
If there is no shared root DNS server and the root DNS servers for each forest DNS namespace are running Windows Server 2003, configure DNS conditional forwarders in each DNS namespace to route queries for names in the other namespace. If there is no shared root DNS server and the root DNS servers for each forest DNS namespace are not running Windows Server 2008 or Windows Server 2003 , configure DNS secondary zones in each DNS namespace to route queries for names in the other namespace. For more information about configuring DNS to work with AD DS, see DNS Support for Active Directory Technical Reference (http://go.microsoft.com/fwlink/?LinkID=106660). For more information about external trusts, see How Domain and Forest Trusts Work (http://go.microsoft.com/fwlink/?LinkId=111481). Note Trusts that are created between Windows NT 4.0 domains and AD DS domains are one way and nontransitive, and they require NetBIOS name resolution. Task requirements You can use either of the following tools to perform the procedures for this task: Active Directory Domains and Trusts Netdom.exe
For more information about how to use the Netdom command-line tool to create an external trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537). Note If you have the appropriate administrative credentials for each domain, you can create both sides of an external trust at the same time. To create both sides of the trust simultaneously, follow the appropriate procedure below that contains the words both sides of the trust in the procedure title. For example, the procedure Create a one-way, incoming, external trust for both sides of the trust provides the steps to follow when you have the administrative credentials for both domains and you want to use the New Trust Wizard to create an incoming, external trust in one operation. For more information about how the both sides of the trust option works, see "Sides of Trust" in Appendix: New Trust Wizard Pages. To complete the task of creating an external trust, you can perform any of the following procedures, depending on the requirements of your organization and the administrative credentials that you have when you create the trust: Create a One-Way, Incoming, External Trust for One Side of the Trust Create a One-Way, Incoming, External Trust for Both Sides of the Trust Create a One-Way, Outgoing, External Trust for One Side of the Trust Create a One-Way, Outgoing, External Trust for Both Sides of the Trust Create a Two-Way, External Trust for One Side of the Trust Create a Two-Way, External Trust for Both Sides of the Trust
32
Create a One-Way, Incoming, External Trust for One Side of the Trust
You can use this procedure to create one side of a one-way, incoming, external trust. Although one side of a trust will be created successfully, the new trust will not function until the administrator for the reciprocal domain uses his or her credentials to create the outgoing side of the trust. If you have administrative credentials for both domains that are involved in the trust, you can use the procedure Create a One-Way, Incoming, External Trust for Both Sides of the Trust to create both sides of the trust in one simultaneous operation. A one-way, incoming, external trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to access resources in another Active Directory domain (outside your forest) or in a Windows NT 4.0 domain. For example, if you are the administrator of sales.wingtiptoys.com and users in that domain need to access resources in the marketing.tailspintoys.com domain (which is located in another forest), you can use this procedure (in conjunction with another procedure, which is executed by the administrator in the other forest) to establish one side of the relationship so that users in your domain can access resources in the marketing.tailspintoys.com domain. You can create this external trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create an external trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537). Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/? LinkId=83477. To create a one-way, incoming, external trust for one side of the trust 1. Open Active Directory Domains and Trusts. 2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties. 3. On the Trusts tab, click New Trust, and then click Next. 4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next. 5. On the Trust Type page, click External trust, and then click Next. 6. On the Direction of Trust page, click One-way: incoming, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages. 7. On the Sides of Trust page, click This domain only, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages. 33
8. On the Trust Password page, type the trust password twice, and then click Next. With the administrator of the other domain, agree on a secure channel password to be used in establishing the trust. 9. On the Trust Selections Complete page, review the results, and then click Next. 10. On the Trust Creation Complete page, review the results, and then click Next. 11. On the Confirm Incoming Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the incoming trust. If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain. 12. On the Completing the New Trust Wizard page, click Finish. Note For this trust to function, the domain administrator for the specified domain or specified forest must follow the procedure Create a One-Way, Outgoing, External Trust for One Side of the Trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.
Create a One-Way, Incoming, External Trust for Both Sides of the Trust
You can use this procedure to create both sides of a one-way, incoming, external trust. You must have administrative credentials for your domain as well for the reciprocal domain. If you have administrative credentials only for your domain, you can use the procedure Create a One-Way, Incoming, External Trust for One Side of the Trust to create your side of the trust. Then, have the administrator for the reciprocal domain create a one-way, outgoing, external trust from his or her domain. A one-way, incoming, external trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to access resources in another Active Directory domain (outside your forest) or in a Windows NT 4.0 domain. For example, if you are the administrator of sales.wingtiptoys.com and users in that domain need to access resources in the marketing.tailspintoys.com domain (which is located in another forest) you can use this procedure to establish a relationship so that users in your domain can access resources in the marketing.tailspintoys.com domain. You can create this external trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create an external trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537). Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about 34
using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/? LinkId=83477. To create a one-way, incoming, external trust for both sides of the trust 1. Open Active Directory Domains and Trusts. 2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties. 3. On the Trusts tab, click New Trust, and then click Next. 4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next. 5. On the Trust Type page, click External trust, and then click Next. 6. On the Direction of Trust page, click One-way: incoming, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages. 7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages. 8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain. 9. On the Outgoing Trust Authentication Level--Specified Domain page, do one of the following, and then click Next: Click Domain-wide authentication. Click Selective authentication.
10. On the Trust Selections Complete page, review the results, and then click Next. 11. On the Trust Creation Complete page, review the results, and then click Next. 12. On the Confirm Incoming Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the incoming trust. If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain. 13. On the Completing the New Trust Wizard page, click Finish.
35
Create a One-Way, Outgoing, External Trust for One Side of the Trust
You can use this procedure to create one side of a one-way, outgoing, external trust. Although one side of a trust will be created successfully, the new trust will not function until the administrator for the reciprocal domain uses his or her credentials to create the incoming side of the trust. If you have administrative credentials for both domains that are involved in the trust, you can use the procedure Create a One-Way, Outgoing, External Trust for Both Sides of the Trust to create both sides of the trust in one simultaneous operation. A one-way, outgoing, external trust will allow resources in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to be accessed by users in a different Active Directory domain (outside your forest) or in a Windows NT 4.0 domain. For example, if you are the administrator of sales.wingtiptoys.com and you have resources in that domain that need to be accessed by users in the marketing.tailspintoys.com domain (which is located in another forest), you can use this procedure to establish one side of the relationship so that users in the marketing.tailspintoys.com domain can access the resources in sales.wingtiptoys.com. You can create this external trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create an external trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537). Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/? LinkId=83477. To create a one-way, outgoing, external trust for one side of the trust 1. Open Active Directory Domains and Trusts. 2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties. 3. On the Trusts tab, click New Trust, and then click Next. 4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next. 5. On the Trust Type page, click External trust, and then click Next. 6. On the Direction of Trust page, click One-way: outgoing, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages. 7. On the Sides of Trust page, click This domain only, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages. 8. On the Outgoing Trust Authentication Level page, do one of the following, and then 36
9. On the Trust Password page, type the trust password twice, and then click Next. 10. On the Trust Selections Complete page, review the results, and then click Next. 11. On the Trust Creation Complete page, review the results, and then click Next. 12. On the Confirm Outgoing Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users. If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain. 13. On the Completing the New Trust Wizard page, click Finish. Note For this trust to function, the domain administrator for the specified domain or specified forest must follow the procedure Create a One-Way, Incoming, External Trust for One Side of the Trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.
Create a One-Way, Outgoing, External Trust for Both Sides of the Trust
You can use this procedure to create both sides of a one-way, outgoing, external trust. You must have administrative credentials for your domain as well as for the reciprocal domain. If you have administrative credentials only for your domain, you can use the procedure Create a One-Way, Outgoing, External Trust for One Side of the Trust to create your side of the trust. Then, have the administrator for the reciprocal domain create a one-way, incoming, external trust from his or her domain. A one-way, outgoing, external trust allows resources in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to be accessed by users in a different Active Directory domain (outside your forest) or in a Windows NT 4.0 domain. For example, if you are the administrator of sales.wingtiptoys.com and you have resources in that domain that need to be accessed by users in the marketing.tailspintoys.com domain (which is located in another forest), you can use this procedure to establish one side of the relationship so that users in the marketing.tailspintoys.com domain can access the resources in sales.wingtiptoys.com. You can create this external trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create an external trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537). 37
Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/? LinkId=83477. To create a one-way, outgoing, external trust for both sides of the trust 1. Open Active Directory Domains and Trusts. 2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties. 3. On the Trusts tab, click New Trust, and then click Next. 4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next. 5. On the Trust Type page, click External trust, and then click Next. 6. On the Direction of Trust page, click One-way: outgoing, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages. 7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages. 8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain. 9. On the Outgoing Trust Authentication Level--Local Domain page, do one of the following, and then click Next: Click Domain-wide authentication. Click Selective authentication.
10. On the Trust Selections Complete page, review the results, and then click Next. 11. On the Trust Creation Complete page, review the results, and then click Next. 12. On the Confirm Outgoing Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users. If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain. 13. On the Completing the New Trust Wizard page, click Finish.
38
9. On the Trust Password page, type the trust password twice, and then click Next. 10. On the Trust Selections Complete page, review the results, and then click Next. 11. On the Trust Creation Complete page, review the results, and then click Next. 12. On the Confirm Outgoing Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users. If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain. 13. On the Confirm Incoming Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the incoming trust. If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain. 14. On the Completing the New Trust Wizard page, click Finish. Note For this trust to function, the domain administrator for the specified domain or specified forest must follow this same procedure, using his or her administrative credentials and the exact same trust password that was used during this procedure.
To create a two-way, external trust for both sides of the trust 1. Open Active Directory Domains and Trusts. 2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties. 3. On the Trusts tab, click New Trust, and then click Next. 4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next. 5. On the Trust Type page, click External trust, and then click Next. 6. On the Direction of Trust page, click Two-way, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages. 7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages. 8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain. 9. On the Outgoing Trust Authentication Level--Local Domain page, do one of the following, and then click Next: Click Domain-wide authentication. Click Selective authentication.
10. On the Outgoing Trust Authentication Level--Specified Domain page, do one of the following, and then click Next: Click Domain-wide authentication. Click Selective authentication.
11. On the Trust Selections Complete page, review the results, and then click Next. 12. On the Trust Creation Complete page, review the results, and then click Next. 13. On the Confirm Outgoing Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users. If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain. 14. On the Confirm Incoming Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the incoming trust. If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain. 41
15. On the Completing the New Trust Wizard page, click Finish.
For more information about how to use the Netdom command-line tool to create a shortcut trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537). Note If you have the appropriate administrative credentials for each domain, you can create both sides of a shortcut trust at the same time. To create both sides of the trust, follow the appropriate procedure below that contains the words for both sides of the trust in the title. For example, the procedure Create a one-way, incoming, shortcut trust for both sides of the trust explains how to configure both sides of a shortcut trust. For more information about how the both sides of the trust option works, see the section "Sides of Trust" in Appendix: New Trust Wizard Pages. To complete the task of creating a shortcut trust, perform any of the following procedures, depending on the requirements of your organization and the administrative credentials that you have when you create the trust: Create a One-Way, Incoming, Shortcut Trust for One Side of the Trust Create a One-Way, Incoming, Shortcut Trust for Both Sides of the Trust Create a One-Way, Outgoing, Shortcut Trust for One Side of the Trust Create a One-Way, Outgoing, Shortcut Trust for Both Sides of the Trust Create a Two-Way, Shortcut Trust for One Side of the Trust Create a Two-Way, Shortcut Trust for Both Sides of the Trust
42
Create a One-Way, Incoming, Shortcut Trust for One Side of the Trust
You can use this procedure to create one side of a one-way, incoming, shortcut trust. Although one side of a trust will be created successfully, the new trust will not function until the administrator for the reciprocal domain uses his or her credentials to create the outgoing side of the trust. If you have administrative credentials for both domains that are involved in the trust, you can use the procedure Create a One-Way, Incoming, Shortcut Trust for Both Sides of the Trust to create both sides in one simultaneous operation. A one-way, incoming, shortcut trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to more quickly access resources in another domain (which is nested within another domain tree) in your forest. For example, if you are the administrator of sales.wingtiptoys.com and users in that domain need to access resources in the marketing.tailspintoys.com domain (which is a child domain of the tailspintoys.com tree root domain), you can use this procedure to establish one side of the relationship so that users in your domain can more quickly access resources in the marketing.tailspintoys.com domain. You can create this shortcut trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a shortcut trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537). Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/? LinkId=83477. To create a one-way, incoming, shortcut trust for one side of the trust 1. Open Active Directory Domains and Trusts. 2. In the console tree, right-click the domain node for the domain for which you want to establish a trust, and then click Properties. 3. On the Trusts tab, click New Trust, and then click Next. 4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next. 5. On the Trust Type page, click External trust, and then click Next. 6. On the Direction of Trust page, click One-way: incoming, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages. 7. On the Sides of Trust page, click This domain only, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages. 8. On the Trust Password page, type the trust password twice, and then click Next. 43
9. On the Trust Selections Complete page, review the results, and then click Next. 10. On the Trust Creation Complete page, review the results, and then click Next. 11. On the Confirm Incoming Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the incoming trust. If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain. 12. On the Completing the New Trust Wizard page, click Finish. Note For this trust to function, the domain administrator for the specified domain or specified forest must follow the procedure Create a One-Way, Outgoing, Shortcut Trust for One Side of the Trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.
Create a One-Way, Incoming, Shortcut Trust for Both Sides of the Trust
You can use this procedure to create both sides of a one-way, incoming, shortcut trust. You must have administrative credentials for your domain as well for the reciprocal domain. If you have administrative credentials only for your domain, you can use the procedure Create a One-Way, Incoming, Shortcut Trust for One Side of the Trust to create your side of the trust. Then, have the administrator for the reciprocal domain create a one-way, outgoing, shortcut trust from his or her domain. A one-way, incoming, shortcut trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to more quickly access resources in another domain (which is nested within another domain tree) in your forest. For example, if you are the administrator of sales.wingtiptoys.com and users in that domain need to access resources in the marketing.tailspintoys.com domain (which is a child domain of the tailspintoys.com tree root domain), you can use this procedure to establish one side of the relationship so that users in your domain can more quickly access resources in the marketing.tailspintoys.com domain. You can create this shortcut trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a shortcut trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537). Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/? LinkId=83477.
44
To create a one-way, incoming, shortcut trust for both sides of the trust 1. Open Active Directory Domains and Trusts. 2. In the console tree, right-click the domain node for the domain for which you want to establish a trust, and then click Properties. 3. On the Trusts tab, click New Trust, and then click Next. 4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next. 5. On the Trust Type page, click External trust, and then click Next. 6. On the Direction of Trust page, click One-way: incoming, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages. 7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages. 8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain. 9. On the Trust Selections Complete page, review the results, and then click Next. 10. On the Trust Creation Complete page, review the results, and then click Next. 11. On the Confirm Incoming Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the incoming trust. If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain. 12. On the Completing the New Trust Wizard page, click Finish.
Create a One-Way, Outgoing, Shortcut Trust for One Side of the Trust
You can use this procedure to create one side of a one-way, outgoing, shortcut trust. Although one side of a trust will be created successfully, the new trust will not function until the administrator for the reciprocal domain uses his or her credentials to create the incoming side of the trust. If you have administrative credentials for both domains that are involved in the trust, you can use the procedure Create a One-Way, Outgoing, Shortcut Trust for Both Sides of the Trust to create both sides of the trust in one simultaneous operation. A one-way, outgoing, shortcut trust allows resources in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to be accessed more quickly by users 45
in another domain (which is nested within another domain tree) in your forest. For example, if you are the administrator of marketing.tailspintoys.com and resources in that domain need to be accessed by users in the sales.wingtiptoys.com domain (which is a child domain of the wingtiptoys.com tree root domain), you can use this procedure to establish one side of the relationship so that users in the sales.wingtiptoys.com domain can more quickly access resources in the marketing.tailspintoys.com domain. You can create this shortcut trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a shortcut trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537). Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/? LinkId=83477. To create a one-way, outgoing, shortcut trust for one side of the trust 1. Open Active Directory Domains and Trusts. 2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties. 3. On the Trusts tab, click New Trust, and then click Next. 4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next. 5. On the Trust Type page, click External trust, and then click Next. 6. On the Direction of Trust page, click One-way: outgoing, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages. 7. On the Sides of Trust page, click This domain only, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages. 8. On the Trust Password page, type the trust password twice, and then click Next. 9. On the Trust Selections Complete page, review the results, and then click Next. 10. On the Trust Creation Complete page, review the results, and then click Next. 11. On the Confirm Outgoing Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users. If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain. 12. On the Completing the New Trust Wizard page, click Finish.
46
Note For this trust to function, the domain administrator for the specified domain or specified forest must follow the procedure Create a One-Way, Incoming, Shortcut Trust for One Side of the Trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.
Create a One-Way, Outgoing, Shortcut Trust for Both Sides of the Trust
You can this procedure to create both sides of a one-way, outgoing, shortcut trust. You must administrative credentials for your domain as well as for the reciprocal domain. If you have administrative credentials only for your domain, you can use the procedure Create a One-Way, Outgoing, Shortcut Trust for One Side of the Trust to create your side of the trust. Then, have the administrator for the reciprocal domain create a one-way, incoming, shortcut trust from his or her domain. A one-way, outgoing, shortcut trust allows resources in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to be accessed more quickly by users in another domain (which is nested within another domain tree) in your forest. For example, if you are the administrator of marketing.tailspintoys.com and resources in that domain need to be accessed by users in the sales.wingtiptoys.com domain (which is a child domain of the wingtiptoys.com tree root domain), you can use this procedure to establish one side of the relationship so that users in the sales.wingtiptoys.com domain can more quickly access resources in the marketing.tailspintoys.com domain. You can create this shortcut trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a shortcut trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537). Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/? LinkId=83477. To create a one-way, outgoing, shortcut trust for both sides of the trust 1. Open Active Directory Domains and Trusts. 2. In the console tree, right-click the domain node for the domain for which you want to establish a trust, and then click Properties. 3. On the Trusts tab, click New Trust, and then click Next. 4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next. 5. On the Trust Type page, click External trust, and then click Next. 47
6. On the Direction of Trust page, click One-way: outgoing, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages. 7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages. 8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain. 9. On the Trust Selections Complete page, review the results, and then click Next. 10. On the Trust Creation Complete page, review the results, and then click Next. 11. On the Confirm Outgoing Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users. If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain. 12. On the Completing the New Trust Wizard page, click Finish.
using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/? LinkId=83477. To create a two-way, shortcut trust for one side of the trust 1. Open Active Directory Domains and Trusts. 2. In the console tree, right-click the domain node for the domain for which you want to establish a trust, and then click Properties. 3. On the Trusts tab, click New Trust, and then click Next. 4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next. 5. On the Trust Type page, click External trust, and then click Next. 6. On the Direction of Trust page, click Two-way, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages. 7. On the Sides of Trust page, click This domain only, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages. 8. On the Trust Password page, type the trust password twice, and then click Next. 9. On the Trust Selections Complete page, review the results, and then click Next. 10. On the Trust Creation Complete page, review the results, and then click Next. 11. On the Confirm Outgoing Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users. If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain. 12. On the Confirm Incoming Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the incoming trust. If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain. 13. On the Completing the New Trust Wizard page, click Finish. Note For this trust to function, the domain administrator for the specified domain must follow this same procedure using his or her administrative credentials and the exact same trust password that was used during this procedure.
49
11. On the Confirm Outgoing Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users. If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain. 12. On the Confirm Incoming Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the incoming trust. If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain. 13. On the Completing the New Trust Wizard page, click Finish.
51
If there is no shared root DNS server and the root DNS servers for each forest DNS namespace are not running Windows Server 2008 or Windows Server 2003, configure DNS secondary zones in each DNS namespace to route queries for names in the other namespace. For more information about configuring DNS to work with Active Directory Domain Services (AD DS), see the DNS Support for Active Directory Technical Reference (http://go.microsoft.com/fwlink/?LinkID=106660). You can use either of the following tools to perform the procedures for this task: Active Directory Domains and Trusts Netdom.exe
For more information about using the Netdom command-line tool to create a forest trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537). Note If you have the appropriate administrative credentials for each forest, you can create both sides of a forest trust at the same time. To create both sides of the forest trust, follow the appropriate procedure below that contains the words for both sides of the trust in the title. For example, the procedure Create a one-way, incoming, forest trust for both sides of the trust explains how to configure both sides of the trust. For more information about how the both sides of the trust option works, see "Sides of Trust" in Appendix: New Trust Wizard Pages. To create a forest trust, perform any one of the following procedures, depending on the requirements of your organization and the administrative credentials that you have when you create the trust: Create a One-Way, Incoming, Forest Trust for One Side of the Trust Create a One-Way, Incoming, Forest Trust for Both Sides of the Trust Create a One-Way, Outgoing, Forest Trust for One Side of the Trust Create a One-Way, Outgoing, Forest Trust for Both Sides of the Trust Create a Two-Way, Forest Trust for One Side of the Trust Create a Two-Way, Forest Trust for Both Sides of the Trust
Create a One-Way, Incoming, Forest Trust for One Side of the Trust
You can use this procedure to create one side of a one-way, incoming, forest trust. Although one side of a trust will be created successfully, the new trust will not function until the administrator for the reciprocal forest uses his or her credentials to create the outgoing side of the trust. If you have administrative credentials for both forests that are involved in the trust, you can use the procedure Create a One-Way, Incoming, Forest Trust for Both Sides of the Trust to create both sides of the trust in one simultaneous operation.
52
A one-way, incoming, forest trust allows users in your Windows Server 2008 forest or Windows Server 2003 forest (the forest that you are logged on to at the time that you run the New Trust Wizard) to access resources in another Windows Server 2008 forest or Windows Server 2003 forest. For example, if you are the administrator of the wingtiptoys.com forest and users in that forest need to access resources in the tailspintoys.com forest, you can use this procedure to establish one side of the relationship so that users in your forest can access resources in any of the domains that make up the tailspintoys.com forest. You can create this forest trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about how to use the Netdom command-line tool to create a forest trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537). Membership in Domain Admins in the forest root domain or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. If you are a member of the Incoming Forest Trust Builders group, you can create one-way, incoming, forest trusts to your forest. For more information about the Incoming Forest Trust Builders group, see How Domain and Forest Trusts Work (http://go.microsoft.com/fwlink/?LinkID=111481). To create a one-way, incoming, forest trust for one side of the trust 1. Open Active Directory Domains and Trusts. 2. In the console tree, right-click the domain node for the forest root domain of the forest for which you want to establish an incoming forest trust, and then click Properties. 3. On the Trusts tab, click New Trust, and then click Next. 4. On the Trust Name page, type the Domain Name System (DNS) name of the forest root domain of the other forest, and then click Next. 5. On the Trust Type page, click Forest trust, and then click Next. 6. On the Direction of Trust page, click One-way: incoming, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages. 7. On the Sides of Trust page, click This domain only, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages. 8. On the Trust Password page, type the trust password twice, and then click Next. 9. On the Trust Selections Complete page, review the results, and then click Next. 10. On the Trust Creation Complete page, review the results, and then click Next. 11. On the Confirm Incoming Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the incoming trust. If you want to confirm this trust, click Yes, confirm the incoming trust, and then 53
supply the appropriate administrative credentials from the specified domain. 12. On the Completing the New Trust Wizard page, click Finish. Note For this trust to function, the domain administrator for the specified domain (the forest root domain in the specified forest) must complete the procedure Create a One-Way, Outgoing, Forest Trust for One Side of the Trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.
Create a One-Way, Incoming, Forest Trust for Both Sides of the Trust
You can use this procedure to create both sides of a one-way, incoming, forest trust. You must have administrative credentials for your forest as well as for the reciprocal forest. If you have administrative credentials only for your forest, you can use the procedure Create a One-Way, Incoming, Forest Trust for One Side of the Trust to create your side of the trust. Then, have the administrator for the reciprocal forest create a one-way, outgoing forest trust from his or her domain. A one-way, incoming, forest trust allows users in your Windows Server 2008 forest or Windows Server 2003 forest (the forest that you are logged on to at the time that you run the New Trust Wizard) to access resources in another Windows Server 2008 forest or Windows Server 2003 forest. For example, if you are the administrator of the wingtiptoys.com forest and users in that forest need to access resources in the tailspintoys.com forest, you can use this procedure to establish one side of the relationship so that users in your forest can access resources in any of the domains that make up the tailspintoys.com forest. You can create this forest trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a forest trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537). Membership in Domain Admins in the forest root domain or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. If you are a member of the Incoming Forest Trust Builders group, you can create one-way, incoming, forest trusts to your forest. For more information about the Incoming Forest Trust Builders group, see How Domain and Forest Trusts Work (http://go.microsoft.com/fwlink/?LinkID=111481). To create a one-way, incoming, forest trust for both sides of the trust 1. Open Active Directory Domains and Trusts. 2. In the console tree, right-click the forest root domain of the forest for which you want to establish an incoming forest trust, and then click Properties. 54
3. On the Trusts tab, click New Trust, and then click Next. 4. On the Trust Name page, type the Domain Name System (DNS) name of the forest root domain of the other forest, and then click Next. 5. On the Trust Type page, click Forest trust, and then click Next. 6. On the Direction of Trust page, click One-way: incoming, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages. 7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages. 8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain. 9. On the Outgoing Trust Authentication Level--Specified Forest page, do one of the following, and then click Next: Click Forest-wide authentication. Click Selective authentication.
10. On the Trust Selections Complete page, review the results, and then click Next. 11. On the Trust Creation Complete page, review the results, and then click Next. 12. On the Confirm Incoming Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the incoming trust. If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain. 13. On the Completing the New Trust Wizard page, click Finish.
Create a One-Way, Outgoing, Forest Trust for One Side of the Trust
You can use this procedure to create one side of a one-way, outgoing, forest trust. Although one side of a trust will be created successfully, the new trust will not function until the administrator for the reciprocal forest uses his or her credentials to create the incoming side of the trust. If you have administrative credentials for both forests that are involved in the trust, you can use the procedure Create a One-Way, Outgoing, Forest Trust for Both Sides of the Trust to create both sides of the trust in one simultaneous operation. A one-way, outgoing, forest trust allows resources in your Windows Server 2008 forest or Windows Server 2003 forest (the forest that you are logged on to at the time that you run the New 55
Trust Wizard) to be accessed by users in another Windows Server 2008 forest or Windows Server 2003 forest. For example, if you are the administrator of the wingtiptoys.com forest and resources in that forest need to be accessed by users in the tailspintoys.com forest, you can use this procedure to establish one side of the relationship so that users in the tailspintoys.com forest can access resources in any of the domains that make up the wingtiptoys.com forest. You can create this forest trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a forest trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537). Membership in Domain Admins in the forest root domain or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. If you are a member of the Incoming Forest Trust Builders group, you can create one-way, incoming, forest trusts to your forest. For more information about the Incoming Forest Trust Builders group, see How Domain and Forest Trusts Work (http://go.microsoft.com/fwlink/?LinkID=111481). To create a one-way, outgoing, forest trust for one side of the trust 1. Open Active Directory Domains and Trusts. 2. In the console tree, right-click the domain node for the forest root domain for which you want to establish an outgoing forest trust, and then click Properties. 3. On the Trusts tab, click New Trust, and then click Next. 4. On the Trust Name page, type the Domain Name System (DNS) name of the forest root domain of the other forest, and then click Next. 5. On the Trust Type page, click Forest trust, and then click Next. 6. On the Direction of Trust page, click One-way: outgoing, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages. 7. On the Sides of Trust page, click This domain only, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages. 8. On the Outgoing Trust Authentication Level page, do one of the following, and then click Next: Click Forest-wide authentication. Click Selective authentication.
9. On the Trust Password page, type the trust password twice, and then click Next. 10. On the Trust Selections Complete page, review the results, and then click Next. 11. On the Trust Creation Complete page, review the results, and then click Next. 12. On the Confirm Outgoing Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the outgoing 56
trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time the trust is used by users. If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain. 13. On the Completing the New Trust Wizard page, click Finish. Note For this trust to function, the domain administrator for the specified domain (the forest root domain in the specified forest) must follow the procedure Create a One-Way, Incoming, Forest Trust for One Side of the Trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.
Create a One-Way, Outgoing, Forest Trust for Both Sides of the Trust
You can use this procedure to create both sides of a one-way, outgoing, forest trust. You must have administrative credentials for your forest as well as for the reciprocal forest. If you have administrative credentials only for your forest root domain, you can use the procedure Create a One-Way, Outgoing, Forest Trust for One Side of the Trust to create your side of the trust. Then, have the administrator for the reciprocal forest create a one-way, incoming, external trust from his or her forest. A one-way, outgoing, forest trust allows resources in your Windows Server 2008 forest or Windows Server 2003 forest (the forest that you are logged on to at the time that you run the New Trust Wizard) to be accessed by users in another Windows Server 2008 forest or Windows Server 2003 forest. For example, if you are the administrator of the wingtiptoys.com forest and resources in that forest need to be accessed by users in the tailspintoys.com forest, you can use this procedure to establish one side of the relationship so that users in the tailspintoys.com forest can access resources in any of the domains that make up the wingtiptoys.com forest. You can create this forest trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a forest trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537). Membership in Domain Admins in the forest root domain or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. For more information about the Incoming Forest Trust Builders group, see How Domain and Forest Trusts Work (http://go.microsoft.com/fwlink/? LinkID=111481). To create a one-way, outgoing, forest trust for both sides of the trust 1. Open Active Directory Domains and Trusts. 57
2. In the console tree, right-click the forest root domain of the forest for which you want to establish an outgoing forest trust, and then click Properties. 3. On the Trusts tab, click New Trust, and then click Next. 4. On the Trust Name page, type the Domain Name System (DNS) name of the forest root domain of the other forest, and then click Next. 5. On the Trust Type page, click Forest trust, and then click Next. 6. On the Direction of Trust page, click One-way: outgoing, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages. 7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages. 8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain. 9. On the Outgoing Trust Authentication Level--Local Forest page, do one of the following, and then click Next: Click Forest-wide authentication. Click Selective authentication.
10. On the Trust Selections Completepage, review the results, and then click Next. 11. On the Trust Creation Complete page, review the results, and then click Next. 12. On the Confirm Outgoing Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users. If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain. 13. On the Completing the New Trust Wizard page, click Finish.
58
Create a Two-Way, Forest Trust for Both Sides of the Trust to create both sides of the trust in one simultaneous operation. A two-way, forest trust allows users in your forest (the forest that you are logged on to at the time that you run the New Trust Wizard) and users in the reciprocal forest to access resources in any of the domains in either of the two forests. You can create this forest trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a forest trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537). Membership in Domain Admins in the forest root domain or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. If you are a member of the Incoming Forest Trust Builders group, you can create one-way, incoming, forest trusts to your forest. For more information about the Incoming Forest Trust Builders group, see How Domain and Forest Trusts Work (http://go.microsoft.com/fwlink/?LinkID=111481). To create a two-way, forest trust for one side of the trust 1. Open Active Directory Domains and Trusts. 2. In the console tree, right-click the forest root domain of the forest for which you want to establish a two-way forest trust, and then click Properties. 3. On the Trusts tab, click New Trust, and then click Next. 4. On the Trust Name page, type the Domain Name System (DNS) name of the domain, and then click Next. 5. On the Trust Type page, click Forest trust, and then click Next. 6. On the Direction of Trust page, click Two-way, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages. 7. On the Sides of Trust page, click This domain only, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages. 8. On the Outgoing Trust Authentication Level page, do one of the following, and then click Next: Click Forest-wide authentication. Click Selective authentication.
9. On the Trust Password page, type the trust password twice, and then click Next. 10. On the Trust Selections Complete page, review the results, and then click Next. 11. On the Trust Creation Complete page, review the results, and then click Next. 12. On the Confirm Outgoing Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the outgoing 59
trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time the trust is used by users. If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain. 13. On the Confirm Incoming Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the incoming trust. If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain. 14. On the Completing the New Trust Wizard page, click Finish. Note For this trust to function, the forest administrator in the specified forest must follow this same procedure, using his or her administrative credentials and the exact same trust password that was used during this procedure.
60
To create a two-way, forest trust for both sides of the trust 1. Open Active Directory Domains and Trusts. 2. In the console tree, right-click the domain node for the forest root domain for which you want to establish a trust, and then click Properties. 3. On the Trusts tab, click New Trust, and then click Next. 4. On the Trust Name page, type the Domain Name System (DNS) name of the forest root domain of the other forest, and then click Next. 5. On the Trust Type page, click Forest trust, and then click Next. 6. On the Direction of Trust page, click Two-way, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages. 7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages. 8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain. 9. On the Outgoing Trust Authentication Level--Local Forest page, do one of the following, and then click Next: Click Forest-wide authentication. Click Selective authentication.
10. On the Outgoing Trust Authentication Level--Specified Forest page, do one of the following, and then click Next: Click Forest-wide authentication. Click Selective authentication.
11. On the Trust Selections Complete page, review the results, and then click Next. 12. On the Trust Creation Complete page, review the results, and then click Next. 13. On the Confirm Outgoing Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time the trust is used by users. If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain. 14. On the Confirm Incoming Trust page, do one of the following: If you do not want to confirm this trust, click No, do not confirm the incoming trust. If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain. 61
15. On the Completing the New Trust Wizard page, click Finish.
For more information about how to use the Netdom command-line tool to create a realm trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537). Note The New Trust Wizard in the Active Directory Domains and Trusts snap-in does not support the creation of both sides of a realm trust at the same time. For more information about how the both sides of the trust option works, see the section "Sides of Trust" in Appendix: New Trust Wizard Pages. To create a realm trust, perform any of the following procedures, depending on the requirements of your organization and the administrative credentials that you have when you create the trust: Create a One-Way, Incoming, Realm Trust Create a One-Way, Outgoing, Realm Trust Create a Two-Way, Realm Trust
62
Note Kerberos realm names require uppercase characters. You can create a realm trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a realm trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537). Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/? LinkId=83477. To create a one-way, incoming, realm trust 1. Open Active Directory Domains and Trusts. 2. In the console tree, right-click the domain node for the domain for which you want to establish a realm trust, and then click Properties. 3. On the Trusts tab, click New Trust, and then click Next. 4. On the Trust Name page, type the Domain Name System (DNS) name of the Kerberos realm in uppercase characters, and then click Next. 5. On the Trust Type page, click Realm trust, and then click Next. 6. On the Transitivity of Trust page, do one of the following: To form a trust relationship with the domain and the specified realm only, click Nontransitive, and then click Next. To form a trust relationship with the domain and the specified realm and all trusted realms, click Transitive, and then click Next. 7. On the Direction of Trust page, click One-way: incoming, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages. 8. On the Trust Password page, type the trust password twice, and then click Next. 9. On the Trust Selections Complete page, review the results, and then click Next. 10. On the Completing the New Trust Wizard page, click Finish. Note For this trust to function, the administrator of the Kerberos realm must complete the trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.
63
Note For this trust to function, the administrator of the realm must complete the trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.
For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages. 8. On the Trust Password page, type the trust password twice, and then click Next. 9. On the Trust Selections Complete page, review the results, and then click Next. 10. On the Completing the New Trust Wizard page, click Finish. Note For this trust to function, the administrator of the Kerberos realm must complete the trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.
For more information about how to use the Netdom command-line tool to validate and remove trusts, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537). To complete this task, perform the following procedures: Validate a Trust Remove a Manually Created Trust
66
Validate a Trust
You can validate all trusts that are made between domains, but you cannot validate realm trusts. You can use this procedure to validate a trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about how to use the Netdom command-line tool to create a realm trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537). Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/? LinkId=83477.
Validating a trust
Using the Windows interface Using the command line
To validate a trust using the Windows interface 1. Open Active Directory Domains and Trusts. 2. In the console tree, right-click the domain that contains the trust that you want to validate, and then click Properties. 3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the trust to be validated, and then click Properties. 4. Click Validate. 5. Do one of the following, and then click OK: Click No, do not validate the incoming/outgoing trust. If you click this option, we recommend that you repeat this procedure for the reciprocal domain. Click Yes, validate the incoming/outgoing trust. If you click this option, you must type a user account and password with administrative credentials for the reciprocal domain. To validate a trust using the command line 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER:
netdom trust <TrustingDomainName> /d:<TrustedDomainName> /verify
67
Value
Description
<TrustingDomainName>
Specifies the Domain Name System (DNS) name (or NetBIOS name) of the trusting domain in the trust that is being created.
Description
Value
<TrustedDomainName>
Specifies the DNS name (or NetBIOS name) of the domain that will be trusted in the trust that is being created.
To remove a manually created trust using the Windows interface 1. Open Active Directory Domains and Trusts. 2. In the console tree, right-click the domain that contains the trust that you want to remove, and then click Properties. 3. Click the Trusts tab. 4. In either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the trust to be removed, and then click Remove. 5. Do one of the following, and then click OK: 68
Click No, remove the trust from the local domain only.
If you click this option, we recommend that you repeat this procedure for the reciprocal domain. Click Yes, remove the trust from both the local domain and the other domain. If you click this option, you must type a user account and password with administrative credentials for the reciprocal domain. To remove a manually created trust using the command line 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER:
netdom trust <TrustingDomainName> /d:<TrustedDomainName> /remove /UserD:<User> /PasswordD:*
Parameter
Description
<TrustingDomainName>
The Domain Name System (DNS) name (or NetBIOS name) of the trusting domain in the trust that is being created. The DNS name (or NetBIOS name) of the domain that will be trusted in the trust that is being created. The account name of the user authorized to create the trust.
<TrustedDomainName>
<User>
Note If you are using Netdom to remove a realm trust, you must add the /force option to the end of the command (after /remove) to remove the trust successfully.
All names that are subordinate to unique name suffixes are routed implicitly. For example, if your forest uses fabrikam.com as a unique name suffix, authentication requests for all child domains of fabrikam.com (childDomain.fabrikam.com) will be routed because the child domains are part of the fabrikam.com name suffix. Child names are displayed in the Active Directory Domains and Trusts snap-in. If you want to exclude members of a child domain from authenticating in the specified forest, you can disable name suffix routing for that name. You can also disable routing for the forest name itself, if necessary. For more information about name suffix routing, see Routing name suffixes across forests (http://go.microsoft.com/fwlink/?LinkId=111725). Note You cannot enable a name suffix that is the same as another name in the routing list. If the conflict is with a local UPN name suffix, you must remove the local UPN name suffix from the list before you can enable the routing name. If the conflict is with a name that is claimed by another trust partner, you must disable the name in the other trust before it can be enabled for this trust. Task requirements You can use either of the following tools to perform the procedures for this task: Active Directory Domains and Trusts Netdom.exe
For more information about using the Netdom command-line tool to modify name suffix routing, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537). To complete this task, you can perform the following procedures: Modify Routing for a Forest Name Suffix Modify Routing for a Subordinate Name Suffix Exclude Name Suffixes from Routing to a Forest
these procedures. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To modify routing for a forest name suffix 1. Open Active Directory Domains and Trusts. 2. In the console tree, right-click the forest root domain for the forest trust that you want to administer, and then click Properties. 3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the forest trust that you want to administer, and then click Properties. 4. Click the Name Suffix Routing tab, and then, under Name suffixes in the x.x forest, do one of the following: To enable routing for a name suffix, click the suffix that you want to enable, and then click Enable. If the Enable button is unavailable, the name suffix is already enabled. To disable routing for a name suffix, click the suffix that you want to disable, and then click Disable. If the Disable button is unavailable, the name suffix is already disabled.
71
To modify routing for an existing subordinate name suffix 1. Open Active Directory Domains and Trusts. 2. In the console tree, right-click the forest root domain node for the forest trust that you want to administer, and then click Properties. 3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts)or Domains that trust this domain (incoming trusts), click the forest trust that you want to administer, and then click Properties. 4. On the Name Suffix Routing tab, under Name suffixes in the x.x forest, click the forest suffix whose subordinate name suffix you want to modify for routing, and then click Edit. 5. In Existing name suffixes in x.x, click the suffix that you want to modify, and then click Enable or Disable.
To exclude name suffixes from routing to a forest 1. Open Active Directory Domains and Trusts. 2. In the console tree, right-click the domain that you want to administer, and then click Properties. 3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) 72
or Domains that trust this domain (incoming trusts), click the forest trust that you want to administer, and then click Properties. 4. On the Name Suffix Routing tab, under Name suffixes in the x.x forest, click the unique name suffix whose subordinate name suffix you want to exclude from routing, and then click Edit. 5. In Name suffixes to exclude from routing to x.x, click Add, type a DNS name suffix that is subordinate to the unique name suffix, and then click OK.
For more information about how the security settings for domain and forest trusts work, see Security Considerations for Trusts (http://go.microsoft.com/fwlink/?LinkId=111846).
73
Note You cannot turn off the default behavior in Windows Server 2003 or Windows Server 2008 that enables SID filter quarantining for newly created external trusts. However, under certain conditions SID filter quarantining can be disabled on such an external trust. For information about conditions for disabling SID filter quarantining, see Disable SID filter Quarantining. External trusts that are created from domain controllers running Windows 2000 Server with SP3 or earlier do not enforce SID filter quarantining by default. To further secure your forest, consider enabling SID filter quarantining on all existing external trusts that are created from domain controllers running Windows 2000 Server SP3 or earlier. You can do this by using Netdom.exe to enable SID filter quarantining on existing external trusts or by recreating these external trusts from a domain controller running Windows Server 2008, Windows Server 2003, or Windows 2000 Server with Service Pack 4 (SP4). You can use SID filter quarantining to filter out migrated SIDs that are stored in SID history from specific domains. For example, where an external trust relationship exists so that the one domain, Contoso (running Windows 2000 Server domain controllers), trusts another domain, Cpandl (also running Windows 2000 Server domain controllers), an administrator of the Contoso domain can manually apply SID filter quarantining to the Cpandl domain, which allows all SIDs with a domain SID from the Cpandl domain to pass but all other SIDs (such as those from migrated SIDs that are stored in SID history) to be discarded. Note Do not apply SID filter quarantining to trusts within a forest that is not using either the Windows Server 2008 or Windows Server 2003 forest functional level, because doing so removes SIDs that are required for Active Directory replication. If the forest functional level is Windows Server 2008 or Windows Server 2003 and quarantining is applied between two domains within a forest, a user in the quarantined domain with universal group memberships in other domains in the forest might not be able to access resources in nonquarantined domains, because the group memberships from those domains are filtered when resources are accessed across the trust relationship. Likewise, SID filter quarantining should not be applied to forest trusts. For more information about how SID filtering works, see Security Considerations for Trusts (http://go.microsoft.com/fwlink/?LinkID=111846). Task requirements You can use either of the following tools to perform the procedures for this task: Active Directory Domains and Trusts Netdom.exe
For more information about using the Netdom command-line tool to configure SID filtering settings, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537). To complete this task, you can perform the following procedures: Disable SID filter Quarantining Reapply SID Filter Quarantining 74
75
Parameter
Description
<TrustingDomainName>
The Domain Name System (DNS) name (or NetBIOS name) of the trusting domain in the trust that is being created. The DNS name (or NetBIOS name) of the domain that will be trusted in the trust that is being created. The user account name with the appropriate administrator credentials to modify the trust. The password of the user account in <DomainAdministratorAcct>.
<TrustedDomainName>
<DomainAdministratorAcct>
<DomainAdminPwd>
Note You can enable or disable SID filter quarantining only from the trusting side of the trust. If the trust is a two-way trust, you can also disable SID filter quarantining in the trusted domain by using the domain administrators credentials for the trusted domain and reversing the <TrustingDomainName> and <TrustedDomainName> values in the command-line syntax.
See Also
Reapply SID Filter Quarantining
To reapply SID filter quarantining for the trusting domain 1. Open a Command Prompt. 2. At the command prompt, type the following command, and then press ENTER:
Netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:Yes /userD:<DomainAdministratorAcct> /passwordD:<DomainAdminPwd>
Term
Definition
<TrustingDomainName>
The Domain Name System (DNS) name (or NetBIOS name) of the trusting domain in the trust that is being created. The DNS name (or NetBIOS name) of the domain that will be trusted in the trust that is being created. The user account name with the appropriate administrator credentials to modify the trust. The password of the user account in <DomainAdministratorAcct>.
<TrustedDomainName>
<DomainAdministratorAcct>
<DomainAdminPwd>
Netdom.exe
For more information about how to use the Netdom command-line tool to configure selective authentication settings, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537). To complete this task, you can perform the following procedures: Enable Selective Authentication over an External Trust Enable Selective Authentication over a Forest Trust Enable Domain-Wide Authentication over an External Trust Enable Forest-Wide Authentication over a Forest Trust
Grant the Allowed to Authenticate Permission on Computers in the Trusting Domain or Forest
78
To enable selective authentication over an external trust using the Windows interface 1. Open Active Directory Domains and Trusts. 2. In the console tree, right-click the domain that you want to administer, and then click Properties. 3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the external trust that you want to administer, and then click Properties. 4. On the Authentication tab, click Selective authentication, and then click OK. Note Only the authentication settings for the outgoing trust are displayed when you click Properties and then click the Authentication tab in Active Directory Domains and Trusts. To view the correct authentication settings for the incoming side of a two-way, external trust, connect to a domain controller in the trusted domain, and then use Active Directory Domains and Trusts to view the authentication settings for the outgoing side of the same trust. To enable selective authentication over an external trust using a command line 1. Open a Command Prompt. 2. At the command prompt, type the following command, and then press ENTER:
Netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /SelectiveAUTH:Yes /userD:<DomainAdministratorAcct> /passwordD:<DomainAdminPwd>
Parameter
Description
<TrustingDomainName>
The Domain Name System (DNS) name (or NetBIOS name) of the trusting domain in the trust that is being managed. The DNS name (or NetBIOS name) of the domain that is trusted in the trust that is being managed. The user account name with the appropriate administrator credentials to modify the trust. The password of the user account in <DomainAdministratorAcct>.
<TrustedDomainName>
<DomainAdministratorAcct>
<DomainAdminPwd>
79
To enable selective authentication over a forest trust using the Windows interface 1. Open Active Directory Domains and Trusts. 2. In the console tree, right-click the domain node for the forest root domain, and then click Properties. 3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the forest trust that you want to administer, and then click Properties. 4. On the Authentication tab, click Selective authentication, and then click OK. Note Only the authentication settings for the outgoing trust are displayed when you click Properties and then click the Authentication tab in Active Directory Domains and Trusts. To view the correct authentication settings for the incoming side of a two-way, forest trust, 80
connect to a domain controller in the forest root domain of the trusted forest, and then use Active Directory Domains and Trusts to view the authentication settings for the outgoing side of the same trust. To enable selective authentication over a forest trust using a command line 1. Open a Command Prompt. 2. At the command prompt, type the following command, and then press ENTER:
Netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /SelectiveAUTH:Yes /userD:<DomainAdministratorAcct> /passwordD:<DomainAdminPwd>
Parameter
Description
<TrustingDomainName>
The Domain Name System (DNS) name (or NetBIOS name) of the trusting forest root domain in the trust that is being managed. The DNS name (or NetBIOS name) of the forest root domain that is trusted in the trust that is being managed. The user account name with the appropriate administrator credentials to modify the trust. The password of the user account in <DomainAdministratorAcct>.
<TrustedDomainName>
<DomainAdministratorAcct>
<DomainAdminPwd>
81
using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/? LinkId=83477. To enable domain-wide authentication over an external trust 1. Open Active Directory Domains and Trusts. 2. In the console tree, right-click the domain that you want to administer, and then click Properties. 3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the external trust that you want to administer, and then click Properties. 4. On the Authentication tab, click Domain-wide authentication, and then click OK. Note Only the authentication settings for the outgoing trust appear when you click Properties and then click the Authentication tab in Active Directory Domains and Trusts. To view the correct authentication settings for the incoming side of a two-way, external trust, connect to a domain controller in the trusted domain and then use Active Directory Domains and Trusts to view the authentication settings for the outgoing side of the same trust.
4. On the Authentication tab, click Forest-wide authentication, and then click OK. Note Only the authentication settings for the outgoing trust are displayed when you click Properties and then click the Authentication tab in Active Directory Domains and Trusts. To view the correct authentication settings for the incoming side of a two-way, forest trust, connect to a domain controller in the trusted domain (the forest root domain in the other forest), and then use Active Directory Domains and Trusts to view the authentication settings for the outgoing side of the same trust.
Grant the Allowed to Authenticate Permission on Computers in the Trusting Domain or Forest
For users in a trusted Windows Server 2008 or Windows Server 2003 domain or forest to be able to access resources in a trusting Windows Server 2008 or Windows Server 2003 domain or forest where the trust authentication setting has been set to selective authentication, each user must be explicitly granted the Allowed to Authenticate permission on the security descriptor of the computer objects (resource computers) that reside in the trusting domain or forest. For more information about how the Allowed to Authenticate permission works, see Security Considerations for Trusts in the Windows Server 2003 Technical Reference (http://go.microsoft.com/fwlink/?LinkId=35413). Note The Allowed to Authenticate permission can be set on computer objects that represent member servers running Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, and Windows Server 2008. You can use this procedure and the Active Directory Users and Computers snap-in from the trusting domain to enable access to resources over an external trust or forest trust that is set to selective authentication . Membership in Account Operators, Domain Admins, or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To grant the Allowed to Authenticate permission on computers in the trusting domain or forest 1. Open Active Directory Users and Computers. 2. In the console tree, click the Computers container or the container where your computer objects reside. 3. Right-click the computer object that you want users in the trusted domain or forest to 83
access, and then click Properties. 4. On the Security tab, do one of the following: In Group or user names, click the user names or group names for which you want to grant access to this computer, select the Allow check box next to the Allowed to Authenticate permission, and then click OK. Click Add. In Enter the object names to select, type the name of the user object or group object for which you want to grant access to this resource computer, and then click OK. Select the Allow check box next to the Allowed to Authenticate permission, and then click OK.
Direction of Trust
An administrator in one domain configures the Direction of Trust page in the New Trust Wizard to determine whether authentication requests should be routed from this domain to a specified domain, from the specified domain to this domain, or freely between both domains. The following trust direction options are available on the Direction of Trust page: Two-way. A two-way trust allows authentication requests that are sent by users in either domain or forest to be routed successfully to resources in either of the two domains or forests. One-way: incoming. A one-way, incoming trust allows authentication requests that are sent by users in your domain or forest (the domain or forest where you started the New Trust Wizard) to be routed successfully to resources in the other domain or forest. One-way: outgoing. A one-way, outgoing trust allows authentication requests that are sent by users in the other domain (the domain or forest that you are indicating in the New Trust Wizard as the specified domain or forest) to be routed successfully to resources in your domain or forest. These options are explained in the following sections.
Wizard optionTwo-way
Use this option when you want to share resources equally between two domains or forests for all the users that reside in both domains or forests. A two-way trust allows authentication requests that 84
are sent by users in a trusted domain or forest to be routed successfully to the trusting domain or forest. Both domains or forests in the trust relationship are reciprocally trusting and trusted. Note Traditionally, documentation about domain and forest trusts have used the terms trusting and trusted to help administrators pinpoint the direction of the trust. Although this terminology is still used today to define and conceptualize how trusts work, it varies from the terminology that is used in the New Trust Wizard to help administrators determine the direction of trust. Instead, incoming and outgoing are used to indicate the direction of the trust, as described in the next sections.
85
86
Sides of trust
In Windows NT 4.0 and Windows 2000, the only way to create trusts using the graphical user interface (GUI) was incrementallyone side of the trust at a time. When you create external trusts, shortcut trusts, realm trusts, or forest trusts in Windows Server 2003 and Windows Server 2008, you have the option to create each side of the trust separately or both sides of the trust simultaneously.
For computers that are joined to a domain, the first query is to a time source in the parent domain. Note Computers that are not joined to a domain and are running Windows Vista are configured to synchronize with the following external time sources by default: time.windows.com, time.nist.gov, time-nw.nist.gov, time-a.nist.gov, and time-b.nist.gov. Computers that are not joined to a domain and are running Windows XP or Windows XP Home Edition are configured to synchronize with time.windows.com by default. If the time client is in a single-domain forest, the first query is to the PDC emulator in the domain. All PDC emulator operations masters follow the hierarchy of domains in the selection of their inbound time partner. A PDC emulator can synchronize its time from the PDC emulator in the parent domain or from any domain controller in the parent domain. For more information about time source selection, see How Windows Time Service Works (http://go.microsoft.com/fwlink/?LinkID=117753). The authoritative time source at the root of the forest can acquire its time either by connecting to an installed hardware clock on the internal network or by connecting to an external NTP server, which is connected to a hardware device. If no domain controller is configured as the authoritative time source in the forest root domain, the domain controller that holds the PDC emulator operations master role uses its internal clock to provide time to forest computers.
consumer and enterprise devices that use NTP, which makes it possible for you to install the device on an internal network for use with the PDC. You use the w32tm command-line tool to configure Windows Time service. For a detailed technical reference for the Windows Time service, including complete documentation of the w32tm command-line tool and time service registry settings, see the Windows Time Service Technical Reference (http://go.microsoft.com/fwlink/?LinkID=100940).
Configuring a Time Source for the Forest Configuring Windows-Based Clients to Synchronize Time Restoring the Windows Time Service to Default Settings
and enterprise devices are available that use NTP. You can install the device on an internal network and configure the PDC emulator to use it as its time source. Hardware clocks have the following advantages: More security. You do not have to connect to the Internet. Highest accuracy, although the accuracy level of NTP servers is as high as that of Windows Time service; that is, the effect of the higher accuracy is not appreciated. Hardware clocks have the following disadvantage: Expense and maintenance. You must purchase and install a hardware clock, whereas you can connect to a public time server at no cost and without hardware installation. 2. Configure the Windows Time service on the PDC emulator or other domain controller to synchronize with an external time server. Computer clocks synchronize with external time servers by using the NTP protocol over an IP version 4 (IPv4) or IP version 6 (IPv6) network. You can manually configure the PDC emulator in the forest root domain to synchronize with the external time source. External time servers have the following advantages: Low cost or no cost. Cost is usually limited to bandwidth. Good accuracy. Although hardware clocks have the highest accuracy, the accuracy of a hardware clock can actually exceed the accuracy of Windows Time service; therefore, the comparison of accuracy is not relevant. External time servers have the following disadvantage: Security risk. NTP synchronization with an external time source is not authenticated and is therefore less secure than if the time source is inside the network. If you are using an external time source, you can use the following sites to select an NTP server: USNO NTP Network Time Servers (http://go.microsoft.com/fwlink/?LinkId=112036) Set Your Computer Clock Via the Internet: NIST Internet Time Service (ITS) (http://go.microsoft.com/fwlink/?LinkId=112035) NTP.Servers Web site (http://go.microsoft.com/fwlink/?LinkID=116972) If you choose to implement an NTP time synchronization product other than the Windows Time service, you must disable the Windows Time service on the forest root domain reliable time source. All NTP servers need access to UDP port 123. If the Windows Time service is running on a Windows Server 2003based computer or a Windows Server 2008based computer, port 123 will remain occupied for the Windows Time service. Task requirements The following tools are required to perform the procedures for this task: W32tm.exe The Windows Firewall with Advanced Security snap-in, if you need to check User Datagram Protocol (UDP) port status The Services snap-in, if you need to disable the Windows Time service To complete this task, perform the following procedures as needed: 92
To configure the PDC emulator in the forest root domain to synchronize time from an external time source, see Configure the Time Source for the Forest. If you plan to use a different domain controller as the time source for the forest, perform this procedure on that domain controller instead of the PDC emulator. If the PDC emulator in the forest root domain is configured as the reliable time source for the forest and you move the PDC emulator role to a different domain controller, see Change the Windows Time Service Configuration on the PDC Emulator in the Forest Root Domain. If you are implementing a time synchronization product other than the Windows Time service in your environment that uses NTP, see Disable the Windows Time Service to free UDP port 123 on the network. If you need more information about Windows Time service events, see Enable Windows Time Service Debug Logging.
Set Your Computer Clock Via the Internet: NIST Internet Time Service (ITS) (http://go.microsoft.com/fwlink/?LinkId=112035). NTP.Servers Web site (http://go.microsoft.com/fwlink/?LinkID=116972) After you configure the Windows Time service on the PDC emulator, be sure to monitor the System log in Event Viewer for W32time errors. Note The following procedures use the w32tm command-line tool. For more information about the w32tm command, type w32tm /? at a command prompt or see Windows Time Service Tools and Settings (http://go.microsoft.com/fwlink/?LinkId=112116). Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure locally. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure remotely. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To configure the time source for the forest 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. 2. To display the time difference between the local computer and the target time source and to check NTP communication, at the command prompt, type the following command, and then press ENTER:
w32tm /stripchart /computer:<target> /samples:<n> /dataonly
Parameter
Description
W32tm /stripchart
Displays a strip chart of the offset between synchronizing computers. A strip chart plots two-dimensional datain this case, the local time and the offset. Specifies the Domain Name System (DNS) name or IP address of the NTP server that you are comparing the local computer's time against, such as time.windows.com or time-nw.nist.gov. Specifies the number of time samples that will be returned from the target computer to test basic NTP communication. Specifies that results show only data, not graphics.
/computer:<target>
/samples:<n>
/dataonly
94
If this procedure fails, check the System event log for Time-Service errors and follow any resolution steps that are provided in the More Info link in the error. It is possible that a perimeter firewall is blocking access to the Internet time server. NTP port 123 must be open for outbound and inbound traffic on all routers and firewalls between the PDC emulator and the Internet. If necessary, enable debug logging for W32time, as described in Enable Windows Time Service Debug Logging. Resolve any NTP connection issues before you proceed to step 3. 3. To configure the PDC emulator to use an NTP time source, at the command prompt, type the following command, and then press ENTER:
w32tm /config /manualpeerlist:<peers> /syncfromflags:manual /reliable:yes /update
Parameter
Description
Configures the computer to synchronize time. Specifies the list of DNS names or IP addresses for the NTP time source with which the PDC emulator synchronizes. (This list is referred to as the manual peer list.) For example, you can specify time.windows.com as the NTP time server. When you specify multiple peers, use a space as the delimiter and enclose the names of the peers in quotation marks. Specifies that time will be synchronized with peers in the manual peer list. Specifies that the computer is a reliable time source.
