AD Operations
Operations Guide
Microsoft Corporation
Abstract
This operations guide for the Microsoft® Windows Server™ 2003 Active Directory®
directory service provides step-by-step, task-oriented information for
Windows Server 2003 and Windows Server 2003 with Service Pack 1 (SP1)
technologies. This operations guide is designed to provide information technology (IT)
operators and administrators with prescriptive guidance for operating, managing, and
troubleshooting Active Directory servers.
Information in this document, including URL and other Internet Web site references, is
subject to change without notice. Unless otherwise noted, the example companies,
organizations, products, domain names, e-mail addresses, logos, people, places, and
events depicted herein are fictitious, and no association with any real company,
organization, product, domain name, e-mail address, logo, person, place, or event is
intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft, MS-DOS, Windows, Windows NT, Windows Server, and Active Directory are
either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries.
Create a one-way, incoming, external trust for one side of the trust
Create a one-way, incoming, external trust for both sides of the trust
Create a one-way, outgoing, external trust for one side of the trust
Create a one-way, outgoing, external trust for both sides of the trust
Create a one-way, incoming, shortcut trust for one side of the trust
Create a one-way, incoming, shortcut trust for both sides of the trust
Create a one-way, outgoing, shortcut trust for one side of the trust
Create a one-way, outgoing, shortcut trust for both sides of the trust
Create a one-way, incoming, forest trust for one side of the trust
Create a one-way, incoming, forest trust for both sides of the trust
Create a one-way, outgoing, forest trust for one side of the trust
Create a one-way, outgoing, forest trust for both sides of the trust
Validate a trust
To validate a trust
Change the Windows Time service configuration on the previous PDC emulator
Configure the PDC emulator to synchronize from its internal hardware clock
Reset the File Replication service staging folder to a different logical drive
Create an LDIF file for recovering back-links for authoritatively restored objects
See Also
Create a subnet object or objects and associate them with the new site
Configure the site link schedule to identify times during which intersite replication can occur
Configure the site link interval to identify how often replication polling can occur during the schedule window
Configure the site link cost to establish a priority for replication routing
Verify that an IP address maps to a subnet and determine the site association
Compare the size of the directory database files to the volume size
Returning Unused Disk Space from the Active Directory Database to the File System
If database integrity check fails, perform semantic database analysis with fixup
Verify that an IP address maps to a subnet and determine the site association
Verify communication with other domain controllers
Installing a Domain Controller in an Existing Domain Using Restored Backup Media
See Also
Preparing a Server Computer for Shipping and Installation from Backup Media
Restore the Backup to the Promotion Computer or Ship Removable Media
Determine the Restore Volume
Enable Remote Desktop
Create a Domain Controller Installation Answer File
See Also
Verify that an IP address maps to a subnet and determine the site association
Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)
Tombstone Lifetime and Replication of Deletions
How Lingering Objects Occur
Causes of Long Disconnections
Indications That a Domain Controller Has Lingering Objects
Tool for Removing Lingering Objects
See Also
A deleted account remains in the Address Book, e-mail is not received, or a duplicate account exists
Solution
Event ID 2042: It has been too long since this machine replicated
Solution
Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088)
Improvements to Domain Controller Name Resolution in SP1
DNS Requirements for CNAME Lookup Success
Event ID 1925: Attempt to establish a replication link failed due to DNS lookup problem
Solution
Event ID 1925: Attempt to establish a replication link failed due to connectivity problem
Cause
Solution
Event ID 1311: Replication configuration does not reflect the physical network
Cause
Solution
You cannot install Active Directory on a server running Windows Server 2003,
Web Edition, but you can join the server to an Active Directory domain as a member
server. For more information about Windows Server 2003, Web Edition, see Overview of
Windows Server 2003, Web Edition, on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=9253).
Note
The Windows Server 2003 Active Directory Operations Guide is also available as
a downloadable document on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=63079).
In this guide
Acknowledgments
Key Technical Reviewers: Chris Macaulay, Nigel Cain, Arren Conner, Dmitry Dukat,
Levon Esibov, Khushru Irani, Kamal Janardhan, Gregory Johnson, William Lees, Andreas
Luther, Kevin Sims, Jeromy Statia, Eric Kool-Brown, J. K. Jaganathan, Mike Resnick,
Michael Snyder, Nathan Muggli, Yi Zhao, Christopher Westpoint, Robert Powalka,
Rob Kochman
Microsoft Most Valuable Professional (MVP) Reviewers: Joseph Shook, Thomas Bittner,
Nuo Yan, Al Mulnick, Tony Murray, Guido Grillenmeier, M. Rajesh, Todd Myrick
This guide assumes a basic understanding of what Active Directory is, how it works, and
why your organization uses it to access, manage, and secure shared resources across
your network. You should also have a thorough understanding of how Active Directory is
deployed and managed in your organization. This includes an understanding of the
mechanism your organization uses to configure and manage Active Directory settings.
This guide can be used by organizations that have deployed Windows Server 2003 and
Windows Server 2003 with Service Pack 1 (SP1). It includes information that is relevant
to different roles within an IT organization, including IT operations management and
administrators. It contains high-level information that is required to plan an
Active Directory operations environment. This information provides management-level
knowledge of Active Directory and the IT processes required to operate it.
In addition, this guide contains more detailed procedures that are designed for operators
who have varied levels of expertise and experience. Although the procedures provide
operator guidance from start to finish, operators must have a basic proficiency with the
Microsoft Management Console (MMC) and snap-ins and know how to start
administrative programs and access the command line. If operators are not familiar with
Active Directory, it might be necessary for IT planners or IT managers to review the
relevant operations in this guide and provide the operators with parameters or data that
must be entered when the operation is performed.
Objectives are high-level goals for managing, monitoring, optimizing, and securing
Active Directory. Each objective consists of one or more high-level tasks that
describe how the objective is accomplished.
Tasks are used to group related procedures and provide general guidance for
achieving the goals of an objective.
If you are an IT manager who will be delegating tasks to operators within your
organization, you will want to:
Read through the objectives and tasks to determine how to delegate permissions and
whether you need to install tools before operators perform the procedures for each
task.
Before assigning tasks to individual operators, ensure that you have all the tools
installed where operators can use them.
When necessary, create “tear sheets” for each task that operators perform within
your organization. Cut and paste the task and its related procedures into a separate
document and then either print these documents or store them online, depending on
the preference of your organization.
New Content
August 2005: Performing an Authoritative Restore of Active Directory Objects
contains new procedures for regenerating the group memberships of restored user
objects and group objects. This functionality is available in the version of Ntdsutil.exe
that is included with Windows Server 2003 with Service Pack 1 (SP1).
February 2006: Enable Remote Desktop contains a new procedure to enable Remote
Desktop remotely by using the registry.
February 2006: Known Issues for Adding Domain Controllers in Remote Sites
contains the additional information that moving the Ntds.dit file takes less time than
copying the file when you restore a system state backup.
Updated Content
April 2006: Performing an Authoritative Restore of Active Directory Objects contains
corrected information about the details of updating back-link attributes.
Administering Domain and Forest Trusts
This guide provides administrators with step-by-step instructions for managing and
securing Windows Server 2003 domain and forest trusts. The way that you create or
configure trusts plays an important role in operating and securing your network
infrastructure. How you create or configure domain and forest trusts in
Windows Server 2003 also determines how far network communications extend within a
forest or across forests.
In this guide
Acknowledgements
Produced by: Microsoft Windows Server Security and Directory Services User Assistance
team
When your forest contains domain trees with many child domains and you observe
noticeable user authentication delays between the child domains, you can optimize
the user authentication process between the child domains by creating shortcut
trusts to mid-level domains in the domain tree hierarchy.
For more information, see When to create a shortcut trust on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=42644).
You can use the Nltest.exe tool to display and record a list of these trusts. For more
information, see "Nltest.exe: NLTest Overview" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=42642).
Perform regular backups of domain controllers to preserve all trust relationships
within a particular domain.
The following objectives are part of managing domain and forest trusts:
The following tasks for creating domain and forest trusts are described in this objective:
Note
A trust does not inherently allow users in a trusted domain to have access to
resources in a trusting domain. Users have access when they are assigned
the appropriate permissions. In some cases, users in trusted domains may
have implicit access if the resources are assigned to Authenticated Users.
New Trust Wizard Terminology
You create trusts in Windows Server 2003 with the New Trust Wizard. Before you use the
New Trust Wizard, review the following terminology. Each highlighted term represents the
exact term as it is used in the wizard:
This domain: The domain from which you launch the New Trust Wizard. When you
start the wizard, it immediately verifies your administrative credentials in the domain
for which you are the administrator. Therefore, the wizard uses the term “this domain”
to represent the domain that you are currently logged on to.
Local domain / Local forest: The domain or forest where you start the New Trust
Wizard.
Specified domain / Specified forest: The other domain or forest that this local
domain or local forest will trust. Although the New Trust Wizard is aware of the
domain context in which it is running, it does not have knowledge of the other domain
that you want to create the relationship with. After you type the name of the other
domain or forest in the Trust Name page, that name is used whenever the wizard
refers to the specified domain or specified forest.
Two-way trust: A trust relationship between two domains in which both domains trust
each other. For example, domain A trusts domain B, and domain B trusts domain A.
All parent-child trusts are two-way trusts.
You cannot delegate the creation of trusts to any user who is not a member of the
Domain Admins or Enterprise Admins groups. Even though you can grant a user the
Create TDO (Trusted Domain Object) right or the Delete TDO right in the System
container of a domain, the user will not be granted the right to create a trust. This
issue occurs because Netlogon and the trust-creation tools (Active Directory
Domains and Trusts and Netdom) are designed so that only members of the Domain
Admins group and the Enterprise Admins group can create trusts. However, any user
who is a member of the Incoming Forest Trust Builders group can create one-way,
incoming forest trusts to your forest. For more information about the Incoming Forest
Trust Builders group, see "How Domain and Forest Trusts Work" in the
Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=35356).
When you are logged on locally to a domain controller and you try to create a new
trust by using Active Directory Domains and Trusts, the operation may be
unsuccessful and you may receive the message “Access denied.” This issue occurs
only if you are logged on locally to the domain controller as an ordinary user
(meaning that the user is not logged on as Administrator or as a member of any
administrative groups for the domain). By default, ordinary users are blocked from
logging on locally to a domain controller unless Group Policy is modified to permit
this.
When you use Active Directory Domains and Trusts to create a trust, you may
receive the message “Operation failed. Parameter incorrect.” This issue may occur if
you try to establish a trust relationship when the source domain and the target
domain have one or more of the following identifiers that are the same:
To resolve this issue, do one of the following before you try to create the trust, as
appropriate to your situation:
The option to create a forest trust does not appear in the New Trust Wizard. This
issue typically occurs when one or both of the Windows Server 2003 forests are not
set to the Windows Server 2003 forest functional level. For more information about
forest functional levels, see Active Directory Functional Levels Technical Reference
on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41698).
There are restrictions in the number and types of trusts that can be created when you
target a Microsoft Windows Small Business Server 2003 domain.
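The wizard terms above map directly onto attributes of the trusted domain object (TDO) that each trust leaves in the System container. The following script is an added example, not part of this guide: it reads every TDO in the domain you are logged on to and reports direction, trust type, SID filtering and selective authentication in the wizard's own vocabulary, which is a convenient way to record the trust inventory that the Nltest.exe guidance calls for. It assumes a domain-joined Windows host with PowerShell and .NET System.DirectoryServices; the function and parameter names are this example's own.

```powershell
# Added example (not from the guide): read every trustedDomain object (TDO) in the
# System container and describe it in the New Trust Wizard's vocabulary. Assumes a
# domain-joined Windows host with .NET System.DirectoryServices; function and
# parameter names are this example's own. Attribute values follow the trustedDomain
# class: trustDirection, trustType and the trustAttributes flag bits.

function ConvertFrom-TrustedDomainObject {
    param(
        [string]$Partner,     # trustPartner: DNS name of the specified domain
        [string]$FlatName,    # flatName: its NetBIOS name
        [int]$Direction,      # trustDirection
        [int]$Type,           # trustType
        [int]$Attributes      # trustAttributes
    )
    # trustDirection is stored from this domain's point of view, so it lines up with the
    # wizard's Direction of Trust page.
    $directionText = switch ($Direction) {
        0 { 'Disabled' }
        1 { 'One-way: incoming (users here can reach resources in the specified domain)' }
        2 { 'One-way: outgoing (users in the specified domain can reach resources here)' }
        3 { 'Two-way' }
        default { "Unknown ($Direction)" }
    }
    $nonTransitive = ($Attributes -band 0x01) -ne 0   # TRUST_ATTRIBUTE_NON_TRANSITIVE
    $quarantined   = ($Attributes -band 0x04) -ne 0   # QUARANTINED_DOMAIN: SID filtering
    $forestWide    = ($Attributes -band 0x08) -ne 0   # FOREST_TRANSITIVE: forest trust
    $selectiveAuth = ($Attributes -band 0x10) -ne 0   # CROSS_ORGANIZATION: selective authentication
    $withinForest  = ($Attributes -band 0x20) -ne 0   # WITHIN_FOREST: parent-child, tree-root, shortcut

    if ($withinForest)    { $kind = 'Within forest (parent-child, tree-root or shortcut)' }
    elseif ($forestWide)  { $kind = 'Forest trust' }
    elseif ($Type -eq 1)  { $kind = 'External trust to a Windows NT 4.0 domain' }
    elseif ($Type -eq 2)  { $kind = 'External trust to an Active Directory domain in another forest' }
    elseif ($Type -eq 3)  { $kind = 'Realm trust (non-Windows Kerberos)' }
    else                  { $kind = "Unknown trust type $Type" }

    # Findings a reviewer would want to see before relying on the trust.
    $findings = @()
    if ($kind -like 'External*' -and -not $quarantined) {
        $findings += 'SID filtering (quarantine) is not set on this external trust'
    }
    if ($kind -like 'External*' -and -not $nonTransitive) {
        $findings += 'External trust is not flagged non-transitive'
    }
    if ($Direction -eq 0) {
        $findings += 'Direction is disabled; the TDO may be stale and worth removing'
    }

    New-Object PSObject -Property @{
        Partner                 = $Partner
        FlatName                = $FlatName
        Kind                    = $kind
        Direction               = $directionText
        SidFiltering            = $quarantined
        SelectiveAuthentication = $selectiveAuth
        Transitive              = -not $nonTransitive
        Findings                = ($findings -join '; ')
    }
}

function Get-DomainTrustReport {
    param([string]$Domain = $env:USERDNSDOMAIN)
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain/RootDSE")
    $domainDn = $rootDse.Properties['defaultNamingContext'][0]
    # TDOs live one level below CN=System in the domain partition, the container in which
    # the Create TDO and Delete TDO rights discussed above are granted.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain/CN=System,$domainDn")
    $searcher.SearchScope = 'OneLevel'
    $searcher.Filter      = '(objectClass=trustedDomain)'
    foreach ($attr in 'trustPartner','flatName','trustDirection','trustType','trustAttributes') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties   # keys come back lower-cased
        ConvertFrom-TrustedDomainObject -Partner $p['trustpartner'][0] -FlatName $p['flatname'][0] `
            -Direction $p['trustdirection'][0] -Type $p['trusttype'][0] -Attributes $p['trustattributes'][0]
    }
}

# Live report for the domain you are logged on to:
Get-DomainTrustReport | Format-Table Partner, Kind, Direction, SidFiltering, SelectiveAuthentication, Findings -AutoSize

# Constructed record, for reading the decoder without a directory: the TDO that the
# procedure "Create a one-way, incoming, external trust" leaves in sales.wingtiptoys.com
# (incoming, uplevel, non-transitive with SID filtering set).
ConvertFrom-TrustedDomainObject -Partner 'marketing.tailspintoys.com' -FlatName 'MARKETING' `
    -Direction 1 -Type 2 -Attributes 0x05
```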
Creating External Trusts
You can create an external trust to form a one-way or two-way, nontransitive trust with
domains that are outside your forest. External trusts are sometimes necessary when
users need access to resources that are located in a Windows NT 4.0 domain or in a
domain that is in a separate Active Directory forest that is not joined by a forest trust.
For example, if you have a Windows Server 2003–based domain whose users want to
gain access to resources that are stored in a Windows NT–based domain, you must
create a trust relationship in which the Windows NT–based domain trusts the users from
the Windows Server 2003–based domain. In this case, the Windows NT–based domain
is the trusting domain, and the Windows Server 2003–based domain is the trusted
domain.
For more information about external trusts, see "How Domain and Forest Trusts Work" in
the Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=35356).
Note
Trusts that are created between Windows NT 4.0 domains and Active Directory
domains are one-way and nontransitive, and they require network basic
input/output system (NetBIOS) name resolution.
Task requirements
You can use either of the following tools to perform the procedures for this task:
Netdom.exe
For more information about how to use the Netdom command-line tool to create an
external trust, see "Netdom.exe: Windows Domain Manager" in the
Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41700).
Note
If you have the appropriate administrative credentials for each domain, you can
create both sides of an external trust at the same time. To create both sides of
the trust simultaneously, follow the appropriate procedure below that contains
the words “both sides of the trust” in the procedure title. For example, the
procedure “Create a one-way, incoming, external trust for both sides of the trust”
provides the steps to follow when you have the administrative credentials for both
domains and you want to use the New Trust Wizard to create an incoming,
external trust in one operation. For more information about how the “both sides of
the trust” option works, see the section "Sides of Trust" in Appendix: New Trust
Wizard Pages.
You can create an external trust by using any of the following procedures, depending on
the requirements of your organization and the administrative credentials that you have
when you create the trust:
Create a one-way, incoming, external trust for one side of the trust
Create a one-way, incoming, external trust for both sides of the trust
Create a one-way, outgoing, external trust for one side of the trust
Create a one-way, outgoing, external trust for both sides of the trust
Create a two-way, external trust for one side of the trust
A one-way, incoming, external trust allows users in your domain (the domain that you are
logged on to at the time that you run the New Trust Wizard) to access resources in
another Active Directory domain (outside your forest) or in a Windows NT 4.0 domain.
For example, if you are the administrator of sales.wingtiptoys.com and users in that
domain need to access resources in the marketing.tailspintoys.com domain (which is
located in another forest), you can use this procedure (in conjunction with another
procedure, which is executed by the administrator in the other forest) to establish one
side of the relationship so that users in your domain can access resources in the
marketing.tailspintoys.com domain.
You can create this external trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create an external trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
To create a one-way, incoming, external trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain that you want to establish a trust with,
and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: incoming, and then click Next.
For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.
7. On the Sides of Trust page, click This domain only, and then click Next.
For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.
8. On the Trust Password page, type the trust password twice, and then click
Next.
With the administrator of the other domain, agree on a secure channel password
to be used in establishing the trust.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
If you do not want to confirm this trust, click No, do not confirm the
incoming trust.
If you want to confirm this trust, click Yes, confirm the incoming trust, and
then supply the appropriate administrative credentials from the specified
domain.
12. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the domain administrator for the specified domain or
specified forest must follow the procedure Create a one-way, outgoing, external
trust for one side of the trust, using his or her administrative credentials and the
exact same trust password that was used during this procedure.
A one-way, incoming, external trust allows users in your domain (the domain that you are
logged on to at the time that you run the New Trust Wizard) to access resources in
another Active Directory domain (outside your forest) or in a Windows NT 4.0 domain.
For example, if you are the administrator of sales.wingtiptoys.com and users in that
domain need to access resources in the marketing.tailspintoys.com domain (which is
located in another forest), you can use this procedure to establish a relationship so that
users in your domain can access resources in the marketing.tailspintoys.com domain.
You can create this external trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create an external trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
To create a one-way, incoming, external trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain that you want to establish a trust with,
and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: incoming, and then click Next.
For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain,
and then click Next.
For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.
8. On the User Name and Password page, type the user name and password for
the appropriate administrator in the specified domain.
10. On the Trust Selections Complete page, review the results, and then click
Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
If you do not want to confirm this trust, click No, do not confirm the
incoming trust.
If you want to confirm this trust, click Yes, confirm the incoming trust, and
then supply the appropriate administrative credentials from the specified
domain.
13. On the Completing the New Trust Wizard page, click Finish.
A one-way, outgoing, external trust will allow resources in your domain (the domain that
you are logged on to at the time that you run the New Trust Wizard) to be accessed by
users in a different Active Directory domain (outside your forest) or in a Windows NT 4.0
domain. For example, if you are the administrator of sales.wingtiptoys.com and you have
resources in that domain that need to be accessed by users in the
marketing.tailspintoys.com domain (which is located in another forest), you can use this
procedure to establish one side of the relationship so that users in the
marketing.tailspintoys.com domain can access the resources in sales.wingtiptoys.com.
You can create this external trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create an external trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
To create a one-way, outgoing, external trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain that you want to establish a trust with,
and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: outgoing, and then click Next.
For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.
7. On the Sides of Trust page, click This domain only, and then click Next.
For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.
8. On the Outgoing Trust Authentication Level page, do one of the following, and
then click Next:
9. On the Trust Password page, type the trust password twice, and then click
Next.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
If you do not want to confirm this trust, click No, do not confirm the
outgoing trust. Note that if you do not confirm the trust at this stage, the
secure channel will not be established until the first time the trust is used by
users.
If you want to confirm this trust, click Yes, confirm the outgoing trust, and
then supply the appropriate administrative credentials from the specified
domain.
13. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the domain administrator for the specified domain or
specified forest must follow the procedure Create a one-way, incoming, external
trust for one side of the trust, using his or her administrative credentials and the
exact same trust password that was used during this procedure.
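The task requirements name Netdom.exe as the command-line alternative to the New Trust Wizard. The following is an added example, not from the guide, that expresses the four external-trust procedures (incoming or outgoing, one side or both sides) as Netdom commands driven from PowerShell, using the guide's fictitious domains sales.wingtiptoys.com and marketing.tailspintoys.com. It assumes Netdom.exe is on the path and that you are logged on as a member of Domain Admins in sales.wingtiptoys.com; the function and parameter names are this example's own.

```powershell
# Added example (not from the guide): the New Trust Wizard choices for an external trust,
# driven through Netdom.exe from PowerShell. Assumes Netdom.exe is on the path and that
# you are logged on as a Domain Admin of $OurDomain; all function and parameter names
# are this example's own.

function Invoke-ExternalTrust {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Incoming','Outgoing')][string]$Direction,
        [string]$OurDomain   = 'sales.wingtiptoys.com',      # the guide's fictitious domains
        [string]$OtherDomain = 'marketing.tailspintoys.com',
        [switch]$BothSides,                                   # wizard: "Both this domain and the specified domain"
        [string]$OtherDomainAdmin                             # account in the other domain; used only with -BothSides
    )
    # Netdom names the TRUSTING domain first and the TRUSTED domain after /d:.
    # Wizard "One-way: incoming": our users reach their resources, so THEY trust US.
    # Wizard "One-way: outgoing": their users reach our resources, so WE trust THEM.
    if ($Direction -eq 'Incoming') {
        $trusting = $OtherDomain; $trusted = $OurDomain;   $ourSide = 'trusted'
    } else {
        $trusting = $OurDomain;   $trusted = $OtherDomain; $ourSide = 'trusting'
    }
    $netdomArgs = @('trust', $trusting, "/d:$trusted", '/add')

    if ($BothSides) {
        if (-not $OtherDomainAdmin) { $OtherDomainAdmin = "$OtherDomain\Administrator" }
        # Supply credentials only for the domain we are not logged on to: /UserO and
        # /PasswordO authenticate to the trusting domain, /UserD and /PasswordD to the
        # trusted one. The value * makes Netdom prompt, so the password never lands on
        # the command line or in shell history.
        if ($ourSide -eq 'trusted') {
            $netdomArgs += @("/usero:$OtherDomainAdmin", '/passwordo:*')
        } else {
            $netdomArgs += @("/userd:$OtherDomainAdmin", '/passwordd:*')
        }
    } else {
        # Wizard "This domain only": create just our side with the shared trust password.
        # The other administrator runs the mirror-image command with the same password.
        $trustPassword = Read-Host 'Trust password agreed with the other domain administrator'
        $netdomArgs += @("/oneside:$ourSide", "/passwordt:$trustPassword")
    }

    & netdom @netdomArgs
    if ($LASTEXITCODE -ne 0) { throw "netdom trust failed with exit code $LASTEXITCODE" }
}

function Test-ExternalTrust {
    # Equivalent of answering "Yes, confirm the ... trust" in the wizard: checks that the
    # secure channel between the two domains can be established.
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Incoming','Outgoing')][string]$Direction,
        [string]$OurDomain   = 'sales.wingtiptoys.com',
        [string]$OtherDomain = 'marketing.tailspintoys.com'
    )
    if ($Direction -eq 'Incoming') { $trusting = $OtherDomain; $trusted = $OurDomain }
    else                           { $trusting = $OurDomain;   $trusted = $OtherDomain }
    & netdom trust $trusting "/d:$trusted" /verify
    return ($LASTEXITCODE -eq 0)
}

# One side of an incoming trust (the procedure "for one side of the trust"), then
# verification once the marketing.tailspintoys.com administrator has created the
# outgoing side with the same trust password.
Invoke-ExternalTrust -Direction Incoming
if (Test-ExternalTrust -Direction Incoming) { 'Trust verified' } else { 'Trust not yet established on both sides' }
```

Until the second side exists, the verify step fails by design, which is the same state the wizard describes when you choose not to confirm the trust.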
A one-way, outgoing, external trust allows resources in your domain (the domain that you
are logged on to at the time that you run the New Trust Wizard) to be accessed by users
in a different Active Directory domain (outside your forest) or in a Windows NT 4.0
domain. For example, if you are the administrator of sales.wingtiptoys.com and you have
resources in that domain that need to be accessed by users in the
marketing.tailspintoys.com domain (which is located in another forest), you can use this
procedure to establish one side of the relationship so that users in the
marketing.tailspintoys.com domain can access the resources in sales.wingtiptoys.com.
You can create this external trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create an external trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
To create a one-way, outgoing, external trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain that you want to establish a trust with,
and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: outgoing, and then click Next.
For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain,
and then click Next.
For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.
8. On the User Name and Password page, type the user name and password for
the appropriate administrator in the specified domain.
10. On the Trust Selections Complete page, review the results, and then click
Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
If you do not want to confirm this trust, click No, do not confirm the
outgoing trust. Note that if you do not confirm the trust at this stage, the
secure channel will not be established until the first time the trust is used by
users.
If you want to confirm this trust, click Yes, confirm the outgoing trust, and
then supply the appropriate administrative credentials from the specified
domain.
13. On the Completing the New Trust Wizard page, click Finish.
Create a two-way, external trust for one
side of the trust
This procedure creates one side of a two-way, external trust. Although one side of a trust
will be created successfully, the new trust will not function until the administrator for the
reciprocal domain uses his or her credentials to create the second side of the trust. If you
have administrative credentials for both domains that are involved in the trust, you can
use the procedure Create a two-way, external trust for both sides of the trust to create
both sides of the trust in one simultaneous operation.
A two-way, external trust allows users in your domain (the domain that you are logged on
to at the time that you run the New Trust Wizard) and users in the reciprocal domain to
access resources in either of the two domains.
You can create this external trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create an external trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
To create a two-way, external trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain that you want to
establish a trust with, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click Two-way, and then click Next.
For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.
7. On the Sides of Trust page, click This domain only, and then click Next.
For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.
8. On the Outgoing Trust Authentication Level page, do one of the following, and
then click Next:
9. On the Trust Password page, type the trust password twice, and then click
Next.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
If you do not want to confirm this trust, click No, do not confirm the
outgoing trust. Note that if you do not confirm the trust at this stage, the
secure channel will not be established until the first time the trust is used by
users.
If you want to confirm this trust, click Yes, confirm the outgoing trust, and
then supply the appropriate administrative credentials from the specified
domain.
If you do not want to confirm this trust, click No, do not confirm the
incoming trust.
If you want to confirm this trust, click Yes, confirm the incoming trust, and
then supply the appropriate administrative credentials from the specified
domain.
14. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the domain administrator for the specified domain or
specified forest must follow this same procedure, using his or her administrative
credentials and the exact same trust password that was used during this
procedure.
Create a two-way, external trust for both
sides of the trust
This procedure creates both sides of a two-way, external trust, and it requires you to have
administrative credentials for your domain as well as for the reciprocal domain. If you
have administrative credentials only for your domain, you can use the procedure Create a
two-way, external trust for one side of the trust to create your side of the trust. Then, have
the administrator for the reciprocal domain create a one-way, outgoing, external trust from
his or her domain.
A two-way, external trust allows users in your domain (the domain that you are logged on
to at the time that you run the New Trust Wizard) and users in the reciprocal domain to
access resources in either of the two domains.
You can create this external trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create an external trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To complete this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
To create a two-way, external trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain that you want to establish a trust with,
and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click Two-way, and then click Next.
For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain,
and then click Next.
For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.
8. On the User Name and Password page, type the user name and password for
the appropriate administrator in the specified domain.
11. On the Trust Selections Complete page, review the results, and then click
Next.
12. On the Trust Creation Complete page, review the results, and then click Next.
If you do not want to confirm this trust, click No, do not confirm the
outgoing trust. Note that if you do not confirm the trust at this stage, the
secure channel will not be established until the first time the trust is used by
users.
If you want to confirm this trust, click Yes, confirm the outgoing trust, and
then supply the appropriate administrative credentials from the specified
domain.
If you do not want to confirm this trust, click No, do not confirm the
incoming trust.
If you want to confirm this trust, click Yes, confirm the incoming trust, and
then supply the appropriate administrative credentials from the specified
domain.
15. On the Completing the New Trust Wizard page, click Finish.
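The wizard paths above (one side of the trust with a shared trust password, both sides at once with the other domain's administrator credentials, and the optional confirmation of the secure channel), as an added PowerShell example that is not part of the operations guide. It uses the .NET System.DirectoryServices.ActiveDirectory classes instead of the wizard or Netdom, assumes PowerShell 2.0 or later run by a member of Domain Admins, and the domain names, credentials and function names are placeholders.

```powershell
# Added example, not part of the operations guide: the New Trust Wizard paths for an
# external trust, expressed with the .NET System.DirectoryServices.ActiveDirectory API.
# Assumes PowerShell 2.0+ and a session running as a member of Domain Admins.
# Domain names and credentials below are placeholders taken from the guide's examples.
Add-Type -AssemblyName System.DirectoryServices

function New-ExternalTrustOneSide {
    # Wizard path: Sides of Trust = "This domain only", then the Trust Password page.
    # The other domain's administrator must create the reciprocal side with the opposite
    # direction and the exact same trust password, otherwise the trust never functions.
    param(
        [Parameter(Mandatory = $true)] [string] $TargetDomain,
        [Parameter(Mandatory = $true)] [ValidateSet('Inbound', 'Outbound', 'Bidirectional')]
        [string] $Direction,
        [Parameter(Mandatory = $true)] [string] $TrustPassword,
        [switch] $SelectiveAuthentication   # Outgoing Trust Authentication Level page
    )
    $local = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $dir   = [System.DirectoryServices.ActiveDirectory.TrustDirection] $Direction
    $local.CreateLocalSideOfTrustRelationship($TargetDomain, $dir, $TrustPassword)
    if ($SelectiveAuthentication -and $Direction -ne 'Inbound') {
        # Only the outgoing half has an authentication level; selective authentication
        # restricts which of the other domain's users may authenticate to resources here.
        $local.SetSelectiveAuthenticationStatus($TargetDomain, $true)
    }
}

function New-ExternalTrustBothSides {
    # Wizard path: Sides of Trust = "Both this domain and the specified domain", then
    # the User Name and Password page for an administrator of the specified domain.
    param(
        [Parameter(Mandatory = $true)] [string] $TargetDomain,
        [Parameter(Mandatory = $true)] [ValidateSet('Inbound', 'Outbound', 'Bidirectional')]
        [string] $Direction,
        [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential] $TargetAdmin,
        [switch] $SelectiveAuthentication
    )
    # Bind to the specified domain with its administrator's credentials.
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList @(
        [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain,
        $TargetDomain,
        $TargetAdmin.UserName,
        $TargetAdmin.GetNetworkCredential().Password)
    $remote = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    $local  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $dir    = [System.DirectoryServices.ActiveDirectory.TrustDirection] $Direction
    $local.CreateTrustRelationship($remote, $dir)   # creates both halves in one operation
    if ($SelectiveAuthentication -and $Direction -ne 'Inbound') {
        $local.SetSelectiveAuthenticationStatus($TargetDomain, $true)
    }
    # Equivalent of "Yes, confirm the outgoing/incoming trust": establish and verify the
    # secure channel now instead of leaving it to the first time a user relies on the trust.
    $local.VerifyTrustRelationship($remote, $dir)
}

function Get-TrustReport {
    # Defender's view: every trust of this domain and, for outgoing external trusts,
    # whether selective authentication is on (domain-wide authentication is the wider grant).
    $local = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($t in $local.GetAllTrustRelationships()) {
        $selective = 'n/a'
        if ($t.TrustType -eq 'External' -and $t.TrustDirection -ne 'Inbound') {
            $selective = $local.GetSelectiveAuthenticationStatus($t.TargetName)
        }
        New-Object PSObject -Property @{
            Target        = $t.TargetName
            Type          = $t.TrustType
            Direction     = $t.TrustDirection
            SelectiveAuth = $selective
        }
    }
}

# Usage (placeholders): from sales.wingtiptoys.com, let marketing.tailspintoys.com users in.
# New-ExternalTrustOneSide -TargetDomain 'marketing.tailspintoys.com' -Direction Outbound `
#     -TrustPassword (Read-Host 'Trust password') -SelectiveAuthentication
# New-ExternalTrustBothSides -TargetDomain 'marketing.tailspintoys.com' -Direction Outbound `
#     -TargetAdmin (Get-Credential 'TAILSPINTOYS\Administrator') -SelectiveAuthentication
# Get-TrustReport | Format-Table Target, Type, Direction, SelectiveAuth
```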
Creating Shortcut Trusts
A shortcut trust is a manually created trust that shortens the trust path, which improves the
speed at which authentications between domain trees are processed.
This can result in faster logon times and faster access to resources. A trust path is a
chain of multiple trusts that enables trust between domains that are not adjacent in the
domain namespace. For example, if users in domain A need to gain access to resources
in domain C, you can create a direct link from domain A to domain C through a shortcut
trust relationship, bypassing domain B in the trust path.
For more information about shortcut trusts, see "How Domain and Forest Trusts Work" in
the Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=35356).
Task requirements
You can use either of the following tools to perform the procedures for this task:
Active Directory Domains and Trusts
Netdom.exe
For more information about how to use the Netdom command-line tool to create a
shortcut trust, see "Netdom.exe: Windows Domain Manager" in the
Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41700).
Note
If you have the appropriate administrative credentials for each domain, you can
create both sides of a shortcut trust at the same time. To create both sides of the
trust, follow the appropriate procedure below that contains the words “for both
sides of the trust” in the title. For example, the procedure “Create a one-way,
incoming, shortcut trust for both sides of the trust” explains how to configure both
sides of a shortcut trust. For more information about how the “both sides of the
trust” option works, see the section "Sides of Trust" in Appendix: New Trust
Wizard Pages.
You can create a shortcut trust by using any of the following procedures, depending on
the requirements of your organization and the administrative credentials that you have
when you create the trust:
Create a one-way, incoming, shortcut trust for one side of the trust
Create a one-way, incoming, shortcut trust for both sides of the trust
Create a one-way, outgoing, shortcut trust for one side of the trust
Create a one-way, outgoing, shortcut trust for both sides of the trust
Create a one-way, incoming, shortcut trust for one side of the trust
A one-way, incoming, shortcut trust allows users in your domain (the domain that you are
logged on to at the time that you run the New Trust Wizard) to more quickly access
resources in another domain (which is nested within another domain tree) in your forest.
For example, if you are the administrator of sales.wingtiptoys.com and users in that
domain need to access resources in the marketing.tailspintoys.com domain (which is a
child domain of the tailspintoys.com tree root domain), you can use this procedure to
establish one side of the relationship so that users in your domain can more quickly
access resources in the marketing.tailspintoys.com domain.
You can create this shortcut trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a shortcut trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
To create a one-way, incoming, shortcut trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain that you want to
establish a trust with, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: incoming, and then click Next.
For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.
7. On the Sides of Trust page, click This domain only, and then click Next.
For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.
8. On the Trust Password page, type the trust password twice, and then click
Next.
9. On the Trust Selections Complete page, review the results, and then click
Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
If you do not want to confirm this trust, click No, do not confirm the
incoming trust.
If you want to confirm this trust, click Yes, confirm the incoming trust, and
then supply the appropriate administrative credentials from the specified
domain.
12. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the domain administrator for the specified domain or
specified forest must follow the procedure Create a one-way, outgoing, shortcut
trust for one side of the trust, using his or her administrative credentials and the
exact same trust password that was used during this procedure.
Create a one-way, incoming, shortcut
trust for both sides of the trust
This procedure creates both sides of a one-way, incoming, shortcut trust, and it requires
you to have administrative credentials for your domain as well as for the reciprocal domain.
If you have administrative credentials only for your domain, you can use the procedure
Create a one-way, incoming, shortcut trust for one side of the trust to create your side of
the trust. Then, have the administrator for the reciprocal domain create a one-way,
outgoing, shortcut trust from his or her domain.
A one-way, incoming, shortcut trust allows users in your domain (the domain that you are
logged on to at the time that you run the New Trust Wizard) to more quickly access
resources in another domain (which is nested within another domain tree) in your forest.
For example, if you are the administrator of sales.wingtiptoys.com and users in that
domain need to access resources in the marketing.tailspintoys.com domain (which is a
child domain of the tailspintoys.com tree root domain), you can use this procedure to
establish one side of the relationship so that users in your domain can more quickly
access resources in the marketing.tailspintoys.com domain.
You can create this shortcut trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a shortcut trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
To create a one-way, incoming, shortcut trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain that you want to
establish a trust with, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: incoming, and then click Next.
For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain,
and then click Next.
For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.
8. On the User Name and Password page, type the user name and password for
the appropriate administrator in the specified domain.
9. On the Trust Selections Complete page, review the results, and then click
Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
If you do not want to confirm this trust, click No, do not confirm the
incoming trust.
If you want to confirm this trust, click Yes, confirm the incoming trust, and
then supply the appropriate administrative credentials from the specified
domain.
12. On the Completing the New Trust Wizard page, click Finish.
Create a one-way, outgoing, shortcut trust for one side of the trust
You can create this shortcut trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a shortcut trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
To create a one-way, outgoing, shortcut trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain that you want to establish a trust with,
and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: outgoing, and then click Next.
For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.
7. On the Sides of Trust page, click This domain only, and then click Next.
For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.
8. On the Trust Password page, type the trust password twice, and then click
Next.
9. On the Trust Selections Complete page, review the results, and then click
Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
If you do not want to confirm this trust, click No, do not confirm the
outgoing trust. Note that if you do not confirm the trust at this stage, the
secure channel will not be established until the first time the trust is used by
users.
If you want to confirm this trust, click Yes, confirm the outgoing trust, and
then supply the appropriate administrative credentials from the specified
domain.
12. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the domain administrator for the specified domain or
specified forest must follow the procedure Create a one-way, incoming, shortcut
trust for one side of the trust, using his or her administrative credentials and the
exact same trust password that was used during this procedure.
Create a one-way, outgoing, shortcut trust for both sides of the trust
A one-way, outgoing, shortcut trust allows resources in your domain (the domain that you
are logged on to at the time that you run the New Trust Wizard) to be accessed more
quickly by users in another domain (which is nested within another domain tree) in your
forest. For example, if you are the administrator of marketing.tailspintoys.com and
resources in that domain need to be accessed by users in the sales.wingtiptoys.com
domain (which is a child domain of the wingtiptoys.com tree root domain), you can use
this procedure to establish one side of the relationship so that users in the
sales.wingtiptoys.com domain can more quickly access resources in the
marketing.tailspintoys.com domain.
You can create this shortcut trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a shortcut trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
To create a one-way, outgoing, shortcut trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain that you want to
establish a trust with, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: outgoing, and then click Next.
For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain,
and then click Next.
For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.
8. On the User Name and Password page, type the user name and password for
the appropriate administrator in the specified domain.
9. On the Trust Selections Complete page, review the results, and then click
Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
If you do not want to confirm this trust, click No, do not confirm the
outgoing trust. Note that if you do not confirm the trust at this stage, the
secure channel will not be established until the first time the trust is used by
users.
If you want to confirm this trust, click Yes, confirm the outgoing trust, and
then supply the appropriate administrative credentials from the specified
domain.
12. On the Completing the New Trust Wizard page, click Finish.
Create a two-way, shortcut trust for one side of the trust
A two-way, shortcut trust allows users in your domain (the domain that you are logged on
to at the time that you run the New Trust Wizard) and users in the reciprocal domain to
more quickly access resources in either domain (when both domains are separated by a
domain tree) in your forest.
You can create this shortcut trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a shortcut trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
To create a two-way, shortcut trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain that you want to
establish a trust with, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click Two-way, and then click Next.
For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.
7. On the Sides of Trust page, click This domain only, and then click Next.
For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.
8. On the Trust Password page, type the trust password twice, and then click
Next.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
If you want to confirm this trust, click Yes, confirm the outgoing trust, and
then supply the appropriate administrative credentials from the specified
domain.
If you do not want to confirm this trust, click No, do not confirm the
incoming trust.
If you want to confirm this trust, click Yes, confirm the incoming trust, and
then supply the appropriate administrative credentials from the specified
domain.
13. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the domain administrator for the specified domain must
follow this same procedure using his or her administrative credentials and the
exact same trust password that was used during this procedure.
Create a two-way, shortcut trust for both sides of the trust
A two-way, shortcut trust allows users in your domain (the domain that you are logged on
to at the time that you run the New Trust Wizard) and users in the reciprocal domain to
more quickly access resources in either domain (when both domains are separated by a
domain tree) in your forest.
You can create this shortcut trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a shortcut trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
To create a two-way, shortcut trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain that you want to
establish a trust with, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click Two-way, and then click Next.
For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain,
and then click Next.
For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.
8. On the User Name and Password page, type the user name and password for
the appropriate administrator in the specified domain.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
If you do not want to confirm this trust, click No, do not confirm the
outgoing trust. Note that if you do not confirm the trust at this stage, the
secure channel will not be established until the first time the trust is used by
users.
If you want to confirm this trust, click Yes, confirm the outgoing trust, and
then supply the appropriate administrative credentials from the specified
domain.
If you do not want to confirm this trust, click No, do not confirm the
incoming trust.
If you want to confirm this trust, click Yes, confirm the incoming trust, and
then supply the appropriate administrative credentials from the specified
domain.
13. On the Completing the New Trust Wizard page, click Finish.
Creating Forest Trusts
In a Windows Server 2003 forest, you can link two disjoined Windows Server 2003
forests together to form a one-way or two-way, transitive trust relationship. You can use a
two-way, forest trust to form a transitive trust relationship between every domain in both
forests.
For more information about forest trusts, see "How Domain and Forest Trusts Work" in
the Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=35356).
Task requirements
The following requirements, features, or settings are necessary to create forest trusts
successfully:
You can create a forest trust only between two Windows Server 2003 forests; forest
trusts cannot be extended implicitly to a third Windows Server 2003 forest.
To create a forest trust, you must set the forest functional level for both of the
Windows Server 2003 forests that are involved in the trust relationship to
Windows Server 2003. For more information about functional levels, see Active
Directory Functional Levels Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41698).
To create a forest trust successfully, you must set up your Domain Name System
(DNS) environment properly. If there is a root DNS server that you can make the root
DNS server for the DNS namespaces of both forests, make it the root server by
ensuring that the root zone contains delegations for each of the DNS namespaces.
Also, update the root hints of all DNS servers with the new root DNS server.
If there is no shared root DNS server and the root DNS servers for each forest DNS
namespace are running a member of the Windows Server 2003 family, configure
DNS conditional forwarders in each DNS namespace to route queries for names in
the other namespace.
If there is no shared root DNS server and the root DNS servers for each forest DNS
namespace are not running a member of the Windows Server 2003 family, configure
DNS secondary zones in each DNS namespace to route queries for names in the
other namespace. For more information about configuring DNS to work with
Active Directory, see DNS Support for Active Directory Technical Reference on the
Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41699).
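A readiness check for the DNS requirement above, as an added PowerShell example that is not part of the operations guide: run inside one forest, it confirms that the other forest's domain controllers can be located through DNS and reached on the Kerberos and LDAP ports, which is what a forest trust depends on; run it from each forest against the other. It assumes PowerShell 2.0 or later and the Windows nslookup tool; the forest name and function names are placeholders.

```powershell
# Added example, not part of the operations guide: check, from inside one forest, that DNS
# can locate the other forest's domain controllers before the forest trust is created.
# Assumes PowerShell 2.0+ and the Windows nslookup tool; the forest name is a placeholder.

function Get-ForestDcSrvRecords {
    # Domain controllers of a forest root domain register _ldap._tcp.dc._msdcs.<forest>.
    # Resolving that name is exactly what the root delegation, conditional forwarder or
    # secondary zone described in the task requirements has to make possible.
    param([Parameter(Mandatory = $true)] [string] $ForestName)
    $query  = "_ldap._tcp.dc._msdcs.$ForestName"
    $output = (& nslookup -type=SRV $query 2>&1) | Out-String
    $dcs = @()
    foreach ($line in ($output -split "`r?`n")) {
        # Windows nslookup prints one "svr hostname = <dc fqdn>" line per SRV answer.
        if ($line -match 'svr hostname\s*=\s*(\S+)') { $dcs += $Matches[1] }
    }
    return $dcs
}

function Test-TcpPort {
    # Connect attempt with a timeout; a hung connect is as useless to a trust as a refusal.
    param([string] $HostName, [int] $Port, [int] $TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-ForestTrustDnsReadiness {
    # Returns $true only if every advertised DC of the other forest resolves to an address
    # and answers on Kerberos (88) and LDAP (389); run it in each forest against the other.
    param([Parameter(Mandatory = $true)] [string] $OtherForest)
    $dcs = @(Get-ForestDcSrvRecords -ForestName $OtherForest)
    if ($dcs.Count -eq 0) {
        Write-Warning "No DC SRV records found for $OtherForest from this forest's DNS."
        return $false
    }
    $ready = $true
    foreach ($dc in $dcs) {
        try {
            $addresses = [System.Net.Dns]::GetHostAddresses($dc) |
                ForEach-Object { $_.IPAddressToString }
        } catch {
            Write-Warning "$dc is advertised in DNS but does not resolve to an address."
            $ready = $false
            continue
        }
        $krb  = Test-TcpPort -HostName $dc -Port 88
        $ldap = Test-TcpPort -HostName $dc -Port 389
        Write-Host ("{0} [{1}] Kerberos/88: {2}  LDAP/389: {3}" -f `
            $dc, ($addresses -join ', '), $krb, $ldap)
        if (-not ($krb -and $ldap)) { $ready = $false }
    }
    return $ready
}

# Usage (placeholder from the guide's examples), run in the wingtiptoys.com forest:
# Test-ForestTrustDnsReadiness -OtherForest 'tailspintoys.com'
```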
You can use either of the following tools to perform the procedures for this task:
Active Directory Domains and Trusts
Netdom.exe
For more information about how to use the Netdom command-line tool to create a forest
trust, see "Netdom.exe: Windows Domain Manager" in the Windows Server 2003
Technical Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
Note
If you have the appropriate administrative credentials for each forest, you can
create both sides of a forest trust at the same time. To create both sides of the
forest trust, follow the appropriate procedure below that contains the words “for
both sides of the trust” in the title. For example, the procedure “Create a one-way,
incoming, forest trust for both sides of the trust” explains how to configure both
sides of the trust. For more information about how the “both sides of the trust”
option works, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.
You can create a forest trust by using any one of the following procedures, depending on
the requirements of your organization and the administrative credentials that you have
when you create the trust:
Create a one-way, incoming, forest trust for one side of the trust
Create a one-way, incoming, forest trust for both sides of the trust
Create a one-way, outgoing, forest trust for one side of the trust
Create a one-way, outgoing, forest trust for both sides of the trust
A one-way, incoming, forest trust allows users in your Windows Server 2003 forest (the
forest that you are logged on to at the time that you run the New Trust Wizard) to access
resources in another Windows Server 2003 forest. For example, if you are the
administrator of the wingtiptoys.com forest and users in that forest need to access
resources in the tailspintoys.com forest, you can use this procedure to establish one side
of the relationship so that users in your forest can access resources in any of the
domains that make up the tailspintoys.com forest.
You can create this forest trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a forest trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group (in the
forest root domain) or the Enterprise Admins group in Active Directory. If you are a
member of the Incoming Forest Trust Builders group, you can create one-way, incoming,
forest trusts to your forest. For more information about the Incoming Forest Trust Builders
group, see "How Domain and Forest Trusts Work" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=35356).
To create a one-way, incoming, forest trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain that you want to
establish a trust with, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.
5. On the Trust Type page, click Forest trust, and then click Next.
6. On the Direction of Trust page, click One-way: incoming, and then click Next.
For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.
7. On the Sides of Trust page, click This domain only, and then click Next.
For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.
8. On the Trust Password page, type the trust password twice, and then click
Next.
9. On the Trust Selections Complete page, review the results, and then click
Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
If you want to confirm this trust, click Yes, confirm the incoming trust, and
then supply the appropriate administrative credentials from the specified
domain.
12. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the domain administrator for the specified domain (the
forest root domain in the specified forest) must complete the procedure Create a
one-way, outgoing, forest trust for one side of the trust, using their administrative
credentials and the exact same trust password that was used during this
procedure.
You can create this forest trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a forest trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group (in the
forest root domain) or the Enterprise Admins group in Active Directory. If you are a
member of the Incoming Forest Trust Builders group, you can create one-way, incoming,
forest trusts to your forest. For more information about the Incoming Forest Trust Builders
group, see "How Domain and Forest Trusts Work" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=35356).
To create a one-way, incoming, forest trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain that you want to establish a trust with,
and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.
5. On the Trust Type page, click Forest trust, and then click Next.
6. On the Direction of Trust page, click One-way: incoming, and then click Next.
For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain,
and then click Next.
For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.
8. On the User Name and Password page, type the user name and password for
the appropriate administrator in the specified domain.
10. On the Trust Selections Complete page, review the results, and then click
Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
If you do not want to confirm this trust, click No, do not confirm the
incoming trust.
If you want to confirm this trust, click Yes, confirm the incoming trust, and
then supply the appropriate administrative credentials from the specified
domain.
13. On the Completing the New Trust Wizard page, click Finish.
A one-way, outgoing, forest trust allows resources in your Windows Server 2003 forest
(the forest that you are logged on to at the time that you run the New Trust Wizard) to be
accessed by users in another Windows Server 2003 forest. For example, if you are the
administrator of the wingtiptoys.com forest and resources in that forest need to be
accessed by users in the tailspintoys.com forest, you can use this procedure to establish
one side of the relationship so that users in the tailspintoys.com forest can access
resources in any of the domains that make up the wingtiptoys.com forest.
You can create this forest trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a forest trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group (in the
forest root domain) or the Enterprise Admins group in Active Directory. If you are a
member of the Incoming Forest Trust Builders group, you can create one-way, incoming,
forest trusts to your forest. For more information about the Incoming Forest Trust Builders
group, see "How Domain and Forest Trusts Work" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=35356).
To create a one-way, outgoing, forest trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain that you want to
establish a trust with, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.
5. On the Trust Type page, click Forest trust, and then click Next.
6. On the Direction of Trust page, click One-way: outgoing, and then click Next.
For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.
7. On the Sides of Trust page, click This domain only, and then click Next.
For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.
8. On the Outgoing Trust Authentication Level page, do one of the following, and
then click Next:
9. On the Trust Password page, type the trust password twice, and then click
Next.
10. On the Trust Selections Complete page, review the results, and then click
Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
If you want to confirm this trust, click Yes, confirm the outgoing trust, and
then supply the appropriate administrative credentials from the specified
domain.
13. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the domain administrator for the specified domain (the
forest root domain in the specified forest) must follow the procedure Create a
one-way, incoming, forest trust for one side of the trust, using his or her
administrative credentials and the exact same trust password that was used
during this procedure.
You can create this forest trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a forest trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group (in the
forest root domain) or the Enterprise Admins group in Active Directory. If you are a
member of the Incoming Forest Trust Builders group, you can create one-way, incoming,
forest trusts to your forest. For more information about the Incoming Forest Trust Builders
group, see "How Domain and Forest Trusts Work" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=35356).
To create a one-way, outgoing, forest trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain that you want to establish a trust with,
and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.
5. On the Trust Type page, click Forest trust, and then click Next.
6. On the Direction of Trust page, click One-way: outgoing, and then click Next.
For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain,
and then click Next.
For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.
8. On the User Name and Password page, type the user name and password for
the appropriate administrator in the specified domain.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
If you do not want to confirm this trust, click No, do not confirm the
outgoing trust. Note that if you do not confirm the trust at this stage, the
secure channel will not be established until the first time the trust is used by
users.
If you want to confirm this trust, click Yes, confirm the outgoing trust, and
then supply the appropriate administrative credentials from the specified
domain.
13. On the Completing the New Trust Wizard page, click Finish.
You can create this forest trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a forest trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group (in the
forest root domain) or the Enterprise Admins group in Active Directory. If you are a
member of the Incoming Forest Trust Builders group, you can create one-way, incoming,
forest trusts to your forest. For more information about the Incoming Forest Trust Builders
group, see "How Domain and Forest Trusts Work" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=35356).
To create a two-way, forest trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain that you want to establish a trust with,
and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.
5. On the Trust Type page, click Forest trust, and then click Next.
6. On the Direction of Trust page, click Two-way, and then click Next.
For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.
7. On the Sides of Trust page, click This domain only, and then click Next.
For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.
8. On the Outgoing Trust Authentication Level page, do one of the following, and
then click Next:
Click Forest-wide authentication.
9. On the Trust Password page, type the trust password twice, and then click
Next.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
If you do not want to confirm this trust, click No, do not confirm the
outgoing trust. Note that if you do not confirm the trust at this stage, the
secure channel will not be established until the first time the trust is used by
users.
If you want to confirm this trust, click Yes, confirm the outgoing trust, and
then supply the appropriate administrative credentials from the specified
domain.
If you do not want to confirm this trust, click No, do not confirm the
incoming trust.
If you want to confirm this trust, click Yes, confirm the incoming trust, and
then supply the appropriate administrative credentials from the specified
domain.
14. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the domain administrator in the specified forest must
follow this same procedure, using his or her administrative credentials and the
exact same trust password that was used during this procedure.
A two-way, forest trust allows users in your forest (the forest that you are logged on to at
the time that you run the New Trust Wizard) and users in the reciprocal forest to access
resources in any of the domains in either of the two forests.
You can create this forest trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a forest trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group (in the
forest root domain) or the Enterprise Admins group in Active Directory. If you are a
member of the Incoming Forest Trust Builders group, you can create one-way, incoming,
forest trusts to your forest. For more information about the Incoming Forest Trust Builders
group, see "How Domain and Forest Trusts Work" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=35356).
To create a two-way, forest trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain that you want to
establish a trust with, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.
5. On the Trust Type page, click Forest trust, and then click Next.
6. On the Direction of Trust page, click Two-way, and then click Next.
For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain,
and then click Next.
For more information about the selections that are available on the Sides of
Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard
Pages.
8. On the User Name and Password page, type the user name and password for
the appropriate administrator in the specified domain.
11. On the Trust Selections Complete page, review the results, and then click
Next.
12. On the Trust Creation Complete page, review the results, and then click Next.
If you do not want to confirm this trust, click No, do not confirm the
outgoing trust. Note that if you do not confirm the trust at this stage, the
secure channel will not be established until the first time the trust is used by
users.
If you want to confirm this trust, click Yes, confirm the outgoing trust, and
then supply the appropriate administrative credentials from the specified
domain.
If you do not want to confirm this trust, click No, do not confirm the
incoming trust.
If you want to confirm this trust, click Yes, confirm the incoming trust, and
then supply the appropriate administrative credentials from the specified
domain.
15. On the Completing the New Trust Wizard page, click Finish.
Creating Realm Trusts
You can create a realm trust to form a one-way or two-way, nontransitive or transitive
trust with non-Windows Kerberos realms in your organization. You can create the trust
when you log on to the domain, or you can use the Run as command to create the trust
for a different domain.
For more information about realm trusts, see "How Domain and Forest Trusts Work" in
the Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=35356).
Task requirements
You can use either of the following tools to perform the procedures for this task:
Active Directory Domains and Trusts
Netdom.exe
For more information about how to use the Netdom command-line tool to create a realm
trust, see "Netdom.exe: Windows Domain Manager" in the Windows Server 2003
Technical Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?
LinkId=41700).
Note
The New Trust Wizard in Active Directory Domains and Trusts does not support
the creation of both sides of a realm trust at the same time. For more information
about how the “both sides of the trust” option works, see the section "Sides of
Trust" in Appendix: New Trust Wizard Pages.
You can create a realm trust by using any of the following procedures, depending on the
requirements of your organization and the administrative credentials that you have when
you create the trust:
You can create this realm trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a realm trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
To create a one-way, incoming, realm trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain that you want to
establish a trust with, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.
5. On the Trust Type page, click Realm trust, and then click Next.
6. On the Transitivity of Trust page, do one of the following:
To form a trust relationship with the domain and the specified realm only,
click Nontransitive, and then click Next.
To form a trust relationship with the domain and the specified realm and all
trusted realms, click Transitive, and then click Next.
7. On the Direction of Trust page, click One-way: incoming, and then click Next.
For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.
8. On the Trust Password page, type the trust password twice, and then click
Next.
9. On the Trust Selections Complete page, review the results, and then click
Next.
10. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the administrator of the realm must complete the trust,
using his or her administrative credentials and the exact same trust password
that was used during this procedure.
You can create this realm trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a realm trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
To create a one-way, outgoing, realm trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain that you want to establish a trust with,
and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.
5. On the Trust Type page, click Realm trust, and then click Next.
6. On the Transitivity of Trust page, do one of the following:
To form a trust relationship with the domain and the specified realm only,
click Nontransitive, and then click Next.
To form a trust relationship with the domain and the specified realm and all
trusted realms, click Transitive, and then click Next.
7. On the Direction of Trust page, click One-way: outgoing, and then click Next.
For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.
8. On the Trust Password page, type the trust password twice, and then click
Next.
9. On the Trust Selections Complete page, review the results, and then click
Next.
10. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the administrator of the realm must complete the trust,
using his or her administrative credentials and the exact same trust password
that was used during this procedure.
You can create this realm trust by using the New Trust Wizard in Active Directory
Domains and Trusts or by using the Netdom command-line tool. For more information
about how to use the Netdom command-line tool to create a realm trust, see
"Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
To create a two-way, realm trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain that you want to
establish a trust with, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or
network basic input/output system (NetBIOS) name) of the domain, and then
click Next.
5. On the Trust Type page, click Realm trust, and then click Next.
6. On the Transitivity of Trust page, do one of the following:
To form a trust relationship with the domain and the specified realm only,
click Nontransitive, and then click Next.
To form a trust relationship with the domain and the specified realm and all
trusted realms, click Transitive, and then click Next.
7. On the Direction of Trust page, click Two-way, and then click Next.
For more information about the selections that are available on the Direction of
Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard
Pages.
8. On the Trust Password page, type the trust password twice, and then click
Next.
9. On the Trust Selections Complete page, review the results, and then click
Next.
10. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the administrator of the realm must complete the trust,
using his or her administrative credentials and the exact same trust password
that was used during this procedure.
The following tasks for removing a manually created trust are described in this objective:
Task requirements
You can use either of the following tools to perform the procedures for this task:
Active Directory Domains and Trusts
Netdom.exe
For more information about how to use the Netdom command-line tool to validate or
remove a trust, see "Netdom.exe: Windows Domain Manager" in the Windows Server 2003
Technical Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?
LinkId=41700).
Validate a trust
You can validate all trusts that are made between domains, but you cannot validate realm
trusts.
You can validate a trust by using the New Trust Wizard in Active Directory Domains and
Trusts or by using the Netdom command-line tool. For more information about how to use
the Netdom command-line tool to validate a trust, see "Netdom.exe: Windows
Domain Manager" in the Windows Server 2003 Technical Reference on the Microsoft
Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To complete this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
To validate a trust
Using the Windows interface
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain that contains the trust that you want to
validate, and then click Properties.
3. On the Trusts tab, under either Domains trusted by this domain (outgoing
trusts) or Domains that trust this domain (incoming trusts), click the trust to
be validated, and then click Properties.
4. Click Validate.
If you click this option, it is recommended that you repeat this procedure for
the reciprocal domain.
If you click this option, you must type a user account and password with
administrative credentials for the reciprocal domain.
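The Validate button above checks one trust at a time. The script below is an added example, not part of the Microsoft guide: it inventories every trust of the current domain and forest through the .NET System.DirectoryServices.ActiveDirectory classes, runs the outbound secure-channel verification that corresponds to the wizard's validation, and also reports whether SID filtering is in force on each trust, which is the setting that the "Configuring SID Filtering Settings" section later in this objective describes. Function names are this example's own; it assumes PowerShell 2.0 or later, run as a member of Domain Admins or Enterprise Admins as the guide requires.

```powershell
# Added example, not from the Microsoft guide: trust inventory, validation and
# SID filtering report using System.DirectoryServices.ActiveDirectory (.NET 2.0).

function Test-TrustEntry($trust, $scope, $scopeName) {
    $row = New-Object PSObject -Property @{
        Scope        = $scopeName
        Source       = $trust.SourceName
        Target       = $trust.TargetName
        Direction    = $trust.TrustDirection.ToString()   # Inbound, Outbound, Bidirectional
        Type         = $trust.TrustType.ToString()        # ParentChild, TreeRoot, External, Forest, Kerberos
        Validated    = 'not checked'
        SidFiltering = 'unknown'
    }

    # Realm (Kerberos) trusts cannot be validated, as the guide states, and an
    # inbound-only trust has no outbound secure channel on this side to verify.
    $isRealm     = ($trust.TrustType -eq [System.DirectoryServices.ActiveDirectory.TrustType]::Kerberos)
    $hasOutbound = ($trust.TrustDirection -ne [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound)
    if (-not $isRealm -and $hasOutbound) {
        try {
            $scope.VerifyOutboundTrustRelationship($trust.TargetName)
            $row.Validated = 'OK'
        } catch {
            $row.Validated = 'FAILED: ' + $_.Exception.Message
        }
    }

    # SID filtering (quarantine) status; meaningful for external and forest trusts,
    # so failures on intra-forest trusts are reported as n/a rather than errors.
    try {
        $row.SidFiltering = $scope.GetSidFilteringStatus($trust.TargetName)
    } catch {
        $row.SidFiltering = 'n/a'
    }
    return $row
}

function Get-TrustAuditReport {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $rows = @()
    foreach ($t in $domain.GetAllTrustRelationships()) {
        # Forest trusts, if the domain object also lists them, are covered by the forest loop.
        if ($t.TrustType -eq [System.DirectoryServices.ActiveDirectory.TrustType]::Forest) { continue }
        $rows += Test-TrustEntry $t $domain 'Domain'
    }
    foreach ($t in $forest.GetAllTrustRelationships()) {
        $rows += Test-TrustEntry $t $forest 'Forest'
    }
    return $rows
}

Get-TrustAuditReport |
    Format-Table Scope, Source, Target, Direction, Type, Validated, SidFiltering -AutoSize
```

A FAILED row is the scripted equivalent of the wizard reporting that the trust could not be validated, and an External or Forest row whose SidFiltering is False is worth a second look, because the guide's later section explains that SID filtering is what stops a SIDHistory-based privilege grant from crossing the trust.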
You can remove a manually created trust by using the New Trust Wizard in
Active Directory Domains and Trusts or by using the Netdom command-line tool. For
more information about the Netdom command-line tool, see "Netdom.exe: Windows
Domain Manager" in the Windows Server 2003 Technical Reference on the Microsoft
Web site (http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To complete this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
To remove a manually created trust
Using the Windows interface
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain that contains the trust that you want to
remove, and then click Properties.
Click No, remove the trust from the local domain only.
If you click this option, it is recommended that you repeat this procedure for
the reciprocal domain.
Click Yes, remove the trust from both the local domain and the other
domain.
If you click this option, you must type a user account and password with
administrative credentials for the reciprocal domain.
Note
If you are using Netdom to remove a realm trust, you must add the /force option
to the end of the command (after /remove) to remove the trust successfully.
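The realm trust procedures earlier in this objective and the removal note above both map onto the Netdom command line. The script below is an added example, not part of the Microsoft guide: it assembles the `netdom trust` command lines for creating a one-way or two-way realm trust and for removing a trust, so that the trusting/trusted ordering is not left to memory. netdom lists the trusting domain first and the trusted domain after `/d:`, and the wizard's "incoming" and "outgoing" choices decide which name goes where; that mapping is this example's reading of the rule. The switches used (`/add`, `/realm`, `/twoway`, `/transitive`, `/passwordT`, `/remove`, `/force`) are `netdom trust` switches; netdom.exe itself is installed from the Windows Server 2003 Support Tools. The domain and realm names are constructed.

```powershell
# Added example, not from the Microsoft guide: netdom command lines for the
# realm trust and trust removal procedures. Assumes PowerShell 2.0+ and netdom.exe
# from the Support Tools on the path.

function Get-NetdomRealmTrustCommand {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,    # the Windows domain you administer
        [Parameter(Mandatory = $true)][string]$Realm,     # the non-Windows Kerberos realm
        [Parameter(Mandatory = $true)][string]$Direction, # Incoming, Outgoing or TwoWay
        [bool]$Transitive = $false                        # the Transitivity of Trust page
    )
    # Wizard meaning: Outgoing = your domain trusts the realm (realm users reach your
    # resources); Incoming = the realm trusts your domain. netdom wants trusting first.
    switch ($Direction) {
        'Outgoing' { $trusting = $Domain; $trusted = $Realm;  $extra = '' }
        'Incoming' { $trusting = $Realm;  $trusted = $Domain; $extra = '' }
        'TwoWay'   { $trusting = $Domain; $trusted = $Realm;  $extra = ' /twoway' }
        default    { throw 'Direction must be Incoming, Outgoing or TwoWay' }
    }
    $transitiveValue = if ($Transitive) { 'yes' } else { 'no' }
    # /passwordT:* prompts for the trust password, the value typed twice on the
    # Trust Password page that the realm administrator must reuse on their side.
    return "netdom trust $trusting /d:$trusted /add /realm$extra /transitive:$transitiveValue /passwordT:*"
}

function Get-NetdomRemoveTrustCommand {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [Parameter(Mandatory = $true)][string]$Partner,
        [switch]$Realm
    )
    $cmd = "netdom trust $Domain /d:$Partner /remove"
    # The guide's note: a realm trust is only removed when /force follows /remove.
    if ($Realm) { $cmd += ' /force' }
    return $cmd
}

# Usage: print the commands first; run one with "cmd /c <command>" after reviewing it.
Get-NetdomRealmTrustCommand -Domain 'wingtiptoys.com' -Realm 'EXAMPLE.ORG' -Direction 'Outgoing' -Transitive $true
Get-NetdomRealmTrustCommand -Domain 'wingtiptoys.com' -Realm 'EXAMPLE.ORG' -Direction 'TwoWay'
Get-NetdomRemoveTrustCommand -Domain 'wingtiptoys.com' -Partner 'EXAMPLE.ORG' -Realm
```

Keeping the trust password out of the command line (`/passwordT:*` prompts for it) matters on shared administrative hosts, where a password typed as an argument survives in console history and in process-listing tools.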
Note
You cannot enable a name suffix that is in conflict. If the conflict is with a local
UPN name suffix, you must remove the local UPN name suffix before you can
enable the routing name. If the conflict is with a name that is claimed by another
trust partner, you must disable the name in the other trust before it can be
enabled for this trust.
Task requirements
You can use either of the following tools to perform the procedures for this task:
Active Directory Domains and Trusts
Netdom.exe
For more information about how to use the Netdom command-line tool to manage
trusts, see "Netdom.exe: Windows Domain Manager" in the Windows Server 2003
Technical Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?
LinkId=41700).
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain that you want to
administer, and then click Properties.
3. On the Trusts tab, under either Domains trusted by this domain (outgoing
trusts) or Domains that trust this domain (incoming trusts), click the forest
trust that you want to administer, and then click Properties.
4. On the Name Suffix Routing tab, under Name suffixes in the x.x forest, click
the suffix for which you want to modify routing status, and then click Edit.
5. In Existing name suffixes in x.x, click the suffix that you want to modify, and
then click Enable or Disable.
Note
When you disable a name suffix, all children of that Domain Name System (DNS)
name will also be disabled.
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
3. On the Trusts tab, under either Domains trusted by this domain (outgoing
trusts) or Domains that trust this domain (incoming trusts), click the forest
trust that you want to administer, and then click Properties.
4. Click the Name Suffix Routing tab, and then, under Name suffixes in the x.x
forest, do one of the following:
To enable a name suffix, click the suffix that you want to enable, and then
click Enable. If the Enable button is unavailable, the name suffix is already
enabled.
To disable a name suffix, click the suffix that you want to disable, and then
click Disable. If the Disable button is unavailable, the name suffix is already
disabled.
Note
When you exclude a name suffix, all children of that Domain Name System
(DNS) name will also be excluded.
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
To exclude name suffixes from routing to local forests
Using the Windows interface
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain that you want to administer, and then
click Properties.
3. On the Trusts tab, under either Domains trusted by this domain (outgoing
trusts) or Domains that trust this domain (incoming trusts), click the forest
trust that you want to administer, and then click Properties.
4. On the Name Suffix Routing tab, under Name suffixes in the x.x forest, click
the unique name suffix to exclude from routing, and then click Edit.
5. In Name suffixes to exclude from routing to x.x, click Add, type a DNS name
suffix that is subordinate to the unique name suffix, and then click OK.
The following tasks for securing domain and forest trusts are described in this objective:
For more information about how the security settings for domain and forest trusts work,
see "Security Considerations for Trusts" in the Windows Server 2003 Technical
Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=35413).
Configuring SID Filtering Settings
Security principals in Active Directory have an attribute called SIDHistory to which
domain administrators can add users’ old security identifiers (SIDs). This is useful during
Active Directory migrations because administrators do not need to modify access control
lists (ACLs) on large numbers of resources and users can use their old SIDs to access
resources. However, under some circumstances it is possible for domain administrators
to use the SIDHistory attribute to associate SIDs with new user accounts, granting
themselves unauthorized rights. To help prevent this type of attack,
Windows Server 2003 automatically enables SID filtering on all external trusts and forest
trusts that are created by a Windows Server 2003 domain controller. External trusts that
are created using domain controllers running Windows 2000 Server with Service Pack 3
(SP3) or earlier must be manually configured to enable SID filtering.
Note
You cannot turn off the default behavior in Windows Server 2003 that enables
SID filtering for newly created external and forest trusts. External trusts that are
created from domain controllers running Windows 2000 Server with SP3 or
earlier do not enforce SID filtering by default.
You can use SID filtering to filter out migrated SIDs that are stored in SIDHistory from
specific domains. For example, where an external trust relationship exists so that the
Noam domain (running Windows 2000 Server domain controllers) trusts the Acquired
domain (also running Windows 2000 Server domain controllers), an administrator of the
Noam domain can manually apply SID filtering to the Acquired domain, which allows all
SIDs with a domain SID from the Acquired domain to pass but all other SIDs (such as
those from migrated SIDs that are stored in SIDHistory) to be discarded.
Note
Do not apply SID filtering to domains within a forest, because doing so removes
SIDs that are required for Active Directory replication, and it causes
authentication to fail for users from domains that are trusted transitively through
the isolated domain.
To further secure your forest, consider enabling SID filtering on all existing external trusts
that were created by domain controllers running Windows 2000 Server SP3 or earlier. You
can do this by using Netdom.exe to enable SID filtering on the existing external trusts or by
recreating these external trusts from a domain controller running Windows Server 2003
or Windows 2000 Server with Service Pack 4 (SP4) or later. For more information about
how to enable SID filtering on trusts that are created by Windows 2000 Server domain
controllers, see the Windows 2000 Active Directory Operations Guide on the Microsoft Web
site (http://go.microsoft.com/fwlink/?LinkId=18545).
For more information about how SID filtering works, see "Security Considerations for
Trusts" in the Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=35413).
Task requirements
You can use either of the following tools to perform the procedures for this task:
Netdom.exe
For more information about how to use the Netdom command-line tool to configure SID
filtering settings, see "Netdom.exe: Windows Domain Manager" in the
Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41700).
You have an equally high level of confidence in the administrators who have physical
access to domain controllers in the trusted domain and the administrators with such
access in the trusting domain.
You have a strict requirement to assign universal groups to resources in the trusting
domain, even when those groups were not created in the trusted domain.
Users have been migrated to the trusted domain with their SID histories preserved,
and you want to grant those users access to resources in the trusting domain based
on the SIDHistory attribute.
For more information about how SID filtering works, see "Security Considerations for
Trusts" in the Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=35413).
You can disable SID filtering by using the Netdom command-line tool. For more
information about the Netdom command-line tool, see "Netdom.exe: Windows Domain
Manager" in the Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To complete this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
Note
You can enable or disable SID filtering only from the trusting side of the
trust. If the trust is a two-way trust, you can also disable SID filtering in
the trusted domain by using the domain administrator’s credentials for
the trusted domain and reversing the TrustingDomainName and
TrustedDomainName values in the command-line syntax.
Reapply SID filtering
You can reapply security identifier (SID) filtering to an external or forest trust that has had
SID filtering disabled. By default, Windows Server 2003 automatically enables SID
filtering on all external trusts and forest trusts that are created by a Windows Server 2003
domain controller. For more information about how SID filtering works, see "Security
Considerations for Trusts" in the Windows Server 2003 Technical Reference on the
Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=35413).
You can reapply SID filtering by using the Netdom command-line tool. For more
information about the Netdom command-line tool, see "Netdom.exe: Windows Domain
Manager" in the Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To complete this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
For more information about how selective authentication settings work, see "Security
Considerations for Trusts" in the Windows Server 2003 Technical Reference on the
Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=35413).
Task requirements
You can use either of the following tools to perform the procedures for this task:
Netdom.exe
For more information about how to use the Netdom command-line tool to configure
selective authentication settings, see "Netdom.exe: Windows Domain Manager" in the
Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41700).
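As an added example that is not part of the Microsoft guide, the following Windows PowerShell script audits every trust in the local domain for the SID filtering and selective authentication settings described above, by decoding the trustAttributes flags on the trustedDomain objects in the System container. The flag values and the netdom trust syntax in the Remediation column are the documented ones; the script assumes a domain-joined computer and Windows PowerShell.

```powershell
# Added example (not from the Microsoft guide): report the SID filtering and
# selective authentication posture of every trust in the local (trusting) domain.
# Assumes Windows PowerShell on a domain-joined computer; reading CN=System needs
# only ordinary domain user rights, the netdom commands it prints need Domain Admins.

# trustAttributes bit flags (from the trustedDomain schema documentation)
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04  # SID filtering (quarantine) applied to this trust
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x08  # forest trust
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x10  # selective authentication
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20  # trust to another domain in the same forest
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40  # forest trust relaxed with netdom /enablesidhistory:Yes

$directionNames = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }

function Get-TrustPosture {
    # The local domain is the trusting side: the side on which SID filtering is set.
    $localDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=System,$domainDn"
    $searcher.Filter     = '(objectClass=trustedDomain)'
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('name', 'trustDirection', 'trustAttributes'))

    foreach ($result in $searcher.FindAll()) {
        $name      = [string]$result.Properties['name'][0]
        $direction = [int]$result.Properties['trustdirection'][0]
        $attrs     = [int]$result.Properties['trustattributes'][0]

        $isForest   = ($attrs -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0
        $isInternal = ($attrs -band $TRUST_ATTRIBUTE_WITHIN_FOREST) -ne 0
        $selective  = ($attrs -band $TRUST_ATTRIBUTE_CROSS_ORGANIZATION) -ne 0

        if ($isInternal) {
            # Trusts inside the forest must not be SID filtered (see the note above).
            $kind = 'Intra-forest'; $filtered = 'n/a'; $fix = ''
        } elseif ($isForest) {
            # A forest trust filters SIDs from outside the trusted forest unless it has
            # been relaxed with /enablesidhistory:Yes (TREAT_AS_EXTERNAL).
            $kind = 'Forest'
            $filtered = ($attrs -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) -eq 0
            $fix = if ($filtered) { '' } else { "netdom trust $localDomain /domain:$name /enablesidhistory:No" }
        } else {
            # External (or realm) trust: filtering is in force only with the quarantine flag,
            # which is what Windows 2000 SP3 and earlier domain controllers leave unset.
            $kind = 'External'
            $filtered = ($attrs -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -ne 0
            $fix = if ($filtered) { '' } else { "netdom trust $localDomain /domain:$name /quarantine:Yes" }
        }

        [pscustomobject]@{
            TrustedDomain           = $name
            Direction               = $directionNames[$direction]
            Kind                    = $kind
            SidFilteringEnforced    = $filtered
            SelectiveAuthentication = $selective
            Remediation             = $fix
        }
    }
}

Get-TrustPosture | Format-Table -AutoSize
```

Trusts with an empty Remediation column already match the Windows Server 2003 default; the netdom commands shown take the trusted domain's credentials through the /userD and /passwordD switches described in the Netdom reference.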
You can enable selective authentication over an external trust by using the New Trust
Wizard in Active Directory Domains and Trusts or by using the Netdom command-line
tool. For more information about how to use the Netdom command-line tool to configure
selective authentication settings, see "Netdom.exe: Windows Domain Manager" in the
Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To complete this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
To enable selective authentication over an external trust
Using the Windows interface
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain that you want to administer, and then
click Properties.
3. On the Trusts tab, under either Domains trusted by this domain (outgoing
trusts) or Domains that trust this domain (incoming trusts), click the external
trust that you want to administer, and then click Properties.
4. On the Authentication tab, click Selective authentication, and then click OK.
Note
Only the authentication settings for the outgoing trust are displayed when you
click Properties and then click the Authentication tab in Active Directory
Domains and Trusts. To view the correct authentication settings for the incoming
side of a two-way, external trust, connect to a domain controller in the trusted
domain, and then use Active Directory Domains and Trusts to view the
authentication settings for the outgoing side of the same trust.
You can enable selective authentication over a forest trust by using the New Trust Wizard
in Active Directory Domains and Trusts or by using the Netdom command-line tool. For
more information about how to use the Netdom command-line tool to configure selective
authentication settings, see "Netdom.exe: Windows Domain Manager" in the
Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To complete this procedure, you must be a member of the Domain Admins group (in the
forest root domain) or the Enterprise Admins group in Active Directory.
2. In the console tree, right-click the domain node for the forest root domain, and
then click Properties.
3. On the Trusts tab, under either Domains trusted by this domain (outgoing
trusts) or Domains that trust this domain (incoming trusts), click the forest
trust that you want to administer, and then click Properties.
4. On the Authentication tab, click Selective authentication, and then click OK.
Note
Only the authentication settings for the outgoing trust are displayed when you
click Properties and then click the Authentication tab in Active Directory
Domains and Trusts. To view the correct authentication settings for the incoming
side of a two-way, forest trust, connect to a domain controller in the forest root
domain of the trusted forest, and then use Active Directory Domains and Trusts
to view the authentication settings for the outgoing side of the same trust.
You can enable domain-wide authentication over an external trust by using the New Trust
Wizard in Active Directory Domains and Trusts or by using the Netdom command-line
tool. For more information about how to use the Netdom command-line tool to configure
selective authentication settings, see "Netdom.exe: Windows Domain Manager" in the
Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To complete this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
2. In the console tree, right-click the domain that you want to administer, and then
click Properties.
3. On the Trusts tab, under either Domains trusted by this domain (outgoing
trusts) or Domains that trust this domain (incoming trusts), click the external
trust that you want to administer, and then click Properties.
Note
Only the authentication settings for the outgoing trust are displayed when you
click Properties and then click the Authentication tab in Active Directory
Domains and Trusts. To view the correct authentication settings for the incoming
side of a two-way, external trust, connect to a domain controller in the trusted
domain, and then use Active Directory Domains and Trusts to view the
authentication settings for the outgoing side of the same trust.
You can enable forest-wide authentication over a forest trust by using the New Trust
Wizard in Active Directory Domains and Trusts or by using the Netdom command-line
tool. For more information about how to use the Netdom command-line tool to configure
selective authentication settings, see "Netdom.exe: Windows Domain Manager" in the
Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=41700).
Administrative credentials
To complete this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
3. On the Trusts tab, under either Domains trusted by this domain (outgoing
trusts) or Domains that trust this domain (incoming trusts), click the forest
trust that you want to administer, and then click Properties.
Note
Only the authentication settings for the outgoing trust are displayed when you
click Properties and then click the Authentication tab in Active Directory
Domains and Trusts. To view the correct authentication settings for the incoming
side of a two-way, forest trust, connect to a domain controller in the trusted
domain (the forest root domain in the other forest), and then use Active Directory
Domains and Trusts to view the authentication settings for the outgoing side of
the same trust.
Note
The Allowed to Authenticate permission can be set on computer objects that
represent member servers running Windows NT Server 4.0,
Windows 2000 Server, and Windows Server 2003.
Note
By default, only members of the Account Operators, Administrators, Domain
Admins, Enterprise Admins, and SYSTEM security groups that are located in the
trusting domain can modify the Allowed to Authenticate permission.
To enable access to resources over an external trust or forest trust that is set to selective
authentication, complete the following procedure by using Active Directory Users and
Computers from the trusting domain.
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
2. In the console tree, click the Computers container or the container where your
computer objects reside.
3. Right-click the computer object that you want users in the trusted domain or
forest to access, and then click Properties.
In Group or user names, click the user names or group names for which
you want to grant access to this computer, select the Allow check box next
to the Allowed to Authenticate permission, and then click OK.
Click Add. In Enter the object names to select, type the name of the user
object or group object for which you want to grant access to this resource
computer, and then click OK. Select the Allow check box next to the
Allowed to Authenticate permission, and then click OK.
Appendix: New Trust Wizard Pages
Understanding how user input is handled during the trust creation process will help you
provide information when it is most necessary and help you better prepare for your
specific procedure. This section explains the two most complex pages in the New Trust
Wizard:
Direction of Trust
Sides of Trust
Direction of Trust
The Direction of Trust page in the New Trust Wizard is configured by an administrator in
one domain to determine whether authentication requests should be routed from this
domain to a specified domain, from the specified domain to this domain, or freely
between both domains. The following options are available on the Direction of Trust
page:
Two-way: A two-way trust allows authentication requests that are sent by users in
either domain or forest to be routed successfully to resources in either of the two
domains or forests.
This guide provides information for administering the Windows Time service in the
Microsoft Windows Server 2003 operating system.
The purpose of the Windows Time service is to make sure that all computers that are
running Windows 2000 or later versions in an organization use a common time. To
guarantee appropriate common time usage, the Windows Time service uses a
hierarchical relationship that controls authority and does not permit loops.
All client desktop computers nominate the authenticating domain controller as their
in-bound time partner.
All member servers follow the same process as client desktop computers.
Domain controllers may nominate the primary domain controller (PDC) operations
master as their in-bound time partner but may use a parent domain controller based
on stratum numbering.
All PDC operations masters follow the hierarchy of domains in the selection of their
in-bound time partner.
Following this hierarchy, the PDC operations master at the root of the forest becomes
authoritative for the organization. The authoritative time source at the root of the forest
can acquire its time by connecting to an external NTP server, which is connected to a
hardware device by means of a telephone or the Internet. Organizations such as the
United States Naval Observatory provide NTP servers that are connected to extremely
reliable reference clocks.
If you need highly accurate time synchronization but cannot connect to an external time
source on the Internet, we recommend that you configure a hardware clock, such as a
radio or GPS device, as the time source for the PDC. There are many consumer and
enterprise devices that use the Network Time Protocol (NTP), allowing you to install the
device on an internal network for use with the PDC.
For a detailed technical reference of the Windows Time service, including complete
documentation of the w32tm tool and the time service registry settings, see the Windows
Time Service Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=40648).
Managing the Windows Time Service
You initially configure the Windows 2003 Time service (W32Time) when you deploy your
Active Directory forest root domain. Thereafter, it requires little day-to-day management.
After you make changes on your network, however, including when you add certain client
computers, move the PDC emulator operations master role, or simply change the time
source for your network, you might need to perform some of the following tasks:
If you move the PDC emulator role to a different computer. In this case, you must
configure the time service for the new PDC emulator role holder.
If you change the time source for the PDC emulator. For example, if you change from
synchronizing with an external source to a hardware device.
Follow these best practices for configuring the time source on the forest-root PDC
emulator, in this order of preference:
Install a hardware clock, such as a radio or GPS device, as the source for the PDC.
There are many consumer and enterprise devices that use the Network Time
Protocol (NTP), allowing you to install the device on an internal network for usage
with the PDC.
Configure the Windows Time service to synchronize with an external time server.
External time servers allow users to synchronize computer clocks by means of dial-
up, network, and radio links.
The Microsoft time server (time.windows.com) uses NIST, the National Institute of
Standards and Technology, located in Boulder, Colorado, as its external time
provider. NIST provides the Automated Computer Time Service (ACTS), which can
set a computer clock with an uncertainty of less than 10 milliseconds. The U.S. Naval
Observatory (USNO) Time Service Department in Washington D.C. is another source
for accurate time synchronization in the United States. Many other sites exist
throughout the world that can be used for time synchronization. To find them, search
for "time synchronization" on the Internet.
Note
Because synchronization with an external time source is not authenticated, it is
less secure.
The PDC emulator of the forest root domain is customarily the authoritative time source
for the forest and the computer that is usually configured to retrieve time from an external
source. However, if the PDC emulator is not configured to retrieve time from another time
source but is the reliable time source for the domain, configure it to synchronize from its
own internal hardware clock.
The role of PDC emulator can move between computers, meaning that every time the
role of PDC emulator moves, the time service must be reconfigured on the new PDC
emulator, and the manual configuration must be removed from the original PDC emulator.
To avoid this process, configure one domain controller in the forest root domain that is not
the PDC emulator, as the reliable time source and manually configure it to point to an
external time source. Then, no matter which computer is the PDC emulator, the root of
the time service stays the same and thus remains properly configured.
If you choose to implement another time synchronization product that uses the NTP
protocol on your network, you must disable the Windows Time service. All NTP servers
need access to UDP port 123. If W32Time is running on a Windows 2003–based
computer, port 123 will remain occupied.
Task requirements
The following tools are required to perform the procedures for this task:
W32tm.exe
Perform the following procedures as needed to configure a time source for your forest:
2. If you move the role of the PDC emulator to a new domain controller, Change the
Windows Time service configuration on the previous PDC emulator.
3. If you anticipate moving the PDC emulator role and do not want to reconfigure the
Windows Time service afterwards, Configure a domain controller in the parent
domain as a reliable time source.
4. If your PDC emulator is not configured to retrieve time from another time source but
is the reliable time source for the domain, Configure the PDC emulator to
synchronize from its internal hardware clock.
5. If you are implementing a time synchronization product other than the Windows Time
service in your environment that uses the NTP protocol, Disable the Windows Time
service to free UDP port 123 on the network.
Before you configure the time service on the PDC emulator, you can determine the time
difference between it and the source as a means to test basic NTP communication. After
completing the configuration on the PDC emulator, be sure to monitor the System log in
Event Viewer for W32Time errors.
Note
For more information about the w32tm command, type w32tm /? at a command
prompt or see Windows Time Service Tools and Settings on the Microsoft Web
site (http://go.microsoft.com/fwlink/?LinkId=42984).
Administrative Credentials
To perform this procedure locally on the PDC emulator, you must be a member of the
Administrators group. To perform this procedure from a remote computer, you must be a
member of the Domain Admins group.
2. Type the following command to display the time difference between the local
computer and a target computer, and then press ENTER:
4. Open UDP port 123 (or a different port you have selected) for incoming NTP
traffic.
5. Type the following command to configure the PDC emulator and then press
ENTER:
where peers specifies the list of DNS names and/or IP addresses of the NTP
time source that the PDC emulator synchronizes from. For example, you can
specify time.windows.com. When specifying multiple peers, use a space as the
delimiter and enclose them in quotation marks.
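The two steps above, testing NTP communication with the source and then configuring the PDC emulator with a quoted, space-delimited peer list, as an added Windows PowerShell example that is not part of the Microsoft guide. It assumes an elevated prompt on the PDC emulator, uses the documented w32tm /stripchart, /config and /resync switches, and the peer time.windows.com is only a sample value.

```powershell
# Added example (not from the Microsoft guide): test basic NTP communication with
# the intended time source, then configure the PDC emulator to synchronize from it.
# Assumes an elevated Windows PowerShell prompt on the PDC emulator and that
# UDP port 123 is open for NTP traffic (step 4 above).

function Test-NtpSource {
    param(
        [Parameter(Mandatory)] [string] $Computer,
        [int] $Samples = 5,
        [double] $MaxOffsetSeconds = 1.0
    )
    # w32tm /stripchart prints one "time, offset" line per sample; /dataonly drops the graph.
    $lines = & w32tm.exe /stripchart /computer:$Computer /samples:$Samples /dataonly 2>&1
    $offsets = @(foreach ($line in $lines) {
        # Sample lines look like "18:15:34, +00.0231428s"; error lines carry no offset.
        if ("$line" -match ',\s*([+-]?\d+\.\d+)s\s*$') { [double]$Matches[1] }
    })
    if ($offsets.Count -eq 0) {
        # No parsable sample: name resolution failed, UDP 123 is blocked, or the peer is not an NTP server.
        return [pscustomobject]@{
            Computer = $Computer; Reachable = $false; Samples = 0
            MaxOffsetSeconds = $null; WithinTolerance = $false; Raw = ($lines -join "`n")
        }
    }
    $max = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    [pscustomobject]@{
        Computer = $Computer; Reachable = $true; Samples = $offsets.Count
        MaxOffsetSeconds = $max; WithinTolerance = ($max -le $MaxOffsetSeconds); Raw = ''
    }
}

function Set-PdcTimeSource {
    param([Parameter(Mandatory)] [string[]] $Peers)
    # Multiple peers are passed as one space-delimited, quoted list, as the guide describes.
    $peerList = $Peers -join ' '
    & w32tm.exe /config /manualpeerlist:"$peerList" /syncfromflags:manual /reliable:yes /update
    # Force an immediate resynchronization against the newly configured peers.
    & w32tm.exe /resync /rediscover
}

$peers  = @('time.windows.com')   # sample value; replace with your own time source(s)
$checks = $peers | ForEach-Object { Test-NtpSource -Computer $_ }
$checks | Format-Table Computer, Reachable, Samples, MaxOffsetSeconds, WithinTolerance -AutoSize
if ($checks | Where-Object { -not $_.Reachable }) {
    Write-Warning 'A peer did not answer; check UDP port 123 and name resolution before configuring.'
} else {
    Set-PdcTimeSource -Peers $peers
}
```

After the configuration is applied, watch the System log in Event Viewer for W32Time errors as the guide recommends.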
Administrative Credentials
To perform this procedure locally on the PDC emulator, you must be a member of the
Administrators group. To perform this procedure from a remote computer, you must be a
member of the Domain Admins group.
Administrative Credentials
To perform this procedure locally on the domain controller, you must be a member of the
Administrators group. To perform this procedure from a remote computer, you must be a
member of the Domain Admins group.
Note
For more information about the w32tm command, type w32tm /? at a command
prompt or see Windows Time Service Tools and Settings on the Microsoft Web
site (http://go.microsoft.com/fwlink/?LinkId=42984).
Administrative Credentials
To perform this procedure locally on the PDC emulator, you must be a member of the
Administrators group. To perform this procedure from a remote computer, you must be a
member of the Domain Admins group.
To configure the PDC emulator to synchronize from its internal hardware clock
1. Open a Command Prompt.
Administrative Credentials
To perform this procedure on the local computer, you must be a local Administrator on the
PDC emulator. To perform this procedure on a remote computer, you must be a member
of the Domain Admins group.
3. In the Startup type box, select Disabled from the drop-down menu.
4. Click OK. Verify that the Startup Type for the time service appears as Disabled.
Configuring Windows-based clients to synchronize time
Certain Windows-based client computers do not automatically synchronize their time with
the Active Directory domain. The following client computers do not automatically
synchronize to the domain time by using the Windows Time service:
Task requirements
The following tool is required to perform the procedures for this task:
W32tm
-or-
Administrative Credentials
To perform this procedure, you must be a member of the Administrators group on the
local computer. To perform this procedure from a remote computer, you must be a
member of the Domain Admins group.
2. Type the following command to display the time difference between the local
computer and a target computer, and then press ENTER:
4. Open UDP port 123 (or a different port you have selected) for incoming NTP
traffic.
5. Type the following command to configure a manual time source for the selected
computer and then press ENTER:
where peers specifies the list of DNS names or IP addresses of the NTP time
source(s) that the selected computer will synchronize from. When specifying
multiple peers, use a space as the delimiter and enclose them in quotation
marks.
Configure a client computer for automatic domain time synchronization
Some computers that are joined to a domain are configured to synchronize from a
manual time source. Use the following procedure to configure a client computer that is
currently synchronizing with a manually specified computer, to automatically synchronize
time with the domain hierarchy.
Note
For more information about the w32tm command, type w32tm /? at a command
prompt or see Windows Time Service Tools and Settings on the Microsoft Web
site (http://go.microsoft.com/fwlink/?LinkId=42984).
Administrative Credentials
To perform this procedure, you must be a member of the Administrators group on the
local computer. To perform this procedure from a remote computer, you must be a
member of the Domain Admins group.
Task requirements
The following tools are required to perform the procedures for this task:
W32tm.exe
Perform the following procedure to restore local Windows Time service to the default
settings:
Note
For more information about the w32tm command, type w32tm /? at a command
prompt or see Windows Time Service Tools and Settings on the Microsoft Web
site (http://go.microsoft.com/fwlink/?LinkId=42984).
Administrative Credentials
To perform this procedure on the local computer, you must be a member of the
Administrators group. To perform this procedure on a remote computer, you must be a
member of the Domain Admins group.
w32tm /unregister
w32tm /register
Administering SYSVOL
This guide provides information for administering the Active Directory SYSVOL shared
folder in the Microsoft Windows Server 2003 operating system.
Managing SYSVOL
Note
Only the Group Policy template (GPT) is replicated by SYSVOL. The Group
Policy container (GPC) is replicated through Active Directory replication. To be
effective, both parts must be available on a domain controller.
FRS monitors SYSVOL and, if a change occurs to any file stored on SYSVOL, then FRS
automatically replicates the changed file to the SYSVOL folders on the other domain
controllers in the domain.
The day-to-day operation of SYSVOL is an automated process that does not require any
human intervention other than watching for alerts from the monitoring system.
Occasionally, you might perform some system maintenance as you change your network.
This objective describes the basic tasks required for managing SYSVOL in order to
maintain capacity and performance of SYSVOL, for hardware maintenance, or for data
organization.
To manage SYSVOL, ensure that FRS properly replicates the SYSVOL data and that
enough space is provided to store SYSVOL. Implement a monitoring system to detect
low disk space and potential FRS disruptions so that you can address those issues
before the system stops replicating. A useful tool for this is the Ultrasound utility, which
can be downloaded from www.microsoft.com, by searching for Ultrasound.
Capacity.
Depending upon the configuration of your domain, SYSVOL can require a significant
amount of disk space to function properly. During the initial deployment, SYSVOL might
be allocated adequate disk space to function. However, as your Active Directory grows in
size and complexity, the required capacity can exceed the available disk space.
If you receive indications that disk space is low, determine whether the cause is
inadequate physical space on the disk or a registry setting that limits the size of the
staging area. By modifying a setting in the registry, you can allocate more staging area
space, rather than relocating SYSVOL or the staging area. Increasing the space
allocation in the registry is much faster and easier than relocation.
Performance.
Any changes made to SYSVOL are automatically replicated to the other domain
controllers in the domain. If the files stored in SYSVOL change frequently, the replication
increases the input and output for the volume where SYSVOL is located. For example,
editing a GPO can potentially force a GPO-level replication. If the volume is also host to
other system files, such as the directory database or the pagefile, then the increased
input and output for the volume can impact the performance of the server.
Hardware maintenance.
System maintenance, such as removal of a disk drive, can require you to relocate
SYSVOL. Even if the maintenance occurs on a different disk drive, verify that the
maintenance does not affect the system volume. Logical drive letters could change after
you add and remove disks. FRS locates SYSVOL by using pointers stored in the
directory and the registry. If drive letters change after you add or remove disk drives, be
aware that these pointers are not automatically updated.
Backing up Group Policy objects (GPOs).
The successful operation of Group Policy is heavily dependent on the reliable operation
of SYSVOL. Key components of the GPO exist in SYSVOL (in the policies
subdirectory), and it is essential that these remain in sync with related components in
Active Directory. Therefore, backing up only the SYSVOL component does not represent
a full and complete backup of your GPOs. The Group Policy Management Console
(GPMC) provides both UI-based and scriptable methods for backing up GPOs. It is
important that you back up GPOs as part of your regular backup/disaster recovery
processes. Soon after installation of a new domain, the default domain and default
domain controllers' GPOs should be backed up. They should also be backed up after any
subsequent changes are made.
Before you attempt to relocate all or portions of the system volume, you must clearly
understand the folder structure and the relationships between the folders and the path
information that is stored in the registry and the directory itself. When folders are
relocated, any associated parameters that are stored in the registry and the directory
must be updated to match the new location. The folder structure contains junctions that
might also require updating when folders get moved to a new location.
Maintaining the relationship between the folders, junctions, and stored parameters is
important when you must relocate all or portions of SYSVOL. Failure to do so can result
in files being replicated to or from the wrong location. It can also result in files failing to
replicate, yet FRS will not report any errors. Due to the configuration error, FRS looks in
the wrong location for the files that you want to replicate.
The folder structure used by the system volume uses a feature called a junction point.
Junction points look like folders and behave like folders (in Windows Explorer you cannot
distinguish them from regular folders), but they are not folders. A junction point contains a
link to another folder. When a program opens it, the junction point automatically redirects
the program to the folder to which the junction point is linked. The redirection is
completely transparent to the user and the application.
For example, if you create two folders, C:\Folder1 and C:\Folder2, and create a junction
called C:\Folder3, and then link the junction back to Folder1, Windows Explorer displays
three folders:
\Folder1
\Folder2
\Folder3
If you open Folder3, Windows Explorer is redirected to Folder1 and displays the contents
of Folder1. You receive no indication of the redirection because it is transparent to the
user and to Windows Explorer. If you look at the contents of Folder1, you see that it is
exactly the same as the contents displayed when you open Folder3. If you open a
command prompt and list a directory, all three folders appear in the output. The first two
are type <DIR> and Folder3 is type <JUNCTION>. If you list a directory of Folder3, you
see the contents of Folder1.
Note
To create or update junctions, you need the Linkd.exe tool supplied with the
Windows 2000 Server Resource Kit. Linkd allows you to create, delete, update,
and view the links that are stored in junction points.
%systemroot%\SYSVOL
%systemroot%\SYSVOL\Domain
%systemroot%\SYSVOL\Domain\DO_NOT_REMOVE_Ntfrs_Preinstalled_Directory
%systemroot%\SYSVOL\Domain\Policies
%systemroot%\SYSVOL\Domain\Scripts
%systemroot%\SYSVOL\Staging
%systemroot%\SYSVOL\Staging\Domain
%systemroot%\SYSVOL\Staging Areas
%systemroot%\SYSVOL\Sysvol
%systemroot%\SYSVOL\Sysvol\FQDN
(where FQDN is the fully qualified domain name of the domain that this domain controller
hosts.)
Note
If any of the folders do not appear in Windows Explorer, click Tools and then
click Folder Options. On the View tab, select Show hidden files and folders.
If you use Windows Explorer to view these folders, they appear to be typical folders. If
you open a command prompt and type dir to list these folders, you will notice two special
folders are listed as <JUNCTION>. Both folders labeled FQDN are junction points. The
junction in %systemroot%\SYSVOL\Sysvol links to %systemroot%\SYSVOL\Domain. The
junction in %systemroot%\SYSVOL\Staging Areas is linked to
%systemroot%\SYSVOL\Staging\Domain. If you change the path to the folders to which the
junctions are linked, you must also update the junctions, including drive letter changes
and folder changes.
Besides junction points linking to folders within the system volume tree, the registry and
the directory also store references to folders. These references contain paths that you
must update if you change the location of the folder. FRS uses two values that are stored
in the directory. The first value, fRSRootPath, points to the location of the policies and
scripts that are stored in SYSVOL. By default, this location is the
%systemroot%\SYSVOL\Domain folder. The second value, fRSStagingPath, points to the
location of the folders used as the staging area. By default, this location is the
%systemroot%\SYSVOL\Staging\Domain folder. The Net Logon service uses a parameter stored in
the registry to identify the location of the folder that it uses to create the SYSVOL and
NETLOGON share points. By default, this path is %systemroot%\SYSVOL\Sysvol. If you
change the paths to these folders, you must update these values.
When relocating SYSVOL, you first move the entire folder structure to a new location;
then you update all the junction points and the parameters that are stored in the registry
and the directory in order to maintain the relationships between the parameters, the
folders, and the junctions. Optionally, you can relocate the staging area and leave the rest
of the system volume at its original location. In this case, you must update the
fRSStagingPath parameter in the directory and the junction point stored at
%systemroot%\SYSVOL\Staging Areas.
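The relationships just described (two directory attributes, one registry value and two junction targets that must all agree) are easy to get wrong after a drive-letter change or a half-finished relocation, and FRS does not report the mismatch. The following check is an added example, not code from the Microsoft guide: it takes the five values an operator records in the path table and reports every relationship that no longer holds. The domain name contoso.com, the sample paths and the drive letters are constructed.

```python
import ntpath
import re
from dataclasses import dataclass, replace
from typing import List, Optional, Set


@dataclass(frozen=True)
class SysvolPaths:
    fqdn: str               # domain this DC hosts (constructed sample: contoso.com)
    frs_root_path: str      # row 1: fRSRootPath, stored in the directory
    frs_staging_path: str   # row 2: fRSStagingPath, stored in the directory
    netlogon_sysvol: str    # row 3: SysVol under Services\Netlogon\Parameters
    sysvol_junction: str    # row 4: target of ...\SYSVOL\Sysvol\<FQDN>
    staging_junction: str   # row 5: target of ...\SYSVOL\Staging Areas\<FQDN>


_SYSTEMROOT = re.compile(r"%systemroot%", re.IGNORECASE)


def normalize(path: str, systemroot: str = r"C:\WINDOWS") -> str:
    """Expand %systemroot%, collapse separators and fold case so paths compare reliably."""
    expanded = _SYSTEMROOT.sub(lambda _m: systemroot, path)
    return ntpath.normpath(expanded).rstrip("\\").lower()


def check_sysvol_paths(p: SysvolPaths, systemroot: str = r"C:\WINDOWS",
                       present_drives: Optional[Set[str]] = None) -> List[str]:
    """Return the broken relationships; an empty list means the layout is consistent.

    Rules follow the folder structure described in the text:
      * the Sysvol\<FQDN> junction must resolve to fRSRootPath;
      * the Staging Areas\<FQDN> junction must resolve to fRSStagingPath;
      * the Net Logon value must name the Sysvol folder inside the SYSVOL root;
      * fRSRootPath and that Sysvol folder share one SYSVOL root, because the
        guide moves the whole tree together (assumption: the default layout);
      * optionally, every path must sit on a drive letter that still exists.
    """
    root = normalize(p.frs_root_path, systemroot)
    staging = normalize(p.frs_staging_path, systemroot)
    netlogon = normalize(p.netlogon_sysvol, systemroot)
    findings: List[str] = []

    if normalize(p.sysvol_junction, systemroot) != root:
        findings.append(f"Sysvol\\{p.fqdn} junction -> {p.sysvol_junction}, "
                        f"but fRSRootPath is {p.frs_root_path}")
    if normalize(p.staging_junction, systemroot) != staging:
        findings.append(f"Staging Areas\\{p.fqdn} junction -> {p.staging_junction}, "
                        f"but fRSStagingPath is {p.frs_staging_path}")
    if netlogon.split("\\")[-2:] != ["sysvol", "sysvol"]:
        findings.append(f"Net Logon SysVol value {p.netlogon_sysvol} is not the "
                        f"Sysvol folder inside the SYSVOL root")
    if ntpath.dirname(netlogon) != ntpath.dirname(root):
        findings.append(f"Net Logon SysVol value {p.netlogon_sysvol} and fRSRootPath "
                        f"{p.frs_root_path} are under different SYSVOL roots")
    if present_drives is not None:
        drives = {d.lower().rstrip(":") + ":" for d in present_drives}
        for label, raw in (("fRSRootPath", p.frs_root_path),
                           ("fRSStagingPath", p.frs_staging_path),
                           ("Net Logon SysVol", p.netlogon_sysvol),
                           ("Sysvol junction", p.sysvol_junction),
                           ("Staging junction", p.staging_junction)):
            drive = ntpath.splitdrive(normalize(raw, systemroot))[0]
            if drive and drive not in drives:
                findings.append(f"{label} {raw} is on drive {drive.upper()}, "
                                f"which is not present")
    return findings


# Constructed sample: the default layout on a domain controller for contoso.com.
DEFAULT = SysvolPaths(
    fqdn="contoso.com",
    frs_root_path=r"%systemroot%\SYSVOL\Domain",
    frs_staging_path=r"%systemroot%\SYSVOL\Staging\Domain",
    netlogon_sysvol=r"%systemroot%\SYSVOL\Sysvol",
    sysvol_junction=r"C:\WINDOWS\SYSVOL\domain",
    staging_junction=r"C:\WINDOWS\SYSVOL\staging\domain",
)
# Constructed sample: fRSStagingPath moved to E: but the junction was not updated.
HALF_RELOCATED = replace(DEFAULT, frs_staging_path=r"E:\FrsStaging\Domain")
# Constructed sample: staging relocation completed (rows 2 and 5 both updated).
RELOCATED = replace(HALF_RELOCATED, staging_junction=r"E:\FrsStaging\Domain")

if __name__ == "__main__":
    for name, sample in (("default", DEFAULT), ("half", HALF_RELOCATED), ("done", RELOCATED)):
        print(name, check_sysvol_paths(sample, present_drives={"C", "E"}) or "consistent")
```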
Managing SYSVOL
The following tasks for managing SYSVOL are described in this objective:
The default size of the staging area is 660 megabytes (MB). The minimum size is 10 MB
and the maximum size is 2 terabytes. You can adjust the size limit of the Staging Folder
by setting the value in kilobytes (KB) of the Staging Space Limit registry entry in
HKEY_Local_Machine\System\CurrentControlSet\Services\NtFrs\Parameters. For more
information about setting the Staging Space Limit in the registry, see KB article 329491 in
the Microsoft Knowledge Base.
Task requirements
The following tools are required to perform the procedures for this task:
Net.exe
Regedit.exe
Event Viewer
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
Caution
The Registry Editor bypasses standard safeguards, allowing settings that can
damage your system or even require you to reinstall Windows. If you must edit
the registry, back up system state first. For information about backing up system
state, see Administering Active Directory Backup and Restore.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
4. Double-click Staging Space Limit in KB to open the Edit DWORD Value dialog
box.
6. For Value data, enter a value from 10000 through 2000000000. Do not use
commas. Click OK.
Administrative Credentials
To perform this procedure you must be a member of the Domain Admins group in Active
Directory.
3. You can use Event Viewer to verify that NTFRS restarted correctly. Event ID
13501 indicates that the service restarted. Look for event ID 13516 to verify that
the domain controller is running and ready for service. If you moved SYSVOL to
a new location or relocated the Staging Area folder, look for event IDs 13553 and
13556, which indicate success.
Relocating the Staging Area
By default, the Active Directory Installation Wizard installs the Staging Area folder within
the SYSVOL. The Active Directory Installation Wizard creates two folders—Staging and
Staging Area—which FRS uses for the staging process. When you relocate the staging
area, you can change the name. Ensure that you identify the proper area in case it is
renamed in your environment.
Two parameters determine the location of the staging area. One parameter,
fRSStagingPath, is stored in the directory and contains the path to the actual location that
FRS uses to stage files. The other parameter is a junction point stored in the Staging
Area folder in SYSVOL that links to the actual location that FRS uses to stage files. When
relocating the staging area, you must update these two parameters to point to the new
location.
Except where noted, perform these procedures on the domain controller that contains the
Staging Area folder that you want to relocate.
Task requirements
To perform this task it is necessary that you understand the folder structure used by the
system volume. For more information, see Introduction to Administering SYSVOL.
The following tools are required to perform the procedures for this task:
Event Viewer
Net.exe
Regedit.exe
Note
To create or update junctions, you need the Linkd.exe tool supplied with
Windows Server 2003 Resource Kit Tools on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkId=16544. Linkd allows you to create, delete,
update, and view the links that are stored in junction points.
You do not need to perform the test on every partner, but you need to perform
enough tests to be confident that the shared system volumes on the partners are
healthy.
5. Reset the File Replication service staging folder to a different logical drive
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
2. In the console tree, expand the Sites container to display the list of sites.
3. Double-click the site that contains the domain controller for which you want to
determine Connection objects.
Note
If you do not know the site in which the domain controller is located, open
a command prompt and type ipconfig to get the IP address of the
domain controller. Use the IP address to determine which subnet it maps
to, and from that subnet the site association.
4. Expand the Servers folder to display the list of servers in that site.
5. Expand the name of your domain controller to display its NTDS settings.
Note
You do not need to perform this procedure on every replication partner, but you
need to perform it enough times to be confident that the shared system volumes
on the replication partners are healthy.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
2. In the Event Viewer tree, click File Replication Service to display the FRS
events.
3. Look for an event 13516 with a date and time stamp that corresponds with the
recent restart. It can take 15 minutes or more to appear. An event 13508
indicates that FRS is in the process of starting the service. An event 13509
indicates that the service has started successfully. Event 13516 indicates that the
service is started, the folders are shared, and the domain controller is functional.
4. To verify the shared folder is created, open a command prompt and type net
share to display a list of the shared folders on this domain controller, including
Net Logon and SYSVOL.
6. Look for a message that states computername passed test NetLogons where
computername is the name of the domain controller. If you do not see the test
passed message, a problem exists that prevents replication from functioning. This
test verifies that the proper logon privileges are set to allow replication to occur. If
this test fails, verify the permissions set on the Net Logon and SYSVOL shared
folders.
Verify replication with other domain controllers
The tests performed in this procedure verify that different aspects of the replication
topology are working properly. They check to see that objects are replicating and they
verify that the proper logon permissions are set to allow replication to occur.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
dcdiag /test:replications
Note
For this set of tests, the /v option is available. However, it does not
display any significant additional information. Messages indicate that the
connectivity and replications tests passed.
3. To verify that the proper permissions are set for replication, type the following
command and then press Enter:
dcdiag /test:netlogons
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
Use the procedures below to locate the system volume path information and record the
current values in the following table.
To relocate the staging area, record the information for rows 2 and 5.
Note
To restore and rebuild SYSVOL, you will need the information from the domain
controller that you are repairing recorded in rows 1, 2, and 3. Use the junctions
located on the domain controller that you are copying from the SYSVOL folder
structure to record the current value for rows 4 and 5. The new values for rows 4
and 5 are based on the domain controller that you are repairing.
Row  Parameter                      Current value    New value
1    fRSRootPath
2    fRSStagingPath
3    Sysvol parameter in registry
4    Sysvol junction
5    Staging junction
3. Click the domain component to display the containers and OUs in the details
pane.
7. In the details pane, right-click CN=Domain System Volume, and then click
Properties.
8. Ensure that Show mandatory attributes is selected. Select it if it is not.
4. Record the current value in table above. Based on the folder structure discussed in
detail in Introduction to Administering SYSVOL and the new location, record the new
path value for this parameter in the table.
SYSVOL junction
1. Open a Command Prompt.
3. At the command prompt, type dir. Verify that the fully qualified domain name
(FQDN) is listed as type <JUNCTION>.
4. At the command prompt, type linkd fqdn (where fqdn is the domain name listed
in the Dir output). This displays the value stored in the junction point. Press
ENTER.
5. Record the current value in table above. Based on the folder structure discussed
in detail in Introduction to Administering SYSVOL and the new location, record
the new path value for this parameter in the table.
Staging junction
1. Open a Command Prompt.
Note
This assumes that the staging area is still in the default location. If it has
been relocated, substitute the appropriate paths into these instructions.
3. At the command prompt, type dir. Verify that the fully qualified domain name
(FQDN) is listed as type <JUNCTION>.
4. At the command prompt, type linkd fqdn (where fqdn is the domain name listed
in the Dir output). This displays the value stored in the junction point. Press
ENTER.
5. Record the current value in table above. Based on the folder structure discussed
in detail in Introduction to Administering SYSVOL and the new location, record
the new path value for this parameter in the table.
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
To reset the File Replication service staging folder to a different logical drive
1. Click Start, click Run, type adsiedit.msc, and then press ENTER.
2. Under Domain [computername], locate the NtFrs Subscriber object under the host computer
account in Active Directory. The generic path for this attribute is: CN=Replica Set
Name,CN=NTFRS Subscriptions,CN=Computername,DC=Domain Name,DC=COM.
For example, to reset the staging path for the SYSVOL replica set of domain controller \\DC1 in
the contoso.com domain, the distinguished name (also known as DN) path for the FrsStagingPath
parameter is:
Where (when you read the distinguished name path from right to left):
CN=DC1 is the host computer account in the domain naming context (NC).
CN=NTFRS Subscriptions is the NtfrsSubscriber object that holds the FrsStagingPath parameter.
4. Ensure that the Show mandatory attributes check box is selected. Select it if it is not.
5. In Attributes, click fRSStagingPath, and then click Edit. The current value appears in the Value
box in the String Attribute Editor dialog box.
6. Enter the path to the new location for the FRS Staging folder in the Value box and click OK.
8. To make sure that the staging path has been updated in the registry:
a. Click Start, click Run, and type regedit on the server where you are changing the staging
path and then press ENTER.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets
e. After you locate the correct GUID and replica set name, right-click Replica Set Stage and
then click Modify.
f. In the Value data box, type the new staging area path, and then click OK.
When the service detects a change in the staging path, event ID 13563 is logged with a series
of self-explanatory steps on how to proceed:
Date: 3/6/2005
Time: 7:13:01 PM
User: N/A
Description: The File Replication service has detected that the staging path for the replica set
DOMAIN SYSTEM VOLUME (SYSVOL SHARE) has changed.
The service will start using the new staging path after it restarts. The service is set to restart
after every restart.
It is recommended that you manually restart the service to prevent loss of data in the Staging
folder.
[1] Run "net stop ntfrs" or use the Services snap-in to stop File Replication service.
[2] Move all the staging files corresponding to replica set DOMAIN SYSTEM VOLUME
(SYSVOL SHARE) to the new staging location. If more than one replica set are sharing the
current staging folder then it is safer to copy the staging files to the new staging folder.
[3] Run "net start ntfrs" or use the Services snap-in to start File Replication service, followed
by "net start ntfrs".
11. Move all the staging files corresponding to replica set DOMAIN SYSTEM VOLUME (SYSVOL
SHARE) to the new staging location. If more than one replica set is sharing the current Staging
folder, then it is safer to copy the staging files to the new Staging folder.
12. At a command prompt type the following command and then press ENTER:
Microsoft recommends that you follow step 11 (step 2 in the preceding event message) because
the FRS Staging folder may contain thousands or tens of thousands of files in the original Staging
folder, all of which may be destined for one or more downstream partners. In Windows Explorer,
you can view the files in the staging folder. On the Folder Options menu, click the View tab, and
then click to select the Show hidden files and folders check box. Copy the files to the new
Staging folder, and then follow the remaining steps in the event log message.
You can also move SYSVOL with the Active Directory Installation Wizard, but this requires
that you remove Active Directory from the domain controller and then reinstall Active
Directory after SYSVOL has been moved. This should only be considered in extreme cases,
and only when the domain controller is not running any other services or applications.
Except where noted, perform these steps on the domain controller that contains the
system volume that you want to move.
Caution
This procedure can alter security settings. After you complete the procedure, the
security settings on the new system volume are reset to the default settings that
were established when you installed Active Directory. You must reapply any
changes to the security settings on the system volume that you made since you
installed Active Directory. This will cause additional replication traffic. Note that
failure to reset permissions can result in unauthorized access to Group Policy
objects and logon and logoff scripts.
Task Requirements
The following tools are required to perform the procedures for this task:
Event Viewer
Windows Explorer
Regedit.exe
ADSI Edit.msc (Windows Support Tools)
Net.exe
Secedit.exe
Notepad.exe
Note
To create or update junctions, you need the Linkd.exe tool supplied with
Windows Server 2003 Resource Kit Tools on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkId=16544. Linkd allows you to create, delete,
update, and view the links that are stored in junction points.
If you have moved the Staging Area folder to a different location already, you do not
need to do this step.
9. Prepare a domain controller for nonauthoritative SYSVOL restart
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
2. In the console tree, expand the Sites container to display the list of sites.
3. Double-click the site that contains the domain controller for which you want to
determine Connection objects.
Note
If you do not know the site in which the domain controller is located, open
a command prompt and type ipconfig to get the IP address of the
domain controller. Use the IP address to determine which subnet it maps
to, and from that subnet the site association.
4. Expand the Servers folder to display the list of servers in that site.
5. Expand the name of your domain controller to display its NTDS settings.
Note
You do not need to perform this procedure on every replication partner, but you
need to perform it enough times to be confident that the shared system volumes
on the replication partners are healthy.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
2. In the Event Viewer tree, click File Replication Service to display the FRS
events.
3. Look for an event 13516 with a date and time stamp that corresponds with the
recent restart. It can take 15 minutes or more to appear. An event 13508
indicates that FRS is in the process of starting the service. An event 13509
indicates that the service has started successfully. Event 13516 indicates that the
service is started, the folders are shared, and the domain controller is functional.
4. To verify the shared folder is created, open a command prompt and type net
share to display a list of the shared folders on this domain controller, including
Net Logon and SYSVOL.
6. Look for a message that states computername passed test NetLogons where
computername is the name of the domain controller. If you do not see the test
passed message, a problem exists that prevents replication from functioning. This
test verifies that the proper logon privileges are set to allow replication to occur. If
this test fails, verify the permissions set on the Net Logon and SYSVOL shared
folders.
Verify replication with other domain controllers
The tests performed in this procedure verify that different aspects of the replication
topology are working properly. They check to see that objects are replicating and they
verify that the proper logon permissions are set to allow replication to occur.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
dcdiag /test:replications
Note
For this set of tests, the /v option is available. However, it does not
display any significant additional information. Messages indicate that the
connectivity and replications tests passed.
3. To verify that the proper permissions are set for replication, type the following
command and then press Enter:
dcdiag /test:netlogons
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
Use the procedures below to locate the system volume path information and record the
current values in the following table.
To relocate the staging area, record the information for rows 2 and 5.
Note
To restore and rebuild SYSVOL, you will need the information from the domain
controller that you are repairing recorded in rows 1, 2, and 3. Use the junctions
located on the domain controller that you are copying from the SYSVOL folder
structure to record the current value for rows 4 and 5. The new values for rows 4
and 5 are based on the domain controller that you are repairing.
Row  Parameter                      Current value    New value
1    fRSRootPath
2    fRSStagingPath
3    Sysvol parameter in registry
4    Sysvol junction
5    Staging junction
3. Click the domain component to display the containers and OUs in the details
pane.
7. In the details pane, right-click CN=Domain System Volume, and then click
Properties.
3. Sysvol appears in the details pane. The current value is listed in the Data column.
4. Record the current value in table above. Based on the folder structure discussed in
detail in Introduction to Administering SYSVOL and the new location, record the new
path value for this parameter in the table.
SYSVOL junction
1. Open a Command Prompt.
Note
This assumes that the system volume is still in the default location. If it
has been relocated, substitute the appropriate paths into these
instructions.
3. At the command prompt, type dir. Verify that the fully qualified domain name
(FQDN) is listed as type <JUNCTION>.
4. At the command prompt, type linkd fqdn (where fqdn is the domain name listed
in the Dir output). This displays the value stored in the junction point. Press
ENTER.
5. Record the current value in table above. Based on the folder structure discussed
in detail in Introduction to Administering SYSVOL and the new location, record
the new path value for this parameter in the table.
Staging junction
1. Open a Command Prompt.
Note
This assumes that the staging area is still in the default location. If it has
been relocated, substitute the appropriate paths into these instructions.
3. At the command prompt, type dir. Verify that the fully qualified domain name
(FQDN) is listed as type <JUNCTION>.
4. At the command prompt, type linkd fqdn (where fqdn is the domain name listed
in the Dir output). This displays the value stored in the junction point. Press
ENTER.
5. Record the current value in table above. Based on the folder structure discussed
in detail in Introduction to Administering SYSVOL and the new location, record
the new path value for this parameter in the table.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
To stop the File Replication service
1. Open a Command Prompt.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
3. In Windows Explorer, navigate to the new location you created in the console
tree, right-click the new location, and click Paste. You might see a dialog box
stating that some files already exist and a prompt asking whether you want to
continue copying the folder. At each such prompt, click No.
4. Verify that the folder structure was copied correctly. Compare the new folder
structure to the original by opening a command prompt, typing the following
command and pressing Enter to list the contents of the folders:
dir /s
Ensure that all folders exist. If any folders are missing at the new location (such
as \scripts), then recreate them.
Set the SYSVOL path
Use this procedure to set the new path to the system volume in the registry.
Caution
The Registry Editor bypasses standard safeguards, allowing settings that can
damage your system or even require you to reinstall Windows. If you must edit
the registry, back up system state first. For information about backing up system
state, see Administering Active Directory Backup and Restore.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
2. Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
4. In the Value data box, in the Edit String dialog box, enter the new path, including the
drive letter and click OK.
Note
The path in the registry points to the SYSVOL folder located inside the
SYSVOL folder that is under the root. When updating the path in the registry,
ensure that it still points to the SYSVOL folder inside the SYSVOL folder that is
under the root.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
2. Click the domain component to display the containers and OUs in the details
pane.
6. In the details pane, right-click CN=Domain System Volume, and then click
Properties.
8. In Attributes, click fRSStagingPath, and then click Edit. The current value
appears in the Value box in the String Attribute Editor dialog box.
9. In the Value box, enter the complete path to the new location where you want to
locate the Staging Area folder (the path to the new folder that you created
earlier), including the drive letter and click OK.
13. Type the following command to list the contents of the directory and then press
ENTER:
dir
14. Update the junction so that it points to the new location by typing the following
command and then pressing ENTER:
where newpath specifies the same value that you entered for fRSStagingPath
earlier.
To initiate a nonauthoritative restart of SYSVOL when it is the only replica set that is
represented on the domain controller, set the value of the global BurFlags
(REG_DWORD) entry under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
If other replica sets are represented on the domain controller and you want to update
only SYSVOL, set the value of the replica-set-specific BurFlags (REG_DWORD)
entry under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\SYSVOL GUID
Modifying the replica-set-specific BurFlags entry requires identifying the SYSVOL GUID
in the registry.
Caution
The Registry Editor bypasses standard safeguards, allowing settings that can
damage your system or even require you to reinstall Windows. If you must edit
the registry, back up system state first. For information about backing up system
state, see Administering Active Directory Backup and Restore.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
2. Navigate to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters
3. Expand Parameters.
b. Match the GUID under Replica Sets to the identical GUID under Cumulative
Replica Sets, and click the matching GUID under Cumulative Replica Sets.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
7. For Variable value, type the path that you noted in step 2.
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Profile Description]
[File Security]
;"%SystemRoot%\SYSVOL",0,"D:AR(A;OICI;FA;;;BA)"
"%Sysvol%",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
"%Sysvol%\domain\policies",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;PA)"
Use this file to apply the security settings to the new SYSVOL folders. Save this
file as Sysvol.inf.
Note
Do not include a space after (A;CIOI;GRGX;;;SO), (A;CIOI;GRGX;;;AU),
or (A;CIOI;GA;;;SY).
10. Open a new Command Prompt. Do not use an existing command prompt that
has been open on your desktop because it will not have the proper environment
settings. Change the directory to the folder where you saved the Sysvol.inf file.
11. Type the following command all on one line and then press ENTER:
Administrative Credentials
To perform this procedure you must be a member of the Domain Admins group in Active
Directory.
3. You can use Event Viewer to verify that NTFRS restarted correctly. Event ID
13501 indicates that the service restarted. Look for event ID 13516 to verify that
the domain controller is running and ready for service. If you moved SYSVOL to
a new location or relocated the Staging Area folder, look for event IDs 13553 and
13556, which indicate success.
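The permission strings in the Sysvol.inf file above are SDDL DACLs, and the caution earlier in this task notes that getting them wrong exposes Group Policy objects and logon scripts. The following parser and audit is an added example, not part of the guide or of Secedit.exe: it decodes each [File Security] entry, confirms the DACL is protected (the P flag, so nothing is inherited from the parent folder), rejects strings that contain the stray spaces the note warns about, and flags any ACE that grants write-capable rights to a broad principal such as Authenticated Users or Everyone. WEAK_ENTRY is constructed for contrast; the numeric mode field of each entry is carried through uninterpreted.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Well-known SDDL SID abbreviations (the first six are the ones Sysvol.inf uses).
SID_NAMES = {
    "AU": "Authenticated Users", "SO": "Server Operators", "BA": "Builtin Administrators",
    "SY": "Local System", "CO": "Creator Owner", "PA": "Group Policy Creator Owners",
    "WD": "Everyone", "BU": "Builtin Users", "DU": "Domain Users", "AN": "Anonymous",
}
# Rights tokens that allow changing SYSVOL content or its protection.
WRITE_RIGHTS = {"GA", "GW", "FA", "FW", "SD", "WD", "WO", "DC", "CC", "WP", "DT"}
# Principals that every domain user (or anyone at all) belongs to.
BROAD_PRINCIPALS = {"AU", "WD", "BU", "DU", "AN"}


@dataclass
class Ace:
    ace_type: str      # "A" allow, "D" deny, "AU" audit
    flags: List[str]   # e.g. ["CI", "OI"]: container and object inherit
    rights: List[str]  # two-letter rights tokens, e.g. ["GR", "GX"]
    sid: str           # abbreviation such as "AU", or a literal S-1-... string


def _pairs(token: str) -> List[str]:
    if len(token) % 2:
        raise ValueError(f"odd-length SDDL token {token!r}")
    return [token[i:i + 2] for i in range(0, len(token), 2)]


def parse_sddl_dacl(sddl: str) -> Tuple[bool, List[Ace]]:
    """Return (protected, aces) for a DACL-only string such as D:P(A;CIOI;GRGX;;;AU)."""
    if re.search(r"\s", sddl):
        raise ValueError("whitespace inside SDDL string (see the note above)")
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL string starting with 'D:'")
    m = re.fullmatch(r"([A-Z]*)((?:\([^()]*\))*)", sddl[2:])
    if not m:
        raise ValueError(f"malformed DACL {sddl!r}")
    protected = "P" in m.group(1)  # DACL flags precede the first ACE
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        fields = body.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        if len(fields) < 6:
            raise ValueError(f"ACE {body!r} has fewer than six fields")
        rights = [] if fields[2].startswith("0x") else _pairs(fields[2])
        aces.append(Ace(fields[0], _pairs(fields[1]), rights, fields[5]))
    return protected, aces


def audit_dacl(sddl: str) -> List[str]:
    """Findings for one DACL; an empty list means it keeps the guide's least-privilege shape."""
    protected, aces = parse_sddl_dacl(sddl)
    findings = []
    if not protected:
        findings.append("DACL not protected (no P flag): parent permissions will be inherited")
    for ace in aces:
        if ace.ace_type != "A":
            continue  # deny and audit ACEs grant nothing
        risky = sorted(set(ace.rights) & WRITE_RIGHTS)
        if risky and ace.sid in BROAD_PRINCIPALS:
            findings.append(f"{SID_NAMES[ace.sid]} granted {''.join(risky)}")
    return findings


_INF_ENTRY = re.compile(r'^"([^"]+)",(\d+),"([^"]+)"$')


def audit_file_security(inf_text: str) -> Dict[str, List[str]]:
    """Audit every [File Security] entry; returns {path: findings}."""
    results: Dict[str, List[str]] = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        if line.startswith("["):
            in_section = line.lower() == "[file security]"
            continue
        if not in_section:
            continue
        m = _INF_ENTRY.match(line)
        if not m:
            results[line] = ["unparseable [File Security] entry"]
            continue
        path, _mode, sddl = m.groups()
        try:
            results[path] = audit_dacl(sddl)
        except ValueError as err:
            results[path] = [str(err)]
    return results


# The [File Security] section of the guide's Sysvol.inf, unwrapped onto single lines.
SYSVOL_INF = r'''[File Security]
;"%SystemRoot%\SYSVOL",0,"D:AR(A;OICI;FA;;;BA)"
"%Sysvol%",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
"%Sysvol%\domain\policies",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;PA)"
'''
# Constructed weak entry: unprotected DACL giving Authenticated Users full control.
WEAK_ENTRY = r'"%Sysvol%\domain\scripts",2,"D:(A;CIOI;GA;;;AU)"'

if __name__ == "__main__":
    for path, findings in audit_file_security(SYSVOL_INF + WEAK_ENTRY).items():
        print(path, "->", findings or "OK")
```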
Task Requirements
The following tools are required to perform the procedures for this task:
ADSI Edit.msc
Net.exe
Regedit.exe
Linkd.exe
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
Use the procedures below to locate the system volume path information and record the
current values in the following table.
To relocate the staging area, record the information for rows 2 and 5.
Note
To restore and rebuild SYSVOL, you will need the information from the domain
controller that you are repairing recorded in rows 1, 2, and 3. Use the junctions
located on the domain controller that you are copying from the SYSVOL folder
structure to record the current value for rows 4 and 5. The new values for rows 4
and 5 are based on the domain controller that you are repairing.
Row  Parameter                      Current value    New value
1    fRSRootPath
2    fRSStagingPath
3    Sysvol parameter in registry
4    Sysvol junction
5    Staging junction
3. Click the domain component to display the containers and OUs in the details
pane.
7. In the details pane, right-click CN=Domain System Volume, and then click
Properties.
8. Ensure that Show mandatory attributes is selected. Select it if it is not.
4. Record the current value in table above. Based on the folder structure discussed in
detail in Introduction to Administering SYSVOL and the new location, record the new
path value for this parameter in the table.
SYSVOL junction
1. Open a Command Prompt.
3. At the command prompt, type dir. Verify that the fully qualified domain name
(FQDN) is listed as type <JUNCTION>.
4. At the command prompt, type linkd fqdn (where fqdn is the domain name listed
in the Dir output). This displays the value stored in the junction point. Press
ENTER.
5. Record the current value in table above. Based on the folder structure discussed
in detail in Introduction to Administering SYSVOL and the new location, record
the new path value for this parameter in the table.
Staging junction
1. Open a Command Prompt.
Note
This assumes that the staging area is still in the default location. If it has
been relocated, substitute the appropriate paths into these instructions.
3. At the command prompt, type dir. Verify that the fully qualified domain name
(FQDN) is listed as type <JUNCTION>.
4. At the command prompt, type linkd fqdn (where fqdn is the domain name listed
in the Dir output). This displays the value stored in the junction point. Press
ENTER.
5. Record the current value in table above. Based on the folder structure discussed
in detail in Introduction to Administering SYSVOL and the new location, record
the new path value for this parameter in the table.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
Caution
The Registry Editor bypasses standard safeguards, allowing settings that can
damage your system or even require you to reinstall Windows. If you must edit
the registry, back up system state first. For information about backing up system
state, see Administering Active Directory Backup and Restore.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
2. Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
4. In the Value data box of the Edit String dialog box, enter the new path, including
the drive letter, and then click OK.
Note
The path in the registry points to the inner SYSVOL folder, that is, the SYSVOL
folder located inside the SYSVOL folder that is under the root. When you update
the path in the registry, ensure that it still points to that inner SYSVOL folder.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
2. Click the domain component to display the containers and OUs in the details
pane.
6. In the details pane, right-click CN=Domain System Volume, and then click
Properties.
8. In Attributes, click fRSStagingPath, and then click Edit. The current value
appears in the Value box in the String Attribute Editor dialog box.
9. In the Value box, enter the complete path to the new location where you want to
locate the Staging Area folder (the path to the new folder that you created
earlier), including the drive letter, and then click OK.
13. Type the following command to list the contents of the directory and then press
ENTER:
dir
14. Update the junction so that it points to the new location by typing the following
command and then pressing ENTER:
where newpath specifies the same value that you entered for fRSStagingPath
earlier.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
3. You can use Event Viewer to verify that NTFRS restarted correctly. Event ID
13501 indicates that the service restarted. Look for event ID 13516 to verify that
the domain controller is running and ready for service. If you moved SYSVOL to
a new location or relocated the Staging Area folder, look for event IDs 13553 and
13556, which indicate success.
Task Requirements
The following tools are required to perform the procedures for this task:
Event Viewer
Dcdiag.exe
ADSIEdit.msc
Net.exe
Regedit.exe
Windows Explorer
Linkd.exe
Because you will be copying the system volume from one of the partners, you need
to make sure that the system volume you copy from the partner is up to date.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
2. In the console tree, expand the Sites container to display the list of sites.
3. Double-click the site that contains the domain controller for which you want to
determine Connection objects.
Note
If you do not know the site in which the domain controller is located, open
a command prompt and type ipconfig to get the IP address of the
domain controller. Use the IP address to verify that an IP address maps
to a subnet and determine the site association.
4. Expand the Servers folder to display the list of servers in that site.
5. Expand the name of your domain controller to display its NTDS settings.
Note
You do not need to perform this procedure on every replication partner, but you
need to perform it enough times to be confident that the shared system volumes
on the replication partners are healthy.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
2. In the Event Viewer tree, click File Replication Service to display the FRS
events.
3. Look for an event 13516 with a date and time stamp that corresponds with the
recent restart. It can take 15 minutes or more to appear. An event 13508
indicates that FRS is in the process of starting the service. An event 13509
indicates that the service has started successfully. Event 13516 indicates that the
service is started, the folders are shared, and the domain controller is functional.
4. To verify the shared folder is created, open a command prompt and type net
share to display a list of the shared folders on this domain controller, including
Net Logon and SYSVOL.
6. Look for a message that states computername passed test NetLogons, where
computername is the name of the domain controller. If you do not see the test
passed message, a problem exists that will prevent replication from functioning.
This test verifies that the proper logon privileges are set to allow replication to
occur. If this test fails, verify the permissions set on the Net Logon and SYSVOL
shared folders.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
dcdiag /test:replications
Note
For this set of tests, the /v option is available. However, it does not
display any significant additional information. Messages indicate that the
connectivity and replications tests passed.
3. To verify that the proper permissions are set for replication, type the following
command and then press Enter:
dcdiag /test:netlogons
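The Event Viewer check, the net share check and the two dcdiag tests from the procedures above, turned into pass/fail values by an added PowerShell example that is not part of the Microsoft guide. It assumes dcdiag.exe is installed (Support Tools) and that the target domain controller's event log is readable.

```powershell
# Added example, not from the Microsoft guide: check for the FRS events listed in the
# procedure, confirm the NETLOGON and SYSVOL shares exist, and run the dcdiag tests.

# Event IDs with the meanings the guide gives them.
$FrsEventMeaning = @{
    13501 = 'FRS service restarted'
    13508 = 'FRS is in the process of starting'
    13509 = 'FRS started successfully'
    13516 = 'domain controller running, folders shared, ready for service'
    13553 = 'SYSVOL or staging area moved to new location (success)'
    13556 = 'SYSVOL or staging area moved to new location (success)'
}

function Get-FrsRestartStatus {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddHours(-1),   # when FRS was restarted
        [switch]$Relocated                            # SYSVOL or staging area was moved
    )
    # Get-EventLog reads the classic log, so this also works against Windows Server 2003.
    $events = Get-EventLog -ComputerName $ComputerName -LogName 'File Replication Service' `
                           -After $Since -ErrorAction SilentlyContinue |
              Where-Object { $FrsEventMeaning.ContainsKey([int]$_.EventID) } |
              Sort-Object TimeGenerated
    $ids = @($events | ForEach-Object { [int]$_.EventID })
    [pscustomobject]@{
        ComputerName = $ComputerName
        Restarted    = $ids -contains 13501
        Ready        = $ids -contains 13516          # can take 15 minutes or more to appear
        RelocationOk = (-not $Relocated) -or (($ids -contains 13553) -and ($ids -contains 13556))
        Timeline     = @($events | ForEach-Object {
                           '{0:s}  {1}  {2}' -f $_.TimeGenerated, $_.EventID, $FrsEventMeaning[[int]$_.EventID]
                       })
    }
}

function Test-SysvolShares {
    # Same check as 'net share' in step 4, on the local domain controller.
    $out = & net.exe share 2>&1 | Out-String
    [pscustomobject]@{
        NetLogon = [bool]($out -match '(?m)^NETLOGON\s')
        Sysvol   = [bool]($out -match '(?m)^SYSVOL\s')
    }
}

function Test-DcdiagReplication {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # /s: targets one domain controller; both tests from the procedure in a single run.
    $out = & dcdiag.exe /s:$ComputerName /test:replications /test:netlogons 2>&1 | Out-String
    [pscustomobject]@{
        ComputerName = $ComputerName
        Connectivity = [bool]($out -match 'passed test Connectivity')
        Replications = [bool]($out -match 'passed test Replications')
        NetLogons    = [bool]($out -match 'passed test NetLogons')
        # Lines naming a failed test; if NetLogons fails, check the NETLOGON and SYSVOL
        # share permissions as the guide advises.
        Failures     = @(($out -split "`r?`n") | Where-Object { $_ -match 'failed test' })
    }
}

Get-FrsRestartStatus -Since (Get-Date).AddHours(-2) | Format-List
Test-SysvolShares
Test-DcdiagReplication | Format-List
```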
When you start Windows Server 2003 in Directory Services Restore Mode, the local
Administrator account is authenticated by the local Security Accounts Manager (SAM)
database. Therefore, logging on requires that you use the local administrator password,
not an Active Directory domain password. This password is set during Active Directory
installation when you provide the password for Directory Services Restore Mode.
Administrative credentials
To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.
2. When the screen for selecting an operating system appears, press F8.
See Also
Restart the domain controller in Directory Services Restore Mode Remotely
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
Use the procedures below to locate the system volume path information and record the
current values in the following table.
To relocate the staging area, record the information for rows 2 and 5.
Note
To restore and rebuild SYSVOL, you will need the information from the domain
controller that you are repairing recorded in rows 1, 2, and 3. Use the junctions on
the domain controller from which you are copying the SYSVOL folder structure to
record the current values for rows 4 and 5. The new values for rows 4 and 5 are
based on the domain controller that you are repairing.
Row  Parameter                      Current value   New value
1    fRSRootPath
2    fRSStagingPath
3    Sysvol parameter in registry
4    Sysvol junction
5    Staging junction
7. In the details pane, right-click CN=Domain System Volume, and then click
Properties.
3. Sysvol appears in the details pane. The current value is listed in the Data column.
4. Record the current value in table above. Based on the folder structure discussed in
detail in Introduction to Administering SYSVOL and the new location, record the new
path value for this parameter in the table.
SYSVOL junction
1. Open a Command Prompt.
Note
This assumes that the system volume is still in the default location. If it
has been relocated, substitute the appropriate paths into these
instructions.
3. At the command prompt, type dir. Verify that the fully qualified domain name
(FQDN) is listed as type <JUNCTION>.
4. At the command prompt, type linkd fqdn (where fqdn is the domain name listed
in the Dir output). This displays the value stored in the junction point. Press
ENTER.
5. Record the current value in table above. Based on the folder structure discussed
in detail in Introduction to Administering SYSVOL and the new location, record
the new path value for this parameter in the table.
Staging junction
1. Open a Command Prompt.
Note
This assumes that the staging area is still in the default location. If it has
been relocated, substitute the appropriate paths into these instructions.
3. At the command prompt, type dir. Verify that the fully qualified domain name
(FQDN) is listed as type <JUNCTION>.
4. At the command prompt, type linkd fqdn (where fqdn is the domain name listed
in the Dir output). This displays the value stored in the junction point. Press
ENTER.
5. Record the current value in table above. Based on the folder structure discussed
in detail in Introduction to Administering SYSVOL and the new location, record
the new path value for this parameter in the table.
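The same five table values, collected by script rather than by hand: an added PowerShell example that is not part of the Microsoft guide, serving both the staging-area relocation and the SYSVOL restore versions of this gathering procedure. It assumes Windows PowerShell 5.1 or later (for the junction LinkType and Target properties), the NTFRS subscriber object in its default place under the domain controller's computer account, the staging area in its default location, and Domain Admins rights.

```powershell
# Added example, not from the Microsoft guide: record the five table rows on the
# domain controller where this runs.

function Get-SysvolPathInfo {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME   # the domain controller being recorded
    )

    # Row 3: the SysVol parameter Netlogon uses. It must point at the inner
    # SYSVOL\sysvol folder, as the Note in the registry procedure stresses.
    $netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $sysvolReg   = (Get-ItemProperty -Path $netlogonKey -Name SysVol).SysVol

    # Rows 1 and 2: fRSRootPath and fRSStagingPath on the NTFRS subscriber object
    # that ADSI Edit shows as CN=Domain System Volume (SYSVOL share).
    $domainDn   = [string]([ADSI]'LDAP://RootDSE').Get('defaultNamingContext')
    $computerDn = "CN=$ComputerName,OU=Domain Controllers,$domainDn"   # assumed default OU
    $subscriberPath = "LDAP://CN=Domain System Volume (SYSVOL share)," +
                      "CN=NTFRS Subscriptions,$computerDn"
    $frsRoot = $frsStaging = $null
    try {
        $subscriber = [ADSI]$subscriberPath
        $frsRoot    = [string]$subscriber.Get('fRSRootPath')
        $frsStaging = [string]$subscriber.Get('fRSStagingPath')
    } catch {
        Write-Warning "Could not read $subscriberPath : $_"
    }

    # Rows 4 and 5: the junctions (named after the domain FQDN) under SYSVOL\sysvol
    # and SYSVOL\staging areas; this is what 'dir' lists as <JUNCTION> and linkd prints.
    $sysvolBase  = Split-Path -Path $sysvolReg -Parent            # e.g. C:\WINDOWS\SYSVOL
    $stagingBase = Join-Path -Path $sysvolBase -ChildPath 'staging areas'
    $getJunction = {
        param([string]$Folder)
        Get-ChildItem -Path $Folder -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.LinkType -eq 'Junction' } |
            Select-Object -First 1 |
            ForEach-Object { [string]@($_.Target)[0] }   # Target is an array in PS 5.1
    }
    $sysvolJunction  = & $getJunction $sysvolReg
    $stagingJunction = & $getJunction $stagingBase

    # One object per table row; fill NewValue in once the new location is decided.
    $rows = @(
        @{ Row = 1; Parameter = 'fRSRootPath';                  CurrentValue = $frsRoot }
        @{ Row = 2; Parameter = 'fRSStagingPath';               CurrentValue = $frsStaging }
        @{ Row = 3; Parameter = 'Sysvol parameter in registry'; CurrentValue = $sysvolReg }
        @{ Row = 4; Parameter = 'Sysvol junction';              CurrentValue = $sysvolJunction }
        @{ Row = 5; Parameter = 'Staging junction';             CurrentValue = $stagingJunction }
    )
    foreach ($r in $rows) {
        [pscustomobject]@{
            Row          = $r.Row
            Parameter    = $r.Parameter
            CurrentValue = $r.CurrentValue
            NewValue     = ''
        }
    }
}

Get-SysvolPathInfo | Format-Table -AutoSize
```

If the staging area has already been relocated, pass the parent of fRSStagingPath instead of the default staging areas folder when looking up row 5.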
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
To stop the File Replication service
1. Open a Command Prompt.
To initiate a nonauthoritative restart of SYSVOL when it is the only replica set that is
represented on the domain controller, set the value of the global BurFlags
(REG_DWORD) entry under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
If other replica sets are represented on the domain controller and you want to update
only SYSVOL, set the value of the replica-set-specific BurFlags (REG_DWORD)
entry under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\SYSVOL GUID
Modifying the replica-set-specific BurFlags entry requires identifying the SYSVOL GUID
in the registry.
Caution
The Registry Editor bypasses standard safeguards, allowing settings that can
damage your system or even require you to reinstall Windows. If you must edit
the registry, back up system state first. For information about backing up system
state, see Administering Active Directory Backup and Restore.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
2. Navigate to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters
3. Expand Parameters.
b. Match the GUID under Replica Sets to the identical GUID under Cumulative
Replica Sets, and click the matching GUID under Cumulative Replica Sets.
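The GUID matching step above done programmatically, with the current global and replica-set-specific BurFlags entries shown side by side: an added PowerShell example that is not part of the Microsoft guide. The 'Replica Set Root' value name is my assumption about the per-set key contents, and the 0xD2 value used by the setter is the standard nonauthoritative-restore value, which the text above does not quote.

```powershell
# Added example, not from the Microsoft guide: list the FRS replica sets on this
# domain controller, pair each GUID under Replica Sets with the identical GUID under
# Cumulative Replica Sets, and show the BurFlags entries. .NET registry calls are used
# because the 'Backup/Restore' key name contains a slash, which the PowerShell
# registry provider would treat as a path separator.

$FrsParameters = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'

function Format-BurFlags([object]$Value) {
    if ($null -eq $Value) { 'not set' } else { '0x{0:X}' -f [int]$Value }
}

function Get-FrsBurFlags {
    $hklm = [Microsoft.Win32.Registry]::LocalMachine

    # Global entry: applies to every replica set represented on the DC.
    $global = $hklm.OpenSubKey("$FrsParameters\Backup/Restore\Process at Startup")
    $globalFlags = if ($global) { $global.GetValue('BurFlags') } else { $null }
    [pscustomobject]@{ Guid = '(global)'; Root = $null; BurFlags = Format-BurFlags $globalFlags }

    # Per replica set: the GUID under Replica Sets names the matching key under
    # Cumulative Replica Sets, which is where the replica-set-specific BurFlags lives.
    $sets = $hklm.OpenSubKey("$FrsParameters\Replica Sets")
    if (-not $sets) { return }
    foreach ($guid in $sets.GetSubKeyNames()) {
        $set = $sets.OpenSubKey($guid)
        $cum = $hklm.OpenSubKey("$FrsParameters\Cumulative Replica Sets\$guid")
        $cumFlags = if ($cum) { $cum.GetValue('BurFlags') } else { $null }
        [pscustomobject]@{
            Guid     = $guid
            # Assumed value name; the SYSVOL set is the one whose root is fRSRootPath.
            Root     = $set.GetValue('Replica Set Root')
            BurFlags = Format-BurFlags $cumFlags
        }
    }
}

function Set-FrsReplicaSetBurFlags {
    # Sets only the replica-set-specific entry. Stop the File Replication service first
    # and start it again afterwards, as the procedure requires. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Guid,
        [int]$Value = 0xD2     # standard nonauthoritative-restore value (not quoted in the guide text)
    )
    $path = "$FrsParameters\Cumulative Replica Sets\$Guid"
    $key  = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($path, $true)
    if (-not $key) { throw "No Cumulative Replica Sets entry for GUID $Guid" }
    if ($PSCmdlet.ShouldProcess("HKLM\$path", ('Set BurFlags to 0x{0:X}' -f $Value))) {
        $key.SetValue('BurFlags', $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    }
    $key.Close()
}

Get-FrsBurFlags | Format-Table -AutoSize
```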
To use this procedure, the default shared folder Admin$ must exist on the domain
controller from which you plan to copy the SYSVOL folder structure. Some organizations
remove this shared folder or rename it for security reasons. If this shared folder is not
available, you must share the %systemroot% folder and name the share point Admin$. If
you share the %systemroot% folder in order to complete this procedure, ensure that you
remove the share point after the procedure is complete in order to maintain any security
policies established on your network. If the Admin$ share has been renamed, then use
the name assigned by your organization instead of Admin$ while completing this
procedure.
Caution
Never copy information from the system volume on one domain controller to the
system volume on another domain controller unless you have stopped the File
Replication service and configured SYSVOL for a non-authoritative restore during
startup. Failure to do so can cause invalid data to be replicated and cause the
system volumes on various domain controllers to become inconsistent.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
3. Connect to the Admin$ share on the domain controller that you identified earlier
as the replication partner from which you plan to copy the SYSVOL folder
structure.
4. Once you are connected to the Admin$ share point, verify that a folder labeled
SYSVOL appears. Right-click the SYSVOL folder, and click Copy.
5. In the same directory, find some blank space and right-click. Click Paste. You
might see a dialog box stating that some files already exist and a prompt asking
whether you want to continue copying the folder. At each such prompt, click No.
6. Verify that the original SYSVOL folder and a new folder labeled Copy of
SYSVOL both appear. Right-click Copy of SYSVOL and click Rename. Type
SYSVOL2 and press ENTER.
7. Open a command prompt. Change to the drive letter that represents the
connection to the remote domain controller where you created the SYSVOL2
folder.
8. Change the directory to SYSVOL2\sysvol.
9. Type dir and press ENTER. Verify that <JUNCTION> appears in the Dir output
and is followed by the name of the domain.
10. You must update the path in this junction so that it points to the new location.
Type the following command:
where newpath is the new value you recorded in row 4 of the table in Gather the
SYSVOL path information. Press ENTER.
11. If the staging area has been relocated and is no longer inside the SYSVOL folder,
skip steps 10 and 11 and proceed to step 12. At a command prompt, change the
directory to \SYSVOL2\staging areas under the copy of SYSVOL that you
created. Type dir to list the contents and verify that <JUNCTION> appears in the
Dir output.
12. Update the junction so that it points to the new location. Type the following
command:
where newpath is the new value that you recorded in row 5 of Table 1 while
gathering system volume path information. Press ENTER.
13. At the command prompt, change back to the %systemroot% for the domain
controller that you are repairing.
14. From the command prompt, use the Xcopy command to copy the contents of
the \SYSVOL2 folder you created to a new SYSVOL folder on your local drive.
Type the following command:
where drive is the letter representing the connection to the remote domain
controller. Press ENTER.
15. Verify that the folder structure copied correctly. Compare the new folder structure
to the SYSVOL (not the SYSVOL2) on the remote domain controller. Open a
command prompt and type dir to list the contents of the folders. Ensure that all
folders exist.
16. Remove the SYSVOL2 folder that you created on the remote domain controller.
17. Disconnect from the remote domain controller. If you had to create a shared
folder on that domain controller in order to connect to it, remove the shared
folder. Some organizations consider it a security risk to retain shared folders that
are not in use.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
3. You can use Event Viewer to verify that NTFRS restarted correctly. Event ID
13501 indicates that the service restarted. Look for event ID 13516 to verify that
the domain controller is running and ready for service. If you moved SYSVOL to
a new location or relocated the Staging Area folder, look for event IDs 13553 and
13556, which indicate success.
In this guide
Acknowledgements
Published: March 2005
What domain controllers are designated as global catalog servers in a particular site?
Adding subsequent global catalog servers within the same site requires only intrasite
replication and does not affect network performance. Replication of the global catalog
potentially affects network performance only when adding the first global catalog server in
the site and the impact varies depending on the following conditions:
The speed and reliability of the wide area network (WAN) link or links to the site.
For example, in a forest that has a large hub site, five domains, and thirty small branch
sites (some of which are connected by only dial-up connections), global catalog
replication to the small sites takes considerably longer than replication of one or two
domains to a few well-connected sites.
In summary, a global catalog server is ready to serve clients when the following events
occur, in this order:
The Net Logon service on the domain controller has updated DNS with global
catalog–specific SRV resource records.
At this point, the global catalog server begins accepting queries on ports 3268 and 3269.
Global Catalog Removal
When you remove the global catalog, the domain controller immediately stops advertising
in DNS as a global catalog server. The KCC gradually removes the read-only replicas
from the domain controller. On domain controllers running Windows Server 2003, the
global catalog partial, read-only directory partitions are removed in the background,
receiving a low priority so that high-priority services are not interrupted.
One reason that you might want to remove the global catalog from a domain controller is
the availability of universal group membership caching in Windows Server 2003, which
might eliminate the requirement for a global catalog server in a particular site.
Minimum hardware requirements for global catalog servers depend upon the numbers of
users in the site. For disk space requirements and directory database storage guidelines,
see "Assessing Disk Space and Memory Requirements" in Designing and Deploying
Directory and Security Services on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=45434).
See Also
Windows Server 2003 Technical Reference
The following tasks for managing the global catalog are described in this objective:
Task Requirements
The following tools are required to perform the procedures for this task:
Repadmin.exe
Dcdiag.exe
To complete this task, perform the following procedures:
Note
Some procedures are performed only when you are configuring the first global
catalog server in a site.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Users group in Active
Directory.
2. In the console tree, expand the Sites container, expand the site of the domain
controller you want to check, expand the Servers container, and then expand the
Server object.
4. On the General tab, if the Global Catalog box is selected, the domain controller
is designated as a global catalog server.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in the
domain where you are configuring the domain controller to be a global catalog server.
2. In the console tree expand the Sites container, and then expand the site in which
you are designating a global catalog server.
3. Expand the Servers container and then expand the Server object for the domain
controller that you want to designate as a global catalog server.
4. Right-click the NTDS Settings object for the target server, and then click
Properties.
5. Select the Global Catalog check box, and then click OK.
The Name Service Provider Interface (NSPI) must be running on a global catalog
server to enable MAPI access to Active Directory. To enable NSPI, you must
restart the global catalog server after replication of the partial directory partitions
is complete, or after occupancy requirements are met.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
Task Requirements
The following tools are required to perform the procedures for this task:
Ldp.exe
Nltest.exe
DNS snap-in
Note
The global catalog server must be restarted after replication has completed and
before readiness is determined.
Administrative Credentials
To perform the following procedures you must be a member of the Domain Users group.
3. In the Connect box, type the name of the server whose global catalog readiness
you want to verify.
5. If the Connectionless box is selected, clear it, and then click OK.
6. In the details pane, verify that the isGlobalCatalogReady attribute has a value of
TRUE.
3. In the Flags: line of the output, if GC appears, then the global catalog server has
satisfied its replication requirements.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Users group.
2. Expand Forward Lookup Zones and then expand the forest root domain.
4. In the details pane, look in the Name column for _gc and in the Data column for
the name of the server. The records that begin with _gc are global catalog SRV
records.
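The three readiness checks above (isGlobalCatalogReady on the server's RootDSE as Ldp.exe shows it, the GC flag in Nltest output, and the _gc SRV records in DNS) for one server, as an added PowerShell example that is not part of the Microsoft guide. It assumes Nltest.exe and nslookup are available and that the Nltest switch combination used here matches the guide's manual step.

```powershell
# Added example, not from the Microsoft guide: report global catalog readiness of one
# server from the same three sources the manual procedures use.

function Test-GlobalCatalogReadiness {
    param([Parameter(Mandatory = $true)][string]$ServerName)

    # 1. RootDSE of the server itself: isGlobalCatalogReady turns TRUE once the
    #    partial partitions have replicated and occupancy requirements are met.
    $rootDse    = [ADSI]"LDAP://$ServerName/RootDSE"
    $isReady    = ([string]$rootDse.Get('isGlobalCatalogReady')) -eq 'TRUE'
    $toFqdn     = { param($dn) ($dn -replace '^DC=', '') -replace ',DC=', '.' }
    $domainFqdn = & $toFqdn ([string]$rootDse.Get('defaultNamingContext'))
    $forestFqdn = & $toFqdn ([string]$rootDse.Get('rootDomainNamingContext'))

    # 2. Nltest run against the server: DsGetDcName on a DC normally returns that DC,
    #    so the Flags: line describes the server (assumption; the DC: line is reported
    #    so you can confirm which DC the flags belong to).
    $nl        = & nltest.exe /server:$ServerName /dsgetdc:$domainFqdn /force 2>&1 | Out-String
    $dcLine    = [regex]::Match($nl, '(?m)^\s*DC:\s*\\\\(\S+)').Groups[1].Value
    $flagsLine = [regex]::Match($nl, '(?m)^\s*Flags:(.*)$').Groups[1].Value
    $gcFlag    = [bool]($flagsLine -match '\bGC\b')

    # 3. DNS: _gc SRV records in the forest root zone that name this server.
    $ns       = & nslookup.exe -type=SRV "_gc._tcp.$forestFqdn" 2>&1 | Out-String
    $srvHosts = @([regex]::Matches($ns, 'svr hostname\s*=\s*(\S+)') |
                  ForEach-Object { $_.Groups[1].Value.TrimEnd('.') })
    $short         = ($ServerName -split '\.')[0]
    $srvRegistered = [bool]($srvHosts | Where-Object { $_ -eq $ServerName -or $_ -like "$short.*" })

    [pscustomobject]@{
        Server               = $ServerName
        IsGlobalCatalogReady = $isReady
        NltestReturnedDc     = $dcLine
        NltestGcFlag         = $gcFlag
        GcSrvRecordHosts     = $srvHosts
        SrvRecordForServer   = $srvRegistered
        ReadyToServe         = $isReady -and $gcFlag -and $srvRegistered   # ports 3268/3269
    }
}

# Constructed example name; substitute the server whose readiness you are verifying.
Test-GlobalCatalogReadiness -ServerName 'dc1.corp.contoso.com' | Format-List
```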
Task Requirements
The following tool is required to perform the procedures for this task:
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in the
domain of the global catalog server.
2. Expand the Sites container, and then expand the site from which you are
removing a global catalog server.
3. Expand the Servers container and then expand the Server object for the domain
controller that you want to remove as a global catalog server.
4. Right-click the NTDS Settings object for the target server, and then click
Properties.
5. If the Global Catalog check box is selected, clear the check box, and then click
OK.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Users group.
2. Right-click Event Viewer (Local), and then click Connect to another computer.
3. In the Select Computer dialog box, click Another computer, type the name of
the server from which you removed the global catalog, and then click OK.
5. Look for NTDS KCC event ID 1268, which indicates that the global catalog is
removed from the local machine.
Administering Operations Master Roles
This guide provides information for administering Active Directory operations master roles
in the Microsoft Windows Server 2003 operating system.
In this guide
The primary domain controller (PDC) emulator. The PDC emulator processes all
replication requests from Microsoft Windows NT 4.0 backup domain controllers. It
also processes all password updates for clients not running Active Directory–enabled
client software, plus any other directory write operations.
The relative identifier (RID) master. The RID master allocates RID pools to all domain
controllers to ensure that new security principals can be created with a unique
identifier.
The infrastructure master. The infrastructure master for a given domain maintains a
list of the security principals for any linked-value attributes.
In addition to the three domain-level operations master roles, two operations master roles
exist in each forest:
The domain naming master, which adds and removes domains and application
partitions to and from the forest.
To perform these functions, the domain controllers hosting these operations master roles
must be consistently available and be located in areas where network reliability is high.
Careful placement of your operations masters becomes more important as you add more
domains and sites to build your forest.
As your environment changes, you must avoid the problems associated with improperly
placed operations master role holders. Eventually, you might need to reassign the roles to
other domain controllers.
Although you can assign the forest-level and domain-level operations master roles to any
domain controller in the forest and domain respectively, improperly placing the
infrastructure master role can cause it to function improperly. Other improper
configurations can increase administrative overhead.
Although you can assign the operations master roles to any domain controller, follow
these guidelines to minimize administrative overhead and ensure the performance of
Active Directory. If a domain controller that is hosting operations master roles fails,
following these guidelines also simplifies the recovery process. Guidelines for role
placement include:
Leave the two forest-level roles on a domain controller in the forest root domain.
The first domain controller created in the forest is assigned the schema master and
domain naming master roles. To ease administration and backup and restore procedures,
leave these roles on the original forest root domain controller. Moving the roles to other
domain controllers does not improve performance. Separating the roles creates
additional administrative overhead when you must identify the standby operations
masters and when you implement a backup and restore policy.
Unlike the PDC emulator role, forest-level roles rarely place a significant burden on the
domain controller. Keep these roles together to provide easy, predictable management.
In addition to hosting the schema master and domain naming master roles, the first
domain controller created in a forest also hosts the global catalog.
The three domain-level roles are assigned to the first domain controller created in a new
domain. Except for the forest root domain, leave the roles at that location. Keep the roles
together unless the workload on your operations master justifies the additional
management burden of separating the roles.
Because all clients prior to Active Directory submit updates to the PDC emulator, the
domain controller holding that role uses a higher number of RIDs. Place the PDC
emulator and RID master roles on the same domain controller so that these two roles
interact more efficiently.
If you must separate the roles, you can still use a single standby operations master for all
three roles. However, you must ensure that the standby is a replication partner of all three
of the role holders.
Backup and restore procedures also become more complex if you separate the roles.
Special care must be taken to restore a domain controller that hosted an operations
master role. By hosting the roles on a single computer, you minimize the steps that are
required to restore a role holder.
Do not host the infrastructure master on a domain controller that is acting as a global
catalog server.
The infrastructure master updates the names of security principals for any domain-named
linked attributes. For example, if a user from one domain is a member of a group in a
second domain and the user’s name is changed in the first domain, then the second
domain is not notified that the user’s name must be updated in the group’s membership
list. Because domain controllers in one domain do not replicate security principals to
domain controllers in another domain, the second domain never becomes aware of the
change. The infrastructure master constantly monitors group memberships, looking for
security principals from other domains. If it finds one, it checks with the security
principal’s domain to verify that the information is updated. If the information is out of
date, the infrastructure master performs the update and then replicates the change to the
other domain controllers in its domain.
Two exceptions apply to this rule. First, if all the domain controllers are global catalog
servers, the domain controller that hosts the infrastructure master role is insignificant
because global catalogs do replicate the updated information regardless of the domain to
which they belong. Second, if the forest has only one domain, the domain controller that
hosts the infrastructure master role is not needed because security principals from other
domains do not exist.
Because it is best to keep the three domain-level roles together, avoid putting any of
them on a global catalog server.
Host the PDC emulator role on a powerful and reliable domain controller to ensure that it
is available and capable of handling the workload. Of all the operations master roles, the
PDC emulator creates the most overhead on the server that is hosting the role. It has the
most intensive daily interaction with other systems on the network. The PDC emulator
has the greatest potential to affect daily operations of the directory.
Domain controllers can become overloaded while attempting to service client requests on
the network, manage their own resources, and handle any specialized tasks such as
performing the various operations master roles. This is especially true of the domain
controller holding the PDC emulator role. Again, clients prior to Active Directory and
domain controllers running Windows NT 4.0 rely more heavily on the PDC emulator than
Active Directory clients and Windows 2000 Server domain controllers. If your networking
environment has clients and domain controllers prior to Active Directory, you might need
to reduce the workload of the PDC emulator.
Reasons for moving the operations master role(s) include inadequate service
performance, failure or decommissioning of a domain controller that hosts an operations
master role, or configuration changes made by an administrator.
The PDC emulator is the operations master role that most impacts the performance of a
domain controller. For clients that do not run Active Directory client software, the PDC
emulator processes requests for password changes, replication, and user authentication.
While providing support for these clients, the domain controller continues to perform its
normal services, such as authenticating Active Directory–enabled clients. As the network
grows, the volume of client requests can increase the workload for the domain controller
that hosts the PDC emulator role and its performance can suffer. To solve this problem,
you can transfer all or some of the operations master roles to another, more powerful
domain controller. Alternately, you may choose to transfer the role to another domain
controller, upgrade the hardware on the original domain controller, and then transfer the
role back again.
In the event of a failure, you must decide if you need to relocate the operations master
roles to another domain controller or wait for the domain controller to be returned to
service. Base that determination on the role that the domain controller hosts and the
expected downtime.
Before permanently taking a domain controller offline, transfer any operations master
roles held by the domain controller to another domain controller.
When you use the Active Directory Installation Wizard to decommission a domain
controller that currently hosts one or more operations master roles, the wizard reassigns
the roles to a different domain controller. When the wizard is run, it determines whether
the domain controller currently hosts any operations master roles. If it detects any
operations master roles, it queries the directory for other eligible domain controllers and
transfers the roles to a new domain controller. A domain controller is eligible to host the
domain-level roles if it is a member of the same domain. A domain controller is eligible to
host a forest-level role if it is a member of the same forest.
Configuration changes
Configuration changes to domain controllers or the network topology can result in the
need to transfer operations master roles. Except for the infrastructure master, you can
assign operations master roles to any domain controller regardless of any other tasks
that the domain controller performs. Do not host the infrastructure master role on a
domain controller that is also acting as a global catalog server unless all of the domain
controllers in the domain are global catalog servers or unless only one domain is in the
forest. If the domain controller hosting the infrastructure master role is configured to be a
global catalog server, you must transfer the infrastructure master role to another domain
controller. Changes to the network topology can result in the need to transfer operations
master roles in order to keep them in a particular site.
You can reassign an operations master role by transfer or, as a last resort, by seizure.
Important
If you must seize an operations master role, never reattach the previous role
holder to the network without following the procedures in this guide. Incorrectly
reattaching the previous role holder to the network can result in invalid data and
corruption of data in the directory.
The following tasks for managing operations master roles are described in this objective:
Configuring a replication partner can save some time if you must reassign any operations
master roles to the standby operations master. Before transferring a role from the current
role holder to the standby operations master, ensure that replication between the two
computers is functioning properly. Because they are replication partners, the new
operations master is as updated as the original operations master, thus reducing the time
required for the transfer operation.
During role transfer, the two domain controllers exchange any unreplicated information to
ensure that no transactions are lost. If the two domain controllers are not direct
replication partners, a substantial amount of information might need to be replicated
before the domain controllers completely synchronize with each other. The role transfer
requires extra time to replicate the outstanding transactions. If the two domain controllers
are direct replication partners, fewer outstanding transactions exist and the role transfer
operation completes sooner.
Designating a domain controller as a standby also minimizes the risk of role seizure. By
making the operations master and the standby direct replication partners, you reduce the
chance of data loss in the event of a role seizure, thereby reducing the chances of
introducing corruption into the directory.
When you designate a domain controller as the standby, follow all recommendations that
are discussed in Guidelines for Role Placement in Introduction to Administering
Operations Master Roles. To designate a standby for the forest-level roles, choose a
global catalog server so it can interact more efficiently with the domain naming master. To
designate a standby for the domain-level roles, ensure that the domain controller is not a
global catalog server so that the infrastructure master continues to function properly if
you must transfer the roles.
Task Requirements
The following tools are required to perform the procedures for this task:
Repadmin.exe
Administrative Credentials
To perform this procedure, you must be a member of the Domain Users group in Active
Directory.
2. In the console tree, expand the Sites container, expand the site of the domain
controller you want to check, expand the Servers container, and then expand the
Server object.
4. On the General tab, if the Global Catalog box is selected, the domain controller
is designated as a global catalog server.
Create a connection object on the current operations master
To help ensure that the current role holder and the standby operations master are
replication partners, you can manually create a Connection object between the two
domain controllers. Even if a Connection object is generated automatically, it is
recommended that you manually create one. The system can alter automatically created
Connection objects at any time. Manually created connections remain the same until an
administrator changes them.
You must know the current operations master role holder to perform the following
procedure. To determine the current operations master role holders, see View the current
operations master role holders.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
2. Expand the site name in which the standby operations master is located to
display the Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that is currently hosting the operations master
role to display its NTDS Settings.
7. In the New Object-Connection dialog box, enter an appropriate name for the
Connection object or accept the default name, and click OK.
Create a connection object on the standby operations master
To help ensure that the current role holder and the standby operations master are
replication partners, you can manually create a Connection object between the two
domain controllers. Even if a Connection object is generated automatically, it is
recommended that you manually create one. The system can alter automatically created
Connection objects at any time. Manually created connections remain the same until an
administrator changes them.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
2. Expand the site name in which the standby operations master is located to
display the Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that you want to be the standby operations
master to display its NTDS Settings.
6. In the Find Domain Controllers dialog box, select the name of the current role
holder, and then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the
Connection object or accept the default name, and click OK.
If @ [Never] appears in the output for a directory partition, replication of that directory
partition has never succeeded from the identified source replication partner over the
listed connection.
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group in the
domain of the destination domain controller.
3. When you are prompted for a password, type the password for the user account
that you provided, and then press ENTER.
You can also use Repadmin to generate the details of replication to and from all
replication partners in a spreadsheet. The spreadsheet displays data in the following
columns:
Showrepl_COLUMNS
Destination DC Site
Destination DC
Naming Context
Source DC Site
Source DC
Transport Type
Number of Failures
The following procedure shows how to create this spreadsheet and set column headers
for improved readability.
To hide the column, on the Format menu, click Column, and then click Hide.
Or
To delete the column, right-click the selected column, and then click Delete.
7. Select row 1 beneath the column heading row, and then, on the Window menu,
click Freeze Panes.
8. Select the entire spreadsheet. On the Data menu, click Filter, and then click
AutoFilter.
9. In the Last Success Time column, click the down arrow, and then click Sort
Ascending.
10. In the Source DC column, click the down arrow, and then click Custom.
11. In the Custom AutoFilter dialog box, under Show rows where, click does not
contain. In the adjacent text box, type del to eliminate from view the results for
deleted domain controllers.
12. Repeat step 10 for the Last Failure Time column, but use the value does not
equal, and type the value 0.
13. Resolve replication failures.
The last successful attempt should agree with the replication schedule for intersite
replication, or the attempt should be within the last hour for intrasite replication.
If Repadmin reports any of the following conditions, see Troubleshooting Active Directory
Replication Problems:
The last successful intersite replication was prior to the last scheduled replication.
The last intrasite replication was longer than one hour ago.
See Also
Troubleshooting Active Directory Replication Problems
In addition, you must determine whether the domain controller that you intend to have
assume an operations master role is a global catalog server. Keep in mind that the
infrastructure master for each domain must not host the global catalog.
Do not change the global catalog configuration on the domain controller that you intend to
assume an operations master role unless your IT management authorizes that change.
Changing the global catalog configuration can cause changes that can take days to
complete, and the domain controller might not be available during that period. Instead,
transfer the operations master roles to a different domain controller that is already
properly configured.
Transferring to a standby ops master
By following the recommendations for operations master role placement, the standby
operations master is a direct replication partner and is ready to assume the roles.
Remember to designate a new standby for the domain controller that assumes the roles.
If you do not follow the recommendations for role placement and you have not
designated a standby operations master, you must properly prepare a domain controller
to which you intend to transfer the operations master roles. Preparing the future role
holder is the same process as preparing a standby operations master. You must manually
create a Connection object to ensure that it is a replication partner with the current role
holder and that replication between the two domain controllers is updated.
In addition, you must determine whether the domain controller intended to assume an
operations master role is a global catalog server. The infrastructure master for each
domain must not host the global catalog.
Task Requirements
The following tools are required to perform the procedures for this task:
Repadmin.exe
Ntdsutil.exe
If @ [Never] appears in the output for a directory partition, replication of that directory
partition has never succeeded from the identified source replication partner over the
listed connection.
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group in the
domain of the destination domain controller.
3. When you are prompted for a password, type the password for the user account
that you provided, and then press ENTER.
You can also use Repadmin to generate the details of replication to and from all
replication partners in a spreadsheet. The spreadsheet displays data in the following
columns:
Showrepl_COLUMNS
Destination DC Site
Destination DC
Naming Context
Source DC Site
Source DC
Transport Type
Number of Failures
The following procedure shows how to create this spreadsheet and set column headers
for improved readability.
To generate a repadmin /showrepl spreadsheet for all replication partners
1. Open a Command Prompt.
4. On the File menu, click Open, navigate to showrepl.csv, and then click Open.
To hide the column, on the Format menu, click Column, and then click Hide.
Or
To delete the column, right-click the selected column, and then click Delete.
7. Select row 1 beneath the column heading row, and then, on the Window menu,
click Freeze Panes.
8. Select the entire spreadsheet. On the Data menu, click Filter, and then click
AutoFilter.
9. In the Last Success Time column, click the down arrow, and then click Sort
Ascending.
10. In the Source DC column, click the down arrow, and then click Custom.
11. In the Custom AutoFilter dialog box, under Show rows where, click does not
contain. In the adjacent text box, type del to eliminate from view the results for
deleted domain controllers.
12. Repeat step 10 for the Last Failure Time column, but use the value does not
equal, and type the value 0.
The last successful attempt should agree with the replication schedule for intersite
replication, or the attempt should be within the last hour for intrasite replication.
If Repadmin reports any of the following conditions, see Troubleshooting Active Directory
Replication Problems:
The last successful intersite replication was prior to the last scheduled replication.
The last intrasite replication was longer than one hour ago.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Users group in Active
Directory.
2. In the console tree, expand the Sites container, expand the site of the domain
controller you want to check, expand the Servers container, and then expand the
Server object.
4. On the General tab, if the Global Catalog box is selected, the domain controller
is designated as a global catalog server.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group in Active Directory.
Regsvr32 schmmgmt.dll
3. Click Start, click Run, type mmc /a, and then click OK.
4. On the File menu, click Add/Remove Snap-in, and then click Add.
a. Right-click Start, click Open All Users, double-click the Programs folder,
and then double-click the Administrative Tools folder.
c. In the Create Shortcut Wizard, in Type the location of the item, type
schmmgmt.msc, and then click Next.
d. On the Select a Title for the Program page, in Type a name for this
shortcut, type Active Directory Schema, and then click Finish.
Caution
Modifying the schema is an advanced operation best performed by experienced
programmers and system administrators. For detailed information about
modifying the schema, see the Active Directory Programmer's Guide at the
Microsoft Web site.
Administrative Credentials
2. In the console tree, right-click Active Directory Schema, and click Change
Domain Controller.
3. In the Change Domain Controller dialog box, click Specify Name. Then, in the
text box, type the name of the server to which you want to transfer the schema
master role. Click OK.
5. Click Change. Click Yes to confirm your choice. The system confirms the
operation. Click OK again to confirm that the operation succeeded.
Note
Hosting the infrastructure master on a global catalog server is not
recommended. If you attempt to transfer the infrastructure master role to
a domain controller that is a global catalog, the system displays a
warning stating that this is not recommended.
Administrative Credentials
To perform this procedure, you must be a member of the Enterprise Admins group in
Active Directory.
2. In the console tree, right-click Active Directory Domains and Trusts, and then
click Connect to Domain Controller.
3. Ensure that the proper domain name is entered in the Domain box.
4. In the Name column, click the domain controller (to select it) to which you want to
transfer the role. Click OK.
5. Right-click Active Directory Domains and Trusts, and then click Operations
Master.
6. The name of the current domain naming master appears in the first text box. The
server to which you want to transfer the role should appear in the second text
box. If this is not the case, repeat steps 1 through 4.
7. Click Change. To confirm the role transfer, click Yes. Click OK again to close the
message box indicating the transfer took place. Click Close to close the Change
Operations Master dialog box.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
2. At the top of the console tree, right-click Active Directory Users and
Computers. Click Connect to Domain Controller.
3. In the list of available domain controllers, click the name of the server to which
you want to transfer the role, and then click OK.
4. At the top of the console tree, right-click Active Directory Users and
Computers, point to All Tasks, and then click Operations Masters.
The name of the current operations master role holder appears in the
Operations master box. The name of the server to which you want to transfer
the role appears in the lower box.
5. Click the tab for the role you want to transfer: RID, PDC, or Infrastructure. Verify
the computer names that appear and then click Change. Click Yes to transfer the
role, and then click OK.
6. Repeat steps 4 and 5 for each role that you want to transfer.
To view the current operations master role holders, use Ntdsutil.exe with the roles option.
This option displays a list of all current role holders.
Administrative Credentials
5. After receiving confirmation of the connection, type quit and press ENTER to exit
this menu.
6. At the fsmo maintenance: prompt, type select operation target and press
ENTER.
7. At the select operations target: prompt, type list roles for connected server
and press ENTER.
The system responds with a list of the current roles and the Lightweight Directory
Access Protocol (LDAP) name of the domain controllers currently assigned to
host each role.
8. Type quit and press ENTER to exit each prompt in Ntdsutil.exe. Type quit and
press ENTER at the ntdsutil: prompt to close the window.
Role seizure can create two conditions that can cause problems in the directory. It is for
this reason that role seizure should be performed only as a last resort. First, the new role
holder starts performing its duties based on the data located in its current directory
partition. The new role holder might not receive changes that were made to the previous
role holder before it went offline if replication did not complete prior to the time when the
original role holder went offline. This can cause data loss or introduce data inconsistency
into the directory database.
To minimize the risk of losing data to incomplete replication, do not perform a role seizure
until enough time has passed to complete at least one complete end-to-end replication
cycle across your network. Allowing enough time for complete end-to-end replication
ensures that the domain controller that assumes the role is as up-to-date as possible.
Second, the original role holder is not informed that it is no longer the operations master
role holder, which is not a problem if the original role holder stays offline. However, if it
comes back online (for example, if the hardware is repaired or the server is restored from
a backup), it might try to perform the operations master role that it previously owned. This
can result in two domain controllers performing the same operations master role
simultaneously. Depending on the role that was seized, the severity of duplicate
operations master roles varies from no visible effect to potential corruption of the Active
Directory database. Seize the operations master role to a domain controller that has the
most recent updates from the current role holder to minimize the impact of the role
seizure.
Task Requirements
Repadmin.exe
Ntdsutil.exe
This needs to be the domain controller that will be seizing the role.
If @ [Never] appears in the output for a directory partition, replication of that directory
partition has never succeeded from the identified source replication partner over the
listed connection.
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group in the
domain of the destination domain controller.
3. When you are prompted for a password, type the password for the user account
that you provided, and then press ENTER.
You can also use Repadmin to generate the details of replication to and from all
replication partners in a spreadsheet. The spreadsheet displays data in the following
columns:
Showrepl_COLUMNS
Destination DC Site
Destination DC
Naming Context
Source DC Site
Source DC
Transport Type
Number of Failures
The following procedure shows how to create this spreadsheet and set column headers
for improved readability.
4. On the File menu, click Open, navigate to showrepl.csv, and then click Open.
Or
To delete the column, right-click the selected column, and then click Delete.
7. Select row 1 beneath the column heading row, and then, on the Window menu,
click Freeze Panes.
8. Select the entire spreadsheet. On the Data menu, click Filter, and then click
AutoFilter.
9. In the Last Success Time column, click the down arrow, and then click Sort
Ascending.
10. In the Source DC column, click the down arrow, and then click Custom.
11. In the Custom AutoFilter dialog box, under Show rows where, click does not
contain. In the adjacent text box, type del to eliminate from view the results for
deleted domain controllers.
12. Repeat step 10 for the Last Failure Time column, but use the value does not
equal, and type the value 0.
The last successful attempt should agree with the replication schedule for intersite
replication, or the attempt should be within the last hour for intrasite replication.
If Repadmin reports any of the following conditions, see Troubleshooting Active Directory
Replication Problems:
The last successful intersite replication was prior to the last scheduled replication.
The last intrasite replication was longer than one hour ago.
See Also
Troubleshooting Active Directory Replication Problems
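The showrepl spreadsheet check above is repeated, with the same steps, in the standby, transfer and seizure tasks; instead of filtering it by hand in a spreadsheet, the same rules can be applied in a script. The following Python program is an added example, not part of this guide and not a Repadmin feature. It parses constructed sample lines in the shape of repadmin /showrepl /csv output and applies the guide's rules: hide links whose source is a deleted domain controller, report any recorded failure, report partitions that have never replicated, and report a last success older than one hour for intrasite links or older than the replication schedule (assumed to be three hours here) for intersite links. The three trailing columns (Last Failure Time, Last Success Time, Last Failure Status), the "showrepl_INFO" row tag and the timestamp format are assumptions about the CSV layout; the domain controller names, sites and times are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of "repadmin /showrepl * /csv" output; it was not captured from
# a real forest. The first eight column names are the ones the guide lists; the three
# trailing columns are assumed because the spreadsheet steps sort and filter on them.
# Naming contexts contain commas, so they are quoted. The last row's source is a
# deleted domain controller object (the "0ADEL" marker) that step 11 of the procedure
# hides from view.
SAMPLE_CSV = r"""showrepl_COLUMNS,Destination DC Site,Destination DC,Naming Context,Source DC Site,Source DC,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC01,"DC=corp,DC=example,DC=com",HQ,DC02,RPC,0,0,2005-05-17 09:40:00,0
showrepl_INFO,HQ,DC01,"DC=corp,DC=example,DC=com",HQ,DC03,RPC,0,0,2005-05-17 07:05:00,0
showrepl_INFO,HQ,DC01,"CN=Configuration,DC=corp,DC=example,DC=com",Branch,DC10,RPC,3,2005-05-17 09:30:00,2005-05-16 22:00:00,1722
showrepl_INFO,HQ,DC01,"CN=Schema,CN=Configuration,DC=corp,DC=example,DC=com",Branch,DC11,RPC,0,0,0,0
showrepl_INFO,HQ,DC01,"DC=corp,DC=example,DC=com",HQ,DC04\0ADEL:0bf4-placeholder,RPC,5,2005-05-17 09:00:00,0,8524
"""

# Fixed "current time" so the example is reproducible; a real run would use datetime.now().
REFERENCE_NOW = datetime(2005, 5, 17, 10, 0, 0)

# Values that mean "never": "0" in the CSV form (per step 12 of the procedure) and
# "@ [Never]" in the text form of /showrepl. Accepting both is an assumption.
NEVER = {"0", "@ [Never]", ""}


def parse_showrepl(csv_text):
    """Return one dict per replication link, keyed by the header row's column names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def is_deleted_source(row):
    """Step 11 of the procedure: hide links whose source is a deleted domain controller."""
    return "del" in row["Source DC"].lower()


def check_replication(rows, now=REFERENCE_NOW,
                      intersite_schedule=timedelta(hours=3),
                      intrasite_max=timedelta(hours=1)):
    """Apply the guide's health rules to every non-deleted link and return findings.

    Each finding is (kind, source_dc, naming_context, detail), where kind is:
      "failure" - a recorded failure (Number of Failures > 0 or Last Failure Time != 0)
      "never"   - the partition has never replicated from this source
      "stale"   - last success older than one hour (intrasite) or older than the
                  intersite schedule interval (assumed to be three hours here)
    """
    findings = []
    for row in rows:
        if is_deleted_source(row):
            continue
        src, nc = row["Source DC"], row["Naming Context"]
        if int(row["Number of Failures"]) > 0 or row["Last Failure Time"] not in NEVER:
            findings.append(("failure", src, nc, "status " + row["Last Failure Status"]))
        last_success = row["Last Success Time"]
        if last_success in NEVER:
            findings.append(("never", src, nc, "no successful replication recorded"))
            continue
        age = now - datetime.strptime(last_success, "%Y-%m-%d %H:%M:%S")
        same_site = row["Source DC Site"] == row["Destination DC Site"]
        limit = intrasite_max if same_site else intersite_schedule
        if age > limit:
            findings.append(("stale", src, nc, "last success %s ago (limit %s)" % (age, limit)))
    return findings


if __name__ == "__main__":
    for kind, src, nc, detail in check_replication(parse_showrepl(SAMPLE_CSV)):
        print("%-8s %-6s %-55s %s" % (kind.upper(), src, nc, detail))
```

On the constructed sample the script reports DC03 as stale (intrasite, last success almost three hours ago), DC10 as both failed and stale (intersite, failure status 1722), and DC11 as never replicated; the deleted DC04 source is skipped. Any finding maps to the "see Troubleshooting Active Directory Replication Problems" condition in the text.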
When using Ntdsutil.exe to seize an operations master role, the procedure is nearly
identical for all roles. For more information about using Ntdsutil.exe, type ? at the
Ntdsutil.exe command prompt.
Administrative Credentials
To perform this procedure, you must be a member of either the Domain Admins group or
the Enterprise Admins group in Active Directory.
To seize an operations master role
1. Click Start, click Run, type ntdsutil, and then press ENTER.
5. After you receive confirmation of the connection, type quit and press ENTER.
6. Depending on the role you want to seize, at the fsmo maintenance: prompt,
type the appropriate command and press ENTER.
The system asks for confirmation. It then attempts to transfer the role. When the
transfer fails, some error information appears and the system proceeds with the
seizure. After the seizure is complete, a list of the roles and the LDAP name of
the server that currently holds each role appears.
During seizure of the RID master, the current role holder attempts to synchronize
with its replication partners. If it cannot establish a connection with a replication
partner during the seizure operation, it displays a warning and confirms that you
want the role seizure to proceed. Click Yes to proceed.
7. Type quit and press ENTER. Type quit again and press ENTER to exit
Ntdsutil.exe.
View the current operations master role holders
After an operations master role has been transferred, verify that the transfer has
succeeded throughout the domain. The change takes effect only after it has been
replicated to all relevant domain members.
To view the current operations master role holders, use Ntdsutil.exe with the roles option.
This option displays a list of all current role holders.
Administrative Credentials
To perform this procedure, you must be logged on as a User or an Administrator.
5. After receiving confirmation of the connection, type quit and press ENTER to exit
this menu.
6. At the fsmo maintenance: prompt, type select operation target and press
ENTER.
7. At the select operations target: prompt, type list roles for connected server
and press ENTER.
The system responds with a list of the current roles and the Lightweight Directory
Access Protocol (LDAP) name of the domain controllers currently assigned to
host each role.
8. Type quit and press ENTER to exit each prompt in Ntdsutil.exe. Type quit and
press ENTER at the ntdsutil: prompt to close the window.
Reducing the workload on the PDC emulator master
In addition to processing the normal domain controller load from clients, the PDC emulator
must also process password changes. To reduce the load that normal domain controller
traffic places on the PDC emulator, you can shield it so that client requests are
distributed to other domain controllers that are capable of processing them.
You can configure DNS so that a domain controller is queried less frequently than others.
Reducing the number of client requests helps reduce the workload on a domain
controller, giving it more time to function as an operations master, and is especially
important for the PDC emulator. Of all the operations master roles, the PDC role has the
highest impact on the domain controller hosting that role.
To receive information from the domain, a client uses DNS to locate a domain controller
and then sends the request to that domain controller. By default, DNS performs
rudimentary load balancing and randomizes the distribution of client requests so they are
not always sent to the same domain controller. If too many client requests are sent to a
domain controller while it attempts to perform other duties, such as those of the PDC
emulator, it can become overloaded, which has a negative impact on performance. To
reduce the number of client requests that are processed by the PDC emulator, you can
adjust its weight or its priority in the DNS environment.
To prevent clients from sending all requests to a single domain controller, each domain
controller is assigned a priority value. Clients always send requests to the domain
controllers that have the lowest priority value. If more than one domain controller has the
same value, the clients choose randomly from the group of domain controllers with that
value. If no domain controller with the lowest priority value is available, the clients
send requests to the domain controllers with the next priority value in ascending order.
A domain controller's priority value is stored in its registry. When the domain controller
starts, the Net Logon service registers with the DNS server. The priority value is
registered with the rest of its DNS information. When a client uses DNS to discover a
domain controller, the priority for a given domain controller is returned to the client with
the rest of the DNS information. The client uses the priority value to help determine to
which domain controller to send requests.
The value is stored in the LdapSrvPriority registry entry. The default value is 0, but it can
range from 0 through 65535.
Note
A lower value entered for LdapSrvPriority indicates a higher priority. A domain
controller with an LdapSrvPriority setting of 100 has a lower priority than a
domain controller with a setting of 10. Therefore, clients attempt to use the
domain controller with the setting of 10 first.
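To see how the priority and weight values affect which domain controller clients choose, the following Python simulation is an added example; it is not part of this guide and does not query DNS. It implements the selection rule described above (the lowest LdapSrvPriority value wins, a random choice is made among servers with the same value, and a higher value is used only when no lower-value server is available) and, as an assumption the page does not spell out, RFC 2782 weighted random selection among servers of equal priority for LdapSrvWeight. The domain controller names and registry values are constructed.

```python
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class DcSrvRecord:
    """One domain controller's SRV registration as Net Logon publishes it in DNS."""
    name: str
    priority: int  # from LdapSrvPriority: lower number wins; 0 to 65535, default 0
    weight: int    # from LdapSrvWeight: relative share among equal-priority servers


def pick_domain_controller(records, available, rng):
    """Choose one domain controller the way the text describes client selection.

    Only servers named in `available` are considered; the rest are treated as
    unreachable. The lowest priority value among the available servers wins
    outright, and ties are broken by a weighted random choice (RFC 2782 style,
    assumed here). Returns None when no server is available.
    """
    candidates = [r for r in records if r.name in available]
    if not candidates:
        return None
    best = min(r.priority for r in candidates)
    group = [r for r in candidates if r.priority == best]
    weights = [r.weight for r in group]
    if sum(weights) == 0:            # all-zero weights: treat the servers as equal
        return rng.choice(group)
    return rng.choices(group, weights=weights, k=1)[0]


def selection_share(records, available, draws=10000, seed=1):
    """Fraction of `draws` simulated client lookups that land on each server."""
    rng = random.Random(seed)        # fixed seed so results are reproducible
    names = []
    for _ in range(draws):
        chosen = pick_domain_controller(records, available, rng)
        if chosen is not None:
            names.append(chosen.name)
    counts = Counter(names)
    return {name: count / draws for name, count in counts.items()}


# Constructed forest: DC01 is the PDC emulator, DC02 and DC03 are ordinary DCs.
# Variant 1: DC01 registered with LdapSrvPriority=100, so clients use it only when
# no priority-0 server is available.
PDC_DEMOTED_BY_PRIORITY = [
    DcSrvRecord("DC01", priority=100, weight=100),
    DcSrvRecord("DC02", priority=0, weight=100),
    DcSrvRecord("DC03", priority=0, weight=100),
]

# Variant 2: equal priority everywhere, but DC01 registered with LdapSrvWeight=10
# against 100 for the others, so it receives roughly 10/210 of the requests.
PDC_LIGHTENED_BY_WEIGHT = [
    DcSrvRecord("DC01", priority=0, weight=10),
    DcSrvRecord("DC02", priority=0, weight=100),
    DcSrvRecord("DC03", priority=0, weight=100),
]


if __name__ == "__main__":
    everyone = {"DC01", "DC02", "DC03"}
    print("priority 100 on PDC, all DCs up: ", selection_share(PDC_DEMOTED_BY_PRIORITY, everyone))
    print("priority 100 on PDC, only PDC up:", selection_share(PDC_DEMOTED_BY_PRIORITY, {"DC01"}))
    print("weight 10 on PDC, all DCs up:    ", selection_share(PDC_LIGHTENED_BY_WEIGHT, everyone))
```

The priority variant removes the PDC emulator from client traffic entirely while any priority-0 domain controller answers, and still lets clients reach it when the others are down; the weight variant keeps it in rotation but at a small share. Priority is therefore the stronger lever and weight the gentler one, which matches the two registry procedures that follow.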
Task Requirements
The following tool is required to perform the procedures for this task:
Regedit.exe
Caution
The Registry Editor bypasses standard safeguards, allowing settings that can
damage your system or even require you to reinstall Windows. If you must edit
the registry, back up system state first. For information about backing up system
state, see Administering Active Directory Backup and Restore.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
4. For the new value name, type LdapSrvWeight, and press ENTER.
5. Double-click the value name that you just typed to open the Edit DWORD Value
dialog box.
8. Click File, and then click Exit to close the Registry Editor.
Change the priority for DNS SRV records in the registry
Use this procedure to reduce the workload on the PDC emulator master by changing the
priority for DNS SRV records in the registry.
Caution
The Registry Editor bypasses standard safeguards, allowing settings that can
damage your system or even require you to reinstall Windows. If you must edit
the registry, back up system state first. For information about backing up system
state, see Administering Active Directory Backup and Restore.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
4. For the new value name, type LdapSrvPriority, and press ENTER.
5. Double-click the value name that you just typed to open the Edit DWORD Value
dialog box.
8. Click File, and then click Exit to close the Registry Editor.
Administering Active Directory Backup and Restore
This Administering Active Directory Backup and Restore guide provides information about
administering Active Directory backup and restore in the Microsoft Windows Server 2003
operating system.
In this guide
System startup (boot) files. These files are required for Windows Server 2003 to start.
System registry
Class registration database of component services. The Component Object Model
(COM) is a binary standard for writing component software in a distributed systems
environment.
System volume (SYSVOL). SYSVOL provides a default location for files that must be
shared for common access throughout a domain. The SYSVOL folder on a domain
controller contains the following:
Net Logon shared folders. These folders usually host user logon scripts and
policy settings for network clients that are running pre–Windows 2000 operating
systems.
File Replication service (FRS) staging directories and files that are required to be
available and synchronized between domain controllers.
If you installed Windows Clustering or Certificate Services on your domain controller, they
are also backed up as part of system state. Details of these components are not
discussed in this guide.
Restore Active Directory data that becomes lost. By using an authoritative restore
process, you can restore individual objects or sets of objects (containers or directory
partitions) from their deleted state.
Important
You should not modify system clocks in an attempt to improperly extend the
useful life of a system state backup.
System state restore should be undertaken as a last resort, not as the primary method of
recovering from an error or failure condition.
Backup Guidelines
The following guidelines for backup include the performance of appropriate backups to
ensure redundancy of Active Directory data:
Perform normal backup. Normal backup is the only type of backup that is available
and supported for Active Directory. The Backup tool in Windows Server 2003
supports multiple types of backup: normal, copy, incremental, differential, and daily.
You must use normal backup because Active Directory is backed up as part of
system state.
Perform daily backups of each unique partition on at least two unique domain
controllers, with special emphasis on single-domain controller forests, single-domain
controller domains, and empty root domains.
Where partitions exist in only one site, you can ship backup files offsite to a secure
location so that no backup file of a unique directory partition exists in only one
physical site at any point in time. This provides an extra level of redundancy.
Make sure your backups are stored in a secure location at all times.
Back up Domain Name System (DNS) zones. You must be aware of the location of
DNS zones and back up DNS servers accordingly. If you use Active Directory-integrated
DNS, DNS zone data is captured as part of system state on domain controllers that are
also DNS servers.
If you do not use Active Directory-integrated DNS, you must back up the zone file
directories on a representative set of DNS servers for each DNS zone to ensure fault
tolerance for the zone.
Note
The DNS server stores settings in the registry, so system state backup is
required for DNS regardless of whether the zone data is Active Directory-integrated
or stored in the file system.
If you have application partitions in your forest, make sure that you take a backup of
the domain controllers that hold those application partitions.
The elapsed time that it takes to perform either of the following tasks would be
cost-prohibitive because of slow link speeds, the size of the directory database,
or both:
Or
To copy or transport a system state backup from a site where a backup exists to
a site that has no backup, for the purpose of performing an installation from
backup media.
Note
A backup can be used to restore only the domain controller on which the backup
was generated or to create a new additional domain controller in the same
domain by installing from backup media. A backup cannot be used to restore a
different domain controller or to restore a domain controller onto different
hardware. Likewise, a backup that is made on a domain controller running
Windows 2000 Server cannot be used to restore a domain controller running
Windows Server 2003.
Backup Frequency
Backup frequency depends on criteria that vary for individual environments. In most
Active Directory environments, users, computers, and administrators make daily changes
to directory objects. For example, computer accounts, including domain controller
accounts, change their passwords every 30 days by default. Therefore, every day a
percentage of computer passwords changes for domain controllers. Rolling the computer
password of a domain controller back to a former state affects authentication and
replication. A percentage of user passwords might also expire on a daily basis, and if they
are lost as a result of domain controller failure, they must be reset manually. Generally,
no record of these changes exists except in Active Directory. Therefore, the more
frequently you back up domain controllers, the fewer problems you will encounter if you
need to restore.
The more Active Directory objects and domain controllers you have, the more frequent
your backups should be. For example, in a large organization, to recover from the
inadvertent deletion of a large organizational unit (OU) by restoring the domain from a
backup that is days or weeks old, you might have to re-create hundreds of accounts that
were created in that OU since the backup was taken. To avoid re-creating accounts and
potentially performing large numbers of manual password resets, ensure that recent
system state backups are always available to recover recent Create, Modify, and Delete
operations.
Frequency Criteria
Use the following criteria to assess backup frequency:
Small environments with a single domain controller in the forest, or domains that exist
in a single physical location (that is, that have a single point of failure): create
backups at least daily.
Medium (10 to 49 domain controllers) and large environments (50 to 1,000 or more
domain controllers): Create backups of each unique directory partition in the forest on
two different computers at least daily with an emphasis on backing up application
directory partitions, empty root domains, domain partitions in a single geographic site,
and sites that have large populations of users or that host mission-critical work.
Make backups with increasing frequency until you are confident that if you were to lose
the objects that were created or modified since the last backup, the loss would not create
an operational disruption. For this reason, major changes to the environment should
always be immediately followed by a new system state backup.
Note
It is always recommended that you have at least two domain controllers in each
domain of your Active Directory forest.
Immediate Backup
In addition to regularly scheduled backups, perform an immediate backup when:
You have moved the Active Directory database, log files, or both to a different
location on a disk.
A domain controller is upgraded from Windows 2000 Server to Windows Server 2003
or there are any other operating system upgrades.
A Service Pack is installed.
A current backup is required for installing from backup media for a new domain
controller.
By default, the value of Backup Latency Threshold (days) is half the value of the
tombstone lifetime of the forest. If halfway through the tombstone lifetime a directory
partition has not been backed up, event ID 2089 is logged in the Directory Service event
log and continues daily until the directory partition is backed up.
The fully qualified computer name that includes the domain name of the domain
controller on which the backup was performed
For example, you might use a file name format that is similar to the following:
X:\Fully_Qualified_Computer_Name.Build_Number.Service_Pack_Revision.[No]GC.[No]MD5.TSL.YYYYMMDD.bkf
where
Service_Pack_Revision is the service pack build number and the service pack
version for the operating system that was backed up.
[No]GC indicates whether the backup originated from a global catalog or not.
[No]MD5 indicates whether the system state backup contains MD5 checksum data
for the files and folders in the SYSVOL tree. For more information about the need for
MD5 data, see Preparing a Server Computer for Shipping and Installation from
Backup Media.
TSL is the value in days for the tombstoneLifetime attribute when the backup was
performed. The tombstoneLifetime attribute for the forest determines both the
useful life of a system state backup and how frequently garbage collection occurs.
(Garbage collection removes tombstones from the directory permanently when their
tombstone lifetime expires.)
YYYYMMDD is the year, month, and day that the backup was performed.
For example, suppose that you create a system state backup of a global catalog domain
controller on July 1, 2005. The domain controller is in the Contoso.com domain, and its
name is DC1. The value of the tombstone lifetime is 60 days, and MD5 data is included in
the backup. In this scenario, you might use a file name that is similar to the following:
DC1.CONTOSO.COM.3790.SP0.GC.MD5.60.2005.07.01.BKF
A system state backup that you make of DC1 on July 1, 2005, remains valid until
August 29, 2005. For the next 60 days, you can use the backup to restore an existing
domain controller or to install an additional domain controller in the Contoso.com domain.
You can save the .bkf file to a local volume or to a network share. The network share can
be on a server computer that can be installed later as a domain controller by using the
restored backup. For more information about using restored backup media for installing
domain controllers, see Installing a Domain Controller in an Existing Domain Using
Restored Backup Media.
Task requirements
The following tools are required to perform the procedures for this task:
To complete this task, perform one of the following procedures, depending on your
backup needs:
Back up system state
See Also
Installing a Domain Controller in an Existing Domain Using Restored Backup Media
Use these procedures to back up the system state only. These procedures do not back
up the system disk or any other data on the domain controller except for the system-
protected files.
Use the first procedure, "To back up system state including system-protected files," for
routine system state backup. Use the second procedure, "To back up system state
excluding system-protected files," if you want to create a smaller backup that is effective
for installing domain controllers from restored backup media.
Note
To back up system state, you must log on locally to the domain controller, or
Remote Desktop must be enabled on the remote domain controller so that you
can connect remotely.
Administrative credentials
To perform the following two procedures, you must be a member of the Domain
Admins group or a member of the Backup Operators group.
This procedure provides steps for backing up in Wizard Mode. By default, the
Always Start in Wizard Mode check box is selected in the Backup or Restore
Wizard. If the Welcome to the Backup Utility Advanced Mode page appears,
click Wizard Mode to open the Backup or Restore Wizard.
4. Select Let me choose what to back up, and then click Next.
6. In the expanded list below My Computer, check System State, and then click
Next.
If you are backing up to a file, type the path and file name for the backup
(.bkf) file (or click Browse to find a folder or file).
If you are backing up to a tape unit, choose the tape that you want to use.
Note
You should not store the backup on the local hard drive. Instead,
store it in a location, such as a tape drive, away from the computer
that you are backing up.
10. Do not change the default options for Type of Backup. Normal should be
selected, and the check box for Backup migrated remote storage data should
remain cleared. Click Next.
11. Select Verify data after backup, and then click Next.
12. In the Backup Options dialog box, select a backup option, and then click Next.
13. If you are replacing the existing backups, select the option to allow only the
owner and administrator access to the backup data and to any backups that are
appended to this medium, and then click Next.
14. In the When to back up box, select the appropriate option for your needs, and
then click Next.
15. If you are satisfied with all of the options that are selected, click Finish to perform
the backup operation according to your selected schedule.
Note
The system state can also be backed up by using Ntbackup from a
command line with appropriate parameters. For more information, at a
command prompt type ntbackup /?.
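The naming convention, the Ntbackup command line mentioned in the note, the tombstone-lifetime validity rule and the event ID 2089 latency warning, pulled together in one script. This is an added example and not code from the guide; it assumes it runs on the domain controller being backed up, that Ntbackup.exe is on the path, and that \\backupsrv\adbackups is a placeholder for a share that is not on the local disk.

```powershell
# Added example (not part of the Microsoft guide). Assumes it runs on the domain
# controller itself, Ntbackup.exe is on the path, and \\backupsrv\adbackups is a
# placeholder share away from the local disk.

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime is stored on the Directory Service object in the
    # configuration partition; when the attribute is absent the forest uses 60 days.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $dsObject = [ADSI]('LDAP://CN=Directory Service,CN=Windows NT,CN=Services,' +
                       [string]$rootDse.configurationNamingContext)
    $value = $dsObject.Properties['tombstoneLifetime'].Value
    if ($value) { return [int]$value } else { return 60 }
}

function New-SystemStateBackupName {
    param(
        [string]$BackupRoot,
        [int]$TombstoneLifetimeDays,
        [bool]$IncludesMd5 = $false,     # set when SYSVOL MD5 data is included
        [datetime]$Date = (Get-Date)
    )
    $cs = Get-WmiObject Win32_ComputerSystem
    $os = Get-WmiObject Win32_OperatingSystem
    $fqdn = "$($cs.DNSHostName).$($cs.Domain)"
    $isGc = ([string]([ADSI]'LDAP://RootDSE').isGlobalCatalogReady) -eq 'TRUE'
    $gc  = if ($isGc) { 'GC' } else { 'NoGC' }
    $md5 = if ($IncludesMd5) { 'MD5' } else { 'NoMD5' }
    # FQDN.Build.SPn.[No]GC.[No]MD5.TSL.YYYYMMDD.bkf, following the guide's convention
    $name = '{0}.{1}.SP{2}.{3}.{4}.{5}.{6}.bkf' -f $fqdn, $os.BuildNumber,
            $os.ServicePackMajorVersion, $gc, $md5, $TombstoneLifetimeDays,
            $Date.ToString('yyyyMMdd')
    return Join-Path $BackupRoot $name
}

function Backup-SystemState {
    param([string]$BackupFile, [string]$JobName = 'AD system state')
    # /M normal -> Type of Backup stays Normal (the wizard default the guide keeps)
    # /V:yes    -> Verify data after backup
    # /R:yes    -> restrict access to the owner and Administrators
    # /L:s      -> summary log only
    & ntbackup backup systemstate /J $JobName /F $BackupFile /M normal /V:yes /R:yes /L:s
}

function Test-BackupStillValid {
    param([string]$BackupFile, [datetime]$Today = (Get-Date))
    $leaf = Split-Path -Leaf $BackupFile
    # Read TSL and backup date from the tail of the name: <TSL>.<YYYYMMDD>.bkf
    # (the guide's own example writes the date as 2005.07.01, so dots are optional)
    if ($leaf -notmatch '\.(\d+)\.(\d{4})\.?(\d{2})\.?(\d{2})\.bkf$') {
        throw "File name does not follow the convention: $leaf"
    }
    $tsl     = [int]$matches[1]
    $taken   = [datetime]::ParseExact($matches[2] + $matches[3] + $matches[4], 'yyyyMMdd', $null)
    $expires = $taken.AddDays($tsl)
    # A backup older than the tombstone lifetime must not be restored: it would
    # reintroduce objects the other domain controllers have already garbage-collected.
    return @{ Taken = $taken; Expires = $expires; Usable = ($Today.Date -lt $expires) }
}

function Get-BackupLatencyWarnings {
    # Event ID 2089 is logged daily once a partition has gone half a tombstone
    # lifetime without a backup (the default Backup Latency Threshold).
    Get-EventLog -LogName 'Directory Service' | Where-Object { $_.EventID -eq 2089 }
}

# Usage on the domain controller:
$tsl  = Get-TombstoneLifetimeDays
$file = New-SystemStateBackupName -BackupRoot '\\backupsrv\adbackups' -TombstoneLifetimeDays $tsl
Backup-SystemState -BackupFile $file
Test-BackupStillValid -BackupFile $file
# The guide's example name parses the same way (taken 2005-07-01, TSL 60):
Test-BackupStillValid -BackupFile 'DC1.CONTOSO.COM.3790.SP0.GC.MD5.60.2005.07.01.BKF' -Today (Get-Date '2005-08-15')
Get-BackupLatencyWarnings
```

Treat the expiry date as the outer limit only; a backup that is days rather than weeks old is what the frequency guidance above is aiming at.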
The following procedure produces a smaller .bkf file that does not include system boot
files. By using this procedure, you can reduce the time that is required to perform the
backup and subsequent restore, as well as the amount of disk space that is required.
This method is recommended when the restored backup is to be used for installing
additional domain controllers.
4. In Backup media or file name, type a name for this backup according to the
recommendations in Backing Up Active Directory Components.
6. Clear the Automatically back up System Protected Files with the System
State check box, and then click OK.
Note
To back up system state and the system disk, you must log on locally to the
domain controller or Remote Desktop must be enabled on the remote domain
controller so that you can connect remotely.
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group or a
member of the Backup Operators group.
This procedure requires Backup Utility Advanced Mode. If the Welcome to the
Backup or Restore Wizard appears when you click Backup in step 1, clear
Always start in wizard mode, close the wizard, and then repeat step 1.
2. On the Welcome to the Backup Utility Advanced Mode page, click the
Backup Wizard (Advanced) button.
5. In Items to Back Up, select the System State check box. Then, locate the drive
letter containing the system files, click the check box for it, and then click Next.
6. In Backup Type, Destination, and Name, select the backup media type by
choosing one of the following options:
In the Select the backup type box, click File if you want to back up to a file.
If you do not have a tape backup unit installed, File is selected automatically.
Or
7. In the Choose a place to save your backup box, select one of the following
options, and then click Next:
If you are backing up to a file, if you want to change the current backup file
location, click Browse to find a folder or file. If the destination folder or file
does not exist, the system creates it.
Or
If you are backing up to a tape unit, select the tape that you want to use.
8. On the Completing the Backup Wizard page, click Advanced. Do not change
the default options for Type of Backup. Normal should be selected, and the
check box should remain cleared for Backup migrated remote storage data.
Click Next.
10. In the Backup Options dialog box, select a backup option, and then click Next.
11. If you are replacing the existing backups, select the option to allow only the
owner and administrator access to the backup data and to any backups that are
appended to this medium, and then click Next.
12. In the When to back up box, select the appropriate option for your needs, and
then click Next.
13. If you are satisfied with all of the options that are selected, click Finish to perform
the backup operation according to your selected schedule.
See Also
Enable Remote Desktop
A nonauthoritative restore returns the domain controller to its state at the time of backup
and then allows normal replication to overwrite that state with any changes that occurred
after the backup was taken. After you restore the system state, the domain controller
queries its replication partners. The replication partners replicate any changes to the
restored domain controller, ensuring that the domain controller has an accurate and
updated copy of the Active Directory database.
If you intend to restore a deleted object (or objects), you should refer to the procedures
for an authoritative restore.
You can perform a nonauthoritative restore on a Windows Server 2003 system that is a
stand-alone server, member server, or domain controller. You must start a server in
Directory Services Restore Mode to perform a nonauthoritative restore.
Note
By performing a nonauthoritative restore on Active Directory, you automatically
perform a nonauthoritative restore of the system volume (SYSVOL); no additional
steps are required.
Task requirements
The following tool is required to perform the procedures for this task:
NTBackup.exe
Note
In cases in which you have to reinstall the operating system, before you
restore the directory, you do not have to perform a nonauthoritative restore in
Directory Services Restore Mode. After you reinstall the operating system,
you can perform a restore after the computer boots normally.
See Also
Performing an Authoritative Restore of Active Directory Objects
When you start Windows Server 2003 in Directory Services Restore Mode, the local
Administrator account is authenticated by the local Security Accounts Manager (SAM)
database. Therefore, logging on requires that you use the local administrator password,
not an Active Directory domain password. This password is set during Active Directory
installation when you provide the password for Directory Services Restore Mode.
Administrative credentials
To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.
To restart the domain controller in Directory Services Restore Mode locally
1. Restart the domain controller.
2. When the screen for selecting an operating system appears, press F8.
See Also
Restart the domain controller in Directory Services Restore Mode Remotely
If you use Remote Desktop Connection to connect to a domain controller remotely and
you want to restart the domain controller in Directory Services Restore Mode, you must
first modify the Boot.ini file on the remote server so that you do not lose the connection
when the domain controller restarts.
When you start Windows Server 2003 in Directory Services Restore Mode, the local
Administrator account is authenticated by the local Security Accounts Manager (SAM)
database. Therefore, logging on requires that you use the local administrator password,
not an Active Directory domain password. This password is set during Active Directory
installation when you provide the password for Directory Services Restore Mode.
Administrative credentials
To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.
Note
The /SAFEBOOT:DSREPAIR switch works for domain controllers
running Windows 2000 Server and Windows Server 2003.
7. On the Start menu, click Shut Down, and then click Restart. During the restart
process, the Terminal Services client reports that the session is disconnected.
Caution
Be sure to click Restart and not Shut Down at this step. If you click
Shut Down, you cannot restart the domain controller remotely.
8. Wait until the restart process completes on the remote domain controller, and
then reconnect the client session.
10. Right-click My Computer, click Properties, and then click the Advanced tab.
12. Click the Edit button to edit the startup options file.
13. Delete the /SAFEBOOT:DSREPAIR switch from the default entry in the Boot.ini
file, save the file, and then close Notepad.
Important
If you restart the domain controller before you modify the Boot.ini file, the
domain controller remains offline.
The Boot.ini file is now returned to its original state, which starts the domain
controller normally.
See Also
Enable Remote Desktop
Note
To restore from backup, you must log on locally to the domain controller or
Remote Desktop must be enabled on the remote domain controller so that you
can connect remotely.
Administrative credentials
To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.
2. To start the Windows Server 2003 backup utility, click Start, point to
All Programs, point to Accessories, point to System Tools, and then click
Backup.
This procedure provides steps for restoring from backup in Wizard Mode. By
default, the Always Start in Wizard Mode check box is selected in the Backup
or Restore Wizard. If the Welcome to the Backup Utility Advanced Mode page
appears, click Wizard Mode to open the Backup or Restore Wizard.
7. In Restore files to, click Original Location, and then click Next.
8. Click Leave existing files (Recommended), and then click Next.
9. In Advanced Restore Options, select the following check boxes, and then click
Next:
Restore junction points, but not the folders and file data they reference
10. For a primary restore of SYSVOL, also select the following check box: When
restoring replicated data sets, mark the restored data as the primary data
for all replicas.
A primary restore is required only if the domain controller that you are restoring is
the only domain controller in the domain. A primary restore is required on the first
domain controller that is being restored in a domain if you are restoring the entire
domain or forest.
12. When the restore process is complete, click Close, and then do one of the
following:
If you do not want to authoritatively restore any objects, click Yes to restart
the computer. The system will restart and replicate any new information that
is received since the last backup with its replication partners.
See Also
Restart the domain controller in Directory Services Restore Mode locally
Administrative credentials
To verify Active Directory restore, you must be a member of the Domain Admins group.
2. After you are able to log on to the system, browse Active Directory. Verify that all
of the User objects and Group objects that were present in the directory prior to
backup are restored. Similarly, verify that files that were members of a File
Replication service (FRS) replica set and certificates that were issued by the
Certificate Services are present.
When an object is marked for authoritative restore, its version number is changed so that
it is higher than the existing version number of the (deleted) object in the Active Directory
replication system. This change ensures that any data that you restore authoritatively is
replicated from the restored domain controller to other domain controllers in the forest.
An authoritative restore should not be used to restore an entire domain controller, nor
should it be used as part of a change-control infrastructure. Proper delegation of
administration and change enforcement will optimize data consistency, integrity, and
security.
The memberOf attribute (or any back-link attribute) is generated only because of its link
to the member attribute (or any corresponding forward-link attribute). For this reason,
restoring the membership on a user object necessarily involves updating the member
attribute on the group object to include the distinguished name of the restored user.
Note
Only the forward-link attribute value can be updated and replicated. The back-link
attribute value is generated only when it is accessed. It is not stored on the
object, and it is not replicated.
When you use the Ntdsutil command-line tool to authoritatively restore a subtree or single
object, the ability of Ntdsutil to restore the group memberships of an object that is
authoritatively restored depends on whether the group was created before or after LVR
was implemented. For example, if a user object is restored and the user belongs to group
G1 that was created before LVR was implemented and the user belongs to group G2 that
was created after LVR was implemented (the functional level of the forest was raised to
Windows Server 2003 interim or Windows Server 2003), the member attribute of G2 is
updated during authoritative restore (and, therefore, the memberOf attribute of the
restored user is updated), but the member attribute of G1 is not updated.
If you need to restore a large number of users (for example, if you delete an OU) in
domain X and your forest also contains domain Y and domain Z, authoritative restore
requires the restoration of domain X and then the use of Ntdsutil to generate and run the
LDIF file against a domain controller in each additional domain.
In all cases, you begin the authoritative restore process by performing a nonauthoritative
restore from backup media. Then, you perform the additional steps to complete the
authoritative restore and restore group memberships, if necessary. The steps that you
perform are different if you are restoring the objects on a domain controller running
Windows Server 2003 with SP1.
Procedures for Domain Controllers Running
Windows Server 2003 with SP1
These procedures include the use of an LDIF file to restore group memberships following
authoritative restore of the objects. If you are restoring objects that can belong to groups
in more than one domain, additional steps are required.
Task requirements
The following tools are required to perform the procedures for this task:
Ntbackup.exe
Ntdsutil.exe
Repadmin.exe
Restore system state to return the domain controller to its state at the time of the
backup. To ensure that replication does not occur, click No at the end of the
procedure so that the domain controller does not restart.
Mark the object or objects that you want to restore so that replication does not
overwrite them when you restart the domain controller.
For the newly restored object to become available and be instantiated in its restored
form on all domain controllers, successful replication must occur between the domain
controller that originates the restored changes and its partners.
Make sure that all domain controllers in the domain and all global catalog servers in
the forest have received the restored objects.
5. Use the following procedure to run the LDIF file that was created in step 2 on this
domain controller to add the missing group memberships in the domain that you have
just restored:
6. If you are restoring user or group objects in a forest that has more than one domain,
perform the following steps on a domain controller in another domain:
c. While still in Directory Services Restore Mode, use Ntdsutil to Create an LDIF file
for recovering back-links for authoritatively restored objects
d. Restart the domain controller normally (not in Directory Services Restore Mode).
Note
If the objects that were deleted do not include group objects, you do not have to
perform steps 3 through 10. In addition, if the groups that were deleted do not
have members among the list of deleted objects, you do not have to perform
steps 3 through 10.
Restore system state to return the domain controller to its state at the time of the
backup. To ensure that replication does not occur, click No at the end of the
procedure so that the domain controller does not restart.
3. Restart the computer normally, but in isolation. This step allows you to control
replication so that inbound replication does not update any restored object before
forcing outbound replication. You cannot turn off inbound replication in Directory
Services Restore Mode.
The most common way to start a computer in isolation is to remove the network
connection from the domain controller by physically removing the network cable.
Alternative methods may be possible, depending on your network hardware and
enterprise practices.
It is important to prevent the domain controller from communicating with any other
domain controller in the domain or forest. You should also isolate the domain
controller from any clients that might change an object in the directory.
This step is required only if the domain or forest functional level is Windows 2000
native or earlier. By turning off inbound replication, you ensure that no changes
replicate in to the domain controller and alter group membership.
After you turn off inbound replication, it is safe to reconnect the domain controller to
the network.
If you isolated your computer by removing the network cable or by disconnecting the
network connection from the domain controller, reconnect it to bring the domain
controller back onto the network.
If you followed other procedures based on your enterprise network equipment, follow
the equipment's recommendations for reconnecting the domain controller to the
network.
For the newly restored object to become available and be instantiated in its restored
form on all domain controllers, successful replication must occur between the domain
controller that originates the restored changes and its partners.
Make sure that all domain controllers in the domain and all global catalog servers in
the forest have received the restored objects.
One of the challenges of restoring objects, and their group memberships, is the fact
that the membership and object may replicate in different orders. If the membership
replicates before a user is restored, the receiving domain controller will not update
the membership because the user does not exist. To overcome the effects of this
behavior, it is necessary to mark the objects that have been restored as authoritative
a second time and once again have the information replicated out.
After the authoritative restore of the object or objects has completed a second time,
you can restart the domain controller in normal mode.
Note
To restore from backup, you must log on locally to the domain controller or
Remote Desktop must be enabled on the remote domain controller so that you
can connect remotely.
Administrative credentials
To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.
2. To start the Windows Server 2003 backup utility, click Start, point to
All Programs, point to Accessories, point to System Tools, and then click
Backup.
This procedure provides steps for restoring from backup in Wizard Mode. By
default, the Always Start in Wizard Mode check box is selected in the Backup
or Restore Wizard. If the Welcome to the Backup Utility Advanced Mode page
appears, click Wizard Mode to open the Backup or Restore Wizard.
7. In Restore files to, click Original Location, and then click Next.
9. In Advanced Restore Options, select the following check boxes, and then click
Next:
Restore junction points, but not the folders and file data they reference
A primary restore is required only if the domain controller that you are restoring is
the only domain controller in the domain. A primary restore is required on the first
domain controller that is being restored in a domain if you are restoring the entire
domain or forest.
12. When the restore process is complete, click Close, and then do one of the
following:
If you do not want to authoritatively restore any objects, click Yes to restart
the computer. The system will restart and replicate any new information that
is received since the last backup with its replication partners.
See Also
Restart the domain controller in Directory Services Restore Mode locally
Administrative credentials
To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.
2. At the ntdsutil: prompt, type authoritative restore, and then press ENTER.
To restore a subtree (for example, an organizational unit and all child objects):
DistinguishedName
The distinguished name of the subtree or object that is to be marked
authoritative
5. Make a note of the location of the .txt and .ldf files, if any. You will use the .ldf file
to restore back-links in this domain. You will use the .txt file to generate an LDIF
file to restore back-links in a different domain, if necessary. If you have other
domains in which you want to restore back-links for this restored object, make a
copy of this .txt file to use on a domain controller in another domain.
6. At the authoritative restore: and ntdsutil: prompts, type quit, and then press
ENTER.
7. Restart the domain controller in normal operating mode, as follows:
a. For a domain controller running Windows Server 2003 with no service pack
installed: Disconnect the domain controller from the network, and then restart
normally. Follow the instructions in "Procedures for Domain Controllers
Running Windows Server 2003 with No Service Pack Installed" as described
in Performing an Authoritative Restore of Active Directory Objects.
b. For a domain controller running Windows Server 2003 with SP1: Restart the
domain controller normally, and then follow the instructions in "Procedures for
Domain Controllers Running Windows Server 2003 with SP1" as described
in Performing an Authoritative Restore of Active Directory Objects.
Synchronize replication with all partners
You can use this procedure to synchronize replication with all replication partners of a
domain controller.
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group in the
domain of the selected domain controller or the Enterprise Admins group in the forest, or
you must have been delegated the appropriate authority. If you want to synchronize the
configuration and schema directory partitions on a domain controller in a child domain,
you must have Domain Admins credentials in the forest root domain or Enterprise Admins
credentials in the forest.
2. Check for replication errors in the output of the command in the previous step. If
there are no errors, replication is successful. For replication to complete, any
errors must be corrected.
See Also
Verify successful replication to a domain controller
The output of the authoritative restore procedure includes the name of an LDAP Data
Interchange Format (LDIF) (.ldf) file that contains the forward-links that are required so
that the group memberships (back-links) of any restored user, group, or computer objects
can be recovered. For each object or subtree that you restore, you must run the LDIF file
on a domain controller in each domain that might have group objects that are required to
recover back-links on the restored objects.
Note
This procedure is critical for recovering group memberships for deleted users,
groups, or computers, but it applies to any restored objects that have back-link
attributes.
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group in the
domain of the domain controller on which you run the command.
2. At the command prompt, type the following command, and then press ENTER:
ldifde -i -k -f FileName
FileName
The name of the .ldf file that you want to run, for example, ar_20050609-174604_links_corp.contoso.com.ldf
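What the forward-link LDIF does, in a form you can inspect before importing it, together with the ldifde -i -k -f call from this procedure. This is an added example, not the file Ntdsutil writes; the group and user distinguished names and the C:\restore path are constructed for illustration.

```powershell
# Added example (not part of the Microsoft guide). Ntdsutil produces the real
# .ldf from the restored objects; this builds an equivalent file from
# constructed group/member pairs so the mechanism is visible.

function New-BackLinkRecoveryLdif {
    param(
        [string]$Path,
        [hashtable[]]$Links   # each entry: @{ Group = <group DN>; Member = <restored object DN> }
    )
    # Each record modifies the member attribute on the GROUP. memberOf on the
    # user is a back-link: it is computed from member, never stored or replicated,
    # so it cannot be written directly.
    $lines = foreach ($link in $Links) {
        "dn: $($link.Group)"
        'changetype: modify'
        'add: member'
        "member: $($link.Member)"
        '-'
        ''
    }
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return $Path
}

function Import-BackLinkRecoveryLdif {
    param([string]$Path)
    # -i import, -k keep going past "already exists" and constraint violations:
    # memberships that were already repaired (post-LVR groups) are skipped
    # instead of aborting the whole import.
    & ldifde -i -k -f $Path
}

# Constructed sample: the restored user belonged to G1 (created before LVR, so
# its member attribute was NOT updated by the authoritative restore) and to G2
# (created after LVR, already fixed; adding again is harmless with -k).
$user  = 'CN=Jane Doe,OU=Sales,DC=corp,DC=contoso,DC=com'
$links = @(
    @{ Group = 'CN=G1,OU=Groups,DC=corp,DC=contoso,DC=com'; Member = $user },
    @{ Group = 'CN=G2,OU=Groups,DC=corp,DC=contoso,DC=com'; Member = $user }
)
$ldf = New-BackLinkRecoveryLdif -Path 'C:\restore\links_corp.contoso.com.ldf' -Links $links
Get-Content $ldf                    # review the records before importing
Import-BackLinkRecoveryLdif -Path $ldf
```

Run the import on a domain controller in each domain that holds groups the restored objects belonged to, as the procedure above states.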
See Also
Create an LDIF file for recovering back-links for authoritatively restored objects
When you start Windows Server 2003 in Directory Services Restore Mode, the local
Administrator account is authenticated by the local Security Accounts Manager (SAM)
database. Therefore, logging on requires that you use the local administrator password,
not an Active Directory domain password. This password is set during Active Directory
installation when you provide the password for Directory Services Restore Mode.
Administrative credentials
To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.
2. When the screen for selecting an operating system appears, press F8.
See Also
Restart the domain controller in Directory Services Restore Mode Remotely
Create an LDIF file for recovering back-links for authoritatively restored objects
If you have authoritatively restored objects that have back-links in another domain, you
can use this procedure to create an LDAP Data Interchange Format (LDIF) file that you
can run against a domain controller in that domain to restore the back-links. Perform this
procedure on a domain controller in the domain that has the back-links.
After you restore this domain controller from backup media, perform this procedure while
the domain controller is still running in Directory Services Restore Mode.
Administrative credentials
To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.
3. At the authoritative restore: prompt, type the following command, and then
press ENTER:
where TextFilePath is the location and file name of the .txt file that Ntdsutil
created during the initial authoritative restore of the object whose back-links you
want to restore, for example, d:\ldif\ar_20050609_091558_objects.txt.
Ntdsutil displays a message stating that one or more specified objects have
back-links in this domain and an LDIF file has been created in the current
working directory.
4. At the authoritative restore: and ntdsutil: prompts, type quit.
See Also
Restore from backup media
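The links file that Ntdsutil writes, and that the previous procedure imports with ldifde -i -k -f, re-adds the restored objects to the member attribute of each group in this domain; as an added example (not code from the guide), the script below builds a file in that LDIF change-record form from constructed group and member DNs and parses it back as a pre-import check. The contoso.com names are constructed.

```python
"""Build and check an LDIF file that re-adds group memberships (back-links).

Added example; not code from the operations guide. A restored user's
memberOf values are back-links derived from each group's 'member'
attribute, so re-linking means adding the user to 'member' on each
group in the group's own domain. That is an LDIF 'changetype: modify'
record with 'add: member', imported with

    ldifde -i -k -f <file>.ldf

where -k makes ldifde continue past 'already exists' and constraint
violation errors, e.g. a membership that replication restored already.
"""
from collections import defaultdict

# Constructed sample: (group DN, restored member DN) pairs. The groups live
# in corp.contoso.com; the restored users live in another domain.
SAMPLE_LINKS = [
    ("CN=Finance,OU=Groups,DC=corp,DC=contoso,DC=com",
     "CN=Alice Doe,OU=Users,DC=sales,DC=contoso,DC=com"),
    ("CN=Finance,OU=Groups,DC=corp,DC=contoso,DC=com",
     "CN=Bob Roe,OU=Users,DC=sales,DC=contoso,DC=com"),
    ("CN=VPN Users,OU=Groups,DC=corp,DC=contoso,DC=com",
     "CN=Alice Doe,OU=Users,DC=sales,DC=contoso,DC=com"),
]


def build_member_ldif(links):
    """Return LDIF text with one modify record per group.

    Each record adds every restored member to the group's 'member'
    attribute; the directory recomputes memberOf from it. Long-line
    folding is omitted; ldifde accepts unfolded lines.
    """
    by_group = defaultdict(list)
    for group_dn, member_dn in links:
        if member_dn not in by_group[group_dn]:      # de-duplicate
            by_group[group_dn].append(member_dn)

    records = []
    for group_dn in sorted(by_group):
        lines = ["dn: " + group_dn, "changetype: modify", "add: member"]
        lines += ["member: " + m for m in by_group[group_dn]]
        lines.append("-")          # terminates this attribute change
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


def parse_member_ldif(text):
    """Parse the file back into {group_dn: [member_dn, ...]}.

    Pre-import check: every record must be a 'modify' that only adds
    'member' values, so a wrong or hand-edited file is rejected before
    ldifde touches the directory.
    """
    result = {}
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if len(lines) < 5 or not lines[0].startswith("dn: "):
            raise ValueError("record without dn or member values: %r" % block)
        dn = lines[0][len("dn: "):]
        if lines[1] != "changetype: modify" or lines[2] != "add: member":
            raise ValueError("not an add-member modify record: " + dn)
        if lines[-1] != "-":
            raise ValueError("record for %s is missing its '-' terminator" % dn)
        members = []
        for line in lines[3:-1]:
            if not line.startswith("member: "):
                raise ValueError("unexpected line %r in record for %s" % (line, dn))
            members.append(line[len("member: "):])
        result[dn] = members
    return result


if __name__ == "__main__":
    ldif = build_member_ldif(SAMPLE_LINKS)
    print(ldif)                        # what ldifde -i -k -f would import
    for group, members in parse_member_ldif(ldif).items():
        print(group, "->", len(members), "member(s) re-added")
```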
Administrative credentials
To complete this procedure, you must be a member of the Domain Admins group in the
domain of the domain controller whose replication you are disabling, or you must be a
member of the Enterprise Admins group.
3. Verify that the option is set. The following message should appear:
See Also
Turn on inbound replication
Turn on inbound replication
You can use this procedure to turn on inbound replication after it has been turned off
manually.
Administrative credentials
To complete this procedure, you must be a member of the Domain Admins group in the
domain of the domain controller whose replication you are enabling, or you must be a
member of the Enterprise Admins group.
3. Verify that the option is set. The following message should appear:
Current DC Options displays the conditions that were in effect at the time that
you ran the command. New DC Options shows the effect of the command, which
is that the option to disable replication is not set.
See Also
Turn off inbound replication
Task Requirements
The following tools are required to perform the procedures for this task:
Backup.exe
Ntdsutil.exe
Once the authoritative restore of the object or objects has been completed a second
time, the domain controller can be restarted in normal mode.
Note
To restore from backup, you must log on locally to the domain controller or
Remote Desktop must be enabled on the remote domain controller so that you
can connect remotely.
Administrative credentials
To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.
2. To start the Windows Server 2003 backup utility, click Start, point to
All Programs, point to Accessories, point to System Tools, and then click
Backup.
This procedure provides steps for restoring from backup in Wizard Mode. By
default, the Always Start in Wizard Mode check box is selected in the Backup
or Restore Wizard. If the Welcome to the Backup Utility Advanced Mode page
appears, click Wizard Mode to open the Backup or Restore Wizard.
7. In Restore files to, click Original Location, and then click Next.
9. In Advanced Restore Options, select the following check boxes, and then click
Next:
Restore junction points, but not the folders and file data they reference
10. For a primary restore of SYSVOL, also select the following check box: When
restoring replicated data sets, mark the restored data as the primary data
for all replicas.
A primary restore is required only if the domain controller that you are restoring is
the only domain controller in the domain. A primary restore is required on the first
domain controller that is being restored in a domain if you are restoring the entire
domain or forest.
12. When the restore process is complete, click Close, and then do one of the
following:
If you do not want to authoritatively restore any objects, click Yes to restart
the computer. The system will restart and replicate any new information that
is received since the last backup with its replication partners.
Administrative credentials
To complete this procedure, you must provide the Administrator password for Directory
Services Restore Mode.
ntdsutil
3. At the ntdsutil: prompt, type authoritative restore, and then press ENTER. For
assistance with the Ntdsutil command-line tool, type help at any time.
Ntdsutil displays a list of the application directory partitions that are available
after the restore, along with the associated cross-references. Note the cross-
reference distinguished name and application directory partition distinguished
name that correspond to the application directory partition that you want to
restore.
5. Type restore subtree App Partition DN, where App Partition DN is the
distinguished name of the application directory partition that you want to restore.
The output message indicates the status of the operation. There should be no
failures.
7. Type restore object Cross Ref DN (where Cross Ref DN is the distinguished
name of the application directory partition cross-reference that you want to
restore), and then press ENTER.
GPO settings
The restore operation does not restore links to a SOM (Scope of Management). Any
existing links will continue to be used—for example, when restoring an existing GPO to a
previous state. However, if the user has deleted a GPO and all links to the GPO, the user
must recreate these links after restoring the GPO. To facilitate recreating these links, you
can view the report in the backup to identify all links in the domain of the GPO.
For more information, see Administering Group Policy with the GPMC on the Microsoft
Web site (http://go.microsoft.com/fwlink/?LinkId=17528).
Task Requirements
The following tool is required to perform the procedures for this task:
Administrative credentials
To perform this procedure, you must have edit, delete, and modify permissions on the
specific Group Policy object.
After you reinstall Windows Server 2003, perform a nonauthoritative restore of the
system state and the system disk. You do not need to join the computer to the domain
before performing the restore procedure. During the restore, the computer account is
reestablished automatically.
Note
The restore procedure must be performed by using the same backup tool with
which the backup was made. Procedures in this task describe using Ntbackup to
restore Active Directory, but you must use the tool that you used to create the
backup file if it is not Ntbackup.
Restore a domain controller through reinstallation and restore the system state from
backup if the following conditions exist:
A domain controller has failed and you cannot restart in Directory Services Restore
Mode. If the failure was caused by a hardware failure, you have resolved the
hardware problem (for example, by replacing the disk).
You have a previous backup for the failed domain controller that is not older than the
tombstone lifetime for the forest.
You have the following information about the failed domain controller:
Disk configuration. You need a record of the volumes and sizes of the disks and
partitions. In the case of a complete disk failure, use this information to recreate
the disk configuration. Windows Server 2003 must be reinstalled to the same
drive letter and with at least the same amount of physical drive space. Before you
restore the system state, you must recreate all disk configurations. Failure to
recreate all disk configurations can cause the restore process to fail and can
prevent you from starting the domain controller after the restore.
Computer name. You need the computer name to restore a domain controller of
the same name and avoid changing client configuration settings.
Password for the local computer Administrator account. You must know the local
Administrator password that was used when the backup was created. The local
Administrator password is also required to restore the system state on a domain
controller.
Task requirements
The following tool is required to perform the procedures for this task:
Ntbackup.exe
Note
This guide does not provide information for the installation of
Windows Server 2003.
a. Begin with step 2 of this procedure. You cannot start the server in Directory
Services Restore Mode because Active Directory is not installed.
b. This operation requires that you log on as the local Administrator, not the
Administrator for Directory Services Restore Mode.
d. When you are prompted to restart the server after you complete the restore
operation, click Yes to restart the server normally.
Note
To restore from backup, you must log on locally to the domain controller or
Remote Desktop must be enabled on the remote domain controller so that you
can connect remotely.
Administrative credentials
To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.
2. To start the Windows Server 2003 backup utility, click Start, point to
All Programs, point to Accessories, point to System Tools, and then click
Backup.
This procedure provides steps for restoring from backup in Wizard Mode. By
default, the Always Start in Wizard Mode check box is selected in the Backup
or Restore Wizard. If the Welcome to the Backup Utility Advanced Mode page
appears, click Wizard Mode to open the Backup or Restore Wizard.
7. In Restore files to, click Original Location, and then click Next.
9. In Advanced Restore Options, select the following check boxes, and then click
Next:
Restore junction points, but not the folders and file data they reference
Preserve existing volume mount points
10. For a primary restore of SYSVOL, also select the following check box: When
restoring replicated data sets, mark the restored data as the primary data
for all replicas.
A primary restore is required only if the domain controller that you are restoring is
the only domain controller in the domain. A primary restore is required on the first
domain controller that is being restored in a domain if you are restoring the entire
domain or forest.
12. When the restore process is complete, click Close, and then do one of the
following:
If you do not want to authoritatively restore any objects, click Yes to restart
the computer. The system will restart and replicate any new information that
is received since the last backup with its replication partners.
See Also
Restart the domain controller in Directory Services Restore Mode locally
Administrative credentials
To verify Active Directory restore, you must be a member of the Domain Admins group.
2. After you are able to log on to the system, browse Active Directory. Verify that all
of the User objects and Group objects that were present in the directory prior to
backup are restored. Similarly, verify that files that were members of a File
Replication service (FRS) replica set and certificates that were issued by the
Certificate Services are present.
Restoring through reinstallation is the only method by which a domain controller that is
not part of the backup set can be restored. In addition, you might choose to use this
method instead of a nonauthoritative restore because backup media is inaccessible or
because this method is more convenient. Restoring a domain controller through
reinstallation should not be a substitute for regular backup routines.
Note
Before you restore a domain controller through reinstallation, ensure that
hardware failure is not the cause of the problem. If faulty hardware is not
changed, restoring through reinstallation might not solve the problems with the
domain controller.
Task requirements
The following tools are required to perform the procedures for this task:
Ntdsutil.exe
Netdiag.exe
Dcdiag.exe
Dcpromo.exe
1. If you plan to give the newly reinstalled domain controller the same name as the
failed computer, use the following procedure to clean up server metadata to remove
the NTDS Settings object of the failed domain controller:
If you plan to give the new domain controller a different name, in addition to cleaning
up server metadata, perform the following additional procedures:
It is assumed that you will perform a fresh installation of Windows Server 2003.
Prepare for installation of the operating system by partitioning or reformatting your
hard disk drive, if necessary.
During the installation process, replication occurs, which ensures that the domain
controller has an accurate and up-to-date copy of Active Directory. You have the
option to use the same information for this domain controller as the domain controller
that it is replacing: site placement, domain controller name, and domain membership
should remain the same. If you plan to install the domain controller under a different
name, see Installing a Domain Controller in an Existing Domain.
Administrative credentials
To complete this procedure, you must be a member of the Enterprise Admins group.
ntdsutil
metadata cleanup
connection
quit
list sites
quit
At this point, Active Directory confirms that the domain controller was removed
successfully. If you receive an error message that indicates that the object cannot
be found, Active Directory might have already removed the domain controller.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group.
To delete a server object from a site
1. Open Active Directory Sites and Services.
2. Expand the Sites container, and then expand the site from which you want to
delete a Server object.
3. If no Child objects appear below the Server object, right-click the Server object,
and then click Delete.
Important
Do not delete a Server object that has a Child object. If an NTDS
Settings or other Child object appears below the Server object you want
to delete, either replication on the domain controller on which you are
viewing the Configuration container has not occurred, or the server
whose Server object you are removing has not been properly
decommissioned.
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group in the
domain of the domain controller that you are removing.
3. In the details pane, right-click the Computer object that is associated with the
failed domain controller, click Delete, and then click Yes.
See Also
Forcing the Removal of a Domain Controller
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
netdiag /test:dns
Note
For a more detailed response from this command, add /v to the end of
the command.
If DNS is functioning, the last line of the response is DNS Test…..: Passed. The
verbose option lists specific information about what was tested. This information
can help with troubleshooting if the test fails.
If the test fails, do not attempt any additional steps until you determine and fix the
problem that prevents proper DNS functionality.
Verify communication with other domain controllers
This procedure verifies that domain controllers can be located.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Users group in Active
Directory.
netdiag /test:dsgetdc
Note
For a more detailed response from this command, add /v to the end of
the command.
If domain controllers are successfully located, the last line of the response is DC
discovery test……..: Passed. The verbose option lists the specific domain
controllers that are located.
If the test fails, do not attempt any additional steps until you determine and fix the
problem that prevents communication with other domain controllers.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Users group in Active
Directory.
Note
You can use these tests before you install Active Directory as well as afterward.
To perform the tests before installing Active Directory, you must use the /s option
to specify the name of a domain controller to use. After Active Directory is
installed, the /s option is not needed: the test runs automatically against the local
domain controller. The commands listed in this procedure show the /s option; omit
it if you are running the tests after installing Active Directory. For a more detailed
response from a command, add /v to the end of the command.
2. Type the following command to ensure that the operations masters can be
located and then press ENTER:
3. Type the following command to ensure that the operations masters are
functioning properly and are available on the network:
If these tests fail, do not attempt any additional steps until you determine and fix
the problem that prevents locating operations masters and verifying that they are
functioning properly.
Install Active Directory
Use the Active Directory Installation Wizard to install Active Directory on a member server
in your domain to create an additional domain controller in an existing domain.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group.
2. The Active Directory Installation Wizard appears. At the Welcome screen, click
Next.
4. For Network Credentials, enter the user name, password, and domain for the
user account that has permission to add this new domain controller to the
domain. Click Next.
5. Enter the name of the domain that you want the new domain controller to host.
Click Next.
6. For Database and Log Locations, enter the paths for the locations of the
directory database (Ntds.dit) and the log files. For better performance, store the
database and log files on separate physical disk drives. Click Next.
7. For Shared System Volume, enter the path where you want to locate the system
volume (SYSVOL). Click Next.
8. Under Directory Services Restore Mode Administrator Password, enter the
password that you want to use when you need to start Directory Services
Restore Mode. Click Next.
9. The Summary screen displays a list of the items you chose. Verify that the
information is correct, and then click Next to proceed with the installation.
10. The wizard proceeds to install Active Directory. When it finishes, the wizard
displays a summary screen listing the domain and site in which the new domain
controller is a member. Verify that this information is correct. Click Finish to close
the wizard.
Managing sites in Active Directory involves adding new subnet, site, and site link objects
when the network grows, as well as configuring a schedule and cost for site links. You
can modify the site link schedule, cost, or both, to optimize intersite replication. When
conditions no longer require replication to a site, or clients no longer require the sites to
discover network resources, you can remove the site and associated objects from Active
Directory.
Note
Managing a large hub-and-spoke topology or using the SMTP intersite replication
transport is beyond the scope of this documentation.
Managing sites:
Significant changes to site topology can affect domain controller hardware requirements.
For more information about domain controller hardware requirements, see Planning
Domain Controller Capacity on the Microsoft Web site (http://go.microsoft.com/fwlink/?
LinkId=42682).
Selecting preferred bridgehead servers limits the bridgehead servers that the KCC can
use to those that you have selected. If you use Active Directory Sites and Services to
select any preferred bridgehead servers at all in a site, you must select as many as
possible and you must select them for all domains that must be replicated to a different
site. If you select preferred bridgehead servers for a domain and all preferred bridgehead
servers for that domain become unavailable, replication of that domain to and from that
site does not occur.
If you have selected one or more bridgehead servers, removing them all from the
bridgehead servers list restores the automatic selection functionality to the ISTG.
Removing a Site
When the need for a site arises, the design team typically provides details about the
placement and configuration of site links for the new site, as well as subnet assignments
or creation if subnets are needed.
If a new range of Internet Protocol (IP) addresses is added to the network, create a
Subnet object in Active Directory to correspond to the range of IP addresses. When you
create a new Subnet object, you must associate it with a Site object. You can either
associate the subnet with an existing site or create a new site first and then create the
subnet and associate it with the new site.
Task requirements
The following tool is required to perform the procedures for this task:
2. Associate a range of IP addresses with the site by using either of the following
methods:
Create a subnet object or objects and associate them with the new site
3. If you are creating both a new site and a new site link, first create the new site
and add it to an existing site link, then create a site link object and add the
appropriate sites. Finally, if appropriate, remove the new site from the site link that
you added it to when you created it.
Administrative Credentials
To perform this procedure, you must be a member of the Enterprise Admins group in
Active Directory.
4. In the Link Name list, click a site link for this site, and then click OK.
5. In the Active Directory message box, read the information, and then click OK.
Active Directory Sites and Services converts this information into the subnet address.
Administrative Credentials
To perform this procedure, you must be a member of the Enterprise Admins group in
Active Directory.
To create a subnet object or objects and associate them with the new site
1. Open Active Directory Sites and Services.
2. Expand the Sites container, right-click Subnets, and then click New Subnet.
3. In the New Object - Subnet dialog box, in the Address box, type the network
address or any IP address within the range of IP addresses for the subnet.
4. In the Mask box, type the subnet mask.
5. In the Site Name box, click the site to which this subnet is being associated, and
then click OK.
Use this procedure when you have temporarily associated the subnet with a different
site and want to associate it with its permanent site.
Administrative Credentials
To perform this procedure, you must be a member of the Enterprise Admins group in
Active Directory.
2. Expand the Sites container, and then click the Subnets container.
3. In the details pane, right-click the subnet with which you want to associate the
site, and then click Properties.
4. In the Site box, click the site with which to associate the subnet, and then click
OK.
To perform this procedure, you must be a member of the Enterprise Admins group.
2. Expand the Sites container and then the Inter-Site Transports container.
5. In the Sites not in this site link box, click a site that you want to add to the site
link. Hold down the SHIFT key to click a second site that is adjacent in the list, or
the CTRL key to click a second site that is not adjacent in the list.
6. After selecting all of the sites that you want added to the site link, click Add, and
then click OK.
Administrative Credentials
To perform this procedure, you must be a member of the Enterprise Admins group in
Active Directory.
2. Expand the Sites container and then the Inter-Site Transports container.
3. Click IP. In the details pane, right-click the site link from which you want to
remove a site, and then click Properties.
4. In the Sites in this site link box, click the site you want to remove from the site
link.
After you add two or more site names to a Site Link object, the bridgehead servers in the
respective sites replicate between the sites according to the replication schedule, cost,
and interval settings on the Site Link object. For information about modifying the default
settings, see Changing Site Link Properties.
At least two sites must exist when you create a site link. If you are adding a site link to
connect a new site to an existing site, create the new site first and then create the site
link. For information about creating a site, see Adding a New Site.
Task Requirements
The following tool is required to perform the procedures for this task:
2. By default, the KCC runs every 15 minutes to generate the replication topology. To
generate the intersite topology immediately, perform the following two procedures:
Administrative Credentials
To perform this procedure, you must be a member of the Enterprise Admins group.
2. Expand the Sites container and then the Inter-Site Transports container.
5. In the Sites not in this site link box, click a site that you want to add to the site
link. Hold down the SHIFT key to click a second site that is adjacent in the list, or
the CTRL key to click a second site that is not adjacent in the list.
6. After selecting all of the sites that you want added to the site link, click Add, and
then click OK.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Users group.
3. In the details pane, right-click the NTDS Site Settings object, and then click
Properties. The current role owner appears in the Server box under Inter-Site
Topology Generator.
To generate the intersite replication topology, run the KCC on the domain controller in
the site that holds the ISTG role.
To generate the intrasite replication topology, run the KCC on any domain controller
in the site that does not hold the ISTG role.
Note
To generate the replication topology on the ISTG, you must first complete the
procedure: Determine the ISTG role owner for a site.
Administrative Credentials
To perform this procedure, you must be a member of the Enterprise Admins group.
2. Expand the Sites container, and then expand the site that contains the server on
which you want to run the KCC.
3. Expand the Servers container, and then click the Server object for the ISTG.
4. In the details pane, right-click NTDS Settings, click All Tasks, and then click
Check Replication Topology.
Schedule: The time during which replication can occur (the default setting allows
replication at all times).
Consult your design documentation for information about values to set for site link
properties.
Task Requirements
The following tool is required to perform the procedures for this task:
2. Configure the site link interval to identify how often replication polling can occur
during the schedule window
3. Configure the site link cost to establish a priority for replication routing
Administrative Credentials
To perform this procedure, you must be a member of the Enterprise Admins group in
Active Directory.
2. Expand the Sites container and the Inter-Site Transports container, and then
click the IP container.
3. In the details pane, right-click the Site Link object you want to configure, and then
click Properties.
5. In the Schedule for SiteLinkName dialog box, select the block of days and
hours during which you want replication to occur or not occur (available or not
available), and then click the appropriate option.
6. Click OK twice.
Configure the site link interval to identify how often replication polling can occur during the schedule window
Use the properties on the Site Link object to determine how often during the available
replication schedule you want bridgehead servers to poll their intersite replication
partners for changes. Obtain the interval value from your design team.
Administrative Credentials
To perform this procedure, you must be a member of the Enterprise Admins group in
Active Directory.
2. Expand the Sites container and the Inter-Site Transports container, and then
click the IP container.
3. In the details pane, right-click the Site Link object you want to configure, and then
click Properties.
4. In the Replicate every _____ minutes box, specify the number of minutes for
the intervals at which replication polling occurs during an open schedule, and
then click OK.
Administrative Credentials
To perform this procedure, you must be a member of the Enterprise Admins group in
Active Directory.
To configure the site link cost
1. Open Active Directory Sites and Services.
2. Expand the Sites container and the Inter-Site Transports container, and then
click the IP container.
3. In the details pane, right-click the Site Link object you want to configure, and then
click Properties.
4. In the Cost box, specify the number for the comparative cost of using the site
link, and then click OK.
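To show how the cost set in the Cost box acts as a priority for replication routing, the following added example (not code from the guide) computes the least-cost route between two sites over a constructed set of Site Link objects and shows the route changing when one link's cost is lowered. It assumes the default behaviour in which all site links are bridged, so a route may cross several links; the site and link names and costs are constructed.

```python
"""Least-cost intersite replication route from site link costs.

Added example; not code from the operations guide. With site link
bridging at its default (all site links bridged), the ISTG treats the
site link graph as transitive and routes replication along the path
whose summed site link cost is lowest, so the cost you set on a Site
Link object is a relative priority, not a unit of anything.
The site and link names and the costs below are constructed.
"""
import heapq

# Constructed Site Link objects: link name -> (cost, member sites).
# A hub with three spokes plus a high-cost direct backup link between
# two of the spokes.
SITE_LINKS = {
    "HUB-SEATTLE": (100, {"Hub", "Seattle"}),
    "HUB-DENVER": (100, {"Hub", "Denver"}),
    "HUB-BRANCH": (200, {"Hub", "Branch"}),
    "SEATTLE-DENVER-BACKUP": (500, {"Seattle", "Denver"}),
}


def neighbours(site_links, site):
    """Yield (other_site, cost, link_name) for every link containing site.

    A link with three or more member sites connects each pair of them at
    the link's cost, which is how a multi-site link behaves.
    """
    for name, (cost, members) in site_links.items():
        if site in members:
            for other in members:
                if other != site:
                    yield other, cost, name


def least_cost_route(site_links, src, dst):
    """Dijkstra over the bridged site link graph.

    Returns (total_cost, sites, links): the ordered sites traversed and
    the site link used for each hop. Returns (None, [], []) when dst is
    unreachable, e.g. a site that belongs to no site link.
    """
    dist = {src: 0}
    prev = {}                      # site -> (previous site, link used)
    heap = [(0, src)]
    done = set()
    while heap:
        cost, site = heapq.heappop(heap)
        if site in done:
            continue
        done.add(site)
        if site == dst:
            break
        for nxt, link_cost, link in neighbours(site_links, site):
            new_cost = cost + link_cost
            if new_cost < dist.get(nxt, float("inf")):
                dist[nxt] = new_cost
                prev[nxt] = (site, link)
                heapq.heappush(heap, (new_cost, nxt))
    if dst not in done:
        return None, [], []
    sites, links = [dst], []
    while sites[-1] != src:
        prev_site, link = prev[sites[-1]]
        sites.append(prev_site)
        links.append(link)
    return dist[dst], sites[::-1], links[::-1]


def with_cost(site_links, link_name, new_cost):
    """Copy of the site link table with one link's cost changed, to compare
    routes before and after an administrator edits the Cost box."""
    changed = dict(site_links)
    changed[link_name] = (new_cost, site_links[link_name][1])
    return changed


if __name__ == "__main__":
    cheaper = with_cost(SITE_LINKS, "SEATTLE-DENVER-BACKUP", 150)
    for table, label in ((SITE_LINKS, "backup cost 500"),
                         (cheaper, "backup cost 150")):
        cost, sites, links = least_cost_route(table, "Seattle", "Denver")
        print("%s: cost %s via %s using %s" % (label, cost, sites, links))
```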
Administrative Credentials
To perform this procedure, you must be a member of the Domain Users group.
3. In the details pane, right-click the NTDS Site Settings object, and then click
Properties. The current role owner appears in the Server box under Inter-Site
Topology Generator.
To generate the intrasite replication topology, run the KCC on any domain controller
in the site that does not hold the ISTG role.
Note
To generate the replication topology on the ISTG, you must first complete the
procedure: Determine the ISTG role owner for a site.
Administrative Credentials
To perform this procedure, you must be a member of the Enterprise Admins group.
2. Expand the Sites container, and then expand the site that contains the server on
which you want to run the KCC.
3. Expand the Servers container, and then click the Server object for the ISTG.
4. In the details pane, right-click NTDS Settings, click All Tasks, and then click
Check Replication Topology.
TCP/IP Settings
When you move a domain controller to a different site, if an IP address of the domain
controller is statically configured, then you must change the TCP/IP settings accordingly.
The IP address of the domain controller must map to a Subnet object that is associated
with the site to which you are moving the domain controller. If the IP address of a domain
controller does not match the site in which the Server object appears, the domain
controller might be forced to communicate over a potentially slow WAN link to locate
resources rather than locating resources in its own site.
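The subnet-to-site mapping described above, and the conversion of an address plus mask into a subnet address that Active Directory Sites and Services performs when you create a Subnet object, is shown in the following added example (not code from the guide): it derives the subnet name, matches a domain controller's IP address to the most specific Subnet object, and flags a Server object that sits in a different site. The subnet ranges and site names are constructed.

```python
"""Map a domain controller's IP address to an AD Subnet object and site.

Added example; not code from the operations guide. Active Directory
Sites and Services names a Subnet object by its network address and
prefix length (the subnet address it derives from the address and mask
you type, e.g. 10.1.0.0/16), and an address is matched to the most
specific (longest-prefix) Subnet object that contains it.
The subnet ranges and site names below are constructed.
"""
import ipaddress

# Constructed Subnet objects: subnet name -> associated site. Note the
# nested ranges: 10.1.5.0/24 is more specific than 10.1.0.0/16, which is
# more specific than 10.0.0.0/8.
SUBNETS = {
    "10.0.0.0/8": "Hub",
    "10.1.0.0/16": "Seattle",
    "10.1.5.0/24": "Seattle-Lab",
    "192.168.20.0/24": "Denver",
}


def subnet_name(address, mask):
    """Derive the Subnet object name from any address in the range plus its
    mask, as the New Object - Subnet dialog does: host bits are cleared and
    the mask becomes a prefix length."""
    net = ipaddress.ip_network("%s/%s" % (address, mask), strict=False)
    return str(net)


def site_for_ip(subnets, ip):
    """Longest-prefix match of ip against the Subnet objects.

    Returns (subnet_name, site), or (None, None) when no Subnet object
    covers the address and so no site can be determined from it.
    """
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for name, site in subnets.items():
        net = ipaddress.ip_network(name)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    if best_net is None:
        return None, None
    return str(best_net), best_site


def check_dc_placement(subnets, dc_ip, server_object_site):
    """Compare where the IP says the DC is with where its Server object is.

    A mismatch is the case the guide warns about: after a move or a
    static IP change, the DC may locate resources over a WAN link
    instead of in its own site.
    """
    subnet, site = site_for_ip(subnets, dc_ip)
    return {
        "ip": dc_ip,
        "subnet": subnet,
        "ip_site": site,
        "server_object_site": server_object_site,
        "ok": subnet is not None and site == server_object_site,
    }


if __name__ == "__main__":
    print(subnet_name("10.1.7.33", "255.255.0.0"))        # 10.1.0.0/16
    for ip, site in (("10.1.9.1", "Seattle"), ("10.1.9.1", "Denver"),
                     ("10.1.5.20", "Seattle"), ("172.16.0.5", "Hub")):
        print(check_dc_placement(SUBNETS, ip, site))
```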
Prior to moving the domain controller, ensure that the following TCP/IP client values are
appropriate for the new location:
Change the TCP/IP settings on any clients that have static references to the domain
controller as the preferred or alternate DNS server.
Determine whether the parent DNS zone of any zone that is hosted by this DNS
server contains a delegation to this DNS server. If yes, update the IP address in all
such delegations. For information about creating DNS delegations, see Verifying
Active Directory Installation.
Site to which you are moving the server: If you move a preferred bridgehead server
to a different site, it becomes a preferred bridgehead server in the new site. If
preferred bridgehead servers are not currently in use in this site, the ISTG behavior in
this site changes to support preferred bridgehead servers. For this reason, you must
either configure the server to not be a preferred bridgehead server (recommended),
or select additional preferred bridgehead servers in the site (not recommended).
Site from which you are moving the server: If the server is the last preferred bridgehead
server in the original site for its domain, and if other domain controllers for the domain are
in the site, the ISTG selects a bridgehead server for the domain. If you use preferred
bridgehead servers, always select more than one server as the preferred bridgehead
server for the domain. If, after the removal of this domain controller from the site, multiple
domain controllers remain that are hosting the same domain and only one of them is
configured as a preferred bridgehead server, either configure the server to not be a
preferred bridgehead server (recommended), or select additional preferred bridgehead
servers hosting the same domain in the site (not recommended).
Note
If you select preferred bridgehead servers and all selected preferred bridgehead
servers for a domain are unavailable in the site, the ISTG does not select a new
bridgehead server. In this case, replication of this domain to and from other sites
does not occur. However, if no preferred bridgehead server is selected for a
domain or transport (through administrator error or as the result of moving the
only preferred bridgehead server to a different site), the ISTG automatically
selects a preferred bridgehead server for the domain and replication proceeds as
scheduled.
Task Requirements
My Network Places
DNS snap-in
Adsiedit.msc
If the parent DNS zone of any zone that is hosted by this DNS server contains a
delegation to this DNS server, use this procedure to update the IP address in all such
delegations.
If your forest root domain has a parent DNS domain, perform this procedure on a
DNS server in the parent domain. If you just added a new domain controller to a child
domain, perform this procedure on a DNS server in the DNS parent domain. By
following recommended practices, the parent domain is the forest root domain.
3. Verify that an IP address maps to a subnet and determine the site association
Note
If you change the static IP address of a domain controller, you must also change
related TCP/IP settings accordingly.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in the
domain of the domain controller whose IP address you are changing.
5. In the Internet Protocol (TCP/IP) Properties dialog box, in the IP address box,
type the new address.
8. In the Preferred DNS server box, type the address of the DNS server that this
computer contacts.
9. In the Alternate DNS server box, type the address of the DNS server that this
computer contacts if the preferred server is unavailable.
10. If this domain controller uses WINS servers, click Advanced and then, in the
Advanced TCP/IP Settings dialog box, click the WINS tab.
11. If an address in the list is no longer appropriate, click the address, and then click
Edit.
12. In the TCP/IP WINS Server dialog box, type the new address, and then click OK.
13. Repeat steps 11 and 12 for all addresses that need to be changed, and then click
OK twice to close the TCP/IP WINS Server dialog box and the Advanced
TCP/IP Settings dialog box.
14. Click OK to close the Internet Protocol (TCP/IP) Properties dialog box.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group.
4. In the ChildDomain Properties sheet, on the Name Servers tab, click Add.
5. In the New Resource Record dialog box, in the Server fully qualified domain
name (FQDN) box, type ChildDC.ChildDomain.ParentDomain (where ChildDC is
the name of the new domain controller, ChildDomain is the name of the child
domain, and ParentDomain is the name of the parent domain).
6. In the New Resource Record dialog box, in the IP address box, type IPAddress
(where IPAddress is the IP address of the child domain controller), click Add, and
then click OK.
Verify that an IP address maps to a
subnet and determine the site
association
Use this procedure to determine the site to which you want to add a Server object prior to
installing Active Directory, or to verify the appropriate site prior to moving a Server object
to it.
To be associated with a site, the IP address of a domain controller must map to a Subnet
object that is defined in Active Directory. The site to which the subnet is associated is the
site of the domain controller.
The subnet address, which is computed from the IP network address and the subnet
mask, is the name of a Subnet object in Active Directory. When you know the subnet
address, you can locate the Subnet object and determine the site to which the subnet is
associated.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Users group.
5. Use the values in IP address and Subnet mask to calculate the subnet address
and then click OK.
8. Expand the Sites container, and then click the Subnets container.
9. In the Name column in the details pane, find the Subnet object that matches the
subnet address.
10. In the Site column, note the site to which the IP subnet address is associated.
If the site that appears in the Site box is not the appropriate site, contact a
supervisor and find out whether the IP address is incorrect or whether to move
the Server object to the site indicated by the subnet.
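The following added example (not part of the guide) computes the subnet address that names a Subnet object from an IP address and mask, as in step 5 above, and then resolves the site that the address maps to. The Subnet objects and site names in it are constructed sample data, and the most-specific-match rule it applies is the one Active Directory uses when Subnet objects overlap.

```python
import ipaddress

# Constructed sample of Subnet objects as they appear in the Subnets container
# (Name column = subnet address, Site column = associated site). Not real data.
SUBNET_OBJECTS = {
    "10.0.0.0/8": "Default-First-Site-Name",
    "10.20.0.0/16": "Seattle",
    "10.20.5.0/24": "Seattle-DC-VLAN",
    "192.168.100.0/24": "Branch-Office",
}


def subnet_address(ip, mask):
    """Step 5: compute the subnet address (the Subnet object name) from the values
    shown in IP address and Subnet mask, e.g. 10.20.5.17 / 255.255.255.0 -> 10.20.5.0/24."""
    return str(ipaddress.IPv4Network((ip, mask), strict=False))


def site_for_address(ip, subnet_objects=SUBNET_OBJECTS):
    """Steps 8 to 10: find the Subnet object that covers the address and return
    (subnet_name, site). When several Subnet objects cover the address, the most
    specific one (longest prefix) wins, which is how Active Directory associates a
    domain controller with a site. Returns (None, None) if no Subnet object covers it,
    in which case the address does not map to any site."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for name, site in subnet_objects.items():
        net = ipaddress.IPv4Network(name)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name, site)
    if best is None:
        return None, None
    return best[1], best[2]


def verify_site(ip, mask, expected_site, subnet_objects=SUBNET_OBJECTS):
    """The procedure end to end: compute the subnet address, look up the Subnet object
    the address falls in, and report whether that subnet is associated with the site
    you expect. A mismatch means either the IP address is wrong or the Server object
    belongs in the site the subnet indicates; the guide says to check with a supervisor.
    exact_object_exists is False when the computed name (IP and mask as configured on
    the server) is not itself a Subnet object, a common sign of a wrong subnet mask."""
    computed = subnet_address(ip, mask)
    matched, site = site_for_address(ip, subnet_objects)
    return {
        "subnet_address": computed,
        "matching_subnet_object": matched,
        "site": site,
        "exact_object_exists": computed in subnet_objects,
        "ok": site == expected_site,
    }


if __name__ == "__main__":
    print(verify_site("10.20.5.17", "255.255.255.0", "Seattle-DC-VLAN"))
    print(verify_site("192.168.100.9", "255.255.0.0", "Branch-Office"))
```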
Administrative Credentials
To perform this procedure, you must be a member of the Domain Users group.
adsiedit.msc
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group.
2. Expand the Sites container, and then expand the site of the preferred bridgehead
server.
3. Expand the Servers node to display the list of domain controllers currently
configured for that site.
4. Right-click the server you want to remove, and then click Properties.
5. If IP appears in the list that marks this server as a bridgehead server for the IP
transport, click IP, click Remove, and then click OK.
Administrative Credentials
To perform this procedure, you must be a member of the Enterprise Admins group.
2. Expand the Sites container and the site in which the server object resides.
3. Expand the Servers container to display the domain controllers that are currently
configured for that site.
4. Right-click the Server object you want to move, and then click Move.
5. In the Site Name box, click the destination site, and then click OK.
6. Expand the Site object to which you moved the server, and then expand the
Servers container.
8. Expand the Server object and verify that an NTDS Settings object exists.
Within an hour, the Net Logon service on the domain controller registers the new site
information in DNS. Wait an hour and then open Event Viewer and connect to the domain
controller whose Server object you moved. Review the directory service log for Net
Logon errors regarding registration of SRV resource records in DNS that have occurred
within the last hour. The absence of errors indicates that Net Logon has updated DNS
with site-specific SRV resource records. Net Logon event ID 5774 indicates that the
registration of DNS resource records has failed. If this error occurs, contact a supervisor
and pursue DNS troubleshooting.
Removing a Site
If domain controllers are no longer needed in a network location, you can remove them
from the site and then delete the Site object. Before you delete the site, you must remove
every domain controller from it, either by decommissioning the domain controller entirely
or by moving it to a new location.
To remove the domain controller, remove Active Directory from the server and then
delete the Server object from the site in Active Directory.
To retain the domain controller in a different location, move the domain controller to a
different site and then move the Server object to the respective site in Active
Directory.
Domain controllers can host other applications that depend on site topology and publish
objects as Child objects of the respective Server object. For example, when MOM or
Message Queuing is running on a domain controller, these applications create Child
objects beneath the Server object. In addition, a server running Message Queuing that is
not a domain controller and is configured to be a routing server running Message
Queuing creates a Server object in the Sites container. Removing the application from
the server automatically removes the Child object below the respective Server object.
However, the Server object is not removed automatically.
When all applications have been removed from the server (no Child objects appear
beneath the Server object), you can remove the Server object. After the application is
removed from the server, a replication cycle might be required before Child objects are
no longer visible below the Server object.
After you delete or move the Server objects but before you delete the Site object,
reconcile the following objects:
IP addresses:
If the addresses are being reassigned to a different site, associate the Subnet object
or objects with that site. Any clients using the addresses for the decommissioned site
will thereafter be assigned automatically to the other site.
If the IP addresses will no longer be used on the network, delete the corresponding
Subnet object or objects.
If the site you are removing belongs to a site link that contains only two sites, delete the
Site Link object.
If the site you are removing belongs to a site link that contains more than two sites, do
not delete that Site Link object.
Before removing a site, consider the implications. If the site you are removing belongs to
more than one site link, it might be an intermediate site between other sites on those site
links, and deleting it might disconnect the outer sites from each other. In this case,
reconcile the site links according to the instructions of the design team.
Task Requirements
The following tool is required to perform the procedures for this task:
Prior to deleting a Server object from the Servers container for a site, verify that the
Server object has no Child objects. If a Child object appears, do not delete the Server
object.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Users group.
2. Expand the Sites container and expand the site of the Server object.
3. Expand the Servers container, and then expand the Server object to view any
Child objects.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group.
To delete a server object from a site
1. Open Active Directory Sites and Services.
2. Expand the Sites container, and then expand the site from which you want to
delete a Server object.
3. If no Child objects appear below the Server object, right-click the Server object,
and then click Delete.
Important
Do not delete a Server object that has a Child object. If an NTDS
Settings or other Child object appears below the Server object you want
to delete, either replication on the domain controller on which you are
viewing the Configuration container has not occurred, or the server
whose Server object you are removing has not been properly
decommissioned.
Administrative Credentials
To perform this procedure, you must be a member of the Enterprise Admins group.
2. Expand the Sites container and the Inter-Site Transports container, and then
click the IP container.
3. In the details pane, right-click the Site Link object you want to delete, and then
click Delete.
When you are removing the site to which the subnet was associated.
When you have temporarily associated the subnet with a different site and want to
associate it with its permanent site.
Administrative Credentials
To perform this procedure, you must be a member of the Enterprise Admins group.
2. Expand the Sites container, and then click the Subnets container.
3. In the details pane, right-click the subnet with which you want to associate the
site, and then click Properties.
4. In the Site box, click the site with which to associate the subnet, and then click
OK.
If the IP addresses are no longer in use, delete the Subnet object or objects with
which the addresses are associated.
Administrative Credentials
To perform this procedure, you must be a member of the Enterprise Admins group.
4. In the Active Directory message box, read the information, and then click Yes to
delete the site and its Servers container object.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Users group.
3. In the details pane, right-click the NTDS Site Settings object, and then click
Properties. The current role owner appears in the Server box under Inter-Site
Topology Generator.
To generate the intersite replication topology, run the KCC on the domain controller in
the site that holds the ISTG role.
To generate the intrasite replication topology, run the KCC on any domain controller
in the site that does not hold the ISTG role.
Note
To generate the replication topology on the ISTG, you must first complete the
procedure: Determine the ISTG role owner for a site.
Administrative Credentials
To perform this procedure, you must be a member of the Enterprise Admins group.
2. Expand the Sites container, and then expand the site that contains the server on
which you want to run the KCC.
3. Expand the Servers container, and then click the Server object for the ISTG.
4. In the details pane, right-click NTDS Settings, click All Tasks, and then click
Check Replication Topology.
Introduction to Administering the Active Directory Database
A need to recover physical space following bulk deletion or removal of the global
catalog
Monitor free disk space on the partition or partitions that store the directory database and
logs. The following are the recommended parameters for free space:
Ntds.dit partition: The greater of 20 percent of the Ntds.dit file size or 500 megabytes
(MB).
Log file partition: The greater of 20 percent of the combined log files size or 500 MB.
Ntds.dit and logs on the same volume: The greater of 1 gigabyte (GB) or 20 percent
of the combined Ntds.dit and log files sizes.
During ordinary operation, objects are deleted from Active Directory. When an object is
deleted, white space (unused space) is created in the database. On a regular basis, the
database consolidates this white space through a process called defragmentation, and
the white space is reused when new objects are added, without adding to the size of the
file itself. This automatic online defragmentation redistributes and retains white space for
use by the database, but does not release it to the file system. Therefore, the database
file does not shrink, even though objects are deleted. In cases where the amount of data
decreases significantly, such as when the global catalog is removed from a domain
controller, the white space is not automatically returned to the file system. Although this
condition does not affect database operation, it leaves large amounts of white space in
the database. You can use offline defragmentation to decrease the size of the database
file by returning white space from the database file to the file system.
Managing the Active Directory database also allows you to upgrade or replace the disk
on which the database or log files are stored or to move the files to a different location,
either permanently or temporarily.
Prior to performing any procedures that affect the directory database, be sure that you
have a current system state backup. For information about performing system state
backup, see Back up system state.
To manage the database file itself, you must take the domain controller offline by
restarting in Directory Services Restore Mode, and then use Ntdsutil.exe to manage the
file.
Note
NTFS disk compression is not supported for the database and log files.
Returning Unused Disk Space from the Active Directory Database to the File System
Hardware maintenance: If the physical disk on which the database or log files are
stored requires upgrading or maintenance, the database files must be moved, either
temporarily or permanently.
Low disk space: When free disk space is low on the logical drive that stores the
database file (Ntds.dit), the log files, or both, first verify that no other files are causing
the problem. If the database file or log files are the cause of the growth, then provide
more disk space by taking one of the following actions:
Expand the partition on the disk that currently stores the database file, the log files, or
both. This procedure does not change the path to the files and does not require
updating the registry.
Use Ntdsutil.exe to move the database file, the log files, or both to a larger existing
partition. If you are not using Ntdsutil.exe when moving files to a different partition,
you will need to manually update the registry.
If the path to the database file or log files will change as a result of moving the files, be
sure that you:
Use Ntdsutil.exe to move the files (rather than copying them) so that the registry is
updated with the new path. Even if you are moving the files only temporarily, use
Ntdsutil.exe to move files locally so that the registry remains current.
Perform a system state backup as soon as the move is complete so that the restore
procedure uses the correct path.
Verify that the correct permissions are applied on the destination folder following the
move. Revise permissions to those that are required to protect the database files, if
needed.
The registry entries that Ntdsutil.exe updates when you move the database file are as
follows:
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\
Parameters:
The registry entry that Ntdsutil.exe updates when you move the log files is as follows:
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\
Parameters:
Permanent location: Free space on the destination NTFS drive equivalent to at least the
size specified below, plus space to accommodate anticipated growth, depending on
which file or files you are moving.
Caution
The drive that is the permanent location of the database file or log files must be
formatted as NTFS.
Database file only: The size of the database file plus 20 percent of the Ntds.dit file or
500 MB, whichever is greater.
Log files only: The size of the combined log files plus 20 percent of the combined
logs or 500 MB, whichever is greater.
Database and logs: If the database and log files are stored on the same partition, free
space should be at least 20 percent of the combined Ntds.dit and log files, or 1 GB,
whichever is greater.
Important
The preceding levels are minimum recommended levels. Therefore, adding
additional space according to anticipated growth is recommended.
Task Requirements
The following tools are required to perform the procedures for this task:
net use
dir
xcopy
Ntdsutil.exe
Backup software
Windows Explorer
Note
If you replace or reconfigure a drive that stores the SYSVOL folder, you must first
move the SYSVOL folder manually. For information about moving SYSVOL
manually, see Relocating SYSVOL Manually.
Note
The domain controller will not be available during the time in which files are being
moved and until the move is verified. Ensure that alternate domain controllers are
available during the file relocation to handle the capacity.
1. Determine the size and location of the Active Directory database by using one of the
following procedures:
2. Compare the size of the directory database files to the volume size
System state includes the database file and log files as well as SYSVOL and Net
Logon shared folders, among other things. Always ensure that you have a current
backup prior to moving database files.
4. Restart the domain controller in Directory Services Restore Mode by using one of the
following methods:
5. Move or copy the directory database and log files by performing one of the following
procedures:
The shared folder on a remote drive must have enough free space to hold the
database file (Ntds.dit) and log files. Create separate subdirectories for copying
the database file and the log files.
Important
Be sure to use the same method to check file sizes when you compare them.
The size is reported differently, depending on whether the domain controller is
online or offline. For information about determining database size offline, see
Determine the database size and location offline.
You can also use the Search command on the Start menu to locate the database file
(Ntds.dit) or the edb*.log file for the location of the database and log files, respectively.
If you have set garbage collection logging to report free disk space, then event ID 1646 in
the Active Directory service log also reports the size of the database file: “Total allocated
hard disk space (megabytes):”
Alternatively, you can determine the size of the database file by listing the contents of the
directory that contains the files.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group.
2. Run the dir command to examine the database size. In the following example, the
Ntds.dit file and the log files are stored in the same directory, and the files take up
58,761,216 bytes of disk space.
H:\NTDS>dir
Directory of H:\NTDS
01/29/2002 11:04 AM <DIR> .
Administrative Credentials
4. At the file maintenance: prompt, type quit and then press ENTER. Type quit
and then press ENTER again to quit Ntdsutil.exe.
You might need to relocate the database file, the log files, or both, if disk space on the
volume on which they are stored becomes low. Before moving the database file or log
files, examine the size of the database folder, logs folder, or both, if they are stored in the
same location, relative to the size of the volume to verify that these files are the cause of
low disk space. Include the size of the SYSVOL folder if it is on the same partition.
Administrative Credentials
If you are online when comparing the size of the directory database files, you must be a
member of the Domain Users group. If you are offline, you must be an administrator on
the local computer.
To compare the size of the directory database files to the volume size
1. In Windows Explorer, click My Computer.
3. In the Name column in the details pane, locate the volume. Make a note of the
value in the Total Size column.
4. Navigate to the folder that stores the database file, the log files, or both.
5. Right-click the folder, and then click Properties. Make a note of the value in Size
on disk.
6. If the volume includes SYSVOL, navigate to that folder and repeat step 5.
7. Compare the sizes. If the combined size of the relevant database files and
SYSVOL files (if appropriate) is significantly smaller than the volume size, then
check the contents of the volume for other files.
8. If other files are present, move those files and reassess the disk space on the
volume.
Use these procedures to back up the system state only. These procedures do not back
up the system disk or any other data on the domain controller except for the system-
protected files.
Use the first procedure, "To back up system state including system-protected files," for
routine system state backup. Use the second procedure, "To back up system state
excluding system-protected files," if you want to create a smaller backup that is effective
for installing domain controllers from restored backup media.
Note
To back up system state, you must log on locally to the domain controller, or
Remote Desktop must be enabled on the remote domain controller so that you
can connect remotely.
Administrative credentials
To perform the following two procedures, you must be a member of the Domain
Admins group or a member of the Backup Operators group.
To back up system state including system-protected files
1. To start the Windows Server 2003 backup utility, click Start, click Run, type
ntbackup, and then click OK.
This procedure provides steps for backing up in Wizard Mode. By default, the
Always Start in Wizard Mode check box is selected in the Backup or Restore
Wizard. If the Welcome to the Backup Utility Advanced Mode page appears,
click Wizard Mode to open the Backup or Restore Wizard.
4. Select Let me choose what to back up, and then click Next.
6. In the expanded list below My Computer, check System State, and then click
Next.
If you are backing up to a file, type the path and file name for the backup
(.bkf) file (or click Browse to find a folder or file).
If you are backing up to a tape unit, choose the tape that you want to use.
Note
You should not store the backup on the local hard drive. Instead,
store it in a location, such as a tape drive, away from the computer
that you are backing up.
10. Do not change the default options for Type of Backup. Normal should be
selected, and the check box for Backup migrated remote storage data should
remain cleared. Click Next.
11. Select Verify data after backup, and then click Next.
12. In the Backup Options dialog box, select a backup option, and then click Next.
13. If you are replacing the existing backups, select the option to allow only the
owner and administrator access to the backup data and to any backups that are
appended to this medium, and then click Next.
14. In the When to back up box, select the appropriate option for your needs, and
then click Next.
15. If you are satisfied with all of the options that are selected, click Finish to perform
the backup operation according to your selected schedule.
Note
The system state can also be backed up by using Ntbackup from a
command line with appropriate parameters. For more information, at a
command prompt type ntbackup /?.
The following procedure produces a smaller .bkf file that does not include system boot
files. By using this procedure, you can reduce the time that is required to perform the
backup and subsequent restore, as well as the amount of disk space that is required.
This method is recommended when the restored backup is to be used for installing
additional domain controllers.
4. In Backup media or file name, type a name for this backup according to the
recommendations in Backing Up Active Directory Components.
6. Clear the Automatically back up System Protected Files with the System
State check box, and then click OK.
See Also
Enable Remote Desktop
When you start Windows Server 2003 in Directory Services Restore Mode, the local
Administrator account is authenticated by the local Security Accounts Manager (SAM)
database. Therefore, logging on requires that you use the local administrator password,
not an Active Directory domain password. This password is set during Active Directory
installation when you provide the password for Directory Services Restore Mode.
Administrative credentials
To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.
2. When the screen for selecting an operating system appears, press F8.
See Also
Restart the domain controller in Directory Services Restore Mode Remotely
If you use Remote Desktop Connection to connect to a domain controller remotely and
you want to restart the domain controller in Directory Services Restore Mode, you must
first modify the Boot.ini file on the remote server so that you do not lose the connection
when the domain controller restarts.
When you start Windows Server 2003 in Directory Services Restore Mode, the local
Administrator account is authenticated by the local Security Accounts Manager (SAM)
database. Therefore, logging on requires that you use the local administrator password,
not an Active Directory domain password. This password is set during Active Directory
installation when you provide the password for Directory Services Restore Mode.
Administrative credentials
To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.
2. Right-click My Computer, click Properties, and then click the Advanced tab.
Note
The /SAFEBOOT:DSREPAIR switch works for domain controllers
running Windows 2000 Server and Windows Server 2003.
7. On the Start menu, click Shut Down, and then click Restart. During the restart
process, the Terminal Services client reports that the session is disconnected.
Caution
Be sure to click Restart and not Shut Down at this step. If you click
Shut Down, you cannot restart the domain controller remotely.
8. Wait until the restart process completes on the remote domain controller, and
then reconnect the client session.
10. Right-click My Computer, click Properties, and then click the Advanced tab.
12. Click the Edit button to edit the startup options file.
13. Delete the /SAFEBOOT:DSREPAIR switch from the default entry in the Boot.ini
file, save the file, and then close Notepad.
Important
If you restart the domain controller before you modify the Boot.ini file, the
domain controller remains offline.
The Boot.ini file is now returned to its original state, which starts the domain
controller normally.
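An added example, not from the guide, that adds the /SAFEBOOT:DSREPAIR switch to the entry that the default= line of Boot.ini points at before the remote restart, and removes it again afterwards, as the two halves of the procedure above require. The Boot.ini text is a constructed sample; the function names are this example's own.

```python
SAFEBOOT_DSREPAIR = "/SAFEBOOT:DSREPAIR"

# Constructed sample Boot.ini with two entries; only the default one must change.
SAMPLE_BOOT_INI = (
    "[boot loader]\n"
    "timeout=30\n"
    "default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS\n"
    "[operating systems]\n"
    'multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows Server 2003, Enterprise" /fastdetect\n'
    'multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Recovery install" /fastdetect\n'
)


def _default_entry_index(lines):
    """Index of the line under [operating systems] that the default= value in
    [boot loader] refers to. Raises ValueError if the file is not a usable Boot.ini."""
    default = None
    section = None
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s.lower()
        elif section == "[boot loader]" and s.lower().startswith("default="):
            default = s.split("=", 1)[1].strip().lower()
        elif section == "[operating systems]" and default and s.lower().startswith(default + "="):
            return i
    raise ValueError("default entry not found in Boot.ini")


def dsrm_switch_on_default(boot_ini_text):
    """True if the default entry currently carries /SAFEBOOT:DSREPAIR, i.e. the next
    restart would bring the domain controller up in Directory Services Restore Mode."""
    lines = boot_ini_text.splitlines()
    return SAFEBOOT_DSREPAIR.lower() in lines[_default_entry_index(lines)].lower()


def set_dsrm_switch(boot_ini_text, enable):
    """Return (new_text, changed). enable=True appends the switch to the default entry
    (before the restart into Directory Services Restore Mode); enable=False removes it
    (step 13, before the normal restart, otherwise the domain controller stays in
    Directory Services Restore Mode and offline). Other entries are left untouched."""
    lines = boot_ini_text.splitlines()
    i = _default_entry_index(lines)
    tokens = lines[i].split()
    present = any(t.upper() == SAFEBOOT_DSREPAIR for t in tokens)
    if enable and not present:
        tokens.append(SAFEBOOT_DSREPAIR)
    elif not enable and present:
        tokens = [t for t in tokens if t.upper() != SAFEBOOT_DSREPAIR]
    else:
        return boot_ini_text, False
    lines[i] = " ".join(tokens)
    return "\n".join(lines) + "\n", True


if __name__ == "__main__":
    enabled, _ = set_dsrm_switch(SAMPLE_BOOT_INI, True)
    print(enabled)
    restored, _ = set_dsrm_switch(enabled, False)
    print(restored == SAMPLE_BOOT_INI)
```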
See Also
Enable Remote Desktop
If you need to reformat the partition that currently stores the database file, the log files, or
both, then you must move the files temporarily while you reformat the original drive. After
you reformat the drive, use the same procedure to move the files back. Even if you are
moving the files only temporarily, use Ntdsutil.exe so that the registry is always current.
Administrative Credentials
To perform this procedure, you must be an Administrator on the local computer.
2. Run the dir command and make a note of the current size and location of the
Ntds.dit file.
5. To move the database file, at the file maintenance: prompt, use the following
commands:
move db to drive:\directory
where drive:\directory specifies the path to the new location. If the directory does
not exist, then Ntdsutil.exe creates it.
Note
If the directory path contains any spaces, the entire path must be
surrounded by quotation marks (for example, move db to "g:\new
folder").
6. After the move completes, at the file maintenance: prompt, type quit and press
ENTER. Type quit again and press ENTER to quit Ntdsutil.exe.
7. Change to the destination directory and then run the dir command to confirm the
presence of the files. If you have moved the database file, then check the size of
the Ntds.dit file against the file size you noted in step 2 to be sure that you are
focused on the correct file.
8. If you are moving the database file or log files permanently, go to step 9.
If you are moving the database file or log files temporarily, you can now perform
any required updates to the original drive. After you update the drive, repeat
steps 1 through 7 to move the files back to the original location.
If the path to the database file or log files has not changed, go to step 10.
9. If the path to the database file or log files has changed from the original location,
check permissions on the database folder or logs folder while still in Directory
Services Restore Mode, as follows:
a. In Windows Explorer, right-click the folder to which you have moved the
database file or log files, and then click Properties.
b. Click the Security tab, and verify that the permissions are:
f. If Administrators or SYSTEM, or both, are not in the Name list, click Add.
g. On the Select Users or Groups page, in the Look in: box, be sure the
name of the local computer is selected.
h. In the Name list, click System if needed, and then click Add. Repeat to add
Administrators, if needed, and then click OK.
i. On the Security tab, click System and then in the Allow column, click Full
Control. Repeat for Administrators.
j. In the Name box, click any name that is not SYSTEM or Administrators, and
then click Remove. Repeat until the only remaining accounts are
Administrators and SYSTEM, and then click OK.
Note
Some accounts might appear in the form of security identifiers
(SIDs). Remove any such accounts.
10. At the command prompt, type ntdsutil and then press ENTER.
11. At the ntdsutil: prompt, type files and then press ENTER.
12. At the file maintenance: prompt, type integrity and then press ENTER.
If the integrity check fails, perform semantic database analysis with a fixup
record.
13. If the integrity check succeeds, type quit and press ENTER to quit the file
maintenance: prompt. Type quit again and press ENTER to quit Ntdsutil.exe.
14. Restart the domain controller normally. If you are performing this procedure
remotely over a Terminal Services connection, be sure that you have modified
the Boot.ini file for normal restarting before you restart the domain controller.
If the following events are logged in Event Viewer on restarting the domain
controller, address the events as follows:
Event ID 1168. “Internal error: An Active Directory error has occurred.” In this
case, information is missing from the registry and you must restore from
backup media.
If you need to move the database file or the log files while you reconfigure the drive on
which they are currently stored, and you do not have sufficient space to move the files
locally, then you can use the xcopy command to copy the files to a remote shared folder
temporarily, and then use the same procedure to copy them back to the original drive.
You can use this method as long as the path to the files does not change.
Important
When relocating any database files (the database file or the log files) off the local
computer, always copy both the database file and the log files so that all of the
files necessary to restore the directory service are maintained.
Administrative Credentials
To copy the directory database and log files to a remote share and back to the
local computer
1. In Directory Services Restore Mode, open a command prompt and change
directories to the current location of the database file (Ntds.dit) or the log files. If
the database file and log files are in different locations, perform step 2 for each
directory.
2. Run the dir command and make a note of the current size and location of the
Ntds.dit file and the log files.
4. Use the xcopy command to copy the database file and log files to the location
you established in step 3. In the example where the database file is located in
H:\WINNT\NTDS and the share has the subdirectory database, the text you type
is shown in bold:
5. Change drives to the new location and run the dir command to compare the file
sizes to those listed in step 2. Use this step to ensure that you copy the correct
set of files back to the local computer.
6. At this point, you can safely destroy data on the original local drive.
8. Copy the database and log files from the remote shared folder back to the
original location on the domain controller.
10. At the ntdsutil: prompt, type files and then press ENTER.
11. At the file maintenance: prompt, type integrity and then press ENTER.
12. If the integrity check fails, perform semantic database analysis with a fixup
record.
13. If the integrity check succeeds, type quit and press ENTER to quit the file
maintenance: prompt. Type quit again and press ENTER to quit Ntdsutil.exe.
14. Restart the domain controller normally. If you are performing this procedure
remotely over a Terminal Services connection, be sure that you have modified
the Boot.ini file for normal restarting before you restart the domain controller.
If the following events are logged in Event Viewer on restarting the domain controller,
respond to the events as follows:
Event ID 1046. “The Active Directory database engine caused an exception with
the following parameters.” In this case, Active Directory cannot recover from this
error and you must restore from backup media.
Event ID 1168. “Internal error: An Active Directory error has occurred.” In this
case, information is missing from the registry and you must restore from backup
media.
Returning Unused Disk Space from the Active Directory Database to the File System
During ordinary operation, the white space in the Active Directory database file becomes
fragmented. Each time garbage collection runs (every 12 hours, by default), white space
is automatically defragmented online to optimize its use within the database file. The
unused disk space is thereby maintained for the database; it is not returned to the file
system.
Only offline defragmentation can return unused disk space from the directory database to
the file system. When database contents have decreased considerably through a bulk
deletion (for example, you remove the global catalog from a domain controller), or if the
size of the database backup is significantly increased due to the white space, use offline
defragmentation to reduce the size of the Ntds.dit file.
You can determine how much free disk space is recoverable from the Ntds.dit file by
setting the garbage collection logging level in the registry. Changing the garbage
collection logging level from the default value of 0 to a value of 1 results in event ID 1646
being logged in the directory service log. This event describes the total amount of disk
space used by the database file as well as the amount of free disk space that is
recoverable from the Ntds.dit file through offline defragmentation.
At garbage collection logging level 0, only critical events and error events are logged in
the directory service log. At level 1, high-level events are logged as well. Events can
include one message for each major task that is performed by the service. At level 1, the
following events are logged for garbage collection:
Event IDs 700 and 701: report when online defragmentation begins and ends,
respectively.
Event ID 1646: reports the amount of free space available in the database out of the
amount of allocated space.
Caution
Setting the value of entries in the Diagnostics subkey to greater than 3 can
degrade server performance and is not recommended.
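The logging-level change and the event ID 1646 reading described above, as an added PowerShell example that is not part of the Microsoft guide. It assumes the NTDS Diagnostics value name '6 Garbage Collection' (a real value name the page does not spell out) and the wording of the two "(MB):" lines in the 1646 message that the regular expressions match.

```powershell
# Added example; not part of the Microsoft guide. Raises the garbage collection
# logging level to 1 and reads the most recent event ID 1646 from the Directory
# Service log to show how much space offline defragmentation could return.
# Assumptions: the value name '6 Garbage Collection' under the NTDS Diagnostics
# key and the wording of the two "(MB):" lines in the 1646 message text.

$DiagnosticsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$GcValueName    = '6 Garbage Collection'

function Set-GarbageCollectionLoggingLevel {
    param([int]$Level = 1)
    # The guide cautions against Diagnostics values above 3; level 1 is enough for event 1646.
    if ($Level -lt 0 -or $Level -gt 3) { throw "Level $Level is outside the recommended range 0..3" }
    Set-ItemProperty -Path $DiagnosticsKey -Name $GcValueName -Value $Level -Type DWord
}

function ConvertFrom-GarbageCollectionEvent {
    # Parses the message text of one event 1646 into free, total and recoverable figures.
    param([string]$MessageText)
    if ($MessageText -match 'Free hard disk space \(MB\):\s*(\d+)') {
        $freeMb = [int]$Matches[1]
    } else { return $null }
    if ($MessageText -match 'Total allocated hard disk space \(MB\):\s*(\d+)') {
        $totalMb = [int]$Matches[1]
    } else { return $null }
    $pct = if ($totalMb -gt 0) { [math]::Round(100 * $freeMb / $totalMb, 1) } else { 0 }
    New-Object PSObject -Property @{
        FreeMB             = $freeMb
        TotalMB            = $totalMb
        RecoverablePercent = $pct
    }
}

function Get-RecoverableDatabaseSpace {
    # Reads the newest 1646 event written since the logging level was raised.
    $event = Get-EventLog -LogName 'Directory Service' -Newest 500 |
        Where-Object { $_.EventID -eq 1646 } |
        Select-Object -First 1
    # Garbage collection runs every 12 hours by default, so there may be no event yet.
    if (-not $event) { return $null }
    ConvertFrom-GarbageCollectionEvent -MessageText $event.Message
}

# Constructed sample message, in the shape of a real 1646 event, so the parser can
# be exercised without waiting for garbage collection to run.
$sampleMessage = @'
Internal event: The Active Directory database has the following amount of free hard disk space remaining.
Free hard disk space (MB): 180
Total allocated hard disk space (MB): 420
'@
$report = ConvertFrom-GarbageCollectionEvent -MessageText $sampleMessage
"Sample: {0} MB of {1} MB ({2}%) recoverable by offline defragmentation" -f `
    $report.FreeMB, $report.TotalMB, $report.RecoverablePercent
```

Call Set-GarbageCollectionLoggingLevel, wait for the next garbage collection pass, then Get-RecoverableDatabaseSpace on the domain controller; set the level back to 0 when you have the figure.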
Task requirements
The following tools are required to perform the procedures for this task:
Regedit.exe
Backup software
Ntdsutil.exe
To complete this task, perform the following procedures:
If you are logged on to the domain controller locally, restart the domain controller
in Directory Services Restore Mode.
If you are using Remote Desktop Connection for remote administration, you can
restart the domain controller remotely in Directory Services Restore Mode after
modifying the Boot.ini file on the remote server.
5. If the database integrity check fails, perform semantic database analysis with fixup.
The garbage collection logging level is an NTDS diagnostics setting in the registry.
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group.
Caution
The Registry Editor bypasses standard safeguards, allowing settings that can
damage your system or even require you to reinstall Windows. If you must edit
the registry, back up system state first. For information about backing up system
state, see Introduction to Administering Active Directory Backup and Restore.
Use these procedures to back up the system state only. These procedures do not back
up the system disk or any other data on the domain controller except for the system-protected files.
Use the first procedure, "To back up system state including system-protected files," for
routine system state backup. Use the second procedure, "To back up system state
excluding system-protected files," if you want to create a smaller backup that is effective
for installing domain controllers from restored backup media.
Note
To back up system state, you must log on locally to the domain controller, or
Remote Desktop must be enabled on the remote domain controller so that you
can connect remotely.
Administrative credentials
To perform the following two procedures, you must be a member of the Domain
Admins group or a member of the Backup Operators group.
This procedure provides steps for backing up in Wizard Mode. By default, the
Always Start in Wizard Mode check box is selected in the Backup or Restore
Wizard. If the Welcome to the Backup Utility Advanced Mode page appears,
click Wizard Mode to open the Backup or Restore Wizard.
4. Select Let me choose what to back up, and then click Next.
6. In the expanded list below My Computer, check System State, and then click
Next.
If you are backing up to a file, type the path and file name for the backup
(.bkf) file (or click Browse to find a folder or file).
If you are backing up to a tape unit, choose the tape that you want to use.
Note
You should not store the backup on the local hard drive. Instead,
store it in a location, such as a tape drive, away from the computer
that you are backing up.
10. Do not change the default options for Type of Backup. Normal should be
selected, and the check box for Backup migrated remote storage data should
remain cleared. Click Next.
11. Select Verify data after backup, and then click Next.
12. In the Backup Options dialog box, select a backup option, and then click Next.
13. If you are replacing the existing backups, select the option to allow only the
owner and administrator access to the backup data and to any backups that are
appended to this medium, and then click Next.
14. In the When to back up box, select the appropriate option for your needs, and
then click Next.
15. If you are satisfied with all of the options that are selected, click Finish to perform
the backup operation according to your selected schedule.
Note
The system state can also be backed up by using Ntbackup from a
command line with appropriate parameters. For more information, at a
command prompt type ntbackup /?.
The following procedure produces a smaller .bkf file that does not include system boot
files. By using this procedure, you can reduce the time that is required to perform the
backup and subsequent restore, as well as the amount of disk space that is required.
This method is recommended when the restored backup is to be used for installing
additional domain controllers.
4. In Backup media or file name, type a name for this backup according to the
recommendations in Backing Up Active Directory Components.
6. Clear the Automatically back up System Protected Files with the System
State check box, and then click OK.
When you start Windows Server 2003 in Directory Services Restore Mode, the local
Administrator account is authenticated by the local Security Accounts Manager (SAM)
database. Therefore, logging on requires that you use the local administrator password,
not an Active Directory domain password. This password is set during Active Directory
installation when you provide the password for Directory Services Restore Mode.
Administrative credentials
To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.
2. When the screen for selecting an operating system appears, press F8.
See Also
Restart the domain controller in Directory Services Restore Mode Remotely
Restart the domain controller in Directory Services Restore Mode Remotely
If Remote Desktop is enabled on a domain controller, you can use Remote Desktop
Connection to connect to the domain controller remotely. Remote Desktop Connection
(formerly known as the Terminal Services client) is installed by default on all
Windows Server 2003 family operating systems.
If you use Remote Desktop Connection to connect to a domain controller remotely and
you want to restart the domain controller in Directory Services Restore Mode, you must
first modify the Boot.ini file on the remote server so that you do not lose the connection
when the domain controller restarts.
When you start Windows Server 2003 in Directory Services Restore Mode, the local
Administrator account is authenticated by the local Security Accounts Manager (SAM)
database. Therefore, logging on requires that you use the local administrator password,
not an Active Directory domain password. This password is set during Active Directory
installation when you provide the password for Directory Services Restore Mode.
Administrative credentials
To perform this procedure, you must provide the Administrator password for Directory
Services Restore Mode.
2. Right-click My Computer, click Properties, and then click the Advanced tab.
3. Click Settings for startup and recovery.
Note
The /SAFEBOOT:DSREPAIR switch works for domain controllers
running Windows 2000 Server and Windows Server 2003.
6. Save the modified Boot.ini file, and then close Notepad.
7. On the Start menu, click Shut Down, and then click Restart. During the restart
process, the Terminal Services client reports that the session is disconnected.
Caution
Be sure to click Restart and not Shut Down at this step. If you click
Shut Down, you cannot restart the domain controller remotely.
8. Wait until the restart process completes on the remote domain controller, and
then reconnect the client session.
12. Click the Edit button to edit the startup options file.
13. Delete the /SAFEBOOT:DSREPAIR switch from the default entry in the Boot.ini
file, save the file, and then close Notepad.
Important
If you restart the domain controller before you modify the Boot.ini file, the
domain controller remains offline.
The Boot.ini file is now returned to its original state, which starts the domain
controller normally.
See Also
Enable Remote Desktop
After compacting the file to the temporary location, copy the compacted Ntds.dit file back
to the original location. If possible, maintain a copy of the original database file that you
have either renamed in its current location or copied to an archival location.
Note
To perform this procedure, the domain controller must be started in Directory
Services Restore Mode.
Administrative Credentials
To perform this procedure, you must be an administrator on the local domain controller. At
the remote location, you must have Read and Write permissions on the destination drive
and the shared folder.
Disk Space
Current database drive. Free space on the drive that contains the file equivalent to
at least 15 percent of the current size of the database for temporary storage during
the index rebuild process.
Destination database drive. Free space equivalent to at least the current size of the
database for storage of the compacted database file.
Remote directory: If you are compacting the database file to a shared folder
on a remote computer, establish a network connection to the shared folder as
shown below. Because you are logged on as the local administrator, unless
permissions on the shared folder include the built-in Administrator account,
you must provide a domain name, user name, and password for a domain
account that has Write permissions on the shared folder. In the example
below, \\SERVER1\NTDS is the name of the shared folder, and K: is the drive
that you are mapping to the shared folder. After typing the first line and
pressing ENTER, Ntdsutil.exe prompts you for the password. Type the
password and then press ENTER.
H:\>net use K: \\SERVER1\NTDS /user:domainName\userName *
2. Type the following command at a command prompt and then press ENTER:
ntdsutil
If you have mapped a drive to a shared folder on a remote computer, type the
drive letter only (for example, compact to K:\).
Note
When compacting to a local drive, you must provide a path. If the path
contains any spaces, enclose the entire path in quotation marks (for
example, compact to "c:\new folder"). If the directory does not exist,
Ntdsutil.exe creates it and creates the file named Ntds.dit in that location.
Caution
Do not overwrite the original Ntds.dit file or delete any log files.
del drive:\pathToLogFiles\*.log
Note
You do not need to delete the Edb.chk file.
b. If space allows, either rename the original Ntds.dit file to preserve it or else
copy it to a different location. Avoid overwriting the original Ntds.dit file.
copy temporaryDrive:\ntds.dit originalDrive:\pathToOriginalDatabaseFile\ntds.dit
9. At the file maintenance: prompt, type integrity and then press ENTER.
If the integrity check fails, the likely cause is that an error occurred during the
copy operation in step 6.3. Repeat steps 6.3 through 9. If the integrity check
fails again:
Contact Microsoft Product Support Services.
-or-
Copy the original version of the Ntds.dit file that you preserved in step 6.2 to
the original database location and repeat the offline defragmentation
procedure.
If the initial compact to command failed, go back to step 4 and perform steps
4 through 9.
If the initial compact to command succeeded, type quit and press ENTER to
quit the file maintenance: prompt, and then type quit and press ENTER
again to quit Ntdsutil.exe.
11. Restart the domain controller normally. If you are connected remotely through a
Terminal Services session, be sure that you have modified the Boot.ini file for
normal restarting before you restart the domain controller.
If the following events are logged in Event Viewer on restarting the domain controller,
respond to the events as follows:
Event ID 1046. “The Active Directory database engine caused an exception with
the following parameters.” In this case, Active Directory cannot recover from this
error and you must restore from backup media.
Event ID 1168. “Internal error: An Active Directory error has occurred.” In this
case, information is missing from the registry and you must restore from backup
media.
If the integrity check fails, repeat steps 6.3 through 9 above, and then
repeat the integrity check. If the integrity check fails again:
-or-
Copy the original version of the Ntds.dit file that you preserved in step 6.2 to the
original database location and repeat the offline defragmentation procedure.
If the integrity check succeeds, perform semantic database analysis with fixup.
4. If semantic database analysis with fixup succeeds, quit Ntdsutil.exe and restart the
domain controller normally.
If semantic database analysis with fixup fails, contact Microsoft Product Support
Services.
Note
To perform this procedure, the domain controller must be started in Directory
Services Restore Mode.
Administrative Credentials
3. At the ntdsutil: prompt, type semantic database analysis and then press
ENTER.
4. At the semantic checker: prompt, type verbose on and then press ENTER.
5. At the semantic checker: prompt, type go fixup and then press ENTER.
If errors are reported during the semantic database analysis Go Fixup phase,
perform directory database recovery.
Caution
Do not confuse the recover command with the repair command.
Never use the repair command in Ntdsutil.exe. Forest-wide data loss
can occur.
If semantic database analysis with fixup succeeds, type quit and then type
quit again to close Ntdsutil.exe, and then restart the domain controller
normally. If you are performing this procedure remotely over a Terminal
Services connection, be sure that you have modified the Boot.ini file for
normal restarting before you restart the domain controller.
In this guide
Acknowledgements
There are several reasons for adding a new domain controller. Additional applications
(which are Active Directory–integrated as opposed to running on domain controllers)
might be required to meet increased capacity requirements, provide upgrades and fault
tolerance, and reduce failures. You might add a new site where users require a domain
controller for logging on to the domain. For more information about criteria and best
practices for deploying domain controllers, see Designing and Deploying Directory and
Security Services on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=45801).
When a domain controller is no longer needed, remove Active Directory. The process of
removing Active Directory involves steps similar to the steps for installation. You run
many of the same tests before you remove the directory as you ran before you installed
the directory. These tests ensure that the process occurs without any problems. In the
event that a domain controller suffers a hardware failure and you plan to never return it to
service, you must use a procedure that forces Active Directory removal and then take
additional steps to remove the server object and its metadata from the directory.
Renaming Domain Controllers
You often need to rename a domain controller for organizational or administrative
reasons or when the computer hardware must be replaced. Renaming a domain
controller requires that Domain Name System (DNS) resource records be updated with
the new Internet Protocol (IP)-to-host name mappings and that service principal names
(SPNs) replicate to all domain controllers in the domain. You must also update File
Replication service (FRS) objects.
By Active Directory replication over the wide area network (WAN) link
Assuming that the remote site is connected to a hub site by a WAN link and does not
contain a domain controller for the domain, you might want to avoid the additional time
and the performance impact of replicating the full replica of Active Directory over the
WAN when you add a new domain controller to the remote site. In this case, you can use
backup media to install Active Directory.
If you want to install a domain controller from backup media, both the source of the
backup and the target server that is to be promoted to a domain controller must be
running Windows Server 2003 or Windows Server 2003 with SP1, and the operating
system of the source of the backup and the target server must be the same. The
hardware platform (32-bit or 64-bit) of the two computers must also match. Restoring
from backup media eliminates the need to use replication to create the Active Directory
replica on the new domain controller.
Run the Active Directory Installation Wizard, and use Active Directory replication
to create the Active Directory replica and File Replication service (FRS)
replication to create the System Volume (Sysvol) replicas.
Run the Active Directory Installation Wizard, and use restored system state
backup media to create the Active Directory and Sysvol replicas.
Create an answer file and use the Unattend.txt file to provide the information that
the Active Directory Installation Wizard requires.
Perform tests to verify that Active Directory is properly installed and the domain
controller is functioning.
Add domain controllers to remote sites. When you prepare and ship an additional
domain controller to a remote site, you can either install the domain controller before
shipping or install the domain controller in the remote site.
When you install a domain controller in a hub site or staging site before
shipment, you must disconnect the domain controller for a period, which requires
careful preparation. When you reconnect the domain controller, Active Directory
replication brings the domain controller up to date.
When you install the domain controller in the remote site, you can use a restored
system state backup to avoid having to replicate Active Directory over a wide
area network (WAN) link.
Rename a domain controller. You can now rename a domain controller without
removing Active Directory. New functionality is available in the Netdom tool when the
domain functional level is Windows Server 2003. This new functionality provides
better preparation for DNS and service recognition of the new domain controller
name. You can also use System Properties, which does not require a domain
functional level and does not provide the same preparation, but which relies solely on
replication to update the domain controller DNS name and service principal name
(SPN). This method can result in a longer delay before clients can use the renamed
domain controller.
In addition, to protect domain controllers from infection by viruses that can corrupt
directory data or cause software or hardware failure, an integral step in installing any
domain controller is to install antivirus software.
Antivirus software is the generally accepted way to mitigate the risk of such malevolent
activity. However, you cannot simply install antivirus software (from any vendor) on a
domain controller and configure it to scan everything. Instead, it must be installed in a
manner that reduces the risk as far as possible without interfering with the domain
controllers' performance of their directory service duties. Installing antivirus software
correctly minimizes the risk that domain controller activities will be disrupted by
malicious code.
Note
Verify that the antivirus software you are adding is confirmed to work on domain
controllers.
The following recommendations are general and should not be construed as more
important than the specific antivirus software vendor’s own recommendations. These
guidelines must be followed for correct Active Directory and FRS operation.
Note
Test the chosen antivirus software solution thoroughly in a lab environment to
ensure that the software does not compromise the stability of the system.
Use a version of antivirus software that is confirmed to work with Active Directory and
uses the correct APIs for accessing files on the server. Older versions of most
vendors’ software inappropriately modified file metadata as it was scanned, causing
the FRS replication engine to think the file was changed and to schedule it for
replication. Newer versions prevent this problem. For more information about
antivirus software versions and FRS, see article 815263, "Antivirus, backup, and disk
optimization programs that are compatible with the File Replication service" in the
Microsoft Knowledge Base on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkID=4441),
and see the vendor-specific sites for compliant versions.
Prevent the use of domain controller systems as general workstations. Users should
not be using a domain controller to surf the Web or perform any other activities that
could allow the introduction of malicious code.
When possible, do not use the domain controller as a file sharing server. Virus
scanning software must be run against all files in those shares and could place an
unsatisfactory load on the processor and memory resources of the server.
Main NTDS database files. The location of these files is specified in:
RES1.log
RES2.log
TEMP.edb
EDB.chk
SYSVOL files
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory
Files to be excluded:
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\DB Log File Directory
Files to be excluded:
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage
<Replica_root>\DO_NOT_REMOVE_NtFrs_PreInstall_Directory.
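Resolving the exclusion locations listed above from the registry, as an added PowerShell example that is not part of the Microsoft guide. The NtFrs value names are the ones on the page; the NTDS values 'DSA Database file' and 'Database log files path' and the NtFrs value 'Replica Set Root' are real registry values that the page does not spell out.

```powershell
# Added example; not part of the Microsoft guide. Resolves the locations the page
# lists for antivirus exclusions by reading them from the registry on the domain
# controller, so the exclusion list can be checked against the real configuration.
# The NtFrs value names come from the page. The NTDS values 'DSA Database file' and
# 'Database log files path' and the NtFrs value 'Replica Set Root' are real values
# that the page does not spell out.

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -ne $null) { return $item.$Name }
    return $null
}

function Get-DomainControllerAvExclusions {
    $exclusions = @()

    # Main NTDS database file and its log directory (holds RES1.log, RES2.log, TEMP.edb, EDB.chk).
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dit  = Get-RegistryValue -Path $ntds -Name 'DSA Database file'
    $logs = Get-RegistryValue -Path $ntds -Name 'Database log files path'
    if ($dit)  { $exclusions += $dit }
    if ($logs) {
        foreach ($f in 'RES1.log', 'RES2.log', 'TEMP.edb', 'EDB.chk') {
            $exclusions += (Join-Path -Path $logs -ChildPath $f)
        }
    }

    # FRS working directory and FRS database log directory.
    $frs = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
    foreach ($name in 'Working Directory', 'DB Log File Directory') {
        $dir = Get-RegistryValue -Path $frs -Name $name
        if ($dir) { $exclusions += $dir }
    }

    # Each replica set (SYSVOL is one): its staging folder and the
    # DO_NOT_REMOVE_NtFrs_PreInstall_Directory under the replica root.
    $replicaSets = @(Get-ChildItem -Path "$frs\Replica Sets" -ErrorAction SilentlyContinue)
    foreach ($set in $replicaSets) {
        $stage = Get-RegistryValue -Path $set.PSPath -Name 'Replica Set Stage'
        $root  = Get-RegistryValue -Path $set.PSPath -Name 'Replica Set Root'
        if ($stage) { $exclusions += $stage }
        if ($root) {
            $exclusions += (Join-Path -Path $root -ChildPath 'DO_NOT_REMOVE_NtFrs_PreInstall_Directory')
        }
    }

    return $exclusions | Select-Object -Unique
}

# Print the list and flag any entry that does not exist on disk; a missing entry
# usually means the registry points at a moved or renamed directory and the
# antivirus exclusions configured from an older list no longer match.
foreach ($path in Get-DomainControllerAvExclusions) {
    $status = if (Test-Path -Path $path) { 'present' } else { 'MISSING' }
    "{0,-8} {1}" -f $status, $path
}
```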
The following tasks for managing domain controllers are described in this objective:
Preparing for Active Directory Installation
There are a number of requirements for installing Active Directory on a new domain
controller in an existing domain. This task addresses general requirements with respect
to Domain Name System (DNS) configuration, placement of the domain controller in a
site, and connectivity for the Active Directory Installation Wizard.
After you have gathered all the information that you need to run the Active Directory
Installation Wizard and you have performed the tests to verify that all the necessary
domain controllers are available, you are ready to install Active Directory on your server
and create an additional domain controller in the domain.
Preparation includes installing and configuring DNS and gathering information that you
need for the installation.
Configuring DNS
The DNS client is always present on a server running Windows Server 2003. A DNS
server must be present in the forest that stores DNS data for the server. You should
properly configure both the DNS client and the DNS server to ensure that name
resolution and related dependencies will function as expected during the installation of
Active Directory.
Ensure that any required configuration, forwarders, or zones are present and accessible
prior to installation. For more information about DNS configuration best practices, see
Designing the Active Directory Logical Structure on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=25466).
Site Placement
During installation, the Active Directory Installation Wizard attempts to place the new
domain controller in the appropriate site. The appropriate site is determined by the
domain controller’s IP address and subnet mask. The wizard uses the IP information to
calculate the subnet address of the domain controller and checks to see if a Subnet
object exists in the directory for that subnet address. If the Subnet object exists, the
wizard uses it to place the new Server object in the appropriate site. If not, the wizard
places the new Server object in the same site as the domain controller that is being used
as a source to replicate the directory database to the new domain controller. Make sure
the Subnet object has been created for the desired site prior to running the wizard.
1. If you specify a site in the Unattended text file that is used to create the new domain
controller, the domain controller will be placed directly into that site when it is built.
2. If no site is specified in the Unattended text file when the new domain controller is
built, then by default the domain controller will be placed in a site based on its IP
address.
3. If you specify a replica partner in the Unattended text file but do not specify a site, the
new domain controller should be placed in the replica partner's site.
4. If the replica partner or site is not specified, then the allocation of the site is random.
It will depend on the replica partner selected for initial replication.
Domain Connectivity
During the installation process, the Active Directory Installation Wizard needs to
communicate with other domain controllers to join the new domain controller to the
domain. The wizard needs to communicate with a member of the domain to receive the
initial copy of the directory database for the new domain controller. It communicates with
the domain naming master for domain installs only, so that the new domain controller can
be added to the domain. The wizard also needs to contact the relative ID (RID) master so
that the new domain controller can receive its RID pool, and it needs to communicate
with another domain controller in order to populate the SYSVOL shared folder on the new
domain controller. All of this communication depends on proper DNS installation and
configuration. By using Netdiag.exe and Dcdiag.exe, you can test all of these
connections prior to starting the Active Directory Installation Wizard.
Task requirements
During the installation process, the wizard needs to communicate with other domain
controllers to add this new domain controller to the domain and get the appropriate
information into the Active Directory database. To maintain security, you must provide
credentials that allow administrative access to the directory.
Before you begin your installation, the following conditions must exist in your
environment:
If you are installing a new domain controller in a child domain, there should be at
least two properly functioning domain controllers in the forest root domain.
DNS must be functioning properly. In this guide, it is assumed that you are using
Active Directory–integrated DNS zones. You must have configured at least one
domain controller as a DNS server.
The following information and tools are necessary to complete this task:
The Active Directory Installation Wizard asks for the following specific configuration
information before it begins installing Active Directory:
My Network Places
Adsiedit.msc
Netdiag.exe
Dcdiag.exe
3. Verify that an IP address maps to a subnet and determine the site association
Caution
If any verification test fails, do not continue until you determine what went wrong
and fix the problems. If these tests fail, the installation is also likely to fail.
Administrative Credentials
To perform this procedure, you must be a member of either the Domain Admins group or
the Enterprise Admins group.
3. In the Local Area Connection Properties dialog box, click once on Internet
Protocol (TCP/IP) to highlight it (be sure that you do not clear the check box in
front of it), and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, ensure that Use the
following IP address: is selected and that a valid IP address, subnet mask, and
default gateway appear. Click OK to close the dialog box. Click OK again to
return to your desktop.
5. In Control Panel, click Add or Remove Programs. Click Add/Remove
Windows Components.
7. In the Networking Services dialog box, select the check box in front of Domain
Name System (DNS). Click OK.
8. Click Next. Provide the location of the installation files, if necessary. After the
installation is complete, click Finish to end the wizard, and then click Close to
exit Add or Remove Programs.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
netdiag /test:dns
Note
For a more detailed response from this command, add /v to the end of
the command.
If DNS is functioning, the last line of the response is DNS Test…..: Passed. The
verbose option lists specific information about what was tested. This information
can help with troubleshooting if the test fails.
If the test fails, do not attempt any additional steps until you determine and fix the
problem that prevents proper DNS functionality.
To be associated with a site, the IP address of a domain controller must map to a Subnet
object that is defined in Active Directory. The site to which the subnet is associated is the
site of the domain controller.
The subnet address, which is computed from the IP network address and the subnet
mask, is the name of a Subnet object in Active Directory. When you know the subnet
address, you can locate the Subnet object and determine the site to which the subnet is
associated.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Users group.
5. Use the values in IP address and Subnet mask to calculate the subnet address
and then click OK.
8. Expand the Sites container, and then click the Subnets container.
9. In the Name column in the details pane, find the Subnet object that matches the
subnet address.
10. In the Site column, note the site to which the IP subnet address is associated.
If the site that appears in the Site box is not the appropriate site, contact a
supervisor and find out whether the IP address is incorrect or whether to move
the Server object to the site indicated by the subnet.
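The subnet-address calculation and Subnet object lookup described in this procedure, as an added Python example that is not from the guide. The Subnet objects and site names are constructed sample data standing in for the contents of the Subnets container, and the longest-prefix fallback (the rule the domain controller locator applies when no Subnet object has exactly the computed name) goes slightly beyond the exact match the steps above use.

```python
# Added example, not from the operations guide: turn an IP address and subnet
# mask into the Subnet object name the guide describes, then look the name up
# to find the associated site. SAMPLE_SUBNET_OBJECTS is constructed sample
# data standing in for the Subnet objects under
# CN=Subnets,CN=Sites,CN=Configuration,DC=ForestRootDomain.
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import Dict, Optional

# Subnet object name (network address/prefix length) -> siteObject attribute (a DN).
SAMPLE_SUBNET_OBJECTS: Dict[str, str] = {
    "10.0.0.0/8": "CN=Hub,CN=Sites,CN=Configuration,DC=contoso,DC=com",
    "10.1.2.0/24": "CN=Branch-Seattle,CN=Sites,CN=Configuration,DC=contoso,DC=com",
    "192.168.50.0/24": "CN=Branch-Denver,CN=Sites,CN=Configuration,DC=contoso,DC=com",
}


def subnet_address(ip: str, mask: str) -> str:
    """Compute the subnet address (IP address AND subnet mask) in the
    network/prefix form that names a Subnet object, e.g. '10.1.2.0/24'."""
    # strict=False masks the host bits off instead of raising an error.
    return str(ip_network(f"{ip}/{mask}", strict=False))


def site_cn(site_dn: str) -> str:
    """Return the site name (value of the first RDN) from a siteObject DN."""
    return site_dn.split(",", 1)[0].split("=", 1)[1]


def site_for_ip(ip: str, mask: str,
                subnet_objects: Dict[str, str] = SAMPLE_SUBNET_OBJECTS) -> Optional[str]:
    """Steps 9 and 10: find the Subnet object whose name matches the computed
    subnet address and return the site it is associated with. If no Subnet
    object has exactly that name, fall back to the most specific Subnet object
    that contains the address (the domain controller locator's rule); None
    means the address maps to no site at all."""
    exact = subnet_address(ip, mask)
    if exact in subnet_objects:
        return site_cn(subnet_objects[exact])
    addr = IPv4Address(ip)
    best: Optional[IPv4Network] = None
    best_site: Optional[str] = None
    for name, site_dn in subnet_objects.items():
        net = IPv4Network(name)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best, best_site = net, site_cn(site_dn)
    return best_site


def site_matches(ip: str, mask: str, expected_site: str) -> bool:
    """Verification check for a new domain controller: does its address land
    in the site the Server object is supposed to be in? A mismatch means either
    the IP address is wrong or the Server object must be moved (step 10)."""
    return site_for_ip(ip, mask) == expected_site


if __name__ == "__main__":
    print(subnet_address("10.1.2.37", "255.255.255.0"), "->",
          site_for_ip("10.1.2.37", "255.255.255.0"))
```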
Administrative Credentials
To perform this procedure, you must be a member of the Domain Users group in Active
Directory.
netdiag /test:dsgetdc
Note
For a more detailed response from this command, add /v to the end of
the command.
If domain controllers are successfully located, the last line of the response is DC
discovery test……..: Passed. The verbose option lists the specific domain
controllers that are located.
If the test fails, do not attempt any additional steps until you determine and fix the
problem that prevents communication with other domain controllers.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Users group in Active
Directory.
Note
You can use these tests prior to installing Active Directory as well as afterward.
To perform the test prior to installing Active Directory, you must use the /s option
to indicate the name of a domain controller to use. You do not need the /s option
to perform the test after installing Active Directory. The test automatically runs on
the local domain controller where you are performing the test. The commands
listed in this procedure show the /s option. If you are performing this test after
installing Active Directory, omit the /s option. For a more detailed response from
this command, you can use the verbose option by adding /v to the end of the
command to see the detailed response.
2. Type the following command to ensure that the operations masters can be
located and then press ENTER:
3. Type the following command to ensure that the operations masters are
functioning properly and are available on the network:
Task Requirements
The following tool is required to perform the procedure for this task:
Dcpromo.exe
You can also install Active Directory from installation media or by performing an
unattended installation. For information about completing each of these tasks, see the
following:
Installing a Domain Controller in an Existing Domain Using Restored Backup Media
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group.
2. The Active Directory Installation Wizard appears. At the Welcome screen, click
Next.
4. For Network Credentials, enter the user name, password, and domain for the
user account that has permission to add this new domain controller to the
domain. Click Next.
5. Enter the name of the domain that you want the new domain controller to host.
Click Next.
6. For Database and Log Locations, enter the paths for the locations of the
directory database (Ntds.dit) and the log files. For better performance, store the
database and log files on separate physical disk drives. Click Next.
7. For Shared System Volume, enter the path where you want to locate the system
volume (SYSVOL). Click Next.
9. The Summary screen displays a list of the items you chose. Verify that the
information is correct, and then click Next to proceed with the installation.
10. The wizard proceeds to install Active Directory. When it finishes, the wizard
displays a summary screen listing the domain and site in which the new domain
controller is a member. Verify that this information is correct. Click Finish to close
the wizard.
12. Let the domain controller restart. If any message indicates that one or more
services has failed to start, restart the domain controller one more time. If the
initial replication cycles have not had enough time to complete during the first
restart on a new domain controller, some services may be unable to start
successfully. If the message appears during additional restarts, examine the
event logs in Event Viewer to determine the cause of the problem.
The procedures in this task are particularly useful for installing domain controllers in
remote sites. By using these procedures, you can avoid having to either replicate the
entire Active Directory replica over a wide area network (WAN) link or disconnect an
existing domain controller while it is being shipped to the remote site. If you are installing
additional domain controllers in remote sites and you want to minimize the
Active Directory and SYSVOL replication that is required during the installation from
backup media, use the information in this topic in conjunction with the information in
Adding Domain Controllers in Remote Sites.
When the domain controller that you are installing will be a Domain Name System (DNS)
server and you are using Active Directory–integrated DNS zones, the DomainDNSZones
and ForestDNSZones application directory partitions are not included in the restored
backup media by default. If you want to include application directory partitions in the
restored backup media that is used to install Active Directory, additional procedures are
required to complete the installation task. Follow the instructions for including application
directory partitions in the installation media.
Task requirements
To begin the task to install a domain controller from restored backup media without
application directory partitions, ensure that the following requirements are met:
The restored system state backup that is used to create additional domain controllers
must be taken from a domain controller in the same domain as the new additional
domain controller.
The restored system state backup that is used to create additional domain controllers
must be taken on a domain controller that matches the processor type of the new
domain controller. System state backups that are taken on a domain controller that
has a 32-bit processor cannot be used to install a domain controller that has a 64-bit
processor. The reverse is also true.
During Active Directory installation, Dcpromo checks that the value of the tombstone
lifetime in the restored system state backup matches the value on an existing domain
controller. If you plan to change the value of the tombstone lifetime, change this value
before you create the backup.
If the domain controller that you are creating is to be a global catalog server, the
system state backup that you restore must be taken from an existing global catalog
server in the domain.
On servers that are running Windows Server 2003 with SP1, you can use restored
backup media to install a domain controller that is a DNS server (stores the
DomainDNSZones and ForestDNSZones application directory partitions) or that stores
other application directory partitions. In addition to the previous requirements, to begin
the task to install a domain controller from restored backup media that includes
application directory partitions, ensure that the following requirements are met:
The forest functional level has been raised to Windows Server 2003.
The domain controller on which you created the system state backup is running
Windows Server 2003 with SP1.
The domain controller on which you created the system state backup contains the
application directory partitions that you want to include.
The server computer that you are installing is running Windows Server 2003 with
SP1.
You have created an answer file that contains the distinguished names (or * for all
names) of the application directory partitions that you want to include.
The following tools are required to perform the procedures for this task:
Ntbackup.exe
Dcpromo.exe
Ref.chm or Unattend.txt file, or both, for installations that include application directory
partitions.
To complete this task, perform the procedures for the following methods:
2. As an option, before you restore the backup, copy the .bkf file to a CD, DVD, or other
removable media from which you will subsequently restore the backup to an alternate
location on the local hard drive of the server on which Active Directory is being
installed. You can use this media to restore the same backup to any number of
servers that will be installed as domain controllers. With this method, you restore the
backup for each domain controller that you install. Compare this method to method
3.2, in which you restore the backup only once and copy the restored files to the
removable media.
Select the location for the system state backup that you will use to install a new
domain controller. Use one of the following locations for restoring the system state
backup:
Restore the .bkf file to a volume on the server that will be installed as a domain
controller. We recommend restoring to a folder named \NTDSRESTORE on the
volume that will host the Ntds.dit file when Dcpromo is run, if space permits.
Otherwise, restore to a folder named \NTDSRESTORE on a volume that has
sufficient free space. For additional criteria regarding the volume on which you
restore the backup, see Adding Domain Controllers in Remote Sites.
Restore the .bkf file to the local hard drive of any computer, and then burn the
expanded restore tree to a CD, DVD, or other removable storage media. Install
Active Directory directly from this media. You can use this media to directly install
any number of domain controllers. With this method, you restore the backup only
once.
Install the domain controller from the system state backup that you restored in step 3
by using one of the following methods:
Install Active Directory from restored backup media to create a new domain
controller that does not include application directory partitions.
See Also
Adding Domain Controllers in Remote Sites
Use these procedures to back up the system state only. These procedures do not back
up the system disk or any other data on the domain controller except for the system-
protected files.
Use the first procedure, "To back up system state including system-protected files," for
routine system state backup. Use the second procedure, "To back up system state
excluding system-protected files," if you want to create a smaller backup that is effective
for installing domain controllers from restored backup media.
Note
To back up system state, you must log on locally to the domain controller, or
Remote Desktop must be enabled on the remote domain controller so that you
can connect remotely.
Administrative credentials
To perform the following two procedures, you must be a member of the Domain
Admins group or a member of the Backup Operators group.
This procedure provides steps for backing up in Wizard Mode. By default, the
Always Start in Wizard Mode check box is selected in the Backup or Restore
Wizard. If the Welcome to the Backup Utility Advanced Mode page appears,
click Wizard Mode to open the Backup or Restore Wizard.
4. Select Let me choose what to back up, and then click Next.
6. In the expanded list below My Computer, check System State, and then click
Next.
If you are backing up to a file, type the path and file name for the backup
(.bkf) file (or click Browse to find a folder or file).
If you are backing up to a tape unit, choose the tape that you want to use.
Note
You should not store the backup on the local hard drive. Instead,
store it in a location, such as a tape drive, away from the computer
that you are backing up.
10. Do not change the default options for Type of Backup. Normal should be
selected, and the check box for Backup migrated remote storage data should
remain cleared. Click Next.
11. Select Verify data after backup, and then click Next.
12. In the Backup Options dialog box, select a backup option, and then click Next.
13. If you are replacing the existing backups, select the option to allow only the
owner and administrator access to the backup data and to any backups that are
appended to this medium, and then click Next.
14. In the When to back up box, select the appropriate option for your needs, and
then click Next.
15. If you are satisfied with all of the options that are selected, click Finish to perform
the backup operation according to your selected schedule.
Note
The system state can also be backed up by using Ntbackup from a
command line with appropriate parameters. For more information, at a
command prompt type ntbackup /?.
The following procedure produces a smaller .bkf file that does not include system boot
files. By using this procedure, you can reduce the time that is required to perform the
backup and subsequent restore, as well as the amount of disk space that is required.
This method is recommended when the restored backup is to be used for installing
additional domain controllers.
4. In Backup media or file name, type a name for this backup according to the
recommendations in Backing Up Active Directory Components.
6. Clear the Automatically back up System Protected Files with the System
State check box, and then click OK.
You can restore the system state backup to an alternate location on the domain controller
from which the backup was made, a location on another computer, or a location on the
computer that you want to install as a domain controller.
Administrative credentials
To perform this procedure, you must be a member of the Backup Operators group, as
follows:
Restore system state on a domain controller: Backup Operators group in the domain
2. Click Start, click Run, type ntbackup, and then click OK.
5. On the What to Restore page, click Browse, and then, in the Open Backup
File dialog box, click Browse again.
6. Navigate to the .bkf file that you want to restore to an alternate location. The .bkf
file can be located in a folder on the current computer, in a shared folder on the
backup computer or other network computer, or on an external drive that
contains removable media.
7. In the Select file for catalog dialog box, click the .bkf file that you want to
restore, and then click Open.
9. In Items to restore, double-click File, and then double-click the .bkf file that you
want to restore.
10. Below the .bkf file that you want to restore, select the System State check box,
and then click Next. (You do not need to restore the system disk to an alternate
location.)
11. On the Completing the Backup or Restore Wizard page, click Advanced.
14. On the How to Restore page, accept the default selection Leave existing files
(Recommended), and then click Next.
15. On the Advanced Restore Options page, accept the default selections Restore
security settings and Preserve existing volume mount points, and then click
Next.
16. On the Completing the Backup or Restore Wizard page, click Finish.
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group in the
domain into which you are installing the additional domain controller.
To install Active Directory from restored backup media
1. Click Start, click Run, type dcpromo /adv, and then press ENTER.
3. Select From these restored backup files, and point to the same location where
you restored the system state data.
4. If the domain controller whose system state backup you are using is a global
catalog server, the Active Directory Installation Wizard asks you whether you
want this server to also be a global catalog server.
6. Enter the domain of the new domain controller. This domain must be the domain
of the domain controller whose system state backup you are using.
Dcpromo.exe will install Active Directory using the data present in the restored
files, which eliminates the need to replicate every object from a partner domain
controller. However, objects that were modified, added, or deleted since the
backup was taken must be replicated. If the backup was recent, the amount of
replication required will be considerably less than that required for a regular
Active Directory installation.
See Also
Restore system state to an alternate location
To perform this procedure, you must be a member of the Domain Admins group in the
domain into which you are installing the additional domain controller.
2. To include application directory partitions that are contained in the system state
backup, add the following entry to the end of the answer file:
ApplicationPartitionsToReplicate=
If you want to include all application directory partitions, use the value *.
ApplicationPartitionsToReplicate="dc=app1,dc=contoso,dc=com dc=app2,dc=contoso,dc=com"
4. In the entry ReplicationSourcePath=, type the path to the folder that contains
the restored system state backup files on the installation computer.
5. If you do not want Dcpromo to prompt the user for passwords, type the password
in the Password= entry for the account that you will use to install the domain
controller, type the password in the SafeModeAdminPassword= entry that you
will use to provide access to Directory Services Restore Mode, and then save the
answer file.
Note
Passwords are automatically deleted from the answer file when Dcpromo
runs.
6. Open a command prompt, and then change directories to the location of the
answer file.
7. At the command prompt, type the following command, and then press ENTER:
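For steps 2 through 5 of this procedure, an added Python example that is not from the guide: it builds the answer file with the entries named above and blanks the password entries afterwards, which is what the guide says Dcpromo does once it runs. ReplicationSourcePath, ApplicationPartitionsToReplicate, Password and SafeModeAdminPassword are the entries from the steps; the other [DCInstall] keys are assumed from the standard answer-file format, and all values are constructed sample input.

```python
# Added example, not from the operations guide: build the answer file for an
# installation from restored backup media that includes application directory
# partitions, and scrub the password entries afterwards (the guide states that
# Dcpromo deletes them when it runs). ReplicationSourcePath,
# ApplicationPartitionsToReplicate, Password and SafeModeAdminPassword are the
# entries named in the steps above; the other [DCInstall] keys used here are
# assumed from the standard answer-file format, not taken from the page.
import re
from typing import Iterable, List

# An application directory partition DN: dc=...,dc=...(,dc=...)*
PARTITION_DN_RE = re.compile(r"^dc=[^,=]+(,dc=[^,=]+)+$", re.IGNORECASE)
SECRET_KEYS = ("Password", "SafeModeAdminPassword")


def valid_partition_list(partitions: Iterable[str]) -> bool:
    """True for '*' (all partitions) or a non-empty list of partition DNs."""
    parts = [p.strip() for p in partitions]
    return parts == ["*"] or (bool(parts) and
                               all(PARTITION_DN_RE.match(p) for p in parts))


def format_partitions(partitions: Iterable[str]) -> str:
    """Value for ApplicationPartitionsToReplicate: * or a quoted,
    space-separated list of distinguished names."""
    parts = [p.strip() for p in partitions]
    if not valid_partition_list(parts):
        raise ValueError(f"not application partition DNs: {parts}")
    return "*" if parts == ["*"] else '"' + " ".join(parts) + '"'


def build_answer_file(domain: str, source_path: str, partitions: Iterable[str],
                      user: str, user_domain: str,
                      password: str, dsrm_password: str) -> str:
    """Return [DCInstall] answer-file text with CRLF line endings."""
    lines = [
        "[DCInstall]",
        "ReplicaOrNewDomain=Replica",                 # assumed standard key
        f"ReplicaDomainDNSName={domain}",             # assumed standard key
        f"ReplicationSourcePath={source_path}",       # step 4
        f"ApplicationPartitionsToReplicate={format_partitions(partitions)}",  # step 2
        f"UserName={user}",                           # assumed standard key
        f"UserDomain={user_domain}",                  # assumed standard key
        f"Password={password}",                       # step 5
        f"SafeModeAdminPassword={dsrm_password}",     # step 5
    ]
    return "\r\n".join(lines) + "\r\n"


def scrub_passwords(text: str) -> str:
    """Blank the password entries, as Dcpromo does after it runs. Worth doing
    yourself on any copy of the file that Dcpromo never processed."""
    out: List[str] = []
    for line in text.splitlines():
        key = line.split("=", 1)[0].strip()
        out.append(f"{key}=" if key in SECRET_KEYS else line)
    return "\r\n".join(out) + "\r\n"


def contains_secrets(text: str) -> bool:
    """True if any password entry still carries a value."""
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() in SECRET_KEYS and value.strip():
            return True
    return False


# Constructed sample: the two partition DNs the guide uses as its example.
SAMPLE_ANSWER_FILE = build_answer_file(
    "contoso.com", r"C:\NTDSRESTORE",
    ["dc=app1,dc=contoso,dc=com", "dc=app2,dc=contoso,dc=com"],
    "dcinstaller", "contoso.com", "Pw-sample-1", "Dsrm-sample-1")

if __name__ == "__main__":
    print(scrub_passwords(SAMPLE_ANSWER_FILE))
```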
Ship the computer as a workgroup computer, and install Active Directory in the
remote site. Enable Remote Desktop on the computer before you ship it so that you
can perform the installation remotely. In the remote site, you can either:
Install Active Directory from restored backup media that has been shipped to the
site on removable media or that has been restored to a location on the server
itself before shipping.
Install Active Directory on the server in a hub or staging site, and ship the installed
domain controller to the remote site.
Both methods have advantages and disadvantages, and both methods require care to
ensure the secure transfer of Active Directory data, whether it is installed or in the form of
backup files that are stored on the server or on removable media.
For information about how best to manage adding domain controllers to remote sites for
the method you are using, see Best Practices for Adding Domain Controllers in Remote
Sites.
By following the guidelines in this guide, you can decide the best method for your
environment of adding domain controllers in remote sites. By following the instructions in
this guide, you can safely and securely install domain controllers in remote sites, either
locally or remotely.
The following tasks for adding domain controllers in remote sites are described in this
objective:
Preparing a Server Computer for Shipping and Installation from Backup Media
Ship the member computer to the remote site, and then install Active Directory by
using the dcpromo /adv option, which uses restored system state backup media as
the source for the Active Directory installation in the remote site.
Install Active Directory in the hub site by using the normal Dcpromo method, and then
ship the installed domain controller to the remote site.
You can use the information in this section to determine the method for adding domain
controllers in remote sites that is best for your environment. SYSVOL replication issues
potentially affect both methods, and each method has advantages and disadvantages
that are discussed in this section.
Important
Do not attempt to perform actions based only on the recommendations that are
discussed in this topic. Step-by-step guidance is provided in the task-based
topics for all actions that are recommended in this topic. Follow the See Also
links to the related task-based topics.
SYSVOL Replication
SYSVOL is a shared folder that stores files that must be available and synchronized
among all domain controllers in a domain. SYSVOL contains the NETLOGON share,
Group Policy settings, and File Replication service (FRS) staging directories and files.
The SYSVOL share is required for Active Directory to function properly.
The primary focus for both methods of installing additional domain controllers in remote
sites is to avoid the replication of Active Directory over a wide area network (WAN)
between the remote site and the hub site. Each method accomplishes this goal. However,
depending on the size of your SYSVOL, you might also be concerned about replication of
SYSVOL files over the network. Unless you follow specific instructions, the SYSVOL tree
might be created on the new domain controller through replication of the entire tree from
an existing domain controller in the domain. Regardless of which method you use to add
domain controllers to remote sites, you might want to take additional steps to manage
SYSVOL creation on the new domain controller to avoid replicating the full SYSVOL from
another domain controller in the domain.
When you install a domain controller from backup media, preliminary steps are required
to ensure that SYSVOL is created from the local copy of the restored backup media.
Similarly, preliminary steps are required to avoid full SYSVOL synchronization when you
ship an installed domain controller and restart it in the remote site. These requirements
are discussed for each method respectively in the following topics:
Preparing a Server Computer for Shipping and Installation from Backup Media
2. Restore the backup to an alternate location. You can restore the backup directly to
the computer that you want to install as a domain controller, or you can transfer it to
removable media.
3. Run Dcpromo with the /adv option and indicate the restored backup as the source for
the Active Directory installation.
This method of installing domain controllers in remote sites has several advantages. One
of the primary advantages of this method is that it substantially reduces the network
bandwidth requirement compared to network-based installations. This method also has a
few issues that mostly affect deployments that have a large number of remote sites. If
you deploy more than 100 remote sites, additional considerations might be necessary.
For information about large branch office deployments, see the Windows Server 2003
Active Directory Branch Office Guide on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=42506).
You can install many domain controllers from a single source of removable backup
media. Although you can restore backup media directly to an alternate location on the
server computer that you are going to install as a domain controller, you can also use
that media as the source for any number of domain controllers by either copying or
restoring the system state backup to removable media. For more information about
the effects of copying — as opposed to restoring — a system state backup to
removable media, see Preparing a Server Computer for Shipping and Installation
from Backup Media.
You do not have to disconnect the domain controller from the replication topology.
Therefore, you can avoid the disadvantages that are associated with a domain
controller that does not replicate. For information about the problems that are
associated with domain controller disconnection, see Issues with Installing Domain
Controllers Before Shipping Them to the Remote Site.
You avoid replicating the entire Active Directory over a WAN link, particularly a link
that requires a dial-up connection.
If you enable Remote Desktop on the server before you ship it, you do not have to
employ an administrator with Domain Admins credentials in the remote site.
Time to restore the system state backup. The installation media is prepared by
restoring a system state backup to an alternate location. Therefore, preparing the
media requires taking the backup itself and restoring the backup. These tasks add
time to the installation of a single domain controller. However, if you take advantage
of the ability to transfer the restored backup files to removable media, you perform
the preliminary backup and restore processes only once to install any number of
domain controllers. In addition, you can follow instructions to prepare a smaller
backup file to further decrease the time that is required for restoring and copying
backup media. The volume on which you restore the backup on the target server also
affects the speed of the installation. Moving the Ntds.dit file is faster than copying it. If
you restore the media to the same location that will be used to host the Active
Directory database, the Ntds.dit file will be moved (as opposed to being copied) into
the new location, eliminating the additional time required to copy the file. For more
information about the criteria that affect how long installation from backup media
takes, see Preparing a Server Computer for Shipping and Installation from Backup
Media.
Backup source for application directory partitions. When DNS zone data is
stored in application directory partitions, the replication impact can be significant if
application directory partitions must be replicated over the corporate network. System
state data that you restore from backup to an alternate location does not include
application directory partitions if the backup is performed on servers running
Windows Server 2003 with no service pack installed.
Including application directory partitions in the backup media has the following
requirements:
The domain controller that you back up and the computer that you intend to
install as a domain controller must both be running Windows Server 2003 with
Service Pack 1 (SP1).
The forest functional level must be set to Windows Server 2003 because linked-
value replication is required to ensure that cross-references are correctly updated
for the application directory partition replica set.
You must use an answer file to install Active Directory because the Dcpromo user
interface (UI) does not provide an option for specifying application directory
partitions. Use the answer file to provide the distinguished names of the
application directory partitions that you want to include in the installation.
For more information about how to include application directory partitions and create
a DNS server, see Preparing a Server Computer for Shipping and Installation from
Backup Media.
Bridgehead server load balancing. If backup media are sent to many sites and if
enough domain controllers are promoted at the same time, you might experience
performance issues with the bridgehead servers that are the source for
Active Directory and FRS replication.
Note
These issues are of concern only in situations in which hundreds of domain
controllers might be promoted at the same time and their need for
bridgehead server resources is very high. If you are deploying hundreds of
domain controllers in branch sites, see the Windows Server 2003
Active Directory Branch Office Guide on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=42506).
FRS replication. Because FRS on the source computer uses CPU, memory, and
disk resources, the FRS recommendation is to perform a staged update on no
more than 10 branch office domain controllers at a time per source hub domain
controller. If a single domain controller functions as the source for SYSVOL
replication to more than 10 destination domain controllers, performance on the
source domain controller can decrease significantly. To balance source domain
controllers, you can use an answer file with Dcpromo to specify the source
domain controller.
Branch site personnel. The requirement for personnel with Domain Admins
credentials is contained within the hub site; that is, intervention by personnel with
Domain Admins credentials is not required at the branch site.
Protection of existing accounts and metadata. You must ensure that computer
accounts and metadata for the domain controller are not deleted or improperly
modified while the domain controller is disconnected.
Risk of lingering objects. A lingering object is an object that remains on a
disconnected domain controller after the object has been permanently deleted from
Active Directory on all connected domain controllers. Deletion updates are replicated
as tombstone objects. These objects have a limited lifetime in Active Directory, which
is defined by the tombstone lifetime. After a tombstone is permanently removed from
Active Directory, replication of the deletion it represented is no longer possible.
Therefore, if you restart a domain controller on which such an object remains,
replication does not recognize that object as a deleted object, and it remains in
Active Directory on only the reconnected domain controller and nowhere else. If you
plan to disconnect a domain controller for longer than the period of time that a
domain controller keeps track of object deletions (the tombstone lifetime), you must
take additional steps to ensure directory consistency. For more information about
lingering objects and their causes and effects, see Fixing Replication Lingering
Object Problems (Event IDs 1388, 1988, 2042).
For procedures to ensure that all of these issues are addressed, see the following topics:
Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection
The tombstone lifetime value that is in effect when a domain controller is upgraded to
Windows Server 2003 SP1 is not changed by the installation of Windows Server 2003
SP1. The existing value is maintained until you change it manually. You can determine
the value of the tombstoneLifetime attribute by viewing the properties of CN=Directory
Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ForestRootDomain in
ADSI Edit (adsiedit.msc), which is available in Windows Support Tools. A value in
tombstoneLifetime of <Not Set> always indicates that the Windows Server 2003 default
value of 60 is in effect. If you create a new forest on a domain controller running
Windows Server 2003 with SP1, the default tombstoneLifetime value of 180 is
displayed in the UI.
When the number of days in the tombstone lifetime has passed, the tombstone is
permanently removed. Because a domain controller that is disconnected for a period that
is longer than the tombstone lifetime cannot receive deletions that occurred before the
beginning of the tombstone lifetime, a backup that is older than the tombstone lifetime
cannot be used to restore Active Directory.
When conditions beyond your control cause a domain controller to be disconnected for a
period that is longer than the tombstone lifetime, one or more objects that have been
deleted from the rest of the directory while the domain controller was offline might remain
on the disconnected domain controller.
If planned domain controller disconnections are consistently lasting longer than the
number of days in the tombstone lifetime, consider extending the tombstone lifetime for
the forest prior to disconnecting any domain controllers.
For more information about the causes and effects of lingering objects, see Fixing
Replication Lingering Object Problems (Event IDs 1388, 1988, 2042).
Protection Against Lingering Object Replication
Domain controllers that have not performed inbound replication for longer than the
tombstone lifetime are vulnerable to retaining lingering objects. If a
domain controller that has one or more lingering objects is reconnected to the replication
topology and a lingering object is subsequently updated on that domain controller, the
object might be recreated in Active Directory, depending on how the strict replication
consistency registry setting is configured.
A lingering object is made known to the replication system only if it is updated on the
domain controller that stores it. In this case, the source domain controller attempts
replication of an update to an object that the destination does not store. On destination
domain controllers running Windows 2000 Server with Service Pack 3 (SP3) or Service
Pack 4 (SP4) and Windows Server 2003, the strict replication consistency registry
entry (type REG_DWORD) in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
determines whether replication is allowed to proceed if the domain controller receives a
request for an update to an object that it does not have.
The value in the strict replication consistency registry entry determines whether
replication proceeds or is stopped, as follows:
1 (enabled): Inbound replication of the specified directory partition from the source is
stopped on the destination. Replication of the directory partition is halted on both the
source and destination domain controllers.
0 (disabled): The destination requests the full object from the source domain
controller and the destination domain controller reanimates a full copy of an object it
has previously deleted and permanently removed through garbage collection.
For more information about how to manage the strict replication consistency setting,
including its effects and its default values, see Fixing Replication Lingering Object
Problems (Event IDs 1388, 1988, 2042).
See Also
Preparing a Server Computer for Shipping and Installation from Backup Media
Important
Do not attempt to perform actions based only on the recommendations that are
discussed in this topic. Step-by-step guidance is provided in the task-based
topics for all actions that are recommended in this topic. Follow the See Also
links to the related task-based topics.
To use restored backup files for installation of one or more additional domain controllers
in a domain, you can either:
Copy ("burn") either the unrestored .bkf file or the restored backup files onto
removable media, such as a portable disk drive, CD, or DVD, which can be shipped
with the workgroup computer when it leaves the staging site or shipped separately.
Restore system state backup to the local hard drive of the workgroup computer
before it leaves the staging site.
For information about the advantages and disadvantages of these methods, see
Preparing a Server Computer for Shipping and Installation from Backup Media.
The Dcpromo /adv option in Windows Server 2003 to install a domain controller from
backup media eliminates the Windows 2000 Server requirement to either promote the
domain controller before shipping it to the remote site or promote the domain controller in
the remote site by replicating the entire directory over a wide area network (WAN)
connection when another domain controller for the domain is not present in the site.
The following best practices are recommended to optimize data security and consistency
when you add domain controllers in remote sites:
Upgrade to Windows Server 2003 with Service Pack 1 (SP1). If you use
Active Directory-integrated DNS or if you want other application directory partitions to
be included in the domain controller replica, upgrade the server computer to
Windows Server 2003 with SP1 before Active Directory installation. When you use
restored backup media to install a computer running Windows Server 2003 with no
service pack installed, the replica installation does not include application directory
partitions. In the case of DNS application directory partitions, the impact of replicating
these directory partitions over the WAN might be significant. When you use restored
backup media to install a computer running Windows Server 2003 with SP1, you can
use an answer file to include application directory partitions in the replica that you
install.
Back up the type of domain controller that you want to add. You must back up
the type of domain controller that you want to add. If you want to add a global catalog
server in the remote site, back up a global catalog server in the domain. If you want
to add a DNS server, back up a DNS server in the domain.
Take the same security precautions for shipment of removable backup media
or a server computer that contains a restored backup as you would take for
shipping an installed domain controller. For information about securing domain
controllers, see Best Practice Guide for Securing Windows Server Active Directory
Installations on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=28521).
Minimize the time between the backup and installation. Minimizing this delay
reduces the number of updates that will be required to replicate after installation.
Install the operating system before shipping the server to the remote site.
Installing the operating system requires expertise that might not be available at
branch sites. Ideally, installation routines are available in the staging site to automate
the operating system installation process and ensure uniformity for all domain
controllers (partition sizes, drive letter assignments, and so on). As part of the
operating system installation, apply a standardized set of hotfixes plus any available
service packs to ensure service consistency throughout the forest.
Ship computers with properly configured Internet Protocol (IP), subnet mask,
and default gateway addresses. Remember to reconfigure the server with TCP/IP
settings that are appropriate to the target site, not the staging site. Specifically, the
domain controller must not point to itself for DNS.
Enable Remote Desktop on the server computer before shipping. This best
practice assumes that you need to be able to install and manage Active Directory
remotely rather than employing an administrator with Domain Admins credentials in
each remote site.
The following best practices reduce the possibility of Active Directory consistency
problems due to lingering objects remaining on domain controllers that are disconnected
for long periods of time. Take the following precautions to avoid directory consistency
problems when you disconnect an existing domain controller and to ensure that if
inadvertent long disconnections occur, lingering objects cannot be replicated.
Upgrade all Windows 2000 Server domain controllers to Windows Server 2003.
This process requires upgrading the forest schema by using the adprep /forestprep
command. Thereafter, you can begin upgrading domain controllers to
Windows Server 2003. The Windows Server 2003 schema update adds 25 indexed
attributes to the schema directory partition. An update of this size can cause
replication delays in a large database. For this reason, domain controllers that are
running Windows 2000 Server must be running — at a minimum — Windows 2000
Service Pack 2 (SP2) plus all additional Windows updates. However, it is highly
recommended that you install Windows 2000 Service Pack 3 (SP3) on all domain
controllers before preparing your infrastructure for upgrade to the Windows
Server 2003 operating system. For information about upgrading to
Windows Server 2003, see "Upgrading from Windows 2000 Domains to
Windows Server 2003 Domains" in the Windows Server 2003 Deployment Guide on
the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=46082).
Determine the value of the tombstone lifetime for the forest. This value is
stored in the tombstoneLifetime attribute of
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ForestRootDomain.
Determine the maximum length of time that the domain controller can be
safely disconnected. From the tombstone lifetime number of days, subtract a
generous estimate of the number of days that are required for end-to-end
replication latency. The resulting amount of time is the maximum period for which
the domain controller can safely be disconnected.
Determine whether to extend the tombstone lifetime for the forest. If you
estimate the maximum time of disconnection to be longer than the tombstone
lifetime, you must determine whether to extend the tombstone lifetime or perform
the procedure to remove lingering objects from the domain controller after it is
reconnected. If you extend the tombstone lifetime, you must also make sure that
all domain controllers have adequate disk space to store additional tombstones.
In addition, make sure that replication of the tombstone lifetime change has
reached all potential source domain controllers before you run Dcpromo to install
an additional domain controller.
Prepare the registry for automatic nonauthoritative restart of SYSVOL when the
domain controller restarts. SYSVOL cannot be updated manually before
disconnection. By editing a registry setting, you can ensure that SYSVOL is updated
as soon as the domain controller is restarted.
Ensure that the domain controller replicates successfully with all replication
partners. Immediately before you disconnect the domain controller, force replication
with its partners. Check that replication has succeeded before you disconnect the
domain controller.
Label the domain controller. When you disconnect the domain controller, attach a
label to the computer that identifies the date and time of disconnection, the
destination, and the IP settings.
Note
This recommendation applies to additional domain controllers in an existing
domain. If the outdated domain controller is the only domain controller in the
domain, the recommendation is to reconnect the domain controller and follow
the instructions to remove lingering objects in article 314282, "Lingering
objects may remain after you bring an out-of-date global catalog server back
online," in the Microsoft Knowledge Base on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=37924).
To avoid time skew issues, ensure that the system clock is synchronized with
the domain source on startup. When you start the domain controller in the remote
site, use the following command to set the hardware clock:
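The rules in "Protection Against Lingering Object Replication" and in the tombstone-lifetime planning steps above can be turned into a small decision aid. The following Python script is an added example, not code from the Microsoft guide: it assumes the tombstoneLifetime value has already been read from ADSI Edit (None standing for <Not Set>) and that the registry value name on the destination is Strict Replication Consistency; the sample dates and latency estimate in the main block are constructed.

```python
"""Planning helper for a long-term domain controller disconnection.

Added example; it is not code from the Microsoft operations guide. It encodes
the rules the guide states: a tombstoneLifetime of <Not Set> (None here) means
the Windows Server 2003 default of 60 days; the safe disconnection period is the
tombstone lifetime minus a generous estimate of end-to-end replication latency;
and the Strict Replication Consistency registry value decides whether an update
to a lingering object halts replication (1) or reanimates the object (0).
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

DEFAULT_TOMBSTONE_LIFETIME_DAYS = 60    # in effect when tombstoneLifetime is <Not Set>
SP1_NEW_FOREST_TOMBSTONE_DAYS = 180     # default shown for a forest created on SP1


def effective_tombstone_lifetime(raw_value: Optional[int]) -> int:
    """Value actually in effect for the forest.

    ADSI Edit shows <Not Set> when the attribute was never written; the guide
    states that this always means the 60-day default, regardless of service pack.
    """
    if raw_value is None:
        return DEFAULT_TOMBSTONE_LIFETIME_DAYS
    if raw_value <= 0:
        raise ValueError("tombstoneLifetime must be a positive number of days")
    return raw_value


def max_safe_disconnection_days(tombstone_lifetime_days: int,
                                replication_latency_days: int) -> int:
    """Tombstone lifetime minus the estimated end-to-end replication latency."""
    if replication_latency_days < 0:
        raise ValueError("replication latency cannot be negative")
    return max(0, tombstone_lifetime_days - replication_latency_days)


def may_hold_lingering_objects(last_inbound_success: str, today: str,
                               tombstone_lifetime_days: int) -> bool:
    """True when the DC has not replicated inbound within the tombstone lifetime,
    which is the condition under which it may retain lingering objects.
    Dates are ISO strings (YYYY-MM-DD)."""
    elapsed = date.fromisoformat(today) - date.fromisoformat(last_inbound_success)
    return elapsed.days > tombstone_lifetime_days


@dataclass
class DisconnectionPlan:
    tombstone_lifetime_days: int
    max_safe_days: int
    planned_days: int
    within_safe_window: bool
    recommendation: str


def plan_disconnection(raw_tombstone_lifetime: Optional[int],
                       replication_latency_days: int,
                       planned_days: int) -> DisconnectionPlan:
    """Check a planned disconnection against the safe window and say what to do."""
    tsl = effective_tombstone_lifetime(raw_tombstone_lifetime)
    safe = max_safe_disconnection_days(tsl, replication_latency_days)
    ok = planned_days <= safe
    if ok:
        rec = ("Within the safe window: force replication with all partners, verify "
               "that it succeeded, then disconnect and label the computer.")
    else:
        rec = ("Exceeds the safe window: extend tombstoneLifetime for the forest "
               "(checking disk space on all DCs and waiting for the change to replicate) "
               "or plan to remove lingering objects after reconnection.")
    return DisconnectionPlan(tsl, safe, planned_days, ok, rec)


def lingering_update_outcome(strict_replication_consistency: int) -> str:
    """Destination behaviour when a source replicates an update to an object the
    destination has already deleted and garbage-collected."""
    if strict_replication_consistency == 1:
        return "halted"       # inbound replication of that partition stops
    if strict_replication_consistency == 0:
        return "reanimated"   # destination requests the full object and recreates it
    raise ValueError("Strict Replication Consistency is a REG_DWORD of 0 or 1")


if __name__ == "__main__":
    # Constructed sample: tombstoneLifetime <Not Set>, 7-day latency estimate, 45-day trip.
    plan = plan_disconnection(None, replication_latency_days=7, planned_days=45)
    print(plan.max_safe_days, plan.within_safe_window)
    print(plan.recommendation)
    print(may_hold_lingering_objects("2005-01-01", "2005-04-01",
                                     plan.tombstone_lifetime_days))
```

The latency estimate should be generous, as the guide says: the safe window shrinks by the full estimate, so an optimistic figure leaves the domain controller exposed to exactly the lingering-object problem the planning step exists to prevent.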
See Also
Known Issues for Adding Domain Controllers in Remote Sites
Preparing a Server Computer for Shipping and Installation from Backup Media
When you want to ship the server to a remote site and install Active Directory by restoring
from backup media in the remote site, you must make certain choices regarding the
method that you use to restore the backup. You must also decide whether to use
removable media or ship the backup on the server that will become the additional domain
controller. You can use the information in this topic to make these decisions and to
prepare the server for shipping. Use the information in Installing a Domain Controller in
an Existing Domain Using Restored Backup Media to perform the actual backup, restore,
and Active Directory installation procedures.
Preparing a computer for installation in a remote site by using restored backup media
requires that you perform the following tasks:
Begin by backing up system state on a domain controller in the domain into which
you are installing the domain controller according to the recommendations and
requirements in Installing a Domain Controller in an Existing Domain Using Restored
Backup Media.
Determine whether to restore the system state backup onto the computer that will be
promoted or use removable media to ship the backup files separately from the
computer.
Determine the volume on which to restore the backup media. If you have a large
Ntds.dit file, this decision can affect the amount of time necessary for Active Directory
installation. If you have a large SYSVOL, this decision can affect whether full
replication of SYSVOL occurs during Active Directory installation. The ability to use
the backup media to source SYSVOL depends on various factors. If you want to
avoid full replication of SYSVOL, additional preparation is required, as described later
in this section.
Before you ship the server, enable Remote Desktop access on the server so that you
can install the domain controller and manage it remotely. You can also enable
Remote Desktop remotely by using the registry, but this method should be used only
as a fallback measure if, through some oversight, Remote Desktop is not enabled
prior to shipping.
If you are installing a domain controller that is running Windows Server 2003 with
Service Pack 1 (SP1) in a forest that has a forest functional level of
Windows Server 2003 or Windows Server 2003 interim and you want to include
application directory partitions in the installation media, you can do so by creating an
answer file that contains the location of the restored backup media and then running
an unattended installation of Active Directory.
Before you ship the server, restore the backup directly to a volume on the server that
you are shipping. When the server arrives at the remote site, it is ready for installation
with no further preparation.
Copy the .bkf file onto removable media before restoration. Ship the media to the
remote site, and then restore the backup from the removable media to an alternate
location on each domain controller that you want to install. The advantage of this
method is that you retain the potential for SYSVOL to be sourced from the backup
media.
Restore the backup to any location on any server and then copy the restored backup
to removable media, such as a CD, DVD, or portable hard drive. The advantage of
using this method is that you restore the backup only once; you can install as many
domain controllers as necessary from the same media. The disadvantage is that
copying the restored files loses the SYSVOL data that is required for sourcing
SYSVOL from the restored backup. For more information about ensuring that
SYSVOL is sourced from the restored backup, see "Seeding the SYSVOL tree from
restored files during IFM promotion" in article 311078, "How to use the Install from
Media feature to promote Windows Server 2003–based domain controllers," on the
Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=37924).
Determine the Restore Volume
The volume on which you restore the system state backup has implications for both
Active Directory files and SYSVOL files. For faster restore, it is recommended that you
restore the backup to the volume that you will designate to host the Ntds.dit file when you
run Dcpromo, if space permits. Otherwise, restore the backup to a volume that has
sufficient free space. Restoring the backup to the volume that will store Ntds.dit, as
opposed to a different volume, affects how files are managed by the system during and
after Active Directory installation, as follows:
Active Directory files. The volume to which you restore the Ntds.dit and NTDS log
files determines how long installation will take and whether you must delete copied
files following installation:
If you restore the system state to a location on the same volume (drive letter) that
will ultimately host the Ntds.dit and NTDS log files, when you designate the path
for the Ntds.dit and NTDS log files during installation, the Active Directory
Installation Wizard will move the Ntds.dit and NTDS log files from the restored
location to their installed location. Moving the files is much faster than copying
the files.
If you restore the system state to a different volume than the volume that will
ultimately host the Ntds.dit and NTDS log files, the Active Directory Installation
Wizard will copy the Ntds.dit and NTDS log files to their final location during
installation. In the case of a large Ntds.dit file, the copy process can add
significantly to the installation time. In this case, you must manually delete the
remaining files and folders in the restored folder after a successful installation. As
a best practice, we recommend that you always delete the folder that you use to
receive the restored backup, regardless of whether files are copied or moved.
SYSVOL replication. The volume to which you restore the system state backup also
determines whether the File Replication service (FRS) uses the restored files as the
source for SYSVOL on the new domain controller or whether FRS replicates a new
copy of SYSVOL from a different domain controller in the domain. To source the
SYSVOL data from the restored backup, you must restore the system state backup to
the same volume as the drive that you specify in the Active Directory Installation
Wizard to host the SYSVOL tree. Otherwise, the data will be sourced over the
network from a domain controller that is in the same domain as the new domain
controller.
If you store the SYSVOL shared folder on a different volume from the Active Directory
files, consider the effect of copying Active Directory files, as described earlier in this
topic, as opposed to the effect of replicating the entire contents of the SYSVOL
shared folder. If avoiding replication of the SYSVOL shared folder is a goal of the
remote installation, restore the backup to a location that is on the same volume as
the drive that will contain the SYSVOL share.
If only one domain controller is installed in the domain (SYSVOL has not replicated at
least once between two domain controllers in the domain), the ability to source
SYSVOL from the restored backup media requires preliminary configuration of a
"helper" domain controller to prepare the SYSVOL before you perform the system
state backup.
Note
It is recommended that you deploy at least two domain controllers in each
domain for redundancy and failover.
For more information about how to ensure that SYSVOL is sourced from the restored
backup, see "Seeding the SYSVOL tree from restored files during IFM promotion" in
article 311078, "How to use the Install from Media feature to promote
Windows Server 2003–based domain controllers," on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=37924). To assess the effect of replication, as
opposed to additional configuration to source SYSVOL from the backup media, test both
procedures in a lab environment that mirrors your production environment in terms of
wide area network (WAN) speed and replication latency.
The forest has a functional level of Windows Server 2003 or Windows Server 2003
interim.
The domain controller that you back up and the server that you are installing are both
running Windows Server 2003 with SP1.
For creating a DNS server, your forest uses Active Directory-integrated DNS (DNS
zone data is stored in application directory partitions on DNS servers in the forest).
The domain controller that you back up stores the application directory partitions that
you want to include.
Instructions for performing this type of installation are included in this task.
Task requirements
Ntbackup.exe
Dcpromo.exe
1. Back up system state on a domain controller in the domain into which you are
installing the additional domain controller. The following requirements apply for the
backup domain controller and the target server:
The backup domain controller and target server must be running the same
version of Windows Server 2003. For example, if the domain controller that you
back up is running Windows Server 2003 with SP1, you cannot use this backup
media to install Active Directory on a server that is running Windows Server 2003
with no service pack installed.
The backup domain controller and target server must be running on the same
hardware platform (32-bit or 64-bit).
To install a domain controller that is a global catalog server, you must back up
system state on a global catalog server.
To install a domain controller that is a DNS server (that is, a server that stores the
DomainDNSZones and ForestDNSZones application directory partitions), you
must back up system state on a DNS server that stores these directory partitions.
2. Restore system state to an alternate location. This location can be on the target
server or in a different location, from which the backup files can be copied to
removable media and then shipped to the remote site separately from the target
server. Follow the guidelines described in "Determine the Restore Volume" earlier in
this topic.
As an alternative, you can copy the unrestored .bkf file to removable media and then
ship the media to the remote site, where it can be restored to a location on the target
server.
When you restore, you must run Ntbackup on the server that has the alternate
location. Therefore, if you are restoring to an alternate location that is not on the
server on which the .bkf file is stored, before you run Ntbackup, do the following:
b. Map a connection to it from the computer on which you are running Ntbackup.
4. If you are installing a DNS server or a domain controller that will store any application
directory partitions, Create an answer file for domain controller installation.
5. Ship the domain controller and any prepared removable media and answer file to the
remote site. Ship these items separately and securely.
6. When the server is running in the remote site, install the domain controller as follows:
If you are installing a domain controller that does not require application directory
partitions to be included in the installation, Install Active Directory from restored
backup media.
If you are installing a domain controller that will be a DNS server or that requires
other application directory partitions to be included in the installation media,
perform the procedure to Include application directory partitions in an Active
Directory installation from backup media.
7. If the domain controller is to be a DNS server, Install the DNS Server service after
Active Directory has been installed.
See Also
Installing a Domain Controller in an Existing Domain Using Restored Backup Media
Use these procedures to back up the system state only. These procedures do not back
up the system disk or any other data on the domain controller except for the
system-protected files.
Use the first procedure, "To back up system state including system-protected files," for
routine system state backup. Use the second procedure, "To back up system state
excluding system-protected files," if you want to create a smaller backup that is effective
for installing domain controllers from restored backup media.
Note
To back up system state, you must log on locally to the domain controller, or
Remote Desktop must be enabled on the remote domain controller so that you
can connect remotely.
Administrative credentials
To perform the following two procedures, you must be a member of the Domain
Admins group or a member of the Backup Operators group.
This procedure provides steps for backing up in Wizard Mode. By default, the
Always Start in Wizard Mode check box is selected in the Backup or Restore
Wizard. If the Welcome to the Backup Utility Advanced Mode page appears,
click Wizard Mode to open the Backup or Restore Wizard.
2. On the Welcome to the Backup or Restore Wizard page, click Next.
4. Select Let me choose what to back up, and then click Next.
6. In the expanded list below My Computer, check System State, and then click
Next.
If you are backing up to a file, type the path and file name for the backup
(.bkf) file (or click Browse to find a folder or file).
If you are backing up to a tape unit, choose the tape that you want to use.
Note
You should not store the backup on the local hard drive. Instead,
store it in a location, such as a tape drive, away from the computer
that you are backing up.
10. Do not change the default options for Type of Backup. Normal should be
selected, and the check box for Backup migrated remote storage data should
remain cleared. Click Next.
11. Select Verify data after backup, and then click Next.
12. In the Backup Options dialog box, select a backup option, and then click Next.
13. If you are replacing the existing backups, select the option to allow only the
owner and administrator access to the backup data and to any backups that are
appended to this medium, and then click Next.
14. In the When to back up box, select the appropriate option for your needs, and
then click Next.
15. If you are satisfied with all of the options that are selected, click Finish to perform
the backup operation according to your selected schedule.
Note
The system state can also be backed up by using Ntbackup from a
command line with appropriate parameters. For more information, at a
command prompt type ntbackup /?.
The following procedure produces a smaller .bkf file that does not include system boot
files. By using this procedure, you can reduce the time that is required to perform the
backup and subsequent restore, as well as the amount of disk space that is required.
This method is recommended when the restored backup is to be used for installing
additional domain controllers.
4. In Backup media or file name, type a name for this backup according to the
recommendations in Backing Up Active Directory Components.
6. Clear the Automatically back up System Protected Files with the System
State check box, and then click OK.
See Also
Enable Remote Desktop
Administrative credentials
To perform this procedure, you must be a member of the Backup Operators group, as
follows:
Restore system state on a domain controller: Backup Operators group in the domain
2. Click Start, click Run, type ntbackup, and then click OK.
5. On the What to Restore page, click Browse, and then, in the Open Backup
File dialog box, click Browse again.
6. Navigate to the .bkf file that you want to restore to an alternate location. The .bkf
file can be located in a folder on the current computer, in a shared folder on the
backup computer or other network computer, or on an external drive that
contains removable media.
7. In the Select file for catalog dialog box, click the .bkf file that you want to
restore, and then click Open.
8. In the Open Backup File dialog box, click OK.
9. In Items to restore, double-click File, and then double-click the .bkf file that you
want to restore.
10. Below the .bkf file that you want to restore, select the System State check box,
and then click Next. (You do not need to restore the system disk to an alternate
location.)
11. On the Completing the Backup or Restore Wizard page, click Advanced.
13. In Alternate Location, type the path (or browse) to the local folder to which you
are restoring the backup, and then click Next. We recommend restoring to a
folder named NTDSRESTORE, if space permits, on the volume that will host the
Ntds.dit file when Dcpromo is run. Otherwise, restore to a folder named
\NTDSRESTORE on another volume that has sufficient free space.
14. On the How to Restore page, accept the default selection Leave existing files
(Recommended), and then click Next.
15. On the Advanced Restore Options page, accept the default selections Restore
security settings and Preserve existing volume mount points, and then click
Next.
16. On the Completing the Backup or Restore Wizard page, click Finish.
Use this procedure to enable Remote Desktop prior to shipping the server that will be
installed as a domain controller. If you neglected to perform this procedure prior to
shipping the server, use the procedure "To enable Remote Desktop remotely by using the
registry," later in this topic.
Administrative credentials
To complete this procedure, you must be a member of the local Administrators group.
2. On the Remote tab, under Remote Desktop, select the Allow users to connect
remotely to this computer check box, and then click OK.
Note
On computers running Windows Server 2003 with Service Pack 1 (SP1),
on the Remote tab, select the Enable Remote Desktop on this
computer check box.
If for any reason you neglected to perform this procedure prior to shipping the server, you
can enable Remote Desktop remotely by using the registry.
Administrative credentials
To complete this procedure, you must be a member of the local Administrators group.
3. In the Select Computer dialog box, type the computer name and then click
Check Names.
4. In the Enter Network Password dialog box, provide Domain Admins credentials
for the domain of the server, and then click OK.
7. In the console tree, click Terminal Server and then, in the details pane,
double-click fDenyTSConnections.
8. In the Edit DWORD Value box, in Value data, type 0, and then click OK.
Open a command prompt, type the following, and then press Enter:
shutdown -m \\DomainControllerName -r
Administrative credentials
To perform this procedure, you must be a member of the Authenticated Users group on
the local computer on which you create the answer file.
2. Start Windows Explorer, and then open the Support\Tools folder on the
Windows Server 2003 CD-ROM.
3. In the console tree, click Tools, and then, in the details pane, double-click
Deploy.cab.
5. In the Select a Destination dialog box, navigate to or create a new folder for the
expanded Ref.chm file, and then click Extract.
7. On the Contents tab in the scope pane, double-click Unattend.txt, and then
click [DCInstall].
8. In the details pane, scroll to Sample, select the entire sample, beginning at
[DCInstall], and then copy the sample.
9. Open Notepad, paste the sample into the Notepad file, and save the text file.
10. Edit the text file to contain at least the following entries (additional entries and
their descriptions are available in Ref.chm):
[DCINSTALL]
UserName=SAM account name that has Domain Admins credentials in the
target domain. This account must be used by the administrator who runs the
Dcpromo command.
Password=Password for the account name. If you leave this blank, Dcpromo
prompts the user during installation. Dcpromo deletes this value following
installation.
SiteName=The name of the Active Directory site in which this domain controller
will be placed. This site must be created in advance in the Active Directory Sites
and Services snap-in.
11. Save the answer file to the location on the installation server from which it is to
be called by Dcpromo, or save the file to a network share or removable media for
distribution.
See Also
Include application directory partitions in an Active Directory installation from backup
media
Administrative credentials
To complete this procedure, you must have Remote Desktop permissions by being added
to the Remote Desktop Users group or you must be a member of the local Administrators
group of the computer to which you are connecting. If the computer is a domain
controller, you must have the Allow Logon Locally right applied in the Default Domain
Controllers Policy.
2. In Computer, type a computer name or Internet Protocol (IP) address, and then
click Connect. The computer can be a terminal server, or it can be a computer
running Windows XP Professional or a Windows Server 2003 operating system
that has Remote Desktop enabled and for which you have Remote Desktop
permissions.
3. In the Log On to Windows dialog box, type your user name, password, and
domain (if required), and then click OK.
See Also
Enable Remote Desktop
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group in the
domain into which you are installing the additional domain controller.
3. Select From these restored backup files, and point to the same location where
you restored the system state data.
4. If the domain controller whose system state backup you are using is a global
catalog server, the Active Directory Installation Wizard asks you whether you
want this server to also be a global catalog server.
6. Enter the domain of the new domain controller. This domain must be the domain
of the domain controller whose system state backup you are using.
Dcpromo.exe will install Active Directory using the data present in the restored
files, which eliminates the need to replicate every object from a partner domain
controller. However, objects that were modified, added, or deleted since the
backup was taken must be replicated. If the backup was recent, the amount of
replication required will be considerably less than that required for a regular
Active Directory installation.
See Also
Restore system state to an alternate location
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group in the
domain into which you are installing the additional domain controller.
2. To include application directory partitions that are contained in the system state
backup, add the following entry to the end of the answer file:
ApplicationPartitionsToReplicate=
For example, to replicate two application directory partitions:
ApplicationPartitionsToReplicate="dc=app1,dc=contoso,dc=com dc=app2,dc=contoso,dc=com"
4. In the entry ReplicationSourcePath=, type the path to the folder that contains
the restored system state backup files on the installation computer.
5. If you do not want Dcpromo to prompt the user for passwords, type the password
in the Password= entry for the account that you will use to install the domain
controller, type the password in the SafeModeAdminPassword= entry that you
will use to provide access to Directory Services Restore Mode, and then save the
answer file.
Note
Passwords are automatically deleted from the answer file when Dcpromo
runs.
6. Open a command prompt, and then change directories to the location of the
answer file.
7. At the command prompt, type the following command, and then press ENTER:
By taking preliminary precautions, you can ensure that long-term disconnections do not
result in directory inconsistency from lingering objects.
If the estimated time of disconnection does not exceed the maximum safe
disconnection time, proceed with disconnection.
4. View the current operations master role holders to determine whether the domain
controller is an operations master role holder.
9. Enable strict replication consistency on the domain controller that you are
disconnecting. Optionally, you can use this command-line procedure to enable strict
replication consistency on other domain controllers or on all domain controllers in the
forest.
10. Synchronize replication with all partners. Update the domain controller with the latest
changes just before you disconnect it.
11. Verify successful replication to a domain controller for the domain controller that you
are disconnecting.
12. Label the domain controller with the date and time of disconnection and the
maximum safe disconnection period.
See Also
Known Issues for Adding Domain Controllers in Remote Sites
Managing SYSVOL
Administrative Credentials
To complete this procedure, you must be a member of the Domain Users group.
5. Note the value in the Value column. If the value is <not set>, the default value is
in effect as follows:
Administrative Credentials
5. After receiving confirmation of the connection, type quit and press ENTER to exit
this menu.
6. At the fsmo maintenance: prompt, type select operation target and press
ENTER.
7. At the select operations target: prompt, type list roles for connected server
and press ENTER.
The system responds with a list of the current roles and the Lightweight Directory
Access Protocol (LDAP) name of the domain controllers currently assigned to
host each role.
8. Type quit and press ENTER to exit each prompt in Ntdsutil.exe. Type quit and
press ENTER at the ntdsutil: prompt to close the window.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
2. At the top of the console tree, right-click Active Directory Users and
Computers. Click Connect to Domain Controller.
3. In the list of available domain controllers, click the name of the server to which
you want to transfer the role, and then click OK.
4. At the top of the console tree, right-click Active Directory Users and
Computers, point to All Tasks, and then click Operations Masters.
The name of the current operations master role holder appears in the
Operations master box. The name of the server to which you want to transfer
the role appears in the lower box.
5. Click the tab for the role you want to transfer: RID, PDC, or Infrastructure. Verify
the computer names that appear and then click Change. Click Yes to transfer the
role, and then click OK.
6. Repeat steps 4 and 5 for each role that you want to transfer.
Administrative Credentials
2. In the console tree, right-click Active Directory Schema, and click Change
Domain Controller.
3. In the Change Domain Controller dialog box, click Specify Name. Then, in the
text box, type the name of the server to which you want to transfer the schema
master role. Click OK.
5. Click Change. Click Yes to confirm your choice. The system confirms the
operation. Click OK again to confirm that the operation succeeded.
Note
Hosting the infrastructure master on a global catalog server is not
recommended. If you attempt to transfer the infrastructure master role to
a domain controller that is a global catalog, the system displays a
warning stating that this is not recommended.
Administrative Credentials
To perform this procedure, you must be a member of the Enterprise Admins group in
Active Directory.
2. In the console tree, right-click Active Directory Domains and Trusts, and then
click Connect to Domain Controller.
3. Ensure that the proper domain name is entered in the Domain box.
4. In the Name column, click the domain controller (to select it) to which you want to
transfer the role. Click OK.
5. Right-click Active Directory Domains and Trusts, and then click Operations
Master.
6. The name of the current domain naming master appears in the first text box. The
server to which you want to transfer the role should appear in the second text
box. If this is not the case, repeat steps 1 through 4.
7. Click Change. To confirm the role transfer, click Yes. Click OK again to close the
message box indicating the transfer took place. Click Close to close the Change
Operations Master dialog box.
To initiate a nonauthoritative restart of SYSVOL when it is the only replica set that is
represented on the domain controller, set the value of the global BurFlags
(REG_DWORD) entry under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
If other replica sets are represented on the domain controller and you want to update
only SYSVOL, set the value of the replica-set-specific BurFlags (REG_DWORD)
entry under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\SYSVOL GUID
Modifying the replica-set-specific BurFlags entry requires identifying the SYSVOL GUID
in the registry.
Caution
The Registry Editor bypasses standard safeguards, allowing settings that can
damage your system or even require you to reinstall Windows. If you must edit
the registry, back up system state first. For information about backing up system
state, see Administering Active Directory Backup and Restore.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
2. Navigate to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters
3. Expand Parameters.
b. Match the GUID under Replica Sets to the identical GUID under Cumulative
Replica Sets, and click the matching GUID under Cumulative Replica Sets.
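The replica-set-specific BurFlags edit above, as an added PowerShell example that is not part of the guide; it assumes the "Replica Set Root" value under each Replica Sets GUID identifies the SYSVOL set, and uses the nonauthoritative-restore value D2:

```powershell
# Added example, not the guide's own script: mark SYSVOL alone for a
# nonauthoritative restore by following the registry steps above: find the
# SYSVOL replica-set GUID under Replica Sets, confirm the same GUID exists
# under Cumulative Replica Sets, and set BurFlags there. Assumed: the
# 'Replica Set Root' value under Replica Sets\<GUID> points into the SYSVOL
# path, and D2 (hex) is the nonauthoritative-restore value. Back up system
# state before running this.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$D2 = 0xD2     # nonauthoritative restore; D4 would make this copy authoritative

# Step b: find the replica set whose root is SYSVOL and note its GUID.
$sysvolGuid = $null
foreach ($set in Get-ChildItem -Path "$params\Replica Sets") {
    $root = (Get-ItemProperty -Path $set.PSPath).'Replica Set Root'
    if ($root -and $root -match 'sysvol') { $sysvolGuid = $set.PSChildName; break }
}
if (-not $sysvolGuid) { throw 'No replica set with a SYSVOL root found under Replica Sets' }

# The matching GUID under Cumulative Replica Sets carries the per-set BurFlags.
$target = "$params\Cumulative Replica Sets\$sysvolGuid"
if (-not (Test-Path $target)) { throw "GUID $sysvolGuid is not present under Cumulative Replica Sets" }

$before = (Get-ItemProperty -Path $target -ErrorAction SilentlyContinue).BurFlags
Set-ItemProperty -Path $target -Name BurFlags -Value $D2 -Type DWord
Write-Host ("SYSVOL replica set {0}: BurFlags {1} -> 0x{2:X}" -f $sysvolGuid, $before, $D2)

# FRS reads BurFlags when it starts; restart the service to begin the restore.
# FRS clears BurFlags back to 0 once the restore has been processed.
& net stop ntfrs
& net start ntfrs
```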
Value: 1 (0 to disable)
On domain controllers running Windows Server 2003 with Service Pack 1 (SP1), you do
not have to edit the registry directly to enable strict replication consistency. It is best to
avoid editing the registry directly if possible. You can use a Repadmin command that
enables strict replication consistency on one or all domain controllers in the forest. This
command is available only in the version of Repadmin that is included with Windows
Support Tools in Windows Server 2003 SP1. This command can be applied only on
domain controllers running Windows Server 2003 with SP1.
Administrative credentials
Requirements:
Note
To enable strict replication consistency on a domain controller that is not
running Windows Server 2003 with SP1, use a registry editor to set the value
in the Strict Replication Consistency entry to 1.
Caution
It is recommended that you do not directly edit the registry unless there is no
other alternative. Modifications to the registry are not validated by the registry
editor or by Windows before they are applied, and as a result, incorrect
values can be stored. This can result in unrecoverable errors in the system.
When possible, use Group Policy or other Windows tools, such as Microsoft
Management Console (MMC), to accomplish tasks rather than editing the
registry directly. If you must edit the registry, use extreme caution.
Note
For more naming options and information about the syntax of the DC_LIST
parameter, at the command prompt type repadmin /listhelp.
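An added PowerShell example (not the guide's script) that enables strict replication consistency with the SP1 build of Repadmin, or, for a domain controller that is not running SP1, by writing the registry entry named in the note above; it assumes the Windows Support Tools build of Repadmin is on the path and that the script runs with Domain Admins credentials:

```powershell
# Added example, not the guide's own script: enable strict replication
# consistency on Windows Server 2003 domain controllers. On SP1 it uses
# 'repadmin /regkey DC_LIST +strict' (SP1 Support Tools); with -UseRegistry
# it writes the registry entry the guide names for pre-SP1 domain controllers.
# Assumed: run from an account with Domain Admins or Enterprise Admins credentials.
param(
    [string]$DcList = '*',      # DC_LIST syntax; '*' means every DC in the forest
    [switch]$UseRegistry        # pre-SP1 target: edit the local registry instead
)

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName  = 'Strict Replication Consistency'

if (-not $UseRegistry) {
    # +strict sets the entry to 1 on each listed DC; -strict would clear it.
    # This switch exists only in the SP1 build of Repadmin.
    & repadmin /regkey $DcList +strict
    if ($LASTEXITCODE -ne 0) {
        throw "repadmin /regkey $DcList +strict failed (exit code $LASTEXITCODE)"
    }
}
else {
    # Registry method for a DC that is not running SP1. Back up system state first.
    $props   = Get-ItemProperty -Path $ntdsParams -ErrorAction SilentlyContinue
    $current = if ($props) { $props.$valueName } else { $null }
    if ($current -eq 1) {
        Write-Host "'$valueName' is already 1 on $env:COMPUTERNAME."
    }
    else {
        Set-ItemProperty -Path $ntdsParams -Name $valueName -Value 1 -Type DWord
        $was = if ($null -eq $current) { '<not set>' } else { $current }
        Write-Host "Set '$valueName' to 1 on $env:COMPUTERNAME (was $was)."
    }
}

# Read the entry back on this computer: 1 = strict, 0 = loose, <not set> = default in effect.
$after = (Get-ItemProperty -Path $ntdsParams -ErrorAction SilentlyContinue).$valueName
$shown = if ($null -eq $after) { '<not set>' } else { $after }
Write-Host "$env:COMPUTERNAME : '$valueName' = $shown"
```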
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group in the
domain of the selected domain controller or the Enterprise Admins group in the forest, or
you must have been delegated the appropriate authority. If you want to synchronize the
configuration and schema directory partitions on a domain controller in a child domain,
you must have Domain Admins credentials in the forest root domain or Enterprise Admins
credentials in the forest.
2. Check for replication errors in the output of the command in the previous step. If
there are no errors, replication is successful. For replication to complete, any
errors must be corrected.
See Also
Verify successful replication to a domain controller
The disconnected domain controller is running Windows Server 2003, but no other
authoritative domain controller running Windows Server 2003 is available in the
domain: Reconnect the domain controller, and follow the instructions in article
314282, "Lingering objects may remain after you bring an out-of-date global catalog
server back online," in the Microsoft Knowledge Base on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=37924).
The disconnected domain controller is running Windows 2000 Server, and another
domain controller is available in the domain: Do not reconnect the domain controller.
Instead, force Active Directory removal on the disconnected domain controller,
perform metadata cleanup, and then reinstall Active Directory. To complete these
tasks, follow the instructions in Forcing the Removal of a Domain Controller and
Installing a Domain Controller in an Existing Domain.
The disconnected domain controller is running Windows 2000 Server, and no other
domain controller is available in the domain: If you want to recover the domain,
reconnect the domain controller, and follow the instructions in article 314282,
"Lingering objects may remain after you bring an out-of-date global catalog server
back online," in the Microsoft Knowledge Base on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=37924).
Updating SYSVOL
As described in Preparing an Existing Domain Controller for Shipping and Long-Term
Disconnection, the recommended practice to ensure consistency of SYSVOL is to modify
the registry before disconnecting the domain controller so that SYSVOL is updated
automatically when the domain controller is restarted. In addition, if you want to avoid a
full synchronization of SYSVOL through intersite replication, you must take preparatory
steps before disconnection. For information about how to ensure that SYSVOL is sourced
locally and updated over the network only for changes, see "Seeding the SYSVOL tree
from restored files during IFM promotion" in article 311078, "How to use the Install from
Media feature to promote Windows Server 2003-based domain controllers," in the
Microsoft Knowledge Base on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=37924).
To update SYSVOL as soon as possible after reconnecting a domain
controller, plan the time that you restart the domain controller to optimize the replication
schedule, as follows:
If the closest replication partner for the domain is in a different site, view site link
properties to determine the replication schedule, and then restart the domain
controller as soon as possible after replication is scheduled to start.
If a replication partner for the domain is available within the site, verify replication
success on that partner before restarting the domain controller.
Important
Do not use file copy utilities, such as Xcopy or Robocopy, to update an outdated
SYSVOL. Copying SYSVOL files is recommended only for recreating a
nonfunctioning SYSVOL, which requires several preliminary procedures. Copying
SYSVOL files from one domain controller to another without following these
procedures causes invalid data to be replicated and causes the system volumes
on other domain controllers to become inconsistent. For information about how to
recreate a nonfunctioning SYSVOL, see Restoring and Rebuilding SYSVOL.
2. Determine whether the maximum safe disconnection time has been exceeded. The
maximum safe disconnection time should have been established at the time of
disconnection, as follows:
Subtract a generous estimate of the amount of time for end-to-end replication latency
from the tombstone lifetime. Either find the latency estimate in the design
documentation for your deployment or request the information from a member of your
design or deployment team.
3. If the maximum safe disconnection time has not been exceeded, proceed with the
reconnection process as follows:
If the site in which you are reconnecting the domain controller has one or more
other domain controllers that are authoritative for the domain, start the domain
controller anytime.
If the site in which you are reconnecting the domain controller has no other
domain controllers that are authoritative for the domain, proceed as follows:
As soon as possible after the next replication cycle begins, start the domain
controller.
If the maximum safe disconnection time has been exceeded, proceed in the
appropriate manner according to the operating system, as described in
"Reconnecting an Outdated Domain Controller" earlier in this topic.
Administrative Credentials
To complete this procedure, you must be a member of the Domain Users group.
2. In the console tree, double-click the Sites container, double-click the Inter-Site
Transports container, and then click the IP container.
3. In the details pane, right-click the site link object for which you want to view the
schedule, and then click Properties.
4. In the SiteLinkName Properties dialog box, click Change Schedule. Note the
block of days and hours during which replication is allowed (Replication
Available), and then click OK.
5. In the Replicate every _____ minutes box, note the number of minutes for the
intervals at which replication polling takes place during an open schedule
window, and then click OK.
If you are running the procedure preemptively, you must gather the following information
before beginning the procedure:
Name of the server that has or might have lingering objects. This name can be the
Domain Name System (DNS) name, NetBIOS name, or distinguished name of the
domain controller.
Globally unique identifier (GUID) of the NTDS Settings object of a domain controller
that is authoritative for the domain of the domain controller from which you want to
remove lingering objects.
If necessary, use the following procedure to determine the GUID of a domain controller.
Administrative Credentials
To complete this procedure, you must be a member of the Domain Users group in the
domain of the domain controller.
repadmin /showrepl DomainControllerName
2. In the top portion of the output, note the value in DC object GUID:
If the destination domain controller and source domain controller are both running
Windows Server 2003, you can remove lingering objects by using Repadmin. If either
domain controller is running Windows 2000 Server, follow instructions in article 314282,
"Lingering objects may remain after you bring an out-of-date global catalog server back
online," in the Microsoft Knowledge Base on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=37924).
Administrative Credentials
To complete this procedure, you must be a member of the Domain Admins group in the
DirectoryPartition domain.
To use Repadmin to remove lingering objects
1. At a command prompt, type the following command, and then press ENTER:
Term Definition
ServerName: The DNS name or the distinguished name of the domain controller that has
or might have lingering objects.
DirectoryPartition: The distinguished name of the domain directory partition that might
have lingering objects. For example,
DC=RegionalDomainName,DC=ForestRootDomainName,DC=com.
Also run the command against the configuration directory partition
(CN=configuration,DC=ForestRootDomainName,DC=com), the schema directory partition
(CN=schema,CN=configuration,DC=ForestRootDomainName,DC=com), and any application
directory partitions that are hosted on the domain controller you are checking for
lingering objects.
/advisory_mode logs the lingering objects that will be removed so that you can review
them, but it does not remove them.
2. If lingering objects are found, repeat step 1 without /advisory_mode to delete the
identified lingering objects from the directory partition.
3. Repeat steps 1 and 2 for every domain controller that might have lingering objects.
Note
The ServerName parameter uses the DC_LIST syntax for repadmin, which
allows the use of * for all domain controllers in the forest and gc: for all global
catalog servers in the forest. To see the DC_LIST syntax, type
repadmin /listhelp.
See Also
Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)
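The two procedures above (find the GUID of an authoritative domain controller, then run Repadmin against each partition in advisory mode) combined in an added PowerShell script that is not from the guide; the server names DC01 and DC02 and the domain contoso.com are placeholders:

```powershell
# Added example, not the guide's own script: locate the NTDS Settings GUID of
# an authoritative domain controller with 'repadmin /showrepl', then check a
# suspect domain controller for lingering objects with
# 'repadmin /removelingeringobjects' in advisory mode (log only). Add -Delete
# to actually remove the objects after reviewing the advisory-mode results.
# Assumed names: DC01 (authoritative source), DC02 (suspect), forest contoso.com.
param(
    [string]$SuspectDc       = 'DC02.contoso.com',
    [string]$AuthoritativeDc = 'DC01.contoso.com',
    [string]$DomainDn        = 'DC=contoso,DC=com',
    [string]$ForestRootDn    = 'DC=contoso,DC=com',
    [string[]]$AppPartitions = @(),       # e.g. 'DC=app1,DC=contoso,DC=com'
    [switch]$Delete
)

# Guide step: 'repadmin /showrepl DomainControllerName' prints a line
# 'DC object GUID: <guid>' near the top of its output.
$output = & repadmin /showrepl $AuthoritativeDc
if ($LASTEXITCODE -ne 0) { throw "repadmin /showrepl $AuthoritativeDc failed (exit code $LASTEXITCODE)" }

$sourceGuid = $null
foreach ($line in $output) {
    if ($line -match 'DC object GUID:\s*([0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})') {
        $sourceGuid = $Matches[1]
        break
    }
}
if (-not $sourceGuid) { throw "No 'DC object GUID' line in repadmin output for $AuthoritativeDc" }
Write-Host "Source DC GUID for $AuthoritativeDc : $sourceGuid"

# Run against every partition the guide lists plus any application partitions
# hosted on the suspect DC.
$partitions = @($DomainDn,
                "CN=Configuration,$ForestRootDn",
                "CN=Schema,CN=Configuration,$ForestRootDn") + $AppPartitions

foreach ($nc in $partitions) {
    Write-Host "== $nc =="
    # Syntax: repadmin /removelingeringobjects <ServerName> <SourceDcGuid> <NC> [/advisory_mode]
    if ($Delete) {
        & repadmin /removelingeringobjects $SuspectDc $sourceGuid $nc
    }
    else {
        & repadmin /removelingeringobjects $SuspectDc $sourceGuid $nc /advisory_mode
    }
    if ($LASTEXITCODE -ne 0) { Write-Warning "repadmin returned exit code $LASTEXITCODE for $nc" }
}
# Advisory mode logs each lingering object it finds in the Directory Service
# event log on the suspect DC; review that log before re-running with -Delete.
```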
Verify successful replication to a domain
controller
You can use the repadmin /showrepl command to verify successful replication to a
specific domain controller. If you are not running Repadmin on the domain controller
whose replication you are checking, you can specify a destination domain controller in
the command. Repadmin lists INBOUND NEIGHBORS for the current or specified
domain controller. INBOUND NEIGHBORS shows the distinguished name of each
directory partition for which inbound directory replication has been attempted, the site and
name of the source domain controller, and whether replication succeeded or not, as
follows:
Last attempt @ YYYY-MM-DD HH:MM.SS was successful.
If @ [Never] appears in the output for a directory partition, replication of that directory
partition has never succeeded from the identified source replication partner over the
listed connection.
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group in the
domain of the destination domain controller.
3. When you are prompted for a password, type the password for the user account
that you provided, and then press ENTER.
You can also use Repadmin to generate the details of replication to and from all
replication partners in a spreadsheet. The spreadsheet displays data in the following
columns:
Showrepl_COLUMNS
Destination DC Site
Destination DC
Naming Context
Source DC Site
Source DC
Transport Type
Number of Failures
The following procedure shows how to create this spreadsheet and set column headers
for improved readability.
4. On the File menu, click Open, navigate to showrepl.csv, and then click Open.
To hide the column, on the Format menu, click Column, and then click Hide.
Or
To delete the column, right-click the selected column, and then click Delete.
7. Select row 1 beneath the column heading row, and then, on the Window menu,
click Freeze Panes.
8. Select the entire spreadsheet. On the Data menu, click Filter, and then click
AutoFilter.
9. In the Last Success Time column, click the down arrow, and then click Sort
Ascending.
10. In the Source DC column, click the down arrow, and then click Custom.
11. In the Custom AutoFilter dialog box, under Show rows where, click does not
contain. In the adjacent text box, type del to eliminate from view the results for
deleted domain controllers.
12. Repeat step 10 for the Last Failure Time column, but use the value does not
equal, and type the value 0.
The last successful attempt should agree with the replication schedule for intersite
replication, or the attempt should be within the last hour for intrasite replication.
If Repadmin reports any of the following conditions, see Troubleshooting Active Directory
Replication Problems:
The last successful intersite replication was prior to the last scheduled replication.
The last intrasite replication was longer than one hour ago.
See Also
Troubleshooting Active Directory Replication Problems
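An added PowerShell example, not from the guide, that applies the same filters the spreadsheet steps describe (drop deleted domain controllers, nonzero failure counts, [Never], intrasite last success older than an hour) directly over showrepl.csv; the column names are assumed to be those listed above, with the "DSA" spelling used by some Repadmin builds also accepted:

```powershell
# Added example, not the guide's own script: apply the spreadsheet checks
# from the procedure above to 'repadmin /showrepl * /csv' output without a
# spreadsheet: drop source DCs whose name contains 'del', then flag partners
# with a nonzero failure count, a '[Never]' last success, or an intrasite
# last success older than one hour. Column names are assumed to be those the
# guide lists (some repadmin builds say 'DSA' instead of 'DC'; both are matched).
# Requires PowerShell 2.0 or later for New-Object -Property.
param(
    [string]$CsvPath = '',            # existing showrepl.csv; empty = run repadmin now
    [int]$IntrasiteMaxAgeHours = 1    # guide: intrasite success expected within the last hour
)

if (-not $CsvPath) {
    $CsvPath = Join-Path $env:TEMP 'showrepl.csv'
    & repadmin /showrepl * /csv | Set-Content -Path $CsvPath
    if ($LASTEXITCODE -ne 0) { throw "repadmin /showrepl failed (exit code $LASTEXITCODE)" }
}
$rows = @(Import-Csv $CsvPath)
if ($rows.Count -eq 0) { throw "No rows in $CsvPath" }

# Resolve column names once, tolerating 'Source DC' / 'Source DSA' spellings.
function Find-Column([string]$Pattern) {
    foreach ($p in $rows[0].PSObject.Properties) { if ($p.Name -match $Pattern) { return $p.Name } }
    throw "No column matches '$Pattern'"
}
$srcCol     = Find-Column '^Source D(C|SA)$'
$srcSiteCol = Find-Column '^Source D(C|SA) Site$'
$dstSiteCol = Find-Column '^Destination D(C|SA) Site$'
$ncCol      = Find-Column '^Naming Context$'
$failCol    = Find-Column '^Number of Failures$'
$lastOkCol  = Find-Column '^Last Success Time$'
$lastErrCol = Find-Column '^Last Failure Time$'

$cutoff   = (Get-Date).AddHours(-$IntrasiteMaxAgeHours)
$problems = @()
foreach ($r in $rows) {
    # Step 11 of the procedure: hide rows for deleted domain controllers.
    if ($r.$srcCol -match 'del') { continue }

    $reasons = @()
    if ([int]$r.$failCol -ne 0) {
        $reasons += "$($r.$failCol) failure(s), last failure $($r.$lastErrCol)"
    }
    $lastOk = [string]$r.$lastOkCol
    if ($lastOk -match 'Never') {
        $reasons += 'replication has never succeeded over this connection'
    }
    elseif ($r.$srcSiteCol -eq $r.$dstSiteCol) {
        # Intrasite: a successful attempt should fall within the last hour.
        $t = [datetime]::MinValue
        if ([datetime]::TryParse($lastOk, [ref]$t) -and $t -lt $cutoff) {
            $reasons += "intrasite last success $lastOk is older than $IntrasiteMaxAgeHours h"
        }
    }
    # Intersite rows: compare Last Success Time with the site link schedule by hand
    # (see the site link schedule procedure); that check is not automated here.

    if ($reasons.Count -gt 0) {
        $problems += New-Object PSObject -Property @{
            Source    = $r.$srcCol
            Partition = $r.$ncCol
            Problem   = [string]::Join('; ', [string[]]$reasons)
        }
    }
}

if ($problems.Count -gt 0) {
    $problems | Sort-Object Source | Format-Table Source, Partition, Problem -AutoSize
    Write-Host "$($problems.Count) inbound connection(s) need attention; see Troubleshooting Active Directory Replication Problems."
}
else {
    Write-Host 'No inbound replication problems flagged.'
}
```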
Performing an Unattended Installation of
Active Directory
Running an unattended install simplifies the process of setting up Active Directory on
multiple computers. The unattended install feature uses an “answer file” to provide
answers to the questions that are asked during a normal setup. This way, the installation
process can proceed from start to completion without user intervention. This method
works best when Active Directory is installed with identical options on many computers.
This method is required if you want to include application directory partitions in
Active Directory installations from restored backup media.
Task requirements
Dcpromo.exe
Ref.chm (in the Support\Tools folder on the Windows Server 2003 operating system
CD)
Unattend.txt
See Also
Include application directory partitions in an Active Directory installation from backup
media
Create an answer file for domain
controller installation
Use this procedure to create a text file that you can use as the answer file for an
unattended installation of a domain controller. The answer file contains sensitive
information and should be kept in a secure location.
Administrative credentials
To perform this procedure, you must be a member of the Authenticated Users group on
the local computer on which you create the answer file.
2. Start Windows Explorer, and then open the Support\Tools folder on the
Windows Server 2003 CD-ROM.
3. In the console tree, click Tools, and then, in the details pane, double-click
Deploy.cab.
5. In the Select a Destination dialog box, navigate to or create a new folder for the
expanded Ref.chm file, and then click Extract.
7. On the Contents tab in the scope pane, double-click Unattend.txt, and then
click [DCInstall].
8. In the details pane, scroll to Sample, select the entire sample, beginning at
[DCInstall], and then copy the sample.
9. Open Notepad, paste the sample into the Notepad file, and save the text file.
10. Edit the text file to contain at least the following entries (additional entries and
their descriptions are available in Ref.chm):
[DCINSTALL]
SiteName=The name of the Active Directory site in which this domain controller
will be placed. This site must be created in advance in the Active Directory Sites
and Services snap-in.
11. Save the answer file to the location on the installation server from which it is to
be called by Dcpromo, or save the file to a network share or removable media for
distribution.
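An added PowerShell example (not the guide's own) that writes the answer file described in this procedure and in the earlier install-from-media procedure, including the ApplicationPartitionsToReplicate entry, restricts the file's ACL, and hands it to Dcpromo; the domain, site, paths, and account name are placeholders:

```powershell
# Added example, not the guide's own script: write a [DCInstall] answer file
# for an install-from-media replica promotion that includes application
# directory partitions, lock the file down to Administrators and SYSTEM, and
# start Dcpromo with it. Password entries are left empty so Dcpromo prompts
# instead of storing them on disk.
# Assumed values: domain contoso.com, site Seattle, restored system state in
# D:\NTDSRestore, answer file D:\Unattend\dcpromo-ifm.txt, account dcadmin.
$answerFile = 'D:\Unattend\dcpromo-ifm.txt'

$answer = @"
[DCINSTALL]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=contoso.com
SiteName=Seattle
ReplicateFromMedia=Yes
ReplicationSourcePath=D:\NTDSRestore
ApplicationPartitionsToReplicate="dc=app1,dc=contoso,dc=com dc=app2,dc=contoso,dc=com"
UserDomain=contoso.com
UserName=dcadmin
Password=
SafeModeAdminPassword=
RebootOnSuccess=Yes
"@

$dir = Split-Path -Parent $answerFile
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
Set-Content -Path $answerFile -Value $answer -Encoding ASCII

# The file names the installing account and the restore path, and would hold
# passwords if they were filled in: replace inherited ACEs with an explicit
# Administrators + SYSTEM full-control ACL.
$acl = Get-Acl -Path $answerFile
$acl.SetAccessRuleProtection($true, $false)
foreach ($identity in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $answerFile -AclObject $acl

# Dcpromo reads the answer file through /answer:<path>; it prompts for the
# empty Password and SafeModeAdminPassword entries and removes any password
# values from the file when it finishes.
& dcpromo "/answer:$answerFile"
```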
See Also
Include application directory partitions in an Active Directory installation from backup
media
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group in the
domain of the domain controller that you are installing.
2. Click OK.
See Also
Create an answer file for domain controller installation
Task Requirements
The following tools are recommended to perform the procedures for this task:
DNS Manager
Event Viewer
Netdiag.exe
Dcdiag.exe
Ntdsutil.exe
2. Verify that an IP address maps to a subnet and determine the site association
You must ensure that the new domain controller is located in the proper site so that
after the installation is complete, the new domain controller can locate replication
partners and become part of the replication topology. If the site is not correct, you can
use the Active Directory Sites and Services snap-in to move the Server object for the
domain controller to the proper site after Active Directory installation is complete.
Note
The last dialog box displayed by the Active Directory Installation Wizard lists
the site where the new domain controller is installed. If this is not the proper
site, you must move the Server object after the server is restarted.
Prior to deleting a Server object from the Servers container for a site, verify that the
Server object has no Child objects. If a Child object appears, do not delete the Server
object.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Users group.
2. Expand the Sites container and expand the site of the Server object.
3. Expand the Servers container, and then expand the Server object to view any
Child objects.
Verify that an IP address maps to a
subnet and determine the site
association
Use this procedure to determine the site to which you want to add a Server object prior to
installing Active Directory, or to verify the appropriate site prior to moving a Server object
to it.
To be associated with a site, the IP address of a domain controller must map to a Subnet
object that is defined in Active Directory. The site to which the subnet is associated is the
site of the domain controller.
The subnet address, which is computed from the IP network address and the subnet
mask, is the name of a Subnet object in Active Directory. When you know the subnet
address, you can locate the Subnet object and determine the site to which the subnet is
associated.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Users group.
5. Use the values in IP address and Subnet mask to calculate the subnet address
and then click OK.
8. Expand the Sites container, and then click the Subnets container.
9. In the Name column in the details pane, find the Subnet object that matches the
subnet address.
10. In the Site column, note the site to which the IP subnet address is associated.
If the site that appears in the Site box is not the appropriate site, contact a
supervisor and find out whether the IP address is incorrect or whether to move
the Server object to the site indicated by the subnet.
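An added PowerShell example (not the guide's own) that carries out steps 5 through 10 programmatically: it computes the subnet address from an IP address and subnet mask, finds the Subnet object of that name under CN=Subnets, and reads the site it is associated with; the sample address 10.1.2.37 with mask 255.255.255.0 is constructed for illustration:

```powershell
# Added example, not the guide's own script: compute the subnet address that
# names a Subnet object from an IP address and mask, then look up that object
# under CN=Subnets,CN=Sites in the configuration partition and read the site
# it is associated with (the Site column in the snap-in). Assumed sample input:
# 10.1.2.37 / 255.255.255.0, which maps to the Subnet object named 10.1.2.0/24.
function Get-SubnetName([string]$IpAddress, [string]$SubnetMask) {
    $ip   = [System.Net.IPAddress]::Parse($IpAddress).GetAddressBytes()
    $mask = [System.Net.IPAddress]::Parse($SubnetMask).GetAddressBytes()
    # Network address: IP AND mask, octet by octet.
    $net = @()
    for ($i = 0; $i -lt 4; $i++) { $net += [int]($ip[$i] -band $mask[$i]) }
    # Prefix length: number of 1 bits in the mask.
    $prefix = 0
    foreach ($b in $mask) { $prefix += ([Convert]::ToString([int]$b, 2) -replace '0', '').Length }
    '{0}/{1}' -f [string]::Join('.', [string[]]$net), $prefix
}

function Get-SiteForSubnet([string]$SubnetName) {
    $configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Subnets,CN=Sites,$configNc"
    $searcher.Filter = "(&(objectClass=subnet)(cn=$SubnetName))"
    [void]$searcher.PropertiesToLoad.Add('siteObject')
    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }
    $vals = $result.Properties['siteobject']
    if (-not $vals -or $vals.Count -eq 0) { return $null }
    # siteObject holds the site's DN, e.g. CN=Seattle,CN=Sites,CN=Configuration,...
    $siteDn = [string]$vals[0]
    $siteDn.Split(',')[0] -replace '^CN=', ''
}

$subnet = Get-SubnetName '10.1.2.37' '255.255.255.0'   # 10.1.2.0/24
$site   = Get-SiteForSubnet $subnet
if ($site) {
    Write-Host "IP 10.1.2.37 is in subnet $subnet, associated with site $site"
}
else {
    # No Subnet object: the domain controller would not land in the intended site.
    Write-Host "No Subnet object named $subnet exists; check the IP address or ask before moving the Server object."
}
```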
Administrative Credentials
To perform this procedure, you must be a member of the Enterprise Admins group.
2. Expand the Sites container and the site in which the server object resides.
3. Expand the Servers container to display the domain controllers that are currently
configured for that site.
4. Right-click the Server object you want to move, and then click Move.
5. In the Site Name box, click the destination site, and then click OK.
6. Expand the Site object to which you moved the server, and then expand the
Servers container.
8. Expand the Server object and verify that an NTDS Settings object exists.
Within an hour, the Net Logon service on the domain controller registers the new site
information in DNS. Wait an hour and then open Event Viewer and connect to the domain
controller whose Server object you moved. Review the directory service log for Net
Logon errors regarding registration of SRV resource records in DNS that have occurred
within the last hour. The absence of errors indicates that Net Logon has updated DNS
with site-specific SRV resource records. Net Logon event ID 5774 indicates that the
registration of DNS resource records has failed. If this error occurs, contact a supervisor
and pursue DNS troubleshooting.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group.
2. If you need to configure forwarders, open the DNS snap-in and continue to step
3.
5. In the IP address box, type IpAddress (where IpAddress is the IP address of the
DNS server or nearest replication partner from which the domain is delegated),
click Add, and then click OK.
Task Requirements
The following tools are required to perform the procedures for this task:
DNS snap-in
My Network Places
If the parent DNS zone of any zone that is hosted by this DNS server contains a
delegation to this DNS server, use this procedure to update the IP address in all such
delegations.
If your forest root domain has a parent DNS domain, perform this procedure on a
DNS server in the parent domain. If you just added a new domain controller to a child
domain, perform this procedure on a DNS server in the DNS parent domain. If you
follow recommended practices, the parent domain is the forest root domain.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group.
4. In the ChildDomain Properties sheet, on the Name Servers tab, click Add.
5. In the New Resource Record dialog box, in the Server fully qualified domain
name (FQDN) box, type ChildDC.ChildDomain.ParentDomain (where ChildDC is
the name of the new domain controller, ChildDomain is the name of the child
domain, and ParentDomain is the name of the parent domain).
6. In the New Resource Record dialog box, in the IP address box, type IPAddress
(where IPAddress is the IP address of the child domain controller), click Add, and
then click OK.
To perform this procedure, you must be a member of the Domain Admins group.
2. In the console tree, right-click the new domain controller and click New Zone.
4. On the Zone Type page, select Secondary zone and click Next.
7. In the Master DNS Servers dialog box, enter the IP addresses of at least two
DNS servers in the forest root domain. Click Next.
8. Review the settings you defined, and click Finish to close the wizard.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group.
To configure the DNS client settings
1. On the desktop, right-click My Network Places and click Properties.
3. In the Local Area Connection Properties dialog box, click once on Internet
Protocol (TCP/IP) to highlight it (be sure you do not clear the check box in front
of it), then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, verify that Use the
following DNS server addresses: is selected.
5. If the new domain controller is located in the forest root domain, set the
Preferred DNS server IP address to that of another DNS server in the forest root
domain. Try to choose a server that is located near the new domain controller.
Set the Alternate DNS server address to the IP address of the new domain
controller (so that it is referencing itself).
If the new domain controller is located in a child domain, set the Preferred DNS
server IP address to the IP address of the new domain controller (so that it is
referencing itself). Set the Alternate DNS server address to that of another DNS
server in the same domain. Try to choose a server that is located near the new
domain controller.
Note
You do not need to perform this procedure on every replication partner, but you
need to perform it enough times to be confident that the shared system volumes
on the replication partners are healthy.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
2. In the Event Viewer tree, click File Replication Service to display the FRS
events.
3. Look for an event 13516 with a date and time stamp that corresponds with the
recent restart. It can take 15 minutes or more to appear. An event 13508
indicates that FRS is in the process of starting the service. An event 13509
indicates that the service has started successfully. Event 13516 indicates that the
service is started, the folders are shared, and the domain controller is functional.
4. To verify that the shared folders have been created, open a command prompt and
type net share to display a list of the shared folders on this domain controller,
including Net Logon and SYSVOL.
6. Look for a message that states computername passed test NetLogons, where
computername is the name of the domain controller. If you do not see the test
passed message, a problem will prevent replication from functioning. This
test verifies that the proper logon privileges are set to allow replication to occur. If
this test fails, verify the permissions set on the Net Logon and SYSVOL shared
folders.
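The FRS and share checks in steps 2 through 4, as an added PowerShell example that is not part of the operations guide. It reads the File Replication Service log for the three event IDs the guide names and enumerates the shares through WMI instead of net share so that the result can be tested in code; it assumes it runs on the restarted domain controller with Domain Admin rights.

```powershell
# Added example, not part of the operations guide. Reads the File Replication Service log for
# the event IDs the guide names (13508, 13509, 13516) and checks that the NETLOGON and SYSVOL
# shares exist, which is what "net share" shows interactively.
# Assumption: the script runs on the restarted domain controller with Domain Admin rights.
function Test-SysvolReady {
    param([datetime]$Since = (Get-Date).AddHours(-1))   # look back over the recent restart

    # 13508 = FRS is starting, 13509 = service started, 13516 = SYSVOL shared and DC functional
    $events = @(Get-EventLog -LogName 'File Replication Service' -After $Since -ErrorAction SilentlyContinue)
    $ids    = @($events | ForEach-Object { $_.EventID })

    # Same information as "net share", taken from WMI so it can be tested in code
    $shares = @(Get-WmiObject -Class Win32_Share | ForEach-Object { $_.Name.ToUpper() })

    New-Object PSObject -Property @{
        Saw13508       = ($ids -contains 13508)
        Saw13509       = ($ids -contains 13509)
        Saw13516       = ($ids -contains 13516)
        NetlogonShared = ($shares -contains 'NETLOGON')
        SysvolShared   = ($shares -contains 'SYSVOL')
    }
}

$state = Test-SysvolReady
$state | Format-List Saw13508, Saw13509, Saw13516, NetlogonShared, SysvolShared
if (-not ($state.Saw13516 -and $state.NetlogonShared -and $state.SysvolShared)) {
    # The guide allows 15 minutes or more for event 13516 to appear after a restart
    Write-Warning 'SYSVOL is not ready yet: wait and re-run, or check the Net Logon and SYSVOL share permissions.'
}
```

Because 13516 can take 15 minutes or more to appear, a result with the shares present but Saw13516 still false is expected shortly after a restart; treat it as a failure only if it persists.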
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
netdiag /test:dns
Note
For a more detailed response from this command, add /v to the end of
the command.
If DNS is functioning, the last line of the response is DNS Test…..: Passed. The
verbose option lists specific information about what was tested. This information
can help with troubleshooting if the test fails.
If the test fails, do not attempt any additional steps until you determine and fix the
problem that prevents proper DNS functionality.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Users group in Active
Directory.
netdiag /test:dsgetdc
Note
For a more detailed response from this command, add /v to the end of
the command.
If domain controllers are successfully located, the last line of the response is DC
discovery test……..: Passed. The verbose option lists the specific domain
controllers that are located.
If the test fails, do not attempt any additional steps until you determine and fix the
problem that prevents communication with other domain controllers.
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
dcdiag /test:replications
Note
For this set of tests, the /v option is available. However, it does not
display any significant additional information. Messages indicate that the
connectivity and replications tests passed.
3. To verify that the proper permissions are set for replication, type the following
command and then press Enter:
dcdiag /test:netlogons
Administrative Credentials
To perform this procedure, you must be a member of the Domain Users group in Active
Directory.
Note
You can use these tests prior to installing Active Directory as well as afterward.
To perform the test prior to installing Active Directory, you must use the /s option
to indicate the name of a domain controller to use. You do not need the /s option
to perform the test after installing Active Directory. The test automatically runs on
the local domain controller where you are performing the test. The commands
listed in this procedure show the /s option. If you are performing this test after
installing Active Directory, omit the /s option. For a more detailed response from
this command, you can use the verbose option by adding /v to the end of the
command to see the detailed response.
2. Type the following command to ensure that the operations masters can be
located and then press ENTER:
3. Type the following command to ensure that the operations masters are
functioning properly and are available on the network:
If these tests fail, do not attempt any additional steps until you determine and fix
the problem that prevents locating operations masters and verifying that they are
functioning properly.
Note
You can get a more detailed response from this command by using the verbose
option. Add /v to the end of the command listed to see the detailed response.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Users group.
netdiag /test:member
3. If the test was successful, you should see the following message: Domain
membership test Passed. If you use the /v option, the output also lists the name of
the domain controller, its role, the name of the domain, and a number of other
statistics about the new domain controller.
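The netdiag and dcdiag verification commands from the preceding procedures, gathered into one added PowerShell example that is not part of the operations guide. Each command is run and its output is reduced to a pass/fail flag by matching the "Passed" line the guide describes; netdiag.exe and dcdiag.exe (Windows Support Tools) are assumed to be on the PATH, and the optional server name is only needed before Active Directory is installed, as the guide explains for the /s option.

```powershell
# Added example, not part of the operations guide. Runs the netdiag and dcdiag tests that the
# guide lists and reduces each to a pass/fail flag by matching the "Passed" line in its output.
# Assumptions: netdiag.exe and dcdiag.exe (Windows Support Tools) are on the PATH; $Server is
# only needed before Active Directory is installed, exactly as the guide describes for /s.
function Invoke-Check {
    param([string]$Exe, [string[]]$Arguments, [string]$PassPattern)
    $output = (& $Exe @Arguments 2>&1 | Out-String)
    New-Object PSObject -Property @{
        Command = ($Exe + ' ' + ($Arguments -join ' '))
        Passed  = [bool]($output -match $PassPattern)   # -match is case-insensitive
    }
}

function Test-DcConnectivity {
    param([string]$Server)   # dcdiag /s:<dc>; leave empty after promotion to test the local DC
    $dcArgs = @()
    if ($Server) { $dcArgs = @("/s:$Server") }

    # Expected summary lines follow the "<test name> . . . : Passed" form shown in the guide
    @(
        (Invoke-Check 'netdiag' @('/test:dns')     'DNS test[\s.]*:\s*Passed'),
        (Invoke-Check 'netdiag' @('/test:dsgetdc') 'DC discovery test[\s.]*:\s*Passed'),
        (Invoke-Check 'netdiag' @('/test:member')  'Domain membership test[\s.]*:\s*Passed'),
        (Invoke-Check 'dcdiag'  (@('/test:replications') + $dcArgs) 'passed test Replications'),
        (Invoke-Check 'dcdiag'  (@('/test:netlogons')    + $dcArgs) 'passed test NetLogons')
    )
}

$results = Test-DcConnectivity
$results | Format-Table Command, Passed -AutoSize
if (@($results | Where-Object { -not $_.Passed }).Count -gt 0) {
    # The guide's rule: do not continue with installation or removal until every test passes
    Write-Warning 'At least one test failed: fix the underlying problem before taking further steps.'
}
```

The same function can be called before decommissioning a domain controller, since the guide asks for the identical connectivity tests at that point; add /v to an individual command by hand when a failing test needs the detailed output.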
Renaming a Domain Controller
The ability to rename domain controllers running Windows Server 2003 (unlike
Windows 2000 Server) provides you with the flexibility to:
Note
It is important to note that domain controller names have a primary impact on
administration, rather than client access. Renaming a domain controller is an
optional exercise, and the impacts should be well understood prior to renaming.
Although you can use the System Properties user interface (UI) to rename a domain
controller (as you can for any computer), Active Directory and DNS replication latency
might temporarily prevent clients from locating or authenticating to the renamed domain
controller, or both. To avoid this delay, use the Netdom command-line tool to rename a
domain controller.
Task requirements
The following tools are required to perform the procedures for this task:
Ldp.exe or Adsiedit.msc
If you want to use Netdom, the domain functional level must be set to
Windows Server 2003.
To complete this task, use one of the following two sets of procedures:
Or
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group.
7. If you are prompted, provide the user name and password for an account with
Domain Admin or Enterprise Admin credentials.
Note
Renaming a domain controller in this way may result in Active Directory
replication latency, making it more difficult for clients to locate or
authenticate the domain controller under its new name.
See Also
Rename a domain controller using Netdom
Rename a domain controller using Netdom
You can use this procedure to rename a domain controller by using the Netdom
command-line tool.
The netdom command updates the service principal name (SPN) attributes in
Active Directory for the computer account and registers Domain Name System (DNS)
resource records for the new computer name. The SPN value of the computer account
must be replicated to all domain controllers in the domain, and the DNS resource records
for the new computer name must be distributed to all the authoritative DNS servers for
the domain name. If the updates and registrations have not occurred prior to removal of
the old computer name, some clients might be unable to locate this computer using the
new name or the old name.
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group.
2. Type the following command to add the new domain controller name, and then
press ENTER:
3. Type the following command to designate the new name as the primary
computer name, and then press ENTER:
netdom computername CurrentComputerName /makeprimary:NewComputerName
6. Type the following command to remove the old domain controller name, and then
press ENTER:
See Also
Rename a domain controller using System Properties
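The Netdom rename sequence above, as an added PowerShell example that is not part of the operations guide. It splits the work into an "Add" phase (add the new name, make it primary) and a "Remove" phase that refuses to remove the old name until the HOST/<newname> service principal name is visible on every domain controller and the new name resolves on every authoritative DNS server, which is the precondition the guide states. All host names are placeholders; netdom.exe and nslookup.exe are assumed to be on the PATH and the domain functional level to be Windows Server 2003.

```powershell
# Added example, not part of the operations guide. Wraps the Netdom rename sequence in two
# phases: "Add" registers the new name and makes it primary; "Remove" drops the old name only
# after the HOST/<newname> SPN is present on every domain controller and the new name resolves
# on every authoritative DNS server. Assumptions: netdom.exe and nslookup.exe are on the PATH,
# the domain functional level is Windows Server 2003, and every name below is a placeholder.
param(
    [ValidateSet('Add', 'Remove')][string]$Phase = 'Add',
    [string]$CurrentName = 'dc01.child.example.com',
    [string]$NewName     = 'dc-rn01.child.example.com',
    [string[]]$DomainControllers = @('dc02.child.example.com', 'dc03.child.example.com'),
    [string[]]$DnsServers        = @('dc02.child.example.com', 'dc03.child.example.com')
)

function Invoke-Netdom {
    param([string[]]$Arguments)
    & netdom @Arguments
    if ($LASTEXITCODE -ne 0) { throw "netdom $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

function Test-SpnOnAllDcs {
    param([string]$SamName, [string]$Fqdn, [string[]]$Dcs)
    # Bind to each DC's own copy of the domain partition so that replication of the SPN is really tested
    foreach ($dc in $Dcs) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot = [ADSI]"LDAP://$dc"
        $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$SamName`$))"
        $hit = $searcher.FindOne()
        if ($hit -eq $null) { Write-Warning "$dc has no computer object for $SamName"; return $false }
        $spns = @($hit.Properties['serviceprincipalname'])
        if (-not ($spns -contains "HOST/$Fqdn")) { Write-Warning "$dc does not yet have HOST/$Fqdn"; return $false }
    }
    return $true
}

function Test-NameOnAllDnsServers {
    param([string]$Fqdn, [string[]]$Servers)
    foreach ($s in $Servers) {
        # A successful lookup prints a "Name: <fqdn>" line; a failure prints "can't find"
        $out = (& nslookup $Fqdn $s 2>&1 | Out-String)
        if ($out -notmatch ('Name:\s*' + [regex]::Escape($Fqdn))) { Write-Warning "$s cannot resolve $Fqdn"; return $false }
    }
    return $true
}

switch ($Phase) {
    'Add' {
        Invoke-Netdom @('computername', $CurrentName, "/add:$NewName")
        Invoke-Netdom @('computername', $CurrentName, "/makeprimary:$NewName")
        Write-Host 'Restart the domain controller, allow replication and DNS updates to complete, then run again with -Phase Remove.'
    }
    'Remove' {
        $sam = $NewName.Split('.')[0]   # after /makeprimary the computer account carries the new name
        if (-not (Test-SpnOnAllDcs -SamName $sam -Fqdn $NewName -Dcs $DomainControllers)) { throw 'SPN not yet on every DC; keep the old name for now.' }
        if (-not (Test-NameOnAllDnsServers -Fqdn $NewName -Servers $DnsServers))          { throw 'New name not on every DNS server; keep the old name for now.' }
        Invoke-Netdom @('computername', $NewName, "/remove:$CurrentName")
    }
}
```

Keeping the two phases separate is the point: the delay between them is where replication and DNS registration happen, and a rename that skips the checks produces exactly the client lookup failures the guide warns about.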
Update the FRS member object
Use this procedure to update the File Replication Service (FRS) member object after
renaming a domain controller.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group or the
Enterprise Admins group.
6. Change the computer name of this Ntfrsmember object from the old name of the
domain controller to the new name of the domain controller.
Task Requirements
The following tools are required to perform the procedures for this task:
Ntdsutil.exe
Netdiag.exe
Dcdiag.exe
To avoid problems, transfer any operations master roles prior to running the Active
Directory Installation Wizard to decommission a domain controller so that you can
control the operations master role placement. If you need to transfer any roles from a
domain controller, understand all the recommendations for role placement before
performing the transfer.
Caution
During the decommissioning process, the Active Directory Installation Wizard
will attempt to transfer any remaining operations master roles to other
domain controllers without any user interaction. However, if a failure occurs,
the wizard will continue to uninstall Active Directory and leave your domain
without roles. Also, you do not have control over which domain controller
receives the roles. The wizard transfers the roles to any available domain
controller and does not indicate which domain controller hosts them.
If you remove Active Directory from a domain controller that hosts a global catalog,
the Active Directory Installation Wizard confirms that you want to continue with
removing Active Directory. This confirmation ensures that you are aware that you are
removing a global catalog from your environment. Do not remove the last global
catalog server from your environment because users cannot log on without an
available global catalog server. If you are not sure, do not proceed with removing
Active Directory until you know that at least one other global catalog server is
available.
During the removal of Active Directory, contact with other domain controllers is
required to ensure:
Any unreplicated changes are replicated to another domain controller.
If the domain controller cannot contact the other domain controllers during Active
Directory removal, the decommissioning operation fails. As with the installation
process, test the communication infrastructure prior to running the installation wizard.
When you remove Active Directory, use the same connectivity tests that you used
during the installation of Active Directory.
Important
If any of the verification tests fail, do not continue until you determine and fix
the problems. If these tests fail, the uninstallation is also likely to fail.
Note
The administrator may not want to remove the Server object if it hosts
something in addition to Active Directory—Microsoft Exchange, for example.
To view the current operations master role holders, use Ntdsutil.exe with the roles option.
This option displays a list of all current role holders.
Administrative Credentials
5. After receiving confirmation of the connection, type quit and press ENTER to exit
this menu.
6. At the fsmo maintenance: prompt, type select operation target and press
ENTER.
7. At the select operations target: prompt, type list roles for connected server
and press ENTER.
The system responds with a list of the current roles and the Lightweight Directory
Access Protocol (LDAP) name of the domain controllers currently assigned to
host each role.
8. Type quit and press ENTER to exit each prompt in Ntdsutil.exe. Type quit and
press ENTER at the ntdsutil: prompt to close the window.
Note
This procedure is performed by using the Microsoft Management Console
(MMC), although you can also transfer this role by using Ntdsutil.exe. For
information about using Ntdsutil.exe to transfer operations master roles, type ? at
the Ntdsutil.exe command prompt.
Administrative Credentials
2. In the console tree, right-click Active Directory Schema, and click Change
Domain Controller.
3. In the Change Domain Controller dialog box, click Specify Name. Then, in the
text box, type the name of the server to which you want to transfer the schema
master role. Click OK.
5. Click Change. Click Yes to confirm your choice. The system confirms the
operation. Click OK again to confirm that the operation succeeded.
Note
Hosting the infrastructure master on a global catalog server is not
recommended. If you attempt to transfer the infrastructure master role to
a domain controller that is a global catalog, the system displays a
warning stating that this is not recommended.
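An added PowerShell example, not part of the operations guide, that lists the operations master role holders without Ntdsutil by reading the fSMORoleOwner attribute of the object that records each role, and that flags the infrastructure-master-on-a-global-catalog case described in the note above. It assumes it runs on a domain member with ordinary read access to the directory.

```powershell
# Added example, not part of the operations guide. Lists the operations master role holders by
# reading fSMORoleOwner on the object that records each role (the same information that
# "list roles for connected server" prints in Ntdsutil) and flags an infrastructure master
# that is also a global catalog. Assumption: runs on a domain member with read access.
function ConvertFrom-NtdsSettingsDn {
    param([string]$Dn)   # e.g. CN=NTDS Settings,CN=DC1,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,...
    $rdns = $Dn -split ','
    New-Object PSObject -Property @{
        Server = ($rdns[1] -replace '^CN=', '')
        Site   = ($rdns[3] -replace '^CN=', '')
    }
}

function Get-FsmoRoleHolders {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = $rootDse.defaultNamingContext.Value
    $configDn = $rootDse.configurationNamingContext.Value
    $schemaDn = $rootDse.schemaNamingContext.Value

    # Where Active Directory stores each role: fSMORoleOwner on these five objects
    $roles = @(
        @{ Role = 'Schema';         Path = "LDAP://$schemaDn" },
        @{ Role = 'Domain naming';  Path = "LDAP://CN=Partitions,$configDn" },
        @{ Role = 'PDC';            Path = "LDAP://$domainDn" },
        @{ Role = 'RID';            Path = "LDAP://CN=RID Manager`$,CN=System,$domainDn" },
        @{ Role = 'Infrastructure'; Path = "LDAP://CN=Infrastructure,$domainDn" }
    )

    foreach ($r in $roles) {
        $ntdsDn = ([ADSI]$r.Path).fSMORoleOwner.Value
        $holder = ConvertFrom-NtdsSettingsDn -Dn $ntdsDn
        # Bit 0 of the NTDS Settings "options" attribute marks a global catalog server
        $options = [int]([ADSI]"LDAP://$ntdsDn").options.Value
        $isGc    = (($options -band 1) -eq 1)
        New-Object PSObject -Property @{
            Role            = $r.Role
            Holder          = $holder.Server
            Site            = $holder.Site
            IsGlobalCatalog = $isGc
            Warning         = $(if ($r.Role -eq 'Infrastructure' -and $isGc) { 'Infrastructure master on a GC is not recommended' } else { '' })
        }
    }
}

Get-FsmoRoleHolders | Format-Table Role, Holder, Site, IsGlobalCatalog, Warning -AutoSize
```

Run it before and after a transfer: the Holder column should change for exactly the role you moved, and the Warning column tells you before you click Change whether the target you chose for the infrastructure master is a global catalog.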
Note
This procedure is performed by using the Microsoft Management Console
(MMC), although you can also transfer this role by using Ntdsutil.exe. For
information about using Ntdsutil.exe to transfer operations master roles, type ? at
the Ntdsutil.exe command prompt.
Administrative Credentials
To perform this procedure, you must be a member of the Enterprise Admins group in
Active Directory.
To transfer the domain naming master
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click Active Directory Domains and Trusts, and then
click Connect to Domain Controller.
3. Ensure that the proper domain name is entered in the Domain box.
4. In the Name column, click the domain controller (to select it) to which you want to
transfer the role. Click OK.
5. Right-click Active Directory Domains and Trusts, and then click Operations
Master.
6. The name of the current domain naming master appears in the first text box. The
server to which you want to transfer the role should appear in the second text
box. If this is not the case, repeat steps 1 through 4.
7. Click Change. To confirm the role transfer, click Yes. Click OK again to close the
message box indicating the transfer took place. Click Close to close the Change
Operations Master dialog box.
Note
These procedures are performed by using MMC, although you can also transfer
these roles by using Ntdsutil.exe. For information about using Ntdsutil.exe to
transfer the operations master roles, type ? at the Ntdsutil.exe command prompt.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
To transfer a domain-level operations master role
1. Open Active Directory Users and Computers.
2. At the top of the console tree, right-click Active Directory Users and
Computers. Click Connect to Domain Controller.
3. In the list of available domain controllers, click the name of the server to which
you want to transfer the role, and then click OK.
4. At the top of the console tree, right-click Active Directory Users and
Computers, point to All Tasks, and then click Operations Masters.
The name of the current operations master role holder appears in the
Operations master box. The name of the server to which you want to transfer
the role appears in the lower box.
5. Click the tab for the role you want to transfer: RID, PDC, or Infrastructure. Verify
the computer names that appear and then click Change. Click Yes to transfer the
role, and then click OK.
6. Repeat steps 4 and 5 for each role that you want to transfer.
To perform this procedure, you must be a member of the Domain Users group in Active
Directory.
2. In the console tree, expand the Sites container, expand the site of the domain
controller you want to check, expand the Servers container, and then expand the
Server object.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
netdiag /test:dns
Note
For a more detailed response from this command, add /v to the end of
the command.
If DNS is functioning, the last line of the response is DNS Test…..: Passed. The
verbose option lists specific information about what was tested. This information
can help with troubleshooting if the test fails.
If the test fails, do not attempt any additional steps until you determine and fix the
problem that prevents proper DNS functionality.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Users group in Active
Directory.
netdiag /test:dsgetdc
Note
For a more detailed response from this command, add /v to the end of
the command.
If domain controllers are successfully located, the last line of the response is DC
discovery test……..: Passed. The verbose option lists the specific domain
controllers that are located.
If the test fails, do not attempt any additional steps until you determine and fix the
problem that prevents communication with other domain controllers.
To perform this procedure, you must be a member of the Domain Users group in Active
Directory.
Note
You can use these tests prior to installing Active Directory as well as afterward.
To perform the test prior to installing Active Directory, you must use the /s option
to indicate the name of a domain controller to use. You do not need the /s option
to perform the test after installing Active Directory. The test automatically runs on
the local domain controller where you are performing the test. The commands
listed in this procedure show the /s option. If you are performing this test after
installing Active Directory, omit the /s option. For a more detailed response from
this command, you can use the verbose option by adding /v to the end of the
command to see the detailed response.
2. Type the following command to ensure that the operations masters can be
located and then press ENTER:
3. Type the following command to ensure that the operations masters are
functioning properly and are available on the network:
If these tests fail, do not attempt any additional steps until you determine and fix
the problem that prevents locating operations masters and verifying that they are
functioning properly.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group.
To uninstall Active Directory
1. Click Start, click Run, type dcpromo and then click OK.
2. The Active Directory Installation Wizard appears. Click Next at the Welcome
screen.
3. You have an option to select This server is the last domain controller in the
domain. If you select this option, the wizard attempts to remove the domain from
the forest. Do not select this option. Click Next.
4. At the Administrative Password screen, enter and confirm the password that
you want to assign to the local Administrator account after Active Directory is
removed. Click Next.
5. At the Summary screen, verify that the information is correct and then click Next
to proceed with the removal.
6. The wizard proceeds to remove Active Directory. After it finishes, the wizard
displays a completion screen. Click Finish to close the wizard.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Users group.
2. Expand the Sites container and expand the site of the Server object.
3. Expand the Servers container, and then expand the Server object to view any
Child objects.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group.
2. Expand the Sites container, and then expand the site from which you want to
delete a Server object.
3. If no Child objects appear below the Server object, right-click the Server object,
and then click Delete.
Important
Do not delete a Server object that has a Child object. If an NTDS
Settings or other Child object appears below the Server object you want
to delete, either replication on the domain controller on which you are
viewing the Configuration container has not occurred, or the server
whose Server object you are removing has not been properly
decommissioned.
Consequently, forced removal of Active Directory from a domain controller should always
be followed by the metadata cleanup procedure, which removes all references to the
domain controller from the domain and forest.
Forced demotion should not be performed on the last domain controller in a domain.
Task Requirements
The following tools are required to perform the procedures for this task:
Dcpromo.exe
Ntdsutil.exe
1. Identify replication partners. Connect to one of these domain controllers when you
clean up server metadata in procedure 3.
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group in Active
Directory.
To identify replication partners
1. Open Active Directory Sites and Services.
2. In the console tree, expand the Sites container to display the list of sites.
3. Double-click the site that contains the domain controller for which you want to
determine Connection objects.
Note
If you do not know the site in which the domain controller is located, open
a command prompt and type ipconfig to get the IP address of the
domain controller. Use the IP address to verify that an IP address maps
to a subnet and determine the site association.
4. Expand the Servers folder to display the list of servers in that site.
5. Expand the name of your domain controller to display its NTDS settings.
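The two inspections above (checking a Server object for Child objects before deleting it, and reading its NTDS Settings to identify replication partners), as one added PowerShell example that is not part of the operations guide. It reads the Configuration container directly; the server and site names are placeholders, and it assumes a Domain Admin runs it on a domain member.

```powershell
# Added example, not part of the operations guide. Inspects a Server object in the
# Configuration container: it lists the Child objects (an NTDS Settings child means the DC is
# still registered and the Server object must not be deleted) and, if NTDS Settings exists,
# reads the inbound connection objects to name the replication partners to connect to during
# metadata cleanup. Assumptions: Domain Admin on a domain member; names are placeholders.
function Get-ServerObjectStatus {
    param(
        [string]$ServerName = 'DC01',    # placeholder NetBIOS name of the decommissioned DC
        [string]$SiteName   = 'Site1'    # placeholder site; derive it from the DC's IP subnet if unknown
    )
    $configDn = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    $serverDn = "CN=$ServerName,CN=Servers,CN=$SiteName,CN=Sites,$configDn"

    $children = @()
    try {
        # Name is the RDN of each child, e.g. "CN=NTDS Settings"
        foreach ($child in ([ADSI]"LDAP://$serverDn").Children) { $children += $child.Name }
    } catch {
        throw "Server object $serverDn could not be read: $_"
    }

    $partners = @()
    if ($children -contains 'CN=NTDS Settings') {
        # Each nTDSConnection child names the partner's NTDS Settings object in fromServer
        foreach ($conn in ([ADSI]"LDAP://CN=NTDS Settings,$serverDn").Children) {
            $from = $conn.fromServer.Value
            if ($from) { $partners += (($from -split ',')[1] -replace '^CN=', '') }
        }
    }

    New-Object PSObject -Property @{
        ServerDn            = $serverDn
        ChildObjects        = ($children -join ', ')
        ReplicationPartners = ($partners -join ', ')
        SafeToDelete        = ($children.Count -eq 0)   # the guide's rule: no Child objects
    }
}

Get-ServerObjectStatus | Format-List ServerDn, ChildObjects, ReplicationPartners, SafeToDelete
```

When SafeToDelete is false and the server really has been demoted, either replication of the Configuration container has not reached the domain controller you are reading from, or the demotion did not complete and metadata cleanup is needed; in both cases the ReplicationPartners list is where to look next.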
Administrative Credentials
To perform this procedure, you must be a member of the Domain Admins group.
Dcpromo /forceremoval
2. At the Welcome to the Active Directory Installation Wizard page, click Next.
Administrative credentials
To complete this procedure, you must be a member of the Enterprise Admins group.
ntdsutil
metadata cleanup
Or
connection
quit
list sites
quit
At this point, Active Directory confirms that the domain controller was removed
successfully. If you receive an error message that indicates that the object cannot
be found, Active Directory might have already removed the domain controller.
Designing and Deploying Directory and Security Services on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=27638)
"Monitoring Active Directory Health" in the Active Directory Management Pack
Technical Reference for MOM 2005 on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=43127)
Best Practices for Delegating Active Directory Administration on the Microsoft Web
site (http://go.microsoft.com/fwlink/?LinkId=46579)
For specific information about troubleshooting Active Directory problems, see the
following resources:
For development information about Active Directory, see the following resources:
Lightweight Directory Access Protocol Platform SDK on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkID=2972)
RFC Pages and Internet-Drafts on the Internet Engineering Task Force Web site
(http://go.microsoft.com/fwlink/?LinkID=121)
Note
Web addresses can change, so you might be unable to connect to the Web site
or sites mentioned here.
Troubleshooting Active Directory Operations
This Active Directory Troubleshooting guide provides troubleshooting information for
Active Directory in the Microsoft Windows Server 2003 and Windows Server 2003 with
Service Pack 1 (SP1) operating systems.
In this guide
This initial release of the Active Directory Troubleshooting guide includes troubleshooting
recommendations and procedures for diagnosing and fixing problems that may occur with
Active Directory replication. This content focuses primarily on responses to Directory
Service event log messages and tool-based error messages that might be reported by
the Repadmin.exe and Dcdiag.exe tools, which are available in Windows Support Tools.
Installation of Windows Server 2003 with SP1 is encouraged for improved diagnostic
support in both Windows Support Tools, which you must install separately, and the
Ntdsutil.exe administrative command-line tool, which is included with the operating
system.
Acknowledgments
Key Technical Reviewers: Arren Conner, Gregory Johnson, Rob Kochman, Ajit Krishnan,
Dave Tesar
The advantages of running Windows Server 2003 with SP1 with regard to
troubleshooting include enhancements to the Ntdsutil command-line tool. Ntdsutil.exe
has new functionality that makes it easier to remove domain controller metadata and to
authoritatively restore directory objects.
Make sure that the SP1 version of Windows Support Tools is installed on all domain
controllers that are running Windows Server 2003 with SP1.
Requirements
Operating system: Windows Server 2003 with SP1. You cannot use suptools.msi to
install the SP1 version of Windows Support Tools on a computer that is not running
Windows Server 2003 with SP1.
3. When the Welcome screen appears, click Perform additional tasks, and then
click Browse this CD.
4. Go to the \Support\Tools folder. For complete setup information, see the
Readme.htm file in this folder.
5. Double-click suptools.msi.
By default, the logging levels for all entries are set to 0, which provides the minimum
amount of information. The highest logging level is 5. Increasing the level for an entry
causes additional events to be logged in the Directory Service event log. The following
diagram shows the diagnostic entries that are available.
Use the following procedure to change the logging level for a diagnostic entry.
Caution
It is recommended that you do not directly edit the registry unless there is no
other alternative. Modifications to the registry are not validated by the registry
editor or by Windows before they are applied, and as a result, incorrect values
can be stored. This can result in unrecoverable errors in the system. When
possible, use Group Policy or other Windows tools, such as Microsoft
Management Console (MMC), to accomplish tasks rather than editing the registry
directly. If you must edit the registry, use extreme caution.
Requirements
Tools: Regedit.exe
4. In the Value data box, type an integer from 0 through 5, and then click OK.
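The same change made in code, as an added PowerShell example that is not part of the operations guide. It reads and sets the Directory Service diagnostic entries under the NTDS Diagnostics registry key, enforces the 0 through 5 range, and refuses to create a value name that does not already exist, so a mistyped entry name cannot silently log nothing. It assumes it runs as an administrator on the domain controller being changed.

```powershell
# Added example, not part of the operations guide. Reads and sets the Directory Service
# diagnostic logging levels under the NTDS Diagnostics key, with the guide's 0 through 5 range
# enforced and no new value names created by mistake.
# Assumption: runs as an administrator on the domain controller whose logging you are changing.
$NtdsDiagnosticsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-NtdsDiagnosticLevel {
    # Every diagnostic entry is a DWORD named "<number> <area>", e.g. "5 Replication Events"
    $props = Get-ItemProperty -Path $NtdsDiagnosticsKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match '^\d+ ') {
            New-Object PSObject -Property @{ Entry = $p.Name; Level = [int]$p.Value }
        }
    }
}

function Set-NtdsDiagnosticLevel {
    param([string]$Entry, [int]$Level)
    if ($Level -lt 0 -or $Level -gt 5) { throw 'Level must be an integer from 0 through 5.' }
    $known = @(Get-NtdsDiagnosticLevel | ForEach-Object { $_.Entry })
    # Refuse to create a value that does not exist: a typo would silently log nothing
    if ($known -notcontains $Entry) { throw "No diagnostic entry named '$Entry' under $NtdsDiagnosticsKey" }
    Set-ItemProperty -Path $NtdsDiagnosticsKey -Name $Entry -Value $Level -Type DWord
}

Get-NtdsDiagnosticLevel | Sort-Object { [int]($_.Entry -split ' ')[0] } | Format-Table Entry, Level -AutoSize
# Raise replication logging while troubleshooting, then return it to 0 when finished:
# Set-NtdsDiagnosticLevel -Entry '5 Replication Events' -Level 3
# Set-NtdsDiagnosticLevel -Entry '5 Replication Events' -Level 0
```

Higher levels add events to the Directory Service log quickly; the last two commented lines show the pattern of raising one entry for the duration of an investigation and restoring the default afterwards.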
Inbound or outbound replication failure causes Active Directory objects that represent the
replication topology, replication schedule, domain controllers, users, computers,
passwords, security groups, group memberships, and Group Policy to be inconsistent
between domain controllers. Directory inconsistency causes either operational failures or
inconsistent results, depending on the domain controller that is contacted for the
operation at hand. Active Directory depends on network connectivity, name resolution,
authentication and authorization, the directory database, the replication topology, and the
replication engine. When the root cause of a replication problem is not immediately
obvious, determining the cause among the many possible causes requires systematic
elimination of probable causes.
Event and Tool Solution Recommendations
Ideally, the red (Error) and yellow (Warning) events in the Directory Service event log
suggest the specific constraint that is causing replication failure on the source or
destination domain controller. If the event message suggests steps for a solution, try the
steps listed in the event. The Repadmin tool and other diagnostic tools also provide
information that can help you resolve replication failures.
Intentional Disconnections
If replication errors are reported by a domain controller that is attempting replication with
a domain controller that has been built in a staging site and is currently offline awaiting its
deployment in the final production site (remote), you can account for those errors. To
avoid separating a domain controller from the replication topology for extended periods,
which causes continuous errors until the domain controller is reconnected, consider
adding such computers initially as member servers and using the install-from-media
method to install Active Directory. You can back up an up-to-date domain controller to
removable media (CD/DVD or other media) and ship the media to the destination site.
Then, you can use the media to promote the domain controllers at the site, without
requiring replication. For more information about installing from media, see Installing a
Domain Controller in an Existing Domain Using Restored Backup Media.
Periodic hardware upgrades can also cause domain controllers to be out of service.
Ensure that your server owners have a good system of communicating such outages in
advance.
Correct Response to Any Outdated Server
Running Windows 2000 Server
If a domain controller running Windows 2000 Server has failed for longer than the
number of days in the tombstone lifetime, the solution is always the same:
3. Remove the server metadata from Active Directory so that the server object cannot
be revived.
Note
By default, NTDS Settings objects that are deleted are revived automatically for a
period of 14 days. Therefore, if you do not remove server metadata (use Ntdsutil
to perform metadata cleanup), the server metadata is reinstated in the directory,
which prompts replication attempts to occur. In this case, errors will be logged
persistently as a result of the inability to replicate with the missing domain
controller.
Root Causes
If you rule out intentional disconnections, hardware failures, and outdated Windows 2000
domain controllers, the remainder of replication problems almost always have one of the
following root causes:
Name resolution: DNS misconfigurations are a common cause for replication failures.
Authentication and authorization: Authentication and authorization problems cause
"Access denied" errors when a domain controller tries to connect to its replication
partner.
Directory database (store): The directory database might not be able to process
transactions fast enough to keep up with replication timeouts.
Replication engine: If intersite replication schedules are too short, replication queues
might be too large to process in the time that is required by the outbound replication
schedule. In this case, replication of some changes can be stalled indefinitely —
potentially, long enough to exceed the tombstone lifetime.
Replication topology: Domain controllers must have intersite links in Active Directory
that map to real wide area network (WAN) or virtual private network (VPN)
connections. If you create objects in Active Directory for the replication topology that
are not supported by the actual site topology of your network, replication that requires
the misconfigured topology fails.
2. Attempt to resolve any reported failure in a timely manner by using the methods
described in event messages and this guide. If software might be causing the
problem, uninstall the software before you continue with other solutions.
3. If the problem that is causing replication to fail cannot be resolved by any known
methods, remove Active Directory from the server and then reinstall Active Directory.
For more information about reinstalling Active Directory, see Decommissioning a
Domain Controller.
4. If Active Directory cannot be removed normally while connected to the network, use
one of the following methods to resolve the problem:
For more information about forcing Active Directory removal, see Forcing the
Removal of a Domain Controller.
Use a monitoring application that you set to capture and report specific errors and
events on a daily basis.
DNS infrastructure
Kerberos
Network connectivity
Use Repadmin (Windows Support Tools) to monitor replication status daily by running a
command that assesses the replication status of all domain controllers in your forest. The
procedure generates a .csv file that you can open in Excel and filter for replication
failures.
Use the following procedure to retrieve the replication status of all domain controllers in
the forest.
Requirements
Tools:
6. Select the row just under the column headings, and then, on the Window menu,
click Freeze Pane.
7. Click the upper-left corner of the spreadsheet to highlight the entire spreadsheet.
On the Data menu, point to Filter, and then click AutoFilter.
8. In the heading of the Last Success column, click the down arrow, and then click
Sort Ascending.
9. In the heading of the Source DC column, click the down arrow, and then click
Custom. In the Custom AutoFilter dialog box, complete the custom filter as
follows:
b. In the corresponding text box, type del to filter deleted domain controllers
from the spreadsheet.
10. In the heading of the Last Failure column, click the down arrow, and then click
Custom. In the Custom AutoFilter dialog box, complete the custom filter as
follows:
b. In the corresponding text box, type 0 to filter for only domain controllers that
are experiencing failures.
For every domain controller in the forest, the spreadsheet shows the source replication
partner, the time that replication last occurred, and the time that the last replication failure
occurred for each naming context (directory partition). By using AutoFilter in Excel, you
can view the replication health for working domain controllers only, failing domain
controllers only, or domain controllers that are the least or most current, and you can see
the replication partners that are replicating successfully.
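The same three views (failing links, links older than the tombstone lifetime, deleted domain controllers filtered out) can be produced from the repadmin .csv without Excel. This is an added example, not code from the guide; the CSV text is constructed, and its column names follow the spreadsheet headings the guide refers to rather than any verified repadmin header text, so adjust them in parse_showrepl_csv() if your version of repadmin names them differently.

```python
"""Triage of repadmin /showrepl * /csv output without Excel (added example)."""
import csv
import io
from datetime import datetime, timedelta

# Default tombstone lifetimes stated in the guide, keyed by the operating
# system of the first domain controller installed in the forest.
TOMBSTONE_LIFETIME_DAYS = {"ws2003": 60, "ws2003sp1": 180}

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample shaped like the .csv that repadmin /showrepl * /csv
# produces (column names are an assumption, see the lead-in). "0" in
# Last Failure means no failure has been recorded, and a source whose name
# contains "DEL:" is a deleted domain controller that still shows up in the
# output; the guide filters both with AutoFilter. Server names, dates and
# the placeholder GUID are constructed.
SAMPLE_CSV = """\
Destination DC,Naming Context,Source DC,Number of Failures,Last Failure,Last Success,Last Failure Status
DC1,"DC=contoso,DC=com",DC2,0,0,2005-02-21 09:00:00,0
DC1,"DC=contoso,DC=com",DC3,4,2005-02-21 09:13:44,2004-11-01 08:00:00,8524
DC1,"CN=Configuration,DC=contoso,DC=com",DC3,4,2005-02-21 09:13:50,2004-11-01 08:00:00,8524
DC2,"CN=Configuration,DC=contoso,DC=com",DC1,0,0,2005-02-21 08:55:00,0
DC2,"DC=contoso,DC=com",DC4\\0ADEL:placeholder-guid,0,0,2004-06-01 00:00:00,0
DC3,"DC=contoso,DC=com",DC1,1,2005-02-20 23:00:00,2005-02-21 09:05:00,1722
"""

# Constructed "current time" used when the sample is triaged.
SAMPLE_NOW = datetime(2005, 2, 21, 10, 0, 0)


def parse_time(value):
    """Return a datetime, or None where repadmin wrote 0 (never recorded)."""
    value = value.strip()
    if value in ("", "0"):
        return None
    return datetime.strptime(value, TIME_FORMAT)


def parse_showrepl_csv(text):
    """Turn the CSV text into a list of dicts with typed fields."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "destination": rec["Destination DC"],
            "partition": rec["Naming Context"],
            "source": rec["Source DC"],
            "failures": int(rec["Number of Failures"]),
            "last_failure": parse_time(rec["Last Failure"]),
            "last_success": parse_time(rec["Last Success"]),
            "status": int(rec["Last Failure Status"]),
        })
    return rows


def is_deleted_dc(name):
    """Deleted DCs keep appearing in the output until their metadata is gone."""
    return "DEL:" in name.upper()


def triage(rows, now, tombstone_days=TOMBSTONE_LIFETIME_DAYS["ws2003"]):
    """Apply the guide's views: links that are failing right now, links whose
    last success is older than the tombstone lifetime (the condition behind
    event ID 2042 and lingering objects), and deleted DCs to leave out."""
    limit = now - timedelta(days=tombstone_days)
    failing, stale, ignored = [], [], set()
    for r in rows:
        if is_deleted_dc(r["source"]):
            ignored.add(r["source"])
            continue
        link = (r["destination"], r["source"], r["partition"])
        # A failure newer than the last success means the link is down now;
        # an older failure was transient and the link has since recovered.
        if r["last_failure"] is not None and (
            r["last_success"] is None or r["last_failure"] > r["last_success"]
        ):
            failing.append(link + (r["status"],))
        if r["last_success"] is None or r["last_success"] < limit:
            stale.append(link)
    return {"failing": failing, "stale": stale, "ignored": sorted(ignored)}


def triage_sample(tombstone_days):
    """Triage the constructed sample as of SAMPLE_NOW."""
    return triage(parse_showrepl_csv(SAMPLE_CSV), SAMPLE_NOW, tombstone_days)


def report(result, tombstone_days):
    """Print the triage in the order an operator would read it."""
    for dest, src, nc, status in result["failing"]:
        print(f"FAILING  {dest} <- {src}  {nc}  status {status}")
    for dest, src, nc in result["stale"]:
        print(f"STALE    {dest} <- {src}  {nc}  (older than {tombstone_days} days)")
    for name in result["ignored"]:
        print(f"IGNORED  deleted DC {name}")


if __name__ == "__main__":
    days = TOMBSTONE_LIFETIME_DAYS["ws2003"]
    report(triage_sample(days), days)
```

Running the sample with 180 days instead of 60 shows why the forest's actual tombstone lifetime matters: the DC1 to DC3 links are still failing but no longer count as older than the tombstone lifetime.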
Attempting to Resolve Problems
Replication problems are reported in event messages and in various error messages that
occur when an application or service attempts an operation. Ideally, these messages are
collected by your monitoring application or when you retrieve replication status.
Most replication problems are identified in the event messages that are logged in the
Directory Service event log. Replication problems might also be identified in the form of
error messages in the output of the repadmin /showrepl command.
Symptom: The time since last replication with this server has exceeded the tombstone
lifetime.
Cause: A domain controller has failed inbound replication with the named source domain
controller long enough for a deletion to have been tombstoned, replicated, and
garbage-collected from Active Directory.
Solution: Event ID 2042: It has been too long since this machine replicated

Symptom: Last attempt at <date - time> failed with the "Target account name is incorrect."
Cause: This problem can be related to connectivity, DNS, or authentication issues. If this
is a DNS error, the local domain controller could not resolve the globally unique identifier
(GUID)–based DNS name of its replication partner.
Solution: Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088); Fixing
Replication Security Problems; Fixing Replication Connectivity Problems (Event ID 1925)

Symptom: Cannot open LDAP connection to local host
Cause: The administration tool could not contact Active Directory.
Solution: Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088)

Symptom: Replication posted, waiting. Replication is in progress from this source.
Cause: The domain controller posted a replication request and is waiting for an answer.
Solution: Wait for replication to complete. This informational message indicates normal
operation.
Event Messages That Indicate Active Directory Replication
Problems
The following table lists common events that might indicate problems with
Active Directory replication, along with root causes of the problems and links to topics
that provide solutions for the problems.
Event ID and source: 1988 — NTDS Replication
Event string: The local domain controller has attempted to replicate an object from a
source domain controller that is not present on the local domain controller because it
may have been deleted and already garbage-collected. Replication will not proceed for
this directory partition with this partner until the situation is resolved.
Solution: Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)

Event ID and source: 2042 — NTDS Replication
Event string: Replication has not occurred with this partner for a tombstone lifetime, and
replication cannot proceed.
Solution: Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)
For more information about replication concepts, see “Active Directory Replication
Technologies” in the Windows Server 2003 Technical Reference on the Microsoft Web
site (http://go.microsoft.com/fwlink/?LinkId=41950).
In this section
Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)
Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088)
The default value of the tombstone lifetime depends on the version of the operating
system that is running on the first domain controller that is installed in a forest, as follows:
Windows 2000 Server or Windows Server 2003: The default value is 60 days.
Windows Server 2003 with Service Pack 1 (SP1): The default value is 180 days.
Note
The tombstone lifetime value that is in effect when a domain controller is
upgraded to Windows Server 2003 SP1 is not changed by upgrading. The
existing value is maintained until you change it manually.
After the tombstone is removed permanently, the object deletion can no longer be
replicated. Therefore, the tombstone lifetime defines how long domain controllers in the
forest retain knowledge of a deleted object and thus the time during which a unique
deletion must be received by all direct and transitive replication partners of the originating
domain controller.
When it is reconnected to the replication topology, this domain controller acts as a source
replication partner that has an object that its destination partner does not have.
Replication problems occur when the object on the source domain controller is updated.
In this case, when the destination attempts to inbound-replicate the update, the
destination domain controller responds in one of two ways:
Lingering objects can reside in writable or read-only partitions that are potentially
replicated between domain controllers in the same or different domains in the same
forest.
Replication fails and monitoring is not in place. Failures can occur as follows:
Note
Global catalog servers replicate read-only replicas of all domain directory
partitions in the forest. The replication of read-only replicas has a lower priority
than the replication of writable replicas. In addition, global catalog servers are
often bridgehead servers, which adds to the replication load. If the replication
load on global catalog servers acting as bridgehead servers is too high as a
result of an extremely short replication interval, excessive numbers of concurrent
outbound replication partners, or a combination of both, the replication queue can
become backlogged. If the condition persists, read-only replicas can remain in
the queue indefinitely. These conditions can result in lingering objects on a global
catalog server.
Wide area network (WAN) connections are unavailable for long periods. For
example, a domain controller onboard a cruise ship might be unable to replicate
because the ship is at sea for longer than the tombstone lifetime.
The reported event is a false positive because the system clock on the source or
destination domain controller is improperly rolled forward or back in time. Clock
skews are most common following a system reboot and can have the following
causes:
The time source for a computer is improperly configured, including a time source
server configured with Windows Time service (W32time), third-party time servers,
and network routers.
Multiple copies of an object appear in the object picker or GAL for an object that
should be unique in the forest. Duplicate objects sometimes appear with altered
names, causing confusion on directory searches. For example, if the relative
distinguished name of two objects cannot be resolved, conflict resolution appends
"*CNF:GUID" to the name, where * represents a reserved character, CNF is a
constant that indicates a conflict resolution, and GUID represents the objectGUID
attribute value.
E-mail messages are not delivered to a user whose Active Directory account appears
to be current. After an outdated domain controller or global catalog server becomes
reconnected, both instances of the user object appear in the global catalog. Because
both objects have the same e-mail address, e-mail messages cannot be delivered.
A universal group that no longer exists continues to appear in a user’s access token.
Although the group no longer exists, if a user account still has the group in its security
token, the user might have access to a resource that you intended to be unavailable
to that user.
A new object or Exchange mailbox cannot be created, but you do not see the object
in Active Directory. An error message reports that the object already exists.
Searches that use attributes of an existing object incorrectly find multiple copies of an
object of the same name. One object has been deleted from the domain, but it
remains in an isolated global catalog server.
1 (enabled): Inbound replication of the specified directory partition from the source is
stopped on the destination.
0 (disabled): The destination requests the full object from the source domain
controller, and the lingering object is revived in the directory as a new object.
Note
Raising the domain or forest functional level does not change the replication
consistency setting on any domain controller.
The forest root domain of a new forest is created by upgrading the Windows NT 4.0
primary domain controller (PDC) to Windows Server 2003 by using the
Windows Server 2003 version of Winnt32.exe.
The forest root domain of a new forest is created by installing Active Directory on a
server running Windows Server 2003.
A server running Windows 2000 Server is promoted into a Windows Server 2003
forest.
If you have a domain controller that is running Windows Server 2003 with SP1, you do
not need to edit the registry to set strict replication consistency. Instead, you can use
Repadmin to set the value for one or all domain controllers in the forest. To set strict
replication consistency for specific domain controllers or for all domain controllers, see
Event ID 1388 or 1988: A lingering object is detected.
For more information about strict replication consistency, see "How the Active Directory
Replication Model Works" in the Windows Server 2003 Technical Reference on the
Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=27636.
1. Compares the directory database objects on a reference domain controller with the
objects on the target domain controller, which contains (or is suspected to contain)
lingering objects.
2. Either removes the lingering objects or logs the potential deletions to the Directory
Service event log, as follows:
If you use the /advisory_mode parameter, events are logged in the Directory
Service event log for the objects that are found.
If you do not use the /advisory_mode parameter, the found objects are deleted
without replicating the deletions; that is, the deletions occur only on the target
domain controller.
Choose the problem that best describes your situation from the following list, and then
step through the suggested fix:
Event ID 2042: It has been too long since this machine replicated
See Also
Configuring a Computer for Troubleshooting Active Directory
Event ID 1388: Inbound replication of the lingering object has occurred on the
destination domain controller.
Event ID 1988: Inbound replication of the directory partition of the lingering object has
been blocked on the destination domain controller.
Event ID 1388
This event indicates that a destination domain controller that does not have strict
replication consistency enabled has received a request to update an object that does not
reside in the local copy of the Active Directory database. In response, the destination
domain controller has requested the full object from the source replication partner. In this
way, a lingering object has been replicated ("reanimated") to the destination domain
controller.
Important
When event ID 1388 occurs, if either the source domain controller (the replication
partner that is outbound-replicating the lingering object) or the destination domain
controller (the inbound replication partner that reports event ID 1388) is running
Windows 2000 Server, you cannot use the Repadmin tool to remove lingering
objects. For information about how to remove lingering objects in this case, see
article 314282, "Lingering objects may remain after you bring an out-of-date
global catalog server back online," on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkId=41410. The procedures and information in
this article apply to the removal of lingering objects from global catalog servers
as well as from domain controllers that are not global catalog servers.
The event text identifies the source domain controller and the outdated (lingering) object.
An example version of the event text is as follows:
Event Type:Error
Event Source:NTDS Replication
Event Category:Replication
Event ID:1388
Date:2/21/2005
Time:9:19:48 AM
User:NT AUTHORITY\ANONYMOUS LOGON
Computer:DC3
Description:
Another domain controller (DC) has attempted to replicate into this DC an
object which is not present in the local Active Directory database. The
object may have been deleted and already garbage collected (a tombstone
lifetime or more has past since the object was deleted) on this DC. The
attribute set included in the update request is not sufficient to create
the object. The object will be re-requested with a full attribute set
and re-created on this DC.
Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Strict Replication
Consistency
Event ID 1988
This event indicates that a destination domain controller that has strict replication
consistency enabled has received a request to update an object that does not exist in its
local copy of the Active Directory database. In response, the destination domain
controller has blocked replication of the directory partition containing that object from that
source domain controller. The event text identifies the source domain controller and the
outdated (lingering) object. An example version of the event text is as follows:
Event Type:Error
Event Source:NTDS Replication
Event Category:Replication
Event ID:1988
Date:2/21/2005
Time:9:13:44 AM
User:NT AUTHORITY\ANONYMOUS LOGON
Computer:DC3
Description:
Active Directory Replication encountered the existence of objects
in the following partition that have been deleted from the local
domain controllers (DCs) Active Directory database. Not all direct
or transitive replication partners replicated in the deletion
before the tombstone lifetime number of days passed. Objects that
have been deleted and garbage collected from an Active Directory
partition but still exist in the writable partitions of other DCs
in the same domain, or read-only partitions of global catalog servers
in other domains in the forest are known as "lingering objects".
Cause
An object that has been permanently deleted from Active Directory (that is, its tombstone
has been garbage-collected) remains on a domain controller. The domain controller failed
to receive direct or transitive replication of the object deletion because it was
disconnected (offline or experiencing an inbound replication failure) from the replication
topology for a period that exceeded a tombstone lifetime. That object has been updated
on the domain controller, causing a replication notification to the replication partner that
an update is ready for replication. The replication partner has responded according to its
replication consistency setting. This notification applies to attempted replication of a
writable object. A copy of the writable lingering object might also exist on a global catalog
server.
Solution
If replication of a lingering object has been detected, you can remove the object from
Active Directory, along with any read-only replicas of the object, by identifying the domain
controllers that might store this object (including global catalog servers) and running a
repadmin command to remove lingering objects against these servers (repadmin
/removelingeringobjects). This command is available on domain controllers that are
running the version of Repadmin.exe that is included with Windows Support Tools in
Windows Server 2003.
2. Install Windows Support Tools on the domain controller that received the event, if
necessary. See "Install Windows Support Tools" in Configuring a Computer for
Troubleshooting Active Directory.
The object GUID of a domain controller is stored in the objectGUID attribute of the NTDS
Settings object.
Requirements
where ServerName is the name of the domain controller for which you want to
display the GUID.
2. In the first section of the output, locate the objectGuid entry. Select and copy the
GUID value into a text file so that you can use it elsewhere.
Requirements
ServerName The name of the domain controller that has lingering objects, as
identified in the event message (event ID 1388 or event ID 1988). You
can use the Domain Name System (DNS) name or the distinguished
name.
/advisory_mode logs the lingering objects that will be removed so that you can review
them, but it does not remove them.
2. Repeat step 1 without /advisory_mode to delete the identified lingering objects from the
directory partition.
3. Repeat steps 1 and 2 for every domain controller that might have lingering objects.
Note
The ServerName parameter uses the DC_LIST syntax for repadmin, which
allows the use of * for all domain controllers in the forest and gc: for all global
catalog servers in the forest. To see the DC_LIST syntax, type
repadmin /listhelp.
Administrative credentials:
where DC_LIST is the name of a single domain controller. (* applies the change
to all domain controllers in the forest.) For the domain controller name, you can
use the Domain Name System (DNS) name, the distinguished name of the
domain controller computer object, or the distinguished name of the domain
controller server object.
2. If you do not use * to apply the change to all domain controllers, repeat step 1 for
every domain controller on which you want to enable strict replication
consistency.
Note
For more naming options and information about the syntax of the DC_LIST
parameter, at the command prompt, type repadmin /listhelp.
Value: 1 (0 to disable)
Requirements:
Operating system: Windows Server 2003, Windows 2000 Server with SP3,
Windows 2000 Server with SP4
Administrative credentials: To complete this procedure, you must be a member of the
Domain Admins group.
Caution
It is recommended that you do not directly edit the registry unless there is no
other alternative. Modifications to the registry are not validated by the registry
editor or by Windows before they are applied, and as a result, incorrect values
can be stored. This can result in unrecoverable errors in the system. When
possible, use Group Policy or other Windows tools, such as Microsoft
Management Console (MMC), to accomplish tasks rather than editing the registry
directly. If you must edit the registry, use extreme caution.
Solution
Based on these symptoms of a lingering object, you usually have a good idea of the
name of the object and you can use the following steps to solve the problem:
Remove all lingering objects from that directory partition on all global catalog servers
in the forest.
Requirements
5. In the Bind dialog box, provide credentials for a user account in the forest, and
then click OK.
7. In the Tree View dialog box, in BaseDN, type the distinguished name of the
forest root domain, and then click OK.
8. In the console tree, right-click the forest root domain, and then click Search.
9. In the Search dialog box, in Filter, replace the default filter (objectClass=*) to
create a filter of the following form:
(attribute=value)
10. In the Scope box, click Subtree, and then click Run.
11. Click Close, and then view the results. You must identify which of the displayed
objects should be removed from Active Directory. An indication that you have
found a lingering object that exists only on a global catalog server is that the
object does not exist in a writable replica of the directory partition.
12. If necessary, repeat steps 8 through 10 to rephrase the query, and then run it
again.
User Action:
Solution
Treat this occurrence as a lingering object condition, and do the following:
Run the repadmin /showrepl command on the domain controller that received the
error to determine which domain controller has been disconnected for longer than a
tombstone lifetime.
Remove lingering objects. Follow the instructions for removing lingering objects from
the source and destination domain controllers as described in Event ID 1388 or 1988:
A lingering object is detected.
Restart replication on the destination domain controller. After you remove lingering
objects, you must restart replication on the domain controller that logged the event by
editing the registry setting that allows replication with a potentially out-of-date domain
controller. You can also perform this procedure if you do not want to wait to remove
lingering objects and you want to start replication immediately.
Reset the registry to protect the domain controller against outdated replication. After
replication has resumed on the domain controller that logged the event, reset the
registry so that this domain controller continues to log events if replication is
attempted with a domain controller where the last successful replication occurred
longer than a tombstone lifetime ago.
Use the following procedure to change the registry entry value. This procedure does not
require a restart of the domain controller to take effect.
Caution
It is recommended that you do not directly edit the registry unless there is no
other alternative. Modifications to the registry are not validated by the registry
editor or by Windows before they are applied, and as a result, incorrect values
can be stored. This can result in unrecoverable errors in the system. When
possible, use Group Policy or other Windows tools, such as Microsoft
Management Console (MMC), to accomplish tasks rather than editing the registry
directly. If you must edit the registry, use extreme caution.
Requirements
Tool: Regedit.exe
2. Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
If the registry entry exists in the details pane, modify the entry as follows:
a. In the details pane, right-click Allow Replication With Divergent and Corrupt
Partner, and then click Modify.
If the registry entry does not exist, create the entry as follows:
b. Type the name Allow Replication With Divergent and Corrupt Partner, and
then press ENTER.
c. Double-click the entry. In the Value data box, type 1, and then click OK.
Note
If you did not remove the lingering objects, attempting replication might result in
replication of a lingering object. If strict replication consistency is enabled on the
destination domain controller, replication with the source domain controller will be
blocked again.
The error codes that Dcdiag detects are described in the following table. Error codes that
are marked with an asterisk (*) are not always caused by a security problem.
Error code Description
5 Access is denied.
Use the procedures in An "Access denied" or other security error has caused replication
problems to diagnose and fix replication security problems.
Cause
A replication destination domain controller cannot contact its source replication partner to
get Active Directory updates as a result of one or more security errors occurring on the
connection between the two domain controllers.
Solution
Run the replication security error diagnostic test that is available in the version of Dcdiag
in Windows Support Tools that is included in Windows Server 2003 SP1.
Requirements
Operating system:
Although you can run the enhanced version of Dcdiag on computers running
Windows XP Professional and Windows Server 2003 with no service pack
installed, to run the new replication security test (/test:CheckSecurityError), you
must run Dcdiag on a domain controller running Windows Server 2003 with SP1.
You can run the new Dcdiag replication security tests against domain controllers
that are running the following operating systems:
If you do not use the /s: switch, the test is run against the local domain controller.
You can also test all domain controllers in the forest by using /e: instead of /s:.
4. Note the names of all domain controllers that reported “Warn” or “Fail” status in
the Summary table.
5. Find the detailed breakout section for the problem domain controller by searching
on the string “DC: DomainControllerName”.
Rerun Dcdiag /test:CheckSecurityError with the /e: or /s: switch to validate the
configuration changes.
A connection exists between a source and a destination, and you receive a security
error.
You are trying to create a connection between two domain controllers and you
receive a security error.
You want to determine whether a connection could be created if you wanted to add
one on this destination from the specified source.
Requirements
Tool: Dcdiag.exe (Windows Support Tools) included in Windows Server 2003 SP1
Operating system:
Although you can run the enhanced version of Dcdiag on computers that are
running Windows XP Professional and Windows Server 2003 with no service
pack installed, to run the new replication security test
(/test:CheckSecurityError), you must run Dcdiag on a domain controller running
Windows Server 2003 with SP1.
You can run the new Dcdiag replication security tests against domain controllers
running the following operating systems:
To test the connection between two domain controllers for replication security
errors
1. At a command prompt, type the following command, and then press ENTER:
3. Scroll to the Summary table near the bottom of the Dcdiag log file.
4. Note the names of all domain controllers that reported “Warn” or “Fail” status in
the Summary table.
5. Find the detailed breakout section for the problem domain controller by searching
on the string “DC: DomainControllerName”.
The following table shows the DNS resource records that are required for proper
Active Directory functionality.
Mnemonic Type DNS resource record
gc SRV _ldap._tcp.gc._msdcs.DnsForestRootDomainName
GcIpAddress A _gc._msdcs.DnsForestRootDomainName
dc SRV _ldap._tcp.dc._msdcs.DnsDomainName
None A DomainControllerFQDN
The Net Logon service on the domain controller registers all SRV resource records when
the operating system starts up and at regular intervals thereafter. The DNS client service
on the domain controller registers the DNS host A resource record.
A domain controller uses the following steps to locate its replication partner:
1. The destination domain controller queries its DNS server to look for the CNAME
resource record of its replication partner. On domain controllers running
Windows 2000 Server or Windows Server 2003 with no service pack applied, if this
lookup fails to resolve the CNAME resource record to an IP address, DNS lookup
(and replication) fails.
2. On domain controllers running Windows Server 2003 with SP1, if the CNAME lookup
is unsuccessful, the domain controller looks for the DNS A resource record of its
replication partner. For example, the domain controller looks for
DC03.corp.contoso.com.
3. If the DNS A resource record lookup is unsuccessful, the domain controller performs
a network basic input/output system (NetBIOS) broadcast by using the host name of
its replication partner. For example, the domain controller uses DC03.
When lookups fail, events that describe the condition are logged in the Directory Service
event log.
DNS Events for Lookup Failure
Two new events, event ID 2087 and event ID 2088, are logged on destination domain
controllers running Windows Server 2003 with SP1:
If the lookup ultimately succeeds but either the first or second attempt fails, event
ID 2088 is logged.
On domain controllers running Windows 2000 Server or Windows Server 2003 with no
service pack applied, the destination domain controller that cannot successfully locate its
replication partner in DNS logs event ID 1925.
Regardless of whether replication succeeds or fails, if you receive event ID 1925, event
ID 2087, or event ID 2088, you should investigate and correct the cause of the failure
because incorrect DNS configuration can affect other essential operations — including
logon authentication and access to network resources — on member computers, domain
controllers, and application servers. In addition, although fallback name resolution might
allow replication to occur, it introduces unnecessary latency and overhead into the
replication process.
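The locator order above (GUID-based CNAME, then host A record, then NetBIOS broadcast) and the event each outcome produces, as an added example with constructed name data; it is not code from the guide. The rule that event ID 2087 is logged when every attempt fails is taken from the title of that event as cited in this guide, and the IP address is constructed.

```python
"""Simulation of the replication-partner locator order (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class NameData:
    """Constructed view of what the destination domain controller can resolve."""
    cname: Dict[str, str] = field(default_factory=dict)    # GUID CNAME -> FQDN
    a: Dict[str, str] = field(default_factory=dict)        # FQDN -> IP address
    netbios: Dict[str, str] = field(default_factory=dict)  # host name -> IP address


@dataclass
class LocatorResult:
    address: Optional[str]   # IP address of the partner, or None on failure
    method: Optional[str]    # "cname", "a" or "netbios"
    event_id: Optional[int]  # 1925, 2087, 2088 or None when nothing is logged


def guid_cname(ntds_guid: str, forest_root: str) -> str:
    """Name queried first, e.g. <NTDS Settings objectGUID>._msdcs.contoso.com."""
    return f"{ntds_guid}._msdcs.{forest_root}"


def locate_partner(data: NameData, ntds_guid: str, partner_fqdn: str,
                   forest_root: str, sp1: bool) -> LocatorResult:
    # Step 1: GUID-based CNAME, then the A record of the CNAME target.
    target = data.cname.get(guid_cname(ntds_guid, forest_root))
    if target and target in data.a:
        return LocatorResult(data.a[target], "cname", None)
    # Windows 2000 Server / Windows Server 2003 without SP1 stop here: 1925.
    if not sp1:
        return LocatorResult(None, None, 1925)
    # Step 2 (SP1): fall back to the partner's own host A record.
    if partner_fqdn in data.a:
        return LocatorResult(data.a[partner_fqdn], "a", 2088)
    # Step 3 (SP1): NetBIOS broadcast using the host name only.
    host = partner_fqdn.split(".")[0]
    if host in data.netbios:
        return LocatorResult(data.netbios[host], "netbios", 2088)
    # Every attempt failed: replication cannot proceed (2087).
    return LocatorResult(None, None, 2087)


# Constructed scenarios. The GUID and FQDN reuse the guide's examples; the
# address is made up.
FOREST_ROOT = "contoso.com"
PARTNER_GUID = "f8786828-ecf5-4b7d-ad12-8ab60178f7cd"
PARTNER_FQDN = "dc03.corp.contoso.com"
PARTNER_IP = "10.0.0.3"

HEALTHY = NameData(
    cname={guid_cname(PARTNER_GUID, FOREST_ROOT): PARTNER_FQDN},
    a={PARTNER_FQDN: PARTNER_IP},
    netbios={"dc03": PARTNER_IP},
)
# CNAME never registered (for example, Net Logon registration failed).
NO_CNAME = NameData(a={PARTNER_FQDN: PARTNER_IP}, netbios={"dc03": PARTNER_IP})
# The DNS servers in use resolve neither name; only the broadcast answers.
NETBIOS_ONLY = NameData(netbios={"dc03": PARTNER_IP})
NOTHING = NameData()


def run_scenarios() -> Dict[str, LocatorResult]:
    """Locate the partner under each scenario, on SP1 and pre-SP1 DCs."""
    def go(data, sp1):
        return locate_partner(data, PARTNER_GUID, PARTNER_FQDN, FOREST_ROOT, sp1)
    return {
        "healthy_sp1": go(HEALTHY, True),
        "no_cname_sp1": go(NO_CNAME, True),
        "no_cname_pre_sp1": go(NO_CNAME, False),
        "netbios_only_sp1": go(NETBIOS_ONLY, True),
        "nothing_sp1": go(NOTHING, True),
    }


if __name__ == "__main__":
    for name, res in run_scenarios().items():
        print(f"{name:18} address={res.address} via={res.method} event={res.event_id}")
```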
Resolving the fully qualified, GUID-based, CNAME resource record of the source domain
controller to the current IP address of the source domain controller requires the following
DNS configurations:
1. In their respective TCP/IP client settings, the source domain controller and
destination domain controller must be configured to resolve DNS names by using
only valid DNS servers that directly host, forward, or delegate to the following DNS
zones:
b. The DNS zone that corresponds to the primary DNS suffix of the respective
target domain controller, to resolve queries for computers in the domain. (The
source domain controller can resolve the domain name of the target domain
controller, and the reverse is also true.) The primary DNS suffix is usually the
same as the DNS name of the domain to which a computer is joined. You can
view the primary DNS suffix in the properties of My Computer.
If the DNS servers that the source domain controller is configured to use for name
resolution do not host these zones directly, the DNS servers that are used must
forward or delegate to DNS servers that do host these zones.
2. The source domain controller must have successfully registered the following
resource records:
If the source domain controller changes the DNS server on which it registers its
CNAME and host A resource records, it is possible that the initial DNS server that the
destination domain controller queries to resolve the name of the source domain
controller is different than any of the DNS servers on which the CNAME and host A
resource records for the source domain controller are currently registered. In this
case, DNS replication latency or failures might prevent DNS records that are
successfully registered on the DNS servers that the source controller uses from being
located by the DNS server that is queried by the destination domain controller.
If the Active Directory domain of the DNS server that the destination domain
controller uses initially has a parent-child relationship with the Active Directory
domain of the servers on which the source domain controller registers its resource
records, the forwarder and delegation configuration on both the DNS servers that the
source domain controller uses and the DNS servers that the destination domain
controller uses, as well as any intermediate DNS servers that are used to resolve the
DNS query, must be valid. Any required records on those DNS servers might be
subject to replication latency and failure.
Understanding these basic requirements for name resolution that locates the source
replication partner provides a more meaningful context for working through solutions
when you have replication DNS lookup problems. Choose a problem from the following
list that best describes your situation, and then step through the suggested fix:
Event ID 1925: Attempt to establish a replication link failed due to DNS lookup problem
Directory partition:
CN=Configuration,DC=contoso,DC=com
Source domain controller:
CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com
Source domain controller address:
f8786828-ecf5-4b7d-ad12-8ab60178f7cd._msdcs.contoso.com
Intersite transport (if any):
User Action
Verify if the source domain controller is accessible or
network connectivity is available.
Additional Data
Error value:
8524 The DSA operation is unable to proceed because of a DNS
lookup failure.
Solution
Proceed with DNS testing as described in "Event ID 2087: DNS lookup failure caused
replication to fail."
Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
User Action:
dcdiag /test:dns
dcdiag /test:dns
Additional Data
Error value:
11004 The requested name is valid, but no data of the requested
type was found.
Cause
Failure to resolve the current CNAME resource record of the source domain controller to
an IP address can have the following causes:
The source domain controller has not registered its resource records in DNS.
The DNS server that is used by the source domain controller does not host the
correct zones or the zones are not configured to accept dynamic updates.
The direct DNS servers that are queried by the destination domain controller
cannot resolve the IP address of the source domain controller as a result of
nonexistent or invalid forwarders or delegations.
Active Directory has been removed on the source domain controller and then
reinstalled with the same IP address, but knowledge of the new NTDS Settings GUID
has not reached the destination domain controller.
Active Directory has been removed on the source domain controller and then
reinstalled with a different IP address, but the current host address (A) resource
record for the IP address of the source domain controller is either not registered or
does not exist on the DNS servers that are queried by the destination domain
controller as a result of replication latency or replication error.
The operating system of the source domain controller has been reinstalled with a
different computer name, but its metadata either has not been removed or has been
removed and not yet inbound-replicated by the destination domain controller.
Solution
First, determine whether the source domain controller is functioning. If the source domain
controller is not functioning, remove its remaining metadata from Active Directory.
If the source domain controller is functioning, continue with procedures to diagnose and
solve the DNS problem, as needed:
Use Dcdiag to diagnose DNS problems.
Requirements
This command displays the Netlogon and SYSVOL shares, indicating that the server is
functioning as a domain controller. If this test shows that the domain controller is not
functioning on the network, determine the nature of the disconnection and whether the
domain controller can be recovered or whether its metadata must be removed from
Active Directory manually. If the domain controller is not functioning and cannot be
restored, use the procedure in the following section, "Clean Up Domain Controller
Metadata," to delete the data from Active Directory that is associated with that server.
The process for cleaning up metadata is improved in the version of Ntdsutil that is
included with Windows Server 2003 SP1. Instructions for cleaning up metadata with the
Windows Server 2003 version of Ntdsutil and the Windows Server 2003 SP1 version of
Ntdsutil are provided in the following procedure.
Requirements
ntdsutil
3. At the ntdsutil: command prompt, type the following command, and then press
ENTER:
metadata cleanup
Note
If you are removing domain metadata as well as server metadata, skip
the following procedure and use the procedure that begins at step a.
If you are performing server metadata cleanup only and you are using the
version of Ntdsutil.exe that is included with Windows Server 2003 SP1, at the
metadata cleanup: command prompt, type the following, and then press
ENTER:
Or
connection
c. At the connection: command prompt, type the following command, and then
press ENTER:
quit
list sites
f. A numbered list of sites appears. Type the following command, and then
press ENTER:
h. A numbered list of domains in the selected site appears. Type the following
command, and then press ENTER:
k. At the select operation target: command, type the following command, and
then press ENTER:
quit
l. At the metadata cleanup: command, type the following command, and then
press ENTER:
m. If the server whose metadata you have removed is the last domain controller
in the domain and you want to remove the domain metadata, at the
metadata cleanup: command prompt, type the following command, and
then press ENTER:
n. At the metadata cleanup: and ntdsutil: command prompts, type quit, and
then press ENTER.
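The single-command form of server metadata cleanup that the Windows Server 2003 SP1 Ntdsutil accepts, as an added PowerShell example that is not part of the guide: it refuses to run while the server still publishes NETLOGON, looks up the server object in the Configuration partition so the distinguished name is not typed by hand, and then passes the menu commands to ntdsutil.exe as arguments. The domain controller name is an assumed value, and the ActiveDirectory module (RSAT) is assumed to be installed on the machine running it.

```powershell
# Added example (not from the guide): remove the metadata of a permanently offline
# domain controller with the SP1 "remove selected server <DN>" form of Ntdsutil.
# Assumes the ActiveDirectory module (RSAT); $DeadDcName is an assumed value.
param(
    [string]$DeadDcName = 'DC1'   # assumed name of the unrecoverable domain controller
)
Import-Module ActiveDirectory

# 1. Refuse to proceed if the server still answers on the network: "net view" lists
#    its shares, and a functioning DC publishes NETLOGON and SYSVOL.
$shares = cmd /c "net view \\$DeadDcName 2>&1"
if ($LASTEXITCODE -eq 0 -and ($shares -match 'NETLOGON')) {
    throw "$DeadDcName still publishes NETLOGON; repair it instead of removing its metadata."
}

# 2. Locate the server object under CN=Sites in the Configuration partition. Its child
#    "CN=NTDS Settings" object is what replication partners still reference.
$config = (Get-ADRootDSE).configurationNamingContext
$server = Get-ADObject -SearchBase "CN=Sites,$config" `
          -Filter "objectClass -eq 'server' -and name -eq '$DeadDcName'"
if (-not $server) { throw "No server object named $DeadDcName under CN=Sites,$config" }

# 3. If this was the last DC of its domain, the guide's step m (remove selected domain)
#    also applies; this example only removes the server metadata.
# Ntdsutil accepts its menu commands as arguments, so the whole SP1 procedure is one
# invocation: enter "metadata cleanup", remove the server, quit that menu, quit ntdsutil.
# Ntdsutil still shows its confirmation dialog before deleting anything.
$ntdsutilArgs = @(
    'metadata cleanup',
    "remove selected server $($server.DistinguishedName)",
    'quit',
    'quit'
)
Write-Host "Running: ntdsutil $($ntdsutilArgs -join ' ')"
& ntdsutil.exe @ntdsutilArgs
```

The pre-SP1 version of Ntdsutil does not accept the distinguished name directly; there you have to walk the connections, list sites, select site, list domains in site, list servers in site and select server menus that the numbered steps above describe before issuing remove selected server.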
Before you begin these procedures, gather the following information, which is contained
in the event ID 2087 message text:
The FQDN of the source domain controller and destination domain controller
When you use the enhanced SP1 version of Dcdiag for DNS testing, there are specific
requirements that do not apply to all Dcdiag tests.
Requirements
Administrative credentials: To complete the new DNS tests that are available in the
SP1 version of Dcdiag, you must be a member of the Enterprise Admins group.
Tools: Dcdiag.exe
Operating system:
You can run the enhanced version of Dcdiag on computers running the following
operating systems:
Windows XP Professional
You can run the new Dcdiag DNS tests against Microsoft DNS servers that are
installed on domain controllers running the following operating systems:
Note
You can use the /f: switch in Dcdiag commands to save the output to a text file.
Use /f:FileName to generate the file in the location that is indicated in FileName,
for example, /f:c:\Test\DnsTest.txt.
Connectivity: The test determines whether domain controllers are registered in DNS,
can be contacted by PING, and have Lightweight Directory Access Protocol / remote
procedure call (LDAP/RPC) connectivity. If the connectivity test fails on a domain
controller, no other tests are run against that domain controller. The connectivity test
is performed automatically before any other DNS test is run.
Essential services: The test confirms that the following services are running and
available on the tested domain controller:
DNS client configuration: The test confirms that DNS servers on all adapters are
reachable.
Resource record registrations: The test confirms that the address (A) resource record
of each domain controller is registered on at least one of the DNS servers that is
configured on the client.
Zone and server of authority (SOA): If the domain controller is running the DNS
Server service, the test confirms that the Active Directory domain zone and SOA
record for the Active Directory domain zone are present.
As an alternative, you can test all domain controllers in the forest by typing /e:
instead of /s:.
3. Scroll to the Summary table near the bottom of the Dcdiag log file.
4. Note the names of all domain controllers that report “Warn” or “Fail” status in the
Summary table.
5. Find the detailed breakout section for the problem domain controller by searching
on the string “DC: DomainControllerName”.
6. Make the required configuration changes on DNS clients and DNS servers.
7. To validate the configuration changes, rerun Dcdiag /test:DNS with the /e: or /s:
switch.
If the basic DNS test shows no errors, continue by verifying that resource records that are
used to locate domain controllers are registered in DNS.
You can use Dcdiag to verify registration of all resource records that are essential for
domain controller location by using the dcdiag /test:dns /DnsRecordRegistration test.
This test verifies registration of the following resource records in DNS:
A (the host resource record that contains the IP address of the domain controller)
LDAP SRV (the service resource records that locate LDAP servers)
GC SRV (the service resource records that locate global catalog servers)
PDC SRV (the service resource records that locate primary domain controller (PDC)
operations masters)
As an alternative, you can use the following procedure to check for only the CNAME
resource record.
Note
In Windows 2000 Server DNS, _msdcs.Dns_Domain_Name is a
subdomain of the DNS zone for the Active Directory domain name. In
Windows Server 2003 DNS, _msdcs.Dns_Domain_Name is a separate
zone.
3. In the details pane, verify that the following resource records are present:
If the CNAME resource record is not registered, verify that dynamic updates are
functioning properly. Use the test in the following section.
Verify Dynamic Updates
If the basic DNS test shows that resource records do not exist in DNS, use the dynamic
update test to diagnose why the Net Logon service did not register the resource records
automatically. To verify that the Active Directory domain zone is configured to accept
secure dynamic updates and to perform registration of a test record
(_dcdiag_test_record), use the following procedure. The test record is deleted
automatically after the test.
As an alternative, you can test all domain controllers by using the /e: switch
instead of the /s: switch.
If secure dynamic update is not configured, use the following procedure to configure it.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, verify that the zone type is Active Directory–integrated.
Requirements
3. Wait 15 minutes, and then review events in Event Viewer to ensure proper
registration of the resource records.
Repeat the procedure in the "Verify Resource Record Registration" section earlier in this
guide to verify that the resource records appear in DNS.
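The Dcdiag DNS procedure above (basic test, Summary table review, record registration check, dynamic update check and re-registration), as an added PowerShell example that is not part of the guide. The DC name, zone name and DNS server name are assumed values; Get-DnsServerZone and Set-DnsServerPrimaryZone come from the DnsServer module on Windows Server 2012 and later, not from the SP1-era tools the guide describes. The Summary-table parsing is this example's own.

```powershell
# Added example (not from the guide): run the Dcdiag DNS tests, pull WARN/FAIL rows out of
# the Summary table, check the zone's dynamic-update setting and re-register the DC's
# locator records. Assumed names: DC 'DC1', zone 'contoso.com', DNS server 'DNS1'.
param(
    [string]$DcName    = 'DC1',
    [string]$ZoneName  = 'contoso.com',
    [string]$DnsServer = 'DNS1',
    [string]$LogFile   = "$env:TEMP\DnsTest.txt"
)

function Get-DcdiagDnsFailures {
    param([string]$Dc, [string]$Log)
    # /f: writes the whole report to a file, as the guide's note describes.
    & dcdiag.exe /test:dns "/s:$Dc" "/f:$Log" | Out-Null
    $lines = Get-Content $Log
    # Everything from the Summary table onward; one row per DC with a status per test.
    $start = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^\s*Summary') { $start = $i; break }
    }
    if ($start -lt 0) { return @() }
    # -match is case-insensitive, so "Warn"/"WARN" and "Fail"/"FAIL" both count.
    @($lines[$start..($lines.Count - 1)] | Where-Object { $_ -match '\b(WARN|FAIL)\b' })
}

$problems = Get-DcdiagDnsFailures -Dc $DcName -Log $LogFile
if ($problems.Count -eq 0) {
    # Basic tests are clean: verify the locator records (A, LDAP/GC/PDC SRV, CNAME).
    & dcdiag.exe /test:dns "/s:$DcName" /DnsRecordRegistration
} else {
    Write-Warning "Dcdiag reported problems for $DcName (details under 'DC: $DcName' in $LogFile):"
    $problems | ForEach-Object { Write-Warning $_ }

    # Records missing? The zone must accept secure dynamic updates for Net Logon to
    # register them; Secure requires an Active Directory-integrated zone.
    $zone = Get-DnsServerZone -Name $ZoneName -ComputerName $DnsServer
    if ($zone.DynamicUpdate -ne 'Secure') {
        Write-Warning "Zone $ZoneName DynamicUpdate is '$($zone.DynamicUpdate)'; setting Secure."
        Set-DnsServerPrimaryZone -Name $ZoneName -ComputerName $DnsServer -DynamicUpdate Secure
    }

    # Ask Net Logon on the DC to register its records now rather than waiting for the
    # periodic refresh; then review the event logs as the guide's step 3 says.
    & nltest.exe /dsregdns "/server:$DcName"
}
```

Rerun the script after the fix; a clean Summary table followed by a clean /DnsRecordRegistration run corresponds to step 7 of the procedure.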
Requirements
2. In the console tree, double-click the Sites container, double-click the site of the
domain controller to which you want to synchronize replication, double-click the
Servers container, double-click the server object of the domain controller, and
then click NTDS Settings.
3. In the details pane, in the From Server column, locate the connection object that
shows the name of the source domain controller.
4. Right-click the appropriate connection object, and then click Replicate Now.
5. Click OK.
If replication does not succeed, use the procedure in the following section to verify
consistency of the NTDS Settings GUID.
Requirements
6. In the Bind dialog box, provide Enterprise Admins credentials. If it is not already
selected, click Domain.
7. In Domain, type the name of the forest root domain, and then click OK.
CN=Configuration,DC=Forest_Root_Domain
13. Repeat steps 2 through 11, but in step 3, type the name of the source domain
controller, for example, DC03.
15. If the values do not match, the destination domain controller must receive
replication of the valid GUID. Check the GUID value on other domain controllers
and attempt replication on the destination domain controller with a different
domain controller that has the correct GUID.
16. If the values match, verify that the GUID matches the GUID in the
Dsa_Guid._msdcs.Dns_Domain_Name resource record for the source domain
controller, as follows:
a. Note the primary DNS servers that each domain controller identifies in the
TCP/IP properties in their Network Settings. All the DNS servers that are
listed in the respective TCP/IP properties should be able to indirectly or
directly resolve this CNAME resource record.
b. From the servers that are listed, identify the authoritative name server or
servers for this domain zone by looking at the server names that are listed for
the name server (NS) resource records at the root of the zone. (In the DNS
console, select the forward lookup zone for the root domain, and view the NS
records in the details pane).
c. On the name server or servers obtained in step b, open the DNS console,
and double-click the forward lookup zone for the forest root domain name.
Double-click the _msdcs folder, and note the CNAME resource records that
exist for your server name.
d. If there are no records present or the records are incorrect, see article
241505, SRV Records Missing After Implementing Active Directory and
Domain Name System, on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=69994).
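The GUID consistency check and the CNAME resolution chain described in steps 13 through 16 above (and in the name-resolution requirements at the start of this section), as an added PowerShell example that is not part of the guide. It reads the NTDS Settings objectGUID of the source DC from the destination DC's own copy of the Configuration partition, compares it with what the source DC itself reports, and then resolves the Dsa_Guid._msdcs.Forest_Root CNAME and its target A record against every DNS server the destination DC is configured to use, so a server behind a broken forwarder or delegation shows up individually. The source DC name is an assumed value; the script is assumed to run on the destination DC with the ActiveDirectory and DnsClient modules available (Windows Server 2012 or later).

```powershell
# Added example (not from the guide): compare the source DC's NTDS Settings objectGUID
# as stored on this (destination) DC with the source DC's own copy, then resolve the
# GUID CNAME and its A record through each configured DNS server. $SourceDc is assumed.
param([string]$SourceDc = 'DC03')
Import-Module ActiveDirectory

$config    = (Get-ADRootDSE).configurationNamingContext
$forestDns = (Get-ADForest).RootDomain          # forest root DNS name, e.g. contoso.com

# Query this DC's own replica (-Server localhost) because a stale GUID here is exactly
# the inconsistency the guide's procedure looks for.
$server = Get-ADObject -Server $env:COMPUTERNAME -SearchBase "CN=Sites,$config" `
          -Filter "objectClass -eq 'server' -and name -eq '$SourceDc'"
if (-not $server) { throw "No server object for $SourceDc in the local Configuration replica" }
$ntdsDn    = "CN=NTDS Settings,$($server.DistinguishedName)"
$localGuid = (Get-ADObject -Server $env:COMPUTERNAME -Identity $ntdsDn -Properties objectGUID).objectGUID.Guid
$cname     = "$localGuid._msdcs.$forestDns"
Write-Host "Local replica: $SourceDc DSA GUID = $localGuid  ->  $cname"

# Step 13-15: the same object as the source DC sees it. A mismatch means this DC still
# needs to receive the valid GUID through replication from a DC that has it.
try {
    $remoteGuid = (Get-ADObject -Server $SourceDc -Identity $ntdsDn -Properties objectGUID).objectGUID.Guid
    if ($remoteGuid -ne $localGuid) {
        Write-Warning "GUID mismatch: $SourceDc reports $remoteGuid; local copy has $localGuid."
    }
} catch {
    Write-Warning "Could not read $ntdsDn from ${SourceDc}: $($_.Exception.Message)"
}

# Step 16: every DNS server on every adapter must resolve the CNAME, directly or through
# forwarders/delegation, and then the host (A) record it points at.
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
              ForEach-Object { $_.ServerAddresses } | Select-Object -Unique
foreach ($srv in $dnsServers) {
    try {
        $c = Resolve-DnsName -Name $cname -Type CNAME -Server $srv -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        $a = Resolve-DnsName -Name $c.NameHost -Type A -Server $srv -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' }
        "{0,-16} {1} -> {2} -> {3}" -f $srv, $cname, $c.NameHost, ($a.IPAddress -join ',')
    } catch {
        # Typical failures: the guide's 11004 (name valid, no data) when the CNAME is
        # not yet registered or replicated to this server, or a timeout on a bad forwarder.
        Write-Warning ("{0,-16} cannot resolve {1}: {2}" -f $srv, $cname, $_.Exception.Message)
    }
}
```

A server that resolves the CNAME but not the A record points at a stale or missing host record on the authoritative name servers for the forest root zone (step 16c); a server that resolves neither points at its forwarder or delegation configuration.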
Event ID 2088: DNS lookup failure occurred with replication success
When a destination domain controller running Windows Server 2003 with Service Pack 1
(SP1) receives event ID 2088 in the Directory Service event log, attempts to resolve the
globally unique identifier (GUID) in the canonical name (CNAME) resource record to an
Internet Protocol (IP) address for the source domain controller failed. However, the
destination domain controller tried other means to resolve the name and succeeded by
using either the fully qualified domain name (FQDN) or the network basic input/output
system (NetBIOS) name of the source domain controller. Although replication was
successful, the DNS problem should be diagnosed and resolved.
An example of the event text is as follows:
Event Type: Warning
Event Source: NTDS Replication
Event Category: DS RPC Client
Event ID: 2088
Date: 3/21/2005
Time: 2:29:34 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DC3
Description:
Active Directory could not use DNS to resolve the IP address of the
source domain controller listed below. To maintain the consistency
of Security groups, group policy, users and computers and their passwords,
Active Directory successfully replicated using the NetBIOS or fully
qualified computer name of the source domain controller.
NOTE: By default, only up to 10 DNS failures are shown for any given
12 hour period, even if more than 10 failures occur. To log all
individual failure events, set the following diagnostics registry
value to 1:
Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
User Action:
3) Verify that the source domain controller is using a valid DNS server
for DNS services, and that the source domain controller's host record
and CNAME record are correctly registered, using the DNS Enhanced
version of DCDIAG.EXE available on http://www.microsoft.com/dns
dcdiag /test:dns
dcdiag /test:dns
Additional Data
Error value:
11004 The requested name is valid, but no data of the requested
type was found
Cause
Failure to resolve the source domain controller name by using the CNAME resource
record in DNS can be due to DNS misconfigurations or delays in DNS data propagation.
Solution
Proceed with DNS testing as described in "Event ID 2087: DNS lookup failure caused
replication to fail."
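Turning on the DS RPC Client diagnostics value that the event text names, and then collecting the 1925, 2087 and 2088 events from the Directory Service log with the source address and error value pulled out of each message, as an added PowerShell example that is not part of the guide. The registry path and event IDs are from the guide; the message parsing, the "Failing DNS host name" label used for event 2087 and the 12-hour window are this example's own assumptions.

```powershell
# Added example (not from the guide): log every DNS lookup failure instead of the default
# 10 per 12 hours, then summarise replication DNS events by source DC and error value.
$diagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
# Values in this key are named "<number> <category>"; 1 enables the additional logging
# that the event text asks for (0 is the default, errors only).
Set-ItemProperty -Path $diagKey -Name '22 DS RPC Client' -Value 1 -Type DWord

function Get-ReplicationDnsEvents {
    param([int]$Hours = 12)   # assumed window; the event text counts failures per 12 hours
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 1925, 2087, 2088
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $msg = $_.Message
        # 1925 carries "Source domain controller address:" followed by the GUID CNAME;
        # 2087/2088 carry the failing name under a "Failing DNS host name:" label (assumed).
        $addr = $null
        if ($msg -match '(?m)^(?:Source domain controller address|Failing DNS host name):\s*\r?\n\s*(\S+)') {
            $addr = $Matches[1]
        }
        # "Error value:" is followed on the next line by the number and its text,
        # e.g. 8524 (DNS lookup failure) or 11004 (name valid, no data of requested type).
        $errno = $null
        if ($msg -match '(?m)^Error value:\s*\r?\n\s*(\d+)') { $errno = [int]$Matches[1] }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            Id            = $_.Id
            SourceAddress = $addr
            ErrorValue    = $errno
        }
    }
}

# One row per (source, error) pair, most frequent first: a single source DC with many
# 11004 entries points at its CNAME registration; 8524 across many sources points at
# the destination DC's own DNS client configuration.
Get-ReplicationDnsEvents |
    Group-Object SourceAddress, ErrorValue |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Reset the diagnostics value to 0 once the problem is understood; at level 1 the log fills quickly on a DC with a persistent lookup failure.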
Fixing Replication Connectivity Problems (Event ID 1925)
Network connectivity problems can make it impossible for domain controllers to form
replication partnerships. Various events and errors can indicate a problem with network
connectivity that is preventing replication from occurring.
Use the procedures in Event ID 1925: Attempt to establish a replication link failed due to
connectivity problem to diagnose and fix replication connectivity problems.
Directory partition:
CN=Configuration,DC=contoso,DC=com
Source domain controller:
CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com
Source domain controller address:
f8786828-ecf5-4b7d-ad12-8ab60178f7cd._msdcs.contoso.com
Intersite transport (if any):
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=contoso,DC=com
This domain controller will be unable to replicate with the source
domain controller until this problem is corrected.
User Action
Verify if the source domain controller is accessible or network
connectivity is available.
Additional Data
Error value:
1908 Could not find the domain controller for this domain.
Cause
When event ID 1925 contains error 1908, "Could not find the domain controller for this
domain," Active Directory replication has failed as a result of a connectivity problem
between the domain controller that reported the error and the source domain controller
that is named in the event text.
Solution
Use the following tests to solve this problem:
Analyze network traces to see if any traffic is not reaching the source domain
controller.
To avoid this problem, you can determine the size of packet that your network can
accommodate. Then, you can edit the registry so that the maximum number of bytes for
using UDP is set to the lowest value that you receive, less 8 bytes to account for header
size.
Use the ping command to test the size of packets that the network can accommodate.
Requirements
Tool: PING
2. From the source domain controller, use the command in step 1 to ping the
destination domain controller by its IP address.
4. If the ping command fails in either direction, monotonically lower the number that
you use in the -l parameter until you find the lowest common packet size that
works between the source and destination domain controllers.
Note
The version of Dcdiag that is included with Windows Server 2003 SP1 Support
Tools provides the following method to perform this test:
You can edit the registry to set the maximum size of packets to the value that you
determined by the PING method, less 8 bytes to account for header size. As an
alternative, you can edit the registry so that the maximum number of bytes for using UDP
is always exceeded and Kerberos always uses TCP.
You can change the default value of 2,000 bytes by modifying the registry entry
MaxPacketSize in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters. Use the following procedure to change this registry setting.
Caution
It is recommended that you do not directly edit the registry unless there is no
other alternative. Modifications to the registry are not validated by the registry
editor or by Windows before they are applied, and as a result, incorrect values
can be stored. This can result in unrecoverable errors in the system. When
possible, use Group Policy or other Windows tools, such as Microsoft
Management Console (MMC), to accomplish tasks rather than editing the registry
directly. If you must edit the registry, use extreme caution.
Requirements
2. Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
3. Edit or, if it does not exist in the details pane, create the entry MaxPacketSize as
follows:
Right-click MaxPacketSize; click Modify; and then, in the Value data box,
type 1 to force Kerberos to use TCP, or type the value that you established to
lower the value to the appropriate maximum size.
4. Click OK.
5. You must restart the domain controller for this change to take effect.
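The packet-size test and the MaxPacketSize change above, as an added PowerShell example that is not part of the guide: it steps the ping -l payload down with the Don't Fragment flag until a reply comes back, subtracts the 8 bytes the guide prescribes, and writes the result to the Kerberos\Parameters key. The peer address, the starting payload of 1472 bytes and the 8-byte step are this example's assumptions; run it from both domain controllers and use the lower result, as steps 2 through 4 require.

```powershell
# Added example (not from the guide): find the largest ICMP payload that reaches the
# peer unfragmented, derive MaxPacketSize as the guide prescribes (lowest working size
# less 8 bytes) and write it to the registry. Address and start size are assumed.
param(
    [string]$PeerAddress = '10.0.0.5',   # assumed IP of the other domain controller
    [int]$Start = 1472,                  # assumed start: 1500-byte MTU minus 28 bytes IP+ICMP
    [int]$Step  = 8
)

function Find-LargestUnfragmentedPayload {
    param([string]$Target, [int]$From, [int]$Decrement)
    for ($size = $From; $size -gt 0; $size -= $Decrement) {
        # -f sets Don't Fragment, so an oversized probe fails instead of being fragmented
        # ("Packet needs to be fragmented but DF set."); -l sets the payload size.
        $out = & ping.exe -f -l $size -n 2 $Target
        if ($out -match 'TTL=') { return $size }   # a reply line means this size got through
    }
    return 0
}

$payload = Find-LargestUnfragmentedPayload -Target $PeerAddress -From $Start -Decrement $Step
if ($payload -eq 0) { throw "No ping size reached $PeerAddress; fix basic connectivity first." }

# Step 4 of the guide: take the lowest value that works in either direction, less 8 bytes.
$maxPacket = $payload - 8
Write-Host "Largest unfragmented payload to ${PeerAddress}: $payload bytes -> MaxPacketSize $maxPacket"

$kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
if (-not (Test-Path $kerbKey)) { New-Item -Path $kerbKey -Force | Out-Null }
# A value of 1 would force Kerberos onto TCP unconditionally (the guide's alternative);
# this writes the measured ceiling instead. -Force overwrites an existing value.
New-ItemProperty -Path $kerbKey -Name MaxPacketSize -PropertyType DWord -Value $maxPacket -Force | Out-Null
Write-Host 'Restart the domain controller for MaxPacketSize to take effect.'
```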
For information about importing an Administrative Template into Group Policy so that this
value can be set for all the Windows 2000–based, Windows Server 2003-based, or
Windows XP-based computers in the enterprise, see article 244474, "How to force
Kerberos to use TCP instead of UDP in Windows Server 2003, in Windows XP, and in
Windows 2000," on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=69997).
For information about installing Network Monitor, see Network Monitor on the Microsoft
Web site (http://go.microsoft.com/fwlink/?LinkId=42987).
Requirements
2. If you are prompted, select the local network from which you want to capture data
by default.
6. In the Find All Names dialog box, click OK. All addresses are added to the
address database.
You can use the names in the addresses database to specify address pairs in the capture
filter.
The addresses of the two computers between which you want to monitor traffic.
Arrows that specify the traffic direction that you want to monitor.
The INCLUDE or EXCLUDE keywords, which indicate how Network Monitor should
respond to a frame that meets a filter's specifications.
Requirements
2. If you are prompted, select the local network from which you want to capture data
by default.
4. In the Capture Buffer Settings dialog box, set the buffer and frame size as
appropriate, and then click OK.
<--> to monitor the traffic that passes in either direction between the addresses
that you have selected.
--> or <-- to monitor only the traffic that passes in one direction between the
computers.
9. Click OK twice.
Force Replication
When you have Network Monitor started to capture traffic between the two domain
controllers, use the following procedure to force synchronization between the computers
so that you can capture the replication traffic in Network Monitor.
Requirements
2. Double-click the Sites container, double-click the site of the domain controller to
which you want to synchronize replication, double-click the Servers container,
double-click the server object of the domain controller, and then click NTDS
Settings.
3. In the From Server column in the details pane, locate the connection object that
shows the name of the source domain controller.
4. Right-click the appropriate connection object, and then click Replicate Now.
5. Click OK.
Analyze the traces from both domain controllers to see if there is any traffic that is not
getting to the other domain controller. For information about using Network Monitor, see
Network Monitor overview on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41936).
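The capture-then-force-replication sequence above, as an added PowerShell example that is not part of the guide. It substitutes the built-in netsh trace packet capture (Windows 7 / Windows Server 2008 R2 and later) for Network Monitor, with an IPv4.Address list filter standing in for the "<-->" address-pair filter, and repadmin /replicate for the Replicate Now menu command. Domain controller names, addresses and the naming context are assumed values.

```powershell
# Added example (not from the guide): capture traffic between two DCs while replication
# is forced from the source to the destination, then stop the capture. Names, IPs and
# the naming context are assumed; netsh trace replaces Network Monitor here.
param(
    [string]$DestDc        = 'DC2',
    [string]$SourceDc      = 'DC1',
    [string]$DestIp        = '10.0.0.6',
    [string]$SourceIp      = '10.0.0.5',
    [string]$NamingContext = 'DC=contoso,DC=com',
    [string]$TraceFile     = "$env:TEMP\repl-capture.etl"
)

# Keep only frames whose IPv4 address is one of the two DCs, in either direction.
& netsh.exe trace start capture=yes "tracefile=$TraceFile" "IPv4.Address=($SourceIp,$DestIp)" | Out-Null
try {
    # Pull $NamingContext from $SourceDc to $DestDc, the same replication that the
    # Replicate Now command on the connection object triggers.
    $result = & repadmin.exe /replicate $DestDc $SourceDc $NamingContext
    $result | ForEach-Object { Write-Host $_ }
} finally {
    # Always stop the trace, even if repadmin fails, or the next run cannot start one.
    & netsh.exe trace stop | Out-Null
}
Write-Host "Capture written to $TraceFile; open it in Network Monitor to compare with the trace taken on the other DC."
```

Run the same script on the other domain controller with the roles swapped so that both traces exist; a request visible in one capture and absent from the other marks where the traffic is being dropped.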
Fixing Replication Topology Problems (Event ID 1311)
The Knowledge Consistency Checker (KCC) constructs and maintains the
Active Directory replication topology automatically. Every 15 minutes, the KCC examines
the sum of all directory partition replicas that reside on domain controllers in the forest, as
well as administrator-defined settings for connections, sites, and site links.
Event ID 1311 is logged in the Directory Service event log when the replication
configuration information in Active Directory does not accurately reflect the physical
topology of the network. Use the procedures in Event ID 1311: Replication configuration
does not reflect the physical network to identify and fix topology problems.
Directory partition:
CN=Configuration,DC=contoso,DC=com
User Action
Use Active Directory Sites and Services to perform one of the
following actions:
- Publish sufficient site connectivity information so that the
KCC can determine a route by which this directory partition can
reach this site. This is the preferred option.
- Add a Connection object to a domain controller that contains
the directory partition in this site from a domain controller
that contains the same directory partition in another site.
Cause
This problem can have the following causes:
Site link bridging is enabled on a network that does not support physical network
connectivity between two domain controllers in different sites that are connected by a
site link.
Bridge all site links is enabled in Active Directory Sites and Services, but the
network does not allow network connectivity between any two domain controllers in
the forest.
Site links contain all sites, but the site links are not interconnected. This condition is
known as disjointed site links.
Bridgehead domain controllers are online, but errors occur when they try to replicate
a required directory partition between Active Directory sites.
Administrator-defined preferred bridgehead servers are online, but they do not host
the required directory partition. The most common misconfiguration is to define
non-global catalog servers as bridgehead servers.
Preferred bridgeheads are defined correctly by the administrator, but they are
currently offline.
The bridgehead server is overloaded because the server is undersized, too many
branch sites are trying to replicate changes from the same hub domain controller, or
the replication schedules on site links or connection objects are too frequent.
The Knowledge Consistency Checker (KCC) has built an alternate path around an
intersite connection failure, but it continues to retry the failing connection every
15 minutes.
Solution
Use the following procedures for troubleshooting event ID 1311:
First, use the following procedure to locate the ISTG role holders for all sites.
Requirements
6. In the Bind dialog box, provide Enterprise Admins credentials. Click Domain if it
is not already selected.
7. In Domain, type the name of the forest root domain, and then click OK.
12. Click Options, and in the Attributes box, scroll to the end of the list, type:
;interSiteTopologyGenerator
14. Review the interSiteTopologyGenerator entries in the output, and make a note
of the domain controller names.
Determine the scope of the event by checking the Directory Service event logs of all
ISTG role holders in the forest, or check at least a significant number of ISTG role
holders.
If event ID 1311 continues to be logged on ISTG role holders, continue with the next step.
Requirements
2. In the console tree, double-click the Sites container, and then double-click the
Inter-Site Transports container.
3. Right-click the IP container. If Bridge all site links is selected, site link bridging
is enabled.
The Bridge all site links setting requires a fully routed network. If the network is not fully
routed, you must create site link bridges manually.
If the network is fully routed, continue by verifying that the sites are connected.
If the network is not fully routed and site link bridging is enabled, either make the network
fully routed, or disable site link bridging and then create the necessary site links and site
link bridges. For information about creating site links, see Linking Sites for Replication.
Note
Site link bridging is enabled by default. As a best practice, leave site link bridging
enabled for fully routed networks.
Requirements
2. In the console tree, double-click the Sites container, and then double-click the
Inter-Site Transports container.
3. Right-click the IP container. If Bridge all site links is selected, click it to disable
it.
Requirements
2. In the console tree, double-click the Sites container, and then expand the Inter-
Site Transports container.
3. Right-click the IP container, and then click New Site Link Bridge.
5. Click two or more site links to be bridged, and then click Add.
Wait for a period of time that is twice as long as the longest replication interval in the
forest. If event ID 1311 continues to be logged on ISTG role holders, continue with the
next step.
Requirements
2. In the output, review the information for the sites that are listed. For each site, the
output of the command shows a string of three numbers separated by colons.
The numbers represent <cost>:<replication interval>:<options>. Strings with a
value of “-1:0:0” indicate a possible missing site link.
Check the list of preferred bridgehead servers in the site, and ensure that preferred
bridgehead servers for the domain in question are available. Use the following procedure
to check the list of preferred bridgehead servers.
To see all servers that have been selected as preferred bridgehead servers in a forest,
you can use ADSI Edit to view the bridgeheadServerListBL attribute on the IP container
object.
Requirements
5. If any preferred bridgehead servers are selected in any site in the forest, the
Values box displays the distinguished name for each server object that is
currently selected as a preferred bridgehead server.
Verify that all domain controllers in the list are online and functioning as domain
controllers.
Requirements
Administrative credentials: To complete this procedure, you must be a member of the
Domain Users group in the domain of the domain controller.
This command displays the Netlogon and SYSVOL shares, indicating that the server is
functioning as a domain controller. If this test shows that the domain controller is not
functioning on the network, determine the nature of the disconnection and whether the
domain controller can be recovered.
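The three Configuration-partition checks in the procedures above (the ISTG of each site, the Bridge all site links setting, and the preferred bridgehead list) together with the online check on each listed bridgehead, as an added PowerShell example that is not part of the guide. It needs the ActiveDirectory module; the interpretation of bit 0x2 in the IP container's options attribute as "site link bridges required", that is, Bridge all site links disabled, is this example's assumption rather than something the guide states.

```powershell
# Added example (not from the guide): read ISTGs, the site link bridging setting and the
# preferred bridgehead list from the Configuration partition, then probe each bridgehead.
Import-Module ActiveDirectory
$config = (Get-ADRootDSE).configurationNamingContext

# 1. ISTG per site: each site's NTDS Site Settings object names its generator in
#    interSiteTopologyGenerator (the attribute the Ldp procedure adds to the list).
Get-ADObject -SearchBase "CN=Sites,$config" -Filter "objectClass -eq 'nTDSSiteSettings'" `
    -Properties interSiteTopologyGenerator |
    ForEach-Object {
        $site = ($_.DistinguishedName -split ',')[1] -replace '^CN='
        $istg = if ($_.interSiteTopologyGenerator) {
            ($_.interSiteTopologyGenerator -split ',')[1] -replace '^CN='   # CN=<DC> of the NTDS Settings DN
        } else { '(none recorded)' }
        "{0,-30} ISTG: {1}" -f $site, $istg
    }

# 2. Bridge all site links lives in the options attribute of the IP transport container.
#    Assumption: bit 0x2 set means bridges are required, i.e. bridging is DISABLED.
$ip = Get-ADObject -Identity "CN=IP,CN=Inter-Site Transports,CN=Sites,$config" `
      -Properties options, bridgeheadServerListBL
$opts = [int]$ip.options            # a missing attribute reads as 0
if ($opts -band 2) {
    'Bridge all site links: disabled (site link bridges must be created manually)'
} else {
    'Bridge all site links: enabled (requires a fully routed network)'
}

# 3. Preferred bridgeheads: bridgeheadServerListBL holds the DNs of server objects.
#    Resolve each to its dNSHostName and check that LDAP (389) still answers.
$bridgeheads = @($ip.bridgeheadServerListBL)
if ($bridgeheads.Count -eq 0) {
    'No preferred bridgehead servers defined; the KCC selects bridgeheads itself.'
}
foreach ($dn in $bridgeheads) {
    $hostName = (Get-ADObject -Identity $dn -Properties dNSHostName).dNSHostName
    $probe = Test-NetConnection -ComputerName $hostName -Port 389 -WarningAction SilentlyContinue
    $state = if ($probe.TcpTestSucceeded) { 'LDAP reachable' } else { 'LDAP UNREACHABLE: offline bridgehead?' }
    "{0,-40} {1}" -f $hostName, $state
}
```

A preferred bridgehead that answers on LDAP but is not a global catalog server still cannot replicate partitions it does not host, which is the misconfiguration the Cause list above calls out; check the domain controller's properties in Active Directory Sites and Services in that case.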
Requirements
2. In the console tree, double-click the Sites container, and then expand the
Servers container.
3. Right-click the server object for the domain controller that you want to make a
preferred bridgehead server, and then click Properties.
4. On the General tab, click the intersite transport or transports for which this server
will be a preferred bridgehead server, and then click Add.
Active Directory Management Pack Technical Reference for MOM 2005 on the
Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=41369)
For information about Active Directory known issues and best practices, see the following
resources:
For general information about how Active Directory works and how to manage and
configure Active Directory, see the following resources: