Tuesday, September 16, 2008

Active Directory - Tasks Reference

Tasks Reference

This appendix lists all tasks, and pointers to their associated procedures, in alphabetical order. You can build tear sheets for your operations staff by cutting and pasting procedures into a separate document. These procedures can be part of an operations task assigned to an operator, or part of a task to troubleshoot an Active Directory component.

On This Page

Adding a New Site
Adding a Subnet
Adding the Global Catalog to a Domain Controller and Verifying Global Catalog Readiness
Authoritative Restore of a Subtree or Leaf Object
Authoritative Restore of the Entire Directory
Backing Up Active Directory and Associated Components
Changing the Space Allocated to the Staging Area
Choosing a Standby Operations Master
Configuring a Client to Request Time from a Specific Time Source
Configuring a Reliable Time Source on a Computer Other than the PDC Emulator
Configuring Site Links
Configuring Time on the Forest-Root PDC Emulator
Creating a Site Link
Creating External Trusts
Creating Shortcut Trusts
Decommissioning a Role Holder
Decommissioning Domain Controllers
Designating Operations Master Roles
Disabling the Windows Time Service
Identifying a Global Catalog Server
Identifying a Site that has No Global Catalog Servers
Identifying the Current Configuration of a Domain Controller
Installing Active Directory
Moving a Domain Controller to a Different Site
Moving SYSVOL Manually
Moving SYSVOL with the Active Directory Installation Wizard
Optimizing the Polling Interval
Performing a Non-Authoritative Restore
Performing Active Directory Post-Installation Tasks
Performing Offline Defragmentation
Preparing a Domain Controller for Long Disconnection
Preparing for Active Directory Installation
Preventing Unauthorized Privilege Escalation
Reconnecting a Long-Disconnected Domain Controller
Recovering a Domain Controller Through Reinstallation
Reducing the Number of Client Requests Processed by the PDC Emulator
Regulating Directory Database Growth Caused by Tombstones
Relocating Directory Database Files
Relocating the Staging Area Folder
Removing a Lingering Object from a Global Catalog Server
Removing a Site
Removing Lingering Objects from an Outdated Writable Domain Controller
Removing Manually Created Trusts
Removing the Global Catalog from a Domain Controller
Renaming a Domain Controller
Restoring a Domain Controller Through Reinstallation and Subsequent Restore from Backup
Restoring and Rebuilding SYSVOL
Restoring the Original Configuration of a Domain Controller
Seizing Operations Master Roles
Updating the System Volume Path

Adding a New Site

Use the following procedures to add a new site. Procedures are explained in detail in the linked topics.

  1. Create a site object and add it to an existing site link.

  2. Associate a range of IP addresses with the site (the steps are those listed under "Adding a Subnet").

  3. Create a site link object, if appropriate, and add the new site and at least one other site to the site link.

  4. If, while performing procedure 1, you added the new site to an existing site link temporarily in order to create the site, remove the site from that site link.

Adding a Subnet

Use the following procedures to add a subnet. Procedures are explained in detail in the linked topics.

  1. Obtain the network address and subnet mask for the new subnet.

  2. Create a subnet object and associate it with the appropriate site.

Adding the Global Catalog to a Domain Controller and Verifying Global Catalog Readiness

Use the following procedures to add a global catalog server to a domain controller. The procedures are explained in detail in the linked topics. Some procedures are performed only when you are configuring the first global catalog server in the site or only when Windows 2000 Server SP2 is running on the domain controller that you are configuring.

  1. Stop the Net Logon service on the domain controller (SP2 only, first global catalog server in the site only).

  2. Configure the domain controller as a global catalog server. Setting the Global Catalog check box initiates the process of replicating all domains to the server.

  3. Monitor global catalog replication progress (first global catalog server in the site only).

  4. Verify successful replication to a domain controller on the global catalog server. Check for inbound replication of all partial domain directory partitions in the forest, to ensure that all domain directory partitions have replicated to the global catalog server.

  5. Verify global catalog readiness. This procedure indicates that the replication requirements have been met.

  6. Restart the Net Logon service, if needed. If you are adding the first global catalog server in a site to a domain controller that is running Windows 2000 Server SP2 and you stopped the Net Logon service prior to adding the global catalog, then restart the service now.

  7. Restart the global catalog server and verify global catalog DNS registrations by checking DNS for global catalog SRV resource records.

Authoritative Restore of a Subtree or Leaf Object

Use the following procedures to perform an authoritative restore of an Active Directory subtree or leaf object. Procedures are explained in detail in the linked topics.

  1. Restart the domain controller in Directory Services Restore Mode (locally or remotely).

  2. Restore from backup media for authoritative restore.

  3. Restore system state to an alternate location.

  4. Perform authoritative restore of the subtree or leaf object.

  5. Restore applicable portion of SYSVOL from alternate location if necessary.

  6. Verify Active Directory restore.

Authoritative Restore of the Entire Directory

Use the following procedures to perform an authoritative restore of the entire Active Directory. Procedures are explained in detail in the linked topics.

  1. Restart the domain controller in Directory Services Restore Mode (locally or remotely).

  2. Restore from backup media.

  3. Restore system state to an alternate location.

  4. Perform authoritative restore of entire directory.

  5. Restore SYSVOL from alternate location.

  6. Verify Active Directory restore.

Backing Up Active Directory and Associated Components

Use one of the following procedures to back up Active Directory and associated components. Procedures are explained in detail in the linked topics.

  1. Back up system state.

  2. Back up system state and the system disk.

Changing the Space Allocated to the Staging Area

Use the following procedures to change the amount of space that is allocated to the Staging Area folder. Procedures are explained in detail in the linked topics.

  1. Stop the File Replication service.

  2. Change the space allocated to the Staging Area folder.

  3. Start the File Replication service.

Choosing a Standby Operations Master

Procedures are explained in detail in the linked topics.

  1. Determine whether a domain controller is a global catalog server.

  2. Create a connection object.

Configuring a Client to Request Time from a Specific Time Source

The following procedures allow you to specify a time source for client computers that do not automatically synchronize through the time service. Procedures are explained in detail in the linked topics.

  1. Set a manually configured time source on a selected computer.

  2. Remove a manually configured time source on a selected computer.

Configuring a Reliable Time Source on a Computer Other than the PDC Emulator

Although the PDC emulator in the forest root domain is the authoritative time source for that forest, you can configure a reliable time source on a computer other than the PDC emulator.

Caution: The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back up system state first. For information about backing up system state, see "Active Directory Backup and Restore" in this guide.

Configuring Site Links

Use the following procedures to configure a site link. Procedures are explained in detail in the linked topics.

  1. Configure the site link schedule to identify times during which intersite replication can occur.

  2. Configure the site link interval to identify how often replication polling can occur during the schedule window.

  3. Configure the site link cost to establish a priority for replication routing.

  4. Generate the intersite replication topology, if appropriate. By default, the KCC runs every 15 minutes to generate the replication topology. To initiate intersite replication topology generation immediately, use the following procedures to refresh the topology:

    1. Determine the ISTG role owner for the site.

    2. Generate the replication topology on the ISTG.

Configuring Time on the Forest-Root PDC Emulator

To configure time service for the forest-root PDC emulator, you might need to remove an external time source that you used previously, or, if you transferred that operations master role, you might only need to configure the time service on the new PDC emulator. To configure time on the forest-root PDC emulator, you can use the following procedures. Procedures are explained in detail in the linked topics.

  1. Configure time on the forest-root PDC emulator.

  2. Remove a time source configured on the forest-root PDC emulator.

Creating a Site Link

Use the following procedures to link sites for replication. Procedures are explained in detail in the linked topics.

  1. Determine the names of the sites you are linking.

  2. Create a site link object in the IP container and add the appropriate sites to it.

  3. Generate the intersite topology. By default, the KCC runs every 15 minutes to generate the replication topology. To initiate replication topology generation immediately, use the following procedures to refresh the intersite topology:

    1. Determine the ISTG role owner for the site.

    2. Generate the replication topology on the ISTG.

Creating External Trusts

You can create an external trust by using one of the following methods. Procedures are explained in detail in the linked topics.

  1. Create a One-way Trust (MMC Method)

  2. Create a One-way Trust (Netdom.exe Method)

  3. Create a Two-way Trust (MMC Method)

  4. Create a Two-way Trust (Netdom.exe Method)

Creating Shortcut Trusts

You can create a shortcut trust by using one of the following methods. Procedures are explained in detail in the linked topics.

  1. Create a One-way Trust (MMC Method)

  2. Create a One-way Trust (Netdom.exe Method)

  3. Create a Two-way Trust (MMC Method)

  4. Create a Two-way Trust (Netdom.exe Method)

Decommissioning a Role Holder

Procedures are explained in detail in the linked topics.

  1. Verify successful replication to a domain controller.

  2. Determine whether a domain controller is a global catalog server.

  3. Transfer the forest-level operations master roles.

  4. Transfer the domain-level operations master roles.

  5. View the current operations master role holders.

Decommissioning Domain Controllers

  1. View the current operations master role holders to see if any roles are assigned to this domain controller.

  2. Transfer the forest-level operations master roles to another domain controller in the forest root domain if this domain controller hosts either the schema master or domain naming master roles.

  3. Transfer the domain-level operations master roles if this domain controller hosts the PDC emulator, infrastructure master, or RID master.

  4. Determine whether a domain controller is a global catalog server to ensure that other domain controllers are configured as global catalog servers before you remove Active Directory.

  5. Verify DNS registration and functionality.

  6. Verify communication with other domain controllers.

  7. Verify the existence of the operations masters.

    Note: If any of the verification tests fail, do not continue until you determine and fix the problems. If these tests fail, the installation is also likely to fail.

  8. Remove Active Directory.

  9. Determine whether a server object has child objects.

  10. Delete a server object from a site.

Designating Operations Master Roles

Procedures are explained in detail in the linked topics.

  1. Verify successful replication to a domain controller.

  2. Determine whether a domain controller is a global catalog server.

  3. Transfer the forest-level operations master roles.

  4. Transfer the domain-level operations master roles.

  5. View the current operations master role holders.

Disabling the Windows Time Service

You only need to perform one procedure to disable the Windows Time service.

Identifying a Global Catalog Server

Use the following procedure to determine whether a domain controller is a global catalog server. The procedure is explained in detail in the linked topic.

  • To determine whether a domain controller is a global catalog server, check the properties on the NTDS Settings object of the respective server object.

Identifying a Site that has No Global Catalog Servers

Use the following procedure to determine whether a site has a global catalog server. The procedure is explained in detail in the linked topic.

  • To identify a site that has no global catalog servers, determine whether the site has at least one global catalog server.
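The two checks above (is this domain controller a global catalog, and does every site have at least one) can be scripted. The following PowerShell is an added example, not a procedure from the operations guide; it assumes the RSAT ActiveDirectory module (tooling that postdates the Windows 2000 guide) and read access to the configuration partition, and it reads the same NTDS Settings `options` attribute the guide has you inspect in the object's properties.

```powershell
# Added example (not from the guide): find global catalog servers and the sites
# that have none. Assumes the RSAT ActiveDirectory module; everything is read-only.
Import-Module ActiveDirectory

function Test-NtdsSettingsIsGC {
    # The guide's check, done directly: the NTDS Settings object's 'options'
    # attribute has bit 0x1 (NTDSDSA_OPT_IS_GC) set when the server is a GC.
    param([Parameter(Mandatory)][string]$NtdsSettingsDn)
    $options = (Get-ADObject -Identity $NtdsSettingsDn -Properties options).options
    return (([int]$options -band 1) -eq 1)
}

function Get-GlobalCatalogCoverage {
    # Enumerate every DC in every domain of the forest (Get-ADDomainController is
    # per-domain), then compare the sites that hold a GC against all site objects.
    $dcs = foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $domain
    }
    $allSites = Get-ADReplicationSite -Filter * | Select-Object -ExpandProperty Name
    $gcs      = $dcs | Where-Object { Test-NtdsSettingsIsGC $_.NTDSSettingsObjectDN }
    $gcSites  = $gcs | Select-Object -ExpandProperty Site -Unique

    [pscustomobject]@{
        GlobalCatalogs = @($gcs | Select-Object HostName, Domain, Site)
        # Sites in this list need a GC added (or clients there will reach across
        # the WAN for every GC-dependent logon and lookup).
        SitesWithoutGC = @($allSites | Where-Object { $_ -notin $gcSites })
    }
}

# Usage:
# $report = Get-GlobalCatalogCoverage
# $report.GlobalCatalogs | Format-Table
# $report.SitesWithoutGC
```

`Get-ADDomainController` also exposes an `IsGlobalCatalog` property derived from the same bit; the example reads the attribute explicitly so that the result can be cross-checked against what the guide's manual procedure shows.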

Identifying the Current Configuration of a Domain Controller

Use the following procedures to identify the current configuration of the domain controller. You need to reconfigure the current configuration on the renamed domain controller after you reinstall Active Directory.

  1. Determine whether the domain controller is a global catalog server.

  2. View the operations master role holders. If roles are held by this domain controller, transfer the roles to the standby operations master prior to removing Active Directory (see "Designating Operations Master Roles").

  3. Determine whether the domain controller is a DNS server. Make a note of the DNS configuration so that you can reproduce it when you reinstall Active Directory.

  4. Determine the initial change notification delay. If this setting has been changed from the default on this domain controller, you need to reconfigure the setting after you rename the server and add Active Directory.

  5. Determine whether the domain controller is a preferred bridgehead server.

Caution: The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back up system state first. For information about backing up system state, see "Active Directory Backup and Restore" in this guide.

Installing Active Directory

  1. Verify DNS registration and functionality.

  2. Verify that an IP address maps to a subnet and determine the site association.

  3. Verify communication with other domain controllers.

  4. Verify the existence of the operations masters.

    Note: If any of the verification tests fail, do not continue until you determine and fix the problems. If these tests fail, the installation is also likely to fail.

  5. Install Active Directory.

Moving a Domain Controller to a Different Site

Use the following procedures to move a domain controller to a different site. Procedures are explained in detail in the linked topics.

  1. Change the static IP address of the domain controller. This procedure includes changing all appropriate TCP/IP values, including preferred and alternate DNS servers, as well as WINS servers (if appropriate). Obtain these values from the design team.

  2. Create a delegation for the domain controller, if appropriate. If the parent DNS zone of any zone that is hosted by this DNS server contains a delegation to this DNS server, use this procedure to update the IP address in all such delegations.

  3. Verify that the IP address maps to a subnet and determine the site association to ensure that the subnet is associated with the site to which you are moving the server object.

  4. Determine whether the server is a preferred bridgehead server.

  5. If the server is a preferred bridgehead server in the current site and you do not want the server to be a preferred bridgehead server in the new site, configure the server to not be a preferred bridgehead server.

  6. Move the server object to the new site.

Moving SYSVOL Manually

Except where noted, perform these steps on the domain controller that contains the system volume that you want to move. Procedures are explained in detail in the linked topics.

Warning: This procedure can alter security settings. After you complete the procedure, the security settings on the new system volume are reset to the default settings that were established when you installed Active Directory. You must reapply any changes to the security settings on the system volume that you made since you installed Active Directory. Failure to do so can result in unauthorized access to Group Policy objects and logon and logoff scripts.

  1. Identify replication partners.

  2. On the replication partners, check the status of the shared system volume. You do not need to perform the test on every partner, but you need to perform enough tests to be confident that the shared system volumes on the partners are healthy.

  3. Verify that replication is functioning.

  4. Gather the SYSVOL path information.

  5. Stop the File Replication service.

  6. Create the SYSVOL folder structure.

  7. Set the SYSVOL path.

  8. Set the Staging Area path. If you have moved the Staging Area folder to a different location already, you do not need to do this step.

  9. Set the fRSRootPath.

  10. Prepare a domain controller for non-authoritative SYSVOL restore.

  11. Update security on the new SYSVOL.

  12. Start the File Replication service.

  13. Check the status of the shared system volume.

Moving SYSVOL with the Active Directory Installation Wizard

Use the following procedures to remove and reinstall Active Directory in order to move SYSVOL. For more information about installing and removing Active Directory, see "Managing Installation and Removal of Active Directory" in this guide. Procedures are explained in detail in the linked topics.

  1. View the current operations master role holders to see if any roles are assigned to this domain controller.

  2. If this domain controller is listed as hosting either the schema master or domain naming master roles, then transfer the forest-level roles to another domain controller in the forest root domain. Any domain controller in the forest is capable of hosting these roles but it is recommended that they remain in the forest root domain. Ensure that you place the domain naming master role on a global catalog server.

  3. If this domain controller is listed as hosting the primary domain controller (PDC) emulator, infrastructure master or relative identifier (RID) master roles, transfer the domain-level roles to another domain controller in the same domain. Do not place the infrastructure master role on a global catalog server unless all of the domain controllers host the global catalog or unless only one domain exists in the forest.

  4. Determine whether a domain controller is a global catalog server and ensure that other domain controllers are configured as global catalog servers before continuing.

  5. Verify DNS registration and functionality.

  6. Verify communication with other domain controllers.

  7. Verify the existence of the operations masters on the network.

    Note: If any of the verification tests fail, do not continue until you identify and fix the problems. If these tests fail, the decommissioning operation is also likely to fail.

  8. Remove Active Directory.

  9. Delete the server object from a site.

  10. Verify DNS registration and functionality.

    Note: If the verification test fails, do not continue until you identify and fix the problems. If the test fails, then installation is also likely to fail.

  11. Install Active Directory. Provide the wizard with the new location for SYSVOL when prompted.

  12. Verify the site assignment for the domain controller.

  13. Move a server object to a different site if the domain controller is located in the wrong site.

  14. Perform final DNS configuration for a new domain controller that is located in the forest root domain:

    1. Create a delegation for the new domain controller in the parent domain of the DNS infrastructure if a parent domain exists and a DNS server hosts it. If a DNS server does not host the parent domain, then follow the procedures outlined in the vendor documentation to add the delegation for the new domain controller.

    2. Configure the DNS client settings.

      Or

      Perform final DNS configuration for a new domain controller that is located in a child domain:

    3. Create a delegation for the new domain controller in the forest root domain.

    4. Create a secondary zone.

    5. Configure the DNS client settings.

  15. Check the status of the shared system volume.

  16. Verify DNS registration and functionality.

  17. Verify domain membership for the new domain controller.

  18. Verify communication with other domain controllers.

  19. Verify that replication is functioning.

  20. Verify the existence of the operations masters.

Optimizing the Polling Interval

You only need to perform one procedure to optimize the polling interval.

Caution: The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back up system state first. For information about backing up system state, see "Active Directory Backup and Restore" in this guide.

Performing a Non-Authoritative Restore

Use the following procedures to perform a non-authoritative restore of a domain controller. Procedures are explained in detail in the linked topics.

  1. Restart the domain controller in Directory Services Restore Mode (locally or remotely).

  2. Restore from backup media.

  3. Verify Active Directory restore.

Performing Active Directory Post-Installation Tasks

To perform this task, the site object must already be defined in Active Directory Sites and Services and you must know the site in which you want to place the server object.

  1. Determine whether a server object has child objects.

  2. Verify the site assignment for the domain controller.

  3. Move a server object to a different site if the domain controller is located in the wrong site.

  4. Configure DNS server recursive name resolution.

  5. Perform final DNS configuration for a new domain controller that is located in the forest root domain:

    1. Create a delegation for the new domain controller in the parent domain of the DNS infrastructure if a parent domain exists and a Microsoft DNS server hosts it. If a Microsoft DNS server does not host the parent domain, follow the procedures outlined in the vendor documentation to add the delegation for the new domain controller.

    2. Configure the DNS client settings.

      or

      Perform final DNS configuration for a new domain controller that is located in a child domain:

    3. Create a delegation for the new domain controller in the forest root domain.

    4. Create a secondary zone.

    5. Configure the DNS client settings.

  6. Check the status of the shared system volume.

  7. Verify DNS registration and functionality.

  8. Verify domain membership for the new domain controller.

  9. Verify communication with other domain controllers.

  10. Verify replication is functioning.

  11. Verify the existence of the operations masters.

Performing Offline Defragmentation

Use the following procedures to perform offline defragmentation. Procedures are explained in detail in the linked topics.

  1. Change the garbage collection logging level to 1. Check the Directory Service event log for event ID 1646, which reports the amount of disk space that you can recover by performing offline defragmentation.

  2. Back up system state. System state includes the database file and database log files as well as SYSVOL, NETLOGON, and the registry, among other things. Always ensure that a current backup exists prior to defragmenting database files.

  3. Take the domain controller offline.

  4. Compact the directory database file (offline defragmentation). As part of the offline defragmentation procedure, check directory database integrity.

  5. If database integrity check fails, perform semantic database analysis with fixup.

Preparing a Domain Controller for Long Disconnection

Perform the following procedures prior to disconnecting a domain controller. Procedures are explained in detail in the linked topics.

  1. Determine the anticipated length of the disconnection.

  2. Determine the tombstone lifetime for the forest.

  3. Determine the maximum safe disconnection period by subtracting a generous estimate of the end-to-end replication latency from the tombstone lifetime. Either find the latency estimate in the design documentation for your deployment, or request the information from a member of the design or deployment team.

    • If the anticipated time of disconnection exceeds the maximum safe disconnection period, do not disconnect the domain controller. Contact a supervisor.

    • If the estimated time of disconnection does not exceed the maximum safe disconnection time, proceed with disconnection.

  4. View the current operations master role holders to determine whether the domain controller is an operations master role holder.

  5. Transfer a domain-level operations master role, if appropriate.

  6. Transfer a forest-level operations master role, if appropriate.

  7. Prepare the domain controller for non-authoritative SYSVOL restore on the domain controller that you are disconnecting. This process ensures an up-to-date SYSVOL when the domain controller is restarted.

  8. Synchronize replication from all inbound (source) replication partners. Each connection object below the NTDS Settings object for the server you are disconnecting represents an inbound replication partner.

  9. Verify successful replication to the domain controller that you are disconnecting.

  10. Label the domain controller with the date and time of disconnection and the maximum safe disconnection period.

Caution: The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back up system state first. For information about backing up system state, see "Active Directory Backup and Restore" in this guide.

Preparing for Active Directory Installation

To prepare for the Active Directory installation, install the DNS Server service on the server that you want to make a domain controller and gather the information that you must supply to the Active Directory Installation Wizard.

  1. Install the DNS Server service.

  2. Gather installation information, including:

    • The user name, password, and the domain that contains the user account that you intend to use to run the Active Directory Installation Wizard.

    • The name of the domain that you want the new domain controller to host.

    • Location for the Active Directory database (Ntds.dit).

    • Location for the log files.

    • Location for the Shared System Volume (SYSVOL).

    • The server administrator account name and password to use in Directory Services Restore mode.

Preventing Unauthorized Privilege Escalation

Use the following procedures to configure SID filtering. Procedures are explained in detail in the linked topics.

  1. Configure SID filtering.

  2. Remove SID filtering.
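A defender usually wants to know which trusts currently lack SID filtering before running either procedure. The following PowerShell is an added example, not part of the operations guide; it assumes the RSAT ActiveDirectory module and `netdom.exe`, and the audit itself is read-only.

```powershell
# Added example (not from the guide): audit SID filtering on every trust in the forest.
# Assumes the RSAT ActiveDirectory module; Get-ADTrust exposes the quarantine flag.
Import-Module ActiveDirectory

function Get-TrustSidFilteringReport {
    foreach ($domain in (Get-ADForest).Domains) {
        Get-ADTrust -Filter * -Server $domain | ForEach-Object {
            [pscustomobject]@{
                Domain                  = $domain
                TrustedPartner          = $_.Target
                Direction               = $_.Direction
                IntraForest             = $_.IntraForest
                ForestTransitive        = $_.ForestTransitive
                # External trusts rely on quarantine (SID filtering); forest trusts
                # carry the "forest aware" form of filtering instead.
                SidFilteringQuarantined = $_.SIDFilteringQuarantined
                SidFilteringForestAware = $_.SIDFilteringForestAware
            }
        }
    }
}

function Get-UnfilteredExternalTrusts {
    # Trusts to partners outside the forest with quarantine switched off are the
    # ones the guide's "Configure SID filtering" procedure exists to fix.
    Get-TrustSidFilteringReport | Where-Object {
        -not $_.IntraForest -and -not $_.ForestTransitive -and -not $_.SidFilteringQuarantined
    }
}

# Usage:
# Get-TrustSidFilteringReport | Format-Table
# Get-UnfilteredExternalTrusts
#
# Remediation (the guide's "Configure SID filtering"), run as an administrator of
# the trusting domain, with placeholder names substituted for your own:
#   netdom trust TRUSTING.example /domain:TRUSTED.example /quarantine:Yes
# "Remove SID filtering" is the same command with /quarantine:No.
```

Removing quarantine should be a deliberate exception with a recorded justification, since it allows SIDs from the trusted domain's SIDHistory to be honoured by the trusting domain.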

Reconnecting a Long-Disconnected Domain Controller

Follow these procedures to reconnect the domain controller. Procedures are explained in detail in the linked topics.

  1. Determine the tombstone lifetime for the forest.

  2. Determine whether the maximum safe disconnection time has been exceeded, and proceed accordingly:

    • If the domain controller has been disconnected for a period that exceeds the maximum safe disconnection period, do not reconnect the domain controller. Contact a supervisor about reinstalling the domain controller.

    • If the maximum safe time has not been exceeded, proceed with reconnecting.

  3. If the site in which you are reconnecting the domain controller has one or more other domain controllers that are authoritative for the domain, start the domain controller at any time.

  4. If the site in which you are reconnecting the domain controller has no other domain controllers that are authoritative for the domain, proceed as follows:

    1. Determine when the next intersite replication cycle is scheduled to begin by viewing the replication properties on the site link that connects this site to the next closest site that includes domain controllers for this domain.

    2. As soon as possible after the next replication cycle begins, start the domain controller.

  5. After replication is complete, verify successful replication to the domain controller (the reconnected domain controller) of the domain, configuration, and schema directory partitions. If the domain controller is a global catalog server, check for successful replication of all domain directory partitions.

In the event that a domain controller has been disconnected for a tombstone lifetime or longer but has already replicated, follow the instructions for detecting and removing lingering objects in "Removing Lingering Objects from an Outdated Writable Domain Controller."
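Both the pre-disconnection check (steps 1 through 3 of "Preparing a Domain Controller for Long Disconnection") and the reconnection check (steps 1 and 2 above) come down to the same arithmetic on the forest tombstone lifetime. The following PowerShell is an added example that is not part of the operations guide; it assumes the RSAT ActiveDirectory module and that the replication-latency figure is supplied by you from the design documentation, as the guide instructs.

```powershell
# Added example (not from the guide): compute the maximum safe disconnection period
# and test a planned or actual disconnection against it. Assumes the RSAT
# ActiveDirectory module and read access to the configuration partition.
Import-Module ActiveDirectory

function Get-ForestTombstoneLifetimeDays {
    # tombstoneLifetime lives on CN=Directory Service under the configuration
    # partition. When the attribute is unset the forest uses the 60-day default
    # (the value for Windows 2000 and Windows Server 2003 RTM forests).
    $root = Get-ADRootDSE
    $dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$($root.configurationNamingContext)"
    $ds   = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime
    if ($null -ne $ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Get-MaxSafeDisconnectionDays {
    # Step 3 of the preparation procedure: tombstone lifetime minus a generous
    # end-to-end replication latency estimate.
    param(
        [Parameter(Mandatory)][int]$TombstoneLifetimeDays,
        [Parameter(Mandatory)][int]$ReplicationLatencyDays
    )
    if ($ReplicationLatencyDays -ge $TombstoneLifetimeDays) {
        throw "Latency estimate ($ReplicationLatencyDays d) leaves no safe disconnection window."
    }
    $TombstoneLifetimeDays - $ReplicationLatencyDays
}

function Test-DisconnectionWindow {
    # $true when the interval fits inside the safe period. Use it before
    # disconnecting (planned return date) and again before reconnecting (actual
    # elapsed time, read from the label attached to the machine in step 10).
    param(
        [Parameter(Mandatory)][datetime]$DisconnectedOn,
        [Parameter(Mandatory)][datetime]$ReconnectOn,
        [Parameter(Mandatory)][int]$MaxSafeDays
    )
    ($ReconnectOn - $DisconnectedOn).TotalDays -le $MaxSafeDays
}

function New-DisconnectionLabel {
    # Step 10: the text to attach to the domain controller before it leaves.
    param([Parameter(Mandatory)][datetime]$DisconnectedOn, [Parameter(Mandatory)][int]$MaxSafeDays)
    $deadline = $DisconnectedOn.AddDays($MaxSafeDays)
    "Disconnected {0:yyyy-MM-dd HH:mm}; max safe disconnection {1} days; reconnect by {2:yyyy-MM-dd}" -f $DisconnectedOn, $MaxSafeDays, $deadline
}

# Usage (the 7-day latency is a constructed placeholder; take yours from the design docs):
# $tsl  = Get-ForestTombstoneLifetimeDays
# $safe = Get-MaxSafeDisconnectionDays -TombstoneLifetimeDays $tsl -ReplicationLatencyDays 7
# Test-DisconnectionWindow -DisconnectedOn (Get-Date) -ReconnectOn (Get-Date).AddDays(30) -MaxSafeDays $safe
# New-DisconnectionLabel -DisconnectedOn (Get-Date) -MaxSafeDays $safe
```

A domain controller that fails `Test-DisconnectionWindow` at reconnection time should stay off the network, as the procedure says; bringing it back risks reintroducing lingering objects that every other replica has already deleted.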

Recovering a Domain Controller Through Reinstallation

Use the following procedures to recover a domain controller. Procedures are explained in detail in the linked topics.

  1. Clean up metadata.

  2. Reinstall Windows 2000 Server. (This procedure is not covered in this guide.)

  3. Install Active Directory. During the installation process, replication occurs, ensuring that the domain controller has an accurate and up-to-date copy of Active Directory. For more information about seizing operations master roles, see "Installing Active Directory" in this guide.

Reducing the Number of Client Requests Processed by the PDC Emulator

Procedures are explained in detail in the linked topics.

  1. Change the weight for DNS SRV records in the registry.

  2. Change the priority for DNS SRV records in the registry.
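The two registry changes above, as an added PowerShell example that is not part of the original guide. It assumes the Netlogon parameters LdapSrvWeight (default 100) and LdapSrvPriority (default 0) are the values the linked procedures edit, and that it runs with administrative rights on the PDC emulator itself. A lower weight makes clients pick this domain controller less often among records of the same priority; a higher priority number makes clients use it only when all lower-numbered domain controllers are unavailable.

```powershell
# Added example, not from the operations guide: view and adjust the DNS SRV
# weight and priority that Netlogon registers for this domain controller.
# Assumes administrative rights on the DC whose load you want to reduce.

$netlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-DcSrvRecordSettings {
    $p = Get-ItemProperty -Path $netlogonParams
    [pscustomobject]@{
        # Netlogon defaults apply when the values are absent from the registry.
        Weight   = if ($null -ne $p.LdapSrvWeight)   { $p.LdapSrvWeight }   else { 100 }
        Priority = if ($null -ne $p.LdapSrvPriority) { $p.LdapSrvPriority } else { 0 }
    }
}

function Set-DcSrvRecordSettings {
    param(
        # SRV weight and priority are 16-bit values in DNS.
        [ValidateRange(0, 65535)][int]$Weight,
        [ValidateRange(0, 65535)][int]$Priority
    )
    if ($PSBoundParameters.ContainsKey('Weight')) {
        Set-ItemProperty -Path $netlogonParams -Name 'LdapSrvWeight' -Value $Weight -Type DWord
    }
    if ($PSBoundParameters.ContainsKey('Priority')) {
        Set-ItemProperty -Path $netlogonParams -Name 'LdapSrvPriority' -Value $Priority -Type DWord
    }
    # Netlogon re-registers its SRV records with the new values when it restarts.
    Restart-Service -Name Netlogon
    Get-DcSrvRecordSettings
}

# Show the current values before changing anything.
Get-DcSrvRecordSettings
```

For example, `Set-DcSrvRecordSettings -Weight 50` gives the PDC emulator roughly half the share of locator requests of a domain controller left at the default weight of 100; check the resulting SRV records in DNS after Netlogon restarts.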

Regulating Directory Database Growth Caused by Tombstones

Use the following procedures to manage removal of tombstones following bulk deletions.

  1. Change the garbage collection period to a lower interval. Decreasing the interval between garbage collections helps the system eliminate the tombstone backlog more quickly.

  2. Change the garbage collection logging level to 3. Increasing the logging level to 3 causes an event to be logged that reports the number of tombstones removed each time garbage collection occurs.

  3. Verify removal of tombstones in the event log. Check the Directory Service event log for NTDS event ID 1006, which reports the number of expired tombstones removed. When this event indicates that the number of tombstones removed is less than 5,000, the backlog has been cleared.

  4. Change the garbage collection period. When the event ID 1006 reports a number of removed tombstones less than 5,000, you can return the interval between garbage collections to the normal level.

  5. Change the garbage collection logging level, if needed. If you no longer want informational events logged for garbage collection, return the logging level to 0.

  6. Compact the directory database file (offline defragmentation), if needed. Clearing the backlog does not remove the white space created by the tombstones. Only offline defragmentation returns unused disk space to the file system.
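Steps 2 and 3 above, as an added PowerShell example that is not part of the original guide. It reads the current garbage collection logging level from the NTDS diagnostics registry key, collects NTDS event ID 1006 from the Directory Service log, and reports whether the most recent run removed fewer than 5,000 tombstones (the guide's sign that the backlog is cleared). The assumption that the removed-tombstone count is the first insertion string of event 1006 should be confirmed against a real event before the function is trusted; the sample events at the end are constructed so the decision logic can be run offline.

```powershell
# Added example, not from the operations guide: track the tombstone backlog
# through NTDS event ID 1006 and report when it is cleared.
# Assumes the Directory Service log is readable on this host.

function Get-GarbageCollectionLoggingLevel {
    # "6 Garbage Collection" is the NTDS diagnostics entry the guide raises to 3.
    (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics').'6 Garbage Collection'
}

function Get-GarbageCollectionEvents {
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1006 } -MaxEvents $MaxEvents |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated       = $_.TimeCreated
                # Assumption: the count is the first insertion string of the event.
                TombstonesRemoved = [int]$_.Properties[0].Value
            }
        }
}

function Test-TombstoneBacklogCleared {
    param(
        # Objects carrying TimeCreated and TombstonesRemoved, in any order.
        [Parameter(Mandatory)][object[]]$Events,
        # Garbage collection removes at most 5,000 tombstones per run, so a full
        # 5,000 means more may remain; anything less means the backlog is gone.
        [int]$ClearedThreshold = 5000
    )
    $latest = $Events | Sort-Object TimeCreated -Descending | Select-Object -First 1
    [pscustomobject]@{
        LastRun           = $latest.TimeCreated
        TombstonesRemoved = $latest.TombstonesRemoved
        BacklogCleared    = ($latest.TombstonesRemoved -lt $ClearedThreshold)
    }
}

# Constructed sample events: two full runs followed by a partial one.
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2008-09-15 00:00'; TombstonesRemoved = 5000 },
    [pscustomobject]@{ TimeCreated = [datetime]'2008-09-15 06:00'; TombstonesRemoved = 5000 },
    [pscustomobject]@{ TimeCreated = [datetime]'2008-09-15 12:00'; TombstonesRemoved = 1234 }
)
# Reports BacklogCleared = True because the newest run removed fewer than 5,000.
Test-TombstoneBacklogCleared -Events $sample
```

On a domain controller where the logging level has been raised, replace the constructed input with `Test-TombstoneBacklogCleared -Events (Get-GarbageCollectionEvents)`; a True result is the point at which steps 4 and 5 return the garbage collection period and logging level to normal.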

Relocating Directory Database Files

Use the following procedures to move or copy the database file, the log files, or both. Procedures are explained in detail in the linked topics.

  1. Determine the location and size of the directory database files. Use the database size to prepare a destination location of the appropriate size. Track the respective file sizes during the move to ensure that you successfully move the correct files. Be sure to use the same method to check file sizes when you compare them. The size is reported differently, depending on whether the domain controller is online or offline, as follows:

  2. Compare the size of the directory database files to the volume size. Before moving any files in response to low disk space, verify that no other files on the volume are responsible for the condition of low disk space.

  3. Back up system state. System state includes the database file and log files as well as SYSVOL and NETLOGON shared folders, among other things. Always ensure that you have a current backup prior to moving database files.

  4. Restart the domain controller in Directory Services Restore Mode, as follows:

  5. Move the database file, the log files, or both. Move the files to a temporary destination if you need to reformat the original location, or to a permanent location if you have additional disk space. Moving the files can be performed locally by using Ntdsutil.exe or remotely (temporarily) by using a file copy, as follows:

  6. If the path to the database or log files has changed, back up system state so that the restore procedure has the correct information.

Relocating the Staging Area Folder

Except where noted, perform these procedures on the domain controller that contains the Staging Area folder that you want to relocate. Procedures are explained in detail in the linked topics.

  1. Identify replication partners.

  2. On the replication partners, check the status of the shared system volume. You do not need to perform the test on every partner, but you need to perform enough tests to be confident that the shared system volumes on the partners are healthy.

  3. Verify that replication is functioning.

  4. Gather the SYSVOL path information.

  5. Stop the File Replication service.

  6. Create the new Staging Area folder.

  7. Set the Staging Area path.

  8. Prepare a domain controller for non-authoritative SYSVOL restore.

  9. Start the File Replication service.

Removing a Lingering Object from a Global Catalog Server

Use the following procedures to identify and remove a read-only lingering object from a global catalog server that is running Windows 2000 Server with SP3. Procedures are explained in detail in the linked topics.

  1. Establish the distinguished name and GUID of the object by searching the global catalog on an attribute that can uniquely identify the object. From the distinguished name, you can identify the domain by the DC= components.

  2. Identify the GUID of a domain controller that has a writable replica of the domain of the lingering object.

  3. Delete the lingering object from the global catalog server. In this procedure, use the GUID of the object and the GUID of the writable domain controller that you identified in procedures 1 and 2.

Removing a Site

Use the following procedures to remove a site. Procedures are explained in detail in the linked topics.

  1. Determine whether the server object has child objects. If a child object appears, do not delete the server object. If a domain controller has been decommissioned and one or more child objects appear below the server object, replication might not have completed. If replication has completed and child objects still exist, do not delete the server object; contact a supervisor.

  2. Delete the server objects within the Servers container of the site that you are removing.

  3. Delete the site link object, if appropriate. Obtain this information from the design team.

  4. Associate the subnet or subnets with the appropriate site, if appropriate. If you no longer want to use the IP addresses associated with the subnet object or objects, delete the subnet objects. Obtain this information from the design team.

  5. Delete the site object.

  6. Generate the intersite replication topology, if appropriate. By default, the KCC runs every 15 minutes to generate the replication topology. To initiate intersite replication topology generation immediately, use the following procedures to refresh the topology:

    1. Determine the ISTG role owner in the site.

    2. Generate the replication topology on the ISTG.

Removing Lingering Objects from an Outdated Writable Domain Controller

Use the following process to identify and remove lingering objects after you have discovered an outdated domain controller. The initial step in the process varies according to the version of Windows 2000 Server that you are using. Procedures are explained in detail in the linked topics.

  1. Identify and delete the initial occurrence of a lingering object, as follows:

    For Windows 2000 Server with SP2:

    1. Identify a revived lingering object and its replication source on a writable domain controller. Event ID 1388 provides the distinguished name of an object that has been updated on an outdated domain controller. The message also provides the GUID of the domain controller from which the update was replicated. Use the GUID to discover the name of the source domain controller. Repeat this process on each source domain controller until you identify a source domain controller that does not have the error. This domain controller is the outdated source domain controller.

    2. Disable outbound replication on the outdated source domain controller.

    3. Delete the object from the outdated source domain controller.

    For Windows 2000 Server with SP3:

  2. Identify unknown lingering objects on an outdated domain controller. This procedure requires the following series of subprocedures to be performed sequentially:

    1. Compare the directory databases of the outdated domain controller and the domain controller that received the initial replication error.

    2. Identify the distinguished names of the objects that exist on the outdated domain controller but not on the partner domain controller.

    Note: The results of this procedure identify only objects of classes for which the object counts differ between the two domain controllers. If the counts match because an object of a class was added on one domain controller while a different object of the same class was deleted on the other, and neither change replicated, this test cannot detect those inconsistent objects.

  3. On the outdated domain controller, view the replication metadata of objects that you identified in the previous procedure to determine whether they were created prior to the time the domain controller was disconnected or were created during the time that the domain controller was offline. If the newest date in the Org.Time/Date column is older than the date on which the domain controller was disconnected, the object is a lingering object.

  4. On the outdated domain controller, delete the objects that were created prior to the date and time that the domain controller was disconnected.

  5. Restart disabled outbound replication on the outdated domain controller (SP2 only).

  6. Synchronize replication from the outdated domain controller to the partner domain controller to replicate the deletions. Use the connection object on the replication partner that shows the name of the outdated domain controller in the From Server column. This procedure results in error messages on domain controllers that do not have the objects, but these messages can be ignored and will cease by the second replication cycle.

Removing Manually Created Trusts

You can remove a manually created trust by using one of the following methods. Procedures are explained in detail in the linked topics.

  1. Remove a manually created trust by using the Active Directory Domains and Trusts snap-in.

  2. Remove a manually created trust by using Netdom.exe.

Removing the Global Catalog from a Domain Controller

Use the following procedures to remove the global catalog from a domain controller. The procedures are explained in detail in the linked topics.

  1. Clear the Global Catalog setting.

  2. Monitor global catalog removal in Event Viewer.

Renaming a Domain Controller

Use the following procedures to rename a domain controller. You must perform these procedures directly on the domain controller; they cannot be performed remotely.

  1. Remove Active Directory. This procedure results in the domain controller becoming a member server in the domain.

  2. Rename the member server.

  3. Run the Active Directory Installation Wizard. This procedure installs Active Directory on the member server to restore it to domain controller status.

Caution: The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back up system state first. For information about backing up system state, see "Active Directory Backup and Restore" in this guide.

Restoring a Domain Controller Through Reinstallation and Subsequent Restore from Backup

To restore a domain controller through reinstallation and subsequently restore Active Directory from backup, you must ensure that you install Windows 2000 Server on the same drive letter and on a partition that is at least as large as the partition used before the failure. You must repartition the drive if necessary. After you reinstall Windows 2000, perform a non-authoritative restore of the system state and the system disk. Procedures are explained in detail in the linked topics.

  1. Install Windows 2000 Server on the same drive letter and partition as before the failure. (This procedure is not covered in this guide.)

  2. Restore from backup media.

  3. Verify Active Directory restore.

Restoring and Rebuilding SYSVOL

Use these procedures only if you are working on a domain controller that does not have a functional SYSVOL. Procedures are explained in detail in the linked topics.

  1. Identify replication partners.

  2. Choose a partner and check the status of the SYSVOL on the partner. Because you will be copying the system volume from one of the partners, you need to make sure that the system volume you copy from the partner is up-to-date.

  3. Verify that replication is functioning on the partner.

  4. Restart the domain controller that is being repaired in Directory Services Restore Mode. If you are at the console of the domain controller, restart it locally in Directory Services Restore Mode; if you are accessing it remotely through Terminal Services, restart it remotely in Directory Services Restore Mode.

  5. Gather the SYSVOL path information.

  6. Stop the File Replication service.

  7. Prepare a domain controller for non-authoritative SYSVOL restore.

  8. Import the SYSVOL folder structure.

  9. Start the File Replication service.

  10. Check the status of the shared system volume.

Restoring the Original Configuration of a Domain Controller

Use the following procedures to restore a domain controller to its original configuration.

  1. Configure the domain controller as a global catalog server, if appropriate.

  2. Transfer the domain operations master roles, if appropriate.

  3. Transfer the forest operations master roles, if appropriate.

  4. Create a delegation for the new domain controller, if appropriate. Perform this procedure in the parent domain of the domain of the DNS server, if one exists.

  5. Create a secondary DNS zone, if appropriate. Perform this procedure only if the DNS server is located in a child domain, not in the forest root domain.

  6. Change the delay for initial notification of an intrasite replication partner, if appropriate.

  7. Configure the domain controller as a preferred bridgehead server, if appropriate.

Caution: The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back up system state first. For information about backing up system state, see "Active Directory Backup and Restore" in this guide.

Seizing Operations Master Roles

Procedures are explained in detail in the linked topics.

  1. Verify that a complete end-to-end replication cycle has occurred. During the design process, you calculated the maximum end-to-end replication latency: the maximum amount of time it should take for a change to replicate between the two domain controllers in your enterprise that are farthest apart, based on the topology of your network. If you verify that replication is functioning properly and then wait this amount of time without making any additional changes to the directory, you can assume that all changes have replicated and the domain controller is up to date.

  2. Verify successful replication to a domain controller (the domain controller that will be seizing the role).

  3. Seize the operations master role.

  4. View the current operations master role holders.
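Steps 2 through 4 above, as an added PowerShell example that is not part of the original guide (which performs the seizure with Ntdsutil.exe on Windows 2000). It assumes the ActiveDirectory module available on Windows Server 2008 R2 and later, and a candidate domain controller name supplied by you. The replication check it performs only confirms that the candidate reports no replication failures; the wait for the end-to-end replication latency in step 1 is still your responsibility.

```powershell
# Added example, not from the operations guide: show the operations master role
# holders, refuse to seize onto a DC with replication failures, and seize with
# confirmation. Assumes the ActiveDirectory PowerShell module.
Import-Module ActiveDirectory

function Get-OperationsMasterRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Invoke-GuardedRoleSeizure {
    param(
        # Name of the DC that will take the role (your value; no default is assumed).
        [Parameter(Mandatory)][string]$Candidate,
        [Parameter(Mandatory)]
        [ValidateSet('PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster')]
        [string]$Role
    )
    # Step 2: the candidate must have replicated successfully before it takes the role.
    $failures = Get-ADReplicationFailure -Target $Candidate
    if ($failures) {
        throw "Replication failures reported for $Candidate; resolve them before seizing $Role."
    }
    # Step 3: -Force turns the transfer into a seizure, for use only when the
    # current role holder is permanently unavailable. -Confirm prompts first.
    Move-ADDirectoryServerOperationMasterRole -Identity $Candidate -OperationMasterRole $Role -Force -Confirm:$true
    # Step 4: view the role holders afterwards.
    Get-OperationsMasterRoleHolders
}

# Safe to run at any time: lists who holds each role right now.
Get-OperationsMasterRoleHolders
```

A seized role must never be returned to the original holder by simply bringing that machine back online; the linked topics on recovering a domain controller through reinstallation cover what to do with the former role holder.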

Updating the System Volume Path

Use the following procedures to update the system volume (SYSVOL) path. Procedures are explained in detail in the linked topics.

  1. Gather the System Volume path information.

  2. Stop the File Replication service.

  3. Set the SYSVOL path (if needed).

  4. Set the fRSRootPath (if needed).

  5. Set the Staging Area path (if needed).

  6. Start the File Replication service.