/syncfromflags:manual /reliable:yes
Note When you specify a peer in the manual peer list, do not specify a computer that uses the forest root domain controller as its source for time, such as another domain controller in the forest. The time service does not operate correctly if there are cycles in the time source configuration. Peers should be external to the domain hierarchy. After you configure the PDC emulator as the time source for the forest, log on to a client computer in the forest root domain and perform steps 1 and 2 in the preceding procedure to check Windows Time service performance on the PDC emulator. Use the DNS name of the PDC emulator for the computer target in the command. If you receive error messages, the User Datagram Protocol (UDP) ports on the PDC emulator might be disabled or blocked. You can use the following procedure to check the port status on the PDC emulator, if necessary. 95
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure locally. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure remotely. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To check UDP port status on the PDC emulator 1. To check inbound UDP port 123 status on the domain controller that is the PDC emulator, click Start, point to Administrative Tools, and then click Windows Firewall with Advanced Security. 2. Click Inbound Rules. Check that Active Directory Domain Controller - W32Time (NTP-UDP-In) has a status of enabled (green) and is not blocked: If this rule is disabled (dimmed), right-click the rule, and then click Enable. If the rule is blocked, right-click the rule, and then click Properties. Under Action, click Allow the connections, and then click OK. 3. To check outbound UDP port status on the domain controller, click Outbound Rules. 4. Check that Active Directory Domain Controller (UDP-Out) has a status of enabled and is not blocked: If the rule is disabled (dimmed), right-click the rule, and then click Enable. If the rule is blocked, right-click the rule, and then click Properties. Under Action, click Allow the connections, and then click OK. Or To open only outbound UDP port 123, create a separate outbound rule for the specific port, as follows: a. In Windows Firewall with Advanced Security, right-click Outbound Rules, and then click New. b. In the New Outbound Rule Wizard, click Port, and then click Next. c. Click UDP, click Specific local ports, type 123, and then click Next. d. Follow the directions in the wizard to configure the security settings and name the rule, and then click Finish. 5. To ensure that the PDC emulator responds, on an NTP client, repeat the test in step 2 of the procedure To configure the Windows Time service on the PDC emulator earlier in this topic.
96
Change the Windows Time Service Configuration on the PDC Emulator in the Forest Root Domain
The domain controller in the forest root domain that holds the primary domain controller (PDC) emulator operations master (also known as flexible single master operations or FSMO) role is the default time source for the domain hierarchy of time sources in the forest. When you create the forest, you configure this domain controller either to connect to a manual time source (an external Network Time Protocol (NTP) server or a hardware clock device on the internal network) or to use its own internal clock as its time source. If you move the PDC emulator role to another domain controller or if you decide to configure a different domain controller as the reliable time source for the forest, you can use this procedure to change the Windows Time service (W32time) configuration on the PDC emulator that is currently configured as the reliable time source for the forest. Note The following procedure uses the w32tm command-line tool. For more information about the w32tm command, type w32tm /? at a command prompt or see Windows Time Service Tools and Settings (http://go.microsoft.com/fwlink/?LinkId=112116). Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure locally. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure remotely. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To change the Windows Time service configuration on the PDC emulator in the forest root domain 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER:
w32tm /config /syncfromflags:domhier /reliable:no /update
97
Parameter
Description
Configures the client to synchronize time. Specifies that time will be synchronized with the nearest time source in the domain hierarchy. Because this domain controller is in the forest root domain, it will synchronize with a reliable time source in the forest root domain. Removes the status of reliable time source.
/reliable:no
3. At the command prompt, type the following command, and then press ENTER:
net stop w32time
4. At the command prompt, type the following command, and then press ENTER:
net start w32time
98
You can configure these computers to request time from a particular time source, such as a domain controller in the domain. If you do not specify a source that is synchronized with the domain, each computers internal hardware clock governs its time. Task requirements The following tool is required to perform the procedures for this task: 99
W32tm Configure a Manual Time Source for a Selected Client Computer Configure a Client Computer for Automatic Domain Time Synchronization
100
Parameter
Description
W32tm /stripchart
Displays a strip chart of the offset between synchronizing computers. A strip chart plots two-dimensional datain this case, the local time and the offset. Specifies the Domain Name System (DNS) name or IP address of the NTP server that you are comparing the local computer's time against, such as time.windows.com. Specifies the number of time samples that will be returned from the target computer to test basic NTP communication. Specifies that results show only data, not graphics.
/computer:<target>
/samples:<n>
/dataonly
3. Open UDP port 123 for outgoing traffic on the firewall, if necessary. 4. Open UDP port 123 (or a different port that you have selected) for incoming NTP traffic. 5. To configure a manual time source for the selected computer, at the command prompt, type the following command, and then press ENTER:
w32tm /config /manualpeerlist:<peers> /syncfromflags:manual /update
Parameter
Description
Configures the computer for time synchronization. Specifies the list of Domain Name System (DNS) names or IP addresses for the NTP time source with which the primary domain controller (PDC) emulator synchronizes. (This list is referred to as the manual peer list.) For example, you can specify time.windows.com as the NTP time server. When you specify multiple peers, use a space as the delimiter and enclose the names of the peers in quotation marks. Specifies that time is synchronized with peers in the manual peer list.
/syncfromflags:manual
101
Parameter
Description
Configures the computer for time synchronization. Specifies that time is synchronized with computers in the domain hierarchy.
3. At the command prompt, type the following command, and then press ENTER:
net stop w32time
4. At the command prompt, type the following command, and then press ENTER:
net start w32time
102
Restore the Windows Time Service on the Local Computer to the Default Settings
You can use this procedure to restore the Windows Time service (W32time) on the local computer to the default settings. If you are experiencing a problem, returning to the default settings might be more efficient than troubleshooting the problem. Note The following procedure uses the w32tm command-line tool. For more information about the w32tm command, type w32tm /? at a command prompt or see Windows Time Service Tools and Settings (http://go.microsoft.com/fwlink/?LinkId=112116). Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure locally. Membership in the Domain Admins group, or equivalent, is the minimum required to complete this procedure remotely. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To restore the Windows Time service on the local computer to the default settings 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER:
net stop w32time
3. At the command prompt, type the following command, and then press ENTER:
w32tm /unregister
4. At the command prompt, type the following command, and then press ENTER: 103
w32tm /register
5. At the command prompt, type the following command, and then press ENTER:
net start w32time
104
Note The location of the SYSVOL directory and subdirectories is configurable during and after Active Directory installation. The default locations under %systemroot%\SYSVOL are used throughout this guide only as a relative reference to the location of SYSVOL files and folders. The %systemroot%\SYSVOL\domain and %systemroot%\SYSVOL\sysvol folders appear to contain the same content because SYSVOL uses junction points (also called reparse points). A junction point is a physical location on a hard disk that points to data that is located elsewhere on the hard disk or on another storage device. Junction points look like folders and behave like folders (in Windows Explorer they appear to be shortcuts to folders), but they are not folders. A junction point contains a link to another folder. When a program opens it, the junction point automatically redirects the program to the folder to which the junction point is linked. The redirection is completely transparent to the user and the application. For example, if you open a command prompt and type dir to list the contents of \%systemroot%\SYSVOL\sysvol, you notice a folder that is listed as <JUNCTION>. The junction point in %systemroot%\SYSVOL\sysvol links to %systemroot %\SYSVOL\domain. In this guide, in reference to SYSVOL components and folders, the capitalization that is used reflects the capitalization of the default folders and parameters as they appear in the file system, in the registry, and in Active Directory Domain Services (AD DS). For example, the default SYSVOL directory tree always appears as %systemroot%\SYSVOL\sysvol, as it appears in Windows Explorer. When the topic is specific to the sysvol shared folder, lowercase sysvol is used. Similarly, the area of SYSVOL that is historically referred to as the staging area is described in this guide as the staging areas subdirectory. In this way, the folder %systemroot%\SYSVOL\staging areas is clearly understood and distinct from the %systemroot%\SYSVOL\staging folder. Capitalization of registry parameters and Active Directory attribute names are presented as they appear in those locations.
105
SYSVOL share. When a change to a file occurs, FRS replicates the entire updated file. With DFS Replication, for files larger than 64 KB, only the updated portion of the file is replicated. To replicate only updates to files, DFS Replication uses an algorithm called remote differential compression (RDC). RDC detects changes to the data in a file and enables DFS Replication to replicate changes in the form of file blocks, without having to replicate the entire file. RDC detects insertions, removals, and rearrangements of data in files. The DFS Replication service monitors SYSVOL, and, if a change occurs to any file that is stored in SYSVOL, DFS Replication automatically replicates the file updates to the SYSVOL folders on the other domain controllers in the domain. An additional improvement is that DFS Replication does not require the version vector join (vvjoin) operation, which is performed between FRS replication partners when new connections are created. Vvjoin is a CPU-intensive operation that can affect the performance of the server and cause increased replication traffic. In Windows Server 2008, DFS Replication is the default file replication service for domains that are initially created on domain controllers running Windows Server 2008. However, in a domain that is upgraded from another operating system to Windows Server 2008, FRS is the default replication service for SYSVOL replication. To implement DFS Replication of SYSVOL after an upgrade to Windows Server 2008 domain functional level, you must perform a preliminary migration process for replication of the SYSVOL tree.
Change the space that is allocated to the staging area Change the staging area path Note You cannot use DFS Management to change the SYSVOL path. You must make this change in the registry directly. For information about changing the SYSVOL path, see Relocating SYSVOL Manually.
You can use the Diagnostic Reports features of DFS Management to implement a monitoring system to detect low disk space and other potential DFS Replication disruptions so that you can resolve these issues before the system stops replicating. The Ultrasound utility, which is a tool for monitoring FRS, cannot be used for DFS Replication. Instead, you can use the DFS Replication health reports that DFS Management generates. For information about using DFS Management to generate diagnostic reports, see Create a Diagnostic Report for DFS Replication (http://go.microsoft.com/fwlink/?LinkId=122538). Other key considerations for managing SYSVOL include the following: Capacity To manage SYSVOL, enough space must be provided to store SYSVOL. The quota that is allocated to the DFS Replication staging area is 4 gigabytes (GB) (4096 MB). The maximum size is 4 terabytes (TB) (4096 GB). Depending on the configuration of your domain, SYSVOL can require a significant amount of disk space to function properly. During the initial deployment, SYSVOL might be allocated adequate disk space to function. However, as your installation of Active Directory Domain Services (AD DS) grows in size and complexity, the required capacity can exceed the available disk space. If you receive indications that disk space is low, determine whether the cause is attributable to inadequate physical space on the disk or the DFS Management setting that limits the quota that is allocated to the staging area. If staging area disk space is low, DFS Replication encounters frequent staging area cleanup events. You can avoid this scenario by using .admx file capability to implement a Central Store in SYSVOL to store and to replicate Windows Vista policy files. For information about using this solution, see article 929841 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=122539). You can also reduce SYSVOL size and replication time by managing Administrative Templates in Group Policy. For information about using this solution, see article 813338 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=122540). Hardware maintenance System maintenance, such as removal of a disk drive, can make it necessary for you to relocate SYSVOL. Even if the maintenance occurs on a different disk drive, verify that the maintenance does not affect SYSVOL. Logical drive letters can change after you add and remove disks. DFS Replication locates SYSVOL by using paths that are stored in AD DS. If drive letters change after you add or remove disk drives, you must manually update the paths in AD DS. Backing up GPOs 107
The successful operation of Group Policy depends on the reliable operation of SYSVOL. Key components of GPOs exist in SYSVOL (in the policies subdirectory), and it is essential that these GPO components remain synchronized with related components in AD DS. Therefore, backing up only the SYSVOL component does not represent a full and complete backup of your GPOs. The Group Policy Management Console (GPMC) provides both UI-based and scriptable methods for backing up GPOs. It is important that you back up GPOs as part of your regular backup/disaster recovery processes. Soon after installation of a new domain, the default domain and default domain controllers' GPOs should be backed up. They should also be backed up after any subsequent changes are made. GPOs are included in system state backups. For information about backing up system state, see Backing Up Active Directory Domain Services. For information about backing up GPOs, see Back Up a Group Policy Object (http://go.microsoft.com/fwlink/?LinkID=122542). Relocating SYSVOL When you relocate SYSVOL, you must first copy the entire folder structure to a new location. Then, you must update the junction points and path values that are stored in the registry and in AD DS to maintain the relationships between the paths, the folders, and the junctions. As an option, you can relocate the staging area and leave the rest of SYSVOL at its original location. In this case, you must update the staging folder path in AD DS.
%systemroot%\SYSVOL\domain\scripts %systemroot%\SYSVOL\staging %systemroot%\SYSVOL\staging\domain %systemroot%\SYSVOL\staging areas %systemroot%\SYSVOL\staging areas\<FQDN>, where FQDN is the fully qualified domain name of the domain that this domain controller hosts, for example, contoso.com. %systemroot%\SYSVOL\sysvol %systemroot%\SYSVOL\sysvol\<FQDN>, where FQDN is the fully qualified domain name of the domain that this domain controller hosts, for example, contoso.com. Note If any of the folders do not appear in Windows Explorer, click Tools, and then click Folder Options. On the View tab, click Show hidden files and folders. If you use Windows Explorer to view these folders, they appear to be typical folders. If you open a command prompt and type dir to list these folders, you notice that two special folders are listed as <JUNCTION>. Both folders labeled FQDN are junction points. The junction point in %systemroot %\SYSVOL\sysvol links to %systemroot%\SYSVOL\domain. The junction in %systemroot %\SYSVOL\staging areas links to %systemroot%\SYSVOL\staging\domain. If you change the path to the folders to which the junctions are linked, you must also update the junctions, including drive letter changes and folder changes. Besides junction points linking to folders within the SYSVOL tree, the registry and AD DS also store references to folders. These references contain paths that you must update if you change the location of the folder: Registry: The SysVol Netlogon parameter in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. This registry entry stores the path to the sysvol shared folder (default %systemroot %\SYSVOL\sysvol). The Netlogon service uses this path to identify the location of the folder that it uses to create the SYSVOL and NETLOGON (scripts) share points. AD DS: Two attributes in AD DS store the paths for the SYSVOL root and staging area folders, as shown in the following table.
Directory value Default referenced location Contents
msDFSR-RootPath msDFSR-StagingPath
%systemroot\SYSVOL\domain %systemroot\SYSVOL\staging\domain
Relocating the SYSVOL Staging Area Relocating SYSVOL Manually Updating the SYSVOL Path Restoring and Rebuilding SYSVOL
4. On the Staging tab, change the value in Quota (in megabytes), and then click OK.
Regedit.exe ADSI Edit Identify Replication Partners Check the Status of the SYSVOL and Netlogon Shares Verify Active Directory Replication Gather the SYSVOL Path Information Stop the DFS Replication Service and Netlogon Service Create the SYSVOL Staging Areas Folder Structure Change the SYSVOL Root Path or Staging Areas Path, or Both Start the DFS Replication Service and Netlogon Service Force Replication Between Domain Controllers
5. Check the list to be sure that it includes %systemroot%\SYSVOL\sysvol\ (the SYSVOL share) and %systemroot%\SYSVOL\sysvol\<Domain Name>\SCRIPTS (the NETLOGON share), where <Domain Name> is the domain of the new domain controller. Note If neither %systemroot%\SYSVOL\sysvol\ nor %systemroot%\SYSVOL\sysvol\<Domain Name>\SCRIPTS are present, see Verify Active Directory Replication. 6. Verify that the proper permissions are set for SYSVOL replication. At the command prompt, type the following command, and then press ENTER:
dcdiag /test:netlogons
Look for a message that states that <ComputerName> passed test NetLogons, where <ComputerName> is the name of the domain controller. If you do not see the passed test 113
message, check the permissions that are set on the Scripts and Sysvol shared folders. For information about default SYSVOL permissions, see Reapply Default SYSVOL Security Settings.
Note For more detailed replication information, use the /v option. If this test fails, open Event Viewer and check for errors in the Directory Service log. Use the information in the ActiveDirectory_DomainService replication events to troubleshoot the problem.
you are rebuilding SYSVOL on one domain controller by importing the SYSVOL of another domain controller. Note The instructions in this procedure relate to domains in which Distributed File System (DFS) Replication is used to replicate SYSVOL. For information about relocating SYSVOL when you use File Replication Service (FRS), see Relocating SYSVOL Manually (http://go.microsoft.com/fwlink/?LinkId=122590). For more information about the folder structure and the relationships between the folders and the path information that is stored in the registry, AD DS, and the SYSVOL directory itself, see Introduction to Administering DFS-Replicated SYSVOL. You can use these procedures to locate the SYSVOL path information and then record the values in the following table. Use the rows and columns in the table according to the goals of your procedure. Record the current values and also the new values if you are moving the SYSVOL tree or the staging areas subtree or if you are rebuilding SYSVOL: Relocating the entire SYSVOL tree: Record the current and new path values in rows 1 through 5. Relocating the staging areas subtree only: Record the current and new path values in rows 2 and 5. Restoring and rebuilding SYSVOL: Record path information as follows: Record the current values from the domain controller that you are restoring in rows 1, 2, and 3. In the Current Value column in rows 4 and 5, record the values in the junction points that are located on the domain controller from which you are copying the SYSVOL folder structure. In the New Value column in rows 4 and 5, record the values in the junction points that are located on the domain controller whose SYSVOL you are rebuilding.
Parameter Current value New value
1 2 3 4 5
msDFSR-RootPath in AD DS msDFSR-StagingPath in AD DS SysVol Netlogon parameter in the registry Sysvol junction point Staging areas junction point
115
Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At the command prompt, change the directory to %systemroot%\SYSVOL\sysvol, or to the current location if SYSVOL has been moved from the default location. 3. To view the junction point for the sysvol folder, at the command prompt, type the following command, and then press ENTER:
dir /a:L
4. Record the current value in row 4 in the previous table. If you are moving SYSVOL, also record the new value for the new location. To determine the value in the staging areas junction point 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At the command prompt, change the directory to %systemroot%\SYSVOL\staging areas or to the current location if the staging areas subtree has been moved from the default location. 3. To view the junction point for the staging areas folder, at the command prompt, type the following command, and then press ENTER:
dir /a:L
4. The output identifies the <JUNCTION> folder type and the value that is stored in the staging areas junction point in brackets. For example, the default value is [Drive:\ %systemroot%\SYSVOL\staging\domain] (or, if SYSVOL has been migrated from FRS to DFS Replication, [Drive:\%systemroot%\SYSVOL_DFSR\staging\domain]). Record the current value in row 5 of the previous table. If you are moving SYSVOL or the staging areas subtree, also record the new value for the new location.
117
You can use the Windows graphical user interface (GUI) or the command line to stop the DFS Replication service and the Netlogon service. Note The staging path junction point is updated automatically when DFS Replication is restarted. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To stop the DFS Replication service or Netlogon service, or both, by using the Windows GUI 1. On the Start menu, point to Administrative Tools, and then click Services. 2. In the Name column, right-click DFS Replication or Netlogon, and then click Stop. To stop the DFS Replication service and the Netlogon service by using the command line 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER:
net stop dfsr
3. At the command prompt, type the following command, and then press ENTER:
net stop netlogon
After you move or restore SYSVOL, when you update the SYSVOL Netlogon path in the registry, you must also update the SysvolReady parameter in Netlogon parameters, as described in Change the SYSVOL Netlogon Parameters.
To create the SYSVOL staging areas folder structure 1. In Windows Explorer, create a new folder for the new location of the staging areas folder. 2. Navigate to the folder that represents the top of your current staging areas tree. By default, this folder is %systemroot%\SYSVOL\staging areas. 3. In the console tree, right-click the staging areas folder, and then click Copy. 4. In the console tree, navigate to the new folder that you created for the staging areas tree, right-click the folder, and then click Paste. Note This folder must be empty when you paste the staging areas folders. 5. Verify that the folder structure was copied correctly. To compare the new folder structure to the original, open a command prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 6. Change directories to the new staging areas folder. To list the contents of the folder and subfolders, type the following command, and then press ENTER:
dir /s
Ensure that all folders exist. If any folders are missing at the new location (such as \scripts), re-create them.
2. Right-click ADSI Edit, and then, if the domain whose path information you want to check is not listed, click Connect to. 3. Under Connection Point, click Select a well known Naming Context, click Default naming context, and then click OK. 4. In the console tree, expand the domain component, and then expand OU=Domain Controllers. 5. Double-click the container that represents a domain controller on which you can check the path information, double-click CN=DFSR-LocalSettings, and then click CN=Domain System Volume. 6. In the details pane, right-click CN=SYSVOL Subscription, and then click Properties. 7. Click Filter. Ensure that Show mandatory attributes is selected. Select this option if it is not selected. 8. In Attributes, double-click one or both of the following: msDFSR-RootPath to change the SYSVOL root path. msDFSR-StagingPath to change the SYSVOL staging areas path.
9. In Value, type the new folder path, and then click OK. 10. Click OK to close the CN=Subscription Properties dialog box.
See Also
Start the DFS Replication Service and Netlogon Service
To start the DFS Replication service or Netlogon service, or both, by using the command line 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. To start the DFS Replication service, at the command prompt, type the following command, and then press ENTER:
net start dfsr
3. To start the Netlogon service, at the command prompt, type the following command, and then press ENTER:
net start netlogon
Notes You can use Event Viewer to verify that DFS Replication restarted correctly. In the DFS Replication log (in Applications and Services Logs), Event ID 1004 indicates that the service restarted. Look for Event IDs 1210, 1206, and 6102 to verify that the domain controller is running and ready for service. If you moved SYSVOL to a new location or relocated the staging areas folder, look for Event IDs 4604 and 6018, which indicate success. Event ID 7036 in the System event log reports that the Netlogon service is running. This event reports on all services that are stopped or started. Also verify that the Netlogon service is sharing the sysvol (SYSVOL share) and scripts (NETLOGON share) folders. At a command prompt, type net share, and then press ENTER.
replication from the updated server. 3. Expand the Servers container to display the list of servers that are currently configured for that site. 4. Expand the server objects and click their NTDS Settings objects to display their connection objects in the details pane. Find a server that has a connection object from the server on which you made the updates. 5. Click NTDS Settings below the server object. In the details pane, right-click the connection object whose From Server is the domain controller that has the updates that you want to replicate, and then click Replicate Now. 6. When the Replicate Now message box appears, review the information, and then click OK.
See Also
Synchronize Replication with All Partners
Task requirements The following tools are required to perform the procedures for this task: Active Directory Sites and Services Net.exe Dcdiag.exe Event Viewer ADSI Edit Regedit.exe Dir.exe Windows Explorer Robocopy.exe Mklink.exe
If you choose to reapply security settings manually, the following additional tools are required: Notepad.exe Secedit.exe
To complete this task, perform the following procedures: 1. Identify Replication Partners 2. Check the Status of the SYSVOL and Netlogon Shares 3. Verify Active Directory Replication 4. Gather the SYSVOL Path Information 5. Stop the DFS Replication Service and Netlogon Service 6. Copy SYSVOL to a New Location 7. Create the SYSVOL Root Junction Point 8. Change the SYSVOL Root Path or Staging Areas Path, or Both 9. Change the SYSVOL Netlogon Parameters 10. Reapply Default SYSVOL Security Settings You can use this procedure if you want to reapply the default security settings to the SYSVOL directory. However, if you use the Robocopy command that is specified in Copy SYSVOL to a New Location, file ownership and access control list (ACL) settings are retained on the copied SYSVOL folders and files, and reapplying security settings is not required. 11. Start the DFS Replication Service and Netlogon Service 12. Check the Status of the SYSVOL and Netlogon Shares 13. Force Replication Between Domain Controllers
123
124
Membership in Domain Admins, or equivalent, is required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To check the status of the SYSVOL and Netlogon shares 1. On the Start menu, point to Administrative Tools, and then click Services. 2. Verify that the DFS Replication service and the Netlogon service have a status of Started. If a service is stopped, click Restart. 3. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 4. To verify that the SYSVOL tree includes the sysvol and scripts shared folders, at the command prompt, type the following command, and then press ENTER:
net share
5. Check the list to be sure that it includes %systemroot%\SYSVOL\sysvol\ (the SYSVOL share) and %systemroot%\SYSVOL\sysvol\<Domain Name>\SCRIPTS (the NETLOGON share), where <Domain Name> is the domain of the new domain controller. Note If neither %systemroot%\SYSVOL\sysvol\ nor %systemroot%\SYSVOL\sysvol\<Domain Name>\SCRIPTS are present, see Verify Active Directory Replication. 6. Verify that the proper permissions are set for SYSVOL replication. At the command prompt, type the following command, and then press ENTER:
dcdiag /test:netlogons
Look for a message that states that <ComputerName> passed test NetLogons, where <ComputerName> is the name of the domain controller. If you do not see the passed test message, check the permissions that are set on the Scripts and Sysvol shared folders. For information about default SYSVOL permissions, see Reapply Default SYSVOL Security Settings.
125
To verify Active Directory replication 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER:
dcdiag /test:replications
Note For more detailed replication information, use the /v option. If this test fails, open Event Viewer and check for errors in the Directory Service log. Use the information in the ActiveDirectory_DomainService replication events to troubleshoot the problem.
Relocating the entire SYSVOL tree: Record the current and new path values in rows 1 through 5. Relocating the staging areas subtree only: Record the current and new path values in rows 2 and 5. Restoring and rebuilding SYSVOL: Record path information as follows: Record the current values from the domain controller that you are restoring in rows 1, 2, and 3. In the Current Value column in rows 4 and 5, record the values in the junction points that are located on the domain controller from which you are copying the SYSVOL folder structure. In the New Value column in rows 4 and 5, record the values in the junction points that are located on the domain controller whose SYSVOL you are rebuilding.
Parameter Current value New value
1 2 3 4 5
msDFSR-RootPath in AD DS msDFSR-StagingPath in AD DS SysVol Netlogon parameter in the registry Sysvol junction point Staging areas junction point
Controllers. 5. Double-click the container that represents a domain controller on which you can check the path information, double-click CN=DFSR-LocalSettings, and then click CN=Domain System Volume. 6. In the details pane, right-click CN=SYSVOL Subscription, and then click Properties. 7. Click Filter. Ensure that Show mandatory attributes is selected. Select this option if it is not selected. 8. In Attributes, locate msDFSR-RootPath and msDFSR-StagingPath, and then record the current values in rows 1 and 2, respectively, in the previous table. If you are moving SYSVOL, also record the new values for the new location in both rows. If you are moving the staging areas subtree, record the new path value in row 2. 9. Click Cancel to close the CN=Subscription Properties dialog box. To determine the SysVol Netlogon parameter value in the registry 1. Click Start, click Run, type regedit, and then press ENTER. 2. In Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. 3. In the details pane, double-click SysVol. The current value is listed in Value data. 4. Record the current value in row 3 of the previous table, and then click Cancel to close the Edit String dialog box. If you are moving SYSVOL, also record the new value for the new location. 5. Close Registry Editor. To determine the value in the sysvol junction point 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At the command prompt, change the directory to %systemroot%\SYSVOL\sysvol, or to the current location if SYSVOL has been moved from the default location. 3. To view the junction point for the sysvol folder, at the command prompt, type the following command, and then press ENTER:
dir /a:L
4. Record the current value in row 4 in the previous table. If you are moving SYSVOL, also record the new value for the new location. To determine the value in the staging areas junction point 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click 128
Continue. 2. At the command prompt, change the directory to %systemroot%\SYSVOL\staging areas or to the current location if the staging areas subtree has been moved from the default location. 3. To view the junction point for the staging areas folder, at the command prompt, type the following command, and then press ENTER:
dir /a:L
4. The output identifies the <JUNCTION> folder type and the value that is stored in the staging areas junction point in brackets. For example, the default value is [Drive:\ %systemroot%\SYSVOL\staging\domain] (or, if SYSVOL has been migrated from FRS to DFS Replication, [Drive:\%systemroot%\SYSVOL_DFSR\staging\domain]). Record the current value in row 5 of the previous table. If you are moving SYSVOL or the staging areas subtree, also record the new value for the new location.
dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER:
net stop dfsr
3. At the command prompt, type the following command, and then press ENTER:
net stop netlogon
After you move or restore SYSVOL, when you update the SYSVOL Netlogon path in the registry, you must also update the SysvolReady parameter in Netlogon parameters, as described in Change the SYSVOL Netlogon Parameters.
130
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To copy SYSVOL to a new location 1. In Windows Explorer, create a new folder for the new location of SYSVOL. This folder must be empty. 2. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 3. Change directories to the existing SYSVOL directory that you want to move. By default, the path to this directory is %systemroot%\SYSVOL. 4. At the command prompt, type the following command, and then press ENTER:
robocopy <Source Folder> <Destination Folder> /copyall /mir /b /r:0 /xd "DfsrPrivate" /xf "DfsrPrivate"
131
Parameter
Description
<Source Folder>
The path to the SYSVOL directory that you are copying. The default location is %systemroot%\SYSVOL. The path to the new SYSVOL location that you created in step 1. Copies the following file information: data, attributes, time stamps, NTFS access control list (ACL), owner information, and auditing information. Mirrors the directory tree that you are copying. Copies files in backup mode. Robocopy uses backup mode to override file and folder permission settings (ACLs). Specifies performing 0 (zero) retries on failed copies. Excludes the DfsrPrivate directory from the copy. Excludes the DfsrPrivate file from the copy.
/mir /b
5. Verify that the folder structure was copied correctly. To compare the new folder structure to the original, open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 6. Verify that the folder structure was copied correctly. To compare the new folder structure to the original, change directories to the new SYSVOL folder. To list the contents of the folder and subfolders by size, type the following command, and then press ENTER:
dir /s
Compare the ouptut with the output for the original SYSVOL folder. Ensure that all folders exist and that file sizes are the same. If any folders are missing at the new location (such as \scripts), re-create them. 7. Verify that the security settings on the moved SYSVOL are the same as the settings on the original location.
132
Example: mklink
Parameter
/J contoso.com D:\ContosoRoot\SYSVOL\domain
Definition
Creates a junction point for the specified domain in the specified path location. The fully qualified domain name of the SYSVOL domain The drive letter and path to the SYSVOL root, for example, Drive:\FolderName\SYSVOL\domain or Drive:\FolderName\SYSVOL_DFSR\domain if SYSVOL has been migrated from File Replication Service (FRS) to Distributed File System (DFS) Replication
4. To verify the creation of the junction point, at the command prompt, type the following command, and then press ENTER: 133
dir /a:L
Verify the presence of the <JUNCTION> folder type and the value that you specified in step 3.
9. In Value, type the new folder path, and then click OK. 10. Click OK to close the CN=Subscription Properties dialog box. 134
See Also
Start the DFS Replication Service and Netlogon Service
135
[File Security] ;"%SystemRoot%\SYSVOL",0,"D:AR(A;OICI;FA;;;BA)" "%Sysvol%",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA) (A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)" "%Sysvol%\domain\policies",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO) (A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;PA)" Use this file to apply the security settings to the new SYSVOL folders. Note Do not include a space between the sets of parentheses. 11. Save this file as Sysvol.inf. 12. Open a new Command Prompt. Do not use an existing command prompt that has been open on your desktop because it will not have the proper environment settings. Change the directory to the folder where you saved the Sysvol.inf file in step 11. 13. At the new command prompt, type the following command all on one line, and then press ENTER:
secedit /configure /cfg <path>\sysvol.inf /db <path>\sysvol.db /overwrite
Parameter
Description
/configure /cfg <path> (to security template) /db <path> (to database) /overwrite
Performs directed configurations. Specifies the path where you saved Sysvol.inf in step 11. Specifies the path to the database that is used to perform the security configuration. Specifies that the database should be emptied before it is imported into the security template. If this parameter is not specified, the settings in the security template are accumulated into the database. If this parameter is not specified and there are conflicting settings in the database and the template that is being imported, the template settings take precedence.
137
3. To start the Netlogon service, at the command prompt, type the following command, and then press ENTER:
net start netlogon
Notes You can use Event Viewer to verify that DFS Replication restarted correctly. In the DFS Replication log (in Applications and Services Logs), Event ID 1004 indicates that the service restarted. Look for Event IDs 1210, 1206, and 6102 to verify that the domain controller is running and ready for service. If you moved SYSVOL to a new location or relocated the staging areas folder, look for Event IDs 4604 and 6018, which indicate success. Event ID 7036 in the System event log reports that the Netlogon service is running. This event reports on all services that are stopped or started.
138
Also verify that the Netlogon service is sharing the sysvol (SYSVOL share) and scripts (NETLOGON share) folders. At a command prompt, type net share, and then press ENTER.
See Also
Synchronize Replication with All Partners
%\SYSVOL\staging areas folder is located on one of the drives whose letter changes, Distributed File System (DFS) Replication cannot locate these folders. To solve this problem, you must update the paths that DFS Replication uses to locate these folders. Before you update SYSVOL path information, you must stop the DFS Replication service and the Netlogon service. To change the path for the %systemroot%\SYSVOL\sysvol root folder and staging areas folder, you update path values in Active Directory Domain Services (AD DS). You also update the registry to change the path to the %systemroot%\SYSVOL\sysvol shared folder that is used by the Netlogon service. In addition, you must update the junction point that references the %systemroot%\SYSVOL\domain folder in the SYSVOL tree. The junction point that references the domain folder in the staging areas subdirectory (%systemroot%\SYSVOL\staging areas\DomainName) is updated automatically when you restart DFS Replication and Netlogon. After you update the path information, when you restart DFS Replication and Netlogon, the new path values are initialized. To be sure that SYSVOL is not advertised on the network before the new paths are initalized, you must also modify the SysvolReady Netlogon parameter while the services are stopped. You can make this change at the same time you update the Sysvol Netlogon path in the registry. Task requirements The following tools are required to perform the procedures for this task: Net.exe ADSI Edit Regedit.exe Dir.exe Mklink.exe
To complete this task, perform the following procedures in order: 1. Gather the SYSVOL Path Information 2. Stop the DFS Replication Service and Netlogon Service 3. Change the SYSVOL Netlogon Parameters 4. Create the SYSVOL Root Junction Point 5. Start the DFS Replication Service and Netlogon Service
original location. In this case, you must update an attribute in AD DS, but the junction point for the staging areas folder is updated automatically. You also have to record this path information when you are rebuilding SYSVOL on one domain controller by importing the SYSVOL of another domain controller. Note The instructions in this procedure relate to domains in which Distributed File System (DFS) Replication is used to replicate SYSVOL. For information about relocating SYSVOL when you use File Replication Service (FRS), see Relocating SYSVOL Manually (http://go.microsoft.com/fwlink/?LinkId=122590). For more information about the folder structure and the relationships between the folders and the path information that is stored in the registry, AD DS, and the SYSVOL directory itself, see Introduction to Administering DFS-Replicated SYSVOL. You can use these procedures to locate the SYSVOL path information and then record the values in the following table. Use the rows and columns in the table according to the goals of your procedure. Record the current values and also the new values if you are moving the SYSVOL tree or the staging areas subtree or if you are rebuilding SYSVOL: Relocating the entire SYSVOL tree: Record the current and new path values in rows 1 through 5. Relocating the staging areas subtree only: Record the current and new path values in rows 2 and 5. Restoring and rebuilding SYSVOL: Record path information as follows: Record the current values from the domain controller that you are restoring in rows 1, 2, and 3. In the Current Value column in rows 4 and 5, record the values in the junction points that are located on the domain controller from which you are copying the SYSVOL folder structure. In the New Value column in rows 4 and 5, record the values in the junction points that are located on the domain controller whose SYSVOL you are rebuilding.
Parameter Current value New value
1 2 3 4 5
msDFSR-RootPath in AD DS msDFSR-StagingPath in AD DS SysVol Netlogon parameter in the registry Sysvol junction point Staging areas junction point 141
142
To determine the value in the sysvol junction point 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At the command prompt, change the directory to %systemroot%\SYSVOL\sysvol, or to the current location if SYSVOL has been moved from the default location. 3. To view the junction point for the sysvol folder, at the command prompt, type the following command, and then press ENTER:
dir /a:L
4. Record the current value in row 4 in the previous table. If you are moving SYSVOL, also record the new value for the new location. To determine the value in the staging areas junction point 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At the command prompt, change the directory to %systemroot%\SYSVOL\staging areas or to the current location if the staging areas subtree has been moved from the default location. 3. To view the junction point for the staging areas folder, at the command prompt, type the following command, and then press ENTER:
dir /a:L
4. The output identifies the <JUNCTION> folder type and the value that is stored in the staging areas junction point in brackets. For example, the default value is [Drive:\ %systemroot%\SYSVOL\staging\domain] (or, if SYSVOL has been migrated from FRS to DFS Replication, [Drive:\%systemroot%\SYSVOL_DFSR\staging\domain]). Record the current value in row 5 of the previous table. If you are moving SYSVOL or the staging areas subtree, also record the new value for the new location.
143
services must be turned off until updates to the SYSVOL path information are complete and the SYSVOL junction point has been updated for the new location. You can use the Windows graphical user interface (GUI) or the command line to stop the DFS Replication service and the Netlogon service. Note The staging path junction point is updated automatically when DFS Replication is restarted. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To stop the DFS Replication service or Netlogon service, or both, by using the Windows GUI 1. On the Start menu, point to Administrative Tools, and then click Services. 2. In the Name column, right-click DFS Replication or Netlogon, and then click Stop. To stop the DFS Replication service and the Netlogon service by using the command line 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER:
net stop dfsr
3. At the command prompt, type the following command, and then press ENTER:
net stop netlogon
After you move or restore SYSVOL, when you update the SYSVOL Netlogon path in the registry, you must also update the SysvolReady parameter in Netlogon parameters, as described in Change the SYSVOL Netlogon Parameters.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To change the SYSVOL Netlogon parameters 1. Click Start, click Run, type regedit, and then press ENTER. 2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. 3. Right-click SysVol, and then click Modify. 4. In the Value data box, type the new path, including the drive letter, and then click OK. 5. Right-click SysvolReady, and then click Modify. 6. In the Value data box, type 0, and then click OK. 7. Close Registry Editor. Note The path in the SysVol registry entry points to the sysvol shared folder, which is located inside the parent SYSVOL folder that is under the root (by default, Drive:\ %systemroot%\SYSVOL\sysvol). When you update the path, ensure that it still identifies the sysvol shared folder within the parent SYSVOL folder. If you have moved the SYSVOL tree, the root folder will change. Be sure to also change the drive letter to its new value if this has changed.
Continue. 2. At the command prompt, change the directory to the new sysvol root location, for example, FolderName\SYSVOL\sysvol. 3. To create the junction point for the sysvol root, at the command prompt, type the following command, and then press ENTER:
mklink /J <FQDN> <New sysvol root junction path>
Example: mklink
Parameter
/J contoso.com D:\ContosoRoot\SYSVOL\domain
Definition
Creates a junction point for the specified domain in the specified path location. The fully qualified domain name of the SYSVOL domain The drive letter and path to the SYSVOL root, for example, Drive:\FolderName\SYSVOL\domain or Drive:\FolderName\SYSVOL_DFSR\domain if SYSVOL has been migrated from File Replication Service (FRS) to Distributed File System (DFS) Replication
4. To verify the creation of the junction point, at the command prompt, type the following command, and then press ENTER:
dir /a:L
Verify the presence of the <JUNCTION> folder type and the value that you specified in step 3.
146
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To start the DFS Replication service or Netlogon service, or both, by using the Windows GUI 1. On the Start menu, point to Administrative Tools and then click Services. 2. In the Name column, right-click DFS Replication or Netlogon, and then click Restart. To start the DFS Replication service or Netlogon service, or both, by using the command line 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. To start the DFS Replication service, at the command prompt, type the following command, and then press ENTER:
net start dfsr
3. To start the Netlogon service, at the command prompt, type the following command, and then press ENTER:
net start netlogon
Notes You can use Event Viewer to verify that DFS Replication restarted correctly. In the DFS Replication log (in Applications and Services Logs), Event ID 1004 indicates that the service restarted. Look for Event IDs 1210, 1206, and 6102 to verify that the domain controller is running and ready for service. If you moved SYSVOL to a new location or relocated the staging areas folder, look for Event IDs 4604 and 6018, which indicate success. Event ID 7036 in the System event log reports that the Netlogon service is running. This event reports on all services that are stopped or started. Also verify that the Netlogon service is sharing the sysvol (SYSVOL share) and scripts (NETLOGON share) folders. At a command prompt, type net share, and then press ENTER.
147
functioning SYSVOL. Do not attempt to rebuild SYSVOL until you correct any problems that may be occurring with Distributed File System (DFS) Replication in a domain. Use the procedures in this section only on a domain controller that does not have a functioning SYSVOL. Task requirements The following tools are required to perform the procedures for this task: Active Directory Sites and Services Event Viewer Dcdiag.exe ADSI Edit Net.exe Regedit.exe Windows Explorer Mklink.exe
To complete this task, perform the following procedures in order: 1. Identify Replication Partners You will import the SYSVOL from a replication partner. 2. Check the Status of the SYSVOL and Netlogon Shares Perform this procedure on the replication partner from which you are copying SYSVOL to make sure that the SYSVOL tree that you copy from the partner is shared and replicating properly. 3. Verify Active Directory Replication Verify that replication is working on both replication partners. 4. Gather the SYSVOL Path Information 5. Restart the domain controller in Directory Services Restore Mode (DSRM) by using one of the following methods: Restart the Domain Controller in Directory Services Restore Mode Locally If you are sitting at the console of the domain controller, restart the domain controller locally in DSRM. Restart the Domain Controller in Directory Services Restore Mode Remotely If you are accessing the domain controller remotely using Remote Desktop Connection, restart the domain controller remotely in DSRM. 6. Stop the DFS Replication Service and Netlogon Service In DSRM, the DFS Replication service is stopped automatically. You have to stop only the Netlogon service. Both services restart automatically when you restart the domain controller normally after you complete the procedure to import the SYSVOL folder structure. 7. Import the SYSVOL Folder Structure 8. Check the Status of the SYSVOL and Netlogon Shares
148
149
Membership in Domain Admins, or equivalent, is required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To check the status of the SYSVOL and Netlogon shares 1. On the Start menu, point to Administrative Tools, and then click Services. 2. Verify that the DFS Replication service and the Netlogon service have a status of Started. If a service is stopped, click Restart. 3. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 4. To verify that the SYSVOL tree includes the sysvol and scripts shared folders, at the command prompt, type the following command, and then press ENTER:
net share
5. Check the list to be sure that it includes %systemroot%\SYSVOL\sysvol\ (the SYSVOL share) and %systemroot%\SYSVOL\sysvol\<Domain Name>\SCRIPTS (the NETLOGON share), where <Domain Name> is the domain of the new domain controller. Note If neither %systemroot%\SYSVOL\sysvol\ nor %systemroot%\SYSVOL\sysvol\<Domain Name>\SCRIPTS are present, see Verify Active Directory Replication. 6. Verify that the proper permissions are set for SYSVOL replication. At the command prompt, type the following command, and then press ENTER:
dcdiag /test:netlogons
Look for a message that states that <ComputerName> passed test NetLogons, where <ComputerName> is the name of the domain controller. If you do not see the passed test message, check the permissions that are set on the Scripts and Sysvol shared folders. For information about default SYSVOL permissions, see Reapply Default SYSVOL Security Settings.
150
To verify Active Directory replication 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER:
dcdiag /test:replications
Note For more detailed replication information, use the /v option. If this test fails, open Event Viewer and check for errors in the Directory Service log. Use the information in the ActiveDirectory_DomainService replication events to troubleshoot the problem.
Relocating the entire SYSVOL tree: Record the current and new path values in rows 1 through 5. Relocating the staging areas subtree only: Record the current and new path values in rows 2 and 5. Restoring and rebuilding SYSVOL: Record path information as follows: Record the current values from the domain controller that you are restoring in rows 1, 2, and 3. In the Current Value column in rows 4 and 5, record the values in the junction points that are located on the domain controller from which you are copying the SYSVOL folder structure. In the New Value column in rows 4 and 5, record the values in the junction points that are located on the domain controller whose SYSVOL you are rebuilding.
Parameter Current value New value
1 2 3 4 5
msDFSR-RootPath in AD DS msDFSR-StagingPath in AD DS SysVol Netlogon parameter in the registry Sysvol junction point Staging areas junction point
Controllers. 5. Double-click the container that represents a domain controller on which you can check the path information, double-click CN=DFSR-LocalSettings, and then click CN=Domain System Volume. 6. In the details pane, right-click CN=SYSVOL Subscription, and then click Properties. 7. Click Filter. Ensure that Show mandatory attributes is selected. Select this option if it is not selected. 8. In Attributes, locate msDFSR-RootPath and msDFSR-StagingPath, and then record the current values in rows 1 and 2, respectively, in the previous table. If you are moving SYSVOL, also record the new values for the new location in both rows. If you are moving the staging areas subtree, record the new path value in row 2. 9. Click Cancel to close the CN=Subscription Properties dialog box. To determine the SysVol Netlogon parameter value in the registry 1. Click Start, click Run, type regedit, and then press ENTER. 2. In Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. 3. In the details pane, double-click SysVol. The current value is listed in Value data. 4. Record the current value in row 3 of the previous table, and then click Cancel to close the Edit String dialog box. If you are moving SYSVOL, also record the new value for the new location. 5. Close Registry Editor. To determine the value in the sysvol junction point 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At the command prompt, change the directory to %systemroot%\SYSVOL\sysvol, or to the current location if SYSVOL has been moved from the default location. 3. To view the junction point for the sysvol folder, at the command prompt, type the following command, and then press ENTER:
dir /a:L
4. Record the current value in row 4 in the previous table. If you are moving SYSVOL, also record the new value for the new location. To determine the value in the staging areas junction point 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click 153
Continue. 2. At the command prompt, change the directory to %systemroot%\SYSVOL\staging areas or to the current location if the staging areas subtree has been moved from the default location. 3. To view the junction point for the staging areas folder, at the command prompt, type the following command, and then press ENTER:
dir /a:L
4. The output identifies the <JUNCTION> folder type and the value that is stored in the staging areas junction point in brackets. For example, the default value is [Drive:\ %systemroot%\SYSVOL\staging\domain] (or, if SYSVOL has been migrated from FRS to DFS Replication, [Drive:\%systemroot%\SYSVOL_DFSR\staging\domain]). Record the current value in row 5 of the previous table. If you are moving SYSVOL or the staging areas subtree, also record the new value for the new location.
parameters and controls. You can use the Windows graphical user interface (GUI) or the command line to restart the domain controller in DSRM: Windows GUI: System Configuration (Msconfig.msc) is an administrative tool that you can use to configure boot and startup options, including restarting in DSRM and normal mode. Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot configuration on a server that is running Windows Server 2008. You can use Bcdedit with shutdown commands to instruct the domain controller to restart in DSRM and to restart normally. When you are finished managing a domain controller in DSRM, if you have used System Configuration or Bcdedit.exe to restart the domain controller in DSRM, you must change the configuration so that the domain controller restarts in normal mode. Note A benefit of using System Configuration or Bcdedit.exe for implementing restart of a domain controller into DSRM is that normally the domain controller cannot be inadvertently restarted. This benefit is particularly useful when you are performing a nonauthoritative restore from backup followed by an authoritative restore. You can also use System Configuration or Bcdedit.exe to restart a domain controller in DSRM remotely. To use System Configuration or Bcdedit.exe and Remote Desktop Connection to restart a domain controller in DSRM remotely, see Restart the Domain Controller in Directory Services Restore Mode Remotely. Membership in the Domain Admins group is the minimum required complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM is required to log on to the domain controller in DSRM. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/? LinkId=83477. Important If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).
in DSRM. 4. Perform procedures in DSRM. 5. When you have finished performing procedures in DSRM, restart the domain controller normally: a. On the Start menu, point to Administrative Tools, and then click System Configuration. b. On the General tab, in Startup selection, click Normal startup, and then click OK. The domain controller restarts normally. To restart a domain controller in DSRM locally by using the command line 1. Click Start, click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, and then click OK. 2. At the command prompt, type the following command, and then press ENTER:
bcdedit /set safeboot dsrepair
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
4. When you are still in DSRM and you are ready to restart in normal mode, open a command prompt and type the following, and then press ENTER:
bcdedit /deletevalue safeboot
5. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
Value
Description
Configures the boot process to start in DSRM. Shuts down the server and restarts it. Returns the boot process to the previous setting.
See Also
Restart the Domain Controller in Directory Services Restore Mode Remotely
156
Admins, Domain Admins, Backup Operators, Print Operators, and Server Operators have the user right to log on locally to a domain controller by default. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. Important If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. Using a domain administrative account to log on to an RODC can compromise the server. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728). To restart a domain controller in DSRM remotely by using the Windows GUI 1. Connect to the remote domain controller that is running in normal mode: a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection. b. In Computer, type the name of the domain controller that you want to restart, and then click Connect. c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK. d. When you are connected, log on to the domain controller as a domain administrator. 2. On the Start menu, point to Administrative Tools, and then click System Configuration. 3. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK. 4. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped. 5. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection. 6. The domain controller name should still be showing in Computer. If it is not, select it from the list, and then click Connect. 7. In the Windows Security dialog box, click Use another account. 8. In User name, type the following: MachineName\Administrator Where MachineName is the name of the domain controller. 9. In Password, type the DSRM password, and then click OK. 10. At the logon screen of the remote domain controller, click Switch User, and then click Other User. 11. Type MachineName\Administrator, and then press ENTER. 158
12. Perform procedures in DSRM. 13. When you have finished performing procedures in DSRM, restart the domain controller normally: a. On the Start menu, point to Administrative Tools, and then click System Configuration. b. On the General tab, in Startup selection, click Normal startup, and then click OK. The domain controller restarts normally. This procedure will disconnect your remote session. To restart a domain controller in DSRM remotely by using the command line 1. Connect to the remote domain controller that is running in normal mode: a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection. b. In Computer, type the name of the domain controller that you want to restart, and then click Connect. c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK. d. When you are connected, log on to the domain controller as a domain administrator. 2. Open a command prompt. At the command prompt, type the following command, and then press ENTER:
bcdedit /set safeboot dsrepair
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped. 4. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection. 5. The domain controller name should still be showing in Computer. If it is not, select it in the list, and then click Connect. 6. In the Windows Security dialog box, click Use another account. 7. In User name, type the following: MachineName\Administrator Where MachineName is the name of the domain controller. 8. In Password, type the DSRM password, and then click OK. 9. At the logon screen of the remote domain controller, click Switch User, and then click Other User.
159
10. Type MachineName\Administrator, and then press ENTER. 11. Perform procedures in DSRM. 12. When you have finished performing procedures in DSRM, restart the domain controller normally: a. In DSRM, open a command prompt, type the following command, and then press ENTER:
bcdedit /deletevalue safeboot
b. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 r
The domain controller restarts normally. This procedure will disconnect your remote session.
Value Description
Configures the boot process to start in DSRM. Shuts down the server and restarts it. Returns the boot process to the previous setting.
See Also
Enable Remote Desktop Create a Remote Desktop Connection Restart the Domain Controller in Directory Services Restore Mode Locally
160
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To stop the DFS Replication service or Netlogon service, or both, by using the Windows GUI 1. On the Start menu, point to Administrative Tools, and then click Services. 2. In the Name column, right-click DFS Replication or Netlogon, and then click Stop. To stop the DFS Replication service and the Netlogon service by using the command line 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER:
net stop dfsr
3. At the command prompt, type the following command, and then press ENTER:
net stop netlogon
After you move or restore SYSVOL, when you update the SYSVOL Netlogon path in the registry, you must also update the SysvolReady parameter in Netlogon parameters, as described in Change the SYSVOL Netlogon Parameters.
161
You have stopped the Netlogon service on the target domain controller after restarting the domain controller in DSRM. The Distributed File System (DFS) Replication service is stopped automatically when you restart the domain controller in DSRM. The default shared folder ADMIN$ must exist on the domain controller from which you plan to copy the SYSVOL folder structure. Some organizations remove this shared folder or rename it for security reasons. If this shared folder is not available, you must share the %systemroot% folder and name the share ADMIN$. Note To view the shared folders to see whether ADMIN$ is shared, on the source domain controller, open Server Manager. In the navigation pane for the domain controller, view Roles and File Services, and then click Share and Storage Management. As an alternative, you can open a command prompt and type net share at the command prompt. If the ADMIN$ share has been renamed, use the name that is assigned by your organization instead of ADMIN$ as you complete this procedure. You have determined the target domain controller values for rows 4 (Sysvol junction point) and 5 (Staging areas junction point) in the table you that created in Gather the SYSVOL Path Information. This procedure has the following follow-up requirements: If you share the %systemroot% folder on the source domain controller to complete this procedure, be sure to remove the share after the procedure is complete to maintain any security policies that are established on your network. On the target domain controller, perform the verification tests in Check the Status of the SYSVOL and Netlogon Shares. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure on the domain controller from which you are copying SYSVOL. The DSRM administrator password is the minimum required to complete this procedure on the controller to which you are importing SYSVOL. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To import the SYSVOL folder structure 1. On the domain controller to which you are importing the SYSVOL folder structure, open Windows Explorer. 2. Navigate to the existing SYSVOL folder that you are rebuilding, and then delete it. 3. Map a network drive to the ADMIN$ shared directory on the domain controller that you identified earlier as the replication partner from which you plan to copy the SYSVOL folder structure. 4. When you are connected to the ADMIN$ share, verify that a folder labeled SYSVOL appears. Right-click the SYSVOL folder, and then click Copy. 5. In the same ADMIN$ shared directory, right-click some blank space, and then click Paste. 162
6. Verify that the original SYSVOL folder and a new folder labeled SYSVOL Copy both appear. Right-click SYSVOL - Copy, and then click Rename. Type SYSVOL2, and then press ENTER. 7. Open a Command Prompt. At the command prompt, change to the drive letter that represents the connection to the remote domain controller where you created the SYSVOL2 folder. 8. Change the directory to SYSVOL2\sysvol. 9. Type dir /a:L, and then press ENTER. Verify that <JUNCTION> appears in the command output and that it is followed by the name of the domain. 10. You must update the path in this junction point so that it references the new location on the target domain controller. At the command prompt, type the following command, and then press ENTER:
mklink <FQDN> <newpath>
Where <FQDN> is the fully qualified domain name (FQDN) and <newpath> is the new value that you recorded in row 4 of the table in Gather the SYSVOL Path Information. 11. If the staging areas subfolder has been relocated and it is no longer inside the SYSVOL folder, skip steps 11 and 12, and proceed to step 13. If the staging areas subfolder has not been relocated, at a command prompt, change the directory to \SYSVOL2\staging areas under the copy of SYSVOL that you created. Type dir to list the contents, and verify that <JUNCTION> appears in the output of the dir command. 12. Update the junction so that it points to the new location on the target domain controller. At the command prompt, type the following command, and then press ENTER:
linkd <junctionname> <newpath>
Where <newpath> is the new value that you recorded in row 5 of the table in Gather the SYSVOL Path Information. 13. At the command prompt, change back to the %systemroot% directory for the domain controller that is receiving the imported SYSVOL. 14. At the command prompt, use the robocopy command-line tool to copy the contents of the \SYSVOL2 folder that you created to a new SYSVOL folder on your local drive. At the command prompt, type the following command, and then press ENTER:
robocopy <Source Folder> <Destination Folder> /copyall /mir /b /r:0 /xd "DfsrPrivate" /xf "DfsrPrivate"
163
Parameter
Description
Drive letter and path to the SYSVOL2 directory on the source domain controller. Drive letter and path to the parent location of the SYSVOL folder that you deleted in step 2 on the local domain controller. For example, if you deleted the original SYSVOL folder from C:\Windows\SYSVOL, the path in <Destination Folder> is C:\Windows. Copies the following file information: data, attributes, time stamps, NTFS access control list (ACL), owner information, and auditing information. Mirrors the directory tree that you are copying. Copies files in backup mode. Backup mode allows Robocopy to override file and folder permission settings (ACLs). Specifies performing 0 (zero) retries on failed copies. Excludes the DfsrPrivate directory from the copy. Excludes the DfsrPrivate file from the copy.
/copyall
/mir /b
15. Verify that the folder structure copied correctly. Compare the new folder structure to the SYSVOL (not SYSVOL2) folder structure on the remote (source) domain controller. Open a command prompt, and type dir /s to list the contents of the folders and subfolders. Ensure that all folders exist. 16. Delete the SYSVOL2 folder that you created on the remote domain controller. 17. If you shared the %systemroot% folder and created an ADMIN$ share on the remote domain controller, remove the ADMIN$ share. Disconnect from the remote domain controller. 18. Restart the domain controller in normal mode. When you restart the domain controller, the Netlogon service and the DFS Replication service start automatically.
See Also
Check the Status of the SYSVOL and Netlogon Shares 164
Adding subsequent global catalog servers within the same site requires only intrasite replication and does not affect network performance. Replication of the global catalog potentially affects network performance only when you add the first global catalog server in the site. The impact of this replication varies, depending on the following conditions: The speed and reliability of the WAN link or links to the site The size of the forest
For example, in a forest that has a large hub site, five domains, and thirty small branch sites (some of which are connected by only dial-up connections), global catalog replication to the small sites takes considerably longer than replication of one or two domains to a few well-connected sites.
166
You might decide to remove the global catalog from a domain controller if universal group membership caching is adequate to satisfy logon requirements in a particular site where WAN link speeds are not adequate for the global catalog. For more information, see Enabling Universal Group Membership Caching in a Site. For more information about global catalog removal, see How the Global Catalog Works (http://go.microsoft.com/fwlink/?LinkID=107063).
To complete this task, perform the following procedures. Note Some procedures are performed only when you are configuring the first global catalog server in a site. 1. Determine Whether a Domain Controller Is a Global Catalog Server 2. Designate a Domain Controller to Be a Global Catalog Server 3. Monitor Global Catalog Replication Progress 167
2. In the console tree, expand the Sites container, and then expand the site in which you are designating a global catalog server. 3. Expand the Servers container, and then expand the Server object for the domain controller that you want to designate as a global catalog server. 4. Right-click the NTDS Settings object for the target server, and then click Properties. 5. Select the Global Catalog check box, and then click OK.
Parameter
Description
Specifies the name of the global catalog server that you want to monitor. Finds the percentage of replication, and provides extended information. 169
3. Repeat this command periodically to monitor progress. If the test shows no output, replication has completed.
If @ [Never] appears in the output for a directory partition, replication of that directory partition has never succeeded from the identified source replication partner over the listed connection. Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To verify successful replication to a domain controller 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER:
repadmin /showrepl <servername> /u:<domainname>\<username> /pw:*
Note The user credential parameters (/u:<domainname>\<username> /pw:*) are not required for the domain of the user if the user has opened the Command Prompt as an administrator with Domain Admins credentials or is logged on to the domain controller as a member of Domain Admins or equivalent. However, if you run the command for a domain controller in a different domain in the same Command Prompt session, you must provide credentials for an account in that domain.
