
Managing the Windows Server Platform

Active Directory
Product Operations Guide
The information contained in this document represents the current
view of Microsoft Corporation on the issues discussed as of the date of
publication. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the
part of Microsoft, and Microsoft cannot guarantee the accuracy of any
information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES
NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE
INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, this document may
be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), but only for the purposes
provided in the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks,
copyrights, or other intellectual property rights covering subject matter
in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not
give you any license to these patents, trademarks, copyrights, or other
intellectual property.

Unless otherwise noted, the example companies, organizations,
products, domain names, e-mail addresses, logos, people, places, and
events depicted herein are fictitious, and no association with any real
company, organization, product, domain name, email address, logo,
person, place, or event is intended or should be inferred.

© 2003 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Windows, Windows NT, and Windows
Server are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may
be the trademarks of their respective owners.
iii Managing the Windows Server Platform

Contents

1 Introduction to Product Operations Guide (p. 1)
    Document Purpose (p. 1)
    Intended Audience (p. 1)
    How to Use This Guide (p. 1)
    Background (p. 2)
2 High-Level Processes for Maintaining Active Directory (p. 5)
    Overview (p. 5)
    Technology Required (p. 6)
    Maintenance Processes Checklist (p. 9)
        Operating Quadrant (p. 10)
        Supporting Quadrant (p. 12)
        Optimizing Quadrant (p. 13)
        Changing Quadrant (p. 15)
3 Detailed Maintenance Actions (p. 17)
    Overview (p. 17)
    Process: Back up Active Directory (p. 18)
        Task: Back up Active Directory and associated components (p. 21)
    Process: Non-authoritative restore of Active Directory (p. 22)
        Task: Perform a non-authoritative restore of a domain controller (p. 22)
        Task: Restore a domain controller through reinstallation and subsequent restore from backup (p. 23)
    Process: Authoritative restore for Active Directory objects (p. 24)
        Task: Perform an authoritative restore of one or more directory objects (p. 25)
        Task: Perform an authoritative restore of an application partition (p. 27)
        Task: Perform an authoritative restore of Group Policy (p. 27)
    Process: Recovering a domain controller through reinstallation (p. 28)
        Task: Recovering a domain controller through reinstallation (p. 28)
    Process: Installing a domain controller for an existing domain (p. 30)
        Task: Preparing for Active Directory installation (p. 31)
        Task: Install Active Directory (p. 33)
        Task: Install Active Directory from media (p. 33)
        Task: Unattended install of Active Directory (p. 34)
        Task: Verify Active Directory installation (p. 34)
    Process: Removing Active Directory (p. 36)
        Task: Decommission the domain controller (p. 37)
        Task: Forced removal of a domain controller (p. 38)
    Process: Rename a domain controller (p. 40)
        Task: Rename using the System Properties user interface (p. 40)
        Task: Rename using the Netdom command-line tool (p. 41)
    Process: Manage the Active Directory database (p. 42)
        Task: Relocate Active Directory database files (p. 43)
        Task: Returning unused disk space from the Active Directory database to the file system (p. 44)
    Process: Managing the SYSVOL (p. 47)
        Task: Changing the space allocated to the staging area (p. 49)
        Task: Relocate the staging area (p. 49)
        Task: Relocating SYSVOL manually (p. 50)
        Task: Updating the system volume path (p. 52)
        Task: Restoring and rebuilding SYSVOL (p. 52)
    Process: Manage the Windows Time service (p. 54)
        Task: Configuring a time source for the forest (p. 55)
        Task: Configuring a reliable time source on a computer other than the PDC emulator (p. 55)
        Task: Configuring a client to request time from a specific time source (p. 56)
        Task: Optimizing the polling interval (p. 57)
        Task: Disabling the Windows Time service (p. 57)
    Process: Managing trusts (p. 58)
        Task: Creating external trusts (p. 59)
        Task: Creating shortcut trusts (p. 60)
        Task: Removing manually created trusts (p. 61)
        Task: Preventing unauthorized privilege escalation (p. 61)
        Task: Creating cross-forest trusts (p. 62)
        Task: Managing selective authentication on a cross-forest trust (p. 63)
        Task: Removing the forest trust (p. 63)
    Process: Managing sites (p. 64)
        Task: Adding a new site (p. 65)
        Task: Adding a subnet to the network (p. 66)
        Task: Linking sites for replication (p. 67)
        Task: Changing site link properties (p. 67)
        Task: Moving a domain controller to a different site (p. 68)
        Task: Removing a site (p. 70)
    Process: Manage antivirus software on domain controllers (p. 73)
        Task: Exclude files not at risk of infection (p. 73)
        Task: Install software (p. 75)
    Process: Add a global catalog (p. 76)
        Task: Add the global catalog to a domain controller (p. 77)
        Task: Verify the global catalog readiness (p. 79)
    Process: Removing the global catalog from a domain controller (p. 80)
        Task: Remove a global catalog (p. 80)
    Process: Identify global catalog servers in a site (p. 81)
        Task: Identifying a global catalog server (p. 81)
        Task: Identifying a site that has no global catalog servers (p. 81)
        Task: Identifying sites that have universal group caching enabled (p. 81)
    Process: Move an operations master role (p. 83)
        Task: Designating a domain controller for an operations master role (p. 88)
        Task: Verifying the transfer of an operations master role (p. 89)
    Process: Reduce the workload on the PDC emulator (p. 90)
        Task: Adjusting the DNS weight setting (p. 90)
        Task: Adjusting the DNS priority registry setting (p. 91)
    Process: Transferring a role holder (p. 92)
        Task: Transfer to the standby operations master role (p. 93)
        Task: Transfer an operations master role when no standby is ready (p. 93)
    Process: Seize an operations master role (p. 95)
        Task: Seizing an operations master role (p. 97)
    Process: Choose a standby operations master (p. 99)
        Task: Choosing a standby operations master (p. 100)
4 Processes by MOF Role Clusters (p. 102)
    Operations Role Cluster (p. 102)
    Support Role Cluster (p. 103)
    Release Role Cluster (p. 103)
    Infrastructure Role Cluster (p. 104)
    Security Role Cluster (p. 105)
    Partner Role Cluster (p. 105)
5 Appendix (p. 106)
    Procedure Details (p. 106)

Contributors
Program Manager
Jeff Yuhas, Microsoft Corporation
Chris Macaulay, Microsoft Corporation

Lead Contributors
Nigel Cain, Microsoft Corporation
Arren Conner, Microsoft Corporation
Dmitry Dukat, Microsoft Corporation
Levon Esibov, Microsoft Corporation
Khushru Irani, Microsoft Corporation
Kamal Janardhan, Microsoft Corporation
Gregory Johnson, Microsoft Corporation
William Lees, Microsoft Corporation
Andreas Luther, Microsoft Corporation
Kevin Sims, Microsoft Corporation
Jeromy Statia, Microsoft Corporation

Test Manager
Greg Gicewicz, Microsoft Corporation

QA Manager
Jim Ptaszynski, Microsoft Corporation

Lead Technical Writer
Jerry Dyer, Microsoft Corporation

Lead Technical Editor
Laurie Dunham, Microsoft Corporation

Technical Editor
Patricia Rytkonen, Volt Technical Services

Production Editor
Kevin Klein, Volt Technical Services
1
Introduction to Product Operations Guide
Document Purpose
This guide describes processes and procedures for improving the
management of Microsoft® Active Directory® directory service in an
information technology (IT) infrastructure.

Intended Audience
This material should be useful for anyone planning to deploy this product
into an existing IT infrastructure, especially one based on the IT
Infrastructure Library (ITIL)—a comprehensive set of best practices for IT
service management—and Microsoft Operations Framework (MOF). It is
aimed primarily at two main groups: IT managers and IT support staff
(including analysts and service-desk specialists).

How to Use This Guide
This guide is divided into five chapters. The first chapter provides basic
background information. The second chapter provides a high-level
checklist of the processes required for maintaining this product. The third
chapter takes a more detailed look at the processes described in the
maintenance chapter and maps them to the tasks and procedures that
make up each process. The fourth chapter organizes processes by the role
responsible for each process. The fifth chapter contains an appendix with
procedure details, including requirements and steps.
The guide may be read as a single volume, including the detailed
maintenance and troubleshooting sections. Reading the document this
way will provide the necessary context so that later material can be
understood more readily. However, some people will prefer to use the
document as a reference, only looking up information as they need it.

Background
This guide is based on Microsoft Solutions for Management (MSM). MSM
provides a combination of best practices, best-practice implementation
services, and best-practice automation, all of which help customers
achieve operational excellence as demonstrated by high quality of service,
industry reliability, availability, security, and low total cost of ownership
(TCO).
These MSM best practices are based on MOF, a structured, yet flexible
approach centered on ITIL. MOF includes guidelines on how to plan,
deploy, and maintain IT operational processes in support of mission-critical
service solutions.
Central to MOF—and to understanding the structure of this guide—are the
MOF Process and Team Models. The Process Model and its underlying
service management functions (SMFs) are the foundation for the process-
based approach that this guide recommends for maintaining a product.
The Team Model and its role clusters offer guidance for how to ensure the
proper people are assigned to operational roles.
Figure 1 shows the MOF Process Model combined with the SMFs that make
up each quadrant of the Process Model.

Figure 1
MOF Process Model and SMFs

Figure 2 shows the MOF Team Model, along with some of the many
functional roles or function teams that might exist in service-management
organizations. Those roles and function teams are shown mapped to the
MOF role cluster to which they would likely belong.

[Figure 2 shows the six MOF role clusters with example functional roles or teams; the figure is rendered here as a list.]
Release: Change management; Release/systems engineering; Configuration control/asset management; Software distribution/licensing; Quality assurance
Security: Intellectual property protection; Network and system security; Intrusion detection; Virus protection; Audit and compliance admin; Contingency planning
Infrastructure: Enterprise architecture; Infrastructure engineering; Capacity management; Cost/IT budget management; Resource and long-range planning
Partner: Maintenance vendors; Environment support; Managed services, outsourcers, trading partners; Software/hardware suppliers
Support: Service desk/help desk; Production/production support; Problem management; Service level management
Operations: Messaging operations; Database operations; Network administration; Monitoring/metrics; Availability management

Figure 2
MOF Team Model and examples of functional roles or teams
The MOF Team Model is built on six quality goals, which are described and
matched with the applicable team role cluster in Table 1.
Table 1. MOF Team Model Quality Goals and Role Clusters
Team Role Cluster: Quality Goal
Release: Effective release and change management. Accurate inventory tracking of all IT services and systems.
Infrastructure: Management of physical environments and infrastructure tools.
Support: Quality customer support and a service culture.
Operations: Predictable, repeatable, and automated system management.
Partner: Mutually beneficial relationships with service and supply partners.
Security: Protected corporate assets, controlled authorization, and proactive security planning.

Further information about MSM and MOF is available at
http://www.microsoft.com/solutions/msm/techinfo/default.asp, or search
for the topic on TechNet at http://www.microsoft.com/technet/default.asp.
You can also contact your local Microsoft or partner representative.
Chapter 2: High-Level Processes for Maintaining Active Directory
Overview
Every company consists of employees (people), activities that those
employees perform (processes), and tools that help them perform those
activities (technology). No matter what the business, it most likely consists
of people, processes, and technology working together to achieve a
common goal. Table 2 illustrates this point.
Table 2. People, Processes, and Technology Working Together
Area: People; Process; Technology
Auto repair industry: Mechanic; Repair manual; Socket set
Software development industry: Programmer; Project plan; Compiler, debugger
IT operations: IT technician; Microsoft Operations Framework; Microsoft Active Directory

The focus of this product operations guide is Active Directory® directory
service—the directory service for the Microsoft Windows Server™ 2003
family. Active Directory stores information about objects on the network;
its logical, hierarchical organization of directory information makes it easy
for administrators and users to find this information. Windows Server 2003
brings many improvements to Active Directory, making it more versatile,
dependable, and economical to use. In Windows Server 2003, Active
Directory provides increased performance and scalability. It also allows
you greater flexibility for designing, deploying, and managing an
organization's directory.
Technology Required
Table 3 lists the tools or technologies used in the processes, and their
subordinate tasks and procedures, described in this guide. All tools should
be accessed from a Windows Server 2003 server console, except in those
cases where a link is provided.
Table 3. Tools or Technologies Required to Manage Active Directory
(Each entry gives the required technology, its description, and its location.)

Backup utility
  Description: Performs backup and restore operations. It is automatically installed with Windows Server 2003. In Windows Server 2003, the backup utility is Backup.exe. The wizard, or basic mode, is called Backup or Restore Wizard; in advanced mode, it is called Backup Utility.
  Location: Start > All Programs > Accessories > System Tools > Backup. Or, to open the Backup tool using the command line: Start > Run. In the Open box, type ntbackup and then click OK.

DNS Manager
  Description: Used for modifying DNS parameters. These centralized management and monitoring tools can be found either in Administrative Tools after initial installation of the DNS service, or through Adminpak.msi.
  Location: Start > Control Panel > Administrative Tools. Or, to open DNS Manager using the command line, type: %systemroot%\System32\dnsmgmt.msc

Active Directory Domains and Trusts Microsoft Management Console snap-in
  Description: Used for modifying Active Directory domains and trusts. These centralized management and monitoring tools can be found either in Administrative Tools after initial installation of Active Directory, or through Adminpak.msi.
  Location: Start > Control Panel > Administrative Tools. Or, to open the MMC snap-in using the command line, type: %systemroot%\System32\domain.msc

Active Directory Installation Wizard
  Description: Used to promote or demote a domain controller.
  Location: Start > Run > dcpromo

Active Directory Schema snap-in
  Description: Used for modifying the Active Directory schema. This tool does not appear by default in Administrative Tools.
  Location: Open the MMC snap-in using the command line; type: %systemroot%\System32\schmmgmt.msc

Active Directory Sites and Services MMC snap-in
  Description: Used for modifying Active Directory sites and services. This centralized management and monitoring tool can be found either in Administrative Tools after initial installation of Active Directory, or through Adminpak.msi.
  Location: Start > Control Panel > Administrative Tools. Or, to open the MMC snap-in using the command line, type: %systemroot%\System32\dssite.msc

Active Directory Users and Computers MMC snap-in
  Description: Used for modifying Active Directory users and computers. These centralized management and monitoring tools can be found either in Administrative Tools after initial installation of Active Directory, or through Adminpak.msi.
  Location: Start > Control Panel > Administrative Tools. Or, to open the MMC snap-in using the command line, type: %systemroot%\System32\dsa.msc

ADSI Edit MMC snap-in
  Description: Used for editing Active Directory to add, delete, or move objects within the directory. This centralized management and monitoring tool can be found either in Administrative Tools after initial installation of Active Directory, or through Adminpak.msi.
  Location: Open the MMC snap-in using the command line; type: %systemroot%\System32\adsiedit.msc

Dcdiag.exe
  Description: This command line tool analyzes the state of domain controllers in the forest or enterprise and reports any problems to assist in troubleshooting.
  Location: Start > Run > dcdiag.exe

Event Viewer
  Description: Provides logs for transactional reactive reviews of system and service events. It is automatically installed with Windows Server 2003.
  Location: Start > Control Panel > Administrative Tools > Event Viewer. Or, to open Event Viewer using the command line: Start > Run. In the Open box, type eventvwr.msc and then click OK.

Ldp.exe
  Description: Used to connect, bind, search, modify, add, and delete against any LDAP-compatible directory such as Active Directory. Used to view objects stored in Active Directory along with their metadata.
  Location: Start > Run. In the Open box, type ldp.exe and then click OK.

Net.exe
  Description: A set of commands for a variety of tasks, such as managing user accounts and computer accounts, sending messages, and managing shared resources.
  Location: Start > Run > cmd; at the command prompt, type net to see options.

Netdiag.exe
  Description: Helps isolate networking and connectivity problems by performing a series of tests to determine the state of the network client.
  Location: Start > Run > cmd; at the command prompt, type netdiag /? to see options.

Netdom.exe
  Description: Enables administrators to manage Windows 2000 and Windows Server 2003 domains and trust relationships from the command line.
  Location: Start > Run > cmd; at the command prompt, type netdom /? to see options.

Nltest.exe
  Description: Helps you get a list of domain controllers, force a remote shutdown, and query the status of trust relationships.
  Location: Start > Run > cmd; at the command prompt, type nltest /? to see options.

Ntdsutil.exe
  Description: Used to perform database maintenance of Active Directory, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled.
  Location: Start > Run > cmd; at the command prompt, type ntdsutil /? to see options.

Registry Editor
  Description: Enables you to view and change settings within the registry.
  Location: Start > Run > regedit

Repadmin.exe
  Description: Command line tool that helps administrators diagnose replication problems between domain controllers.
  Location: Start > Run > cmd; at the command prompt, type repadmin /? to see options.

Secedit.exe
  Description: Configures and analyzes system security by comparing the current configuration with at least one security template.
  Location: Start > Run > cmd; at the command prompt, type secedit /? to see options.

Services snap-in
  Description: MMC snap-in that allows you to start, stop, or restart Windows services.
  Location: Start > Run > MMC > Services.msc

Ultrasound
  Description: A tool that allows administrators to monitor the health of the File Replication service (FRS).
  Location: See www.microsoft.com for more information on the Ultrasound utility.

W32tm.exe
  Description: A tool used to diagnose problems having to do with Windows time.
  Location: Start > Run > cmd; at the command prompt, type w32tm /? to see options.

Maintenance Processes Checklist


The following tables provide a quick reference for those product
maintenance processes that need to be performed on a regular basis.
These tables represent a summary of the processes, and their subordinate
tasks and procedures, described in more detail in subsequent chapters of
this guide. They are limited to those processes required for maintaining
the product.
Only the pertinent MOF quadrants and SMFs are addressed in this chapter.
For example, there are no processes that fall within the Supporting
Quadrant. There is a placeholder for the Supporting Quadrant, but no
tables.
Also, because all of the Active Directory maintenance processes
addressed here fall into the as-needed category, the daily, weekly, and
monthly portions of the tables are blank. Only the portion of each table
that has associated processes is filled in.
Each listed process is linked to a detailed explanation of the process in the
following chapter.
Operating Quadrant
The processes for this section are based on the service management
functions that make up the MOF Operating Quadrant. Further information
on the MOF Process Model and the MOF SMFs is available at
http://www.microsoft.com/solutions/msm and
http://www.microsoft.com/mof.
System Administration SMF


Daily Processes (Process Name, with the MOF Role Cluster in parentheses)
  Back up Active Directory (Operations)
Weekly Processes
  There are no weekly processes for this SMF.
Monthly Processes
  There are no monthly processes for this SMF.
As-Needed Processes (Process Name, with the MOF Role Cluster in parentheses)
  Restore Active Directory (Operations)
  Rename a domain controller (Operations)
  Transferring a role holder (Infrastructure)
  Seize an operations master role (Infrastructure)
  Choose a standby operations master (Infrastructure)
  Managing the SYSVOL (Infrastructure)
  Managing sites (Infrastructure)
  Authoritative restore for Active Directory objects (Operations)
  Recovering a domain controller through reinstallation (Operations)
  Move an operations master role (Infrastructure)
Security Administration SMF


Daily Processes
  There are no daily processes for this SMF.
Weekly Processes
  There are no weekly processes for this SMF.
Monthly Processes
  There are no monthly processes for this SMF.
As-Needed Processes (Process Name, with the MOF Role Cluster in parentheses)
  Manage antivirus software on domain controllers (Security)

Supporting Quadrant
There are no Active Directory processes that fall within the MOF
Supporting Quadrant and its SMFs.
Optimizing Quadrant
The tasks for this section are based on the SMFs that make up the MOF
Optimizing Quadrant.

Availability Management SMF


Daily Processes
  There are no daily processes for this SMF.
Weekly Processes
  There are no weekly processes for this SMF.
Monthly Processes
  There are no monthly processes for this SMF.
As-Needed Processes (Process Name, with the MOF Role Cluster in parentheses)
  Manage the Active Directory database (Infrastructure)
  Add a global catalog (Infrastructure)
  Manage the Windows Time service (Infrastructure)
  Managing trusts (Infrastructure)
Capacity Management SMF


Daily Processes
  There are no daily processes for this SMF.
Weekly Processes
  There are no weekly processes for this SMF.
Monthly Processes
  There are no monthly processes for this SMF.
As-Needed Processes (Process Name, with the MOF Role Cluster in parentheses)
  Removing the global catalog from a domain controller (Infrastructure)
  Identify global catalog servers in a site (Infrastructure)
  Reduce the workload on the PDC emulator (Infrastructure)
Changing Quadrant
The processes for this section are based on the SMFs that make up the
MOF Changing Quadrant.

Release Management SMF


Daily Processes
  There are no daily processes for this SMF.
Weekly Processes
  There are no weekly processes for this SMF.
Monthly Processes
  There are no monthly processes for this SMF.
As-Needed Processes (Process Name, with the MOF Role Cluster in parentheses)
  Installing a domain controller for an existing domain (Release)
Change Management SMF


Daily Processes
  There are no daily processes for this SMF.
Weekly Processes
  There are no weekly processes for this SMF.
Monthly Processes
  There are no monthly processes for this SMF.
As-Needed Processes (Process Name, with the Related SMF and MOF Role Cluster in parentheses)
  Removing Active Directory (Release Management SMF; Release)
Chapter 3: Detailed Maintenance Actions
Overview
This chapter provides detailed information about the processes that must
be performed in order to maintain Active Directory. These processes are
arranged according to the MOF quadrant to which they belong and, within
each quadrant, by the MOF service management functions (SMFs) that
make up that quadrant.
Those quadrants are:
● Operating Quadrant
● Supporting Quadrant
● Optimizing Quadrant
● Changing Quadrant

Further information about the MOF Process Model and the MOF SMF guides
is available at http://www.microsoft.com/solutions/msm. Further
information about the MOF Team Model and role clusters is available at
http://www.microsoft.com/mof.
Quadrant: Operating. SMF: System Administration. Role Cluster: Operations. Frequency: Daily.

Process: Back up Active Directory


Description
Active Directory is backed up as part of Microsoft Windows® system state,
a collection of system components that depend on each other. All system
state components must be backed up and restored together.
The system state components on a domain controller include:
● System start-up (boot) files. These are the files required for Windows
Server 2003 to start.
● System registry.
● Class registration database of component services. The Component
Object Model (COM) is a binary standard for writing component
software in a distributed systems environment.
● System volume (SYSVOL). SYSVOL provides a default Active Directory
location for files that must be shared for common access throughout a
domain. The SYSVOL folder on a domain controller contains:
● Net Logon shared folders. These usually host user logon scripts and
Group Policy objects (GPOs) for network clients that are not running
Windows 2003.
● User logon scripts for Active Directory-enabled clients.
● Windows 2003 GPOs.
● File system junctions.
● File Replication service (FRS) staging directories and files that are
required to be available and synchronized between domain
controllers.
● Active Directory, including:
● The Active Directory database (Ntds.dit)
● The checkpoint file (Edb.chk)
● The transaction logs, each 10 megabytes (MB) in size, (Edb*.log)
● Reserved transaction logs (Res1.log and Res2.log)

If you use Active Directory-integrated Domain Name System (DNS), be
sure that you back up a domain controller that is hosting DNS. If you do
not use Active Directory-integrated DNS, you must explicitly back up the
zone files. However, if you back up the system disk along with the system
state, zone data is backed up as part of the system disk.
If you installed Windows Clustering or Certificate Services on your domain
controller, they are also backed up as part of system state. Details of
these components are not discussed in this guide.
Purpose
There are several reasons why a current, verified, and reliable backup is
needed:
● To restore Active Directory data that becomes lost or corrupted. Using
an authoritative restore process, you can restore individual objects or
sets of objects from their deleted state.
● To recover a domain controller that cannot boot normally because of
software or hardware failure.
● To perform a forest recovery in the event that forest-wide corruption
occurs.
● To perform an install from media operation. This new feature in
Windows Server 2003 allows you to promote a new domain controller
and populate it with current information from a local source, rather
than having to wait for a full sync replication over potentially much
slower media—for example, a 56K connection.

Guidelines
Although the Backup tool in Windows Server 2003 supports multiple types
of backup—normal, copy, incremental, differential, and daily—the only
type of backup available and supported for Active Directory is normal,
because Active Directory is backed up as part of system state. A normal
backup creates a backup of the entire system state while the domain
controller is online.
If you do not use Active Directory-integrated DNS zones, you should
include the file paths that contain all of your DNS zone files in the backup,
in addition to the system state and/or system disk, to ensure a successful
recovery.
Which domain controllers to back up
For every Active Directory domain, you can define a backup set composed
of the physical domain controllers that would be required to successfully
restore the domain. The collection of domain backup sets ensures that a
forest restore operation can be performed.
At a minimum, the backup set consists of two or more domain controllers
for each domain and at least one domain controller that is a member of an
application partition replica set.
The backup set must contain a system state, a system disk backup for
each computer in the set, and a global catalog.
If you are using Active Directory-integrated DNS, it would be useful to back
up at least one DNS server.

Note A backup can only be used to restore the domain controller that the backup
was generated from. It cannot be used to restore a different domain controller or
this domain controller onto different hardware.
When to back up Active Directory


At a minimum, each domain controller in the backup set must be backed
up at least twice within the tombstone lifetime. By default, the tombstone
lifetime is 60 days, which places the requirement of a backup for each
domain controller in the backup set every 30 days.
While monthly backup operations are adequate for successful disaster
recovery, they do not facilitate the recovery of new information since the
last backup. You will need to consider these changes when you are
planning backup frequency. The frequency of backups is dictated both by
business requirements and technical requirements and should be adjusted
according to your deployment's needs.
By default, machine accounts change their passwords every 30 days.
Therefore, domain controllers will also change their machine account
passwords every 30 days. If you were to restore a domain controller with
an old password, it could result in that domain controller being unable to
replicate with its partners. Therefore, to minimize the effect of restoring a
domain controller with an old password, you should perform a backup
more than once every 30 days.
In addition to regular backup requirements, an immediate backup should
be taken when:
● The storage location of the database (Ntds.dit) or log files is changed.
● A domain controller is upgraded from Windows 2000 Server to
Windows Server 2003, or any further operating system upgrades.
● A current backup is required for an install from media operation for a
new domain controller.
● The tombstone lifetime is changed.

Note A backup from a Windows 2000 Server cannot be used to restore a domain
controller running Windows Server 2003.

Active Directory protects itself from restoring data older than the
tombstone lifetime by disallowing the restore. As a result, the useful life of
a backup is equivalent to the tombstone lifetime setting for the enterprise.
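As an added example that is not part of the original guide, the following Python script encodes the backup-set and backup-age rules stated above (two domain controllers per domain, a backed-up member of each application partition replica set, a backed-up global catalog, two backups within the tombstone lifetime, the 30-day machine account password interval, and the tombstone lifetime as the useful life of a backup). The forest inventory, names and dates are constructed sample data; the tombstone lifetime argument lets you see how the thresholds move when it is changed.

```python
"""Backup-set checks for Active Directory domain controllers.

Added example, not code from the original guide. It encodes the rules the
guide states for a backup set: at least two domain controllers with usable
backups per domain, at least one backed-up member of each application
partition replica set, at least one backed-up global catalog, and each
member backed up at least twice within the tombstone lifetime. A backup
older than the tombstone lifetime cannot be restored. Names and dates below
are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

MACHINE_PASSWORD_INTERVAL_DAYS = 30   # default machine account password age
DEFAULT_TOMBSTONE_LIFETIME_DAYS = 60  # default tombstone lifetime


@dataclass
class DomainController:
    name: str
    domain: str
    is_global_catalog: bool = False
    application_partitions: Tuple[str, ...] = ()  # replica sets this DC belongs to
    last_backup: Optional[date] = None           # None means never backed up


def backup_status(dc, today, tombstone_days=DEFAULT_TOMBSTONE_LIFETIME_DAYS):
    """Classify the most recent backup of one domain controller."""
    if dc.last_backup is None:
        return "missing"
    age = (today - dc.last_backup).days
    if age >= tombstone_days:
        # Active Directory refuses to restore data older than the tombstone lifetime.
        return "expired"
    if age > tombstone_days // 2:
        # At this pace fewer than two backups fall within one tombstone lifetime.
        return "overdue"
    if age >= MACHINE_PASSWORD_INTERVAL_DAYS:
        # The restored DC may come back with an old machine account password
        # and fail to replicate with its partners.
        return "password-risk"
    return "ok"


def validate_backup_set(dcs, today, tombstone_days=DEFAULT_TOMBSTONE_LIFETIME_DAYS):
    """Return the list of problems with the backup set (empty when it is sound)."""
    status = {dc.name: backup_status(dc, today, tombstone_days) for dc in dcs}
    usable = [dc for dc in dcs if status[dc.name] not in ("missing", "expired")]
    problems = []
    for domain in sorted({dc.domain for dc in dcs}):
        if sum(1 for dc in usable if dc.domain == domain) < 2:
            problems.append(f"{domain}: fewer than two domain controllers with usable backups")
    for partition in sorted({p for dc in dcs for p in dc.application_partitions}):
        if not any(partition in dc.application_partitions for dc in usable):
            problems.append(f"{partition}: no replica member with a usable backup")
    if not any(dc.is_global_catalog for dc in usable):
        problems.append("no global catalog with a usable backup")
    problems.extend(f"{dc.name}: backup {status[dc.name]}" for dc in dcs
                    if status[dc.name] != "ok")
    return problems


# Constructed inventory of a small two-domain forest.
TODAY = date(2003, 6, 30)
SAMPLE_DCS = [
    DomainController("DC1", "corp.example.com", is_global_catalog=True,
                     application_partitions=("DomainDnsZones.corp.example.com",),
                     last_backup=date(2003, 6, 20)),   # 10 days old
    DomainController("DC2", "corp.example.com", last_backup=date(2003, 6, 1)),        # 29 days old
    DomainController("DC3", "child.corp.example.com", last_backup=date(2003, 4, 15)),  # 76 days old
    DomainController("DC4", "child.corp.example.com", last_backup=date(2003, 5, 25)),  # 36 days old
]

if __name__ == "__main__":
    for problem in validate_backup_set(SAMPLE_DCS, TODAY):
        print(problem)
```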
Task: Back up Active Directory and associated components
Procedure: Back up system state
Link to procedure

Procedure: Back up system state and the system disk


Link to procedure
Dependencies
None
Technology Required
● Backup
● Tape drive or other backup media
Quadrant: Operating. SMF: System Administration. Role Cluster: Operations. Frequency: As Needed.

Process: Non-authoritative restore of Active Directory
Description
A non-authoritative restore returns the domain controller to its state at the
time of backup and then allows normal replication to overwrite that state
with any changes that have occurred after the backup was taken. After
you restore the system state, the domain controller queries its replication
partners. The replication partners replicate any changes to the restored
domain controller, ensuring that the domain controller has an accurate
and updated copy of the Active Directory database.
Purpose
A non-authoritative restore allows the entire directory to be restored on a
domain controller, without reintroducing or changing objects that have
been modified since the backup. The most common use of a non-
authoritative restore is to bring an entire domain controller back, often
after catastrophic or debilitating hardware failures. It is uncommon for
data corruption to drive a non-authoritative restore, unless the corruption
is local and the database cannot be successfully loaded.
Guidelines
If you intend to restore a deleted object (or objects), you should refer to
the procedures outlined for an authoritative restore. A non-authoritative
restore should be used any time the entire directory is being restored on a
single domain controller in order to deal with a local database corruption
or hardware failure. A non-authoritative restore can be performed on a
Windows Server 2003 system that is a stand-alone server, member server,
or domain controller. A server must be in Directory Services Restore Mode
to perform a non-authoritative restore.

Task: Perform a non-authoritative restore of a domain controller
A non-authoritative restore is the default method for restoring Active
Directory. To perform a non-authoritative restore, you must be able to
start the domain controller in Directory Services Restore Mode. After you
restore the domain controller from backup media, replication partners use
the standard replication protocols to update both the Active Directory and
associated information on the restored domain controller.
Procedure 1: Restart the domain controller in Directory Services Restore Mode

Note If you have to reinstall the operating system, you do not have to start in
Directory Services Restore Mode to perform the non-authoritative restore. After
you have reinstalled the operating system, you can perform the restore after the
machine boots normally.

Link to procedure.

Procedure 2: Restore from backup media


Link to procedure.

Procedure 3: Verify Active Directory restore


Link to procedure.

Task: Restore a domain controller through reinstallation and subsequent restore from backup
If you cannot restart a domain controller in Directory Services Restore
Mode, you can restore it through reinstallation of the operating system,
and subsequently restore Active Directory from backup.
In order for the restore operation to succeed, Windows Server 2003 must
be reinstalled to the same drive letter as previously and with at least the
same amount of physical drive space. After you reinstall Windows Server
2003, perform a non-authoritative restore of the system state and the
system disk.

Procedure 1: Install Windows Server 2003


This guide does not address installing Windows Server 2003.

Procedure 2: Restore from backup media


Link to procedure.

Procedure 3: Verify Active Directory restore


Link to procedure.
Dependencies
The domain controller being restored needs to have a previous backup
taken with the Backup utility.
Technology Required
Backup
Quadrant: Operating. SMF: System Administration. Role Cluster: Operations. Frequency: As Needed.

Process: Authoritative restore for Active Directory objects
Description
An authoritative restore process returns an object to its state at the time
of the most recent backup. Changes made since the latest backup will be
erased. This differs from a non-authoritative restore, which relies on the
presence of a replication partner to bring in the current data, including
information about objects that were deleted since the backup.
An authoritative restore should not be relied on as part of a change control
infrastructure. Proper delegation of administration and change
enforcement will optimize data consistency, integrity, and security.
Purpose
An authoritative restore is most commonly used to restore corrupt or
deleted objects from the directory—for example, a deleted user account.
An authoritative restore should not be used to restore an entire domain
controller.
Guidelines
An authoritative restore of a subtree or leaf object restores that subtree or
leaf and marks it as authoritative for the directory. This means that the
restored object will be replicated out to other domain controllers and will
be the data that is maintained moving forward. In cases where the object
was deleted, it will be revived; in other cases, the object will be returned
to a previous state.
It is important to ensure successful recovery of the information being
restored. Group membership is particularly sensitive and can be greatly
affected by the procedures that are followed during an authoritative
restore.
You begin by restoring from backup media, just as in a non-authoritative
restore, and then perform the following additional steps to complete an
authoritative restore.
Task: Perform an authoritative restore of one or more directory objects

Note If the objects that were deleted do not include group objects, then you don’t
need to perform steps 3-10. Additionally, if the groups that were deleted do not
have members among the list of deleted objects, then you do not need to perform
steps 3-10.

Procedure 1: Restore from backup media


Link to procedure.

Procedure 2: Mark the object(s) authoritative


Once the data has been restored from backup, you must select which
objects are to be marked authoritative in order to have them replicated to
other domain controllers. In order to complete this operation, you must
know the full distinguished name (also known as DN) of the object you
wish to restore.
Link to procedure.

Procedure 3: Reboot the computer in isolation


To combat some of the challenges of a distributed system and to ensure
successful restoration of data, it is necessary to follow some additional
precautions during the authoritative restore process.
Rebooting the machine in isolation helps you prepare for the next step,
which is to turn off inbound replication, since you cannot turn off inbound
replication in Directory Services Restore Mode.
If you do need to reboot, the most common way to boot a computer in
isolation is to remove the network connection from the domain controller
by physically removing the network cable. Alternate methods may be
possible depending on your network hardware and enterprise practices.
It is important to prevent the domain controller from communicating with
any other domain controller in the domain or forest. You should also
isolate the domain controller from any clients that could invoke change on
any object in the directory.

Procedure 4: Turn off inbound replication using repadmin


By turning off inbound replication, you ensure that no changes replicate
into the domain controller and alter group membership.
Link to procedure.
Procedure 5: Reconnect the computer to the network


Once inbound replication has been turned off, it is safe to reconnect the
domain controller to the network.
If you isolated your computer by removing the network cable or by
disconnecting the network connection from the domain controller,
reconnect it to bring the domain controller back onto the network.
If you followed other procedures based on your enterprise network
equipment, follow the equipment's recommendations for reconnecting the
domain controller to the network.

Procedure 6: Allow this computer to replicate with all its partners


In order for the newly restored object to become available and be
instantiated in its restored form on all domain controllers, successful
replication between the domain controller originating the restored
changes and its partners must occur.
Link to procedure.

Procedure 7: Restart domain controller in Directory Services Restore Mode
Link to procedure.

Procedure 8: Mark the object(s) authoritative


One of the challenges of restoring objects, and their group memberships,
is the fact that the membership and object may replicate in different
orders. If the membership replicates before a user is restored, the
receiving domain controller will not update the membership as the user
does not exist. In order to overcome the effects of this behavior, it is
necessary to mark the objects that have been restored authoritative a
second time, and once again have the information replicated out.
Link to procedure.

Procedure 9: Reboot computer


Once the authoritative restore of the object or objects has been completed
a second time, the domain controller can be rebooted into normal mode.

Note There are no further details for this procedure.

Procedure 10: Turn on inbound replication


Link to procedure.
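The reason for the second authoritative marking in Procedure 8, as an added example that is not part of the original guide: a small Python model of two domain controllers in which the partner drops a group membership link whose target user has not yet arrived, and in which marking the group authoritative a second time (after the user has replicated) re-sends the membership. The domain controller names, distinguished names and version bump are constructed; the model is a simplification of replication, not the directory service's own code.

```python
"""Why restored groups are marked authoritative a second time.

Added example, not code from the original guide: a minimal model of two
domain controllers replicating a restored user and a group that lists the
user as a member. It reproduces the behaviour the guide describes in
Procedure 8: when the group's membership reaches a partner before the user
object does, the partner drops the link because the user does not exist
there, and a second authoritative marking of the group re-sends the
membership once the user is present. All object names are constructed.
"""

# Constructed distinguished names.
USER = "CN=Alice,OU=Staff,DC=corp,DC=example,DC=com"
GROUP = "CN=Auditors,OU=Groups,DC=corp,DC=example,DC=com"

AUTHORITATIVE_VERSION_INCREMENT = 100000  # large bump so the restored copy wins


class DomainController:
    def __init__(self, name):
        self.name = name
        self.objects = {}  # DN -> (version, attributes); "member" is a set of DNs

    def apply_inbound(self, dn, version, attributes):
        """Accept a replicated object only if it is newer than the local copy,
        and keep only member links whose target object exists locally."""
        current = self.objects.get(dn)
        if current is not None and current[0] >= version:
            return False
        attrs = dict(attributes)
        if "member" in attrs:
            attrs["member"] = {m for m in attrs["member"] if m in self.objects}
        self.objects[dn] = (version, attrs)
        return True

    def members_of(self, group_dn):
        return set(self.objects[group_dn][1].get("member", set()))


def mark_authoritative(dc, dn):
    """Raise the object's version so its copy overrides every replica."""
    version, attrs = dc.objects[dn]
    dc.objects[dn] = (version + AUTHORITATIVE_VERSION_INCREMENT, attrs)


def replicate(source, target, dns):
    """Push the listed objects from source to target in the given order."""
    for dn in dns:
        version, attrs = source.objects[dn]
        target.apply_inbound(dn, version, attrs)


def run_scenario(arrival_order, second_marking):
    """Return the group's membership as seen on the replication partner.

    arrival_order: order in which the partner receives the restored objects.
    second_marking: whether the group is marked authoritative again and
    replicated once more, as in Procedures 7 to 10 of the guide.
    """
    restored_dc = DomainController("DC1")  # where the authoritative restore ran
    partner = DomainController("DC2")      # objects were deleted there; modelled as absent
    restored_dc.objects[USER] = (1, {})
    restored_dc.objects[GROUP] = (1, {"member": {USER}})
    mark_authoritative(restored_dc, USER)
    mark_authoritative(restored_dc, GROUP)
    replicate(restored_dc, partner, arrival_order)
    if second_marking:
        mark_authoritative(restored_dc, GROUP)
        replicate(restored_dc, partner, [GROUP])
    return partner.members_of(GROUP)


if __name__ == "__main__":
    print("group before user, single marking:", run_scenario([GROUP, USER], False))
    print("group before user, second marking:", run_scenario([GROUP, USER], True))
```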
Task: Perform an authoritative restore of an application partition
Restoration of an application partition will mark all data that is present in
the application partition as authoritative for the replica set. Information
that is contained within an application partition will replicate to all domain
controllers in the forest that were previously present in the replica set. You
should have a current valid backup of the application partition prior to
restoring, in the event that particular object changes are lost because of
changes since backup.
If you wish to restore an object or objects from an application partition,
refer to the Task: “Perform an authoritative restore of one or more
directory objects.”

Procedure 1: Restore from backup media


Link to procedure.

Procedure 2: Mark the application partition as authoritative


Link to procedure.

Procedure 3: Reboot computer


Once the authoritative restore of the object or objects has been completed
a second time, the domain controller can be rebooted into normal mode.

Task: Perform an authoritative restore of Group Policy


Restoring a GPO restores the GPO to a previous state. A restore operation
can be used in both of the following cases: the GPO was backed up but
has since been deleted, or the GPO is live and you want to roll back to a
known previous state. A restore operation retains the original GPO GUID
even if the restore is recreating a deleted GPO. This is a key difference
between the restore operation and the import or copy operations
discussed in later sections of this guide.
A restore operation replaces the following components of a GPO:
● GPO settings
● ACLs on the GPO
● WMI filter links (but not the filters themselves)

The restore operation does not restore links to a SOM (Scope of
Management). Any existing links will continue to be used—for example,
when restoring an existing GPO to a previous state. However, if the user
has deleted a GPO and all links to the GPO, the user must recreate these
links after restoring the GPO. To facilitate recreating these links, you can
view the report in the backup to identify all links in the domain of the GPO.
For more information, see Administering Group Policy with the GPMC at
http://www.microsoft.com/windowsserver2003/gpmc/gpmcwp.mspx.

Procedure 1: Restore Group Policy


Link to procedure.
Active Directory Product Operations Guide 28

Quadrant: Operating | SMF: System Administration | Role Cluster: Operations | As Needed

Process: Recovering a domain controller through reinstallation
Description
Recovering through reinstallation is the same process as creating a new
domain controller. It does not involve restoring from backup media. This
method relies on Active Directory replication to restore a domain
controller to a working state and is valid only if another healthy domain
controller exists in the same domain. This option is normally used on
computers that function only as a domain controller.
Purpose
Recovering through reinstallation is the only method by which a domain
controller that is not part of the backup set can be restored. Additionally,
this procedure may be chosen over a non-authoritative restore because of
the inaccessibility of the backup media or due to convenience.
Guidelines
This process assumes a complete reinstallation of the operating system. It
is recommended that prior to installing the operating system, the entire
system disk be formatted, which will remove all information on the system
disk. Ensure that any important or relevant data is moved or backed up
before performing these actions.
Recovering through reinstallation should not be a substitute for regular
backup routines, which are needed to ensure a successful recovery should
the need arise, as it depends on the presence of another domain controller
in the same domain.
Bandwidth is the primary consideration for recovering a domain controller
through reinstallation. The bandwidth required is directly proportional to
the size of the Active Directory database and the time in which the domain
controller is required to be in a functioning state. Ideally, the existing
functional domain controller should be located in the same Active
Directory site as the replicating domain controller (new domain controller)
in order to reduce network impact and the time the reinstallation takes to
complete.

Task: Recovering a domain controller through reinstallation

Procedure 1: Clean up metadata

Link to procedure.

Procedure 2: Install Windows Server 2003


It is assumed that a fresh installation of Windows Server 2003 will be
performed. This may be preceded by partition or format actions on your
hard disk drive in preparation for the install.

Procedure 3: Verify DNS registration and functionality


Link to procedure.

Procedure 4: Verify communication with other domain controllers


Link to procedure.

Procedure 5: Verify the availability of the operations masters


Link to procedure.

Procedure 6: Install Active Directory


During the installation process, replication occurs, ensuring that the
domain controller has an accurate and up-to-date copy of Active Directory.
Optionally, use the same information for this domain controller as the
domain controller it is replacing. Site placement, domain controller name,
and domain membership should remain the same. If you plan on installing
the domain controller under a different name, you may wish to also refer
to the process: “Installing a domain controller for an existing domain.”
Link to procedure.

Procedure 7: Verify Active Directory installation


Read and perform the procedures in “Task: Verify Active Directory
Installation.” Link to task.
Dependencies
Domain Administrator credentials
Technology Required
Dcpromo.exe or Backup

Quadrant: Changing | SMF: Release Management | Role Cluster: Release | As Needed

Process: Installing a domain controller for an existing domain
Description
This process covers the installation of Active Directory onto a Windows
Server 2003 system that will become a domain controller in an existing
Active Directory domain. For more information regarding the best
practices for planning, testing, and deploying Active Directory, refer to the
Windows Server 2003 Deployment Kit: Designing and Deploying Directory
and Security Services at
http://www.microsoft.com/downloads/details.aspx?familyid=6cde6ee7-
5df1-4394-92ed-2147c3a9ebbe&displaylang=en.
To ensure successful installation of a new domain controller, you should
verify that all critical services that Active Directory depends on are
configured following Microsoft best practices.
Active Directory is installed on a Windows Server 2003 server by running
the Active Directory Installation Wizard. The wizard simplifies the
promotion process by automating as much of the installation as possible.
To run the Active Directory Installation Wizard, you must be a member of
the Domain Administrators group.
Purpose
There are several motivations for adding a new domain controller.
Additional domain controllers may be required to support Active
Directory–integrated applications (as opposed to applications that merely
run on domain controllers), to meet increased capacity requirements, to
provide upgrades and fault tolerance, and to reduce failures. For more
information on criteria for deploying a new domain
controller and best practices for Active Directory, refer to the Windows
Server 2003 Deployment Kit: Designing and Deploying Directory and
Security Services.
Guidelines
Before you begin your installation, the following conditions must exist in
your environment:
● Your Active Directory forest root domain must already exist with at
least two properly functioning domain controllers.
● If you are installing a new domain controller for a child domain, there
should be at least two properly functioning domain controllers in the
forest root domain.
● DNS must be functioning properly.
● This guide assumes you are using Active Directory–integrated DNS
zones. You must configure at least one domain controller as a DNS
server.

Creating or removing a domain or forest is beyond the scope of this guide.

Task: Preparing for Active Directory installation


Properly preparing for the installation of Active Directory decreases the
chances of problems occurring during the installation process and helps
you quickly complete the operation. Preparation includes installing and
configuring DNS and gathering information that you need for the
installation.

Configure DNS
The DNS client is always present on a server on Windows Server 2003. You
should properly configure both the DNS client and the DNS server to
ensure that name resolution and related dependencies will function as
expected during the installation of Active Directory.
Ensure that any required configuration, forwarders, or zones are present
and accessible prior to installation. For more information about DNS
configuration best practices, see the Windows Server 2003 Deployment
Kit: Designing and Deploying Directory and Security Services at
http://www.microsoft.com/downloads/details.aspx?familyid=6cde6ee7-
5df1-4394-92ed-2147c3a9ebbe&displaylang=en.

Site Placement
During installation, the Active Directory Installation Wizard attempts to
place the new domain controller in the appropriate site. The appropriate
site is determined by the domain controller’s IP address and subnet mask.
The wizard uses the IP information to calculate the subnet address of the
domain controller and checks to see if a Subnet object exists in the
directory for that subnet address. If the Subnet object exists, the wizard
uses it to place the new Server object in the appropriate site. If not, the
wizard places the new Server object in the same site as the domain
controller that is being used as a source to replicate the directory
database to the new domain controller. Make sure the Subnet object has
been created for the desired site prior to running the wizard.
A site is allocated according to the following rules:
1. If you specify a site in the Unattended text file that is used to create
the new domain controller, the domain controller will be placed directly
into that site when it is built.
2. If no site is specified in the Unattended text file when the new domain
controller is built, then by default the domain controller will be placed
in a site based on its IP address.
3. If you specify a replica partner in the Unattended text file but do not
specify a site, the new domain controller should be placed in the
replica partner's site.
4. If the replica partner or site is not specified, then the allocation of the
site is random. It will depend on the replica partner selected for initial
replication.
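The subnet calculation and the four placement rules above, as an added example that is not part of the guide. The functions (ConvertTo-IPv4Number, Get-SubnetAddress, Get-ADSubnetTable, Get-SiteForNewDomainController) and the site and subnet names are my own; Get-ADSubnetTable reads the real Subnet objects under CN=Subnets,CN=Sites in the Configuration partition, while the table at the bottom is constructed so the logic can be exercised without a forest. Matching is longest prefix, which is how Active Directory resolves an address to a subnet and also covers the exact match the text describes. Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the guide): work out the subnet address the Active Directory
# Installation Wizard derives from a server's IP configuration and predict the site it will
# choose, following the rules above. Subnet-to-site data comes either from the forest's
# Configuration partition or from a constructed table. Assumes Windows PowerShell 3.0+.

function ConvertTo-IPv4Number([string]$Dotted) {
    # dotted quad -> 32-bit value held in an Int64, so bitwise operations never go negative
    $b = [System.Net.IPAddress]::Parse($Dotted).GetAddressBytes()
    [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function ConvertFrom-IPv4Number([int64]$Number) {
    '{0}.{1}.{2}.{3}' -f (($Number -shr 24) -band 255), (($Number -shr 16) -band 255),
                         (($Number -shr 8) -band 255), ($Number -band 255)
}

function Get-PrefixMask([int]$PrefixLength) {
    # /n -> network mask as an Int64
    [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $PrefixLength))
}

function Get-SubnetAddress([string]$IPAddress, [string]$SubnetMask) {
    # the 'a.b.c.d/n' name the wizard looks for among the Subnet objects
    $mask   = ConvertTo-IPv4Number $SubnetMask
    $net    = (ConvertTo-IPv4Number $IPAddress) -band $mask
    $prefix = @([Convert]::ToString($mask, 2).ToCharArray() | Where-Object { $_ -eq '1' }).Count
    '{0}/{1}' -f (ConvertFrom-IPv4Number $net), $prefix
}

function Get-ADSubnetTable {
    # Reads CN=Subnets,CN=Sites,CN=Configuration,... and returns @{ 'a.b.c.d/n' = 'SiteName' }
    $root = [ADSI]'LDAP://RootDSE'
    $s = New-Object System.DirectoryServices.DirectorySearcher(
            [ADSI]"LDAP://CN=Subnets,CN=Sites,$($root.configurationNamingContext)")
    $s.Filter = '(objectClass=subnet)'
    [void]$s.PropertiesToLoad.AddRange(@('cn', 'siteObject'))
    $table = @{}
    foreach ($r in $s.FindAll()) {
        if ($r.Properties['siteobject'].Count -gt 0) {   # subnets not yet assigned to a site are skipped
            $siteDn = [string]$r.Properties['siteobject'][0]
            $table[[string]$r.Properties['cn'][0]] = ($siteDn -split ',')[0] -replace '^CN=', ''
        }
    }
    $table
}

function Get-SiteForNewDomainController {
    param(
        [Parameter(Mandatory = $true)][string]$IPAddress,
        [Parameter(Mandatory = $true)][hashtable]$SubnetToSite,   # 'a.b.c.d/n' -> site name
        [string]$UnattendSiteName,                                 # SiteName= in the answer file
        [string]$ReplicationSourceSite                             # site of the named replica partner
    )
    # Rule 1: a site named in the answer file is used as given.
    if ($UnattendSiteName) { return $UnattendSiteName }
    # Rule 2: match the address against the Subnet objects; the most specific prefix wins.
    $ip = ConvertTo-IPv4Number $IPAddress
    $best = $null; $bestLen = -1
    foreach ($entry in $SubnetToSite.GetEnumerator()) {
        $net, $len = $entry.Key -split '/'
        $len = [int]$len
        if ((($ip -band (Get-PrefixMask $len)) -eq (ConvertTo-IPv4Number $net)) -and $len -gt $bestLen) {
            $best = $entry.Value; $bestLen = $len
        }
    }
    if ($best) { return $best }
    # Rule 3: no matching subnet, but a replica partner was named: the partner's site is used.
    if ($ReplicationSourceSite) { return $ReplicationSourceSite }
    # Rule 4: nothing to go on: the site depends on whichever partner the wizard selects.
    return '(undetermined: depends on the replication partner the wizard selects)'
}

# Constructed subnet table; on a live forest use: $table = Get-ADSubnetTable
$table = @{ '10.1.0.0/16' = 'Site-East'; '10.1.4.0/22' = 'Site-East-DC'; '192.168.0.0/24' = 'Site-West' }
Get-SubnetAddress -IPAddress '10.1.5.20' -SubnetMask '255.255.252.0'
Get-SiteForNewDomainController -IPAddress '10.1.5.20' -SubnetToSite $table
Get-SiteForNewDomainController -IPAddress '172.16.9.9' -SubnetToSite $table -ReplicationSourceSite 'Site-West'
```

Run Get-SubnetAddress with the new server's IP address and mask before starting the wizard; if the string it returns is not a key in the table Get-ADSubnetTable produces, the Subnet object the text says must exist has not been created, and the server will fall through to the replica partner's site.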

Domain Connectivity
During the installation process, the Active Directory Installation Wizard
needs to communicate with other domain controllers in order to join the
new domain controller to the domain. The wizard needs to communicate
with a member of the domain to receive the initial copy of the directory
database for the new domain controller. It communicates with the domain
naming master for domain installs only, so that the new domain controller
can be added to the domain. The wizard also needs to contact the relative
ID (RID) master so that the new domain controller can receive its RID pool,
and it needs to communicate with another domain controller in order to
populate the SYSVOL shared folder on the new domain controller. All of
this communication depends on proper DNS installation and configuration.
By using Netdiag.exe and Dcdiag.exe, you can test all of these
connections prior to starting the Active Directory Installation Wizard.

Required Information
The installation wizard asks for the following specific configuration
information before it begins installing Active Directory:
● A domain administrator’s user name and password
● Location to store the directory database and log files
● The password to use for Directory Services Restore Mode
● The fully qualified DNS name of the domain to which the new domain
controller will be added

Have this information ready before you run the Active Directory
Installation Wizard.

Procedure 1: Install the DNS Server service


Link to procedure.

Procedure 2: Gather the SYSVOL path installation information


Link to procedure.

Procedure 3: Verify DNS registration and functionality


Link to procedure.

Procedure 4: Verify that an IP address maps to a subnet and determine the site association
Link to procedure.

Procedure 5: Verify communication with other domain controllers


Link to procedure.

Procedure 6: Verify the availability of the operations masters


Link to procedure.

Caution If any of the verification tests fail, do not continue until you determine
what went wrong and fix the problems. If these tests fail, the installation is also
likely to fail.

Task: Install Active Directory


There are a number of elements to consider when installing Active
Directory on a new domain controller. This task addresses the general
requirements concerning the site placement, connectivity, and Active
Directory Installation Wizard.

The Active Directory Installation Wizard


After you have gathered all the information that you need to run the
Active Directory Installation Wizard and have performed the tests to verify
that all of the necessary domain controllers are available, you are ready to
install Active Directory on your server and turn it into a domain controller.
During the installation process, the wizard asks for information that it
needs in order to properly configure the new domain controller. First, it
asks if you want to install a domain controller in a new domain or an
additional domain controller in an existing domain. Because this guide
pertains to adding domain controllers to domains that already exist,
choose Additional domain controller in an existing domain.
During the installation process, the wizard needs to communicate with
other domain controllers in order to add this new domain controller to the
domain and get the appropriate information into the Active Directory
database. To maintain security, you must provide credentials that have
administrative access to the directory.

Procedure 1: Install Active Directory


Link to procedure.

Task: Install Active Directory from media


Installing Active Directory from media allows you to reduce the replication
traffic that is initiated during the installation of an additional domain
controller in an Active Directory domain, and thus reduces the time it
takes to install a replica domain controller.
This task has three procedures:
● Back up the system state of an existing domain controller in the same
domain as the new domain controller.
● Restore the system state to an alternate location locally on the new
domain controller.
● Promote the server to a domain controller using dcpromo /adv option.

Procedure 1: Back up system state


Link to procedure.

Procedure 2: Restore system state to an alternate location


Link to procedure.

Procedure 3: Promote server to domain controller


Link to procedure.

Task: Unattended install of Active Directory


Running an unattended install simplifies the process of setting up Active
Directory on multiple computers. The unattended install feature uses an
“answer file” to provide answers to the questions asked during a normal
setup. This allows the installation process to proceed from start to
completion without user intervention. This method works best when Active
Directory is being installed with identical options on many computers.

Procedure 1: Install and run Setup Manager to create an answer file (Unattend.txt)
Link to procedure.

Procedure 2: Run Active Directory automated install


● In the Run dialog box, type dcpromo /answer:<answerfile> (where
answerfile is the file created with Setup Manager), and click OK.
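An answer file built from the four items of required information listed earlier, as an added example that is not part of the guide; it also covers the install-from-media task above, since that is the same answer file with the ReplicateFromMedia and ReplicationSourcePath keys added. The [DCInstall] keys are the Windows Server 2003 dcpromo answer-file keys; the function names (New-DcpromoAnswerFile, Install-ReplicaDomainController), the paths and the domain and account names are my own constructed values. Windows PowerShell 3.0 or later on the server being promoted is assumed. The point worth seeing in code is that the file carries the domain administrator password and the Directory Services Restore Mode password in clear text, so it is written with a restrictive ACL and deleted as soon as dcpromo has run.

```powershell
# Added example (not from the guide): write a dcpromo answer file for an additional domain
# controller in an existing domain, protect it, run the unattended install and remove the file.
# [DCInstall] keys are the Windows Server 2003 dcpromo keys; paths and names are constructed.

function New-DcpromoAnswerFile {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$DomainDnsName,   # fully qualified DNS name of the domain
        [Parameter(Mandatory = $true)][string]$AdminUser,       # member of Domain Admins
        [Parameter(Mandatory = $true)][string]$AdminDomain,
        [Parameter(Mandatory = $true)][string]$AdminPassword,
        [Parameter(Mandatory = $true)][string]$DsrmPassword,    # Directory Services Restore Mode password
        [string]$SiteName,                                      # omit to let the wizard place the DC by IP
        [string]$ReplicationSourceDC,                           # omit to let the wizard choose a partner
        [string]$DatabasePath = 'D:\NTDS',                      # database and logs on separate disks,
        [string]$LogPath      = 'E:\NTDSLogs',                  # as the guide recommends (constructed)
        [string]$SysvolPath   = 'D:\SYSVOL',
        [string]$IfmSourcePath                                  # restored system state folder (install from media)
    )
    $lines = @(
        '[DCInstall]',
        'ReplicaOrNewDomain=Replica',
        "ReplicaDomainDNSName=$DomainDnsName",
        "UserName=$AdminUser",
        "UserDomain=$AdminDomain",
        "Password=$AdminPassword",
        "SafeModeAdminPassword=$DsrmPassword",
        "DatabasePath=$DatabasePath",
        "LogPath=$LogPath",
        "SYSVOLPath=$SysvolPath",
        'CriticalReplicationOnly=No',
        'RebootOnSuccess=No'
    )
    if ($SiteName)            { $lines += "SiteName=$SiteName" }
    if ($ReplicationSourceDC) { $lines += "ReplicationSourceDC=$ReplicationSourceDC" }
    if ($IfmSourcePath)       { $lines += 'ReplicateFromMedia=Yes', "ReplicationSourcePath=$IfmSourcePath" }

    Set-Content -Path $Path -Value $lines -Encoding ASCII
    # Two passwords sit in this file in clear text: drop inherited ACEs and grant only the caller.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')))
    Set-Acl -Path $Path -AclObject $acl
    return $Path
}

function Install-ReplicaDomainController {
    param([Parameter(Mandatory = $true)][string]$AnswerFile)
    try {
        $proc = Start-Process -FilePath 'dcpromo.exe' -ArgumentList "/answer:`"$AnswerFile`"" -Wait -PassThru
        Write-Host ("dcpromo exited with code {0}; review {1}\debug\dcpromo.log before restarting" -f
                    $proc.ExitCode, $env:SystemRoot)
    } finally {
        # RebootOnSuccess=No above lets us remove the passwords from disk before the restart.
        Remove-Item -Path $AnswerFile -Force -ErrorAction SilentlyContinue
    }
}

# Usage with constructed values (passwords are prompted for, never typed into the script):
# $f = New-DcpromoAnswerFile -Path 'C:\Temp\dcinstall.txt' -DomainDnsName 'corp.example.com' `
#        -AdminUser 'dcadmin' -AdminDomain 'CORP' -AdminPassword (Read-Host 'Admin password') `
#        -DsrmPassword (Read-Host 'DSRM password') -SiteName 'Site-East'
# Install-ReplicaDomainController -AnswerFile $f
```

Restart the server yourself once dcpromo.log shows the promotion completed; the file is gone by then, so the passwords never survive into the running domain controller's file system.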

Task: Verify Active Directory installation


There are several verification tasks that can be performed on a newly
promoted domain controller. Successfully completing the requirements of
each verification task will provide a strong indication of a healthy,
operational domain controller.

Procedure 1: Determine whether a Server object has Child objects
Link to procedure.

Procedure 2: Verify the site assignment for the domain controller


You must ensure that the new domain controller is located in the proper
site so that after the installation is complete, the new domain controller
can locate replication partners and become part of the replication
topology. If the site is not correct, you can use the Active Directory Sites
and Services snap-in to move the Server object for the domain controller
to the proper site after Active Directory installation is complete.

Note The last dialog box displayed by the Active Directory Installation Wizard lists
the site where the new domain controller is installed. If this is not the proper site,
you must move the Server object after the server is rebooted.

Link to procedure.

Procedure 3: Move a Server object to a different site if the domain controller is located in the wrong site
Link to procedure.

Procedure 4: Configure DNS server forwarders


Link to procedure.

Procedure 5: Verify DNS configuration


Link to procedure.

Procedure 6: Check the status of the shared SYSVOL


Link to procedure.

Procedure 7: Verify DNS registration and functionality


Link to procedure.

Procedure 8: Verify domain membership for the new domain controller
Link to procedure.

Procedure 9: Verify communication with other domain controllers


Link to procedure.

Procedure 10: Verify replication with other domain controllers


Link to procedure.

Procedure 11: Verify the availability of the operations masters


Link to procedure.
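The communication, replication and operations-master checks above map onto individual dcdiag tests; the following is an added example, not part of the guide, that runs them against a newly promoted domain controller and turns the output into pass/fail objects. The function names (ConvertFrom-DcdiagOutput, Test-DomainControllerHealth) and the sample dcdiag lines at the bottom are my own constructions; dcdiag.exe itself (Windows Server 2003 Support Tools, built in on later releases) and Windows PowerShell 3.0 or later are assumed.

```powershell
# Added example (not from the guide): run the dcdiag tests that back the verification
# procedures above and turn the output into pass/fail objects. Assumes Windows PowerShell 3.0+
# and dcdiag.exe (Windows Server 2003 Support Tools, or built in on later releases).

function ConvertFrom-DcdiagOutput {
    param([string[]]$Lines)
    # dcdiag closes each test with a line such as
    #   ......................... DC01 passed test Replications
    foreach ($line in $Lines) {
        if ($line -match '\.\s+(?<target>\S+)\s+(?<result>passed|failed)\s+test\s+(?<test>\S+)') {
            [pscustomobject]@{
                Target = $Matches['target']
                Test   = $Matches['test']
                Passed = ($Matches['result'] -eq 'passed')
            }
        }
    }
}

function Test-DomainControllerHealth {
    param(
        [string]$Server = $env:COMPUTERNAME,
        # one dcdiag test per verification procedure: DNS, replication, operations masters,
        # and SYSVOL / Netlogon advertising (Connectivity always runs and need not be named)
        [string[]]$Tests = @('DNS', 'Replications', 'KnowsOfRoleHolders', 'FsmoCheck',
                             'Advertising', 'NetLogons', 'SysVolCheck')
    )
    $argList = @("/s:$Server") + ($Tests | ForEach-Object { "/test:$_" })
    $raw     = & dcdiag.exe @argList 2>&1 | ForEach-Object { [string]$_ }
    $results = @(ConvertFrom-DcdiagOutput -Lines $raw)
    $failed  = @($results | Where-Object { -not $_.Passed })
    if ($failed.Count -gt 0) {
        Write-Warning ("dcdiag reported failures on {0}: {1}" -f $Server,
                       (($failed | ForEach-Object { $_.Test }) -join ', '))
    }
    return $results
}

# Offline demonstration on constructed dcdiag output (no domain controller required):
$sample = @(
    '   Testing server: Default-First-Site-Name\DC01',
    '      Starting test: Connectivity',
    '         ......................... DC01 passed test Connectivity',
    '      Starting test: Replications',
    '         [Replications Check,DC01] A recent replication attempt failed:',
    '         ......................... DC01 failed test Replications'
)
ConvertFrom-DcdiagOutput -Lines $sample | Format-Table -AutoSize
```

Any failed row is the "verification test fails" case the caution above refers to: the full dcdiag text for that test, not the summary line, says what to fix before the installation is considered complete.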
Dependencies
The following access levels are required:
● Domain user
● Domain admin

Technology Required
● Active Directory Sites and Services (administrative tools)
● DNS Manager
● Event Viewer
● Netdiag.exe
● Dcdiag.exe
● Ntdsutil.exe (system tool)

Quadrant: Changing | SMF: Change Management | Role Cluster: Release | As Needed

Process: Removing Active Directory


Description
A domain controller can be removed from a domain in one of two ways: by
removing Active Directory or by a system failure that renders the domain
controller inoperable so that you cannot restore it to service.
Purpose
A domain controller might need to be removed when:
● You no longer need the domain controller.
● The domain controller's connection to the rest of the network may not
be sufficient.
● The domain controller has suffered a hardware failure that will not be
quickly repaired.

Guidelines
Similarly to how you can install Active Directory to turn a Windows 2003–
based server into a domain controller, you can remove Active Directory to
turn a Windows 2003–based domain controller back into a server. This
process removes most of the references to the domain controller from the
directory. You must manually remove the Server object that represents
the domain controller from the computer container after you remove
Active Directory. This method properly removes the domain controller
from the directory.
A hardware failure on a domain controller can render it inoperable. If the
problem is severe enough, you might never be able to return the domain
controller to service. In this case, the other domain controllers eventually
reconfigure themselves so that they can continue to replicate directory
information without the failed domain controller.
When a domain controller is removed from the domain without removing
Active Directory, all the information about that domain controller remains
in the directory. You must take additional steps to remove this information
from the directory.

Task: Decommission the domain controller


Demoting a domain controller effectively removes all Active Directory and
related components and returns the domain controller to a member server
role.

Procedure 1: View the current operations master role holders


To avoid problems, transfer any operations master roles prior to running
the Active Directory Installation Wizard to decommission a domain
controller so that you can control the operations master role placement. If
you need to transfer any roles from a domain controller, understand all
the recommendations for role placement before performing the transfer.

Caution During the decommissioning process, the Active Directory Installation
Wizard will attempt to transfer any remaining operations master roles to other
domain controllers without any user interaction. However, if a failure occurs, the
wizard will continue to demote and leave your domain without roles. Also, you do
not have control over which domain controller receives the roles. The wizard
transfers the roles to any available domain controller and does not indicate which
domain controller hosts them.

Link to procedure.

Procedure 2: Transfer the forest-level operations master roles


This is required only if this domain controller hosts either the schema
master or domain naming master roles.
Link to procedure.

Procedure 3: Transfer the domain-level operations master roles


This is required only if this domain controller hosts the PDC emulator,
infrastructure master, or RID master.
Link to procedure.

Procedure 4: Determine whether a domain controller is a global catalog server
If you remove Active Directory from a domain controller that hosts a
global catalog, the Active Directory Installation Wizard confirms that you
want to continue with removing Active Directory. This confirmation
ensures that you are aware that you are removing a global catalog from
your environment. Do not remove the last global catalog server from your
environment because users cannot log on without an available global
catalog server. If you are not sure, do not proceed with removing Active
Directory until you know that at least one other global catalog server is
available.
Link to procedure.

Procedure 5: Verify DNS registration and functionality


Link to procedure.

Procedure 6: Verify communication with other domain controllers


During the removal of Active Directory, contact with other domain
controllers is required to ensure:
● Any unreplicated changes are replicated to another domain controller.
● Removal of the domain controller from the directory.
● Transfer of any remaining operations master roles.

If the domain controller cannot contact the other domain controllers
during Active Directory removal, the decommissioning operation fails. As
with the installation process, test the communication infrastructure prior
to running the installation wizard. When you remove Active Directory, use
the same connectivity tests that you used during the installation of Active
Directory.
Link to procedure.

Procedure 7: Verify the availability of the operations masters


Link to procedure.

Note If any of the verification tests fail, do not continue until you determine and fix
the problems. If these tests fail, the removal is also likely to fail.

Procedure 8: Remove Active Directory


Link to procedure.

Procedure 9: Determine whether a Server object has Child objects
Link to procedure.

Procedure 10: Delete a Server object from a site

Note The administrator may not want to remove the Server object if it hosts
something in addition to Active Directory—Microsoft Exchange, for example.

Link to procedure.

Task: Forced removal of a domain controller


Forced removal of a domain controller is only intended to be used as a last
resort for recovering a domain controller without requiring reinstallation of
the operating system.
It is not intended to replace the normal removal procedure in any way and
is virtually equivalent to permanently disconnecting the domain controller.
There is a considerable amount of metadata about a domain controller
stored within Active Directory. During a normal demotion, this metadata is
cleaned up. A forced removal assumes there is no connectivity to the
domain and does not attempt any cleanup.
Forced removal of a domain controller should always be followed by
cleaning up the associated metadata, thereby effectively removing all
references to the domain controller from the domain and forest.
Forced demotion should not be done on the last domain controller in a
domain.

Procedure 1: Identify replication partners


Link to procedure.

Procedure 2: Force domain controller removal


Link to procedure.

Procedure 3: Clean up metadata


Link to procedure.

Dependencies
None
Technology Required
None

Quadrant: Operating | SMF: System Administration | Role Cluster: Operations | As Needed

Process: Rename a domain controller


Description
The ability to rename domain controllers running Windows Server 2003
(unlike Windows 2000 Server) provides you with the flexibility to:
● Restructure your network for organizational and business needs.
● Make management and administrative control easier.

Although one can rename a domain controller through the System
Properties GUI (as with any other computer), Active Directory and DNS
replication latency may temporarily prevent clients from locating and/or
authenticating to the renamed domain controller. To eliminate this, it is
recommended that the Netdom command-line tool be used to rename a
domain controller.
Purpose
Renaming a domain controller is a common operation in many
organizations and usually occurs when:
● New hardware is purchased to replace an existing domain controller.
● Domain controllers are decommissioned, or promoted, and renamed to
maintain a naming convention.
● Movement or site placement of domain controllers.

Guidelines
It is important to note that domain controller names have a primary
impact on administration, rather than client access. Renaming a domain
controller is an optional exercise, and the impacts should be well-
understood prior to renaming.
You can rename a domain controller by using the GUI or the Netdom tool.
The domain functional level must be set to Windows Server 2003 for you
to be able to use the Netdom tool. In all other cases, you should use the
GUI.

Task: Rename using the System Properties user interface
Procedure 1: Use System Properties interface to change name
Link to procedure.

Procedure 2: Update the FRS Member object


Link to procedure.

Task: Rename using the Netdom command-line tool


The netdom command updates the service principal name (SPN)
attributes in Active Directory for the computer account and registers DNS
resource records for the new computer name. The SPN value of the
computer account must be replicated to all domain controllers in the
domain, and the DNS resource records for the new computer name must
be distributed to all the authoritative DNS servers for the domain name. If
the updates and registrations have not occurred prior to removing the old
computer name, then some clients may be unable to locate this computer
using the new or old name.

Procedure 1: Add the new domain controller name


Link to procedure.

Procedure 2: Designate the new name as the primary computer name
Prior to performing this operation, you must ensure that the SPN value has
been registered in Active Directory and the DNS records for the new
computer name have been registered in DNS.
Link to procedure.

Procedure 3: Remove the old domain controller name


Prior to performing this operation, you must ensure that the updated
dnsHostName attribute for the new computer name in the computer
account has been registered in Active Directory and that the SRV DNS
records have been registered in authoritative DNS servers.
Link to procedure.

Procedure 4: Update the FRS Member object


Link to procedure.
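The Netdom sequence of the four procedures above, with the two checks the text requires before Procedures 2 and 3 made explicit, as an added example that is not part of the guide. The function names, the polling logic and the names dc01.corp.example.com / dc01a.corp.example.com are my own constructions; netdom.exe, Windows PowerShell 3.0 or later, and a domain at the Windows Server 2003 functional level are assumed. The SPN check queries each domain controller's own replica of the computer account rather than whichever one the local resolver happens to return, which is the only way to know the value has replicated "to all domain controllers in the domain"; the DNS check, by contrast, consults only the resolver this host uses, as its comment says. The FRS Member object update (Procedure 4) is not scripted here.

```powershell
# Added example (not from the guide): rename a domain controller with Netdom in the order the
# guide describes, waiting for the new name to reach every domain controller and DNS before it
# is made primary, and for dNSHostName to be updated before the old name is removed.
# Assumes Windows PowerShell 3.0+, netdom.exe and the constructed names below.

$OldFqdn = 'dc01.corp.example.com'    # constructed
$NewFqdn = 'dc01a.corp.example.com'   # constructed

function Get-DomainControllerHosts {
    # dNSHostName of every domain controller in this domain (userAccountControl has SERVER_TRUST_ACCOUNT)
    $root = [ADSI]'LDAP://RootDSE'
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$($root.defaultNamingContext)")
    $s.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
    [void]$s.PropertiesToLoad.Add('dNSHostName')
    $s.FindAll() | ForEach-Object { [string]$_.Properties['dnshostname'][0] }
}

function Get-ComputerDn([string]$Fqdn) {
    # computer account DN, looked up by its current host name
    $root = [ADSI]'LDAP://RootDSE'
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$($root.defaultNamingContext)")
    $s.Filter = "(&(objectCategory=computer)(dNSHostName=$Fqdn))"
    [void]$s.PropertiesToLoad.Add('distinguishedName')
    $r = $s.FindOne()
    if (-not $r) { throw "No computer account with dNSHostName $Fqdn" }
    [string]$r.Properties['distinguishedname'][0]
}

function Get-DcsMissingSpn([string]$ComputerDn, [string]$Spn) {
    # Ask each domain controller for its own copy of the account; return those not yet holding the SPN.
    foreach ($dc in Get-DomainControllerHosts) {
        try {
            $obj = [ADSI]"LDAP://$dc/$ComputerDn"
            if (-not (@($obj.servicePrincipalName) -contains $Spn)) { $dc }
        } catch { "$dc (not reachable)" }
    }
}

function Test-NameInDns([string]$Fqdn) {
    # Checks only the resolver this host uses; query each authoritative server if you need certainty.
    try { [bool]([System.Net.Dns]::GetHostAddresses($Fqdn)) } catch { $false }
}

function Invoke-DcRenamePhase1 {
    & netdom.exe computername $OldFqdn /add:$NewFqdn                      # Procedure 1
    if ($LASTEXITCODE -ne 0) { throw 'netdom /add failed' }
    $dn = Get-ComputerDn $OldFqdn
    $deadline = (Get-Date).AddMinutes(60)
    do {
        $missing = @(Get-DcsMissingSpn $dn "HOST/$NewFqdn")
        $dnsOk   = Test-NameInDns $NewFqdn
        if ($missing.Count -eq 0 -and $dnsOk) { break }
        Write-Host ("Waiting: SPN missing on [{0}]; DNS resolves new name: {1}" -f ($missing -join ', '), $dnsOk)
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    if ($missing.Count -ne 0 -or -not $dnsOk) { throw 'New name has not replicated everywhere; not making it primary' }
    & netdom.exe computername $OldFqdn /makeprimary:$NewFqdn              # Procedure 2
    if ($LASTEXITCODE -ne 0) { throw 'netdom /makeprimary failed' }
    Write-Host 'Restart the domain controller, then run Invoke-DcRenamePhase2.'
}

function Invoke-DcRenamePhase2 {
    $dn = Get-ComputerDn $NewFqdn
    $stale = @(foreach ($dc in Get-DomainControllerHosts) {
        try {
            $obj = [ADSI]"LDAP://$dc/$dn"
            if ([string]$obj.dNSHostName -ne $NewFqdn) { $dc }
        } catch { "$dc (renamed object not yet present)" }
    })
    if ($stale.Count -ne 0) { throw "dNSHostName not yet updated on: $($stale -join ', ')" }
    & netdom.exe computername $NewFqdn /remove:$OldFqdn                   # Procedure 3
    if ($LASTEXITCODE -ne 0) { throw 'netdom /remove failed' }
}
```

The two phases are separate functions because the restart after /makeprimary ends the session; the second phase looks the account up by its new dNSHostName, since both the object's name and its sAMAccountName change with the restart.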
Dependencies
● Domain admin or Enterprise admin
● Windows Server 2003 functional level

Technology Required
● Netdom command-line tool
● System Properties tool

Quadrant: Optimizing | SMF: Availability Management | Role Cluster: Infrastructure | As Needed

Process: Manage the Active Directory database


Description
Active Directory is stored in the Ntds.dit database file. In addition to this
file, the directory uses log files, which store transactions prior to
committing them to the database file. For best performance, store the log
files and the database on separate hard drives.
The Active Directory database is a self-maintained system and requires no
daily maintenance, other than regular backup, during ordinary operation.
However, it may need to be managed if the following conditions occur:
● Low disk space
● Pending or current hardware failure
● A need to recover physical space following bulk deletion or removal of
the global catalog

Monitor free disk space on the partition or partitions that store the
directory database and logs. The following are the recommended
parameters for free space:
● Ntds.dit partition: The greater of 20 percent of the Ntds.dit file size or
500 megabytes (MB).
● Log file partition: The greater of 20 percent of the combined log files
size or 500 MB.
● Ntds.dit and logs on the same volume: The greater of 1 gigabyte (GB)
or 20 percent of the combined Ntds.dit and log files sizes.
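The three free-space rules as a monitoring check, as an added example that is not part of the guide. The function names are my own; the locations of Ntds.dit and the log directory are read from the DSA Database file and Database log files path values under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters (the real value names) unless passed in, and Windows PowerShell 3.0 or later on the domain controller is assumed. Get-RecommendedFreeSpace is pure arithmetic and can be tried with made-up sizes; Test-NtdsFreeSpace is the check you would schedule.

```powershell
# Added example (not from the guide): compare free space on the volumes holding Ntds.dit and
# the log files against the thresholds listed above. File locations are read from the NTDS
# Parameters registry key unless supplied. Assumes Windows PowerShell 3.0+ on the DC.

function Get-RecommendedFreeSpace {
    param([int64]$DatabaseSize, [int64]$LogSize, [bool]$SameVolume)
    if ($SameVolume) {
        # Ntds.dit and logs share a volume: the greater of 1 GB or 20 percent of their combined size
        return @{ Combined = [math]::Max([int64]1GB, [int64](0.2 * ($DatabaseSize + $LogSize))) }
    }
    # separate volumes: each needs the greater of 500 MB or 20 percent of what it holds
    return @{
        Database = [math]::Max([int64]500MB, [int64](0.2 * $DatabaseSize))
        Logs     = [math]::Max([int64]500MB, [int64](0.2 * $LogSize))
    }
}

function Get-VolumeFreeBytes([string]$Path) {
    $drive = [System.IO.Path]::GetPathRoot($Path).TrimEnd('\')   # 'D:\' -> 'D:'
    [int64](Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$drive'").FreeSpace
}

function Test-NtdsFreeSpace {
    param([string]$DatabaseFile, [string]$LogDirectory)
    if (-not $DatabaseFile -or -not $LogDirectory) {
        $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        if (-not $DatabaseFile) { $DatabaseFile = $p.'DSA Database file' }
        if (-not $LogDirectory) { $LogDirectory = $p.'Database log files path' }
    }
    $dbSize  = (Get-Item -Path $DatabaseFile).Length
    $logSize = [int64](Get-ChildItem -Path $LogDirectory -Filter '*.log' |
                       Measure-Object -Property Length -Sum).Sum
    $dbRoot  = [System.IO.Path]::GetPathRoot($DatabaseFile)
    $logRoot = [System.IO.Path]::GetPathRoot($LogDirectory)
    $same    = ($dbRoot -eq $logRoot)
    $need    = Get-RecommendedFreeSpace -DatabaseSize $dbSize -LogSize $logSize -SameVolume $same

    $checks = New-Object System.Collections.ArrayList
    if ($same) {
        [void]$checks.Add(@{ Volume = $dbRoot;  Holds = 'Ntds.dit and logs'; Required = $need.Combined })
    } else {
        [void]$checks.Add(@{ Volume = $dbRoot;  Holds = 'Ntds.dit';          Required = $need.Database })
        [void]$checks.Add(@{ Volume = $logRoot; Holds = 'logs';              Required = $need.Logs })
    }
    foreach ($c in $checks) {
        $free = Get-VolumeFreeBytes $c.Volume
        [pscustomobject]@{
            Volume     = $c.Volume
            Holds      = $c.Holds
            FreeMB     = [int]($free / 1MB)
            RequiredMB = [int]($c.Required / 1MB)
            OK         = ($free -ge $c.Required)
        }
    }
}

# Constructed sizes, no domain controller needed: a 6 GB database with 200 MB of logs
Get-RecommendedFreeSpace -DatabaseSize 6GB -LogSize 200MB -SameVolume $false
Get-RecommendedFreeSpace -DatabaseSize 6GB -LogSize 200MB -SameVolume $true
# On a domain controller:
# Test-NtdsFreeSpace | Format-Table -AutoSize
```

A row with OK set to False is the "low disk space" condition the task below responds to; because only *.log files are summed, the reserve and checkpoint files in the log directory are deliberately left out of the 20 percent calculation.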

Purpose
During ordinary operation, the customer will delete objects from Active
Directory. When an object is deleted, it results in white space (or unused
space) being created in the database. On a regular basis, the database
will consolidate this white space through a process called
defragmentation, and this white space will be reused when new objects
are added (without adding any size to the file itself). This automatic online
defragmentation redistributes and retains white space for use by the
database, but does not release it to the file system. Therefore, the
database size does not shrink, even though objects might be deleted. In
cases where the data is decreased significantly, such as when the global
catalog is removed from a domain controller, white space is not
automatically returned to the file system. Although this condition does not
affect database operation, it does result in large amounts of white space
in the database. You can use offline defragmentation to decrease the size
of the database file by returning white space from the database file to the
file system.
Managing the Active Directory database also allows you to upgrade or
replace the disk on which the database or log files are stored or to move
the files to a different location, either permanently or temporarily.
Guidelines
Prior to performing any procedures that affect the directory database, be
sure that you have a current system state backup. For information about
performing system state backup, see “Back up Active Directory” earlier in
this guide.
To manage the database file itself, you must take the domain controller
offline by restarting in Directory Services Restore Mode, and then use
Ntdsutil.exe to manage the file.

Note NTFS disk compression is not supported for the database and log files.

Task: Relocate Active Directory database files


The following conditions require moving database files:
● Hardware maintenance: If the physical disk on which the database or
log files are stored requires upgrading or maintenance, the database
files must be moved, either temporarily or permanently.
● Low disk space: When free disk space is low on the logical drive that
stores the database file (Ntds.dit), the log files, or both, first verify that
no other files are causing the problem. If the database file or log files
are the cause of the growth, then provide more disk space by taking
one of the following actions:
● Expand the partition on the disk that currently stores the database
file, the log files, or both. This procedure does not change the path
to the files and does not require updating the registry.
● Use Ntdsutil.exe to move the database file, the log files, or both to
a larger existing partition. If you are not using Ntdsutil.exe when
moving files to a different partition, you will need to manually
update the registry.

Guidelines
If the path to the database file or log files will change as a result of moving
the files, be sure that you:
● Use Ntdsutil.exe to move the files (rather than copying them) so that
the registry is updated with the new path. Even if you are moving the
files only temporarily, use Ntdsutil.exe to move files locally so that the
registry remains current.
● Perform a system state backup as soon as the move is complete so
that the restore procedure uses the correct path.
● Verify that the correct permissions are applied on the destination
folder following the move. Revise permissions to those that are
required to protect the database files, if needed.
If you replace or reconfigure a drive that stores the SYSVOL folder, you
must first move the SYSVOL folder manually. For information about
moving SYSVOL manually, see “Managing the SYSVOL” later in this guide.

Use the following procedures to move or copy the database file, the log
files, or both. Procedures are explained in detail in the linked topics.

Note The domain controller will not be available during the time in which files are
moved and the move is verified. Ensure that alternate domain controllers are
available to handle the capacity.

Procedure 1: Determine the location and size of the directory database files
Use the database size to prepare a destination location of the appropriate
size. Track the respective file sizes during the move to ensure that you
successfully move the correct files.

Link to procedure.

Procedure 2: Compare the size of the directory database files to the volume size
Before moving any files in response to low disk space, verify that no other
files on the volume are responsible for the condition of low disk space.
Link to procedure.
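The checks in Procedures 1 and 2 (where the database and log files are, how large they are, and whether they or other files are consuming the volume), as an added PowerShell example that is not part of the guide. It reads the NTDS Parameters registry values Windows maintains and changes nothing; the 1.5x headroom factor used for the destination check is an assumption.

```powershell
# Added example (not from the guide): size Ntds.dit and its logs before a move and
# show how much of each volume they account for versus other files.
# Run in an elevated session on the domain controller.

$ntdsParameters = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-DirectoryDatabaseUsage {
    $params       = Get-ItemProperty -Path $ntdsParameters
    $databaseFile = $params.'DSA Database file'        # full path to Ntds.dit
    $logDirectory = $params.'Database log files path'  # folder holding edb*.log

    $dbBytes  = (Get-Item -LiteralPath $databaseFile).Length
    $logBytes = (Get-ChildItem -LiteralPath $logDirectory -Filter '*.log' |
                 Measure-Object -Property Length -Sum).Sum
    if ($null -eq $logBytes) { $logBytes = 0 }

    # One summary row per volume that holds database or log files.
    $roots = @($databaseFile, $logDirectory) |
        ForEach-Object { [System.IO.Path]::GetPathRoot($_).TrimEnd('\') } |
        Sort-Object -Unique
    $volumes = foreach ($root in $roots) {
        $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$root'"
        $usedBytes = $disk.Size - $disk.FreeSpace
        # Bytes on this volume that belong to the database and/or the logs.
        $adBytes = 0
        if ($databaseFile.StartsWith($root, 'OrdinalIgnoreCase')) { $adBytes += $dbBytes }
        if ($logDirectory.StartsWith($root, 'OrdinalIgnoreCase')) { $adBytes += $logBytes }
        [pscustomobject]@{
            Volume       = $root
            FreeMB       = [math]::Round($disk.FreeSpace / 1MB)
            UsedMB       = [math]::Round($usedBytes / 1MB)
            ActiveDirMB  = [math]::Round($adBytes / 1MB)
            OtherFilesMB = [math]::Round(($usedBytes - $adBytes) / 1MB)  # Procedure 2 check
        }
    }

    [pscustomobject]@{
        DatabaseFile = $databaseFile
        DatabaseMB   = [math]::Round($dbBytes / 1MB, 1)
        LogDirectory = $logDirectory
        LogFilesMB   = [math]::Round($logBytes / 1MB, 1)
        Volumes      = $volumes
    }
}

# Destination check: is there room for the files plus headroom (assumed factor 1.5)?
function Test-DestinationSpace {
    param([Parameter(Mandatory)][string]$Destination, [double]$HeadroomFactor = 1.5)
    $usage       = Get-DirectoryDatabaseUsage
    $neededBytes = ($usage.DatabaseMB + $usage.LogFilesMB) * 1MB * $HeadroomFactor
    $root        = [System.IO.Path]::GetPathRoot($Destination).TrimEnd('\')
    $disk        = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$root'"
    [pscustomobject]@{
        Destination = $Destination
        NeededMB    = [math]::Round($neededBytes / 1MB)
        FreeMB      = [math]::Round($disk.FreeSpace / 1MB)
        Sufficient  = ($disk.FreeSpace -ge $neededBytes)
    }
}

$usage = Get-DirectoryDatabaseUsage
$usage | Format-List DatabaseFile, DatabaseMB, LogDirectory, LogFilesMB
$usage.Volumes | Format-Table -AutoSize
# Test-DestinationSpace -Destination 'E:\NTDS'   # placeholder destination path
```

Record the DatabaseMB and LogFilesMB values before and after the move so that you can confirm the correct files were moved.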

Procedure 3: Back up system state


System state includes the database file and log files as well as SYSVOL
and Net Logon shared folders, among other things. Always ensure that you
have a current backup prior to moving database files.
Link to procedure.

Procedure 4: Restart the domain controller in Directory Services Restore Mode
If you are logged on to the domain controller console, locally restart the
domain controller in Directory Services Restore Mode.

Link to procedure.

Procedure 5: Move the database file, the log files, or both


Link to procedure.

Procedure 6: Back up system state


Link to procedure.

Task: Returning unused disk space from the Active Directory database to the file system
During ordinary operation, the white space in the Active Directory
database file becomes fragmented. Each time garbage collection runs
(every 12 hours by default), white space is automatically defragmented
online to optimize its use within the database file. The unused disk space
is thereby maintained for the database; it is not returned to the file
system.
Only offline defragmentation can return unused disk space from the
directory database to the file system. When database contents have
decreased considerably through a bulk deletion (for example, you remove
the global catalog from a domain controller), or if the size of the database
backup is significantly increased due to the white space, use offline
defragmentation to reduce the size of the Ntds.dit file.
You can determine how much free disk space is recoverable from the
Ntds.dit file by setting the garbage collection logging level in the registry.
Changing the garbage collection logging level from the default value of 0
to a value of 1 results in event ID 1646 being logged in the directory
service log. This event describes the total amount of disk space used by
the database file as well as the amount of free disk space that is
recoverable from the Ntds.dit file through offline defragmentation.
At garbage collection logging level 0, only critical events and error events
are logged in the directory service log. At level 1, high-level events are
logged as well. Events can include one message for each major task that
is performed by the service. At level 1, the following events are logged for
garbage collection:
● Event IDs 700 and 701: report when online defragmentation begins
and ends, respectively.
● Event ID 1646: reports the amount of free space available in the
database out of the amount of allocated space.

Caution Setting the value of entries in the Diagnostics subkey to greater than 3
can degrade server performance and is not recommended.

Following offline defragmentation, perform a database integrity check. The
integrity command in Ntdsutil.exe detects binary-level database
corruption by reading every byte in the database file. The process ensures
that the correct headers exist in the database itself and that all of the
tables are functioning and consistent. Therefore, depending upon the size
of your Ntds.dit file and the domain controller hardware, the process might
take considerable time. In testing environments, the speed of 2 GB per
hour is considered to be typical. When you run the command, an online
graph displays the percentage completed.
Use the following procedures to perform offline defragmentation.
Procedures are explained in detail in the linked topics.

Procedure 1: Change the garbage collection logging level to 1


Check the directory service event log for event ID 1646, which reports the
amount of disk space that you can recover by performing offline
defragmentation.
Link to procedure.
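Procedure 1 and the event 1646 check above, as an added PowerShell example that is not part of the guide. It sets the garbage collection logging level and parses the two figures that event 1646 reports; the Diagnostics value name "6 Garbage Collection" is the NTDS entry for garbage collection logging, and the message wording matched by the regular expressions is assumed from the event text.

```powershell
# Added example (not from the guide): raise garbage collection logging to 1 and read
# how much space offline defragmentation could recover from event ID 1646.
# Run in an elevated session on the domain controller.

$diagnosticsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$gcValueName    = '6 Garbage Collection'

function Get-GarbageCollectionLoggingLevel {
    (Get-ItemProperty -Path $diagnosticsKey -Name $gcValueName).$gcValueName
}

function Set-GarbageCollectionLoggingLevel {
    # The guide cautions that Diagnostics values above 3 can degrade performance,
    # so the parameter refuses anything higher; level 1 is all that event 1646 needs.
    param([Parameter(Mandatory)][ValidateRange(0, 3)][int]$Level)
    Set-ItemProperty -Path $diagnosticsKey -Name $gcValueName -Value $Level -Type DWord
}

# Parse the free and total allocated space (MB) from the text of an event 1646.
# Assumed wording: "Free hard disk space (megabytes): N ... Total allocated hard
# disk space (megabytes): N".
function ConvertFrom-Event1646Message {
    param([Parameter(Mandatory)][string]$Message)
    $free  = [regex]::Match($Message, 'Free hard disk space \(megabytes\):\s*(\d+)')
    $total = [regex]::Match($Message, 'Total allocated hard disk space \(megabytes\):\s*(\d+)')
    if (-not ($free.Success -and $total.Success)) { return $null }
    $freeMB  = [int]$free.Groups[1].Value
    $totalMB = [int]$total.Groups[1].Value
    [pscustomobject]@{
        FreeMB             = $freeMB
        TotalMB            = $totalMB
        RecoverablePercent = if ($totalMB -gt 0) { [math]::Round(100 * $freeMB / $totalMB, 1) } else { 0 }
    }
}

# Read the most recent 1646 from the Directory Service log. The event is written by
# the next garbage collection pass (every 12 hours by default), so it may not exist yet.
function Get-RecoverableDatabaseSpace {
    $event = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1646 } `
                          -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($null -eq $event) { return $null }
    $parsed = ConvertFrom-Event1646Message -Message $event.Message
    if ($parsed) {
        $parsed | Add-Member -NotePropertyName LoggedAt -NotePropertyValue $event.TimeCreated -PassThru
    }
}

# Constructed sample message (not a real log line) to exercise the parser offline.
$sample = 'Internal event: The Active Directory database has the following amount of ' +
          'free hard disk space remaining. Free hard disk space (megabytes): 412 ' +
          'Total allocated hard disk space (megabytes): 1540'
ConvertFrom-Event1646Message -Message $sample

Set-GarbageCollectionLoggingLevel -Level 1
Get-RecoverableDatabaseSpace
```

Return the logging level to 0 once you have the figure you need, since level 1 adds an event for every major task the service performs.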
Procedure 2: Back up system state


System state includes the database file and database log files as well as
SYSVOL, Net Logon, and the registry, among other things. Always ensure
that a current backup exists prior to defragmenting database files.
Link to procedure.

Procedure 3: Take the domain controller offline


Use one of the following procedures:
● If you are logged on to the domain controller locally, restart the
domain controller in Directory Services Restore Mode.
● If you are using Terminal Services for remote administration, you can
remotely restart the domain controller in Directory Services Restore
Mode after modifying the Boot.ini file on the remote server.

Link to procedure.

Procedure 4: Compact the directory database file (offline defragmentation)
As part of the offline defragmentation procedure, check directory
database integrity.
Link to procedure.

Procedure 5: If database integrity check fails, perform semantic database analysis with fixup
Link to procedure.
Operating Quadrant | System Administration SMF | Infrastructure Role Cluster | Frequency

Process: Managing the SYSVOL


Description
The Windows Server 2003 System Volume (SYSVOL) is a collection of
folders and reparse points in the file systems that exist on each domain
controller in a domain. SYSVOL provides a standard location to store
important elements of Group Policy objects (GPOs) and scripts so that the
File Replication service (FRS) can distribute them to other domain
controllers within that domain.

Note Only the Group Policy template (GPT) is replicated by SYSVOL. The Group
Policy container (GPC) is replicated through Active Directory replication. To be
effective, both parts must be available on a domain controller.

FRS monitors SYSVOL and, if a change occurs to any file stored on
SYSVOL, then FRS automatically replicates the changed file to the SYSVOL
folders on the other domain controllers in the domain.
The day-to-day operation of SYSVOL is an automated process that does
not require any human intervention other than watching for alerts from
the monitoring system. Occasionally, you might perform some system
maintenance as you change your network.
Purpose
This process describes the basic tasks required for managing SYSVOL in
order to maintain capacity and performance of SYSVOL, for hardware
maintenance, or for data organization.
Guidelines
To manage SYSVOL, ensure that FRS properly replicates the SYSVOL data
and that enough space is provided to store SYSVOL. Implement a
monitoring system to detect low disk space and potential FRS disruptions
so that you can address those issues before the system stops replicating.
A useful tool for this is the Ultrasound utility, which can be downloaded
from www.microsoft.com, by searching for Ultrasound.
Some key considerations for managing SYSVOL are:
● Capacity.
Depending upon the configuration of your domain, SYSVOL can require
a significant amount of disk space to function properly. During the
initial deployment, SYSVOL might be allocated adequate disk space to
function. However, as your Active Directory grows in size and
complexity, the required capacity can exceed the available disk space.
If you receive indications that disk space is low, determine if the cause
is due to inadequate physical space on the disk or a registry setting
that limits the size of the staging area. By modifying a setting in the
registry, you can allocate more staging area space, rather than
relocating SYSVOL or the staging area. Increasing the space allocation
in the registry is much faster and easier than relocation.
● Performance.
Any changes made to SYSVOL are automatically replicated to the other
domain controllers in the domain. If the files stored in SYSVOL change
frequently, the replication increases the input and output for the
volume where SYSVOL is located. For example, editing a GPO can
potentially force a GPO-level replication. If the volume is also host to
other system files, such as the directory database or the pagefile, then
the increased input and output for the volume can impact the
performance of the server.
● Hardware maintenance.
System maintenance, such as removal of a disk drive, can require you
to relocate SYSVOL. Even if the maintenance occurs on a different disk
drive, verify that the maintenance does not affect the system volume.
Logical drive letters could change after you add and remove disks. FRS
locates SYSVOL by using pointers stored in the directory and the
registry. If drive letters change after you add or remove disk drives, be
aware that these pointers are not automatically updated.
● Backing up Group Policy objects (GPOs).
The successful operation of Group Policy is heavily dependent on the
reliable operation of SYSVOL. Key components of the GPO exist in the
SYSVOL (in the policies subdirectory) and it is essential that these
remain in sync with related components in Active Directory. Therefore,
backing up only the SYSVOL component does not represent a full and
complete backup of your GPOs. The Group Policy Management Console
(GPMC) provides both UI-based and scriptable methods for backing up
GPOs. It is important that you back up GPOs as part of your regular
backup/disaster recovery processes. Soon after installation of a new
domain, the default domain and default domain controllers' GPOs
should be backed up. They should also be backed up after any
subsequent changes are made.
Task: Changing the space allocated to the staging area


The staging area stores files prior to being replicated and stores files that
it has just received through replication. Although FRS compresses the data
and attributes of the replicated files to save space in the Staging Area
folder and reduce the time that is needed to replicate the files, this
method requires making and storing a copy of every file prior to
replication and can require a substantial amount of disk space.
The default size of the staging area is 660 megabytes (MB). The minimum
size is 10 MB and the maximum size is 2 terabytes. You can adjust the size
limit of the Staging Folder by setting the value in kilobytes (KB) of the
Staging Space Limit registry entry in
HKEY_Local_Machine\System\CurrentControlSet\Services\NtFrs\Parameters.
For more information about setting the Staging Space Limit in the
registry, see KB article 329491 in the Microsoft Knowledge Base.

Procedure 1: Stop the File Replication service


Link to procedure.

Procedure 2: Change the space allocated to the Staging Area folder
Link to procedure.

Procedure 3: Start the File Replication service


Link to procedure.
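Procedures 1 to 3 of this task, as an added PowerShell example that is not part of the guide. It reads the Staging Space Limit entry (kilobytes), enforces the 10 MB to 2 TB range the guide gives, and stops and restarts the File Replication service around the change; the example size in the commented call is a placeholder.

```powershell
# Added example (not from the guide): inspect and change the FRS staging space limit.
# Run in an elevated session on the domain controller whose staging area is too small.

$frsParameters = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$valueName     = 'Staging Space Limit'   # REG_DWORD, in kilobytes
$defaultKB     = [long](660MB / 1KB)     # 660 MB default when the entry is absent
$minKB         = [long](10MB / 1KB)      # 10 MB minimum
$maxKB         = [long](2TB / 1KB)       # 2 TB maximum (2^31 KB, still fits a DWORD)

function Get-FrsStagingSpaceLimit {
    $entry = Get-ItemProperty -Path $frsParameters -Name $valueName -ErrorAction SilentlyContinue
    # Get-ItemProperty returns DWORDs as Int32, so values above 0x7FFFFFFF come back
    # negative; mask to recover the unsigned kilobyte count.
    $kb = if ($null -ne $entry) { [uint32]($entry.$valueName -band 0xFFFFFFFF) } else { $defaultKB }
    [pscustomobject]@{
        KB        = $kb
        MB        = [math]::Round($kb / 1024)
        IsDefault = ($null -eq $entry)
    }
}

function Set-FrsStagingSpaceLimit {
    param([Parameter(Mandatory)][long]$SizeMB)
    $kb = $SizeMB * 1024
    if ($kb -lt $minKB -or $kb -gt $maxKB) {
        throw "Staging space limit must be between 10 MB and 2 TB; got $SizeMB MB."
    }
    # Values above 0x7FFFFFFF must be written as their signed 32-bit representation.
    $dword = [BitConverter]::ToInt32([BitConverter]::GetBytes([uint32]$kb), 0)

    Stop-Service -Name NtFrs -Force                        # Procedure 1
    try {
        Set-ItemProperty -Path $frsParameters -Name $valueName -Value $dword -Type DWord  # Procedure 2
    } finally {
        Start-Service -Name NtFrs                          # Procedure 3: FRS reads the new limit on start
    }
    Get-FrsStagingSpaceLimit
}

Get-FrsStagingSpaceLimit
# Set-FrsStagingSpaceLimit -SizeMB 2048   # placeholder size
```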

Task: Relocate the staging area


By default, the Active Directory Installation Wizard installs the Staging
Area folder within the SYSVOL. The Active Directory Installation Wizard
creates two folders—Staging and Staging Area—which FRS uses for the
staging process. When you relocate the staging area, you can change the
name. Ensure that you identify the proper area in case it is renamed in
your environment.
Two parameters determine the location of the staging area. One
parameter, fRSStagingPath, is stored in the directory and contains the
path to the actual location that FRS uses to stage files. The other
parameter is a junction point stored in the Staging Area folder in SYSVOL
that links to the actual location that FRS uses to stage files. When
relocating the staging area, you must update these two parameters to
point to the new location.

Except where noted, perform these procedures on the domain controller
that contains the Staging Area folder that you want to relocate.
Procedures are explained in detail in the linked topics.

Procedure 1: Identify replication partners


Link to procedure.
Procedure 2: Check the status of the shared SYSVOL


You do not need to perform the test on every partner, but you need to
perform enough tests to be confident that the shared system volumes on
the partners are healthy.
Link to procedure.

Procedure 3: Verify replication with other domain controllers


Link to procedure.

Procedure 4: Gather the SYSVOL path information


Link to procedure.

Procedure 5: Reset the File Replication Service Staging folder to a different logical drive
Link to procedure.

Task: Relocating SYSVOL manually


If you must move the entire system volume, not just the Staging Area
folder, then you can relocate the system volume manually. Because no
utilities can automate this process, you must carefully move all folders
and properly maintain the same level of security at the new location.
You can also move SYSVOL with the Active Directory wizard, but this
requires that you demote the domain controller and then re-promote it.
This should only be considered in extreme cases, and only when the
domain controller is not running any other services or applications.
Except where noted, perform these steps on the domain controller that
contains the system volume that you want to move. Procedures are
explained in detail in the linked topics.

Warning This procedure can alter security settings. After you complete the
procedure, the security settings on the new system volume are reset to the default
settings that were established when you installed Active Directory. You must
reapply any changes to the security settings on the system volume that you made
since you installed Active Directory. This will cause additional replication traffic.
Note that failure to reset permissions can result in unauthorized access to Group
Policy objects and logon and logoff scripts.

Procedure 1: Identify replication partners


Link to procedure.

Procedure 2: Check the status of the shared SYSVOL


You do not need to perform the test on every partner, but you need to
perform enough tests to be confident that the shared system volumes on
the partners are healthy.
Link to procedure.
Procedure 3: Verify replication with other domain controllers


Link to procedure.

Procedure 4: Gather the SYSVOL path information


Link to procedure.

Procedure 5: Stop the File Replication service


Link to procedure.

Procedure 6: Create the SYSVOL folder structure


Link to procedure.

Procedure 7: Set the SYSVOL path


Link to procedure.

Procedure 8: Set the staging area path


If you have moved the Staging Area folder to a different location already,
you do not need to do this step.
Link to procedure.

Procedure 9: Prepare a domain controller for non-authoritative SYSVOL restore
Link to procedure.

Procedure 10: Update security on the new SYSVOL


Link to procedure.

Procedure 11: Start the File Replication service


Link to procedure.

Procedure 12: Check the status of the shared SYSVOL


Link to procedure.
Task: Updating the system volume path


When you add or remove disk drives, the logical drive letters of the other
drives on the system can change. If either your SYSVOL or Staging Area
folder is located on one of the drives whose letter changes, FRS cannot
locate them. You must update the paths that FRS uses to locate these
folders in order to solve this problem. To change the path for the system
volume, you need to make changes to the registry and in the directory.
Changing the staging area path requires a change in the directory. Both
changes require that you update the junction points. After updating the
path information, you must restart File Replication service so it can
reinitialize with the new values.
Use the following procedures to update the paths that FRS uses to locate
the SYSVOL and Staging Area folders. Procedures are explained in detail in
the linked topics.

Procedure 1: Gather the SYSVOL path information


Link to procedure.

Procedure 2: Stop the File Replication service


Link to procedure.

Procedure 3: Set the SYSVOL path


Link to procedure.

Procedure 4: Set the staging area path


Link to procedure.

Procedure 5: Start the File Replication service


Link to procedure.

Task: Restoring and rebuilding SYSVOL


If your efforts to move SYSVOL or perform certain maintenance tasks fail,
you must recreate or rebuild the SYSVOL on a single domain controller.
Attempt to rebuild SYSVOL on a single domain controller only when all
other domain controllers in the domain have a healthy and functioning
SYSVOL. Do not attempt to rebuild SYSVOL until you correct any problems
that are occurring with FRS in a domain.
Use these procedures only if you are working on a domain controller that
does not have a functional SYSVOL. Procedures are explained in detail in
the linked topics.

Procedure 1: Identify replication partners


Link to procedure.
Procedure 2: Check the status of the shared SYSVOL


Because you will be copying the system volume from one of the partners,
you need to make sure that the system volume you copy from the partner
is up to date.
Link to procedure.

Procedure 3: Verify replication with other domain controllers


Link to procedure.

Procedure 4: Restart the domain controller in Directory Services Restore Mode
If you are sitting at the console of the domain controller, locally restart a
domain controller in Directory Services Restore Mode. If you are accessing
the domain controller remotely using Terminal Services, remotely restart a
domain controller in Directory Services Restore Mode.
Link to procedure.

Procedure 5: Gather the SYSVOL path information


Link to procedure.

Procedure 6: Stop the File Replication service


Link to procedure.

Procedure 7: Prepare a domain controller for non-authoritative SYSVOL restore
Link to procedure.

Procedure 8: Import the SYSVOL folder structure


Link to procedure.

Procedure 9: Start the File Replication service


Link to procedure.

Procedure 10: Check the status of the shared SYSVOL


Link to procedure.
Dependencies
Active Directory needs to be installed and running.
Technology Required
Ultrasound for monitoring
Optimizing Quadrant | Availability Management SMF | Infrastructure Role Cluster | As Needed

Process: Manage the Windows Time service


Description
The Windows 2003 Time service (W32Time) requires little management
and is installed on all Windows Server 2003–based systems. By default,
only domain controllers are configured to provide time to clients.
W32Time uses coordinated universal time (UTC) during synchronization
activities. UTC is based on an atomic time scale and is independent of
time zone.
Purpose
Managing the Windows Time service is required to:
● Change the forest-root PDC emulator.
● Move time authority from forest-root PDC emulator to another
computer.
● Change the external time source.
● Switch to another time synchronization product.
● Increase or decrease the rate of synchronization to achieve the best
compromise between bandwidth use and precision for a particular
implementation.
Guidelines
Manually specified time sources are not authenticated and, therefore, can
enable an attacker to manipulate the time source and then start Kerberos
V5 replay attacks. Also, a computer that does not synchronize with its
domain controller can have an unsynchronized time. This causes Kerberos
V5 authentication to fail, which in turn causes other actions requiring
network authentication, such as printing or file sharing, to fail. When only
one computer in the forest root domain is getting time from an external
source, all computers within the forest remain synchronized to each other,
making replay attacks difficult.
Because of the risks of unsynchronized time, and the multitude of services
that depend on synchronized time, it is important that you appropriately
manage and configure the Windows Time service to meet your operational
requirements for time synchronization.

Caution You should not advance or roll back the system time on Windows 2003–
based servers under any circumstances.

Time Configuration on the Forest-Root PDC Emulator


The Windows Time service employs a hierarchical synchronization
structure that is rooted in the PDC emulator in the forest root domain. This
system ultimately represents the authoritative time for all systems in the
forest.
Always closely monitor the forest-root PDC emulator to ensure that its
time is accurate relative to its source.
Follow these best practices for configuring the time source on the forest-
root PDC emulator, in this order of preference:
● Install a hardware clock, such as a radio or GPS device, as the source
for the PDC. There are many consumer and enterprise devices that use
the Network Time Protocol (NTP), allowing you to install the device on
an internal network for usage with the PDC.
● Use IPSec to secure the NTP communication with the PDC and another
network time server.

Do not synchronize the forest-root PDC emulator with another Windows-
based computer in the same forest.
If neither of these options is available in your Active Directory deployment
or data center, you can synchronize with an external reliable time source.
This option is the least favorable as it synchronizes time in an
unauthenticated manner, potentially making time packets vulnerable to
an attacker.

Task: Configuring a time source for the forest


After initial deployment of your network, you typically only reconfigure the
time service on the PDC emulator in two situations:
● If you move the PDC emulator role to a different computer. In this case,
you must configure the time service for the new PDC emulator.
● If you change the time source for the PDC emulator. For example, if
you change from synchronizing with an external source to a hardware
device.

To configure time service for the forest-root PDC emulator, you might
need to remove an external time source that you used previously or, if you
transferred the PDC emulator role to another Active Directory domain
controller, you might only need to configure the time service on the new
PDC emulator. To configure time on the forest-root PDC emulator, you can
use the following procedures. Procedures are explained in detail in the
linked topics.

Procedure 1: Configure time on the forest-root PDC emulator


Link to procedure.

Procedure 2: Remove a time source configured on the forest-root


PDC emulator
Link to procedure.

Task: Configuring a reliable time source on a computer other than the PDC emulator
By default, the PDC emulator in the forest root is the authoritative time
source for that forest. However, you might want to configure a different
domain controller in your network to be authoritative for the forest.
If you plan to move the PDC operations master role, you can configure a
reliable time source on a different computer prior to the move(s) to avoid
resets or disruption of the time service. The role of PDC emulator can
move between computers, which means that every time the role of PDC
emulator moves, the new PDC emulator must be manually configured to
point to the external source, and the manual configuration must be
removed from the original PDC emulator. To avoid this process, you can
set one of the domain controllers in the parent domain as reliable and
manually configure just that computer to point to an external source.
Then, no matter which computer is the PDC emulator, the root of the time
service stays the same and thus remains properly configured.
When domain controllers look for a time source to synchronize with, they
choose a reliable source, if one is available. It is important to note that the
automatic discovery mechanism in the time service client never chooses a
computer that is not a domain controller. Clients must be manually
configured to use any server that is not a domain controller.
Although the PDC emulator in the forest root domain is the authoritative
time source for that forest, you can configure a reliable time source on a
computer other than the PDC emulator.

Procedure 1: Configure the selected computer as a reliable time


source
Link to procedure.

Task: Configuring a client to request time from a specific time source
Certain computers do not automatically synchronize their time to the time
of the Active Directory domain. It is recommended that these systems be
configured to request time from a particular source, such as a domain
controller in the domain. If you do not specify a source that is
synchronized with the domain, each computer’s internal hardware clock
governs its time. The following client computers do not automatically
synchronize to the domain time through the Windows Time service:
● Client computers that run pre-Windows 2000 operating systems.
● Client computers that run UNIX.

The following procedures allow you to specify a time source for client
computers that do not automatically synchronize through the time service.
Procedures are explained in detail in the linked topics.

Procedure 1: Set a manually configured time source on a selected computer
Link to procedure.

Procedure 2: Remove a manually configured time source on a selected computer
Link to procedure.
Task: Optimizing the polling interval


In some cases, the default configuration of the time service polling
intervals may be inadequate to achieve your desired operational accuracy
goals. Windows Server 2003 uses a more advanced dynamic interval for
polling that is governed by minimum and maximum values. It might be
desirable to change this interval in the following situations:
● If computers are polling over a leased line, you can lengthen the
polling interval. By polling less often, you will decrease usage of the
paid line.
● If you have applications or devices that require increased time
accuracy, you can shorten the polling interval.

Procedure 1: Change polling interval


Link to procedure.
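The time-service tasks above (time source on the forest-root PDC emulator, a reliable source on another domain controller, removing a manual source after a role move, a manually configured client, and the polling interval), as an added PowerShell example that is not part of the guide. It wraps w32tm.exe and the W32Time Config registry values; the host names passed to the functions are placeholders.

```powershell
# Added example (not from the guide): the w32tm.exe calls and registry values behind
# the time-service tasks. Run in an elevated session on the computer being configured.

$w32timeConfig = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'

# Point this computer at one or more NTP servers (a GPS or radio appliance on the
# internal network, or an external source as a last resort) and mark it reliable so
# that domain members find it through automatic discovery. Use on the forest-root PDC
# emulator, or on the domain controller chosen as the reliable source instead.
function Set-ReliableTimeSource {
    param([Parameter(Mandatory)][string[]]$Peer)
    $peerList = ($Peer | ForEach-Object { "$_,0x8" }) -join ' '   # 0x8 = client mode
    & w32tm.exe /config /manualpeerlist:"$peerList" /syncfromflags:manual /reliable:yes /update
    & w32tm.exe /resync /rediscover
}

# Undo a manual configuration (for example on the old PDC emulator after the role moves):
# return to the domain hierarchy and stop advertising as a reliable source.
function Remove-ManualTimeSource {
    & w32tm.exe /config /syncfromflags:domhier /reliable:no /update
    & w32tm.exe /resync /rediscover
}

# A client that does not synchronize automatically: take time from a named domain controller.
function Set-ClientTimeSource {
    param([Parameter(Mandatory)][string]$DomainController)
    & w32tm.exe /config /manualpeerlist:"$DomainController,0x8" /syncfromflags:manual /update
    & w32tm.exe /resync
}

# The dynamic polling interval is bounded by MinPollInterval and MaxPollInterval,
# both stored as log2 seconds (6 = 64 s, 10 = 1024 s). Raise them to poll less often
# over a leased line; lower them where applications need tighter accuracy.
function Set-TimePollingInterval {
    param([Parameter(Mandatory)][int]$MinLog2, [Parameter(Mandatory)][int]$MaxLog2)
    if ($MinLog2 -gt $MaxLog2) { throw 'MinPollInterval must not exceed MaxPollInterval.' }
    Set-ItemProperty -Path $w32timeConfig -Name MinPollInterval -Value $MinLog2 -Type DWord
    Set-ItemProperty -Path $w32timeConfig -Name MaxPollInterval -Value $MaxLog2 -Type DWord
    Restart-Service -Name W32Time   # the service reads the values when it starts
}

# Hand UDP port 123 to another NTP implementation by disabling W32Time.
function Disable-WindowsTimeService {
    Stop-Service -Name W32Time
    Set-Service -Name W32Time -StartupType Disabled
}

# Placeholder host names:
# Set-ReliableTimeSource -Peer 'ntp-appliance.corp.example'
# Set-ClientTimeSource   -DomainController 'dc01.corp.example'
# Set-TimePollingInterval -MinLog2 6 -MaxLog2 10
```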

Task: Disabling the Windows Time service


If you choose to implement another time synchronization product that
uses the NTP protocol, you must disable the W32Time service because all
NTP servers need access to UDP port 123. If W32Time is running on a
Windows 2003–based computer, port 123 remains occupied.
You only need to perform one procedure to disable the Windows Time
service.

Procedure 1: Disable time service


Link to procedure.
Dependencies
Domain Admin credentials
Technology Required
Services snap-in tool
Optimizing Quadrant | Availability Management SMF | Infrastructure Role Cluster | As Needed

Process: Managing trusts


Description
Trust relationships between domains establish a trusted communication
path through which a computer in one domain can communicate with a
computer in the other domain. Trust relationships allow users in the
trusted domain to access resources in the trusting domain. Trusts
generally require limited management.
For example, where a one-way trust exists:
● A user who is logged on to the trusted domain can be authenticated to
connect to a resource server in the trusting domain.
● A user can use an account in the trusted domain to log on to the
trusted domain from a computer in the trusting domain.
● A user in the trusting domain can list trusted domain security principals
and add them to groups and access control lists (ACLs) on resources in
the trusting domain.

Purpose
Trusts are typically created to enable users in the trusted domain to
facilitate access to resources in the trusting domain.
Guidelines
When you create a Windows 2003 domain in an existing Windows 2003
forest, a trust relationship is established automatically between the newly
created domain and its parent. These trust relationships are two-way and
transitive, and they should not be removed.
A trust does not always allow users in the trusted domain to have access
to resources in the trusting domain. Access has to be granted by adding
users to the appropriate permissions. In some cases, users in trusted
domains might have implicit access if the resources are ACLed for
Authenticated users.
The following types of trusts must be created manually:
● External trusts
● Trusts between a Microsoft Windows 2000 domain and a Windows NT®
4.0 domain
● Any trust between domains in different forests, whether both domains
are Windows 2000 or one is Windows 2000 and the other Windows NT
4.0
● Shortcut trusts between two domains in the same forest
● Trust relationships between a Windows 2003 domain and a non-
Windows Kerberos realm.
For more information about trusts between a Windows 2003 domain
and a non-Windows Kerberos realm, link to the Step-by-Step Guide to
Kerberos 5 (krb5 1.0) Interoperability document available on the Web
Resources page at
http://www.Microsoft.com/windows/reskits/webresources.

You might also need to manage trusts for the following reasons:
● To remove a manually created trust.
● To configure security identifier (SID) filtering to deny one domain the
right to provide credentials for another domain. You can enable SID
filtering for external trusts, that is, trusts between domains in different
forests, or between a Windows 2000 and a Windows NT 4.0 domain.

Task: Creating external trusts


You create an external trust when you want to establish a trust
relationship between Windows Server 2003 domains that are in different
forests, or between a Windows Server 2003 domain and a Windows 2000
or Windows NT 4.0 domain. An external trust relationship has the following
characteristics:
● It is one-way. The trust must be established manually in each direction
to create a two-way external trust relationship.
● It is nontransitive.

If you upgrade a Windows NT 4.0 domain to a Windows 2000 domain, the
existing trust relationships remain in the same state.

Methods for Creating the External Trust


● Use the procedure “Create a one-way trust—MMC method” to create a
trust in which one domain (the trusting domain) allows accounts from
another domain (the trusted domain) to use its resources.
● Use the procedure “Create a one-way trust—Netdom.exe method” to
use the support tool, Netdom.exe, to create both sides of a one-way
trust simultaneously. You must provide credentials for both domains in
order to use the Netdom.exe method.
● Use the procedure “Create a two-way trust—MMC method” to create
both portions of the trust in one domain first, and then both portions
in the other domain.
● Use the procedure “Create a two-way trust—Netdom.exe method” to
use the support tool, Netdom.exe, to create both sides of the trust
simultaneously. You must provide credentials for both domains in order
to use the Netdom.exe method.

Requirements
● Credentials: Domain Admins in each domain whose side of the trust you
create
● You can create the trust while logged on to the domain interactively, or
use the Run As command to supply Domain Admins credentials for a
different domain.
● Tools: Active Directory Domains and Trusts or Netdom.exe (Support
Tools)

You can create an external trust by using one of the following methods.
Procedures are explained in detail in the linked topics.

Procedure 1: Create a one-way trust (MMC method)
Link to procedure.

Procedure 2: Create a one-way trust (Netdom.exe method)
Link to procedure.

Procedure 3: Create a two-way trust (MMC method)
Link to procedure.

Procedure 4: Create a two-way trust (Netdom.exe method)
Link to procedure.
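The Netdom.exe method, as an added example that is not part of this guide: a PowerShell script that creates one side or both sides of an external trust with Netdom.exe, verifies the trust, and then reads it back from the directory so that its type and direction can be checked. The domain names, account names and the convention that the trusting domain holds the resources and the trusted domain holds the accounts are assumptions for the example.

```powershell
# Added example (not from this guide). Creates an external trust with Netdom.exe
# (Windows Server 2003 Support Tools), verifies it and confirms it from the
# directory. All domain and account names are placeholders.
param(
    [string]$TrustingDomain = 'corp.contoso.com',      # resources live here
    [string]$TrustedDomain  = 'partner.fabrikam.com',  # accounts live here
    [string]$TrustingAdmin  = 'CORP\tadmin',           # Domain Admins in the trusting domain
    [string]$TrustedAdmin   = 'PARTNER\padmin',        # Domain Admins in the trusted domain
    [switch]$TwoWay
)

function Invoke-Netdom {
    # Runs netdom.exe and stops the script on any failure so a broken step is
    # never followed by the next one. '*' makes netdom prompt for passwords,
    # which keeps them out of the command line and the process list.
    param([string[]]$NetdomArgs)
    & netdom.exe @NetdomArgs
    if ($LASTEXITCODE -ne 0) {
        throw "netdom $($NetdomArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Credentials for both domains: /UserD and /PasswordD are for the trusted
# domain (/d:), /UserO and /PasswordO for the trusting (object) domain.
$credArgs = @("/UserD:$TrustedAdmin", '/PasswordD:*', "/UserO:$TrustingAdmin", '/PasswordO:*')

# 1. Create the trust. Without /twoway only the "trusting trusts trusted"
#    direction is created; each direction is a separate, nontransitive trust.
$addArgs = @('trust', $TrustingDomain, "/d:$TrustedDomain", '/add') + $credArgs
if ($TwoWay) { $addArgs += '/twoway' }
Invoke-Netdom $addArgs

# 2. Verify the secure channel that the trust relies on.
Invoke-Netdom (@('trust', $TrustingDomain, "/d:$TrustedDomain", '/verify') + $credArgs)

# 3. Read the trust back from the trusting domain. An external trust shows
#    TrustType External; seen from the trusting domain a one-way trust is
#    Outbound and a two-way trust Bidirectional.
function Get-TrustState {
    param([string]$SourceDomain, [string]$TargetDomain)
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $SourceDomain)
    $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    $dom.GetAllTrustRelationships() |
        Where-Object { $_.TargetName -ieq $TargetDomain } |
        Select-Object SourceName, TargetName, TrustType, TrustDirection
}

$state = Get-TrustState -SourceDomain $TrustingDomain -TargetDomain $TrustedDomain
if (-not $state) { throw "Trust to $TrustedDomain not found in $TrustingDomain after creation" }
if ($state.TrustType -ne 'External') {
    Write-Warning "Trust type is $($state.TrustType), not External; check that $TrustedDomain is in another forest"
}
$state
```

Run the script with Domain Admins credentials for each domain at hand; the two /PasswordD:* and /PasswordO:* prompts are the only places the passwords are entered. Step 3 is the check the MMC method needs too: after creating a trust by hand, confirm in the trusting domain that the trust exists with the type and direction you intended before granting any cross-domain permissions.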

Task: Creating shortcut trusts
A shortcut trust relationship is a manually created trust that shortens the
trust path so that authentication requests between two domains in the same
forest are resolved faster. A trust path is the chain of trusts that must be
traversed between domains that are not adjacent in the forest; each hop is a
referral to another domain's domain controllers. For example, if users in
domain A need to gain access to resources in domain C, you can create a
direct link from domain A to domain C through a shortcut trust relationship,
bypassing domain B in the trust path.
A shortcut trust relationship has the following characteristics:
● It can be established between any two domains in the same forest.
● It must be established manually in each direction; a shortcut trust can
be one-way or two-way.
● It is transitive.

Create shortcut trusts only when the normal trust path causes measurable
authentication delays, for example across a long chain of domains or over
slow links; otherwise the default transitive trusts are sufficient.

Requirements
● Credentials: Domain Admins
● Tool: Active Directory Domains and Trusts

You can create a shortcut trust by using one of the following methods.
Procedures are explained in detail in the linked topics.

Procedure 1: Create a one-way trust (MMC method)
Link to procedure.

Procedure 2: Create a one-way trust (Netdom.exe method)
Link to procedure.

Procedure 3: Create a two-way trust (MMC method)
Link to procedure.

Procedure 4: Create a two-way trust (Netdom.exe method)
Link to procedure.

Task: Removing manually created trusts
You can remove manually created trusts, but you cannot remove the
default two-way transitive trusts between domains in a forest. A manually
created trust has two halves, one stored in each domain; remove both. It is
particularly important to verify that both halves are gone before you
re-create the trust.

Requirements
● Credentials: Domain Admins
● Tool: Active Directory Domains and Trusts or Netdom.exe.

You can remove a manually created trust by using one of the following
methods. Procedures are explained in detail in the linked topics.

Procedure 1: Remove a manually created trust by using the
Active Directory Domains and Trusts snap-in
Link to procedure.

Procedure 2: Remove a manually created trust by using
Netdom.exe.
Link to procedure.

Task: Preventing unauthorized privilege escalation
Security principals in Active Directory have an attribute called sIDHistory
to which migration tools add a user's SIDs from the old domain. This is
useful during migration because the old SIDs are included in the user's
access token, so the user keeps access to resources whose ACLs still name
the old SIDs; administrators do not need to modify ACLs on large numbers
of resources. However, a domain administrator who can write sIDHistory,
with a migration tool or by any other means of writing the attribute, can
add the SIDs of privileged groups from another domain, such as the Domain
Admins or Enterprise Admins SID of a trusting domain, to an account in the
domain he or she controls. When that account authenticates across the
trust, the injected SIDs appear in its token and grant rights the trusting
domain never intended.

You can configure SID filtering to prevent this type of attack. When SID
filtering (also called quarantine) is enabled on a trust, domain controllers
in the trusting domain discard every SID in the incoming authentication
data that is not relative to the trusted domain's own domain SID. You might
configure SID filtering under the following circumstances:
● You have identified one or more domains in your enterprise where
physical security is lax, or where the domain administrators are less
well-trusted.
● You then isolate these less trustworthy domains by moving them to
other forests. By definition, all domains within a forest must be
trustworthy; if a domain is deemed less trustworthy than the others in
the forest, it should not be a forest member. Once you have moved
less trustworthy domains out of the forest, establish external trusts to
these domains and apply access control to protect resources. If you are
still concerned about SID spoofing being used for privilege escalation,
then apply SID filtering.

Caution. Do not apply SID filtering to domains within a forest, as this removes SIDs
required for Active Directory replication and causes authentication to fail for users
from domains that are transitively trusted through the isolated domain.

Use the following procedures to configure SID filtering. Procedures are
explained in detail in the linked topics.

Procedure 1: Configure SID filtering
Link to procedure.

Procedure 2: Remove SID filtering
Link to procedure.
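The privilege escalation described in this task and the SID filtering that counters it, as an added example that is not part of this guide: a PowerShell audit that lists every account with a sIDHistory value, flags values that could only have been injected (SIDs of this forest's own domains, SIDs from a domain you never migrated from, privileged RIDs), and reads or sets the quarantine state of a trust through System.DirectoryServices.ActiveDirectory. The domain names, distinguished names and the domain SIDs in the constructed sample are assumptions for the example.

```powershell
# Added example (not from this guide). Audits sIDHistory for values that would
# grant rights in this domain across a trust, and reads the SID filtering
# (quarantine) state of a trust. Domain names and DNs are placeholders.

function Test-SidHistoryValue {
    # Classifies one sIDHistory SID. Only account SIDs from a domain you
    # actually migrated from are expected; a SID whose domain part belongs to
    # this forest, a well-known or built-in SID, or a privileged RID is the
    # signature of injection rather than migration.
    param(
        [string]$Sid,
        [string[]]$ForestDomainSids,     # domain SIDs of every domain in your forest
        [string[]]$MigrationSourceSids   # domain SIDs of the domains you migrated from
    )
    $privilegedRids = @(500, 512, 516, 518, 519)  # Administrator, Domain Admins, Domain Controllers, Schema Admins, Enterprise Admins
    $reasons = @()
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $domainSid = if ($sidObj.AccountDomainSid) { $sidObj.AccountDomainSid.Value } else { $null }
    $rid = [int]$Sid.Substring($Sid.LastIndexOf('-') + 1)

    if (-not $domainSid) { $reasons += 'not a domain account SID (well-known or built-in)' }
    elseif ($ForestDomainSids -contains $domainSid) { $reasons += "domain SID $domainSid belongs to this forest" }
    elseif (-not ($MigrationSourceSids -contains $domainSid)) { $reasons += "domain SID $domainSid is not a known migration source" }
    if ($domainSid -and ($privilegedRids -contains $rid)) { $reasons += "privileged RID $rid" }
    New-Object PSObject -Property @{ Sid = $Sid; Suspicious = ($reasons.Count -gt 0); Reasons = ($reasons -join '; ') }
}

function Find-SidHistoryAccounts {
    # Every security principal in the domain that carries a sIDHistory value.
    param([string]$DomainDN = 'DC=corp,DC=contoso,DC=com')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$DomainDN")
    $searcher.Filter = '(sIDHistory=*)'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'sIDHistory'))
    foreach ($result in $searcher.FindAll()) {
        $history = @()
        foreach ($raw in $result.Properties['sidhistory']) {      # each value is the binary SID
            $history += (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
        }
        New-Object PSObject -Property @{
            Account    = [string]$result.Properties['samaccountname'][0]
            SidHistory = $history
        }
    }
}

function Get-SidHistoryFindings {
    param([string]$DomainDN, [string[]]$ForestDomainSids, [string[]]$MigrationSourceSids)
    foreach ($account in Find-SidHistoryAccounts -DomainDN $DomainDN) {
        foreach ($sid in $account.SidHistory) {
            $check = Test-SidHistoryValue -Sid $sid -ForestDomainSids $ForestDomainSids -MigrationSourceSids $MigrationSourceSids
            if ($check.Suspicious) {
                New-Object PSObject -Property @{ Account = $account.Account; Sid = $sid; Reasons = $check.Reasons }
            }
        }
    }
}

function Get-SidFilteringState {
    # $true means quarantine is on: the trusting domain drops every SID in an
    # incoming token that is not relative to the trusted domain's own SID.
    param([string]$TrustingDomain, [string]$TrustedDomain)
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $TrustingDomain)
    $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    $dom.GetSidFilteringStatus($TrustedDomain)
}
# To turn filtering on: $dom.SetSidFilteringStatus($TrustedDomain, $true) with the
# same $dom object, or from a command prompt:
#   netdom trust corp.contoso.com /d:partner.fabrikam.com /quarantine:yes

# Constructed values (not real domains): this forest is S-1-5-21-1000-2000-3000,
# the legitimate migration source is S-1-5-21-4000-5000-6000.
$forest = @('S-1-5-21-1000-2000-3000')
$source = @('S-1-5-21-4000-5000-6000')
Test-SidHistoryValue -Sid 'S-1-5-21-4000-5000-6000-1105' -ForestDomainSids $forest -MigrationSourceSids $source  # ordinary migrated user
Test-SidHistoryValue -Sid 'S-1-5-21-1000-2000-3000-519'  -ForestDomainSids $forest -MigrationSourceSids $source  # this forest's Enterprise Admins SID

# Live audit of a domain and the quarantine state of one of its external trusts:
Get-SidHistoryFindings -DomainDN 'DC=corp,DC=contoso,DC=com' -ForestDomainSids $forest -MigrationSourceSids $source
Get-SidFilteringState -TrustingDomain 'corp.contoso.com' -TrustedDomain 'partner.fabrikam.com'
```

The audit is the control that SID filtering cannot give you: quarantine only strips foreign SIDs at the trust boundary, so an injected sIDHistory value inside your own forest, where the caution above says filtering must not be applied, is visible only by reading the attribute.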

Task: Creating cross-forest trusts
Forest trusts help you to manage a segmented Active Directory
infrastructure within your organization by providing support for accessing
resources and other objects across multiple forests. A forest trust is
created once, between the two forest root domains, and is transitive within
the two forests it joins: every domain in one forest trusts every domain in
the other. It does not extend to a third forest. Both forests must be at the
Windows Server 2003 forest functional level.
For more information about creating cross-forest trusts, as well as more
information about managing trusts in general, see the white paper
Planning and Implementing Federated Forests in Windows Server 2003 at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/security/fedffin2.asp.

Procedure 1: Verify connectivity between forests
Link to procedure.

Procedure 2: Configure DNS for both forests
Link to procedure.

Procedure 3: Create the forest trust on forest A
Link to procedure.

Procedure 4: Create the forest trust on forest B
Link to procedure.

Procedure 5: Verify the trust
Link to procedure.

Task: Managing selective authentication on a cross-forest trust
This task addresses how to set the scope of authentication for users,
based on security and other considerations. With selective authentication
enabled on a forest trust, users from the trusted forest can authenticate
only to those computers in the trusting forest on which they have been
explicitly granted the Allowed to Authenticate permission; with forest-wide
authentication, they can authenticate to any computer in the trusting forest.

Procedure 1: Turn on the Selective Authentication option in forest
A to enable only selective authentication from forest B
Link to procedure.

Procedure 2: Create a test file and then assign permissions to the
share
Link to procedure.

Procedure 3: Verify that you cannot gain access to forest A from
forest B
Link to procedure.

Procedure 4: Enable the Selective Authentication option for a
designated computer
Link to procedure.

Procedure 5: Verify that you can gain access from forest A to
forest B
Link to procedure.

Task: Removing the forest trust
This task addresses the procedure for removing a forest trust when
administrators determine they no longer need the trust between the
forests.

Procedure 1: Remove the forest trust
Link to procedure.

Quadrant: Operating
SMF: System Administration
Role: Infrastructure Role
Cluster: As Needed

Process: Managing sites
Description
An Active Directory Site object represents a collection of Internet Protocol
(IP) subnets, usually constituting a physical local area network (LAN).
Multiple sites are connected for replication by Site Link objects.
Sites are used in Active Directory to:
● Enable clients to discover network resources (published shares,
domain controllers) that are close to the physical location of the client,
reducing network traffic over wide area network (WAN) links.
● Optimize replication between domain controllers.

Managing sites in Active Directory involves adding new subnet, site, and
site link objects when the network grows, as well as configuring a
schedule and cost for site links. You can modify the site link schedule,
cost, or both, to optimize intersite replication. When conditions no longer
require replication to a site, or clients no longer require the sites to
discover network resources, you can remove the site and associated
objects from Active Directory.

Note. Managing large hub-and-spoke topology or using the SMTP intersite
replication transport is beyond the scope of this documentation.

Purpose
Managing sites:
● Enables clients to discover network resources (printers, published
shares, domain controllers) that are close to the physical location of
the client, reducing network traffic over wide area network (WAN) links.
● Optimizes replication between domain controllers.

The KCC and Replication Topology
The Knowledge Consistency Checker (KCC) uses site link configuration
information to enable and optimize replication traffic by generating a
least-cost replication topology. Within a site, for each directory partition,
the KCC builds a bidirectional ring topology and adds extra connections as
needed so that no two domain controllers are more than three replication
hops apart. Between sites, the KCC (acting as the intersite topology
generator, ISTG, in each site) creates a least-cost spanning tree of site
links. Therefore, adding sites and domains increases the processing that is
required by the KCC. Before adding to the site topology, be sure to consider
the guidelines discussed in “Adding a new site” later in this document.
Significant changes to site topology can affect domain controller hardware
requirements. For more information about domain controller hardware
requirements, see “Domain Controller Capacity Planning” in Best Practice
Active Directory Design for Managing Windows Networks. To download
this guide, follow the Active Directory link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources, which will take
you to the Active Directory home page, where you can download the
guide.

Bridgehead Server Selection
By default, bridgehead servers are automatically selected by the intersite
topology generator (ISTG) in each site. Alternatively, you can use Active
Directory Sites and Services to select preferred bridgehead servers.
However, it is recommended for Windows 2000 deployments that you do
not select preferred bridgehead servers.
Selecting preferred bridgehead servers limits the bridgehead servers that
the KCC can use to those that you have selected. If you use Active
Directory Sites and Services to select any preferred bridgehead servers at
all in a site, you must select as many as possible and you must select
them for all domains that must be replicated to a different site. If you
select preferred bridgehead servers for a domain and all preferred
bridgehead servers for that domain become unavailable, replication of
that domain to and from that site does not occur.
If you have selected one or more bridgehead servers, removing them all
from the bridgehead servers list restores the automatic selection
functionality to the ISTG.

Task: Adding a new site
Design teams or network architects might want to add sites as part of
ongoing deployment. Although you typically create subnets to
accommodate all address ranges in the network, you do not need to
create sites for every location. Generally, sites are required for those
locations that have domain controllers or other servers that run
applications that depend on site topology, such as Distributed File System
(DFS).
When the need for a site arises, the design team typically provides details
about the placement and configuration of site links for the new site, as
well as subnet assignments or creation if subnets are needed.
KCC calculations for generating the intersite topology for a Windows Server
2003 forest can cause directory performance to suffer when the combined
number of sites, site links, and domains exceeds certain limits. When these
limits are reached, follow the site administration guidelines in the Active
Directory Branch Office Planning Guide, linked from the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources.

As a general guideline, when any of the following conditions exist, consult
your design team before adding a new site:
● An existing site is directly connected to more than 20 sites.
● A bridgehead server has more than 20 inbound connections.
● The forest has 200 or more sites.

Use the following procedures to add a new site. Procedures are explained
in detail in the linked topics.

Procedure 1: Create a Site object and add it to an existing site
link
Link to procedure.

Procedure 2: Associate a range of IP addresses with the site
Use either of these methods:
● Create a Subnet object or objects and associate them with the new site
● Associate an existing Subnet object with the new site

Link to procedure.

Procedure 3: Create a Site Link object, if appropriate, and add
the new site and at least one other site to the Site Link object
Link to procedure.

Procedure 4: Remove the site from the site link
Link to procedure.

Task: Adding a subnet to the network
If a new range of IP addresses is added to the network, create a Subnet
object in Active Directory to correspond to the range of IP addresses.
When you create a new Subnet object, you must associate it with a Site
object. You can either associate the subnet with an existing site, or create
a new site first and then create the subnet and associate it with the new
site. If you are going to create a new site for the new network segment,
see “Adding a new site.”
Use the following procedures to add a subnet. Procedures are explained in
detail in the linked topics.

Procedure 1: Create a Subnet object and associate it with the
appropriate site
Link to procedure.

Task: Linking sites for replication
To link sites for replication, create a Site Link object in the IP transport
container and add two or more sites to the link. Use a naming convention
that includes the sites that you are linking. For example, if you want to link
the site named Seattle to the site named Boston, you might name the site
link SEA-BOS.
After you add two or more site names to a Site Link object, the bridgehead
servers in the respective sites replicate between the sites according to the
replication schedule, cost, and interval settings on the Site Link object. For
information about modifying the default settings, see “Changing site link
properties.”
At least two sites must exist when you create a site link. If you are adding
a site link to connect a new site to an existing site, create the new site
first and then create the site link. For information about creating a site,
see “Adding a new site.”
Use the following procedures to link sites for replication. Procedures are
explained in detail in the linked topics.

Procedure 1: Create a Site Link object in the IP container and add
the appropriate sites
Link to procedure.

Procedure 2: Generate the intersite topology
Link to procedure.

Task: Changing site link properties
To control which sites replicate directly with each other and when, use the
cost, schedule, and interval properties on the Site Link object.
These settings control intersite replication as follows:
● Schedule: The times during which replication can occur (the default
setting allows replication at all times).
● Interval: The number of minutes between replication polling by
intersite replication partners within the open schedule window (the
default is every 180 minutes; the minimum is 15 minutes).
● Cost: The relative cost of the link (the default is 100). The KCC routes
replication over the path with the lowest total cost, so a lower cost
gives the link priority over higher-cost links.

Consult your design documentation for information about values to set for
site link properties.
Use the following procedures to configure a site link. Procedures are
explained in detail in the linked topics.

Procedure 1: Configure the site link schedule to identify times
during which intersite replication can occur
Link to procedure.

Procedure 2: Configure the site link interval to identify how often
replication polling can occur during the schedule window
Link to procedure.

Procedure 3: Configure the site link cost to establish a priority for
replication routing
Link to procedure.

Procedure 4: Generate the intersite topology
Link to procedure.
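Procedures 2 and 3 done through ADSI, as an added example that is not part of this guide: PowerShell functions that read the cost, interval, schedule state and member sites of a Site Link object and change its cost and interval with the same value limits that Active Directory Sites and Services enforces. The site link name SEA-BOS, the IP transport and the ISTG name in the closing comment are assumptions for the example.

```powershell
# Added example (not from this guide). Reads and changes the cost and interval
# of a Site Link object through ADSI. Site link and server names are
# placeholders; the value limits are those of Active Directory Sites and Services.

function Get-SiteLinkPath {
    param([string]$Name, [string]$Transport = 'IP')
    $configDN = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    "LDAP://CN=$Name,CN=$Transport,CN=Inter-Site Transports,CN=Sites,$configDN"
}

function Get-SiteLinkSettings {
    param([string]$Name, [string]$Transport = 'IP')
    $link = [ADSI](Get-SiteLinkPath -Name $Name -Transport $Transport)
    New-Object PSObject -Property @{
        Name            = $Name
        Cost            = [int]$link.cost.Value
        IntervalMinutes = [int]$link.replInterval.Value
        # The schedule attribute is absent when replication is allowed at all times
        CustomSchedule  = ($null -ne $link.schedule.Value)
        Sites           = @($link.siteList | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' })
    }
}

function Set-SiteLinkSettings {
    param(
        [string]$Name,
        [int]$Cost,
        [int]$IntervalMinutes,
        [string]$Transport = 'IP'
    )
    if ($Cost -lt 1 -or $Cost -gt 99999) { throw 'Cost must be between 1 and 99999 (default 100)' }
    if ($IntervalMinutes -lt 15 -or $IntervalMinutes -gt 10080 -or ($IntervalMinutes % 15) -ne 0) {
        throw 'Interval must be a multiple of 15 minutes between 15 and 10080 (default 180)'
    }
    $link = [ADSI](Get-SiteLinkPath -Name $Name -Transport $Transport)
    $link.Put('cost', $Cost)
    $link.Put('replInterval', $IntervalMinutes)
    $link.SetInfo()
}

# Make SEA-BOS the preferred route (cost 50) and poll every hour.
Get-SiteLinkSettings -Name 'SEA-BOS'
Set-SiteLinkSettings -Name 'SEA-BOS' -Cost 50 -IntervalMinutes 60
Get-SiteLinkSettings -Name 'SEA-BOS'

# The change is picked up at the next KCC run (every 15 minutes by default).
# To apply it now (Procedure 4), run the KCC on the ISTG of each affected site:
#   repadmin /kcc seattle-istg.corp.contoso.com
```

Read the settings back after the write, as the last call does: the numbers you see are what the ISTG in every site will use on its next run, and a cost that no longer reflects the design can silently route a domain's replication over the wrong WAN link.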

Task: Moving a domain controller to a different site
If you change the IP address or the subnet-to-site association of a domain
controller after Active Directory is installed on the server, the Server
object does not change sites automatically. You must move it to the new
site manually. When you move the Server object, the Net Logon service on
the domain controller registers DNS SRV resource records for the
appropriate site.

TCP/IP Settings
When you move a domain controller to a different site, if an IP address of
the domain controller is statically configured, then you must change the
TCP/IP settings accordingly. The IP address of the domain controller must
map to a Subnet object that is associated with the site to which you are
moving the domain controller. If the IP address of a domain controller does
not match the site in which the Server object appears, the domain
controller might be forced to communicate over a potentially slow WAN
link to locate resources rather than locating resources in its own site.
Prior to moving the domain controller, ensure that the following TCP/IP
client values are appropriate for the new location:
● IP address, including the subnet mask and default gateway
● DNS server addresses
● WINS server addresses (if appropriate)

If the domain controller that you are moving is a DNS server, you must
also:
● Change the TCP/IP settings on any clients that have static references
to the domain controller as the preferred or alternate DNS server.
● Determine whether the parent DNS zone of any zone that is hosted by
this DNS server contains a delegation to this DNS server. If yes, update
the IP address in all such delegations. For information about creating
DNS delegations, see “Verify Active Directory installation.”
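The subnet-to-site check that the paragraph above calls for, as an added example that is not part of this guide: PowerShell that maps an IPv4 address to the Subnet object, and hence the site, that Active Directory would associate it with, using the longest-prefix rule (the most specific Subnet object that contains the address wins). It reads the forest's real Subnet objects for the live check; the small table is constructed only to show the rule, and the domain controller name in it is an assumption. IPv6 subnet names are skipped.

```powershell
# Added example (not from this guide). Maps an IPv4 address to the Subnet
# object, and therefore the site, that Active Directory associates it with:
# the Subnet object with the longest prefix that contains the address wins.
# Subnet names in the directory have the form "network/prefix".

function ConvertTo-AddressNumber {
    # Numeric (big-endian) value of a dotted IPv4 address as an Int64, so the
    # bitwise operators below never overflow a signed 32-bit integer.
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "$Address is not an IPv4 address" }
    [int64]$bytes[0] * 16777216 + [int64]$bytes[1] * 65536 + [int64]$bytes[2] * 256 + [int64]$bytes[3]
}

function Get-SiteForIPAddress {
    # $Subnets: objects with .Name ("10.1.0.0/16") and .Site (site name).
    # Returns the most specific matching subnet, or $null when no Subnet
    # object covers the address: a domain controller there belongs to no
    # site and clients cannot find a close domain controller through it.
    param([string]$IPAddress, [object[]]$Subnets)
    $ip = ConvertTo-AddressNumber $IPAddress
    $best = $null
    foreach ($subnet in $Subnets) {
        $parts = $subnet.Name -split '/'
        if ($parts.Count -ne 2 -or $parts[0] -match ':') { continue }   # malformed or IPv6 name
        $prefix = [int]$parts[1]
        if ($prefix -lt 0 -or $prefix -gt 32) { continue }
        $mask = 4294967295 - ([int64][math]::Pow(2, 32 - $prefix) - 1)
        $network = ConvertTo-AddressNumber $parts[0]
        if (($ip -band $mask) -ne ($network -band $mask)) { continue }
        if ($null -eq $best -or $prefix -gt $best.Prefix) {
            $best = New-Object PSObject -Property @{ Subnet = $subnet.Name; Site = $subnet.Site; Prefix = $prefix }
        }
    }
    $best
}

function Get-ForestSubnets {
    # Every Subnet object in the current forest with the site it is associated with.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($site in $forest.Sites) {
        foreach ($subnet in $site.Subnets) {
            New-Object PSObject -Property @{ Name = $subnet.Name; Site = $site.Name }
        }
    }
}

# Constructed table (not real data): a /24 inside a /16 inside a /8, so that
# the longest-prefix rule decides which site 10.1.200.17 belongs to.
$sample = @(
    (New-Object PSObject -Property @{ Name = '10.0.0.0/8';      Site = 'Default-First-Site-Name' }),
    (New-Object PSObject -Property @{ Name = '10.1.0.0/16';     Site = 'Seattle' }),
    (New-Object PSObject -Property @{ Name = '10.1.200.0/24';   Site = 'Seattle-Lab' }),
    (New-Object PSObject -Property @{ Name = '192.168.50.0/24'; Site = 'Boston' })
)
Get-SiteForIPAddress -IPAddress '10.1.200.17' -Subnets $sample
Get-SiteForIPAddress -IPAddress '172.16.0.5'  -Subnets $sample

# Live check of the domain controller you are about to move, against the
# forest's own Subnet objects. The name is a placeholder.
$subnets = @(Get-ForestSubnets)
foreach ($addr in [System.Net.Dns]::GetHostAddresses('dc1.corp.contoso.com')) {
    if ($addr.AddressFamily -eq 'InterNetwork') {
        Get-SiteForIPAddress -IPAddress $addr.IPAddressToString -Subnets $subnets
    }
}
```

Run the live check twice: once with the new static IP address before you move the Server object, to confirm it lands in the intended site, and once after the move, because an address that maps to no Subnet object at all is the case the paragraph above warns about and is easy to miss when the subnet mask was typed wrong.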

Preferred Bridgehead Server Status
Before moving any Server object, check the Server object to see whether
it is acting as a preferred bridgehead server for the site. This condition has
ISTG implications in both sites, as follows:
● Site to which you are moving the server: If you move a preferred
bridgehead server to a different site, it becomes a preferred
bridgehead server in the new site. If preferred bridgehead servers are
not currently in use in this site, the ISTG behavior in this site changes
to support preferred bridgehead servers. For this reason, you must
either configure the server to not be a preferred bridgehead server
(recommended), or select additional preferred bridgehead servers in
the site (not recommended).
● Site from which you are moving the server: If the server is the last
preferred bridgehead server in the original site for its domain, and if
other domain controllers for the domain are in the site, the ISTG
selects a bridgehead server for the domain. If you use preferred
bridgehead servers, always select more than one server as the
preferred bridgehead server for the domain. If, after the removal of
this domain controller from the site, multiple domain controllers
remain that are hosting the same domain and only one of them is
configured as a preferred bridgehead server, either configure the
server to not be a preferred bridgehead server (recommended), or
select additional preferred bridgehead servers hosting the same
domain in the site (not recommended).

Note If you select preferred bridgehead servers and all selected preferred
bridgehead servers for a domain are unavailable in the site, the ISTG does not select
a new bridgehead server. In this case, replication of this domain to and from other
sites does not occur. However, if no preferred bridgehead server is selected for a
domain or transport (through administrator error or as the result of moving the only
preferred bridgehead server to a different site), the ISTG automatically selects a
preferred bridgehead server for the domain and replication proceeds as scheduled.
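Procedures 4 and 5 of this task, as an added example that is not part of this guide: PowerShell that lists the preferred bridgehead servers of a site grouped by domain, explains what moving a given server out of the site would do to the ISTG in both sites, and clears the preferred-bridgehead setting on a Server object. The setting is stored as the transport's distinguished name in the Server object's bridgeheadTransportList attribute. Site and server names are assumptions for the example; the forest reports domain controllers by DNS host name, so Test-MoveImpact takes that form.

```powershell
# Added example (not from this guide). Reports preferred bridgehead servers of
# a site, the ISTG consequences of moving one of them, and clears the setting.
# Site and server names are placeholders.

function Get-PreferredBridgeheads {
    # Hashtable: domain DNS name -> names of the preferred RPC (IP transport)
    # bridgehead servers for that domain in the site.
    param([string]$SiteName)
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $site = $forest.Sites | Where-Object { $_.Name -ieq $SiteName }
    if (-not $site) { throw "Site '$SiteName' not found" }
    $byDomain = @{}
    foreach ($server in $site.PreferredRpcBridgeheadServers) {
        if ($server -isnot [System.DirectoryServices.ActiveDirectory.DomainController]) { continue }
        $domainName = $server.Domain.Name
        if (-not $byDomain.ContainsKey($domainName)) { $byDomain[$domainName] = @() }
        $byDomain[$domainName] += $server.Name
    }
    $byDomain
}

function Test-MoveImpact {
    # Explains what moving $ServerName (DNS host name) out of $SiteName means
    # for the ISTG in the old and the new site, per the guidance above.
    param([string]$SiteName, [string]$ServerName)
    $preferred = Get-PreferredBridgeheads -SiteName $SiteName
    $findings = @()
    foreach ($domainName in $preferred.Keys) {
        $list = @($preferred[$domainName])
        if ($list -notcontains $ServerName) { continue }
        $findings += "$ServerName is a preferred bridgehead for $domainName in $SiteName; it stays preferred after the move and switches the target site's ISTG to preferred-bridgehead behaviour. Clear the setting first."
        if ($list.Count -eq 1) {
            $findings += "It is the only preferred bridgehead for $domainName in $SiteName; after the move the ISTG here reverts to automatic selection for that domain."
        }
    }
    if ($findings.Count -eq 0) { "$ServerName is not a preferred bridgehead in $SiteName; no ISTG impact." } else { $findings }
}

function Clear-PreferredBridgehead {
    # Removes every transport from bridgeheadTransportList, which is what
    # "Configure the server to not be a preferred bridgehead server" does.
    param([string]$SiteName, [string]$ServerCN)
    $configDN = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    $server = [ADSI]"LDAP://CN=$ServerCN,CN=Servers,CN=$SiteName,CN=Sites,$configDN"
    if ($server.Properties['bridgeheadTransportList'].Count -eq 0) {
        return "$ServerCN is not a preferred bridgehead in $SiteName"
    }
    $server.Properties['bridgeheadTransportList'].Clear()
    $server.CommitChanges()
    "$ServerCN is no longer a preferred bridgehead in $SiteName"
}

Get-PreferredBridgeheads -SiteName 'Seattle'
Test-MoveImpact -SiteName 'Seattle' -ServerName 'dc1.corp.contoso.com'
Clear-PreferredBridgehead -SiteName 'Seattle' -ServerCN 'DC1'
```

Run Test-MoveImpact before Procedure 6 and act on it while the server is still in its original site: a preferred bridgehead that is moved with the setting still on is exactly the case in the note above, where every domain controller of the domain in the target site loses automatic selection and intersite replication for that domain stops the first time the moved server is unavailable.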

Use the following procedures to move a domain controller to a different
site. Procedures are explained in detail in the linked topics.

Procedure 1: Change the static IP address of the domain
controller
This procedure includes changing all appropriate TCP/IP values, including
preferred and alternate DNS servers, as well as WINS servers (if
appropriate). Obtain these values from the design team.
Link to procedure.

Procedure 2: Create a delegation for the domain controller
If the parent DNS zone of any zone that is hosted by this DNS server
contains a delegation to this DNS server, use this procedure to update the
IP address in all such delegations.
Link to procedure.

Procedure 3: Verify that an IP address maps to a subnet and
determine the site association
Use this procedure to ensure that the subnet is associated with the site to
which you are moving the Server object.
Link to procedure.

Procedure 4: Determine whether the server is a preferred
bridgehead server
Link to procedure.

Procedure 5: Configure the server to not be a preferred
bridgehead server
Use this procedure if the server is a preferred bridgehead server in the
current site and you do not want the server to be a preferred bridgehead
server in the new site.
Link to procedure.

Procedure 6: Move the Server object to the new site
Link to procedure.

Task: Removing a site
If domain controllers are no longer needed in a network location, you can
remove them from the site and then delete the Site object. Before deleting
the site, you must remove every domain controller from the site, either by
decommissioning it entirely or by moving it to a new location.
● To remove the domain controller, remove Active Directory from the
server and then delete the Server object from the site in Active
Directory.
● To retain the domain controller in a different location, move the
domain controller to a different site and then move the Server object
to the respective site in Active Directory.

Domain controllers can host other applications that depend on site
topology and publish objects as Child objects of the respective Server
object. For example, when MOM or Message Queuing is running on a
domain controller, these applications create Child objects beneath the
Server object. In addition, a server running Message Queuing that is not a
domain controller and is configured to be a routing server running
Message Queuing creates a Server object in the Sites container. Removing
the application from the server automatically removes the Child object
below the respective Server object. However, the Server object is not
removed automatically.
When all applications have been removed from the server (no Child
objects appear beneath the Server object), you can remove the Server
object. After the application is removed from the server, a replication
cycle might be required before Child objects are no longer visible below
the Server object.

After you delete or move the Server objects but before you delete the Site
object, reconcile the following objects:
Subnet object or objects for the site IP addresses:
● If the addresses are being reassigned to a different site, associate the
Subnet object or objects with that site. Any clients using the addresses
for the decommissioned site will thereafter be assigned automatically
to the other site.
● If the IP addresses will no longer be used on the network, delete the
corresponding Subnet object or objects.

You might need to delete a Site Link object, as follows:
● If the site you are removing is a member of a site link that contains
only two sites, delete the Site Link object; a site link with a single
member connects nothing.
● If the site you are removing is a member of a site link that contains
more than two sites, do not delete this Site Link object.

Before deleting a site, you need to consider the implications. If the site
you are removing is added to more than one site link, it might be an
interim site between other sites that are added to this site link. Deleting
the site might disconnect the outer sites from each other. In this case, the
site links must be reconciled according to the instructions of the design
team.
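The checks described above, before you start the procedures, as an added example that is not part of this guide: a read-only PowerShell report for a site that lists each Server object with its Child objects (a Server object with children must stay), each site link the site belongs to with the sites that would remain (one remaining site means delete the link, two or more means keep it and ask whether the site being removed was bridging them), and the Subnet objects still pointing at the site. The site name is an assumption for the example.

```powershell
# Added example (not from this guide). Produces the pre-deletion checklist for
# a site: Server objects that still have Child objects, site links that would
# be left with a single member, and subnets that must be re-pointed or deleted.
# Read-only. The site name is a placeholder.

function Get-SiteRemovalReport {
    param([string]$SiteName)
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $site = $forest.Sites | Where-Object { $_.Name -ieq $SiteName }
    if (-not $site) { throw "Site '$SiteName' not found" }
    $configDN = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value

    # 1. Server objects: a child such as NTDS Settings (Active Directory still
    #    installed) or an MSMQ or MOM object means the Server object must stay.
    $servers = @()
    $serversContainer = [ADSI]"LDAP://CN=Servers,CN=$SiteName,CN=Sites,$configDN"
    foreach ($server in $serversContainer.Children) {
        $children = @($server.Children | ForEach-Object { $_.Name -replace '^CN=', '' })
        $servers += New-Object PSObject -Property @{
            Server    = ($server.Name -replace '^CN=', '')
            Children  = ($children -join ', ')
            Deletable = ($children.Count -eq 0)
        }
    }

    # 2. Site links: a link that would keep only one site should be deleted;
    #    one that keeps two or more should stay, but the site being removed
    #    may have been the only path between those remaining sites.
    $links = @()
    foreach ($link in $site.SiteLinks) {
        $others = @($link.Sites | Where-Object { $_.Name -ine $SiteName } | ForEach-Object { $_.Name })
        $action = if ($others.Count -le 1) { 'delete site link' } else { 'keep site link; check that remaining sites stay connected' }
        $links += New-Object PSObject -Property @{
            SiteLink       = $link.Name
            RemainingSites = ($others -join ', ')
            Action         = $action
        }
    }

    # 3. Subnets still associated with the site (re-point or delete them)
    $subnets = @($site.Subnets | ForEach-Object { $_.Name })

    New-Object PSObject -Property @{
        Site          = $SiteName
        Servers       = $servers
        SiteLinks     = $links
        Subnets       = $subnets
        ReadyToDelete = (@($servers | Where-Object { -not $_.Deletable }).Count -eq 0)
    }
}

$report = Get-SiteRemovalReport -SiteName 'Boston'
$report.Servers   | Format-Table Server, Children, Deletable -AutoSize
$report.SiteLinks | Format-Table SiteLink, RemainingSites, Action -AutoSize
$report.Subnets
$report.ReadyToDelete
```

A Server object whose only child is NTDS Settings is a domain controller that has not yet been demoted or moved; run the report again after a replication cycle, since a child object removed on another domain controller can still show here until it replicates.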
Use the following procedures to remove a site. Procedures are explained
in detail in the linked topics.

Procedure 1: Determine whether a Server object has Child
objects
If a Child object appears, do not delete the Server object. Contact an
administrator.
Link to procedure.

Procedure 2: Delete a Server object from a site
Use this procedure to delete the Server objects within the Servers
container of the site that you are removing.
Link to procedure.

Procedure 3: Delete the Site Link object
Obtain this information from the design team.
Link to procedure.

Procedure 4: Associate the subnet or subnets with the
appropriate site
If you no longer want to use the IP addresses associated with the Subnet
object or objects, delete the Subnet objects.
Link to procedure.

Procedure 5: Delete the Site object
Link to procedure.

Procedure 6: Generate the intersite topology
Link to procedure.

Dependencies
● Domain Admins and Enterprise Admins credentials
● No Child objects appear below the Server object in Active Directory
Sites and Services
● Identity of the ISTG role holder in the site

Technology Required
Active Directory Sites and Services (Administrative Tools)

Quadrant: Operating
SMF: Security Administration
Role: Security Role
Cluster: As Needed

Process: Manage antivirus software on domain controllers
Description
It is crucial to minimize the risk of disruption caused by malicious code to
domain controllers because domain controllers provide a critical service to
their clients.
Antivirus software is the generally accepted way to mitigate the risk of
such malevolent activity. However, you cannot simply install antivirus
software (from any vendor) on a domain controller and tell it to scan
everything. Instead, it must be installed in a manner that reduces the
risk as far as possible while not interfering with the domain controllers'
ability to perform their directory service duties.
Purpose
Installing effective antivirus software on domain controllers minimizes the
risk that their activities will be disrupted by malicious code.
Guidelines
Follow the guidelines established by your antivirus software vendor.

Note Verify that the antivirus software you are adding is confirmed to work on
domain controllers.

Task: Exclude files not at risk of infection
Exclude the following files and folders from being scanned. These files are
not at risk of infection and including them could cause serious
performance problems due to file locking and excessive replication
between domain controllers. Furthermore, they may cause Active
Directory and FRS to work improperly, causing Active Directory or FRS
data loss. Where a specific set of files is identified by name, exclude only
those files rather than the entire folder. In some cases, the entire folder
must be excluded.

Do not exclude any of these based on the file name extension (that is, do
not exclude all files with a .dit extension). Microsoft has no control over
other files that might choose to use the same extension as those shown
here. AV software must not modify any data files in the logs, database,
and/or DSA working directories specified below.
● Active Directory and related files:
● Main NTDS database file. The location of this file is specified in:
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\DSA Database File
Default location is %windir%\ntds.
The file to be excluded is: Ntds.dit.
● Active Directory transaction log files. The log directory on any given
server is specified in:
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path
Default location is %windir%\ntds.
The specific files to be excluded are:
● EDB*.log (notice the wildcard—there can be several)
● RES1.log
● RES2.log
● NTDS Working folder specified in:
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory
Specific files to be excluded are:
● TEMP.edb
● EDB.chk
● SYSVOL files
● FRS Working Directory specified in:
HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Working Directory
Files to be excluded:
● FRS Working Dir\jet\sys\edb.chk
● FRS Working Dir\jet\ntfrs.jdb
● FRS Working Dir\jet\log\*.log
● FRS Database Log files specified in:
HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\DB Log File Directory
Default location is %windir%\ntfrs.
Files to be excluded:
● FRS Working Dir\jet\log\*.log (if registry key is not set)
● DB Log File Directory\log\*.log (if registry key is set)
● FRS Replica_root files specified in:
HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Root
● Staging directory found in:
HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage
● FRS Preinstall directory located at:
<Replica_root>\DO_NOT_REMOVE_NtFrs_PreInstall_Directory.
The Preinstall directory is always open exclusively when FRS is
running.
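The exclusion list above, generated from the registry, as an added example that is not part of this guide: a PowerShell function that reads the registry values this task names on the domain controller it runs on, falls back to the documented default locations when a value is not set, enumerates every replica set subkey, and returns the file and folder paths to enter in the antivirus console. It configures no antivirus product; the exact product settings are the vendor's. That the Replica Sets subkeys sit directly under NtFrs\Parameters\Replica Sets, as the task states, is the one structural assumption.

```powershell
# Added example (not from this guide). Builds the antivirus exclusion list for
# this domain controller from the registry values named above, using the
# documented defaults when a value is not set. Output only; nothing here
# configures any antivirus product.

function Get-RegistryValueOrDefault {
    param([string]$Key, [string]$Name, [string]$Default)
    $item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($item -and $item.$Name) { $item.$Name } else { $Default }
}

function Get-DomainControllerAvExclusions {
    param(
        [string]$NtdsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters',
        [string]$NtfrsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
    )
    $ntdsDefault = Join-Path $env:windir 'NTDS'
    $paths = New-Object System.Collections.ArrayList

    # Active Directory database, transaction logs and working files
    $dbFile  = Get-RegistryValueOrDefault $NtdsKey 'DSA Database File'       (Join-Path $ntdsDefault 'ntds.dit')
    $logDir  = Get-RegistryValueOrDefault $NtdsKey 'Database Log Files Path' $ntdsDefault
    $workDir = Get-RegistryValueOrDefault $NtdsKey 'DSA Working Directory'   $ntdsDefault
    [void]$paths.Add($dbFile)
    foreach ($name in 'edb*.log', 'res1.log', 'res2.log') { [void]$paths.Add((Join-Path $logDir $name)) }
    foreach ($name in 'temp.edb', 'edb.chk')              { [void]$paths.Add((Join-Path $workDir $name)) }

    # FRS working directory and database (default %windir%\ntfrs)
    $frsWork = Get-RegistryValueOrDefault $NtfrsKey 'Working Directory' (Join-Path $env:windir 'ntfrs')
    [void]$paths.Add((Join-Path $frsWork 'jet\sys\edb.chk'))
    [void]$paths.Add((Join-Path $frsWork 'jet\ntfrs.jdb'))

    # FRS database logs: location depends on whether DB Log File Directory is set
    $frsLogDir = Get-RegistryValueOrDefault $NtfrsKey 'DB Log File Directory' ''
    if ($frsLogDir) { [void]$paths.Add((Join-Path $frsLogDir 'log\*.log')) }
    else            { [void]$paths.Add((Join-Path $frsWork 'jet\log\*.log')) }

    # One subkey per replica set (SYSVOL and any DFS replica) with the replica
    # root and staging directory; the Preinstall directory lives under the root.
    $setsKey = Join-Path $NtfrsKey 'Replica Sets'
    foreach ($setKey in @(Get-ChildItem -Path $setsKey -ErrorAction SilentlyContinue)) {
        $root  = Get-RegistryValueOrDefault $setKey.PSPath 'Replica Set Root'  ''
        $stage = Get-RegistryValueOrDefault $setKey.PSPath 'Replica Set Stage' ''
        if ($root) {
            [void]$paths.Add($root)
            [void]$paths.Add((Join-Path $root 'DO_NOT_REMOVE_NtFrs_PreInstall_Directory'))
        }
        if ($stage) { [void]$paths.Add($stage) }
    }
    @($paths | Select-Object -Unique)
}

Get-DomainControllerAvExclusions
```

Run it on every domain controller rather than copying one list around: the NTDS and FRS paths are per-server settings, and a domain controller whose database was moved with Ntdsutil will have values that differ from the defaults.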

Task: Install software
The following recommendations are general and should not be construed
as more important than the specific antivirus software vendor’s own
recommendations. These guidelines must be followed for correct Active
Directory and FRS operation.

Note Test the chosen antivirus software solution thoroughly in a lab environment
to ensure that the software does not compromise the stability of the system.

● Antivirus software must be installed on all domain controllers in the
enterprise. Ideally, such software should also be installed on all other
server and client systems that have to interact with the domain
controllers. Catching the virus at the earliest point, at the firewall or on
the client system on which the virus is first introduced, is best; that
prevents the virus from ever reaching the infrastructure systems upon
which all clients depend.
● Use a version of antivirus software that is confirmed to work with
Active Directory and uses the correct APIs for accessing files on the
server. Older versions of most vendors’ software inappropriately
modified file metadata as it was scanned, causing the FRS replication
engine to think the file was changed and to schedule it for replication.
Newer versions prevent this problem. Refer to Knowledge Base article
Q815263 and to the vendor-specific sites for compliant versions.
● Prevent the use of domain controller systems as general workstations.
Users should not be using a domain controller to surf the Web or
perform any other activities that could allow the introduction of
malicious code.
● When possible, do not use the domain controller as a file sharing
server. Virus scanning software must be run against all files in those
shares and could place an unsatisfactory load on the processor and
memory resources of the server.

Quadrant: Optimizing
SMF: Availability Management
Role: Infrastructure Role
Cluster: As Needed

Process: Add a global catalog
Description
Designate global catalog servers in sites to accommodate forest-wide
directory searching and so that Active Directory can determine universal
group membership of native-mode domain clients.
Purpose
Adding a global catalog improves the speed of logging on and searching.
Guidelines
To improve the speed of logging on and searching, place at least one
global catalog server in each site, and at least two global catalog servers if
the site has multiple domain controllers. As a best practice, make half of
all domain controllers in a site global catalog servers if the site contains
more than three domain controllers. If your forest consists of a single
domain, configure all domain controllers as global catalog servers; in a
single-domain forest this requires no additional resources, because there
are no partial replicas of other domains to hold.
When placing global catalog servers, primary concerns are:
● Does any site have no global catalog servers?
● Which domain controllers are designated as global catalog servers in a
particular site?

When you add a global catalog server to a site, the Knowledge
Consistency Checker (KCC) updates the replication topology, after which
replication of partial domain directory partitions that are available within
the site begins. Replication of partial domain directory partitions that are
available only from other sites begins at the next scheduled interval.
Adding subsequent global catalog servers within a site requires only
intrasite replication and may not affect the wide area network. Replication
of the global catalog potentially affects network performance only when
adding the first global catalog server in the site, and the impact varies
depending on the following conditions:
● The speed and reliability of the wide area network (WAN) link or links
to the site.
● The size of the forest.

Task: Add the global catalog to a domain controller

When conditions in a site warrant adding a global catalog server, you can
configure a domain controller to be a global catalog server. Selecting the
global catalog setting on the NTDS Settings object prompts the KCC to
update the topology. After the topology is updated, the read-only partial
domain directory partitions are replicated to the designated domain
controller. When replication must occur between sites to create the global
catalog, the site link schedule determines when replication can occur.
Minimum hardware requirements for global catalog servers depend upon
the numbers of users in the site. Table 5 contains guidelines for assessing
hardware requirements.
Table 5. Global Catalog Hardware Guidelines

Users in site       Domain controller
<= 100              One uniprocessor PIII 500, 512 MB
101 - 500           One uniprocessor PIII 500, 512 MB
501 - 1,000         One dual PIII 500, 1 GB
1,001 - 10,000      Two quad PIII Xeon, 2 GB
> 10,000            One quad PIII Xeon, 2 GB, for every 5,000 users

When configuring a global catalog server, be sure the computer has
adequate hard disk space. Use the information in Table 6 to determine
how much storage to provide for the Active Directory database.

Table 6. Global Catalog Storage Requirements for the Active Directory Database

Server                  Active Directory database storage requirement
Domain controller       0.4 GB for each 1,000 users in its domain
Global catalog server   0.6 GB for each 1,000 users in its domain

For example, in a forest with two 10,000-user domains, each domain
controller needs about 4 GB of storage and each global catalog server
about 6 GB; the difference is the partial, read-only replica of the other
domain that the global catalog server also holds.
These requirements represent conservative estimates. For a more
accurate determination of storage requirements, download and run the
Active Directory Sizer Tool (ADSizer.exe). You can download the
ADSizer.exe tool from the Active Directory Sizer Tool link on the Web
Resources page at
http://www.microsoft.com/windows/reskits/webresources.

Occupancy Levels and Global Catalog Server Readiness

The occupancy level setting on a domain controller (the Global Catalog
Partition Occupancy REG_DWORD value under
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters) determines the
criteria the server must meet before it advertises itself as a global
catalog server in DNS. If a global catalog server advertises itself before
it has synchronized all read-only directory partition replicas, clients can
receive incomplete or incorrect search results.
The requirements of the occupancy levels are as follows (each higher level
includes all levels below it):
● 0: No occupancy requirement.
● 1: An inbound connection for at least one read-only directory partition
in the site of the global catalog server is added to the designated
server by the KCC. Event ID 1264 in the Directory Service log signals
creation of the inbound connection.
● 2: At least one read-only directory partition in the site is replicated to
the global catalog server.
● 3: Inbound connections for all read-only directory partitions in the site
are added by the KCC, and at least one is replicated to the server.
● 4: All read-only directory partitions in the site are replicated to the
server.
● 5: Inbound connections for all read-only directory partitions in the
forest are added by the KCC, and all directory partitions in the site are
replicated to the server.
● 6: All directory partitions in the forest are replicated to the server.

In Windows Server 2003 the default and maximum occupancy level is 6.

Exchange 2003 servers use the global catalog exclusively when looking up
addresses. Therefore, in addition to causing Active Directory client search
problems, the condition of a global catalog server being advertised before
it receives all partial replicas can cause Address Book lookup and mail
delivery problems for Exchange clients.
The Name Service Provider Interface (NSPI) must be running on a global
catalog server to enable MAPI access to Active Directory. To enable NSPI,
you must restart the global catalog server after replication of the partial
directory partitions is complete, or after occupancy requirements are met.
Use the following procedures to add a global catalog server to a domain
controller. The procedures are explained in detail in the linked topics.
Some procedures are performed only when you are configuring the first
global catalog server in the site.

Procedure 1: Configure a domain controller as a global catalog server
Setting the Global Catalog check box initiates replication of the
read-only partial replicas of all other domains in the forest to the
server.
Link to procedure.

Procedure 2: Monitor global catalog replication progress

Link to procedure.

Procedure 3: Verify successful replication to a domain controller

Check for inbound replication of all partial domain directory partitions in
the forest to ensure that all domain directory partitions have replicated to
the global catalog server.
Link to procedure.

Task: Verify the global catalog readiness

After replication of all forest partial domain directory partitions, the
domain controller advertises as a global catalog server and begins
accepting queries on ports 3268 and 3269. The default requirements in
Windows Server 2003 include replication of all domain directory partitions
in the forest. If the domain controller advertises as a global catalog server
before it has complete information from all domains in the forest, it might
return false information to applications that begin using the server for
forest-wide searches.
A global catalog is ready to serve clients when the following events occur,
in this order:
● Occupancy level requirements are met by replicating read-only
replicas.
● The isGlobalCatalogReady rootDSE attribute is set to TRUE.
● The Net Logon service on the domain controller has updated DNS with
global-catalog-specific SRV resource records.

Procedure 1: Verify global catalog readiness

Link to procedure.

Procedure 2: Verify global catalog DNS registrations

In this procedure you will restart the global catalog server and verify
global catalog DNS registrations by checking DNS for global catalog SRV
resource records.
Link to procedure.

Quadrant: Optimizing | SMF: Capacity Management | Role Cluster: Infrastructure | Frequency: As Needed

Process: Removing the global catalog from a domain controller

Description
When you remove the global catalog, the domain controller immediately
stops advertising as a global catalog server and stops listening to the
global catalog ports. It also attempts to remove the DNS records it
registered previously. The KCC gradually removes the read-only replicas
from the domain controller.
Purpose
Upgrading from Windows 2000 Server to Windows Server 2003 adds many
new features, including universal group caching. Universal group caching
may eliminate the requirement for the global catalog on a domain
controller in a particular site, motivating the removal.

Task: Remove a global catalog

The procedure to remove the global catalog is simply to clear the Global
Catalog check box on the NTDS Settings object properties page. As
soon as you perform this step, the domain controller stops advertising
itself as a global catalog server (Net Logon de-registers the global catalog-
related records in DNS) and immediately stops accepting LDAP requests
over ports 3268 and 3269.
When you remove the global catalog from a domain controller, the KCC
begins removing the read-only replicas one at a time by means of an
asynchronous process that removes objects gradually over time. Each
time the KCC runs (every 15 minutes by default), it attempts the removal
of the read-only replica until there are no remaining objects.
Use the following procedures to remove the global catalog from a domain
controller. The procedures are explained in detail in the linked topics.

Procedure 1: Clear the global catalog setting

Link to procedure.

Procedure 2: Monitor global catalog removal in Event Viewer

Link to procedure.
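The Global Catalog check box in Active Directory Sites and Services toggles
bit 0x1 (NTDSDSA_OPT_IS_GC) of the options attribute on the server's NTDS
Settings object. The PowerShell script below is an added example, not a
procedure from this guide: it sets or clears that bit directly for both the
add and the remove case described above, and, when adding, polls the
server's rootDSE until isGlobalCatalogReady reports TRUE. Run it as an
enterprise administrator; the server and site names in the usage lines are
placeholders.

```powershell
# Added example (not part of the Product Operations Guide). Enables or
# disables the global catalog on a domain controller by editing the
# 'options' attribute of its NTDS Settings object through ADSI, then waits
# for the server to report readiness. Placeholders: DC02, Branch01.

function Get-NtdsSettings([string]$ServerName, [string]$SiteName) {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    return [ADSI]"LDAP://CN=NTDS Settings,CN=$ServerName,CN=Servers,CN=$SiteName,CN=Sites,$configNc"
}

function Set-GlobalCatalog([string]$ServerName, [string]$SiteName, [bool]$Enable) {
    $ntds = Get-NtdsSettings $ServerName $SiteName
    $opts = [int]$ntds.options.Value          # $null (attribute unset) becomes 0
    $isGc = ($opts -band 0x1) -ne 0
    if ($isGc -eq $Enable) { return "$ServerName already has GlobalCatalog = $Enable" }

    # Only bit 0x1 changes; other option bits (for example, disabled
    # inbound/outbound replication) are preserved.
    $newOpts = if ($Enable) { $opts -bor 0x1 } else { $opts -band (-bnot 0x1) }
    $ntds.Put('options', $newOpts)
    $ntds.SetInfo()
    return "Set GlobalCatalog = $Enable on $ServerName; the KCC rebuilds the topology on its next run (every 15 minutes by default)"
}

function Wait-GlobalCatalogReady([string]$ServerName, [int]$TimeoutMinutes = 120) {
    # rootDSE isGlobalCatalogReady turns TRUE only after the occupancy
    # requirements are met, which for the first GC in a site depends on the
    # site link schedule. Returns $true when ready, $false on timeout.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $dse = [ADSI]"LDAP://$ServerName/RootDSE"
        if (([string]$dse.isGlobalCatalogReady) -eq 'TRUE') { return $true }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    return $false
}

# Usage (placeholder names):
# Set-GlobalCatalog -ServerName 'DC02' -SiteName 'Branch01' -Enable $true
# if (Wait-GlobalCatalogReady -ServerName 'DC02') {
#     'Ready; restart DC02 so that NSPI starts for MAPI clients'
# }
# Set-GlobalCatalog -ServerName 'DC02' -SiteName 'Branch01' -Enable $false
```

Clearing the bit has the immediate effect the text describes (Net Logon
deregisters the GC records and ports 3268/3269 close); the read-only
replicas are then removed gradually by the KCC, which the script does not
wait for.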

Quadrant: Optimizing | SMF: Capacity Management | Role Cluster: Infrastructure | Frequency: As Needed

Process: Identify global catalog servers in a site

Maintain a list of those servers that are designated as global catalog
servers. Routinely check these servers to ensure that no one has changed
the designation. Check other servers to ensure that no one has
erroneously designated a global catalog server.

Task: Identifying a global catalog server

Use the following procedure to determine whether a domain controller is a
global catalog server. The procedure is explained in detail in the linked
topic.

Procedure: Determine whether a domain controller is a global catalog server
Use this procedure to check the properties on the NTDS Settings object of
the respective Server object to determine whether a domain controller is a
global catalog server.
Link to procedure.

Task: Identifying a site that has no global catalog servers
To quickly identify a site that has no global catalog servers, you can
perform one command rather than check each server individually. You can
perform this test any time you add a site, or routinely if global catalog
servers can potentially be removed inappropriately.
Use the following procedure to determine whether a site has a global
catalog server. The procedure is explained in detail in the linked topic.

Procedure: Determine whether a site has at least one global catalog server
To identify a site that has no global catalog servers you must determine
whether a site has at least one global catalog server.
Link to procedure.

Task: Identifying sites that have universal group caching enabled
Universal group caching mitigates the need to locate a global catalog
server at a site by caching universal group membership on a domain
controller. Therefore, when users log on in remote offices, there is no
requirement to use a WAN connection to determine universal group
membership.

Procedure: Determine whether universal group caching is enabled
Link to procedure.
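The three tasks above (which domain controllers are global catalogs, which
sites have none, and which sites rely on universal group caching instead)
can be answered in one pass over the configuration partition. The
PowerShell script below is an added example, not a procedure from this
guide. It walks every site, reads bit 0x1 of each NTDS Settings options
attribute (global catalog) and bit 0x20 of the NTDS Site Settings options
attribute (universal group membership caching), and also checks whether the
site-specific _gc SRV record exists in DNS. It assumes a domain-joined
machine that can read the configuration partition and, for the DNS check,
the Resolve-DnsName cmdlet of the DnsClient module.

```powershell
# Added example (not part of the Product Operations Guide). Reports, per
# site, the domain controllers, the global catalogs, DNS advertisement and
# universal group caching, and flags sites that have neither a GC nor
# caching enabled.

$rootDse   = [ADSI]'LDAP://RootDSE'
$configNc  = [string]$rootDse.configurationNamingContext
# 'DC=corp,DC=example,DC=com' -> 'corp.example.com' (forest root DNS name)
$forestDns = ([string]$rootDse.rootDomainNamingContext -replace ',?DC=', '.').TrimStart('.')

function Test-GcSrvRecord([string]$SiteName) {
    # Site-specific GC locator record registered by Net Logon in the forest root zone.
    $name = "_gc._tcp.$SiteName._sites.$forestDns"
    $rr = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue
    return [bool]($rr | Where-Object { $_.Type -eq 'SRV' })
}

function Get-SiteGcReport {
    $sites = [ADSI]"LDAP://CN=Sites,$configNc"
    foreach ($site in $sites.Children | Where-Object { $_.SchemaClassName -eq 'site' }) {
        $siteName = [string]$site.cn
        $siteDn   = [string]$site.distinguishedName

        $settings = [ADSI]"LDAP://CN=NTDS Site Settings,$siteDn"
        $ugmc = (([int]$settings.options.Value) -band 0x20) -ne 0   # unset attribute -> 0

        $dcs = @(); $gcs = @()
        $servers = [ADSI]"LDAP://CN=Servers,$siteDn"
        foreach ($srv in $servers.Children | Where-Object { $_.SchemaClassName -eq 'server' }) {
            # A server object is a domain controller only if it has an nTDSDSA
            # (NTDS Settings) child; stale server objects are skipped.
            $ntds = $srv.Children | Where-Object { $_.SchemaClassName -eq 'nTDSDSA' } | Select-Object -First 1
            if (-not $ntds) { continue }
            $dcs += [string]$srv.cn
            if ((([int]$ntds.options.Value) -band 0x1) -ne 0) { $gcs += [string]$srv.cn }
        }

        [pscustomobject]@{
            Site                  = $siteName
            DomainControllers     = ($dcs -join ', ')
            GlobalCatalogs        = ($gcs -join ', ')
            GcSrvRecordInDns      = Test-GcSrvRecord $siteName
            UniversalGroupCaching = $ugmc
            NeedsAttention        = ($dcs.Count -gt 0 -and $gcs.Count -eq 0 -and -not $ugmc)
        }
    }
}

Get-SiteGcReport | Format-Table -AutoSize
```

A site can show GcSrvRecordInDns = True with no GC of its own when a
global catalog in another site covers it through automatic site coverage;
compare that column with GlobalCatalogs before deciding that a site is
served locally.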

Quadrant: Optimizing | SMF: Availability | Role Cluster: Infrastructure | Frequency: As Needed

Process: Move an operations master role


Description
Operations masters keep the directory functioning properly by performing
specific tasks that no other domain controllers are permitted to perform.
Because operations masters are critical to the long-term performance of
the directory, they must be available to all domain controllers and desktop
clients that require their services. Careful placement of your operations
masters becomes more important as you add more domains and sites to
build your forest.
To perform these functions, the domain controllers hosting these
operations master roles must be consistently available and be located in
areas where network reliability is high.
Role transfer is the preferred method to move an operations master role
from one domain controller to another. During a role transfer, the two
domain controllers replicate to ensure that no information is lost. After the
transfer completes, the previous role holder reconfigures itself so that it
no longer attempts to perform as the operations master while the new
domain controller assumes those duties. This prevents the possibility of
duplicate operations masters existing on the network at the same time,
which can lead to corruption in the directory.
Purpose
Three operations master roles exist in each domain:
● The primary domain controller (PDC) emulator. The PDC emulator
processes all replication requests from Microsoft Windows NT 4.0
backup domain controllers. It also processes all password updates and
other directory writes from clients that do not run Active
Directory–enabled client software, and it receives preferential
replication of password changes from the other domain controllers.
● The relative identifier (RID) master. The RID master allocates RID pools
to all domain controllers to ensure that new security principals can be
created with a unique identifier.
● The infrastructure master. The infrastructure master for a given
domain updates the references it holds to security principals in other
domains (for example, cross-domain group members) so that renames and
moves made in those domains are reflected locally.

In addition to the three domain-level operations master roles, two
operations master roles exist in each forest:
● The schema master, which governs all changes to the schema.
● The domain naming master, which adds and removes domains and
application partitions to and from the forest.

Guidelines
Design principles and best practices for initial operations master role
assignment are covered in the Windows Server 2003 Deployment Kit:
Planning, Testing, and Piloting Deployment Projects. Operations master
role holders are placed automatically when the first domain controller in a
given domain is created. The three domain-level roles are assigned to the
first domain controller created in a domain. The two forest-level roles are
assigned to the first domain controller created in a forest.
Reasons for moving the operations master role(s) include inadequate
service performance, failure or decommission of a domain controller
hosting an operations master role, or if dictated by configuration changes
made by an administrator.

Inadequate Level of Service
The PDC emulator is the operations master role that most impacts the
performance of a domain controller. For clients that do not run Active
Directory client software, the PDC emulator processes requests for
password changes, replication, and user authentication. While providing
support for these clients, the domain controller continues to perform its
normal services, such as authenticating Active Directory–enabled clients.
As the network grows, the volume of client requests can increase the
workload for the domain controller that hosts the PDC emulator role and
its performance can suffer. To solve this problem, you can transfer all or
some of the master operations roles to another, more powerful domain
controller. Alternately, you may choose to transfer the role to another
domain controller, upgrade the hardware on the original domain
controller, and then transfer the role back again.

Master Operations Role Holder Failure
In the event of a failure, you must decide if you need to relocate the
operations master roles to another domain controller or wait for the
domain controller to be returned to service. Base that determination on
the role that the domain controller hosts and the expected downtime.

Decommissioning of the Domain Controller
Before permanently taking a domain controller offline, transfer any
operations master roles held by the domain controller to another domain
controller.
Configuration Changes
Configuration changes to domain controllers or the network topology can
result in the need to transfer master operations roles. Except for the
infrastructure master, you can assign operations master roles to any
domain controller regardless of any other tasks that the domain controller
performs. Do not host the infrastructure master role on a domain
controller that is also acting as a global catalog server unless all of the
domain controllers in the domain are global catalog servers or unless only
one domain is in the forest. If the domain controller hosting the
infrastructure master role is configured to be a global catalog server, you
must transfer the infrastructure master role to another domain controller.
Changes to the network topology can result in the need to transfer
operations master roles in order to keep them in a particular site.
You can reassign an operations master role by transfer or, as a last resort,
by seizure.
To transfer a role to a new domain controller, ensure that the destination
domain controller is a direct replication partner of the previous role holder
and that replication between them is up to date and functioning properly.
This minimizes the time required to complete the role transfer. If
replication is sufficiently out of date, the transfer can take a while, but it
eventually finishes.

Important If you must seize an operations master role, never reattach the
previous role holder to the network without following the procedures in this guide.
Incorrectly reattaching the previous role holder to the network can result in invalid
data and corruption of data in the directory.

Guidelines for Role Placement
By improperly placing operations master role holders, you might prevent
clients from changing their passwords or being able to add domains and
new objects, such as Users and Groups. You might also be unable to make
changes to the schema. In addition, name changes might not properly
appear within group memberships that are displayed in the user interface.
As your environment changes, you must avoid the problems associated
with improperly placed operations master role holders. Eventually, you
might need to reassign the roles to other domain controllers.
Although you can assign the forest-level and domain-level operations
master roles to any domain controller in the forest and domain
respectively, improperly placing the infrastructure master role can cause it
to function improperly. Other improper configurations can increase
administrative overhead.

Requirements for Infrastructure Master Placement
Do not place the infrastructure master on a domain controller that is also
a global catalog server.
The infrastructure master updates the names of security principals for any
domain-named linked attributes. For example, if a user from one domain is
a member of a group in a second domain and the user’s name is changed
in the first domain, then the second domain is not notified that the user’s
name must be updated in the group’s membership list. Because domain
controllers in one domain do not replicate security principals to domain
controllers in another domain, the second domain never becomes aware
of the change. The infrastructure master constantly monitors group
memberships, looking for security principals from other domains. If it finds
one, it checks with the security principal’s domain to verify that the
information is updated. If the information is out of date, the infrastructure
master performs the update and then replicates the change to the other
domain controllers in its domain.
Two exceptions apply to this rule. First, if all the domain controllers in
the domain are global catalog servers, it does not matter which one hosts
the infrastructure master role, because every global catalog already
receives the updated information through replication of the partial
replicas, regardless of domain. Second, if the forest has only one domain,
the infrastructure master has nothing to update, because security
principals from other domains do not exist.

Recommendations for Role Placement
Although you can assign the operations master roles to any domain
controller, follow these guidelines to minimize administrative overhead
and ensure the performance of Active Directory. If a domain controller
that is hosting operations master roles fails, following these guidelines
also simplifies the recovery process. Guidelines for role placement include:
● Leave the two forest-level roles on a domain controller in the forest
root domain.
● Place the three domain-level roles on the same domain controller.
● Do not place the domain-level roles on a global catalog server.
● Place the domain-level roles on a higher performance domain
controller.
● Adjust the workload of the operations master role holder, if necessary.
● Choose an additional domain controller as the standby operations
master for the forest-level roles and choose an additional domain
controller as the standby for the domain-level roles.

Forest-level Role Placement in the Forest Root Domain
The first domain controller created in the forest is assigned the schema
master and domain naming master roles. To ease administration and
backup and restore procedures, leave these roles on the original forest
root domain controller. Moving the roles to other domain controllers does
not improve performance. Separating the roles creates additional
administrative overhead when you must identify the standby operations
masters and when you implement a backup and restore policy.
Unlike the PDC emulator role, forest-level roles rarely place a significant
burden on the domain controller. Keep these roles together to provide
easy, predictable management.

Forest-level Role Placement on a Global Catalog Server
In addition to hosting the schema master and domain naming master
roles, the first domain controller created in a forest also hosts the global
catalog. In Windows 2000 the domain naming master must be a global
catalog server, so leaving the forest-level roles on this domain controller
also satisfies that requirement.

Domain-level Role Placement on the Same Domain Controller
The three domain-level roles are assigned to the first domain controller
created in a new domain. Except for the forest root domain, leave the
roles at that location. Keep the roles together unless the workload on your
operations master justifies the additional management burden of
separating the roles.
Because all clients prior to Active Directory submit updates to the PDC
emulator, the domain controller holding that role uses a higher number of
RIDs. Place the PDC emulator and RID master roles on the same domain
controller so that these two roles interact more efficiently.
If you must separate the roles, you can still use a single standby
operations master for all three roles. However, you must ensure that the
standby is a replication partner of all three of the role holders.
Backup and restore procedures also become more complex if you
separate the roles. Special care must be taken to restore a domain
controller that hosted an operations master role. By hosting the roles on a
single computer, you minimize the steps that are required to restore a role
holder.

Domain-level Role Absence on a Global Catalog Server
Do not host the infrastructure master on a domain controller that is acting
as a global catalog server. Because it is best to keep the three domain-
level roles together, avoid putting any of them on a global catalog server.

Domain-level Role Placement on a Higher Performance Domain Controller
Host the PDC emulator role on a powerful and reliable domain controller to
ensure that it is available and capable of handling the workload. Of all the
operations master roles, the PDC emulator creates the most overhead on
the server that is hosting the role. It has the most intensive daily
interaction with other systems on the network. The PDC emulator has the
greatest potential to affect daily operations of the directory.

Workload Adjustment of the Operations Master Role Holder
Domain controllers can become overloaded while attempting to service
client requests on the network, manage their own resources, and handle
any specialized tasks such as performing the various operations master
roles. This is especially true of the domain controller holding the PDC
emulator role. Again, clients prior to Active Directory and domain
controllers running Windows NT 4.0 rely more heavily on the PDC emulator
than Active Directory clients and Windows 2000 Server domain
controllers. If your networking environment has clients and domain
controllers prior to Active Directory, you might need to reduce the
workload of the PDC emulator.
If a domain controller begins to indicate that it is overloaded and its
performance is affected, you can reconfigure the environment so that
some tasks are performed by other, less-used domain controllers. By
lowering the weight of the domain controller's DNS SRV records, you can
cause the domain controller locator on clients to select it less often
than the other domain controllers on your network. Alternatively, you
can raise the priority value of its SRV records so that clients select it
only when all domain controllers with a lower priority value are
unavailable. With fewer client referrals to process, the domain controller
can devote more resources to its operations master duties for the domain.

Task: Designating a domain controller for an operations master role
When you create a new domain, the Active Directory Installation Wizard
automatically assigns all of the domain-level operations master roles to
the first domain controller that is created in that domain. When you create
a new forest, the wizard also assigns the two forest-level operations
master roles to the first domain controller. After the domain is created and
functioning, you might transfer various operations master roles to
different domain controllers to optimize performance and simplify
administration.
The transfer of forest-level and domain-level operations master roles is
performed as needed and is governed by the guidelines for placing
operations master roles. Before you transfer an operations master role,
use Repadmin.exe with the /showreps option to ensure that replication
between the current role holder and the domain controller assuming the
role is updated.

In addition, determine whether the domain controller that you intend to
assume an operations master role is a global catalog server, because the
infrastructure master of each domain must not be a global catalog server
(unless all domain controllers in the domain are global catalog servers or
the forest has a single domain).
Do not change the global catalog configuration on the domain controller
that you intend to assume an operations master role unless your IT
management authorizes that change. Changing the global catalog
configuration can cause changes that can take days to complete, and the
domain controller might not be available during that period. Instead,
transfer the operations master roles to a different domain controller that is
already properly configured.
The following procedures are explained in detail in the linked topics.

Procedure 1: Verify successful replication to a domain controller
Link to procedure.

Procedure 2: Determine whether a domain controller is a global catalog server
Link to procedure.

Procedure 3: Transfer the forest-level operations master roles
Link to procedure.

Procedure 4: Transfer the domain-level operations master roles
Link to procedure.

Task: Verifying the transfer of an operations master role
After an operations master role has been transferred, verify that the
transfer succeeded and that the new role holder is known throughout the
directory. The change takes full effect only after it has replicated to
every domain controller in the domain (or, for a forest-level role, in the
forest), because each domain controller records the role holder in its own
replica.
The following procedure is explained in detail in the linked topic:

Procedure 1: View the current operations master role holders
Link to procedure.
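The following PowerShell script is an added example, not a procedure from
this guide; it uses the System.DirectoryServices.ActiveDirectory classes
rather than Ntdsutil or the MMC snap-ins. It shows the current holder of all
five roles and transfers one role to a named domain controller only after
the checks called for in this task pass: the target must be a direct
replication partner of the current holder whose last inbound sync from it
succeeded, and the infrastructure master may not land on a global catalog
server unless every domain controller in the domain is a global catalog or
the forest has a single domain. The same checks apply when you later
transfer roles to the designated standby. The server name in the usage
lines is a placeholder.

```powershell
# Added example (not part of the Product Operations Guide). Requires Domain
# Admins for domain-level roles and Schema/Enterprise Admins for the
# forest-level roles. Placeholder target: dc02.corp.example.com.
Add-Type -AssemblyName System.DirectoryServices

function Get-RoleHolders {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaRoleOwner.Name
        DomainNamingMaster   = $forest.NamingRoleOwner.Name
        PdcEmulator          = $domain.PdcRoleOwner.Name
        RidMaster            = $domain.RidRoleOwner.Name
        InfrastructureMaster = $domain.InfrastructureRoleOwner.Name
    }
}

function Move-OperationsMasterRole(
    [string]$TargetDc,
    [System.DirectoryServices.ActiveDirectory.ActiveDirectoryRole]$Role) {

    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = $domain.Forest
    $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', $TargetDc)
    $target = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)

    $current = switch ([string]$Role) {
        'SchemaRole'         { $forest.SchemaRoleOwner }
        'NamingRole'         { $forest.NamingRoleOwner }
        'PdcRole'            { $domain.PdcRoleOwner }
        'RidRole'            { $domain.RidRoleOwner }
        'InfrastructureRole' { $domain.InfrastructureRoleOwner }
    }
    if ($current.Name -ieq $target.Name) { return "$Role is already held by $TargetDc" }

    # Check 1: infrastructure master placement rule, with its two exceptions.
    if ($Role -eq 'InfrastructureRole' -and $target.IsGlobalCatalog()) {
        $allGc  = @($domain.DomainControllers | Where-Object { -not $_.IsGlobalCatalog() }).Count -eq 0
        $single = $forest.Domains.Count -eq 1
        if (-not ($allGc -or $single)) {
            throw "$TargetDc is a global catalog server; refusing to place the infrastructure master there"
        }
    }

    # Check 2: the target must replicate directly from the current holder and
    # that link must be healthy (LastSyncResult 0 = success). Assumption:
    # SourceServer is reported by host name, so match on the host label.
    $holderHost = ($current.Name -split '\.')[0]
    $link = $target.GetAllReplicationNeighbors() |
        Where-Object { $_.SourceServer -like "$holderHost*" } | Select-Object -First 1
    if (-not $link) { throw "$TargetDc is not a direct replication partner of $($current.Name)" }
    if ($link.LastSyncResult -ne 0) {
        throw "Last inbound sync from $($current.Name) failed with error $($link.LastSyncResult): $($link.LastSyncMessage)"
    }

    # Transfer (never seizure): both sides replicate before the role moves.
    $target.TransferRoleOwnership($Role)
    return "Transferred $Role to $TargetDc; confirm with Get-RoleHolders once replication converges"
}

# Usage (placeholder name):
# Get-RoleHolders
# Move-OperationsMasterRole -TargetDc 'dc02.corp.example.com' -Role PdcRole
# Move-OperationsMasterRole -TargetDc 'dc02.corp.example.com' -Role RidRole
# Move-OperationsMasterRole -TargetDc 'dc02.corp.example.com' -Role InfrastructureRole
```

Run Get-RoleHolders against more than one domain controller (or compare
with repadmin /showreps) before treating the transfer as complete; each
domain controller learns of the new holder only when the change replicates
to it.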

Quadrant: Optimizing | SMF: Capacity Management | Role Cluster: Infrastructure | Frequency: As Needed

Process: Reduce the workload on the PDC emulator
Description
You can configure DNS so that a domain controller is queried less
frequently than others. Reducing the number of client requests helps
reduce the workload on a domain controller, giving it more time to
function as an operations master, and is especially important for the PDC
emulator. Of all the operations master roles, the PDC role has the highest
impact on the domain controller hosting that role. You might need to take
steps to keep that domain controller from becoming overloaded.
To receive information from the domain, a client uses DNS to locate a
domain controller and then sends the request to that domain controller.
By default, DNS performs rudimentary load balancing and randomizes the
distribution of client requests so they are not always sent to the same
domain controller. If too many client requests are sent to a domain
controller while it attempts to perform other duties, such as those of the
PDC emulator, it can become overloaded, which has a negative impact on
performance. To reduce the number of client requests that are processed
by the PDC emulator, you can adjust its weight or its priority in the DNS
environment.
Purpose
In addition to the normal domain controller load from clients, the PDC
emulator must also process password changes and down-level replication.
To offset some of the load caused by ordinary client traffic, you can shield
the PDC emulator so that more of that traffic is distributed to other
domain controllers that are equally capable of processing it.

Task: Adjusting the DNS weight setting
Adjusting the weight of a domain controller to a value less than that of
other domain controllers reduces the number of clients that DNS refers to
that domain controller. The default weight for all domain controllers is
100. By reducing this value, DNS refers clients to a domain controller less
frequently based on the proportion of this value to the value of other
domain controllers. For example, to configure the system so that the
domain controller hosting the PDC emulator role receives requests only
half as many times as the other domain controllers, configure the weight
of the domain controller hosting the PDC emulator role to be 50. DNS
determines the weight ratio for that domain controller to be 50/100 (50 for
that domain controller and 100 for the other domain controllers). After you
reduce this ratio to 1/2, DNS refers clients to the other domain controllers
twice as often as it refers to the domain controller with the reduced weight
setting. By reducing client referrals, the domain controller receives fewer
client requests and has more resources for other tasks, such as
performing the role of PDC emulator. Note that weight only balances among
domain controllers whose SRV records carry the same priority value.

Procedure 1: Change the weight for DNS SRV records in the registry
Link to procedure.

Task: Adjusting the DNS priority registry setting
Adjusting the priority of the domain controller also reduces the number of
client referrals. However, rather than reducing them proportionally to the
other domain controllers, a higher priority value (the default is 0, and
lower values are preferred) causes clients to stop selecting this domain
controller altogether unless every domain controller with a lower priority
value is unavailable.

Procedure 1: Change the priority for DNS SRV records in the registry
Link to procedure.
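Net Logon reads the weight and priority it registers from the REG_DWORD
values LdapSrvWeight (default 100) and LdapSrvPriority (default 0) under
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. The
PowerShell script below is an added example, not a procedure from this
guide: it reads the current values, computes the share of referrals a given
weight implies against the other domain controllers in the same priority
tier (the arithmetic behind the 50 versus 100 example above), and sets new
values followed by a forced re-registration with nltest /dsregdns. The
four-server fleet in the usage line is constructed for illustration.

```powershell
# Added example (not part of the Product Operations Guide). Run on the
# domain controller whose SRV records you want to change, as a local
# administrator.
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-DcLocatorSrvSettings {
    $p = Get-ItemProperty -Path $netlogonKey
    $weight   = 100   # Net Logon default when the value is absent
    $priority = 0
    if ($p.PSObject.Properties['LdapSrvWeight'])   { $weight   = [int]$p.LdapSrvWeight }
    if ($p.PSObject.Properties['LdapSrvPriority']) { $priority = [int]$p.LdapSrvPriority }
    [pscustomobject]@{ Weight = $weight; Priority = $priority }
}

function Get-ReferralShare([hashtable]$DcWeights) {
    # Within one priority tier a client picks each record with probability
    # weight / (sum of weights), so this is the long-run share of referrals.
    $total = ($DcWeights.Values | Measure-Object -Sum).Sum
    foreach ($entry in $DcWeights.GetEnumerator() | Sort-Object Name) {
        [pscustomobject]@{
            Dc     = $entry.Name
            Weight = $entry.Value
            Share  = [math]::Round($entry.Value / $total, 3)
        }
    }
}

function Set-DcLocatorSrvSettings([int]$Weight = 100, [int]$Priority = 0) {
    if ($Weight -lt 0 -or $Weight -gt 65535 -or $Priority -lt 0 -or $Priority -gt 65535) {
        throw 'Weight and priority are 16-bit SRV fields (0-65535)'
    }
    Set-ItemProperty -Path $netlogonKey -Name LdapSrvWeight   -Value $Weight   -Type DWord
    Set-ItemProperty -Path $netlogonKey -Name LdapSrvPriority -Value $Priority -Type DWord
    # Net Logon re-registers on its own schedule; force it so the change is visible now.
    & nltest.exe /dsregdns | Out-Null
    Get-DcLocatorSrvSettings
}

# Constructed fleet: the PDC emulator at weight 50, three other DCs at the default 100.
# PDC01 gets 50/350 (about 14%) of referrals; each other DC gets 100/350, twice as many.
Get-ReferralShare @{ 'PDC01' = 50; 'DC02' = 100; 'DC03' = 100; 'DC04' = 100 } | Format-Table -AutoSize

# To apply the reduced weight on the PDC emulator itself:
# Set-DcLocatorSrvSettings -Weight 50 -Priority 0
```

Verify the result from a client with nslookup -type=SRV against the
_ldap._tcp.dc._msdcs.<domain> name; the weight and priority columns of the
returned records should reflect the new values after re-registration.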

Quadrant: Operating | SMF: System Administration | Role Cluster: Infrastructure | Frequency: As Needed

Process: Transferring a role holder

Description
Transferring a forest level or domain level operations master role may be
required, depending on other operations in your environment or changes
to your Active Directory infrastructure such as the addition or removal of
domain controllers. This process should be performed as required and
should follow Microsoft's best practices concerning operations master role
placement as outlined at
http://www.microsoft.com/technet/treeview/default.asp?
url=/technet/prodtechnol/windowsserver2003/proddocs/deployguide/dssb
e_upnt_xlfh.asp.
Purpose
Transferring a role holder is necessary when:
● A new computer becomes available that is more capable of handling
the particular operations master role.
● The role holder will be taken offline for an extended period of time.
● Topology changes make the current role holder no longer the best
choice to hold that role.
● A domain controller is being decommissioned. You cannot control
which domain controller the wizard chooses and the wizard does not
indicate which domain controller receives the roles. Because of this
behavior, it is best to transfer the roles prior to running the wizard.

Guidelines
When you use the Active Directory Installation Wizard to decommission a
domain controller that currently hosts one or more operations master
roles, the wizard reassigns the roles to a different domain controller. When
the wizard is run, it determines whether the domain controller currently
hosts any operations master roles. If it detects any operations master
roles, it queries the directory for other eligible domain controllers and
transfers the roles to a new domain controller. A domain controller is
eligible to host the domain-level roles if it is a member of the same
domain. A domain controller is eligible to host a forest-level role if it is a
member of the same forest.

Task: Transfer to the standby operations master role


By following the recommendations for operations master role placement,
the standby operations master is a direct replication partner and is ready
to assume the roles. Remember to designate a new standby for the
domain controller that assumes the roles.
The following procedures are explained in detail in the linked topics.

Procedure 1: Verify successful replication to a domain controller


Link to procedure.

Procedure 2: Determine whether a domain controller is a global catalog server
Link to procedure.

Procedure 3: Transfer the forest-level operations master roles


Link to procedure.

Procedure 4: Transfer the domain-level operations master roles


Link to procedure.

Procedure 5: View the current operations master role holders


Link to procedure.

Process: Choose a standby operations master


Link to process.

Task: Transfer an operations master role when no standby is ready
If you do not follow the recommendations for role placement and you have
not designated a standby operations master, you must properly prepare a
domain controller to which you intend to transfer the operations master
roles. Preparing the future role holder is the same process as preparing a
standby operations master. You must manually create a Connection object
to ensure that it is a replication partner with the current role holder and
that replication between the two domain controllers is updated.
In addition, you must determine whether the domain controller intended
to assume an operations master role is a global catalog server. The
infrastructure master for each domain must not host the global catalog.
Do not change the global catalog configuration on the domain controller that
you intend to have assume an operations master role unless your IT
management authorizes that change. Changing the global catalog
configuration can cause changes that take days to complete, and the domain
controller might not be available during that period. Instead, transfer the
operations master roles to a different domain controller that is already
properly configured.
The following procedures are explained in detail in the linked sections.

Procedure 1: Verify successful replication to a domain controller


Link to procedure.

Procedure 2: Determine whether a domain controller is a global catalog server
Link to procedure.

Procedure 3: Transfer the forest-level operations master roles


Link to procedure.

Procedure 4: Transfer the domain-level operations master roles


Link to procedure.

Procedure 5: View the current operations master role holders


Link to procedure.
Quadrant: Operating System. Role Cluster: Infrastructure. SMF: Administration. As Needed.

Process: Seize an operations master role


Description
Seizing a role should be done only as a last resort in order to assign a role
to a different domain controller. Use this process only when the previous
operations master fails and remains out of service for an extended period
of time. During a role seizure, the domain controller does not verify that
replication is updated, so recent changes can be lost. Because the
previous role holder is unavailable during the role seizure, it cannot know
that a new role holder exists. If the previous role holder comes back online
it might still assume that it is the operations master. This can result in
duplicate operations master roles on the network, which can lead to
corruption of data in the directory and ultimately to the failure of the
domain or forest.
Purpose
Seizing an operations master role allows:
● Transfer of operations master role to another computer when the
existing operations master fails without warning.
● Transfer of operations master role when transfer to standby operations
master was not successfully completed before the operations master
was taken down (for whatever reason).

Guidelines
If a role is seized, the new role holder is configured to host the operations
master role with the assumption that you do not intend to return the
previous role holder to service. Use role seizure only when the previous
role holder is not available and you need the operations master role to
keep the directory functioning. Because the previous role holder is not
available during a seizure, you cannot reconfigure the previous role holder
and inform it that another domain controller is now hosting the operations
master role.
With Windows Server 2003, the previous role holder waits for a full
replication cycle to complete successfully before it resumes the role of
operations master. By waiting for a full replication cycle, it can see if
another operations master exists before it brings itself back online. If the
previous role holder detects that another operations master exists, it
reconfigures itself so that it no longer hosts the roles in question.
To reduce risk, perform a role seizure only if the missing operations
master role unacceptably affects performance of the directory. Calculate
the effect by comparing the impact of the missing service provided by the
operations master to the amount of work that is needed to bring the
previous role holder safely back online after you perform the role seizure.
See Table 7 for a risk assessment of operations master roles.
Active Directory continues to function when the operations master roles
are not available. If the role holder is only offline for a short period, you
might not need to seize the role to a new domain controller. Remember
that returning an operations master to service after the role is seized can
have dire consequences if it is not done properly.
might not need to seize the role to a new domain controller. Remember
that returning an operations master to service after the role is seized can
have dire consequences if it is not done properly.
Table 7. Operations Master Role Functionality Risk Assessment
(Columns: Operations Master Role; Consequences if Role Is Unavailable; Risk
of Improper Restoration; Recommendation for Returning to Service After
Seizure.)

Schema master
  Consequences if role is unavailable: You cannot make changes to the
  schema.
  Risk of improper restoration: Conflicting changes can be introduced to
  the schema if both schema masters attempt to modify the schema at the
  same time. This can result in a fragmented schema.
  Recommendation for returning to service after seizure: Not
  recommended. Can lead to a corrupted forest and require rebuilding the
  entire forest.

Domain naming master
  Consequences if role is unavailable: You cannot add or remove domains
  from the forest.
  Risk of improper restoration: You cannot add or remove domains or
  clean up metadata. Domains might appear as though they are still in
  the forest even though they are not.
  Recommendation for returning to service after seizure: Not
  recommended. Can require rebuilding domains.

PDC emulator
  Consequences if role is unavailable: You cannot change passwords on
  pre-Active Directory clients. No replication to Windows NT 4.0 backup
  domain controllers.
  Risk of improper restoration: Password validation can randomly pass or
  fail. Password changes take much longer to replicate throughout the
  domain.
  Recommendation for returning to service after seizure: Allowed. User
  authentication can be erratic for a time, but no permanent damage
  occurs.

Infrastructure master
  Consequences if role is unavailable: Delays displaying updated group
  membership lists in the user interface when you move users from one
  group to another.
  Risk of improper restoration: Displays incorrect user names in group
  membership lists in the user interface after you move users from one
  group to another.
  Recommendation for returning to service after seizure: Allowed. May
  impact the performance of the domain controller hosting the role, but
  no damage occurs to the directory.

RID master
  Consequences if role is unavailable: Eventually, domain controllers
  cannot create new directory objects as each of their individual RID
  pools is depleted.
  Risk of improper restoration: Duplicate RID pools can be allocated to
  domain controllers, resulting in data corruption in the directory. This
  can lead to security risks and unauthorized access.
  Recommendation for returning to service after seizure: Not
  recommended. Can lead to data corruption that can require rebuilding
  the domain.

Task: Seizing an operations master role


Seize an operations master role only as a last resort. If at all possible,
transfer an operations master role to a new domain controller instead.
Seize an operations master role only if the current role owner is offline and
is unlikely to return to service.
Role seizure is the act of assigning an operations master role to a new
domain controller without the cooperation of the current role holder
(usually because it is offline due to a hardware failure). During role
seizure, a new domain controller assumes the operations master role
without communicating with the current role holder.
Role seizure can create two conditions that can cause problems in the
directory. First, the new role holder starts performing its duties based on
the data located in its current directory partition. The new role holder
might not receive changes that were made to the previous role holder
before it went offline if replication did not complete prior to the time when
the original role holder went offline. This can cause data loss or introduce
data inconsistency into the directory database.
To minimize the risk of losing data to incomplete replication, do not
perform a role seizure until enough time has passed to complete at least
one complete end-to-end replication cycle across your network. Allowing
enough time for complete end-to-end replication ensures that the domain
controller that assumes the role is as up-to-date as possible.
Second, the original role holder is not informed that it is no longer the
operations master role holder, which is not a problem if the original role
holder stays offline. However, if it comes back online (for example, if the
hardware is repaired or the server is restored from a backup), it might try
to perform the operations master role that it previously owned. This can
result in two domain controllers performing the same operations master
role simultaneously. Depending on the role in question and whether your
environment runs Windows 2000 Server SP2 or Windows 2000 Server SP3,
this can disrupt the directory service. For example, a RID master might
reallocate a duplicate RID pool, resulting in corruption of data in the
directory. The severity of duplicate operations master roles varies from no
visible effect to the need to rebuild the entire forest.
If you are seizing a role and you have not designated another domain
controller as the standby operations master, you can use Repadmin.exe
with the /showreps option to identify a domain controller that has the
most recent updates from the current role holder. Seize the operations
master role to that domain controller to minimize the impact of the role
seizure.
The following procedures are explained in detail in the linked sections.

Procedure 1: Verify successful replication to a domain controller


This needs to be the domain controller that will be seizing the role.
Link to procedure.

Procedure 2: Seize the operations master role


Link to procedure.

Procedure 3: View the current operations master role holders


Link to procedure.
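Added example (not from the guide) covering both the transfer tasks earlier in
this chapter and this seizure task: a PowerShell script that performs the
guide's pre-checks (inbound replication healthy on the target, no
infrastructure master on a global catalog server, current holder reachable for
a transfer and unreachable for a seizure) before calling the RSAT
ActiveDirectory cmdlet that transfers or, with -Force, seizes the roles, and
then lists the current holders. It assumes Windows PowerShell 5.1 or later
with the RSAT ActiveDirectory module, Domain Admins rights for the domain-level
roles and Enterprise or Schema Admins rights for the forest-level roles; the
function names, the reachability check on LDAP port 389 and the sample server
names are this example's own.

```powershell
# Added example, not part of the guide: transfer or seize operations master roles
# with the guide's pre-checks automated. Assumed: Windows PowerShell 5.1+, RSAT
# ActiveDirectory module, sufficient rights for the roles being moved.
Import-Module ActiveDirectory

function Get-RoleHolders {
    # View the current operations master role holders (forest roles plus one domain).
    param([string]$Domain = $env:USERDNSDOMAIN)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}

function Test-InboundReplication {
    # Verify successful replication to the DC that will take the role: the last
    # attempt from every inbound partner must have succeeded (result code 0).
    param([Parameter(Mandatory)][string]$DomainController)
    $failed = Get-ADReplicationPartnerMetadata -Target $DomainController -PartnerType Inbound |
        Where-Object { $_.LastReplicationResult -ne 0 }
    foreach ($p in $failed) {
        Write-Warning ("{0}: inbound replication from {1} last failed with {2} at {3}" -f
            $DomainController, $p.Partner, $p.LastReplicationResult, $p.LastReplicationAttempt)
    }
    return (@($failed).Count -eq 0)
}

function Find-MostCurrentPartner {
    # No standby designated: pick the DC whose last successful inbound replication
    # from the failed holder is most recent (the Repadmin /showreps idea in the text,
    # read from replication metadata instead of parsed output).
    param([Parameter(Mandatory)][string]$FailedHolder, [string]$Domain = $env:USERDNSDOMAIN)
    $shortName = ($FailedHolder -split '\.')[0]
    $rows = foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        if ($dc.HostName -eq $FailedHolder) { continue }
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound -ErrorAction SilentlyContinue |
            Where-Object { $_.Partner -like "CN=NTDS Settings,CN=$shortName,*" } |
            ForEach-Object { [pscustomobject]@{ DC = $dc.HostName; LastSuccess = $_.LastReplicationSuccess } }
    }
    $rows | Sort-Object LastSuccess -Descending | Select-Object -First 1
}

function Move-OperationsMasterRole {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string[]]$Role,
        [switch]$Seize   # last resort only: current holder is offline and not coming back
    )
    $dc = Get-ADDomainController -Identity $Target
    # The infrastructure master must not sit on a global catalog server.
    if ($Role -contains 'InfrastructureMaster' -and $dc.IsGlobalCatalog) {
        throw "$Target is a global catalog server; do not place the infrastructure master on it."
    }
    if (-not (Test-InboundReplication -DomainController $dc.HostName)) {
        throw "Inbound replication to $Target has errors; fix them before moving roles."
    }
    $holders = Get-RoleHolders -Domain $dc.Domain
    foreach ($r in $Role) {
        $current   = $holders.$r
        # LDAP answering on 389 is taken as "the current holder is still in service".
        $reachable = Test-NetConnection -ComputerName $current -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
        if ($Seize -and $reachable)           { throw "$current still answers; transfer $r instead of seizing it." }
        if (-not $Seize -and -not $reachable) { throw "$current is unreachable; $r cannot be transferred, only seized." }
    }
    if ($PSCmdlet.ShouldProcess($dc.HostName, "Move $($Role -join ', ') (seize=$Seize)")) {
        # -Force turns the transfer into a seizure: the old holder is not consulted.
        Move-ADDirectoryServerOperationMasterRole -Identity $dc -OperationMasterRole $Role -Force:$Seize -Confirm:$false
    }
    Get-RoleHolders -Domain $dc.Domain
}

# Transfer to the designated standby (sample names are constructed):
#   Move-OperationsMasterRole -Target standby1.corp.contoso.com -Role PDCEmulator, RIDMaster -WhatIf
# Seize after a failed holder, onto its most up-to-date former partner:
#   $best = Find-MostCurrentPartner -FailedHolder dc1.corp.contoso.com
#   Move-OperationsMasterRole -Target $best.DC -Role RIDMaster -Seize -WhatIf
```

Run Move-OperationsMasterRole with -WhatIf first and drop it only once the
holders and the pre-check output look right. The seizure path still does
exactly what the text warns about: the old holder is never told it lost the
role, so the decision never to return it to service unprepared (Table 7) has to
be made by the operator, not the script.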
Quadrant: Operating System. Role Cluster: Infrastructure. SMF: Administration. As Needed.

Process: Choose a standby operations master


Description
The standby operations master is a domain controller that you identify as
the computer that assumes the operations master role if the original
computer fails. You do not need to perform any special configuration steps
or run any type of setup utilities to make a domain controller a standby
operations master. This precautionary planning step helps make your
operation more resilient if a problem arises that requires you to reassign a
master operations role to a new domain controller.
Ensure that the standby operations master is a direct replication partner
of the actual operations master. If the standby operations master domain
controller is a direct replication partner of the original operations master,
it most likely contains the most recent changes to the domain. This
reduces the time required to transfer the role to the standby operations
master and, in the case of a failure, reduces the chances of losing
information. Even if replication is not totally complete, only a few
outstanding updates exist. Those outstanding updates can be replicated
by a normal replication cycle rather than requiring a full synchronization,
which replicates all of the account information in the partition. To
guarantee that the two domain controllers are replication partners, you
must manually create a connection object between them. Although
creating manual connection objects is not generally recommended, in this
one case it is necessary because it is so important that these two domain
controllers be replication partners.
If you must reassign the domain-level operations master roles to the
standby operations master, do not place the infrastructure master role on
a global catalog server.
Purpose
Choosing a standby operations master enables another domain controller
to assume an operations master role if the domain controller to which it
was originally assigned fails. This ensures that the domain controller with
a particular operations master role is not a single point of failure for that
role.

Task: Choosing a standby operations master


A single domain controller can act as the standby operations master for all
of the operations master roles in a domain, or you can designate a
separate standby for each operations master role.
No utilities or special steps are required to designate a domain controller
as a standby operations master. However, the current operations master
and the standby should be well connected. This means that the network
connection between them must support at least a 10-megabit
transmission rate and be available at all times. In addition, configure the
current role holder and the standby as direct replication partners by
manually creating a Connection object between them.
Configuring a replication partner can save some time if you must reassign
any operations master roles to the standby operations master. Before
transferring a role from the current role holder to the standby operations
master, ensure that replication between the two computers is functioning
properly. Because they are replication partners, the new operations
master is as updated as the original operations master, thus reducing the
time required for the transfer operation. To determine whether the
standby domain controller received the latest replicated updates from the
current operations master, use Repadmin.exe with the /showreps option.
During role transfer, the two domain controllers exchange any
unreplicated information to ensure that no transactions are lost. If the two
domain controllers are not direct replication partners, a substantial
amount of information might need to be replicated before the domain
controllers completely synchronize with each other. The role transfer
requires extra time to replicate the outstanding transactions. If the two
domain controllers are direct replication partners, fewer outstanding
transactions exist and the role transfer operation completes sooner.
Designating a domain controller as a standby also minimizes the risk of
role seizure. By making the operations master and the standby direct
replication partners, you reduce the chance of data loss in the event of a
role seizure, thereby reducing the chances of introducing corruption into
the directory.
When you designate a domain controller as the standby, follow all
recommendations that are discussed in “Guidelines for Role Placement”
earlier in this guide. To designate a standby for the forest-level roles,
choose a global catalog server so it can interact more efficiently with the
domain naming master. To designate a standby for the domain-level roles,
ensure that the domain controller is not a global catalog server so that the
infrastructure master continues to function properly if you must transfer
the roles.
Manually create a connection object between the operations master and
the designated standby operations master to ensure that replication
occurs between the two domain controllers.
The following procedures are explained in detail in the linked sections.

Procedure 1: Determine whether a domain controller is a global catalog server
Link to procedure.

Procedure 2: Create a Connection object


Link to procedure.
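Added example (not from the guide): a PowerShell script for the two procedures
above that makes a standby a direct replication partner of the operations
master by creating the manual connection object the text calls for, refuses a
global catalog server as standby for the domain-level roles, and checks whether
such a connection already exists so the object is not created twice. It
assumes the RSAT ActiveDirectory module and Domain Admins rights; the function
names, the connection object's display name and the sample server names are
this example's own.

```powershell
# Added example, not part of the guide: designate a standby operations master by
# giving it a manual inbound connection from the current role holder.
# Assumed: RSAT ActiveDirectory module, Domain Admins rights.
Import-Module ActiveDirectory

function Get-NtdsSettingsDN {
    param([Parameter(Mandatory)][string]$DomainController)
    (Get-ADDomainController -Identity $DomainController).NTDSSettingsObjectDN
}

function Test-DirectReplicationPartner {
    # True when a connection object already makes $Standby pull from $Master.
    param([Parameter(Mandatory)][string]$Master, [Parameter(Mandatory)][string]$Standby)
    $from = Get-NtdsSettingsDN $Master
    $to   = Get-NtdsSettingsDN $Standby
    $conn = Get-ADReplicationConnection -Filter "ReplicateFromDirectoryServer -eq '$from' -and ReplicateToDirectoryServer -eq '$to'"
    return ($null -ne $conn)
}

function New-StandbyConnection {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Master,
        [Parameter(Mandatory)][string]$Standby,
        [switch]$ForDomainRoles   # a standby for PDC/RID/infrastructure must not be a GC
    )
    $standbyDc = Get-ADDomainController -Identity $Standby
    if ($ForDomainRoles -and $standbyDc.IsGlobalCatalog) {
        throw "$Standby is a global catalog server; it cannot stand by for the infrastructure master."
    }
    if (Test-DirectReplicationPartner -Master $Master -Standby $Standby) {
        Write-Verbose "$Standby already replicates directly from $Master; nothing to do."
        return
    }
    $from = Get-NtdsSettingsDN $Master
    $to   = Get-NtdsSettingsDN $Standby
    if ($PSCmdlet.ShouldProcess($Standby, "Create manual connection object from $Master")) {
        # options = 0 marks the connection as manually created, so the KCC will not
        # remove it during its next topology pass; it is an inbound link for the standby.
        New-ADObject -Name "Standby from $Master" -Type nTDSConnection -Path $to -OtherAttributes @{
            fromServer        = $from
            enabledConnection = $true
            options           = 0
        }
    }
}

# Sample names are constructed for this example:
#   New-StandbyConnection -Master dc1.corp.contoso.com -Standby dc2.corp.contoso.com -ForDomainRoles -WhatIf
#   Test-DirectReplicationPartner -Master dc1.corp.contoso.com -Standby dc2.corp.contoso.com
```

The connection is one-directional: it makes the standby pull from the master,
which is the direction a later transfer depends on. The "well connected"
requirement in the text (an always-available link of at least 10 megabits) is
not something the script can verify and stays a planning check.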
4
Processes by MOF Role Clusters
This chapter is designed for those who want to see all processes for a
single role cluster in one place. The information is the same as that in the
previous two chapters. The only difference is that the processes are
ordered by MOF role cluster.

Operations Role Cluster


Daily Processes
There are no daily processes for this role cluster.
Weekly Processes
Back up Active Directory
Monthly Processes
There are no monthly processes for this role cluster.
As-Needed Processes
Rename a domain controller
Authoritative restore for Active Directory objects
Non-authoritative restore of Active Directory
Recovering a domain controller through reinstallation

Support Role Cluster


There are no daily, weekly, monthly, or as-needed processes for this role
cluster.

Release Role Cluster


Daily Processes
There are no daily processes for this role cluster.
Weekly Processes
There are no weekly processes for this role cluster.
Monthly Processes
There are no monthly processes for this role cluster.
As-Needed Processes
Installing a domain controller for an existing domain
Removing Active Directory

Infrastructure Role Cluster


Daily Processes
There are no daily processes for this role cluster.
Weekly Processes
There are no weekly processes for this role cluster.
Monthly Processes
There are no monthly processes for this role cluster.
As-Needed Processes
Transferring a role holder
Seize an operations master role
Choose a standby operations master
Managing the SYSVOL
Managing sites
Move an operations master role
Manage the Active Directory database
Add a global catalog
Manage the Windows Time service
Managing trusts
Removing the global catalog from a domain controller
Identify global catalog servers in a site
Reduce the workload on the PDC emulator

Security Role Cluster


Daily Processes
There are no daily processes for this role cluster.
Weekly Processes
There are no weekly processes for this role cluster.
Monthly Processes
There are no monthly processes for this role cluster.
As-Needed Processes
Manage antivirus software on domain controllers

Partner Role Cluster


There are no daily, weekly, monthly, or as-needed processes for this role
cluster.
5
Appendix
Procedure Details
This chapter gives step-by-step information for the procedures listed in
Chapter 3 of this guide.

Procedure: Back up system state


The following procedure backs up system state only. It does not back up
the system disk or any other data on the domain controller.

Procedure Requirements
● To back up system state, you can log on at the local computer, or you
can enable Terminal Services in Remote Administration mode on the
remote domain controller.
● Credentials: Domain administrators, local administrator, or backup
operator
● Tool: Backup

Procedure Steps
To back up the system state on a domain controller
1. Log on to the domain controller by using an account that has domain
administrator or backup operator credentials.
2. Start the Windows Backup Wizard.
● From a command prompt or the Run text box, type ntbackup and
press ENTER.
-or-
● Go to Start > Programs > Accessories > System Tools >
Backup.
3. By default, the Always Start in Wizard Mode check box is checked.
You can leave this option selected, and click Next.
4. Select the Back up files and settings option, and then click Next.
5. Select the Let me choose what to back up option, and then click
Next.
6. In the Items to Back Up window, expand My Computer by clicking the
plus sign.
7. From the expanded list below My Computer, check the System
State option, and then click Next.
8. Select a location to store the backup.
● If you are backing up to a file, type the path and filename for the
backup (.bkf) file (or click the Browse button to find a folder or
file).
● If you are backing up to a tape unit, choose the tape that you wish
to use.

Note You should not store the backup on the local hard drive. Instead, you
should store it in an off-machine location, such as a tape drive.

9. Enter a name for this backup, and click Next.
10. On the last page of the wizard, select Advanced.
11. Do not change the default options for Type of Backup. Normal
should be selected, and the check box should remain cleared for
Backup migrated remote storage data. Click Next.
12. Check the Verify data after backup option, and then click Next.
13. In the Backup Options dialog box, select a backup option, and then
click Next.
14. Allow only the owner and administrator access to the backup data and
to any backups appended to this medium; click Next.
15. In the When to back up box, select the appropriate option for your
needs, and click Next.
16. If you are satisfied with all of the options selected, click Finish to
perform the backup operation according to your selected schedule.

Note The system state can also be backed up by using Ntbackup from a command
line with the appropriate parameters. For more information, refer to the
command-line reference accessible by typing ntbackup -? from a command prompt.

Procedure: Back up system state and the system disk


The following procedure backs up both system state and the system disk.

Procedure Requirements
● To back up system state, you must log on at the local computer, or you
must enable Terminal Services in Remote Administration mode on the
remote domain controller.
● Credentials: Domain administrator, local administrator, or backup
operator
● Tool: Backup.exe.

Procedure Steps
To back up system state and the system disk on a domain
controller
1. Log on to the domain controller by using an account that has domain
administrator, local administrator, or backup operator credentials.
2. Start the Windows Backup Wizard by choosing one of the following
options:
● Open a command prompt, type ntbackup and press ENTER.
-or-
● Go to Start > Programs > Accessories > System Tools >
Backup.
3. Click the Backup Wizard button, and then click Next.
4. Select Back up selected files, drives, or network data.
5. In Items to Back Up, click System State to select it. Then select the
drive letter containing the system files, and click the system disk. Click
Next.
6. In the Where to Store the Backup box, select the backup media
type by choosing one of the following options:
● Choose File if you want to back up to a file. If you do not have a
tape backup unit installed, File is selected automatically.
-or-
● Choose a tape device if you want to back up to tape.
7. In the Backup Media or File Name box, choose one of the following
options:
● If you are backing up to a file, type a path and file name for the
backup (.bkf) file, or click the Browse button to find a folder or file.
If the destination folder or file does not exist, the system creates it.
-or-
● If you are backing up to a tape unit, choose the tape that you want
to use.
8. After you click Next, the Completing the Backup Wizard screen
appears. This screen summarizes the options selected for this backup
job. Verify that Prompt to replace data is listed in the How
category. If it is not, click the Advanced button, click Next until you
reach the Media Options screen, and then select Replace the data on
the media with this backup.
9. Complete the remaining wizard screens, and click Finish to begin the
backup operation. When a Replace Data dialog box appears, click
Yes to overwrite the existing backup on this tape or file path with this
backup. A progress indicator shows the status of the backup operation.
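Added example (not from the guide): the command-line equivalent of the wizard
steps in the two backup procedures above, plus the check a later restore
depends on: a system state backup is only usable while it is younger than the
forest's tombstone lifetime, because a domain controller restored from an
older backup would reintroduce objects that every other domain controller has
already purged. It assumes ntbackup.exe on a Windows Server 2003 domain
controller (Windows Server 2008 and later replace it with wbadmin start
systemstatebackup), an account with backup operator rights, and, for the
lifetime query, a machine with the RSAT ActiveDirectory module; the file paths
and job names are this example's own.

```powershell
# Added example, not part of the guide: scripted system state backup and a check
# that an existing backup is still inside the tombstone lifetime.
# Assumed: ntbackup.exe (Windows Server 2003), backup operator rights,
# RSAT ActiveDirectory module for Get-TombstoneLifetimeDays.
function Backup-SystemState {
    param(
        [Parameter(Mandatory)][string]$BackupFile,   # e.g. \\backupsrv\dc\dc1-systemstate.bkf
        [string]$JobName = "System State $(Get-Date -Format yyyyMMdd)"
    )
    if ($BackupFile -like "$env:SystemDrive*") {
        # The procedure's note: do not keep the backup on the local system disk.
        Write-Warning "Backup target is on the local system drive; use a remote share or tape."
    }
    # Same choices as the wizard: normal backup type, verify after backup, summary log.
    $ntbArgs = @('backup', 'systemstate', '/J', "`"$JobName`"", '/F', "`"$BackupFile`"",
                 '/M', 'normal', '/V:yes', '/L:s')
    # ntbackup is a windowed program; -Wait is needed so the script sees it finish.
    $proc = Start-Process -FilePath ntbackup.exe -ArgumentList $ntbArgs -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "ntbackup exited with code $($proc.ExitCode)" }
    Get-Item -Path $BackupFile
}

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime lives on CN=Directory Service in the configuration partition;
    # when the attribute is not set the forest uses the built-in default of 60 days.
    Import-Module ActiveDirectory
    $config = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$config" -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Test-BackupUsable {
    # A backup older than the tombstone lifetime must not be restored to a domain
    # controller that will replicate with the rest of the domain.
    param([Parameter(Mandatory)][string]$BackupFile)
    $ageDays = ((Get-Date) - (Get-Item -Path $BackupFile).LastWriteTime).TotalDays
    $limit   = Get-TombstoneLifetimeDays
    [pscustomobject]@{
        BackupFile            = $BackupFile
        AgeDays               = [math]::Round($ageDays, 1)
        TombstoneLifetimeDays = $limit
        Usable                = ($ageDays -lt $limit)
    }
}

# Sample path is constructed for this example:
#   Backup-SystemState -BackupFile '\\backupsrv\dc\dc1-systemstate.bkf'
#   Test-BackupUsable  -BackupFile '\\backupsrv\dc\dc1-systemstate.bkf'
```

Backup-SystemState has to run on the domain controller being backed up;
Test-BackupUsable can run anywhere the backup file and a domain controller
are reachable, and belongs at the start of every restore procedure in this
appendix rather than after the restore has already been attempted.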
Procedure: Restart the domain controller in Directory Services Restore Mode
To take a domain controller offline, restart it in Directory Services Restore
Mode and log on as the local administrator. If you have physical access to
the domain controller, you can start in Directory Services Restore Mode
locally.
When you start Windows Server 2003 in Directory Services Restore Mode,
the local Administrator account is authenticated by the local Security
Accounts Manager (SAM) database. Therefore, logging on requires using
the local administrator password, not an Active Directory domain
password.

Procedure Requirements
● Credentials: Directory Services Restore Mode administrator
● Tool: None

Procedure Steps
To locally restart in Directory Services Restore Mode
1. Restart the domain controller.
2. When the screen for selecting an operating system appears, press F8.
3. From the Windows Advanced Options menu, select Directory
Services Restore Mode.
4. When prompted, log on as the local administrator.

Procedure: Allow this computer to replicate with all its partners

Procedure Steps
To allow this computer to replicate with all its partners
1. Open the command prompt.
2. Find the outbound partners for this domain controller by typing:
repadmin /showrepl /repsto <local domain controller name> and
press ENTER.
This repadmin command will output a list that contains information
about all of the outbound neighbors. For each neighbor, verify that the
last synchronization attempt was successful and has a time stamp that
indicates it has replicated since restore.
3. If replication has not been successful, you can force replication
between this domain controller and its outbound partners rather than
waiting for the next replication cycle. From a command prompt, run
repadmin /syncall /ed /A /P /q.
4. Check for replication errors in the output of the command in the
previous step. If there are no errors, then replication has been
successful. Any replication errors that exist must be rectified in order
for replication to be completed.
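Added example (not from the guide): a PowerShell check for steps 2 through 4
above that reads the same per-partner replication metadata Repadmin /showrepl
prints, confirms that every outbound partner has replicated successfully since
the restore, and runs the procedure's Repadmin /syncall command where it has
not. It assumes the RSAT ActiveDirectory module and repadmin.exe; the restore
time is supplied by the operator, and the function names and sample server
name are this example's own.

```powershell
# Added example, not part of the guide: confirm outbound replication has caught up
# after a restore. Assumed: RSAT ActiveDirectory module, repadmin.exe on the path.
Import-Module ActiveDirectory

function Get-OutboundReplicationSince {
    # One row per partition and outbound partner, flagged when the last successful
    # replication happened after the restore.
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][datetime]$RestoredAt
    )
    Get-ADReplicationPartnerMetadata -Target $DomainController -PartnerType Outbound -Partition * |
        ForEach-Object {
            [pscustomobject]@{
                Partition    = $_.Partition
                # Partner is the NTDS Settings DN "CN=NTDS Settings,CN=<server>,..."; keep <server>.
                Partner      = (($_.Partner -split ',')[1] -replace '^CN=')
                LastSuccess  = $_.LastReplicationSuccess
                LastResult   = $_.LastReplicationResult
                SinceRestore = ($_.LastReplicationResult -eq 0 -and $_.LastReplicationSuccess -gt $RestoredAt)
            }
        }
}

function Confirm-PostRestoreReplication {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][datetime]$RestoredAt,
        [switch]$ForceSync   # step 3: push instead of waiting for the next cycle
    )
    $status  = Get-OutboundReplicationSince -DomainController $DomainController -RestoredAt $RestoredAt
    $pending = @($status | Where-Object { -not $_.SinceRestore })
    if ($pending.Count -gt 0 -and $ForceSync) {
        # The procedure's switches: /e cross-site, /d name servers by DN, /A all
        # partitions, /P push outward from this DC, /q quiet.
        $out    = & repadmin.exe /syncall $DomainController /ed /A /P /q 2>&1
        $errors = $out | Select-String -Pattern 'error' -SimpleMatch
        foreach ($e in $errors) { Write-Warning $e.Line }
        $status  = Get-OutboundReplicationSince -DomainController $DomainController -RestoredAt $RestoredAt
        $pending = @($status | Where-Object { -not $_.SinceRestore })
    }
    [pscustomobject]@{
        DomainController = $DomainController
        Converged        = ($pending.Count -eq 0)   # step 4: no partner still behind the restore
        Pending          = $pending
    }
}

# Sample server name and timestamp are constructed for this example:
#   Confirm-PostRestoreReplication -DomainController dc1.corp.contoso.com `
#       -RestoredAt (Get-Date '2003-06-12 10:00') -ForceSync
```

Converged is the condition step 4 describes: only when it is true, and no
warnings were written from the /syncall output, has every outbound partner
received the restored data. Any partner left in Pending still needs its
replication error fixed before the restore can be considered complete.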

Procedure: Restore from backup media


Use a good backup containing at least the system state and system disk
to restore the server. By performing a non-authoritative restore on Active
Directory, you automatically perform a non-authoritative restore of
SYSVOL. No additional steps are required.

Procedure Requirements
● To restore system state, you must log on at the local computer, or you
must enable Terminal Services in Remote Administration mode on the
remote domain controller.
● Credentials: local Administrator account
● Tool: Backup.exe

Procedure Steps
To restore from backup media
1. In Directory Services Restore Mode, start the Windows Server 2003
backup utility. Go to Start > Programs > Accessories > System
Tools > Backup.
2. Click the Restore Wizard button, and then click Next.
3. Select the appropriate backup location and ensure that at least the
System disk and System State containers are selected.
4. Click the Advanced button.
5. In Restore Files to list, select Original Location, and then click
Next.
6. In the Advanced Restore Options window, check the boxes for:
● Restore security.
● Restore junction points, and restore the file and folder data
under the junction points to the original location.
● Preserve existing volume mount points.
● For a primary restore of SYSVOL, also check the following box:
When restoring replicated data sets, mark the restored data
as the primary data for all replicas.
A primary restore is only required if the domain controller you are
restoring is the only domain controller in the domain. A primary
restore is required on the first domain controller being restored in a
domain if you are restoring the entire domain or forest.
7. Click Finish.
8. When the restore is complete, click Close, and then click Yes to
restart the computer.

The system will now restart and will replicate any new information
received since the last backup with its replication partners.

Procedure: Turn off inbound replication using repadmin


This step is required only if the domain, or forest functional level, is
Windows 2000 native mode or earlier. By turning off inbound replication,
you ensure that changes to group membership originate from the restored
domain controller, rather than having the changes overwritten.

Procedure Steps
To turn off inbound replication using repadmin
1. From a command prompt or the Run text box, type repadmin
/options +DISABLE_INBOUND_REPL and then press ENTER.
2. Verify that the option is set. You should get this message: repadmin
running command /options against server localhost.

Procedure: Turn on inbound replication

Procedure Steps
To turn on inbound replication using repadmin
1. From a command prompt or the Run text box, type repadmin
/options . -DISABLE_INBOUND_REPL and then press ENTER.
2. Verify that the option is set. You should get this message: repadmin
running command /options against server localhost.

Procedure: Mark the application partition as authoritative


Once the data has been restored from backup, you must select which
objects are to be marked authoritative in order to have them replicated to
other domain controllers.

Procedure Steps
To mark the application partition as authoritative
1. From a command prompt or the Run text box, type ntdsutil to start
the tool.
2. At the ntdsutil: prompt, type authoritative restore and press
ENTER.
For assistance with the Ntdsutil command-line tool, type help at any
time.
3. Type List NC CRs and press ENTER.
NTDSUTIL will output a list of the application partitions that are
available after the restore, and the associated cross references. Note
the cross-reference distinguished name and application-partition
distinguished name that corresponds to the application partition you
wish to restore.
4. Type restore subtree <App Partition DN>, where App Partition
DN is the distinguished name of the application partition noted above.
5. Ntdsutil will provide a confirmation dialog. Click Yes to proceed.
The output message will indicate the status of the operation. There
should be no failures.
6. Type restore object <Cross Ref DN> (where Cross Ref DN is the
distinguished name of the application partition cross reference noted
above) and press ENTER.
7. Ntdsutil will provide a confirmation dialog. Click Yes to proceed.
The output message will indicate the status of the operation. There
should be no failures.
8. Quit the Ntdsutil tool.

Procedure: Mark the object(s) authoritative


Once the data has been restored from backup, you must select which
objects are to be marked authoritative in order to have them replicated to
other domain controllers. In order to complete this operation, you must
know the full distinguished name of the object you wish to restore.

Procedure Steps
To mark the object(s) authoritative
1. From a command prompt or the Run text box, type ntdsutil to start
the tool.
2. At the ntdsutil: prompt, type authoritative restore and press
ENTER.
For assistance with the Ntdsutil command-line tool, type help at any
time.
3. To restore an object, type restore object <object DN> (where object
DN is the distinguished name of the object that is to be marked
authoritative).
If you were to restore a deleted user named John Smith in a
corp.contoso.com domain, the command would be similar to:
restore object “CN=John Smith,CN=Users,DC=corp,DC=contoso,DC=com”
Always enclose the distinguished name in quotes when there is a space or
other special character within the distinguished name.
4. Press ENTER. Ntdsutil will start the attempt to mark the object as
authoritative. The output message will indicate the status of the
operation. The most common cause of failure is an incorrectly specified
distinguished name, or a backup for which the DN does not exist
(which would occur if you tried to restore a deleted user that was
created after the backup).
5. Quit the Ntdsutil tool.

Procedure: Verify Active Directory restore


After the restore is completed, you should restart the server and perform
basic verification.
Procedure Requirements
● You must log on at the local computer, or you must enable Terminal
Services in Remote Administration mode on the remote domain
controller.
● Credentials:
● Basic: domain administrator or local administrator
● Advanced: local administrator
● Tool: Backup.exe

Procedure Steps
To perform basic Active Directory verification
1. After the restore operation completes, restart the computer in Start
Windows Normally mode. Active Directory and Certificate Services
automatically detect that they have been recovered from a backup.
They perform an integrity check and re-index the database.
2. After you are able to log on to the system, browse Active Directory.
Verify that all of the User objects and Group objects that were present
in the directory prior to backup are restored. Similarly, verify that files
that were members of a File Replication service (FRS) replica set and
certificates that were issued by the Certificate Services are present.

Procedure: Restore system state to an alternate location


Perform this procedure to allow an authoritative restore of SYSVOL. After
the objects are restored, you can delete the files in the alternate location.

Procedure Requirements
● Credentials: local administrator
● Tool: Backup.exe

Procedure Steps
To restore system state to an alternate location
1. Click the Restore tab.
2. Select System State. (You need not restore the system disk to an
alternate location.)
3. In the Restore Files to drop-down list, ensure that Alternate
Location is selected, and designate an alternate location.
4. When the restore process is finished, close the backup utility.
Procedure: Clean up metadata


If you give the new domain controller the same name as the failed
computer, then you need to perform only the first procedure to clean up
metadata, which removes the NTDS Settings object of the failed domain
controller. If you give the new domain controller a different name, then
you need to perform all three procedures: clean up metadata, remove the
failed Server object from the site, and remove the Computer object from
the domain controller’s container.

Procedure Requirements
● Credentials: Enterprise administrator (Metadata cleanup requires
modifying the configuration naming context.)
● Tools: Ntdsutil.exe, Active Directory Sites and Services, Active
Directory Users and Computers

Procedure Steps
To clean up metadata
1. At the command line, type ntdsutil and press ENTER.
2. At the ntdsutil: prompt, type metadata cleanup and press ENTER.
3. At the metadata cleanup: prompt, type connections and press
ENTER.
4. At the server connections: prompt, type connect to server
servername, where servername is the domain controller (any
functional domain controller in the same domain) from which you plan
to clean up the metadata of the failed domain controller. Press ENTER.
5. Type quit and press ENTER to return to the metadata cleanup:
prompt.
6. Type select operation target and press ENTER.
7. Type list domains and press ENTER.
This lists all domains in the forest with a number associated with each.
8. Type select domain number, where number is the number
corresponding to the domain in which the failed server was located.
Press ENTER.
9. Type list sites and press ENTER.
10. Type select site number, where number refers to the number of the
site in which the domain controller was a member. Press ENTER.
11. Type list servers in site and press ENTER. This will list all servers in
that site with a corresponding number.
12. Type select server number, where number refers to the domain
controller to be removed, and press ENTER.
13. Type quit and press ENTER.
The Metadata cleanup menu is displayed.
14. Type remove selected server and press ENTER.
At this point, Active Directory confirms that the domain controller was
removed successfully. If you receive an error that the object could not
be found, Active Directory might have already removed the domain
controller.
15. Type quit and press ENTER until you return to the command prompt.
If the new domain controller receives a different name than the failed
domain controller, perform the following additional steps:

Note Do not perform the additional steps if the new computer will have the same
name as the failed computer. Ensure that hardware failure was not the cause of the
problem. If the faulty hardware is not changed, then restoring through reinstallation
might not help.

To remove the failed Server object from the site
1. In Active Directory Sites and Services, expand the appropriate site.
2. Delete the Server object associated with the failed domain controller.

To remove the failed Computer object from the domain controller's
container
1. In Active Directory Users and Computers, expand the domain
controller's container.
2. Delete the Computer object associated with the failed domain
controller.

Procedure: Install Active Directory


During the installation process, replication occurs, ensuring that the
domain controller has an accurate and up-to-date copy of Active Directory.
For more information about seizing operations master roles, see “Installing
Active Directory” in this guide.
After you gather information as described in “Gathering Installation
Information” earlier in this guide, you can use the Active Directory
Installation Wizard to install Active Directory.

Procedure Requirements
● Credentials: local Administrator account
● Tools: Dcpromo.exe
Procedure Steps
To install Active Directory
1. In the Run text box, type dcpromo and click OK.
2. The Active Directory Installation Wizard appears. At the Welcome
screen, click Next.
3. For Domain Controller Type, select Additional domain controller
for an existing domain. Click Next.
4. For Network Credentials, enter the user name, password, and
domain for the user account that has permission to add this new
domain controller to the domain. Click Next.
5. Enter the name of the domain that you want the new domain controller
to host. Click Next.
6. For Database and Log Locations, enter the paths for the locations of
the directory database (Ntds.dit) and the log files. For better
performance, store the database and log files on separate physical disk
drives. Click Next.
7. For Shared System Volume, enter the path where you want to locate
the system volume (SYSVOL). Click Next.
8. Under Directory Services Restore Mode Administrator
Password, enter the password that you want to use when you need to
start Directory Services Restore Mode. Click Next.
9. The Summary screen displays a list of the items you chose. Verify that
the information is correct, and then click Next to proceed with the
installation.
10. The wizard proceeds to install Active Directory. When it finishes, the
wizard displays a summary screen listing the domain and site in which
the new domain controller is a member. Verify that this information is
correct. Click Finish to close the wizard.
11. Click Restart to restart the domain controller.
12. Let the domain controller restart. If any message indicates that one or
more services has failed to start, restart the domain controller one
more time. If the initial replication cycles have not had enough time to
complete during the first restart on a new domain controller, some
services may be unable to start successfully. If the message appears
during additional restarts, examine the event logs in Event Viewer to
determine the cause of the problem.
Procedure: Promote server to domain controller

Procedure Steps
To promote a server to domain controller
1. In the Run text box, type dcpromo /adv and click Next.
2. Select Additional domain controller for existing domain.
3. Select From these restored backup files and point to the same
location where you had restored the system state data.
4. Since the domain controller you are promoting was a global catalog
server, the Active Directory Installation Wizard will ask you whether
you want this server to also be a global catalog.
5. Give appropriate credentials for the operation.
6. Enter the domain in which you want to place the new domain
controller. It must be the same domain as that of the domain controller
whose system state data you are using.
7. Continue with the remaining steps of dcpromo.

Dcpromo will now promote the server to a domain controller using the
data present in the restored files. This saves dcpromo from having to
replicate every object from the partner domain controller. However, it may
have to replicate those objects that were modified (added or deleted)
since the backup was taken. If the backup was recent, the amount of
replication required will be considerably less than that required for a
regular dcpromo.
Once the dcpromo operation is completed successfully and the machine
rebooted, the restored folder (in the above example: E:\restore) and its
subfolders can be removed from the local disk.

Procedure: Install and run Setup Manager to create an answer file
(Unattend.txt)

Procedure Steps
1. Insert the Windows Server 2003 CD-ROM into the computer’s CD-ROM
drive or DVD-ROM drive. Press and hold down the SHIFT key as you
insert the CD to prevent it from starting automatically.
2. Start Windows Explorer, and then open the Support\Tools folder on the
Windows Server 2003 CD-ROM.
3. In the details pane, double-click the Deploy.cab file to open it.
4. On the Edit menu, click Select All.
5. On the Edit menu, click Copy.
6. Create a new folder on your local hard disk. To do this:
a. Click Local Disk (C:), or click the drive in which you want to create
the new folder.
b. On the File menu, point to New, and then click Folder.
c. In the New Folder name box, type the name that you want, and
then press ENTER.
7. Right-click the new folder that you created, and then click Paste.
8. Double-click the new folder to open it, and then double-click the
Setupmgr.exe file. The Setup Manager wizard starts. Follow the
instructions in the wizard to create an answer file.

Procedure: Install the DNS Server service


Assign a static IP address, rather than a dynamically assigned IP address,
to any computer that acts as a DNS server. To use this procedure, your
DNS infrastructure must already exist, function properly, and be
configured to use Active Directory-integrated zones. This procedure
describes the steps to add an additional DNS server into the DNS
infrastructure.

Procedure Requirements
● Credentials: Domain Admin or Enterprise Admin
● Tools: My Network Places, Control Panel

Procedure Steps
To install the DNS Server service
1. Ensure that the computer is using a static IP address. Right-click My
Network Places and click Properties.
2. In the Network and Dial-up Connections dialog box, right-click the
connection that represents the connection this computer uses to
attach to your network. The default label is Local Area Connection,
but this can be changed, so it might not be labeled the same on your
computer. Click Properties.
3. In the Local Area Connection Properties dialog box, click once on
Internet Protocol (TCP/IP) to highlight it (be sure that you do not
clear the check box in front of it), and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, ensure that
Use the following IP address: is selected and that a valid IP
address, subnet mask, and default gateway appear. Click OK to close
the dialog box. Click OK again to return to your desktop.
5. In Control Panel, click Add/Remove Programs. Click Add/Remove
Windows Components.
6. Scroll down to Networking Services. Highlight it and click Details.
7. In the Networking Services dialog box, select the check box in front
of Domain Name System (DNS). Click OK.
8. Click Next. Provide the location of the installation files, if necessary.
After the installation is complete, click Finish to end the wizard, and
then click Close to exit Add/Remove Programs.

Procedure: Gather the SYSVOL path information


This procedure gathers installation information that includes:
● The user name, password, and the domain that contains the user
account that you intend to use to run the Active Directory Installation
Wizard.
● The name of the domain that you want the new domain controller to
host.
● Location for the Active Directory database (Ntds.dit).
● Location for the log files.
● Location for the shared system volume (SYSVOL).
● The server Administrator account name and password to use in
Directory Services Restore Mode.

Before you attempt to relocate all or portions of the system volume, you
must clearly understand the folder structure and the relationships
between the folders and the path information that is stored in the registry
and the directory itself. When folders are relocated, any associated
parameters that are stored in the registry and the directory must be
updated to match the new location. The folder structure contains junctions
that might also require updating when folders get moved to a new
location.
Maintaining the relationship between the folders, junctions, and stored
parameters is important when you must relocate all or portions of SYSVOL.
Failure to do so can result in files being replicated to or from the wrong
location. It can also result in files failing to replicate, yet FRS will not report
any errors. Due to the configuration error, FRS looks in the wrong location
for the files that you want to replicate.
The folder structure used by the system volume uses a feature called a
junction point. Junction points look like folders and behave like folders (in
Windows Explorer you cannot distinguish them from regular folders), but
they are not folders. A junction point contains a link to another folder.
When a program opens it, the junction point automatically redirects the
program to the folder to which the junction point is linked. The redirection
is completely transparent to the user and the application.
For example, if you create two folders, C:\Folder1 and C:\Folder2, and
create a junction called C:\Folder3, and then link the junction back to
Folder1, Windows Explorer displays three folders:
\Folder1
\Folder2
\Folder3
If you open Folder3, Windows Explorer is redirected to Folder1 and
displays the contents of Folder1. You receive no indication of the
redirection because it is transparent to the user and to Windows Explorer.
If you look at the contents of Folder1, you see that it is exactly the same
as the contents displayed when you open Folder3. If you open a command
prompt and list a directory, all three folders appear in the output. The first
two are type <DIR> and Folder3 is type <JUNCTION>. If you list a
directory of Folder3, you see the contents of Folder1.

Note To create or update junctions, you need the Linkd.exe tool supplied with the
Windows 2000 Server Resource Kit. Linkd allows you to create, delete, update, and
view the links that are stored in junction points.

By default, the system volume is contained in the %systemroot%\SYSVOL
folder. The tree of folders contained within this folder can be extensive,
depending on how your network uses FRS. When relocating folders in the
system volume, ensure that you move all folders (including any hidden
folders) and ensure that the relationships of the folders do not change
unintentionally. When you relocate folders, you need to be concerned with
the first three levels of subdirectories in order to properly update the
parameters used by FRS. These levels are affected by junction points and
parameter settings. These folders include:
● %systemroot%\SYSVOL
● %systemroot%\SYSVOL\Domain
● %systemroot%\SYSVOL\Domain\DO_NOT_REMOVE_Ntfrs_Preinstalled_Directory
● %systemroot%\SYSVOL\Domain\Policies
● %systemroot%\SYSVOL\Domain\Scripts
● %systemroot%\SYSVOL\Staging
● %systemroot%\SYSVOL\Staging\Domain
● %systemroot%\SYSVOL\Staging Areas
● %systemroot%\SYSVOL\Staging Areas FQDN
● %systemroot%\SYSVOL\Sysvol
● %systemroot%\SYSVOL\Sysvol FQDN

where FQDN is the fully qualified domain name of the domain that this
domain controller hosts.
Note If any of the folders do not appear in Windows Explorer, click Tools and then
click Folder Options. On the View tab, select Show hidden files and folders.

If you use Windows Explorer to view these folders, they appear to be
typical folders. If you open a command prompt and type dir to list these
folders, you will notice two special folders are listed as <JUNCTION>. Both
folders labeled FQDN are junction points. The junction in
%systemroot%\SYSVOL\Sysvol links to %systemroot%\SYSVOL\Domain. The
junction in %systemroot%\SYSVOL\Staging Areas is linked to
%systemroot%\SYSVOL\Staging\Domain. If you change the path to the folders
to which the junctions are linked, you must also update the junctions,
including drive letter changes and folder changes.
Besides junction points linking to folders within the system volume tree,
the registry and the directory also store references to folders. These
references contain paths that you must update if you change the location
of the folder. FRS uses two values that are stored in the directory. The first
value, fRSRootPath, points to the location of the policies and scripts that
are stored in SYSVOL. By default, this location is the %systemroot%\SYSVOL\Domain
folder. The second value, fRSStagingPath, points to the
location of the folders used as the staging area. By default, this location is
the %systemroot%\SYSVOL\Staging\Domain folder. The Net Logon service
uses a parameter stored in the registry to identify the location of the
folder that it uses to create the SYSVOL and NETLOGON share points. By
default, this path is %systemroot%\SYSVOL\Sysvol. If you change the
paths to these folders, you must update these values.
When relocating SYSVOL, you first move the entire folder structure to a
new location; then you update all the junction points and the parameters
that are stored in the registry and the directory in order to maintain the
relationships between the parameters, the folders, and the junctions.
Optionally, you can relocate the staging area and leave the rest of the
system volume at its original location. In this case, you must update the
fRSStagingPath parameter in the directory and the junction point stored at
%systemroot%\SYSVOL\staging areas.

Procedure Requirements
● Credentials: Domain Admins
● Tools: Regedit.exe, ADSI Edit, Linkd.exe
Procedure Steps
To gather the system volume path information
Use the steps below to locate the information and record the current
values in Table 1.
If you are relocating the staging area, you only need to record information
for rows 2 and 5 in Table 1. All other operations require that you record
information in all five rows.
To restore and rebuild SYSVOL, you must record the information from the
domain controller that you are repairing in rows 1, 2, and 3. Use the
junctions located on the domain controller that you are copying from the
SYSVOL folder structure to record the current value for rows 4 and 5. The
new values for rows 4 and 5 are based on the domain controller that you
are repairing.
Table 1. System Volume Path Information
Parameter                         Current Value        New Value
1. fRSRootPath
2. fRSStagingPath
3. Sysvol parameter in registry
4. Sysvol junction
5. Staging junction

fRSRootPath
1. In the Run text box, type adsiedit.msc and press ENTER.
2. Double-click Domain NC [machinename] (where machinename is the
name of this domain controller). Verify that the Domain NC expands
to display the domain component (DC=) folder.
3. Click the domain component to display the containers and OUs in the
details pane. Double-click the Domain Controllers OU to display the
containers that represent the domain controllers.
4. Double-click the container that represents this domain controller
(CN=computername) to display more containers.
5. Double-click the CN=NTFRS Subscriptions container.
6. Right-click the CN=Domain System Volume container, and click
Properties.
7. In the Select which properties to view list, select Mandatory.
8. In the Select a property to view list, select fRSRootPath. The
current value appears in the Value(s) box.
9. Record the current value in the table above. Based on the folder
structure discussed earlier and the new location, record the new path
value for this parameter in the table.
10. Click Cancel to close the dialog box.

fRSStagingPath
1. In the Run text box, type adsiedit.msc and press ENTER.
2. Double-click Domain NC [machinename] (where machinename is the
name of this domain controller). Verify that the Domain NC expands
to display the domain component (DC=) folder.
3. Click the domain component to display the containers and OUs in the
details pane. Double-click the Domain Controllers OU to display the
containers that represent the domain controllers.
4. Double-click the container that represents this domain controller
(CN=computername) to reveal more containers.
5. Double-click the CN=NTFRS Subscriptions container.
6. Right-click the CN=Domain System Volume container, and click
Properties.
7. In the Select which properties to view list, select Mandatory.
8. In the Select a property to view list, select fRSStagingPath. The
current value appears in the Value(s) box.
9. Record the current value in Table 1. Based on the folder structure
discussed earlier and the new location, record the new path value for
this parameter in Table 1.

SYSVOL parameter in the registry
1. In the Run text box, type regedit and press ENTER.
2. In the Registry Editor, navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Net
logon\Parameters.
3. Sysvol appears in the details pane. The current value is listed in the
Data column.
4. Record the current value in Table 1. Based on the folder structure
discussed earlier and the new location, record the new path value for
this parameter in Table 1.
SYSVOL junction
1. At a command prompt, change the directory to
%systemroot%\SYSVOL\Sysvol.

Note This assumes that the system volume is still in the default location. If it has
been relocated, substitute the appropriate paths into these instructions.

2. At the command prompt, type dir. Verify that the fully qualified
domain name (FQDN) is listed as type <JUNCTION>.
3. At the command prompt, type linkd fqdn (where fqdn is the domain
name listed in the Dir output). This displays the value stored in the
junction point. Press ENTER.
4. Record the current value in Table 1. Based on the folder structure
discussed earlier and the new location, record the new path value for
this parameter in Table 1.

Staging junction
1. At a command prompt, change the directory to
%systemroot%\SYSVOL\Staging Areas.

Note This assumes that the staging area is still in the default location. If it has
been relocated, substitute the appropriate paths into these instructions.

2. At the command prompt, type dir. Verify that the fully qualified
domain name is listed as type <JUNCTION>.
3. At the command prompt, type linkd fqdn (where fqdn is the domain
name listed in the Dir output). This displays the value stored in the
junction point. Press ENTER.
4. Record the current value in Table 1. Based on the folder structure
discussed earlier and the new location, record the new path value for
this parameter in Table 1.
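Once the five rows of Table 1 are recorded, the relationships described earlier (each junction pointing at the matching FRS directory value, and the Net Logon Sysvol folder beside fRSRootPath under one SYSVOL root) can be checked before anything is moved and again after the move. The following Python is an added example, not part of the guide; it works only on the recorded path strings, never on the directory, the registry or the junctions, and the drive letters and paths in it are constructed sample values.

```python
"""Check the SYSVOL path relationships that Table 1 records.

Added example; it is not part of the guide. The relationships it encodes
are the ones the guide describes for the default layout:

  row 1  fRSRootPath               = <root>\Domain
  row 2  fRSStagingPath            = <root>\Staging\Domain
  row 3  Net Logon "Sysvol" value  = <root>\Sysvol
  row 4  junction <root>\Sysvol\<FQDN>         -> row 1
  row 5  junction <root>\Staging Areas\<FQDN>  -> row 2
"""
from dataclasses import dataclass
import ntpath  # Windows path rules, usable on any platform


def _norm(path: str) -> str:
    """Canonical form for comparison: one separator style, no trailing
    backslash, case folded (NTFS paths are case-insensitive)."""
    return ntpath.normcase(ntpath.normpath(path))


@dataclass
class SysvolTable:
    """The five rows of Table 1 for one domain controller."""
    frs_root_path: str     # row 1, read with ADSI Edit
    frs_staging_path: str  # row 2, read with ADSI Edit
    netlogon_sysvol: str   # row 3, read with Regedit
    sysvol_junction: str   # row 4, target shown by linkd
    staging_junction: str  # row 5, target shown by linkd


def expected_table(root: str) -> SysvolTable:
    """Values of all five rows when the whole tree lives under `root`.
    After a whole-tree move this is the New Value column of Table 1."""
    return SysvolTable(
        frs_root_path=ntpath.join(root, "Domain"),
        frs_staging_path=ntpath.join(root, "Staging", "Domain"),
        netlogon_sysvol=ntpath.join(root, "Sysvol"),
        sysvol_junction=ntpath.join(root, "Domain"),
        staging_junction=ntpath.join(root, "Staging", "Domain"),
    )


def staging_only_table(current: SysvolTable, new_staging: str) -> SysvolTable:
    """New Value column when only the staging area moves: rows 2 and 5
    change, the other rows keep their current values."""
    return SysvolTable(
        frs_root_path=current.frs_root_path,
        frs_staging_path=new_staging,
        netlogon_sysvol=current.netlogon_sysvol,
        sysvol_junction=current.sysvol_junction,
        staging_junction=new_staging,
    )


def find_mismatches(t: SysvolTable) -> list:
    """Relationship violations that make FRS replicate from or to the wrong
    folder. FRS itself reports no error in that state, which is why the
    recorded values have to be compared explicitly."""
    problems = []
    if _norm(t.sysvol_junction) != _norm(t.frs_root_path):
        problems.append("row 4: Sysvol junction does not point at fRSRootPath")
    if _norm(t.staging_junction) != _norm(t.frs_staging_path):
        problems.append("row 5: Staging junction does not point at fRSStagingPath")
    # Rows 1 and 3 are siblings under the same SYSVOL root (assumption: the
    # tree is moved whole, as the guide requires, or only the staging area).
    if ntpath.dirname(_norm(t.netlogon_sysvol)) != ntpath.dirname(_norm(t.frs_root_path)):
        problems.append("row 3: Net Logon Sysvol value is not beside fRSRootPath")
    return problems


if __name__ == "__main__":
    # Constructed sample: a half-finished move from C:\WINDOWS\SYSVOL to
    # D:\SYSVOL. The directory and registry values were updated, but the two
    # junctions still point at the old location, so FRS looks there.
    half_done = SysvolTable(
        frs_root_path=r"D:\SYSVOL\Domain",
        frs_staging_path=r"D:\SYSVOL\Staging\Domain",
        netlogon_sysvol=r"D:\SYSVOL\Sysvol",
        sysvol_junction=r"C:\WINDOWS\SYSVOL\Domain",
        staging_junction=r"C:\WINDOWS\SYSVOL\Staging\Domain",
    )
    for problem in find_mismatches(half_done):
        print("MISMATCH:", problem)
    for row, value in vars(expected_table(r"D:\SYSVOL")).items():
        print(f"required new value for {row}: {value}")
```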

Procedure: Verify DNS registration and functionality


This test verifies that DNS is functioning so that other domain controllers
can be located.

Procedure Requirements
● Credentials: Domain administrator
● Tool: Netdiag.exe
Procedure Steps
To verify DNS registration and functionality

Note For a more detailed response from this command, you can use the verbose
option. Add /v to the end of the command to see the detailed response.

● At a command prompt, type netdiag /test:dns and press ENTER.
If DNS is functioning, the last line of the response is “DNS Test…..:
Passed.” The verbose option lists specific information about what was
tested. This information can help with troubleshooting if the test fails.
If the test fails, do not attempt any additional steps until you determine
and fix the problem that prevents proper DNS functionality.

Procedure: Verify that an IP address maps to a subnet and
determine the site association
Use this procedure to determine the site to which you want to add a
Server object prior to installing Active Directory, or to verify the
appropriate site prior to moving a Server object to it.
To be associated with a site, the IP address of a domain controller must
map to a Subnet object that is defined in Active Directory. The site to
which the subnet is associated is the site of the domain controller.
The subnet address, which is computed from the IP network address and
the subnet mask, is the name of a Subnet object in Active Directory. When
you know the subnet address, you can locate the Subnet object and
determine the site to which the subnet is associated.

Procedure Requirements
● Credentials: Domain users
● Tools:
● My Network Places
● Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To verify that an IP address maps to a subnet and determine the
site association
1. Log on locally or open a Terminal Services connection to the server for
which you want to check the IP address.
2. On the desktop, right-click My Network Places, and then click
Properties.
3. In the Network and Dial-up Connections dialog box, right-click
Local Area Connection, and then click Properties.
4. Double-click Internet Protocol (TCP/IP).
5. Use the values in IP address and Subnet mask to calculate the
subnet address.
6. In Active Directory Sites and Services, expand the Sites container, and
then click the Subnets container.
7. In the Name column in the details pane, find the Subnet object that
matches the subnet address.
8. In the Site column, note the site to which the IP subnet address is
associated.

If the site that appears in the Site box is not the appropriate site, contact
a supervisor and find out whether the IP address is incorrect or whether to
move the Server object to the site indicated by the subnet.
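Step 5 asks for the subnet address that names the Subnet object. The following Python is an added example, not part of the guide: it computes that name from the IP address and subnet mask and looks it up in a constructed set of Subnet objects (the SAMPLE_SUBNETS names and sites are invented). It also serves the identical steps in "Verify the site assignment for the domain controller" later in this guide. Beyond step 7, when no Subnet object with the exact name exists it falls back to the most specific Subnet object that contains the address, which is how the directory itself resolves an address to a site.

```python
"""Compute the subnet address that names an Active Directory Subnet object
from an IP address and subnet mask, then find the associated site.

Added example; not part of the guide. SAMPLE_SUBNETS is constructed data
standing in for the Subnets container.
"""
import ipaddress


def subnet_name(ip: str, mask: str) -> str:
    """Name of the Subnet object as Active Directory writes it: the network
    address followed by the prefix length, for example '10.1.2.0/24'.
    A non-contiguous mask raises ValueError instead of producing a name."""
    interface = ipaddress.ip_interface(f"{ip}/{mask}")  # accepts dotted masks
    return str(interface.network)


def find_site(ip: str, mask: str, subnets: dict):
    """Return (subnet name, site) for the Subnet object covering the address,
    or None when no Subnet object covers it (the 'contact a supervisor' case).

    The exact name from subnet_name() is tried first, as in step 7. The
    fallback to the longest matching prefix goes beyond the guide.
    """
    name = subnet_name(ip, mask)
    if name in subnets:
        return name, subnets[name]
    address = ipaddress.ip_address(ip)
    covering = [
        (ipaddress.ip_network(n).prefixlen, n)
        for n in subnets
        if address in ipaddress.ip_network(n)
    ]
    if not covering:
        return None
    _, best = max(covering)  # most specific (longest prefix) wins
    return best, subnets[best]


# Constructed sample contents of the Subnets container: name -> site.
SAMPLE_SUBNETS = {
    "10.0.0.0/8": "Default-First-Site-Name",
    "10.1.2.0/24": "Seattle",
    "192.168.5.128/25": "Redmond",
}

if __name__ == "__main__":
    for ip, mask in [("10.1.2.37", "255.255.255.0"),
                     ("10.1.3.5", "255.255.255.0"),
                     ("192.168.5.130", "255.255.255.128"),
                     ("172.16.0.9", "255.255.0.0")]:
        print(ip, mask, "->", subnet_name(ip, mask),
              find_site(ip, mask, SAMPLE_SUBNETS))
```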

Procedure: Verify communication with other domain controllers


This test verifies that domain controllers can be located.

Procedure Requirements
● Credentials: Domain users
● Tool: Netdiag.exe

Procedure Steps
To verify communication with other domain controllers

Note For a more detailed response from this command, you can use the verbose
option. Add /v to the end of the command to see the detailed response.

● At a command prompt, type netdiag /test:dsgetdc and press ENTER.
If domain controllers are successfully located, the last line of the response
is “DC discovery test……..: Passed.” The verbose option lists the specific
domain controllers that are located.
If the test fails, do not attempt any additional steps until you determine
and fix the problem that prevents communication with other domain
controllers.

Procedure: Verify the availability of the operations masters


This test verifies that the operations masters can be located and that they
are online and responding.

Procedure Requirements
● Credentials: Domain users
● Tool: Dcdiag.exe
Procedure Steps
To verify the existence of the operations masters

Note You can use these tests prior to installing Active Directory as well as
afterward. To perform the test prior to installing Active Directory, you must use the
/s option to indicate the name of a domain controller to use for the test. You do not
need the /s option to perform the test after installing Active Directory. The test
automatically runs on the local domain controller where you are performing the
tests. The commands listed in this procedure show the /s option. If you are
performing this test after installing Active Directory, omit the /s option. For a more
detailed response from this command, you can use the verbose option by adding /v
to the end of the command to see the detailed response.

1. To ensure that the operations masters can be located, at a command
prompt, type:
dcdiag /s:domaincontroller /test:knowsofroleholders /verbose
where domaincontroller is the name of a domain controller in the
domain in which you want to add the new domain controller. The
verbose option provides a detailed list of the operations masters that
were tested. Near the bottom of the screen, a message confirms that
the test succeeded. If you use the verbose option, look carefully at the
bottom part of the displayed output. The test confirmation message
appears immediately after the list of operations masters. Press ENTER.
2. To ensure that the operations masters are functioning properly and
are available on the network, at a command prompt, type:
dcdiag /s:domaincontroller /test:fsmocheck
where domaincontroller is the name of a domain controller in the
domain in which you want to add the new domain controller. The
verbose option provides a detailed list of the operations masters that
were tested. Near the bottom of your screen, a message confirms that
the test succeeded. Press ENTER.
If these tests fail, do not attempt any additional steps until you determine
and fix the problem that prevents locating operations masters and
verifying that they are functioning properly.

Note If any of the verification tests fail, do not continue until you determine and fix
the problems. If these tests fail, the installation is also likely to fail.

Procedure: Determine whether a Server object has Child objects


When a domain controller is properly installed, its Server object has a
Child NTDS-Settings object. Other applications that are running on domain
controllers can also publish Child objects.
After installing Active Directory on a domain controller, verify that the
Server object has a Child NTDS Settings object.
Prior to deleting a Server object from the Servers container for a site,
verify that the Server object has no Child objects.

Procedure Requirements
● Credentials: Domain users
● Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To determine whether a Server object has Child objects
1. In Active Directory Sites and Services, expand the Sites container and
expand the site of the Server object.
2. Expand the Servers container, and then expand the Server object to
view any Child objects.

Procedure: Verify the site assignment for the domain controller


Use this procedure to determine the site to which you want to add a
Server object prior to installing Active Directory, or to verify the
appropriate site prior to moving a Server object to it.
To be associated with a site, the IP address of a domain controller must
map to a Subnet object that is defined in Active Directory. The site to
which the subnet is associated is the site of the domain controller.
The subnet address, which is computed from the IP network address and
the subnet mask, is the name of a Subnet object in Active Directory. When
you know the subnet address, you can locate the Subnet object and
determine the site to which the subnet is associated.

Procedure Requirements
● Credentials: Domain users
● Tools: My Network Places, Active Directory Sites and Services
(Administrative Tools)

Procedure Steps
To verify that an IP address maps to a subnet and determine the
site association
1. Log on locally or open a Terminal Services connection to the server for
which you want to check the IP address.
2. On the desktop, right-click My Network Places, and then click
Properties.
3. In the Network and Dial-up Connections dialog box, right-click
Local Area Connection, and then click Properties.
4. Double-click Internet Protocol (TCP/IP).
5. Use the values in IP address and Subnet mask to calculate the
subnet address.

6. In Active Directory Sites and Services, expand the Sites container, and
then click the Subnets container.
7. In the details pane, in the Name column, find the Subnet object that
matches the subnet address.
8. In the Site column, note the site to which the IP subnet address is
associated.

If the site that appears in the Site box is not the appropriate site, contact
a supervisor and find out whether the IP address is incorrect or whether to
move the Server object to the site indicated by the subnet.
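The subnet and site lookup described above, as an added example that is not part of the operations guide: it computes the Subnet object name from an IP address and mask (step 5) and resolves the site the way the Subnets container does, picking the most specific matching Subnet object. The SUBNET_OBJECTS table is a constructed stand-in for the Name and Site columns in Active Directory Sites and Services, and the function names are this example's own.

```python
# Added example, not part of the operations guide: derive the Subnet object
# name from a domain controller's IP address and subnet mask, then resolve the
# site the same way the Subnets container does (most specific matching subnet).
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed stand-in for the Subnet objects under CN=Subnets in Active
# Directory Sites and Services (Name column -> Site column). Not real data.
SUBNET_OBJECTS: Dict[str, str] = {
    "10.1.0.0/16": "Corp-HQ",
    "10.1.2.0/24": "Corp-HQ-Lab",      # more specific than 10.1.0.0/16
    "192.168.50.0/24": "Branch-Seattle",
}


def subnet_object_name(ip: str, mask: str) -> str:
    """Subnet address in network/prefix form, which is how Subnet objects are named.

    ipaddress clears the host bits, so 10.1.2.37 with 255.255.255.0 -> 10.1.2.0/24.
    """
    return str(ipaddress.ip_interface(f"{ip}/{mask}").network)


def site_for_address(ip: str, subnets: Dict[str, str] = SUBNET_OBJECTS) -> Optional[Tuple[str, str]]:
    """Return (Subnet object name, site) for the longest-prefix subnet containing ip.

    Returns None when no Subnet object covers the address; such a domain
    controller is not associated with any site, which is the case the
    procedure tells you to escalate.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for name, site in subnets.items():
        net = ipaddress.ip_network(name)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return None if best is None else (str(best[0]), best[1])


def verify_site_assignment(ip: str, mask: str, intended_site: str,
                           subnets: Dict[str, str] = SUBNET_OBJECTS) -> str:
    """Compare the site implied by the address with the site you intend to use.

    Returns "ok", "no-subnet" (the address maps to no Subnet object) or
    "mismatch:<site>" naming the site the matching subnet belongs to.
    """
    match = site_for_address(ip, subnets)
    if match is None:
        return "no-subnet"
    _, site = match
    return "ok" if site == intended_site else f"mismatch:{site}"


if __name__ == "__main__":
    ip, mask = "10.1.2.37", "255.255.255.0"   # constructed values
    print("Subnet object to look for:", subnet_object_name(ip, mask))
    print("Site from subnet:", site_for_address(ip))
    print("Verdict for Corp-HQ:", verify_site_assignment(ip, mask, "Corp-HQ"))
```

A "mismatch" result is exactly the situation in the last paragraph: either the IP address is wrong or the Server object belongs in the site the subnet points to, and that decision is for a supervisor, not the script.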

Procedure: Move a Server object to a different site if the domain
controller is located in the wrong site

Moving a Server object requires that the IP address of the domain
controller maps to the site to which you are moving the Server object.
After you have verified that the IP address maps to the target site, use the
following procedure to move the Server object to the site.

Procedure Requirements
● Credentials: Enterprise administrators
● Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To move a Server object to a different site
1. In Active Directory Sites and Services, expand the Sites container and
the site in which the Server object resides.
2. Expand the Servers container to display the domain controllers that
are currently configured for that site.
3. Right-click the Server object you want to move, and then click Move.
4. In the Site Name box, click the destination site, and then click OK.
5. Expand the Site object to which you moved the server, and then
expand the Servers container.
6. Verify that an object for the server you moved exists.
7. Expand the Server object and verify that an NTDS Settings object
exists.

Within an hour, the Net Logon service on the domain controller registers
the new site information in DNS. Wait an hour and then open Event Viewer
and connect to the domain controller whose Server object you moved.
Review the directory service log for Net Logon errors regarding
registration of SRV resource records in DNS that have occurred within the
last hour. The absence of errors indicates that Net Logon has updated DNS
with site-specific SRV resource records. Net Logon event ID 5774 indicates
that the registration of DNS resource records has failed. If this error
occurs, contact a supervisor and pursue DNS troubleshooting.
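The post-move check described in the paragraph above, as an added example that is not part of the operations guide: it lists the site-specific SRV records Net Logon registers for a domain controller in its new site, compares them with a zone listing, and pulls Net Logon event 5774 entries from the last hour. The zone records and event entries are constructed samples, and the record names for a global catalog server go beyond the paragraph, which only mentions site-specific SRV records in general.

```python
# Added example, not part of the operations guide: after a Server object is
# moved, list the site-specific SRV records Net Logon should register, check a
# zone listing for them, and find Net Logon 5774 events from the last hour.
# The zone data and events below are constructed, not captured from a server.
from datetime import datetime, timedelta
from typing import List, Tuple


def expected_site_srv_records(domain: str, forest: str, site: str, is_gc: bool) -> List[str]:
    """Site-specific SRV record names a domain controller in `site` registers.

    The first four are registered by every domain controller; the last two
    are added only when the server is also a global catalog server.
    """
    names = [
        f"_ldap._tcp.{site}._sites.{domain}",
        f"_kerberos._tcp.{site}._sites.{domain}",
        f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
        f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}",
    ]
    if is_gc:
        names += [
            f"_gc._tcp.{site}._sites.{forest}",
            f"_ldap._tcp.{site}._sites.gc._msdcs.{forest}",
        ]
    return names


def missing_site_records(expected: List[str], zone: List[Tuple[str, str]], dc_host: str) -> List[str]:
    """Expected record names with no SRV entry that points at dc_host.

    `zone` is a list of (record name, target host) pairs, as you would get
    from a zone listing. A record that exists but points at a different host
    still counts as missing for this domain controller.
    """
    present = {name.lower() for name, target in zone if target.lower() == dc_host.lower()}
    return [name for name in expected if name.lower() not in present]


# Constructed event record shape: (time logged, source, event ID, message).
Event = Tuple[datetime, str, int, str]


def netlogon_registration_failures(events: List[Event], now: datetime) -> List[Event]:
    """Net Logon event 5774 entries logged within the hour before `now`."""
    cutoff = now - timedelta(hours=1)
    return [e for e in events
            if e[1].upper() == "NETLOGON" and e[2] == 5774 and cutoff <= e[0] <= now]


# Constructed sample data: dc3 was moved from Corp-HQ to Branch-Seattle.
NOW = datetime(2003, 6, 1, 10, 0)
ZONE = [
    ("_ldap._tcp.Branch-Seattle._sites.contoso.com", "dc3.contoso.com"),
    ("_kerberos._tcp.Branch-Seattle._sites.contoso.com", "dc3.contoso.com"),
    ("_ldap._tcp.Branch-Seattle._sites.dc._msdcs.contoso.com", "dc3.contoso.com"),
    ("_ldap._tcp.Corp-HQ._sites.contoso.com", "dc3.contoso.com"),   # stale old-site record
]
EVENTS: List[Event] = [
    (datetime(2003, 6, 1, 9, 45), "NETLOGON", 5774, "constructed: DNS registration failed"),
    (datetime(2003, 6, 1, 8, 30), "NETLOGON", 5774, "constructed: older than one hour"),
    (datetime(2003, 6, 1, 9, 50), "NTDS General", 1, "constructed: unrelated event"),
]

if __name__ == "__main__":
    expected = expected_site_srv_records("contoso.com", "contoso.com", "Branch-Seattle", False)
    print("Missing records:", missing_site_records(expected, ZONE, "dc3.contoso.com"))
    print("Recent 5774 events:", netlogon_registration_failures(EVENTS, NOW))
```

A missing record together with a recent 5774 event is the combination the paragraph tells you to escalate as a DNS problem; a missing record with no 5774 event usually means the hour has not elapsed yet or the zone listing is stale.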

Procedure: Configure DNS server forwarders


Configure DNS server forwarders based on the forwarders method
established on your network.

Procedure Requirements
● Credentials: Domain Admin
● Tools: DNS snap-in

Procedure Steps
To configure DNS server forwarders
1. If your network uses root hints as the forwarders method, you do not
need to perform any additional steps. Root hints are automatically
configured during installation. Do not continue to step 2.
2. If you need to configure forwarders, open the DNS snap-in and
continue to step 3.
3. In the console tree, right-click computer_name (where computer_name
is the computer name of the domain controller), and then click
Properties.
4. In the computer_name Properties sheet (where computer_name is
the name of the domain controller), on the Forwarders tab, select the
Enable forwarders check box.
5. In the IP address box, type ip_address (where ip_address is the IP
address of the DNS server or nearest replication partner from which
the domain is delegated), click Add, and then click OK.

Procedure: Verify DNS configuration


This procedure involves the following subprocedures:
● Create a delegation for a new domain controller.
● Configure the DNS client settings.
● Create a delegation for the new domain controller in the forest root
domain.
● Create a secondary zone.
● Configure the DNS client settings.

Subprocedure 1: Create a delegation for a new domain controller


Create a delegation for the new domain controller in the parent domain of
the DNS infrastructure if a parent domain exists and a Microsoft DNS
server hosts it. If the DNS server hosting the parent domain is not a
Microsoft DNS server, follow the procedures outlined in the vendor
documentation to add the delegation for the new domain controller.
This procedure creates a delegation for a new domain controller that is
also a DNS server in the parent DNS domain. If your forest root domain
has a parent DNS domain, perform these steps on a DNS server in the
parent domain. If you just added a new domain controller to a child
domain, perform these steps on a DNS server in the DNS parent domain.
By following recommended practices, the parent domain is the forest root
domain.

Procedure Requirements
● Credentials: Domain administrators
● Tool: DNS Manager

Procedure Steps
To create a delegation for a new domain controller
1. From the DNS snap-in, navigate to child_domain (where child_domain
is the name of the child domain) in the console tree.
2. In the console tree, right-click child_domain, and then click
Properties.
3. In child_domain properties, on the Name Servers tab, click Add.
4. In the New Resource Record dialog box, in the Server name box,
type child_dc.child_domain.parent_domain (where child_dc is the
name of the new domain controller, child_domain is the name of the
child domain, and parent_domain is the name of the parent domain).
5. In the New Resource Record dialog box, in the IP address box, type
ip_address (where ip_address is the IP address of the child domain
controller), click Add, and then click OK.

Subprocedure 2: Configure the DNS client settings


Configure the DNS client settings on the new domain controller.

Procedure Requirements
● Credentials: Domain admin
● Tool: My Network Places

Procedure Steps
To configure the DNS client settings
1. In My Network Places, open the Properties dialog box.
2. In the Network and Dial-up Connections dialog box, right-click the
connection that represents the connection this computer uses to
attach to your network. The default label is Local Area Connection,
but this can be changed so it might not be labeled the same on your
computer. Click Properties.
3. In the Local Area Connection Properties dialog box, click once on
Internet Protocol (TCP/IP) to highlight it (be sure you do not clear
the check box in front of it), then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, verify that
Use the following DNS server addresses: is selected.
5. If the new domain controller is located in the forest root domain, set
the Preferred DNS server IP address to that of another DNS server in
the forest root domain. Try to choose a server that is located near the
new domain controller. Set the Alternate DNS server address to the IP
address of the new domain controller (so that it is referencing itself).
If the new domain controller is located in a child domain, set the
Preferred DNS server IP address to the IP address of the new domain
controller (so that it is referencing itself). Set the Alternate DNS server
address to that of another DNS server in the same domain. Try to
choose a server that is located near the new domain controller.
6. Click OK to close the dialog box.

Subprocedure 3: Create a delegation for the new domain
controller in the forest root domain

This procedure creates a delegation for a new domain controller that is
also a DNS server in the parent DNS domain. If your forest root domain
has a parent DNS domain, perform these steps on a DNS server in the
parent domain. If you just added a new domain controller to a child
domain, perform these steps on a DNS server in the DNS parent domain.
By following recommended practices, the parent domain is the forest root
domain.

Procedure Requirements
● Credentials: Domain Admin
● Tool: DNS Manager

Procedure Steps
To create a delegation for a new domain controller
1. From the DNS snap-in, navigate to child_domain (where child_domain
is the name of the child domain) in the console tree.
2. In the console tree, right-click child_domain, and then click
Properties.
3. In child_domain properties, on the Name Servers tab, click Add.
4. In the New Resource Record dialog box, in the Server name box,
type:
child_dc.child_domain.parent_domain
where child_dc is the name of the new domain controller, child_domain
is the name of the child domain, and parent_domain is the name of the
parent domain.
5. In the New Resource Record dialog box, in the IP address box, type
ip_address (where ip_address is the IP address of the child domain
controller), click Add, and then click OK.

Subprocedure 4: Create a secondary zone


Perform this procedure only on DNS servers that are located in the child
domain, not the forest root domain. Perform these steps on the new
domain controller.

Procedure Requirements
● Credentials: Domain Admin
● Tool: DNS snap-in

Procedure Steps
To create a secondary DNS zone
1. In the DNS snap-in, right-click the new domain controller in the console
tree, and select New Zone.
2. In the New Zone Wizard, click Next to continue.
3. Select Standard secondary as the Zone Type. Click Next.
4. Ensure that Forward lookup zone is selected. Click Next.
5. For Zone Name, type _msdcs.forestrootdomain (where
forestrootdomain is the fully qualified domain name of the forest root
domain), and click Next.
6. In the Master DNS Servers dialog box, enter the IP addresses of at
least two DNS servers in the forest root domain. Click Next.
7. Review the settings you defined, and click Finish to close the wizard.

Subprocedure 5: Configure the DNS client settings


Configure the DNS client settings on the new domain controller.

Procedure Requirements
● Credentials: Domain Admin
● Tool: My Network Places

Procedure Steps
To configure the DNS client settings
1. Open the Properties dialog box for My Network Places.
2. In the Network and Dial-up Connections dialog box, right-click the
connection that represents the connection this computer uses to
attach to your network. The default label is Local Area Connection,
but this can be changed so it might not be labeled the same on your
computer. Click Properties.
3. In the Local Area Connection Properties dialog box, click once on
Internet Protocol (TCP/IP) to highlight it (be sure you do not clear
the check box in front of it), and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, be sure
that Use the following DNS server addresses: is selected.
5. If the new domain controller is located in the forest root domain, set
the Preferred DNS server IP address to that of another DNS server in
the forest root domain. Try to choose a server that is located near the
new domain controller. Set the Alternate DNS server address to the IP
address of the new domain controller (so that it is referencing itself).
If the new domain controller is located in a child domain, set the
Preferred DNS server IP address to the IP address of the new domain
controller (so that it is referencing itself). Set the Alternate DNS server
address to that of another DNS server in the same domain. Try to
choose a server that is located near the new domain controller.
6. Click OK to close the dialog box.

Procedure: Verify domain membership for the new domain
controller

This test verifies that a new domain controller has successfully become a
member of the domain.

Note You can get a more detailed response from this command by using the
verbose option. Add /v to the end of the command listed to see the detailed
response.

Procedure Requirements
● Credentials: Domain User
● Tool: Netdiag.exe

Procedure Steps
To verify domain membership for a new domain controller
1. At a command prompt, type netdiag /test:member
2. Toward the bottom of the screen, you should see the message
"Domain membership test Passed" if the test was successful. If you use
the /v option, it will list the name of the domain controller, its role, the
name of the domain, and a number of other statistics about the new
domain controller.

Procedure: Verify replication with other domain controllers


These tests verify that different aspects of the replication topology are
working properly. They check to see that objects are replicating and they
verify that the proper logon permissions are set to allow replication to
occur.

Note For this set of tests, the /v option is available. However, it does not display
any significant additional information.

Procedure Requirements
● Credentials: Domain Admin
● Tool: Dcdiag.exe

Procedure Steps
To verify replication is functioning
1. To check if replication is working, at a command prompt, type
dcdiag /test:replications and press ENTER.
The /v option does not display any significant additional information for
this test. Messages indicate that the connectivity and replications tests
passed.
2. To verify that the proper permissions are set for replication, at a
command prompt, type dcdiag /test:netlogons and press ENTER.
Messages indicate that the connectivity and netlogons tests passed.
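The dcdiag checks used in this procedure and in the operations master tests earlier in the section (knowsofroleholders and fsmocheck) all end in the same kind of verdict line, so one added example serves both; it is not part of the operations guide. The parser reads those lines and a wrapper builds the dcdiag command line with the /s: and /test: switches the guide uses. SAMPLE_OUTPUT is constructed in the shape dcdiag prints, not captured from a real domain controller, and the function names are this example's own.

```python
# Added example, not part of the operations guide: run dcdiag against a domain
# controller and decide from its output whether the requested tests passed.
# The sample output is constructed in the shape dcdiag prints its verdicts
# ("......... <target> passed test <Name>"); it is not captured output.
import re
import subprocess
from typing import Dict, List, Tuple

# One verdict line per test: a run of dots, the target, passed/failed, test name.
RESULT_LINE = re.compile(r"\.{3,}\s+(\S+)\s+(passed|failed)\s+test\s+(\w+)", re.IGNORECASE)


def parse_dcdiag(output: str) -> Dict[str, Tuple[str, bool]]:
    """Map each test name (lower-cased) to (target, passed) from dcdiag output."""
    results: Dict[str, Tuple[str, bool]] = {}
    for line in output.splitlines():
        m = RESULT_LINE.search(line)
        if m:
            target, verdict, test = m.groups()
            results[test.lower()] = (target, verdict.lower() == "passed")
    return results


def all_passed(results: Dict[str, Tuple[str, bool]], required: List[str]) -> bool:
    """True only if every required test appears in the output and passed.

    A test that is absent from the output counts as not passed, so a
    truncated or wrong-server run cannot be mistaken for success.
    """
    return all(results.get(t.lower(), ("", False))[1] for t in required)


def run_dcdiag(server: str, tests: List[str], verbose: bool = False) -> str:
    """Invoke dcdiag.exe for the given tests and return its output (Windows only)."""
    args = ["dcdiag", f"/s:{server}"] + [f"/test:{t}" for t in tests]
    if verbose:
        args.append("/v")
    return subprocess.run(args, capture_output=True, text=True, check=False).stdout


# Constructed sample in the shape of dcdiag output; DC1 and contoso.com are
# placeholders, and the FsmoCheck failure is invented for the example.
SAMPLE_OUTPUT = """\
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Corp-HQ\\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity

Doing primary tests

   Testing server: Corp-HQ\\DC1
      Starting test: Replications
         ......................... DC1 passed test Replications
      Starting test: NetLogons
         ......................... DC1 passed test NetLogons
      Starting test: KnowsOfRoleHolders
         ......................... DC1 passed test KnowsOfRoleHolders

   Running enterprise tests on : contoso.com
      Starting test: FsmoCheck
         Warning: a primary domain controller could not be located.
         ......................... contoso.com failed test FsmoCheck
"""

if __name__ == "__main__":
    results = parse_dcdiag(SAMPLE_OUTPUT)   # replace with run_dcdiag("DC1", [...]) on a DC
    print("Replication checks OK:", all_passed(results, ["connectivity", "replications", "netlogons"]))
    print("Operations master checks OK:", all_passed(results, ["knowsofroleholders", "fsmocheck"]))
```

Because the guide says not to continue when any of these tests fail, the boolean from all_passed is the gate: a preinstallation script should stop on False rather than scroll past the failure message.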

Procedure: View the current operations master role holders


To view the current operations master role holders, use Ntdsutil.exe with
the roles option. This option displays a list of all current role holders.

Procedure Requirements
● Credentials: User or Administrator
● Tool: Ntdsutil.exe (System Tools)

Procedure Steps
To view the current operations master role holder
1. In the Run text box, type ntdsutil and press ENTER.
2. At the ntdsutil: prompt, type roles and press ENTER.
3. At the fsmo maintenance: prompt, type connections and press
ENTER.
4. At the server connections: prompt, type connect to server
servername (where servername is the name of the domain controller
that belongs to the domain containing the operations masters).
5. After receiving confirmation of the connection, type quit and press
ENTER to exit this menu.
6. At the fsmo maintenance: prompt, type select operation target
and press ENTER.
7. At the select operations target: prompt, type list roles for
connected server and press ENTER.
The system responds with a list of the current roles and the
Lightweight Directory Access Protocol (LDAP) name of the domain
controllers currently assigned to host each role.
8. Type quit and press ENTER to exit each prompt in Ntdsutil.exe. Type
quit and press ENTER at the ntdsutil: prompt to close the window.

Procedure: Transfer the forest-level operations master roles


The two forest-level operations master roles are the domain naming
master and the schema master. Any computer that hosts the domain
naming master must also be a global catalog server. These procedures are
performed by using the Microsoft Management Console (MMC), although
you can also transfer these roles by using Ntdsutil.exe. For information
about using Ntdsutil.exe to transfer the operations master roles, type ? at
the Ntdsutil.exe command prompt.
For more information about transferring operations master roles, see
"Managing Flexible Single-Master Operations" in the Distributed Systems
Guide of the Windows 2000 Server Resource Kit.

Procedure Requirements for Transferring the Domain Naming
Master
● Credentials: Enterprise Admins
● Tool: Active Directory Domains and Trusts (Administrative Tools)

Procedure Steps
To transfer the domain naming master
1. In Active Directory Domains and Trusts, in the console tree, right-click
Active Directory Domains and Trusts, and then click Connect to
Domain Controller.
2. Ensure that the proper domain name is entered in the Domain box.
The available domain controllers from this domain are listed.
3. In the Name column, click the domain controller (to select it) to which
you want to transfer the role. Click OK.
4. In Active Directory Domains and Trusts, in the console tree, right-click
Active Directory Domains and Trusts, and then click Operations
Master.
5. The name of the current domain naming master appears in the first
text box. The server to which you want to transfer the role should
appear in the second text box. If this is not the case, repeat steps 1
through 4.
6. Click Change. To confirm the role transfer, click OK. Click OK again to
close the message box indicating the transfer took place. Click Close
to close the Change Operations Master dialog box.

Procedure Requirements for Transferring the Schema Master


● Credentials: Schema Administrator
● Tool: Active Directory Schema snap-in

Procedure Steps
To transfer the schema master
Before you can use the Active Directory Schema snap-in for the first time,
you must register it with the system. If you have not yet prepared the
Active Directory Schema snap-in, see “Prepare the Active Directory
Schema snap-in” in this guide before you begin this procedure.
1. In the Active Directory Schema snap-in, in the console tree, right-click
Active Directory Schema, and click Change Domain Controller.
2. In the Change Domain Controller dialog box, click Specify Name.
Then, in the text box, type the name of the server to which you want to
transfer the schema master role. Click OK.
3. In the console tree, right-click Active Directory Schema. Click
Operations Master. The Current Focus box displays the name of
the server that is assuming the role. The current schema master is
listed in the second box.

4. Click Change. Click OK to confirm your choice. The system confirms
the operation. Click OK again to confirm that the operation succeeded.
5. Click Cancel to close the Change Schema Master dialog box.

Note Hosting the infrastructure master on a global catalog server is not
recommended. If you attempt to transfer the infrastructure master role to a
domain controller that is a global catalog, the system displays a warning stating
that this is not recommended.

6. Click Yes to confirm the transfer, and click OK to confirm that the
operation is complete.
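The role listing from the "View the current operations master role holders" procedure and the two placement rules stated above (the domain naming master must be a global catalog server; the infrastructure master should not be one), as one added example that is not part of the operations guide. It parses the lines ntdsutil prints for list roles for connected server and flags holders that break either rule. SAMPLE_OUTPUT is constructed in the shape of that listing, the server and domain names are placeholders, and the exception that an infrastructure master on a global catalog is harmless when every domain controller in the domain is a global catalog goes beyond the note above.

```python
# Added example, not part of the operations guide: parse the role list that
# ntdsutil prints for "list roles for connected server" and check the two
# placement rules the guide states. SAMPLE_OUTPUT is constructed in the
# shape ntdsutil prints ("<Role> - <DN of the NTDS Settings object>").
import re
from typing import Dict, List, Set

# Role name, a dash, then the DN of the holder's NTDS Settings object; the
# second RDN of that DN is the Server object, i.e. the domain controller.
ROLE_LINE = re.compile(
    r"^\s*(Schema|Domain|PDC|RID|Infrastructure)\s+-\s+CN=NTDS Settings,CN=([^,]+),",
    re.IGNORECASE,
)

SAMPLE_OUTPUT = """\
Server "dc1.contoso.com" knows about 5 roles
Schema - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Corp-HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com
Domain - CN=NTDS Settings,CN=DC2,CN=Servers,CN=Corp-HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com
PDC - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Corp-HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com
RID - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Corp-HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com
Infrastructure - CN=NTDS Settings,CN=DC2,CN=Servers,CN=Corp-HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com
"""


def parse_role_holders(output: str) -> Dict[str, str]:
    """Map role name -> domain controller name taken from the NTDS Settings DN."""
    roles: Dict[str, str] = {}
    for line in output.splitlines():
        m = ROLE_LINE.match(line)
        if m:
            roles[m.group(1).capitalize() if m.group(1).lower() != "pdc" else "PDC"] = m.group(2)
    # Normalize the two all-caps role names the listing uses.
    if "Rid" in roles:
        roles["RID"] = roles.pop("Rid")
    return roles


def placement_findings(roles: Dict[str, str], gc_servers: Set[str], all_dcs: Set[str]) -> List[str]:
    """Rule violations for the forest-level and domain-level role placement.

    gc_servers: domain controllers designated as global catalog servers.
    all_dcs: every domain controller in the domain, used for the exception
    that an infrastructure master on a GC is fine when all DCs are GCs.
    """
    findings: List[str] = []
    naming = roles.get("Domain")
    if naming not in gc_servers:
        findings.append(f"domain naming master {naming} is not a global catalog server")
    infra = roles.get("Infrastructure")
    if infra in gc_servers and not all_dcs <= gc_servers:
        findings.append(f"infrastructure master {infra} is a global catalog server "
                        "while other domain controllers are not")
    return findings


if __name__ == "__main__":
    holders = parse_role_holders(SAMPLE_OUTPUT)
    print(holders)
    print(placement_findings(holders, gc_servers={"DC1"}, all_dcs={"DC1", "DC2"}))
```

Run the check after every transfer: a transfer that moves the domain naming master off the only global catalog, or parks the infrastructure master on a global catalog in a mixed domain, shows up as a finding before the warning dialog is forgotten.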

Procedure: Transfer the domain-level operations master roles


The three domain-level operations master roles are the PDC emulator, the
RID master, and the infrastructure master. You can transfer all of these
roles by using the Active Directory Users and Computers console. These
procedures are performed by using MMC, although you can also transfer
these roles by using Ntdsutil.exe. For information about using Ntdsutil.exe
to transfer the operations master roles, type ? at the Ntdsutil.exe
command prompt.
For more information about transferring operations master roles, see
"Managing Flexible Single-Master Operations" in the Distributed Systems
Guide of the Windows 2000 Server Resource Kit.

Procedure Requirements
● Credentials: Domain Admins
● Tools: Active Directory Users and Computers (Administrative Tools)

Procedure Steps
To transfer a domain-level operations master role
1. In the Active Directory Users and Computers snap-in, at the top of
the console tree, right-click Active Directory Users and Computers.
Click Connect to Domain Controller.
2. In the Available controllers list, click the name of the server to which
you want to transfer the role, and then click OK.
3. At the top of the console tree, right-click Active Directory Users and
Computers, and then click Operations Masters.
The name of the current operations master role holder appears in the
upper box. The name of the server to which you want to transfer the
role appears in the lower box.
4. Click the tab that belongs to the role you want to transfer: RID, PDC, or
Infrastructure. Verify the computer names that appear and then click
Change. Click Yes to transfer the role.
5. Repeat step 4 for each role that you want to transfer.

Procedure: Verify connectivity between forests

Procedure Steps
To verify connectivity from forest A to forest B
1. Log on to forest A.
2. Click Start, click Run, type cmd in the Open box, and then press
ENTER.
3. At a command prompt, type ping <the name of forest B>, and then
press ENTER.
You receive a reply.

To verify connectivity from forest B to forest A


1. Log on to forest B.
2. Click Start, click Run, type cmd in the Open box, and then press
ENTER.
3. At a command prompt, type ping <the name of forest A>, and then
press ENTER.
You receive a reply.

Procedure: Configure DNS for both forests

Procedure Steps
To configure DNS
1. Go to Start > All Programs > Administrative Tools > DNS.
2. Right-click <server name>, and then click Properties.
3. On the Forwarders tab, click New, type in the name of the forest, and
then click OK.
4. Type the IP address of the DNS server (for example, type 10.1.1.2),
and then click Add.

To verify connectivity
1. Click Start, click Run, type cmd in the Open box, and then press
ENTER.
2. At a command prompt, type ping and the name of the forest, and then
press ENTER.
You receive a reply.

Procedure: Create the forest trust on forest A or B

Procedure Steps
To create the forest trust on forest A or B
1. Go to Start > All Programs > Administrative Tools > Active
Directory Domains and Trusts.
2. Right-click the Forest object that represents forest A, and then click
Properties.
3. Click the Trusts tab, click New Trust, and then click Next in the
Trust Creation Wizard.
4. In the Name box, type the name of the forest to which you want to
configure the trust, and then click Next.
5. Click Forest Trust, and then click Next. If Forest Trust is not an
option, verify that you raised the forest functional level to Windows
Server 2003 by reviewing the steps in the previous section.
6. Click Two Way, and then click Next.
7. Click both This Domain and Specified Domain, and then click Next.
8. In the Credentials dialog box for the forest A domain, type both the
user name (administrator) and password, and then click Next.
9. Click Allow authentication for all resources in the local forest, and
then click Next.
10. Click Allow authentication for all resources in the forest A, and
then click Next.

Note The Selective Authentication option for both sides of the trust is disabled
when you do this. You will enable the Selective Authentication option in the next
section.

11. Review the changes that are listed, and then click Next to approve the
changes.
12. Click Yes, confirm outgoing trust, and then click Next.
13. When the dialog box that lists the name suffixes that you want to route
is displayed, do not make any changes. Click Next, click Finish, and
then click OK.

Procedure: Verify the trust

Procedure Steps
To verify the trust
1. Create and name a test file share on either forest domain, and then
assign permissions to the share:
a. On any server on either of the two forests, create and name a
folder, create a Sampletext.txt file with some text by using a text
editor (such as Notepad), and then save the Sampletext.txt file in
the folder.
b. Right-click the folder, and then click Sharing and Security.
c. Click Share this folder, and then click Permissions.
d. Click Add in the Group or user names box, type the name of the
group to be added, and then click OK.
e. Click the group added in the Group or user names box, and then
click to select all of the check boxes in both the Change and Read
boxes.
f. Click Everyone in the Group or user names box, and then click
Remove.

Note You cannot grant permissions by adding the user directly to the DACL
file share when you use this procedure; however, you can create a domain
local group to grant permission to the share and add the remote forest groups
to this domain local group. You will directly add the users to the DACL in this
section. More information about group membership rules is provided in the
following section.

2. Verify that you can gain access to the domain and the Sampletext.txt
file that you created:
a. Log on to the server with administrative privileges.
b. Click Start, click Run, type the name of the test file share you
created in the Open box, and then press ENTER.
c. Double-click the Sampletext.txt file to confirm that you can open
and read the file. If you cannot open the file, verify that the
permissions are properly assigned.
d. Create a Sampletext2.txt file in a text editor, such as Notepad,
and then save the file to the folder to verify that you can save a file
to the share.

Procedure: Turn on the Selective Authentication option in forest
A to enable only selective authentication from forest B

Procedure Steps
To turn on the Selective Authentication option
1. Confirm that you are logged on to forest A with administrative
privileges.
2. Go to Start > All Programs > Administrative Tools > Active
Directory Domains and Trusts.
3. Right-click forest A, and then click Properties.
4. Click the Trusts tab, right-click forest B in the Domains trusted by
this domain (outgoing trusts) box, and then click Properties.
5. Click the Authentication tab, click Allow authentication only to
selected resources in the local forest, click OK, and then click OK.

Procedure: Create a test file and then assign permissions to the
share

Procedure Steps
To create a test file and then assign permissions to the share
1. On the designated computer, go to Start > All Programs >
Accessories >Windows Explorer.
2. In the console tree, click Local Disk (C:). Right-click a blank area in
the details pane, point to New, click Folder, and then type Testfolder
for the name of the new folder.
3. Double-click the new Testfolder folder in the details pane to open the
folder, right-click a blank area, point to New, click Text Document,
and then type Testdoc.txt for the name of the document.
4. In the console tree, right-click the Testfolder folder, and then click
Sharing and Security.
5. Click Share this folder, click Permissions, click Add, and then type
Administrator@[name of forest].
6. In the Group or user names box, click forest A.
7. Click Change in the Allow column in the Permissions for [name of
forest] Administrator@[name of domain].com box, click Read in the
Allow column, and then click OK.
8. In the Group or user names box, click Everyone, and then click
Remove.

Procedure: Verify that you cannot gain access to forest A from
forest B

Procedure Steps
To verify that you cannot gain access to forest A from forest B
1. Log on to the designated computer with administrative privileges.
2. Click Start, click Run, type \\<name of server>\<name of share>
in the Open box, and then press ENTER.
3. You should not be able to gain access to the share because you
enabled the Selective Authentication option. If you can gain access
to the share, verify that the permissions are properly configured.

Procedure: Enable the Selective Authentication option for a
designated computer

Procedure Steps
To enable the Selective Authentication option for a designated
computer
1. Log on to the designated computer with administrative privileges.
2. Go to Start > All Programs > Administrative Tools > Active
Directory Users and Computers.
3. On the View menu, click Advanced Features. In the console tree,
click Domain Controllers.
4. In the details pane, right-click the name of the designated computer,
and then click Properties.
5. Click the Security tab, click Add, type administrator@[name of
forest].com, and then click OK.
6. In the Group or user names box, click Administrator@[name of
forest].com, and then click to select the Allowed to authenticate
check box in the Allow column that is in the Permissions for
Administrator@[name of forest].com box.
After you do this, the administrator@[name of forest].com user can
authenticate to the designated computer.

Procedure: Verify that you can gain access from forest A to forest
B

Procedure Steps
To verify that you can gain access from forest A to forest B
1. Log on to the designated computer with administrative privileges.
2. Click Start, click Run, type \\<name of server>\<name of share>
in the Open box, and then press ENTER.
You can now gain access to the share.

Procedure: Remove the forest trust

Procedure Steps
To remove the forest trust
1. Log on to the domain with administrative privileges.
2. Go to Start > All Programs > Administrative Tools > Active
Directory Domains and Trusts.
3. In the console tree, right-click the domain, and then click Properties.
4. Click the Trusts tab, right-click the forest to be removed in the
Domains trusted by this domain (outgoing trusts) box, and then
click Remove.
5. Click Yes, remove the trust from the local domain and the other
domain.
6. In the User name box, type Administrator and then type the
password in the Password box.
7. Click Yes, and then choose the option to remove the trust.
8. Repeat steps 4 through 7 to remove the incoming trust in the
Domains that trust this domain (incoming trusts) box.

Procedure: Determine whether a domain controller is a global
catalog server
The setting for designating the domain controller as a global catalog
server is located in the properties of the Child NTDS Settings object of the
respective Server object.

Procedure Requirements
● Credentials: Domain Users
● Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To determine whether a domain controller is a global catalog
server
1. In Active Directory Sites and Services, expand the Sites container,
expand the site of the domain controller you want to check, expand
the Servers container, and then expand the Server object.
2. Right-click the NTDS Settings object, and then click Properties.
3. On the General tab, if the Global Catalog box is selected, the server
is designated as a global catalog server.

Procedure: Remove Active Directory


To use the Active Directory Installation Wizard to remove Active Directory,
you must know the password to assign to the local Administrator account
of the server after Active Directory is removed.

Procedure Requirements
● Credentials: Domain Admin
● Tool: Dcpromo.exe

Procedure Steps
To remove Active Directory
1. In the Run text box, type dcpromo and click OK.
2. The Active Directory Installation Wizard appears. Click Next at the
Welcome screen.
3. You have an option to select “This server is the last domain controller
in the domain.” If you select this option, the wizard attempts to remove
the domain from the forest. Do not select this option. Click Next.
4. At the Administrative Password screen, enter and confirm the
password that you want to assign to the local Administrator account
after Active Directory is removed. Click Next.
5. At the Summary screen, verify that the information is correct and then
click Next to proceed with the removal.
6. The wizard proceeds to remove Active Directory. After it finishes, the
wizard displays a completion screen. Click Finish to close the wizard.
7. Click Restart to restart the domain controller.

Procedure: Delete a Server object from a site
When no Child objects are visible below the Server object in Active
Directory Sites and Services, you can remove the Server object.

Procedure Requirements
● Credentials: Domain Admins
● Tool: Active Directory Sites and Services (Administrative Tools)
● No Child objects appear below the Server object in Active Directory
Sites and Services

Procedure Steps
To delete a Server object from a site
1. In Active Directory Sites and Services, expand the Sites container, and
then expand the site from which you want to delete a Server object.
2. Expand the Servers container, and then expand the Server object
you want to delete.
3. If no Child objects appear below the Server object, right-click the
Server object, and then click Delete.

Important Do not delete a Server object that has a Child object. If an NTDS
Settings or other Child object appears below the Server object you want to delete,
either replication on the domain controller on which you are viewing the
Configuration container has not occurred, or the server whose Server object you
are removing has not been properly decommissioned.

4. Click Yes to confirm your choice.
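The two checks above (global catalog flag in the NTDS Settings object, and no Child objects left under a Server object) can be read from the Configuration partition in one pass. The following PowerShell is an added example, not part of the guide; it needs only Domain Users credentials and uses System.DirectoryServices so no AD module is required. The function name and the assumption that site names contain no commas are the author's.

```powershell
# Added example (not from the guide): list every Server object in the Sites
# container with the state of its NTDS Settings child, so one query answers both
# "is this domain controller a global catalog?" and "is this Server object empty
# and therefore safe to delete?". Runs with Domain Users credentials from any
# domain-joined host.
Add-Type -AssemblyName System.DirectoryServices

# The global catalog flag is bit 0 (NTDSDSA_OPT_IS_GC) of the nTDSDSA options attribute
$NTDSDSA_OPT_IS_GC = 0x1

function Get-NtdsServerStatus {
    param(
        # Optional site name to limit the listing (assumes site names contain no commas)
        [string]$SiteName
    )
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://CN=Sites,$configNc"
    $searcher.Filter      = '(objectClass=server)'
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 500
    $searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'distinguishedName'))

    foreach ($result in $searcher.FindAll()) {
        $serverDn = [string]$result.Properties['distinguishedname'][0]
        # Server DNs have the form CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
        $site = (($serverDn -split ',')[2]) -replace '^CN=', ''
        if ($SiteName -and $site -ne $SiteName) { continue }

        # A properly decommissioned domain controller leaves no child objects behind
        $server   = [ADSI]"LDAP://$serverDn"
        $children = @($server.Children)
        $ntds     = $children | Where-Object { $_.SchemaClassName -eq 'nTDSDSA' } | Select-Object -First 1

        $isGc = $null
        if ($ntds) {
            $options = [int]($ntds.Properties['options'].Value)
            $isGc = [bool]($options -band $NTDSDSA_OPT_IS_GC)
        }

        [pscustomobject]@{
            Server          = [string]$result.Properties['cn'][0]
            Site            = $site
            HasNtdsSettings = [bool]$ntds
            ChildObjects    = $children.Count
            IsGlobalCatalog = $isGc            # $null when no NTDS Settings object exists
            SafeToDelete    = ($children.Count -eq 0)
        }
    }
}

Get-NtdsServerStatus | Format-Table -AutoSize
```

A Server object that still shows child objects but whose domain controller is known to be gone points at the replication or decommissioning problem the Important note describes, so check that before deleting anything.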

Procedure: Use the System Properties interface to change the name

Procedure Steps
To use the System Properties interface to change the name
1. In Control Panel, click System Properties.
2. On the Computer Name tab, click Change.
3. Click OK to acknowledge that renaming the domain controller may
cause it to become temporarily unavailable to users and computers
(see note below).
4. Under Computer Name, type the new name.
5. Click OK to close the System Properties box.
6. If prompted, enter the user name and password of an account with
Domain Admins or Enterprise Admins membership.

Note Renaming a domain controller in this way may result in Active Directory
replication latency delaying the ability for clients to locate or authenticate the
domain controller under its new name.

Procedure: Determine the location and size of the directory database files
Be sure to use the same method to check file sizes when you compare
them. The size is reported differently, depending on whether the domain
controller is online or offline, as follows:
● Determine the database size and location online. This size is
reported in bytes. If you must manage the database file, the log files,
or both, first determine the location and size of the files. By default,
the database file and associated log files are stored in the
%systemroot%\NTDS directory.
● Determine the database size and location offline. This size is
reported in megabytes (MB). Use this method if the domain controller
is already started in Directory Services Restore Mode.
You can also use the Search command on the Start menu to locate the
database file (Ntds.dit) or the edb*.log file for the location of the database
and log files, respectively.
If you have set garbage collection logging to report free disk space, then
event ID 1646 in the Active Directory service log also reports the size of
the database file: “Total allocated hard disk space (megabytes):”
Alternatively, you can determine the size of the database file by listing the
contents of the directory that contains the files.

Procedure Requirements (Online)
● Credentials: Domain Admins
● Tool: Command line: dir command

Procedure Steps
To determine the directory database size online
1. On the domain controller on which you want to manage database files,
open a command prompt and change directories to the directory
containing the files you want to manage.
2. Run the dir command to examine the database size. In the following
example, Ntds.dit file and the log files are stored in the same directory.
In the example, the files take up 58,761,216 bytes of disk space.
H:\NTDS>dir
Volume in drive H has no label.
Volume Serial Number is 003D-0E9E
Directory of H:\NTDS
01/29/2002 11:04 AM <DIR> .
01/29/2002 11:04 AM <DIR> ..
01/28/2002 03:03 PM <DIR> Drop
01/29/2002 10:29 AM 8,192 edb.chk
01/29/2002 10:29 AM 10,485,760 edb.log
01/29/2002 10:29 AM 10,485,760 edb00001.log
01/29/2002 10:29 AM 14,696,448 ntds.dit
01/28/2002 02:54 PM 10,485,760 res1.log
01/28/2002 02:54 PM 10,485,760 res2.log
7 File(s) 58,761,216 bytes
3 Dir(s) 779,284,480 bytes free

Procedure Requirements (Offline)
This size is reported in megabytes (MB). Use this method if the domain
controller is already started in Directory Services Restore Mode.
If the domain controller is started in Directory Services Restore Mode, you
can use Ntdsutil.exe to report the Ntds.dit database file and log file
locations, as well as the free disk space on all local drives.
● Domain controller is started in Directory Services Restore Mode
● Credentials: local Administrator account
● Tool: Ntdsutil.exe (system tool)

Procedure Steps
To check directory database information and free disk space
offline
1. With the domain controller in Directory Services Restore Mode, open a
command prompt, type ntdsutil and then press ENTER.
2. At the ntdsutil: prompt, type files and then press ENTER.
3. At the file maintenance: prompt, type info and press ENTER.
4. At the file maintenance: prompt, type quit and press ENTER. Type
quit and press ENTER again to quit Ntdsutil.exe.

Procedure: Compare the size of the directory database files to the volume size
Before moving any files in response to low disk space, verify that no other
files on the volume are responsible for the condition of low disk space.

You might need to relocate the database file, the log files, or both, if disk
space on the volume on which they are stored becomes low. Before
moving the database file or log files, examine the size of the database
folder, logs folder, or both, if they are stored in the same location, relative
to the size of the volume to verify that these files are the cause of low disk
space. Include the size of the SYSVOL folder if it is on the same partition.

Procedure Requirements
● Credentials: Domain Users (online) or local administrator (offline)
● Tool: Command line: dir command

Procedure Steps
To compare the size of the directory database files to the volume
size
1. In Windows Explorer, click My Computer.
2. On the View menu, click Details.
3. In the Name column in the details pane, locate the volume. Make a
note of the value in the Total Size column.
4. Navigate to the folder that stores the database file, the log files, or
both.
5. Right-click the folder, and then click Properties. Make a note of the
value in Size on disk.
6. If the volume includes SYSVOL, navigate to that folder and repeat step
5.
7. Compare the sizes. If the combined size of the relevant database files
and SYSVOL files (if appropriate) is significantly smaller than the
volume size, then check the contents of the volume for other files.
8. If other files are present, move those files and reassess the disk space
on the volume.

Procedure: Move the database file, the log files, or both
Move the files to a temporary destination if you need to reformat the
original location, or to a permanent location if you have additional disk
space. Moving the files can be performed locally by using Ntdsutil.exe or
remotely (temporarily) by using a file copy, as follows:

Subprocedure 1: Move the directory database files to a local drive
To move the directory database files to a different local folder, always use
Ntdsutil.exe because this tool automatically updates the registry with the
new path.
If you need to reformat the partition that currently stores the database
file, the log files, or both, then you must move the files temporarily while
you reformat the original drive. After you reformat the drive, use the same
procedure to move the files back. Even if you are moving the files only
temporarily, use Ntdsutil.exe so that the registry is always current.

Note If the SYSVOL folder is stored on the partition you are reformatting, you must
move SYSVOL as well as the database files, which requires a separate procedure.

The registry entries that Ntdsutil.exe updates when you move the
database file are as follows:
● In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters:
● Database backup path
● Digital Signature Algorithm (DSA) database file
● DSA working directory

The registry entry that Ntdsutil.exe updates when you move the log files is
as follows:
● In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters:
● Database log files path

Procedure Requirements
● Domain controller is started in Directory Services Restore Mode
● Credentials: local Administrator account
● Disk space:
● Temporary location. Free space on the destination drive
equivalent to at least the current size of the database file, the
combined log files, or both, depending on which files you are
moving.

● Permanent location. Free space on the destination NTFS drive
equivalent to at least the size specified below, plus space to
accommodate anticipated growth, depending on which file or files
you are moving.

Caution The drive that is the permanent location of the database file or log files
must be formatted as NTFS.
● Database file only: The size of the database file plus 20 percent of the Ntds.dit file
or 500 MB, whichever is greater.
● Log files only: The size of the combined log files plus 20 percent of the combined
logs or 500 MB, whichever is greater.
● Database and logs. If the database and log files are stored on the same partition,
free space should be at least 20 percent of the combined Ntds.dit and log files, or
1 GB, whichever is greater.

Important The preceding levels are minimum recommended levels. If you have
followed the recommendations in “Monitoring Active Directory” in this guide, falling
below these minimum levels causes a monitoring warning. Therefore, adding
additional space according to anticipated growth is recommended.
● Tools:
● Command line: dir command
● Ntdsutil.exe (system tool)
● Windows Explorer
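The "Compare the size" procedure above and the free-space minimums just listed can be checked together from the registry entries that Ntdsutil.exe maintains. The following PowerShell is an added example, not part of the guide: it reads the database and log paths from the NTDS Parameters key, measures the files (and SYSVOL when it sits on the same volume, as step 6 of the compare procedure requires), and tests the volume against the 20 percent / 500 MB / 1 GB rule for a permanent location. It assumes PowerShell 3.0 or later on the domain controller itself and that the SysVol value under Netlogon\Parameters points at the SYSVOL folder; the function names are the author's.

```powershell
# Added example, not from the guide: measure Ntds.dit, the log files and (if on the
# same volume) SYSVOL, compare them with the volume, and check the minimum free
# space the guide gives for the files' permanent location.

function Get-FolderBytes {
    param([string]$Path, [string]$Filter = '*', [switch]$Recurse)
    # Sum of file lengths, the same byte total that the dir listing reports
    $total = 0L
    foreach ($f in Get-ChildItem -Path $Path -Filter $Filter -File -Recurse:$Recurse) {
        $total += $f.Length
    }
    return $total
}

function Get-NtdsVolumeReport {
    $ntds   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dbFile = $ntds.'DSA Database file'                 # full path of Ntds.dit
    $logDir = $ntds.'Database log files path'           # folder holding edb*.log
    $sysvol = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').SysVol

    $dbVol  = Split-Path -Path $dbFile -Qualifier        # e.g. "H:"
    $logVol = Split-Path -Path $logDir -Qualifier
    $logsOnDbVolume   = ($logVol -eq $dbVol)
    $sysvolOnDbVolume = [bool]$sysvol -and ((Split-Path -Path $sysvol -Qualifier) -eq $dbVol)

    $dbBytes  = (Get-Item -Path $dbFile).Length
    $logBytes = Get-FolderBytes -Path $logDir -Filter '*.log'     # edb*.log and reserve logs
    $svBytes  = if ($sysvolOnDbVolume) { Get-FolderBytes -Path $sysvol -Recurse } else { 0L }
    $onVolume = $dbBytes + $(if ($logsOnDbVolume) { $logBytes } else { 0L }) + $svBytes

    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$dbVol'"

    # Minimum free space for the permanent location: 20 percent of the file(s) or a
    # fixed floor, whichever is greater (500 MB for one set of files, 1 GB when the
    # database and logs share a volume). Growth headroom still has to be added.
    $minFree = if ($logsOnDbVolume) {
        [math]::Max(0.2 * ($dbBytes + $logBytes), 1GB)
    } else {
        [math]::Max(0.2 * $dbBytes, 500MB)
    }

    [pscustomobject]@{
        Volume                    = $dbVol
        FileSystem                = $disk.FileSystem
        IsNtfs                    = ($disk.FileSystem -eq 'NTFS')
        VolumeSizeMB              = [math]::Round($disk.Size / 1MB)
        FreeMB                    = [math]::Round($disk.FreeSpace / 1MB)
        NtdsDitMB                 = [math]::Round($dbBytes / 1MB, 1)
        LogsMB                    = [math]::Round($logBytes / 1MB, 1)
        LogsOnSameVolume          = $logsOnDbVolume
        SysvolOnSameVolumeMB      = [math]::Round($svBytes / 1MB, 1)
        # A small share means other files are consuming the volume; find them first
        DirectoryShareOfVolumePct = [math]::Round(100 * $onVolume / $disk.Size, 1)
        MinFreeRequiredMB         = [math]::Round($minFree / 1MB)
        MeetsMinimumFree          = ([double]$disk.FreeSpace -ge $minFree)
    }
}

Get-NtdsVolumeReport | Format-List
```

Run it against the destination drive too (point the Win32_LogicalDisk filter at that drive letter) before moving the files, since the NTFS and free-space requirements apply to the new location.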

Procedure Steps
To move the directory database files to a different local drive
1. In Directory Services Restore Mode, open a command prompt and
change directories to the current location of the directory database file
(Ntds.dit) or the log files, whichever you are moving.
2. Run the dir command and make a note of the current size and location
of the Ntds.dit file.
3. At the command prompt, type ntdsutil and then press ENTER.
4. At the ntdsutil: prompt, type files and then press ENTER.
5. To move the database file, at the file maintenance: prompt, use the
following commands:
● To move the Ntds.dit file, type:
move db to drive:\directory
where drive:\directory is the path to the new location. If the
directory does not exist, then Ntdsutil.exe creates it.

Note If the directory path contains any spaces, the entire path must be
surrounded by quotation marks (for example, move db to "g:\new folder").

● To move the log files, type:
move logs to drive:\directory

6. After the move completes, at the file maintenance: prompt, type
quit and press ENTER. Type quit again and press ENTER to quit
Ntdsutil.exe.

7. Change to the destination directory and then run the dir command to
confirm the presence of the files. If you have moved the database file,
then check the size of the Ntds.dit file against the file size you noted in
step 2 to be sure that you are focused on the correct file.
8. If you are moving the database file or log files permanently, go to step
9.
If you are moving the database file or log files temporarily, you can
now perform any required updates to the original drive. After you
update the drive, repeat steps 1 through 7 to move the files back to
the original location.
9. If the path to the database file or log files has not changed, go to step
10.
If the path to the database file or log files has changed from the
original location, check permissions on the database folder or logs
folder while still in Directory Services Restore Mode, as follows:
a. In Windows Explorer, right-click the folder to which you have moved
the database file or log files, and then click Properties.
b. Click the Security tab, and verify that the permissions are:
● Administrators group has Allow Full Control.
● System has Allow Full Control.
● Inheritable permissions are not allowed (checkbox is cleared).
● No Deny permissions are selected.
c. If the permissions in step 9b are in effect, then go to step 10. If
permissions other than those described in step 9b are in effect,
then perform steps 9d through 9k.
d. If Allow inheritable permissions from parent to propagate to
this object is selected, click to clear it.
e. When prompted, click Copy to copy previously inherited
permissions to this object.
f. If Administrators or SYSTEM, or both, are not in the Name list, click
Add.
g. On the Select Users or Groups page, in the Look in: box, be sure
the name of the local computer is selected.
h. In the Name list, click System if needed, and then click Add.
Repeat to add Administrators, if needed, and then click OK.
i. On the Security tab, click System and then in the Allow column,
click Full Control. Repeat for Administrators.
j. In the Name box, click any name that is not SYSTEM or
Administrators, and then click Remove. Repeat until the only
remaining accounts are Administrators and SYSTEM, and then click
OK.

Note Some accounts might appear in the form of security identifiers (SIDs).
Remove any such accounts.

k. Click OK to close Properties.

10. At the command prompt, type ntdsutil and then press ENTER.
11. At the ntdsutil: prompt, type files and then press ENTER.
12. At the file maintenance: prompt, type integrity and then press
ENTER.
If the integrity check fails, perform semantic database analysis with a
fixup record.
13. If the integrity check succeeds, type quit and press ENTER to quit the
file maintenance: prompt. Type quit again and press ENTER to quit
Ntdsutil.exe.
14. Restart the domain controller normally. If you are performing this
procedure remotely over a Terminal Services connection, be sure that
you have modified the Boot.ini file for normal restarting before you
restart the domain controller.

If errors appear when you restart the domain controller:
1. Restart the domain controller in Directory Services Restore Mode.
2. Check the errors in Event Viewer.

If the following events are logged in Event Viewer on restarting the
domain controller, address the events as follows:
● Event ID 1046. “The Active Directory database engine caused an
exception with the following parameters.” In this case, Active Directory
cannot recover from this error and you must restore from backup
media.
● Event ID 1168. “Internal error: An Active Directory error has occurred.”
In this case, information is missing from the registry and you must
restore from backup media.
Subprocedure 2: Copy the directory database files to a remote share and back
When copying any database files from the local computer, always copy
both the database file and the log files.
If you need to move the database file or the log files while you reconfigure
the drive on which they are currently stored, and you do not have
sufficient space to move the files locally, then you can use the xcopy
command to copy the files to a remote shared folder temporarily, and
then use the same procedure to copy them back to the original drive. You
can use this method as long as the path to the files does not change.

Important When relocating any database files (the database file or the log files) off
the local computer, always copy both the database file and the log files so that all of
the files necessary to restore the directory service are maintained.

Procedure Requirements
● Domain controller is started in Directory Services Restore Mode.
● Credentials: local Administrator account.
● Shared folder on a remote drive that has enough free space to hold the
database file (Ntds.dit) and log files. Create separate subdirectories for
copying the database file and the log files.
● Disk space:
● Temporary location. Free space on the destination drive equivalent
to at least the current combined size of the database file or log files,
depending on which files you are moving.
● Permanent location. Free space on the destination NTFS drive
equivalent to at least the following sizes, plus space to accommodate
anticipated growth of the environment, depending on which files you
are moving.

Caution The drive that is the permanent location of the database or log files must
be formatted as NTFS.
● Database file only: The size of the database file plus 20 percent of the Ntds.dit file
or 500 MB, whichever is greater.
● Log files only: The size of the combined log files plus 20 percent of the combined
logs or 500 MB, whichever is greater.
● Database and logs. If the database and log files are stored on the same partition,
free space equal to at least 20 percent of the combined Ntds.dit and log files, or 1
GB, whichever is greater.

Important The preceding levels are minimum recommended levels. If you follow
monitoring recommendations, falling below these minimum levels generates an
alert. Therefore, adding additional space according to anticipated growth is
recommended.

● Tools:
● Command line: net use, dir, xcopy commands
● Ntdsutil.exe (system tool)

Procedure Steps
To copy the directory database and log files to a remote drive and
back to the local computer
1. In Directory Services Restore Mode, open a command prompt and
change directories to the current location of the database file (Ntds.dit)
or the log files. If the database file and log files are in different
locations, perform step 2 for each directory.
2. Run the dir command and make a note of the current size and location
of the Ntds.dit file and the log files.
3. Establish a network connection to a shared folder, as shown below.
Because you are logged on as the local administrator, unless
permissions on the shared folder include the built-in Administrator
account, you must provide a domain name, user name, and password
for an account that has Write permissions on the shared folder.
In the example below, \\SERVER1\NTDS is the name of the shared
folder. K: is the drive that you have mapped to the shared folder.
Example text that describes information that you type is shown in bold.
After typing the first line and pressing ENTER, Ntdsutil.exe prompts
you for the password. Type the password and then press ENTER.
H:\>net use K: \\SERVER1\NTDS /user:domainName\userName *
Type the password for \\SERVER1\NTDS:
Drive K: is now connected to \\SERVER1\NTDS
The command completed successfully.

4. Use the xcopy command to copy the database file and log files to the
location you established in step 3. In the example where the database
file is located in H:\WINNT\NTDS and the share has the subdirectory
database, the text you type is shown in bold:
H:>xcopy WINNT\NTDS K:\DB
The command copies the contents of WINNT\NTDS to the subfolder
database in the shared folder described as drive K:. If the database file
and log files are in different locations, repeat the xcopy command for
the log files, specifying the subfolder for the log files.
5. Change drives to the new location and run the dir command to
compare the file sizes to those listed in step 2. Use this step to ensure
that you copy the correct set of files back to the local computer.
6. At this point, you can safely destroy data on the original local drive.
7. After the destination drive is prepared, re-establish a connection to the
network drive as described in step 3, if necessary.
8. Copy the database and log files from the remote shared folder back to
the original location on the domain controller.
9. At the command prompt, type ntdsutil and then press ENTER.
10. At the ntdsutil: prompt, type files and then press ENTER.
11. At the file maintenance: prompt, type integrity and then press
ENTER.
If the integrity check fails, perform semantic database analysis with a
fixup record.
12. If the integrity check succeeds, type quit and press ENTER to quit the
file maintenance: prompt. Type quit again and press ENTER to quit
Ntdsutil.exe.
13. Restart the domain controller normally. If you are performing this
procedure remotely over a Terminal Services connection, be sure that
you have modified the Boot.ini file for normal restarting before you
restart the domain controller.
If errors appear when you restart the domain controller:
● Restart the domain controller in Directory Services Restore Mode.
● Check the errors in Event Viewer.
If the following events are logged in Event Viewer on restarting the
domain controller, respond to the events as follows:
● Event ID 1046. “The Active Directory database engine caused an
exception with the following parameters.” In this case, Active
Directory cannot recover from this error and you must restore from
backup media.
● Event ID 1168. “Internal error: An Active Directory error has
occurred.” In this case, information is missing from the registry and
you must restore from backup media.
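Steps 2 and 5 of this subprocedure rely on comparing file sizes by eye to be sure the right files come back. The following PowerShell is an added example, not part of the guide: it records each file's size and SHA-256 hash in a manifest before the copy out, then verifies both the copy on the share and the copy back against that manifest, which also catches a truncated or substituted file that a size check would pass. \\SERVER1\NTDS, K: and H:\WINNT\NTDS are the guide's example values; the function names are the author's, and Get-FileHash needs PowerShell 4.0 or later.

```powershell
# Added example, not part of the guide: manifest-based verification of the
# database and log files on their way to the remote share and back.

function New-NtdsCopyManifest {
    param(
        [Parameter(Mandatory)][string]$SourceDir,    # folder holding Ntds.dit and edb*.log
        [Parameter(Mandatory)][string]$ManifestPath  # CSV to write, kept with the copy
    )
    $entries = foreach ($f in Get-ChildItem -LiteralPath $SourceDir -File) {
        [pscustomobject]@{
            Name   = $f.Name
            Length = $f.Length
            Sha256 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        }
    }
    $entries | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
    return $entries
}

function Test-NtdsCopyManifest {
    param(
        [Parameter(Mandatory)][string]$TargetDir,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    # Returns $true only when every file in the manifest is present with the
    # recorded size and hash; each discrepancy is reported as a warning.
    $ok = $true
    foreach ($e in Import-Csv -LiteralPath $ManifestPath) {
        $path = Join-Path -Path $TargetDir -ChildPath $e.Name
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "Missing: $($e.Name)"; $ok = $false; continue
        }
        $actual = Get-Item -LiteralPath $path
        if ([long]$actual.Length -ne [long]$e.Length) {
            Write-Warning "Size mismatch: $($e.Name) expected $($e.Length) got $($actual.Length)"
            $ok = $false; continue
        }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($hash -ne $e.Sha256) {
            Write-Warning "Hash mismatch: $($e.Name)"; $ok = $false
        }
    }
    return $ok
}

# Outbound copy, as in steps 3 to 5 (run in Directory Services Restore Mode).
# The database file and the log files are always copied together.
$share = '\\SERVER1\NTDS'
$cred  = Get-Credential -Message "Account with Write permission on $share"
New-PSDrive -Name K -PSProvider FileSystem -Root $share -Credential $cred | Out-Null
New-Item -ItemType Directory -Path 'K:\DB' -Force | Out-Null
New-NtdsCopyManifest -SourceDir 'H:\WINNT\NTDS' -ManifestPath 'K:\DB\manifest.csv' | Out-Null
Get-ChildItem -LiteralPath 'H:\WINNT\NTDS' -File | Copy-Item -Destination 'K:\DB' -Force
if (-not (Test-NtdsCopyManifest -TargetDir 'K:\DB' -ManifestPath 'K:\DB\manifest.csv')) {
    throw 'Outbound copy does not match the manifest; do not touch the original drive.'
}
# After the original drive is prepared (steps 6 to 8), copy back and verify again:
#   Get-ChildItem -LiteralPath 'K:\DB' -File | Where-Object Name -ne 'manifest.csv' |
#       Copy-Item -Destination 'H:\WINNT\NTDS' -Force
#   Test-NtdsCopyManifest -TargetDir 'H:\WINNT\NTDS' -ManifestPath 'K:\DB\manifest.csv'
```

Only proceed to step 6 (destroying data on the original drive) when the outbound verification returns $true, and run the integrity check in steps 9 to 12 after the copy back as the guide describes.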

Procedure: Change the garbage collection logging level to 1
Check the directory service event log for event ID 1646, which reports the
amount of disk space that you can recover by performing offline
defragmentation.
The garbage collection logging level is an NTDS diagnostics setting in the
registry.

Procedure Requirements
● Credentials: Domain Admins
● Tools: Regedit.exe or Regedt32.exe (system tools)

Procedure Steps

Caution The Registry Editor bypasses standard safeguards, allowing settings that
can damage your system or even require you to reinstall Windows. If you must edit
the registry, back up system state first. For information about backing up system
state, see "Active Directory Backup and Restore" in this guide.

To change the garbage collection logging level
1. In the Run text box, type regedit or regedt32, and then click OK.
2. Navigate to the Garbage Collection entry in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.
3. Double-click Garbage Collection, and for the Base or Radix, click
Decimal.
4. In the Value data or Data box, type an integer from 0 through 5, and
then click OK.
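The registry change and the event ID 1646 check it enables can be scripted. The following PowerShell is an added example, not part of the guide: it exports the Diagnostics key with reg.exe before writing (a quick fallback, not a replacement for the system state backup the caution calls for), sets Garbage Collection to the requested level, and parses the latest 1646 event. It assumes PowerShell 2.0 or later (Get-WinEvent), and that the 1646 message labels its figures "Free hard disk space (megabytes)" and "Total allocated hard disk space (megabytes)"; the function names are the author's.

```powershell
# Added example, not from the guide: set the Garbage Collection diagnostics level
# and read back what event 1646 reports about the database file.

$diagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Set-NtdsGarbageCollectionLogging {
    param(
        [ValidateRange(0, 5)][int]$Level = 1,               # guide: an integer from 0 through 5
        [string]$BackupFile = "$env:TEMP\NTDS-Diagnostics.reg"
    )
    # Restorable copy of the key before the edit (double-click the .reg file to revert)
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }
    $before = (Get-ItemProperty -Path $diagKey -Name 'Garbage Collection').'Garbage Collection'
    Set-ItemProperty -Path $diagKey -Name 'Garbage Collection' -Value $Level -Type DWord
    [pscustomobject]@{ PreviousLevel = $before; CurrentLevel = $Level; KeyBackup = $BackupFile }
}

function Get-NtdsGarbageCollectionReport {
    # Event 1646 is written on the next garbage-collection pass (every 12 hours by
    # default), so it may not exist yet right after the level is raised.
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1646 } `
                       -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $ev) { return $null }
    $free  = if ($ev.Message -match 'Free hard disk space \(megabytes\):\s*(\d+)') { [int]$Matches[1] } else { $null }
    $total = if ($ev.Message -match 'Total allocated hard disk space \(megabytes\):\s*(\d+)') { [int]$Matches[1] } else { $null }
    [pscustomobject]@{
        Logged           = $ev.TimeCreated
        TotalAllocatedMB = $total   # current size of the database file
        FreeInsideFileMB = $free    # space an offline defragmentation would recover
        Message          = $ev.Message
    }
}

Set-NtdsGarbageCollectionLogging -Level 1
Get-NtdsGarbageCollectionReport | Format-List
```

A $null report simply means no garbage-collection pass has run since logging was enabled; check again after the next pass rather than assuming the setting failed.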

Procedure: Take the domain controller offline
Subprocedure 1: If you are logged on to the domain controller
locally, restart the domain controller in Directory Services
Restore Mode
To take a domain controller offline, restart it in Directory Services Restore
Mode and log on as the local administrator. If you have physical access to
the domain controller, you can start in Directory Services Restore Mode
locally.
In Directory Services Restore Mode, the domain controller is running as a
member server and not as a domain controller. When you start Windows
2000 Server in this mode, the local Administrator account is authenticated
by the local Security Accounts Manager (SAM) database. Therefore,
logging on requires using the local administrator password, not an Active
Directory domain password.

Procedure Requirements
● Credentials: local Administrator account
● Tool: None

Procedure Steps
To locally restart in Directory Services Restore Mode
1. Restart the domain controller.
2. When the screen for selecting an operating system appears, press F8.
3. From the Windows Advanced Options menu, select Directory
Services Restore Mode.
4. When prompted, log on as the local administrator.

Subprocedure 2: If you are using Terminal Services for remote
administration, you can remotely restart the domain controller in
Directory Services Restore Mode after modifying the Boot.ini file
on the remote server
To take a domain controller offline, restart it in Directory Services Restore
Mode and log on as the local administrator. If the administrative computer
has Terminal Services client installed and the domain controller has
Terminal Services installed and configured in Remote Administration
mode, you can connect to the domain controller, modify the Boot.ini file,
and restart the domain controller in Directory Services Restore Mode.
In Directory Services Restore Mode, the domain controller is running as a
member server and not as a domain controller. When you start Windows
Server 2003 in this mode, the local Administrator account is authenticated
by the local SAM database. Therefore, logging on requires using the local
administrator password, not an Active Directory domain password.

Procedure Requirements
● Credentials: local Administrator account
● Tools: Terminal Services client, Notepad

Procedure Steps
To remotely restart in Directory Services Restore Mode
1. On a Terminal Services client, connect to the domain controller you
want to restart in Directory Services Restore Mode. Perform the
following steps on the remote domain controller.
2. Right-click My Computer, select Properties, and then select the
Advanced tab.
3. Click Settings for startup and recovery.
4. Click the Edit button to edit the startup options file.
5. Modify the default entry to include the safeboot:dsrepair switch, as
shown in the following example:
multi(0)disk(0)rdisk(0)partition(2)\WINNT="W2K DC \\<your server name>" /fastdetect /SAFEBOOT:DSREPAIR

Note The /safeboot:dsrepair switch works for domain controllers running the
Windows 2000 Server family.

6. Save the modified Boot.ini file and close Notepad.
7. On the Start menu, click Shut Down and then click Restart. During
the restart process, the Terminal Services client reports the session is
disconnected.

Caution Be sure to click Restart and not Shut Down at this step. If you click
Shut Down, you cannot remotely restart the domain controller.

8. Wait until the restart process has completed on the remote domain
controller, and then reconnect the client session.
9. When reconnected, log on as the local administrator.
10. Right-click My Computer, select Properties, and then select the
Advanced tab.
11. Click Settings for startup and recovery.
12. Click the Edit button to edit the startup options file.
13. Delete the /safeboot:dsrepair switch from the default entry in the
Boot.ini file and save the file. Close Notepad.

Important If you restart the domain controller before you modify the Boot.ini file,
the domain controller remains offline.

The Boot.ini file is now returned to its original state, which starts the
domain controller normally.
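The Boot.ini edits in steps 5 and 13 are the error-prone part of this subprocedure: the Important note above shows what happens when the switch is left in place. The following PowerShell is an added example, not part of the guide: it adds or removes /SAFEBOOT:DSREPAIR on the entry named by the default= line, backs the file up first, handles the read-only, hidden and system attributes Boot.ini normally carries, and provides a check to run before the final normal restart. It applies to Windows 2000 and Windows Server 2003 hosts that boot from Boot.ini; the path C:\boot.ini and the function names are the author's assumptions.

```powershell
# Added example, not from the guide: toggle the Directory Services Restore Mode
# switch on the default Boot.ini entry and verify it is gone before a normal restart.

function Set-BootIniDsRestoreMode {
    param(
        [Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$Action,
        [string]$Path = 'C:\boot.ini'
    )
    $switch = '/SAFEBOOT:DSREPAIR'
    $lines  = Get-Content -LiteralPath $Path

    # [boot loader] default= names the ARC path of the entry that starts by default
    $defaultArc = $null
    foreach ($l in $lines) {
        if ($l -match '^\s*default\s*=\s*(\S+)') { $defaultArc = $Matches[1]; break }
    }
    if (-not $defaultArc) { throw "No default= entry found in $Path" }

    $changed = $null
    $out = foreach ($l in $lines) {
        # Entry lines look like: multi(0)disk(0)rdisk(0)partition(2)\WINNT="..." /fastdetect
        if ($l.StartsWith($defaultArc, [StringComparison]::OrdinalIgnoreCase)) {
            $hasSwitch = $l -match [regex]::Escape($switch)      # case-insensitive
            if ($Action -eq 'Enable' -and -not $hasSwitch) {
                $l = "$l $switch"
            } elseif ($Action -eq 'Disable' -and $hasSwitch) {
                $l = $l -replace ('\s*' + [regex]::Escape($switch)), ''
            }
            $changed = $l
        }
        $l
    }
    if (-not $changed) { throw "No [operating systems] entry matches $defaultArc" }

    # Keep a copy, clear the protective attributes to write, then restore them
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
    $item = Get-Item -LiteralPath $Path -Force
    $item.Attributes = 'Archive'
    Set-Content -LiteralPath $Path -Value $out -Encoding Ascii
    $item.Attributes = 'ReadOnly, Hidden, System, Archive'
    return $changed          # the entry line as it now reads, for confirmation
}

function Test-BootIniDsRestoreMode {
    param([string]$Path = 'C:\boot.ini')
    # $true while any entry still carries the switch; must be $false before step 13's restart
    [bool]((Get-Content -LiteralPath $Path) -match 'SAFEBOOT:DSREPAIR')
}

# Step 5: Set-BootIniDsRestoreMode -Action Enable
# Step 13: Set-BootIniDsRestoreMode -Action Disable; Test-BootIniDsRestoreMode   # expect False
```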

Procedure: Compact the directory database file (offline defragmentation)
As part of the offline defragmentation procedure, check directory
database integrity.
Performing offline defragmentation creates a new, compacted version of
the database file in a different location. This location can be either on the
same computer or a network-mapped drive. However, to avoid potential
problems related to network issues, perform this procedure locally.
After compacting the file to the temporary location, copy the compacted
Ntds.dit file back to the original location. If possible, maintain a copy of the
original database file that you have either renamed in its current location
or copied to an archival location.

Procedure Requirements
● Domain controller is started in Directory Services Restore Mode.
● Credentials:
● Local domain controller: local Administrator account
● Remote location: Read and Write permissions on the destination
drive and shared folder
● Disk space:
● Current database drive. Free space on the drive that contains
the file equivalent to at least 15 percent of the current size of the
database for temporary storage during the index rebuild process.
● Destination database drive. Free space equivalent to at least
the current size of the database for storage of the compacted
database file.
● Tools:
● Command line: net use, del, copy commands
● Ntdsutil.exe (system tool)

Procedure Steps
To perform offline defragmentation of the directory database
1. In Directory Services Restore Mode, compact the database file to a
local directory or remote shared folder, as follows:
● Local directory: Go to step 2.
● Remote directory: If you are compacting the database file to a
shared folder on a remote computer, establish a network
connection to the shared folder as shown below. Because you are
logged on as the local administrator, unless permissions on the
shared folder include the built-in Administrator account, you must
provide a domain name, user name, and password for a domain
account that has Write permissions on the shared folder. In the
example below, \\SERVER1\NTDS is the name of the shared folder,
and K: is the drive that you are mapping to the shared folder.
Example text that describes information that you type is shown in
bold. After typing the first line and pressing ENTER, Ntdsutil.exe
prompts you for the password. Type the password and then press
ENTER.
H:\>net use K: \\SERVER1\NTDS
/user:domainName\userName *
Type the password for \\SERVER1\NTDS:
Drive K: is now connected to \\SERVER1\NTDS
The command completed successfully.
2. At the command prompt, type ntdsutil and then press ENTER.
3. At the ntdsutil: prompt, type files and then press ENTER.
4. At the file maintenance: prompt, type compact to drive:\LocalDirectoryPath
(where drive:\LocalDirectoryPath is the path to a location on the local
computer) and then press ENTER.
If you have mapped a drive to a shared folder on a remote computer,
type the drive letter only (for example, compact to K:\).

Note When compacting to a local drive, you must provide a path. If the path
contains any spaces, enclose the entire path in quotation marks (for example,
compact to "c:\new folder"). If the directory does not exist, Ntdsutil.exe creates
it and creates the file named Ntds.dit in that location.

5. If defragmentation completes successfully, type quit and press ENTER
to quit the file maintenance: prompt. Type quit again and press
ENTER to quit Ntdsutil.exe. Go to step 6.
If defragmentation completes with errors, go to step 9.

Caution Do not overwrite the original Ntds.dit file or delete any log files.

6. If defragmentation succeeds with no errors, then follow the
Ntdsutil.exe onscreen instructions to delete all of the log files in the log
directory by typing del drive:\pathToLogFiles\*.log

Note You do not need to delete the Edb.chk file.

a. If space allows, either rename the original Ntds.dit file to preserve it
or else copy it to a different location. Avoid overwriting the original
Ntds.dit file.
b. Manually copy the compacted database file to the original location, as
follows:
copy temporaryDrive:\ntds.dit originalDrive:\pathToOriginalDatabaseFile\ntds.dit
7. Type ntdsutil and then press ENTER.
8. At the ntdsutil: prompt, type files and then press ENTER.
9. At the file maintenance: prompt, type integrity and then press
ENTER.
If the integrity check fails, the likely cause is that an error occurred
during the copy operation in step 6.b. Repeat steps 6.b. through step
9. If the integrity check fails again:
● Contact Microsoft Product Support Services.
-or-
● Copy the original version of the Ntds.dit file that you preserved in
step 6.a. to the original database location and repeat the offline
defragmentation procedure.

10. If the integrity check succeeds, proceed as follows:
● If the initial compact to command failed, go back to step 4 and
perform steps 4 through 9.
● If the initial compact to command succeeded, type quit and press
ENTER to quit the file maintenance: prompt, and then type quit
and press ENTER again to quit Ntdsutil.exe.
11. Restart the domain controller normally. If you are connected remotely
through a Terminal Services session, be sure that you have modified
the Boot.ini file for normal restarting before you restart the domain
controller.
If errors appear when you restart the domain controller:
1. Restart the domain controller in Directory Services Restore Mode.
2. Check the errors in Event Viewer.
If the following events are logged in Event Viewer on restarting the
domain controller, respond to the events as follows:
● Event ID 1046. “The Active Directory database engine caused an
exception with the following parameters.” In this case, Active
Directory cannot recover from this error and you must restore from
backup media.
● Event ID 1168. “Internal error: An Active Directory error has
occurred.” In this case, information is missing from the registry and
you must restore from backup media.
3. Check database integrity and then proceed as follows:
If the integrity check fails, try repeating step 6.b through step 9 above,
and then repeat the integrity check. If the integrity check fails again:
● Contact Microsoft Product Support Services.
-or-
● Copy the original version of the Ntds.dit file that you preserved in
step 6.a. to the original database location and repeat the offline
defragmentation procedure.
If the integrity check succeeds, perform semantic database analysis
with fixup.
4. If semantic database analysis with fixup succeeds, quit Ntdsutil.exe
and restart the domain controller normally.
5. If semantic database analysis with fixup fails, contact Microsoft
Product Support Services.

Procedure: If database integrity check fails, perform semantic database analysis with fixup

When you run semantic database analysis with the Go Fixup command
instead of the Go command, errors are written into Dsdit.dmp.xx log files.
A progress indicator reports the status of the check.

Procedure Requirements
● Domain controller is started in Directory Services Restore Mode.
● Credentials: local Administrator account
● Tool: Ntdsutil.exe (system tool)

Procedure Tasks
To perform semantic database analysis with fixup
1. If you are not already at the ntdsutil: prompt, open a command
prompt, type ntdsutil, and then press ENTER.
2. At the ntdsutil: prompt, type semantic database analysis and then
press ENTER.
3. At the semantic checker: prompt, type verbose on and then press
ENTER.
4. At the semantic checker: prompt, type go fixup and then press
ENTER.
● If errors are reported during the semantic database analysis Go
Fixup phase, perform directory database recovery.

WARNING Do not confuse the recover command with the repair command.
Never use the repair command in Ntdsutil.exe. Forest-wide data loss can
occur.

● If semantic database analysis with fixup succeeds, type quit and
then type quit again to close Ntdsutil.exe, and then restart the
domain controller normally. If you are performing this procedure
remotely over a Terminal Services connection, be sure that you
have modified the Boot.ini file for normal restarting before you
restart the domain controller.

Procedure: Start the File Replication service

Use this procedure to restart the File Replication service and review the
FRS event log to ensure that the restart succeeded.

Procedure Requirements
● Credentials: Domain Admins
● Tools: Net.exe, Event Viewer

Procedure Steps
To start the File Replication service
1. At a command prompt, type net start ntfrs and press ENTER.
2. You can use Event Viewer to verify that NTFRS restarted correctly.
Event ID 13501 indicates that the service restarted. Look for event ID
13516 to verify that the domain controller is running and ready for
service. If you moved SYSVOL to a new location or relocated the
Staging Area folder, look for event IDs 13553 and 13556, which
indicate success.

Procedure: Stop the File Replication service

Use this procedure to stop the File Replication service.

Procedure Requirements
● Credentials: Domain Admins
● Tools: Net.exe

Procedure Steps
To stop the File Replication service
● At a command prompt, type net stop ntfrs and press ENTER.

Procedure: Change the space allocated to the Staging Area folder

This procedure outlines the steps needed to modify the registry entry that
restricts the amount of disk space allocated to the staging area in SYSVOL.

Caution The Registry Editor bypasses standard safeguards, allowing settings that
can damage your system or even require you to reinstall Windows. If you must edit
the registry, back up system state first. For information about backing up system
state, see "Active Directory Backup and Restore" in this guide.

Procedure Requirements
● Credentials: Domain or Enterprise Admins
● Tools: Regedit.exe

Procedure Steps
To change the space allocated to the Staging Area folder
1. In the Run text box, type regedit and press ENTER.
2. In the Registry Editor, navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFRS\Parameters.
3. Double-click Staging Space Limit in KB to open the Edit dialog box.
4. In the Base frame, select Decimal.
5. For Value Data enter a value from 10000 through 2000000000. Do
not use commas. Click OK.
6. Close the Registry Editor.

Procedure: Reset the File Replication Service Staging folder to a different logical drive

Use this procedure to reset the FRS Staging folder to a different logical
drive.

Procedure Requirements
● Credentials: Domain Admins
● Tools: Net.exe, Event Viewer

Procedure Steps
To reset the FRS Staging folder
1. Start the Adsiedit program.
2. Under Domain NC, locate the NTFRS Subscriber object under the
host computer account in Active Directory. The generic path for this
attribute is: CN=Replica Set Name, CN=NTFRS Subscriptions,
CN=Computername, DC=Domain Name, DC=COM.
For example, to reset the staging path for the SYSVOL replica set of
domain controller \\DC1 in the A.com domain, the distinguished name
(also known as DN) path for the FrsStagingPath parameter is:
CN=Domain System Volume (SYSVOL share), CN=NTFRS
Subscriptions, CN=DC1, DC=A,DC=COM
Where (when you read the distinguished name path from right to left):
DC=A,DC=COM is the domain hosting the computer account.
CN=DC1 is the host computer account in the domain naming context
(NC).
CN=NTFRS Subscriptions is the NtfrsSubscriber object that holds the
FrsStagingPath parameter.
CN=Domain System Volume (SYSVOL share) is the FRS subscriber
object.
3. Open the properties for the NTFRS Subscriber object [in this
example, it is Domain System Volume (SYSVOL share)], by right-
clicking the object, and then clicking Properties.
4. Click fRSStagingPath in the list of parameters, and click the Edit
button.
5. Enter the path to the new location for the FRS Staging folder and click
OK.
6. Click OK to close the Properties window.
7. Make sure that the staging path has been updated in the registry:
a. Start the Registry Editor (Regedt32.exe) on the server where you
are changing the staging path.
b. Locate the following subkey:
HKEY_LOCAL_MACHINE\System\CCS\Services\NTFRS\Parameters\Replica Sets
c. Locate the replica set you are updating the staging area for. All
replica sets are displayed as a GUID. If you click a GUID, one of the
values on the right is Replica Set Name. After you locate the
correct replica set, change the value of Replica Set Stage to the
new staging area path.

When the service detects a change in the staging path, the following
event ID 13563 is logged with a series of self-explanatory steps on how to
proceed:

Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13563
Date: 3/6/2003
Time: 7:13:01 PM
User: N/A
Computer: <Computer name>
Description: The File Replication service has detected that the staging path
for the replica set DOMAIN SYSTEM VOLUME (SYSVOL SHARE) has changed.
Current staging path = E:\Windows\Sysvol\Staging\Domain
New staging path = E:\Frsstage
The service will start using the new staging path after it restarts. The
service is set to restart after every restart.
It is recommended that you manually restart the service to prevent loss of
data in the Staging folder.

To manually restart the service
1. Run net stop ntfrs or use the Services snap-in to stop the File
Replication service.
2. Move all the staging files corresponding to replica set DOMAIN SYSTEM
VOLUME (SYSVOL SHARE) to the new staging location. If more than one
replica set is sharing the current Staging folder, then it is safer to copy
the staging files to the new Staging folder.
3. net start ntfrs or use the Services snap-in to start the File Replication
service, followed by net start ntfrs.
For more information, visit the Advanced Search and Help page at
http://www.microsoft.com/contentredirect.asp.
Microsoft recommends that you follow step 2 in the preceding event
message because the FRS Staging folder may contain thousands or tens of
thousands of files in the original Staging folder, all of which may be
destined for one or more downstream partners. In Windows Explorer, you
can view the files in the staging folder. On the Folder Options menu,
click the View tab, and then click to select the Show hidden files and
folders check box. Copy the files to the new Staging folder, and then
follow the remaining steps in the event log message.

Procedure: Identify replication partners

Use this procedure to examine the Connection objects for a domain
controller and determine its replication partners.

Procedure Requirements
● Credentials: Domain Admins
● Tool: Active Directory Sites and Services

Procedure Steps
To identify replication partners
1. In Active Directory Sites and Services, expand the Sites container to
display the list of sites.
2. Double-click the site that contains your domain controller.

Note If you do not know the site that contains your domain controller, open a
command prompt and type ipconfig to get the IP address of the domain
controller. Use the IP address to verify that an IP address maps to a subnet and
determine the site association.

3. Expand the Servers folder to display the list of servers in that site.
4. Expand the name of your domain controller to display its NTDS
settings.
5. Double-click NTDSSettings to display the list of Connection objects in
the details pane (these represent inbound connections used for
replication). The From Server column displays the names of the
domain controllers that are the replication partners.

Procedure: Force domain controller removal

Procedure Steps
To force domain controller removal
1. Click Start, click Run, and then type the following command:
dcpromo /forceremoval
2. Click OK.
3. At the Welcome to the Active Directory Installation Wizard page,
click Next.
4. At the Force the Removal of Active Directory page, click Next.
5. In Administrator Password, type the password and confirmed
password that you want to assign to the Administrator account of the
local SAM database, and then click Next.
6. In Summary, click Next.

Procedure: Check the status of the shared SYSVOL

You do not need to perform the test on every partner, but you need to
perform enough tests to be confident that the shared system volumes on
the partners are healthy.
This test involves checking Event Viewer to make sure that the File
Replication service is started properly and then ensuring that the SYSVOL
and Net Logon shared folders are created.

Procedure Requirements
● Credentials: Domain Admin
● Tools: Event Viewer, Net.exe

Procedure Steps
To check the status of the shared SYSVOL
1. In Event Viewer, click File Replication Service in the Event Viewer
tree to display the FRS events.
2. Look for an event 13516 with a date and time stamp that corresponds
with the recent restart. It can take 15 minutes or more to appear. An
event 13508 indicates that FRS is in the process of starting the service.
An event 13509 indicates that the service has started successfully.
Event 13516 indicates that the service is started, the folders are
shared, and the domain controller is functional.
3. To verify the shared folder is created, open a command prompt and
type net share to display a list of the shared folders on this domain
controller, including Net Logon and SYSVOL.
4. At a command prompt, type dcdiag /test:netlogons and press
ENTER.
5. Look for a message that states “computername passed test
NetLogons” where computername is the name of the domain
controller. If you do not see the test passed message, some problem
will prevent replication from functioning. This test verifies that the
proper logon privileges are set to allow replication to occur. If this test
fails, verify the permissions set on the Net Logon and SYSVOL shared
folders.
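The event and share checks in this procedure (and the event IDs listed under "Start the File Replication service") can be run as one script. This is an added example, not part of the guide; it assumes Windows PowerShell 3.0 or later on the domain controller, and the function name Get-FrsSysvolStatus is my own.

```powershell
# Added example (not from the guide): report the FRS startup events logged
# since the last boot and confirm that the SYSVOL and NETLOGON shares exist.
function Get-FrsSysvolStatus {
    [CmdletBinding()]
    param(
        # The event IDs the procedure tells you to look for
        [int[]] $EventId = @(13508, 13509, 13516)
    )

    # Only events logged after the most recent restart are relevant.
    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'File Replication Service'
        ProviderName = 'NtFrs'
        Id           = $EventId
        StartTime    = $lastBoot
    } -ErrorAction SilentlyContinue | Sort-Object TimeCreated

    # Remember the most recent time each ID was seen since boot
    $seen = @{}
    foreach ($e in $events) { $seen[$e.Id] = $e.TimeCreated }

    # Win32_Share lists the same shares that "net share" prints
    $shares = Get-CimInstance -ClassName Win32_Share |
              Select-Object -ExpandProperty Name

    [pscustomobject]@{
        LastBoot       = $lastBoot
        Event13508     = $seen[13508]
        Event13509     = $seen[13509]
        Event13516     = $seen[13516]
        SysvolShared   = ($shares -contains 'SYSVOL')
        NetlogonShared = ($shares -contains 'NETLOGON')
        # Healthy only when 13516 was logged after boot and both shares exist
        Healthy        = ($seen.ContainsKey(13516) -and
                          ($shares -contains 'SYSVOL') -and
                          ($shares -contains 'NETLOGON'))
    }
}

Get-FrsSysvolStatus | Format-List
```

Event 13516 can take 15 minutes or more to appear after a restart, so an empty Event13516 field shortly after boot is not by itself a failure.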

Procedure: Prepare a domain controller for non-authoritative SYSVOL restore

Initiate a non-authoritative restore of SYSVOL by modifying the value of
the BurFlags (backup/restore flags) registry entry. Changing the value to
D2 (hexadecimal) or 210 (decimal) prior to disconnecting a domain
controller initiates an automatic non-authoritative restore of SYSVOL when
the domain controller is restarted.
Separate entries exist for global and replica-set-specific BurFlags, as
follows:
● To initiate a non-authoritative restore of SYSVOL when it is the only
replica set that is represented on the domain controller, set the value
of the global BurFlags (REG_DWORD) entry under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
● If other replica sets are represented on the domain controller and you
want to restore only SYSVOL, set the value of the replica-set-specific
BurFlags (REG_DWORD) entry under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\SYSVOL GUID
Modifying the replica-set-specific BurFlags entry requires identifying the
SYSVOL GUID in the registry.

Procedure Requirements
● Credentials: Domain Admins
● Tool: Regedit.exe

Procedure Steps
To prepare a domain controller for non-authoritative SYSVOL
restore
1. In the Run text box, type regedit and then click OK.
2. Navigate to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters
3. Expand Parameters.
4. Modify one of the BurFlags entries as follows:
To modify the global BurFlags entry:
● Expand Backup/Restore and then click Process at Startup.
To modify the replica-set-specific BurFlags entry:
● Expand both Cumulative Replica Sets and Replica Sets.
● Match the GUID under Replica Sets to the identical GUID under
Cumulative Replica Sets, and click the matching GUID under
Cumulative Replica Sets.
5. In the details pane, double-click BurFlags.
6. In the Value data box, type D2 hexadecimal or 210 decimal, and
then click OK.
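Both BurFlags entries can be set from a script that locates the SYSVOL GUID the way step 4 describes, by matching the Replica Set Name under Replica Sets. This is an added example, not code from the guide; it assumes Windows PowerShell on the domain controller, and the function names and the -Global switch are my own.

```powershell
# Added example (not from the guide): set BurFlags to D2 (210 decimal) so that
# the next restart performs a non-authoritative restore of SYSVOL.
# The .NET registry classes are used because the key name "Backup/Restore"
# contains a forward slash, which the PowerShell registry provider would
# treat as a path separator.
$ntfrsParams = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$BurFlagsNonAuthoritative = 0xD2

function Get-SysvolReplicaSetGuid {
    # Walk Replica Sets\<GUID> and return the GUID whose "Replica Set Name"
    # is the SYSVOL replica set (what step 4 has you do by eye).
    $sets = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$ntfrsParams\Replica Sets")
    if ($null -eq $sets) { throw 'No FRS replica sets found in the registry.' }
    try {
        foreach ($guid in $sets.GetSubKeyNames()) {
            $sub = $sets.OpenSubKey($guid)
            try {
                $name = [string] $sub.GetValue('Replica Set Name')
                # -eq is case-insensitive; the name is stored in upper case on some systems
                if ($name -eq 'Domain System Volume (SYSVOL share)') { return $guid }
            } finally { $sub.Close() }
        }
    } finally { $sets.Close() }
    throw 'SYSVOL replica set not found under Replica Sets.'
}

function Set-FrsBurFlags {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # -Global: SYSVOL is the only replica set on this DC, so use the
        # Backup/Restore\Process at Startup entry. Otherwise use the
        # replica-set-specific entry under Cumulative Replica Sets.
        [switch] $Global
    )
    $relative = if ($Global) {
        "$ntfrsParams\Backup/Restore\Process at Startup"
    } else {
        "$ntfrsParams\Cumulative Replica Sets\$(Get-SysvolReplicaSetGuid)"
    }
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($relative, $true)
    if ($null -eq $key) { throw "Registry key HKLM\$relative not found." }
    try {
        $before = $key.GetValue('BurFlags')
        if ($PSCmdlet.ShouldProcess("HKLM\$relative", 'Set BurFlags = 0xD2')) {
            $key.SetValue('BurFlags', $BurFlagsNonAuthoritative,
                          [Microsoft.Win32.RegistryValueKind]::DWord)
        }
        [pscustomobject]@{
            Key    = "HKLM\$relative"
            Before = $before
            After  = $key.GetValue('BurFlags')
        }
    } finally { $key.Close() }
}

# Preview the replica-set-specific change; drop -WhatIf to apply it
Set-FrsBurFlags -WhatIf
```

Run the command without -WhatIf only immediately before the planned disconnect and restart, because the restore is triggered by the next start of the File Replication service.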

Procedure: Create the SYSVOL folder structure

Use this procedure to create the SYSVOL folder structure. The
%systemroot%\SYSVOL folder is at the top of the folder tree for the
Windows system volume. To properly move SYSVOL, you must move the
%systemroot%\SYSVOL folder and its contents. A subfolder of
%systemroot%\SYSVOL is also named sysvol. Ensure that you move the
proper folder (the %systemroot%\SYSVOL folder) and not the subfolder
(%systemroot%\SYSVOL\sysvol). Do not confuse the two folders.

Procedure Requirements
● Credentials: Domain Admins
● Tool: Windows Explorer

Procedure Steps
To create the SYSVOL folder structure
1. In Windows Explorer, navigate to the folder that represents your
current Windows system volume. By default, this is the
%systemroot%\SYSVOL folder.
2. Right-click the SYSVOL folder, and then click Copy.
3. In Windows Explorer, navigate to the new location you created in the
console tree, right-click the new location, and click Paste. You might
see a dialog box stating that some files already exist and a prompt
asking whether you want to continue copying the folder. At each such
prompt, click No.
4. Verify that the folder structure was copied correctly. Compare the new
folder structure to the original. Open a command prompt and type
dir /s to list the contents of the folders. Ensure that all folders exist. If
any folders are missing at the new location (such as \scripts), then
recreate them.

Procedure: Set the SYSVOL path

Use this procedure to set the new path to the system volume in the
registry.

Caution The Registry Editor bypasses standard safeguards, allowing settings that
can damage your system or even require you to reinstall Windows. If you must edit
the registry, back up system state first. For information about backing up system
state, see "Active Directory Backup and Restore" in this guide.

Procedure Requirements
● Credentials: Domain Admins
● Tool: Regedit.exe

Procedure Steps
To set the SYSVOL path
1. In the Run text box, type regedit and press ENTER.
2. In the Registry Editor, navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. Double-click SysVol to open the Edit dialog box.
4. For Value Data, enter the new path. Include the drive letter. Click OK.
5. Close the Registry Editor.

Note The path in the registry points to the SYSVOL folder located inside the
SYSVOL folder that is under the root. When updating the path in the registry, ensure
that it still points to the SYSVOL folder inside the SYSVOL folder that is under the
root.

Procedure: Set the staging area path

Use this procedure to modify the fRSStagingPath parameter for a domain
controller in Active Directory in order to change the location of the Staging
Area folder on that domain controller. Perform this procedure at the
console of the domain controller that is hosting the SYSVOL that you must
reconfigure.

Procedure Requirements
● Credentials: Domain Admins
● Tools: Regedit.exe, ADSI Edit, Linkd.exe

Procedure Steps
To set the staging area path
1. In the Run dialog box, type adsiedit.msc and press ENTER.
2. Double-click Domain NC [computername], where computername is
the name of this domain controller. Verify that Domain NC expands to
display the domain component (DC=) folder.
3. Click the domain component to display the containers and OUs in the
details pane. Double-click the Domain Controller OU to display the
containers that represent the domain controllers.
4. Double-click the container that represents this domain controller
(CN=computername) to display more containers.
5. Double-click the CN=NTFRS Subscriptions container.
6. Right-click the CN=Domain System Volume container and click
Properties.
7. In the Select which properties to view list, select Mandatory.
8. In the Select a property to view list, select fRSStagingPath.
9. In the Edit Attribute box, enter the complete path to the new location
where you want to locate the Staging Area folder (the path to the new
folder that you created earlier). Include the drive letter. Click Set, and
then click OK.
10. At a command prompt, change the directory to
%systemroot%\SYSVOL\staging areas. Type dir to list the contents. Verify
that <JUNCTION> appears in the DIR output.
11. Update the junction so that it points to the new location. Type the
following command:
linkd junctionname newpath
where newpath is the same value that you entered for fRSStagingPath
earlier. Press ENTER.

Procedure: Update security on the new SYSVOL

This procedure applies the default security settings to the new SYSVOL
folders. The settings will be the equivalent of those set by default during
Active Directory installation. If additional security settings have been
applied to the system volume since Active Directory was installed, you
must reapply those settings after completing this procedure.

WARNING Failure to reapply security changes made after Active Directory was
installed might result in unauthorized access to logon and logoff scripts and Group
Policy objects.

Procedure Requirements
● Credentials: Domain Admins
● Tools: Regedit.exe, Secedit.exe, Notepad.exe

Procedure Steps
To update security on the new SYSVOL
1. In the Run text box, type regedit and press ENTER.
2. In the registry editor, navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
Note the path stored under SysVol.
3. In Control Panel, double-click System.
4. On the Advanced tab, click Environment Variables.
5. Under System Variables, click New.
6. For Variable Name, type sysvol.
7. For Variable Value, type path (where path is the path that you noted
in step 2). Click OK twice. Click OK again to close Properties.
8. Use Notepad to create a file. Open Notepad and enter the following
information:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Profile Description]
Description=default perms for sysvol
[File Security]
;"%SystemRoot%\SYSVOL",0,"D:AR(A;OICI;FA;;;BA)"
"%Sysvol%",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
"%Sysvol%\domain\policies",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;PA)"

9. Use this file to apply the security settings to the new SYSVOL folders.
Save this file as Sysvol.inf.
10. Open a new command prompt. Do not use an existing command
prompt that has been open on your desktop because it will not have
the proper environment settings. Change the directory to the folder
where you saved the Sysvol.inf file.
11. At the command prompt, type the following command on one line:
SECEDIT /Configure /cfg sectemplatepath\sysvol.inf /db sectemplatepath\sysvol.db /overwrite
where sectemplatepath is the path to where you saved Sysvol.inf.
Press ENTER.
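Before running Secedit it is worth confirming what the SDDL strings in Sysvol.inf actually grant, since the warning above concerns exactly those permissions. The following decoder is an added example, not part of the guide; it assumes Windows PowerShell, the function names are my own, and the mode-field meanings in the comments follow the security template format.

```powershell
# Added example (not from the guide): decode the [File Security] entries of
# Sysvol.inf into one row per ACE so the intended permissions can be reviewed.
$aceTypes = @{ A = 'Allow'; D = 'Deny' }
$aceFlags = @{ CI = 'ContainerInherit'; OI = 'ObjectInherit' }
$rightMap = @{ GR = 'GenericRead'; GW = 'GenericWrite'; GX = 'GenericExecute'
               GA = 'GenericAll';  SD = 'Delete' }
# Well-known SID abbreviations that appear in the template
$trustees = @{ AU = 'Authenticated Users'; SO = 'Server Operators'
               BA = 'Builtin Administrators'; SY = 'Local System'
               CO = 'Creator Owner'; PA = 'Group Policy Creator Owners' }

function Split-Pairs([string] $s) {
    # Split a run of two-letter SDDL tokens ("GRGX" -> GR, GX)
    for ($i = 0; $i + 1 -lt $s.Length; $i += 2) { $s.Substring($i, 2) }
}

function ConvertFrom-TemplateAcl {
    param([Parameter(Mandatory = $true)][string] $Line)  # one "path",mode,"sddl" entry
    if ($Line -match '^"(?<path>[^"]+)",(?<mode>\d),"(?<sddl>.+)"$') {
        $path = $Matches.path; $mode = [int] $Matches.mode; $sddl = $Matches.sddl
    } else {
        throw "Unrecognised [File Security] entry: $Line"
    }
    # Template mode field: 0 propagate inheritable permissions, 1 replace
    # permissions on subfolders and files, 2 do not allow them to be replaced
    $protected = $sddl -like 'D:P*'   # P = protected DACL, nothing inherited from parent
    foreach ($m in [regex]::Matches($sddl, '\(([^)]*)\)')) {
        # ACE fields: type;flags;rights;object guid;inherit guid;sid
        $f = $m.Groups[1].Value.Split(';')
        $sid = $f[5]
        [pscustomobject]@{
            Path      = $path
            Mode      = $mode
            Protected = $protected
            Type      = $aceTypes[$f[0]]
            Inherit   = (Split-Pairs $f[1] | ForEach-Object { $aceFlags[$_] }) -join ','
            Rights    = (Split-Pairs $f[2] | ForEach-Object { $rightMap[$_] }) -join ','
            Trustee   = if ($trustees.ContainsKey($sid)) { $trustees[$sid] } else { $sid }
        }
    }
}

# The two active entries from Sysvol.inf (the commented-out line is omitted)
$template = @'
"%Sysvol%",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
"%Sysvol%\domain\policies",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;PA)"
'@

$template -split "`r?`n" | Where-Object { $_ } |
    ForEach-Object { ConvertFrom-TemplateAcl $_ } |
    Format-Table Path, Trustee, Type, Rights, Inherit, Protected -AutoSize
```

The output makes the intent of the template visible: every entry is a protected DACL, Authenticated Users and Server Operators get read and execute only, and only the policies folder grants Group Policy Creator Owners write and delete.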

Procedure: Import the SYSVOL folder structure

Use this procedure to copy the SYSVOL folder structure from another
domain controller. The %systemroot%\SYSVOL folder is at the top of the
folder tree for the Windows system volume. To properly import SYSVOL,
you must copy the %systemroot%\SYSVOL folder and its contents.
To use this procedure, the default shared folder Admin$ must exist on the
domain controller from which you plan to copy the SYSVOL folder
structure. Some organizations remove this shared folder or rename it for
security reasons. If this shared folder is not available, you must share the
%systemroot% folder and name the share point Admin$. If you share the
%systemroot% folder in order to complete this procedure, ensure that you
remove the share point after the procedure is complete in order to
maintain any security policies established on your network. If the Admin$
share has been renamed, then use the name assigned by your
organization instead of Admin$ while completing this procedure.

WARNING Never copy information from the system volume on one domain
controller to the system volume on another domain controller unless you have
stopped the File Replication service and configured SYSVOL for a non-authoritative
restore during startup. Failure to do so can cause invalid data to be replicated and
cause the system volumes on various domain controllers to become inconsistent.

Procedure Requirements
● Credentials: Domain Admins
● Tools: Windows Explorer, Linkd.exe

Procedure Steps
To import the SYSVOL folder structure
1. Use Windows Explorer to delete the existing %systemroot%\SYSVOL
folder that you are rebuilding.
2. Connect to the Admin$ share on the domain controller that you
identified earlier as the replication partner from which you plan to copy
the SYSVOL folder structure.
3. Once you are connected to the Admin$ share point, verify that a folder
labeled SYSVOL appears. Right-click the SYSVOL folder, and click
Copy.
4. In the same directory, find some blank space and right-click. Click
Paste. You might see a dialog box stating that some files already exist
and a prompt asking whether you want to continue copying the folder.
At each such prompt, click No.
5. Verify that the original SYSVOL folder and a new folder labeled Copy of
SYSVOL both appear. Right-click Copy of SYSVOL and click Rename.
Type SYSVOL2 and press ENTER.
6. Open a command prompt. Change to the drive letter that represents
the connection to the remote domain controller where you created the
SYSVOL2 folder.
7. Change the directory to SYSVOL2\sysvol.
8. Type dir and press ENTER. Verify that <JUNCTION> appears in the Dir
output and is followed by the name of the domain.
9. You must update the path in this junction so that it points to the new
location. Type the following command:
linkd junctionname newpath
where newpath is the new value you recorded in row 4 of Table 1 while
gathering the system volume path information. Press ENTER.
10. If the staging area has been relocated and is no longer inside the
SYSVOL folder, skip steps 10 and 11 and proceed to step 12. At a
command prompt, change the directory to \SYSVOL2\staging areas
under the copy of SYSVOL that you created. Type dir to list the
contents and verify that <JUNCTION> appears in the Dir output.
11. Update the junction so that it points to the new location. Type the
following command:
linkd junctionname newpath
where newpath is the new value that you recorded in row 5 of Table 1
while gathering system volume path information. Press ENTER.
12. At the command prompt, change back to the %systemroot% for the
domain controller that you are repairing.
13. From the command prompt, use the Xcopy command to copy the
contents of the \SYSVOL2 folder you created to a new SYSVOL folder on
your local drive. Type the following command:
xcopy drive:\sysvol2\*.* sysvol\*.* /s /e /h /c /y
where drive is the letter representing the connection to the remote
domain controller. Press ENTER.
14. Verify that the folder structure copied correctly. Compare the new
folder structure to the SYSVOL (not the SYSVOL2) on the remote
domain controller. Open a command prompt and type dir to list the
contents of the folders. Ensure that all folders exist.
15. Remove the SYSVOL2 folder that you created on the remote domain
controller.
16. Disconnect from the remote domain controller. If you had to create a
shared folder on that domain controller in order to connect to it,
remove the shared folder. Some organizations consider it a security
risk to retain shared folders that are not in use.
17. Restart the domain controller in normal mode.

Procedure: Configure time on the forest-root PDC emulator

Use the following procedure to configure the time service on the forest
root PDC emulator. Perform the procedure on the PDC emulator.

Procedure Requirements
● Credentials: Domain Admins or local administrator on the PDC
emulator
● Tools: Net time, W32tm.exe, Ping

Procedure Steps
To configure time on the forest root PDC emulator
1. Use the Ping utility to verify that the SNTP server is reachable. Type
ping server (where server is the DNS name or IP address of the SNTP
server), and then press ENTER.
2. Open UDP port 123 for outgoing traffic on the firewall if needed.
3. Open UDP port 123 (or a different port you have selected) for incoming
SNTP traffic.
4. At the command prompt, type w32tm -portnumber (where
portnumber is the server port specified in step 3), and then press
ENTER.
5. At the command prompt, type net time /setsntp:server (where
server is the DNS name or IP address of the SNTP server), and then
press ENTER.

6. To verify that the manually configured time source has been set, at the
command prompt, type net time /querysntp and then press ENTER.
Verify that the name of the SNTP server is displayed.
7. To make the change take effect, stop and restart the time service.
8. At the command prompt, type net stop w32time and then press
ENTER.

Procedure: Remove a time source configured on the forest-root PDC emulator

Use the following procedure to remove a time source configured on the
forest root PDC emulator. Perform the procedure on the PDC emulator.

Procedure Requirements
● Credentials: Domain Admins or local administrator on the PDC
emulator
● Tool: Net time

Procedure Steps
To remove a time source configured on the forest root PDC
emulator
1. At the command prompt, type net time /setsntp and then press
ENTER.
2. To verify that the manually configured time source has been cleared,
at the command prompt, type net time /querysntp and then press
ENTER.
Verify that you receive the following message: “This computer is not
currently configured to use a specific SNTP server.”

Procedure: Configure the selected computer as a reliable time source


Caution The Registry Editor bypasses standard safeguards, allowing settings that
can damage your system or even require you to reinstall Windows. If you must edit
the registry, back up system state first. For information about backing up system
state, see “Active Directory Backup and Restore” in this guide.

Perform the following procedure on the selected computer to configure it
as a reliable time source.

Procedure Requirements
● Credentials: Domain Admins
● Tool: Regedit.exe

Procedure Steps
To configure the selected computer as a reliable time source
1. At the command prompt, type regedit and then press ENTER.
2. Navigate to the following registry key and set the value as shown:
Hkey_Local_Machine\System\CurrentControlSet\Services\W32Time\Config\AnnounceFlags = 0x5
3. Run w32tm /config /update.
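AnnounceFlags is a bit mask, so a script can show which announcement bits are set before and after the change rather than just the number. This is an added example, not from the guide; it assumes Windows PowerShell 3.0 or later on the selected computer, and the function names are my own.

```powershell
# Added example (not from the guide): decode the W32Time AnnounceFlags value
# and, on request, set it to 0x5 so the computer announces itself as a
# reliable time source.
$w32timeConfig = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'

# Bit meanings of AnnounceFlags
$announceBits = [ordered]@{
    1 = 'Timeserv_Announce_Yes'           # always announce as a time server
    2 = 'Timeserv_Announce_Auto'          # announce as a time server when appropriate
    4 = 'Reliable_Timeserv_Announce_Yes'  # always announce as a reliable time source
    8 = 'Reliable_Timeserv_Announce_Auto' # announce as reliable when appropriate
}

function Get-W32TimeAnnounceFlags {
    $value = [int] (Get-ItemProperty -Path $w32timeConfig -Name AnnounceFlags).AnnounceFlags
    [pscustomobject]@{
        AnnounceFlags  = '0x{0:X}' -f $value
        Flags          = ($announceBits.Keys |
                          Where-Object { ($value -band $_) -ne 0 } |
                          ForEach-Object { $announceBits[$_] }) -join ', '
        # 0x4 set means the computer is announced as a reliable time source
        ReliableSource = (($value -band 4) -ne 0)
    }
}

function Set-W32TimeReliableSource {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($w32timeConfig, 'Set AnnounceFlags = 0x5')) {
        # 0x5 = Timeserv_Announce_Yes (0x1) + Reliable_Timeserv_Announce_Yes (0x4)
        Set-ItemProperty -Path $w32timeConfig -Name AnnounceFlags -Value 5 -Type DWord
        # Make the running service reread its configuration, as in step 3
        w32tm /config /update | Out-Null
    }
    Get-W32TimeAnnounceFlags
}

# Show the current setting; call Set-W32TimeReliableSource to change it
Get-W32TimeAnnounceFlags
```

On a computer that has never been changed the decoder reports 0xA (the two Auto bits), which is the value to expect before running the procedure.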

Procedure: Set a manually configured time source on a selected computer

Use the following procedure to manually set the time source for a client
computer.

Procedure Requirements
● Credentials: Domain Admins
● Tool: Net time

Procedure Steps
To set a manually configured time source on a selected computer
1. Use the Ping utility to verify that the SNTP server is reachable from
the client. Type ping server (where server is the DNS name or IP
address of the SNTP server), and then press ENTER.
2. At the command prompt, type net time /setsntp:server (where
server is the DNS name or IP address of the SNTP server), and then
press ENTER.
3. To verify that the manually configured time source has been set, at the
command prompt, type net time /querysntp and then press ENTER.
Verify that the name of the SNTP server is displayed.

Procedure: Remove a manually configured time source on a selected computer

Use the following procedure to remove a manually configured time source
on a selected computer.

Procedure Requirements
● Credentials: Domain Admins
● Tool: Net time

Procedure Steps
To remove a manually configured time source on a selected
computer
1. At the command prompt, type net time /setsntp and then press
ENTER.
2. To verify that the manually configured time source has been cleared,
at the command prompt, type net time /querysntp and then press
ENTER.
Verify that you receive the following message: “This computer is not
currently configured to use a specific SNTP server.”

Procedure: Change polling interval

Caution The Registry Editor bypasses standard safeguards, allowing settings that
can damage your system or even require you to reinstall Windows. If you must edit
the registry, back up system state first. For information about backing up system
state, see “Active Directory Backup and Restore” in this guide.

1. At the command prompt, type the following command and then press
ENTER:
w32tm -period value
where value is one of the following:

Value                Frequency
0                    Once a day
"BiDaily"            Twice a day
"Tridaily"           Three times a day
"Weekly"             Once every seven days
"SpecialSkew"        Once every 45 minutes until three good synchronizations
                     occur, then once every 8 hours (3 per day) [default]
"DailySpecialSkew"   Once every 45 minutes until one good synchronization
                     occurs, then once every day
A number             The number of times per day you want to synchronize

2. To make the change take effect, stop and restart the time service.
a. At the command prompt, type net stop w32time and then press
ENTER.
b. At the command prompt, type net start w32time and then press
ENTER.
3. Verify that the interval has been changed in the registry.
a. At the command prompt, type regedit and then press ENTER.

b. Navigate to the following registry key and verify that the value is
correct:
Hkey_Local_Machine\System\CurrentControlSet\Services\W32Time\Parameters\Period

Procedure: Disable time service


Use the following procedure to disable the W32Time service.

Procedure Requirements
● Credentials: Domain Admins
● Tool: Services snap-in

Procedure Steps
To disable W32Time service
1. Open Administrative Tools, and select Services.
2. Right-click Windows Time, and select Properties.
The Windows Time Properties dialog box appears.
3. In the Startup Type field, select Disabled from the drop-down menu.
4. Click OK. Verify that the type for the time service appears as
“Disabled.”

Procedure: Create a one-way trust (MMC method)


For the following two subprocedures, a member of Domain Admins in the
trusted domain performs the first procedure and a member of Domain
Admins in the trusting domain performs the second procedure.

Procedure Steps
To create a one-way trust relationship in the trusted domain
1. With the administrator of the other domain, agree on a secure channel
password to be used in establishing the trust.
2. In the trusted domain, log on as a member of Domain Admins.
3. In Active Directory Domains and Trusts, expand the domain tree until
the trusted domain name appears, and then right-click the trusted
domain node.
4. Click Properties, and then click the Trusts tab.
5. Next to the Domains that trust this domain box, click Add.
6. In the Trusting domain box, type the trusting domain name. If you
are adding a Windows 2000 domain, type the full DNS name
(noamreskit.com in this example). If the domain is running an earlier
version of Windows, type the domain name (noam in this example).
7. In the Password box, type the agreed-upon password.
8. In the Confirm password box, retype the password, and then click
OK.
9. A message appears that says the trust cannot be verified. Click OK.

Note The reason for this error is that Windows 2000 is attempting to verify the
secure channel. It cannot verify the secure channel at this time because the other
side of the trust is not yet created.

10. Click OK to close the Properties sheet.

To create a one-way trust relationship in the trusting domain


1. In the trusting domain, log on as a member of Domain Admins.
2. In Active Directory Domains and Trusts, expand the domain tree until
the trusting domain name appears, and then right-click the trusting
domain node.
3. Click Properties, and then click the Trusts tab.
4. Next to the Domains trusted by this domain box, click Add.
5. In the Trusted domain box, type the trusted domain name. If you are
adding a Windows Server 2003 domain, type the full DNS name
(acquired.com in this example). If the domain is running an earlier
version of Windows, type the domain name (acquired in this
example).
6. In the Password box, type the agreed-upon password.
7. In the Confirm password box, retype the password, and then click
OK.
8. A message appears that says the trusted domain has been added and
the trust verified. Click OK.
9. A message appears asking if you want to verify the trust. Click Yes,
and then click OK.
10. Click OK to close the Properties sheet.

Note If the trust is successfully created in both domains, click Yes to verify the
trust. If the trust has not yet been created in the trusted domain, clicking Yes
returns an error. When the trust is created in the trusted domain, the trust takes
effect. You do not need to verify the trust for the trust to take effect.

Procedure: Create a one-way trust (Netdom.exe method)


For the following procedure, you create both sides of the one-way trust
with one command. You must have the domain administrator passwords
for both domains.

Procedure Steps
To create a one-way trust using Netdom.exe
● Open a command prompt and type the following command:
netdom trust /d:trusteddomain trustingdomain /add
where trusteddomain is the trusted domain, and trustingdomain is the
trusting domain. If the domain is Windows 2000, use the full DNS
name; if it is Windows NT 4.0, use the domain name. Press ENTER.

You may also enter the administrator credentials on the command line, using
/Ud: and /Pd: for the trusted domain user name and password, and /Uo: and
/Po: for the trusting domain user name and password. If you do not enter the
passwords, you will be prompted for them.
Example:
netdom trust /d:acquired.com noam.com /add /Ud:acquired.com\admin /Pd:xxxx /Uo:noam.com\admin /Po:yyyy

Procedure: Create a two-way trust (MMC method)


For the following two procedures, a member of Domain Admins in the first
domain performs the first procedure and a member of Domain Admins in
the second domain performs the second procedure.

Procedure Steps
To create both directions of two one-way trust relationships in the
first domain
1. With the administrator of the other domain, agree on a secure channel
password to be used in establishing the trust.
2. In the first domain, log on as a member of Domain Admins.
3. In Active Directory Domains and Trusts, expand reskit.com, and then
right-click noam.reskit.com.
4. Click Properties, and then click the Trusts tab.
5. Next to the Domains trusted by this domain box, click Add.
6. In the Trusted domain box, type the trusted domain name. If you are
adding a Windows Server 2003 domain, type the full DNS name. If the
domain is running an earlier version of Windows, type the domain name.
7. In the Password box, type the agreed-upon password.
8. In the Confirm password box, retype the password, and then click
OK.
9. A message appears that says the trust cannot be verified. Click OK.

Note The reason for this error is that Windows Server 2003 is attempting to verify
the secure channel. It cannot verify the secure channel at this time because the
other side of the trust is not yet created.

10. Next to the Domains that trust this domain box, click Add.
11. In the Trusting domain box, type the trusting domain name. If you
are adding a Windows 2000 domain, type the full DNS name
(acquired01-int.com in this example). If the domain is running an
earlier version of Windows, type the domain name (acquired01-int in
this example).
12. In the Password box, type the agreed-upon password.
13. In the Confirm password box, retype the password, and then click
OK.
14. A message appears asking if you want to verify the trust. Click Yes.
15. Click OK to close the Properties sheet.

Note If the trust is successfully created in the acquired01-int.com domain, click
Yes to verify the trust. If the trust is not created, clicking Yes returns an error.
When the trust is created in acquired01-int.com, the trust takes effect. You do not
need to verify the trust for the trust to take effect.

Procedure: Create a two-way trust (Netdom.exe method)


For the following procedure, you create both sides of the two-way trust
with one command. You must have the Domain Admins passwords for
both domains.

Procedure Steps
To create a two-way trust by using Netdom.exe
● Open a command prompt and type the following command:
netdom trust /d:trusteddomain trustingdomain /add /twoway
where trusteddomain is the trusted domain, and trustingdomain is the
trusting domain. If the domain is Windows 2000, use the full DNS
name; if it is Windows NT 4.0, use the domain name. Press ENTER.
You may also enter the administrator credentials on the command line, using
/Ud: and /Pd: for the trusted domain user name and password, and /Uo: and
/Po: for the trusting domain user name and password; if you do not enter the
passwords, you will be prompted for them.
Example:
netdom trust /d:acquired.com noam.com /add /twoway /Ud:acquired.com\admin /Pd:xxxx /Uo:noam.com\admin /Po:yyyy

Procedure: Remove a manually created trust by using the Active Directory Domains and Trusts snap-in
You can remove a manually created trust by using Active Directory
Domains and Trusts or by using Netdom.exe.

Procedure Steps
To remove a trust by using Active Directory Domains and Trusts
1. Log on to the first domain.
2. In Active Directory Domains and Trusts, in the console tree, right-click
one of the domain nodes involved in the trust you want to remove, and
then click Properties.
3. Click the Trusts tab.
4. In either Domains trusted by this domain or Domains that trust
this domain, click the trust to be removed, and then click Remove.
5. Repeat this procedure for the other domain involved in the trust.

Procedure: Remove a manually created trust by using Netdom.exe
You can remove a manually created trust by using Active Directory
Domains and Trusts or by using Netdom.exe.

Procedure Steps
To remove a trust using Netdom.exe, use one of the following procedures,
depending on whether the trust is one-way or two-way.
● To remove a one-way trust, open a command prompt and type the
following command, and then press ENTER:
netdom trust /d:trusteddomain trustingdomain /remove
where trusteddomain is the trusted domain, and trustingdomain is the
trusting domain. If the domain is Windows Server 2003, use the full
DNS name; if it is Windows NT 4.0, use the domain name. You will be
prompted for the administrator password.
-or-
● To remove a two-way trust, open a command prompt and type the
following command, and then press ENTER:
netdom trust /d:trusteddomain trustingdomain /remove /twoway
where trusteddomain is the trusted domain, and trustingdomain is the
trusting domain. If the domain is running Windows Server 2003, use
the full DNS name; if it is running Windows NT 4.0, use the domain
name. You must have credentials for both domains. You will be
prompted for both passwords.

Procedure: Configure SID filtering


The administrator of the trusting domain applies SID filtering to filter out
migrated SIDs stored in SIDHistory from specific domains. For example,
where an external trust relationship exists so that the noam domain trusts
the acquired domain, an administrator of the noam domain can apply SID
filtering to the acquired domain, which allows all SIDs with a domain SID
from the acquired domain to pass, but all other SIDs (such as those from
migrated SIDs stored in SIDHistory) to be discarded.

Procedure Requirements
● Credentials: Domain Admins of trusting domain
● Tool: Netdom.exe (support tools)

Procedure Steps
To configure SID filtering
1. Log on to the trusting domain with an account with domain
administrator credentials.
2. At the command prompt, type netdom /filtersids trusteddomain
(where trusteddomain is the domain whose SIDs you want to filter),
and then press ENTER.
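The filtering rule described above (keep SIDs whose domain part is the trusted domain's SID, discard everything else, including SIDHistory entries carried over from other domains) can be modelled in a few lines. The following Python is an added example and is not code from the guide or from Windows; the domain SIDs, RIDs other than the well-known 512/513, and the token contents are constructed. It models only the rule the guide states; the filter in Windows has additional handling for well-known SIDs that this model does not reproduce.

```python
import re
from typing import Iterable, List, Tuple

# Shape of a Windows SID string: S-1-<authority>-<subauthority>[-<subauthority>...]
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def is_domain_account_sid(sid: str) -> bool:
    """True for SIDs of the form S-1-5-21-<a>-<b>-<c>-<RID>, i.e. accounts and
    groups defined in a domain (as opposed to built-in or well-known SIDs)."""
    parts = sid.split("-")
    return len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]


def domain_sid(sid: str) -> str:
    """Return the domain part of an account SID (everything before the RID).
    'S-1-5-21-1111-2222-3333-1105' -> 'S-1-5-21-1111-2222-3333'."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid}")
    return sid.rsplit("-", 1)[0]


def filter_sids(sids: Iterable[str], trusted_domain_sid: str) -> Tuple[List[str], List[str]]:
    """Apply the rule from the guide: a SID passes only if it is a domain account
    SID whose domain part is the trusted domain's SID. Everything else, such as
    SIDHistory entries from other domains, is dropped. Returns (kept, dropped)
    so the dropped list can be logged for review."""
    kept, dropped = [], []
    for sid in sids:
        if is_domain_account_sid(sid) and domain_sid(sid) == trusted_domain_sid:
            kept.append(sid)
        else:
            dropped.append(sid)
    return kept, dropped


# Constructed sample: the trusting domain (noam) filters the trusted domain (acquired).
ACQUIRED_DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # constructed
OTHER_DOMAIN_SID = "S-1-5-21-4444-5555-6666"      # constructed; a domain acquired is not

# Constructed token presented across the trust: the user, Domain Users (RID 513) of
# the acquired domain, plus two SIDHistory entries that point at another domain,
# one of them a Domain Admins SID (RID 512).
SAMPLE_TOKEN_SIDS = [
    ACQUIRED_DOMAIN_SID + "-1105",
    ACQUIRED_DOMAIN_SID + "-513",
    OTHER_DOMAIN_SID + "-512",
    OTHER_DOMAIN_SID + "-1200",
]

if __name__ == "__main__":
    kept, dropped = filter_sids(SAMPLE_TOKEN_SIDS, ACQUIRED_DOMAIN_SID)
    print("kept:   ", kept)
    print("dropped:", dropped)
```

The dropped list is what a reviewer of the trust would want to see: any SID from a domain other than the one the trust was created for is exactly the kind of entry SIDHistory can carry in from a migration and that SID filtering is meant to keep out of the trusting domain's access checks.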

Procedure: Remove SID filtering

Procedure Requirements
● Credentials: Domain Admins of trusting domain
● Tool: Netdom.exe (support tools)

Procedure Steps
To remove SID filtering
1. Log on to the trusting domain with an account with domain
administrator credentials.
2. At the command prompt, type netdom /filtersids no trusteddomain
(where trusteddomain is the trusted domain where you had previously
applied SID filtering, which you now want to remove), and then press
ENTER.

Procedure: Create a Site object and add it to an existing site link


To create a new site, you must create a Site object and add it to a site
link.

Procedure Requirements
● Credentials: Enterprise Admins
● Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To create a Site object
1. In Active Directory Sites and Services, right-click the Sites container
and then click New Site.
2. In the Name box, type the name of the site.
3. In the Link Name list, click a site link for this site, and then click OK.
4. In the Active Directory message box, read the information, and then
click OK.

Procedure: Associate a range of IP addresses with the site


Subprocedure 1: Create a Subnet object or objects and associate
them with the new site
To create a Subnet object, you must have the following information:
● The site to which the subnet is to be associated.
● The network address or any IP address in the range.
● The subnet mask.

Active Directory Sites and Services converts this information into the
subnet address.

Procedure Requirements
● Credentials: Enterprise Admins
● Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To create a Subnet object
1. In Active Directory Sites and Services, expand the Sites container.
2. Right-click Subnets, and then click New Subnet.
3. In the New Object - Subnet dialog box, in the Address box, type the
network address or any IP address within the range of IP addresses for
the subnet.
4. In the Mask box, type the subnet mask.
5. In the Site Name box, click the site to which this subnet is being
associated, and then click OK.

Subprocedure 2: Associate an existing Subnet object with the new site
Associate an existing subnet with a site under the following conditions:
● When you are removing the site to which the subnet was associated.
● When you have temporarily associated the subnet with a different site
and want to associate it with its permanent site.

Procedure Requirements
● Credentials: Enterprise Admins
● Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To associate an existing Subnet object with a site
1. In Active Directory Sites and Services, expand the Sites container, and
then click the Subnets container.
2. In the details pane, right-click the subnet with which you want to
associate the site, and then click Properties.
3. In the Site box, click the site with which to associate the subnet, and
then click OK.

Procedure: Create a Site Link object, if appropriate, and add the new site and at least one other site to the Site Link object
To link sites for replication, create a Site Link object in the container for
the intersite transport that will replicate the site, and add the sites to it.

Procedure Requirements
● Credentials: Enterprise Admins
● Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To create a Site Link object
1. In Active Directory Sites and Services, expand the Sites container and
then the Inter-Site Transports container.
2. Right-click IP, and then click New Site Link.
3. In the Name box, type a name for the site link.
4. In the Sites not in this site link box, click a site that you want to add
to the site link. Hold down the SHIFT key to click a second site that is
adjacent in the list, or the CTRL key to click a second site that is not
adjacent in the list.
5. After selecting all of the sites that you want added to the site link, click
Add, and then click OK.

Procedure: Remove the site from the site link


If, while performing the previous procedure, you added the new site to an
existing site link temporarily in order to create the site, use the Site Link
object's properties to remove the site from that site link.

Procedure Requirements
● Credentials: Enterprise Admins
● Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To remove a site from a site link
1. In Active Directory Sites and Services, expand the Sites container and
then the Inter-Site Transports container.
2. Click IP. In the details pane, right-click the site link from which you
want to remove a site, and then click Properties.
3. In the Sites in this site link box, click the site you want to remove
from the site link.
4. Click Remove, and then click OK.

Procedure: Create a Subnet object and associate it with the appropriate site
To create a Subnet object, you must have the following information:
● The site to which the subnet is to be associated.
● The network address or any IP address in the range.
● The subnet mask.

Active Directory Sites and Services converts this information into the
subnet address.

Procedure Requirements
● Credentials: Enterprise Admins
● Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To create a Subnet object
1. In Active Directory Sites and Services, expand the Sites container.
2. Right-click Subnets, and then click New Subnet.
3. In the New Object - Subnet dialog box, in the Address box, type the
network address or any IP address within the range of IP addresses for
the subnet.
4. In the Mask box, type the subnet mask.
5. In the Site Name box, click the site to which this subnet is being
associated, and then click OK.

Procedure: Create a Site Link object in the IP container and add the appropriate sites
To link sites for replication, create a Site Link object in the container for
the intersite transport that will replicate the site, and add the sites to it.

Procedure Requirements
● Credentials: Enterprise Admins
● Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To create a Site Link object
1. In Active Directory Sites and Services, expand the Sites container and
then the Inter-Site Transports container.
2. Right-click IP, and then click New Site Link.
3. In the Name box, type a name for the site link.
4. In the Sites not in this site link box, click a site that you want to add
to the site link. Hold down the SHIFT key to click a second site that is
adjacent in the list, or the CTRL key to click a second site that is not
adjacent in the list.

5. After selecting all of the sites that you want added to the site link, click
Add, and then click OK.

Procedure: Generate the intersite topology


By default, the KCC runs every 15 minutes to generate the replication
topology. To initiate replication topology generation immediately, use the
following procedures to refresh the intersite topology.

Subprocedure 1: Determine the ISTG role owner for the site


To determine the current Inter-Site Topology Generator (ISTG) role owner
for a site, view the NTDS Site Settings object properties.

Procedure Requirements
● Credentials: Domain Users
● Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To determine the ISTG role owner for a site
1. In Active Directory Sites and Services, click the site object whose ISTG
you want to determine.
2. In the details pane, right-click the NTDS Site Settings object, and
then click Properties. The current role owner appears in the Server
box under Inter-Site Topology Generator.

Subprocedure 2: Generate the replication topology on the ISTG


The Knowledge Consistency Checker (KCC) runs by default every 15
minutes. If you want to initiate topology regeneration immediately, you
can force the KCC to run as follows:
● To generate the intersite replication topology, run the KCC on the
domain controller in the site that holds the ISTG role.
● To generate the intrasite replication topology, run the KCC on any
domain controller in the site that does not hold the ISTG role.

Procedure Requirements
● Credentials: Enterprise Admins
● Tool: Active Directory Sites and Services (Administrative Tools)
● Identity of the ISTG role holder in the site

Procedure Steps
To generate the replication topology
1. In Active Directory Sites and Services, expand the Sites container, and
then expand the site that contains the server on which you want to run
the KCC.
2. Click Servers, and then click a Server object.
3. Expand the Server object to display the NTDS Settings object.

4. Right-click NTDS Settings, click All Tasks, and then click Check
Replication Topology.
5. In the Check Replication Topology message box, click OK.

Procedure: Configure the site link schedule to identify times during which intersite replication can occur
Use the properties on the Site Link object to define when replication is
allowed. Obtain the schedule from the design team.

Procedure Requirements
● Credentials: Enterprise Admins
● Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To configure the site link schedule
1. In Active Directory Sites and Services, expand the Sites container and
the Inter-Site Transports container, and then click the IP container.
2. In the details pane, right-click the Site Link object you want to
configure, and then click Properties.
3. In the SiteLinkName Properties dialog box, click Change
Schedule.
4. In the Schedule for SiteLinkName dialog box, select the block of
days and hours during which you want replication to occur or not occur
(available or not available), and then click the appropriate option.
5. Click OK twice.

Procedure: Configure the site link interval to identify how often replication polling can occur during the schedule window
Use the properties on the Site Link object to determine how often during
the available replication schedule you want bridgehead servers to poll
their intersite replication partners for changes. Obtain the interval value
from the design team.

Procedure Requirements
● Credentials: Enterprise Admins
● Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To configure the site link interval
1. In Active Directory Sites and Services, expand the Sites container and
the Inter-Site Transports container, and then click the IP container.
2. In the details pane, right-click the Site Link object you want to
configure, and then click Properties.

3. In the Replicate every _____ minutes box, specify the number of
minutes for the intervals at which replication polling occurs during an
open schedule, and then click OK.

Procedure: Configure the site link cost to establish a priority for replication routing
When creating or modifying site links, use the object properties to
configure the relative cost of using the site link.

Procedure Requirements
● Credentials: Enterprise Admins
● Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To configure site link cost
1. In Active Directory Sites and Services, expand the Sites container and
the Inter-Site Transports container, and then click the IP container.
2. In the details pane, right-click the Site Link object you want to
configure, and then click Properties.
3. In the Cost box, specify the number for the comparative cost of using
the site link, and then click OK.
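To show what the cost value actually decides, the following Python is an added example (not code from the guide or from the KCC) that computes the least-cost path between two sites over a set of site links, which is how the ISTG chooses the route for intersite replication when site links are transitive ("Bridge all site links", the default). The site names, link names and costs are constructed; a site link that contains several sites is modelled as connecting every pair of its members at the link's cost.

```python
import heapq
from typing import Dict, List, Optional, Tuple

# Constructed topology: link name -> (cost, sites joined by the link).
# The direct HQ-Branch2 link is deliberately more expensive than going via Branch1.
SAMPLE_SITE_LINKS: Dict[str, Tuple[int, Tuple[str, ...]]] = {
    "HQ-Branch1": (100, ("HQ", "Branch1")),
    "HQ-Branch2": (400, ("HQ", "Branch2")),
    "Branch1-Branch2": (200, ("Branch1", "Branch2")),
}


def build_graph(site_links):
    """Expand site links into an adjacency list: site -> [(neighbour, cost, link_name)].
    Every pair of sites in the same site link is adjacent at that link's cost."""
    graph: Dict[str, List[Tuple[str, int, str]]] = {}
    for link_name, (cost, sites) in site_links.items():
        for a in sites:
            graph.setdefault(a, [])
            for b in sites:
                if a != b:
                    graph[a].append((b, cost, link_name))
    return graph


def least_cost_route(site_links, source: str, dest: str) -> Optional[Tuple[int, List[str], List[str]]]:
    """Dijkstra over the site-link graph. Returns (total_cost, sites_on_path,
    links_used), or None if dest is not reachable from source (a site that is
    in no site link is isolated from intersite replication)."""
    graph = build_graph(site_links)
    if source not in graph or dest not in graph:
        return None
    best = {source: 0}          # lowest cost found so far per site
    prev = {}                   # site -> (previous site, link used to reach it)
    heap = [(0, source)]
    done = set()
    while heap:
        cost, site = heapq.heappop(heap)
        if site in done:
            continue
        done.add(site)
        if site == dest:
            break
        for nxt, link_cost, link_name in graph[site]:
            new_cost = cost + link_cost
            if new_cost < best.get(nxt, float("inf")):
                best[nxt] = new_cost
                prev[nxt] = (site, link_name)
                heapq.heappush(heap, (new_cost, nxt))
    if dest not in best:
        return None
    # Walk the predecessor chain back from dest to source.
    path, links = [dest], []
    while path[-1] != source:
        site, link_name = prev[path[-1]]
        path.append(site)
        links.append(link_name)
    path.reverse()
    links.reverse()
    return best[dest], path, links


if __name__ == "__main__":
    print(least_cost_route(SAMPLE_SITE_LINKS, "HQ", "Branch2"))
```

With the sample costs the route HQ -> Branch1 -> Branch2 (total 300) wins over the direct link (400), so replication to Branch2 flows through Branch1's bridgehead even though a direct link exists. Lowering the direct link's cost below 300 makes it the chosen route again, which is the lever the procedure above gives you.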

Procedure: Change the static IP address of the domain controller


This procedure includes changing all appropriate TCP/IP values, including
preferred and alternate DNS servers, as well as WINS servers (if
appropriate). Obtain these values from the design team.
If you change the static IP address of a domain controller, you must also
change related TCP/IP settings accordingly.

Procedure Requirements
● Credentials: Administrators
● Tool: My Network Places
● Required information:
● IP address
● Subnet mask
● Default gateway address
● Preferred and alternate DNS server addresses
● WINS server addresses, if appropriate

Procedure Steps
To change the static IP address of a domain controller
1. Log on locally to the server for which you want to change the IP
address.
2. On the desktop, right-click My Network Places and then click
Properties.
3. In the Network and Dial-up Connections dialog box, right-click
Local Area Connection, and then click Properties.
4. In the Local Area Connection Properties dialog box, double-click
Internet Protocol (TCP/IP).
5. In the Internet Protocol (TCP/IP) Properties dialog box, in the IP
address box, type the new address.
6. In the Subnet mask box, type the subnet mask.
7. In the Default gateway box, type the default gateway.
8. In the Preferred DNS server box, type the address of the DNS server
that this computer contacts.
9. In the Alternate DNS server box, type the address of the DNS server
that this computer contacts if the preferred server is unavailable.
10. If this domain controller uses WINS servers, click Advanced and then,
in the Advanced TCP/IP Settings dialog box, click the WINS tab.
11. If an address in the list is no longer appropriate, click the address, and
then click Edit.
12. In the TCP/IP WINS Server dialog box, type the new address, and
then click OK.
13. Repeat steps 11 and 12 for all addresses that need to be changed, and
then click OK twice to close the TCP/IP WINS Server dialog box and
the Advanced TCP/IP Settings dialog box.
14. Click OK to close the Internet Protocol (TCP/IP) Properties dialog
box.

Procedure: Create a delegation for the domain controller


If the parent DNS zone of any zone that is hosted by this DNS server
contains a delegation to this DNS server, use this procedure to update the
IP address in all such delegations.

This procedure creates a delegation for a new domain controller that is
also a DNS server in the parent DNS domain. If your forest root domain
has a parent DNS domain, perform these steps on a DNS server in the
parent domain. If you just added a new domain controller to a child
domain, perform these steps on a DNS server in the DNS parent domain.
By following recommended practices, the parent domain is the forest root
domain.

Procedure Requirements
● Credentials: Domain Admins
● Tool: DNS Manager

Procedure Steps
To create a delegation for a new domain controller
1. From the DNS snap-in, navigate to child_domain (where child_domain
is the name of the child domain) in the console tree.
2. In the console tree, right-click child_domain, and then click
Properties.
3. In the child_domain Properties sheet, on the Name Servers tab,
click Add.
4. In the New Resource Record dialog box, in the Server name box,
type child_dc.child_domain.parent_domain (where child_dc is the name
of the new domain controller, child_domain is the name of the child
domain, and parent_domain is the name of the parent domain).
5. In the New Resource Record dialog box, in the IP address box, type
ip_address (where ip_address is the IP address of the child domain
controller), click Add, and then click OK.

Procedure: Determine whether the server is a preferred bridgehead server
Preferred bridgehead servers are distinguished by a property on the
Server object that adds the server to the preferred bridgehead server list
for the IP transport.

Procedure Requirements
● Credentials: Domain Users
● Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To determine whether a domain controller is a preferred
bridgehead server
1. In Active Directory Sites and Services, expand the Sites container and
the site in which the server object resides.
2. Expand the Servers container to display the domain controllers
currently configured for that site.
3. Right-click the Server object of interest, and then click Properties.
4. If IP appears in the box labeled This server is a preferred
bridgehead server for the following transports, the server is a
preferred bridgehead server for the IP transport.

Procedure: Configure the server to not be a preferred bridgehead server
Use the Server object properties to remove a preferred bridgehead server
from the IP transport.

Procedure Requirements
● Credentials: Domain Admins
● Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To configure a domain controller to not be a preferred bridgehead
server
1. In Active Directory Sites and Services, expand the Sites container, and
then expand the site of the preferred bridgehead server.
2. Expand the Servers node to display the list of domain controllers
currently configured for that site.
3. Right-click the server you want to remove, and then click Properties.
4. If IP appears in the list that marks this server as a bridgehead server
for the IP transport, click IP, click Remove, and then click OK.

Procedure: Move the Server object to the new site


Moving a Server object requires that the IP address of the domain
controller maps to the site to which you are moving the Server object.
After you have verified that the IP address maps to the target site, use the
following procedure to move the Server object to the site.

Procedure Requirements
● Credentials: Enterprise Admins
● Tools: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To move a Server object to a different site

1. In Active Directory Sites and Services, expand the Sites container and
the site in which the server object resides.
2. Expand the Servers container to display the domain controllers that
are currently configured for that site.
3. Right-click the Server object you want to move, and then click Move.
4. In the Site Name box, click the destination site, and then click OK.
5. Expand the Site object to which you moved the server, and then
expand the Servers container.
6. Verify that an object for the server you moved exists.
7. Expand the Server object and verify that an NTDS Settings object
exists.

Within an hour, the Net Logon service on the domain controller registers
the new site information in DNS. Wait an hour and then open Event Viewer
and connect to the domain controller whose Server object you moved.
Review the directory service log for Net Logon errors regarding
registration of SRV resource records in DNS that have occurred within the
last hour. The absence of errors indicates that Net Logon has updated DNS
with site-specific SRV resource records. Net Logon event ID 5774 indicates
that the registration of DNS resource records has failed. If this error
occurs, contact a supervisor and pursue DNS troubleshooting.
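Two earlier passages state that Active Directory Sites and Services converts "any IP address in the range" plus the subnet mask into the subnet address, and the procedure above requires that the domain controller's IP address map to the target site before the Server object is moved. The following Python is an added example (not code from the guide or from Windows) that does both: it derives the Subnet object name from an address and mask, and resolves an address to a site by longest-prefix match over the Subnet objects, which is the check to run before moving a Server object. The site names and address ranges are constructed.

```python
import ipaddress
from typing import Dict, Optional


def subnet_object_name(any_address: str, mask: str) -> str:
    """Derive the Subnet object name (network/prefix length, e.g. '10.1.16.0/20')
    from any address in the range and its subnet mask. strict=False lets a host
    address be given instead of the network address; the host bits are zeroed."""
    net = ipaddress.ip_network(f"{any_address}/{mask}", strict=False)
    return str(net)


def site_for_address(address: str, subnet_to_site: Dict[str, str]) -> Optional[str]:
    """Return the site whose Subnet object most specifically contains address
    (longest prefix wins), or None when no Subnet object covers it. An address
    that matches no Subnet object is the usual reason a domain controller lands
    in the wrong site after an IP change."""
    addr = ipaddress.ip_address(address)
    best_site, best_len = None, -1
    for subnet, site in subnet_to_site.items():
        net = ipaddress.ip_network(subnet)
        if addr.version == net.version and addr in net and net.prefixlen > best_len:
            best_site, best_len = site, net.prefixlen
    return best_site


def check_move(dc_address: str, target_site: str, subnet_to_site: Dict[str, str]) -> bool:
    """Pre-move check from the guide: does the domain controller's IP address
    map to the site the Server object is about to be moved to?"""
    return site_for_address(dc_address, subnet_to_site) == target_site


# Constructed Subnet objects (name -> site), built the way the snap-in would
# build them from an address in the range and a mask.
SAMPLE_SUBNETS: Dict[str, str] = {
    subnet_object_name("10.1.5.77", "255.255.0.0"): "Seattle",        # 10.1.0.0/16
    subnet_object_name("10.1.16.9", "255.255.240.0"): "Seattle-Lab",  # 10.1.16.0/20, nested in Seattle
    subnet_object_name("10.2.0.1", "255.255.0.0"): "Boston",          # 10.2.0.0/16
}

if __name__ == "__main__":
    for dc, target in [("10.1.20.4", "Seattle-Lab"), ("10.1.20.4", "Seattle"), ("192.168.1.1", "Boston")]:
        print(dc, "->", site_for_address(dc, SAMPLE_SUBNETS), "ok to move to", target, ":", check_move(dc, target, SAMPLE_SUBNETS))
```

The nested 10.1.16.0/20 range shows why the match has to be longest-prefix: 10.1.20.4 is inside both Seattle's /16 and Seattle-Lab's /20, and only the more specific Subnet object decides the site. An address that resolves to None should be fixed with a new Subnet object before the Server object is moved, not by moving the object anyway.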

Procedure: Delete the Site Link object


Use the following procedure to delete the Site Link object.

Procedure Requirements
● Credentials: Enterprise Admins
● Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To delete a Site Link object
1. In Active Directory Sites and Services, expand the Sites container and
the Inter-Site Transports container, and then click the IP container.
2. In the details pane, right-click the Site Link object you want to delete,
and then click Delete.
3. Click Yes to confirm your choice.

Procedure: Associate the subnet or subnets with the appropriate site
Associate an existing subnet with a site under the following conditions:
● When you are removing the site to which the subnet was associated.
● When you have temporarily associated the subnet with a different site
and want to associate it with its permanent site.

Procedure Requirements
● Credentials: Enterprise Admins
● Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To associate an existing Subnet object with a site
1. In Active Directory Sites and Services, expand the Sites container, and
then click the Subnets container.
2. In the details pane, right-click the subnet with which you want to
associate the site, and then click Properties.
3. In the Site box, click the site with which to associate the subnet, and
then click OK.

If the IP addresses are no longer in use, delete the Subnet object or
objects with which the addresses are associated.

Procedure: Delete the Site object


Delete a Site object only after you have removed all Server objects from
the site and have reassociated the subnets with a different site. The
Servers container is deleted when you delete the site.

Procedure Requirements
● Credentials: Enterprise Admins
● Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To delete a Site object
1. In Active Directory Sites and Services, click the Sites container.
2. In the details pane, right-click the site you want to delete, and then
click Delete.
3. Click Yes to confirm your choice.
4. In the Active Directory message box, read the information, and then
click Yes to delete the site and its Servers container object.

Procedure: Configure a domain controller as a global catalog server
Use the setting on the NTDS Settings object to indicate whether a domain
controller is designated as a global catalog server.

Procedure Requirements
● Credentials: Domain Admins in the domain of the global catalog server
● Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To configure a domain controller as a global catalog server
1. In Active Directory Sites and Services, expand the Sites container, and
then expand the site in which you are designating a global catalog
server.
2. Expand the Servers container and then expand the Server object for
the domain controller that you want to designate as a global catalog
server.
3. Right-click the NTDS Settings object for the target server, and then
click Properties.
4. Select the Global Catalog check box, and then click OK.

Procedure: Monitor global catalog replication progress


Monitor the replication progress to see what percentage of the partial
read-only directory partitions has been replicated to a new global catalog
server.

Procedure Requirements
● Credentials: Domain Admins
● Tool: Dcdiag.exe (Support Tools)

Procedure Steps
To monitor the replication progress on a new global catalog
server
1. At the command prompt, type dcdiag /v /s:servername | find "%"
(where servername is the name of the new global catalog server), and
then press ENTER.
2. Repeat this command periodically to monitor progress. If the test
shows no output, then replication has completed.

Procedure: Verify successful replication to a domain controller


Use Repadmin.exe to verify the success of replication to a specific domain
controller. Run the /showreps command on the domain controller that
receives replication (the destination domain controller). In the output
under INBOUND NEIGHBORS, Repadmin.exe shows the Lightweight
Directory Access Protocol (LDAP) distinguished name of each directory
partition for which inbound directory replication has been attempted, the
site and name of the source domain controller, and whether it succeeded
or not, as follows:
● Last attempt @ YYYY-MM-DD HH:MM.SS was successful.
● Last attempt @ [Never] was successful.

Procedure Requirements
● Credentials: Domain Admins in the domain of the destination domain
controller
● Tool: Repadmin.exe (Support Tools)

Procedure Steps
To verify successful replication to a domain controller
1. At a command prompt, type the following command and then press
ENTER:
repadmin /showreps ServerName /u:DomainName\UserName /pw:*
where ServerName is the name of the destination domain controller,
DomainName is the single-label name of the domain of the destination
domain controller (you do not have to use a fully-qualified DNS name),
and UserName is the name of an administrative account in that
domain.
2. When prompted, type the password for the user account you provided,
and then press ENTER.
The last successful attempt should agree with the replication schedule for
intersite replication, or should be within the last hour for intrasite
replication. When replication has never occurred, the message indicates
that the last success was never.
If Repadmin.exe reports any of the following conditions, contact a
superior:
● The last successful intersite replication was prior to the last scheduled
replication.
● The last intrasite replication was longer than one hour ago.
● Replication was never successful.
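The three escalation conditions above can be checked mechanically against saved Repadmin.exe output. The following is an added example, not a tool from this guide or from Microsoft; it assumes the "Last attempt @ ... was successful." and "@ [Never]" line layout quoted above and partner lines of the form "Site\DC via RPC", and the sample output it parses is constructed.

```python
"""Flag stale inbound replication partners in saved `repadmin /showreps` output.

Added example, not part of the operations guide. Assumes the line layouts
quoted in the guide; the sample output below is constructed.
"""
import re
from datetime import datetime, timedelta

PARTITION_RE = re.compile(r"^(?:DC|CN)=.*$")               # partition DN lines
PARTNER_RE = re.compile(r"^\s+([^\\\s]+)\\(\S+) via ")       # "Site\DC via RPC"
ATTEMPT_RE = re.compile(
    r"Last attempt @ (\[Never\]|\d{4}-\d{2}-\d{2} \d{2}:\d{2}[:.]\d{2}) was successful")


def parse_showreps(text):
    """Yield (partition, source_site, source_dc, last_success) per partner.

    last_success is a datetime, or None when the output shows [Never].
    """
    partition = site = dc = None
    for line in text.splitlines():
        if PARTITION_RE.match(line):
            partition = line.strip()
            continue
        m = PARTNER_RE.match(line)
        if m:
            site, dc = m.group(1), m.group(2)
            continue
        m = ATTEMPT_RE.search(line)
        if m and partition and dc:
            stamp = m.group(1)
            last = (None if stamp == "[Never]"
                    else datetime.strptime(stamp.replace(".", ":"), "%Y-%m-%d %H:%M:%S"))
            yield partition, site, dc, last


def check_replication(text, local_site, now, last_scheduled_intersite):
    """Return the findings the guide says to escalate to a superior."""
    findings = []
    for partition, site, dc, last in parse_showreps(text):
        where = f"{site}\\{dc} -> {partition}"
        if last is None:
            findings.append(f"never replicated: {where}")
        elif site == local_site:                      # intrasite: within one hour
            if now - last > timedelta(hours=1):
                findings.append(f"intrasite older than 1 hour: {where}")
        elif last < last_scheduled_intersite:         # intersite: since last schedule
            findings.append(f"intersite missed last scheduled cycle: {where}")
    return findings


# Constructed sample output: the destination DC is in site HQ.
SAMPLE_OUTPUT = """\
INBOUND NEIGHBORS
======================================

DC=corp,DC=example,DC=test
    HQ\\DC2 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000000
        Last attempt @ 2003-06-01 09:50:00 was successful.
    Branch\\DC3 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000001
        Last attempt @ 2003-06-01 02:00:00 was successful.
CN=Configuration,DC=corp,DC=example,DC=test
    HQ\\DC4 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000002
        Last attempt @ [Never] was successful.
"""
NOW = datetime(2003, 6, 1, 10, 0, 0)                 # time of the check (constructed)
LAST_SCHEDULED = datetime(2003, 6, 1, 6, 0, 0)       # last intersite schedule slot

if __name__ == "__main__":
    for finding in check_replication(SAMPLE_OUTPUT, "HQ", NOW, LAST_SCHEDULED):
        print(finding)
```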

Procedure: Verify global catalog readiness


When a global catalog server has satisfied replication requirements, the
isGlobalCatalogReady rootDSE attribute is set to TRUE. Use Ldp.exe or
Nltest.exe to view this value.

Subprocedure 1: Verify global catalog readiness using Ldp.exe

Procedure Requirements
● Credentials: Domain Users
● Tool: Ldp.exe (Support Tools)

Procedure Steps
To use Ldp.exe to verify global catalog readiness
1. In Ldp.exe, on the Connection menu, click Connect.
2. In the Connect box, type the name of the server whose global catalog
readiness you want to verify.
3. In the Port box, if 389 is not showing, type 389.
4. If the Connectionless box is selected, clear it, and then click OK.
5. In the details pane, verify that the isGlobalCatalogReady attribute
has a value of TRUE.
6. On the Connection menu, click Disconnect, and then close Ldp.exe.

Subprocedure 2: Verify global catalog readiness using Nltest.exe

Procedure Requirements
● Credentials: Domain Users
● Tools: Nltest.exe (Support Tools)

Procedure Steps
To use Nltest.exe to verify global catalog server readiness
1. At a command prompt, type the following command and then press
ENTER: nltest /server:ServerName /dsgetdc:DomainName
where ServerName is the name of the server you have added the
global catalog to and DomainName is the domain of the server.
2. In the Flags: line of the output, if GC appears, then the global catalog
server has satisfied its replication requirements.

Procedure: Verify global catalog DNS registrations


To verify that a server is advertised as a global catalog server, use the
DNS snap-in to verify the presence of DNS SRV resource records for the
server. Restart the global catalog server prior to checking DNS
registrations.

Procedure Requirements
● Credentials: Domain Users
● Tool: DNS snap-in (Administrative Tools)
● Global catalog server has been restarted since replication completed.

Procedure Steps
To verify the presence of global catalog-specific DNS SRV
resource records
1. In the DNS snap-in, connect to a domain controller in the forest root
domain.
2. Expand Forward Lookup Zones and then expand the forest root
domain.
3. Click the _tcp container. In the details pane, look in the Name column
for _gc and in the Data column for the name of the server. The records
that begin with _gc are global catalog SRV records.

Procedure: Clear the global catalog setting


Clearing the global catalog setting initiates removal of the partial directory
partitions from the directory database of the domain controller.

Procedure Requirements
● Credentials: Domain Admins in the domain of the global catalog server
● Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To clear the global catalog setting
1. In Active Directory Sites and Services, expand the Sites container, and
then expand the site from which you are removing a global catalog
server.
2. Expand the Servers container and then expand the Server object for
the domain controller that you want to remove as a global catalog
server.
3. Right-click the NTDS Settings object for the target server, and then
click Properties.
4. If the Global Catalog check box is selected, clear the check box, and
then click OK.

Procedure: Monitor global catalog removal in Event Viewer


The KCC logs an event that indicates that the global catalog has been
removed from a domain controller.

Procedure Requirements
● Credentials: Domain Users
● Tool: Active Directory Sites and Services (Administrative Tools)

Procedure Steps
To monitor global catalog removal in Event Viewer
1. Go to Start > Programs > Administrative Tools > Event Viewer.
2. Right-click Event Viewer (Local), and then click Connect to
another computer.
3. In the Select Computer dialog box, click Another computer, type
the name of the server from which you removed the global catalog,
and then click OK.
4. Under Event Viewer, click Directory Service log.
5. Look for NTDS KCC event ID 1268, which indicates that the global
catalog is removed from the local machine.

Procedure: Determine whether a site has at least one global catalog server
You can use Nltest.exe to list a single domain controller in a specified site.
If the test fails, it means that there are no global catalog servers in the
site.

Procedure Requirements
● Credentials: Authenticated User
● Tool: Nltest.exe (Support Tools)

Procedure Steps
To determine whether a site has at least one global catalog server
● At the command prompt, type:
nltest /dsgetdc:forestRootDomainName /gc /site:siteName
where forestRootDomainName is the name of the forest root domain
and siteName is the name of the site. Press ENTER.
The output shows either one domain controller that is a global catalog
server, or the command fails. If the output shows DsGetDcName failed,
then the site has no global catalog servers.

Procedure: Determine whether universal group caching is enabled

Procedure Details
1. Open Active Directory Sites and Services MMC snap-in.
2. Locate the site you want to check for universal group caching.
3. Click the site name, right-click NTDS Site Settings, and then select
Properties.
If universal group caching is enabled, the check box will be checked.

Procedure: Change the weight for DNS SRV records in the registry
To increase client requests sent to other domain controllers relative to a
particular domain controller, adjust the weight of the particular domain
controller to a lower value than the others. All domain controllers start
with a default weight setting of 100 and can be configured for any value
from 0 through 65535, with a data type of decimal. When you adjust the
weight, consider it as a ratio of the weight of this domain controller to the
weight of the other domain controllers. Because the default for the other
domain controllers is 100, the number you enter for weight is divided by
100 to establish the ratio. For example, if you specify a weight of 60, the
ratio to the other domain controllers is 60/100. This reduces to 3/5, so you
can expect clients to be referred to other domain controllers five times for
every three times they get referred to the domain controller you are
adjusting.

Caution The Registry Editor bypasses standard safeguards, allowing settings that
can damage your system or even require you to reinstall Windows. If you must edit
the registry, back up system state first. For information about backing up system
state, see "Active Directory Backup and Restore" in this guide.

Procedure Requirements
● Credentials: Domain Admins
● Tool: Regedit.exe (system tool)

Procedure Steps
To change the weight for DNS SRV records in the registry
1. In the Run text box, type regedit and press ENTER.
2. In the Registry Editor, navigate to
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. Click Edit, click New, and then click DWORD value.
4. For the new value name, type LdapSrvWeight and press ENTER. (The
value name is not case sensitive.)
5. Double-click the value name you just typed to open the Edit DWORD
Value dialog box.

6. Enter a value from 0 through 65535. The default value is 100.
7. Choose Decimal as the Base option.
8. Click OK.
9. Click File, and then click Exit to close the Registry Editor.

Procedure: Change the priority for DNS SRV records in the registry
To prevent clients from sending all requests to a single domain controller,
the domain controllers are assigned a priority value. Clients always send
requests to the domain controller that has the lowest priority value. If
more than one domain controller has the same value, the clients randomly
choose from the group of domain controllers with the same value. If no
domain controllers with the lowest priority value are available, then the
clients send requests to the domain controller with the next highest
priority.
A domain controller's priority value is stored in its registry. When the
domain controller starts, the Net Logon service registers with the DNS
server. The priority value is registered with the rest of its DNS information.
When a client uses DNS to discover a domain controller, the priority for a
given domain controller is returned to the client with the rest of the DNS
information. The client uses the priority value to help determine to which
domain controller to send requests.
The value is stored in the LdapSrvPriority registry entry. The default value
is 0, but it can range from 0 through 65535.
To configure the PDC emulator in this manner, use Regedit.exe to modify
the ldapsrvpriority or ldapsrvweight registry entries.

Note A lower value entered for LdapSrvPriority indicates a higher priority. A domain
controller with an LdapSrvPriority setting of 100 has a lower priority than a domain
controller with a setting of 10. Therefore, clients attempt to use the domain
controller with the setting of 10 first.
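The weight ratio described under "Change the weight for DNS SRV records" and the priority ordering described here can be seen together in a short simulation. This is an added example, not code from the guide or from Microsoft; it assumes the RFC 2782 selection rule that the domain controller locator follows (lowest priority value whose servers answer, then a weighted random choice within that group), and every record in it is constructed.

```python
"""Simulate how a DC locator client chooses among domain controllers from
their DNS SRV records.

Added example; not from the operations guide or from Microsoft. Assumes the
RFC 2782 rule: use the lowest LdapSrvPriority value whose servers answer,
then choose within that group at random in proportion to LdapSrvWeight.
"""
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    target: str     # domain controller host name
    priority: int   # LdapSrvPriority: a lower value is tried first
    weight: int     # LdapSrvWeight: relative share within one priority


def choose_dc(records, available, rng=random):
    """Return the DC chosen for one query, or None if nothing is reachable.

    `available` holds the host names currently answering; records for the
    other hosts are skipped, so a whole priority group that is down causes
    the next higher priority value to be used.
    """
    live = [r for r in records if r.target in available]
    if not live:
        return None
    lowest = min(r.priority for r in live)
    group = [r for r in live if r.priority == lowest]
    total = sum(r.weight for r in group)
    if total == 0:                  # all weights 0: uniform choice
        return rng.choice(group).target
    pick = rng.uniform(0, total)    # weighted choice within the group
    running = 0
    for r in group:
        running += r.weight
        if pick <= running:
            return r.target
    return group[-1].target


def referral_counts(records, available, trials, seed=1):
    """Tally how often each DC is chosen over `trials` simulated queries."""
    rng = random.Random(seed)
    return Counter(choose_dc(records, available, rng) for _ in range(trials))


# Constructed sample: DC1 has had LdapSrvWeight lowered to 60 (the guide's
# 3:5 example), DC2 keeps the default 100, and DC3 has LdapSrvPriority 10
# so that it only receives requests when DC1 and DC2 are both down.
SAMPLE_RECORDS = [
    SrvRecord("dc1.example.test", priority=0, weight=60),
    SrvRecord("dc2.example.test", priority=0, weight=100),
    SrvRecord("dc3.example.test", priority=10, weight=100),
]
ALL_UP = {r.target for r in SAMPLE_RECORDS}

if __name__ == "__main__":
    for name, count in sorted(referral_counts(SAMPLE_RECORDS, ALL_UP, 10000).items()):
        print(f"{name}: {count}")          # expect roughly 3:5 for dc1:dc2, 0 for dc3
    print(choose_dc(SAMPLE_RECORDS, {"dc3.example.test"}))   # dc3 when the others are down
```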

Procedure Requirements
● Credentials: Domain Admins
● Tool: Regedit.exe (system tool)

Procedure Steps
To change the priority for DNS SRV records in the registry
1. In the Run text box, type regedit and press ENTER.
2. In the Registry Editor, navigate to
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. Click Edit, click New, and then click DWORD value.
4. For the new value name, type LdapSrvPriority, and press ENTER.

5. Double-click the value name that you just typed to open the Edit
DWORD Value dialog box.
6. Enter a value from 0 through 65535. The default value is 0.
7. Choose Decimal as the Base option, and then click OK.
8. Click File, and then click Exit to close the Registry Editor.

Procedure: Seize the operations master role


The Ntdsutil.exe command-line tool allows you to transfer and seize any
operations master role. You must use Ntdsutil.exe to seize the schema
master, domain naming master, and RID master roles. When you use
Ntdsutil.exe to seize an operations master role, it first attempts a transfer
from the current role owner. If the current role owner is unavailable, it
performs the seizure.
When using Ntdsutil.exe to seize an operations master role, the procedure
is nearly identical for all roles. For more information about using
Ntdsutil.exe, type ? at the Ntdsutil.exe command prompt.

Procedure Requirements
● Credentials: Domain Admins or Enterprise Admins
● Tools: Ntdsutil.exe (system tool)

Procedure Steps
To seize the operations master role
1. In the Run text box, type ntdsutil and press ENTER.
2. At the ntdsutil: prompt, type roles and press ENTER.
3. At the fsmo maintenance: prompt, type connections and press
ENTER.
4. At the server connections: prompt, type connect to server
servername (where servername is the name of the domain controller
that will assume the operations master role), and press ENTER.
5. After you receive confirmation of the connection, type quit and press
ENTER to exit the menu.
6. Depending on the role you want to seize, enter the command indicated
and press ENTER.

Role                   Credentials        Command
Domain naming master   Enterprise Admins  seize domain naming master
Schema master          Enterprise Admins  seize schema master
Infrastructure master  Domain Admins      seize infrastructure master
PDC emulator           Domain Admins      seize pdc
RID master             Domain Admins      seize rid master

The system asks for confirmation. It then attempts to transfer the role.
When the transfer fails, some error information appears and the
system proceeds with the seizure. After the seizure is complete, a list
of the roles and the LDAP name of the server that currently holds each
role appears.
During seizure of the RID master, the current role holder attempts to
synchronize with its replication partners. If it cannot establish a
connection with a replication partner during the seizure operation, it
displays a warning and confirms that you want the role seizure to
proceed. Click Yes to proceed.
7. Type quit and press ENTER. Type quit again and press ENTER to exit
Ntdsutil.exe.

Procedure: Create a Connection object


To help ensure that the current role holder and the standby operations
master are replication partners, you can manually create a Connection
object between the two domain controllers. Even if a Connection object is
generated automatically, it is recommended that you manually create
one. The system can alter automatically created Connection objects at any
time. Manually created connections remain the same until an
administrator changes them.
You must know the current operations master role holder to perform the
following procedure. For information about determining the current
operations master role holders, see “View the Current Operations Master
Role Holders” earlier in this guide.

Procedure Requirements
● Credentials: Domain Admins
● Tool: Active Directory Sites and Services (Administrative Tools)

Subprocedure 1: Steps to create a Connection object on the current operations master
To create a Connection object on the current operations master
1. In the Active Directory Sites and Services snap-in, in the console tree,
expand the Sites folder to see the list of available sites.
2. Expand the site name in which the current role holder is located to
display the Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that is currently hosting the operations
master role to display NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the
standby operations master, and then click OK.
7. In the New Object-Connection dialog box, enter an appropriate
name for the Connection object or accept the default name, and click
OK.

Subprocedure 2: Steps to create a Connection object on the standby operations master
To create a Connection object on the standby operations master
1. Expand the site name in which the standby operations master is
located to display the Servers folder.
2. Expand the Servers folder to see a list of the servers in that site.
3. Expand the name of the server that you want to be the standby
operations master to display its NTDS Settings.
4. Right-click NTDS Settings, click New, and then click Connection.
5. In the Find Domain Controllers dialog box, select the name of the
current role holder, then click OK.
6. In the New Object-Connection dialog box, enter an appropriate
name for the Connection object or accept the default name, and click
OK.

Procedure: Add the new domain controller name

Procedure Steps
● Open a command prompt and type the following command, and then
press ENTER:
netdom computername CurrentComputerName /add:NewComputerName

Procedure: Designate the new name as the primary computer name

Procedure Steps
To designate the new name as the primary computer name
1. Open a command prompt and type:
netdom computername CurrentComputerName /makeprimary:NewComputerName
where CurrentComputerName and NewComputerName match the descriptions
in the table below. Press ENTER.
2. Restart the computer.

Procedure: Remove the old domain controller name

Procedure Steps
To remove the old domain controller name
1. Open a command prompt and type:
netdom computername NewComputerName /remove:OldComputerName
where NewComputerName and OldComputerName match the descriptions in
the table below. Press ENTER.
Value                Description
CurrentComputerName  The current, or primary, computer name or IP address of
                     the computer you are renaming.
NewComputerName      The new name for the computer. The NewComputerName must
                     be a fully qualified domain name (FQDN). The primary DNS
                     suffix specified in the FQDN for NewComputerName must be
                     the same as the primary DNS suffix of CurrentComputerName,
                     or it must match the DNS name of the Active Directory
                     domain hosted by this domain controller, or it must be
                     contained in the list of allowed DNS suffixes specified
                     in the msDS-AllowedDNSSuffixes attribute of the domainDns
                     object.
OldComputerName      The old name of the renamed computer. The OldComputerName
                     must be a fully qualified domain name (FQDN).

Procedure: Update the FRS Member object

Procedure Steps
To update the FRS Member object
1. Using Ldp.exe (or ADSI Edit), find the computer object of the renamed
domain controller.
2. Do a recursive search under the computer object for an object of type
nTFRSSubscriber whose name is "Domain System Volume (SYSVOL share)".
3. The search filter is
"(&(cn=Domain System Volume \28SYSVOL share\29)(objectClass=nTFRSSubscriber))"
(the parentheses inside the name are written as \28 and \29, as LDAP
filter syntax requires).
4. Find the fRSMemberReference attribute of the object returned by
the search.
5. Find the object whose distinguished name is in the fRSMemberReference
attribute. This is the Ntfrsmember object corresponding to this domain
controller.

6. Change the computer name of this Ntfrsmember object from the old
name of the domain controller to the new name of the domain
controller.

Procedure: Restore Group Policy

Procedure Steps
To restore Group Policy
1. Open Group Policy Management Console (GPMC).
2. In the console tree, double-click Domains to expand the list of
domains.
3. Double-click the desired domain to expand the contents of that
domain.
4. Right-click Group Policy Objects, and select Manage Backups.
5. Right-click the object to be restored, and select Restore from
Backup.
6. Select the backup location, click the policy backup to be restored, and
then click Restore.
7. Click OK to restore the selected GPO backup.
