
Active Directory

Product Operations Guide












Managing the Windows Server Platform



The information contained in this document represents the current view of Microsoft
Corporation on the issues discussed as of the date of publication. Because
Microsoft must respond to changing market conditions, it should not be interpreted
to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the
accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO
WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS
DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without
limiting the rights under copyright, this document may be reproduced, stored in or
introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), but only for the
purposes provided in the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other
intellectual property rights covering subject matter in this document. Except as
expressly provided in any written license agreement from Microsoft, the furnishing of
this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain
names, e-mail addresses, logos, people, places, and events depicted herein are
fictitious, and no association with any real company, organization, product, domain
name, email address, logo, person, place, or event is intended or should be inferred.

© 2003 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either
registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries.

The names of actual companies and products mentioned herein may be the
trademarks of their respective owners.
Contents
Introduction to Product Operations Guide ................................................................................... 1
Document Purpose ................................................................................................................. 1
Intended Audience .................................................................................................................. 1
How to Use This Guide ........................................................................................................... 1
Background............................................................................................................................. 1
High-Level Processes for Maintaining Active Directory ............................................................... 5
Overview................................................................................................................................. 5
Technology Required .............................................................................................................. 5
Maintenance Processes Checklist ........................................................................................... 8
Operating Quadrant ............................................................................................................. 8
Supporting Quadrant ..........................................................................................................10
Optimizing Quadrant ...........................................................................................................11
Changing Quadrant ............................................................................................................13
Detailed Maintenance Actions ....................................................................................................15
Overview................................................................................................................................15
Process: Back up Active Directory ..........................................................................................16
Task: Back up Active Directory and associated components ...............................................19
Process: Non-authoritative restore of Active Directory ............................................................20
Task: Perform a non-authoritative restore of a domain controller .........................................20
Task: Restore a domain controller through reinstallation and subsequent restore
from backup .......................................................................................................................21
Process: Authoritative restore for Active Directory objects ......................................................22
Task: Perform an authoritative restore of one or more directory objects ..............................23
Task: Perform an authoritative restore of an application partition .........................................25
Task: Perform an authoritative restore of Group Policy........................................................25
Process: Recovering a domain controller through reinstallation ..............................................26
Task: Recovering a domain controller through reinstallation ................................................26
Process: Installing a domain controller for an existing domain ................................................28
Task: Preparing for Active Directory installation ..................................................................28
Task: Install Active Directory ...............................................................................................30
Task: Install Active Directory from media ............................................................................31
Task: Unattended install of Active Directory ........................................................................31
Task: Verify Active Directory installation..............................................................................32
Process: Removing Active Directory .......................................................................................34
Task: Decommission the domain controller .........................................................................35
Task: Forced removal of a domain controller .......................................................................36
Process: Rename a domain controller ....................................................................................38
Task: Rename using the System Properties user interface ..................................................38
Task: Rename using the Netdom command-line tool ..........................................................39
Process: Manage the Active Directory database .....................................................................40
Task: Relocate Active Directory database files ....................................................................41
Task: Returning unused disk space from the Active Directory database to the file
system................................................................................................................................42
Process: Managing the SYSVOL ............................................................................................45
Task: Changing the space allocated to the staging area ......................................................47
Task: Relocate the staging area..........................................................................................47
Task: Relocating SYSVOL manually ...................................................................................48
Task: Updating the system volume path..............................................................................50
Task: Restoring and rebuilding SYSVOL .............................................................................50
Process: Manage the Windows Time service..........................................................................52
Task: Configuring a time source for the forest .....................................................................53
Task: Configuring a reliable time source on a computer other than the PDC emulator .........53
Task: Configuring a client to request time from a specific time source .................................54
Task: Optimizing the polling interval ....................................................................................54
Task: Disabling the Windows Time service .........................................................................55
Process: Managing trusts .......................................................................................................56
Task: Creating external trusts .............................................................................................57
Task: Creating shortcut trusts .............................................................................................58
Task: Removing manually created trusts .............................................................................59
Task: Preventing unauthorized privilege escalation .............................................................59
Task: Creating cross-forest trusts .......................................................................................60
Task: Managing selective authentication on a cross-forest trust ..........................................61
Task: Removing the forest trust ..........................................................................................61
Process: Managing sites ........................................................................................................62
Task: Adding a new site ......................................................................................................63
Task: Adding a subnet to the network .................................................................................64
Task: Linking sites for replication ........................................................................................65
Task: Changing site link properties .....................................................................................65
Task: Moving a domain controller to a different site .............................................................66
Task: Removing a site ........................................................................................................68
Process: Manage antivirus software on domain controllers .....................................................71
Task: Exclude files not at risk of infection ............................................................................71
Task: Install software ..........................................................................................................73
Process: Add a global catalog ................................................................................................74
Task: Add the global catalog to a domain controller ............................................................75
Task: Verify the global catalog readiness ............................................................................77
Process: Removing the global catalog from a domain controller .............................................78
Task: Remove a global catalog ...........................................................................................78
Process: Identify global catalog servers in a site .....................................................................79
Task: Identifying a global catalog server .............................................................................79
Task: Identifying a site that has no global catalog servers ...................................................79
Task: Identifying sites that have universal group caching enabled .......................................79
Process: Move an operations master role ...............................................................................80
Task: Designating a domain controller for an operations master role ...................................85
Task: Verifying the transfer of an operations master role .....................................................86
Process: Reduce the workload on the PDC emulator..............................................................87
Task: Adjusting the DNS weight setting...............................................................................87
Task: Adjusting the DNS priority registry setting ..................................................................87
Process: Transferring a role holder .........................................................................................89
Task: Transfer to the standby operations master role ..........................................................90
Task: Transfer an operations master role when no standby is ready ...................................90
Process: Seize an operations master role...............................................................................92
Task: Seizing an operations master role .............................................................................94
Process: Choose a standby operations master .......................................................................96
Task: Choosing a standby operations master ......................................................................97
Processes by MOF Role Clusters ..............................................................................................99
Operations Role Cluster .....................................................................................................99
Support Role Cluster ........................................................................................................100
Release Role Cluster ........................................................................................................100
Infrastructure Role Cluster ................................................................................................101
Security Role Cluster ........................................................................................................102
Partner Role Cluster .........................................................................................................102
Appendix .................................................................................................................................103
Procedure Details ................................................................................................................103

Contributors
Program Manager
Jeff Yuhas, Microsoft Corporation
Chris Macaulay, Microsoft Corporation
Lead Contributors
Nigel Cain, Microsoft Corporation
Arren Conner, Microsoft Corporation
Dmitry Dukat, Microsoft Corporation
Levon Esibov, Microsoft Corporation
Khushru Irani, Microsoft Corporation
Kamal Janardhan, Microsoft Corporation
Gregory Johnson, Microsoft Corporation
William Lees, Microsoft Corporation
Andreas Luther, Microsoft Corporation
Kevin Sims, Microsoft Corporation
Jeromy Statia, Microsoft Corporation
Test Manager
Greg Gicewicz, Microsoft Corporation
QA Manager
Jim Ptaszynski, Microsoft Corporation
Lead Technical Writer
Jerry Dyer, Microsoft Corporation
Lead Technical Editor
Laurie Dunham, Microsoft Corporation
Technical Editor
Patricia Rytkonen, Volt Technical Services
Production Editor
Kevin Klein, Volt Technical Services


1
Introduction to Product Operations Guide
Document Purpose
This guide describes processes and procedures for improving the management of Microsoft Active Directory directory service in an information technology (IT) infrastructure.
Intended Audience
This material should be useful for anyone planning to deploy this product into an existing IT infrastructure, especially one based on the IT Infrastructure Library (ITIL), a comprehensive set of best practices for IT service management, and Microsoft Operations Framework (MOF). It is aimed primarily at two main groups: IT managers and IT support staff (including analysts and service-desk specialists).
How to Use This Guide
This guide is divided into five chapters. The first chapter provides basic background information. The second chapter provides a high-level checklist of the processes required for maintaining this product. The third chapter takes a more detailed look at the processes described in the maintenance chapter and maps them to the tasks and procedures that make up each process. The fourth chapter organizes processes by the role responsible for each process. The fifth chapter contains an appendix with procedure details, including requirements and steps.
The guide may be read as a single volume, including the detailed maintenance and troubleshooting sections. Reading the document this way will provide the necessary context so that later material can be understood more readily. However, some people will prefer to use the document as a reference, only looking up information as they need it.
Background
This guide is based on Microsoft Solutions for Management (MSM). MSM provides a combination of best practices, best-practice implementation services, and best-practice automation, all of which help customers achieve operational excellence as demonstrated by high quality of service, industry reliability, availability, security, and low total cost of ownership (TCO).
These MSM best practices are based on MOF, a structured, yet flexible approach centered on ITIL. MOF includes guidelines on how to plan, deploy, and maintain IT operational processes in support of mission-critical service solutions.
Central to MOF, and to understanding the structure of this guide, are the MOF Process and Team Models. The Process Model and its underlying service management functions (SMFs) are the foundation for the process-based approach that this guide recommends for maintaining a product. The Team Model and its role clusters offer guidance for how to ensure the proper people are assigned to operational roles.
Figure 1 shows the MOF Process Model combined with the SMFs that make up each quadrant of the Process Model.

Figure 1
MOF Process Model and SMFs
Figure 2 shows the MOF Team Model, along with some of the many functional roles or function teams that might exist in service-management organizations. Those roles and function teams are shown mapped to the MOF role cluster to which they would likely belong.

[Figure 2: MOF Team Model. Role clusters with the example function teams grouped under each in the figure:]
Release: Change management; Release/systems engineering; Configuration control/asset management; Software distribution/licensing; Quality assurance
Operations: Messaging operations; Database operations; Network administration; Monitoring/metrics; Availability management
Security: Intellectual property protection; Network and system security; Intrusion detection; Virus protection; Audit and compliance admin; Contingency planning
Partner: Maintenance vendors; Environment support; Managed services, outsourcers, trading partners; Software/hardware suppliers
Infrastructure: Enterprise architecture; Infrastructure engineering; Capacity management; Cost/IT budget management; Resource and long-range planning
Support: Service desk/help desk; Production/production support; Problem management; Service level management

Figure 2
MOF Team Model and examples of functional roles or teams
The MOF Team Model is built on six quality goals, which are described and matched with the applicable team role cluster in Table 1.
Table 1. MOF Team Model Quality Goals and Role Clusters
Quality Goal | Team Role Cluster
Effective release and change management. Accurate inventory tracking of all IT services and systems. | Release
Management of physical environments and infrastructure tools. | Infrastructure
Quality customer support and a service culture. | Support
Predictable, repeatable, and automated system management. | Operations
Mutually beneficial relationships with service and supply partners. | Partner
Protected corporate assets, controlled authorization, and proactive security planning. | Security

Further information about MSM and MOF is available at http://www.microsoft.com/solutions/msm/techinfo/default.asp, or search for the topic on TechNet at http://www.microsoft.com/technet/default.asp. You can also contact your local Microsoft or partner representative.


2
High-Level Processes for Maintaining Active Directory
Overview
Every company consists of employees (people), activities that those employees perform (processes), and tools that help them perform those activities (technology). No matter what the business, it most likely consists of people, processes, and technology working together to achieve a common goal. Table 2 illustrates this point.
Table 2. People, Processes, and Technology Working Together
Area | People | Process | Technology
Auto repair industry | Mechanic | Repair manual | Socket set
Software development industry | Programmer | Project plan | Compiler; debugger
IT operations | IT technician | Microsoft Operations Framework | Microsoft Active Directory

The focus of this product operations guide is Active Directory directory service, the directory service for the Microsoft Windows Server 2003 family. Active Directory stores information about objects on the network; its logical, hierarchical organization of directory information makes it easy for administrators and users to find this information.
Windows Server 2003 brings many improvements to Active Directory, making it more versatile, dependable, and economical to use. In Windows Server 2003, Active Directory provides increased performance and scalability. It also allows you greater flexibility for designing, deploying, and managing an organization's directory.
Technology Required
Table 3 lists the tools or technologies used in the processes, and their subordinate tasks and procedures, described in this guide. All tools should be accessed from a Windows Server 2003 server console, except in those cases where a link is provided.
Table 3. Tools or Technologies Required to Manage Active Directory
(Columns: Required Technology; Description; Location)

Backup utility
Description: Performs backup and restore operations. It is automatically installed with Windows Server 2003. In Windows Server 2003, the backup utility is Backup.exe. The wizard, or basic mode, is called Backup or Restore Wizard; and in advanced mode, it is called Backup Utility.
Location: Start > All Programs > Accessories > System Tools > Backup. Or to open the Backup tool using the command line: Start > Run. In the Open box, type ntbackup and then click OK.

DNS Manager
Description: Used for modifying DNS parameters. These centralized management and monitoring tools can be found either in Administrative Tools after initial installation of the DNS service, or through Adminpak.msi.
Location: Start > Control Panel > Administrative Tools. Or to open DNS Manager using the command line, type: %systemroot%\System32\dnsmgmt.msc

Active Directory Domains and Trusts Microsoft Management Console snap-in
Description: Used for modifying Active Directory domains and trusts. These centralized management and monitoring tools can be found either in Administrative Tools after initial installation of the Active Directory, or through Adminpak.msi.
Location: Start > Control Panel > Administrative Tools. Or to open the MMC snap-in using the command line, type: %systemroot%\System32\domain.msc

Active Directory Installation Wizard
Description: Used to promote or demote a domain controller.
Location: Start > Run > dcpromo

Active Directory Schema snap-in
Description: Used for modifying Active Directory schema. This tool does not appear by default in Administrative Tools.
Location: Open the MMC snap-in using the command line, type: %systemroot%\System32\schmmgmt.msc

Active Directory Sites and Services MMC snap-in
Description: Used for modifying Active Directory sites and services. This centralized management and monitoring tool can be found either in Administrative Tools after initial installation of the Active Directory, or through Adminpak.msi.
Location: Start > Control Panel > Administrative Tools. Or to open the MMC snap-in using the command line, type: %systemroot%\System32\dssite.msc

Active Directory Users and Computers MMC snap-in
Description: Used for modifying Active Directory users and computers. These centralized management and monitoring tools can be found either in Administrative Tools after initial installation of the Active Directory, or through Adminpak.msi.
Location: Start > Control Panel > Administrative Tools. Or to open the MMC snap-in using the command line, type: %systemroot%\System32\dsa.msc

ADSI Edit MMC snap-in
Description: Used for editing Active Directory to add, delete, or move objects within the directory. This centralized management and monitoring tool can be found either in Administrative Tools after initial installation of the Active Directory, or through Adminpak.msi.
Location: Open the MMC snap-in using the command line, type: %systemroot%\System32\adsiedit.msc

Dcdiag.exe
Description: This command line tool analyzes the state of domain controllers in the forest or enterprise and reports any problems to assist in troubleshooting.
Location: Start > Run > dcdiag.exe

Event Viewer
Description: Provides logs for transactional reactive reviews of system and service events. It is automatically installed with Windows Server 2003.
Location: Start > Control Panel > Administrative Tools > Event Viewer. Or to open Event Viewer using the command line: Start > Run. In the Open box, type eventvwr.msc and then click OK.

Ldp.exe
Description: Used to connect, bind, search, modify, add, and delete against any LDAP-compatible directory such as Active Directory. Used to view objects stored in Active Directory along with their metadata.
Location: Start > Run. In the Open box, type ldp.exe and then click OK.

Net.exe
Description: A set of commands for a variety of tasks, such as managing user accounts and computer accounts, sending messages, and managing shared resources.
Location: Start > Run > cmd; at the command prompt, type net to see options.

Netdiag.exe
Description: Helps isolate networking and connectivity problems by performing a series of tests to determine the state of the network client.
Location: Start > Run > cmd; at the command prompt, type netdiag /? to see options.

Netdom.exe
Description: Enables administrators to manage Windows 2000 and Windows Server 2003 domains and trust relationships from the command line.
Location: Start > Run > cmd; at the command prompt, type netdom /? to see options.

Nltest.exe
Description: Helps you get a list of domain controllers, force a remote shutdown, and query the status of trust relationships.
Location: Start > Run > cmd; at the command prompt, type nltest /? to see options.

Ntdsutil.exe
Description: Used to perform database maintenance of Active Directory, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled.
Location: Start > Run > cmd; at the command prompt, type ntdsutil /? to see options.

Registry Editor
Description: Enables you to view and change settings within the registry.
Location: Start > Run > regedit

Repadmin.exe
Description: Command line tool that helps administrators diagnose replication problems between domain controllers.
Location: Start > Run > cmd; at the command prompt, type repadmin /? to see options.

Secedit.exe
Description: Configures and analyzes system security by comparing current configuration with at least one security template.
Location: Start > Run > cmd; at the command prompt, type secedit /? to see options.

Services snap-in
Description: MMC snap-in that allows you to start, stop, or restart Windows services.
Location: Start > Run > MMC > Services.msc

Ultrasound
Description: A tool that allows administrators to monitor the health of the file replication service (FRS).
Location: See www.microsoft.com for more information on the Ultrasound utility.

W32tm.exe
Description: A tool used to diagnose problems having to do with Windows time.
Location: Start > Run > cmd; at the command prompt, type w32tm /? to see options.

Maintenance Processes Checklist
The following tables provide a quick reference for those product maintenance processes that need to be performed on a regular basis. These tables represent a summary of the processes, and their subordinate tasks and procedures, described in more detail in subsequent chapters of this guide. They are limited to those processes required for maintaining the product.
Only the pertinent MOF quadrants and SMFs are addressed in this chapter. For example, there are no processes that fall within the Supporting Quadrant. There is a placeholder for the Supporting Quadrant, but no tables.
Also, because all of the Active Directory maintenance processes addressed here fall into the as-needed category, the daily, weekly, and monthly portions of the tables are blank. Only the portion of each table that has associated processes is filled in.
Each listed process is linked to a detailed explanation of the process in the following chapter.
Operating Quadrant
The processes for this section are based on the service management functions that make up the MOF Operating Quadrant. Further information on the MOF Process Model and the MOF SMFs is available at http://www.microsoft.com/solutions/msm and http://www.microsoft.com/mof.
System Administration SMF
Daily Processes
Process Name | Related SMF | MOF Role Cluster
Back up Active Directory | | Operations
Weekly Processes
Process Name | Related SMF | MOF Role Cluster
There are no weekly processes for this SMF.

Monthly Processes
Process Name | Related SMF | MOF Role Cluster
There are no monthly processes for this SMF.

As-Needed Processes
Process Name | Related SMF | MOF Role Cluster
Restore Active Directory | | Operations
Rename a domain controller | | Operations
Transferring a role holder | | Infrastructure
Seize an operations master role | | Infrastructure
Choose a standby operations master | | Infrastructure
Managing the SYSVOL | | Infrastructure
Managing sites | | Infrastructure
Authoritative restore for Active Directory objects | | Operations
Recovering a domain controller through reinstallation | | Operations
Move an operations master role | | Infrastructure

Security Administration SMF
Daily Processes
Process Name | Related SMFs | MOF Role Cluster
There are no daily processes for this SMF.

Weekly Processes
Process Name | Related SMFs | MOF Role Cluster
There are no weekly processes for this SMF.

Monthly Processes
Process Name | Related SMFs | MOF Role Cluster
There are no monthly processes for this SMF.

As-Needed Processes
Process Name | Related SMFs | MOF Role Cluster
Manage antivirus software on domain controllers | | Security

Supporting Quadrant
There are no Active Directory processes that fall within the MOF Supporting Quadrant and its SMFs.
Optimizing Quadrant
The tasks for this section are based on the SMFs that make up the MOF Optimizing Quadrant.
Availability Management SMF
Daily Processes
Process Name | Related SMFs | MOF Role Cluster
There are no daily processes for this SMF.

Weekly Processes
Process Name | Related SMFs | MOF Role Cluster
There are no weekly processes for this SMF.

Monthly Processes
Process Name | Related SMFs | MOF Role Cluster
There are no monthly processes for this SMF.

As-Needed Processes
Process Name | Related SMFs | MOF Role Cluster
Manage the Active Directory database | | Infrastructure
Add a global catalog | | Infrastructure
Manage the Windows Time service | | Infrastructure
Managing trusts | | Infrastructure

Capacity Management SMF
Daily Processes
Process Name | Related SMFs | MOF Role Cluster
There are no daily processes for this SMF.

Weekly Processes
Process Name | Related SMFs | MOF Role Cluster
There are no weekly processes for this SMF.

Monthly Processes
Process Name | Related SMFs | MOF Role Cluster
There are no monthly processes for this SMF.

As-Needed Processes
Process Name | Related SMFs | MOF Role Cluster
Removing the global catalog from a domain controller | | Infrastructure
Identify global catalog servers in a site | | Infrastructure
Reduce the workload on the PDC emulator | | Infrastructure
Changing Quadrant
The processes for this section are based on the SMFs that make up the MOF Changing Quadrant.
Release Management SMF
Daily Processes
Process Name                                        Related SMFs    MOF Role Cluster
There are no daily processes for this SMF.

Weekly Processes
Process Name                                        Related SMFs    MOF Role Cluster
There are no weekly processes for this SMF.

Monthly Processes
Process Name                                        Related SMFs    MOF Role Cluster
There are no monthly processes for this SMF.

As-Needed Processes
Process Name                                        Related SMFs    MOF Role Cluster
Installing a domain controller for an existing domain               Release

Change Management SMF
Daily Processes
Process Name                                        Related SMFs            MOF Role Cluster
There are no daily processes for this SMF.

Weekly Processes
Process Name                                        Related SMFs            MOF Role Cluster
There are no weekly processes for this SMF.

Monthly Processes
Process Name                                        Related SMFs            MOF Role Cluster
There are no monthly processes for this SMF.

As-Needed Processes
Process Name                                        Related SMFs            MOF Role Cluster
Removing Active Directory                           Release Management SMF  Release


3 Detailed Maintenance Actions
Overview
This chapter provides detailed information about the processes that must be performed in order to maintain Active Directory. These processes are arranged according to the MOF quadrant to which they belong and, within each quadrant, by the MOF service management functions (SMFs) that make up that quadrant.
Those quadrants are:
Operating Quadrant
Supporting Quadrant
Optimizing Quadrant
Changing Quadrant

Further information about the MOF Process Model and the MOF SMF guides is available at http://www.microsoft.com/solutions/msm. Further information about the MOF Team Model and role clusters is available at http://www.microsoft.com/mof.

Operating Quadrant: System Administration SMF
Operations Role Cluster: Daily
Process: Back up Active Directory
Description
Active Directory is backed up as part of Microsoft Windows system state, a collection of system components that depend on each other. All system state components must be backed up and restored together.
The system state components on a domain controller include:
System start-up (boot) files. These are the files required for Windows Server 2003 to start.
System registry.
Class registration database of component services. The Component Object Model (COM) is a binary standard for writing component software in a distributed systems environment.
System volume (SYSVOL). SYSVOL provides a default Active Directory location for files that must be shared for common access throughout a domain. The SYSVOL folder on a domain controller contains:
  Net Logon shared folders. These usually host user logon scripts and Group Policy objects (GPOs) for down-level network clients that are not running Windows 2000 or later.
  User logon scripts for Active Directory-enabled clients.
  Windows Server 2003 GPOs.
  File system junctions.
  File Replication service (FRS) staging directories and files that are required to be available and synchronized between domain controllers.
Active Directory, including:
  The Active Directory database (Ntds.dit)
  The checkpoint file (Edb.chk)
  The transaction logs, each 10 megabytes (MB) in size (Edb*.log)
  Reserved transaction logs (Res1.log and Res2.log)

If you use Active Directory-integrated Domain Name System (DNS), be sure that you back up a domain controller that is hosting DNS. If you do not use Active Directory-integrated DNS, you must explicitly back up the zone files. However, if you back up the system disk along with the system state, zone data is backed up as part of the system disk.
If you installed Windows Clustering or Certificate Services on your domain controller, they are also backed up as part of system state. Details of these components are not discussed in this guide.
Purpose
There are several reasons why a current, verified, and reliable backup is needed:
To restore Active Directory data that becomes lost or corrupted. Using an authoritative restore process, you can restore individual objects or sets of objects from their deleted state.
To recover a domain controller that cannot boot normally because of software or hardware failure.
To perform a forest recovery in the event that forest-wide corruption occurs.
To perform an install from media operation. This new feature in Windows Server 2003 allows you to promote a new domain controller and populate it with current information from a local source, rather than having to wait for a full sync replication over potentially much slower media, for example, a 56K connection.

Guidelines
Although the Backup tool in Windows Server 2003 supports multiple types of backup (normal, copy, incremental, differential, and daily), the only type of backup available and supported for Active Directory is normal, because Active Directory is backed up as part of system state. A normal backup creates a backup of the entire system state while the domain controller is online.
If you do not use Active Directory-integrated DNS zones, you should include the file paths that contain all of your DNS zone files in the backup, in addition to the system state and/or system disk, to ensure a successful recovery.
Which domain controllers to back up
For every Active Directory domain, you can define a backup set composed of the physical domain controllers that would be required to successfully restore the domain. The collection of domain backup sets ensures that a forest restore operation can be performed.
At a minimum, the backup set consists of two or more domain controllers for each domain and at least one domain controller that is a member of each application partition replica set.
The backup set must contain a system state and a system disk backup for each computer in the set, and must include a global catalog server.
If you are using Active Directory-integrated DNS, it is useful to back up at least one DNS server.

Note A backup can only be used to restore the domain controller that the backup was generated
from. It cannot be used to restore a different domain controller or this domain controller onto
different hardware.

When to back up Active Directory
At a minimum, each domain controller in the backup set must be backed up at least twice within the tombstone lifetime. By default, the tombstone lifetime is 60 days, which places the requirement of a backup for each domain controller in the backup set every 30 days.
While monthly backup operations are adequate for successful disaster recovery, they do not facilitate the recovery of new information since the last backup. You will need to consider these changes when you are planning backup frequency. The frequency of backups is dictated both by business requirements and technical requirements and should be adjusted according to your deployment's needs.
By default, machine accounts change their passwords every 30 days. Therefore, domain controllers will also change their machine account passwords every 30 days. If you were to restore a domain controller with an old password, it could result in that domain controller being unable to replicate with its partners. Therefore, to minimize the effect of restoring a domain controller with an old password, you should perform a backup more than once every 30 days.
In addition to regular backup requirements, an immediate backup should be taken when:
The storage location of the database (Ntds.dit) or log files is changed.
A domain controller is upgraded from Windows 2000 Server to Windows Server 2003, or after any further operating system upgrade.
A current backup is required for an install from media operation for a new domain controller.
The tombstone lifetime is changed.

Note A backup from a Windows 2000 Server cannot be used to restore a domain controller running
Windows Server 2003.


Active Directory protects itself from restoring data older than the tombstone lifetime by disallowing the restore. As a result, the useful life of a backup is equivalent to the tombstone lifetime setting for the enterprise.
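The scheduling rule above can be checked and enforced by script. The following Windows PowerShell example is added here and is not part of the original guide or of any Microsoft tool: it reads tombstoneLifetime from the configuration partition, derives the longest acceptable gap between backups (half the tombstone lifetime, and never more than the 30-day machine account password interval), warns if the newest backup is older than that, then runs a system state backup with Ntbackup and locks down the target folder. It assumes Windows PowerShell 2.0 or later on the domain controller; the backup folder D:\ADBackup is hypothetical.

```powershell
# Added example (not from the guide). Assumes Windows PowerShell 2.0+ on a Windows Server 2003
# domain controller; D:\ADBackup is a hypothetical target folder.

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime lives on the Directory Service object in the Configuration partition.
    # When the attribute is absent the default applies: 60 days in the forests this guide
    # describes (forests first created with Windows Server 2003 SP1 media default to 180).
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    $ds = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value = $ds.Properties['tombstoneLifetime'].Value
    if ($value -eq $null) { return 60 }
    return [int]$value
}

function Get-MaxBackupIntervalDays([int]$TombstoneLifetimeDays) {
    # Two backups per tombstone lifetime means no more than TSL/2 days apart; the 30-day
    # machine account password rotation caps the useful age of a backup further still.
    return [int][Math]::Min([Math]::Floor($TombstoneLifetimeDays / 2), 30)
}

function Backup-SystemState([string]$TargetDir) {
    if (-not (Test-Path $TargetDir)) { New-Item -ItemType Directory -Path $TargetDir | Out-Null }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    $bkf   = Join-Path $TargetDir ('{0}-systemstate-{1}.bkf' -f $env:COMPUTERNAME, $stamp)
    # "systemstate" selects the whole system state (a normal backup, the only type the guide
    # supports for Active Directory); /v:yes verifies the media, /l:s writes a summary log.
    & ntbackup backup systemstate /j "AD system state $stamp" /f $bkf /v:yes /l:s
    if (-not (Test-Path $bkf)) { throw "Ntbackup did not create $bkf; check its log in the Backup UI" }
    return $bkf
}

function Protect-BackupFolder([string]$Path) {
    # The .bkf contains Ntds.dit, i.e. every password hash in the domain. Strip inherited
    # permissions and leave only Administrators and SYSTEM with access.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

$target  = 'D:\ADBackup'   # hypothetical
$tsl     = Get-TombstoneLifetimeDays
$maxDays = Get-MaxBackupIntervalDays $tsl
$latest  = Get-ChildItem -Path $target -Filter *.bkf -ErrorAction SilentlyContinue |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($latest) {
    $age = ((Get-Date) - $latest.LastWriteTime).Days
    if ($age -ge $maxDays) { Write-Warning "Newest backup $($latest.Name) is $age days old; limit is $maxDays" }
}
$file = Backup-SystemState $target
Protect-BackupFolder $target
"Backed up system state to $file (tombstone lifetime $tsl days, back up at least every $maxDays days)"
```

Run it from a scheduled task under an account in Administrators on the domain controller. The folder ACL matters as much as the schedule: anyone who can read the .bkf can extract every domain password hash from it offline, so the backup target should be treated with the same care as the domain controller itself.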
Task: Back up Active Directory and associated components
Procedure: Back up system state
Link to procedure.
Procedure: Back up system state and the system disk
Link to procedure.
Dependencies
None
Technology Required
Backup
Tape drive or other backup media


Operating Quadrant: System Administration SMF
Operations Role Cluster: As Needed
Process: Non-authoritative restore of Active Directory
Description
A non-authoritative restore returns the domain controller to its state at the time of backup and then allows normal replication to overwrite that state with any changes that have occurred after the backup was taken. After you restore the system state, the domain controller queries its replication partners. The replication partners replicate any changes to the restored domain controller, ensuring that the domain controller has an accurate and updated copy of the Active Directory database.
Purpose
A non-authoritative restore allows the entire directory to be restored on a domain controller, without reintroducing or changing objects that have been modified since the backup. The most common use of a non-authoritative restore is to bring an entire domain controller back, often after catastrophic or debilitating hardware failures. It is uncommon for data corruption to drive a non-authoritative restore, unless the corruption is local and the database cannot be successfully loaded.
Guidelines
If you intend to restore a deleted object (or objects), you should refer to the procedures outlined for an authoritative restore. A non-authoritative restore should be used any time the entire directory is being restored on a single domain controller in order to deal with a local database corruption or hardware failure. A non-authoritative restore can be performed on a Windows Server 2003 system that is a stand-alone server, member server, or domain controller. A domain controller must be in Directory Services Restore Mode to perform a non-authoritative restore.
Task: Perform a non-authoritative restore of a domain controller
A non-authoritative restore is the default method for restoring Active Directory. To perform a non-authoritative restore, you must be able to start the domain controller in Directory Services Restore Mode. After you restore the domain controller from backup media, replication partners use the standard replication protocols to update both Active Directory and associated information on the restored domain controller.
Procedure 1: Restart the domain controller in Directory Services Restore Mode

Note In cases where you have to reinstall the operating system, you do not need to start in Directory Services Restore Mode before you restore the directory. After you have reinstalled the operating system, you can perform the restore after the computer boots normally.

Link to procedure.
Procedure 2: Restore from backup media
Link to procedure.
Procedure 3: Verify Active Directory restore
Link to procedure.
Task: Restore a domain controller through reinstallation and subsequent restore from backup
If you cannot restart a domain controller in Directory Services Restore Mode, you can restore it through reinstallation of the operating system, and subsequently restore Active Directory from backup.
In order for the restore operation to succeed, Windows Server 2003 must be reinstalled to the same drive letter as previously and with at least the same amount of physical drive space. After you reinstall Windows Server 2003, perform a non-authoritative restore of the system state and the system disk.
Procedure 1: Install Windows Server 2003
This guide does not address installing Windows Server 2003.
Procedure 2: Restore from backup media
Link to procedure.
Procedure 3: Verify Active Directory restore
Link to procedure.
Dependencies
The domain controller being restored needs to have a previous backup taken with the Backup utility.
Technology Required
Backup
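The verification step in both tasks above (Procedure 3) comes down to one question: has every replication partner successfully replicated into the restored domain controller since the restore? The following Windows PowerShell example is added here and is not part of the original guide or the linked procedure. It parses the CSV form of repadmin /showrepl, flags any inbound link with failures or without a success since a reference time, and runs against a constructed sample so it can be tried offline. It assumes Windows PowerShell 2.0 or later and the Windows Server 2003 SP1 Support Tools version of repadmin (the one with /csv); DC01, DC02, DC03 and contoso.com are hypothetical.

```powershell
# Added example (not from the guide). Assumes Windows PowerShell 2.0+ and repadmin from the
# Windows Server 2003 SP1 Support Tools (/csv switch). The sample CSV below is constructed.

function Get-ReplicationStatus([string[]]$ShowReplCsvLines) {
    # repadmin /showrepl <dc> /csv prints a header row whose first column is "showrepl_COLUMNS";
    # every following row starts with "showrepl_INFO". Drop that marker column and parse the rest.
    $rows = $ShowReplCsvLines | Where-Object { $_ -match '^showrepl_' } |
            ForEach-Object { $_ -replace '^showrepl_\w+,', '' }
    $rows | ConvertFrom-Csv
}

function Test-RestoredDcHealthy([string[]]$ShowReplCsvLines, [datetime]$Now = (Get-Date),
                                [int]$MaxHoursSinceSuccess = 24) {
    # Healthy means every inbound partner link has zero failures and a success after the restore.
    $bad = @(Get-ReplicationStatus $ShowReplCsvLines | Where-Object {
        ([int]$_.'Number of Failures') -gt 0 -or
        ($Now - [datetime]$_.'Last Success Time').TotalHours -gt $MaxHoursSinceSuccess
    })
    return @{ Healthy = ($bad.Count -eq 0); Problems = $bad }
}

# Constructed sample of "repadmin /showrepl DC02 /csv" output: one good link, one failing link.
$sample = @(
  'showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status',
  'showrepl_INFO,Default-First-Site-Name,DC02,"DC=contoso,DC=com",Default-First-Site-Name,DC01,RPC,0,0,2003-09-20 09:15:02,0',
  'showrepl_INFO,Default-First-Site-Name,DC02,"CN=Configuration,DC=contoso,DC=com",Branch-01,DC03,RPC,3,2003-09-20 09:20:11,2003-09-19 22:00:41,8453'
)

$result = Test-RestoredDcHealthy -ShowReplCsvLines $sample -Now ([datetime]'2003-09-20 10:00:00')
$result.Problems | ForEach-Object {
    '{0} from {1} ({2}): {3} failure(s), last status {4}' -f $_.'Naming Context', $_.'Source DSA',
        $_.'Source DSA Site', $_.'Number of Failures', $_.'Last Failure Status'
}
"Healthy: $($result.Healthy)"
# Against a live domain controller:  Test-RestoredDcHealthy -ShowReplCsvLines (& repadmin /showrepl DC02 /csv)
```

With the sample input the DC03 link is reported (3 failures, status 8453) and Healthy is False. A status of 8453 is the access-denied replication error, which after a restore usually points at the stale machine account password discussed under "When to back up Active Directory".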

Operating Quadrant: System Administration SMF
Operations Role Cluster: As Needed
Process: Authoritative restore for Active Directory objects
Description
An authoritative restore process returns an object to its state at the time of the most recent backup. Changes made since the latest backup will be erased. This differs from a non-authoritative restore, which relies on the presence of a replication partner to bring in the current data, including information about objects that were deleted since the backup.
An authoritative restore should not be relied on as part of a change control infrastructure. Proper delegation of administration and change enforcement will optimize data consistency, integrity, and security.
Purpose
An authoritative restore is most commonly used to restore corrupt or deleted objects from the directory, for example, a deleted user account. An authoritative restore should not be used to restore an entire domain controller.
Guidelines
An authoritative restore of a subtree or leaf object restores that subtree or leaf and marks it as authoritative for the directory. This means that the restored object will be replicated out to other domain controllers and will be the data that is maintained moving forward. In cases where the object was deleted, it will be revived; in other cases, the object will be returned to a previous state.
It is important to ensure successful recovery of the information being restored. Group membership is particularly sensitive and can be greatly affected by the procedures that are followed during an authoritative restore.
You begin by restoring from backup media, just as in a non-authoritative restore, and then perform the following additional steps to complete an authoritative restore.
Task: Perform an authoritative restore of one or more directory objects

Note If the objects that were deleted do not include group objects, then you don't need to perform steps 3-10. Additionally, if the groups that were deleted do not have members among the list of deleted objects, then you do not need to perform steps 3-10.

Procedure 1: Restore from backup media
Link to procedure.
Procedure 2: Mark the object(s) authoritative
Once the data has been restored from backup, you must select which objects are to be marked authoritative in order to have them replicated to other domain controllers. In order to complete this operation, you must know the full distinguished name (also known as DN) of the object you wish to restore.
Link to procedure.
Procedure 3: Reboot the computer in isolation
To combat some of the challenges of a distributed system and to ensure successful restoration of data, it is necessary to follow some additional precautions during the authoritative restore process.
Rebooting the machine in isolation helps you prepare for the next step, which is to turn off inbound replication, since you cannot turn off inbound replication in Directory Services Restore Mode.
If you do need to reboot, the most common way to boot a computer in isolation is to remove the network connection from the domain controller by physically removing the network cable. Alternate methods may be possible depending on your network hardware and enterprise practices.
It is important to prevent the domain controller from communicating with any other domain controller in the domain or forest. You should also isolate the domain controller from any clients that could invoke change on any object in the directory.
Procedure 4: Turn off inbound replication using repadmin
By turning off inbound replication, you ensure that no changes replicate into the domain controller and alter group membership.
Link to procedure.
Procedure 5: Reconnect the computer to the network
Once inbound replication has been turned off, it is safe to reconnect the domain controller to the network.
If you isolated your computer by removing the network cable or by disconnecting the network connection from the domain controller, reconnect it to bring the domain controller back onto the network.
If you followed other procedures based on your enterprise network equipment, follow the equipment's recommendations for reconnecting the domain controller to the network.
Procedure 6: Allow this computer to replicate with all its partners
In order for the newly restored object to become available and be instantiated in its restored form on all domain controllers, successful replication between the domain controller originating the restored changes and its partners must occur.
Link to procedure.

Procedure 7: Restart domain controller in Directory Services Restore Mode
Link to procedure.
Procedure 8: Mark the object(s) authoritative
One of the challenges of restoring objects, and their group memberships, is the fact that the membership and the object may replicate in different orders. If the membership replicates before a user is restored, the receiving domain controller will not update the membership, as the user does not exist. In order to overcome the effects of this behavior, it is necessary to mark the objects that have been restored authoritative a second time, and once again have the information replicated out.
Link to procedure.
Procedure 9: Reboot computer
Once the authoritative restore of the object or objects has been completed a second time, the domain controller can be rebooted into normal mode.

Note There are no further details for this procedure.

Procedure 10: Turn on inbound replication
Link to procedure.
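The ntdsutil and repadmin calls behind steps 2, 4, 6, 8 and 10 above, collected into a Windows PowerShell example that is added here and is not part of the original guide or of the linked procedures. The steps that need a reboot (3, 7 and 9) or the network cable pulled stay manual, so each function is annotated with the mode it must run in. It assumes Windows PowerShell 2.0 or later; DC01 and the two distinguished names are hypothetical.

```powershell
# Added example (not from the guide). Assumes Windows PowerShell 2.0+; DC01 and the DNs are hypothetical.

# Steps 2 and 8: run in Directory Services Restore Mode after the system state has been
# restored from backup media. ntdsutil raises the object's version numbers so the restored copy
# wins when it replicates out; confirm its "Successfully updated ..." output before moving on.
function Set-ObjectAuthoritative([string]$DistinguishedName, [switch]$Subtree) {
    $verb = 'restore object'
    if ($Subtree) { $verb = 'restore subtree' }
    # Start-Process hands ntdsutil this string as the raw command line, so the \" quoting around
    # a DN that contains spaces arrives intact whatever PowerShell version is doing the passing.
    $cmdline = "`"authoritative restore`" `"$verb \`"$DistinguishedName\`"`" quit quit"
    Start-Process -FilePath ntdsutil.exe -ArgumentList $cmdline -NoNewWindow -Wait
}

# Steps 4 and 10: run in normal mode. Step 4 must happen while the DC is still isolated, because
# the first inbound replication cycle would otherwise overwrite the restored group memberships.
function Set-InboundReplication([string]$DomainController, [bool]$Enabled) {
    $flag = '+DISABLE_INBOUND_REPL'
    if ($Enabled) { $flag = '-DISABLE_INBOUND_REPL' }
    & repadmin /options $DomainController $flag | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "repadmin /options $flag failed with exit code $LASTEXITCODE" }
    # Read the DSA options back instead of trusting the call: the guide reconnects the
    # network cable only once inbound replication is confirmed off.
    $current  = (& repadmin /options $DomainController) -join ' '
    $disabled = $current -match 'DISABLE_INBOUND_REPL'
    if ($disabled -eq $Enabled) { throw "DSA options on $DomainController did not change: $current" }
    return $current
}

# Step 6: run in normal mode once the cable is back in. /P pushes this DC's changes to its
# partners, /A covers every naming context, /e includes partners in other sites, /d reports
# partners by distinguished name.
function Push-RestoredObjects([string]$DomainController) {
    $out = & repadmin /syncall $DomainController /A /e /P /d
    if ($LASTEXITCODE -ne 0 -or (($out -join ' ') -notmatch 'no errors')) {
        throw "repadmin /syncall reported problems:`n$($out -join "`n")"
    }
    return $out
}

# Usage, keyed to the guide's step numbers (hypothetical names):
#   DSRM,        step 2:  Set-ObjectAuthoritative 'CN=Jane Doe,OU=Sales,DC=contoso,DC=com'
#                         Set-ObjectAuthoritative 'CN=Sales Admins,OU=Sales,DC=contoso,DC=com'
#   normal mode, cable unplugged, step 4:  Set-InboundReplication -DomainController DC01 -Enabled $false
#   cable reconnected,            step 6:  Push-RestoredObjects -DomainController DC01
#   DSRM,        step 8:  repeat the step 2 calls for the same objects
#   normal mode,                  step 10: Set-InboundReplication -DomainController DC01 -Enabled $true
```

Restore the group objects as well as their members in step 2 and again in step 8: the member attribute is held on the group, so a revived user whose group is not also marked authoritative comes back with no memberships, which is exactly the silent privilege loss (or, for a group being rolled back, privilege gain) that the double marking exists to prevent. Leaving DISABLE_INBOUND_REPL set after step 10 is the other common mistake; the read-back in Set-InboundReplication catches it.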

Task: Perform an authoritative restore of an application partition
Restoration of an application partition will mark all data that is present in the application partition as authoritative for the replica set. Information that is contained within an application partition will replicate to all domain controllers in the forest that were previously present in the replica set. You should have a current, valid backup of the application partition prior to restoring, because any object changes made since that backup will be lost.
If you wish to restore an object or objects from an application partition, refer to the Task: Perform an authoritative restore of one or more directory objects.
Procedure 1: Restore from backup media
Link to procedure.
Procedure 2: Mark the application partition as authoritative
Link to procedure.
Procedure 3: Reboot computer
Once the application partition has been marked authoritative, the domain controller can be rebooted into normal mode.
Task: Perform an authoritative restore of Group Policy
Restoring a GPO restores the GPO to a previous state. A restore operation can be used in both of the following cases: the GPO was backed up but has since been deleted, or the GPO is live and you want to roll back to a known previous state. A restore operation retains the original GPO GUID even if the restore is recreating a deleted GPO. This is a key difference between the restore operation and the import or copy operations discussed in later sections of this guide.
A restore operation replaces the following components of a GPO:
GPO settings
ACLs on the GPO
WMI filter links (but not the filters themselves)

The restore operation does not restore links to a SOM (Scope of Management). Any existing links will continue to be used, for example, when restoring an existing GPO to a previous state. However, if the user has deleted a GPO and all links to the GPO, the user must recreate these links after restoring the GPO. To facilitate recreating these links, you can view the report in the backup to identify all links in the domain of the GPO.
For more information, see Administering Group Policy with the GPMC at http://www.microsoft.com/windowsserver2003/gpmc/gpmcwp.mspx.
Procedure 1: Restore Group Policy
Link to procedure.

Operating Quadrant: System Administration SMF
Operations Role Cluster: As Needed
Process: Recovering a domain controller through reinstallation
Description
Recovering through reinstallation is the same process as creating a new domain controller. It does not involve restoring from backup media. This method relies on Active Directory replication to restore a domain controller to a working state and is valid only if another healthy domain controller exists in the same domain. This option is normally used on computers that function only as a domain controller.
Purpose
Recovering through reinstallation is the only method by which a domain controller that is not part of the backup set can be restored. Additionally, this procedure may be chosen over a non-authoritative restore because of the inaccessibility of the backup media or for convenience.
Guidelines
This process assumes a complete reinstallation of the operating system. It is recommended that prior to installing the operating system, the entire system disk be formatted, which will remove all information on the system disk. Ensure that any important or relevant data is moved or backed up before performing these actions.
Recovering through reinstallation should not be a substitute for regular backup routines, which are needed to ensure a successful recovery should the need arise, as it depends on the presence of another domain controller in the same domain.
Bandwidth is the primary consideration for recovering a domain controller through reinstallation. The bandwidth required is directly proportional to the size of the Active Directory database and the time in which the domain controller is required to be in a functioning state. Ideally, the existing functional domain controller should be located in the same Active Directory site as the replicating domain controller (new domain controller) in order to reduce network impact and the time the reinstallation takes to complete.
Task: Recovering a domain controller through reinstallation
Procedure 1: Clean up metadata
Link to procedure.
Procedure 2: Install Windows Server 2003
It is assumed that a fresh installation of Windows Server 2003 will be performed. This may be preceded by partition or format actions on your hard disk drive in preparation for the install.
Procedure 3: Verify DNS registration and functionality
Link to procedure.
Procedure 4: Verify communication with other domain controllers
Link to procedure.
Procedure 5: Verify the availability of the operations masters
Link to procedure.
Procedure 6: Install Active Directory
During the installation process, replication occurs, ensuring that the domain controller has an accurate and up-to-date copy of Active Directory. Optionally, use the same information for this domain controller as the domain controller it is replacing. Site placement, domain controller name, and domain membership should remain the same. If you plan on installing the domain controller under a different name, you may wish to also refer to the process: Installing a domain controller for an existing domain.
Link to procedure.
Procedure 7: Verify Active Directory installation
Read and perform the procedures in Task: Verify Active Directory Installation. Link to task.
Dependencies
Domain Administrator credentials
Technology Required
Dcpromo.exe or Backup
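Procedure 1 (clean up metadata) as a Windows PowerShell example, added here and not part of the original guide or of the linked procedure. It uses the Windows Server 2003 SP1 form of the ntdsutil command, which accepts the Server object's distinguished name on one line; on RTM you must walk ntdsutil's connections and select operation target menus interactively. It then removes the dead domain controller's host record from DNS, which metadata cleanup does not do, and checks that neither the Server object nor the computer account is left behind. It assumes Windows PowerShell 2.0 or later and the Windows Support Tools (dsquery, dsget, dnscmd); DC02, DC01 and contoso.com are hypothetical.

```powershell
# Added example (not from the guide). Assumes Windows PowerShell 2.0+, Windows Server 2003 SP1
# ntdsutil and the Support Tools (dsquery, dnscmd). DC02, DC01 and contoso.com are hypothetical.

function Get-ServerObjectDN([string]$DomainController) {
    # The Server object lives under CN=<dc>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
    $out = & dsquery server -name $DomainController
    if (-not $out) { return $null }
    return ([string]$out).Trim('"')
}

function Remove-DomainControllerMetadata([string]$ServerObjectDN) {
    # Removes the NTDS Settings object and, with SP1 ntdsutil, the FRS member object and the
    # computer account as well. ntdsutil pops up a confirmation dialog before it deletes anything.
    $cmdline = "`"metadata cleanup`" `"remove selected server \`"$ServerObjectDN\`"`" quit quit"
    Start-Process -FilePath ntdsutil.exe -ArgumentList $cmdline -NoNewWindow -Wait
}

function Remove-StaleHostRecord([string]$DnsServer, [string]$Zone, [string]$HostName) {
    # Metadata cleanup does not touch DNS. Drop the dead DC's host record so clients and the
    # replacement DC stop resolving its name; its _msdcs SRV records are removed in the DNS console.
    & dnscmd $DnsServer /RecordDelete $Zone $HostName A /f | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Test-MetadataRemoved([string]$DomainController) {
    # Both objects must be gone before dcpromo may reuse the name. A leftover computer account
    # still carries the old DC's machine password and Domain Controllers group membership.
    $server   = & dsquery server -name $DomainController
    $computer = & dsquery computer -name $DomainController
    return @{ ServerObjectGone = (-not $server); ComputerObjectGone = (-not $computer) }
}

$dead = 'DC02'
$dn = Get-ServerObjectDN $dead
if (-not $dn) { throw "No Server object found for $dead; metadata may already be clean" }
"Removing metadata for $dn"
Remove-DomainControllerMetadata $dn
Remove-StaleHostRecord -DnsServer 'DC01' -Zone 'contoso.com' -HostName $dead | Out-Null
$state = Test-MetadataRemoved $dead
$state.GetEnumerator() | ForEach-Object { '{0,-20} {1}' -f $_.Key, $_.Value }
if ($state.Values -contains $false) {
    throw 'Leftover objects remain; delete them in Active Directory Users and Computers or Sites and Services before reinstalling.'
}
```

Run it from a healthy domain controller (DC01 here) with Enterprise Admins rights before Procedure 2. Until this is done the forest still believes DC02 exists: its replication links stay in place, its machine account stays valid, and a disk lifted from the dead server still holds a full Ntds.dit, which is one more reason the guidelines above recommend formatting the system disk.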

Changing Quadrant: Release Management SMF
Release Role Cluster: As Needed
Process: Installing a domain controller for an existing domain
Description
This process covers the installation of Active Directory onto a Windows Server 2003 system that will become a domain controller in an existing Active Directory domain. For more information regarding the best practices for planning, testing, and deploying Active Directory, refer to the Windows Server 2003 Deployment Kit: Designing and Deploying Directory and Security Services at http://www.microsoft.com/downloads/details.aspx?familyid=6cde6ee7-5df1-4394-92ed-2147c3a9ebbe&displaylang=en.
To ensure successful installation of a new domain controller, you should verify that all critical services that Active Directory depends on are configured following Microsoft best practices.
Active Directory is installed on a Windows Server 2003 server by running the Active Directory Installation Wizard. The wizard simplifies the promotion process by automating as much of the installation as possible. To run the Active Directory Installation Wizard, you must be a member of the Domain Admins group.
Purpose
There are several motivations for adding a new domain controller. Additional domain controllers may be required to serve Active Directory-integrated applications (as opposed to applications running on the domain controllers themselves), to meet increased capacity requirements, to provide upgrades and fault tolerance, and to reduce failures. For more information on criteria for deploying a new domain controller and best practices for Active Directory, refer to the Windows Server 2003 Deployment Kit: Designing and Deploying Directory and Security Services.
Guidelines
Before you begin your installation, the following conditions must exist in your environment:
Your Active Directory forest root domain must already exist with at least two properly functioning domain controllers.
If you are installing a new domain controller for a child domain, there should be at least two properly functioning domain controllers in the forest root domain.
DNS must be functioning properly.
This guide assumes you are using Active Directory-integrated DNS zones. You must configure at least one domain controller as a DNS server.

Creating or removing a domain or forest is beyond the scope of this guide.
Task: Preparing for Active Directory installation
Properly preparing for the installation of Active Directory decreases the chances of problems occurring during the installation process and helps you quickly complete the operation. Preparation includes installing and configuring DNS and gathering information that you need for the installation.
Configure DNS
The DNS client is always present on a server running Windows Server 2003. You should properly configure both the DNS client and the DNS server to ensure that name resolution and related dependencies will function as expected during the installation of Active Directory.
Ensure that any required configuration, forwarders, or zones are present and accessible prior to installation. For more information about DNS configuration best practices, see the Windows Server 2003 Deployment Kit: Designing and Deploying Directory and Security Services at http://www.microsoft.com/downloads/details.aspx?familyid=6cde6ee7-5df1-4394-92ed-2147c3a9ebbe&displaylang=en.
Site Placement
During installation, the Active Directory Installation Wizard attempts to place the new domain controller in the appropriate site. The appropriate site is determined by the domain controller's IP address and subnet mask. The wizard uses the IP information to calculate the subnet address of the domain controller and checks to see if a Subnet object exists in the directory for that subnet address. If the Subnet object exists, the wizard uses it to place the new Server object in the appropriate site. If not, the wizard places the new Server object in the same site as the domain controller that is being used as a source to replicate the directory database to the new domain controller. Make sure the Subnet object has been created for the desired site prior to running the wizard.
A site is allocated according to the following rules:
1. If you specify a site in the unattended text file that is used to create the new domain controller, the domain controller will be placed directly into that site when it is built.
2. If no site is specified in the unattended text file when the new domain controller is built, then by default the domain controller will be placed in a site based on its IP address.
3. If you specify a replica partner in the unattended text file but do not specify a site, the new domain controller should be placed in the replica partner's site.
4. If neither the replica partner nor the site is specified, then the allocation of the site is random. It will depend on the replica partner selected for initial replication.

Domain Connectivity
During the installation process, the Active Directory Installation Wizard needs to communicate with other domain controllers in order to join the new domain controller to the domain. The wizard needs to communicate with a member of the domain to receive the initial copy of the directory database for the new domain controller. It communicates with the domain naming master only when a new domain is being created. The wizard also needs to contact the relative ID (RID) master so that the new domain controller can receive its RID pool, and it needs to communicate with another domain controller in order to populate the SYSVOL shared folder on the new domain controller. All of this communication depends on proper DNS installation and configuration. By using Netdiag.exe and Dcdiag.exe, you can test all of these connections prior to starting the Active Directory Installation Wizard.
Required Information
The installation wizard asks for the following specific configuration information before it begins installing Active Directory:
A domain administrator's user name and password
Location to store the directory database and log files
The password to use for Directory Services Restore Mode
The fully qualified DNS name of the domain to which the new domain controller will be added

Have this information ready before you run the Active Directory Installation Wizard.
Procedure 1: Install the DNS Server service
Link to procedure.
Procedure 2: Gather the SYSVOL path installation information
Link to procedure.
Procedure 3: Verify DNS registration and functionality
Link to procedure.
Procedure 4: Verify that an IP address maps to a subnet and determine the site association
Link to procedure.
Procedure 5: Verify communication with other domain controllers
Link to procedure.
Procedure 6: Verify the availability of the operations masters
Link to procedure.

Caution If any of the verification tests fail, do not continue until you determine what went wrong and
fix the problems. If these tests fail, the installation is also likely to fail.
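Procedures 3 to 6 can be scripted so that the caution above is enforced rather than remembered. The following Windows PowerShell example is added here and is not part of the original guide or of the linked procedures: it computes this server's subnet from its IP address and mask the same way the wizard does, asks the directory which site that subnet maps to, and runs the Netdiag, Nltest and Dcdiag checks that cover DNS registration, reachability of a writable domain controller, the operations masters and a global catalog. It assumes Windows PowerShell 2.0 or later and the Windows Support Tools on the server being promoted; contoso.com and DC01 are hypothetical.

```powershell
# Added example (not from the guide). Assumes Windows PowerShell 2.0+ and the Windows Support Tools
# (netdiag, dcdiag, dsquery, dsget) on the server to be promoted; contoso.com and DC01 are hypothetical.

function Get-SubnetCidr([string]$IPAddress, [string]$SubnetMask) {
    # Same arithmetic the wizard applies: network = address AND mask, prefix = bits set in the mask.
    $ip   = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $mask = [System.Net.IPAddress]::Parse($SubnetMask).GetAddressBytes()
    $net = @(); $prefix = 0
    for ($i = 0; $i -lt 4; $i++) {
        $net += ($ip[$i] -band $mask[$i])
        $prefix += ([Convert]::ToString([int]$mask[$i], 2) -replace '0', '').Length
    }
    return ('{0}/{1}' -f ($net -join '.'), $prefix)
}

function Get-SiteForSubnet([string]$Cidr) {
    # Subnet objects are named after their CIDR string; dsget prints a header line, the value and
    # "dsget succeeded", so keep only the value.
    $dn = [string](& dsquery subnet -name $Cidr)
    if (-not $dn) { return $null }
    $lines = & dsget subnet $dn.Trim('"') -site | ForEach-Object { $_.Trim() }
    return ($lines | Where-Object { $_ -and $_ -ne 'site' -and $_ -notmatch '^dsget' }) | Select-Object -First 1
}

function Test-PromotionPrerequisites([string]$DomainDnsName, [string]$SourceDC) {
    $r = @{}
    # Procedure 3: the DNS client and server chain this server will register through.
    $r['DnsResolution']      = ((& netdiag /test:dns) -join "`n") -notmatch 'Failed'
    # Procedure 5: a writable DC for the target domain answers the locator.
    $r['WritableDcFound']    = ((& nltest "/dsgetdc:$DomainDnsName" /writable) -join "`n") -match 'completed successfully'
    # Procedure 6: the operations masters (the RID master hands the new DC its RID pool) are known and reachable.
    $r['OperationsMasters']  = ((& dcdiag "/s:$SourceDC" /test:fsmocheck /test:knowsofroleholders) -join "`n") -notmatch 'failed test'
    # Initial replication also needs a global catalog to be locatable.
    $r['GlobalCatalogFound'] = ((& nltest "/dsgetdc:$DomainDnsName" /gc) -join "`n") -match 'completed successfully'
    return $r
}

$nic  = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | Select-Object -First 1
$cidr = Get-SubnetCidr $nic.IPAddress[0] $nic.IPSubnet[0]
$site = Get-SiteForSubnet $cidr
if ($site) { "Subnet $cidr is associated with site $site" }
else { Write-Warning "No Subnet object for ${cidr}: the wizard would place this DC in the source DC's site. Create the subnet first." }

$checks = Test-PromotionPrerequisites -DomainDnsName 'contoso.com' -SourceDC 'DC01'
$checks.GetEnumerator() | ForEach-Object { '{0,-20} {1}' -f $_.Key, $_.Value }
if (-not $site -or ($checks.Values -contains $false)) {
    throw 'A prerequisite check failed; fix it before running the Active Directory Installation Wizard.'
}
```

For an address of 10.1.2.37 with mask 255.255.255.0, Get-SubnetCidr returns 10.1.2.0/24, which is the name the Subnet object must have for rule 2 in Site Placement to apply. The missing-subnet case is deliberately fatal: a branch domain controller that lands in the hub site will pull its initial replica across the WAN and keep servicing hub clients afterwards.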

Task: Install Active Directory
There are a number of elements to consider when installing Active Directory on a new domain controller. This task addresses the general requirements concerning site placement, connectivity, and the Active Directory Installation Wizard.
The Active Directory Installation Wizard
After you have gathered all the information that you need to run the Active Directory Installation Wizard and have performed the tests to verify that all of the necessary domain controllers are available, you are ready to install Active Directory on your server and turn it into a domain controller.
During the installation process, the wizard asks for information that it needs in order to properly configure the new domain controller. First, it asks if you want to install a domain controller in a new domain or an additional domain controller in an existing domain.
%ecuuse thls gulde pertulns to uddlng domuln controllers to domulns thut ulreudy exlst,
choose Addltlonul domuln controller ln un exlstlng domuln.
Durlng the lnstullutlon process, the wlzurd needs to communlcute wlth other domuln
controllers ln order to udd thls new domuln controller to the domuln und get the
upproprlute lnformutlon lnto the Actlve Dlrectory dutubuse. To mulntuln securlty, you
must provlde credentluls thut huve udmlnlstrutlve uccess to the dlrectory.
Procedure 1: Install Active Directory
Link to procedure.
Task: Install Active Directory from media
Installing Active Directory from media allows you to reduce the replication traffic that is initiated during the installation of an additional domain controller in an Active Directory domain, and thus reduces the time it takes to install a replica domain controller.
This task has three procedures:
Back up the system state of an existing domain controller in the same domain as the new domain controller.
Restore the system state to an alternate location locally on the new domain controller.
Promote the server to a domain controller using the dcpromo /adv option.

Procedure 1: Back up system state
Link to procedure.
Procedure 2: Restore system state to an alternate location
Link to procedure.
Procedure 3: Promote server to domain controller
Link to procedure.

Task: Unattended install of Active Directory
Running an unattended install simplifies the process of setting up Active Directory on multiple computers. The unattended install feature uses an answer file to provide answers to the questions asked during a normal setup. This allows the installation process to proceed from start to completion without user intervention. This method works best when Active Directory is being installed with identical options on many computers.
Procedure 1: Install and run Setup Manager to create an answer file (Unattend.txt)
Link to procedure.
Procedure 2: Run Active Directory automated install
In the Run dialog box, type dcpromo /answer:<answerfile> (where answerfile is the file created with Setup Manager), and click OK.
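The following PowerShell script is an added example and is not code from this guide or from Setup Manager. It writes a minimal answer file for promoting an additional domain controller in an existing domain and then runs dcpromo against it exactly as Procedure 2 describes. The domain name, site name, paths and promotion account are placeholders; the [DCInstall] keys are the ones Windows Server 2003 dcpromo reads for a replica promotion. Because the answer file carries the promotion credentials and the Directory Services Restore Mode password in clear text, the script locks the file's ACL down to Administrators and SYSTEM before writing it and deletes it as soon as dcpromo exits, then reboots itself.

```powershell
# Added example, not code from the guide. Placeholders: domain, site, paths, service account.
$AnswerFile = 'C:\DCInstall\Unattend.txt'
$Domain     = 'corp.example.com'
$PromoUser  = 'svc-dcpromo'      # account with administrative access to the directory

# Prompt for the two secrets rather than hard-coding them in the script.
$PromoPassword = Read-Host "Password for $Domain\$PromoUser"
$DsrmPassword  = Read-Host 'Directory Services Restore Mode password'

$null = New-Item -ItemType Directory -Path (Split-Path $AnswerFile) -Force
# Create the file empty first so the restrictive ACL is in place before any secret is written.
$null = New-Item -ItemType File -Path $AnswerFile -Force
$acl = Get-Acl -Path $AnswerFile
$acl.SetAccessRuleProtection($true, $false)      # stop inheriting and discard inherited ACEs
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $AnswerFile -AclObject $acl

# [DCInstall] keys for "additional domain controller in an existing domain" (ReplicaOrNewDomain=Replica).
$Lines = @(
    '[DCInstall]'
    'ReplicaOrNewDomain=Replica'
    "ReplicaDomainDNSName=$Domain"
    'SiteName=Default-First-Site-Name'   # placeholder; must be an existing site
    'DatabasePath=D:\NTDS'               # database and logs on separate drives, as the guide recommends
    'LogPath=E:\NTDSLogs'
    'SYSVOLPath=D:\SYSVOL'
    "UserName=$PromoUser"
    "UserDomain=$Domain"
    "Password=$PromoPassword"
    "SafeModeAdminPassword=$DsrmPassword"
    'RebootOnSuccess=No'                 # we reboot ourselves after the answer file is gone
)
Set-Content -Path $AnswerFile -Value $Lines -Encoding ASCII

try {
    # Equivalent of typing dcpromo /answer:<answerfile> in the Run dialog box.
    $proc = Start-Process -FilePath 'dcpromo.exe' -ArgumentList "/answer:$AnswerFile" -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        Write-Warning "dcpromo exited with code $($proc.ExitCode); see %systemroot%\debug\Dcpromo.log"
    }
} finally {
    # Never leave the clear-text passwords on disk, whether or not the promotion succeeded.
    Remove-Item -Path $AnswerFile -Force -ErrorAction SilentlyContinue
}
if ($proc.ExitCode -eq 0) { shutdown /r /t 0 /c 'Completing Active Directory installation' }
```

Run it from an elevated session on the server being promoted. Setup Manager produces a larger file with the same [DCInstall] section; the script shows only the keys a replica promotion needs.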
Task: Verify Active Directory installation
There are several verification tasks that can be performed on a newly promoted domain controller. Successfully completing the requirements of each verification task will provide a strong indication of a healthy, operational domain controller.
Procedure 1: Determine whether a Server object has Child objects
Link to procedure.
Procedure 2: Verify the site assignment for the domain controller
You must ensure that the new domain controller is located in the proper site so that after the installation is complete, the new domain controller can locate replication partners and become part of the replication topology. If the site is not correct, you can use the Active Directory Sites and Services snap-in to move the Server object for the domain controller to the proper site after Active Directory installation is complete.

Note The last dialog box displayed by the Active Directory Installation Wizard lists the site where the
new domain controller is installed. If this is not the proper site, you must move the Server object after
the server is rebooted.

Link to procedure.
Procedure 3: Move a Server object to a different site if the domain controller is located in the wrong site
Link to procedure.
Procedure 4: Configure DNS server forwarders
Link to procedure.
Procedure 5: Verify DNS configuration
Link to procedure.
Procedure 6: Check the status of the shared SYSVOL
Link to procedure.
Procedure 7: Verify DNS registration and functionality
Link to procedure.
Procedure 8: Verify domain membership for the new domain controller
Link to procedure.
Procedure 9: Verify communication with other domain controllers
Link to procedure.
Procedure 10: Verify replication with other domain controllers
Link to procedure.
Procedure 11: Verify the availability of the operations masters
Link to procedure.
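The verification procedures above, and the pre-installation checks in Procedures 3 through 6 of the task that precedes Install Active Directory, use the same command-line tools (Dcdiag.exe, Nltest, Repadmin, Netdom). The following PowerShell script is an added example, not code from the guide: it runs one command per procedure against a placeholder domain controller DC02 in the placeholder domain corp.example.com and stops with a non-zero exit code if any check fails, which is what the guide's caution requires. A check passes only when the tool exits successfully, its output contains no failure text and, where an expected string is given, that string is present.

```powershell
# Added example, not code from the guide. DC02 and corp.example.com are placeholders.
$DC     = 'DC02'
$Domain = 'corp.example.com'

function Invoke-Check {
    # Runs one command-line test; fails on a non-zero exit code, failure text in the output,
    # or (optionally) a missing expected string such as the domain controller's name.
    param([string]$Name, [string]$CommandLine, [string]$MustContain = '')
    $text = (cmd.exe /c "$CommandLine 2>&1" | Out-String)
    $ok = ($LASTEXITCODE -eq 0) -and ($text -notmatch "failed test|can't find|ERROR_|error 0x")
    if ($MustContain -ne '') { $ok = $ok -and ($text -match [regex]::Escape($MustContain)) }
    New-Object PSObject -Property @{ Check = $Name; Passed = $ok; Output = $text.Trim() }
}

# One entry per verification procedure that has a command-line equivalent.
$Results = @(
    (Invoke-Check 'Procedure 2: site assignment'             "nltest /server:$DC /dsgetsite"),
    (Invoke-Check 'Procedure 6: SYSVOL share present'        "net view \\$DC" 'SYSVOL'),
    (Invoke-Check 'Procedure 6: NETLOGON share present'      "net view \\$DC" 'NETLOGON'),
    (Invoke-Check 'Procedure 7: DNS SRV registration'        "nslookup -type=SRV _ldap._tcp.dc._msdcs.$Domain" $DC),
    (Invoke-Check 'Procedure 7: advertising as a DC'         "dcdiag /s:$DC /test:Advertising"),
    (Invoke-Check 'Procedure 8: domain secure channel'       "nltest /server:$DC /sc_query:$Domain"),
    (Invoke-Check 'Procedure 9: replication partners listed' "repadmin /showrepl $DC"),
    (Invoke-Check 'Procedure 10: replication test'           "dcdiag /s:$DC /test:Replications"),
    (Invoke-Check 'Procedure 11: operations masters known'   "dcdiag /s:$DC /test:KnowsOfRoleHolders"),
    (Invoke-Check 'Procedure 11: role holders listed'        "netdom query fsmo")
)

$Results | Format-Table Check, Passed -AutoSize
$Failed = @($Results | Where-Object { -not $_.Passed })
foreach ($f in $Failed) { Write-Warning ("{0} failed:`n{1}" -f $f.Check, $f.Output) }
# As the guide's caution states: do not continue while any verification test fails.
if ($Failed.Count -gt 0) { exit 1 }
```

Before an installation, point $DC at an existing domain controller in the target domain to exercise Procedures 3, 5 and 6 of the preparation task; after the promotion, point it at the new domain controller.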
Dependencies
The following access levels are required:
Domain user
Domain admin

Technology Required
Active Directory Sites and Services (administrative tools)
DNS Manager
Event Viewer
Netdiag.exe
Dcdiag.exe
Ntdsutil.exe (system tool)

Quadrant: Changing
SMF: Change Management
Role Cluster: Release
Frequency: As Needed
Process: Removing Active Directory
Description
A domain controller can be removed from a domain in one of two ways: by removing Active Directory or by a system failure that renders the domain controller inoperable so that you cannot restore it to service.
Purpose
A domain controller might need to be removed when:
You no longer need the domain controller.
The domain controller's connection to the rest of the network may not be sufficient.
The domain controller has suffered a hardware failure that will not be quickly repaired.

Guidelines
Similarly to how you can install Active Directory to turn a Windows 2003-based server into a domain controller, you can remove Active Directory to turn a Windows 2003-based domain controller back into a server. This process removes most of the references to the domain controller from the directory. You must manually remove the Server object that represents the domain controller from the computer container after you remove Active Directory. This method properly removes the domain controller from the directory.
A hardware failure on a domain controller can render it inoperable. If the problem is severe enough, you might never be able to return the domain controller to service. In this case, the other domain controllers eventually reconfigure themselves so that they can continue to replicate directory information without the failed domain controller.
When a domain controller is removed from the domain without removing Active Directory, all the information about that domain controller remains in the directory. You must take additional steps to remove this information from the directory.
Task: Decommission the domain controller
Demoting a domain controller effectively removes all Active Directory and related components and returns the domain controller to a member server role.
Procedure 1: View the current operations master role holders
To avoid problems, transfer any operations master roles prior to running the Active Directory Installation Wizard to decommission a domain controller so that you can control the operations master role placement. If you need to transfer any roles from a domain controller, understand all the recommendations for role placement before performing the transfer.

Caution During the decommissioning process, the Active Directory Installation Wizard will attempt to
transfer any remaining operations master roles to other domain controllers without any user
interaction. However, if a failure occurs, the wizard will continue to demote and leave your domain
without roles. Also, you do not have control over which domain controller receives the roles. The
wizard transfers the roles to any available domain controller and does not indicate which domain
controller hosts them.

Link to procedure.
Procedure 2: Transfer the forest-level operations master roles
This is required only if this domain controller hosts either the schema master or domain naming master roles.
Link to procedure.
Procedure 3: Transfer the domain-level operations master roles
This is required only if this domain controller hosts the PDC emulator, infrastructure master, or RID master.
Link to procedure.
Procedure 4: Determine whether a domain controller is a global catalog server
If you remove Active Directory from a domain controller that hosts a global catalog, the Active Directory Installation Wizard confirms that you want to continue with removing Active Directory. This confirmation ensures that you are aware that you are removing a global catalog from your environment. Do not remove the last global catalog server from your environment because users cannot log on without an available global catalog server. If you are not sure, do not proceed with removing Active Directory until you know that at least one other global catalog server is available.
Link to procedure.
Procedure 5: Verify DNS registration and functionality
Link to procedure.
Procedure 6: Verify communication with other domain controllers
During the removal of Active Directory, contact with other domain controllers is required to ensure:
Any unreplicated changes are replicated to another domain controller.
Removal of the domain controller from the directory.
Transfer of any remaining operations master roles.

If the domain controller cannot contact the other domain controllers during Active Directory removal, the decommissioning operation fails. As with the installation process, test the communication infrastructure prior to running the installation wizard. When you remove Active Directory, use the same connectivity tests that you used during the installation of Active Directory.
Link to procedure.
Procedure 7: Verify the availability of the operations masters
Link to procedure.

Note If any of the verification tests fail, do not continue until you determine and fix the problems. If
these tests fail, the removal is also likely to fail.

Procedure 8: Remove Active Directory
Link to procedure.
Procedure 9: Determine whether a Server object has Child objects
Link to procedure.
Procedure 10: Delete a Server object from a site

Note The administrator may not want to remove the Server object if it hosts something in addition to
Active Directory, Microsoft Exchange, for example.

Link to procedure.
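Procedures 1 through 4 above come down to two questions about the domain controller being decommissioned: which operations master roles does it still hold, and is it a global catalog with no other global catalog left to take over. The following PowerShell function is an added example, not code from the guide. It reads the five fSMORoleOwner attributes (each holds the distinguished name of the role holder's NTDS Settings object) and finds global catalogs by the bit set on the options attribute of NTDS Settings objects, using the LDAP bitwise-AND matching rule. DC03 is a placeholder server name.

```powershell
# Added example, not code from the guide. DC03 is a placeholder.
$DCToDemote = 'DC03'

function Get-DecommissionReadiness {
    param([string]$ServerName)
    $root   = [ADSI]'LDAP://RootDSE'
    $config = [string]$root.configurationNamingContext
    $domain = [string]$root.defaultNamingContext
    $schema = [string]$root.schemaNamingContext

    # Each operations master role is recorded in fSMORoleOwner on one well-known object;
    # the value is the DN of the holder's NTDS Settings object (CN=NTDS Settings,CN=<server>,...).
    $roleObjects = @{
        'Schema master'         = $schema
        'Domain naming master'  = "CN=Partitions,$config"
        'PDC emulator'          = $domain
        'RID master'            = 'CN=RID Manager$,CN=System,' + $domain
        'Infrastructure master' = "CN=Infrastructure,$domain"
    }
    $rolesHeld = @()
    foreach ($role in $roleObjects.Keys) {
        $owner = [string]([ADSI]"LDAP://$($roleObjects[$role])").fSMORoleOwner
        if ($owner -match '^CN=NTDS Settings,CN=([^,]+),' -and $Matches[1] -eq $ServerName) {
            $rolesHeld += $role
        }
    }

    # Global catalogs: NTDS Settings objects whose options attribute has bit 1 set (LDAP bitwise AND rule).
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://CN=Sites,$config"
    $s.Filter   = '(&(objectClass=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))'
    $s.PageSize = 500
    $gcServers = @()
    foreach ($r in $s.FindAll()) {
        if ($r.Path -match '^LDAP://CN=NTDS Settings,CN=([^,]+),') { $gcServers += $Matches[1] }
    }
    $isGC    = $gcServers -contains $ServerName
    $otherGC = @($gcServers | Where-Object { $_ -ne $ServerName })

    New-Object PSObject -Property @{
        Server              = $ServerName
        RolesToTransfer     = $rolesHeld          # transfer these (Procedures 2 and 3) before demoting
        IsGlobalCatalog     = $isGC
        OtherGlobalCatalogs = $otherGC
        # Ready only when no role remains here and, if this is a GC, at least one other GC exists.
        ReadyToDemote       = ($rolesHeld.Count -eq 0) -and ((-not $isGC) -or ($otherGC.Count -gt 0))
    }
}

Get-DecommissionReadiness -ServerName $DCToDemote | Format-List
```

Run it from any domain-joined machine with the administrative tools installed; RolesToTransfer lists what to move with the transfer procedures before the Active Directory Installation Wizard is started, so the wizard's own unattended transfer (see the caution above) is never relied on.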
Task: Forced removal of a domain controller
Forced removal of a domain controller is only intended to be used as a last resort for recovering a domain controller without requiring reinstallation of the operating system. It is not intended to replace the normal removal procedure in any way and is virtually equivalent to permanently disconnecting the domain controller.
There is a considerable amount of metadata about a domain controller stored within Active Directory. During a normal demotion, this metadata is cleaned up. A forced removal assumes there is no connectivity to the domain and does not attempt any cleanup.
Forced removal of a domain controller should always be followed by cleaning up the associated metadata, thereby effectively removing all references to the domain controller from the domain and forest.
Forced demotion should not be done on the last domain controller in a domain.
Procedure 1: Identify replication partners
Link to procedure.
Procedure 2: Force domain controller removal
Link to procedure.
Procedure 3: Clean up metadata
Link to procedure.
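After a forced removal and the metadata cleanup in Procedure 3, the references the task describes should be gone from the domain and forest. The following PowerShell function is an added example, not code from the guide: it searches the directory for the Server object, its NTDS Settings object, the computer account and the SYSVOL FRS member object of a removed domain controller, and checks DNS for its host record and its entry in the domain's LDAP SRV records. An empty result means no reference survived. DC04 and corp.example.com are placeholders.

```powershell
# Added example, not code from the guide. DC04 and corp.example.com are placeholders.
$RemovedDC = 'DC04'
$Domain    = 'corp.example.com'

function Find-DomainControllerResidue {
    # Lists every reference to a forcibly removed DC still present in the directory or in DNS.
    param([string]$Name, [string]$DnsDomain)
    $root     = [ADSI]'LDAP://RootDSE'
    $config   = [string]$root.configurationNamingContext
    $domainNC = [string]$root.defaultNamingContext
    $findings = @()

    # PathMatch is used where the object is identified by its place in the tree rather than by cn.
    $queries = @(
        @{ What = 'Server object in a site';   Base = "CN=Sites,$config"; Filter = "(&(objectClass=server)(cn=$Name))";                PathMatch = '' },
        @{ What = 'NTDS Settings object';       Base = "CN=Sites,$config"; Filter = '(objectClass=nTDSDSA)';                            PathMatch = "CN=NTDS Settings,CN=$Name," },
        @{ What = 'Computer account';           Base = $domainNC;          Filter = "(&(objectClass=computer)(sAMAccountName=$Name`$))"; PathMatch = '' },
        @{ What = 'FRS member object (SYSVOL)'; Base = $domainNC;          Filter = "(&(objectClass=nTFRSMember)(cn=$Name))";           PathMatch = '' }
    )
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.PageSize = 500
    foreach ($q in $queries) {
        $s.SearchRoot = [ADSI]"LDAP://$($q.Base)"
        $s.Filter     = $q.Filter
        foreach ($r in $s.FindAll()) {
            if ($q.PathMatch -eq '' -or $r.Path -match [regex]::Escape($q.PathMatch)) {
                $findings += "$($q.What): $($r.Path)"
            }
        }
    }

    # DNS: the host record and the domain's LDAP SRV record set.
    try {
        $a = [System.Net.Dns]::GetHostAddresses("$Name.$DnsDomain")
        $findings += "DNS A record: $Name.$DnsDomain -> $($a -join ', ')"
    } catch { }   # no host record is the desired state
    $srv = (cmd.exe /c "nslookup -type=SRV _ldap._tcp.dc._msdcs.$DnsDomain 2>&1" | Out-String)
    if ($srv -match [regex]::Escape("$Name.$DnsDomain")) {
        $findings += "DNS SRV record: _ldap._tcp.dc._msdcs.$DnsDomain still lists $Name"
    }
    return $findings
}

$residue = @(Find-DomainControllerResidue -Name $RemovedDC -DnsDomain $Domain)
if ($residue.Count -eq 0) { 'No remaining references found.' } else { $residue }
```

Each line of output names a leftover that still needs the corresponding cleanup step; run it again after the Server object deletion in Procedure 10 of the previous task and after DNS scavenging or manual record removal.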

Dependencies
None
Technology Required
None

Quadrant: Operating
SMF: System Administration
Role Cluster: Operations
Frequency: As Needed
Process: Rename a domain controller
Description
The ability to rename domain controllers running Windows Server 2003 (unlike Windows 2000 Server) provides you with the flexibility to:
Restructure your network for organizational and business needs.
Make management and administrative control easier.

Although one can rename a domain controller through the System Properties GUI (as with any other computer), Active Directory and DNS replication latency may temporarily prevent clients from locating and/or authenticating to the renamed domain controller. To eliminate this, it is recommended that the Netdom command-line tool be used to rename a domain controller.
Purpose
Renaming a domain controller is a common operation in many organizations and usually occurs when:
New hardware is purchased to replace an existing domain controller.
Domain controllers are decommissioned, or promoted, and renamed to maintain a naming convention.
Domain controllers are moved or placed in a different site.

Guidelines
It is important to note that domain controller names have a primary impact on administration, rather than client access. Renaming a domain controller is an optional exercise, and the impacts should be well understood prior to renaming.
You can rename a domain controller by using the GUI or the Netdom tool. The domain functional level must be set to Windows Server 2003 for you to be able to use the Netdom tool. In all other cases, you should use the GUI.
Task: Rename using the System Properties user interface
Procedure 1: Use System Properties interface to change name
Link to procedure.
Procedure 2: Update the FRS Member object
Link to procedure.
Task: Rename using the Netdom command-line tool
The netdom command updates the service principal name (SPN) attributes in Active Directory for the computer account and registers DNS resource records for the new computer name. The SPN value of the computer account must be replicated to all domain controllers in the domain, and the DNS resource records for the new computer name must be distributed to all the authoritative DNS servers for the domain name. If the updates and registrations have not occurred prior to removing the old computer name, then some clients may be unable to locate this computer using the new or old name.
Procedure 1: Add the new domain controller name
Link to procedure.
Procedure 2: Designate the new name as the primary computer name
Prior to performing this operation, you must ensure that the SPN value has been registered in Active Directory and the DNS records for the new computer name have been registered in DNS.
Link to procedure.
Procedure 3: Remove the old domain controller name
Prior to performing this operation, you must ensure that the updated dnsHostName attribute for the new computer name in the computer account has been registered in Active Directory and that the SRV DNS records have been registered in authoritative DNS servers.
Link to procedure.
Procedure 4: Update the FRS Member object
Link to procedure.
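The three Netdom steps above are safe only when the replication and DNS preconditions stated before Procedures 2 and 3 have been met, and the tool itself does not wait for them. The following PowerShell script is an added example, not code from the guide: it runs netdom computername /add, /makeprimary and /remove in order, and between the steps polls every domain controller in the domain for the new name on the computer account (msDS-AdditionalDnsHostName and the HOST SPN, then dNSHostName) and checks DNS for the new name's host record and its SRV registration. Because /makeprimary requires a reboot, the script is run twice, with $Phase set to 1 before the reboot and 2 after it. The host names and domain are placeholders.

```powershell
# Added example, not code from the guide. Names are placeholders. Run on the domain controller being
# renamed, as a domain admin, with the domain at the Windows Server 2003 functional level.
$OldFqdn  = 'dc01.corp.example.com'
$NewFqdn  = 'dc05.corp.example.com'
$Domain   = 'corp.example.com'
$Phase    = 1     # set to 2 when re-running after the reboot that follows /makeprimary
$OldShort = ($OldFqdn -split '\.')[0]
$NewShort = ($NewFqdn -split '\.')[0]

function Get-DomainControllerNames {
    # DNS names of every DC in this domain, from the server objects in the configuration partition.
    $root = [ADSI]'LDAP://RootDSE'
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://CN=Sites,$([string]$root.configurationNamingContext)"
    $s.Filter = "(&(objectClass=server)(dNSHostName=*.$Domain))"
    $s.PropertiesToLoad.Add('dNSHostName') | Out-Null
    foreach ($r in $s.FindAll()) { [string]$r.Properties['dnshostname'][0] }
}

function Test-ReplicatedToAllDCs {
    # True only when every DC returns $Expected among the values of $Attribute on this computer account.
    param([string]$Attribute, [string]$Expected)
    foreach ($dc in Get-DomainControllerNames) {
        $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$dc")
        $s.Filter = "(&(objectClass=computer)(|(sAMAccountName=$OldShort`$)(sAMAccountName=$NewShort`$)))"
        $s.PropertiesToLoad.Add($Attribute) | Out-Null
        $r = $s.FindOne()
        if ($r -eq $null) { return $false }
        $values = @($r.Properties[$Attribute.ToLower()] | ForEach-Object { [string]$_ })
        if ($values -notcontains $Expected) { return $false }
    }
    return $true
}

function Test-DnsRegistered {
    # Host record for the name and, when -RequireSrv is given, its presence in the domain's LDAP SRV records.
    param([string]$HostFqdn, [switch]$RequireSrv)
    try { $null = [System.Net.Dns]::GetHostAddresses($HostFqdn) } catch {
        return $false
    }
    if (-not $RequireSrv) { return $true }
    $txt = (cmd.exe /c "nslookup -type=SRV _ldap._tcp.dc._msdcs.$Domain 2>&1" | Out-String)
    return ($txt -match [regex]::Escape($HostFqdn))
}

function Wait-Until {
    # Polls $Condition once a minute and refuses to go on if propagation has not completed in time.
    param([scriptblock]$Condition, [int]$TimeoutMinutes = 120)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while (-not (& $Condition)) {
        if ((Get-Date) -gt $deadline) { throw 'Timed out waiting for AD/DNS propagation; do not run the next netdom step.' }
        Start-Sleep -Seconds 60
    }
}

if ($Phase -eq 1) {
    # Procedure 1: add the new name as an alternate name (writes msDS-AdditionalDnsHostName and the HOST SPN).
    netdom computername $OldFqdn /add:$NewFqdn
    # Procedure 2 precondition: SPN replicated to all DCs and the new name's DNS records present.
    Wait-Until { (Test-ReplicatedToAllDCs 'msDS-AdditionalDnsHostName' $NewFqdn) -and
                 (Test-ReplicatedToAllDCs 'servicePrincipalName' "HOST/$NewFqdn") -and
                 (Test-DnsRegistered $NewFqdn) }
    netdom computername $OldFqdn /makeprimary:$NewFqdn
    shutdown /r /t 0 /c "Domain controller rename: activating $NewFqdn"   # the reboot is required here
} else {
    # Procedure 3 precondition: dnsHostName replicated everywhere and SRV records registered under the new name.
    Wait-Until { (Test-ReplicatedToAllDCs 'dNSHostName' $NewFqdn) -and (Test-DnsRegistered $NewFqdn -RequireSrv) }
    netdom computername $NewFqdn /remove:$OldFqdn
    netdom computername $NewFqdn /verify     # confirms the DNS records and SPNs for the remaining name
}
```

Procedure 4, updating the FRS Member object, is still performed afterwards as the guide describes; the script covers only the Netdom steps and their preconditions.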
Dependencies
Domain admin or Enterprise admin
Windows Server 2003 functional level

Technology Required
Netdom command-line tool
System Properties tool

Quadrant: Optimizing
SMF: Availability Management
Role Cluster: Infrastructure
Frequency: As Needed
Process: Manage the Active Directory database
Description
Active Directory is stored in the Ntds.dit database file. In addition to this file, the directory uses log files, which store transactions prior to committing them to the database file. For best performance, store the log files and the database on separate hard drives.
The Active Directory database is a self-maintained system and requires no daily maintenance, other than regular backup, during ordinary operation. However, it may need to be managed if the following conditions occur:
Low disk space
Pending or current hardware failure
A need to recover physical space following bulk deletion or removal of the global catalog

Monitor free disk space on the partition or partitions that store the directory database and logs. The following are the recommended parameters for free space:
Ntds.dit partition: The greater of 20 percent of the Ntds.dit file size or 500 megabytes (MB).
Log file partition: The greater of 20 percent of the combined log files size or 500 MB.
Ntds.dit and logs on the same volume: The greater of 1 gigabyte (GB) or 20 percent of the combined Ntds.dit and log files sizes.

Purpose
During ordinary operation, the customer will delete objects from Active Directory. When an object is deleted, it results in white space (or unused space) being created in the database. On a regular basis, the database will consolidate this white space through a process called defragmentation, and this white space will be reused when new objects are added (without adding any size to the file itself). This automatic online defragmentation redistributes and retains white space for use by the database, but does not release it to the file system. Therefore, the database size does not shrink, even though objects might be deleted. In cases where the data is decreased significantly, such as when the global catalog is removed from a domain controller, white space is not automatically returned to the file system. Although this condition does not affect database operation, it does result in large amounts of white space in the database. You can use offline defragmentation to decrease the size of the database file by returning white space from the database file to the file system.
Managing the Active Directory database also allows you to upgrade or replace the disk on which the database or log files are stored or to move the files to a different location, either permanently or temporarily.
Guidelines
Prior to performing any procedures that affect the directory database, be sure that you have a current system state backup. For information about performing system state backup, see Back up Active Directory earlier in this guide.
To manage the database file itself, you must take the domain controller offline by restarting in Directory Services Restore Mode, and then use Ntdsutil.exe to manage the file.

Note NTFS disk compression is not supported for the database and log files.

Task: Relocate Active Directory database files
The following conditions require moving database files:
Hardware maintenance: If the physical disk on which the database or log files are stored requires upgrading or maintenance, the database files must be moved, either temporarily or permanently.
Low disk space: When free disk space is low on the logical drive that stores the database file (Ntds.dit), the log files, or both, first verify that no other files are causing the problem. If the database file or log files are the cause of the growth, then provide more disk space by taking one of the following actions:
Expand the partition on the disk that currently stores the database file, the log files, or both. This procedure does not change the path to the files and does not require updating the registry.
Use Ntdsutil.exe to move the database file, the log files, or both to a larger existing partition. If you are not using Ntdsutil.exe when moving files to a different partition, you will need to manually update the registry.

Guidelines
If the path to the database file or log files will change as a result of moving the files, be sure that you:
Use Ntdsutil.exe to move the files (rather than copying them) so that the registry is updated with the new path. Even if you are moving the files only temporarily, use Ntdsutil.exe to move files locally so that the registry remains current.
Perform a system state backup as soon as the move is complete so that the restore procedure uses the correct path.
Verify that the correct permissions are applied on the destination folder following the move. Revise permissions to those that are required to protect the database files, if needed.

If you replace or reconfigure a drive that stores the SYSVOL folder, you must first move the SYSVOL folder manually. For information about moving SYSVOL manually, see Managing the SYSVOL later in this guide.
Use the following procedures to move or copy the database file, the log files, or both. Procedures are explained in detail in the linked topics.

Note The domain controller will not be available during the time in which files are moved and the
move is verified. Ensure that alternate domain controllers are available to handle the capacity.

Procedure 1: Determine the location and size of the directory database files
Use the database size to prepare a destination location of the appropriate size. Track the respective file sizes during the move to ensure that you successfully move the correct files.
Link to procedure.
Procedure 2: Compare the size of the directory database files to the volume size
Before moving any files in response to low disk space, verify that no other files on the volume are responsible for the condition of low disk space.
Link to procedure.
Procedure 3: Back up system state
System state includes the database file and log files as well as SYSVOL and Net Logon shared folders, among other things. Always ensure that you have a current backup prior to moving database files.
Link to procedure.
Procedure 4: Restart the domain controller in Directory Services Restore Mode
If you are logged on to the domain controller console, locally restart the domain controller in Directory Services Restore Mode.
Link to procedure.
Procedure 5: Move the database file, the log files, or both
Link to procedure.
Procedure 6: Back up system state
Link to procedure.
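Procedures 1 and 2 above, together with the free-space thresholds given in the Description of this process, can be turned into a single check. The following PowerShell script is an added example, not code from the guide: it reads the database and log locations from the NTDS Parameters registry key (the standard DSA Database file and Database log files path values), measures the files, applies the guide's three free-space rules (the greater of 20 percent or 500 MB per separate volume; the greater of 20 percent of both or 1 GB when they share one), and, if a rule fails, lists the largest files on the volume so that other growth is ruled out before anything is moved. The Ntdsutil command shown in the comment at the end, which performs Procedure 5 in Directory Services Restore Mode, uses placeholder destination paths.

```powershell
# Added example, not code from the guide. Registry value names are the standard NTDS parameters;
# the free-space rules are those stated in the Description of this process.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function New-FreeSpaceRule {
    # One rule: the volume, the free space the guide requires on it, and whether it is met now.
    param([string]$Volume, [double]$RequiredBytes)
    $free = (New-Object System.IO.DriveInfo($Volume)).AvailableFreeSpace
    New-Object PSObject -Property @{
        Volume     = $Volume
        RequiredMB = [math]::Round($RequiredBytes / 1MB)
        FreeMB     = [math]::Round($free / 1MB)
        Ok         = ($free -ge $RequiredBytes)
    }
}

function Get-DirectoryDatabaseReport {
    # Procedure 1: location and size of Ntds.dit and the transaction logs, read from the registry.
    $p      = Get-ItemProperty -Path $NtdsParams
    $dbFile = [string]$p.'DSA Database file'
    $logDir = [string]$p.'Database log files path'
    $dbBytes  = [double](Get-Item -Path $dbFile).Length
    $logBytes = [double]0
    foreach ($f in @(Get-ChildItem -Path $logDir -Filter '*.log')) { $logBytes += $f.Length }

    $dbVol  = [System.IO.Path]::GetPathRoot($dbFile)
    $logVol = [System.IO.Path]::GetPathRoot($logDir)
    if ($dbVol -eq $logVol) {
        $rules = @(New-FreeSpaceRule $dbVol ([math]::Max(1GB, 0.2 * ($dbBytes + $logBytes))))
    } else {
        $rules = @(
            (New-FreeSpaceRule $dbVol  ([math]::Max(500MB, 0.2 * $dbBytes))),
            (New-FreeSpaceRule $logVol ([math]::Max(500MB, 0.2 * $logBytes)))
        )
    }
    New-Object PSObject -Property @{
        DatabaseFile = $dbFile; DatabaseMB = [math]::Round($dbBytes / 1MB)
        LogPath      = $logDir; LogMB      = [math]::Round($logBytes / 1MB)
        SameVolume   = ($dbVol -eq $logVol); FreeSpaceRules = $rules
    }
}

function Get-LargestFiles {
    # Procedure 2: before moving anything, see whether other files are what filled the volume.
    param([string]$Volume, [int]$Count = 10)
    Get-ChildItem -Path $Volume -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Sort-Object -Property Length -Descending |
        Select-Object -First $Count -Property FullName, @{ n = 'MB'; e = { [math]::Round($_.Length / 1MB) } }
}

$report = Get-DirectoryDatabaseReport
$report | Format-List DatabaseFile, DatabaseMB, LogPath, LogMB, SameVolume
$report.FreeSpaceRules | Format-Table Volume, RequiredMB, FreeMB, Ok -AutoSize
foreach ($rule in ($report.FreeSpaceRules | Where-Object { -not $_.Ok })) {
    Write-Warning "Volume $($rule.Volume) is below the guide's free-space threshold; largest files:"
    Get-LargestFiles -Volume $rule.Volume | Format-Table -AutoSize
    # Procedure 5 is then run in Directory Services Restore Mode with Ntdsutil so the registry is updated:
    #   ntdsutil files "move DB to D:\NTDS" "move logs to E:\NTDSLogs" quit quit     (placeholder paths)
}
```

Run the report again after the move and after the system state backup in Procedure 6; the DatabaseFile and LogPath it prints come from the registry, so they confirm that Ntdsutil updated the paths.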
Task: Returning unused disk space from the Active Directory database to the file system
During ordinary operation, the white space in the Active Directory database file becomes fragmented. Each time garbage collection runs (every 12 hours by default), white space is automatically defragmented online to optimize its use within the database file. The unused disk space is thereby maintained for the database; it is not returned to the file system.
Only offline defragmentation can return unused disk space from the directory database to the file system. When database contents have decreased considerably through a bulk deletion (for example, you remove the global catalog from a domain controller), or if the size of the database backup is significantly increased due to the white space, use offline defragmentation to reduce the size of the Ntds.dit file.
You can determine how much free disk space is recoverable from the Ntds.dit file by setting the garbage collection logging level in the registry. Changing the garbage collection logging level from the default value of 0 to a value of 1 results in event ID 1646 being logged in the directory service log. This event describes the total amount of disk space used by the database file as well as the amount of free disk space that is recoverable from the Ntds.dit file through offline defragmentation.
At garbage collection logging level 0, only critical events and error events are logged in the directory service log. At level 1, high-level events are logged as well. Events can include one message for each major task that is performed by the service. At level 1, the following events are logged for garbage collection:
Event IDs 700 and 701: report when online defragmentation begins and ends, respectively.
Event ID 1646: reports the amount of free space available in the database out of the amount of allocated space.

Caution Setting the value of entries in the Diagnostics subkey to greater than 3 can degrade server
performance and is not recommended.

Following offline defragmentation, perform a database integrity check. The integrity command in Ntdsutil.exe detects binary-level database corruption by reading every byte in the database file. The process ensures that the correct headers exist in the database itself and that all of the tables are functioning and consistent. Therefore, depending upon the size of your Ntds.dit file and the domain controller hardware, the process might take considerable time. In testing environments, the speed of 2 GB per hour is considered to be typical. When you run the command, an online graph displays the percentage completed.
Use the following procedures to perform offline defragmentation. Procedures are explained in detail in the linked topics.
Procedure 1: Change the garbage collection logging level to 1
Check the directory service event log for event ID 1646, which reports the amount of disk space that you can recover by performing offline defragmentation.
Link to procedure.
Procedure 2: Back up system state
System state includes the database file and database log files as well as SYSVOL, Net Logon, and the registry, among other things. Always ensure that a current backup exists prior to defragmenting database files.
Link to procedure.
Procedure 3: Take the domain controller offline
Use one of the following procedures:
If you are logged on to the domain controller locally, restart the domain controller in Directory Services Restore Mode.
If you are using Terminal Services for remote administration, you can remotely restart the domain controller in Directory Services Restore Mode after modifying the Boot.ini file on the remote server.

Link to procedure.
Procedure 4: Compact the directory database file (offline defragmentation)
As part of the offline defragmentation procedure, check directory database integrity.
Link to procedure.
Procedure 5: If database integrity check fails, perform semantic database analysis with fixup
Link to procedure.
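The task above has an online half (raise the garbage collection logging level and read event 1646 to see what compaction would gain) and an offline half (compact, swap in the smaller file, check integrity, and fall back to semantic analysis with fixup). The following PowerShell script is an added example, not code from the guide. It writes the 6 Garbage Collection value under the NTDS Diagnostics key, reads the newest event 1646 from the Directory Service log, and, only when the server is in Directory Services Restore Mode (Windows sets the SAFEBOOT_OPTION environment variable to DSREPAIR there), runs Ntdsutil for Procedures 4 and 5, judging success from the text Ntdsutil prints. D:\NtdsCompact is a placeholder work directory; a current system state backup (Procedure 2) is assumed to exist.

```powershell
# Added example, not code from the guide. Registry locations are the standard NTDS entries;
# D:\NtdsCompact is a placeholder on a volume with room for a second copy of Ntds.dit.
$DiagKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$GcValue    = '6 Garbage Collection'
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Set-GarbageCollectionLogging {
    # Procedure 1. Level 1 adds events 700/701 and 1646; the guide cautions that values above 3
    # degrade performance, so only 0 and 1 are accepted here.
    param([int]$Level)
    if ($Level -ne 0 -and $Level -ne 1) { throw "Logging level must be 0 or 1, not $Level" }
    Set-ItemProperty -Path $DiagKey -Name $GcValue -Value $Level -Type DWord
    return (Get-ItemProperty -Path $DiagKey).$GcValue
}

function Get-RecoverableSpaceEvent {
    # Event 1646 is written at the next garbage collection (every 12 hours by default) and states
    # the database size and the space offline defragmentation would return to the file system.
    $ev = Get-EventLog -LogName 'Directory Service' -Newest 1000 |
          Where-Object { $_.EventID -eq 1646 } | Select-Object -First 1
    if ($ev -eq $null) { return $null }
    New-Object PSObject -Property @{ Logged = $ev.TimeGenerated; Message = $ev.Message }
}

function Invoke-Ntdsutil {
    # Runs one Ntdsutil command sequence; success is judged from the text it prints.
    param([string[]]$Commands)
    $text = (& ntdsutil.exe $Commands 2>&1 | Out-String)
    Write-Host $text
    return ($text -match 'completed successfully|Integrity check successful') -and ($text -notmatch 'terminated with error')
}

function Invoke-OfflineDefragmentation {
    # Procedures 4 and 5. Valid only in Directory Services Restore Mode (Procedure 3).
    param([string]$CompactDir = 'D:\NtdsCompact')
    if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') { throw 'Restart in Directory Services Restore Mode first.' }
    $p      = Get-ItemProperty -Path $NtdsParams
    $dbFile = [string]$p.'DSA Database file'
    $logDir = [string]$p.'Database log files path'
    $null   = New-Item -ItemType Directory -Path $CompactDir -Force

    # Compaction writes a new, smaller copy; the original is untouched until that succeeds.
    if (-not (Invoke-Ntdsutil @('files', "compact to $CompactDir", 'quit', 'quit'))) {
        throw 'Compaction failed; the original database was left in place.'
    }
    Copy-Item -Path $dbFile -Destination "$dbFile.bak" -Force
    Copy-Item -Path (Join-Path $CompactDir 'ntds.dit') -Destination $dbFile -Force
    Remove-Item -Path (Join-Path $logDir '*.log') -Force   # the old logs belong to the old file

    # Integrity reads every byte (about 2 GB per hour per the guide); on failure, Procedure 5.
    if (-not (Invoke-Ntdsutil @('files', 'integrity', 'quit', 'quit'))) {
        Invoke-Ntdsutil @('semantic database analysis', 'go fixup', 'quit', 'quit') | Out-Null
    }
    return [math]::Round((Get-Item -Path $dbFile).Length / 1MB)   # new size in MB
}

# Online: enable level 1 and, once a garbage collection has run, read what compaction would recover.
Set-GarbageCollectionLogging -Level 1
Get-RecoverableSpaceEvent | Format-List
# Offline, after Procedures 2 and 3: Invoke-OfflineDefragmentation
```

Once the decision has been made and the event read, set the logging level back to 0 with the same function so that the directory service log does not stay at the more verbose level longer than needed.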

Quadrant: Operating
SMF: System Administration
Role Cluster: Infrastructure
Frequency:
Process: Managing the SYSVOL
Description
The Windows Server 2003 System Volume (SYSVOL) is a collection of folders and reparse points in the file systems that exist on each domain controller in a domain. SYSVOL provides a standard location to store important elements of Group Policy objects (GPOs) and scripts so that the File Replication service (FRS) can distribute them to other domain controllers within that domain.

Note Only the Group Policy template (GPT) is replicated by SYSVOL. The Group Policy container (GPC)
is replicated through Active Directory replication. To be effective, both parts must be available on a
domain controller.

FRS monitors SYSVOL and, if a change occurs to any file stored on SYSVOL, then FRS automatically replicates the changed file to the SYSVOL folders on the other domain controllers in the domain.
The day-to-day operation of SYSVOL is an automated process that does not require any human intervention other than watching for alerts from the monitoring system. Occasionally, you might perform some system maintenance as you change your network.
Purpose
This process describes the basic tasks required for managing SYSVOL in order to maintain capacity and performance of SYSVOL, for hardware maintenance, or for data organization.
Guidelines
To manage SYSVOL, ensure that FRS properly replicates the SYSVOL data and that enough space is provided to store SYSVOL. Implement a monitoring system to detect low disk space and potential FRS disruptions so that you can address those issues before the system stops replicating. A useful tool for this is the Ultrasound utility, which can be downloaded from www.microsoft.com, by searching for Ultrasound.
Some key considerations for managing SYSVOL are:
Capacity.
Depending upon the configuration of your domain, SYSVOL can require a significant amount of disk space to function properly. During the initial deployment, SYSVOL might be allocated adequate disk space to function. However, as your Active Directory grows in size and complexity, the required capacity can exceed the available disk space.
If you receive indications that disk space is low, determine if the cause is due to inadequate physical space on the disk or a registry setting that limits the size of the staging area. By modifying a setting in the registry, you can allocate more staging area space, rather than relocating SYSVOL or the staging area. Increasing the space allocation in the registry is much faster and easier than relocation.
Performance.
Any changes made to SYSVOL are automatically replicated to the other domain controllers in the domain. If the files stored in SYSVOL change frequently, the replication increases the input and output for the volume where SYSVOL is located. For example, editing a GPO can potentially force a GPO-level replication. If the volume is also host to other system files, such as the directory database or the pagefile, then the increased input and output for the volume can impact the performance of the server.
Hardware maintenance.
System maintenance, such as removal of a disk drive, can require you to relocate SYSVOL. Even if the maintenance occurs on a different disk drive, verify that the maintenance does not affect the system volume. Logical drive letters could change after you add and remove disks. FRS locates SYSVOL by using pointers stored in the directory and the registry. If drive letters change after you add or remove disk drives, be aware that these pointers are not automatically updated.
Backing up Group Policy objects (GPOs).
The successful operation of Group Policy is heavily dependent on the reliable operation of SYSVOL. Key components of the GPO exist in the SYSVOL (in the policies subdirectory) and it is essential that these remain in sync with related components in Active Directory. Therefore, backing up only the SYSVOL component does not represent a full and complete backup of your GPOs. The Group Policy Management Console (GPMC) provides both UI-based and scriptable methods for backing up GPOs. It is important that you back up GPOs as part of your regular backup/disaster recovery processes. Soon after installation of a new domain, the default domain and default domain controllers' GPOs should be backed up. They should also be backed up after any subsequent changes are made.
Task: Changing the space allocated to the staging area
The staging area stores files prior to being replicated and stores files that it has just received through replication. Although FRS compresses the data and attributes of the replicated files to save space in the Staging Area folder and reduce the time that is needed to replicate the files, this method requires making and storing a copy of every file prior to replication and can require a substantial amount of disk space.
The default size of the staging area is 660 megabytes (MB). The minimum size is 10 MB and the maximum size is 2 terabytes. You can adjust the size limit of the Staging Folder by setting the value in kilobytes (KB) of the Staging Space Limit registry entry in HKEY_Local_Machine\System\CurrentControlSet\Services\NtFrs\Parameters. For more information about setting the Staging Space Limit in the registry, see KB article 329491 in the Microsoft Knowledge Base.
Procedure 1: Stop the File Replication service
Link to procedure.
Procedure 2: Change the space allocated to the Staging Area folder
Link to procedure.
Procedure 3: Start the File Replication service
Link to procedure.
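The three procedures above are one stop, one registry write and one start. The following PowerShell function is an added example, not code from the guide; it enforces the 10 MB and 2 TB bounds stated above and restarts FRS even if the write fails, so that replication is never left stopped. The full registry value name, Staging Space Limit in KB, is the one KB article 329491 documents for the Staging Space Limit entry the guide refers to. Because REG_DWORD is an unsigned 32-bit value while Set-ItemProperty takes a signed Int32, limits of 2 GB and above (the 2 TB maximum is 2^31 KB) are converted to their two's-complement equivalent before being written.

```powershell
# Added example, not code from the guide. 'Staging Space Limit in KB' is the full name of the
# registry value (KB 329491); the 10 MB and 2 TB bounds and the 660 MB default are the guide's.
$FrsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$ValueName = 'Staging Space Limit in KB'
[long]$MinKB = 10 * 1024                       # 10 MB
[long]$MaxKB = [long]2 * 1024 * 1024 * 1024    # 2 TB

function ConvertTo-DwordInt32 {
    # REG_DWORD is unsigned, but Set-ItemProperty takes an Int32: values of 2 GB or more
    # (the 2 TB maximum is 2^31 KB) must be passed as their two's-complement equivalent.
    param([long]$Value)
    [BitConverter]::ToInt32([BitConverter]::GetBytes([uint32]$Value), 0)
}
function ConvertFrom-DwordInt32 {
    param([int]$Value)
    [long][BitConverter]::ToUInt32([BitConverter]::GetBytes($Value), 0)
}

function Set-FrsStagingSpaceLimit {
    # Procedures 1 to 3: FRS reads the limit at start-up, so it is stopped, the value written, and it is restarted.
    param([int]$MegaBytes)
    [long]$newKB = [long]$MegaBytes * 1024
    if ($newKB -lt $MinKB -or $newKB -gt $MaxKB) {
        throw "Staging limit must be between 10 MB and 2 TB; $MegaBytes MB requested"
    }
    $old = (Get-ItemProperty -Path $FrsParams -ErrorAction SilentlyContinue).$ValueName
    $previousKB = if ($old -ne $null) { ConvertFrom-DwordInt32 $old } else { 660 * 1024 }   # absent = 660 MB default

    Stop-Service -Name NtFrs -Force                                   # Procedure 1
    try {
        Set-ItemProperty -Path $FrsParams -Name $ValueName -Value (ConvertTo-DwordInt32 $newKB) -Type DWord   # Procedure 2
    } finally {
        Start-Service -Name NtFrs                                     # Procedure 3, even if the write failed
    }
    New-Object PSObject -Property @{ PreviousKB = $previousKB; NewKB = $newKB; NewMB = $MegaBytes }
}

# Example: raise the staging area from the 660 MB default to 2 GB.
Set-FrsStagingSpaceLimit -MegaBytes 2048
```

The returned PreviousKB and NewKB values are what the FRS event log and the registry will show afterwards; compare them with the staging area folder's actual size on disk when the change was made in response to a low-disk-space alert.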
Task: Relocate the staging area
By default, the Active Directory Installation Wizard installs the Staging Area folder within the SYSVOL. The Active Directory Installation Wizard creates two folders, Staging and Staging Area, which FRS uses for the staging process. When you relocate the staging area, you can change the name. Ensure that you identify the proper area in case it is renamed in your environment.
Two parameters determine the location of the staging area. One parameter, fRSStagingPath, is stored in the directory and contains the path to the actual location that FRS uses to stage files. The other parameter is a junction point stored in the Staging Area folder in SYSVOL that links to the actual location that FRS uses to stage files. When relocating the staging area, you must update these two parameters to point to the new location.
Except where noted, perform these procedures on the domain controller that contains the Staging Area folder that you want to relocate. Procedures are explained in detail in the linked topics.
Procedure 1: Identify replication partners
Link to procedure.
Procedure 2: Check the status of the shared SYSVOL
You do not need to perform the test on every partner, but you need to perform enough tests to be confident that the shared system volumes on the partners are healthy.
Link to procedure.
Procedure 3: Verify replication with other domain controllers
Link to procedure.
Procedure 4: Gather the SYSVOL path information
Link to procedure.
Procedure 5: Reset the File Replication Service Staging folder to a different logical drive
Link to procedure.
Task: Relocating SYSVOL manually
If you must move the entlre system volume, not |ust the Stuglng Areu folder, then you
cun relocute the system volume munuully. %ecuuse no utllltles cun uutomute thls process,
you must curefully move ull folders und properly mulntuln the sume level of securlty ut
the new locutlon.
You cun ulso move SYSVOL wlth the Actlve Dlrectory wlzurd, but thls requlres thut you
demote the domuln controller und then re-promote lt. Thls should only be consldered ln
extreme cuses, und only when the domuln controller ls not runnlng uny other servlces or
uppllcutlons.
Except where noted, perform these steps on the domuln controller thut contulns the
system volume thut you wunt to move. Procedures ure explulned ln detull ln the llnked
toplcs.

Warning This procedure can alter security settings. After you complete the procedure, the security
settings on the new system volume are reset to the default settings that were established when you
installed Active Directory. You must reapply any changes to the security settings on the system
volume that you made since you installed Active Directory. This will cause additional replication
traffic. Note that failure to reset permissions can result in unauthorized access to Group Policy
objects and logon and logoff scripts.

Procedure 1: Identify replication partners
Link to procedure.
Procedure 2: Check the status of the shared SYSVOL
You do not need to perform the test on every partner, but you need to perform enough
tests to be confident that the shared system volumes on the partners are healthy.
Link to procedure.
Procedure 3: Verify replication with other domain controllers
Link to procedure.
Procedure 4: Gather the SYSVOL path information
Link to procedure.
Procedure 5: Stop the File Replication service
Link to procedure.
49 Managing the Windows Server Platform
Procedure 6: Create the SYSVOL folder structure
Link to procedure.
Procedure 7: Set the SYSVOL path
Link to procedure.
Procedure 8: Set the staging area path
If you have moved the Staging Area folder to a different location already, you do not
need to do this step.
Link to procedure.
Procedure 9: Prepare a domain controller for non-authoritative SYSVOL
restore
Link to procedure.
Procedure 10: Update security on the new SYSVOL
Link to procedure.
Procedure 11: Start the File Replication service
Link to procedure.
Procedure 12: Check the status of the shared SYSVOL
Link to procedure.
Task: Updating the system volume path
When you add or remove disk drives, the logical drive letters of the other drives on the
system can change. If either your SYSVOL or Staging Area folder is located on one of
the drives whose letter changes, FRS cannot locate them. You must update the paths that
FRS uses to locate these folders in order to solve this problem. To change the path for
the system volume, you need to make changes to the registry and in the directory.
Changing the staging area path requires a change in the directory. Both changes require
that you update the junction points. After updating the path information, you must restart
the File Replication service so it can reinitialize with the new values.
Use the following procedures to update the system volume and staging area paths.
Procedures are explained in detail in the linked topics.
Procedure 1: Gather the SYSVOL path information
Link to procedure.
Procedure 2: Stop the File Replication service
Link to procedure.
Procedure 3: Set the SYSVOL path
Link to procedure.
Procedure 4: Set the staging area path
Link to procedure.
Procedure 5: Start the File Replication service
Link to procedure.
Task: Restoring and rebuilding SYSVOL
If your efforts to move SYSVOL or perform certain maintenance tasks fail, you must
recreate or rebuild the SYSVOL on a single domain controller. Attempt to rebuild
SYSVOL on a single domain controller only when all other domain controllers in the
domain have a healthy and functioning SYSVOL. Do not attempt to rebuild SYSVOL
until you correct any problems that are occurring with FRS in a domain.
Use these procedures only if you are working on a domain controller that does not have a
functional SYSVOL. Procedures are explained in detail in the linked topics.
Procedure 1: Identify replication partners
Link to procedure.
Procedure 2: Check the status of the shared SYSVOL
Because you will be copying the system volume from one of the partners, you need to
make sure that the system volume you copy from the partner is up to date.
Link to procedure.
Procedure 3: Verify replication with other domain controllers
Link to procedure.
Procedure 4: Restart the domain controller in Directory Services Restore
Mode
If you are sitting at the console of the domain controller, locally restart the domain
controller in Directory Services Restore Mode. If you are accessing the domain controller
remotely using Terminal Services, remotely restart the domain controller in Directory
Services Restore Mode.
Link to procedure.
Procedure 5: Gather the SYSVOL path information
Link to procedure.
Procedure 6: Stop the File Replication service
Link to procedure.
Procedure 7: Prepare a domain controller for non-authoritative SYSVOL
restore
Link to procedure.
Procedure 8: Import the SYSVOL folder structure
Link to procedure.
Procedure 9: Start the File Replication service
Link to procedure.
Procedure 10: Check the status of the shared SYSVOL
Link to procedure.
Dependencies
Active Directory needs to be installed and running.
Technology Required
Ultrasound for monitoring

Optimizing Quadrant Availability Management
SMF
Infrastructure Role
Cluster
As Needed
Process: Manage the Windows Time service
Description
The Windows 2003 Time service (W32Time) requires little management and is installed
on all Windows Server 2003-based systems. By default, only domain controllers are
configured to provide time to clients. W32Time uses coordinated universal time (UTC)
during synchronization activities. UTC is based on an atomic time scale and is
independent of time zone.
Purpose
Managing the Windows Time service is required to:
Change the forest-root PDC emulator.
Move time authority from the forest-root PDC emulator to another computer.
Change the external time source.
Switch to another time synchronization product.
Increase or decrease the rate of synchronization to achieve the best compromise
between bandwidth use and precision for a particular implementation.

Guidelines
Manually specified time sources are not authenticated and, therefore, can enable an
attacker to manipulate the time source and then start Kerberos V5 replay attacks. Also, a
computer that does not synchronize with its domain controller can have an
unsynchronized time. This causes Kerberos V5 authentication to fail, which in turn
causes other actions requiring network authentication, such as printing or file sharing, to
fail. When only one computer in the forest root domain is getting time from an external
source, all computers within the forest remain synchronized to each other, making replay
attacks difficult.
Because of the risks of unsynchronized time, and the multitude of services that depend
on synchronized time, it is important that you appropriately manage and configure the
Windows Time service to meet your operational requirements for time synchronization.

Caution You should not advance or roll back the system time on Windows 2003-based servers
under any circumstances.

Time Configuration on the Forest-Root PDC Emulator
The Windows Time service employs a hierarchical synchronization structure that is
rooted in the PDC emulator in the forest root domain. This system ultimately represents
the authoritative time for all systems in the forest.
Always closely monitor the forest-root PDC emulator to ensure that its time is accurate
relative to its source.
Follow these best practices for configuring the time source on the forest-root PDC
emulator, in this order of preference:
Install a hardware clock, such as a radio or GPS device, as the source for the PDC.
There are many consumer and enterprise devices that use the Network Time
Protocol (NTP), allowing you to install the device on an internal network for usage
with the PDC.
Use IPSec to secure the NTP communication with the PDC and another network time
server.

Do not synchronize the forest-root PDC emulator with another Windows-based computer
in the same forest.
If neither of these options is available in your Active Directory deployment or data center,
you can synchronize with an external reliable time source. This option is the least
favorable as it synchronizes time in an unauthenticated manner, potentially making time
packets vulnerable to an attacker.

Task: Configuring a time source for the forest
After initial deployment of your network, you typically only reconfigure the time service
on the PDC emulator in two situations:
If you move the PDC emulator role to a different computer. In this case, you must
configure the time service for the new PDC emulator.
If you change the time source for the PDC emulator. For example, if you change
from synchronizing with an external source to a hardware device.

To configure the time service for the forest-root PDC emulator, you might need to remove an
external time source that you used previously or, if you transferred the PDC emulator role
to another Active Directory domain controller, you might only need to configure the time
service on the new PDC emulator. To configure time on the forest-root PDC emulator,
you can use the following procedures. Procedures are explained in detail in the linked
topics.
Procedure 1: Configure time on the forest-root PDC emulator
Link to procedure.
Procedure 2: Remove a time source configured on the forest-root PDC
emulator
Link to procedure.
Task: Configuring a reliable time source on a computer other
than the PDC emulator
By default, the PDC emulator in the forest root is the authoritative time source for that
forest. However, you might want to configure a different domain controller in your
network to be authoritative for the forest.
If you plan to move the PDC operations master role, you can configure a reliable time
source on a different computer prior to the move(s) to avoid resets or disruption of the
time service. The role of PDC emulator can move between computers, which means that
every time the role of PDC emulator moves, the new PDC emulator must be manually
configured to point to the external source, and the manual configuration must be
removed from the original PDC emulator. To avoid this process, you can set one of the
domain controllers in the parent domain as reliable and manually configure just that
computer to point to an external source. Then, no matter which computer is the PDC
emulator, the root of the time service stays the same and thus remains properly
configured.
When domain controllers look for a time source to synchronize with, they choose a
reliable source, if one is available. It is important to note that the automatic discovery
mechanism in the time service client never chooses a computer that is not a domain
controller. Clients must be manually configured to use any server that is not a domain
controller.
Although the PDC emulator in the forest root domain is the authoritative time source for
that forest, you can configure a reliable time source on a computer other than the PDC
emulator.
Procedure 1: Configure the selected computer as a reliable time source
Link to procedure.
Task: Configuring a client to request time from a specific time
source
Certain computers do not automatically synchronize their time to the time of the Active
Directory domain. It is recommended that these systems be configured to request time
from a particular source, such as a domain controller in the domain. If you do not specify
a source that is synchronized with the domain, each computer's internal hardware clock
governs its time. The following client computers do not automatically synchronize to the
domain time through the Windows Time service:
Client computers that run pre-Windows 2000 operating systems.
Client computers that run UNIX.

The following procedures allow you to specify a time source for client computers that do
not automatically synchronize through the time service. Procedures are explained in
detail in the linked topics.
Procedure 1: Set a manually configured time source on a selected
computer
Link to procedure.
Procedure 2: Remove a manually configured time source on a selected
computer
Link to procedure.
Task: Optimizing the polling interval
In some cases, the default configuration of the time service polling intervals may be
inadequate to achieve your desired operational accuracy goals. Windows Server 2003
uses a more advanced dynamic interval for polling that is governed by minimum and
maximum values. It might be desirable to change this interval in the following situations:
If computers are polling over a leased line, you can lengthen the polling interval. By
polling less often, you will decrease usage of the paid line.
If you have applications or devices that require increased time accuracy, you can
shorten the polling interval.

Procedure 1: Change polling interval
Link to procedure.
Task: Disabling the Windows Time service
If you choose to implement another time synchronization product that uses the NTP
protocol, you must disable the W32Time service because all NTP servers need access to
UDP port 123. If W32Time is running on a Windows 2003-based computer, port 123
remains occupied.
You only need to perform one procedure to disable the Windows Time service.
Procedure 1: Disable time service
Link to procedure.
Dependencies
Domain Admin credentials
Technology Required
Services snap-in tool

Optimizing Quadrant Availability Management
SMF
Infrastructure Role
Cluster
As Needed
Process: Managing trusts
Description
Trust relationships between domains establish a trusted communication path through
which a computer in one domain can communicate with a computer in the other domain.
Trust relationships allow users in the trusted domain to access resources in the trusting
domain. Trusts generally require limited management.
For example, where a one-way trust exists:
A user who is logged on to the trusted domain can be authenticated to connect to a
resource server in the trusting domain.
A user can use an account in the trusted domain to log on to the trusted domain from
a computer in the trusting domain.
A user in the trusting domain can list trusted domain security principals and add them
to groups and access control lists (ACLs) on resources in the trusting domain.

Purpose
Trusts are typically created to enable users in the trusted domain to facilitate access to
resources in the trusting domain.
Guidelines
When you create a Windows 2003 domain in an existing Windows 2003 forest, a trust
relationship is established automatically between the newly created domain and its
parent. These trust relationships are two-way and transitive, and they should not be
removed.
A trust does not always allow users in the trusted domain to have access to resources in
the trusting domain. Access has to be granted by adding users to the appropriate
permissions. In some cases, users in trusted domains might have implicit access if the
resources are ACLed for Authenticated Users.
The following types of trusts must be created manually:
External trusts
Trusts between a Microsoft Windows 2000 domain and a Windows NT 4.0 domain
Any trust between domains in different forests, whether both domains are Windows
2000 or one is Windows 2000 and the other Windows NT 4.0
Shortcut trusts between two domains in the same forest
Trust relationships between a Windows 2003 domain and a non-Windows Kerberos
realm.
For more information about trusts between a Windows 2003 domain and a non-
Windows Kerberos realm, link to the Step-by-Step Guide to Kerberos 5 (krb5 1.0)
Interoperability document available on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources.

You might also need to manage trusts for the following reasons:
To remove a manually created trust.
To configure security identifier (SID) filtering to deny one domain the right to provide
credentials for another domain. You can enable SID filtering for external trusts, that
is, trusts between domains in different forests, or between a Windows 2000 and a
Windows NT 4.0 domain.

Task: Creating external trusts
You create an external trust when you want to establish a trust relationship between
Windows Server 2003 domains that are in different forests, or between a Windows
Server 2003 domain and a Windows 2000 or Windows NT 4.0 domain. An external trust
relationship has the following characteristics:
It is one-way. The trust must be established manually in each direction to create a
two-way external trust relationship.
It is nontransitive.

If you upgrade a Windows NT 4.0 domain to a Windows 2000 domain, the existing trust
relationships remain in the same state.
Methods for Creating the External Trust
Use the procedure Create a one-way trust (MMC method) to create a trust where
one domain trusts another to use its resources.
Use the procedure Create a one-way trust (Netdom.exe method) to use the support
tool, Netdom.exe, to create both sides of a one-way trust simultaneously. You must
provide credentials for both domains in order to use the Netdom.exe method.
Use the procedure Create a two-way trust (MMC method) first to create both
portions configured in one domain, and then to create both portions configured in the
other domain.
Use the procedure Create a two-way trust (Netdom.exe method) to use the support
tool, Netdom.exe, to create both sides of the trust simultaneously. You must provide
credentials for both domains in order to use the Netdom.exe method.

Requirements
Credentials: Domain Admins
You can create the trust after you log on to the domain interactively, or use the Run
As command to create the trust for a different domain.
Tools: Active Directory Domains and Trusts or Netdom.exe (Support Tools)

You can create an external trust by using one of the following methods. Procedures are
explained in detail in the linked topics.
Procedure 1: Create a one-way trust (MMC method)
Link to procedure.
Procedure 2: Create a one-way trust (Netdom.exe method)
Link to procedure.
Procedure 3: Create a two-way trust (MMC method)
Link to procedure.
Procedure 4: Create a two-way trust (Netdom.exe method)
Link to procedure.
Task: Creating shortcut trusts
A shortcut trust relationship is a manually created trust that shortens the trust path in
order to improve the efficiency of users who log on remotely. A trust path is a chain of
multiple trusts that enables trust between domains that are not adjacent in the domain
namespace. For example, if users in domain A need to gain access to resources in
domain C, you can create a direct link from domain A to domain C through a shortcut
trust relationship, bypassing domain B in the trust path.
A shortcut trust relationship has the following characteristics:
It can be established between any two domains in the same forest.
It must be established manually in each direction.
It is transitive.

Shortcut trusts should only be established if there are significant problems with the
normal trust relationships.
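The trust path described above, as an added example that is not part of the guide: a small model of a forest's trust graph that counts the trusts a logon must traverse between two domains, and shows that a shortcut trust shortens the path only in the direction it was created. Domain names are constructed.

```python
"""Trust-path search over a forest, showing what a shortcut trust buys.

Added example, not from the guide. Domain names are constructed.
Edges are stored as trusting -> trusted: the trusting domain accepts
authentication from the trusted domain. Parent-child trusts in a forest
are two-way and transitive, so the path from a resource domain to a
user's domain can walk up and down the tree; a shortcut trust adds a
direct edge and must be created separately for each direction.
"""
from __future__ import annotations
from collections import deque


class TrustGraph:
    def __init__(self) -> None:
        # trusting domain -> set of domains it trusts directly
        self._trusts: dict[str, set[str]] = {}

    def _add(self, trusting: str, trusted: str) -> None:
        self._trusts.setdefault(trusting, set()).add(trusted)
        self._trusts.setdefault(trusted, set())

    def add_parent_child(self, parent: str, child: str) -> None:
        """Forest-internal trust: created automatically, two-way, transitive."""
        self._add(parent, child)
        self._add(child, parent)

    def add_shortcut(self, trusting: str, trusted: str) -> None:
        """One direction of a shortcut trust; call again with the arguments
        swapped to make it two-way, as the guide requires."""
        self._add(trusting, trusted)

    def trust_path(self, resource_domain: str, user_domain: str) -> list[str] | None:
        """Shortest chain of trusts a logon from user_domain to a resource in
        resource_domain must traverse (BFS over trusting -> trusted edges)."""
        if resource_domain == user_domain:
            return [resource_domain]
        prev: dict[str, str | None] = {resource_domain: None}
        queue = deque([resource_domain])
        while queue:
            here = queue.popleft()
            for nxt in sorted(self._trusts.get(here, ())):
                if nxt in prev:
                    continue
                prev[nxt] = here
                if nxt == user_domain:
                    path = [nxt]
                    while prev[path[-1]] is not None:
                        path.append(prev[path[-1]])
                    return path[::-1]
                queue.append(nxt)
        return None  # no trust relationship reaches the user's domain

    def hops(self, resource_domain: str, user_domain: str) -> int | None:
        path = self.trust_path(resource_domain, user_domain)
        return None if path is None else len(path) - 1


def build_sample_forest() -> TrustGraph:
    """Constructed forest: corp.example with two regional child domains,
    each of which has one grandchild domain."""
    g = TrustGraph()
    g.add_parent_child("corp.example", "na.corp.example")
    g.add_parent_child("corp.example", "eu.corp.example")
    g.add_parent_child("na.corp.example", "sales.na.corp.example")
    g.add_parent_child("eu.corp.example", "dev.eu.corp.example")
    return g


def shortcut_effect() -> dict[str, int | None]:
    """Hop counts before and after a shortcut trust between the two
    grandchild domains. The reverse direction stays long until the
    second one-way shortcut trust is created."""
    g = build_sample_forest()
    res, usr = "dev.eu.corp.example", "sales.na.corp.example"
    before = g.hops(res, usr)
    g.add_shortcut(trusting=res, trusted=usr)
    after = g.hops(res, usr)
    reverse_before = g.hops(usr, res)
    g.add_shortcut(trusting=usr, trusted=res)
    reverse_after = g.hops(usr, res)
    return {"before": before, "after": after,
            "reverse_before": reverse_before, "reverse_after": reverse_after}


if __name__ == "__main__":
    print(shortcut_effect())
```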
Requirements
Credentials: Domain Admins
Tool: Active Directory Domains and Trusts

You can create a shortcut trust by using one of the following methods. Procedures are
explained in detail in the linked topics.
Procedure 1: Create a one-way trust (MMC method)
Link to procedure.
Procedure 2: Create a one-way trust (Netdom.exe method)
Link to procedure.
Procedure 3: Create a two-way trust (MMC method)
Link to procedure.
Procedure 4: Create a two-way trust (Netdom.exe method)
Link to procedure.
Task: Removing manually created trusts
You can remove manually created trusts, but you cannot remove the default two-way
transitive trusts between domains in a forest. It is particularly important to verify that you
successfully removed the trusts if you are planning to re-create them.
Requirements
Credentials: Domain Admins
Tool: Active Directory Domains and Trusts or Netdom.exe.

You can remove a manually created trust by using one of the following methods.
Procedures are explained in detail in the linked topics.
Procedure 1: Remove a manually created trust by using the Active
Directory Domains and Trusts snap-in
Link to procedure.
Procedure 2: Remove a manually created trust by using Netdom.exe.
Link to procedure.
Task: Preventing unauthorized privilege escalation
Security principals in Active Directory have an attribute called SIDHistory to which
domain administrators can add users' old SIDs. This is useful during the migration
process because users can use their old SIDs to access resources; administrators do not
need to modify ACLs on large numbers of resources. However, under some
circumstances, it is possible for domain administrators to use the SIDHistory attribute to
associate SIDs with new user accounts, thereby granting themselves unauthorized rights.
You can configure SID filtering to prevent this type of attack. You might configure SID
filtering under the following circumstances:
You have identified one or more domains in your enterprise where physical security
is lax, or where the domain administrators are less well-trusted.
You then isolate these less trustworthy domains by moving them to other forests. By
definition, all domains within a forest must be trustworthy; if a domain is deemed less
trustworthy than the others in the forest, it should not be a forest member. Once you
have moved less trustworthy domains out of the forest, establish external trusts to
these domains and apply access control to protect resources. If you are still
concerned about SID spoofing being used for privilege escalation, then apply SID
filtering.

Caution. Do not apply SID filtering to domains within a forest, as this removes SIDs required for
Active Directory replication and causes authentication to fail for users from domains that are
transitively trusted through the isolated domain.


Use the following procedures to configure SID filtering. Procedures are explained in
detail in the linked topics.
Procedure 1: Configure SID filtering
Link to procedure.
Procedure 2: Remove SID filtering
Link to procedure.
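What SID filtering on an external trust changes, as an added example that is not part of the guide: a simplified model of the rule applied by the trusting domain, run over a constructed logon whose SIDHistory names a group in the trusting domain. Domain SIDs, RIDs and the sample ACL are constructed; well-known SIDs such as Authenticated Users are not modelled.

```python
"""Model of SID filtering (quarantine) on an external trust.

Added example, not from the guide. Domain SIDs and RIDs are constructed.
The rule modelled is the one the guide describes: when a user from the
trusted domain authenticates across a quarantined external trust, the
trusting side discards every SID whose domain part is not the trusted
domain's own SID, so SIDHistory entries naming groups in the trusting
domain cannot confer rights there. Well-known SIDs (Authenticated Users,
Everyone) are added locally by the trusting side and are not modelled.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample domain identifiers (not real SIDs).
TRUSTED_DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # external, less-trusted domain
TRUSTING_DOMAIN_SID = "S-1-5-21-4444-5555-6666"  # our domain, which holds the resources

# Constructed ACL on a resource in the trusting domain: SID -> right granted.
SAMPLE_ACL = {
    f"{TRUSTING_DOMAIN_SID}-512": "FullControl",  # Domain Admins of the trusting domain
    f"{TRUSTED_DOMAIN_SID}-513": "Read",          # Domain Users of the trusted domain
}
_RANK = {"Read": 1, "Modify": 2, "FullControl": 3}


def domain_part(sid: str) -> str:
    """Domain identifier of an account or group SID (everything before the RID)."""
    return sid.rsplit("-", 1)[0]


@dataclass
class AuthorizationData:
    """SIDs a user presents at logon: account, group memberships, and SIDHistory."""
    user_sid: str
    group_sids: list[str]
    sid_history: list[str] = field(default_factory=list)

    def all_sids(self) -> list[str]:
        return [self.user_sid, *self.group_sids, *self.sid_history]


def filter_sids(data: AuthorizationData, trusted_domain_sid: str) -> tuple[list[str], list[str]]:
    """Apply quarantine filtering to SIDs arriving over the trust.

    Returns (kept, dropped): only SIDs from the trusted domain survive."""
    kept: list[str] = []
    dropped: list[str] = []
    for sid in data.all_sids():
        (kept if domain_part(sid) == trusted_domain_sid else dropped).append(sid)
    return kept, dropped


def effective_right(sids: list[str], acl: dict[str, str]) -> str | None:
    """Highest right the ACL grants to any of the SIDs, or None if no entry matches."""
    rights = [acl[s] for s in sids if s in acl]
    return max(rights, key=_RANK.__getitem__) if rights else None


def compare_filtering(data: AuthorizationData) -> dict[str, object]:
    """Right obtained with and without SID filtering, plus the SIDs filtering removed."""
    kept, dropped = filter_sids(data, TRUSTED_DOMAIN_SID)
    return {
        "without_filtering": effective_right(data.all_sids(), SAMPLE_ACL),
        "with_filtering": effective_right(kept, SAMPLE_ACL),
        "dropped": dropped,
    }


def sample_logon() -> AuthorizationData:
    """Constructed user of the trusted domain whose SIDHistory carries the
    trusting domain's Domain Admins SID, the situation the guide warns about."""
    return AuthorizationData(
        user_sid=f"{TRUSTED_DOMAIN_SID}-1105",
        group_sids=[f"{TRUSTED_DOMAIN_SID}-513"],
        sid_history=[f"{TRUSTING_DOMAIN_SID}-512"],
    )


if __name__ == "__main__":
    print(compare_filtering(sample_logon()))
```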
Task: Creating cross-forest trusts
Forest trusts help you to manage a segmented Active Directory infrastructure within your
organization by providing support for accessing resources and other objects across
multiple forests.
For more information about creating cross-forest trusts, as well as more information
about managing trusts in general, see the white paper Planning and Implementing
Federated Forests in Windows Server 2003 at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/security/fedffin2.asp.
Procedure 1: Verify connectivity between forests
Link to procedure.
Procedure 2: Configure DNS for both forests
Link to procedure.
Procedure 3: Create the forest trust on forest A
Link to procedure.
Procedure 4: Create the forest trust on forest B
Link to procedure.
Procedure 5: Verify the trust
Link to procedure.
Task: Managing selective authentication on a cross-forest trust
This task addresses how to set the scope of authentication for users, based on security
and other considerations.
Procedure 1: Turn on the Selective Authentication option in forest A to
enable only selective authentication from forest B
Link to procedure.
Procedure 2: Create a test file and then assign permissions to the share
Link to procedure.
Procedure 3: Verify that you cannot gain access to forest A from forest B
Link to procedure.
Procedure 4: Enable the Selective Authentication option for a designated
computer
Link to procedure.

Procedure 5: Verify that you can gain access from forest A to forest B
Link to procedure.

Task: Removing the forest trust
This task addresses the procedure for removing a forest trust when administrators
determine they no longer need the trust between the forests.
Procedure 1: Remove the forest trust
Link to procedure.

Operating Quadrant System Administration
SMF
Infrastructure Role
Cluster
As Needed
Process: Managing sites
Description
An Active Directory Site object represents a collection of Internet Protocol (IP) subnets,
usually constituting a physical local area network (LAN). Multiple sites are connected for
replication by Site Link objects.
Sites are used in Active Directory to:
Enable clients to discover network resources (published shares, domain controllers)
that are close to the physical location of the client, reducing network traffic over wide
area network (WAN) links.
Optimize replication between domain controllers.

Managing sites in Active Directory involves adding new subnet, site, and site link objects
when the network grows, as well as configuring a schedule and cost for site links. You
can modify the site link schedule, cost, or both, to optimize intersite replication. When
conditions no longer require replication to a site, or clients no longer require the sites to
discover network resources, you can remove the site and associated objects from Active
Directory.

Note. Managing large hub-and-spoke topology or using the SMTP intersite replication transport is
beyond the scope of this documentation.

Purpose
Managing sites:
Enables clients to discover network resources (printers, published shares, domain
controllers) that are close to the physical location of the client, reducing network
traffic over wide area network (WAN) links.
Optimizes replication between domain controllers.

The KCC and Replication Topology
The Knowledge Consistency Checker (KCC) uses site link configuration information to
enable and optimize replication traffic by generating a least-cost replication topology.
Within a site, for each directory partition, the KCC builds a ring topology that tries to set
a maximum number of hops (3) between any two domain controllers. Between sites, the
KCC creates a spanning tree of all intersite connections. Therefore, adding sites and
domains increases the processing that is required by the KCC. Before adding to the site
topology, be sure to consider the guidelines discussed in Adding a new site later in this
document.
Significant changes to site topology can affect domain controller hardware requirements.
For more information about domain controller hardware requirements, see Domain
Controller Capacity Planning in Best Practice Active Directory Design for Managing
Windows Networks. To download this guide, follow the Active Directory link on the Web
Resources page at http://www.microsoft.com/windows/reskits/webresources, which will
take you to the Active Directory home page, where you can download the guide.
Bridgehead Server Selection
By default, bridgehead servers are automatically selected by the intersite topology
generator (ISTG) in each site. Alternatively, you can use Active Directory Sites and
Services to select preferred bridgehead servers. However, it is recommended for
Windows 2000 deployments that you do not select preferred bridgehead servers.
Selecting preferred bridgehead servers limits the bridgehead servers that the KCC can
use to those that you have selected. If you use Active Directory Sites and Services to
select any preferred bridgehead servers at all in a site, you must select as many as
possible and you must select them for all domains that must be replicated to a different
site. If you select preferred bridgehead servers for a domain and all preferred bridgehead
servers for that domain become unavailable, replication of that domain to and from that
site does not occur.
If you have selected one or more bridgehead servers, removing them all from the
bridgehead servers list restores the automatic selection functionality to the ISTG.
Task: Adding a new site
Design teams or network architects might want to add sites as part of ongoing
deployment. Although you typically create subnets to accommodate all address ranges in
the network, you do not need to create sites for every location. Generally, sites are
required for those locations that have domain controllers or other servers that run
applications that depend on site topology, such as Distributed File System (DFS).
When the need for a site arises, the design team typically provides details about the
placement and configuration of site links for the new site, as well as subnet assignments
or creation if subnets are needed.
KCC calculations for generating the intersite topology for a Windows 2003 forest can
cause directory performance to suffer when the combined sites, site links, and domains
exceed certain limits. When these limits are reached, follow the site administration
guidelines on the Active Directory Branch Office Planning Guide link on the Web
Resources page at http://www.microsoft.com/windows/reskits/webresources.
As a general guideline, when any of the following conditions exist, consult your design
team before adding a new site:
An existing site is directly connected to more than 20 sites.
A bridgehead server has more than 20 inbound connections.
The forest has 200 or more sites.

Use the following procedures to add a new site. Procedures are explained in detail in the
linked topics.
Procedure 1: Create a Site object and add it to an existing site link
Link to procedure.
Procedure 2: Associate a range of IP addresses with the site
Use either of these methods:
Create a Subnet object or objects and associate them with the new site
Associate an existing Subnet object with the new site

Link to procedure.
Procedure 3: Create a Site Link object, if appropriate, and add the new site
and at least one other site to the Site Link object
Link to procedure.
Procedure 4: Remove the site from the site link
Link to procedure.
Task: Adding a subnet to the network
If a new range of IP addresses is added to the network, create a Subnet object in Active
Directory to correspond to the range of IP addresses. When you create a new Subnet
object, you must associate it with a Site object. You can either associate the subnet with
an existing site, or create a new site first and then create the subnet and associate it with
the new site. If you are going to create a new site for the new network segment, see
Adding a new site.
Use the following procedures to add a subnet. Procedures are explained in detail in the
linked topics.
Procedure 1: Create a Subnet object and associate it with the appropriate
site
Link to procedure.
Task: Linking sites for replication
To link sites for replication, create a Site Link object in the IP transport container and add
two or more sites to the link. Use a naming convention that includes the sites that you are
linking. For example, if you want to link the site named Seattle to the site named Boston,
you might name the site link SEA-BOS.
After you add two or more site names to a Site Link object, the bridgehead servers in the
respective sites replicate between the sites according to the replication schedule, cost,
and interval settings on the Site Link object. For information about modifying the default
settings, see Changing site link properties.
At least two sites must exist when you create a site link. If you are adding a site link to
connect a new site to an existing site, create the new site first and then create the site
link. For information about creating a site, see Adding a new site.
Use the following procedures to link sites for replication. Procedures are explained in
detail in the linked topics.
Procedure 1: Create a Site Link object in the IP container and add the
appropriate sites
Link to procedure.
Procedure 2: Generate the intersite topology
Link to procedure.
Task: Changing site link properties
To control which sites replicate directly with each other and when, use the cost, schedule, and interval properties on the Site Link object.
These settings control intersite replication as follows:
- Schedule: The time during which replication can occur (the default setting allows replication at all times).
- Interval: The number of minutes between replication polling by intersite replication partners within the open schedule window (default is every 180 minutes).
- Cost: The relative priority of the link (default is 100). Lower relative cost increases the priority of the link over other higher-cost links.
Consult your design documentation for information about values to set for site link properties.
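As an added example (not code from the guide), the PowerShell below reports the three settings just described for every site link in the IP transport, then creates the SEA-BOS link used as the naming example with the defaults and applies tuned values. It assumes the ActiveDirectory module (RSAT) and existing sites named Seattle and Boston; the cost, interval and evening window are constructed values, not design values.

```powershell
Import-Module ActiveDirectory

function Get-SiteLinkSettings {
    # Reports the schedule, interval and cost of every site link in the IP transport.
    Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, ReplicationSchedule, SitesIncluded |
        ForEach-Object {
            $link = $_
            [pscustomobject]@{
                Name            = $link.Name
                # SitesIncluded holds DNs; keep only the site CN for readability.
                Sites           = ($link.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }) -join ', '
                Cost            = $link.Cost                           # default 100; lower is preferred
                IntervalMinutes = $link.ReplicationFrequencyInMinutes  # default 180
                Schedule        = if ($link.ReplicationSchedule) { 'custom window' } else { 'always (default)' }
            }
        }
}

# 1. Create the link with the defaults the guide describes: open at all times, 180 minutes, cost 100.
New-ADReplicationSiteLink -Name 'SEA-BOS' -SitesIncluded 'Seattle', 'Boston' `
    -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 180

# 2. Apply design values (constructed here): prefer this link over cost-100 links, poll hourly,
#    and open the schedule only in the evening so daytime WAN capacity is left for clients.
$window = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$window.ResetSchedule()   # every 15-minute slot closed, then open only the wanted range
$window.SetDailySchedule([System.DirectoryServices.ActiveDirectory.HourOfDay]::Twenty,
                         [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
                         [System.DirectoryServices.ActiveDirectory.HourOfDay]::TwentyThree,
                         [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)
Set-ADReplicationSiteLink -Identity 'SEA-BOS' -Cost 50 -ReplicationFrequencyInMinutes 60 -ReplicationSchedule $window

# 3. Review: any link still showing 100 / 180 / always is running on defaults.
Get-SiteLinkSettings | Format-Table -AutoSize
```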
Use the following procedures to configure a site link. Procedures are explained in detail in the linked topics.
Procedure 1: Configure the site link schedule to identify times during which intersite replication can occur
Link to procedure.
Procedure 2: Configure the site link interval to identify how often replication polling can occur during the schedule window
Link to procedure.
Procedure 3: Configure the site link cost to establish a priority for replication routing
Link to procedure.
Procedure 4: Generate the intersite topology
Link to procedure.
Task: Moving a domain controller to a different site
If you change the IP address or the subnet-to-site association of a domain controller after Active Directory is installed on the server, the Server object does not change sites automatically. You must move it to the new site manually. When you move the Server object, the Net Logon service on the domain controller registers DNS SRV resource records for the appropriate site.
TCP/IP Settings
When you move a domain controller to a different site, if an IP address of the domain controller is statically configured, then you must change the TCP/IP settings accordingly. The IP address of the domain controller must map to a Subnet object that is associated with the site to which you are moving the domain controller. If the IP address of a domain controller does not match the site in which the Server object appears, the domain controller might be forced to communicate over a potentially slow WAN link to locate resources rather than locating resources in its own site.
Prior to moving the domain controller, ensure that the following TCP/IP client values are appropriate for the new location:
- IP address, including the subnet mask and default gateway
- DNS server addresses
- WINS server addresses (if appropriate)
If the domain controller that you are moving is a DNS server, you must also:
- Change the TCP/IP settings on any clients that have static references to the domain controller as the preferred or alternate DNS server.
- Determine whether the parent DNS zone of any zone that is hosted by this DNS server contains a delegation to this DNS server. If yes, update the IP address in all such delegations. For information about creating DNS delegations, see Verify Active Directory installation.
Preferred Bridgehead Server Status
Before moving any Server object, check the Server object to see whether it is acting as a preferred bridgehead server for the site. This condition has ISTG implications in both sites, as follows:
- Site to which you are moving the server: If you move a preferred bridgehead server to a different site, it becomes a preferred bridgehead server in the new site. If preferred bridgehead servers are not currently in use in this site, the ISTG behavior in this site changes to support preferred bridgehead servers. For this reason, you must either configure the server to not be a preferred bridgehead server (recommended), or select additional preferred bridgehead servers in the site (not recommended).
- Site from which you are moving the server: If the server is the last preferred bridgehead server in the original site for its domain, and if other domain controllers for the domain are in the site, the ISTG selects a bridgehead server for the domain. If you use preferred bridgehead servers, always select more than one server as the preferred bridgehead server for the domain. If, after the removal of this domain controller from the site, multiple domain controllers remain that are hosting the same domain and only one of them is configured as a preferred bridgehead server, either configure the server to not be a preferred bridgehead server (recommended), or select additional preferred bridgehead servers hosting the same domain in the site (not recommended).

Note If you select preferred bridgehead servers and all selected preferred bridgehead servers for a
domain are unavailable in the site, the ISTG does not select a new bridgehead server. In this case,
replication of this domain to and from other sites does not occur. However, if no preferred
bridgehead server is selected for a domain or transport (through administrator error or as the result
of moving the only preferred bridgehead server to a different site), the ISTG automatically selects a
preferred bridgehead server for the domain and replication proceeds as scheduled.

Use the following procedures to move a domain controller to a different site. Procedures are explained in detail in the linked topics.
Procedure 1: Change the static IP address of the domain controller
This procedure includes changing all appropriate TCP/IP values, including preferred and alternate DNS servers, as well as WINS servers (if appropriate). Obtain these values from the design team.
Link to procedure.
Procedure 2: Create a delegation for the domain controller
If the parent DNS zone of any zone that is hosted by this DNS server contains a delegation to this DNS server, use this procedure to update the IP address in all such delegations.
Link to procedure.
Procedure 3: Verify that an IP address maps to a subnet and determine the site association
Use this procedure to ensure that the subnet is associated with the site to which you are moving the Server object.
Link to procedure.
Procedure 4: Determine whether the server is a preferred bridgehead server
Link to procedure.
Procedure 5: Configure the server to not be a preferred bridgehead server
Use this procedure if the server is a preferred bridgehead server in the current site and you do not want the server to be a preferred bridgehead server in the new site.
Link to procedure.
Procedure 6: Move the Server object to the new site
Link to procedure.
Task: Removing a site
If domain controllers are no longer needed in a network location, you can remove them from the site and then delete the Site object. Before deleting the site, you must remove the domain controllers from the site, either by removing them entirely or by moving them to a new location.
- To remove the domain controller, remove Active Directory from the server and then delete the Server object from the site in Active Directory.
- To retain the domain controller in a different location, move the domain controller to a different site and then move the Server object to the respective site in Active Directory.
Domain controllers can host other applications that depend on site topology and publish objects as Child objects of the respective Server object. For example, when MOM or Message Queuing is running on a domain controller, these applications create Child objects beneath the Server object. In addition, a server running Message Queuing that is not a domain controller and is configured to be a routing server running Message Queuing creates a Server object in the Sites container. Removing the application from the server automatically removes the Child object below the respective Server object. However, the Server object is not removed automatically.
When all applications have been removed from the server (no Child objects appear beneath the Server object), you can remove the Server object. After the application is removed from the server, a replication cycle might be required before Child objects are no longer visible below the Server object.
After you delete or move the Server objects but before you delete the Site object, reconcile the following objects:
- Subnet object or objects for the site IP addresses:
  - If the addresses are being reassigned to a different site, associate the Subnet object or objects with that site. Any clients using the addresses for the decommissioned site will thereafter be assigned automatically to the other site.
  - If the IP addresses will no longer be used on the network, delete the corresponding Subnet object or objects.
- You might need to delete a Site Link object, as follows:
  - If the site you are removing is added to a site link containing only two sites, delete the Site Link object.
  - If the site you are removing is added to a site link that contains more than two sites, do not delete this Site Link object.
Before deleting a site, you need to consider the implications. If the site you are removing is added to more than one site link, it might be an interim site between other sites that are added to this site link. Deleting the site might disconnect the outer sites from each other. In this case, the site links must be reconciled according to the instructions of the design team.
Use the following procedures to remove a site. Procedures are explained in detail in the linked topics.
Procedure 1: Determine whether a Server object has Child objects
If a Child object appears, do not delete the Server object. Contact an administrator.
Link to procedure.
Procedure 2: Delete a Server object from a site
Use this procedure to delete the Server objects within the Servers container of the site that you are removing.
Link to procedure.
Procedure 3: Delete the Site Link object
Obtain this information from the design team.
Link to procedure.
Procedure 4: Associate the subnet or subnets with the appropriate site
If you no longer want to use the IP addresses associated with the Subnet object or objects, delete the Subnet objects.
Link to procedure.
Procedure 5: Delete the Site object
Link to procedure.
Procedure 6: Generate the intersite topology
Link to procedure.
Dependencies
- Domain Admin and Enterprise Admin credentials
- No Child objects appear below the Server object in Active Directory Sites and Services
- Identity of the ISTG role holder in the site
Technology Required
- Active Directory Sites and Services (Administrative Tools)

Operating Quadrant | Security Administration SMF | Security Role Cluster | As Needed
Process: Manage antivirus software on domain controllers
Description
It is crucial to minimize the risk of disruption caused by malicious code to domain controllers because domain controllers provide a critical service to their clients. Antivirus software is the generally accepted way to mitigate the risk of such malevolent activity. However, one cannot simply install the antivirus software (from any vendor) on a domain controller and tell it to scan everything. Instead, it must be installed in a manner that mitigates the risk to the highest possible level while not interfering with the performance of the domain controllers in performing their directory service duties.
Purpose
Installing effective antivirus software on domain controllers minimizes the risk that their activities will be disrupted by malicious code.
Guidelines
Follow the guidelines established by your antivirus software vendor.

Note Verify that the antivirus software you are adding is confirmed to work on domain controllers.

Task: Exclude files not at risk of infection
Exclude the following files and folders from being scanned. These files are not at risk of infection and including them could cause serious performance problems due to file locking and excessive replication between domain controllers. Furthermore, they may cause Active Directory and FRS to work improperly, causing Active Directory or FRS data loss. Where a specific set of files is identified by name, exclude only those files rather than the entire folder. In some cases, the entire folder must be excluded.
Do not exclude any of these based on the file name extension (that is, do not exclude all files with a .dit extension). Microsoft has no control over other files that might choose to use the same extension as those shown here. AV software must not modify any data files in the logs, database, and/or DSA working directories specified below.
Active Directory and related files:
- Main NTDS database files. The location of these files is specified in:
  HKLM\System\Services\NTDS\Parameters\DSA Database File
  Default location is %windir%\ntds.
  The file to be excluded is: NTDS.dit (on Windows 2000).
- Active Directory transaction log files. The log directory on any given server is specified in:
  HKLM\System\Services\NTDS\Parameters\Database Log Files Path
  Default location is %windir%\ntds.
  The specific files to be excluded are:
  EDB*.log (notice the wildcard; there can be several)
  RES1.log
  RES2.log
- NTDS Working folder specified in:
  HKLM\System\Services\NTDS\Parameters\DSA Working Directory
  Specific files to be excluded are:
  TEMP.edb
  EDB.chk
SYSVOL files
- FRS Working Directory specified in:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory
  Files to be excluded:
  FRS Working Dir\jet\sys\edb.chk
  FRS Working Dir\jet\ntfrs.jdb
  FRS Working Dir\jet\log\*.log
- FRS Database Log files specified in:
  HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\DB Log File Directory
  Default location is %windir%\ntds.
  Files to be excluded:
  FRS Working Dir\jet\log\*.log (if registry key is not set)
  DB Log File Directory\log\*.log (if registry key is set)
- FRS Replica_root files specified in:
  HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Root
- Staging directory found in:
  HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage
- FRS Preinstall directory located at:
  <Replica_root>\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
  The Preinstall directory is always open exclusively when FRS is running.
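The list above can be derived from the registry on the domain controller rather than typed by hand, which avoids the extension-based exclusions the text warns against. As an added example (not code from the guide), this PowerShell reads the NTDS and NtFrs values named above and emits exact paths; it assumes it runs locally on the domain controller, and the FRS keys are skipped when they are absent.

```powershell
function Get-DomainControllerAvExclusions {
    # Builds exact-path exclusions from the registry values the guide names.
    $exclusions = New-Object System.Collections.Generic.List[string]

    # NTDS: database file, transaction logs and working directory
    $ntds = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $exclusions.Add($ntds.'DSA Database file')                 # the ntds.dit path, e.g. C:\Windows\NTDS\ntds.dit
    $logDir = $ntds.'Database log files path'
    foreach ($name in 'EDB*.log', 'RES1.log', 'RES2.log') {    # transaction logs, as named in the guide
        $exclusions.Add((Join-Path $logDir $name))
    }
    $workDir = $ntds.'DSA Working Directory'
    foreach ($name in 'TEMP.edb', 'EDB.chk') {
        $exclusions.Add((Join-Path $workDir $name))
    }

    # FRS (SYSVOL) files, only where the NtFrs service is present
    $frs = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters' -ErrorAction SilentlyContinue
    if ($frs -and $frs.'Working Directory') {
        $frsWork = $frs.'Working Directory'
        $exclusions.Add((Join-Path $frsWork 'jet\sys\edb.chk'))
        $exclusions.Add((Join-Path $frsWork 'jet\ntfrs.jdb'))
        # Database logs live under the working directory unless "DB Log File Directory" is set.
        $dbLogDir = if ($frs.'DB Log File Directory') { $frs.'DB Log File Directory' } else { Join-Path $frsWork 'jet' }
        $exclusions.Add((Join-Path $dbLogDir 'log\*.log'))

        # Replica set root, staging and pre-install directories are excluded as whole folders.
        $setsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets'
        Get-ChildItem -Path $setsKey -ErrorAction SilentlyContinue | ForEach-Object {
            $set  = Get-ItemProperty -Path $_.PSPath
            $root = $set.'Replica Set Root'
            if ($root) {
                $exclusions.Add($root)
                $exclusions.Add((Join-Path $root 'DO_NOT_REMOVE_NtFrs_PreInstall_Directory'))
            }
            if ($set.'Replica Set Stage') { $exclusions.Add($set.'Replica Set Stage') }
        }
    }

    # Every entry is a full path; the only wildcard is inside a named log file set, never a bare *.dit.
    return $exclusions | Select-Object -Unique
}

# Feed the output to the vendor's exclusion configuration.
Get-DomainControllerAvExclusions
```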
Task: Install software
The following recommendations are general and should not be construed as more important than the specific antivirus software vendor's own recommendations. These guidelines must be followed for correct Active Directory and FRS operation.

Note Test the chosen antivirus software solution thoroughly in a lab environment to ensure that the
software does not compromise the stability of the system.

- Antivirus software must be installed on all domain controllers in the enterprise. Ideally, such software should also be installed on all other server and client systems that have to interact with the domain controllers. Catching the virus at the earliest point, at the firewall, or the client system on which the virus is first introduced is best; that will prevent the virus from ever reaching the infrastructure systems upon which all clients depend.
- Use a version of antivirus software that is confirmed to work with Active Directory and uses the correct APIs for accessing files on the server. Older versions of most vendors' software inappropriately modified file metadata as it was scanned, causing the FRS replication engine to think the file was changed and to schedule it for replication. Newer versions prevent this problem. Refer to Knowledge Base article Q815263 and to the vendor-specific sites for compliant versions.
- Prevent the use of domain controller systems as general workstations. Users should not be using a domain controller to surf the Web or perform any other activities that could allow the introduction of malicious code.
- When possible, do not use the domain controller as a file sharing server. Virus scanning software must be run against all files in those shares and could place an unsatisfactory load on the processor and memory resources of the server.

Optimizing Quadrant | Availability Management SMF | Infrastructure Role Cluster | As Needed
Process: Add a global catalog
Description
Designate global catalog servers in sites to accommodate forest-wide directory searching and so that Active Directory can determine universal group membership of native-mode domain clients.
Purpose
Adding a global catalog improves the speed of logging on and searching.
Guidelines
To improve the speed of logging on and searching, place at least one global catalog server in each site, and at least two global catalog servers if the site has multiple domain controllers. As a best practice, make half of all domain controllers in a site global catalog servers if the site contains more than three domain controllers. If your deployment uses a single global domain, configure all domain controllers as global catalog servers. In a single-domain forest, configuring all domain controllers as global catalog servers requires no additional resources.
When placing global catalog servers, primary concerns are:
- Does any site have no global catalog servers?
- Which domain controllers are designated as global catalog servers in a particular site?
When you add a global catalog server to a site, the Knowledge Consistency Checker (KCC) updates the replication topology, after which replication of partial domain directory partitions that are available within the site begins. Replication of partial domain directory partitions that are available only from other sites begins at the next scheduled interval.
Adding subsequent global catalog servers within a site requires only intrasite replication and may not affect the wide area network. Replication of the global catalog potentially affects network performance only when adding the first global catalog server in the site, and the impact varies depending on the following conditions:
- The speed and reliability of the wide area network (WAN) link or links to the site.
- The size of the forest.
Task: Add the global catalog to a domain controller
When conditions in a site warrant adding a global catalog server, you can configure a domain controller to be a global catalog server. Selecting the global catalog setting on the NTDS Settings object prompts the KCC to update the topology. After the topology is updated, read-only partial domain directory partitions are replicated to the designated domain controller. When replication must occur between sites to create the global catalog, the site link schedule determines when replication can occur.
Minimum hardware requirements for global catalog servers depend upon the numbers of users in the site. Table 5 contains guidelines for assessing hardware requirements.
Table 5. Global Catalog Hardware Guidelines
Users in Site      Domain Controller
<= 100             One uniprocessor PIII 500, 512 MB.
101-500            One uniprocessor PIII 500, 512 MB.
501-1,000          One dual PIII 500, 1 GB.
1,001-10,000       Two quad PIII XEON, 2 GB.
> 10,000 users     One quad PIII XEON, 2 GB for every 5,000 users.

When configuring a global catalog server, be sure the computer has adequate hard disk space. Use the information in Table 6 to determine how much storage to provide for the Active Directory database.
Table 6. Global Catalog Storage Requirements for the Active Directory Database
Server                  Active Directory Database Storage Requirements
Domain controller       0.4 GB of storage for each 1,000 users.
Global catalog server   0.6 GB

For example, in a forest with two 10,000-user domains, all domain controllers need 0.4 GB of storage. All global catalog servers require 0.6 GB of storage.
These requirements represent conservative estimates. For a more accurate determination of storage requirements, download and run the Active Directory Sizer Tool (ADSizer.exe). You can download the ADSizer.exe tool from the Active Directory Sizer Tool link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
Occupancy Levels and Global Catalog Server Readiness
The occupancy level setting on a domain controller determines the criteria for advertising itself as a global catalog server in DNS. If a global catalog server advertises itself before it has synchronized all read-only directory partition replicas, clients can receive incorrect information.
The requirements of the occupancy levels are as follows (each higher level includes all levels below it):
- 0: No occupancy requirement.
- 1: An inbound connection for at least one read-only directory partition in the site of the global catalog server is added to the designated server by the KCC. Event ID 1264 in the Directory Service log signals creation of the inbound connection.
- 2: At least one read-only directory partition in the site is replicated to the global catalog server.
- 3: Inbound connections for all read-only directory partitions in the site are added by the KCC, and at least one is replicated to the server.
- 4: All read-only directory partitions in the site are replicated to the server.
- 5: Inbound connections for all read-only directory partitions in the forest are added by the KCC, and all directory partitions in the site are replicated to the server.
- 6: All directory partitions in the forest are replicated to the server.
Windows Server 2003: default and maximum occupancy level = 6.
Exchange 2003 servers use the global catalog exclusively when looking up addresses. Therefore, in addition to causing Active Directory client search problems, the condition of a global catalog server being advertised before it receives all partial replicas can cause Address Book lookup and mail delivery problems for Exchange clients.
The Name Service Provider Interface (NSPI) must be running on a global catalog server to enable MAPI access to Active Directory. To enable NSPI, you must restart the global catalog server after replication of the partial directory partitions is complete, or after occupancy requirements are met.
Use the following procedures to add a global catalog server to a domain controller. The procedures are explained in detail in the linked topics. Some procedures are performed only when you are configuring the first global catalog server in the site.
Procedure 1: Configure a domain controller as a global catalog server
Setting the Global Catalog check box initiates the process of replicating all domains to the server.
Link to procedure.
Procedure 2: Monitor global catalog replication progress
Link to procedure.
Procedure 3: Verify successful replication to a domain controller
Check for inbound replication of all partial domain directory partitions in the forest to ensure that all domain directory partitions have replicated to the global catalog server.
Link to procedure.
Task: Verify the global catalog readiness
After replication of all forest partial domain directory partitions, the domain controller advertises as a global catalog server and begins accepting queries on ports 3268 and 3269. The default requirements in Windows Server 2003 include replication of all domain directory partitions in the forest. If the domain controller advertises as a global catalog server before it has complete information from all domains in the forest, it might return false information to applications that begin using the server for forest-wide searches.
A global catalog is ready to serve clients when the following events occur, in this order:
- Occupancy level requirements are met by replicating read-only replicas.
- The isGlobalCatalogReady rootDSE attribute is set to TRUE.
- The Net Logon service on the domain controller has updated DNS with global-catalog-specific SRV resource records.
Procedure 1: Verify global catalog readiness
Link to procedure.
Procedure 2: Verify global catalog DNS registrations
In this procedure you will restart the global catalog server and verify global catalog DNS registrations by checking DNS for global catalog SRV resource records.
Link to procedure.

Optimizing Quadrant | Capacity Management SMF | Infrastructure Role Cluster | As Needed
Process: Removing the global catalog from a domain controller
Description
When you remove the global catalog, the domain controller immediately stops advertising as a global catalog server and stops listening to the global catalog ports. It also attempts to remove the DNS records it registered previously. The KCC gradually removes the read-only replicas from the domain controller.
Purpose
Upgrading from Windows 2000 Server to Windows Server 2003 adds many new features, including universal group caching. Universal group caching may eliminate the requirement for the global catalog on a domain controller in a particular site, motivating the removal.
Task: Remove a global catalog
The procedure to remove the global catalog is simply to clear the Global Catalog check box on the NTDS Settings object properties page. As soon as you perform this step, the domain controller stops advertising itself as a global catalog server (Net Logon de-registers the global catalog-related records in DNS) and immediately stops accepting LDAP requests over ports 3268 and 3269.
When you remove the global catalog from a domain controller, the KCC begins removing the read-only replicas one at a time by means of an asynchronous process that removes objects gradually over time. Each time the KCC runs (every 15 minutes by default), it attempts the removal of the read-only replica until there are no remaining objects.
Use the following procedures to remove the global catalog from a domain controller. The procedures are explained in detail in the linked topics.
Procedure 1: Clear the global catalog setting
Link to procedure.
Procedure 2: Monitor global catalog removal in Event Viewer
Link to procedure.

Optimizing Quadrant | Capacity Management SMF | Infrastructure Role Cluster | As Needed
Process: Identify global catalog servers in a site
Maintain a list of those servers that are designated as global catalog servers. Routinely check these servers to ensure that no one has changed the designation. Check other servers to ensure that no one has erroneously designated a global catalog server.
Task: Identifying a global catalog server
Use the following procedure to determine whether a domain controller is a global catalog server. The procedure is explained in detail in the linked topic.
Procedure: Determine whether a domain controller is a global catalog server
Use this procedure to check the properties on the NTDS Settings object of the respective Server object to determine whether a domain controller is a global catalog server.
Link to procedure.
Task: Identifying a site that has no global catalog servers
To quickly identify a site that has no global catalog servers, you can perform one command rather than check each server individually. You can perform this test any time you add a site, or routinely if global catalog servers can potentially be removed inappropriately.
Use the following procedure to determine whether a site has a global catalog server. The procedure is explained in detail in the linked topic.
Procedure: Determine whether a site has at least one global catalog server
To identify a site that has no global catalog servers you must determine whether a site has at least one global catalog server.
Link to procedure.
Task: Identifying sites that have universal group caching enabled
Universal group caching mitigates the need to locate a global catalog server at a site by caching universal group membership on a domain controller. Therefore, when users log on in remote offices, there is no requirement to use a WAN connection to determine universal group membership.
Procedure: Determine whether universal group caching is enabled
Link to procedure.
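As an added example (not code from the guide) covering the global catalog readiness conditions and the three identification tasks above, this PowerShell checks one domain controller against the occupancy, rootDSE and DNS SRV conditions, then lists every site with its global catalog count and universal group caching state. It assumes the ActiveDirectory and DnsClient modules; the forest name is read from Get-ADForest, and the server name DC01 is a constructed placeholder.

```powershell
Import-Module ActiveDirectory

function Test-GlobalCatalogReadiness {
    # Checks one domain controller against the readiness conditions in the guide.
    param([Parameter(Mandatory)][string]$Server)

    $dc      = Get-ADDomainController -Identity $Server
    $rootDse = Get-ADRootDSE -Server $dc.HostName -Properties isGlobalCatalogReady, isSynchronized
    $forest  = (Get-ADForest).RootDomain

    # Net Logon registers _gc._tcp.<site>._sites.<forest> only after the occupancy level is met.
    $srvName = "_gc._tcp.$($dc.Site)._sites.$forest"
    $srv     = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue
    $inDns   = [bool]($srv | Where-Object { $_.NameTarget -ieq $dc.HostName })

    # A ready global catalog accepts LDAP on 3268 (and LDAPS on 3269).
    $port = Test-NetConnection -ComputerName $dc.HostName -Port 3268 -WarningAction SilentlyContinue

    [pscustomobject]@{
        Server               = $dc.HostName
        Site                 = $dc.Site
        IsGlobalCatalog      = $dc.IsGlobalCatalog                          # the NTDS Settings check box
        IsGlobalCatalogReady = ("$($rootDse.isGlobalCatalogReady)" -eq 'TRUE')
        IsSynchronized       = ("$($rootDse.isSynchronized)" -eq 'TRUE')
        GcSrvRecordInDns     = $inDns
        Port3268Open         = $port.TcpTestSucceeded
    }
}

function Get-SiteGlobalCatalogCoverage {
    # Counts global catalogs per site across every domain, and reports universal group caching.
    $gcSites = foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } -Server $domain |
            Select-Object -ExpandProperty Site
    }
    Get-ADReplicationSite -Filter * -Properties UniversalGroupCachingEnabled | ForEach-Object {
        $site = $_
        [pscustomobject]@{
            Site                  = $site.Name
            GlobalCatalogCount    = @($gcSites | Where-Object { $_ -eq $site.Name }).Count
            UniversalGroupCaching = [bool]$site.UniversalGroupCachingEnabled
        }
    }
}

# One domain controller (constructed name): it is ready only when every column is True.
Test-GlobalCatalogReadiness -Server 'DC01' | Format-List

# Sites with neither a global catalog nor universal group caching need attention.
Get-SiteGlobalCatalogCoverage |
    Where-Object { $_.GlobalCatalogCount -eq 0 -and -not $_.UniversalGroupCaching } |
    Format-Table -AutoSize
```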


Optimizing Quadrant | Availability SMF | Infrastructure Role Cluster | As Needed
Process: Move an operations master role
Description
Operations masters keep the directory functioning properly by performing specific tasks that no other domain controllers are permitted to perform. Because operations masters are critical to the long-term performance of the directory, they must be available to all domain controllers and desktop clients that require their services. Careful placement of your operations masters becomes more important as you add more domains and sites to build your forest.
To perform these functions, the domain controllers hosting these operations master roles must be consistently available and be located in areas where network reliability is high.
Role transfer is the preferred method to move an operations master role from one domain controller to another. During a role transfer, the two domain controllers replicate to ensure that no information is lost. After the transfer completes, the previous role holder reconfigures itself so that it no longer attempts to perform as the operations master while the new domain controller assumes those duties. This prevents the possibility of duplicate operations masters existing on the network at the same time, which can lead to corruption in the directory.
Purpose
Three operations master roles exist in each domain:
- The primary domain controller (PDC) emulator. The PDC emulator processes all replication requests from Microsoft Windows NT 4.0 backup domain controllers. It also processes all password updates for clients not running Active Directory-enabled client software, plus any other directory write operations.
- The relative identifier (RID) master. The RID master allocates RID pools to all domain controllers to ensure that new security principals can be created with a unique identifier.
- The infrastructure master. The infrastructure master for a given domain maintains a list of the security principals for any linked-value attributes.
In addition to the three domain-level operations master roles, two operations master roles exist in each forest:
- The schema master, which governs all changes to the schema.
- The domain naming master, which adds and removes domains and application partitions to and from the forest.
Guidelines
Design principles and best practices for initial operations master role assignment are covered in the Windows Server 2003 Deployment Kit: Planning, Testing, and Piloting Deployment Projects. Operations master role holders are placed automatically when the first domain controller in a given domain is created. The three domain-level roles are assigned to the first domain controller created in a domain. The two forest-level roles are assigned to the first domain controller created in a forest.
Reasons for moving the operations master role(s) include inadequate service performance, failure or decommission of a domain controller hosting an operations master role, or if dictated by configuration changes made by an administrator.
Inadequate Level of Service
The PDC emulator is the operations master role that most impacts the performance of a domain controller. For clients that do not run Active Directory client software, the PDC emulator processes requests for password changes, replication, and user authentication. While providing support for these clients, the domain controller continues to perform its normal services, such as authenticating Active Directory-enabled clients. As the network grows, the volume of client requests can increase the workload for the domain controller that hosts the PDC emulator role and its performance can suffer. To solve this problem, you can transfer all or some of the master operations roles to another, more powerful domain controller. Alternately, you may choose to transfer the role to another domain controller, upgrade the hardware on the original domain controller, and then transfer the role back again.
Master Operations Role Holder Failure
In the event of a failure, you must decide if you need to relocate the operations master roles to another domain controller or wait for the domain controller to be returned to service. Base that determination on the role that the domain controller hosts and the expected downtime.
Decommissioning of the Domain Controller
Before permanently taking a domain controller offline, transfer any operations master roles held by the domain controller to another domain controller.
Configuration Changes
Configuration changes to domain controllers or the network topology can result in the need to transfer master operations roles. Except for the infrastructure master, you can assign operations master roles to any domain controller regardless of any other tasks that the domain controller performs. Do not host the infrastructure master role on a domain controller that is also acting as a global catalog server unless all of the domain controllers in the domain are global catalog servers or unless only one domain is in the forest. If the domain controller hosting the infrastructure master role is configured to be a global catalog server, you must transfer the infrastructure master role to another domain controller. Changes to the network topology can result in the need to transfer operations master roles in order to keep them in a particular site.
You can reassign an operations master role by transfer or, as a last resort, by seizure.
To transfer a role to a new domain controller, ensure that the destination domain controller is a direct replication partner of the previous role holder and that replication between them is up to date and functioning properly. This minimizes the time required to complete the role transfer. If replication is sufficiently out of date, the transfer can take a while, but it eventually finishes.

Important If you must seize an operations master role, never reattach the previous role holder to the
network without following the procedures in this guide. Incorrectly reattaching the previous role
holder to the network can result in invalid data and corruption of data in the directory.

Guidelines for Role Placement
By improperly placing operations master role holders, you might prevent clients from changing their passwords or being able to add domains and new objects, such as Users and Groups. You might also be unable to make changes to the schema. In addition, name changes might not properly appear within group memberships that are displayed in the user interface.
As your environment changes, you must avoid the problems associated with improperly placed operations master role holders. Eventually, you might need to reassign the roles to other domain controllers.
Although you can assign the forest-level and domain-level operations master roles to any domain controller in the forest and domain respectively, improperly placing the infrastructure master role can cause it to function improperly. Other improper configurations can increase administrative overhead.
Requirements for Infrastructure Master Placement
Do not place the infrastructure master on a domain controller that is also a global catalog server.
The infrastructure master updates the names of security principals for any domain-named linked attributes. For example, if a user from one domain is a member of a group in a second domain and the user's name is changed in the first domain, then the second domain is not notified that the user's name must be updated in the group's membership list. Because domain controllers in one domain do not replicate security principals to domain controllers in another domain, the second domain never becomes aware of the change. The infrastructure master constantly monitors group memberships, looking for security principals from other domains. If it finds one, it checks with the security principal's domain to verify that the information is updated. If the information is out of date, the infrastructure master performs the update and then replicates the change to the other domain controllers in its domain.
Two exceptions apply to this rule. First, if all the domain controllers are global catalog servers, the domain controller that hosts the infrastructure master role is insignificant because global catalogs do replicate the updated information regardless of the domain to which they belong. Second, if the forest has only one domain, the domain controller that hosts the infrastructure master role is not needed because security principals from other domains do not exist.
Recommendations for Role Placement
Although you can assign the operations master roles to any domain controller, follow these guidelines to minimize administrative overhead and ensure the performance of Active Directory. If a domain controller that is hosting operations master roles fails, following these guidelines also simplifies the recovery process. Guidelines for role placement include:
Leave the two forest-level roles on a domain controller in the forest root domain.
Place the three domain-level roles on the same domain controller.
Do not place the domain-level roles on a global catalog server.
Place the domain-level roles on a higher performance domain controller.
Adjust the workload of the operations master role holder, if necessary.
Choose an additional domain controller as the standby operations master for the forest-level roles and choose an additional domain controller as the standby for the domain-level roles.
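The placement rules above, and the two infrastructure master exceptions, can be audited rather than checked by hand. The following script is an added example and is not part of the Product Operations Guide; it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, so newer than the platform this guide was written for) and an account with read access to the forest.

```powershell
# Added example: audit operations master placement against the guide's rules.
# Assumes the ActiveDirectory module is installed and the caller can read the forest.
Import-Module ActiveDirectory

function Test-OperationsMasterPlacement {
    [CmdletBinding()]
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest   = Get-ADForest
    $dom      = Get-ADDomain -Identity $Domain
    $dcs      = @(Get-ADDomainController -Filter * -Server $Domain)
    $findings = @()

    # Rule 1: the two forest-level roles stay on a DC in the forest root domain.
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        $holder = Get-ADDomainController -Identity $forest.$role
        if ($holder.Domain -ne $forest.RootDomain) {
            $findings += "$role is on $($holder.HostName) in $($holder.Domain), not in the forest root $($forest.RootDomain)"
        }
    }

    # Rule 2: the three domain-level roles stay together on one DC.
    $holders = @(@($dom.PDCEmulator, $dom.RIDMaster, $dom.InfrastructureMaster) | Sort-Object -Unique)
    if ($holders.Count -gt 1) {
        $findings += "domain-level roles for $Domain are split across $($holders -join ', ')"
    }

    # Rule 3: the infrastructure master must not be a global catalog, unless every DC in
    # the domain is a global catalog or the forest has a single domain (the two exceptions).
    $im           = Get-ADDomainController -Identity $dom.InfrastructureMaster
    $allGc        = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    $singleDomain = @($forest.Domains).Count -eq 1
    if ($im.IsGlobalCatalog -and -not ($allGc -or $singleDomain)) {
        $findings += "infrastructure master $($im.HostName) is a global catalog; cross-domain group membership names will not be updated"
    }

    # Rule 4: the guide's stricter recommendation, no domain-level role on a global catalog.
    foreach ($h in $holders) {
        $dc = Get-ADDomainController -Identity $h
        if ($dc.IsGlobalCatalog -and $dc.HostName -ne $im.HostName) {
            $findings += "domain-level role holder $($dc.HostName) is a global catalog"
        }
    }

    [pscustomobject]@{
        Domain    = $Domain
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Usage: Test-OperationsMasterPlacement | Format-List
```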

Forest-level Role Placement in the Forest Root Domain
The first domain controller created in the forest is assigned the schema master and domain naming master roles. To ease administration and backup and restore procedures, leave these roles on the original forest root domain controller. Moving the roles to other domain controllers does not improve performance. Separating the roles creates additional administrative overhead when you must identify the standby operations masters and when you implement a backup and restore policy.
Unlike the PDC emulator role, forest-level roles rarely place a significant burden on the domain controller. Keep these roles together to provide easy, predictable management.
Forest-level Role Placement on a Global Catalog Server
In addition to hosting the schema master and domain naming master roles, the first domain controller created in a forest also hosts the global catalog.
Domain-level Role Placement on the Same Domain Controller
The three domain-level roles are assigned to the first domain controller created in a new domain. Except for the forest root domain, leave the roles at that location. Keep the roles together unless the workload on your operations master justifies the additional management burden of separating the roles.
Because all clients prior to Active Directory submit updates to the PDC emulator, the domain controller holding that role uses a higher number of RIDs. Place the PDC emulator and RID master roles on the same domain controller so that these two roles interact more efficiently.
If you must separate the roles, you can still use a single standby operations master for all three roles. However, you must ensure that the standby is a replication partner of all three of the role holders.
Backup and restore procedures also become more complex if you separate the roles. Special care must be taken to restore a domain controller that hosted an operations master role. By hosting the roles on a single computer, you minimize the steps that are required to restore a role holder.
Domain-level Role Absence on a Global Catalog Server
Do not host the infrastructure master on a domain controller that is acting as a global catalog server. Because it is best to keep the three domain-level roles together, avoid putting any of them on a global catalog server.
Domain-level Role Placement on a Higher Performance Domain Controller
Host the PDC emulator role on a powerful and reliable domain controller to ensure that it is available and capable of handling the workload. Of all the operations master roles, the PDC emulator creates the most overhead on the server that is hosting the role. It has the most intensive daily interaction with other systems on the network. The PDC emulator has the greatest potential to affect daily operations of the directory.
Workload Adjustment of the Operations Master Role Holder
Domain controllers can become overloaded while attempting to service client requests on the network, manage their own resources, and handle any specialized tasks such as performing the various operations master roles. This is especially true of the domain controller holding the PDC emulator role. Again, clients prior to Active Directory and domain controllers running Windows NT 4.0 rely more heavily on the PDC emulator than Active Directory clients and Windows 2000 Server domain controllers. If your networking environment has clients and domain controllers prior to Active Directory, you might need to reduce the workload of the PDC emulator.
If a domain controller begins to indicate that it is overloaded and its performance is affected, you can reconfigure the environment so that some tasks are performed by other, less-used domain controllers. By adjusting the domain controller's weight in the DNS environment, you can configure the domain controller to receive fewer client requests than other domain controllers on your network. Optionally, you can adjust the domain controller's priority in the DNS environment so that it processes client requests only if other DNS servers are unavailable. With fewer DNS client requests to process, the domain controller can use more resources to perform operations master services for the domain.
Task: Designating a domain controller for an operations master role
When you create a new domain, the Active Directory Installation Wizard automatically assigns all of the domain-level operations master roles to the first domain controller that is created in that domain. When you create a new forest, the wizard also assigns the two forest-level operations master roles to the first domain controller. After the domain is created and functioning, you might transfer various operations master roles to different domain controllers to optimize performance and simplify administration.
The transfer of forest-level and domain-level operations master roles is performed as needed and is governed by the guidelines for placing operations master roles. Before you transfer an operations master role, use Repadmin.exe with the /showreps option to ensure that replication between the current role holder and the domain controller assuming the role is updated.
In addition, you must determine if the domain controller that you intend to assume an operations master role is a global catalog server. However, the infrastructure master for each domain must not host the global catalog.
Do not change the global catalog configuration on the domain controller that you intend to assume an operations master role unless your IT management authorizes that change. Changing the global catalog configuration can cause changes that can take days to complete, and the domain controller might not be available during that period. Instead, transfer the operations master roles to a different domain controller that is already properly configured.
The following procedures are explained in detail in the linked topics.
Procedure 1: Verify successful replication to a domain controller
Link to procedure.
Procedure 2: Determine whether a domain controller is a global catalog server
Link to procedure.
Procedure 3: Transfer the forest-level operations master roles
Link to procedure.
Procedure 4: Transfer the domain-level operations master roles
Link to procedure.
Task: Verifying the transfer of an operations master role
Once an operations master role has been transferred, it should be verified that the transfer has occurred successfully throughout the domain. The change must be replicated to all relevant domain members in order to truly take effect.
The following procedure is explained in detail in the linked topics:
Procedure 1: View the current operations master role holders
Link to procedure.

Quadrant: Optimizing
SMF: Capacity Management
Role Cluster: Infrastructure
As Needed
Process: Reduce the workload on the PDC emulator
Description
You can configure DNS so that a domain controller is queried less frequently than others. Reducing the number of client requests helps reduce the workload on a domain controller, giving it more time to function as an operations master, and is especially important for the PDC emulator. Of all the operations master roles, the PDC role has the highest impact on the domain controller hosting that role. You might need to take steps to keep that domain controller from becoming overloaded.
To receive information from the domain, a client uses DNS to locate a domain controller and then sends the request to that domain controller. By default, DNS performs rudimentary load balancing and randomizes the distribution of client requests so they are not always sent to the same domain controller. If too many client requests are sent to a domain controller while it attempts to perform other duties, such as those of the PDC emulator, it can become overloaded, which has a negative impact on performance. To reduce the number of client requests that are processed by the PDC emulator, you can adjust its weight or its priority in the DNS environment.
Purpose
In addition to processing normal domain controller load from clients, the PDC emulator must also process password changes. In order to mitigate some of the load that is caused by normal domain controller traffic, the PDC can be protected, so the load is distributed to other domain controllers that are capable of processing the requests.

Task: Adjusting the DNS weight setting
Adjusting the weight of a domain controller to a value less than that of other domain controllers reduces the number of clients that DNS refers to that domain controller. The default weight for all domain controllers is 100. By reducing this value, DNS refers clients to a domain controller less frequently based on the proportion of this value to the value of other domain controllers. For example, to configure the system so that the domain controller hosting the PDC emulator role receives requests only half as many times as the other domain controllers, configure the weight of the domain controller hosting the PDC emulator role to be 50. DNS determines the weight ratio for that domain controller to be 50/100 (50 for that domain controller and 100 for the other domain controllers). After you reduce this ratio to 1/2, DNS refers clients to the other domain controllers twice as often as it refers to the domain controller with the reduced weight setting. By reducing client referrals, the domain controller receives fewer client requests and has more resources for other tasks, such as performing the role of PDC emulator.
Procedure 1: Change the weight for DNS SRV records in the registry
Link to procedure.
Task: Adjusting the DNS priority registry setting
Adjusting the priority of the domain controller also reduces the number of client referrals. However, rather than reducing it proportionally to the other domain controllers, changing the priority causes DNS to stop referring all clients to this domain controller unless all domain controllers with a lower priority setting are unavailable.
Procedure 1: Change the priority for DNS SRV records in the registry
Link to procedure.
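To confirm that a weight or priority change has actually been published, read the DC locator SRV records and compute the referral share each domain controller can expect within its priority group. This is an added example, not a procedure from the Product Operations Guide; it assumes Resolve-DnsName (DnsClient module, Windows 8 / Windows Server 2012 or later) and, for the registry reader, that it runs on the domain controller itself.

```powershell
# Added example: inspect the _ldap._tcp.dc._msdcs SRV records that Netlogon registers
# and derive the expected share of client referrals from priority and weight.
function Get-DcLocatorShare {
    param([string]$Domain = $env:USERDNSDOMAIN)

    # Each DC registers one SRV entry here; keep only SRV rows (the answer may carry A records too).
    $records = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }

    # Priority is decided first: only the lowest priority value is used while any DC in it
    # answers. Weight then splits referrals proportionally within that priority group.
    foreach ($group in ($records | Group-Object Priority | Sort-Object { [int]$_.Name })) {
        $total = ($group.Group | Measure-Object -Property Weight -Sum).Sum
        foreach ($r in ($group.Group | Sort-Object NameTarget)) {
            [pscustomobject]@{
                DomainController = $r.NameTarget
                Priority         = $r.Priority
                Weight           = $r.Weight
                ExpectedShare    = if ($total -gt 0) { [math]::Round($r.Weight / $total, 3) } else { 0 }
            }
        }
    }
}

function Get-NetlogonSrvSettings {
    # Run on a DC: the values Netlogon publishes in its SRV records. An absent value
    # means the default applies (priority 0, weight 100).
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    [pscustomobject]@{
        LdapSrvPriority = if ($null -ne $p.LdapSrvPriority) { $p.LdapSrvPriority } else { 0 }
        LdapSrvWeight   = if ($null -ne $p.LdapSrvWeight)   { $p.LdapSrvWeight }   else { 100 }
    }
}

# Usage: Get-DcLocatorShare | Format-Table
# With the PDC emulator at weight 50 and two other DCs at 100 in the same priority group,
# ExpectedShare is 0.2 for the PDC emulator and 0.4 for each of the others.
```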

Quadrant: Operating
SMF: System Administration
Role Cluster: Infrastructure
As Needed
Process: Transferring a role holder
Description
Transferring a forest-level or domain-level operations master role may be required, depending on other operations in your environment or changes to your Active Directory infrastructure such as the addition or removal of domain controllers. This process should be performed as required and should follow Microsoft's best practices concerning operations master role placement as outlined at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/deployguide/dssbe_apnt_xifh.asp.
Purpose
Transferring a role holder is necessary when:
A new computer becomes available that is more capable of handling the particular operations master role.
The role holder will be taken offline for an extended period of time.
Topology changes make the current role holder no longer the best choice to hold that role.
A domain controller is being decommissioned. You cannot control which domain controller the wizard chooses and the wizard does not indicate which domain controller receives the roles. Because of this behavior, it is best to transfer the roles prior to running the wizard.

Guidelines
When you use the Active Directory Installation Wizard to decommission a domain controller that currently hosts one or more operations master roles, the wizard reassigns the roles to a different domain controller. When the wizard is run, it determines whether the domain controller currently hosts any operations master roles. If it detects any operations master roles, it queries the directory for other eligible domain controllers and transfers the roles to a new domain controller. A domain controller is eligible to host the domain-level roles if it is a member of the same domain. A domain controller is eligible to host a forest-level role if it is a member of the same forest.
Task: Transfer to the standby operations master role
By following the recommendations for operations master role placement, the standby operations master is a direct replication partner and is ready to assume the roles. Remember to designate a new standby for the domain controller that assumes the roles.
The following procedures are explained in detail in the linked topics.
Procedure 1: Verify successful replication to a domain controller
Link to procedure.
Procedure 2: Determine whether a domain controller is a global catalog server
Link to procedure.
Procedure 3: Transfer the forest-level operations master roles
Link to procedure.
Procedure 4: Transfer the domain-level operations master roles
Link to procedure.
Procedure 5: View the current operations master role holders
Link to procedure.
Process: Choose a standby operations master
Link to process.
Task: Transfer an operations master role when no standby is ready
If you do not follow the recommendations for role placement and you have not designated a standby operations master, you must properly prepare a domain controller to which you intend to transfer the operations master roles. Preparing the future role holder is the same process as preparing a standby operations master. You must manually create a Connection object to ensure that it is a replication partner with the current role holder and that replication between the two domain controllers is updated.
In addition, you must determine whether the domain controller intended to assume an operations master role is a global catalog server. The infrastructure master for each domain must not host the global catalog.
Do not change the global catalog configuration on the domain controller that you intend to assume an operations master role unless your IT management authorizes that change. Changing the global catalog configuration can cause changes that can take days to complete and the domain controller might not be available during that period. Instead, transfer the operations master roles to a different domain controller that is already properly configured.
The following procedures are explained in detail in the linked sections.
Procedure 1: Verify successful replication to a domain controller
Link to procedure.
Procedure 2: Determine whether a domain controller is a global catalog server
Link to procedure.
Procedure 3: Transfer the forest-level operations master roles
Link to procedure.
Procedure 4: Transfer the domain-level operations master roles
Link to procedure.
Procedure 5: View the current operations master role holders
Link to procedure.

Quadrant: Operating
SMF: System Administration
Role Cluster: Infrastructure
As Needed
Process: Seize an operations master role
Description
Seizing a role should be done only as a last resort in order to assign a role to a different domain controller. Use this process only when the previous operations master fails and remains out of service for an extended period of time. During a role seizure, the domain controller does not verify that replication is updated, so recent changes can be lost.
Because the previous role holder is unavailable during the role seizure, it cannot know that a new role holder exists. If the previous role holder comes back online it might still assume that it is the operations master. This can result in duplicate operations master roles on the network, which can lead to corruption of data in the directory and ultimately to the failure of the domain or forest.
Purpose
Seizing an operations master role allows:
Transfer of an operations master role to another computer when the existing operations master fails without warning.
Transfer of an operations master role when transfer to the standby operations master was not successfully completed before the operations master was taken down (for whatever reason).

Guidelines
If a role is seized, the new role holder is configured to host the operations master role with the assumption that you do not intend to return the previous role holder to service. Use role seizure only when the previous role holder is not available and you need the operations master role to keep the directory functioning. Because the previous role holder is not available during a seizure, you cannot reconfigure the previous role holder and inform it that another domain controller is now hosting the operations master role.
With Windows Server 2003, the previous role holder waits for a full replication cycle to complete successfully before it resumes the role of operations master. By waiting for a full replication cycle, it can see if another operations master exists before it brings itself back online. If the previous role holder detects that another operations master exists, it reconfigures itself so that it no longer hosts the roles in question.
To reduce risk, perform a role seizure only if the missing operations master role unacceptably affects performance of the directory. Calculate the effect by comparing the impact of the missing service provided by the operations master to the amount of work that is needed to bring the previous role holder safely back online after you perform the role seizure. See Table 7 for a risk assessment of operations master roles.
Active Directory continues to function when the operations master roles are not available. If the role holder is only offline for a short period, you might not need to seize the role to a new domain controller. Remember that returning an operations master to service after the role is seized can have dire consequences if it is not done properly.
Table 7. Operations Master Role Functionality Risk Assessment
Columns: Operations Master Role; Consequences if Role Is Unavailable; Risk of Improper Restoration; Recommendation for Returning to Service After Seizure.

Schema master
  Consequences if role is unavailable: You cannot make changes to the schema.
  Risk of improper restoration: Conflicting changes can be introduced to the schema if both schema masters attempt to modify the schema at the same time. This can result in a fragmented schema.
  Recommendation for returning to service after seizure: Not recommended. Can lead to a corrupted forest and require rebuilding the entire forest.

Domain naming master
  Consequences if role is unavailable: You cannot add or remove domains from the forest.
  Risk of improper restoration: You cannot add or remove domains or clean up metadata. Domains might appear as though they are still in the forest even though they are not.
  Recommendation for returning to service after seizure: Not recommended. Can require rebuilding domains.

PDC emulator
  Consequences if role is unavailable: You cannot change passwords on pre-Active Directory clients. No replication to Windows NT 4.0 backup domain controllers.
  Risk of improper restoration: Password validation can randomly pass or fail. Password changes take much longer to replicate throughout the domain.
  Recommendation for returning to service after seizure: Allowed. User authentication can be erratic for a time, but no permanent damage occurs.

Infrastructure master
  Consequences if role is unavailable: Delays displaying updated group membership lists in the user interface when you move users from one group to another.
  Risk of improper restoration: Displays incorrect user names in group membership lists in the user interface after you move users from one group to another.
  Recommendation for returning to service after seizure: Allowed. May impact the performance of the domain controller hosting the role, but no damage occurs to the directory.

RID master
  Consequences if role is unavailable: Eventually, domain controllers cannot create new directory objects as each of their individual RID pools is depleted.
  Risk of improper restoration: Duplicate RID pools can be allocated to domain controllers, resulting in data corruption in the directory. This can lead to security risks and unauthorized access.
  Recommendation for returning to service after seizure: Not recommended. Can lead to data corruption that can require rebuilding the domain.

Task: Seizing an operations master role
Seize an operations master role only as a last resort. If at all possible, transfer an operations master role to a new domain controller instead. Seize an operations master role only if the current role owner is offline and is unlikely to return to service.
Role seizure is the act of assigning an operations master role to a new domain controller without the cooperation of the current role holder (usually because it is offline due to a hardware failure). During role seizure, a new domain controller assumes the operations master role without communicating with the current role holder.
Role seizure can create two conditions that can cause problems in the directory. First, the new role holder starts performing its duties based on the data located in its current directory partition. The new role holder might not receive changes that were made to the previous role holder before it went offline if replication did not complete prior to the time when the original role holder went offline. This can cause data loss or introduce data inconsistency into the directory database.
To minimize the risk of losing data to incomplete replication, do not perform a role seizure until enough time has passed to complete at least one complete end-to-end replication cycle across your network. Allowing enough time for complete end-to-end replication ensures that the domain controller that assumes the role is as up-to-date as possible.
Second, the original role holder is not informed that it is no longer the operations master role holder, which is not a problem if the original role holder stays offline. However, if it comes back online (for example, if the hardware is repaired or the server is restored from a backup), it might try to perform the operations master role that it previously owned. This can result in two domain controllers performing the same operations master role simultaneously. Depending on the role in question and whether your environment runs Windows 2000 Server SP2 or Windows 2000 Server SP3, this can disrupt the directory service. For example, a RID master might reallocate a duplicate RID pool, resulting in corruption of data in the directory. The severity of duplicate operations master roles varies from no visible effect to the need to rebuild the entire forest.
If you are seizing a role and you have not designated another domain controller as the standby operations master, you can use Repadmin.exe with the /showreps option to identify a domain controller that has the most recent updates from the current role holder. Seize the operations master role to that domain controller to minimize the impact of the role seizure.
The following procedures are explained in detail in the linked sections.
Procedure 1: Verify successful replication to a domain controller
This needs to be the domain controller that will be seizing the role.
Link to procedure.
Procedure 2: Seize the operations master role
Link to procedure.
Procedure 3: View the current operations master role holders
Link to procedure.
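The duplicate-role condition described above (and the final "view the current role holders" step after any transfer or seizure) can be detected by asking every domain controller which server it believes holds each role. Each role is recorded in the fSMORoleOwner attribute of one anchoring object, so disagreement between domain controllers means the change has not replicated everywhere or a former holder is back and still claims the role. This script is an added example, not a procedure from the Product Operations Guide; it assumes the ActiveDirectory PowerShell module and read access to every domain controller.

```powershell
# Added example: compare each DC's view of the operations master role holders.
# Assumes the ActiveDirectory module is installed and every DC is reachable over LDAP.
Import-Module ActiveDirectory

function Get-OperationsMasterView {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom     = Get-ADDomain -Identity $Domain
    $rootDse = Get-ADRootDSE -Server $Domain

    # The object whose fSMORoleOwner attribute names the holder of each role.
    $anchors = [ordered]@{
        SchemaMaster         = $rootDse.schemaNamingContext
        DomainNamingMaster   = "CN=Partitions,$($rootDse.configurationNamingContext)"
        PDCEmulator          = $dom.DistinguishedName
        RIDMaster            = "CN=RID Manager`$,CN=System,$($dom.DistinguishedName)"
        InfrastructureMaster = "CN=Infrastructure,$($dom.DistinguishedName)"
    }

    foreach ($dc in (Get-ADDomainController -Filter * -Server $Domain)) {
        foreach ($role in $anchors.Keys) {
            try {
                $owner = (Get-ADObject -Identity $anchors[$role] -Server $dc.HostName `
                              -Properties fSMORoleOwner).fSMORoleOwner
                # fSMORoleOwner is the DN of the holder's NTDS Settings object; the
                # server's name is the second RDN (CN=NTDS Settings,CN=<server>,...).
                $holder = ($owner -split ',')[1] -replace '^CN='
            } catch {
                $holder = "ERROR: $($_.Exception.Message)"
            }
            [pscustomobject]@{ QueriedDC = $dc.HostName; Role = $role; HolderAsSeen = $holder }
        }
    }
}

function Test-OperationsMasterConsistency {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    # One row per role: Consistent is $false when DCs disagree about the holder.
    Get-OperationsMasterView -Domain $Domain |
        Group-Object Role |
        ForEach-Object {
            $views = @($_.Group.HolderAsSeen | Sort-Object -Unique)
            [pscustomobject]@{
                Role       = $_.Name
                Consistent = ($views.Count -eq 1)
                Holders    = ($views -join '; ')
            }
        }
}

# Usage: Test-OperationsMasterConsistency | Format-Table -AutoSize
```

Run it after the transfer or seizure has had time to replicate; a role that stays inconsistent, or whose holder list contains the previous owner, is the situation Table 7 warns about.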

Quadrant: Operating
SMF: System Administration
Role Cluster: Infrastructure
As Needed
Process: Choose a standby operations master
Description
The standby operations master is a domain controller that you identify as the computer that assumes the operations master role if the original computer fails. You do not need to perform any special configuration steps or run any type of setup utilities to make a domain controller a standby operations master. This precautionary planning step helps make your operation more resilient if a problem arises that requires you to reassign a master operations role to a new domain controller.
Ensure that the standby operations master is a direct replication partner of the actual operations master. If the standby operations master domain controller is a direct replication partner of the original operations master, it most likely contains the most recent changes to the domain. This reduces the time required to transfer the role to the standby operations master and, in the case of a failure, reduces the chances of losing information. Even if replication is not totally complete, only a few outstanding updates exist. Those outstanding updates can be replicated by a normal replication cycle rather than requiring a full synchronization, which replicates all of the account information in the partition. To guarantee that the two domain controllers are replication partners, you must manually create a connection object between them. Although creating manual connection objects is not generally recommended, in this one case it is necessary because it is so important that these two domain controllers be replication partners.
If you must reassign the domain-level operations master roles to the standby operations master, do not place the infrastructure master role on a global catalog server.
Purpose
Choosing a standby operations master enables another domain controller to assume an operations master role if the domain controller to which it was originally assigned fails. This ensures that the domain controller with a particular operations master role is not a single point of failure for that role.
Task: Choosing a standby operations master
A single domain controller can act as the standby operations master for all of the operations master roles in a domain, or you can designate a separate standby for each operations master role.
No utilities or special steps are required to designate a domain controller as a standby operations master. However, the current operations master and the standby should be well connected. This means that the network connection between them must support at least a 10-megabit transmission rate and be available at all times. In addition, configure the current role holder and the standby as direct replication partners by manually creating a Connection object between them.
Configuring a replication partner can save some time if you must reassign any operations master roles to the standby operations master. Before transferring a role from the current role holder to the standby operations master, ensure that replication between the two computers is functioning properly. Because they are replication partners, the new operations master is as updated as the original operations master, thus reducing the time required for the transfer operation. To determine whether the standby domain controller received the latest replicated updates from the current operations master, use Repadmin.exe with the /showreps option.
During role transfer, the two domain controllers exchange any unreplicated information to ensure that no transactions are lost. If the two domain controllers are not direct replication partners, a substantial amount of information might need to be replicated before the domain controllers completely synchronize with each other. The role transfer requires extra time to replicate the outstanding transactions. If the two domain controllers are direct replication partners, fewer outstanding transactions exist and the role transfer operation completes sooner.
Designating a domain controller as a standby also minimizes the risk of role seizure. By making the operations master and the standby direct replication partners, you reduce the chance of data loss in the event of a role seizure, thereby reducing the chances of introducing corruption into the directory.
When you deslgnute u domuln controller us the stundby, follow ull recommendutlons thut
ure dlscussed ln Guldellnes for Role Plucement eurller ln thls gulde. To deslgnute u
stundby for the forest-level roles, choose u globul cutulog server so lt cun lnteruct more
efflclently wlth the domuln numlng muster. To deslgnute u stundby for the domuln-level
roles, ensure thut the domuln controller ls not u globul cutulog server so thut the
lnfrustructure muster contlnues to functlon properly lf you must trunsfer the roles.
Manually create a connection object between the operations master and the designated standby operations master to ensure that replication occurs between the two domain controllers.
The following procedures are explained in detail in the linked sections.
Procedure 1: Determine whether a domain controller is a global catalog server
Link to procedure.
Procedure 2: Create a Connection object
Link to procedure.

4
Processes by MOF Role Clusters
This chapter is designed for those who want to see all processes for a single role cluster in one place. The information is the same as that in the previous two chapters. The only difference is that the processes are ordered by MOF role cluster.
Operations Role Cluster
Daily Processes
There are no daily processes for this role cluster.
Weekly Processes
Back up Active Directory
Monthly Processes
There are no monthly processes for this role cluster.
As-Needed Processes
Rename a domain controller
Authoritative restore for Active Directory objects
Non-authoritative restore of Active Directory
Recovering a domain controller through reinstallation

Support Role Cluster
There are no daily, weekly, monthly, or as-needed processes for this role cluster.
Release Role Cluster
Daily Processes
There are no daily processes for this role cluster.
Weekly Processes
There are no weekly processes for this role cluster.
Monthly Processes
There are no monthly processes for this role cluster.
As-Needed Processes
Installing a domain controller for an existing domain
Removing Active Directory

Infrastructure Role Cluster
Daily Processes
There are no daily processes for this role cluster.
Weekly Processes
There are no weekly processes for this role cluster.
Monthly Processes
There are no monthly processes for this role cluster.
As-Needed Processes
Transferring a role holder
Seize an operations master role
Choose a standby operations master
Managing the SYSVOL
Managing sites
Move an operations master role
Manage the Active Directory database
Add a global catalog
Manage the Windows Time service
Managing trusts
Removing the global catalog from a domain controller
Identify global catalog servers in a site
Reduce the workload on the PDC emulator

Security Role Cluster
Daily Processes
There are no daily processes for this role cluster.
Weekly Processes
There are no weekly processes for this role cluster.
Monthly Processes
There are no monthly processes for this role cluster.
As-Needed Processes
Manage antivirus software on domain controllers

Partner Role Cluster
There are no daily, weekly, monthly, or as-needed processes for this role cluster.


5
Appendix
Procedure Details
This chapter gives step-by-step information for the procedures listed in Chapter 3 of this guide.
Procedure: Back up system state
The following procedure backs up system state only. It does not back up the system disk or any other data on the domain controller.
Procedure Requirements
To back up system state, you can log on at the local computer, or you can enable Terminal Services in Remote Administration mode on the remote domain controller.
Credentials: Domain administrator, local administrator, or backup operator
Tool: Backup

Procedure Steps
To back up the system state on a domain controller
1. Log on to the domain controller by using the account that has domain administrator or backup operator credentials.
2. Start the Windows Backup Wizard.
From a command prompt or the Run text box, type ntbackup and press ENTER.
-or-
Go to Start > Programs > Accessories > System Tools > Backup.
3. By default, the Always Start in Wizard Mode check box is checked. You can leave this option selected, and click Next.
4. Select the Back up files and settings option, and then click Next.
5. Select the Let me choose what to back up option, and then click Next.
6. In the Items to Back Up window, expand My Computer by clicking the plus sign.
7. From the expanded list below My Computer, check the System State option, and then click Next.
8. Select a location to store the backup.
If you are backing up to a file, type the path and filename for the backup (.bkf) file (or click the Browse button to find a folder or file).
If you are backing up to a tape unit, choose the tape that you wish to use.

Note You should not store the backup on the local hard drive. Instead, you should store it in
an off-machine location, such as a tape drive.

9. Enter a name for this backup, and click Next.
10. On the last page of the wizard, select Advanced.
11. Do not change the default options for Type of Backup. Normal should be selected, and the check box should remain cleared for Backup migrated remote storage data. Click Next.
12. Check the Verify data after backup option, and then click Next.
13. In the Backup Options dialog box, select a backup option, and then click Next.
14. Allow only the owner and administrator access to the backup data and to any backups appended to this medium; click Next.
15. In the When to back up box, select the appropriate option for your needs, and click Next.
16. If you are satisfied with all of the options selected, click Finish to perform the backup operation according to your selected schedule.

Note The system state can also be backed up using backup from a command line with appropriate
parameters. For more information, refer to the command-line reference accessible by typing
ntbackup -? from a command prompt.


Procedure: Back up system state and the system disk
The following procedure backs up both system state and the system disk.
Procedure Requirements
To back up system state, you must log on at the local computer, or you must enable Terminal Services in Remote Administration mode on the remote domain controller.
Credentials: Domain administrator, local administrator, or backup operator
Tool: Backup.exe
Procedure Steps
To back up system state and the system disk on a domain controller
1. Log on to the domain controller by using an account that has domain administrator, local administrator, or backup operator credentials.
2. Start the Windows Backup Wizard by choosing one of the following options:
Open a command prompt, type ntbackup and press ENTER.
-or-
Go to Start > Programs > Accessories > System Tools > Backup.

3. Click the Backup Wizard button, and then click Next.
4. Select Back up selected files, drives, or network data.
5. In Items to Back Up, click System State to select it. Then select the drive letter containing the system files, and click the system disk. Click Next.
6. In the Where to Store the Backup box, select the backup media type by choosing one of the following options:
Choose File if you want to back up to a file. If you do not have a tape backup unit installed, File is selected automatically.
-or-
Choose a tape device if you want to back up to tape.

7. In the Backup Media or File Name box, choose one of the following options:
If you are backing up to a file, type a path and file name for the backup (.bkf) file, or click the Browse button to find a folder or file. If the destination folder or file does not exist, the system creates it.
-or-
If you are backing up to a tape unit, choose the tape that you want to use.

8. After you click Next, the Completing the Backup Wizard screen appears. This screen summarizes the options selected for this backup job. Verify that Prompt to replace data is listed in the How category. If it is not, click the Advanced button, click Next until you reach the Media Options screen, and then select Replace the data on the media with this backup.
9. Complete the remaining wizard screens, and click Finish to begin the backup operation. When a Replace Data dialog box appears, click Yes to overwrite the existing backup on this tape or file path with this backup. A progress indicator shows the status of the backup operation.

Procedure: Restart the domain controller in Directory Services Restore Mode
To take a domain controller offline, restart it in Directory Services Restore Mode and log on as the local administrator. If you have physical access to the domain controller, you can start in Directory Services Restore Mode locally.
When you start Windows Server 2003 in Directory Services Restore Mode, the local Administrator account is authenticated by the local Security Accounts Manager (SAM) database. Therefore, logging on requires using the local administrator password, not an Active Directory domain password.
Procedure Requirements
Credentials: Directory Services Restore Mode administrator
Tool: None

Procedure Steps
To locally restart in Directory Services Restore Mode
1. Restart the domain controller.
2. When the screen for selecting an operating system appears, press F8.
3. From the Windows Advanced Options menu, select Directory Services Restore Mode.
4. When prompted, log on as the local administrator.

Procedure: Allow this computer to replicate with all its partners
Procedure Steps
To allow this computer to replicate with all its partners
1. Open the command prompt.
2. Find the outbound partners for this domain controller by typing: repadmin /showrepl /repsto <local domain controller name> and press ENTER.

This repadmin command will output a list that contains information about all of the outbound neighbors. For each neighbor, verify that the last synchronization attempt was successful and has a time stamp that indicates it has replicated since restore.
3. If replication has not been successful, you can force replication between this domain controller and its outbound partners rather than waiting for the next replication cycle. From a command prompt, run repadmin /syncall /ed /A /P /q.
4. Check for replication errors in the output of the command in the previous step. If there are no errors, then replication has been successful. Any replication errors that exist must be rectified in order for replication to be completed.
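The check in step 2 and the forced sync in steps 3 and 4, scripted as an added example (this is not code from the guide). It assumes repadmin.exe is on the path, that the caller supplies the partner names step 2 lists, and that the hypothetical names DC1, DC2 and DC3 stand for the restored domain controller and its outbound partners; it reads repadmin's /csv output from each partner's side, because a partner's inbound links from the restored domain controller are exactly that controller's outbound links.

```powershell
# Added example (not from the guide): confirm that every outbound partner of a
# restored domain controller has pulled changes from it since the restore, then
# force replication as in step 3 and report whether repadmin printed errors.
function Test-OutboundReplicationSince {
    param(
        [Parameter(Mandatory)][string]   $RestoredDC,   # hypothetical name, e.g. DC1
        [Parameter(Mandatory)][string[]] $Partners,     # hypothetical names, e.g. DC2, DC3
        [Parameter(Mandatory)][datetime] $RestoreTime   # when the restore finished
    )
    foreach ($partner in $Partners) {
        # repadmin /showrepl <DSA> /csv: one row per inbound link per naming context,
        # with "Source DSA", "Number of Failures", "Last Success Time" columns.
        $rows = repadmin /showrepl $partner /csv | ConvertFrom-Csv
        $fromRestored = $rows | Where-Object { $_.'Source DSA' -eq $RestoredDC }
        if (-not $fromRestored) {
            # No connection object on this partner points at the restored DC, so the
            # "direct replication partner" assumption does not hold for it.
            [pscustomobject]@{ Partner = $partner; NamingContext = '(none)'; Status = 'NO_LINK'
                               LastSuccess = $null; Failures = $null; LastError = $null }
            continue
        }
        foreach ($r in $fromRestored) {
            $lastOk = [datetime]::MinValue
            $parsed = [datetime]::TryParse([string]$r.'Last Success Time', [ref]$lastOk)
            $failures = [int]$r.'Number of Failures'
            $status = if ($failures -gt 0)              { 'FAILING' }
                      elseif (-not $parsed)             { 'NEVER' }
                      elseif ($lastOk -lt $RestoreTime) { 'STALE' }   # succeeded, but before the restore
                      else                              { 'OK' }
            [pscustomobject]@{
                Partner       = $partner
                NamingContext = $r.'Naming Context'
                Status        = $status
                LastSuccess   = if ($parsed) { $lastOk } else { $null }
                Failures      = $failures
                LastError     = $r.'Last Failure Status'
            }
        }
    }
}

# Steps 3 and 4: push to all partners and check the output for errors.
function Invoke-ForcedOutboundSync {
    param([Parameter(Mandatory)][string] $RestoredDC)
    $out = repadmin /syncall $RestoredDC /ed /A /P /q 2>&1 | ForEach-Object { $_.ToString() }
    # repadmin finishes a clean /syncall with "SyncAll terminated with no errors.";
    # anything else, or a non-zero exit code, means an error that must be rectified.
    $ok = ($LASTEXITCODE -eq 0) -and (($out -match 'terminated with no errors').Count -gt 0)
    [pscustomobject]@{ Succeeded = [bool]$ok; Output = ($out -join "`n") }
}

# Usage with the hypothetical names: list anything that is not OK, then push if needed.
$report = Test-OutboundReplicationSince -RestoredDC 'DC1' -Partners 'DC2', 'DC3' `
                                        -RestoreTime (Get-Date '2003-06-12 08:00')
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.Status -ne 'OK' }) {
    Invoke-ForcedOutboundSync -RestoredDC 'DC1'
}
```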
Procedure: Restore from backup media
Use a good backup containing at least the system state and system disk to restore the server. By performing a non-authoritative restore on Active Directory, you automatically perform a non-authoritative restore of SYSVOL. No additional steps are required.
Procedure Requirements
To restore system state, you must log on at the local computer, or you must enable Terminal Services in Remote Administration mode on the remote domain controller.
Credentials: local Administrator account
Tool: Backup.exe

Procedure Steps
To restore from backup media
1. In Directory Services Restore Mode, start the Windows Server 2003 backup utility. Go to Start > Programs > Accessories > System Tools > Backup.
2. Click the Restore Wizard button, and then click Next.
3. Select the appropriate backup location and ensure that at least the System disk and System State containers are selected.
4. Click the Advanced button.
5. In the Restore Files to list, select Original Location, and then click Next.
6. In the Advanced Restore Options window, check the boxes for:
Restore security.
Restore junction points, and restore the file and folder data under the junction points to the original location.
Preserve existing volume mount points.
For a primary restore of SYSVOL, also check the following box: When restoring replicated data sets, mark the restored data as the primary data for all replicas.
A primary restore is only required if the domain controller you are restoring is the only domain controller in the domain. A primary restore is required on the first domain controller being restored in a domain if you are restoring the entire domain or forest.
7. Click Finish.
8. When the restore is complete, click Close, and then click Yes to restart the computer.

The system will now restart and will replicate any new information received since the last backup with its replication partners.
Procedure: Turn off inbound replication using repadmin
This step is required only if the domain, or forest functional level, is Windows 2000 native mode or earlier. By turning off inbound replication, you ensure that changes to group membership originate from the restored domain controller, rather than having the changes overwritten.
Procedure Steps
To turn off inbound replication using repadmin
1. From a command prompt or the Run text box, type repadmin /options +DISABLE_INBOUND_REPL and then press ENTER.
2. Verify that the option is set. You should get this message: repadmin running command /options against server localhost.

Procedure: Turn on inbound replication
Procedure Steps
To turn on inbound replication using repadmin
1. From a command prompt or the Run text box, type repadmin /options . -DISABLE_INBOUND_REPL and then press ENTER.
2. Verify that the option is set. You should get this message: repadmin running command /options against server localhost.
Procedure: Mark the application partition as authoritative
Once the data has been restored from backup, you must select which objects are to be marked authoritative in order to have them replicated to other domain controllers.
Procedure Steps
To mark the application partition as authoritative
1. From a command prompt or the Run text box, type ntdsutil to start the tool.
2. At the ntdsutil: prompt, type authoritative restore and press ENTER.
For assistance with the Ntdsutil command-line tool, type help at any time.
3. Type List NC CRs and press ENTER.
NTDSUTIL will output a list of the application partitions that are available after the restore, and the associated cross references. Note the cross-reference distinguished name and application-partition distinguished name that corresponds to the application partition you wish to restore.
4. Type restore subtree <App Partition DN>, where App Partition DN is the distinguished name of the application partition noted above.
5. Ntdsutil will provide a confirmation dialog. Click Yes to proceed.
The output message will indicate the status of the operation. There should be no failures.
6. Type restore object <Cross Ref DN> (where Cross Ref DN is the distinguished name of the application partition cross reference noted above) and press ENTER.
7. Ntdsutil will provide a confirmation dialog. Click Yes to proceed.
The output message will indicate the status of the operation. There should be no failures.
8. Quit the Ntdsutil tool.

Procedure: Mark the object(s) authoritative
Once the data has been restored from backup, you must select which objects are to be marked authoritative in order to have them replicated to other domain controllers. In order to complete this operation, you must know the full distinguished name of the object you wish to restore.
Procedure Steps
To mark the object(s) authoritative
1. From a command prompt or the Run text box, type ntdsutil to start the tool.
2. At the ntdsutil: prompt, type authoritative restore and press ENTER.
For assistance with the Ntdsutil command-line tool, type help at any time.
3. To restore an object, type restore object <object DN> (where object DN is the distinguished name of the object that is to be marked authoritative).
If you were to restore a deleted user named John Smith in a corp.contoso.com domain, the command would be similar to: restore object "CN=John Smith,CN=Users,DC=corp,DC=contoso,DC=com". Always enclose the distinguished name in quotes when there is a space or other special characters within the distinguished name.
4. Press ENTER. Ntdsutil will start the attempt to mark the object as authoritative. The output message will indicate the status of the operation. The most common cause of failure is an incorrectly specified distinguished name, or a backup in which the DN does not exist (which would occur if you tried to restore a deleted user that was created after the backup).
5. Quit the Ntdsutil tool.

Procedure: Verify Active Directory restore
After the restore is completed, you should restart the server and perform basic verification.
Procedure Requirements
You must log on at the local computer, or you must enable Terminal Services in Remote Administration mode on the remote domain controller.
Credentials:
Basic: domain administrator or local administrator
Advanced: local administrator
Tool: Backup.exe

Procedure Steps
To perform basic Active Directory verification
1. After the restore operation completes, restart the computer in Start Windows Normally mode. Active Directory and Certificate Services automatically detect that they have been recovered from a backup. They perform an integrity check and re-index the database.
2. After you are able to log on to the system, browse Active Directory. Verify that all of the User objects and Group objects that were present in the directory prior to backup are restored. Similarly, verify that files that were members of a File Replication service (FRS) replica set and certificates that were issued by the Certificate Services are present.

Procedure: Restore system state to an alternate location
Perform this procedure to allow an authoritative restore of SYSVOL. After the objects are restored, you can delete the files in the alternate location.
Procedure Requirements
Credentials: local administrator
Tool: Backup.exe

Procedure Steps
To restore system state to an alternate location
1. Click the Restore tab.
2. Select System State. (You need not restore the system disk to an alternate location.)
3. In the Restore Files to drop-down list, ensure that Alternate Location is selected, and designate an alternate location.
4. When the restore process is finished, close the backup utility.

Procedure: Clean up metadata
If you give the new domain controller the same name as the failed computer, then you need to perform only the first procedure to clean up metadata, which removes the NTDS Settings object of the failed domain controller. If you give the new domain controller a different name, then you need to perform all three procedures: clean up metadata, remove the failed Server object from the site, and remove the Computer object from the Domain Controllers container.
Procedure Requirements
Credentials: Enterprise administrator (Metadata cleanup requires modifying the configuration naming context.)
Tools: Ntdsutil.exe, Active Directory Sites and Services, Active Directory Users and Computers

Procedure Steps
To clean up metadata
1. At the command line, type ntdsutil and press ENTER.
2. At the ntdsutil: prompt, type metadata cleanup and press ENTER.
3. At the metadata cleanup: prompt, type connections and press ENTER.
4. At the server connections: prompt, type connect to server servername, where servername is the domain controller (any functional domain controller in the same domain) from which you plan to clean up the metadata of the failed domain controller. Press ENTER.
5. Type quit and press ENTER to return to the metadata cleanup: prompt.
6. Type select operation target and press ENTER.
7. Type list domains and press ENTER.
This lists all domains in the forest with a number associated with each.
8. Type select domain number, where number is the number corresponding to the domain in which the failed server was located. Press ENTER.
9. Type list sites and press ENTER.
10. Type select site number, where number refers to the number of the site in which the domain controller was a member. Press ENTER.
11. Type list servers in site and press ENTER. This will list all servers in that site with a corresponding number.
12. Type select server number, where number refers to the domain controller to be removed, and press ENTER.
13. Type quit and press ENTER.
The Metadata cleanup menu is displayed.
14. Type remove selected server and press ENTER.

At this point, Active Directory confirms that the domain controller was removed successfully. If you receive an error that the object could not be found, Active Directory might have already removed the domain controller.
15. Type quit and press ENTER until you return to the command prompt.
If the new domain controller receives a different name than the failed domain controller, perform the following additional steps:

Note Do not perform the additional steps if the new computer will have the same name as the failed
computer. Ensure that hardware failure was not the cause of the problem. If the faulty hardware is
not changed, then restoring through reinstallation might not help.

To remove the failed Server object from the sites
1. In Active Directory Sites and Services, expand the appropriate site.
2. Delete the Server object associated with the failed domain controller.

To remove the failed Computer object from the Domain Controllers container
1. In Active Directory Users and Computers, expand the Domain Controllers container.
2. Delete the Computer object associated with the failed domain controller.

Procedure: Install Active Directory
During the installation process, replication occurs, ensuring that the domain controller has an accurate and up-to-date copy of Active Directory. For more information about seizing operations master roles, see Installing Active Directory in this guide.
After you gather information as described in Gathering Installation Information earlier in this guide, you can use the Active Directory Installation Wizard to install Active Directory.
Procedure Requirements
Credentials: local Administrator account
Tools: Dcpromo.exe

Procedure Steps
To install Active Directory
1. In the Run text box, type dcpromo and click OK.
2. The Active Directory Installation Wizard appears. At the Welcome screen, click Next.
3. For Domain Controller Type, select Additional domain controller for an existing domain. Click Next.
4. For Network Credentials, enter the user name, password, and domain for the user account that has permission to add this new domain controller to the domain. Click Next.
5. Enter the name of the domain that you want the new domain controller to host. Click Next.
6. For Database and Log Locations, enter the paths for the locations of the directory database (Ntds.dit) and the log files. For better performance, store the database and log files on separate physical disk drives. Click Next.
7. For Shared System Volume, enter the path where you want to locate the system volume (SYSVOL). Click Next.
8. Under Directory Services Restore Mode Administrator Password, enter the password that you want to use when you need to start Directory Services Restore Mode. Click Next.
9. The Summary screen displays a list of the items you chose. Verify that the information is correct, and then click Next to proceed with the installation.
10. The wizard proceeds to install Active Directory. When it finishes, the wizard displays a summary screen listing the domain and site in which the new domain controller is a member. Verify that this information is correct. Click Finish to close the wizard.
11. Click Restart to restart the domain controller.
12. Let the domain controller restart. If any message indicates that one or more services has failed to start, restart the domain controller one more time. If the initial replication cycles have not had enough time to complete during the first restart on a new domain controller, some services may be unable to start successfully. If the message appears during additional restarts, examine the event logs in Event Viewer to determine the cause of the problem.
Procedure: Promote server to domain controller
Procedure Steps
To promote a server to domain controller
1. In the Run text box, type dcpromo /adv and click Next.
2. Select Additional domain controller for existing domain.
3. Select From these restored backup files and point to the same location where you had restored the system state data.
4. Since the domain controller you are promoting was a global catalog server, the Active Directory Installation Wizard will ask you whether you want this server to also be a global catalog.
5. Give appropriate credentials for the operation.
6. Enter the domain in which you want to place the new domain controller. It has to be the same domain as the domain controller whose system state data you are using.
7. Continue with the remaining steps of dcpromo.

Dcpromo will now promote the server to a domain controller using the data present in the restored files. This saves dcpromo from having to replicate every object from the partner domain controller. However, it may have to replicate those objects that were modified (added or deleted) since the backup was taken. If the backup was recent, the amount of replication required will be considerably less than that required for a regular dcpromo. Once the dcpromo operation is completed successfully and the machine rebooted, the restored folder (in the above example: E:\restore) and sub-folders can be removed from the local disk.
Procedure: Install and run Setup Manager to create an answer file (Unattend.txt)
Procedure Steps
1. Insert the Windows Server 2003 CD-ROM into the computer's CD-ROM drive or DVD-ROM drive. Press and hold down the SHIFT key as you insert the CD to prevent it from starting automatically.
2. Start Windows Explorer, and then open the Support\Tools folder on the Windows Server 2003 CD-ROM.
3. In the details pane, double-click the Deploy.cab file to open it.
4. On the Edit menu, click Select All.
5. On the Edit menu, click Copy.
6. Create a new folder on your local hard disk. To do this:

a. Click Local Disk (C:), or click the drive in which you want to create the new folder.
b. On the File menu, point to New, and then click Folder.
c. In the New Folder name box, type the name that you want, and then press ENTER.

7. Right-click the new folder that you created, and then click Paste.
8. Double-click the new folder to open it, and then double-click the Setupmgr.exe file. The Setup Manager wizard starts. Follow the instructions in the wizard to create an answer file.

Procedure: Install the DNS Server service
Assign a static IP address, rather than a dynamically assigned IP address, to any computer that acts as a DNS server. To use this procedure, your DNS infrastructure must already exist, function properly, and be configured to use Active Directory-integrated zones. This procedure describes the steps to add an additional DNS server into the DNS infrastructure.
Procedure Requirements
Credentials: Domain Admin or Enterprise Admin
Tools: My Network Places, Control Panel

Procedure Steps
To install the DNS Server service
1. Ensure that the computer is using a static IP address. Right-click My Network Places and click Properties.
2. In the Network and Dial-up Connections dialog box, right-click the connection that represents the connection this computer uses to attach to your network. The default label is Local Area Connection, but this can be changed, so it might not be labeled the same on your computer. Click Properties.
3. In the Local Area Connection Properties dialog box, click once on Internet Protocol (TCP/IP) to highlight it (be sure that you do not clear the check box in front of it), and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, ensure that Use the following IP address: is selected and that a valid IP address, subnet mask, and default gateway appear. Click OK to close the dialog box. Click OK again to return to your desktop.
5. In Control Panel, click Add/Remove Programs. Click Add/Remove Windows Components.
6. Scroll down to Networking Services. Highlight it and click Details.
7. In the Networking Services dialog box, select the check box in front of Domain Name System (DNS). Click OK.
8. Click Next. Provide the location of the installation files, if necessary. After the installation is complete, click Finish to end the wizard, and then click Close to exit Add/Remove Programs.

Procedure: Gather the SYSVOL path information
This procedure gathers installation information that includes:
The user name, password, and the domain that contains the user account that you intend to use to run the Active Directory Installation Wizard.
The name of the domain that you want the new domain controller to host.
Location for the Active Directory database (Ntds.dit).
Location for the log files.
Location for the shared system volume (SYSVOL).
The server Administrator account name and password to use in Directory Services Restore Mode.

Before you attempt to relocate all or portions of the system volume, you must clearly understand the folder structure and the relationships between the folders and the path information that is stored in the registry and the directory itself. When folders are relocated, any associated parameters that are stored in the registry and the directory must be updated to match the new location. The folder structure contains junctions that might also require updating when folders get moved to a new location.
Maintaining the relationship between the folders, junctions, and stored parameters is important when you must relocate all or portions of SYSVOL. Failure to do so can result in files being replicated to or from the wrong location. It can also result in files failing to replicate, yet FRS will not report any errors. Due to the configuration error, FRS looks in the wrong location for the files that you want to replicate.
The folder structure used by the system volume uses a feature called a junction point. Junction points look like folders and behave like folders (in Windows Explorer you cannot distinguish them from regular folders), but they are not folders. A junction point contains a link to another folder. When a program opens it, the junction point automatically redirects the program to the folder to which the junction point is linked. The redirection is completely transparent to the user and the application.
117 Managing the Windows Server Platform
For exumple lf you creute two folders, C:\Folder1 und C:\Folder2, und creute u |unctlon
culled C:\Folder3, und then llnk the |unctlon buck to Folder1, Wlndows Explorer dlspluys
three folders:
\Folder1
\Folder2
\Folder3
If you open Folder3, Wlndows Explorer ls redlrected to Folder1 und dlspluys the contents
of Folder1. You recelve no lndlcutlon of the redlrectlon becuuse lt ls trunspurent to the
user und to Wlndows Explorer. If you look ut the contents of Folder1, you see thut lt ls
exuctly the sume us the contents dlspluyed when you open Folder3. If you open u
commund prompt und llst u dlrectory, ull three folders uppeur ln the output. The flrst two
ure type <DIR> und Folder3 ls type <JUNCTION>. If you llst u dlrectory of Folder3, you
see the contents of Folder1.

Note To create or update junctions, you need the Linkd.exe tool supplied with the Windows 2000
Server Resource Kit. Linkd allows you to create, delete, update, and view the links that are stored in
junction points.

By default, the system volume is contained in the %systemroot%\SYSVOL folder. The tree of folders contained within this folder can be extensive, depending on how your network uses FRS. When relocating folders in the system volume, ensure that you move all folders (including any hidden folders) and ensure that the relationships of the folders do not change unintentionally. When you relocate folders, you need to be concerned with the first three levels of subdirectories in order to properly update the parameters used by FRS. These levels are affected by junction points and parameter settings. These folders include:
%systemroot%\SYSVOL
%systemroot%\SYSVOL\Domain
%systemroot%\SYSVOL\Domain\DO_NOT_REMOVE_Ntfrs_Preinstalled_Directory
%systemroot%\SYSVOL\Domain\Policies
%systemroot%\SYSVOL\Domain\Scripts
%systemroot%\SYSVOL\Staging
%systemroot%\SYSVOL\Staging\Domain
%systemroot%\SYSVOL\Staging Areas
%systemroot%\SYSVOL\Staging Areas\FQDN
%systemroot%\SYSVOL\Sysvol
%systemroot%\SYSVOL\Sysvol\FQDN

where FQDN is the fully qualified domain name of the domain that this domain controller hosts.

Note If any of the folders do not appear in Windows Explorer, click Tools and then click Folder
Options. On the View tab, select Show hidden files and folders.

If you use Windows Explorer to view these folders, they appear to be typical folders. If you open a command prompt and type dir to list these folders, you will notice two special folders are listed as <JUNCTION>. Both folders labeled FQDN are junction points. The junction in %systemroot%\SYSVOL\Sysvol links to %systemroot%\SYSVOL\Domain. The junction in %systemroot%\SYSVOL\Staging Areas is linked to %systemroot%\SYSVOL\Staging\Domain. If you change the path to the folders to which the junctions are linked, you must also update the junctions, including drive letter changes and folder changes.
Besides junction points linking to folders within the system volume tree, the registry and the directory also store references to folders. These references contain paths that you must update if you change the location of the folder. FRS uses two values that are stored in the directory. The first value, fRSRootPath, points to the location of the policies and scripts that are stored in SYSVOL. By default, this location is the %systemroot%\SYSVOL\Domain folder. The second value, fRSStagingPath, points to the location of the folders used as the staging area. By default, this location is the %systemroot%\SYSVOL\Staging\Domain folder. The Net Logon service uses a parameter stored in the registry to identify the location of the folder that it uses to create the SYSVOL and NETLOGON share points. By default, this path is %systemroot%\SYSVOL\Sysvol. If you change the paths to these folders, you must update these values.
When relocating SYSVOL, you first move the entire folder structure to a new location; then you update all the junction points and the parameters that are stored in the registry and the directory in order to maintain the relationships between the parameters, the folders, and the junctions. Optionally, you can relocate the staging area and leave the rest of the system volume at its original location. In this case, you must update the fRSStagingPath parameter in the directory and the junction point stored at %systemroot%\SYSVOL\Staging Areas.
Procedure Requirements
Credentials: Domain Admins
Tools: Regedit.exe, ADSI Edit, Linkd.exe

Procedure Steps
To gather the system volume path information
Use the steps below to locate the information and record the current values in Table 1. If you are relocating the staging area, you only need to record information for rows 2 and 5 in Table 1. All other operations require that you record information in all five rows.
To restore and rebuild SYSVOL, you must record the information from the domain controller that you are repairing in rows 1, 2, and 3. Use the junctions located on the domain controller that you are copying from the SYSVOL folder structure to record the current value for rows 4 and 5. The new values for rows 4 and 5 are based on the domain controller that you are repairing.
Table 1. System Volume Path Information
Parameter                          Current Value        New Value
1. fRSRootPath
2. fRSStagingPath
3. Sysvol parameter in registry
4. Sysvol junction
5. Staging junction

fRSRootPath
1. In the Run text box, type adsiedit.msc and press ENTER.
2. Double-click Domain NC [machinename] (where machinename is the name of this domain controller). Verify that the Domain NC expands to display the domain component (DC=) folder.
3. Click the domain component to display the containers and OUs in the details pane. Double-click the Domain Controllers OU to display the containers that represent the domain controllers.
4. Double-click the container that represents this domain controller (CN=computername) to display more containers.
5. Double-click the CN=NTFRS Subscriptions container.
6. Right-click the CN=Domain System Volume container, and click Properties.
7. In the Select which properties to view list, select Mandatory.
8. In the Select a property to view list, select fRSRootPath. The current value appears in the Value(s) box.
9. Record the current value in the table above. Based on the folder structure discussed earlier and the new location, record the new path value for this parameter in the table.
10. Click Cancel to close the dialog box.


fRSStagingPath
1. In the Run text box, type adsiedit.msc and press ENTER.
2. Double-click Domain NC [machinename] (where machinename is the name of this domain controller). Verify that the Domain NC expands to display the domain component (DC=) folder.
3. Click the domain component to display the containers and OUs in the details pane. Double-click the Domain Controllers OU to display the containers that represent the domain controllers.
4. Double-click the container that represents this domain controller (CN=computername) to reveal more containers.
5. Double-click the CN=NTFRS Subscriptions container.
6. Right-click the CN=Domain System Volume container, and click Properties.
7. In the Select which properties to view list, select Mandatory.
8. In the Select a property to view list, select fRSStagingPath. The current value appears in the Value(s) box.
9. Record the current value in Table 1. Based on the folder structure discussed earlier and the new location, record the new path value for this parameter in Table 1.

SYSVOL parameter in the registry
1. In the Run text box, type regedit and press ENTER.
2. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. Sysvol appears in the details pane. The current value is listed in the Data column.
4. Record the current value in Table 1. Based on the folder structure discussed earlier and the new location, record the new path value for this parameter in Table 1.

SYSVOL junction
1. At a command prompt, change the directory to %systemroot%\SYSVOL\Sysvol.

Note This assumes that the system volume is still in the default location. If it has been relocated,
substitute the appropriate paths into these instructions.

2. At the command prompt, type dir. Verify that the fully qualified domain name (FQDN) is listed as type <JUNCTION>.
3. At the command prompt, type linkd fqdn (where fqdn is the domain name listed in the dir output). This displays the value stored in the junction point. Press ENTER.
4. Record the current value in Table 1. Based on the folder structure discussed earlier and the new location, record the new path value for this parameter in Table 1.

Staging junction
1. At a command prompt, change the directory to %systemroot%\SYSVOL\Staging Areas.

Note This assumes that the staging area is still in the default location. If it has been relocated,
substitute the appropriate paths into these instructions.

2. At the command prompt, type dir. Verify that the fully qualified domain name is listed as type <JUNCTION>.
3. At the command prompt, type linkd fqdn (where fqdn is the domain name listed in the dir output). This displays the value stored in the junction point. Press ENTER.
4. Record the current value in Table 1. Based on the folder structure discussed earlier and the new location, record the new path value for this parameter in Table 1.
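The five Table 1 values can also be collected in one pass. The script below is an added example, not part of the guide: it reads fRSRootPath and fRSStagingPath from this DC's nTFRSSubscriber object, the Net Logon SysVol parameter from the registry, and the two junction targets, then checks that each junction resolves to the matching directory parameter, which is the mismatch the text above says FRS will not report. It assumes Windows PowerShell 5.1 or later on the domain controller itself, Domain Admins rights, and the default SYSVOL layout unless -SysvolRoot is given; Get-Item stands in for Linkd.exe and all function names are this example's own.

```powershell
# Added example, not part of the guide. Assumes PowerShell 5.1+, Domain Admins, default
# SYSVOL layout (override with -SysvolRoot). Function names are this example's own.

function Get-JunctionTarget {
    param([Parameter(Mandatory)][string]$Path)
    # A junction is a reparse point; Get-Item exposes LinkType and Target for it.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    if ($item.LinkType -ne 'Junction') {
        throw "'$Path' is a plain folder, not a <JUNCTION>; the SYSVOL tree is not as expected."
    }
    # Target is string[] on Windows PowerShell 5.1 and string on PowerShell 7; some builds
    # report the raw NT form with a leading \??\, which is stripped here.
    return ([string]@($item.Target)[0]) -replace '^\\\?\?\\', ''
}

function Get-FrsSubscriberPaths {
    # Rows 1 and 2: fRSRootPath and fRSStagingPath are attributes of the nTFRSSubscriber
    # object under CN=NTFRS Subscriptions of this DC's computer object (the ADSI Edit path).
    $domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value
    $cs = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
    $cs.Filter = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    $computer = $cs.FindOne()
    if (-not $computer) { throw "Computer object for $env:COMPUTERNAME not found." }

    $ss = New-Object System.DirectoryServices.DirectorySearcher($computer.GetDirectoryEntry())
    $ss.Filter = '(objectClass=nTFRSSubscriber)'
    $ss.PropertiesToLoad.AddRange([string[]]@('fRSRootPath', 'fRSStagingPath'))
    $sub = $ss.FindOne()
    if (-not $sub) { throw "No nTFRSSubscriber object under $($computer.Path); is this a DC?" }
    [pscustomobject]@{
        fRSRootPath    = [string]$sub.Properties['frsrootpath'][0]
        fRSStagingPath = [string]$sub.Properties['frsstagingpath'][0]
    }
}

function Get-SysvolPathInformation {
    param([string]$SysvolRoot = (Join-Path $env:SystemRoot 'SYSVOL'))
    $fqdn = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
    # Row 3: Net Logon's SysVol parameter, the root of the SYSVOL and NETLOGON shares.
    $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $sysvolShare = (Get-ItemProperty -Path $netlogon -Name SysVol).SysVol
    $frs = Get-FrsSubscriberPaths
    [pscustomobject]@{
        fRSRootPath     = $frs.fRSRootPath                                                # row 1
        fRSStagingPath  = $frs.fRSStagingPath                                             # row 2
        SysvolRegistry  = $sysvolShare                                                    # row 3
        SysvolJunction  = Get-JunctionTarget (Join-Path $sysvolShare $fqdn)              # row 4
        StagingJunction = Get-JunctionTarget (Join-Path $SysvolRoot "Staging Areas\$fqdn") # row 5
    }
}

function Test-SysvolPathConsistency {
    # Pure check on the gathered values: the Sysvol junction must resolve to fRSRootPath
    # and the Staging junction to fRSStagingPath; otherwise FRS replicates the wrong
    # folders without reporting an error.
    param([Parameter(Mandatory)]$Info)
    $norm = { param($p) [Environment]::ExpandEnvironmentVariables($p).TrimEnd('\').ToLowerInvariant() }
    $problems = @()
    if ((& $norm $Info.SysvolJunction) -ne (& $norm $Info.fRSRootPath)) {
        $problems += "Sysvol junction -> '$($Info.SysvolJunction)' but fRSRootPath is '$($Info.fRSRootPath)'"
    }
    if ((& $norm $Info.StagingJunction) -ne (& $norm $Info.fRSStagingPath)) {
        $problems += "Staging junction -> '$($Info.StagingJunction)' but fRSStagingPath is '$($Info.fRSStagingPath)'"
    }
    return ,$problems
}

# Fill in the "Current Value" column of Table 1 and report any inconsistency.
$info = Get-SysvolPathInformation
$info | Format-List
$issues = Test-SysvolPathConsistency -Info $info
if ($issues.Count -gt 0) { $issues | ForEach-Object { Write-Warning $_ } }
else { 'SYSVOL junctions agree with the directory parameters.' }
```

Run it before and again after a relocation: a warning after the move means one of the junctions or parameters was not updated to the new location.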

Procedure: Verify DNS registration and functionality
This test verifies that DNS is functioning so that other domain controllers can be located.
Procedure Requirements
Credentials: Domain administrator
Tool: Netdiag.exe

Procedure Steps
To verify DNS registration and functionality

Note For a more detailed response from this command, you can use the verbose option. Add /v to
the end of the command to see the detailed response.

At a command prompt, type netdiag /test:dns and press ENTER.
If DNS is functioning, the last line of the response is DNS Test..: Passed. The verbose option lists specific information about what was tested. This information can help with troubleshooting if the test fails.
If the test fails, do not attempt any additional steps until you determine and fix the problem that prevents proper DNS functionality.
Procedure: Verify that an IP address maps to a subnet and determine the
site association
Use this procedure to determine the site to which you want to add a Server object prior to installing Active Directory, or to verify the appropriate site prior to moving a Server object to it.
To be associated with a site, the IP address of a domain controller must map to a Subnet object that is defined in Active Directory. The site to which the subnet is associated is the site of the domain controller.
The subnet address, which is computed from the IP network address and the subnet mask, is the name of a Subnet object in Active Directory. When you know the subnet address, you can locate the Subnet object and determine the site to which the subnet is associated.
Procedure Requirements
Credentials: Domain users
Tools:
My Network Places
Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To verify that an IP address maps to a subnet and determine the site association
1. Log on locally or open a Terminal Services connection to the server for which you want to check the IP address.
2. On the desktop, right-click My Network Places, and then click Properties.
3. In the Network and Dial-up Connections dialog box, right-click Local Area Connection, and then click Properties.
4. Double-click Internet Protocol (TCP/IP).
5. Use the values in IP address and Subnet mask to calculate the subnet address.
6. In Active Directory Sites and Services, expand the Sites container, and then click the Subnets container.
7. In the Name column in the details pane, find the Subnet object that matches the subnet address.
8. In the Site column, note the site to which the IP subnet address is associated.

If the site that appears in the Site box is not the appropriate site, contact a supervisor and find out whether the IP address is incorrect or whether to move the Server object to the site indicated by the subnet.
Procedure: Verify communication with other domain controllers
This test verifies that domain controllers can be located.
Procedure Requirements
Credentials: Domain users
Tool: Netdiag.exe

Procedure Steps
To verify communication with other domain controllers

Note For a more detailed response from this command, you can use the verbose option. Add /v to
the end of the command to see the detailed response.

At a command prompt, type netdiag /test:dsgetdc and press ENTER.
If domain controllers are successfully located, the last line of the response is DC discovery test..: Passed. The verbose option lists the specific domain controllers that are located.
If the test fails, do not attempt any additional steps until you determine and fix the problem that prevents communication with other domain controllers.
Procedure: Verify the availability of the operations masters
This test verifies that the operations masters can be located and that they are online and responding.
Procedure Requirements
Credentials: Domain users
Tool: Dcdiag.exe

Procedure Steps
To verify the existence of the operations masters

Note You can use these tests prior to installing Active Directory as well as afterward. To perform the
test prior to installing Active Directory, you must use the /s option to indicate the name of a domain
controller to use for the test. You do not need the /s option to perform the test after installing Active
Directory. The test automatically runs on the local domain controller where you are performing the
tests. The commands listed in this procedure show the /s option. If you are performing this test after
installing Active Directory, omit the /s option. For a more detailed response from this command, you
can use the verbose option by adding /v to the end of the command to see the detailed response.

1. To ensure that the operations masters can be located, at a command prompt, type:
dcdiag /s:domaincontroller /test:knowsofroleholders /verbose
where domaincontroller is the name of a domain controller in the domain in which you want to add the new domain controller. The verbose option provides a detailed list of the operations masters that were tested. Near the bottom of the screen, a message confirms that the test succeeded. If you use the verbose option, look carefully at the bottom part of the displayed output. The test confirmation message appears immediately after the list of operations masters. Press ENTER.
2. To test to ensure the operations masters are functioning properly and are available on the network, at a command prompt, type:
dcdiag /s:domaincontroller /test:fsmocheck
where domaincontroller is the name of a domain controller in the domain in which you want to add the new domain controller. The verbose option provides a detailed list of the operations masters that were tested. Near the bottom of your screen, a message confirms that the test succeeded. Press ENTER.
If these tests fail, do not attempt any additional steps until you determine and fix the problem that prevents locating operations masters and verifying that they are functioning properly.

Note If any of the verification tests fail, do not continue until you determine and fix the problems. If
these tests fail, the installation is also likely to fail.

Procedure: Determine whether a Server object has Child objects
When a domain controller is properly installed, its Server object has a Child NTDS Settings object. Other applications that are running on domain controllers can also publish Child objects.
After installing Active Directory on a domain controller, verify that the Server object has a Child NTDS Settings object.
Prior to deleting a Server object from the Servers container for a site, verify that the Server object has no Child objects.
Procedure Requirements
Credentials: Domain users
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To determine whether a Server object has Child objects
1. In Active Directory Sites and Services, expand the Sites container and expand the site of the Server object.
2. Expand the Servers container, and then expand the Server object to view any Child objects.


Procedure: Verify the site assignment for the domain controller
Use this procedure to determine the site to which you want to add a Server object prior to installing Active Directory, or to verify the appropriate site prior to moving a Server object to it.
To be associated with a site, the IP address of a domain controller must map to a Subnet object that is defined in Active Directory. The site to which the subnet is associated is the site of the domain controller.
The subnet address, which is computed from the IP network address and the subnet mask, is the name of a Subnet object in Active Directory. When you know the subnet address, you can locate the Subnet object and determine the site to which the subnet is associated.
Procedure Requirements
Credentials: Domain users
Tools: My Network Places, Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To verify that an IP address maps to a subnet and determine the site association
1. Log on locally or open a Terminal Services connection to the server for which you want to check the IP address.
2. On the desktop, right-click My Network Places, and then click Properties.
3. In the Network and Dial-up Connections dialog box, right-click Local Area Connection, and then click Properties.
4. Double-click Internet Protocol (TCP/IP).
5. Use the values in IP address and Subnet mask to calculate the subnet address.
6. In Active Directory Sites and Services, expand the Sites container, and then click the Subnets container.
7. In the details pane, in the Name column, find the Subnet object that matches the subnet address.
8. In the Site column, note the site to which the IP subnet address is associated.

If the site that appears in the Site box is not the appropriate site, contact a supervisor and find out whether the IP address is incorrect or whether to move the Server object to the site indicated by the subnet.
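Steps 5 through 8 of this procedure and of the earlier "Verify that an IP address maps to a subnet" procedure can be done in code. The script below is an added example, not part of the guide: it computes the subnet address from an IP address and mask, looks up the Subnet object of that name under CN=Subnets,CN=Sites in the configuration partition, and reads its siteObject attribute, for every IPv4 address on the server rather than one at a time. It goes one step beyond the text: if no Subnet object matches the interface's own mask, it tries shorter prefixes, since a Subnet object may cover a larger range than the local mask. Subnet objects are looked up by their "network/prefix" name (the Name column in Active Directory Sites and Services); all function names are this example's own.

```powershell
# Added example, not part of the guide. Function names are this example's own.

function ConvertTo-PrefixLength {
    param([Parameter(Mandatory)][string]$SubnetMask)
    # Count leading 1 bits; a 1 after a 0 means the mask is not a valid netmask.
    $prefix = 0; $seenZero = $false
    foreach ($b in [System.Net.IPAddress]::Parse($SubnetMask).GetAddressBytes()) {
        for ($i = 7; $i -ge 0; $i--) {
            if ((($b -shr $i) -band 1) -eq 1) {
                if ($seenZero) { throw "Non-contiguous subnet mask '$SubnetMask'" }
                $prefix++
            } else { $seenZero = $true }
        }
    }
    return $prefix
}

function ConvertTo-SubnetName {
    param([Parameter(Mandatory)][string]$IPAddress,
          [Parameter(Mandatory)][int]$PrefixLength)
    # Network address = IP AND mask, written the way the Subnets container names its objects.
    $ipBytes = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $net = [byte[]]::new(4)
    for ($i = 0; $i -lt 4; $i++) {
        $bits = [Math]::Max(0, [Math]::Min(8, $PrefixLength - 8 * $i))
        $net[$i] = $ipBytes[$i] -band ((0xFF -shl (8 - $bits)) -band 0xFF)
    }
    $network = (New-Object System.Net.IPAddress (,$net)).ToString()
    return "$network/$PrefixLength"
}

function Get-AdSiteForSubnet {
    param([Parameter(Mandatory)][string]$SubnetName)
    # Subnet objects live in CN=Subnets,CN=Sites in the configuration partition; the
    # siteObject attribute is the DN of the site the subnet is associated with.
    $configDn = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Subnets,CN=Sites,$configDn")
    $searcher.Filter = "(&(objectClass=subnet)(cn=$SubnetName))"
    [void]$searcher.PropertiesToLoad.Add('siteObject')
    $result = $searcher.FindOne()
    if (-not $result) { return $null }
    $siteDn = [string]$result.Properties['siteobject'][0]
    return (($siteDn -split ',', 2)[0] -replace '^CN=', '')
}

function Find-AdSiteForAddress {
    param([Parameter(Mandatory)][string]$IPAddress,
          [Parameter(Mandatory)][string]$SubnetMask)
    # Exact match first (the guide's check), then progressively shorter prefixes.
    $start = ConvertTo-PrefixLength -SubnetMask $SubnetMask
    for ($p = $start; $p -ge 1; $p--) {
        $name = ConvertTo-SubnetName -IPAddress $IPAddress -PrefixLength $p
        $site = Get-AdSiteForSubnet -SubnetName $name
        if ($site) { return [pscustomobject]@{ Subnet = $name; Site = $site } }
    }
    return $null   # no Subnet object covers this address: the DC gets no site association
}

foreach ($nic in [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()) {
    foreach ($ua in $nic.GetIPProperties().UnicastAddresses) {
        if ($ua.Address.AddressFamily -ne 'InterNetwork') { continue }   # IPv4 only
        if ([System.Net.IPAddress]::IsLoopback($ua.Address)) { continue }
        $ip = $ua.Address.ToString(); $mask = $ua.IPv4Mask.ToString()
        $hit = Find-AdSiteForAddress -IPAddress $ip -SubnetMask $mask
        $subnet = ConvertTo-SubnetName -IPAddress $ip -PrefixLength (ConvertTo-PrefixLength $mask)
        $site = '(no matching Subnet object)'
        if ($hit) { $subnet = $hit.Subnet; $site = $hit.Site }
        [pscustomobject]@{ Interface = $nic.Name; IPAddress = $ip; Mask = $mask; Subnet = $subnet; Site = $site }
    }
}
```

A row showing "(no matching Subnet object)" is the case the procedure tells you to escalate: the address is either wrong or no Subnet object has been defined for it.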
Procedure: Move a Server object to a different site if the domain controller
is located in the wrong site
Moving a Server object requires that the IP address of the domain controller maps to the site to which you are moving the Server object. After you have verified that the IP address maps to the target site, use the following procedure to move the Server object to the site.
Procedure Requirements
Credentials: Enterprise administrators
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To move a Server object to a different site
1. In Active Directory Sites and Services, expand the Sites container and the site in which the Server object resides.
2. Expand the Servers container to display the domain controllers that are currently configured for that site.
3. Right-click the Server object you want to move, and then click Move.
4. In the Site Name box, click the destination site, and then click OK.
5. Expand the Site object to which you moved the server, and then expand the Servers container.
6. Verify that an object for the server you moved exists.
7. Expand the Server object and verify that an NTDS Settings object exists.

Within an hour, the Net Logon service on the domain controller registers the new site information in DNS. Wait an hour and then open Event Viewer and connect to the domain controller whose Server object you moved. Review the directory service log for Net Logon errors regarding registration of SRV resource records in DNS that have occurred within the last hour. The absence of errors indicates that Net Logon has updated DNS with site-specific SRV resource records. Net Logon event ID 5774 indicates that the registration of DNS resource records has failed. If this error occurs, contact a supervisor and pursue DNS troubleshooting.
Procedure: Configure DNS server forwarders
Configure DNS server forwarders based on the forwarders method established on your network.
Procedure Requirements
Credentials: Domain Admin
Tools: DNS snap-in

Procedure Steps
To configure DNS server forwarders
1. If your network uses root hints as the forwarders method, you do not need to perform any additional steps. Root hints are automatically configured during installation. Do not continue to step 2.
2. If you need to configure forwarders, open the DNS snap-in and continue to step 3.
3. In the console tree, right-click computer_name (where computer_name is the computer name of the domain controller), and then click Properties.
4. In the computer_name Properties sheet (where computer_name is the name of the domain controller), on the Forwarders tab, select the Enable forwarders check box.
5. In the IP address box, type ip_address (where ip_address is the IP address of the DNS server or nearest replication partner from which the domain is delegated), click Add, and then click OK.


Procedure: Verify DNS configuration
This procedure involves the following subprocedures:
Create a delegation for a new domain controller.
Configure the DNS client settings.
Create a delegation for the new domain controller in the forest root domain.
Create a secondary zone.
Configure the DNS client settings.

Subprocedure 1: Create a delegation for a new domain controller
Create a delegation for the new domain controller in the parent domain of the DNS infrastructure if a parent domain exists and a Microsoft DNS server hosts it. If the DNS server hosting the parent domain is not a Microsoft DNS server, follow the procedures outlined in the vendor documentation to add the delegation for the new domain controller.
This procedure creates a delegation for a new domain controller that is also a DNS server in the parent DNS domain. If your forest root domain has a parent DNS domain, perform these steps on a DNS server in the parent domain. If you just added a new domain controller to a child domain, perform these steps on a DNS server in the DNS parent domain. By following recommended practices, the parent domain is the forest root domain.
Procedure Requirements
Credentials: Domain administrators
Tool: DNS Manager

Procedure Steps
To create a delegation for a new domain controller
1. From the DNS snap-in, navigate to child_domain (where child_domain is the name of the child domain) in the console tree.
2. In the console tree, right-click child_domain, and then click Properties.
3. In child_domain properties, on the Name Servers tab, click Add.
4. In the New Resource Record dialog box, in the Server name box, type child_dc.child_domain.parent_domain (where child_dc is the name of the new domain controller, child_domain is the name of the child domain, and parent_domain is the name of the parent domain).
5. In the New Resource Record dialog box, in the IP address box, type ip_address (where ip_address is the IP address of the child domain controller), click Add, and then click OK.


Subprocedure 2: Configure the DNS client settings
Configure the DNS client settings on the new domain controller.
Procedure Requirements
Credentials: Domain admin
Tool: My Network Places

Procedure Steps
To configure the DNS client settings
1. In My Network Places, open the Properties dialog box.
2. In the Network and Dial-up Connections dialog box, right-click the connection that represents the connection this computer uses to attach to your network. The default label is Local Area Connection, but this can be changed so it might not be labeled the same on your computer. Click Properties.
3. In the Local Area Connection Properties dialog box, click once on Internet Protocol (TCP/IP) to highlight it (be sure you do not clear the check box in front of it), then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, verify that Use the following DNS server addresses: is selected.
5. If the new domain controller is located in the forest root domain, set the Preferred DNS server IP address to that of another DNS server in the forest root domain. Try to choose a server that is located near the new domain controller. Set the Alternate DNS server address to the IP address of the new domain controller (so that it is referencing itself).

If the new domain controller is located in a child domain, set the Preferred DNS server IP address to the IP address of the new domain controller (so that it is referencing itself). Set the Alternate DNS server address to that of another DNS server in the same domain. Try to choose a server that is located near the new domain controller.
6. Click OK to close the dialog box.
Subprocedure 3: Create a delegation for the new domain controller in the
forest root domain
This procedure creates a delegation for a new domain controller that is also a DNS server in the parent DNS domain. If your forest root domain has a parent DNS domain, perform these steps on a DNS server in the parent domain. If you just added a new domain controller to a child domain, perform these steps on a DNS server in the DNS parent domain. By following recommended practices, the parent domain is the forest root domain.
Procedure Requirements
Credentials: Domain Admin
Tool: DNS Manager

Procedure Steps
To create a delegation for a new domain controller
1. From the DNS snap-in, navigate to child_domain (where child_domain is the name of the child domain) in the console tree.
2. In the console tree, right-click child_domain, and then click Properties.
3. In child_domain properties, on the Name Servers tab, click Add.
4. In the New Resource Record dialog box, in the Server name box, type:
child_dc.child_domain.parent_domain
where child_dc is the name of the new domain controller, child_domain is the name of the child domain, and parent_domain is the name of the parent domain.
5. In the New Resource Record dialog box, in the IP address box, type ip_address (where ip_address is the IP address of the child domain controller), click Add, and then click OK.


Subprocedure 4: Create a secondary zone
Perform this procedure only on DNS servers that are located in the child domain, not the forest root domain. Perform these steps on the new domain controller.
Procedure Requirements
Credentials: Domain Admin
Tool: DNS snap-in

Procedure Steps
To create a secondary DNS zone
1. In the DNS snap-in, right-click the new domain controller in the console tree, and select New Zone.
2. In the New Zone Wizard, click Next to continue.
3. Select Standard secondary as the Zone Type. Click Next.
4. Ensure that Forward lookup zone is selected. Click Next.
5. For Zone Name, type _msdcs.forestrootdomain (where forestrootdomain is the fully qualified domain name of the forest root domain), and click Next.
6. In the Master DNS Servers dialog box, enter the IP addresses of at least two DNS servers in the forest root domain. Click Next.
7. Review the settings you defined, and click Finish to close the wizard.
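The delegation of Subprocedures 1 and 3 and the secondary zone of Subprocedure 4 can also be created from a script with dnscmd.exe instead of the DNS snap-in. The block below is an added example, not part of the guide: it adds the NS record that delegates the child domain plus the glue A record for the new domain controller in the parent zone, then creates a standard secondary copy of _msdcs.<forest root> on the child domain controller. Every name and address in it is a constructed placeholder, and the Invoke-DnsCmd helper is this example's own.

```powershell
# Added example, not part of the guide. All names and addresses below are constructed
# placeholders; replace them with your own. Invoke-DnsCmd is this example's helper.
$parentDomain    = 'corp.example.com'             # forest root, i.e. the parent DNS domain
$parentDnsServer = 'dns1.corp.example.com'        # Microsoft DNS server hosting the parent zone
$childDomain     = 'child.corp.example.com'       # child domain that received the new DC
$childDc         = 'dc1.child.corp.example.com'   # the new DC, which is also a DNS server
$childDcIp       = '10.1.37.10'
$forestRootDns   = @('10.0.0.10', '10.0.0.11')    # masters for the secondary zone (at least two)

function Invoke-DnsCmd {
    # Runs dnscmd and stops on a non-zero exit code so a failed step is not silently skipped.
    param([Parameter(Mandatory)][string[]]$Arguments)
    & dnscmd.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# The delegated node is the child label relative to the parent zone ("child"); the glue
# node is the DC's name relative to the parent zone ("dc1.child").
if (-not $childDomain.EndsWith(".$parentDomain")) { throw "$childDomain is not under $parentDomain" }
$childLabel = $childDomain.Substring(0, $childDomain.Length - $parentDomain.Length - 1)
$glueNode   = $childDc.Substring(0, $childDc.Length - $parentDomain.Length - 1)

# Subprocedures 1 and 3, run against the parent zone's server: the NS record at the child
# node is the delegation; the A record is the glue that lets resolvers reach that server.
Invoke-DnsCmd @($parentDnsServer, '/RecordAdd', $parentDomain, $childLabel, 'NS', $childDc)
Invoke-DnsCmd @($parentDnsServer, '/RecordAdd', $parentDomain, $glueNode, 'A', $childDcIp)

# Subprocedure 4, on the child DC only: a standard secondary zone for _msdcs.<forest root>
# with the forest root DNS servers as its masters.
Invoke-DnsCmd (@($childDc, '/ZoneAdd', "_msdcs.$parentDomain", '/Secondary') + $forestRootDns)

# Check that the zone now exists on the child DC and shows the masters that were given.
Invoke-DnsCmd @($childDc, '/ZoneInfo', "_msdcs.$parentDomain")
```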

Subprocedure 5: Configure the DNS client settings
Configure the DNS client settings on the new domain controller.
Procedure Requirements
Credentials: Domain Admin
Tool: My Network Places

Procedure Steps
To configure the DNS client settings
1. Open the Properties dialog box for My Network Places.
2. In the Network and Dial-up Connections dialog box, right-click the connection that represents the connection this computer uses to attach to your network. The default label is Local Area Connection, but this can be changed so it might not be labeled the same on your computer. Click Properties.
3. In the Local Area Connection Properties dialog box, click once on Internet Protocol (TCP/IP) to highlight it (be sure you do not clear the check box in front of it), and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, be sure that Use the following DNS server addresses: is selected.
5. If the new domain controller is located in the forest root domain, set the Preferred DNS server IP address to that of another DNS server in the forest root domain. Try to choose a server that is located near the new domain controller. Set the Alternate DNS server address to the IP address of the new domain controller (so that it is referencing itself).

If the new domain controller is located in a child domain, set the Preferred DNS server IP address to the IP address of the new domain controller (so that it is referencing itself). Set the Alternate DNS server address to that of another DNS server in the same domain. Try to choose a server that is located near the new domain controller.
6. Click OK to close the dialog box.


Procedure: Verify domain membership for the new domain controller
This test verifies that a new domain controller has successfully become a member of the domain.

Note You can get a more detailed response from this command by using the verbose option. Add /v
to the end of the command listed to see the detailed response.

Procedure Requirements
Credentials: Domain User
Tool: Netdiag.exe

Procedure Steps
To verify domain membership for a new domain controller
1. At a command prompt, type netdiag /test:member.
2. Toward the bottom of the screen, you should see the message "Domain membership test Passed" if the test was successful. If you use the /v option, it will list the name of the domain controller, its role, the name of the domain, and a number of other statistics about the new domain controller.
Procedure: Verify replication with other domain controllers
These tests verify that different aspects of the replication topology are working properly. They check to see that objects are replicating and they verify that the proper logon permissions are set to allow replication to occur.

Note For this set of tests, the /v option is available. However, it does not display any significant
additional information.

Procedure Requirements
Credentials: Domain Admin
Tool: Dcdiag.exe

Procedure Steps
To verify replication is functioning
1. To check if replication is working, at a command prompt, type dcdiag /test:replications and press ENTER.
The /v option does not display any significant additional information for this test. Messages indicate that the connectivity and replications tests passed.
2. To verify that the proper permissions are set for replication, at a command prompt, type dcdiag /test:netlogons and press ENTER.
Messages indicate that the connectivity and netlogons tests passed.
Procedure: View the current operations master role holders
To view the current operations master role holders, use Ntdsutil.exe with the roles option. This option displays a list of all current role holders.
Procedure Requirements
Credentials: User or Administrator
Tool: Ntdsutil.exe (System Tools)

Procedure Steps
To view the current operations master role holder
1. In the Run text box, type ntdsutil and press ENTER.
2. At the ntdsutil: prompt, type roles and press ENTER.
3. At the fsmo maintenance: prompt, type connections and press ENTER.
4. At the server connections: prompt, type connect to server servername (where servername is the name of the domain controller that belongs to the domain containing the operations masters).
5. After receiving confirmation of the connection, type quit and press ENTER to exit this menu.
6. At the fsmo maintenance: prompt, type select operation target and press ENTER.
7. At the select operations target: prompt, type list roles for connected server and press ENTER.
The system responds with a list of the current roles and the Lightweight Directory Access Protocol (LDAP) name of the domain controllers currently assigned to host each role.
8. Type quit and press ENTER to exit each prompt in Ntdsutil.exe. Type quit and press ENTER at the ntdsutil: prompt to close the window.


Procedure: Transfer the forest-level operations master roles
The two forest-level operutlons muster roles ure the domuln numlng muster und the
schemu muster. Any computer thut hosts the domuln numlng muster must ulso be u
globul cutulog server. These procedures ure performed by uslng the Mlcrosoft
Munugement Console (MMC), ulthough you cun ulso trunsfer these roles by uslng
Ntdsutll.exe. For lnformutlon ubout uslng Ntdsutll.exe to trunsfer the operutlons muster
roles, type ? ut the Ntdsutll.exe commund prompt.
For more lnformutlon ubout trunsferrlng operutlons muster roles, see "Munuglng Flexlble
Slngle-Muster Operutlons" ln the Dlstrlbuted Systems Gulde of the Wlndows 2000 Server
Resource Klt.
Procedure Requirements for Transferring the Domain Naming Master
Credentluls: Enterprlse Admlns
Tool: Actlve Dlrectory Domulns und Trusts (Admlnlstrutlve Tools)

Procedure Steps
To transfer the domain naming master
1. In Active Directory Domains and Trusts, in the console tree, right-click Active
Directory Domains and Trusts, and then click Connect to Domain Controller.
2. Ensure that the proper domain name is entered in the Domain box.
The available domain controllers from this domain are listed.
3. In the Name column, click the domain controller (to select it) to which you want to
transfer the role. Click OK.
4. In Active Directory Domains and Trusts, in the console tree, right-click Active
Directory Domains and Trusts, and then click Operations Master.
5. The name of the current domain naming master appears in the first text box. The
server to which you want to transfer the role should appear in the second text box. If
this is not the case, repeat steps 1 through 4.
6. Click Change. To confirm the role transfer, click OK. Click OK again to close the
message box indicating the transfer took place. Click Close to close the Change
Operations Master dialog box.

Procedure Requirements for Transferring the Schema Master
Credentials: Schema Administrator
Tool: Active Directory Schema snap-in

Procedure Steps
To transfer the schema master
Before you can use the Active Directory Schema snap-in for the first time, you must
register it with the system. If you have not yet prepared the Active Directory Schema
snap-in, see Prepare the Active Directory Schema snap-in in this guide before you
begin this procedure.
1. In the Active Directory Schema snap-in, in the console tree, right-click Active
Directory Schema, and click Change Domain Controller.
2. In the Change Domain Controller dialog box, click Specify Name. Then, in the text
box, type the name of the server to which you want to transfer the schema master
role. Click OK.
3. In the console tree, right-click Active Directory Schema. Click Operations Master.
The Current Focus box displays the name of the server that is assuming the role. The
current schema master is listed in the second box.
4. Click Change. Click OK to confirm your choice. The system confirms the operation.
Click OK again to confirm that the operation succeeded.
5. Click Cancel to close the Change Schema Master dialog box.

Note Hosting the infrastructure master on a global catalog server is not recommended. If you
attempt to transfer the infrastructure master role to a domain controller that is a global catalog, the
system displays a warning stating that this is not recommended.

6. Click Yes to confirm the transfer, and click OK to confirm that the operation is
complete.

Procedure: Transfer the domain-level operations master roles
The three domain-level operations master roles are the PDC emulator, the RID master,
and the infrastructure master. You can transfer all of these roles by using the Active
Directory Users and Computers console. These procedures are performed by using
MMC, although you can also transfer these roles by using Ntdsutil.exe. For information
about using Ntdsutil.exe to transfer the operations master roles, type ? at the Ntdsutil.exe
command prompt.
For more information about transferring operations master roles, see "Managing Flexible
Single-Master Operations" in the Distributed Systems Guide of the Windows 2000 Server
Resource Kit.
Procedure Requirements
Credentials: Domain Admins
Tools: Active Directory Users and Computers (Administrative Tools)

Procedure Steps
To transfer a domain-level operations master role
1. In the Active Directory Users and Computers snap-in, at the top of the console tree,
right-click Active Directory Users and Computers. Click Connect to Domain
Controller.
2. In the Available controllers list, click the name of the server to which you want to
transfer the role, and then click OK.
3. At the top of the console tree, right-click Active Directory Users and Computers, and
then click Operations Masters.
The name of the current operations master role holder appears in the upper box. The
name of the server to which you want to transfer the role appears in the lower box.
4. Click the tab that belongs to the role you want to transfer: RID, PDC, or
Infrastructure. Verify the computer names that appear and then click Change. Click
Yes to transfer the role.
5. Repeat step 4 for each role that you want to transfer.

Procedure: Verify connectivity between forests
Procedure Steps
To verify connectivity from forest A to forest B
1. Log on to forest A.
2. Click Start, click Run, type cmd in the Open box, and then press ENTER.
3. At a command prompt, type ping <the name of forest B>, and then press ENTER.
You receive a reply.

To verify connectivity from forest B to forest A
1. Log on to forest B.
2. Click Start, click Run, type cmd in the Open box, and then press ENTER.
3. At a command prompt, type ping <the name of forest A>, and then press ENTER.
You receive a reply.

Procedure: Configure DNS for both forests
Procedure Steps
To configure DNS
1. Go to Start > All Programs > Administrative Tools > DNS.
2. Right-click <server name>, and then click Properties.
3. On the Forwarders tab, click New, type in the name of the forest, and then click OK.
4. Type the IP address of the DNS server (for example, type 10.1.1.2), and then click
Add.

To verify connectivity
1. Click Start, click Run, type cmd in the Open box, and then press ENTER.
2. At a command prompt, type ping and the name of the forest, and then press ENTER.
You receive a reply.

Procedure: Create the forest trust on forest A or B
Procedure Steps
To create the forest trust on forest A or B
1. Go to Start > All Programs > Administrative Tools > Active Directory Domains and
Trusts.
2. Right-click the Forest object that represents forest A, and then click Properties.
3. Click the Trusts tab, click New Trust, and then click Next in the Trust Creation
Wizard.
4. In the Name box, type the name of the forest to which you want to configure the
trust, and then click Next.
5. Click Forest Trust, and then click Next. If Forest Trust is not an option, verify that
you raised the forest functional level to Windows Server 2003 by reviewing the steps
in the previous section.
6. Click Two Way, and then click Next.
7. Click both This Domain and Specified Domain, and then click Next.
8. In the Credentials dialog box for the forest A domain, type both the user name
(administrator) and password, and then click Next.
9. Click Allow authentication for all resources in the local forest, and then click Next.
10. Click Allow authentication for all resources in the forest A, and then click Next.

Note The Selective Authentication option for both sides of the trust is disabled when you do this.
You will enable the Selective Authentication option in the next section.

11. Review the changes that are listed, and then click Next to approve the changes.
12. Click Yes, confirm outgoing trust, and then click Next.
13. When the dialog box that lists the name suffixes that you want to route is displayed,
do not make any changes. Click Next, click Finish, and then click OK.
Procedure: Verify the trust
Procedure Steps
To verify the trust
1. Create and name a test file share on either forest domain, and then assign
permissions to the share:
a. On any server on either of the two forests, create and name a folder, create a
Sampletext.txt file with some text by using a text editor (such as Notepad), and
then save the Sampletext.txt file in the folder.
b. Right-click the folder, and then click Sharing and Security.
c. Click Share this folder, and then click Permissions.
d. Click Add in the Group or user names box, type the name of the group to be
added, and then click OK.
e. Click the group added in the Group or user names box, and then click to select
all of the check boxes in both the Change and Read boxes.
f. Click Everyone in the Group or user names box, and then click Remove.


Note You cannot grant permissions by adding the user directly to the DACL file share when you
use this procedure; however, you can create a domain local group to grant permission to the
share and add the remote forest groups to this domain local group. You will directly add the
users to the DACL in this section. More information about group membership rules is provided
in the following section.

2. Verify that you can gain access to the domain and the Sampletext.txt file that you
created:
a. Log on to the server with administrative privileges.
b. Click Start, click Run, type the name of the test file share you created in the
Open box, and then press ENTER.
c. Double-click the Sampletext.txt file to confirm that you can open and read the
file. If you cannot open the file, verify that the permissions are properly assigned.
d. Create a Sampletext2.txt file in a text editor, such as Notepad, and then save the
file to the folder to verify that you can save a file to the share.
Procedure: Turn on the Selective Authentication option in forest A to
enable only selective authentication from forest B
Procedure Steps
To turn on the Selective Authentication option
1. Confirm that you are logged on to forest A with administrative privileges.
2. Go to Start > All Programs > Administrative Tools > Active Directory Domains and
Trusts.
3. Right-click forest A, and then click Properties.
4. Click the Trusts tab, right-click forest B in the Domains trusted by this domain
(outgoing trusts) box, and then click Properties.
5. Click the Authentication tab, click Allow authentication only to selected resources in
the local forest, click OK, and then click OK.

Procedure: Create a test file and then assign permissions to the share
Procedure Steps
To create a test file and then assign permissions to the share
1. On the designated computer, go to Start > All Programs > Accessories > Windows
Explorer.
2. In the console tree, click Local Disk (C:). Right-click a blank area in the details pane,
point to New, click Folder, and then type Testfolder for the name of the new folder.
3. Double-click the new Testfolder folder in the details pane to open the folder, right-click
a blank area, point to New, click Text Document, and then type Testdoc.txt for
the name of the document.
4. In the console tree, right-click the Testfolder folder, and then click Sharing and
Security.
5. Click Share this folder, click Permissions, click Add, and then type
Administrator@[name of forest].
6. In the Group or user names box, click forest A.
7. Click Change in the Allow column in the Permissions for [name of forest]
Administrator@[name of domain].com box, click Read in the Allow column, and then
click OK.
8. In the Group or user names box, click Everyone, and then click Remove.

Procedure: Verify that you cannot gain access to forest A from forest B
Procedure Steps
To verify that you cannot gain access to forest A from forest B
1. Log on to the designated computer with administrative privileges.
2. Click Start, click Run, type \\<name of server>\<name of share> in the Open box,
and then press ENTER.
3. You should not be able to gain access to the share because you enabled the
Selective Authentication option. If you can gain access to the share, verify that the
permissions are properly configured.

Procedure: Enable the Selective Authentication option for a designated
computer
Procedure Steps
To enable the Selective Authentication option for a designated computer
1. Log on to the designated computer with administrative privileges.
2. Go to Start > All Programs > Administrative Tools > Active Directory Users and
Computers.
3. On the View menu, click Advanced Features. In the console tree, click Domain
Controllers.
4. In the details pane, right-click the name of the designated computer, and then click
Properties.
5. Click the Security tab, click Add, type administrator@[name of forest].com, and then
click OK.
6. In the Group or user names box, click Administrator@[name of forest].com, and then
click to select the Allowed to authenticate check box in the Allow column that is in
the Permissions for Administrator@[name of forest].com box.
After you do this, the administrator@[name of forest].com user can authenticate to
the designated computer.

Procedure: Verify that you can gain access from forest A to forest B
Procedure Steps
To verify that you can gain access from forest A to forest B
1. Log on to the designated computer with administrative privileges.
2. Click Start, click Run, type \\<name of server>\<name of share> in the Open box,
and then press ENTER.
You can now gain access to the share.
Procedure: Remove the forest trust
Procedure Steps
To remove the forest trust
1. Log on to the domain with administrative privileges.
2. Go to Start > All Programs > Administrative Tools > Active Directory Domains and
Trusts.
3. In the console tree, right-click the domain, and then click Properties.
4. Click the Trusts tab, right-click the forest to be removed in the Domains trusted by
this domain (outgoing trusts) box, and then click Remove.
5. Click Yes, remove the trust from the local domain and the other domain.
6. In the User name box, type Administrator and then type the password in the
Password box.
7. Click Yes, and then choose the option to remove the trust.
8. Repeat steps 4 through 7 to remove the incoming trust in the Domains that trust this
domain (incoming trusts) box.

Procedure: Determine whether a domain controller is a global catalog
server
The setting for designating the domain controller as a global catalog server is located in
the properties of the Child NTDS Settings object of the respective Server object.
Procedure Requirements
Credentials: Domain Users
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To determine whether a domain controller is a global catalog server
1. In Active Directory Sites and Services, expand the Sites container, expand the site of
the domain controller you want to check, expand the Servers container, and then
expand the Server object.
2. Right-click the NTDS Settings object, and then click Properties.
3. On the General tab, if the Global Catalog box is selected, the server is designated as
a global catalog server.
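The same facts the Ntdsutil "roles" walk-through and the NTDS Settings "Global Catalog" check box expose, read through the .NET System.DirectoryServices.ActiveDirectory classes so the placement rules stated in this guide (domain naming master on a global catalog; infrastructure master not on one) can be checked in one pass. This is an added example, not the guide's own procedure; it assumes it runs as a domain user on a domain-joined machine, and the function name is this example's own.

```powershell
# Added example (not from the Product Operations Guide).
# Assumes a domain-joined machine and at least domain-user credentials.
Add-Type -AssemblyName System.DirectoryServices

function Get-OperationsMasterReport {
    [CmdletBinding()]
    param()

    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

    $roles = [ordered]@{
        # Forest-level roles.
        SchemaMaster         = $forest.SchemaRoleOwner
        DomainNamingMaster   = $forest.NamingRoleOwner
        # Domain-level roles for the current domain.
        PdcEmulator          = $domain.PdcRoleOwner
        RidMaster            = $domain.RidRoleOwner
        InfrastructureMaster = $domain.InfrastructureRoleOwner
    }

    foreach ($role in $roles.Keys) {
        $dc = $roles[$role]
        # IsGlobalCatalog() reflects the same NTDS Settings flag that the
        # "Global Catalog" check box in Sites and Services sets.
        $isGc = $dc.IsGlobalCatalog()

        $warning = $null
        if ($role -eq 'DomainNamingMaster' -and -not $isGc) {
            $warning = 'Domain naming master must be a global catalog server'
        }
        if ($role -eq 'InfrastructureMaster' -and $isGc) {
            # Harmless only when every domain controller in the domain is a
            # global catalog; otherwise cross-domain references stop updating.
            $warning = 'Infrastructure master on a global catalog is not recommended'
        }

        [pscustomobject]@{
            Role            = $role
            RoleHolder      = $dc.Name       # DNS name, as listed by "list roles for connected server"
            Site            = $dc.SiteName
            IsGlobalCatalog = $isGc
            Warning         = $warning
        }
    }
}

Get-OperationsMasterReport | Format-Table -AutoSize
```
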

Procedure: Remove Active Directory
To use the Active Directory Installation Wizard to remove Active Directory, you must
know the password to assign to the local Administrator account of the server after Active
Directory is removed.
Procedure Requirements
Credentials: Domain Admin
Tool: Dcpromo.exe

Procedure Steps
To remove Active Directory
1. In the Run text box, type dcpromo and click OK.
2. The Active Directory Installation Wizard appears. Click Next at the Welcome screen.
3. You have an option to select This server is the last domain controller in the domain.
If you select this option, the wizard attempts to remove the domain from the forest.
Do not select this option. Click Next.
4. At the Administrative Password screen, enter and confirm the password that you
want to assign to the local Administrator account after Active Directory is removed.
Click Next.
5. At the Summary screen, verify that the information is correct and then click Next to
proceed with the removal.
6. The wizard proceeds to remove Active Directory. After it finishes, the wizard displays
a completion screen. Click Finish to close the wizard.
7. Click Restart to restart the domain controller.

Procedure: Delete a Server object from a site
When no Child objects are visible below the Server object in Active Directory Sites and
Services, you can remove the Server object.
Procedure Requirements
Credentials: Domain Admins
Tool: Active Directory Sites and Services (Administrative Tools)
No Child objects appear below the Server object in Active Directory Sites and
Services

Procedure Steps
To delete a Server object from a site
1. In Active Directory Sites and Services, expand the Sites container, and then expand
the site from which you want to delete a Server object.
2. Expand the Servers container, and then expand the Server object you want to delete.
3. If no Child objects appear below the Server object, right-click the Server object, and
then click Delete.


Important Do not delete a Server object that has a Child object. If an NTDS Settings or other Child
object appears below the Server object you want to delete, either replication on the domain
controller on which you are viewing the Configuration container has not occurred, or the server
whose Server object you are removing has not been properly decommissioned.

4. Click Yes to confirm your choice.

Procedure: Use System Properties interface to change name
Procedure Steps
To use System Properties interface to change name
1. In Control Panel, click System Properties.
2. On the Computer Name tab, click Change.
3. Click OK to acknowledge that renaming the domain controller may cause it to
become temporarily unavailable to users and computers (see note below).
4. Under Computer Name, type the new name.
5. Click OK to close the System Properties box.
6. If prompted, enter username/password for an account with domain admin or
enterprise admin authority.


Note Renaming a domain controller in this way may result in Active Directory replication latency
delaying the ability for clients to locate or authenticate the domain controller under its new name.

Procedure: Determine the location and size of the directory database files
Be sure to use the same method to check file sizes when you compare them. The size is
reported differently, depending on whether the domain controller is online or offline, as
follows:
Determine the database size and location online. This size is reported in bytes. If you
must manage the database file, the log files, or both, first determine the location and
size of the files. By default, the database file and associated log files are stored in the
%systemroot%\NTDS directory.
Determine the database size and location offline. This size is reported in megabytes
(MB). Use this method if the domain controller is already started in Directory
Services Restore Mode.
You can also use the Search command on the Start menu to locate the database file
(Ntds.dit) or the edb*.log file for the location of the database and log files, respectively.
If you have set garbage collection logging to report free disk space, then event ID 1646 in
the Active Directory service log also reports the size of the database file: Total allocated
hard disk space (megabytes):
Alternatively, you can determine the size of the database file by listing the contents of the
directory that contains the files.
Procedure Requirements (Online)
Credentials: Domain Admins
Tool: Command line: dir command

Procedure Steps
To determine the directory database size online
1. On the domain controller on which you want to manage database files, open a
command prompt and change directories to the directory containing the files you
want to manage.
2. Run the dir command to examine the database size. In the following example, the
Ntds.dit file and the log files are stored in the same directory. In the example, the
files take up 58,761,216 bytes of disk space.

H:\NTDS>dir
Volume in drive H has no label.
Volume Serial Number is 003D-0E9E
Directory of H:\NTDS
01/29/2002 11:04 AM <DIR> .
01/29/2002 11:04 AM <DIR> ..
01/28/2002 03:03 PM <DIR> Drop
01/29/2002 10:29 AM 8,192 edb.chk
01/29/2002 10:29 AM 10,485,760 edb.log
01/29/2002 10:29 AM 10,485,760 edb00001.log
01/29/2002 10:29 AM 14,696,448 ntds.dit
01/28/2002 02:54 PM 10,485,760 res1.log
01/28/2002 02:54 PM 10,485,760 res2.log
7 File(s) 58,761,216 bytes
3 Dir(s) 779,284,480 bytes free
Procedure Requirements (Offline)
This size is reported in megabytes (MB). Use this method if the domain controller is
already started in Directory Services Restore Mode.
If the domain controller is started in Directory Services Restore Mode, you can use
Ntdsutil.exe to report the Ntds.dit database file and log file locations, as well as the free
disk space on all local drives.
Domain controller is started in Directory Services Restore Mode
Credentials: local Administrator account
Tool: Ntdsutil.exe (system tool)

Procedure Steps
To check directory database information and free disk space offline
1. With the domain controller in Directory Services Restore Mode, open a command
prompt, type ntdsutil and then press ENTER.
2. At the ntdsutil: prompt, type files and then press ENTER.
3. At the file maintenance: prompt, type info and press ENTER.
4. At the file maintenance: prompt, type quit and press ENTER. Type quit and press
ENTER again to quit Ntdsutil.exe.

Procedure: Compare the size of the directory database files to the volume
size
Before moving any files in response to low disk space, verify that no other files on the
volume are responsible for the condition of low disk space.
You might need to relocate the database file, the log files, or both, if disk space on the
volume on which they are stored becomes low. Before moving the database file or log
files, examine the size of the database folder, logs folder, or both, if they are stored in the
same location, relative to the size of the volume to verify that these files are the cause of
low disk space. Include the size of the SYSVOL folder if it is on the same partition.
Procedure Requirements
Credentials: Domain Users (online) or local administrator (offline)
Tool: Command line: dir command

Procedure Steps
To compare the size of the directory database files to the volume size
1. In Windows Explorer, click My Computer.
2. On the View menu, click Details.
3. In the Name column in the details pane, locate the volume. Make a note of the value
in the Total Size column.
4. Navigate to the folder that stores the database file, the log files, or both.
5. Right-click the folder, and then click Properties. Make a note of the value in Size on
disk.
6. If the volume includes SYSVOL, navigate to that folder and repeat step 5.
7. Compare the sizes. If the combined size of the relevant database files and SYSVOL
files (if appropriate) is significantly smaller than the volume size, then check the
contents of the volume for other files.
8. If other files are present, move those files and reassess the disk space on the volume.
Procedure: Move the database file, the log files, or both
Move the files to a temporary destination if you need to reformat the original location, or
to a permanent location if you have additional disk space. Moving the files can be
performed locally by using Ntdsutil.exe or remotely (temporarily) by using a file copy, as
follows:
Subprocedure 1: Move the directory database files to a local drive
To move the directory database files to a different local folder, always use Ntdsutil.exe
because this tool automatically updates the registry with the new path.
If you need to reformat the partition that currently stores the database file, the log files, or
both, then you must move the files temporarily while you reformat the original drive.
After you reformat the drive, use the same procedure to move the files back. Even if you
are moving the files only temporarily, use Ntdsutil.exe so that the registry is always
current.

Note If the SYSVOL folder is stored on the partition you are reformatting, you must move SYSVOL as
well as the database files, which requires a separate procedure.

The registry entries that Ntdsutil.exe updates when you move the database file are as
follows:
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\
Parameters:
Database backup path
Digital Signature Algorithm (DSA) database file
DSA working directory

The registry entry that Ntdsutil.exe updates when you move the log files is as follows:
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\
Parameters:
Database log files path
Procedure Requirements
Domain controller is started in Directory Services Restore Mode
Credentials: local Administrator account
Disk space:

Temporary location. Free space on the destination drive equivalent to at least the
current size of the database file, the combined log files, or both, depending on
which files you are moving.
Permanent location. Free space on the destination NTFS drive equivalent to at
least the size specified below, plus space to accommodate anticipated growth,
depending on which file or files you are moving.


Caution The drive that is the permanent location of the database file or log files must be formatted
as NTFS.
Database file only: The size of the database file plus 20 percent of the Ntds.dit file or 500 MB,
whichever is greater.
Log files only: The size of the combined log files plus 20 percent of the combined logs or 500 MB,
whichever is greater.
Database and logs. If the database and log files are stored on the same partition, free space should
be at least 20 percent of the combined Ntds.dit and log files, or 1 GB, whichever is greater.


Important The preceding levels are minimum recommended levels. If you have followed the
recommendations in Monitoring Active Directory in this guide, falling below these minimum levels
causes a monitoring warning. Therefore, adding additional space according to anticipated growth is
recommended.
Tools:
Command line: dir command
Ntdsutil.exe (system tool)
Windows Explorer
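The online size check, the comparison against the volume, and the free-space minimums from the Caution above, carried out in one pass from the NTDS registry values this procedure lists (the SYSVOL path is read from the Netlogon service parameters). This is an added example, not part of the guide; it assumes it runs online on the domain controller as a local Administrator, and the function name and the 50 percent cut-off used for "significantly smaller" are this example's own choices.

```powershell
# Added example (not from the Product Operations Guide).
# Assumes it runs online on the domain controller with local Administrator rights.

function Get-NtdsSpaceReport {
    [CmdletBinding()]
    param(
        [double]$GrowthFraction = 0.20,  # "plus 20 percent" from the Caution
        [long]$FloorSeparate    = 500MB, # floor when database and logs are on different partitions
        [long]$FloorCombined    = 1GB    # floor when they share one partition
    )

    # Registry values that Ntdsutil.exe keeps current when files are moved.
    $ntds   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dbFile = $ntds.'DSA Database file'        # full path to Ntds.dit
    $logDir = $ntds.'Database log files path'  # folder holding edb*.log and res*.log
    # SYSVOL location; counted only when it shares a volume with the directory files.
    $sysvol = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').SysVol

    $dbBytes  = (Get-Item -LiteralPath $dbFile).Length
    $logBytes = [long]((Get-ChildItem -LiteralPath $logDir -Filter '*.log' -File |
                        Measure-Object -Property Length -Sum).Sum)
    $sysvolBytes = 0L
    if ($sysvol -and (Test-Path -LiteralPath $sysvol)) {
        $sysvolBytes = [long]((Get-ChildItem -LiteralPath $sysvol -Recurse -File -ErrorAction SilentlyContinue |
                               Measure-Object -Property Length -Sum).Sum)
    }

    $dbRoot  = [System.IO.Path]::GetPathRoot($dbFile)   # e.g. "C:\"
    $logRoot = [System.IO.Path]::GetPathRoot($logDir)
    $svRoot  = if ($sysvol) { [System.IO.Path]::GetPathRoot($sysvol) } else { $null }

    # Free-space rule from the Caution: 20 percent of the relevant files or the
    # floor, whichever is greater; a single combined check when both share a partition.
    $checks = @(
        if ($dbRoot -eq $logRoot) {
            @{ Root = $dbRoot; Files = $dbBytes + $logBytes
               Required = [long][math]::Max(($dbBytes + $logBytes) * $GrowthFraction, $FloorCombined) }
        } else {
            @{ Root = $dbRoot;  Files = $dbBytes
               Required = [long][math]::Max($dbBytes * $GrowthFraction, $FloorSeparate) }
            @{ Root = $logRoot; Files = $logBytes
               Required = [long][math]::Max($logBytes * $GrowthFraction, $FloorSeparate) }
        }
    )

    foreach ($c in $checks) {
        $letter = $c.Root.TrimEnd('\')   # "C:"
        $disk   = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$letter'"
        $sysvolHere = if ($svRoot -eq $c.Root) { $sysvolBytes } else { 0L }
        $used = [long]$disk.Size - [long]$disk.FreeSpace
        [pscustomobject]@{
            Volume            = $letter
            FileSystem        = $disk.FileSystem
            NtdsFilesBytes    = $c.Files                          # what "dir" reports online
            NtdsFilesMB       = [math]::Round($c.Files / 1MB, 1)  # what Ntdsutil "info" reports offline
            SysvolBytes       = $sysvolHere
            VolumeSizeBytes   = [long]$disk.Size
            FreeBytes         = [long]$disk.FreeSpace
            RequiredFreeBytes = $c.Required
            IsNtfs            = ($disk.FileSystem -eq 'NTFS')     # permanent location must be NTFS
            EnoughFree        = ([long]$disk.FreeSpace -ge $c.Required)
            # Step 7 of the compare procedure: if the directory files plus SYSVOL
            # are only a small share of what is used, other files are the cause of
            # low space. The 50 percent cut-off is this example's own choice.
            OtherFilesDominate = (($c.Files + $sysvolHere) -lt ($used / 2))
        }
    }
}

Get-NtdsSpaceReport | Format-List
```
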

Procedure Steps
To move the directory database files to a different local drive
1. In Directory Services Restore Mode, open a command prompt and change directories
to the current location of the directory database file (Ntds.dit) or the log files,
whichever you are moving.
2. Run the dir command and make a note of the current size and location of the Ntds.dit
file.
3. At the command prompt, type ntdsutil and then press ENTER.
4. At the ntdsutil: prompt, type files and then press ENTER.
5. To move the database file, at the file maintenance: prompt, use the following
commands:
To move the Ntds.dit file, type:
move db to drive:\directory
where drive:\directory is the path to the new location. If the directory does not
exist, then Ntdsutil.exe creates it.

Note If the directory path contains any spaces, the entire path must be surrounded by
quotation marks (for example, move db to "g:\new folder").

To move the log files, type:
move logs to drive:\directory
6. After the move completes, at the file maintenance: prompt, type quit and press
ENTER. Type quit again and press ENTER to quit Ntdsutil.exe.
7. Change to the destination directory and then run the dir command to confirm the
presence of the files. If you have moved the database file, then check the size of the
Ntds.dit file against the file size you noted in step 2 to be sure that you are focused
on the correct file.
8. If you are moving the database file or log files permanently, go to step 9.

If you are moving the database file or log files temporarily, you can now perform any
required updates to the original drive. After you update the drive, repeat steps 1
through 7 to move the files back to the original location.
9. If the path to the database file or log files has not changed, go to step 10.
If the path to the database file or log files has changed from the original location,
check permissions on the database folder or logs folder while still in Directory
Services Restore Mode, as follows:
a. In Windows Explorer, right-click the folder to which you have moved the
database file or log files, and then click Properties.
b. Click the Security tab, and verify that the permissions are:

Administrators group has Allow Full Control.
System has Allow Full Control.
Inheritable permissions are not allowed (checkbox is cleared).
No Deny permissions are selected.

c. If the permissions in step 9b are in effect, then go to step 10. If permissions other
than those described in step 9b are in effect, then perform steps 9d through 9k.
d. If Allow inheritable permissions from parent to propagate to this object is
selected, click to clear it.
e. When prompted, click Copy to copy previously inherited permissions to this
object.
f. If Administrators or SYSTEM, or both, are not in the Name list, click Add.
g. On the Select Users or Groups page, in the Look in: box, be sure the name of the
local computer is selected.
h. In the Name list, click System if needed, and then click Add. Repeat to add
Administrators, if needed, and then click OK.
i. On the Security tab, click System and then in the Allow column, click Full
Control. Repeat for Administrators.
j. In the Name box, click any name that is not SYSTEM or Administrators, and
then click Remove. Repeat until the only remaining accounts are Administrators
and SYSTEM, and then click OK.


Note Some accounts might appear in the form of security identifiers (SIDs). Remove any such
accounts.

k. Click OK to close Properties.
10. At the command prompt, type ntdsutil and then press ENTER.
11. At the ntdsutil: prompt, type files and then press ENTER.
12. At the file maintenance: prompt, type integrity and then press ENTER.
If the integrity check fails, perform semantic database analysis with a fixup record.
13. If the integrity check succeeds, type quit and press ENTER to quit the file
maintenance: prompt. Type quit again and press ENTER to quit Ntdsutil.exe.
14. Restart the domain controller normally. If you are performing this procedure remotely
over a Terminal Services connection, be sure that you have modified the Boot.ini file
for normal restarting before you restart the domain controller.
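
The permission check in step 9b, and the repair in steps 9d through 9k, expressed as a script so the folder holding the relocated Ntds.dit or log files can be verified without reading the Security tab by eye. This is an added example, not the guide's own procedure; it assumes it runs in Directory Services Restore Mode as the local Administrator (as step 9 does) and the function name is this example's own. Identities are matched by well-known SID, which also covers the accounts the Note says may appear only as SIDs.

```powershell
# Added example (not from the Product Operations Guide).
# Assumes Directory Services Restore Mode and the local Administrator account.

function Test-NtdsFolderAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Repair   # apply the required ACL instead of only reporting
    )

    # Required principals from step 9b, by well-known SID rather than display name.
    $adminsSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'  # BUILTIN\Administrators
    $systemSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'      # NT AUTHORITY\SYSTEM
    $allowed   = @($adminsSid.Value, $systemSid.Value)

    function Get-Findings([System.Security.AccessControl.DirectorySecurity]$acl) {
        $findings = @()
        if (-not $acl.AreAccessRulesProtected) {
            $findings += 'Inheritable permissions from the parent are still allowed'
        }
        $seen = @()
        foreach ($ace in $acl.Access) {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            # FullControl is 0x1F01FF; inherit-only entries may instead carry
            # GENERIC_ALL (0x10000000), which also grants full control.
            $rights = [int]$ace.FileSystemRights
            $isFull = (($rights -band 0x1F01FF) -eq 0x1F01FF) -or (($rights -band 0x10000000) -ne 0)
            if ($ace.AccessControlType -eq 'Deny') {
                $findings += "Deny entry present for $($ace.IdentityReference)"
            } elseif ($sid -notin $allowed) {
                $findings += "Unexpected principal $($ace.IdentityReference) ($sid)"
            } elseif (-not $isFull) {
                $findings += "$($ace.IdentityReference) lacks Full Control"
            } else {
                $seen += $sid
            }
        }
        foreach ($sid in $allowed) {
            if ($sid -notin $seen) { $findings += "No Allow Full Control entry for $sid" }
        }
        return $findings
    }

    $findings = @(Get-Findings (Get-Acl -LiteralPath $Path))
    $repaired = $false
    if ($findings.Count -gt 0 -and $Repair) {
        # Steps 9d through 9k in one pass: stop inheriting, drop every explicit
        # entry, then grant only Administrators and SYSTEM Full Control.
        $acl = Get-Acl -LiteralPath $Path
        $acl.SetAccessRuleProtection($true, $false)
        foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            [void]$acl.RemoveAccessRule($ace)
        }
        foreach ($sid in @($adminsSid, $systemSid)) {
            $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
                $sid, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
        }
        Set-Acl -LiteralPath $Path -AclObject $acl
        $repaired = $true
        $findings = @(Get-Findings (Get-Acl -LiteralPath $Path))   # re-check after the rewrite
    }

    [pscustomobject]@{
        Path      = $Path
        Compliant = ($findings.Count -eq 0)
        Repaired  = $repaired
        Findings  = $findings
    }
}

# Usage, report only (add -Repair to apply the step 9b permissions):
# Test-NtdsFolderAcl -Path 'D:\NTDS'
```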

If errors appear when you restart the domain controller:
1. Restart the domain controller in Directory Services Restore Mode.
2. Check the errors in Event Viewer.

If the following events are logged in Event Viewer on restarting the domain controller,
address the events as follows:
Event ID 1046. The Active Directory database engine caused an exception with the
following parameters. In this case, Active Directory cannot recover from this error
and you must restore from backup media.
Event ID 1168. Internal error: An Active Directory error has occurred. In this case,
information is missing from the registry and you must restore from backup media.

Subprocedure 2: Copy the directory database files to a remote share and
back
When copying any database files from the local computer, always copy both the database file and the log files.
If you need to move the database file or the log files while you reconfigure the drive on which they are currently stored, and you do not have sufficient space to move the files locally, then you can use the xcopy command to copy the files to a remote shared folder temporarily, and then use the same procedure to copy them back to the original drive. You can use this method as long as the path to the files does not change.

Important When relocating any database files (the database file or the log files) off the local
computer, always copy both the database file and the log files so that all of the files necessary to
restore the directory service are maintained.

Procedure Requirements
Domain controller is started in Directory Services Restore Mode.
Credentials: local Administrator account.
Shared folder on a remote drive that has enough free space to hold the database file (Ntds.dit) and log files. Create separate subdirectories for copying the database file and the log files.
Disk space:
Temporary location. Free space on the destination drive equivalent to at least the current combined size of the database file or log files, depending on which files you are moving.
Permanent location. Free space on the destination NTFS drive equivalent to at least the following sizes, plus space to accommodate anticipated growth of the environment, depending on which files you are moving.


Caution The drive that is the permanent location of the database or log files must be formatted as
NTFS.
Database file only: The size of the database file plus 20 percent of the Ntds.dit file or 500 MB,
whichever is greater.
Log files only: The size of the combined log files plus 20 percent of the combined logs or 500 MB,
whichever is greater.
Database and logs. If the database and log files are stored on the same partition, free space equal
to at least 20 percent of the combined Ntds.dit and log files, or 1 GB, whichever is greater.


Important The preceding levels are minimum recommended levels. If you follow monitoring
recommendations, falling below these minimum levels generates an alert. Therefore, adding
additional space according to anticipated growth is recommended.
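The following Python function is an added example, not part of this guide, that turns the free-space minimums above (temporary location: the current size of the files being moved; permanent location: the three rules in the Caution) into a check that can run before the move and serve as the monitoring test the Important note refers to. Sizes are in bytes. The growth_factor argument is an assumption of the example, since the guide recommends allowing for growth but gives no figure.

```python
# Added example (not from the Active Directory Product Operations Guide): turns the
# guide's free-space minimums for relocating Ntds.dit and the log files into a
# check a monitoring script can run before and after the move.
MB = 1024 * 1024
GB = 1024 * MB


def _twenty_percent(n_bytes):
    """20 percent of a size, rounded up to the next byte."""
    return -(-n_bytes // 5)


def minimum_free_space(ntds_bytes=0, log_bytes=0, files="both"):
    """Minimum free space at the permanent (NTFS) location, as the guide states it.

    files: "database" (Ntds.dit only), "logs" (log files only) or "both"
    (database and logs stored on the same partition).
    """
    if files == "database":
        # size of the database file plus 20 percent of it or 500 MB, whichever is greater
        return ntds_bytes + max(_twenty_percent(ntds_bytes), 500 * MB)
    if files == "logs":
        # size of the combined logs plus 20 percent of them or 500 MB, whichever is greater
        return log_bytes + max(_twenty_percent(log_bytes), 500 * MB)
    if files == "both":
        # 20 percent of the combined Ntds.dit and log files, or 1 GB, whichever is greater
        combined = ntds_bytes + log_bytes
        return max(_twenty_percent(combined), 1 * GB)
    raise ValueError("files must be 'database', 'logs' or 'both'")


def temporary_location_minimum(ntds_bytes=0, log_bytes=0):
    """The temporary share needs room for the current size of the files being moved."""
    return ntds_bytes + log_bytes


def space_alert(free_bytes, ntds_bytes=0, log_bytes=0, files="both", growth_factor=1.0):
    """Return the alert text the guide's monitoring rule implies, or None when within limits.

    growth_factor scales the minimum for anticipated growth (1.25 plans for 25 percent
    growth). The guide gives no figure, so the factor is an assumption of this example.
    """
    required = int(minimum_free_space(ntds_bytes, log_bytes, files) * growth_factor)
    if free_bytes < required:
        return "ALERT: %d MB free, %d MB required for %s" % (
            free_bytes // MB, required // MB, files)
    return None
```

Run it with the current sizes from the dir command in step 2 of the procedure below and the free space reported for the destination drive; a non-None result means the move should not proceed until more space is available.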

Tools:
Command line: net use, dir, xcopy commands
Ntdsutil.exe (system tool)

Procedure Steps
To copy the directory database and log files to a remote drive and back to the local computer
1. In Directory Services Restore Mode, open a command prompt and change directories to the current location of the database file (Ntds.dit) or the log files. If the database file and log files are in different locations, perform step 2 for each directory.
2. Run the dir command and make a note of the current size and location of the Ntds.dit file and the log files.
3. Establish a network connection to a shared folder, as shown below. Because you are logged on as the local administrator, unless permissions on the shared folder include the built-in Administrator account, you must provide a domain name, user name, and password for an account that has Write permissions on the shared folder.

In the example below, \\SERVER1\NTDS is the name of the shared folder. K: is the drive that you have mapped to the shared folder. Example text that describes information that you type is shown in bold. After typing the first line and pressing ENTER, Ntdsutil.exe prompts you for the password. Type the password and then press ENTER.
H:\>net use K: \\SERVER1\NTDS /user:domainName\userName *
Type the password for \\SERVER1\NTDS:
Drive K: is now connected to \\SERVER1\NTDS
The command completed successfully.
4. Use the xcopy command to copy the database file and log files to the location you established in step 3. In the example where the database file is located in H:\WINNT\NTDS and the share has the subdirectory database, the text you type is shown in bold:
H:>xcopy WINNT\NTDS K:\DB
The command copies the contents of WINNT\NTDS to the subfolder database in the shared folder described as drive K:. If the database file and log files are in different locations, repeat the xcopy command for the log files, specifying the subfolder for the log files.
5. Change drives to the new location and run the dir command to compare the file sizes to those listed in step 2. Use this step to ensure that you copy the correct set of files back to the local computer.
6. At this point, you can safely destroy data on the original local drive.
7. After the destination drive is prepared, re-establish a connection to the network drive as described in step 3, if necessary.
8. Copy the database and log files from the remote shared folder back to the original location on the domain controller.
9. At the command prompt, type ntdsutil and then press ENTER.
10. At the ntdsutil: prompt, type files and then press ENTER.
11. At the file maintenance: prompt, type integrity and then press ENTER.
If the integrity check fails, perform semantic database analysis with a fixup record.
12. If the integrity check succeeds, type quit and press ENTER to quit the file maintenance: prompt. Type quit again and press ENTER to quit Ntdsutil.exe.
13. Restart the domain controller normally. If you are performing this procedure remotely over a Terminal Services connection, be sure that you have modified the Boot.ini file for normal restarting before you restart the domain controller.

If errors appear when you restart the domain controller:
Restart the domain controller in Directory Services Restore Mode.
Check the errors in Event Viewer.

If the following events are logged in Event Viewer on restarting the domain controller, respond to the events as follows:
Event ID 1046. The Active Directory database engine caused an exception with the following parameters. In this case, Active Directory cannot recover from this error and you must restore from backup media.
Event ID 1168. Internal error: An Active Directory error has occurred. In this case, information is missing from the registry and you must restore from backup media.


Procedure: Change the garbage collection logging level to 1
Check the directory service event log for event ID 1646, which reports the amount of disk space that you can recover by performing offline defragmentation.
The garbage collection logging level is an NTDS diagnostics setting in the registry.
Procedure Requirements
Credentials: Domain Admins
Tools: Regedit.exe or Regedt32.exe (system tools)

Procedure Steps

Caution The Registry Editor bypasses standard safeguards, allowing settings that can damage your
system or even require you to reinstall Windows. If you must edit the registry, back up system state
first. For information about backing up system state, see "Active Directory Backup and Restore" in
this guide.

To change the garbage collection logging level
1. In the Run text box, type regedit or regedt32, and then click OK.
2. Navigate to the Garbage Collection entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.
3. Double-click Garbage Collection, and for the Base or Radix, click Decimal.
4. In the Value data or Data box, type an integer from 0 through 5, and then click OK.
Procedure: Take the domain controller offline
Subprocedure 1: If you are logged on to the domain controller locally,
restart the domain controller in Directory Services Restore Mode
To take a domain controller offline, restart it in Directory Services Restore Mode and log on as the local administrator. If you have physical access to the domain controller, you can start in Directory Services Restore Mode locally.
In Directory Services Restore Mode, the domain controller is running as a member server and not as a domain controller. When you start Windows 2000 Server in this mode, the local Administrator account is authenticated by the local Security Accounts Manager (SAM) database. Therefore, logging on requires using the local administrator password, not an Active Directory domain password.
Procedure Requirements
Credentials: local Administrator account
Tool: None

Procedure Steps
To locally restart in Directory Services Restore Mode
1. Restart the domain controller.
2. When the screen for selecting an operating system appears, press F8.
3. From the Windows Advanced Options menu, select Directory Services Restore Mode.
4. When prompted, log on as the local administrator.

Subprocedure 2: If you are using Terminal Services for remote
administration, you can remotely restart the domain controller in Directory
Services Restore Mode after modifying the Boot.ini file on the remote
server
To take a domain controller offline, restart it in Directory Services Restore Mode and log on as the local administrator. If the administrative computer has Terminal Services client installed and the domain controller has Terminal Services installed and configured in Remote Administration mode, you can connect to the domain controller, modify the Boot.ini file, and restart the domain controller in Directory Services Restore Mode.
In Directory Services Restore Mode, the domain controller is running as a member server and not as a domain controller. When you start Windows Server 2003 in this mode, the local Administrator account is authenticated by the local SAM database. Therefore, logging on requires using the local administrator password, not an Active Directory domain password.
Procedure Requirements
Credentials: local Administrator account
Tools: Terminal Services client, Notepad

Procedure Steps
To remotely restart in Directory Services Restore Mode
1. On a Terminal Services client, connect to the domain controller you want to restart in Directory Services Restore Mode. Perform the following steps on the remote domain controller.
2. Right-click My Computer, select Properties, and then select the Advanced tab.
3. Click Settings for startup and recovery.
4. Click the Edit button to edit the startup options file.
5. Modify the default entry to include the safeboot:dsrepair switch, as shown in the following example:

multi(0)disk(0)rdisk(0)partition(2)\WINNT="W2K DC \\<your server name>"
/fastdetect /SAFEBOOT:DSREPAIR

Note The /safeboot:dsrepair switch works for domain controllers running the Windows 2000
Server family.

6. Save the modified Boot.ini file and close Notepad.
7. On the Start menu, click Shut Down and then click Restart. During the restart process, the Terminal Services client reports the session is disconnected.

Caution Be sure to click Restart and not Shut Down at this step. If you click Shut Down, you cannot
remotely restart the domain controller.

8. Wait until the restart process has completed on the remote domain controller, and then reconnect the client session.
9. When reconnected, log on as the local administrator.
10. Right-click My Computer, select Properties, and then select the Advanced tab.
11. Click Settings for startup and recovery.
12. Click the Edit button to edit the startup options file.
13. Delete the /safeboot:dsrepair switch from the default entry in the Boot.ini file and save the file. Close Notepad.


Important If you restart the domain controller before you modify the Boot.ini file, the domain
controller remains offline.

The Boot.ini file is now returned to its original state, which starts the domain controller normally.
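As an added example (not code from this guide), the following Python script makes the Boot.ini change from step 5 and reverses it as in step 13 without touching any other entry, so the switch can neither be left behind nor be added twice. The Boot.ini text and the server name DC1 are a constructed sample; on a real server the text would be read from, and written back to, the file opened by the Startup and Recovery Edit button.

```python
import re

# Added example (not from the Active Directory Product Operations Guide): edits the
# default entry of a Windows 2000 Boot.ini in memory so the /SAFEBOOT:DSREPAIR switch
# is present exactly once (restart into Directory Services Restore Mode) or absent
# (restore normal startup). The server name DC1 below is a constructed sample.
SAFEBOOT_SWITCH = "/SAFEBOOT:DSREPAIR"
_SWITCH_RE = re.compile(r"\s*/safeboot:dsrepair\b", re.IGNORECASE)

SAMPLE_BOOT_INI = (
    "[boot loader]\n"
    "timeout=30\n"
    "default=multi(0)disk(0)rdisk(0)partition(2)\\WINNT\n"
    "[operating systems]\n"
    'multi(0)disk(0)rdisk(0)partition(2)\\WINNT="W2K DC \\\\DC1" /fastdetect\n'
    'multi(0)disk(0)rdisk(0)partition(1)\\WINNT="W2K Recovery" /fastdetect\n'
)


def default_arc_path(text):
    """ARC path named by the default= line of the [boot loader] section."""
    for line in text.splitlines():
        if line.strip().lower().startswith("default="):
            return line.split("=", 1)[1].strip()
    raise ValueError("Boot.ini has no default= entry")


def _is_default_entry(line, default):
    return line.strip().lower().startswith(default.lower() + "=")


def has_dsrepair(text):
    """True when the default operating-system entry carries the DSREPAIR switch."""
    default = default_arc_path(text)
    return any(_is_default_entry(ln, default) and _SWITCH_RE.search(ln)
               for ln in text.splitlines())


def set_dsrepair(text, enable):
    """Return Boot.ini text with the switch added to (or removed from) the default entry only.

    Other entries are never touched, and the operation is idempotent, so running the
    step-13 cleanup twice cannot strip anything else.
    """
    default = default_arc_path(text)
    out = []
    in_os_section = False
    hit = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_os_section = stripped.lower() == "[operating systems]"
        elif in_os_section and _is_default_entry(line, default):
            line = _SWITCH_RE.sub("", line)          # drop any existing copy of the switch
            if enable:
                line = line + " " + SAFEBOOT_SWITCH  # then add exactly one
            hit = True
        out.append(line)
    if not hit:
        raise ValueError("default entry %r not found in [operating systems]" % default)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")
```

Calling set_dsrepair(text, True) before the restart in step 7 and set_dsrepair(text, False) at step 13 reproduces the manual edits; has_dsrepair(text) is the check to run before restarting normally, because a default entry that still carries the switch leaves the domain controller offline, as the Important note above warns.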
Procedure: Compact the directory database file (offline defragmentation)
As part of the offline defragmentation procedure, check directory database integrity.
Performing offline defragmentation creates a new, compacted version of the database file in a different location. This location can be either on the same computer or a network-mapped drive. However, to avoid potential problems related to network issues, perform this procedure locally.
After compacting the file to the temporary location, copy the compacted Ntds.dit file back to the original location. If possible, maintain a copy of the original database file that you have either renamed in its current location or copied to an archival location.
Procedure Requirements
Domain controller is started in Directory Services Restore Mode.
Credentials:
Local domain controller: local Administrator account
Remote location: Read and Write permissions on the destination drive and shared folder

Disk space:

Current database drive. Free space on the drive that contains the file equivalent to at least 15 percent of the current size of the database for temporary storage during the index rebuild process.
Destination database drive. Free space equivalent to at least the current size of the database for storage of the compacted database file.

Tools:
Command line: net use, del, copy commands
Ntdsutil.exe (system tool)

Procedure Steps
To perform offline defragmentation of the directory database
1. In Directory Services Restore Mode, compact the database file to a local directory or remote shared folder, as follows:
Local directory: Go to step 2.
Remote directory: If you are compacting the database file to a shared folder on a remote computer, establish a network connection to the shared folder as shown below. Because you are logged on as the local administrator, unless permissions on the shared folder include the built-in Administrator account, you must provide a domain name, user name, and password for a domain account that has Write permissions on the shared folder. In the example below, \\SERVER1\NTDS is the name of the shared folder, and K: is the drive that you are mapping to the shared folder. Example text that describes information that you type is shown in bold. After typing the first line and pressing ENTER, Ntdsutil.exe prompts you for the password. Type the password and then press ENTER.
H:\>net use K: \\SERVER1\NTDS /user:domainName\userName *
Type the password for \\SERVER1\NTDS:
Drive K: is now connected to \\SERVER1\NTDS
The command completed successfully.
2. At the command prompt, type ntdsutil and then press ENTER.
3. At the ntdsutil: prompt, type files and then press ENTER.
4. At the file maintenance: prompt, type compact to drive:\LocalDirectoryPath (where drive:\LocalDirectoryPath is the path to a location on the local computer) and then press ENTER.
If you have mapped a drive to a shared folder on a remote computer, type the drive letter only (for example, compact to K:\).

Note When compacting to a local drive, you must provide a path. If the path contains any spaces,
enclose the entire path in quotation marks (for example, compact to "c:\new folder"). If the directory
does not exist, Ntdsutil.exe creates it and creates the file named Ntds.dit in that location.

5. If defragmentation completes successfully, type quit and press ENTER to quit the file maintenance: prompt. Type quit again and press ENTER to quit Ntdsutil.exe. Go to step 6.
If defragmentation completes with errors, go to step 9.

Caution Do not overwrite the original Ntds.dit file or delete any log files.

6. If defragmentation succeeds with no errors, then follow the Ntdsutil.exe onscreen instructions to delete all of the log files in the log directory by typing del drive:\pathToLogFiles\*.log


Note You do not need to delete the Edb.chk file.

If space allows, either rename the original Ntds.dit file to preserve it or else copy it to a different location. Avoid overwriting the original Ntds.dit file. Manually copy the compacted database file to the original location, as follows:
copy temporaryDrive:\ntds.dit originalDrive:\pathToOriginalDatabaseFile\ntds.dit
7. Type ntdsutil and then press ENTER.
8. At the ntdsutil: prompt, type files and then press ENTER.
9. At the file maintenance: prompt, type integrity and then press ENTER.

If the integrity check fails, the likely cause is that an error occurred during the copy operation in step 6.b. Repeat steps 6.b. through step 9. If the integrity check fails again:
Contact Microsoft Product Support Services.
-or-
Copy the original version of the Ntds.dit file that you preserved in step 6.a. to the original database location and repeat the offline defragmentation procedure.
10. If the integrity check succeeds, proceed as follows:
If the initial compact to command failed, go back to step 4 and perform steps 4 through 9.
If the initial compact to command succeeded, type quit and press ENTER to quit the file maintenance: prompt, and then type quit and press ENTER again to quit Ntdsutil.exe.

11. Restart the domain controller normally. If you are connected remotely through a Terminal Services session, be sure that you have modified the Boot.ini file for normal restarting before you restart the domain controller.
If errors appear when you restart the domain controller:
1. Restart the domain controller in Directory Services Restore Mode.
2. Check the errors in Event Viewer.

If the following events are logged in Event Viewer on restarting the domain controller, respond to the events as follows:
Event ID 1046. The Active Directory database engine caused an exception with the following parameters. In this case, Active Directory cannot recover from this error and you must restore from backup media.
Event ID 1168. Internal error: An Active Directory error has occurred. In this case, information is missing from the registry and you must restore from backup media.

3. Check database integrity and then proceed as follows:
If the integrity check fails, try repeating step 6.b through step 9 above, and then repeat the integrity check. If the integrity check fails again:
Contact Microsoft Product Support Services.
-or-
Copy the original version of the Ntds.dit file that you preserved in step 6.a. to the original database location and repeat the offline defragmentation procedure.
If the integrity check succeeds, perform semantic database analysis with fixup.
4. If semantic database analysis with fixup succeeds, quit Ntdsutil.exe and restart the domain controller normally.
5. If semantic database analysis with fixup fails, contact Microsoft Product Support Services.

Procedure: If database integrity check fails, perform semantic database
analysis with fixup
When you run semantic database analysis with the Go Fixup command instead of the Go command, errors are written into Dsdit.dmp.xx log files. A progress indicator reports the status of the check.
Procedure Requirements
Domain controller is started in Directory Services Restore Mode.
Credentials: local Administrator account
Tool: Ntdsutil.exe (system tool)

Procedure Tasks
To perform semantic database analysis with fixup
1. If you are not already at the ntdsutil: prompt, open a command prompt, type ntdsutil, and then press ENTER.
2. At the ntdsutil: prompt, type semantic database analysis and then press ENTER.
3. At the semantic checker: prompt, type verbose on and then press ENTER.
4. At the semantic checker: prompt, type go fixup and then press ENTER.

If errors are reported during the semantic database analysis Go Fixup phase, perform directory database recovery.

WARNING Do not confuse the recover command with the repair command. Never use the
repair command in Ntdsutil.exe. Forest-wide data loss can occur.

If semantic database analysis with fixup succeeds, type quit and then type quit again to close Ntdsutil.exe, and then restart the domain controller normally. If you are performing this procedure remotely over a Terminal Services connection, be sure that you have modified the Boot.ini file for normal restarting before you restart the domain controller.


Procedure: Start the File Replication service
Use this procedure to restart the File Replication service and review the FRS event log to ensure that the restart succeeded.
Procedure Requirements
Credentials: Domain Admins
Tools: Net.exe, Event Viewer

Procedure Steps
To start the File Replication service
1. At a command prompt, type net start ntfrs and press ENTER.
2. You can use Event Viewer to verify that NTFRS restarted correctly. Event ID 13501 indicates that the service restarted. Look for event ID 13516 to verify that the domain controller is running and ready for service. If you moved SYSVOL to a new location or relocated the Staging Area folder, look for event IDs 13553 and 13556, which indicate success.

Procedure: Stop the File Replication service
Use this procedure to stop the File Replication service.
Procedure Requirements
Credentials: Domain Admins
Tools: Net.exe

Procedure Steps
To stop the File Replication service
At a command prompt, type net stop ntfrs and press ENTER.

Procedure: Change the space allocated to the Staging Area folder
This procedure outlines the steps needed to modify the registry entry that restricts the amount of disk space allocated to the staging area in SYSVOL.

Caution The Registry Editor bypasses standard safeguards, allowing settings that can damage your
system or even require you to reinstall Windows. If you must edit the registry, back up system state
first. For information about backing up system state, see "Active Directory Backup and Restore" in
this guide.

Procedure Requirements
Credentials: Domain or Enterprise Admins
Tools: Regedit.exe

Procedure Steps
To change the space allocated to the Staging Area folder
1. In the Run text box, type regedit and press ENTER.
2. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFRS\Parameters.
3. Double-click Staging Space Limit in KB to open the Edit dialog box.
4. In the Base frame, select Decimal.
5. For Value Data enter a value from 10000 through 2000000000. Do not use commas. Click OK.
6. Close the Registry Editor.

Procedure: Reset the File Replication Service Staging folder to a different
logical drive
Use this procedure to reset the FRS Staging folder to a different logical drive.
Procedure Requirements
Credentials: Domain Admins
Tools: Net.exe, Event Viewer

Procedure Steps
To reset the FRS Staging folder
1. Start the Adsiedit program.
2. Under Domain NC, locate the NTFRS Subscriber object under the host computer account in Active Directory. The generic path for this attribute is: CN=Replica Set Name, CN=NTFRS Subscriptions, CN=Computername, DC=Domain Name, DC=COM.
For example, to reset the staging path for the SYSVOL replica set of domain controller \\DC1 in the A.com domain, the distinguished name (also known as DN) path for the FrsStagingPath parameter is:
CN=Domain System Volume (SYSVOL share), CN=NTFRS Subscriptions, CN=DC1, DC=A,DC=COM
Where (when you read the distinguished name path from right to left):
DC=A,DC=COM is the domain hosting the computer account.
CN=DC1 is the host computer account in the domain naming context (NC).
CN=NTFRS Subscriptions is the NtfrsSubscriber object that holds the FrsStagingPath parameter.
CN=Domain System Volume (SYSVOL share) is the FRS subscriber object.
3. Open the properties for the NTFRS Subscriber object [in this example, it is Domain System Volume (SYSVOL share)], by right-clicking the object, and then clicking Properties.
4. Click fRSStagingPath in the list of parameters, and click the Edit button.
5. Enter the path to the new location for the FRS Staging folder and click OK.
6. Click OK to close the Properties window.
7. Make sure that the staging path has been updated in the registry:
a. Start the Registry Editor (Regedt32.exe) on the server where you are changing the staging path.
b. Locate the following subkey:
HKEY_LOCAL_MACHINE\System\CCS\Services\NTFRS\Parameters\Replica Sets
c. Locate the replica set you are updating the staging area for. All replica sets are displayed as a GUID. If you click a GUID, one of the values on the right is Replica Set Name. After you locate the correct replica set, change the value of Replica Set Stage to the new staging area path.

When the service detects a change in the staging path, the following event ID 13563 is logged with a series of self-explanatory steps on how to proceed:

Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13563
Date: 3/6/2003
Time: 7:13:01 PM
User: N/A
Computer: <Computer name>
Description: The File Replication service has detected that the staging path for the replica set DOMAIN SYSTEM VOLUME (SYSVOL SHARE) has changed.
Current staging path = E:\Windows\Sysvol\Staging\Domain
New staging path = E:\Frsstage
The service will start using the new staging path after it restarts. The service is set to restart after every restart.
It is recommended that you manually restart the service to prevent loss of data in the Staging folder.
To manually restart the service
1. Run net stop ntfrs or use the Services snap-in to stop the File Replication service.
2. Move all the staging files corresponding to replica set DOMAIN SYSTEM VOLUME (SYSVOL SHARE) to the new staging location. If more than one replica set is sharing the current Staging folder, then it is safer to copy the staging files to the new Staging folder.
3. net start ntfrs or use the Services snap-in to start the File Replication service, followed by net start ntfrs.
For more information, visit the Advanced Search and Help page at http://www.microsoft.com/contentredirect.asp.
Microsoft recommends that you follow step 2 in the preceding event message because the FRS Staging folder may contain thousands or tens of thousands of files in the original Staging folder, all of which may be destined for one or more downstream partners. In Windows Explorer, you can view the files in the staging folder. On the Folder Options menu, click the View tab, and then click to select the Show hidden files and folders check box. Copy the files to the new Staging folder, and then follow the remaining steps in the event log message.
Procedure: Identify replication partners
Use this procedure to examine the Connection objects for a domain controller and determine its replication partners.
Procedure Requirements
Credentials: Domain Admins
Tool: Active Directory Sites and Services

Procedure Steps
To identify replication partners
1. In Active Directory Sites and Services, expand the Sites container to display the list of sites.
2. Double-click the site that contains your domain controller.


Note If you do not know the site that contains your domain controller, open a command prompt
and type ipconfig to get the IP address of the domain controller. Use the IP address to verify that an
IP address maps to a subnet and determine the site association.

3. Expand the Servers folder to display the list of servers in that site.
4. Expand the name of your domain controller to display its NTDS settings.
5. Double-click NTDS Settings to display the list of Connection objects in the details pane (these represent inbound connections used for replication). The From Server column displays the names of the domain controllers that are the replication partners.
Procedure: Force domain controller removal
Procedure Steps
To force domain controller removal
1. Click Start, click Run, and then type the following command:
dcpromo /forceremoval
2. Click OK.
3. At the Welcome to the Active Directory Installation Wizard page, click Next.
4. At the Force the Removal of Active Directory page, click Next.
5. In Administrator Password, type the password and confirmed password that you want to assign to the Administrator account of the local SAM database, and then click Next.
6. In Summary, click Next.

Procedure: Check the status of the shared SYSVOL
You do not need to perform the test on every partner, but you need to perform enough tests to be confident that the shared system volumes on the partners are healthy.
This test involves checking Event Viewer to make sure that the File Replication service is started properly and then ensuring that the SYSVOL and Net Logon shared folders are created.
Procedure Requirements
Credentials: Domain Admin
Tools: Event Viewer, Net.exe

Procedure Steps
To check the status of the shared SYSVOL
1. In Event Viewer, click File Replication Service in the Event Viewer tree to display the FRS events.
2. Look for an event 13516 with a date and time stamp that corresponds with the recent restart. It can take 15 minutes or more to appear. An event 13508 indicates that FRS is in the process of starting the service. An event 13509 indicates that the service has started successfully. Event 13516 indicates that the service is started, the folders are shared, and the domain controller is functional.
3. To verify the shared folder is created, open a command prompt and type net share to display a list of the shared folders on this domain controller, including Net Logon and SYSVOL.
4. At a command prompt, type dcdiag /test:netlogons and press ENTER.
5. Look for a message that states computername passed test NetLogons where computername is the name of the domain controller. If you do not see the test passed message, some problem will prevent replication from functioning. This test verifies that the proper logon privileges are set to allow replication to occur. If this test fails, verify the permissions set on the Net Logon and SYSVOL shared folders.
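The following Python script is an added example, not part of this guide, that automates the event checks the procedures above describe: event IDs 1046 and 1168 after a restart (restore from backup media), 13508, 13501, 13509 and 13516 (FRS startup stages), 13553 and 13556 (SYSVOL or Staging folder move succeeded), 13563 (staging path changed, restart FRS manually), and the "passed test NetLogons" line from dcdiag. The CSV log exports, event source names, messages and dcdiag output are constructed samples; a real run would feed it an export saved from Event Viewer.

```python
import csv
import io

# Added example (not from the Active Directory Product Operations Guide): triages
# Directory Service and File Replication service events the guide tells you to look
# for after a restart. The log exports below are constructed for the example; source
# names and messages are sample values, not captured from a real domain controller.
DS_EVENTS_REQUIRING_RESTORE = {
    1046: "database engine exception; Active Directory cannot recover, restore from backup media",
    1168: "internal error, registry information missing; restore from backup media",
}
FRS_STARTUP_EVENTS = {
    13508: "starting",
    13501: "started",
    13509: "started",
    13516: "ready",   # service started, SYSVOL and NETLOGON shared, DC functional
}
FRS_RELOCATION_SUCCESS = {13553, 13556}
FRS_STAGING_PATH_CHANGED = 13563

HEALTHY_LOG = """source,event_id,message
NtFrs,13508,FRS is starting the service
NtFrs,13501,File Replication service started
NtFrs,13509,service started successfully
NtFrs,13553,SYSVOL relocation completed
NtFrs,13556,staging folder relocation completed
NtFrs,13516,SYSVOL and NETLOGON shared; domain controller functional
"""

BROKEN_LOG = """source,event_id,message
NTDS,1046,database engine caused an exception
NtFrs,13508,FRS is starting the service
"""

SAMPLE_DCDIAG = """Starting test: NetLogons
   ......................... DC1 passed test NetLogons
"""


def parse_events(text):
    """Parse a CSV export into (source, event_id, message) tuples."""
    return [(r["source"], int(r["event_id"]), r["message"])
            for r in csv.DictReader(io.StringIO(text))]


def _frs_ids(events):
    return {eid for src, eid, _ in events if src.lower() == "ntfrs"}


def restore_required(events):
    """Event IDs that mean the directory must be restored from backup media."""
    return sorted({eid for _, eid, _ in events if eid in DS_EVENTS_REQUIRING_RESTORE})


def frs_startup_status(events):
    """Furthest startup stage FRS reached: not started / starting / started / ready."""
    order = ["not started", "starting", "started", "ready"]
    reached = 0
    for eid in _frs_ids(events):
        if eid in FRS_STARTUP_EVENTS:
            reached = max(reached, order.index(FRS_STARTUP_EVENTS[eid]))
    return order[reached]


def relocation_succeeded(events):
    """True only when both success events for a SYSVOL or Staging folder move are present."""
    return FRS_RELOCATION_SUCCESS <= _frs_ids(events)


def staging_path_changed(events):
    """True when FRS logged 13563, i.e. the staging files must be moved and FRS restarted."""
    return FRS_STAGING_PATH_CHANGED in _frs_ids(events)


def netlogons_passed(dcdiag_output, computername):
    """True when dcdiag /test:netlogons output reports '<computername> passed test NetLogons'."""
    needle = "%s passed test netlogons" % computername.lower()
    return any(needle in line.lower() for line in dcdiag_output.splitlines())


def triage(text):
    """Summarise one log export into the decisions the guide's procedures call for."""
    events = parse_events(text)
    return {
        "restore_from_backup": restore_required(events),
        "frs": frs_startup_status(events),
        "relocation_ok": relocation_succeeded(events),
        "restart_frs_for_staging_move": staging_path_changed(events),
    }
```

Because the FRS stages are ordered, frs_startup_status reports the furthest stage reached rather than the last event seen, so a 13516 that appears later than a 13508 is still reported as ready, matching the guidance that 13516 can take 15 minutes or more to appear.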
Procedure: Prepare a domain controller for non-authoritative SYSVOL
restore
Initiate a non-authoritative restore of SYSVOL by modifying the value of the BurFlags (backup/restore flags) registry entry. Changing the value to D2 (hexadecimal) or 210 (decimal) prior to disconnecting a domain controller initiates an automatic non-authoritative restore of SYSVOL when the domain controller is restarted.
Separate entries exist for global and replica-set-specific BurFlags, as follows:
To initiate a non-authoritative restore of SYSVOL when it is the only replica set that is represented on the domain controller, set the value of the global BurFlags (REG_DWORD) entry under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
If other replica sets are represented on the domain controller and you want to restore only SYSVOL, set the value of the replica-set-specific BurFlags (REG_DWORD) entry under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\SYSVOL GUID
Modifying the replica-set-specific BurFlags entry requires identifying the SYSVOL GUID in the registry.
Procedure Requirements
Credentials: Domain Admins
Tool: Regedit.exe

Procedure Steps
To prepare a domain controller for non-authoritative SYSVOL restore
1. In the Run text box, type regedit and then click OK.
2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters
3. Expand Parameters.
4. Modify one of the BurFlags entries as follows:

To modify the global BurFlags entry:
Expand Backup/Restore and then click Process at Startup.
To modify the replica-set-specific BurFlags entry:
Expand both Cumulative Replica Sets and Replica Sets.
Match the GUID under Replica Sets to the identical GUID under Cumulative Replica Sets, and click the matching GUID under Cumulative Replica Sets.

5. In the details pane, double-click BurFlags.
6. In the Value data box, type D2 hexadecimal or 210 decimal, and then click OK.

Procedure: Create the SYSVOL folder structure
Use this procedure to create the SYSVOL folder structure. The %systemroot%\SYSVOL folder is at the top of the folder tree for the Windows system volume. To properly move SYSVOL, you must move the %systemroot%\SYSVOL folder and its contents. A subfolder of %systemroot%\SYSVOL is also named sysvol. Ensure that you move the proper folder (the %systemroot%\SYSVOL folder) and not the subfolder (%systemroot%\SYSVOL\sysvol). Do not confuse the two folders.
Procedure Requirements
Credentials: Domain Admins
Tool: Windows Explorer

Procedure Steps
To create the SYSVOL folder structure
1. In Windows Explorer, navigate to the folder that represents your current Windows system volume. By default, this is the %systemroot%\SYSVOL folder.
2. Right-click the SYSVOL folder, and then click Copy.
3. In Windows Explorer, navigate to the new location you created in the console tree, right-click the new location, and click Paste. You might see a dialog box stating that some files already exist and a prompt asking whether you want to continue copying the folder. At each such prompt, click No.
4. Verify that the folder structure was copied correctly. Compare the new folder structure to the original. Open a command prompt and type dir /s to list the contents of the folders. Ensure that all folders exist. If any folders are missing at the new location (such as \scripts), then recreate them.

Procedure: Set the SYSVOL path
Use this procedure to set the new path to the system volume in the registry.

Caution The Registry Editor bypasses standard safeguards, allowing settings that can damage your
system or even require you to reinstall Windows. If you must edit the registry, back up system state
first. For information about backing up system state, see "Active Directory Backup and Restore" in
this guide.

Procedure Requirements
Credentials: Domain Admins
Tool: Regedit.exe

Procedure Steps
To set the SYSVOL path
1. In the Run text box, type regedit and press ENTER.
2. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. Double-click SysVol to open the Edit dialog box.
4. For Value Data, enter the new path. Include the drive letter. Click OK.
5. Close the Registry Editor.


Note The path in the registry points to the SYSVOL folder located inside the SYSVOL folder that is
under the root. When updating the path in the registry, ensure that it still points to the SYSVOL folder
inside the SYSVOL folder that is under the root.

Procedure: Set the staging area path
Use this procedure to modify the fRSStagingPath parameter for a domain controller in Active Directory in order to change the location of the Staging Area folder on that domain controller. Perform this procedure at the console of the domain controller that is hosting the SYSVOL that you must reconfigure.
Procedure Requirements
Credentials: Domain Admins
Tools: Regedit.exe, ADSI Edit, Linkd.exe

Procedure Steps
To set the staging area path
1. In the Run dialog box, type adsiedit.msc and press ENTER.
2. Double-click Domain NC [computername], where computername is the name of this domain controller. Verify that Domain NC expands to display the domain component (DC=) folder.
3. Click the domain component to display the containers and OUs in the details pane. Double-click the Domain Controller OU to display the containers that represent the domain controllers.
4. Double-click the container that represents this domain controller (CN=computername) to display more containers.
5. Double-click the CN=NTFRS Subscriptions container.
6. Right-click the CN=Domain System Volume container and click Properties.
7. In the Select which properties to view list, select Mandatory.
8. In the Select a property to view list, select fRSStagingPath.
9. In the Edit Attribute box, enter the complete path to the new location where you want to locate the Staging Area folder (the path to the new folder that you created earlier). Include the drive letter. Click Set, and then click OK.
10. At a command prompt, change the directory to %systemroot%\SYSVOL\staging areas. Type dir to list the contents. Verify that <JUNCTION> appears in the DIR output.
11. Update the junction so that it points to the new location. Type the following command:

linkd junctionname newpath
where newpath is the same value that you entered for fRSStagingPath earlier. Press ENTER.

Procedure: Update security on the new SYSVOL
This procedure applies the default security settings to the new SYSVOL folders. The settings will be the equivalent of those set by default during Active Directory installation. If additional security settings have been applied to the system volume since Active Directory was installed, you must reapply those settings after completing this procedure.

WARNING Failure to reapply security changes made after Active Directory was installed might result
in unauthorized access to logon and logoff scripts and Group Policy objects.

Procedure Requirements
Credentials: Domain Admins
Tools: Regedit.exe, Secedit.exe, Notepad.exe

Procedure Steps
To update security on the new SYSVOL
1. In the Run text box, type regedit and press ENTER.
2. In the registry editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. Note the path stored under SysVol.
3. In Control Panel, double-click System.
4. On the Advanced tab, click Environment Variables.
5. Under System Variables, click New.
6. For Variable Name, type sysvol.
7. For Variable Value, type path (where path is the path that you noted in step 2). Click OK twice. Click OK again to close Properties.
8. Use Notepad to create a file. Open Notepad and enter the following information:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Profile Description]
Description=default perms for sysvol
[File Security]
;"%SystemRoot%\SYSVOL",0,"D:AR(A;OICI;FA;;;BA)"
"%Sysvol%",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
"%Sysvol%\domain\policies",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;PA)"

9. Use this file to apply the security settings to the new SYSVOL folders. Save this file as Sysvol.inf.
10. Open a new command prompt. Do not use an existing command prompt that has been open on your desktop because it will not have the proper environment settings. Change the directory to the folder where you saved the Sysvol.inf file.
11. At the command prompt, type the following command on one line:
SECEDIT /Configure /cfg sectemplatepath\sysvol.inf /db sectemplatepath\sysvol.db /overwrite
where sectemplatepath is the path to where you saved Sysvol.inf. Press ENTER.
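The SDDL strings in the template above decide who can change logon scripts and Group Policy files, which is what the warning at the start of this procedure is about. The following Python is an added example for this page, not code from the guide or from Secedit.exe: it parses the [File Security] entries and their SDDL strings and reports which principals hold write-capable rights on each path, so a template can be reviewed before it is applied or compared with the default. The SID and rights abbreviations are the standard SDDL ones; the sample template is the one from step 8, and the drifted variant is constructed for the check.

```python
"""Decode the [File Security] entries of a Sysvol.inf security template.
Added example for this page (not code from the guide or from Secedit.exe): lists
which principals get write-capable access on each path before the template is applied."""
import re

# Standard SDDL abbreviations for the SIDs and rights used in the template.
SID_ALIASES = {"AU": "Authenticated Users", "SO": "Server Operators",
               "BA": "Builtin Administrators", "SY": "Local System",
               "CO": "Creator Owner", "PA": "Group Policy Creator Owners"}
RIGHT_ALIASES = {"GA": "generic all", "GR": "generic read", "GW": "generic write",
                 "GX": "generic execute", "SD": "delete", "WD": "write DAC",
                 "WO": "write owner", "FA": "file all access"}
WRITE_CAPABLE = {"GA", "GW", "SD", "WD", "WO", "FA"}   # rights that can alter content or ACLs
# Principals the default template intends to be able to write under SYSVOL.
DEFAULT_WRITERS = ("Builtin Administrators", "Local System", "Creator Owner",
                   "Group Policy Creator Owners")

ACE_RE = re.compile(r"\(([^)]*)\)")
ENTRY_RE = re.compile(r'^"([^"]+)",(\d+),"([^"]+)"$')


def _pairs(field):
    """Split 'GRGWGX' into ['GR', 'GW', 'GX']; a hex mask such as 0x1200a9 stays whole."""
    return [field] if field.startswith("0x") else [field[i:i + 2] for i in range(0, len(field), 2)]


def parse_dacl(sddl):
    """Return (protected, aces) for a DACL SDDL string such as 'D:P(A;CIOI;GRGX;;;AU)'.
    'P' makes the DACL protected: nothing is inherited from the parent folder."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL ('D:') SDDL string")
    body = sddl[2:]
    first = body.find("(")
    control = body if first < 0 else body[:first]
    aces = []
    for ace in ACE_RE.findall(body):
        fields = ace.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({ace})")
        ace_type, flags, rights, _obj_guid, _inherit_guid, trustee = fields
        rights_list = _pairs(rights)
        aces.append({
            "type": ace_type,                      # 'A' = allow, 'D' = deny
            "flags": _pairs(flags),                # CI/OI = container/object inherit
            "rights": [RIGHT_ALIASES.get(r, r) for r in rights_list],
            "trustee": SID_ALIASES.get(trustee, trustee),
            "write": ace_type == "A" and bool(set(rights_list) & WRITE_CAPABLE),
        })
    return "P" in control, aces


def parse_file_security(inf_text):
    """Return [(path, mode, sddl), ...] from [File Security]; ';' lines are comments."""
    entries, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[file security]"
            continue
        if in_section:
            match = ENTRY_RE.match(line)
            if not match:
                raise ValueError(f"unparsable [File Security] line: {line}")
            entries.append((match.group(1), int(match.group(2)), match.group(3)))
    return entries


def writers_by_path(inf_text):
    """Map each secured path to the sorted trustees holding write-capable allow ACEs."""
    return {path: sorted({a["trustee"] for a in parse_dacl(sddl)[1] if a["write"]})
            for path, _mode, sddl in parse_file_security(inf_text)}


def unexpected_writers(inf_text, allowed=DEFAULT_WRITERS):
    """Paths on which a principal outside `allowed` can write: the review check."""
    findings = {}
    for path, writers in writers_by_path(inf_text).items():
        extra = [w for w in writers if w not in allowed]
        if extra:
            findings[path] = extra
    return findings


# The template from step 8 above, each entry on one line.
SYSVOL_INF = r'''[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Profile Description]
Description=default perms for sysvol
[File Security]
;"%SystemRoot%\SYSVOL",0,"D:AR(A;OICI;FA;;;BA)"
"%Sysvol%",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
"%Sysvol%\domain\policies",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;PA)"
'''
# Constructed drifted variant: Authenticated Users granted full control on policies.
DRIFTED_INF = SYSVOL_INF.replace(r'policies",2,"D:P(A;CIOI;GRGX;;;AU)',
                                 r'policies",2,"D:P(A;CIOI;GA;;;AU)')

if __name__ == "__main__":
    for path, writers in writers_by_path(SYSVOL_INF).items():
        print(f"{path}: write-capable -> {', '.join(writers)}")
    print("unexpected writers in drifted template:", unexpected_writers(DRIFTED_INF))
```

On the guide's template, Authenticated Users and Server Operators end up read-and-execute only, while Builtin Administrators, Local System and Creator Owner get full control, and Group Policy Creator Owners additionally get write and delete on the policies folder; the leading P on each DACL means nothing weaker inherited from the parent can widen that. Running unexpected_writers over a template that has drifted from this default is a quick way to spot an extra writer before Secedit applies it.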

Procedure: Import the SYSVOL folder structure
Use this procedure to copy the SYSVOL folder structure from another domain controller. The %systemroot%\SYSVOL folder is at the top of the folder tree for the Windows system volume. To properly import SYSVOL, you must copy the %systemroot%\SYSVOL folder and its contents.
To use this procedure, the default shared folder Admin$ must exist on the domain controller from which you plan to copy the SYSVOL folder structure. Some organizations remove this shared folder or rename it for security reasons. If this shared folder is not available, you must share the %systemroot% folder and name the share point Admin$. If you share the %systemroot% folder in order to complete this procedure, ensure that you remove the share point after the procedure is complete in order to maintain any security policies established on your network. If the Admin$ share has been renamed, then use the name assigned by your organization instead of Admin$ while completing this procedure.

WARNING Never copy information from the system volume on one domain controller to the system
volume on another domain controller unless you have stopped the File Replication service and
configured SYSVOL for a non-authoritative restore during startup. Failure to do so can cause invalid
data to be replicated and cause the system volumes on various domain controllers to become
inconsistent.

Procedure Requirements
Credentials: Domain Admins
Tools: Windows Explorer, Linkd.exe

Procedure Steps
To import the SYSVOL folder structure
1. Use Windows Explorer to delete the existing %systemroot%\SYSVOL folder that you are rebuilding.
2. Connect to the Admin$ share on the domain controller that you identified earlier as the replication partner from which you plan to copy the SYSVOL folder structure.
3. Once you are connected to the Admin$ share point, verify that a folder labeled SYSVOL appears. Right-click the SYSVOL folder, and click Copy.
4. In the same directory, find some blank space and right-click. Click Paste. You might see a dialog box stating that some files already exist and a prompt asking whether you want to continue copying the folder. At each such prompt, click No.
5. Verify that the original SYSVOL folder and a new folder labeled Copy of SYSVOL both appear. Right-click Copy of SYSVOL and click Rename. Type SYSVOL2 and press ENTER.
6. Open a command prompt. Change to the drive letter that represents the connection to the remote domain controller where you created the SYSVOL2 folder.
7. Change the directory to SYSVOL2\sysvol.
8. Type dir and press ENTER. Verify that <JUNCTION> appears in the Dir output and is followed by the name of the domain.
9. You must update the path in this junction so that it points to the new location. Type the following command:
linkd junctionname newpath
where newpath is the new value you recorded in row 4 of Table 1 while gathering the system volume path information. Press ENTER.
10. If the staging area has been relocated and is no longer inside the SYSVOL folder, skip steps 10 and 11 and proceed to step 12. At a command prompt, change the directory to \SYSVOL2\staging areas under the copy of SYSVOL that you created. Type dir to list the contents and verify that <JUNCTION> appears in the Dir output.
11. Update the junction so that it points to the new location. Type the following command:
linkd junctionname newpath
where newpath is the new value that you recorded in row 5 of Table 1 while gathering system volume path information. Press ENTER.
12. At the command prompt, change back to the %systemroot% for the domain controller that you are repairing.
13. From the command prompt, use the Xcopy command to copy the contents of the \SYSVOL2 folder you created to a new SYSVOL folder on your local drive. Type the following command:
xcopy drive:\sysvol2\*.* sysvol\*.* /s /e /h /c /y
where drive is the letter representing the connection to the remote domain controller. Press ENTER.
14. Verify that the folder structure copied correctly. Compare the new folder structure to the SYSVOL (not the SYSVOL2) on the remote domain controller. Open a command prompt and type dir to list the contents of the folders. Ensure that all folders exist.
15. Remove the SYSVOL2 folder that you created on the remote domain controller.
16. Disconnect from the remote domain controller. If you had to create a shared folder on that domain controller in order to connect to it, remove the shared folder. Some organizations consider it a security risk to retain shared folders that are not in use.
17. Restart the domain controller in normal mode.

Procedure: Configure time on the forest-root PDC emulator
Use the following procedure to configure the time service on the forest root PDC emulator. Perform the procedure on the PDC emulator.
Procedure Requirements
Credentials: Domain Admins or local administrator on the PDC emulator
Tools: Net time, W32tm.exe, Ping

Procedure Steps
To configure time on the forest root PDC emulator
1. Use the Ping utility to verify that the SNTP server is reachable. Type ping server (where server is the DNS name or IP address of the SNTP server), and then press ENTER.
2. Open UDP port 123 for outgoing traffic on the firewall if needed.
3. Open UDP port 123 (or a different port you have selected) for incoming SNTP traffic.
4. At the command prompt, type w32tm -portnumber (where portnumber is the server port specified in step 3), and then press ENTER.
5. At the command prompt, type net time /setsntp:server (where server is the DNS name or IP address of the SNTP server), and then press ENTER.
6. To verify that the manually configured time source has been set, at the command prompt, type net time /querysntp and then press ENTER.
Verify that the name of the SNTP server is displayed.
7. To make the change take effect, stop and restart the time service.
8. At the command prompt, type net stop w32time and then press ENTER.
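Step 1 confirms reachability with ICMP, which says nothing about whether the UDP port 123 traffic from steps 2 and 3 gets through or whether the replies are usable. The following Python is an added example for this page, not code from the guide, from W32Time or from Net time: it builds the 48-byte SNTP client request that a time client sends, parses a server reply, computes the clock offset and round-trip delay from the four timestamps, and applies the checks a client should make before accepting a sample. The reply must be a server-mode packet, must not carry the unsynchronized alarm, must echo the client's own transmit timestamp in its originate field, and the resulting offset must be within tolerance. The timestamps and the server reply are constructed inline; the 300-second tolerance is this example's assumption, taken from the default Kerberos clock skew, not a setting from the guide.

```python
"""Build an SNTP request and validate a server reply (RFC 4330 packet layout).
Added example for this page; not code from the guide or from W32Time/Net time."""
import struct

NTP_PORT = 123                      # the UDP port opened in steps 2 and 3
NTP_UNIX_DELTA = 2208988800         # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
PACKET = "!BBBbII4s8I"              # 48-byte SNTP header, network byte order
MAX_SKEW_SECONDS = 300.0            # assumed acceptable offset (the default Kerberos clock skew)


def to_ntp(unix_seconds):
    """Unix time -> NTP (seconds, fraction) pair; fraction is in 1/2**32 units."""
    whole = int(unix_seconds)
    frac = int(round((unix_seconds - whole) * 2**32))
    return (whole + NTP_UNIX_DELTA) & 0xFFFFFFFF, frac & 0xFFFFFFFF


def from_ntp(seconds, fraction):
    """NTP (seconds, fraction) pair -> Unix time as a float."""
    return seconds - NTP_UNIX_DELTA + fraction / 2**32


def build_client_request(t1):
    """Client packet: LI=0, VN=4, mode=3; only the transmit timestamp (T1) is set."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return struct.pack(PACKET, li_vn_mode, 0, 0, 0, 0, 0, b"\0\0\0\0",
                       0, 0, 0, 0, 0, 0, *to_ntp(t1))


def build_server_reply(t1, t2, t3, stratum=2, ref_id=b"\x0a\x00\x00\x01", li=0):
    """Server packet (mode 4), used here to construct test traffic: originate=T1, receive=T2, transmit=T3."""
    li_vn_mode = (li << 6) | (4 << 3) | 4
    return struct.pack(PACKET, li_vn_mode, stratum, 6, -20, 0, 0, ref_id,
                       0, 0, *to_ntp(t1), *to_ntp(t2), *to_ntp(t3))


def parse_packet(data):
    """Decode the SNTP header into a dict; timestamps come back as Unix floats."""
    if len(data) < 48:
        raise ValueError("SNTP packet shorter than 48 bytes")
    f = struct.unpack(PACKET, data[:48])
    li_vn_mode, stratum, poll, precision, _root_delay, _root_disp, ref_id = f[:7]
    ts = f[7:]
    return {"li": li_vn_mode >> 6, "vn": (li_vn_mode >> 3) & 7, "mode": li_vn_mode & 7,
            "stratum": stratum, "poll": poll, "precision": precision, "ref_id": ref_id,
            "reference": from_ntp(ts[0], ts[1]), "originate": from_ntp(ts[2], ts[3]),
            "receive": from_ntp(ts[4], ts[5]), "transmit": from_ntp(ts[6], ts[7])}


def offset_and_delay(t1, t2, t3, t4):
    """RFC 4330: clock offset and round-trip delay from the four timestamps."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def evaluate_reply(data, t1, t4, max_skew=MAX_SKEW_SECONDS):
    """Apply the checks a client should make before accepting a reply as a time sample."""
    r = parse_packet(data)
    if r["mode"] != 4:
        return {"ok": False, "reason": "not a server-mode reply"}
    if r["li"] == 3:
        return {"ok": False, "reason": "server reports its clock is not synchronized"}
    if not 1 <= r["stratum"] <= 15:
        return {"ok": False, "reason": f"unusable stratum {r['stratum']}"}
    if abs(r["originate"] - t1) > 1e-6:
        # A reply that does not echo our transmit timestamp was not produced for our
        # request; accepting it would let unsolicited packets steer the clock.
        return {"ok": False, "reason": "originate timestamp does not match our request"}
    offset, delay = offset_and_delay(t1, r["receive"], r["transmit"], t4)
    if delay < 0:
        return {"ok": False, "reason": "negative round-trip delay", "offset": offset, "delay": delay}
    if abs(offset) > max_skew:
        return {"ok": False, "reason": "offset exceeds tolerance", "offset": offset, "delay": delay}
    return {"ok": True, "reason": "", "offset": offset, "delay": delay}


# Constructed timestamps (Unix seconds), chosen to be exact in binary fractions.
T1 = 1_700_000_000.0      # client sends the request
T2 = T1 + 1.25            # server receives it (server clock runs 1 s ahead of ours)
T3 = T1 + 1.5             # server sends the reply
T4 = T1 + 0.75            # client receives the reply

if __name__ == "__main__":
    print("request mode:", parse_packet(build_client_request(T1))["mode"])
    print("evaluation:", evaluate_reply(build_server_reply(T1, T2, T3), T1, T4))
```

With the constructed timestamps the computed offset is 1.0 s and the round-trip delay 0.5 s, so the sample is accepted; a reply whose originate field does not match, one carrying leap indicator 3, or one that would move the clock by more than the tolerance is rejected before it can influence the PDC emulator's time, and with it the Kerberos tickets issued across the forest.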

Procedure: Remove a time source configured on the forest-root PDC emulator
Use the following procedure to remove a time source configured on the forest root PDC emulator. Perform the procedure on the PDC emulator.
Procedure Requirements
Credentials: Domain Admins or local administrator on the PDC emulator
Tool: Net time

Procedure Steps
To remove a time source configured on the forest root PDC emulator
1. At the command prompt, type net time /setsntp and then press ENTER.
2. To verify that the manually configured time source has been cleared, at the command prompt, type net time /querysntp and then press ENTER.
Verify that you receive the following message: This computer is not currently configured to use a specific SNTP server.

Procedure: Configure the selected computer as a reliable time source

Caution The Registry Editor bypasses standard safeguards, allowing settings that can damage your
system or even require you to reinstall Windows. If you must edit the registry, back up system state
first. For information about backing up system state, see Active Directory Backup and Restore in
this guide.

Perform the following procedure on the selected computer to configure it as a reliable time source.
Procedure Requirements
Credentials: Domain Admins
Tool: Regedit.exe

Procedure Steps
To configure the selected computer as a reliable time source
1. At the command prompt, type regedit and then press ENTER.
2. Navigate to the following registry key and change the value to 1:
Hkey_Local_Machine\System\CurrentControlSet\Services\W32Time\Config\AnnounceFlags = 0x5
3. Run w32tm /config /update.

Procedure: Set a manually configured time source on a selected computer
Use the following procedure to manually set the time source for a client computer.
Procedure Requirements
Credentials: Domain Admins
Tool: Net time

Procedure Steps
To set a manually configured time source on a selected computer
1. Use the Ping utility to ensure that the SNTP server is reachable from the client. Type ping server (where server is the DNS name or IP address of the SNTP server), and then press ENTER.
2. At the command prompt, type net time /setsntp:server (where server is the DNS name or IP address of the SNTP server), and then press ENTER.
3. To verify that the manually configured time source has been set, at the command prompt, type net time /querysntp and then press ENTER.
Verify that the name of the SNTP server is displayed.

Procedure: Remove a manually configured time source on a selected computer
Use the following procedure to remove a manually configured time source on a selected computer.
Procedure Requirements
Credentials: Domain Admins
Tool: Net time

Procedure Steps
To remove a manually configured time source on a selected computer
1. At the command prompt, type net time /setsntp and then press ENTER.
2. To verify that the manually configured time source has been cleared, at the command prompt, type net time /querysntp and then press ENTER.
Verify that you receive the following message: This computer is not currently configured to use a specific SNTP server.

Procedure: Change polling interval

Caution The Registry Editor bypasses standard safeguards, allowing settings that can damage your
system or even require you to reinstall Windows. If you must edit the registry, back up system state
first. For information about backing up system state, see Active Directory Backup and Restore in
this guide.

1. At the command prompt, type the following command and then press ENTER:
w32tm -period value
where value is one of the following:

Value                                Frequency
0                                    Once a day
"BiDaily"                            Twice a day
"Tridaily"                           Three times a day
"Weekly"                             Once every seven days
"SpecialSkew"                        Once every 45 minutes until three good synchronizations occur, then once every 8 hours (3 per day) [default]
"DailySpecialSkew"                   Once every 45 minutes until one good synchronization occurs, then once every day
A number equal to the number of      The number of times per day you want to synchronize
times per day

2. To make the change take effect, stop and restart the time service.
a. At the command prompt, type net stop w32time and then press ENTER.
b. At the command prompt, type net start w32time and then press ENTER.
3. Verify that the interval has been changed in the registry.
a. At the command prompt, type regedit and then press ENTER.
b. Navigate to the following registry key and verify that the value is correct:
Hkey_Local_Machine\System\CurrentControlSet\Services\W32Time\Parameters\Period.

Procedure: Disable time service
Use the following procedure to disable the W32Time service.
Procedure Requirements
Credentials: Domain Admins
Tool: Services snap-in

Procedure Steps
To disable the W32Time service
1. Open Administrative Tools, and select Services.
2. Right-click Windows Time, and select Properties.
The Windows Time Properties dialog box appears.
3. In the Startup Type field, select Disabled from the drop-down menu.
4. Click OK. Verify that the type for the time service appears as Disabled.

Procedure: Create a one-way trust (MMC method)
For the following two subprocedures, a member of Domain Admins in the trusted domain performs the first procedure and a member of Domain Admins in the trusting domain performs the second procedure.
Procedure Steps
To create a one-way trust relationship in the trusted domain
1. With the administrator of the other domain, agree on a secure channel password to be used in establishing the trust.
2. In the trusted domain, log on as a member of Domain Admins.
3. In Active Directory Domains and Trusts, expand the domain tree until the trusted domain name appears, and then right-click the trusted domain node.
4. Click Properties, and then click the Trusts tab.
5. Next to the Domains that trust this domain box, click Add.
6. In the Trusting domain box, type the trusting domain name. If you are adding a Windows 2000 domain, type the full DNS name (noamreskit.com in this example). If the domain is running an earlier version of Windows, type the domain name (noam in this example).
7. In the Password box, type the agreed-upon password.
8. In the Confirm password box, retype the password, and then click OK.
9. A message appears that says the trust cannot be verified. Click OK.


Note The reason for this error is that Windows 2000 is attempting to verify the secure channel. It
cannot verify the secure channel at this time because the other side of the trust is not yet created.

10. Click OK to close the Properties sheet.

To create a one-way trust relationship in the trusting domain
1. In the trusting domain, log on as a member of Domain Admins.
2. In Active Directory Domains and Trusts, expand the domain tree until the trusting domain name appears, and then right-click the trusting domain node.
3. Click Properties, and then click the Trusts tab.
4. Next to the Domains trusted by this domain box, click Add.
5. In the Trusted domain box, type the trusted domain name. If you are adding a Windows Server 2003 domain, type the full DNS name (acquired.com in this example). If the domain is running an earlier version of Windows, type the domain name (acquired in this example).
6. In the Password box, type the agreed-upon password.
7. In the Confirm password box, retype the password, and then click OK.
8. A message appears that says the trusted domain has been added and the trust verified. Click OK.
9. A message appears asking if you want to verify the trust. Click Yes, and then click OK.
10. Click OK to close the Properties sheet.


Note If the trust is successfully created in both domains, click Yes to verify the trust. If the trust has
been created in the trusted domain, clicking Yes returns an error. When the trust is created in the
trusted domain, the trust takes effect. You do not need to verify the trust for the trust to take effect.

Procedure: Create a one-way trust (Netdom.exe method)
For the following procedure, you create both sides of the one-way trust with one command. You must have the domain administrator passwords for both domains.
Procedure Steps
To create a one-way trust using Netdom.exe
Open a command prompt and type the following command:
netdom trust /d:trusteddomain trustingdomain /add
where trusteddomain is the trusted domain, and trustingdomain is the trusting domain. If the domain is Windows 2000, use the full DNS name; if it is Windows NT 4.0, use the domain name. Press ENTER.
You may enter the administrator passwords, using /Pd: for the trusted domain password and /Po: for the trusting domain password. If you do not enter the passwords, you will be prompted for them.
Example:
netdom trust /d:acquired.com noam.com /add /Ud:acquired.com\admin /Pd:xxxx /Uo:noam.com\admin /Po:yyyy

Procedure: Create a two-way trust (MMC method)
For the following two procedures, a member of Domain Admins in the first domain performs the first procedure and a member of Domain Admins in the second domain performs the second procedure.
Procedure Steps
To create both directions of two one-way trust relationships in the first domain
1. With the administrator of the other domain, agree on a secure channel password to be used in establishing the trust.
2. In the first domain, log on as a member of Domain Administrators.
3. In Active Directory Domains and Trusts, expand reskit.com, and then right-click noam.reskit.com.
4. Click Properties, and then click the Trusts tab.
5. Next to the Domains trusted by this domain box, click Add.
6. In the Trusted domain box, type the trusted domain name. If you are adding a Windows 2003 domain, type the full DNS name. If the domain is running an earlier version of Windows, type the domain name.
7. In the Password box, type the agreed-upon password.
8. In the Confirm password box, retype the password, and then click OK.
9. A message appears that says the trust cannot be verified. Click OK.


Note The reason for this error is that Windows 2003 is attempting to verify the secure channel. It
cannot verify the secure channel at this time because the other side of the trust is not yet created.

10. Next to the Domains that trust this domain box, click Add.
11. In the Trusting domain box, type the trusting domain name. If you are adding a Windows 2000 domain, type the full DNS name (acquired01-int.com in this example). If the domain is running an earlier version of Windows, type the domain name (acquired01-int in this example).
12. In the Password box, type the agreed-upon password.
13. In the Confirm password box, retype the password, and then click OK.
14. A message appears asking if you want to verify the trust. Click Yes.
15. Click OK to close the Properties sheet.


Note If the trust is successfully created in the acquired01-int.com domain, click Yes to verify the
trust. If the trust is not created, clicking Yes returns an error. When the trust is created in acquired01-
int.com, the trust takes effect. You do not need to verify the trust for the trust to take effect.

Procedure: Create a two-way trust (Netdom.exe method)
For the following procedure, you create both sides of the two-way trust with one command. You must have the Domain Admins passwords for both domains.
Procedure Steps
To create a two-way trust by using Netdom.exe
Open a command prompt and type the following command:
netdom trust /d:trusteddomain trustingdomain /add /twoway
where trusteddomain is the trusted domain, and trustingdomain is the trusting domain. If the domain is Windows 2000, use the full DNS name; if it is Windows NT 4.0, use the domain name. Press ENTER.
You may also enter the administrator passwords, using /Pd: for the trusted domain password and /Po: for the trusting domain password; if you do not enter the passwords, you will be prompted for them.
Example:
netdom trust /d:acquired.com noam.com /add /twoway /Ud:acquired.com\admin /Pd:xxxx /Uo:noam.com\admin /Po:yyyy

Procedure: Remove a manually created trust by using the Active Directory Domains and Trusts snap-in
You can remove a manually created trust by using Active Directory Domains and Trusts or by using Netdom.exe.
Procedure Steps
To remove a trust by using Active Directory Domains and Trusts
1. Log on to the first domain.
2. In Active Directory Domains and Trusts, in the console tree, right-click one of the domain nodes involved in the trust you want to remove, and then click Properties.
3. Click the Trusts tab.
4. In either Domains trusted by this domain or Domains that trust this domain, click the trust to be removed, and then click Remove.
5. Repeat this procedure for the other domain involved in the trust.

Procedure: Remove a manually created trust by using Netdom.exe
You can remove a manually created trust by using Active Directory Domains and Trusts or by using Netdom.exe.
Procedure Steps
To remove a trust using Netdom.exe, use one of the following procedures, depending on whether the trust is one-way or two-way.
To remove a one-way trust, open a command prompt and type the following command, and then press ENTER:
netdom trust /d:trusteddomain trustingdomain /remove
where trusteddomain is the trusted domain, and trustingdomain is the trusting domain. If the domain is Windows Server 2003, use the full DNS name; if it is Windows NT 4.0, use the domain name. You will be prompted for the administrator password.
-or-
To remove a two-way trust, open a command prompt and type the following command, and then press ENTER:
netdom trust /d:trusteddomain trustingdomain /remove /twoway
where trusteddomain is the trusted domain, and trustingdomain is the trusting domain. If the domain is running Windows Server 2003, use the full DNS name; if it is running Windows NT 4.0, use the domain name. You must have credentials for both domains. You will be prompted for both passwords.

Procedure: Configure SID filtering
The administrator of the trusting domain applies SID filtering to filter out migrated SIDs stored in SIDHistory from specific domains. For example, where an external trust relationship exists so that the noam domain trusts the acquired domain, an administrator of the noam domain can apply SID filtering to the acquired domain, which allows all SIDs with a domain SID from the acquired domain to pass, but all other SIDs (such as those from migrated SIDs stored in SIDHistory) to be discarded.
Procedure Requirements
Credentials: Domain Admins of trusting domain
Tool: Netdom.exe (support tools)

Procedure Steps
To configure SID filtering
1. Log on to the trusting domain with an account with domain administrator credentials.
2. At the command prompt, type netdom /filtersids trusteddomain (where trusteddomain is the domain whose SIDs you want to filter), and then press ENTER.
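The rule the paragraph above describes, as an added example for this page (not code from the guide or from Netdom.exe): a SID presented across the trust is kept only if its domain identifier is that of the trusted domain, and every other SID, including SIDHistory entries carried over from the domain a user was migrated from, is discarded. The trusted domain SID and the list of presented SIDs are constructed for the illustration; the real implementation applies further rules beyond the one the guide states, so treat this as a model of that rule, not of the whole mechanism.

```python
"""Model of the SID filtering rule described above for an external trust.
Added example for this page (not code from the guide or from Netdom.exe): keeps
only SIDs whose domain part is the trusted domain's and discards everything else."""
import re

SID_RE = re.compile(r"^S-1-(\d+)(?:-(\d+))*$")


def parse_sid(sid):
    """Validate an 'S-1-<authority>-<sub>...' string; return (authority, [sub-authorities])."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a valid SID string: {sid}")
    parts = sid.split("-")[2:]
    return int(parts[0]), [int(p) for p in parts[1:]]


def domain_identifier(sid):
    """Return the domain SID of an account or group SID (everything before the RID).

    Domain-relative SIDs have the form S-1-5-21-<a>-<b>-<c>-<RID>; anything shorter,
    such as the well-known S-1-5-11 (Authenticated Users), has no domain part.
    """
    authority, subs = parse_sid(sid)
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        return "S-1-5-" + "-".join(str(s) for s in subs[:-1])
    return None


def filter_sids(trusted_domain_sid, presented_sids):
    """Split SIDs presented across the trust into (allowed, discarded) per the guide's rule."""
    allowed, discarded = [], []
    for sid in presented_sids:
        if domain_identifier(sid) == trusted_domain_sid:
            allowed.append(sid)
        else:
            discarded.append(sid)
    return allowed, discarded


# Constructed sample: the trusted 'acquired' domain and the authorization data of a
# user who was migrated into it and still carries SIDHistory from the old domain.
ACQUIRED_DOMAIN = "S-1-5-21-1111-2222-3333"
PRESENTED = [
    "S-1-5-21-1111-2222-3333-1105",   # the user's account in acquired
    "S-1-5-21-1111-2222-3333-513",    # Domain Users in acquired
    "S-1-5-21-9999-8888-7777-512",    # SIDHistory: Domain Admins of the old domain
    "S-1-5-21-9999-8888-7777-1203",   # SIDHistory: a group from the old domain
    "S-1-5-21-4444-5555-6666-512",    # SIDHistory entry carrying a SID from the trusting (noam) domain
]

if __name__ == "__main__":
    kept, dropped = filter_sids(ACQUIRED_DOMAIN, PRESENTED)
    print("allowed:", kept)
    print("discarded:", dropped)
```

Only the two SIDs issued by the acquired domain survive; the SIDHistory entries are dropped regardless of which domain they name, which is the point of applying the filter on the trusting side, where the administrator controls it. Note that domain_identifier returns None for well-known SIDs, so they also fall into the discarded list under this simplified rule.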
Procedure: Remove SID filtering
Procedure Requirements
Credentials: Domain Admins of trusting domain
Tool: Netdom.exe (support tools)

Procedure Steps
To remove SID filtering
1. Log on to the trusting domain with an account with domain administrator credentials.
2. At the command prompt, type netdom /filtersids no trusteddomain (where trusteddomain is the trusted domain where you had previously applied SID filtering, which you now want to remove), and then press ENTER.

Procedure: Create a Site object and add it to an existing site link
To create a new site, you must create a Site object and add it to a site link.
Procedure Requirements
Credentials: Enterprise Admins
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To create a Site object
1. In Active Directory Sites and Services, right-click the Sites container and then click New Site.
2. In the Name box, type the name of the site.
3. In the Link Name list, click a site link for this site, and then click OK.
4. In the Active Directory message box, read the information, and then click OK.

Procedure: Associate a range of IP addresses with the site
Subprocedure 1: Create a Subnet object or objects and associate them with the new site
To create a Subnet object, you must have the following information:
The site to which the subnet is to be associated.
The network address or any IP address in the range.
The subnet mask.

Active Directory Sites and Services converts this information into the subnet address.
Procedure Requirements
Credentials: Enterprise Admins
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To create a Subnet object
1. In Active Directory Sites and Services, expand the Sites container.
2. Right-click Subnets, and then click New Subnet.
3. In the New Object - Subnet dialog box, in the Address box, type the network address or any IP address within the range of IP addresses for the subnet.
4. In the Mask box, type the subnet mask.
5. In the Site Name box, click the site to which this subnet is being associated, and then click OK.

Subprocedure 2: Associate an existing Subnet object with the new site

Associate an existing subnet with a site under the following conditions:
When you are removing the site to which the subnet was associated.
When you have temporarily associated the subnet with a different site and want to associate it with its permanent site.

Procedure Requirements
Credentials: Enterprise Admins
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To associate an existing Subnet object with a site
1. In Active Directory Sites and Services, expand the Sites container, and then click the Subnets container.
2. In the details pane, right-click the subnet with which you want to associate the site, and then click Properties.
3. In the Site box, click the site with which to associate the subnet, and then click OK.

Active Directory Product Operations Guide 184
Procedure: Create a Site Link object, if appropriate, and add the new site and at least one other site to the Site Link object
To link sites for replication, create a Site Link object in the container for the intersite transport that will replicate the site, and add the sites to it.
Procedure Requirements
Credentials: Enterprise Admins
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To create a Site Link object
1. In Active Directory Sites and Services, expand the Sites container and then the Inter-Site Transports container.
2. Right-click IP, and then click New Site Link.
3. In the Name box, type a name for the site link.
4. In the Sites not in this site link box, click a site that you want to add to the site link. Hold down the SHIFT key to click a second site that is adjacent in the list, or the CTRL key to click a second site that is not adjacent in the list.
5. After selecting all of the sites that you want added to the site link, click Add, and then click OK.

Procedure: Remove the site from the site link
If, while performing the previous procedure, you added the new site to an existing site link temporarily in order to create the site, use Site Link properties to remove a site from a site link.
Procedure Requirements
Credentials: Enterprise Admins
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To remove a site from a site link
1. In Active Directory Sites and Services, expand the Sites container and then the Inter-Site Transports container.
2. Click IP. In the details pane, right-click the site link from which you want to remove a site, and then click Properties.
3. In the Sites in this site link box, click the site you want to remove from the site link.
4. Click Remove, and then click OK.

Procedure: Create a Subnet object and associate it with the appropriate site
To create a Subnet object, you must have the following information:
The site with which the subnet is to be associated.
The network address or any IP address in the range.
The subnet mask.

Active Directory Sites and Services converts this information into the subnet address.
Procedure Requirements
Credentials: Enterprise Admins
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To create a Subnet object
1. In Active Directory Sites and Services, expand the Sites container.
2. Right-click Subnets, and then click New Subnet.
3. In the New Object - Subnet dialog box, in the Address box, type the network address or any IP address within the range of IP addresses for the subnet.
4. In the Mask box, type the subnet mask.
5. In the Site Name box, click the site with which this subnet is being associated, and then click OK.

Procedure: Create a Site Link object in the IP container and add the appropriate sites
To link sites for replication, create a Site Link object in the container for the intersite transport that will replicate the site, and add the sites to it.
Procedure Requirements
Credentials: Enterprise Admins
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To create a Site Link object
1. In Active Directory Sites and Services, expand the Sites container and then the Inter-Site Transports container.
2. Right-click IP, and then click New Site Link.
3. In the Name box, type a name for the site link.
4. In the Sites not in this site link box, click a site that you want to add to the site link. Hold down the SHIFT key to click a second site that is adjacent in the list, or the CTRL key to click a second site that is not adjacent in the list.
5. After selecting all of the sites that you want added to the site link, click Add, and then click OK.

Procedure: Generate the intersite topology
By default, the KCC runs every 15 minutes to generate the replication topology. To initiate replication topology generation immediately, use the following procedures to refresh the intersite topology.
Subprocedure 1: Determine the ISTG role owner for the site
To determine the current Inter-Site Topology Generator (ISTG) role owner for a site, view the NTDS Site Settings object properties.
Procedure Requirements
Credentials: Domain Users
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To determine the ISTG role owner for a site
1. In Active Directory Sites and Services, click the site object whose ISTG you want to determine.
2. In the details pane, right-click the NTDS Site Settings object, and then click Properties. The current role owner appears in the Server box under Inter-Site Topology Generator.

Subprocedure 2: Generate the replication topology on the ISTG

The Knowledge Consistency Checker (KCC) runs by default every 15 minutes. If you want to initiate topology regeneration immediately, you can force the KCC to run as follows:
To generate the intersite replication topology, run the KCC on the domain controller in the site that holds the ISTG role; only the ISTG creates the connections between sites.
To generate the intrasite replication topology, run the KCC on any domain controller in the site; every domain controller builds its own intrasite connections, so the ISTG is not required for this.

Procedure Requirements
Credentials: Enterprise Admins
Tool: Active Directory Sites and Services (Administrative Tools)
Identity of the ISTG role holder in the site

Procedure Steps
To generate the replication topology
1. In Active Directory Sites and Services, expand the Sites container, and then expand the site that contains the server on which you want to run the KCC.
2. Click Servers, and then click a Server object.
3. Expand the Server object to display the NTDS Settings object.
4. Right-click NTDS Settings, click All Tasks, and then click Check Replication Topology.
5. In the Check Replication Topology message box, click OK.

Procedure: Configure the site link schedule to identify times during which intersite replication can occur
Use the properties on the Site Link object to define when replication is allowed. Obtain the schedule from the design team.
Procedure Requirements
Credentials: Enterprise Admins
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To configure the site link schedule
1. In Active Directory Sites and Services, expand the Sites container and the Inter-Site Transports container, and then click the IP container.
2. In the details pane, right-click the Site Link object you want to configure, and then click Properties.
3. In the SiteLinkName Properties dialog box, click Change Schedule.
4. In the Schedule for SiteLinkName dialog box, select the block of days and hours during which you want replication to occur or not occur (available or not available), and then click the appropriate option.
5. Click OK twice.

Procedure: Configure the site link interval to identify how often replication polling can occur during the schedule window
Use the properties on the Site Link object to determine how often during the available replication schedule you want bridgehead servers to poll their intersite replication partners for changes. Obtain the interval value from the design team.
Procedure Requirements
Credentials: Enterprise Admins
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To configure the site link interval
1. In Active Directory Sites and Services, expand the Sites container and the Inter-Site Transports container, and then click the IP container.
2. In the details pane, right-click the Site Link object you want to configure, and then click Properties.
3. In the Replicate every _____ minutes box, specify the number of minutes for the intervals at which replication polling occurs during an open schedule, and then click OK.

Procedure: Configure the site link cost to establish a priority for replication routing
When creating or modifying site links, use the object properties to configure the relative cost of using the site link.
Procedure Requirements
Credentials: Enterprise Admins
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To configure site link cost
1. In Active Directory Sites and Services, expand the Sites container and the Inter-Site Transports container, and then click the IP container.
2. In the details pane, right-click the Site Link object you want to configure, and then click Properties.
3. In the Cost box, specify the number for the comparative cost of using the site link, and then click OK. The ISTG routes replication over the path with the lowest total cost, so the link you want preferred gets the lower number.
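The subnet, site link, schedule, interval and cost changes from the preceding procedures, together with the ISTG lookup and forced KCC run, done with the ActiveDirectory PowerShell module instead of the snap-in. This is an added example and not code from the guide; the site names HQ and Branch01, the subnet 10.20.30.0/24, the link name HQ-Branch01 and the schedule window are assumed values standing in for what the design team supplies.

```powershell
# Added example (not from the guide): the snap-in procedures above as a script.
# Requires the ActiveDirectory module (Windows Server 2008 R2 or later). Site names,
# subnet, link name, cost, interval and schedule are assumed for illustration.
Import-Module ActiveDirectory

$NewSite  = 'Branch01'
$HubSite  = 'HQ'
$Subnet   = '10.20.30.0/24'
$LinkName = 'HQ-Branch01'

# Site object; skip if it already exists.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$NewSite'")) {
    New-ADReplicationSite -Name $NewSite
}

# Subnet: create it associated with the site, or re-associate an existing one
# (Subprocedure 2 above).
if (Get-ADReplicationSubnet -Filter "Name -eq '$Subnet'") {
    Set-ADReplicationSubnet -Identity $Subnet -Site $NewSite
} else {
    New-ADReplicationSubnet -Name $Subnet -Site $NewSite
}

# Site link in the IP transport containing both sites, with cost and polling interval.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$LinkName'")) {
    New-ADReplicationSiteLink -Name $LinkName -SitesIncluded $HubSite, $NewSite `
        -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 30
} else {
    Set-ADReplicationSiteLink -Identity $LinkName -SitesIncluded @{Add = $NewSite} `
        -Cost 100 -ReplicationFrequencyInMinutes 30
}

# Schedule: replication allowed only 20:00-06:00 every day (assumed design value).
# ResetSchedule() marks every slot unavailable; SetDailySchedule() opens a range.
$ns = 'System.DirectoryServices.ActiveDirectory'
$schedule = New-Object "$ns.ActiveDirectorySchedule"
$schedule.ResetSchedule()
$schedule.SetDailySchedule([System.DirectoryServices.ActiveDirectory.HourOfDay]::Twenty,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::TwentyThree,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)
$schedule.SetDailySchedule([System.DirectoryServices.ActiveDirectory.HourOfDay]::Zero,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Five,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)
Set-ADReplicationSiteLink -Identity $LinkName -ReplicationSchedule $schedule

# Verify the link, then force the KCC on the ISTG of the hub site instead of waiting
# for the 15-minute cycle. InterSiteTopologyGenerator is the DN of the ISTG's
# NTDS Settings object; the server name is its second RDN.
Get-ADReplicationSiteLink -Identity $LinkName -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Format-List Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded

$istgDn = (Get-ADReplicationSite -Identity $HubSite -Properties InterSiteTopologyGenerator).InterSiteTopologyGenerator
if ($istgDn) {
    $istg = $istgDn -replace '^CN=NTDS Settings,CN=([^,]+),.*$', '$1'
    "ISTG for $HubSite is $istg; running the KCC there now"
    repadmin /kcc $istg
}
```

The subnet step mirrors the two subprocedures in the guide (create or re-associate), and the schedule is built with the same available/not-available semantics as the Change Schedule dialog. A site with no domain controllers yet has no ISTG, which is why the final block checks the attribute before calling repadmin.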

Procedure: Change the static IP address of the domain controller
This procedure includes changing all appropriate TCP/IP values, including preferred and alternate DNS servers, as well as WINS servers (if appropriate). Obtain these values from the design team.
If you change the static IP address of a domain controller, you must also change related TCP/IP settings accordingly. A new address can also fall into a different subnet, so confirm that the Subnet object covering the new address is associated with the domain controller's site.
Procedure Requirements
Credentials: Administrators
Tool: My Network Places
Required information:
IP address
Subnet mask
Default gateway address
Preferred and alternate DNS server addresses
WINS server addresses, if appropriate

Procedure Steps
To change the static IP address of a domain controller
1. Log on locally to the server for which you want to change the IP address.
2. On the desktop, right-click My Network Places and then click Properties.
3. In the Network and Dial-up Connections dialog box, right-click Local Area Connection, and then click Properties.
4. In the Local Area Connection Properties dialog box, double-click Internet Protocol (TCP/IP).
5. In the Internet Protocol (TCP/IP) Properties dialog box, in the IP address box, type the new address.
6. In the Subnet mask box, type the subnet mask.
7. In the Default gateway box, type the default gateway.
8. In the Preferred DNS server box, type the address of the DNS server that this computer contacts.
9. In the Alternate DNS server box, type the address of the DNS server that this computer contacts if the preferred server is unavailable.
10. If this domain controller uses WINS servers, click Advanced and then, in the Advanced TCP/IP Settings dialog box, click the WINS tab.
11. If an address in the list is no longer appropriate, click the address, and then click Edit.
12. In the TCP/IP WINS Server dialog box, type the new address, and then click OK.
13. Repeat steps 11 and 12 for all addresses that need to be changed, and then click OK twice to close the TCP/IP WINS Server dialog box and the Advanced TCP/IP Settings dialog box.
14. Click OK to close the Internet Protocol (TCP/IP) Properties dialog box.

Procedure: Create a delegation for the domain controller
If the parent DNS zone of any zone that is hosted by this DNS server contains a delegation to this DNS server, use this procedure to update the IP address in all such delegations.
This procedure creates a delegation for a new domain controller that is also a DNS server in the parent DNS domain. If your forest root domain has a parent DNS domain, perform these steps on a DNS server in the parent domain. If you just added a new domain
controller to a child domain, perform these steps on a DNS server in the DNS parent domain. By following recommended practices, the parent domain is the forest root domain.
Procedure Requirements
Credentials: Domain Admins
Tool: DNS Manager

Procedure Steps
To create a delegation for a new domain controller
1. From the DNS snap-in, navigate to child_domain (where child_domain is the name of the child domain) in the console tree.
2. In the console tree, right-click child_domain, and then click Properties.
3. In the child_domain Properties sheet, on the Name Servers tab, click Add.
4. In the New Resource Record dialog box, in the Server name box, type child_dc.child_domain.parent_domain (where child_dc is the name of the new domain controller, child_domain is the name of the child domain, and parent_domain is the name of the parent domain).
5. In the New Resource Record dialog box, in the IP address box, type ip_address (where ip_address is the IP address of the child domain controller), click Add, and then click OK.

Procedure: Determine whether the server is a preferred bridgehead server
Preferred bridgehead servers are distinguished by a property on the Server object that adds the server to the preferred bridgehead server list for the IP transport.
Procedure Requirements
Credentials: Domain Users
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To determine whether a domain controller is a preferred bridgehead server
1. In Active Directory Sites and Services, expand the Sites container and the site in which the server object resides.
2. Expand the Servers container to display the domain controllers currently configured for that site.
3. Right-click the Server object of interest, and then click Properties.
4. If IP appears in the box labeled This server is a preferred bridgehead server for the following transports, the server is a preferred bridgehead server for the IP transport.

Procedure: Configure the server to not be a preferred bridgehead server
Use the Server object properties to remove a preferred bridgehead server from the IP transport.
Procedure Requirements
Credentials: Domain Admins
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To configure a domain controller to not be a preferred bridgehead server
1. In Active Directory Sites and Services, expand the Sites container, and then expand the site of the preferred bridgehead server.
2. Expand the Servers node to display the list of domain controllers currently configured for that site.
3. Right-click the server you want to remove, and then click Properties.
4. If IP appears in the list that marks this server as a bridgehead server for the IP transport, click IP, click Remove, and then click OK.

Procedure: Move the Server object to the new site
Moving a Server object requires that the IP address of the domain controller maps to the site to which you are moving the Server object. After you have verified that the IP address maps to the target site, use the following procedure to move the Server object to the site.
Procedure Requirements
Credentials: Enterprise Admins
Tools: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To move a Server object to a different site
1. In Active Directory Sites and Services, expand the Sites container and the site in which the server object resides.
2. Expand the Servers container to display the domain controllers that are currently configured for that site.
3. Right-click the Server object you want to move, and then click Move.
4. In the Site Name box, click the destination site, and then click OK.
5. Expand the Site object to which you moved the server, and then expand the Servers container.
6. Verify that an object for the server you moved exists.
7. Expand the Server object and verify that an NTDS Settings object exists.

Within an hour, the Net Logon service on the domain controller registers the new site information in DNS. Wait an hour and then open Event Viewer and connect to the domain controller whose Server object you moved. Review the directory service log for Net Logon errors regarding registration of SRV resource records in DNS that have occurred within the last hour. The absence of errors indicates that Net Logon has updated DNS with site-specific SRV resource records. Net Logon event ID 5774 indicates that the registration of DNS resource records has failed. If this error occurs, contact a supervisor and pursue DNS troubleshooting.
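The move procedure above depends on a check the snap-in does not do for you: that the domain controller's address really maps to the destination site through a Subnet object. This added example (not from the guide) performs that longest-prefix check the way the locator does, moves the Server object, forces the Net Logon registration instead of waiting an hour, and then looks for the site-specific SRV record and for event 5774. The domain controller name DC03 and the site Branch01 are assumed.

```powershell
# Added example (not from the guide): verify IP-to-site mapping, move the Server
# object, then check SRV registration and Net Logon 5774 events. Names are assumed.
Import-Module ActiveDirectory

function Test-IPv4InCidr {
    param([string]$IPv4, [string]$Cidr)
    $net, $prefix = $Cidr -split '/'
    $ipBytes  = ([System.Net.IPAddress]$IPv4).GetAddressBytes()
    $netBytes = ([System.Net.IPAddress]$net).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        # mask bits that fall in this octet: 8, 0, or a partial count for the boundary octet
        $bits = [Math]::Min(8, [Math]::Max(0, [int]$prefix - 8 * $i))
        $mask = (0xFF -shl (8 - $bits)) -band 0xFF
        if (($ipBytes[$i] -band $mask) -ne ($netBytes[$i] -band $mask)) { return $false }
    }
    return $true
}

function Find-ADSiteForIPv4 {
    # Longest-prefix match over the forest's Subnet objects, as the DC locator does.
    param([string]$IPv4)
    $match = Get-ADReplicationSubnet -Filter * -Properties Site |
        Where-Object { $_.Name -notmatch ':' -and (Test-IPv4InCidr -IPv4 $IPv4 -Cidr $_.Name) } |
        Sort-Object { [int]($_.Name -split '/')[1] } -Descending |
        Select-Object -First 1
    if ($match) { $match.Site -replace '^CN=([^,]+),.*$', '$1' }   # site DN -> site name
}

$Dc         = 'DC03'        # assumed
$TargetSite = 'Branch01'    # assumed
$dcObject   = Get-ADDomainController -Identity $Dc
$mappedSite = Find-ADSiteForIPv4 -IPv4 $dcObject.IPv4Address

if ($mappedSite -ne $TargetSite) {
    throw "$Dc ($($dcObject.IPv4Address)) maps to site '$mappedSite', not '$TargetSite'. Fix the Subnet objects first."
}

Move-ADDirectoryServer -Identity $Dc -Site $TargetSite

# Net Logon re-registers within an hour on its own; force it now and check the records.
Invoke-Command -ComputerName $dcObject.HostName -ScriptBlock { nltest /dsregdns } | Out-Null
$srv = Resolve-DnsName -Name "_ldap._tcp.$TargetSite._sites.$($dcObject.Domain)" -Type SRV -ErrorAction SilentlyContinue
if ($srv.NameTarget -notcontains $dcObject.HostName) {
    Write-Warning "$($dcObject.HostName) has no site-specific LDAP SRV record in $TargetSite yet."
}

# Net Logon event 5774 is the guide's failure indicator; look in both logs it may land in.
$failures = Get-WinEvent -ComputerName $dcObject.HostName -FilterHashtable @{
    LogName = 'System', 'Directory Service'; ProviderName = 'NETLOGON'; Id = 5774
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue
if ($failures) { $failures | Select-Object TimeCreated, Message } else { "No Net Logon 5774 events in the last hour." }
```

The mapping check matters for more than replication: a domain controller whose address maps to no site, or to the wrong one, is advertised in the wrong site-specific SRV records and clients in the branch will authenticate across the WAN. The throw before Move-ADDirectoryServer makes that condition a hard stop rather than something discovered an hour later in Event Viewer.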

Procedure: Delete the Site Link object
Use the following procedure to delete the Site Link object.
Procedure Requirements
Credentials: Enterprise Admins
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To delete a Site Link object
1. In Active Directory Sites and Services, expand the Sites container and the Inter-Site Transports container, and then click the IP container.
2. In the details pane, right-click the Site Link object you want to delete, and then click Delete.
3. Click Yes to confirm your choice.

Procedure: Associate the subnet or subnets with the appropriate site
Associate an existing subnet with a site under the following conditions:
When you are removing the site with which the subnet was associated.
When you have temporarily associated the subnet with a different site and want to associate it with its permanent site.

Procedure Requirements
Credentials: Enterprise Admins
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To associate an existing Subnet object with a site
1. In Active Directory Sites and Services, expand the Sites container, and then click the Subnets container.
2. In the details pane, right-click the subnet that you want to associate with the site, and then click Properties.
3. In the Site box, click the site with which to associate the subnet, and then click OK.

If the IP addresses are no longer in use, delete the Subnet object or objects with which the addresses are associated.

Procedure: Delete the Site object
Delete a Site object only after you have removed all Server objects from the site and have reassociated the subnets with a different site. The Servers container is deleted when you delete the site.
Procedure Requirements
Credentials: Enterprise Admins
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To delete a Site object
1. In Active Directory Sites and Services, click the Sites container.
2. In the details pane, right-click the site you want to delete, and then click Delete.
3. Click Yes to confirm your choice.
4. In the Active Directory message box, read the information, and then click Yes to delete the site and its Servers container object.

Procedure: Configure a domain controller as a global catalog server
Use the setting on the NTDS Settings object to indicate whether a domain controller is designated as a global catalog server.
Procedure Requirements
Credentials: Domain Admins in the domain of the global catalog server
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To configure a domain controller as a global catalog server
1. In Active Directory Sites and Services, expand the Sites container, and then expand the site in which you are designating a global catalog server.
2. Expand the Servers container and then expand the Server object for the domain controller that you want to designate as a global catalog server.
3. Right-click the NTDS Settings object for the target server, and then click Properties.
4. Select the Global Catalog check box, and then click OK.

Procedure: Monitor global catalog replication progress
Monitor the replication progress to see how many (percentage) of the partial read-only directory partitions have been replicated to a new global catalog server.
Procedure Requirements
Credentials: Domain Admins
Tool: Dcdiag.exe (Support Tools)

Procedure Steps
To monitor the replication progress on a new global catalog server
1. At the command prompt, type dcdiag /v /s:servername | find "%" (where servername is the name of the new global catalog server), and then press ENTER. The quotation marks around the percent sign are required by the find command.
2. Repeat this command periodically to monitor progress. If the test shows no output, then replication has completed.
Procedure: Verify successful replication to a domain controller
Use Repadmin.exe to verify the success of replication to a specific domain controller. Run the /showreps command on the domain controller that receives replication (the destination domain controller). In the output under INBOUND NEIGHBORS, Repadmin.exe shows the Lightweight Directory Access Protocol (LDAP) distinguished name of each directory partition for which inbound directory replication has been attempted, the site and name of the source domain controller, and whether it succeeded or not, as follows:
Last attempt @ YYYY-MM-DD HH:MM.SS was successful.
Last attempt @ [Never] was successful.

Procedure Requirements
Credentials: Domain Admins in the domain of the destination domain controller
Tool: Repadmin.exe (Support Tools)

Procedure Steps
To verify successful replication to a domain controller
1. At a command prompt, type the following command and then press ENTER:
repadmin /showreps ServerName /u:DomainName\UserName /pw:*
where ServerName is the name of the destination domain controller, DomainName is the single-label name of the domain of the destination domain controller (you do not have to use a fully qualified DNS name), and UserName is the name of an administrative account in that domain.
2. When prompted, type the password for the user account you provided, and then press ENTER.
The last successful attempt should agree with the replication schedule for intersite replication, or should be within the last hour for intrasite replication. When replication has never occurred, the message indicates that the last success was never.
If Repadmin.exe reports any of the following conditions, contact a superior:
The last successful intersite replication was prior to the last scheduled replication.
The last intrasite replication was longer than one hour ago.
Replication was never successful.
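The same inbound-neighbour check as /showreps, applied automatically against the three escalation conditions listed above. This is an added example, not code from the guide: it reads the replication metadata of the destination domain controller with Get-ADReplicationPartnerMetadata, classifies each partner as intrasite or intersite from the partner's site, and flags anything outside the threshold. The one-hour intrasite limit is the guide's; the 180-minute intersite limit is an assumed stand-in for "the last scheduled replication" and should be set from the link schedule, and the destination name DC02 is assumed.

```powershell
# Added example (not from the guide): automate the /showreps review.
Import-Module ActiveDirectory

function Get-ReplicationProblem {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$IntrasiteMaxMinutes = 60,     # guide: within the last hour
        [int]$IntersiteMaxMinutes = 180     # assumed; derive from the site link schedule
    )
    $localSite = (Get-ADDomainController -Identity $Server).Site
    $now = Get-Date
    Get-ADReplicationPartnerMetadata -Target $Server -Scope Server -PartnerType Inbound |
        ForEach-Object {
            # Partner is the DN of the source DC's NTDS Settings object:
            # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
            $rdn         = $_.Partner -split ','
            $partnerName = $rdn[1] -replace '^CN='
            $partnerSite = $rdn[3] -replace '^CN='
            $intrasite   = ($partnerSite -eq $localSite)
            $limit       = if ($intrasite) { $IntrasiteMaxMinutes } else { $IntersiteMaxMinutes }
            # A partner that has never succeeded shows [Never] in repadmin and an empty or
            # year-1601 timestamp here.
            $never       = (-not $_.LastReplicationSuccess) -or ($_.LastReplicationSuccess.Year -lt 1700)
            $ageMinutes  = if ($never) { [int]::MaxValue } else { [int]($now - $_.LastReplicationSuccess).TotalMinutes }

            $problem = if ($never) { 'never succeeded' }
                       elseif ($ageMinutes -gt $limit) { "last success $ageMinutes min ago (limit $limit)" }
                       elseif ($_.LastReplicationResult -ne 0) { "last attempt failed, error $($_.LastReplicationResult)" }
            if ($problem) {
                [pscustomobject]@{
                    Destination         = $Server
                    Source              = $partnerName
                    SourceSite          = $partnerSite
                    Partition           = $_.Partition
                    Intrasite           = $intrasite
                    ConsecutiveFailures = $_.ConsecutiveReplicationFailures
                    Problem             = $problem
                }
            }
        }
}

# Usage: anything returned is a condition the guide says to escalate.
$issues = Get-ReplicationProblem -Server 'DC02'     # assumed destination DC
if ($issues) { $issues | Format-Table -AutoSize } else { 'All inbound partners of DC02 are within threshold.' }
```

Checking the last successful time rather than only the last result is deliberate: a partner whose recent attempts fail but whose last success was minutes ago is a transient condition, while a partner that has not succeeded in hours is the state the guide tells you to escalate, whatever the most recent attempt returned.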

Procedure: Verify global catalog readiness
When a global catalog server has satisfied replication requirements, the isGlobalCatalogReady rootDSE attribute is set to TRUE. Use Ldp.exe or Nltest.exe to view this value.
Subprocedure 1: Verify global catalog readiness using Ldp.exe
Procedure Requirements
Credentials: Domain Users
Tool: Ldp.exe (Support Tools)

Procedure Steps
To use Ldp.exe to verify global catalog readiness
1. In Ldp.exe, on the Connection menu, click Connect.
2. In the Connect box, type the name of the server whose global catalog readiness you want to verify.
3. In the Port box, if 389 is not showing, type 389.
4. If the Connectionless box is selected, clear it, and then click OK.
5. In the details pane, verify that the isGlobalCatalogReady attribute has a value of TRUE.
6. On the Connection menu, click Disconnect, and then close Ldp.exe.

Subprocedure 2: Verify global catalog readiness using Nltest.exe
Procedure Requirements
Credentials: Domain Users
Tools: Nltest.exe (Support Tools)

Procedure Steps
To use Nltest.exe to verify global catalog server readiness
1. At a command prompt, type the following command and then press ENTER: nltest /server:ServerName /dsgetdc:DomainName
where ServerName is the name of the server you have added the global catalog to and DomainName is the domain of the server.
2. In the Flags: line of the output, if GC appears, then the global catalog server has satisfied its replication requirements.

Procedure: Verify global catalog DNS registrations
To verify that a server is advertised as a global catalog server, use the DNS snap-in to verify the presence of DNS SRV resource records for the server. Restart the global catalog server prior to checking DNS registrations.
Procedure Requirements
Credentials: Domain Users
Tool: DNS snap-in (Administrative Tools)
Global catalog server has been restarted since replication completed.

Procedure Steps
To verify the presence of global catalog-specific DNS SRV resource records
1. In the DNS snap-in, connect to a domain controller in the forest root domain.
2. Expand Forward Lookup Zones and then expand the forest root domain.
3. Click the _tcp container. In the details pane, look in the Name column for _gc and in the Data column for the name of the server. The records that begin with _gc are global catalog SRV records.

Procedure: Clear the global catalog setting
Clearing the global catalog setting initiates removal of the partial directory partitions from the directory database of the domain controller.
Procedure Requirements
Credentials: Domain Admins in the domain of the global catalog server
Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To clear the global catalog setting
1. In Active Directory Sites and Services, expand the Sites container, and then expand the site from which you are removing a global catalog server.
2. Expand the Servers container and then expand the Server object for the domain controller that you want to remove as a global catalog server.
3. Right-click the NTDS Settings object for the target server, and then click Properties.
4. If the Global Catalog check box is selected, clear the check box, and then click OK.

Procedure: Monitor global catalog removal in Event Viewer
The KCC logs an event that indicates that the global catalog has been removed from a domain controller.
Procedure Requirements
Credentials: Domain Users
Tool: Event Viewer (Administrative Tools)

Procedure Steps
To monitor global catalog removal in Event Viewer
1. Go to Start > Programs > Administrative Tools > Event Viewer.
2. Right-click Event Viewer (Local), and then click Connect to another computer.
3. In the Select Computer dialog box, click Another computer, type the name of the server from which you removed the global catalog, and then click OK.
4. Under Event Viewer, click Directory Service log.
5. Look for NTDS KCC event ID 1268, which indicates that the global catalog is removed from the local machine.
Procedure: Determine whether a site has at least one global catalog server
You can use Nltest.exe to ask the domain controller locator for a global catalog server in a specified site. If the command fails, or returns a global catalog server that belongs to another site, there are no global catalog servers in the site.
Procedure Requirements
Credentials: Authenticated User
Tool: Nltest.exe (Support Tools)

Procedure Steps
To determine whether a site has at least one global catalog server
At the command prompt, type:
nltest /dsgetdc:forestRootDomainName /gc /site:siteName
where forestRootDomainName is the name of the forest root domain and siteName is the name of the site. Press ENTER.
The output shows either one domain controller that is a global catalog server, or the command fails. If the output shows DsGetDcName failed, then the site has no global catalog servers. Because the site name is only a hint to the locator, also check the DC Site Name line of the output: if it names a different site, the locator fell back to a global catalog server elsewhere, which again means the requested site has none of its own.
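The global catalog checks from the preceding procedures (rootDSE readiness, the _gc SRV records, the KCC event 1268 after removal, and whether a site has a global catalog) as PowerShell functions. This is an added example and not code from the guide. The site-membership check queries each domain controller's NTDS Settings object directly rather than going through the locator, so the site name is not a hint and an empty result is conclusive. The forest root is read from the directory; the server name DC03 and site Branch01 in the usage lines are assumed.

```powershell
# Added example (not from the guide): global catalog verification helpers.
Import-Module ActiveDirectory

function Test-GlobalCatalogReady {
    # rootDSE isGlobalCatalogReady becomes TRUE once the partial partitions have replicated in.
    param([Parameter(Mandatory)][string]$Server)
    $root = Get-ADRootDSE -Server $Server -Properties isGlobalCatalogReady
    return ([string]$root.isGlobalCatalogReady -eq 'TRUE')
}

function Get-GlobalCatalogSrvRecord {
    # _gc._tcp.<forest> is forest-wide; _gc._tcp.<site>._sites.<forest> is site-specific.
    param([Parameter(Mandatory)][string]$Forest, [string]$Site)
    $name = if ($Site) { "_gc._tcp.$Site._sites.$Forest" } else { "_gc._tcp.$Forest" }
    Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object @{n = 'Record'; e = { $name }}, NameTarget, Priority, Weight, Port
}

function Get-SiteGlobalCatalog {
    # Reads the GC flag of every DC in the site from the directory; unlike nltest /dsgetdc
    # the site is a filter, not a hint, so no result means the site really has no GC.
    param([Parameter(Mandatory)][string]$Site)
    Get-ADDomainController -Filter { Site -eq $Site -and IsGlobalCatalog -eq $true } |
        Select-Object HostName, Site, IsGlobalCatalog
}

function Get-GlobalCatalogRemovalEvent {
    # NTDS KCC event 1268 in the Directory Service log records removal of the partial partitions.
    param([Parameter(Mandatory)][string]$Server, [int]$Hours = 24)
    Get-WinEvent -ComputerName $Server -FilterHashtable @{
        LogName = 'Directory Service'; Id = 1268; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# Usage (DC03 and Branch01 are assumed names)
$forest = (Get-ADForest).RootDomain
$dc     = "DC03.$forest"
if (Test-GlobalCatalogReady -Server $dc) {
    "$dc reports isGlobalCatalogReady=TRUE"
    $srv = Get-GlobalCatalogSrvRecord -Forest $forest -Site 'Branch01'
    if ($srv.NameTarget -notcontains $dc) { Write-Warning "$dc has no _gc SRV record in site Branch01 yet" }
    $srv | Format-Table -AutoSize
} else {
    "$dc is still replicating partial partitions; check progress with: dcdiag /v /s:$dc | find `"%`""
}
Get-SiteGlobalCatalog -Site 'Branch01'
Get-GlobalCatalogRemovalEvent -Server $dc -Hours 24
```

The readiness and SRV checks answer different questions and both are needed: isGlobalCatalogReady says the server has the data, the _gc record says clients can find it. A server with the flag set but no site-specific record is the case the guide's restart-then-check-DNS step is meant to catch.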
Procedure: Determine whether universal group caching is enabled
Procedure Details
1. Open the Active Directory Sites and Services MMC snap-in.
2. Locate the site you want to check for universal group caching.
3. Click the site name, right-click NTDS Site Settings, and then select Properties.
If universal group caching is enabled, the Enable Universal Group Membership Caching check box is selected.
Procedure: Change the weight for DNS SRV records in the registry
To increase client requests sent to other domain controllers relative to a particular domain controller, adjust the weight of the particular domain controller to a lower value than the others. All domain controllers start with a default weight setting of 100 and can be configured for any value from 0 through 65535, entered as a decimal value. When you adjust the weight, consider it as a ratio of the weight of this domain controller to the weight of the other domain controllers. Because the default for the other domain controllers is 100, the number you enter for weight is divided by 100 to establish the ratio. For example, if you specify a weight of 60, the ratio to the other domain controllers is 60/100. This reduces to 3/5, so you can expect clients to be referred to other domain controllers five times for every three times they get referred to the domain controller you are adjusting. Weight is only compared among domain controllers that share the same priority value; a domain controller with a worse (higher) priority is not used at all while one with a better priority is reachable.

Caution The Registry Editor bypasses standard safeguards, allowing settings that can damage your system or even require you to reinstall Windows. If you must edit the registry, back up system state first. For information about backing up system state, see "Active Directory Backup and Restore" in this guide.

Procedure Requirements
Credentials: Domain Admins
Tool: Regedit.exe (system tool)

Procedure Steps
To change the weight for DNS SRV records in the registry
1. In the Run text box, type regedit and press ENTER.
2. In the Registry Editor, navigate to HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. Click Edit, click New, and then click DWORD value.
4. For the new value name, type LdapSrvWeight and press ENTER. (The value name is not case sensitive.)
5. Double-click the value name you just typed to open the Edit DWORD Value dialog box.
6. Enter a value from 0 through 65535. The default value is 100.
7. Choose Decimal as the Base option.
8. Click OK.
9. Click File, and then click Exit to close the Registry Editor.

Procedure: Change the priority for DNS SRV records in the registry
To prevent clients from sending all requests to a single domain controller, the domain controllers are assigned a priority value. Clients always send requests to the domain controller that has the lowest priority value. If more than one domain controller has the same value, the clients randomly choose from the group of domain controllers with the same value. If no domain controllers with the lowest priority value are available, then the clients send requests to the domain controllers with the next lowest priority value (the next larger number).
A domain controller's priority value is stored in its registry. When the domain controller starts, the Net Logon service registers with the DNS server. The priority value is registered with the rest of its DNS information. When a client uses DNS to discover a domain controller, the priority for a given domain controller is returned to the client with the rest of the DNS information. The client uses the priority value to help determine to which domain controller to send requests.
The value is stored in the LdapSrvPriority registry entry. The default value is 0, but it can range from 0 through 65535.
To configure the PDC emulator in this manner, use Regedit.exe to modify the LdapSrvPriority or LdapSrvWeight registry entries.

Note A lower value entered for LdapSrvPriority indicates a higher priority. A domain controller with an LdapSrvPriority setting of 100 has a lower priority than a domain controller with a setting of 10. Therefore, clients attempt to use the domain controller with the setting of 10 first.

Procedure Requirements
Credentials: Domain Admins
Tool: Regedit.exe (system tool)

Procedure Steps
To change the priority for DNS SRV records in the registry
1. In the Run text box, type regedit and press ENTER.
2. In the Registry Editor, navigate to HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. Click Edit, click New, and then click DWORD value.
4. For the new value name, type LdapSrvPriority, and press ENTER.
5. Double-click the value name that you just typed to open the Edit DWORD Value dialog box.
6. Enter a value from 0 through 65535. The default value is 0.
7. Choose Decimal as the Base option, and then click OK.
8. Click File, and then click Exit to close the Registry Editor.
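The two registry procedures above as one scripted change with range checking, followed by the verification step the procedures leave implicit: reading back what DNS actually returns. This is an added example and not code from the guide. It also carries the guide's ratio argument through as a function, so you can see the expected referral share for any mix of priorities and weights rather than only the 60-against-100 case. The domain controller names and the domain are assumed.

```powershell
# Added example (not from the guide): set LdapSrvWeight / LdapSrvPriority with validation,
# re-register SRV records, verify against DNS, and predict the resulting referral split.
Import-Module ActiveDirectory

function Set-DcLocatorSrvParameter {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [ValidateRange(0, 65535)][int]$Weight   = 100,   # default 100
        [ValidateRange(0, 65535)][int]$Priority = 0      # default 0; lower wins
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Weight, $Priority -ScriptBlock {
        param($Weight, $Priority)
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        # -Type DWord creates the value if it does not exist, matching the Regedit steps.
        Set-ItemProperty -Path $key -Name LdapSrvWeight   -Value $Weight   -Type DWord
        Set-ItemProperty -Path $key -Name LdapSrvPriority -Value $Priority -Type DWord
        nltest /dsregdns | Out-Null   # re-register the SRV records with the new values now
    }
}

function Get-ExpectedReferralShare {
    # Clients use only the DCs with the lowest priority number and, among those, choose in
    # proportion to weight. Input: hashtable of DC name -> @{ Priority = ..; Weight = .. }
    param([Parameter(Mandatory)][hashtable]$Dcs)
    $lowest   = ($Dcs.Values | ForEach-Object { $_.Priority } | Measure-Object -Minimum).Minimum
    $eligible = $Dcs.GetEnumerator() | Where-Object { $_.Value.Priority -eq $lowest }
    $total    = ($eligible | ForEach-Object { $_.Value.Weight } | Measure-Object -Sum).Sum
    foreach ($dc in $Dcs.GetEnumerator()) {
        $share = if ($dc.Value.Priority -eq $lowest -and $total -gt 0) { $dc.Value.Weight / $total } else { 0 }
        [pscustomobject]@{
            DC = $dc.Key; Priority = $dc.Value.Priority; Weight = $dc.Value.Weight
            Share = [math]::Round($share, 3)
        }
    }
}

# The guide's worked case: weight 60 against the default 100 gives 60/160 = 0.375 of
# referrals, the 3:5 ratio in the text. The PDC at priority 10 gets nothing while the
# others are reachable. (All names assumed.)
Get-ExpectedReferralShare -Dcs @{
    'DC01' = @{ Priority = 0;  Weight = 60 }
    'DC02' = @{ Priority = 0;  Weight = 100 }
    'PDC'  = @{ Priority = 10; Weight = 100 }
} | Sort-Object Priority, DC | Format-Table -AutoSize

# Apply to DC01 and read back the domain-wide DC SRV records to confirm registration.
Set-DcLocatorSrvParameter -ComputerName 'DC01' -Weight 60
$domain = (Get-ADDomain).DNSRoot
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Priority, Weight | Sort-Object Priority, NameTarget
```

Reading the records back is the important part: the registry change only takes effect once Net Logon has re-registered, and a stale cached record on the DNS server or the client will keep the old weight until its TTL expires.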

Procedure: Seize the operations master role
The Ntdsutll.exe commund-llne tool ullows you to trunsfer und selze uny operutlons
muster role. You must use Ntdsutll.exe to selze the schemu muster, domuln numlng
muster, und RID muster roles. When you use Ntdsutll.exe to selze un operutlons muster
role, lt flrst uttempts u trunsfer from the current role owner. If the current role owner ls
unuvulluble, lt performs the selzure.
When uslng Ntdsutll.exe to selze un operutlons muster role, the procedure ls neurly
ldentlcul for ull roles. For more lnformutlon ubout uslng Ntdsutll.exe, type ? ut the
Ntdsutll.exe commund prompt.
Procedure Requirements
Credentluls: Domuln Admlns or Enterprlse Admlns
Tools: Ntdsutll.exe (system tool)

Procedure Steps
To seize the operations master role
1. In the Run text box, type ntdsutil and press ENTER.
2. At the ntdsutil: prompt, type roles and press ENTER.
3. At the fsmo maintenance: prompt, type connections and press ENTER.
4. At the server connections: prompt, type connect to server servername (where
servername is the name of the domain controller that will assume the operations
master role), and press ENTER.
5. After you receive confirmation of the connection, type quit and press ENTER to exit
the menu.
6. Depending on the role you want to seize, enter the command indicated and press
ENTER.

Role                    Credentials         Command
Domain naming master    Enterprise Admins   seize domain naming master
Schema master           Enterprise Admins   seize schema master
Infrastructure master   Domain Admins       seize infrastructure master
PDC emulator            Domain Admins       seize pdc
RID master              Domain Admins       seize rid master

The system asks for confirmation. It then attempts to transfer the role. When the
transfer fails, some error information appears and the system proceeds with the
seizure. After the seizure is complete, a list of the roles and the LDAP name of the
server that currently holds each role appears.
During seizure of the RID master, the current role holder attempts to synchronize
with its replication partners. If it cannot establish a connection with a replication
partner during the seizure operation, it displays a warning and confirms that you want
the role seizure to proceed. Click Yes to proceed.
7. Type quit and press ENTER. Type quit again and press ENTER to exit Ntdsutil.exe.
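The interactive steps above can be driven from a script, because Ntdsutil.exe accepts its menu commands as command-line arguments. The following PowerShell script is an added example and is not part of the guide or of Ntdsutil.exe itself; it assumes you run it on a domain controller as Domain Admins or Enterprise Admins, that $TargetDc names the domain controller that should assume the role, and that netdom.exe and ntdsutil.exe are on the path. It records the role holders before and after the change so the result can be verified. Note that Ntdsutil.exe still asks for confirmation and still tries a transfer before seizing, exactly as the procedure describes, and that a domain controller whose schema master, domain naming master, or RID master role has been seized must not be returned to the network without being rebuilt.

```powershell
# Added example (not from the guide): seize an operations master role with
# Ntdsutil.exe non-interactively, recording the role holders before and after.
# Assumptions: run as Domain Admins/Enterprise Admins on a domain controller;
# $TargetDc is the DC that should assume the role; netdom.exe and ntdsutil.exe
# are in the path; the former role holder is unreachable.
param(
    [Parameter(Mandatory)] [string] $TargetDc,
    [Parameter(Mandatory)]
    [ValidateSet('schema master', 'domain naming master', 'infrastructure master', 'pdc', 'rid master')]
    [string] $Role
)

# Record who holds each role before the change (netdom query fsmo lists all five).
$before = netdom query fsmo
Write-Host "Role holders before seizure:`n$($before -join "`n")"

# Each element below is one of the prompts in steps 1-7 of the procedure.
# Ntdsutil first attempts a transfer and falls back to seizure only if the
# current owner cannot be reached; it still shows its confirmation prompt.
$ntdsutilArgs = @(
    'roles',                          # fsmo maintenance menu
    'connections',                    # server connections menu
    "connect to server $TargetDc",    # bind to the DC that will take the role
    'quit',                           # back to fsmo maintenance
    "seize $Role",                    # the command from the table above
    'quit',                           # leave fsmo maintenance
    'quit'                            # exit ntdsutil
)
& ntdsutil.exe @ntdsutilArgs

# Verify the role now sits on the intended DC before doing anything else.
$after = netdom query fsmo
Write-Host "Role holders after seizure:`n$($after -join "`n")"
if (-not ($after -match [regex]::Escape($TargetDc))) {
    Write-Warning "$TargetDc does not appear in the post-seizure role list; check the ntdsutil output"
}
```

Run it as, for example, .\Seize-Fsmo.ps1 -TargetDc DC02 -Role 'rid master'. The before/after listing is the part worth keeping in your change record: it shows which domain controller lost the role and which gained it.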
Procedure: Create a Connection object
To help ensure that the current role holder and the standby operations master are
replication partners, you can manually create a Connection object between the two
domain controllers. Even if a Connection object is generated automatically, it is
recommended that you manually create one. The system can alter automatically created
Connection objects at any time. Manually created connections remain the same until an
administrator changes them.
You must know the current operations master role holder to perform the following
procedure. For information about determining the current operations master role holders,
see View the Current Operations Master Role Holders earlier in this guide.
Procedure Requirements
Credentials: Domain Admins
Tool: Active Directory Sites and Services (Administrative Tools)

Subprocedure 1: Steps to create a Connection object on the current
operations master
To create a Connection object on the current operations master
1. In the Active Directory Sites and Services snap-in, in the console tree, expand the
Sites folder to see the list of available sites.
2. Expand the site name in which the current role holder is located to display the
Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that is currently hosting the operations master role to
display NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the standby operations
master, and then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the
Connection object or accept the default name, and click OK.

Subprocedure 2: Steps to create a Connection object on the standby
operations master
To create a Connection object on the standby operations master
1. Expand the site name in which the standby operations master is located to display
the Servers folder.
2. Expand the Servers folder to see a list of the servers in that site.
3. Expand the name of the server that you want to be the standby operations master to
display its NTDS Settings.
4. Right-click NTDS Settings, click New, and then click Connection.
5. In the Find Domain Controllers dialog box, select the name of the current role holder,
then click OK.
6. In the New Object-Connection dialog box, enter an appropriate name for the
Connection object or accept the default name, and click OK.
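Both subprocedures create the same kind of object: an nTDSConnection under the destination domain controller's NTDS Settings whose fromServer attribute points at the source domain controller. The following script is an added example, not code from the guide, that performs Subprocedures 1 and 2 with the ActiveDirectory PowerShell module instead of the snap-in. It assumes the module is installed, that you hold Domain Admins credentials, that DC01 and DC02 are placeholder names for the current role holder and the standby, and that repadmin.exe is available for the final check. Creating the object with options set to 0 is what makes it "manually created" in the sense the text uses: the Knowledge Consistency Checker does not rewrite or delete connections it did not generate.

```powershell
# Added example (not from the guide): create the two manual Connection objects
# from Subprocedures 1 and 2 with the ActiveDirectory module instead of the
# Sites and Services snap-in. Assumptions: the module is installed, the caller
# is a Domain Admin, and the two names below are placeholder DC names.
Import-Module ActiveDirectory

$CurrentHolder = 'DC01'   # placeholder: current operations master
$Standby       = 'DC02'   # placeholder: standby operations master

# Resolve a DC's NTDS Settings DN from the configuration partition.
function Get-NtdsSettingsDn([string] $DcName) {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $srv = Get-ADObject -SearchBase $cfg -LDAPFilter "(&(objectClass=server)(cn=$DcName))"
    if (-not $srv) { throw "No server object found for $DcName in $cfg" }
    return "CN=NTDS Settings,$($srv.DistinguishedName)"
}

# A Connection object is inbound: it lives under the destination DC's NTDS
# Settings and fromServer names the source DC. Picking the other DC in the
# "Find Domain Controllers" dialog does the same thing in the snap-in.
function New-ManualConnection([string] $DestinationDc, [string] $SourceDc) {
    $destDn = Get-NtdsSettingsDn $DestinationDc
    $srcDn  = Get-NtdsSettingsDn $SourceDc
    $name   = "Manual-from-$SourceDc"   # assumed naming convention

    # Do not create a duplicate if a connection from this source already exists.
    $existing = Get-ADObject -SearchBase $destDn -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=nTDSConnection)(fromServer=$srcDn))"
    if ($existing) {
        Write-Host "$DestinationDc already replicates from $SourceDc via '$($existing.Name)'"
        return
    }

    # enabledConnection, fromServer and options are the mandatory attributes of
    # nTDSConnection. options=0 leaves the IS_GENERATED bit clear, so the KCC
    # treats the object as administrator-created and does not alter it.
    New-ADObject -Name $name -Type nTDSConnection -Path $destDn -OtherAttributes @{
        fromServer        = $srcDn
        enabledConnection = $true
        options           = 0
    }
    Write-Host "Created '$name' under $destDn"
}

New-ManualConnection -DestinationDc $CurrentHolder -SourceDc $Standby         # Subprocedure 1
New-ManualConnection -DestinationDc $Standby       -SourceDc $CurrentHolder   # Subprocedure 2

# Confirm both DCs now list each other as inbound partners.
repadmin /showconn $CurrentHolder
repadmin /showconn $Standby
```

The repadmin /showconn output at the end distinguishes KCC-generated connections from manual ones, which is the quickest way to confirm that the objects you created are the ones that will survive the next KCC run.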

Procedure: Add the new domain controller name
Procedure Steps
Open a command prompt and type the following command, and then press ENTER:
netdom computername CurrentComputerName /add:NewComputerName
Procedure: Designate the new name as the primary computer name
Procedure Steps
To designate the new name as the primary computer name
1. Open a command prompt and type:
netdom computername CurrentComputerName /makeprimary:NewComputerName
where CurrentComputerName and NewComputerName match the descriptions in the
table below. Press ENTER.
2. Restart the computer.
Procedure: Remove the old domain controller name
Procedure Steps
To remove the old domain controller name
1. Open a command prompt and type:
netdom computername NewComputerName /remove:OldComputerName
where NewComputerName and OldComputerName match the descriptions in the
table below. Press ENTER.

Value                 Description
CurrentComputerName   The current, or primary, computer name or IP address of the
                      computer you are renaming.
NewComputerName       The new name for the computer. The NewComputerName must be a
                      fully qualified domain name (FQDN). The primary DNS suffix
                      specified in the FQDN for NewComputerName must be the same as
                      the primary DNS suffix of CurrentComputerName, or it must match
                      the DNS name of the Active Directory domain hosted by this
                      domain controller, or it must be contained in the list of
                      allowed DNS suffixes specified in the msDS-AllowedDNSSuffixes
                      attribute of the domainDns object.
OldComputerName       The old name of the renamed computer. The OldComputerName must
                      be a fully qualified domain name (FQDN).
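The three netdom computername steps (add, make primary, remove) are one procedure split by a restart, and the table's rule about the DNS suffix is the check most worth automating because netdom only reports the failure after it has already contacted the directory. The following PowerShell script is an added example, not from the guide or from netdom.exe; it assumes the ActiveDirectory module is available, that it runs locally on the domain controller being renamed under Domain Admins credentials, and that the two FQDNs are placeholders. It validates the new name against the three permitted suffix sources described in the table, then runs whichever step you select, so it is run once per step with the restart in between.

```powershell
# Added example (not from the guide): validate NewComputerName against the
# suffix rule in the table, then run one of the three netdom steps.
# Assumptions: ActiveDirectory module installed; run on the DC being renamed as
# a Domain Admin; the two FQDNs are placeholders. Invoke once per step:
#   .\Rename-Dc.ps1 -Step Add ; .\Rename-Dc.ps1 -Step MakePrimary ; (restart) ; .\Rename-Dc.ps1 -Step Remove
param(
    [Parameter(Mandatory)] [ValidateSet('Add', 'MakePrimary', 'Remove')] [string] $Step,
    [string] $CurrentName = 'dc01.corp.example.com',      # placeholder current FQDN
    [string] $NewName     = 'dc01-new.corp.example.com'   # placeholder new FQDN
)
Import-Module ActiveDirectory
$domain = Get-ADDomain

# The new name must be an FQDN, and its suffix must be (a) the current primary
# DNS suffix, (b) the AD domain's DNS name, or (c) listed in msDS-AllowedDNSSuffixes.
function Test-NewDcName([string] $Current, [string] $New, $DomainObj) {
    if ($New -notmatch '^[^.]+\.[^.]+') { return $false }          # not an FQDN
    $newSuffix     = $New.Substring($New.IndexOf('.') + 1)
    $currentSuffix = $Current.Substring($Current.IndexOf('.') + 1)
    $allowed = @($currentSuffix, $DomainObj.DNSRoot)
    $extra = (Get-ADObject -Identity $DomainObj.DistinguishedName `
                -Properties 'msDS-AllowedDNSSuffixes').'msDS-AllowedDNSSuffixes'
    if ($extra) { $allowed += $extra }
    return [bool]($allowed -contains $newSuffix)   # -contains is case-insensitive
}

if (-not (Test-NewDcName $CurrentName $NewName $domain)) {
    throw "Refusing to rename: the DNS suffix of '$NewName' is not permitted for $($domain.DNSRoot)"
}

switch ($Step) {
    'Add' {
        # Step 1: register the new name as an alternate; it replicates to AD and DNS
        # before anything depends on it.
        netdom computername $CurrentName /add:$NewName
    }
    'MakePrimary' {
        # Step 2: promote the new name, then restart as the procedure requires.
        netdom computername $CurrentName /makeprimary:$NewName
        Restart-Computer -Force
    }
    'Remove' {
        # Step 3: after the restart, drop the old name. The primary name is now
        # $NewName, so it is the first argument and the old name is removed.
        netdom computername $NewName /remove:$CurrentName
    }
}
```

Leaving time for replication between the Add and MakePrimary steps (and again before Remove) avoids the common failure where other domain controllers and DNS servers have not yet seen the new name when it becomes primary.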

Procedure: Update the FRS Member object
Procedure Steps
To update the FRS Member object
1. Using Ldp.exe (or ADSI Edit), find the computer object of the renamed domain
controller.
2. Do a recursive search for an object of type nTFRSSubscriber with the computer
name of "Domain System Volume (SYSVOL share)" under the Computer object.
3. The search filter is "(&(cn=Domain System Volume \28SYSVOL share\29)(objectClass=nTFRSSubscriber))"
(the parentheses inside the CN value are escaped as \28 and \29, as LDAP filter
syntax requires).
4. Find the fRSMemberReference attribute of the object returned by the search.
5. Find the object referenced by the fRSMemberReference attribute (the attribute holds
that object's distinguished name). This is the Ntfrsmember object corresponding to this
domain controller.
6. Change the computer name of this Ntfrsmember object from the old name of the
domain controller to the new name of the domain controller.
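Steps 1 through 6 are a search followed by a rename, which scripts more reliably than clicking through Ldp.exe. The following PowerShell script is an added example and is not code from the guide; it assumes the ActiveDirectory module is installed, Domain Admins credentials, that the domain controller has already been renamed with netdom, and that DC01 and DC01-NEW are placeholder names. It follows the same path as the procedure (computer object, SYSVOL nTFRSSubscriber beneath it, the DN in fRSMemberReference, the member object) and only renames the member object when it still carries the old name, so running it twice is harmless.

```powershell
# Added example (not from the guide): locate the nTFRSMember object of a
# renamed domain controller as steps 1-5 describe, then rename it (step 6).
# Assumptions: ActiveDirectory module installed; Domain Admin credentials;
# the DC was already renamed with netdom; both names are placeholders.
Import-Module ActiveDirectory

$OldName = 'DC01'       # placeholder: computer name before the rename
$NewName = 'DC01-NEW'   # placeholder: computer name after the rename

# Steps 1-3: the renamed DC's computer object, then the SYSVOL subscriber under
# it. The parentheses inside the CN value are escaped (\28 \29) per LDAP filter syntax.
$computer   = Get-ADComputer -Identity $NewName
$subscriber = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope Subtree `
    -LDAPFilter '(&(cn=Domain System Volume \28SYSVOL share\29)(objectClass=nTFRSSubscriber))' `
    -Properties fRSMemberReference
if (-not $subscriber) {
    throw "No SYSVOL nTFRSSubscriber object found under $($computer.DistinguishedName)"
}

# Steps 4-5: fRSMemberReference is a DN pointing at the member object that
# lives under CN=File Replication Service,CN=System.
$memberDn = $subscriber.fRSMemberReference
$member   = Get-ADObject -Identity $memberDn -Properties frsComputerReference
Write-Host "FRS member object: $($member.DistinguishedName)"
Write-Host "  frsComputerReference: $($member.frsComputerReference)"

# Step 6: the member object's name is the DC's computer name; update it only
# if it still shows the old name, so the script is safe to re-run.
if ($member.Name -ieq $OldName) {
    Rename-ADObject -Identity $member.DistinguishedName -NewName $NewName
    Write-Host "Renamed FRS member object '$OldName' to '$NewName'"
}
elseif ($member.Name -ieq $NewName) {
    Write-Host "FRS member object already carries the new name; nothing to do"
}
else {
    Write-Warning "Member object name '$($member.Name)' matches neither name; inspect before changing"
}
```

The frsComputerReference value is printed as a cross-check: it is a DN link to the computer object and should already point at the renamed computer, which confirms you have the right member object before renaming it.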

Procedure: Restore Group Policy
Procedure Steps
To restore Group Policy
1. Open Group Policy Management Console (GPMC).
2. In the console tree, double-click Domains to expand the list of domains.
3. Double-click the desired domain to expand the contents of that domain.
4. Right-click Group Policy Objects, and select Manage Backups.
5. Right-click the object to be restored, and select Restore from Backup.
6. Select the backup location, click the policy backup to be restored, and then click
Restore.
7. Click OK to restore the selected GPO backup.
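The same restore can be done with the GroupPolicy PowerShell module that ships with GPMC, which also makes it easy to add the step practitioners usually want before a restore: a fresh backup of the GPO's current state, so the restore itself can be undone. The following script is an added example, not from the guide; it assumes GPMC and its module are installed, Domain Admins credentials, and that the GPO name and folder paths are placeholders.

```powershell
# Added example (not from the guide): restore a GPO from a backup folder with
# the GroupPolicy module, after snapshotting its current state so the restore
# can be rolled back. Assumptions: GPMC and its PowerShell module installed;
# Domain Admin credentials; the GPO name and paths below are placeholders.
Import-Module GroupPolicy

$GpoName    = 'Default Domain Policy'      # placeholder: GPO to restore
$BackupPath = 'D:\GPOBackups'              # placeholder: folder holding the backups
$SafetyPath = 'D:\GPOBackups\pre-restore'  # placeholder: where the safety snapshot goes

# Fail early if the GPO does not exist in this domain.
$gpo = Get-GPO -Name $GpoName -ErrorAction Stop
Write-Host "Before restore: '$($gpo.DisplayName)' computer version $($gpo.Computer.DSVersion), user version $($gpo.User.DSVersion)"

# Snapshot the current (possibly broken) GPO so a wrong restore is reversible.
New-Item -ItemType Directory -Path $SafetyPath -Force | Out-Null
$snapshot = Backup-GPO -Guid $gpo.Id -Path $SafetyPath -Comment "pre-restore $(Get-Date -Format s)"
Write-Host "Safety backup $($snapshot.Id) written to $SafetyPath"

# Restore-GPO with -Name and -Path uses the most recent backup of that GPO in
# the folder, which matches step 6 of the procedure; use -BackupId to pick an
# older one explicitly.
Restore-GPO -Name $GpoName -Path $BackupPath -ErrorAction Stop

$after = Get-GPO -Name $GpoName
Write-Host "After restore: computer version $($after.Computer.DSVersion), user version $($after.User.DSVersion)"
```

If the restored policy turns out to be the wrong one, Restore-GPO -BackupId with the snapshot id printed above and -Path $SafetyPath puts the GPO back to the state it had before you started.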