170
Value
Description
repadmin /showrepl
Displays the replication status for the last time that the domain controller that is named in <servername> attempted inbound replication of Active Directory partitions. The name of the destination domain controller. Specifies the domain name and user name, separated by a backslash, for a user who has permissions to perform operations in AD DS. The single-label name of the domain of the destination domain controller. (You do not have to use a fully qualified Domain Name System (DNS) name.) The name of an administrative account in that domain. Specifies the domain password for the user named in <username>. * provides a Password: prompt when you press ENTER.
<servername> /u:
<domainname>
<username> /pw:*
3. At the Password: prompt, type the password for the user account that you provided, and then press ENTER. You can also use repadmin to generate the details of replication to and from all replication partners in a Microsoft Excel spreadsheet. The spreadsheet displays data in the following columns: Showrepl_COLUMNS Destination DC Site Destination DC Naming Context Source DC Site Source DC Transport Type Number of Failures Last Failure Time Last Success Time Last Failure Status The following procedure creates this spreadsheet and sets column headings for improved readability.
171
To generate a repadmin /showrepl spreadsheet for all replication partners 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER:
repadmin /showrepl * /csv >showrepl.csv
3. Open Excel. 4. Click the Office button, click Open, navigate to showrepl.csv, and then click Open. 5. Hide or delete column A as well as the Transport Type column, as follows: 6. Select a column that you want to hide or delete. Or To delete the column, right-click the selected column, and then click Delete. 7. Select row 1 beneath the column heading row. On the View tab, click Freeze Panes, and then click Freeze Top Row. 8. Select the entire spreadsheet. On the Data tab, click Filter. 9. In the Last Success Time column, click the down arrow, and then click Sort Ascending. 10. In the Source DC column, click the filter down arrow, point to Text Filters, and then click Custom Filter. 11. In the Custom AutoFilter dialog box, under Show rows where, click does not contain. In the adjacent text box, type del to eliminate from view the results for deleted domain controllers. 12. Repeat step 11 for the Last Failure Time column, but use the value does not equal, and then type the value 0. 13. Resolve replication failures. The last successful attempt should agree with the replication schedule for intersite replication, or the attempt should be within the last hour for intrasite replication. If Repadmin reports any of the following conditions, see Troubleshooting Active Directory Replication Problems (http://go.microsoft.com/fwlink/?LinkID=93582): The last successful intersite replication was before the last scheduled replication. The last intrasite replication was longer than one hour ago. Replication was never successful. To hide the column, right-click the column, and then click Hide.
172
To complete this task, perform the following procedures: 1. Verify Global Catalog Readiness 2. Verify Global Catalog DNS Registrations
173
To verify global catalog readiness using the Windows interface 1. Click Start, click Run, type Ldp, and then click OK. 2. On the Connection menu, click Connect. 3. In Connect, type the name of the server whose global catalog readiness you want to verify. 4. In Port, if 389 is not showing, type 389. 5. If the Connectionless check box is selected, clear it, and then click OK. 6. In the details pane, verify that the isGlobalCatalogReady attribute has a value of TRUE. 7. On the Connection menu, click Disconnect, and then close Ldp. To verify global catalog readiness using a command prompt 1. Open a Command Prompt. 2. At the command prompt, type the following command, and then press ENTER:
nltest /server:<servername> /dsgetdc:<domainname>
Parameter
Description
<servername>
Specifies the name of the domain controller that you have designated as a global catalog server. Specifies the name of the domain to which the server belongs.
<domainname>
3. In the Flags: line of the output, if GC appears, the global catalog server has satisfied its replication requirements.
174
To verify global catalog DNS registrations 1. Click Start, point to Administrative Tools, and then click DNS. 2. Connect to a domain controller in the forest root domain: Right-click DNS, click Connect to DNS Server, and then click The following computer. Type the computer name, and then click OK. 3. Expand Forward Lookup Zones, and then expand the forest root domain. 4. Click the _tcp container. 5. In the details pane, look in the Name column for _gc and in the Data column for the name of the server. The records that begin with _gc are global catalog service (SRV) resource records.
175
To clear the global catalog setting 1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services. 2. Expand the Sites container, and then expand the site from which you are removing a global catalog server. 3. Expand the Servers container, and then expand the Server object for the domain controller from which you want to remove the global catalog. 4. Right-click the NTDS Settings object for the target server, and then click Properties. 5. If the Global Catalog check box is selected, clear the check box, and then click OK.
176
177
Careful placement of your operations masters becomes more important as you add more domains and sites as you build your forest.
In the forest root domain, transfer the three domain-level roles from the first domain controller that you installed in the forest root domain to an additional domain controller that has a high performance level. In all other domains, leave the domain-level roles on the first domain controller. Adjust the workload of the PDC emulator, if necessary.
Prepare additional domain controllers as standby operations masters Because the operations master roles are critical to proper forest and domain function, it is important to be prepared in the event that an operations master role holder becomes inoperable or unreachable. You can prepare an additional domain controller for the forest roles in the forest root domain and an additional domain controller for the domain roles in each domain by configuring them to be optimally connected to the respective current role holder so that role transfer occurs as quickly as possible. Place domain-level roles on a high-performance domain controller 178
The PDC emulator role requires a powerful and reliable domain controller to ensure that the domain controller is available and capable of handling the workload. Of all the operations master roles, the PDC emulator role creates the most overhead on the server that is hosting the role. It has the most intensive daily interaction with other systems on the network. The PDC emulator has the greatest potential to affect daily operations of the directory. Note If an RODC is installed in the domain, the PDC emulator role must be placed on a domain controller that is running Windows Server 2008. Domain controllers can become overloaded while attempting to service client requests on the network, manage their own resources, and handle any specialized tasks, such as performing the various operations master roles. This is especially true of the domain controller that holds the PDC emulator role. Again, clients running operating systems earlier than Windows 2000 Server and domain controllers running Windows NT Server 4.0 rely more heavily on the PDC emulator than AD DS clients and domain controllers. If your networking environment has clients and domain controllers running operating systems earlier than Windows 2000 Server, you might need to reduce the workload of the PDC emulator. If a domain controller begins to indicate that it is overloaded and its performance is affected, you can reconfigure the environment so that some tasks are performed by other, less-used domain controllers. By adjusting the domain controllers weight in the Domain Name System (DNS) environment, you can configure the domain controller to receive fewer client requests than other domain controllers on your network. As an option, you can adjust the domain controllers priority in the DNS environment so that it processes client requests only if other DNS servers are unavailable. With fewer DNS client requests to process, the domain controller can use more resources to perform operations master services for the domain. Do not place domain-level roles on a global catalog server The infrastructure master is incompatible with the global catalog, and it must not be placed on a global catalog server. Because it is best to keep the three domain-level roles together for ease of administration, avoid putting any of them on a global catalog server. The infrastructure master updates objects for any attribute values with distinguished name (dn) syntax that reference objects outside the current domain. These updates are particularly important for security principal objects (users, computers, and groups). For example, suppose a user from one domain is a member of a group in a second domain and the users surname (the sn attribute on the user object) is changed in the first domain. This change usually also changes the dn attribute value of the user object, which is the value that is used in the member attribute of group objects. Because domain controllers in one domain do not replicate security principals to domain controllers in another domain, the second domain never receives the change. An out-of-date value on the member attribute of a group in another domain could result in the user whose name has changed being denied privileges. To ensure consistency between domains, the infrastructure master constantly monitors group memberships, looking for member attribute values that identify security principals from other domains. If it finds one, it compares its distinguished name with the distinguished name in the domain of the security principal to determine if the information has
179
changed. If the information on the infrastructure master is out of date, the infrastructure master performs an update and then replicates the change to the other domain controllers in its domain. Two exceptions apply to this rule: 1. If all the domain controllers are global catalog servers, the domain controller that hosts the infrastructure master role is insignificant because global catalog servers replicate updated security principal information to all other global catalog servers. 2. If the forest has only one domain, the infrastructure master role is not needed because security principals from other domains do not exist. Leave forest-level roles on the original domain controller in the forest root domain The first domain controller that is installed in the forest automatically receives the schema master and domain naming master roles. It also hosts the global catalog. To ease administration and backup and restore procedures, leave these roles on the original forest root domain controller. The roles are compatible with the global catalog, and moving the roles to other domain controllers does not improve performance. Separating the roles creates additional administrative overhead when you must identify the standby operations masters and when you implement a backup and restore policy. Unlike the PDC emulator role, forest-level roles rarely place a significant burden on the domain controller. Keep these roles together to provide easy, predictable management. In the forest root domain, transfer domain-level roles from the first domain controller The three domain-level roles are assigned to the first domain controller that is created in a new domain. In the case of the forest root domain, the first domain controller that is created in the domain hosts both forest-level roles and all three domain-level roles, as well as the global catalog. The infrastructure master role is incompatible with the global catalog. For this reason, when you install the second domain controller in the forest root domain, the Active Directory Domain Services Installation Wizard prompts you to allow the wizard to transfer the role during installation of AD DS. Following installation of the second domain controller, consider transferring the PDC emulator and RID master roles to the second domain controller, as well, to keep the three roles together for easy administration. In all other domains, leave domain-level roles on the first domain controller Except for the forest root domain, leave the domain-level roles on the first domain controller that you install in the domain and do not configure that domain controller as a global catalog server. Keep the roles together unless the workload on your operations master justifies the additional management burden of separating the roles. Because all clients running non-Windows operating systems or Windows operating systems earlier than Windows 2000 Server submit updates to the PDC emulator, the domain controller holding that role uses a higher number of RIDs when the network hosts many of these clients. Place the PDC emulator and RID master roles on the same domain controller so that these two roles interact more efficiently. If you must separate the roles, you can still use a single standby operations master for all three roles. However, you must ensure that the standby is a replication partner of all three of the role holders. 180
Backup and restore procedures also become more complex if you separate the roles. Special care must be taken to restore a domain controller that hosted an operations master role. By hosting the roles on a single computer, you minimize the steps that are required to restore a role holder. Adjust the workload of the PDC emulator operations master role holder Depending on the size of the forest or domain, you might want to configure DNS so that client requests favor domain controllers other than the PDC emulator. The PDC emulator role has the highest load demands of all the operations master roles.
Inadequate service performance The PDC emulator is the operations master role that most affects the performance of a domain controller. For clients that do not run Active Directory client software, the PDC emulator processes requests for password changes, replication, and user authentication. While it provides support for these clients, the domain controller continues to perform its normal services, such as authenticating Active Directoryenabled clients. As the network grows, the volume of client requests can increase the workload for the domain controller that hosts the PDC emulator role and its performance can suffer. To solve this problem, you can transfer all or some of the operations master roles to another, more powerful domain controller. As an alternative, you may choose to transfer the role to another domain controller, upgrade the hardware on the original domain controller, and then transfer the role back again. Operations master failure In the event of a failure of an operations role holder, you must decide if you need to relocate the operations master roles to another domain controller or wait for the domain controller to be returned to service. Base that determination on the role that the domain controller hosts and the expected downtime. Decommissioning of the domain controller Before you take a domain controller offline permanently, transfer any operations master roles that the domain controller holds to another domain controller. When you use the Active Directory Installation Wizard to decommission a domain controller that currently hosts one or more operations master roles, the wizard reassigns the roles to a different 181
domain controller. When the wizard is run, it determines whether the domain controller currently hosts any operations master roles. If it detects any operations master roles, it queries the directory for other eligible domain controllers and transfers the roles to a new domain controller. A domain controller is eligible to host the domain-level roles if it is a member of the same domain. A domain controller is eligible to host a forest-level role if it is a member of the same forest. Configuration changes Configuration changes to domain controllers or the network topology can result in the need to transfer operations master roles. Except for the infrastructure master, you can assign operations master roles to any domain controller regardless of any other tasks that the domain controller performs. Do not host the infrastructure master role on a domain controller that is also acting as a global catalog server unless all the domain controllers in the domain are global catalog servers or unless the forest has only one domain. If the domain controller that hosts the infrastructure master role is configured to be a global catalog server, you must transfer the infrastructure master role to another domain controller. Changes to the network topology can result in the need to transfer operations master roles to keep them in a particular site. Note Do not change the global catalog configuration on the domain controller that you intend to assume an operations master role unless your information technology (IT) management authorizes that change. Changing the global catalog configuration can cause changes that can take days to complete, and the domain controller might not be available during that period. Instead, transfer the operations master roles to a different domain controller that is already configured properly. You can reassign an operations master role by transfer or, as a last resort, by seizure. Important If you must seize an operations master role, never reattach the previous role holder to the network without following the procedures in this guide. Reattaching the previous role holder to the network incorrectly can result in invalid data and corruption of data in the directory.
182
Replication requirements
Before you transfer a role from the current role holder to the standby operations master, ensure that replication between the two computers is functioning properly. Because they are replication partners, the new operations master is already consistent with the original operations master, which reduces the time that is required for the transfer operation. During role transfer, the two domain controllers exchange any unreplicated information to ensure that no transactions are lost. If the two domain controllers are not direct replication partners, a substantial amount of information might have to be replicated before the domain controllers completely synchronize with each other. The role transfer requires extra time to replicate the outstanding transactions. If the two domain controllers are direct replication partners, fewer outstanding transactions exist and the role transfer operation completes sooner. Task requirements The following tools are required to perform the procedures for this task: Active Directory Sites and Services Repadmin.exe Determine Whether a Domain Controller Is a Global Catalog Server Create a Connection Object on the Operations Master and Standby Verify Successful Replication to a Domain Controller 183
184
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To create a connection object on the operations master and standby 1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services. 2. Expand the site name in which the current operations master role holder is located to display the Servers folder. 3. Expand the Servers folder to see a list of the servers in that site. 4. To create a connection object from the standby server on the current operations master, expand the name of the operations master server on which you want to create the connection object to display its NTDS Settings object. 5. Right-click NTDS Settings, click New, and then click Connection. 6. In the Find Active Directory Domain Controllers dialog box, select the name of the standby server from which you want to create the connection object, and then click OK. 7. In the New Object-Connection dialog box, enter an appropriate name for the connection object or accept the default name, and then click OK. 8. To create a connection object from the current operations master to the standby server, repeat steps 4 through 7, but in step 4, expand the name of the standby server. In step 6, select the name of the current operations master.
If @ [Never] appears in the output for a directory partition, replication of that directory partition has never succeeded from the identified source replication partner over the listed connection.
185
Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To verify successful replication to a domain controller 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER:
repadmin /showrepl <servername> /u:<domainname>\<username> /pw:*
Note The user credential parameters (/u:<domainname>\<username> /pw:*) are not required for the domain of the user if the user has opened the Command Prompt as an administrator with Domain Admins credentials or is logged on to the domain controller as a member of Domain Admins or equivalent. However, if you run the command for a domain controller in a different domain in the same Command Prompt session, you must provide credentials for an account in that domain.
Value Description
repadmin /showrepl
Displays the replication status for the last time that the domain controller that is named in <servername> attempted inbound replication of Active Directory partitions. The name of the destination domain controller. Specifies the domain name and user name, separated by a backslash, for a user who has permissions to perform operations in AD DS. The single-label name of the domain of the destination domain controller. (You do not have to use a fully qualified Domain Name System (DNS) name.) The name of an administrative account in that domain. Specifies the domain password for the user named in <username>. * provides a Password: prompt when you press ENTER.
<servername> /u:
<domainname>
<username> /pw:*
186
3. At the Password: prompt, type the password for the user account that you provided, and then press ENTER. You can also use repadmin to generate the details of replication to and from all replication partners in a Microsoft Excel spreadsheet. The spreadsheet displays data in the following columns: Showrepl_COLUMNS Destination DC Site Destination DC Naming Context Source DC Site Source DC Transport Type Number of Failures Last Failure Time Last Success Time Last Failure Status The following procedure creates this spreadsheet and sets column headings for improved readability. To generate a repadmin /showrepl spreadsheet for all replication partners 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER:
repadmin /showrepl * /csv >showrepl.csv
3. Open Excel. 4. Click the Office button, click Open, navigate to showrepl.csv, and then click Open. 5. Hide or delete column A as well as the Transport Type column, as follows: 6. Select a column that you want to hide or delete. Or To delete the column, right-click the selected column, and then click Delete. 7. Select row 1 beneath the column heading row. On the View tab, click Freeze Panes, and then click Freeze Top Row. 8. Select the entire spreadsheet. On the Data tab, click Filter. 9. In the Last Success Time column, click the down arrow, and then click Sort Ascending. 10. In the Source DC column, click the filter down arrow, point to Text Filters, and then 187 To hide the column, right-click the column, and then click Hide.
click Custom Filter. 11. In the Custom AutoFilter dialog box, under Show rows where, click does not contain. In the adjacent text box, type del to eliminate from view the results for deleted domain controllers. 12. Repeat step 11 for the Last Failure Time column, but use the value does not equal, and then type the value 0. 13. Resolve replication failures. The last successful attempt should agree with the replication schedule for intersite replication, or the attempt should be within the last hour for intrasite replication. If Repadmin reports any of the following conditions, see Troubleshooting Active Directory Replication Problems (http://go.microsoft.com/fwlink/?LinkID=93582): The last successful intersite replication was before the last scheduled replication. The last intrasite replication was longer than one hour ago. Replication was never successful.
authorizes that change. Changing the global catalog configuration can cause changes that can take days to complete, and the domain controller might not be available during that period. Instead, transfer the operations master roles to a different domain controller that is already properly configured.
189
3. Click Start, click Run, type mmc, and then click OK. 4. On the File menu, click Add/Remove Snap-in. 5. Under Available snap-ins, click Active Directory Schema, click Add, and then click OK. 6. To save this snap-in, on the File menu, click Save. 7. In the Save As dialog box, do one of the following: To place the snap-in in the Administrative Tools folder, in File name, type a name for the snap-in, and then click Save. To save the snap-in in a location other than the Administrative Tools folder, in Save in, navigate to a location for the snap-in. In File name, type a name for the snap-in, and then click Save. Caution Modifying the schema is an advanced operation that is best performed by experienced programmers and system administrators. For detailed information about modifying the schema, see Active Directory Schema (http://go.microsoft.com/fwlink/?LinkId=80809). Additional considerations To perform the Schmmgmt.dll registration portion of this procedure, you must be a member of the Domain Admins group in the domain or the Enterprise Admins group in the forest, or you must have been delegated the appropriate authority. Adding the Active Directory Schema snapin to MMC requires only membership in the Domain Users group. However, making changes to the schema requires membership in the Schema Admins group. The Windows Server 2008 Administration Tools Pack cannot be installed on computers running Windows XP Professional or Windows Server 2003.
190
191
192
You might want to transfer a domain-level operations master role if the domain controller that currently hosts the role is inadequate, has failed, or is being decommissioned. You can transfer all domain roles by using the Active Directory Users and Computers snap-in. Note You perform these procedures by using a Microsoft Management Console (MMC) snap-in, although you can also transfer these roles by using Ntdsutil.exe. For information about using Ntdsutil.exe to transfer the operations master roles, see Ntdsutil (http://go.microsoft.com/fwlink/?LinkID=120970.) For information about the ntdsutil command, can also type ? at the Ntdsutil.exe command prompt. Before you perform this procedure, you must identify the domain controller to which you will transfer the operations master role. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To transfer a domain-level operations master role 1. Open Active Directory Users and Computers: On the Start menu, point to Administrative Tools, and then click Active Directory Users and Computers. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At the top of the console tree, right-click Active Directory Users and Computers, and then click Change Active Directory Domain Controller. 3. Ensure that the correct domain name is entered in Look in this domain. The available domain controllers from this domain are listed. 4. In the Name column, click the name of the domain controller to which you want to transfer the role, and then click OK. 5. At the top of the console tree, right-click Active Directory Users and Computers, and then click Operations Masters. The name of the current operations master role holder appears in the Operations master box. The name of the domain controller to which you want to transfer the role appears in the lower box. 193
6. Click the tab for the operations master role that you want to transfer: RID, PDC, or Infrastructure. Verify the computer names that appear, and then click Change. Click Yes to transfer the role, and then click OK. 7. Repeat steps 5 and 6 for each role that you want to transfer.
4. At the server connections: prompt, type connect to server <servername>, where <servername> is the name of the domain controller that belongs to the domain that contains the operations masters. 5. After you receive confirmation of the connection, type quit, and then press ENTER to exit this menu. 6. At the fsmo ENTER.
maintenance:
operation target,
7. At the select operations target: prompt, type list then press ENTER.
The system responds with a list of the current roles and the Lightweight Directory Access Protocol (LDAP) name of the domain controllers that are currently assigned to host each role. 194
8. Type quit, and then press ENTER to exit each prompt in Ntdsutil.exe. At the ntdsutil: prompt, type quit, and then press ENTER to close the window.
To complete this task, perform the following procedure: Verify replication to the domain controller that will be seizing the role.
If @ [Never] appears in the output for a directory partition, replication of that directory partition has never succeeded from the identified source replication partner over the listed connection. Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To verify successful replication to a domain controller 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER:
repadmin /showrepl <servername> /u:<domainname>\<username> /pw:*
Note The user credential parameters (/u:<domainname>\<username> /pw:*) are not required for the domain of the user if the user has opened the Command Prompt as an administrator with Domain Admins credentials or is logged on to the domain controller as a member of Domain Admins or equivalent. However, if you run the command for a domain controller in a different domain in the same Command Prompt session, you must provide credentials for an account in that domain.
196
Value
Description
repadmin /showrepl
Displays the replication status for the last time that the domain controller that is named in <servername> attempted inbound replication of Active Directory partitions. The name of the destination domain controller. Specifies the domain name and user name, separated by a backslash, for a user who has permissions to perform operations in AD DS. The single-label name of the domain of the destination domain controller. (You do not have to use a fully qualified Domain Name System (DNS) name.) The name of an administrative account in that domain. Specifies the domain password for the user named in <username>. * provides a Password: prompt when you press ENTER.
<servername> /u:
<domainname>
<username> /pw:*
3. At the Password: prompt, type the password for the user account that you provided, and then press ENTER. You can also use repadmin to generate the details of replication to and from all replication partners in a Microsoft Excel spreadsheet. The spreadsheet displays data in the following columns: Showrepl_COLUMNS Destination DC Site Destination DC Naming Context Source DC Site Source DC Transport Type Number of Failures Last Failure Time Last Success Time Last Failure Status The following procedure creates this spreadsheet and sets column headings for improved readability.
197
To generate a repadmin /showrepl spreadsheet for all replication partners 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER:
repadmin /showrepl * /csv >showrepl.csv
3. Open Excel. 4. Click the Office button, click Open, navigate to showrepl.csv, and then click Open. 5. Hide or delete column A as well as the Transport Type column, as follows: 6. Select a column that you want to hide or delete. Or To delete the column, right-click the selected column, and then click Delete. 7. Select row 1 beneath the column heading row. On the View tab, click Freeze Panes, and then click Freeze Top Row. 8. Select the entire spreadsheet. On the Data tab, click Filter. 9. In the Last Success Time column, click the down arrow, and then click Sort Ascending. 10. In the Source DC column, click the filter down arrow, point to Text Filters, and then click Custom Filter. 11. In the Custom AutoFilter dialog box, under Show rows where, click does not contain. In the adjacent text box, type del to eliminate from view the results for deleted domain controllers. 12. Repeat step 11 for the Last Failure Time column, but use the value does not equal, and then type the value 0. 13. Resolve replication failures. The last successful attempt should agree with the replication schedule for intersite replication, or the attempt should be within the last hour for intrasite replication. If Repadmin reports any of the following conditions, see Troubleshooting Active Directory Replication Problems (http://go.microsoft.com/fwlink/?LinkID=93582): The last successful intersite replication was before the last scheduled replication. The last intrasite replication was longer than one hour ago. Replication was never successful. To hide the column, right-click the column, and then click Hide.
198
5. At the server connections: prompt, type connect to server<servername> (where <servername> is the name of the domain controller that will assume the operations master role), and then press ENTER. 6. After you receive confirmation of the connection, type quit, and then press ENTER. 7. Depending on the role that you want to seize, at the fsmo the appropriate command, and then press ENTER.
Role Credentials
maintenance:
prompt, type
Command
Domain naming master Schema master Infrastructure master Primary domain controller (PDC) emulator RID master
Enterprise Admins Enterprise Admins Domain Admins Domain Admins Domain Admins
Seize domain naming master Seize schema master Seize infrastructure master Seize pdc Seize rid master
The system asks for confirmation. It then attempts to transfer the role. When the transfer 199
fails, some error information appears and the system proceeds with the seizure of the role. After the seizure of the role is complete, a list of the roles and the Lightweight Directory Access Protocol (LDAP) name of the server that currently holds each role appears. During seizure of the relative ID (RID) operations master role, the current role holder attempts to synchronize with its replication partners. If it cannot establish a connection with a replication partner during the seizure operation, it displays a warning and asks for confirmation that you want the seizure of the role to proceed. Click Yes to proceed. 8. Type quit, and then press ENTER. Type quit again, and then press ENTER to exit Ntdsutil.exe.
4. At the server connections: prompt, type connect to server <servername>, where <servername> is the name of the domain controller that belongs to the domain that contains the operations masters. 5. After you receive confirmation of the connection, type quit, and then press ENTER to exit this menu. 6. At the fsmo ENTER.
maintenance:
operation target,
200
7. At the select operations target: prompt, type list then press ENTER.
and
The system responds with a list of the current roles and the Lightweight Directory Access Protocol (LDAP) name of the domain controllers that are currently assigned to host each role. 8. Type quit, and then press ENTER to exit each prompt in Ntdsutil.exe. At the ntdsutil: prompt, type quit, and then press ENTER to close the window.
Changing the weight for DNS service (SRV) resource records in the registry
Changing the weight of a domain controller to a value less than that of other domain controllers reduces the number of clients that Domain Name System (DNS) refers to that domain controller. This value is stored in the LdapSrvWeight registry entry. The default value is 100, but it can range from 0 through 65535. When you lower this value on a domain controller, DNS refers clients to that domain controller less frequently based on the proportion of this value to the value on other domain controllers. For example, to configure the system so that the domain controller that hosts the PDC 201
emulator role receives requests only half as many times as other domain controllers, configure the weight of the domain controller that host the PDC emulator role to be 50. Assuming that other domain controllers use the default weight value of 100, DNS determines the weight ratio for that domain controller to be 50/100 (50 for that domain controller and 100 for the other domain controllers). After you reduce this ratio to 1/2, DNS refers clients to the other domain controllers twice as often as it refers to the domain controller with the reduced weight setting. By reducing client referrals, the domain controller receives fewer client requests and has more resources for other tasks, such as performing the role of PDC emulator.
Changing the priority for DNS service (SRV) resource records in the registry
Changing the priority of a domain controller also reduces the number of client referrals to it. However, rather than reducing access to the domain controller proportionally with regard to the other domain controllers, changing the priority causes Domain Name System (DNS) to stop referring all clients to this domain controller unless all domain controllers with a lower priority setting are unavailable. To prevent clients from sending all requests to a single domain controller, the domain controllers are assigned a priority value. This value is stored in the LdapSrvPriority registry entry. The default value is 0, but it can range from 0 through 65535. The client uses the priority value to help determine to which domain controller it sends requests. When a client uses DNS to discover a domain controller, the priority for a given domain controller is returned to the client with the rest of the DNS information. Clients always send requests to the domain controller that has the lowest priority value. If more than one domain controller has the same value, the clients randomly choose from the group of domain controllers with the same value. If no domain controllers with the lowest priority value are available, the clients send requests to the domain controller with the next highest priority. Therefore, raising the value of the LdapSrvPriority registry entry on the PDC emulator can reduce its chances of receiving client requests. Task requirements The following tool is required to perform the procedures for this task: Regedit.exe To complete this task, perform the following procedures: 1. Change the Weight for DNS Service (SRV) Resource Records in the Registry 2. Change the Priority for DNS Service (SRV) Resource Records in the Registry
202
Change the Weight for DNS Service (SRV) Resource Records in the Registry
You can use this procedure to reduce the workload on the primary domain controller (PDC) emulator operations master by changing the weight for Domain Name System (DNS) service (SRV) resource records in the registry. Caution Registry Editor bypasses standard safeguards, which allows settings that can damage your system or even require you to reinstall Windows. If you must edit the registry, back up critical volumes first. For information about backing up critical volumes, see Administering Active Directory Backup and Recovery. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To change the weight for DNS service (SRV) resource records in the registry 1. Open Registry Editor as an administrator: Click Start and then, in Start Search, type regedit. At the top of the Start menu, right-click regedit, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. 2. In Registry Editor, navigate to HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. 3. Click Edit, click New, and then click DWORD (32-BIT)Value. 4. For the new value name, type LdapSrvWeight, and then press ENTER. 5. Double-click the value name that you just typed to open the Edit DWORD (32-BIT) Value dialog box. 6. Enter a value from 0 through 65535. The default value is 100. 7. Choose Decimal as the Base option, and then click OK. 8. Click File, and then click Exit to close Registry Editor.
Change the Priority for DNS Service (SRV) Resource Records in the Registry
You can use this procedure to reduce the workload on the primary domain controller (PDC) emulator operations master by changing the priority for Domain Name System (DNS) service (SRV) resource records in the registry.
203
Caution Registry Editor bypasses standard safeguards, which allows settings that can damage your system or even require you to reinstall Windows. If you must edit the registry, back up critical volumes first. For information about backing up critical volumes, see Administering Active Directory Backup and Recovery. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To change the priority for DNS SRV records in the registry 1. Open Registry Editor as an administrator: Click Start and then, in Start Search, type regedit. At the top of the Start menu, right-click regedit, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. 2. In Registry Editor, navigate to HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. 3. Click Edit, click New, and then click DWORD (32-BIT) Value. 4. For the new value name, type LdapSrvPriority, and then press ENTER. 5. Double-click the value name that you just typed to open the Edit DWORD (32-BIT) Value dialog box. 6. Enter a value from 0 through 65535. The default value is 0. 7. Choose Decimal as the Base option, and then click OK. 8. Click File, and then click Exit to close Registry Editor.
204
Backing up AD DS
Backup procedures have changed in Windows Server 2008, as compared to previous versions of Windows Server. A new backup tool, Windows Server Backup, replaces NtBackup as the tool that you use to back up AD DS. You cannot use Ntbackup to back up servers running Windows Server 2008. In Windows Server 2008, you can perform three types of backup: System state backup, which includes all the files that are required to recover AD DS Critical-volumes backup, which includes all the volumes that contain system state files Full server backup, which includes all volumes on the server
You can use the Windows Server Backup graphical user interface (GUI) to perform critical-volumes backups and full server backups. You can use the Windows Server Backup command-line tool, Wbadmin.exe, to perform all types of backup, including system state backup. For more information about backing up domain controllers, see Backing Up Active Directory Domain Services.
Recovering AD DS
You can recover from Active Directory corruption or inconsistency by performing a restore operation to return AD DS to its state at the time of the latest backup. Restoring from backup as a method of recovering AD DS should not be undertaken as the primary method of recovering from an error or failure condition, but as a last resort. Assuming that a restore operation is appropriate to recover the domain controller, requirements for recovering AD DS relate to the age of the backup, as follows:
205
The primary requirement for recovering AD DS is that the backup you use must not be older than a tombstone lifetime, which is the number of days that deletions are retained in the directory. In forests that are created on servers running Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with SP2, or Windows Server 2008, the default value of the tombstone lifetime is 180 days. The default value is 60 days in forests that are created on servers running Windows 2000 Server or Windows Server 2003. AD DS protects itself from restoring data that is older than the tombstone lifetime by not allowing the restore. Important Always check the tombstone lifetime value before you use a backup to restore AD DS. Even if you are sure of the default value for your environment, the tombstone lifetime value might have been changed administratively in AD DS. Use ADSI Edit to view the value in the tombstoneLifetime attribute on the object CN=Directory Service,CNWindows NT,CN=Services,CN=Configuration,DC=ForestRootDomain. Do not modify system clocks in an attempt to improperly extend the useful life of a system state backup. Skewed time can cause serious problems in cases where directory data is time sensitive. You can recover AD DS by restoring a backup in the following ways: Nonauthoritative restore: Use this process to restore AD DS to its state at the time of the backup, and then allow Active Directory replication to update the restored domain controller to the current state of AD DS. Authoritative restore: Use this process to recover objects that have been deleted from AD DS. Authoritative restore does not allow replication to overwrite the restored deletions. Instead, the restored objects replicate authoritatively to the other domain controllers in the domain. Note Be aware that additions of data that are made between the time of the backup and the authoritative restore process are not removed during the restore process. Authoritative restore focuses only on the deleted objects. Additional data is merged during the restore process. When recovering AD DS by restoring from backup is not possible, you must reinstall AD DS. Sometimes restoring from backup is possible but not feasible. For example, if a domain controller is needed quickly, it is sometimes faster to reinstall AD DS than to recover the domain controller. In cases of hardware failure or file corruption, you might have to reinstall the operating system and then either reinstall or restore AD DS. For more information about rationales and methods for recovering domain controllers, see Recovering Active Directory Domain Services.
Additional considerations
Backing Up Active Directory Domain Services Recovering Active Directory Domain Services 206
When you select Command-line Tools, you are prompted to install the required Windows PowerShell feature. You can use the Windows Server Backup command-line tool, Wbadmin.exe, to perform all types of backup, including system state backup. You can use the Windows Server Backup snap-in to back up entire volumes only, as follows: those volumes that contain system state files (critical-volumes backup) or all volumes (full server backup). The Windows Server Backup snap-in has two wizard options: a Backup Schedule Wizard and a Backup Once Wizard. To use one of the wizards for backing up critical volumes, you must know which volumes to select, or you can allow the wizard to select them when you specify that you want to enable system recovery. When you use the command-line tool for backing up critical volumes, the tool selects the correct volumes automatically. To back up system state, you must use the Wbadmin.exe command-line tool.
Critical volumes, which includes all volumes that contain system state files: The volume that hosts the boot files, which consist of the Bootmgr file and the Boot Configuration Data (BCD) store The volume that hosts the Windows operating system and the registry The volume that hosts the SYSVOL tree 208
The volume that hosts the Active Directory database The volume that hosts the Active Directory database log files
Full server, which includes all volumes on the server, including Universal Serial Bus (USB) drives. The backup does not include the volume where the backup is stored.
Can be used to recover from registry or directory service configuration errors (recover AD DS)
Yes
Yes
Yes
Can be used for full server No (bare-metal) recovery with Windows Recovery Environment (Windows RE) Can be used to recover from unbootable conditions Can be used to recover specific files and folders Can be created by using Windows Server Backup snap-in (GUI) Can be created by using Wbadmin.exe command line tool Has incremental backup support Can be stored on a DVD or on a network share if the backup is performed manually (is not a scheduled backup) Can use any of the No
Yes
Yes
Yes
Yes
No No
Yes Yes
Yes Yes
Yes
Yes
Yes
No* No
Yes Yes
? Yes**
Yes***
No
No 209
Feature
Critical-volumes backup
volumes that are included in the backup as the target volume Can be scheduled by No using the Windows Server Backup snap-in Yes Yes
* Each consecutive backup requires as much space as the first. To help manage the number of versions of system state backups that you store, you can use the wbadmin delete systemstatebackup command to remove old versions. For more information, see Wbadmin delete systemstatebackup (http://go.microsoft.com/fwlink/?LinkId=111836). ** Must be stored on a different hard disk from the source volumes, including external disks or DVDs. External storage devices must be connected to the backup computer. *** No, by default, but you can override the default by making a change in the registry. To store the system state backup on a volume that is included in the backup, you must add the AllowSSBToAnyVolume registry entry to the server that you are backing up. However, there are some known issues with storing system state backup on a volume that is included in the backup. For more information, see Known Issues for Backing Up Active Directory Domain Services.
Backup guidelines
The following guidelines for backup include the performance of backups to ensure redundancy of Active Directory data: Create daily backups of all unique data, including all domain directory partitions on global catalog servers. Create daily backups of critical volumes on at least two unique domain controllers, if possible. When you have environments with single-domain-controller forests, single-domaincontroller domains, or empty root domains, take special care to back up more often. Ensure that backups are available in sites where they are needed. Do not rely on copying a backup from a different site, which is very time consuming and can significantly delay recovery. Where domains exist in only one site, store additional backup files offsite in a secure location so that no backup file of a unique domain exists in only one physical site at any point in time. This precaution provides an extra level of redundancy in case of physical disaster or theft. Make sure that your backups are stored in a secure location at all times. Back up volumes that store Domain Name System (DNS) zones that are not Active Directoryintegrated. You must be aware of the location of DNS zones and back up DNS servers accordingly. If you use Active Directoryintegrated DNS, DNS zone data is captured as part of system state and critical-volume backups on domain controllers that are also DNS servers. 210
If you do not use Active Directoryintegrated DNS, you must back up the zone volumes on a representative set of DNS servers for each DNS zone to ensure fault tolerance for the zone. Note The DNS server stores settings in the registry. Therefore, system state or critical-volume backup is required for DNS, regardless of whether the zone data is Active Directory integrated or stored in the file system. If you have application directory partitions in your forest, make sure that you make a backup of the domain controllers that replicate those application directory partitions. Create additional backups of domains in every geographic location where: Large populations of users exist. Critical populations of users exist, such as those who support company executives or operate critical business units. Mission-critical work is performed. A wide area network (WAN) outage would disrupt business.
The elapsed time that it takes to perform either of the following tasks would be cost prohibitive because of slow link speeds, the size of the directory database, or both: To create a domain controller in its intended domain over the network. Or To copy or transport installation media from a site where a backup exists to a site that has no backup for the purpose of performing an installation from media (IFM). Note You can use a system state or critical-volumes backup to restore only the domain controller on which the backup was generated or to create a new additional domain controller in the same domain by installing from restored backup media. You cannot use a system state or critical-volumes backup to restore a different domain controller or to restore a domain controller onto different hardware. You can only use a full server backup to restore a domain controller onto different hardware.
For information about scheduling backups of AD DS in Windows Server 2008, see Scheduling Regular Full Server Backups of a Domain Controller (http://go.microsoft.com/fwlink/? LinkId=118008).
The tombstone lifetime is changed administratively by changing the value in the tombstoneLifetime attribute of the object CN=Directory Service,CN=Windows NT,CN=Services,CN-Configuration,DC=ForestRootDomain. The tombstone lifetime value in an Active Directory forest defines the number of days that a domain controller preserves information about deleted objects. For this reason, this value also defines the useful life of a backup that you use for disaster recovery or installation from backup media.
Backup frequency
The frequency of your backups depends on criteria that vary for individual Active Directory environments. In most Active Directory environments, users, computers, and administrators make daily changes to directory objects, such as group membership or Group Policy. For example, computer accounts, including domain controller accounts, change their passwords every 30 days by default. Therefore, every day a percentage of computer passwords changes for domain controllers and domain client computers. Rolling the computer password of a domain controller back to a former state affects authentication and replication. A percentage of user passwords might also expire on a daily basis, and if they are lost as a result of domain controller failure, they must be reset manually. Generally, no external record of these changes exists except in AD DS. Therefore, the more frequently you back up domain controllers, the fewer problems you will encounter if you need to restore this type of information. The more Active Directory objects and domain controllers you have, the more frequent your backups should be. For example, in a large organization, to recover from the inadvertent deletion of a large organizational unit (OU) by restoring the domain from a backup that is days or weeks old, you might have to re-create hundreds of accounts that were created in that OU since the backup was made. To avoid re-creating accounts and potentially performing large numbers of manual
212
password resets, ensure that recent system state backups are always available to recover recent Create, Modify, and Delete operations.
213
To set a different Backup Latency Threshold (days) value, use Registry Editor (Regedit.exe) to create the entry as a REG_DWORD and provide the appropriate number of days. More information about the Windows Server Backup tools and backing up AD DS is available in the Step-by-Step Guide for Windows Server 2008 AD DS Backup and Recovery (http://go.microsoft.com/fwlink/?LinkId=93077), as follows: Whats New in AD DS Backup and Recovery? (http://go.microsoft.com/fwlink/? LinkId=118011) Known Issues for AD DS Backup and Recovery (http://go.microsoft.com/fwlink/? LinkID=117940) Best Practices for AD DS Backup and Recovery (http://go.microsoft.com/fwlink/? LinkId=118012) General Requirements for Backup Up and Recovering AD DS (http://go.microsoft.com/fwlink/?LinkId=118013) Scenario Overviews for Backing Up and Recovering AD DS (http://go.microsoft.com/fwlink/?LinkId=118014) Task requirements Before you back up a domain controller, see Performing an Unscheduled Backup of a Domain Controller (http://go.microsoft.com/fwlink/?LinkId=118015). The following tools, media, and credentials are required to perform the procedures for this task: Windows Server Backup: Windows Server Backup snap-in (Wbadmin.msc) Windows Server Backup command-line tool (Wbadmin.exe) Internal or external hard disk drive Shared network folder Writable DVD
Builtin Administrator credentials to schedule backups, or Backup Operator credentials to perform unscheduled backups To complete this task, you can perform the procedures in the following topics, depending on your backup needs: Perform a Backup of Critical Volumes of a Domain Controller by Using the GUI (Windows Server Backup) Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin) Perform a Full Server Backup of a Domain Controller by Using the GUI (Windows Server Backup) Perform a Full Server Backup of a Domain Controller by Using the Command Line (Wbadmin)
214
You cannot perform or schedule system state backups by using Windows Server Backup. You must use the Wbadmin.exe command-line tool. You cannot schedule weekly or monthly backups by using Windows Server Backup. However, you can use Task Scheduler to schedule manual backups that are performed at different times of the week. A system state backup and recovery includes Active Directoryintegrated Domain Name System (DNS) zones but does not include file-based DNS zones. To back up and restore filebased DNS zones, you have to back up and recover the entire volume that hosts the files. The target volume for a system state backup cannot be a source volume by default. A source volume is any volume that has a file that is included in the backup. Therefore, the target volume cannot be any volume that hosts the operating system, Ntds.dit file, Ntds log files, or SYSVOL directory. To change this restriction, you can add the AllowSSBToAnyVolume registry entry to the server. However, there are known issues with storing a system state backup on a source volume: Backups can fail. The backup can be modified during the backup process, which might cause the backup to fail. Use of target space is inefficient. Twice the amount of space is necessary for a backup than for the original data. The volume must allocate twice the amount of space for the shadow copy process. The path for adding the new registry entry is as follows: HKLM\SYSTEM\CurrentControlSet\Services\wbengine\SystemStateBackup\AllowSS BToAnyVolume Type: DWORD A value of 0 prevents the storing of system state backup on a source volume. A value of 1 allows the storing of system state backup on a source volume.
215
Perform a Backup of Critical Volumes of a Domain Controller by Using the GUI (Windows Server Backup)
You can use this procedure to back up critical volumes for a domain controller by using Windows Server Backup. You can also back up critical volumes by using the wbadmin start backup command with the -allCritical parameter. For more information, see Wbadmin start backup (http://go.microsoft.com/fwlink/?LinkId=111838). Note Windows Server Backup appears on the Administrative Tools menu by default, even if the Windows Server Backup feature is not installed. If Windows Server Backup is not installed, when you open Windows Server Backup, a message appears, saying that the tool is not installed and providing the instructions for installing Windows Server Backup. For more information about installing Windows Server Backup, see Installing Windows Server Backup (http://go.microsoft.com/fwlink/?LinkID=96495). Membership in Builtin Administrators or Backup Operators, or equivalent, is the minimum required to complete this procedure. In addition, you must have write access to the target backup location. To perform a critical-volume backup for a domain controller 1. Click Start, point to Administrative Tools, and then click Windows Server Backup. 2. If you are prompted, in the User Account Control dialog box, provide Backup Operator credentials, and then click OK. 3. On the Action menu, click Backup once. 4. In the Backup Once Wizard, on the Backup options page, click Different options, and then click Next. 5. If you are creating the first backup of the domain controller, click Next to select Different options. 6. On the Select backup configuration page, click Custom, and then click Next. 7. On the Select backup items page, select the volumes to include in the backup. If you select the Enable system recovery check box, all critical volumes are selected. As an alternative, you can clear that check box, select the individual volumes that you want to include, and then click Next. Your selection must include the volumes that store the operating system, Ntds.dit, and SYSVOL. Note If you select a volume that hosts an operating system, all volumes that store system components are also selected. 216
8. On the Specify destination type page, click Local drives or Remote shared folder, and then click Next. 9. Choose the backup location as follows: If you are backing up to a local drive, on the Select backup location page, in Backup destination, select a drive, and then click Next. If you are backing up to a remote shared folder, do the following: a. Type the path to the shared folder. b. Under Access Control, select Do not inherit or Inherit to determine access to the backup, and then click Next. c. In the Provide user credentials for Backup dialog box, provide the user name and password for a user who has write access to the shared folder, and then click OK. 10. On the Specify advanced option page, select VSS copy backup and then click Next, 11. On the Summary page, review your selections, and then click Backup. 12. After the Backup Once Wizard begins the backup, click Close at any time. The backup runs in the background and you can view backup progress at any time during the backup. The wizard closes automatically when the backup is complete.
Additional considerations
The target volume for a critical-volume backup can be a local drive, but it cannot be any of the volumes that are included in the backup.
Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin)
You can use this procedure to back up system state on a domain controller. Membership in Builtin Administrators or Backup Operators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. In addition, you must have write access to the target backup location. To perform a system state backup of a domain controller 1. Click Start, click Command Prompt, and then click Run as administrator. 2. If you are prompted, in the User Account Control dialog box, provide Backup Operator credentials, and then click OK. 3. At the command prompt, type the following command, and then press ENTER:
wbadmin start systemstatebackup -backuptarget:<targetDrive>: -quiet
217
Where <targetDrive> identifies the local volume or the letter of the physical disk drive to receive the backup. You cannot store a system state backup on a network shared drive. If you do not specify the -quiet parameter, you are prompted to press Y to proceed with the backup operation.
Additional considerations
Be aware of the following issues when you perform a system state backup: To use Wbadmin.exe, you must install Windows Server Backup. For more information about installing Windows Server Backup, see Installing Windows Server Backup (http://go.microsoft.com/fwlink/?LinkID=96495). The target volume for a system state backup can be a local drive, but it cannot be any of the volumes that are included in the backup by default. To store the system state backup on a volume that is included in the backup, you must add the AllowSSBToAnyVolume registry entry to the server that you are backing up. There are also some prerequisites for storing system state backup on a volume that is included in the backup. For more information, see Known Issues for AD DS Backup and Recovery (http://go.microsoft.com/fwlink/? LinkID=117940).
Perform a Full Server Backup of a Domain Controller by Using the GUI (Windows Server Backup)
A full server backup captures all volumes on all locally attached volumes. Windows Server Backup treats Universal Serial Bus (USB) drives and Internet SCSI (iSCSI) devices as locally attached volumes. If the backup destination is a locally attached drive, it is excluded from the backup set. You can use this procedure to back up all the volumes on a domain controller by using the Windows Server Backup snap-in. Note Windows Server Backup appears on the Administrative Tools menu by default, even if the Windows Server Backup feature is not installed. If Windows Server Backup is not installed, when you open Windows Server Backup, a message appears, saying that the tool is not installed and providing the instructions for installing Windows Server Backup. For more information about installing Windows Server Backup, see Installing Windows Server Backup (http://go.microsoft.com/fwlink/?LinkID=96495). Membership in Builtin Administrators or Backup Operators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. In addition, you must have write access to the target backup location.
218
To perform an unscheduled full server backup of all volumes by using the graphical user interface (GUI) 1. Click Start, point to Administrative Tools, and then click Windows Server Backup. 2. If you are prompted, in the User Account Control dialog box, provide Backup Operator credentials, and then click OK. 3. On the Action menu, click Backup once. 4. In the Backup Once Wizard, on the Backup options page, click Different options, as shown in the following figure, and then click Next.
5. If you are creating the first backup of the domain controller, click Next to select Different options. 6. On the Select backup configuration page, click Full server, as shown in the following figure, and then click Next.
219
7. On the Specify destination type page, click Local drives or Remote shared folder, and then click Next. 8. Choose the backup location as follows: If you are backing up to a local drive, on the Select backup location page, in Backup destination, select a drive, and then click Next.
220
If you are backing up to a remote shared folder, on the Specify remote folder page, provide shared folder information, as shown in the following figure:
221
a. Type the path to the shared folder. b. Under Access Control, select Do not inherit or Inherit to determine access to the backup, and then click Next. c. In the Provide user credentials for Backup dialog box, provide the user name and password for a user who has write access to the shared folder, and then click OK. 9. On the Specify advanced option page, select VSS copy backup (recommended) and then click Next. 10. On the Confirmation page, review your selections, and then click Backup. 11. After the Backup Once Wizard begins the backup, click Close at any time. The backup runs in the background and you can view backup progress at any time during the backup. The wizard closes automatically when the backup is complete.
Additional considerations
The target volume for an unscheduled backup can be a local drive, but it cannot be any of the volumes that are included in the backup.
222
Perform a Full Server Backup of a Domain Controller by Using the Command Line (Wbadmin)
A full server backup captures all volumes on all locally attached volumes. Windows Server Backup treats Universal Serial Bus (USB) drives and Internet SCSI (iSCSI) devices as locally attached volumes. If the backup target is a locally attached drive, it is excluded from the backup set. You can use this procedure to back up all volumes with the Wbadmin.exe command-line tool. Membership in Builtin Administrators or Backup Operators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. In addition, you must have write access to the target backup location. To perform an unscheduled backup of all volumes by using the command line 1. Click Start, click Command Prompt, and then click Run as administrator. 2. If you are prompted, in the User Account Control dialog box, provide Backup Operator credentials, and then click OK. 3. At the command prompt, type the following command, and then press ENTER:
wbadmin start backup -include:<sourceDrive_1>:,<sourceDrive_2>:,... <sourceDrive_n>: -backuptarget:<targetDrive>: -quiet
Where: <sourceDrive_x> identifies the volume or volumes to be backed up, separated by commas and no spaces. <targetDrive> identifies the local volume or the letter of the network shared drive or physical disk drive to receive the backup. If you do not specify the -quiet parameter, you are prompted to press Y to proceed with the restore process.
Additional considerations
Be aware of the following issues when you perform unscheduled backups: To use Wbadmin.exe, you must install Windows Server Backup. For more information about installing Windows Server Backup, see Installing Windows Server Backup (http://go.microsoft.com/fwlink/?LinkID=96495). The target volume for an unscheduled backup can be a local drive, but it cannot be any of the volumes that are included in the backup.
223
Causes of disruptions
Disruptions to directory services can be caused by many conditions on a domain controller, in a domain or forest, and with service clients and applications that use AD DS. The following are some of the conditions that can disrupt directory services: Reordering or changes to drive letters that cause the operating system, the directory service file, and logs to be unavailable in their expected locations Excessive permissions on objects in AD DS, the file system, or the registry, or explicitly defined and assigned in Group Policy Disk failure, which prevents access to or causes damage to the following sets of files: operating system, directory service and log, SYSVOL, and registry or other critical system files Inability to restart AD DS in normal mode, for example, after an unscheduled power outage or software update Antivirus utilities and other utilities, such as disk optimization utilities, which prevent unfettered access to the directory service file and logs Inability of a domain controller to respond to Lightweight Directory Access Protocol (LDAP) requests, logon requests, or replication requests Inability to boot from AD DS, for example, after an unscheduled power outage or software update Physical site disaster, such as natural disasters or virus attacks or other security attacks Accidental deletions in AD DS, the file system, or the registry Rollback to a known good point in time Corruption that is localized to a domain controller Corruption that has replicated (the worst-case scenario)
224
When you consider recovery options, the objective is to use the fastest method that results in the least intrusive and most complete recovery. Options for recovery can range from repair of individual elements to restoration of a single domain controller. In the worst-case scenario, the only option might be to recover all domain controllers in a domain or forest.
Advanced Features on the View menu, the Protect object from accidental deletion option is available on the Object tab. You can open the Properties page for each container in the domain and enable this option. Note CN=Users,DC=DomainName and CN=Computers,DC=DomainName are protected from deletion by system flags on the objects. Use this option to protect all other containers up to the domain level. Good candidates for protection are containers that store Group Policy objects (GPOs) and Active Directoryintegrated Domain Name System (DNS) zones. When you enable the Protect object from accidental deletion option, neither the container nor any child object can be deleted by any administrator or other user. An administrator with the right to log on locally to a domain controller and the right to open Active Directory Users and Computers can enable or disable the setting. Pay particular attention to protecting organizational units (OUs) that might have been created in an earlier version of Windows. When you create an OU by using Active Directory Users and Computers in Windows Server 2008, the Protect container from accidental deletion check box is selected by default. On domain controllers that are running earlier versions of Windows, you must apply the Deny access control entries (ACEs) permission on the Security tab of the properties page of the containers to implement protection from accidental deletion. For information about how to apply these access control entries (ACEs) manually, see Guarding Against Accidental Bulk Deletions in Active Directory (http://go.microsoft.com/fwlink/?LinkId=116365).
Recovery solutions
When you are faced with unacceptable directory service conditions that cannot be resolved reliably by manual updates, your recovery solutions depend on data issues, hardware issues, time constraints, and the backups that are available.
226
Note Nonauthoritative restore from backup requires that the domain controller is running in Directory Services Restore Mode (DSRM). You cannot perform this procedure by stopping AD DS.
Depending on replication conditions in the domain of the deletions, you can use the following methods to perform an authoritative restore: Nonauthoritative restore from backup, followed by authoritative restore: Unless you can isolate a domain controller that has not received the deletions, authoritative restore must be preceded by a nonauthoritative restore from backup to restore the directory to a former state that contained the deleted objects. With the deleted objects restored, you can mark them as authoritative so that replication does not overwrite them with the delete condition that still exists on the other domain controllers in the domain. Authoritative restore only: If you identify the data loss quickly and you can isolate a global catalog server in the domain where the deletion occurred that has not received replication of the deletions, you can mark the objects as authoritative on the global catalog server and avoid performing an initial restore from a backup (nonauthoritative restore). This option depends on your ability to stop inbound replication on the global catalog server before replication of the deletions is received. Global catalog servers often have longer replication latency than other domain controllers. Global catalog servers are preferred as recovery domain controllers because they store more group information. However, any latent domain controller in the domain of the deletions that has not received replication of the deletions can serve as the recovery domain controller if you want to avoid restoring from backup. For more information about performing authoritative restore without restoring from backup, see Performing Authoritative Restore of Active Directory Objects.
have widespread corruption in the file system, your best solution is also full server recovery or reinstallation. To decide whether or not to perform a full server recovery, consider the following conditions: A full server recovery reformats and repartitions all disks that are attached to the server. A full server recovery might be more time consuming than reinstalling the operating system. Reinstallation requires a cleanup of server metadata on the failed domain controller. Reinstallation results in data loss. All servers have roles and features installed. Each role has configuration state in AD DS, the file system, and the registry, and a role frequently has its own data store. For example, the server might be configured for DNS, Dynamic Host Configuration Protocol (DHCP), Windows Internet Name Service (WINS), administration tools, and registry settings for maximum transmission unit (MTU), maxPacketSize, and security. If you have to reinstall, you must either export and import all these settings or recreate them. This method is certain to be time consuming and error prone. Reinstalling and restoring criteria In general, use the following criteria to the decide whether to reinstall or restore a domain controller from backup: Reinstall the operating system under the following conditions: You do not have an available backup. You must have the domain controller back online as soon as possible and reinstallation is faster than restoring. You have exhausted all known avenues of troubleshooting a fault or error condition, and continued troubleshooting is not likely to succeed or will result in diminishing returns with more time spent. Perform a full server restore of the domain controller under the following conditions: Reinstalling will result in an unacceptable loss of data. You want to recover from localized or replicated corruption.
The domain controller is running other server services, such as Exchange, or it contains other data that you must restore from a backup. Restoring AD DS after reinstalling the operating system If you reinstall the operating system, you can restore AD DS in one of the following ways: Use Dcpromo to reinstall AD DS and allow replication from another, healthy domain controller in the domain to update the domain controller. Restore AD DS from backup (nonauthoritative restore). Then, allow replication from another, healthy domain controller in the domain to update the domain controller. This method requires less replication than reinstalling AD DS. Install AD DS from installation media. This method, called install from media (IFM), requires that you have created installation media that can be used to install AD DS. You use Ntdsutil to create the media on a healthy domain controller in the domain. In this case, recovery is faster
229
because Active Directory replication is not required. For more information about installing from media, see Installing an Additional Domain Controller by Using IFM.
Recovery tasks
This section includes the following tasks for recovering AD DS: Performing Nonauthoritative Restore of Active Directory Domain Services Performing Authoritative Restore of Active Directory Objects Performing Authoritative Restore of an Application Directory Partition Performing a Full Server Recovery of a Domain Controller Restoring a Domain Controller Through Reinstallation and Subsequent Restore from Backup Restoring a Domain Controller Through Reinstallation
230
SYSVOL restore
SYSVOL is always restored nonauthoritatively during a restore of AD DS. Restoring SYSVOL requires no additional procedures. If you deleted file system policy and have a backup of policy that you created by using Group Policy Management Console, you can recover the policy by using that tool. For information about managing Group Policy, see Group Policy Management Console (http://go.microsoft.com/fwlink/?LinkId=101634). If you deleted the Default Domain Policy or Default Domain Controllers Policy, you can use Dcgpofix.exe to rebuild the policy. For information about using Dcgpofix.exe, see Dcgpofix.exe on the Microsoft Web site (http://go.microsoft.com/fwlink/? LinkId=109291). When you use System Recovery Options in Windows Server Backup to restore a Windows Server 2008 domain controller in an environment that has Distributed File System (DFS) 231
Replication implemented, the SYSVOL restore is performed nonauthoritatively by default. To perform an authoritative restore of SYSVOL, include the -authsysvol switch in your recovery command, as shown in the following example:
wbadmin start systemstaterecovery <otheroptions> -authsysvol
If you use File Replication Service (FRS), the restore operation sets the BURFLAGS registry entries for FRS, which affects all replica sets that are replicated by FRS. Task requirements The following tools are required to perform the procedures for this task: Remote Desktop Connection (optional) Wbadmin.exe Bcdedit.exe
To complete this task, perform the following procedures: 1. Restart the domain controller in DSRM by using one of the following methods: Restart the Domain Controller in Directory Services Restore Mode Locally Or Restart the Domain Controller in Directory Services Restore Mode Remotely 2. Restore AD DS from Backup (Nonauthoritative Restore) 3. Verify AD DS restore
Additional references
Performing Authoritative Restore of Active Directory Objects Enable Remote Desktop Create a Remote Desktop Connection
registry entry. By changing the value for this entry, you can configure a domain controller so that you can log on to it with the DSRM Administrator account if the domain controller was started normally but the AD DS service is stopped for some reason. For more information about changing this registry entry, see the Windows Server 2008 Restartable AD DS Stepby-Step Guide (http://go.microsoft.com/fwlink/?LinkId=88649). You can restart a domain controller in DSRM manually by pressing the F8 key during domain controller startup, which requires watching the startup and waiting for the appropriate point in the startup to press the key. This method is tedious and can waste time if you miss the brief window of opportunity for selecting the restart mode. On domain controllers that are running Windows Server 2008, tools are available that replace the Boot.ini file that is used in earlier versions of Windows Server to modify the boot configuration parameters and controls. You can use the Windows graphical user interface (GUI) or the command line to restart the domain controller in DSRM: Windows GUI: System Configuration (Msconfig.msc) is an administrative tool that you can use to configure boot and startup options, including restarting in DSRM and normal mode. Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot configuration on a server that is running Windows Server 2008. You can use Bcdedit with shutdown commands to instruct the domain controller to restart in DSRM and to restart normally. When you are finished managing a domain controller in DSRM, if you have used System Configuration or Bcdedit.exe to restart the domain controller in DSRM, you must change the configuration so that the domain controller restarts in normal mode. Note A benefit of using System Configuration or Bcdedit.exe for implementing restart of a domain controller into DSRM is that normally the domain controller cannot be inadvertently restarted. This benefit is particularly useful when you are performing a nonauthoritative restore from backup followed by an authoritative restore. You can also use System Configuration or Bcdedit.exe to restart a domain controller in DSRM remotely. To use System Configuration or Bcdedit.exe and Remote Desktop Connection to restart a domain controller in DSRM remotely, see Restart the Domain Controller in Directory Services Restore Mode Remotely. Membership in the Domain Admins group is the minimum required complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM is required to log on to the domain controller in DSRM. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/? LinkId=83477. Important If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728). 233
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
4. When you are still in DSRM and you are ready to restart in normal mode, open a command prompt and type the following, and then press ENTER:
bcdedit /deletevalue safeboot
5. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
Value
Description
Configures the boot process to start in DSRM. Shuts down the server and restarts it. Returns the boot process to the previous setting. 234
See Also
Restart the Domain Controller in Directory Services Restore Mode Remotely
Membership in Domain Admins, or equivalent, is the minimum required to complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM and the user right to log on locally to a domain controller are required to log on to the domain controller in DSRM. Members of Account Operators, Administrators, Enterprise Admins, Domain Admins, Backup Operators, Print Operators, and Server Operators have the user right to log on locally to a domain controller by default. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. Important If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. Using a domain administrative account to log on to an RODC can compromise the server. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728). To restart a domain controller in DSRM remotely by using the Windows GUI 1. Connect to the remote domain controller that is running in normal mode: a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection. b. In Computer, type the name of the domain controller that you want to restart, and then click Connect. c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK. d. When you are connected, log on to the domain controller as a domain administrator. 2. On the Start menu, point to Administrative Tools, and then click System Configuration. 3. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK. 4. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped. 5. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection. 6. The domain controller name should still be showing in Computer. If it is not, select it from the list, and then click Connect. 7. In the Windows Security dialog box, click Use another account. 8. In User name, type the following: MachineName\Administrator Where MachineName is the name of the domain controller. 9. In Password, type the DSRM password, and then click OK. 236
10. At the logon screen of the remote domain controller, click Switch User, and then click Other User. 11. Type MachineName\Administrator, and then press ENTER. 12. Perform procedures in DSRM. 13. When you have finished performing procedures in DSRM, restart the domain controller normally: a. On the Start menu, point to Administrative Tools, and then click System Configuration. b. On the General tab, in Startup selection, click Normal startup, and then click OK. The domain controller restarts normally. This procedure will disconnect your remote session. To restart a domain controller in DSRM remotely by using the command line 1. Connect to the remote domain controller that is running in normal mode: a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection. b. In Computer, type the name of the domain controller that you want to restart, and then click Connect. c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK. d. When you are connected, log on to the domain controller as a domain administrator. 2. Open a command prompt. At the command prompt, type the following command, and then press ENTER:
bcdedit /set safeboot dsrepair
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped. 4. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection. 5. The domain controller name should still be showing in Computer. If it is not, select it in the list, and then click Connect. 6. In the Windows Security dialog box, click Use another account. 7. In User name, type the following: MachineName\Administrator Where MachineName is the name of the domain controller.
237
8. In Password, type the DSRM password, and then click OK. 9. At the logon screen of the remote domain controller, click Switch User, and then click Other User. 10. Type MachineName\Administrator, and then press ENTER. 11. Perform procedures in DSRM. 12. When you have finished performing procedures in DSRM, restart the domain controller normally: a. In DSRM, open a command prompt, type the following command, and then press ENTER:
bcdedit /deletevalue safeboot
b. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 r
The domain controller restarts normally. This procedure will disconnect your remote session.
Value Description
Configures the boot process to start in DSRM. Shuts down the server and restarts it. Returns the boot process to the previous setting.
See Also
Enable Remote Desktop Create a Remote Desktop Connection Restart the Domain Controller in Directory Services Restore Mode Locally
238
Note If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728). Be sure that you know the name and location of the version of the backup that you are restoring. Backup files are named for the date and time of the backup. When you restore the backup, the version must be stated in the form MM/DD/YYYY-HH:MM (month/day/year-hour:minute), which specifies the name of backup that you want to restore. The Wbadmin.exe command-line tool does not require that you provide the target for the recovery. By specifying the backup version that you want to recover, the command proceeds to recover to the source location of the backup version that you specify. Note The systemstaterecovery command in Wbadmin.exe causes a nonauthoritative restore of SYSVOL by default (only updates to SYSVOL since the time of the backup are replicated to the recovery domain controller). If you want to restore SYSVOL authoritatively (all of SYSVOL is replicated from the recovery domain controller to other domain controllers in the domain), specify the authsysvol option in the command. The Administrator password for DSRM is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. The server must be running in DSRM. To perform a nonauthoritative restore of AD DS 1. At the Windows logon screen, click Switch User, and then click Other User. 2. Type .\administrator as the user name, type the DSRM password for the server, and then press ENTER. 3. Open a Command Prompt. 4. At the command prompt, type the following command, and then press ENTER:
wbadmin get versions -backuptarget:<targetDrive>: -machine:<BackupComputerName>
Where:
<targetDrive>:
<BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was made. 5. Identify the backup version that you want to restore. You must enter this backup version exactly in the next step. 6. At the command prompt, type the following command, and then press ENTER:
wbadmin start systemstaterecovery -version:<MM/DD/YYYY-HH:MM>
239
Where:
<MM/DD/YYYY-HH:MM> <targetDrive>:
<BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was taken. If you do not specify the -quiet parameter, you are prompted to press Y to proceed with the restore process and then press Y to confirm that the replication engine for SYSVOL has not changed since you created the backup. After the recovery operation is complete, if you are not going to perform an authoritative restore of any restored objects, restart the server.
Additional references
Restart the Domain Controller in Directory Services Restore Mode Locally Enable Remote Desktop Create a Remote Desktop Connection Restart the Domain Controller in Directory Services Restore Mode Remotely Performing Authoritative Restore of Active Directory Objects
Verify AD DS restore
After you complete a restore of Active Directory Domain Services (AD DS), you can use this procedure to verify the restore. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To verify an Active Directory restorefrom backup 1. After the restore operation completes, restart the computer in Start Windows Normally mode. If you used Bcdedit.exe to configure startup in Directory Services Restore Mode (DSRM), see Restart the Domain Controller in Directory Services Restore Mode Remotely or Restart the Domain Controller in Directory Services Restore Mode Locally for information about changing the configuration back to normal startup mode. 2. After you are able to log on to the system, perform the following verification steps: At a command prompt, use the repadmin /showsig command to verify that the invocation ID has changed. The invocation ID is the directory database globally unique identifier 240
(GUID), which the Directory System Agent (DSA) uses to identify the version of the database. The invocation ID changes during the Active Directory restore process to ensure the consistency of the replication process. Verify that the previous entry appears in the retired signatures list. At a command prompt, use the repadmin /showrepl command to verify that there are no replication errors and all directory partitions are replicating properly with the required replication partners. You can determine the replication partners by selecting the NTDS Settings object for the restored server in Active Directory Sites and Services. At a command prompt, use the net share command to verify that the NETLOGON and SYSVOL shares appear. At a command prompt, use the dcdiag command to verify success of all tests on the domain controller. Use Active Directory Users and Computers to verify that the deleted objects that you wanted to recover from the backup are restored. If you have a Volume Shadow Copy Service (VSS) snapshot of the database, you can use the Active Directory database mounting tool (Dsamain.exe) to mount the database and view it through Active Directory Users and Computers to compare the objects. For information about the Active Directory database mounting tool, see the Step-by-Step Guide for Using the Active Directory Database Mounting Tool in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=103333).
241
Note If you can isolate a domain controller in the domain that has not received replication of the deletion, the preliminary, nonauthoritative restore from backup is not necessary. For more information, see Recovering deletions without restoring from backup. You can restore objects in domain directory partitions, application directory partitions, and the configuration directory partition, as follows: Domain directory partitions: You must restore the objects on a domain controller in the domain. Application directory partitions: You must restore the objects on a domain controller that hosts the application directory partition. If you delete an entire application directory partition, you must restore the domain naming operations master to recover the application directory partition. Configuration directory partitions: You can restore objects on any domain controller in the forest. Note You can also restore Group Policy objects (GPOs). For information about restoring GPOs, see Back Up, Restore, Import, and Copy Group Policy Objects in online Help for the Group Policy Management Console (GPMC). When an Active Directory object is marked for authoritative restore, its version number is changed so that the number is higher than the existing version number of the deleted object, which replicates as a tombstone in the Active Directory replication system. The change in version number ensures that any object that you restore authoritatively is replicated from the restored domain controller to other domain controllers in the forest, updating the tombstone object to the restored object. An authoritative restore is most commonly used to restore corrupt or deleted objects, often to recover unintentionally deleted user and group objects. An authoritative restore should not be used to restore an entire domain controller, nor should it be used as part of a change-control infrastructure. Proper delegation of administration and change enforcement will help optimize data consistency, integrity, and security.
that they contain. When inadvertent deletions or modifications occur, you can use a snapshot to compare the data in the current directory against data in the snapshot. If you take regular snapshots, you can sometimes avoid having to restore AD DS if you can identify the differences in the data and return the affected objects to their correct state. When a recovery operation is required, you can use a database snapshot to assess the differences and determine the objects that you want to authoritatively restore. For information about using VSS shadow copies and the Active Directory database mounting tool, see the Step-by-Step Guide for Using the Active Directory Database Mounting Tool in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkID=103333).
243
244
Note Although Ntdsutil restores back-links for LVR groups, replication order can result in the memberships being dropped. For more information, see Performing Authoritative Restore of Active Directory Objects.
file that is generated during authoritative restore to create an .ldf file to restore the memberships in each additional domain. ar_YYYYMMDD-HHMMSS_objects.txt, which is a text file that contains a list of the authoritatively restored objects. This file is generated for each individual object or container that you mark as authoritative. You can use this file to generate an .ldf file that you can use to recover memberships in domain local groups and universal groups (if you are not restoring a global catalog server) in other domains. This file is created on any domain controller that you authoritatively restore. Global catalog servers do not store the member attribute of domain local groups. Therefore, even if you perform the restore on a global catalog server, you must always use this file to generate an .ldf file in any domain where there are domain local groups of which restored security principals might be members. You must create a separate .ldf file for each object or container that you mark as authoritative. Note Although group memberships are restored automatically when you use Ntdsutil to recover membership in LVR groups, it is best to process the .ldf files to ensure recovery. In some cases, replication order can result in lost memberships. For more information, see Known Issues for Authoritative Restore.
controller that is not a global catalog server stores only universal group objects that are created in its own domain. Domain local groups: Security principals can be members of domain local groups that are created in any domain. Memberships in domain local groups in the recovery domain are restored automatically during authoritative restore. However, the global catalog does not store the member attribute for read-only domain local group objects. Therefore, for restored security principals that have memberships in domain local groups in other domains, you must recover these memberships by performing follow-up procedures in each additional domain.
Retention (merge) of new group memberships or other attributes after authoritative restore
The authoritative restore procedure results in a merge of authoritatively restored objects and attributes and existing objects and attributes. For example, do not expect that users that have been added to a group (after the backup that is used to restore the deleted group) will be removed by an authoritative restore of the group object. Instead, new attributes of objects that are specified in the authoritative restore are preserved during replication. Therefore, authoritative restore does not remove group memberships that were added between the time of the backup that is used for authoritative restore and the time of the restore procedure. 247
Objects and attributes are preserved during authoritative restore as follows: If an object exists in the backup, before inbound replication the post-restore directory partition contains the version of the object that exists in the restored backup. If an object was created after the backup was made and there are additional domain controllers that store the directory partition, after inbound replication the restored directory partition also includes the set of objects that were created after the backup. If an object contains new attributes that are not contained in the backup but that exist in the directory partition of an additional domain controller in the domain at the time of the restore, after inbound replication the version of the object and attributes as they existed in the backup plus any new attributes that were added to the object after the backupare preserved. Authoritative restore affects only the objects and attributes that existed at the time of the backup. This functionality applies to objects with linked attributes and nonlinked attributes alike. For example, if you are restoring an object that has attribute A and attribute B in the backup version and has attributes A, B, and C in the current directory, attribute C is retained after authoritative restore. Therefore, a group object that has the member value of User1 in the backup and has both User1 and User2 in the current directory includes both of those memberships after authoritative restore of the group object. Any post-backup memberOf or member attribute values that were added to a user or group, respectively, are not affected by replication updates after the restore procedure. If you want to remove group membershipsor any other unwanted object attributecomplete the following steps: 1. Delete the object whose updates you do not want to retain. 2. Allow the deletion to replicate throughout the forest. 3. Back up a domain controller that has received the deletion. 4. Authoritatively restore the object that you deleted from the backup that does not contain the unwanted values.
To complete this task, perform procedures according to the conditions in your environment:
Procedures for recovering group memberships (and any other back-link attributes) in other domains
249
8. If the .ldf file shows back-links for objects in other domains, perform the procedures in Procedures for recovering group memberships (and any other back-link attributes) in other domains.
250
Procedures for recovering group memberships (and any other back-link attributes) in other domains
You can recover group memberships in other domains either by adding the members manually to the respective groups or by using the text file from the original authoritative restore procedure to generate one or more .ldf files that you can use to recover back-links in other domains. Be aware that restored objects might have back-links other than group memberships. If you have restored security principal objects or other objects that have back-link attributes in a forest that has more than one domain and you do not want to restore the back-links manually, perform the following steps on a domain controller in each additional domain: Note For restored security principals, these steps are required only if the restored security principals have memberships in domain local or universal groups in a different domain from the recovery domain. If you restored the security principals on a global catalog server, you need to recover only domain local group memberships in other domains. In some cases, these accounts might be few enough that you can manually recreate the memberships instead of following these procedures. 1. Restart the Domain Controller in Directory Services Restore Mode Locally Or Restart the Domain Controller in Directory Services Restore Mode Remotely 2. Restore AD DS from Backup (Nonauthoritative Restore) When the group members were deleted, the member attribute (forward link) on any group of which they were members was removed from the group object. This procedure is required to restore the member attribute on group objects for those group members that were deleted. This attribute is required to regenerate the memberOf attribute value on the restored group members. 3. While still in DSRM, use Ntdsutil to Create an LDIF File for Recovering Back-Links for Authoritatively Restored Objects. In this procedure, you must specify the location of the .txt file that was generated by Ntdsutil during the authoritative restore procedure. 4. Restart the domain controller normally. 5. Run an LDIF File to Recover Back-Links in this domain on a domain controller other than the domain controller that you restored from backup and on which you created the LDIF file. Because you have just restored the domain controller on which you created the LDIF file from backup, perform this procedure on a different domain controller to be sure that the group objects you update are current. This procedure updates the group memberships of a restored security principal object or container of objects. Perform this procedure for each individual object or container that you marked as authoritative.
Additional references
Known Issues for Authoritative Restore 251
the authoritatively restored User X is received, perhaps only seconds later, the member attribute of the group is not updated. If replication of User X is received before Group A, the membership on Group A is retained. Use the following steps to ensure that group memberships for authoritatively restored groups and their restored members are always retained during replication after authoritative restore: 1. Ensure that all authoritatively restored objects have replicated and exist on all domain controllers in the domain. 2. Run the .ldf file on the recovery domain controller. 3. Force replication on the recovery domain controller.
Attempt to find a global catalog server to use as the recovery domain controller. Only a global catalog server can recover universal group memberships for other domains. If you cannot find a latent global catalog server or other domain controller in the domain where the deletion occurred, find the most recent system state or critical-volume backup of a global catalog server in that domain. Use this global catalog server as the recovery domain controller. In addition, locate the most recent backup of a non-global-catalog domain controller. Stop changes to groups. You are restoring individual, deleted user or computer accounts by their distinguished name (DN) paths. You are restoring a domain controller that has not received replication of the deletions. You are not restoring security groups or their parent containers. Stop making changes to security groups in the forest if all of the following statements are true:
If you are restoring security groups or organizational unit (OU) containers that host security groups or user accounts, notify users, administrators, and help desk administrators in the domain of the deletionsand in any other domains that might have group memberships for the deleted accountsto temporarily stop all changes to these objects. Create a preliminary backup. If system state or critical-volume backup is not current up to the point of the deletion, before you perform authoritative restore, create a new system state or critical-volume backup in the domain of the deletions. You can use this backup if you need to roll back your changes. Select objects as low as possible in the directory tree. When you are selecting objects to mark for authoritative restore, find the lowest possible container or set of objects to restore so that you do not roll back objects unnecessarily. For more information, see Performing Authoritative Restore of Active Directory Objects. Process the .ldf file after replication. After the authoritatively restored objects have replicated to all domain controllers in the domain, always use the Ldifde.exe tool to process the .ldf file that is generated by Ntdsutil. Even when memberships are being restored automatically by Ntdsutil for groups that use linked-value replication (LVR), processing the .ldf file ensures that memberships are retained when replicated. For more information about the effect of replication order on group memberships following authoritative restore, see Known Issues for Authoritative Restore. Note It is possible for the .ldf file to contain memberships in groups from which the restored security principal was removed before backup. For more information, see Known Issues for Authoritative Restore. Perform follow-up steps. a. Verify group memberships in the domain of the recovery domain controller and on a global catalog server in every other domain. 254 After the authoritative restore procedure is complete, perform the following steps:
b. Create a new system state or critical-volumes backup in the recovery domain. c. Notify users, administrators, and help desk administrators that they can resume making changes. d. Instruct help desk administrators to reset the passwords of restored user accounts and computer accounts whose domain passwords changed after the restored backup was created.
255
When you are finished managing a domain controller in DSRM, if you have used System Configuration or Bcdedit.exe to restart the domain controller in DSRM, you must change the configuration so that the domain controller restarts in normal mode. Note A benefit of using System Configuration or Bcdedit.exe for implementing restart of a domain controller into DSRM is that normally the domain controller cannot be inadvertently restarted. This benefit is particularly useful when you are performing a nonauthoritative restore from backup followed by an authoritative restore. You can also use System Configuration or Bcdedit.exe to restart a domain controller in DSRM remotely. To use System Configuration or Bcdedit.exe and Remote Desktop Connection to restart a domain controller in DSRM remotely, see Restart the Domain Controller in Directory Services Restore Mode Remotely. Membership in the Domain Admins group is the minimum required complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM is required to log on to the domain controller in DSRM. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/? LinkId=83477. Important If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).
The domain controller restarts normally. To restart a domain controller in DSRM locally by using the command line 1. Click Start, click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, and then click OK. 2. At the command prompt, type the following command, and then press ENTER:
bcdedit /set safeboot dsrepair
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
4. When you are still in DSRM and you are ready to restart in normal mode, open a command prompt and type the following, and then press ENTER:
bcdedit /deletevalue safeboot
5. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
Value
Description
Configures the boot process to start in DSRM. Shuts down the server and restarts it. Returns the boot process to the previous setting.
See Also
Restart the Domain Controller in Directory Services Restore Mode Remotely
257
Note By default, you must start a domain controller in DSRM to log on by using the DSRM Administrator account. However, on domain controllers that are running Windows Server 2008, you can change this behavior by modifying the DSRMAdminLogonBehavior registry entry. By changing the value for this entry, you can configure a domain controller so that you can log on to it with the DSRM Administrator account if the domain controller was started normally but the AD DS service is stopped for some reason. For more information about changing this registry entry, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=88649). On domain controllers that are running Windows Server 2008, tools are available that replace the Boot.ini file that is used in earlier versions of Windows Server to modify the boot configuration parameters and controls. You can use the Windows graphical user interface (GUI) or the command line or to restart the domain controller in DSRM: Windows GUI: System Configuration (Msconfig.msc) is an administrative tool that you can use to configure boot and startup options, including restarting in DSRM and normal mode. Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot configuration on a server that is running Windows Server 2008. You can use Bcdedit with shutdown commands to instruct the domain controller to restart in DSRM and to restart normally. To restart the domain controller in DSRM remotely, you first use Remote Desktop Connection to connect to the domain controller while it is in normal startup mode. Remote Desktop Connection must be enabled on the target domain controller. After the domain controller has restarted, you can use Remote Desktop Connection to reconnect to the domain controller and then log on as the local Administrator, using the DSRM password. You can use this procedure to connect to a domain controller remotely, restart it in DSRM, and then reconnect to it as the DSRM administrator. Membership in Domain Admins, or equivalent, is the minimum required to complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM and the user right to log on locally to a domain controller are required to log on to the domain controller in DSRM. Members of Account Operators, Administrators, Enterprise Admins, Domain Admins, Backup Operators, Print Operators, and Server Operators have the user right to log on locally to a domain controller by default. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. Important If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. Using a domain administrative account to log on to an RODC can compromise the server. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).
258
To restart a domain controller in DSRM remotely by using the Windows GUI 1. Connect to the remote domain controller that is running in normal mode: a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection. b. In Computer, type the name of the domain controller that you want to restart, and then click Connect. c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK. d. When you are connected, log on to the domain controller as a domain administrator. 2. On the Start menu, point to Administrative Tools, and then click System Configuration. 3. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK. 4. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped. 5. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection. 6. The domain controller name should still be showing in Computer. If it is not, select it from the list, and then click Connect. 7. In the Windows Security dialog box, click Use another account. 8. In User name, type the following: MachineName\Administrator Where MachineName is the name of the domain controller. 9. In Password, type the DSRM password, and then click OK. 10. At the logon screen of the remote domain controller, click Switch User, and then click Other User. 11. Type MachineName\Administrator, and then press ENTER. 12. Perform procedures in DSRM. 13. When you have finished performing procedures in DSRM, restart the domain controller normally: a. On the Start menu, point to Administrative Tools, and then click System Configuration. b. On the General tab, in Startup selection, click Normal startup, and then click OK. The domain controller restarts normally. This procedure will disconnect your remote session.
259
To restart a domain controller in DSRM remotely by using the command line 1. Connect to the remote domain controller that is running in normal mode: a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection. b. In Computer, type the name of the domain controller that you want to restart, and then click Connect. c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK. d. When you are connected, log on to the domain controller as a domain administrator. 2. Open a command prompt. At the command prompt, type the following command, and then press ENTER:
bcdedit /set safeboot dsrepair
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped. 4. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection. 5. The domain controller name should still be showing in Computer. If it is not, select it in the list, and then click Connect. 6. In the Windows Security dialog box, click Use another account. 7. In User name, type the following: MachineName\Administrator Where MachineName is the name of the domain controller. 8. In Password, type the DSRM password, and then click OK. 9. At the logon screen of the remote domain controller, click Switch User, and then click Other User. 10. Type MachineName\Administrator, and then press ENTER. 11. Perform procedures in DSRM. 12. When you have finished performing procedures in DSRM, restart the domain controller normally: a. In DSRM, open a command prompt, type the following command, and then press ENTER:
bcdedit /deletevalue safeboot
b. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 r
The domain controller restarts normally. This procedure will disconnect your remote 260
session.
Value Description
Configures the boot process to start in DSRM. Shuts down the server and restarts it. Returns the boot process to the previous setting.
See Also
Enable Remote Desktop Create a Remote Desktop Connection Restart the Domain Controller in Directory Services Restore Mode Locally
the recovery domain controller). If you want to restore SYSVOL authoritatively (all of SYSVOL is replicated from the recovery domain controller to other domain controllers in the domain), specify the authsysvol option in the command. The Administrator password for DSRM is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. The server must be running in DSRM. To perform a nonauthoritative restore of AD DS 1. At the Windows logon screen, click Switch User, and then click Other User. 2. Type .\administrator as the user name, type the DSRM password for the server, and then press ENTER. 3. Open a Command Prompt. 4. At the command prompt, type the following command, and then press ENTER:
wbadmin get versions -backuptarget:<targetDrive>: -machine:<BackupComputerName>
Where:
<targetDrive>:
<BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was made. 5. Identify the backup version that you want to restore. You must enter this backup version exactly in the next step. 6. At the command prompt, type the following command, and then press ENTER:
wbadmin start systemstaterecovery -version:<MM/DD/YYYY-HH:MM> -backuptarget:<targetDrive>: -machine:<BackupComputerName> -quiet
Where:
<MM/DD/YYYY-HH:MM> <targetDrive>:
<BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was taken. If you do not specify the -quiet parameter, you are prompted to press Y to proceed with the restore process and then press Y to confirm that the replication engine for SYSVOL has not changed since you created the backup. After the recovery operation is complete, if you are not going to perform an authoritative restore of any restored objects, restart the server.
262
Additional references
Restart the Domain Controller in Directory Services Restore Mode Locally Enable Remote Desktop Create a Remote Desktop Connection Restart the Domain Controller in Directory Services Restore Mode Remotely Performing Authoritative Restore of Active Directory Objects
263
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To mark a subtree or individual object authoritative 1. In DSRM, click Start, click Run, type ntdsutil, and then press ENTER. 2. At the ntdsutil: prompt, type authoritative
restore,
3. To restore a subtree or individual object, type one of the following commands, as appropriate, and then press ENTER: To restore a subtree (for example, an organizational unit (OU) and all child objects):
restore subtree <DistinguishedName>
Where <DistinguishedName> is the distinguished name of the subtree or object that is to be marked authoritative. 4. Click Yes in the message box to confirm the command. For example, if you want to restore a deleted OU named Marketing NorthAm in the corp.contoso.com domain, type:
restore subtree OU=Marketing NorthAm,DC=corp,DC=contoso,DC=com
(Always enclose the distinguished name in quotes when there is a space or other special characters within the distinguished name.) Ntdsutil attempts to mark the object as authoritative. The output message indicates the status of the operation. The most common cause of failure is an incorrectly specified distinguished name or a backup for which the distinguished name does not exist. (This occurs if you try to restore a deleted object that was created after the backup). The following sample output shows that Ntdsutil created a text file (.txt) and an LDAP Data Interchange Format (LDIF) (.ldf) file when the marked object was found to have back-links:
The following text file with a list of authoritatively restored objects has been created in the current working directory: ar_20080209-091249_objects.txt
One or more specified objects have back-links in this domain. The following LDIF files with link restore operations have been created in the current working directory: ar_20080209-091249_links_Corp.Contoso.com.ldf
264
5. Make a note of the location of the .txt and .ldf files, if any. We recommend that you use the .ldf file to restore back-links in this domain, even if restored objects are members of groups that were created before linked-value replication (LVR) was in effect. However, in all cases where any of the restored objects listed in the .txt file has memberships in groups in a different domain, you must use the .txt file to generate an .ldf file to restore back-links in those domains. If you have other domains in which you want to restore back-links for this restored object, make a copy of this .txt file to use on a domain controller in each additional domain. 6. At the authoritative ENTER.
restore:
Additional references
Run an LDIF File to Recover Back-Links
265
where <ServerName> is the NetBIOS name of the domain controller. 3. Verify that the DISABLE_INBOUND_REPL option is in effect. The following message should appear:
Current DSA options: <Whatever options are set> New DSA Options: DISABLE_INBOUND_REPL
displays the conditions that were in effect at the time that you ran the command. New DSA Options shows the effect of the command, which is that the DISABLE_INBOUND_REPL option is now in effect.
Current DSA Options
Additional references
Turn on Inbound Replication
266
Value
Description
Synchronizes a specified domain controller with all replication partners. The Domain Name System (DNS) name of the domain controller on which you want to synchronize replication with all partners. Enterprise; includes partners in all sites. Identifies servers by their distinguished names in messages. All; synchronizes all directory partitions that are held on the home server. Pushes changes outward from the home server. Runs in quiet mode; suppresses callback messages.
/e /d /A /P /q
2. Check for replication errors in the output of the command in the previous step. If there are no errors, replication is successful. For replication to complete, any errors must be corrected.
See Also
Verify Successful Replication to a Domain Controller
Restore group memberships in other domains To recover group memberships in other domains in the forest, you must first generate an .ldf file in that domain, as described in Create an LDIF File for Recovering Back-Links for Authoritatively Restored Objects. Then, use this procedure in the respective domain to recover back-links. When you recover group memberships in domains other than the domain of the deletions, you first perform a nonauthoritative restore of the domain controller to return AD DS to a state in which it contained the deleted memberships and then use the .txt file to generate the .ldf file. The domain controller that you restore from backup has old data until it has finished replicating from another domain controller in the domain. If you add users to groups on the restored computer before it is up to date, you might lose some of the changes that you make when this domain controller is updated through inbound replication. For this reason, run the .ldf file on a different, up-to-date domain controller in the same domain. Note This procedure is critical for recovering group memberships for deleted users, groups, or computers, but it applies to any restored objects that have back-link attributes. This procedure explains how to use the Ldifde tool and an .ldf file to recover back-links for authoritatively restored objects in a single domain. Perform this procedure on an up-to-date domain controller in the domain of the group or groups whose memberships you are recovering. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To run an .ldf file to recover back-links after authoritative restore 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. Change directories, if necessary, to the directory of the .ldf file and its respective log files. 2. At the command prompt, type the following command, and then press ENTER:
ldifde -i -k -f <FileName>
Where <FileName> is the name of the .ldf file that you want to run, for example, ar_20080609-174604_links_corp.contoso.com.ldf.
Additional references
Create an LDIF File for Recovering Back-Links for Authoritatively Restored Objects
268
Where <ServerName> is the NetBIOS name of the domain controller. 3. Verify that the DISABLE_INBOUND_REPL option is not in effect. The following message should appear:
Current DSA options: DISABLE_INBOUND_REPL New DSA Options: <none>
displays the conditions that were in effect at the time that you ran the command. New DSA Options shows the effect of the command, which is that the DISABLE_INBOUND_REPL option is not in effect (does not appear).
Current DSA Options
Additional references
Turn Off Inbound Replication
Create an LDIF File for Recovering BackLinks for Authoritatively Restored Objects
When you perform an authoritative restore in a domain where deletions of Active Directory objects occurred, the Ntdsutil tool generates a text (.txt) file that identifies the objects that have been
269
restored. You can use this .txt file to generate an LDAP Data Interchange Format (LDIF) file (.ldf) in other domains that might have back-links from the restored objects. This procedure generates the .ldf file that you need to recover back-links in this domain. Perform this procedure on a domain controller in the domain that might have the back-links.After you complete this procedure, you must use the Ldifde tool to run the .ldf file on a domain controller in the same domain, as described in Run an LDIF File to Recover Back-Links. Note To ensure that current group objects are updated, run the .ldf file on a domain controller other than the domain controller that you use to generate the .ldf file. Before you perform this procedure, you must: Copy the .txt file that Ntdsutil created during the authoritative restore procedure, which you performed on the first domain controller, to a location on this domain controller or a network share. Restore this domain controller from backup. After you restore this domain controller from backup, perform this procedure while the domain controller is still running in Directory Services Restore Mode (DSRM). To perform this procedure, you must provide the Administrator password for DSRM. To create an .ldf file for restoring back-links for authoritatively restored objects 1. In DSRM, click Start, click Run, type ntdsutil, and then press ENTER. 2. At the ntdsutil: prompt, type authoritative 3. At the authoritative ENTER:
restore: restore,
Where <TextFilePath> is the location and file name of the .txt file that Ntdsutil created during the initial authoritative restore of the object whose back-links you want to restore, for example, d:\ldif\ar_20080609_091558_objects.txt. Ntdsutil displays a message stating that one or more specified objects have back-links in this domain and an .ldf file has been created in the current working directory. 4. At the authoritative
restore:
Additional references
Restore AD DS from Backup (Nonauthoritative Restore) Run an LDIF File to Recover Back-Links
270
To complete this task, perform the following procedures: 1. Restart the domain controller in Directory Services Restore Mode (DSRM), as follows: Restart the Domain Controller in Directory Services Restore Mode Locally Or Restart the Domain Controller in Directory Services Restore Mode Remotely 2. Restore AD DS from Backup (Nonauthoritative Restore). Do not restart the domain controller. 3. Mark an application directory partition as authoritative 4. Restart the domain controller normally.
271
During installation of Active Directory Domain Services (AD DS), you set the Administrator password for logging on to the server in DSRM. When you start Windows Server 2008 in DSRM, you must log on by using this DSRM password for the local Administrator account. Note By default, you must start a domain controller in DSRM to log on by using the DSRM Administrator account. However, on domain controllers that are running Windows Server 2008, you can change this behavior by modifying the DSRMAdminLogonBehavior registry entry. By changing the value for this entry, you can configure a domain controller so that you can log on to it with the DSRM Administrator account if the domain controller was started normally but the AD DS service is stopped for some reason. For more information about changing this registry entry, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=88649). On domain controllers that are running Windows Server 2008, tools are available that replace the Boot.ini file that is used in earlier versions of Windows Server to modify the boot configuration parameters and controls. You can use the Windows graphical user interface (GUI) or the command line or to restart the domain controller in DSRM: Windows GUI: System Configuration (Msconfig.msc) is an administrative tool that you can use to configure boot and startup options, including restarting in DSRM and normal mode. Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot configuration on a server that is running Windows Server 2008. You can use Bcdedit with shutdown commands to instruct the domain controller to restart in DSRM and to restart normally. To restart the domain controller in DSRM remotely, you first use Remote Desktop Connection to connect to the domain controller while it is in normal startup mode. Remote Desktop Connection must be enabled on the target domain controller. After the domain controller has restarted, you can use Remote Desktop Connection to reconnect to the domain controller and then log on as the local Administrator, using the DSRM password. You can use this procedure to connect to a domain controller remotely, restart it in DSRM, and then reconnect to it as the DSRM administrator. Membership in Domain Admins, or equivalent, is the minimum required to complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM and the user right to log on locally to a domain controller are required to log on to the domain controller in DSRM. Members of Account Operators, Administrators, Enterprise Admins, Domain Admins, Backup Operators, Print Operators, and Server Operators have the user right to log on locally to a domain controller by default. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. Important If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. Using a domain administrative account to log on to an RODC can compromise the server. 272
For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728). To restart a domain controller in DSRM remotely by using the Windows GUI 1. Connect to the remote domain controller that is running in normal mode: a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection. b. In Computer, type the name of the domain controller that you want to restart, and then click Connect. c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK. d. When you are connected, log on to the domain controller as a domain administrator. 2. On the Start menu, point to Administrative Tools, and then click System Configuration. 3. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK. 4. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped. 5. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection. 6. The domain controller name should still be showing in Computer. If it is not, select it from the list, and then click Connect. 7. In the Windows Security dialog box, click Use another account. 8. In User name, type the following: MachineName\Administrator Where MachineName is the name of the domain controller. 9. In Password, type the DSRM password, and then click OK. 10. At the logon screen of the remote domain controller, click Switch User, and then click Other User. 11. Type MachineName\Administrator, and then press ENTER. 12. Perform procedures in DSRM. 13. When you have finished performing procedures in DSRM, restart the domain controller normally: a. On the Start menu, point to Administrative Tools, and then click System Configuration. b. On the General tab, in Startup selection, click Normal startup, and then click OK. 273
The domain controller restarts normally. This procedure will disconnect your remote session. To restart a domain controller in DSRM remotely by using the command line 1. Connect to the remote domain controller that is running in normal mode: a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection. b. In Computer, type the name of the domain controller that you want to restart, and then click Connect. c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK. d. When you are connected, log on to the domain controller as a domain administrator. 2. Open a command prompt. At the command prompt, type the following command, and then press ENTER:
bcdedit /set safeboot dsrepair
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped. 4. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection. 5. The domain controller name should still be showing in Computer. If it is not, select it in the list, and then click Connect. 6. In the Windows Security dialog box, click Use another account. 7. In User name, type the following: MachineName\Administrator Where MachineName is the name of the domain controller. 8. In Password, type the DSRM password, and then click OK. 9. At the logon screen of the remote domain controller, click Switch User, and then click Other User. 10. Type MachineName\Administrator, and then press ENTER. 11. Perform procedures in DSRM. 12. When you have finished performing procedures in DSRM, restart the domain controller normally: a. In DSRM, open a command prompt, type the following command, and then press ENTER:
bcdedit /deletevalue safeboot
274
b. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 r
The domain controller restarts normally. This procedure will disconnect your remote session.
Value Description
Configures the boot process to start in DSRM. Shuts down the server and restarts it. Returns the boot process to the previous setting.
See Also
Enable Remote Desktop Create a Remote Desktop Connection Restart the Domain Controller in Directory Services Restore Mode Locally
275
startup to press the key. This method is tedious and can waste time if you miss the brief window of opportunity for selecting the restart mode. On domain controllers that are running Windows Server 2008, tools are available that replace the Boot.ini file that is used in earlier versions of Windows Server to modify the boot configuration parameters and controls. You can use the Windows graphical user interface (GUI) or the command line to restart the domain controller in DSRM: Windows GUI: System Configuration (Msconfig.msc) is an administrative tool that you can use to configure boot and startup options, including restarting in DSRM and normal mode. Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot configuration on a server that is running Windows Server 2008. You can use Bcdedit with shutdown commands to instruct the domain controller to restart in DSRM and to restart normally. When you are finished managing a domain controller in DSRM, if you have used System Configuration or Bcdedit.exe to restart the domain controller in DSRM, you must change the configuration so that the domain controller restarts in normal mode. Note A benefit of using System Configuration or Bcdedit.exe for implementing restart of a domain controller into DSRM is that normally the domain controller cannot be inadvertently restarted. This benefit is particularly useful when you are performing a nonauthoritative restore from backup followed by an authoritative restore. You can also use System Configuration or Bcdedit.exe to restart a domain controller in DSRM remotely. To use System Configuration or Bcdedit.exe and Remote Desktop Connection to restart a domain controller in DSRM remotely, see Restart the Domain Controller in Directory Services Restore Mode Remotely. Membership in the Domain Admins group is the minimum required complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM is required to log on to the domain controller in DSRM. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/? LinkId=83477. Important If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).
Configuration. 2. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK. 3. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM. 4. Perform procedures in DSRM. 5. When you have finished performing procedures in DSRM, restart the domain controller normally: a. On the Start menu, point to Administrative Tools, and then click System Configuration. b. On the General tab, in Startup selection, click Normal startup, and then click OK. The domain controller restarts normally. To restart a domain controller in DSRM locally by using the command line 1. Click Start, click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, and then click OK. 2. At the command prompt, type the following command, and then press ENTER:
bcdedit /set safeboot dsrepair
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
4. When you are still in DSRM and you are ready to restart in normal mode, open a command prompt and type the following, and then press ENTER:
bcdedit /deletevalue safeboot
5. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
Value
Description
Configures the boot process to start in DSRM. Shuts down the server and restarts it. Returns the boot process to the previous setting.
See Also
Restart the Domain Controller in Directory Services Restore Mode Remotely
277
278
Where:
<targetDrive>:
<BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was made. 5. Identify the backup version that you want to restore. You must enter this backup version exactly in the next step. 6. At the command prompt, type the following command, and then press ENTER:
wbadmin start systemstaterecovery -version:<MM/DD/YYYY-HH:MM> -backuptarget:<targetDrive>: -machine:<BackupComputerName> -quiet
Where:
<MM/DD/YYYY-HH:MM> <targetDrive>:
<BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was taken. If you do not specify the -quiet parameter, you are prompted to press Y to proceed with the restore process and then press Y to confirm that the replication engine for SYSVOL has not changed since you created the backup. After the recovery operation is complete, if you are not going to perform an authoritative restore of any restored objects, restart the server.
Additional references
Restart the Domain Controller in Directory Services Restore Mode Locally Enable Remote Desktop Create a Remote Desktop Connection Restart the Domain Controller in Directory Services Restore Mode Remotely Performing Authoritative Restore of Active Directory Objects
application directory partition that you want to replicate authoritatively to other domain controllers that host the application directory partition. This procedure has the following preliminary requirements: Before you perform this procedure, back up the domain controller that you are restoring. You should have a current valid backup of the application directory partition before restoring in case some object changes are lost as the result of changes that have occurred since the backup that you are using to restore the domain controller was made. If the entire application directory partition has been deleted, you must perform a nonauthoritative restore from backup on the domain naming operations master. You must have completed a nonauthoritative restore procedure, after which the domain controller has not been restarted and remains in Directory Services Restore Mode (DSRM). The Ntdsutil functionality that is described in this procedure is available on domain controllers that are running Windows Server 2008. To perform authoritative restore on a domain controller that is running a version of Windows Server 2003, see Performing an Authoritative Restore of Active Directory Objects (http://go.microsoft.com/fwlink/?LinkId=44194). If you are performing this procedure in DSRM, the Administrator password for DSRM is the minimum required to complete this procedure. If you are performing this procedure with AD DS stopped on the domain controller, membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To mark an application directory partition as authoritative 1. Open a Command Prompt. 2. At the command prompt, type the following command, and then press ENTER:
ntdsutil
3. At the ntdsutil: prompt, type activate instance ntds, and then press ENTER. For assistance with the Ntdsutil command line-tool, type help at any time. 4. At the ntdsutil: prompt, type authoritative 5. At the authoritative
restore: restore,
NC CRs,
Ntdsutil displays a list of directory partition distinguished names and their associated crossreference object distinguished names. Note the cross-reference distinguished name and application directory partition distinguished name that correspond to the application directory partition that you want to restore. 6. Type restore subtree <App Partition DN>, where <App Partition DN> is the distinguished name of the application directory partition that you want to restore. 7. In the confirmation dialog box, click Yes. The output message indicates the status of the operation. There should be no failures. 8. Type restore object <Cross Ref DN>, where <Cross Ref DN> is the distinguished name of the cross-reference object for the application directory partition that you want to restore, and then press ENTER. 280
9. In the confirmation dialog box, click Yes. The output message indicates the status of the operation. There should be no failures. 10. Quit the Ntdsutil tool by typing quit at each prompt.
See Also
Backing Up Active Directory Domain Services
repartition disks check box. 12. To prevent volumes that are not included in the restore from being deleted and recreated, click Exclude Disks, select the check box for the disks that you want to exclude, and then click OK. 13. Click Next, and then click Finish. 14. Select the I confirm that I want to format the disks and restore the backup check box, and then click OK.
Performing a full server recovery of a domain controller by using the command line
Use the following procedure to perform full server recovery of a domain controller from the command line. There are no administrative credential requirements. No authentication is performed when you start in Windows RE. To perform full server recovery of a domain controller (a nonauthoritative restore) by using the command line 1. Insert the Windows Server 2008 installation DVD into the disk drive, and then restart the domain controller. 2. When you are prompted, press a key to start from the DVD. 3. At the initial Windows screen, accept or select language options, the time and currency format, and a keyboard layout, and then click Next. 4. At the Install now screen, click Repair your computer. 5. In the System Recovery Options dialog box, click anywhere to clear any operating systems that are selected for repair, and then click Next. 6. Under Choose a recovery tool, click Command Prompt. 7. At the Sources prompt, type diskpart, and then press ENTER. 8. At the Diskpart prompt, type list
vol,
9. Identify the volume from the list that corresponds to the location of the full server backup that you want to restore. The drive letters in Windows RE do not necessarily match the volumes as they appear in Windows Server 2008. 10. Type exit, and then press ENTER. 11. At the Sources prompt, type the following command, and then press ENTER:
wbadmin get versions -backupTarget:<targetDrive>: -machine:<BackupComputerName>
Where:
<targetDrive>:
<BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is required, if the backup is stored on a remote computer. 12. Identify the version that you want to restore. You must enter this version exactly in the next step. 13. At the Sources prompt, type the following command, and then press ENTER:
wbadmin start sysrecovery -version:<MM/DD/YYYY-HH:MM> -backuptarget:<targetDrive>: -machine:<BackupComputerName> -restoreAllVolumes
Where:
<MM/DD/YYYY-HH:MM> <targetDrive>:
<BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was taken. 14. When you are prompted, press Y to proceed with the restore process. 15. After the recovery operation has completed, minimize the command window, and then, in the System Recovery Options dialog box, click Restart.
Additional considerations
Be aware of the following issues when you perform a full server recovery of a domain controller: Wbadmin.exe does not require that you provide the recovery target. By specifying the backup version that you want to recover, the command proceeds to recover to the source location of the specified backup version. Backup files are named for the date and time of the backup. When you recover, the version must be stated in the form MM/DD/YYYY-HH:MM, which specifies the name of the backup that you want to recover. After the restore is completed, restart the server normally, and perform basic verification. When you restart the computer normally, AD DS and Active Directory Certificate Services (AD CS) automatically detect that they have been recovered from a backup. They perform an integrity check and index the database again. After you log on to the system, browse AD DS. Verify that the following conditions are met: All of the user objects and group objects that were present in the directory at the time of the backup are restored. Note Active Directory replication updates the objects that you restore with any changes that have been made to them since the time that the backup was taken. Files that were members of a File Replication Service (FRS) replica set and certificates that were issued by AD CS are present. 284
The Windows Time service (W32time) is synchronized correctly. The NETLOGON and SYSVOL folders are properly shared. The Preferred DNS server address is configured correctly.
Host (A) and service (SRV) resource records are registered correctly in Domain Name System (DNS).
Restoring a Domain Controller Through Reinstallation and Subsequent Restore from Backup
If you cannot restart a domain controller in Directory Services Restore Mode (DSRM), you can restore it through reinstallation of the operating system and subsequent restore of Active Directory Domain Services (AD DS) from backup. After you reinstall Windows Server 2008, perform a nonauthoritative restore of a system state or critical-volumes backup. You must have a previous backup for the failed domain controller, and the backup cannot be older than the tombstone lifetime for the forest. You do not have to join the computer to the domain before you perform the restore procedure. During the restore, the computer account is reestablished automatically. Note You must perform the restore procedure by using the same backup tool with which the backup was made. Procedures in this task describe using Windows Server Backup to restore AD DS, but you must use the tool that you used to create the backup file if it is not Windows Server Backup. Task requirements To perform the domain controller restore procedure, you must have the following information about the failed domain controller: Disk configuration. You need a record of the volumes and sizes of the disks and partitions. In the case of a complete disk failure, use this information to recreate the disk configuration. Windows Server 2008 must be reinstalled to the same drive letter and with at least the same amount of physical drive space as for the original installation. Before you restore the system state, you must recreate all disk configurations. Failure to recreate all disk configurations can cause the restore process to fail, and it can prevent you from starting the domain controller after the restore. Computer name. You need the computer name to restore a domain controller of the same name and avoid changing client configuration settings. DSRM Administrator password. You must know the DSRM Administrator password that was in use when the backup was created. The following tools are required to perform the procedures for this task: 285
To complete this task, perform the following procedures: 1. After you configure the disks appropriately, install Windows Server 2008. Note This guide does not provide information about installing Windows Server 2008. For information about installing Windows Server 2008, see Installing Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkID=111104). 2. Restart the server in DSRM by using one of the following methods: Note Restarting a member server in DSRM is not possible in Windows Server 2003, but it is possible in Windows Server 2008. Restart the Domain Controller in Directory Services Restore Mode Locally Or Restart the Domain Controller in Directory Services Restore Mode Remotely 3. Restore AD DS from Backup (Nonauthoritative Restore) 4. Verify AD DS restore
You can restart a domain controller in DSRM manually by pressing the F8 key during domain controller startup, which requires watching the startup and waiting for the appropriate point in the startup to press the key. This method is tedious and can waste time if you miss the brief window of opportunity for selecting the restart mode. On domain controllers that are running Windows Server 2008, tools are available that replace the Boot.ini file that is used in earlier versions of Windows Server to modify the boot configuration parameters and controls. You can use the Windows graphical user interface (GUI) or the command line to restart the domain controller in DSRM: Windows GUI: System Configuration (Msconfig.msc) is an administrative tool that you can use to configure boot and startup options, including restarting in DSRM and normal mode. Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot configuration on a server that is running Windows Server 2008. You can use Bcdedit with shutdown commands to instruct the domain controller to restart in DSRM and to restart normally. When you are finished managing a domain controller in DSRM, if you have used System Configuration or Bcdedit.exe to restart the domain controller in DSRM, you must change the configuration so that the domain controller restarts in normal mode. Note A benefit of using System Configuration or Bcdedit.exe for implementing restart of a domain controller into DSRM is that normally the domain controller cannot be inadvertently restarted. This benefit is particularly useful when you are performing a nonauthoritative restore from backup followed by an authoritative restore. You can also use System Configuration or Bcdedit.exe to restart a domain controller in DSRM remotely. To use System Configuration or Bcdedit.exe and Remote Desktop Connection to restart a domain controller in DSRM remotely, see Restart the Domain Controller in Directory Services Restore Mode Remotely. Membership in the Domain Admins group is the minimum required complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM is required to log on to the domain controller in DSRM. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/? LinkId=83477. Important If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).
287
To restart a domain controller in DSRM locally by using the Windows GUI 1. On the Start menu, point to Administrative Tools, and then click System Configuration. 2. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK. 3. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM. 4. Perform procedures in DSRM. 5. When you have finished performing procedures in DSRM, restart the domain controller normally: a. On the Start menu, point to Administrative Tools, and then click System Configuration. b. On the General tab, in Startup selection, click Normal startup, and then click OK. The domain controller restarts normally. To restart a domain controller in DSRM locally by using the command line 1. Click Start, click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, and then click OK. 2. At the command prompt, type the following command, and then press ENTER:
bcdedit /set safeboot dsrepair
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
4. When you are still in DSRM and you are ready to restart in normal mode, open a command prompt and type the following, and then press ENTER:
bcdedit /deletevalue safeboot
5. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
Value
Description
Configures the boot process to start in DSRM. Shuts down the server and restarts it. Returns the boot process to the previous setting.
288
See Also
Restart the Domain Controller in Directory Services Restore Mode Remotely
Membership in Domain Admins, or equivalent, is the minimum required to complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM and the user right to log on locally to a domain controller are required to log on to the domain controller in DSRM. Members of Account Operators, Administrators, Enterprise Admins, Domain Admins, Backup Operators, Print Operators, and Server Operators have the user right to log on locally to a domain controller by default. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. Important If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. Using a domain administrative account to log on to an RODC can compromise the server. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728). To restart a domain controller in DSRM remotely by using the Windows GUI 1. Connect to the remote domain controller that is running in normal mode: a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection. b. In Computer, type the name of the domain controller that you want to restart, and then click Connect. c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK. d. When you are connected, log on to the domain controller as a domain administrator. 2. On the Start menu, point to Administrative Tools, and then click System Configuration. 3. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK. 4. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped. 5. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection. 6. The domain controller name should still be showing in Computer. If it is not, select it from the list, and then click Connect. 7. In the Windows Security dialog box, click Use another account. 8. In User name, type the following: MachineName\Administrator Where MachineName is the name of the domain controller. 9. In Password, type the DSRM password, and then click OK. 290
10. At the logon screen of the remote domain controller, click Switch User, and then click Other User. 11. Type MachineName\Administrator, and then press ENTER. 12. Perform procedures in DSRM. 13. When you have finished performing procedures in DSRM, restart the domain controller normally: a. On the Start menu, point to Administrative Tools, and then click System Configuration. b. On the General tab, in Startup selection, click Normal startup, and then click OK. The domain controller restarts normally. This procedure will disconnect your remote session. To restart a domain controller in DSRM remotely by using the command line 1. Connect to the remote domain controller that is running in normal mode: a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection. b. In Computer, type the name of the domain controller that you want to restart, and then click Connect. c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK. d. When you are connected, log on to the domain controller as a domain administrator. 2. Open a command prompt. At the command prompt, type the following command, and then press ENTER:
bcdedit /set safeboot dsrepair
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped. 4. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection. 5. The domain controller name should still be showing in Computer. If it is not, select it in the list, and then click Connect. 6. In the Windows Security dialog box, click Use another account. 7. In User name, type the following: MachineName\Administrator Where MachineName is the name of the domain controller.
291
8. In Password, type the DSRM password, and then click OK. 9. At the logon screen of the remote domain controller, click Switch User, and then click Other User. 10. Type MachineName\Administrator, and then press ENTER. 11. Perform procedures in DSRM. 12. When you have finished performing procedures in DSRM, restart the domain controller normally: a. In DSRM, open a command prompt, type the following command, and then press ENTER:
bcdedit /deletevalue safeboot
b. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 r
The domain controller restarts normally. This procedure will disconnect your remote session.
Value Description
Configures the boot process to start in DSRM. Shuts down the server and restarts it. Returns the boot process to the previous setting.
See Also
Enable Remote Desktop Create a Remote Desktop Connection Restart the Domain Controller in Directory Services Restore Mode Locally
292
Note If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728). Be sure that you know the name and location of the version of the backup that you are restoring. Backup files are named for the date and time of the backup. When you restore the backup, the version must be stated in the form MM/DD/YYYY-HH:MM (month/day/year-hour:minute), which specifies the name of backup that you want to restore. The Wbadmin.exe command-line tool does not require that you provide the target for the recovery. By specifying the backup version that you want to recover, the command proceeds to recover to the source location of the backup version that you specify. Note The systemstaterecovery command in Wbadmin.exe causes a nonauthoritative restore of SYSVOL by default (only updates to SYSVOL since the time of the backup are replicated to the recovery domain controller). If you want to restore SYSVOL authoritatively (all of SYSVOL is replicated from the recovery domain controller to other domain controllers in the domain), specify the authsysvol option in the command. The Administrator password for DSRM is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. The server must be running in DSRM. To perform a nonauthoritative restore of AD DS 1. At the Windows logon screen, click Switch User, and then click Other User. 2. Type .\administrator as the user name, type the DSRM password for the server, and then press ENTER. 3. Open a Command Prompt. 4. At the command prompt, type the following command, and then press ENTER:
wbadmin get versions -backuptarget:<targetDrive>: -machine:<BackupComputerName>
Where:
<targetDrive>:
<BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was made. 5. Identify the backup version that you want to restore. You must enter this backup version exactly in the next step. 6. At the command prompt, type the following command, and then press ENTER:
wbadmin start systemstaterecovery -version:<MM/DD/YYYY-HH:MM>
293
Where:
<MM/DD/YYYY-HH:MM> <targetDrive>:
<BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was taken. If you do not specify the -quiet parameter, you are prompted to press Y to proceed with the restore process and then press Y to confirm that the replication engine for SYSVOL has not changed since you created the backup. After the recovery operation is complete, if you are not going to perform an authoritative restore of any restored objects, restart the server.
Additional references
Restart the Domain Controller in Directory Services Restore Mode Locally Enable Remote Desktop Create a Remote Desktop Connection Restart the Domain Controller in Directory Services Restore Mode Remotely Performing Authoritative Restore of Active Directory Objects
Verify AD DS restore
After you complete a restore of Active Directory Domain Services (AD DS), you can use this procedure to verify the restore. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To verify an Active Directory restorefrom backup 1. After the restore operation completes, restart the computer in Start Windows Normally mode. If you used Bcdedit.exe to configure startup in Directory Services Restore Mode (DSRM), see Restart the Domain Controller in Directory Services Restore Mode Remotely or Restart the Domain Controller in Directory Services Restore Mode Locally for information about changing the configuration back to normal startup mode. 2. After you are able to log on to the system, perform the following verification steps: At a command prompt, use the repadmin /showsig command to verify that the invocation ID has changed. The invocation ID is the directory database globally unique identifier 294
(GUID), which the Directory System Agent (DSA) uses to identify the version of the database. The invocation ID changes during the Active Directory restore process to ensure the consistency of the replication process. Verify that the previous entry appears in the retired signatures list. At a command prompt, use the repadmin /showrepl command to verify that there are no replication errors and all directory partitions are replicating properly with the required replication partners. You can determine the replication partners by selecting the NTDS Settings object for the restored server in Active Directory Sites and Services. At a command prompt, use the net share command to verify that the NETLOGON and SYSVOL shares appear. At a command prompt, use the dcdiag command to verify success of all tests on the domain controller. Use Active Directory Users and Computers to verify that the deleted objects that you wanted to recover from the backup are restored. If you have a Volume Shadow Copy Service (VSS) snapshot of the database, you can use the Active Directory database mounting tool (Dsamain.exe) to mount the database and view it through Active Directory Users and Computers to compare the objects. For information about the Active Directory database mounting tool, see the Step-by-Step Guide for Using the Active Directory Database Mounting Tool in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=103333).
295
Bandwidth is the primary consideration for restoring a domain controller through reinstallation. The bandwidth that is required is directly proportional to the size of the Active Directory database and the time in which the domain controller is required to be in a functioning state. Ideally, the existing functional domain controller should be located in the same Active Directory site as the replicating domain controller (the new domain controller) to reduce the impact on the network and the time that the reinstallation takes to complete. Note Before you restore a domain controller through reinstallation, ensure that hardware failure is not the cause of the problem. If faulty hardware is not changed, restoring through reinstallation might not solve the problems with the domain controller. Task requirements The following tools are required to perform the procedures for this task: Ntdsutil.exe Dcdiag.exe Dcpromo.exe
To complete this task, perform the following procedures: 1. Use the following procedure to clean up server metadata to remove the NTDS Settings object of the failed domain controller: Clean Up Server Metadata If you plan to give the new domain controller a different name from the name of the failed domain controller, in addition to cleaning up server metadata perform the following procedure: Delete a Server Object from a Site 2. Install Windows Server 2008. A fresh installation of Windows Server 2008 is assumed. Prepare for installation of the operating system by partitioning or reformatting the hard disk drive, if necessary. Note This guide does not provide information about installing Windows Server 2008. For information about installing Windows Server 2008, see Installing Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkID=111104). 3. Verify DNS Registration and TCP/IP Connectivity 4. Verify the Availability of the Operations Masters 5. Install an Additional Domain Controller by Using the Windows Interface During the installation process, replication occurs, which ensures that the domain controller has an accurate and up-to-date copy of Active Directory Domain Services (AD DS). You have the option to use the same information for this domain controller as the domain controller that it is replacing: site placement, domain controller name, and domain membership should remain the same. If you plan to install the domain controller under a different name, see Installing a Domain Controller in an Existing Domain.
