Windows Server 2003 Active Directory

Operations Guide
Microsoft Corporation

Published: June 2005

Updated: July 2006

Abstract
This operations guide for the Microsoft® Windows Server™ 2003 Active Directory®
directory service provides step-by-step, task-oriented information for
Windows Server 2003 and Windows Server 2003 with Service Pack 1 (SP1)
technologies. This operations guide is designed to provide information technology (IT)
operators and administrators with prescriptive guidance for operating, managing, and
troubleshooting Active Directory servers.
Information in this document, including URL and other Internet Web site references, is
subject to change without notice. Unless otherwise noted, the example companies,
organizations, products, domain names, e-mail addresses, logos, people, places, and
events depicted herein are fictitious, and no association with any real company,
organization, product, domain name, e-mail address, logo, person, place, or event is
intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other
intellectual property rights covering subject matter in this document. Except as expressly
provided in any written license agreement from Microsoft, the furnishing of this document
does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.

© 2005 - 2006 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Windows Server, and Active Directory are
either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries.

All other trademarks are property of their respective owners.


Contents
Active Directory Operations Guide...................................................................................21

Administering Active Directory Operations.......................................................................21

Introduction to Administering Active Directory..................................................................22


When to Use This Guide...............................................................................................23
How to Use this Guide.................................................................................................. 23

New in This Guide for Administering Active Directory......................................................24


New Content................................................................................................................. 24
Updated Content.......................................................................................................... 24

Administering Domain and Forest Trusts.........................................................................25

Introduction to Domain and Forest Trusts........................................................................25

Best Practices for Domain and Forest Trusts...................................................................26

Managing Domain and Forest Trusts...............................................................................27

Creating Domain and Forest Trusts.................................................................................27


New Trust Wizard Terminology.....................................................................................28

Known Issues for Creating Domain and Forest Trusts.....................................................30

Creating External Trusts.................................................................................................. 31

Create a one-way, incoming, external trust for one side of the trust................................32

Create a one-way, incoming, external trust for both sides of the trust..............................34

Create a one-way, outgoing, external trust for one side of the trust.................................36

Create a one-way, outgoing, external trust for both sides of the trust..............................38

Create a two-way, external trust for one side of the trust.................................................40

Create a two-way, external trust for both sides of the trust..............................................42

Creating Shortcut Trusts.................................................................................................. 44

Create a one-way, incoming, shortcut trust for one side of the trust................................45
Create a one-way, incoming, shortcut trust for both sides of the trust..............................47

Create a one-way, outgoing, shortcut trust for one side of the trust.................................49

Create a one-way, outgoing, shortcut trust for both sides of the trust..............................51

Create a two-way, shortcut trust for one side of the trust.................................................53

Create a two-way, shortcut trust for both sides of the trust..............................................55

Creating Forest Trusts..................................................................................................... 56

Create a one-way, incoming, forest trust for one side of the trust....................................58

Create a one-way, incoming, forest trust for both sides of the trust.................................60

Create a one-way, outgoing, forest trust for one side of the trust.....................................62

Create a one-way, outgoing, forest trust for both sides of the trust..................................64

Create a two-way, forest trust for one side of the trust.....................................................66

Create a two-way, forest trust for both sides of the trust..................................................68

Creating Realm Trusts..................................................................................................... 71

Create a one-way, incoming, realm trust..........................................................................72

Create a one-way, outgoing, realm trust..........................................................................73

Create a two-way, realm trust.......................................................................................... 74

Configuring Domain and Forest Trusts............................................................................76

Validating and removing trusts.........................................................................................76

Validate a trust................................................................................................................. 77
To validate a trust......................................................................................................... 77

Remove a manually created trust....................................................................................78


To remove a manually created trust..............................................................................79

Modifying Name Suffix Routing Settings..........................................................................80

Modify the routing status of a name suffix........................................................................81


To modify the routing status of a name suffix................................................................82
See Also....................................................................................................................... 82

Enable or disable an existing name suffix for routing.......................................................82


To enable or disable an existing name suffix for routing...............................................83
See Also....................................................................................................................... 84

Exclude name suffixes from routing to local forests.........................................................84


To exclude name suffixes from routing to local forests.................................................84
See Also....................................................................................................................... 85

Securing Domain and Forest Trusts.................................................................................85

Configuring SID Filtering Settings....................................................................................85

Disable SID filtering......................................................................................................... 87

Reapply SID filtering........................................................................................................ 88

Configuring Selective Authentication Settings..................................................................90

Enable selective authentication over an external trust.....................................................91


To enable selective authentication over an external trust.............................................91

Enable selective authentication over a forest trust...........................................................92


To enable selective authentication over a forest trust...................................................93
See Also....................................................................................................................... 93

Enable domain-wide authentication over an external trust...............................................93


To enable domain-wide authentication over an external trust.......................................94

Enable forest-wide authentication over a forest trust.......................................................95


To enable forest-wide authentication over a forest trust................................................95

Grant the Allowed to Authenticate permission on computers in the trusting domain or forest.....96

   To grant the Allowed to Authenticate permission on computers in the trusting domain or forest.....97

Appendix: New Trust Wizard Pages.................................................................................97


Direction of Trust.......................................................................................................... 98
Sides of Trust.............................................................................................................. 101

Administering the Windows Time Service......................................................................101

Introduction to Administering the Windows Time Service...............................................102

Managing the Windows Time Service............................................................................103

Configuring a time source for the forest.........................................................................103


Configure the Windows Time service on the PDC emulator...........................................105

Change the Windows Time service configuration on the previous PDC emulator..........107

Configure a domain controller in the parent domain as a reliable time source...............108

Configure the PDC emulator to synchronize from its internal hardware clock................108

Disable the Windows Time service................................................................................109

Configuring Windows-based clients to synchronize time................................................110

Configure a manual time source for a selected client computer.....................................111

Configure a client computer for automatic domain time synchronization........................112

Restoring Windows Time service to default settings......................................................113

Restore Windows Time service on local computer to default settings............................113

Administering SYSVOL.................................................................................................. 114

Introduction to Administering SYSVOL...........................................................................115

Managing SYSVOL........................................................................................................ 119

Changing the Space Allocated to the Staging Area........................................................119

Stop the File Replication service....................................................................................120

Change the space allocated to the Staging Area folder.................................................121

Start the File Replication service....................................................................................122

Relocating the Staging Area........................................................................................... 122

Identify replication partners............................................................................................124

Check the status of the shared SYSVOL.......................................................................124

Verify replication with other domain controllers..............................................................126

Gather the SYSVOL path information............................................................................126


To gather the system volume path information...........................................................127

Reset the File Replication service staging folder to a different logical drive...................129

Relocating SYSVOL Manually.......................................................................................132


Identify replication partners............................................................................................134

Check the status of the shared SYSVOL.......................................................................135

Verify replication with other domain controllers..............................................................136

Gather the SYSVOL path information............................................................................137


To gather the system volume path information...........................................................138

Stop the File Replication service....................................................................................140

Create the SYSVOL folder structure..............................................................................140

Set the SYSVOL path.................................................................................................... 141

Set the staging area path............................................................................................... 142

Prepare a domain controller for nonauthoritative SYSVOL restart.................................143

Update security on the new SYSVOL............................................................................145

Start the File Replication service....................................................................................147

Updating the System Volume Path................................................................................147

Gather the SYSVOL path information............................................................................148


To gather the system volume path information...........................................................149

Stop the File Replication service....................................................................................151

Set the SYSVOL path.................................................................................................... 151

Set the staging area path............................................................................................... 152

Start the File Replication service....................................................................................154

Restoring and Rebuilding SYSVOL...............................................................................154

Identify replication partners............................................................................................156

Check the status of the shared SYSVOL.......................................................................156

Verify replication with other domain controllers..............................................................158

Restart the domain controller in Directory Services Restore Mode locally.....................158


See Also..................................................................................................................... 159

Gather the SYSVOL path information............................................................................159


To gather the system volume path information...........................................................160
Stop the File Replication service....................................................................................162

Prepare a domain controller for nonauthoritative SYSVOL restart.................................163

Import the SYSVOL folder structure...............................................................................164

Start the File Replication service....................................................................................167

Administering the Global Catalog...................................................................................167

Introduction to Administering the Global Catalog...........................................................168


Global Catalog Placement.......................................................................................... 168
Initial Global Catalog Replication................................................................................168
Global Catalog Readiness.......................................................................................... 169
Global Catalog Removal............................................................................................. 170
See Also..................................................................................................................... 170

Managing the Global Catalog......................................................................................... 170

Configuring a Global Catalog Server.............................................................................170

Determine whether a domain controller is a global catalog server.................................171

Designate a domain controller to be a global catalog server..........................................172

Monitor global catalog replication progress....................................................................173

Determining Global Catalog Readiness.........................................................................174

Verify global catalog readiness......................................................................................174


To verify global catalog readiness...............................................................................174

Verify global catalog DNS registrations..........................................................................176

Removing the Global Catalog........................................................................................ 176

Clear the global catalog setting......................................................................................177

Monitor global catalog removal in Event Viewer............................................................177

Administering Operations Master Roles.........................................................................178

Introduction to Administering Operations Master Roles.................................................178


Guidelines for Role Placement...................................................................................179
Guidelines for Role Transfer.......................................................................................182

Managing Operations Master Roles...............................................................................184


Designating a standby operations master......................................................................184

Determine whether a domain controller is a global catalog server.................................185

Create a connection object on the current operations master........................................186

Create a connection object on the standby operations master......................................187

Verify successful replication to a domain controller........................................................188


See Also..................................................................................................................... 191

Transferring an operations master role..........................................................................191

Verify successful replication to a domain controller........................................................192


See Also..................................................................................................................... 195

Determine whether a domain controller is a global catalog server.................................195

Install the Schema snap-in............................................................................................. 196

Transfer the schema master..........................................................................................197

Transfer the domain naming master..............................................................................198

Transfer the domain-level operations master roles........................................................199

View the current operations master role holders............................................................200

Seizing an operations master role..................................................................................201

Verify successful replication to a domain controller........................................................202


See Also..................................................................................................................... 205

Seize the operations master role...................................................................................205

View the current operations master role holders............................................................207

Reducing the workload on the PDC emulator master....................................................208


Adjusting the Weight for DNS SRV Records in the Registry.......................................208
Adjusting the Priority for DNS SRV Records in the Registry.......................................209

Change the weight for DNS SRV records in the registry................................................210

Change the priority for DNS SRV records in the registry................................................211

Administering Active Directory Backup and Restore......................................................212

Introduction to Administering Active Directory Backup and Restore...............................212


System State Components.........................................................................................212
Purpose of Performing Regular Backups....................................................................213
Restore Requirements and Recommendations..........................................................214
Backup Guidelines...................................................................................................... 214
Backup Frequency...................................................................................................... 216
Backup Latency Interval.............................................................................................217
See Also..................................................................................................................... 218

Managing Active Directory Backup and Restore............................................................218

Backing Up Active Directory Components......................................................................218


Naming Backup Files.................................................................................................. 218
See Also..................................................................................................................... 220

Back up system state..................................................................................................... 220


See Also..................................................................................................................... 223

Back up system state and the system disk....................................................................223


See Also..................................................................................................................... 224

Performing a Nonauthoritative Restore of a Domain Controller.....................................225


See Also..................................................................................................................... 226

Restart the domain controller in Directory Services Restore Mode locally.....................226


See Also..................................................................................................................... 227

Restart the domain controller in Directory Services Restore Mode Remotely................227


See Also..................................................................................................................... 229

Restore from backup media........................................................................................... 229


See Also..................................................................................................................... 230

Verify Active Directory restore........................................................................................ 231

Performing an Authoritative Restore of Active Directory Objects...................................231


Group Membership Restoration Following Authoritative Restore...............................232
Authoritative Restore Improvements in Windows Server 2003 SP1...........................233
Procedures for Domain Controllers Running Windows Server 2003 with SP1...........234
   Procedures for Domain Controllers Running Windows Server 2003 with No Service Pack Installed.....235

Restore from backup media........................................................................................... 237


See Also..................................................................................................................... 238

Mark the object or objects authoritative.........................................................................239


Synchronize replication with all partners........................................................................241
See Also..................................................................................................................... 242

Run an LDIF file to recover back-links...........................................................................242


See Also..................................................................................................................... 243

Restart the domain controller in Directory Services Restore Mode locally.....................243


See Also..................................................................................................................... 244

Create an LDIF file for recovering back-links for authoritatively restored objects...........244
See Also..................................................................................................................... 245

Turn off inbound replication............................................................................................ 245


See Also..................................................................................................................... 246

Turn on inbound replication............................................................................................ 246


See Also..................................................................................................................... 247

Performing an Authoritative Restore of an Application Directory Partition......................247

Restore from backup media........................................................................................... 247


See Also..................................................................................................................... 249

Mark the application directory partition as authoritative.................................................249

Performing an Authoritative Restore of a Group Policy Object.......................................251

Restore a Group Policy Object.......................................................................................251

Restoring a Domain Controller Through Reinstallation and Subsequent Restore from Backup.....252

Restore from backup media........................................................................................... 254


See Also..................................................................................................................... 255

Verify Active Directory restore........................................................................................ 256

Restoring a Domain Controller Through Reinstallation..................................................256

Clean up server metadata..............................................................................................258

Delete a Server object from a site..................................................................................261

Delete a Computer object from the Domain Controllers OU..........................................262


See Also..................................................................................................................... 262

Verify DNS registration and functionality........................................................................263


Verify communication with other domain controllers......................................................263

Verify the availability of the operations masters.............................................................264

Install Active Directory.................................................................................................... 265

Administering Intersite Replication.................................................................................267

Introduction to Administering Intersite Replication.........................................................267


The KCC and Replication Topology............................................................................268

Managing Intersite Replication.......................................................................................269

Adding a New Site......................................................................................................... 269

Create a site object and add it to an existing site link....................................................270

Create a subnet object or objects and associate them with the new site.......................271

Associate an existing subnet object with the new site....................................................271

Create a site link object and add the appropriate sites..................................................272

Remove the site from the site link..................................................................................273

Linking Sites for Replication...........................................................................................273

Create a site link object and add the appropriate sites..................................................274

Determine the ISTG role owner for a site.......................................................................275

Generate the replication topology on the ISTG..............................................................275

Changing Site Link Properties........................................................................................276

Configure the site link schedule to identify times during which intersite replication can occur..................277

Configure the site link interval to identify how often replication polling can occur during the schedule window..................278

Configure the site link cost to establish a priority for replication routing.........................278

Determine the ISTG role owner for a site.......................................................................279

Generate the replication topology on the ISTG..............................................................280

Moving a Domain Controller to a Different Site..............................................................280


TCP/IP Settings.......................................................................................................... 281
Preferred Bridgehead Server Status...........................................................................281

Change the static IP address of a domain controller......................................................283

Create a delegation for a domain controller...................................................................284

Verify that an IP address maps to a subnet and determine the site association............285

Determine whether the server is a preferred bridgehead server....................................286

Configure the server to not be a preferred bridgehead server.......................................287

Move the Server object to the new site..........................................................................287

Removing a Site............................................................................................................. 288

Determine whether a Server object has child objects....................................................290

Delete a Server object from a site..................................................................................291

Delete the Site Link object.............................................................................................291

Associate the subnet or subnets with the appropriate site.............................................292

Delete the Site object..................................................................................................... 293

Determine the ISTG role owner for a site.......................................................................293

Generate the replication topology on the ISTG..............................................................294

Administering the Active Directory Database.................................................................294

Introduction to Administering the Active Directory Database..........................................295

Managing the Active Directory Database.......................................................................296

Relocating Active Directory Database Files...................................................................297


Disk space requirements for relocating Active Directory database files......................298

Determine the database size and location online...........................................................300

Determine the database size and location offline...........................................................301

Compare the size of the directory database files to the volume size.............................302

Back up system state..................................................................................................... 303


See Also..................................................................................................................... 306

Restart the domain controller in Directory Services Restore Mode locally.....................306


See Also..................................................................................................................... 307

Restart the domain controller in Directory Services Restore Mode Remotely................307


See Also..................................................................................................................... 308

Move the directory database and log files to a local drive..............................................309

Copy the directory database and log files to a remote share.........................................312

Returning Unused Disk Space from the Active Directory Database to the File System......314

Change the garbage collection logging level to 1...........................................................316

Back up system state..................................................................................................... 317


See Also..................................................................................................................... 319

Restart the domain controller in Directory Services Restore Mode locally.....................319


See Also..................................................................................................................... 320

Restart the domain controller in Directory Services Restore Mode Remotely................320


See Also..................................................................................................................... 322

Compact the directory database file (offline defragmentation).......................................322

If database integrity check fails, perform semantic database analysis with fixup...........326

Administering Domain Controllers..................................................................................327

Introduction to Administering Domain Controllers..........................................................327


Installing and Removing Active Directory....................................................................327
Renaming Domain Controllers....................................................................................328
Adding Domain Controllers to Remote Sites..............................................................328

Managing Domain Controllers........................................................................................329


Managing Antivirus Software on Domain Controllers..................................................330

Preparing for Active Directory Installation......................................................................334


Configuring DNS......................................................................................................... 334
Site Placement........................................................................................................... 335
Domain Connectivity................................................................................................... 335

Install the DNS Server service.......................................................................................337

Verify DNS registration and functionality........................................................................338

Verify that an IP address maps to a subnet and determine the site association............339
Verify communication with other domain controllers......................................................340

Verify the availability of the operations masters.............................................................341

Installing a Domain Controller in an Existing Domain....................................................342

Install Active Directory.................................................................................................... 343

Installing a Domain Controller in an Existing Domain Using Restored Backup Media......344
See Also..................................................................................................................... 347

Back up system state..................................................................................................... 347


See Also..................................................................................................................... 350

Restore system state to an alternate location................................................................350

Install Active Directory from restored backup media......................................................351


See Also..................................................................................................................... 352

Include application directory partitions in an Active Directory installation from backup media..................353

Adding Domain Controllers in Remote Sites..................................................................354

Known Issues for Adding Domain Controllers in Remote Sites......................................355


SYSVOL Replication................................................................................................... 356
Using Backup Media to Install Active Directory in a Remote Site...............................356
Installing Domain Controllers Before Shipping Them to the Remote Site...................360
See Also..................................................................................................................... 364

Best Practices for Adding Domain Controllers in Remote Sites.....................................364


Using Backup Media to Install Active Directory in the Remote Site............................365
Installing Domain Controllers Prior to Shipping to the Remote Site............................367
See Also..................................................................................................................... 370

Preparing a Server Computer for Shipping and Installation from Backup Media...........370
Restore the Backup to the Promotion Computer or Ship Removable Media..............372
Determine the Restore Volume...................................................................................372
Enable Remote Desktop............................................................................................. 374
Create a Domain Controller Installation Answer File..................................................374
See Also..................................................................................................................... 376

Back up system state..................................................................................................... 376


See Also..................................................................................................................... 379

Restore system state to an alternate location................................................................379


Enable Remote Desktop................................................................................................381

Create an answer file for domain controller installation..................................................382


See Also..................................................................................................................... 385

Create a Remote Desktop Connection..........................................................................385


See Also..................................................................................................................... 386

Install Active Directory from restored backup media......................................................386


See Also..................................................................................................................... 387

Include application directory partitions in an Active Directory installation from backup media..................387

Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection...388


See Also..................................................................................................................... 390

Determine the tombstone lifetime for the forest.............................................................390

View the current operations master role holders............................................................391

Transfer the domain-level operations master roles........................................................392

Transfer the schema master..........................................................................................393

Transfer the domain naming master..............................................................................394

Prepare a domain controller for nonauthoritative SYSVOL restart.................................395

Enable strict replication consistency..............................................................................397

Synchronize replication with all partners........................................................................399


See Also..................................................................................................................... 400

Verify successful replication to a domain controller........................................................400


See Also..................................................................................................................... 403

Reconnecting a Domain Controller After a Long-Term Disconnection...........................403


Reconnecting an Outdated Domain Controller...........................................................403
Updating SYSVOL...................................................................................................... 404
See Also..................................................................................................................... 406

Determine when intersite replication is scheduled to begin...........................................406

Use Repadmin to remove lingering objects....................................................................406


See Also..................................................................................................................... 408
Verify successful replication to a domain controller........................................................409
See Also...................................................................................................................... 411

Performing an Unattended Installation of Active Directory.............................................412


See Also..................................................................................................................... 412

Create an answer file for domain controller installation..................................................413


See Also..................................................................................................................... 415

Install Active Directory using an answer file...................................................................415


See Also..................................................................................................................... 416

Verifying Active Directory Installation.............................................................................416

Determine whether a Server object has child objects....................................................417

Verify that an IP address maps to a subnet and determine the site association............418

Move the Server object to the new site..........................................................................419

Configure DNS server forwarders..................................................................................420

Verifying DNS configuration...........................................................................................421

Create a delegation for a domain controller...................................................................421

Create a secondary zone............................................................................................... 422

Configure the DNS client settings..................................................................................423

Check the status of the shared SYSVOL.......................................................................424

Verify DNS registration and functionality........................................................................425

Verify communication with other domain controllers......................................................425

Verify replication with other domain controllers..............................................................426

Verify the availability of the operations masters.............................................................427

Verify domain membership for a new domain controller................................................428

Renaming a Domain Controller......................................................................................429

Rename a domain controller using System Properties..................................................430


See Also..................................................................................................................... 431

Rename a domain controller using Netdom...................................................................431


See Also..................................................................................................................... 433

Update the FRS member object.....................................................................................433

Decommissioning a Domain Controller..........................................................................433

View the current operations master role holders............................................................435

Transfer the schema master..........................................................................................436

Transfer the domain naming master..............................................................................437

Transfer the domain-level operations master roles........................................................439

Determine whether a domain controller is a global catalog server.................................440

Verify DNS registration and functionality........................................................................440

Verify communication with other domain controllers......................................................441

Verify the availability of the operations masters.............................................................442

Uninstall Active Directory............................................................................................... 443

Determine whether a Server object has child objects....................................................444

Delete a Server object from a site..................................................................................444

Forcing the Removal of a Domain Controller.................................................................445

Identify replication partners............................................................................................446

Force domain controller removal....................................................................................447

Clean up server metadata..............................................................................................447

Additional Resources for Administering Active Directory................................................450

Troubleshooting Active Directory Operations.................................................................451

Configuring a Computer for Troubleshooting Active Directory........................................452


Configuration Tasks for Troubleshooting.....................................................................452

Troubleshooting Active Directory Replication Problems.................................................456


Event and Tool Solution Recommendations...............................................................456
Ruling Out the Obvious............................................................................................... 457
Correct Response to Any Outdated Server Running Windows 2000 Server..............457
Root Causes............................................................................................................... 458
General Approach to Fixing Problems........................................................................458
Monitoring Replication Health.....................................................................................459
Attempting to Resolve Problems................................................................................461

Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)................467
Tombstone Lifetime and Replication of Deletions.......................................................467
How Lingering Objects Occur.....................................................................................468
Causes of Long Disconnections.................................................................................468
Indications That a Domain Controller Has Lingering Objects.....................................470
Tool for Removing Lingering Objects..........................................................................472
See Also..................................................................................................................... 473

Event ID 1388 or 1988: A lingering object is detected....................................................473


Event ID 1388............................................................................................................. 473
Event ID 1988............................................................................................................. 475
Cause......................................................................................................................... 475
Solution....................................................................................................................... 476

A deleted account remains in the Address Book, e-mail is not received, or a duplicate account exists..................481
Solution....................................................................................................................... 481

Event ID 2042: It has been too long since this machine replicated................................483
Solution....................................................................................................................... 484

Fixing Replication Security Problems.............................................................................486

An "Access denied" or other security error has caused replication problems................487


Cause......................................................................................................................... 488
Solution....................................................................................................................... 488

Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088)......................491
Improvements to Domain Controller Name Resolution in SP1...................................491
DNS Requirements for CNAME Lookup Success......................................................493

Event ID 1925: Attempt to establish a replication link failed due to DNS lookup problem..................495
Solution....................................................................................................................... 496

Event ID 2087: DNS lookup failure caused replication to fail.........................................496


Cause......................................................................................................................... 498
Solution....................................................................................................................... 499

Event ID 2088: DNS lookup failure occurred with replication success...........................511


Cause......................................................................................................................... 513
Solution....................................................................................................................... 513

Fixing Replication Connectivity Problems (Event ID 1925)............................................513

Event ID 1925: Attempt to establish a replication link failed due to connectivity problem..................514
Cause......................................................................................................................... 515
Solution....................................................................................................................... 515

Fixing Replication Topology Problems (Event ID 1311)..................................................520

Event ID 1311: Replication configuration does not reflect the physical network.............521
Cause......................................................................................................................... 522
Solution....................................................................................................................... 523

Additional Resources for Troubleshooting Active Directory............................................529


Active Directory Operations Guide
The Active Directory Operations Guide provides administration and troubleshooting
information for the Active Directory™ directory service in the Microsoft®
Windows Server™ 2003 and Windows Server 2003 with Service Pack 1 (SP1) operating
systems.

You cannot install Active Directory on a server running Windows Server 2003,
Web Edition, but you can join the server to an Active Directory domain as a member
server. For more information about Windows Server 2003, Web Edition, see Overview of
Windows Server 2003, Web Edition, on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=9253).

Note
The Windows Server 2003 Active Directory Operations Guide is also available as
a downloadable document on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=63079).

In this guide

• Administering Active Directory Operations

• Troubleshooting Active Directory Operations

Administering Active Directory Operations
This guide provides administration information for Active Directory in the Microsoft
Windows Server 2003 and Windows Server 2003 with Service Pack 1 (SP1) operating
systems. It includes detailed procedures for managing domain controllers, sites, trusts,
and other components of Active Directory.

In this guide

• Introduction to Administering Active Directory

• New in This Guide for Administering Active Directory

• Administering Domain and Forest Trusts

• Administering the Windows Time Service

• Administering SYSVOL

• Administering the Global Catalog

• Administering Operations Master Roles

• Administering Active Directory Backup and Restore

• Administering Intersite Replication

• Administering the Active Directory Database

• Administering Domain Controllers

• Additional Resources for Administering Active Directory

Note
You cannot install Active Directory on a server running Windows Server 2003,
Web Edition, but you can join the server to an Active Directory domain as a
member server. For more information about Windows Server 2003, Web Edition,
see Overview of Windows Server 2003, Web Edition, on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=9253).

Acknowledgments

Key Technical Reviewers: Chris Macaulay, Nigel Cain, Arren Conner, Dmitry Dukat,
Levon Esibov, Khushru Irani, Kamal Janardhan, Gregory Johnson, William Lees, Andreas
Luther, Kevin Sims, Jeromy Statia, Eric Kool-Brown, J. K. Jaganathan, Mike Resnick,
Michael Snyder, Nathan Muggli, Yi Zhao, Christopher Westpoint, Robert Powalka,
Rob Kochman

Microsoft Most Valuable Professional (MVP) Reviewers: Joseph Shook, Thomas Bittner,
Nuo Yan, Al Mulnick, Tony Murray, Guido Grillenmeier, M. Rajesh, Todd Myrick

Introduction to Administering Active Directory
This guide explains how to administer Microsoft Active Directory. These activities are part
of the operating phase of the information technology (IT) life cycle. If you are not familiar
with this guide, review the following sections of this introduction.

When to Use This Guide


You should use this guide when:
• You want to manage common Active Directory problems that are associated with
misconfiguration.

• You want to configure Active Directory to increase network availability.

This guide assumes a basic understanding of what Active Directory is, how it works, and
why your organization uses it to access, manage, and secure shared resources across
your network. You should also have a thorough understanding of how Active Directory is
deployed and managed in your organization. This includes an understanding of the
mechanism your organization uses to configure and manage Active Directory settings.

This guide can be used by organizations that have deployed Windows Server 2003 and
Windows Server 2003 with Service Pack 1 (SP1). It includes information that is relevant
to different roles within an IT organization, including IT operations management and
administrators. It contains high-level information that is required to plan an
Active Directory operations environment. This information provides management-level
knowledge of Active Directory and the IT processes required to operate it.

In addition, this guide contains more detailed procedures that are designed for operators
who have varied levels of expertise and experience. Although the procedures provide
operator guidance from start to finish, operators must have a basic proficiency with the
Microsoft Management Console (MMC) and snap-ins and know how to start
administrative programs and access the command line. If operators are not familiar with
Active Directory, it might be necessary for IT planners or IT managers to review the
relevant operations in this guide and provide the operators with parameters or data that
must be entered when the operation is performed.

How to Use This Guide


The operations areas are divided into the following types of content:

• Objectives are high-level goals for managing, monitoring, optimizing, and securing
Active Directory. Each objective consists of one or more high-level tasks that
describe how the objective is accomplished.

• Tasks are used to group related procedures and provide general guidance for
achieving the goals of an objective.

• Procedures provide step-by-step instructions for completing the task.

If you are an IT manager who will be delegating tasks to operators within your
organization, you will want to:
• Read through the objectives and tasks to determine how to delegate permissions and
whether you need to install tools before operators perform the procedures for each
task.

• Before assigning tasks to individual operators, ensure that you have all the tools
installed where operators can use them.

• When necessary, create “tear sheets” for each task that operators perform within
your organization. Cut and paste the task and its related procedures into a separate
document and then either print these documents or store them online, depending on
the preference of your organization.

New in This Guide for Administering Active Directory
This operations guide is updated periodically to incorporate new content, customer
feedback, and corrections. The following sections provide details about content that is
new or updated in this version of the guide.

New Content
• August 2005: Performing an Authoritative Restore of Active Directory Objects
contains new procedures for regenerating the group memberships of restored user
objects and group objects. This functionality is available in the version of Ntdsutil.exe
that is included with Windows Server 2003 with Service Pack 1 (SP1).

• February 2006: Enable Remote Desktop contains a new procedure to enable Remote
Desktop remotely by using the registry.

• February 2006: Known Issues for Adding Domain Controllers in Remote Sites
contains the additional information that moving the Ntds.dit file takes less time than
copying the file when you restore a system state backup.

Updated Content
• April 2006: Performing an Authoritative Restore of Active Directory Objects contains
corrected information about the details of updating back-link attributes.

Administering Domain and Forest Trusts
This guide provides administrators with step-by-step instructions for managing and
securing Windows Server 2003 domain and forest trusts. The way that you create or
configure trusts plays an important role in operating and securing your network
infrastructure. How you create or configure domain and forest trusts in
Windows Server 2003 also determines how far network communications extend within a
forest or across forests.

Note
You cannot install Active Directory on a server running Windows Server 2003,
Web Edition, but you can join the server to an Active Directory domain as a
member server. For more information about Windows Server 2003, Web Edition,
see Overview of Windows Server 2003, Web Edition, on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=9253).

In this guide

• Introduction to Domain and Forest Trusts

• Best Practices for Domain and Forest Trusts

• Managing Domain and Forest Trusts

• Securing Domain and Forest Trusts

• Appendix: New Trust Wizard Pages

Acknowledgements

Produced by: Microsoft Windows Server Security and Directory Services User Assistance
team

Project Writer: Nick Pierson

Project Editor: Jim Becker

Introduction to Domain and Forest Trusts

By using Windows Server 2003 domain and forest trusts, service administrators can
create or extend collaborative relationships between two or more domains or forests.
Windows Server 2003 domains and forests can also trust Kerberos realms and other
Windows Server 2003 forests, as well as Microsoft Windows® 2000 domains and
Windows NT® 4.0 domains.

When a trust exists between two domains, the authentication mechanisms for each
domain trust the authentications coming from the other domain. Trusts help to provide
controlled access to shared resources in a resource domain (the trusting domain) by
verifying that incoming authentication requests come from a trusted authority (the trusted
domain). In this way, trusts act as bridges that allow only validated authentication
requests to travel between domains.

How a specific trust passes authentication requests depends on how it is configured.

Trust relationships can be one-way, providing access from the trusted domain to
resources in the trusting domain, or two-way, providing access from each domain to
resources in the other domain. Trusts are also either nontransitive, in which case a trust
exists only between the two trust partner domains, or transitive, in which case a trust
automatically extends to any other domains that either of the partners trusts.

In some cases, trust relationships are established automatically when domains are
created; in other cases, administrators must choose a type of trust and explicitly establish
the appropriate relationships. The specific types of trusts that are used and the structure
of the resulting trust relationships in a given trust implementation depend on such factors
as how Active Directory is organized and whether different versions of Windows coexist
on the network.

Best Practices for Domain and Forest Trusts
The following best practices are proven to increase availability, ensure trouble-free
operations, or ease administration when you use them to administer domain and forest
trusts:

• When your forest contains domain trees with many child domains and you observe
noticeable user authentication delays between the child domains, you can optimize
the user authentication process between the child domains by creating shortcut
trusts to mid-level domains in the domain tree hierarchy.

For more information, see When to create a shortcut trust on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=42644).

• Keep a current list of trust relationships for future reference.

You can use the Nltest.exe tool to display and record a list of these trusts. For more
information, see "Nltest.exe: NLTest Overview" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=42642).

• Perform regular backups of domain controllers to preserve all trust relationships
within a particular domain.

For more information, see Back up system state.

Managing Domain and Forest Trusts

It is necessary to manage domain and forest trusts when your organization needs to
collaborate with users or resources that are located in other domains, realms, or forests
in your organization and in other organizations. To set up an environment that takes
advantage of trusts, you must first create and configure the appropriate trusts that will
enable your organization to communicate effectively with users or resources in other
places.

The following objectives are part of managing domain and forest trusts:

• Creating Domain and Forest Trusts

• Configuring Domain and Forest Trusts

Creating Domain and Forest Trusts

In Windows Server 2003, there are four trust types that must be created manually.
External trusts, realm trusts, and forest trusts help provide interoperability with domains
outside your forest or with realms. Shortcut trusts optimize access to resources and
logons that are made between domain trees in the same forest.

The following tasks for creating domain and forest trusts are described in this objective:

• Creating External Trusts

• Creating Shortcut Trusts

• Creating Forest Trusts

• Creating Realm Trusts

Note
A trust does not inherently allow users in a trusted domain to have access to
resources in a trusting domain. Users have access when they are assigned
the appropriate permissions. In some cases, users in trusted domains may
have implicit access if the resources are assigned to Authenticated Users.

New Trust Wizard Terminology
You create trusts in Windows Server 2003 with the New Trust Wizard. Before you use the
New Trust Wizard, review the following terminology. Each highlighted term represents the
exact term as it is used in the wizard:

• This domain: The domain from which you launch the New Trust Wizard. When you
start the wizard, it immediately verifies your administrative credentials in the domain
for which you are the administrator. Therefore, the wizard uses the term “this domain”
to represent the domain that you are currently logged on to.

• Local domain / Local forest: The domain or forest where you start the New Trust
Wizard.

• Specified domain / Specified forest: The other domain or forest that this local
domain or local forest will trust. Although the New Trust Wizard is aware of the
domain context in which it is running, it does not have knowledge of the other domain
that you want to create the relationship with. After you type the name of the other
domain or forest in the Trust Name page, that name is used whenever the wizard
refers to the specified domain or specified forest.

• Two-way trust: A trust relationship between two domains in which both domains trust
each other. For example, domain A trusts domain B, and domain B trusts domain A.
All parent-child trusts are two-way trusts.

• One-way: incoming trust: A one-way trust relationship between two domains in
which the direction of the trust points toward the domain from which you start the
New Trust Wizard (and which is identified in the wizard as This domain). When the
direction of the trust points toward your domain, users in your domain can access
resources in the specified domain. For example, if you are the domain administrator
in domain A and you create a one-way, incoming trust to domain B, this provides a
relationship through which users who are located in domain A can access resources
in domain B. Because this relationship is one-way, users in domain B cannot access
resources in domain A.

• One-way: outgoing trust: A one-way trust relationship between two domains in
which the direction of the trust points toward the domain that is identified as
Specified domain in the New Trust Wizard. When the direction of trust points toward
the specified domain, users in the specified domain can access resources in your
domain. For example, if you are the domain administrator in domain A and you create
a one-way, outgoing trust to domain B, this provides a relationship through which
users who are located in domain B can access resources in domain A. Because this
relationship is one way, users in domain A cannot access resources in domain B.

• Both sides of the trust: When you create external trusts, shortcut trusts, or forest
trusts, you have the option to create each side of the trust separately or both sides of
the trust simultaneously. If you choose to create each side of the trust separately, you
must run the New Trust Wizard twice — once for each domain. When you create
trusts separately, you must supply the same trust password for each domain. As a
security best practice, all trust passwords should be strong passwords.

• Domain-wide authentication: An authentication setting that permits unrestricted
access by any users in the specified domain to all available shared resources that
are located in the local domain. This is the default authentication setting for external
trusts.

• Forest-wide authentication: An authentication setting that permits unrestricted
access by any users in the specified forest to all available shared resources that are
located in any of the domains in the local forest. This is the default authentication
setting for forest trusts.

• Selective authentication: An authentication setting that restricts access over an
external trust or forest trust to only those users in a specified domain or specified
forest who have been explicitly given authentication permissions to computer objects
(resource computers) that reside in the local domain or the local forest. This
authentication setting must be enabled manually.

• Trust password: An option in which both domains in a trust relationship share a
password, which is stored in the trusted domain object (TDO) in Active Directory.
When you choose this option, a strong trust password is generated automatically for
you. You must use the same password when you create a trust relationship in the
specified domain. If you choose to create both sides of the trust simultaneously, you
run the New Trust Wizard once.

Known Issues for Creating Domain and Forest Trusts
Review the following known issues before creating domain and forest trusts in
Windows Server 2003:

• You cannot delegate the creation of trusts to any user who is not a member of the
Domain Admins or Enterprise Admins groups. Even though you can grant a user the
Create TDO (Trusted Domain Object) right or the Delete TDO right in the System
container of a domain, the user will not be granted the right to create a trust. This
issue occurs because Netlogon and the trust-creation tools (Active Directory
Domains and Trusts and Netdom) are designed so that only members of the Domain
Admins group and the Enterprise Admins group can create trusts. However, any user
who is a member of the Incoming Forest Trust Builders group can create one-way,
incoming forest trusts to your forest. For more information about the Incoming Forest
Trust Builders group, see "How Domain and Forest Trusts Work" in the
Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=35356).

• When you are logged on locally to a domain controller and you try to create a new
trust by using Active Directory Domains and Trusts, the operation may be
unsuccessful and you may receive the message “Access denied.” This issue occurs
only if you are logged on locally to the domain controller as an ordinary user
(meaning that the user is not logged on as Administrator or as a member of any
administrative groups for the domain). By default, ordinary users are blocked from
logging on locally to a domain controller unless Group Policy is modified to permit
this.

• When you use Active Directory Domains and Trusts to create a trust, you may
</gr_replreplace>
<gr_replace lines="1458-1462" cat="reformat" orig="">
• Security identifier (SID)

• Domain Name System (DNS) name

• Network basic input/output system (NetBIOS) name
receive the message “Operation failed. Parameter incorrect.” This issue may occur if
you try to establish a trust relationship when the source domain and the target
domain have one or more of the following identifiers that are the same:

 Security identifier (SID)

 Domain Name System (DNS) name

 Network basic input/output system (NetBIOS) name

To resolve this issue, do one of the following before you try to create the trust, as
appropriate to your situation:

• Rename the conflicting identifier.

• Use a fully qualified domain name (FQDN) if there is a NetBIOS conflict.

• The option to create a forest trust does not appear in the New Trust Wizard. This
issue typically occurs when one or both of the Windows Server 2003 forests are not
set to the Windows Server 2003 forest functional level. For more information about
forest functional levels, see Active Directory Functional Levels Technical Reference
on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41698).

• There are restrictions in the number and types of trusts that can be created when you
target a Microsoft Windows Small Business Server 2003 domain.

Creating External Trusts
You can create an external trust to form a one-way or two-way, nontransitive trust with
domains that are outside your forest. External trusts are sometimes necessary when
users need access to resources that are located in a Windows NT 4.0 domain or in a
domain that is in a separate Active Directory forest that is not joined by a forest trust.

For example, if you have a Windows Server 2003–based domain whose users want to
gain access to resources that are stored in a Windows NT–based domain, you must
create a trust relationship in which the Windows NT–based domain trusts the users from
the Windows Server 2003–based domain. In this case, the Windows NT–based domain
is the trusting domain, and the Windows Server 2003–based domain is the trusted
domain.

For more information about external trusts, see "How Domain and Forest Trusts Work" in
the Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=35356).

Note
Trusts that are created between Windows NT 4.0 domains and Active Directory
domains are one-way and nontransitive, and they require network basic
input/output system (NetBIOS) name resolution.

Task requirements

You can use either of the following tools to perform the procedures for this task:

• Active Directory Domains and Trusts

• Netdom.exe

For more information about how to use the Netdom command-line tool to create an
external trust, see "Netdom.exe: Windows Domain Manager" in the
Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41700).

Note
If you have the appropriate administrative credentials for each domain, you can
create both sides of an external trust at the same time. To create both sides of
the trust simultaneously, follow the appropriate procedure below that contains
the words “both sides of the trust” in the procedure title. For example, the
procedure “Create a one-way, incoming, external trust for both sides of the trust”
provides the steps to follow when you have the administrative credentials for both
domains and you want to use the New Trust Wizard to create an incoming,
external trust in one operation. For more information about how the “both sides of
the trust” option works, see the section "Sides of Trust" in Appendix: New Trust
Wizard Pages.

You can create an external trust by using any of the following procedures, depending on
the requirements of your organization and the administrative credentials that you have
when you create the trust:

• Create a one-way, incoming, external trust for one side of the trust

• Create a one-way, incoming, external trust for both sides of the trust

• Create a one-way, outgoing, external trust for one side of the trust

• Create a one-way, outgoing, external trust for both sides of the trust

• Create a two-way, external trust for one side of the trust

• Create a two-way, external trust for both sides of the trust

Create a one-way, incoming, external trust for one side of the trust
This procedure creates one side of a one-way, incoming, external trust. Although one side
of a trust will be created successfully, the new trust will not function until the administrator
for the reciprocal domain uses his or her credentials to create the second side of the
trust. If you have administrative credentials for both domains that are involved in the trust,
you can use the procedure Create a one-way, incoming, external trust for both sides of
the trust to create both sides of the trust in one simultaneous operation.

A one-way, incoming, external trust allows users in your domain (the domain that you are
logged on to at the time that you run the New Trust Wizard) to access resources in
another Active Directory domain (outside your forest) or in a Windows NT 4.0 domain.
For example, if you are the administrator of sales.wingtiptoys.com and users in that
domain need to access resources in the marketing.tailspintoys.com domain (which is
located in another forest), you can use this procedure (in conjunction with another
procedure, which is executed by the administrator in the other forest) to establish one
side of the relationship so that users in your domain can access resources in the
marketing.tailspintoys.com domain.

You can create this external trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create an external trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.

To create a one-way, incoming, external trust for one side of the trust
1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain that you want to establish a trust with,
and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.

5. On the Trust Type page, click External trust, and then click Next.

6. On the Direction of Trust page, click One-way: incoming, and then click Next.

For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.

7. On the Sides of Trust page, click This domain only, and then click Next.

For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.

8. On the Trust Password page, type the trust password twice, and then click
Next.

With the administrator of the other domain, agree on a secure channel password
to be used in establishing the trust.

9. On the Trust Selections Complete page, review the results, and then click Next.

10. On the Trust Creation Complete page, review the results, and then click Next.

11. On the Confirm Incoming Trust page, do one of the following:

• If you do not want to confirm this trust, click No, do not confirm the
incoming trust.

• If you want to confirm this trust, click Yes, confirm the incoming trust, and
then supply the appropriate administrative credentials from the specified
domain.

12. On the Completing the New Trust Wizard page, click Finish.

Note
For this trust to function, the domain administrator for the specified domain or
specified forest must follow the procedure Create a one-way, outgoing, external
trust for one side of the trust, using his or her administrative credentials and the
exact same trust password that was used during this procedure.
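The following PowerShell script is an added example, not part of this guide or of any Microsoft tool; it serves the best practice of keeping a current list of trusts with Nltest.exe, the New Trust Wizard terminology above, and the procedure just described. It parses the output of nltest /domain_trusts /all_trusts, restates each trust in the wizard's incoming/outgoing terms as seen from the domain it ran in, diffs the list against a baseline so an unexpected trust stands out, and confirms that the trust you just created is listed with the direction you intended. The nltest line layout is assumed from its usual output; the sample output, the OLDRESOURCES domain and the baseline are constructed.

```powershell
# Added example (not from the Operations Guide or any Microsoft tool).
# Assumed: nltest's usual line layout. Constructed: sample output and baseline.

function ConvertFrom-NltestTrusts {
    param([Parameter(Mandatory)][string[]]$Lines)

    # A trust line looks like:
    #   1: FABRIKAM fabrikam.com (NT 5) (Direct Outbound) (Direct Inbound) ( Attr: foresttrans )
    # Windows NT 4.0 domains carry no DNS name, so that field is optional.
    $pattern = '^\s*(\d+):\s+(\S+)(?:\s+(\S+\.\S+))?\s+\((NT [45])\)\s*(.*)$'
    foreach ($line in $Lines) {
        if (-not ($line -match $pattern)) { continue }
        $netbios = $Matches[2]
        $dns     = if ($Matches[3]) { $Matches[3] } else { '' }
        $level   = $Matches[4]
        $flags   = $Matches[5]
        $attrs   = if ($flags -match 'Attr:\s*([^)]*)') { $Matches[1].Trim() -split '\s+' } else { @() }

        # nltest's flags in the wizard's vocabulary, seen from "this domain":
        #   Direct Inbound  = the other domain trusts this one -> One-way: incoming (users here reach its resources)
        #   Direct Outbound = this domain trusts the other one -> One-way: outgoing (its users reach resources here)
        $in  = $flags -like '*(Direct Inbound)*'
        $out = $flags -like '*(Direct Outbound)*'
        $direction = 'None'
        if     ($flags -like '*(Primary Domain)*') { $direction = 'This domain' }
        elseif ($in -and $out)                     { $direction = 'Two-way' }
        elseif ($in)                               { $direction = 'One-way: incoming' }
        elseif ($out)                              { $direction = 'One-way: outgoing' }

        $type = 'External trust'
        if     ($flags -like '*(Primary Domain)*')  { $type = 'Primary' }
        elseif ($attrs -contains 'withinforest')    { $type = 'Within forest (parent-child or shortcut)' }
        elseif ($attrs -contains 'foresttrans')     { $type = 'Forest trust' }

        [pscustomobject]@{
            Key       = if ($dns) { $dns.ToLower() } else { $netbios.ToUpper() }
            NetBios   = $netbios
            DnsName   = $dns
            Level     = $level    # "NT 5" = Active Directory domain, "NT 4" = Windows NT 4.0 domain
            Type      = $type
            Direction = $direction
        }
    }
}

function Compare-TrustBaseline {
    param([object[]]$Current, [object[]]$Baseline)
    # Report trusts that appeared, disappeared or changed direction since the
    # baseline was recorded (persist one with Export-Csv, reload with Import-Csv).
    $cur = @{}; foreach ($t in $Current)  { $cur[$t.Key] = $t }
    $old = @{}; foreach ($t in $Baseline) { $old[$t.Key] = $t }
    foreach ($k in $cur.Keys) {
        if (-not $old.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'ADDED'; Domain = $k; Direction = $cur[$k].Direction }
        } elseif ($old[$k].Direction -ne $cur[$k].Direction) {
            [pscustomobject]@{ Change = 'CHANGED'; Domain = $k;
                               Direction = "$($old[$k].Direction) -> $($cur[$k].Direction)" }
        }
    }
    foreach ($k in $old.Keys) {
        if (-not $cur.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'REMOVED'; Domain = $k; Direction = $old[$k].Direction }
        }
    }
}

function Test-ExpectedTrust {
    param([object[]]$Trusts, [string]$Domain, [string]$Direction)
    # After a New Trust Wizard run, confirm the trust is listed with the direction
    # you intended; a mismatch usually means incoming and outgoing were swapped.
    $t = $Trusts | Where-Object { $_.Key -eq $Domain.ToLower() }
    [bool]($t -and $t.Direction -eq $Direction)
}

# --- Demonstration on constructed output; "this domain" is sales.wingtiptoys.com ---
$sample = @'
List of domain trusts:
    0: SALES sales.wingtiptoys.com (NT 5) (Forest: 1) (Primary Domain) (Native)
    1: WINGTIPTOYS wingtiptoys.com (NT 5) (Forest Tree Root) (Direct Outbound) (Direct Inbound) ( Attr: withinforest )
    2: MARKETING marketing.tailspintoys.com (NT 5) (Direct Inbound)
    3: OLDRESOURCES (NT 4) (Direct Outbound)
The command completed successfully
'@ -split "`r?`n"

$current = ConvertFrom-NltestTrusts -Lines $sample
$current | Format-Table Key, Level, Type, Direction -AutoSize

# Baseline recorded before the marketing.tailspintoys.com trust existed.
$baseline = $current | Where-Object { $_.Key -ne 'marketing.tailspintoys.com' }
Compare-TrustBaseline -Current $current -Baseline $baseline | Format-Table -AutoSize

# Outcome of "Create a one-way, incoming, external trust", checked from
# sales.wingtiptoys.com: the new trust must be listed as One-way: incoming.
Test-ExpectedTrust -Trusts $current -Domain 'marketing.tailspintoys.com' -Direction 'One-way: incoming'

# Live use on a domain member or domain controller:
#   $live = ConvertFrom-NltestTrusts -Lines (nltest /domain_trusts /all_trusts)
#   $live | Export-Csv .\trust-baseline.csv -NoTypeInformation
```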

Create a one-way, incoming, external trust for both sides of the trust
This procedure creates both sides of a one-way, incoming, external trust, and it requires
you to have administrative credentials for your domain as well as for the reciprocal domain.
If you have administrative credentials only for your domain, you can use the procedure
Create a one-way, incoming, external trust for one side of the trust to create your side of
the trust. Then, have the administrator for the reciprocal domain create a one-way,
outgoing, external trust from his or her domain.

A one-way, incoming, external trust allows users in your domain (the domain that you are
logged on to at the time that you run the New Trust Wizard) to access resources in
another Active Directory domain (outside your forest) or in a Windows NT 4.0 domain.
For example, if you are the administrator of sales.wingtiptoys.com and users in that
domain need to access resources in the marketing.tailspintoys.com domain (which is
located in another forest), you can use this procedure to establish a relationship so that
users in your domain can access resources in the marketing.tailspintoys.com domain.

You can create this external trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create an external trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.

To create a one-way, incoming, external trust for both sides of the trust
1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain that you want to establish a trust with,
and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.

5. On the Trust Type page, click External trust, and then click Next.

6. On the Direction of Trust page, click One-way: incoming, and then click Next.

For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.

7. On the Sides of Trust page, click Both this domain and the specified domain,
and then click Next.

For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.

8. On the User Name and Password page, type the user name and password for
the appropriate administrator in the specified domain.

9. On the Outgoing Trust Authentication Level--Specified Domain page, do one
of the following, and then click Next:

• Click Domain-wide authentication.

• Click Selective authentication.

10. On the Trust Selections Complete page, review the results, and then click
Next.

11. On the Trust Creation Complete page, review the results, and then click Next.

12. On the Confirm Incoming Trust page, do one of the following:

• If you do not want to confirm this trust, click No, do not confirm the
incoming trust.

• If you want to confirm this trust, click Yes, confirm the incoming trust, and
then supply the appropriate administrative credentials from the specified
domain.

13. On the Completing the New Trust Wizard page, click Finish.

Create a one-way, outgoing, external trust for one side of the trust
This procedure creates one side of a one-way, outgoing, external trust. Although one side
of a trust will be created successfully, the new trust will not function until the administrator
for the reciprocal domain uses his or her credentials to create the second side of the
trust. If you have administrative credentials for both domains that are involved in the trust,
you can use the procedure Create a one-way, outgoing, external trust for both sides of
the trust to create both sides of the trust in one simultaneous operation.

A one-way, outgoing, external trust will allow resources in your domain (the domain that
you are logged on to at the time that you run the New Trust Wizard) to be accessed by
users in a different Active Directory domain (outside your forest) or in a Windows NT 4.0
domain. For example, if you are the administrator of sales.wingtiptoys.com and you have
resources in that domain that need to be accessed by users in the
marketing.tailspintoys.com domain (which is located in another forest), you can use this
procedure to establish one side of the relationship so that users in the
marketing.tailspintoys.com domain can access the resources in sales.wingtiptoys.com.

You can create this external trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create an external trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.

To create a one-way, outgoing, external trust for one side of the trust
1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain that you want to establish a trust with,
and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.

5. On the Trust Type page, click External trust, and then click Next.

6. On the Direction of Trust page, click One-way: outgoing, and then click Next.

For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.

7. On the Sides of Trust page, click This domain only, and then click Next.

For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.

8. On the Outgoing Trust Authentication Level page, do one of the following, and
then click Next:

• Click Domain-wide authentication.

• Click Selective authentication.

9. On the Trust Password page, type the trust password twice, and then click
Next.

10. On the Trust Selections Complete page, review the results, and then click Next.

11. On the Trust Creation Complete page, review the results, and then click Next.

12. On the Confirm Outgoing Trust page, do one of the following:

• If you do not want to confirm this trust, click No, do not confirm the
outgoing trust. Note that if you do not confirm the trust at this stage, the
secure channel will not be established until the first time the trust is used by
users.

• If you want to confirm this trust, click Yes, confirm the outgoing trust, and
then supply the appropriate administrative credentials from the specified
domain.

13. On the Completing the New Trust Wizard page, click Finish.

Note
For this trust to function, the domain administrator for the specified domain or
specified forest must follow the procedure Create a one-way, incoming, external
trust for one side of the trust, using his or her administrative credentials and the
exact same trust password that was used during this procedure.

Create a one-way, outgoing, external trust for both sides of the trust
This procedure creates both sides of a one-way, outgoing, external trust, and it requires
you to have administrative credentials for your domain as well as for the reciprocal
domain. If you have administrative credentials only for your domain, you can use the
procedure Create a one-way, outgoing, external trust for one side of the trust to create
your side of the trust. Then, have the administrator for the reciprocal domain create a
one-way, incoming, external trust from his or her domain.

A one-way, outgoing, external trust allows resources in your domain (the domain that you
are logged on to at the time that you run the New Trust Wizard) to be accessed by users
in a different Active Directory domain (outside your forest) or in a Windows NT 4.0
domain. For example, if you are the administrator of sales.wingtiptoys.com and you have
resources in that domain that need to be accessed by users in the
marketing.tailspintoys.com domain (which is located in another forest), you can use this
procedure to establish one side of the relationship so that users in the
marketing.tailspintoys.com domain can access the resources in sales.wingtiptoys.com.

You can create this external trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create an external trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.

To create a one-way, outgoing, external trust for both sides of the trust
1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain that you want to establish a trust with,
and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.

5. On the Trust Type page, click External trust, and then click Next.

6. On the Direction of Trust page, click One-way: outgoing, and then click Next.

For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.

7. On the Sides of Trust page, click Both this domain and the specified domain,
and then click Next.

For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.

8. On the User Name and Password page, type the user name and password for
the appropriate administrator in the specified domain.

9. On the Outgoing Trust Authentication Level--Local Domain page, do one of
the following, and then click Next:

• Click Domain-wide authentication.

• Click Selective authentication.

10. On the Trust Selections Complete page, review the results, and then click
Next.

11. On the Trust Creation Complete page, review the results, and then click Next.

12. On the Confirm Outgoing Trust page, do one of the following:

• If you do not want to confirm this trust, click No, do not confirm the
outgoing trust. Note that if you do not confirm the trust at this stage, the
secure channel will not be established until the first time the trust is used by
users.

• If you want to confirm this trust, click Yes, confirm the outgoing trust, and
then supply the appropriate administrative credentials from the specified
domain.

13. On the Completing the New Trust Wizard page, click Finish.

Create a two-way, external trust for one side of the trust
This procedure creates one side of a two-way, external trust. Although one side of a trust
will be created successfully, the new trust will not function until the administrator for the
reciprocal domain uses his or her credentials to create the second side of the trust. If you
have administrative credentials for both domains that are involved in the trust, you can
use the procedure Create a two-way, external trust for both sides of the trust to create
both sides of the trust in one simultaneous operation.

A two-way, external trust allows users in your domain (the domain that you are logged on
to at the time that you run the New Trust Wizard) and users in the reciprocal domain to
access resources in either of the two domains.

You can create this external trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create an external trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.

To create a two-way, external trust for one side of the trust
1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain node for the domain that you want to
establish a trust with, and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.

5. On the Trust Type page, click External trust, and then click Next.

6. On the Direction of Trust page, click Two-way, and then click Next.

For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.

7. On the Sides of Trust page, click This domain only, and then click Next.

For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.

8. On the Outgoing Trust Authentication Level page, do one of the following, and
then click Next:

• Click Domain-wide authentication.

• Click Selective authentication.

9. On the Trust Password page, type the trust password twice, and then click
Next.

10. On the Trust Selections Complete page, review the results, and then click Next.

11. On the Trust Creation Complete page, review the results, and then click Next.

12. On the Confirm Outgoing Trust page, do one of the following:

• If you do not want to confirm this trust, click No, do not confirm the
outgoing trust. Note that if you do not confirm the trust at this stage, the
secure channel will not be established until the first time the trust is used by
users.

• If you want to confirm this trust, click Yes, confirm the outgoing trust, and
then supply the appropriate administrative credentials from the specified
domain.

13. On the Confirm Incoming Trust page, do one of the following:

• If you do not want to confirm this trust, click No, do not confirm the
incoming trust.

• If you want to confirm this trust, click Yes, confirm the incoming trust, and
then supply the appropriate administrative credentials from the specified
domain.

14. On the Completing the New Trust Wizard page, click Finish.

Note
For this trust to function, the domain administrator for the specified domain or
specified forest must follow this same procedure, using his or her administrative
credentials and the exact same trust password that was used during this
procedure.

Create a two-way, external trust for both sides of the trust
This procedure creates both sides of a two-way, external trust, and it requires you to have
administrative credentials for your domain as well as for the reciprocal domain. If you
have administrative credentials only for your domain, you can use the procedure Create a
two-way, external trust for one side of the trust to create your side of the trust. Then, have
the administrator for the reciprocal domain create a one-way, outgoing, external trust from
his or her domain.

A two-way, external trust allows users in your domain (the domain that you are logged on
to at the time that you run the New Trust Wizard) and users in the reciprocal domain to
access resources in either of the two domains.

You can create this external trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create an external trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To complete this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.

To create a two-way, external trust for both sides of the trust
1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain that you want to establish a trust with,
and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.

5. On the Trust Type page, click External trust, and then click Next.

6. On the Direction of Trust page, click Two-way, and then click Next.

For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.

7. On the Sides of Trust page, click Both this domain and the specified domain,
and then click Next.

For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.

8. On the User Name and Password page, type the user name and password for
the appropriate administrator in the specified domain.

9. On the Outgoing Trust Authentication Level--Local Domain page, do one of
the following, and then click Next:

• Click Domain-wide authentication.

• Click Selective authentication.

10. On the Outgoing Trust Authentication Level--Specified Domain page, do one
of the following, and then click Next:

• Click Domain-wide authentication.

• Click Selective authentication.

11. On the Trust Selections Complete page, review the results, and then click
Next.

12. On the Trust Creation Complete page, review the results, and then click Next.

13. On the Confirm Outgoing Trust page, do one of the following:

• If you do not want to confirm this trust, click No, do not confirm the
outgoing trust. Note that if you do not confirm the trust at this stage, the
secure channel will not be established until the first time the trust is used by
users.

• If you want to confirm this trust, click Yes, confirm the outgoing trust, and
then supply the appropriate administrative credentials from the specified
domain.

14. On the Confirm Incoming Trust page, do one of the following:

• If you do not want to confirm this trust, click No, do not confirm the
incoming trust.

• If you want to confirm this trust, click Yes, confirm the incoming trust, and
then supply the appropriate administrative credentials from the specified
domain.

15. On the Completing the New Trust Wizard page, click Finish.

Creating Shortcut Trusts
A shortcut trust is a manually created trust that shortens the trust path to improve the
speed at which authentications, which are made between domain trees, are processed.
This can result in faster logon times and faster access to resources. A trust path is a
chain of multiple trusts that enables trust between domains that are not adjacent in the
domain namespace. For example, if users in domain A need to gain access to resources
in domain C, you can create a direct link from domain A to domain C through a shortcut
trust relationship, bypassing domain B in the trust path.

For more information about shortcut trusts, see "How Domain and Forest Trusts Work" in
the Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=35356).

Task requirements

You can use either of the following tools to perform the procedures for this task:

• Active Directory Domains and Trusts

• Netdom.exe

For more information about how to use the Netdom command-line tool to create a
shortcut trust, see "Netdom.exe: Windows Domain Manager" in the
Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41700).

Note
If you have the appropriate administrative credentials for each domain, you can
create both sides of a shortcut trust at the same time. To create both sides of the
trust, follow the appropriate procedure below that contains the words “for both
sides of the trust” in the title. For example, the procedure “Create a one-way,
incoming, shortcut trust for both sides of the trust” explains how to configure both
sides of a shortcut trust. For more information about how the “both sides of the
trust” option works, see the section "Sides of Trust" in Appendix: New Trust
Wizard Pages.

You can create a shortcut trust by using any of the following procedures, depending on
the requirements of your organization and the administrative credentials that you have
when you create the trust:

• Create a one-way, incoming, shortcut trust for one side of the trust

• Create a one-way, incoming, shortcut trust for both sides of the trust

• Create a one-way, outgoing, shortcut trust for one side of the trust

• Create a one-way, outgoing, shortcut trust for both sides of the trust

• Create a two-way, shortcut trust for one side of the trust

• Create a two-way, shortcut trust for both sides of the trust

Create a one-way, incoming, shortcut trust for one side of the trust
This procedure creates one side of a one-way, incoming, shortcut trust. Although one side
of a trust will be created successfully, the new trust will not function until the administrator
for the reciprocal domain uses his or her credentials to create the second side of the
trust. If you have administrative credentials for both domains that are involved in the trust,
you can use the procedure Create a one-way, incoming, shortcut trust for both sides of
the trust to create both sides in one simultaneous operation.

A one-way, incoming, shortcut trust allows users in your domain (the domain that you are
logged on to at the time that you run the New Trust Wizard) to more quickly access
resources in another domain (which is nested within another domain tree) in your forest.
For example, if you are the administrator of sales.wingtiptoys.com and users in that
domain need to access resources in the marketing.tailspintoys.com domain (which is a
child domain of the tailspintoys.com tree root domain), you can use this procedure to
establish one side of the relationship so that users in your domain can more quickly
access resources in the marketing.tailspintoys.com domain.

You can create this shortcut trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a shortcut trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.

To create a one-way, incoming, shortcut trust for one side of the trust
1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain node for the domain that you want to
establish a trust with, and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.

5. On the Trust Type page, click External trust, and then click Next.

6. On the Direction of Trust page, click One-way: incoming, and then click Next.

For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.

7. On the Sides of Trust page, click This domain only, and then click Next.

For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.

8. On the Trust Password page, type the trust password twice, and then click
Next.

9. On the Trust Selections Complete page, review the results, and then click
Next.

10. On the Trust Creation Complete page, review the results, and then click Next.

11. On the Confirm Incoming Trust page, do one of the following:

• If you do not want to confirm this trust, click No, do not confirm the
incoming trust.

• If you want to confirm this trust, click Yes, confirm the incoming trust, and
then supply the appropriate administrative credentials from the specified
domain.

12. On the Completing the New Trust Wizard page, click Finish.

Note
For this trust to function, the domain administrator for the specified domain or
specified forest must follow the procedure Create a one-way, outgoing, shortcut
trust for one side of the trust, using his or her administrative credentials and the
exact same trust password that was used during this procedure.

Create a one-way, incoming, shortcut trust for both sides of the trust
This procedure creates both sides of a one-way, incoming, shortcut trust, and it requires
you to have administrative credentials for your domain as well as for the reciprocal domain.
If you have administrative credentials only for your domain, you can use the procedure
Create a one-way, incoming, shortcut trust for one side of the trust to create your side of
the trust. Then, have the administrator for the reciprocal domain create a one-way,
outgoing, shortcut trust from his or her domain.

A one-way, incoming, shortcut trust allows users in your domain (the domain that you are
logged on to at the time that you run the New Trust Wizard) to more quickly access
resources in another domain (which is nested within another domain tree) in your forest.
For example, if you are the administrator of sales.wingtiptoys.com and users in that
domain need to access resources in the marketing.tailspintoys.com domain (which is a
child domain of the tailspintoys.com tree root domain), you can use this procedure to
establish one side of the relationship so that users in your domain can more quickly
access resources in the marketing.tailspintoys.com domain.

You can create this shortcut trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a shortcut trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.

To create a one-way, incoming, shortcut trust for both sides of the trust
1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain node for the domain that you want to
establish a trust with, and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.

5. On the Trust Type page, click External trust, and then click Next.

6. On the Direction of Trust page, click One-way: incoming, and then click Next.

For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.

7. On the Sides of Trust page, click Both this domain and the specified domain,
and then click Next.

For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.

8. On the User Name and Password page, type the user name and password for
the appropriate administrator in the specified domain.

9. On the Trust Selections Complete page, review the results, and then click
Next.

10. On the Trust Creation Complete page, review the results, and then click Next.

11. On the Confirm Incoming Trust page, do one of the following:

• If you do not want to confirm this trust, click No, do not confirm the
incoming trust.

• If you want to confirm this trust, click Yes, confirm the incoming trust, and
then supply the appropriate administrative credentials from the specified
domain.

12. On the Completing the New Trust Wizard page, click Finish.

Create a one-way, outgoing, shortcut trust for one side of the trust
This procedure creates one side of a one-way, outgoing, shortcut trust. Although one side
of a trust will be created successfully, the new trust will not function until the administrator
for the reciprocal domain uses his or her credentials to create the second side of the
trust. If you have administrative credentials for both domains that are involved in the trust,
you can use the procedure Create a one-way, outgoing, shortcut trust for both sides of
the trust to create both sides of the trust in one simultaneous operation.

A one-way, outgoing, shortcut trust allows resources in your domain (the domain that you
are logged on to at the time that you run the New Trust Wizard) to be accessed more
quickly by users in another domain (which is nested within another domain tree) in your
forest. For example, if you are the administrator of marketing.tailspintoys.com and
resources in that domain need to be accessed by users in the sales.wingtiptoys.com
domain (which is a child domain of the wingtiptoys.com tree root domain), you can use
this procedure to establish one side of the relationship so that users in the
sales.wingtiptoys.com domain can more quickly access resources in the
marketing.tailspintoys.com domain.

You can create this shortcut trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a shortcut trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.

To create a one-way, outgoing, shortcut trust for one side of the trust
1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain that you want to establish a trust with,
and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.

5. On the Trust Type page, click External trust, and then click Next.

6. On the Direction of Trust page, click One-way: outgoing, and then click Next.

For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.

7. On the Sides of Trust page, click This domain only, and then click Next.

For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.

8. On the Trust Password page, type the trust password twice, and then click
Next.

9. On the Trust Selections Complete page, review the results, and then click
Next.

10. On the Trust Creation Complete page, review the results, and then click Next.

11. On the Confirm Outgoing Trust page, do one of the following:

• If you do not want to confirm this trust, click No, do not confirm the
outgoing trust. Note that if you do not confirm the trust at this stage, the
secure channel will not be established until the first time the trust is used by
users.

• If you want to confirm this trust, click Yes, confirm the outgoing trust, and
then supply the appropriate administrative credentials from the specified
domain.

12. On the Completing the New Trust Wizard page, click Finish.

Note
For this trust to function, the domain administrator for the specified domain or
specified forest must follow the procedure Create a one-way, incoming, shortcut
trust for one side of the trust, using his or her administrative credentials and the
exact same trust password that was used during this procedure.

Create a one-way, outgoing, shortcut trust for both sides of the trust
This procedure creates both sides of a one-way, outgoing, shortcut trust, and it requires
that you have administrative credentials for your domain as well as for the reciprocal
domain. If you have administrative credentials only for your domain, you can use the
procedure Create a one-way, outgoing, shortcut trust for one side of the trust to create
your side of the trust. Then, have the administrator for the reciprocal domain create a
one-way, incoming, shortcut trust from his or her domain.

A one-way, outgoing, shortcut trust allows resources in your domain (the domain that you
are logged on to at the time that you run the New Trust Wizard) to be accessed more
quickly by users in another domain (which is nested within another domain tree) in your
forest. For example, if you are the administrator of marketing.tailspintoys.com and
resources in that domain need to be accessed by users in the sales.wingtiptoys.com
domain (which is a child domain of the wingtiptoys.com tree root domain), you can use
this procedure to establish one side of the relationship so that users in the
sales.wingtiptoys.com domain can more quickly access resources in the
marketing.tailspintoys.com domain.

You can create this shortcut trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a shortcut trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.

To create a one-way, outgoing, shortcut trust for both sides of the trust
1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain node for the domain that you want to
establish a trust with, and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.

5. On the Trust Type page, click External trust, and then click Next.

6. On the Direction of Trust page, click One-way: outgoing, and then click Next.

For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.

7. On the Sides of Trust page, click Both this domain and the specified domain,
and then click Next.

For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.

8. On the User Name and Password page, type the user name and password for
the appropriate administrator in the specified domain.

9. On the Trust Selections Complete page, review the results, and then click
Next.

10. On the Trust Creation Complete page, review the results, and then click Next.

11. On the Confirm Outgoing Trust page, do one of the following:

• If you do not want to confirm this trust, click No, do not confirm the
outgoing trust. Note that if you do not confirm the trust at this stage, the
secure channel will not be established until the first time the trust is used by
users.

• If you want to confirm this trust, click Yes, confirm the outgoing trust, and
then supply the appropriate administrative credentials from the specified
domain.

12. On the Completing the New Trust Wizard page, click Finish.

Create a two-way, shortcut trust for one side of the trust
This procedure creates one side of a two-way, shortcut trust. Although one side of a trust
will be created successfully, the new trust will not function until the administrator for the
reciprocal domain uses his or her credentials to create the second side of the trust. If you
have administrative credentials for both domains that are involved in the trust, you can
use the procedure Create a two-way, shortcut trust for both sides of the trust to create
both sides of the trust in one simultaneous operation.

A two-way, shortcut trust allows users in your domain (the domain that you are logged on
to at the time that you run the New Trust Wizard) and users in the reciprocal domain to
more quickly access resources in either domain (when both domains are separated by a
domain tree) in your forest.

You can create this shortcut trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a shortcut trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.

To create a two-way, shortcut trust for one side of the trust
1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain node for the domain that you want to
establish a trust with, and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.

5. On the Trust Type page, click External trust, and then click Next.

6. On the Direction of Trust page, click Two-way, and then click Next.

For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.

7. On the Sides of Trust page, click This domain only, and then click Next.

For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.

8. On the Trust Password page, type the trust password twice, and then click
Next.

9. On the Trust Selections Complete page, review the results, and then click Next.

10. On the Trust Creation Complete page, review the results, and then click Next.

11. On the Confirm Outgoing Trust page, do one of the following:

• If you do not want to confirm this trust, click No, do not confirm the
outgoing trust. Note that if you do not confirm the trust at this stage, the
secure channel will not be established until the first time the trust is used by
users.

• If you want to confirm this trust, click Yes, confirm the outgoing trust, and
then supply the appropriate administrative credentials from the specified
domain.

12. On the Confirm Incoming Trust page, do one of the following:

• If you do not want to confirm this trust, click No, do not confirm the
incoming trust.

• If you want to confirm this trust, click Yes, confirm the incoming trust, and
then supply the appropriate administrative credentials from the specified
domain.

13. On the Completing the New Trust Wizard page, click Finish.

Note
For this trust to function, the domain administrator for the specified domain must
follow this same procedure using his or her administrative credentials and the
exact same trust password that was used during this procedure.
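The wizard choices made in the procedures above (direction of trust, external versus shortcut, domain-wide versus selective authentication) are stored on the trustedDomain object of each domain, and a periodic check of those objects is how an administrator confirms that the trusts in place still match what was intended. The following Python is an added example, not code from this guide: it decodes the trustDirection, trustType and trustAttributes values (as documented for the trustedDomain class in [MS-ADTS] section 6.1.6.7) and flags outgoing external trusts that use domain-wide authentication or lack SID filtering. The records in SAMPLE_TRUSTS are constructed for the example; in practice they would be read from the System container of the domain over LDAP.

```python
"""Classify Active Directory trustedDomain objects and flag trusts to review.

Added example, not code from the Windows Server 2003 Active Directory
Operations Guide.  The trustDirection, trustType and trustAttributes values
are the ones documented for the trustedDomain class in [MS-ADTS] section
6.1.6.7; the records in SAMPLE_TRUSTS are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# trustDirection: which way authentication flows, seen from this domain.
TRUST_DIRECTION = {1: "one-way: incoming", 2: "one-way: outgoing", 3: "two-way"}
OUTBOUND_BIT = 2  # set for 2 (outgoing) and 3 (two-way): this domain trusts the partner

# trustType: what kind of domain the partner is.
TRUST_TYPE = {1: "Windows NT 4.0 domain", 2: "Active Directory domain", 3: "MIT Kerberos realm"}

# trustAttributes bit flags.
NON_TRANSITIVE = 0x01      # external trusts are non-transitive
UPLEVEL_ONLY = 0x02
QUARANTINED_DOMAIN = 0x04  # SID filtering ("quarantine") enabled
FOREST_TRANSITIVE = 0x08   # forest trust
CROSS_ORGANIZATION = 0x10  # "Selective authentication" chosen in the wizard
WITHIN_FOREST = 0x20       # shortcut trust (partner is in the same forest)
TREAT_AS_EXTERNAL = 0x40


@dataclass
class TrustInfo:
    partner: str
    direction: str
    kind: str           # "external", "shortcut", "forest" or "realm"
    auth_level: str     # "selective" or "domain-wide"
    sid_filtering: bool
    transitive: bool


def decode_trust(record: Dict[str, object]) -> TrustInfo:
    """Turn the raw attribute values of one trustedDomain object into a TrustInfo."""
    attrs = int(record["trustAttributes"])
    direction = int(record["trustDirection"])
    trust_type = int(record["trustType"])
    if attrs & WITHIN_FOREST:
        kind = "shortcut"
    elif attrs & FOREST_TRANSITIVE:
        kind = "forest"
    elif trust_type == 3:
        kind = "realm"
    else:
        kind = "external"
    return TrustInfo(
        partner=str(record["trustPartner"]),
        direction=TRUST_DIRECTION.get(direction, f"unknown ({direction})"),
        kind=kind,
        auth_level="selective" if attrs & CROSS_ORGANIZATION else "domain-wide",
        sid_filtering=bool(attrs & QUARANTINED_DOMAIN),
        transitive=not (attrs & NON_TRANSITIVE),
    )


def audit_trusts(records: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (partner, issue) pairs for outgoing external trusts worth reviewing.

    Only trusts through which this domain accepts the partner's users matter
    here (outgoing or two-way): a shortcut trust stays inside the forest, and
    an incoming-only trust exposes no resources of this domain.
    """
    findings = []
    for record in records:
        info = decode_trust(record)
        outbound = int(record["trustDirection"]) & OUTBOUND_BIT
        if info.kind != "external" or not outbound:
            continue
        if not info.sid_filtering:
            findings.append((info.partner, "sid-filtering-disabled"))
        if info.auth_level == "domain-wide":
            findings.append((info.partner, "domain-wide-authentication"))
    return findings


# Constructed sample: four trustedDomain objects as they might look in
# sales.wingtiptoys.com after the procedures in this guide (values invented).
SAMPLE_TRUSTS = [
    {"trustPartner": "marketing.tailspintoys.com", "trustDirection": 2, "trustType": 2,
     "trustAttributes": NON_TRANSITIVE | QUARANTINED_DOMAIN},   # external, outgoing, domain-wide
    {"trustPartner": "corp.fabrikam.com", "trustDirection": 3, "trustType": 2,
     "trustAttributes": NON_TRANSITIVE | CROSS_ORGANIZATION},   # external, two-way, no SID filtering
    {"trustPartner": "eng.contoso.com", "trustDirection": 3, "trustType": 2,
     "trustAttributes": WITHIN_FOREST},                          # shortcut to another tree, same forest
    {"trustPartner": "LEGACYNT", "trustDirection": 1, "trustType": 1,
     "trustAttributes": NON_TRANSITIVE},                         # Windows NT 4.0 domain, incoming only
]


if __name__ == "__main__":
    for record in SAMPLE_TRUSTS:
        info = decode_trust(record)
        print(f"{info.partner:28} {info.kind:9} {info.direction:18} {info.auth_level:11} "
              f"SID filtering={'on' if info.sid_filtering else 'off'}")
    for partner, issue in audit_trusts(SAMPLE_TRUSTS):
        print(f"REVIEW: {partner}: {issue}")
```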

Create a two-way, shortcut trust for both sides of the trust
This procedure creates both sides of a two-way, shortcut trust, and it requires you to have
administrative credentials for your domain as well as for the reciprocal domain. If you
have administrative credentials only for your domain, you can use the procedure Create a
two-way, shortcut trust for one side of the trust to create your side of the trust. Then, have
the administrator for the reciprocal domain create a two-way, shortcut trust from his or her
domain.

A two-way, shortcut trust allows users in your domain (the domain that you are logged on
to at the time that you run the New Trust Wizard) and users in the reciprocal domain to
more quickly access resources in either domain (when both domains are separated by a
domain tree) in your forest.

You can create this shortcut trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a shortcut trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.

To create a two-way, shortcut trust for both sides of the trust
1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain node for the domain that you want to
establish a trust with, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.

5. For a shortcut trust the wizard does not display the Trust Type page, because it
recognizes the specified domain as a member of your forest. If a Trust Type page
offering External trust or Forest trust appears, the name that you typed did not
resolve to a domain in your forest; click Back and correct it before you continue.

6. On the Direction of Trust page, click Two-way, and then click Next.

For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.

7. On the Sides of Trust page, click Both this domain and the specified domain,
and then click Next.

For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.

8. On the User Name and Password page, type the user name and password for
the appropriate administrator in the specified domain.

9. On the Trust Selections Complete page, review the results, and then click Next.

10. On the Trust Creation Complete page, review the results, and then click Next.

11. On the Confirm Outgoing Trust page, do one of the following:

 If you do not want to confirm this trust, click No, do not confirm the
outgoing trust. Note that if you do not confirm the trust at this stage, the
secure channel will not be established until the first time the trust is used by
users.

 If you want to confirm this trust, click Yes, confirm the outgoing trust, and
then supply the appropriate administrative credentials from the specified
domain.

12. On the Confirm Incoming Trust page, do one of the following:

 If you do not want to confirm this trust, click No, do not confirm the
incoming trust.

 If you want to confirm this trust, click Yes, confirm the incoming trust, and
then supply the appropriate administrative credentials from the specified
domain.

13. On the Completing the New Trust Wizard page, click Finish.

Creating Forest Trusts
You can link two separate Windows Server 2003 forests together with a one-way or
two-way, transitive trust relationship. A two-way, forest trust forms a transitive trust
relationship between every domain in one forest and every domain in the other forest.

For more information about forest trusts, see "How Domain and Forest Trusts Work" in
the Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=35356).

Task requirements

The following requirements, features, or settings are necessary to create forest trusts
successfully:

 You can create a forest trust only between two Windows Server 2003 forests, and it is
transitive only between those two forests: if forest A trusts forest B and forest B trusts
forest C, forest A does not implicitly trust forest C.

 To create a forest trust, you must set the forest functional level for both of the
Windows Server 2003 forests that are involved in the trust relationship to
Windows Server 2003. For more information about functional levels, see Active
Directory Functional Levels Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41698).

 To create a forest trust successfully, you must set up your Domain Name System
(DNS) environment properly. If there is a root DNS server that you can make the root
DNS server for the DNS namespaces of both forests, make it the root server by
ensuring that the root zone contains delegations for each of the DNS namespaces.
Also, update the root hints of all DNS servers with the new root DNS server.

 If there is no shared root DNS server and the root DNS servers for each forest DNS
namespace are running a member of the Windows Server 2003 family, configure
DNS conditional forwarders in each DNS namespace to route queries for names in
the other namespace.

 If there is no shared root DNS server and the root DNS servers for each forest DNS
namespace are not running a member of the Windows Server 2003 family, configure
DNS secondary zones in each DNS namespace to route queries for names in the
other namespace. For more information about configuring DNS to work with
Active Directory, see DNS Support for Active Directory Technical Reference on the
Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41699).
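
The DNS preparation described in the bullets above, as an added example that is not
part of this guide: a PowerShell script that adds a conditional forwarder for the partner
forest's namespace with dnscmd and then checks that the domain controller locator
records the trust depends on actually resolve. It assumes Windows PowerShell 2.0 or
later on a Windows Server 2003 DNS server with the Support Tools (dnscmd.exe)
installed; tailspintoys.com is the guide's fictitious partner forest, and the addresses
10.0.0.10 and 10.0.0.11 are assumed addresses of that forest's DNS servers.

```powershell
# Added example, not part of the Operations Guide.
# Assumes: Windows PowerShell 2.0+ on a Windows Server 2003 DNS server with the
# Support Tools (dnscmd.exe) installed. tailspintoys.com is the guide's
# fictitious partner forest; 10.0.0.10 / 10.0.0.11 are assumed addresses of
# that forest's DNS servers.
param(
    [string]   $PartnerForest     = 'tailspintoys.com',
    [string[]] $PartnerDnsServers = @('10.0.0.10', '10.0.0.11'),
    [string]   $LocalDnsServer    = $env:COMPUTERNAME
)

function Add-PartnerForwarder {
    # Conditional forwarder for the partner namespace (the guide's second
    # DNS bullet). If the partner's DNS servers are not Windows Server 2003
    # (third bullet), use a secondary zone instead:
    #   dnscmd $LocalDnsServer /ZoneAdd $PartnerForest /Secondary $PartnerDnsServers
    # PowerShell passes each element of the array as its own argument.
    dnscmd $LocalDnsServer /ZoneAdd $PartnerForest /Forwarder $PartnerDnsServers
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd /ZoneAdd failed with exit code $LASTEXITCODE"
    }
}

function Test-PartnerForestDns {
    # The New Trust Wizard, and later every cross-forest logon, find the
    # partner's domain controllers through these SRV records.
    $records = @(
        "_ldap._tcp.dc._msdcs.$PartnerForest",      # domain controllers (LDAP)
        "_kerberos._tcp.dc._msdcs.$PartnerForest",  # key distribution centers
        "_ldap._tcp.gc._msdcs.$PartnerForest"       # global catalog servers
    )
    foreach ($name in $records) {
        # Windows nslookup prints one "svr hostname = <dc>" line per SRV answer.
        $text    = nslookup -type=SRV $name $LocalDnsServer 2>&1 | Out-String
        $targets = @([regex]::Matches($text, 'svr hostname\s*=\s*(\S+)') |
                     ForEach-Object { $_.Groups[1].Value })
        New-Object PSObject -Property @{
            Record   = $name
            Resolved = ($targets.Count -gt 0)
            Targets  = ($targets -join ', ')
        }
    }
}

Add-PartnerForwarder
$report = @(Test-PartnerForestDns)
$report | Format-Table Record, Resolved, Targets -AutoSize
if ($report | Where-Object { -not $_.Resolved }) {
    Write-Warning "Fix DNS before running the New Trust Wizard: $PartnerForest domain controllers cannot be located."
}
```

Run the check from a DNS server in each forest, because the trust needs name resolution in
both directions; a forwarder that works from wingtiptoys.com says nothing about whether
tailspintoys.com can locate your domain controllers.
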
You can use either of the following tools to perform the procedures for this task:

 Active Directory Domains and Trusts

 Netdom.exe

For more information about how to use the Netdom command-line tool to create a forest
trust, see "Netdom.exe: Windows Domain Manager" in the Windows Server 2003
Technical Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).

Note
If you have the appropriate administrative credentials for each forest, you can
create both sides of a forest trust at the same time. To create both sides of the
forest trust, follow the appropriate procedure below that contains the words “for
both sides of the trust” in the title. For example, the procedure “Create a one-way,
incoming, forest trust for both sides of the trust” explains how to configure both
sides of the trust. For more information about how the “both sides of the trust”
option works, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.

You can create a forest trust by using any one of the following procedures, depending on
the requirements of your organization and the administrative credentials that you have
when you create the trust:

 Create a one-way, incoming, forest trust for one side of the trust

 Create a one-way, incoming, forest trust for both sides of the trust

 Create a one-way, outgoing, forest trust for one side of the trust

 Create a one-way, outgoing, forest trust for both sides of the trust

 Create a two-way, forest trust for one side of the trust

 Create a two-way, forest trust for both sides of the trust

Create a one-way, incoming, forest trust for one side of the trust
This procedure creates one side of a one-way, incoming, forest trust. Although one side
of a trust will be created successfully, the new trust will not function until the administrator
for the reciprocal forest uses his or her credentials to create the second side of the trust.
If you have administrative credentials for both forests that are involved in the trust, you
can use the procedure Create a one-way, incoming, forest trust for both sides of the trust
to create both sides of the trust in one simultaneous operation.

A one-way, incoming, forest trust allows users in your Windows Server 2003 forest (the
forest that you are logged on to at the time that you run the New Trust Wizard) to access
resources in another Windows Server 2003 forest. For example, if you are the
administrator of the wingtiptoys.com forest and users in that forest need to access
resources in the tailspintoys.com forest, you can use this procedure to establish one side
of the relationship so that users in your forest can access resources in any of the
domains that make up the tailspintoys.com forest.

You can create this forest trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a forest trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group (in the
forest root domain) or the Enterprise Admins group in Active Directory. If you are a
member of the Incoming Forest Trust Builders group, you can create one-way, incoming,
forest trusts to your forest. For more information about the Incoming Forest Trust Builders
group, see "How Domain and Forest Trusts Work" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=35356).

To create a one-way, incoming, forest trust for one side of the trust
1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain node for the domain that you want to
establish a trust with, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.

5. On the Trust Type page, click Forest trust, and then click Next.

6. On the Direction of Trust page, click One-way: incoming, and then click Next.

For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.
7. On the Sides of Trust page, click This domain only, and then click Next.

For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.

8. On the Trust Password page, type the trust password twice, and then click
Next.

9. On the Trust Selections Complete page, review the results, and then click
Next.

10. On the Trust Creation Complete page, review the results, and then click Next.

11. On the Confirm Incoming Trust page, do one of the following:

 If you do not want to confirm this trust, click No, do not confirm the
incoming trust.

 If you want to confirm this trust, click Yes, confirm the incoming trust, and
then supply the appropriate administrative credentials from the specified
domain.

12. On the Completing the New Trust Wizard page, click Finish.

Note
For this trust to function, the domain administrator for the specified domain (the
forest root domain in the specified forest) must complete the procedure Create a
one-way, outgoing, forest trust for one side of the trust, using his or her
administrative credentials and the exact same trust password that was used during
this procedure.

Create a one-way, incoming, forest trust for both sides of the trust
This procedure creates both sides of a one-way, incoming, forest trust, and it requires you
to have administrative credentials for your forest as well as for the reciprocal forest. If you
have administrative credentials only for your forest, you can use the procedure Create a
one-way, incoming, forest trust for one side of the trust to create your side of the trust.
Then, have the administrator for the reciprocal forest create a one-way, outgoing, forest
trust from his or her forest, using the same trust password.
A one-way, incoming, forest trust allows users in your Windows Server 2003 forest (the
forest that you are logged on to at the time that you run the New Trust Wizard) to access
resources in another Windows Server 2003 forest. For example, if you are the
administrator of the wingtiptoys.com forest and users in that forest need to access
resources in the tailspintoys.com forest, you can use this procedure to establish one side
of the relationship so that users in your forest can access resources in any of the
domains that make up the tailspintoys.com forest.

You can create this forest trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a forest trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group (in the
forest root domain) or the Enterprise Admins group in Active Directory. If you are a
member of the Incoming Forest Trust Builders group, you can create one-way, incoming,
forest trusts to your forest. For more information about the Incoming Forest Trust Builders
group, see "How Domain and Forest Trusts Work" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=35356).

To create a one-way, incoming, forest trust for both sides of the trust
1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain that you want to establish a trust with,
and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.

5. On the Trust Type page, click Forest trust, and then click Next.

6. On the Direction of Trust page, click One-way: incoming, and then click Next.

For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.

7. On the Sides of Trust page, click Both this domain and the specified domain,
and then click Next.
For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.

8. On the User Name and Password page, type the user name and password for
the appropriate administrator in the specified domain.

9. On the Outgoing Trust Authentication Level--Specified Forest page, do one
of the following, and then click Next:

 Click Forest-wide authentication.

 Click Selective authentication.

10. On the Trust Selections Complete page, review the results, and then click
Next.

11. On the Trust Creation Complete page, review the results, and then click Next.

12. On the Confirm Incoming Trust page, do one of the following:

 If you do not want to confirm this trust, click No, do not confirm the
incoming trust.

 If you want to confirm this trust, click Yes, confirm the incoming trust, and
then supply the appropriate administrative credentials from the specified
domain.

13. On the Completing the New Trust Wizard page, click Finish.

Create a one-way, outgoing, forest trust for one side of the trust
This procedure creates one side of a one-way, outgoing, forest trust. Although one side of
a trust will be created successfully, the new trust will not function until the administrator
for the reciprocal forest uses his or her credentials to create the second side of the trust.
If you have administrative credentials for both forests that are involved in the trust, you
can use the procedure Create a one-way, outgoing, forest trust for both sides of the trust
to create both sides of the trust in one simultaneous operation.

A one-way, outgoing, forest trust allows resources in your Windows Server 2003 forest
(the forest that you are logged on to at the time that you run the New Trust Wizard) to be
accessed by users in another Windows Server 2003 forest. For example, if you are the
administrator of the wingtiptoys.com forest and resources in that forest need to be
accessed by users in the tailspintoys.com forest, you can use this procedure to establish
one side of the relationship so that users in the tailspintoys.com forest can access
resources in any of the domains that make up the wingtiptoys.com forest.

You can create this forest trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a forest trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group (in the
forest root domain) or the Enterprise Admins group in Active Directory. Membership in
the Incoming Forest Trust Builders group is not sufficient for this procedure: members of
that group can create only one-way, incoming, forest trusts to your forest, and this
procedure creates an outgoing trust. For more information about the Incoming Forest
Trust Builders group, see "How Domain and Forest Trusts Work" in the Windows
Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=35356).

To create a one-way, outgoing, forest trust for one side of the trust
1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain node for the domain that you want to
establish a trust with, and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.
5. On the Trust Type page, click Forest trust, and then click Next.

6. On the Direction of Trust page, click One-way: outgoing, and then click Next.

For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.

7. On the Sides of Trust page, click This domain only, and then click Next.

For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.

8. On the Outgoing Trust Authentication Level page, do one of the following, and
then click Next:

 Click Forest-wide authentication.

 Click Selective authentication.

9. On the Trust Password page, type the trust password twice, and then click
Next.

10. On the Trust Selections Complete page, review the results, and then click
Next.

11. On the Trust Creation Complete page, review the results, and then click Next.

12. On the Confirm Outgoing Trust page, do one of the following:

 If you do not want to confirm this trust, click No, do not confirm the
outgoing trust. Note that if you do not confirm the trust at this stage, the
secure channel will not be established until the first time the trust is used by
users.

 If you want to confirm this trust, click Yes, confirm the outgoing trust, and
then supply the appropriate administrative credentials from the specified
domain.

13. On the Completing the New Trust Wizard page, click Finish.

Note
For this trust to function, the domain administrator for the specified domain (the
forest root domain in the specified forest) must follow the procedure Create a
one-way, incoming, forest trust for one side of the trust, using his or her
administrative credentials and the exact same trust password that was used
during this procedure.

Create a one-way, outgoing, forest trust for both sides of the trust
This procedure creates both sides of a one-way, outgoing, forest trust, and it requires you
to have administrative credentials for your forest as well as for the reciprocal forest. If you
have administrative credentials only for your forest, you can use the procedure Create a
one-way, outgoing, forest trust for one side of the trust to create your side of the trust.
Then, have the administrator for the reciprocal forest create a one-way, incoming, forest
trust from his or her forest, using the same trust password.
A one-way, outgoing, forest trust allows resources in your Windows Server 2003 forest
(the forest that you are logged on to at the time that you run the New Trust Wizard) to be
accessed by users in another Windows Server 2003 forest. For example, if you are the
administrator of the wingtiptoys.com forest and resources in that forest need to be
accessed by users in the tailspintoys.com forest, you can use this procedure to establish
one side of the relationship so that users in the tailspintoys.com forest can access
resources in any of the domains that make up the wingtiptoys.com forest.

You can create this forest trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a forest trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group (in the
forest root domain) or the Enterprise Admins group in Active Directory. Membership in
the Incoming Forest Trust Builders group is not sufficient for this procedure: members of
that group can create only one-way, incoming, forest trusts to your forest, and this
procedure creates an outgoing trust. For more information about the Incoming Forest
Trust Builders group, see "How Domain and Forest Trusts Work" in the Windows
Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=35356).

To create a one-way, outgoing, forest trust for both sides of the trust
1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain that you want to establish a trust with,
and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.

5. On the Trust Type page, click Forest trust, and then click Next.

6. On the Direction of Trust page, click One-way: outgoing, and then click Next.

For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.

7. On the Sides of Trust page, click Both this domain and the specified domain,
and then click Next.
For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.

8. On the User Name and Password page, type the user name and password for
the appropriate administrator in the specified domain.

9. On the Outgoing Trust Authentication Level--Local Forest page, do one of
the following, and then click Next:

 Click Forest-wide authentication.

 Click Selective authentication.

10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.

12. On the Confirm Outgoing Trust page, do one of the following:

 If you do not want to confirm this trust, click No, do not confirm the
outgoing trust. Note that if you do not confirm the trust at this stage, the
secure channel will not be established until the first time the trust is used by
users.

 If you want to confirm this trust, click Yes, confirm the outgoing trust, and
then supply the appropriate administrative credentials from the specified
domain.

13. On the Completing the New Trust Wizard page, click Finish.

Create a two-way, forest trust for one side of the trust
This procedure creates one side of a two-way, forest trust. Although one side of a trust
will be created successfully, the new trust will not function until the administrator for the
reciprocal forest uses his or her credentials to create the second side of the trust. If you
have administrative credentials for both forests that are involved in the trust, you can use
the procedure Create a two-way, forest trust for both sides of the trust to create both
sides of the trust in one simultaneous operation.
A two-way, forest trust allows users in your forest (the forest that you are logged on to at
the time that you run the New Trust Wizard) and users in the reciprocal forest to access
resources in any of the domains in either of the two forests.

You can create this forest trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a forest trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group (in the
forest root domain) or the Enterprise Admins group in Active Directory. Membership in
the Incoming Forest Trust Builders group is not sufficient for this procedure: members of
that group can create only one-way, incoming, forest trusts to your forest, and a two-way
trust includes an outgoing side. For more information about the Incoming Forest Trust
Builders group, see "How Domain and Forest Trusts Work" in the Windows Server 2003
Technical Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=35356).

To create a two-way, forest trust for one side of the trust

1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain that you want to establish a trust with,
and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.

5. On the Trust Type page, click Forest trust, and then click Next.
6. On the Direction of Trust page, click Two-way, and then click Next.

For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.

7. On the Sides of Trust page, click This domain only, and then click Next.

For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.

8. On the Outgoing Trust Authentication Level page, do one of the following, and
then click Next:
 Click Forest-wide authentication.

 Click Selective authentication.

9. On the Trust Password page, type the trust password twice, and then click
Next.

10. On the Trust Selections Complete page, review the results, and then click Next.

11. On the Trust Creation Complete page, review the results, and then click Next.

12. On the Confirm Outgoing Trust page, do one of the following:

 If you do not want to confirm this trust, click No, do not confirm the
outgoing trust. Note that if you do not confirm the trust at this stage, the
secure channel will not be established until the first time the trust is used by
users.

 If you want to confirm this trust, click Yes, confirm the outgoing trust, and
then supply the appropriate administrative credentials from the specified
domain.

13. On the Confirm Incoming Trust page, do one of the following:

 If you do not want to confirm this trust, click No, do not confirm the
incoming trust.

 If you want to confirm this trust, click Yes, confirm the incoming trust, and
then supply the appropriate administrative credentials from the specified
domain.

14. On the Completing the New Trust Wizard page, click Finish.

Note
For this trust to function, the domain administrator in the specified forest must
follow this same procedure, using his or her administrative credentials and the
exact same trust password that was used during this procedure.

Create a two-way, forest trust for both sides of the trust
This procedure creates both sides of a two-way, forest trust, and it requires you to have
administrative credentials for your forest as well as for the reciprocal forest. If you have
administrative credentials only for your forest, you can use the procedure Create a two-
way, forest trust for one side of the trust to create your side of the trust. Then, have the
administrator for the reciprocal forest create a two-way, forest trust for one side of the
trust from his or her forest, using the same trust password.

A two-way, forest trust allows users in your forest (the forest that you are logged on to at
the time that you run the New Trust Wizard) and users in the reciprocal forest to access
resources in any of the domains in either of the two forests.

You can create this forest trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a forest trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group (in the
forest root domain) or the Enterprise Admins group in Active Directory. Membership in
the Incoming Forest Trust Builders group is not sufficient for this procedure: members of
that group can create only one-way, incoming, forest trusts to your forest, and a two-way
trust includes an outgoing side. For more information about the Incoming Forest Trust
Builders group, see "How Domain and Forest Trusts Work" in the Windows Server 2003
Technical Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=35356).

To create a two-way, forest trust for both sides of the trust

1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain node for the domain that you want to
establish a trust with, and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.

5. On the Trust Type page, click Forest trust, and then click Next.

6. On the Direction of Trust page, click Two-way, and then click Next.

For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.

7. On the Sides of Trust page, click Both this domain and the specified domain,
and then click Next.

For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.

8. On the User Name and Password page, type the user name and password for
the appropriate administrator in the specified domain.

9. On the Outgoing Trust Authentication Level--Local Forest page, do one of
the following, and then click Next:

 Click Forest-wide authentication.

 Click Selective authentication.

10. On the Outgoing Trust Authentication Level--Specified Forest page, do one
of the following, and then click Next:
 Click Forest-wide authentication.

 Click Selective authentication.

11. On the Trust Selections Complete page, review the results, and then click
Next.

12. On the Trust Creation Complete page, review the results, and then click Next.

13. On the Confirm Outgoing Trust page, do one of the following:

 If you do not want to confirm this trust, click No, do not confirm the
outgoing trust. Note that if you do not confirm the trust at this stage, the
secure channel will not be established until the first time the trust is used by
users.

 If you want to confirm this trust, click Yes, confirm the outgoing trust, and
then supply the appropriate administrative credentials from the specified
domain.

14. On the Confirm Incoming Trust page, do one of the following:

 If you do not want to confirm this trust, click No, do not confirm the
incoming trust.

 If you want to confirm this trust, click Yes, confirm the incoming trust, and
then supply the appropriate administrative credentials from the specified
domain.

15. On the Completing the New Trust Wizard page, click Finish.
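
After a forest trust from any of the procedures above exists (the same applies to the
shortcut trusts created earlier), a practitioner wants to confirm what was actually created:
which direction, whether Forest-wide authentication or Selective authentication was
chosen on the Outgoing Trust Authentication Level pages, whether SID filtering was
weakened, and whether the secure channel works. The following PowerShell script is an
added example, not code from this guide: it reads the trustedDomain objects under the
domain's System container, decodes trustDirection and trustAttributes using the bit values
defined in MS-ADTS, and verifies the outgoing side with Netdom. It assumes Windows
PowerShell 2.0 or later on a member of the domain being inspected, with the Support
Tools (netdom.exe) installed, run by a member of Domain Admins in that domain.

```powershell
# Added example, not part of the Operations Guide.
# Assumes: Windows PowerShell 2.0+ on a member of the domain whose trusts you
# want to inspect, with the Support Tools (netdom.exe) installed, run by a
# member of Domain Admins in that domain (forest root domain for forest trusts).

# Bit values of trustAttributes on trustedDomain objects (MS-ADTS), and the
# wizard option each one corresponds to.
$TrustAttr = @{
    NonTransitive     = 0x01
    UplevelOnly       = 0x02
    QuarantinedDomain = 0x04   # SID filtering enforced as for an external trust
    ForestTransitive  = 0x08   # Trust Type: Forest trust
    CrossOrganization = 0x10   # Outgoing Trust Authentication Level: Selective authentication
    WithinForest      = 0x20   # shortcut, parent/child or tree-root trust
    TreatAsExternal   = 0x40   # SID history admitted across a forest trust
}
# trustDirection: 1 = this domain's users are authenticated by the partner
# (the wizard's "One-way: incoming"), 2 = partner users are authenticated
# here ("One-way: outgoing"), 3 = both.
$TrustDir = @{ 1 = 'One-way: incoming'; 2 = 'One-way: outgoing'; 3 = 'Two-way' }

function Get-TrustReport {
    $domainDN = ([ADSI]'LDAP://RootDSE').Get('defaultNamingContext')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=System,$domainDN"
    $searcher.Filter     = '(objectClass=trustedDomain)'
    foreach ($result in $searcher.FindAll()) {
        $p     = $result.Properties
        $attrs = [int]$p['trustattributes'][0]
        $dir   = [int]$p['trustdirection'][0]
        $flags = @($TrustAttr.Keys | Where-Object { ($attrs -band $TrustAttr[$_]) -ne 0 } | Sort-Object)
        $warnings = @()
        # The outgoing side is where partner users get access to your
        # resources, so that is where the authentication level matters.
        $outgoing = ($dir -band 2) -ne 0
        if ($outgoing -and ($attrs -band $TrustAttr.ForestTransitive) -ne 0 -and
            ($attrs -band $TrustAttr.CrossOrganization) -eq 0) {
            $warnings += 'Forest-wide authentication: every partner user is Authenticated Users here'
        }
        if (($attrs -band $TrustAttr.TreatAsExternal) -ne 0) {
            $warnings += 'SID history accepted from the partner forest (SID filtering weakened)'
        }
        New-Object PSObject -Property @{
            Partner    = [string]$p['trustpartner'][0]
            Direction  = $TrustDir[$dir]
            Outgoing   = $outgoing
            Attributes = ($flags -join ',')
            Warnings   = ($warnings -join '; ')
        }
    }
}

function Test-OutgoingTrust([string]$Partner) {
    # Verifies the secure channel and the Kerberos path for the side on which
    # this domain trusts $Partner. A non-zero exit code usually means the
    # reciprocal side has not been created yet, or was created with a
    # different trust password. To verify an incoming trust, swap the two
    # names and add /uo: and /po: credentials for $Partner.
    $local = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
    netdom trust $local "/d:$Partner" /verify /kerberos | Out-Host
    return ($LASTEXITCODE -eq 0)
}

$report = @(Get-TrustReport)
$report | Format-Table Partner, Direction, Attributes, Warnings -AutoSize
foreach ($trust in $report | Where-Object { $_.Outgoing }) {
    $ok = Test-OutgoingTrust $trust.Partner
    '{0}: {1}' -f $trust.Partner, $(if ($ok) { 'secure channel verified' } else { 'verification FAILED' })
}
```

Run it from a domain controller in the forest root domain to see forest trusts; run it in a
child domain to see that domain's shortcut and parent/child trusts. A trust whose
verification fails right after one-sided creation is expected until the reciprocal
administrator completes the matching procedure with the same trust password.
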

Creating Realm Trusts
You can create a realm trust to form a one-way or two-way trust, transitive or
nontransitive, between a Windows Server 2003 domain and a non-Windows Kerberos
realm in your organization. You can create the trust while you are logged on to the
domain, or you can use the Run as command to run Active Directory Domains and
Trusts with credentials for a different domain.

For more information about realm trusts, see "How Domain and Forest Trusts Work" in
the Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=35356).

Task requirements
You can use either of the following tools to perform the procedures for this task:

 Active Directory Domains and Trusts

 Netdom.exe

For more information about how to use the Netdom command-line tool to create a realm
trust, see "Netdom.exe: Windows Domain Manager" in the Windows Server 2003
Technical Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).

Note
The New Trust Wizard in Active Directory Domains and Trusts does not support
the creation of both sides of a realm trust at the same time. For more information
about how the “both sides of the trust” option works, see the section "Sides of
Trust" in Appendix: New Trust Wizard Pages.

You can create a realm trust by using any of the following procedures, depending on the
requirements of your organization and the administrative credentials that you have when
you create the trust:

 Create a one-way, incoming, realm trust

 Create a one-way, outgoing, realm trust

 Create a two-way, realm trust

Create a one-way, incoming, realm trust


A one-way, incoming realm trust allows users in your Windows Server 2003 domain (the
domain that you are logged on to at the time that you run the New Trust Wizard) to
access resources in the Kerberos realm. For example, if you are the administrator of the
sales.wingtiptoys.com domain and users in that domain need to access resources in the
Kerberos realm, you can use this procedure to establish a relationship so that users in
the sales.wingtiptoys.com domain can access resources in the Kerberos realm.

You can create this realm trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a realm trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.

To create a one-way, incoming, realm trust


1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain node for the domain that you want to
establish a trust with, and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.

5. On the Trust Type page, click Realm trust, and then click Next.

6. On the Transitivity of Trust page, do one of the following:

 To form a trust relationship with the domain and the specified realm only,
click Nontransitive, and then click Next.

 To form a trust relationship with the domain and the specified realm and all
trusted realms, click Transitive, and then click Next.

7. On the Direction of Trust page, click One-way: incoming, and then click Next.

For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.

8. On the Trust Password page, type the trust password twice, and then click
Next.

9. On the Trust Selections Complete page, review the results, and then click
Next.

10. On the Completing the New Trust Wizard page, click Finish.

Note
For this trust to function, the administrator of the realm must complete the trust,
using his or her administrative credentials and the exact same trust password
that was used during this procedure.

Create a one-way, outgoing, realm trust


A one-way, outgoing realm trust allows resources in your Windows Server 2003 domain
(the domain that you are logged on to at the time that you run the New Trust Wizard) to
be accessed by users in the Kerberos realm. For example, if you are the administrator of
the sales.wingtiptoys.com domain and resources in that domain need to be accessed by
users in the Kerberos realm, you can use this procedure to establish a relationship so
that users in the Kerberos realm can access resources in the sales.wingtiptoys.com
domain.

You can create this realm trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a realm trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.

To create a one-way, outgoing, realm trust


1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain that you want to establish a trust with,
and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.

5. On the Trust Type page, click Realm trust, and then click Next.
6. On the Transitivity of Trust page, do one of the following:

 To form a trust relationship with the domain and the specified realm only,
click Nontransitive, and then click Next.

 To form a trust relationship with the domain and the specified realm and all
trusted realms, click Transitive, and then click Next.

7. On the Direction of Trust page, click One-way: outgoing, and then click Next.

For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.

8. On the Trust Password page, type the trust password twice, and then click
Next.

9. On the Trust Selections Complete page, review the results, and then click
Next.

10. On the Completing the New Trust Wizard page, click Finish.

Note
For this trust to function, the administrator of the realm must complete the trust,
using his or her administrative credentials and the exact same trust password
that was used during this procedure.

Create a two-way, realm trust


A two-way, realm trust allows users in your domain (the domain that you are logged on to
at the time that you run the New Trust Wizard) and users in the specified Kerberos realm
to access resources in either the domain or the Kerberos realm.

You can create this realm trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a realm trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
To create a two-way, realm trust
1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain node for the domain that you want to
establish a trust with, and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.

4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.

5. On the Trust Type page, click Realm trust, and then click Next.

6. On the Transitivity of Trust page, do one of the following:

 To form a trust relationship with the domain and the specified realm only,
click Nontransitive, and then click Next.

 To form a trust relationship with the domain and the specified realm and all
trusted realms, click Transitive, and then click Next.

7. On the Direction of Trust page, click Two-way, and then click Next.

For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.

8. On the Trust Password page, type the trust password twice, and then click
Next.

9. On the Trust Selections Complete page, review the results, and then click
Next.

10. On the Completing the New Trust Wizard page, click Finish.

Note
For this trust to function, the administrator of the realm must complete the trust,
using his or her administrative credentials and the exact same trust password
that was used during this procedure.

Configuring Domain and Forest Trusts


You can remove manually created trusts, but you cannot remove the default, two-way,
transitive trusts between domains in a forest. If you remove manually created trusts, it is
particularly important to verify that you successfully removed the trusts if you are planning
to re-create them.

The following tasks for configuring domain and forest trusts are described in this objective:

 Validating and removing trusts

 Modifying Name Suffix Routing Settings

Validating and removing trusts


After a trust has been established, you may need to verify that it is working as designed,
or that communications over the trust are working, by using Active Directory tools to
validate the trust's connectivity. It may also be necessary to remove an existing, manually
created trust when connectivity between two domains is no longer necessary.

Task requirements

You can use either of the following tools to perform the procedures for this task:

 Active Directory Domains and Trusts

 Netdom.exe

For more information about how to use the Netdom command-line tool to validate or
remove a trust, see "Netdom.exe: Windows Domain Manager" in the Windows Server 2003
Technical Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?
LinkId=41700).

To complete this task, perform the following procedures:

 Validate a trust

 Remove a manually created trust

Validate a trust
You can validate all trusts that are made between domains, but you cannot validate realm
trusts.

You can validate a trust by using Active Directory Domains and Trusts or by using the
Netdom command-line tool. For more information about how to use the Netdom
command-line tool to validate a trust, see "Netdom.exe: Windows Domain Manager" in the
Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To complete this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.

To validate a trust
 Using the Windows interface

 Using the command line

Using the Windows interface


1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain that contains the trust that you want to
validate, and then click Properties.

3. On the Trusts tab, under either Domains trusted by this domain (outgoing
trusts) or Domains that trust this domain (incoming trusts), click the trust to
be validated, and then click Properties.

4. Click Validate.

5. Do one of the following, and then click OK:

 Click No, do not validate the incoming trust.

If you click this option, it is recommended that you repeat this procedure for
the reciprocal domain.

 Click Yes, validate the incoming trust.

If you click this option, you must type a user account and password with
administrative credentials for the reciprocal domain.

Using the command line


1. Open a Command Prompt.
2. Type the following command, and then press ENTER:

netdom trust TrustingDomainName /d:TrustedDomainName /verify

Term: Definition

TrustingDomainName: Specifies the Domain Name System (DNS) name (or network basic
input/output system (NetBIOS) name) of the trusting domain in the trust that is
being verified.

TrustedDomainName: Specifies the DNS name (or NetBIOS name) of the domain that is
trusted in the trust that is being verified.

Remove a manually created trust


It is possible to remove manually created shortcut trusts, external trusts, realm trusts, or
forest trusts. It is not possible to remove default, two-way, transitive trusts between
domains in a forest. It is particularly important to verify that you successfully removed
trusts if you are planning to re-create them.

You can remove a manually created trust by using Active Directory Domains and Trusts
or by using the Netdom command-line tool. For more information about the Netdom
command-line tool, see "Netdom.exe: Windows Domain Manager" in the
Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To complete this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
To remove a manually created trust
 Using the Windows interface

 Using a command prompt

Using the Windows interface


1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain that contains the trust that you want to
remove, and then click Properties.

3. Click the Trusts tab.

4. In either Domains trusted by this domain (outgoing trusts) or Domains that
trust this domain (incoming trusts), click the trust to be removed, and then
click Remove.

5. Do one of the following, and then click OK:

 Click No, remove the trust from the local domain only.

If you click this option, it is recommended that you repeat this procedure for
the reciprocal domain.

 Click Yes, remove the trust from both the local domain and the other
domain.

If you click this option, you must type a user account and password with
administrative credentials for the reciprocal domain.

Using the command line


1. Open a Command Prompt.

2. Type the following command, and then press ENTER:

netdom trust TrustingDomainName /d:TrustedDomainName /remove /UserD:User /PasswordD:*

Term: Definition

TrustingDomainName: Specifies the Domain Name System (DNS) name (or network basic
input/output system (NetBIOS) name) of the trusting domain in the trust that is
being removed.

TrustedDomainName: Specifies the DNS name (or NetBIOS name) of the domain that is
trusted in the trust that is being removed.

User: Specifies a user account with administrative credentials in the trusted domain.
The asterisk (*) after /PasswordD: prompts for that account's password instead of
placing it on the command line.

Note
If you are using Netdom to remove a realm trust, you must add the /force option
to the end of the command (after /remove) to remove the trust successfully.

Modifying Name Suffix Routing Settings


Name suffix routing is a mechanism that is used to manage how authentication requests
are routed across Windows Server 2003 forests that are joined by forest trusts. To
simplify the administration of authentication requests, when a forest trust is created, all
unique name suffixes are routed by default. A unique name suffix is a name suffix within a
forest, such as a user principal name (UPN) suffix, service principal name (SPN) suffix, or
Domain Name System (DNS) forest or domain tree name that is not subordinate to any
other name suffix. For example, the DNS forest name fabrikam.com is a unique name
suffix within the fabrikam.com forest. For more information about name suffix routing, see
Routing name suffixes across forests on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=35414).

Note
You cannot enable a name suffix that is in conflict. If the conflict is with a local
UPN name suffix, you must remove the local UPN name suffix before you can
enable the routing name. If the conflict is with a name that is claimed by another
trust partner, you must disable the name in the other trust before it can be
enabled for this trust.

Task requirements
You can use either of the following tools to perform the procedures for this task:

 Active Directory Domains and Trusts

 Netdom.exe

For more information about how to use the Netdom command-line tool to modify name
suffix routing settings, see "Netdom.exe: Windows Domain Manager" in the
Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41700).

To complete this task, perform any of the following procedures:

 Modify the routing status of a name suffix


 Enable or disable an existing name suffix for routing

 Exclude name suffixes from routing to local forests

Modify the routing status of a name suffix
You can change the routing status (enabled or disabled) of a name suffix by using the
New Trust Wizard in Active Directory Domains and Trusts or by using the Netdom
command-line tool. For more information about how to use the Netdom command-line
tool to modify name suffix routing settings, see "Netdom.exe: Windows Domain Manager"
in the Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.

To modify the routing status of a name suffix


Using the Windows interface
1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain node for the domain that you want to
administer, and then click Properties.

3. On the Trusts tab, under either Domains trusted by this domain (outgoing
trusts) or Domains that trust this domain (incoming trusts), click the forest
trust that you want to administer, and then click Properties.

4. On the Name Suffix Routing tab, under Name suffixes in the x.x forest, click
the suffix for which you want to modify routing status, and then click Edit.

5. In Existing name suffixes in x.x, click the suffix that you want to modify, and
then click Enable or Disable.

Enable or disable an existing name suffix for routing
You can use this procedure to prevent authentication requests for specific name suffixes
from being routed to a forest, or you can use this procedure to allow authentication
requests for specific name suffixes to be routed to a forest. You can enable or disable an
existing name suffix for routing by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to modify name suffix routing settings,
see "Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).

Note
When you disable a name suffix, all children of that Domain Name System (DNS)
name will also be disabled.

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.

To enable or disable an existing name suffix for routing
Using the Windows interface
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain that you want to administer, and then
click Properties.

3. On the Trusts tab, under either Domains trusted by this domain (outgoing
trusts) or Domains that trust this domain (incoming trusts), click the forest
trust that you want to administer, and then click Properties.

4. Click the Name Suffix Routing tab, and then, under Name suffixes in the x.x
forest, do one of the following:

 To enable a name suffix, click the suffix that you want to enable, and then
click Enable. If the Enable button is unavailable, the name suffix is already
enabled.
 To disable a name suffix, click the suffix that you want to disable, and then
click Disable. If the Disable button is unavailable, the name suffix is already
disabled.

Exclude name suffixes from routing to local forests
You can exclude existing name suffixes from routing to local forests by using the New
Trust Wizard in Active Directory Domains and Trusts or by using the Netdom command-
line tool. For more information about how to use the Netdom command-line tool to modify
name suffix routing settings, see "Netdom.exe: Windows Domain Manager" in the
Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41700).

Note
When you exclude a name suffix, all children of that Domain Name System
(DNS) name will also be excluded.

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
To exclude name suffixes from routing to local forests
Using the Windows interface
1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain that you want to administer, and then
click Properties.

3. On the Trusts tab, under either Domains trusted by this domain (outgoing
trusts) or Domains that trust this domain (incoming trusts), click the forest
trust that you want to administer, and then click Properties.
4. On the Name Suffix Routing tab, under Name suffixes in the x.x forest, click
the unique name suffix to exclude from routing, and then click Edit.

5. In Name suffixes to exclude from routing to x.x, click Add, type a DNS name
suffix that is subordinate to the unique name suffix, and then click OK.
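As an added example that is not part of the original guide, the following Python model applies the routing rules from this section: unique name suffixes are routed by default, disabling a suffix or excluding a subordinate suffix also covers its DNS children, and a suffix in conflict with a local UPN suffix cannot be enabled until that local suffix is removed. The forest and suffix names are constructed, and the conflict test is simplified to "equals or falls under a local UPN suffix" (an assumption of this example, not the directory's full conflict detection).

```python
"""Model of name suffix routing across a forest trust (constructed example,
not Microsoft's implementation).

Rules taken from this section:
  * every unique name suffix of the trusted forest is routed by default;
  * disabling a suffix, or excluding a subordinate suffix, also covers all
    of that suffix's DNS children;
  * a suffix that conflicts with a local UPN suffix cannot be enabled until
    the local suffix is removed (conflict test simplified here to "equals or
    falls under a local UPN suffix", an assumption of this example).
"""
from dataclasses import dataclass, field


def is_subordinate(name: str, suffix: str) -> bool:
    """True when `name` equals `suffix` or is a DNS child of it."""
    name = name.lower().rstrip(".")
    suffix = suffix.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)


@dataclass
class ForestTrustRouting:
    """Routing state for one forest trust, mirroring the Name Suffix Routing tab."""
    trusted_forest: str
    local_upn_suffixes: set[str] = field(default_factory=set)
    # unique name suffix -> routing enabled?
    unique_suffixes: dict[str, bool] = field(default_factory=dict)
    # unique name suffix -> subordinate suffixes excluded from routing
    exclusions: dict[str, set[str]] = field(default_factory=dict)

    def _conflicts(self, suffix: str) -> bool:
        return any(is_subordinate(suffix, local) for local in self.local_upn_suffixes)

    def _check_known(self, suffix: str) -> str:
        key = suffix.lower().rstrip(".")
        if key not in self.unique_suffixes:
            raise KeyError(f"{suffix} is not a unique name suffix of {self.trusted_forest}")
        return key

    def add_unique_suffix(self, suffix: str) -> None:
        """Register a unique suffix claimed by the trusted forest. It is routed
        by default unless it conflicts with a local UPN suffix."""
        key = suffix.lower().rstrip(".")
        self.unique_suffixes[key] = not self._conflicts(key)
        self.exclusions.setdefault(key, set())

    def enable(self, suffix: str) -> None:
        key = self._check_known(suffix)
        if self._conflicts(key):
            raise ValueError(f"{suffix} conflicts with a local UPN suffix; remove that suffix first")
        self.unique_suffixes[key] = True

    def disable(self, suffix: str) -> None:
        self.unique_suffixes[self._check_known(suffix)] = False

    def exclude(self, unique_suffix: str, child: str) -> None:
        """Exclude a DNS name that is subordinate to a unique name suffix."""
        key = self._check_known(unique_suffix)
        child = child.lower().rstrip(".")
        if child == key or not is_subordinate(child, key):
            raise ValueError(f"{child} is not subordinate to {unique_suffix}")
        self.exclusions[key].add(child)

    def routes(self, name_suffix: str) -> bool:
        """Would an authentication request for a principal with this UPN or SPN
        suffix be routed over the trust to the trusted forest?"""
        key = name_suffix.lower().rstrip(".")
        # By definition a unique suffix is subordinate to no other suffix, so at
        # most one unique suffix can cover the name.
        unique = next((u for u in self.unique_suffixes if is_subordinate(key, u)), None)
        if unique is None or not self.unique_suffixes[unique]:
            return False  # not claimed by the trusted forest, or disabled
        return not any(is_subordinate(key, ex) for ex in self.exclusions[unique])


def demo() -> dict[str, bool]:
    """Constructed scenario: the local forest owns the UPN suffix contoso.com and
    trusts the fabrikam.com forest, which claims fabrikam.com, a second tree
    tailspintoys.com and (in conflict) contoso.com."""
    trust = ForestTrustRouting("fabrikam.com", local_upn_suffixes={"contoso.com"})
    for s in ("fabrikam.com", "tailspintoys.com", "contoso.com"):
        trust.add_unique_suffix(s)
    trust.exclude("fabrikam.com", "hr.fabrikam.com")  # exclusion covers its children
    trust.disable("tailspintoys.com")                  # disabling covers its children
    names = ("fabrikam.com", "sales.fabrikam.com", "hr.fabrikam.com",
             "payroll.hr.fabrikam.com", "tailspintoys.com", "eu.tailspintoys.com",
             "contoso.com", "adatum.com")
    return {n: trust.routes(n) for n in names}


if __name__ == "__main__":
    for name, routed in demo().items():
        print(f"{name:28} {'routed' if routed else 'not routed'}")
```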

Securing Domain and Forest Trusts


When you create a new trust in an existing Active Directory forest, all communications
over that trust are tightly secured. However, when you create a trust between your
domain and another domain outside your forest, there are certain security issues
involved. For example, you might need to configure security identifier (SID) filtering to
deny one domain the right to provide credentials for another domain. You can enable or
disable SID filtering for external trusts or forest trusts.

The following tasks for securing domain and forest trusts are described in this objective:

 Configuring SID Filtering Settings

 Configuring Selective Authentication Settings

For more information about how the security settings for domain and forest trusts work,
see "Security Considerations for Trusts" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=35413).
Configuring SID Filtering Settings
Security principals in Active Directory have an attribute called SIDHistory to which
domain administrators can add users’ old security identifiers (SIDs). This is useful during
Active Directory migrations because administrators do not need to modify access control
lists (ACLs) on large numbers of resources and users can use their old SIDs to access
resources. However, under some circumstances it is possible for domain administrators
to use the SIDHistory attribute to associate SIDs with new user accounts, granting
themselves unauthorized rights. To help prevent this type of attack,
Windows Server 2003 automatically enables SID filtering on all external trusts and forest
trusts that are created by a Windows Server 2003 domain controller. External trusts that
are created using domain controllers running Windows 2000 Server with Service Pack 3
(SP3) or earlier must be manually configured to enable SID filtering.

Note
You cannot turn off the default behavior in Windows Server 2003 that enables
SID filtering for newly created external and forest trusts. External trusts that are
created from domain controllers running Windows 2000 Server with SP3 or
earlier do not enforce SID filtering by default.

You can use SID filtering to filter out migrated SIDs that are stored in SIDHistory from
specific domains. For example, where an external trust relationship exists so that the
Noam domain (running Windows 2000 Server domain controllers) trusts the Acquired
domain (also running Windows 2000 Server domain controllers), an administrator of the
Noam domain can manually apply SID filtering to the Acquired domain, which allows all
SIDs with a domain SID from the Acquired domain to pass but all other SIDs (such as
those from migrated SIDs that are stored in SIDHistory) to be discarded.
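The Noam/Acquired scenario above, as an added Python model that is not Microsoft code and not the actual LSA logic: with SID filtering applied to the trusted domain, only SIDs whose domain identifier is that domain's own SID are accepted, so a SIDHistory entry that names a group in the trusting domain is dropped before it can grant anything. Domain names and SIDs are constructed.

```python
"""Model of SID filtering (quarantine) on an external trust, as described
in this section (constructed example, not the actual LSA implementation).

When the trusting domain applies SID filtering to a trusted domain, only
SIDs whose domain identifier is that trusted domain's SID are accepted
from its authentication data; every other SID, including migrated SIDs
carried in SIDHistory, is discarded before the access token is built.
"""
import re
from dataclasses import dataclass

# S-1-<authority>-<subauthority>[-<subauthority>...]
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid: str) -> tuple[str, int]:
    """Split a SID into (domain identifier, relative identifier), e.g.
    'S-1-5-21-100-200-300-1104' -> ('S-1-5-21-100-200-300', 1104)."""
    if not _SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


@dataclass(frozen=True)
class TrustedDomain:
    name: str
    domain_sid: str            # the trusted domain's own domain SID
    quarantined: bool = True   # SID filtering applied (Netdom /quarantine:Yes)


def filter_sids(trust: TrustedDomain, presented: list[str]) -> tuple[list[str], list[str]]:
    """Return (accepted, discarded) for SIDs presented over the trust.

    With quarantine on, a SID passes only if its domain identifier equals the
    trusted domain's SID. With quarantine off (Netdom /quarantine:No), every
    syntactically valid SID passes, SIDHistory entries included."""
    accepted, discarded = [], []
    for sid in presented:
        domain_part, _rid = parse_sid(sid)
        if not trust.quarantined or domain_part == trust.domain_sid:
            accepted.append(sid)
        else:
            discarded.append(sid)
    return accepted, discarded


def demo(quarantined: bool = True) -> dict[str, list[str]]:
    """Constructed scenario from the text: Noam (trusting) trusts Acquired (trusted).
    A user in Acquired presents their own SID, a group SID from Acquired, and
    two SIDHistory entries, one of which names Noam's Domain Admins group (RID 512)."""
    noam_sid = "S-1-5-21-1234567890-2345678901-3456789012"          # constructed
    acquired = TrustedDomain("acquired.example",
                             "S-1-5-21-987654321-876543210-765432109",  # constructed
                             quarantined=quarantined)
    presented = [
        acquired.domain_sid + "-1104",                       # user's account in Acquired
        acquired.domain_sid + "-1120",                       # a group in Acquired
        noam_sid + "-512",                                   # SIDHistory: Noam Domain Admins
        "S-1-5-21-1000000001-2000000002-3000000003-1001",    # SIDHistory: a third domain
    ]
    accepted, discarded = filter_sids(acquired, presented)
    return {"accepted": accepted, "discarded": discarded}


if __name__ == "__main__":
    for mode in (True, False):
        result = demo(quarantined=mode)
        print(f"SID filtering {'on' if mode else 'off'}:")
        print("  accepted :", result["accepted"])
        print("  discarded:", result["discarded"])
```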

Note
Do not apply SID filtering to domains within a forest, because doing so removes
SIDs that are required for Active Directory replication, and it causes
authentication to fail for users from domains that are trusted transitively through
the isolated domain.

To further secure your forest, consider enabling SID filtering on all existing external trusts
that are created by domain controllers running Windows 2000 Server SP3 or earlier. You
can do this by using Netdom.exe to enable SID filtering on existing external trusts or by
recreating these external trusts from a domain controller running Windows Server 2003
or Windows 2000 Server with Service Pack 4 (SP4) or later. For more information about
how to enable SID filtering on trusts that are created by Windows 2000 Server domain
controllers, see the Windows 2000 Active Directory Operations Guide on the Microsoft
Web site (http://go.microsoft.com/fwlink/?LinkId=18545).

For more information about how SID filtering works, see "Security Considerations for
Trusts" in the Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=35413).

Task requirements

You can use either of the following tools to perform the procedures for this task:

 Active Directory Domains and Trusts

 Netdom.exe
For more information about how to use the Netdom command-line tool to configure SID
filtering settings, see "Netdom.exe: Windows Domain Manager" in the
Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41700).

To complete this task, perform the following procedures:

 Disable SID filtering

 Reapply SID filtering

Disable SID filtering


Although it is not recommended, you can disable security identifier (SID) filtering for an
external trust or forest trust by using the Netdom.exe tool. You should consider disabling
SID filtering only in the following situations:

 You have an equally high level of confidence in the administrators who have physical
access to domain controllers in the trusted domain and the administrators with such
access in the trusting domain.

 You have a strict requirement to assign universal groups to resources in the trusting
domain, even when those groups were not created in the trusted domain.

 Users have been migrated to the trusted domain with their SID histories preserved,
and you want to grant those users access to resources in the trusting domain based
on the SIDHistory attribute.

For more information about how SID filtering works, see "Security Considerations for
Trusts" in the Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=35413).
You can disable SID filtering by using the Netdom command-line tool. For more
information about the Netdom command-line tool, see "Netdom.exe: Windows Domain
Manager" in the Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To complete this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.

To disable SID filtering


1. To disable SID filtering for the trusting domain, open a Command Prompt.

2. Type the following command, and then press ENTER:

Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No /usero:domainadministratorAcct /passwordo:domainadminpwd

Value: Description

TrustingDomainName: The Domain Name System (DNS) name (or network basic
input/output system (NetBIOS) name) of the trusting domain in the trust that is
being modified.

TrustedDomainName: The DNS name (or NetBIOS name) of the domain that is trusted in
the trust that is being modified.

domainadministratorAcct: The user account name with the appropriate administrator
credentials to modify the trust.

domainadminpwd: The password of the user account in domainadministratorAcct.

Note
You can enable or disable SID filtering only from the trusting side of the
trust. If the trust is a two-way trust, you can also disable SID filtering in
the trusted domain by using the domain administrator’s credentials for
the trusted domain and reversing the TrustingDomainName and
TrustedDomainName values in the command-line syntax.
Reapply SID filtering
You can reapply security identifier (SID) filtering to an external or forest trust that has had
SID filtering disabled. By default, Windows Server 2003 automatically enables SID
filtering on all external trusts and forest trusts that are created by a Windows Server 2003
domain controller. For more information about how SID filtering works, see "Security
Considerations for Trusts" in the Windows Server 2003 Technical Reference on the
Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=35413).
You can reapply SID filtering by using the Netdom command-line tool. For more
information about the Netdom command-line tool, see "Netdom.exe: Windows Domain
Manager" in the Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To complete this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.

To reapply SID filtering


1. To reapply SID filtering for the trusting domain, open a Command Prompt.

2. Type the following syntax, and then press ENTER:

Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:Yes /usero:domainadministratorAcct /passwordo:domainadminpwd

Term: Definition

TrustingDomainName: The Domain Name System (DNS) name (or network basic
input/output system (NetBIOS) name) of the trusting domain in the trust that is
being modified.

TrustedDomainName: The DNS name (or NetBIOS name) of the domain that is trusted in
the trust that is being modified.

domainadministratorAcct: The user account name with the appropriate administrator
credentials to modify the trust.

domainadminpwd: The password of the user account in domainadministratorAcct.

Configuring Selective Authentication Settings
Trusts that are created between Windows Server 2003 forests can use legacy
authentication settings (settings that were used in Windows 2000 Server) or selective
authentication. Selective authentication is a security setting that can be enabled on
external trusts and forest trusts between Windows Server 2003 forests. Selective
authentication provides Active Directory administrators who manage a trusting forest
more control over which groups of users in a trusted forest can access shared resources
in the trusting forest. Because creating an external trust or forest trust provides a pathway
for all authentication requests between the forests, this increased control is especially
important when administrators need to grant access to shared resources in their
organization’s forest to a limited set of users in another organization’s forest.

For more information about how selective authentication settings work, see "Security
Considerations for Trusts" in the Windows Server 2003 Technical Reference on the
Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=35413).

Task requirements

You can use either of the following tools to perform the procedures for this task:

 Active Directory Domains and Trusts

 Netdom.exe
For more information about how to use the Netdom command-line tool to configure
selective authentication settings, see "Netdom.exe: Windows Domain Manager" in the
Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41700).

To complete this task, perform the following procedures:

 Enable selective authentication over an external trust

 Enable selective authentication over a forest trust

 Enable domain-wide authentication over an external trust

 Enable forest-wide authentication over a forest trust


 Grant the Allowed to Authenticate permission on computers in the trusting domain or
forest

Enable selective authentication over an external trust
Selective authentication over an external trust restricts access to only those users in a
trusted domain who have been explicitly given authentication permissions to computer
objects (resource computers) that reside in the trusting domain. To explicitly give
authentication permissions to computer objects in the trusting domain to certain users,
administrators must grant those users the Allowed to Authenticate permission in
Active Directory. For more information, see Grant the Allowed to Authenticate permission
on computers in the trusting domain or forest. For more information about how selective
authentication works, see "Security Considerations for Trusts" in the
Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=35413).

You can enable selective authentication over an external trust by using the New Trust
Wizard in Active Directory Domains and Trusts or by using the Netdom command-line
tool. For more information about how to use the Netdom command-line tool to configure
selective authentication settings, see "Netdom.exe: Windows Domain Manager" in the
Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To complete this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
To enable selective authentication over an external trust
Using the Windows interface
1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain that you want to administer, and then
click Properties.

3. On the Trusts tab, under either Domains trusted by this domain (outgoing
trusts) or Domains that trust this domain (incoming trusts), click the external
trust that you want to administer, and then click Properties.
4. On the Authentication tab, click Selective authentication, and then click OK.

Note
Only the authentication settings for the outgoing trust are displayed when you
click Properties and then click the Authentication tab in Active Directory
Domains and Trusts. To view the correct authentication settings for the incoming
side of a two-way, external trust, connect to a domain controller in the trusted
domain, and then use Active Directory Domains and Trusts to view the
authentication settings for the outgoing side of the same trust.

Enable selective authentication over a forest trust
Selective authentication over a forest trust restricts access to only those users in a
trusted forest who have been explicitly given authentication permissions to computer
objects (resource computers) that reside in the trusting forest. To explicitly give
authentication permissions to computer objects in the trusting forest to certain users,
administrators must grant those users the Allowed to Authenticate permission in
Active Directory. For more information, see Grant the Allowed to Authenticate permission
on computers in the trusting domain or forest. For more information about how selective
authentication works, see "Security Considerations for Trusts" in the
Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=35413).

You can enable selective authentication over a forest trust by using the New Trust Wizard
in Active Directory Domains and Trusts or by using the Netdom command-line tool. For
more information about how to use the Netdom command-line tool to configure selective
authentication settings, see "Netdom.exe: Windows Domain Manager" in the
Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To complete this procedure, you must be a member of the Domain Admins group (in the
forest root domain) or the Enterprise Admins group in Active Directory.

To enable selective authentication over a forest trust
Using the Windows interface
1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain node for the forest root domain, and
then click Properties.

3. On the Trusts tab, under either Domains trusted by this domain (outgoing
trusts) or Domains that trust this domain (incoming trusts), click the forest
trust that you want to administer, and then click Properties.

4. On the Authentication tab, click Selective authentication, and then click OK.

Note
Only the authentication settings for the outgoing trust are displayed when you
click Properties and then click the Authentication tab in Active Directory
Domains and Trusts. To view the correct authentication settings for the incoming
side of a two-way, forest trust, connect to a domain controller in the forest root
domain of the trusted forest, and then use Active Directory Domains and Trusts
to view the authentication settings for the outgoing side of the same trust.
Enable domain-wide authentication over an external trust
The domain-wide authentication setting permits unrestricted access by any users in the
trusted domain to all available shared resources in the trusting domain. This is the default
authentication setting for external trusts, and it is representative of the way
authentications were routed — without restriction — over Windows 2000 Server trusts.
For more information about the domain-wide authentication setting, see "Security
Considerations for Trusts" in the Windows Server 2003 Technical Reference on the
Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=35413).

You can enable domain-wide authentication over an external trust by using the New Trust
Wizard in Active Directory Domains and Trusts or by using the Netdom command-line
tool. For more information about how to use the Netdom command-line tool to configure
selective authentication settings, see "Netdom.exe: Windows Domain Manager" in the
Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To complete this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.

To enable domain-wide authentication over an external trust
Using the Windows interface
1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click the domain that you want to administer, and then
click Properties.

3. On the Trusts tab, under either Domains trusted by this domain (outgoing
trusts) or Domains that trust this domain (incoming trusts), click the external
trust that you want to administer, and then click Properties.

4. On the Authentication tab, click Domain-wide authentication, and then click OK.

Note
Only the authentication settings for the outgoing trust are displayed when you
click Properties and then click the Authentication tab in Active Directory
Domains and Trusts. To view the correct authentication settings for the incoming
side of a two-way, external trust, connect to a domain controller in the trusted
domain, and then use Active Directory Domains and Trusts to view the
authentication settings for the outgoing side of the same trust.

Enable forest-wide authentication over a forest trust
The forest-wide authentication setting permits unrestricted access by any users in the
trusted forest to all available shared resources in any of the domains in the trusting forest.
This is the default authentication setting for forest trusts, and it is representative of the
way authentications were routed — without restriction — over Windows 2000 Server
trusts. For more information about the forest-wide authentication setting, see "Security
Considerations for Trusts" in the Windows Server 2003 Technical Reference on the
Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=35413).

You can enable forest-wide authentication over a forest trust by using the New Trust
Wizard in Active Directory Domains and Trusts or by using the Netdom command-line
tool. For more information about how to use the Netdom command-line tool to configure
selective authentication settings, see "Netdom.exe: Windows Domain Manager" in the
Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41700).

Administrative credentials

To complete this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.

To enable forest-wide authentication over a forest trust
Using the Windows interface
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the forest root domain, and then click Properties.

3. On the Trusts tab, under either Domains trusted by this domain (outgoing
trusts) or Domains that trust this domain (incoming trusts), click the forest
trust that you want to administer, and then click Properties.

4. On the Authentication tab, click Forest-wide authentication, and then click OK.

Note
Only the authentication settings for the outgoing trust are displayed when you
click Properties and then click the Authentication tab in Active Directory
Domains and Trusts. To view the correct authentication settings for the incoming
side of a two-way, forest trust, connect to a domain controller in the trusted
domain (the forest root domain in the other forest), and then use Active Directory
Domains and Trusts to view the authentication settings for the outgoing side of
the same trust.

Grant the Allowed to Authenticate permission on computers in the trusting domain or forest
For users in a trusted Windows Server 2003 domain or forest to be able to access
resources in a trusting Windows Server 2003 domain or forest, where the trust
authentication setting has been set to selective authentication, each user must be
explicitly granted the Allowed to Authenticate permission on the security descriptor of
the computer objects (resource computers) that reside in the trusting domain or forest.
For more information about how the Allowed to Authenticate permission works, see
"Security Considerations for Trusts" in the Windows Server 2003 Technical Reference on
the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=35413).

Note
The Allowed to Authenticate permission can be set on computer objects that
represent member servers running Windows NT Server 4.0,
Windows 2000 Server, and Windows Server 2003.
Note
By default, only members of the Account Operators, Administrators, Domain
Admins, Enterprise Admins, and SYSTEM security groups that are located in the
trusting domain can modify the Allowed to Authenticate permission.

To enable access to resources over an external trust or forest trust that is set to selective
authentication, complete the following procedure by using Active Directory Users and
Computers from the trusting domain.

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.

To grant the Allowed to Authenticate permission on computers in the trusting domain or forest
Using the Windows interface
1. Open Active Directory Users and Computers.

2. In the console tree, click the Computers container or the container where your
computer objects reside.

3. Right-click the computer object that you want users in the trusted domain or
forest to access, and then click Properties.

4. On the Security tab, do one of the following:

 In Group or user names, click the user names or group names for which
you want to grant access to this computer, select the Allow check box next
to the Allowed to Authenticate permission, and then click OK.

 Click Add. In Enter the object names to select, type the name of the user
object or group object for which you want to grant access to this resource
computer, and then click OK. Select the Allow check box next to the
Allowed to Authenticate permission, and then click OK.
Appendix: New Trust Wizard Pages
Understanding how user input is handled during the trust creation process will help you
provide information when it is most necessary and help you better prepare for your
specific procedure. This section explains the two most complex pages in the New Trust
Wizard:

 Direction of Trust

 Sides of Trust

Direction of Trust
The Direction of Trust page in the New Trust Wizard is configured by an administrator in
one domain to determine whether authentication requests should be routed from this
domain to a specified domain, from the specified domain to this domain, or freely
between both domains. The following options are available on the Direction of Trust
page:

 Two-way: A two-way trust allows authentication requests that are sent by users in
either domain or forest to be routed successfully to resources in either of the two
domains or forests.

 One-way: incoming: A one-way, incoming trust allows authentication requests that
are sent by users in your domain or forest (the domain or forest where you started
the New Trust Wizard) to be routed successfully to resources in the other domain or
forest.

 One-way: outgoing: A one-way, outgoing trust allows authentication requests that
are sent by users in the other domain (the domain or forest that you are indicating in
the New Trust Wizard as the specified domain or forest) to be routed successfully to
resources in your domain or forest.

These options are explained in the following sections.

Wizard Option: Two-way


Use this option when you want to share resources equally between two domains or
forests for all of the users that reside in both domains or forests. A two-way trust allows
authentication requests that are sent by users in a trusted domain or forest to be routed
successfully to the trusting domain or forest.
Note
Traditionally, documentation about domain and forest trusts has used the terms
“trusting” and “trusted” to help administrators pinpoint the direction of the trust.
Although this terminology is still used today to define and conceptualize how
trusts work, it varies from the terminology that is used in the New Trust Wizard to
help administrators determine the direction of trust.

Wizard Option: One-way: incoming


Use this option when you want to allow authentication requests to be routed from your
domain or forest (referred to as “this domain” or “this forest” in the wizard) to resources
residing in a second domain or forest (referred to as “specified domain” or “specified
forest” in the wizard). “One-way” in One-way: incoming means that this selection will
create a one-way trust that can route authentications to resources in only one direction,
while user access to those resources flows in the other direction. “Incoming” in One-way:
incoming refers to the direction of the trust itself, not the direction in which authentication
requests will flow. In other words, as shown in the following illustration, a "one-way
incoming trust" means that your domain or forest will be the domain or forest that
receives access to the resources in the other domain.
Wizard Option: One-way: outgoing
Use this option when you want to allow authentication requests to be routed to your
domain or forest (referred to as “this domain” or “this forest” in the wizard) from users
residing in a second domain or forest (referred to as “specified domain” or “specified
forest” in the wizard). “One-way” in One-way: outgoing means that this selection will
create a one-way trust that can route authentications to resources in only one direction,
while user access to those resources flows in the other direction. “Outgoing” in One-way:
outgoing refers to the direction of the trust itself, not the direction in which authentication
requests will flow. In other words, as shown in the following illustration, a "one-way,
outgoing trust" means that your domain or forest will provide access to resources that are
located in your domain to users who are located in the other domain or forest.
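
The following Python script is an added example; it is not part of this guide and is
not Windows or Active Directory code. It models how the wizard's direction options
described above determine which side of the trust is the trusting (resource) side,
and how the trust's authentication setting and the Allowed to Authenticate
permission on a computer object (see "Grant the Allowed to Authenticate permission on
computers in the trusting domain or forest") then decide whether a user may
authenticate to a resource computer. The domain, user, group and computer names are
constructed for the example, and the script does not contact a domain controller.

```python
"""Model of trust direction and selective authentication decisions.

Added example, not Microsoft code: it does not contact Active Directory and
only encodes the rules stated in the guide. All domain, user, group and
computer names below are constructed.
"""
from dataclasses import dataclass, field

# Options on the Direction of Trust page of the New Trust Wizard.
TWO_WAY = "Two-way"
ONE_WAY_INCOMING = "One-way: incoming"
ONE_WAY_OUTGOING = "One-way: outgoing"

# Settings on the Authentication tab (domain-wide for an external trust,
# forest-wide for a forest trust; both are the default).
DOMAIN_WIDE = "Domain-wide authentication"
SELECTIVE = "Selective authentication"


def trusting_domains(this_domain, specified_domain, direction):
    """Domains that are the *trusting* (resource) side for a wizard choice.

    "Incoming" and "outgoing" describe the trust itself, not the flow of
    authentication requests: One-way: incoming gives users of this domain
    access to resources in the specified domain, so the specified domain is
    the trusting side; One-way: outgoing makes this domain the trusting side.
    """
    if direction == TWO_WAY:
        return {this_domain, specified_domain}
    if direction == ONE_WAY_INCOMING:
        return {specified_domain}
    if direction == ONE_WAY_OUTGOING:
        return {this_domain}
    raise ValueError(f"unknown direction option: {direction!r}")


@dataclass
class Trust:
    this_domain: str        # where the New Trust Wizard was run
    specified_domain: str   # the domain named in the wizard
    direction: str
    authentication: str = DOMAIN_WIDE

    def routes(self, user_domain, resource_domain):
        """True if this trust routes authentication requests from
        user_domain to resources in resource_domain."""
        if {user_domain, resource_domain} != {self.this_domain, self.specified_domain}:
            return False
        if user_domain == resource_domain:
            return False
        return resource_domain in trusting_domains(
            self.this_domain, self.specified_domain, self.direction)


@dataclass
class User:
    name: str
    domain: str
    groups: frozenset = frozenset()   # groups the user is a member of


@dataclass
class ResourceComputer:
    name: str
    domain: str
    # Principals (user or group names) with Allow on the "Allowed to
    # Authenticate" permission in the computer object's security descriptor.
    allowed_to_authenticate: set = field(default_factory=set)


def can_authenticate(user, computer, trust):
    """Decide whether `user` may authenticate to `computer` over `trust`.

    Domain-wide and forest-wide authentication route every request from the
    trusted domain without further checks. Selective authentication also
    requires the user, or one of the user's groups, to hold the Allowed to
    Authenticate permission on that specific computer object.
    """
    if user.domain == computer.domain:
        return True  # same domain: no trust is involved
    if not trust.routes(user.domain, computer.domain):
        return False
    if trust.authentication == DOMAIN_WIDE:
        return True
    if trust.authentication == SELECTIVE:
        principals = {user.name} | set(user.groups)
        return bool(principals & computer.allowed_to_authenticate)
    raise ValueError(f"unknown authentication setting: {trust.authentication!r}")


if __name__ == "__main__":
    # The wizard is run in corp.example against partner.example with
    # One-way: outgoing, so corp.example is the trusting side; the trust is
    # then switched to selective authentication.
    trust = Trust("corp.example", "partner.example", ONE_WAY_OUTGOING, SELECTIVE)
    fs01 = ResourceComputer("FS01", "corp.example", {"Partner-Auditors"})
    alice = User("alice", "partner.example", frozenset({"Partner-Auditors"}))
    bob = User("bob", "partner.example")
    print("alice ->", can_authenticate(alice, fs01, trust))  # True: her group holds the permission
    print("bob   ->", can_authenticate(bob, fs01, trust))    # False: no Allowed to Authenticate entry
```

Under domain-wide or forest-wide authentication the Allowed to Authenticate entries
on the computer object are never consulted, which is why the guide singles out
selective authentication for the case where only a limited set of users in the other
organization's forest should reach your resources.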
Sides of Trust
In Windows NT 4.0 and Windows 2000, the only way to create trusts using the graphical
user interface (GUI) was incrementally — one side of the trust at a time. When you create
external trusts, shortcut trusts, realm trusts, or forest trusts in Windows Server 2003, you
now have the option to create each side of the trust separately or both sides of the trust
simultaneously.

Wizard Option: This domain only


Use this option when you want to create each side of the trust separately, which means
that you must run the New Trust Wizard twice — once for each domain in the trust.
Although the New Trust Wizard presents a different experience than previous versions of
Windows Server operating systems, this option provides behavior that is similar to the
way that trusts were created in Windows NT 4.0 and Windows 2000. When you create
trusts using this method, you must supply the same trust password for each domain. As a
security best practice, all trust passwords should be strong passwords.

Wizard Option: Both this domain and the specified domain


This option provides administrators who possess the appropriate domain credentials for
both domains in the trust relationship with the option to quickly create both sides of a trust
by completing a single instance of the New Trust Wizard. When you select this option, a
strong trust password is automatically generated for you. For this selection to be
successful, the administrator running the wizard must acquire the appropriate
administrative credentials for each domain in the trust relationship.

Administering the Windows Time Service


Time synchronization is critical for the proper operation of many Windows services and
line-of-business applications. The Windows® Time service uses the Network Time
Protocol (NTP) to synchronize computer clocks on the network so that an accurate clock
value, or time stamp, can be assigned to network validation and resource access
requests.

This guide provides information for administering the Windows Time service in the
Microsoft Windows Server 2003 operating system.

In this guide

 Introduction to Administering the Windows Time Service


 Managing the Windows Time Service

Acknowledgements

Published: March 2005

Applies to: Windows Server 2003

Produced by: Microsoft Windows Server User Assistance team

Writer: Shala Brandolini

Editor: Justin Hall


Introduction to Administering the
Windows Time Service
The Microsoft® Windows Server™ 2003 Windows Time service, also known as
W32Time, synchronizes the date and time for all computers running on a Windows
Server 2003 network. The service integrates NTP and time providers, making it a reliable
and scalable time service for enterprise administrators.

The purpose of the Windows Time service is to make sure that all computers that are
running Windows 2000 or later versions in an organization use a common time. To
guarantee appropriate common time usage, the Windows Time service uses a
hierarchical relationship that controls authority and does not permit loops.

By default, Windows-based computers use the following hierarchy:

 All client desktop computers nominate the authenticating domain controller as their
in-bound time partner.

 All member servers follow the same process as client desktop computers.

 Domain controllers may nominate the primary domain controller (PDC) operations
master as their in-bound time partner but may use a parent domain controller based
on stratum numbering.

 All PDC operations masters follow the hierarchy of domains in the selection of their
in-bound time partner.

Following this hierarchy, the PDC operations master at the root of the forest becomes
authoritative for the organization. The authoritative time source at the root of the forest
can acquire its time by connecting to an external NTP server, which is connected to a
hardware device by means of a telephone or the Internet. Organizations such as the
United States Naval Observatory provide NTP servers that are connected to extremely
reliable reference clocks.

If you need highly accurate time synchronization but cannot connect to an external time
source on the Internet, we recommend that you configure a hardware clock, such as a
radio or GPS device, as the time source for the PDC. Many consumer and enterprise
devices use the Network Time Protocol (NTP), allowing you to install the device on an
internal network for use with the PDC.

For a detailed technical reference of the Windows Time service, including complete
documentation of the w32tm tool and the time service registry settings, see the Windows
Time Service Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=40648).
Managing the Windows Time Service
You initially configure the Windows Server 2003 Time service (W32Time) when you deploy
your Active Directory forest root domain. Thereafter, it requires little day-to-day
management. After you make changes on your network, however, including when you add
certain client computers, move the PDC emulator operations master role, or simply change
the time source for your network, you might need to perform some of the following tasks:

 Configuring a time source for the forest

 Configuring Windows-based clients to synchronize time

 Restoring Windows Time service to default settings

Configuring a time source for the forest


After initial deployment of your network, you typically reconfigure the time service on the
PDC emulator only in two situations:

 If you move the PDC emulator role to a different computer. In this case, you must
configure the time service for the new PDC emulator role holder.

 If you change the time source for the PDC emulator. For example, if you change from
synchronizing with an external source to a hardware device.

Follow these best practices for configuring the time source on the forest-root PDC
emulator, in this order of preference:

 Install a hardware clock, such as a radio or GPS device, as the source for the PDC.
There are many consumer and enterprise devices that use the Network Time
Protocol (NTP), allowing you to install the device on an internal network for usage
with the PDC.

 Configure the Windows Time service to synchronize with an external time server.
External time servers allow users to synchronize computer clocks by means of dial-
up, network, and radio links.

The Microsoft time server (time.windows.com) uses NIST, the National Institute of
Standards and Technology, located in Boulder, Colorado, as its external time
provider. NIST provides the Automated Computer Time Service (ACTS), which can
set a computer clock with an uncertainty of less than 10 milliseconds. The U.S. Naval
Observatory (USNO) Time Service Department in Washington D.C. is another source
for accurate time synchronization in the United States. Many other sites exist
throughout the world that can be used for time synchronization. To find them, search
for "time synchronization" on the Internet.

Note
Because synchronization with an external time source is not authenticated, it is
less secure.

The PDC emulator of the forest root domain is customarily the authoritative time source
for the forest and the computer that is usually configured to retrieve time from an external
source. However, if the PDC emulator is not configured to retrieve time from another time
source but is the reliable time source for the domain, configure it to synchronize from its
own internal hardware clock.
The role of PDC emulator can move between computers, meaning that every time the
role of PDC emulator moves, the time service must be reconfigured on the new PDC
emulator, and the manual configuration must be removed from the original PDC emulator.
To avoid this process, configure one domain controller in the forest root domain that is not
the PDC emulator, as the reliable time source and manually configure it to point to an
external time source. Then, no matter which computer is the PDC emulator, the root of
the time service stays the same and thus remains properly configured.

If you choose to implement another time synchronization product that uses the NTP
protocol on your network, you must disable the Windows Time service. All NTP servers
need access to UDP port 123. If W32Time is running on a Windows 2003–based
computer, port 123 will remain occupied.
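
The following Python model is an added example; it is not Microsoft code and not an
implementation of W32Time. It encodes the default in-bound partner selection from the
hierarchy described in the introduction together with the reliable time source
configuration described above, and follows the chain of partners from any computer up
to the root of the hierarchy to show where the organization's time ultimately comes
from; a loop, which the real service does not permit, is reported as an error. The
forest layout and computer names are constructed for the example; time.windows.com is
the peer name the guide itself uses.

```python
"""Model of the default Windows Time service synchronization hierarchy.

Added illustration of the partner-selection rules and of the "reliable time
source" configuration; not Microsoft code and not an implementation of
W32Time. Domain and computer names are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

EXTERNAL = "external NTP source"      # reached through /manualpeerlist
LOCAL_CLOCK = "local hardware clock"  # a forest-root PDC with no manual peer


@dataclass
class Domain:
    name: str
    parent: Optional[str] = None  # None for the forest root domain


@dataclass
class Computer:
    name: str
    domain: str
    role: str                                # "client", "member", "dc" or "pdc"
    authenticating_dc: Optional[str] = None  # DC that clients and member servers log on to
    reliable: bool = False                   # w32tm /config /reliable:yes
    manual_peer: Optional[str] = None        # /manualpeerlist:... /syncfromflags:manual


@dataclass
class Forest:
    domains: Dict[str, Domain] = field(default_factory=dict)
    computers: Dict[str, Computer] = field(default_factory=dict)

    def add(self, *items):
        for item in items:
            target = self.domains if isinstance(item, Domain) else self.computers
            target[item.name] = item
        return self

    def pdc_of(self, domain):
        return next(c for c in self.computers.values()
                    if c.domain == domain and c.role == "pdc")

    def reliable_dc_in(self, domain):
        """A domain controller explicitly marked reliable, if any."""
        return next((c for c in self.computers.values()
                     if c.domain == domain and c.role in ("dc", "pdc") and c.reliable), None)

    def inbound_partner(self, c):
        """Name of the in-bound time partner for computer `c`."""
        if c.manual_peer is not None:
            return EXTERNAL
        if c.role in ("client", "member"):
            return c.authenticating_dc
        reliable = self.reliable_dc_in(c.domain)
        if reliable is not None and reliable.name != c.name:
            return reliable.name  # the domain's reliable source wins over the PDC
        if c.role == "dc":
            return self.pdc_of(c.domain).name
        parent = self.domains[c.domain].parent  # PDC emulators follow the domain hierarchy
        if parent is None:
            return LOCAL_CLOCK
        return (self.reliable_dc_in(parent) or self.pdc_of(parent)).name

    def sync_chain(self, name):
        """Partners from `name` up to the root; raises RuntimeError on a loop."""
        chain = [name]
        while chain[-1] not in (EXTERNAL, LOCAL_CLOCK):
            nxt = self.inbound_partner(self.computers[chain[-1]])
            if nxt in chain:
                raise RuntimeError("time synchronization loop: " + " -> ".join(chain + [nxt]))
            chain.append(nxt)
        return chain

    def hops_to_root(self, name):
        """Number of partners between `name` and the root time source."""
        return len(self.sync_chain(name)) - 1


def build_sample_forest():
    """Constructed forest: root domain corp.example with child sales.corp.example.
    ROOT-DC01 (not the PDC) is the reliable time source pointing at an external
    peer, so the root of the hierarchy stays the same if the PDC role moves."""
    return Forest().add(
        Domain("corp.example"),
        Domain("sales.corp.example", parent="corp.example"),
        Computer("ROOT-PDC", "corp.example", "pdc"),
        Computer("ROOT-DC01", "corp.example", "dc", reliable=True, manual_peer="time.windows.com"),
        Computer("SALES-PDC", "sales.corp.example", "pdc"),
        Computer("SALES-DC02", "sales.corp.example", "dc"),
        Computer("SALES-FS01", "sales.corp.example", "member", authenticating_dc="SALES-DC02"),
        Computer("SALES-PC07", "sales.corp.example", "client", authenticating_dc="SALES-DC02"),
    )


if __name__ == "__main__":
    forest = build_sample_forest()
    for name in ("SALES-PC07", "ROOT-PDC"):
        print(name, "->", " -> ".join(forest.sync_chain(name)[1:]))
    # A reliable DC that has lost its manual peer falls back to the PDC, which
    # in turn points at the reliable DC: the model reports the loop.
    forest.computers["ROOT-DC01"].manual_peer = None
    try:
        forest.sync_chain("ROOT-PDC")
    except RuntimeError as err:
        print(err)
```

The loop case at the end is the misconfiguration the text warns about: if the
reliable domain controller is not itself pointed at an external source, nothing in the
forest has an authoritative root to follow.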

Task requirements

The following tools are required to perform the procedures for this task:

 W32tm.exe

 Services snap-in if you need to disable the Windows Time service

Perform the following procedures as needed to configure a time source for your forest:

1. Configure the Windows Time service on the PDC emulator

2. If you move the role of the PDC emulator to a new domain controller, Change the
Windows Time service configuration on the previous PDC emulator.

3. If you anticipate moving the PDC emulator role and do not want to reconfigure the
Windows Time service afterwards, Configure a domain controller in the parent
domain as a reliable time source.

4. If your PDC emulator is not configured to retrieve time from another time source but
is the reliable time source for the domain, Configure the PDC emulator to
synchronize from its internal hardware clock.
5. If you are implementing a time synchronization product other than the Windows Time
service in your environment that uses the NTP protocol, Disable the Windows Time
service to free UDP port 123 on the network.

Configure the Windows Time service on the PDC emulator
Configure the Windows Time service on the PDC emulator when you deploy a new forest
root domain or when you move the role of the PDC emulator in the forest root domain to
a new domain controller. If you move the role of the PDC emulator to a new domain
controller you must also Change the Windows Time service configuration on the previous
PDC emulator.

Before you configure the time service on the PDC emulator, you can determine the time
difference between it and the source as a means to test basic NTP communication. After
completing the configuration on the PDC emulator be sure to monitor the System log in
Event Viewer for W32Time errors.

Note
For more information about the w32tm command, type w32tm /? at a command
prompt or see Windows Time Service Tools and Settings on the Microsoft Web
site (http://go.microsoft.com/fwlink/?LinkId=42984).

Administrative Credentials

To perform this procedure locally on the PDC emulator, you must be a member of the
Administrators group. To perform this procedure from a remote computer, you must be a
member of the Domain Admins group.

To configure the Windows Time service on the PDC emulator


1. Open a Command Prompt.

2. Type the following command to display the time difference between the local
computer and a target computer, and then press ENTER:

w32tm /stripchart /computer:target /samples:n /dataonly

Value   Definition

target  Specifies the DNS name or IP address of the NTP server that you are
        comparing the local computer's time against, such as time.windows.com.

n       Specifies the number of time samples that will be returned from the
        target computer to test basic NTP communication.

3. Open UDP port 123 for outgoing traffic if needed.

4. Open UDP port 123 (or a different port you have selected) for incoming NTP
traffic.

5. Type the following command to configure the PDC emulator and then press
ENTER:

w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update

where peers specifies the list of DNS names and/or IP addresses of the NTP
time source that the PDC emulator synchronizes from. For example, you can
specify time.windows.com. When specifying multiple peers, use a space as the
delimiter and enclose them in quotation marks.
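
The following Python script is an added example; it is not part of this guide or of
the w32tm tool. It parses the output of the w32tm /stripchart ... /dataonly command
from step 2 of this procedure (and of the same step in "Configure a manual time source
for a selected client computer" later in this guide) and summarizes it before the PDC
emulator is committed to a time source. The sample output is constructed to follow the
line format w32tm prints with /dataonly (a time, a comma and a signed offset in
seconds, or an error code when a query fails); the thresholds in assess() are
assumptions chosen for the example.

```python
"""Summarize `w32tm /stripchart /computer:<target> /samples:<n> /dataonly` output.

Added example, not part of the guide or of w32tm. The parser works offline on
captured output, for instance from:
    w32tm /stripchart /computer:time.windows.com /samples:5 /dataonly > samples.txt
"""
import re
from statistics import median

# Constructed sample of /dataonly output: three good samples and one failed
# query. An error line is what you see when UDP port 123 is blocked or the
# target does not answer (0x800705B4 is the Windows timeout error).
SAMPLE_OUTPUT = """\
Tracking time.windows.com [192.0.2.10:123].
Collecting 4 samples.
The current time is 7/1/2006 10:15:30 AM.
10:15:30, +00.0134567s
10:15:32, +00.0121098s
10:15:34, error: 0x800705B4
10:15:36, +00.0142210s
"""

OFFSET_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}),\s*([+-]\d+\.\d+)s$")
ERROR_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}),\s*error:\s*(0x[0-9A-Fa-f]+)$")


def parse_stripchart(text):
    """Return (offsets_in_seconds, error_codes) from /dataonly output.

    Header lines are ignored. An unrecognized sample line raises, so that a
    change in the tool's output format is noticed rather than silently skipped.
    """
    offsets, errors = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or not line[0].isdigit():
            continue  # "Tracking ...", "Collecting ...", "The current time is ..."
        m = OFFSET_RE.match(line)
        if m:
            offsets.append(float(m.group(2)))
            continue
        m = ERROR_RE.match(line)
        if m:
            errors.append(m.group(2))
            continue
        raise ValueError(f"unrecognized stripchart line: {line!r}")
    return offsets, errors


def assess(text, max_offset_s=1.0, max_error_fraction=0.5):
    """Decide whether the target answered reliably and with a sane offset.

    Thresholds are assumptions for the example: 1 s stays far inside the
    default 5-minute Kerberos clock-skew tolerance, and more than half the
    samples failing indicates an NTP reachability problem to fix (firewall,
    UDP port 123, name resolution) before running `w32tm /config`.
    """
    offsets, errors = parse_stripchart(text)
    total = len(offsets) + len(errors)
    result = {
        "samples": total,
        "errors": len(errors),
        "error_codes": sorted(set(errors)),
        "median_offset_s": median(offsets) if offsets else None,
        "max_abs_offset_s": max(abs(o) for o in offsets) if offsets else None,
    }
    reachable = total > 0 and len(errors) / total <= max_error_fraction
    within = bool(offsets) and result["max_abs_offset_s"] <= max_offset_s
    result["usable"] = reachable and within
    return result


if __name__ == "__main__":
    for key, value in assess(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```

A run that reports usable: False is the signal to look at the firewall and the W32Time
entries in the System log before changing the PDC emulator's configuration; a large
but consistent offset is not an NTP problem, it is simply the amount by which the
PDC emulator's clock will be corrected once it synchronizes.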

Change the Windows Time service configuration on the previous PDC emulator
Use the following procedure to change the Windows Time service configuration on the
previous PDC emulator after you transfer the role to a new domain controller. The
previous PDC emulator will then automatically synchronize time with the domain
hierarchy, getting its time from the new reliable time source.
Note
For more information about the w32tm command, type w32tm /? at a command
prompt or see Windows Time Service Tools and Settings on the Microsoft Web
site (http://go.microsoft.com/fwlink/?LinkId=42984).

Administrative Credentials

To perform this procedure locally on the PDC emulator, you must be a member of the
Administrators group. To perform this procedure from a remote computer, you must be a
member of the Domain Admins group.

To change the Windows Time service configuration on the previous PDC emulator
1. Open a Command Prompt.

2. Type the following command and then press ENTER:

w32tm /config /syncfromflags:domhier /reliable:no /update

3. Type the following command and then press ENTER:

net stop w32time

4. Type the following command and then press ENTER:

net start w32time

Configure a domain controller in the parent domain as a reliable time source
Use this procedure to configure a domain controller as a reliable time source if you
anticipate moving the PDC emulator role and do not want to reconfigure the Windows
Time service afterward. If you are configuring a domain controller as a reliable time
source for the forest root domain, perform the procedure Change the Windows Time
service configuration on the previous PDC emulator in addition to this procedure.
Although you have not moved the PDC emulator role, you must still configure the existing
PDC emulator to no longer be the reliable time source for the domain.
Note
For more information about the w32tm command, type w32tm /? at a command
prompt or see Windows Time Service Tools and Settings on the Microsoft Web
site (http://go.microsoft.com/fwlink/?LinkId=42984).

Administrative Credentials

To perform this procedure locally on the domain controller, you must be a member of the
Administrators group. To perform this procedure from a remote computer, you must be a
member of the Domain Admins group.

To configure a domain controller in the parent domain as a reliable time source


1. Open a Command Prompt.

2. Type the following command and press ENTER:

W32tm /config /reliable:yes /update

Configure the PDC emulator to synchronize from its internal hardware clock
Use the following procedure to configure the PDC emulator in the forest root domain to
synchronize from its internal hardware clock and remain the reliable time source in the
forest root domain.

Note
For more information about the w32tm command, type w32tm /? at a command
prompt or see Windows Time Service Tools and Settings on the Microsoft Web
site (http://go.microsoft.com/fwlink/?LinkId=42984).

Administrative Credentials

To perform this procedure locally on the PDC emulator, you must be a member of the
Administrators group. To perform this procedure from a remote computer, you must be a
member of the Domain Admins group.
To configure the PDC emulator to synchronize from its internal hardware clock
1. Open a Command Prompt.

2. Type the following command and then press ENTER:

w32tm /config /syncfromflags:domhier /reliable:yes /update

3. Type the following command and then press ENTER:

net stop w32time

4. Type the following command and then press ENTER:

net start w32time

Disable the Windows Time service


Use this procedure to disable the Windows Time service if you choose to implement
another time synchronization product that uses the NTP protocol.

Administrative Credentials

To perform this procedure on the local computer, you must be a local Administrator on the
PDC emulator. To perform this procedure on a remote computer, you must be a member
of the Domain Admins group.

To disable the Windows Time service


1. Open the Services snap-in.

2. Right-click Windows Time, and select Properties. The Windows Time Properties
dialog box appears.

3. In the Startup type box, select Disabled from the drop-down menu.

4. Click OK. Verify that the Startup Type for the time service appears as Disabled.

Configuring Windows-based clients to synchronize time
Certain Windows-based client computers do not automatically synchronize their time with
the Active Directory domain. The following client computers do not automatically
synchronize to the domain time by using the Windows Time service:

 Client computers that run in a pre-Windows 2000 domain environment.

 Client computers that run in a UNIX environment.

 Computers that are not joined to a domain.


Configure these computers to request time from a particular source, such as a domain
controller in the domain. If you do not specify a source that is synchronized with the
domain, each computer’s internal hardware clock governs its time.

Task requirements

The following tool is required to perform the procedures for this task:

 W32tm

Use either of the following procedures to configure your Windows-based clients to
synchronize time:

 Configure a manual time source for a selected client computer

-or-

 Configure a client computer for automatic domain time synchronization

Configure a manual time source for a selected client computer
Before you configure a manual time source for a client computer, you can determine the
time difference between it and the source as a means to test basic NTP communication.
After completing the configuration on the selected client computer, be sure to monitor the
System log in Event Viewer for W32Time errors.
Note
For more information about the w32tm command, type w32tm /? at a command
prompt or see Windows Time Service Tools and Settings on the Microsoft Web
site (http://go.microsoft.com/fwlink/?LinkId=42984).

Administrative Credentials

To perform this procedure, you must be a member of the Administrators group on the
local computer. To perform this procedure from a remote computer, you must be a
member of the Domain Admins group.

To configure a manual time source for a selected client computer


1. Open a Command Prompt.

2. Type the following command to display the time difference between the local
computer and a target computer, and then press ENTER:

w32tm /stripchart /computer:target /samples:n /dataonly

Value Definition

target Specifies the DNS name or IP address of the NTP server against which you
are comparing the local computer's time.

n Specifies the number of time samples to request from the target computer in
order to test basic NTP communication.

3. If a firewall is in the path, open UDP port 123 for outgoing NTP traffic.

4. Open UDP port 123 (or the alternative port you have selected) for incoming NTP
traffic: the replies to this computer's own requests and, if other computers use this
computer as a time source, their requests.

5. Type the following command to configure a manual time source for the selected
computer and then press ENTER:

w32tm /config /manualpeerlist:peers /syncfromflags:manual /update

where peers specifies the list of DNS names or IP addresses of the NTP time
source(s) that the selected computer will synchronize from. When specifying
multiple peers, use a space as the delimiter and enclose them in quotation
marks.
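The check in step 2 rests on the standard NTP four-timestamp exchange. The following Python program is an added example, not part of the Microsoft guide and not W32Time code: it builds the same kind of client request that w32tm sends, validates the reply (server mode, a synchronized stratum, and an Originate timestamp that echoes the request, which is the check that rejects stale or spoofed answers), and computes the clock offset and round-trip delay that /stripchart reports. The reply used in demo_offline() is constructed so the file runs with no network; stripchart() performs the live exchange on UDP 123. Function names such as build_request, measure and stripchart are this example's own.

```python
"""Clock offset against an NTP source, the quantity behind w32tm /stripchart.

Added example; not part of the Microsoft guide and not W32Time code. NTP v3
client/server framing (48-byte header) with the RFC 5905 offset formula.
The reply in demo_offline() is constructed, not captured from a real server.
"""
import socket
import struct
import time

NTP_PORT = 123
NTP_UNIX_DELTA = 2208988800            # seconds from 1900-01-01 to 1970-01-01
PACKET = struct.Struct("!BBBb11I")     # flags, stratum, poll, precision, 11 x uint32
HDR_CLIENT = (0 << 6) | (3 << 3) | 3   # LI=0, version 3, mode 3 (client)
HDR_SERVER = (0 << 6) | (3 << 3) | 4   # LI=0, version 3, mode 4 (server)


def to_ntp(unix_seconds):
    """Unix float seconds -> 64-bit NTP timestamp as (seconds, fraction)."""
    whole = int(unix_seconds)
    return whole + NTP_UNIX_DELTA, int((unix_seconds - whole) * (1 << 32))


def from_ntp(seconds, fraction):
    return seconds - NTP_UNIX_DELTA + fraction / (1 << 32)


def build_request(t1):
    """Client packet; our send time T1 goes in the Transmit Timestamp field."""
    s, f = to_ntp(t1)
    return PACKET.pack(HDR_CLIENT, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, s, f)


def build_server_reply(t1, t2, t3, stratum=2):
    """Constructed reply (offline use): echoes T1 as Originate and stamps
    Receive (T2) and Transmit (T3) by the server's clock."""
    (os_, of), (rs, rf), (xs, xf) = to_ntp(t1), to_ntp(t2), to_ntp(t3)
    return PACKET.pack(HDR_SERVER, stratum, 0, -20, 0, 0, 0, 0, 0, os_, of, rs, rf, xs, xf)


def measure(reply, t1_sent, t4):
    """Return (offset, delay, stratum); raise ValueError if the reply cannot be
    trusted. offset > 0 means the target's clock is ahead of ours."""
    if len(reply) < PACKET.size:
        raise ValueError("short packet")
    f = PACKET.unpack_from(reply)
    leap, mode, stratum = f[0] >> 6, f[0] & 7, f[1]
    originate = from_ntp(f[9], f[10])
    t2, t3 = from_ntp(f[11], f[12]), from_ntp(f[13], f[14])
    if mode != 4:
        raise ValueError("not a server-mode reply")
    if stratum == 0 or leap == 3:
        raise ValueError("source unsynchronized (stratum 0 or leap indicator 3)")
    # Originate must echo the T1 we sent: a mismatch is a stale or spoofed reply.
    if abs(originate - t1_sent) > 1e-6:
        raise ValueError("originate timestamp does not match our request")
    offset = ((t2 - t1_sent) + (t3 - t4)) / 2     # RFC 5905 clock offset
    delay = (t4 - t1_sent) - (t3 - t2)            # round trip minus server hold time
    return offset, delay, stratum


def reply_is_trusted(reply, t1_sent, t4):
    """True if measure() accepts the reply."""
    try:
        measure(reply, t1_sent, t4)
        return True
    except ValueError:
        return False


def stripchart(host, samples=3, timeout=2.0):
    """Live equivalent of w32tm /stripchart /computer:host /samples:n /dataonly:
    one (offset, delay, stratum) tuple per sample, one second apart."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    results = []
    try:
        for i in range(samples):
            t1 = time.time()
            sock.sendto(build_request(t1), (host, NTP_PORT))
            reply, _ = sock.recvfrom(512)
            results.append(measure(reply, t1, time.time()))
            if i + 1 < samples:
                time.sleep(1)
    finally:
        sock.close()
    return results


def demo_offline():
    """Constructed exchange: target 1.5 s ahead of us, 20 ms round trip, 1 ms
    server hold time. Expected: offset 1.5, delay 0.020, stratum 2."""
    t1 = 1700000000.0            # our send time, Unix seconds (constructed)
    t2 = t1 + 0.010 + 1.5        # server receive, by the server's clock
    t3 = t2 + 0.001              # server transmit
    t4 = t1 + 0.021              # our receive time
    return measure(build_server_reply(t1, t2, t3), t1, t4)


if __name__ == "__main__":
    offset, delay, stratum = demo_offline()
    print(f"offset {offset:+.6f}s  delay {delay:.6f}s  stratum {stratum}")
```

A positive offset means the target is ahead of the local clock; if several samples against a domain controller agree on an offset larger than a few seconds, the client is the one that is wrong and the manual peer configuration in step 5 will correct it.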
Configure a client computer for automatic domain time synchronization
Some computers that are joined to a domain are configured to synchronize from a
manual time source. Use the following procedure to configure a client computer that is
currently synchronizing with a manually specified computer, to automatically synchronize
time with the domain hierarchy.

Note
For more information about the w32tm command, type w32tm /? at a command
prompt or see Windows Time Service Tools and Settings on the Microsoft Web
site (http://go.microsoft.com/fwlink/?LinkId=42984).

Administrative Credentials

To perform this procedure, you must be a member of the Administrators group on the
local computer. To perform this procedure from a remote computer, you must be a
member of the Domain Admins group.

To configure a client computer for automatic domain time synchronization


1. Open a Command Prompt.

2. Type the following command and then press ENTER:


w32tm /config /syncfromflags:domhier /update

3. Type the following command and then press ENTER:

net stop w32time

4. Type the following command and then press ENTER:

net start w32time


Restoring Windows Time service to default settings

If the local Windows Time service settings are incorrectly configured, restoring the
Windows Time service to its default settings might be more efficient than troubleshooting
the problem. Re-registering the service discards every Windows Time setting, including
any manually configured peer list and the reliable-source flag; on the forest root PDC
emulator, reconfigure the authoritative time source after the restore.

Task requirements

The following tools are required to perform the procedures for this task:

 W32tm.exe
Perform the following procedure to restore local Windows Time service to the default
settings:

 Restore Windows Time service on local computer to default settings

Restore Windows Time service on local computer to default settings
Use this procedure to restore the Windows Time service on the local computer to the
default settings.

Note
For more information about the w32tm command, type w32tm /? at a command
prompt or see Windows Time Service Tools and Settings on the Microsoft Web
site (http://go.microsoft.com/fwlink/?LinkId=42984).

Administrative Credentials

To perform this procedure on the local computer, you must be a member of the
Administrators group. To perform this procedure on a remote computer, you must be a
member of the Domain Admins group.

To restore Windows Time service on local computer to default settings


1. Open a Command Prompt.

2. Type the following command and then press ENTER:

net stop w32time


3. Type the following command and then press ENTER:

w32tm /unregister

4. Type the following command and then press ENTER:

w32tm /register

5. Type the following command and then press ENTER:

net start w32time

Administering SYSVOL
This guide provides information for administering the Active Directory SYSVOL shared
folder in the Microsoft Windows Server 2003 operating system.

In this guide

 Introduction to Administering SYSVOL

 Managing SYSVOL

Acknowledgements

Published: March 2005

Updated:

Applies to: Windows Server 2003

Produced by: Microsoft Windows Server User Assistance team

Writer: Mary Hillman

Editor: Jim Becker

Introduction to Administering SYSVOL


The Windows Server 2003 System Volume (SYSVOL) is a collection of folders and
reparse points in the file systems that exist on each domain controller in a domain.
SYSVOL provides a standard location to store important elements of Group Policy
objects (GPOs) and scripts so that the File Replication service (FRS) can distribute them
to other domain controllers within that domain.

Note
Only the Group Policy template (GPT) is replicated by SYSVOL. The Group
Policy container (GPC) is replicated through Active Directory replication. To be
effective, both parts must be available on a domain controller.

FRS monitors SYSVOL and, if a change occurs to any file stored on SYSVOL, then FRS
automatically replicates the changed file to the SYSVOL folders on the other domain
controllers in the domain.

The day-to-day operation of SYSVOL is an automated process that does not require any
human intervention other than watching for alerts from the monitoring system.
Occasionally, you might perform some system maintenance as you change your network.

This objective describes the basic tasks required for managing SYSVOL in order to
maintain capacity and performance of SYSVOL, for hardware maintenance, or for data
organization.

Key considerations for administering SYSVOL

To manage SYSVOL, ensure that FRS properly replicates the SYSVOL data and that
enough space is provided to store SYSVOL. Implement a monitoring system to detect
low disk space and potential FRS disruptions so that you can address those issues
before the system stops replicating. A useful tool for this is the Ultrasound utility, which
can be downloaded from www.microsoft.com, by searching for Ultrasound.

Other key considerations for managing SYSVOL are:

 Capacity.

Depending upon the configuration of your domain, SYSVOL can require a significant
amount of disk space to function properly. During the initial deployment, SYSVOL might
be allocated adequate disk space to function. However, as your Active Directory grows in
size and complexity, the required capacity can exceed the available disk space.

If you receive indications that disk space is low, determine whether the cause is
inadequate physical space on the disk or the registry setting that limits the size of the
staging area. By modifying that registry setting you can allocate more staging area
space instead of relocating SYSVOL or the staging area; increasing the allocation in the
registry is much faster and easier than relocation.

 Performance.

Any changes made to SYSVOL are automatically replicated to the other domain
controllers in the domain. If the files stored in SYSVOL change frequently, the replication
increases the input and output for the volume where SYSVOL is located. For example,
editing a GPO can potentially force a GPO-level replication. If the volume is also host to
other system files, such as the directory database or the pagefile, then the increased
input and output for the volume can impact the performance of the server.

 Hardware maintenance.

System maintenance, such as removal of a disk drive, can require you to relocate
SYSVOL. Even if the maintenance occurs on a different disk drive, verify that the
maintenance does not affect the system volume. Logical drive letters can change after
you add and remove disks. FRS locates SYSVOL by using pointers stored in the
directory and the registry. If drive letters change after you add or remove disk drives, be
aware that these pointers are not automatically updated.
 Backing up Group Policy objects (GPOs).

The successful operation of Group Policy is heavily dependent on the reliable operation
of SYSVOL. Key components of each GPO exist in SYSVOL (in the Policies
subdirectory), and it is essential that these remain in sync with the related components in
Active Directory. Therefore, backing up only the SYSVOL component does not represent
a full and complete backup of your GPOs. The Group Policy Management Console
(GPMC) provides both UI-based and scriptable methods for backing up GPOs. It is
important that you back up GPOs as part of your regular backup and disaster recovery
processes. Soon after installation of a new domain, back up the Default Domain Policy and
Default Domain Controllers Policy GPOs, and back them up again after any subsequent
change.

Understanding the SYSVOL folder structure

Before you attempt to relocate all or portions of the system volume, you must clearly
understand the folder structure and the relationships between the folders and the path
information that is stored in the registry and the directory itself. When folders are
relocated, any associated parameters that are stored in the registry and the directory
must be updated to match the new location. The folder structure contains junctions that
might also require updating when folders get moved to a new location.

Maintaining the relationship between the folders, junctions, and stored parameters is
important when you must relocate all or portions of SYSVOL. Failure to do so can result
in files being replicated to or from the wrong location. It can also result in files failing to
replicate, yet FRS will not report any errors. Due to the configuration error, FRS looks in
the wrong location for the files that you want to replicate.

The folder structure used by the system volume uses a feature called a junction point.
Junction points look like folders and behave like folders (in Windows Explorer you cannot
distinguish them from regular folders), but they are not folders. A junction point contains a
link to another folder. When a program opens it, the junction point automatically redirects
the program to the folder to which the junction point is linked. The redirection is
completely transparent to the user and the application.

For example if you create two folders, C:\Folder1 and C:\Folder2, and create a junction
called C:\Folder3, and then link the junction back to Folder1, Windows Explorer displays
three folders:

\Folder1

\Folder2

\Folder3

If you open Folder3, Windows Explorer is redirected to Folder1 and displays the contents
of Folder1. You receive no indication of the redirection because it is transparent to the
user and to Windows Explorer. If you look at the contents of Folder1, you see that it is
exactly the same as the contents displayed when you open Folder3. If you open a
command prompt and list a directory, all three folders appear in the output. The first two
are type <DIR> and Folder3 is type <JUNCTION>. If you list a directory of Folder3, you
see the contents of Folder1.

Note
To create or update junctions, you need the Linkd.exe tool supplied with the
Windows 2000 Server and Windows Server 2003 Resource Kits. Linkd allows you to
create, delete, update, and view the links that are stored in junction points. To view
the target of an existing junction without the Resource Kit, you can also use the
built-in command fsutil reparsepoint query <path>.

By default, the system volume is contained in the %systemroot%\SYSVOL folder. The
tree of folders contained within this folder can be extensive, depending on how your
network uses FRS. When relocating folders in the system volume, ensure that you move
all folders (including any hidden folders) and ensure that the relationships of the folders
do not change unintentionally. When you relocate folders, you need to be concerned with
the first three levels of subdirectories in order to properly update the parameters used by
FRS. These levels are affected by junction points and parameter settings. These folders
include:

 %systemroot%\SYSVOL

 %systemroot%\SYSVOL\Domain

 %systemroot%\SYSVOL\Domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory

 %systemroot%\SYSVOL\Domain\Policies

 %systemroot%\SYSVOL\Domain\Scripts

 %systemroot%\SYSVOL\Staging

 %systemroot%\SYSVOL\Staging\Domain

 %systemroot%\SYSVOL\Staging Areas

 %systemroot%\SYSVOL\Staging Areas\FQDN

 %systemroot%\SYSVOL\Sysvol

 %systemroot%\SYSVOL\Sysvol\FQDN

(where FQDN is the fully qualified domain name of the domain that this domain controller
hosts.)

Note
If any of the folders do not appear in Windows Explorer, click Tools and then
click Folder Options. On the View tab, select Show hidden files and folders.

If you use Windows Explorer to view these folders, they appear to be typical folders. If
you open a command prompt and type dir to list these folders, you will notice two special
folders are listed as <JUNCTION>. Both folders labeled FQDN are junction points. The
junction in %systemroot%\SYSVOL\Sysvol links to %systemroot%\SYSVOL\Domain. The
junction in %systemroot%\SYSVOL\Staging Areas links to
%systemroot%\SYSVOL\Staging\Domain. If you change the path to the folders to which the
junctions are linked, including drive letter changes and folder changes, you must also
update the junctions.

Besides junction points linking to folders within the system volume tree, the registry and
the directory also store references to folders. These references contain paths that you
must update if you change the location of the folder. FRS uses two values that are stored
in the directory. The first value, fRSRootPath, points to the location of the policies and
scripts that are stored in SYSVOL. By default, this location is the
%systemroot%\SYSVOL\Domain folder. The second value, fRSStagingPath, points to the
location of the folders used as the staging area. By default, this location is the
%systemroot%\SYSVOL\Staging\Domain folder. The Net Logon service uses a parameter
stored in the registry to identify the location of the folder that it uses to create the
SYSVOL and NETLOGON share points. By default, this path is
%systemroot%\SYSVOL\Sysvol. If you change the paths to these folders, you must update
these values.

When relocating SYSVOL, you first move the entire folder structure to a new location;
then you update all the junction points and the parameters that are stored in the registry
and the directory in order to maintain the relationships between the parameters, the
folders, and the junctions. Optionally, you can relocate the staging area and leave the rest
of the system volume at its original location. In this case, you must update the
fRSStagingPath parameter in the directory and the junction point stored at
%systemroot%\SYSVOL\Staging Areas.
Managing SYSVOL
The following tasks for managing SYSVOL are described in this objective:

 Changing the Space Allocated to the Staging Area

 Relocating the Staging Area

 Relocating SYSVOL Manually

 Updating the System Volume Path

 Restoring and Rebuilding SYSVOL

Changing the Space Allocated to the Staging Area
The staging area stores files prior to being replicated and stores files that it has just
received through replication. Although FRS compresses the data and attributes of the
replicated files to save space in the Staging Area folder and reduce the time that is
needed to replicate the files, this method requires making and storing a copy of every file
prior to replication and can require a substantial amount of disk space.

The default size of the staging area is 660 megabytes (MB). The minimum size is 10 MB
and the maximum size is 2 terabytes. You can adjust the size limit of the staging folder
by setting the value, in kilobytes (KB), of the Staging Space Limit in KB registry entry in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters. For more
information about setting the staging space limit in the registry, see KB article 329491 in
the Microsoft Knowledge Base.

Task requirements

The following tools are required to perform the procedures for this task:

 Net.exe

 Regedit.exe

 Event Viewer

To complete this task, perform the following procedures in order:

1. Stop the File Replication service

2. Change the space allocated to the Staging Area folder


3. Start the File Replication service

Stop the File Replication service


Use this procedure to stop the File Replication service.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To stop the File Replication service


1. Open a Command Prompt.

2. Type the following command and then press Enter:

net stop ntfrs

Change the space allocated to the


Staging Area folder
This procedure outlines the steps needed to modify the registry entry that restricts the
amount of disk space allocated to the staging area in SYSVOL.

Caution
The Registry Editor bypasses standard safeguards, allowing settings that can
damage your system or even require you to reinstall Windows. If you must edit
the registry, back up system state first. For information about backing up system
state, see Administering Active Directory Backup and Restore.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.

To change the space allocated to the Staging Area folder


1. Click Start, and then click Run.
2. In the Run dialog box, type regedit and then press Enter.

3. In the Registry Editor, navigate to


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parame
ters.

4. Double-click Staging Space Limit in KB to open the Edit DWORD Value dialog
box.

5. Under Base, select Decimal.

6. In Value data, enter a value from 10000 (10 MB) through 2000000000 (2 TB). Do
not use commas or other separators. Click OK.

7. Close the Registry Editor.

Start the File Replication service


Use this procedure to restart the File Replication service and review the FRS event log to
ensure that the restart succeeded.

Administrative Credentials

To perform this procedure you must be a member of the Domain Admins group in Active
Directory.

To start the File Replication service


1. Open a Command Prompt.
2. Type the following command, and then press Enter:

net start ntfrs

3. You can use Event Viewer to verify that NTFRS restarted correctly. Event ID
13501 indicates that the service is starting. Look for event ID 13516 to verify that
the system volume is initialized and shared and the domain controller is ready for
service. If you moved SYSVOL to a new location or relocated the Staging Area
folder, look for event IDs 13553 and 13556, which indicate success.
Relocating the Staging Area
By default, the Active Directory Installation Wizard installs the Staging Area folder within
the SYSVOL. The Active Directory Installation Wizard creates two folders, Staging and
Staging Areas, which FRS uses for the staging process. When you relocate the staging
area, you can change the name. Ensure that you identify the proper area in case it is
renamed in your environment.

Two parameters determine the location of the staging area. One parameter,
fRSStagingPath, is stored in the directory and contains the path to the actual location that
FRS uses to stage files. The other parameter is a junction point stored in the Staging
Area folder in SYSVOL that links to the actual location that FRS uses to stage files. When
relocating the staging area, you must update these two parameters to point to the new
location.

Except where noted, perform these procedures on the domain controller that contains the
Staging Area folder that you want to relocate.

Task requirements

To perform this task it is necessary that you understand the folder structure used by the
system volume. For more information, see Introduction to Administering SYSVOL.

The following tools are required to perform the procedures for this task:

 Active Directory Sites and Services (Administrative Tool)

 Event Viewer

 Net.exe

 Dcdiag.exe (Windows Support Tools)

 Regedit.exe

 ADSI Edit.msc (Windows Support Tools)

 Linkd.exe (Windows Server 2003 Resource Kit Tools)

Note
To create or update junctions, you need the Linkd.exe tool supplied with
Windows Server 2003 Resource Kit Tools on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkId=16544. Linkd allows you to create, delete,
update, and view the links that are stored in junction points.

To complete this task, perform the following procedures in order:

1. Identify replication partners

2. Check the status of the shared SYSVOL

You do not need to perform the test on every partner, but you need to perform
enough tests to be confident that the shared system volumes on the partners are
healthy.

3. Verify replication with other domain controllers

4. Gather the SYSVOL path information

5. Reset the File Replication service staging folder to a different logical drive

Identify replication partners


Use this procedure to examine the Connection objects for a domain controller and
determine its replication partners.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To identify replication partners


1. Open Active Directory Sites and Services.

2. In the console tree, expand the Sites container to display the list of sites.

3. Double-click the site that contains the domain controller for which you want to
determine Connection objects.

Note
If you do not know the site in which the domain controller is located, open
a command prompt and type ipconfig to get the IP address of the
domain controller. Then match that address against the subnet objects in the
Subnets container of Active Directory Sites and Services; the site attribute of
the matching subnet identifies the site.

4. Expand the Servers folder to display the list of servers in that site.

5. Expand the name of your domain controller to display its NTDS settings.

6. Double-click NTDS Settings to display the list of Connection objects in the details
pane (these represent inbound connections used for replication). The From
Server column displays the names of the domain controllers that are the
replication partners.
Check the status of the shared SYSVOL
This procedure involves checking Event Viewer to make sure that the File Replication
service is started properly and then ensuring that the SYSVOL and Net Logon shared
folders are created.

Note
You do not need to perform this procedure on every replication partner, but you
need to perform it enough times to be confident that the shared system volumes
on the replication partners are healthy.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To check the status of the shared SYSVOL


1. Open Event Viewer.

2. In the Event Viewer tree, click File Replication Service to display the FRS
events.

3. Look for an event 13516 with a date and time stamp that corresponds with the
recent restart. It can take 15 minutes or more to appear. An event 13508 is a
warning that FRS is having trouble enabling replication from a partner and will
keep retrying; a later event 13509 indicates that replication was enabled after
those retries. A 13508 that is not followed by a 13509 means replication from that
partner is still blocked and must be investigated. Event 13516 indicates that the
service is started, the folders are shared, and the domain controller is functional.
4. To verify that the shared folders are created, open a command prompt and type
net share to display a list of the shared folders on this domain controller. Both
NETLOGON and SYSVOL must be listed.

5. At a command prompt, type dcdiag /test:netlogons and press ENTER.

6. Look for a message that states computername passed test NetLogons where
computername is the name of the domain controller. If you do not see the test
passed message, a problem is preventing replication from functioning. This
test verifies that the proper logon privileges are set to allow replication to occur. If
this test fails, verify the permissions set on the NETLOGON and SYSVOL shared
folders.
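The event-ID meanings used in this procedure, and in the restart check after changing the staging space, can be applied mechanically to an exported log. The following Python program is an added example, not part of the guide and not a Microsoft tool: it parses a constructed one-line-per-event export of the File Replication Service log, pairs each 13508 with a later 13509, and reports whether the system volume is ready (13516), still inside the 15-minute start-up window the procedure quotes, or blocked. The export format, the sample entries and the function names are this example's own assumptions; a real Event Viewer export needs its own parser.

```python
"""Classify SYSVOL/FRS health from File Replication Service event-log entries.

Added example, not Microsoft code. Applies the event-ID meanings given in this
guide (13501, 13508, 13509, 13516, 13553, 13556, 13563). The one-line export
format and the sample entries below are constructed, not real captures.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+NtFrs\s+(\d+)\s+(.*)$")
GRACE = timedelta(minutes=15)          # how long the guide allows for 13516 to appear

MEANING = {
    13501: "FRS service starting",
    13508: "trouble enabling replication from a partner; FRS keeps retrying",
    13509: "replication enabled after retries (clears an earlier 13508)",
    13516: "system volume initialized and shared; DC ready for service",
    13553: "computer added to replica set (relocation accepted)",
    13556: "replica set path change accepted (relocation success)",
    13563: "staging path changed; takes effect after NtFrs restarts",
}


def parse_log(text):
    """Parse 'YYYY-MM-DD HH:MM:SS NtFrs <id> <message>' lines into sorted tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                           int(m.group(2)), m.group(3)))
    return sorted(events)


def assess(events, now):
    """Return (status, findings). status is 'ready', 'starting', 'blocked' or
    'no-start'; findings list the events that drove the verdict."""
    starts = [e for e in events if e[1] == 13501]
    if not starts:
        return "no-start", ["no 13501 in the log: FRS start not observed"]
    since = starts[-1][0]
    last = {}                              # event id -> latest occurrence since the start
    for when, eid, _ in events:
        if when >= since:
            last[eid] = when
    findings = [f"{eid}: {MEANING.get(eid, 'unlisted event')}" for eid in sorted(last)]
    # A 13508 is only transient if a 13509 follows it; otherwise the partner is blocked.
    if 13508 in last and last.get(13509, datetime.min) < last[13508]:
        status = "blocked"
        findings.append("13508 without a later 13509: replication from a partner is still blocked")
    elif 13516 in last:
        status = "ready"
    elif now - since < GRACE:
        status = "starting"
        findings.append("no 13516 yet; allow up to 15 minutes after 13501")
    else:
        status = "blocked"
        findings.append("no 13516 within 15 minutes of 13501: SYSVOL is not shared")
    if 13563 in last:
        findings.append("13563: restart NtFrs so the new staging path takes effect")
    return status, findings


def assess_text(text, now_str):
    """Convenience wrapper: log text plus the current time as 'YYYY-MM-DD HH:MM:SS'."""
    return assess(parse_log(text), datetime.strptime(now_str, "%Y-%m-%d %H:%M:%S"))


# Constructed samples (not real captures); DC2 is DC1's replication partner.
HEALTHY = """
2005-03-06 19:00:10 NtFrs 13501 The File Replication Service is starting.
2005-03-06 19:00:45 NtFrs 13508 Trouble enabling replication from DC2 to DC1 for c:\\windows\\sysvol\\domain; retrying.
2005-03-06 19:03:12 NtFrs 13509 Replication from DC2 to DC1 enabled after repeated retries.
2005-03-06 19:05:40 NtFrs 13516 System volume initialized; Netlogon notified that SYSVOL can be shared.
"""
BLOCKED = """
2005-03-06 19:00:10 NtFrs 13501 The File Replication Service is starting.
2005-03-06 19:00:45 NtFrs 13508 Trouble enabling replication from DC2 to DC1 for c:\\windows\\sysvol\\domain; retrying.
"""
STARTING = "2005-03-06 19:00:10 NtFrs 13501 The File Replication Service is starting.\n"


if __name__ == "__main__":
    for name, text in (("healthy", HEALTHY), ("blocked", BLOCKED), ("starting", STARTING)):
        status, notes = assess_text(text, "2005-03-06 19:10:00")
        print(f"{name}: {status} | " + "; ".join(notes))
```

The 13508/13509 pairing is the part worth keeping even if the rest is replaced by a monitoring product: a 13508 on its own is the earliest sign that a partner cannot be reached, long before a missing 13516 makes the domain controller visibly unhealthy.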
Verify replication with other domain
controllers
The tests performed in this procedure verify that different aspects of the replication
topology are working properly. They check to see that objects are replicating and they
verify that the proper logon permissions are set to allow replication to occur.

Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To verify replication is functioning


1. Open a Command Prompt.

2. Type the following command, and then press Enter:

dcdiag /test:replications

Note
For this set of tests, the /v option is available. However, it does not
display any significant additional information. Messages indicate that the
connectivity and replications tests passed.

3. To verify that the proper permissions are set for replication, type the following
command and then press Enter:
dcdiag /test:netlogons

Messages indicate that the connectivity and netlogons tests passed.

Gather the SYSVOL path information


When relocating SYSVOL, you first move the entire folder structure to a new location;
then you update all the junction points and the parameters that are stored in the registry
and the directory in order to maintain the relationships between the parameters, the
folders, and the junctions. Optionally, you can relocate the staging area and leave the rest
of the system volume at its original location. In this case, you must update the
fRSStagingPath parameter in the directory and the junction point stored at
%systemroot%\SYSVOL\Staging Areas. For more information about the folder structure
and the relationships between the folders and the path information stored in the registry
and the directory itself, see Introduction to Administering SYSVOL.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

Use the procedures below to locate the system volume path information and record the
current values in the following table.
To relocate the staging area, record the information for rows 2 and 5.

Note
To restore and rebuild SYSVOL, you will need the information from the domain
controller that you are repairing recorded in rows 1, 2, and 3. Use the junctions
located on the domain controller that you are copying from the SYSVOL folder
structure to record the current value for rows 4 and 5. The new values for rows 4
and 5 are based on the domain controller that you are repairing.

Row Parameter Current Value New Value

1 fRSRootPath ____________ ____________

2 fRSStagingPath ____________ ____________

3 Sysvol parameter in registry ____________ ____________

4 Sysvol junction ____________ ____________

5 Staging junction ____________ ____________

To gather the system volume path information


fRSRootPath and fRSStagingPath
1. Click Start, click Run, type adsiedit.msc, and then press Enter.

2. Double-click Domain [computername] (where computername is the name of this
domain controller). Verify that the Domain expands to display the domain
component (DC=) folder.

3. Click the domain component to display the containers and OUs in the details
pane.

4. Double-click OU=Domain Controllers to display the containers that represent
the domain controllers.

5. Double-click the container that represents this domain controller
(CN=computername) to display more containers.

6. Click the CN=NTFRS Subscriptions container.

7. In the details pane, right-click CN=Domain System Volume, and then click
Properties.

8. Ensure that Show mandatory attributes is selected. Select it if it is not.

9. In Attributes, locate fRSRootPath and fRSStagingPath and record the current
values in the table above.

10. Based on the folder structure discussed in detail in Introduction to Administering
SYSVOL and the new location, record the new path value for each parameter in
the table.

11. Click Cancel to close the dialog box.

SYSVOL parameter in the registry


1. Click Start, click Run, type regedit and then press ENTER.

2. In Registry Editor, navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.

3. Sysvol appears in the details pane. The current value is listed in the Data column.

4. Record the current value in the table above. Based on the folder structure discussed in
detail in Introduction to Administering SYSVOL and the new location, record the new
path value for this parameter in the table.

5. Exit Registry Editor.

SYSVOL junction
1. Open a Command Prompt.

2. Change the directory to %systemroot%\SYSVOL\Sysvol.


Note
This assumes that the system volume is still in the default location. If it
has been relocated, substitute the appropriate paths into these
instructions.

3. At the command prompt, type dir. Verify that the fully qualified domain name
(FQDN) is listed as type <JUNCTION>.

4. At the command prompt, type linkd fqdn (where fqdn is the domain name listed
in the dir output) and then press ENTER. This displays the path stored in the
junction point.

5. Record the current value in table above. Based on the folder structure discussed
in detail in Introduction to Administering SYSVOL and the new location, record
the new path value for this parameter in the table.

Staging junction
1. Open a Command Prompt.

2. Change the directory to %systemroot%\SYSVOL\Staging Areas.

Note
This assumes that the staging area is still in the default location. If it has
been relocated, substitute the appropriate paths into these instructions.

3. At the command prompt, type dir. Verify that the fully qualified domain name
(FQDN) is listed as type <JUNCTION>.

4. At the command prompt, type linkd fqdn (where fqdn is the domain name listed
in the dir output) and then press ENTER. This displays the path stored in the
junction point.
5. Record the current value in table above. Based on the folder structure discussed
in detail in Introduction to Administering SYSVOL and the new location, record
the new path value for this parameter in the table.
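Once the five rows of the worksheet are filled in, the relationships described in Introduction to Administering SYSVOL can be checked mechanically before anything is moved, and the New Value column can be derived for the planned move. The following Python program is an added example, not Microsoft code and not a Resource Kit tool: check_sysvol_paths() verifies that each junction resolves to its directory value and that the Sysvol junction sits directly under the path in the Netlogon Sysvol registry value (the silent mis-replication case the introduction warns about, shown here as a drive-letter change that the junctions never followed), and plan_relocation() rewrites every value under an old prefix to a new one, so a staging-only move changes rows 2 and 5 and a whole-SYSVOL move changes all five. The sample values are constructed for a domain controller DC1 in contoso.com, and the generated commands assume linkd's `linkd <junction> <target>` form for creating or updating a junction.

```python
"""Consistency check and relocation plan for the five SYSVOL path values.

Added example; not Microsoft code. Encodes the relationships this guide
describes: Sysvol\\<FQDN> junction -> fRSRootPath, Staging Areas\\<FQDN>
junction -> fRSStagingPath, and the Sysvol junction sits directly under the
Netlogon Sysvol registry value. Sample values are constructed for DC1 in
contoso.com. Generated commands assume `linkd <junction> <target>`.
"""
from pathlib import PureWindowsPath as P   # equality and relative_to ignore case

ROWS = ("fRSRootPath", "fRSStagingPath", "Sysvol", "SysvolJunction", "StagingJunction")


def check_sysvol_paths(values, fqdn):
    """values is keyed by ROWS; the two junction rows are (junction, target) pairs.
    Returns a list of problems; an empty list means the five values agree."""
    problems = []
    j_sys, sys_target = values["SysvolJunction"]
    j_stg, stg_target = values["StagingJunction"]
    if P(sys_target) != P(values["fRSRootPath"]):
        problems.append(f"Sysvol junction targets {sys_target} but fRSRootPath is {values['fRSRootPath']}")
    if P(stg_target) != P(values["fRSStagingPath"]):
        problems.append(f"Staging junction targets {stg_target} but fRSStagingPath is {values['fRSStagingPath']}")
    if P(j_sys).parent != P(values["Sysvol"]):
        problems.append(f"Sysvol junction {j_sys} is not directly under the Netlogon Sysvol value {values['Sysvol']}")
    for label, junction in (("Sysvol", j_sys), ("Staging", j_stg)):
        if P(junction).name.lower() != fqdn.lower():
            problems.append(f"{label} junction {junction} is not named after the domain {fqdn}")
    return problems


def plan_relocation(values, old_prefix, new_prefix):
    """Rewrite every value under old_prefix to live under new_prefix.
    Returns (new_values, changed_rows, linkd_commands)."""
    def move(path):
        try:
            rel = P(path).relative_to(P(old_prefix))
        except ValueError:
            return path                          # outside the moved tree: unchanged
        return str(P(new_prefix) / rel)

    new = {}
    for row in ROWS:
        cur = values[row]
        new[row] = (move(cur[0]), move(cur[1])) if isinstance(cur, tuple) else move(cur)
    changed = [row for row in ROWS if new[row] != values[row]]
    commands = []
    for row in ("SysvolJunction", "StagingJunction"):
        if row in changed:
            junction, target = new[row]
            commands.append(f'linkd "{junction}" "{target}"')
    return new, changed, commands


# Constructed default layout for DC1 in contoso.com (worksheet rows 1 to 5).
DEFAULTS = {
    "fRSRootPath": r"C:\Windows\SYSVOL\domain",
    "fRSStagingPath": r"C:\Windows\SYSVOL\staging\domain",
    "Sysvol": r"C:\Windows\SYSVOL\sysvol",
    "SysvolJunction": (r"C:\Windows\SYSVOL\sysvol\contoso.com", r"C:\Windows\SYSVOL\domain"),
    "StagingJunction": (r"C:\Windows\SYSVOL\staging areas\contoso.com",
                        r"C:\Windows\SYSVOL\staging\domain"),
}


def drive_letter_drift_example():
    """The directory and registry values were updated to D: after a disk change but
    the junctions still say C:, so FRS would look in the wrong place and report
    nothing. Returns the problems the check finds (three)."""
    drifted = dict(DEFAULTS,
                   fRSRootPath=r"D:\Windows\SYSVOL\domain",
                   fRSStagingPath=r"D:\Windows\SYSVOL\staging\domain",
                   Sysvol=r"D:\Windows\SYSVOL\sysvol")
    return check_sysvol_paths(drifted, "contoso.com")


if __name__ == "__main__":
    print("default layout problems:", check_sysvol_paths(DEFAULTS, "contoso.com"))
    new, changed, cmds = plan_relocation(DEFAULTS, r"C:\Windows\SYSVOL\staging\domain", r"E:\Frsstage")
    print("staging-only move changes rows:", changed)
    for c in cmds:
        print("  ", c)
    for p in drive_letter_drift_example():
        print("drift:", p)
```

Run the check against the Current Value column before the move and against the New Value column after it; a clean result on the new values is the condition under which FRS will find the files where the directory says they are.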

Reset the File Replication service staging folder to a different logical drive
Use this procedure to reset the FRS Staging folder to a different logical drive.
Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To reset the File Replication service staging folder to a different logical drive
1. Click Start, click Run, type adsiedit.msc, and then press ENTER.

2. Under Domain [computername], locate the NTFRS subscriber object beneath the computer
account of the domain controller. The generic path for this object is: CN=Replica Set
Name,CN=NTFRS Subscriptions,CN=Computername,OU=Domain Controllers,DC=Domain Name,DC=COM.

For example, to reset the staging path for the SYSVOL replica set of domain controller \\DC1 in
the contoso.com domain, the distinguished name (also known as DN) of the object that holds the
fRSStagingPath attribute is:

CN=Domain System Volume (SYSVOL share),CN=NTFRS Subscriptions,CN=DC1,OU=Domain Controllers,DC=CONTOSO,DC=COM

Where (when you read the distinguished name path from right to left):

DC=CONTOSO,DC=COM is the domain hosting the computer account.

OU=Domain Controllers is the organizational unit that holds domain controller accounts by
default; if the account has been moved, substitute its actual container.

CN=DC1 is the host computer account in the domain naming context (NC).

CN=NTFRS Subscriptions is the nTFRSSubscriptions container for this computer's FRS subscriptions.

CN=Domain System Volume (SYSVOL share) is the nTFRSSubscriber object that holds the
fRSStagingPath attribute.

3. Right-click CN=Domain System Volume (SYSVOL share), and then click Properties.

4. Ensure that the Show mandatory attributes check box is selected. Select it if it is not.

5. In Attributes, click fRSStagingPath, and then click Edit. The current value appears in the Value
box in the String Attribute Editor dialog box.
6. Enter the path to the new location for the FRS Staging folder in the Value box and click OK.

7. Click OK to close Properties.

8. To make sure that the staging path has been updated in the registry:

a. Click Start, click Run, and type regedit on the server where you are changing the staging
path and then press ENTER.

b. Locate the following subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets

c. Expand Replica Sets. Each replica set appears as a subkey that is named by its GUID.


d. To locate the replica set you are updating the staging area for, click a GUID and, in the details
pane, find the Replica Set Name. Repeat until you find the correct replica set.

e. After you locate the correct GUID and replica set name, right-click Replica Set Stage and
then click Modify.

f. In the Value data box, type the new staging area path, and then click OK.

When the service detects a change in the staging path, event ID 13563 is logged with a series
of self-explanatory steps on how to proceed:

Event Type: Warning

Event Source: NtFrs


Event Category: None

Event ID: 13563

Date: 3/6/2005

Time: 7:13:01 PM

User: N/A

Computer: <Computer name>

Description: The File Replication service has detected that the staging path for the replica set
DOMAIN SYSTEM VOLUME (SYSVOL SHARE) has changed.

Current staging path = E:\Windows\Sysvol\Staging\Domain

New staging path = E:\Frsstage

The service will start using the new staging path after it restarts. The service is set to restart
after every reboot.

It is recommended that you manually restart the service to prevent loss of data in the Staging
folder.

To manually restart the service do the following:

[1] Run "net stop ntfrs" or use the Services snap-in to stop File Replication service.

[2] Move all the staging files corresponding to replica set DOMAIN SYSTEM VOLUME
(SYSVOL SHARE) to the new staging location. If more than one replica set is sharing the
current staging folder then it is safer to copy the staging files to the new staging folder.

[3] Run "net start ntfrs" or use the Services snap-in to start File Replication service.

9. To perform steps 1 through 3 in the event message, open a Command Prompt.


10. Type the following command and then press ENTER:

net stop ntfrs

11. Move all the staging files corresponding to replica set DOMAIN SYSTEM VOLUME (SYSVOL
SHARE) to the new staging location. If more than one replica set is sharing the current Staging
folder, then it is safer to copy the staging files to the new Staging folder.

12. At a command prompt type the following command and then press ENTER:

net start ntfrs

Microsoft recommends that you follow step 11 (step 2 in the preceding event message), copying
rather than moving when in doubt, because the original Staging folder may contain thousands or
tens of thousands of files, all of which may still be destined for one or more downstream partners;
as the event message states, restarting without carrying them over can lose the data in the Staging
folder. The staging files are hidden. To view them in Windows Explorer, on the Tools menu click
Folder Options, click the View tab, and then select the Show hidden files and folders check box.
Copy the files to the new Staging folder, and then follow the remaining steps in the event log
message.
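The following script is an added example and not part of the Operations Guide: it carries out this procedure end to end with Windows PowerShell on the domain controller whose staging folder is being moved. It assumes that Windows PowerShell 2.0 is installed on the domain controller, that it runs at the console as a member of Domain Admins, that the domain controller's computer account sits in OU=Domain Controllers (the distinguished-name form the guide uses above), and that E:\Frsstage, taken from the guide's sample event message, is the hypothetical new staging folder. The function name Reset-FrsStagingPath is the example's own.

```powershell
# Added example (not from the Operations Guide): moves the FRS staging folder of
# SYSVOL to another logical drive. Assumes Windows PowerShell 2.0 on the domain
# controller and a Domain Admins session at its console.
function Reset-FrsStagingPath {
    param(
        [string]$NewStagingPath = 'E:\Frsstage',   # hypothetical, from the guide's sample event
        [int]$TimeoutMinutes = 15                   # FRS polls the directory every few minutes
    )

    # Steps 1-2: the subscriber DN the guide navigates (account in OU=Domain Controllers).
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $domainDn   = [string]$rootDse.Properties['defaultNamingContext'].Value
    $subscriber = [ADSI]("LDAP://CN=Domain System Volume (SYSVOL share),CN=NTFRS Subscriptions," +
                         "CN=$env:COMPUTERNAME,OU=Domain Controllers,$domainDn")
    $oldStagingPath = [string]$subscriber.Properties['fRSStagingPath'].Value
    if (-not $oldStagingPath) { throw 'fRSStagingPath is empty; check the subscriber DN.' }
    if ($oldStagingPath -ieq $NewStagingPath) { return 'Staging path is already set to that value.' }

    # Steps 3-7: write the new value to the directory.
    $subscriber.Put('fRSStagingPath', $NewStagingPath)
    $subscriber.SetInfo()

    # Step 8: find the SYSVOL replica set under Replica Sets by its name, then wait
    # until FRS has copied the new path from the directory into Replica Set Stage.
    $sets = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets')
    $sysvolGuid = $null
    foreach ($guid in $sets.GetSubKeyNames()) {
        $name = [string]$sets.OpenSubKey($guid).GetValue('Replica Set Name')
        if ($name -ieq 'Domain System Volume (SYSVOL share)') { $sysvolGuid = $guid; break }
    }
    if (-not $sysvolGuid) { throw 'SYSVOL replica set not found under Replica Sets.' }
    $sysvolSet = $sets.OpenSubKey($sysvolGuid, $true)
    $deadline  = (Get-Date).AddMinutes($TimeoutMinutes)
    while (([string]$sysvolSet.GetValue('Replica Set Stage') -ine $NewStagingPath) -and
           ((Get-Date) -lt $deadline)) {
        Start-Sleep -Seconds 30
    }
    if ([string]$sysvolSet.GetValue('Replica Set Stage') -ine $NewStagingPath) {
        # Guide step 8f: set Replica Set Stage by hand if FRS has not done it yet.
        $sysvolSet.SetValue('Replica Set Stage', $NewStagingPath)
    }
    $sysvolSet.Close()
    # FRS logs event 13563 when it notices the change; record when, if it has.
    $noticed = Get-EventLog -LogName 'File Replication Service' -Newest 50 -ErrorAction SilentlyContinue |
               Where-Object { $_.EventID -eq 13563 } | Select-Object -First 1
    $noticedAt = $null
    if ($noticed) { $noticedAt = $noticed.TimeGenerated }

    # Steps 9-12: stop FRS, copy (not move) the staging files, start FRS. Copying
    # is the safe choice when more than one replica set shares the staging folder.
    Stop-Service -Name ntfrs
    if (-not (Test-Path -LiteralPath $NewStagingPath)) {
        New-Item -ItemType Directory -Path $NewStagingPath | Out-Null
    }
    # The staging files are hidden, so /H is required; /K and /O keep attributes and ACLs.
    & xcopy "$oldStagingPath\*" $NewStagingPath /E /H /K /O /I /Y /Q
    $copyResult = $LASTEXITCODE
    Start-Service -Name ntfrs
    if ($copyResult -ne 0) { throw "xcopy failed with exit code $copyResult; FRS was restarted anyway." }

    New-Object PSObject -Property @{
        OldStagingPath = $oldStagingPath
        NewStagingPath = $NewStagingPath
        Event13563At   = $noticedAt
    }
}

Reset-FrsStagingPath -NewStagingPath 'E:\Frsstage'
```

The script copies rather than moves the staging files, which is the choice the event message recommends when the folder may be shared by more than one replica set; delete the old folder by hand once FRS has restarted cleanly and the new path shows up in event 13563.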

Relocating SYSVOL Manually

If you must move the entire system volume, not just the Staging Area folder, then you can
relocate the system volume manually. Because no utilities can automate this process,
you must carefully move all folders and properly maintain the same level of security at the
new location.

You can also move SYSVOL with the Active Directory Installation Wizard (Dcpromo.exe), but this
requires that you remove Active Directory from the domain controller and then reinstall Active
Directory, specifying the new SYSVOL location in the wizard. Consider this only in extreme
cases, and only when the domain controller is not running any other services or applications.

Except where noted, perform these steps on the domain controller that contains the
system volume that you want to move.

Caution
This procedure can alter security settings. After you complete the procedure, the
security settings on the new system volume are reset to the default settings that
were established when you installed Active Directory. You must reapply any
changes to the security settings on the system volume that you made since you
installed Active Directory. This will cause additional replication traffic. Note that
failure to reset permissions can result in unauthorized access to Group Policy
objects and logon and logoff scripts.

Task Requirements

The following tools are required to perform the procedures for this task:

 Active Directory Sites and Services (Administrative Tools)

 Event Viewer

 Windows Explorer

 Dcdiag.exe (Windows Support Tools)

 Regedit.exe
 ADSI Edit.msc (Windows Support Tools)

 Linkd.exe (Windows Server 2003 Resource Kit Tools)

 Net.exe

 Secedit.exe

 Notepad.exe

Note
To create or update junctions, you need the Linkd.exe tool supplied with
Windows Server 2003 Resource Kit Tools on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkId=16544. Linkd allows you to create, delete,
update, and view the links that are stored in junction points.

To complete this task, perform the following procedures:

1. Identify replication partners

2. Check the status of the shared SYSVOL

3. Verify replication with other domain controllers

4. Gather the SYSVOL path information

5. Stop the File Replication service

6. Create the SYSVOL folder structure

7. Set the SYSVOL path

8. Set the staging area path

If you have moved the Staging Area folder to a different location already, you do not
need to do this step.
9. Prepare a domain controller for nonauthoritative SYSVOL restart

10. Update security on the new SYSVOL

11. Start the File Replication service

12. Check the status of the shared SYSVOL

Identify replication partners


Use this procedure to examine the Connection objects for a domain controller and
determine its replication partners.
Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To identify replication partners


1. Open Active Directory Sites and Services.

2. In the console tree, expand the Sites container to display the list of sites.

3. Double-click the site that contains the domain controller for which you want to
determine Connection objects.

Note
If you do not know the site in which the domain controller is located, open
a command prompt and type ipconfig to get the IP address of the
domain controller. Then match that address to a subnet object under the
Subnets container in Active Directory Sites and Services; the Site property
of the matching subnet identifies the site.

4. Expand the Servers folder to display the list of servers in that site.

5. Expand the name of your domain controller to display its NTDS settings.

6. Double-click NTDS Settings to display the list of Connection objects in the details
pane (these represent inbound connections used for replication). The From
Server column displays the names of the domain controllers that are the
replication partners.

Check the status of the shared SYSVOL
This procedure involves checking Event Viewer to make sure that the File Replication
service is started properly and then ensuring that the SYSVOL and Net Logon shared
folders are created.

Note
You do not need to perform this procedure on every replication partner, but you
need to perform it enough times to be confident that the shared system volumes
on the replication partners are healthy.

Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To check the status of the shared SYSVOL


1. Open Event Viewer.

2. In the Event Viewer tree, click File Replication Service to display the FRS
events.

3. Look for an event 13516 with a date and time stamp that corresponds with the
recent restart. It can take 15 minutes or more to appear. Event 13501 indicates that
the service is starting. A 13508 warning indicates that FRS is having trouble enabling
replication from a partner; a subsequent event 13509 indicates that replication with
that partner was enabled after retries. Event 13516 indicates that the service is
started, the folders are shared, and the domain controller is functional.

4. To verify the shared folder is created, open a command prompt and type net
share to display a list of the shared folders on this domain controller, including
Net Logon and SYSVOL.

5. At a command prompt, type dcdiag /test:netlogons and press ENTER.

6. Look for a message that states computername passed test NetLogons, where
computername is the name of the domain controller. If you do not see the test
passed message, a problem is preventing replication from functioning. This
test verifies that the proper logon privileges are set to allow replication to occur. If
this test fails, verify the permissions set on the Net Logon and SYSVOL shared
folders.

Verify replication with other domain controllers
The tests performed in this procedure verify that different aspects of the replication
topology are working properly. They check to see that objects are replicating and they
verify that the proper logon permissions are set to allow replication to occur.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To verify replication is functioning


1. Open a Command Prompt.

2. Type the following command, and then press Enter:

dcdiag /test:replications

Note
For this set of tests, the /v option is available. However, it does not
display any significant additional information. Messages indicate that the
connectivity and replications tests passed.

3. To verify that the proper permissions are set for replication, type the following
command and then press Enter:

dcdiag /test:netlogons

Messages indicate that the connectivity and netlogons tests passed.
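The three checks above (inbound replication partners, SYSVOL share status, and the dcdiag replications and netlogons tests) can be collected in one script before SYSVOL is touched. The following is an added example and not part of the Operations Guide; it assumes Windows PowerShell 2.0 on the domain controller, a Domain Admins session, and Dcdiag.exe from the Windows Support Tools on the PATH. The function names are the example's own.

```powershell
# Added example (not from the Operations Guide): the pre-move checks of steps 1-3.
# Assumes Windows PowerShell 2.0 on the domain controller, a Domain Admins session,
# and dcdiag.exe (Windows Support Tools) on the PATH.
function Get-InboundReplicationPartner {
    # Connection objects sit under this DC's own NTDS Settings object; each one's
    # fromServer attribute is the partner's NTDS Settings DN:
    #   CN=NTDS Settings,CN=<partner>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $settings = [ADSI]('LDAP://' + $rootDse.Properties['dsServiceName'].Value)
    foreach ($child in $settings.Children) {
        if ($child.SchemaClassName -ne 'nTDSConnection') { continue }
        $parts = ([string]$child.Properties['fromServer'].Value) -split ','
        New-Object PSObject -Property @{
            Connection = [string]$child.Properties['cn'].Value
            FromServer = $parts[1] -replace '^CN=', ''
            FromSite   = $parts[3] -replace '^CN=', ''
        }
    }
}

function Test-SysvolShareStatus {
    # 13501: FRS is starting. 13516: SYSVOL is shared and the DC is ready for
    # service. 13508 (not checked here) warns that a partner cannot be reached.
    $events = @(Get-EventLog -LogName 'File Replication Service' -Newest 200 -ErrorAction SilentlyContinue)
    $start  = $events | Where-Object { $_.EventID -eq 13501 } | Select-Object -First 1
    $ready  = $null
    $startAt = $null
    if ($start) {
        $startAt = $start.TimeGenerated
        $ready = $events | Where-Object { $_.EventID -eq 13516 -and $_.TimeGenerated -ge $startAt } |
                 Select-Object -First 1
    }
    # net share equivalent: the Net Logon and SYSVOL shares must both exist.
    $shares = Get-WmiObject -Class Win32_Share | ForEach-Object { $_.Name.ToUpper() }
    New-Object PSObject -Property @{
        LastFrsStart   = $startAt
        SysvolReady    = [bool]$ready
        NetlogonShared = [bool]($shares -contains 'NETLOGON')
        SysvolShared   = [bool]($shares -contains 'SYSVOL')
    }
}

function Test-DcdiagReplication {
    # dcdiag prints "<DC> passed test <Name>" for each test that succeeds.
    $result = @{}
    foreach ($test in 'Replications', 'NetLogons') {
        $text = & dcdiag "/test:$test" 2>&1 | Out-String
        $result[$test] = [bool]($text -match "passed test $test")
    }
    New-Object PSObject -Property $result
}

Get-InboundReplicationPartner | Format-Table Connection, FromServer, FromSite -AutoSize
Test-SysvolShareStatus
Test-DcdiagReplication
```

Run it on each replication partner that you want to be confident about, as the note above suggests; a False in any of the last two objects means the SYSVOL move should wait until the cause is fixed.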

Gather the SYSVOL path information


When relocating SYSVOL, you first move the entire folder structure to a new location;
then you update all the junction points and the parameters that are stored in the registry
and the directory in order to maintain the relationships between the parameters, the
folders, and the junctions. Optionally, you can relocate the staging area and leave the rest
of the system volume at its original location. In this case, you must update the
fRSStagingPath parameter in the directory and the junction point stored at
%systemroot%\SYSVOL\staging areas. For more information about the folder structure and the
relationships between the folders and the path information stored in the registry and the
SYSVOL directory itself, see Introduction to Administering SYSVOL.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

Use the procedures below to locate the system volume path information and record the
current values in the following table.

To relocate the staging area, record the information for rows 2 and 5.

Note
To restore and rebuild SYSVOL, you will need the information from the domain
controller that you are repairing recorded in rows 1, 2, and 3. Use the junctions
located on the domain controller that you are copying from the SYSVOL folder
structure to record the current value for rows 4 and 5. The new values for rows 4
and 5 are based on the domain controller that you are repairing.

    Parameter                       Current Value       New Value

1   fRSRootPath

2   fRSStagingPath

3   Sysvol parameter in registry

4   Sysvol junction

5   Staging junction

To gather the system volume path information


fRSRootPath and fRSStagingPath
1. Click Start, click Run, type adsiedit.msc, and then press Enter.

2. Double-click Domain [computername] (where computername is the name of this
domain controller). Verify that the Domain expands to display the domain
component (DC=) folder.

3. Click the domain component to display the containers and OUs in the details
pane.

4. Double-click OU=Domain Controllers to display the containers that represent
the domain controllers.

5. Double-click the container that represents this domain controller
(CN=computername) to display more containers.

6. Click the CN=NTFRS Subscriptions container.

7. In the details pane, right-click CN=Domain System Volume, and then click
Properties.

8. Ensure that Show mandatory attributes is selected. Select it if it is not.

9. In Attributes, locate fRSRootPath and fRSStagingPath and record the current
values in the table above.

10. Based on the folder structure discussed in detail in Introduction to Administering
SYSVOL and the new location, record the new path value for each parameter in
the table.

11. Click Cancel to close the dialog box.

SYSVOL parameter in the registry


1. Click Start, click Run, type regedit and then press ENTER.

2. In Registry Editor, navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.

3. Sysvol appears in the details pane. The current value is listed in the Data column.

4. Record the current value in table above. Based on the folder structure discussed in
detail in Introduction to Administering SYSVOL and the new location, record the new
path value for this parameter in the table.

5. Exit Registry Editor.

SYSVOL junction
1. Open a Command Prompt.

2. Change the directory to %systemroot%\SYSVOL\Sysvol.

Note
This assumes that the system volume is still in the default location. If it
has been relocated, substitute the appropriate paths into these
instructions.

3. At the command prompt, type dir. Verify that the fully qualified domain name
(FQDN) is listed as type <JUNCTION>.

4. At the command prompt, type linkd fqdn (where fqdn is the domain name listed
in the Dir output). This displays the value stored in the junction point. Press
ENTER.

5. Record the current value in table above. Based on the folder structure discussed
in detail in Introduction to Administering SYSVOL and the new location, record
the new path value for this parameter in the table.

Staging junction
1. Open a Command Prompt.

2. Change the directory to %systemroot%\SYSVOL\Staging Areas.

Note
This assumes that the staging area is still in the default location. If it has
been relocated, substitute the appropriate paths into these instructions.

3. At the command prompt, type dir. Verify that the fully qualified domain name
(FQDN) is listed as type <JUNCTION>.

4. At the command prompt, type linkd fqdn (where fqdn is the domain name listed
in the Dir output). This displays the value stored in the junction point. Press
ENTER.

5. Record the current value in table above. Based on the folder structure discussed
in detail in Introduction to Administering SYSVOL and the new location, record
the new path value for this parameter in the table.

Stop the File Replication service


Use this procedure to stop the File Replication service.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
To stop the File Replication service
1. Open a Command Prompt.

2. Type the following command and then press Enter:

net stop ntfrs

Create the SYSVOL folder structure

Use this procedure to create the SYSVOL folder structure. The %systemroot%\SYSVOL
folder is at the top of the folder tree for the Windows system volume. To properly move
SYSVOL, you must move the %systemroot%\SYSVOL folder and its contents. A
subfolder of %systemroot%\SYSVOL is also named sysvol. Ensure that you move the
proper folder (the %systemroot%\SYSVOL folder) and not the subfolder
(%systemroot%\SYSVOL\sysvol). Do not confuse the two folders.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To create the SYSVOL folder structure


1. In Windows Explorer, navigate to the folder that represents your current Windows
system volume. By default, this is the %systemroot%\SYSVOL folder.

2. Right-click the SYSVOL folder, and then click Copy.

3. In Windows Explorer, navigate to the new location (the folder that you created for the
relocated system volume), right-click it, and click Paste. You might see a dialog box
stating that some files already exist and a prompt asking whether you want to
continue copying the folder. These prompts appear because Explorer follows the two
junction points (under sysvol and staging areas) and tries to copy the same files a
second time. At each such prompt, click No.

4. Verify that the folder structure was copied correctly. Compare the new folder
structure to the original by opening a command prompt, typing the following
command and pressing Enter to list the contents of the folders:

dir /s

Ensure that all folders exist. If any folders are missing at the new location (such
as \scripts), then recreate them.
Set the SYSVOL path
Use this procedure to set the new path to the system volume in the registry.

Caution
The Registry Editor bypasses standard safeguards, allowing settings that can
damage your system or even require you to reinstall Windows. If you must edit
the registry, back up system state first. For information about backing up system
state, see Administering Active Directory Backup and Restore.

Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To set the SYSVOL path


1. Click Start, click Run, type regedit and then press ENTER.

2. Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.

3. Right-click SysVol and click Modify.

4. In the Value data box, in the Edit String dialog box, enter the new path, including the
drive letter and click OK.

5. Close Registry Editor.

Note
The SysVol value in the registry points to the sysvol subfolder inside the
SYSVOL root folder, not to the root folder itself; this subfolder is what Net Logon
shares as SYSVOL. When updating the path in the registry, ensure that it still
points to that subfolder. For example, if you move the system volume from
C:\Windows\SYSVOL to D:\SYSVOL, change the value from C:\Windows\SYSVOL\sysvol
to D:\SYSVOL\sysvol.

Set the staging area path


Use this procedure to modify the fRSStagingPath parameter for a domain controller in
Active Directory in order to change the location of the Staging Area folder on that domain
controller. Perform this procedure at the console of the domain controller that is hosting
the SYSVOL that you must reconfigure.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To set the staging area path


1. Click Start, click Run, type adsiedit.msc, and then press ENTER. Double-click
Domain [computername] (where computername is the name of this domain
controller). Verify that the Domain expands to display the domain component
(DC=) folder.

2. Click the domain component to display the containers and OUs in the details
pane.

3. Double-click OU=Domain Controllers to display the containers that represent
the domain controllers.

4. Double-click the container that represents this domain controller
(CN=computername) to display more containers.

5. Click the CN=NTFRS Subscriptions container.

6. In the details pane, right-click CN=Domain System Volume, and then click
Properties.

7. Ensure that Show mandatory attributes is selected. Select it if it is not.

8. In Attributes, click fRSStagingPath, and then click Edit. The current value
appears in the Value box in the String Attribute Editor dialog box.

9. In the Value box, enter the complete path to the new location where you want to
locate the Staging Area folder (the path to the new folder that you created
earlier), including the drive letter and click OK.

10. Close ADSI Edit.

11. Open a Command Prompt.

12. Change the directory to %systemroot%\SYSVOL\staging areas.

13. Type the following command to list the contents of the directory and then press
ENTER:

dir

Verify that <JUNCTION> appears in the DIR output.

14. Update the junction so that it points to the new location by typing the following
command and then pressing ENTER:

linkd junctionname newpath

where junctionname is the FQDN folder that the dir output listed as <JUNCTION>
and newpath is the same value that you entered for fRSStagingPath earlier. For
example, for the contoso.com domain and the staging folder from the sample event
message earlier in this section: linkd contoso.com E:\Frsstage

Prepare a domain controller for nonauthoritative SYSVOL restart

Initiate a nonauthoritative restart of SYSVOL by modifying the value of the BurFlags
(backup/restore flags) registry entry. Setting the value to D2 (hexadecimal) or 210
(decimal) before the File Replication service is next started causes FRS to perform a
nonauthoritative restore of SYSVOL when the service starts: the local copy of the replica
set is discarded and rebuilt from a replication partner, so the relocated tree is never
treated as a source of changes for other domain controllers.

Separate entries exist for global and replica-set-specific BurFlags, as follows:

 To initiate a nonauthoritative restart of SYSVOL when it is the only replica set that is
represented on the domain controller, set the value of the global BurFlags
(REG_DWORD) entry under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

 If other replica sets are represented on the domain controller and you want to update
only SYSVOL, set the value of the replica-set-specific BurFlags (REG_DWORD)
entry under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\SYSVOL GUID

Modifying the replica-set-specific BurFlags entry requires identifying the SYSVOL GUID
in the registry.

Caution
The Registry Editor bypasses standard safeguards, allowing settings that can
damage your system or even require you to reinstall Windows. If you must edit
the registry, back up system state first. For information about backing up system
state, see Administering Active Directory Backup and Restore.

Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To prepare a domain controller for nonauthoritative SYSVOL restart


1. Click Start, click Run, type regedit and then click OK.

2. Navigate to

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters

3. Expand Parameters.

4. Modify one of the BurFlags entries as follows:

To modify the global BurFlags entry:

a. Expand Backup/Restore and then click Process at Startup.

b. In the details pane, right-click BurFlags and click Modify.

c. In the Value data box, type D2 hexadecimal or 210 decimal.

d. Click OK and close Registry Editor.

To modify the replica-set-specific BurFlags entry:

a. Expand both Cumulative Replica Sets and Replica Sets.

b. Match the GUID under Replica Sets to the identical GUID under Cumulative
Replica Sets, and click the matching GUID under Cumulative Replica Sets.

c. In the details pane, right click BurFlags and click Modify.

d. In the Value data box, type D2 hexadecimal or 210 decimal.

e. Click OK and close Registry Editor.

Update security on the new SYSVOL


This procedure applies the default security settings to the new SYSVOL folders. The
settings will be the equivalent of those set by default during Active Directory installation. If
additional security settings have been applied to the system volume since Active
Directory was installed, you must reapply those settings after completing this procedure.
Caution
Failure to reapply security changes made after Active Directory was installed
might result in unauthorized access to logon and logoff scripts and Group Policy
objects.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To update security on the new SYSVOL


1. Click Start, click Run, type regedit and then press ENTER.

2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Netlogon\Parameters.

Note the path stored under SysVol.

3. In Control Panel, double-click System.

4. On the Advanced tab, click Environment Variables.

5. Under System Variables, click New.

6. For Variable name, type sysvol.

7. For Variable value, type the path that you noted in step 2.

8. Click OK twice. Click OK again to close Properties.

9. Open Notepad and enter the following information:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Profile Description]
Description=default perms for sysvol
[File Security]
;"%SystemRoot%\SYSVOL",0,"D:AR(A;OICI;FA;;;BA)"
"%Sysvol%",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
"%Sysvol%\domain\policies",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;PA)"

Use this file to apply the security settings to the new SYSVOL folders. Save this
file as Sysvol.inf in Unicode encoding (the Unicode=yes entry requires it).

In these security descriptor strings, D:P marks the DACL as protected so that nothing is
inherited from the parent folder; Authenticated Users (AU) and Server Operators (SO)
receive generic read and execute (GRGX); Administrators (BA), SYSTEM (SY), and
CREATOR OWNER (CO) receive generic all (GA); and on the Policies folder, Group
Policy Creator Owners (PA) additionally receive read, write, execute, and delete
(GRGWGXSD). The CIOI flags make every entry inherit to subfolders and files.

Note
Each security descriptor string must be one unbroken string. Do not include a space
after (A;CIOI;GRGX;;;SO), (A;CIOI;GRGX;;;AU), or (A;CIOI;GA;;;SY), or anywhere
else between the ACE entries.

10. Open a new Command Prompt. Do not use an existing command prompt that
has been open on your desktop because it will not have the proper environment
settings. Change the directory to the folder where you saved the Sysvol.inf file.
11. Type the following command all on one line and then press ENTER:

SECEDIT /Configure /cfg sectemplatepath\sysvol.inf /db sectemplatepath\sysvol.db /overwrite

where sectemplatepath specifies the path to where you saved Sysvol.inf.

Start the File Replication service


Use this procedure to restart the File Replication service and review the FRS event log to
ensure that the restart succeeded.

Administrative Credentials

To perform this procedure you must be a member of the Domain Admins group in Active
Directory.

To start the File Replication service


1. Open a Command Prompt.

2. Type the following command, and then press Enter:

net start ntfrs

3. You can use Event Viewer to verify that NTFRS restarted correctly. Event ID
13501 indicates that the service restarted. Look for event ID 13516 to verify that
the domain controller is running and ready for service. If you moved SYSVOL to
a new location or relocated the Staging Area folder, look for event IDs 13553 and
13556, which indicate success.
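Steps 5 through 11 of this task, carried out with Windows PowerShell, follow as an added example that is not part of the Operations Guide. It assumes Windows PowerShell 2.0 on the domain controller, a Domain Admins session at its console, Linkd.exe from the Resource Kit on the PATH, that the computer account sits in OU=Domain Controllers as the procedures above navigate, and a hypothetical new root of D:\SYSVOL. Two points differ from the manual steps and are the example's own choices: the security template names the folders explicitly instead of going through a Sysvol environment variable, so that the Policies entry is applied to the domain\Policies folder under the new root, which is where the Group Policy objects actually live; and the directory's fRSRootPath attribute is updated together with fRSStagingPath, because the Gather the SYSVOL path information procedure records a new value for both. Run it only after the checks in steps 1 through 4 have passed, and reapply any custom SYSVOL permissions af terwards, as the Caution at the start of this task requires.

```powershell
# Added example (not from the Operations Guide): steps 5-11 of "Relocating SYSVOL
# Manually" on the local domain controller. Assumes Windows PowerShell 2.0, a
# Domain Admins session at the console, and linkd.exe (Resource Kit) on the PATH.
param([string]$NewRoot = 'D:\SYSVOL')   # hypothetical new SYSVOL root

$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$sharedPath  = (Get-ItemProperty -Path $netlogonKey).SysVol   # e.g. C:\Windows\SYSVOL\sysvol
$oldRoot     = Split-Path -Parent $sharedPath                 # e.g. C:\Windows\SYSVOL
$rootDse     = [ADSI]'LDAP://RootDSE'
$domainDn    = [string]$rootDse.Properties['defaultNamingContext'].Value
$fqdn        = (($domainDn -split ',') | ForEach-Object { $_ -replace '^DC=', '' }) -join '.'
# The subscriber DN the guide navigates (computer account in OU=Domain Controllers).
$subscriber  = [ADSI]("LDAP://CN=Domain System Volume (SYSVOL share),CN=NTFRS Subscriptions," +
                      "CN=$env:COMPUTERNAME,OU=Domain Controllers,$domainDn")
if (-not (Test-Path -LiteralPath $oldRoot)) { throw "Current SYSVOL root $oldRoot not found." }
if ($oldRoot -ieq $NewRoot) { throw 'The new root is the same as the current root.' }

# Step 5: stop FRS so the tree does not change while it is copied. If a later
# step throws, FRS stays stopped; fix the problem before starting it again.
Stop-Service -Name ntfrs

# Step 6: copy the whole SYSVOL root (not just its sysvol subfolder). /H takes the
# hidden staging files, /K and /O keep attributes and ACLs, /I treats the target as
# a folder. xcopy follows junction points, so the two junctions arrive as real
# folders full of duplicate files; they are removed and recreated as junctions.
& xcopy $oldRoot $NewRoot /E /H /K /O /I /Y /Q
if ($LASTEXITCODE -ne 0) { throw "xcopy failed with exit code $LASTEXITCODE" }
foreach ($name in "sysvol\$fqdn", "staging areas\$fqdn") {
    $copied = Join-Path $NewRoot $name
    # rmdir deletes a junction without following it; Remove-Item -Recurse would
    # descend into whatever the junction points at, which could be the live tree.
    if (Test-Path -LiteralPath $copied) { & cmd /c rmdir /s /q "$copied" }
    New-Item -ItemType Directory -Path $copied | Out-Null
}
& linkd "$NewRoot\sysvol\$fqdn" "$NewRoot\domain"
& linkd "$NewRoot\staging areas\$fqdn" "$NewRoot\staging\domain"

# Step 7: Net Logon shares the sysvol subfolder of the new root as SYSVOL.
Set-ItemProperty -Path $netlogonKey -Name SysVol -Value "$NewRoot\sysvol"

# Step 8: the directory must point at the new replica root and staging folder.
$subscriber.Put('fRSRootPath',    "$NewRoot\domain")
$subscriber.Put('fRSStagingPath', "$NewRoot\staging\domain")
$subscriber.SetInfo()

# Step 9: global BurFlags D2 = nonauthoritative restore on the next FRS start.
# The key name contains a slash, so it is opened with .NET rather than HKLM:.
$bur = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup', $true)
$bur.SetValue('BurFlags', 0xD2, [Microsoft.Win32.RegistryValueKind]::DWord)
$bur.Close()

# Step 10: reapply the default ACLs using the guide's SDDL strings. The template
# names the folders explicitly (example's choice) so the Policies entry lands on
# <root>\domain\Policies, where the Group Policy objects actually live.
$sddl = 'D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)'
$inf  = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[File Security]
"${NewRoot}",2,"${sddl}"
"${NewRoot}\domain\Policies",2,"${sddl}(A;CIOI;GRGWGXSD;;;PA)"
"@
$work = Join-Path $env:TEMP 'sysvol-acl'
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Content -Path "$work\sysvol.inf" -Value $inf -Encoding Unicode
& secedit /configure /db "$work\sysvol.sdb" /cfg "$work\sysvol.inf" /overwrite /areas FILESTORE /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE" }

# Step 11: start FRS and wait for event 13516 (SYSVOL shared, DC ready for service).
$started = Get-Date
Start-Service -Name ntfrs
do {
    Start-Sleep -Seconds 30
    $ready = @(Get-EventLog -LogName 'File Replication Service' -After $started -ErrorAction SilentlyContinue |
               Where-Object { $_.EventID -eq 13516 })
} until ($ready.Count -gt 0 -or (Get-Date) -gt $started.AddMinutes(30))
if ($ready.Count -eq 0) { throw 'No event 13516 within 30 minutes; check the FRS event log.' }
"SYSVOL relocated to $NewRoot; event 13516 logged at $($ready[0].TimeGenerated)."
```

The old tree is left in place so that a failed run can be backed out by restoring the three path values; delete it only after the check in step 12 has passed on this domain controller and on its replication partners.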

Updating the System Volume Path


When you add or remove disk drives, the logical drive letters of the other drives on the
system can change. If either your SYSVOL or Staging Area folder is located on one of the
drives whose letter changes, FRS cannot locate them. You must update the paths that
FRS uses to locate these folders in order to solve this problem. To change the path for
the system volume, you need to make changes to the registry and in the directory.
Changing the staging area path requires a change in the directory. Both changes require
that you update the junction points. After updating the path information, you must restart
File Replication service so it can reinitialize with the new values.

Task Requirements

The following tools are required to perform the procedures for this task:

 ADSI Edit.msc

 Net.exe

 Regedit.exe

 Linkd.exe

To complete this task, perform the following procedures in order:

1. Gather the SYSVOL path information

2. Stop the File Replication service

3. Set the SYSVOL path

4. Set the staging area path

5. Start the File Replication service

Gather the SYSVOL path information


When relocating SYSVOL, you first move the entire folder structure to a new location;
then you update all the junction points and the parameters that are stored in the registry
and the directory in order to maintain the relationships between the parameters, the
folders, and the junctions. Optionally, you can relocate the staging area and leave the rest
of the system volume at its original location. In this case, you must update the
fRSStagingPath parameter in the directory and the junction point stored at
%systemroot%\SYSVOL\staging areas. For more information about the folder structure and the
relationships between the folders and the path information stored in the registry and the
SYSVOL directory itself, see Introduction to Administering SYSVOL.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

Use the procedures below to locate the system volume path information and record the
current values in the following table.
To relocate the staging area, record the information for rows 2 and 5.

Note
To restore and rebuild SYSVOL, you will need the information from the domain
controller that you are repairing recorded in rows 1, 2, and 3. Use the junctions
located on the domain controller that you are copying from the SYSVOL folder
structure to record the current value for rows 4 and 5. The new values for rows 4
and 5 are based on the domain controller that you are repairing.

    Parameter                       Current Value       New Value

1   fRSRootPath

2   fRSStagingPath

3   Sysvol parameter in registry

4   Sysvol junction

5   Staging junction

To gather the system volume path information


fRSRootPath and fRSStagingPath
1. Click Start, click Run, type adsiedit.msc, and then press Enter.

2. Double-click Domain [computername] (where computername is the name of this
domain controller). Verify that the Domain expands to display the domain
component (DC=) folder.

3. Click the domain component to display the containers and OUs in the details
pane.

4. Double-click OU=Domain Controllers to display the containers that represent
the domain controllers.

5. Double-click the container that represents this domain controller
(CN=computername) to display more containers.

6. Click the CN=NTFRS Subscriptions container.

7. In the details pane, right-click CN=Domain System Volume, and then click
Properties.

8. Ensure that Show mandatory attributes is selected. Select it if it is not.

9. In Attributes, locate fRSRootPath and fRSStagingPath and record the current
values in the table above.

10. Based on the folder structure discussed in detail in Introduction to Administering
SYSVOL and the new location, record the new path value for each parameter in
the table.

11. Click Cancel to close the dialog box.

SYSVOL parameter in the registry


1. Click Start, click Run, type regedit and then press ENTER.

2. In Registry Editor, navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. Sysvol appears in the details pane. The current value is listed in the Data column.

4. Record the current value in table above. Based on the folder structure discussed in
detail in Introduction to Administering SYSVOL and the new location, record the new
path value for this parameter in the table.

5. Exit Registry Editor.

SYSVOL junction
1. Open a Command Prompt.

2. Change the directory to %systemroot%\SYSVOL\Sysvol.


Note
This assumes that the system volume is still in the default location. If it
has been relocated, substitute the appropriate paths into these
instructions.

3. At the command prompt, type dir. Verify that the fully qualified domain name
(FQDN) is listed as type <JUNCTION>.

4. At the command prompt, type linkd fqdn (where fqdn is the domain name listed
in the Dir output). This displays the value stored in the junction point. Press
ENTER.

5. Record the current value in table above. Based on the folder structure discussed
in detail in Introduction to Administering SYSVOL and the new location, record
the new path value for this parameter in the table.

Staging junction
1. Open a Command Prompt.

2. Change the directory to %systemroot%\SYSVOL\Staging Areas.

Note
This assumes that the staging area is still in the default location. If it has
been relocated, substitute the appropriate paths into these instructions.

3. At the command prompt, type dir. Verify that the fully qualified domain name
(FQDN) is listed as type <JUNCTION>.

4. At the command prompt, type linkd fqdn (where fqdn is the domain name listed
in the Dir output). This displays the value stored in the junction point. Press
ENTER.
5. Record the current value in table above. Based on the folder structure discussed
in detail in Introduction to Administering SYSVOL and the new location, record
the new path value for this parameter in the table.
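This procedure, and the identical Gather the SYSVOL path information procedure under Relocating SYSVOL Manually, fill in the same five-row table by hand. The following script is an added example and not part of the Operations Guide; it reads the five current values on the local domain controller and derives the New Value column from a hypothetical new root (D:\SYSVOL) according to the default layout (domain, staging\domain, sysvol, and the two junctions named after the domain). It assumes Windows PowerShell 2.0, a Domain Admins session at the console of the domain controller, and Linkd.exe from the Resource Kit on the PATH; the function names are the example's own, and the parsing of linkd's output assumes its usual "is linked to <target>" wording.

```powershell
# Added example (not from the Operations Guide): fills the five-row path table
# for the local domain controller. Assumes Windows PowerShell 2.0, a Domain Admins
# session at the console, and linkd.exe (Resource Kit) on the PATH.
function Get-JunctionTarget([string]$Junction) {
    # linkd with a single argument prints the path stored in the junction point
    # ("... is linked to <target>"); anything else is returned as raw text.
    $text = & linkd $Junction 2>&1 | Out-String
    if ($text -match 'linked to\s+(.+?)\s*$') { return $matches[1] }
    return $text.Trim()
}

function Get-SysvolPathInfo {
    param([string]$NewRoot = 'D:\SYSVOL')   # hypothetical new SYSVOL root

    # Rows 1-2: the SYSVOL subscriber object, reached through this DC's server
    # object so the lookup works even if the computer account has been moved out
    # of OU=Domain Controllers.
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $serverDn   = ([string]$rootDse.Properties['dsServiceName'].Value) -replace '^CN=NTDS Settings,', ''
    $computerDn = [string]([ADSI]"LDAP://$serverDn").Properties['serverReference'].Value
    $subscriber = [ADSI]"LDAP://CN=Domain System Volume (SYSVOL share),CN=NTFRS Subscriptions,$computerDn"

    # Row 3: Net Logon's SysVol value is the folder that is shared as SYSVOL; its
    # parent is the SYSVOL root that holds domain, staging, sysvol and staging areas.
    $sharedPath = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').SysVol
    $oldRoot    = Split-Path -Parent $sharedPath

    # Rows 4-5: both junctions are named after the domain's DNS name.
    $domainDn = [string]$rootDse.Properties['defaultNamingContext'].Value
    $fqdn     = (($domainDn -split ',') | ForEach-Object { $_ -replace '^DC=', '' }) -join '.'

    $rows = @(
        @('fRSRootPath',                  [string]$subscriber.Properties['fRSRootPath'].Value,    "$NewRoot\domain"),
        @('fRSStagingPath',               [string]$subscriber.Properties['fRSStagingPath'].Value, "$NewRoot\staging\domain"),
        @('Sysvol parameter in registry', $sharedPath,                                            "$NewRoot\sysvol"),
        @('Sysvol junction',              (Get-JunctionTarget "$oldRoot\sysvol\$fqdn"),           "$NewRoot\domain"),
        @('Staging junction',             (Get-JunctionTarget "$oldRoot\staging areas\$fqdn"),    "$NewRoot\staging\domain")
    )
    $row = 0
    foreach ($r in $rows) {
        $row++
        New-Object PSObject -Property @{ Row = $row; Parameter = $r[0]; CurrentValue = $r[1]; NewValue = $r[2] }
    }
}

Get-SysvolPathInfo -NewRoot 'D:\SYSVOL' | Format-Table Row, Parameter, CurrentValue, NewValue -AutoSize
```

If only the staging area is being moved, rows 2 and 5 are the ones that matter and NewValue for them is the new staging folder; the other three rows are then left unchanged.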

Stop the File Replication service


Use this procedure to stop the File Replication service.

Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To stop the File Replication service


1. Open a Command Prompt.

2. Type the following command and then press Enter:

net stop ntfrs

Set the SYSVOL path


Use this procedure to set the new path to the system volume in the registry.

Caution
The Registry Editor bypasses standard safeguards, allowing settings that can
damage your system or even require you to reinstall Windows. If you must edit
the registry, back up system state first. For information about backing up system
state, see Administering Active Directory Backup and Restore.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To set the SYSVOL path


1. Click Start, click Run, type regedit and then press ENTER.

2. Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.

3. Right-click SysVol and click Modify.

4. In the Value data box, in the Edit String dialog box, enter the new path, including the
drive letter and click OK.

5. Close Registry Editor.

Note
The path in the registry points to the SYSVOL folder located inside the
SYSVOL folder that is under the root. When updating the path in the registry,
ensure that it still points to the SYSVOL folder inside the SYSVOL folder that is
under the root.

Set the staging area path


Use this procedure to modify the fRSStagingPath parameter for a domain controller in
Active Directory in order to change the location of the Staging Area folder on that domain
controller. Perform this procedure at the console of the domain controller that is hosting
the SYSVOL that you must reconfigure.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To set the staging area path


1. Double-click Domain [computername] (where computername is the name of this
domain controller). Verify that the Domain expands to display the domain
component (DC=) folder.

2. Click the domain component to display the containers and OUs in the details
pane.

3. Double-click OU=Domain Controllers to display the containers that represent
the domain controllers.

4. Double-click the container that represents this domain controller
(CN=computername) to display more containers.

5. Click the CN=NTFRS Subscriptions container.

6. In the details pane, right-click CN=Domain System Volume, and then click
Properties.

7. Ensure that Show mandatory attributes is selected. Select it if it is not.

8. In Attributes, click fRSStagingPath, and then click Edit. The current value
appears in the Value box in the String Attribute Editor dialog box.

9. In the Value box, enter the complete path to the new location where you want to
locate the Staging Area folder (the path to the new folder that you created
earlier), including the drive letter and click OK.

10. Close ADSI Edit.

11. Open a Command Prompt.

12. Change the directory to %systemroot%\SYSVOL\staging areas.

13. Type the following command to list the contents of the directory and then press
ENTER:

dir

Verify that <JUNCTION> appears in the DIR output.

14. Update the junction so that it points to the new location by typing the following
command and then pressing ENTER:

linkd junctionname newpath

where newpath specifies the same value that you entered for fRSStagingPath
earlier.

Start the File Replication service


Use this procedure to restart the File Replication service and review the FRS event log to
ensure that the restart succeeded.

Administrative Credentials

To perform this procedure you must be a member of the Domain Admins group in Active
Directory.

To start the File Replication service


1. Open a Command Prompt.

2. Type the following command, and then press Enter:

net start ntfrs

3. You can use Event Viewer to verify that NTFRS restarted correctly. Event ID
13501 indicates that the service restarted. Look for event ID 13516 to verify that
the domain controller is running and ready for service. If you moved SYSVOL to
a new location or relocated the Staging Area folder, look for event IDs 13553 and
13556, which indicate success.

Restoring and Rebuilding SYSVOL


If your efforts to move SYSVOL or perform certain maintenance tasks fail, you must
recreate or rebuild the SYSVOL on a single domain controller. Attempt to rebuild SYSVOL
on a single domain controller only when all other domain controllers in the domain have a
healthy and functioning SYSVOL. Do not attempt to rebuild SYSVOL until you correct any
problems that are occurring with FRS in a domain.
Use these procedures only if you are working on a domain controller that does not have a
functional SYSVOL.

Task Requirements

The following tools are required to perform the procedures for this task:

 Active Directory Sites and Services

 Event Viewer

 Dcdiag.exe

 ADSIEdit.msc

 Net.exe

 Regedit.exe

 Windows Explorer

 Linkd.exe

 Ultrasound for monitoring

To complete this task, perform the following procedures in order:

1. Identify replication partners

2. Check the status of the shared SYSVOL

Because you will be copying the system volume from one of the partners, you need
to make sure that the system volume you copy from the partner is up to date.

3. Verify replication with other domain controllers

4. Restart the domain controller in Directory Services Restore Mode locally

If you are sitting at the console of the domain controller, locally restart a domain
controller in Directory Services Restore Mode. If you are accessing the domain
controller remotely using Terminal Services, remotely restart a domain controller in
Directory Services Restore Mode.

5. Gather the SYSVOL path information

6. Stop the File Replication service

7. Prepare a domain controller for nonauthoritative SYSVOL restart

8. Import the SYSVOL folder structure

9. Start the File Replication service


10. Check the status of the shared SYSVOL

Identify replication partners


Use this procedure to examine the Connection objects for a domain controller and
determine its replication partners.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To identify replication partners


1. Open Active Directory Sites and Services.

2. In the console tree, expand the Sites container to display the list of sites.

3. Double-click the site that contains the domain controller for which you want to
determine Connection objects.

Note
If you do not know the site in which the domain controller is located, open
a command prompt and type ipconfig to get the IP address of the
domain controller. Use the IP address to verify that an IP address maps
to a subnet and determine the site association.

4. Expand the Servers folder to display the list of servers in that site.

5. Expand the name of your domain controller to display its NTDS settings.

6. Double-click NTDS Settings to display the list of Connection objects in the details
pane (these represent inbound connections used for replication). The From
Server column displays the names of the domain controllers that are the
replication partners.

Check the status of the shared SYSVOL


This procedure involves checking Event Viewer to make sure that the File Replication
service is started properly and then ensuring that the SYSVOL and Net Logon shared
folders are created.

Note
You do not need to perform this procedure on every replication partner, but you
need to perform it enough times to be confident that the shared system volumes
on the replication partners are healthy.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To check the status of the shared SYSVOL


1. Open Event Viewer.

2. In the Event Viewer tree, click File Replication Service to display the FRS
events.

3. Look for an event 13516 with a date and time stamp that corresponds with the
recent restart. It can take 15 minutes or more to appear. An event 13508
indicates that FRS is in the process of starting the service. An event 13509
indicates that the service has started successfully. Event 13516 indicates that the
service is started, the folders are shared, and the domain controller is functional.

4. To verify the shared folder is created, open a command prompt and type net
share to display a list of the shared folders on this domain controller, including
Net Logon and SYSVOL.

5. At a command prompt, type dcdiag /test:netlogons and press ENTER.

6. Look for a message that states computername passed test NetLogons where
computername is the name of the domain controller. If you do not see the test
passed message, some problem will prevent replication from functioning. This
test verifies that the proper logon privileges are set to allow replication to occur. If
this test fails, verify the permissions set on the Net Logon and SYSVOL shared
folders.

Verify replication with other domain controllers

The tests performed in this procedure verify that different aspects of the replication
topology are working properly. They check to see that objects are replicating and they
verify that the proper logon permissions are set to allow replication to occur.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To verify replication is functioning


1. Open a Command Prompt.

2. Type the following command, and then press Enter:

dcdiag /test:replications

Note
For this set of tests, the /v option is available. However, it does not
display any significant additional information. Messages indicate that the
connectivity and replications tests passed.

3. To verify that the proper permissions are set for replication, type the following
command and then press Enter:

dcdiag /test:netlogons

Messages indicate that the connectivity and netlogons tests passed.


Restart the domain controller in Directory Services Restore Mode locally

If you have physical access to a domain controller, you can restart the domain controller
in Directory Services Restore Mode locally. Restarting in Directory Services Restore
Mode takes the domain controller offline. In this mode, the server is not functioning as a
domain controller.

When you start Windows Server 2003 in Directory Services Restore Mode, the local
Administrator account is authenticated by the local Security Accounts Manager (SAM)
database. Therefore, logging on requires that you use the local administrator password,
not an Active Directory domain password. This password is set during Active Directory
installation when you provide the password for Directory Services Restore Mode.

Administrative credentials

To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.

To restart the domain controller in Directory Services Restore Mode locally


1. Restart the domain controller.

2. When the screen for selecting an operating system appears, press F8.

3. On the Windows Advanced Options menu, select Directory Services Restore
Mode.

4. When you are prompted, log on as the local administrator.

See Also
Restart the domain controller in Directory Services Restore Mode Remotely

Gather the SYSVOL path information


When relocating SYSVOL, you first move the entire folder structure to a new location;
then you update all the junction points and the parameters that are stored in the registry
and the directory in order to maintain the relationships between the parameters, the
folders, and the junctions. Optionally, you can relocate the staging area and leave the rest
of the system volume at its original location. In this case, you must update the
fRSStagingPath parameter in the directory and the junction point stored at
%systemroot%\SYSVOL\staging areas. For more information about the folder structure and
the relationships between the folders and the path information stored in the registry and
the SYSVOL directory itself, see Introduction to Administering SYSVOL.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

Use the procedures below to locate the system volume path information and record the
current values in the following table.

To relocate the staging area, record the information for rows 2 and 5.

Note
To restore and rebuild SYSVOL, you will need the information from the domain
controller that you are repairing recorded in rows 1, 2, and 3. Use the junctions
located on the domain controller that you are copying from the SYSVOL folder
structure to record the current value for rows 4 and 5. The new values for rows 4
and 5 are based on the domain controller that you are repairing.

    Parameter                       Current Value       New Value
1   fRSRootPath
2   fRSStagingPath
3   Sysvol parameter in registry
4   Sysvol junction
5   Staging junction

To gather the system volume path information


fRSRootPath and fRSStagingPath
1. Click Start, click Run, type adsiedit.msc, and then press Enter.

2. Double-click Domain [computername] (where computername is the name of this
domain controller). Verify that the Domain expands to display the domain
component (DC=) folder.

3. Click the domain component to display the containers and OUs in the details
pane.

4. Double-click OU=Domain Controllers to display the containers that represent
the domain controllers.

5. Double-click the container that represents this domain controller
(CN=computername) to display more containers.

6. Click the CN=NTFRS Subscriptions container.

7. In the details pane, right-click CN=Domain System Volume, and then click
Properties.

8. Ensure that Show mandatory attributes is selected. Select it if it is not.


9. In Attributes, locate fRSRootPath and fRSStagingPath and record the current
values in the table above.

10. Based on the folder structure discussed in detail in Introduction to Administering
SYSVOL and the new location, record the new path value for this parameter in
the table.

11. Click Cancel to close the dialog box.

SYSVOL parameter in the registry


1. Click Start, click Run, type regedit and then press ENTER.

2. In Registry Editor, navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.

3. Sysvol appears in the details pane. The current value is listed in the Data column.

4. Record the current value in the table above. Based on the folder structure discussed in
detail in Introduction to Administering SYSVOL and the new location, record the new
path value for this parameter in the table.

5. Exit Registry Editor.

SYSVOL junction
1. Open a Command Prompt.

2. Change the directory to %systemroot%\SYSVOL\Sysvol.

Note
This assumes that the system volume is still in the default location. If it
has been relocated, substitute the appropriate paths into these
instructions.

3. At the command prompt, type dir. Verify that the fully qualified domain name
(FQDN) is listed as type <JUNCTION>.

4. At the command prompt, type linkd fqdn (where fqdn is the domain name listed
in the Dir output) and press ENTER. This displays the value stored in the junction
point.

5. Record the current value in the table above. Based on the folder structure discussed
in detail in Introduction to Administering SYSVOL and the new location, record
the new path value for this parameter in the table.

Staging junction
1. Open a Command Prompt.

2. Change the directory to %systemroot%\SYSVOL\Staging Areas.

Note
This assumes that the staging area is still in the default location. If it has
been relocated, substitute the appropriate paths into these instructions.

3. At the command prompt, type dir. Verify that the fully qualified domain name
(FQDN) is listed as type <JUNCTION>.

4. At the command prompt, type linkd fqdn (where fqdn is the domain name listed
in the Dir output) and press ENTER. This displays the value stored in the junction
point.

5. Record the current value in the table above. Based on the folder structure discussed
in detail in Introduction to Administering SYSVOL and the new location, record
the new path value for this parameter in the table.
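The following added example is not part of the guide: a Windows PowerShell script that collects rows 1 to 5 of the table above from the domain controller it runs on and checks that the junctions agree with the FRS attributes, which also lets you confirm the new values after Set the SYSVOL path and Set the staging area path. It assumes Windows PowerShell 2.0 or later run as a Domain Admin on the DC, linkd.exe (Resource Kit) on the PATH, and that linkd reports a junction as "<source> is linked to <target>".

```powershell
# Added example, not from the guide. Collects rows 1-5 of the table above for
# the domain controller it runs on and checks that the values agree with each
# other. Assumptions: Windows PowerShell 2.0 or later run as Domain Admin on
# the DC, linkd.exe (Resource Kit) on the PATH, and linkd reporting a junction
# as "<source> is linked to <target>".

function Get-JunctionTarget {
    param([string]$JunctionPath)
    if (-not (Test-Path -LiteralPath $JunctionPath)) { return $null }
    $out = (& linkd $JunctionPath 2>&1 | Out-String)
    # The "is linked to" pattern is an assumption about linkd's output; fail
    # loudly rather than record a wrong value in the table.
    if ($out -match 'is linked to\s+(.+?)\s*$') { return $Matches[1].Trim() }
    throw "Unrecognized linkd output for ${JunctionPath}: $out"
}

function Get-SysvolPathInfo {
    param(
        # Default location from the guide; pass the new path if it was relocated.
        [string]$StagingAreas = (Join-Path $env:SystemRoot 'SYSVOL\staging areas')
    )
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainNc = [string]$rootDse.Properties['defaultNamingContext'].Value
    $fqdn     = ($domainNc -split ',' | ForEach-Object { $_ -replace '^\s*DC=' }) -join '.'

    # Rows 1 and 2: fRSRootPath and fRSStagingPath on the nTFRSSubscriber
    # object (CN=Domain System Volume ...) under this DC's CN=NTFRS Subscriptions.
    $cs = New-Object System.DirectoryServices.DirectorySearcher
    $cs.SearchRoot = [ADSI]"LDAP://$domainNc"
    $cs.Filter = "(&(objectClass=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
    $computer = $cs.FindOne()
    if (-not $computer) { throw "Computer object for $($env:COMPUTERNAME) not found" }
    $ss = New-Object System.DirectoryServices.DirectorySearcher
    $ss.SearchRoot = $computer.GetDirectoryEntry()
    $ss.Filter = '(objectClass=nTFRSSubscriber)'
    $sub = $ss.FindOne()
    if (-not $sub) { throw 'No nTFRSSubscriber object found under the computer object' }
    $fRSRootPath    = [string]$sub.Properties['frsrootpath'][0]
    $fRSStagingPath = [string]$sub.Properties['frsstagingpath'][0]

    # Row 3: the Netlogon Sysvol registry parameter (the SYSVOL\sysvol folder).
    $regSysvol = [string](Get-ItemProperty `
        'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').SysVol

    # Rows 4 and 5: the junctions named after the domain FQDN.
    $sysvolJunction  = Get-JunctionTarget (Join-Path $regSysvol $fqdn)
    $stagingJunction = Get-JunctionTarget (Join-Path $StagingAreas $fqdn)

    $rows = @()
    $i = 0
    foreach ($pair in @(@('fRSRootPath', $fRSRootPath),
                        @('fRSStagingPath', $fRSStagingPath),
                        @('Sysvol parameter in registry', $regSysvol),
                        @('Sysvol junction', $sysvolJunction),
                        @('Staging junction', $stagingJunction))) {
        $i++
        $rows += New-Object PSObject -Property @{
            Row = $i; Parameter = $pair[0]; CurrentValue = $pair[1] }
    }

    # Known FRS layout (not stated on this page): the sysvol junction points at
    # fRSRootPath and the staging junction at fRSStagingPath.
    $norm = { param($p) if ($p) { $p.TrimEnd('\').ToLowerInvariant() } else { '' } }
    $checks = @{
        'Sysvol junction -> fRSRootPath'     = ((& $norm $sysvolJunction)  -eq (& $norm $fRSRootPath))
        'Staging junction -> fRSStagingPath' = ((& $norm $stagingJunction) -eq (& $norm $fRSStagingPath))
        'Registry Sysvol folder exists'      = [bool]($regSysvol -and (Test-Path -LiteralPath $regSysvol))
    }
    New-Object PSObject -Property @{ Domain = $fqdn; Rows = $rows; Checks = $checks }
}

$info = Get-SysvolPathInfo
$info.Rows | Sort-Object Row | Format-Table Row, Parameter, CurrentValue -AutoSize
$info.Checks.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```

A failed check after a move means one of the three places (registry, directory attribute, junction) was not updated, which is exactly the inconsistency the rebuild procedures below exist to repair.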

Stop the File Replication service


Use this procedure to stop the File Replication service.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
To stop the File Replication service
1. Open a Command Prompt.

2. Type the following command and then press Enter:

net stop ntfrs

Prepare a domain controller for nonauthoritative SYSVOL restart

Initiate a nonauthoritative restart of SYSVOL by modifying the value of the BurFlags
(backup/restore flags) registry entry. Changing the value to D2 (hexadecimal) or 210
(decimal) prior to disconnecting a domain controller initiates an automatic
nonauthoritative restart of SYSVOL when the domain controller is restarted.

Separate entries exist for global and replica-set-specific BurFlags, as follows:

 To initiate a nonauthoritative restart of SYSVOL when it is the only replica set that is
represented on the domain controller, set the value of the global BurFlags
(REG_DWORD) entry under

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

 If other replica sets are represented on the domain controller and you want to update
only SYSVOL, set the value of the replica-set-specific BurFlags (REG_DWORD)
entry under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\SYSVOL GUID

Modifying the replica-set-specific BurFlags entry requires identifying the SYSVOL GUID
in the registry.

Caution
The Registry Editor bypasses standard safeguards, allowing settings that can
damage your system or even require you to reinstall Windows. If you must edit
the registry, back up system state first. For information about backing up system
state, see Administering Active Directory Backup and Restore.

Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To prepare a domain controller for nonauthoritative SYSVOL restart


1. Click Start, click Run, type regedit and then click OK.

2. Navigate to

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters

3. Expand Parameters.

4. Modify one of the BurFlags entries as follows:

To modify the global BurFlags entry:

a. Expand Backup/Restore and then click Process at Startup.

b. In the details pane, right-click BurFlags and click Modify.

c. In the Value data box, type D2 hexadecimal or 210 decimal.

d. Click OK and close Registry Editor.

To modify the replica-set-specific BurFlags entry:

a. Expand both Cumulative Replica Sets and Replica Sets.

b. Match the GUID under Replica Sets to the identical GUID under Cumulative
Replica Sets, and click the matching GUID under Cumulative Replica Sets.

c. In the details pane, right-click BurFlags and click Modify.

d. In the Value data box, type D2 hexadecimal or 210 decimal.

e. Click OK and close Registry Editor.
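The following added example is not part of the guide: a Windows PowerShell function that sets BurFlags to D2 on either the global entry or the replica-set-specific entry described above, refusing to proceed while NtFrs is still running. It assumes Windows PowerShell 2.0 or later run as a Domain Admin on the affected DC, and uses the .NET registry API because the "Backup/Restore" key name contains a slash that a HKLM: provider path would treat as a separator.

```powershell
# Added example, not from the guide. Sets BurFlags to D2 (210 decimal) for a
# nonauthoritative SYSVOL restart, on the global entry or on the replica-set-
# specific entry, after confirming that NtFrs is stopped. The .NET registry API
# is used because the "Backup/Restore" key name contains a slash, which a HKLM:
# provider path would read as a separator. Assumptions: Windows PowerShell 2.0
# or later, run as Domain Admin on the affected DC.

function Set-FrsNonAuthoritativeRestart {
    param(
        # Omit for the global entry; pass the SYSVOL replica set GUID (as shown
        # under Cumulative Replica Sets) to update only that replica set.
        [string]$ReplicaSetGuid
    )
    if ((Get-Service NtFrs).Status -ne 'Stopped') {
        throw 'Stop the File Replication service (net stop ntfrs) before changing BurFlags.'
    }
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $base = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'

    if ($ReplicaSetGuid) {
        # Step b of the procedure: the GUID must appear under both Replica Sets
        # and Cumulative Replica Sets; the flag is set under the latter.
        foreach ($container in 'Replica Sets', 'Cumulative Replica Sets') {
            $k = $hklm.OpenSubKey("$base\$container")
            if (-not $k) { throw "Missing key HKLM\$base\$container" }
            $names = $k.GetSubKeyNames()
            $k.Close()
            if (-not ($names -contains $ReplicaSetGuid)) {
                throw "GUID $ReplicaSetGuid not found under $container (found: $($names -join ', '))"
            }
        }
        $sub = "$base\Cumulative Replica Sets\$ReplicaSetGuid"
    } else {
        $sub = "$base\Backup/Restore\Process at Startup"
    }

    $key = $hklm.OpenSubKey($sub, $true)   # $true = open writable
    if (-not $key) { throw "Registry key not found: HKLM\$sub" }
    try {
        $before = $key.GetValue('BurFlags')
        $key.SetValue('BurFlags', 0xD2, [Microsoft.Win32.RegistryValueKind]::DWord)
        $after  = $key.GetValue('BurFlags')   # read back to confirm the write
    } finally {
        $key.Close()
    }
    if ($before -ne $null) { $beforeText = '0x{0:X}' -f $before } else { $beforeText = '(absent)' }
    New-Object PSObject -Property @{
        Key    = "HKLM\$sub"
        Before = $beforeText
        After  = '0x{0:X}' -f $after
    }
}

# Global entry (SYSVOL is the only replica set on this DC):
Set-FrsNonAuthoritativeRestart
```

Call it with -ReplicaSetGuid when other replica sets exist on the domain controller, as the procedure's second variant describes.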

Import the SYSVOL folder structure


Use this procedure to copy the SYSVOL folder structure from another domain controller.
The %systemroot%\SYSVOL folder is at the top of the folder tree for the Windows system
volume. To properly import SYSVOL, you must copy the %systemroot%\SYSVOL folder
and its contents.

To use this procedure, the default shared folder Admin$ must exist on the domain
controller from which you plan to copy the SYSVOL folder structure. Some organizations
remove this shared folder or rename it for security reasons. If this shared folder is not
available, you must share the %systemroot% folder and name the share point Admin$. If
you share the %systemroot% folder in order to complete this procedure, ensure that you
remove the share point after the procedure is complete in order to maintain any security
policies established on your network. If the Admin$ share has been renamed, then use
the name assigned by your organization instead of Admin$ while completing this
procedure.

Caution
Never copy information from the system volume on one domain controller to the
system volume on another domain controller unless you have stopped the File
Replication service and configured SYSVOL for a non-authoritative restore during
startup. Failure to do so can cause invalid data to be replicated and cause the
system volumes on various domain controllers to become inconsistent.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To import the SYSVOL folder structure


1. Open Windows Explorer.

2. Navigate to the existing %systemroot%\SYSVOL folder that you are rebuilding
and delete it.

3. Connect to the Admin$ share on the domain controller that you identified earlier
as the replication partner from which you plan to copy the SYSVOL folder
structure.

4. Once you are connected to the Admin$ share point, verify that a folder labeled
SYSVOL appears. Right-click the SYSVOL folder, and click Copy.

5. In the same directory, find some blank space and right-click. Click Paste. You
might see a dialog box stating that some files already exist and a prompt asking
whether you want to continue copying the folder. At each such prompt, click No.

6. Verify that the original SYSVOL folder and a new folder labeled Copy of
SYSVOL both appear. Right-click Copy of SYSVOL and click Rename. Type
SYSVOL2 and press ENTER.

7. Open a command prompt. Change to the drive letter that represents the
connection to the remote domain controller where you created the SYSVOL2
folder.
8. Change the directory to SYSVOL2\sysvol.

9. Type dir and press ENTER. Verify that <JUNCTION> appears in the Dir output
and is followed by the name of the domain.

10. You must update the path in this junction so that it points to the new location.
Type the following command:

linkd junctionname newpath

where newpath is the new value you recorded in row 4 of the table in Gather the
SYSVOL path information. Press ENTER.

11. If the staging area has been relocated and is no longer inside the SYSVOL folder,
skip steps 10 and 11 and proceed to step 12. At a command prompt, change the
directory to \SYSVOL2\staging areas under the copy of SYSVOL that you
created. Type dir to list the contents and verify that <JUNCTION> appears in the
Dir output.

12. Update the junction so that it points to the new location. Type the following
command:

linkd junctionname newpath

where newpath is the new value that you recorded in row 5 of Table 1 while
gathering system volume path information. Press ENTER.

13. At the command prompt, change back to the %systemroot% for the domain
controller that you are repairing.

14. From the command prompt, use the Xcopy command to copy the contents of
the \SYSVOL2 folder you created to a new SYSVOL folder on your local drive.
Type the following command:

xcopy drive:\sysvol2\*.* sysvol\*.* /s /e /h /c /y

where drive is the letter representing the connection to the remote domain
controller. Press ENTER.

15. Verify that the folder structure copied correctly. Compare the new folder structure
to the SYSVOL (not the SYSVOL2) on the remote domain controller. Open a
command prompt and type dir to list the contents of the folders. Ensure that all
folders exist.

16. Remove the SYSVOL2 folder that you created on the remote domain controller.

17. Disconnect from the remote domain controller. If you had to create a shared
folder on that domain controller in order to connect to it, remove the shared
folder. Some organizations consider it a security risk to retain shared folders that
are not in use.

18. Restart the domain controller in normal mode.

Start the File Replication service


Use this procedure to restart the File Replication service and review the FRS event log to
ensure that the restart succeeded.

Administrative Credentials
To perform this procedure you must be a member of the Domain Admins group in Active
Directory.

To start the File Replication service


1. Open a Command Prompt.

2. Type the following command, and then press Enter:

net start ntfrs

3. You can use Event Viewer to verify that NTFRS restarted correctly. Event ID
13501 indicates that the service restarted. Look for event ID 13516 to verify that
the domain controller is running and ready for service. If you moved SYSVOL to
a new location or relocated the Staging Area folder, look for event IDs 13553 and
13556, which indicate success.
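The following added example is not part of the guide: a Windows PowerShell function that performs the checks described in step 3 above and in Check the status of the shared SYSVOL (FRS event IDs, the SYSVOL and NETLOGON shares, and dcdiag /test:netlogons) after a restart. It assumes Windows PowerShell 2.0 or later on the DC and dcdiag.exe on the PATH.

```powershell
# Added example, not from the guide. After "net start ntfrs", reads the File
# Replication Service event log for the event IDs the guide lists, confirms
# the SYSVOL and NETLOGON shares exist, and runs dcdiag /test:netlogons.
# Assumptions: Windows PowerShell 2.0 or later on the DC, dcdiag.exe on the PATH.

function Test-FrsRestart {
    param(
        [datetime]$Since = (Get-Date).AddMinutes(-30),  # when the service was started
        [switch]$SysvolRelocated                         # also require 13553 and 13556
    )
    # Event IDs and what the guide says they mean.
    $meaning = @{
        13501 = 'service restarted'
        13508 = 'service still starting'
        13509 = 'service started successfully'
        13516 = 'SYSVOL shared; domain controller ready for service'
        13553 = 'SYSVOL or staging relocation succeeded'
        13556 = 'SYSVOL or staging relocation succeeded'
    }
    # 13516 can take 15 minutes or more to appear; rerun the check until it does.
    $events = @(Get-EventLog -LogName 'File Replication Service' |
        Where-Object { $_.TimeGenerated -ge $Since -and $meaning.ContainsKey($_.EventID) } |
        Sort-Object TimeGenerated)
    $seen = @{}
    foreach ($e in $events) { $seen[$e.EventID] = $e.TimeGenerated }

    $required = @(13501, 13516)
    if ($SysvolRelocated) { $required += 13553, 13556 }
    $missing = @($required | Where-Object { -not $seen.ContainsKey($_) })

    # Shares that 13516 implies; Win32_Share avoids parsing "net share" text.
    $shares = @(Get-WmiObject Win32_Share |
        Where-Object { @('SYSVOL', 'NETLOGON') -contains $_.Name } |
        ForEach-Object { $_.Name })

    # The same check the guide makes in "Check the status of the shared SYSVOL".
    $dcdiagOut = (& dcdiag /test:netlogons 2>&1 | Out-String)
    $netlogonsPassed = [bool]($dcdiagOut -match 'passed test NetLogons')

    $timeline = @($events | ForEach-Object {
        '{0:s}  {1}  {2}' -f $_.TimeGenerated, $_.EventID, $meaning[$_.EventID] })

    New-Object PSObject -Property @{
        Timeline        = $timeline
        MissingEventIds = $missing
        SharesPresent   = $shares
        NetLogonsPassed = $netlogonsPassed
        Ready           = ($missing.Count -eq 0 -and $shares.Count -eq 2 -and $netlogonsPassed)
    }
}

$r = Test-FrsRestart -Since (Get-Date).AddHours(-1)
$r.Timeline
$r | Format-List MissingEventIds, SharesPresent, NetLogonsPassed, Ready
```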

Administering the Global Catalog


This guide provides information for administering the Active Directory Global Catalog in
the Microsoft Windows Server 2003 operating system.

In this guide

 Introduction to Administering the Global Catalog

 Managing the Global Catalog

Acknowledgements
Published: March 2005

Applies to: Windows Server 2003 SP1

Produced by: Microsoft Windows Server User Assistance team

Writer: Mary Hillman

Editor: Jim Becker

Introduction to Administering the Global Catalog

Designate global catalog servers in sites to accommodate forest-wide directory searching
and to facilitate domain client logons when universal groups are available (that is, when a
domain has a domain functional level of Windows Server 2003 or Windows 2000 native).
When universal groups are available in the domain, a domain controller must be able to
locate a global catalog server to process a logon request.

Global Catalog Placement


Placement of global catalog servers in sites is a deployment task when you initially
deploy your forest. As your forest grows, you might need to add more global catalog
servers. To improve the speed of logging on and searching, place at least one global
catalog server in each site and at least two global catalog servers if the site has multiple
domain controllers. As a best practice, configure half of all domain controllers in a site to
be global catalog servers if the site contains more than three domain controllers. If your
deployment uses only a single domain, configure all domain controllers as global catalog
servers. In a single-domain forest, configuring all domain controllers as global catalog
servers requires no additional resources.

When placing global catalog servers, primary concerns are:

 Does any site have no global catalog servers?

 What domain controllers are designated as global catalog servers in a particular site?

Initial Global Catalog Replication


When you add a global catalog server to a site, the Knowledge Consistency Checker
(KCC) updates the replication topology, after which replication of partial domain directory
partitions that are available within the site begins. Replication of partial domain directory
partitions that are available only from other sites begins at the next scheduled interval.

Adding subsequent global catalog servers within the same site requires only intrasite
replication and does not affect network performance. Replication of the global catalog
potentially affects network performance only when adding the first global catalog server in
the site and the impact varies depending on the following conditions:

 The speed and reliability of the wide area network (WAN) link or links to the site.

 The size of the forest.

For example, in a forest that has a large hub site, five domains, and thirty small branch
sites (some of which are connected by only dial-up connections), global catalog
replication to the small sites takes considerably longer than replication of one or two
domains to a few well-connected sites.

Global Catalog Readiness


A global catalog server is available to directory clients when it is locatable as a global
catalog server in Domain Name System (DNS). Several conditions must be met before
the global catalog server is ready to serve clients. These conditions are divided into
seven levels (numbered 0 to 6) of readiness called occupancy levels. At each level, a
specific degree of synchronization must be achieved before moving to the next level. By
default, domain controllers running Windows Server 2003 require all levels to be reached
before the global catalog is ready for use. At level 6, all partial, read-only directory
partitions have been successfully replicated to the global catalog server. When the
requirements of all occupancy levels have been satisfied, the Net Logon service on the
global catalog server registers DNS service (SRV) resource records that identify the
domain controller as a global catalog server in the site and in the forest.

In summary, a global catalog server is ready to serve clients when the following events
occur, in this order:

 Occupancy level requirements are met by replicating read-only replicas.

 The isGlobalCatalogReady rootDSE attribute is set to TRUE.

 The Net Logon service on the domain controller has updated DNS with global
catalog–specific SRV resource records.

At this point, the global catalog server begins accepting queries on ports 3268 and 3269.
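The following added example is not part of the guide: a Windows PowerShell function that checks the readiness sequence just described for one domain controller, in order (global catalog designation on NTDS Settings, the isGlobalCatalogReady rootDSE attribute, the _gc._tcp SRV record, and ports 3268 and 3269). It assumes Windows PowerShell 2.0 or later with LDAP access to the DC, nslookup.exe printing SRV answers as "svr hostname = <host>", and that bit 0x1 of the NTDS Settings options attribute is the global catalog flag (a known value, not stated on this page).

```powershell
# Added example, not from the guide. Checks the readiness conditions listed
# above, in order, for one domain controller. Assumptions: Windows PowerShell
# 2.0 or later with LDAP access to the DC, nslookup.exe on the PATH printing
# SRV answers as "svr hostname = <host>", and that bit 0x1 of the NTDS Settings
# "options" attribute is the global catalog flag (known value, not from this page).

function Test-GlobalCatalogReady {
    param([string]$DomainController = $env:COMPUTERNAME)

    $root        = [ADSI]"LDAP://$DomainController/RootDSE"
    $dnsHostName = [string]$root.Properties['dnsHostName'].Value
    $forestNc    = [string]$root.Properties['rootDomainNamingContext'].Value
    $forestDns   = ($forestNc -split ',' | ForEach-Object { $_ -replace '^\s*DC=' }) -join '.'

    # Step 0: is the Global Catalog check box set on this DC's NTDS Settings object?
    $ntdsDn     = [string]$root.Properties['dsServiceName'].Value
    $ntds       = [ADSI]"LDAP://$DomainController/$ntdsDn"
    $options    = [int]$ntds.Properties['options'].Value
    $designated = (($options -band 1) -eq 1)

    # Steps 1 and 2: occupancy levels met and isGlobalCatalogReady set to TRUE.
    $gcReady = (([string]$root.Properties['isGlobalCatalogReady'].Value) -eq 'TRUE')

    # Step 3: Net Logon registered this host under _gc._tcp.<forest root>.
    $srv = (& nslookup -type=SRV "_gc._tcp.$forestDns" 2>&1 | Out-String)
    # Match only answer lines, so the "Server:" header naming the DNS server
    # you queried (possibly this same DC) does not count as advertisement.
    $advertised = [bool]($srv -match ('svr hostname\s*=\s*' + [regex]::Escape($dnsHostName)))

    # Finally, the global catalog ports should accept connections.
    $ports = @{}
    foreach ($p in 3268, 3269) {
        $client = New-Object System.Net.Sockets.TcpClient
        try     { $client.Connect($dnsHostName, $p); $ports[$p] = $true }
        catch   { $ports[$p] = $false }
        finally { $client.Close() }
    }

    New-Object PSObject -Property @{
        DomainController     = $dnsHostName
        DesignatedGc         = $designated
        IsGlobalCatalogReady = $gcReady
        AdvertisedInDns      = $advertised
        Port3268             = $ports[3268]
        Port3269             = $ports[3269]
        # Serving only when every stage of the sequence above has completed.
        ServingClients       = ($designated -and $gcReady -and $advertised -and
                                $ports[3268] -and $ports[3269])
    }
}

Test-GlobalCatalogReady | Format-List
```

A DC that shows DesignatedGc true but IsGlobalCatalogReady false is still working through the occupancy levels; one that is ready but not advertised points at Net Logon or DNS registration rather than replication.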

Global Catalog Removal

When you remove the global catalog, the domain controller immediately stops advertising
in DNS as a global catalog server. The KCC gradually removes the read-only replicas
from the domain controller. On domain controllers running Windows Server 2003, the
global catalog partial, read-only directory partitions are removed in the background,
receiving a low priority so that high-priority services are not interrupted.

One reason that you might want to remove the global catalog from a domain controller is
the availability of universal group membership caching in Windows Server 2003, which
might eliminate the requirement for a global catalog server in a particular site.

Minimum hardware requirements for global catalog servers depend upon the numbers of
users in the site. For disk space requirements and directory database storage guidelines,
see "Assessing Disk Space and Memory Requirements" in Designing and Deploying
Directory and Security Services on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=45434).

See Also
Windows Server 2003 Technical Reference

Managing the Global Catalog


Designate global catalog servers in sites to accommodate forest-wide directory searching
and so that Active Directory can determine universal group membership of native-mode
domain clients.

The following tasks for managing the global catalog are described in this objective:

 Configuring a Global Catalog Server

 Determining Global Catalog Readiness

 Removing the Global Catalog

Configuring a Global Catalog Server


When conditions in a site warrant adding a global catalog server, you can configure a
domain controller to be a global catalog server. Selecting the global catalog setting on the
NTDS Settings object prompts the KCC to update the topology. After the topology is
updated, then read-only partial domain directory partitions are replicated to the
designated domain controller. When replication must occur between sites to create the
global catalog, the site link schedule determines when replication can occur.

Task Requirements

The following tools are required to perform the procedures for this task:

 Active Directory Sites and Services

 Repadmin.exe

 Dcdiag.exe

To complete this task, perform the following procedures:

Note
Some procedures are performed only when you are configuring the first global
catalog server in a site.

1. Determine whether a domain controller is a global catalog server

2. Designate a domain controller to be a global catalog server

3. Monitor global catalog replication progress

4. Verify successful replication to a domain controller

Determine whether a domain controller is a global catalog server

Use the setting on the NTDS Settings object to indicate whether a domain controller is
designated as a global catalog server.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Users group in Active
Directory.

To determine whether a domain controller is a global catalog server


1. Open Active Directory Sites and Services.

2. In the console tree, expand the Sites container, expand the site of the domain
controller you want to check, expand the Servers container, and then expand the
Server object.

3. Right-click the NTDS Settings object, and then click Properties.

4. On the General tab, if the Global Catalog box is selected, the domain controller
is designated as a global catalog server.

Designate a domain controller to be a global catalog server

Setting the Global Catalog check box designates a domain controller as a global catalog
server and initiates the process of replicating all domains to the server.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in the
domain where you are configuring the domain controller to be a global catalog server.

To designate a domain controller to be a global catalog server


1. Open Active Directory Sites and Services.

2. In the console tree expand the Sites container, and then expand the site in which
you are designating a global catalog server.

3. Expand the Servers container and then expand the Server object for the domain
controller that you want to designate as a global catalog server.

4. Right-click the NTDS Settings object for the target server, and then click
Properties.

5. Select the Global Catalog check box, and then click OK.

Monitor global catalog replication progress

Monitor inbound replication progress to see what percentage of the partial read-only
directory partitions in the forest have replicated to a new global catalog server.

Note
Exchange 2003 servers use the global catalog exclusively when looking up
addresses. Therefore, in addition to causing Active Directory client search
problems, the condition of a global catalog server being advertised before it
receives all partial replicas can cause Address Book lookup and mail delivery
problems for Exchange clients.

The Name Service Provider Interface (NSPI) must be running on a global catalog
server to enable MAPI access to Active Directory. To enable NSPI, you must
restart the global catalog server after replication of the partial directory partitions
is complete, or after occupancy requirements are met.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To monitor global catalog replication progress


1. Open a Command Prompt.

2. Type the following command and then press ENTER:

dcdiag /v /s:servername | find "%"

Value        Description

servername   Specifies the name of the new global catalog server.

3. Repeat this command periodically to monitor progress. If the test shows no
output, then replication has completed.

Determining Global Catalog Readiness


After replication of the partial domain directory partitions, the domain controller advertises
as a global catalog server and begins accepting queries. If the domain controller
advertises as a global catalog server before it has complete information from all domains
in the forest, it might return false information to applications that begin using the server
for forest-wide searches. Determine if a domain controller is ready to begin advertising
itself as a global catalog server using the procedures for this task.

Task Requirements

The following tools are required to perform the procedures for this task:

• Ldp.exe

• Nltest.exe

• DNS snap-in

Note
The global catalog server must be restarted after replication has completed and
before readiness is determined.

To complete this task, perform the following procedures:

1. Verify global catalog readiness

2. Verify global catalog DNS registrations

Verify global catalog readiness


When a global catalog server has satisfied replication requirements, the
isGlobalCatalogReady rootDSE attribute is set to TRUE and the global catalog is ready
to serve clients.

Administrative Credentials

To perform the following procedures you must be a member of the Domain Users group.

To verify global catalog readiness


• Using the Windows interface

• Using a command prompt

Using the Windows interface


1. Click Start, click Run, type Ldp, and then click OK.

2. On the Connection menu, click Connect.

3. In the Connect box, type the name of the server whose global catalog readiness
you want to verify.

4. In the Port box, if 389 is not showing, type 389.

5. If the Connectionless box is selected, clear it, and then click OK.

6. In the details pane, verify that the isGlobalCatalogReady attribute has a value of
TRUE.

7. On the Connection menu, click Disconnect, and then close Ldp.

Using a command prompt


1. Open a Command Prompt.

2. Type the following command and then press ENTER:

nltest /server:servername /dsgetdc:domainname

Value        Description

servername   Specifies the name of the domain controller you have designated as a
             global catalog server.

domainname   Specifies the name of the domain to which the server belongs.

3. In the Flags: line of the output, if GC appears, then the global catalog server has
satisfied its replication requirements.
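Reading the Flags: line by eye is fine for one server; when several new global catalog servers are being brought up at once, the same check can be scripted. The Python below is an added example, not part of this guide or of Nltest.exe: it parses constructed nltest /dsgetdc output (the server names, addresses, site names and GUID are made up for the example) and reports whether the GC flag is present, while distinguishing a server that is not yet advertising from a lookup that failed and therefore produced no Flags line at all.

```python
import re
from typing import Dict, Optional, Set

# Constructed sample output of "nltest /server:DC1 /dsgetdc:corp.example.com" for a
# domain controller that has satisfied its global catalog replication requirements.
# Server names, addresses, site names and the GUID are made up for this example.
SAMPLE_GC_READY = r"""
           DC: \\DC1.corp.example.com
      Address: \\10.0.0.11
     Dom Guid: 3f2504e0-4f89-11d3-9a0c-0305e82c3301
     Dom Name: corp.example.com
  Forest Name: corp.example.com
 Dc Site Name: HQ
Our Site Name: HQ
        Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE
The command completed successfully
"""

# The same server before the partial replicas finished: every flag but GC is advertised.
SAMPLE_GC_NOT_READY = r"""
           DC: \\DC1.corp.example.com
      Address: \\10.0.0.11
     Dom Guid: 3f2504e0-4f89-11d3-9a0c-0305e82c3301
     Dom Name: corp.example.com
  Forest Name: corp.example.com
 Dc Site Name: HQ
Our Site Name: HQ
        Flags: PDC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE
The command completed successfully
"""

# Constructed failure output (for example, a mistyped domain name): no Flags line at all.
SAMPLE_LOOKUP_FAILED = "Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN\n"

# "Label: value" lines; the label is letters and spaces, the value is the rest of the line.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+(.*?)\s*$")


def parse_dsgetdc(output: str) -> Dict[str, str]:
    """Turn the Label: value lines of nltest /dsgetdc output into a dict."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        match = FIELD_RE.match(line)
        if match:
            fields[match.group(1).strip()] = match.group(2)
    return fields


def dsgetdc_flags(output: str) -> Optional[Set[str]]:
    """Return the set of flags nltest reported, or None if there was no Flags line."""
    flags = parse_dsgetdc(output).get("Flags")
    if flags is None:
        return None
    return set(flags.split())


def advertises_gc(output: str) -> Optional[bool]:
    """True if GC is advertised, False if not yet, None if the lookup itself failed."""
    flags = dsgetdc_flags(output)
    if flags is None:
        return None
    return "GC" in flags


if __name__ == "__main__":
    for label, sample in (("ready", SAMPLE_GC_READY),
                          ("not ready", SAMPLE_GC_NOT_READY),
                          ("lookup failed", SAMPLE_LOOKUP_FAILED)):
        print(f"{label}: advertises GC = {advertises_gc(sample)}")
```

In practice the output string comes from running nltest with the /server and /dsgetdc values shown in the procedure; a None result means the command should be re-run with corrected parameters rather than read as "not ready".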

Verify global catalog DNS registrations


To verify that a server is advertised as a global catalog server, verify the presence of DNS
SRV resource records for the server. Restart the global catalog server prior to checking
DNS registrations.

Administrative Credentials

To perform this procedure you must be a member of the Domain Users group.

To verify global catalog DNS registrations


1. Open the DNS snap-in and connect to a domain controller in the forest root
domain.

2. Expand Forward Lookup Zones and then expand the forest root domain.

3. Click the _tcp container.

4. In the details pane, look in the Name column for _gc and in the Data column for
the name of the server. The records that begin with _gc are global catalog SRV
records.

Removing the Global Catalog


Removing the global catalog from a domain controller simply requires clearing the Global
Catalog check box on the NTDS Settings object properties page. As soon as this is
complete, the domain controller stops advertising itself as a global catalog server (Net
Logon de-registers the global catalog-related records in DNS) and it immediately stops
accepting LDAP requests over ports 3268 and 3269.

Task Requirements

The following tool is required to perform the procedures for this task:

• Active Directory Sites and Services

To complete this task, perform the following procedures:

1. Clear the global catalog setting

2. Monitor global catalog removal in Event Viewer

Clear the global catalog setting


Clearing the global catalog setting initiates removal of the partial directory partitions from
the directory database of the domain controller.

Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in the
domain of the global catalog server.

To clear the global catalog setting


1. Open Active Directory Sites and Services.

2. Expand the Sites container, and then expand the site from which you are
removing a global catalog server.

3. Expand the Servers container and then expand the Server object for the domain
controller that you want to remove as a global catalog server.

4. Right-click the NTDS Settings object for the target server, and then click
Properties.

5. If the Global Catalog check box is selected, clear the check box, and then click
OK.

Monitor global catalog removal in Event Viewer

To verify that the global catalog has been removed from a domain controller, monitor
Event Viewer. The KCC logs event ID 1268 when the global catalog has been successfully
removed.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Users group.

To monitor global catalog removal in Event Viewer


1. Click Start, point to Programs, point to Administrative Tools, and then click Event Viewer.

2. Right-click Event Viewer (Local), and then click Connect to another computer.

3. In the Select Computer dialog box, click Another computer, type the name of
the server from which you removed the global catalog, and then click OK.

4. Under Event Viewer, click Directory Services log.

5. Look for NTDS KCC event ID 1268, which indicates that the global catalog is
removed from the local machine.

Administering Operations Master Roles

This guide provides information for administering Active Directory operations master roles
in the Microsoft Windows Server 2003 operating system.

In this guide

• Introduction to Administering Operations Master Roles

• Managing Operations Master Roles


Acknowledgements

Published: March 2005

Applies to: Windows Server 2003

Produced by: Microsoft Windows Server User Assistance team

Writer: Shala Brandolini

Editor: Jim Becker

Introduction to Administering Operations Master Roles

Operations masters keep the directory functioning properly by performing specific tasks
that no other domain controllers are permitted to perform.

Three operations master roles exist in each domain:

• The primary domain controller (PDC) emulator. The PDC emulator processes all
replication requests from Microsoft Windows NT 4.0 backup domain controllers. It
also processes all password updates for clients not running Active Directory–enabled
client software, plus any other directory write operations.

• The relative identifier (RID) master. The RID master allocates RID pools to all domain
controllers to ensure that new security principals can be created with a unique
identifier.

• The infrastructure master. The infrastructure master for a given domain maintains a
list of the security principals for any linked-value attributes.

In addition to the three domain-level operations master roles, two operations master roles
exist in each forest:

• The schema master, which governs all changes to the schema.

• The domain naming master, which adds and removes domains and application
partitions to and from the forest.

To perform these functions, the domain controllers hosting these operations master roles
must be consistently available and be located in areas where network reliability is high.
Careful placement of your operations masters becomes more important as you add more
domains and sites to build your forest.

Guidelines for Role Placement


By improperly placing operations master role holders, you might prevent clients from
changing their passwords or being able to add domains and new objects, such as Users
and Groups. You might also be unable to make changes to the schema. In addition,
name changes might not properly appear within group memberships that are displayed in
the user interface.

As your environment changes, you must avoid the problems associated with improperly
placed operations master role holders. Eventually, you might need to reassign the roles to
other domain controllers.

Although you can assign the forest-level and domain-level operations master roles to any
domain controller in the forest and domain respectively, improperly placing the
infrastructure master role can cause it to function improperly. Other improper
configurations can increase administrative overhead.

Although you can assign the operations master roles to any domain controller, follow
these guidelines to minimize administrative overhead and ensure the performance of
Active Directory. If a domain controller that is hosting operations master roles fails,
following these guidelines also simplifies the recovery process. Guidelines for role
placement include:

• Leave the two forest-level roles on a domain controller in the forest root domain.

• Place the three domain-level roles on the same domain controller.

• Do not place the domain-level roles on a global catalog server.

• Place the domain-level roles on a higher performance domain controller.

• Adjust the workload of the operations master role holder, if necessary.

• Choose an additional domain controller as the standby operations master for the
forest-level roles and choose an additional domain controller as the standby for the
domain-level roles.

Forest-level role placement in the forest root domain

The first domain controller created in the forest is assigned the schema master and
domain naming master roles. To ease administration and backup and restore procedures,
leave these roles on the original forest root domain controller. Moving the roles to other
domain controllers does not improve performance. Separating the roles creates
additional administrative overhead when you must identify the standby operations
masters and when you implement a backup and restore policy.

Unlike the PDC emulator role, forest-level roles rarely place a significant burden on the
domain controller. Keep these roles together to provide easy, predictable management.

Forest-level role placement on a Global Catalog server

In addition to hosting the schema master and domain naming master roles, the first
domain controller created in a forest also hosts the global catalog.

Domain-level role placement on the same domain controller

The three domain-level roles are assigned to the first domain controller created in a new
domain. Except for the forest root domain, leave the roles at that location. Keep the roles
together unless the workload on your operations master justifies the additional
management burden of separating the roles.

Because all clients prior to Active Directory submit updates to the PDC emulator, the
domain controller holding that role uses a higher number of RIDs. Place the PDC
emulator and RID master roles on the same domain controller so that these two roles
interact more efficiently.

If you must separate the roles, you can still use a single standby operations master for all
three roles. However, you must ensure that the standby is a replication partner of all three
of the role holders.

Backup and restore procedures also become more complex if you separate the roles.
Special care must be taken to restore a domain controller that hosted an operations
master role. By hosting the roles on a single computer, you minimize the steps that are
required to restore a role holder.

Domain-level role absence on a Global Catalog server

Do not host the infrastructure master on a domain controller that is acting as a global
catalog server.
The infrastructure master updates the names of security principals for any domain-named
linked attributes. For example, if a user from one domain is a member of a group in a
second domain and the user’s name is changed in the first domain, then the second
domain is not notified that the user’s name must be updated in the group’s membership
list. Because domain controllers in one domain do not replicate security principals to
domain controllers in another domain, the second domain never becomes aware of the
change. The infrastructure master constantly monitors group memberships, looking for
security principals from other domains. If it finds one, it checks with the security
principal’s domain to verify that the information is updated. If the information is out of
date, the infrastructure master performs the update and then replicates the change to the
other domain controllers in its domain.

Two exceptions apply to this rule. First, if all the domain controllers in the domain are
global catalog servers, it does not matter which domain controller hosts the infrastructure
master role, because global catalog servers replicate the updated information regardless
of the domain to which they belong. Second, if the forest has only one domain, it does not
matter which domain controller hosts the infrastructure master role, because security
principals from other domains do not exist.

Because it is best to keep the three domain-level roles together, avoid putting any of
them on a global catalog server.
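The placement guidelines above can be applied mechanically to an inventory of a forest, which is useful before a role transfer or as a periodic configuration check. The Python below is an added example, not part of this guide or of any Microsoft tool: it encodes the forest-root rule, the keep-the-roles-together rule and the infrastructure-master-on-a-global-catalog rule (with the two exceptions just described) as a check over a hand-built inventory. The domain and server names in the sample forest are constructed, and the inventory format (the Forest and DomainController classes) is an assumption of the example rather than anything Active Directory exposes directly.

```python
from dataclasses import dataclass
from typing import Dict, List

DOMAIN_ROLES = ("PDC emulator", "RID master", "infrastructure master")


@dataclass(frozen=True)
class DomainController:
    name: str
    domain: str
    is_gc: bool


@dataclass
class Forest:
    root_domain: str
    dcs: Dict[str, DomainController]          # keyed by DC name
    schema_master: str                        # DC name holding the schema master
    domain_naming_master: str                 # DC name holding the domain naming master
    domain_roles: Dict[str, Dict[str, str]]   # domain -> {role name -> DC name}


def check_role_placement(forest: Forest) -> List[str]:
    """Return one finding per guideline violation; an empty list means the
    placement follows the guidelines described in this section."""
    findings: List[str] = []
    domain_count = len({dc.domain for dc in forest.dcs.values()})

    # Guideline: leave both forest-level roles together on a DC in the forest root domain.
    for role, holder in (("schema master", forest.schema_master),
                         ("domain naming master", forest.domain_naming_master)):
        if forest.dcs[holder].domain != forest.root_domain:
            findings.append(f"{role} is on {holder}, outside the forest root domain "
                            f"{forest.root_domain}")
    if forest.schema_master != forest.domain_naming_master:
        findings.append("schema master and domain naming master are on different "
                        "domain controllers")

    for domain, roles in forest.domain_roles.items():
        # Guideline: keep the three domain-level roles on the same DC.
        holders = sorted(set(roles.values()))
        if len(holders) > 1:
            findings.append(f"{domain}: domain-level roles are split across "
                            f"{', '.join(holders)}")

        # Guideline: no infrastructure master on a GC, except when every DC in the
        # domain is a GC or the forest has a single domain (the two exceptions above).
        infra = forest.dcs[roles["infrastructure master"]]
        if infra.is_gc:
            all_gc = all(dc.is_gc for dc in forest.dcs.values() if dc.domain == domain)
            if not (all_gc or domain_count == 1):
                findings.append(f"{domain}: infrastructure master {infra.name} is a global "
                                f"catalog server while other domain controllers in "
                                f"{domain} are not")
    return findings


def sample_forest(well_placed: bool) -> Forest:
    """Constructed two-domain forest; every name here is made up for this example."""
    dcs = {
        "DC1": DomainController("DC1", "corp.example.com", is_gc=True),
        "DC2": DomainController("DC2", "corp.example.com", is_gc=False),
        "DC3": DomainController("DC3", "emea.corp.example.com", is_gc=True),
        "DC4": DomainController("DC4", "emea.corp.example.com", is_gc=False),
    }
    if well_placed:
        emea_roles = {role: "DC4" for role in DOMAIN_ROLES}
    else:
        # Infrastructure master split off onto the child domain's global catalog server.
        emea_roles = {"PDC emulator": "DC4", "RID master": "DC4",
                      "infrastructure master": "DC3"}
    return Forest(
        root_domain="corp.example.com",
        dcs=dcs,
        schema_master="DC1",
        domain_naming_master="DC1",
        domain_roles={
            "corp.example.com": {role: "DC2" for role in DOMAIN_ROLES},
            "emea.corp.example.com": emea_roles,
        },
    )


if __name__ == "__main__":
    for finding in check_role_placement(sample_forest(well_placed=False)):
        print("placement issue:", finding)
```

Populating the inventory from a live forest is left to the administrator (the role holders can be read with the procedures in Managing Operations Master Roles, and the global catalog setting from the NTDS Settings object as described earlier); the checker itself only needs the names, domains and global catalog flags.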

Domain-level role placement on a higher performance domain controller

Host the PDC emulator role on a powerful and reliable domain controller to ensure that it
is available and capable of handling the workload. Of all the operations master roles, the
PDC emulator creates the most overhead on the server that is hosting the role. It has the
most intensive daily interaction with other systems on the network. The PDC emulator
has the greatest potential to affect daily operations of the directory.

Domain controllers can become overloaded while attempting to service client requests on
the network, manage their own resources, and handle any specialized tasks such as
performing the various operations master roles. This is especially true of the domain
controller holding the PDC emulator role. Again, clients prior to Active Directory and
domain controllers running Windows NT 4.0 rely more heavily on the PDC emulator than
Active Directory clients and Windows 2000 Server domain controllers. If your networking
environment has clients and domain controllers prior to Active Directory, you might need
to reduce the workload of the PDC emulator.

If a domain controller begins to indicate that it is overloaded and its performance is
affected, you can reconfigure the environment so that some tasks are performed by other,
less-used domain controllers. By adjusting the domain controller’s weight in the DNS
environment, you can configure the domain controller to receive fewer client requests
than other domain controllers on your network. Optionally, you can adjust the domain
controller’s priority in the DNS environment so that it processes client requests only if
other DNS servers are unavailable. With fewer DNS client requests to process, the
domain controller can use more resources to perform operations master services for the
domain.

Guidelines for Role Transfer


Role transfer is the preferred method to move an operations master role from one domain
controller to another. During a role transfer, the two domain controllers replicate to ensure
that no information is lost. After the transfer completes, the previous role holder
reconfigures itself so that it no longer attempts to perform as the operations master while
the new domain controller assumes those duties. This prevents the possibility of duplicate
operations masters existing on the network at the same time, which can lead to
corruption in the directory.

Reasons for moving one or more operations master roles include inadequate service
performance, failure or decommissioning of a domain controller that hosts an operations
master role, and configuration changes made by an administrator.

Inadequate level of service

The PDC emulator is the operations master role that most impacts the performance of a
domain controller. For clients that do not run Active Directory client software, the PDC
emulator processes requests for password changes, replication, and user authentication.
While providing support for these clients, the domain controller continues to perform its
normal services, such as authenticating Active Directory–enabled clients. As the network
grows, the volume of client requests can increase the workload for the domain controller
that hosts the PDC emulator role and its performance can suffer. To solve this problem,
you can transfer all or some of the master operations roles to another, more powerful
domain controller. Alternately, you may choose to transfer the role to another domain
controller, upgrade the hardware on the original domain controller, and then transfer the
role back again.

Master operations role holder failure

In the event of a failure, you must decide if you need to relocate the operations master
roles to another domain controller or wait for the domain controller to be returned to
service. Base that determination on the role that the domain controller hosts and the
expected downtime.

Decommissioning of the domain controller

Before permanently taking a domain controller offline, transfer any operations master
roles held by the domain controller to another domain controller.
When you use the Active Directory Installation Wizard to decommission a domain
controller that currently hosts one or more operations master roles, the wizard reassigns
the roles to a different domain controller. When the wizard is run, it determines whether
the domain controller currently hosts any operations master roles. If it detects any
operations master roles, it queries the directory for other eligible domain controllers and
transfers the roles to a new domain controller. A domain controller is eligible to host the
domain-level roles if it is a member of the same domain. A domain controller is eligible to
host a forest-level role if it is a member of the same forest.

Configuration changes

Configuration changes to domain controllers or the network topology can result in the
need to transfer master operations roles. Except for the infrastructure master, you can
assign operations master roles to any domain controller regardless of any other tasks
that the domain controller performs. Do not host the infrastructure master role on a
domain controller that is also acting as a global catalog server unless all of the domain
controllers in the domain are global catalog servers or unless only one domain is in the
forest. If the domain controller hosting the infrastructure master role is configured to be a
global catalog server, you must transfer the infrastructure master role to another domain
controller. Changes to the network topology can result in the need to transfer operations
master roles in order to keep them in a particular site.

You can reassign an operations master role by transfer or, as a last resort, by seizure.

Important
If you must seize an operations master role, never reattach the previous role
holder to the network without following the procedures in this guide. Incorrectly
reattaching the previous role holder to the network can result in invalid data and
corruption of data in the directory.

Managing Operations Master Roles


Operations masters keep the directory functioning properly by performing specific tasks
that no other domain controllers are permitted to perform.

The following tasks for managing operations master roles are described in this objective:

• Designating a standby operations master

• Transferring an operations master role

• Seizing an operations master role

• Reducing the workload on the PDC emulator master


Designating a standby operations master
A standby operations master is a domain controller that you identify as the computer that
assumes the operations master role if the original computer fails. A single domain
controller can act as the standby operations master for all of the operations master roles
in a domain, or you can designate a separate standby for each operations master role.

No utilities or special steps are required to designate a domain controller as a standby
operations master. However, the current operations master and the standby should be
well connected. This means that the network connection between them must support at
least a 10-megabit transmission rate and be available at all times. In addition, configure
the current role holder and the standby as direct replication partners by manually creating
a Connection object between them.

Configuring a replication partner can save some time if you must reassign any operations
master roles to the standby operations master. Before transferring a role from the current
role holder to the standby operations master, ensure that replication between the two
computers is functioning properly. Because they are replication partners, the new
operations master is as updated as the original operations master, thus reducing the time
required for the transfer operation.

During role transfer, the two domain controllers exchange any unreplicated information to
ensure that no transactions are lost. If the two domain controllers are not direct
replication partners, a substantial amount of information might need to be replicated
before the domain controllers completely synchronize with each other. The role transfer
requires extra time to replicate the outstanding transactions. If the two domain controllers
are direct replication partners, fewer outstanding transactions exist and the role transfer
operation completes sooner.

Designating a domain controller as a standby also minimizes the risk of role seizure. By
making the operations master and the standby direct replication partners, you reduce the
chance of data loss in the event of a role seizure, thereby reducing the chances of
introducing corruption into the directory.

When you designate a domain controller as the standby, follow all recommendations that
are discussed in Guidelines for Role Placement in Introduction to Administering
Operations Master Roles. To designate a standby for the forest-level roles, choose a
global catalog server so it can interact more efficiently with the domain naming master. To
designate a standby for the domain-level roles, ensure that the domain controller is not a
global catalog server so that the infrastructure master continues to function properly if
you must transfer the roles.

Task Requirements
The following tools are required to perform the procedures for this task:

• Active Directory Sites and Services

• Repadmin.exe

To complete this task, perform the following procedures:

1. Determine whether a domain controller is a global catalog server

2. Create a connection object on the current operations master

3. Create a connection object on the standby operations master

4. Verify successful replication to a domain controller

Determine whether a domain controller is


a global catalog server
Use the setting on the NTDS Settings object to indicate whether a domain controller is
designated as a global catalog server.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Users group in Active
Directory.

To determine whether a domain controller is a global catalog server


1. Open Active Directory Sites and Services.

2. In the console tree, expand the Sites container, expand the site of the domain
controller you want to check, expand the Servers container, and then expand the
Server object.

3. Right-click the NTDS Settings object, and then click Properties.

4. On the General tab, if the Global Catalog box is selected, the domain controller
is designated as a global catalog server.

Create a connection object on the current operations master

To help ensure that the current role holder and the standby operations master are
replication partners, you can manually create a Connection object between the two
domain controllers. Even if a Connection object is generated automatically, it is
recommended that you manually create one. The system can alter automatically created
Connection objects at any time. Manually created connections remain the same until an
administrator changes them.

You must know the current operations master role holder to perform the following
procedure. To determine the current operations master role holders, see View the current
operations master role holders.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To create a connection object on the current operations master


1. Open Active Directory Sites and Services.

2. Expand the site name in which the standby operations master is located to
display the Servers folder.

3. Expand the Servers folder to see a list of the servers in that site.

4. Expand the name of the server that is currently hosting the operations master
role to display its NTDS Settings.

5. Right-click NTDS Settings, click New, and then click Connection.


6. In the Find Domain Controllers dialog box, select the name of the standby
operations master, and then click OK.

7. In the New Object-Connection dialog box, enter an appropriate name for the
Connection object or accept the default name, and click OK.

Create a connection object on the standby operations master

To help ensure that the current role holder and the standby operations master are
replication partners, you can manually create a Connection object between the two
domain controllers. Even if a Connection object is generated automatically, it is
recommended that you manually create one. The system can alter automatically created
Connection objects at any time. Manually created connections remain the same until an
administrator changes them.

Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To create a Connection object on the standby operations master


1. Open Active Directory Sites and Services.

2. Expand the site name in which the standby operations master is located to
display the Servers folder.

3. Expand the Servers folder to see a list of the servers in that site.

4. Expand the name of the server that you want to be the standby operations
master to display its NTDS Settings.

5. Right-click NTDS Settings, click New, and then click Connection.

6. In the Find Domain Controllers dialog box, select the name of the current role
holder, and then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the
Connection object or accept the default name, and click OK.

Verify successful replication to a domain controller

You can use the repadmin /showrepl command to verify successful replication to a
specific domain controller. If you are not running Repadmin on the domain controller
whose replication you are checking, you can specify a destination domain controller in
the command. Repadmin lists INBOUND NEIGHBORS for the current or specified
domain controller. INBOUND NEIGHBORS shows the distinguished name of each
directory partition for which inbound directory replication has been attempted, the site and
name of the source domain controller, and whether replication succeeded or not, as
follows:

• Last attempt @ YYYY-MM-DD HH:MM.SS was successful.

• Last attempt @ [Never] was successful.

If @ [Never] appears in the output for a directory partition, replication of that directory
partition has never succeeded from the identified source replication partner over the
listed connection.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in the
domain of the destination domain controller.

To verify successful replication to a domain controller


1. Open a Command Prompt.

2. Type the following command, and then press ENTER:

repadmin /showrepl servername /u:domainname\username /pw:*

Term         Definition

servername   Specifies the name of the destination domain controller.

domainname   Specifies the single-label name of the domain of the destination domain
             controller. (You do not have to use a fully qualified Domain Name System
             (DNS) name.)

username     Specifies the name of an administrative account in that domain.

3. When you are prompted for a password, type the password for the user account
that you provided, and then press ENTER.

You can also use Repadmin to generate the details of replication to and from all
replication partners in a spreadsheet. The spreadsheet displays data in the following
columns:

Showrepl_COLUMNS

Destination DC Site

Destination DC

Naming Context

Source DC Site

Source DC

Transport Type

Number of Failures

Last Failure Time

Last Success Time

Last Failure Status

The following procedure shows how to create this spreadsheet and set column headers
for improved readability.

To generate a repadmin /showrepl spreadsheet for all replication partners


1. Open a Command Prompt.

2. Type the following command, and then press ENTER:

repadmin /showrepl * /csv >showrepl.csv

3. Open Microsoft Excel.


4. On the File menu, click Open, navigate to showrepl.csv, and then click Open.

5. Hide or delete column A as well as the Transport Type column, as follows:

6. Select a column that you want to hide or delete.

 To hide the column, on the Format menu, click Column, and then click Hide.

Or

 To delete the column, right-click the selected column, and then click Delete.

7. Select row 1 beneath the column heading row, and then, on the Window menu,
click Freeze Panes.
8. Select the entire spreadsheet. On the Data menu, click Filter, and then click
AutoFilter.

9. In the Last Success Time column, click the down arrow, and then click Sort
Ascending.

10. In the Source DC column, click the down arrow, and then click Custom.

11. In the Custom AutoFilter dialog box, under Show rows where, click does not
contain. In the adjacent text box, type del to eliminate from view the results for
deleted domain controllers.

12. Repeat steps 10 and 11 for the Last Failure Time column, but select does not
equal and type the value 0, so that only partners that have recorded a failure remain
visible.
13. Resolve replication failures.

The last successful attempt should agree with the replication schedule for intersite
replication, or the attempt should be within the last hour for intrasite replication.

If Repadmin reports any of the following conditions, see Troubleshooting Active Directory
Replication Problems:

 The last successful intersite replication was prior to the last scheduled replication.

 The last intrasite replication was longer than one hour ago.

 Replication was never successful.

See Also
Troubleshooting Active Directory Replication Problems

Transferring an operations master role


When you create a new domain, the Active Directory Installation Wizard automatically
assigns all of the domain-level operations master roles to the first domain controller that
is created in that domain. When you create a new forest, the wizard also assigns the two
forest-level operations master roles to the first domain controller. After the domain is
created and functioning, you might transfer various operations master roles to different
domain controllers to optimize performance and simplify administration.

The transfer of forest-level and domain-level operations master roles is performed as
needed and is governed by the guidelines for placing operations master roles. Before you
transfer an operations master role, ensure that replication between the current role holder
and the domain controller assuming the role is updated.

In addition, you must determine whether the domain controller that you intend to assume
an operations master role is a global catalog server. The infrastructure master for each
domain must not be hosted on a global catalog server, unless every domain controller in
that domain is also a global catalog server (in that case the infrastructure master has no
cross-domain references to update, and its placement does not matter).

Do not change the global catalog configuration on the domain controller that you intend to
assume an operations master role unless your IT management authorizes that change.
Changing the global catalog configuration can cause changes that can take days to
complete, and the domain controller might not be available during that period. Instead,
transfer the operations master roles to a different domain controller that is already
properly configured.
Transferring to a standby ops master

By following the recommendations for operations master role placement, the standby
operations master is a direct replication partner and is ready to assume the roles.
Remember to designate a new standby for the domain controller that assumes the roles.

Transferring an ops master role when no standby is ready

If you do not follow the recommendations for role placement and you have not
designated a standby operations master, you must properly prepare a domain controller
to which you intend to transfer the operations master roles. Preparing the future role
holder is the same process as preparing a standby operations master. You must manually
create a Connection object to ensure that it is a replication partner with the current role
holder and that replication between the two domain controllers is updated.

In addition, you must determine whether the domain controller intended to assume an
operations master role is a global catalog server. The infrastructure master for each
domain must not be hosted on a global catalog server, unless every domain controller in
that domain is also a global catalog server.

Task Requirements

The following tools are required to perform the procedures for this task:

 Repadmin.exe

 Active Directory Sites and Services

 Active Directory Domains and Trusts

 Active Directory Schema snap-in

 Active Directory Users and Computers

 Ntdsutil.exe

To complete this task, perform the following procedures:


1. Verify successful replication to a domain controller

2. Determine whether a domain controller is a global catalog server

3. Install the Schema snap-in

4. Transfer the schema master

5. Transfer the domain naming master

6. Transfer the domain-level operations master roles

7. View the current operations master role holders

Verify successful replication to a domain controller
You can use the repadmin /showrepl command to verify successful replication to a
specific domain controller. If you are not running Repadmin on the domain controller
whose replication you are checking, you can specify a destination domain controller in
the command. Repadmin lists INBOUND NEIGHBORS for the current or specified
domain controller. INBOUND NEIGHBORS shows the distinguished name of each
directory partition for which inbound directory replication has been attempted, the site and
name of the source domain controller, and whether replication succeeded or not, as
follows:

 Last attempt @ YYYY-MM-DD HH:MM.SS was successful.

 Last attempt @ [Never] was successful.

If @ [Never] appears in the output for a directory partition, replication of that directory
partition has never succeeded from the identified source replication partner over the
listed connection.

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group in the
domain of the destination domain controller.

To verify successful replication to a domain controller


1. Open a Command Prompt.

2. Type the following command, and then press ENTER:

repadmin /showrepl servername /u:domainname\username /pw:*


Term         Definition

servername   Specifies the name of the destination domain controller.

domainname   Specifies the single-label name of the domain of the destination
             domain controller. (You do not have to use a fully qualified Domain
             Name System (DNS) name.)

username     Specifies the name of an administrative account in that domain.

3. When you are prompted for a password, type the password for the user account
that you provided, and then press ENTER.

You can also use Repadmin to generate the details of replication to and from all
replication partners in a spreadsheet. The spreadsheet displays data in the following
columns:

Showrepl_COLUMNS

Destination DC Site

Destination DC

Naming Context

Source DC Site

Source DC
Transport Type

Number of Failures

Last Failure Time

Last Success Time

Last Failure Status

The following procedure shows how to create this spreadsheet and set column headers
for improved readability.
To generate a repadmin /showrepl spreadsheet for all replication partners
1. Open a Command Prompt.

2. Type the following command, and then press ENTER:

repadmin /showrepl * /csv >showrepl.csv

3. Open Microsoft Excel.

4. On the File menu, click Open, navigate to showrepl.csv, and then click Open.

5. Hide or delete column A as well as the Transport Type column, as follows:

6. Select a column that you want to hide or delete.

 To hide the column, on the Format menu, click Column, and then click Hide.

Or

 To delete the column, right-click the selected column, and then click Delete.

7. Select row 1 beneath the column heading row, and then, on the Window menu,
click Freeze Panes.

8. Select the entire spreadsheet. On the Data menu, click Filter, and then click
AutoFilter.

9. In the Last Success Time column, click the down arrow, and then click Sort
Ascending.

10. In the Source DC column, click the down arrow, and then click Custom.

11. In the Custom AutoFilter dialog box, under Show rows where, click does not
contain. In the adjacent text box, type del to eliminate from view the results for
deleted domain controllers.

12. Repeat steps 10 and 11 for the Last Failure Time column, but select does not
equal and type the value 0, so that only partners that have recorded a failure remain
visible.

13. Resolve replication failures.

The last successful attempt should agree with the replication schedule for intersite
replication, or the attempt should be within the last hour for intrasite replication.

If Repadmin reports any of the following conditions, see Troubleshooting Active Directory
Replication Problems:

 The last successful intersite replication was prior to the last scheduled replication.

 The last intrasite replication was longer than one hour ago.

 Replication was never successful.


See Also
Troubleshooting Active Directory Replication Problems

Determine whether a domain controller is a global catalog server
Use the setting on the NTDS Settings object to indicate whether a domain controller is
designated as a global catalog server.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Users group in Active
Directory.

To determine whether a domain controller is a global catalog server


1. Open Active Directory Sites and Services.

2. In the console tree, expand the Sites container, expand the site of the domain
controller you want to check, expand the Servers container, and then expand the
Server object.

3. Right-click the NTDS Settings object, and then click Properties.

4. On the General tab, if the Global Catalog box is selected, the domain controller
is designated as a global catalog server.

Install the Schema snap-in


Use this procedure to install the Active Directory Schema snap-in.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.

To install the Active Directory Schema snap-in


1. Open a Command Prompt.
2. Type the following command and then press ENTER:

Regsvr32 schmmgmt.dll

This command will register schmmgmt.dll on your computer.

3. Click Start, click Run, type mmc /a, and then click OK.

4. On the File menu, click Add/Remove Snap-in, and then click Add.

5. Under Available Standalone Snap-ins, double-click Active Directory Schema,
click Close, and then click OK.

6. To save this console, on the File menu, click Save.

7. In Save in, point to the systemroot\system32 directory.


8. In File name, type schmmgmt.msc, and then click Save.

9. To create a shortcut on your Start menu:

a. Right-click Start, click Open All Users, double-click the Programs folder,
and then double-click the Administrative Tools folder.

b. On the File menu, point to New, and then click Shortcut.

c. In the Create Shortcut Wizard, in Type the location of the item, type
schmmgmt.msc, and then click Next.

d. On the Select a Title for the Program page, in Type a name for this
shortcut, type Active Directory Schema, and then click Finish.

Caution
Modifying the schema is an advanced operation best performed by experienced
programmers and system administrators. For detailed information about
modifying the schema, see the Active Directory programmer's Guide at the
Microsoft Web site.

Transfer the schema master


Use this procedure to transfer the schema operations master role. The schema master is
a forest-wide operations master role. Before you can use the Active Directory Schema
snap-in for the first time, you must register it with the system. If you have not yet
prepared the Active Directory Schema snap-in, see Install the Schema snap-in before
you begin this procedure.
Note
This procedure is performed by using the Microsoft Management Console
(MMC), although you can also transfer this role by using Ntdsutil.exe. For
information about using Ntdsutil.exe to transfer operations master roles, type ? at
the Ntdsutil.exe command prompt.

Administrative Credentials

To perform this procedure, you must be a Schema Administrator in Active Directory.

Transfer the schema master


1. Open the Active Directory Schema snap-in.

2. In the console tree, right-click Active Directory Schema, and click Change
Domain Controller.

3. In the Change Domain Controller dialog box, click Specify Name. Then, in the
text box, type the name of the server to which you want to transfer the schema
master role. Click OK.

4. In the console tree, right-click Active Directory Schema, and then click
Operations Master. The Change Schema Master box displays the name of the server
that is currently holding the role. The targeted domain controller is listed in the
second box.

5. Click Change. Click Yes to confirm your choice. The system confirms the
operation. Click OK again to confirm that the operation succeeded.

6. Click Close to close the Change Schema Master dialog box.

Note
Hosting the infrastructure master on a global catalog server is not
recommended unless every domain controller in the domain is a global
catalog server. If you attempt to transfer the infrastructure master role
(see Transfer the domain-level operations master roles) to a domain
controller that is a global catalog, the system displays a warning stating
that this is not recommended.

Transfer the domain naming master


Use this procedure to transfer the domain naming operations master role. The domain
naming master is a forest-wide operations master role.
Note
This procedure is performed by using the Microsoft Management Console
(MMC), although you can also transfer this role by using Ntdsutil.exe. For
information about using Ntdsutil.exe to transfer operations master roles, type ? at
the Ntdsutil.exe command prompt.

Administrative Credentials

To perform this procedure, you must be a member of the Enterprise Admins group in
Active Directory.

To transfer the domain naming master


1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click Active Directory Domains and Trusts, and then
click Connect to Domain Controller.

3. Ensure that the proper domain name is entered in the Domain box.

The available domain controllers from this domain are listed.

4. In the Name column, click the domain controller (to select it) to which you want to
transfer the role. Click OK.

5. Right-click Active Directory Domains and Trusts, and then click Operations
Master.

6. The name of the current domain naming master appears in the first text box. The
server to which you want to transfer the role should appear in the second text
box. If this is not the case, repeat steps 1 through 4.

7. Click Change. To confirm the role transfer, click Yes. Click OK again to close the
message box indicating the transfer took place. Click Close to close the Change
Operations Master dialog box.

Transfer the domain-level operations master roles
Use this procedure to transfer the three domain-level operations master roles: the PDC
emulator, the RID master, and the infrastructure master. You can transfer all of these
roles by using the Active Directory Users and Computers console.
Note
These procedures are performed by using MMC, although you can also transfer
these roles by using Ntdsutil.exe. For information about using Ntdsutil.exe to
transfer the operations master roles, type ? at the Ntdsutil.exe command prompt.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To transfer a domain-level operations master role


1. Open Active Directory Users and Computers.

2. At the top of the console tree, right-click Active Directory Users and
Computers. Click Connect to Domain Controller.

3. In the list of available domain controllers, click the name of the server to which
you want to transfer the role, and then click OK.

4. At the top of the console tree, right-click Active Directory Users and
Computers, point to All Tasks, and then click Operations Masters.

The name of the current operations master role holder appears in the
Operations master box. The name of the server to which you want to transfer
the role appears in the lower box.

5. Click the tab for the role you want to transfer: RID, PDC, or Infrastructure. Verify
the computer names that appear and then click Change. Click Yes to transfer the
role, and then click OK.

6. Repeat steps 4 and 5 for each role that you want to transfer.

View the current operations master role holders
After you transfer an operations master role, verify that the transfer succeeded. The new
role ownership is written to the directory on the new role holder and must replicate to the
other domain controllers before they all agree on who holds the role.

To view the current operations master role holders, use Ntdsutil.exe with the roles option.
This option displays a list of all current role holders.
Administrative Credentials

To perform this procedure, you must be logged on as a User or an Administrator.

To view the current operations master role holder


1. Click Start, click Run, type ntdsutil, and then press ENTER.

2. At the ntdsutil: prompt, type roles and press ENTER.

3. At the fsmo maintenance: prompt, type connections and press ENTER.

4. At the server connections: prompt, type connect to server servername (where
servername is the name of a domain controller that belongs to the domain
containing the operations masters), and then press ENTER.

5. After receiving confirmation of the connection, type quit and press ENTER to exit
this menu.

6. At the fsmo maintenance: prompt, type select operation target and press
ENTER.

7. At the select operations target: prompt, type list roles for connected server
and press ENTER.

The system responds with a list of the current roles and the Lightweight Directory
Access Protocol (LDAP) name of the domain controllers currently assigned to
host each role.

8. Type quit and press ENTER to exit each prompt in Ntdsutil.exe. Type quit and
press ENTER at the ntdsutil: prompt to close the window.

Seizing an operations master role


Role seizure is the act of assigning an operations master role to a new domain controller
without the cooperation of the current role holder (usually because it is offline due to a
hardware failure). During role seizure, a new domain controller assumes the operations
master role without communicating with the current role holder.

Role seizure can create two conditions that can cause problems in the directory. It is for
this reason that role seizure should be performed only as a last resort. First, the new role
holder starts performing its duties based on the data located in its current directory
partition. The new role holder might not receive changes that were made to the previous
role holder before it went offline if replication did not complete prior to the time when the
original role holder went offline. This can cause data loss or introduce data inconsistency
into the directory database.

To minimize the risk of losing data to incomplete replication, do not perform a role seizure
until enough time has passed to complete at least one complete end-to-end replication
cycle across your network. Allowing enough time for complete end-to-end replication
ensures that the domain controller that assumes the role is as up-to-date as possible.

Second, the original role holder is not informed that it is no longer the operations master
role holder, which is not a problem if the original role holder stays offline. However, if it
comes back online (for example, if the hardware is repaired or the server is restored from
a backup), it might try to perform the operations master role that it previously owned. This
can result in two domain controllers performing the same operations master role
simultaneously. Depending on the role that was seized, the severity of duplicate
operations master roles varies from no visible effect to potential corruption of the Active
Directory database. For this reason, after you seize the schema master, domain naming
master, or RID master role, do not reconnect the former role holder to the network;
remove Active Directory from it, or reinstall it, while it is still disconnected. Seize the
operations master role to a domain controller that has the most recent updates from the
current role holder to minimize the impact of the role seizure.

Task Requirements

 Repadmin.exe

 Ntdsutil.exe

To complete this task, perform the following procedures:

1. Verify successful replication to a domain controller

This needs to be the domain controller that will be seizing the role.

2. Seize the operations master role

3. View the current operations master role holders

Verify successful replication to a domain controller
You can use the repadmin /showrepl command to verify successful replication to a
specific domain controller. If you are not running Repadmin on the domain controller
whose replication you are checking, you can specify a destination domain controller in
the command. Repadmin lists INBOUND NEIGHBORS for the current or specified
domain controller. INBOUND NEIGHBORS shows the distinguished name of each
directory partition for which inbound directory replication has been attempted, the site and
name of the source domain controller, and whether replication succeeded or not, as
follows:

 Last attempt @ YYYY-MM-DD HH:MM.SS was successful.

 Last attempt @ [Never] was successful.

If @ [Never] appears in the output for a directory partition, replication of that directory
partition has never succeeded from the identified source replication partner over the
listed connection.

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group in the
domain of the destination domain controller.

To verify successful replication to a domain controller


1. Open a Command Prompt.

2. Type the following command, and then press ENTER:

repadmin /showrepl servername /u:domainname\username /pw:*

Term         Definition

servername   Specifies the name of the destination domain controller.

domainname   Specifies the single-label name of the domain of the destination
             domain controller. (You do not have to use a fully qualified Domain
             Name System (DNS) name.)

username     Specifies the name of an administrative account in that domain.

3. When you are prompted for a password, type the password for the user account
that you provided, and then press ENTER.

You can also use Repadmin to generate the details of replication to and from all
replication partners in a spreadsheet. The spreadsheet displays data in the following
columns:

Showrepl_COLUMNS
Destination DC Site

Destination DC

Naming Context

Source DC Site

Source DC

Transport Type

Number of Failures

Last Failure Time

Last Success Time


Last Failure Status

The following procedure shows how to create this spreadsheet and set column headers
for improved readability.

To generate a repadmin /showrepl spreadsheet for all replication partners


1. Open a Command Prompt.

2. Type the following command, and then press ENTER:

repadmin /showrepl * /csv >showrepl.csv

3. Open Microsoft Excel.

4. On the File menu, click Open, navigate to showrepl.csv, and then click Open.

5. Hide or delete column A as well as the Transport Type column, as follows:

6. Select a column that you want to hide or delete.


 To hide the column, on the Format menu, click Column, and then click Hide.

Or

 To delete the column, right-click the selected column, and then click Delete.

7. Select row 1 beneath the column heading row, and then, on the Window menu,
click Freeze Panes.

8. Select the entire spreadsheet. On the Data menu, click Filter, and then click
AutoFilter.

9. In the Last Success Time column, click the down arrow, and then click Sort
Ascending.
10. In the Source DC column, click the down arrow, and then click Custom.

11. In the Custom AutoFilter dialog box, under Show rows where, click does not
contain. In the adjacent text box, type del to eliminate from view the results for
deleted domain controllers.

12. Repeat steps 10 and 11 for the Last Failure Time column, but select does not
equal and type the value 0, so that only partners that have recorded a failure remain
visible.

13. Resolve replication failures.

The last successful attempt should agree with the replication schedule for intersite
replication, or the attempt should be within the last hour for intrasite replication.

If Repadmin reports any of the following conditions, see Troubleshooting Active Directory
Replication Problems:

 The last successful intersite replication was prior to the last scheduled replication.

 The last intrasite replication was longer than one hour ago.

 Replication was never successful.
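The spreadsheet steps above (filter out deleted partners, sort by last success, flag never-replicated and stale connections) can be applied directly to the saved showrepl.csv. The following script is an added example and not part of this guide or of Repadmin; it is the same check for every place this procedure is repeated. It reads the columns the procedure lists, treats a Last Success Time of 0 as "never" (an assumption about how Repadmin writes the CSV), uses the one-hour intrasite rule from the text, and takes the intersite schedule as a parameter. The CSV rows and the "current time" are constructed for illustration only.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of "repadmin /showrepl * /csv" output for this example only;
# the column names are the ones listed above, the values are invented.
# DC5 stands in for a deleted domain controller (a source name containing "DEL:").
SAMPLE_CSV = '''showrepl_COLUMNS,Destination DC Site,Destination DC,Naming Context,Source DC Site,Source DC,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC1,"DC=contoso,DC=com",HQ,DC2,RPC,0,0,2006-07-10 09:12:34,0
showrepl_INFO,HQ,DC1,"CN=Configuration,DC=contoso,DC=com",Branch,DC3,RPC,4,2006-07-10 08:00:12,2006-07-09 23:00:00,1722
showrepl_INFO,HQ,DC1,"CN=Schema,CN=Configuration,DC=contoso,DC=com",HQ,DC4,RPC,12,2006-07-10 09:00:00,0,8524
showrepl_INFO,HQ,DC1,"DC=contoso,DC=com",HQ,DC5\\0ADEL:7f1e2c3a-1111-2222-3333-444455556666,RPC,30,2006-07-10 09:00:00,2006-06-01 00:00:00,1256
'''

# The "current time" used to assess the sample; a real run would use datetime.now().
SAMPLE_NOW = datetime(2006, 7, 10, 9, 30, 0)

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
INTRASITE_MAX_AGE = timedelta(hours=1)   # intrasite replication should succeed at least hourly


def parse_time(value):
    """Return a datetime, or None when Repadmin reports no timestamp.
    Assumption: a never-succeeded or never-failed attempt is written as 0 (or empty)."""
    value = value.strip()
    if value in ("", "0"):
        return None
    return datetime.strptime(value, TIME_FORMAT)


def assess_row(row, now, intersite_max_age=timedelta(hours=3)):
    """Flag one inbound connection the way the procedure above does by hand."""
    flags = []
    intrasite = row["Source DC Site"] == row["Destination DC Site"]
    max_age = INTRASITE_MAX_AGE if intrasite else intersite_max_age
    last_success = parse_time(row["Last Success Time"])
    if last_success is None:
        flags.append("never")        # replication has never succeeded over this connection
    elif now - last_success > max_age:
        flags.append("stale")        # last success is older than the expected schedule
    if int(row["Number of Failures"]) > 0:
        flags.append("failing")      # non-zero failure count / Last Failure Time
    return flags


def replication_report(text, now, intersite_max_age=timedelta(hours=3), ignore_deleted=True):
    """Return the connections that need attention, oldest last success first.
    Set intersite_max_age to the replication interval of your site links."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        if ignore_deleted and "DEL:" in row["Source DC"].upper():
            continue                 # same as the "does not contain del" filter above
        flags = assess_row(row, now, intersite_max_age)
        if flags:
            findings.append({
                "source": row["Source DC"],
                "naming_context": row["Naming Context"],
                "last_success": row["Last Success Time"],
                "last_failure_status": row["Last Failure Status"],
                "flags": flags,
            })
    findings.sort(key=lambda f: f["last_success"])   # "0" (never) sorts before any timestamp
    return findings


if __name__ == "__main__":
    for finding in replication_report(SAMPLE_CSV, SAMPLE_NOW):
        print(finding)
```

Run it against a real showrepl.csv by reading the file into the text argument and passing datetime.now(); any row it returns is one of the conditions listed above and should be taken to Troubleshooting Active Directory Replication Problems.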

See Also
Troubleshooting Active Directory Replication Problems

Seize the operations master role


The Ntdsutil.exe command-line tool allows you to transfer and seize any operations
master role. You must use Ntdsutil.exe to seize the schema master, domain naming
master, and RID master roles. When you use Ntdsutil.exe to seize an operations master
role, it first attempts a transfer from the current role owner. If the current role owner is
unavailable, it performs the seizure.

When using Ntdsutil.exe to seize an operations master role, the procedure is nearly
identical for all roles. For more information about using Ntdsutil.exe, type ? at the
Ntdsutil.exe command prompt.

Administrative Credentials

To perform this procedure, you must be a member of the group that the role requires: the
Domain Admins group for the domain-level roles, the Enterprise Admins group for the
domain naming master, or the Schema Admins group for the schema master.
To seize an operations master role
1. Click Start, click Run, type ntdsutil, and then press ENTER.

2. At the ntdsutil: prompt, type roles and press ENTER.

3. At the fsmo maintenance: prompt, type connections and press ENTER.

4. At the server connections: prompt, type connect to server servername (where
servername is the name of the domain controller that will assume the operations
master role), and then press ENTER.

5. After you receive confirmation of the connection, type quit and press ENTER.

6. Depending on the role you want to seize, at the fsmo maintenance: prompt,
type the appropriate command and press ENTER.

Role                    Credentials         Command

Domain naming master    Enterprise Admins   Seize domain naming master

Schema master           Schema Admins       Seize schema master

Infrastructure master   Domain Admins       Seize infrastructure master

PDC emulator            Domain Admins       Seize pdc

RID master              Domain Admins       Seize rid master

The system asks for confirmation. It then attempts to transfer the role. When the
transfer fails, some error information appears and the system proceeds with the
seizure. After the seizure is complete, a list of the roles and the LDAP name of
the server that currently holds each role appears.

During seizure of the RID master, the domain controller that is assuming the role (the
server you connected to) attempts to synchronize with its replication partners before the
seizure, so that it starts from the most recent RID pool information. If it cannot establish
a connection with a replication partner during the seizure operation, Ntdsutil.exe
displays a warning and asks you to confirm that you want the role seizure to proceed.
Click Yes to proceed.

7. Type quit and press ENTER. Type quit again and press ENTER to exit
Ntdsutil.exe.
View the current operations master role holders
After you transfer or seize an operations master role, verify that the change succeeded.
The new role ownership is written to the directory on the new role holder and must
replicate to the other domain controllers before they all agree on who holds the role.

To view the current operations master role holders, use Ntdsutil.exe with the roles option.
This option displays a list of all current role holders.

Administrative Credentials
To perform this procedure, you must be logged on as a User or an Administrator.

To view the current operations master role holder


1. Click Start, click Run, type ntdsutil, and then press ENTER.

2. At the ntdsutil: prompt, type roles and press ENTER.

3. At the fsmo maintenance: prompt, type connections and press ENTER.

4. At the server connections: prompt, type connect to server servername (where
servername is the name of a domain controller that belongs to the domain
containing the operations masters), and then press ENTER.

5. After receiving confirmation of the connection, type quit and press ENTER to exit
this menu.

6. At the fsmo maintenance: prompt, type select operation target and press
ENTER.

7. At the select operations target: prompt, type list roles for connected server
and press ENTER.

The system responds with a list of the current roles and the Lightweight Directory
Access Protocol (LDAP) name of the domain controllers currently assigned to
host each role.

8. Type quit and press ENTER to exit each prompt in Ntdsutil.exe. Type quit and
press ENTER at the ntdsutil: prompt to close the window.
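The menu walk above (and the matching one in Transfer the schema master, Transfer the domain naming master and the seize procedure) can be scripted, because Ntdsutil.exe accepts each menu command as a command-line argument. The following is an added example, not part of this guide or of Ntdsutil.exe: it builds the argument list for the listing above, parses the resulting "Role - distinguished name" lines into the server that holds each role, confirms that a transfer or seizure landed where you intended, and checks the infrastructure master against the global catalog rule from Transferring an operations master role using the options attribute of each NTDS Settings object (bit 0x1 marks a global catalog server). The listing, server names and options values are constructed for the example; the exact line layout of the listing is an assumption you should confirm against your own output.

```python
import re

# Roles as Ntdsutil.exe names them in "list roles for connected server" output,
# mapped to the names used in this guide.
ROLE_NAMES = {
    "Schema": "schema master",
    "Domain": "domain naming master",
    "PDC": "PDC emulator",
    "RID": "RID master",
    "Infrastructure": "infrastructure master",
}

# Bit in the "options" attribute of an NTDS Settings object that marks a global catalog server.
NTDSDSA_OPT_IS_GC = 0x1

# Constructed sample of the listing the procedure above produces (servers and forest
# are invented). Each role line is assumed to read "Role - <NTDS Settings DN>".
SAMPLE_LISTING = '''Server "DC1" knows about 5 roles
Schema - CN=NTDS Settings,CN=DC1,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com
Domain - CN=NTDS Settings,CN=DC1,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com
PDC - CN=NTDS Settings,CN=DC2,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com
RID - CN=NTDS Settings,CN=DC2,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com
Infrastructure - CN=NTDS Settings,CN=DC3,CN=Servers,CN=Branch,CN=Sites,CN=Configuration,DC=contoso,DC=com
'''

ROLE_LINE = re.compile(r"^(Schema|Domain|PDC|RID|Infrastructure) - (CN=NTDS Settings,CN=([^,]+),.+)$")


def ntdsutil_list_roles_args(server):
    """Argument list that runs steps 2 through 8 of the procedure above in one
    non-interactive Ntdsutil.exe call (each argument is one menu command)."""
    return [
        "ntdsutil", "roles", "connections",
        f"connect to server {server}", "quit",
        "select operation target", "list roles for connected server",
        "quit", "quit", "quit",
    ]


def parse_role_listing(text):
    """Map each role to the NTDS Settings DN of its holder and the holder's server name
    (the second RDN of the DN)."""
    roles = {}
    for line in text.splitlines():
        match = ROLE_LINE.match(line.strip())
        if match:
            role, dn, server = match.groups()
            roles[role] = {"dn": dn, "server": server}
    return roles


def verify_transfer(roles, role, expected_server):
    """True when the directory reports expected_server as the holder of role."""
    holder = roles.get(role)
    return holder is not None and holder["server"].lower() == expected_server.lower()


def check_infrastructure_master(roles, ntds_options_by_server):
    """Return a warning when the infrastructure master is a global catalog server while
    some other domain controller is not; ntds_options_by_server maps each server name
    to the 'options' value of its NTDS Settings object. Returns None when placement is fine."""
    holder = roles.get("Infrastructure")
    if holder is None:
        return "infrastructure master holder unknown"
    is_gc = {s: bool(o & NTDSDSA_OPT_IS_GC) for s, o in ntds_options_by_server.items()}
    if is_gc.get(holder["server"]) and not all(is_gc.values()):
        return (f"{holder['server']} holds the {ROLE_NAMES['Infrastructure']} and is a "
                "global catalog server while other domain controllers are not")
    return None


if __name__ == "__main__":
    print(" ".join(f'"{a}"' for a in ntdsutil_list_roles_args("DC1")))
    holders = parse_role_listing(SAMPLE_LISTING)
    for role, info in holders.items():
        print(f"{ROLE_NAMES[role]:22} {info['server']}")
    print(check_infrastructure_master(holders, {"DC1": 1, "DC2": 0, "DC3": 0}))
```

On a domain controller, pass the list from ntdsutil_list_roles_args to subprocess.run with capture_output=True and feed its stdout to parse_role_listing; run it against more than one domain controller to see that the new ownership has replicated, which is the check the paragraph above asks for.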
Reducing the workload on the PDC emulator master
In addition to processing the normal domain controller load from clients, the PDC
emulator must also process password changes and the other requests that only the PDC
emulator handles. To offset some of the load that normal client traffic causes, you can
steer client requests away from the PDC emulator so that they are distributed to other
domain controllers that are capable of processing them.

You can configure DNS so that a domain controller is queried less frequently than others.
Reducing the number of client requests helps reduce the workload on a domain
controller, giving it more time to function as an operations master, and is especially
important for the PDC emulator. Of all the operations master roles, the PDC role has the
highest impact on the domain controller hosting that role.

To receive information from the domain, a client uses DNS to locate a domain controller
and then sends the request to that domain controller. By default, DNS performs
rudimentary load balancing and randomizes the distribution of client requests so they are
not always sent to the same domain controller. If too many client requests are sent to a
domain controller while it attempts to perform other duties, such as those of the PDC
emulator, it can become overloaded, which has a negative impact on performance. To
reduce the number of client requests that are processed by the PDC emulator, you can
adjust its weight or its priority in the DNS environment.

Adjusting the Weight for DNS SRV Records in the Registry
Adjusting the weight of a domain controller to a value less than that of other domain
controllers reduces the number of clients that DNS refers to that domain controller. The
value is stored in the LdapSrvWeight registry entry. The default value is 100, but it can
range from 0 through 65535. By reducing this value, DNS refers clients to a domain
controller less frequently based on the proportion of this value to the value of other
domain controllers. For example, to configure the system so that the domain controller
hosting the PDC emulator role receives requests only half as many times as the other
domain controllers, configure the weight of the domain controller hosting the PDC
emulator role to be 50. DNS determines the weight ratio for that domain controller to be
50/100 (50 for that domain controller and 100 for the other domain controllers). After you
reduce this ratio to 1/2, DNS refers clients to the other domain controllers twice as often
as it refers to the domain controller with the reduced weight setting. By reducing client
referrals, the domain controller receives fewer client requests and has more resources for
other tasks, such as performing the role of PDC emulator.
Adjusting the Priority for DNS SRV Records in
the Registry
Adjusting the priority of the domain controller also reduces the number of client referrals.
However, rather than reducing it proportionally to the other domain controllers, changing
the priority causes DNS to stop referring all clients to this domain controller unless all
domain controllers with a lower priority setting are unavailable.

To prevent clients from sending all requests to a single domain controller, the domain
controllers are assigned a priority value. Clients always send requests to the domain
controllers that have the lowest priority value. If more than one domain controller has the
same value, the clients choose randomly from the group of domain controllers with that
value, in proportion to their weights. Only if no domain controller with the lowest priority
value is available do the clients send requests to the domain controllers with the next
higher priority value (that is, the next lower priority).

A domain controller's priority value is stored in its registry. When the domain controller
starts, the Net Logon service registers with the DNS server. The priority value is
registered with the rest of its DNS information. When a client uses DNS to discover a
domain controller, the priority for a given domain controller is returned to the client with
the rest of the DNS information. The client uses the priority value to help determine to
which domain controller to send requests.

The value is stored in the LdapSrvPriority registry entry. The default value is 0, but it can
range from 0 through 65535.

Note
A lower value entered for LdapSrvPriority indicates a higher priority. A domain
controller with an LdapSrvPriority setting of 100 has a lower priority than a
domain controller with a setting of 10. Therefore, clients attempt to use the
domain controller with the setting of 100 first.
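
The weight and priority rules described in the two sections above can be made concrete with a short simulation of the client-side selection. The following Python script is an added example, not part of this guide or of Windows itself: it models how a client picks a target from the _ldap._tcp SRV records using the priority and weight values that Net Logon registers from LdapSrvPriority and LdapSrvWeight. The record sets and host names are constructed for illustration.

```python
"""Simulate how a DNS client chooses a domain controller from the _ldap._tcp
SRV records, using the priority and weight values that Net Logon registers
from LdapSrvPriority and LdapSrvWeight. Added example: the record sets below
are constructed and the host names are placeholders."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    target: str    # domain controller host name (placeholder)
    priority: int  # LdapSrvPriority: the lowest value is tried first (default 0)
    weight: int    # LdapSrvWeight: share of referrals within one priority (default 100)


def select_target(records, available, rng):
    """Return the domain controller a client would contact, or None.

    Only records whose target is reachable are considered. The client uses
    the lowest priority value present; within that group each record is
    chosen with probability weight / sum(weights), so a controller weighted
    50 next to one weighted 100 is referred half as often as the other.
    """
    candidates = [r for r in records if r.target in available]
    if not candidates:
        return None
    lowest = min(r.priority for r in candidates)
    group = [r for r in candidates if r.priority == lowest]
    total = sum(r.weight for r in group)
    if total == 0:
        return rng.choice(group).target  # all weights 0: plain random choice
    pick = rng.randrange(total)         # 0 .. total-1
    running = 0
    for record in group:
        running += record.weight
        if pick < running:
            return record.target
    return group[-1].target


def referral_shares(records, available, trials=10000, seed=1):
    """Fraction of simulated client referrals that each target receives."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        target = select_target(records, available, rng)
        counts[target] = counts.get(target, 0) + 1
    return {target: n / trials for target, n in counts.items()}


# Constructed: DC1 hosts the PDC emulator role and has LdapSrvWeight set to
# 50; DC2 keeps the default weight of 100. Both keep the default priority 0.
WEIGHTED = [
    SrvRecord("dc1.contoso.com", priority=0, weight=50),
    SrvRecord("dc2.contoso.com", priority=0, weight=100),
]

# Constructed: DC1 given LdapSrvPriority 100 instead, so clients use it only
# when every priority-0 controller is unreachable.
PRIORITIZED = [
    SrvRecord("dc1.contoso.com", priority=100, weight=100),
    SrvRecord("dc2.contoso.com", priority=0, weight=100),
    SrvRecord("dc3.contoso.com", priority=0, weight=100),
]

if __name__ == "__main__":
    everyone = {r.target for r in PRIORITIZED}
    print("weight 50 vs 100:", referral_shares(WEIGHTED, everyone))
    print("priority, all up:", referral_shares(PRIORITIZED, everyone))
    print("priority, only DC1 up:", referral_shares(PRIORITIZED, {"dc1.contoso.com"}))
```

Running the script shows the weighted controller receiving roughly one third of referrals (the 50/100 ratio), the priority-100 controller receiving none while any priority-0 controller is reachable, and all referrals when it is the only one left. Changing the registry values on a real domain controller changes only what Net Logon registers; how often clients arrive is decided by this selection on the client side, which is why the guide describes weight as proportional and priority as all-or-nothing.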

Task Requirements

The following tool is required to perform the procedures for this task:

 Regedit.exe

To complete this task, perform the following procedures:

1. Change the weight for DNS SRV records in the registry

2. Change the priority for DNS SRV records in the registry


Change the weight for DNS SRV records in the registry
Use this procedure to reduce the workload on the PDC emulator master by changing the
weight for DNS SRV records in the registry.

Caution
The Registry Editor bypasses standard safeguards, allowing settings that can
damage your system or even require you to reinstall Windows. If you must edit
the registry, back up system state first. For information about backing up system
state, see Administering Active Directory Backup and Restore.
Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To change the weight for DNS SRV records in the registry


1. Click Start, click Run, type regedit and then press ENTER.

2. In the Registry Editor, navigate to


HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

3. Click Edit, click New, and then click DWORD value.

4. For the new value name, type LdapSrvWeight, and press ENTER.

5. Double-click the value name that you just typed to open the Edit DWORD Value
dialog box.

6. Enter a value from 0 through 65535. The default value is 100.


7. Choose Decimal as the Base option, and then click OK.

8. Click File, and then click Exit to close the Registry Editor.
Change the priority for DNS SRV records in the registry
Use this procedure to reduce the workload on the PDC emulator master by changing the
priority for DNS SRV records in the registry.

Caution
The Registry Editor bypasses standard safeguards, allowing settings that can
damage your system or even require you to reinstall Windows. If you must edit
the registry, back up system state first. For information about backing up system
state, see Administering Active Directory Backup and Restore.
Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To change the priority for DNS SRV records in the registry


1. Click Start, click Run, type regedit and then press ENTER.

2. In the Registry Editor, navigate to


HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

3. Click Edit, click New, and then click DWORD value.

4. For the new value name, type LdapSrvPriority, and press ENTER.

5. Double-click the value name that you just typed to open the Edit DWORD Value
dialog box.

6. Enter a value from 0 through 65535. The default value is 0.


7. Choose Decimal as the Base option, and then click OK.

8. Click File, and then click Exit to close the Registry Editor.
Administering Active Directory Backup and Restore
This Administering Active Directory Backup and Restore guide provides administering
information for Active Directory backup and restore in the Microsoft Windows Server 2003
operating system.

In this guide

 Introduction to Administering Active Directory Backup and Restore

 Managing Active Directory Backup and Restore


Acknowledgements

Produced by: Microsoft Windows Server User Assistance team

Writer: Mary Hillman

Editor: Jim Becker

Introduction to Administering Active Directory Backup and Restore
Active Directory backup must be incorporated into your operations schedule for a set of
domain controllers that you identify and on which you perform routine backup operations.

Active Directory restore is not performed routinely as an operations task; it is performed
only when indicated by a failure or other condition from which a domain controller can
recover only by restoring the directory to a previous state.

System State Components


Active Directory is backed up as part of system state, a collection of system components
that depend on each other. All system state components must be backed up and restored
together.

The system state components on a domain controller include the following:

 System startup (boot) files. These files are required for Windows Server 2003 to start.

 System registry
 Class registration database of component services. The Component Object Model
(COM) is a binary standard for writing component software in a distributed systems
environment.

 System volume (SYSVOL). SYSVOL provides a default location for files that must be
shared for common access throughout a domain. The SYSVOL folder on a domain
controller contains the following:

 Net Logon shared folders. These folders usually host user logon scripts and
policy settings for network clients that are running pre–Windows 2000 operating
systems.

 User logon scripts for Active Directory–enabled clients


 System policies

 Group Policy settings

 File system junctions

 File Replication service (FRS) staging directories and files that are required to be
available and synchronized between domain controllers

 Active Directory, including the following:

 The Active Directory database (Ntds.dit)

 The checkpoint file (Edb.chk)

 The transaction logs, each 10 megabytes (MB) in size (Edb*.log)

 Reserved transaction logs (Res1.log and Res2.log)

If you installed Windows Clustering or Certificate Services on your domain controller, they
are also backed up as part of system state. Details of these components are not
discussed in this guide.

Purpose of Performing Regular Backups


You need a current, verified, and reliable backup to:

 Restore Active Directory data that becomes lost. By using an authoritative restore
process, you can restore individual objects or sets of objects (containers or directory
partitions) from their deleted state.

 Recover a domain controller that cannot start up or operate normally because of
software failure or hardware failure.
 Install Active Directory from backup media (using the dcpromo /adv command). You
can use this installation option of Dcpromo to install Active Directory on a server
running Windows Server 2003 to make that server an additional domain controller.
Use this method to quickly add a domain controller to a domain that has a large
database or that is located in sites that are separated by slow network links.

 Perform a forest recovery if forest-wide failure occurs.

Restore Requirements and Recommendations


The tombstone lifetime value in an Active Directory forest defines the default number of
days that a domain controller preserves knowledge of deleted objects. This value also
defines the useful life of a system state backup that is used for disaster recovery or
installation from backup media. Active Directory protects itself from restoring data that is
older than the tombstone lifetime by disallowing the restore.

Important
You should not modify system clocks in an attempt to improperly extend the
useful life of a system state backup.

System state restore should be undertaken as a last resort, not as the primary method of
recovering from an error or failure condition.

Backup Guidelines
The following guidelines for backup include the performance of appropriate backups to
ensure redundancy of Active Directory data:

 Perform normal backup. Normal backup is the only type of backup that is available
and supported for Active Directory. The Backup tool in Windows Server 2003
supports multiple types of backup: normal, copy, incremental, differential, and daily.
You must use normal backup because Active Directory is backed up as part of
system state.

 Perform daily backups of each unique partition on at least two unique domain
controllers, with special emphasis on single-domain controller forests, single-domain
controller domains, and empty root domains.

 Where partitions exist in only one site, you can ship backup files offsite to a secure
location so that no backup file of a unique directory partition exists in only one
physical site at any point in time. This provides an extra level of redundancy.

 Make sure your backups are stored in a secure location at all times.
 Back up Domain Name System (DNS) zones. You must be aware of the location of
DNS zones and back up DNS servers accordingly. If you use Active Directory-
integrated DNS, DNS zone data is captured as part of system state on domain
controllers that are also DNS servers.

If you do not use Active Directory-integrated DNS, you must back up the zone file
directories on a representative set of DNS servers for each DNS zone to ensure fault
tolerance for the zone.

Note
The DNS server stores settings in the registry, so system state backup is
required for DNS regardless of whether the zone data is Active Directory-
integrated or stored in the file system.
 If you have application partitions in your forest, make sure that you take a backup of
the domain controllers that hold those application partitions.

 Create additional backups in every geographic location where:

 Mission-critical work is performed.

 A wide area network (WAN) outage would disrupt business.

 The elapsed time that it takes to perform either of the following tasks would be
cost-prohibitive because of slow link speeds, the size of the directory database,
or both:

To create a domain controller in its intended domain over the network.

Or

To copy or transport a system state backup from a site where a backup exists to
a site that has no backup, for the purpose of performing an installation from
backup media.

Note
A backup can be used to restore only the domain controller on which the backup
was generated or to create a new additional domain controller in the same
domain by installing from backup media. A backup cannot be used to restore a
different domain controller or to restore a domain controller onto different
hardware. Likewise, a backup that is made on a domain controller running
Windows 2000 Server cannot be used to restore a domain controller running
Windows Server 2003.
Backup Frequency
Backup frequency depends on criteria that vary for individual environments. In most
Active Directory environments, users, computers, and administrators make daily changes
to directory objects. For example, computer accounts, including domain controller
accounts, change their passwords every 30 days by default. Therefore, every day a
percentage of computer passwords changes for domain controllers. Rolling the computer
password of a domain controller back to a former state affects authentication and
replication. A percentage of user passwords might also expire on a daily basis, and if they
are lost as a result of domain controller failure, they must be reset manually. Generally,
no record of these changes exists except in Active Directory. Therefore, the more
frequently you back up domain controllers, the fewer problems you will encounter if you
need to restore.

The more Active Directory objects and domain controllers you have, the more frequent
your backups should be. For example, in a large organization, to recover from the
inadvertent deletion of a large organizational unit (OU) by restoring the domain from a
backup that is days or weeks old, you might have to re-create hundreds of accounts that
were created in that OU since the backup was taken. To avoid re-creating accounts and
potentially performing large numbers of manual password resets, ensure that recent
system state backups are always available to recover recent Create, Modify, and Delete
operations.

Frequency Criteria
Use the following criteria to assess backup frequency:

 Small environments with a single domain controller in the forest, or domains that exist
in a single physical location (that is, that have a single point of failure): create
backups at least daily.

 Medium (10 to 49 domain controllers) and large environments (50 to 1,000 or more
domain controllers): Create backups of each unique directory partition in the forest on
two different computers at least daily with an emphasis on backing up application
directory partitions, empty root domains, domain partitions in a single geographic site,
and sites that have large populations of users or that host mission-critical work.

Make backups with increasing frequency until you are confident that if you were to lose
the objects that were created or modified since the last backup, the loss would not create
an operational disruption. For this reason, major changes to the environment should
always be immediately followed by a new system state backup.
Note
It is always recommended that you have at least two domain controllers in each
domain of your Active Directory forest.

Immediate Backup
In addition to regularly scheduled backups, perform an immediate backup when:

 You have moved the Active Directory database, log files, or both to a different
location on a disk.

 A domain controller is upgraded from Windows 2000 Server to Windows Server 2003
or there are any other operating system upgrades.
 A Service Pack is installed.

 A hotfix is installed that makes changes to the Active Directory database.

 A current backup is required for installing from backup media for a new domain
controller.

 The tombstone lifetime is changed administratively.

Backup Latency Interval


On domain controllers running Windows Server 2003 with Service Pack 1 (SP1), a new
event message, event ID 2089, provides the backup status of each directory partition that
a domain controller stores, including application directory partitions. Specifically, event
ID 2089 is logged in the Directory Service event log when partitions in the
Active Directory forest are not backed up with sufficient frequency, that is, within a backup
latency interval. The value for the backup latency interval is stored as a REG_DWORD
value in the Backup Latency Threshold (days) entry in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.

By default, the value of Backup Latency Threshold (days) is half the value of the
tombstone lifetime of the forest. If halfway through the tombstone lifetime a directory
partition has not been backed up, event ID 2089 is logged in the Directory Service event
log and continues daily until the directory partition is backed up.

This event serves as a warning to administrators and monitoring applications to make
sure that domain controllers are backed up before the tombstone lifetime expires.
However, it is recommended that you take backups at a much higher frequency than the
default value of Backup Latency Threshold (days).
See Also
Installing a Domain Controller in an Existing Domain Using Restored Backup Media

Managing Active Directory Backup and Restore
The following tasks for managing Active Directory backup and restore are described in
this objective:

 Backing Up Active Directory Components

 Performing a Nonauthoritative Restore of a Domain Controller

 Performing an Authoritative Restore of Active Directory Objects

 Performing an Authoritative Restore of an Application Directory Partition

 Performing an Authoritative Restore of a Group Policy Object

 Restoring a Domain Controller Through Reinstallation and Subsequent Restore from
Backup

 Restoring a Domain Controller Through Reinstallation

Backing Up Active Directory Components
Active Directory is backed up as part of Microsoft Windows system state. For more
information about all Microsoft Windows system state components and Active Directory
components, see Introduction to Administering Active Directory Backup and Restore.

Naming Backup Files


To ensure the proper use of backup files, the .bkf file should have a file name that
includes the following information:

 The fully qualified computer name that includes the domain name of the domain
controller on which the backup was performed

 Whether the backup domain controller is a global catalog server


 Whether the backup domain controller contains MD5 checksum data to source the
Sysvol tree

 The date that the backup was performed

For example, you might use a file name format that is similar to the following:

X:\Fully_Qualified_Computer_Name.Build_Number.Service_Pack_Revision.[No]GC.[No]MD5.TSL.YYYYMMDD.bkf

where

 Fully_Qualified_Computer_Name is the host name and the domain name of the
domain controller. This must be the domain name of the domain where the system
state was backed up.

 Build_Number is the build number of the operating system that was backed up.

 Service_Pack_Revision is the service pack build number and the service pack
version for the operating system that was backed up.

 [No]GC indicates whether the backup originated from a global catalog or not.

 [No]MD5 indicates whether the system state backup contains MD5 checksum data
for the files and folders in the SYSVOL tree. For more information about the need for
MD5 data, see Preparing a Server Computer for Shipping and Installation from
Backup Media.

 TSL is the value in days for the tombstoneLifetime attribute when the backup was
performed. The tombstoneLifetime attribute for the forest determines both the
useful life of a system state backup and how frequently garbage collection occurs.
(Garbage collection removes tombstones from the directory permanently when their
tombstone lifetime expires.)

 YYYYMMDD is the year, month, and day that the backup was performed.

For example, suppose that you create a system state backup of a global catalog domain
controller on July 1, 2005. The domain controller is in the Contoso.com domain, and its
name is DC1. The value of the tombstone lifetime is 60 days, and MD5 data is included in
the backup. In this scenario, you might use a file name that is similar to the following:

DC1.CONTOSO.COM.3790.SP0.GC.MD5.60.2005.07.01.BKF

A system state backup that you make of DC1 on July 1, 2005, remains valid until
August 29, 2005. For the next 60 days, you can use the backup to restore an existing
domain controller or to install an additional domain controller in the Contoso.com domain.

You can save the .bkf file to a local volume or to a network share. The network share can
be on a server computer that can be installed later as a domain controller by using the
restored backup. For more information about using restored backup media for installing
domain controllers, see Installing a Domain Controller in an Existing Domain Using
Restored Backup Media.
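
Because the file name above carries the tombstone lifetime and the backup date, a small tool can read a .bkf name and report what this guide states in prose: how long the backup remains usable and, per the Backup Latency Interval section, whether the default Backup Latency Threshold (days) of half the tombstone lifetime has already been passed, so that event ID 2089 would be expected on that domain controller. The following Python script is an added example and not part of this guide or of Ntbackup. It accepts both the YYYYMMDD date form from the template and the YYYY.MM.DD form used in the worked example; the sample names are constructed, and the day-boundary rule for "usable" (days 0 through TSL-1 after the backup, which reproduces the guide's July 1 to August 29 example) and the integer halving of an odd tombstone lifetime are assumptions.

```python
"""Parse a system state backup file name that follows this guide's naming
convention and derive the backup's usable life (tombstone lifetime) and
whether the default backup latency threshold (half the tombstone lifetime,
event ID 2089) has been crossed. Added example; sample names are constructed
and the day-boundary rule in is_usable() is an assumption."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class BackupName:
    fqdn: str
    build: int
    service_pack: str
    global_catalog: bool
    md5: bool
    tombstone_lifetime: int  # TSL in days
    backup_date: date


def parse_backup_name(filename):
    """Parse <FQDN>.<Build>.<SP>.[No]GC.[No]MD5.<TSL>.<date>.bkf.

    The template writes the date as YYYYMMDD while the worked example uses
    YYYY.MM.DD; both are accepted here (assumption). Tokens are consumed from
    the right so that dots inside the FQDN do not confuse the parser.
    """
    parts = filename.split(".")
    if parts[-1].lower() != "bkf":
        raise ValueError("not a .bkf file name: %s" % filename)
    parts = parts[:-1]
    if len(parts[-1]) == 8 and parts[-1].isdigit():      # YYYYMMDD
        d = parts.pop()
        backup_date = date(int(d[:4]), int(d[4:6]), int(d[6:]))
    else:                                                # YYYY.MM.DD
        y, m, d = parts[-3:]
        parts = parts[:-3]
        backup_date = date(int(y), int(m), int(d))
    tsl = int(parts.pop())
    md5_tok = parts.pop().upper()
    gc_tok = parts.pop().upper()
    if md5_tok not in ("MD5", "NOMD5") or gc_tok not in ("GC", "NOGC"):
        raise ValueError("unexpected [No]GC/[No]MD5 tokens in %s" % filename)
    service_pack = parts.pop()
    build = int(parts.pop())
    if not parts:
        raise ValueError("missing computer name in %s" % filename)
    return BackupName(".".join(parts), build, service_pack,
                      gc_tok == "GC", md5_tok == "MD5", tsl, backup_date)


def as_date(value):
    """Accept a date or an ISO 8601 string such as '2005-08-29'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def age_in_days(info, today):
    return (as_date(today) - info.backup_date).days


def is_usable(info, today):
    """True while the backup is younger than the tombstone lifetime.

    Assumption: usable on days 0 .. TSL-1 after it was taken, which matches
    the guide's example (taken 2005-07-01, TSL 60, valid until 2005-08-29).
    """
    return 0 <= age_in_days(info, today) < info.tombstone_lifetime


def last_usable_day(info):
    return info.backup_date + timedelta(days=info.tombstone_lifetime - 1)


def latency_threshold_days(info, configured=None):
    """Backup Latency Threshold (days): the registry value when one is set,
    otherwise half the tombstone lifetime (integer halving is an assumption
    for odd values; the guide only states 'half')."""
    return configured if configured is not None else info.tombstone_lifetime // 2


def event_2089_expected(info, today, configured=None):
    """Would the daily event ID 2089 warning be expected if this is the most
    recent backup of a partition on the domain controller?"""
    return age_in_days(info, today) >= latency_threshold_days(info, configured)


# Constructed sample name matching the guide's worked example.
SAMPLE = "DC1.CONTOSO.COM.3790.SP0.GC.MD5.60.2005.07.01.BKF"

if __name__ == "__main__":
    info = parse_backup_name(SAMPLE)
    print(info)
    print("last usable day:", last_usable_day(info))
    print("event 2089 expected on 2005-08-01:", event_2089_expected(info, "2005-08-01"))
```

The checks are deliberately separate: is_usable() answers whether Active Directory will still accept the backup for a restore or an installation from media, while event_2089_expected() answers the earlier question of whether the backup is already older than the warning threshold; the second turns true long before the first turns false, which is the guide's point that backups should be taken much more often than the default threshold.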

Task requirements

The following tools are required to perform the procedures for this task:

 Backup or Restore Wizard (Ntbackup)

 Tape drive or other backup media

To complete this task, perform one of the following procedures, depending on your
backup needs:
 Back up system state

 Back up system state and the system disk

See Also
Installing a Domain Controller in an Existing Domain Using Restored Backup Media

Adding Domain Controllers in Remote Sites

Back up system state


Ntbackup.exe provides simple and advanced options for backing up Active Directory
components. When you back up system state, you can choose to include or exclude
system-protected boot files. System-protected boot files are not used for installations
from restored backup media. When the backup file that you create is to be used for
additional domain controller installations, you can clear the advanced option to back up
system-protected files. Clearing this option decreases the size of the .bkf file, as well as
the time required to back up, restore, and copy the system state files.

Use these procedures to back up the system state only. These procedures do not back
up the system disk or any other data on the domain controller except for the system-
protected files.

Use the first procedure, "To back up system state including system-protected files," for
routine system state backup. Use the second procedure, "To back up system state
excluding system-protected files," if you want to create a smaller backup that is effective
for installing domain controllers from restored backup media.
Note
To back up system state, you must log on locally to the domain controller, or
Remote Desktop must be enabled on the remote domain controller so that you
can connect remotely.

Administrative credentials

 To perform the following two procedures, you must be a member of the Domain
Admins group or a member of the Backup Operators group.

To back up system state including system-protected files


1. To start the Windows Server 2003 backup utility, click Start, click Run, type
ntbackup, and then click OK.

This procedure provides steps for backing up in Wizard Mode. By default, the
Always Start in Wizard Mode check box is selected in the Backup or Restore
Wizard. If the Welcome to the Backup Utility Advanced Mode page appears,
click Wizard Mode to open the Backup or Restore Wizard.

2. On the Welcome to the Backup or Restore Wizard page, click Next.

3. Select Back up files and settings, and then click Next.

4. Select Let me choose what to back up, and then click Next.

5. In the Items to Back Up window, double-click My Computer.

6. In the expanded list below My Computer, check System State, and then click
Next.

7. Select a location to store the backup:

 If you are backing up to a file, type the path and file name for the backup
(.bkf) file (or click Browse to find a folder or file).

 If you are backing up to a tape unit, choose the tape that you want to use.

Note
You should not store the backup on the local hard drive. Instead,
store it in a location, such as a tape drive, away from the computer
that you are backing up.

8. Type a name for this backup according to the recommendations in Backing Up
Active Directory Components, and then click Next.

9. On the last page of the wizard, click Advanced.

10. Do not change the default options for Type of Backup. Normal should be
selected, and the check box for Backup migrated remote storage data should
remain cleared. Click Next.

11. Select Verify data after backup, and then click Next.

12. In the Backup Options dialog box, select a backup option, and then click Next.

13. If you are replacing the existing backups, select the option to allow only the
owner and administrator access to the backup data and to any backups that are
appended to this medium, and then click Next.

14. In the When to back up box, select the appropriate option for your needs, and
then click Next.

15. If you are satisfied with all of the options that are selected, click Finish to perform
the backup operation according to your selected schedule.

Note
The system state can also be backed up by using Ntbackup from a
command line with appropriate parameters. For more information, at a
command prompt type ntbackup /?.

The following procedure produces a smaller .bkf file that does not include system boot
files. By using this procedure, you can reduce the time that is required to perform the
backup and subsequent restore, as well as the amount of disk space that is required.
This method is recommended when the restored backup is to be used for installing
additional domain controllers.

To back up system state excluding system-protected files


1. To start the Windows Server 2003 backup utility, click Start, click Run, type
ntbackup, and then click OK.
2. On the Welcome to the Backup or Restore Wizard page, click Advanced
Mode, and then click the Backup tab.

3. In the console tree, select the System State check box.

4. In Backup media or file name, type a name for this backup according to the
recommendations in Backing Up Active Directory Components.

5. Click Start Backup, and then click Advanced.

6. Clear the Automatically back up System Protected Files with the System
State check box, and then click OK.

7. Click Start Backup.


See Also
Enable Remote Desktop

Create a Remote Desktop Connection

Back up system state and the system disk
Use this procedure to back up both the system state and the system disk.

Note
To back up system state and the system disk, you must log on locally to the
domain controller or Remote Desktop must be enabled on the remote domain
controller so that you can connect remotely.

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group or a
member of the Backup Operators group.

To back up system state and the system disk


1. To start the Windows Server 2003 backup utility, click Start, point to Programs,
Accessories, System Tools, and then click Backup.

This procedure requires Backup Utility Advanced Mode. If the Welcome to the
Backup or Restore Wizard appears when you click Backup in step 1, clear
Always start in wizard mode, close the wizard, and then repeat step 1.

2. On the Welcome to the Backup Utility Advanced Mode page, click the
Backup Wizard (Advanced) button.

3. On the Welcome to the Backup Wizard page, click Next.

4. On the What to Back Up page, click Back up selected files, drives, or
network data, and then click Next.

5. In Items to Back Up, select the System State check box. Then, locate the drive
letter containing the system files, click the check box for it, and then click Next.

6. In Backup Type, Destination, and Name, select the backup media type by
choosing one of the following options:

 In the Select the backup type box, click File if you want to back up to a file.
If you do not have a tape backup unit installed, File is selected automatically.

Or

 Select a tape device if you want to back up to tape.

7. In the Choose a place to save your backup box, select one of the following
options, and then click Next:

 If you are backing up to a file, if you want to change the current backup file
location, click Browse to find a folder or file. If the destination folder or file
does not exist, the system creates it.

Or
 If you are backing up to a tape unit, select the tape that you want to use.

8. On the Completing the Backup Wizard page, click Advanced. Do not change
the default options for Type of Backup. Normal should be selected, and the
check box should remain cleared for Backup migrated remote storage data.
Click Next.

9. Click Verify data after backup, and then click Next.

10. In the Backup Options dialog box, select a backup option, and then click Next.

11. If you are replacing the existing backups, select the option to allow only the
owner and administrator access to the backup data and to any backups that are
appended to this medium, and then click Next.

12. In the When to back up box, select the appropriate option for your needs, and
then click Next.

13. If you are satisfied with all of the options that are selected, click Finish to perform
the backup operation according to your selected schedule.

See Also
Enable Remote Desktop

Create a Remote Desktop Connection


Performing a Nonauthoritative Restore of
a Domain Controller
A nonauthoritative restore is the default method for restoring Active Directory. To perform
a nonauthoritative restore, you must be able to start the domain controller in Directory
Services Restore Mode. After you restore the domain controller from backup media,
replication partners use the standard replication protocols to update Active Directory and
associated information on the restored domain controller.

A nonauthoritative restore returns the domain controller to its state at the time of backup
and then allows normal replication to overwrite that state with any changes that occurred
after the backup was taken. After you restore the system state, the domain controller
queries its replication partners. The replication partners replicate any changes to the
restored domain controller, ensuring that the domain controller has an accurate and
updated copy of the Active Directory database.

A nonauthoritative restore allows the entire directory to be restored on a domain
controller, without reintroducing or changing objects that have been modified since the
backup. The most common use of a nonauthoritative restore is to bring an entire domain
controller back, often after catastrophic or debilitating hardware failures. It is uncommon
for data corruption to drive a nonauthoritative restore, unless the corruption is local and
the database cannot be successfully loaded.

If you intend to restore a deleted object (or objects), you should refer to the procedures
for an authoritative restore.

You can perform a nonauthoritative restore on a Windows Server 2003 system that is a
stand-alone server, member server, or domain controller. You must start a server in
Directory Services Restore Mode to perform a nonauthoritative restore.

Note
By performing a nonauthoritative restore on Active Directory, you automatically
perform a nonauthoritative restore of the system volume (SYSVOL); no additional
steps are required.

Task requirements

The following tool is required to perform the procedures for this task:

 NTBackup.exe

To complete this task, perform the following procedures:


1. Restart the domain controller in Directory Services Restore Mode by using one of the
following methods:

 Restart the domain controller in Directory Services Restore Mode locally

 Restart the domain controller in Directory Services Restore Mode Remotely

Note
In cases in which you have to reinstall the operating system, before you
restore the directory, you do not have to perform a nonauthoritative restore in
Directory Services Restore Mode. After you reinstall the operating system,
you can perform a restore after the computer boots normally.

2. Restore from backup media


3. Verify Active Directory restore

See Also
Performing an Authoritative Restore of Active Directory Objects

Enable Remote Desktop

Create a Remote Desktop Connection

Restart the domain controller in Directory Services Restore Mode locally
If you have physical access to a domain controller, you can restart the domain controller
in Directory Services Restore Mode locally. Restarting in Directory Services Restore
Mode takes the domain controller offline. In this mode, the server is not functioning as a
domain controller.

When you start Windows Server 2003 in Directory Services Restore Mode, the local
Administrator account is authenticated by the local Security Accounts Manager (SAM)
database. Therefore, logging on requires that you use the local administrator password,
not an Active Directory domain password. This password is set during Active Directory
installation when you provide the password for Directory Services Restore Mode.

Administrative credentials

To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.
To restart the domain controller in Directory Services Restore Mode locally
1. Restart the domain controller.

2. When the screen for selecting an operating system appears, press F8.

3. On the Windows Advanced Options menu, select Directory Services Restore
Mode.

4. When you are prompted, log on as the local administrator.

See Also
Restart the domain controller in Directory Services Restore Mode Remotely

Restart the domain controller in Directory Services Restore Mode Remotely
If Remote Desktop is enabled on a domain controller, you can use Remote Desktop
Connection to connect to the domain controller remotely. Remote Desktop Connection
(formerly known as the Terminal Services client) is installed by default on all
Windows Server 2003 family operating systems.

If you use Remote Desktop Connection to connect to a domain controller remotely and
you want to restart the domain controller in Directory Services Restore Mode, you must
first modify the Boot.ini file on the remote server so that you do not lose the connection
when the domain controller restarts.

When you start Windows Server 2003 in Directory Services Restore Mode, the local
Administrator account is authenticated by the local Security Accounts Manager (SAM)
database. Therefore, logging on requires that you use the local administrator password,
not an Active Directory domain password. This password is set during Active Directory
installation when you provide the password for Directory Services Restore Mode.

Administrative credentials

To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.

To restart the domain controller in Directory Services Restore Mode remotely

1. Use Remote Desktop Connection to connect to the domain controller that you
want to restart in Directory Services Restore Mode.

2. Right-click My Computer, click Properties, and then click the Advanced tab.

3. Click Settings for startup and recovery.

4. Click the Edit button to edit the startup options file.

5. Modify the default entry to include the /SAFEBOOT:DSREPAIR switch, as shown
in the following example:

multi(0)disk(0)rdisk(0)partition(2)\WINNT="W2K DC \\your server name" /fastdetect /SAFEBOOT:DSREPAIR

Note
The /SAFEBOOT:DSREPAIR switch works for domain controllers
running Windows 2000 Server and Windows Server 2003.

6. Save the modified Boot.ini file, and then close Notepad.

7. On the Start menu, click Shut Down, and then click Restart. During the restart
process, the Terminal Services client reports that the session is disconnected.

Caution
Be sure to click Restart and not Shut Down at this step. If you click
Shut Down, you cannot restart the domain controller remotely.

8. Wait until the restart process completes on the remote domain controller, and
then reconnect the client session.

9. When the client session is reconnected, log on as the local administrator.

10. Right-click My Computer, click Properties, and then click the Advanced tab.

11. Click Settings for startup and recovery.

12. Click the Edit button to edit the startup options file.

13. Delete the /SAFEBOOT:DSREPAIR switch from the default entry in the Boot.ini
file, save the file, and then close Notepad.

Important
If you restart the domain controller before you modify the Boot.ini file, the
domain controller remains offline.

The Boot.ini file is now returned to its original state, which starts the domain
controller normally.

See Also
Enable Remote Desktop

Create a Remote Desktop Connection

Restart the domain controller in Directory Services Restore Mode locally

Restore from backup media

To restore the server, use a good backup containing the system state or the system state
and system disk.

Note
To restore from backup, you must log on locally to the domain controller or
Remote Desktop must be enabled on the remote domain controller so that you
can connect remotely.

Administrative credentials

To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.

To restore from backup media

1. Start the computer in Directory Services Restore Mode.

2. To start the Windows Server 2003 backup utility, click Start, point to
All Programs, point to Accessories, point to System Tools, and then click
Backup.

This procedure provides steps for restoring from backup in Wizard Mode. By
default, the Always Start in Wizard Mode check box is selected in the Backup
or Restore Wizard. If the Welcome to the Backup Utility Advanced Mode page
appears, click Wizard Mode to open the Backup or Restore Wizard.

3. On the Welcome to the Backup or Restore Wizard page, click Next.

4. Click Restore files and settings, and then click Next.

5. Select System State, and then click Next.

6. On the Completing the Backup or Restore Wizard page, click Advanced.

7. In Restore files to, click Original Location, and then click Next.

8. Click Leave existing files (Recommended), and then click Next.

9. In Advanced Restore Options, select the following check boxes, and then click
Next:

 Restore security settings

 Restore junction points, but not the folders and file data they reference

 Preserve existing volume mount points

10. For a primary restore of SYSVOL, also select the following check box: When
restoring replicated data sets, mark the restored data as the primary data
for all replicas.

A primary restore is required only if the domain controller that you are restoring is
the only domain controller in the domain. A primary restore is required on the first
domain controller that is being restored in a domain if you are restoring the entire
domain or forest.

11. Click Finish.

12. When the restore process is complete, click Close, and then do one of the
following:

 If you do not want to authoritatively restore any objects, click Yes to restart
the computer. The system will restart and replicate any new information that
is received since the last backup with its replication partners.

 If you want to authoritatively restore any objects or if you want to create an
LDAP Data Interchange Format (LDIF) file to restore back-links on this
domain controller, click No to remain in Directory Services Restore Mode.
For information about how to proceed with authoritative restore, see
Performing an Authoritative Restore of Active Directory Objects.

See Also
Restart the domain controller in Directory Services Restore Mode locally

Enable Remote Desktop

Create a Remote Desktop Connection

Restart the domain controller in Directory Services Restore Mode Remotely

Restore system state to an alternate location

Performing an Authoritative Restore of Active Directory Objects


Verify Active Directory restore
After the restore is completed, use this procedure to restart the server and perform basic
verification.

Administrative credentials

To verify Active Directory restore, you must be a member of the Domain Admins group.

To verify Active Directory restore

1. After the restore operation completes, restart the computer in Start Windows
Normally mode. Active Directory and Certificate Services automatically detect
that they have been recovered from a backup. They perform an integrity check
and re-index the database.

2. After you are able to log on to the system, browse Active Directory. Verify that all
of the User objects and Group objects that were present in the directory prior to
backup are restored. Similarly, verify that files that were members of a File
Replication service (FRS) replica set and certificates that were issued by the
Certificate Services are present.

Performing an Authoritative Restore of Active Directory Objects
On the domain controller that is being restored, an authoritative restore process returns a
designated object or container of objects to its state at the time of the backup. For
example, you might need to perform an authoritative restore if an administrator
inadvertently deletes an organizational unit (OU) containing a large number of users. If
you restore the server from backup, the normal, nonauthoritative restore process does
not restore the inadvertently deleted OU because the restored domain controller is
updated following the restore process to the current status of its replication partners,
which have deleted the OU. Recovering the deleted OU requires authoritative restore.
You can use authoritative restore to mark the OU as authoritative and let the replication
process restore it to all the other domain controllers in the domain.

When an object is marked for authoritative restore, its version number is changed so that
it is higher than the existing version number of the (deleted) object in the Active Directory
replication system. This change ensures that any data that you restore authoritatively is
replicated from the restored domain controller to other domain controllers in the forest.

An authoritative restore should not be used to restore an entire domain controller, nor
should it be used as part of a change-control infrastructure. Proper delegation of
administration and change enforcement will optimize data consistency, integrity, and
security.

It is important to ensure successful recovery of the information that is being restored.
Group membership is particularly sensitive and can be affected greatly by the procedures
that are followed during an authoritative restore.

Group Membership Restoration Following Authoritative Restore
When a user object is inadvertently deleted, you can restore it by marking the user object
as authoritative during an authoritative restore procedure. However, depending on the
functional level of the forest at the time that any groups to which the user belongs were
created (or the forest functional level at the time that the user was added to the group, if
they are different), the user's group memberships might not be restored in the process.
Multiply this condition by hundreds or thousands of users when an OU is deleted. In this
case, additional steps are required to restore the group memberships of user accounts
that are restored.

LVR and Restoration of Group Memberships

Restoration of group memberships for user objects that are deleted and restored
authoritatively differs, depending on whether the group was created (or its membership
was updated) before or after the implementation of Windows Server 2003 functionality
called linked-value replication (LVR). LVR is a feature that is available when the forest
has a functional level of Windows Server 2003 interim or Windows Server 2003. In
groups that are created before LVR is in effect, the member attribute is replicated as a
single value. Therefore, any change to the group's membership results in replication of
the entire member attribute. In groups that are created after LVR is in effect, or in groups
that are created before LVR but that are updated after LVR is in effect, updates to the
member attribute are replicated separately. In this case, group memberships are restored
when you use Ntdsutil to authoritatively restore a user, group, or computer object.

The memberOf attribute (or any back-link attribute) is generated only because of its link
to the member attribute (or any corresponding forward-link attribute). For this reason,
restoring the membership on a user object necessarily involves updating the member
attribute on the group object to include the distinguished name of the restored user.

Note
Only the forward-link attribute value can be updated and replicated. The back-link
attribute value is generated only when it is accessed. It is not stored on the
object, and it is not replicated.

When you use the Ntdsutil command-line tool to authoritatively restore a subtree or single
object, the ability of Ntdsutil to restore the group memberships of an object that is
authoritatively restored depends on whether the group was created before or after LVR
was implemented. For example, if a user object is restored and the user belongs to group
G1 that was created before LVR was implemented and the user belongs to group G2 that
was created after LVR was implemented (the functional level of the forest was raised to
Windows Server 2003 interim or Windows Server 2003), the member attribute of G2 is
updated during authoritative restore (and, therefore, the memberOf attribute of the
restored user is updated), but the member attribute of G1 is not updated.

However, improvements in the version of Ntdsutil that is included with
Windows Server 2003 Service Pack 1 (SP1) provide the ability to also restore the
memberships of groups that were created before LVR was implemented.

Authoritative Restore Improvements in Windows Server 2003 SP1
On a domain controller running Windows Server 2003 with SP1, Ntdsutil now creates a
text file that identifies the authoritatively restored objects and uses this file to create an
LDAP Data Interchange Format (LDIF) file. The LDIF file can be used to regenerate all
back-links on the restored objects in a forest where LVR is not in effect.

If you need to restore a large number of users (for example, if you delete an OU) in
domain X and your forest also contains domain Y and domain Z, authoritative restore
requires the restoration of domain X and then the use of Ntdsutil to generate and run the
LDIF file against a domain controller in each additional domain.

In all cases, you begin the authoritative restore process by performing a nonauthoritative
restore from backup media. Then, you perform the additional steps to complete the
authoritative restore and restore group memberships, if necessary. The steps that you
perform are different if you are restoring the objects on a domain controller running
Windows Server 2003 with SP1.

Procedures for Domain Controllers Running Windows Server 2003 with SP1
These procedures include the use of an LDIF file to restore group memberships following
authoritative restore of the objects. If you are restoring objects that can belong to groups
in more than one domain, additional steps are required.

Task requirements

The following tools are required to perform the procedures for this task:

 Ntbackup.exe

 Ntdsutil.exe

 Repadmin.exe

To complete this task, perform the following procedures in order:

1. Restore from backup media

Restore system state to return the domain controller to its state at the time of the
backup. To ensure that replication does not occur, click No at the end of the
procedure so that the domain controller does not restart.

2. Mark the object or objects authoritative

Mark the object or objects that you want to restore so that replication does not
overwrite them when you restart the domain controller.

3. Restart the domain controller normally.

4. Synchronize replication with all partners

For the newly restored object to become available and be instantiated in its restored
form on all domain controllers, successful replication must occur between the domain
controller that originates the restored changes and its partners.

Make sure that all domain controllers in the domain and all global catalog servers in
the forest have received the restored objects.

5. Use the following procedure to run the LDIF file that was created in step 2 on this
domain controller to add the missing group memberships in the domain that you have
just restored:

Run an LDIF file to recover back-links

6. If you are restoring user or group objects in a forest that has more than one domain,
perform the following steps on a domain controller in another domain:

a. Restart the domain controller in Directory Services Restore Mode locally

b. Restore from backup media

c. While still in Directory Services Restore Mode, use Ntdsutil to Create an LDIF file
for recovering back-links for authoritatively restored objects

d. Restart the domain controller normally (not in Directory Services Restore Mode).

e. Run an LDIF file to recover back-links in this domain on a different domain
controller than the one on which you created the LDIF file

7. Repeat step 6 for each additional domain.

Procedures for Domain Controllers Running Windows Server 2003 with No Service
Pack Installed
To complete this task, perform the following procedures in order:

Note
If the objects that were deleted do not include group objects, you do not have to
perform steps 3 through 10. In addition, if the groups that were deleted do not
have members among the list of deleted objects, you do not have to perform
steps 3 through 10.

1. Restore from backup media

Restore system state to return the domain controller to its state at the time of the
backup. To ensure that replication does not occur, click No at the end of the
procedure so that the domain controller does not restart.

2. Mark the object or objects authoritative

Mark the object or objects that you want to restore so that replication does not
overwrite them when you restart the domain controller.

3. Restart the computer normally, but in isolation. This step allows you to control
replication so that inbound replication does not update any restored object before
forcing outbound replication. You cannot turn off inbound replication in Directory
Services Restore Mode.

The most common way to start a computer in isolation is to remove the network
connection from the domain controller by physically removing the network cable.
Alternative methods may be possible, depending on your network hardware and
enterprise practices.

It is important to prevent the domain controller from communicating with any other
domain controller in the domain or forest. You should also isolate the domain
controller from any clients that might change an object in the directory.

4. Turn off inbound replication

This step is required only if the domain or forest functional level is Windows 2000
native or earlier. By turning off inbound replication, you ensure that no changes
replicate in to the domain controller and alter group membership.

5. Reconnect the computer to the network.

After you turn off inbound replication, it is safe to reconnect the domain controller to
the network.

If you isolated your computer by removing the network cable or by disconnecting the
network connection from the domain controller, reconnect it to bring the domain
controller back onto the network.

If you followed other procedures based on your enterprise network equipment, follow
the equipment's recommendations for reconnecting the domain controller to the
network.

6. Synchronize replication with all partners

For the newly restored object to become available and be instantiated in its restored
form on all domain controllers, successful replication must occur between the domain
controller that originates the restored changes and its partners.

Make sure that all domain controllers in the domain and all global catalog servers in
the forest have received the restored objects.

7. Restart the domain controller in Directory Services Restore Mode locally

8. Mark the object or objects authoritative

One of the challenges of restoring objects, and their group memberships, is the fact
that the membership and object may replicate in different orders. If the membership
replicates before a user is restored, the receiving domain controller will not update
the membership because the user does not exist. To overcome the effects of this
behavior, it is necessary to mark the objects that have been restored as authoritative
a second time and once again have the information replicated out.

9. Restart the computer normally (not in Directory Services Restore Mode).

After the authoritative restore of the object or objects has completed a second time,
you can restart the domain controller in normal mode.

10. Turn on inbound replication

Restore from backup media

To restore the server, use a good backup containing the system state or the system state
and system disk.

Note
To restore from backup, you must log on locally to the domain controller or
Remote Desktop must be enabled on the remote domain controller so that you
can connect remotely.

Administrative credentials

To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.

To restore from backup media

1. Start the computer in Directory Services Restore Mode.

2. To start the Windows Server 2003 backup utility, click Start, point to
All Programs, point to Accessories, point to System Tools, and then click
Backup.

This procedure provides steps for restoring from backup in Wizard Mode. By
default, the Always Start in Wizard Mode check box is selected in the Backup
or Restore Wizard. If the Welcome to the Backup Utility Advanced Mode page
appears, click Wizard Mode to open the Backup or Restore Wizard.

3. On the Welcome to the Backup or Restore Wizard page, click Next.

4. Click Restore files and settings, and then click Next.

5. Select System State, and then click Next.

6. On the Completing the Backup or Restore Wizard page, click Advanced.

7. In Restore files to, click Original Location, and then click Next.

8. Click Leave existing files (Recommended), and then click Next.

9. In Advanced Restore Options, select the following check boxes, and then click
Next:

 Restore security settings

 Restore junction points, but not the folders and file data they reference

 Preserve existing volume mount points

10. For a primary restore of SYSVOL, also select the following check box: When
restoring replicated data sets, mark the restored data as the primary data
for all replicas.

A primary restore is required only if the domain controller that you are restoring is
the only domain controller in the domain. A primary restore is required on the first
domain controller that is being restored in a domain if you are restoring the entire
domain or forest.

11. Click Finish.

12. When the restore process is complete, click Close, and then do one of the
following:

 If you do not want to authoritatively restore any objects, click Yes to restart
the computer. The system will restart and replicate any new information that
is received since the last backup with its replication partners.

 If you want to authoritatively restore any objects or if you want to create an
LDAP Data Interchange Format (LDIF) file to restore back-links on this
domain controller, click No to remain in Directory Services Restore Mode.
For information about how to proceed with authoritative restore, see
Performing an Authoritative Restore of Active Directory Objects.

See Also
Restart the domain controller in Directory Services Restore Mode locally

Enable Remote Desktop

Create a Remote Desktop Connection

Restart the domain controller in Directory Services Restore Mode Remotely

Restore system state to an alternate location

Performing an Authoritative Restore of Active Directory Objects

Mark the object or objects authoritative

In this procedure, you select which objects are to be marked authoritative to have them
replicate to other domain controllers. You must have completed a nonauthoritative restore
procedure, following which the domain controller has not been restarted and remains in
Directory Services Restore Mode. To complete this procedure, you must know the full
distinguished name of the object or objects that you want to restore.

Administrative credentials

To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.

To mark a subtree or individual object authoritative

1. In Directory Services Restore Mode, click Start, click Run, type ntdsutil, and
then press ENTER.

2. At the ntdsutil: prompt, type authoritative restore, and then press ENTER.

3. To restore a subtree or individual object, type one of the following commands, as
appropriate, and then press ENTER:

To restore a subtree (for example, an organizational unit and all child objects):

restore subtree DistinguishedName

To restore a single object:

restore object DistinguishedName

DistinguishedName
The distinguished name of the subtree or object that is to be marked
authoritative

4. Click Yes in the message box to confirm the command.

For example, if you want to restore a deleted organizational unit named
Marketing NorthAm in the corp.contoso.com domain, type:

restore subtree "OU=Marketing NorthAm,DC=corp,DC=contoso,DC=com"

(Always enclose the distinguished name in quotes when there is a space or other
special characters within the distinguished name.)

Ntdsutil attempts to mark the object as authoritative. The output message
indicates the status of the operation. The most common cause of failure is an
incorrectly specified distinguished name or a backup for which the distinguished
name does not exist (which occurs if you try to restore a deleted user that was
created after the backup).

If you are running this command on a domain controller running
Windows Server 2003 with Service Pack 1 (SP1), Ntdsutil provides output that
indicates whether a restored object has back-links that must be restored. If
objects that have back-links are found, Ntdsutil generates a set of files that you
can use to restore the back-links in this domain and in other domains, if
necessary.

The following sample output on a domain controller running
Windows Server 2003 with SP1 shows that Ntdsutil created a text file (.txt) and
an LDAP Data Interchange Format (LDIF) file (.ldf) when the marked object was
found to have back-links:

Successfully updated 3 records.

The following text file with a list of authoritatively restored
objects has been created in the current working directory:
ar_20050209-091249_objects.txt

One or more specified objects have back-links in this domain. The
following LDIF files with link restore operations have been created
in the current working directory:
ar_20050209-091249_links_Test1.com.ldf

Authoritative Restore completed successfully.

5. Make a note of the location of the .txt and .ldf files, if any. You will use the .ldf file
to restore back-links in this domain. You will use the .txt file to generate an LDIF
file to restore back-links in a different domain, if necessary. If you have other
domains in which you want to restore back-links for this restored object, make a
copy of this .txt file to use on a domain controller in another domain.

6. At the authoritative restore: and ntdsutil: prompts, type quit, and then press
ENTER.

7. Restart the domain controller in normal operating mode, as follows:

a. For a domain controller running Windows Server 2003 with no service pack
installed: Disconnect the domain controller from the network, and then restart
normally. Follow the instructions in "Procedures for Domain Controllers
Running Windows Server 2003 with No Service Pack Installed" as described
in Performing an Authoritative Restore of Active Directory Objects.

b. For a domain controller running Windows Server 2003 with SP1: Restart the
domain controller normally, and then follow the instructions in "Procedures for
Domain Controllers Running Windows Server 2003 with SP1" as described
in Performing an Authoritative Restore of Active Directory Objects.

Synchronize replication with all partners
You can use this procedure to synchronize replication with all replication partners of a
domain controller.

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group in the
domain of the selected domain controller or the Enterprise Admins group in the forest, or
you must have been delegated the appropriate authority. If you want to synchronize the
configuration and schema directory partitions on a domain controller in a child domain,
you must have Domain Admins credentials in the forest root domain or Enterprise Admins
credentials in the forest.

To synchronize replication with all partners

1. At a command prompt, type the following command, and then press ENTER:

repadmin /syncall DCName /e /d /A /P /q

Term    Definition

DCName  The Domain Name System (DNS) name of the domain controller on which
        you want to synchronize replication with all partners.

/e      Enterprise; includes partners in all sites.

/d      Identifies servers by distinguished name in messages.

/A      All; synchronizes all directory partitions that are held on the home
        server.

/P      Pushes changes outward from the home server.

/q      Runs in quiet mode; suppresses callback messages.

2. Check for replication errors in the output of the command in the previous step. If
there are no errors, replication is successful. For replication to complete, any
errors must be corrected.

See Also
Verify successful replication to a domain controller

Run an LDIF file to recover back-links

Ntdsutil in Windows Server 2003 Service Pack 1 (SP1) provides new functionality for
performing authoritative restore of objects that have back-links.

The output of the authoritative restore procedure includes the name of an LDAP Data
Interchange Format (LDIF) (.ldf) file that contains the forward-links that are required so
that the group memberships (back-links) of any restored user, group, or computer objects
can be recovered. For each object or subtree that you restore, you must run the LDIF file
on a domain controller in each domain that might have group objects that are required to
recover back-links on the restored objects.

Note
This procedure is critical for recovering group memberships for deleted users,
groups, or computers, but it applies to any restored objects that have back-link
attributes.

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group in the
domain of the domain controller on which you run the command.

To run an LDIF file to recover back-links following authoritative restore

1. Open a command prompt and change directories, if necessary, to the directory of
the .ldf file and its respective log files.

2. At the command prompt, type the following command, and then press ENTER:

ldifde -i -k -f FileName

FileName
The name of the .ldf file that you want to run, for example,
ar_20050609-174604_links_corp.contoso.com.ldf

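As an added illustration that is not output from Ntdsutil and not part of this guide, the following constructed LDIF file shows the kind of link restore operations that the .ldf file described above (and in the Ntdsutil sample output under "Mark the object or objects authoritative") carries: each entry re-adds a restored user's distinguished name to a group's member attribute, the forward link from which the user's memberOf back-link is generated. The group names, user names, and file name are assumptions for the corp.contoso.com domain.

```ldif
# Constructed example (not generated by Ntdsutil): forward-link restore
# operations for two groups in corp.contoso.com. Assumed file name:
# ar_20050609-174604_links_corp.contoso.com.ldf
#
# Each entry modifies a group object and adds the distinguished names of the
# restored users to its member attribute. Only the forward link (member) is
# written; the memberOf back-link on each user is regenerated from it.

dn: CN=Sales Staff,OU=Groups,DC=corp,DC=contoso,DC=com
changetype: modify
add: member
member: CN=Anna Bedecs,OU=Marketing NorthAm,DC=corp,DC=contoso,DC=com
member: CN=Jean Philippe,OU=Marketing NorthAm,DC=corp,DC=contoso,DC=com
-

dn: CN=Project Leads,OU=Groups,DC=corp,DC=contoso,DC=com
changetype: modify
add: member
member: CN=Anna Bedecs,OU=Marketing NorthAm,DC=corp,DC=contoso,DC=com
-
```

Importing a file of this shape with ldifde -i -k -f, as in step 2, applies the member additions; the -k switch makes ldifde continue past constraint violation and object already exists errors instead of stopping at the first entry that fails.
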
See Also
Create an LDIF file for recovering back-links for authoritatively restored objects

Restart the domain controller in Directory Services Restore Mode locally
If you have physical access to a domain controller, you can restart the domain controller
in Directory Services Restore Mode locally. Restarting in Directory Services Restore
Mode takes the domain controller offline. In this mode, the server is not functioning as a
domain controller.

When you start Windows Server 2003 in Directory Services Restore Mode, the local
Administrator account is authenticated by the local Security Accounts Manager (SAM)
database. Therefore, logging on requires that you use the local administrator password,
not an Active Directory domain password. This password is set during Active Directory
installation when you provide the password for Directory Services Restore Mode.

Administrative credentials

To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.

To restart the domain controller in Directory Services Restore Mode locally

1. Restart the domain controller.

2. When the screen for selecting an operating system appears, press F8.

3. On the Windows Advanced Options menu, select Directory Services Restore
Mode.

4. When you are prompted, log on as the local administrator.

See Also
Restart the domain controller in Directory Services Restore Mode Remotely

Create an LDIF file for recovering back-links for authoritatively restored objects
If you have authoritatively restored objects that have back-links in another domain, you
can use this procedure to create an LDAP Data Interchange Format (LDIF) file that you
can run against a domain controller in that domain to restore the back-links. Perform this
procedure on a domain controller in the domain that has the back-links.

Before you perform this procedure, you must:

 Copy the .txt file that Ntdsutil created during the authoritative restore procedure,
which you performed on the first domain controller, to a location on this domain
controller or a network share.

 Restore this domain controller from backup media.

After you restore this domain controller from backup media, perform this procedure while
the domain controller is still running in Directory Services Restore Mode.

Administrative credentials

To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.

To create an LDIF file for restoring back-links for authoritatively restored objects

1. In Directory Services Restore Mode, click Start, click Run, type ntdsutil, and
then press ENTER.

2. At the ntdsutil: prompt, type authoritative restore, and then press ENTER.

3. At the authoritative restore: prompt, type the following command, and then
press ENTER:

create ldif files from TextFilePath

where TextFilePath is the location and file name of the .txt file that Ntdsutil
created during the initial authoritative restore of the object whose back-links you
want to restore, for example, d:\ldif\ar_20050609_091558_objects.txt.

Ntdsutil displays a message stating that one or more specified objects have
back-links in this domain and an LDIF file has been created in the current
working directory.
4. At the authoritative restore: and ntdsutil: prompts, type quit.
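A back-link such as memberOf is not stored on the restored object; it is computed from the forward link (the group's member attribute), so the repair consists of re-adding the restored object's DN to each group that held it. The following Python script, added here as an example and not Ntdsutil's own output or the guide's code, builds such an LDIF file from a constructed mapping of group DNs to restored member DNs; every DN and domain name in it is made up.

```python
import base64

# Constructed sample: users authoritatively restored in corp.example.com that
# must be re-added to groups in europe.example.com (all DNs are made up).
RESTORED_MEMBERSHIPS = {
    "CN=Finance Admins,OU=Groups,DC=europe,DC=example,DC=com": [
        "CN=Alice Example,OU=Users,DC=corp,DC=example,DC=com",
        "CN=Bob Example,OU=Users,DC=corp,DC=example,DC=com",
    ],
    "CN=Reporting,OU=Groups,DC=europe,DC=example,DC=com": [
        "CN=Alice Example,OU=Users,DC=corp,DC=example,DC=com",
    ],
}


def ldif_attr_line(attr, value):
    """Format one LDIF attribute line. Values that LDIF (RFC 2849) cannot carry
    literally (non-ASCII, leading space/colon/'<', embedded CR/LF/NUL) are
    base64-encoded and written with the double-colon form 'attr:: ...'."""
    unsafe_start = value[:1] in (" ", ":", "<")
    unsafe_chars = any(ord(c) > 127 or c in "\r\n\x00" for c in value)
    if unsafe_start or unsafe_chars:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {encoded}"
    return f"{attr}: {value}"


def build_backlink_ldif(memberships):
    """Return LDIF text with one 'changetype: modify' record per group that adds
    the restored objects' DNs to the group's member attribute (the forward link
    from which the memberOf back-link is computed)."""
    records = []
    for group_dn in sorted(memberships):
        members = memberships[group_dn]
        if not members:
            continue  # nothing to add for this group
        lines = [ldif_attr_line("dn", group_dn), "changetype: modify", "add: member"]
        lines.extend(ldif_attr_line("member", dn) for dn in members)
        lines.append("-")  # terminates the modify operation
        records.append("\n".join(lines))
    # Records are separated by one blank line; the file ends with a newline.
    return "\n\n".join(records) + "\n"


def write_backlink_ldif(memberships, path):
    """Write the LDIF file to 'path' and return the number of records written."""
    text = build_backlink_ldif(memberships)
    # base64 encoding above guarantees the output is pure ASCII.
    with open(path, "w", encoding="ascii", newline="\n") as fh:
        fh.write(text)
    return text.count("changetype: modify")


if __name__ == "__main__":
    print(build_backlink_ldif(RESTORED_MEMBERSHIPS))
```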

See Also
Restore from backup media

Run an LDIF file to recover back-links

Turn off inbound replication

You can use this procedure to turn off inbound replication so that objects on a domain
controller cannot be updated by replication from another domain controller.

Administrative credentials

To complete this procedure, you must be a member of the Domain Admins group in the
domain of the domain controller whose replication you are disabling, or you must be a
member of the Enterprise Admins group.

To turn off inbound replication

1. Open a Command Prompt.

2. Type the following command, and then press ENTER:

repadmin /options ServerName +DISABLE_INBOUND_REPL

where ServerName is the network basic input/output system (NetBIOS) name of
the domain controller.

3. Verify that the option is set. The following message should appear:

New DC Options: DISABLE_INBOUND_REPL

See Also
Turn on inbound replication

Turn on inbound replication

You can use this procedure to turn on inbound replication after it has been turned off
manually.

Administrative credentials

To complete this procedure, you must be a member of the Domain Admins group in the
domain of the domain controller whose replication you are enabling, or you must be a
member of the Enterprise Admins group.

To turn on inbound replication

1. Open a Command Prompt.

2. Type the following command, and then press ENTER:

repadmin /options ServerName -DISABLE_INBOUND_REPL

where ServerName is the network basic input/output system (NetBIOS) name of
the domain controller.

3. Verify that the option is no longer set. The following message should appear:

Current DC options: DISABLE_INBOUND_REPL

New DC Options: <none>

Current DC Options displays the conditions that were in effect at the time that
you ran the command. New DC Options shows the effect of the command, which
is that the option to disable replication is no longer set.
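A domain controller left with DISABLE_INBOUND_REPL set silently stops receiving updates, so it is worth checking the flag across every domain controller rather than only on the one you just changed. The following Python helper, added here as an example and not part of the guide or of repadmin, parses constructed samples of repadmin /options output, performs the step 3 verification of both procedures on the New DC Options line, and lists the domain controllers on which a replication-disabling flag is still set; DC1, DC2 and DC3 are not real servers.

```python
import re

# Constructed sample output of "repadmin /options ServerName" from three
# hypothetical domain controllers (DC1, DC2 and DC3 are not real servers).
SAMPLE_OPTIONS_OUTPUT = {
    "DC1": "Current DC Options: IS_GC DISABLE_INBOUND_REPL\n",
    "DC2": "Current DC Options: IS_GC\n",
    "DC3": "Current DC Options: DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL\n",
}

# Constructed sample of what "repadmin /options DC1 -DISABLE_INBOUND_REPL" prints.
SAMPLE_REENABLE_OUTPUT = (
    "Current DC Options: IS_GC DISABLE_INBOUND_REPL\n"
    "New DC Options: IS_GC\n"
)

# Flags that stop a domain controller from replicating in one direction.
REPLICATION_FLAGS = {"DISABLE_INBOUND_REPL", "DISABLE_OUTBOUND_REPL"}


def _flags_after(label, output):
    """Return the set of flags listed on the '<label>:' line of repadmin output.
    repadmin prints '<none>' when no flag is set, which maps to an empty set."""
    match = re.search(
        rf"^\s*{label}\s*:\s*(.*?)\s*$", output, re.IGNORECASE | re.MULTILINE
    )
    if match is None:
        raise ValueError(f"no '{label}' line in repadmin output")
    flags = match.group(1).split()
    return set() if flags == ["<none>"] else set(flags)


def current_dc_options(output):
    """Flags in effect when the command ran ('Current DC Options' line)."""
    return _flags_after("Current DC Options", output)


def new_dc_options(output):
    """Flags in effect after a +FLAG/-FLAG change ('New DC Options' line)."""
    return _flags_after("New DC Options", output)


def option_change_verified(output, flag, expect_set):
    """Step 3 of both procedures: after +FLAG the flag must appear on the
    'New DC Options' line; after -FLAG it must be absent from it."""
    return (flag in new_dc_options(output)) == expect_set


def find_replication_disabled(outputs_by_dc):
    """Return {dc: sorted flags} for every domain controller whose current
    options still include a replication-disabling flag."""
    findings = {}
    for dc, output in outputs_by_dc.items():
        stuck = current_dc_options(output) & REPLICATION_FLAGS
        if stuck:
            findings[dc] = sorted(stuck)
    return findings


if __name__ == "__main__":
    for dc, flags in find_replication_disabled(SAMPLE_OPTIONS_OUTPUT).items():
        print(f"{dc}: replication disabled by {' '.join(flags)}")
    print("DC1 inbound replication re-enabled:",
          option_change_verified(SAMPLE_REENABLE_OUTPUT, "DISABLE_INBOUND_REPL", False))
```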

See Also
Turn off inbound replication

Performing an Authoritative Restore of an Application Directory Partition

Restoration of an application partition will mark all data that is present in the application
partition as authoritative for the replica set. Information that is contained within an
application partition will replicate to all domain controllers in the forest that were
previously present in the replica set. You should have a current, valid backup of the
application partition before you restore it, in case particular object changes are lost
because of changes that were made since the backup.

Task Requirements

The following tools are required to perform the procedures for this task:

• Backup.exe

• Ntdsutil.exe

To complete this task, perform the following procedures:

1. Restore from backup media

2. Mark the application directory partition as authoritative

3. Restart the computer

Once the authoritative restore of the object or objects has been completed a second
time, the domain controller can be restarted in normal mode.

Restore from backup media

To restore the server, use a good backup containing the system state or the system state
and system disk.

Note
To restore from backup, you must log on locally to the domain controller or
Remote Desktop must be enabled on the remote domain controller so that you
can connect remotely.

Administrative credentials

To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.

To restore from backup media

1. Start the computer in Directory Services Restore Mode.

2. To start the Windows Server 2003 backup utility, click Start, point to
All Programs, point to Accessories, point to System Tools, and then click
Backup.

This procedure provides steps for restoring from backup in Wizard Mode. By
default, the Always Start in Wizard Mode check box is selected in the Backup
or Restore Wizard. If the Welcome to the Backup Utility Advanced Mode page
appears, click Wizard Mode to open the Backup or Restore Wizard.

3. On the Welcome to the Backup or Restore Wizard page, click Next.

4. Click Restore files and settings, and then click Next.

5. Select System State, and then click Next.

6. On the Completing the Backup or Restore Wizard page, click Advanced.

7. In Restore files to, click Original Location, and then click Next.

8. Click Leave existing files (Recommended), and then click Next.

9. In Advanced Restore Options, select the following check boxes, and then click
Next:

• Restore security settings

• Restore junction points, but not the folders and file data they reference

• Preserve existing volume mount points

10. For a primary restore of SYSVOL, also select the following check box: When
restoring replicated data sets, mark the restored data as the primary data
for all replicas.

A primary restore is required only if the domain controller that you are restoring is
the only domain controller in the domain. A primary restore is required on the first
domain controller that is being restored in a domain if you are restoring the entire
domain or forest.

11. Click Finish.

12. When the restore process is complete, click Close, and then do one of the
following:

• If you do not want to authoritatively restore any objects, click Yes to restart
the computer. The system will restart and replicate any new information that
is received since the last backup with its replication partners.

• If you want to authoritatively restore any objects or if you want to create an
LDAP Data Interchange Format (LDIF) file to restore back-links on this
domain controller, click No to remain in Directory Services Restore Mode.
For information about how to proceed with authoritative restore, see
Performing an Authoritative Restore of Active Directory Objects.

See Also
Restart the domain controller in Directory Services Restore Mode locally

Enable Remote Desktop

Create a Remote Desktop Connection

Restart the domain controller in Directory Services Restore Mode Remotely

Restore system state to an alternate location

Performing an Authoritative Restore of Active Directory Objects

Mark the application directory partition as authoritative

You can select which application directory partitions are to be marked authoritative so
that you can have them replicated to other domain controllers. To perform this procedure,
you must have completed a nonauthoritative restore procedure. After that procedure is
complete, the domain controller is not restarted, and it remains in Directory Services
Restore Mode.

Administrative credentials

To complete this procedure, you must provide the Administrator password for Directory
Services Restore Mode.

To mark an application directory partition as authoritative

1. In Directory Services Restore Mode, open a Command Prompt.

2. Type the following command, and then press ENTER:

ntdsutil

3. At the ntdsutil: prompt, type authoritative restore, and then press ENTER. For
assistance with the Ntdsutil command-line tool, type help at any time.

4. Type List NC CRs, and then press ENTER.

Ntdsutil displays a list of the application directory partitions that are available
after the restore, along with the associated cross-references. Note the cross-
reference distinguished name and application directory partition distinguished
name that correspond to the application directory partition that you want to
restore.

5. Type restore subtree App Partition DN, where App Partition DN is the
distinguished name of the application directory partition that you want to restore.

6. In the confirmation dialog box, click Yes.

The output message indicates the status of the operation. There should be no
failures.

7. Type restore object Cross Ref DN (where Cross Ref DN is the distinguished
name of the application directory partition cross-reference that you want to
restore), and then press ENTER.

8. In the confirmation dialog box, click Yes.

The output message indicates the status of the operation. There should be no
failures.

9. Quit the Ntdsutil tool.

Performing an Authoritative Restore of a Group Policy Object

Restoring a Group Policy Object (GPO) restores the GPO to a previous state. A restore
operation can be used in both of the following cases: the GPO was backed up but has
since been deleted, or the GPO is live and you want to roll back to a known previous
state. A restore operation retains the original GPO GUID even if the restore is recreating
a deleted GPO. This is a key difference between the restore operation and the import or
copy operations discussed in later sections of this guide.

A restore operation replaces the following components of a GPO:

• GPO settings

• ACLs on the GPO

• WMI filter links (but not the filters themselves)

The restore operation does not restore links to a SOM (Scope of Management). Any
existing links will continue to be used (for example, when restoring an existing GPO to a
previous state). However, if the user has deleted a GPO and all links to the GPO, the user
must recreate these links after restoring the GPO. To facilitate recreating these links, you
can view the report in the backup to identify all links in the domain of the GPO.

For more information, see Administering Group Policy with the GPMC on the Microsoft
Web site (http://go.microsoft.com/fwlink/?LinkId=17528).

Task Requirements

The following tool is required to perform the procedures for this task:

• Group Policy Management Console

To complete this task, perform the following procedure:

• Restore a Group Policy Object

Restore a Group Policy Object

Use this procedure to perform an authoritative restore of a Group Policy object.

Administrative credentials

To perform this procedure, you must have edit, delete, and modify permissions on the
specific Group Policy object.

To restore a Group Policy object

1. Open Group Policy Management Console (GPMC).

2. In the console tree, double-click Domains to expand the list of domains.

3. Double-click the desired domain to expand the contents of that domain.

4. Right-click Group Policy Objects, and select Manage Backups.

5. Right-click the object to be restored, and select Restore from Backup.

6. Select the backup location, click the policy backup to be restored, and then click
Restore.

7. Click OK to restore the selected GPO backup.


Restoring a Domain Controller Through Reinstallation and Subsequent Restore from Backup

If you cannot restart a domain controller in Directory Services Restore Mode, you can
restore it through reinstallation of the operating system and subsequent restore of
Active Directory from backup.

After you reinstall Windows Server 2003, perform a nonauthoritative restore of the
system state and the system disk. You do not need to join the computer to the domain
before performing the restore procedure. During the restore, the computer account is
reestablished automatically.

Note
The restore procedure must be performed by using the same backup tool with
which the backup was made. Procedures in this task describe using Ntbackup to
restore Active Directory, but you must use the tool that you used to create the
backup file if it is not Ntbackup.

Restore a domain controller through reinstallation and restore the system state from
backup if the following conditions exist:

• A domain controller has failed and you cannot restart in Directory Services Restore
Mode. If the failure was caused by a hardware failure, you have resolved the
hardware problem (for example, by replacing the disk).

• You have a previous backup for the failed domain controller that is not older than the
tombstone lifetime for the forest.

• The domain controller is running other server services such as Exchange, or it
contains other data that you must restore from a backup.

• You have the following information about the failed domain controller:

  • Disk configuration. You need a record of the volumes and sizes of the disks and
  partitions. In the case of a complete disk failure, use this information to recreate
  the disk configuration. Windows Server 2003 must be reinstalled to the same
  drive letter and with at least the same amount of physical drive space. Before you
  restore the system state, you must recreate all disk configurations. Failure to
  recreate all disk configurations can cause the restore process to fail and can
  prevent you from starting the domain controller after the restore.

  • Computer name. You need the computer name to restore a domain controller of
  the same name and avoid changing client configuration settings.

  • Password for the local computer Administrator account. You must know the local
  Administrator password that was used when the backup was created. The local
  Administrator password is also required to restore the system state on a domain
  controller.

Task requirements

The following tool is required to perform the procedures for this task:

• Ntbackup.exe

To complete this task, perform the following procedures:

1. Install Windows Server 2003.

Note
This guide does not provide information for the installation of
Windows Server 2003.

2. Restore from backup media

a. Begin with step 2 of this procedure. You cannot start the server in Directory
Services Restore Mode because Active Directory is not installed.

b. This operation requires that you log on as the local Administrator, not the
Administrator for Directory Services Restore Mode.

c. Restore the System State as described, but in normal mode.

d. When you are prompted to restart the server after you complete the restore
operation, click Yes to restart the server normally.

3. Verify Active Directory restore

Restore from backup media

To restore the server, use a good backup containing the system state or the system state
and system disk.

Note
To restore from backup, you must log on locally to the domain controller or
Remote Desktop must be enabled on the remote domain controller so that you
can connect remotely.

Administrative credentials

To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.

To restore from backup media

1. Start the computer in Directory Services Restore Mode.

2. To start the Windows Server 2003 backup utility, click Start, point to
All Programs, point to Accessories, point to System Tools, and then click
Backup.

This procedure provides steps for restoring from backup in Wizard Mode. By
default, the Always Start in Wizard Mode check box is selected in the Backup
or Restore Wizard. If the Welcome to the Backup Utility Advanced Mode page
appears, click Wizard Mode to open the Backup or Restore Wizard.

3. On the Welcome to the Backup or Restore Wizard page, click Next.

4. Click Restore files and settings, and then click Next.

5. Select System State, and then click Next.

6. On the Completing the Backup or Restore Wizard page, click Advanced.

7. In Restore files to, click Original Location, and then click Next.

8. Click Leave existing files (Recommended), and then click Next.

9. In Advanced Restore Options, select the following check boxes, and then click
Next:

• Restore security settings

• Restore junction points, but not the folders and file data they reference

• Preserve existing volume mount points

10. For a primary restore of SYSVOL, also select the following check box: When
restoring replicated data sets, mark the restored data as the primary data
for all replicas.

A primary restore is required only if the domain controller that you are restoring is
the only domain controller in the domain. A primary restore is required on the first
domain controller that is being restored in a domain if you are restoring the entire
domain or forest.

11. Click Finish.

12. When the restore process is complete, click Close, and then do one of the
following:

• If you do not want to authoritatively restore any objects, click Yes to restart
the computer. The system will restart and replicate any new information that
is received since the last backup with its replication partners.

• If you want to authoritatively restore any objects or if you want to create an
LDAP Data Interchange Format (LDIF) file to restore back-links on this
domain controller, click No to remain in Directory Services Restore Mode.
For information about how to proceed with authoritative restore, see
Performing an Authoritative Restore of Active Directory Objects.

See Also
Restart the domain controller in Directory Services Restore Mode locally

Enable Remote Desktop

Create a Remote Desktop Connection

Restart the domain controller in Directory Services Restore Mode Remotely

Restore system state to an alternate location

Performing an Authoritative Restore of Active Directory Objects

Verify Active Directory restore

After the restore is completed, use this procedure to restart the server and perform basic
verification.

Administrative credentials

To verify Active Directory restore, you must be a member of the Domain Admins group.

To verify Active Directory restore


1. After the restore operation completes, restart the computer in Start Windows
Normally mode. Active Directory and Certificate Services automatically detect
that they have been recovered from a backup. They perform an integrity check
and re-index the database.

2. After you are able to log on to the system, browse Active Directory. Verify that all
of the User objects and Group objects that were present in the directory prior to
backup are restored. Similarly, verify that files that were members of a File
Replication service (FRS) replica set and certificates that were issued by the
Certificate Services are present.

Restoring a Domain Controller Through Reinstallation

Restoring a domain controller through reinstallation is the same process as creating a
new domain controller. It does not involve restoring from backup media. This method
relies on Active Directory replication to restore a domain controller to a working state, and
it is valid only if another healthy domain controller exists in the same domain. This
method is normally used on computers that function only as a domain controller.

Restoring through reinstallation is the only method by which a domain controller that is
not part of the backup set can be restored. In addition, you might choose to use this
method instead of a nonauthoritative restore because backup media is inaccessible or
because this method is more convenient. Restoring a domain controller through
reinstallation should not be a substitute for regular backup routines.

This method of restoring a domain controller requires a complete reinstallation of the
operating system. It is recommended that before you install the operating system, you
format the entire system disk, which will remove all information on the system disk.
Ensure that any important or relevant data is moved or backed up before you perform
these actions.

Bandwidth is the primary consideration for restoring a domain controller through
reinstallation. The bandwidth that is required is directly proportional to the size of the
Active Directory database and the time in which the domain controller is required to be in
a functioning state. Ideally, the existing functional domain controller should be located in
the same Active Directory site as the replicating domain controller (the new domain
controller) to reduce the impact on the network and the time that the reinstallation takes
to complete.

Note
Before you restore a domain controller through reinstallation, ensure that
hardware failure is not the cause of the problem. If faulty hardware is not
changed, restoring through reinstallation might not solve the problems with the
domain controller.

Task requirements

The following tools are required to perform the procedures for this task:

• Ntdsutil.exe

• Netdiag.exe

• Dcdiag.exe

• Dcpromo.exe

To complete this task, perform the following procedures:

1. If you plan to give the newly reinstalled domain controller the same name as the
failed computer, use the following procedure to clean up server metadata to remove
the NTDS Settings object of the failed domain controller:

Clean up server metadata

If you plan to give the new domain controller a different name, in addition to cleaning
up server metadata, perform the following additional procedures:

Delete a Server object from a site

Delete a Computer object from the Domain Controllers OU

2. Install Windows Server 2003

It is assumed that you will perform a fresh installation of Windows Server 2003.
Prepare for installation of the operating system by partitioning or reformatting your
hard disk drive, if necessary.

3. Verify DNS registration and functionality

4. Verify communication with other domain controllers

5. Verify the availability of the operations masters

6. Install Active Directory

During the installation process, replication occurs, which ensures that the domain
controller has an accurate and up-to-date copy of Active Directory. You have the
option to use the same information for this domain controller as the domain controller
that it is replacing: site placement, domain controller name, and domain membership
should remain the same. If you plan to install the domain controller under a different
name, see Installing a Domain Controller in an Existing Domain.

7. Verifying Active Directory Installation

Clean up server metadata

You perform the metadata cleanup process by using Ntdsutil.exe, a command-line tool
that is automatically installed on all domain controllers. Metadata cleanup removes data
from Active Directory that identifies a domain controller to the replication system. On a
domain controller that is running Windows Server 2003 with Service Pack 1 (SP1),
metadata cleanup also removes File Replication Service (FRS) connections and attempts
to transfer or seize any operations master roles that the retired domain controller holds.
These additional processes are performed automatically.

Administrative credentials

To complete this procedure, you must be a member of the Enterprise Admins group.

To clean up server metadata

1. Open a command prompt.

2. Type the following command, and then press ENTER:

ntdsutil

3. At the ntdsutil: prompt, type:

metadata cleanup

4. Perform metadata cleanup as follows:

• If you are performing metadata cleanup by using the version of Ntdsutil.exe
that is included with Windows Server 2003 SP1, at the metadata cleanup:
prompt, type:

remove selected server ServerName

Or

remove selected server ServerName1 on ServerName2

Value                    Definition

ServerName, ServerName1  The distinguished name of the domain controller whose
                         metadata you want to remove, in the form
                         cn=ServerName,cn=Servers,cn=SiteName,cn=Sites,cn=Configuration,dc=ForestRootDomain

ServerName2              The DNS name of the domain controller to which you want to
                         connect and from which you want to remove server metadata

• If you are performing metadata cleanup by using the version of Ntdsutil.exe
that is included with Windows Server 2003 with no service pack, perform
metadata cleanup as follows:

a. At the metadata cleanup: prompt, type:

connection

b. At the server connections: prompt, type:

connect to server Server

c. At the server connections: prompt, type:

quit

d. At the metadata cleanup: prompt, type:

select operation target

e. At the select operation target: prompt, type:

list sites

A numbered list of sites appears.

f. At the select operation target: prompt, type:

select site SiteNumber

g. At the select operation target: prompt, type:

list domains in site

A numbered list of domains in the selected site appears.

h. At the select operation target: prompt, type:

select domain DomainNumber

i. At the select operation target: prompt, type:

list servers in site

A numbered list of servers in a domain and site appears.

j. At the select operation target: prompt, type:

select server ServerNumber

k. At the select operation target: prompt, type:

quit

l. At the metadata cleanup: prompt, type:

remove selected server

Value         Description

Server        The DNS name of a domain controller that you want to connect to

SiteNumber    The number associated with the site of the server that you want to
              clean up, as it appears in the list

DomainNumber  The number associated with the domain of the server that you want
              to clean up, as it appears in the list

ServerNumber  The number associated with the server that you want to clean up,
              as it appears in the list

At this point, Active Directory confirms that the domain controller was removed
successfully. If you receive an error message that indicates that the object cannot
be found, Active Directory might have already removed the domain controller.

5. At the metadata cleanup: and ntdsutil: prompts, type quit.

Delete a Server object from a site

When no Child objects are visible below the Server object in Active Directory Sites and
Services, you can remove the Server object.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group.

To delete a server object from a site

1. Open Active Directory Sites and Services.

2. Expand the Sites container, and then expand the site from which you want to
delete a Server object.

3. If no Child objects appear below the Server object, right-click the Server object,
and then click Delete.

Important
Do not delete a Server object that has a Child object. If an NTDS
Settings or other Child object appears below the Server object you want
to delete, either replication on the domain controller on which you are
viewing the Configuration container has not occurred, or the server
whose Server object you are removing has not been properly
decommissioned.

4. Click Yes to confirm your choice.

Delete a Computer object from the Domain Controllers OU

You can use this procedure to delete the Computer object for a failed domain controller. If
a domain controller fails and you cannot use the Dcpromo command to remove
Active Directory, you must forcefully remove Active Directory and then clean up server
metadata. When you perform Dcpromo normally, server metadata, the Computer object,
and the Server object for the domain controller are deleted automatically. After you
forcefully remove Active Directory, you must clean up server metadata for the failed
domain controller and then delete the Server object and Computer object manually.

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group in the
domain of the domain controller that you are removing.

To delete a Computer object from the Domain Controllers organizational unit (OU)

1. Open Active Directory Users and Computers.

2. Click the Domain Controllers OU.

3. In the details pane, right-click the Computer object that is associated with the
failed domain controller, click Delete, and then click Yes.

See Also
Forcing the Removal of a Domain Controller

Clean up server metadata

Delete a Server object from a site

Verify DNS registration and functionality

This procedure verifies that DNS is functioning so that other domain controllers can be
located.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To verify DNS registration and functionality


1. Open a Command Prompt.

2. Type the following command and then press ENTER:

netdiag /test:dns

Note
For a more detailed response from this command, add /v to the end of
the command.

If DNS is functioning, the last line of the response is DNS Test…..: Passed. The
verbose option lists specific information about what was tested. This information
can help with troubleshooting if the test fails.

If the test fails, do not attempt any additional steps until you determine and fix the
problem that prevents proper DNS functionality.

Verify communication with other domain controllers

This procedure verifies that domain controllers can be located.

Administrative Credentials

To perform this procedure, you must be a member of the Domain users group in Active
Directory.

To verify communication with other domain controllers


1. Open a Command Prompt.

2. Type the following command and then press ENTER:

netdiag /test:dsgetdc

Note
For a more detailed response from this command, add /v to the end of
the command.

If domain controllers are successfully located, the last line of the response is DC
discovery test……..: Passed. The verbose option lists the specific domain
controllers that are located.

If the test fails, do not attempt any additional steps until you determine and fix the
problem that prevents communication with other domain controllers.

Verify the availability of the operations masters

This procedure verifies that the operations masters can be located and that they are
online and responding.

Administrative Credentials

To perform this procedure, you must be a member of the Domain users group in Active
Directory.

Note
You can use these tests prior to installing Active Directory as well as afterward.
To perform the test prior to installing Active Directory, you must use the /s option
to indicate the name of a domain controller to use. You do not need the /s option
to perform the test after installing Active Directory. The test automatically runs on
the local domain controller where you are performing the test. The commands
listed in this procedure show the /s option. If you are performing this test after
installing Active Directory, omit the /s option. For a more detailed response from
this command, you can use the verbose option by adding /v to the end of the
command to see the detailed response.

To verify the availability of the operations masters

1. Open a Command Prompt.

2. Type the following command to ensure that the operations masters can be
located, and then press ENTER:

dcdiag /s:domaincontroller /test:knowsofroleholders /verbose

where domaincontroller is the name of a domain controller in the domain in which
you want to add the new domain controller. The verbose option provides a
detailed list of the operations masters that were tested. Near the bottom of the
screen, a message confirms that the test succeeded. If you use the verbose
option, look carefully at the bottom part of the displayed output. The test
confirmation message appears immediately after the list of operations masters.

3. Type the following command to ensure that the operations masters are
functioning properly and are available on the network, and then press ENTER:

dcdiag /s:domaincontroller /test:fsmocheck

where domaincontroller is the name of a domain controller in the domain in which
you want to add the new domain controller. The verbose option provides a
detailed list of the operations masters that were tested. Near the bottom of your
screen, a message confirms that the test succeeded.

If these tests fail, do not attempt any additional steps until you determine and fix
the problem that prevents locating operations masters and verifying that they are
functioning properly.
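Steps 3 to 5 of this task form a gate: each check must pass before the next is attempted, and installation must not begin until all four pass. The following Python script, added here as an example that is not part of the guide or of the netdiag and dcdiag tools, evaluates constructed samples of the result lines those commands print, in the order the task runs them, and stops at the first test that failed or whose result line is missing; the server and domain names in the samples are made up.

```python
import re

# Constructed sample outputs for the four checks, cut down to the result lines
# that matter; none of them was captured from a real server.
SAMPLE_NETDIAG_DNS = "    DNS test . . . . . . . . . . . . . : Passed\n"
SAMPLE_NETDIAG_DSGETDC = "    DC discovery test. . . . . . . . . : Passed\n"
SAMPLE_DCDIAG_ROLES = (
    "      ......................... DC1 passed test KnowsOfRoleHolders\n"
)
SAMPLE_DCDIAG_FSMO = (
    "      ......................... corp.example.com failed test FsmoCheck\n"
)

# netdiag result lines look like "<name> . . . . : Passed|Failed".
NETDIAG_RESULT = re.compile(
    r"^\s*(?P<name>[A-Za-z][A-Za-z ]*?)\s*[. ]*:\s*(?P<status>Passed|Failed)\s*$",
    re.MULTILINE,
)
# dcdiag result lines look like "..... <target> passed|failed test <TestName>".
DCDIAG_RESULT = re.compile(
    r"^\s*\.*\s*(?P<target>\S+)\s+(?P<status>passed|failed)\s+test\s+(?P<name>\w+)\s*$",
    re.MULTILINE | re.IGNORECASE,
)


def result_for(pattern, test_name, output):
    """Return True or False for the named test's result line, or None when the
    line is missing from the output (preflight treats None as a failure)."""
    for match in pattern.finditer(output):
        if match.group("name").lower() == test_name.lower():
            return match.group("status").lower() == "passed"
    return None


# The checks in the order the task runs them: (command, parser, test name, output).
PREFLIGHT_CHECKS = (
    ("netdiag /test:dns", NETDIAG_RESULT, "DNS test", SAMPLE_NETDIAG_DNS),
    ("netdiag /test:dsgetdc", NETDIAG_RESULT, "DC discovery test", SAMPLE_NETDIAG_DSGETDC),
    ("dcdiag /test:knowsofroleholders", DCDIAG_RESULT, "KnowsOfRoleHolders", SAMPLE_DCDIAG_ROLES),
    ("dcdiag /test:fsmocheck", DCDIAG_RESULT, "FsmoCheck", SAMPLE_DCDIAG_FSMO),
)


def preflight(checks):
    """Evaluate the checks in order and stop at the first one that did not pass.
    Returns (all_passed, [(command, verdict), ...]) where verdict is 'passed',
    'failed' or 'missing'."""
    report = []
    for command, pattern, test_name, output in checks:
        result = result_for(pattern, test_name, output)
        verdict = {True: "passed", False: "failed", None: "missing"}[result]
        report.append((command, verdict))
        if result is not True:
            return False, report  # do not attempt the remaining steps
    return True, report


if __name__ == "__main__":
    ok, report = preflight(PREFLIGHT_CHECKS)
    for command, verdict in report:
        print(f"{command:35} {verdict}")
    print("proceed with dcpromo" if ok else "stop: fix the failed check first")
```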

Install Active Directory

Use the Active Directory Installation Wizard to install Active Directory on a member server
in your domain to create an additional domain controller in an existing domain.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group.

To install Active Directory

1. Click Start, click Run, type dcpromo, and then press ENTER.

2. The Active Directory Installation Wizard appears. At the Welcome screen, click
Next.

3. For Domain Controller Type, select Additional domain controller for an
existing domain. Click Next.

4. For Network Credentials, enter the user name, password, and domain for the
user account that has permission to add this new domain controller to the
domain. Click Next.

5. Enter the name of the domain that you want the new domain controller to host.
Click Next.

6. For Database and Log Locations, enter the paths for the locations of the
directory database (Ntds.dit) and the log files. For better performance, store the
database and log files on separate physical disk drives. Click Next.

7. For Shared System Volume, enter the path where you want to locate the system
volume (SYSVOL). Click Next.

8. Under Directory Services Restore Mode Administrator Password, enter the
password that you want to use when you need to start Directory Services
Restore Mode. Click Next.

9. The Summary screen displays a list of the items you chose. Verify that the
information is correct, and then click Next to proceed with the installation.

10. The wizard proceeds to install Active Directory. When it finishes, the wizard
displays a summary screen listing the domain and site in which the new domain
controller is a member. Verify that this information is correct. Click Finish to close
the wizard.

11. Click Restart to restart the domain controller.

12. Let the domain controller restart. If any message indicates that one or more
services has failed to start, restart the domain controller one more time. If the
initial replication cycles have not had enough time to complete during the first
restart on a new domain controller, some services may be unable to start
successfully. If the message appears during additional restarts, examine the
event logs in Event Viewer to determine the cause of the problem.

Administering Intersite Replication

This guide provides information for administering intersite replication in the Microsoft
Windows Server 2003 operating system.

In this guide

 Introduction to Administering Intersite Replication

 Managing Intersite Replication

Acknowledgements

Published: March 2005

Applies to: Windows Server 2003

Produced by: Microsoft Windows Server User Assistance team

Writer: Mary Hillman

Editor: Jim Becker

Introduction to Administering Intersite Replication

An Active Directory Site object represents a collection of Internet Protocol (IP) subnets,
usually constituting a physical local area network (LAN). Multiple sites are connected for
replication by Site Link objects.

Sites are used in Active Directory to:

 Enable clients to discover network resources (published shares, domain controllers)
that are close to the physical location of the client, reducing network traffic over wide
area network (WAN) links.

 Optimize replication between domain controllers.

Managing sites in Active Directory involves adding new subnet, site, and site link objects
when the network grows, as well as configuring a schedule and cost for site links. You
can modify the site link schedule, cost, or both, to optimize intersite replication. When
conditions no longer require replication to a site, or clients no longer require the sites to
discover network resources, you can remove the site and associated objects from Active
Directory.

Note
Managing large hub-and-spoke topology or using the SMTP intersite replication
transport is beyond the scope of this documentation.

Managing sites:

 Enables clients to discover network resources (printers, published shares, domain
controllers) that are close to the physical location of the client, reducing network
traffic over wide area network (WAN) links.

 Optimizes replication between domain controllers.

The KCC and Replication Topology

The Knowledge Consistency Checker (KCC) uses site link configuration information to
enable and optimize replication traffic by generating a least-cost replication topology.
Within a site, for each directory partition, the KCC builds a ring topology that tries to set a
maximum number of hops (3) between any two domain controllers. Between sites, the
KCC creates a spanning tree of all intersite connections. Therefore, adding sites and
domains increases the processing that is required by the KCC. Before adding to the site
topology, be sure to consider the guidelines discussed in “Adding a new site” later in this
document.

Significant changes to site topology can affect domain controller hardware requirements.
For more information about domain controller hardware requirements, see Planning
Domain Controller Capacity on the Microsoft Web site (http://go.microsoft.com/fwlink/?
LinkId=42682).

Bridgehead Server Selection

By default, bridgehead servers are automatically selected by the intersite topology
generator (ISTG) in each site. Alternatively, you can use Active Directory Sites and
Services to select preferred bridgehead servers. However, it is recommended for
Windows 2000 deployments that you do not select preferred bridgehead servers.

Selecting preferred bridgehead servers limits the bridgehead servers that the KCC can
use to those that you have selected. If you use Active Directory Sites and Services to
select any preferred bridgehead servers at all in a site, you must select as many as
possible and you must select them for all domains that must be replicated to a different
site. If you select preferred bridgehead servers for a domain and all preferred bridgehead
servers for that domain become unavailable, replication of that domain to and from that
site does not occur.

If you have selected one or more bridgehead servers, removing them all from the
bridgehead servers list restores the automatic selection functionality to the ISTG.

Managing Intersite Replication

The following tasks for managing intersite replication are described in this objective:

 Adding a New Site

 Linking Sites for Replication

 Changing Site Link Properties

 Moving a Domain Controller to a Different Site

 Removing a Site

Adding a New Site

Design teams or network architects might want to add sites as part of ongoing
deployment. Although you typically create subnets to accommodate all address ranges in
the network, you do not need to create sites for every location. Generally, sites are
required for those locations that have domain controllers or other servers that run
applications that depend on site topology, such as Distributed File System (DFS).

When the need for a site arises, the design team typically provides details about the
placement and configuration of site links for the new site, as well as subnet assignments
or creation if subnets are needed.

If a new range of Internet Protocol (IP) addresses is added to the network, create a
Subnet object in Active Directory to correspond to the range of IP addresses. When you
create a new Subnet object, you must associate it with a Site object. You can either
associate the subnet with an existing site or create a new site first and then create the
subnet and associate it with the new site.

Task requirements

The following tool is required to perform the procedures for this task:

 Active Directory Sites and Services

To complete this task, perform the following procedures:

1. Create a site object and add it to an existing site link

2. Associate a range of IP addresses with the site by using either of the following
methods:

 Create a subnet object or objects and associate them with the new site

 Associate an existing subnet object with the new site

3. If you are creating both a new site and a new site link, after you create the new site
and add it to an existing site link, create a site link object and add the appropriate
sites. Then, if appropriate, remove the site from the first site link that you added it to
when you created the site.

4. Remove the site from the site link

Create a site object and add it to an existing site link

To create a new site, you must create a Site object and add it to a site link.

Administrative Credentials

To perform this procedure, you must be a member of the Enterprise Admins group in
Active Directory.

To create a site object and add it to an existing site link

1. Open Active Directory Sites and Services.

2. Right-click the Sites container and then click New Site.

3. In the Name box, type the name of the site.

4. In the Link Name list, click a site link for this site, and then click OK.

5. In the Active Directory message box, read the information, and then click OK.

Create a subnet object or objects and associate them with the new site

To create a Subnet object or objects and associate them with the new site, you must
have the following information:

 The site to which the subnet is to be associated.

 The network address or any IP address in the range.

 The subnet mask.

Active Directory Sites and Services converts this information into the subnet address.

Administrative Credentials

To perform this procedure, you must be a member of the Enterprise Admins group in
Active Directory.

To create a subnet object or objects and associate them with the new site

1. Open Active Directory Sites and Services.

2. Expand the Sites container, right-click Subnets, and then click New Subnet.

3. In the New Object - Subnet dialog box, in the Address box, type the network
address or any IP address within the range of IP addresses for the subnet.

4. In the Mask box, type the subnet mask.

5. In the Site Name box, click the site to which this subnet is being associated, and
then click OK.

Associate an existing subnet object with the new site

Associate an existing subnet with a site under the following conditions:

 When you are removing the site to which the subnet was associated.

 When you have temporarily associated the subnet with a different site and want to
associate it with its permanent site.

Administrative Credentials

To perform this procedure, you must be a member of the Enterprise Admins group in
Active Directory.

To associate an existing subnet object with the new site

1. Open Active Directory Sites and Services.

2. Expand the Sites container, and then click the Subnets container.

3. In the details pane, right-click the subnet with which you want to associate the
site, and then click Properties.

4. In the Site box, click the site with which to associate the subnet, and then click
OK.

Create a site link object and add the appropriate sites

Use this procedure to create a Site Link object in the IP container and add the
appropriate sites. To link sites for replication, create a Site Link object in the container for
the intersite transport that will replicate the site, and add the sites to it.

Administrative Credentials

To perform this procedure, you must be a member of the Enterprise Admins group.

To create a site link object

1. Open Active Directory Sites and Services.

2. Expand the Sites container and then the Inter-Site Transports container.

3. Right-click IP, and then click New Site Link.

4. In the Name box, type a name for the site link.

5. In the Sites not in this site link box, click a site that you want to add to the site
link. Hold down the SHIFT key to click a second site that is adjacent in the list, or
the CTRL key to click a second site that is not adjacent in the list.

6. After selecting all of the sites that you want added to the site link, click Add, and
then click OK.

Remove the site from the site link

Use Site Link properties to remove a site from a site link.

Administrative Credentials

To perform this procedure, you must be a member of the Enterprise Admins group in
Active Directory.

To remove a site from a site link

1. Open Active Directory Sites and Services.

2. Expand the Sites container and then the Inter-Site Transports container.

3. Click IP. In the details pane, right-click the site link from which you want to
remove a site, and then click Properties.

4. In the Sites in this site link box, click the site you want to remove from the site
link.

5. Click Remove, and then click OK.

Linking Sites for Replication

To link sites for replication, create a Site Link object in the IP transport container and add
two or more sites to the link. Use a naming convention that includes the sites that you are
linking. For example, if you want to link the site named Seattle to the site named Boston,
you might name the site link SEA-BOS.

After you add two or more site names to a Site Link object, the bridgehead servers in the
respective sites replicate between the sites according to the replication schedule, cost,
and interval settings on the Site Link object. For information about modifying the default
settings, see Changing Site Link Properties.

At least two sites must exist when you create a site link. If you are adding a site link to
connect a new site to an existing site, create the new site first and then create the site
link. For information about creating a site, see Adding a New Site.

Task Requirements

The following tool is required to perform the procedures for this task:

 Active Directory Sites and Services

To complete this task, perform the following procedures:

1. Create a site link object and add the appropriate sites

2. By default, the KCC runs every 15 minutes to generate the replication topology. To
generate the intersite topology immediately, perform the following two procedures:

 Determine the ISTG role owner for a site

 Generate the replication topology on the ISTG

Create a site link object and add the appropriate sites

Use this procedure to create a Site Link object in the IP container and add the
appropriate sites. To link sites for replication, create a Site Link object in the container for
the intersite transport that will replicate the site, and add the sites to it.

Administrative Credentials

To perform this procedure, you must be a member of the Enterprise Admins group.

To create a site link object

1. Open Active Directory Sites and Services.

2. Expand the Sites container and then the Inter-Site Transports container.

3. Right-click IP, and then click New Site Link.

4. In the Name box, type a name for the site link.

5. In the Sites not in this site link box, click a site that you want to add to the site
link. Hold down the SHIFT key to click a second site that is adjacent in the list, or
the CTRL key to click a second site that is not adjacent in the list.

6. After selecting all of the sites that you want added to the site link, click Add, and
then click OK.

Determine the ISTG role owner for a site

Use this procedure to view the NTDS Site Settings object properties and determine the
Intersite Topology Generator (ISTG) role owner for the site.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Users group.

To determine the ISTG role owner for a site

1. Open Active Directory Sites and Services.

2. Click the site object whose ISTG you want to determine.

3. In the details pane, right-click the NTDS Site Settings object, and then click
Properties. The current role owner appears in the Server box under Inter-Site
Topology Generator.

Generate the replication topology on the ISTG

The Knowledge Consistency Checker (KCC) runs by default every 15 minutes. If you
want to initiate topology regeneration immediately, you can force the KCC to run as
follows:

 To generate the intersite replication topology, run the KCC on the domain controller in
the site that holds the ISTG role.

 To generate the intrasite replication topology, run the KCC on any domain controller
in the site that does not hold the ISTG role.

Note
To generate the replication topology on the ISTG, you must first complete the
procedure: Determine the ISTG role owner for a site.

Administrative Credentials

To perform this procedure, you must be a member of the Enterprise Admins group.

To generate the replication topology on the ISTG

1. Open Active Directory Sites and Services.

2. Expand the Sites container, and then expand the site that contains the server on
which you want to run the KCC.

3. Expand the Servers container, and then click the Server object for the ISTG.

4. In the details pane, right-click NTDS Settings, click All Tasks, and then click
Check Replication Topology.

5. In the Check Replication Topology message box, click OK.

Changing Site Link Properties

To control which sites replicate directly with each other and when, use the cost, schedule,
and interval properties on the Site Link object.

These settings control intersite replication as follows:

 Schedule: The time during which replication can occur (the default setting allows
replication at all times).

 Interval: The number of minutes between replication polling by intersite replication
partners within the open schedule window (default is every 180 minutes).

 Cost: The relative priority of the link (default is 100). Lower relative cost increases
the priority of the link over other higher-cost links.

Consult your design documentation for information about values to set for site link
properties.
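As an added illustration (not code from this guide), the following Python models a Site Link object with the three properties just described and shows how each one affects replication: a least-cost route between sites, computed with a plain shortest-path search over link costs to illustrate the cost rule the KCC applies (it is not a reimplementation of the KCC), and the polling times that result from combining a schedule window with an interval. The site names Seattle, Boston and Chicago and the link values are constructed sample data, and the schedule model (hourly windows, a first poll when the window opens and one every interval after that) is a simplification assumed here.

```python
"""Model the cost, schedule and interval properties of a Site Link object and
show how each one affects intersite replication.

Added example, not code from the Microsoft operations guide. SAMPLE_LINKS is
constructed sample data. least_cost_route uses a plain shortest-path search to
illustrate the cost rule the KCC applies; it is not a reimplementation of the
KCC. The schedule model (hourly windows, first poll at the start of an open
window and every `interval` minutes after that) is a simplification assumed
here.
"""
import heapq
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

INF = float("inf")


@dataclass
class SiteLink:
    name: str
    sites: Set[str]
    cost: int = 100          # default cost
    interval: int = 180      # default: replicate every 180 minutes
    # Open windows as (weekday, start_hour, end_hour); an empty list means the
    # default schedule, replication allowed at all times.
    schedule: List[Tuple[int, int, int]] = field(default_factory=list)

    def is_open(self, when: datetime) -> bool:
        """True if the schedule allows replication at the given time."""
        if not self.schedule:
            return True
        return any(day == when.weekday() and start <= when.hour < end
                   for day, start, end in self.schedule)


def least_cost_route(links: List[SiteLink], src: str,
                     dst: str) -> Optional[Tuple[int, List[str]]]:
    """Dijkstra over sites, with site links as edges and link cost as weight.
    Returns (total cost, [src, ..., dst]) or None if the sites are not connected.
    Lowering a link's cost makes it preferred over higher-cost alternatives."""
    graph: Dict[str, List[Tuple[int, str]]] = {}
    for link in links:
        for a in link.sites:
            for b in link.sites:
                if a != b:
                    graph.setdefault(a, []).append((link.cost, b))
    best: Dict[str, float] = {src: 0}
    prev: Dict[str, str] = {}
    heap: List[Tuple[int, str]] = [(0, src)]
    while heap:
        cost, site = heapq.heappop(heap)
        if cost > best.get(site, INF):
            continue  # stale heap entry, a cheaper route was found already
        if site == dst:
            path = [dst]
            while path[-1] != src:
                path.append(prev[path[-1]])
            return cost, path[::-1]
        for weight, nxt in graph.get(site, []):
            if cost + weight < best.get(nxt, INF):
                best[nxt] = cost + weight
                prev[nxt] = site
                heapq.heappush(heap, (cost + weight, nxt))
    return None


def next_polls(link: SiteLink, start: str, count: int) -> List[str]:
    """Return the next `count` times ('Day HH:MM') at which bridgehead servers
    on this link poll their partners, starting from an ISO timestamp: every
    `interval` minutes while the schedule is open; when it is closed, the
    next hour at which the schedule opens again."""
    t = datetime.fromisoformat(start)
    polls: List[str] = []
    steps = 0
    while len(polls) < count and steps < 10_000:  # guard: schedule never opens
        steps += 1
        if link.is_open(t):
            polls.append(t.strftime("%a %H:%M"))
            t += timedelta(minutes=link.interval)
        else:
            t = (t + timedelta(hours=1)).replace(minute=0, second=0, microsecond=0)
    return polls


# Constructed sample data: three site links with assumed costs and schedules.
SAMPLE_LINKS: List[SiteLink] = [
    SiteLink("SEA-BOS", {"Seattle", "Boston"}, cost=100),
    SiteLink("SEA-CHI", {"Seattle", "Chicago"}, cost=40),
    SiteLink("CHI-BOS", {"Chicago", "Boston"}, cost=40, interval=60,
             schedule=[(day, 20, 24) for day in range(7)]),  # 20:00-24:00 daily
]

if __name__ == "__main__":
    # Two 40-cost hops (80) beat the direct 100-cost link.
    print("Seattle -> Boston:", least_cost_route(SAMPLE_LINKS, "Seattle", "Boston"))
    for link in SAMPLE_LINKS:
        print(link.name, next_polls(link, "2024-01-01T19:30", 5))
```

Raising the cost of SEA-BOS below 80, or removing SEA-CHI, changes the route that least_cost_route returns, which is the effect the Cost box has on replication routing; the CHI-BOS output shows that the interval only counts while the schedule window is open.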

Task Requirements

The following tool is required to perform the procedures for this task:

 Active Directory Sites and Services

To complete this task, perform the following procedures:

1. Configure the site link schedule to identify times during which intersite replication can
occur

2. Configure the site link interval to identify how often replication polling can occur
during the schedule window

3. Configure the site link cost to establish a priority for replication routing

4. Generate the intersite topology by performing the following two procedures:

 Determine the ISTG role owner for a site

 Generate the replication topology on the ISTG

Configure the site link schedule to identify times during which intersite
replication can occur

Use the properties on the Site Link object to define when replication is allowed. Obtain
the schedule from your design team.

Administrative Credentials

To perform this procedure, you must be a member of the Enterprise Admins group in
Active Directory.

To configure the site link schedule

1. Open Active Directory Sites and Services.

2. Expand the Sites container and the Inter-Site Transports container, and then
click the IP container.

3. In the details pane, right-click the Site Link object you want to configure, and then
click Properties.

4. In the SiteLinkName Properties dialog box, click Change Schedule.

5. In the Schedule for SiteLinkName dialog box, select the block of days and
hours during which you want replication to occur or not occur (available or not
available), and then click the appropriate option.

6. Click OK twice.

Configure the site link interval to identify how often replication polling can occur
during the schedule window

Use the properties on the Site Link object to determine how often during the available
replication schedule you want bridgehead servers to poll their intersite replication
partners for changes. Obtain the interval value from your design team.

Administrative Credentials

To perform this procedure, you must be a member of the Enterprise Admins group in
Active Directory.

To configure the site link interval

1. Open Active Directory Sites and Services.

2. Expand the Sites container and the Inter-Site Transports container, and then
click the IP container.

3. In the details pane, right-click the Site Link object you want to configure, and then
click Properties.

4. In the Replicate every _____ minutes box, specify the number of minutes for
the intervals at which replication polling occurs during an open schedule, and
then click OK.

Configure the site link cost to establish a priority for replication routing

When creating or modifying site links, use the object properties to configure the relative
cost of using the site link.

Administrative Credentials

To perform this procedure, you must be a member of the Enterprise Admins group in
Active Directory.

To configure the site link cost

1. Open Active Directory Sites and Services.

2. Expand the Sites container and the Inter-Site Transports container, and then
click the IP container.

3. In the details pane, right-click the Site Link object you want to configure, and then
click Properties.

4. In the Cost box, specify the number for the comparative cost of using the site
link, and then click OK.

Determine the ISTG role owner for a site

Use this procedure to view the NTDS Site Settings object properties and determine the
Intersite Topology Generator (ISTG) role owner for the site.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Users group.

To determine the ISTG role owner for a site

1. Open Active Directory Sites and Services.

2. Click the site object whose ISTG you want to determine.

3. In the details pane, right-click the NTDS Site Settings object, and then click
Properties. The current role owner appears in the Server box under Inter-Site
Topology Generator.

Generate the replication topology on the ISTG

The Knowledge Consistency Checker (KCC) runs by default every 15 minutes. If you
want to initiate topology regeneration immediately, you can force the KCC to run as
follows:

 To generate the intersite replication topology, run the KCC on the domain controller in
the site that holds the ISTG role.

 To generate the intrasite replication topology, run the KCC on any domain controller
in the site that does not hold the ISTG role.

Note
To generate the replication topology on the ISTG, you must first complete the
procedure: Determine the ISTG role owner for a site.

Administrative Credentials

To perform this procedure, you must be a member of the Enterprise Admins group.

To generate the replication topology on the ISTG

1. Open Active Directory Sites and Services.

2. Expand the Sites container, and then expand the site that contains the server on
which you want to run the KCC.

3. Expand the Servers container, and then click the Server object for the ISTG.

4. In the details pane, right-click NTDS Settings, click All Tasks, and then click
Check Replication Topology.

5. In the Check Replication Topology message box, click OK.

Moving a Domain Controller to a Different Site

If you change the IP address or the subnet-to-site association of a domain controller after
Active Directory is installed on the server, the Server object does not change sites
automatically. You must move it to the new site manually. When you move the Server
object, the Net Logon service on the domain controller registers DNS SRV resource
records for the appropriate site.

TCP/IP Settings

When you move a domain controller to a different site, if an IP address of the domain
controller is statically configured, then you must change the TCP/IP settings accordingly.
The IP address of the domain controller must map to a Subnet object that is associated
with the site to which you are moving the domain controller. If the IP address of a domain
controller does not match the site in which the Server object appears, the domain
controller might be forced to communicate over a potentially slow WAN link to locate
resources rather than locating resources in its own site.

Prior to moving the domain controller, ensure that the following TCP/IP client values are
appropriate for the new location:

 IP address, including the subnet mask and default gateway

 DNS server addresses

 WINS server addresses (if appropriate)

If the domain controller that you are moving is a DNS server, you must also:

 Change the TCP/IP settings on any clients that have static references to the domain
controller as the preferred or alternate DNS server.

 Determine whether the parent DNS zone of any zone that is hosted by this DNS
server contains a delegation to this DNS server. If yes, update the IP address in all
such delegations. For information about creating DNS delegations, see Verifying
Active Directory Installation.

Preferred Bridgehead Server Status

Before moving any Server object, check the Server object to see whether it is acting as a
preferred bridgehead server for the site. This condition has ISTG implications in both
sites, as follows:

 Site to which you are moving the server: If you move a preferred bridgehead server
to a different site, it becomes a preferred bridgehead server in the new site. If
preferred bridgehead servers are not currently in use in this site, the ISTG behavior in
this site changes to support preferred bridgehead servers. For this reason, you must
either configure the server to not be a preferred bridgehead server (recommended),
or select additional preferred bridgehead servers in the site (not recommended).

 Site from which you are moving the server: If the server is the last preferred bridgehead
server in the original site for its domain, and if other domain controllers for the domain are
in the site, the ISTG selects a bridgehead server for the domain. If you use preferred
bridgehead servers, always select more than one server as the preferred bridgehead
server for the domain. If, after the removal of this domain controller from the site, multiple
domain controllers remain that are hosting the same domain and only one of them is
configured as a preferred bridgehead server, either configure the server to not be a
preferred bridgehead server (recommended), or select additional preferred bridgehead
servers hosting the same domain in the site (not recommended).

Note
If you select preferred bridgehead servers and all selected preferred bridgehead
servers for a domain are unavailable in the site, the ISTG does not select a new
bridgehead server. In this case, replication of this domain to and from other sites
does not occur. However, if no preferred bridgehead server is selected for a
domain or transport (through administrator error or as the result of moving the
only preferred bridgehead server to a different site), the ISTG automatically
selects a preferred bridgehead server for the domain and replication proceeds as
scheduled.

Task Requirements

 My Network Places

 DNS snap-in

 Active Directory Sites and Services

 Adsiedit.msc

To complete this task, perform the following procedures in order:

1. Change the static IP address of a domain controller

2. Create a delegation for a domain controller

If the parent DNS zone of any zone that is hosted by this DNS server contains a
delegation to this DNS server, use this procedure to update the IP address in all such
delegations.

If your forest root domain has a parent DNS domain, perform this procedure on a
DNS server in the parent domain. If you just added a new domain controller to a child
domain, perform this procedure on a DNS server in the DNS parent domain. By
following recommended practices, the parent domain is the forest root domain.

3. Verify that an IP address maps to a subnet and determine the site association

4. Determine whether the server is a preferred bridgehead server

5. Configure the server to not be a preferred bridgehead server

6. Move the Server object to the new site

Change the static IP address of a domain controller

This procedure includes changing all appropriate TCP/IP values, including preferred and
alternate DNS servers, as well as WINS servers (if appropriate). Obtain these values
from the design team.

Note
If you change the static IP address of a domain controller, you must also change
related TCP/IP settings accordingly.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in the
domain of the domain controller whose IP address you are changing.

To change the static IP address of a domain controller

1. Log on locally to the domain controller whose IP address you want to change.

2. On the desktop, right-click My Network Places and then click Properties.

3. In the Network Connections dialog box, right-click Local Area Connection,
and then click Properties.

4. In the Local Area Connection Properties dialog box, double-click Internet
Protocol (TCP/IP).

5. In the Internet Protocol (TCP/IP) Properties dialog box, in the IP address box,
type the new address.

6. In the Subnet mask box, type the subnet mask.

7. In the Default gateway box, type the default gateway.

8. In the Preferred DNS server box, type the address of the DNS server that this
computer contacts.

9. In the Alternate DNS server box, type the address of the DNS server that this
computer contacts if the preferred server is unavailable.

10. If this domain controller uses WINS servers, click Advanced and then, in the
Advanced TCP/IP Settings dialog box, click the WINS tab.

11. If an address in the list is no longer appropriate, click the address, and then click
Edit.

12. In the TCP/IP WINS Server dialog box, type the new address, and then click OK.

13. Repeat steps 11 and 12 for all addresses that need to be changed, and then click
OK twice to close the TCP/IP WINS Server dialog box and the Advanced
TCP/IP Settings dialog box.

14. Click OK to close the Internet Protocol (TCP/IP) Properties dialog box.

Create a delegation for a domain controller

Use this procedure to create a delegation for a new domain controller that is also a DNS
server in the parent DNS domain.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group.

To create a delegation for a domain controller

1. Open the DNS snap-in.

2. Navigate to ChildDomain (where ChildDomain is the name of the child domain) in
the console tree.

3. In the console tree, right-click ChildDomain, and then click Properties.

4. In the ChildDomain Properties sheet, on the Name Servers tab, click Add.

5. In the New Resource Record dialog box, in the Server fully qualified domain
name (FQDN) box, type ChildDC.ChildDomain.ParentDomain (where ChildDC is
the name of the new domain controller, ChildDomain is the name of the child
domain, and ParentDomain is the name of the parent domain).

6. In the New Resource Record dialog box, in the IP address box, type IPAddress
(where IPAddress is the IP address of the child domain controller), click Add, and
then click OK.

Verify that an IP address maps to a subnet and determine the site association

Use this procedure to determine the site to which you want to add a Server object prior to
installing Active Directory, or to verify the appropriate site prior to moving a Server object
to it.

To be associated with a site, the IP address of a domain controller must map to a Subnet
object that is defined in Active Directory. The site to which the subnet is associated is the
site of the domain controller.

The subnet address, which is computed from the IP network address and the subnet
mask, is the name of a Subnet object in Active Directory. When you know the subnet
address, you can locate the Subnet object and determine the site to which the subnet is
associated.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Users group.

To verify that an IP address maps to a subnet and determine the site association

1. Log on locally or open a Terminal Services connection to the server for which you
want to check the IP address.

2. On the desktop, right-click My Network Places, and then click Properties.

3. In the Network Connections dialog box, right-click Local Area Connection,
and then click Properties.

4. Double-click Internet Protocol (TCP/IP).

5. Use the values in IP address and Subnet mask to calculate the subnet address
and then click OK.

6. Click OK again and close the Network Connections dialog box.

7. Open Active Directory Sites and Services.

8. Expand the Sites container, and then click the Subnets container.

9. In the Name column in the details pane, find the Subnet object that matches the
subnet address.

10. In the Site column, note the site to which the IP subnet address is associated.

If the site that appears in the Site box is not the appropriate site, contact a
supervisor and find out whether the IP address is incorrect or whether to move
the Server object to the site indicated by the subnet.
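The subnet-address calculation in step 5, together with the conversion that Active Directory Sites and Services performs when you create a Subnet object (described under "Create a subnet object or objects and associate them with the new site"), as an added Python example that is not part of this guide. The Subnet objects and site names are constructed sample data standing in for the Name and Site columns of the Subnets container; the example also assumes, as Active Directory does, that when overlapping Subnet objects exist the most specific one determines the site.

```python
"""Compute the subnet address that names an Active Directory Subnet object and
look up the site that subnet is associated with.

Added example, not code from the Microsoft operations guide. SAMPLE_SUBNETS is
constructed sample data standing in for the Name and Site columns of the
Subnets container in Active Directory Sites and Services.
"""
import ipaddress
from typing import Dict, Optional, Tuple


def subnet_address(ip: str, mask: str) -> str:
    """Return the subnet address for an IP address and subnet mask, in the
    network/prefix form used as the Subnet object name.

    Example: 10.1.4.37 with mask 255.255.254.0 -> "10.1.4.0/23". This is the
    conversion Active Directory Sites and Services performs from the Address
    and Mask boxes when you create a Subnet object; any address in the range
    gives the same result, which is why the guide accepts either."""
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))


def site_for_address(ip: str, subnets: Dict[str, str]) -> Optional[str]:
    """Return the site associated with the Subnet object that contains ip,
    or None when no Subnet object covers the address.

    subnets maps subnet address (object name) -> site name. When several
    Subnet objects overlap, the most specific (longest prefix) one wins,
    which is the rule assumed here for Active Directory site lookup."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, str]] = None
    for name, site in subnets.items():
        net = ipaddress.ip_network(name)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, site)
    return best[1] if best else None


# Constructed sample data: Subnet object names and their site associations.
SAMPLE_SUBNETS: Dict[str, str] = {
    "10.1.0.0/16": "Seattle",
    "10.1.4.0/23": "Seattle-Annex",   # more specific subnet inside 10.1.0.0/16
    "10.2.0.0/16": "Boston",
}


def check_server(ip: str, mask: str, target_site: str,
                 subnets: Dict[str, str] = SAMPLE_SUBNETS
                 ) -> Tuple[str, Optional[str], bool]:
    """Pre-move check for a domain controller: compute its subnet address,
    find the site that subnet maps to, and report whether that is the site
    to which the Server object is about to be moved. A False result means
    either the IP address is wrong or the Server object belongs in the site
    indicated by the subnet, which is the question step 10 tells you to raise."""
    subnet = subnet_address(ip, mask)
    site = site_for_address(ip, subnets)
    return subnet, site, site == target_site


if __name__ == "__main__":
    for ip, mask, target in [("10.1.4.37", "255.255.254.0", "Seattle-Annex"),
                             ("10.2.8.10", "255.255.0.0", "Seattle"),
                             ("192.168.50.5", "255.255.255.0", "Boston")]:
        subnet, site, ok = check_server(ip, mask, target)
        print(f"{ip:<14} subnet {subnet:<16} site {str(site):<14} "
              f"target {target}: {'match' if ok else 'MISMATCH'}")
```

The third sample address has no Subnet object at all, the case in which a domain controller cannot be associated with any site; the second maps to a subnet whose site differs from the intended one, the mismatch step 10 asks you to escalate.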

Determine whether the server is a preferred bridgehead server
Preferred bridgehead servers are distinguished by a property on the Server object that
adds the server to the preferred bridgehead server list for the IP transport.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Users group.

To view the list of preferred bridgehead servers


1. Click Start, click Run, type the following command and then press ENTER:

adsiedit.msc

2. In ADSI Edit, expand the Configuration Container and then expand
CN=Configuration,DC=ForestRootDomainName, CN=Sites, and CN=Inter-Site
Transports.

3. Right-click CN=IP and then click Properties.

4. In the Attributes box, double-click bridgeheadServerListBL.

5. If any preferred bridgehead servers are selected in any site in the forest, the
Values box displays the distinguished name for each server object that is
currently selected as a preferred bridgehead server.

Configure the server to not be a preferred bridgehead server
Use the Server object properties to remove a preferred bridgehead server from the IP
transport.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group.

To configure the server to not be a preferred bridgehead server


1. Open Active Directory Sites and Services.

2. Expand the Sites container, and then expand the site of the preferred bridgehead
server.

3. Expand the Servers node to display the list of domain controllers currently
configured for that site.

4. Right-click the server you want to remove, and then click Properties.

5. If IP appears in the list that marks this server as a bridgehead server for the IP
transport, click IP, click Remove, and then click OK.

Move the Server object to the new site


Moving a Server object requires that the IP address of the domain controller maps to the
site to which you are moving the Server object. Before performing this procedure, verify
that the IP address maps to the target site.

Administrative Credentials

To perform this procedure, you must be a member of the Enterprise Admins group.

To move the server object to the new site


1. Open Active Directory Sites and Services.

2. Expand the Sites container and the site in which the server object resides.

3. Expand the Servers container to display the domain controllers that are currently
configured for that site.

4. Right-click the Server object you want to move, and then click Move.

5. In the Site Name box, click the destination site, and then click OK.

6. Expand the Site object to which you moved the server, and then expand the
Servers container.

7. Verify that an object for the server you moved exists.

8. Expand the Server object and verify that an NTDS Settings object exists.

Within an hour, the Net Logon service on the domain controller registers the new site
information in DNS. Wait an hour and then open Event Viewer and connect to the domain
controller whose Server object you moved. Review the directory service log for Net
Logon errors regarding registration of SRV resource records in DNS that have occurred
within the last hour. The absence of errors indicates that Net Logon has updated DNS
with site-specific SRV resource records. Net Logon event ID 5774 indicates that the
registration of DNS resource records has failed. If this error occurs, contact a supervisor
and pursue DNS troubleshooting.

Removing a Site
If domain controllers are no longer needed in a network location, you can remove them
from the site and then delete the Site object. Before deleting the site, you must remove
the domain controllers from the site, either by removing them entirely or by moving them
to a new location.

• To remove the domain controller, remove Active Directory from the server and then
delete the Server object from the site in Active Directory.

• To retain the domain controller in a different location, move the domain controller to a
different site and then move the Server object to the respective site in Active
Directory.

Domain controllers can host other applications that depend on site topology and publish
objects as Child objects of the respective Server object. For example, when MOM or
Message Queuing is running on a domain controller, these applications create Child
objects beneath the Server object. In addition, a server running Message Queuing that is
not a domain controller and is configured to be a routing server running Message
Queuing creates a Server object in the Sites container. Removing the application from
the server automatically removes the Child object below the respective Server object.
However, the Server object is not removed automatically.
When all applications have been removed from the server (no Child objects appear
beneath the Server object), you can remove the Server object. After the application is
removed from the server, a replication cycle might be required before Child objects are
no longer visible below the Server object.

After you delete or move the Server objects but before you delete the Site object,
reconcile the following objects:

IP addresses:

• If the addresses are being reassigned to a different site, associate the Subnet object
or objects with that site. Any clients using the addresses for the decommissioned site
will thereafter be assigned automatically to the other site.

• If the IP addresses will no longer be used on the network, delete the corresponding
Subnet object or objects.

Site Link objects:

• If the site you are removing is added to a site link containing only two sites, delete the
Site Link object.

• If the site you are removing is added to a site link that contains more than two sites,
do not delete this Site Link object.

Before removing a site, you need to consider the implications. If the site you are
removing is added to more than one site link, it might be an interim site between other
sites that are added to this site link. Deleting the site might disconnect the outer sites
from each other. In this case, the site links must be reconciled according to the
instructions of the design team.

Task Requirements

The following tool is required to perform the procedures for this task:

• Active Directory Sites and Services

To complete this task, perform the following procedures:

1. Determine whether a Server object has child objects

2. Delete a Server object from a site

3. Delete the Site Link object

4. Associate the subnet or subnets with the appropriate site

5. Delete the Site object


6. To avoid replication errors on bridgehead servers in other sites that received
replication from the site that has been removed, generate the intersite topology in
those sites by performing the following two procedures:

• Determine the ISTG role owner for a site

• Generate the replication topology on the ISTG

Determine whether a Server object has child objects
After Active Directory is properly installed on a domain controller, the Server object for the
domain controller will have a Child NTDS-Settings object. Other applications that are
running on domain controllers can also publish Child objects.

Prior to deleting a Server object from the Servers container for a site, verify that the
Server object has no Child objects. If a Child object appears, do not delete the Server
object.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Users group.

To determine whether a server object has child objects


1. Open Active Directory Sites and Services.

2. Expand the Sites container and expand the site of the Server object.

3. Expand the Servers container, and then expand the Server object to view any
Child objects.

Delete a Server object from a site


When no Child objects are visible below the Server object in Active Directory Sites and
Services, you can remove the Server object.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group.
To delete a server object from a site
1. Open Active Directory Sites and Services.

2. Expand the Sites container, and then expand the site from which you want to
delete a Server object.

3. If no Child objects appear below the Server object, right-click the Server object,
and then click Delete.

Important
Do not delete a Server object that has a Child object. If an NTDS
Settings or other Child object appears below the Server object you want
to delete, either replication on the domain controller on which you are
viewing the Configuration container has not occurred, or the server
whose Server object you are removing has not been properly
decommissioned.

4. Click Yes to confirm your choice.

Delete the Site Link object


Use the following procedure to delete a Site Link object.

Administrative Credentials

To perform this procedure, you must be a member of the Enterprise Admins group.

To delete a site link object


1. Open Active Directory Sites and Services.

2. Expand the Sites container and the Inter-Site Transports container, and then
click the IP container.

3. In the details pane, right-click the Site Link object you want to delete, and then
click Delete.

4. Click Yes to confirm your choice.


Associate the subnet or subnets with the
appropriate site
Associate an existing subnet with a site under the following conditions:

• When you are removing the site to which the subnet was associated.

• When you have temporarily associated the subnet with a different site and want to
associate it with its permanent site.

Administrative Credentials

To perform this procedure, you must be a member of the Enterprise Admins group.

To associate the subnet or subnets with the appropriate site


1. Open Active Directory Sites and Services.

2. Expand the Sites container, and then click the Subnets container.

3. In the details pane, right-click the subnet with which you want to associate the
site, and then click Properties.

4. In the Site box, click the site with which to associate the subnet, and then click
OK.

If the IP addresses are no longer in use, delete the Subnet object or objects with
which the addresses are associated.

Delete the Site object


Delete a Site object only after you have removed all Server objects from the site and
have reassociated the subnets with a different site. The Servers container is deleted
when you delete the site.

Administrative Credentials

To perform this procedure, you must be a member of the Enterprise Admins group.

To delete the site object


1. Open Active Directory Sites and Services and click the Sites container.
2. In the details pane, right-click the site you want to delete, and then click Delete.

3. Click Yes to confirm your choice.

4. In the Active Directory message box, read the information, and then click Yes to
delete the site and its Servers container object.

Determine the ISTG role owner for a site


Use this procedure to view the NTDS Site Settings object properties and determine the
Intersite Topology Generator (ISTG) role owner for the site.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Users group.

To determine the ISTG role owner for a site


1. Open Active Directory Sites and Services.

2. Click the site object whose ISTG you want to determine.

3. In the details pane, right-click the NTDS Site Settings object, and then click
Properties. The current role owner appears in the Server box under Inter-Site
Topology Generator.

Generate the replication topology on the ISTG
The Knowledge Consistency Checker (KCC) runs by default every 15 minutes. If you
want to initiate topology regeneration immediately, you can force the KCC to run as
follows:

• To generate the intersite replication topology, run the KCC on the domain controller in
the site that holds the ISTG role.

• To generate the intrasite replication topology, run the KCC on any domain controller
in the site that does not hold the ISTG role.

Note
To generate the replication topology on the ISTG, you must first complete the
procedure: Determine the ISTG role owner for a site.

Administrative Credentials

To perform this procedure, you must be a member of the Enterprise Admins group.

To generate the replication topology on the ISTG


1. Open Active Directory Sites and Services.

2. Expand the Sites container, and then expand the site that contains the server on
which you want to run the KCC.

3. Expand the Servers container, and then click the Server object for the ISTG.

4. In the details pane, right-click NTDS Settings, click All Tasks, and then click
Check Replication Topology.

5. In the Check Replication Topology message box, click OK.

Administering the Active Directory Database
This guide provides information for administering the Active Directory database in the
Microsoft Windows Server 2003 operating system.

In this guide
• Introduction to Administering the Active Directory Database

• Managing the Active Directory Database

Acknowledgements

Published: March 2005

Applies to: Windows Server 2003

Produced by: Microsoft Windows Server User Assistance team

Writer: Mary Hillman


Editor: Jim Becker

Introduction to Administering the Active Directory Database
Active Directory is stored in the Ntds.dit database file. In addition to this file, the directory
uses log files, which store transactions prior to committing them to the database file. For
best performance, store the log files and the database on separate hard drives.

The Active Directory database is a self-maintained system and requires no daily
maintenance, other than regular backup, during ordinary operation. However, it may need
to be managed if the following conditions occur:

• Low disk space

• Pending or current hardware failure

• A need to recover physical space following bulk deletion or removal of the global
catalog

Monitor free disk space on the partition or partitions that store the directory database and
logs. The following are the recommended parameters for free space:

• Ntds.dit partition: The greater of 20 percent of the Ntds.dit file size or 500 megabytes
(MB).

• Log file partition: The greater of 20 percent of the combined log files size or 500 MB.

• Ntds.dit and logs on the same volume: The greater of 1 gigabyte (GB) or 20 percent
of the combined Ntds.dit and log files sizes.

During ordinary operation, objects are deleted from Active Directory. Deleting an object
creates white space (unused space) in the database. On a regular basis, the database
consolidates this white space through a process called defragmentation, and the white
space is reused when new objects are added (without adding to the size of the file
itself). This automatic online defragmentation redistributes and retains white space for
use by the database, but does not release it to the file system. Therefore, the database
size does not shrink, even though objects might be deleted. In cases where the data
decreases significantly, such as when the global catalog is removed from a domain
controller, white space is not automatically returned to the file system. Although this
condition does not affect database operation, it does result in large amounts of white
space in the database. You can use offline defragmentation to decrease the size of the
database file by returning white space from the database file to the file system.

Managing the Active Directory database also allows you to upgrade or replace the disk
on which the database or log files are stored or to move the files to a different location,
either permanently or temporarily.

Prior to performing any procedures that affect the directory database, be sure that you
have a current system state backup. For information about performing system state
backup, see Back up system state.

To manage the database file itself, you must take the domain controller offline by
restarting in Directory Services Restore Mode, and then use Ntdsutil.exe to manage the
file.

Note
NTFS disk compression is not supported for the database and log files.

Managing the Active Directory Database


The following tasks for managing the Active Directory database are described in this
objective:

• Relocating Active Directory Database Files

• Returning Unused Disk Space from the Active Directory Database to the File System

Relocating Active Directory Database Files
The following conditions require moving database files:

• Hardware maintenance: If the physical disk on which the database or log files are
stored requires upgrading or maintenance, the database files must be moved, either
temporarily or permanently.

• Low disk space: When free disk space is low on the logical drive that stores the
database file (Ntds.dit), the log files, or both, first verify that no other files are causing
the problem. If the database file or log files are the cause of the growth, then provide
more disk space by taking one of the following actions:

  • Expand the partition on the disk that currently stores the database file, the log files, or
  both. This procedure does not change the path to the files and does not require
  updating the registry.

  • Use Ntdsutil.exe to move the database file, the log files, or both to a larger existing
  partition. If you are not using Ntdsutil.exe when moving files to a different partition,
  you will need to manually update the registry.

If the path to the database file or log files will change as a result of moving the files, be
sure that you:

• Use Ntdsutil.exe to move the files (rather than copying them) so that the registry is
updated with the new path. Even if you are moving the files only temporarily, use
Ntdsutil.exe to move files locally so that the registry remains current.

• Perform a system state backup as soon as the move is complete so that the restore
procedure uses the correct path.

• Verify that the correct permissions are applied on the destination folder following the
move. Revise permissions to those that are required to protect the database files, if
needed.

The registry entries that Ntdsutil.exe updates when you move the database file are as
follows:

In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters:

• Database backup path

• Digital Signature Algorithm (DSA) database file

• DSA working directory

The registry entry that Ntdsutil.exe updates when you move the log files is as follows:

In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters:

• Database log files path


Disk space requirements for relocating Active Directory database files
Temporary location. Free space on the destination drive equivalent to at least the
current size of the database file, the combined log files, or both, depending on which files
you are moving.

Permanent location. Free space on the destination NTFS drive equivalent to at least the
size specified below, plus space to accommodate anticipated growth, depending on
which file or files you are moving.

Caution
The drive that is the permanent location of the database file or log files must be
formatted as NTFS.

• Database file only: The size of the database file plus 20 percent of the Ntds.dit file or
500 MB, whichever is greater.

• Log files only: The size of the combined log files plus 20 percent of the combined
logs or 500 MB, whichever is greater.

• Database and logs: If the database and log files are stored on the same partition, free
space should be at least 20 percent of the combined Ntds.dit and log files, or 1 GB,
whichever is greater.

Important
The preceding levels are minimum recommended levels. Therefore, adding
additional space according to anticipated growth is recommended.

Task Requirements

The following tools are required to perform the procedures for this task:

• net use

• dir

• xcopy

• Ntdsutil.exe

• Backup software

• Windows Explorer

Note
If you replace or reconfigure a drive that stores the SYSVOL folder, you must first
move the SYSVOL folder manually. For information about moving SYSVOL
manually, see Relocating SYSVOL Manually.

To complete this task, perform the following procedures:

Note
The domain controller will not be available during the time in which files are being
moved and until the move is verified. Ensure that alternate domain controllers are
available during the file relocation to handle the capacity.

1. Determine the size and location of the Active Directory database by using one of the
following procedures:

• Determine the database size and location online

• Determine the database size and location offline

2. Compare the size of the directory database files to the volume size

3. Back up system state

System state includes the database file and log files as well as SYSVOL and Net
Logon shared folders, among other things. Always ensure that you have a current
backup prior to moving database files.

4. Restart the domain controller in Directory Services Restore Mode by using one of the
following methods:

• Restart the domain controller in Directory Services Restore Mode locally

• Restart the domain controller in Directory Services Restore Mode Remotely

5. Move or copy the directory database and log files by performing one of the following
procedures:

• Move the directory database and log files to a local drive

• Copy the directory database and log files to a remote share

The shared folder on a remote drive must have enough free space to hold the
database file (Ntds.dit) and log files. Create separate subdirectories for copying
the database file and the log files.

6. Back up system state


Determine the database size and location online
When determining the database size and location online, the size is reported in bytes. If
you must manage the database file, the log files, or both, first determine the location and
size of the files. By default, the database file and associated log files are stored in the
%systemroot%\NTDS directory.

Important
Be sure to use the same method to check file sizes when you compare them.
The size is reported differently, depending on whether the domain controller is
online or offline. For information about determining database size offline, see
Determine the database size and location offline.

You can also use the Search command on the Start menu to locate the database file
(Ntds.dit) or the edb*.log file for the location of the database and log files, respectively.

If you have set garbage collection logging to report free disk space, then event ID 1646 in
the Active Directory service log also reports the size of the database file: “Total allocated
hard disk space (megabytes):”

Alternatively, you can determine the size of the database file by listing the contents of the
directory that contains the files.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group.

To determine the database size and location online


1. On the domain controller on which you want to manage database files, open a
command prompt and change directories to the directory containing the files you
want to manage.

2. Run the dir command to examine the database size. In the following example, the
Ntds.dit file and the log files are stored in the same directory. In the example, the
files take up 58,761,216 bytes of disk space.

H:\NTDS>dir
Volume in drive H has no label.
Volume Serial Number is 003D-0E9E

Directory of H:\NTDS

01/29/2002 11:04 AM <DIR> .
01/29/2002 11:04 AM <DIR> ..
01/28/2002 03:03 PM <DIR> Drop
01/29/2002 10:29 AM 8,192 edb.chk
01/29/2002 10:29 AM 10,485,760 edb.log
01/29/2002 10:29 AM 10,485,760 edb00001.log
01/29/2002 10:29 AM 14,696,448 ntds.dit
01/28/2002 02:54 PM 10,485,760 res1.log
01/28/2002 02:54 PM 10,485,760 res2.log
7 File(s) 58,761,216 bytes
3 Dir(s) 779,284,480 bytes free
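The free-space rule from the introduction (the greater of 20 percent or a fixed minimum, with a 1 GB floor when Ntds.dit and the logs share a volume) applied to a dir listing like the one above, as an added example that is not from the guide: Python that parses a constructed listing in the same layout, separates Ntds.dit from the log files, checks the File(s) summary against the parsed lines, and reports whether free space meets the recommended minimum. The file sizes and free-space figure in the sample are constructed values.

```python
"""Parse a Windows 'dir' listing of the NTDS folder and check its free space
against the guide's recommended minimums.

Added example, not code from the operations guide. SAMPLE_LISTING is a
constructed listing in the same layout as the guide's; its sizes and
free-space figure are illustrative only.
"""
import re

MB = 1024 * 1024
GB = 1024 * MB

# Constructed sample listing (same layout as the guide's H:\NTDS example).
SAMPLE_LISTING = """\
 Volume in drive H has no label.
 Volume Serial Number is 1234-ABCD

 Directory of H:\\NTDS

01/29/2002  11:04 AM    <DIR>          .
01/29/2002  11:04 AM    <DIR>          ..
01/28/2002  03:03 PM    <DIR>          Drop
01/29/2002  10:29 AM             8,192 edb.chk
01/29/2002  10:29 AM        10,485,760 edb.log
01/29/2002  10:29 AM        10,485,760 edb00001.log
01/29/2002  10:29 AM        14,696,448 ntds.dit
01/28/2002  02:54 PM        10,485,760 res1.log
01/28/2002  02:54 PM        10,485,760 res2.log
               6 File(s)     56,647,680 bytes
               3 Dir(s)     779,284,480 bytes free
"""

# One file entry: date, time, size with thousands separators, file name.
# Directory entries carry '<DIR>' instead of a size and do not match.
FILE_LINE = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+([\d,]+)\s+(.+?)\s*$")
SUMMARY_LINE = re.compile(r"^\s*(\d+) File\(s\)\s+([\d,]+) bytes\s*$")
FREE_LINE = re.compile(r"^\s*\d+ Dir\(s\)\s+([\d,]+) bytes free\s*$")


def _to_int(text: str) -> int:
    return int(text.replace(",", ""))


def parse_dir_listing(listing: str):
    """Return ({file name: bytes}, free bytes) from a 'dir' listing.

    The '<n> File(s) <total> bytes' summary is compared with the entries
    actually parsed, so a listing that was truncated or pasted incompletely
    is rejected instead of silently under-reporting the database size.
    """
    files, free_bytes, summary = {}, None, None
    for line in listing.splitlines():
        m = FILE_LINE.match(line)
        if m:
            files[m.group(2).lower()] = _to_int(m.group(1))
            continue
        m = SUMMARY_LINE.match(line)
        if m:
            summary = (int(m.group(1)), _to_int(m.group(2)))
            continue
        m = FREE_LINE.match(line)
        if m:
            free_bytes = _to_int(m.group(1))
    if free_bytes is None or summary is None:
        raise ValueError("listing lacks the File(s)/Dir(s) summary lines")
    if summary != (len(files), sum(files.values())):
        raise ValueError("File(s) summary does not match the parsed entries; "
                         "the listing is incomplete")
    return files, free_bytes


def database_sizes(files: dict):
    """Split sizes into Ntds.dit, the ESE log files (*.log) and everything
    else (edb.chk is the checkpoint file, which the guide's rule omits)."""
    db = files.get("ntds.dit", 0)
    logs = sum(size for name, size in files.items() if name.endswith(".log"))
    other = sum(files.values()) - db - logs
    return db, logs, other


def required_free_space(db_bytes: int, log_bytes: int, same_volume: bool):
    """Recommended minimum free space from the guide: the greater of 20 percent
    of each file set or 500 MB when Ntds.dit and the logs sit on separate
    volumes, or the greater of 20 percent of their combined size or 1 GB when
    they share a volume. 20 percent is taken as integer division by 5."""
    if same_volume:
        return {"combined": max(GB, (db_bytes + log_bytes) // 5)}
    return {"ntds.dit": max(500 * MB, db_bytes // 5),
            "logs": max(500 * MB, log_bytes // 5)}


def check_ntds_volume(listing: str) -> dict:
    """Evaluate a listing of one folder that holds both Ntds.dit and the logs."""
    files, free_bytes = parse_dir_listing(listing)
    db, logs, other = database_sizes(files)
    required = required_free_space(db, logs, same_volume=True)["combined"]
    return {"db_bytes": db, "log_bytes": logs, "other_bytes": other,
            "free_bytes": free_bytes, "required_bytes": required,
            "ok": free_bytes >= required}


if __name__ == "__main__":
    for key, value in check_ntds_volume(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

On the sample, the 1 GB floor dominates the 20 percent figure for such a small database, so the roughly 743 MB free on the volume is reported as below the recommended minimum.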

Determine the database size and location offline
When determining the database size and location offline, the size is reported in
megabytes (MB). Use this method if the domain controller is already started in Directory
Services Restore Mode.

Important
Be sure to use the same method to check file sizes when you compare them.
The size is reported differently, depending on whether the domain controller is
online or offline. For information about determining database size offline, see
Determine the database size and location offline.

You can also use the Search command on the Start menu to locate the database file
(Ntds.dit) or the edb*.log file for the location of the database and log files, respectively.

If you have set garbage collection logging to report free disk space, then event ID 1646 in
the Active Directory service log also reports the size of the database file: “Total allocated
hard disk space (megabytes):”

Alternatively, you can determine the size of the database file by listing the contents of the
directory that contains the files.
Administrative Credentials

To perform this procedure, you must be an administrator on the local computer.

To determine the database size and location offline


1. With the domain controller in Directory Services Restore Mode, open a command
prompt, type ntdsutil, and then press ENTER.

2. At the ntdsutil: prompt, type files and then press ENTER.

3. At the file maintenance: prompt, type info and press ENTER.

4. At the file maintenance: prompt, type quit and then press ENTER. Type quit
and then press ENTER again to quit Ntdsutil.exe.

Compare the size of the directory database files to the volume size
Before moving any files in response to low disk space, verify that no other files on the
volume are responsible for the condition of low disk space.

You might need to relocate the database file, the log files, or both, if disk space on the
volume on which they are stored becomes low. Before moving the database file or log
files, examine the size of the database folder, logs folder, or both, if they are stored in the
same location, relative to the size of the volume to verify that these files are the cause of
low disk space. Include the size of the SYSVOL folder if it is on the same partition.

Administrative Credentials
If you are online when comparing the size of the directory database files, you must be a
member of the Domain Users group. If you are offline, you must be an administrator on
the local computer.

To compare the size of the directory database files to the volume size
1. In Windows Explorer, click My Computer.

2. On the View menu, click Details.

3. In the Name column in the details pane, locate the volume. Make a note of the
value in the Total Size column.
4. Navigate to the folder that stores the database file, the log files, or both.

5. Right-click the folder, and then click Properties. Make a note of the value in Size
on disk.

6. If the volume includes SYSVOL, navigate to that folder and repeat step 5.

7. Compare the sizes. If the combined size of the relevant database files and
SYSVOL files (if appropriate) is significantly smaller than the volume size, then
check the contents of the volume for other files.

8. If other files are present, move those files and reassess the disk space on the
volume.

Back up system state


Ntbackup.exe provides simple and advanced options for backing up Active Directory
components. When you back up system state, you can choose to include or exclude
system-protected boot files. System-protected boot files are not used for installations
from restored backup media. When the backup file that you create is to be used for
additional domain controller installations, you can clear the advanced option to back up
system-protected files. Clearing this option decreases the size of the .bkf file, as well as
the time required to back up, restore, and copy the system state files.

Use these procedures to back up the system state only. These procedures do not back
up the system disk or any other data on the domain controller except for the system-
protected files.

Use the first procedure, "To back up system state including system-protected files," for
routine system state backup. Use the second procedure, "To back up system state
excluding system-protected files," if you want to create a smaller backup that is effective
for installing domain controllers from restored backup media.

Note
To back up system state, you must log on locally to the domain controller, or
Remote Desktop must be enabled on the remote domain controller so that you
can connect remotely.

Administrative credentials

• To perform the following two procedures, you must be a member of the Domain
Admins group or a member of the Backup Operators group.
To back up system state including system-protected files
1. To start the Windows Server 2003 backup utility, click Start, click Run, type
ntbackup, and then click OK.

This procedure provides steps for backing up in Wizard Mode. By default, the
Always Start in Wizard Mode check box is selected in the Backup or Restore
Wizard. If the Welcome to the Backup Utility Advanced Mode page appears,
click Wizard Mode to open the Backup or Restore Wizard.

2. On the Welcome to the Backup or Restore Wizard page, click Next.

3. Select Back up files and settings, and then click Next.

4. Select Let me choose what to back up, and then click Next.

5. In the Items to Back Up window, double-click My Computer.

6. In the expanded list below My Computer, check System State, and then click
Next.

7. Select a location to store the backup:

• If you are backing up to a file, type the path and file name for the backup
(.bkf) file (or click Browse to find a folder or file).

• If you are backing up to a tape unit, choose the tape that you want to use.

Note
You should not store the backup on the local hard drive. Instead,
store it in a location, such as a tape drive, away from the computer
that you are backing up.

8. Type a name for this backup according to the recommendations in Backing Up
Active Directory Components, and then click Next.

9. On the last page of the wizard, click Advanced.

10. Do not change the default options for Type of Backup. Normal should be
selected, and the check box for Backup migrated remote storage data should
remain cleared. Click Next.

11. Select Verify data after backup, and then click Next.

12. In the Backup Options dialog box, select a backup option, and then click Next.

13. If you are replacing the existing backups, select the option to allow only the
owner and administrator access to the backup data and to any backups that are
appended to this medium, and then click Next.
14. In the When to back up box, select the appropriate option for your needs, and
then click Next.

15. If you are satisfied with all of the options that are selected, click Finish to perform
the backup operation according to your selected schedule.

Note
The system state can also be backed up by using Ntbackup from a
command line with appropriate parameters. For more information, at a
command prompt type ntbackup /?.

The following procedure produces a smaller .bkf file that does not include system boot
files. By using this procedure, you can reduce the time that is required to perform the
backup and subsequent restore, as well as the amount of disk space that is required.
This method is recommended when the restored backup is to be used for installing
additional domain controllers.

To back up system state excluding system-protected files


1. To start the Windows Server 2003 backup utility, click Start, click Run, type
ntbackup, and then click OK.

2. On the Welcome to the Backup or Restore Wizard page, click Advanced
Mode, and then click the Backup tab.

3. In the console tree, select the System State check box.

4. In Backup media or file name, type a name for this backup according to the
recommendations in Backing Up Active Directory Components.

5. Click Start Backup, and then click Advanced.

6. Clear the Automatically back up System Protected Files with the System
State check box, and then click OK.

7. Click Start Backup.

See Also
Enable Remote Desktop

Create a Remote Desktop Connection


Restart the domain controller in Directory Services Restore Mode locally
If you have physical access to a domain controller, you can restart the domain controller
in Directory Services Restore Mode locally. Restarting in Directory Services Restore
Mode takes the domain controller offline. In this mode, the server is not functioning as a
domain controller.

When you start Windows Server 2003 in Directory Services Restore Mode, the local
Administrator account is authenticated by the local Security Accounts Manager (SAM)
database. Therefore, logging on requires that you use the local administrator password,
not an Active Directory domain password. This password is set during Active Directory
installation when you provide the password for Directory Services Restore Mode.

Administrative credentials

To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.

To restart the domain controller in Directory Services Restore Mode locally


1. Restart the domain controller.

2. When the screen for selecting an operating system appears, press F8.

3. On the Windows Advanced Options menu, select Directory Services Restore
Mode.

4. When you are prompted, log on as the local administrator.

See Also
Restart the domain controller in Directory Services Restore Mode Remotely

Restart the domain controller in Directory Services Restore Mode Remotely
If Remote Desktop is enabled on a domain controller, you can use Remote Desktop
Connection to connect to the domain controller remotely. Remote Desktop Connection
(formerly known as the Terminal Services client) is installed by default on all
Windows Server 2003 family operating systems.

If you use Remote Desktop Connection to connect to a domain controller remotely and
you want to restart the domain controller in Directory Services Restore Mode, you must
first modify the Boot.ini file on the remote server so that you do not lose the connection
when the domain controller restarts.

When you start Windows Server 2003 in Directory Services Restore Mode, the local
Administrator account is authenticated by the local Security Accounts Manager (SAM)
database. Therefore, logging on requires that you use the local administrator password,
not an Active Directory domain password. This password is set during Active Directory
installation when you provide the password for Directory Services Restore Mode.

Administrative credentials

To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.

To restart the domain controller in Directory Services Restore Mode remotely


1. Use Remote Desktop Connection to connect to the domain controller that you
want to restart in Directory Services Restore Mode.

2. Right-click My Computer, click Properties, and then click the Advanced tab.

3. Click Settings for startup and recovery.

4. Click the Edit button to edit the startup options file.

5. Modify the default entry to include the /SAFEBOOT:DSREPAIR switch, as shown
in the following example:

multi(0)disk(0)rdisk(0)partition(2)\WINNT="W2K DC \\your server name" /fastdetect /SAFEBOOT:DSREPAIR

Note
The /SAFEBOOT:DSREPAIR switch works for domain controllers
running Windows 2000 Server and Windows Server 2003.

6. Save the modified Boot.ini file, and then close Notepad.

7. On the Start menu, click Shut Down, and then click Restart. During the restart
process, the Terminal Services client reports that the session is disconnected.

Caution
Be sure to click Restart and not Shut Down at this step. If you click
Shut Down, you cannot restart the domain controller remotely.

8. Wait until the restart process completes on the remote domain controller, and
then reconnect the client session.

9. When the client session is reconnected, log on as the local administrator.

10. Right-click My Computer, click Properties, and then click the Advanced tab.

11. Click Settings for startup and recovery.

12. Click the Edit button to edit the startup options file.

13. Delete the /SAFEBOOT:DSREPAIR switch from the default entry in the Boot.ini
file, save the file, and then close Notepad.

Important
If you restart the domain controller before you modify the Boot.ini file, the
domain controller remains offline.

The Boot.ini file is now returned to its original state, which starts the domain
controller normally.

See Also
Enable Remote Desktop

Create a Remote Desktop Connection

Restart the domain controller in Directory Services Restore Mode locally

Move the directory database and log files to a local drive
Move the files to a temporary destination if you need to reformat the original location, or
to a permanent location if you have additional disk space. Moving the files can be
performed locally by using Ntdsutil.exe or remotely (temporarily) by using a file copy.

If you need to reformat the partition that currently stores the database file, the log files, or
both, then you must move the files temporarily while you reformat the original drive. After
you reformat the drive, use the same procedure to move the files back. Even if you are
moving the files only temporarily, use Ntdsutil.exe so that the registry is always current.

Administrative Credentials

To perform this procedure, you must be an Administrator on the local computer.

To move the directory database and log files to a local drive


1. In Directory Services Restore Mode, open a command prompt and change
directories to the current location of the directory database file (Ntds.dit) or the
log files, whichever you are moving.

2. Run the dir command and make a note of the current size and location of the
Ntds.dit file.

3. At the command prompt, type ntdsutil and then press ENTER.

4. At the ntdsutil: prompt, type files and then press ENTER.

5. To move the database file or the log files, at the file maintenance: prompt, use
the following commands:

• To move the Ntds.dit file, type:

move db to drive:\directory

• To move the log files, type:

move logs to drive:\directory

where drive:\directory specifies the path to the new location. If the directory does
not exist, then Ntdsutil.exe creates it.

Note
If the directory path contains any spaces, the entire path must be
surrounded by quotation marks (for example, move db to "g:\new
folder").

6. After the move completes, at the file maintenance: prompt, type quit and press
ENTER. Type quit again and press ENTER to quit Ntdsutil.exe.

7. Change to the destination directory and then run the dir command to confirm the
presence of the files. If you have moved the database file, then check the size of
the Ntds.dit file against the file size you noted in step 2 to be sure that you are
focused on the correct file.

8. If you are moving the database file or log files permanently, go to step 9.

If you are moving the database file or log files temporarily, you can now perform
any required updates to the original drive. After you update the drive, repeat
steps 1 through 7 to move the files back to the original location.

If the path to the database file or log files has not changed, go to step 10.

9. If the path to the database file or log files has changed from the original location,
check permissions on the database folder or logs folder while still in Directory
Services Restore Mode, as follows:

a. In Windows Explorer, right-click the folder to which you have moved the
database file or log files, and then click Properties.

b. Click the Security tab, and verify that the permissions are:

Administrators group has Allow Full Control.

System has Allow Full Control.

Inheritable permissions are not allowed (check box is cleared).

No Deny permissions are selected.

c. If the permissions in step 9b are in effect, then go to step 10. If permissions
other than those described in step 9b are in effect, then perform steps 9d
through 9k.

d. If Allow inheritable permissions from parent to propagate to this object
is selected, click to clear it.

e. When prompted, click Copy to copy previously inherited permissions to this
object.

f. If Administrators or SYSTEM, or both, are not in the Name list, click Add.

g. On the Select Users or Groups page, in the Look in: box, be sure the
name of the local computer is selected.

h. In the Name list, click System if needed, and then click Add. Repeat to add
Administrators, if needed, and then click OK.

i. On the Security tab, click System and then in the Allow column, click Full
Control. Repeat for Administrators.

j. In the Name box, click any name that is not SYSTEM or Administrators, and
then click Remove. Repeat until the only remaining accounts are
Administrators and SYSTEM, and then click OK.

Note
Some accounts might appear in the form of security identifiers
(SIDs). Remove any such accounts.

k. Click OK to close Properties.

10. At the command prompt, type ntdsutil and then press ENTER.

11. At the ntdsutil: prompt, type files and then press ENTER.

12. At the file maintenance: prompt, type integrity and then press ENTER.

If the integrity check fails, perform semantic database analysis with a fixup
record.

13. If the integrity check succeeds, type quit and press ENTER to quit the file
maintenance: prompt. Type quit again and press ENTER to quit Ntdsutil.exe.

14. Restart the domain controller normally. If you are performing this procedure
remotely over a Terminal Services connection, be sure that you have modified
the Boot.ini file for normal restarting before you restart the domain controller.

If errors appear when you restart the domain controller:

a. Restart the domain controller in Directory Services Restore Mode.

b. Check the errors in Event Viewer.

If the following events are logged in Event Viewer on restarting the domain
controller, address the events as follows:

• Event ID 1046. “The Active Directory database engine caused an exception
with the following parameters.” In this case, Active Directory cannot recover
from this error and you must restore from backup media.

• Event ID 1168. “Internal error: An Active Directory error has occurred.” In this
case, information is missing from the registry and you must restore from
backup media.
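The permission check in step 9b can be scripted instead of clicked through in Windows Explorer. The following PowerShell function is an added example, not part of the Microsoft guide; it assumes PowerShell 2.0 or later, is run while still in Directory Services Restore Mode, and takes a hypothetical path for the relocated folder. It returns every deviation from the permissions required in step 9b, so an empty result means you can continue with step 10.

```powershell
# Added example (not from the Microsoft guide): audit the ACL of the folder that
# now holds Ntds.dit or the log files against the settings required in step 9b:
# explicit Allow Full Control for Administrators and SYSTEM, no inheritance,
# no Deny entries and no other principals (including unresolved SIDs).
# Assumes PowerShell 2.0 or later, run in Directory Services Restore Mode
# as the local administrator.

function Test-NtdsFolderAcl {
    param([Parameter(Mandatory = $true)][string]$Path)

    $acl = Get-Acl -Path $Path
    $problems = @()
    $full = [int][System.Security.AccessControl.FileSystemRights]::FullControl

    # Step 9d: inheritance from the parent folder must be blocked.
    if (-not $acl.AreAccessRulesProtected) {
        $problems += 'Inheritable permissions from the parent are still allowed'
    }

    # Track whether each required principal was seen with explicit Full Control.
    $required = @{ 'BUILTIN\Administrators' = $false; 'NT AUTHORITY\SYSTEM' = $false }

    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value

        # Any Deny entry violates step 9b regardless of whom it applies to.
        if ($ace.AccessControlType -eq 'Deny') {
            $problems += "Deny entry present for $who"
            continue
        }

        if ($required.ContainsKey($who)) {
            # Full Control must be granted explicitly, not inherited (step 9e copies it).
            if ((([int]$ace.FileSystemRights) -band $full) -ne $full) {
                $problems += "$who has an entry that is less than Full Control"
            } elseif ($ace.IsInherited) {
                $problems += "$who Full Control is inherited rather than explicit"
            } else {
                $required[$who] = $true
            }
        } else {
            # Step 9j: remove every other account. Accounts that no longer resolve
            # appear as raw SIDs (S-1-5-21-...), which the guide says to remove too.
            if ($who -like 'S-1-*') {
                $problems += "Unresolved SID $who still has an entry"
            } else {
                $problems += "Unexpected account $who has an entry"
            }
        }
    }

    foreach ($name in $required.Keys) {
        if (-not $required[$name]) { $problems += "$name is missing explicit Full Control" }
    }
    # The unary comma keeps an empty result as an array instead of $null.
    return ,$problems
}

# Usage (hypothetical path for the relocated database folder).
$issues = Test-NtdsFolderAcl -Path 'D:\NTDS'
if ($issues.Count -eq 0) {
    'Folder permissions match step 9b; continue with step 10.'
} else {
    'Fix the following before continuing (steps 9d through 9k):'
    $issues | ForEach-Object { "  - $_" }
}
```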

Copy the directory database and log files to a remote share
When copying any database files from the local computer, always copy both the
database file and the log files.

If you need to move the database file or the log files while you reconfigure the drive on
which they are currently stored, and you do not have sufficient space to move the files
locally, then you can use the xcopy command to copy the files to a remote shared folder
temporarily, and then use the same procedure to copy them back to the original drive.
You can use this method as long as the path to the files does not change.

Important
When relocating any database files (the database file or the log files) off the local
computer, always copy both the database file and the log files so that all of the
files necessary to restore the directory service are maintained.

Administrative Credentials

To perform this procedure, you must be an Administrator on the local computer.

To copy the directory database and log files to a remote share and back to the
local computer

1. In Directory Services Restore Mode, open a command prompt and change
directories to the current location of the database file (Ntds.dit) or the log files. If
the database file and log files are in different locations, perform step 2 for each
directory.

2. Run the dir command and make a note of the current size and location of the
Ntds.dit file and the log files.

3. Establish a network connection to a shared folder, as shown below. Because you
are logged on as the local administrator, unless permissions on the shared folder
include the built-in Administrator account, you must provide a domain name, user
name, and password for an account that has Write permissions on the shared
folder.

In the example below, \\SERVER1\NTDS is the name of the shared folder. K: is
the drive that you have mapped to the shared folder. Example text that describes
information that you type is shown in bold. After typing the first line and pressing
ENTER, Ntdsutil.exe prompts you for the password. Type the password and then
press ENTER.

H:\>net use K: \\SERVER1\NTDS /user:domainName\userName *
Type the password for \\SERVER1\NTDS:
Drive K: is now connected to \\SERVER1\NTDS
The command completed successfully.

4. Use the xcopy command to copy the database file and log files to the location
you established in step 3. In the example where the database file is located in
H:\WINNT\NTDS and the share has the subdirectory database, the text you type
is shown in bold:

H:\>xcopy WINNT\NTDS K:\DB

The command copies the contents of WINNT\NTDS to the subfolder database in
the shared folder described as drive K:. If the database file and log files are in
different locations, repeat the xcopy command for the log files, specifying the
subfolder for the log files.

5. Change drives to the new location and run the dir command to compare the file
sizes to those listed in step 2. Use this step to ensure that you copy the correct
set of files back to the local computer.

6. At this point, you can safely destroy data on the original local drive.

7. After the destination drive is prepared, re-establish a connection to the network
drive as described in step 3, if necessary.

8. Copy the database and log files from the remote shared folder back to the
original location on the domain controller.

9. At the command prompt, type ntdsutil and then press ENTER.

10. At the ntdsutil: prompt, type files and then press ENTER.

11. At the file maintenance: prompt, type integrity and then press ENTER.

12. If the integrity check fails, perform semantic database analysis with a fixup
record.

13. If the integrity check succeeds, type quit and press ENTER to quit the file
maintenance: prompt. Type quit again and press ENTER to quit Ntdsutil.exe.

14. Restart the domain controller normally. If you are performing this procedure
remotely over a Terminal Services connection, be sure that you have modified
the Boot.ini file for normal restarting before you restart the domain controller.

If errors appear when you restart the domain controller:

1. Restart the domain controller in Directory Services Restore Mode.

2. Check the errors in Event Viewer.

If the following events are logged in Event Viewer on restarting the domain controller,
respond to the events as follows:

• Event ID 1046. “The Active Directory database engine caused an exception with
the following parameters.” In this case, Active Directory cannot recover from this
error and you must restore from backup media.

• Event ID 1168. “Internal error: An Active Directory error has occurred.” In this
case, information is missing from the registry and you must restore from backup
media.

Returning Unused Disk Space from the Active Directory Database to the File System
During ordinary operation, the white space in the Active Directory database file becomes
fragmented. Each time garbage collection runs (every 12 hours, by default), white space
is automatically defragmented online to optimize its use within the database file. The
unused disk space is thereby maintained for the database; it is not returned to the file
system.

Only offline defragmentation can return unused disk space from the directory database to
the file system. When database contents have decreased considerably through a bulk
deletion (for example, you remove the global catalog from a domain controller), or if the
size of the database backup is significantly increased due to the white space, use offline
defragmentation to reduce the size of the Ntds.dit file.

You can determine how much free disk space is recoverable from the Ntds.dit file by
setting the garbage collection logging level in the registry. Changing the garbage
collection logging level from the default value of 0 to a value of 1 results in event ID 1646
being logged in the directory service log. This event describes the total amount of disk
space used by the database file as well as the amount of free disk space that is
recoverable from the Ntds.dit file through offline defragmentation.

At garbage collection logging level 0, only critical events and error events are logged in
the directory service log. At level 1, high-level events are logged as well. Events can
include one message for each major task that is performed by the service. At level 1, the
following events are logged for garbage collection:

• Event IDs 700 and 701: report when online defragmentation begins and ends,
respectively.

• Event ID 1646: reports the amount of free space available in the database out of the
amount of allocated space.

Caution
Setting the value of entries in the Diagnostics subkey to greater than 3 can
degrade server performance and is not recommended.

Following offline defragmentation, perform a database integrity check. The integrity
command in Ntdsutil.exe detects binary-level database corruption by reading every byte
in the database file. The process ensures that the correct headers exist in the database
itself and that all of the tables are functioning and consistent. Therefore, depending upon
the size of your Ntds.dit file and the domain controller hardware, the process might take
considerable time. In testing environments, the speed of 2 GB per hour is considered to
be typical. When you run the command, an online graph displays the percentage
completed.

Task requirements

The following tools are required to perform the procedures for this task:

• Regedit.exe

• Backup software

• Ntdsutil.exe

To complete this task, perform the following procedures:

1. Change the garbage collection logging level to 1

2. Back up system state

3. Use one of the following procedures:

• Restart the domain controller in Directory Services Restore Mode locally

If you are logged on to the domain controller locally, restart the domain controller
in Directory Services Restore Mode.

• Restart the domain controller in Directory Services Restore Mode Remotely

If you are using Remote Desktop Connection for remote administration, you can
restart the domain controller remotely in Directory Services Restore Mode after
modifying the Boot.ini file on the remote server.

4. Compact the directory database file (offline defragmentation)

As part of the offline defragmentation procedure, check directory database integrity.

5. If database integrity check fails, perform semantic database analysis with fixup

Change the garbage collection logging level to 1
Check the directory service event log for event ID 1646, which reports the amount of disk
space that you can recover by performing offline defragmentation.

The garbage collection logging level is an NTDS diagnostics setting in the registry.

Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group.

Caution
The Registry Editor bypasses standard safeguards, allowing settings that can
damage your system or even require you to reinstall Windows. If you must edit
the registry, back up system state first. For information about backing up system
state, see Introduction to Administering Active Directory Backup and Restore.

To change the garbage collection logging level


1. Click Start, click Run, type regedit and then press ENTER.

2. In Registry Editor, navigate to the Garbage Collection entry in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

3. Double-click Garbage Collection, and for the Base, click Decimal.

4. In the Value data box, type 1, and then click OK.
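The same change, with the Caution above enforced and the resulting event ID 1646 read back from the directory service log, can be done from PowerShell. This is an added example, not part of the Microsoft guide; it assumes PowerShell 2.0 or later and that the entry under the Diagnostics subkey is the registry value named "6 Garbage Collection" (the guide refers to it simply as the Garbage Collection entry).

```powershell
# Added example (not from the Microsoft guide): set the NTDS garbage collection
# logging level through the registry and read back event ID 1646, which reports
# how much space offline defragmentation could recover from Ntds.dit.
# Assumes PowerShell 2.0 or later and that the Diagnostics value is named
# "6 Garbage Collection" (the guide calls it the Garbage Collection entry).

$DiagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$GcValue = '6 Garbage Collection'

function Set-GarbageCollectionLogging {
    param([int]$Level = 1)
    # The guide cautions that Diagnostics levels above 3 can degrade performance.
    if ($Level -lt 0 -or $Level -gt 3) {
        throw "Refusing logging level $Level; use a value from 0 to 3"
    }
    $current = (Get-ItemProperty -Path $DiagKey -Name $GcValue).$GcValue
    Set-ItemProperty -Path $DiagKey -Name $GcValue -Value $Level -Type DWord
    # Return the previous level so it can be restored once event 1646 has been read.
    return $current
}

function Get-RecoverableSpaceEvent {
    # Event 1646 is written by the next garbage collection run (every 12 hours by
    # default), so it may not exist yet right after the level is changed. Filter on
    # EventID rather than InstanceId, because NTDS instance IDs carry extra
    # severity bits above the 16-bit event number.
    Get-EventLog -LogName 'Directory Service' -Newest 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 1646 } |
        Select-Object -First 1 TimeGenerated, Message
}

# Usage: raise the level to 1, check for the event later, then restore the old level.
$previous = Set-GarbageCollectionLogging -Level 1
$report = Get-RecoverableSpaceEvent
if ($report) {
    $report.Message
} else {
    'Event 1646 not logged yet; check again after the next garbage collection.'
}
# Set-GarbageCollectionLogging -Level $previous   # restore once the figures are recorded
```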

Back up system state
Ntbackup.exe provides simple and advanced options for backing up Active Directory
components. When you back up system state, you can choose to include or exclude
system-protected boot files. System-protected boot files are not used for installations
from restored backup media. When the backup file that you create is to be used for
additional domain controller installations, you can clear the advanced option to back up
system-protected files. Clearing this option decreases the size of the .bkf file, as well as
the time required to back up, restore, and copy the system state files.

Use these procedures to back up the system state only. These procedures do not back
up the system disk or any other data on the domain controller except for the system-
protected files.

Use the first procedure, "To back up system state including system-protected files," for
routine system state backup. Use the second procedure, "To back up system state
excluding system-protected files," if you want to create a smaller backup that is effective
for installing domain controllers from restored backup media.

Note
To back up system state, you must log on locally to the domain controller, or
Remote Desktop must be enabled on the remote domain controller so that you
can connect remotely.

Administrative credentials

To perform the following two procedures, you must be a member of the Domain
Admins group or a member of the Backup Operators group.

To back up system state including system-protected files


1. To start the Windows Server 2003 backup utility, click Start, click Run, type
ntbackup, and then click OK.

This procedure provides steps for backing up in Wizard Mode. By default, the
Always Start in Wizard Mode check box is selected in the Backup or Restore
Wizard. If the Welcome to the Backup Utility Advanced Mode page appears,
click Wizard Mode to open the Backup or Restore Wizard.

2. On the Welcome to the Backup or Restore Wizard page, click Next.

3. Select Back up files and settings, and then click Next.

4. Select Let me choose what to back up, and then click Next.

5. In the Items to Back Up window, double-click My Computer.

6. In the expanded list below My Computer, check System State, and then click
Next.

7. Select a location to store the backup:

• If you are backing up to a file, type the path and file name for the backup
(.bkf) file (or click Browse to find a folder or file).

• If you are backing up to a tape unit, choose the tape that you want to use.

Note
You should not store the backup on the local hard drive. Instead,
store it in a location, such as a tape drive, away from the computer
that you are backing up.

8. Type a name for this backup according to the recommendations in Backing Up
Active Directory Components, and then click Next.

9. On the last page of the wizard, click Advanced.

10. Do not change the default options for Type of Backup. Normal should be
selected, and the check box for Backup migrated remote storage data should
remain cleared. Click Next.

11. Select Verify data after backup, and then click Next.

12. In the Backup Options dialog box, select a backup option, and then click Next.

13. If you are replacing the existing backups, select the option to allow only the
owner and administrator access to the backup data and to any backups that are
appended to this medium, and then click Next.

14. In the When to back up box, select the appropriate option for your needs, and
then click Next.

15. If you are satisfied with all of the options that are selected, click Finish to perform
the backup operation according to your selected schedule.

Note
The system state can also be backed up by using Ntbackup from a
command line with appropriate parameters. For more information, at a
command prompt type ntbackup /?.

The following procedure produces a smaller .bkf file that does not include system boot
files. By using this procedure, you can reduce the time that is required to perform the
backup and subsequent restore, as well as the amount of disk space that is required.
This method is recommended when the restored backup is to be used for installing
additional domain controllers.

To back up system state excluding system-protected files


1. To start the Windows Server 2003 backup utility, click Start, click Run, type
ntbackup, and then click OK.

2. On the Welcome to the Backup or Restore Wizard page, click Advanced
Mode, and then click the Backup tab.

3. In the console tree, select the System State check box.

4. In Backup media or file name, type a name for this backup according to the
recommendations in Backing Up Active Directory Components.

5. Click Start Backup, and then click Advanced.

6. Clear the Automatically back up System Protected Files with the System
State check box, and then click OK.

7. Click Start Backup.

See Also
Enable Remote Desktop

Create a Remote Desktop Connection

Restart the domain controller in Directory Services Restore Mode locally
If you have physical access to a domain controller, you can restart the domain controller
in Directory Services Restore Mode locally. Restarting in Directory Services Restore
Mode takes the domain controller offline. In this mode, the server is not functioning as a
domain controller.

When you start Windows Server 2003 in Directory Services Restore Mode, the local
Administrator account is authenticated by the local Security Accounts Manager (SAM)
database. Therefore, logging on requires that you use the local administrator password,
not an Active Directory domain password. This password is set during Active Directory
installation when you provide the password for Directory Services Restore Mode.

Administrative credentials

To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.

To restart the domain controller in Directory Services Restore Mode locally


1. Restart the domain controller.

2. When the screen for selecting an operating system appears, press F8.

3. On the Windows Advanced Options menu, select Directory Services Restore
Mode.

4. When you are prompted, log on as the local administrator.

See Also
Restart the domain controller in Directory Services Restore Mode Remotely

Restart the domain controller in Directory Services Restore Mode Remotely
If Remote Desktop is enabled on a domain controller, you can use Remote Desktop
Connection to connect to the domain controller remotely. Remote Desktop Connection
(formerly known as the Terminal Services client) is installed by default on all
Windows Server 2003 family operating systems.

If you use Remote Desktop Connection to connect to a domain controller remotely and
you want to restart the domain controller in Directory Services Restore Mode, you must
first modify the Boot.ini file on the remote server so that you do not lose the connection
when the domain controller restarts.

When you start Windows Server 2003 in Directory Services Restore Mode, the local
Administrator account is authenticated by the local Security Accounts Manager (SAM)
database. Therefore, logging on requires that you use the local administrator password,
not an Active Directory domain password. This password is set during Active Directory
installation when you provide the password for Directory Services Restore Mode.

Administrative credentials

To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.

To restart the domain controller in Directory Services Restore Mode remotely


1. Use Remote Desktop Connection to connect to the domain controller that you
want to restart in Directory Services Restore Mode.

2. Right-click My Computer, click Properties, and then click the Advanced tab.

3. Click Settings for startup and recovery.

4. Click the Edit button to edit the startup options file.

5. Modify the default entry to include the /SAFEBOOT:DSREPAIR switch, as shown
in the following example:

multi(0)disk(0)rdisk(0)partition(2)\WINNT="W2K DC \\your server name" /fastdetect /SAFEBOOT:DSREPAIR

Note
The /SAFEBOOT:DSREPAIR switch works for domain controllers
running Windows 2000 Server and Windows Server 2003.

6. Save the modified Boot.ini file, and then close Notepad.

7. On the Start menu, click Shut Down, and then click Restart. During the restart
process, the Terminal Services client reports that the session is disconnected.

Caution
Be sure to click Restart and not Shut Down at this step. If you click
Shut Down, you cannot restart the domain controller remotely.

8. Wait until the restart process completes on the remote domain controller, and
then reconnect the client session.

9. When the client session is reconnected, log on as the local administrator.

10. Right-click My Computer, click Properties, and then click the Advanced tab.

11. Click Settings for startup and recovery.

12. Click the Edit button to edit the startup options file.

13. Delete the /SAFEBOOT:DSREPAIR switch from the default entry in the Boot.ini
file, save the file, and then close Notepad.

Important
If you restart the domain controller before you modify the Boot.ini file, the
domain controller remains offline.

The Boot.ini file is now returned to its original state, which starts the domain
controller normally.
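Steps 5 and 13 of this procedure (and of its earlier occurrence under the task for moving the directory database) edit the same Boot.ini entry by hand, and the Important note explains the cost of forgetting step 13. The following PowerShell is an added example, not part of the Microsoft guide, that adds the /SAFEBOOT:DSREPAIR switch to the default entry and removes it again with the same function; it assumes PowerShell 2.0 or later and that Boot.ini is at C:\Boot.ini.

```powershell
# Added example (not from the Microsoft guide): add or remove the
# /SAFEBOOT:DSREPAIR switch on the default entry of Boot.ini (steps 5 and 13).
# Assumes PowerShell 2.0 or later and Boot.ini at C:\Boot.ini.

$DsrmSwitch = '/SAFEBOOT:DSREPAIR'

function Set-DsrmBootSwitch {
    param(
        [Parameter(Mandatory = $true)][string[]]$Lines,   # Boot.ini contents, one line each
        [switch]$Remove                                   # remove the switch instead of adding it
    )
    # The default= line in [boot loader] names the ARC path of the default entry.
    $defaultLine = $Lines | Where-Object { $_ -match '^\s*default\s*=' } | Select-Object -First 1
    if (-not $defaultLine) { throw 'Boot.ini has no default= line' }
    $arcPath = ($defaultLine -replace '^\s*default\s*=', '').Trim()
    $pattern = '\s+' + [regex]::Escape($DsrmSwitch)

    $found = $false
    $result = foreach ($line in $Lines) {
        # The matching entry in [operating systems] begins with that ARC path and '='.
        $isDefault = $line.TrimStart().StartsWith($arcPath + '=',
                         [System.StringComparison]::OrdinalIgnoreCase)
        if (-not $found -and $isDefault) {
            $found = $true
            if ($Remove) {
                # Step 13: strip the switch; -replace is case-insensitive by default.
                $line = $line -replace $pattern, ''
            } elseif ($line -notmatch $pattern) {
                # Step 5: append the switch once, after the existing switches.
                $line = $line.TrimEnd() + ' ' + $DsrmSwitch
            }
        }
        $line
    }
    if (-not $found) { throw "No [operating systems] entry matches the default entry $arcPath" }
    return $result
}

function Update-BootIni {
    param([string]$Path = 'C:\Boot.ini', [switch]$Remove)
    # Boot.ini is read-only, hidden and system; clear those attributes before writing.
    attrib -r -s -h $Path
    $updated = Set-DsrmBootSwitch -Lines (Get-Content -Path $Path) -Remove:$Remove
    Set-Content -Path $Path -Value $updated -Encoding Ascii
    attrib +r +s +h $Path
}

# Constructed sample built from the entry shown in step 5 (not a real Boot.ini).
$sample = @(
    '[boot loader]',
    'timeout=30',
    'default=multi(0)disk(0)rdisk(0)partition(2)\WINNT',
    '[operating systems]',
    'multi(0)disk(0)rdisk(0)partition(2)\WINNT="W2K DC \\your server name" /fastdetect'
)
$armed    = Set-DsrmBootSwitch -Lines $sample            # last line gains /SAFEBOOT:DSREPAIR
$restored = Set-DsrmBootSwitch -Lines $armed -Remove     # last line is back to the original
# On the live server: Update-BootIni before step 7, and Update-BootIni -Remove at step 13.
```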

See Also
Enable Remote Desktop

Create a Remote Desktop Connection

Restart the domain controller in Directory Services Restore Mode locally

Compact the directory database file (offline defragmentation)
As part of the offline defragmentation procedure, check directory database integrity.
Performing offline defragmentation creates a new, compacted version of the database file
in a different location. This location can be either on the same computer or a network-
mapped drive. However, to avoid potential problems related to network issues, perform
this procedure locally.

After compacting the file to the temporary location, copy the compacted Ntds.dit file back
to the original location. If possible, maintain a copy of the original database file that you
have either renamed in its current location or copied to an archival location.

Note
To perform this procedure, the domain controller must be started in Directory
Services Restore Mode.

Administrative Credentials

To perform this procedure, you must be an administrator on the local domain controller. At
the remote location, you must have Read and Write permissions on the destination drive
and the shared folder.

Disk Space

• Current database drive. Free space on the drive that contains the file equivalent to
at least 15 percent of the current size of the database for temporary storage during
the index rebuild process.

• Destination database drive. Free space equivalent to at least the current size of the
database for storage of the compacted database file.

To perform offline defragmentation of the directory database


1. In Directory Services Restore Mode, compact the database file to a local
directory or remote shared folder, as follows:

• Local directory: Go to step 2.

• Remote directory: If you are compacting the database file to a shared folder
on a remote computer, establish a network connection to the shared folder as
shown below. Because you are logged on as the local administrator, unless
permissions on the shared folder include the built-in Administrator account,
you must provide a domain name, user name, and password for a domain
account that has Write permissions on the shared folder. In the example
below, \\SERVER1\NTDS is the name of the shared folder, and K: is the drive
that you are mapping to the shared folder. After typing the first line and
pressing ENTER, Ntdsutil.exe prompts you for the password. Type the
password and then press ENTER.

H:\>net use K: \\SERVER1\NTDS /user:domainName\userName *
Type the password for \\SERVER1\NTDS:
Drive K: is now connected to \\SERVER1\NTDS
The command completed successfully.

2. Type the following command at a command prompt and then press ENTER:

ntdsutil

3. At the ntdsutil: prompt, type files and then press ENTER.

4. At the file maintenance: prompt, type compact to drive:\LocalDirectoryPath
(where drive:\LocalDirectoryPath is the path to a location on the local computer)
and then press ENTER.

If you have mapped a drive to a shared folder on a remote computer, type the
drive letter only (for example, compact to K:\).

Note
When compacting to a local drive, you must provide a path. If the path
contains any spaces, enclose the entire path in quotation marks (for
example, compact to "c:\new folder"). If the directory does not exist,
Ntdsutil.exe creates it and creates the file named Ntds.dit in that location.

5. If defragmentation completes successfully, type quit and press ENTER to quit
the file maintenance: prompt. Type quit again and press ENTER to quit
Ntdsutil.exe. Go to step 6. If defragmentation completes with errors, go to step 9.

Caution
Do not overwrite the original Ntds.dit file or delete any log files.

6. If defragmentation succeeds with no errors, then follow the Ntdsutil.exe onscreen
instructions to:

a. Delete all of the log files in the log directory by typing:

del drive:\pathToLogFiles\*.log

Note
You do not need to delete the Edb.chk file.

b. If space allows, either rename the original Ntds.dit file to preserve it or else
copy it to a different location. Avoid overwriting the original Ntds.dit file.

c. Manually copy the compacted database file to the original location, as
follows:

copy temporaryDrive:\ntds.dit originalDrive:\pathToOriginalDatabaseFile\ntds.dit

7. Type ntdsutil and then press ENTER.

8. At the ntdsutil: prompt, type files and then press ENTER.

9. At the file maintenance: prompt, type integrity and then press ENTER.

If the integrity check fails, the likely cause is that an error occurred during the
copy operation in step 6c. Repeat steps 6c through 9. If the integrity check
fails again:

• Contact Microsoft Product Support Services.

-or-

• Copy the original version of the Ntds.dit file that you preserved in step 6b to
the original database location and repeat the offline defragmentation
procedure.

10. If the integrity check succeeds, proceed as follows:

• If the initial compact to command failed, go back to step 4 and perform steps
4 through 9.

• If the initial compact to command succeeded, type quit and press ENTER to
quit the file maintenance: prompt, and then type quit and press ENTER
again to quit Ntdsutil.exe.

11. Restart the domain controller normally. If you are connected remotely through a
Terminal Services session, be sure that you have modified the Boot.ini file for
normal restarting before you restart the domain controller.

If errors appear when you restart the domain controller:

1. Restart the domain controller in Directory Services Restore Mode.

2. Check the errors in Event Viewer.

If the following events are logged in Event Viewer on restarting the domain controller,
respond to the events as follows:

• Event ID 1046. “The Active Directory database engine caused an exception with
the following parameters.” In this case, Active Directory cannot recover from this
error and you must restore from backup media.

• Event ID 1168. “Internal error: An Active Directory error has occurred.” In this
case, information is missing from the registry and you must restore from backup
media.

3. Check database integrity and then proceed as follows:

If the integrity check fails, try repeating steps 6c through 9 above, and then
repeat the integrity check. If the integrity check fails again:

• Contact Microsoft Product Support Services.

-or-

• Copy the original version of the Ntds.dit file that you preserved in step 6b to the
original database location and repeat the offline defragmentation procedure.

If the integrity check succeeds, perform semantic database analysis with fixup.

4. If semantic database analysis with fixup succeeds, quit Ntdsutil.exe and restart the
domain controller normally.

If semantic database analysis with fixup fails, contact Microsoft Product Support
Services.

If database integrity check fails, perform semantic database analysis with fixup

When you run semantic database analysis with the Go Fixup command instead of the Go
command, errors are written into Dsdit.dmp.xx log files. A progress indicator reports the
status of the check.

Note
To perform this procedure, the domain controller must be started in Directory
Services Restore Mode.

Administrative Credentials

To perform this procedure, you must be an administrator on the local computer.

To perform semantic database analysis with fixup


1. In Directory Services Restore Mode, open a Command Prompt.

2. Type the following command and then press ENTER:

ntdsutil

3. At the ntdsutil: prompt, type semantic database analysis and then press
ENTER.

4. At the semantic checker: prompt, type verbose on and then press ENTER.

5. At the semantic checker: prompt, type go fixup and then press ENTER.

• If errors are reported during the semantic database analysis Go Fixup phase,
perform directory database recovery.

Caution
Do not confuse the recover command with the repair command.
Never use the repair command in Ntdsutil.exe. Forest-wide data loss
can occur.

• If semantic database analysis with fixup succeeds, type quit and then type
quit again to close Ntdsutil.exe, and then restart the domain controller
normally. If you are performing this procedure remotely over a Terminal
Services connection, be sure that you have modified the Boot.ini file for
normal restarting before you restart the domain controller.
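The Ntdsutil.exe steps of the offline defragmentation procedure and of semantic database analysis with fixup, driven from PowerShell as an added example that is not part of this guide: it checks the disk-space prerequisites first, preserves the original Ntds.dit, and stops at the first step that reports a failure. Assumptions: the database and its logs are in the default %windir%\ntds folder, C:\NtdsCompact is a scratch directory you choose, and Ntdsutil.exe accepts its menu commands as command-line arguments ("files" "compact to ..." "q" "q"); run it in Directory Services Restore Mode as a local administrator.

```powershell
# Added example, not code from the guide. Runs the Ntdsutil.exe steps of the offline
# defragmentation procedure, then the integrity check and semantic database analysis
# with fixup. Assumptions (labelled): database and logs in the default %windir%\ntds
# folder, C:\NtdsCompact as a scratch directory, and Ntdsutil.exe accepting its menu
# commands as command-line arguments.
param(
    [string]$DitPath = (Join-Path $env:windir 'ntds\ntds.dit'),   # assumed default location
    [string]$DestDir = 'C:\NtdsCompact'                            # assumed scratch directory
)

function Get-FreeBytes([string]$Path) {
    # Free space, in bytes, on the volume that holds $Path.
    $drive = Split-Path -Qualifier $Path          # e.g. "C:"
    $disk  = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
    return [long]$disk.FreeSpace
}

function Test-DefragPrerequisites([string]$Dit, [string]$Dest) {
    # The guide's disk-space rule: 15 percent of the database size free on the current
    # drive (index rebuild) and 100 percent of it free on the destination drive.
    $ditSize = (Get-Item $Dit -ErrorAction Stop).Length
    if ((Get-FreeBytes $Dit) -lt [long]($ditSize * 0.15)) {
        throw "Database drive needs at least 15 percent of $ditSize bytes free"
    }
    if (-not (Test-Path $Dest)) { New-Item -ItemType Directory -Path $Dest | Out-Null }
    if ((Get-FreeBytes $Dest) -lt $ditSize) {
        throw "Destination drive cannot hold a full copy of Ntds.dit ($ditSize bytes)"
    }
}

function Invoke-Ntdsutil([string[]]$Commands) {
    # Each array element is one Ntdsutil menu command; the trailing "q" "q" back out
    # of the submenu and then out of Ntdsutil.exe. The output is returned for inspection.
    $out = & ntdsutil.exe $Commands | Out-String
    Write-Host $out
    return $out
}

function Invoke-OfflineDefrag([string]$Dit, [string]$Dest) {
    Test-DefragPrerequisites $Dit $Dest
    $ntdsDir = Split-Path -Parent $Dit

    # Steps 2-5: compact to the scratch directory. The live folder is not touched unless
    # Ntdsutil reports success, so a failed compact leaves the original database intact.
    $out = Invoke-Ntdsutil @('files', "compact to $Dest", 'q', 'q')
    if ($out -notmatch 'Operation completed successfully') {
        throw 'compact to failed; run the integrity check on the original database'
    }

    # Step 6a: delete the transaction logs (Edb.chk may stay).
    Remove-Item (Join-Path $ntdsDir '*.log') -ErrorAction Stop
    # Step 6b: preserve the original Ntds.dit rather than overwrite it.
    $backup = $Dit + '.' + (Get-Date -Format 'yyyyMMddHHmmss') + '.bak'
    Rename-Item -Path $Dit -NewName (Split-Path -Leaf $backup) -ErrorAction Stop
    # Step 6c: copy the compacted database into the original location.
    Copy-Item (Join-Path $Dest 'ntds.dit') $Dit -ErrorAction Stop

    # Steps 7-9: integrity check of the copied file.
    $out = Invoke-Ntdsutil @('files', 'integrity', 'q', 'q')
    if ($out -notmatch 'Integrity check successful') {
        throw "Integrity check failed; restore $backup to $Dit and repeat the procedure"
    }

    # Semantic database analysis with fixup: errors are written to Dsdit.dmp.* files in
    # the current directory, so a new dump file after the run means errors were found.
    $before = @(Get-ChildItem -Path . -Filter 'dsdit.dmp.*' -ErrorAction SilentlyContinue)
    $out = Invoke-Ntdsutil @('semantic database analysis', 'verbose on', 'go fixup', 'q', 'q')
    $after = @(Get-ChildItem -Path . -Filter 'dsdit.dmp.*' -ErrorAction SilentlyContinue)
    if ($after.Count -gt $before.Count) {
        throw 'Semantic database analysis with fixup reported errors; see the Dsdit.dmp.* files and perform directory database recovery'
    }
    Write-Host "Offline defragmentation complete; original preserved as $backup. Restart the domain controller normally."
}

Invoke-OfflineDefrag $DitPath $DestDir
```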

Administering Domain Controllers


This guide provides information for administering Active Directory domain controllers in
the Microsoft Windows Server 2003 operating system.

In this guide

• Introduction to Administering Domain Controllers

• Managing Domain Controllers

Acknowledgements

Published: March 2005

Applies to: Windows Server 2003

Produced by: Microsoft Windows Server User Assistance team

Writer: Shala Brandolini

Editor: Jim Becker


Introduction to Administering Domain Controllers

Although installed domain controllers require little management, your overall operations
environment might require change-related tasks such as adding or removing domain
controllers, including managing the preparation and shipment of domain controllers to
remote sites. During your day-to-day operations, you might need to do some or all of the
following:

• Install and remove Active Directory

• Rename domain controllers

• Add domain controllers to remote sites

Installing and Removing Active Directory


To create a new domain controller, install Active Directory on a computer that is running
Windows Server 2003 or Windows Server 2003 with Service Pack 1 (SP1). Installing
domain controllers to create a forest and new domains is a deployment task that you
perform when you initially deploy your forest, and it is beyond the scope of this guide.
However, as your forest grows, you might need to add more domain controllers to
existing domains.

There are several reasons for adding a new domain controller. Additional applications
that are Active Directory–integrated (as opposed to running on domain controllers) might
require more domain controllers to meet increased capacity requirements, to provide
upgrades and fault tolerance, and to reduce failures. You might add a new site where users require a domain
controller for logging on to the domain. For more information about criteria and best
practices for deploying domain controllers, see Designing and Deploying Directory and
Security Services on the Microsoft Web site (http://go.microsoft.com/fwlink/?
LinkId=45801).

When a domain controller is no longer needed, remove Active Directory. The process of
removing Active Directory involves steps similar to the steps for installation. You run
many of the same tests before you remove the directory as you ran before you installed
the directory. These tests ensure that the process occurs without any problems. In the
event that a domain controller suffers a hardware failure and you plan to never return it to
service, you must use a procedure that forces Active Directory removal and then take
additional steps to remove the server object and its metadata from the directory.

Renaming Domain Controllers

You often need to rename a domain controller for organizational or administrative
reasons or when the computer hardware must be replaced. Renaming a domain
controller requires that Domain Name System (DNS) resource records be updated with
the new Internet Protocol (IP)-to-host name mappings and that service principal names
(SPNs) replicate to all domain controllers in the domain. You must also update File
Replication service (FRS) objects.

Adding Domain Controllers to Remote Sites


If enough directory users are employed in a remote site, especially in a site that has slow
connectivity to the hub site, you might need to add a domain controller to the site to
provide directory access for logons and searches. Specifically, you can either install a
domain controller in the hub site and ship it to the site or install the domain controller in
the remote site. When you install the domain controller in the remote site, Active Directory
must be sourced in one of two ways:

• By Active Directory replication over the wide area network (WAN) link

• Directly from restored backup media

Assuming that the remote site is connected to a hub site by a WAN link and does not
contain a domain controller for the domain, you might want to avoid the additional time
and the performance impact of replicating the full replica of Active Directory over the
WAN when you add a new domain controller to the remote site. In this case, you can use
backup media to install Active Directory.

If you want to install a domain controller from backup media, both the source of the
backup and the target server that is to be promoted to a domain controller must be
running Windows Server 2003 or Windows Server 2003 with SP1, and the operating
system of the source of the backup and the target server must be the same. The
hardware platform (32-bit or 64-bit) of the two computers must also match. Restoring
from backup media eliminates the need to use replication to create the Active Directory
replica on the new domain controller.

Managing Domain Controllers


Managing domain controllers involves the following tasks:

• Create an additional domain controller in an existing domain. This task involves
preparation steps of gathering information and configuring the TCP/IP and Domain
Name System (DNS) client settings. You can use the following methods to install
Active Directory to create an additional domain controller in an existing domain:

  • Run the Active Directory Installation Wizard, and use Active Directory replication
  to create the Active Directory replica and File Replication service (FRS)
  replication to create the System Volume (Sysvol) replicas.

  • Run the Active Directory Installation Wizard, and use restored system state
  backup media to create the Active Directory and Sysvol replicas.

  • Create an answer file and use the Unattend.txt file to provide the information that
  the Active Directory Installation Wizard requires.

  • Perform tests to verify that Active Directory is properly installed and the domain
  controller is functioning.

• Add domain controllers to remote sites. When you prepare and ship an additional
domain controller to a remote site, you can either install the domain controller before
shipping or install the domain controller in the remote site.

  • When you install a domain controller in a hub site or staging site before
  shipment, you must disconnect the domain controller for a period, which requires
  careful preparation. When you reconnect the domain controller, Active Directory
  replication brings the domain controller up to date.

  • When you install the domain controller in the remote site, you can use a restored
  system state backup to avoid having to replicate Active Directory over a wide
  area network (WAN) link.

• Remove Active Directory from (decommission) a properly functioning domain
controller. This task includes first removing operations master roles (also known as
flexible single-master operation (FSMO) roles) and the global catalog, if necessary.

• Force the removal of a nonfunctioning domain controller from a domain. If a domain
controller is not functioning properly on the network, the Active Directory Installation
Wizard cannot contact other domain controllers and DNS servers that are required
for Active Directory removal. In this case, a special version of the wizard can be
invoked to forcefully remove objects that represent the server as a domain controller
from Active Directory.

• Rename a domain controller. You can now rename a domain controller without
removing Active Directory. New functionality is available in the Netdom tool when the
domain functional level is Windows Server 2003. This new functionality provides
better preparation for DNS and service recognition of the new domain controller
name. You can also use System Properties, which does not require a domain
functional level and does not provide the same preparation, but which relies solely on
replication to update the domain controller DNS name and service principal name
(SPN). This method can result in a longer delay before clients can use the renamed
domain controller.

In addition, to protect domain controllers from infection by viruses that can corrupt
directory data or cause software or hardware failure, an integral step in installing any
domain controller is to install antivirus software.

Managing Antivirus Software on Domain Controllers

Because domain controllers provide critical services to their clients, it is crucial to
minimize the risk of disruption of these services caused by malicious code.

Antivirus software is the generally accepted way to mitigate the risk of such malevolent
activity. However, one cannot simply install the antivirus software (from any vendor) on a
domain controller and tell it to scan everything. Instead, it must be installed in a manner
that mitigates the risk to the highest possible level while not interfering with the
performance of the domain controllers in performing their directory service duties.

Installing effective antivirus software on domain controllers minimizes the risk that their
activities will be disrupted by malicious code.

Guidelines for Managing Antivirus Software on Domain Controllers

Follow the guidelines established by your antivirus software vendor.

Note
Verify that the antivirus software you are adding is confirmed to work on domain
controllers.

The following recommendations are general and should not be construed as more
important than the specific antivirus software vendor’s own recommendations. These
guidelines must be followed for correct Active Directory and FRS operation.

Note
Test the chosen antivirus software solution thoroughly in a lab environment to
ensure that the software does not compromise the stability of the system.

• Antivirus software must be installed on all domain controllers in the enterprise.
Ideally, such software should also be installed on all other server and client systems
that have to interact with the domain controllers. Catching the virus at the earliest
point, at the firewall or on the client system on which the virus is first introduced, is
best—that will prevent the virus from ever reaching the infrastructure systems upon which
all clients depend.

• Use a version of antivirus software that is confirmed to work with Active Directory and
uses the correct APIs for accessing files on the server. Older versions of most
vendors’ software inappropriately modified file metadata as it was scanned, causing
the FRS replication engine to think the file was changed and to schedule it for
replication. Newer versions prevent this problem. For more information about
antivirus software versions and FRS, see article 815263, "Antivirus, backup, and disk
optimization programs that are compatible with the File Replication service" in the
Microsoft Knowledge Base on the Microsoft Web site (http://go.microsoft.com/fwlink/?
LinkID=4441), and see the vendor-specific sites for compliant versions.

• Prevent the use of domain controller systems as general workstations. Users should
not be using a domain controller to surf the Web or perform any other activities that
could allow the introduction of malicious code.

• When possible, do not use the domain controller as a file sharing server. Virus
scanning software must be run against all files in those shares and could place an
unsatisfactory load on the processor and memory resources of the server.

Files Not at Risk of Infection


Exclude the following files and folders from being scanned. These files are not at risk of
infection and including them could cause serious performance problems due to file
locking and excessive replication between domain controllers. Furthermore, they may
cause Active Directory and FRS to work improperly, causing Active Directory or FRS data
loss. Where a specific set of files is identified by name, exclude only those files rather
than the entire folder. In some cases, the entire folder must be excluded.

Do not exclude any of these based on the file name extension (that is, do not exclude all
files with a .dit extension). Microsoft has no control over other software that might use
the same extension as the files shown here. AV software must not modify any data files
in the logs, database, and/or DSA working directories specified below.

• Active Directory and related files:

  • Main NTDS database files. The location of these files is specified in:

    HKLM\System\Services\NTDS\Parameters\DSA Database File

    Default location is %windir%\ntds.

    The file to be excluded is: NTDS.dit (on Windows 2000).

  • Active Directory transaction log files. The log directory on any given server is
  specified in:

    HKLM\System\Services\NTDS\Parameters\Database Log Files Path

    Default location is %windir%\ntds.

    The specific files to be excluded are:

    • EDB*.log (notice the wildcard—there can be several)

    • RES1.log

    • RES2.log

  • NTDS Working folder specified in:

    HKLM\System\Services\NTDS\Parameters\DSA Working Directory

    Specific files to be excluded are:

    • TEMP.edb

    • EDB.chk

• SYSVOL files

  • FRS Working Directory specified in:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory

    Files to be excluded:

    • FRS Working Dir\jet\sys\edb.chk

    • FRS Working Dir\jet\ntfrs.jdb

    • FRS Working Dir\jet\log\*.log

  • FRS Database Log files specified in:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\DB Log File Directory

    Default location is %windir%\ntds.

    Files to be excluded:

    • FRS Working Dir\jet\log\*.log (if registry key is not set)

    • DB Log File Directory\log\*.log (if registry key is set)

  • FRS Replica_root files specified in:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Root

  • Staging directory found in:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage

  • FRS Preinstall directory located at:

    <Replica_root>\DO_NOT_REMOVE_NtFrs_PreInstall_Directory

    The Preinstall directory is always open exclusively when FRS is running.
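The exclusion list above, built from the live registry values the guide names rather than the defaults, as an added example that is not part of this guide. It uses the full HKLM\SYSTEM\CurrentControlSet\Services\... paths that the abbreviated NTDS keys in the text resolve to; it only reads the registry and prints the paths to hand to the antivirus console.

```powershell
# Added example, not code from the guide: prints the antivirus exclusion list for this
# domain controller from the registry values the guide names, one replica set at a time.
# Read-only; nothing is changed.

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns $null when the key or the value is absent instead of raising an error.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Get-DcAvExclusions {
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $frs  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
    $excl = @()

    # Active Directory database, transaction logs and working folder.
    $dit = Get-RegValue $ntds 'DSA Database File'
    if ($dit) { $excl += $dit }
    $logDir = Get-RegValue $ntds 'Database Log Files Path'
    if ($logDir) {
        foreach ($f in 'EDB*.log', 'RES1.log', 'RES2.log') { $excl += (Join-Path $logDir $f) }
    }
    $work = Get-RegValue $ntds 'DSA Working Directory'
    if ($work) {
        foreach ($f in 'TEMP.edb', 'EDB.chk') { $excl += (Join-Path $work $f) }
    }

    # FRS working directory and its Jet database.
    $frsWork = Get-RegValue $frs 'Working Directory'
    if ($frsWork) {
        $excl += (Join-Path $frsWork 'jet\sys\edb.chk')
        $excl += (Join-Path $frsWork 'jet\ntfrs.jdb')
    }
    # FRS database logs: "DB Log File Directory" wins when it is set, as the list says.
    $frsLog = Get-RegValue $frs 'DB Log File Directory'
    if ($frsLog) { $excl += (Join-Path $frsLog 'log\*.log') }
    elseif ($frsWork) { $excl += (Join-Path $frsWork 'jet\log\*.log') }

    # One replica root, preinstall directory and staging directory per replica set
    # (SYSVOL and any DFS replica sets); the GUID in the guide's path is the subkey name.
    $setsKey = Join-Path $frs 'Replica Sets'
    if (Test-Path $setsKey) {
        foreach ($set in Get-ChildItem $setsKey) {
            $root  = Get-RegValue $set.PSPath 'Replica Set Root'
            $stage = Get-RegValue $set.PSPath 'Replica Set Stage'
            if ($root) {
                $excl += $root
                $excl += (Join-Path $root 'DO_NOT_REMOVE_NtFrs_PreInstall_Directory')
            }
            if ($stage) { $excl += $stage }
        }
    }
    return $excl | Select-Object -Unique
}

Get-DcAvExclusions
```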

The following tasks for managing domain controllers are described in this objective:

• Preparing for Active Directory Installation

• Installing a Domain Controller in an Existing Domain

• Adding Domain Controllers in Remote Sites

• Installing a Domain Controller in an Existing Domain Using Restored Backup Media

• Performing an Unattended Installation of Active Directory

• Verifying Active Directory Installation

• Renaming a Domain Controller

• Decommissioning a Domain Controller

• Forcing the Removal of a Domain Controller

Preparing for Active Directory Installation


Properly preparing for the installation of Active Directory decreases the chances of
problems occurring during the installation process and helps you quickly complete the
operation.

There are a number of requirements for installing Active Directory on a new domain
controller in an existing domain. This task addresses general requirements with respect
to Domain Name System (DNS) configuration, placement of the domain controller in a
site, and connectivity for the Active Directory Installation Wizard.

After you have gathered all the information that you need to run the Active Directory
Installation Wizard and you have performed the tests to verify that all the necessary
domain controllers are available, you are ready to install Active Directory on your server
and create an additional domain controller in the domain.

Preparation includes installing and configuring DNS and gathering information that you
need for the installation.

Configuring DNS
The DNS client is always present on a server running Windows Server 2003. A DNS
server must be present in the forest that stores DNS data for the server. You should
properly configure both the DNS client and the DNS server to ensure that name
resolution and related dependencies will function as expected during the installation of
Active Directory.

Ensure that any required configuration, forwarders, or zones are present and accessible
prior to installation. For more information about DNS configuration best practices, see
Designing the Active Directory Logical Structure on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=25466).

Site Placement
During installation, the Active Directory Installation Wizard attempts to place the new
domain controller in the appropriate site. The appropriate site is determined by the
domain controller’s IP address and subnet mask. The wizard uses the IP information to
calculate the subnet address of the domain controller and checks to see if a Subnet
object exists in the directory for that subnet address. If the Subnet object exists, the
wizard uses it to place the new Server object in the appropriate site. If not, the wizard
places the new Server object in the same site as the domain controller that is being used
as a source to replicate the directory database to the new domain controller. Make sure
the Subnet object has been created for the desired site prior to running the wizard.

A site is allocated according to the following rules:

1. If you specify a site in the Unattended text file that is used to create the new domain
controller, the domain controller will be placed directly into that site when it is built.

2. If no site is specified in the Unattended text file when the new domain controller is
built, then by default the domain controller will be placed in a site based on its IP
address.

3. If you specify a replica partner in the Unattended text file but do not specify a site, the
new domain controller should be placed in the replica partner's site.

4. If the replica partner or site is not specified, then the allocation of the site is random.
It will depend on the replica partner selected for initial replication.

Domain Connectivity
During the installation process, the Active Directory Installation Wizard needs to
communicate with other domain controllers to join the new domain controller to the
domain. The wizard needs to communicate with a member of the domain to receive the
initial copy of the directory database for the new domain controller. It communicates with
the domain naming master for domain installs only, so that the new domain controller can
be added to the domain. The wizard also needs to contact the relative ID (RID) master so
that the new domain controller can receive its RID pool, and it needs to communicate
with another domain controller in order to populate the SYSVOL shared folder on the new
domain controller. All of this communication depends on proper DNS installation and
configuration. By using Netdiag.exe and Dcdiag.exe, you can test all of these
connections prior to starting the Active Directory Installation Wizard.

Task requirements

During the installation process, the wizard needs to communicate with other domain
controllers to add this new domain controller to the domain and get the appropriate
information into the Active Directory database. To maintain security, you must provide
credentials that allow administrative access to the directory.

Before you begin your installation, the following conditions must exist in your
environment:

• Your Active Directory forest root domain must already exist.

• If you are installing a new domain controller in a child domain, there should be at
least two properly functioning domain controllers in the forest root domain.

• DNS must be functioning properly. In this guide, it is assumed that you are using
Active Directory–integrated DNS zones. You must have configured at least one
domain controller as a DNS server.

Creating or removing a domain or forest is beyond the scope of this guide.

The following information and tools are necessary to complete this task:

• The Active Directory Installation Wizard asks for the following specific configuration
information before it begins installing Active Directory:

  • A domain administrator’s user name and password

  • A location to store the directory database and log files

  • A location to store the shared system volume files (SYSVOL)

  • The password to use for Directory Services Restore Mode

  • The fully qualified DNS name of the domain to which the new domain controller
  will be added

• My Network Places

• Adsiedit.msc

• Netdiag.exe

• Active Directory Sites and Services

• Dcdiag.exe

To complete this task, perform the following procedures:

1. Install the DNS Server service

2. Verify DNS registration and functionality

3. Verify that an IP address maps to a subnet and determine the site association

4. Verify communication with other domain controllers

5. Verify the availability of the operations masters

Caution
If any verification test fails, do not continue until you determine what went wrong
and fix the problems. If these tests fail, the installation is also likely to fail.

Install the DNS Server service


Assign a static IP address, rather than a dynamically assigned IP address, to any
computer that acts as a DNS server. To perform this procedure, your DNS infrastructure
must already exist, function properly, and be configured to use Active Directory-integrated
zones. This procedure describes the steps to add an additional DNS server into the DNS
infrastructure.

Administrative Credentials

To perform this procedure, you must be a member of either the Domain Admins group or
the Enterprise Admins group.

To install the DNS server service


1. Ensure that the computer is using a static IP address by right-clicking My
Network Places and then clicking Properties.

2. In the Network Connections dialog box, right-click the connection that
represents the connection this computer uses to attach to your network. The
default label is Local Area Connection, but this can be changed, so it might not
be labeled the same on your computer. Click Properties.

3. In the Local Area Connection Properties dialog box, click once on Internet
Protocol (TCP/IP) to highlight it (be sure that you do not clear the check box in
front of it), and then click Properties.

4. In the Internet Protocol (TCP/IP) Properties dialog box, ensure that Use the
following IP address: is selected and that a valid IP address, subnet mask, and
default gateway appear. Click OK to close the dialog box. Click OK again to
return to your desktop.

5. In Control Panel, click Add or Remove Programs. Click Add/Remove
Windows Components.

6. Scroll down to Networking Services. Highlight it and click Details.

7. In the Networking Services dialog box, select the check box in front of Domain
Name System (DNS). Click OK.

8. Click Next. Provide the location of the installation files, if necessary. After the
installation is complete, click Finish to end the wizard, and then click Close to
exit Add or Remove Programs.

Verify DNS registration and functionality


This procedure verifies that DNS is functioning so that other domain controllers can be
located.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To verify DNS registration and functionality


1. Open a Command Prompt.

2. Type the following command and then press ENTER:

netdiag /test:dns

Note
For a more detailed response from this command, add /v to the end of
the command.

If DNS is functioning, the last line of the response is DNS Test…..: Passed. The
verbose option lists specific information about what was tested. This information
can help with troubleshooting if the test fails.

If the test fails, do not attempt any additional steps until you determine and fix the
problem that prevents proper DNS functionality.

Verify that an IP address maps to a subnet and determine the site association

Use this procedure to determine the site to which you want to add a Server object prior to
installing Active Directory, or to verify the appropriate site prior to moving a Server object
to it.

To be associated with a site, the IP address of a domain controller must map to a Subnet
object that is defined in Active Directory. The site to which the subnet is associated is the
site of the domain controller.

The subnet address, which is computed from the IP network address and the subnet
mask, is the name of a Subnet object in Active Directory. When you know the subnet
address, you can locate the Subnet object and determine the site to which the subnet is
associated.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Users group.

To verify that an IP address maps to a subnet and determine the site association

1. Log on locally or open a Terminal Services connection to the server for which you
want to check the IP address.

2. On the desktop, right-click My Network Places, and then click Properties.

3. In the Network Connections dialog box, right-click Local Area Connection,
and then click Properties.

4. Double-click Internet Protocol (TCP/IP).

5. Use the values in IP address and Subnet mask to calculate the subnet address
and then click OK.

6. Click OK again and close the Network Connections dialog box.

7. Open Active Directory Sites and Services.

8. Expand the Sites container, and then click the Subnets container.

9. In the Name column in the details pane, find the Subnet object that matches the
subnet address.

10. In the Site column, note the site to which the IP subnet address is associated.

If the site that appears in the Site box is not the appropriate site, contact a
supervisor and find out whether the IP address is incorrect or whether to move
the Server object to the site indicated by the subnet.
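Step 5 (the subnet address computed from the IP address and subnet mask) and steps 7 through 10 (finding the Subnet object and reading its site) done from PowerShell, as an added example that is not part of this guide. Assumptions: the sample address 10.1.2.3 with mask 255.255.255.0 is constructed, and the directory lookup binds to the configuration partition of the forest you are logged on to.

```powershell
# Added example, not code from the guide: derive the Subnet object name from an IP
# address and mask, then read the siteObject of that Subnet object from
# CN=Subnets,CN=Sites in the configuration partition.

function Get-SubnetAddress([string]$IPAddress, [string]$SubnetMask) {
    # Subnet objects are named network/prefix-length, e.g. 10.1.2.0/24, so the network
    # address (IP AND mask) and the number of set mask bits are both needed.
    $ip   = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $mask = [System.Net.IPAddress]::Parse($SubnetMask).GetAddressBytes()
    $net  = @()
    $prefix = 0
    for ($i = 0; $i -lt 4; $i++) {
        $net += [int]($ip[$i] -band $mask[$i])
        $b = [int]$mask[$i]
        while ($b -ne 0) {                      # count the set bits of this mask octet
            $prefix += ($b -band 1)
            $b = [int][math]::Floor($b / 2)
        }
    }
    return ('{0}.{1}.{2}.{3}/{4}' -f $net[0], $net[1], $net[2], $net[3], $prefix)
}

function Get-SiteForSubnet([string]$SubnetName) {
    # A search is used rather than a direct LDAP:// bind because the "/" in the subnet
    # name would otherwise have to be escaped in the ADsPath.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $config   = "$($rootDse.configurationNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Subnets,CN=Sites,$config"
    $searcher.Filter = "(&(objectClass=subnet)(cn=$SubnetName))"
    [void]$searcher.PropertiesToLoad.Add('siteObject')
    $result = $searcher.FindOne()
    if ($result -eq $null) { return $null }                           # no Subnet object at all
    if ($result.Properties['siteobject'].Count -eq 0) { return $null } # subnet not tied to a site
    $siteDn = [string]$result.Properties['siteobject'][0]              # CN=<site>,CN=Sites,...
    return ($siteDn.Split(',')[0] -replace '^CN=', '')
}

# Constructed sample input; use the values from the TCP/IP Properties dialog box.
$subnet = Get-SubnetAddress '10.1.2.3' '255.255.255.0'     # gives 10.1.2.0/24
$site   = Get-SiteForSubnet $subnet
if ($site -eq $null) {
    # Without a matching Subnet object the wizard places the server in the source
    # domain controller's site, so create the Subnet object before running it.
    Write-Host "No Subnet object for $subnet is associated with a site."
} else {
    Write-Host "$subnet is associated with site $site"
}
```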

Verify communication with other domain controllers

This procedure verifies that domain controllers can be located.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Users group in Active
Directory.

To verify communication with other domain controllers


1. Open a Command Prompt.

2. Type the following command and then press ENTER:

netdiag /test:dsgetdc

Note
For a more detailed response from this command, add /v to the end of
the command.

If domain controllers are successfully located, the last line of the response is DC
discovery test……..: Passed. The verbose option lists the specific domain
controllers that are located.

If the test fails, do not attempt any additional steps until you determine and fix the
problem that prevents communication with other domain controllers.

Verify the availability of the operations masters

This procedure verifies that the operations masters can be located and that they are
online and responding.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Users group in Active
Directory.

Note
You can run these tests before or after installing Active Directory. Before
installation, use the /s option to name a domain controller to test against. After
installation, omit /s; the test then runs against the local domain controller. The
commands in this procedure include the /s option. For a more detailed response,
add /v to the end of the command.

To verify the availability of the operations masters


1. Open a Command Prompt.

2. Type the following command to ensure that the operations masters can be
located, and then press ENTER:

dcdiag /s:domaincontroller /test:knowsofroleholders /v

where domaincontroller is the name of a domain controller in the domain in which
you want to add the new domain controller. The /v option lists each operations
master that was tested. The message confirming that the test passed appears
immediately after that list, near the bottom of the output, so check the last
lines carefully.

3. Type the following command to ensure that the operations masters are
functioning properly and are available on the network, and then press ENTER:

dcdiag /s:domaincontroller /test:fsmocheck /v

where domaincontroller is the name of a domain controller in the domain in which
you want to add the new domain controller. With /v, the output lists the
operations masters that were contacted, followed by a message near the bottom
of the screen confirming that the test passed.
If either test fails, do not attempt any additional steps until you determine and fix
the problem that prevents the operations masters from being located or from
responding.
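The three locator checks above are usually run one after another before Dcpromo is started. The following script is an added example, not part of the guide, that runs them together and refuses to continue if any of them fails. It assumes that netdiag.exe and dcdiag.exe from the Support Tools are on the PATH, that the hypothetical source domain controller is DC01.contoso.com, and that the success strings it matches ("DC discovery test ... : Passed", "passed test" / "failed test") are the ones these tools print on Windows Server 2003.

```powershell
# Added example (not from the guide): gate dcpromo on the locator checks.
# Assumptions: Support Tools on PATH; $SourceDC is a DC in the target domain.
# Omit /s: (pass an empty string) once the server is itself a domain controller.
param([string]$SourceDC = "DC01.contoso.com")

function Test-AdLocator {
    # netdiag prints "DC discovery test. . . . : Passed" when a DC is found.
    $out = & netdiag.exe /test:dsgetdc /v 2>&1 | Out-String
    $ok  = $out -match 'DC discovery test[\s\.]*:\s*Passed'
    if (-not $ok) { Write-Warning "DC discovery failed:`n$out" }
    return $ok
}

function Test-OperationsMasters([string]$Dc) {
    # dcdiag prints "<server> passed test <Name>" or "<server> failed test <Name>".
    $ok = $true
    foreach ($t in 'KnowsOfRoleHolders', 'FsmoCheck') {
        $args = @("/test:$t", '/v')
        if ($Dc -ne '') { $args = @("/s:$Dc") + $args }
        $out = & dcdiag.exe $args 2>&1 | Out-String
        if ($out -match 'failed test' -or $out -notmatch 'passed test') {
            Write-Warning "dcdiag /test:$t did not pass:`n$out"
            $ok = $false
        }
    }
    return $ok
}

if ((Test-AdLocator) -and (Test-OperationsMasters $SourceDC)) {
    Write-Host "Pre-installation checks passed; it is safe to run dcpromo."
} else {
    Write-Host "Fix the reported problem before installing Active Directory."
    exit 1
}
```

The script deliberately treats "no pass message at all" the same as an explicit failure, so a tool that cannot run (missing binary, wrong credentials) also blocks the installation rather than being silently skipped.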

Installing a Domain Controller in an Existing Domain
This task covers the installation of Active Directory onto a Windows Server 2003 system
that will become a domain controller in an existing Active Directory domain. To ensure
successful installation of a new domain controller, you should verify that all critical
services that Active Directory depends on are configured following Microsoft best
practices. For more information about best practices for planning, testing, and deploying
Active Directory, see Designing and Deploying Directory and Security Services on the
Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=27638).

Task Requirements

The following tool is required to perform the procedure for this task:

Dcpromo.exe

To complete this task, perform the following procedure:

 Install Active Directory

You can also install Active Directory from installation media or by performing an
unattended installation. For information about completing each of these tasks, see the
following:
Installing a Domain Controller in an Existing Domain Using Restored Backup Media

Performing an Unattended Installation of Active Directory

Install Active Directory


Use the Active Directory Installation Wizard to install Active Directory on a member server
in your domain to create an additional domain controller in an existing domain.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group.

To install Active Directory


1. Click Start, click Run, type dcpromo and then press ENTER.

2. The Active Directory Installation Wizard appears. At the Welcome screen, click
Next.

3. For Domain Controller Type, select Additional domain controller for an
existing domain. Click Next.

4. For Network Credentials, enter the user name, password, and domain for the
user account that has permission to add this new domain controller to the
domain. Click Next.

5. Enter the name of the domain that you want the new domain controller to host.
Click Next.

6. For Database and Log Locations, enter the paths for the locations of the
directory database (Ntds.dit) and the log files. For better performance, store the
database and log files on separate physical disk drives. Click Next.

7. For Shared System Volume, enter the path where you want to locate the system
volume (SYSVOL). Click Next.

8. Under Directory Services Restore Mode Administrator Password, enter the
password that you want to use when you need to start Directory Services
Restore Mode. Click Next.

9. The Summary screen displays a list of the items you chose. Verify that the
information is correct, and then click Next to proceed with the installation.

10. The wizard proceeds to install Active Directory. When it finishes, the wizard
displays a summary screen listing the domain and site in which the new domain
controller is a member. Verify that this information is correct. Click Finish to close
the wizard.

11. Click Restart to restart the domain controller.

12. Let the domain controller restart. If any message indicates that one or more
services has failed to start, restart the domain controller one more time. If the
initial replication cycles have not had enough time to complete during the first
restart on a new domain controller, some services may be unable to start
successfully. If the message appears during additional restarts, examine the
event logs in Event Viewer to determine the cause of the problem.

Installing a Domain Controller in an Existing Domain Using Restored Backup Media
When you install Active Directory from restored backup media, you can reduce the
replication traffic that is initiated during the installation of an additional domain controller
in an Active Directory domain. Reducing the replication traffic reduces the time necessary
to install the additional domain controller.

The procedures in this task are particularly useful for installing domain controllers in
remote sites. By using these procedures, you can avoid having to either replicate the
entire Active Directory replica over a wide area network (WAN) link or disconnect an
existing domain controller while it is being shipped to the remote site. If you are installing
additional domain controllers in remote sites and you want to minimize the
Active Directory and SYSVOL replication that is required during the installation from
backup media, use the information in this topic in conjunction with the information in
Adding Domain Controllers in Remote Sites.

When the domain controller that you are installing will be a Domain Name System (DNS)
server and you are using Active Directory–integrated DNS zones, the DomainDNSZones
and ForestDNSZones application directory partitions are not included in the restored
backup media by default. If you want to include application directory partitions in the
restored backup media that is used to install Active Directory, additional procedures are
required to complete the installation task. Follow the instructions for including application
directory partitions in the installation media.

Task requirements
To begin the task to install a domain controller from restored backup media without
application directory partitions, ensure that the following requirements are met:

 A Windows Server 2003–based domain controller must be running in each domain
where you will be performing installations from backup media.

 The restored system state backup that is used to create additional domain controllers
must be taken from a domain controller in the same domain as the new additional
domain controller.

 The server that is being installed as a domain controller must be running
Windows Server 2003, and the version must be the same as the domain controller
from which the backup was taken. For example, you cannot use backup media from
a domain controller running Windows Server 2003 to create a domain controller
running Windows Server 2003 with Service Pack 1 (SP1). The reverse is also true.

 The restored system state backup that is used to create additional domain controllers
must be taken on a domain controller that matches the processor type of the new
domain controller. System state backups that are taken on a domain controller that
has a 32-bit processor cannot be used to install a domain controller that has a 64-bit
processor. The reverse is also true.

 During Active Directory installation, Dcpromo checks that the value of the tombstone
lifetime in the restored system state backup matches the value on an existing domain
controller. If you plan to change the value of the tombstone lifetime, change this value
before you create the backup.

 If the domain controller that you are creating is to be a global catalog server, the
system state backup that you restore must be taken from an existing global catalog
server in the domain.

On servers that are running Windows Server 2003 with SP1, you can use restored
backup media to install a domain controller that is a DNS server (stores the
DomainDNSZones and ForestDNSZones application directory partitions) or that stores
other application directory partitions. In addition to the previous requirements, to begin
the task to install a domain controller from restored backup media that includes
application directory partitions, ensure that the following requirements are met:

 The forest functional level has been raised to Windows Server 2003.

 The domain controller on which you created the system state backup is running
Windows Server 2003 with SP1.

 The domain controller on which you created the system state backup contains the
application directory partitions that you want to include.
 The server computer that you are installing is running Windows Server 2003 with
SP1.

 You have created an answer file that contains the distinguished names (or * for all
names) of the application directory partitions that you want to include.

The following tools are required to perform the procedures for this task:

 Ntbackup.exe

 Dcpromo.exe

 Ref.chm or Unattend.txt file, or both, for installations that include application directory
partitions.
To complete this task, perform the procedures for the following methods:

1. Back up system state

Back up the system state of an existing domain controller according to the
requirements described above.

2. As an option, before you restore the backup, copy the .bkf file to a CD, DVD, or other
removable media, and then restore the backup from that media to an alternate
location on the local hard drive of each server on which Active Directory is being
installed. You can use the same media to restore the backup to any number of
servers that will be installed as domain controllers. With this method, you run a
restore on each domain controller that you install. Compare this with the second
option in step 3, in which you restore the backup only once and copy the restored
files to the removable media.

3. Restore system state to an alternate location

Select the location for the system state backup that you will use to install a new
domain controller. Use one of the following locations for restoring the system state
backup:

 Restore the .bkf file to a volume on the server that will be installed as a domain
controller. We recommend restoring to a folder named \NTDSRESTORE on the
volume that will host the Ntds.dit file when Dcpromo is run, if space permits.
Otherwise, restore to a folder named \NTDSRESTORE on a volume that has
sufficient free space. For additional criteria regarding the volume on which you
restore the backup, see Adding Domain Controllers in Remote Sites.

 Restore the .bkf file to the local hard drive of any computer, and then burn the
expanded restore tree to a CD, DVD, or other removable storage media. Install
Active Directory directly from this media. You can use this media to directly install
any number of domain controllers. With this method, you restore the backup only
once.

4. Install Active Directory from media.

Install the domain controller from the system state backup that you restored in step 3
by using one of the following methods:

 Install Active Directory from restored backup media to create a new domain
controller that does not include application directory partitions.

 Include application directory partitions in an Active Directory installation from
backup media to create a new domain controller that contains application
directory partitions. (See the special requirements described earlier in this
section.) This method uses an answer file to specify the application directory
partitions to include in the Active Directory installation. To use this method, you
must first Create an answer file for domain controller installation. You can also
include instructions to install the DNS Server service in the answer file.

See Also
Adding Domain Controllers in Remote Sites

Create an answer file for domain controller installation

Back up system state


Ntbackup.exe provides simple and advanced options for backing up Active Directory
components. When you back up system state, you can choose to include or exclude
system-protected boot files. System-protected boot files are not used for installations
from restored backup media. When the backup file that you create is to be used for
additional domain controller installations, you can clear the advanced option to back up
system-protected files. Clearing this option decreases the size of the .bkf file, as well as
the time required to back up, restore, and copy the system state files.

Use these procedures to back up the system state only. These procedures do not back
up the system disk or any other data on the domain controller except for the system-
protected files.

Use the first procedure, "To back up system state including system-protected files," for
routine system state backup. Use the second procedure, "To back up system state
excluding system-protected files," if you want to create a smaller backup that is effective
for installing domain controllers from restored backup media.
Note
To back up system state, you must log on locally to the domain controller, or
Remote Desktop must be enabled on the remote domain controller so that you
can connect remotely.

Administrative credentials

 To perform the following two procedures, you must be a member of the Domain
Admins group or a member of the Backup Operators group.

To back up system state including system-protected files


1. To start the Windows Server 2003 backup utility, click Start, click Run, type
ntbackup, and then click OK.

This procedure provides steps for backing up in Wizard Mode. By default, the
Always Start in Wizard Mode check box is selected in the Backup or Restore
Wizard. If the Welcome to the Backup Utility Advanced Mode page appears,
click Wizard Mode to open the Backup or Restore Wizard.

2. On the Welcome to the Backup or Restore Wizard page, click Next.

3. Select Back up files and settings, and then click Next.

4. Select Let me choose what to back up, and then click Next.

5. In the Items to Back Up window, double-click My Computer.

6. In the expanded list below My Computer, check System State, and then click
Next.

7. Select a location to store the backup:

 If you are backing up to a file, type the path and file name for the backup
(.bkf) file (or click Browse to find a folder or file).

 If you are backing up to a tape unit, choose the tape that you want to use.

Note
You should not store the backup on the local hard drive. Instead,
store it in a location, such as a tape drive, away from the computer
that you are backing up.

8. Type a name for this backup according to the recommendations in Backing Up
Active Directory Components, and then click Next.

9. On the last page of the wizard, click Advanced.

10. Do not change the default options for Type of Backup. Normal should be
selected, and the check box for Backup migrated remote storage data should
remain cleared. Click Next.

11. Select Verify data after backup, and then click Next.

12. In the Backup Options dialog box, select a backup option, and then click Next.

13. If you are replacing the existing backups, select the option to allow only the
owner and administrator access to the backup data and to any backups that are
appended to this medium, and then click Next.

14. In the When to back up box, select the appropriate option for your needs, and
then click Next.

15. If you are satisfied with all of the options that are selected, click Finish to perform
the backup operation according to your selected schedule.

Note
The system state can also be backed up by using Ntbackup from a
command line with appropriate parameters. For more information, at a
command prompt type ntbackup /?.

The following procedure produces a smaller .bkf file that does not include system boot
files. By using this procedure, you can reduce the time that is required to perform the
backup and subsequent restore, as well as the amount of disk space that is required.
This method is recommended when the restored backup is to be used for installing
additional domain controllers.

To back up system state excluding system-protected files


1. To start the Windows Server 2003 backup utility, click Start, click Run, type
ntbackup, and then click OK.
2. On the Welcome to the Backup or Restore Wizard page, click Advanced
Mode, and then click the Backup tab.

3. In the console tree, select the System State check box.

4. In Backup media or file name, type a name for this backup according to the
recommendations in Backing Up Active Directory Components.

5. Click Start Backup, and then click Advanced.

6. Clear the Automatically back up System Protected Files with the System
State check box, and then click OK.

7. Click Start Backup.


See Also
Enable Remote Desktop

Create a Remote Desktop Connection

Restore system state to an alternate location
Perform this procedure to create media for installing a domain controller from restored
backup media or to allow an authoritative restore of SYSVOL. After the domain controller
installation is complete, delete the files in the alternate location.

You can restore the system state backup to an alternate location on the domain controller
from which the backup was made, a location on another computer, or a location on the
computer that you want to install as a domain controller.

Administrative credentials

To perform this procedure, you must be a member of the Backup Operators group, as
follows:

 Restore system state on a member or workgroup server: Backup Operators group on
the local computer

 Restore system state on a domain controller: Backup Operators group in the domain

To restore system state to an alternate location


1. Log on to the server that has the alternate location to which you are restoring
system state backup files.

2. Click Start, click Run, type ntbackup, and then click OK.

3. On the Welcome to the Backup or Restore Wizard page, click Next.

4. Click Restore Files and settings, and then click Next.

5. On the What to Restore page, click Browse, and then, in the Open Backup
File dialog box, click Browse again.

6. Navigate to the .bkf file that you want to restore to an alternate location. The .bkf
file can be located in a folder on the current computer, in a shared folder on the
backup computer or other network computer, or on an external drive that
contains removable media.
7. In the Select file for catalog dialog box, click the .bkf file that you want to
restore, and then click Open.

8. In the Open Backup File dialog box, click OK.

9. In Items to restore, double-click File, and then double-click the .bkf file that you
want to restore.

10. Below the .bkf file that you want to restore, select the System State check box,
and then click Next. (You do not need to restore the system disk to an alternate
location.)

11. On the Completing the Backup or Restore Wizard page, click Advanced.

12. In the Restore Files to drop-down list, click Alternate Location.


13. In Alternate Location, type the path (or browse) to the local folder to which you
are restoring the backup, and then click Next. We recommend restoring to a
folder named NTDSRESTORE, if space permits, on the volume that will host the
Ntds.dit file when Dcpromo is run. Otherwise, restore to a folder named
\NTDSRESTORE on another volume that has sufficient free space.

14. On the How to Restore page, accept the default selection Leave existing files
(Recommended), and then click Next.

15. On the Advanced Restore Options page, accept the default selections Restore
security settings and Preserve existing volume mount points, and then click
Next.

16. On the Completing the Backup or Restore Wizard page, click Finish.

Install Active Directory from restored backup media
Use this procedure to install Active Directory from backup media to create an additional
domain controller in an existing domain.

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group in the
domain into which you are installing the additional domain controller.
To install Active Directory from restored backup media
1. Click Start, click Run, type dcpromo /adv, and then press ENTER.

2. In the Active Directory Installation Wizard, select Additional domain controller
for existing domain.

3. Select From these restored backup files, and point to the same location where
you restored the system state data.

4. If the domain controller whose system state backup you are using is a global
catalog server, the Active Directory Installation Wizard asks you whether you
want this server to also be a global catalog server.

5. Give appropriate credentials for the operation.

6. Enter the domain of the new domain controller. This domain must be the domain
of the domain controller whose system state backup you are using.

7. Complete the remaining pages of the Active Directory Installation Wizard.

Dcpromo.exe will install Active Directory using the data present in the restored
files, which eliminates the need to replicate every object from a partner domain
controller. However, objects that were modified, added, or deleted since the
backup was taken must be replicated. If the backup was recent, the amount of
replication required will be considerably less than that required for a regular
Active Directory installation.

After the installation operation completes successfully and the computer is
restarted, the folder and subfolders that contain the restored system state can be
removed from the local disk.

See Also
Restore system state to an alternate location

Include application directory partitions in an Active Directory installation from backup
media

Include application directory partitions in an Active Directory installation from
backup media
You can use this procedure to install Active Directory from restored backup media that
includes application directory partitions to create an additional domain controller in an
existing domain. In this procedure, you edit a domain controller installation answer file to
provide instructions for including application directory partitions in the installation. You
must have already created the answer file according to the directions in Create an
answer file for domain controller installation.
Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group in the
domain into which you are installing the additional domain controller.

To include application directory partitions in an Active Directory installation
from backup media
1. Open the answer file that you created to install the domain controller.

2. To include application directory partitions that are contained in the system state
backup, add the following entry to the end of the answer file:

ApplicationPartitionsToReplicate=

3. Provide a value for ApplicationPartitionsToReplicate as follows:

 If you want to include all application directory partitions, use the value *.

 If you want to include specific application directory partitions, type the
distinguished name of each directory partition. Separate each distinguished
name with a space, and enclose the entire list in quotation marks, as shown
in the following example:

ApplicationPartitionsToReplicate="dc=app1,dc=contoso,dc=com
dc=app2,dc=contoso,dc=com"

4. In the entry ReplicationSourcePath=, type the path to the folder that contains
the restored system state backup files on the installation computer.

5. If you do not want Dcpromo to prompt for passwords, type the password for the
account that you will use to install the domain controller in the Password= entry,
type the password that provides access to Directory Services Restore Mode in
the SafeModeAdminPassword= entry, and then save the answer file. Until
Dcpromo runs, the file holds a Domain Admins password in clear text, so keep it
only on the installation computer, in a folder that only administrators can read,
and do not copy it to the removable media that carries the restored backup.

Note
Passwords are automatically deleted from the answer file when Dcpromo
runs.

6. Open a command prompt, and then change directories to the location of the
answer file.

7. At the command prompt, type the following command, and then press ENTER:

dcpromo /adv /answer:"Drive:\PathToAnswerFile\AnswerFileName"

Active Directory installation occurs automatically. If you left passwords blank in
the answer file, Dcpromo prompts you for your administrative password and for
the Directory Services Restore Mode password. If you specified "no" for the
RebootOnSuccess= entry in the answer file, Dcpromo prompts you to restart
the server after installation.
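The procedure above edits the answer file by hand. The following script is an added example, not part of the guide, that builds the same answer file for an installation from restored backup media with application directory partitions, creates it with a locked-down ACL before any secret is written to it, runs Dcpromo, and then checks that the Password= and SafeModeAdminPassword= entries really were blanked rather than trusting that they were. The domain contoso.com, the site name Branch01, the account dcinstall, the partition distinguished names, and the restore folder C:\NTDSRESTORE are placeholders. The entries shown in the procedure above (ReplicationSourcePath, ApplicationPartitionsToReplicate, Password, SafeModeAdminPassword, RebootOnSuccess) come from the guide; the remaining [DCInstall] keys are assumed to match Ref.chm for Windows Server 2003 and should be checked against your copy.

```powershell
# Added example (not from the guide): build a locked-down IFM answer file with
# application directory partitions, run dcpromo /adv, verify the secrets are gone.
# Assumptions: restored system state in C:\NTDSRESTORE (hypothetical); key names
# other than those shown in the procedure are taken from Ref.chm and should be verified.
param(
    [string]$AnswerFile  = 'C:\NTDSRESTORE\dcpromo-ifm.txt',
    [string]$RestorePath = 'C:\NTDSRESTORE'
)

function ConvertFrom-SecureToPlain([System.Security.SecureString]$Secure) {
    # The answer file format only accepts clear-text values.
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { return [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function New-IfmAnswerFile {
    param([string]$Path, [string]$Restore, [string]$Password, [string]$DsrmPassword)
    $text = @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=contoso.com
SiteName=Branch01
ReplicationSourcePath=$Restore
ApplicationPartitionsToReplicate="dc=DomainDnsZones,dc=contoso,dc=com dc=ForestDnsZones,dc=contoso,dc=com"
UserName=dcinstall
UserDomain=contoso.com
Password=$Password
DatabasePath=D:\NTDS
LogPath=D:\NTDS
SYSVOLPath=E:\SYSVOL
SafeModeAdminPassword=$DsrmPassword
RebootOnSuccess=No
"@
    # Create the file empty and restrict it before the passwords are written.
    Set-Content -Path $Path -Value ''
    $acl = Get-Acl $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
    }
    Set-Acl $Path $acl
    Set-Content -Path $Path -Value $text
    return $Path
}

function Test-AnswerFileScrubbed([string]$Path) {
    # Dcpromo is documented to remove the passwords; confirm no non-empty value remains.
    $leak = Get-Content $Path | Where-Object { $_ -match '^(Password|SafeModeAdminPassword)=\S' }
    return ($leak -eq $null)
}

$pw   = ConvertFrom-SecureToPlain (Read-Host 'Password for the promotion account' -AsSecureString)
$dsrm = ConvertFrom-SecureToPlain (Read-Host 'Directory Services Restore Mode password' -AsSecureString)
$file = New-IfmAnswerFile -Path $AnswerFile -Restore $RestorePath -Password $pw -DsrmPassword $dsrm

& dcpromo.exe /adv "/answer:$file"

if (Test-AnswerFileScrubbed $file) {
    Write-Host 'Passwords were removed from the answer file.'
} else {
    Write-Warning "Answer file still contains a password; delete $file now."
}
```

Because RebootOnSuccess is set to No, the scrub check runs before the restart; delete the answer file together with the restored system state folder once the new domain controller is up.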

Adding Domain Controllers in Remote Sites
You can create an additional domain controller in a domain by installing Active Directory
on a server computer. When the additional domain controller is being placed in a remote
site, you can install Active Directory on the server either before or after shipping it to the
remote site, as follows:

 Ship the computer as a workgroup computer, and install Active Directory in the
remote site. Enable Remote Desktop on the computer before you ship it so that you
can perform the installation remotely. In the remote site, you can either:

 Install Active Directory from restored backup media that has been shipped to the
site on removable media or that has been restored to a location on the server
itself before shipping.

 Install Active Directory over the network.

 Install Active Directory on the server in a hub or staging site, and ship the installed
domain controller to the remote site.
Both methods have advantages and disadvantages, and both methods require care to
ensure the secure transfer of Active Directory data, whether it is installed or in the form of
backup files that are stored on the server or on removable media. In either form, the
directory database (Ntds.dit) contains the password hashes of every account in the
domain, so a domain controller or a system state backup in transit must be protected
from theft and tampering as carefully as the domain controller itself.

For information about the advantages and disadvantages of shipping a server to a
remote site before or after installing Active Directory, see Known Issues for Adding
Domain Controllers in Remote Sites.

For information about how best to manage adding domain controllers to remote sites for
the method you are using, see Best Practices for Adding Domain Controllers in Remote
Sites.

By following the guidelines in this guide, you can decide the best method for your
environment of adding domain controllers in remote sites. By following the instructions in
this guide, you can safely and securely install domain controllers in remote sites, either
locally or remotely.

The following tasks for adding domain controllers in remote sites are described in this
objective:

 Preparing a Server Computer for Shipping and Installation from Backup Media

 Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection

 Reconnecting a Domain Controller After a Long-Term Disconnection

Known Issues for Adding Domain Controllers in Remote Sites
You can use the following two methods to add domain controllers in remote sites:

 Ship the member computer to the remote site, and then install Active Directory by
using the dcpromo /adv option, which uses restored system state backup media as
the source for the Active Directory installation in the remote site.

 Install Active Directory in the hub site by using the normal Dcpromo method, and then
ship the installed domain controller to the remote site.

You can use the information in this section to determine the method for adding domain
controllers in remote sites that is best for your environment. SYSVOL replication issues
potentially affect both methods, and each method has advantages and disadvantages
that are discussed in this section.
Important
Do not attempt to perform actions based only on the recommendations that are
discussed in this topic. Step-by-step guidance is provided in the task-based
topics for all actions that are recommended in this topic. Follow the See Also
links to the related task-based topics.

SYSVOL Replication
SYSVOL is a shared folder that stores files that must be available and synchronized
among all domain controllers in a domain. SYSVOL contains the NETLOGON share,
Group Policy settings, and File Replication service (FRS) staging directories and files.
The SYSVOL share is required for Active Directory to function properly.

The primary focus for both methods of installing additional domain controllers in remote
sites is to avoid the replication of Active Directory over a wide area network (WAN)
between the remote site and the hub site. Each method accomplishes this goal. However,
depending on the size of your SYSVOL, you might also be concerned about replication of
SYSVOL files over the network. Unless you follow specific instructions, the SYSVOL tree
might be created on the new domain controller through replication of the entire tree from
an existing domain controller in the domain. Regardless of which method you use to add
domain controllers to remote sites, you might want to take additional steps to manage
SYSVOL creation on the new domain controller to avoid replicating the full SYSVOL from
another domain controller in the domain.

When you install a domain controller from backup media, preliminary steps are required
to ensure that SYSVOL is created from the local copy of the restored backup media.
Similarly, preliminary steps are required to avoid full SYSVOL synchronization when you
ship an installed domain controller and restart it in the remote site. These requirements
are discussed for each method respectively in the following topics:

 Preparing a Server Computer for Shipping and Installation from Backup Media

 Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection

Using Backup Media to Install Active Directory in a Remote Site
The ability to use restored backup media to install domain controllers is a new feature in
Windows Server 2003. The method for using backup media to install domain controllers
includes the following general steps:
1. Back up system state on a domain controller in the domain in which you are adding
the new domain controller. If you want the additional domain controller to be a global
catalog server, back up a global catalog server. If you want the additional domain
controller to be a Domain Name System (DNS) server, back up a DNS server.

2. Restore the backup to an alternate location. You can restore the backup directly to
the computer that you want to install as a domain controller, or you can transfer it to
removable media.

3. Run Dcpromo with the /adv option and indicate the restored backup as the source for
the Active Directory installation.

This method of installing domain controllers in remote sites has several advantages. One
of the primary advantages of this method is that it substantially reduces the network
bandwidth requirement compared to network-based installations. This method also has a
few issues that mostly affect deployments that have a large number of remote sites. If
you deploy more than 100 remote sites, additional considerations might be necessary.
For information about large branch office deployments, see the Windows Server 2003
Active Directory Branch Office Guide on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=42506).

Advantages of Using Backup Media to Install Active Directory in a Remote Site
The following advantages are associated with using backup media to install a domain
controller in a remote site:

 You can install many domain controllers from a single source of removable backup
media. Although you can restore backup media directly to an alternate location on the
server computer that you are going to install as a domain controller, you can also use
that media as the source for any number of domain controllers by either copying or
restoring the system state backup to removable media. For more information about
the effects of copying — as opposed to restoring — a system state backup to
removable media, see Preparing a Server Computer for Shipping and Installation
from Backup Media.

 You do not have to disconnect the domain controller from the replication topology.
Therefore, you can avoid the disadvantages that are associated with a domain
controller that does not replicate. For information about the problems that are
associated with domain controller disconnection, see Issues with Installing Domain
Controllers Before Shipping Them to the Remote Site.

 You avoid replicating the entire Active Directory over a WAN link, particularly a link
that requires a dial-up connection.

 If you enable Remote Desktop on the server before you ship it, you do not have to
employ an administrator with Domain Admins credentials in the remote site.

Issues with Using Backup Media to Install Active Directory in Remote Sites
The following issues are associated with using backup media to install a domain
controller in a remote site:

 Domain Admins credentials and remote installation. An administrator must have
Domain Admins credentials to install Active Directory. Assuming that you do not
employ a service administrator with this level of administrative credentials in each
branch site, a domain administrator in the hub site must be able to connect remotely
to the server to perform the installation. Therefore, you must be sure to enable
Remote Desktop on the server before you ship it to the remote site.

 Time to restore the system state backup. The installation media is prepared by
restoring a system state backup to an alternate location. Therefore, preparing the
media requires taking the backup itself and restoring the backup. These tasks add
time to the installation of a single domain controller. However, if you take advantage
of the ability to transfer the restored backup files to removable media, you perform
the preliminary backup and restore processes only once to install any number of
domain controllers. In addition, you can follow instructions to prepare a smaller
backup file to further decrease the time that is required for restoring and copying
backup media. The volume on which you restore the backup on the target server also
affects the speed of the installation. Moving the Ntds.dit file is faster than copying it. If
you restore the media to the same location that will be used to host the Active
Directory database, the Ntds.dit file will be moved (as opposed to being copied) into
the new location, eliminating the additional time required to copy the file. For more
information about the criteria that affect how long installation from backup media
takes, see Preparing a Server Computer for Shipping and Installation from Backup
Media.

 Backup source for application directory partitions. When DNS zone data is
stored in application directory partitions, the replication impact can be significant if
application directory partitions must be replicated over the corporate network. System
state data that you restore from backup to an alternate location does not include
application directory partitions if the backup is performed on servers running
Windows Server 2003 with no service pack installed.

Including application directory partitions in the backup media has the following
requirements:
 The domain controller that you back up and the computer that you intend to
install as a domain controller must both be running Windows Server 2003 with
Service Pack 1 (SP1).

 The forest functional level must be set to Windows Server 2003 because linked-
value replication is required to ensure that cross-references are correctly updated
for the application directory partition replica set.

 You must use an answer file to install Active Directory because the Dcpromo user
interface (UI) does not provide an option for specifying application directory
partitions. Use the answer file to provide the distinguished names of the
application directory partitions that you want to include in the installation.

For more information about how to include application directory partitions and create
a DNS server, see Preparing a Server Computer for Shipping and Installation from
Backup Media.

 Bridgehead server load balancing. If backup media are sent to many sites and if
enough domain controllers are promoted at the same time, you might experience
performance issues with the bridgehead servers that are the source for
Active Directory and FRS replication.

Note
These issues are of concern only in situations in which hundreds of domain
controllers might be promoted at the same time and their need for
bridgehead server resources is very high. If you are deploying hundreds of
domain controllers in branch sites, see the Windows Server 2003
Active Directory Branch Office Guide on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=42506).

 Active Directory intersite replication. You cannot load-balance intersite
connections to and from the hub site until the domain controller is installed. If a
large number of domain controllers are being installed in remote sites (more than
100), manual rebalancing of connections might be required after the domain
controllers are installed. For information about how to use the Active Directory
Load Balancing (ADLB) tool to rebalance connections, see the
Windows Server 2003 Active Directory Branch Office Guide on the Microsoft Web
site (http://go.microsoft.com/fwlink/?LinkId=42506).

 FRS replication. Because FRS on the source computer uses CPU, memory, and
disk resources, the FRS recommendation is to perform a staged update on no
more than 10 branch office domain controllers at a time per source hub domain
controller. If a single domain controller functions as the source for SYSVOL
replication to more than 10 destination domain controllers, performance on the
source domain controller can decrease significantly. To balance source domain
controllers, you can use an answer file with Dcpromo to specify the source
domain controller.

Installing Domain Controllers Before Shipping Them to the Remote Site
When you install a domain controller and then disconnect it from the network for a period
of time, you interrupt the normal replication activities of other domain controllers on the
network. This naturally creates error conditions that result from various failed operations,
such as attempts to replicate with the disconnected domain controller. As long as you are
aware of the issues that disconnections cause, you can take steps to ensure smooth
disconnection and reconnection.

Advantages of Installing Domain Controllers Before Shipping Them to the Remote Site
The following advantages are associated with installing domain controllers before
shipping them to the remote site:

 Standardization. The process for installing domain controllers can be automated
and standardized in the hub or staging site, with the one additional step of packing
and shipping the domain controller. If you follow the instructions for safe
disconnection and reconnection, restarting the domain controller in the remote site is
all that is required.

 Branch site personnel. The requirement for personnel with Domain Admins
credentials is contained within the hub site; that is, intervention by personnel with
Domain Admins credentials is not required at the branch site.

Issues with Installing Domain Controllers Before Shipping Them to the Remote Site
The following issues are associated with installing domain controllers and then
disconnecting them from the network while they are shipped to the remote site:

 Disconnection error conditions. After disconnection, online domain controllers in
the domain continue to attempt replication with the disconnected domain controller,
causing Active Directory and FRS errors to be generated for as long as the domain
controller is disconnected.

 Additional preparation. Additional preparation is required to ensure smooth
reconnection:

 Preparing for the nonauthoritative restart of SYSVOL.

 Ensuring an adequate tombstone lifetime to avoid the possibility of objects
remaining on the domain controller that have been permanently deleted from the
directory on all other domain controllers. The tombstone lifetime is a forest-wide
setting that determines how long an object deletion persists in the directory.

 Protection of existing accounts and metadata. You must ensure that computer
accounts and metadata for the domain controller are not deleted or improperly
modified while the domain controller is disconnected.

 Risk of lingering objects. A lingering object is an object that remains on a
disconnected domain controller after the object has been permanently deleted from
Active Directory on all connected domain controllers. Deletion updates are replicated
as tombstone objects. These objects have a limited lifetime in Active Directory, which
is defined by the tombstone lifetime. After a tombstone is permanently removed from
Active Directory, replication of the deletion it represented is no longer possible.
Therefore, if you restart a domain controller on which such an object remains,
replication does not recognize that object as a deleted object, and it remains in
Active Directory on only the reconnected domain controller and nowhere else. If you
plan to disconnect a domain controller for longer than the period of time that a
domain controller keeps track of object deletions (the tombstone lifetime), you must
take additional steps to ensure directory consistency. For more information about
lingering objects and their causes and effects, see Fixing Replication Lingering
Object Problems (Event IDs 1388, 1988, 2042).

Maintaining Directory Consistency When Disconnecting a Domain Controller
Maintaining consistency of Active Directory data involves several related issues. Review
the following known issues before disconnecting an installed domain controller:

 Relationship of tombstone lifetime to Active Directory backup

 Protection against lingering object replication

 Availability of operations master roles in the domain and forest

 Up-to-dateness of Active Directory replication at the time of disconnection

 SYSVOL consistency on reconnection

For procedures to ensure that all of these issues are addressed, see the following topics:
 Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection

 Reconnecting a Domain Controller After a Long-Term Disconnection

Tombstone Lifetime and Backup
Active Directory backups are useful for recovering a domain controller for only as long as
the tombstone lifetime. When an object is deleted, Active Directory replicates the object
as a tombstone, which consists of a small subset of the attributes of the deleted object.
The tombstone is retained in Active Directory for 60 days by default in a
Windows Server 2003 forest. This default value is changed in Windows Server 2003 with
Service Pack 1 (SP1). The tombstone is retained for 180 days by default in a new forest
that is created on a domain controller running Windows Server 2003 with SP1.
NTBackup.exe, the Windows Server backup utility, will not restore a system state backup
that is older than the tombstone lifetime.

The tombstone lifetime value that is in effect when a domain controller is upgraded to
Windows Server 2003 SP1 is not changed by the installation of Windows Server 2003
SP1. The existing value is maintained until you change it manually. You can determine
the value of the tombstoneLifetime attribute by viewing the properties of CN=Directory
Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ForestRootDomain in
ADSI Edit (adsiedit.msc), which is available in Windows Support Tools. A value in
tombstoneLifetime of <Not Set> always indicates that the Windows Server 2003 default
value of 60 is in effect. If you create a new forest on a domain controller running
Windows Server 2003 with SP1, the default tombstoneLifetime value of 180 is
displayed in the UI.

When the number of days in the tombstone lifetime has passed, the tombstone is
permanently removed. Because a domain controller that is disconnected for a period that
is longer than the tombstone lifetime cannot receive deletions that occurred before the
beginning of the tombstone lifetime, a backup that is older than the tombstone lifetime
cannot be used to restore Active Directory.

When conditions beyond your control cause a domain controller to be disconnected for a
period that is longer than the tombstone lifetime, one or more objects that have been
deleted from the rest of the directory while the domain controller was offline might remain
on the disconnected domain controller.

If planned domain controller disconnections are consistently lasting longer than the
number of days in the tombstone lifetime, consider extending the tombstone lifetime for
the forest prior to disconnecting any domain controllers.

For more information about the causes and effects of lingering objects, see Fixing
Replication Lingering Object Problems (Event IDs 1388, 1988, 2042).

Protection Against Lingering Object Replication
Domain controllers that have not performed inbound replication in the previous
tombstone lifetime number of days are vulnerable to retaining lingering objects. If a
domain controller that has one or more lingering objects is reconnected to the replication
topology and a lingering object is subsequently updated on that domain controller, the
object might be recreated in Active Directory, depending on how the strict replication
consistency registry setting is configured.

A lingering object is made known to the replication system only if it is updated on the
domain controller that stores it. In this case, the source domain controller attempts
replication of an update to an object that the destination does not store. On destination
domain controllers running Windows 2000 Server with Service Pack 3 (SP3) or Service
Pack 4 (SP4) and Windows Server 2003, the strict replication consistency registry
entry (type REG_DWORD, in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters)
determines whether replication is allowed to proceed if the domain controller receives a
request for an update to an object that it does not have.

The value in the strict replication consistency registry entry determines whether
replication proceeds or is stopped, as follows:

 1 (enabled): Inbound replication of the specified directory partition from the source is
stopped on the destination. Replication of the directory partition is halted on both the
source and destination domain controllers.

 0 (disabled): The destination requests the full object from the source domain
controller and the destination domain controller reanimates a full copy of an object it
has previously deleted and permanently removed through garbage collection.

For more information about how to manage the strict replication consistency setting,
including its effects and its default values, see Fixing Replication Lingering Object
Problems (Event IDs 1388, 1988, 2042).

Up-to-Dateness of Active Directory Replication
Ensure that a domain controller is updated before you disconnect it. Immediately before
you disconnect the domain controller, force replication with all replication partners and
verify that each directory partition replicates to the domain controller that you are
disconnecting. If replication of any directory partition does not succeed, resolve the
replication problem before you disconnect the domain controller. By ensuring that
replication is up to date, you can maximize the possible safe disconnection period, which
cannot exceed the tombstone lifetime for the forest.

SYSVOL Consistency
SYSVOL replication cannot be synchronized manually. For this reason, ensuring that
SYSVOL is updated before you disconnect the domain controller is more difficult than
simply updating SYSVOL when the domain controller is reconnected. Regardless of the
length of the disconnection, to ensure that SYSVOL is synchronized when the domain
controller is reconnected, prepare the domain controller to perform a nonauthoritative
restart of SYSVOL before you disconnect the domain controller. When the domain
controller restarts, nonauthoritative restart of SYSVOL occurs automatically.

See Also
Preparing a Server Computer for Shipping and Installation from Backup Media

Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection

Reconnecting a Domain Controller After a Long-Term Disconnection

Best Practices for Adding Domain Controllers in Remote Sites
By reviewing the information in Known Issues for Adding Domain Controllers in Remote
Sites, you can determine the best method to use for installing domain controllers in your
remote sites. You can use this topic to learn about the best practices for the method that
you decide to use.

Important
Do not attempt to perform actions based only on the recommendations that are
discussed in this topic. Step-by-step guidance is provided in the task-based
topics for all actions that are recommended in this topic. Follow the See Also
links to the related task-based topics.

Using Backup Media to Install Active Directory in the Remote Site
The primary purpose of using restored backup media to install a domain controller is to
provide a local source for the domain, configuration, and schema directory partitions —
and, optionally, global catalog partial, read-only directory partitions and Domain Name
System (DNS) application directory partitions. The local source is the restored system
state backup files that reside on the server that you are installing. Updates to object
attributes that occur since the system state backup was made will replicate over the
network from an existing domain controller in the domain or forest. Although SYSVOL is
part of the system state backup, under some conditions SYSVOL is not sourced from the
backup media. Configuring SYSVOL to be sourced from local backup media is more
challenging and might not prove worthwhile. For more information about the conditions
that determine the need for SYSVOL replication, see Known Issues for Adding Domain
Controllers in Remote Sites.

To use restored backup files for installation of one or more additional domain controllers
in a domain, you can either:

 Copy ("burn") either the unrestored .bkf file or the restored backup files onto
removable media, such as a portable disk drive, CD, or DVD, which can be shipped
with the workgroup computer when it leaves the staging site or shipped separately.

 Restore system state backup to the local hard drive of the workgroup computer
before it leaves the staging site.

For information about the advantages and disadvantages of these methods, see
Preparing a Server Computer for Shipping and Installation from Backup Media.

The Dcpromo /adv option in Windows Server 2003 to install a domain controller from
backup media eliminates the Windows 2000 Server requirement to either promote the
domain controller before shipping it to the remote site or promote the domain controller in
the remote site by replicating the entire directory over a wide area network (WAN)
connection when another domain controller for the domain is not present in the site.

The following best practices are recommended to optimize data security and consistency
when you add domain controllers in remote sites:

 Upgrade to Windows Server 2003 with Service Pack 1 (SP1). If you use
Active Directory-integrated DNS or if you want other application directory partitions to
be included in the domain controller replica, upgrade the server computer to
Windows Server 2003 with SP1 before Active Directory installation. When you use
restored backup media to install a computer running Windows Server 2003 with no
service pack installed, the replica installation does not include application directory
partitions. In the case of DNS application directory partitions, the impact of replicating
these directory partitions over the WAN might be significant. When you use restored
backup media to install a computer running Windows Server 2003 with SP1, you can
use an answer file to include application directory partitions in the replica that you
install.

 Back up the type of domain controller that you want to add. You must back up
the type of domain controller that you want to add. If you want to add a global catalog
server in the remote site, back up a global catalog server in the domain. If you want
to add a DNS server, back up a DNS server in the domain.

 Take the same security precautions for shipment of removable backup media
or a server computer that contains a restored backup as you would take for
shipping an installed domain controller. For information about securing domain
controllers, see Best Practice Guide for Securing Windows Server Active Directory
Installations on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=28521).

 Minimize the time between the backup and installation. Minimizing this delay
reduces the number of updates that will be required to replicate after installation.

 Install the operating system before shipping the server to the remote site.
Installing the operating system requires expertise that might not be available at
branch sites. Ideally, installation routines are available in the staging site to automate
the operating system installation process and ensure uniformity for all domain
controllers (partition sizes, drive letter assignments, and so on). As part of the
operating system installation, apply a standardized set of hotfixes plus any available
service packs to ensure service consistency throughout the forest.

 Ship the server as a member of a workgroup rather than a member server in a
domain. If the server is joined to a domain and then stolen during shipment,
information about domain names, DNS suffixes, and number of domains in the forest
can aid attackers in attempts to compromise or steal directory data.

 Ship computers with properly configured Internet Protocol (IP), subnet mask,
and default gateway addresses. Remember to reconfigure the server with TCP/IP
settings that are appropriate to the target site, not the staging site. Specifically, the
domain controller must not point to itself for DNS.

 Enable Remote Desktop on the server computer before shipping. This best
practice assumes that you need to be able to install and manage Active Directory
remotely rather than employing an administrator with Domain Admins credentials in
each remote site.

Installing Domain Controllers Prior to Shipping to the Remote Site
When you install Active Directory in the hub or staging site, disconnect the installed
domain controller, and then ship the computer to the remote site, you are disconnecting a
viable domain controller from the replication topology. The most significant risk from
disconnection is that the domain controller will remain offline long enough to exceed the
tombstone lifetime and thereby become capable of retaining objects that have been
permanently deleted from the directory on all other domain controllers in the domain.
Such objects, called lingering objects, cause directory inconsistency and, under certain
conditions, can be reintroduced into the directory. For information about the causes and
effects of lingering objects and how to avoid them, see Known Issues for Adding Domain
Controllers in Remote Sites.

The following best practices reduce the possibility of Active Directory consistency
problems due to lingering objects remaining on domain controllers that are disconnected
for long periods of time. Take the following precautions to avoid directory consistency
problems when you disconnect an existing domain controller and to ensure that if
inadvertent long disconnections occur, lingering objects cannot be replicated.

 Upgrade all Windows 2000 Server domain controllers to Windows Server 2003.
This process requires upgrading the forest schema by using the adprep /forestprep
command. Thereafter, you can begin upgrading domain controllers to
Windows Server 2003. The Windows Server 2003 schema update adds 25 indexed
attributes to the schema directory partition. An update of this size can cause
replication delays in a large database. For this reason, domain controllers that are
running Windows 2000 Server must be running — at a minimum — Windows 2000
Service Pack 2 (SP2) plus all additional Windows updates. However, it is highly
recommended that you install Windows 2000 Service Pack 3 (SP3) on all domain
controllers before preparing your infrastructure for upgrade to the Windows
Server 2003 operating system. For information about upgrading to
Windows Server 2003, see "Upgrading from Windows 2000 Domains to
Windows Server 2003 Domains" in the Windows Server 2003 Deployment Guide on
the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=46082).

 Enable strict replication consistency on all domain controllers. This registry
setting, which stops inbound replication of a directory partition from a source domain
controller that is suspected of having a lingering object, should be set for the forest to
prevent the reintroduction of a lingering object into the directory. You can use the
Repadmin /regkey command, which is available in the version of Windows Support
Tools that is included with Windows Server 2003 SP1, to enable this setting on a
specific domain controller or on all domain controllers in the forest, which eliminates
the need to update the registry manually.

 Monitor the Knowledge Consistency Checker (KCC) topology and replication to
ensure that unintended long disconnections are detected. By monitoring
replication, you can detect disconnections that occur as a result of network failures,
service failures, or configuration errors. Use the Active Directory Management Pack
or other monitoring application to implement a monitoring solution for your
Active Directory deployment. Event IDs to monitor include 1311, 1388, 1925, 1988,
2042, 2087, and 2088.

 Ship computers with properly configured IP, subnet mask, and default gateway
addresses. Remember to reconfigure the server with TCP/IP settings that are
appropriate to the target site, not the staging site. Specifically, the domain controller
must not point to itself for DNS.

 Configure the tombstone lifetime appropriately. Ensure that the tombstone
lifetime is not lowered below the default. The default tombstone lifetime in a forest
that was created on a domain controller running Windows 2000 Server or
Windows Server 2003 is 60 days. The default tombstone lifetime in a forest that was
created on a server running Windows Server 2003 with SP1 is 180 days. If you must
disconnect a domain controller for a period of several weeks or months, before you
disconnect the domain controller, do the following:
 Estimate the anticipated length of disconnection.

 Determine the value of the tombstone lifetime for the forest. This value is
stored in the tombstoneLifetime attribute of CN=Directory
Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ForestRootDomain.

 Determine the maximum length of time that the domain controller can be
safely disconnected. From the tombstone lifetime number of days, subtract a
generous estimate of the number of days that are required for end-to-end
replication latency. The resulting amount of time is the maximum period for which
the domain controller can safely be disconnected.

 Determine whether to extend the tombstone lifetime for the forest. If you
estimate the maximum time of disconnection to be longer than the tombstone
lifetime, you must determine whether to extend the tombstone lifetime or perform
the procedure to remove lingering objects from the domain controller after it is
reconnected. If you extend the tombstone lifetime, you must also make sure that
all domain controllers have adequate disk space to store additional tombstones.
In addition, make sure that replication of the tombstone lifetime change has
reached all potential source domain controllers before you run Dcpromo to install
an additional domain controller.

 Prepare the registry for automatic nonauthoritative restart of SYSVOL when the
domain controller restarts. SYSVOL cannot be updated manually before
disconnection. By editing a registry setting, you can ensure that SYSVOL is updated
as soon as the domain controller is restarted.

 Ensure that the domain controller replicates successfully with all replication
partners. Immediately before you disconnect the domain controller, force replication
with its partners. Check that replication has succeeded before you disconnect the
domain controller.

 Label the domain controller. When you disconnect the domain controller, attach a
label to the computer that identifies the date and time of disconnection, the
destination, and the IP settings.

 When you reconnect the domain controller, restore SYSVOL as quickly as
possible. The domain controller does not serve as a domain controller until SYSVOL
has been updated through replication. If the site has one or more other domain
controllers in the same domain, start the domain controller anytime. If the site
contains no other domain controller in the same domain, time the restart of the
domain controller to coincide with the beginning of intersite replication.

 Do not allow an outdated Windows 2000 Server domain controller to replicate.
If a domain controller running any version of Windows 2000 Server has been
disconnected for longer than the maximum safe time of disconnection (the tombstone
lifetime minus end-to-end replication latency), do not allow the domain controller to
replicate. Instead, force the removal of Active Directory, perform metadata cleanup,
and then reinstall Active Directory. As an alternative, you can reinstall the domain
controller with Windows Server 2003. For more information about completing these
tasks, see Reconnecting a Domain Controller After a Long-Term Disconnection.

Note
This recommendation applies to additional domain controllers in an existing
domain. If the outdated domain controller is the only domain controller in the
domain, the recommendation is to reconnect the domain controller and follow
the instructions to remove lingering objects in article 314282, "Lingering
objects may remain after you bring an out-of-date global catalog server back
online," in the Microsoft Knowledge Base on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=37924).

 To avoid time skew issues, ensure that the system clock is synchronized with
the domain source on startup. When you start the domain controller in the remote
site, use the following command to set the hardware clock:

net time /domain:DomainName /set /y
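
The tombstone lifetime arithmetic from the "Tombstone Lifetime and Backup" section and the "Configure the tombstone lifetime appropriately" steps above, worked as an added example that is not Microsoft code. It only performs the calculations on values you supply (for example, the tombstoneLifetime value you read in ADSI Edit); it does not query Active Directory, and the function names, the ISO date inputs, and the decision strings are assumptions made for this example.

```python
"""Safe-disconnection planner built on the tombstone lifetime rules in this guide.

Added example, not Microsoft code. Inputs are supplied by the caller (for instance
the tombstoneLifetime attribute read in ADSI Edit); nothing queries Active Directory.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Union

# Defaults stated in the guide: 60 days when tombstoneLifetime shows <Not Set>
# (forest created on Windows 2000 Server or Windows Server 2003), 180 days when
# the forest was created on a Windows Server 2003 SP1 domain controller.
DEFAULT_TOMBSTONE_LIFETIME_DAYS = 60
SP1_NEW_FOREST_DEFAULT_DAYS = 180

DateLike = Union[date, str]  # a date object or an ISO "YYYY-MM-DD" string


def _as_date(value: DateLike) -> date:
    return date.fromisoformat(value) if isinstance(value, str) else value


def effective_tombstone_lifetime(tombstone_lifetime_attr: Optional[int]) -> int:
    """Tombstone lifetime in effect. None models the <Not Set> display, which
    always means the Windows Server 2003 default of 60 days is in effect."""
    if tombstone_lifetime_attr is None:
        return DEFAULT_TOMBSTONE_LIFETIME_DAYS
    if tombstone_lifetime_attr <= 0:
        raise ValueError("tombstoneLifetime must be a positive number of days")
    return tombstone_lifetime_attr


def backup_is_restorable(backup_taken: DateLike, restore_on: DateLike,
                         tombstone_lifetime: int) -> bool:
    """NTBackup will not restore a system state backup that is older than the
    tombstone lifetime, so a backup is usable only while its age is within it."""
    age_days = (_as_date(restore_on) - _as_date(backup_taken)).days
    return 0 <= age_days <= tombstone_lifetime


def max_safe_disconnection_days(tombstone_lifetime: int,
                                replication_latency_days: int) -> int:
    """Tombstone lifetime minus a generous estimate of end-to-end replication latency."""
    if not 0 <= replication_latency_days < tombstone_lifetime:
        raise ValueError("latency estimate must lie between 0 and the tombstone lifetime")
    return tombstone_lifetime - replication_latency_days


@dataclass
class DisconnectionPlan:
    tombstone_lifetime_days: int
    max_safe_days: int
    expected_days: int
    safe: bool
    action: str


def plan_disconnection(tombstone_lifetime_attr: Optional[int], expected_days: int,
                       replication_latency_days: int) -> DisconnectionPlan:
    """The guide's steps: determine the lifetime, subtract latency, compare with the
    estimated disconnection, and decide whether the lifetime must be extended or
    lingering objects removed after reconnection. The comparison is made against
    the safe window (lifetime minus latency), the stricter of the two bounds."""
    tsl = effective_tombstone_lifetime(tombstone_lifetime_attr)
    safe_days = max_safe_disconnection_days(tsl, replication_latency_days)
    if expected_days <= safe_days:
        action = ("force replication with all partners, prepare the nonauthoritative "
                  "SYSVOL restart, label the computer, then disconnect")
        return DisconnectionPlan(tsl, safe_days, expected_days, True, action)
    action = ("extend the forest tombstone lifetime before disconnecting (check disk "
              "space on all domain controllers and let the change replicate to every "
              "potential source), or plan to remove lingering objects after reconnection")
    return DisconnectionPlan(tsl, safe_days, expected_days, False, action)


def reconnection_action(tombstone_lifetime_attr: Optional[int], actual_days: int,
                        replication_latency_days: int, runs_windows_2000: bool,
                        only_dc_in_domain: bool) -> str:
    """What to do with a domain controller that comes back after `actual_days` offline."""
    tsl = effective_tombstone_lifetime(tombstone_lifetime_attr)
    if actual_days <= max_safe_disconnection_days(tsl, replication_latency_days):
        return "reconnect; SYSVOL restarts nonauthoritatively and replication catches up"
    if runs_windows_2000 and not only_dc_in_domain:
        # Outdated Windows 2000 Server replica: never let it replicate again.
        return ("do not allow replication: force removal of Active Directory, "
                "perform metadata cleanup, then reinstall Active Directory")
    # Windows Server 2003 replica, or the only domain controller in its domain.
    return "reconnect and remove lingering objects before relying on the domain controller"
```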

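The monitoring practice above lists event IDs but not what to do when they appear. The following added example (not Microsoft code and not the Active Directory Management Pack) runs simple triage logic over a constructed CSV export of directory service events: it labels the monitored IDs, escalates repeated link failures toward one partner as a possible unintended disconnection, and singles out partners implicated in lingering-object events. The export columns, the sample records, the escalation threshold, and all function names are assumptions made for this example.

```python
"""Replication-health triage over an exported list of directory service events.

Added example, not Microsoft code. The CSV layout, the sample records, and the
escalation threshold are assumptions; the event IDs are the ones this guide says
to monitor (1311, 1388, 1925, 1988, 2042, 2087, 2088).
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Meaning of each monitored event, used to label findings.
MONITORED_EVENTS: Dict[int, str] = {
    1311: "KCC cannot build a complete replication topology (site connectivity problem)",
    1388: "lingering object replicated in (strict replication consistency disabled)",
    1925: "attempt to establish a replication link failed",
    1988: "lingering object detected on source; inbound replication blocked (strict consistency)",
    2042: "too long since last replication with partner; tombstone lifetime exceeded",
    2087: "DNS lookup failure prevented replication with partner",
    2088: "DNS lookup failure; replication continued using fallback name resolution",
}
LINGERING_EVENTS = {1388, 1988, 2042}   # a partner was probably offline too long
FAILED_LINK_EVENTS = {1925, 2087}       # 2088 is informational: the link still worked
PERSISTENT_FAILURE_DAYS = 3             # assumption: escalate failures spanning this long

# Constructed sample export: time,computer,source,event_id,partner
SAMPLE_EXPORT = """\
time,computer,source,event_id,partner
2006-03-01 02:10:05,HUB-DC1,NTDS KCC,1311,
2006-03-01 02:15:00,HUB-DC1,NTDS KCC,1925,BRANCH-DC7
2006-03-02 02:15:00,HUB-DC1,NTDS KCC,1925,BRANCH-DC7
2006-03-03 02:15:00,HUB-DC1,NTDS KCC,2087,BRANCH-DC7
2006-03-04 02:15:00,HUB-DC1,NTDS KCC,1925,BRANCH-DC7
2006-03-04 03:00:00,HUB-DC1,NTDS Replication,2088,BRANCH-DC2
2006-05-20 09:00:00,HUB-DC1,NTDS Replication,2042,BRANCH-DC7
2006-05-20 09:05:00,HUB-DC2,NTDS Replication,1988,BRANCH-DC7
"""


@dataclass(frozen=True)
class Finding:
    destination: str   # domain controller that logged the event
    partner: str       # replication partner named in the event ("" if none)
    event_id: int
    detail: str


def parse_events(csv_text: str) -> List[dict]:
    """Parse the export into records with a real timestamp and integer event ID."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        records.append({
            "time": datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"),
            "computer": row["computer"],
            "event_id": int(row["event_id"]),
            "partner": row["partner"],
        })
    return records


def triage(csv_text: str) -> List[Finding]:
    """Return one finding per lingering/topology event and one per persistently
    failing destination-partner pair (at least three failures spanning the threshold)."""
    findings: List[Finding] = []
    failures: Dict[Tuple[str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    for ev in parse_events(csv_text):
        eid = ev["event_id"]
        if eid not in MONITORED_EVENTS:
            continue
        if eid in LINGERING_EVENTS or eid == 1311:
            findings.append(Finding(ev["computer"], ev["partner"], eid, MONITORED_EVENTS[eid]))
        elif eid in FAILED_LINK_EVENTS:
            failures[(ev["computer"], ev["partner"])].append((ev["time"], eid))
    for (dest, partner), hits in failures.items():
        hits.sort()
        span_days = (hits[-1][0] - hits[0][0]).days
        if len(hits) >= 3 and span_days >= PERSISTENT_FAILURE_DAYS:
            findings.append(Finding(dest, partner, hits[-1][1],
                f"replication with partner failing for {span_days} days; "
                "check whether the partner is unintentionally disconnected"))
    return findings


def partners_needing_attention(findings: List[Finding]) -> List[str]:
    """Partners implicated in lingering-object or tombstone-lifetime events."""
    return sorted({f.partner for f in findings if f.event_id in LINGERING_EVENTS and f.partner})
```
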
See Also
Known Issues for Adding Domain Controllers in Remote Sites

Preparing a Server Computer for Shipping and Installation from Backup Media

Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection

Reconnecting a Domain Controller After a Long-Term Disconnection


Managing SYSVOL

How the Active Directory Replication Model Works

Active Directory Management Pack Technical Reference for MOM 2005

Preparing a Server Computer for Shipping and Installation from Backup Media
The specific guidelines for installing Active Directory from backup media are provided in
the topic Installing a Domain Controller in an Existing Domain Using Restored Backup
Media. Be sure to read that topic before performing the procedures that are specified in
this topic.

When you want to ship the server to a remote site and install Active Directory by restoring
from backup media in the remote site, you must make certain choices regarding the
method that you use to restore the backup. You must also decide whether to use
removable media or ship the backup on the server that will become the additional domain
controller. You can use the information in this topic to make these decisions and to
prepare the server for shipping. Use the information in Installing a Domain Controller in
an Existing Domain Using Restored Backup Media to perform the actual backup, restore,
and Active Directory installation procedures.

Preparing a computer for installation in a remote site by using restored backup media
requires that you perform the following tasks:

 Begin by backing up system state on a domain controller in the domain into which
you are installing the domain controller according to the recommendations and
requirements in Installing a Domain Controller in an Existing Domain Using Restored
Backup Media.

 Determine whether to restore the system state backup onto the computer that will be
promoted or use removable media to ship the backup files separately from the
computer.

 Determine the volume on which to restore the backup media. If you have a large
Ntds.dit file, this decision can affect the amount of time necessary for Active Directory
installation. If you have a large SYSVOL, this decision can affect whether full
replication of SYSVOL occurs during Active Directory installation. The ability to use
the backup media to source SYSVOL depends on various factors. If you want to
avoid full replication of SYSVOL, additional preparation is required, as described later
in this section.

 Before you ship the server, enable Remote Desktop access on the server so that you
can install the domain controller and manage it remotely. You can also enable
Remote Desktop remotely by using the registry, but this method should be used only
as a fallback measure if, through some oversight, Remote Desktop is not enabled
prior to shipping.

 If you are installing a domain controller that is running Windows Server 2003 with
Service Pack 1 (SP1) in a forest that has a forest functional level of
Windows Server 2003 or Windows Server 2003 interim and you want to include
application directory partitions in the installation media, you can do so by creating an
answer file that contains the location of the restored backup media and then running
an unattended installation of Active Directory.

Restore the Backup to the Promotion Computer or Ship Removable Media
When you back up system state for the purpose of creating restored backup media for
domain controller installation, you can use various methods to create the media for
shipment and installation. You can:

 Before you ship the server, restore the backup directly to a volume on the server that
you are shipping. When the server arrives at the remote site, it is ready for installation
with no further preparation.

 Copy the .bkf file onto removable media before restoration. Ship the media to the
remote site, and then restore the backup from the removable media to an alternate
location on each domain controller that you want to install. The advantage of this
method is that you retain the potential for SYSVOL to be sourced from the backup
media.

 Restore the backup to any location on any server and then copy the restored backup
to removable media, such as a CD, DVD, or portable hard drive. The advantage of
using this method is that you restore the backup only once; you can install as many
domain controllers as necessary from the same media. The disadvantage is that
copying the restored files loses the SYSVOL data that is required for sourcing
SYSVOL from the restored backup. For more information about ensuring that
SYSVOL is sourced from the restored backup, see "Seeding the SYSVOL tree from
restored files during IFM promotion" in article 311078, "How to use the Install from
Media feature to promote Windows Server 2003–based domain controllers," on the
Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=37924).

Determine the Restore Volume
The volume on which you restore the system state backup has implications for both
Active Directory files and SYSVOL files. For faster restore, it is recommended that you
restore the backup to the volume that you will designate to host the Ntds.dit file when you
run Dcpromo, if space permits. Otherwise, restore the backup to a volume that has
sufficient free space. Restoring the backup to the volume that will store Ntds.dit, as
opposed to a different volume, affects how files are managed by the system during and
after Active Directory installation, as follows:

 Active Directory files. The volume to which you restore the Ntds.dit and NTDS log
files determines how long installation will take and whether you must delete copied
files following installation:

 If you restore the system state to a location on the same volume (drive letter) that
will ultimately host the Ntds.dit and NTDS log files, when you designate the path
for the Ntds.dit and NTDS log files during installation, the Active Directory
Installation Wizard will move the Ntds.dit and NTDS log files from the restored
location to their installed location. Moving the files is much faster than copying
the files.

 If you restore the system state to a different volume than the volume that will
ultimately host the Ntds.dit and NTDS log files, the Active Directory Installation
Wizard will copy the Ntds.dit and NTDS log files to their final location during
installation. In the case of a large Ntds.dit file, the copy process can add
significantly to the installation time. In this case, you must manually delete the
remaining files and folders in the restored folder after a successful installation. As
a best practice, we recommend that you always delete the folder that you use to
receive the restored backup, regardless of whether files are copied or moved.

 SYSVOL replication. The volume to which you restore the system state backup also
determines whether the File Replication service (FRS) uses the restored files as the
source for SYSVOL on the new domain controller or whether FRS replicates a new
copy of SYSVOL from a different domain controller in the domain. To source the
SYSVOL data from the restored backup, you must restore the system state backup to
the same volume as the drive that you specify in the Active Directory Installation
Wizard to host the SYSVOL tree. Otherwise, the data will be sourced over the
network from a domain controller that is in the same domain as the new domain
controller.

If you store the SYSVOL shared folder on a different volume from the Active Directory
files, consider the effect of copying Active Directory files, as described earlier in this
topic, as opposed to the effect of replicating the entire contents of the SYSVOL
shared folder. If avoiding replication of the SYSVOL shared folder is a goal of the
remote installation, restore the backup to a location that is on the same volume as
the drive that will contain the SYSVOL share.

If only one domain controller is installed in the domain (SYSVOL has not replicated at
least once between two domain controllers in the domain), the ability to source
SYSVOL from the restored backup media requires preliminary configuration of a
"helper" domain controller to prepare the SYSVOL before you perform the system
state backup.

Note
It is recommended that you deploy at least two domain controllers in each
domain for redundancy and failover.
For more information about how to ensure that SYSVOL is sourced from the restored
backup, see "Seeding the SYSVOL tree from restored files during IFM promotion" in
article 311078, "How to use the Install from Media feature to promote
Windows Server 2003–based domain controllers," on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=37924). To assess the effect of replication, as
opposed to additional configuration to source SYSVOL from the backup media, test both
procedures in a lab environment that mirrors your production environment in terms of
wide area network (WAN) speed and replication latency.

Enable Remote Desktop


You can use Remote Desktop to connect to the domain controller and manage it as if you
were sitting at the console. Remote Desktop is disabled by default in
Windows Server 2003 operating systems. To install Active Directory, you must have
Domain Admins credentials in the domain into which you are adding the domain
controller. This level of service administration might not be available in the remote site. In
any case, you will want to be able to install and manage the domain controller from the
hub site.

Create a Domain Controller Installation Answer File
If you want to include application directory partitions in the restored backup media that
you use as the source for an Active Directory installation, you must create a domain
controller installation answer file and perform an unattended Active Directory installation.
Dcpromo uses the answer file for installation instructions, including the location of
restored backup media and instructions to use these files as the source for the
installation.
If you are installing a domain controller in a remote site that will also be a DNS server,
you might want to include application directory partitions in the installation media rather
than replicating them. You can include application directory partitions in the installation
media if the following conditions apply:

 The forest has a functional level of Windows Server 2003 or Windows Server 2003
interim.

 The domain controller that you back up and the server that you are installing are both
running Windows Server 2003 with SP1.

 For creating a DNS server, your forest uses Active Directory-integrated DNS (DNS
zone data is stored in application directory partitions on DNS servers in the forest).

 The domain controller that you back up stores the application directory partitions that
you want to include.

Instructions for performing this type of installation are included in this task.

Task requirements

The following tools are necessary to complete this task:

 Ntbackup.exe

 System Control Panel

 Dcpromo.exe

 Ref.chm on the Windows Server 2003 installation CD (for unattended installations
only)

To complete this task, perform the following procedures:

1. Back up system state on a domain controller in the domain into which you are
installing the additional domain controller. The following requirements apply for the
backup domain controller and the target server:

 The backup domain controller and target server must be running the same
version of Windows Server 2003. For example, if the domain controller that you
back up is running Windows Server 2003 with SP1, you cannot use this backup
media to install Active Directory on a server that is running Windows Server 2003
with no service pack installed.

 The backup domain controller and target server must be running on the same
hardware platform (32-bit or 64-bit).

 To install a domain controller that is a global catalog server, you must back up
system state on a global catalog server.

 To install a domain controller that is a DNS server (that is, a server that stores the
DomainDNSZones and ForestDNSZones application directory partitions), you
must back up system state on a DNS server that stores these directory partitions.

2. Restore system state to an alternate location. This location can be on the target
server or in a different location, from which the backup files can be copied to
removable media and then shipped to the remote site separately from the target
server. Follow the guidelines described in "Determine the Restore Volume" earlier in
this topic.

As an alternative, you can copy the unrestored .bkf file to removable media and then
ship the media to the remote site, where it can be restored to a location on the target
server.
When you restore, you must run Ntbackup on the server that has the alternate
location. Therefore, if you are restoring to an alternate location that is not on the
server on which the .bkf file is stored, before you run Ntbackup, do the following:

a. Share the folder that contains the .bkf file.

b. Map a connection to it from the computer on which you are running Ntbackup.

3. Enable Remote Desktop on the target server.

4. If you are installing a DNS server or a domain controller that will store any application
directory partitions, Create an answer file for domain controller installation.

5. Ship the domain controller and any prepared removable media and answer file to the
remote site. Ship these items separately and securely.

6. When the server is running in the remote site, install the domain controller as follows:

 Create a Remote Desktop Connection to the remote server.

 If you are installing a domain controller that does not require application directory
partitions to be included in the installation, Install Active Directory from restored
backup media.

 If you are installing a domain controller that will be a DNS server or that requires
other application directory partitions to be included in the installation media,
perform the procedure to Include application directory partitions in an Active
Directory installation from backup media.

7. If the domain controller is to be a DNS server, Install the DNS Server service after
Active Directory has been installed.

See Also
Installing a Domain Controller in an Existing Domain Using Restored Backup Media

Back up system state


Ntbackup.exe provides simple and advanced options for backing up Active Directory
components. When you back up system state, you can choose to include or exclude
system-protected boot files. System-protected boot files are not used for installations
from restored backup media. When the backup file that you create is to be used for
additional domain controller installations, you can clear the advanced option to back up
system-protected files. Clearing this option decreases the size of the .bkf file, as well as
the time required to back up, restore, and copy the system state files.

Use these procedures to back up the system state only. These procedures do not back
up the system disk or any other data on the domain controller except for the
system-protected files.

Use the first procedure, "To back up system state including system-protected files," for
routine system state backup. Use the second procedure, "To back up system state
excluding system-protected files," if you want to create a smaller backup that is effective
for installing domain controllers from restored backup media.

Note
To back up system state, you must log on locally to the domain controller, or
Remote Desktop must be enabled on the remote domain controller so that you
can connect remotely.

Administrative credentials

 To perform the following two procedures, you must be a member of the Domain
Admins group or a member of the Backup Operators group.

To back up system state including system-protected files


1. To start the Windows Server 2003 backup utility, click Start, click Run, type
ntbackup, and then click OK.

This procedure provides steps for backing up in Wizard Mode. By default, the
Always Start in Wizard Mode check box is selected in the Backup or Restore
Wizard. If the Welcome to the Backup Utility Advanced Mode page appears,
click Wizard Mode to open the Backup or Restore Wizard.

2. On the Welcome to the Backup or Restore Wizard page, click Next.

3. Select Back up files and settings, and then click Next.

4. Select Let me choose what to back up, and then click Next.

5. In the Items to Back Up window, double-click My Computer.

6. In the expanded list below My Computer, check System State, and then click
Next.

7. Select a location to store the backup:

 If you are backing up to a file, type the path and file name for the backup
(.bkf) file (or click Browse to find a folder or file).
 If you are backing up to a tape unit, choose the tape that you want to use.

Note
You should not store the backup on the local hard drive. Instead,
store it in a location, such as a tape drive, away from the computer
that you are backing up.

8. Type a name for this backup according to the recommendations in Backing Up
Active Directory Components, and then click Next.

9. On the last page of the wizard, click Advanced.

10. Do not change the default options for Type of Backup. Normal should be
selected, and the check box for Backup migrated remote storage data should
remain cleared. Click Next.

11. Select Verify data after backup, and then click Next.

12. In the Backup Options dialog box, select a backup option, and then click Next.

13. If you are replacing the existing backups, select the option to allow only the
owner and administrator access to the backup data and to any backups that are
appended to this medium, and then click Next.

14. In the When to back up box, select the appropriate option for your needs, and
then click Next.

15. If you are satisfied with all of the options that are selected, click Finish to perform
the backup operation according to your selected schedule.

Note
The system state can also be backed up by using Ntbackup from a
command line with appropriate parameters. For more information, at a
command prompt type ntbackup /?.

The following procedure produces a smaller .bkf file that does not include system boot
files. By using this procedure, you can reduce the time that is required to perform the
backup and subsequent restore, as well as the amount of disk space that is required.
This method is recommended when the restored backup is to be used for installing
additional domain controllers.

To back up system state excluding system-protected files


1. To start the Windows Server 2003 backup utility, click Start, click Run, type
ntbackup, and then click OK.

2. On the Welcome to the Backup or Restore Wizard page, click Advanced
Mode, and then click the Backup tab.

3. In the console tree, select the System State check box.

4. In Backup media or file name, type a name for this backup according to the
recommendations in Backing Up Active Directory Components.

5. Click Start Backup, and then click Advanced.

6. Clear the Automatically back up System Protected Files with the System
State check box, and then click OK.

7. Click Start Backup.

See Also
Enable Remote Desktop

Create a Remote Desktop Connection

Restore system state to an alternate location
Perform this procedure to create media for installing a domain controller from restored
backup media or to allow an authoritative restore of SYSVOL. After the domain controller
installation is complete, delete the files in the alternate location.
You can restore the system state backup to an alternate location on the domain controller
from which the backup was made, a location on another computer, or a location on the
computer that you want to install as a domain controller.

Administrative credentials

To perform this procedure, you must be a member of the Backup Operators group, as
follows:

 Restore system state on a member or workgroup server: Backup Operators group on
the local computer

 Restore system state on a domain controller: Backup Operators group in the domain

To restore system state to an alternate location


1. Log on to the server that has the alternate location to which you are restoring
system state backup files.

2. Click Start, click Run, type ntbackup, and then click OK.

3. On the Welcome to the Backup or Restore Wizard page, click Next.

4. Click Restore Files and settings, and then click Next.

5. On the What to Restore page, click Browse, and then, in the Open Backup
File dialog box, click Browse again.

6. Navigate to the .bkf file that you want to restore to an alternate location. The .bkf
file can be located in a folder on the current computer, in a shared folder on the
backup computer or other network computer, or on an external drive that
contains removable media.

7. In the Select file for catalog dialog box, click the .bkf file that you want to
restore, and then click Open.

8. In the Open Backup File dialog box, click OK.

9. In Items to restore, double-click File, and then double-click the .bkf file that you
want to restore.

10. Below the .bkf file that you want to restore, select the System State check box,
and then click Next. (You do not need to restore the system disk to an alternate
location.)

11. On the Completing the Backup or Restore Wizard page, click Advanced.

12. In the Restore Files to drop-down list, click Alternate Location.

13. In Alternate Location, type the path (or browse) to the local folder to which you
are restoring the backup, and then click Next. We recommend restoring to a
folder named NTDSRESTORE, if space permits, on the volume that will host the
Ntds.dit file when Dcpromo is run. Otherwise, restore to a folder named
\NTDSRESTORE on another volume that has sufficient free space.

14. On the How to Restore page, accept the default selection Leave existing files
(Recommended), and then click Next.

15. On the Advanced Restore Options page, accept the default selections Restore
security settings and Preserve existing volume mount points, and then click
Next.

16. On the Completing the Backup or Restore Wizard page, click Finish.

Enable Remote Desktop


You can enable Remote Desktop on the server that you are installing as a domain
controller so that service administrators can manage the domain controller remotely.
Remote Desktop is disabled by default in Windows Server 2003 operating systems.

Use this procedure to enable Remote Desktop before you ship the server that will be
installed as a domain controller. If you neglected to perform this procedure prior to
shipping the server, use the procedure "To enable Remote Desktop remotely by using the
registry," later in this topic.

Administrative credentials

To complete this procedure, you must be a member of the local Administrators group.

To enable Remote Desktop


1. Click Start, point to Control Panel, and then click System. Or, click Start,
right-click My Computer, and then click Properties.

2. On the Remote tab, under Remote Desktop, select the Allow users to connect
remotely to this computer check box, and then click OK.

Note
On computers running Windows Server 2003 with Service Pack 1 (SP1),
on the Remote tab, select the Enable Remote Desktop on this
computer check box.

If for any reason you neglected to perform this procedure prior to shipping the server, you
can enable Remote Desktop remotely by using the registry.

Administrative credentials

To complete this procedure, you must be a member of the local Administrators group.

To enable Remote Desktop remotely by using the registry


1. On any computer that is running a version of Windows Server 2003 or
Windows XP Professional, click Start, click Run, type regedit, and then click OK.

2. On the File menu, click Connect Network Registry.

3. In the Select Computer dialog box, type the computer name and then click
Check Names.

4. In the Enter Network Password dialog box, provide Domain Admins credentials
for the domain of the server, and then click OK.

5. After the computer name resolves, click OK.

6. In the computer node that appears in the Registry Editor, navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server.

7. In the console tree, click Terminal Server and then, in the details pane, double-
click fDenyTSConnections.

8. In the Edit DWORD Value box, in Value data, type 0, and then click OK.

9. To implement the change, reboot the server remotely, as follows:

Open a command prompt, type the following, and then press Enter:

shutdown -m \\DomainControllerName -r

Create an answer file for domain controller installation
Use this procedure to create a text file that you can use as the answer file for an
unattended installation of a domain controller. The answer file contains sensitive
information and should be kept in a secure location.

Administrative credentials
To perform this procedure, you must be a member of the Authenticated Users group on
the local computer on which you create the answer file.

To create an answer file for domain controller installation


1. On a local computer, insert the Windows Server 2003 CD-ROM into the CD-ROM
drive or DVD-ROM drive. Press and hold down the SHIFT key as you insert the
CD to prevent it from starting automatically.

2. Start Windows Explorer, and then open the Support\Tools folder on the
Windows Server 2003 CD-ROM.

3. In the console tree, click Tools, and then, in the details pane, double-click
Deploy.cab.

4. In the details pane, right-click Ref.chm, and then click Extract.

5. In the Select a Destination dialog box, navigate to or create a new folder for the
expanded Ref.chm file, and then click Extract.

6. In its extracted location, open Ref.chm.

7. On the Contents tab in the scope pane, double-click Unattend.txt, and then
click [DCInstall].

8. In the details pane, scroll to Sample, select the entire sample, beginning at
[DCInstall], and then copy the sample.

9. Open Notepad, paste the sample into the Notepad file, and save the text file.

10. Edit the text file to contain at least the following entries (additional entries and
their descriptions are available in Ref.chm):

[DCINSTALL]
UserName=SAM account name that has Domain Admins credentials in the
target domain. This account must be used by the administrator who runs the
Dcpromo command.

Password=Password for the account name. If you leave this blank, Dcpromo
prompts the user during installation. Dcpromo deletes this value following
installation.

UserDomain=Domain name for the user account in UserName.

DatabasePath=Location of the Ntds.dit file. (The default is %systemroot%\ntds.)
If you omit this entry, Dcpromo uses the default location.

LogPath=Location of the database log files. (The default is %systemroot%\ntds.)
If you omit this entry, Dcpromo uses the default location.

SYSVOLPath=Location of the shared SYSVOL tree. (The default is
%systemroot%\ntds.) If you omit this entry, Dcpromo uses the default location.

SafeModeAdminPassword=Password for the administrator account that must
be used to start the domain controller in Directory Services Restore Mode. If you
leave this blank, Dcpromo prompts the user for the password during installation.
Dcpromo deletes this value following installation. Passwords are removed from
the answer file when Dcpromo is executed.

CriticalReplicationOnly=Yes or no, to specify whether to skip noncritical
portions of replication and allow Dcpromo to complete before replication is
complete.

SiteName=The name of the Active Directory site in which this domain controller
will be placed. This site must be created in advance in the Active Directory Sites
and Services snap-in.

ReplicaOrNewDomain=Specify either Replica for an additional domain
controller in an existing domain or NewDomain for the first domain controller in a
new domain.

ReplicaDomainDNSName=The fully qualified domain name of the domain of the
new domain controller.

ReplicationSourceDC=The name of an existing domain controller in the domain
to use as the source replication partner during installation. When you install
Active Directory from restored backup media, you can use this entry in
conjunction with ReplicateFromMedia if you want to specify the domain
controller from which Active Directory changes and SYSVOL changes are
replicated.

ReplicateFromMedia=Yes for installation from media, no for installation by
replication.

ReplicationSourcePath=When the installation is by replication, the path to the
installation CD or network share. When the installation is from restored backup
media, the local drive and path to the restored backup files.

RebootOnSuccess=Yes if you want the domain controller to restart
automatically following a successful installation, no if you want to restart the
domain controller manually. If you do not want the domain controller to restart
automatically and you do not want to be prompted, use the value
NoAndNoPromptEither.

ApplicationPartitionsToReplicate=Comma-separated distinguished names,
with the entire string enclosed in quotation marks, of application directory
partitions that you want to include when you use restored backup media to install
Active Directory (or * to include all application directory partitions). Using this
entry requires Windows Server 2003 with Service Pack 1 (SP1) and
Windows Server 2003 forest functional level. For more information about using
this entry, see Include application directory partitions in an Active Directory
installation from backup media.

11. Save the answer file to the location on the installation server from which it is to
be called by Dcpromo, or save the file to a network share or removable media for
distribution.
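Before the answer file leaves the hub site, it is worth checking it against the rules in this topic: whether the folder named in ReplicationSourcePath shares a volume with the Ntds.dit and SYSVOL locations (see "Determine the Restore Volume" earlier in this topic, which decides whether the NTDS files are moved or copied and whether SYSVOL is sourced from the media or replicated over the network), whether passwords were left in the file, and whether the ApplicationPartitionsToReplicate value is either * or one quoted list of distinguished names separated by spaces, the format that the procedure "Include application directory partitions in an Active Directory installation from backup media" describes. The following Python script is an added example and is not part of this guide or of Dcpromo. The entry names are the [DCInstall] entries listed above; the functions parse_answer_file, volume_of and lint_dcinstall, the constructed sample file, the account, domain, site and path values in it, and the assumed Windows folder on drive C: are illustrations only.

```python
"""Pre-flight lint for a [DCInstall] answer file used to install a domain
controller from restored backup media. Added example, not part of the Microsoft
guide or of Dcpromo: the key names are the unattend entries the guide lists; the
functions, the sample file and every value in it are constructed."""
import ntpath
import re

# Constructed sample for a DNS-server replica in a remote site. The restore folder
# is on D: but SYSVOL is on C:, and a DSRM password was typed in, so expect warnings.
SAMPLE_ANSWER_FILE = r"""
[DCInstall]
UserName=dcadmin
Password=
UserDomain=corp.example.com
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=corp.example.com
SiteName=Branch-01
ReplicateFromMedia=Yes
ReplicationSourcePath=D:\NTDSRESTORE
DatabasePath=D:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
SafeModeAdminPassword=Hunter2!
ApplicationPartitionsToReplicate="DC=DomainDnsZones,DC=corp,DC=example,DC=com DC=ForestDnsZones,DC=corp,DC=example,DC=com"
"""

REQUIRED = ("UserName", "UserDomain", "ReplicaOrNewDomain", "ReplicaDomainDNSName",
            "SiteName", "ReplicateFromMedia", "ReplicationSourcePath")


def parse_answer_file(text):
    """Return the [DCInstall] section as {lowercase key: raw value}."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "dcinstall"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def volume_of(path, systemroot):
    """Drive letter of a path after expanding %systemroot% (case-insensitive)."""
    expanded = re.sub(r"%systemroot%", lambda _: systemroot, path, flags=re.IGNORECASE)
    return ntpath.splitdrive(expanded)[0].upper()


def lint_dcinstall(text, systemroot="C:\\WINDOWS", domain_controller_count=2):
    """Return (findings, plan): findings are (level, message) tuples with level
    error/warning/info; plan records how Dcpromo will treat the restored files.
    systemroot is assumed; domain_controller_count is how many domain
    controllers the target domain already has."""
    entries = parse_answer_file(text)
    val = lambda key: entries.get(key.lower(), "")
    findings, plan = [], {}
    # 1. Minimum entries for an additional domain controller installed from media.
    for key in REQUIRED:
        if not val(key):
            findings.append(("error", f"{key} is missing or empty"))
    if val("ReplicaOrNewDomain").lower() != "replica":
        findings.append(("error", "ReplicaOrNewDomain must be Replica for an additional domain controller"))
    if val("ReplicateFromMedia").lower() != "yes":
        findings.append(("error", "ReplicateFromMedia must be Yes to install from restored backup media"))
    # 2. Dcpromo removes passwords after it runs, but until then they sit in clear
    #    text on whatever carries the file; a blank value makes Dcpromo prompt instead.
    for key in ("Password", "SafeModeAdminPassword"):
        if val(key):
            findings.append(("warning", f"{key} is stored in clear text; leave it blank so Dcpromo prompts"))
    # 3. Restore volume versus the final Ntds.dit and SYSVOL volumes
    #    (same volume: NTDS files are moved and SYSVOL is sourced from the media).
    src_vol = volume_of(val("ReplicationSourcePath"), systemroot)
    if src_vol and val("DatabasePath"):
        moved = src_vol == volume_of(val("DatabasePath"), systemroot)
        plan["ntds_files"] = "moved" if moved else "copied"
        if not moved:
            findings.append(("info", "restore folder is not on the DatabasePath volume: Ntds.dit and logs are copied, not moved; delete the restore folder afterwards"))
    if src_vol and val("SYSVOLPath"):
        same = src_vol == volume_of(val("SYSVOLPath"), systemroot)
        plan["sysvol"] = "sourced from restored backup" if same else "replicated over the network"
        if not same:
            findings.append(("warning", "restore folder is not on the SYSVOLPath volume: SYSVOL will replicate over the network"))
        elif domain_controller_count < 2:
            findings.append(("warning", "single-DC domain: SYSVOL has never replicated; prepare a helper domain controller before the backup"))
    # 4. ApplicationPartitionsToReplicate: * or one quoted, space-separated DN list.
    apps = val("ApplicationPartitionsToReplicate")
    if apps:
        if apps == "*":
            names = ["*"]
        elif len(apps) >= 2 and apps[0] == apps[-1] == '"':
            names = apps[1:-1].split()
        else:
            names = apps.split()
            findings.append(("error", "ApplicationPartitionsToReplicate must be * or a quoted list of distinguished names"))
        findings.extend(("error", f"not a distinguished name: {n}") for n in names if n != "*" and "=" not in n)
        plan["application_partitions"] = names
        findings.append(("info", "ApplicationPartitionsToReplicate needs Windows Server 2003 SP1 on both servers and Windows Server 2003 forest functional level"))
    return findings, plan
```

Run lint_dcinstall on the file before you copy it to removable media. An error finding means Dcpromo will not have what it needs for an installation from media; a warning means the installation can proceed but will either replicate more than intended (SYSVOL over the WAN) or carry a clear-text password on the shipped media until Dcpromo removes it. For the constructed sample, the NTDS files are reported as moved (restore folder and DatabasePath both on D:), SYSVOL as replicated over the network (SYSVOL on C:), and the typed-in SafeModeAdminPassword is flagged.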

See Also
Include application directory partitions in an Active Directory installation from backup
media

Create a Remote Desktop Connection


If Remote Desktop is enabled on a server, you can use Remote Desktop Connection to
connect to the server and manage it remotely. Remote Desktop is disabled by default in
Windows Server 2003 operating systems.

Administrative credentials

To complete this procedure, you must have Remote Desktop permissions by being added
to the Remote Desktop Users group or you must be a member of the local Administrators
group of the computer to which you are connecting. If the computer is a domain
controller, you must have the Allow Logon Locally right applied in the Default Domain
Controllers Policy.

To create a new Remote Desktop Connection


1. On the Start menu, point to Programs or All Programs, point to Accessories,
point to Communications, and then click Remote Desktop Connection.

2. In Computer, type a computer name or Internet Protocol (IP) address, and then
click Connect. The computer can be a terminal server, or it can be a computer
running Windows XP Professional or a Windows Server 2003 operating system
that has Remote Desktop enabled and for which you have Remote Desktop
permissions.

3. In the Log On to Windows dialog box, type your user name, password, and
domain (if required), and then click OK.

See Also
Enable Remote Desktop

Install Active Directory from restored backup media
Use this procedure to install Active Directory from backup media to create an additional
domain controller in an existing domain.

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group in the
domain into which you are installing the additional domain controller.

To install Active Directory from restored backup media


1. Click Start, click Run, type dcpromo /adv, and then press ENTER.

2. In the Active Directory Installation Wizard, select Additional domain controller
for existing domain.

3. Select From these restored backup files, and point to the same location where
you restored the system state data.

4. If the domain controller whose system state backup you are using is a global
catalog server, the Active Directory Installation Wizard asks you whether you
want this server to also be a global catalog server.

5. Give appropriate credentials for the operation.

6. Enter the domain of the new domain controller. This domain must be the domain
of the domain controller whose system state backup you are using.

7. Complete the remaining pages of the Active Directory Installation Wizard.

Dcpromo.exe will install Active Directory using the data present in the restored
files, which eliminates the need to replicate every object from a partner domain
controller. However, objects that were modified, added, or deleted since the
backup was taken must be replicated. If the backup was recent, the amount of
replication required will be considerably less than that required for a regular
Active Directory installation.

After the installation operation completes successfully and the computer is
restarted, the folder and subfolders that contain the restored system state can be
removed from the local disk.

See Also
Restore system state to an alternate location

Include application directory partitions in an Active Directory installation from backup
media

Include application directory partitions in an Active Directory installation from
backup media
You can use this procedure to install Active Directory from restored backup media that
includes application directory partitions to create an additional domain controller in an
existing domain. In this procedure, you edit a domain controller installation answer file to
provide instructions for including application directory partitions in the installation. You
must have already created the answer file according to the directions in Create an
answer file for domain controller installation.

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group in the
domain into which you are installing the additional domain controller.

To include application directory partitions in an Active Directory installation
from backup media

1. Open the answer file that you created to install the domain controller.

2. To include application directory partitions that are contained in the system state
backup, add the following entry to the end of the answer file:

ApplicationPartitionsToReplicate=

3. Provide a value for ApplicationPartitionsToReplicate as follows:

 If you want to include all application directory partitions, use the value *.

 If you want to include specific application directory partitions, type the
distinguished name of each directory partition. Separate each distinguished
name with a space, and enclose the entire list in quotation marks, as shown
in the following example:

ApplicationPartitionsToReplicate="dc=app1,dc=contoso,dc=com
dc=app2,dc=contoso,dc=com"

4. In the entry ReplicationSourcePath=, type the path to the folder that contains
the restored system state backup files on the installation computer.

5. If you do not want Dcpromo to prompt the user for passwords, type the password
in the Password= entry for the account that you will use to install the domain
controller, type the password in the SafeModeAdminPassword= entry that you
will use to provide access to Directory Services Restore Mode, and then save the
answer file.

Note
Passwords are automatically deleted from the answer file when Dcpromo
runs.

6. Open a command prompt, and then change directories to the location of the
answer file.

7. At the command prompt, type the following command, and then press ENTER:

dcpromo /adv /answer:"Drive:\PathToAnswerFile\AnswerFileName"

Active Directory installation occurs automatically. If you left passwords blank in
the answer file, Dcpromo prompts you for your administrative password and for
the Directory Services Restore Mode password. If you specified "no" for the
RebootOnSuccess= entry in the answer file, Dcpromo prompts you to restart
the server after installation.

Preparing an Existing Domain Controller for Shipping and Long-Term
Disconnection
When you ship a domain controller to a remote site, you must disconnect it from the
network and, consequently, from the replication topology. If a domain controller must be
separated from the replication topology for a period of time that might be longer than a
tombstone lifetime, you must take preliminary steps to ensure a smooth reconnection.
Otherwise, it is possible that a long-term disconnection can result in a deleted object
being reintroduced into the directory. Such deleted objects, when they are retained on a
domain controller that has been disconnected for a period that is longer than a tombstone
lifetime, are called "lingering objects." Lingering objects that are security principals, such
as users or groups, can cause problems with Active Directory searches and e-mail
delivery. Lingering objects can also jeopardize security if a user is allowed access to a
resource by virtue of membership in a group that has been deleted. For more information
about lingering objects, see "Maintaining Directory Consistency When Disconnecting a
Domain Controller" in Known Issues for Adding Domain Controllers in Remote Sites.

By taking preliminary precautions, you can ensure that long-term disconnections do not
result in directory inconsistency from lingering objects.

To complete this task, perform the following procedures:

1. Determine the anticipated length of the disconnection.

2. Determine the tombstone lifetime for the forest.

3. Determine the maximum safe disconnection period by subtracting a generous
estimate of the end-to-end replication latency from the tombstone lifetime. Either find
the latency estimate in the design documentation for your deployment or request the
information from a member of your design or deployment team.

 If the anticipated time of disconnection exceeds the maximum safe disconnection
period, make a decision about whether to extend the tombstone lifetime. To
change the tombstone lifetime, see Determine the tombstone lifetime for the
forest and change the value in the tombstoneLifetime attribute.

 If the estimated time of disconnection does not exceed the maximum safe
disconnection time, proceed with disconnection.

4. View the current operations master role holders to determine whether the domain
controller is an operations master role holder.

5. Transfer the domain-level operations master roles, if appropriate.

6. Transfer the schema master, if appropriate.

7. Transfer the domain naming master, if appropriate.

8. Prepare a domain controller for nonauthoritative SYSVOL restart on the domain
controller that you are disconnecting. This process ensures an up-to-date SYSVOL
when the domain controller is restarted. This process might result in a new copy of
SYSVOL being replicated from another domain controller in the domain. To avoid full
replication of SYSVOL, additional preparation is required. For more information about
ensuring that SYSVOL does not require full synchronization following restart, see
"Seeding the SYSVOL tree from restored files during IFM promotion" in article
311078, "How to use the Install from Media feature to promote Windows Server
2003-based domain controllers," in the Microsoft Knowledge Base on the Microsoft
Web site (http://go.microsoft.com/fwlink/?LinkId=37924). These instructions are not
specific to installing from backup media, but they apply to preparing SYSVOL on any
domain controller so that full synchronization is not required.

9. Enable strict replication consistency on the domain controller that you are
disconnecting. You can also use this command-line procedure to enable strict
replication consistency on other domain controllers or on all domain controllers in
the forest.

10. Synchronize replication with all partners. Update the domain controller with the latest
changes just before you disconnect it.

11. Verify successful replication to a domain controller for the domain controller that you
are disconnecting.

12. Label the domain controller with the date and time of disconnection and the
maximum safe disconnection period.

See Also
Known Issues for Adding Domain Controllers in Remote Sites

Managing Operations Master Roles

Managing SYSVOL

Reconnecting a Domain Controller After a Long-Term Disconnection

Windows Server 2003 Technical Reference

Determine the tombstone lifetime for the forest
The tombstone lifetime is determined by the value of the tombstoneLifetime attribute on
the Directory Service object in the configuration directory partition.

Administrative Credentials

To complete this procedure, you must be a member of the Domain Users group.

To determine the tombstone lifetime for the forest

1. On the Start menu, click Run, type adsiedit.msc, and then click OK.

2. In the console tree, double-click Configuration [DomainControllerName],
CN=Configuration,DC=[ForestRootDomain], CN=Services, and
CN=Windows NT.

3. Right-click CN=Directory Service, and then click Properties.

4. In the Attribute column, click tombstoneLifetime.

5. Note the value in the Value column. If the value is <not set>, the default value is
in effect as follows:

 On a domain controller in a forest that was created on a domain controller
running Windows Server 2003 with Service Pack 1 (SP1), the default value is
180 days.

 On a domain controller in a forest that was created on a domain controller
running Windows 2000 Server or Windows Server 2003, the default value is
60 days.

View the current operations master role holders
After an operations master role has been transferred, verify that the transfer has
succeeded throughout the domain. The change must be replicated to all relevant
domain controllers before it truly takes effect.

To view the current operations master role holders, use Ntdsutil.exe with the roles
option. This option displays a list of all current role holders.

Administrative Credentials

To perform this procedure, you must be logged on as a User or an Administrator.

To view the current operations master role holders

1. Click Start, click Run, type ntdsutil, and then press ENTER.

2. At the ntdsutil: prompt, type roles and press ENTER.

3. At the fsmo maintenance: prompt, type connections and press ENTER.

4. At the server connections: prompt, type connect to server servername (where
servername is the name of the domain controller that belongs to the domain
containing the operations masters).

5. After receiving confirmation of the connection, type quit and press ENTER to exit
this menu.

6. At the fsmo maintenance: prompt, type select operation target and press
ENTER.

7. At the select operations target: prompt, type list roles for connected server
and press ENTER.

The system responds with a list of the current roles and the Lightweight Directory
Access Protocol (LDAP) name of the domain controllers currently assigned to
host each role.

8. Type quit and press ENTER to exit each prompt in Ntdsutil.exe. Type quit and
press ENTER at the ntdsutil: prompt to close the window.

Transfer the domain-level operations master roles
Use this procedure to transfer the three domain-level operations master roles: the PDC
emulator, the RID master, and the infrastructure master. You can transfer all of these
roles by using the Active Directory Users and Computers console.
Note
These procedures are performed by using MMC, although you can also transfer
these roles by using Ntdsutil.exe. For information about using Ntdsutil.exe to
transfer the operations master roles, type ? at the Ntdsutil.exe command prompt.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To transfer a domain-level operations master role

1. Open Active Directory Users and Computers.

2. At the top of the console tree, right-click Active Directory Users and
Computers. Click Connect to Domain Controller.

3. In the list of available domain controllers, click the name of the server to which
you want to transfer the role, and then click OK.

4. At the top of the console tree, right-click Active Directory Users and
Computers, point to All Tasks, and then click Operations Masters.

The name of the current operations master role holder appears in the
Operations master box. The name of the server to which you want to transfer
the role appears in the lower box.

5. Click the tab for the role you want to transfer: RID, PDC, or Infrastructure. Verify
the computer names that appear and then click Change. Click Yes to transfer the
role, and then click OK.

6. Repeat steps 4 and 5 for each role that you want to transfer.

Transfer the schema master

Use this procedure to transfer the schema operations master role. The schema master is
a forest-wide operations master role. Before you can use the Active Directory Schema
snap-in for the first time, you must register it with the system. If you have not yet
prepared the Active Directory Schema snap-in, see Install the Schema snap-in before
you begin this procedure.
Note
This procedure is performed by using the Microsoft Management Console
(MMC), although you can also transfer this role by using Ntdsutil.exe. For
information about using Ntdsutil.exe to transfer operations master roles, type ? at
the Ntdsutil.exe command prompt.

Administrative Credentials

To perform this procedure, you must be a Schema Administrator in Active Directory.

To transfer the schema master

1. Open the Active Directory Schema snap-in.

2. In the console tree, right-click Active Directory Schema, and click Change
Domain Controller.

3. In the Change Domain Controller dialog box, click Specify Name. Then, in the
text box, type the name of the server to which you want to transfer the schema
master role. Click OK.

4. In the console tree, right-click Active Directory Schema. Click Operations
Master. The Change Schema Master box displays the name of the server that
is currently holding the role. The targeted domain controller is listed in the second
box.

5. Click Change. Click Yes to confirm your choice. The system confirms the
operation. Click OK again to confirm that the operation succeeded.

6. Click Close to close the Change Schema Master dialog box.

Note
Hosting the infrastructure master on a global catalog server is not
recommended. If you attempt to transfer the infrastructure master role to
a domain controller that is a global catalog, the system displays a
warning stating that this is not recommended.

Transfer the domain naming master

Use this procedure to transfer the domain naming operations master role. The domain
naming master is a forest-wide operations master role.
Note
This procedure is performed by using the Microsoft Management Console
(MMC), although you can also transfer this role by using Ntdsutil.exe. For
information about using Ntdsutil.exe to transfer operations master roles, type ? at
the Ntdsutil.exe command prompt.

Administrative Credentials

To perform this procedure, you must be a member of the Enterprise Admins group in
Active Directory.

To transfer the domain naming master

1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click Active Directory Domains and Trusts, and then
click Connect to Domain Controller.

3. Ensure that the proper domain name is entered in the Domain box.

The available domain controllers from this domain are listed.

4. In the Name column, click the domain controller (to select it) to which you want to
transfer the role. Click OK.

5. Right-click Active Directory Domains and Trusts, and then click Operations
Master.

6. The name of the current domain naming master appears in the first text box. The
server to which you want to transfer the role should appear in the second text
box. If this is not the case, repeat steps 1 through 4.

7. Click Change. To confirm the role transfer, click Yes. Click OK again to close the
message box indicating the transfer took place. Click Close to close the Change
Operations Master dialog box.

Prepare a domain controller for nonauthoritative SYSVOL restart
Initiate a nonauthoritative restart of SYSVOL by modifying the value of the BurFlags
(backup/restore flags) registry entry. Changing the value to D2 (hexadecimal) or 210
(decimal) prior to disconnecting a domain controller initiates an automatic
nonauthoritative restart of SYSVOL when the domain controller is restarted.

Separate entries exist for global and replica-set-specific BurFlags, as follows:

 To initiate a nonauthoritative restart of SYSVOL when it is the only replica set that is
represented on the domain controller, set the value of the global BurFlags
(REG_DWORD) entry under

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

 If other replica sets are represented on the domain controller and you want to update
only SYSVOL, set the value of the replica-set-specific BurFlags (REG_DWORD)
entry under

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\SYSVOL GUID

Modifying the replica-set-specific BurFlags entry requires identifying the SYSVOL GUID
in the registry.

Caution
The Registry Editor bypasses standard safeguards, allowing settings that can
damage your system or even require you to reinstall Windows. If you must edit
the registry, back up system state first. For information about backing up system
state, see Administering Active Directory Backup and Restore.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To prepare a domain controller for nonauthoritative SYSVOL restart

1. Click Start, click Run, type regedit, and then click OK.

2. Navigate to

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters

3. Expand Parameters.

4. Modify one of the BurFlags entries as follows:

To modify the global BurFlags entry:

a. Expand Backup/Restore, and then click Process at Startup.

b. In the details pane, right-click BurFlags and click Modify.

c. In the Value data box, type D2 hexadecimal or 210 decimal.

d. Click OK and close Registry Editor.

To modify the replica-set-specific BurFlags entry:

a. Expand both Cumulative Replica Sets and Replica Sets.

b. Match the GUID under Replica Sets to the identical GUID under Cumulative
Replica Sets, and click the matching GUID under Cumulative Replica Sets.

c. In the details pane, right-click BurFlags and click Modify.

d. In the Value data box, type D2 hexadecimal or 210 decimal.

e. Click OK and close Registry Editor.

Enable strict replication consistency

The setting for replication consistency is stored in the registry in the Strict Replication
Consistency entry in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.

Values for this entry are as follows:

 Value: 1 (0 to disable)

 Default: 1 (enabled) in a new Windows Server 2003 forest; otherwise 0.

 Data type: REG_DWORD

On domain controllers running Windows Server 2003 with Service Pack 1 (SP1), you do
not have to edit the registry directly to enable strict replication consistency. It is best to
avoid editing the registry directly if possible. You can use a Repadmin command that
enables strict replication consistency on one or all domain controllers in the forest. This
command is available only in the version of Repadmin that is included with Windows
Support Tools in Windows Server 2003 SP1. This command can be applied only on
domain controllers running Windows Server 2003 with SP1.

Administrative credentials

 To complete this procedure on a single domain controller, you must be a member of
the Domain Admins group in the domain.

 To complete this procedure on all domain controllers, you must be a member of the
Enterprise Admins group in the forest.

Requirements:

 Operating system: Windows Server 2003 with SP1

Note
To enable strict replication consistency on a domain controller that is not
running Windows Server 2003 with SP1, use a registry editor to set the value
in the Strict Replication Consistency entry to 1.

Caution
It is recommended that you do not directly edit the registry unless there is no
other alternative. Modifications to the registry are not validated by the registry
editor or by Windows before they are applied, and as a result, incorrect
values can be stored. This can result in unrecoverable errors in the system.
When possible, use Group Policy or other Windows tools, such as Microsoft
Management Console (MMC), to accomplish tasks rather than editing the
registry directly. If you must edit the registry, use extreme caution.

To enable strict replication consistency

1. Open a command prompt, type the following command, and then press ENTER:

repadmin /regkey DC_LIST {+|-}key

Term Definition

DC_LIST The name of a single domain controller. (* applies the change to all
domain controllers in the forest.) For the domain controller name, you can
use the Domain Name System (DNS) name, the distinguished name of the
domain controller computer object, or the distinguished name of the domain
controller server object.

{+|-}key + to enable and - to disable, and key is strict. For example, +strict
enables strict replication consistency; -strict disables it.

2. Repeat step 1 for every domain controller on which you want to enable strict
replication consistency.

Note
For more naming options and information about the syntax of the DC_LIST
parameter, at the command prompt type repadmin /listhelp.

Synchronize replication with all partners

You can use this procedure to synchronize replication with all replication partners of a
domain controller.

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group in the
domain of the selected domain controller or the Enterprise Admins group in the forest, or
you must have been delegated the appropriate authority. If you want to synchronize the
configuration and schema directory partitions on a domain controller in a child domain,
you must have Domain Admins credentials in the forest root domain or Enterprise Admins
credentials in the forest.

To synchronize replication with all partners

1. At a command prompt, type the following command, and then press ENTER:

repadmin /syncall DCName /e /d /A /P /q

Term Definition

DCName The Domain Name System (DNS) name of the domain controller on
which you want to synchronize replication with all partners.

/e Enterprise; includes partners in all sites.

/d Identifies servers by distinguished name in messages.

/A All; synchronizes all directory partitions that are held on the home server.

/P Pushes changes outward from the home server.

/q Runs in quiet mode; suppresses callback messages.

2. Check for replication errors in the output of the command in the previous step. If
there are no errors, replication is successful. For replication to complete, any
errors must be corrected.

See Also
Verify successful replication to a domain controller

Verify successful replication to a domain controller
You can use the repadmin /showrepl command to verify successful replication to a
specific domain controller. If you are not running Repadmin on the domain controller
whose replication you are checking, you can specify a destination domain controller in
the command. Repadmin lists INBOUND NEIGHBORS for the current or specified
domain controller. INBOUND NEIGHBORS shows the distinguished name of each
directory partition for which inbound directory replication has been attempted, the site and
name of the source domain controller, and whether replication succeeded or not, as
follows:

 Last attempt @ YYYY-MM-DD HH:MM.SS was successful.

 Last attempt @ [Never] was successful.

If @ [Never] appears in the output for a directory partition, replication of that directory
partition has never succeeded from the identified source replication partner over the
listed connection.

Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group in the
domain of the destination domain controller.

To verify successful replication to a domain controller

1. Open a Command Prompt.

2. Type the following command, and then press ENTER:

repadmin /showrepl servername /u:domainname\username /pw:*

Term Definition

servername Specifies the name of the destination domain controller.

domainname Specifies the single-label name of the domain of the destination
domain controller. (You do not have to use a fully qualified Domain Name
System (DNS) name.)

username Specifies the name of an administrative account in that domain.

3. When you are prompted for a password, type the password for the user account
that you provided, and then press ENTER.

You can also use Repadmin to generate the details of replication to and from all
replication partners in a spreadsheet. The spreadsheet displays data in the following
columns:

Showrepl_COLUMNS

Destination DC Site

Destination DC

Naming Context

Source DC Site

Source DC

Transport Type

Number of Failures

Last Failure Time

Last Success Time

Last Failure Status

The following procedure shows how to create this spreadsheet and set column headers
for improved readability.

To generate a repadmin /showrepl spreadsheet for all replication partners

1. Open a Command Prompt.

2. Type the following command, and then press ENTER:

repadmin /showrepl * /csv >showrepl.csv

3. Open Microsoft Excel.

4. On the File menu, click Open, navigate to showrepl.csv, and then click Open.

5. Hide or delete column A as well as the Transport Type column, as follows:

6. Select the column that you want to hide or delete.

 To hide the column, on the Format menu, click Column, and then click Hide.

Or

 To delete the column, right-click the selected column, and then click Delete.

7. Select row 1 beneath the column heading row, and then, on the Window menu,
click Freeze Panes.

8. Select the entire spreadsheet. On the Data menu, click Filter, and then click
AutoFilter.

9. In the Last Success Time column, click the down arrow, and then click Sort
Ascending.

10. In the Source DC column, click the down arrow, and then click Custom.

11. In the Custom AutoFilter dialog box, under Show rows where, click does not
contain. In the adjacent text box, type del to eliminate from view the results for
deleted domain controllers.

12. Repeat step 10 for the Last Failure Time column, but use the value does not
equal, and type the value 0.

13. Resolve replication failures.

The last successful attempt should agree with the replication schedule for intersite
replication, or the attempt should be within the last hour for intrasite replication.

If Repadmin reports any of the following conditions, see Troubleshooting Active Directory
Replication Problems:

 The last successful intersite replication was prior to the last scheduled replication.

 The last intrasite replication was longer than one hour ago.

 Replication was never successful.
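The filtering and sorting steps above can be carried out programmatically on the showrepl.csv export. The following is an added example (not from the guide or from Repadmin) that parses a constructed CSV in the column layout listed above, drops deleted domain controllers, and flags the three conditions the guide says warrant troubleshooting plus any row whose Last Failure Time is not 0. It assumes timestamps of the form YYYY-MM-DD HH:MM:SS and takes the last scheduled intersite replication start as an argument, since that comes from the site link schedule.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the column layout the guide lists; not real repadmin output.
# Deleted DCs appear in Source DC with a "\0ADEL:" suffix (placeholder GUID here).
SAMPLE_CSV = "\n".join([
    "Showrepl_COLUMNS,Destination DC Site,Destination DC,Naming Context,Source DC Site,"
    "Source DC,Transport Type,Number of Failures,Last Failure Time,Last Success Time,"
    "Last Failure Status",
    'showrepl_INFO,Hub,DC01,"DC=contoso,DC=com",Hub,DC02,RPC,0,0,2006-07-10 09:55:00,0',
    'showrepl_INFO,Hub,DC01,"DC=contoso,DC=com",Branch,DC03,RPC,0,0,2006-07-10 02:30:00,0',
    'showrepl_INFO,Hub,DC01,"CN=Configuration,DC=contoso,DC=com",Hub,DC04,RPC,3,'
    "2006-07-10 09:40:00,2006-07-09 20:00:00,1722",
    'showrepl_INFO,Hub,DC01,"DC=contoso,DC=com",Branch,DC05,RPC,0,0,[Never],0',
    'showrepl_INFO,Hub,DC01,"DC=contoso,DC=com",Hub,DC06\\0ADEL:placeholder-guid,'
    "RPC,0,0,[Never],0",
])

TIME_FMT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp format of the CSV export


def parse_time(value):
    """Datetime for a timestamp field, or None for the '[Never]' / '0' placeholders."""
    if value in ("[Never]", "0", ""):
        return None
    return datetime.strptime(value, TIME_FMT)


def is_deleted_dc(source_dc):
    """Step 11 of the guide hides Source DC values that contain 'del' (deleted DCs)."""
    return "del" in source_dc.lower()


def triage_showrepl(csv_text, now, last_scheduled_intersite,
                    intrasite_max_age=timedelta(hours=1)):
    """Apply the guide's checks to each inbound connection and return the findings,
    ordered by Last Success Time ascending (never-successful rows first)."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if not is_deleted_dc(r["Source DC"])]
    rows.sort(key=lambda r: parse_time(r["Last Success Time"]) or datetime.min)
    findings = []
    for row in rows:
        key = {"destination_dc": row["Destination DC"], "source_dc": row["Source DC"],
               "naming_context": row["Naming Context"]}
        last_success = parse_time(row["Last Success Time"])
        intrasite = row["Source DC Site"] == row["Destination DC Site"]
        if last_success is None:
            findings.append(dict(key, problem="never successful"))
        elif intrasite and now - last_success > intrasite_max_age:
            findings.append(dict(key, problem="intrasite: last success more than one hour ago"))
        elif not intrasite and last_success < last_scheduled_intersite:
            findings.append(dict(key, problem="intersite: last success before the last "
                                              "scheduled replication"))
        # Step 12: rows whose Last Failure Time is not 0 carry a failure to resolve.
        if parse_time(row["Last Failure Time"]) is not None:
            findings.append(dict(key, problem="last failure status %s after %s failures"
                                 % (row["Last Failure Status"], row["Number of Failures"])))
    return findings


if __name__ == "__main__":
    # Constructed reference points: the time of the check and the start of the
    # last intersite replication window taken from the site link schedule.
    checked_at = datetime(2006, 7, 10, 10, 0, 0)
    last_window = datetime(2006, 7, 10, 6, 0, 0)
    for finding in triage_showrepl(SAMPLE_CSV, checked_at, last_window):
        print("%(destination_dc)s <- %(source_dc)s [%(naming_context)s]: %(problem)s"
              % finding)
```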

See Also
Troubleshooting Active Directory Replication Problems

Reconnecting a Domain Controller After a Long-Term Disconnection
Assuming that a domain controller has not been disconnected for longer than the
maximum safe period for disconnection (tombstone lifetime minus end-to-end replication
latency), reconnecting the domain controller to the replication topology requires no
special procedures. By default, the Knowledge Consistency Checker (KCC) on a domain
controller runs five minutes after the domain controller starts, automatically incorporating
the reconnected domain controller into the replication topology.

Reconnecting an Outdated Domain Controller


If you plan appropriately for disconnecting and reconnecting domain controllers, no
domain controller will be disconnected from the replication topology for longer than a
tombstone lifetime. However, if unexpected events result in a domain controller becoming
outdated, reconnect the domain controller as follows:

 The disconnected domain controller is running Windows Server 2003, and an
authoritative domain controller running Windows Server 2003 is available in this site
or a neighboring site: Reconnect the domain controller, and immediately follow the
instructions in Use Repadmin to remove lingering objects.

 The disconnected domain controller is running Windows Server 2003, but no other
authoritative domain controller running Windows Server 2003 is available in the
domain: Reconnect the domain controller, and follow the instructions in article
314282, "Lingering objects may remain after you bring an out-of-date global catalog
server back online," in the Microsoft Knowledge Base on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=37924).

 The disconnected domain controller is running Windows 2000 Server, and another
domain controller is available in the domain: Do not reconnect the domain controller.
Instead, force Active Directory removal on the disconnected domain controller,
perform metadata cleanup, and then reinstall Active Directory. To complete these
tasks, follow the instructions in Forcing the Removal of a Domain Controller and
Installing a Domain Controller in an Existing Domain.

 The disconnected domain controller is running Windows 2000 Server, and no other
domain controller is available in the domain: If you want to recover the domain,
reconnect the domain controller, and follow the instructions in article 314282,
"Lingering objects may remain after you bring an out-of-date global catalog server
back online," in the Microsoft Knowledge Base on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=37924).

Updating SYSVOL
As described in Preparing an Existing Domain Controller for Shipping and Long-Term
Disconnection, the recommended practice to ensure consistency of SYSVOL is to modify
the registry before disconnecting the domain controller so that SYSVOL is updated
automatically when the domain controller is restarted. In addition, if you want to avoid a
full synchronization of SYSVOL through intersite replication, you must take preparatory
steps before disconnection. For information about how to ensure that SYSVOL is sourced
locally and updated over the network only for changes, see "Seeding the SYSVOL tree
from restored files during IFM promotion" in article 311078, "How to use the Install from
Media feature to promote Windows Server 2003-based domain controllers," in the
Microsoft Knowledge Base on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=37924). To update SYSVOL as soon as possible after reconnecting a domain
controller, plan the time that you restart the domain controller to optimize the replication
schedule, as follows:

 If the closest replication partner for the domain is in a different site, view site link
properties to determine the replication schedule, and then restart the domain
controller as soon as possible after replication is scheduled to start.

 If a replication partner for the domain is available within the site, verify replication
success on that partner before restarting the domain controller.

Important
Do not use file copy utilities, such as Xcopy or Robocopy, to update an outdated
SYSVOL. Copying SYSVOL files is recommended only for recreating a
nonfunctioning SYSVOL, which requires several preliminary procedures. Copying
SYSVOL files from one domain controller to another without following these
procedures causes invalid data to be replicated and causes the system volumes
on other domain controllers to become inconsistent. For information about how to
recreate a nonfunctioning SYSVOL, see Restoring and Rebuilding SYSVOL.

To complete this task, perform the following procedures:

1. Determine the tombstone lifetime for the forest.

2. Determine whether the maximum safe disconnection time has been exceeded. The
maximum safe disconnection time should have been established at the time of
disconnection, as follows:
Subtract a generous estimate of the amount of time for end-to-end replication latency
from the tombstone lifetime. Either find the latency estimate in the design
documentation for your deployment or request the information from a member of your
design or deployment team.

3. If the maximum safe disconnection time has not been exceeded, proceed with the
reconnection process as follows:

• If the site in which you are reconnecting the domain controller has one or more
other domain controllers that are authoritative for the domain, start the domain
controller anytime.

• If the site in which you are reconnecting the domain controller has no other
domain controllers that are authoritative for the domain, proceed as follows:

Determine when intersite replication is scheduled to begin by viewing the
replication properties on the site link that connects this site to the next closest
site that includes a domain controller that is authoritative for this domain.

As soon as possible after the next replication cycle begins, start the domain
controller.

If the maximum safe disconnection time has been exceeded, proceed in the
appropriate manner according to the operating system, as described in
"Reconnecting an Outdated Domain Controller" earlier in this topic.

4. After replication is complete, Verify successful replication to a domain controller (the
reconnected domain controller) of the domain, configuration, and schema directory
partitions. If the domain controller is a global catalog server, check for successful
replication of all domain directory partitions.

See Also
Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection

Determine when intersite replication is scheduled to begin
You can use the properties on the site link object to determine when intersite replication
between sites is scheduled to begin.

Administrative Credentials

To complete this procedure, you must be a member of the Domain Users group.

To determine when intersite replication is scheduled to begin


1. Open Active Directory Sites and Services.

2. In the console tree, double-click the Sites container, double-click the Inter-Site
Transports container, and then click the IP container.

3. In the details pane, right-click the site link object for which you want to view the
schedule, and then click Properties.

4. In the SiteLinkName Properties dialog box, click Change Schedule. Note the
block of days and hours during which replication is allowed (Replication
Available), and then click OK.

5. In the Replicate every _____ minutes box, note the number of minutes for the
intervals at which replication polling takes place during an open schedule
window, and then click OK.

Use Repadmin to remove lingering objects
You can use Repadmin to remove lingering objects when you reconnect a domain
controller that has been offline for longer than a tombstone lifetime and you want to
ensure that lingering objects do not exist or, if they do, that they are removed before they
are replicated. You can also use this procedure when event ID 1388 or event ID 1988 is
logged on a domain controller. In this case, the information that you need to perform the
procedure is provided in the event. For information about removing lingering objects
when event ID 1388 or event ID 1988 has been logged, see "Fixing Replication Lingering
Object Problems (Event IDs 1388, 1988, 2042)."

If you are running the procedure preemptively, you must gather the following information
before beginning the procedure:

• Name of the server that has or might have lingering objects. This name can be the
Domain Name System (DNS) name, NetBIOS name, or distinguished name of the
domain controller.

• Globally unique identifier (GUID) of the NTDS Settings object of a domain controller
that is authoritative for the domain of the domain controller from which you want to
remove lingering objects.

If necessary, use the following procedure to determine the GUID of a domain controller.

Administrative Credentials

To complete this procedure, you must be a member of the Domain Users group in the
domain of the domain controller.

To determine the GUID of a domain controller


1. At a command prompt, type the following command, and then press ENTER:

repadmin /showrepl DomainControllerName

where DomainControllerName is the NetBIOS name of the domain controller
whose GUID you want to determine.

2. In the top portion of the output, note the value in DC object GUID:

If the destination domain controller and source domain controller are both running
Windows Server 2003, you can remove lingering objects by using Repadmin. If either
domain controller is running Windows 2000 Server, follow instructions in article 314282,
"Lingering objects may remain after you bring an out-of-date global catalog server back
online," in the Microsoft Knowledge Base on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=37924).

Administrative Credentials

To complete this procedure, you must be a member of the Domain Admins group in the
DirectoryPartition domain.
To use Repadmin to remove lingering objects

1. At a command prompt, type the following command, and then press ENTER:

repadmin /removelingeringobjects ServerName ServerGUID DirectoryPartition /advisory_mode

Term Definition

ServerName: The DNS name or the distinguished name of the domain controller
that has or might have lingering objects.

ServerGUID: The GUID of a domain controller that has an up-to-date writable
replica of the directory partition.

DirectoryPartition: The distinguished name of the domain directory partition that might
have lingering objects. For example,
DC=RegionalDomainName,DC=ForestRootDomainName,DC=com.
Also run the command against the configuration directory partition
(CN=configuration,DC=ForestRootDomainName,DC=com), the
schema directory partition
(CN=schema,CN=configuration,DC=ForestRootDomainName), and
any application directory partitions that are hosted on the domain
controller you are checking for lingering objects.

/advisory_mode: Logs the lingering objects that will be removed so that you can review
them, but it does not remove them.

2. If lingering objects are found, repeat step 1 without /advisory_mode to delete the
identified lingering objects from the directory partition.

3. Repeat steps 1 and 2 for every domain controller that might have lingering objects.

Note
The ServerName parameter uses the DC_LIST syntax for repadmin, which
allows the use of * for all domain controllers in the forest and gc: for all global
catalog servers in the forest. To see the DC_LIST syntax, type
repadmin /listhelp.

See Also
Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)
Verify successful replication to a domain controller

You can use the repadmin /showrepl command to verify successful replication to a
specific domain controller. If you are not running Repadmin on the domain controller
whose replication you are checking, you can specify a destination domain controller in
the command. Repadmin lists INBOUND NEIGHBORS for the current or specified
domain controller. INBOUND NEIGHBORS shows the distinguished name of each
directory partition for which inbound directory replication has been attempted, the site and
name of the source domain controller, and whether replication succeeded or not, as
follows:
• Last attempt @ YYYY-MM-DD HH:MM.SS was successful.

• Last attempt @ [Never] was successful.

If @ [Never] appears in the output for a directory partition, replication of that directory
partition has never succeeded from the identified source replication partner over the
listed connection.

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group in the
domain of the destination domain controller.

To verify successful replication to a domain controller


1. Open a Command Prompt.

2. Type the following command, and then press ENTER:

repadmin /showrepl servername /u:domainname\username /pw:*

Term Definition

servername: Specifies the name of the destination domain controller.

domainname: Specifies the single-label name of the domain of the destination domain
controller. (You do not have to use a fully qualified Domain Name System (DNS) name.)

username: Specifies the name of an administrative account in that domain.

3. When you are prompted for a password, type the password for the user account
that you provided, and then press ENTER.

You can also use Repadmin to generate the details of replication to and from all
replication partners in a spreadsheet. The spreadsheet displays data in the following
columns:

Showrepl_COLUMNS

Destination DC Site

Destination DC

Naming Context

Source DC Site

Source DC

Transport Type

Number of Failures

Last Failure Time

Last Success Time

Last Failure Status

The following procedure shows how to create this spreadsheet and set column headers
for improved readability.

To generate a repadmin /showrepl spreadsheet for all replication partners


1. Open a Command Prompt.

2. Type the following command, and then press ENTER:

repadmin /showrepl * /csv >showrepl.csv

3. Open Microsoft Excel.

4. On the File menu, click Open, navigate to showrepl.csv, and then click Open.

5. Hide or delete column A as well as the Transport Type column, as follows:

6. Select a column that you want to hide or delete.

• To hide the column, on the Format menu, click Column, and then click Hide.

Or

• To delete the column, right-click the selected column, and then click Delete.

7. Select row 1 beneath the column heading row, and then, on the Window menu,
click Freeze Panes.

8. Select the entire spreadsheet. On the Data menu, click Filter, and then click
AutoFilter.

9. In the Last Success Time column, click the down arrow, and then click Sort
Ascending.

10. In the Source DC column, click the down arrow, and then click Custom.

11. In the Custom AutoFilter dialog box, under Show rows where, click does not
contain. In the adjacent text box, type del to eliminate from view the results for
deleted domain controllers.

12. Repeat step 10 for the Last Failure Time column, but use the value does not
equal, and type the value 0.

13. Resolve replication failures.

The last successful attempt should agree with the replication schedule for intersite
replication, or the attempt should be within the last hour for intrasite replication.

If Repadmin reports any of the following conditions, see Troubleshooting Active Directory
Replication Problems:

• The last successful intersite replication was prior to the last scheduled replication.

• The last intrasite replication was longer than one hour ago.

• Replication was never successful.
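The three conditions above can be checked mechanically against the showrepl.csv export described earlier, instead of sorting and filtering the spreadsheet by hand. The following Python script is an added example and is not part of this guide or of Repadmin. It reads the CSV export, skips deleted domain controllers the way the AutoFilter step does, treats an intrasite partner as stale after one hour and an intersite partner as stale after the site link's replication interval (the 180-minute default is assumed; pass the "Replicate every" value from your site link schedule), and reports partners that have never replicated successfully or are failing since their last success. The embedded CSV is a constructed sample that follows the column headers listed above, not real Repadmin output, and the reading of 0 in a time column as "never" is an assumption matching the filter on Last Failure Time.

```python
"""Report stale, failing or never-successful inbound replication from a
'repadmin /showrepl * /csv' export (added example; not Microsoft's code)."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export in the column layout listed above (not real output).
# Naming contexts are quoted because they contain commas; 0 in a time column
# is taken to mean "never", as in the AutoFilter step on Last Failure Time.
SAMPLE_CSV = r'''showrepl_COLUMNS,Destination DC Site,Destination DC,Naming Context,Source DC Site,Source DC,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Seattle,SEA-DC-01,"DC=corp,DC=contoso,DC=com",Seattle,SEA-DC-02,RPC,0,0,2005-06-01 09:50:00,0
showrepl_INFO,Seattle,SEA-DC-01,"DC=corp,DC=contoso,DC=com",Denver,DEN-DC-01,RPC,0,0,2005-06-01 06:10:00,0
showrepl_INFO,Seattle,SEA-DC-01,"CN=Configuration,DC=contoso,DC=com",Denver,DEN-DC-01,RPC,3,2005-06-01 09:30:00,2005-05-31 22:00:00,8524
showrepl_INFO,Seattle,SEA-DC-01,"CN=Schema,CN=Configuration,DC=contoso,DC=com",Seattle,SEA-DC-03,RPC,0,0,0,0
showrepl_INFO,Seattle,SEA-DC-01,"DC=corp,DC=contoso,DC=com",Seattle,SEA-DC-09\0ADEL:placeholder-guid,RPC,2,2005-06-01 09:00:00,0,1722
'''

NEVER = {"", "0", "[Never]"}
INTRASITE_LIMIT = timedelta(hours=1)   # "within the last hour for intrasite replication"


def parse_time(value):
    """Time columns hold YYYY-MM-DD HH:MM:SS, or 0 when there is no such time."""
    value = value.strip()
    if value in NEVER:
        return None
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def check_showrepl(csv_text, now, intersite_interval_minutes=180):
    """Return a list of findings (dicts: source, naming_context, problem, detail).

    intersite_interval_minutes is the 'Replicate every' value on the site link;
    180 is the site link default and is an assumption of this example.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        source = row["Source DC"]
        if "del" in source.lower():   # deleted DCs, dropped as in the AutoFilter step
            continue
        nc = row["Naming Context"]
        last_ok = parse_time(row["Last Success Time"])
        last_fail = parse_time(row["Last Failure Time"])
        failures = int(row["Number of Failures"] or 0)
        if last_ok is None:
            findings.append(dict(source=source, naming_context=nc, problem="never",
                                 detail="replication from this partner has never succeeded"))
            continue
        intrasite = row["Source DC Site"] == row["Destination DC Site"]
        limit = INTRASITE_LIMIT if intrasite else timedelta(minutes=intersite_interval_minutes)
        age = now - last_ok
        if age > limit:
            findings.append(dict(source=source, naming_context=nc, problem="stale",
                                 detail=f"last success {age} ago exceeds the "
                                        f"{'intrasite' if intrasite else 'intersite'} limit of {limit}"))
        if failures and last_fail is not None and last_fail > last_ok:
            findings.append(dict(source=source, naming_context=nc, problem="failing",
                                 detail=f"{failures} failures since the last success, "
                                        f"last status {row['Last Failure Status']}"))
    return findings


def summarize(findings):
    """Problem codes per source DC, e.g. {'DEN-DC-01': ['failing', 'stale', 'stale']}."""
    out = {}
    for f in findings:
        out.setdefault(f["source"], []).append(f["problem"])
    return {dc: sorted(codes) for dc, codes in out.items()}


def check_sample():
    """Run the check over the constructed sample at a fixed 'now' and summarize it."""
    return summarize(check_showrepl(SAMPLE_CSV, now=datetime(2005, 6, 1, 10, 30)))


if __name__ == "__main__":
    # For a real export: repadmin /showrepl * /csv >showrepl.csv, then pass the file name.
    import sys
    if len(sys.argv) > 1:
        text, now = open(sys.argv[1]).read(), datetime.now()
    else:
        text, now = SAMPLE_CSV, datetime(2005, 6, 1, 10, 30)
    for f in check_showrepl(text, now):
        print(f"{f['source']:<12} {f['problem']:<8} {f['naming_context']}: {f['detail']}")
```

Any source that appears with "never" or "stale" corresponds to the conditions listed above and points to the Troubleshooting Active Directory Replication Problems section; "failing" adds the Last Failure Status value, which is the Win32 error code Repadmin recorded for the most recent attempt.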

See Also
Troubleshooting Active Directory Replication Problems
Performing an Unattended Installation of Active Directory
Running an unattended install simplifies the process of setting up Active Directory on
multiple computers. The unattended install feature uses an “answer file” to provide
answers to the questions that are asked during a normal setup. This way, the installation
process can proceed from start to completion without user intervention. This method
works best when Active Directory is installed with identical options on many computers.
This method is required if you want to include application directory partitions in
Active Directory installations from restored backup media.
Task requirements

The following tool is required to complete this task:

• Dcpromo.exe

The following files are required to complete this task:

• Ref.chm (in the Support\Tools folder on the Windows Server 2003 operating system
CD)

• Unattend.txt

• Domain controller answer file

To complete this task, perform the following procedures:

1. Create an answer file for domain controller installation

2. Install Active Directory using an answer file

See Also
Include application directory partitions in an Active Directory installation from backup
media
Create an answer file for domain controller installation
Use this procedure to create a text file that you can use as the answer file for an
unattended installation of a domain controller. The answer file contains sensitive
information and should be kept in a secure location.

Administrative credentials

To perform this procedure, you must be a member of the Authenticated Users group on
the local computer on which you create the answer file.

To create an answer file for domain controller installation


1. On a local computer, insert the Windows Server 2003 CD-ROM into the CD-ROM
drive or DVD-ROM drive. Press and hold down the SHIFT key as you insert the
CD to prevent it from starting automatically.

2. Start Windows Explorer, and then open the Support\Tools folder on the
Windows Server 2003 CD-ROM.

3. In the console tree, click Tools, and then, in the details pane, double-click
Deploy.cab.

4. In the details pane, right-click Ref.chm, and then click Extract.

5. In the Select a Destination dialog box, navigate to or create a new folder for the
expanded Ref.chm file, and then click Extract.

6. In its extracted location, open Ref.chm.

7. On the Contents tab in the scope pane, double-click Unattend.txt, and then
click [DCInstall].

8. In the details pane, scroll to Sample, select the entire sample, beginning at
[DCInstall], and then copy the sample.

9. Open Notepad, paste the sample into the Notepad file, and save the text file.

10. Edit the text file to contain at least the following entries (additional entries and
their descriptions are available in Ref.chm):

[DCINSTALL]

UserName=SAM account name that has Domain Admins credentials in the
target domain. This account must be used by the administrator who runs the
Dcpromo command.

Password=Password for the account name. If you leave this blank, Dcpromo
prompts the user during installation. Dcpromo deletes this value following
installation.

UserDomain=Domain name for the user account in UserName.

DatabasePath=Location of the Ntds.dit file. (The default is %systemroot%\ntds.)
If you omit this entry, Dcpromo uses the default location.

LogPath=Location of the database log files. (The default is %systemroot%\ntds.)
If you omit this entry, Dcpromo uses the default location.

SYSVOLPath=Location of the shared SYSVOL tree. (The default is
%systemroot%\ntds.) If you omit this entry, Dcpromo uses the default location.

SafeModeAdminPassword=Password for the administrator account that must
be used to start the domain controller in Directory Services Restore Mode. If you
leave this blank, Dcpromo prompts the user for the password during installation.
Dcpromo deletes this value following installation. Passwords are removed from
the answer file when Dcpromo is executed.

CriticalReplicationOnly=Yes or no, to specify whether to skip noncritical
portions of replication and allow Dcpromo to complete before replication is
complete.

SiteName=The name of the Active Directory site in which this domain controller
will be placed. This site must be created in advance in the Active Directory Sites
and Services snap-in.

ReplicaOrNewDomain=Specify either Replica for an additional domain
controller in an existing domain or NewDomain for the first domain controller in a
new domain.

ReplicaDomainDNSName=The fully qualified domain name of the domain of the
new domain controller.

ReplicationSourceDC=The name of an existing domain controller in the domain
to use as the source replication partner during installation. When you install
Active Directory from restored backup media, you can use this entry in
conjunction with ReplicateFromMedia if you want to specify the domain
controller from which Active Directory changes and SYSVOL changes are
replicated.

ReplicateFromMedia=Yes for installation from media, no for installation by
replication.

ReplicationSourcePath=When the installation is by replication, the path to the
installation CD or network share. When the installation is from restored backup
media, the local drive and path to the restored backup files.

RebootOnSuccess=Yes if you want the domain controller to restart
automatically following a successful installation, no if you want to restart the
domain controller manually. If you do not want the domain controller to restart
automatically and you do not want to be prompted, use the value
NoAndNoPromptEither.

ApplicationPartitionsToReplicate=Comma-separated distinguished names,
with the entire string enclosed in quotation marks, of application directory
partitions that you want to include when you use restored backup media to install
Active Directory (or * to include all application directory partitions). Using this
entry requires Windows Server 2003 with Service Pack 1 (SP1) and
Windows Server 2003 forest functional level. For more information about using
this entry, see Include application directory partitions in an Active Directory
installation from backup media.

11. Save the answer file to the location on the installation server from which it is to
be called by Dcpromo, or save the file to a network share or removable media for
distribution.
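Because the answer file drives an unattended promotion and may carry the Domain Admins and Directory Services Restore Mode passwords, it pays to check it for consistency before handing it to Dcpromo and to confirm afterwards that no password value remains. The following Python script is an added example and is not part of this guide or of Dcpromo. It reads the [DCInstall] section with the standard-library configparser, checks the entry combinations described in step 10 (Replica needs ReplicaDomainDNSName, ReplicateFromMedia=Yes needs ReplicationSourcePath, ApplicationPartitionsToReplicate only applies to installation from media, RebootOnSuccess takes one of three values), and lists password entries that still hold a value. The set of entries it treats as always required is an assumption of this example drawn from the list above, and both sample answer files are constructed with placeholder names.

```python
"""Consistency and leftover-secret checks for a [DCInstall] answer file
(added example; not Microsoft's code)."""
import configparser

# Entries this example insists on; taken from the list in step 10 (an assumption).
REQUIRED = ("username", "userdomain", "replicaornewdomain", "sitename")
SECRET_KEYS = ("password", "safemodeadminpassword")
VALID_REBOOT = {"yes", "no", "noandnoprompteither"}

# Constructed sample answer files with placeholder names, not from any real deployment.
GOOD_FILE = r"""[DCInstall]
UserName=adinstall
Password=
UserDomain=contoso
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=corp.contoso.com
SiteName=Seattle
SafeModeAdminPassword=
DatabasePath=D:\ntds
ReplicateFromMedia=Yes
ReplicationSourcePath=E:\restored-backup
ApplicationPartitionsToReplicate="DC=DomainDnsZones,DC=corp,DC=contoso,DC=com"
RebootOnSuccess=NoAndNoPromptEither
"""

BAD_FILE = r"""[DCINSTALL]
UserName=adinstall
Password=constructed-sample-value
UserDomain=contoso
ReplicaOrNewDomain=Replica
SiteName=Seattle
ApplicationPartitionsToReplicate=*
RebootOnSuccess=Maybe
"""


def load_dcinstall(text):
    """Return the [DCInstall] section as a dict keyed by lowercase entry name."""
    parser = configparser.ConfigParser(interpolation=None)   # keep %systemroot% literal
    parser.read_string(text)
    for section in parser.sections():
        if section.lower() == "dcinstall":    # the guide writes the header both ways
            return dict(parser[section])
    raise ValueError("no [DCInstall] section found")


def validate(text):
    """Return a list of problems; an empty list means the entries are consistent."""
    entries = load_dcinstall(text)
    problems = [f"{key} is missing or empty" for key in REQUIRED if not entries.get(key)]
    mode = entries.get("replicaornewdomain", "").lower()
    if mode not in ("replica", "newdomain"):
        problems.append("ReplicaOrNewDomain must be Replica or NewDomain")
    if mode == "replica" and not entries.get("replicadomaindnsname"):
        problems.append("Replica requires ReplicaDomainDNSName")
    from_media = entries.get("replicatefrommedia", "no").lower() == "yes"
    if from_media and not entries.get("replicationsourcepath"):
        problems.append("ReplicateFromMedia=Yes requires ReplicationSourcePath")
    if entries.get("applicationpartitionstoreplicate") and not from_media:
        problems.append("ApplicationPartitionsToReplicate applies only with ReplicateFromMedia=Yes")
    if entries.get("rebootonsuccess", "yes").lower() not in VALID_REBOOT:
        problems.append("RebootOnSuccess must be Yes, No or NoAndNoPromptEither")
    return problems


def stored_secrets(text):
    """Names of password entries that still carry a value.

    Before the installation, a value means the file must be protected in transit and
    at rest. After Dcpromo has run, a remaining value means this copy was not the one
    Dcpromo cleared, so it should be securely deleted rather than kept.
    """
    entries = load_dcinstall(text)
    return [key for key in SECRET_KEYS if entries.get(key)]


if __name__ == "__main__":
    for label, text in (("good", GOOD_FILE), ("bad", BAD_FILE)):
        print(label, "problems:", validate(text) or "none",
              "| stored passwords:", stored_secrets(text) or "none")
```

Run it against the real file with the file's contents in place of the samples; a blank Password or SafeModeAdminPassword is acceptable because Dcpromo prompts for the value, which is the safer option when the file is distributed on a network share or removable media.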

See Also
Include application directory partitions in an Active Directory installation from backup
media

Install Active Directory using an answer file
You can use this procedure to perform an unattended Active Directory installation by
using an answer file.

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group in the
domain of the domain controller that you are installing.

To install Active Directory using an answer file


1. Click Start, click Run, and then type dcpromo /answer:answerfile

where answerfile is the path to the answer file, including the filename.

2. Click OK.

See Also
Create an answer file for domain controller installation

Include application directory partitions in an Active Directory installation from backup
media

Verifying Active Directory Installation


There are several verification tasks that can be performed on a computer on which Active
Directory has been newly installed. Successfully completing the requirements of each
verification task will provide a strong indication of a healthy, operational domain controller.

Task Requirements

The following tools are recommended to perform the procedures for this task:

• Active Directory Sites and Services

• DNS Manager

• Event Viewer

• Netdiag.exe

• Dcdiag.exe

• Ntdsutil.exe

To complete this task, perform the following procedures:

1. Determine whether a Server object has child objects

2. Verify that an IP address maps to a subnet and determine the site association

You must ensure that the new domain controller is located in the proper site so that
after the installation is complete, the new domain controller can locate replication
partners and become part of the replication topology. If the site is not correct, you can
use the Active Directory Sites and Services snap-in to move the Server object for the
domain controller to the proper site after Active Directory installation is complete.
Note
The last dialog box displayed by the Active Directory Installation Wizard lists
the site where the new domain controller is installed. If this is not the proper
site, you must move the Server object after the server is restarted.

3. Move the Server object to the new site

4. Configure DNS server forwarders

5. Complete all procedures for the Verifying DNS configuration task.

6. Check the status of the shared SYSVOL

7. Verify DNS registration and functionality

8. Verify domain membership for a new domain controller

9. Verify communication with other domain controllers

10. Verify replication with other domain controllers

11. Verify the availability of the operations masters

Determine whether a Server object has child objects

After Active Directory is properly installed on a domain controller, the Server object for the
domain controller will have a Child NTDS-Settings object. Other applications that are
running on domain controllers can also publish Child objects.

Prior to deleting a Server object from the Servers container for a site, verify that the
Server object has no Child objects. If a Child object appears, do not delete the Server
object.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Users group.

To determine whether a server object has child objects


1. Open Active Directory Sites and Services.

2. Expand the Sites container and expand the site of the Server object.

3. Expand the Servers container, and then expand the Server object to view any
Child objects.
Verify that an IP address maps to a subnet and determine the site association

Use this procedure to determine the site to which you want to add a Server object prior to
installing Active Directory, or to verify the appropriate site prior to moving a Server object
to it.

To be associated with a site, the IP address of a domain controller must map to a Subnet
object that is defined in Active Directory. The site to which the subnet is associated is the
site of the domain controller.

The subnet address, which is computed from the IP network address and the subnet
mask, is the name of a Subnet object in Active Directory. When you know the subnet
address, you can locate the Subnet object and determine the site to which the subnet is
associated.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Users group.

To verify that an IP address maps to a subnet and determine the site association

1. Log on locally or open a Terminal Services connection to the server for which you
want to check the IP address.

2. On the desktop, right-click My Network Places, and then click Properties.

3. In the Network Connections dialog box, right-click Local Area Connection,
and then click Properties.

4. Double-click Internet Protocol (TCP/IP).

5. Use the values in IP address and Subnet mask to calculate the subnet address
and then click OK.

6. Click OK again and close the Network Connections dialog box.

7. Open Active Directory Sites and Services.

8. Expand the Sites container, and then click the Subnets container.
9. In the Name column in the details pane, find the Subnet object that matches the
subnet address.

10. In the Site column, note the site to which the IP subnet address is associated.

If the site that appears in the Site box is not the appropriate site, contact a
supervisor and find out whether the IP address is incorrect or whether to move
the Server object to the site indicated by the subnet.
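The lookup in steps 5 through 10 can be scripted when you have many servers to check. The following Python example is added here and is not part of this guide or of the Active Directory Sites and Services snap-in. It computes the subnet address from the IP address and subnet mask shown in the TCP/IP properties, in the network/prefix form that names a Subnet object, and then finds the Subnet object that covers the address. It goes one step beyond the exact-name match in step 9: when Subnet objects are nested, it chooses the most specific one that contains the address, which is assumed here to be the rule that applies when subnets overlap. The contents of the Subnets container are a constructed sample.

```python
"""Map a domain controller's IP address to its Subnet object and site
(added example; not Microsoft's code)."""
import ipaddress

# Constructed sample of the Subnets container: Subnet object name -> associated site.
# Nested subnets are included on purpose to show the most-specific-match rule.
SUBNET_OBJECTS = {
    "10.0.0.0/8": "Default-First-Site-Name",
    "10.1.0.0/16": "Seattle",
    "10.1.20.0/24": "Seattle-Server-Room",
    "192.168.5.0/24": "Denver",
}


def subnet_address(ip, mask):
    """Subnet address in network/prefix form (the Subnet object name), computed
    from the IP address and subnet mask as step 5 asks; host bits are cleared."""
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))


def site_for_address(ip, subnets=SUBNET_OBJECTS):
    """Return (subnet_name, site) for the most specific Subnet object containing ip,
    or None when no Subnet object covers the address (the DC would then be in no site)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, site in subnets.items():
        net = ipaddress.ip_network(name)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return None if best is None else (str(best[0]), best[1])


def verify_site(ip, mask, expected_site, subnets=SUBNET_OBJECTS):
    """Return (ok, subnet_name, site). ok is True only when the address maps to a
    Subnet object whose site is the one the domain controller is supposed to be in.
    When nothing matches, subnet_name is the computed address, i.e. the Subnet
    object that would have to be created."""
    match = site_for_address(ip, subnets)
    if match is None:
        return (False, subnet_address(ip, mask), None)
    name, site = match
    return (site == expected_site, name, site)


if __name__ == "__main__":
    checks = [("10.1.20.37", "255.255.255.0", "Seattle-Server-Room"),
              ("10.1.7.9", "255.255.0.0", "Seattle"),
              ("10.1.7.9", "255.255.0.0", "Denver"),
              ("172.16.1.1", "255.255.255.0", "Seattle")]
    for ip, mask, want in checks:
        ok, name, site = verify_site(ip, mask, want)
        print(f"{ip:<12} subnet {name:<16} site {site!s:<24} expected {want}: "
              f"{'OK' if ok else 'MISMATCH'}")
```

A mismatch is exactly the case the last paragraph above describes: either the IP address is wrong, or the Server object must be moved to the site the subnet indicates; a None site means no Subnet object covers the address at all, so the domain controller cannot be associated with any site until one is created.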

Move the Server object to the new site


Moving a Server object requires that the IP address of the domain controller maps to the
site to which you are moving the Server object. Before performing this procedure, verify
that the IP address maps to the target site.

Administrative Credentials

To perform this procedure, you must be a member of the Enterprise Admins group.

To move the server object to the new site


1. Open Active Directory Sites and Services.

2. Expand the Sites container and the site in which the server object resides.

3. Expand the Servers container to display the domain controllers that are currently
configured for that site.

4. Right-click the Server object you want to move, and then click Move.
5. In the Site Name box, click the destination site, and then click OK.

6. Expand the Site object to which you moved the server, and then expand the
Servers container.

7. Verify that an object for the server you moved exists.

8. Expand the Server object and verify that an NTDS Settings object exists.

Within an hour, the Net Logon service on the domain controller registers the new site
information in DNS. Wait an hour and then open Event Viewer and connect to the domain
controller whose Server object you moved. Review the directory service log for Net
Logon errors regarding registration of SRV resource records in DNS that have occurred
within the last hour. The absence of errors indicates that Net Logon has updated DNS
with site-specific SRV resource records. Net Logon event ID 5774 indicates that the
registration of DNS resource records has failed. If this error occurs, contact a supervisor
and pursue DNS troubleshooting.

Configure DNS server forwarders


Configure DNS server forwarders based on the forwarders method established on your
network.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group.

To configure DNS server forwarders


1. If your network uses root hints as the forwarders method, you do not need to
perform any additional options. Root hints are automatically configured during
installation. Do not continue to step 2.

2. If you need to configure forwarders, open the DNS snap-in and continue to step
3.

3. In the console tree, right-click ComputerName (where ComputerName is the
computer name of the domain controller), and then click Properties.

4. In the ComputerName Properties sheet (where ComputerName is the name of
the domain controller), on the Forwarders tab, select the Enable forwarders
check box.

5. In the IP address box, type IpAddress (where IpAddress is the IP address of the
DNS server or nearest replication partner from which the domain is delegated),
click Add, and then click OK.

Verifying DNS configuration


Part of verifying Active Directory installation is verifying that DNS was installed and
configured appropriately.

Task Requirements

The following tools are required to perform the procedures for this task:
• DNS snap-in

• My Network Places

To complete this task, perform the following procedures:

1. Create a delegation for a domain controller

If the parent DNS zone of any zone that is hosted by this DNS server contains a
delegation to this DNS server, use this procedure to update the IP address in all such
delegations.

If your forest root domain has a parent DNS domain, perform this procedure on a
DNS server in the parent domain. If you just added a new domain controller to a child
domain, perform this procedure on a DNS server in the DNS parent domain. By
following recommended practices, the parent domain is the forest root domain.

2. Configure the DNS client settings

3. Create a secondary zone

Create a delegation for a domain controller

Use this procedure to create a delegation for a new domain controller that is also a DNS
server in the parent DNS domain.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group.

To create a delegation for a domain controller


1. Open the DNS snap-in.

2. Navigate to ChildDomain (where ChildDomain is the name of the child domain) in
the console tree.

3. In the console tree, right-click ChildDomain, and then click Properties.

4. In the ChildDomain Properties sheet, on the Name Servers tab, click Add.

5. In the New Resource Record dialog box, in the Server fully qualified domain
name (FQDN) box, type ChildDC.ChildDomain.ParentDomain (where ChildDC is
the name of the new domain controller, ChildDomain is the name of the child
domain, and ParentDomain is the name of the parent domain).
6. In the New Resource Record dialog box, in the IP address box, type IPAddress
(where IPAddress is the IP address of the child domain controller), click Add, and
then click OK.

Create a secondary zone


Perform this procedure only on new domain controllers that are also DNS servers that
are located in the child domain, not the forest root domain.
Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group.

To create a secondary zone


1. Open the DNS snap-in.

2. In the console tree, right-click the new domain controller and click New Zone.

3. In the New Zone Wizard, click Next to continue.

4. On the Zone Type page, select Secondary zone and click Next.

5. Ensure that Forward lookup zone is selected. Click Next.

6. For Zone name, type _msdcs.forestrootdomain (where forestrootdomain is the
fully qualified domain name of the forest root domain), and click Next.

7. In the Master DNS Servers dialog box, enter the IP addresses of at least two
DNS servers in the forest root domain. Click Next.
8. Review the settings you defined, and click Finish to close the wizard.

Configure the DNS client settings


Configure the DNS client settings on the new domain controller.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group.
To configure the DNS client settings
1. On the desktop, right-click My Network Places and click Properties.

2. In the Network Connections dialog box, right-click the connection that
represents the connection this computer uses to attach to your network. The
default label is Local Area Connection, but this can be changed so it might not
be labeled the same on your computer. Click Properties.

3. In the Local Area Connection Properties dialog box, click once on Internet
Protocol (TCP/IP) to highlight it (be sure you do not clear the check box in front
of it), then click Properties.

4. In the Internet Protocol (TCP/IP) Properties dialog box, verify that Use the
following DNS server addresses: is selected.

5. If the new domain controller is located in the forest root domain, set the
Preferred DNS server IP address to that of another DNS server in the forest root
domain. Try to choose a server that is located near the new domain controller.
Set the Alternate DNS server address to the IP address of the new domain
controller (so that it is referencing itself).

If the new domain controller is located in a child domain, set the Preferred DNS
server IP address to the IP address of the new domain controller (so that it is
referencing itself). Set the Alternate DNS server address to that of another DNS
server in the same domain. Try to choose a server that is located near the new
domain controller.

6. Click OK to close the dialog box.

Check the status of the shared SYSVOL


This procedure involves checking Event Viewer to make sure that the File Replication
service is started properly and then ensuring that the SYSVOL and Net Logon shared
folders are created.

Note
You do not need to perform this procedure on every replication partner, but you
need to perform it enough times to be confident that the shared system volumes
on the replication partners are healthy.

Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To check the status of the shared SYSVOL


1. Open Event Viewer.

2. In the Event Viewer tree, click File Replication Service to display the FRS
events.

3. Look for an event 13516 with a date and time stamp that corresponds with the
recent restart. It can take 15 minutes or more to appear. An event 13508
indicates that FRS is in the process of starting the service. An event 13509
indicates that the service has started successfully. Event 13516 indicates that the
service is started, the folders are shared, and the domain controller is functional.

4. To verify the shared folder is created, open a command prompt and type net
share to display a list of the shared folders on this domain controller, including
Net Logon and SYSVOL.

5. At a command prompt, type dcdiag /test:netlogons and press ENTER.

6. Look for a message that states computername passed test NetLogons where
computername is the name of the domain controller. If you do not see the test
passed message, some problem will prevent replication from functioning. This
test verifies that the proper logon privileges are set to allow replication to occur. If
this test fails, verify the permissions set on the Net Logon and SYSVOL shared
folders.

Verify DNS registration and functionality


This procedure verifies that DNS is functioning so that other domain controllers can be
located.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To verify DNS registration and functionality


1. Open a Command Prompt.
2. Type the following command and then press ENTER:

netdiag /test:dns

Note
For a more detailed response from this command, add /v to the end of
the command.

If DNS is functioning, the last line of the response is DNS Test…..: Passed. The
verbose option lists specific information about what was tested. This information
can help with troubleshooting if the test fails.

If the test fails, do not attempt any additional steps until you determine and fix the
problem that prevents proper DNS functionality.

Verify communication with other domain controllers

This procedure verifies that domain controllers can be located.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Users group in Active
Directory.

To verify communication with other domain controllers


1. Open a Command Prompt.
2. Type the following command and then press ENTER:

netdiag /test:dsgetdc

Note
For a more detailed response from this command, add /v to the end of
the command.

If domain controllers are successfully located, the last line of the response is DC
discovery test……..: Passed. The verbose option lists the specific domain
controllers that are located.

If the test fails, do not attempt any additional steps until you determine and fix the
problem that prevents communication with other domain controllers.

Verify replication with other domain controllers


The tests performed in this procedure verify that different aspects of the replication
topology are working properly. They check that objects are replicating, and they
verify that the proper logon permissions are set to allow replication to occur.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To verify replication is functioning


1. Open a Command Prompt.

2. Type the following command, and then press Enter:

dcdiag /test:replications

Note
For this set of tests, the /v option is available. However, it does not
display any significant additional information. Messages indicate that the
connectivity and replications tests passed.

3. To verify that the proper permissions are set for replication, type the following
command and then press Enter:

dcdiag /test:netlogons

Messages indicate that the connectivity and netlogons tests passed.


Verify the availability of the operations masters


This procedure verifies that the operations masters can be located and that they are
online and responding.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Users group in Active
Directory.

Note
You can use these tests prior to installing Active Directory as well as afterward.
To perform the test prior to installing Active Directory, you must use the /s option
to indicate the name of a domain controller to use. You do not need the /s option
to perform the test after installing Active Directory. The test automatically runs on
the local domain controller where you are performing the test. The commands
listed in this procedure show the /s option. If you are performing this test after
installing Active Directory, omit the /s option. For a more detailed response from
this command, you can use the verbose option by adding /v to the end of the
command to see the detailed response.

To verify the availability of the operations masters


1. Open a Command Prompt.

2. Type the following command to ensure that the operations masters can be
located and then press ENTER:

dcdiag /s:domaincontroller /test:knowsofroleholders /verbose


where domaincontroller is the name of a domain controller in the domain in which
you want to add the new domain controller. The verbose option provides a
detailed list of the operations masters that were tested. Near the bottom of the
screen, a message confirms that the test succeeded. If you use the verbose
option, look carefully at the bottom part of the displayed output. The test
confirmation message appears immediately after the list of operations masters.
Press ENTER.

3. Type the following command to ensure that the operations masters are
functioning properly and are available on the network:

dcdiag /s:domaincontroller /test:fsmocheck


where domaincontroller is the name of a domain controller in the domain in which
you want to add the new domain controller. The verbose option provides a
detailed list of the operations masters that were tested. Near the bottom of your
screen, a message confirms that the test succeeded. Press ENTER.

If these tests fail, do not attempt any additional steps until you determine and fix
the problem that prevents locating operations masters and verifying that they are
functioning properly.

Verify domain membership for a new domain controller


This test verifies that a new domain controller has successfully become a member of the
domain.

Note
You can get a more detailed response from this command by using the verbose
option. Add /v to the end of the command listed to see the detailed response.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Users group.

To verify domain membership for a new domain controller


1. Open a Command Prompt.
2. Type the following command and then press ENTER:

netdiag /test:member

3. If the test was successful, you should see the following message: Domain
membership test Passed. If you use the /v option, the output lists the name of the
domain controller, its role, the name of the domain, and a number of other
statistics about the new domain controller.

Renaming a Domain Controller
The ability to rename domain controllers running Windows Server 2003 (unlike
Windows 2000 Server) provides you with the flexibility to:

 Restructure your network for organizational and business needs.

 Make management and administrative control easier.

Renaming a domain controller is a common operation in many organizations and usually
occurs when:

 New hardware is purchased to replace an existing domain controller.


 Domain controllers are decommissioned, or promoted, and renamed to maintain a
naming convention.

 Domain controllers are moved or placed in sites.

Note
It is important to note that domain controller names have a primary impact on
administration, rather than client access. Renaming a domain controller is an
optional exercise, and the impacts should be well understood prior to renaming.

Although you can use the System Properties user interface (UI) to rename a domain
controller (as you can for any computer), Active Directory and DNS replication latency
might temporarily prevent clients from locating or authenticating to the renamed domain
controller, or both. To avoid this delay, use the Netdom command-line tool to rename a
domain controller.

Task requirements

The following tools are required to perform the procedures for this task:

 System Properties or Netdom.exe

 Ldp.exe or Adsiedit.msc

If you want to use Netdom, the domain functional level must be set to
Windows Server 2003.

To complete this task, use one of the following two sets of procedures:

1. Rename a domain controller using System Properties

2. Update the FRS member object

Or

1. Rename a domain controller using Netdom


2. Update the FRS member object

Rename a domain controller using System Properties


You can use this procedure to rename a domain controller by using the System
Properties user interface (UI).

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group.

To rename a domain controller using System Properties


1. Click Start, and then click Control Panel.

2. In Control Panel, double-click System Properties.

3. On the Computer Name tab, click Change.

4. Click OK to acknowledge that renaming the domain controller may cause it to
become temporarily unavailable to users and computers. (See note below.)

5. Under Computer Name, type the new name.

6. Click OK to close the System Properties dialog box.

7. If you are prompted, provide the user name and password for an account with
Domain Admin or Enterprise Admin credentials.

Note
Renaming a domain controller in this way may result in Active Directory
replication latency, making it more difficult for clients to locate or
authenticate the domain controller under its new name.

See Also
Rename a domain controller using Netdom

Rename a domain controller using Netdom


You can use this procedure to rename a domain controller by using the Netdom
command-line tool.

The netdom command updates the service principal name (SPN) attributes in
Active Directory for the computer account and registers Domain Name System (DNS)
resource records for the new computer name. The SPN value of the computer account
must be replicated to all domain controllers in the domain, and the DNS resource records
for the new computer name must be distributed to all the authoritative DNS servers for
the domain name. If the updates and registrations have not occurred prior to removal of
the old computer name, some clients might be unable to locate this computer using the
new name or the old name.

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group.

To rename a domain controller using Netdom


1. Open a Command Prompt.

2. Type the following command to add the new domain controller name, and then
press ENTER:

netdom computername CurrentComputerName /add:NewComputerName

3. Type the following command to designate the new name as the primary
computer name, and then press ENTER:

netdom computername CurrentComputerName /makeprimary:NewComputerName

Term                  Definition

CurrentComputerName   The current, or primary, computer name or Internet Protocol
                      (IP) address of the computer that you are renaming.

NewComputerName       The new name for the computer. The NewComputerName must be a
                      fully qualified domain name (FQDN). The primary DNS suffix that
                      is specified in the FQDN for NewComputerName must be the same
                      as the primary DNS suffix of CurrentComputerName, or it must
                      match the DNS name of the Active Directory domain that is
                      hosted by this domain controller, or it must be contained in
                      the list of allowed DNS suffixes that is specified in the
                      msDS-AllowedDNSSuffixes attribute of the domainDns object.

4. Restart the computer.

5. After the computer restarts, open a Command Prompt.

6. Type the following command to remove the old domain controller name, and then
press ENTER:

netdom computername NewComputerName /remove:OldComputerName

Term                  Definition

NewComputerName       The new FQDN that you added for the computer in step 2.

OldComputerName       The old FQDN of the renamed computer.
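
The DNS-suffix rule in the NewComputerName definition above is the condition that decides whether step 2 succeeds. As an added example (not from the guide and not a Microsoft tool), the following Python code checks a proposed NewComputerName against the three acceptance conditions before any netdom command is run, and builds the three netdom commands in the order the procedure gives them. The domain name corp.example.com, the server names and the allowed-suffix list are constructed values; it assumes CurrentComputerName is given as an FQDN rather than an IP address.

```python
"""Added example (not from the guide): pre-check a domain controller rename against
the NewComputerName suffix rule, then emit the netdom sequence from the procedure."""

from typing import Iterable, List, Tuple


def dns_suffix(fqdn: str) -> str:
    """Everything after the first label, lower-cased: 'dc1.corp.example.com' -> 'corp.example.com'."""
    host, dot, suffix = fqdn.strip().rstrip(".").partition(".")
    if not host or not dot or not suffix:
        raise ValueError(f"not a fully qualified domain name: {fqdn!r}")
    return suffix.lower()


def new_name_allowed(current_fqdn: str, new_fqdn: str, domain_dns_name: str,
                     allowed_suffixes: Iterable[str] = ()) -> Tuple[bool, str]:
    """Apply the three conditions from the NewComputerName definition, in order.
    allowed_suffixes stands in for the msDS-AllowedDNSSuffixes attribute values.
    Returns (ok, reason)."""
    try:
        new_suffix = dns_suffix(new_fqdn)
    except ValueError as exc:
        return False, str(exc)
    # 1. same primary DNS suffix as the current name
    if new_suffix == dns_suffix(current_fqdn):
        return True, "suffix matches the current primary DNS suffix"
    # 2. the DNS name of the Active Directory domain this DC hosts
    if new_suffix == domain_dns_name.lower().rstrip("."):
        return True, "suffix matches the DNS name of the hosted AD domain"
    # 3. listed in msDS-AllowedDNSSuffixes on the domain object
    allowed = {s.lower().rstrip(".") for s in allowed_suffixes}
    if new_suffix in allowed:
        return True, "suffix is listed in msDS-AllowedDNSSuffixes"
    return False, f"suffix {new_suffix!r} is not permitted for this domain controller"


def rename_commands(current_fqdn: str, new_fqdn: str) -> List[str]:
    """Steps 2, 3 and 6 of the procedure; the restart (steps 4-5) happens between the
    second and third command, after SPN and DNS updates have replicated."""
    return [
        f"netdom computername {current_fqdn} /add:{new_fqdn}",
        f"netdom computername {current_fqdn} /makeprimary:{new_fqdn}",
        f"netdom computername {new_fqdn} /remove:{current_fqdn}",
    ]


if __name__ == "__main__":
    # constructed scenario: rename dc1 within its own domain
    current, proposed, domain = "dc1.corp.example.com", "dc2.corp.example.com", "corp.example.com"
    ok, why = new_name_allowed(current, proposed, domain, allowed_suffixes=["legacy.example.net"])
    print(ok, why)
    if ok:
        print("\n".join(rename_commands(current, proposed)))
```

The check mirrors what netdom enforces, so a rejected name here saves a failed /add and the replication wait that follows it; a name that passes still needs the SPN and DNS replication described above before the old name is removed.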

See Also
Rename a domain controller using System Properties

Update the FRS member object


Use this procedure to update the File Replication Service (FRS) member object after
renaming a domain controller.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group.

To update the FRS member object


1. Using Ldp.exe (or ADSI Edit), find the computer object of the renamed domain
controller.

2. Do a recursive search under the computer object for an object of type
nTFRSSubscriber with the name "Domain System Volume (SYSVOL share)".

3. The search filter is
(&(cn=Domain System Volume \28SYSVOL share\29)(objectClass=nTFRSSubscriber)).
The parentheses in the object name are escaped as \28 and \29 so that the filter
parser does not treat them as filter syntax.

4. Find the fRSMemberReference attribute of the object returned by the search.

5. Find the object whose distinguished name is in the fRSMemberReference attribute.
This is the nTFRSMember object corresponding to this domain controller.

6. Change the computer name of this nTFRSMember object from the old name of the
domain controller to the new name of the domain controller.
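
The procedure above is a search for one object followed by a rename of the object it references. As an added example (not from the guide and not Microsoft code), the following Python code builds the search filter with the parentheses in the CN escaped per RFC 4515, reads an LDIF export of the subtree under the computer object to locate the nTFRSSubscriber and its fRSMemberReference, and emits the LDIF change record (RFC 2849 modrdn) that renames the referenced nTFRSMember object. The LDIF export embedded below is constructed, as are the DC names and the DC=corp,DC=example,DC=com suffix; in practice the export would come from Ldp.exe or ldifde, and whether your import tool accepts modrdn records is an assumption to check.

```python
"""Added example (not from the guide): locate the SYSVOL nTFRSSubscriber under a
renamed DC's computer object and produce the rename of its nTFRSMember object."""

from typing import Dict, List, Optional

SUBSCRIBER_CN = "Domain System Volume (SYSVOL share)"

# Constructed LDIF export of the subtree beneath CN=DC1 (names and DNs are hypothetical).
SAMPLE_LDIF = """\
dn: CN=DC1,OU=Domain Controllers,DC=corp,DC=example,DC=com
objectClass: computer
cn: DC1

dn: CN=NTFRS Subscriptions,CN=DC1,OU=Domain Controllers,DC=corp,DC=example,DC=com
objectClass: nTFRSSubscriptions
cn: NTFRS Subscriptions

dn: CN=Domain System Volume (SYSVOL share),CN=NTFRS Subscriptions,CN=DC1,OU=Domain Controllers,DC=corp,DC=example,DC=com
objectClass: nTFRSSubscriber
cn: Domain System Volume (SYSVOL share)
fRSMemberReference: CN=DC1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=corp,DC=example,DC=com
"""

# RFC 4515 escapes for characters that would otherwise be read as filter syntax.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a literal assertion value so it cannot alter the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def subscriber_filter() -> str:
    """The search filter from step 3, with the CN escaped."""
    return f"(&(cn={ldap_filter_escape(SUBSCRIBER_CN)})(objectClass=nTFRSSubscriber))"


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: records separated by blank lines, folded lines (leading
    space) joined, attribute names lower-cased.  Base64 '::' values are not handled."""
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_key: Optional[str] = None
    for raw in text.splitlines() + [""]:          # trailing "" flushes the last record
        if raw.startswith(" ") and last_key is not None:
            current[last_key][-1] += raw[1:]      # continuation of the previous value
            continue
        if not raw.strip():
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        key, _, value = raw.partition(":")
        last_key = key.strip().lower()
        current.setdefault(last_key, []).append(value.strip())
    return records


def find_member_dn(records: List[Dict[str, List[str]]]) -> Optional[str]:
    """Apply the two filter conditions (cn and objectClass) to the parsed records and
    return fRSMemberReference: the DN of this DC's nTFRSMember object (steps 4-5)."""
    for rec in records:
        classes = {c.lower() for c in rec.get("objectclass", [])}
        if "ntfrssubscriber" in classes and SUBSCRIBER_CN in rec.get("cn", []):
            refs = rec.get("frsmemberreference")
            return refs[0] if refs else None
    return None


def rename_member_ldif(member_dn: str, new_name: str) -> str:
    """Step 6 as an LDIF modrdn record: the member object's RDN is the computer name,
    so only the RDN changes and the rest of the DN stays as it was."""
    return (f"dn: {member_dn}\n"
            "changetype: modrdn\n"
            f"newrdn: CN={new_name}\n"
            "deleteoldrdn: 1\n")


if __name__ == "__main__":
    print(subscriber_filter())
    member = find_member_dn(parse_ldif(SAMPLE_LDIF))
    print(rename_member_ldif(member, "DC1-NEW") if member else "subscriber not found")
```

The escaping step matters beyond this one object: any value that is spliced into an LDAP filter, including names taken from user input, should go through the same escape so that a `*` or `)` in the value cannot widen or restructure the search.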

Decommissioning a Domain Controller


Decommissioning a domain controller effectively removes all Active Directory and related
components and returns the domain controller to a member server role.

Task Requirements

The following tools are required to perform the procedures for this task:

 Ntdsutil.exe

 Active Directory Domains and Trusts

 Active Directory Users and Computers


 Active Directory Sites and Services

 Netdiag.exe

 Dcdiag.exe

To complete this task, perform the following procedures:

1. View the current operations master role holders

To avoid problems, transfer any operations master roles prior to running the Active
Directory Installation Wizard to decommission a domain controller so that you can
control the operations master role placement. If you need to transfer any roles from a
domain controller, understand all the recommendations for role placement before
performing the transfer.

Caution
During the decommissioning process, the Active Directory Installation Wizard
will attempt to transfer any remaining operations master roles to other
domain controllers without any user interaction. However, if a failure occurs,
the wizard will continue to uninstall Active Directory and leave your domain
without roles. Also, you do not have control over which domain controller
receives the roles. The wizard transfers the roles to any available domain
controller and does not indicate which domain controller hosts them.

2. Transfer the schema master

3. Transfer the domain naming master

4. Transfer the domain-level operations master roles

5. Determine whether a domain controller is a global catalog server

If you remove Active Directory from a domain controller that hosts a global catalog,
the Active Directory Installation Wizard confirms that you want to continue with
removing Active Directory. This confirmation ensures that you are aware that you are
removing a global catalog from your environment. Do not remove the last global
catalog server from your environment because users cannot log on without an
available global catalog server. If you are not sure, do not proceed with removing
Active Directory until you know that at least one other global catalog server is
available.

6. Verify DNS registration and functionality

7. Verify communication with other domain controllers

During the removal of Active Directory, contact with other domain controllers is
required to ensure:
 Any unreplicated changes are replicated to another domain controller.

 Removal of the domain controller from the directory.

 Transfer of any remaining operations master roles.

If the domain controller cannot contact the other domain controllers during Active
Directory removal, the decommissioning operation fails. As with the installation
process, test the communication infrastructure prior to running the installation wizard.
When you remove Active Directory, use the same connectivity tests that you used
during the installation of Active Directory.

8. Verify the availability of the operations masters

Important
If any of the verification tests fail, do not continue until you determine and fix
the problems. If these tests fail, the uninstallation is also likely to fail.

9. Uninstall Active Directory

10. Determine whether a Server object has child objects

11. Delete a Server object from a site

Note
The administrator may not want to remove the Server object if it hosts
something in addition to Active Directory—Microsoft Exchange, for example.

View the current operations master role holders


Once an operations master role has been transferred, verify that the transfer has
taken effect throughout the domain. The change must be replicated to all relevant
domain members in order to truly take effect.

To view the current operations master role holders, use Ntdsutil.exe with the roles option.
This option displays a list of all current role holders.

Administrative Credentials

To perform this procedure, you must be logged on as a User or an Administrator.

To view the current operations master role holder


1. Click Start, click Run, type ntdsutil, and then press ENTER.
2. At the ntdsutil: prompt, type roles and press ENTER.

3. At the fsmo maintenance: prompt, type connections and press ENTER.

4. At the server connections: prompt, type connect to server servername (where
servername is the name of the domain controller that belongs to the domain
containing the operations masters).

5. After receiving confirmation of the connection, type quit and press ENTER to exit
this menu.

6. At the fsmo maintenance: prompt, type select operation target and press
ENTER.
7. At the select operations target: prompt, type list roles for connected server
and press ENTER.

The system responds with a list of the current roles and the Lightweight Directory
Access Protocol (LDAP) name of the domain controllers currently assigned to
host each role.

8. Type quit and press ENTER to exit each prompt in Ntdsutil.exe. Type quit and
press ENTER at the ntdsutil: prompt to close the window.
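
Ntdsutil.exe also accepts its menu commands as quoted command-line arguments, which lets the walk in steps 2 through 8 run without typing at each prompt. As an added example (not from the guide and not a Microsoft tool), the following Python code builds that argument list, parses the role list that "list roles for connected server" prints, and reports which roles a given domain controller still holds, which is the question the decommissioning task needs answered before Active Directory is removed. The output embedded below is constructed to match the shape of the ntdsutil listing; the DC names and the DC=corp,DC=example,DC=com suffix are hypothetical.

```python
"""Added example (not from the guide): non-interactive ntdsutil role listing and a
check for roles still held by the DC that is about to be decommissioned."""

import re
import subprocess
from typing import Dict, List

# One line per role: "<role> - CN=NTDS Settings,CN=<server>,CN=Servers,..."
ROLE_LINE = re.compile(
    r"^(?P<role>Schema|Naming Master|PDC|RID|Infrastructure)\s*-\s*"
    r"CN=NTDS Settings,CN=(?P<server>[^,]+),(?P<rest>.*)$")

# Constructed output of "list roles for connected server" in a two-DC domain.
SAMPLE_OUTPUT = """\
Server "dc1.corp.example.com" knows about 5 roles
Schema - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com
Naming Master - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com
PDC - CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com
RID - CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com
Infrastructure - CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com
"""


def ntdsutil_command(servername: str) -> List[str]:
    """Steps 2-8 of the procedure as one argument list.  Each menu command is its own
    argument; the three trailing quits back out of the three menus entered."""
    return ["ntdsutil", "roles", "connections", f"connect to server {servername}", "quit",
            "select operation target", "list roles for connected server",
            "quit", "quit", "quit"]


def parse_role_holders(output: str) -> Dict[str, str]:
    """Map each role name to the server named in its NTDS Settings DN."""
    holders: Dict[str, str] = {}
    for line in output.splitlines():
        m = ROLE_LINE.match(line.strip())
        if m:
            holders[m.group("role")] = m.group("server")
    return holders


def roles_held_by(output: str, server: str) -> List[str]:
    """Roles still hosted by `server` (short name or FQDN, case-insensitive).
    A non-empty list means: transfer those roles before running dcpromo."""
    short = server.split(".")[0].lower()
    return [role for role, holder in parse_role_holders(output).items()
            if holder.lower() == short]


def live_role_holders(servername: str) -> Dict[str, str]:
    """Run ntdsutil against a domain controller and parse the result (Windows only)."""
    proc = subprocess.run(ntdsutil_command(servername), capture_output=True,
                          text=True, check=False)
    return parse_role_holders(proc.stdout)


if __name__ == "__main__":
    print(" ".join(f'"{a}"' if " " in a else a for a in ntdsutil_command("dc1")))
    print(parse_role_holders(SAMPLE_OUTPUT))
    print("roles on dc1:", roles_held_by(SAMPLE_OUTPUT, "dc1.corp.example.com"))
```

Because the Caution in the decommissioning task warns that the wizard transfers leftover roles to an unspecified domain controller, running this check first and transferring each listed role deliberately keeps role placement under your control.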

Transfer the schema master


Use this procedure to transfer the schema operations master role. The schema master is
a forest-wide operations master role. Before you can use the Active Directory Schema
snap-in for the first time, you must register it with the system. If you have not yet
prepared the Active Directory Schema snap-in, see Install the Schema snap-in before
you begin this procedure.

Note
This procedure is performed by using the Microsoft Management Console
(MMC), although you can also transfer this role by using Ntdsutil.exe. For
information about using Ntdsutil.exe to transfer operations master roles, type ? at
the Ntdsutil.exe command prompt.

Administrative Credentials

To perform this procedure, you must be a Schema Administrator in Active Directory.


Transfer the schema master
1. Open the Active Directory Schema snap-in.

2. In the console tree, right-click Active Directory Schema, and click Change
Domain Controller.

3. In the Change Domain Controller dialog box, click Specify Name. Then, in the
text box, type the name of the server to which you want to transfer the schema
master role. Click OK.

4. In the console tree, right-click Active Directory Schema. Click Operations
Master. The Change Schema Master box displays the name of the server that
is currently holding the role. The targeted domain controller is listed in the second
box.

5. Click Change. Click Yes to confirm your choice. The system confirms the
operation. Click OK again to confirm that the operation succeeded.

6. Click Close to close the Change Schema Master dialog box.

Note
Hosting the infrastructure master on a global catalog server is not
recommended. If you attempt to transfer the infrastructure master role to
a domain controller that is a global catalog, the system displays a
warning stating that this is not recommended.

Transfer the domain naming master


Use this procedure to transfer the domain naming operations master role. The domain
naming master is a forest-wide operations master role.

Note
This procedure is performed by using the Microsoft Management Console
(MMC), although you can also transfer this role by using Ntdsutil.exe. For
information about using Ntdsutil.exe to transfer operations master roles, type ? at
the Ntdsutil.exe command prompt.

Administrative Credentials

To perform this procedure, you must be a member of the Enterprise Admins group in
Active Directory.
To transfer the domain naming master
1. Open Active Directory Domains and Trusts.

2. In the console tree, right-click Active Directory Domains and Trusts, and then
click Connect to Domain Controller.

3. Ensure that the proper domain name is entered in the Domain box.

The available domain controllers from this domain are listed.

4. In the Name column, click the domain controller (to select it) to which you want to
transfer the role. Click OK.

5. Right-click Active Directory Domains and Trusts, and then click Operations
Master.

6. The name of the current domain naming master appears in the first text box. The
server to which you want to transfer the role should appear in the second text
box. If this is not the case, repeat steps 1 through 4.

7. Click Change. To confirm the role transfer, click Yes. Click OK again to close the
message box indicating the transfer took place. Click Close to close the Change
Operations Master dialog box.

Transfer the domain-level operations master roles


Use this procedure to transfer the three domain-level operations master roles: the PDC
emulator, the RID master, and the infrastructure master. You can transfer all of these
roles by using the Active Directory Users and Computers console.

Note
These procedures are performed by using MMC, although you can also transfer
these roles by using Ntdsutil.exe. For information about using Ntdsutil.exe to
transfer the operations master roles, type ? at the Ntdsutil.exe command prompt.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
To transfer a domain-level operations master role
1. Open Active Directory Users and Computers.

2. At the top of the console tree, right-click Active Directory Users and
Computers. Click Connect to Domain Controller.

3. In the list of available domain controllers, click the name of the server to which
you want to transfer the role, and then click OK.

4. At the top of the console tree, right-click Active Directory Users and
Computers, point to All Tasks, and then click Operations Masters.

The name of the current operations master role holder appears in the
Operations master box. The name of the server to which you want to transfer
the role appears in the lower box.

5. Click the tab for the role you want to transfer: RID, PDC, or Infrastructure. Verify
the computer names that appear and then click Change. Click Yes to transfer the
role, and then click OK.

6. Repeat steps 4 and 5 for each role that you want to transfer.

Determine whether a domain controller is a global catalog server


Use the setting on the NTDS Settings object to indicate whether a domain controller is
designated as a global catalog server.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Users group in Active
Directory.

To determine whether a domain controller is a global catalog server


1. Open Active Directory Sites and Services.

2. In the console tree, expand the Sites container, expand the site of the domain
controller you want to check, expand the Servers container, and then expand the
Server object.

3. Right-click the NTDS Settings object, and then click Properties.

4. On the General tab, if the Global Catalog box is selected, the domain controller
is designated as a global catalog server.

Verify DNS registration and functionality


This procedure verifies that DNS is functioning so that other domain controllers can be
located.

Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.

To verify DNS registration and functionality


1. Open a Command Prompt.

2. Type the following command and then press ENTER:

netdiag /test:dns

Note
For a more detailed response from this command, add /v to the end of
the command.

If DNS is functioning, the last line of the response is DNS Test…..: Passed. The
verbose option lists specific information about what was tested. This information
can help with troubleshooting if the test fails.
If the test fails, do not attempt any additional steps until you determine and fix the
problem that prevents proper DNS functionality.

Verify communication with other domain controllers


This procedure verifies that domain controllers can be located.

Administrative Credentials
To perform this procedure, you must be a member of the Domain Users group in Active
Directory.

To verify communication with other domain controllers


1. Open a Command Prompt.

2. Type the following command and then press ENTER:

netdiag /test:dsgetdc

Note
For a more detailed response from this command, add /v to the end of
the command.

If domain controllers are successfully located, the last line of the response is DC
discovery test……..: Passed. The verbose option lists the specific domain
controllers that are located.

If the test fails, do not attempt any additional steps until you determine and fix the
problem that prevents communication with other domain controllers.

Verify the availability of the operations masters


This procedure verifies that the operations masters can be located and that they are
online and responding.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Users group in Active
Directory.

Note
You can use these tests prior to installing Active Directory as well as afterward.
To perform the test prior to installing Active Directory, you must use the /s option
to indicate the name of a domain controller to use. You do not need the /s option
to perform the test after installing Active Directory. The test automatically runs on
the local domain controller where you are performing the test. The commands
listed in this procedure show the /s option. If you are performing this test after
installing Active Directory, omit the /s option. For a more detailed response from
this command, you can use the verbose option by adding /v to the end of the
command to see the detailed response.

To verify the availability of the operations masters


1. Open a Command Prompt.

2. Type the following command to ensure that the operations masters can be
located and then press ENTER:

dcdiag /s:domaincontroller /test:knowsofroleholders /verbose

where domaincontroller is the name of a domain controller in the domain in which
you want to add the new domain controller. The verbose option provides a
detailed list of the operations masters that were tested. Near the bottom of the
screen, a message confirms that the test succeeded. If you use the verbose
option, look carefully at the bottom part of the displayed output. The test
confirmation message appears immediately after the list of operations masters.
Press ENTER.

3. Type the following command to ensure that the operations masters are
functioning properly and are available on the network:

dcdiag /s:domaincontroller /test:fsmocheck

where domaincontroller is the name of a domain controller in the domain in which
you want to add the new domain controller. The verbose option provides a
detailed list of the operations masters that were tested. Near the bottom of your
screen, a message confirms that the test succeeded. Press ENTER.

If these tests fail, do not attempt any additional steps until you determine and fix
the problem that prevents locating operations masters and verifying that they are
functioning properly.
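
The verification procedures appear twice in this guide, after promotion (Verify DNS registration and functionality through Verify domain membership for a new domain controller) and again here before decommissioning, and each ends with the same rule: do not continue while any test fails. As an added example (not from the guide and not a Microsoft tool), the following Python code parses the result lines those procedures tell you to look for, from netdiag (/test:dns, /test:dsgetdc, /test:member) and dcdiag (/test:replications, /test:netlogons, /test:knowsofroleholders, /test:fsmocheck), and turns them into one go/no-go list. The tool output embedded in it is constructed to mirror the documented lines, with the NetLogons test deliberately failing; only live_results() runs the real tools and needs a Windows domain controller.

```python
"""Added example (not from the guide): gate the next step on the verification
tools' result lines rather than on a visual scan of their output."""

import re
import subprocess
from typing import Dict, List, Sequence

# --- constructed sample output (mirrors the lines the guide says to look for) ---
NETDIAG_DNS = """\
    Computer Name: DC1
    DNS Host Name: dc1.corp.example.com
    Default gateway test . . . . . . . : Passed
    DNS test . . . . . . . . . . . . . : Passed
"""
NETDIAG_DSGETDC = "    DC discovery test. . . . . . . . . : Passed\n"
NETDIAG_MEMBER = "    Domain membership test . . . . . . : Passed\n"

# NetLogons is made to fail here so the gate has something to report.
DCDIAG = """\
Domain Controller Diagnosis
Doing initial required tests
   Testing server: Default-First-Site-Name\\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\\DC1
      Starting test: Replications
         ......................... DC1 passed test Replications
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\\\DC1\\netlogon)
         ......................... DC1 failed test NetLogons
      Starting test: KnowsOfRoleHolders
         ......................... DC1 passed test KnowsOfRoleHolders
   Running enterprise tests on : corp.example.com
      Starting test: FsmoCheck
         ......................... corp.example.com passed test FsmoCheck
"""

# "DNS test . . . . : Passed" style summary lines printed by netdiag.
NETDIAG_RESULT = re.compile(
    r"^\s*(?P<test>[A-Za-z][A-Za-z ]*?)\s*[.\s\u2026]*:\s*(?P<result>Passed|Failed)\s*$")
# "......................... DC1 passed test NetLogons" style lines printed by dcdiag.
DCDIAG_RESULT = re.compile(
    r"^\s*\.+\s+(?P<server>\S+)\s+(?P<result>passed|failed)\s+test\s+(?P<test>\w+)\s*$")

REQUIRED_NETDIAG = ("DNS test", "DC discovery test", "Domain membership test")
REQUIRED_DCDIAG = ("Connectivity", "Replications", "NetLogons", "KnowsOfRoleHolders", "FsmoCheck")


def parse_netdiag(output: str) -> Dict[str, str]:
    """Map each netdiag test name (lower-cased) to 'Passed' or 'Failed'."""
    results: Dict[str, str] = {}
    for line in output.splitlines():
        m = NETDIAG_RESULT.match(line)
        if m:
            results[m.group("test").strip().lower()] = m.group("result")
    return results


def parse_dcdiag(output: str) -> Dict[str, str]:
    """Map each dcdiag test name (lower-cased) to 'passed' or 'failed'."""
    results: Dict[str, str] = {}
    for line in output.splitlines():
        m = DCDIAG_RESULT.match(line)
        if m:
            results[m.group("test").lower()] = m.group("result")
    return results


def failed_required(netdiag_outputs: Sequence[str], dcdiag_outputs: Sequence[str]) -> List[str]:
    """Every required test that did not pass, including tests that never ran.
    An empty list is the only state in which the guide says to continue."""
    netdiag: Dict[str, str] = {}
    for out in netdiag_outputs:
        netdiag.update(parse_netdiag(out))
    dcdiag: Dict[str, str] = {}
    for out in dcdiag_outputs:
        dcdiag.update(parse_dcdiag(out))
    problems: List[str] = []
    for name in REQUIRED_NETDIAG:
        result = netdiag.get(name.lower(), "not run")
        if result != "Passed":
            problems.append(f"netdiag {name}: {result}")
    for name in REQUIRED_DCDIAG:
        result = dcdiag.get(name.lower(), "not run")
        if result != "passed":
            problems.append(f"dcdiag {name}: {result}")
    return problems


def live_results(server: str = "") -> List[str]:
    """Run the tools on a Windows domain controller; pass a server name to add /s:
    as the procedure does before Active Directory is installed."""
    def run(*argv: str) -> str:
        return subprocess.run(argv, capture_output=True, text=True, check=False).stdout
    s = [f"/s:{server}"] if server else []
    netdiag = [run("netdiag", t) for t in ("/test:dns", "/test:dsgetdc", "/test:member")]
    dcdiag = [run("dcdiag", *s, t) for t in ("/test:replications", "/test:netlogons",
                                              "/test:knowsofroleholders", "/test:fsmocheck")]
    return failed_required(netdiag, dcdiag)


if __name__ == "__main__":
    print(failed_required([NETDIAG_DNS, NETDIAG_DSGETDC, NETDIAG_MEMBER], [DCDIAG]))
```

A test that is missing from the output is reported as "not run" rather than silently passing, because a tool that exits early (for example when DNS itself is down) prints no result line for the tests it never reached.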

Uninstall Active Directory


To use the Active Directory Installation Wizard to remove Active Directory, you must know
the password to assign to the local Administrator account of the server after Active
Directory is removed.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group.
To uninstall Active Directory
1. Click Start, click Run, type dcpromo and then click OK.

2. The Active Directory Installation Wizard appears. Click Next at the Welcome
screen.

3. You have an option to select This server is the last domain controller in the
domain. If you select this option, the wizard attempts to remove the domain from
the forest. Do not select this option. Click Next.

4. At the Administrative Password screen, enter and confirm the password that
you want to assign to the local Administrator account after Active Directory is
removed. Click Next.

5. At the Summary screen, verify that the information is correct and then click Next
to proceed with the removal.

6. The wizard proceeds to remove Active Directory. After it finishes, the wizard
displays a completion screen. Click Finish to close the wizard.

7. Click Restart to restart the domain controller.

Determine whether a Server object has child objects


After Active Directory is properly installed on a domain controller, the Server object for the
domain controller will have a child NTDS Settings object. Other applications that are
running on domain controllers can also publish child objects.

Prior to deleting a Server object from the Servers container for a site, verify that the
Server object has no child objects. If a child object appears, do not delete the Server
object.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Users group.

To determine whether a server object has child objects


1. Open Active Directory Sites and Services.

2. Expand the Sites container and expand the site of the Server object.
3. Expand the Servers container, and then expand the Server object to view any
Child objects.

Delete a Server object from a site


When no Child objects are visible below the Server object in Active Directory Sites and
Services, you can remove the Server object.

Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group.

To delete a server object from a site


1. Open Active Directory Sites and Services.

2. Expand the Sites container, and then expand the site from which you want to
delete a Server object.

3. If no Child objects appear below the Server object, right-click the Server object,
and then click Delete.

Important
Do not delete a Server object that has a Child object. If an NTDS
Settings or other Child object appears below the Server object you want
to delete, either replication on the domain controller on which you are
viewing the Configuration container has not occurred, or the server
whose Server object you are removing has not been properly
decommissioned.

4. Click Yes to confirm your choice.

Forcing the Removal of a Domain Controller


Forced removal of a domain controller from Active Directory is intended to be used as a
last resort to avoid having to reinstall the operating system on a domain controller that
has failed and cannot be recovered. When a domain controller can no longer function in a
domain (that is, it is offline), you cannot remove Active Directory in the normal way, which
requires connectivity to the domain. Forced removal is not intended to replace the normal
Active Directory removal procedure in any way. It is virtually equivalent to permanently
disconnecting the domain controller.

Active Directory stores a considerable amount of metadata about a domain controller.
During the normal process of uninstalling Active Directory on a domain controller, this
metadata is removed from Active Directory through a connection to another domain
controller in the domain. A forced removal assumes that there is no connectivity to the
domain; therefore, it does not attempt any metadata removal (cleanup).

Consequently, forced removal of Active Directory from a domain controller should always
be followed by the metadata cleanup procedure, which removes all references to the
domain controller from the domain and forest.

Forced demotion should not be performed on the last domain controller in a domain.

Task Requirements

The following tools are required to perform the procedures for this task:

 Active Directory Sites and Services

 Dcpromo.exe

 Ntdsutil.exe

To complete this task, perform the following procedures:

1. Identify replication partners. Connect to one of these domain controllers when you
clean up server metadata in procedure 3.

2. Force domain controller removal

3. Clean up server metadata

Identify replication partners


Use this procedure to examine the Connection objects for a domain controller and
determine its replication partners.

Administrative Credentials

To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
To identify replication partners
1. Open Active Directory Sites and Services.

2. In the console tree, expand the Sites container to display the list of sites.

3. Double-click the site that contains the domain controller for which you want to
determine Connection objects.

Note
If you do not know the site in which the domain controller is located, open
a command prompt and type ipconfig to get the IP address of the
domain controller. Use the IP address to verify that an IP address maps
to a subnet and determine the site association.

4. Expand the Servers folder to display the list of servers in that site.

5. Expand the name of your domain controller to display its NTDS settings.

6. Double-click NTDS Settings to display the list of Connection objects in the details
pane (these represent inbound connections used for replication). The From
Server column displays the names of the domain controllers that are the
replication partners.

Force domain controller removal


Use this procedure to force the removal of Active Directory from a domain controller.

Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group.

To force domain controller removal


1. Click Start, click Run, type the following command and then press ENTER:

Dcpromo /forceremoval

2. At the Welcome to the Active Directory Installation Wizard page, click Next.

3. At the Force the Removal of Active Directory page, click Next.

4. In Administrator Password, type and confirm the password that you want to assign
to the Administrator account of the local SAM database, and then click Next.

5. In Summary, click Next.

Clean up server metadata


You perform the metadata cleanup process by using Ntdsutil.exe, a command-line tool
that is automatically installed on all domain controllers. Metadata cleanup removes data
from Active Directory that identifies a domain controller to the replication system. On a
domain controller that is running Windows Server 2003 with Service Pack 1 (SP1),
metadata cleanup also removes File Replication service (FRS) connections and attempts
to transfer or seize any operations master roles that the retired domain controller holds.
These additional processes are performed automatically.

Administrative credentials

• To complete this procedure, you must be a member of the Enterprise Admins group.

To clean up server metadata


1. Open a command prompt.

2. Type the following command, and then press ENTER:

ntdsutil

3. At the ntdsutil: prompt, type:

metadata cleanup

4. Perform metadata cleanup as follows:

• If you are performing metadata cleanup by using the version of Ntdsutil.exe
that is included with Windows Server 2003 SP1, at the metadata cleanup:
prompt, type:

remove selected server ServerName

Or

remove selected server ServerName1 on ServerName2


Value: ServerName, ServerName1
Definition: The distinguished name of the domain controller whose metadata you want to
remove, in the form
cn=ServerName,cn=Servers,cn=SiteName,cn=Sites,cn=Configuration,dc=ForestRootDomain

Value: ServerName2
Definition: The DNS name of the domain controller to which you want to connect and from
which you want to remove server metadata

• If you are performing metadata cleanup by using the version of Ntdsutil.exe
that is included with Windows Server 2003 with no service pack, perform
metadata cleanup as follows:

a. At the metadata cleanup: prompt, type:

connection

b. At the server connections: prompt, type:

connect to server Server

c. At the server connections: prompt, type:

quit

d. At the metadata cleanup: prompt, type:

select operation target

e. At the select operation target: prompt, type:

list sites

A numbered list of sites appears.

f. At the select operation target: prompt, type:

select site SiteNumber

g. At the select operation target: prompt, type:

list domains in site

A numbered list of domains in the selected site appears.

h. At the select operation target: prompt, type:

select domain DomainNumber

i. At the select operation target: prompt, type:

list servers in site

A numbered list of servers in a domain and site appears.

j. At the select operation target: prompt, type:

select server ServerNumber

k. At the select operation target: prompt, type:

quit

l. At the metadata cleanup: prompt, type:

remove selected server

Value: Server
Description: The DNS name of a domain controller that you want to connect to

Value: SiteNumber
Description: The number associated with the site of the server that you want to clean up
that appears in the list

Value: DomainNumber
Description: The number associated with the domain of the server that you want to clean
up that appears in the list

Value: ServerNumber
Description: The number associated with the server that you want to clean up that
appears in the list

At this point, Active Directory confirms that the domain controller was removed
successfully. If you receive an error message that indicates that the object cannot
be found, Active Directory might have already removed the domain controller.

5. At the metadata cleanup: and ntdsutil: prompts, type quit.
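The SP1 form of the cleanup, composed in code so the server distinguished name is built in exactly the form given above; this is an added example, not code from the Operations Guide. It assumes that ntdsutil accepts each command-line argument as one command (so the prompts in steps 2 through 5 need not be typed interactively), and the names DC2, Default-First-Site-Name, contoso.com and dc1.contoso.com are constructed.

```python
"""Build (and optionally run) the SP1 ntdsutil metadata-cleanup command.

Added example, not from the Operations Guide. It composes the server DN in
the form cn=ServerName,cn=Servers,cn=SiteName,cn=Sites,cn=Configuration,
dc=ForestRootDomain and relies on ntdsutil taking each command-line argument
as one command (assumed behaviour). Server, site and domain names are constructed.
"""
import subprocess


def dn_from_dns(domain):
    """contoso.com -> dc=contoso,dc=com (the dc=ForestRootDomain part)."""
    labels = [label for label in domain.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("forest root domain must be a DNS name")
    return ",".join("dc=" + label for label in labels)


def escape_rdn_value(value):
    """Escape characters that are special in an LDAP DN (RFC 4514)."""
    specials = '\\,+"<>;='
    escaped = "".join("\\" + ch if ch in specials else ch for ch in value)
    if escaped[:1] in ("#", " "):
        escaped = "\\" + escaped      # leading '#' or space must be escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "  # trailing space must be escaped
    return escaped


def server_dn(server, site, forest_root):
    """DN of the server object under the Configuration partition."""
    return "cn={},cn=Servers,cn={},cn=Sites,cn=Configuration,{}".format(
        escape_rdn_value(server), escape_rdn_value(site), dn_from_dns(forest_root))


def ntdsutil_cleanup_args(server, site, forest_root, connect_to=None):
    """Argument list equivalent to typing the guide's steps 2 to 5 at the prompts.

    connect_to gives the 'ServerName1 on ServerName2' form: the DNS name of the
    domain controller to connect to and remove the metadata from.
    """
    command = "remove selected server " + server_dn(server, site, forest_root)
    if connect_to:
        command += " on " + connect_to
    # "quit" twice: once at metadata cleanup:, once at ntdsutil:
    return ["ntdsutil", "metadata cleanup", command, "quit", "quit"]


def run_cleanup(server, site, forest_root, connect_to=None):
    """Run on a Windows Server 2003 SP1 domain controller as an Enterprise Admin."""
    args = ntdsutil_cleanup_args(server, site, forest_root, connect_to)
    result = subprocess.run(args, capture_output=True, text=True)
    return result.returncode, result.stdout


if __name__ == "__main__":
    args = ntdsutil_cleanup_args("DC2", "Default-First-Site-Name",
                                 "contoso.com", "dc1.contoso.com")
    print(" ".join('"%s"' % a if " " in a else a for a in args))
```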


Additional Resources for Administering Active Directory
For general information about how Active Directory works and how to deploy, monitor,
and delegate Active Directory, see the following resources:

• Active Directory Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=26094)

• Designing and Deploying Directory and Security Services on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=27638)

• "Monitoring Active Directory Health" in the Active Directory Management Pack
Technical Reference for MOM 2005 on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=43127)

• Best Practices for Delegating Active Directory Administration on the Microsoft Web
site (http://go.microsoft.com/fwlink/?LinkId=46579)

For specific information about troubleshooting Active Directory problems, see the
following resources:

• Troubleshooting Active Directory Operations

• Identity and Directory Services Community on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=20151)

• Windows Server Active Directory Newsgroup on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=43065)

For development information about Active Directory, see the following resources:

• Active Directory Platform SDK on the Microsoft Web site
(http://go.microsoft.com/fwlink/?linkid=142)

• Lightweight Directory Access Protocol Platform SDK on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkID=2972)

• RFC Pages and Internet-Drafts on the Internet Engineering Task Force Web site
(http://go.microsoft.com/fwlink/?LinkID=121)

Note
Web addresses can change, so you might be unable to connect to the Web site
or sites mentioned here.
Troubleshooting Active Directory Operations
This Active Directory Troubleshooting guide provides troubleshooting information for
Active Directory in the Microsoft Windows Server 2003 and Windows Server 2003 with
Service Pack 1 (SP1) operating systems.

In this guide

• Configuring a Computer for Troubleshooting Active Directory

• Troubleshooting Active Directory Replication Problems

• Additional Resources for Troubleshooting Active Directory

This initial release of the Active Directory Troubleshooting guide includes troubleshooting
recommendations and procedures for diagnosing and fixing problems that may occur with
Active Directory replication. This content focuses primarily on responses to Directory
Service event log messages and tool-based error messages that might be reported by
the Repadmin.exe and Dcdiag.exe tools, which are available in Windows Support Tools.

Installation of Windows Server 2003 with SP1 is encouraged for improved diagnostic
support in both Windows Support Tools, which you must install separately, and the
Ntdsutil.exe administrative command-line tool, which is included with the operating
system.

Acknowledgments

Key Technical Reviewers: Arren Conner, Gregory Johnson, Rob Kochman, Ajit Krishnan,
Dave Tesar

Configuring a Computer for Troubleshooting Active Directory
Before you can use advanced troubleshooting techniques to identify and fix
Active Directory problems, you must configure your computer for troubleshooting and
have a basic understanding of Windows Server 2003 troubleshooting concepts,
procedures, and tools. For information about monitoring tools for Windows Server 2003,
see Monitoring and Status Tools on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=59526).
Configuration Tasks for Troubleshooting
To configure your computer for troubleshooting, perform the following tasks:

Install Windows Server 2003 SP1

Install Windows Support Tools

Install Network Monitor

Set logging levels

Install Windows Server 2003 SP1


If possible, upgrade domain controllers to Windows Server 2003 Service Pack 1 (SP1).
To install this service pack, go to the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=9999) and follow the instructions for
downloading the service pack.

The advantages of running Windows Server 2003 with SP1 with regard to
troubleshooting include enhancements to the Ntdsutil command-line tool. Ntdsutil.exe
has new functionality that makes it easier to remove domain controller metadata and to
authoritatively restore directory objects.

Install Windows Support Tools


For improved diagnostic support, install Windows Support Tools that ship with
Windows Server 2003 SP1. The SP1 version of Windows Support Tools includes
enhanced versions of the Dcdiag.exe and Repadmin.exe tools. The Dcdiag.exe
command-line tool now provides new reporting on the overall health of replication with
respect to Active Directory security, as well as new Domain Name System (DNS)
diagnostic tests. You can use Repadmin.exe to manage replication consistency settings
on multiple domain controllers instead of editing the registry on individual computers.

Make sure that the SP1 version of Windows Support Tools is installed on all domain
controllers that are running Windows Server 2003 with SP1.

Options for Running SP1 Windows Support Tools


You can run Windows Support Tools that ship with Windows Server 2003 SP1 on
computers running the following operating systems:

• Windows Server 2003 with SP1

• Windows Server 2003 without SP1


You can also run some tools, such as Repadmin.exe and Dcdiag.exe, on computers
running Windows XP Professional, Windows XP Professional with SP1, or
Windows XP Professional with Service Pack 2 (SP2). Options for other tools vary by tool.
In this guide, the operating system that is required for running a tool is specified as a
prerequisite for each procedure.

Options for Installing SP1 Windows Support Tools


The SP1 version of Windows Support Tools can be installed as an .msi package only on
computers running Windows Server 2003 with SP1. To run Repadmin and Dcdiag from
computers running Windows Server 2003 without SP1 or from computers running
Windows XP Professional, you must copy the respective executable files to those
computers.

Requirements

• Administrative credentials: To complete this procedure, you must be a member of the
Builtin Administrators group.

• Operating system: Windows Server 2003 with SP1. You cannot use suptools.msi to
install the SP1 version of Windows Support Tools on a computer that is not running
Windows Server 2003 with SP1.

To install Windows Support Tools


1. Insert the Windows CD into your CD-ROM drive.

2. If you are prompted to reinstall Windows, click No.

3. When the Welcome screen appears, click Perform additional tasks, and then
click Browse this CD.
4. Go to the \Support\Tools folder. For complete setup information, see the
Readme.htm file in this folder.

5. Double-click suptools.msi.

6. Follow the instructions that appear on your screen.

Install Network Monitor


Use Network Monitor to troubleshoot connectivity issues by tracing network traffic
between computers. For information about installing and using Network Monitor, see
Network Monitor on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=42987).
Set Logging Levels
If the information that you receive in the Directory Service log in Event Viewer is not
sufficient for troubleshooting, raise the logging levels by using the appropriate registry
entry in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.

By default, the logging levels for all entries are set to 0, which provides the minimum
amount of information. The highest logging level is 5. Increasing the level for an entry
causes additional events to be logged in the Directory Service event log. The following
diagram shows the diagnostic entries that are available.

Directory Service Diagnostic Logging Levels

Use the following procedure to change the logging level for a diagnostic entry.

Caution
It is recommended that you do not directly edit the registry unless there is no
other alternative. Modifications to the registry are not validated by the registry
editor or by Windows before they are applied, and as a result, incorrect values
can be stored. This can result in unrecoverable errors in the system. When
possible, use Group Policy or other Windows tools, such as Microsoft
Management Console (MMC), to accomplish tasks rather than editing the registry
directly. If you must edit the registry, use extreme caution.

Requirements

• Administrative credentials: To complete this procedure, you must be a member of the
Domain Admins group in the domain of the domain controller on which you are
setting the logging level.

• Tools: Regedit.exe

To change the logging level for a diagnostic entry


1. Click Start, click Run, type regedit, and then click OK.

2. Navigate to the entry for which you want to set logging in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.

3. Double-click the entry, and under Base, click Decimal.

4. In the Value data box, type an integer from 0 through 5, and then click OK.

Troubleshooting Active Directory Replication Problems
Active Directory replication problems can have several different sources. For example,
Domain Name System (DNS) problems, networking issues, or security problems can all
cause Active Directory replication to fail.

Inbound or outbound replication failure causes Active Directory objects that represent the
replication topology, replication schedule, domain controllers, users, computers,
passwords, security groups, group memberships, and Group Policy to be inconsistent
between domain controllers. Directory inconsistency causes either operational failures or
inconsistent results, depending on the domain controller that is contacted for the
operation at hand. Active Directory depends on network connectivity, name resolution,
authentication and authorization, the directory database, the replication topology, and the
replication engine. When the root cause of a replication problem is not immediately
obvious, determining the cause among the many possible causes requires systematic
elimination of probable causes.
Event and Tool Solution Recommendations
Ideally, the red (Error) and yellow (Warning) events in the Directory Service event log
suggest the specific constraint that is causing replication failure on the source or
destination domain controller. If the event message suggests steps for a solution, try the
steps listed in the event. The Repadmin tool and other diagnostic tools also provide
information that can help you resolve replication failures.

Ruling Out the Obvious


Sometimes replication errors occur because of intentional disruptions. For example,
when you troubleshoot Active Directory replication problems, rule out intentional
disconnections and hardware failures or upgrades first.

Intentional Disconnections
If replication errors are reported by a domain controller that is attempting replication with
a domain controller that has been built in a staging site and is currently offline awaiting its
deployment in the final (remote) production site, you can attribute those errors to the
intentional disconnection. To
avoid separating a domain controller from the replication topology for extended periods,
which causes continuous errors until the domain controller is reconnected, consider
adding such computers initially as member servers and using the install-from-media
method to install Active Directory. You can back up an up-to-date domain controller to
removable media (CD/DVD or other media) and ship the media to the destination site.
Then, you can use the media to promote the domain controllers at the site, without
requiring replication. For more information about installing from media, see Installing a
Domain Controller in an Existing Domain Using Restored Backup Media.

Hardware Failures or Upgrades


If replication problems occur as a result of hardware failure (for example, failure of the
motherboard, disk subsystem, or hard drive), notify the server owner so that the
hardware problem can be resolved.

Periodic hardware upgrades can also cause domain controllers to be out of service.
Ensure that your server owners have a good system of communicating such outages in
advance.
Correct Response to Any Outdated Server Running Windows 2000 Server
If a domain controller running Windows 2000 Server has failed for longer than the
number of days in the tombstone lifetime, the solution is always the same:

1. Move the server from the corporate network to a private network.

2. Either forcefully remove Active Directory or reinstall the operating system.

3. Remove the server metadata from Active Directory so that the server object cannot
be revived.

Note
By default, NTDS Settings objects that are deleted are revived automatically for a
period of 14 days. Therefore, if you do not remove server metadata (use Ntdsutil
to perform metadata cleanup), the server metadata is reinstated in the directory,
which prompts replication attempts to occur. In this case, errors will be logged
persistently as a result of the inability to replicate with the missing domain
controller.

Root Causes
If you rule out intentional disconnections, hardware failures, and outdated Windows 2000
domain controllers, the remainder of replication problems almost always have one of the
following root causes:

• Network connectivity: The network connection might be unavailable or network
settings are not configured properly.

• Name resolution: DNS misconfigurations are a common cause for replication failures.

• Authentication and authorization: Authentication and authorization problems cause
"Access denied" errors when a domain controller tries to connect to its replication
partner.

• Directory database (store): The directory database might not be able to process
transactions fast enough to keep up with replication timeouts.

• Replication engine: If intersite replication schedules are too short, replication queues
might be too large to process in the time that is required by the outbound replication
schedule. In this case, replication of some changes can be stalled indefinitely —
potentially, long enough to exceed the tombstone lifetime.

• Replication topology: Domain controllers must have intersite links in Active Directory
that map to real wide area network (WAN) or virtual private network (VPN)
connections. If you create objects in Active Directory for the replication topology that
are not supported by the actual site topology of your network, replication that requires
the misconfigured topology fails.

General Approach to Fixing Problems


Use the following general approach to fixing replication problems:

1. Monitor replication health daily, or use Repadmin.exe to retrieve replication status
daily.

2. Attempt to resolve any reported failure in a timely manner by using the methods
described in event messages and this guide. If software might be causing the
problem, uninstall the software before you continue with other solutions.

3. If the problem that is causing replication to fail cannot be resolved by any known
methods, remove Active Directory from the server and then reinstall Active Directory.
For more information about reinstalling Active Directory, see Decommissioning a
Domain Controller.

4. If Active Directory cannot be removed normally while connected to the network, use
one of the following methods to resolve the problem:

• Force Active Directory removal in Directory Services Restore Mode, clean up
server metadata, and then reinstall Active Directory.

• Reinstall the operating system, and rebuild the domain controller.

For more information about forcing Active Directory removal, see Forcing the
Removal of a Domain Controller.

Monitoring Replication Health


Monitoring for replication failures is critical to being able to solve replication problems
quickly and effectively. Use one of the following methods to monitor replication health:

• Use a monitoring application that you set to capture and report specific errors and
events on a daily basis.

• Use the Repadmin tool to retrieve replication status daily.


Using a Monitoring Application to Monitor Replication Health
For all domain controllers in a forest, monitor replication health on a daily basis by using
Microsoft Operations Manager (MOM) or an equivalent monitoring application. For
information about using MOM to monitor Active Directory, see Active Directory
Management Pack Technical Reference for MOM 2005 on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41369).

Using Repadmin to Retrieve Replication Status


Replication status is an important way for you to evaluate the status of the directory
service. If replication is working without errors, you know the domain controllers that are
online. You also know that the following systems and services are working:

• DNS infrastructure

• Kerberos

• Windows Time service (W32time)

• Remote procedure call (RPC)

• Network connectivity

Use Repadmin (Windows Support Tools) to monitor replication status daily by running a
command that assesses the replication status of all domain controllers in your forest. The
procedure generates a .csv file that you can open in Excel and filter for replication
failures.

Use the following procedure to retrieve the replication status of all domain controllers in
the forest.

Requirements

• Administrative credentials: To complete this procedure, you must be a member of the
Domain Admins group in the forest root domain or the Enterprise Admins group in the
forest.

• Tools:

Repadmin.exe (Windows Support Tools)

Excel (Microsoft Office)

To retrieve replication status


1. Open a command prompt, type the following command, and then press ENTER:

repadmin /showrepl * /csv >showrepl.csv

2. In Excel, on the File menu, click Open.

3. In Files of type, click Text Files (*.prn;*.txt;*.csv).

4. In Look in, navigate to showrepl.csv, and then click Open.

5. In the Excel spreadsheet, right-click the column heading for
showrepl_COLUMNS (column A) and then click Hide. Repeat for the column
labeled Transport Type.

6. Select the row just under the column headings, and then, on the Window menu,
click Freeze Pane.

7. Click the upper-left corner of the spreadsheet to highlight the entire spreadsheet.
On the Data menu, point to Filter, and then click AutoFilter.

8. In the heading of the Last Success column, click the down arrow, and then click
Sort Ascending.

9. In the heading of the Source DC column, click the down arrow, and then click
Custom. In the Custom AutoFilter dialog box, complete the custom filter as
follows:

a. Under Source DC, click does not contain.

b. In the corresponding text box, type del to filter deleted domain controllers
from the spreadsheet.

10. In the heading of the Last Failure column, click the down arrow, and then click
Custom. In the Custom AutoFilter dialog box, complete the custom filter as
follows:

a. Under Last Failure, click does not equal.

b. In the corresponding text box, type 0 to filter for only domain controllers that
are experiencing failures.

For every domain controller in the forest, the spreadsheet shows the source replication
partner, the time that replication last occurred, and the time that the last replication failure
occurred for each naming context (directory partition). By using Autofilter in Excel, you
can view the replication health for working domain controllers only, failing domain
controllers only, or domain controllers that are the least or most current, and you can see
the replication partners that are replicating successfully.
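The same triage applied in code, so the daily check can run unattended instead of through Excel; this is an added example, not part of the Operations Guide. It assumes the column header that Repadmin writes in /csv mode (showrepl_COLUMNS, Destination DSA Site, Destination DSA, Naming Context, Source DSA Site, Source DSA, Transport Type, Number of Failures, Last Failure Time, Last Success Time, Last Failure Status), uses constructed sample rows, and goes one step beyond the procedure by comparing each failing link's last success against the tombstone lifetime, which is the condition under which lingering objects arise.

```python
"""Triage repadmin /showrepl * /csv output the way the Excel steps do.

Added example, not part of the Operations Guide. The CSV header is the one
assumed for Repadmin's /csv mode; the sample rows are constructed. Filtering
follows the procedure: drop source DCs whose name contains "del" (deleted DCs),
keep links whose Last Failure Status is not 0, and sort by Last Success Time
ascending so the stalest links come first.
"""
import csv
import io
from datetime import datetime

# Default tombstone lifetime: 60 days for a forest whose first DC ran Windows 2000
# Server or Windows Server 2003; 180 days when it ran Windows Server 2003 SP1.
TOMBSTONE_LIFETIME_DAYS = 60

# "Now" for the sample report (constructed, matches the sample timestamps).
SAMPLE_NOW = datetime(2006, 7, 10, 9, 0, 0)

# Constructed sample of showrepl.csv (not real tool output). The last row is a
# link to a deleted DC, whose name contains the DEL marker that the guide filters on.
SAMPLE_CSV = (
    "showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,"
    "Source DSA Site,Source DSA,Transport Type,Number of Failures,"
    "Last Failure Time,Last Success Time,Last Failure Status\n"
    'showrepl_INFO,Default-First-Site-Name,DC1,"DC=contoso,DC=com",'
    "Default-First-Site-Name,DC2,RPC,0,0,2006-07-10 08:00:12,0\n"
    'showrepl_INFO,Default-First-Site-Name,DC1,"DC=contoso,DC=com",'
    "Branch,DC3,RPC,12,2006-07-10 07:55:01,2006-07-08 22:10:44,1722\n"
    'showrepl_INFO,Default-First-Site-Name,DC1,"CN=Configuration,DC=contoso,DC=com",'
    "Branch,DC3,RPC,12,2006-07-10 07:55:01,2006-01-02 03:04:05,8524\n"
    'showrepl_INFO,Branch,DC3,"DC=contoso,DC=com",'
    "Default-First-Site-Name,DC1,RPC,0,0,2006-07-10 07:59:59,0\n"
    'showrepl_INFO,Default-First-Site-Name,DC1,"DC=contoso,DC=com",'
    "Default-First-Site-Name,DC4\\0ADEL:placeholder-guid,RPC,3,"
    "2006-07-10 07:00:00,2006-06-01 00:00:00,8524\n"
)


def parse_showrepl(text):
    """Parse the CSV text into one dict per replication link."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_time(value):
    """Repadmin writes 0 (or nothing) when an event never happened."""
    value = value.strip()
    if value in ("", "0"):
        return None
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def failing_links(rows, exclude_deleted=True):
    """Links with a non-zero Last Failure Status, stalest last success first."""
    keep = []
    for row in rows:
        if exclude_deleted and "del" in row["Source DSA"].lower():
            continue  # Excel step 9: Source DC "does not contain" del
        if row["Last Failure Status"].strip() == "0":
            continue  # Excel step 10: Last Failure "does not equal" 0
        keep.append(row)
    keep.sort(key=lambda r: parse_time(r["Last Success Time"]) or datetime.min)
    return keep


def days_since_success(row, now):
    """Whole days since this link last replicated, or None if it never has."""
    last = parse_time(row["Last Success Time"])
    return None if last is None else (now - last).days


def summarize(text, now, lifetime_days=TOMBSTONE_LIFETIME_DAYS):
    """Report failing links; flag those whose last success predates the
    tombstone lifetime (or that never succeeded), the lingering-object condition."""
    report = []
    for row in failing_links(parse_showrepl(text)):
        stale_days = days_since_success(row, now)
        report.append({
            "destination": row["Destination DSA"],
            "source": row["Source DSA"],
            "naming_context": row["Naming Context"],
            "failures": int(row["Number of Failures"]),
            "status": int(row["Last Failure Status"]),
            "days_since_success": stale_days,
            "lingering_object_risk": stale_days is None or stale_days > lifetime_days,
        })
    return report


if __name__ == "__main__":
    for entry in summarize(SAMPLE_CSV, SAMPLE_NOW):
        print(entry)
```

Point the script at a real showrepl.csv by reading the file into summarize() with the current time; the Last Failure Status value is the Win32 error code that the event and error tables below key on.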
Attempting to Resolve Problems
Replication problems are reported in event messages and in various error messages that
occur when an application or service attempts an operation. Ideally, these messages are
collected by your monitoring application or when you retrieve replication status.

Most replication problems are identified in the event messages that are logged in the
Directory Service event log. Replication problems might also be identified in the form of
error messages in the output of the repadmin /showrepl command.

repadmin /showrepl Error Messages That Indicate Replication Problems
To identify Active Directory replication problems, use the repadmin /showrepl command
as described in the previous section. The following table shows error messages that are
generated by this command, along with the root causes of the errors and links to topics
that provide solutions for the errors.

repadmin /showrepl Error Messages

Repadmin error: The time since last replication with this server has exceeded the
tombstone lifetime.
Root cause: A domain controller has failed inbound replication with the named source
domain controller long enough for a deletion to have been tombstoned, replicated, and
garbage-collected from Active Directory.
Solution: Event ID 2042: It has been too long since this machine replicated

Repadmin error: No inbound neighbors.
Root cause: If no items appear in the "Inbound Neighbors" section of the output that is
generated by repadmin /showrepl, the domain controller was not able to establish
replication links with another domain controller.
Solution: Fixing Replication Connectivity Problems (Event ID 1925)

Repadmin error: Access is denied.
Root cause: A replication link exists between two domain controllers, but replication
cannot be performed properly due to an authentication failure.
Solution: Fixing Replication Security Problems

Repadmin error: Last attempt at <date - time> failed with the "Target account name is
incorrect."
Root cause: This problem can be related to connectivity, DNS, or authentication issues.
If this is a DNS error, the local domain controller could not resolve the globally unique
identifier (GUID)-based DNS name of its replication partner.
Solution: Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088);
Fixing Replication Security Problems; Fixing Replication Connectivity Problems
(Event ID 1925)

Repadmin error: LDAP Error 49.
Root cause: The domain controller computer account might not be synchronized with the
Key Distribution Center (KDC).
Solution: Fixing Replication Security Problems

Repadmin error: Cannot open LDAP connection to local host
Root cause: The administration tool could not contact Active Directory.
Solution: Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088)

Repadmin error: Active Directory replication has been preempted.
Root cause: The progress of inbound replication was interrupted by a higher priority
replication request, such as a request generated manually with the repadmin /sync
command.
Solution: Wait for replication to complete. This informational message indicates normal
operation.

Repadmin error: Replication posted, waiting.
Root cause: The domain controller posted a replication request and is waiting for an
answer. Replication is in progress from this source.
Solution: Wait for replication to complete. This informational message indicates normal
operation.

Event Messages That Indicate Active Directory Replication Problems
The following table lists common events that might indicate problems with
Active Directory replication, along with root causes of the problems and links to topics
that provide solutions for the problems.

Events That Indicate Active Directory Replication Problems

Event ID and source: 1311 — NTDS KCC
Root cause: The replication configuration information in Active Directory does not
accurately reflect the physical topology of the network.
Solution: Fixing Replication Topology Problems (Event ID 1311)

Event ID and source: 1388 — NTDS Replication
Root cause: Strict replication consistency is not in effect, and a lingering object has
been replicated to the domain controller.
Solution: Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)

Event ID and source: 1925 — NTDS KCC
Root cause: The attempt to establish a replication link for a writable directory partition
failed. This event can have different causes, depending on the error.
Solution: Fixing Replication Connectivity Problems (Event ID 1925); Fixing Replication
DNS Lookup Problems (Event IDs 1925, 2087, 2088)

Event ID and source: 1988 — NTDS Replication
Root cause: The local domain controller has attempted to replicate an object from a
source domain controller that is not present on the local domain controller because it
may have been deleted and already garbage-collected. Replication will not proceed for
this directory partition with this partner until the situation is resolved.
Solution: Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)

Event ID and source: 2042 — NTDS Replication
Root cause: Replication has not occurred with this partner for a tombstone lifetime, and
replication cannot proceed.
Solution: Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)

Event ID and source: 2087 — NTDS Replication
Root cause: Active Directory could not resolve the DNS host name of the source domain
controller to an Internet Protocol (IP) address, and replication failed.
Solution: Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088)

Event ID and source: 2088 — NTDS Replication
Root cause: Active Directory could not resolve the DNS host name of the source domain
controller to an IP address, but replication succeeded.
Solution: Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088)

Event ID and source: 2095 — NTDS Replication
Root cause: Update sequence number (USN) rollback has occurred and replication has
been stopped. This error indicates an improper Active Directory restore, possibly of a
virtual machine file (.vhd).
Solution: For an explanation of this problem and recommendations for solutions, see
Running Domain Controllers in Virtual Server 2005 on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=38330).

Event ID and source: 5805 — Net Logon
Root cause: A machine account failed to authenticate, which is usually caused by either
multiple instances of the same computer name or the computer name not replicating to
every domain controller.
Solution: Fixing Replication Security Problems

For more information about replication concepts, see “Active Directory Replication
Technologies” in the Windows Server 2003 Technical Reference on the Microsoft Web
site (http://go.microsoft.com/fwlink/?LinkId=41950).

In this section
Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)

Fixing Replication Security Problems

Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088)

Fixing Replication Connectivity Problems (Event ID 1925)

Fixing Replication Topology Problems (Event ID 1311)

Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)
If a domain controller does not replicate for a period of time that is longer than the
tombstone lifetime and the domain controller is then reconnected to the replication
topology, objects that were deleted from Active Directory while the domain controller was
offline can remain on the domain controller as lingering objects.

Tombstone Lifetime and Replication of Deletions
When an object is deleted, Active Directory replicates the deletion as a tombstone object,
which consists of a small subset of the attributes of the deleted object. By inbound-
replicating this object, other domain controllers in the domain and forest become aware of
the deletion. The tombstone is retained in Active Directory for a specified period called
the tombstone lifetime. At the end of the tombstone lifetime, the tombstone is deleted
from the directory permanently.

The default value of the tombstone lifetime depends on the version of the operating
system that is running on the first domain controller that is installed in a forest, as follows:

• Windows 2000 Server or Windows Server 2003: The default value is 60 days.

• Windows Server 2003 with Service Pack 1 (SP1): The default value is 180 days.

Note
The tombstone lifetime value that is in effect when a domain controller is
upgraded to Windows Server 2003 SP1 is not changed by upgrading. The
existing value is maintained until you change it manually.

After the tombstone is removed permanently, the object deletion can no longer be
replicated. Therefore, the tombstone lifetime defines how long domain controllers in the
forest retain knowledge of a deleted object and thus the time during which a unique
deletion must be received by all direct and transitive replication partners of the originating
domain controller.

How Lingering Objects Occur


When conditions beyond your control cause a domain controller to be disconnected for a
period that is longer than the tombstone lifetime, one or more objects that are deleted
from Active Directory on all other domain controllers might remain on the disconnected
domain controller. Such objects are called lingering objects. Because the domain
controller is offline during the entire time that the tombstone is alive, the domain controller
never receives replication of the tombstone.

When it is reconnected to the replication topology, this domain controller acts as a source
replication partner that has an object that its destination partner does not have.

Replication problems occur when the object on the source domain controller is updated.
In this case, when the destination attempts to inbound-replicate the update, the
destination domain controller responds in one of two ways:

 If the destination domain controller has strict replication consistency enabled, it
recognizes that it cannot update the object and locally halts inbound replication of the
directory partition from that source domain controller.

 If the destination domain controller has strict replication consistency disabled, it
requests the full replica of the updated object. In this case, the object is reintroduced
into the directory.

Lingering objects can reside in writable or read-only partitions that are potentially
replicated between domain controllers in the same or different domains in the same
forest.

Causes of Long Disconnections


Unexpectedly long disconnections can be caused by the following conditions:

 A domain controller is left in a storage room and forgotten, or shipment of a
prestaged domain controller to its remote location takes longer than a tombstone
lifetime.

 Replication fails and monitoring is not in place. Failures can occur as follows:

 A domain controller is started and connected to the corporate intranet but
experiences inbound replication failure as a result of an underlying network
connectivity failure, name resolution failure, or authentication failure that prevents
replication from occurring.

 A bridgehead server is overloaded, and replication becomes backlogged.
Excessively high replication load on a global catalog server, in combination with a
short intersite replication interval, can result in updates not being replicated.

Note
Global catalog servers replicate read-only replicas of all domain directory
partitions in the forest. The replication of read-only replicas has a lower priority
than the replication of writable replicas. In addition, global catalog servers are
often bridgehead servers, which adds to the replication load. If the replication
load on global catalog servers acting as bridgehead servers is too high as a
result of an extremely short replication interval, excessive numbers of concurrent
outbound replication partners, or a combination of both, the replication queue can
become backlogged. If the condition persists, read-only replicas can remain in
the queue indefinitely. These conditions can result in lingering objects on a global
catalog server.

 Wide area network (WAN) connections are unavailable for long periods. For
example, a domain controller onboard a cruise ship might be unable to replicate
because the ship is at sea for longer than the tombstone lifetime.

 The reported event is a false positive because an administrator shortened the
tombstone lifetime to force tombstone deletion (garbage collection).

 The reported event is a false positive because the system clock on the source or
destination domain controller is improperly rolled forward or back in time. Clock
skews are most common following a system reboot and can have the following
causes:

 System clock battery or motherboard problems.

 The time source for a computer is improperly configured, including a time source
server configured with Windows Time service (W32time), third-party time servers,
and network routers.

 The system clock is advanced or rolled back by an administrator attempting to
extend the useful life of a system state backup or accelerate the garbage
collection of deleted objects. Make sure that the system clock reflects the actual
time and that event logs do not contain events from the future or invalid past.

Indications That a Domain Controller Has Lingering Objects
An outdated domain controller can store lingering objects with no noticeable effect as
long as an administrator, application, or service does not update the lingering object or
attempt to create an object with the same name in the domain or with the same user
principal name (UPN) in the forest. However, the existence of lingering objects can cause
problems, especially if the object is a security principal.

Symptoms Associated with Lingering Objects


The following symptoms indicate that a domain controller has lingering objects:
 A deleted user or group account remains in the global address list (GAL) on
Exchange servers. Therefore, although the account name appears in the GAL,
attempts to send e-mail messages result in errors.

 Multiple copies of an object appear in the object picker or GAL for an object that
should be unique in the forest. Duplicate objects sometimes appear with altered
names, causing confusion on directory searches. For example, if the relative
distinguished name of two objects cannot be resolved, conflict resolution appends
"*CNF:GUID" to the name, where * represents a reserved character, CNF is a
constant that indicates a conflict resolution, and GUID represents the objectGUID
attribute value.

 E-mail messages are not delivered to a user whose Active Directory account appears
to be current. After an outdated domain controller or global catalog server becomes
reconnected, both instances of the user object appear in the global catalog. Because
both objects have the same e-mail address, e-mail messages cannot be delivered.

 A universal group that no longer exists continues to appear in a user’s access token.
Although the group no longer exists, if a user account still has the group in its security
token, the user might have access to a resource that you intended to be unavailable
to that user.

 A new object or Exchange mailbox cannot be created, but you do not see the object
in Active Directory. An error message reports that the object already exists.

 Searches that use attributes of an existing object incorrectly find multiple copies of an
object of the same name. One object has been deleted from the domain, but it
remains in an isolated global catalog server.

If an attempt is made to update a lingering object that resides in a writable directory
partition, events are logged on the destination domain controller. However, if the only
version of a lingering object exists in a read-only directory partition on a global catalog
server, the object cannot be updated and this type of event will never be triggered.

Registry Setting That Determines Whether Lingering Objects Are Replicated
If a writable lingering object exists in your environment and an attempt is made to update
the object, the value in the strict replication consistency registry entry (type
REG_DWORD) in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
determines whether replication proceeds or is stopped, as follows:

 1 (enabled): Inbound replication of the specified directory partition from the source is
stopped on the destination.

 0 (disabled): The destination requests the full object from the source domain
controller, and the lingering object is revived in the directory as a new object.

Default Settings for Strict Replication Consistency


The default value for the strict replication consistency registry entry is determined by
the conditions under which the domain controller was installed into the forest.

Note
Raising the domain or forest functional level does not change the replication
consistency setting on any domain controller.

Strict replication consistency enabled


The value of strict replication consistency on domain controllers that are installed into
a forest defaults to enabled (1) under the following conditions:

 The forest root domain of a new forest is created by upgrading the Windows NT 4.0
primary domain controller (PDC) to Windows Server 2003 by using the
Windows Server 2003 version of Winnt32.exe.

 The forest root domain of a new forest is created by installing Active Directory on a
server running Windows Server 2003.

Strict replication consistency disabled


The value of strict replication consistency on domain controllers defaults to disabled
(0) under the following conditions:
 A domain controller running Windows 2000 Server is upgraded to
Windows Server 2003.

 A server running Windows 2000 Server is promoted into a Windows Server 2003
forest.

If you have a domain controller that is running Windows Server 2003 with SP1, you do
not need to edit the registry to set strict replication consistency. Instead, you can use
Repadmin to set the value for one or all domain controllers in the forest. To set strict
replication consistency for specific domain controllers or for all domain controllers, see
Event ID 1388 or 1988: A lingering object is detected.

For more information about strict replication consistency, see "How the Active Directory
Replication Model Works" in the Windows Server 2003 Technical Reference on the
Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=27636.

Tool for Removing Lingering Objects


On domain controllers running Windows Server 2003 or Windows Server 2003 with SP1,
use Repadmin.exe (in Windows Support Tools) to remove the lingering object or objects.
Windows Support Tools are available on the operating system CD in the Support\Tools
folder. The version of Repadmin that ships with Windows Server 2003 provides the option
/removelingeringobjects, which safely removes instances of lingering objects from both
writable directory partitions and read-only directory partitions.

The repadmin /removelingeringobjects command does the following:

1. Compares the directory database objects on a reference domain controller with the
objects on the target domain controller, which contains (or is suspected to contain)
lingering objects.

2. Either removes the lingering objects or logs the potential deletions to the Directory
Service event log, as follows:

 If you use the /advisory_mode parameter, events are logged in the Directory
Service event log for the objects that are found.

 If you do not use the /advisory_mode parameter, the found objects are deleted
without replicating the deletions; that is, the deletions occur only on the target
domain controller.

Choose the problem that best describes your situation from the following list, and then
step through the suggested fix:

 Event ID 1388 or 1988: A lingering object is detected


 A deleted account remains in the Address Book, e-mail is not received, or a duplicate
account exists

 Event ID 2042: It has been too long since this machine replicated

See Also
Configuring a Computer for Troubleshooting Active Directory

Event ID 1388 or 1988: A lingering object is detected
If a destination domain controller logs event ID 1388 or event ID 1988, a lingering object
has been detected and one of two conditions exists on the destination domain controller:

 Event ID 1388: Inbound replication of the lingering object has occurred on the
destination domain controller.

 Event ID 1988: Inbound replication of the directory partition of the lingering object has
been blocked on the destination domain controller.

Event ID 1388
This event indicates that a destination domain controller that does not have strict
replication consistency enabled has received a request to update an object that does not
reside in the local copy of the Active Directory database. In response, the destination
domain controller has requested the full object from the source replication partner. In this
way, a lingering object has been replicated ("reanimated") to the destination domain
controller.

Important
When event ID 1388 occurs, if either the source domain controller (the replication
partner that is outbound-replicating the lingering object) or the destination domain
controller (the inbound replication partner that reports event ID 1388) is running
Windows 2000 Server, you cannot use the Repadmin tool to remove lingering
objects. For information about how to remove lingering objects in this case, see
article 314282, "Lingering objects may remain after you bring an out-of-date
global catalog server back online," on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkId=41410. The procedures and information in
this article apply to the removal of lingering objects from global catalog servers
as well as from domain controllers that are not global catalog servers.

The event text identifies the source domain controller and the outdated (lingering) object.
An example version of the event text is as follows:
Event Type:Error
Event Source:NTDS Replication
Event Category:Replication
Event ID:1388
Date:2/21/2005
Time:9:19:48 AM
User:NT AUTHORITY\ANONYMOUS LOGON
Computer:DC3
Description:
Another domain controller (DC) has attempted to replicate into this DC an
object which is not present in the local Active Directory database. The
object may have been deleted and already garbage collected (a tombstone
lifetime or more has past since the object was deleted) on this DC. The
attribute set included in the update request is not sufficient to create
the object. The object will be re-requested with a full attribute set
and re-created on this DC.

Source DC (Transport-specific network address):
4a8717eb-8e58-456c-995a-c92e4add7e8e._msdcs.contoso.com
Object:
CN=InternalApps,CN=Users,DC=contoso,DC=com
Object GUID:
a21aa6d9-7e8a-4a8f-bebf-c3e38d0b733a
Directory partition:
DC=contoso,DC=com
Destination highest property USN:
20510
User Action:
Verify the continued desire for the existence of this object. To
discontinue re-creation of future similar objects, the following
registry key should be created.

Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Strict Replication
Consistency

Event ID 1988
This event indicates that a destination domain controller that has strict replication
consistency enabled has received a request to update an object that does not exist in its
local copy of the Active Directory database. In response, the destination domain
controller has blocked replication of the directory partition containing that object from that
source domain controller. The event text identifies the source domain controller and the
outdated (lingering) object. An example version of the event text is as follows:
Event Type:Error
Event Source:NTDS Replication
Event Category:Replication
Event ID:1988
Date:2/21/2005
Time:9:13:44 AM
User:NT AUTHORITY\ANONYMOUS LOGON
Computer:DC3
Description:
Active Directory Replication encountered the existence of objects
in the following partition that have been deleted from the local
domain controllers (DCs) Active Directory database. Not all direct
or transitive replication partners replicated in the deletion
before the tombstone lifetime number of days passed. Objects that
have been deleted and garbage collected from an Active Directory
partition but still exist in the writable partitions of other DCs
in the same domain, or read-only partitions of global catalog servers
in other domains in the forest are known as "lingering objects".

This event is being logged because the source DC contains a lingering
object which does not exist on the local DCs Active Directory database.
This replication attempt has been blocked.

The best solution to this problem is to identify and remove all
lingering objects in the forest.

Source DC (Transport-specific network address):
4a8717eb-8e58-456c-995a-c92e4add7e8e._msdcs.contoso.com
Object:
CN=InternalApps,CN=Users,DC=contoso,DC=com
Object GUID:
a21aa6d9-7e8a-4a8f-bebf-c3e38d0b733a

Cause
An object that has been permanently deleted from Active Directory (that is, its tombstone
has been garbage-collected) remains on a domain controller. The domain controller failed
to receive direct or transitive replication of the object deletion because it was
disconnected (offline or experiencing an inbound replication failure) from the replication
topology for a period that exceeded a tombstone lifetime. That object has been updated
on the domain controller, causing a replication notification to the replication partner that
an update is ready for replication. The replication partner has responded according to its
replication consistency setting. This notification applies to attempted replication of a
writable object. A copy of the writable lingering object might also exist on a global catalog
server.

Solution
If replication of a lingering object has been detected, you can remove the object from
Active Directory, along with any read-only replicas of the object, by identifying the domain
controllers that might store this object (including global catalog servers) and running a
repadmin command to remove lingering objects against these servers (repadmin
/removelingeringobjects). This command is available on domain controllers that are
running the version of Repadmin.exe that is included with Windows Support Tools in
Windows Server 2003.

If the lingering object is present in a writable or read-only directory partition on a domain
controller running Windows Server 2003 or Windows Server 2003 with Service Pack 1
(SP1), you can remove lingering objects by running the repadmin
/removelingeringobjects command against that target domain controller.

To remove lingering objects, do the following:

1. Use the event text to identify the following:

a. Directory partition of the object

b. Source domain controller that attempted replication of the lingering object

2. Install Windows Support Tools on the domain controller that received the event, if
necessary. See "Install Windows Support Tools" in Configuring a Computer for
Troubleshooting Active Directory.

3. Use Repadmin to Identify the GUID of an Authoritative Domain Controller

4. Use Repadmin to Remove Lingering Objects

5. Enable Strict Replication Consistency, if necessary.

Use Repadmin to Identify the GUID of an Authoritative Domain Controller
To perform the procedure that removes lingering objects, you must identify the globally
unique identifier (GUID) of an up-to-date domain controller that has a writable replica of
the directory partition that contains the lingering object that has been reported. The
directory partition is identified in the event message.

The object GUID of a domain controller is stored in the objectGUID attribute of the NTDS
Settings object.
Requirements

 Administrative credentials: To complete this procedure, you must be a member of the
Domain Admins group in the domain of ServerName.

 Tool: Repadmin.exe (Windows Support Tools)

To identify the GUID of a domain controller


1. At a command prompt, type the following command, and then press ENTER:

repadmin /showrepl ServerName

where ServerName is the name of the domain controller for which you want to
display the GUID.

2. In the first section of the output, locate the objectGuid entry. Select and copy the
GUID value into a text file so that you can use it elsewhere.

Use Repadmin to Remove Lingering Objects


If the destination domain controller and source domain controller are both running
Windows Server 2003, you can remove lingering objects by using Repadmin. If either
domain controller is running Windows 2000 Server, follow instructions in the article
314282, "Lingering objects may remain after you bring an out-of-date global catalog
server back online," on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=41410.

Requirements

Operating system: Windows Server 2003 for ServerName and ServerGUID

Administrative credentials: To complete this procedure, you must be a member of the
Domain Admins group in the DirectoryPartition domain.

Tool: Repadmin.exe (Windows Support Tools)

To use Repadmin to remove lingering objects


1. At a command prompt, type the following command, and then press ENTER:

repadmin /removelingeringobjects ServerName ServerGUID DirectoryPartition /advisory_mode

Term                Definition

ServerName          The name of the domain controller that has lingering objects, as
                    identified in the event message (event ID 1388 or event ID 1988). You
                    can use the Domain Name System (DNS) name or the distinguished
                    name.

ServerGUID          The GUID of a domain controller that has an up-to-date writable
                    replica of the directory partition that contains the lingering object.

DirectoryPartition  The distinguished name of the directory partition that is identified in
                    the event message. For example,
                    DC=RegionalDomainName,DC=ForestRootDomainName,DC=com for
                    a domain directory partition,
                    CN=configuration,DC=ForestRootDomainName,DC=com for the
                    configuration directory partition, or
                    CN=schema,CN=configuration,DC=ForestRootDomainName,DC=com
                    for the schema directory partition.

/advisory_mode      Logs the lingering objects that will be removed so that you can review
                    them, but it does not remove them.

2. Repeat step 1 without /advisory_mode to delete the identified lingering objects from the
directory partition.

3. Repeat steps 1 and 2 for every domain controller that might have lingering objects.

Note
The ServerName parameter uses the DC_LIST syntax for repadmin, which
allows the use of * for all domain controllers in the forest and gc: for all global
catalog servers in the forest. To see the DC_LIST syntax, type
repadmin /listhelp.

Enable Strict Replication Consistency


To ensure that lingering objects cannot be replicated if they occur, enable strict replication
consistency on all domain controllers. The setting for replication consistency is stored in
the registry on each domain controller. However, on domain controllers that are running
Windows Server 2003 with SP1, you can use Repadmin to enable strict replication
consistency on one or all domain controllers.
On domain controllers running Windows Server 2003, Windows 2000 Server with Service
Pack 3 (SP3), or Windows 2000 Server with Service Pack 4 (SP4), you must edit the
registry to enable the setting.

Use Repadmin to Enable Strict Replication Consistency


Requirements:

Operating system: Windows Server 2003 with SP1

Administrative credentials:

 To complete this procedure on a single domain controller, you must be a member of
the Domain Admins group.

 To complete this procedure on all domain controllers in the forest, you must be a
member of the Enterprise Admins group in the forest.

Tool: Repadmin.exe (Windows Support Tools that are included with
Windows Server 2003 SP1)

To use Repadmin to enable strict replication consistency


1. Open a command prompt, type the following command, and then press ENTER:

repadmin /regkey DC_LIST +strict

where DC_LIST is the name of a single domain controller. (* applies the change
to all domain controllers in the forest.) For the domain controller name, you can
use the Domain Name System (DNS) name, the distinguished name of the
domain controller computer object, or the distinguished name of the domain
controller server object.

2. If you do not use * to apply the change to all domain controllers, repeat step 1 for
every domain controller on which you want to enable strict replication
consistency.

Note
For more naming options and information about the syntax of the DC_LIST
parameter, at the command prompt, type repadmin /listhelp.

Edit the Registry to Enable Strict Replication Consistency


On a domain controller that is running Windows Server 2003 without a service pack, edit
the registry to enable strict replication consistency. The setting for replication consistency
is stored in the Strict Replication Consistency entry in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.

Values are as follows:

 Value: 1 (0 to disable)

 Default: 1 (enabled) in a new Windows Server 2003 forest; otherwise 0.

 Data type: REG_DWORD

Requirements:

Operating system: Windows Server 2003, Windows 2000 Server with SP3,
Windows 2000 Server with SP4
Administrative credentials: To complete this procedure, you must be a member of the
Domain Admins group.

Tool: Registry editor (for example, Regedit.exe)

Caution
It is recommended that you do not directly edit the registry unless there is no
other alternative. Modifications to the registry are not validated by the registry
editor or by Windows before they are applied, and as a result, incorrect values
can be stored. This can result in unrecoverable errors in the system. When
possible, use Group Policy or other Windows tools, such as Microsoft
Management Console (MMC), to accomplish tasks rather than editing the registry
directly. If you must edit the registry, use extreme caution.

To edit the registry to enable strict replication consistency


1. Open a registry editor.
2. Navigate to the Strict Replication Consistency entry in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.

3. Set the value in the Strict Replication Consistency entry to 1.


A deleted account remains in the
Address Book, e-mail is not received,
or a duplicate account exists
Deleted accounts remaining in the global address list (GAL), e-mail messages for existing
accounts not being received, or duplicate objects existing in Active Directory are all
symptoms that can indicate a lingering object problem. If you have no error or event that
identifies the lingering object and its directory partition (for example, event ID 1388 or
event ID 1988), you must search the global catalog for an object that you believe might
be causing the problem. When you identify the lingering object and the directory partition
of the object, you can perform the procedures to remove it.

Solution
Based on these symptoms of a lingering object, you usually have a good idea of the
name of the object and you can use the following steps to solve the problem:

 Use this name to identify the object in the global catalog.

 Identify the directory partition of the object.

 Remove all lingering objects from that directory partition on all global catalog servers
in the forest.

Identify the Duplicate (Lingering) Object


Use the following procedure to identify the duplicate (lingering) object by searching the
global catalog for its distinguished name. Use an attribute that uniquely identifies the
object for the account that is not receiving e-mail, cannot be created because it already
exists, or appears in the Address Book or in access control lists (ACLs) when it has
already been deleted.

Requirements

 Administrative credentials: To complete this procedure, you must be a member of the
Domain Users group.

 Tool: Ldp.exe (Windows Support Tools)

To establish the distinguished name of an object


1. Click Start, click Run, type Ldp, and then click OK.
2. On the Connection menu, click Connect.

3. In Port, type 3268, and then click OK.

4. On the Connection menu, click Bind.

5. In the Bind dialog box, provide credentials for a user account in the forest, and
then click OK.

6. On the View menu, click Tree.

7. In the Tree View dialog box, in BaseDN, type the distinguished name of the
forest root domain, and then click OK.

8. In the console tree, right-click the forest root domain, and then click Search.
9. In the Search dialog box, in Filter, replace the default filter (objectClass=*) to
create a filter of the following form:

(attribute=value)

where attribute is the Lightweight Directory Access Protocol (LDAP) name of an
attribute and value is the value that you know or suspect to be associated with
the object that you are searching for. For example, use
(userPrincipalName=JanD@contoso.com), (sAMAccountName=JanD), or
(sn=Dryml) to locate the duplicate user object Jan Dryml. You can use the
asterisk (*) in the value field if you want to search all objects.

10. In the Scope box, click Subtree, and then click Run.

11. Click Close, and then view the results. You must identify which of the displayed
objects should be removed from Active Directory. An indication that you have
found a lingering object that exists only on a global catalog server is that the
object does not exist in a writable replica of the directory partition.

12. If necessary, repeat steps 8 through 10 to rephrase the query, and then run it
again.

Identify the Directory Partition of the Object


After you identify the distinguished name of the object that is causing problems, if it is a
domain object, identify the domain in which it is located by looking at the DC= part of the
distinguished name. For example, if the object you find has the distinguished name
CN=Jan Dryml,CN=Users,DC=Region1,DC=Contoso,DC=com, the directory partition
name for the user account is DC=Region1,DC=Contoso,DC=com.

Remove the Lingering Object
Use the directory partition name in the procedure "To use Repadmin to remove lingering
objects" to remove the lingering object from all domain controllers and global catalog
servers in the forest as described in "Event ID 1388 or 1988: A lingering object is
detected."
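The following Python script is an added example written for this section; it is not part of this guide and not a Microsoft tool. It ties together the two procedures described above: it parses the field layout of the event ID 1388 and 1988 text shown under "Event ID 1388 or 1988: A lingering object is detected", derives the directory partition from the object's distinguished name in the way "Identify the Directory Partition of the Object" describes (event ID 1988 logs no "Directory partition:" line, so this is needed there), and builds the advisory-mode and real repadmin /removelingeringobjects commands in the ServerName ServerGUID DirectoryPartition order. The sample event text is abridged from the event ID 1988 example above; the reference domain controller GUID passed to removal_commands is a constructed placeholder that you replace with the objectGuid obtained from repadmin /showrepl.

```python
import re

# Event text abridged from the event ID 1988 example in this guide; event ID 1388
# uses the same "Label:" line followed by a value line (and adds a
# "Directory partition:" field).
SAMPLE_EVENT_1988 = """\
Event ID:1988
Computer:DC3
Description:
Active Directory Replication encountered the existence of objects
in the following partition that have been deleted from the local
domain controllers (DCs) Active Directory database.
Source DC (Transport-specific network address):
4a8717eb-8e58-456c-995a-c92e4add7e8e._msdcs.contoso.com
Object:
CN=InternalApps,CN=Users,DC=contoso,DC=com
Object GUID:
a21aa6d9-7e8a-4a8f-bebf-c3e38d0b733a
"""

# Labels in the event text mapped to the names used below.
FIELDS = {
    "Source DC (Transport-specific network address)": "source_dc",
    "Object": "object_dn",
    "Object GUID": "object_guid",
    "Directory partition": "partition",
}


def partition_of(dn):
    """Return the directory partition that holds an object, given its DN.

    Schema objects belong to CN=Schema,CN=Configuration,...; other objects under
    CN=Configuration belong to the configuration partition; everything else is a
    domain object whose partition is the DC= components of the DN (the rule the
    guide applies to CN=Jan Dryml,CN=Users,DC=Region1,DC=Contoso,DC=com).
    """
    parts = re.split(r"(?<!\\),", dn)          # split on unescaped commas only
    lowered = [p.strip().lower() for p in parts]
    for i, rdn in enumerate(lowered):
        if rdn == "cn=schema" and i + 1 < len(lowered) and lowered[i + 1] == "cn=configuration":
            return ",".join(parts[i:])
        if rdn == "cn=configuration":
            return ",".join(parts[i:])
    return ",".join(p for p in parts if p.strip().lower().startswith("dc="))


def parse_lingering_object_event(text):
    """Extract event ID, source DC, object DN/GUID and partition from a 1388/1988 event."""
    lines = [ln.strip() for ln in text.splitlines()]
    info = {}
    m = re.search(r"^Event ID:\s*(\d+)", text, re.M)
    info["event_id"] = int(m.group(1)) if m else None
    for i, ln in enumerate(lines):
        label = ln[:-1]
        if ln.endswith(":") and label in FIELDS and i + 1 < len(lines):
            info[FIELDS[label]] = lines[i + 1]
    # Event ID 1988 prints no "Directory partition:" line; derive it from the object DN.
    if "partition" not in info and "object_dn" in info:
        info["partition"] = partition_of(info["object_dn"])
    return info


def interpretation(event_id):
    """What the destination DC did, according to its strict replication consistency setting."""
    return {
        1388: "object reanimated on this DC (strict replication consistency disabled)",
        1988: "inbound replication of the partition blocked (strict replication consistency enabled)",
    }.get(event_id, "not a lingering-object event")


def removal_commands(info, reference_dc_guid):
    """Build the two Repadmin runs from the guide: advisory mode first, then the real removal.

    The target is the DC that holds the lingering object (the source DC named in
    the event); reference_dc_guid is the objectGuid of an up-to-date DC with a
    writable replica of the partition, read from 'repadmin /showrepl <dc>'.
    """
    base = "repadmin /removelingeringobjects {} {} {}".format(
        info["source_dc"], reference_dc_guid, info["partition"])
    return [base + " /advisory_mode", base]


if __name__ == "__main__":
    event = parse_lingering_object_event(SAMPLE_EVENT_1988)
    print(interpretation(event["event_id"]))
    # Constructed placeholder GUID; replace with the objectGuid from repadmin /showrepl.
    for cmd in removal_commands(event, "00000000-0000-0000-0000-000000000000"):
        print(cmd)
```

Review the Directory Service event log after the advisory-mode run before issuing the second command; the deletions it performs are local to the target domain controller and are not replicated, exactly as the guide describes.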

Event ID 2042: It has been too long since this machine replicated
If a domain controller has not replicated with its partner for longer than a tombstone
lifetime, it is possible that a lingering object problem exists on one or both domain
controllers. When this condition occurs, inbound replication with the source partner is
stopped on the destination domain controller and event ID 2042 is logged in the Directory
Services event log. The event identifies the source domain controller and the appropriate
steps to take to either remove the outdated domain controller or remove lingering objects
and restore replication from the source domain controller.

An example of the event text is as follows:


Event Type:Error
Event Source:NTDS Replication
Event Category:Replication
Event ID:2042
Date:3/22/2005
Time:7:28:49 AM
User:NT AUTHORITY\ANONYMOUS LOGON
Computer:DC3
Description:
It has been too long since this machine last replicated with the
named source machine. The time between replications with this source
has exceeded the tombstone lifetime. Replication has been stopped
with this source.
The reason that replication is not allowed to continue is that
the two machine's views of deleted objects may now be different.
The source machine may still have copies of objects that have
been deleted (and garbage collected) on this machine. If they
were allowed to replicate, the source machine might return
objects which have already been deleted.
Time of last successful replication:
2005-01-21 07:16:03
Invocation ID of source:
0397f6c8-f6b8-0397-0100-000000000000
Name of source:
4a8717eb-8e58-456c-995a-c92e4add7e8e._msdcs.contoso.com
Tombstone lifetime (days):
60

The replication operation has failed.

User Action:

Determine which of the two machines was disconnected from the
forest and is now out of date. You have three options:

1. Demote or reinstall the machine(s) that were disconnected.
2. Use the "repadmin /removelingeringobjects" tool to remove
inconsistent deleted objects and then resume replication.
3. Resume replication. Inconsistent deleted objects may be introduced.
You can continue replication by using the following registry key.
Once the systems replicate once, it is recommended that you remove
the key to reinstate the protection.
Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With
Divergent and Corrupt Partner

The repadmin /showrepl command also reports error 8614:

Source: Default-First-Site-Name\DC1
******* 1502 CONSECUTIVE FAILURES since 2005-01-21 07:16:00
Last error: 8614 (0x21a6):
The Active Directory cannot replicate with this server
because the time since the last replication with this server has
exceeded the tombstone lifetime.

Solution
Treat this occurrence as a lingering object condition, and do the following:

 Run the repadmin /showrepl command on the domain controller that received the
error to determine which domain controller has been disconnected for longer than a
tombstone lifetime.

 Remove lingering objects. Follow the instructions for removing lingering objects from
the source and destination domain controllers as described in Event ID 1388 or 1988:
A lingering object is detected.

 Restart replication on the destination domain controller. After you remove lingering
objects, you must restart replication on the domain controller that logged the event by
editing the registry setting that allows replication with a potentially out-of-date domain
controller. You can also perform this procedure if you do not want to wait to remove
lingering objects and you want to start replication immediately.

 Reset the registry to protect the domain controller against outdated replication. After
replication has resumed on the domain controller that logged the event, reset the
registry so that this domain controller continues to log events if replication is
attempted with a domain controller where the last successful replication occurred
longer than a tombstone lifetime ago.

Restart Replication Following Event ID 2042

To restart inbound replication on the destination domain controller following event
ID 2042, you must edit the Allow Replication With Divergent and Corrupt Partner
registry entry in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.

Use the following procedure to change the registry entry value. This procedure does not
require a restart of the domain controller to take effect.

Caution
It is recommended that you do not directly edit the registry unless there is no
other alternative. Modifications to the registry are not validated by the registry
editor or by Windows before they are applied, and as a result, incorrect values
can be stored. This can result in unrecoverable errors in the system. When
possible, use Group Policy or other Windows tools, such as Microsoft
Management Console (MMC), to accomplish tasks rather than editing the registry
directly. If you must edit the registry, use extreme caution.

Requirements

 Administrative credentials: To complete this procedure, you must be a member of the
Domain Admins group in the domain of the domain controller.

 Tool: Regedit.exe

To restart replication following event ID 2042

1. Click Start, click Run, type regedit, and then click OK.

2. Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

3. In the details pane, create or edit the registry entry as follows:

If the registry entry exists in the details pane, modify the entry as follows:

a. In the details pane, right-click Allow Replication With Divergent and Corrupt
Partner, and then click Modify.

b. In the Value data box, type 1, and then click OK.

If the registry entry does not exist, create the entry as follows:

a. Right-click Parameters, click New, and then click DWORD Value.

b. Type the name Allow Replication With Divergent and Corrupt Partner, and
then press ENTER.

c. Double-click the entry. In the Value data box, type 1, and then click OK.

Reset the Registry to Protect Against Outdated Replication

When you are satisfied that lingering objects have been removed and replication has
occurred successfully from the source domain controller, edit the registry to return the
value in Allow Replication With Divergent and Corrupt Partner to 0.

Note
If you did not remove the lingering objects, attempting replication might result in
replication of a lingering object. If strict replication consistency is enabled on the
destination domain controller, replication with the source domain controller will be
blocked again.
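The two registry procedures above, restarting replication and then re-arming the protection, combined into one PowerShell script. This is an added example and not part of the original guide: it assumes it runs on the destination domain controller with Domain Admin rights, that repadmin.exe from Windows Support Tools is on the path, and that SourceDc and NamingContext are placeholders you replace with the partner named in the event and the partition to synchronize.

```powershell
# Added example (not from the original guide). Sets the event 2042 override on
# this destination domain controller, forces one inbound sync from the partner,
# and then restores the value to 0 as the guide's reset step requires.
# Assumptions: runs locally on the destination DC with Domain Admin rights;
# repadmin.exe (Windows Support Tools) is on the PATH; $SourceDc and
# $NamingContext are placeholders for your environment.
param(
    [Parameter(Mandatory)] [string] $SourceDc,       # partner named in the event, e.g. DC1
    [Parameter(Mandatory)] [string] $NamingContext   # partition to sync, e.g. "DC=contoso,DC=com"
)

$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$Name = 'Allow Replication With Divergent and Corrupt Partner'

function Get-DivergentPartnerOverride {
    # Current DWORD value, or $null when the entry has never been created.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int] $item.$Name
}

function Set-DivergentPartnerOverride([int] $Value) {
    # Mirrors the regedit steps: create the DWORD if it is missing, otherwise modify it.
    if ($null -eq (Get-DivergentPartnerOverride)) {
        New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Value | Out-Null
    } else {
        Set-ItemProperty -Path $Key -Name $Name -Value $Value
    }
}

$before = Get-DivergentPartnerOverride
$shown  = if ($null -eq $before) { 'not present' } else { $before }
Write-Host "Override before: $shown"

try {
    # Step 1: allow replication with the partner that exceeded the tombstone lifetime.
    Set-DivergentPartnerOverride 1

    # Step 2: pull the partition once from that partner instead of waiting for the schedule.
    & repadmin /replicate $env:COMPUTERNAME $SourceDc $NamingContext
    if ($LASTEXITCODE -ne 0) { throw "repadmin /replicate exited with $LASTEXITCODE" }

    # Step 3: confirm the inbound link no longer reports the 8614 failure.
    & repadmin /showrepl $env:COMPUTERNAME
}
finally {
    # Step 4: re-arm the protection whether or not the sync succeeded, so the
    # override never lingers; rerun after fixing the cause if the sync failed.
    Set-DivergentPartnerOverride 0
    Write-Host "Override after: $(Get-DivergentPartnerOverride)"
}
```

Because the sync is forced while the override is set and the finally block clears it again, the window in which this domain controller accepts replication from a divergent partner is limited to this single run. The note above still applies: if lingering objects were not removed first and strict replication consistency is enabled, the source will be blocked again on the next attempt.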

Fixing Replication Security Problems

When security problems cause replication to fail, various event log messages and
Repadmin messages contain error codes that identify the problems.
The version of Dcdiag.exe that is included with Windows Support Tools in
Windows Server 2003 Service Pack 1 (SP1) provides new functionality that reports on
the overall health of replication with respect to Active Directory. Dcdiag is modified to
detect common causes of "Access denied" events, "Account unknown" events, and
similar events.

The error codes that Dcdiag detects are described in the following table. Error codes that
are marked with an asterisk (*) are not always caused by a security problem.

Error code   Description
5            Access is denied.
1314*        A required privilege is not held by the client.
1326         Logon failure: unknown user name or bad password.
1396         Logon failure: The target account name is incorrect.
1908         Could not find the domain controller for this domain.
1397*        Mutual authentication failed. The server's password is out of date at the
             domain controller.
1398*        There is a time and/or date difference between the client and server.
1722*        The remote procedure call (RPC) server is unavailable.
2202*        The specified username is invalid.
8453         Replication access was denied.

Use the procedures in An "Access denied" or other security error has caused replication
problems to diagnose and fix replication security problems.

An "Access denied" or other security error has caused replication problems
Replication problems that have security causes can be tested and diagnosed by using
the version of Dcdiag.exe that is included with Windows Support Tools in
Windows Server 2003 Service Pack 1 (SP1).

Cause
A replication destination domain controller cannot contact its source replication partner to
get Active Directory updates as a result of one or more security errors occurring on the
connection between the two domain controllers.
Solution
Run the replication security error diagnostic test that is available in the version of Dcdiag
in Windows Support Tools that is included in Windows Server 2003 SP1.

Test a Domain Controller for Replication Security Errors


You can test any or all domain controllers in your forest for security errors.

Requirements

 Administrative credentials: To complete this procedure, you must be a member of the
Domain Admins group to test a domain controller in your domain or a member of the
Enterprise Admins group to test a domain controller in another domain.

 Tool: Dcdiag.exe (Windows Support Tools) in Windows Server 2003 SP1

 Operating system:

 Although you can run the enhanced version of Dcdiag on computers running
Windows XP Professional and Windows Server 2003 with no service pack
installed, to run the new replication security test (/test:CheckSecurityError), you
must run Dcdiag on a domain controller running Windows Server 2003 with SP1.

 You can run the new Dcdiag replication security tests against domain controllers
that are running the following operating systems:

Windows 2000 Server with Service Pack 3 (SP3)

Windows 2000 Server with Service Pack 4 (SP4)

Windows Server 2003

Windows Server 2003 with SP1

To test a domain controller for replication security errors


1. At a command prompt, type the following command, and then press ENTER:

dcdiag /test:CheckSecurityError /s:DomainControllerName

where DomainControllerName is the Domain Name System (DNS) name,
network basic input/output system (NetBIOS) name, or distinguished name of the
domain controller that you want to test.

If you do not use the /s: switch, the test is run against the local domain controller.
You can also test all domain controllers in the forest by using /e: instead of /s:.

2. Copy the report into Notepad or an equivalent text editor.

3. Scroll to the Summary table near the bottom of the Dcdiag log file.

4. Note the names of all domain controllers that reported “Warn” or “Fail” status in
the Summary table.

5. Find the detailed breakout section for the problem domain controller by searching
on the string “DC: DomainControllerName”.

6. Make the required configuration changes on the domain controllers.

Rerun Dcdiag /test:CheckSecurityError with the /e: or /s: switch to validate the
configuration changes.

Test the Connection Between Two Domain Controllers for Replication Security Errors

You can test the connection between two domain controllers in your forest for replication
security errors. The domain controller that represents the source of the inbound
connection does not have to be an existing source to run this test; that is, a connection
object from that domain controller does not have to exist on the destination domain
controller. The test is useful in the following scenarios:

 A connection exists between a source and a destination, and you receive a security
error.

 A connection should be created automatically by the Knowledge Consistency
Checker (KCC) and you want to test why the connection does not exist.

 You are trying to create a connection between two domain controllers and you
receive a security error.

 You want to determine whether a connection could be created if you wanted to add
one on this destination from the specified source.

Requirements

 Administrative credentials: To complete this procedure, you must be a member of the
Domain Admins group to test the connection between domain controllers in your
domain or a member of the Enterprise Admins group to test the connection between
domain controllers in different domains.

 Tool: Dcdiag.exe (Windows Support Tools) included in Windows Server 2003 SP1

 Operating system:

 Although you can run the enhanced version of Dcdiag on computers that are
running Windows XP Professional and Windows Server 2003 with no service
pack installed, to run the new replication security test
(/test:CheckSecurityError), you must run Dcdiag on a domain controller running
Windows Server 2003 with SP1.

 You can run the new Dcdiag replication security tests against domain controllers
running the following operating systems:

Windows 2000 Server with SP3

Windows 2000 Server with SP4

Windows Server 2003

Windows Server 2003 with SP1

To test the connection between two domain controllers for replication security
errors
1. At a command prompt, type the following command, and then press ENTER:

dcdiag /test:CheckSecurityError /ReplSource:SourceDomainControllerName

where SourceDomainControllerName is the DNS name, NetBIOS name, or
distinguished name of the real or potential "from" server that is represented by a
real or potential connection object that you want to test. This command tests the
connection between the domain controller on which you run the command and
the source domain controller.

2. Copy the report into Notepad or an equivalent text editor.

3. Scroll to the Summary table near the bottom of the Dcdiag log file.

4. Note the names of all domain controllers that reported “Warn” or “Fail” status in
the Summary table.

5. Find the detailed breakout section for the problem domain controller by searching
on the string “DC: DomainControllerName”.

6. Make the required configuration changes on the domain controllers.

7. Rerun Dcdiag /test:CheckSecurityError /ReplSource:SourceDomainControllerName
to validate configuration changes.

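The two Dcdiag procedures above, as a set of PowerShell helpers. This is an added example, not code from the original guide: it assumes dcdiag.exe from the Windows Server 2003 SP1 Support Tools is on the path and that the script runs on a Windows Server 2003 SP1 domain controller, as the procedures require. It relies only on the "DC: DomainControllerName" marker and the "Warn"/"Fail" words the procedures name; nothing else about the report layout is assumed, and the server names in the usage lines are placeholders.

```powershell
# Added example (not from the original guide). Wraps the two Dcdiag procedures:
# run the SP1 security test against one DC (/s:), the whole forest (/e) or a
# source-to-local link (/ReplSource:), save the report, list the lines that
# carry a Warn or Fail status, and pull out the "DC: <name>" section of a DC
# you want to read in detail.
# Assumptions: dcdiag.exe from the Windows Server 2003 SP1 Support Tools is on
# the PATH and this runs on a Windows Server 2003 SP1 domain controller. Only
# the "DC: " marker and the Warn/Fail words that the guide names are relied on.
function Invoke-ReplSecurityCheck {
    param(
        [string] $Server,       # /s: DNS, NetBIOS or distinguished name; omitted = local DC
        [switch] $AllDcs,       # /e: every domain controller in the forest
        [string] $ReplSource,   # /ReplSource: real or potential source for the local DC
        [string] $LogPath = (Join-Path $env:TEMP 'dcdiag-CheckSecurityError.txt')
    )
    $dcdiagArgs = @('/test:CheckSecurityError')
    if ($AllDcs)     { $dcdiagArgs += '/e' }
    elseif ($Server) { $dcdiagArgs += "/s:$Server" }
    if ($ReplSource) { $dcdiagArgs += "/ReplSource:$ReplSource" }

    # Step 2: keep the whole report in a file instead of pasting it into Notepad.
    & dcdiag @dcdiagArgs 2>&1 | ForEach-Object { "$_" } | Set-Content -Path $LogPath -Encoding UTF8
    return $LogPath
}

function Get-DcdiagFlaggedLines {
    # Steps 3 and 4: the Summary table rows (and any other lines) that report Warn or Fail.
    param([Parameter(Mandatory)] [string] $LogPath)
    Select-String -Path $LogPath -Pattern '\b(Warn|Fail)\b' | ForEach-Object { $_.Line.Trim() }
}

function Get-DcdiagDcSection {
    # Step 5: the detailed breakout for one DC, from its "DC: <name>" line up to the next one.
    param(
        [Parameter(Mandatory)] [string] $LogPath,
        [Parameter(Mandatory)] [string] $DomainController
    )
    $inSection = $false
    foreach ($line in Get-Content -Path $LogPath) {
        if ($line -match '^\s*DC:\s*(\S+)') {
            $inSection = ($Matches[1] -ieq $DomainController)
        }
        if ($inSection) { $line }
    }
}

# Usage (placeholder names): forest-wide run, then drill into one flagged DC.
# $log = Invoke-ReplSecurityCheck -AllDcs
# Get-DcdiagFlaggedLines -LogPath $log
# Get-DcdiagDcSection -LogPath $log -DomainController 'DC3' | Out-Host -Paging
# Source-to-local link test, as in the second procedure:
# $log = Invoke-ReplSecurityCheck -ReplSource 'DC1.contoso.com'
```

After making the configuration changes from step 6, rerun Invoke-ReplSecurityCheck with the same switches and confirm that Get-DcdiagFlaggedLines returns nothing for the domain controllers you fixed.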
Fixing Replication DNS Lookup Problems
(Event IDs 1925, 2087, 2088)
Domain controllers running Windows 2000 Server or Windows Server 2003 cannot
replicate Active Directory updates if Domain Name System (DNS) lookup failures prevent
a destination domain controller from contacting its source replication partner to request
changes. Lookup failures occur when a destination domain controller cannot resolve its
source replication partner's globally unique identifier (GUID)-based canonical name
(CNAME) resource record to an Internet Protocol (IP) address by using DNS. GUID-
based CNAME resource records are always registered in the DNS zone
_msdcs.ForestRootDomain.
The most common DNS failures occur when DNS client settings are misconfigured on the
destination or source domain controller, or the direct and intermediate DNS servers that
are used to resolve the query are misconfigured. Network problems or domain controller
disconnection problems might also be present. If the problem is due to DNS configuration
errors or replication latency, the effect on Active Directory replication is minimized by new
improvements to domain controller name resolution in Windows Server 2003 Service
Pack 1 (SP1).

Improvements to Domain Controller Name Resolution in SP1
Domain controllers running Windows Server 2003 with SP1 have a more robust response
to DNS name resolution failures. Rather than failing on the first attempt to resolve the IP
address of a source domain controller by using its CNAME resource record, destination
domain controllers running Windows Server 2003 with SP1 use alternate names to
attempt resolution and also log events that report problems and prescribe solutions.

DNS Failure Scenarios


All domain controllers register multiple service location (SRV) resource records in DNS
as well as a host address (A) resource record for each IP address of the domain
controller, plus an additional host resource record for each IP address if the domain
controller is a global catalog server. In addition, each domain controller registers a single
CNAME resource record.

The following table shows the DNS resource records that are required for proper
Active Directory functionality.
Mnemonic      Type    DNS resource record
pdc           SRV     _ldap._tcp.pdc._msdcs.DnsDomainName
gc            SRV     _ldap._tcp.gc._msdcs.DnsForestRootDomainName
GcIpAddress   A       _gc._msdcs.DnsForestRootDomainName
DsaCname      CNAME   DsaGuid._msdcs.DnsForestRootDomainName
kdc           SRV     _kerberos._tcp.dc._msdcs.DnsDomainName
dc            SRV     _ldap._tcp.dc._msdcs.DnsDomainName
None          A       DomainControllerFQDN

In the CNAME resource record (DSA_GUID._msdcs.ForestRootDNSDomainName),
DSA_GUID is the GUID of the NTDS Settings object (also called the Directory System
Agent (DSA) object) for the domain controller. ForestRootDNSDomainName is the DNS
name of the forest where the domain controller is located. Destination domain controllers
use the CNAME resource record to identify and locate their replication partners.

The Net Logon service on the domain controller registers all SRV resource records when
the operating system starts up and at regular intervals thereafter. The DNS client service
on the domain controller registers the DNS host A resource record.

A domain controller uses the following steps to locate its replication partner:

1. The destination domain controller queries its DNS server to look for the CNAME
resource record of its replication partner. On domain controllers running
Windows 2000 Server or Windows Server 2003 with no service pack applied, if this
lookup fails to resolve the CNAME resource record to an IP address, DNS lookup
(and replication) fails.

2. On domain controllers running Windows Server 2003 with SP1, if the CNAME lookup
is unsuccessful, the domain controller looks for the DNS A resource record of its
replication partner. For example, the domain controller looks for
DC03.corp.contoso.com.

3. If the DNS A resource record lookup is unsuccessful, the domain controller performs
a network basic input/output system (NetBIOS) broadcast by using the host name of
its replication partner. For example, the domain controller uses DC03.

When lookups fail, events that describe the condition are logged in the Directory Service
event log.
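The required-record table and the three-step locator sequence above, as a PowerShell check you can run from a destination domain controller. This is an added example and not code from the original guide: it uses Resolve-DnsName from the DnsClient module (Windows 8 and Windows Server 2012 or later; the guide's era would use nslookup for the same queries), the parameter values are placeholders, and the third step approximates the guide's NetBIOS broadcast by handing the single-label host name to the Windows resolver rather than broadcasting directly.

```powershell
# Added example (not from the original guide). Looks up every record in the
# guide's table for one domain controller and then walks the SP1 locator order:
# GUID CNAME, then host A record, then the single-label host name.
# Assumptions: Resolve-DnsName (DnsClient module, Windows 8 / Server 2012+);
# parameter values are placeholders. The host-name step goes through the
# Windows resolver and only approximates the guide's NetBIOS broadcast.
function Test-DcLocatorRecords {
    param(
        [Parameter(Mandatory)] [string] $DnsDomainName,     # partner's domain, e.g. corp.contoso.com
        [Parameter(Mandatory)] [string] $ForestRootDomain,  # forest root, e.g. contoso.com
        [Parameter(Mandatory)] [string] $DsaGuid,           # objectGUID of the partner's NTDS Settings object
        [Parameter(Mandatory)] [string] $PartnerFqdn,       # e.g. DC03.corp.contoso.com
        [string] $DnsServer                                   # optional: the DNS server the destination DC uses
    )
    $serverArg = @{}
    if ($DnsServer) { $serverArg['Server'] = $DnsServer }

    function Get-DnsAnswer([string] $Name, [string] $Type) {
        # Bypass the client cache and hosts file so the answer reflects the DNS server only.
        try { Resolve-DnsName -Name $Name -Type $Type -DnsOnly -NoHostsFile -ErrorAction Stop @serverArg }
        catch { $null }
    }

    # The records the guide's table requires for proper Active Directory functionality.
    $required = @(
        @{ Mnemonic = 'pdc';         Type = 'SRV';   Name = "_ldap._tcp.pdc._msdcs.$DnsDomainName" },
        @{ Mnemonic = 'gc';          Type = 'SRV';   Name = "_ldap._tcp.gc._msdcs.$ForestRootDomain" },
        @{ Mnemonic = 'GcIpAddress'; Type = 'A';     Name = "_gc._msdcs.$ForestRootDomain" },
        @{ Mnemonic = 'DsaCname';    Type = 'CNAME'; Name = "$DsaGuid._msdcs.$ForestRootDomain" },
        @{ Mnemonic = 'kdc';         Type = 'SRV';   Name = "_kerberos._tcp.dc._msdcs.$DnsDomainName" },
        @{ Mnemonic = 'dc';          Type = 'SRV';   Name = "_ldap._tcp.dc._msdcs.$DnsDomainName" },
        @{ Mnemonic = 'None';        Type = 'A';     Name = $PartnerFqdn }
    )
    $records = foreach ($r in $required) {
        $answer = Get-DnsAnswer $r.Name $r.Type
        [pscustomobject]@{
            Mnemonic = $r.Mnemonic; Type = $r.Type; Name = $r.Name
            Present  = [bool] ($answer | Where-Object Type -eq $r.Type)
        }
    }

    # Locator walk in the order the guide describes for an SP1 destination DC.
    $resolvedBy = 'none'; $addresses = @()
    $cname = Get-DnsAnswer "$DsaGuid._msdcs.$ForestRootDomain" 'CNAME' |
             Where-Object Type -eq 'CNAME' | Select-Object -First 1
    if ($cname) {
        # Step 1: CNAME resolved; now its target must resolve to an address.
        $addresses = (Get-DnsAnswer $cname.NameHost 'A' | Where-Object Type -eq 'A').IPAddress
        if ($addresses) { $resolvedBy = 'CNAME' }
    }
    if (-not $addresses) {
        # Step 2: fall back to the partner's own host A record.
        $addresses = (Get-DnsAnswer $PartnerFqdn 'A' | Where-Object Type -eq 'A').IPAddress
        if ($addresses) { $resolvedBy = 'A' }
    }
    if (-not $addresses) {
        # Step 3: single-label host name (approximates the NetBIOS broadcast).
        $hostName = $PartnerFqdn.Split('.')[0]
        try {
            $addresses = [System.Net.Dns]::GetHostAddresses($hostName).IPAddressToString
            if ($addresses) { $resolvedBy = 'host name' }
        } catch { }
    }

    # Event an SP1 destination would log for this outcome: none, 2088 (fallback
    # succeeded) or 2087 (every lookup failed).
    $likelyEvent = if ($resolvedBy -eq 'CNAME') { 'none' } elseif ($resolvedBy -eq 'none') { '2087' } else { '2088' }

    [pscustomobject]@{
        Records     = $records
        ResolvedBy  = $resolvedBy
        Addresses   = $addresses
        LikelyEvent = $likelyEvent
    }
}

# Usage (placeholders): run on the destination DC against the server it actually uses.
# $r = Test-DcLocatorRecords -DnsDomainName corp.contoso.com -ForestRootDomain contoso.com `
#        -DsaGuid 'f8786828-ecf5-4b7d-ad12-8ab60178f7cd' -PartnerFqdn DC03.corp.contoso.com -DnsServer 10.0.0.1
# $r.Records | Format-Table Mnemonic, Type, Present, Name
```

Any record with Present set to false points at the registration or zone-hosting requirement that failed, and a ResolvedBy value other than CNAME means replication is surviving only on the SP1 fallback path and the DNS configuration still needs fixing, as the events section that follows explains.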

DNS Events for Lookup Failure
Two new events, event ID 2087 and event ID 2088, are logged on destination domain
controllers running Windows Server 2003 with SP1:

 If all lookups fail, event ID 2087 is logged.

 If lookup succeeds but either the first or second attempt fails, event ID 2088 is
logged.

On domain controllers running Windows 2000 Server or Windows Server 2003 with no
service pack applied, the destination domain controller that cannot successfully locate its
replication partner in DNS logs event ID 1925.

Regardless of whether replication succeeds or fails, if you receive event ID 1925, event
ID 2087, or event ID 2088, you should investigate and correct the cause of the failure
because incorrect DNS configuration can affect other essential operations — including
logon authentication and access to network resources — on member computers, domain
controllers, and application servers. In addition, although fallback name resolution might
allow replication to occur, it introduces unnecessary latency and overhead into the
replication process.

DNS Requirements for CNAME Lookup Success
Although name resolution in Windows Server 2003 with SP1 is more aggressive at
ensuring that replication can occur when a CNAME lookup fails, failure of this method
indicates that either the DNS clients or DNS servers are not configured properly. It is
important to understand the requirements for successful CNAME lookup and to ensure
that DNS is functioning accordingly.

Resolving the fully qualified, GUID-based, CNAME resource record of the source domain
controller to the current IP address of the source domain controller requires the following
DNS configurations:

1. In their respective TCP/IP client settings, the source domain controller and
destination domain controller must be configured to resolve DNS names by using
only valid DNS servers that directly host, forward, or delegate to the following DNS
zones:

a. _msdcs.ForestRootDNSDomainName, to resolve queries for computers in the
forest.

b. The DNS zone that corresponds to the primary DNS suffix of the respective
target domain controller, to resolve queries for computers in the domain. (The
source domain controller can resolve the domain name of the target domain
controller, and the reverse is also true.) The primary DNS suffix is usually the
same as the DNS name of the domain to which a computer is joined. You can
view the primary DNS suffix in the properties of My Computer.

If the DNS servers that the source domain controller is configured to use for name
resolution do not host these zones directly, the DNS servers that are used must
forward or delegate to DNS servers that do host these zones.

2. The source domain controller must have successfully registered the following
resource records:

 GUID-based CNAME resource record in the DNS zone
_msdcs.ForestRootDNSDomainName

 Host A resource record in the DNS zone that corresponds to its primary DNS
suffix

Potential Preliminary Failures Due to Replication Latency

At the time that the destination domain controller queries its DNS servers for the location
of its source replication partner, DNS configurations might be correct on both the source
and destination domain controllers, but DNS resource record registrations might be in flux
as a result of configuration changes on the source domain controller. In this case, DNS
lookup can fail as a result of replication latency, as follows:

 If the source domain controller changes the DNS server on which it registers its
CNAME and host A resource records, it is possible that the initial DNS server that the
destination domain controller queries to resolve the name of the source domain
controller is different than any of the DNS servers on which the CNAME and host A
resource records for the source domain controller are currently registered. In this
case, DNS replication latency or failures might prevent DNS records that are
successfully registered on the DNS servers that the source controller uses from being
located by the DNS server that is queried by the destination domain controller.

 If the Active Directory domain of the DNS server that the destination domain
controller uses initially has a parent-child relationship with the Active Directory
domain of the servers on which the source domain controller registers its resource
records, the forwarder and delegation configuration on both the DNS servers that the
source domain controller uses and the DNS servers that the destination domain
controller uses, as well as any intermediate DNS servers that are used to resolve the
DNS query, must be valid. Any required records on those DNS servers might be
subject to replication latency and failure.

Understanding these basic requirements for name resolution that locates the source
replication partner provides a more meaningful context for working through solutions
when you have replication DNS lookup problems. Choose a problem from the following
list that best describes your situation, and then step through the suggested fix:

Event ID 1925: Attempt to establish a replication link failed due to DNS lookup problem

Event ID 2087: DNS lookup failure caused replication to fail

Event ID 2088: DNS lookup failure occurred with replication success

Event ID 1925: Attempt to establish a replication link failed due to DNS lookup problem
If you receive event ID 1925 with the error message that Domain Name System (DNS)
lookup failed, inbound replication of a directory partition has failed on the destination
domain controller, and you must fix the DNS problem.

An example of the event text is as follows:


Event Type:Warning
Event Source:NTDS KCC
Event Category:Knowledge Consistency Checker
Event ID:1925
Date:3/24/2005
Time:9:15:46 AM
User:NT AUTHORITY\ANONYMOUS LOGON
Computer:DC3
Description:
The attempt to establish a replication link for the following
writable directory partition failed.

Directory partition:
CN=Configuration,DC=contoso,DC=com
Source domain controller:
CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=contoso,DC=com
Source domain controller address:
f8786828-ecf5-4b7d-ad12-8ab60178f7cd._msdcs.contoso.com
Intersite transport (if any):

This domain controller will be unable to replicate with the
source domain controller until this problem is corrected.

User Action
Verify if the source domain controller is accessible or
network connectivity is available.

Additional Data
Error value:
8524 The DSA operation is unable to proceed because of a DNS
lookup failure.

Solution
Proceed with DNS testing as described in "Event ID 2087: DNS lookup failure caused
replication to fail."

Event ID 2087: DNS lookup failure caused replication to fail
When a destination domain controller running Windows Server 2003 with Service Pack 1
(SP1) receives event ID 2087 in the Directory Service event log, attempts to resolve the
globally unique identifier (GUID) in the canonical name (CNAME) resource record, the
fully qualified domain name (FQDN), and the network basic input/output system
(NetBIOS) name to the Internet Protocol (IP) address of the source domain controller
have all failed. Failure to locate the source replication partner prevents replication with
that source until the problem is fixed.

An example of the event text is as follows:


Event Type:Error
Event Source:NTDS Replication
Event Category:DS RPC Client
Event ID:2087
Date:3/9/2005
Time:11:00:21 AM
User:NT AUTHORITY\ANONYMOUS LOGON
Computer:DC3
Description:
Active Directory could not resolve the following DNS host name of
the source domain controller to an IP address. This error prevents
additions, deletions and changes in Active Directory from replicating
between one or more domain controllers in the forest. Security
groups, group policy, users and computers and their passwords will
be inconsistent between domain controllers until this error is
resolved, potentially affecting logon authentication and access
to network resources.

Source domain controller:
dc2
Failing DNS host name:
b0069e56-b19c-438a-8a1f-64866374dd6e._msdcs.contoso.com

NOTE: By default, only up to 10 DNS failures are shown for any
given 12 hour period, even if more than 10 failures occur. To
log all individual failure events, set the following diagnostics
registry value to 1:

Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client

User Action:

1) If the source domain controller is no longer functioning or
its operating system has been reinstalled with a different
computer name or NTDSDSA object GUID, remove the source domain
controller's metadata with ntdsutil.exe, using the steps outlined
in MSKB article 216498.

2) Confirm that the source domain controller is running Active
Directory and is accessible on the network by typing
"net view \\<source DC name>" or "ping <source DC name>".

3) Verify that the source domain controller is using a valid
DNS server for DNS services, and that the source domain
controller's host record and CNAME record are correctly
registered, using the DNS Enhanced version of DCDIAG.EXE
available on http://www.microsoft.com/dns

dcdiag /test:dns

4) Verify that that this destination domain controller is using
a valid DNS server for DNS services, by running the DNS Enhanced
version of DCDIAG.EXE command on the console of the destination
domain controller, as follows:

dcdiag /test:dns

5) For further analysis of DNS error failures see KB 824449:
http://support.microsoft.com/?kbid=824449

Additional Data
Error value:
11004 The requested name is valid, but no data of the requested
type was found.

Cause
Failure to resolve the current CNAME resource record of the source domain controller to
an IP address can have the following causes:

 The source domain controller is powered off, is offline, or resides on an isolated
network, and Active Directory and Domain Name System (DNS) data for the offline
domain controller has not been deleted to indicate that the domain controller is
inaccessible.

 One of the following conditions exists:

 The source domain controller has not registered its resource records in DNS.

 The destination domain controller is configured to use an invalid DNS server.

 The source domain controller is configured to use an invalid DNS server.

 The DNS server that is used by the source domain controller does not host the
correct zones or the zones are not configured to accept dynamic updates.

 The direct DNS servers that are queried by the destination domain controller
cannot resolve the IP address of the source domain controller as a result of
nonexistent or invalid forwarders or delegations.

 Active Directory has been removed on the source domain controller and then
reinstalled with the same IP address, but knowledge of the new NTDS Settings GUID
has not reached the destination domain controller.

 Active Directory has been removed on the source domain controller and then
reinstalled with a different IP address, but the current host address (A) resource
record for the IP address of the source domain controller is either not registered or
does not exist on the DNS servers that are queried by the destination domain
controller as a result of replication latency or replication error.

 The operating system of the source domain controller has been reinstalled with a
different computer name, but its metadata either has not been removed or has been
removed and not yet inbound-replicated by the destination domain controller.

Solution
First, determine whether the source domain controller is functioning. If the source domain
controller is not functioning, remove its remaining metadata from Active Directory.

If the source domain controller is functioning, continue with procedures to diagnose and
solve the DNS problem, as needed:
 Use Dcdiag to diagnose DNS problems.

 Register DNS SRV resource records plus host records.

 Synchronize replication between the source and destination domain controllers.

 Verify consistency of the NTDS Settings GUID.

Determine Whether a Domain Controller Is Functioning

To determine whether the source domain controller is functioning, use the following test.

Requirements

 Administrative credentials: To complete this procedure, you must be a member of the
Domain Users group in the domain of the domain controller.

 Tools: Net view

To determine whether a domain controller is functioning

 To confirm that the domain controller is running Active Directory and is accessible
on the network, at a command prompt type the following command, and then
press ENTER:

net view \\SourceDomainControllerName

where SourceDomainControllerName is the NetBIOS name of the domain
controller.

This command displays the Netlogon and SYSVOL shares, indicating that the server is
functioning as a domain controller. If this test shows that the domain controller is not
functioning on the network, determine the nature of the disconnection and whether the
domain controller can be recovered or whether its metadata must be removed from
Active Directory manually. If the domain controller is not functioning and cannot be
restored, use the procedure in the following section, "Clean Up Domain Controller
Metadata," to delete the data from Active Directory that is associated with that server.

Clean Up Domain Controller Metadata

If tests show that the domain controller is no longer functioning but you still see objects
representing the domain controller in Active Directory Sites and Services, replication will
continue to be attempted, and you must remove these objects from Active Directory
manually. You must use Ntdsutil to clean up (delete) the metadata for the defunct domain
controller.

If the defunct domain controller is the last domain controller in the domain, you should
also remove the metadata for the domain. Allow sufficient time for all global catalog
servers in the forest to inbound-replicate the domain deletion before promoting a new
domain with the same name.

The process for cleaning up metadata is improved in the version of Ntdsutil that is
included with Windows Server 2003 SP1. Instructions for cleaning up metadata with the
Windows Server 2003 version of Ntdsutil and the Windows Server 2003 SP1 version of
Ntdsutil are provided in the following procedure.

Requirements

 Administrative credentials: To complete this procedure, you must be a member of the
Enterprise Admins group.

 Tools: Ntdsutil (System32 command-line tool)

To clean up server metadata

1. Open a Command Prompt.

2. Type the following command, and then press ENTER:

ntdsutil

3. At the ntdsutil: command prompt, type the following command, and then press
ENTER:

metadata cleanup

4. Perform metadata cleanup as follows:

Note
If you are removing domain metadata as well as server metadata, skip
the following procedure and use the procedure that begins at step a.

 If you are performing server metadata cleanup only and you are using the
version of Ntdsutil.exe that is included with Windows Server 2003 SP1, at the
metadata cleanup: command prompt, type the following, and then press
ENTER:

remove selected server ServerName

Or

remove selected server ServerName1 on ServerName2

Value                    Description
ServerName, ServerName1  The distinguished name of the domain controller whose metadata
                         you want to remove, in the form
                         cn=ServerName,cn=Servers,cn=SiteName,
                         cn=Sites,cn=Configuration,dc=ForestRootDomain
ServerName2              The DNS name of the domain controller to which you want to
                         connect and from which you want to remove server metadata

 If you are performing metadata cleanup by using the version of Ntdsutil.exe
that is included with Windows Server 2003 with no service pack, or if you are
performing both domain metadata cleanup and server metadata cleanup,
perform metadata cleanup as follows:

a. At the metadata cleanup: command prompt, type the following command,
and then press ENTER:

connection

b. At the server connections: command prompt, type the following command,
and then press ENTER:

connect to server Server

c. At the connection: command prompt, type the following command, and then
press ENTER:

quit

d. At the metadata cleanup: command prompt, type the following command,
and then press ENTER:

select operation target

e. At the select operation target: command prompt, type the following
command, and then press ENTER:

list sites

f. A numbered list of sites appears. Type the following command, and then
press ENTER:

select site SiteNumber

g. At the select operation target: command prompt, type the following
command, and then press ENTER:

list domains in site

h. A numbered list of domains in the selected site appears. Type the following
command, and then press ENTER:

select domain DomainNumber

i. At the select operation target: command prompt, type the following
command, and then press ENTER:

list servers in site

j. A numbered list of servers in a domain and site is displayed. Type the
following command, and then press ENTER:

select server ServerNumber

k. At the select operation target: command, type the following command, and
then press ENTER:

quit

l. At the metadata cleanup: command, type the following command, and then
press ENTER:

remove selected server

m. If the server whose metadata you have removed is the last domain controller
in the domain and you want to remove the domain metadata, at the
metadata cleanup: command prompt, type the following command, and
then press ENTER:

remove selected domain

Metadata for the domain that you selected in step h is removed.

n. At the metadata cleanup: and ntdsutil: command prompts, type quit, and
then press ENTER.

Value         Description

Server        The DNS name of a domain controller that you want to connect to

SiteNumber    The number that is associated with the site of the server that you want
              to clean up, which appears in the list

DomainNumber  The number that is associated with the domain of the server that you
              want to clean up, which appears in the list

ServerNumber  The number that is associated with the server that you want to clean
              up, which appears in the list
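The following Python script is an added example and is not part of this guide or of Ntdsutil. It assembles the server distinguished name in the form given in the preceding table from its components and escapes the characters that RFC 4514 reserves inside a DN value, so that a server or site name containing a comma, a plus sign or a leading number sign cannot change the object that remove selected server targets. Double-quoting the DN when it contains whitespace is an assumption about how Ntdsutil tokenizes its command line; the server, site and domain names used are taken from the sample events later in this guide.

```python
"""Assemble the DN for 'remove selected server' (added example, not from the guide)."""
import re
from typing import Optional

# RFC 4514, section 2.4: these characters must be backslash-escaped inside a value.
_ESCAPE_ANYWHERE = re.compile(r'([\\,+"<>;])')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in a DN."""
    if not value:
        raise ValueError("empty RDN value")
    out = _ESCAPE_ANYWHERE.sub(r"\\\1", value)
    if value[0] in " #":                       # a leading space or '#' must be escaped
        out = "\\" + out
    if len(value) > 1 and value[-1] == " ":    # so must a trailing space
        out = out[:-1] + "\\ "
    return out


def dns_to_dn(dns_name: str) -> str:
    """contoso.com -> dc=contoso,dc=com (lowercase keys, as the guide writes them)."""
    labels = [label for label in dns_name.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join("dc=" + escape_rdn_value(label) for label in labels)


def server_dn(server_name: str, site_name: str, forest_root_dns: str) -> str:
    """cn=ServerName,cn=Servers,cn=SiteName,cn=Sites,cn=Configuration,dc=ForestRootDomain"""
    return (
        f"cn={escape_rdn_value(server_name)},cn=Servers,"
        f"cn={escape_rdn_value(site_name)},cn=Sites,cn=Configuration,"
        f"{dns_to_dn(forest_root_dns)}"
    )


def remove_selected_server_command(server_name: str, site_name: str,
                                   forest_root_dns: str,
                                   connect_to: Optional[str] = None) -> str:
    """The Windows Server 2003 SP1 one-step form of the command. With connect_to
    set, emit the 'remove selected server <DN> on <DC>' variant. The DN is
    double-quoted only if it contains whitespace (assumption: Ntdsutil treats a
    double-quoted run as a single argument)."""
    dn = server_dn(server_name, site_name, forest_root_dns)
    if re.search(r"\s", dn):
        dn = f'"{dn}"'
    command = f"remove selected server {dn}"
    if connect_to:
        command += f" on {connect_to}"
    return command


if __name__ == "__main__":
    # Names taken from the sample events in this guide (contoso.com, DC1, Default-First-Site-Name).
    print(remove_selected_server_command("DC3", "Default-First-Site-Name", "contoso.com",
                                         "dc1.contoso.com"))
    # A site named "Branch, East" would otherwise split the DN at the comma.
    print(server_dn("DC7", "Branch, East", "contoso.com"))
```

Paste the printed line at the metadata cleanup: prompt exactly as shown; Ntdsutil removes the NTDS Settings object and the server object for the named domain controller, so check the DN against the output of list servers in site before you run it.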

Use Dcdiag to Diagnose DNS Problems

If the domain controller is functioning online, continue by using Dcdiag to diagnose and
fix DNS problems that might be interfering with Active Directory replication.

Use the following procedures to complete this process:

 Verify connectivity and basic DNS functionality.

 Verify registration of the CNAME resource record in DNS.

 Verify and enable secure dynamic updates.

Before you begin these procedures, gather the following information, which is contained
in the event ID 2087 message text:

 The FQDN of the source domain controller and destination domain controller

 The IP address of the source domain controller

The updated version of Dcdiag that is included in Windows Support Tools in
Windows Server 2003 SP1 contains tests that provide consolidated and improved testing
of basic and advanced DNS features. You can use this tool to diagnose basic DNS
functionality and dynamic updates.

When you use the enhanced SP1 version of Dcdiag for DNS testing, there are specific
requirements that do not apply to all Dcdiag tests.

Requirements

 Administrative credentials: To complete the new DNS tests that are available in the
SP1 version of Dcdiag, you must be a member of the Enterprise Admins group.

 Tools: Dcdiag.exe

 Operating system:

 You can run the enhanced version of Dcdiag on computers running the following
operating systems:

Windows XP Professional

Windows Server 2003

Windows Server 2003 with SP1

 You can run the new Dcdiag DNS tests against Microsoft DNS servers that are
installed on domain controllers running the following operating systems:

Windows 2000 Server with Service Pack 3 (SP3)

Windows 2000 Server with Service Pack 4 (SP4)

Windows Server 2003

Windows Server 2003 with SP1

Note
You can use the /f: switch in Dcdiag commands to save the output to a text file.
Use /f:FileName to generate the file in the location that is indicated in FileName,
for example, /f:c:\Test\DnsTest.txt.

Verify Basic DNS Functionality

To verify the settings that might interfere with Active Directory replication, you can begin
by running the basic DNS test that ensures that DNS is operating properly on the domain
controller.

The basic DNS test checks the following:

 Connectivity: The test determines whether domain controllers are registered in DNS,
can be contacted by PING, and have Lightweight Directory Access Protocol / remote
procedure call (LDAP/RPC) connectivity. If the connectivity test fails on a domain
controller, no other tests are run against that domain controller. The connectivity test
is performed automatically before any other DNS test is run.

 Essential services: The test confirms that the following services are running and
available on the tested domain controller:

 DNS Client service

 Net Logon service

 Key Distribution Center (KDC) service

 DNS Server service (if DNS is installed on the domain controller)

 DNS client configuration: The test confirms that DNS servers on all adapters are
reachable.

 Resource record registrations: The test confirms that the address (A) resource record
of each domain controller is registered on at least one of the DNS servers that is
configured on the client.

 Zone and start of authority (SOA): If the domain controller is running the DNS
Server service, the test confirms that the Active Directory domain zone and the SOA
record for that zone are present.

 Root zone: Checks if the root (.) zone is present.

To verify basic DNS functionality

1. At a command prompt, type the following command, and then press ENTER:

dcdiag /test:dns /s:SourceDomainControllerName /DnsBasic

where SourceDomainControllerName is the distinguished name, NetBIOS name,
or DNS name of the domain controller.

As an alternative, you can test all domain controllers in the forest by typing /e:
instead of /s:.

2. Copy the report into Notepad or an equivalent text editor.

3. Scroll to the Summary table near the bottom of the Dcdiag log file.

4. Note the names of all domain controllers that report “Warn” or “Fail” status in the
Summary table.

5. Find the detailed breakout section for the problem domain controller by searching
on the string “DC: DomainControllerName”.

6. Make the required configuration changes on DNS clients and DNS servers.

7. To validate the configuration changes, rerun Dcdiag /test:DNS with the /e: or /s:
switch.

If the basic DNS test shows no errors, continue by verifying that resource records that are
used to locate domain controllers are registered in DNS.
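The following Python script is an added example and is not part of this guide or of Dcdiag. It automates steps 3 through 5 of the procedure: it parses the Summary table, lists the domain controllers that report Warn or Fail status together with the failing test columns, and extracts the detailed breakout that follows the DC: DomainControllerName line for each of them. SAMPLE_LOG is a constructed, abridged log whose layout is modelled on the SP1 Dcdiag DNS output; the column names and messages in it are illustrative, and in practice you would read the file written by the /f: switch instead.

```python
"""Pull Warn/Fail domain controllers and their detail sections out of a dcdiag /test:dns log.
Added example; SAMPLE_LOG is a constructed, abridged log modelled on the SP1 dcdiag layout."""
import re
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
   Running enterprise tests on : contoso.com
      Starting test: DNS
         Test results for domain controllers:

            DC: DC1.contoso.com
            Domain: contoso.com

               TEST: Basic (Basc)
                  The OS Microsoft Windows Server 2003 is supported.
                  NETLOGON service is running
                  kdc service is running
                  DNSCACHE service is running
                  DNS service is running

            DC: DC3.contoso.com
            Domain: contoso.com

               TEST: Basic (Basc)
                  Warning: adapter [00000006] has no DNS servers registered
                  Error: Root zone on this DC/DNS server was found.
                  Root zone should not exist for DNS to be resolved correctly.

               TEST: Dynamic update (Dyn)
                  Warning: Failed to delete the test record _dcdiag_test_record in zone contoso.com

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: contoso.com
               DC1                          PASS PASS PASS PASS PASS PASS n/a
               DC3                          PASS FAIL PASS PASS WARN PASS n/a

         ......................... contoso.com failed test DNS
"""

_STATUS = r"(?:PASS|FAIL|WARN|n/a)"
_ROW = re.compile(rf"^\s+(\S+)\s+({_STATUS}(?:\s+{_STATUS})*)\s*$")
_DC_HEADER = re.compile(r"^\s*DC:\s*(\S+)\s*$")


def parse_summary(log: str) -> Dict[str, Dict[str, object]]:
    """Return {dc_name: {"domain": ..., "results": {column: status}}} from the Summary table."""
    lines = log.splitlines()
    try:
        start = next(i for i, line in enumerate(lines) if "Summary of DNS test results" in line)
    except StopIteration:
        raise ValueError("no Summary table in log")
    columns: List[str] = []
    domain = None
    table: Dict[str, Dict[str, object]] = {}
    for line in lines[start + 1:]:
        if not line.strip() or set(line.strip()) == {"_"}:
            continue                          # blank line or the underline row
        if not columns:                       # first non-blank line is the column header
            columns = line.split()
            continue
        if line.strip().startswith("Domain:"):
            domain = line.split(":", 1)[1].strip()
            continue
        m = _ROW.match(line)
        if not m:
            break                             # past the table (the trailing "... failed test DNS" line)
        statuses = m.group(2).split()
        table[m.group(1)] = {"domain": domain, "results": dict(zip(columns, statuses))}
    return table


def problem_dcs(log: str) -> List[Tuple[str, List[str]]]:
    """Step 4: domain controllers with any WARN or FAIL, with the columns that reported it."""
    out = []
    for dc, info in parse_summary(log).items():
        bad = [col for col, status in info["results"].items() if status in ("WARN", "FAIL")]
        if bad:
            out.append((dc, bad))
    return out


def detail_section(log: str, dc_name: str) -> str:
    """Step 5: the per-DC breakout after 'DC: <name>', matched on the host label only."""
    wanted = dc_name.split(".")[0].lower()
    collected: List[str] = []
    capturing = False
    for line in log.splitlines():
        m = _DC_HEADER.match(line)
        if m:
            capturing = m.group(1).split(".")[0].lower() == wanted
            if capturing:
                collected.append(line.strip())
            continue
        if capturing:
            if "Summary of DNS test results" in line:
                break
            collected.append(line.strip())
    return "\n".join(collected).strip()


if __name__ == "__main__":
    for dc, bad in problem_dcs(SAMPLE_LOG):
        print(f"{dc}: {', '.join(bad)}")
        print(detail_section(SAMPLE_LOG, dc))
```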

Verify Resource Record Registration

The destination domain controller uses the DNS CNAME resource record to locate its
source domain controller replication partner. Although domain controllers running
Windows Server 2003 with SP1 can locate source replication partners by using FQDNs
or, if that fails, NetBIOS names, the presence of the CNAME record is expected and
should be verified for proper DNS functioning.

You can use Dcdiag to verify registration of all resource records that are essential for
domain controller location by using the dcdiag /test:dns /DnsRecordRegistration test.
This test verifies registration of the following resource records in DNS:

 CNAME (the GUID-based resource record that locates a replication partner)

 A (the host resource record that contains the IP address of the domain controller)

 LDAP SRV (the service resource records that locate LDAP servers)

 GC SRV (the service resource records that locate global catalog servers)

 PDC SRV (the service resource records that locate primary domain controller (PDC)
operations masters)

As an alternative, you can use the following procedure to check for only the CNAME
resource record.

To verify CNAME resource record registration

1. In the DNS console, locate any domain controller that is running the DNS Server
service, where the server hosts the DNS zone with the same name as the
Active Directory domain of the domain controller.

2. In the console tree, click the zone that is named _msdcs.Dns_Domain_Name.

Note
In Windows 2000 Server DNS, _msdcs.Dns_Domain_Name is a
subdomain of the DNS zone for the Active Directory domain name. In
Windows Server 2003 DNS, _msdcs.Dns_Domain_Name is a separate
zone.

3. In the details pane, verify that the following resource records are present:

 A CNAME resource record that is named
Dsa_Guid._msdcs.Dns_Domain_Name

 A corresponding host (A) resource record for the fully qualified domain name that the
CNAME record points to (the host name of the domain controller)

If the CNAME resource record is not registered, verify that dynamic updates are
functioning properly. Use the test in the following section.

Verify Dynamic Updates

If the basic DNS test shows that resource records do not exist in DNS, use the dynamic
update test to diagnose why the Net Logon service did not register the resource records
automatically. To verify that the Active Directory domain zone is configured to accept
secure dynamic updates and to perform registration of a test record
(_dcdiag_test_record), use the following procedure. The test record is deleted
automatically after the test.

To verify dynamic updates

 At a command prompt, type the following command, and then press ENTER:

dcdiag /test:dns /s:SourceDomainControllerName /DnsDynamicUpdate

where SourceDomainControllerName is the distinguished name, NetBIOS name,
or DNS name of the domain controller.

As an alternative, you can test all domain controllers by using the /e: switch
instead of the /s: switch.

If secure dynamic update is not configured, use the following procedure to configure it.

To enable secure dynamic updates


1. Open the DNS console.

2. In the console tree, right-click the applicable zone, and then click Properties.

3. On the General tab, verify that the zone type is Active Directory–integrated.

4. In Dynamic Updates, click Secure only.

Register DNS Resource Records

If DNS resource records do not appear in DNS for the source domain controller, you have
verified dynamic updates, and you want to register DNS resource records immediately,
you can force the registration manually by using the following procedure. The Net Logon
service on a domain controller registers the DNS resource records that are required for
the domain controller to be located on the network. The DNS Client service registers the
host A resource record that the CNAME record points to.

Requirements

 Administrative credentials: To complete this procedure, you must be a member of the
Domain Admins group in the forest root domain or a member of the Enterprise
Admins group.

 Tools: net stop/start, ipconfig

To register DNS resource records manually

1. To initiate registration of domain controller Locator resource records manually on
the source domain controller, at a command prompt type the following
command, and then press ENTER:

net stop netlogon & net start netlogon

2. To initiate registration of the host A resource record manually, at a command
prompt type the following command, and then press ENTER:

ipconfig /flushdns & ipconfig /registerdns

3. Wait 15 minutes, and then review events in Event Viewer to ensure proper
registration of the resource records.

Repeat the procedure in the "Verify Resource Record Registration" section earlier in this
guide to verify that the resource records appear in DNS.
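The following Python script is an added example and is not part of this guide. It computes the Locator resource records that the Net Logon and DNS Client services register for one domain controller (the CNAME, A, LDAP SRV, GC SRV and PDC SRV categories that the DnsRecordRegistration test checks, plus the Kerberos SRV records that Net Logon also registers) and compares them with a zone snapshot, so that after the restart in step 1 you can see exactly which records are still missing rather than browsing the DNS console. ZONE_DUMP is a constructed snapshot in a simple name, type, data layout, not real Dnscmd output; in it DC3 has not registered its CNAME or its site-specific SRV record, which is the condition that produces event ID 2087 or 2088 on its replication partners.

```python
"""Compare the Locator records a DC should have registered against a zone snapshot.
Added example, not from the guide. ZONE_DUMP is constructed (not dnscmd output)."""
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Record:
    name: str     # owner name, lowercase, no trailing dot
    rtype: str    # A, CNAME or SRV
    target: str   # A: IP address; CNAME/SRV: host the record points at


def _norm(name: str) -> str:
    return name.strip().lower().rstrip(".")


def expected_locator_records(dc_fqdn: str, dsa_guid: str, domain: str, forest: str,
                             site: str, ip: str, is_gc: bool = False,
                             is_pdc: bool = False) -> List[Record]:
    """Records the DNS Client (A) and Net Logon (CNAME, SRV) services register for one DC."""
    recs = [
        Record(dc_fqdn, "A", ip),
        Record(f"{dsa_guid}._msdcs.{forest}", "CNAME", dc_fqdn),       # replication-partner lookup
        Record(f"_ldap._tcp.{domain}", "SRV", dc_fqdn),                 # LDAP SRV
        Record(f"_ldap._tcp.{site}._sites.{domain}", "SRV", dc_fqdn),
        Record(f"_ldap._tcp.dc._msdcs.{domain}", "SRV", dc_fqdn),
        Record(f"_kerberos._tcp.{domain}", "SRV", dc_fqdn),             # Kerberos SRV (also Net Logon)
        Record(f"_kerberos._tcp.dc._msdcs.{domain}", "SRV", dc_fqdn),
    ]
    if is_gc:                                                            # GC SRV
        recs += [Record(f"_gc._tcp.{forest}", "SRV", dc_fqdn),
                 Record(f"_ldap._tcp.gc._msdcs.{forest}", "SRV", dc_fqdn)]
    if is_pdc:                                                           # PDC SRV
        recs.append(Record(f"_ldap._tcp.pdc._msdcs.{domain}", "SRV", dc_fqdn))
    return [Record(_norm(r.name), r.rtype, _norm(r.target)) for r in recs]


ZONE_DUMP = """\
; constructed snapshot of contoso.com and _msdcs.contoso.com: name, type, data
dc1.contoso.com.                                          A      10.0.0.1
dc3.contoso.com.                                          A      10.0.0.3
f8786828-ecf5-4b7d-ad12-8ab60178f7cd._msdcs.contoso.com.  CNAME  dc1.contoso.com.
_ldap._tcp.contoso.com.                                   SRV    0 100 389 dc1.contoso.com.
_ldap._tcp.contoso.com.                                   SRV    0 100 389 dc3.contoso.com.
_ldap._tcp.Default-First-Site-Name._sites.contoso.com.    SRV    0 100 389 dc1.contoso.com.
_ldap._tcp.dc._msdcs.contoso.com.                         SRV    0 100 389 dc1.contoso.com.
_ldap._tcp.dc._msdcs.contoso.com.                         SRV    0 100 389 dc3.contoso.com.
_kerberos._tcp.contoso.com.                               SRV    0 100 88 dc1.contoso.com.
_kerberos._tcp.contoso.com.                               SRV    0 100 88 dc3.contoso.com.
_kerberos._tcp.dc._msdcs.contoso.com.                     SRV    0 100 88 dc1.contoso.com.
_kerberos._tcp.dc._msdcs.contoso.com.                     SRV    0 100 88 dc3.contoso.com.
_ldap._tcp.pdc._msdcs.contoso.com.                        SRV    0 100 389 dc1.contoso.com.
_gc._tcp.contoso.com.                                     SRV    0 100 3268 dc1.contoso.com.
_ldap._tcp.gc._msdcs.contoso.com.                         SRV    0 100 3268 dc1.contoso.com.
"""


def parse_zone_dump(dump: str) -> Set[Record]:
    """One record per line; for SRV the target is the last field (priority, weight, port ignored)."""
    zone: Set[Record] = set()
    for line in dump.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        name, rtype, *data = line.split()
        zone.add(Record(_norm(name), rtype.upper(), _norm(data[-1])))
    return zone


def missing_records(expected: List[Record], zone: Set[Record]) -> List[Record]:
    """Expected records absent from the zone, in registration order."""
    return [r for r in expected if r not in zone]


if __name__ == "__main__":
    zone = parse_zone_dump(ZONE_DUMP)
    # DC3 (GUID from the sample event 2088 text) has not registered its CNAME or site SRV record.
    dc3 = expected_locator_records("dc3.contoso.com", "4a8717eb-8e58-456c-995a-c92e4add7e8e",
                                   "contoso.com", "contoso.com", "Default-First-Site-Name", "10.0.0.3")
    for r in missing_records(dc3, zone):
        print(f"missing {r.rtype:5} {r.name} -> {r.target}")
```

The comparison is on owner name, type and target, so a CNAME that exists but points at the wrong host (for example after a domain controller was renamed) is reported as missing, which is what you want before you re-run the verification procedure above.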

Synchronize Replication Between the Source and Destination Domain Controllers

After you complete DNS testing, use the following procedure to synchronize replication
on the inbound connection from the source domain controller to the destination domain
controller.

Requirements

 Administrative credentials: To complete this procedure, you must be a member of the
Domain Admins group in the domain of the destination domain controller.

 Tool: Active Directory Sites and Services

To synchronize replication from a source domain controller


1. Open Active Directory Sites and Services.

2. In the console tree, double-click the Sites container, double-click the site of the
domain controller to which you want to synchronize replication, double-click the
Servers container, double-click the server object of the domain controller, and
then click NTDS Settings.

3. In the details pane, in the From Server column, locate the connection object that
shows the name of the source domain controller.

4. Right-click the appropriate connection object, and then click Replicate Now.

5. Click OK.

If replication does not succeed, use the procedure in the following section to verify
consistency of the NTDS Settings GUID.

Verify Consistency of the NTDS Settings GUID

If you have performed all DNS tests and other tests and replication does not succeed,
use the following procedure to verify that the GUID of the NTDS Settings object that the
destination domain controller is using to locate its replication partner matches the GUID
that is currently in effect on the source domain controller itself. To perform this test, you
view the object GUID as it appears in the local directories of each domain controller.

Requirements

 Administrative credentials: To complete this procedure, you must be a member of the
Domain Admins group in the domain of the destination domain controller.

 Tool: Ldp (Windows Support Tools)

To verify consistency of the NTDS Settings GUID

1. Click Start, click Run, type Ldp, and then click OK.

2. On the Connection menu, click Connect.

3. In the Connect dialog box, leave the Server box empty.

4. In Port, type 389, and then click OK.

5. On the Connection menu, click Bind.

6. In the Bind dialog box, provide Enterprise Admins credentials. If it is not already
selected, click Domain.

7. In Domain, type the name of the forest root domain, and then click OK.

8. On the View menu, click Tree.

9. In the Tree View dialog box, type:

CN=Configuration,DC=Forest_Root_Domain

and then click OK.

10. Navigate to the object
CN=NTDS Settings,CN=SourceServerName,CN=Servers,CN=SiteName,CN=Sites,CN=Configuration,DC=ForestRootDomain.

11. Double-click the NTDS Settings object and, in the details pane, view the value
for the attribute objectGUID. Right-click that value, and then copy it to Notepad.

12. On the Connection menu, click Disconnect.

13. Repeat steps 2 through 11, but in step 3, type the name of the source domain
controller, for example, DC03.

14. In Notepad, compare the values of the two GUIDs.

15. If the values do not match, the destination domain controller must receive
replication of the valid GUID. Check the GUID value on other domain controllers
and attempt replication on the destination domain controller with a different
domain controller that has the correct GUID.

16. If the values match, verify that the GUID matches the GUID in the
Dsa_Guid._msdcs.Dns_Domain_Name resource record for the source domain
controller, as follows:

a. Note the primary DNS servers that each domain controller identifies in the
TCP/IP properties in their Network Settings. All the DNS servers that are
listed in the respective TCP/IP properties should be able to indirectly or
directly resolve this CNAME resource record.

b. From the servers that are listed, identify the authoritative name server or
servers for this domain zone by looking at the server names that are listed for
the name server (NS) resource records at the root of the zone. (In the DNS
console, select the forward lookup zone for the root domain, and view the NS
records in the details pane).

c. On the name server or servers obtained in step b, open the DNS console,
and double-click the forward lookup zone for the forest root domain name.
Double-click the _msdcs folder, and note the CNAME resource records that
exist for your server name.

d. If there are no records present or the records are incorrect, see article
241505, SRV Records Missing After Implementing Active Directory and
Domain Name System, on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=69994).

Event ID 2088: DNS lookup failure occurred with replication success

When a destination domain controller running Windows Server 2003 with Service Pack 1
(SP1) receives event ID 2088 in the Directory Service event log, attempts to resolve the
globally unique identifier (GUID) in the canonical name (CNAME) resource record to an
Internet Protocol (IP) address for the source domain controller failed. However, the
destination domain controller tried other means to resolve the name and succeeded by
using either the fully qualified domain name (FQDN) or the network basic input/output
system (NetBIOS) name of the source domain controller. Although replication was
successful, the DNS problem should be diagnosed and resolved.

An example of the event text is as follows:

Event Type:Warning
Event Source:NTDS Replication
Event Category:DS RPC Client
Event ID:2088
Date:3/21/2005
Time:2:29:34 PM
User:NT AUTHORITY\ANONYMOUS LOGON
Computer:DC3
Description:
Active Directory could not use DNS to resolve the IP address of the
source domain controller listed below. To maintain the consistency
of Security groups, group policy, users and computers and their passwords,
Active Directory successfully replicated using the NetBIOS or fully
qualified computer name of the source domain controller.

Invalid DNS configuration may be affecting other essential operations on
member computers, domain controllers or application servers in this
Active Directory forest, including logon authentication or access to network
resources.

You should immediately resolve this DNS configuration error so that
this domain controller can resolve the IP address of the source
domain controller using DNS.

Alternate server name:
dc1
Failing DNS host name:
4a8717eb-8e58-456c-995a-c92e4add7e8e._msdcs.contoso.com

NOTE: By default, only up to 10 DNS failures are shown for any given
12 hour period, even if more than 10 failures occur. To log all
individual failure events, set the following diagnostics registry
value to 1:
Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client

User Action:

1) If the source domain controller is no longer functioning or its
operating system has been reinstalled with a different computer
name or NTDSDSA object GUID, remove the source domain controller's
metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.

2) Confirm that the source domain controller is running Active Directory
and is accessible on the network by typing "net view \\<source DC name>"
or "ping <source DC name>".

3) Verify that the source domain controller is using a valid DNS server
for DNS services, and that the source domain controller's host record
and CNAME record are correctly registered, using the DNS Enhanced
version of DCDIAG.EXE available on http://www.microsoft.com/dns

dcdiag /test:dns

4) Verify that this destination domain controller is using a
valid DNS server for DNS services, by running the DNS Enhanced
version of DCDIAG.EXE command on the console of the destination
domain controller, as follows:

dcdiag /test:dns

5) For further analysis of DNS error failures see KB 824449:
http://support.microsoft.com/?kbid=824449

Additional Data
Error value:
11004 The requested name is valid, but no data of the requested
type was found

Cause
Failure to resolve the source domain controller name by using the CNAME resource
record in DNS can be due to DNS misconfigurations or delays in DNS data propagation.

Solution
Proceed with DNS testing as described in "Event ID 2087: DNS lookup failure caused
replication to fail."
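The following Python script is an added example and is not part of this guide or of Ldp. It relates to the procedure Verify Consistency of the NTDS Settings GUID earlier in this section and to the event ID 2088 text above: it extracts the alternate server name, the failing CNAME name and the Winsock error code from the event text, converts the 16 raw objectGUID bytes that an LDAP client receives into the GUID string that Ldp displays and that forms the left-most label of the CNAME record, and then makes the decision of steps 15 and 16. The byte order matters: the first three GUID fields are stored little-endian, and a tool that renders them big-endian produces a CNAME name that exists nowhere in DNS. EVENT_EXCERPT is a constructed excerpt in the layout of the event text, and the raw GUID bytes are constructed to match the sample event.

```python
"""Cross-check the NTDS Settings objectGUID against the GUID in the failing CNAME name.
Added example, not from the guide. EVENT_EXCERPT and the raw GUID bytes are constructed."""
import re
import uuid
from typing import Dict

EVENT_EXCERPT = """\
Alternate server name:
dc1
Failing DNS host name:
4a8717eb-8e58-456c-995a-c92e4add7e8e._msdcs.contoso.com

Additional Data
Error value:
11004 The requested name is valid, but no data of the requested type was found
"""

STALE_DESTINATION = ("destination holds a different NTDS Settings GUID; "
                     "replicate from a DC that has the correct GUID")
STALE_DNS = ("CNAME label does not match the source objectGUID; "
             "re-register the source DC's Locator records")
CONSISTENT = "GUIDs match and the CNAME name is correct; the problem is resolution or propagation"


def parse_event_2088(text: str) -> Dict[str, str]:
    """Pull the alternate server, failing CNAME name and Winsock error code out of the event text."""
    fields: Dict[str, str] = {}
    for key, label in (("alternate_server", "Alternate server name:"),
                       ("failing_name", "Failing DNS host name:")):
        m = re.search(re.escape(label) + r"\s*(\S+)", text)
        if not m:
            raise ValueError(f"{label!r} not found in event text")
        fields[key] = m.group(1)
    m = re.search(r"Error value:\s*(\d+)", text)
    fields["error_code"] = m.group(1) if m else ""
    return fields


def objectguid_to_string(raw: bytes) -> str:
    """Render the 16 raw objectGUID bytes the way Ldp, Dcdiag and the _msdcs CNAME do.
    The first three fields are little-endian on the wire, hence bytes_le."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def naive_guid_string(raw: bytes) -> str:
    """The wrong rendering (big-endian fields): a GUID that no CNAME record will ever carry."""
    return str(uuid.UUID(bytes=raw))


def cname_guid(failing_name: str) -> str:
    """The left-most label of Dsa_Guid._msdcs.Dns_Domain_Name."""
    return failing_name.split(".")[0].lower()


def diagnose(dest_view_raw: bytes, source_view_raw: bytes, failing_name: str) -> str:
    """Steps 14 to 16 of the GUID-consistency procedure, as a decision."""
    dest = objectguid_to_string(dest_view_raw)
    source = objectguid_to_string(source_view_raw)
    if dest != source:
        return STALE_DESTINATION
    if cname_guid(failing_name) != source:
        return STALE_DNS
    return CONSISTENT


if __name__ == "__main__":
    event = parse_event_2088(EVENT_EXCERPT)
    # Constructed: raw objectGUID of DC1's NTDS Settings object, as read on both DCs.
    dc1_guid_raw = bytes.fromhex("eb17874a588e6c45995ac92e4add7e8e")
    print(objectguid_to_string(dc1_guid_raw))   # 4a8717eb-8e58-456c-995a-c92e4add7e8e
    print(naive_guid_string(dc1_guid_raw))      # eb17874a-588e-6c45-995a-c92e4add7e8e (wrong)
    print(diagnose(dc1_guid_raw, dc1_guid_raw, event["failing_name"]))
```

Ldp shows objectGUID already converted to the string form, so when you compare values copied from Ldp you are comparing the bytes_le rendering; the conversion above is needed only when you read the attribute with a tool that returns the raw octets.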

Fixing Replication Connectivity Problems (Event ID 1925)

Network connectivity problems can make it impossible for domain controllers to form
replication partnerships. Various events and errors can indicate a problem with network
connectivity that is preventing replication from occurring.

Use the procedures in Event ID 1925: Attempt to establish a replication link failed due to
connectivity problem to diagnose and fix replication connectivity problems.

Event ID 1925: Attempt to establish a replication link failed due to connectivity problem

The description text in event ID 1925 reports that the attempt to establish a replication
link for the following writable directory partition failed, and the description text provides
the distinguished name of the directory partition that the destination is attempting to
replicate from the source. The error code in the event gives more specific information
about the cause of the problem.

An example of the event text is as follows:

Event Type:Warning
Event Source:NTDS KCC
Event Category:Knowledge Consistency Checker
Event ID:1925
Date:3/24/2005
Time:9:15:46 AM
User:NT AUTHORITY\ANONYMOUS LOGON
Computer:DC3
Description:
The attempt to establish a replication link for the following
writable directory partition failed.

Directory partition:
CN=Configuration,DC=contoso,DC=com
Source domain controller:
CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com
Source domain controller address:
f8786828-ecf5-4b7d-ad12-8ab60178f7cd._msdcs.contoso.com
Intersite transport (if any):
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=contoso,DC=com
This domain controller will be unable to replicate with the source
domain controller until this problem is corrected.

User Action
Verify if the source domain controller is accessible or network
connectivity is available.

Additional Data
Error value:
1908 Could not find the domain controller for this domain.

Cause
When event ID 1925 contains error 1908, "Could not find the domain controller for this
domain," Active Directory replication has failed as a result of a connectivity problem
between the domain controller that reported the error and the source domain controller
that is named in the event text.

Solution
Use the following tests to solve this problem:

 Verify wide area network (WAN) connectivity.

 Determine the maximum packet size, and change it if necessary.

 Force replication, and capture replication traffic in Network Monitor.

 Analyze network traces to see if any traffic is not reaching the source domain
controller.

Verify WAN Connectivity

Verify that there are no basic connectivity problems with the underlying network between
the domain controllers, especially if they are separated by a WAN link or firewalls. For
information about testing this type of problem, see article 310099, Description of the
Portquery.exe command-line utility, on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=69995), and see article 159211, Diagnoses and
treatment of black hole routers, on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=69996).

Determine Maximum Packet Size

By default, the Kerberos authentication protocol in Windows 2000, Windows XP, and
Windows Server 2003 uses the User Datagram Protocol (UDP) when the data fits in a
datagram of less than 2,000 bytes, and switches to TCP above that value. A UDP datagram
that is larger than the path maximum transmission unit (MTU), commonly 1,500 bytes on
Ethernet, is split into IP fragments, and fragments are often dropped by a device such as
a firewall on the network, so Kerberos exchanges between the domain controllers, and the
replication that depends on them, can fail.

To avoid this problem, you can determine the size of packet that your network can
accommodate. Then, you can edit the registry so that the maximum number of bytes for
using UDP is set to the lowest value that you receive, less 8 bytes to account for header
size.

Use the ping command to test the size of packets that the network can accommodate.

Requirements

 Administrative credentials: To complete this procedure, you must be a member of the
Domain Users group and have the Log on locally right on the domain controller.

 Tool: PING

To determine the lowest common packet size

1. From the destination domain controller, ping the source domain controller by its
Internet Protocol (IP) address. At a command prompt, type the following
command, and then press ENTER:

ping IP_address -f -l 1472

The -f switch sets the Don't Fragment bit, and -l 1472 sends a 1,472-byte payload,
which together with the 20-byte IP header and 8-byte ICMP header fills a standard
1,500-byte Ethernet frame.

2. From the source domain controller, use the command in step 1 to ping the
destination domain controller by its IP address.

3. If the ping command completes in both directions, no additional modification is
required.

4. If the ping command fails in either direction, progressively lower the number that
you use in the -l parameter until you find the largest payload size that works in
both directions between the source and destination domain controllers.

Note
The version of Dcdiag that is included with Windows Server 2003 SP1 Support
Tools provides the following method to perform this test:

dcdiag /test:CheckSecurityError /s:SourceDomainControllerName

You can edit the registry to set the maximum size of packets to the value that you
determined by the PING method, less 8 bytes to account for header size. As an
alternative, you can edit the registry so that the maximum number of bytes for using UDP
is always exceeded and Kerberos always uses TCP.

You can change the default value of 2,000 bytes by modifying the registry entry
MaxPacketSize in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
Use the following procedure to change this registry setting.

Caution
It is recommended that you do not directly edit the registry unless there is no
other alternative. Modifications to the registry are not validated by the registry
editor or by Windows before they are applied, and as a result, incorrect values
can be stored. This can result in unrecoverable errors in the system. When
possible, use Group Policy or other Windows tools, such as Microsoft
Management Console (MMC), to accomplish tasks rather than editing the registry
directly. If you must edit the registry, use extreme caution.

Requirements

 Administrative credentials: To complete this procedure, you must be a member of the
Domain Admins group in the domain of the domain controller.

 Tool: Regedit.exe

To change the maximum packet size

1. Click Start, click Run, type regedit, and then click OK.

2. Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.

3. Edit or, if it does not exist in the details pane, create the entry MaxPacketSize as
follows:

 To edit the entry if it exists in the details pane:

Right-click MaxPacketSize; click Modify; under Base, click Decimal; and then, in the
Value data box, type 1 to force Kerberos to use TCP, or type the value that you
established to lower the maximum UDP size to the appropriate value. (The editor
defaults to Hexadecimal, so a value typed without changing the base is misread.)

 To create the entry if it does not exist in the details pane:

Right-click Parameters, click New DWORD Value, type the name
MaxPacketSize, and then edit the entry as described in the preceding bullet.

4. Click OK.

5. You must restart the domain controller for this change to take effect.

For information about importing an Administrative Template into Group Policy so that this
value can be set for all the Windows 2000–based, Windows Server 2003-based, or
Windows XP-based computers in the enterprise, see article 244474, "How to force
Kerberos to use TCP instead of UDP in Windows Server 2003, in Windows XP, and in
Windows 2000," on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=69997).
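The following Python script is an added example and is not part of this guide. It carries the two procedures above through in code: a bisection over the -l payload size in place of lowering the size one step at a time, the smaller of the two directional maxima as the common size, the registry value derived from it (the working size less 8 bytes, as described above), and a .reg fragment for the MaxPacketSize entry that the manual registry procedure edits. The network is simulated by simulated_link; in practice the callback would run ping IP_address -f -l size and treat a received reply as success, which is an assumption about how you wrap the ping command.

```python
"""Find the largest unfragmented payload between two DCs and derive Kerberos MaxPacketSize.
Added example, not from the guide. The probe is simulated (simulated_link)."""
from typing import Callable, Optional

IP_ICMP_OVERHEAD = 28            # 20-byte IPv4 header + 8-byte ICMP header added to each -l payload
ETHERNET_PAYLOAD = 1472          # 1,500-byte MTU minus that overhead: the guide's starting -l value
KERBEROS_DEFAULT_MAX_UDP = 2000  # bytes; above this Kerberos already switches to TCP
FORCE_TCP = 1                    # MaxPacketSize value that makes Kerberos always use TCP


def largest_unfragmented_payload(ping_ok: Callable[[int], bool],
                                 start: int = ETHERNET_PAYLOAD) -> Optional[int]:
    """Largest -l value for which 'ping -f' still gets a reply, found by bisection.
    None means even an empty payload gets no reply: a connectivity problem, not MTU."""
    lo, hi = 0, start
    if not ping_ok(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if ping_ok(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def common_payload(dest_to_source: Optional[int],
                   source_to_dest: Optional[int]) -> Optional[int]:
    """Step 4: the size that works in both directions is the smaller of the two maxima."""
    if dest_to_source is None or source_to_dest is None:
        return None
    return min(dest_to_source, source_to_dest)


def max_packet_size(payload: int) -> int:
    """Registry value per the guide: the working size less 8 bytes of header."""
    return max(payload - 8, FORCE_TCP)


def path_mtu(payload: int) -> int:
    """The IP packet size the path carries without fragmentation."""
    return payload + IP_ICMP_OVERHEAD


def change_needed(payload: int) -> bool:
    """Only relevant when the default UDP ceiling exceeds what the path carries whole."""
    return KERBEROS_DEFAULT_MAX_UDP > payload


def reg_fragment(value: int) -> str:
    """A .reg file body for the MaxPacketSize entry the manual procedure above edits."""
    return ("Windows Registry Editor Version 5.00\n\n"
            "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters]\n"
            f'"MaxPacketSize"=dword:{value:08x}\n')


def simulated_link(mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for the network: a reply comes back iff the whole packet fits the MTU."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= mtu


if __name__ == "__main__":
    # Constructed scenario: a tunnel in one direction only carries 1,400-byte packets.
    d2s = largest_unfragmented_payload(simulated_link(1400))
    s2d = largest_unfragmented_payload(simulated_link(1500))
    payload = common_payload(d2s, s2d)
    print(f"largest common payload {payload}, path MTU {path_mtu(payload)}")
    if change_needed(payload):
        print(reg_fragment(max_packet_size(payload)))
```

Because the default of 2,000 bytes is larger than any Ethernet payload, change_needed is true even on an unbroken 1,500-byte path; the guide's alternative of writing 1 (reg_fragment(FORCE_TCP)) sidesteps the measurement entirely and is the simpler choice where TCP port 88 is open between the domain controllers.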

Capture Network Traces During Replication

Use Network Monitor to capture simultaneous traces on both source and destination
domain controllers while attempting to replicate (all traffic to and from each domain
controller; plus, set the capture buffer to a sufficiently large value). You must select the
addresses of the domain controllers from the address database and add them to the
capture filter. Start the capture, and then start replication between the two domain
controllers. Look for Kerberos fragmentation, out-of-order packets, latency, or network
traffic that originates on one side of the connection and does not arrive at the other side.

For information about installing Network Monitor, see Network Monitor on the Microsoft
Web site (http://go.microsoft.com/fwlink/?LinkId=42987).

Create an Address Database

To use address pairs in a capture filter, you must first build an address database. After
the database is created, you can use the addresses that are listed in the database to
specify address pairs in a capture filter.

Requirements

 Administrative credentials: To complete this procedure, you must be a member of the
Domain Admins group in the forest root domain or the Enterprise Admins group.

 Tool: Network Monitor

To create an address database

1. Open Network Monitor.

2. If you are prompted, select the local network from which you want to capture data
by default.

3. On the Capture menu, click Start.

4. On the Capture menu, click Stop and View.

5. On the Display menu, click Find All Names.

6. In the Find All Names dialog box, click OK. All addresses are added to the
address database.

7. On the Window menu, click the local connection.

You can use the names in the addresses database to specify address pairs in the capture
filter.

Capture Network Frames

To capture frames that are sent from a specific computer on your network to your
computer or that are sent from your computer to a specific computer on your network,
specify one or more address pairs in a capture filter. You can monitor up to four address
pairs simultaneously.

An address pair consists of:

 The addresses of the two computers between which you want to monitor traffic.

 Arrows that specify the traffic direction that you want to monitor.

 The INCLUDE or EXCLUDE keywords, which indicate how Network Monitor should
respond to a frame that meets a filter's specifications.

Requirements

 Administrative credentials: To complete this procedure, you must be a member of the
Domain Admins group in the forest root domain or the Enterprise Admins Group in
the forest.

 Tool: Network Monitor

To capture network frames

1. Open Network Monitor.

2. If you are prompted, select the local network from which you want to capture data
by default.

3. On the Capture menu, click Buffer Settings.

4. In the Capture Buffer Settings dialog box, set the buffer and frame size as
appropriate, and then click OK.

5. On the Capture menu, click Filter.

6. In the Capture Filter dialog box, double-click Address Pairs.

7. In the Address Expressions dialog box, select an address in Station 1 and an
address in Station 2 for the computers whose traffic you want to capture.

8. In the Direction box, select one of the symbols:

<--> to monitor the traffic that passes in either direction between the addresses
that you have selected.

--> or <-- to monitor only the traffic that passes in one direction between the
computers.

9. Click OK twice.

10. On the Capture menu, click Start.

Force Replication

When you have Network Monitor started to capture traffic between the two domain
controllers, use the following procedure to force synchronization between the computers
so that you can capture the replication traffic in Network Monitor.

Requirements

 Credentials: To complete this procedure, you must be a member of the Domain
Admins group in the forest root domain or the Enterprise Admins group in the forest.

 Tools: Active Directory Sites and Services (Administrative Tools)

To synchronize replication from a source domain controller

1. Open Active Directory Sites and Services.

2. Double-click the Sites container, double-click the site of the domain controller to
which you want to synchronize replication, double-click the Servers container,
double-click the server object of the domain controller, and then click NTDS
Settings.

3. In the From Server column in the details pane, locate the connection object that
shows the name of the source domain controller.

4. Right-click the appropriate connection object, and then click Replicate Now.

5. Click OK.

Analyze the traces from both domain controllers to see if there is any traffic that is not
getting to the other domain controller. For information about using Network Monitor, see
Network Monitor overview on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41936).

Fixing Replication Topology Problems (Event ID 1311)

The Knowledge Consistency Checker (KCC) constructs and maintains the
Active Directory replication topology automatically. Every 15 minutes, the KCC examines
the sum of all directory partition replicas that reside on domain controllers in the forest, as
well as administrator-defined settings for connections, sites, and site links.

Although generation of the replication topology occurs automatically, administrative
configuration errors can result in an Active Directory replication topology that is
inconsistent with the physical connections that are available. In Active Directory it is
possible to create objects for which there is no physical network support. For example,
Active Directory Sites and Services allows you to create a site object and assign subnet
addresses that do not exist. The KCC will attempt to use these objects to create
connections between domain controllers, but replication cannot occur because the
network does not exist to support the replication topology as it is configured.

Event ID 1311 is logged in the Directory Service event log when the replication
configuration information in Active Directory does not accurately reflect the physical
topology of the network. Use the procedures in Event ID 1311: Replication configuration
does not reflect the physical network to identify and fix topology problems.

Event ID 1311: Replication configuration does not reflect the physical network
Event ID 1311 is logged in the Directory Service log when configuration errors or
unavailable domain controllers prevent replication of a directory partition between domain
controllers in different sites.

An example of the event text is as follows:


Event Type:Error
Event Source:NTDS KCC
Event Category:Knowledge Consistency Checker
Event ID:1311
Date:3/9/2005
Time:6:39:58 PM
User:NT AUTHORITY\ANONYMOUS LOGON
Computer:DC3
Description:
The Knowledge Consistency Checker (KCC) has detected problems with
the following directory partition.

Directory partition:
CN=Configuration,DC=contoso,DC=com

There is insufficient site connectivity information in Active Directory
Sites and Services for the KCC to create a spanning tree replication
topology. Or, one or more domain controllers with this directory
partition are unable to replicate the directory partition information.
This is probably due to inaccessible domain controllers.

User Action
Use Active Directory Sites and Services to perform one of the
following actions:
- Publish sufficient site connectivity information so that the
KCC can determine a route by which this directory partition can
reach this site. This is the preferred option.
- Add a Connection object to a domain controller that contains
the directory partition in this site from a domain controller
that contains the same directory partition in another site.

If neither of the Active Directory Sites and Services tasks correct
this condition, see previous events logged by the KCC that identify
the inaccessible domain controllers.

Cause
This problem can have the following causes:

 Site link bridging is enabled on a network that does not support physical network
connectivity between two domain controllers in different sites that are connected by a
site link.

 Bridge all site links is enabled in Active Directory Sites and Services, but the
network does not allow network connectivity between any two domain controllers in
the forest.

 One or more sites are not contained in a site link.

 Site links contain all sites, but the site links are not interconnected. This condition is
known as disjointed site links.

 One or more domain controllers are offline.

 Bridgehead domain controllers are online, but errors occur when they try to replicate
a required directory partition between Active Directory sites.

 Administrator-defined preferred bridgehead servers are online, but they do not host
the required directory partition. The most common misconfiguration is to define non–
global catalog servers as bridgehead servers.

 Preferred bridgeheads are defined correctly by the administrator, but they are
currently offline.

 The bridgehead server is overloaded because the server is undersized, too many
branch sites are trying to replicate changes from the same hub domain controller, or
the replication schedules on site links or connection objects are too frequent.

 The Knowledge Consistency Checker (KCC) has built an alternate path around an
intersite connection failure, but it continues to retry the failing connection every
15 minutes.

Solution
Use the following procedures for troubleshooting event ID 1311:

 Identify the scope of the problem.

 Check site link bridging.

 Determine whether the network is fully routed.

 Verify that all sites are connected.

 Check preferred bridgehead servers.

Identify the Scope of the Problem

Identify the scope of the problem by determining whether event ID 1311 is being logged
on all domain controllers in the forest that hold the intersite topology generator (ISTG)
role or just on site-specific domain controllers.

First, use the following procedure to locate the ISTG role holders for all sites.

Requirements

 Administrative credentials: To complete this procedure, you must be a member of the
Domain Admins group in a domain in the forest.

 Tool: Ldp (Windows Support Tools)

To locate the ISTG role holders for all sites

1. Click Start, click Run, type Ldp, and then click OK.

2. On the Connection menu, click Connect.

3. In the Connect dialog box, leave the Server box empty.

4. In Port, type 389, and then click OK.

5. On the Connection menu, click Bind.

6. In the Bind dialog box, provide Enterprise Admins credentials. Click Domain if it
is not already selected.

7. In Domain, type the name of the forest root domain, and then click OK.

8. On the Browse menu, click Search.

9. In Base dn, type:

CN=Sites,CN=Configuration,DC=Forest_Root_Domain

10. In Filter, type:

(CN=NTDS Site Settings)

11. For Scope, click Subtree.

12. Click Options, and in the Attributes box, scroll to the end of the list, type:

;interSiteTopologyGenerator

and then click OK.

13. In the Search dialog box, click Run.

14. Review the interSiteTopologyGenerator entries in the output, and make a note
of the domain controller names.

Determine the scope of the event by checking the Directory Service event logs of all
ISTG role holders in the forest, or check at least a significant number of ISTG role
holders.

If event ID 1311 continues to be logged on ISTG role holders, continue with the next step.
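The following PowerShell script is an added example, not part of the guide. It runs the same LDAP query as the Ldp procedure above (subtree search under CN=Sites for NTDS Site Settings objects, reading interSiteTopologyGenerator), then checks each ISTG's Directory Service log for recent event ID 1311 entries to scope the problem. It assumes a domain-joined machine with read access to the Configuration partition and remote event log access to the domain controllers.

```powershell
# Added example (not from the guide): list the ISTG of every site and check
# each ISTG's Directory Service log for event ID 1311 (source NTDS KCC).
$configNc = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://CN=Sites,$configNc"
$searcher.Filter      = "(cn=NTDS Site Settings)"   # same filter as the Ldp step
$searcher.SearchScope = "Subtree"
[void]$searcher.PropertiesToLoad.Add("distinguishedName")
[void]$searcher.PropertiesToLoad.Add("interSiteTopologyGenerator")

foreach ($result in $searcher.FindAll()) {
    # DN is CN=NTDS Site Settings,CN=<site>,CN=Sites,... so the site is the second RDN
    $siteName = (($result.Properties["distinguishedname"][0]) -split ",")[1] -replace "^CN="
    $istgValues = $result.Properties["intersitetopologygenerator"]
    if ($istgValues.Count -eq 0) {
        "{0,-25} ISTG not set (site may contain no domain controller)" -f $siteName
        continue
    }
    # The attribute holds the DN of an NTDS Settings object; its parent is the server
    $istg = (($istgValues[0]) -split ",")[1] -replace "^CN="

    # Look at the newest KCC entries on this ISTG and keep only event ID 1311
    $events = @(Get-EventLog -ComputerName $istg -LogName "Directory Service" `
        -Source "NTDS KCC" -Newest 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 1311 })
    if ($events.Count -gt 0) {
        "{0,-25} ISTG {1,-15} event 1311 seen {2} time(s), last at {3}" -f `
            $siteName, $istg, $events.Count, $events[0].TimeGenerated
    } else {
        "{0,-25} ISTG {1,-15} no event 1311 among the newest KCC entries" -f $siteName, $istg
    }
}
```

If every ISTG reports the event, the cause is forest-wide (site link bridging, disjointed site links); if only some do, start with the site links and bridgeheads of those sites.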

Check Site Link Bridging

Use the following procedure to determine if site link bridging is enabled.

Requirements

 Administrative credentials: To complete this procedure, you must be a member of the
Domain Admins group in a domain in the forest.

 Tool: Active Directory Sites and Services (Administrative Tools)

To determine if site link bridging is enabled

1. Open Active Directory Sites and Services.

2. In the console tree, double-click the Sites container, and then double-click the
Inter-Site Transports container.

3. Right-click the IP container. If Bridge all site links is selected, site link bridging
is enabled.

The Bridge all site links setting requires a fully routed network. If the network is not fully
routed, you must create site link bridges manually.

Determine Whether the Network Is Fully Routed

Determine whether a fully routed network connection exists between two sites.

If the network is fully routed, continue by verifying that the sites are connected.

If the network is not fully routed and site link bridging is enabled, either make the network
fully routed, or disable site link bridging and then create the necessary site links and site
link bridges. For information about creating site links, see Linking Sites for Replication.

Note
Site link bridging is enabled by default. As a best practice, leave site link bridging
enabled for fully routed networks.

Disable Site Link Bridging

If the network is not fully routed and site link bridging is enabled, use the following
procedure to disable site link bridging.

Requirements

 Administrative credentials: To complete this procedure, you must be a member of the
Domain Admins group in the forest root domain or a member of the Enterprise
Admins group.

 Tool: Active Directory Sites and Services (Administrative Tools)

To disable site link bridging

1. Open Active Directory Sites and Services.

2. In the console tree, double-click the Sites container, and then double-click the
Inter-Site Transports container.

3. Right-click the IP container. If Bridge all site links is selected, click it to disable
it.

Create a Site Link Bridge

If the network is not fully routed, be sure that you have created site links to connect all
sites. When all site links are created, use the following procedure to create a site link
bridge.

Requirements

 Administrative credentials: To complete this procedure, you must be a member of the
Domain Admins group in the forest root domain or a member of the Enterprise
Admins group.

 Tool: Active Directory Sites and Services (Administrative Tools)

To create a site link bridge

1. Open Active Directory Sites and Services.

2. In the console tree, double-click the Sites container, and then expand the Inter-
Site Transports container.

3. Right-click the IP container, and then click New Site Link Bridge.

4. In Name, type a name for the site link bridge.

5. Click two or more site links to be bridged, and then click Add.

Wait for a period of time that is twice as long as the longest replication interval in the
forest. If event ID 1311 continues to be logged on ISTG role holders, continue with the
next step.

Verify That All Sites Are Connected

If the network is fully routed, use the Repadmin command-line tool to view site links to
ensure that intersite replication can occur between domain controllers in different sites.

Requirements

 Administrative credentials: To complete this procedure, you must be a member of the
Enterprise Admins group or the Domain Admins group in the forest root domain.

 Tool: Repadmin.exe (Windows Support Tools)

To view site links

1. At a command prompt, type the following command, and then press ENTER:

repadmin /showism "CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=Forest_Root_Domain"

where Forest_Root_Domain is the name of the forest root domain.

2. In the output, review the information for the sites that are listed. For each site, the
output of the command shows a string of three numbers separated by colons.
The numbers represent <cost>:<replication interval>:<options>. Strings with a
value of “-1:0:0” indicate a possible missing site link.

Check Preferred Bridgehead Servers

If you have designated preferred bridgehead servers, the ISTG selects bridgehead
servers only from that list of servers. If no servers in the list for the site can replicate a
domain directory partition that has domain controllers in other sites, the ISTG selects a
bridgehead server that can replicate the domain, if one is available in the site. However, if
at least one server in the list can replicate a domain but the server is unavailable, the
ISTG does not select an alternate bridgehead server and replication of updates to that
domain does not occur in the site. In this case, you might have domain controllers that
are capable of replicating the domain, but replication does not occur because preferred
bridgehead servers have been selected and none is available for the domain.

Check the list of preferred bridgehead servers in the site, and ensure that preferred
bridgehead servers for the domain in question are available. Use the following procedure
to check the list of preferred bridgehead servers.

To see all servers that have been selected as preferred bridgehead servers in a forest,
you can use ADSI Edit to view the bridgeheadServerListBL attribute on the IP container
object.

Requirements

 Administrative credentials: To complete this procedure, you must be a member of the
Domain Users group in a domain in the forest.

 Tool: Adsiedit.msc (Windows Support Tools)

To view the list of preferred bridgehead servers

1. Click Start, click Run, type adsiedit.msc, and then click OK.

2. In the console tree, double-click Configuration Container, and then double-click
CN=Configuration,DC=ForestRootDomainName, CN=Sites, and CN=Inter-Site
Transports.

3. Right-click CN=IP, and then click Properties.

4. In Attributes, double-click bridgeheadServerListBL.

5. If any preferred bridgehead servers are selected in any site in the forest, the
Values box displays the distinguished name for each server object that is
currently selected as a preferred bridgehead server.

Verify that all domain controllers in the list are online and functioning as domain
controllers.

Requirements

 Administrative credentials: To complete this procedure, you must be a member of the
Domain Users group in the domain of the domain controller.

 Tool: Net view

To determine whether a domain controller is functioning

 To confirm that a domain controller is running Active Directory and is accessible
on the network, at a command prompt type the following command, and then
press ENTER:

net view \\DomainControllerName

where DomainControllerName is the network basic input/output system (NetBIOS) name
of the domain controller.

This command displays the Netlogon and SYSVOL shares, indicating that the server is
functioning as a domain controller. If this test shows that the domain controller is not
functioning on the network, determine the nature of the disconnection and whether the
domain controller can be recovered.
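The following PowerShell script is an added example, not part of the guide. It reads bridgeheadServerListBL from the IP transport container (the attribute the ADSI Edit procedure shows) and then runs net view against every preferred bridgehead, reporting whether the NETLOGON and SYSVOL shares are visible, so the check described above is done for all listed servers at once. It assumes a domain-joined machine; reading the attribute needs only Domain Users credentials, as stated above.

```powershell
# Added example (not from the guide): test every preferred bridgehead server
# in the forest with "net view" and report which ones answer as domain controllers.
$configNc = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://CN=IP,CN=Inter-Site Transports,CN=Sites,$configNc"
$searcher.SearchScope = "Base"            # read only the IP container itself
$searcher.Filter      = "(objectClass=*)"
[void]$searcher.PropertiesToLoad.Add("bridgeheadServerListBL")
$bridgeheads = @($searcher.FindOne().Properties["bridgeheadserverlistbl"])

if ($bridgeheads.Count -eq 0) {
    "No preferred bridgehead servers are defined for the IP transport."
    return
}
foreach ($serverDn in $bridgeheads) {
    # Server object DN: CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
    $parts  = $serverDn -split ","
    $server = $parts[0] -replace "^CN="
    $site   = $parts[2] -replace "^CN="

    # Same test as the manual procedure; stderr is merged so errors are captured too
    $output = @(net view "\\$server" 2>&1)
    if ($LASTEXITCODE -ne 0) {
        # No answer or access denied: this bridgehead cannot replicate for its site
        "{0,-15} {1,-20} UNREACHABLE ({2})" -f $server, $site, ("$($output[0])".Trim())
        continue
    }
    # First column of each output line is the share name
    $shares = $output | ForEach-Object { ("$_" -split "\s+")[0] }
    $isDc = ($shares -contains "NETLOGON") -and ($shares -contains "SYSVOL")
    if ($isDc) {
        "{0,-15} {1,-20} OK: NETLOGON and SYSVOL shares visible" -f $server, $site
    } else {
        "{0,-15} {1,-20} WARNING: reachable but not sharing NETLOGON/SYSVOL" -f $server, $site
    }
}
```

Any server reported UNREACHABLE or WARNING is a candidate for the replacement procedure that follows.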

If a domain controller that is selected as a preferred bridgehead server is not available,
use the following procedure to select another preferred bridgehead server in the site that
can replicate the domain.

Requirements

 Administrative credentials: To complete this procedure, you must be a member of the
Domain Admins group in the domain of the selected domain controller or a member
of the Enterprise Admins group.

 Tool: Active Directory Sites and Services (Administrative Tools)

To designate a preferred bridgehead server

1. Open Active Directory Sites and Services.

2. In the console tree, double-click the Sites container, and then expand the
Servers container.

3. Right-click the server object for the domain controller that you want to make a
preferred bridgehead server, and then click Properties.

4. On the General tab, click the intersite transport or transports for which this server
will be a preferred bridgehead server, and then click Add.

Additional Resources for Troubleshooting Active Directory
For specific information about troubleshooting Active Directory problems, see the
following resources:

 Active Directory Management Pack Technical Reference for MOM 2005 on the
Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41369)

For information about Active Directory known issues and best practices, see the following
resources:

 Known Issues for Creating Domain and Forest Trusts

 Best Practices for Domain and Forest Trusts

For general information about how Active Directory works and how to manage and
configure Active Directory, see the following resources:

 Administering Active Directory Operations

 Active Directory Collection on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=34157)