296
6. After you install AD DS, see Verifying Active Directory Installation and perform procedures for verification of the installation.
Domain Controllers. 4. In the details pane, right-click the computer object of the domain controller whose metadata you want to clean up, and then click Delete. 5. In the Active Directory Domain Services dialog box, click Yes to confirm the computer object deletion. 6. In the Deleting Domain Controller dialog box, select This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then click Delete. 7. If the domain controller is a global catalog server, in the Delete Domain Controller dialog box, click Yes to continue with the deletion. 8. If the domain controller currently holds one or more operations master (also known as flexible single master operations or FSMO) roles, click OK to move the role or roles to the domain controller that is shown. You cannot change this domain controller. If you want to move the role to a different domain controller, you must move the role after you complete the server metadata cleanup procedure. To clean up server metadata by using Ntdsutil 1. Open a command prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Enterprise Admins credentials, if required, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER:
ntdsutil
3. At the ntdsutil: prompt, type the following command, and then press ENTER:
metadata cleanup
cleanup:
298
Value
Description
Initiates removal of objects that refer to a decommissioned domain controller. Removes objects for a specified, decommissioned domain controller from a specified server. The distinguished name of the domain controller whose metadata you want to remove, in the form cn=ServerName,cn=Servers,cn=SiteName, cn=Sites,cn=Configuration,dc=ForestRootDomain. If you specify only one server name, the objects are removed from the current domain controller. Specifies removing server metadata on <ServerName2>, the Domain Name System (DNS) name of the domain controller to which you want to connect. If you have identified replication partners in preparation for this procedure, specify a domain controller that is a replication partner of the removed domain controller.
on <ServerName2>
5. In Server Remove Configuration Dialog, review the information and warning, and then click Yes to remove the server object and metadata. At this point, Ntdsutil confirms that the domain controller was removed successfully. If you receive an error message that indicates that the object cannot be found, the domain controller might have been removed earlier. 6. At the metadata
cleanup:
7. To confirm removal of the domain controller: Open Active Directory Users and Computers. In the domain of the removed domain controller, click Domain Controllers. In the details pane, an object for the domain controller that you removed should not appear. Open Active Directory Sites and Services. Navigate to the Servers container and confirm that the server object for the domain controller that you removed does not contain an NTDS Settings object. If no child objects appear below the server object, you can delete the server object. If a child object appears, do not delete the server object because another application is using the object.
See Also
Delete a Server Object from a Site
299
See Also
Decommissioning a Domain Controller Forcing the Removal of a Domain Controller
300
Note For a more detailed response from this command, add /v to the end of the command. If the test fails, do not attempt any additional steps until you determine and fix the problem that prevents proper DNS functionality.
First, use Server Manager to add the Active Directory Domain Services server role. This part of the installation procedure installs the Dcdiag.exe command line tool. Perform this procedure after you add the server role but before you run Dcpromo.exe. Use the /s command option to indicate the name of an existing domain controller in the domain of the new domain controller. This domain controller is required to verify the ability of the server to connect to operations master role holders in the domain and forest. You do not have to use the /s option if you perform the test in this procedure after you install AD DS. The test automatically runs on the local domain controller where you are performing the test. The commands in this procedure show the /s option. If you are performing this test after you install AD DS, omit the /s option. For a more detailed response from this command, you can use the verbose option by adding /v to the end of the command. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To verify the availability of the operations masters 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At the command prompt, type the following command to ensure that the operations masters can be located, and then press ENTER:
dcdiag /s:<DomainControllerName> /test:knowsofroleholders /v
where <DomainControllerName> is the name of an existing domain controller in the domain in which you want to add the new domain controller. The verbose option provides a detailed list of the operations masters that were tested. Near the bottom of the screen, a message confirms that the test succeeded. If you use the verbose option, look carefully at the bottom part of the displayed output. The test confirmation message appears immediately after the list of operations masters. 3. Type the following command to ensure that the operations masters are functioning properly and available on the network, and then press ENTER:
dcdiag /s:<DomainControllerName> /test:fsmocheck
where <DomainControllerName> is the name of a domain controller in the domain in which you want to add the new domain controller. The verbose option provides a detailed list of the operations masters that were tested as well as other important servers, such as global catalog servers and time servers. Near the bottom of your screen, a message confirms that the test succeeded. If these tests fail, do not attempt any additional steps until you fix the problem that prevents the location of operations masters and you can verify that they are functioning properly.
302
13. On the Select a Site page, select a site from the list or select the option to install the domain controller in the site that corresponds to its IP address, and then click Next. 14. On the Additional Domain Controller Options page, make the following selections, and then click Next: DNS server: This option is selected by default so that your domain controller can function as a DNS server. If you do not want the domain controller to be a DNS server, clear this option. Note If you select the option to make this domain controller a DNS server, you might receive a message that indicates that a DNS delegation for the DNS server could not be created and that you should manually create a DNS delegation to the DNS server to ensure reliable name resolution. If you are installing an additional domain controller in either the forest root domain or a tree root domain, you do not have to create the DNS delegation. In this case, click Yes, and disregard the message. Global Catalog: This option is selected by default. It adds the global catalog, readonly directory partitions to the domain controller, and it enables global catalog search functionality. Read-only domain controller. This option is not selected by default. It makes the additional domain controller a read-only domain controller (RODC). 15. If you selected Use advanced mode installation on the Welcome page, the Install from Media page appears. You can provide the location of installation media to be used to create the domain controller and configure AD DS, or you can have all source replication occur over the network. Note that some data will be replicated over the network even if you install from media. For information about using this method to install the domain controller, see Installing an Additional Domain Controller by Using IFM. 16. If you selected Use advanced mode installation on the Welcome page, the Source Domain Controller page appears. Click Let the wizard choose an appropriate domain controller or click Use this specific domain controller to specify a domain controller that you want to provide as a source for replication to create the new domain controller, and then click Next. If you do not choose to install from media, all data will be replicated from this source domain controller. 17. On the Location for Database, Log Files, and SYSVOL page, type or browse to the volume and folder locations for the database file, the directory service log files, and the SYSVOL files, and then click Next. Windows Server Backup backs up the directory service by volume. For backup and recovery efficiency, store these files on separate volumes that do not contain applications or other nondirectory files. 18. On the Directory Services Restore Mode Administrator Password page, type and confirm the restore mode password, and then click Next. This password must be used to start AD DS in Directory Services Restore Mode (DSRM) for tasks that must be performed 304
offline. 19. On the Summary page, review your selections. Click Back to change any selections, if necessary. To save the settings that you have selected to an answer file that you can use to automate subsequent Active Directory operations, click Export settings. Type the name for your answer file, and then click Save. When you are sure that your selections are accurate, click Next to install AD DS. Note If you are installing an additional domain controller in a child domain and you are using child domain credentials, the Windows Security dialog box appears because access is denied in the parent domain to update the DNS delegation in the parent zone. In this case, click the other user icon and provide administrator credentials for the parent domain, and then click OK. 20. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish. 21. You can select Reboot on completion to have the server restart automatically, or you can restart the server to complete the installation of AD DS when you are prompted to do so.
See Also
Preparing for Active Directory Installation Verifying Active Directory Installation
Dcdiag.exe Ntdsutil.exe
To complete this task, perform the following procedures: 1. Determine Whether a Server Object Has Child Objects 2. Verify That an IP Address Maps to a Subnet and Determine the Site Association Check that the new domain controller is located in the correct site so that the new domain controller can locate replication partners and become part of the replication topology. 3. Move a Server Object to a New Site If you have performed an unattended installation and the domain controller was not placed in the site that you expected, you can move the server object to the correct site. 4. Configure DNS Server Forwarders 5. Complete all procedures for the Verifying DNS Configuration task. 6. Check the Status of the SYSVOL and Netlogon Shares 7. Verify DNS Registration and TCP/IP Connectivity 8. Verify a Domain Computer Account for a New Domain Controller 9. Verify Active Directory Replication 10. Verify the Availability of the Operations Masters
306
Make it possible for clients to discover network resources (published shares, domain controllers, global catalog servers) that are close to the physical location of the client, reducing network traffic over wide area network (WAN) links. Optimize replication between domain controllers. Managing sites in AD DS involves adding new subnet, site, and site link objects when the network grows, as well as configuring a schedule and cost for site links. You can modify the site link schedule, cost, or both to optimize intersite replication. When conditions no longer require replication to a site or clients no longer require the sites to discover network resources, you can remove the site and associated objects from AD DS. Managing large hub-and-spoke topology is beyond the scope of this documentation. For information about managing branch sites, see the Planning and Deploying Read-Only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=120840).
site-costing functionality. Therefore, if you disable site link bridging and you are using File Replication Service (FRS) to replicate DFS replicas, which include the SYSVOL share, the DFS site-costing ability is also disabled. Note DFS Replication, which is available in domains that are at the Windows Server 2008 domain functional level, uses the replication topology that is defined by the administrator, which is independent of Active Directory site costing. If you turn off site link bridging, you must create site link bridges manually. For information about using manual site link bridges, see Creating a Site Link Bridge Design (http://go.microsoft.com/fwlink/?LinkId=122678). Note When you use FRS to replicate DFS replicas, you can maintain DFS site-costing functionality with Bridge all site links turned off. When the forest functional level is at least Windows Server 2003 or Windows Server 2003 interim and the ISTG in a site is running Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), Windows Server 2003 R2, or Windows Server 2008, you can use a site option to turn off automatic site link bridging for KCC operation without hampering the ability of DFS to use Intersite Messaging to calculate the cost matrix. This site option is set when you run the command repadmin /siteoptions W2K3_BRIDGES_REQUIRED. For more information about the effects of disabling site link bridging, see How Active Directory Replication Topology Works (http://go.microsoft.com/fwlink/?LinkId=93526). Do not disable Bridge all site links unless you are deploying a branch office environment. For information about branch office deployments, see RODC Placement Considerations in Planning and Deploying Read-Only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=120840).
The Try Next Closest Site Group Policy setting uses site link cost values to determine the next closest site to the site of the client. Try Next Closest Site can affect how you configure site link costs because it affects the order in which domain controllers are located. For enterprises that have many hub sites and branch offices, you can significantly reduce Active Directory traffic on the network by ensuring that clients fail over to the next closest hub site when they cannot find a domain controller in the closest hub site. For more information, see Enabling Clients to Locate the Next Closest Domain Controller (http://go.microsoft.com/fwlink/?LinkId=120711).
309
suffix is not necessarily the users domain and the identity of the users domain must be retrieved from a global catalog server. In Windows Server 2008, the best solution to this branch site scenario is to deploy a read-only domain controller (RODC) that is a global catalog server. In this case, although the global catalog must be replicated to the site, access to universal group memberships is always local and logon experience is consistent. In addition, RODCs provide more security against compromise than regular domain controllers because they are not writable. For information about deploying RODCs that are global catalog servers, see Planning and Deploying Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=120840). As an alternative to deploying the global catalog in the branch site, you can enable Universal Group Membership Caching, which means that the domain controller contacts the global catalog server only once for each user and that it caches all universal group memberships, rather than having to retrieve them at each logon. For more information about Universal Group Membership Caching, see How the Global Catalog Works (http://go.microsoft.com/fwlink/?LinkId=107063). For information about using Universal Group Membership Caching, see Enabling Universal Group Membership Caching in a Site.
See Also
Managing Intersite Replication
When a site is needed, the design team typically provides details about the placement and configuration of site links for the new site, as well as subnet assignments or creation if subnets are needed. If a new range of IP addresses is added to the network, create a subnet object in AD DS to correspond to the range of IP addresses. When you use Active Directory Sites and Services to create a new subnet object, you are required to associate the subnet with a site object. You can either associate the subnet with an existing site or create a new site first and then create the subnet and associate it with the new site. If a domain client has an IP address that does not map to a site, the client might be connected to a domain controller that is potentially far away from the client, causing slow responses for the client. Note When a domain client that has an IP address in a subnet that is not defined in AD DS connects to a domain controller, NETLOGON Event ID 5807 is generated in the System event log. The event indicates that clients have connected to the domain controller with IP addresses that do not map to a site. The text in the event provides instructions for determining the names and IP addresses of the client computers by searching the Netlogon.log file. Task requirements The following is required to perform the procedures for this task: Active Directory Sites and Services To complete this task, perform the following procedures: 1. Create a Site Object and Add it to an Existing Site Link 2. Associate a range of IP addresses with the site by using either of the following methods: Create a Subnet Object or Objects and Associate them with a Site Associate an Existing Subnet Object with a Site
3. If you are creating both a new site and a new site link, after you create the new site and add it to an existing site link, Create a Site Link Object and Add the Appropriate Sites. Then, remove the site from the first site link that you added it to when you created the site, if appropriate. 4. Remove a Site from a Site Link
details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To create a site object and add it to an existing site link 1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. 2. Right-click the Sites container, and then click New Site. 3. In Name, type the name of the site. 4. In Link Name, click a site link for this site, and then click OK. 5. In Active Directory Domain Services, read the information, and then click OK.
See Also
Create a Subnet Object or Objects and Associate them with a Site Moving a Domain Controller to a Different Site
Membership in the Enterprise Admins group in the forest or the Domain Admins group in the forest root domain, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To create a subnet object or objects and associate them with a site 1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. 2. In the console tree, expand the Sites container, right-click Subnets, and then click New Subnet. 3. In New Object - Subnet, in Prefix, type the IPv4 or IPv6 subnet prefix for the subnet. 4. In Select a site object for this prefix, click the site to be associated with the subnet, and then click OK.
312
313
To create a site link object 1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. 2. Expand Sites, and then expand Inter-Site Transports. 3. Right-click IP, and then click New Site Link. 4. In Name, type a name for the site link. 5. In Sites not in this site link, click a site that you want to add to the site link. Hold down the SHIFT key to click a second site that is adjacent in the list, or hold down the CTRL key to click a second site that is not adjacent in the list. 6. After you select all the sites that you want to add to the site link, click Add, and then click OK.
planning your site topology, see Designing the Site Topology for Windows Server 2008 AD DS (http://go.microsoft.com/fwlink/?LinkId=89026).
Task requirements The following is required to perform the procedures for this task: Active Directory Sites and Services To complete this task, perform the following procedures: 1. Create a Site Link Object and Add the Appropriate Sites 2. By default, the KCC runs every 15 minutes to generate the replication topology. To generate the intersite topology immediately, perform the following two procedures: Determine the ISTG Role Owner for a Site Generate the Replication Topology on the ISTG
3. If you are designating servers that will perform intersite replication, you can Designate a Server as a Preferred Bridgehead Server.
316
317
To generate the replication topology on the ISTG 1. Determine the server that holds the ISTG role for the site. 2. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. 3. In the console tree, expand Sites, and then expand the site that contains the ISTG on which you want to run the KCC. 4. Expand Servers, and then click the Server object for the ISTG. 5. In the details pane, right-click NTDS Settings, click All Tasks, and then click Check Replication Topology. 6. In the Check Replication Topology message box, click OK.
Configure the Site Link Schedule to Identify Times During Which Intersite Replication Can Occur
If you need to change the schedule for Active Directory replication between sites, configure the site link object in Active Directory Domain Services (AD DS). Use the properties on the site link object to define when replication is allowed to occur between the bridgehead servers in the sites that are
319
assigned to the site link. You can use this procedure to configure the site link schedule. Obtain the site link schedule from your design team. Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To configure the site link schedule 1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. 2. In the console tree, expand Sites and Inter-Site Transports, and then click IP. 3. In the details pane, right-click the site link object that you want to configure, and then click Properties. 4. In the SiteLinkName Properties dialog box, click Change Schedule. 5. In the Schedule for SiteLinkName dialog box, select the block of days and hours during which you want replication to occur or not occur (that is, be available or not available), and then click the appropriate option. 6. Click OK twice.
Configure the Site Link Interval to Identify How Often Replication Polling Can Occur During the Schedule Window
Bridgehead servers initiate intersite replication by polling their replication partners. You configure the polling schedule on the site link object in Active Directory Domain Services (AD DS). You can use this procedure and the properties on the site link object to determine how often during the available replication schedule you want bridgehead servers to poll their intersite replication partners for changes. Obtain the interval value from your design team. Note Intersite connection objects also have a schedule; they inherit their schedule and interval from the site link object. Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To configure the site link interval 1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. 320
2. In the console tree, expand Sites and Inter-Site Transports, and then click IP. 3. In the details pane, right-click the site link object that you want to configure, and then click Properties. 4. In Replicate every _____ minutes, specify the number of minutes for the intervals at which replication polling occurs during an open schedule, and then click OK.
Configure the Site Link Cost to Establish a Priority for Replication Routing
The cost setting on a site link object determines the likelihood that replication occurs over a particular route between two site. Relication routes with the lowest cumulative cost are preferred. You can use this procedure to configure replication cost on the site link object in Active Directory Domain Services (AD DS). When you create or modify site links, use the site link object properties to configure the relative cost of using the site link. To perform this procedure, you must have site topology information that includes the cost values for the sight links that you want to manage. The cost that you set in this procedure must be determined relative to existing or planned costs of other site links. You can use any range of numbers; only their relative values (higher or lower) are important. Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To configure the site link cost 1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. 2. In the console tree, expand Sites and Inter-Site Transports, and then click IP. 3. In the details pane, right-click the site link object that you want to configure, and then click Properties. 4. In Cost, specify the number for the comparative cost of using the site link, and then click OK.
321
determine the identity of the ISTG role owner in a site. You can use this procedure to view the NTDS Site Settings object properties and determine the ISTG role owner for the site. Membership in Domain Users, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To determine the ISTG role owner for a site 1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. 2. In the console tree, click the site object whose ISTG role owner you want to determine. 3. In the details pane, right-click the NTDS Site Settings object, and then click Properties. The current role owner appears in the Server box under Inter-Site Topology Generator.
which you want to run the KCC. 4. Expand Servers, and then click the Server object for the ISTG. 5. In the details pane, right-click NTDS Settings, click All Tasks, and then click Check Replication Topology. 6. In the Check Replication Topology message box, click OK.
If no domain controller is available in the next closest site, try to find any domain controller in the domain. By default, DC Locator does not consider any site that contains a read-only domain controller (RODC) when it determines the next closest site. For example, assume that a site topology has four sites with the site link values in the following illustration. In this example, all the domain controllers are writable domain controllers.
When the Try Next Closest Site Group Policy setting is enabled in this example, if a Windows Vista or Windows Server 2008 client computer in Site_B tries to locate a domain controller, it first tries to find a domain controller in its own Site_B. If none is available in Site_B, it tries to find a domain controller in Site_A. If the setting is not enabled, the Windows Vista or Windows Server 2008 client tries to find a domain controller in Site_A, Site_C, or Site_D if no domain controller is available in Site_B. To apply the Try Next Closest Site setting, you can create a Group Policy object (GPO) and link it to the appropriate object for your organization, or you can modify the Default Domain Policy to have it affect all Windows Vista and Windows Server 2008 clients in the domain. For more information about how to set the Try Next Closest Site setting, see Enable Clients to Locate a Domain Controller in the Next Closest Site.
324
325
TCP/IP settings
When you move a domain controller to a different site, if an IP address of the domain controller is configured statically, you must change the TCP/IP settings accordingly. The IP address of the domain controller must map to a subnet object that is associated with the site to which you are moving the domain controller. If the IP address of a domain controller does not match the site in which the server object appears, the domain controller might be forced to communicate over a potentially slow wide area network (WAN) link to locate resources, rather than locating resources in its own site. Before you move the domain controller, ensure that the following TCP/IP client values are appropriate for the new location: IP address, including the subnet mask and default gateway DNS server addresses Windows Internet Name Service (WINS) server addresses (if appropriate)
If the domain controller that you are moving is a DNS server, you must also change the TCP/IP settings on any clients that have static references to the domain controller as the preferred or alternate DNS server.
DNS settings
If the domain controller is a DNS server, you must update the IP address in any DNS delegations or forwarders that reference the IP address. With dynamic update enabled, DNS updates host (A), host (AAAA), and name server (NS) resource records automatically. However, you must update delegations and forwarders as follows: Delegations: Determine whether the parent DNS zone of any zone that is hosted by this DNS server contains a delegation to this DNS server. If the parent DNS zone does contain a delegation to this DNS server, update the IP address in the name server (NS) resource record in the parent domain DNS zone that points to this DNS server. Forwarders: Determine whether the server acts as a forwarder for any DNS servers. If a DNS server uses this server as a forwarder, change the name server (NS) resource record for the forwarder on that DNS server. 326
To complete this task, perform the following procedures in order: 1. Change the Static IP Address of a Domain Controller 2. Update the IP Address for a DNS Delegation If the parent DNS zone of any zone that is hosted by this DNS server contains a delegation to this DNS server, use this procedure to update the IP address in all such delegations. If your forest root domain has a parent DNS domain, perform this procedure on a DNS server in the parent domain. If you just added a new domain controller to a child domain, perform this
327
procedure on a DNS server in the DNS parent domain. If you are following recommended practices, the parent domain is the forest root domain. 3. Update the IP Address for a DNS Forwarder If the DNS server is configured as a forwarder for any other DNS server, use this procedure to update the IP address in all forwarders. 4. Verify That an IP Address Maps to a Subnet and Determine the Site Association 5. To determine whether the server is a preferred bridgehead server, you can check a single server or you can view the entire preferred bridgehead server list: Determine Whether a Server is a Preferred Bridgehead Server View the List of All Preferred Bridgehead Servers
6. Configure a Server to Not Be a Preferred Bridgehead Server 7. Move a Server Object to a New Site
Use the DNS snap-in to update the following DNS values that apply to this domain controller: On the Forwarders tab in the properties of a DNS server, update the IP address on DNS servers for which this domain controller is designated as a forwarder. Use the procedure Update the IP Address for a DNS Delegation for all delegations to this domain controller. On the Zone Transfers tab in the properties of a forward lookup zone, update the IP address for any primary or seconday DNS zone transfers to this domain controller.
328
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To change the static IP address of a domain controller 1. Log on locally to the domain controller whose IP address you want to change. 2. Click Start, point to Administrative Tools, click Server Manager, and then click View Network Connections. 3. In the Network Connections dialog box, right-click the appropriate connection, and then click Properties. 4. In the Connection Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4) or Internet Protocol Version 6 (TCP/IPv6). 5. In IP address, type the new address. 6. In Subnet mask, type the new subnet mask if it has changed. 7. In Default gateway, type the new default gateway. 8. In Preferred DNS server, type the address of the Domain Name System (DNS) server that this computer contacts if it has changed. 9. In Alternate DNS server, type the address of the DNS server that this computer contacts if the preferred server is unavailable. 10. If this domain controller uses WINS servers, click Advanced, and then, in the Advanced TCP/IP Settings dialog box, click the WINS tab. 11. If an address in the list is no longer appropriate, click the address, and then click Edit. 12. In the TCP/IP WINS Server dialog box, type the new address, and then click OK. 13. Repeat steps 11 and 12 for all addresses that have to be changed, and then click OK twice to close the TCP/IP WINS Server dialog box and the Advanced TCP/IP Settings dialog box. 14. Click OK to close the Internet Protocol (TCP/IP) Properties dialog box.
329
To update the IP address for a DNS delegation 1. Open the DNS snap-in: On the Start menu, point to Administrative Tools, and then click DNS. 2. In the console tree, if you are connected to a DNS server that hosts the parent zone, go to step 4. If you are not connected to a DNS server that hosts the parent zone, rightclick DNS and then click Connect to DNS Server. 3. Click The following computer, type the name of the DNS server that hosts the parent zone, and then click OK. 4. In the console tree, double-click the server node for a DNS server that hosts the parent zone, double-click Forward Lookup Zones, and then double-click the parent zone. 5. In the console tree, right-click the delegated zone of the DNS server whose IP address has changed, and then click Properties. 6. On the Name Servers tab, click the DNS server whose IP address has changed, and then click Edit. 7. In the IP Address list, click the address, and then type changes as necessary. 8. Click OK twice.
6. In the IP Address list, click the address that you want to change, and then click Edit. 7. In the IP Address list, click the address, and then type changes as necessary. 8. Click OK twice.
Verify That an IP Address Maps to a Subnet and Determine the Site Association
You can use this procedure to determine the site to which you want to add a server object before you install Active Directory Domain Services (AD DS). You can also use this procedure to verify the site after you install AD DS or before you move a server object. To be associated with a site, the IP address of a domain controller must map to a subnet object that is defined in AD DS. The site to which the subnet is associated is the site of the domain controller. The subnet address, which is computed from the IP network address and the subnet mask, is the name of a subnet object in AD DS. When you know the subnet address, you can locate the subnet object and determine the site to which the subnet is associated. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To verify that an IP address maps to a subnet and to determine the site association 1. Log on locally or open a Remote Desktop connection to the server for which you want to check the IP address. 2. In Server Manager, click View Network Connections. 3. Right-click the connection that represents the connection the server or domain controller uses to attach to the network, and then click Properties. 4. In the Connection Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4) or Internet Protocol Version 6 (TCP/IPv6). 5. Use an IP subnet calculator and the values in IP address and Subnet mask to calculate the subnet address, and then click OK twice. 6. Open the Active Directory Sites and Services snap-in: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 7. Expand the Sites container, and then click the Subnets container. 8. In the Name column in the details pane, find the subnet object that matches the subnet address for the server or domain controller. 9. In the Site column, note the site to which the IP subnet address is associated. 331
If the site that appears in the Site column is not the appropriate site, contact a site administrator and find out whether the IP address is incorrect or whether you should move the server object to the site that is indicated by the subnet-to-site association.
See Also
Move a Server Object to a New Site
See Also
Configure a Server to Not Be a Preferred Bridgehead Server View the List of All Preferred Bridgehead Servers
332
See Also
Determine Whether a Server is a Preferred Bridgehead Server Configure a Server to Not Be a Preferred Bridgehead Server
333
details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To configure the server to not be a preferred bridgehead server 1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. 2. In the console tree, expand Sites, and then expand the site of the preferred bridgehead server. 3. Expand the Servers container to display the list of domain controllers that are currently configured for that site. 4. Right-click the server that you want to remove, and then click Properties. 5. If IP appears in the list that marks this server as a bridgehead server for the IP transport, click IP, click Remove, and then click OK.
See Also
View the List of All Preferred Bridgehead Servers
container. 7. Verify that an object for the server that you moved exists. 8. Expand the server object, and verify that an NTDS Settings object exists. Within an hour, the Net Logon service on the domain controller registers the new site information in Domain Name System (DNS). Wait an hour, and then open Event Viewer and connect to the domain controller whose server object you moved. Review the System log for NETLOGON errors regarding registration of service (SRV) resource records in DNS that have occurred within the last hour. The absence of errors indicates that the Net Logon service has updated DNS with sitespecific service (SRV) resource records. NETLOGON Event ID 5774 indicates that the dynamic registration of DNS resource records has failed. If this error occurs, contact a supervisor and pursue DNS troubleshooting.
See Also
Verify That an IP Address Maps to a Subnet and Determine the Site Association
Forcing Replication
When you need updates to be replicated sooner than the intersite replication schedule allows, or when replication between sites is impossible because of configuration errors, you can force replication to and from domain controllers. You can use the following two methods of forcing replication: Force replication of all directory partition updates from one server to another server over a connection Force replication of configuration directory partition updates from one server to another server
336
sites because you cannot write to the RODC. When you recreate the site link in the hub site and then force replication of the configuration directory partition to the site of the RODC, you enable the RODC to create connection objects from replication partners in the hub site. Task requirements The following tools are required to perform the procedures for this task: Active Directory Sites and Services Repadmin.exe
To complete this task, perform the following procedures: 1. Force Replication Between Domain Controllers 2. Update a Server with Configuration Changes 3. Synchronize Replication with All Partners 4. Verify Successful Replication to a Domain Controller
See Also
Synchronize Replication with All Partners
Where <ServerName> is the name of the domain controller that has the configuration changes that you want to replicate. The /showrepl switch provides the globally unique identifier (GUID) information that you need for step 6. 339
3. Click the Command Prompt menu in the title bar, click Edit, and then click Mark. 4. Use the cursor to select the value in DSA
object GUID.
5. Click the Command Prompt menu in the title bar, and then click Copy. Use the Paste command on the Command Prompt menu to paste this value for the <SourceDomainControllerGUID> parameter in the next step. 6. At the command prompt, type the following command, and then press ENTER:
repadmin /sync <ConfigurationDistinguishedName> <DestinationServerName> <SourceDomainControllerGUID>
Value
Description
/sync <ConfigurationDistinguishedName>
Synchronizes replication of the specified directory partition between the specified domain controllers The configuration directory partition distinguished name: CN=Configuration,DC=ForestRootDomainName The name of the domain controller that is to receive the configuration updates, for example, DC3B. The Directory System Agent (DSA) GUID of the domain controller that is forcing replication.
<DestinationServerName>
<SourceDomainControllerGUID>
340
Value
Description
Synchronizes a specified domain controller with all replication partners. The Domain Name System (DNS) name of the domain controller on which you want to synchronize replication with all partners. Enterprise; includes partners in all sites. Identifies servers by their distinguished names in messages. All; synchronizes all directory partitions that are held on the home server. Pushes changes outward from the home server. Runs in quiet mode; suppresses callback messages.
/e /d /A /P /q
2. Check for replication errors in the output of the command in the previous step. If there are no errors, replication is successful. For replication to complete, any errors must be corrected.
See Also
Verify Successful Replication to a Domain Controller
341
If @ [Never] appears in the output for a directory partition, replication of that directory partition has never succeeded from the identified source replication partner over the listed connection. Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To verify successful replication to a domain controller 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER:
repadmin /showrepl <servername> /u:<domainname>\<username> /pw:*
Note The user credential parameters (/u:<domainname>\<username> /pw:*) are not required for the domain of the user if the user has opened the Command Prompt as an administrator with Domain Admins credentials or is logged on to the domain controller as a member of Domain Admins or equivalent. However, if you run the command for a domain controller in a different domain in the same Command Prompt session, you must provide credentials for an account in that domain.
342
Value
Description
repadmin /showrepl
Displays the replication status for the last time that the domain controller that is named in <servername> attempted inbound replication of Active Directory partitions. The name of the destination domain controller. Specifies the domain name and user name, separated by a backslash, for a user who has permissions to perform operations in AD DS. The single-label name of the domain of the destination domain controller. (You do not have to use a fully qualified Domain Name System (DNS) name.) The name of an administrative account in that domain. Specifies the domain password for the user named in <username>. * provides a Password: prompt when you press ENTER.
<servername> /u:
<domainname>
<username> /pw:*
3. At the Password: prompt, type the password for the user account that you provided, and then press ENTER. You can also use repadmin to generate the details of replication to and from all replication partners in a Microsoft Excel spreadsheet. The spreadsheet displays data in the following columns: Showrepl_COLUMNS Destination DC Site Destination DC Naming Context Source DC Site Source DC Transport Type Number of Failures Last Failure Time Last Success Time Last Failure Status The following procedure creates this spreadsheet and sets column headings for improved readability.
343
To generate a repadmin /showrepl spreadsheet for all replication partners 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER:
repadmin /showrepl * /csv >showrepl.csv
3. Open Excel. 4. Click the Office button, click Open, navigate to showrepl.csv, and then click Open. 5. Hide or delete column A as well as the Transport Type column, as follows: 6. Select a column that you want to hide or delete. Or To delete the column, right-click the selected column, and then click Delete. 7. Select row 1 beneath the column heading row. On the View tab, click Freeze Panes, and then click Freeze Top Row. 8. Select the entire spreadsheet. On the Data tab, click Filter. 9. In the Last Success Time column, click the down arrow, and then click Sort Ascending. 10. In the Source DC column, click the filter down arrow, point to Text Filters, and then click Custom Filter. 11. In the Custom AutoFilter dialog box, under Show rows where, click does not contain. In the adjacent text box, type del to eliminate from view the results for deleted domain controllers. 12. Repeat step 11 for the Last Failure Time column, but use the value does not equal, and then type the value 0. 13. Resolve replication failures. The last successful attempt should agree with the replication schedule for intersite replication, or the attempt should be within the last hour for intrasite replication. If Repadmin reports any of the following conditions, see Troubleshooting Active Directory Replication Problems (http://go.microsoft.com/fwlink/?LinkID=93582): The last successful intersite replication was before the last scheduled replication. The last intrasite replication was longer than one hour ago. Replication was never successful. To hide the column, right-click the column, and then click Hide.
344
Removing a Site
If domain controllers are no longer needed in a network location, you can remove them from the site and then delete the site object. Before you delete the site, you must remove each domain controller from the site either by removing domain controller completely or by moving it to a new location: To remove the domain controller completely, remove Active Directory Domain Services (AD DS) from the server and then delete the server object from the site in AD DS. To retain the domain controller in a different location, move the domain controller itself to the new site and then move the server object to the respective site in AD DS. Before you remove a server object from a site, check the NTDS Settings object of the server to see if the server has a manual connection object from any server in another site. If a manual connection object exists, check the source server in the other site for a corresponding manual connection object from the server that you are removing. The Knowledge Consistency Checker (KCC) does not remove manual connection objects automatically. Therefore, if you leave a manually created connection object on a server and then remove the source server for the connection, the inability of the destination server to replicate from its source replication partner will cause replication errors to be generated. If a manual connection object exists in the NTDS Settings object of a server in another site, and if the server that you are removing is the source (replicate from) server for the connection, delete that manual connection object on the destination server to avoid unnecessary replication errors after you have removed the server object. Domain controllers can host other applications that depend on site topology and publish objects as child objects of the respective server object. For example, when Microsoft Operations Manager (MOM) or Message Queuing is running on a domain controller, these applications create child objects beneath the server object. In addition, a server running Message Queuing that is not a domain controller and that is configured to be a routing server running Message Queuing creates a server object in the sites container. Removing the application from the server automatically removes the child object below the respective server object. However, the server object is not removed automatically. When all applications have been removed from the server (no child objects appear beneath the server object), you can remove the server object. After the application is removed from the server, a replication cycle might be required before child objects are no longer visible below the server object. After you delete or move the server objects but before you delete the site object, reconcile the following objects: IP addresses: If the addresses are being reassigned to a different site, associate the subnet object or objects with that site. Any clients that use the addresses for the decommissioned site will thereafter be assigned automatically to the other site. If the IP addresses will no longer be used on the network, delete the corresponding subnet object or objects. 345
Site link objects: If the site that you are removing is added to a site link that contains only two sites, delete the site link object. If the site that you are removing is added to a site link that contains more than two sites, do not delete this site link object. Before you remove a site, consider the implications. If the site that you are removing is added to more than one site link, it might be an interim site between other sites that are added to this site link. Deleting the site might disconnect the outer sites from each other. In this case, the site links must be reconciled according to the instructions of the design team. Task requirements The following tool is required to perform the procedures for this task: Active Directory Sites and Services To complete this task, perform the following procedures: 1. Delete a manual Connection object 2. Determine Whether a Server Object Has Child Objects 3. Delete a Server Object from a Site 4. Delete a Site Link object 5. Associate an Existing Subnet Object with a Site 6. Delete a Site object 7. To avoid replication errors on bridgehead servers in other sites that received replication from the site that has been removed, generate the intersite topology in those sites by performing the following two procedures: Determine the ISTG Role Owner for a Site Generate the Replication Topology on the ISTG
Tools, and then click Active Directory Sites and Services. 2. In the console tree, expand Sites, and then expand the site of the server whose manual connection object you want to delete. 3. Expand Servers, and then expand the server object whose manual connection object you want to delete. 4. Click the NTDS Settings object of the server object, and then, in the details pane, view the Name column to find a connection object that has a name other than <automatically generated>. 5. Usually, a manual connection object is named for the source server. To be sure, rightclick the connection object and then, in Replicate from, note the server name in the Server box. This is the source server from which this connection transfers replication updates to the destination server whose NTDS Settings object you have selected. 6. If you no longer want the destination server to explicitly use this server as its replication source, right-click the manual connection object, and then click Delete.
Tools, and then click Active Directory Sites and Services. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue. 2. In the console tree, expand the Sites container, and then expand the site of the server object. 3. Expand the Servers container, and then expand the server object to view any child objects.
See Also
Decommissioning a Domain Controller Forcing the Removal of a Domain Controller
Tools, and then click Active Directory Sites and Services. 2. In the console tree, expand the Sites container, and then click the Subnets container. 3. In the details pane, right-click the subnet with which you want to associate the site, and then click Properties. 4. In Site, click the site to associate the subnet, and then click OK.
See Also
Delete a Server Object from a Site Delete a Site Link object
350
Membership in Domain Users, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To determine the ISTG role owner for a site 1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. 2. In the console tree, click the site object whose ISTG role owner you want to determine. 3. In the details pane, right-click the NTDS Site Settings object, and then click Properties. The current role owner appears in the Server box under Inter-Site Topology Generator.
4. Expand Servers, and then click the Server object for the ISTG. 5. In the details pane, right-click NTDS Settings, click All Tasks, and then click Check Replication Topology. 6. In the Check Replication Topology message box, click OK.
352
Ntds.dit and logs on the same volume: The greater of 20 percent of the combined Ntds.dit and log files sizes or 1 gigabyte (GB).
Database defragmentation
During ordinary operation, you will delete objects from AD DS. When you delete an object, free (unused) disk space is created in the database. On a regular basis, the database consolidates this free disk space through a process called online defragmentation. This disk space will be reused when new objects are added (without adding any size to the file itself). This automatic online defragmentation redistributes and retains free disk space for use by the database, but does not release the disk space to the file system. Therefore, the database size does not shrink, even though objects might be deleted. In cases in which the data decreases significantly, such as when the global catalog is removed from a domain controller, free disk space is not automatically returned to the file system. Although this condition does not affect database operation, it does result in large amounts of free disk space in the database. To decrease the size of the database file by returning free disk space from the database file to the file system, you can perform an offline defragmentation of the database. Whereas online defragmentation occurs automatically while AD DS is running, offline defragmentation requires taking the domain controller offline and using the Ntdsutil.exe commandline tool to perform the procedure.
Note NTFS disk compression is not supported for the database and log files.
Restartable AD DS
On domain controllers that are running Windows Server 2008, performing offline defragmentation and other database management tasks does not require a restart of the domain controller in Directory Services Restore Mode (DSRM). You can stop the AD DS service while you perform database management procedures. This feature, called restartable AD DS, eliminates the need to restart the domain controller when you perform certain database management tasks. Services that are running on the server that depend on AD DS to function shut down before AD DS shuts down. The following services stop when you stop AD DS: DNS Server service File Replication Service (FRS) Kerberos Key Distribution Center (KDC) 353
Other services that are running on the server and that do not depend on AD DS to function, such as Dynamic Host Configuration Protocol (DHCP), remain available to satisfy client requests while AD DS is stopped. For information about restartable AD DS, see Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=88649).
See Also
Managing the Active Directory Database
354
Expand the partition on the disk that currently stores the database file, the log files, or both. This procedure does not change the path to the files and does not require updating the registry. Use Ntdsutil.exe to move the database file, the log files, or both to a larger existing partition. If you are not using Ntdsutil.exe when you move files to a different partition, you must update the registry manually. If the path to the database file or log files will change as a result of moving the files, be sure that you: Use Ntdsutil.exe to move the files (rather than copying them) so that the registry is updated with the new path. Even if you are moving the files only temporarily, use Ntdsutil.exe to move files locally so that the registry remains current. Perform a system state or critical-volume backup as soon as the move is complete so that the restore procedure uses the correct path. Verify that the correct permissions are applied on the destination folder after the move. Revise permissions to just the permissions that are required to protect the database files, if necessary. The registry entries that Ntdsutil.exe updates when you move the database file are as follows: In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\ Parameters: Database backup path Directory System Agent (DSA) database file DSA working directory
The registry entry that Ntdsutil.exe updates when you move the log files is as follows: In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\ Parameters: Database log files path
355
Database file only: The size of the database file, plus 20 percent of the Ntds.dit file or 500 megabytes (MB), whichever is greater. Log files only: The size of the combined log files, plus 20 percent of the combined logs or 500 MB, whichever is greater. Database and logs. If the database and log files are stored on the same partition, free space should be at least 20 percent of the combined Ntds.dit and log files, or 1 gigabyte (GB), whichever is greater. Important The preceding levels are minimum recommended levels. Therefore, adding additional space according to anticipated growth is recommended. Task requirements The following tools are required to perform the procedures for this task: net use, net stop, net start dir xcopy Ntdsutil.exe Windows Server Backup Windows Explorer
Note If you replace or reconfigure a drive that stores the SYSVOL folder, you must first move the SYSVOL folder manually. For information about moving SYSVOL manually, see Relocating SYSVOL Manually. To complete this task, perform the following procedures: Note The domain controller will not be available during the time in which files are being moved and until the move is verified. Ensure that alternate domain controllers are available during the file relocation to handle the capacity. 1. Determine the size and location of the Active Directory database by using one of the following procedures: Determine the Database Size and Location Online Determine the Database Size and Location Offline
2. Compare the Size of the Directory Database Files to the Volume Size 3. Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin) (http://go.microsoft.com/fwlink/?LinkId=118357) System state includes the database file and log files as well as SYSVOL and Net Logon shared folders, among other things. Always ensure that you have a current system state or criticalvolume backup before you move database files.
356
4. Move or copy the directory database and log files by performing one of the following procedures: Move the Directory Database and Log Files to a Local Drive Copy the Directory Database and Log Files to a Remote Share
The shared folder on a remote drive must have enough free space to hold the database file (Ntds.dit) and log files. Create separate subdirectories for copying the database file and the log files. 5. Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin) (http://go.microsoft.com/fwlink/?LinkId=118357)
2. Change directories to the directory that contains the files that you want to manage. 3. At the command prompt, type dir, and then press ENTER to examine the database size. In the following example command output, the Ntds.dit file and the log files are stored in the same directory. In the example, the files take up 58,761,256 bytes of disk space. This output is representative of a directory database to which few objects have been added. C:\Windows\NTDS>dir Volume in drive C has no label. Volume Serial Number is 003D-0E9E Directory of C:\Windows\NTDS 01/29/2008 11:04 AM 01/29/2008 11:04 AM 01/29/2008 10:29 AM 01/29/2008 10:29 AM 01/29/2008 10:29 AM 01/29/2008 10:29 AM 01/29/2008 10:29 AM 01/29/2008 10:29 AM 01/28/2008 02:54 PM 7 File(s) 2 Dir(s) <DIR> <DIR> . ..
8,192 edb.chk 10,485,760 edb.log 10,485,760 edb00001.log 10,485,760 edbres00001.jrs 10,485,760 edbres00002.jrs 14,696,488 ntds.dit 2,113,536 temp.edb
See Also
Determine the Database Size and Location Offline
358
Important Be sure to use the same method to check file sizes when you compare them. The size is reported differently, depending on whether the domain controller is online or offline. For information about determining database size online, see Determine the Database Size and Location Online. If you have set garbage collection logging to report free disk space, Event ID 1646 in the Directory Service log also reports the size of the database file: Total allocated hard disk space (megabytes): As an alternative, you can determine the size of the database file by listing the contents of the directory that contains the files. Membership in Builtin Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To determine the database size and location offline 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER:
net stop ntds
Type Y to agree to stop additional services, and then press ENTER. 3. At the command prompt, type ntdsutil, and then press ENTER. 4. At the ntdsutil prompt, type activate
instance ntds,
5. At the ntdsutil prompt, type files, and then press ENTER. 6. At the file maintenance prompt, type info, and then press ENTER. Make a note of the file sizes that appear. 7. At the file maintenance prompt, type quit, and then press ENTER. Type quit, and then press ENTER again to quit Ntdsutil.exe. 8. At the command prompt, type the following command, and then press ENTER:
net start ntds
See Also
Determine the Database Size and Location Online
Compare the Size of the Directory Database Files to the Volume Size
Before you move any Active Directory database files in response to low disk space, verify that no other files on the volume are responsible for the condition of low disk space. 359
You might have to relocate the database file, the log files, or both, if disk space on the volume on which they are stored becomes low. Before you move the database file or log files, examine the size of the database folder, logs folder, or bothif they are stored in the same locationcompared to the size of the volume to verify that these files are the cause of low disk space. Include the size of the SYSVOL folder if it is on the same partition. You can use this procedure to compare the size of the directory database files to the size of the volume. If Active Directory Domain Services (AD DS) is started when you are comparing the size of the directory database files and volume, membership in Domain Admins is the minimum required to complete this procedure. If AD DS is stopped, membership in Builtin Administrators is the minimum required to complete this procedure. If the domain controller is restarted in Directory Services Restore Mode (DSRM), the DSRM administrator password is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To compare the size of the directory database files to the volume size 1. On the Start menu, click Computer. 2. In the Folders list, click Computer. 3. In the details pane, locate the volume that has low disk space. Make a note of the value in the Total Size column for that volume. 4. Navigate to the folder that stores the database file, the log files, or both. 5. Right-click the folder, and then click Properties. Make a note of the value in Size on disk. 6. If the volume includes SYSVOL, navigate to that folder and repeat step 5. 7. Compare the values of Total Size (volume) and Size on disk (database files plus SYSVOL if SYSVOL is on the same volume). If the combined size of the relevant database files and SYSVOL files (if appropriate) is significantly smaller than the volume size, check the contents of the volume for other files. 8. If other files are present, move those files and then reassess the disk space on the volume.
Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin)
You can use this procedure to back up system state on a domain controller. Membership in Builtin Administrators or Backup Operators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and
360
group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. In addition, you must have write access to the target backup location. To perform a system state backup of a domain controller 1. Click Start, click Command Prompt, and then click Run as administrator. 2. If you are prompted, in the User Account Control dialog box, provide Backup Operator credentials, and then click OK. 3. At the command prompt, type the following command, and then press ENTER:
wbadmin start systemstatebackup -backuptarget:<targetDrive>: -quiet
Where <targetDrive> identifies the local volume or the letter of the physical disk drive to receive the backup. You cannot store a system state backup on a network shared drive. If you do not specify the -quiet parameter, you are prompted to press Y to proceed with the backup operation.
Additional considerations
Be aware of the following issues when you perform a system state backup: To use Wbadmin.exe, you must install Windows Server Backup. For more information about installing Windows Server Backup, see Installing Windows Server Backup (http://go.microsoft.com/fwlink/?LinkID=96495). The target volume for a system state backup can be a local drive, but it cannot be any of the volumes that are included in the backup by default. To store the system state backup on a volume that is included in the backup, you must add the AllowSSBToAnyVolume registry entry to the server that you are backing up. There are also some prerequisites for storing system state backup on a volume that is included in the backup. For more information, see Known Issues for AD DS Backup and Recovery (http://go.microsoft.com/fwlink/? LinkID=117940).
361
If you do not have space on the local domain controller to move the files temporarily, you can copy files to a remote share. For information about copying files to a remote share, see Copy the Directory Database and Log Files to a Remote Share. On a domain controller that is running Windows Server 2008, you do not have to restart the domain controller in Directory Services Restore Mode (DSRM) to move database files. You can stop the Active Directory Domain Services (AD DS) service and then restart the service after you move the files to their permanent location. For information about restartable AD DS, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide on the Microsoft Web site at (http://go.microsoft.com/fwlink/?LinkId=88649). Membership in Builtin Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To move the directory database and log files to a local drive 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER:
net stop ntds
Type Y to agree to stop additional services, and then press ENTER. 3. At the command prompt, change directories to the current location of the directory database file (Ntds.dit) or the log files, whichever you are moving. 4. Run the dir command, and make a note of the current size and location of the Ntds.dit file. 5. At the command prompt, type ntdsutil, and then press ENTER. 6. At the ntdsutil prompt, type activate 8. To move the database file, at the file commands:
instance ntds,
To move the Ntds.dit file, type the following command, and then press ENTER: To move the log files, type the following command, and then press ENTER:
move db to<drive>:\<directory>
where <drive>:\<directory> specifies the path to the new location. If the directory does not exist, Ntdsutil.exe creates it. Note If the directory path contains any spaces, the entire path must be surrounded by quotation marks, for example, move db to"g:\new folder". 9. After the move completes, at the file
maintenance:
ENTER. Type quit again, and then press ENTER to quit Ntdsutil.exe. 10. Change to the destination directory, and then run the dir command to confirm the presence of the files. If you have moved the database file, check the size of the Ntds.dit file against the file size that you noted in step 4 to be sure that you are focused on the correct file. 11. If you are moving the database file or log files permanently, go to step 12. If you are moving the database file or log files temporarily, you can now perform any required updates to the original drive. After you update the drive, repeat steps 3 through 9 to move the files back to the original location. If the path to the database file or log files has not changed, go to step 13. 12. If the path to the database file or log files has changed from the original location, check permissions on the database folder or logs folder, as follows: a. In Windows Explorer, right-click the folder to which you have moved the database file or log files, and then click Properties. b. Click the Security tab, and then click Advanced. Verify that the permissions are as follows: Administrators group has Allow Full Control. SYSTEM has Allow Full Control. The Include inheritable permissions from this objects parent check box is cleared. No Deny permissions are selected. c. If the permissions in step 12b are in effect, go to step 13. If permissions other than the permissions described in step 12b are in effect, perform steps 12d through 12k. d. If Include inheritable permissions from this objects parent is selected, click Edit, click to clear the setting, and then click OK. When you are prompted, click Copy to copy previously inherited permissions to this object. e. If Administrators or SYSTEM, or both, are not in the Name list, click OK, click Edit, and then click Add. f. In From this location, be sure that the name of the domain is selected. g. In Enter the object names to select, type System, if necessary, and then click OK. Repeat to add Administrators, if necessary, and then click OK. h. On the Security tab, click System, and then, in the Allow column, click Full Control. Repeat for Administrators. i. In the Group or user names box, click any name that is not SYSTEM or Administrators, and then click Remove. Repeat until the only remaining accounts are Administrators and SYSTEM, and then click OK. Note Some accounts might appear in the form of security identifiers (SIDs). Remove any such accounts. 363
j.
13. At the command prompt, type ntdsutil, and then press ENTER. 14. At the ntdsutil prompt, type activate 16. At the file
maintenance:
15. At the ntdsutil prompt, type files, and then press ENTER. prompt, type integrity, and then press ENTER. If the integrity check fails, see If the Database Integrity Check Fails, Perform Semantic Database Analysis with Fixup. 17. If the integrity check succeeds, type quit, and then press ENTER to quit the file maintenance prompt. Type quit again, and then press ENTER to quit Ntdsutil.exe. 18. At the command prompt, type the following command, and then press ENTER:
net start ntds
19. Open Event Viewer, and check the Directory Service log for errors. 20. If the following events are logged in the Directory Service log in Event Viewer when you restart AD DS, stop AD DS, and then resolve the event issues as follows: Event ID 1046. The Active Directory database engine caused an exception with the following parameters. In this case, AD DS cannot recover from this error and you must restore AD DS from backup. Event ID 1168. Internal error: An Active Directory error has occurred. In this case, information is missing from the registry and you must restore AD DS from backup.
See Also
If the Database Integrity Check Fails, Perform Semantic Database Analysis with Fixup Copy the Directory Database and Log Files to a Remote Share Recovering Active Directory Domain Services
364
Important When you relocate any database files (the database file or the log files) off the local computer, always copy both the database file and the log files so that all the files that are necessary to restore the directory service are maintained. If you have enough space locally on the domain controller and you do not want to copy database files to a remote share, you can use Ntdsutil to move the files to a local folder. For information about moving the database files, see Move the Directory Database and Log Files to a Local Drive. On a domain controller that is running Windows Server 2008, you do not have to restart the domain controller in Directory Services Restore Mode (DSRM) to copy database files. You can stop the Active Directory Domain Services (AD DS) service and then restart the service after you copy the files to their permanent location. For information about restartable AD DS, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/? LinkId=88649). Membership in Builtin Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To copy the directory database and log files to a remote share and back to the local computer 1. Before you stop AD DS, prepare a shared directory on a remote server in the domain. Create separate subdirectories for the database files and log files. Allow access only to the Builtin Administrators group. 2. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue. 3. At the command prompt, type the following command, and then press ENTER:
net stop ntds
Type Y to agree to stop additional services, and then press ENTER. 4. At the command prompt, change directories to the current location of the database file (Ntds.dit) or the log files. If the database file and log files are in different locations, perform step 4 for each directory. 5. Run the dir command, and make a note of the current size and location of the Ntds.dit file and the log files. 6. Establish a network connection to the shared folder. After you type the following command and press ENTER, you are prompted for the password for the specified account. Type the password, and then press ENTER.
net use <NetworkDrive>: \\<ServerName>\<SharedFolderName> /user:<domainName>\<userName> *
365
Value
Description
Specifies the drive letter to use for connecting to the shared folder. The universal naming convention (UNC) name of the shared folder location, specifying the server that stores the shared folder and the name of the shared folder, separated by a backslash. Specifies the domain name and user name, separated by a backslash, for a user who has permissions to perform operations in AD DS. Provides a Type the password for \\<ServerName>\<SharedFolderName>: prompt when you press ENTER.
/user:<domainName>\<userName>
For example, if you shared the \TempCopy directory on the server named SERVER1, the following command maps network drive G: to the shared location and provides the domain and user name for user tonip5:
net use G: \\server1\tempcopy /user:contoso\tonip5 *
7. Use the xcopy command to copy the database files to the location that you established in step 6. Type the following command, and then press ENTER:
xcopy \<PathToDatabaseFiles> <NetworkDrive>:\<DatabaseSubdirectory>
This command copies the contents of the local folder for the database to the named subfolder in the remote shared folder. For example, the following command copies the database files from their location on the domain controller to the DB subdirectory on the mapped drive G:
xcopy \windows\ntds G:\DB
8. Repeat step 7 to copy the log files. For example, the following command copies the log files to the Logs subdirectory on the mapped drive G:
xcopy \windows\ntds\*.log G:\Logs
9. Change drives to the remote directory and run the dir command in each subdirectory to compare the file sizes to the file sizes that are listed in step 5. Use this step to ensure that you copy the correct set of files back to the local computer. 10. At this point, you can safely destroy data on the original local drive. 11. After the destination drive is prepared, re-establish a connection to the network drive as described in step 6, if necessary. 12. Use the method in step 7 to copy the database and log files from the remote shared folder back to the original location on the domain controller. 366
13. At the command prompt, type ntdsutil, and then press ENTER. 14. At the ntdsutil prompt, type activate 16. At the file
maintenance: instance ntds,
15. At the ntdsutil prompt, type files, and then press ENTER. prompt, type integrity, and then press ENTER. If the integrity check fails, see If the Database Integrity Check Fails, Perform Semantic Database Analysis with Fixup. 17. If the integrity check succeeds, type quit, and then press ENTER to quit the file maintenance: prompt. Type quit again, and then press ENTER to quit Ntdsutil.exe. 18. At the command prompt, type the following command, and then press ENTER:
net start ntds
19. Open Event Viewer, and check the Directory Service log for errors. 20. If the following events are logged in the Directory Service log in Event Viewer when AD DS restarts, resolve the events as follows: Event ID 1046. The Active Directory database engine caused an exception with the following parameters. In this case, AD DS cannot recover from this error and you must restore AD DS from backup. Event ID 1168. Internal error: An Active Directory error has occurred. In this case, information is missing from the registry and you must restore AD DS from backup.
See Also
If the Database Integrity Check Fails, Perform Semantic Database Analysis with Fixup Move the Directory Database and Log Files to a Local Drive Recovering Active Directory Domain Services
Returning Unused Disk Space from the Active Directory Database to the File System
During ordinary operation, the free disk space in the Active Directory database file becomes fragmented. Each time garbage collection runs (every 12 hours, by default), free disk space is automatically defragmented online to optimize its use within the database file. The unused disk space is maintained for the database; it is not returned to the file system. Only offline defragmentation can return unused disk space from the directory database to the file system. When database contents have decreased considerably through a bulk deletion (for example, when you remove the global catalog from a domain controller), or if the size of the database backup is significantly increased as a result of the amount of free disk space, use offline defragmentation to reduce the size of the Ntds.dit file. 367
You can determine how much free disk space is recoverable from the Ntds.dit file by setting the garbage collection logging level in the registry. Changing the garbage collection logging level from the default value of 0 to a value of 1 results in event ID 1646 being logged in the directory service log. This event describes the total amount of disk space that the database file uses as well as the amount of free disk space that is recoverable from the Ntds.dit file through offline defragmentation. At garbage collection logging level 0, only critical events and error events are logged in the Directory Service log. These events include Event IDs 700 and 701, which report when online defragmentation begins and ends, respectively. At level 1, higher-level events are logged as well. At level 1, Event ID 1646 is also reported, which indicates the amount of free space that is available in the database relative to the amount of allocated space. Caution Setting the value of entries in the Diagnostics subkey to greater than 3 can degrade server performance and is not recommended. On domain controllers that are running Windows Server 2008, offline defragmentation does not require restarting the domain controller in Directory Services Restore Mode (DSRM), as is required on domain controllers that are running versions of Windows Server 2000 and Windows Server 2003. You can use a new feature in Windows Server 2008, restartable Active Directory Domain Services (AD DS), to stop the AD DS service. When the service is stopped, services that depend on AD DS shut down automatically. However, any other services that are running on the domain controller, such as Dynamic Host Configuration Protocol (DHCP), continue to run and respond to clients. For more information about restartable AD DS, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/? LinkId=88649). After offline defragmentation completes, perform a database integrity check. The integrity command in Ntdsutil.exe detects binary-level database corruption by reading every byte in the database file. This process ensures that the correct headers exist in the database itself and that all of the tables are functioning and consistent. Therefore, depending on the size of your Ntds.dit file and the domain controller hardware, the process might take considerable time. In testing environments, the speed of 2 gigabytes (GB) per hour is considered to be typical. When you run the command, an online graph displays the percentage completed. If the database integrity check fails, you must perform semantic database analysis. Task requirements The following tools are required to perform the procedures for this task: Regedit.exe Windows Server Backup Ntdsutil.exe
To complete this task, perform the following procedures: 1. Change the Garbage Collection Logging Level to 1 2. Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin) (http://go.microsoft.com/fwlink/?LinkId=118357) 3. Compact the Directory DatabaseFfile (Offline Defragmentation) 368
As part of the offline defragmentation procedure, check directory database integrity. 4. If the Database Integrity Check Fails, Perform Semantic Database Analysis with Fixup
See Also
Compact the Directory DatabaseFfile (Offline Defragmentation)
369
Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin)
You can use this procedure to back up system state on a domain controller. Membership in Builtin Administrators or Backup Operators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. In addition, you must have write access to the target backup location. To perform a system state backup of a domain controller 1. Click Start, click Command Prompt, and then click Run as administrator. 2. If you are prompted, in the User Account Control dialog box, provide Backup Operator credentials, and then click OK. 3. At the command prompt, type the following command, and then press ENTER:
wbadmin start systemstatebackup -backuptarget:<targetDrive>: -quiet
Where <targetDrive> identifies the local volume or the letter of the physical disk drive to receive the backup. You cannot store a system state backup on a network shared drive. If you do not specify the -quiet parameter, you are prompted to press Y to proceed with the backup operation.
Additional considerations
Be aware of the following issues when you perform a system state backup: To use Wbadmin.exe, you must install Windows Server Backup. For more information about installing Windows Server Backup, see Installing Windows Server Backup (http://go.microsoft.com/fwlink/?LinkID=96495). The target volume for a system state backup can be a local drive, but it cannot be any of the volumes that are included in the backup by default. To store the system state backup on a volume that is included in the backup, you must add the AllowSSBToAnyVolume registry entry to the server that you are backing up. There are also some prerequisites for storing system state backup on a volume that is included in the backup. For more information, see Known Issues for AD DS Backup and Recovery (http://go.microsoft.com/fwlink/? LinkID=117940).
370
371
To perform offline defragmentation of the directory database 1. Compact the database file to a local directory or remote shared folder, as follows: Local directory: Go to step 2. Remote directory: If you are compacting the database file to a shared folder on a remote computer, before you stop AD DS, prepare a shared directory on a remote server in the domain. For example, create the share \\ServerName\NTDS. Allow access to only the Builtin Administrators group. On the domain controller, map a network drive to this shared folder. Important You should make a copy of the existing Ntds.dit file if at all possible, even if you have to store that copy on a network drive. If the compaction of the database does not work properly, you can then easily restore the database by copying back the copy of the Ntds.dit file that you made. Do not delete this copy of the Ntds.dit file until you have verified that the domain controller starts properly. 2. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue. 3. At the command prompt, type the following command, and then press ENTER:
net stop ntds
Type Y to agree to stop additional services, and then press ENTER. 4. At the command prompt, type ntdsutil, and then press ENTER. 5. At the ntdsutil prompt, type activate
instance ntds,
6. At the ntdsutil prompt, type files, and then press ENTER. 7. If you are compacting the database to a local drive, at the file maintenance: prompt, type compact to <drive>:\ <LocalDirectoryPath> (where <drive>:\ <LocalDirectoryPath> is the path to a location on the local computer), and then press ENTER. If you mapped a drive to a shared folder on a remote computer, type the drive letter only, for example, compact to K:\. Note When you compact the database to a local drive, you must provide a path. If the path contains any spaces, enclose the entire path in quotation marks (for example, compact to "c:\new folder"). If the directory does not exist, Ntdsutil.exe creates the directory and then creates the file named Ntds.dit in that location. 8. If defragmentation completes successfully, type quit, and then press ENTER to quit the file maintenance: prompt. Type quit again, and then press ENTER to quit Ntdsutil.exe. Go to step 9. If defragmentation completes with errors, go to step 12. Caution 372
Do not overwrite the original Ntds.dit file or delete any log files. 9. If defragmentation succeeds with no errors, follow the Ntdsutil.exe onscreen instructions to: a. To delete all the log files in the log directory, type the following command, and then press ENTER:
del <drive>:\<pathToLogFiles>\*.log
Ntdsutil provides the correct path to the log files in the onscreen instructions. Note You do not have to delete the Edb.chk file. b. You should make a copy of the existing Ntds.dit file if at all possible, even if you have to store that copy on a secured network drive. If the compaction of the database does not work properly, you can then easily restore the database by copying it back to the original location. Do not delete the copy of the Ntds.dit file until you have at least verified that the domain controller starts properly. If space allows, you can rename the original Ntds.dit file to preserve it. Avoid overwriting the original Ntds.dit file. c. Manually copy the compacted database file to the original location, as follows:
Ntdsutil provides the correct paths to the temporary and original locations of the Ntds.dit file. 10. At the command prompt, type ntdsutil, and then press ENTER. 11. At the ntdsutil: prompt, type files, and then press ENTER. 12. At the file
maintenance:
If the integrity check fails, the likely cause is that an error occurred during the copy operation in step 9.c. Repeat steps 9.c through step 12. If the integrity check fails again: Or Copy the original version of the Ntds.dit file that you preserved in step 9.b. to the original database location, and repeat the offline defragmentation procedure. 13. If the integrity check succeeds, proceed as follows: If the initial compact through 12.
to
If the initial compact to command succeeded, type quit and press ENTER to quit the file maintenance: prompt, and then type quit and press ENTER again to quit Ntdsutil.exe. 14. Restart AD DS. At the command prompt, type the following command, and then press ENTER:
net start ntds
1. Stop AD DS. At the command prompt, type the following command, and then press ENTER:
net stop ntds
Type Y to agree to stop additional services, and then press ENTER. 2. Check the errors in Event Viewer. If the following events are logged in the Directory Service log in Event Viewer when you restart AD DS, respond to the events as follows: Event ID 1046. The Active Directory database engine caused an exception with the following parameters. In this case, AD DS cannot recover from this error and you must restore from backup media. Event ID 1168. Internal error: An Active Directory error has occurred. In this case, information is missing from the registry and you must restore from backup media. 3. Check database integrity, and then proceed as follows: If the integrity check fails, try repeating step 9.c through step 12 above, and then repeat the integrity check. If the integrity check fails again: Or Copy the original version of the Ntds.dit file that you preserved in step 9.b. to the original database location and repeat the offline defragmentation procedure. If the integrity check succeeds, follow the steps in the procedure If the Database Integrity Check Fails, Perform Semantic Database Analysis with Fixup. 4. If semantic database analysis with fixup succeeds, quit Ntdsutil.exe, and then restart AD DS. At the command prompt, type the following command, and then press ENTER:
net start ntds
If semantic database analysis with fixup fails, contact Microsoft Customer Service and Support.
See Also
If the Database Integrity Check Fails, Perform Semantic Database Analysis with Fixup
If the Database Integrity Check Fails, Perform Semantic Database Analysis with Fixup
When you move or compact the Active Directory database, if the integrity check fails, you must run a subsequent database test called semantic database analysis. When you run semantic database analysis with the Go Fixup command instead of the Go command, errors are written into Dsdit.dmp.xx log files. A progress indicator reports the status of the check. You can use this procedure to perform semantic database analysis with fixup.
374
Note To perform this procedure, Active Directory Domain Services (AD DS) must be offline. On domain controllers that are running Windows Server 2008, you can take AD DS offline by stopping the service. Otherwise, the domain controller must be started in Directory Services Restore Mode (DSRM). For information about stopping the AD DS service on domain controllers that are running Windows Server 2008, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=88649). For information about performing this procedure in DSRM, see If database integrity check fails, perform semantic database analysis with fixup on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=121568). Membership in Builtin Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To perform semantic database analysis with fixup 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER:
net stop ntds
Type Y to agree to stop additional services, and then press ENTER. 3. At the command prompt, type ntdsutil, and then press ENTER. 4. At the ntdsutil: prompt, type activate 5. At the ntdsutil: prompt, type semantic 6. At the semantic 7. At the semantic
checker: checker: instance ntds,
fixup,
If errors are reported during the semantic database analysis Go Fixup phase, perform directory database recovery: Go to the file maintenance: prompt, type recover, and then press ENTER. If semantic database analysis with fixup succeeds, at the semantic prompt, type quit, and then type quit again to close Ntdsutil.exe.
net start ntds checker
8. At the command prompt, type the following command, and then press ENTER:
Additional references
Step-by-Step Guide for Windows Server 2008 Active Directory Domain Services Installation and Removal (http://go.microsoft.com/fwlink/?LinkId=86727)
376
precautions should be maintained, the stringent security measures that apply to protecting a writable domain controller are lessened. In addition, elevated administrative credentials are not required to install and manage the RODC. The information in this guide is specific to managing writable domain controllers. For information about managing RODCs, see Planning and Deploying Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=120840). When you are creating a new branch site, a local domain controller is not available to be the source for Active Directory replication. If the wide area network (WAN) connection with the closest hub site is slow or unreliable, replicating AD DS can be time consuming and might fail if the connection is lost. When you deploy the first domain controller in a branch site, if you want to avoid replicating AD DS, you have the following options: Install the domain controller in the hub site, and then ship the installed domain controller to the site. Ship the server computer to the branch site, and then install AD DS in the branch site. When you install the domain controller in the branch site, the server can receive AD DS in one of two ways: By Active Directory replication over a WAN link Directly from locally available installation media
for branch office sites. For information about using IFM to install RODCs, see Planning and Deploying Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=120840).
SYSVOL from installation media requires additional procedures. For information about the process for configuring the server to obtain SYSVOL from installation media, see article 311078 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=70809). Run the Active Directory Domain Services Installation Wizard, and use an answer file to provide the information that the Active Directory Domain Services Installation Wizard requires. You can create an answer file by using the Export feature in the Active Directory Domain Services Installation Wizard during domain controller installation. Verify installation. Perform tests to verify that AD DS is properly installed and the domain controller is functioning. Add domain controllers to remote sites. When you prepare and ship an additional domain controller to a remote site, you can either install the domain controller before shipping or install the domain controller in the remote site. This process is different if you are installing an RODC. For information about installing RODCs in remote sites, see the Step-by-Step Guide for Readonly Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728). When you install a domain controller in a hub site or staging site before shipment, you must disconnect the domain controller for a period, which requires careful preparation. When you reconnect the domain controller, Active Directory replication brings the domain controller up to date. When you install the domain controller in the remote site, you can use installation media that is prepared from an existing domain controller to avoid having to replicate AD DS over a wide area network (WAN) link. Rename a domain controller. You may have to rename a domain controller for organizational or administrative reasons. Remove AD DS from (decommission) a properly functioning domain controller. This task includes first transferring operations master roles (also known as flexible single-master operation (FSMO) roles) and the global catalog, if necessary. Force the removal of a nonfunctioning domain controller from a domain. If a domain controller is not functioning properly on the network, the Active Directory Domain Services Installation Wizard cannot contact other domain controllers and DNS servers that are required for Active Directory removal. In this case, you can invoke a special version of the wizard to forcefully remove objects from AD DS that represent the server as a domain controller. This section includes the following tasks for managing domain controllers: Installing Remote Server Administration Tools for AD DS Managing Antivirus Software on Active Directory Domain Controllers Preparing for Active Directory Installation Installing a Domain Controller in an Existing Domain Verifying Active Directory Installation Adding Domain Controllers in Remote Sites Renaming a Domain Controller Decommissioning a Domain Controller 380
Installing Active Directory Domain Services Tools on a member server that is running Windows Server 2008
You can use the following procedure to add the Active Directory Domain Services Tools component of RSAT to a member server. Membership in Builtin Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To install Active Directory Domain Services Tools on a member server 1. On the Start menu, click Server Manager. 2. Under Features Summary, click Add Features. 3. Double-click Remote Server Administration Tools, double-click Role Administration Tools, double-click Active Directory Domain Services Tools, and then click Next. 4. Click Install. 5. Click the message that indicates you must restart the server, and then click Yes to restart the server or click No to restart the server later. 6. After the server restarts, on the Installation Results page of the Resume Configuration Wizard, click Close. The Active Directory Domain Services Administration Tools are available on the Administrative Tools menu.
381
Installing Active Directory Domain Services Tools on a computer that is running Windows Vista with SP1
For information about adding the Active Directory Domain Services Tools component of RSAT to a client computer that is running Windows Vista with SP1, and to download the tools, see Microsoft Remote Server Administration Tools for Windows Vista (KB941314) (http://go.microsoft.com/fwlink/?LinkId=95703). On the download page, under Quick Details, click KB941314. Use the information and the links in the article to download the tools and select the tools that you want to install on the Windows Vista workstation.
382
The following recommendations are general and should not be construed as more important than the specific recommendations of your antivirus software vendor. These guidelines must be followed for correct Active Directory file replication operation: Antivirus software must be installed on all domain controllers in the enterprise. Ideally, such software should also be installed on all other server and client computers that have to interact with the domain controllers. Catching the virus at the earliest pointat the firewall or at the client computer on which the virus is first introducedis the best way to prevent the virus from ever reaching the infrastructure systems on which all client computers depend. Use a version of antivirus software that is confirmed to work with AD DS and that uses the correct application programming interfaces (APIs) for accessing files on the server. Some versions of antivirus software inappropriately modify file metadata as it is scanned, causing the FRS replication engine to perceive a file as having changed and to schedule it for replication. Some newer versions of antivirus software prevent this problem. For more information about antivirus software versions and FRS, see article 815263 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=120540) and see the vendor-specific sites for compliant versions. Verify antivirus compatibility with DFS Replication, as described in Testing Antivirus Application Interoperability with DFS Replication (http://go.microsoft.com/fwlink/?LinkId=122787). Note If you are using ForeFront Client Security, see article 956123 in the Microsoft Knowledge Base for a hotfix (http://go.microsoft.com/fwlink/?LinkId=131409). Prevent the use of domain controller systems as general workstations. Users should not use a domain controller to surf the Web or to perform any other activities that can allow the introduction of malicious code. Allow browsing of known safe sites only for the purpose of supporting server operation and maintenance. When possible, do not use a domain controller as a file sharing server. Virus scanning software must be run against all files in the shared folders, and it can place a large resource 383
load on the processor and memory resources of the server. For the same reason, the SYSVOL and Netlogon shares that are automatically created on domain controllers should not be used to distribute software or for to store data.
HKLM\System\Services\NTDS\Parameters\Database Log Files Path The default location is %systemroot%\ntds. Files to exclude: EDB*.log (Notice the wildcard symbol; there can be several log files.) Edbres00001.jrs Edbres00001.jrs
SYSVOL files to exclude The list in the following table shows the default locations of files and folders to be excluded or scanned for the SYSVOL directory and subdirectories when you use FRS to replicate SYSVOL.
384
Folder or File
Scan or Exclude
%systemroot%\SYSVOL %systemroot%\SYSVOL\domain %systemroot%\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory %systemroot%\SYSVOL\domain\policies %systemroot%\SYSVOL\domain\scripts %systemroot%\SYSVOL\staging %systemroot%\SYSVOL\staging areas %systemroot%\SYSVOL\sysvol FRS and related files to exclude The FRS working directory that is specified in:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory Files to exclude: <FRS working directory>\jet\sys\edb.chk <FRS working directory>\jet\ntfrs.jdb <FRS Working Directory>\jet\log\*.log
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\DB Log File Directory The default location is %systemroot%\ntds. Files to exclude: <FRS working directory>\jet\log\*.log (if the registry entry is not set) <Database log file directory>\log\*.log (if the registry entry is set)
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Root The staging directory in: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage The FRS Preinstall directory at: <Replica_root>\DO_NOT_REMOVE_NtFrs_PreInstall_Directory. The Preinstall directory is always open when FRS is running. DFS Replication and related files to exclude 385
System Volume Information\DFSR folders and their contents (includes DFSR.DB). This system-protected directory contains working files for the DFS Replication service. It should not be scanned because these files are always in use by the service. <Replicated folder path>\dfsrprivate folders and their contents
DNS configuration
The DNS Client service is always present on a server running Windows Server 2008. A DNS server must be present in an Active Directory forest, and the DNS server must store DNS data for the server computer that you are installing. You should configure both the DNS client and the DNS server to ensure that name resolution and related dependencies will function as expected during the installation of AD DS. For ease of administration, install the DNS Server service when you install AD DS. When you use the Active Directory Domain Services Installation Wizard to install the DNS Server service, DNS zones, zone delegations, root hints or forwarders, and DNS client settings are configured automatically. Ensure that any required configuration, forwarders, or zones are present and accessible before installation. For more information about DNS configuration in preparation for domain controller installation, see Integrating AD DS into an Existing DNS Infrastructure (http://go.microsoft.com/fwlink/?LinkId=120585).
Site placement
During Active Directory installation, the Active Directory Domain Services Installation Wizard attempts to place the new domain controller in the appropriate site. You can select a source replication partner, the site for the new domain controller, or both when you use the wizard to install AD DS. The appropriate site is determined by the domain controllers IP address and subnet mask. 386
The wizard uses the IP information to calculate the subnet address of the domain controller. The wizard then checks to see if a subnet object exists in the directory for that subnet address. If the subnet object exists, the wizard uses it to place the new server object in the appropriate site. If the subnet object does not exist, if you do not specify a site, the wizard places the new server object in the same site as the domain controller that is being used as a source to replicate the directory database to the new domain controller. Make sure that the subnet object has been created and that it is associated with the target site before you run the wizard. For information about creating a subnet and associating it with a site, see Create a Subnet Object or Objects and Associate them with a Site.
Domain connectivity
During the installation process, the Active Directory Domain Services Installation Wizard must communicate with other domain controllers to join the new domain controller to the domain. The wizard must communicate with a member of the domain to receive the initial copy of the directory database for the new domain controller. The wizard communicates with the domain controller that holds the domain naming operations master (also known as flexible single master operations or FSMO) role for domain installations only, so that the new domain controller can be added to the domain. The wizard must also contact the relative ID (RID) operations master so that the new domain controller can receive its RID pool, and the wizard must communicate with another domain controller in the domain to populate the SYSVOL shared folder on the new domain controller. All of this communication depends on proper DNS installation and configuration. By using Dcdiag.exe, you can test all of these connections before you start the Active Directory Domain Services Installation Wizard. Task requirements During the installation process, the wizard must communicate with other domain controllers to add this new domain controller to the domain and get the appropriate information into the Active Directory database. To maintain security, you must provide credentials that allow administrative access to the directory. Before you begin your installation, the following conditions must exist in your environment: Your Active Directory forest root domain must already exist. If you are installing a new domain controller in a child domain, there should be at least two properly functioning domain controllers in the forest root domain. DNS must be functioning properly. In this guide, it is assumed that you are using Active Directoryintegrated DNS zones. You must have configured at least one domain controller as a DNS server. Creating or removing a domain or forest is beyond the scope of this guide. The following information and tools are necessary to complete this task: The Active Directory Domain Services Installation Wizard asks for the following specific configuration information before it begins installing AD DS: A domain administrators user name and password A location to store the directory database and log files 387
A location to store SYSVOL The password to use for Directory Services Restore Mode (DSRM)
The fully qualified DNS name of the domain to which the new domain controller will be added Dcdiag.exe Network Connections Active Directory Sites and Services
To complete this task, perform the following procedures: 1. Verify DNS Infrastructure and Registrations 2. Verify That an IP Address Maps to a Subnet and Determine the Site Association 3. Verify the Availability of the Operations Masters Caution If any verification test fails, do not continue until you determine what went wrong and you fix the problems. If one or more of these tests fail, the installation of AD DS is also likely to fail.
Features to install the Active Directory Domain Services Administration Tools, see Installing Remote Server Administration Tools for AD DS. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To verify the DNS infrastructure and registrations 1. If you do not want to install AD DS at this time but you want to perform DNS verification tests, install the Active Directory Domain Services Administrative Tools, as described in Installing Remote Server Administration Tools for AD DS, and then go to step 9. 2. If you want to install Dcdiag.exe during the installation of AD DS and run the DNS test before you run Dcpromo.exe, click Start, and then click Server Manager. 3. In Roles Summary, click Add Roles. 4. Review the information on the Before You Begin page, and then click Next. 5. On the Select Server Roles page, click Active Directory Domain Services, and then click Next. 6. Review the information on the Active Directory Domain Services page, and then click Next. 7. On the Confirm Installation Selections page, click Install. 8. On the Installation Results page, do not click Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe). First, perform steps 9 and 10. When you have completed the Dcpromo test successfully, return to the Installation Results page and continue with the installation of the Active Directory Domain Services server role. 9. Open a Command Prompt window as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 10. At the command prompt, type the following command, and then press ENTER:
dcdiag /test:dcpromo /DnsDomain:<DNSDomainName> /ReplicaDC
where <DNSDomainName> is the DNS name of the domain, in the form <DomainName.ForestName>, in which you want to add a domain controller. 11. If the server does not pass the Dcpromo test, fix the reported problems before you continue with the installation of AD DS.
389
Verify That an IP Address Maps to a Subnet and Determine the Site Association
You can use this procedure to determine the site to which you want to add a server object before you install Active Directory Domain Services (AD DS). You can also use this procedure to verify the site after you install AD DS or before you move a server object. To be associated with a site, the IP address of a domain controller must map to a subnet object that is defined in AD DS. The site to which the subnet is associated is the site of the domain controller. The subnet address, which is computed from the IP network address and the subnet mask, is the name of a subnet object in AD DS. When you know the subnet address, you can locate the subnet object and determine the site to which the subnet is associated. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To verify that an IP address maps to a subnet and to determine the site association 1. Log on locally or open a Remote Desktop connection to the server for which you want to check the IP address. 2. In Server Manager, click View Network Connections. 3. Right-click the connection that represents the connection the server or domain controller uses to attach to the network, and then click Properties. 4. In the Connection Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4) or Internet Protocol Version 6 (TCP/IPv6). 5. Use an IP subnet calculator and the values in IP address and Subnet mask to calculate the subnet address, and then click OK twice. 6. Open the Active Directory Sites and Services snap-in: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 7. Expand the Sites container, and then click the Subnets container. 8. In the Name column in the details pane, find the subnet object that matches the subnet address for the server or domain controller. 9. In the Site column, note the site to which the IP subnet address is associated. If the site that appears in the Site column is not the appropriate site, contact a site administrator and find out whether the IP address is incorrect or whether you should move the server object to the site that is indicated by the subnet-to-site association.
See Also
Move a Server Object to a New Site 390
where <DomainControllerName> is the name of an existing domain controller in the domain in which you want to add the new domain controller. The verbose option provides a detailed list of the operations masters that were tested. Near the bottom of the screen, a message confirms that the test succeeded. If you use the verbose option, look carefully at the bottom part of the displayed output. The test confirmation message appears immediately after the list of operations masters. 3. Type the following command to ensure that the operations masters are functioning properly and available on the network, and then press ENTER: 391
where <DomainControllerName> is the name of a domain controller in the domain in which you want to add the new domain controller. The verbose option provides a detailed list of the operations masters that were tested as well as other important servers, such as global catalog servers and time servers. Near the bottom of your screen, a message confirms that the test succeeded. If these tests fail, do not attempt any additional steps until you fix the problem that prevents the location of operations masters and you can verify that they are functioning properly.
392
Command-line installation, by using unattend parameters to specify the location of installation media. Before you perform the installation procedures, prepare the server for installation according to the instructions in Preparing for Active Directory Installation. To ensure successful installation of a new domain controller, verify that all critical services that AD DS depends on are configured according to Requirements for Installing AD DS (http://go.microsoft.com/fwlink/?LinkId=120603). If you are installing the first Windows Server 2008 domain controller in an existing Windows Server 2000 or Windows Server 2003 domain, see the domain and forest preparation information in Installing an Additional Windows Server 2008 Domain Controller (http://go.microsoft.com/fwlink/?LinkID=93254). For information about best practices for planning, testing, and deploying AD DS, see the AD DS Design Guide (http://go.microsoft.com/fwlink/?LinkID=116282) and see the AD DS Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=116283). This section includes the following tasks for installing a domain controller in an existing domain: Installing an Additional Domain Controller by Using the Windows Interface Installing an Additional Domain Controller by Using IFM Installing an Additional Domain Controller by Using Unattend Parameters
See Also
Preparing for Active Directory Installation
passwords) from the installation media. For information about using IFM to install an RODC, see Planning and Deploying Read-Only Domain Controllers (http://go.microsoft.com/fwlink/? LinkId=120840). You can also create installation media by restoring an Active Directory backup to an alternate location. For information about creating installation media by restoring a criticalvolume backup to an alternate location, see Restoring a Critical-Volume Backup to an Alternate Location (http://go.microsoft.com/fwlink/?LinkId=120612). Replication: You can specify a domain controller in the domain from which to replicate AD DS. To complete this task, perform one of the following procedures: Install an Additional Domain Controller by Using the Windows Interface
See Also
Installing an Additional Domain Controller by Using Unattend Parameters Installing an Additional Domain Controller by Using Unattend Parameters
You can click Use advanced mode installation to see additional installation options. Specifically, click Use advanced mode installation if you want to install from media or identify the source domain controller for Active Directory replication. 9. On the Operating System Compatibility page, review the warning about the default security settings for Windows Server 2008 domain controllers, and then click Next. 10. On the Choose a Deployment Configuration page, click Existing forest, click Add a domain controller to an existing domain, and then click Next. 11. On the Network Credentials page, type the name of any existing domain in the forest where you plan to install the additional domain controller. Under Specify the account credentials to use to perform the installation, click My current logged on credentials or click Alternate credentials, and then click Set. In the Windows Security dialog box, provide the user name and password for an account that can install the additional domain controller. To install an additional domain controller, you must be a member of the Enterprise Admins group or the Domain Admins group. When you are finished providing credentials, click Next. 12. On the Select a Domain page, select the domain of the new domain controller, and then click Next. 13. On the Select a Site page, select a site from the list or select the option to install the domain controller in the site that corresponds to its IP address, and then click Next. 14. On the Additional Domain Controller Options page, make the following selections, and then click Next: DNS server: This option is selected by default so that your domain controller can function as a DNS server. If you do not want the domain controller to be a DNS server, clear this option. Note If you select the option to make this domain controller a DNS server, you might receive a message that indicates that a DNS delegation for the DNS server could not be created and that you should manually create a DNS delegation to the DNS server to ensure reliable name resolution. If you are installing an additional domain controller in either the forest root domain or a tree root domain, you do not have to create the DNS delegation. In this case, click Yes, and disregard the message. Global Catalog: This option is selected by default. It adds the global catalog, readonly directory partitions to the domain controller, and it enables global catalog search functionality. Read-only domain controller. This option is not selected by default. It makes the additional domain controller a read-only domain controller (RODC). 15. If you selected Use advanced mode installation on the Welcome page, the Install from Media page appears. You can provide the location of installation media to be used to create the domain controller and configure AD DS, or you can have all source replication occur over the network. Note that some data will be replicated over the network even if you 395
install from media. For information about using this method to install the domain controller, see Installing an Additional Domain Controller by Using IFM. 16. If you selected Use advanced mode installation on the Welcome page, the Source Domain Controller page appears. Click Let the wizard choose an appropriate domain controller or click Use this specific domain controller to specify a domain controller that you want to provide as a source for replication to create the new domain controller, and then click Next. If you do not choose to install from media, all data will be replicated from this source domain controller. 17. On the Location for Database, Log Files, and SYSVOL page, type or browse to the volume and folder locations for the database file, the directory service log files, and the SYSVOL files, and then click Next. Windows Server Backup backs up the directory service by volume. For backup and recovery efficiency, store these files on separate volumes that do not contain applications or other nondirectory files. 18. On the Directory Services Restore Mode Administrator Password page, type and confirm the restore mode password, and then click Next. This password must be used to start AD DS in Directory Services Restore Mode (DSRM) for tasks that must be performed offline. 19. On the Summary page, review your selections. Click Back to change any selections, if necessary. To save the settings that you have selected to an answer file that you can use to automate subsequent Active Directory operations, click Export settings. Type the name for your answer file, and then click Save. When you are sure that your selections are accurate, click Next to install AD DS. Note If you are installing an additional domain controller in a child domain and you are using child domain credentials, the Windows Security dialog box appears because access is denied in the parent domain to update the DNS delegation in the parent zone. In this case, click the other user icon and provide administrator credentials for the parent domain, and then click OK. 20. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish. 21. You can select Reboot on completion to have the server restart automatically, or you can restart the server to complete the installation of AD DS when you are prompted to do so.
See Also
Preparing for Active Directory Installation Verifying Active Directory Installation
396
397
To create installation media for a full (writable) domain controller, you must run the ntdsutil ifm command on a writable domain controller that is running Windows Server 2008. Note You cannot run the ntdsutil ifm command on a domain controller that runs Windows Server 2003. However, you can create a system state backup of a Windows Server 2003 domain controller, restore the backup to an alternate location, and then use the dcpromo /adv command to create a Windows Server 2003 domain controller. For information about performing IFM installations on domain controllers that are running Windows Server 2003, see Installing a Domain Controller in an Existing Domain Using Restored Backup Media (http://go.microsoft.com/fwlink/? LinkId=120623). To create installation media for a read-only domain controller (RODC), you can run the ntdsutil ifm command on either a writable domain controller or an RODC that runs Windows Server 2008. For RODC installation media, Ntdsutil removes any cached secrets, such as passwords. For more information about installing and managing RODCs, see the Stepby-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/? LinkId=92728). You can use a 32-bit domain controller to generate installation media for a 64-bit domain controller, and the reverse is also true. The ability to mix processor types for IFM installations is new in Windows Server 2008. Ntdsutil.exe can create the two types of installation media, as described in the following table.
Type of installation media Parameter Description
Creates installation media for a writable domain controller or an Active Directory Lightweight Directory Services (AD LDS) instance in the folder that is identified in the path. If you are creating media in a shared folder on another computer, map a network drive to the folder before you perform the procedure. Creates installation media for an RODC in the folder that is identified in the path
Task requirements The following tools are required to perform the procedures for this task: Ntdsutil.exe 398
Dcpromo.exe
To complete this task, perform the following procedures: 1. Create Installation Media by Using Ntdsutil 2. Install an Additional Domain Controller by Using Installation Media
See Also
Verifying Active Directory Installation Adding Domain Controllers in Remote Sites
3. At the ntdsutil prompt, type the following command, and then press ENTER:
activate instance ntds
4. At the ntdsutil prompt, type the following command, and then press ENTER:
ifm
399
5. At the ifm prompt, type the command for the type of installation media that you want to create, and then press ENTER. For example, to create installation media for a read-write domain controller, type the following command:
Create full <Drive>:\<InstallationMediaFolder>
Where <Drive>:\<InstallationMediaFolder> is the path to the folder where you want the installation media to be created. You can save the installation media to a network shared folder or to removable media. When you create additional domain controllers in the domain, you can refer to the shared folder or removable media where you store the installation media as follows: In the Active Directory Domain Services Installation Wizard: on the Install from Media page In an unattended installation answer file: in the /ReplicationSourcePath parameter
See Also
Create an Answer File for Unattended Domain Controller Installation Installing an Additional Domain Controller by Using IFM
400
To install AD DS from IFM media by using the Windows interface 1. Use the procedure Install an Additional Domain Controller by Using the Windows Interface. In step 8, select Use advanced mode installation. 2. In step 15, select the install from media option and provide the location of the installation media. 3. Complete the remaining pages of the Active Directory Domain Services Installation Wizard. 4. After the installation operation completes successfully and the computer is restarted, remove the folder that contains the IFM media from the local disk. To install AD DS from IFM media by using an answer file 1. Create an answer file by using one of the following methods: During the procedure Install an Additional Domain Controller by Using the Windows Interface, select the Export settings option to save the installation settings to a file. This file is an answer file that you can use to install an additional domain controller in the same domain. Use the procedure Create an Answer File for Unattended Domain Controller Installation to create an answer file. Include the /ReplicationSourcePath parameter to specify the location of the IFM media. 2. Use the procedure Install an Additional Domain Controller by Using an Answer File to install AD DS. To install AD DS from IFM media by using unattend parameters from the command line 1. Use the procedure Install an Additional Domain Controller by Using Unattend Parameters from the Command Line to install AD DS. 2. During the procedure, use the /ReplicationSourcePath parameter to specify the location of the IFM media.
See Also
Preparing for Active Directory Installation Verifying Active Directory Installation
You can use unattend parameters in the following ways: In an answer file: You can manually create an answer file that contains unattend parameters to specify the settings for a domain controller, including such values as its name, domain, site, and whether it is a writable domain controller or read-only domain controller (RODC). You can also create an answer file automatically by exporting installation settings to a file during an Active Directory Domain Services Installation Wizard installation. Note For information about installing RODCs, see Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728) and Planning and Deploying Read-Only Domain Controllers (http://go.microsoft.com/fwlink/? LinkId=120840). From the command line: You can type the parameters and values manually at the command line. Running an unattended installation simplifies the process of installing and configuring Active Directory Domain Services (AD DS) on multiple computers. When you use Dcpromo to reference the answer file, the installation proceeds from start to completion without user intervention. This method is most useful when you want to install AD DS with identical options on many computers. Task requirements The following tools are required to complete this task: Text editor application Dcpromo.exe
To complete this task, perform the following procedures: 1. Create an Answer File for Unattended Domain Controller Installation 2. Install an Additional Domain Controller by Using an Answer File 3. Install an Additional Domain Controller by Using Unattend Parameters from the Command Line
See Also
Installing an Additional Domain Controller by Using IFM Installing an Additional Domain Controller by Using the Windows Interface
Server Core installation of Windows Server 2008. The answer file contains sensitive information, and it should be kept in a secure location. Notes The answer file that you use to install an additional domain controller in an existing domain must have the /ReplicaOrNewDomain and /ReplicaDomainDNSName parameters specified. The answer file that you use to install a domain controller from media must have the /ReplicationSourcePath parameter specified. Any account that has Read and Write privileges for the text editor application is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To create an answer file for installing a new domain controller 1. Open Notepad or any text editor. 2. On the first line, type [DCINSTALL], and then press ENTER. 3. Create the following entries, one entry on each line. These options are the minimum options that are required for an additional domain controller installation with Domain Name System (DNS) and the global catalog installed and configured automatically. For a complete list of unattended installation options, including default values, allowed values, and descriptions, see Promotion Operation (http://go.microsoft.com/fwlink/? LinkID=120626). UserName=SAM account name that has Domain Admins credentials in the target domain. This account must be used by the administrator who runs the Dcpromo command. UserDomain=Domain name for the user account in UserName Password=Password for the account in UserName. If you leave this blank, Dcpromo prompts the installer for a password during installation. Dcpromo deletes this value after installation. ReplicaDomainDNSName=The fully qualified domain name (FQDN) of the domain of the new domain controller. ReplicaOrNewDomain=Replica for an additional domain controller in an existing domain or NewDomain for the first domain controller in a new domain. DatabasePath=Location of the Ntds.dit filea folder on a local volume, surrounded by double quotation marks. (The default is %systemroot%\ntds.) If you omit this entry, Dcpromo uses the default location. LogPath=Location of the database log filesa folder on a local volume, surrounded by double quotation marks. (The default is %systemroot%\ntds.) If you omit this entry, Dcpromo uses the default location. SYSVOLPath=Location of the SYSVOL treea folder on a local volume, surrounded by double quotation marks. (The default is %systemroot%\SYSVOL.) If you omit this entry, Dcpromo uses the default location. 403
InstallDNS=Yes to make the domain controller a DNS server or no to create a domain controller without DNS installed. ConfirmGC=Yes to make the domain controller a global catalog server or No to create a domain controller without the global catalog read-only directory partitions. SafeModeAdminPassword=Password for the administrator account that must be used to start the domain controller in Directory Services Restore Mode (DSRM). If you leave this blank, Dcpromo prompts the installer for the password during installation. Dcpromo deletes this value after installation. Passwords are removed from the answer file when you run Dcpromo. RebootOnCompletion=Yes if you want the domain controller to restart automatically following a successful installation, no if you want to restart the domain controller manually. If you do not want the domain controller to restart automatically and you do not want to be prompted, use the value NoAndNoPromptEither. 4. If you want to include application directory partitions in the answer file, add the following parameter: ApplicationPartitionsToReplicate= Provide a value for ApplicationPartitionsToReplicate as follows: If you want to include all application directory partitions, use the value *. If you want to include specific application directory partitions, type the distinguished name of each directory partition. Separate each distinguished name with a space, and enclose the entire list in quotation marks, as shown in the following example: ApplicationPartitionsToReplicate="dc=app1,dc=contoso,dc=com dc=app2,dc=contoso,dc=com" 5. Save the answer file to the location on the installation server from which it is to be called by Dcpromo, or save the file to a network shared folder or removable media for distribution.
See Also
Install an Additional Domain Controller by Using an Answer File Install an Additional Domain Controller by Using Unattend Parameters from the Command Line
Installation Wizard by selecting the option to export the installation information to a file. For information about creating an answer file manually, see Create an Answer File for Unattended Domain Controller Installation. Note You can also use an answer file to create a new domain. After you create the answer file, use the following procedure to perform the unattended installation. You can use this procedure to install Active Directory Domain Services (AD DS) on either a full installation of Windows Server 2008 or a Server Core installation of Windows Server 2008. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To install a new domain controller by using an answer file Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. At the command prompt, type the following command, and then press ENTER:
See Also
Preparing for Active Directory Installation Create an Answer File for Unattended Domain Controller Installation Verifying Active Directory Installation
Install an Additional Domain Controller by Using Unattend Parameters from the Command Line
You can use the following procedure to install a new domain controller from the command line. In this method of installation, you type unattended installation parameters at the command line rather than creating an answer file. For a complete list of unattended installation options, including default values, allowed values, and descriptions, type dcpromo /?:Promotion at a command prompt, or see Promotion Operation (http://go.microsoft.com/fwlink/?LinkID=120626). Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
405
To install an additional domain controller by entering unattended installation parameters at the command line At a command prompt, type the following command. When you have typed all the options that are required to create the additional domain controller, press ENTER.
dcpromo /unattend /<unattendOption>:<value> /<unattendOption>:<value> ...
Where: is an option in the Promotion Operation table. Separate each <option:value> pair with a space.
<unattendOption> <value>
The following example creates an additional domain controller with the global catalog, and it installs and configures the DNS Server service:
dcpromo /unattend /InstallDns:yes /confirmGC:yes /replicaOrNewDomain:replica /databasePath:"e:\ntds" /logPath:"e:\ntdslogs" /sysvolpath:"g:\sysvol" /safeModeAdminPassword:FH#3573.cK /rebootOnCompletion:yes
To complete this task, perform the following procedures: 1. Determine Whether a Server Object Has Child Objects 2. Verify That an IP Address Maps to a Subnet and Determine the Site Association Check that the new domain controller is located in the correct site so that the new domain controller can locate replication partners and become part of the replication topology. 406
3. Move a Server Object to a New Site If you have performed an unattended installation and the domain controller was not placed in the site that you expected, you can move the server object to the correct site. 4. Configure DNS Server Forwarders 5. Complete all procedures for the Verifying DNS Configuration task. 6. Check the Status of the SYSVOL and Netlogon Shares 7. Verify DNS Registration and TCP/IP Connectivity 8. Verify a Domain Computer Account for a New Domain Controller 9. Verify Active Directory Replication 10. Verify the Availability of the Operations Masters
Verify That an IP Address Maps to a Subnet and Determine the Site Association
You can use this procedure to determine the site to which you want to add a server object before you install Active Directory Domain Services (AD DS). You can also use this procedure to verify the site after you install AD DS or before you move a server object. To be associated with a site, the IP address of a domain controller must map to a subnet object that is defined in AD DS. The site to which the subnet is associated is the site of the domain controller. The subnet address, which is computed from the IP network address and the subnet mask, is the name of a subnet object in AD DS. When you know the subnet address, you can locate the subnet object and determine the site to which the subnet is associated. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To verify that an IP address maps to a subnet and to determine the site association 1. Log on locally or open a Remote Desktop connection to the server for which you want to check the IP address. 2. In Server Manager, click View Network Connections. 3. Right-click the connection that represents the connection the server or domain controller uses to attach to the network, and then click Properties. 4. In the Connection Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4) or Internet Protocol Version 6 (TCP/IPv6). 5. Use an IP subnet calculator and the values in IP address and Subnet mask to calculate the subnet address, and then click OK twice. 6. Open the Active Directory Sites and Services snap-in: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and 407
then click Continue. 7. Expand the Sites container, and then click the Subnets container. 8. In the Name column in the details pane, find the subnet object that matches the subnet address for the server or domain controller. 9. In the Site column, note the site to which the IP subnet address is associated. If the site that appears in the Site column is not the appropriate site, contact a site administrator and find out whether the IP address is incorrect or whether you should move the server object to the site that is indicated by the subnet-to-site association.
See Also
Move a Server Object to a New Site
3. In the console tree, right-click ComputerName (where ComputerName is the computer name of the domain controller), and then click Properties. 4. In the ComputerName properties sheet (where ComputerName is the name of the domain controller), on the Forwarders tab, click Edit. 5. Click the text entry area where indicated, type an IP address or DNS name for a DNS server that will receive forwarded DNS queries, and then click OK. 6. When the IP address resolves to the servers fully qualified domain name (FQDN) on the Forwarders tab, click OK.
To complete this task, perform the following procedures: 1. Verify DNS Server Configuration for a Domain Controller 2. Verify DNS Client Settings
409
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To verify DNS server configuration for a domain controller 1. Open the DNS snap-in: On the Start menu, point to Administrative Tools, and then click DNS. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. Double-click Forward Lookup Zones, and verify that the zone _msdcs.ForestRootDomain and the zone for the domain of the new domain controller are present. 3. Click the domain node, and then, in the details pane, verify that host (A) resource records, IPv6 host (AAAA) resource records (if TCP/IPv6 addresses are in use), and name server (NS) resource records are present for the new domain controller. 4. To verify that the ForestDnsZones and DomainDnsZones application directory partitions replicated successfully, open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 5. At the command prompt, type the following command, and then press ENTER:
repadmin /showrepl
6. Verify that the DC=DomainDnsZones,DC=DomainName, ,DC=ForestRootDomainName,DC=com and DC=ForestDnsZones,DC=ForestRootDomainName,DC=com application directory partitions replicated successfully.
See Also
Verify DNS Client Settings
410
Note If IP version 6 (IPv6) is enabled, IPv6 addresses are used instead of IP version 4 (IPv4) addresses. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To verify the DNS client settings 1. In Server Manager, click View Network Connections. 2. Right-click the connection that represents the connection that the domain controller uses to attach to the network, and then click Properties. 3. In Connection Properties, double-click Internet Protocol Version 4 (TCP/IPv4) or Internet Protocol Version 6 (TCP/IPv6). 4. In Internet Protocol (TCP/IP) Properties, verify that Use the following DNS server addresses is selected. 5. Verify that the Preferred DNS server IP address is the IP address of the new domain controller (so that it is referencing itself). Verify that the Alternate DNS server address is that of another DNS server in the same domain. 6. Click OK twice.
See Also
Verify DNS Server Configuration for a Domain Controller
2. Verify that the DFS Replication service and the Netlogon service have a status of Started. If a service is stopped, click Restart. 3. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 4. To verify that the SYSVOL tree includes the sysvol and scripts shared folders, at the command prompt, type the following command, and then press ENTER:
net share
5. Check the list to be sure that it includes %systemroot%\SYSVOL\sysvol\ (the SYSVOL share) and %systemroot%\SYSVOL\sysvol\<Domain Name>\SCRIPTS (the NETLOGON share), where <Domain Name> is the domain of the new domain controller. Note If neither %systemroot%\SYSVOL\sysvol\ nor %systemroot%\SYSVOL\sysvol\<Domain Name>\SCRIPTS are present, see Verify Active Directory Replication. 6. Verify that the proper permissions are set for SYSVOL replication. At the command prompt, type the following command, and then press ENTER:
dcdiag /test:netlogons
Look for a message that states that <ComputerName> passed test NetLogons, where <ComputerName> is the name of the domain controller. If you do not see the passed test message, check the permissions that are set on the Scripts and Sysvol shared folders. For information about default SYSVOL permissions, see Reapply Default SYSVOL Security Settings.
dcdiag /test:replications
Note For more detailed replication information, use the /v option. If this test fails, open Event Viewer and check for errors in the Directory Service log. Use the information in the ActiveDirectory_DomainService replication events to troubleshoot the problem.
To receive more detailed information, including the SPNs that are found for the domain controller, use the /v option.
Ship the computer as a workgroup computer, and install AD DS on it in the remote site. If you do not have administrative support in the remote site, enable Remote Desktop on the computer before you ship the computer so that you can perform the installation remotely. In the remote site, you can either: Install AD DS from installation media that has been shipped to the site on removable media. Install AD DS over the network. Install AD DS on the server in a hub or staging site, and then ship the installed domain controller to the remote site. Both methods have advantages and disadvantages, and both methods require care to ensure the secure transfer of Active Directory data, whether it is installed or in the form of removable media. For information about the advantages and disadvantages of shipping a server to a remote site before or after installing AD DS, see Known Issues for Adding Domain Controllers in Remote Sites. For recommended practices for adding domain controllers to remote sites for the method that you are using, see Best Practices for Adding Domain Controllers in Remote Sites. By reviewing issues and guidelines, you can decide the best method of adding domain controllers in remote sites for your environment. By following the instructions in this guide, you can safely and securely install domain controllers in remote sites, either locally or remotely. Note On servers that are running Windows Server 2008, you can install a read-only domain controller (RODC), which is ideal for providing AD DS in remote sites without incurring the security risks of a writable domain controller. For information about installing and managing RODCs in remote sites, see Planning and Deploying Read-Only Domain Controllers (http://go.microsoft.com/fwlink/?LinkID=120709). This section includes the following tasks, known issues, and best practices for adding domain controllers in remote sites: Known Issues for Adding Domain Controllers in Remote Sites Best Practices for Adding Domain Controllers in Remote Sites Preparing a Server Computer for Shipping and Installation from Media Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection Reconnecting a Domain Controller After a Long-Term Disconnection
Important Do not attempt to perform actions based only on the recommendations that are described in this topic. Step-by-step guidance is provided in the task-based topics in this guide for all recommendations in this topic.
creates secure installation media by removing secrets, such as passwords, from the Active Directory data. You create the media by using Volume Shadow Copy Service (VSS), taking a fraction of the time that is required to create a backup. For information about upgrading the forest to Windows Server 2008, see the AD DS Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=116283). Note On a domain controller that is running Windows Server 2008, you cannot restore a system state backup to an alternate location. Instead, use the ntdsutil ifm command to create installation media. Create media on the type of domain controller that you want to add. You must create installation media on the type of domain controller that you want to add. If you want to add a global catalog server in the remote site, run the ntdsutil ifm command on a global catalog server in the domain. If you want to add a DNS server, run the ntdsutil ifm command on a domain controller that is a DNS server in the domain. Take the same security precautions when you ship removable installation mediaor a server computer that contains installation mediaas you would when you ship an installed domain controller. For information about securing domain controllers, see the Best Practice Guide for Securing Windows Server Active Directory Installations (http://go.microsoft.com/fwlink/?LinkId=28521). Minimize the time between media creation and installation. Minimizing this delay reduces the number of updates that will be required to replicate after installation. Install the operating system before you ship the server to the remote site. Installing the operating system requires expertise that might not be available at branch sites. Ideally, installation routines are available in the staging site to automate the operating system installation process and ensure uniformity for all domain controllers (partition sizes, drive letter assignments, and so on). As part of the operating system installation, apply a standardized set of hotfixes plus any available service packs to ensure service consistency throughout the forest. Ship the server as a member of a workgroup rather than a member server in a domain. If the server is joined to a domain and then stolen during shipment, information about domain names, DNS suffixes, and the number of domains in the forest can aid attackers in their attempts to compromise or steal directory data. Ship computers with properly configured IP, subnet mask, default gateway, and DNS server addresses. Remember to reconfigure the server with TCP/IP settings that are appropriate to the target site, not the staging site. Enable Remote Desktop on the server computer before shipping. This best practice assumes that you want to install and manage AD DS remotely rather than employing an administrator with Domain Admins credentials in each remote site.
416
Best practices for installing domain controllers before you ship them to a remote site
When you install AD DS in the hub or staging site, disconnect the installed domain controller, and then ship the computer to the remote site, you are disconnecting a viable domain controller from the replication topology. The most significant risk from disconnection is that the domain controller will remain offline long enough to exceed the tombstone lifetime and thereby become capable of retaining objects that have been permanently deleted from the directory on all other domain controllers in the domain. Such objects, called lingering objects, cause directory inconsistency, and, under certain conditions, they can be reintroduced into the directory. For information about the causes and effects of lingering objects and how to avoid them, see Known Issues for Adding Domain Controllers in Remote Sites. The following best practices help ensure a smooth and secure disconnection and restart. For stepby-step procedures to perform all of these best practices, see Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection and Reconnecting a Domain Controller After a Long-Term Disconnection. Configure the tombstone lifetime appropriately. Ensure that the tombstone lifetime is not lowered below the default value. The default tombstone lifetime in a forest that is created on a domain controller running Windows 2000 Server or Windows Server 2003 is 60 days. The default tombstone lifetime in a forest that is created on a server running Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), Windows Server 2003 R2, or Windows Server 2008 is 180 days. If you must disconnect a domain controller for a period of several weeks or months, before you disconnect the domain controller, do the following: Estimate the anticipated length of disconnection. Determine the value of the tombstone lifetime for the forest. This value is stored in the tombstoneLifetime attribute of CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ForestRootDomain. Determine the maximum length of time that the domain controller can be disconnected safely. From the tombstone lifetime number of days, subtract a generous estimate of the number of days that are required for end-to-end replication latency. The resulting amount of time is the maximum period for which the domain controller can be disconnected safely, without danger of expired deletions (tombstones) remaining on the domain controller. Determine whether to extend the tombstone lifetime for the forest. If you estimate the maximum time of disconnection to be longer than the tombstone lifetime, you must determine whether to extend the tombstone lifetime or perform the procedure to remove lingering objects from the domain controller after it is reconnected. If you extend the tombstone lifetime, you must also make sure that all domain controllers have adequate disk space to store additional tombstones. In addition, make sure that replication of the tombstone lifetime change has reached all potential source domain controllers before you run Dcpromo to install an additional domain controller. 417
Ensure that strict replication consistency is enabled on all domain controllers. Strict replication consistency is a registry setting thatwhen it is enabledstops inbound replication of a directory partition from a source domain controller that is suspected of having a lingering object. Strict replication consistency should be enabled for the forest to prevent the reintroduction of a lingering object into the directory. You can use the repadmin /regkey command to enable this setting on a specific domain controller or on all domain controllers in the forest, as described in Enable Strict Replication Consistency. Monitor the Knowledge Consistency Checker (KCC) topology and replication to ensure that unintended long disconnections are detected. By monitoring replication, you can detect disconnections that occur as a result of network failures, service failures, or configuration errors. Use the Active Directory Management Pack or other monitoring application to implement a monitoring solution for your Active Directory deployment. Event IDs to monitor include 1311, 1388, 1925, 1988, 2042, 2087, and 2088. Ship computers with properly configured IP, subnet mask, default gateway, and DNS server addresses. Remember to reconfigure the server with TCP/IP settings that are appropriate to the target site, not the staging site. Prepare the registry for automatic nonauthoritative restore of SYSVOL when the domain controller restarts. This recommendation applies only when you use FRS to replicate SYSVOL. For FRS replication of SYSVOL, the nonauthoritative restore prevents the domain controller from having to reconcile and process deletions and modifications that took place from the time of the last SYSVOL update to the time that the domain controller is restarted in the new site, which improves synchronization time. For information about preparing for nonauthoritative restore of SYSVOL, see Prepare a domain controller for nonauthoritative SYSVOL restart (http://go.microsoft.com/fwlink/?LinkId=122831). This additional configuration is not required for Distributed File System (DFS) Replication of SYSVOL because DFS Replication processes updates differently. Ensure that the domain controller replicates successfully with all replication partners. Immediately before you disconnect the domain controller, force replication with its partners. Check that replication has succeeded before you disconnect the domain controller. Label the domain controller. When you disconnect the domain controller, attach a label to the computer that identifies the date and time of disconnection, the destination, and the IP settings. When you reconnect the domain controller, update SYSVOL as quickly as possible. The domain controller does not serve as a domain controller until SYSVOL has been updated through replication. If the site has one or more other domain controllers in the same domain, start the domain controller anytime. If the site contains no other domain controller in the same domain, time the restart of the domain controller to coincide with the beginning of intersite replication. To avoid time skew issues, ensure that the system clock is synchronized with the domain source on startup. When you start the domain controller in the remote site, use the following command to ensure that the domain controller uses the domain hierarchy to synchronize time: 418
See Also
Known Issues for Adding Domain Controllers in Remote Sites Preparing a Server Computer for Shipping and Installation from Media Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection Reconnecting a Domain Controller After a Long-Term Disconnection
SYSVOL replication
SYSVOL is a shared folder that stores files that must be available and synchronized among all domain controllers in a domain. SYSVOL contains Net Logon scripts, Group Policy settings, and either File Replication Service (FRS) or Distributed File System (DFS) Replication staging directories and files, depending on the replication method in use for replicating DFS folders. Replication of the SYSVOL folder is required for AD DS to function properly. The primary focus for both methods of installing additional domain controllers in remote sites is to avoid the replication of AD DS over a wide area network (WAN) between the remote site and the hub site. Each method accomplishes this goal. However, depending on the size of your SYSVOL, you might also be concerned about replication of SYSVOL files over the network. When you use 419
the IFM method to install a domain controller, SYSVOL is replicated from a domain controller in the domain unless you perform preliminary procedures. For information about using installation media as the source for SYSVOL during IFM installation of AD DS when you use DFS Replication to replicate SYSVOL, see Planning and Deploying Read-Only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=120840). If you use FRS to replicate SYSVOL, see article 311078 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=70809).
420
If you enable Remote Desktop on the server before you ship it, you do not have to employ an administrator with Domain Admins credentials in the remote site. You can also use Remote Server Administration Tools (RSAT) to manage AD DS remotely. You can install the tools on a member server that is running Windows Server 2008 or on a workstation that is running Windows Vista with Service Pack 1 (SP1). For information about installing these tools, see Installing Remote Server Administration Tools for AD DS. Note If you do not need a writable domain controller in a remote site, you can install a readonly domain controller (RODC) in the remote site. RODCs do not require administrative credentials for management. For information about using RODCs in remote sites, see Planning and Deploying Read-Only Domain Controllers (http://go.microsoft.com/fwlink/?LinkID=120709).
without this additional preparation, the SYSVOL data in the installation media is deleted and SYSVOL is generated by replication. Because FRS on the source computer uses CPU, memory, and disk resources, the FRS recommendation is to perform a staged update on no more than 10 branch office domain controllers at a time for a single source hub domain controller. If a single domain controller functions as the source for SYSVOL replication to more than 10 destination domain controllers, performance on the source domain controller can decrease significantly. To balance source domain controllers, you can use an answer file with Dcpromo to specify the source domain controller. Note When you use DFS Replication to replicate SYSVOL, these conditions are not an issue. For information about performing a staged installation of RODCs, see Planning and Deploying Read-Only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=120840).
Advantages of installing domain controllers before shipping them to the remote site
The following advantages are associated with installing domain controllers before you ship them to the remote site: Standardization. The process for installing domain controllers can be automated and standardized in the hub or staging site, with the one additional step of packing and shipping the domain controller. If you follow the instructions in this guide for safe disconnection and reconnection, restarting the domain controller in the remote site is all that is required. Branch site personnel. The requirement for personnel with Domain Admins credentials is limited to the hub site.
Issues with installing domain controllers before shipping them to the remote site
The following issues are associated with installing domain controllers and then disconnecting them from the network while they are shipped to the remote site:
422
Disconnection error conditions. After disconnection, online domain controllers in the domain continue to attempt replication with the disconnected domain controller, causing AD DS and SYSVOL replication errors to be generated for as long as the domain controller is disconnected. Additional preparation. Additional preparation is required to ensure smooth reconnection: Preparing for the nonauthoritative restart of SYSVOL. To avoid full replication of SYSVOL, you can take steps to ensure that only SYSVOL updates are replicated when the domain controller starts in the branch site. Ensuring an adequate tombstone lifetime to avoid the possibility of objects remaining on the domain controller that have been permanently deleted from the directory on all other domain controllers. The tombstone lifetime is a forest-wide setting that determines how long an object deletion persists in the directory. Protection of existing accounts and metadata. You must ensure that computer accounts and metadata for the domain controller are not deleted or improperly modified while the domain controller is disconnected. Risk of lingering objects. A lingering object is an object that remains on a disconnected domain controller after the object has been permanently deleted from AD DS on all connected domain controllers. Deletion updates are replicated as tombstone objects. These objects have a limited lifetime in AD DS, which is defined by the tombstone lifetime. After a tombstone is permanently removed from Active Directory, replication of the deletion that it represented is no longer possible. Therefore, if you restart a domain controller on which such an object remains, replication does not recognize that object as a deleted object, and the object remains in AD DS on only the reconnected domain controller and nowhere else. If you plan to disconnect a domain controller for longer than the period of time that a domain controller keeps track of object deletions (the tombstone lifetime), you must take additional steps to ensure directory consistency. Caution The default value for the tombstone lifetime is 180 days. In this case, the risk is remote if the tombstone lifetime is not changed. However, because the tombstone lifetime value can be changed administratively and because the risk has such significant consequences, you should always check the tombstone lifetime setting. For more information about lingering objects and their causes and effects, see Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042) (http://go.microsoft.com/fwlink/?LinkId=120797).
Up to dateness of Active Directory replication at the time of disconnection SYSVOL consistency at reconnection Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection Reconnecting a Domain Controller After a Long-Term Disconnection
For procedures to ensure that all of these issues are resolved, see the following topics:
424
SYSVOL consistency
When you use DFS Replication for SYSVOL replication, when you restart the domain controller in the new site DFS Replication updates SYSVOL by processing the latest changes from the source domain controller. To ensure that SYSVOL is updated as quickly as possible, time the restart of the domain controller with the intersite replication schedule. When you use FRS for SYSVOL replication, in addition to timing restart according to the replication schedule preparation might be necessary to avoid an extended period of latency when SYSVOL is updated. When you restart a domain controller without this preparation, FRS reconciles and processes all deletions and modifications that took place from the time of the last SYSVOL update to the time that the domain controller is restarted in the new site. If you have a large SYSVOL, you can avoid this extra processing and replication time by preparing the domain controller for nonauthoritative SYSVOL restore before you ship the domain controller. For information about preparing the domain controller for nonauthoritative SYSVOL restore, see Prepare a domain controller for nonauthoritative SYSVOL restart (http://go.microsoft.com/fwlink/?LinkID=122831).
See Also
Preparing a Server Computer for Shipping and Installation from Media Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection Reconnecting a Domain Controller After a Long-Term Disconnection
Determine whether to create the installation media in a shared folder on the computer that will be installed or use removable media to ship the installation media separately from the computer. If you will create the media in a shared folder on the installation server, do the following: Determine the volume on which to create the media. See the criteria in Determine the volume for installation media in this topic. Create a shared folder on the server and map a network drive to the folder on the domain controller that you are using to create the media. Install the operating system on the server computer. This task is best performed in the hub site where administrative personnel are available. Enable Remote Desktop on the server before you ship it. If you want to include application directory partitions on the domain controller, prepare an answer file that contains the location of the installation media and the application directory partitions. Determine the volume on which to store the installation media on the installation server. This location affects SYSVOL replication after the installation of AD DS.
426
Note We recommend that you deploy at least two domain controllers in each domain for the purposes of redundancy and failover.
To complete this task, perform the following procedures: 1. Create Installation Media by Using Ntdsutil. Before you perform this procedure, see Installing an Additional Domain Controller by Using IFM. Perform this procedure on a domain controller that is the type of domain controller that you want to create (for example, a global catalog server or a DNS server). Specify removable media or a shared folder on the installation server as the location for the installation media. 2. Enable Remote Desktop on the installation server. 3. Ship the installation server and any prepared removable media and answer file to the remote site. Ship these items separately and securely. When the server is running in the remote site, install the domain controller as follows: 1. Create a Remote Desktop Connection to the remote server. 2. Install an Additional Domain Controller by Using Installation Media. When the domain controller restarts after installation, the Remote Desktop Connection is dropped. After the installed domain controller restarts, you must reconnect by using Remote Desktop Connection.
427
See Also
Installing an Additional Domain Controller by Using IFM
3. In the Select Computer dialog box, under Enter the object name to select, type the computer name, and then click Check Names. 4. After the computer name resolves, click OK. 5. In the computer node that appears in the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server. 6. In the console tree, click Terminal Server, and then, in the details pane, double-click fDenyTSConnections. 7. In the Edit DWORD Value box, in Value data, type 0, and then click OK. This value enables connections at the level that allows connections from computers running any version of Remote Desktop. 8. To implement the change, restart the server remotely, as follows: Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. In the User Account Control dialog box, provide Domain Admins credentials, and then click OK. At the command prompt, type the following command, and then press ENTER:
shutdown /m \\<DomainControllerName> /r
Value
Description
/m \\<DomainControllerName> /r
The name of the computer to be shut down or restarted. Shuts down and then restarts the computer.
429
To create a new Remote Desktop Connection 1. On the Start menu, point to Programs or All Programs, click Accessories, and then click Remote Desktop Connection. 2. In Computer, type a computer name or IP address, and then click Connect. 3. In the Windows Security dialog box, type your password, and then click OK. If you are not logged on with an account that is a member of the Remote Desktop Users, or equivalent, click Use another account, and then provide credentials for the appropriate account.
See Also
Enable Remote Desktop
Wizard. 4. After the installation operation completes successfully and the computer is restarted, remove the folder that contains the IFM media from the local disk. To install AD DS from IFM media by using an answer file 1. Create an answer file by using one of the following methods: During the procedure Install an Additional Domain Controller by Using the Windows Interface, select the Export settings option to save the installation settings to a file. This file is an answer file that you can use to install an additional domain controller in the same domain. Use the procedure Create an Answer File for Unattended Domain Controller Installation to create an answer file. Include the /ReplicationSourcePath parameter to specify the location of the IFM media. 2. Use the procedure Install an Additional Domain Controller by Using an Answer File to install AD DS. To install AD DS from IFM media by using unattend parameters from the command line 1. Use the procedure Install an Additional Domain Controller by Using Unattend Parameters from the Command Line to install AD DS. 2. During the procedure, use the /ReplicationSourcePath parameter to specify the location of the IFM media.
See Also
Preparing for Active Directory Installation Verifying Active Directory Installation
objects, see "Maintaining Directory Consistency When Disconnecting a Domain Controller" in Known Issues for Adding Domain Controllers in Remote Sites. By taking preliminary precautions, you can ensure that long-term disconnections do not result in directory inconsistency from lingering objects. Task requirements The following tools are required to perform the procedures for this task: ADSI Edit Ntdsutil.exe Active Directory Users and Computers Active Directory Schema Active Directory Domains and Trusts Repadmin.exe
To complete this task, perform the following procedures: 1. Determine the anticipated length of the disconnection. 2. Determine the Tombstone Lifetime for the Forest. 3. Determine the maximum safe-disconnection period by subtracting a generous estimate of the end-to-end replication latency from the tombstone lifetime. Either find the latency estimate in the design documentation for your deployment or request the information from a member of your design or deployment team. If the anticipated time of disconnection exceeds the maximum safedisconnection period, make a decision about whether to extend the tombstone lifetime. To change the tombstone lifetime, see Determine the Tombstone Lifetime for the Forest and change the value in the tombstoneLifetime attribute. If the estimated time of disconnection does not exceed the maximum safe disconnection time, proceed with preparations for disconnection. 4. View the Current Operations Master Role Holders to determine whether the domain controller is an operations master role holder. 5. Transfer the Domain-Level Operations Master Roles, if appropriate. 6. Transfer the Schema Master, if appropriate. 7. Transfer the Domain Naming Master, if appropriate. 8. If you use File Replication Service (FRS) to replicate SYSVOL, you can decrease the time required to update SYSVOL when the domain controller is restarted by performing a preliminary registry update on the server. For instructions, see Prepare a domain controller for nonauthoritative SYSVOL restart (http://go.microsoft.com/fwlink/?LinkID=122831). This procedure is not necessary if you use Distributed File System (DFS) Replication. 9. Enable Strict Replication Consistency, if necessary. If strict replication consistency is not enabled on the domain controller that you are disconnecting, use this command-line procedure to enable strict replication consistency on specific domain controllers or on all domain controllers in the forest. 432
10. Synchronize Replication with All Partners. Update the domain controller with the latest changes just before you disconnect it. 11. Verify Successful Replication to a Domain Controller for the domain controller that you are disconnecting. 12. Label the domain controller with the date and time of disconnection and the maximum safedisconnection period.
See Also
Known Issues for Adding Domain Controllers in Remote Sites Managing Operations Master Roles Managing DFS-Replicated SYSVOL Reconnecting a Domain Controller After a Long-Term Disconnection
8. Note the value in the Value column. If the value is <not set>, the default value is in effect as follows: On a domain controller in a forest that was created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), Windows Server 2003 R2, or Windows Server 2008, the default value is 180 days. On a domain controller in a forest that was created on a domain controller running Windows 2000 Server or Windows Server 2003, the default value is 60 days.
434
Value
Description
repadmin /regkey
Enables and disables the values for the following two registry entries under HKEY_LOCAL_MACHINE\SYSTEM\Current Control Set\Services\NTDS\Parameters: Strict replication consistency Allow replication with divergent and corrupt partner
<DC_LIST>
The name of a single domain controller. Or, use * to apply the change to all domain controllers in the forest. For the domain controller name, you can use the Domain Name System (DNS) name, the distinguished name of the domain controller computer object, or the distinguished name of the domain controller server object. + to enable and - to disable, and key is strict. For example, +strict enables strict replication consistency; -strict disables it.
{+|-}<key>
2. Repeat step 1 for every domain controller on which you want to enable strict replication consistency. Note For more naming options and information about the syntax of the <DC_LIST> parameter, at the command prompt, type repadmin /listhelp.
435
Value
Description
Synchronizes a specified domain controller with all replication partners. The Domain Name System (DNS) name of the domain controller on which you want to synchronize replication with all partners. Enterprise; includes partners in all sites. Identifies servers by their distinguished names in messages. All; synchronizes all directory partitions that are held on the home server. Pushes changes outward from the home server. Runs in quiet mode; suppresses callback messages.
/e /d /A /P /q
2. Check for replication errors in the output of the command in the previous step. If there are no errors, replication is successful. For replication to complete, any errors must be corrected.
See Also
Verify Successful Replication to a Domain Controller
436
Updating SYSVOL
To update SYSVOL as soon as possible after you reconnect a domain controller, plan the time that you restart the domain controller to optimize the replication schedule, as follows: If the closest replication partner for the domain is in a different site, view site link properties to determine the replication schedule, and then restart the domain controller as soon as possible after replication is scheduled to start. If a replication partner for the domain is available within the site, verify replication success on that partner before you restart the domain controller. Important If you use File Replication Service (FRS) to replicate SYSVOL, the recommended practice to reduce the time required to update SYSVOL is to modify the registry before you disconnect the domain controller so that SYSVOL is updated with only the latest file changes when you restart the domain controller. For information about preparing for SYSVOL replication when using FRS, see Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection (http://go.microsoft.com/fwlink/?LinkId=122834). 437
Task requirements The following tools are required to perform the procedures for this task: ADSI Edit Active Directory Sites and Services Repadmin.exe
To complete this task, perform the following procedures: 1. Determine the Tombstone Lifetime for the Forest. 2. Determine whether the maximum safe disconnection time has been exceeded. The maximum safe disconnection time should have been established at the time of disconnection, as follows: Subtract a generous estimate of the amount of time for end-to-end replication latency from the tombstone lifetime. Either find the latency estimate in the design documentation for your deployment or request the information from a member of your design or deployment team. 3. If the maximum safe disconnection time has not been exceeded, proceed with the reconnection process as follows: Move a Server Object to a New Site If the server object for the domain controller is still in the site where the domain controller was installed, move the server object to the site in which you are reconnecting the domain controller. If the site in which you are reconnecting the domain controller has one or more other domain controllers that are authoritative for the domain, start the domain controller anytime. If the site in which you are reconnecting the domain controller has no other domain controllers that are authoritative for the domain, proceed as follows: Determine When Intersite Replication Is Scheduled to Begin by viewing the replication properties on the site link that connects this site to the next closest site that includes a domain controller that is authoritative for this domain. As soon as possible after the next replication cycle begins, start the domain controller. If the maximum safe disconnection time has been exceeded, proceed in the appropriate manner according to the operating system, as described in "Reconnecting an Outdated Domain Controller" earlier in this topic. 4. Verify Successful Replication to a Domain Controller After replication is complete, verify replication of the domain, configuration, and schema directory partitions. If the domain controller is a global catalog server, verify replication of all domain directory partitions. If the domain controller is a Domain Name System (DNS) server, verify replication of the domain and forest DNS application directory partitions.
See Also
Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection 438
which you are moving the server object. If the IP address does not map to a subnet that is associated with the site to which you move it, the server might be forced to communicate over a potentially slow wide area network (WAN) link to locate resources rather than locating resources in its own site. Before you move the server object, verify that the IP address maps to the target site. You can use this procedure to move a server object to a new site. Membership in Enterprise Admins, or equivalent, is required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To move a server object to a new site 1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. 2. In the console tree, expand Sites and the site in which the server object resides. 3. Expand Servers to display the domain controllers that are currently configured for that site. 4. Right-click the server object that you want to move, and then click Move. 5. In Site Name, click the destination site, and then click OK. 6. Expand the site object to which you moved the server, and then expand the Servers container. 7. Verify that an object for the server that you moved exists. 8. Expand the server object, and verify that an NTDS Settings object exists. Within an hour, the Net Logon service on the domain controller registers the new site information in Domain Name System (DNS). Wait an hour, and then open Event Viewer and connect to the domain controller whose server object you moved. Review the System log for NETLOGON errors regarding registration of service (SRV) resource records in DNS that have occurred within the last hour. The absence of errors indicates that the Net Logon service has updated DNS with sitespecific service (SRV) resource records. NETLOGON Event ID 5774 indicates that the dynamic registration of DNS resource records has failed. If this error occurs, contact a supervisor and pursue DNS troubleshooting.
See Also
Verify That an IP Address Maps to a Subnet and Determine the Site Association
synchronization with domain controllers in the hub site by timing the restart to coincide with intersite replication. You can use this procedure to determine when intersite replication between sites is scheduled to begin. Membership in Domain Users, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To determine when intersite replication is scheduled to begin 1. Open Active Directory Sites and Services: Click Start, point to Administrative Tools, and then click Active Directory Sites and Services. 2. In the console tree, double-click the Sites container, double-click the Inter-Site Transports container, and then click the IP container. 3. In the details pane, right-click the site link object for which you want to view the schedule, and then click Properties. 4. In the SiteLinkNameProperties dialog box, click Change Schedule. Note the block of days and hours during which replication is allowed (Replication Available), and then click OK or Cancel. 5. In Replicate every _____ minutes, note the number of minutes for the intervals at which replication polling takes place during an open schedule window, and then click OK.
running a version of either Windows Server 2003 or Windows Server 2008. If either domain controller is running Windows 2000 Server, follow the instructions in article 314282 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=37924). Use the following procedure to determine the GUID of a domain controller. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To determine the GUID of a domain controller 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At a command prompt, type the following command, and then press ENTER:
repadmin /showrepl <DomainControllerName>
Where <DomainControllerName> is the NetBIOS name of the domain controller whose GUID you want to determine. 3. In the top portion of the output, note the value in DC
object GUID:
Use the following procedure to remove lingering objects by using Repadmin. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To use Repadmin to remove lingering objects 1. At a command prompt, type the following command, and then press ENTER:
repadmin /removelingeringobjects <ServerName ServerGUID DirectoryPartition> /advisory_mode
442
Value
Description
Removes objects that have been deleted and permanently removed from replication partners but remain on this domain controller. The DNS name or the distinguished name of the domain controller that has or might have lingering objects. The GUID of a domain controller that has an up-to-date, writable replica of the directory partition The distinguished name of the domain directory partition that might have lingering objects. For example, DC=RegionalDomainName,DC=ForestRootDomainName,DC=c om. Also run the command against the configuration directory partition (CN=configuration,DC=ForestRootDomainName,DC=com), the schema directory partition (CN=schema,CN=configuration,DC=ForestRootDomainName), and any application directory partitions that are hosted on the domain controller that you are checking for lingering objects.
/advisory_mode logs the lingering objects that will be removed so that you can review them, but it does not remove them. 2. If lingering objects are found, repeat step 1 without /advisory_mode to delete the identified lingering objects from the directory partition. 3. Repeat steps 1 and 2 for every domain controller that might have lingering objects. Note The ServerName parameter uses the DC_LIST syntax for repadmin, which allows the use of * for all domain controllers in the forest and gc: for all global catalog servers in the forest. To see the DC_LIST syntax, at a command prompt, type repadmin /listhelp, and then press ENTER.
been attempted, the site and name of the source domain controller, and whether replication succeeded or not, as follows:
Last attempt @ <YYYY-MM-DD HH:MM.SS> was successful. Last attempt @ [Never] was successful.
If @ [Never] appears in the output for a directory partition, replication of that directory partition has never succeeded from the identified source replication partner over the listed connection. Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To verify successful replication to a domain controller 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER:
repadmin /showrepl <servername> /u:<domainname>\<username> /pw:*
Note The user credential parameters (/u:<domainname>\<username> /pw:*) are not required for the domain of the user if the user has opened the Command Prompt as an administrator with Domain Admins credentials or is logged on to the domain controller as a member of Domain Admins or equivalent. However, if you run the command for a domain controller in a different domain in the same Command Prompt session, you must provide credentials for an account in that domain.
444
Value
Description
repadmin /showrepl
Displays the replication status for the last time that the domain controller that is named in <servername> attempted inbound replication of Active Directory partitions. The name of the destination domain controller. Specifies the domain name and user name, separated by a backslash, for a user who has permissions to perform operations in AD DS. The single-label name of the domain of the destination domain controller. (You do not have to use a fully qualified Domain Name System (DNS) name.) The name of an administrative account in that domain. Specifies the domain password for the user named in <username>. * provides a Password: prompt when you press ENTER.
<servername> /u:
<domainname>
<username> /pw:*
3. At the Password: prompt, type the password for the user account that you provided, and then press ENTER. You can also use repadmin to generate the details of replication to and from all replication partners in a Microsoft Excel spreadsheet. The spreadsheet displays data in the following columns: Showrepl_COLUMNS Destination DC Site Destination DC Naming Context Source DC Site Source DC Transport Type Number of Failures Last Failure Time Last Success Time Last Failure Status The following procedure creates this spreadsheet and sets column headings for improved readability.
445
To generate a repadmin /showrepl spreadsheet for all replication partners 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER:
repadmin /showrepl * /csv >showrepl.csv
3. Open Excel. 4. Click the Office button, click Open, navigate to showrepl.csv, and then click Open. 5. Hide or delete column A as well as the Transport Type column, as follows: 6. Select a column that you want to hide or delete. Or To delete the column, right-click the selected column, and then click Delete. 7. Select row 1 beneath the column heading row. On the View tab, click Freeze Panes, and then click Freeze Top Row. 8. Select the entire spreadsheet. On the Data tab, click Filter. 9. In the Last Success Time column, click the down arrow, and then click Sort Ascending. 10. In the Source DC column, click the filter down arrow, point to Text Filters, and then click Custom Filter. 11. In the Custom AutoFilter dialog box, under Show rows where, click does not contain. In the adjacent text box, type del to eliminate from view the results for deleted domain controllers. 12. Repeat step 11 for the Last Failure Time column, but use the value does not equal, and then type the value 0. 13. Resolve replication failures. The last successful attempt should agree with the replication schedule for intersite replication, or the attempt should be within the last hour for intrasite replication. If Repadmin reports any of the following conditions, see Troubleshooting Active Directory Replication Problems (http://go.microsoft.com/fwlink/?LinkID=93582): The last successful intersite replication was before the last scheduled replication. The last intrasite replication was longer than one hour ago. Replication was never successful. To hide the column, right-click the column, and then click Hide.
446
Renaming a domain controller is a common operation in many organizations, and it usually occurs when: New hardware is purchased to replace an existing domain controller. Domain controllers are decommissioned or promoted and renamed to maintain a naming convention. Domain controllers are moved or placed in sites.
Note It is important to note that domain controller names have a primary impact on administration, rather than client access. Renaming a domain controller is an optional exercise, and the effects of renaming a domain controller should be well understood before the domain controller is renamed. Although you can use System Properties to rename a domain controller (as you can for any computer), Active Directory and DNS replication latency might temporarily prevent clients from locating or authenticating (or both) to the renamed domain controller. To avoid this delay, you can use the Netdom command-line tool to rename a domain controller. Task requirements The following is required to perform the procedures for this task: System Properties or Netdom.exe Ldp.exe or ADSI Edit
If you want to use Netdom, the domain functional level must be set to Windows Server 2003 or Windows Server 2008. To complete this task, use one of the following two sets of procedures: 1. Rename a Domain Controller Using System Properties 2. Update the FRS or DFS Replication Member Object Or 1. Rename a Domain Controller Using Netdom 447
See Also
Rename a Domain Controller Using Netdom
448
name. If the updates and registrations have not occurred before the removal of the old computer name, some clients might not be able to locate this computer using the new name or the old name. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To rename a domain controller using Netdom 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At the command prompt, type the following command to add the new domain controller name, and then press ENTER:
netdom computername <CurrentComputerName> /add:<NewComputerName>
Value
Description
Manages the primary and alternate names for a computer. The current, or primary, fully qualified DNS name of the computer that you are renaming. Specifies that a new alternate DNS name should be added. The new fully qualified DNS name for the computer that you are renaming.
/add: <NewComputerName>
3. Type the following command to designate the new name as the primary computer name, and then press ENTER:
netdom computername <CurrentComputerName> /makeprimary:<NewComputerName>
449
Value
Description
Manages the primary and alternate names for a computer. The current, or primary, fully qualified domain name (FQDN)of the computer that you are renaming. Specifies that an existing alternate name should be made into the primary name. The new name for the computer. The NewComputerName must be a FQDN. The primary DNS suffix that is specified in the FQDN for NewComputerName must be the same as the primary DNS suffix of CurrentComputerName, or it must match the DNS name of the Active Directory domain that is hosted by this domain controller, or it must be contained in the list of allowed DNS suffixes that is specified in the msDS-AllowedDNSSuffixes attribute of the domainDns object.
/makeprimary: <NewComputerName>
4. Restart the computer. 5. After the computer restarts, open a Command Prompt. 6. At the command prompt, type the following command to remove the old domain controller name, and then press ENTER:
netdom computername <NewComputerName> /remove:<OldComputerName>
Value
Description
Manages the primary and alternate names for a computer. The new FQDN that you added for the computer in step 2. Specifies that an existing alternate name should be removed. The old FQDN of the renamed computer.
See Also
Rename a Domain Controller Using System Properties 450
then click Rename. 5. Type the new name of the domain controller. 6. To verify the name change, open ADSI Edit: On the Start menu, point to Administrative Tools, and then click ADSI Edit. View the msDFSR-MemberReference attribute of the object CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<DomainControllerName>,OU=Domain Controllers,DC=<DomainName> and confirm that the value in CN=<DomainControllerName> is the new name.
Task requirements The following tools are required to perform the procedures for this task: Dcdiag.exe Active Directory Schema Active Directory Domains and Trusts Active Directory Users and Computers Active Directory Sites and Services Ntdsutil.exe
If you must protect the recovery agent private key for encrypted files, the following additional tool is required: Certificates snap-in To complete this task, perform the following procedures: 1. Verify DNS Registration and TCP/IP Connectivity The Active Directory Domain Services Installation Wizard requires both TCP/IP connectivity and Domain Name System (DNS) to locate another domain controller in the domain. During the removal of AD DS, contact with other domain controllers is required to ensure the following: Any unreplicated changes are replicated to another domain controller. Removal of the domain controller from the directory. Transfer of any remaining operations master roles.
If the domain controller cannot contact another domain controller during Active Directory removal, the decommissioning operation fails. As with the installation process, test the communication infrastructure before you run the installation wizard. Before you remove AD DS, use the same connectivity tests that you used before you installed AD DS. 2. View the Current Operations Master Role Holders To avoid problems for client computers in the domain and forest, transfer any operations master (also known as flexible single master operations or FSMO) roles before you run the Active Directory Domain Services Installation Wizard to decommission a domain controller so that you can control the operations master role placement. If you need to transfer any operations master roles from a domain controller, review all the recommendations for role placement before you perform the transfer, as described in Introduction to Administering Operations Master Roles. Identify the domain controllers to which you will transfer each role before you perform the transfer procedures. Caution During the decommissioning process, the Active Directory Domain Services Installation Wizard checks for the presence of operations master roles. If the domain controller being decommissioned holds any operations master (also known as flexible single master operations or FSMO) role, the wizard provides a warning and attempts to transfer the role or roles to another domain controller without any user interaction. You 453
do not have control over which domain controller receives the operations master roles that are transferred, and the wizard does not indicate which domain controller receives them. If the wizard cannot transfer an operations master role, you can override the warnings and the wizard will continue to uninstall AD DS and leave your domain or forest without the role. In this case, you must seize the operations master role to another domain controller. If the domain controller holds any operations master roles, use the following procedures to transfer the role or roles: Transfer the Schema Master Transfer the Domain Naming Master Transfer the Domain-Level Operations Master Roles 3. Determine Whether a Domain Controller Is a Global Catalog Server If you remove AD DS from a domain controller that hosts the global catalog, the Active Directory Domain Services Installation Wizard confirms that you want to continue with removing AD DS. This confirmation ensures that you are aware that you are removing a global catalog server from your environment. Do not remove the last global catalog server from your environment because users cannot log on without an available global catalog server. If you are not sure, do not proceed with removing AD DS until you know that at least one other global catalog server is available. 4. Verify the Availability of the Operations Masters Verify that the operations master role holders are online and responding. Important If any verification test fails, do not continue until you determine the problems and fixthem. If these tests fail, the uninstallation is also likely to fail. 5. If the domain controller hosts encrypted documents, perform the following procedure before you remove AD DS to ensure that the encrypted files can be recovered after AD DS is removed: Back Up A Certificate With Its Private Key (http://go.microsoft.com/fwlink/?LinkId=122856). 6. Removing a Windows Server 2008 Domain Controller from a Domain You can remove AD DS by using the Windows interface, an answer file, or the command line. 7. If the domain controller hosts encrypted documents and you backed up the certificate and private key before you removed AD DS, perform the following procedure to import the certificate to the server again: Import a Certificate (http://go.microsoft.com/fwlink/?LinkID=108290). 8. Determine Whether a Server Object Has Child Objects 9. Delete a Server Object from a Site Note You may not want to remove the server object if it hosts something in addition to AD DS, for example, Microsoft Exchange. 454
See Also
Introduction to Administering Operations Master Roles
Note For a more detailed response from this command, add /v to the end of the command. If the test fails, do not attempt any additional steps until you determine and fix the problem that prevents proper DNS functionality.
After you transfer an operations master role, use this procedure to verify that the transfer has occurred successfully throughout the domain. To have full effect, the change must replicate to all domain controllers in the domain for a domain-level role and to all domain controllers in the forest for a forest-level role. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To view the current operations master role holders 1. Open Ntdsutil as an administrator: Click Start, and then, in Start Search, type ntdsutil. At the top of the Start menu, right-click ntdsutil, and then click Run as administrator. In the User Account Control dialog box, provide Domain Admins credentials, and then click OK. 2. At the ntdsutil: prompt, type roles, and then press ENTER. 3. At the fsmo
maintenance:
4. At the server connections: prompt, type connect to server <servername>, where <servername> is the name of the domain controller that belongs to the domain that contains the operations masters. 5. After you receive confirmation of the connection, type quit, and then press ENTER to exit this menu. 6. At the fsmo ENTER.
maintenance:
operation target,
7. At the select operations target: prompt, type list then press ENTER.
The system responds with a list of the current roles and the Lightweight Directory Access Protocol (LDAP) name of the domain controllers that are currently assigned to host each role. 8. Type quit, and then press ENTER to exit each prompt in Ntdsutil.exe. At the ntdsutil: prompt, type quit, and then press ENTER to close the window.
456
Before you can use the Active Directory Schema snap-in for the first time, you must register it with the system. If you have not yet prepared the Active Directory Schema snap-in, see Install the Schema Snap-in before you begin this procedure. Note You perform this procedure by using a Microsoft Management Console (MMC) snap-in, although you can also transfer this role by using Ntdsutil.exe. For information about using Ntdsutil.exe to transfer operations master roles, see Ntdsutil (http://go.microsoft.com/fwlink/?LinkId=120970). For information about the ntdsutil command, you can type ? at the Ntdsutil.exe command prompt. Membership in Schema Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. Transfer the schema master 1. Open the Active Directory Schema snap-in. 2. In the console tree, right-click Active Directory Schema, and then click Change Active Directory Domain Controller. 3. In the Change Directory Server dialog box, under Change to, click This domain Controller or AD LDS instance. 4. In the list of domain controllers, click the name of the domain controller to which you want to transfer the schema master role, and then click OK. 5. In the console tree, right-click Active Directory Schema, and then click Operations Master. The Change Schema Master box displays the name of the server that is currently holding the schema master role. The targeted domain controller is listed in the second box. 6. Click Change. Click Yes to confirm your choice. The system confirms the operation. Click OK again to confirm that the operation succeeded. 7. Click Close to close the Change Schema Master dialog box.
457
Note You perform this procedure by using a Microsoft Management Console (MMC) snap-in, although you can also transfer this role by using Ntdsutil.exe. For information about using Ntdsutil.exe to transfer operations master roles, see Ntdsutil (http://go.microsoft.com/fwlink/?LinkId=120970). For information about the ntdsutil command, you can also type ? at the Ntdsutil.exe command prompt. Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To transfer the domain naming master 1. Open Active Directory Domains and Trusts: On the Start menu, point to Administrative Tools, and then click Active Directory Domains and Trusts. If the User Account Control dialog box appears, provide Enterprise Admins credentials, if required, and then click Continue. 2. In the console tree, right-click Active Directory Domains and Trusts, and then click Change Active Directory Domain Controller. 3. Ensure that the correct domain name is entered in Look in this domain. The available domain controllers from this domain are listed. 4. In the Name column, click the domain controller to which you want to transfer the domain naming master role, and then click OK. 5. At the top of the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master. 6. The name of the current domain naming master appears in the first text box. The domain controller to which you want to transfer the domain naming master role should appear in the second text box. If this is not the case, repeat steps 1 through 4. 7. Click Change. To confirm the role transfer, click Yes. Click OK again to close the message box indicating that the transfer took place. Click Close to close the Operations Master dialog box.
You might want to transfer a domain-level operations master role if the domain controller that currently hosts the role is inadequate, has failed, or is being decommissioned. You can transfer all domain roles by using the Active Directory Users and Computers snap-in. Note You perform these procedures by using a Microsoft Management Console (MMC) snap-in, although you can also transfer these roles by using Ntdsutil.exe. For information about using Ntdsutil.exe to transfer the operations master roles, see Ntdsutil (http://go.microsoft.com/fwlink/?LinkID=120970.) For information about the ntdsutil command, can also type ? at the Ntdsutil.exe command prompt. Before you perform this procedure, you must identify the domain controller to which you will transfer the operations master role. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To transfer a domain-level operations master role 1. Open Active Directory Users and Computers: On the Start menu, point to Administrative Tools, and then click Active Directory Users and Computers. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At the top of the console tree, right-click Active Directory Users and Computers, and then click Change Active Directory Domain Controller. 3. Ensure that the correct domain name is entered in Look in this domain. The available domain controllers from this domain are listed. 4. In the Name column, click the name of the domain controller to which you want to transfer the role, and then click OK. 5. At the top of the console tree, right-click Active Directory Users and Computers, and then click Operations Masters. The name of the current operations master role holder appears in the Operations master box. The name of the domain controller to which you want to transfer the role appears in the lower box. 6. Click the tab for the operations master role that you want to transfer: RID, PDC, or Infrastructure. Verify the computer names that appear, and then click Change. Click Yes to transfer the role, and then click OK. 7. Repeat steps 5 and 6 for each role that you want to transfer.
459
test. The commands in this procedure show the /s option. If you are performing this test after you install AD DS, omit the /s option. For a more detailed response from this command, you can use the verbose option by adding /v to the end of the command. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To verify the availability of the operations masters 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. 2. At the command prompt, type the following command to ensure that the operations masters can be located, and then press ENTER:
dcdiag /s:<DomainControllerName> /test:knowsofroleholders /v
where <DomainControllerName> is the name of an existing domain controller in the domain in which you want to add the new domain controller. The verbose option provides a detailed list of the operations masters that were tested. Near the bottom of the screen, a message confirms that the test succeeded. If you use the verbose option, look carefully at the bottom part of the displayed output. The test confirmation message appears immediately after the list of operations masters. 3. Type the following command to ensure that the operations masters are functioning properly and available on the network, and then press ENTER:
dcdiag /s:<DomainControllerName> /test:fsmocheck
where <DomainControllerName> is the name of a domain controller in the domain in which you want to add the new domain controller. The verbose option provides a detailed list of the operations masters that were tested as well as other important servers, such as global catalog servers and time servers. Near the bottom of your screen, a message confirms that the test succeeded. If these tests fail, do not attempt any additional steps until you fix the problem that prevents the location of operations masters and you can verify that they are functioning properly.
461
Users or local Administrators are the minimum group memberships required to complete this procedure. Review the details in "Additional considerations" in this topic. To export a certificate with the private key 1. Open the Certificates snap-in for a user, computer, or service. 2. Do one of the following: If you are in Logical Certificate Stores view mode, in the console tree, click Certificates. If you are in Certificate purpose view mode, in the console tree, click Purpose. 3. In the details pane, click the certificate you want to export. 4. On the Action menu, point to All Tasks, and then click Export. 5. In the Certificate Export Wizard, click Yes, export the private key. (This option will appear only if the private key is marked as exportable and you have access to the private key.) 6. Under Export File Format, select one of the available certificate file-format options. Also, do one or all of the following, if available, and then click Next. To include all certificates in the certification path, select the Include all certificates in the certification path if possible check box. To include all extended properties of the certificate, select Export all extended properties. To delete the private key if the export is successful, select the Delete the private key if the export is successful check box. 7. If required, In Password, type a password to encrypt the private key you are exporting. In Confirm password, type the same password again, and then click Next. 8. In File name, type a file name and path for the PKCS #12 file that will store the exported certificate and private key, click Next, and then click Finish. Additional considerations User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions. To open the Certificates snap-in, see Add the Certificates Snap-in to an MMC. Strong protection (also known as iteration count) is enabled by default in the Certificate Export Wizard when you export a certificate with its associated private key. Strong protection is not compatible with older applications. After the Certificate Export Wizard is finished, the certificate will remain in the certificate store in addition to being in the newly-created file. If you want to remove the certificate from the certificate store, you will need to delete it.
462
Removing a Windows Server 2008 domain controller by entering unattended installation parameters at the command line
Removing a Windows Server 2008 domain controller by using the Windows interface
You can use the Active Directory Domain Services Installation Wizard to remove a domain controller from an existing domain. If the domain controller hosts any Active Directory-integrated DNS zones, the wizard removes those zones and by default also attempts to remove the DNS delegations for those zones that point to the domain controller. Administrative credentials To perform this procedure, you must be a member of the Domain Admins group in the domain. To remove a domain controller by using the Windows interface 1. Click Start, click Run, type dcpromo, and then press ENTER. 2. In the Welcome to the Active Directory Domain Services Installation Wizard page, click Next. 3. If the domain controller is a global catalog server, a message appears to warn you about the effect of removing a global catalog server from the environment. Click OK to continue. 4. On the Delete the Domain page, make no selection, and then click Next. 5. If the domain controller has application directory partitions, on the Application Directory Partitions page, view the application directory partitions in the list, and then remove or retain application directory partitions, as follows: If you do not want to retain any application directory partitions that are stored on the domain controller, click Next. If you want to retain an application directory partition that an application has created on the domain controller, use the application that created the partition to remove it, and then click Refresh to update the list. 6. If the Confirm Deletion page appears, select the option to delete all application directory partitions on the domain controller, and then click Next. 7. On the Remove DNS Delegation page, verify that the Delete the DNS delegations 463
pointing to this server check box is selected and then click Next. 8. If necessary, enter administrative credentials for the server that hosts the DNS zones that contain the DNS delegation for this server and then click OK. 9. On the Administrator Password page, type and confirm a secure password for the local Administrator account, and then click Next. 10. On the Summary page, to save the settings that you selected to an answer file that you can use to automate subsequent Active Directory Domain Services (AD DS) operations, click Export settings. Type a name for your answer file, and then click Save. Review your selections, and then click Next to remove AD DS. 11. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish. 12. You can either select the Reboot on completion check box to have the server restart automatically or you can restart the server to complete the AD DS removal when you are prompted to do so.
DNSDelegationPassword=<Password for the DNS server administrative account> 4. Save the answer file to the location on the installation server from which it is to be called by dcpromo, or save the file to a network shared folder or removable media for distribution. 5. The dcpromo command to use an answer file is the same for both removing and installing a domain controller. Use the procedure "To install a new domain controller by using an answer file" to remove the domain controller.
Removing a Windows Server 2008 domain controller by entering unattended installation parameters at the command line
The dcpromo command that you use to enter unattended installation parameters at the command line is the same for both removing and installing a domain controller. Use the procedure "To install a new domain controller by entering unattended installation parameters at the command line" to remove the domain controller, but use unattended installation options that are appropriate for removing a domain controller from an existing domain. For a complete list of parameters for removing AD DS, see Demotion Operationor type dcpromo /?:Demotion at a command line.
Import a Certificate
You should only import certificates obtained from trusted sources. Importing an unreliable certificate could compromise the security of any system component that uses the imported certificate. You can import a certificate into any logical or physical store. In most cases, you will import certificates into the Personal store or the Trusted Root Certification Authorities store, depending on whether the certificate is intended for you or if it is a root CA certificate. Users or local Administrators are the minimum group memberships required to complete this procedure. Review the details in "Additional considerations" in this topic. To import a certificate 1. Open the Certificates snap-in for a user, computer, or service. 2. In the console tree, click the logical store where you want to import the certificate. 3. On the Action menu, point to All Tasks and then click Import to start the Certificate Import Wizard. 4. Type the file name containing the certificate to be imported. (You can also click Browse and navigate to the file.) 5. If it is a PKCS #12 file, do the following: Type the password used to encrypt the private key. (Optional) If you want to be able to use strong private key protection, select the 465
Enable strong private key protection check box. (Optional) If you want to back up or transport your keys at a later time, select the Mark key as exportable check box. 6. Do one of the following: If the certificate should be automatically placed in a certificate store based on the type of certificate, click Automatically select the certificate store based on the type of certificate. If you want to specify where the certificate is stored, select Place all certificates in the following store, click Browse, and choose the certificate store to use. Additional considerations User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions. To open the Certificates snap-in, see Add the Certificates Snap-in to an MMC. Enabling strong private key protection will ensure that you are prompted for a password every time the private key is used. This is useful if you want to make sure that the private key is not used without your knowledge. The file from which you import certificates will remain intact after you have completed importing the certificates. You can use Windows Explorer to delete the file if it is no longer needed.
Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To determine whether a server object has child objects 1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue. 2. In the console tree, expand the Sites container, and then expand the site of the server object. 3. Expand the Servers container, and then expand the server object to view any child objects.
properly decommissioned. If a child object other than NTDS Settings appears below the server object that you want to delete, another application has published the object. You must contact an administrator for the application and determine the appropriate action to remove the child object. 4. Click Yes to confirm your choice.
See Also
Decommissioning a Domain Controller Forcing the Removal of a Domain Controller
Users or local Administrators are the minimum group memberships required to complete this procedure. Review the details in "Additional considerations" in this topic. To add the Certificates snap-in to an MMC for a user account 1. Click Start, click Start Search, type mmc, and then press ENTER. 2. On the File menu, click Add/Remove Snap-in. 3. Under Available snap-ins, double-click Certificates, and then: If you are logged on as an administrator, click My user account, and then click Finish. If you are logged on as a user, Certificates automatically loads. 4. If you have no more snap-ins to add to the console, click OK. 5. To save this console, on the File menu, click Save. Additional considerations User certificates can be managed by the user or by an administrator. Local Administrators is the minimum group memberships required to complete this procedure. Review the details in "Additional considerations" in this topic.
468
To add the Certificates snap-in to an MMC for a computer account 1. Click Start, click Start Search, type mmc, and then press ENTER. 2. On the File menu, click Add/Remove Snap-in. 3. Under Available snap-ins, double-click Certificates 4. Select Computer account and then click Next. 5. Do one of the following: To manage certificates for the local computer, click Local computer, and then click Finish. To manage certificates for a remote computer, click Another computer and type the name of the computer, or click Browse to select the computer name, and then click Finish. 6. If you have no more snap-ins to add to the console, click OK. 7. To save this console, on the File menu, click Save. Additional considerations To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To manage certificates for another computer, you can either create another instance of Certificates in the console, or right-click Certificates (Computer Name), and then click Connect to Another Computer. Local Administrators is the minimum group memberships required to complete this procedure. Review the details in "Additional considerations" in this topic. To add the Certificates snap-in to an MMC for a service 1. Click Start, click Start Search, type mmc, and then press ENTER. 2. On the File menu, click Add/Remove Snap-in. 3. Under Available snap-ins, double-click Certificates 4. Select Service account and then click Next. 5. Do one of the following: To manage certificates for services on your local computer, click Local computer, and then click Next. To manage certificates for service on a remote computer, click Another computer and type the name of the computer, or click Browse to select the computer name, and then click Next. 6. Select the service for which you are managing certificates. 7. Click Finish, and then click Close. 8. If you have no more snap-ins to add to the console, click OK. 469
9. To save this console, on the File menu, click Save. Additional considerations To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. To manage certificates for a service on another computer, you can either create another instance of Certificates in the console, or right-click Certificates - Service (Service Name) on Computer Name, and then click Connect to Another Computer.
cleanup, you do not have the option to select the domain controller to which the roles are transferred. The cleanup application makes the selection automatically. If role transfer fails during metadata cleanup, you must seize the role following the metadata cleanup procedure. For more information about transferring and seizing operations master roles, see Introduction to Administering Operations Master Roles. Task requirements The following is required to perform the procedures for this task: Active Directory Sites and Services Dcpromo.exe Ntdsutil.exe or Active Directory Users and Computers
To complete this task, perform the following procedures: 1. Identify Replication Partners. Use this procedure to identify a domain controller that is a replication partner of the domain controller that you are removing. Identify a replication partner in the same site, if possible. You will connect to this domain controller when you clean up server metadata. 2. Force Domain Controller Removal 3. Clean Up Server Metadata
want to identify to display its NTDS Settings object. 6. Click the NTDS Settings object to display the list of connection objects in the details pane. (These objects represent inbound connections that are used for replication to the server.) The From Server column displays the names of the domain controllers that are source replication partners for the selected server object.
If the domain controller hosts any operations master (also known as flexible single master operations or FSMO) roles or if it is a Domain Name System (DNS) server or a global catalog server, warnings appear that explain how the forced removal will affect the rest of the environment. After you read each warning, click Yes. To suppress the warnings in advance of the removal operation, type /demotefsmo:yes at the command prompt. If you forcefully removal AD DS from a server that hosts an operations master role, you must seize the role after the Dcpromo operation. For information about seizing an operations master role, see Seizing an operations master role. 2. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next. 3. On the Force the Removal of Active Directory Domain Services page, review the 472
information about forcing the removal of AD DS and metadata cleanup requirements, and then click Next. 4. On the Administrator Password page, type and confirm a secure password for the local Administrator account, and then click Next. 5. On the Summary page, review your selections. Click Back to change any selections, if necessary. To save the settings that you selected to an answer file that you can use to automate subsequent AD DS operations, click Export settings. Type a name for your answer file, and then click Save. When you are sure that your selections are accurate, click Next to remove AD DS. 6. You can select Reboot on completion to have the server restart automatically, or you can restart the server to complete the AD DS removal when you are prompted to do so. 7. Perform metadata cleanup, as described in Clean Up Server Metadata.
See Also
Seizing an operations master role
You can also use a script to clean up server metadata on most Windows operating systems. For information about using this script, see Remove Active Directory Domain Controller Metadata (http://go.microsoft.com/fwlink/?LinkID=123599). Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To clean up server metadata by using Active Directory Users and Computers 1. Open Active Directory Users and Computers: On the Start menu, point to Administrative Tools, and then click Active Directory Users and Computers. 2. If you have identified replication partners in preparation for this procedure, and if you are not connected to a replication partner of the removed domain controller whose metadata you are cleaning up, right-click Active Directory Users and Computers <DomainControllerName>, and then click Change Domain Controller. Click the name of the domain controller from which you want to remove the metadata, and then click OK. 3. Expand the domain of the domain controller that you forcibly removed, and then click Domain Controllers. 4. In the details pane, right-click the computer object of the domain controller whose metadata you want to clean up, and then click Delete. 5. In the Active Directory Domain Services dialog box, click Yes to confirm the computer object deletion. 6. In the Deleting Domain Controller dialog box, select This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then click Delete. 7. If the domain controller is a global catalog server, in the Delete Domain Controller dialog box, click Yes to continue with the deletion. 8. If the domain controller currently holds one or more operations master (also known as flexible single master operations or FSMO) roles, click OK to move the role or roles to the domain controller that is shown. You cannot change this domain controller. If you want to move the role to a different domain controller, you must move the role after you complete the server metadata cleanup procedure. To clean up server metadata by using Ntdsutil 1. Open a command prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Enterprise Admins credentials, if required, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER:
ntdsutil
3. At the ntdsutil: prompt, type the following command, and then press ENTER: 474
metadata cleanup
cleanup:
Value
Description
Initiates removal of objects that refer to a decommissioned domain controller. Removes objects for a specified, decommissioned domain controller from a specified server. The distinguished name of the domain controller whose metadata you want to remove, in the form cn=ServerName,cn=Servers,cn=SiteName, cn=Sites,cn=Configuration,dc=ForestRootDomain. If you specify only one server name, the objects are removed from the current domain controller. Specifies removing server metadata on <ServerName2>, the Domain Name System (DNS) name of the domain controller to which you want to connect. If you have identified replication partners in preparation for this procedure, specify a domain controller that is a replication partner of the removed domain controller.
on <ServerName2>
5. In Server Remove Configuration Dialog, review the information and warning, and then click Yes to remove the server object and metadata. At this point, Ntdsutil confirms that the domain controller was removed successfully. If you receive an error message that indicates that the object cannot be found, the domain controller might have been removed earlier. 6. At the metadata
cleanup:
7. To confirm removal of the domain controller: Open Active Directory Users and Computers. In the domain of the removed domain controller, click Domain Controllers. In the details pane, an object for the domain controller that you removed should not appear. Open Active Directory Sites and Services. Navigate to the Servers container and confirm that the server object for the domain controller that you removed does not contain an NTDS Settings object. If no child objects appear below the server object, you can delete the server object. If a child object appears, do not delete the server object because another 475
See Also
Delete a Server Object from a Site
In this guide
Introduction to Administering Active Directory Domain Rename Managing Active Directory Domain Rename Additional Resources for the Domain Rename Operation
476
Important It is extremely important and highly recommended that you test the domain rename operation before you perform it in a production environment. First, perform the domain rename operation that is described in this section in a test environment that has a minimum of two domains. Familiarizing yourself with the specifics of each stage in the domain rename operation in a test environment will provide you with not only a much better understanding of the operation itself but also better prepare you to troubleshoot any issues that may arise during the domain rename operation in a production forest. For more information, see Domain Rename Technical Reference (http://go.microsoft.com/fwlink/? LinkID=122922).
477
Important The Windows Server 2008 domain rename operation is not supported in an Active Directory forest that contains Exchange Server 2003, Exchange Server 2003 SP2, Exchange Server 2007, or Exchange Server 2007 SP1. Note You can use "Checklist: Satisfying Domain Rename Requirements" in Appendix C: Checklists for the Domain Rename Operation to make sure that you have met all the necessary requirements for the domain rename operation.
478
Setting forest functional level to Windows Server 2003 or Windows Server 2008
You can set the forest functional level to Windows Server 2003 if all domain controllers in the forest run either Windows Server 2003 or Windows Server 2008 operating systems. If any domain controller in the forest is still running Windows 2000, you cannot set the forest functional level to Windows Server 2003. You can set the forest functional level to Windows Server 2008 if all domain controllers in the forest run Windows Server 2008 operating system. If any domain controller in the forest is still running Windows Server 2003, you cannot set the forest functional level to Windows Server 2008. For more information, see Understanding AD DS Functional Levels (http://go.microsoft.com/fwlink/? LinkId=124107). To set the forest functional level to Windows Server 2003 or Windows Server 2008 1. Open the Active Directory Domains and Trusts snap-in: click Start, click Administrative Tools, and then click Active Directory Domains and Trusts. 2. In the console tree, right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level. 3. In Select an available forest functional level, do one of the following: To raise the forest functional level to Windows Server 2003, click Windows Server 2003, and then click Raise. To raise the forest functional level to Windows Server 2008, click Windows Server 2008, and then click Raise. Caution Do not raise the forest functional level to Windows Server 2008 if you have, or will have, any domain controllers that are running Windows Server 2003 or earlier. After you raise the forest functional level to Windows Server 2008, you cannot change the level back to Windows Server 2003.
479
480
the hr.sales.cohowinery.com domain so that it becomes a child of the eu.cohowinery.com domain. At the same time, you want to make its child domain, payroll.hr.sales.cohowinery.com, become a direct child of its current parent domain, sales.cohowinery.com. To perform this restructure operation, you first have to create two shortcut trust relationships that will become the parent-child trust relationships for the new forest that follows the restructuring, as shown: A two-way, transitive shortcut trust relationship between the eu.cohowinery.com and hr.sales.cohowinery.com domains, which will create a two-way, transitive parent-child trust relationship between eu.cohowinery.com and hr.eu.cohowinery.com after restructuring A two-way, transitive shortcut trust relationship between the sales.cohowinery.com and payroll.hr.sales.cohowinery.com domains, which will create a two-way, transitive parent-child trust relationship between sales.cohowinery.com and payroll.sales.cohowinery.com after restructuring
482
These shortcut trusts are responsible for maintaining the two-way, transitive trust relationships that are required between the newly renamed domains when the domain rename operation is complete.
Appendix D: Worksheets for the Domain Rename Operation to document all trust relationships that are necessary to preserve full trust relationships between all the domains in the target forest. For information about how to create shortcut trust relationships, see Create a Shortcut Trust (http://go.microsoft.com/fwlink/?LinkId=124112).
484
485
To ensure that network share-based user profiles continue to work after a domain rename operation, user profiles that are located on a domain-based DFSN for a domain that is going to be renamed must be relocated to a stand-alone DFSN (also known as a server-based DFSN). Serverbased DFSNs are not affected by the domain rename operation. For information about how to create roaming user profiles, see Configuring Roaming User Profiles (http://go.microsoft.com/fwlink/?LinkID=122940).
in a renamed domain will remain unchanged. You can rename the domain controllers in a separate step after the domain rename operation is complete by using a special domain controller rename procedure. For more information about how to rename a domain controller, see Renaming a Domain Controller.
487
after the domain rename by verifying that at least one of the two conditions in Conditions for Automatic Computer Name Change is not satisfied.
488
document. The member servers that house software distribution points will change their DNS host name at that step after they are restarted. You can rename member computers one group at a time by using the following sequence of tasks: 1. Estimate the largest number of computers (N) that can be renamed in your environment so that the resulting replication traffic can be sustained by your network without becoming saturated. It is our expectation that 1000 is an acceptable number. 2. Divide the member computers in the domain to be renamed into groups. Each group should contain no more than the number of computers N estimated in step 1, so that the new primary DNS suffix can be applied to one group at a time. Note The "groups" that are specified in this step are purely imaginary entities that represent some collection of computers. There might be no actual object that corresponds to such a group in the domain. For example, the combination of two OUs , or one site, or one site plus an OU, and so on, might be used to form one group, provided that the number of computers in the group does not exceed the number N of computers that is specified in step 1. If existing sites and OUs all contain more computers than the number N that is specified in step 1, you might have to create one or more temporary OUs to group computers so that the new primary DNS suffix can be applied to one group (in this case, one or more OUs ) at a time. As an alternative, you can restrict the scope of application of Group Policy to one group by creating a temporary security group that consists of the group of computers that should receive the policy and by setting security permissions on the Group Policy object (GPO) accordingly using the security group that you just created. 3. Create a staggered schedule that determines when the new primary DNS suffix will be applied to each group of computers that you established in step 2. Ensure that there is sufficient time between two consecutive applications of the Group Policy setting Primary DNS Suffix to two different groups of computers to allow replication to occur. Replication of the updated dnsHostName and servicePrincipalName attributes on computer accounts and replication of the DNS records of the renamed computers must be completed fully during the scheduled gap. 4. Configure the domain that is being renamed to allow member computers of the domain to register the new primary DNS suffix in the dnsHostName attribute of their corresponding computer accounts in AD DS.
To configure the set of DNS suffixes that can be applied to computers in the domain, add a new value (or values) to the msDS-AllowedNDSSuffixes multivalued attribute of the domain object (the domainDns object for the domain) so that the attribute contains a list of DNS suffixes that member computers of the Active Directory domain can have. When you apply the Group Policy setting Primary DNS Suffix, you will specify one of the DNS suffixes that you have added to the msDSAllowedNDSSuffixes attribute. If you apply the Primary DNS suffix Group Policy setting to the computers in the domain to be renamed, we highly recommend that you set the DNS Suffix Search List Group Policy setting and apply it to the computers in the domain being renamed. The DNS Suffix Search List setting should contain the old primary DNS suffix, new primary DNS suffix, and potentially parent suffixes of the old and new primary DNS suffixes. (The latter depends on whether parent name spaces are being used in the organization.) For example, suppose that the old name of a domain was payroll.hr.sales.cohowinery.com (that also corresponds with the old primary DNS suffix). Also, suppose that the new name of the domain is payroll.sales.cohowinery.com (that also corresponds with the new primary DNS suffix). The DNS Suffix Search List should contain the following suffixes: payroll.hr.sales.cohowinery.com payroll.sales.cohowinery.com hr.sales.cohowinery.com sales.cohowinery.com cohowinery.com
Such configuration preserves the ability of users to resolve the DNS names of computers in the domain that is being renamed by specifying first label only of the full DNS names of computers even during the transition period when a users computer and resource server may have different primary DNS suffixes. For the same reason, if computers in another domain were configured with DNS Suffix Search List that contains the old name of a domain being renamed, during the domain rename operation those computers should be reconfigured so that DNS Suffix Search List is updated to contain both the old and new domain names.
Configure the Domain to Allow a Primary DNS Suffix that Does Not Match the Domain Name 490
To check for primary DNS suffix update configuration for a computer using the registry 1. On the Start menu, click Run. 2. In Open, type regedit, and then click OK. Caution Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. 3. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. 4. Verify whether the value of REG_RWORDSyncDomainWithMembership is 0x1. This value indicates that the primary DNS suffix changes when the domain membership changes.
491
To determine whether Group Policy specifies the primary DNS suffix by using the command line 1. To open a command prompt, click Start, click Run, type cmd, and then click OK. 2. At the command prompt, type the following command, and then press ENTER:
gpresult
3. In the output, under Applied Group Policy objects, check to see whether Primary DNS Suffix is listed. Or 4. Type the following command, and then press ENTER:
ipconfig /all
5. Check Primary DNS Suffix in the output. If it does not match the primary DNS suffix that is specified in Control Panel for the computer, the Primary DNS Suffix Group Policy setting is applied.
To determine whether Group Policy specifies the primary DNS suffix by using the registry 1. On the Start menu, click Run. 2. In Open, type regedit and then click OK. 3. Navigate to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsNT\DNSclient. 4. Check for the presence of the entry Primary DNS Suffix. If a value is present, the Primary DNS Suffix Group Policy setting is applied to the computer.
Configure the domain to allow a primary DNS suffix that does not match the domain name
Before you apply Group Policy to set the primary DNS suffix for each renamed domain, create a list of the DNS suffixes that you want to use for each domain. The only primary DNS suffix available to the domain, by default, is the DNS name of the domain itself. To make these different DNS suffixes available to member computers, you must first make the DNS suffixes known to the domains in which you want to use them. You add DNS suffixes to the domain by editing the attribute msDSAllowedDNSSuffixes on the domain object to contain the additional DNS domain names that are available to be used as DNS suffixes for that domain. For you to be able to add a primary DNS suffix that is different from the current DNS domain name, your environment must meet the following requirements: All domain controllers in the domain must be running Windows Server 2003 or Windows Server 2008. For each new DNS suffix that you add, a subdomain by that name must exist in DNS.
492
Caution The same value in the msDS-AllowedDNSSuffixes attribute cannot be used for more than one domain in the forest. This undesired configuration enables a malicious administrator of a computer that is joined to one such domain to set the servicePrincipalName attribute of its computer account to the same value as the Service Principal Name (SPN) of a computer in the other domain that is configured to allow the same DNS suffix. Such a configuration prevents Kerberos authentication against both of these computers. The attribute msDS-AllowedDNSSuffixes is an attribute of the domain object. Therefore, you must set DNS suffixes for each domain whose name is going to change. To use ADSI Edit to add DNS suffixes to msDSAllowedDNSSuffixes 1. Click Start menu, click Administrative Tools, and then click ADSI Edit. 2. Double-click the domain directory partition for the domain that you want to modify. 3. Right-click Domain container object, and then click Properties. 4. On the Attribute Editor tab, in Attributes, double-click the attribute msDSAllowedDNSSuffixes. 5. In the Multi-valued String Editor dialog box, in Value to add, type a DNS suffix, and then click Add. 6. When you have added all the DNS suffixes for the domain, click OK. 7. Click OK to close the Properties dialog box for that domain. 8. In the console tree, right-click ADSI Edit, and then click Connect to. 9. Under Computer, click Select or type a domain or server. 10. Type the name of the next domain for which you want to set the primary DNS suffix, and then click OK. 11. Repeat steps 2 through 7 for that domain. 12. Repeat steps 8 through 10 to select each subsequent domain and repeat steps 2 through 7 to set the primary DNS suffix for each subsequent domain that is being renamed.
Tools, and then click Group Policy Management. 2. In Group Policy Management Editor, right-click the domain or OU that contains the group of computers to which you are applying Group Policy. 3. In Group Policy Objects, right-click the GPO that you want to contain the Primary DNS Suffix setting, and then click Edit. Note To create a new GPO that will contain the Primary DNS Suffix setting, right-click Group Policy Objects, click New, and then type a name for the object. 4. Under Computer Configuration, expand Policies and Administrative Templates, Network, and then click DNS Client. 5. In the results pane, double-click Primary DNS Suffix. 6. Click Enabled, and then in the Enter a primary DNS suffix box, type the DNS suffix for the domain whose member computers are in the group that you selected in step 2. After the Active Directory domain has been renamed and all member computers have had time to restart, you can disable the Group Policy setting that you enabled in step 6 of the previous procedure. Note The steps in the previous procedure result in naming member computers only, not domain controllers. Renaming mission-critical servers, such as domain controllers, requires special preparation that is beyond the scope of this document. For information about how to rename a domain controller, see Renaming a Domain Controller. We strongly recommend that you carefully read this Help documentation and then rename domain controllers in a renamed domain according to the specified recommendations only after the domain rename operation has completed successfully.
operation. Proceed with these steps only if you have considerable expertise in handling Microsoft CAs. If one or more of the following conditions exist at the time of domain rename, CA management is not supported: The CA is configured to have only LDAP URLs for its CDP or AIA. Because the old LDAP extensions would be invalid after the domain rename operation, all the certificates that are issued by the CA are no longer valid. As a workaround, you have to renew the existing CA hierarchy and all issued End Entity certificates. After the domain rename operation, the name constraints might not be valid. As a workaround, you will have to reissue cross-certificates with appropriate name constraints. A Request for Comments (RFC) 822style e-mail name is used in the user account. If the CA (or the certificate template) is configured to include RFC 822-style e-mail names and this name style is used in the certificates that are issued, these certificates will contain an incorrect e-mail name after domain rename operation. Any such Active Directory accounts should be changed before any certificate is issued. As a best practice, the default LDAP and HTTP URLs require no special configuration before the domain rename operation. Before you begin the domain rename operation, ensure that the certificate revocation lists (CRLs) and the CA certificates will not expire soon. If you find that they are close to expiration, complete the following tasks before the domain rename operation: 1. Renew the CA certificates. 2. Issue a new CRL with the appropriate validity period. 3. Wait until both of these previous items have propagated to all client computers. For more information, see Active Directory Certificate Services (http://go.microsoft.com/fwlink/? LinkID=122981).
Exchange Domain Rename Fix-up Tool. As part of the preliminary steps, you must move Exchange off all domain controllers and discontinue Exchange configuration changes.
Task requirements The following is required to perform the procedures for this task: Rendom.exe Repadmin.exe Gpfixup.exe Set Up the Control Station Freeze the Forest Configuration Back Up All Domain Controllers Generate the Current Forest Description Specify the New Forest Description Generate Domain Rename Instructions Push Domain Rename Instructions to All Domain Controllers and Verify DNS Readiness Verify Readiness of Domain Controllers Run Domain Rename Instructions
Exchange-Specific Steps: Update the Exchange Configuration and Restart Exchange Servers Unfreeze the Forest Configuration Re-establish External Trusts 496
497
In particular, verify that the two tools Rendom.exe and Gpfixup.exe have been copied into the working directory on the control station. 3. Install the Support Tools from the Support\Tools folder on the Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, or Windows Server 2003 Datacenter Edition operating system CD. (To install Support Tools, run Suptools.msi in the Support\Tools directory.) In particular, verify that the tools Rendom.exe, Repadmin.exe, Dfsutil.exe, and Gpfixup.exe are installed on the control station. To set up the control station on a Windows Server 2008 member server 1. On a local disk drive of the selected control station computer, create a working directory for the domain rename tools, for example, C:\domren. Note Each time that you use the tools in this procedure, run them from this directory. 2. To obtain the necessary tools for the domain rename operation, install the Remote Server Administration Tools Pack. For more information, see Installing or Removing the Remote Server Administration Tools Pack (http://go.microsoft.com/fwlink/?LinkId=124111). Verify that the tools Rendom.exe, Repadmin.exe, Dfsutil.exe, and Gpfixup.exe are installed on the control station in the %\Windows\System32 directory. 3. Copy Rendom.exe, Repadmin.exe, Dfsutil.exe, and Gpfixup.exe tools from the %\Windows\System32 directory into your working directory as follows:
robocopy %:\Windows\System32 C:\domren rendom.exe repadmin.exe dfsutil.exe gpfixup.exe
Adding attributes to, or removing attributes from, the set of attributes that replicate to the global catalog (the partial attribute set). 498
You can resume these activities after you successfully complete the domain rename operation. For more information see, Unfreeze the Forest Configuration.
499
<NetBiosName></NetBiosName> <DcName></DcName> </Domain> <Domain> <Guid>89cf8ae3-f4a3-453b-ac5c-cb05a76bfa40</Guid> <DNSname>sales.cohovineyard.com</DNSname> <NetBiosName>SALES</NetBiosName> <DcName></DcName> </Domain> <Domain> <!-- PartitionType:Application --> <Guid>f018941b-c899-4601-bfa7-5c017e9d31e7</Guid> <DNSname>ForestDnsZones.cohovineyard.com</DNSname> <NetBiosName></NetBiosName> <DcName></DcName> </Domain> <Domain> <!-- PartitionType:Application --> <Guid>f018941b-c899-4601-bfa7-5c017e9d31f3</Guid> <DNSname>DomainDnsZones.cohovineyard.com</DNSname> <NetBiosName></NetBiosName> <DcName></DcName> </Domain> <Domain> <! - ForestRoot --> <Guid>89cf6b34-d753-32a8-da6b-6a8e04bc48a4</Guid> <DNSname>cohovineyard.com</DNSname> <NetBiosName>COHOVINEYARD</NetBiosName> <DcName></DcName> </Domain> </Forest>
Important The functional level of the forest in which you perform the domain rename operation must be set to Windows Server 2003 or Windows Server 2008. Otherwise, the domain rename tool, Rendom.exe, reports an error and it cannot proceed with further steps. 500
Membership in the Enterprise Admins group in the current forest and the Local Administrators group (or write access to the domain rename C:\domren working directory) on the control station computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. Note You can use credentials other than those credentials with which you are currently logged on. To use alternative credentials, use the /user and /pwd command-line switches of rendom, as described in Appendix A: Command-Line Syntax for the Rendom Tool. To generate the current forest description file 1. On the control station, click Start, click Run, type cmd, and then click OK. 2. At the command prompt, type the following command to change to the working directory, and then press ENTER:
C:\domren
3. To generate the XML-encoded forest description file, at the command prompt, type the following command, and then press ENTER:
rendom /list
4. Save a copy of the current forest description file (Domainlist.xml) that was generated in step 3 as Domainlist-save.xml for future reference by using the following copy command:
copy domainlist.xml domainlist-save.xml
Note The Rendom tool contacts the domain controller that is the current domain naming operations master role owner in the target forest to gather the information that is necessary to generate the forest description file. The command might fail if the domain naming master is unavailable or unreachable from the control station.
Furthermore, pay special attention to the fact that when the DNS name of a parent domain changes, the DNS name of its child domain should also be changed, unless you are deliberately restructuring the child domain into a new domain tree root in the forest. For example, if the root domain cohovineyard.com is renamed to cohowinery.com, the child domain sales.cohovineyard.com should also be renamed to sales.cohowinery.com, unless you want to make the domain sales.cohovineyard.com become the root of a new domain tree. Here is a sample of a forest description Domainlist.xml file before and after you edit it for domain name changes to rename the root domain from cohovineyard.com to cohowinery.com. This name change of the forest root domain also results in a renaming of the child domain from sales.cohovineyard.com to sales.cohowinery.com. Furthermore, assume that the NetBIOS name of the root domain is also being changed from COHOVINEYARD to COHOWINERY. BEFORE editing (root domain name: cohovineyard.com)
<Forest> <Domain> <!- PartitionType:Application --> <Guid>59add6bb-d0e8-499e-82b9-8aaca5d3e18b</Guid> <DNSname>DomainDnsZones.sales.cohovineyard.com</DNSname> <NetBiosName></NetBiosName> <DcName></DcName> </Domain> <Domain> <Guid>89cf8ae3-f4a3-453b-ac5c-cb05a76bfa40</Guid> <DNSname>sales.cohovineyard.com</DNSname> <NetBiosName>SALES</NetBiosName> <DcName></DcName> </Domain> <Domain> <! - PartitionType:Application --> <Guid> f018941b-c899-4601-bfa7-5c017e9d31e7</Guid> <DNSname>ForestDnsZones.cohovineyard.com</DNSname> <NetBiosName></NetBiosName> <DcName></DcName> </Domain> <Domain> <! - PartitionType:Application --> <Guid> f018941b-c899-4601-bfa7-5c017e9d31f3</Guid> <DNSname>DomainDnsZones.cohovineyard.com</DNSname>
502
<NetBiosName></NetBiosName> <DcName></DcName> </Domain> <Domain> <! - ForestRoot --> <Guid>89cf6b34-d753-32a8-da6b-6a8e04bc48a4</Guid> <DNSname>cohovineyard.com</DNSname> <NetBiosName>COHOVINEYARD</NetBiosName> <DcName></DcName> </Domain> </Forest>
503
<! - PartitionType:Application --> <Guid> f018941b-c899-4601-bfa7-5c017e9d31f3</Guid> <DNSname>DomainDnsZones.cohowinery.com</DNSname> <NetBiosName></NetBiosName> <DcName></DcName> </Domain> <Domain> <! - ForestRoot --> <Guid>89cf6b34-d753-32a8-da6b-6a8e04bc48a4</Guid> <DNSname>cohowinery.com</DNSname> <NetBiosName>COHOWINERY</NetBiosName> <DcName></DcName> </Domain> </Forest>
Note The current forest description must be available as the XML-encoded file Domainlist.xml that can be modified. Membership in the Local Administrators group (or write access to the domain rename C:\domren working directory) on the control station computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To edit the Domainlist.xml file 1. Use a simple text editor, such as Notepad.exe, to open the current forest description file Domainlist.xml that you created in Generate the Current Forest Description. 2. Edit the forest description file, replacing the current DNS or NetBIOS names of the domains and application directory partitions to be renamed with the planned new DNS or NetBIOS names. Note It is not necessary to change the NetBIOS name of a domain when its DNS name changes.
504
These directory partitions store DNS zone data. By default, application directory partitions can be used to store DNS zone data and Microsoft Telephony Application Programming Interface (TAPI) data in Active Directory Domain Services (AD DS). Other applications must be programmed to create and use application directory partitions in AD DS. Application directory partitions can exist anywhere in the domain hierarchy where a domain directory partition can exist, except for the forest root or tree root domain positions. However, when you rename a domain, an application directory partition that occurs below the renamed domain in the domain tree is not renamed automatically. You must take care to edit the names of application directory partitions if they occur below a renamed domain in the hierarchy.
DNS data
If you have Active Directoryintegrated DNS that is running on a domain controller, the DNS server might have created one or more application directory partitions to store data for DNS zones. There is one DNS-specific application directory partition dedicated for each domain (named DomainDnsZones.<domain DNS name>, where <domain DNS name> is the name of the domain), and another DNS-specific application directory partition dedicated for the entire forest (named ForestDnsZones.<forest DNS name>, where <forest DNS name> is the name of the forest root domain). Important When an Active Directory forest root domain or other domain is renamed, the corresponding DNS-specific application directory partition must be renamed. If the DNSspecific application directory partition is not renamed, new DNS servers that are added to the network will not automatically load the DNS zones that are stored in the DNS-specific application directory partition, and therefore they will not function correctly. As you can see from the contents of the sample Domainlist.xml file before and after editing, the following three DNS-specific application directory partitions in the original forest
DomainDnsZones.sales.cohovineyard.com DomainDnsZones.cohovineyard.com ForestDnsZones.cohovineyard.com
are renamed to
DomainDnsZones.sales.cohowinery.com DomainDnsZones.cohowinery.com ForestDnsZones.cohowinery.com
in the new forest as a result of the domain name sales.cohovineyard.com that is being changed to sales.cohowinery.com and the forest root domain name cohovineyard.com being changed to cohowinery.com, respectively.
505
TAPI data
If you have a Microsoft TAPI dynamic directory for a domain that is hosted by AD DS, you may have created one or more application directory partitions (one for each domain) to store TAPI application data. There is one TAPI-specific application directory partition configured for each domain. When you rename an Active Directory domain, the corresponding TAPI-specific application directory partition is not renamed automatically. We recommend that you rename a TAPI-specific application directory partition when its corresponding domain name is changed. To rename application directory partitions 1. Examine the forest description file to determine if any application directory partitions in the forest must be renamed as a result of the domain DNS name changes that are being specified. 2. Consult the documentation for the application that created the application directory partition to see if the directory partition should be renamed. Any DNS name changes for application directory partitions must also be specified in the forest description file Domainlist.xml, along with the domain directory partition name changes.
506
To review the new forest description in Domainlist.xml 1. Click Start, click Run, type cmd, and then click OK. 2. At the command prompt, type the following command, and then press ENTER:
rendom /showforest
This command simply displays the contents of the Domainlist.xml file in a format that is easier to read and in which you can better see the forest structure. Use this command each time that you make any changes to the Domainlist.xml file to verify that the forest structure looks as you intended. Note It is essential at this step to specify an accurate forest description that reflects the desired changes to the forest structure, because any error at this stage will result in an unintended forest structure when the domain rename operation is complete. If your target structure is not what you intended, you must perform the entire domain rename procedure again. Note To gather the information that is necessary to process the /showforest command-line option, Rendom.exe contacts the domain controller that is the current domain naming master in the target forest. The command might fail if the domain naming master is unavailable or unreachable from the control station.
507
<DC> <Name>DC1.cohovineyard.com</Name> <State>Initial</State> <LastError>0</LastError> <Password /> <LastErrorMsg /> <FatalErrorMsg /> <Retry></Retry> </DC> <DC> <Name>DC2.cohovineyard.com</Name> <State>Initial</State> <LastError>0</LastError> <Password /> <LastErrorMsg /> <FatalErrorMsg /> <Retry></Retry> </DC> <DC> <Name>DC3.sales.cohovineyard.com</Name> <State>Initial</State> <LastError>0</LastError> <Password /> <LastErrorMsg /> <FatalErrorMsg /> <Retry></Retry> </DC> <DC> <Name>DC4.sales.cohovineyard.com</Name> <State>Initial</State>
508
<LastError>0</LastError> <Password /> <LastErrorMsg /> <FatalErrorMsg /> <Retry></Retry> </DC> </DcList>
Notice that there is an entry for every domain controller in the forest in the Dclist.xml state file, and the state of each domain controller entry (the field that is bounded by the <State></State> tags) is set to Initial at this step. This state will change independently for each domain controller as it progresses through the rest of the domain rename operation. Ensure that the following conditions are in effect before you generate domain rename instructions: The source domain controller must be available and reachable. Rendom contacts one arbitrarily chosen domain controller in each domain (or the domain controller that is designated for each domain in the <DCname></DCname> field in the Domainlist.xml file) to gather the information that is necessary to generate the domain rename instructions. The command might fail if a designated domain controller in a domain is unavailable or unreachable from the control station (or if a designated domain controller was not specified, if no domain controller in a domain is reachable from the control station). The domain naming master must be available and reachable. Rendom writes the domain rename instructions to the Partitions container in the Configuration directory partition on the domain naming master, and Rendom gathers the information that is necessary to generate the state file Dclist.xml. The command might fail if the domain naming master is unavailable or unreachable from the control station. Membership in the Enterprise Admins group in the target forest (with a write access to the Partitions container object and the cross-reference objects that are its children in the configuration directory partition) and the Local Administrators group (or a write access to the domain rename C:\domren working directory) on the control station computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. Note You can use credentials other than the credentials with which you are currently logged on. To use alternative credentials, use the /user and /pwd command-line switches of rendom, as described in Appendix A: Command-Line Syntax for the Rendom Tool. To generate the domain rename instructions and upload them to the domain naming master 1. On the control station, click Start, click Run, type cmd, and then click OK. 2. At the command prompt, type the following to change to the working directory, and then press ENTER: 509
C:\domren
3. From within the working directory, type the following command, and then press ENTER:
rendom /upload
4. Verify that the state file Dclist.xml is created in the working directory and that it contains an entry for every domain controller in your forest.
Push Domain Rename Instructions to All Domain Controllers and Verify DNS Readiness
You can use this procedure to push domain rename instructions to all domain controllers and verify Domain Name System (DNS) readiness. In this procedure, you force Active Directory replication to push the domain rename instructions that were uploaded to the domain naming operations master in Generate Domain Rename Instructions to all domain controllers in the forest. In addition, you verify that the domain controller Locator (DC Locator) records that are registered in DNS by each domain controller for the new domain names have replicated to all DNS servers that are authoritative for those records.
To force synchronization of changes made on the domain naming master to all domain controllers in the forest 1. On the control station, click Start, click Run, type cmd, and then click OK. 2. At the command prompt, type the following command, and then press ENTER:
repadmin /syncall /d /e /P /q DomainNamingMaster
Note The repadmin command-line options are case sensitive. Note If read-only domain controllers (RODCs) are included in your domain, run this command one more time to ensure that the RODC new servicePrincipalName attribute is replicated to all the domain controllers in the forest.
Parameter Description
/syncall /d /e /P /q DomainNamingMaster
Synchronizes a specified domain controller with all replication partners. Identifies servers by distinguished name in messages. Enterprise, cross sites. Pushes changes outward from the home server. Quiet mode; suppresses callback messages. Specifies the DNS host name of the domain controller that is the current domain naming master for the forest.
If you do not know the DNS host name of the domain naming master, you can use the Dsquery.exe tool to discover it. Membership in the Enterprise Admins group in the target forest, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To discover the DNS host name of the domain naming master 1. On the control station, click Start, click Run, type cmd, and then click OK. 2. At the command prompt, type the following command, and then press ENTER:
Dsquery server -hasfsmo name
Parameter
Description
Parameter
Description
Domain Services (AD DS) that holds the specified operations master (also known as flexible single master operations (FSMO)) role. name Specifies the Active Directory domain controller name.
SRV
_ldap._tcp.pdc._msdcs.DnsDomainName
SRV
_ldap._tcp.gc._msdcs.DnsForestName
This record ensures that authentication of users and computers is functioning. For example, one DNS server might contain a record of this type that is registered by one gobal catalog, while other DNS servers might contain the records of this type that are registered by other global catalogss. It is sufficient, temporarily, if there is at least one record of this type that is present on all authoritative DNS servers. The other records will eventually replicate to all authoritative DNS servers. SRV _ldap._tcp.dc._msdcs.DnsDomainName There must be at least one resource record pertaining to at least one domain controller on all authoritative DNS servers. This record ensures that authentication of users and computers is functioning. For example, one DNS server might contain a resource record of this type that is registered by one domain controller, while other DNS servers might contain the records of this type that are registered by other domain controllers. It is sufficient, temporarily, if there is at least one record of this type present on all authoritative DNS servers. The other records will eventually replicate to all authoritative DNS servers. 513
Note The word "must" in the context of this table means do notunder any circumstances proceed with domain rename unless this requirement is fulfilled. The following two resource records are also required for authentication: KDC: A service (SRV) resource record that is owned by _kerberos._tcp.dc._msdcs.DnsDomainName. GcIpAddress: A host (A) resource record that is owned by _gc._msdcs.DnsForestName. However, because these resource records are closely linked with the global catalog and the domain controller service (SRV) resource records that are described in the table, it is sufficient to confirm the presence of the global catalog and the domain controller service (SRV) resource records to assume that these two records have also been prepublished. You can use the DcDiag.exe tool to confirm that the correct service (SRV) resource records that DC Locator uses have been registered in DNS. Membership in the Enterprise Admins group in the target forest, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To verify DNS records readiness 1. On the control station, click Start, click Run, type cmd, and then click OK. 2. At the command prompt, type the following command, and then press ENTER:
Dcdiag /test:DNS /DnsRecordRegistration /s:domaincontroller
For more information about dcdiag syntax and parameters, see Dcdiag Syntax (http://go.microsoft.com/fwlink/?LinkID=123103).
514
Important All domain controllers must be in the Prepared state before domain rename instructions can be run. Ensure that the following conditions are in effect before you use Rendom.exe to verify that your domain controllers are ready for the domain rename operation: The preparatory changes that are made to the Partitions container of the forests domain naming operations master during the generation of domain rename instructions must have replicated to every domain controller in the forest. This status is checked for and enforced by Rendom.exe during this step. Service (SRV) resource records, which are required for domain controller location of the renamed domains, must be registered in Domain Name System (DNS) and they must have replicated to all DNS servers. Membership in the Enterprise Admins group in the target forest (with write access to the Partitions container object and the cross-reference objects that are its children in the configuration directory partition) and the Local Administrators group (or write access to the domain rename C:\domren working directory) on the control station computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. Note You can use credentials other than the credentials with which you are currently logged on. To use alternative credentials, use the /user and /pwd command-line switches of rendom, as described in Appendix A: Command-Line Syntax for the Rendom Tool. To verify the readiness of domain controllers in the forest 1. On the control station, click Start, click Run, type cmd, and then click OK. 2. At the command prompt, type the following command to change to the working directory, and then press ENTER:
C:\domren
3. From within the working directory, type the following command, and then press ENTER:
rendom /prepare
4. After the command finishes, examine the state file Dclist.xml to determine whether all domain controllers achieved the Prepared state. If not, repeat step 2 in this procedure until all domain controllers achieve the Prepared state. Note Each time that it runs, the Rendom tool consults the Dclist.xml state file and, it does not connect to and verify the domain controllers that are already in the Prepared state. Therefore, no redundant operations are performed when you run this command repeatedly.
515
In a large forest with a large number of domain controllers, it is very likely that all domain controllers cannot be reached from the control station at the same time. In other words, it is not likely that all domain controllers that are tracked by the state file Dclist.xml will reach the Prepared state in a single running of the rendom /prepare command. Therefore, multiple invocations of this command might be necessary to make incremental progress with groups of domain controllers that reach the Prepared state at the same time. If you determine thatfor any reasonit is impossible to make any further progress with a specific domain controller, you can remove the entry for that domain controller (bounded by the <DC></DC> tags) from the Dclist.xml file by simply editing the state file with a text editor. Remember that, when a domain controller is removed in this manner from participating in the domain rename procedure, it must be retired (that is, Active Directory Domain Services (AD DS) must be removed from domain controller) in the new forest after the domain rename operation is complete. Note Make sure that you save a copy of the state file Dclist.xml every time before you edit by using a text editor. This makes an easy fallback and recovery possible in case you make an error in editing the file. As Rendom.exe executes the various command-line options, the command execution log is cumulatively captured in a log file named Rendom.log (the default name) in the current working directory (C:\domren). When execution of a Rendom.exe command fails, examination of this log file can yield valuable information about the actual tasks that the tool performed, and at what stage or on which domain controller a problem occurred.
the Error state, the error code is written to the last error field <LastError></LastError> and a corresponding error message is written to the <FatalErrorMsg></FatalErrorMsg> field. The rendom command must be repeated until all domain controllers have either successfully executed the domain rename or you have established that one or more domain controllers are unreachable and will be removed from the forest. Important This step will cause a temporary disruption in service while the domain controllers are running the domain rename instructions and restarting after they run the instructions successfully. The Active Directory Domain Services (AD DS) service in the forest has not been disrupted up to this point in the domain rename operation. Important All domain controllers in the forest must be in the Prepared state, as indicated by the state field (<State>Prepared</State>) in the state file Dclist.xml. This state is checked for and enforced by rendom at this step. Membership in the Enterprise Admins group in the target forest (with write access to the Partitions container object and the cross-reference objects that are its children in the configuration directory partition) and the Local Administrators group (or write access to the domain rename C:\domren working directory) on the control station computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. Note You can use credentials other than the credentials with which you are currently logged on. To use alternative credentials, use the /user and /pwd command-line switches of rendom, as described in Appendix A: Command-Line Syntax for the Rendom Tool. To run the domain rename instructions on all domain controllers 1. On the control station, click Start, click Run, type cmd, and then click OK. 2. At the command prompt, type the following command to change to the working directory, and then press ENTER:
C:\domren
3. From within the working directory, type the following command, and then press ENTER:
rendom /execute
4. When the command has finished running, examine the state file Dclist.xml to determine whether all domain controllers have reached either the Done state or the Error state. 5. If the Dclist.xml file shows any domain controllers as remaining in the Prepared state, repeat step 2 in this procedure as many times as necessary until the stopping criterion is met. 517
Important The stopping criterion for the domain rename operation is that every domain controller in the forest has reached one of the two final states of Done or Error in the Dclist.xml state file. Note Each time that you run it, the rendom /execute command consults the Dclist.xml state file and skips connecting to the domain controllers that are already in the Done or Error state. Therefore, no redundant operations are performed if you repeatedly attempt this command. If you determine that an error that has caused a domain controller to reach the Error state in the Cclist.xml file is actually a recoverable error and you think that progress can be made on that domain controller by trying to run the domain rename instructions again, you can force the rendom /execute command to run again by issuing the RPC to that domain controller (instead of skipping it) as described in the following procedure. To force rendom /execute to reissue the RPC to a domain controller in the Error state 1. On the control station, navigate to the working directory C:\domren, and using a simple text editor, such as Notepad.exe, open the Dclist.xml file. 2. In the Dclist.xml file, locate the <Retry></Retry> field in the domain controller entry for the domain controller that you think should be reissued the RPC, and then edit the Dclist.xml file so that the field reads <Retry>yes</Retry> for that entry. 3. On the control station, click Start, click Run, type cmd, and then click OK. 4. At the command prompt, type the following command to change to the working directory, and then press ENTER:
C:\domren
5. From within the working directory, type the following command, and then press ENTER:
rendom /execute
Running the rendom /execute command reissues the execute-specific RPC to that domain controller. When all the domain controllers are in either the Done or Error state (there should be no domain controller in the Prepared state), declaring the execution of the domain rename instructions to be complete is at your discretion. You can continue to retry execution attempts on domain controllers that are in the Error state if you think that they will eventually succeed. However, when you declare that the execution of the domain rename instructions is: Complete, and you will not retry the rendom /execute command, you must remove AD DS from all domain controllers that are still in the Error state. For detailed step-by-step instructions to remove the AD DS server role, see the Step-by-Step Guide for Windows Server 2008 Active Directory Domain Services Installation and Removal (http://go.microsoft.com/fwlink/?LinkID=86716). 518
Note The Domain Name System (DNS) host names of the domain controllers in the renamed domains do not change automatically as a result of the domain rename operation. In other words, the DNS suffix in the fully qualified DNS host name of a domain controller in the renamed domain will continue to reflect the old domain name. You can use a special domain controller rename procedure, which you run as a separate post-domain-rename task, to change the DNS host name of a domain controller so that it conforms to the DNS name of the domain to which it is joined. For information about renaming domain controllers, see Renaming a Domain Controller.
Exchange-Specific Steps: Update the Exchange Configuration and Restart Exchange Servers
You can use this procedure to update the Exchange configuration and restart Exchange servers for a domain rename operation. If the domain contains servers running Microsoft Exchange Server 2003 Service Pack 1 (SP1), before you continue with step 9, run the Exchange Domain Rename Fix-up Tool (XDR-fixup). Then, restart all the servers running Exchange twice. For more information, see Microsoft Exchange Server Domain Rename Fixup (XDR-Fixup) (http://go.microsoft.com/fwlink/?LinkID=123144). Important The Windows Server 2008 domain rename operation is not supported in an Active Directory forest that contains Exchange Server 2003, Exchange Server 2003 Service Pack 2 (SP2), Exchange Server 2007, or Exchange Server 2007 SP1.
519
Important All the procedures in Run Domain Rename Instructions, including the automatic domain controller restart, must have been completed on all domain controllers in the renamed domains. Membership in the Enterprise Admins group in the target forest (with write access to the Partitions container object) is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. Note You can use credentials other than the credentials with which you are currently logged on. To use alternative credentials, use the /user and /pwd command-line switches of Rendom, as described in Appendix A: Command-Line Syntax for the Rendom Tool. To unfreeze the forest configuration 1. Restart the control station computer twice to ensure that all services that are running on it learn of the new name (Domain Name System (DNS) name or NetBIOS name) of the domain of which the control station is a member. Do not restart the control station by turning its power off and then back on. 2. On the control station, click Start, click Run, type cmd, and then click OK. 3. At the command prompt, type the following command to change to the working directory, and then press ENTER:
C:\domren
4. From within the working directory, type the following command, and then press ENTER:
rendom /end
The rendom /end command connects to the domain controller that holds the domain naming operations master role and removes the attribute msDS-UpdateScript on the Partitions container.
520
Any interforest trust relationship that is established at the forest root level (a trust across forests). Any external trust relationship with a domain in another forest. All external trusts from or to the forest in which the domain rename operation occurred must be deleted and recreated. You can use the Active Directory Domains and Trusts Microsoft Management Console (MMC) snap-in to delete and recreate all such trust relationships. For more information, see Administering Domain and Forest Trusts.
important and necessary for the Software Installation and Maintenance data fix-up to work correctly. Membership in the Enterprise Admins group in the target forest is the minimum required to complete these procedures. The access check that you perform in this procedure requires that you have write access to the gpLink attribute on the site, domain, and organizational unit (OU) objects, as well as write access to the GPOs themselves. Note You can use credentials other than the credentials with which you are currently logged on. To use alternative credentials, use the /user and /pwd command-line switches of gpfixup, as described in Appendix B: Command-Line Syntax for the Gpfixup Tool. To fix up GPOs and GPO references 1. On the control station, click Start, click Run, type cmd, and then click OK. 2. At the command prompt, type the following command to change to the working directory, and then press ENTER:
C:\domren
3. From within the working directory, type the following command, and then press ENTER. The entire command must be typed on a single line, although it is shown on multiple lines for clarity.
gpfixup /olddns:OldDomainDnsName /newdns:NewDomainDNSName /oldnb:OldDomainNetBIOSName /newnb:NewDomainNetBIOSName /dc:DcDnsName 2>&1 >gpfixup.log
Note The command-line parameters /oldnb and /newnb are required only if the NetBIOS name of the domain changed. Otherwise, you can omit these parameters from the command line for Gpfixup. The output of the commandboth status or error outputis saved to the file Gpfixup.log, which you can display periodically to monitor the progress of the command. 4. To force replication of the Group Policy fix-up changes that are made at the domain controller that is named in DcDNSName in step 3 of this procedure to the rest of the domain controllers in the renamed domain, type the following command, and then press ENTER:
repadmin /syncall /d /e /P /q DcDnsName NewDomainDN
Where: DcDnsName is the Domain Name System (DNS) host name of the domain controller that was targeted by the gpfixup command.
NewDomainDN
is the distinguished name that corresponds to the new DNS name of 522
the renamed domain. 5. Repeat steps 2 and 3 in this procedure for every renamed domain. You can enter the commands in sequence for each renamed domain. For example, using the sample forest and domain name changes in Specify the New Forest Description, you run the gpfixup command twiceonce for the renamed cohovineyard.com domain and once for the sales.cohovineyard.com domain, as indicated in the following example:
gpfixup /olddns:cohovineyard.com /oldnb:cohovineyard /newdns:cohowinery.com
/dc:dc1.cohovineyard.com
2>&1 >gpfixup2.log
Important Run the gpfixup command only once for each renamed domain. Do not run it for renamed application directory partitions. Note The DNS host names for the domain controllers in the renamed domains that are used in these command invocations still reflect the old DNS name for the domain. As mentioned earlier, the DNS host name of a domain controller in a renamed domain does not change automatically as a result of the domain name change.
Parameter Description
gpfixup
Fixes domain name dependencies in Group Policy objects and Group Policy links after a domain rename operation. Specifies the old DNS name of the renamed domain. Specifies the new DNS name of the renamed domain. Specifies the old NETBIOS name of the renamed domain. Specifies the new NETBIOS name of the renamed domain. Contains status or error output of the command. 523
Parameter
Description
Exchange-Specific Steps: Verify the Exchange Rename and Update Active Directory Connector Perform Attribute Cleanup Rename Domain Controllers
Preparing URLs for CRL distribution point and Authority Information Access (AIA) extensions after a domain rename
To ensure that the old certificates function properly after a domain rename operation, make an alias (CNAME) resource record Domain Name System (DNS) entry that redirects the old Hypertext Transfer Protocol (HTTP) server (that services the Certificate Revocation List (CRL) of the certification authority (CA)) name query to the new DNS name for the server. This redirection 524
causes the HTTP URLs in the old certificates to be valid. Client computers can then obtain CRLs and CA certificates for verification. Note You can remove the alias (CNAME) resource record after you know that the existing certificates have been renewed. Note If you only have Lightweight Directory Access Protocol (LDAP) URLs in the certificates, all the previously issued certificates will no longer be validated. The only workaround for correcting the LDAP CRL distribution point and AIA pointers is to renew the entire CA hierarchy and reissue the End Entity certificates. Expect public key infrastructure (PKI) downtime until these issues are resolved. Membership in Account Operators, Domain Admins, or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To configure the redirecting alias DNS entry 1. Open the DNS Manager snap-in. To open DNS Manager, click Start, click Administrative Tools, and then click DNS. 2. In the console tree, expand the DNS server node, and locate the old DNS zone. 3. Right-click the old DNS zone, and then click New Alias (CNAME). 4. In Alias name, type the original fully qualified domain name (FQDN) of the HTTP server. 5. In Fully qualified domain name for target host, type the new FQDN of the HTTP server, and then click OK. At this point you can test the redirection by pinging the FQDN of the old HTTP server. The ping should be remapped to the new FQDN of the HTTP server.
Note This behavior implies that if you want to continue using implicit UPNs for user accounts, you must reissue all existing authentication certificates after the DNS name of a domain has changed and before you perform the attribute cleanup procedures. Explicit UPN: If a user account in AD DS has an explicitly assigned value for its UPN attribute, it is said to have an explicit UPN that can be used for authentication purposes. When the DNS name of a domain changes as a result of the domain rename operation, the explicit UPNs of user accounts in the domain are not affected. Therefore, if you are using explicit UPNs for user accounts, no maintenance is necessary after the domain rename operation.
Note You must perform this procedure for all the CAs in your domain. Also note that the container name depends on your domain configuration. You must also change the registry on the CA computer to reflect the new DNS name for the CA computer. Caution Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. Membership in Account Operators, Domain Admins, or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To update the DNS name of the CA computer 1. On the CA computer, click Start, click Run, type regedit to open the Registry Editor, and then locate the entry CAServerName under 526
HKLM\System\CurrentControlSet\CertSvc\Configuration\YourCAName. 2. Change the value in CAServerName to correspond to the new DNS host name. To enable proper Web enrollment for the user, you must also update the file that is used by the Active Server Pages (ASPs) for Web enrollment. The following change must be made on all the CA computers in your domain. Membership in Account Operators, Domain Admins, or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. To update the Web enrollment file 1. On the CA computer, search for the Certdat.inc file. If you have used default installation settings, this file should be located in %windir%\system32\certsrv directory. 2. Open the file, which appears as follows:
<%' CODEPAGE=65001 'UTF-8%> <%' certdat.inc - (CERT)srv web - global (DAT)a ' Copyright (C) Microsoft Corporation, 1998 - 1999 %> <%' default values for the certificate request sDefaultCompany="" sDefaultOrgUnit="" sDefaultLocality="" sDefaultState="" sDefaultCountry=""
3. Change the SServerConfig entry so that it has the NewDNSName of the CA computer. If the CA was installed with the shared folder option (which is available only if the server was upgraded to Windows Server 2008from Windows Server 2003), the file Certsrv.txt (under the shared folder) should be edited to reflect the new DNS name of the CA computer. Save a copy of this file before you edit it, open the file by using Notepad.exe, make the change to the DNS name of the CA computer, and then save the file.
527
If you have a Web proxy computer (for CA Web pages) whose DNS host name changed as a result of the domain rename operation, you have to make changes to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration Under this key there is a value named WebClientCAMachine that holds the DNS name of the CA computer. Change this value to correspond to the new DNS name. To update the Netscape revocation check mechanism On all computers where Web pages for the CA reside (for example, on the Web proxy and the CA computers) there is a file named nsrev_CANAME.asp that contains the DNS host name of the CA computer that is used by the Netscape revocation checking mechanism. Search for this file, and change the DNS host name of the CA computer that is embedded in the file. If you have used the default installations settings, this file will be in the folder %Windir %\system32\certsrv\certenroll and its content looks like the following.
<% Response.ContentType = "application/x-netscape-revocation" serialnumber = Request.QueryString set Admin = Server.CreateObject("CertificateAuthority.Admin") stat = Admin.IsValidCertificate("CAMachineDnsHostname\CANAME", serialnumber) if stat = 3 then Response.Write("0") else Response.Write("1") end if %>
Open this file with Notepad.exe, and change CAMachineDnsHostName to correspond to the new DNS host name.
extensions, as follows: a. Flexible extensions have the following format: http://<ServerDNSName>/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed >.crl b. Hard-coded extensions have the following format: http://mydnsname.mycompanyname.com/certenroll/<CAName><CRLNameSuffix><De ltaCRLAllowed>.crl 4. If the CRL distribution point and AIA extensions are flexible, you do not have to change the extensions. 5. If the CRL distribution point and AIA extensions are not flexible, change the extension URLs to reflect the new DNS name of the CA computer. 6. Repeat this procedure for every CA computer in the domain.
529
530
Then, publish a service connection point for the new application directory partition name mstapi.cohowinery.com by running the following command from a command prompt on the control station:
tapicfg publishscp /directory:mstapi.cohowinery.com /domain:cohowinery.com /forcedefault
A Digest authentication mechanism uses the DNS domain name as the realm, which is then used to precompute the Digest user password hash that is stored in AD DS. If you are using Digest authentication in a domain that was renamed by the domain rename operation, a user in that domain will not be able to use Digest authentication until the user password is changed. If you are using Digest authentication in a domain that is renamed, you must do something to cause a password reset to occur. For example, you could do the following: After you complete all the procedures in Run Domain Rename Instructions, (the domain rename instructions have all been followed and domain controllers have restarted in a renamed domain), expire all user passwords by changing domain password policy in the renamed domain. Send out e-mail that warns users that they must change their passwords immediately after they reboot their computers twice (as described in Restart Member Computers). Users change their passwords by pressing Ctrl+Alt+Del. Remove any redundant interdomain trusts within your forest. If you performed a forest restructure operation in which the existing domains were rearranged into a different tree structure, you would have created the necessary shortcut trusts to preserve complete trust between all the domains in your new forest, as described in "Pre-Creating Parent-Child Trust Relationships for a Restructured Forest" in Create Necessary Shortcut Trust Relationships. This type of a restructure can result in one or more parent-child or tree-root trust relationships remaining in your forest that reflect the old domain structure and are no longer required. Although their presence does no harm, you can use the Active Directory Domains and Trusts snap-in to remove these redundant trust relationships after the domain rename operation is complete. For more information, see Active Directory Domains and Trusts (http://go.microsoft.com/fwlink/?LinkId=124088). Fix Start menu shortcuts for Domain Security Policy and Domain Controller Security Policy Microsoft Management Console (MMC) snap-ins.
1. Click Start, click Programs, and then click Administrative Tools. 2. Right-click Domain Security Policy, and then click Properties. 3. Modify the Target field to replace the old distinguished name of the domain that appears as part of the /gpobject: parameter with the new distinguished name of the domain. 4. Click OK. Note 531
For example, if you renamed the domain cohovineyard.com to cohowinery.com, the /gpobject: parameter will have to be changed from /gpobject:"LDAP://CN={31B2F340-016D-11D2-945F00C04FB984F9},CN=Policies,CN=System,DC=cohovineyard,DC=com" to /gpobject:"LDAP://CN={31B2F340-016D-11D2-945F00C04FB984F9},CN=Policies,CN=System,DC=cohowinery,DC=com". 5. To fix the Domain Controller Security Policy snap-in shortcut, follow steps 1 through 4 above, but select Domain Controller Security Policy in step 2. Note For example, if you renamed the domain msn.com to msnzone.com, the /gpobject: parameter will have to be changed from /gpobject:"LDAP://CN= {6AC1786C-016F-11D2-945F00C04fB984F9},CN=Policies,CN=System,DC=cohovineyard,DC=com" to /gpobject:"LDAP://CN= {6AC1786C-016F-11D2-945F00C04fB984F9},CN=Policies,CN=System,DC=cohowinery,DC=com". Remove the Group Policy to set primary DNS suffix of member computers in renamed domains. If you followed the recommendations to avoid excess replication due to member computers being renamed in a large domain, as described in "Configuring Member Computers for Host Name Changes in Large Deployments" in Configure Member Computers for Host Name Changes, you might have configured and applied a Group Policy setting Primary DNS Suffix to member computers in your renamed domains. Because the intended purpose of this Group Policy setting has now been served, it can be removed. To remove this Group Policy setting, follow steps 1 through 5 of the procedure "Apply Group Policy to Set the Primary DNS Suffix" in Configure Member Computers for Host Name Changes, click Disabled, and then click OK. Remove DNS zones that are no longer needed. As a result of the domain DNS name changes that occurred during the domain rename operation, some of the DNS zones in your DNS infrastructure might no longer be necessary. For example, if there was a DNS zone with a name that matched the old DNS name of a renamed domain, there might be no more DNS resource records (service (SRV), host (A), and pointer (PTR) resource records) with the old domain suffix that have to be registered with DNS. In this case, you can remove these DNS zones that are no longer necessary.
Perform a full system state backup of all domain controllers in the forest so that you have a recoverable backup state. For more information, see the Step-by-Step Guide for Windows Server 2008 Active Directory Domain Services Backup and Recovery (http://go.microsoft.com/fwlink/?LinkId=93077). Back up GPOs If you use Group Policy, consider installing the Group Policy Management Console (GPMC). For more information, see GPMC (http://go.microsoft.com/fwlink/?LinkID=123307). GPMC makes Group Policy easier to use, and it adds functional improvements such as the ability to back up GPOs independently of the rest of Active Directory Domain Services (AD DS). GPOs that you back up with GPMC before the domain rename operation cannot be restored after domain rename. Therefore, we recommend that after a domain rename operation, you use GPMC to back up all the GPOs again. Note Saved GPMCs for a domain will no longer work after you rename a domain. If you want to use saved GPMCs, you have to re-create them after the domain rename operation.
Windows Server 2008 in the renamed domains in your forest. When you restart these computers twice, this ensures that each member computer learns of the domain name changes and propagates the changes to all applications and services that are running on the member computer. Note Each computer must be restarted by logging into the computer and by using the Shutdown/Restart administrative option. Computers must not be restarted by turning off the computers power and then turning it back on. Note Member computers on a wired local area network (LAN) can simply be restarted twice. Member computers on a wireless LAN should be connected to a wired network while you perform the two required restarts. If that is not possible, eject the wireless network card and then reinsert it after logon before each restart. Unjoin and then join any remote computers that connect to the renamed domain through a remote connection, such as dial-up and virtual private network (VPN). If there are any remote computers that are members of a renamed domain that connect to the domain through remote connection mechanisms such dial-up lines or VPNs, you will have to unjoin each member computer from the old domain name and then rejoin it to the new domain name.
Exchange-Specific Steps: Verify the Exchange Rename and Update Active Directory Connector
You can use this procedure to verify the Exchange rename and update the Active Directory Connector after a domain rename operation. If the domain contains Exchange Server 2003 Service Pack 1 (SP1) servers, follow the steps to verify the Exchange rename and update Active Directory Connector. For more information, see Microsoft Exchange Server Domain Rename Fixup (XDR-Fixup) (http://go.microsoft.com/fwlink/?LinkID=123322). Important The Windows Server 2008 domain rename operation is not supported in an Active Directory forest that contains Exchange Server 2003, Exchange Server 2003 Service Pack 2 (SP2), Exchange Server 2007, or Exchange Server 2007 SP1.
msDS-UpdateScript attributes from Active Directory Domain Services (AD DS) that were written during the domain rename operation. Important Perform this cleanup procedure only after all member computers in the renamed domains have been restarted as described in Restart Member Computers. If smart card logon is used in your environment, make sure that all authentication certificates have been renewed before this step; otherwise, authentication will start to fail for the certificates. Membership in the Enterprise Admins group in the target forest (with write access to the Partitions container object and the cross-reference objects that are its children in the configuration directory partition) and the Local Administrators group (or write access to the domain rename C:\domren working directory) on the control station computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. Note You can use credentials other than the credentials with which you are currently logged on. To use alternative credentials, use the /user and /pwd command-line switches of rendom, as described in Appendix A: Command-Line Syntax for the Rendom Tool. To perform attribute cleanup after a domain rename 1. On the control station, click Start, click Run, type cmd, and then click OK. 2. At the command prompt, type the following command to change to the working directory, and then press ENTER:
C:\domren
3. From within the working directory, type the following command, and then press ENTER:
rendom /clean
The rendom /clean command removes the values for the msDS-DnsRootAlias and msDS-UpdateScript attributes from AD DS by connecting to the domain controller that has the domain naming operations master role. After the steps in this procedure are complete, the new forest is ready for another domain rename (or forest restructuring) operation, if necessary.
535
the old domain name. You can change the DNS host name of domain controllers in a renamed domain at a later time by using a special procedure. Modification of the computer name causes updates to the DNS and Active Directory databases. The computer performs these updates automatically. After the updated data propagates to the DNS servers and Active Directory domain controllers that a client computer uses, the client computer can locate and authenticate to the renamed domain controller computer. However, DNS and Active Directory replication latency (the time that it takes for the name change to replicate throughout the databases) might cause a temporary inability of clients to locate or authenticate the renamed domain controller. Therefore, renaming a mission-critical server, such as a domain controller, requires that you follow a computer rename preparation procedure before you rename the domain controller. This preparation procedure ensures that there will be no interruption in the ability of client computers to locate or authenticate the renamed domain controller. For more information about how to rename a domain controller, see Renaming a Domain Controller. Note If your forest contains Exchange 2003 Service Pack 1 (SP1) servers, and you chose to rename domain controllers, you must perform several Exchange-specific steps to update the Recipient Update Service and DSAccess registry keys. For more information, see Microsoft Exchange Server Domain Rename Fixup (XDR-Fixup) (http://go.microsoft.com/fwlink/?LinkID=123322).
536
[/list] [/upload] [/prepare] [/execute] [/end] [/clean] [/showforest] [/listfile:LISTFILE] [/statefile:STATEFILE] [/logfile:LOGFILE]
Parameter
Description
/? /dc:{DCNAME | DOMAIN}
Optional. Displays the Help and the version number of the tool. Optional. Specifies that the command connect to a specific domain controller, indicated by DCNAME (a Domain Name System (DNS) name or a NetBIOS name), to run the operation that is specified by one of the operation switches: /list, /upload, /prepare, /execute, or /clean. If the name of a domain is specified instead as DOMAIN, the command connects to a domain controller in that domain. Default: When this switch is not specified, connects to any domain controller in the domain to which the computer on which this command is being run belongs. If this command is run on a computer that is not a member of any domain, the /dc switch is required; otherwise, an error is returned.
/user:USERNAME
Optional. Requests that the command run in the security context of a specific user, indicated by USERNAME, that is different from the logged on user. USERNAME can currently be in only one form: domain\user, for example, ntdev\jdow. Optional. Specifies the password for the alternate security context indicated by USERNAME. If the value that is specified for this switch is *, the command prompts for the password to allow hiding of the password. This operation creates a list of the directory partitions in the forest. The list is written as text to a file using an XML format. Therefore, this command creates a textual description of the forest structure using a structured XML format. If a file name is specified with the /listfile switch, below, the forest description is written into that file. If no file name is specified, the forest 537
/pwd:{PASSWORD | *}
/list
Parameter
Description
description is written to a file named DOMAINLIST.XML in the current directory from which this command is run. If the specified file already exists, it is renamed and a new file is created. /upload Performs the following functions: Based on the new forest description that is provided in the file that is created by the /listfile switch (or the file DOMAINLIST.XML in the current directory, by default), this operation generates an instructions file in the form of a special script that will run later on every domain controller in the forest. The instructions file is not a file that is stored on the disk. Writes the autogenerated script (instructions file) to the msDS-UpdateScript attribute of the Partitions container on the domain controller that holds the domain naming operations master role. Sets the msDS DnsRootAlias attribute on the crossRef object that corresponds to every domain that is being renamed. Writes a new state file, indicated by the /statefile switch (or the file DCLIST.XML in the current directory, by default), to track the state of every domain controller in the forest. All domain controllers are marked to be in the Initial state. If the specified file already exists, it is renamed and a new file is created. The forest configuration is frozen for certain types of operations after successful completion of this command. /prepare Attempts to contact every domain controller in the forest (as tracked by the state file), and verifies the following: The correct instructions file (the special script that is uploaded by the /upload operation) has replicated to the domain controller. The changes that are dictated by the instructions file are consistent with the contents of the directory partition replicas that the domain 538
Parameter
Description
controller holds. The domain controller has authorized the running of the domain rename operation. After successful verification of the previous conditions on a given domain controller, the corresponding state for that domain controller is advanced to the Prepared state in the state file. /execute Attempts to contact every domain controller in the forest (as tracked by the state file), and executes the changes that the instructions file dictates to cause the actual domain rename to occur. After successful execution of the instructions file on a given domain controller, the corresponding state in the state file for that domain controller is advanced to Donea final state that indicates that the restructuring is finished on that domain controller. If an irrecoverable error occurs on a given domain controller, the corresponding state in the state file for that domain controller is set to Erroralso a final state, that indicates that the domain controller is not functioning and that it must have Active Directory removed. (That is, it can no longer be used as a domain controller.) The state file that this operation uses is the state file that is specified by the /statefile switch (or the file DCLIST.XML in the current directory, by default). /end Attempts to contact the domain controller that holds the domain naming operations master role of the forest, and removes the msDSUpdateScript attribute on the Partitions container. After successful removal of this attribute on the domain naming master, this operation returns a SUCCESS summary status message. The forest configuration, which was frozen for certain types of operations that follow the /upload operation, is now unfrozen. /clean Attempts to contact the domain controllers that 539
Parameter
Description
holds the domain naming operations master role of the forest, and performs the following functions: Removes all values of the msDS-DnsRootAlias attribute on all crossRef objects in the Partitions container. Removes the msDS-UpdateScript attribute on the Partitions container. After successful removal of these attributes on the domain naming master, this operation returns a SUCCESS summary status message. /showforest Requests that the forest description, which is represented by the list of its directory partitions and their hierarchy), that is contained in the list file be displayed in a user-friendly format with indentation that reflects the domain hierarchy. The list file will typically have been generated by the /list operation of this command. If a file name is specified with the /listfile switch, below, the forest description is read from that file. If no file name is specified, the forest description is assumed to be in a file named DOMAINLIST.XML in the current directory from which this command is being run. If the specified file (or the default file) does not exist, an error is reported with an indication to run the /list operation first. /listfile:LISTFILE Optional. Specifies that LISTFILE is the name of the file that holds the forest description. The list file contains a list of the directory partitions in the forest that is written as text in an XML format. You can use this switch to specify the output file for the /list operation or the input file for the /upload operation. If this switch is not specified, the forest description is assumed to be in a file named DOMAINLIST.XML in the current directory from which this command is being run. /statefile:STATEFILE Optional. Specifies that STATEFILE is the name of the file that is used to track the state of each 540
Parameter
Description
domain controller in the forest during the domain rename operation. The state file contains a list of all the domain controllers in the forest and their corresponding states that is written as text in an XML format. You can use this switch to specify the state file for the /upload, /prepare, and /execute operations. If this switch is not specified, the state of the domain controllers is assumed to be in a file that is named DCLIST.XML in the current directory from which this command is being run. /logfile:LOGFILE Optional. Specifies that LOGFILE is the name of the file that is used to write the execution log of the command as any operation runs. The contents of the log file varies, depending on which operation (/list, /upload, /prepare, /execute, /clean) is running. If this switch is not specified, the execution log is written to a file named RENDOM.LOG in the current directory from which this command is being run.
541
Parameter
Description
/? /v
Optional. Displays the Help syntax and the version number of the tool. Optional. Requests that detailed status messages be displayed. In the absence of this switch, only error messages or a brief summary status message of SUCCESS or FAILURE appears. Optional. When the domain rename operation changes the DNS name of a domain, this switch specifies the old DNS name of the renamed domain as OLDDNSNAME, (for example, olddom.contoso.com. You can use this switch if and only if you also use the /newdns switch to provide a new domain DNS name. Optional. When the domain rename operation changes the DNS name of a domain, this switch specifies the new DNS name of the renamed domain as NEWDNSNAME, for example, newdom.contoso.com. You can use this switch to specify the new domain DNS name if and only if you use the /olddns switch to provide the old domain DNS name. Optional. When the domain rename operation changes the NetBIOS name of a domain, this switch specifies the old NetBIOS name of the renamed domain as OLDFLATNAME, for example, olddom. You can use this switch if and only if you use the /newnb switch to provide a new domain NetBIOS name. Optional. When the domain rename operation changes the NetBIOS name of a domain, this switch specifies the new NetBIOS name of the renamed domain as NEWFLATNAME, for example, newdom. You can use this switch to specify the new NetBIOS name of the domain if and only if you use the /oldnb switch to provide the old NetBIOS name of the domain. Optional. Requests that only the Group Policy fix that relates to managed software installation (that is, the SI extension for Group Policy) be 542
/olddns:OLDDNSNAME
/newdns:NEWDNSNAME
/oldnb:OLDFLATNAME
/newnb:NEWFLATNAME
/sionly
Parameter
Description
performed. Skips the actions that fix up the Group Policy links and the SYSVOL paths in the GPOs. /dc:DCNAME Optional. Requests that the command connect to a specific domain controller, indicated by DCNAME (a DNS name or a NetBIOS name), to run the fix-up operation. If DCNAME is specified, it must host a writable replica of the domain directory partition, as indicated by either of the following: The DNS name NEWDNSNAME, using /newdns The NetBIOS name NEWFLATNAME, using /newnb Default: When this switch is not specified, connects to any domain controller in the renamed domain, as indicated by either NEWDNSNAME or NEWFLATNAME. You can use the function DsGetDcName() to obtain a proper domain controller for the given domain. /user:USERNAME Optional. Requests that the command run in the security context of a specific user, indicated by USERNAME, that is different from the logged on user. USERNAME can currently be specified in only one form: domain\user, for example, ntdev\jdow. Optional. Specifies the password for the alternate security context that is indicated by USERNAME. If the value that is specified for this switch is *, the command prompts for the password to allow hiding of the password.
/pwd:{PASSWORD | *}
Complete the tasks in these checklists in the order in which they are presented. If a reference link takes you to a conceptual topic, return to the checklist after you review the conceptual topic so that you can proceed with the remaining tasks.
Adjust the forest functional level. You can rename domains only in a forest in which all the domain controllers are running Windows Server 2008 Standard or Windows Server 2003 Standard Edition, Windows Server 2008 Enterprise or Windows Server 2003 Enterprise Edition, or Windows Server 2008 Datacenter or Windows Server 2003 Datacenter Edition operating systems, and the Active Directory forest functional level has been raised to either Windows Server 2003 or Windows Server 2008. The domain rename operation will not succeed if the forest functional level is set to Windows 2000 native. Obtain the necessary administrative credentials. You must have Enterprise Admins credentials to perform the various steps in the domain rename procedures. If
For more information about forest functional levels and for procedures to determine and set forest functional levels, see Enabling Windows Server 2008 Advanced Features for Active Directory Domain Services (http://go.microsoft.com/fwlink/?LinkID=105303).
The required credentials for each procedure in the domain rename operations are described throughout the topics in Managing Active Directory Domain Rename.
544
Task
Reference
you are running Microsoft Exchange, the account that you use must also have Full Exchange Administrator credentials. Set up the control station. The computer that is to be used as the control station for the domain rename operation must be a member computer (not a domain controller) that is running Windows Server 2008 Standard, Windows Server 2008 Enterprise, or Windows Server 2008 Datacenter. Configure Distributed File System (DFS) root servers. If you want to rename a domain with domain-based DFS roots, all DFS root servers must be running Windows 2000 Service Pack 3 (SP3) or a later release of Windows Server, up to Windows Server 2008. Satisfy Exchange-specific requirements: Exchange 2003 SP1: If your Active Directory forest contains only Exchange 2003 Service Pack 1 (SP1) servers, you can run the domain rename operation, but you must also use the Exchange Domain Rename Fix-up Tool to update Exchange attributes. So that you can For more information, see Distributed File System Technology Center (http://go.microsoft.com/fwlink/?LinkID=18421). Set Up the Control Station
The Exchange Domain Rename Fix-up Tool is available at Microsoft Exchange Server Domain Rename Fixup (XDR-Fixup) (http://go.microsoft.com/fwlink/?LinkID=122982).
545
Task
Reference
perform a domain rename operation, Exchange must not be installed on any domain controllers. If a domain controller is running Exchange, move the Exchange data off the domain controller and uninstall Exchange. Exchange 2003, Exchange 2000, or Exchange 5.5: The domain rename operation is not supported in an Active Directory forest that contains Exchange Server 2003, Exchange 2000, or Exchange 5.5 servers. If the domain rename tool detects Exchange 2000 servers, the tool will not proceed. The domain rename tool will not detect whether Exchange 5.5 servers exist. Therefore, do not attempt the domain rename operation if the forest contains Exchange 5.5 servers.
546
Task
Reference
You can rename domains only in a forest in which all of the domain controllers are running Windows Server 2008 Standard or Windows Server 2003 Standard Edition, Windows Server 2008 Enterprise or Windows Server 2003 Enterprise Edition, or Windows Server 2008 Datacenter or Windows Server 2003 Datacenter Edition operating systems, and the Active Directory forest functional level has been raised to either Windows Server 2003 or Windows Server 2008. The domain rename operation will not succeed if the forest functional level is set to Windows 2000 native. Create necessary shortcut trust relationships within the forest, and document all trusts. Compile a list of domains to be renamed based on the new forest structure that you want. Create shortcut trusts, if necessary. Compile a list of all existing trustsshortcut, external, and across forestsin the forest. Prepare Domain Name System (DNS) zones. Compile a list of DNS zones for the domain rename operation. Create new DNS zones as necessary as a result of the name 547 Prepare DNS Zones Create Necessary Shortcut Trust Relationships
Task
Reference
changes to be performed. Redirect Special Folders to a StandAlone Distributed File System Namespace (DFSN). Relocate Roaming User Profiles to a Stand-Alone DFSN. Prepare member computers for host name changes. Prepare certification authorities (CAs). Prepare a domain that contains Exchange. Redirect Special Folders to a Standalone DFSN Relocate Roaming User Profiles to a Standalone DFSN Configure Member Computers for Host Name Changes Prepare Certification Authorities Exchange-Specific Steps: Prepare a Domain that Contains Exchange
Set up your control station for the domain rename operation. Freeze the Forest Configuration Back up all the domain controllers in your forest. Generate the current forest description. Specify the new forest description. Generate domain rename instructions. Push domain rename instructions to all domain controllers, and verify
Set Up the Control Station Freeze the Forest Configuration Back Up All Domain Controllers Generate the Current Forest Description Specify the New Forest Description Generate Domain Rename Instructions Push Domain Rename Instructions to All Domain 548
Task
Reference
DNS readiness. Verify the readiness of the domain controllers. Execute the domain rename instructions. Update the Exchange configuration, and restart the Exchange servers. Note This is an optional, Exchange-specific task. Unfreeze the forest configuration. Re-establish external trusts. Fix Group Policy objects (GPOs) and links.
Controllers and Verify DNS Readiness Verify Readiness of Domain Controllers Run Domain Rename Instructions Exchange-Specific Steps: Update the Exchange Configuration and Restart Exchange Servers
Unfreeze the Forest Configuration Re-establish External Trusts Fix Group Policy Objects and Links
Verify certificate security. Perform certain miscellaneous procedures. Back up domain controllers. Restart all member computers. Verify the Exchange rename, and update Active Directory Connector.
Verify Certificate Security Perform Miscellaneous Tasks Back Up Domain Controllers Restart Member Computers Exchange-Specific Steps: Verify the Exchange Rename 549
Task
Reference
Note This is an optional, Exchange-specific step. Perform attribute cleanup. Rename domain controllers.
1 2 3 4 5
550
Trust direction
Trust type
Date created/removed
1 2 3 4 5
1 2 3 4 5
1 2 3 551
Domain name
4 5
1 2 3 4 5
1 2 3 552
Domain/application partition
Run Dcdiag?
Backed up?
4 5
1 2 3 4 5
Additional Resources
For general information about how Active Directory Domain Services (AD DS) works and how to deploy, manage, and troubleshoot AD DS, see the following resources: Active Directory Domain Services (http://go.microsoft.com/fwlink/?LinkId=96418) AD DS Design Guide (http://go.microsoft.com/fwlink/?LinkId=100493) AD DS Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=116283)
Best Practices for Delegating Active Directory Administration (http://go.microsoft.com/fwlink/?LinkId=46579) Active Directory Script Center (http://go.microsoft.com/fwlink/?LinkId=122875) For specific information about troubleshooting Active Directory problems, see the following resources: Troubleshooting: AD DS (http://go.microsoft.com/fwlink/?LinkId=122878) Directory Services Community (http://go.microsoft.com/fwlink/?LinkId=20151) 553
For development information about Active Directory, see the following resources: Active Directory Domain Services (http://go.microsoft.com/fwlink/?linkid=142) Lightweight Directory Access Protocol (LDAP) (http://go.microsoft.com/fwlink/? LinkID=2972) Request for Comments (RFC) Pages and Internet-Drafts on the Internet Engineering Task Force Web site (http://go.microsoft.com/fwlink/?LinkID=121)
Section Heading
Insert section body here.
Subsection Heading
Insert subsection body here.
554