Active Directory Operations Guide Part I
Chapter Number 1
Acknowledgements

Program Managers: Stuart Kwan, Andreas Luther, Chris Macaulay, Paul Reiner
Writers: Mary Hillman, Dave Kreitler, Merrilee McDonald, Randy McLaughlin, Andrea Weiss
Editors: Laura Graham and Justin Hall
Copy Editors: Bonnie Birger, Anika Nelson, Dee Teodoro
Test Plan: Mary Hillman and Cheryl Jenkins
Testers: Justin Hall, David Stern, Matt Winberry
Lab Staff: Robert Thingwold and David Meyer
Lab Partners: Hewlett-Packard and Cisco Systems

We thank the following people for reviewing the guide and providing valuable feedback: Tadao Arima, Bill Bagley, Colin Brace, Duncan Bryce, J.C. Cannon, Sudarshan Chitre, Arren Conner, Joseph Davies, Jim Dobbin, Levon Esibov, Eric Fitzgerald, David Golds, Jin Huang, Khushru Irani, J.K. Jaganathan, Kamal Janardhan, Asaf Kashi, William Lees, Jonathan Liem, Doug Lindsey, Arun Nanda, Paul O'Connell, Boyd Peterson, Paul Rich, Murli Satagopan, Sanji Sharma, Michael Snyder, David Stern, Mark Szalkiewics, Kahren Tevosyan, Derek Vincent
Contents

Contents ..... 4
Introduction ..... 8
  Using the Microsoft Operations Framework for Active Directory Operations ..... 8
  Audience
  Using this Guide
Managing Active Directory ..... 11
  Overview of Active Directory Operations ..... 12
    Planning for Active Directory Operations ..... 12
    Tools Used for Active Directory Operations ..... 14
    Operations Tasks Checklist ..... 17
  Monitoring Active Directory ..... 20
  Active Directory Backup and Restore ..... 27
    Backing Up Active Directory and Associated Components ..... 36
    Performing a Non-Authoritative Restore ..... 36
    Performing an Authoritative Restore of a Subtree or Leaf Object ..... 37
    Performing an Authoritative Restore of Entire Directory ..... 37
    Recovering a Domain Controller Through Reinstallation ..... 38
    Restoring a Domain Controller Through Reinstallation and Subsequent Restore from Backup
  Managing Domain Controllers
    Installing and Removing Active Directory ..... 40
      Preparing for Active Directory Installation ..... 45
      Installing Active Directory ..... 46
      Performing Active Directory Post-Installation Tasks ..... 48
      Decommissioning a Domain Controller ..... 51
    Renaming Domain Controllers ..... 53
      Identifying the Current Configuration of a Domain Controller ..... 56
      Renaming a Domain Controller ..... 58
      Restoring the Original Configuration of a Domain Controller ..... 58
    Managing Global Catalog Servers
      Identifying Global Catalog Servers in a Site ..... 63
      Identifying a Site That Has No Global Catalog Servers ..... 63
      Adding the Global Catalog to a Domain Controller and Verifying Readiness ..... 63
      Removing the Global Catalog from a Domain Controller ..... 66
    Managing Operations Masters ..... 67
      Designating Operations Master Roles ..... 76
      Reducing the Workload on the PDC Emulator ..... 77
      Decommissioning a Role Holder ..... 78
      Seizing Operations Master Roles
      Choosing a Standby Operations Master ..... 80
    Managing the Database ..... 81
      Relocating Directory Database Files ..... 84
      Returning Unused Disk Space from the Directory Database to the File System ..... 86
      Speeding Removal of an Expired-Tombstone Backlog ..... 87
    Managing SYSVOL ..... 88
      Changing the Space Allocated to the Staging Area ..... 95
      Relocating the Staging Area ..... 97
      Moving SYSVOL by Using the Active Directory Installation Wizard ..... 98
      Moving SYSVOL Manually ..... 100
      Updating the System Volume Path ..... 102
      Restoring and Rebuilding SYSVOL ..... 103
    Managing Windows Time Service ..... 103
      Configuring a Time Source for the Forest ..... 106
      Configuring a Reliable Time Source on a Computer Other than the PDC Emulator ..... 107
      Configuring a Client to Request Time from a Specific Time Source ..... 108
      Optimizing the Polling Interval ..... 108
      Disabling the Windows Time Service
    Managing Long-Disconnected Domain Controllers
      Preparing a Domain Controller for a Long Disconnection ..... 116
      Reconnecting Long-Disconnected Domain Controllers ..... 118
      Removing Lingering Objects from an Outdated Writable Domain Controller ..... 121
      Removing Lingering Objects from a Global Catalog Server ..... 124
  Managing Trusts ..... 126
    Creating External Trusts ..... 128
    Creating Shortcut Trusts
    Removing Manually Created Trusts ..... 130
    Preventing Unauthorized Privilege Escalation ..... 130
  Managing Sites ..... 131
    Adding a New Site ..... 135
    Adding a Subnet to the Network ..... 135
    Linking Sites for Replication ..... 136
    Changing Site Link Properties ..... 136
    Moving a Domain Controller to a Different Site ..... 137
    Removing a Site ..... 144
Troubleshooting Active Directory ..... 147
  Overview of Active Directory Troubleshooting ..... 148
    Prerequisites for Troubleshooting Active Directory ..... 151
    Tools for Troubleshooting Active Directory ..... 153
    High-level Methodology for Troubleshooting Active Directory Problems ..... 156
    Documenting the Problem ..... 157
    Identifying the Components Involved
    Verifying Client Health
    Verifying Network Path ..... 160
    Verifying Server Health ..... 160
    Verifying Service Health ..... 161
    Iterate the Troubleshooting Process ..... 161
  Troubleshooting High CPU Usage on a Domain Controller ..... 162
    Troubleshooting High CPU Usage by Processes ..... 163
    Troubleshooting High CPU Usage on a PDC Emulator ..... 164
    Troubleshooting High CPU Usage on a Global Catalog Server ..... 167
    Troubleshooting High CPU Usage Caused by Excessive Client Load ..... 168
    Troubleshooting Server-Related High CPU Usage
  Troubleshooting Active Directory-Related DNS Problems ..... 170
    Troubleshooting Active Directory Replication Failure Due to Incorrect DNS Configuration ..... 173
    Troubleshooting Domain Controller Locator DNS Records Registration Failure ..... 175
    Troubleshooting Active Directory Installation Wizard Failure to Locate Domain Controller ..... 175
    Troubleshooting Failure to Locate Domain Controller when Attempting to Join a Domain ..... 176
  Troubleshooting FRS ..... 176
    Troubleshooting FRS Events 13508 without FRS Event 13509
    Troubleshooting FRS Event 13511 ..... 181
    Troubleshooting FRS Event 13522 ..... 181
    Troubleshooting FRS Event 13526 ..... 181
    Troubleshooting FRS Event 13548 ..... 182
    Troubleshooting FRS Event 13557 ..... 182
    Troubleshooting FRS Event 13567 ..... 182
    Troubleshooting FRS Event 13568 ..... 182
    Troubleshooting Files Not Replicating ..... 184
    Verifying the FRS Topology in Active Directory ..... 186
    Troubleshooting Morphed Folders ..... 186
    Troubleshooting the SYSVOL Directory Junction ..... 188
    Troubleshooting Excessive Disk and CPU Usage by NTFRS.EXE
  Troubleshooting Active Directory Replication Problems ..... 190
    Troubleshooting No Inbound Neighbors Repadmin.exe Error ..... 193
    Troubleshooting Access Denied Replication Errors ..... 194
    Troubleshooting GUID Discrepancies ..... 195
    Troubleshooting RPC Server Problems ..... 196
    Troubleshooting NTDS Event ID 1311 ..... 196
    Troubleshooting SceCli Event ID 1202
  Troubleshooting Active Directory Installation Wizard Problems ..... 200
    Troubleshooting "Access Denied" Error Messages in Active Directory Installation Wizard ..... 203
    Troubleshooting Domain Naming Master Errors in Active Directory Installation Wizard ..... 204
  Troubleshooting Directory Data Problems ..... 205
    Troubleshooting Lost Domain Objects ..... 206
    Troubleshooting Object Name Conflicts ..... 206
  Troubleshooting Windows Time Service Problems ..... 207
    Troubleshooting Windows Time Service Errors on a PDC Emulator ..... 208
Note

All references to Windows 2000 include both Microsoft® Windows® 2000 Server and Microsoft® Windows® 2000 Advanced Server, unless otherwise specified. This document assumes that you are using Windows 2000 with Service Pack 2 (SP2) or greater.
Introduction
This operations guide provides guidance on how to manage and troubleshoot Microsoft® Windows® 2000 Active Directory. These activities are part of the operating phase of the IT life cycle. Although this guide specifically addresses the operating phase of the IT life cycle, Microsoft Enterprise Services Framework provides guidelines for other phases of the life cycle. These phases are listed in Table 1.1.

Table 1.1 IT Life Cycle and Microsoft Enterprise Services Frameworks Assistance

| For this Phase | Microsoft Enterprise Services Frameworks Provides this Assistance |
| Planning | Although not currently a dedicated Enterprise Services framework, Microsoft Business Value Services provide tools to assess and plan the IT infrastructure, prioritize projects, and make a compelling business case for undertaking an IT project. |
| | Microsoft Solutions Framework provides guidelines for building and deploying a project. The phases involved in this part of the IT lifecycle include Envisioning, Planning, Developing, and Deploying. |
| Operating | Microsoft Operations Framework provides guidelines for managing production systems within complex distributed IT environments. |

Active Directory operations occur after you plan, build, and deploy your Active Directory implementation.

... into quadrants in the operations life cycle. Table 1.2 lists the four quadrants and the area of operations they cover.

Table 1.2 MOF Operations Quadrants

| Quadrant | Service Mission |
| Operating | Perform day-to-day tasks effectively and efficiently. |
| Supporting | Resolve incidents, problems, and inquiries quickly. |
| Optimizing | Optimize cost, performance, capacity, and availability in the delivery of IT services and drive necessary changes, based on the data that you collect. |
| Changing | Introduce new service solutions, technologies, systems, applications, hardware, and processes. |

This guide includes processes for operating Active Directory. For more information about MOF, see the MOF link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
Audience
This guide is for medium and large organizations that have one or more centralized IT operations departments. It includes information that is relevant to different roles within an IT organization, including IT Operations management and administrators. It contains high-level information that is required in planning an Active Directory operations environment. This information requires management-level knowledge of the technology and IT processes. In addition, this guide contains low-level procedures that are designed for operators who have varied levels of expertise and experience. Although the procedures provide operator guidance from start to finish, operators must have a basic proficiency with the Microsoft Management Console (MMC) and snap-ins, and know how to start programs and access the command line.
Using this Guide

Read through the entire Operating Active Directory chapter to gain a management-level knowledge of how to operate Active Directory. Ensure that you have all the tools installed where operators use them. Use the task lists to schedule recurring tasks. Create "tear sheets" for each task that operators perform within your organization. Cut and paste the task and its related procedures into a separate document and then either print these documents, or store them online, depending on the preference of your organization. Give the operator the tear sheets for the task when a task needs to be performed, along with information relevant to the environment (such as the name and IP address of the domain controller involved in the task).
Managing Active Directory

Microsoft® Windows® 2000 Active Directory provides a robust directory service environment that requires few regularly scheduled maintenance tasks. However, you might perform some tasks on a regular basis, including backing up the database, and adding or removing domain controllers. You can use this guide to help you efficiently operate your Active Directory environment.
In This Chapter

Overview of Active Directory Operations
Monitoring Active Directory
Active Directory Backup and Restore
Managing Domain Controllers
Managing Trusts
Managing Sites
... This data provides a starting point to establish a baseline for the operations environment, and to set the proper level of service.
Automated Actions

Automated actions provide a time-saving method to detect and react to incidents occurring in the production environment. Identify those tasks and procedures that you want to automate, whether with scripts or a monitoring product such as Microsoft Operations Manager 2000 (MOM). Also identify the triggers, such as alerts generated by MOM, which start the automated action. An example of an automated action is configuring an agent process to respond when it detects that the threshold for disk space has been exceeded. In this case, the agent process running on the affected computer automatically takes action to resolve the situation, such as deleting all the files in the Temp directory, thereby returning the system to acceptable conditions as defined in the Service Level Agreement. The agent system also sends a message to the management server that includes any necessary event data (the name and address of the affected system, the error message, the results of the action taken, and so on). After the automated action resolves the incident, the operations team can determine what, if any, further action to take. In this example, the automated action temporarily resolves the incident, and the operations team must investigate further to determine a permanent resolution.

Operator-Driven Actions

Operator-driven actions are those that are performed by an operator, as opposed to those performed by an automated system. Operator-driven actions need to be defined whenever and wherever possible, so that operators with varying degrees of skills and training can perform specific tasks, such as changing a password, loading forms into a printer, starting or stopping processes, and so on.
Tools Used for Active Directory Operations

| Tool | Location | Function |
| Active Directory Installation Wizard | Windows 2000 | |
| Active Directory Sites and Services snap-in | Windows 2000 Administrative Tools Pack | |
| Active Directory Users and Computers snap-in | Windows 2000 Administrative Tools Pack | |
| ADSI Edit, MMC snap-in | Windows 2000 Support Tools | |
| Backup Wizard | Windows 2000 system tool | |
| Control Panel | Windows 2000 | |
| Dcdiag.exe | Windows 2000 Support Tools and Windows 2000 Server Resource Kit | Analyze the state of domain controllers in a forest or enterprise; assist in troubleshooting by reporting any problems. |
| | Windows 2000 Administrative Tools Pack | Manage DNS. |
| | Windows 2000 Server Resource Kit | Compare directory information on domain controllers and detect differences. |
| | | Monitor events recorded in event logs. |
| | | Replicate logon scripts and profiles between Windows 2000-based domain controllers and Windows NT 4.0-based domain controllers. |
| Ldp.exe | Windows 2000 Support Tools | Perform LDAP operations against Active Directory. |
| Linkd.exe | Windows 2000 Server Resource Kit | Create, delete, update, and view the links that are stored in junction points. |
| MMC | Windows 2000 | Create, save, and open administrative tools (called MMC snap-ins) that manage hardware, software, and network components. |
| Netdiag.exe | Windows 2000 Server Resource Kit and Windows 2000 Support Tools | Check end-to-end network connectivity and distributed services functions. |
| Netdom.exe | Windows 2000 Support Tools | Allow batch management of trusts, joining computers to domains, and verifying trusts and secure channels. |
| | | Perform common tasks on network services, including stopping, starting, and connecting to network resources. |
| Nltest.exe | Windows 2000 Support Tools | Verify that the locator and secure channel are functioning. |
| Notepad | Windows 2000 Accessories | View, create, and modify text files. |
| Ntdsutil.exe | Windows 2000 system tool | Manage Active Directory, manage single master operations, remove metadata, create application directory partitions. |
| Regedit.exe | | View and modify registry settings. |
| Repadmin.exe | | Verify replication consistency between replication partners, monitor replication status, display replication metadata, and force replication events and topology recalculation. |
| Replmon.exe | | Display replication topology, monitor replication status, and force replication events and topology recalculation. |
| Services snap-in | | Start, stop, pause, or resume system services on remote and local computers, and configure startup and recovery options for each service. |
| | | Access and manage computers remotely. |
| | | Manage Windows Time Service. |
| | | Access files, Web pages, and network locations. |
Operations Tasks Checklist

| Task | Frequency |
| Review the Time Synchronization Report to detect intermittent problems and resolve time-related alerts. | Weekly |
| Review the Authentication Report to help resolve problems generated by computer accounts with expired passwords. | Weekly |
| Review the Duplicate Service Principal Name Report to list all security principals that have a service principal name conflict. | Weekly |
| Review a report of the top alerts generated by the Active Directory monitoring indicators and resolve those items that occur most frequently. | Weekly |
| Review the report that lists all trust relationships in the forest and check for obsolete, unintended, or broken trusts. | Monthly |
| Verify that all domain controllers are running with the same service pack and hot fix patches. | Monthly |
| Review all Active Directory reports and adjust thresholds as needed. Examine each report and determine which reports, data, and alerts are important for your environment and service level agreement. Review the Replication Monitoring Report to verify that replication throughout the forest occurs within acceptable limits. Review the Active Directory response time reports. Review the domain controller disk space reports. Review all performance-related reports (these reports are called Health Monitoring reports in MOM), also for capacity planning purposes, to ensure that you have enough capacity for current and expected growth. | Monthly |
| Adjust performance counter thresholds or disable rules that are not applicable to your environment or that generate irrelevant alerts. | Monthly |
| Identify the global catalog servers in a site. | Monthly |
| Back up Active Directory and associated components. | At least twice within the tombstone lifetime |
| Perform a non-authoritative restore. | As needed |
| Perform an authoritative restore of a subtree or leaf object. | As needed |
| Perform an authoritative restore of the entire directory. | As needed |
| Recover a domain controller through reinstallation. | As needed |
| Restore a domain controller through reinstallation and subsequent restore from backup. | As needed |
| Prepare for Active Directory installation. | As needed |
| Install Active Directory. | As needed |
| Perform Active Directory post-installation tasks. | As needed |
| Decommission a domain controller. | As needed |
| Identify the current configuration of a domain controller. | As needed |
| Rename a domain controller. | As needed |
| Restore the original configuration of a domain controller. | As needed |
| Add the global catalog to a domain controller and verify global catalog readiness. | As needed |
| Remove the global catalog from a domain controller. | As needed |
| Designate operations master roles. | As needed |
| Reduce the workload on a PDC emulator. | As needed |
| Decommission an operations master role holder. | As needed |
| Seize operations master roles. | As needed |
| Choose a standby operations master. | As needed |
| Relocate directory database files. | As needed |
| Return unused disk space from the directory database to the file system. | As needed |
| Speed removal of an expired-tombstone backlog. | As needed |
| Change the space allocated to the Staging Area folder. | As needed |
| Relocate the Staging Area folder. | As needed |
| Move SYSVOL by using the Active Directory Installation Wizard. | As needed |
| Move SYSVOL manually. | As needed |
| Update the SYSVOL path. | As needed |
| Restore and rebuild SYSVOL. | As needed |
| Configure a time source for the forest. | As needed |
| Configure a reliable time source on a computer other than the PDC emulator. | As needed |
| Configure a client to request time from a specific time source. | As needed |
| Optimize the polling interval. | As needed |
| Disable the Windows Time Service. | As needed |
| Prepare a domain controller for long disconnection. | As needed |
| Reconnect a long-disconnected domain controller. | As needed |
| Remove lingering objects from an outdated writable domain controller. | As needed |
| Remove lingering objects from a global catalog server. | As needed |
| Create an external trust (between a Windows 2000 domain and a Windows NT 4.0 domain, or between domains in different forests). | As needed |
| Create a shortcut trust. | As needed |
| Remove a manually created trust. | As needed |
| Prevent unauthorized privilege escalation. | As needed |
| Add a new site. | As needed |
| Add a subnet to the network. | As needed |
| Link sites for replication. | As needed |
| Change site link properties. | As needed |
| Move a domain controller to a different site. | As needed |
| Remove a site. | As needed |
Inconsistent directory data. If replication fails for an extended period of time, objects (known as lingering objects and re-animated objects) can be created in the directory and might require extensive diagnosis and time to eliminate.

Account creation failure. A domain controller is unable to create user or computer accounts if it exhausts its supply of relative IDs and the RID master is unavailable.

Security policy failure. If the SYSVOL shared folder does not replicate properly, Group Policy objects and security policies are not properly applied to clients.
Levels of Monitoring

Use a cost-benefit analysis to determine the degree or level of monitoring that you need for your environment. Compare the cost of formalizing a monitoring solution with the costs associated with service outages and the time that is required to diagnose and resolve problems that might occur. The level of monitoring also depends on the size of your organization and your service level needs. Organizations with few domains and domain controllers, or that do not provide a critical level of service, might only need to periodically check the health of a single domain controller by using the built-in tools provided in Windows 2000 Server. Larger organizations that have many domains, domain controllers, sites, or that provide a critical service and cannot afford the cost of lost productivity due to a service outage, need to use an enterprise-level monitoring solution such as MOM. Enterprise-level monitoring solutions use agents or local services to collect the monitoring data and consolidate the results on a central console. Enterprise-level monitoring solutions also take advantage of the physical network topology to reduce network traffic and increase performance. In a complex environment, directory administrators need enterprise-level monitoring to derive meaningful data and to make good decisions and analysis. For more information about MOM, see http://www.microsoft.com/mom/.

Service-Level Baseline

A baseline represents service level needs as performance data. By setting thresholds to indicate when the baseline boundaries are exceeded, your monitoring solution can generate alerts to inform the administrator of degraded performance and jeopardized service levels. For example, you can use performance indicators to set a baseline and monitor for low disk space on the disk drives that contain the Active Directory database and log files, and you can monitor CPU usage of a domain controller. You can also monitor critical services running on a domain controller. Monitoring these indicators allows the administrator to ensure adequate performance.

To determine an accurate baseline, monitor and collect data for a time period that is long enough to represent peak and low usage. For example, monitor during the time in the morning when the greatest number of users log on. Monitor for an interval that is long enough to span your password change policy and any month-end or other periodic processing that you perform. Also, collect data when network demands are low to determine this minimal level. Be sure to collect data when your environment is functioning properly. To accurately assess what is acceptable for your environment, remove data caused by network outages or other failures when you establish your baseline.

The baseline that you establish for your environment can change over time as you add new applications, users, hardware, and domain infrastructure to the environment, and as the expectations of users change. Over time, the directory administrator might look for trends and changes that occur, and take actions designed to meet the increased demands on the system and maintain the desired level of service. Such actions might include fine-tuning the software configuration and adding new hardware.

Determining the thresholds when alerts are generated to notify the administrator that the baseline has been exceeded is a delicate balance between providing either too much information or not enough. The vendor of your monitoring solution, such as MOM, can provide general performance thresholds, but you must periodically adjust these thresholds to meet your service level requirements. To adjust these thresholds, first collect and analyze the monitoring data to determine what is acceptable or usual activity for your environment. After you gather a good data sample and consider your service level needs, you can set meaningful thresholds that trigger alerts. To determine thresholds: for each performance indicator, collect monitoring data and determine the minimum, maximum and average values; analyze the data with respect to your service level needs; adjust thresholds to trigger alerts when indicators cross the parameters for acceptable service levels.

As you become more familiar with the monitoring solution you choose, it becomes easier to correlate the thresholds that trigger the alerts to your service level delivery. If you are uncertain, it is usually better to set the thresholds low to view a greater number of alerts. As you understand the alerts you receive and determine why you receive them, you can increase the threshold at which alerts are generated, thereby reducing the amount of information that you receive from your monitoring solution. MOM uses thresholds that are a reasonable starting point and work for the majority of medium-sized customers. Larger organizations might need to increase the thresholds.
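The baseline and threshold procedure above, worked through as an added example (not code from the guide or from MOM): per indicator, drop samples captured during a known outage, take minimum, maximum and average, derive a threshold from the baseline boundary, and list the samples that would alert. The counter names, sample values and the outage window are constructed for illustration.

```python
"""Service-level baseline and alert thresholds for domain controller counters.

Added example; not code from the Active Directory Operations Guide or MOM.
Counter names, sample values and the outage window are constructed.
"""
from statistics import mean
from typing import Dict, List, Tuple

# (minute offset, value) pairs, one sample every 15 minutes. Constructed data.
# Free space on the volume holding the Active Directory database, in MB.
NTDS_FREE_MB: List[Tuple[int, float]] = [
    (0, 2400), (15, 2395), (30, 2390), (45, 2388), (60, 2380),
    (75, 2378), (90, 2370), (105, 2365),
    (120, 0), (135, 0), (150, 0), (165, 0),        # volume unreachable during outage
    (180, 2360), (195, 2355), (210, 2350), (225, 2348),
]
# Processor utilisation of the same domain controller, in percent.
DC_CPU_PCT: List[Tuple[int, float]] = [
    (0, 12), (15, 14), (30, 35), (45, 62), (60, 70),     # morning logon peak
    (75, 55), (90, 40), (105, 30),
    (120, 100), (135, 100), (150, 100), (165, 100),      # spike caused by the outage
    (180, 28), (195, 22), (210, 18), (225, 15),
]
# Known outage windows [start, end) in minutes. The guide says to remove
# data caused by outages before establishing the baseline.
OUTAGES: List[Tuple[int, int]] = [(120, 180)]

# Which direction counts as degradation for each indicator.
DIRECTION = {"ntds_free_mb": "low", "dc_cpu_pct": "high"}


def exclude_outages(samples, outages):
    """Drop every sample taken inside an outage window."""
    return [(t, v) for t, v in samples
            if not any(start <= t < end for start, end in outages)]


def baseline(samples) -> Dict[str, float]:
    """Minimum, maximum and average of the cleaned samples."""
    values = [v for _, v in samples]
    if not values:
        raise ValueError("no samples left after removing outage data")
    return {"min": min(values), "max": max(values), "avg": mean(values)}


def threshold(base: Dict[str, float], direction: str, margin: float = 0.0) -> float:
    """Alert threshold derived from the baseline boundary.

    margin=0 puts the threshold exactly at the observed boundary, which is
    the guide's advice when uncertain (more alerts at first). A positive
    margin loosens the threshold once the alerts are understood.
    """
    if direction == "low":       # e.g. free disk space: alert when it drops below
        return base["min"] * (1.0 - margin)
    if direction == "high":      # e.g. CPU: alert when it rises above
        return base["max"] * (1.0 + margin)
    raise ValueError(f"unknown direction {direction!r}")


def crosses(value: float, limit: float, direction: str) -> bool:
    """True when a sample is on the degraded side of the threshold."""
    return value < limit if direction == "low" else value > limit


def evaluate(name: str, samples, outages, margin: float = 0.0):
    """Return (baseline, threshold, alerting samples) for one indicator.

    The baseline is computed from cleaned data only; the threshold is then
    applied to every sample, so outage periods show up as alerts.
    """
    direction = DIRECTION[name]
    base = baseline(exclude_outages(samples, outages))
    limit = threshold(base, direction, margin)
    alerts = [(t, v) for t, v in samples if crosses(v, limit, direction)]
    return base, limit, alerts


if __name__ == "__main__":
    for name, data in (("ntds_free_mb", NTDS_FREE_MB), ("dc_cpu_pct", DC_CPU_PCT)):
        base, limit, alerts = evaluate(name, data, OUTAGES, margin=0.05)
        print(f"{name}: baseline={base} threshold={limit:.1f} alerts={alerts}")
```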
... aspects of Active Directory are functioning properly. MOM monitors all of the important indicators. For more information about monitoring Active Directory see: http://www.microsoft.com/ad. For more information about MOM, see: http://www.microsoft.com/mom/. For more information about installing MOM, see http://www.microsoft.com/mom/docs/DeployGuide.doc.
Reports

Many important problems do not cause alerts, but they still require periodic attention. Your monitoring solution might generate reports that display data over time and present patterns that indicate problems. Review the reports to resolve issues before they generate alerts.
| Task | Reason |
| View and examine all new alerts on each domain controller, resolving them in a timely fashion. | This precaution helps you avoid service outages. |
| Resolve alerts indicating the following services are not running: FRS, Net Logon, KDC, W32Time, ISMSERV. MOM reports these as Active Directory Essential Services. | Active Directory depends on these services. They must be running on every domain controller. |
| Resolve alerts indicating SYSVOL is not shared. | Active Directory cannot apply Group Policy unless SYSVOL is shared. |
| Resolve alerts indicating that the domain controller is not advertising itself. | Domain controllers must register DNS records to be able to respond to LDAP and other service requests. |
| Resolve alerts indicating time synchronization problems. | The Kerberos authentication protocol requires that time be synchronized between all domain controllers and clients that use it. |
| Resolve all other alerts in order of severity. If alerts are given error, warning, and information status similar to the event log, resolve alerts marked error first. | The highest priority alerts indicate the most serious risk to your service level. |
Chapter Number 1
frequently. Review the report that lists all trust relationships in the forest and check for obsolete, unintended, or broken trusts.
Review all performance-related reports for capacity planning purposes to ensure that you have enough capacity for current and expected growth. These reports are called Health Monitoring reports in MOM.
Adjust performance counter thresholds or disable rules that are not applicable to your environment or that generate irrelevant alerts.
Monitoring indicators must be adjusted to suit your environment. The goal is to provide alerts that are concise, highly relevant, and lead an operator to resolve the problem.
Note
Best practice for performance states that the Active Directory's logs and database files should be on separate disks. If you have configured your domain controllers in this manner, you will have Active Directory components spread out on multiple drives, such as D:\Winnt\NTDS for your logs and E:\Winnt\NTDS for your database. You do not need to specify these log and database locations in order for them to be backed up; the backup utility will automatically locate and include them when you back up system state.

If you use Active Directory-integrated DNS, then the zone data is backed up as part of the Active Directory database. If you do not use Active Directory-integrated DNS, you must explicitly back up the zone files. However, if you back up the system disk along with the system state, your zone data is backed up as part of the system disk. If you installed Windows Clustering or Certificate Services on your domain controller, they are also backed up as part of system state. Details of these components are not discussed in this guide.
Active Directory protects itself from restoring data older than the tombstone lifetime by disallowing the restore. As a result, the useful life of a backup is equivalent to the tombstone lifetime setting for the enterprise.
A domain controller has failed and you cannot restart in Directory Services Restore mode. If the failure was caused by a hardware failure, you have resolved the hardware problem (for example, by replacing the disk). There are other domain controllers in the domain to serve as replication partners. The computer is functioning only as a domain controller (it does not run other server services such as Exchange), and it does not contain other data that needs to be recovered from a backup.
Note
Configuring multiple global catalog servers in a forest increases the availability of the system, but also increases replication traffic and database size. If you do restore the failed domain controller and maintain its role as a global catalog server, you might want to remove any additional global catalog servers that you configured during its absence.
The domain controller is running other server services such as Exchange, or contains other data you must restore from a backup. You have a good backup, made within the tombstone lifetime.
Restoring the RID Master can result in Active Directory data corruption, so it is not recommended. Restoring the Schema Master can result in orphaned objects, so it is not recommended.
Restoring from backup is the only way that a domain controller that was functioning as a global catalog at the time of backup can automatically be restored to the role of global catalog. Restoring a domain controller by reinstallation does not automatically reinstate the global catalog role. In a multi-domain environment, be aware that restoring a global catalog server from backup requires more time than restoring a domain controller that does not host the global catalog. As there are no real disadvantages in configuring multiple global catalogs, you might want to create a new global catalog in your environment if you anticipate an extended downtime for the failed global catalog server. Creating a new global catalog server is particularly relevant if users associated with the original global catalog server can no longer access a global catalog server, or if the requirement for the global catalog service is significant in your environment, such as when you are running Exchange 2000. For more information about creating a new global catalog server, see "Managing Global Catalog Servers" in this guide.
Different hardware abstraction layers (HALs). By default, the Hal.dll is not backed up as part of system state; however, the Kernel32.dll is. Therefore, if you try to restore a backup onto a computer that requires a different HAL (for example, to support a multiprocessor environment), compatibility issues exist between the new HAL and the original Kernel32.dll. To overcome this incompatibility, manually copy the Hal.dll from the original computer and install it on the new computer. The limitation is that the new computer can use only a single processor.
Incompatible Boot.ini file. If you back up and restore the Boot.ini file, you might have some incompatibility with your new hardware configuration, resulting in a failure to start. Before you restore it, ensure that the Boot.ini file is correct for your new hardware environment.
Different network or video cards. If your new hardware has a different video adapter or multiple network adapters, then uninstall them before you restore data. When you restart the computer, the normal Plug and Play functionality makes the necessary changes.
Disk space and partition configuration. Partitions on the new computer must match those on the original computer. Specifically, all the drive mappings must be the same and the partition size must be at least equal to that on the original computer.

Impact on group membership
The best way to do this is to add a fictitious user and then delete that same fictitious user to and from each group that was involved in the authoritative restore. A group is involved in the restore if it was either authoritatively restored itself or if it had members restored who did not have that group defined as their primary group. By doing this, you force the correct group membership information to be replicated out from the source domain controller (the domain controller on which you performed the original authoritative restore) and update the group membership information on its replication partners. These updated objects reflect the correct memberships and also correct the information represented in the Member Of tab of the restored user objects' properties. You must ensure that no additions are made to group membership (for the affected groups and users) on any of the other domain controllers within the environment. If you do not adhere to this process, the accurate version of the directory (held on the domain controller where the restore was performed) can become corrupted by the incorrect membership information. If the accurate version of the directory becomes corrupted, you must either update group membership manually or perform another authoritative restore of the objects by using the verinc option, and perform the process again.

Impact on trusts and computer accounts
In Windows 2000, trust relationships and computer account passwords are negotiated at a specified interval (by default 30 days for trust relationships and computer passwords). When you perform an authoritative restore, you might restore previously used passwords for the objects in the Active Directory that maintain trust relationships and computer accounts. In the case of trust relationships, this can impact communication with other domain controllers from other domains, causing permissions errors when users try to access resources in other domains. To rectify this, you must remove and recreate NTLM trust relationships to Windows 2000 or Windows NT 4.0 domains. In the case of a computer account password, this can impact communications between the member workstation or server and a domain controller of its domain. This effect might cause users on Windows NT or Windows 2000 computers to have authentication difficulty due to an invalid computer account.
Task: Back up Active Directory and associated components.
Procedures: Back up system state on a domain controller. Back up system state and system disk on a domain controller.
Tools: NTBackup.exe
Frequency: As needed

Task: Perform a non-authoritative restore.
Procedures: Restart the domain controller in Directory Services Restore Mode (locally or remotely). Restore from backup media. Verify Active Directory restore.
Tools: NTBackup.exe
Frequency: As needed

Task: Perform an authoritative restore of a subtree or leaf object.
Procedures: Restart in Directory Services Restore Mode. Restore from backup media for authoritative restore. Restore system state to an alternate location. Perform authoritative restore of the subtree or leaf object. Restart in normal mode. Restore applicable portion of SYSVOL from alternate location. Verify Active Directory restore.
Tools: NTBackup.exe, Ntdsutil.exe, Event Viewer, Repadmin.exe
Frequency: As needed

Task: Perform an authoritative restore of the entire directory.
Procedures: Restart in Directory Services Restore Mode. Restore from backup media for authoritative restore. Restore system state to an alternate location. Restore the database. Restart in normal mode. Copy SYSVOL from alternate location. Verify Active Directory restore.
Tools: NTBackup.exe, Ntdsutil.exe, Event Viewer, Repadmin.exe
Frequency: As needed
(Tools and frequency for the preceding row, continued from the previous page: Ntdsutil.exe, Active Directory Sites and Services, Active Directory Users and Computers, Dcpromo.exe. As needed.)

Task: Restore a domain controller through reinstallation and subsequent restore from backup.
Procedures: Install Windows 2000 Server on the same drive letter and partition as before the failure, partitioning the drive if necessary. Restore from backup media (non-authoritative restore). Verify Active Directory restore.
Tools: NTBackup.exe
Frequency: As needed
the domain controller from backup media, replication partners use the standard replication protocols to update both the Active Directory and FRS on the restored domain controller.
1. Restart the domain controller in Directory Services Restore Mode (locally or remotely).
2. Restore from backup media.
3. Restore system state to an alternate location.
4. Perform authoritative restore of the entire directory.
5. Restore SYSVOL from alternate location.
6. Verify Active Directory restore.
Bandwidth Considerations
The primary consideration when recovering a domain controller through replication is bandwidth. The bandwidth required is directly proportional to the size of the Active Directory database and the time in which the domain controller is required to be at a functioning state. Ideally, the existing functional domain controller is located in the same Active Directory site as the replicating domain controller (new domain controller) in order to reduce network impact and restore duration.
Restoring a Domain Controller Through Reinstallation and Subsequent Restore from Backup
If you cannot restart a domain controller in Directory Services Restore Mode, you can restore a domain controller through reinstallation and subsequently restore Active Directory from backup. This option is normally used on domain controllers that also run other services, such as Exchange, or have other data you want to recover.
Procedures for Restoring a Domain Controller Through Reinstallation and Subsequent Restore from Backup
To restore a domain controller through reinstallation and subsequently restore Active Directory from backup, you must ensure that you install Windows 2000 Server on the same drive letter and on a partition that is at least as large as the partition used before the failure. You must repartition the drive if necessary. After you reinstall Windows 2000, perform a non-authoritative restore of the system state and the system disk. Procedures are explained in detail in the linked topics.
1. Install Windows 2000 Server on the same drive letter and partition as before the failure. (This procedure is not covered in this guide.)
2. Restore from backup media.
3. Verify Active Directory restore.
Note
For better performance, store the log files and the Ntds.dit file on separate hard disks.

Creating or removing a domain or forest is beyond the scope of this guide. This guide does not cover deploying DNS into an environment that has not previously hosted a DNS infrastructure. For information about these options, see the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources and the Microsoft Windows 2000 Server Deployment Planning Guide.
You must use Active Directory-integrated DNS zones. You must configure at least one domain controller as a DNS server.
If your tests show that all of these areas are configured and functioning properly, the Active Directory installation is successful.
Procedures: Verify DNS registration and functionality. Verify that an IP address maps to a subnet and determine the site association. Verify communication with other domain controllers. Verify the existence of operations masters. Install Active Directory.
Procedures: Determine whether a server object has child objects. Verify the site assignment of a domain controller. Move a domain controller to a different site. Configure DNS server recursive name resolution. Perform final DNS configuration. Check the status of the shared system volume. Verify DNS registration and functionality. Verify domain membership for the new domain controller. Verify communication with other domain controllers. Verify replication is functioning. Verify the existence of the operations masters.
Tools: Active Directory Sites and Services, DNS snap-in, Dcdiag.exe and Netdiag.exe
Frequency: As needed.
Procedures: View the current operations master role holders. Transfer the forest-level operations master roles. Transfer the domain-level operations master roles. Determine whether a domain controller is a global catalog server. Verify DNS registration and functionality. Verify communication with other domain controllers. Verify the existence of the operations masters. Remove Active Directory. Determine whether a server object has child objects. Delete a server object from a site.
Tools: Active Directory Users and Computers, Active Directory Sites and Services, Dcdiag.exe and Netdiag.exe, Dcpromo.exe
Frequency: As needed.
Before you install DNS server on a domain controller that you want to host Active Directory-integrated zones, ensure that you already have other domain controllers functioning in the domain with at least one configured as a DNS server that uses Active Directory-integrated zones. For more information about DNS configuration and operations master role placement, see Best Practice Active Directory Design for Managing Windows Networks and Best Practice Active Directory Deployment for Managing Windows Networks. To download these guides, see the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
Site Placement
During installation, the Active Directory Installation Wizard attempts to place the new domain controller in the appropriate site. The appropriate site is determined by the domain controller's IP address and subnet mask. The wizard uses the IP information to calculate the subnet address of the domain controller and checks to see if a subnet object exists in the directory for that subnet address. If the subnet object exists, the wizard uses it to place the new server object in the appropriate site. If not, the wizard places the new server object in the same site as the domain controller that is being used as a source to replicate the directory database to the new domain controller. Make sure the subnet object has been created for the desired site prior to running the wizard.
Domain Connectivity
During the installation process, the Active Directory Installation Wizard needs to communicate with other domain controllers in order to join the new domain controller to the domain. The wizard needs to communicate with a member of the domain to receive the initial copy of the directory database for the new domain controller. It needs to communicate with the domain naming master so that the new domain controller can be added to the domain. The wizard also needs to contact the RID master so that the new domain controller can receive its RID pool, and it needs to communicate with another domain controller in order to populate the SYSVOL shared folder on the new domain controller. All of this communication depends on proper DNS installation and configuration. By using Netdiag.exe and Dcdiag.exe, you can test all of these connections prior to starting the Active Directory Installation Wizard.
Note
If any of the verification tests fail, do not continue until you determine and fix the problems. If these tests fail, the installation is also likely to fail.
The wizard then asks for the location where you want to store the shared System Volume (SYSVOL). Ensure that the location has adequate disk space. For more information about ensuring adequate disk space for SYSVOL, see "Managing Sysvol" later in this guide. The wizard then asks for the password that is assigned to the Directory Services Restore Mode administrator account. This account is not the domain administrator account or the local administrator account on the server, but a special account that can only be used when the domain controller starts in Directory Services Restore Mode. Before installation begins, the wizard displays a dialog box that summarizes the information that you supplied. Verify that the information is correct before the installation process begins.
Active Directory Sites and Services snap-in to move the server object for the domain controller to the proper site after Active Directory installation is complete. The last dialog box displayed by the Active Directory Installation Wizard lists the site where the new domain controller is installed. If this is not the proper site, you must move the server object. For more information about sites or to create a new site object, see "Managing Site Topology" later in this guide.
Domain Connectivity
After the Active Directory Installation Wizard finishes, the domain controller restarts and performs a few tasks before it is ready to assume its role as a domain controller. It registers itself with its DNS server so that other members of the domain know that it is a domain controller and can locate it. When a new domain controller first joins the network, it receives SYSVOL information from its replication partners. Until it finishes the initial replication of the SYSVOL, it does not create the NETLOGON and SYSVOL shared folders and does not start the Net Logon service, both of which are necessary for it to assume the role of a domain controller. An event number 13516 in the File Replication Service event log indicates that replication is complete and is working properly. At this point, the domain controller starts the Net Logon service and the domain controller becomes available to the domain.

Note
This process can take 15 minutes or longer to complete, depending on the connection speed between the domain controller and its replication partners.

Domain controllers make changes to the directory and replicate these changes among themselves through a series of connections that are established when the domain controller joins the network. The connections can be generated automatically or an administrator might manually create the connection objects. If these connections are not functioning properly, the domain controller cannot replicate changes to the other domain controllers and cannot receive changes from other domain controllers. To function properly, domain controllers must periodically communicate with various operations masters. The domain controllers send password changes to the PDC emulator. They receive a RID pool from the RID master. As their pools are depleted, the domain controllers periodically replenish their allocations by sending requests to the RID master. All of these features depend upon communication between the new domain controller and other domain controllers in the domain and forest. When a new domain controller joins the network, perform tests that verify the communication channels used by these features.
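As an added example (not code from the guide), the following PowerShell script checks the conditions that this section and the earlier alert list call for on a domain controller: the essential services, the SYSVOL and NETLOGON shares, FRS event 13516, the DC locator SRV record, and time synchronization. It assumes PowerShell 5.1 or later on a domain controller whose SYSVOL is still replicated by FRS; the Windows service and log names used are standard ones, not taken from the guide.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Active Directory Operations Guide. Assumes PowerShell 5.1+
# on a domain controller with an FRS-replicated SYSVOL (NtFrs service and the
# "File Replication Service" log exist); on a DFSR-based SYSVOL the FRS checks are
# reported as not applicable rather than failed.

function Test-DomainControllerReadiness {
    [CmdletBinding()]
    param(
        # Domain whose DC locator records are checked; defaults to this computer's domain.
        [string]$DomainName = $env:USERDNSDOMAIN
    )

    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result($Check, $Pass, $Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # 1. The services MOM calls Active Directory Essential Services (Windows service names).
    $essential = @{
        'NtFrs'    = 'File Replication Service (FRS)'
        'Netlogon' = 'Net Logon'
        'Kdc'      = 'Kerberos Key Distribution Center'
        'W32Time'  = 'Windows Time'
        'IsmServ'  = 'Intersite Messaging'
    }
    foreach ($name in $essential.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            Add-Result "Service $name" $false "$($essential[$name]) is not installed"
        } else {
            Add-Result "Service $name" ($svc.Status -eq 'Running') "$($essential[$name]) is $($svc.Status)"
        }
    }

    # 2. SYSVOL and NETLOGON must be shared; Group Policy cannot apply otherwise.
    $shares = Get-CimInstance -ClassName Win32_Share | Select-Object -ExpandProperty Name
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        Add-Result "Share $share" ($shares -contains $share) "Shared: $($shares -contains $share)"
    }

    # 3. FRS event 13516 marks the initial SYSVOL replication as complete.
    $frsLog = Get-WinEvent -ListLog 'File Replication Service' -ErrorAction SilentlyContinue
    if ($null -eq $frsLog) {
        Add-Result 'FRS event 13516' $null 'File Replication Service log not present (DFSR SYSVOL?)'
    } else {
        $evt = Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13516 } `
                            -MaxEvents 1 -ErrorAction SilentlyContinue
        $detail = if ($evt) { "Logged at $($evt.TimeCreated)" } else { 'Not logged' }
        Add-Result 'FRS event 13516' ($null -ne $evt) $detail
    }

    # 4. A DC that is "advertising itself" has its locator SRV record in DNS pointing at this host.
    $srvName = "_ldap._tcp.dc._msdcs.$DomainName"
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue
    $fqdn = "$env:COMPUTERNAME.$DomainName"
    $advertised = @($srv | Where-Object { $_.NameTarget -ieq $fqdn }).Count -gt 0
    Add-Result 'DNS SRV advertisement' $advertised "$srvName lists ${fqdn}: $advertised"

    # 5. Time synchronization: Kerberos tolerates only a small clock skew between DCs and clients.
    $status = (& w32tm.exe /query /status 2>&1) -join "`n"
    $synced = ($status -match 'Source:') -and ($status -notmatch 'Local CMOS Clock') -and
              ($status -notmatch 'Free-running System Clock')
    $source = ($status -split "`n" | Where-Object { $_ -match 'Source:' }) -join '; '
    Add-Result 'Time synchronization' $synced $source

    return $results
}

# Usage: run on the domain controller and look at the rows whose Pass column is False.
Test-DomainControllerReadiness | Format-Table -AutoSize
```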
a. Create a delegation for the new domain controller in the parent domain of the DNS infrastructure if a parent domain exists and a Microsoft DNS server hosts it. If a Microsoft DNS server does not host the parent domain, follow the procedures outlined in the vendor documentation to add the delegation for the new domain controller.
b. Configure the DNS client settings.
– or –
Perform final DNS configuration for a new domain controller that is located in a child domain:
c. Create a delegation for the new domain controller in the forest root domain.
d. Create a secondary zone.
e. Configure the DNS client settings.
6. Check the status of the shared system volume.
7. Verify DNS registration and functionality.
8. Verify domain membership for the new domain controller.
9. Verify communication with other domain controllers.
10. Verify replication is functioning.
11. Verify the existence of the operations masters.
Because of this behavior, transfer any operations master roles prior to running the Active Directory Installation Wizard to decommission a domain controller so you can control operations master role placement. If you need to transfer any roles from a domain controller, understand all the recommendations for role placement before performing the transfer. For more information about transferring operations master roles and role placement, see "Managing Operations Master Roles" later in this guide.
Domain Connectivity
During the removal of Active Directory, the Active Directory Installation Wizard must communicate with various domain controllers. Any unreplicated changes to the directory must be replicated to another domain controller. The wizard attempts to connect to another domain controller to replicate these changes. The wizard must contact another domain controller so that Active Directory can remove the domain controller from the directory database. If the domain controller hosts any operations master roles that you chose not to transfer, the wizard must contact another domain controller in order to transfer the operations master roles. If the domain controller cannot contact the other domain controllers during Active Directory removal, the decommissioning operation fails. As with the installation process, test the communication infrastructure prior to running the installation wizard. When you remove Active Directory, use the same connectivity tests that you use during Active Directory installation.
Note
If any of the verification tests fail, do not continue until you determine and fix the problems. If these tests fail, the installation is also likely to fail.
directory does not maintain connections to it. During the decommissioning process, the Active Directory Installation Wizard removes the server object from the Domain Controllers container in Active Directory Users and Computers and removes the connection objects associated with the domain controller from the NTDS Settings object in Active Directory Sites and Services. The Active Directory Installation Wizard does not delete the server object from the site object during the removal of Active Directory because other services, such as Microsoft Operations Manager 2000 (MOM), use this container to store their own site-specific information. After you remove Active Directory, you can use the Active Directory Sites and Services snap-in to safely remove the server object that represents the decommissioned domain controller in Active Directory Sites and Services if the server object container is empty.
Renaming the computer
Reinstalling Active Directory
Restoring the domain controller to its original configuration
When you rename a domain controller, you must reinstall any services that cannot identify the computer name dynamically or that can only operate on a domain controller. You do not need to reinstall any of the services that ship with Windows 2000 Server, such as File and Print sharing or DNS. It is recommended that you do not rename a domain controller unless it is absolutely necessary. For example, it would be necessary to rename a domain controller if:
You moved the domain controller to another site and the name of the domain controller needs to map to the naming convention of the new site.
The name of the domain controller was chosen in error, such as when the naming convention requires the site name and a derivative of the domain, but the name includes the incorrect site or domain.
Because renaming a domain controller requires that Active Directory be removed and then reinstalled on the computer, the impact on the network of renaming a domain controller is identical to the impact of installing Active Directory to create a new domain controller or global catalog server.
Procedures: Remove Active Directory. Rename the member server. Run the Active Directory Installation Wizard.
Frequency: As needed.
Procedures: Configure the domain controller as a global catalog server, if appropriate. Transfer the domain operations master roles, if appropriate. Transfer the forest operations master roles, if appropriate. Create a delegation for the new domain controller, if appropriate. Create a secondary DNS zone, if appropriate. Change the delay for initial notification of an intrasite replication partner, if appropriate. Configure the domain controller as a preferred bridgehead server, if appropriate.
Tools: Active Directory Sites and Services, Active Directory Users and Computers, Active Directory Domains and Trusts, Regedit.exe
Frequency: As needed.
Operations master role holder. If the domain controller holds operations master roles, it is recommended that you transfer the roles to the standby master for the roles prior to removing Active Directory. If you do not transfer the roles, they are transferred automatically, but you have no control over the placement of the roles. By manually transferring the roles prior to removing Active Directory, you control the role placement. For information about transferring operations master roles, see "Managing Operations Masters" in this guide.
DNS server. Removing Active Directory does not remove the DNS Server service if it is installed. However, when you reinstall Active Directory, you need to reconfigure the domain controller to assume authority for the appropriate DNS zones and to contain all appropriate delegations. For information about configuring DNS server after installing Active Directory, see "Managing the Installation and Removal of Active Directory" in this guide.
Initial change notification delay. This server-specific configuration determines how long the domain controller waits before it signals its first replication partner that it has changes. If you change the default initial change notification delay setting on the domain controller, you need to reconfigure the setting when you reinstall Active Directory.
Preferred bridgehead server. This configuration is not recommended for domain controllers running Windows 2000 Server. However, if the domain controller is configured to be a preferred bridgehead server, you must reconfigure the domain controller as a preferred bridgehead server after you reinstall Active Directory. For more information about using preferred bridgehead servers, see "Managing Site Topology" in this guide.
3. Determine whether the domain controller is a DNS server. Make a note of the DNS configuration so that you can reproduce it when you reinstall Active Directory.
Caution
The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back up system state first. For information about backing up system state, see Active Directory Backup and Restore in this guide.
4. Determine the initial change notification delay. If this setting has been changed from the default on this domain controller, you need to reconfigure the setting after you rename the server and add Active Directory.
5. Determine whether the domain controller is a preferred bridgehead server.
Caution
The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back up system state first. For information about backing up system state, see Active Directory Backup and Restore in this guide.
Windows 2000 Server, Technical Resources, Planning & Deployment, Deploying the Windows 2000 Server Family. If your deployment uses a different DNS design, you might not use the delegations and secondary zones described below. If the domain controller is located in a child domain anywhere in the forest, then you must:
Create a delegation for the domain controller in the forest root domain.
Create a secondary zone.
If the domain controller is located in the forest root domain and the forest root domain has a parent domain, then you must:
Create a delegation for the new domain controller in the parent domain.
For information about how to configure DNS servers after installing Active Directory, see "Completing Active Directory Installation" in this guide.
For example, in a forest that has a large hub site, five domains, and thirty small branch sites (some of which are connected by only dial-up connections), global catalog replication to the small sites takes considerably longer than replication of one or two domains to a few well-connected sites.
Premature advertisement of the global catalog is an issue only for global catalog servers that are running Windows 2000 Server SP2, and only when you add the first global catalog server in a site that does not include all domains. If all domains are represented in the site, or if a global catalog server already exists in the site, then the new global catalog server always has all domains prior to advertising as a global catalog server.
Task: Add the global catalog to a domain controller and verify global catalog readiness.
Procedures: Windows 2000 Server SP2: Stop the Net Logon service (first global catalog server in the site only). Configure the domain controller as a global catalog server. Monitor global catalog replication progress (first global catalog server in the site only). Verify successful replication to a domain controller. Verify global catalog readiness. Restart the Net Logon service, if needed. Restart the global catalog server and verify global catalog DNS registrations. Windows 2000 Server SP3: Configure the domain controller as a global catalog server. Verify global catalog readiness. Restart the global catalog server and verify global catalog DNS registrations.
Tools: Net stop, Active Directory Sites and Services, Dcdiag.exe, Repadmin.exe, Ldp.exe, DNS, ADSI Edit
Frequency: As needed.

Procedures: Clear the global catalog setting. Monitor global catalog removal.
Frequency: As needed.
One Dual PIII 500, 1 GB.
Two Quad PIII XEON, 2 GB.
One Quad PIII XEON, 2 GB for every 5,000 users.
When configuring a global catalog server, be sure the machine has adequate hard disk space. Use the information in Table 1.13 to determine how much storage to provide for the Active Directory database.
Table 1.13 Global Catalog Storage Requirements for the Active Directory Database
Server: Domain controller
Active Directory database storage requirements: 0.4 GB of storage for each 1,000 users.
Server: Global catalog server
Active Directory database storage requirements: = DC storage requirement + …
For example, in a forest with two 10,000-user domains, all domain controllers need 4 GB of storage. All global catalog servers require 6 GB of storage. These requirements represent conservative estimates. For a more accurate determination of storage requirements, download and run the Active Directory Sizer Tool (ADSizer.exe). You can download the ADSizer.exe tool from the Active Directory Sizer Tool link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources/.
Occupancy level 6: All directory partitions in the forest are replicated to the server.

Default occupancy levels for domain controllers that are running Windows 2000 Server depend on the Windows 2000 Server service pack release that is installed, as follows: Windows 2000 Server SP2 or earlier: default and maximum occupancy level = 4. Windows 2000 Server SP3: default and maximum occupancy level = 6.

Exchange 2000 servers use the global catalog exclusively when looking up addresses. Therefore, in addition to causing Active Directory client search problems, the condition of a global catalog server being advertised before it receives all partial replicas can cause Address Book lookup and mail delivery problems for Exchange clients. The Name Service Provider Interface (NSPI) must be running on a global catalog server to enable MAPI access to Active Directory. To enable NSPI, you must restart the global catalog server after replication of the partial directory partitions is complete.

At this point, the global catalog server is available to respond to requests on ports 3268 and 3269. However, in response to various tests, the local system can indicate that it is a global catalog server as soon as replication requirements are met, but before DNS has been updated. For a global catalog server that is running Windows 2000 Server SP2, you must also consider the replication requirements for the occupancy level. For the first global catalog server in a site, the occupancy level is significant if all domains are not represented in the site.
Restart the domain controller to enable NSPI. Restarting will also start the Net Logon service automatically. Verify DNS updates.

Procedures for Adding the Global Catalog to a Domain Controller and Verifying Global Catalog Readiness

Use the following procedures to add a global catalog server to a domain controller. The procedures are explained in detail in the linked topics. Some procedures are performed only when you are configuring the first global catalog server in the site or only when Windows 2000 Server SP2 is running on the domain controller that you are configuring.
1. Stop the Net Logon service on the domain controller (SP2 only, first global catalog server in the site only).
2. Configure the domain controller as a global catalog server. Setting the Global Catalog check box initiates the process of replicating all domains to the server.
3. Monitor global catalog replication progress (first global catalog server in the site only).
4. Verify successful replication to a domain controller on the global catalog server. Check for inbound replication of all partial domain directory partitions in the forest, to ensure that all domain directory partitions have replicated to the global catalog server.
5. Verify global catalog readiness. This procedure indicates that the replication requirements have been met.
6. Restart the Net Logon service, if needed. If you are adding the first global catalog server in a site to a domain controller that is running Windows 2000 Server SP2 and you stopped the Net Logon service prior to adding the global catalog, then restart the service now.
7. Restart the global catalog server and verify global catalog DNS registrations by checking DNS for global catalog SRV resource records.
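The readiness checks in steps 5 and 7 above can be collected in one place. The following PowerShell function is an added example and is not part of the guide or of any Microsoft tool; it assumes a domain controller named DC01.corp.example.com in a forest whose DNS name is corp.example.com (both placeholders), and it requires the Resolve-DnsName and Test-NetConnection cmdlets (Windows 8 / Windows Server 2012 or later on the machine running the check). It separates what the directory service reports about itself (the rootDSE attribute isGlobalCatalogReady and the Global Catalog flag in the NTDS Settings options attribute) from what clients will actually see (the global catalog SRV record in DNS and an open port 3268), because, as the text above notes, the first can be true before DNS has been updated.

```powershell
# Added example (not part of the guide): verify global catalog readiness of a
# domain controller from the directory's own view and from the client's view.
# Server and forest names are assumed placeholders; replace them with your own.
function Test-GlobalCatalogReadiness {
    param(
        [string]$Server        = 'DC01.corp.example.com',  # assumed name
        [string]$ForestDnsName = 'corp.example.com'        # assumed forest root DNS name
    )

    # 1. What the directory service itself reports (LDAP rootDSE attribute).
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    $selfReportsReady = [bool]::Parse([string]$rootDse.Properties['isGlobalCatalogReady'][0])

    # 2. Whether the Global Catalog check box is set: bit 0x1 of the 'options'
    #    attribute on this server's NTDS Settings object.
    $dsaDn  = [string]$rootDse.Properties['dsServiceName'][0]
    $dsa    = [ADSI]"LDAP://$Server/$dsaDn"
    $gcFlag = (([int]$dsa.Properties['options'][0]) -band 1) -eq 1

    # 3. Whether Net Logon has registered this server's global catalog SRV record
    #    in DNS. This is the part that can lag behind the rootDSE answer.
    $srv = Resolve-DnsName -Name "_gc._tcp.$ForestDnsName" -Type SRV -ErrorAction SilentlyContinue
    $dnsRegistered = @($srv | Where-Object {
        $_.Type -eq 'SRV' -and $_.NameTarget.TrimEnd('.') -ieq $Server
    }).Count -gt 0

    # 4. Whether the global catalog LDAP port answers.
    $portOpen = (Test-NetConnection -ComputerName $Server -Port 3268 `
                     -WarningAction SilentlyContinue).TcpTestSucceeded

    [pscustomobject]@{
        Server               = $Server
        GcFlagSet            = $gcFlag
        IsGlobalCatalogReady = $selfReportsReady
        GcSrvRecordInDns     = $dnsRegistered
        Port3268Open         = $portOpen
        # Treat the server as usable by clients only when every check passes.
        UsableAsGc           = $gcFlag -and $selfReportsReady -and $dnsRegistered -and $portOpen
    }
}

Test-GlobalCatalogReadiness | Format-List
```

A result with IsGlobalCatalogReady set to True but GcSrvRecordInDns set to False is the "advertised locally but not yet in DNS" state described above; repeat the check after the restart in step 7 rather than pointing clients at the server.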
The procedure to remove the global catalog is simply to clear the Global Catalog check box on the NTDS Settings object properties page. As soon as you perform this step, the domain controller stops advertising itself as a global catalog server (Net Logon de-registers the global catalog-related records in DNS) and immediately stops accepting LDAP requests over ports 3268 and 3269. When you remove the global catalog from a domain controller, the KCC begins removing the read-only replicas one at a time by means of an asynchronous process that removes objects gradually over time. Each time the KCC runs (every 15 minutes by default), it attempts the removal of the read-only replica until there are no remaining objects. At an estimated rate of 2000 objects per hour, complete removal of the global catalog from the domain controller can take from several hours to days, depending on the size of the directory.

In addition to the three domain-level operation master roles, two operations master roles exist in each forest: The schema master, which governs all changes to the schema.
The domain naming master, which adds and removes domains to and from the forest. To perform these functions, the domain controllers hosting these operations master roles must be located in areas where network reliability is high and they need to be consistently available.

Table header fragments (partially recovered): Role transfer; Role seizure; Insufficient operations master service level; Decommissioning of the role holder; Incompatible configuration changes; Domain controller failure.

Important
If you must seize an operations master role, never reattach the previous role holder to the network without following the procedures in this guide. Incorrectly reattaching the previous role holder to the network can result in invalid data and corruption of data in the directory.

that it no longer attempts to perform as the operations master while the new domain controller assumes those duties. This prevents the possibility of duplicate operations masters existing on the network at the same time, which can lead to corruption in the directory. Seize a role only as a last resort to assign a role to a different domain controller. Use this process only when the previous operations master fails and remains out of service for an extended amount of time. During a role seizure, the domain controller does not verify that replication is updated, so recent changes can be lost. Because the previous role holder is unavailable during the role seizure, it cannot know that a new role holder exists. If the previous role holder comes back online it might still assume that it is the operations master. This can result in duplicate operations master roles on the network, which can lead to corruption of data in the directory and ultimately to the failure of the domain or forest. To transfer a role to a new domain controller, ensure that the destination domain controller is a direct replication partner of the previous role holder and that replication between them is up to date and functioning properly. This minimizes the time required to complete the role transfer. If replication is sufficiently out of date, the transfer can take a while, but it eventually finishes.
Table header fragments (partially recovered): Forest-level role placement; on a global catalog server; in the forest root domain.

controllers in another domain, the second domain never becomes aware of the change. The infrastructure master constantly monitors group memberships, looking for security principals from other domains. If it finds one, it checks with the security principal's domain to verify that the information is updated. If the information is out of date, the infrastructure master performs the update and then replicates the change to the other domain controllers in its domain. Two exceptions apply to this rule. First, if all the domain controllers are global catalog servers, the domain controller that hosts the infrastructure master role is insignificant because global catalogs do replicate the updated information regardless of the domain to which they belong. Second, if the forest has only one domain, the domain controller that hosts the infrastructure master role is not needed because security principals from other domains do not exist.

The first domain controller created in the forest is assigned the schema master and domain naming master roles. To ease administration and backup and restore procedures, leave these roles on the original forest root domain controller. Moving the roles to other domain controllers does not improve performance. Separating the roles creates additional administrative overhead when you must identify the standby operations masters and when you implement a backup and restore policy. Unlike the PDC emulator role, forest-level roles rarely place a significant burden on the domain controller. Keep these roles together to provide easy, predictable management. In addition to hosting the schema master and domain naming master roles, the first domain controller created in a forest also hosts the global catalog. In Windows 2000 Server, you must leave the domain naming master on a global catalog server. When the domain naming master creates an object representing a new domain, it uses the global catalog to ensure that no other object has the same name. The domain naming master achieves this consistency by running on a global catalog server, which contains a partial replica of every object in the forest.
Table header fragments (partially recovered): Domain-level role placement; Workload adjustment on the operations master role holder; absence of a higher-performance domain controller; the same domain controller; a global catalog server.

The three domain-level roles are assigned to the first domain controller created in a new domain. Except for the forest root domain, leave the roles at that location. Keep the roles together unless the workload on your operations master justifies the additional management burden of separating the roles. For the forest root domain, the first domain controller also hosts the two forest-level roles as well as the global catalog. This additional workload requires you to take two precautionary steps to avoid potential problems. First, the domain-level roles must not remain on a global catalog server. In addition, because hosting all five roles on a single domain controller can overload the server and hurt performance, transfer the three domain-level roles to another domain controller. Because all pre-Active Directory clients submit updates to the PDC emulator, the domain controller holding that role uses a higher number of RIDs. Place the PDC emulator and RID master roles on the same domain controller so these two roles interact more efficiently. If you must separate the roles, you can still use a single standby operations master for all three roles. However, you must ensure that the standby is a replication partner of all three of the role holders. Backup and restore procedures also become more complex if you separate the roles. Special care must be taken to restore a domain controller that hosted an operations master role. By hosting the roles on a single computer, you minimize the steps that are required to restore a role holder. Do not host the infrastructure master on a domain controller that is acting as a global catalog server. Because it is best to keep the three domain-level roles together, avoid putting any of them on a global catalog server. Host the PDC emulator role on a powerful and reliable domain controller to ensure that it is available and capable of handling the workload. Of all the operations master roles, the PDC emulator creates the most overhead on the server that is hosting the role. It has the most intensive daily interaction with other systems on the network. The PDC emulator has the greatest potential to affect daily operations of the directory. Domain controllers can become overloaded while attempting to service client requests on the network, manage their own resources, and handle any specialized tasks such as performing the various operations master roles. This is especially true of the domain controller holding the PDC emulator role. Pre-Active Directory clients and domain controllers running Windows NT 4.0 rely more heavily on the PDC emulator than Active Directory clients and Windows 2000 Server domain controllers. If your networking environment has pre-Active Directory clients and domain controllers, you might need to reduce the workload of the PDC emulator. If a domain controller begins to indicate that it is overloaded and the performance is affected, you can reconfigure the environment so that some tasks are performed by other, less-used domain controllers. By adjusting the domain controller's weight in the DNS environment, you can configure the domain controller to receive fewer client requests than other domain controllers on your network. Optionally, you can adjust the domain controller's priority in the DNS environment so it processes client requests only if other DNS servers are unavailable. With fewer DNS client requests to process, the domain controller can use more resources to perform operations master services for the domain.
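The placement rules above (keep the domain-level roles off global catalog servers, keep the PDC emulator and RID master together, and in Windows 2000 Server keep the domain naming master on a global catalog server) can be checked against the live forest. The following PowerShell is an added example, not the guide's or Microsoft's code; it assumes a reachable domain controller named DC01.corp.example.com (placeholder). It reads each role holder from the fSMORoleOwner attribute of the object that records that role (the schema container, the Partitions container, the domain root, the RID Manager$ object and the Infrastructure object), resolves the holder's NTDS Settings object, and tests bit 0x1 of its options attribute to learn whether the holder is a global catalog server.

```powershell
# Added example (not part of the guide): list the five operations master role
# holders and report placements that contradict the guidance above.
# The server name is an assumed placeholder.
function Get-OperationsMasterPlacement {
    param([string]$Server = 'DC01.corp.example.com')  # assumed name

    $rootDse  = [ADSI]"LDAP://$Server/RootDSE"
    $configNc = [string]$rootDse.Properties['configurationNamingContext'][0]
    $schemaNc = [string]$rootDse.Properties['schemaNamingContext'][0]
    $domainNc = [string]$rootDse.Properties['defaultNamingContext'][0]

    # Each role is recorded in the fSMORoleOwner attribute of one well-known object.
    $roleObjects = [ordered]@{
        'Schema master'         = $schemaNc
        'Domain naming master'  = "CN=Partitions,$configNc"
        'PDC emulator'          = $domainNc
        'RID master'            = 'CN=RID Manager$,CN=System,' + $domainNc
        'Infrastructure master' = "CN=Infrastructure,$domainNc"
    }

    foreach ($role in $roleObjects.Keys) {
        $owner  = [ADSI]"LDAP://$Server/$($roleObjects[$role])"
        $dsaDn  = [string]$owner.Properties['fSMORoleOwner'][0]   # DN of the holder's NTDS Settings object
        $dsa    = [ADSI]"LDAP://$Server/$dsaDn"
        $srvObj = [ADSI]("LDAP://$Server/" + ($dsaDn -replace '^CN=NTDS Settings,', ''))
        [pscustomobject]@{
            Role            = $role
            Holder          = [string]$srvObj.Properties['dNSHostName'][0]
            IsGlobalCatalog = (([int]$dsa.Properties['options'][0]) -band 1) -eq 1   # options bit 0x1 = GC
        }
    }
}

function Test-OperationsMasterPlacement {
    param([Parameter(Mandatory)][object[]]$Placement)
    $byRole = @{}
    foreach ($p in $Placement) { $byRole[$p.Role] = $p }
    $findings = @()

    # Domain-level roles should not sit on a global catalog server. The infrastructure
    # master case does not matter when every DC in the domain is a GC (exception in the text).
    foreach ($r in 'Infrastructure master', 'PDC emulator', 'RID master') {
        if ($byRole[$r].IsGlobalCatalog) {
            $findings += "$r is hosted on a global catalog server ($($byRole[$r].Holder))"
        }
    }
    # Windows 2000 Server: the domain naming master must run on a global catalog server.
    if (-not $byRole['Domain naming master'].IsGlobalCatalog) {
        $findings += "Domain naming master ($($byRole['Domain naming master'].Holder)) is not a global catalog server"
    }
    # PDC emulator and RID master interact most efficiently on the same domain controller.
    if ($byRole['PDC emulator'].Holder -ne $byRole['RID master'].Holder) {
        $findings += 'PDC emulator and RID master are on different domain controllers'
    }
    $findings
}

$placement = Get-OperationsMasterPlacement
$placement | Format-Table -AutoSize
Test-OperationsMasterPlacement -Placement $placement
```

Run it against a domain controller in each domain: the three domain-level roles are per domain, so the findings differ from domain to domain while the two forest-level roles repeat.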
The standby operations master is a domain controller that you identify as the computer that assumes the operations master role if the original computer fails. You do not need to perform any special configuration steps or run any type of setup utilities to make a domain controller a standby operations master. This precautionary planning step helps make your operation more resilient if a problem arises that requires you to reassign a master operations role to a new domain controller. Ensure that the standby operations master is a direct replication partner of the actual operations master. If the standby operations master domain controller is a direct replication partner of the original operations master, it most likely contains the most recent changes to the domain. This reduces the time required to transfer the role to the standby operations master and, in the case of a failure, reduces the chances of losing information. Even if replication is not totally complete, only a few outstanding updates exist. Those outstanding updates can be replicated by a normal replication cycle rather than requiring a full synchronization, which replicates all of the account information in the partition. To guarantee that the two domain controllers are replication partners, you must manually create a connection object between them. Although creating manual connection objects is not generally recommended, in this one case it is necessary because it is so important that these two domain controllers be replication partners. If you must reassign the domain-level operations master roles to the standby operations master, do not place the infrastructure master role on a global catalog server.
To reduce risk, perform a role seizure only if the missing operations master role unacceptably affects performance of the directory. Calculate the effect by comparing the impact of the missing service provided by the operations master to the amount of work that is needed to bring the previous role holder safely back online after you perform the role seizure. Active Directory continues to function when the operations master roles are not available. If the role holder is only offline for a short period, you might not need to seize the role to a new domain controller. Remember that returning an operations master to service after the role is seized can have dire consequences if it is not done properly.

Table 1.14 Operations Master Role Functionality Risk Assessment

Operations master role: Schema master
Consequences if role is unavailable: You cannot make changes to the schema.
Risk of improper restoration: Conflicting changes can be introduced to the schema if both schema masters attempt to modify the schema at the same time. This can result in a fragmented schema.
Recommendation for returning to service after seizure: Not recommended. Can lead to a corrupted forest and require rebuilding the entire forest.

Operations master role: Domain naming master
Consequences if role is unavailable: You cannot add or remove domains or clean up metadata.
Risk of improper restoration: Domains might appear as though they are still in the forest even though they are not.
Recommendation for returning to service after seizure: Not recommended. Can require rebuilding domains.

Operations master role: PDC emulator
Consequences if role is unavailable: You cannot change passwords on pre-Active Directory clients. No replication to Windows NT 4.0 backup domain controllers.
Risk of improper restoration: Password validation can randomly pass or fail. Password changes take much longer to replicate throughout the domain.
Recommendation for returning to service after seizure: Allowed. User authentication can be erratic for a time, but no permanent damage occurs.

Operations master role: Infrastructure master
Consequences if role is unavailable: Delays displaying updated group membership lists in the user interface when you move users from one group to another.
Risk of improper restoration: Displays incorrect user names in group membership lists in the user interface after you move users from one group to another.
Recommendation for returning to service after seizure: Allowed. May impact the performance of the domain controller hosting the role, but no damage occurs to the directory.

Operations master role: RID master
Consequences if role is unavailable: Eventually, domain controllers cannot create new directory objects as each of their individual RID pools is depleted.
Risk of improper restoration: Duplicate RID pools can be allocated to domain controllers, resulting in data corruption in the directory. This can lead to security risks and unauthorized access.
Recommendation for returning to service after seizure: Not recommended. Can lead to data corruption that can require rebuilding the domain.
Operations master procedures (table fragment): Verify that a complete end-to-end replication cycle has occurred. Verify successful replication to a domain controller. Seize the operations master role. View the current operations master role holders. Determine whether a domain controller is a global catalog server. Create a connection object.
Tools: Repadmin.exe, Active Directory Sites and Services, Active Directory Domains and Trusts, Active Directory Users and Computers, Ntdsutil.exe, Regedit.exe.
Frequency: As needed.
". Determine whether a domain controller is a glo)al catalog ser er , 2. (rans*er the *orest+le el o$erations master roles, ). (rans*er the domain+le el o$erations master roles, 5. 3iew the current o$erations master role holders,
0*
Chapter Number 1
Procedures for Reducing the Number of Client Requests Processed by the PDC Emulator

Procedures are explained in detail in the linked topics.
1. Change the weight for DNS SRV records in the registry.
2. Change the priority for DNS SRV records in the registry.
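Both steps above change Net Logon parameters. The following PowerShell is an added example, not the guide's or Microsoft's own procedure; it uses the Net Logon registry values LdapSrvWeight and LdapSrvPriority (standard Net Logon parameters, although the guide names only "the registry" here) and assumes a domain DNS name of corp.example.com (placeholder). It must run on the PDC emulator itself as an administrator; the verification function can run anywhere that can resolve the domain's SRV records and needs the Resolve-DnsName cmdlet.

```powershell
# Added example (not part of the guide): lower the share of client locator
# traffic that this domain controller receives by changing the weight and
# priority Net Logon publishes in its DNS SRV records, then show what clients see.
function Set-DcSrvRecordPreference {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Weight: relative share among DCs of equal priority (Net Logon default 100).
        [ValidateRange(0, 65535)][int]$Weight = 50,
        # Priority: lower values are preferred; a higher value means clients use this
        # DC only when all DCs with lower values are unavailable (default 0).
        [ValidateRange(0, 65535)][int]$Priority = 0
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    if ($PSCmdlet.ShouldProcess($key, "Set LdapSrvWeight=$Weight, LdapSrvPriority=$Priority")) {
        Set-ItemProperty -Path $key -Name 'LdapSrvWeight'   -Value $Weight   -Type DWord
        Set-ItemProperty -Path $key -Name 'LdapSrvPriority' -Value $Priority -Type DWord
        # Net Logon re-registers its SRV records with the new values when it restarts.
        Restart-Service -Name Netlogon
    }
}

function Get-DcSrvRecordPreference {
    param([string]$DomainDnsName = 'corp.example.com')  # assumed name
    # Priority and weight as published for every DC of the domain.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainDnsName" -Type SRV |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Priority, Weight, Port
}

Set-DcSrvRecordPreference -Weight 50 -WhatIf   # preview; remove -WhatIf to apply
Get-DcSrvRecordPreference
```

Compare the output of Get-DcSrvRecordPreference before and after the change: the PDC emulator's record should show the reduced weight while the other domain controllers keep theirs, and DNS caches elsewhere pick the change up only after the record TTL expires.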
controller might not be available during that period. Instead, transfer the operations master roles to a different domain controller that is already properly configured.

controller that has the most recent updates from the current role holder. Seize the operations master role to that domain controller to minimize the impact of the role seizure.
Note
If you also set an alert threshold, divide the above warning thresholds in half.
Designating a domain controller as a standby also minimizes the risk of role seizure. By making the operations master and the standby direct replication partners, you reduce the chance of data loss in the event of a role seizure, thereby reducing the chances of introducing corruption into the directory. When you designate a domain controller as the standby, follow all recommendations that are discussed in "Guidelines for Role Placement" earlier in this guide. To designate a standby for the forest-level roles, choose a global catalog server so it can interact more efficiently with the domain naming master. To designate a standby for the domain-level roles, ensure that the domain controller is not a global catalog server so that the infrastructure master continues to function properly if you must transfer the roles. Manually create a connection object between the operations master and the designated standby operations master to ensure that replication occurs between the two domain controllers.
Database size: During ordinary operation, the database removes expired tombstones and defragments (consolidates) white space. This automatic online defragmentation redistributes and retains white space for use by the database. The following conditions might warrant taking steps to regulate database size manually:
Temporary backlog of expired tombstones following bulk deletions: Large-scale deletions can temporarily increase the database file size if tombstones expire in larger numbers than garbage collection can remove in one cycle (5,000 tombstones per cycle). After objects are deleted, their tombstones are stored in the directory for 60 days by default and cannot be removed prior to that time. However, after the tombstone lifetime expires, you can speed removal of the tombstone backlog by temporarily decreasing the default garbage collection period (12 hours).
Increased white space due to large-scale deletions: If data is decreased significantly, such as when the global catalog is removed from a domain controller, white space is not automatically returned to the file system. Although this condition does not affect database operation, it does result in a larger file size. You can use offline defragmentation to decrease the size of the database file by returning white space from the database file to the file system.
Hardware upgrade or failure: If you need to upgrade or replace the disk on which the database or log files are stored, move the files to a different location, either permanently or temporarily.

For information about monitoring the database and log file partitions for low disk space, see "Monitoring Active Directory" earlier in this guide.
Directory database procedures (table fragment):
Task: Return unused disk space from the directory database to the file system.
Procedures: Change (decrease) the garbage collection period. Change (increase) the garbage collection logging level. Verify removal of tombstones in the event log. Change (return to normal) the garbage collection period. Change (return to normal) the garbage collection logging level. Compact the directory database offline (offline defragmentation), if needed.
Tools listed: dir, Backup Wizard, Terminal Services Client, Notepad, Ntdsutil.exe, Windows Explorer; Registry editor, Backup Wizard, net use, del, copy, Ntdsutil.exe.
Frequency: As needed.
Path Considerations

If the path to the database file or log files changes as a result of moving the files, be sure that you:
Use Ntdsutil.exe to move the files (rather than copying them) so that the registry is updated with the new path. Even if you are moving the files only temporarily, use Ntdsutil.exe to move files locally so that the registry is always current.
Perform a system state backup as soon as the move is complete so that the restore procedure uses the correct path.
Verify that the correct permissions are applied on the destination folder following the move. Revise permissions to those that are required to protect the database files, if needed.

SYSVOL Considerations

If you replace or reconfigure a drive that stores the SYSVOL folder, you must first move the SYSVOL folder manually. For information about moving SYSVOL manually, see "Managing SYSVOL" later in this guide.
". Com$are the si.e o* the directory data)ase *iles to the olume si.e, %e*ore mo ing any *iles in res$onse to low dis& s$ace, eri*y that no other *iles on the olume are res$onsi)le *or the condition o* low dis& s$ace, 2. %ac& u$ system state, System state includes the data)ase *ile and log *iles as well as S@S30L and '!(L0"0' shared *olders, among other things, Always ensure that you ha e a current )ac&u$ $rior to mo ing data)ase *iles, ). Restart the domain controller in Directory Ser ices Restore Mode, as *ollows: /* you are logged on to the domain controller console, locally restart the domain controller in Directory Ser ices Restore Mode, /* you are using (erminal Ser ices *or remote administration, modi*y the %oot,ini *ile on the remote ser er so that you can remotely restart the domain controller in Directory Ser ices Restore Mode,
5. Mo e the data)ase *ile, the log *iles, or )oth, Mo e the *iles to a tem$orary destination i* you need to re*ormat the original location, or to a $ermanent location i* you ha e additional dis& s$ace, Mo ing the *iles can )e $er*ormed locally )y using 'tdsutil,e<e or remotely 8tem$orarily9 )y using a *ile co$y, as *ollows: Mo e the directory data)ase *iles to a local dri e,
*3
Chapter Number 1
&aution
6ettin( the value o$ entries in the Dia(nostics sub'ey to (reater than 2 can de(rade server per$or!ance and is not reco!!ended.
Co$y the directory data)ase *iles to a remote share and )ac&, When co$ying any data)ase *iles o** the local com$uter, always co$y )oth the data)ase *ile and the log *iles,
3. /* the $ath to the data)ase or log *iles has changed, )ac& u$ system state so that the restore $rocedure has the correct in*ormation,
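Steps 2 and 6 above, together with the path and permission considerations, amount to a set of facts worth collecting before and after a move. The following PowerShell is an added example and not part of the guide; it reads the database and log paths from the NTDS Parameters registry values that Ntdsutil.exe keeps current ("DSA Database file" and "Database log files path", standard values on every domain controller), confirms the files are where the registry says they are, compares their size with the free space on the volume, and lists access control entries on the database folder. The expectation that only SYSTEM and Administrators appear in that ACL is this example's, not the guide's, which says only to revise permissions as required. Run it locally on the domain controller as an administrator.

```powershell
# Added example (not part of the guide): collect the facts the database move
# procedure asks for. Registry value names are the standard NTDS parameters.
function Get-DirectoryDatabaseStatus {
    $params  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dbFile  = [string]$params.'DSA Database file'        # e.g. C:\WINNT\NTDS\ntds.dit
    $logPath = [string]$params.'Database log files path'  # folder holding edb*.log

    # Step 6 / path considerations: do the registry and the disk agree?
    $dbExists  = Test-Path -LiteralPath $dbFile
    $logExists = Test-Path -LiteralPath $logPath
    $dbBytes   = if ($dbExists) { (Get-Item -LiteralPath $dbFile).Length } else { 0 }
    $logBytes  = 0
    if ($logExists) {
        $sum = (Get-ChildItem -LiteralPath $logPath -Filter '*.log' |
                Measure-Object -Property Length -Sum).Sum
        if ($sum) { $logBytes = $sum }
    }

    # Step 2: size of the database against free space on its volume.
    $driveName = (Split-Path -Path $dbFile -Qualifier).TrimEnd(':')
    $freeBytes = (Get-PSDrive -Name $driveName).Free

    # Permissions on the database folder; anything beyond SYSTEM and the local
    # Administrators group is listed for review (this example's expectation).
    $toReview = @()
    if ($dbExists) {
        $acl = Get-Acl -LiteralPath (Split-Path -Path $dbFile -Parent)
        $toReview = @($acl.Access |
            Where-Object { $_.IdentityReference.Value -notin 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators' } |
            ForEach-Object { "$($_.IdentityReference.Value): $($_.FileSystemRights)" })
    }

    [pscustomobject]@{
        DatabaseFile           = $dbFile
        LogFilesPath           = $logPath
        PathsAgreeWithRegistry = $dbExists -and $logExists
        DatabaseMB             = [math]::Round($dbBytes / 1MB, 1)
        LogFilesMB             = [math]::Round($logBytes / 1MB, 1)
        VolumeFreeMB           = [math]::Round($freeBytes / 1MB, 1)
        # Is there room on this volume for a second copy of database plus logs?
        RoomForCopyOnVolume    = $freeBytes -gt ($dbBytes + $logBytes)
        AclEntriesToReview     = $toReview
    }
}

Get-DirectoryDatabaseStatus | Format-List
```

A PathsAgreeWithRegistry value of False after a move is the symptom the path considerations warn about: the files were copied rather than moved with Ntdsutil.exe, and a restore would look in the old location.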
Returning Unused Disk Space from the Directory Database to the File System

During ordinary operation, the white space in the directory database file becomes fragmented. Each time garbage collection runs (every 12 hours by default), white space is automatically defragmented online to optimize its use within the database file. The unused disk space is thereby maintained for the database; it is not returned to the file system. Only offline defragmentation can return unused disk space from the directory database to the file system. When database contents have decreased considerably through a bulk deletion (for example, you remove the global catalog from a domain controller), if the size of the database backup is significantly increased due to the white space, use offline defragmentation to reduce the size of the Ntds.dit file. You can determine how much free disk space is recoverable from the Ntds.dit file by setting the Garbage Collection logging level in the registry. Changing the Garbage Collection logging level from the default value of 0 to a value of 1 results in event ID 1646 being logged in the Directory Service log. This event describes the total amount of disk space used by the database file as well as the amount of free disk space that is recoverable from the Ntds.dit file through offline defragmentation. At Garbage Collection logging level 0, only critical events and error events are logged in the Directory Service log. At level 1, high-level events are logged as well. Events can include one message for each major task that is performed by the service. At level 1, the following events are logged for garbage collection: 700 and 701: report when online defragmentation begins and ends, respectively. 1646: reports the amount of free space available in the database out of the amount of allocated space.

Following offline defragmentation, perform a database integrity check. The integrity command in Ntdsutil.exe detects binary-level database corruption by reading every byte in the database file. The process ensures that the correct headers exist in the database itself and that all of the tables are functioning and consistent. Therefore, depending upon the size of your Ntds.dit file and the domain controller hardware, the process might take considerable time. In testing environments, the speed of 2 GB per hour is considered to be typical. When you run the command, an online graph displays the percentage completed.
Note
Tombstones cannot be removed prior to expiration of the tombstone lifetime.

4. Compact the directory database file (offline defragmentation). As part of the offline defragmentation procedure, check directory database integrity.
5. If the database integrity check fails, perform semantic database analysis with fixup.
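The logging-level change and the event 1646 check described above can be scripted. The following PowerShell is an added example, not the guide's procedure; it uses the "6 Garbage Collection" value under the NTDS Diagnostics registry key (the standard name of that logging category) and reads the forest-wide tombstoneLifetime and garbageCollPeriod attributes from the Directory Service object in the configuration partition, which are absent until an administrator sets them (absent means the defaults the text gives: 60 days and 12 hours). The server name is a placeholder; run the registry part on the domain controller itself. The level is capped at 3 to respect the caution above.

```powershell
# Added example (not part of the guide): raise Garbage Collection logging so
# event 1646 is written, read the events back, and show the directory-wide
# garbage collection settings. Server name is an assumed placeholder.
function Set-GarbageCollectionLoggingLevel {
    param([ValidateRange(0, 3)][int]$Level)   # values above 3 degrade performance (caution above)
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
                     -Name '6 Garbage Collection' -Value $Level -Type DWord
}

function Get-RecoverableSpaceEvents {
    param([int]$MaxEvents = 5)
    # Event 1646 appears after the next garbage collection run (every 12 hours by
    # default), so run this again later if nothing is returned yet.
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1646 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Get-GarbageCollectionSettings {
    param([string]$Server = 'DC01.corp.example.com')  # assumed name
    $rootDse  = [ADSI]"LDAP://$Server/RootDSE"
    $configNc = [string]$rootDse.Properties['configurationNamingContext'][0]
    $ds = [ADSI]"LDAP://$Server/CN=Directory Service,CN=Windows NT,CN=Services,$configNc"

    # Both attributes are unset by default; unset means the built-in default.
    $tsl = if ($ds.Properties['tombstoneLifetime'].Count) { [int]$ds.Properties['tombstoneLifetime'][0] } else { 60 }
    $gcp = if ($ds.Properties['garbageCollPeriod'].Count) { [int]$ds.Properties['garbageCollPeriod'][0] } else { 12 }
    [pscustomobject]@{
        TombstoneLifetimeDays      = $tsl
        GarbageCollectionPeriodHrs = $gcp
        # Tombstones younger than the lifetime cannot be removed (note above).
        EarliestRemovableDeletion  = (Get-Date).AddDays(-$tsl)
    }
}

Set-GarbageCollectionLoggingLevel -Level 1
Get-GarbageCollectionSettings
Get-RecoverableSpaceEvents
```

When the backlog has cleared, call Set-GarbageCollectionLoggingLevel -Level 0 to return to the default, matching the "return to normal" steps in the procedure table.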
space left by the removed tombstones to the file system, perform offline defragmentation after the backlog is cleared.
Managing SYSVOL

The Windows 2000 Server System Volume (SYSVOL) is a collection of folders and reparse points in the file systems that exist on each domain controller in a domain. SYSVOL provides a standard location to store Group Policy objects (GPOs) and scripts so that the File Replication service (FRS) can distribute them to other domain controllers and member computers in a domain.

Table header fragments (partially recovered): Capacity; Performance.

Note
If you receive indications that disk space is low, determine if the cause is inadequate physical space on the disk, or a registry setting that allocates inadequate disk space to SYSVOL. By modifying a setting in the registry, you can allocate more disk space to SYSVOL rather than relocating SYSVOL or the Staging Area. Increasing the space allocation in the registry is much faster and easier than relocation. For more information about managing disk space, see "Maintaining Sufficient Disk Space" later in this section.
FRS monitors SYSVOL and if a change occurs to any file stored on SYSVOL, then FRS automatically replicates the changed file to the SYSVOL folders on the other domain controllers in the domain. Computers that run Windows 2000 Server obtain GPOs, logon, logoff, startup, and shutdown scripts from the SYSVOL shared folder. Windows NT 4.0-based domain controllers and Windows-based clients that do not run Active Directory client software obtain GPOs and scripts from the NETLOGON shared folder. During the installation of Active Directory, the folders and reparse points are automatically created in the %SystemRoot%\SYSVOL folder. FRS automatically replicates any files or GPOs that are written to these folders to the other domain controllers in the domain, to ensure that they are available and ready to be used when a user logs on to the domain. The day-to-day operation of SYSVOL is an automated process that does not require any human intervention other than watching for alerts from the monitoring system. Occasionally, you might perform some system maintenance as you change your network. The procedures you might perform include:
Relocating SYSVOL
Relocating the Staging Area
Changing the size of the Staging Area

These procedures involve moving SYSVOL or portions of SYSVOL to alternate locations. You might perform these procedures to maintain capacity and performance of SYSVOL, for hardware maintenance, or for data organization. Depending upon the configuration of your network, SYSVOL can require much disk space to function properly. During the initial deployment, SYSVOL might be allocated adequate disk space to function. However, as your network grows, the required capacity can exceed the available disk space. Any changes made to SYSVOL are automatically replicated to the other domain controllers in the domain. If the files stored in SYSVOL change frequently, the replication increases the input and output for the volume where SYSVOL is located. If the volume is also host to other system files, such as the directory database or the pagefile, then the increased input and output for the volume can impact the performance of the server.
System maintenance, such as remo al o* a dis& dri e, can re:uire you to relocate S@S30L, ! en i* the maintenance occurs on a di**erent dis& dri e, eri*y that that maintenance does not a**ect the system olume, Logical dri e letters can change a*ter you add and remo e dis&s, -RS locates S@S30L )y using $ointers stored in the directory and the registry, /* dri e letters change a*ter you add or remo e dis& dri es, )e aware that these $ointers are not automatically u$dated, Some organi.ations $re*er to control where s$eci*ic data is stored *or organi.ational $ur$oses and esta)lished )ac&u$ and restore $olicies,
%ecause the Staging Area *older holds *iles *rom all re$lication $artners, you must consider tra**ic to and *rom all $artners when you estimate the dis& s$ace re:uirements *or the Staging Area *older on each com$uter, /* re$lication must occur )etween domain controllers that are located in di**erent sites, remem)er that -RS uses the same connection o)2ects as Acti e Directory, @ou can con*igure those connection o)2ects so that re$lication can occur only during certain times o* the day, !ach connection o)2ect has an associated schedule that dictates what hours o* the day the connection is a aila)le *or re$lication, Allocate enough time in the schedule *or all Acti e Directory re$lication and all -RS re$lication to occur, /* -RS does not com$lete all outstanding re$lication re:uests when the schedule ma&es the connection a aila)le, it will hold the remaining unre$licated *iles until the ne<t time the connection )ecomes a aila)le, 0 er time, this )ac&log o* unre$licated *iles can grow to consume an enormous amount o* dis& s$ace,
Relocating SYSVOL and the Staging Area
Relocating Only the Staging Area

Procedures: Stop the File Replication service. Change the space allocated to the Staging Area folder. Start the File Replication service.
Tools: Regedit.exe
Frequency: As needed

Task: Relocate the Staging Area folder.
Procedures: Identify replication partners. Check the status of the SYSVOL. Verify replication is functioning. Gather the SYSVOL path information. Stop the File Replication service. Create the new Staging Area folder. Set the Staging Area path. Prepare a domain controller for non-authoritative SYSVOL restore. Start the File Replication service.
Tools: Active Directory Sites and Services, Dcdiag.exe, Windows Explorer, ADSI Edit, Regedit.exe
Frequency: As needed

Task: Move SYSVOL by using the Active Directory Installation Wizard.
Procedures: View the current operations master role holders. Transfer the forest-level operations master roles. Transfer the domain-level operations master roles. Determine whether a domain controller is a global catalog server. Verify DNS registration and functionality. Verify communication with other domain controllers. Verify the existence of the operations masters. Remove Active Directory. Delete a server object from a site. Verify DNS registration and functionality. Install Active Directory. Verify the site assignment for the domain controller. Move a server object to a different site if the domain controller is located in the wrong site. Perform final DNS configuration. Check the status of the shared system volume. Verify DNS registration and functionality. Verify domain membership for the new domain controller. Verify communication with other domain controllers. Verify replication is functioning. Verify the existence of the operations masters.
Tools: Active Directory Users and Computers, Active Directory Sites and Services, Dcdiag.exe, Netdiag.exe, DCPromo.exe, DNS snap-in
Frequency: As needed

Procedures: Identify replication partners. Check the status of the shared system volume. Verify replication is functioning. Gather the SYSVOL path information. Stop the File Replication service. Create the SYSVOL folder structure. Set the SYSVOL path. Set the Staging Area path. Set the fRSRootPath. Prepare a domain controller for non-authoritative SYSVOL restore. Update security on the new SYSVOL. Start the File Replication service.
Tools: Active Directory Sites and Services, Dcdiag.exe, NTBackup.exe, ADSI Edit, Regedit.exe, Linkd.exe
Frequency: As needed

Procedures: Check the status of the SYSVOL. Gather the SYSVOL path information. Stop the File Replication service. Set the SYSVOL path. Set the fRSRootPath. Set the Staging Area path. Start the File Replication service.
Tools: Regedit.exe, Windows Explorer, ADSI Edit, Linkd.exe
Frequency: As needed

Procedures: Identify replication partners. Check the status of the SYSVOL. Verify replication is functioning. Restart the domain controller in Active Directory Restore Mode (locally or remotely). Gather the SYSVOL path information. Stop the File Replication service. Prepare the domain controller for non-authoritative SYSVOL restore. Import the SYSVOL folder structure. Start the File Replication service. Check the status of the shared system volume.
Tools: Active Directory Sites and Services, Dcdiag.exe, Windows Explorer, Regedit.exe, Linkd.exe
Frequency: As needed
save space in the Staging Area folder and reduce the time that is needed to replicate the files, this method requires making and storing a copy of every file prior to replication and can require a substantial amount of disk space to store all of the copies. When you examine the disk space that SYSVOL uses, you need to examine both physical disk space and allocated disk space. Physical disk space refers to the amount of space that is available on the disk drive. To prevent SYSVOL from using all physical disk space available on the drive, an entry in the registry limits the amount of space that SYSVOL can use. This is the allocated disk space. The default size of the Staging Area folder is 660 megabytes (MB). The minimum size is 10 MB and the maximum size is 2 terabytes. You can adjust the size limit of the Staging Area folder by setting the value in kilobytes (KB) of the Staging Space Limit registry entry in HKEY_Local_Machine\System\CurrentControlSet\Services\NtFrs\Parameters. For more information about setting the Staging Space Limit in the registry, see KB article Q221111 in the Microsoft Knowledge Base. To view the Microsoft Knowledge Base, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. When the Staging Area folder runs out of disk space, FRS behaves differently depending on the version of Windows 2000 Server that is running. If Windows 2000 Server Service Pack 2 (SP2) or earlier is running, then FRS fills the Staging Area to the limit defined in the registry and then suspends inbound and outbound replication until disk space is made available. In this situation, you can avoid suspension of replication by generously estimating the amount of disk space that SYSVOL requires. If Windows 2000 Server Service Pack 3 (SP3) is running, then FRS fills the Staging Area to 90 percent of the limit specified in the registry and then starts removing the least recently used files to make more space available. While this prevents FRS from suspending replication, it can affect the performance of the domain controller. If a large number of files are constantly being updated, then FRS constantly stages, removes, and restages files to maintain available disk space in the Staging Area. In this case, making more space available reduces the amount of work that the domain controller performs in order to keep FRS functioning.
speed of the network. Each connection object has an associated schedule that allows administrators to dictate when the connection is available for replication. Network administrators can limit the time that replication can take place so that processes that are more important to the daily operation of the business can use available network bandwidth over a specific connection. This becomes especially important if two replication partners are connected by a slow link (such as a 128 Kbps dial-up connection). The schedule makes it possible to limit replication traffic so that it occurs only at night or during off-peak hours. FRS stages all replication traffic and waits for the connection to become available. When the connection is available, it begins replication and continues until it replicates all outstanding files, or the connection becomes unavailable. If many files are awaiting replication and the network is busy handling other traffic, then FRS might not get a chance to replicate all outstanding files before the schedule makes the connection unavailable. If this happens, FRS holds the remaining files until the schedule permits replication to continue. While FRS is waiting for the schedule to permit replication, it continues to stage new files for replication. The Staging Area folder needs enough space to store the staged files as well as to handle any backlog of files that might not get replicated due to limited availability of the connection.
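The interaction between the Staging Space Limit, the service-pack behaviour and the connection schedule is easier to reason about with a small model. The following is an added example, not code from the Active Directory Operations Guide: it simulates one member's Staging Area under the two policies the guide describes (SP2 and earlier fills to the limit and suspends replication; SP3 fills to 90 percent of the limit and evicts least-recently-used staged files, which then have to be restaged) and applies a connection-object schedule. The workload, link speed, schedule window and the 200 KB file size are constructed sample input; the class and function names are this example's own.

```python
"""Model of how the FRS Staging Area behaves under a replication schedule.

Constructed example for the Staging Area sizing discussion; it is not code from
the Active Directory Operations Guide. Policies modelled: "sp2" fills the
Staging Area to the registry limit, then suspends replication until an
administrator frees space; "sp3" fills to 90 percent of the limit, then drops
least-recently-used staged files, which must be staged again later.
"""
from collections import OrderedDict, deque


class StagingArea:
    """One member's Staging Area folder and the policy that governs it."""

    def __init__(self, limit_kb, policy):
        self.limit_kb = limit_kb        # the Staging Space Limit registry value
        self.policy = policy            # "sp2" (SP2 and earlier) or "sp3"
        self.staged = OrderedDict()     # name -> size_kb, least recently used first
        self.suspended = False          # sp2: replication halted until space is freed
        self.restaged = 0               # sp3: evictions that must be staged again

    def used_kb(self):
        return sum(self.staged.values())

    def stage(self, name, size_kb):
        """Stage one change order. Returns (staged, names_evicted_to_make_room)."""
        if self.policy == "sp2":
            if self.used_kb() + size_kb > self.limit_kb:
                self.suspended = True
                return False, []
            self.staged[name] = size_kb
            return True, []
        threshold = 0.9 * self.limit_kb
        if size_kb > threshold:           # can never fit; leave it pending
            return False, []
        evicted = []
        while self.staged and self.used_kb() + size_kb > threshold:
            old, _ = self.staged.popitem(last=False)   # least recently used
            evicted.append(old)
        self.staged[name] = size_kb
        self.restaged += len(evicted)
        return True, evicted


def simulate(limit_kb, policy, hours, schedule_hours, link_kb_per_hour, changes):
    """Run `hours` of activity. `changes` maps an hour to the (name, size_kb)
    files modified locally in that hour; `schedule_hours` are the hours of the
    day during which the connection object's schedule makes the link available."""
    area = StagingArea(limit_kb, policy)
    pending = deque()       # change orders waiting to be staged, oldest first
    sizes = {}
    sent_kb = 0
    for hour in range(hours):
        for name, size in changes.get(hour, []):
            sizes[name] = size
            pending.append(name)
        # One staging pass; anything evicted rejoins the head of the queue.
        deferred, evicted_now = [], []
        while pending:
            name = pending.popleft()
            if area.suspended:
                deferred.append(name)
                continue
            ok, evicted = area.stage(name, sizes[name])
            if not ok:
                deferred.append(name)
            evicted_now.extend(evicted)
        pending = deque(evicted_now + deferred)
        # Replicate whole files, oldest first, while the schedule allows.
        if hour % 24 in schedule_hours and not area.suspended:
            budget = link_kb_per_hour
            for name in list(area.staged):
                if area.staged[name] > budget:
                    break
                size = area.staged.pop(name)
                budget -= size
                sent_kb += size
    backlog_kb = area.used_kb() + sum(sizes[n] for n in pending)
    return {"sent_kb": sent_kb, "backlog_kb": backlog_kb,
            "suspended": area.suspended, "restaged": area.restaged,
            "staged_kb": area.used_kb()}


def sample_run(limit_kb, policy):
    """Two days of a constructed workload: one 200 KB change every hour and a
    300 KB/hour link that the schedule opens only between 00:00 and 04:00."""
    changes = {h: [(f"file{h:02d}", 200)] for h in range(48)}
    return simulate(limit_kb, policy, 48, {0, 1, 2, 3}, 300, changes)


if __name__ == "__main__":
    for limit, policy in ((1000, "sp2"), (1000, "sp3"), (20000, "sp2")):
        print(limit, policy, sample_run(limit, policy))
```

With a 1000 KB limit the SP2 policy suspends replication on the first day and nothing further replicates until an administrator intervenes, whereas the SP3 policy keeps replicating but churns files in and out of the Staging Area; raising the limit well above the backlog (the guide's advice to estimate generously) removes both problems.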
to the actual location that FRS uses to stage files. When relocating the Staging Area, you must update these two parameters to point to the new location.
WARNING: Do not move SYSVOL with the Active Directory Installation Wizard unless you completely understand the risks and consequences of decommissioning the domain controller in question.

Note: If any of the verification tests fail, do not continue until you identify and fix the problems. If these tests fail, the installation and decommissioning operation is also likely to fail.

Note: If the verification test fails, do not continue until you identify and fix the problems. If the test fails, then the decommissioning operation is also likely to fail.
If this domain controller is not hosting any additional services that depend on the directory, and your directory does not take an extensive amount of time to complete the initial replication to new domain controllers, then moving SYSVOL with the Active Directory Installation Wizard can save you time and be easier and more reliable than moving SYSVOL manually.
Procedures for Moving SYSVOL with the Active Directory Installation Wizard
Use the following procedures to remove and reinstall Active Directory in order to move SYSVOL. For more information about installing and removing Active Directory, see "Managing Installation and Removal of Active Directory" in this guide. Procedures are explained in detail in the linked topics.
1. View the current operations master role holders to see if any roles are assigned to this domain controller.
2. If this domain controller is listed as hosting either the schema master or domain naming master roles, then transfer the forest-level roles to another domain controller in the forest root domain. Any domain controller in the forest is capable of hosting these roles but it is recommended that they remain in the forest root domain. Ensure that you place the domain naming master role on a global catalog server.
3. If this domain controller is listed as hosting the primary domain controller (PDC) emulator, infrastructure master or relative identifier (RID) master roles, transfer the domain-level roles to another domain controller in the same domain. Do not place the infrastructure master role on a global catalog server unless all of the domain controllers host the global catalog or unless only one domain exists in the forest.
4. Determine whether a domain controller is a global catalog server and ensure that other domain controllers are configured as global catalog servers before continuing.
5. Verify DNS registration and functionality.
6. Verify communication with other domain controllers.
7. Verify the existence of the operations masters on the network.
8. Remove Active Directory.
9. Delete the server object from a site.
10. Verify DNS registration and functionality.
11. Install Active Directory. Provide the wizard with the new location for SYSVOL when prompted.
12. Verify the site assignment for the domain controller.
13. Move a server object to a different site if the domain controller is located in the wrong site.
14. Perform final DNS configuration for a new domain controller that is located in the forest root domain:
   a. Create a delegation for the new domain controller in the parent domain of the DNS infrastructure if a parent domain exists and a DNS server hosts it. If a DNS server does not host the parent domain, then follow the procedures outlined in the vendor documentation to add the delegation for the new domain controller.
   b. Configure the DNS client settings.
   -Or-
   Perform final DNS configuration for a new domain controller that is located in a child domain:
   c. Create a delegation for the new domain controller in the forest root domain.
   d. Create a secondary zone.
   e. Configure the DNS client settings.
15. Check the status of the shared system volume.
16. Verify DNS registration and functionality.
17. Verify domain membership for the new domain controller.
18. Verify communication with other domain controllers.
19. Verify that replication is functioning.
20. Verify the existence of the operations masters.
Important: This procedure can alter security settings. After you complete the procedure, the security settings on the new system volume are reset to the default settings that were established when you installed Active Directory. You must reapply any changes to the security settings on the system volume that you made since you installed Active Directory. Failure to do so can result in unauthorized access to Group Policy objects and logon and logoff scripts.

WARNING: Remember, if the system volumes on your domain controllers are becoming unsynchronized to the point that you need to relocate the system volumes, be sure to troubleshoot the FRS problems and resolve the issues that cause the system volumes to become unsynchronized before you attempt to relocate the system volumes.
FRS is stopped while the changes are made and then restarted after the changes are completed. During the restart process, FRS reads the new configuration information in the directory and the registry and reconfigures itself to use the new location. SYSVOL uses an extensive folder structure that must be recreated accurately at the new location. The easiest method is to copy the folder structure by using Windows Explorer. You must ensure that you copy any folders that may have special attributes, such as hidden folders. The folder structure also includes junction points. Junction points look like folders when they appear in Windows Explorer but they are not really folders. Junction points contain links to other folders. When you open a junction in Windows Explorer, you see the contents of the folder to which the junction is linked. If you open a command prompt and display a directory listing that contains junction points, they are designated as [JUNCTION], while regular folders are designated with [DIR]. Junction points behave like regular folders. When you are working in the file system, you have no indication whether you are working with a junction or a folder. The difference between folders and junctions appears when you copy or move a junction to a new location. Because a junction is a link to another location, when you copy a junction to a new location, the link still refers to the original location. SYSVOL contains two junction points that point to folders in the SYSVOL tree. When you move the tree to a new location, you must update the junction points to point to the new location. Otherwise, the junction points continue to point to the original SYSVOL folders. The registry and Active Directory store path information that FRS uses to locate the SYSVOL and the Staging Area folders. You must update these settings to point to the new locations. After you create the new folders and update the paths and junctions, ensure that the folders get repopulated with the proper data. You repopulate the files stored in SYSVOL at the new location by replicating the data into the new location from one of the domain controller's replication partners. The BURFLAGS option is set in the registry and when FRS restarts, it replicates the data into the new folders from one of the replication partners. Because this data is restored to the new location by means of replication, be certain that the system volumes on the replication partners are updated and functioning properly to ensure that the data replicated into the new folders is updated and has no errors.
1. Identify replication partners.
2. On the replication partners, check the status of the shared system volume. You do not need to perform the test on every partner, but you need to perform enough tests to be confident that the shared system volumes on the partners are healthy.
3. Verify that replication is functioning.
4. Gather the SYSVOL path information.
5. Stop the File Replication service.
6. Create the SYSVOL folder structure.
7. Set the SYSVOL path.
8. Set the Staging Area path. If you have moved the Staging Area folder to a different location already, you do not need to do this step.
9. Set the fRSRootPath.
10. Prepare a domain controller for non-authoritative SYSVOL restore.
11. Update security on the new SYSVOL.
12. Start the File Replication service.
13. Check the status of the shared system volume.
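A copied junction keeps referring to the original location, so a check that every junction under the new SYSVOL tree resolves inside the new tree is a useful step between creating the folder structure (step 6) and starting FRS (step 12). The following is an added example, not code from the Active Directory Operations Guide or from Windows. It assumes only that a junction's target can be read with os.readlink(), which on Windows (Python 3.8 and later) returns the target of a directory junction; on other platforms the same check runs against symbolic links, which is what the constructed sample tree in demo() uses. The folder names (corp.example, old_sysvol, new_sysvol) and the function names are this example's own.

```python
"""Verify that no junction under a relocated SYSVOL tree still points into the
old location. Added example; not code from the Active Directory Operations
Guide. Junctions are read with os.readlink() (Windows, Python 3.8+); the
sample tree built in demo() uses symbolic links so the check runs anywhere.
"""
import os
import tempfile


def link_target(path):
    """Target of a junction or symbolic link, or None for an ordinary entry.
    os.readlink raises OSError when `path` is not a link of either kind."""
    try:
        target = os.readlink(path)
    except OSError:
        return None
    if target.startswith("\\\\?\\"):      # Windows reports junctions in \\?\ form
        target = target[4:]
    return target


def find_stale_links(new_root, old_root):
    """Walk new_root without following links; return {link_path: target} for
    every link whose target still lies inside old_root. Empty means all of the
    junctions were updated to the new location."""
    old_root = os.path.normcase(os.path.abspath(old_root))
    stale = {}
    for dirpath, dirnames, filenames in os.walk(new_root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            target = link_target(path)
            if target is None:
                continue
            resolved = os.path.normcase(os.path.abspath(os.path.join(dirpath, target)))
            if resolved == old_root or resolved.startswith(old_root + os.sep):
                stale[path] = target
    return stale


def demo():
    """Constructed sample: a SYSVOL-like tree copied to a new location where
    one of its two junctions was updated and the other still points at the old
    tree. The layout mirrors SYSVOL's two junctions; the names are invented."""
    with tempfile.TemporaryDirectory() as base:
        old = os.path.join(base, "old_sysvol")
        new = os.path.join(base, "new_sysvol")
        for root in (old, new):
            os.makedirs(os.path.join(root, "domain"))
            os.makedirs(os.path.join(root, "staging", "domain"))
        os.makedirs(os.path.join(new, "sysvol"))
        os.makedirs(os.path.join(new, "staging areas"))
        stale_link = os.path.join(new, "sysvol", "corp.example")
        # Junction 1 was copied as-is and still refers to the original location.
        os.symlink(os.path.join(old, "domain"), stale_link)
        # Junction 2 was correctly re-pointed into the new tree.
        os.symlink(os.path.join(new, "staging", "domain"),
                   os.path.join(new, "staging areas", "corp.example"))
        return find_stale_links(new, old), stale_link


if __name__ == "__main__":
    stale, _ = demo()
    for link, target in stale.items():
        print(f"STALE {link} -> {target}")
```

Run find_stale_links(new_sysvol_path, old_sysvol_path) against the real tree after step 6; any entry it reports is a junction that Linkd.exe (step 9's tool) still needs to re-point before FRS is restarted.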
Follow these best practices for configuring time on the forest-root PDC emulator, in this order of preference:
- Install a hardware clock that uses the Network Time Protocol (NTP) on an internal network, and synchronize the forest-root PDC emulator and the standby PDC emulator to it.
- Use IPSec to securely synchronize with another network time server.
- Monitor the forest-root PDC emulator closely to ensure that its time is accurate. Do not synchronize the forest-root PDC emulator with another computer.
If none of these options are acceptable in your organization, you can synchronize with an external reliable time source. However, this option is not recommended, as it synchronizes time in an unauthenticated manner, potentially making time packets vulnerable to an attacker.
Local file changes create change orders with event times reflecting the advanced clock time. These change orders are inserted into the outbound log but are not sent because the computer with the advanced clock will not join with the partners that remain at the correct time. Later, when the time on this computer is restored to the correct time and the computer is able to join with its outbound partners, it sends the change orders with the advanced event time. The downstream partner ignores these change orders because the event time is too far into the future. The result is that the files that changed while the time was advanced are not replicated to the other members, but remain on the computer. Furthermore, the advanced event times cause the computer to reject updates to these files that originate from other replication partners.
Procedures: Configure time on the forest-root PDC emulator. Remove a time source configured on the forest-root PDC emulator.
Tools: Net time
Frequency: As needed

Task: Configure a reliable time source on a computer other than the PDC emulator.
Procedures: Configure the selected computer as a reliable time source.
Tools: Regedit.exe
Frequency: As needed

Procedures: Set a manually configured time source on a selected computer. Remove a manually configured time source on a selected computer. Change polling interval.
Tools: Net time
Frequency: As needed
Note: Setting a computer that is already synchronizing from the domain hierarchy as a reliable time source can create loops in the synchronization tree and cause unpredictable results.
you might only need to configure the time service on the new PDC emulator. To configure time on the forest-root PDC emulator, you can use the following procedures. Procedures are explained in detail in the linked topics.
1. Configure time on the forest-root PDC emulator.
2. Remove a time source configured on the forest-root PDC emulator.
Configuring a Reliable Time Source on a Computer Other than the PDC Emulator
By default, the PDC emulator in the forest root is the authoritative time source for that forest. However, you might want to configure a different computer in your network to be authoritative for the forest, in the following situations:
- If you plan to move the PDC Operations Master role, you can configure a reliable time source on a different computer prior to the move(s) to avoid resets or disruption of the time service. The role of PDC emulator can move between computers, which means that every time the role of PDC emulator moves, the new PDC emulator must be manually configured to point to the external source, and the manual configuration must be removed from the original PDC emulator. To avoid this process, you can set one of the domain controllers in the parent domain as reliable and manually configure just that computer to point to an external source. Then, no matter which computer is the PDC emulator, the root of the time service stays the same and thus remains properly configured.
- If you have security reasons for wanting to segregate the authoritative time computer.
When domain controllers look for a time source to synchronize with, they choose a reliable source if one is available. It is important to note that the automatic discovery mechanism in the time service client never chooses a computer that is not a domain controller. Clients must be manually configured to use any server that is not a domain controller.
Procedure for Configuring a Reliable Time Source on a Computer Other than the PDC Emulator
Although the PDC emulator in the forest root domain is the authoritative time source for that forest, you can configure a reliable time source on a computer other than the PDC emulator. Configure the selected computer as a reliable time source.
Caution: The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back up system state first. For information about backing up system state, see Active Directory Backup and Restore in this guide.

Note: Manually specified time sources are not authenticated, and therefore can enable an attacker to manipulate the time source and then start Kerberos V5 replay attacks. Also, a computer that does not synchronize with its domain controller can have an unsynchronized time. This causes Kerberos V5 authentication to fail, which in turn causes other actions requiring network authentication, such as printing or file sharing, to fail. When only one computer in the forest root domain is getting time from an external source, all computers within the forest remain synchronized to each other, making replay attacks difficult.
Procedures for Configuring a Client to Request Time from a Specific Time Source
The following procedures allow you to specify a time source for client computers that do not automatically synchronize through the time service. Procedures are explained in detail in the linked topics.
1. Set a manually configured time source on a selected computer.
2. Remove a manually configured time source on a selected computer.
Caution: The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back up system state first. For information about backing up system state, see Active Directory Backup and Restore in this guide.
operations master roles. Role transfer ensures that no gaps in master operations coverage occur, which can cause directory inconsistencies. For information about transferring operations master roles, see "Managing Operations Masters" earlier in this guide.
In addition, SYSVOL replication cannot be synchronized manually. For this reason, ensuring that SYSVOL is updated prior to disconnecting the domain controller is more difficult than simply updating SYSVOL when the domain controller is reconnected. Regardless of the length of the disconnection, to ensure that SYSVOL is synchronized when the domain controller is reconnected, prepare the domain controller to perform a non-authoritative restore of SYSVOL prior to disconnecting it. When it restarts, non-authoritative restore of SYSVOL occurs automatically. For information about performing non-authoritative restore of SYSVOL, see "Restoring and Rebuilding SYSVOL" earlier in this guide.
If a domain controller has been disconnected for longer than the maximum safe time of disconnection (tombstone lifetime less end-to-end replication latency), do not allow the domain controller to replicate. Reinstall Windows 2000 Server. This recommendation applies to all such domain controllers, regardless of the version of Windows 2000 Server they are running (SP3, SP2, or earlier). If you deploy Windows 2000 Server SP3, modify the registry to enforce strict replication behavior at the time the domain controller is installed.
Table 1.19 Tasks and Procedures for Managing Long-Disconnected Domain Controllers

Task: Prepare a domain controller for long disconnection.
Procedures: Determine the anticipated length of the disconnection. Determine the tombstone lifetime for the forest. Determine the maximum safe disconnection time and proceed as follows: If the estimated time of disconnection exceeds the maximum safe disconnection time, do not proceed with the disconnection. Contact a supervisor. If the estimated time of disconnection does not exceed the maximum safe disconnection time, proceed with disconnection. View the current operations master role holders. Transfer domain-level operations master roles, if appropriate. Transfer forest-level operations master roles, if appropriate. Prepare the domain controller for non-authoritative SYSVOL restore. Synchronize replication from all inbound (source) replication partners. Verify successful replication to the domain controller. Label the domain controller with the date and time of disconnection and the maximum safe disconnection period.
Tools: ADSI Edit, Active Directory Sites and Services, Repadmin.exe, Regedit.exe, Active Directory Domains and Trusts, Active Directory Users and Computers
Frequency: As needed

Procedures: Determine the tombstone lifetime for the forest. Determine whether the maximum safe disconnection time has been exceeded, and proceed accordingly. If the maximum safe time has been exceeded, do not connect the domain controller. Contact a supervisor about reinstalling the domain controller. If the maximum safe time has not been exceeded, proceed with reconnecting. If the site has one or more other domain controllers that are authoritative for the domain, start the domain controller at any time. If domain updates are available only from a different site: Determine when intersite replication is scheduled to begin. As soon as possible after the next replication cycle begins, start the domain controller. Verify successful replication on the reconnected domain controller.
Tools: ADSI Edit, Active Directory Sites and Services, Repadmin.exe
Frequency: As needed

Task: Remove
Procedures: SP2: Identify a revived lingering object and replication source on a writable domain controller. Disable outbound replication on the outdated source domain controller. Delete the object from the outdated source domain controller. Windows 2000 Server with SP3: Identify and delete a known non-replicated lingering object on an outdated domain controller. Windows 2000 Server with SP2 or SP3, continue as follows: Identify unknown lingering objects on an outdated domain controller. View replication metadata of the objects. Delete objects created prior to domain controller disconnection. Restart disabled outbound replication (SP2 only). Synchronize replication from the outdated domain controller to a replication partner.
Tools: Event Viewer, Active Directory Sites and Services, Repadmin.exe, Dsastat.exe, Active Directory Users and Computers
Frequency: As needed

Procedures: Windows 2000 Server with SP2: Contact Microsoft Product Support Services. Windows 2000 Server with SP3: Establish the distinguished name and Globally Unique Identifier (GUID) of the object. Identify the GUID of a domain controller that has a writable replica of the domain. Delete the lingering object from the global catalog server.
Tools: Ldp.exe
Frequency: As needed
For information about restoring SYSVOL, see "Restoring and Rebuilding SYSVOL" earlier in this guide.
Determine whether the domain controller holds an operations master role. If the domain controller is an operations master, transfer the role prior to disconnecting. For information about transferring operations master roles, see "Managing Operations Masters" earlier in this guide.
If the length of the disconnection is predicted to be longer than the current tombstone lifetime, consult the design team about extending the tombstone lifetime.
4. View the current operations master role holders to determine whether the domain controller is an operations master role holder.
5. Transfer a domain-level operations master role, if appropriate.
6. Transfer a forest-level operations master role, if appropriate.
7. Prepare the domain controller for non-authoritative SYSVOL restore on the domain controller that you are disconnecting. This process ensures an up-to-date SYSVOL when the domain controller is restarted.
8. Synchronize replication from all inbound (source) replication partners. Each connection object below the NTDS Settings object for the server you are disconnecting represents an inbound replication partner.
9. Verify successful replication to the domain controller that you are disconnecting.
10. Label the domain controller with the date and time of disconnection and the maximum safe disconnection period.
Caution: The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back up system state first. For information about backing up system state, see "Active Directory Backup and Restore" in this guide.
- A domain controller goes offline following the deletion of an object on another domain controller but prior to receiving replication of the tombstone, and remains offline for a period that exceeds the tombstone lifetime.
- A domain controller goes offline, an object is deleted on that domain controller, and the object tombstone is removed by garbage collection on that domain controller prior to the domain controller being reconnected to replication.
In the latter case, an object exists on all domain controllers in the domain (for a domain-specific object) or forest (for a configuration or schema object) except the reconnected domain controller. In this case, the remedy is simply to delete the object on any writable domain controller. However, in the first two cases, if the domain controller is then reconnected to the replication topology, objects that exist nowhere else in the forest remain on the domain controller and potentially can be reintroduced into the directory. If lingering objects are security principals, reintroducing them can have serious consequences. For more information about how lingering objects are reintroduced into the directory and how to remove them, see "Removing Lingering Objects from an Outdated Writable Domain Controller."
Important: Do not use file copy utilities such as xcopy or robocopy to update an outdated SYSVOL.
In the event that a domain controller has been disconnected for a tombstone lifetime or longer but has already replicated, follow the instructions for detecting and removing lingering objects in "Removing Lingering Objects from an Outdated Writable Domain Controller."
- A new object or Exchange mailbox cannot be created when the samAccountName attribute value of the new object is the same as a lingering object. An error reports that the object already exists.
- Replication succeeds with a "no such object" error (event ID 1388) when "loose replication consistency" is in effect. This error indicates that the source domain controller revived a lingering object in the directory.
- Replication fails with a "no such object" error (event ID 1084) when "strict replication consistency" is in effect. This error indicates that the source domain controller tried to replicate a lingering object.
- Identify the domain controller that replicated the update to a lingering object. Use the information in event ID 1388 (Windows 2000 Server with SP2) or event ID 1084 (Windows 2000 Server with SP3) to identify the source domain controller.
- Disable outbound replication on the source domain controller.
- Delete the lingering object from the source domain controller.
- Compare the database contents of the outdated source domain controller and an up-to-date replication partner to determine whether the outdated source domain controller contains objects that do not exist on its replication partner.
- Identify the distinguished names of the objects that exist on the outdated domain controller but not on the replication partner.
- Examine metadata of the object to determine when it was created.
- Delete the objects that were created prior to disconnecting the domain controller.
- Restart outbound replication on the source domain controller.
Deletions o* the lingering o)2ects re$licate to the other domain controllers, Any domain controller that is running Windows 5666 Ser er with SP5, and that does not ha e the o)2ect, logs e ent /D 7AGG, /n this case, the missing o)2ect is re i ed as a tom)stone, and re$licates as such, (he errors on domain controllers that do not ha e the o)2ect can )e ignoredK they will cease a*ter the second re$lication cycle, /* you ha e domain controllers that are running Windows 5666 Ser er with SPA, you can set the registry to en*orce strict re$lication consistency, which ensures that lingering o)2ects do not re$licate, -or this reason, attem$ted re$lication o* the deletions will not )e acce$ted, @ou must delete lingering o)2ects *rom only the outdated domain controller, -or in*ormation a)out setting strict re$lication consistency *or domain controllers that are running Windows 5666 Ser er with SPA, see >Managing Acti e Directory /nstallation and Remo al? in this guide,
Procedures for Removing Lingering Objects from an Outdated Writable Domain Controller
Use the following process to identify and remove lingering objects after you have discovered an outdated domain controller. The initial step in the process varies according to the version of Windows 2000 Server that you are using. Procedures are explained in detail in the linked topics.
1. Identify and delete the initial occurrence of a lingering object, as follows:
For Windows 2000 Server with SP2:
a. Identify a revived lingering object and its replication source on a writable domain controller. Event ID 1388 provides the distinguished name of an object that has been updated on an outdated domain controller. The message also provides the GUID of the domain controller from which the update was replicated. Use the GUID to discover the name of the source domain controller. Repeat this process on each source domain controller until you identify a source domain controller that does not have the error. This domain controller is the outdated source domain controller.
b. Disable outbound replication on the outdated source domain controller.
c. Delete the object from the outdated source domain controller.
For Windows 2000 Server with SP3:
Identify and delete a known non-replicated lingering object on an outdated domain controller, as identified in event ID 1084. The object and source domain controller are named in the error message.
2. Identify unknown lingering objects on an outdated domain controller. This procedure requires the following series of subprocedures to be performed sequentially:
a. Compare the directory databases of the outdated domain controller and the domain controller that received the initial replication error.
b. Identify the distinguished names of the objects that exist on the outdated domain controller but not on the partner domain controller.
Note
The results of this procedure identify only objects where the numbers of objects did not agree between domain controllers. If numbers match but an object of a class was added on one domain controller and a different object of the same class was deleted on the other, and these changes did not replicate, this test cannot identify these inconsistent objects.
3. On the outdated domain controller, view the replication metadata of the objects that you identified in the previous procedure to determine whether they were created prior to the time the domain controller was disconnected or were created during the time that the domain controller was offline. If the newest date in the Org.Time/Date column is older than the date on which the domain controller was disconnected, the object is a lingering object.
4. On the outdated domain controller, delete the objects that were created prior to the date and time that the domain controller was disconnected.
5. Restart disabled outbound replication on the outdated domain controller (SP2 only).
6. Synchronize replication from the outdated domain controller to the partner domain controller to replicate the deletions. Use the connection object on the replication partner that shows the name of the outdated domain controller in the From Server column. This procedure results in error messages on domain controllers that do not have the objects, but these messages can be ignored and will cease by the second replication cycle.
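Steps 2 through 4 of the procedure above can be rehearsed offline on exported data. The following is an added example, not code from the guide or from any Microsoft tool: it diffs the distinguished names in two LDIF exports (one from the outdated domain controller, one from the partner that logged the error) and then applies the guide's rule that a candidate whose newest originating write, the Org.Time/Date column of the replication metadata, is older than the disconnection date is a lingering object. It assumes the exports are LDIF as ldifde writes it (a "dn:" line per object, folded continuation lines, "dn::" for base64-encoded names) and that the per-object Org.Time/Date values have already been read off the metadata into a mapping; every DN, date and export below is constructed.

```python
import base64
from datetime import datetime, timezone
from typing import Dict, List, Set


def unfold_ldif(ldif_text: str) -> List[str]:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines: List[str] = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif_dns(ldif_text: str) -> Set[str]:
    """Return the DNs in an LDIF export, lower-cased because AD compares DNs case-insensitively.
    "dn::" introduces a base64-encoded DN (ldifde writes non-ASCII names that way)."""
    dns: Set[str] = set()
    for line in unfold_ldif(ldif_text):
        if line.startswith("dn::"):
            dns.add(base64.b64decode(line[4:].strip()).decode("utf-8").lower())
        elif line.startswith("dn:"):
            dns.add(line[3:].strip().lower())
    return dns


def objects_only_on_outdated(outdated_ldif: str, partner_ldif: str) -> List[str]:
    """Step 2b: DNs present on the outdated domain controller but not on the partner."""
    return sorted(parse_ldif_dns(outdated_ldif) - parse_ldif_dns(partner_ldif))


def parse_generalized_time(value: str) -> datetime:
    """Parse LDAP generalized time as ldifde writes it (YYYYMMDDHHMMSS.0Z) as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)


def classify_candidates(candidates: List[str], newest_org_time: Dict[str, datetime],
                        disconnected_at: datetime) -> Dict[str, List[str]]:
    """Step 3: a candidate whose newest originating write (Org.Time/Date) predates the
    disconnection is lingering (delete it); a later one was created while offline (keep it);
    a candidate with no metadata is 'unknown' and must be inspected before anything is deleted."""
    meta = {dn.lower(): ts for dn, ts in newest_org_time.items()}
    result: Dict[str, List[str]] = {"lingering": [], "created_offline": [], "unknown": []}
    for dn in candidates:
        ts = meta.get(dn)
        if ts is None:
            result["unknown"].append(dn)
        elif ts < disconnected_at:
            result["lingering"].append(dn)
        else:
            result["created_offline"].append(dn)
    return result


# Constructed sample exports (not real directory data). Alice exists on both sides (the case
# differs only); Bob exists only on the partner and is therefore not a candidate.
OUTDATED_DC_LDIF = """dn: CN=Alice Example,OU=Sales,DC=corp,DC=example
objectClass: user

dn: CN=Old Svc Account,OU=Service,DC=corp,DC=example
objectClass: user

dn:: Q049SsO8cmdlbiBNdXN0ZXIsT1U9U2FsZXMsREM9Y29ycCxEQz1leGFtcGxl
objectClass: user

dn: CN=Offline Created,OU=Sales,
 DC=corp,DC=example
objectClass: user

dn: CN=No Metadata,OU=Sales,DC=corp,DC=example
objectClass: user
"""

PARTNER_DC_LDIF = """dn: cn=alice example,ou=sales,dc=corp,dc=example
objectClass: user

dn: CN=Bob Example,OU=Sales,DC=corp,DC=example
objectClass: user
"""

# Constructed: the disconnection date and the newest Org.Time/Date read off the metadata
# of each candidate (the base64 DN above decodes to the Jürgen Muster entry).
DISCONNECTED_AT = parse_generalized_time("20020601000000.0Z")
NEWEST_ORG_TIME = {
    "CN=Old Svc Account,OU=Service,DC=corp,DC=example": parse_generalized_time("20020110083000.0Z"),
    "CN=Jürgen Muster,OU=Sales,DC=corp,DC=example": parse_generalized_time("20011203120000.0Z"),
    "CN=Offline Created,OU=Sales,DC=corp,DC=example": parse_generalized_time("20020715101500.0Z"),
}


def run_sample() -> Dict[str, List[str]]:
    """Diff the sample exports and classify every candidate."""
    candidates = objects_only_on_outdated(OUTDATED_DC_LDIF, PARTNER_DC_LDIF)
    return classify_candidates(candidates, NEWEST_ORG_TIME, DISCONNECTED_AT)
```

Only the "lingering" bucket is deleted in step 4; the "unknown" bucket exists precisely so that an object without metadata is never removed on the strength of the diff alone.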
replica on the global catalog server and nowhere else, in which case you cannot delete the object by the normal method. The recommended solution to this problem depends on the version of Windows 2000 Server that is running on the outdated global catalog server:
Windows 2000 Server with SP2: Contact Microsoft Product Support Services.
Windows 2000 Server with SP3: Use Ldp.exe to identify and delete the object from all global catalog servers that retain the object.
When deleting an object that has child objects, you must delete the child objects first, then delete the parent. You can tell from the distinguished name whether the object has parent objects.
Managing Trusts
Trusts require little management. Trust relationships between domains establish a trusted communication path through which a computer in one domain can communicate with a computer in the other domain. Trust relationships allow users in the trusted domain to access resources in the trusting domain. For example, where a one-way trust exists:
- A user who is logged on to the trusted domain can be authenticated to connect to a resource server in the trusting domain.
- A user can use an account in the trusted domain to log on to the trusted domain from a computer in the trusting domain.
- A user in the trusting domain can list trusted domain security principals and add them to groups and access control lists (ACLs) on resources in the trusting domain.
- Shortcut trusts between two domains in the same forest.
- Trust relationships between a Windows 2000 domain and a non-Windows Kerberos realm. For more information about trusts between a Windows 2000 domain and a non-Windows Kerberos realm, see the Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability link on the Web Resources page at http://www.Microsoft.com/windows/reskits/webresources.
You might also need to manage trusts for the following reasons:
- To remove a manually created trust.
- To configure security identifier (SID) filtering to deny one domain the right to provide credentials for another domain. You can enable SID filtering for external trusts, that is, trusts between domains in different forests, or between a Windows 2000 and a Windows NT 4.0 domain.
Tasks, procedures, tools, and frequency for managing trusts (table continued from the previous page; the first row is truncated in the extracted text):
Task: ... Windows 2000 domain and a Windows NT 4.0 domain, or between domains in different forests). Procedures: ... Method); Create a One-way Trust (Netdom.exe Method); Create a Two-way Trust (MMC Method); Create a Two-way Trust (Netdom.exe Method). Tools: Active Directory Domains and Trusts (Windows 2000) -Or- Netdom.exe; User Manager for Domains (Windows NT 4.0). Frequency: As needed.
Task: (name not recovered). Procedures: Create a One-way Trust (MMC Method); Create a One-way Trust (Netdom.exe Method); Create a Two-way Trust (MMC Method); Create a Two-way Trust (Netdom.exe Method). Tools: Active Directory Domains and Trusts -Or- Netdom.exe. Frequency: As needed.
Task: Remove a manually created trust. Frequency: As needed.
It is nontransitive.
If you upgrade a Windows NT 4.0 domain to a Windows 2000 domain, the existing trust relationships remain in the same state.
Requirements
It is transitive.
Credentials: Domain Admins. Tool: Active Directory Domains and Trusts.
Requirements
Credentials: Domain Admins. Tool: Active Directory Domains and Trusts or Netdom.exe.
You have identified one or more domains in your enterprise where physical security is lax, or where the domain administrators are less well trusted. You then isolate these less trustworthy domains by moving them to other forests. By definition, all domains within a forest must be trustworthy; if a domain is deemed less trustworthy than the others in the forest, it should not be a forest member. Once you have moved less trustworthy domains out of the forest, establish external trusts to these domains, and apply access control to protect resources. If you are still concerned about SID spoofing being used for privilege escalation, then apply SID filtering. Do not apply SID filtering to domains within a forest, as this removes SIDs required for Active Directory replication, and causes authentication to fail for users from domains that are transitively trusted through the isolated domain.
Managing Sites
An Active Directory site object represents a collection of Internet Protocol (IP) subnets, usually constituting a physical Local Area Network (LAN). Multiple sites are connected for replication by site link objects. Sites are used in Active Directory to:
- Enable clients to discover network resources (printers, published shares, domain controllers) that are close to the physical location of the client, reducing network traffic over Wide Area Network (WAN) links.
- Optimize replication between domain controllers.
Managing sites in Active Directory involves adding new subnet, site, and site link objects when the network grows, as well as configuring a schedule and cost for site links. You can modify the site link schedule, cost, or both, to optimize intersite replication. When conditions no longer require replication to a site, you can remove the site and associated objects from Active Directory. Large hub-and-spoke topology management is beyond the scope of this documentation. For information about managing Active Directory branch office deployments that include more than 200 sites, see the "Active Directory Branch Office Guide Series" at http://www.microsoft.com/technet/win2000/win2ksrv/adguide/default.asp. Using the SMTP intersite replication transport is beyond the scope of this documentation. For information about SMTP replication, see "Active Directory Replication" in the Distributed Systems Guide of the Microsoft Windows 2000 Server Resource Kit and see the "Step-by-Step Guide to Setting up ISM-SMTP Replication." To download this guide, see the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Automatic site coverage is a default condition for Windows 2000 domain controllers. Operations and guidelines documented in this guide are consistent with the enabling of automatic site coverage.
Tasks, procedures, tools, and frequency for managing sites (table continued from the previous page; the first row is truncated in the extracted text):
Task: ... Procedures: ... owner for a site. Generate the replication topology on the ISTG, if appropriate.
Task: (name not recovered; the procedures are those for moving a domain controller to a different site). Procedures: Change the static IP address of the domain controller. Create a delegation for the domain controller, if appropriate. Verify that the IP address maps to a subnet and determine the site association. Determine whether the server is a preferred bridgehead server. Configure the domain controller to not be a preferred bridgehead server, if appropriate. Move the server object to a different site. Tools: My Network Places; Active Directory Sites and Services; DNS snap-in. Frequency: As needed.
Task: Remove a site. Procedures: Determine whether the server object has child objects. Delete the server object or objects from the site. Delete the site link object, if appropriate. Associate the subnet or subnets with a different site, -or- delete the subnet objects. Delete the site object. Determine the ISTG role owner for a site. Generate the replication topology on the ISTG, if appropriate. Frequency: As needed.
associated it with a site object. You can either associate the subnet with an existing site, or create a new site first and then create the subnet and associate it with the new site. If you are going to create a new site for the new network segment, see "Adding a New Site."
Schedule: The time during which replication can occur (the default setting allows replication at all times).
Interval: The number of minutes between replication polling by intersite replication partners within the open schedule window (default is every 180 minutes).
Cost: The relative priority of the link (default is 100). Lower relative cost increases the priority of the link over other higher-cost links.
Consult your design documentation for information about values to set for site link properties.
TCP/IP Settings
When you move a domain controller to a different site, if an IP address of the domain controller is statically configured, then you must change the TCP/IP settings accordingly. The IP address of the domain controller must map to a subnet object that is associated with the site to which you are moving the domain controller. If the IP address of a domain controller does not match the site in which the server object appears, the domain controller must communicate over a potentially slow WAN link to locate resources rather than locating resources in its own site. Prior to moving the domain controller, ensure that the following TCP/IP client values are appropriate for the new location:
- IP address, including the subnet mask and default gateway.
- DNS server addresses.
- WINS server addresses (if appropriate).
If the domain controller that you are moving is a DNS server, you must also:
- Change the TCP/IP settings on any clients that have static references to the domain controller as the preferred or alternate DNS server.
- Determine whether the parent DNS zone of any zone that is hosted by this DNS server contains a delegation to this DNS server. If yes, update the IP address in all such delegations. For information about creating DNS delegations, see "Performing Active Directory Post-Installation Tasks."
Note
If you select preferred bridgehead servers and all selected preferred bridgehead servers for a domain are unavailable in the site, the ISTG does not select a new bridgehead server. In this case, replication of this domain to and from other sites does not occur. However, if no preferred bridgehead server is selected for a domain or transport (through administrator error or as the result of moving the only preferred bridgehead server to a different site), the ISTG automatically selects a preferred bridgehead server for the domain and replication proceeds as scheduled.
Removing a Site
If domain controllers are no longer needed in a network location, you can remove them from the site and then delete the site object. Before deleting the site, you must remove each domain controller from the site either by removing it entirely or by moving it to a new location. To remove the domain controller, remove Active Directory from the server and then delete the server object from the site in Active Directory. For information about removing a domain controller, see "Decommissioning a Domain Controller." To retain the domain controller in a different location, move the domain controller to a different site and then move the server object to the respective site in Active Directory. For information about moving a domain controller, see "Moving a Domain Controller to a Different Site."
Domain controllers can host other applications that depend on site topology and publish objects as child objects of the respective server object. For example, when MOM or Message Queuing are running on a domain controller, these applications create child objects beneath the server object. In addition, a Message Queuing server that is not a domain controller and is configured to be a Message Queuing Routing Server creates a server object in the Sites container. Removing the application from the server automatically removes the child object below the respective server object. However, the server object is not removed automatically. When all applications have been removed from the server (no child objects appear beneath the server object), you can remove the server object. After the application is removed from the server, a replication cycle might be required before child objects are no longer visible below the server object. After you delete or move the server objects but before you delete the site object, reconcile the following objects:
- Subnet object or objects for the site IP addresses: If the addresses are being reassigned to a different site, associate the subnet object or objects with that site. Any clients using the addresses for the decommissioned site will thereafter be assigned automatically to the other site. If the IP addresses will no longer be used on the network, delete the corresponding subnet object or objects.
- Site link object or objects. You might need to delete a site link object, as follows: If the site you are removing is added to a site link containing only two sites, delete the site link object. If the site you are removing is added to a site link that contains more than two sites, do not delete this site link object.
Before deleting a site, obtain instructions from the design team for reconnecting any other sites that might be disconnected from the topology by removing this site. If the site you are removing is added to more than one site link, it might be an interim site between other sites that are added to this site link. Deleting the site might disconnect the outer sites from each other. In this case, the site links must be reconciled according to the instructions of the design team.
3. Delete the site link object, if appropriate. Obtain this information from the design team.
4. Associate the subnet or subnets with the appropriate site, if appropriate. If you no longer want to use the IP addresses associated with the subnet object or objects, delete the subnet objects. Obtain this information from the design team.
5. Delete the site object.
6. Generate the intersite replication topology, if appropriate. By default, the KCC runs every 15 minutes to generate the replication topology. To initiate intersite replication topology generation immediately, use the following procedures to refresh the topology:
a. Determine the ISTG role owner in the site.
b. Generate the replication topology on the ISTG.
Although troubleshooting any distributed system can be challenging and time-consuming, applying a structured methodology to Active Directory troubleshooting can help you quickly sort through the possible causes and reveal the root cause of any problem.
In This Chapter
Overview of Active Directory Troubleshooting
High-level Methodology for Troubleshooting Active Directory Problems
Troubleshooting High CPU Usage on a Domain Controller
Troubleshooting Active Directory-Related DNS Problems
Troubleshooting FRS
Troubleshooting Active Directory Replication
Troubleshooting Active Directory Installation Wizard Problems
Troubleshooting Directory Data Problems
Troubleshooting Windows Time Service Problems
This chapter includes troubleshooting procedures for the events, monitoring alerts, and symptoms that either have the highest frequency of occurrence or that can cause the greatest problem in your organization. Specific sections for each Active Directory service also include troubleshooting procedures for error messages generated by some tools that you might use in the troubleshooting process.
Responding to Events
When responding to events in the event logs, first determine the source that is listed in the event log, such as the Net Logon service or the File Replication service (FRS). Table 2.1 shows the event source and IDs, and references the troubleshooting sections for events that occur most frequently or that cause problems with the highest severity. If Table 2.1 does not include the event ID that you are looking for, search for it in the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
Table 2.1 Active Directory Events Reference
Event Source: FRS. Event IDs: 13508, 13509, 13512, 13522, 13567, 13568. Reference: See "Troubleshooting FRS."
Event IDs: 5774, 5775, 5781, 5783, 5805. Reference: See "Troubleshooting Active Directory-Related DNS Problems."
Event IDs: 1083, 1265, 1388, 1645. Reference: See "Troubleshooting Active Directory Replication Problems."
Event ID: 1085. Reference: See "Troubleshooting Active Directory Replication Problems."
Event Source: W32Time. (The event IDs and reference for this row, and the rows that followed on the next page, were not recovered; the last visible reference is to "Troubleshooting Active Directory-Related DNS Problems.")
Monitoring alerts and responses (table continued; alert names missing from the extracted text are marked):
Alert: Active Directory global catalog search failed. Explanation: This is a high priority alert, because if a global catalog server cannot be reached, users will not be able to log on, and Exchange's address book will not function. Action: Verify that this is a global catalog server. See "Verifying Server Health" to ensure the server is functioning properly.
Alert: A large number of objects are in the LostAndFound container. Action: See "Troubleshooting Directory Data Problems."
Alert: The monitoring system has determined that replication times are exceeding set thresholds. Action: If necessary, see "Managing Sites" for recommendations on setting replication schedules or site topology configuration. You can also change the threshold if you are satisfied with the current schedule.
Alert: (name not recovered). Explanation: The destination server might not be functioning, or there might not be network connectivity. Action: See "Verifying Server Health" and "Verifying Network Path." If necessary, see "Managing Operations Masters" to determine if it is appropriate to seize the role. If the outage is expected, see "Managing Operations Masters" to transfer the role before the outage to avoid this error.
Alert: (name not recovered). Explanation: An application or service is consuming an inordinate amount of CPU. Action: See "Troubleshooting High CPU Usage on a Domain Controller."
Alert: (name not recovered). Explanation: Short term connectivity problems can be expected, but extended failures indicate a problem. Investigate any problem that persists for more than a few hours. Action: See "Troubleshooting Active Directory Replication Problems."
Alert: Time skew detected. Explanation: The system time on the servers indicated in the alert is not synchronized. Action: See "Troubleshooting Windows Time Service Problems."
Responding to Symptoms
If you are troubleshooting Active Directory based on symptoms reported by users or noticed by IT personnel, you need to perform some preliminary troubleshooting steps to isolate the cause of the problem. See "High-Level Methodology for Troubleshooting Active Directory Problems" in this guide for information about how to iterate the troubleshooting process until you have found the root cause and resolved the problem. If you have already determined the most likely source or cause of the problem, you can refer to the appropriate section in this guide, such as "Troubleshooting High CPU Usage on a Domain Controller" or "Troubleshooting Active Directory Replication Problems." Each section contains additional troubleshooting steps that allow you to further isolate the problem.
For more information about implementing a service desk and incident and problem management processes within your organization, see the Microsoft Operations Framework (MOF) link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. For more information about monitoring Active Directory, see "Monitoring Active Directory" in this guide.
- Active Directory configuration, including replication-related configuration documentation.
- Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), and IP configurations.
- Application and service documentation (such as Exchange).
- Administrative model.
- Server placement and configurations.
- Change management logs.
Active Directory Services Concepts
To discover the root cause of problems with Active Directory, ensure that the personnel performing troubleshooting understand common Active Directory operations like replication and password change and how the following processes and role holders are involved in these operations:
- Operations master roles (including PDC emulator, relative identifier (RID) master, domain naming master, schema master, and infrastructure master).
- Key Distribution Center (KDC).
- Knowledge Consistency Checker (KCC).
- Intersite Topology Generator (ISTG).
- Time Reference Server (TRS).
Because Active Directory interacts with external services and protocols, such as TCP/IP for the transport protocol, DNS for name resolution, and FRS for file replication of Group Policy objects and logon scripts, accurately determining the cause of a problem and applying a solution becomes more complex. Effective troubleshooting requires a thorough knowledge of these and other protocols, as well as the diagnostic tools associated with each protocol. For more information about Active Directory, networking protocols, and tools, see the Microsoft® Windows® 2000 Server Resource Kit. You can obtain additional information by searching Microsoft.com and TechNet, or by taking advantage of MCSE training classes and books.
Tools for troubleshooting (table continued from the previous page). The sources shown in the table are: Windows 2000 operating system tool, Windows 2000 Administrative Tools Pack, Windows 2000 Support Tools, and Windows 2000 Server Resource Kit. Where the extracted text lost the tool name, only its function is listed:
- Dcdiag.exe (Windows 2000 Support Tools and Windows 2000 Server Resource Kit).
- Manage DNS.
- Compare directory information on domain controllers and detect differences.
- Monitor events recorded in event logs.
- View and manage network configuration.
- Perform Lightweight Directory Access Protocol (LDAP) operations against Active Directory.
- Linkd.exe: Create, delete, update, and view the links that are stored in junction points.
- MMC: Create, save, and open administrative tools (called MMC snap-ins) that manage hardware, software, and network components.
- Netdiag.exe: Check end-to-end network connectivity and distributed services functions.
- Netdom.exe: Allow batch management of trusts, joining computers to domains, and verifying trusts and secure channels.
- Perform common tasks on network services, including stopping, starting, and connecting to network resources.
- Nltest.exe: Verify that the locator and secure channel are functioning.
- Ntdsutil.exe: Manage Active Directory, manage single master operations, remove metadata.
- Ntfrsutl.exe: View and manage FRS configuration.
- Performance Monitor: View system performance data, performance logs and alerts, and trace log files.
- Pathping.exe: Trace a route from a source to a destination on a network, show the number of hops, and show packet loss.
- Verify network connectivity.
- View and modify registry settings.
- Verify replication consistency between replication partners, monitor replication status, display replication metadata, and force replication events and topology recalculation.
- Replmon.exe: Display replication topology, monitor replication status, and force replication events and topology recalculation.
- Manage Group Policy settings.
- Start, stop, pause, or resume system services on remote and local computers, and configure startup and recovery options for each service.
- Manage security principal names (SPNs).
- View processes and performance data.
- Access and manage computers remotely.
- Manage Windows Time Service.
- Access files, Web pages, and network locations.
nature of reactive problem-solving, you might experience a service disruption at a significant cost. It is important to use a monitoring system to avoid these costs. If you are following the best practices for operations and are using a monitoring system, usually the monitoring system proactively alerts you before an issue escalates to a service outage. A monitoring system is also likely to indicate the most common ways to resolve the problem. If you are alerted to a problem by the monitoring system, open a new help desk ticket and document all information raised by the alert, including the suggested remedies. Collect as much supporting information from the monitoring system as possible, including other alerts occurring on the same computer or other computers and services that might also be involved in the problem. Then open a problem ticket for the customer call and verify that you have enough information to proceed. Typically, you need information such as:
- Date and time of occurrence.
- Error message number and text.
- Client information, including: computer name for the client; user ID being used when the problem occurred; TCP/IP configuration; list of DNS servers that the client is configured to use; operating system version, service pack, and any hot fixes.
- Computer name for the server; TCP/IP configuration; operating system version, service pack, and any hot fixes.
- Domain name of the client.
- Domain name of the server.
- Application name and related settings.
- Service involved in the problem, such as network BIOS (NetBIOS), DNS, Server Message Block (SMB), and Lightweight Directory Access Protocol (LDAP).
- Whether the problem is repeatable. If so, include the steps taken to reproduce the problem.
- Whether others are having the same problem.
- Whether the help desk is able to duplicate and verify the issue. Include any troubleshooting steps already taken by the help desk, such as using Ping to verify network connectivity to the client or server.
Important
When troubleshooting Active Directory, remember that the client is the computer that makes the request and the server is the computer that responds to the request. Thus, computers running Microsoft® Windows® 2000 Professional or Microsoft® Windows® 2000 Server can be either clients or servers, depending on whether they are initiating or responding to a request.
Note
If the problem was not reported by the monitoring system, first open a new problem ticket to correct the gap in your monitoring coverage and then communicate the failure to the appropriate personnel. Information derived from troubleshooting this problem can provide the monitoring or problem management team with valuable insight to help detect and potentially prevent this problem in the future.
For more information about problem tickets, see the Microsoft Operations Framework (MOF) link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
Know the required steps for all of the protocols and services to function successfully, and be familiar with the common breaking points for each step.
previous step. The client must be correctly configured, connected to the network, and functioning properly. To verify the client health, perform the following tests:
- Verify that the client is connected to the local area network (LAN). Verify that network cables and hubs are firmly connected, and that any status indicators on network adapters and hubs are reporting activity.
- Use Performance Monitor to ensure that the client's CPU usage is not too high.
- Verify network configuration for the client. Verify that the client's IP configuration settings, including DNS and WINS settings, are correct. Resolve any problems before continuing.
Client health problems are generally simple to fix. If you find a problem at this point, correct it before proceeding. For more information about troubleshooting client health problems, see the Operations Guide of the Microsoft® Windows® 2000 Server Resource Kit. For more information about troubleshooting networking problems, see the TCP/IP Core Networking Guide of the Windows 2000 Server Resource Kit.
For more information about troubleshooting network problems, see the TCP/IP Core Networking Guide of the Windows 2000 Server Resource Kit.
- Verify that the server is connected to the LAN. Verify that network cables and hubs are firmly connected, and that any status indicators on network adapters and hubs are reporting activity.
- Verify network configuration. Verify that IP configuration settings, including DNS and WINS settings, are correct. Resolve any problems before continuing.
- Verify network connectivity. If any of the Ping or Pathping tests fail, see "TCP/IP Troubleshooting" in the TCP/IP Core Networking Guide of the Windows 2000 Server Resource Kit.
For more information about troubleshooting server health problems, see the Operations Guide of the Windows 2000 Server Resource Kit. For more information about troubleshooting networking problems, see the TCP/IP Core Networking Guide of the Windows 2000 Server Resource Kit.
In addition, view the service event log (typically, the application event log). If you find any warning or error events in the event log, determine the source and refer to the corresponding section in this guide for further troubleshooting procedures. If the event is not discussed in this guide, search the Microsoft Knowledge Base. To search the Microsoft Knowledge Base, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. For more information about troubleshooting service health problems, see the Operations Guide of the Windows 2000 Server Resource Kit.
An administrator adds a user to Active Directory at DC1. Several hours later, the change still has not replicated to DC4. You initially identify DC3 and DC4 as the client and server involved. Your troubleshooting indicates that DC3 did not replicate the change to DC4. After verifying the health of the client, the network, the server, and replication, you determine that they are working properly. You must then iterate the troubleshooting process, but with the next link in the chain: DC2 and DC3. If this pair is working properly, then you need to verify DC1 and DC2. Applying a structured approach to the troubleshooting process helps you methodically find the root cause of any distributed systems problem, regardless of the client, server, or service involved.
4. If the problem still exists on the PDC emulator in its new location, determine whether account lockout policy is defined on this domain. If account lockout is defined:
   a. Confirm that all of the available patches are installed. If needed, contact Microsoft Product Support Services for this information.
   b. Enable auditing on the PDC emulator. Find and remove any bad service accounts.
5. If you are using Systems Management Server (SMS), ensure that you have installed the most current SMS service packs.
6. If you have Windows NT 4.0-based BDCs and clients that are running Windows 2000 Professional or Windows XP Professional, perform the following tasks:
   a. In Performance Monitor, examine the "Logon Total" and "Logon/sec" counters for the Server object under System Monitor. Do this on different domain controllers in your environment, especially on subnets that contain both Windows 2000-based and Windows NT 4.0-based domain controllers. Compare these numbers on the different domain controllers to determine whether any Windows 2000-based domain controller is overloaded with a large number of authentication requests.
   b. Member computers that are running Windows 2000 and Windows XP authenticate exclusively with Active Directory domain controllers in a domain once the domain controllers are discovered by the member computers. If a Windows 2000-based domain controller is overloaded because the number of upgraded domain controllers in the domain is not yet sufficient to withstand requests from all upgraded clients, you can alleviate the problem by adding Windows 2000-based domain controllers. If necessary, configure Windows NT 4.0 emulation for each Windows 2000-based domain controller in order to stop the overloading effect until enough domain controllers have been upgraded. Rejoin the clients that have discovered up-level domain controllers to the domain. During your upgrade process, first upgrade domain controllers in locations with large populations of clients that are running Windows XP and Windows 2000. You also need to rejoin all Windows 2000-based and Windows XP-based domain members. In the rejoin procedure, specify a NetBIOS name for the domain. Until the domain members are rejoined, they cannot contact any domain controllers in the domain.
   c. Configure Windows NT 4.0 emulation for some computers. You can configure computers that run Windows 2000 Service Pack 2 (SP2) or later to inform domain controllers that are running in Windows NT 4.0 emulation mode not to use Windows NT 4.0 emulation mode when they respond to requests from those computers.
7. If you are still experiencing problems, see "Reducing the Workload on the PDC Emulator" in this guide for more information about changing DNS weight or priority registry settings to reduce the workload for the PDC emulator.
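The counter comparison in step 6a, as an added example that is not part of the original guide: it samples the Server object's "Logon Total" and "Logon/sec" counters on every domain controller and flags the one absorbing a disproportionate share of authentication requests. It assumes Windows PowerShell 5.1 or later with the ActiveDirectory module and rights to read performance counters on the remote DCs; the 3x-median threshold is an arbitrary starting point, not a value from the guide.

```powershell
# Added example, not part of the Operations Guide: compare the Server object's
# "Logon Total" and "Logon/sec" counters across domain controllers (step 6a
# above) to find a DC that is absorbing a disproportionate share of
# authentication requests. Assumptions: Windows PowerShell 5.1 or later with
# the ActiveDirectory module, and rights to read performance counters on the
# remote DCs. The 3x-median threshold is an arbitrary starting point.
function Get-DcLogonLoad {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter * |
                                       Select-Object -ExpandProperty HostName),
        [int]$SampleInterval = 5,
        [int]$MaxSamples = 6
    )
    $paths = '\Server\Logon Total', '\Server\Logon/sec'
    foreach ($dc in $DomainController) {
        try {
            $samples = Get-Counter -ComputerName $dc -Counter $paths `
                -SampleInterval $SampleInterval -MaxSamples $MaxSamples -ErrorAction Stop
        } catch {
            Write-Warning "$dc : $($_.Exception.Message)"
            continue
        }
        # Average the per-second rate over all samples; keep the last running total
        $flat   = $samples.CounterSamples
        $perSec = $flat | Where-Object { $_.Path -like '*logon/sec' } |
                  Measure-Object -Property CookedValue -Average
        $total  = $flat | Where-Object { $_.Path -like '*logon total' } | Select-Object -Last 1
        [pscustomobject]@{
            DomainController = $dc
            LogonTotal       = [int64]$total.CookedValue
            LogonPerSecAvg   = [math]::Round($perSec.Average, 2)
        }
    }
}

# Rank DCs by logons per second and flag any DC far above the median; that DC is
# the candidate for NT 4.0 emulation, additional DCs, or DNS weight/priority changes.
$load = @(Get-DcLogonLoad | Sort-Object LogonPerSecAvg -Descending)
$load | Format-Table -AutoSize
if ($load.Count -gt 1) {
    $median = ($load | Sort-Object LogonPerSecAvg)[[int][math]::Floor($load.Count / 2)].LogonPerSecAvg
    $load | Where-Object { $_.LogonPerSecAvg -gt 3 * [math]::Max($median, 1) } | ForEach-Object {
        Write-Warning "$($_.DomainController): ~$($_.LogonPerSecAvg) logons/sec, more than 3x the median ($median)"
    }
}
```

Run it from a management host during the busiest logon window; a DC that stands out on a subnet shared with NT 4.0 BDCs is the one the procedure's emulation and rejoin steps are aimed at.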
Deployment Guides" and download Best Practice Active Directory Deployment for Managing Windows Networks.
2. Verify network configuration and ensure that the DNS settings are correct. Ensure that the DNS weight and priority registry settings that are set for load balancing are correct.
3. Use Adperf.exe to determine the problem.
   a. If Adperf reveals searches that are consuming high CPU, turn on inefficient LDAP query logging to identify a bad application or missing index.
   b. If Adperf shows that a small set of clients is causing a high server load, troubleshoot the clients. An application problem is most likely causing the high CPU usage.
   c. If Adperf shows that a small set of users is causing a high server load, determine what actions they are performing to cause the load.
4. If you have Windows NT 4.0 BDCs and Windows 2000 Professional or Windows XP Professional clients, do the following:
   a. Configure Windows NT 4.0 emulation. If a Windows 2000-based domain controller is overloaded because the number of upgraded domain controllers in the domain is not yet sufficient to withstand requests from all upgraded clients, and if it is not already configured for Windows NT 4.0 emulation mode, configure the domain controller for Windows NT 4.0 emulation in order to stop the overloading effect until enough domain controllers have been upgraded. During your upgrade process, first upgrade domain controllers in locations with large populations of clients that are running Windows XP and Windows 2000. You also need to rejoin all Windows 2000-based and Windows XP-based domain members. In the rejoin procedure, specify a NetBIOS name for the domain. Until the domain members are rejoined, they cannot contact any domain controllers in the domain.
   b. Modify Windows NT 4.0 emulation for some computers. You can configure computers that run Windows 2000 SP2 to inform domain controllers that are running in Windows NT 4.0 emulation mode not to use it when they respond to requests from those computers.
5. If this is a sudden increase in CPU usage, reconfigure or resize the server.
Table 2.4 shows the DNS records that are required for proper Active Directory functionality.

Table 2.4 Required DNS Records

Mnemonic    | Type  | DNS Record                                   | Requirements
Pdc         | SRV   | _ldap._tcp.pdc._msdcs.<DnsDomainName>        | One per domain
Gc          | SRV   | _ldap._tcp.gc._msdcs.<DnsForestName>         | At least one per forest
GcIpAddress | A     | _gc._msdcs.<DnsForestName>                   | At least one per forest
            | CNAME | <DsaGuid>._msdcs.<DnsForestName>             | One per domain controller
            | SRV   | _kerberos._tcp.dc._msdcs.<DnsDomainName>     | At least one per domain
            | SRV   | _ldap._tcp.dc._msdcs.<DnsDomainName>         | At least one per domain
            | A     | <DomainControllerFQDN>                       | One per domain controller (domain controllers that have multiple IP addresses can have more than one A resource record)
Following the best practices recommendations regarding DNS configuration from the beginning of the deployment is key for successful Active Directory deployment and operations. For more information about best practices for Active Directory design and deployment, see the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Search under "Planning & Deployment Guides" and download Best Practice Active Directory Design for Managing Windows Networks and Best Practice Active Directory Deployment for Managing Windows Networks. For comprehensive information about troubleshooting DNS problems, see "Windows 2000 DNS" in the TCP/IP Core Networking Guide of the Windows 2000 Server Resource Kit. For more information about troubleshooting WINS name resolution problems, see "Windows Internet Name Service" in the TCP/IP Core Networking Guide of the Windows 2000 Server Resource Kit. For an online version of this book, see http://www.microsoft.com/windows2000/reskit. Table 2.5 shows common events and symptoms that indicate DNS problems and points to sections where solutions can be found.
Table 2.5 Events and Symptoms That Indicate DNS Problems

Symptom                                                                                    | See
Active Directory Installation Wizard failed because it was unable to locate a domain controller | "Procedures for Troubleshooting Active Directory Installation Wizard Failure to Locate Domain Controller"
Unable to join a domain                                                                    | "Procedures for Troubleshooting Failure to Locate Domain Controller when Attempting to Join a Domain"
Procedures for Troubleshooting Active Directory Replication Failure Due to Incorrect DNS Configuration
1. Verify DNS records and determine whether all the necessary DNS records of the source domain controller exist in the DNS server used by the destination domain controller.
2. If the destination domain controller is able to resolve the necessary DNS records, the problem is most likely with network connectivity or a stopped or malfunctioning Active Directory-related service. Use the Ping command to verify network connectivity between the source domain controller and the destination domain controller. If the Ping command fails, you must troubleshoot network connectivity between the source domain controller and the destination domain controller. For more information about troubleshooting network connectivity, see "TCP/IP Troubleshooting" in the TCP/IP Core Networking Guide of the Windows 2000 Server Resource Kit. If you are able to ping the destination domain controller, troubleshoot Active Directory-related services. Verify that they are started and functional. For more information about troubleshooting Active Directory-related services, see "Verifying Service Health" in this guide, or see the individual sections in this guide for each service. If you are unable to resolve the problem, contact either your designated support provider or Microsoft Product Support Services.
3. If the destination domain controller is not able to resolve the necessary DNS records, then the problem is most likely with DNS configuration.
   a. Verify network configuration to ensure that the preferred and alternate DNS server settings specified in the IP configuration of the destination domain controller are correct. For more information about correct DNS server settings for Active Directory, see the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Search under "Planning & Deployment Guides" and download Best Practice Active Directory Design for Managing Windows Networks and Best Practice Active Directory Deployment for Managing Windows Networks.
   b. If the settings for the destination domain controller are incorrect, change the configuration, flush the DNS cache, and retry the operation that failed.
   - or -
   If the client settings for the destination domain controller are configured correctly, verify that the primary zone that is authoritative for the CNAME resource record for <DsaGuid>._msdcs.<ForestName> allows dynamic updates. (DsaGuid is the objectGUID of the NTDS Settings object beneath the Server object that corresponds to the source domain controller.) At a command prompt on the source domain controller, type the following command and press ENTER:

dcdiag /test:registerindns /dnsdomain:FQDN

   If the primary zone that is authoritative for the CNAME resource record does not allow dynamic updates, enable secure dynamic updates on this zone. Repeat this step for the A resource record of the source domain controller.
   c. Verify network configuration to ensure that the preferred and alternate DNS server settings specified in the IP configuration of the source domain controller are correct. For more information about correct DNS server settings for Active Directory, see the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Search under "Planning & Deployment Guides" and download Best Practice Active Directory Design for Managing Windows Networks and Best Practice Active Directory Deployment for Managing Windows Networks.
   d. If the settings for the source domain controller are incorrect, change the configuration, flush the DNS cache, and stop and start the Net Logon service.
   e. Verify that the required DNS resource records are registered on the destination domain controller. At a command prompt, type the following command and press ENTER:

dcdiag /test:connectivity
4. If the problem continues, it might be due to a problem with DNS data replication. Review your DNS design to determine whether it includes end-to-end DNS replication. Determine whether DNS replication is failing due to an Active Direct replication failure. For more information about detecting and troubleshooting an Active Directory replication failure, see "Troubleshooting Active Directory Replication" in this guide.
5. If the problem continues, configure the IP settings of the affected domain controllers so that they all have the same primary and secondary DNS servers. Then stop and start Net Logon, flush the DNS cache, and retry the operation that failed. This is a temporary configuration that you can use to recover from the failure, but be sure to return to the original configuration that you designed based on the recommendations provided in Best Practice Active Directory Design for Managing Windows Networks. For more information about correct DNS server settings for Active Directory, see the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Search under "Planning & Deployment Guides" and download Best Practice Active Directory Deployment for Managing Windows Networks.
6. If the problem continues, see more DNS troubleshooting information in "Windows 2000 DNS" in the TCP/IP Core Networking Guide of the Windows 2000 Server Resource Kit.
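The record checks in Table 2.4 and in steps 1 and 3b of the procedure above, as one added example that is not part of the original guide: it resolves every locator record for a domain and forest, plus the per-DC DSA CNAME and host A records, against the resolver the destination DC actually uses, and reports the dynamic-update setting of the zone that must accept the CNAME. It assumes Windows PowerShell 5.1 or later with the DnsClient and ActiveDirectory modules, and the DnsServer module plus rights on the DNS server for the zone check. The Mnemonic labels for the CNAME and host A rows are this example's own, and corp.example.com, DC1 and 10.0.0.10 are placeholders.

```powershell
# Added example, not part of the Operations Guide: resolve the locator records
# from Table 2.4 for a domain and forest, plus the per-DC DSA CNAME and host A
# records that steps 1 and 3b of the replication procedure check, against the
# DNS server the destination DC actually uses, and report the dynamic-update
# setting of the zone that must accept the CNAME. Assumptions: Windows
# PowerShell 5.1+ with the DnsClient and ActiveDirectory modules; the zone
# check needs the DnsServer module and rights on the DNS server. The names
# corp.example.com, DC1 and 10.0.0.10 are placeholders.
function Test-AdLocatorRecords {
    param(
        [Parameter(Mandatory)][string]$DnsDomainName,
        [string]$DnsForestName = $DnsDomainName,
        [string]$DnsServer,                 # resolver configured on the destination DC
        [string[]]$SourceDc = @()           # source DCs whose CNAME and A records must resolve
    )
    $checks = @(
        @{ Mnemonic='Pdc';         Type='SRV'; Name="_ldap._tcp.pdc._msdcs.$DnsDomainName" }
        @{ Mnemonic='Gc';          Type='SRV'; Name="_ldap._tcp.gc._msdcs.$DnsForestName" }
        @{ Mnemonic='GcIpAddress'; Type='A';   Name="_gc._msdcs.$DnsForestName" }
        @{ Mnemonic='Kdc';         Type='SRV'; Name="_kerberos._tcp.dc._msdcs.$DnsDomainName" }
        @{ Mnemonic='Dc';          Type='SRV'; Name="_ldap._tcp.dc._msdcs.$DnsDomainName" }
    )
    foreach ($dc in $SourceDc) {
        # DsaGuid is the objectGUID of the DC's NTDS Settings object
        $dcObj = Get-ADDomainController -Identity $dc
        $guid  = (Get-ADObject -Identity $dcObj.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
        $checks += @{ Mnemonic='DsaCname'; Type='CNAME'; Name="$guid._msdcs.$DnsForestName" }
        $checks += @{ Mnemonic='HostA';    Type='A';     Name=$dcObj.HostName }
    }
    foreach ($c in $checks) {
        $params = @{ Name = $c.Name; Type = $c.Type; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($DnsServer) { $params.Server = $DnsServer }
        try {
            $answers = @(Resolve-DnsName @params | Where-Object { $_.Type -eq $c.Type })
            $found   = $answers.Count -gt 0
            $detail  = ($answers | ForEach-Object {
                switch ($c.Type) {
                    'SRV'   { "$($_.NameTarget):$($_.Port)" }
                    'A'     { $_.IPAddress }
                    'CNAME' { $_.NameHost }
                }
            }) -join ', '
        } catch { $found = $false; $detail = $_.Exception.Message }
        [pscustomobject]@{ Mnemonic=$c.Mnemonic; Type=$c.Type; Record=$c.Name; Found=$found; Detail=$detail }
    }
}

function Get-MsdcsZoneUpdatePolicy {
    # Step 3b: the zone holding <DsaGuid>._msdcs.<forest> must allow (secure) dynamic updates.
    param([Parameter(Mandatory)][string]$DnsForestName, [string]$DnsServer = 'localhost')
    foreach ($zone in "_msdcs.$DnsForestName", $DnsForestName) {     # delegated zone first, then parent
        $z = Get-DnsServerZone -Name $zone -ComputerName $DnsServer -ErrorAction SilentlyContinue
        if ($z) { return [pscustomobject]@{ Zone=$z.ZoneName; ZoneType=$z.ZoneType; DynamicUpdate=$z.DynamicUpdate } }
    }
}

$result = Test-AdLocatorRecords -DnsDomainName 'corp.example.com' -DnsServer '10.0.0.10' -SourceDc 'DC1'
$result | Format-Table -AutoSize
$result | Where-Object { -not $_.Found } |
    ForEach-Object { Write-Warning "Missing or unresolvable: $($_.Type) $($_.Record) [$($_.Mnemonic)]" }
Get-MsdcsZoneUpdatePolicy -DnsForestName 'corp.example.com' -DnsServer '10.0.0.10'
```

Point -DnsServer at the preferred DNS server from the destination DC's IP configuration rather than at whatever the management host uses; the procedure's step 3 is about what that particular resolver can see. A DynamicUpdate value of None on the zone is the condition step 3b tells you to correct.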
Procedures for Troubleshooting Domain Controller Locator DNS Records Registration Failure
1. Verify network configuration to ensure that the preferred and alternate DNS servers specified in the IP configuration of the domain controller are correct. For more information about correct DNS settings, see the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Search under "Planning & Deployment Guides" and download Best Practice Active Directory Design for Managing Windows Networks and Best Practice Active Directory Deployment for Managing Windows Networks. If the problem persists, continue to the next step.
2. At a command prompt, type the following command and press ENTER:

dcdiag /test:registerindns /dnsdomain:FQDN /v

Procedures for Troubleshooting Active Directory Installation Wizard Failure to Locate Domain Controller
1. Verify network configuration to ensure that the preferred and alternate DNS servers specified in the IP configuration of the server that is being promoted are correct. For more information about correct DNS settings, see the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Search under "Planning & Deployment Guides" and download Best Practice Active Directory Design for Managing Windows Networks and Best Practice Active Directory Deployment for Managing Windows Networks. If the problem persists, continue to the next step.
2. At a command prompt, type one of the following commands and press ENTER:

dcdiag /test:dcpromo /dnsdomain:FQDN /NewTree /ForestRoot:Forest_Root_Domain_DNS_Name /v
dcdiag /test:dcpromo /dnsdomain:FQDN /ChildDomain /v
dcdiag /test:dcpromo /dnsdomain:FQDN /ReplicaDC /v

This tests the existing DNS infrastructure to see whether a domain controller can be promoted.
3. Follow the recommendations provided in the output.
Procedures for Troubleshooting Failure to Locate Domain Controller when Attempting to Join a Domain
1. Verify network configuration to ensure that the preferred and alternate DNS servers specified in the IP configuration of the computer attempting to join the domain are correct. For more information about correct DNS settings, see the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Search under "Planning & Deployment Guides" and download Best Practice Active Directory Design for Managing Windows Networks and Best Practice Active Directory Deployment for Managing Windows Networks. If there is still a problem, continue to the next step.
2. At a command prompt, type the following and press ENTER:

netdiag /test:dsgetdc /d:DomainName /v

3. If any of the tests fail, follow the recommendations provided in the output.

Troubleshooting FRS
FRS supports a multimaster file replication model in which any computer can originate or accept changes to any other computer taking part in the replication configuration. Before you troubleshoot FRS problems, understand the following characteristics of multimaster file replication:
- Be aware of how changes made in replicated file areas, including the bulk reset of permissions or other file attributes by administrators or applications, can affect bandwidth.
- Any changes to the file system will eventually occur on all other members of the replication set. Do not try to speed up the process by making the same change on other FRS replication partners. This could result in data errors.
- If, after modifying a file, you notice that it has somehow reverted back to a previous version, another operator or application might be making changes in the same area, overwriting the earlier changes. In this case, try to find the other operator or application that is causing the problem.
- Any files that you delete on one member will be deleted on all other members.
- If you rename a file or folder so that it is moved out of the replication tree, FRS will treat it as a deletion on the other replication set members because the file or folder has disappeared from the scope of the replica set.
- If two operators create a file or folder at the same time (or before the change has replicated), the file or folder will "morph," or receive a modified name, such as folder_ntfrs_012345678. FRS behaves this way in order to avoid data loss in such situations.
- Keep the FRS service running at all times in order to avoid a journal wrap condition.
Table 2.6 shows common events and symptoms that indicate FRS problems and the solution or action required.

Table 2.6 Events and Symptoms that Indicate FRS Problems

Event or Symptom | Root Cause | Solution
FRS Event ID 13508 | FRS was unable to create an RPC connection to a replication partner. | If this message is not followed by an FRS event ID 13509, troubleshoot FRS event ID 13508 without FRS event ID 13509.
FRS Event ID 13509 | FRS was able to create an RPC connection to a replication partner. | No action required.
FRS Event ID 13511 | The FRS database is out of disk space. | Treat this as a priority 1 problem. Troubleshoot FRS event ID 13511.
FRS Event ID 13522 | The staging area is full. | If you are using Windows 2000 SP2 or earlier, treat this as a priority 1 problem. If you are using SP3, treat this as a priority 3 problem. Troubleshoot FRS event ID 13522.
FRS Event ID 13526 | The SID cannot be determined from the distinguished name. | Treat this as a priority 1 problem. Troubleshoot FRS event ID 13526.
FRS Event ID 13548 | System clocks are too far apart on replica members. | Treat this as a priority 1 problem. Troubleshoot FRS event ID 13548.
FRS Event ID 13557 | Duplicate connections are configured. | Treat this as a priority 1 problem. Troubleshoot FRS event ID 13557.
FRS Event ID 13567 | Excessive replication was detected and suppressed. | Treat this as a priority 2 problem. Troubleshoot FRS event ID 13567.
FRS Event ID 13568 | Journal wrap error. | If you are using Windows 2000 SP2 or earlier, treat this as a priority 2 problem. If you are using SP3, treat this as a priority 1 problem. Troubleshoot FRS event ID 13568.
Files are not replicating | Files can fail to replicate for a wide range of underlying reasons: DNS, file and folder filters, communication issues, topology problems, insufficient disk space, FRS servers in an error state, or sharing violations. | Troubleshoot files not replicating.
Morphed folders | If duplicate folders are manually created on multiple domain controllers before they have been able to replicate, FRS preserves content by "morphing" the folder names of the last folders to be created. | Troubleshoot morphed folders.
\\<domain>\SYSVOL share appears to be empty | SYSVOL folders include a reparse point that points to the correct location of the data. You must take special steps to recover a deleted reparse point. | Verify that the SYSVOL junction points are in place and recreate any that are missing.
Excessive disk or CPU usage by FRS | A service or application is unnecessarily changing all or most of the files in a replica set on a regular basis. For example, an antivirus software package might be rewriting the ACL on many files, causing FRS to replicate these files unnecessarily. | Troubleshoot excessive disk and CPU usage by NTFRS.exe.
Ntfrsutl can be used on remote computers, so you can get status information for any member of a replica set from a single console. For more information about troubleshooting FRS, see the File Replication Service (FRS) link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Troubleshooting FRS Event 13508 without FRS Event 13509
FRS event ID 13508 is a warning that the FRS service has been unable to complete the RPC connection to a specific replication partner. It indicates that FRS is having trouble enabling replication with that partner and will keep trying to establish the connection.
Note
If FRS is stopped after an event ID 13508 is logged and then later started at a time when the communication issue has been resolved, event ID 13509 will not appear in the event log. In this case, look for an event indicating that FRS has started, and ensure it is not followed by another event 13508.

A single FRS event ID 13508 does not mean anything is broken or not working, as long as it is followed by FRS event ID 13509, which indicates that the problem was resolved. Based on the time between FRS event IDs 13508 and 13509, you can determine whether a real problem needs to be addressed. Because FRS servers gather replication topology information from the closest domain controller, a replica partner in another site will not be aware of the replica set until the topology information has been replicated to domain controllers in that site. When the topology information finally reaches that distant domain controller, the FRS partner in that site will be able to participate in the replica set and FRS event ID 13509 will be logged. Intrasite Active Directory replication partners replicate every five minutes. Intersite replication only replicates when the schedule is open (the shortest delay is 15 minutes). In addition, FRS polls the topology at defined intervals: five minutes on domain controllers, and one hour on other member servers of a replica set. These delays and schedules can delay propagation of the FRS replication topology, especially in topologies with multiple hops.

Procedures for Troubleshooting FRS Event 13508 without Event 13509
1. Examine the FRS event ID 13508 to determine the machine that FRS has been unable to communicate with.
2. Determine whether the remote machine is working properly, and verify that FRS is running on it. Type the following command at a command prompt on the computer that logged the FRS event ID 13508 and press ENTER:

ntfrsutl version <FQDN of remote domain controller>

   If this fails, check network connectivity by using the Ping command to ping the fully qualified domain name (FQDN) of the remote domain controller from the computer that logged the FRS event ID 13508. If this fails, then troubleshoot as a DNS or TCP/IP issue. If it succeeds, confirm that the FRS service is started on the remote domain controller.
3. Determine whether FRS has ever been able to communicate with the remote computer by looking for FRS event ID 13509 in the event log, and see whether the FRS problem correlates to recent change management to networking, firewalls, DNS configuration, or Active Directory infrastructure.
4. Determine whether anything between the two machines is capable of blocking RPC traffic, such as a firewall or router.
5. Confirm that Active Directory replication is working. For more information about troubleshooting Active Directory replication, see "Troubleshooting Active Directory Replication Problems" in this guide.
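The 13508/13509 pairing described above, including the restart caveat in the note, as an added example that is not part of the original guide: it walks the FRS event log in time order, opens an outage per partner on 13508, closes it on the matching 13509 (or on an FRS start event when no further 13508 follows), and reports what is still open together with the outage duration. It assumes PowerShell 3 or later on a domain controller that still runs FRS; the start event ID 13501 and the "replication from <partner> to <local>" wording used to extract the partner name are assumptions, and the sample events are constructed, not real log data.

```powershell
# Added example, not part of the Operations Guide: pair each FRS event 13508
# (RPC connection to a partner failed) with the 13509 that should follow it,
# per partner, and report outages that are still open. As the note above says,
# restarting FRS after the fault is fixed suppresses 13509, so an FRS start
# event also closes earlier 13508s as long as no new 13508 follows.
# Assumptions: PowerShell 3 or later on a DC that still runs FRS; the start
# event ID is taken to be 13501, and the partner name is parsed from the
# "replication from <partner> to <local>" wording of the messages.
function Get-FrsPartnerFromMessage {
    param([string]$Message)
    if ($Message -match 'replication from\s+([A-Za-z0-9._-]+)\s+to\s+') { return $Matches[1].ToUpper() }
    return 'UNKNOWN'
}

function Get-Frs13508Status {
    param(
        [Parameter(Mandatory)][object[]]$Events,          # need Id, TimeCreated, Message
        [int]$StartEventId = 13501,
        [datetime]$Now = (Get-Date)
    )
    $open    = @{}                                        # partner -> first unresolved 13508
    $results = New-Object System.Collections.Generic.List[object]
    $close = {
        param($Partner, $When, $Resolved)
        $results.Add([pscustomobject]@{
            Partner = $Partner; Opened = $open[$Partner]; Closed = $When
            Outage  = $When - $open[$Partner]; Resolved = $Resolved
        })
    }
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        if ($e.Id -eq 13508) {
            $p = Get-FrsPartnerFromMessage $e.Message
            if (-not $open.ContainsKey($p)) { $open[$p] = $e.TimeCreated }
        } elseif ($e.Id -eq 13509) {
            $p = Get-FrsPartnerFromMessage $e.Message
            if ($open.ContainsKey($p)) { & $close $p $e.TimeCreated $true; $open.Remove($p) }
        } elseif ($e.Id -eq $StartEventId) {
            # FRS restarted: treat everything still open as cleared unless a new 13508 arrives
            foreach ($p in @($open.Keys)) { & $close $p $e.TimeCreated $true; $open.Remove($p) }
        }
    }
    foreach ($p in @($open.Keys)) { & $close $p $Now $false }
    return $results
}

# Constructed sample events (not real log data) for an offline run: DC2's
# outage resolved after 20 minutes; DC3's has no 13509 yet.
$sample = @(
    [pscustomobject]@{ Id=13508; TimeCreated=[datetime]'2001-06-26 01:00'; Message='The File Replication Service is having trouble enabling replication from DC2 to DC1 for c:\winnt\sysvol\domain using the DNS name dc2.corp.com. FRS will keep retrying.' }
    [pscustomobject]@{ Id=13509; TimeCreated=[datetime]'2001-06-26 01:20'; Message='The File Replication Service has enabled replication from DC2 to DC1 for c:\winnt\sysvol\domain after repeated retries.' }
    [pscustomobject]@{ Id=13508; TimeCreated=[datetime]'2001-06-26 02:00'; Message='The File Replication Service is having trouble enabling replication from DC3 to DC1 for c:\winnt\sysvol\domain using the DNS name dc3.corp.com. FRS will keep retrying.' }
)
Get-Frs13508Status -Events $sample -Now ([datetime]'2001-06-26 03:00') | Format-Table -AutoSize

# On a live DC, feed the real log instead:
# Get-Frs13508Status -Events (Get-WinEvent -FilterHashtable @{
#     LogName = 'File Replication Service'; Id = 13508, 13509, 13501 })
```

Use the Outage column the way the text suggests: a pair closed within the intersite schedule window plus topology polling delay is expected behaviour, while an entry with Resolved set to False is the case the procedure above is written for.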
controller becomes unreachable over the network or restarts in a single polling interval (the default is five minutes). To resolve this issue, stop and start FRS on the computer logging the error message.
NTFS maintains a special log called the NTFS USN journal, which is a high-level description of all the changes to files and directories on an NTFS volume. FRS uses this mechanism in order to track changes to NTFS directories of interest, and to queue those changes for replication to other computers. The NTFS USN journal has defined size limits and will discard old log information on a first-in, first-out basis in order to maintain its correct size.
If FRS processing falls behind the NTFS USN journal, and if NTFS USN journal information that FRS needed has been discarded, then FRS enters a journal wrap condition. FRS then needs to rebuild its current replication state with respect to NTFS and other replication partners. Each file change on the NTFS volume occupies approximately 100 bytes in this journal (possibly more, depending on the file name size). In general, the NTFS USN journal for an NTFS volume should be sized at 128 megabytes (MB) per 100,000 files being managed by FRS on that NTFS volume. In Windows 2000 SP2 and earlier, the default journal size is 32 MB and the maximum journal size is 128 MB. In Windows 2000 SP3, the default journal size is 128 MB, and the maximum journal size is 10,000 MB. The journal size can be configured with a registry subkey, but keep in mind that once you increase the journal size you should not lower it again, because this will cause a journal wrap. To learn how the USN journal size can be increased, see Knowledge Base article Q221111: Description of FRS Entries in the Registry. To view this Knowledge Base article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
FRS can encounter journal wrap conditions in the following cases:
- Many files are added at once to a replica tree while FRS is busy, starting up, or not running.
- On a server that is being used for authoritative restore, or as the primary server for a new replica partner, excessive file activity at the start of this process can consume NTFS USN journal records. Size the NTFS USN journal at 128 MB per 100,000 files being managed by FRS, as mentioned above, to avoid this condition.
- NTFS needs to be processed with Chkdsk and Chkdsk corrects the NTFS structure. In this case, NTFS creates a new NTFS USN journal for the volume or deletes the corrupt entries from the end of the journal.
- The NTFS USN journal is deleted or reduced in size.
- FRS is in an error state that prevents it from processing changes in the NTFS USN journal.
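The sizing rule and the shrink caveat above, as an added example that is not part of the original guide: it counts the files under a replica root, derives the journal size the guide's rule calls for, reads the journal actually configured on that volume from fsutil usn queryjournal, and refuses to write a smaller value than the one already set. It assumes PowerShell 3 or later run elevated on the replica member; the NtFrs registry value name is an assumption taken from the cited article Q221111 and should be confirmed there before use.

```powershell
# Added example, not part of the Operations Guide: apply the sizing rule above
# (128 MB of USN journal per 100,000 files under FRS management) to a replica
# root, compare it with the journal actually configured on that volume as
# reported by "fsutil usn queryjournal", and guard the registry change against
# the shrink-causes-wrap caveat. Assumptions: PowerShell 3 or later, run
# elevated on the replica member; the NtFrs registry value name used below is
# an assumption taken from the cited article Q221111 and should be confirmed there.
function Get-RecommendedUsnJournalMB {
    param([Parameter(Mandatory)][long]$FileCount)
    # 128 MB per 100,000 files, rounded up to whole 128 MB blocks, never below 128 MB
    $blocks = [math]::Max(1, [math]::Ceiling($FileCount / 100000))
    return [long]($blocks * 128)
}

function Get-UsnJournalMaxMB {
    param([Parameter(Mandatory)][string]$Drive)          # e.g. 'C:'
    $out  = fsutil usn queryjournal $Drive 2>&1
    $line = $out | Where-Object { "$_" -like 'Maximum Size*' } | Select-Object -First 1
    if ($line -and "$line" -match '0x([0-9A-Fa-f]+)') {
        return [long]([Convert]::ToInt64($Matches[1], 16) / 1MB)
    }
    throw "No USN journal reported for $Drive : $out"
}

function Test-FrsJournalSizing {
    param([Parameter(Mandatory)][string]$ReplicaRoot)   # e.g. C:\Windows\SYSVOL\domain
    $drive = [System.IO.Path]::GetPathRoot($ReplicaRoot).TrimEnd('\')
    $files = @(Get-ChildItem -LiteralPath $ReplicaRoot -Recurse -File -Force -ErrorAction SilentlyContinue).Count
    $need  = Get-RecommendedUsnJournalMB -FileCount $files
    $have  = Get-UsnJournalMaxMB -Drive $drive
    [pscustomobject]@{
        ReplicaRoot = $ReplicaRoot; Volume = $drive; Files = $files
        RecommendedMB = $need; ConfiguredMB = $have; Adequate = ($have -ge $need)
    }
}

function Set-FrsUsnJournalMB {
    param([Parameter(Mandatory)][int]$SizeMB)
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
    $name = 'Ntfs Journal size in MB'                    # assumption: confirm the name in Q221111
    $cur  = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($cur -and $SizeMB -lt $cur) {
        throw "Refusing to shrink the journal from $cur MB to $SizeMB MB: shrinking causes a journal wrap"
    }
    Set-ItemProperty -Path $key -Name $name -Value $SizeMB -Type DWord
    # Stop and start NtFrs afterwards so the service picks up the new size
}

Test-FrsJournalSizing -ReplicaRoot "$env:SystemRoot\SYSVOL\domain" | Format-List
```

Run the check on every member of the replica set, not just the one that logged 13568: the rule is per volume, so a member that hosts a second, larger replica tree on the same volume needs the sum of both file counts.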
If FRS is experiencing journal wrap errors on a particular server, it cannot replicate files until the condition has been cleared. To continue replication, the administrator must stop FRS on that server and perform a non-authoritative restore of the data so that the system can synchronize with its replication partners. For more information about performing a non-authoritative restore, see "Performing a Non-Authoritative Restore" in this guide. Note the following: Windows 2000 SP1 cannot perform this process automatically. In Windows 2000 SP2, FRS performs this process automatically.
In Windows 2000 SP3, FRS does not perform this process automatically. The reason for this change was that it was typically being performed at times that were not planned by administrators. However, a registry setting is available that allows FRS to perform the automatic nonauthoritative restore, just as in Windows 2000 SP2. It is nevertheless recommended to leave this as a manual process.
For more information about performing the nonauthoritative restore process on a server, see Knowledge Base article Q292438: Troubleshooting Journal Wrap Errors on SYSVOL and DFS Replica Sets. To view this Knowledge Base article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
registry. Resolve the disk space problem or increase the maximum staging area file space. For more information about troubleshooting staging area problems, see "Troubleshooting FRS Event 13522" in this guide.
10. Check whether the source file was excluded from replication. Confirm that the file is not encrypted by using Encrypting File System (EFS), is not an NTFS junction point (as created by Linkd.exe from the Windows 2000 Server Resource Kit), and is not excluded by a file or folder filter on the originating replica member. If any of these conditions are true, FRS does not replicate such files or directories.
11. Check whether the file is locked on either computer. Use the net file command on the source and destination computers. This command indicates which users are holding the file open on the network, but will not report any files being held open by local processes. If the file is locked on the source computer, then FRS will be unable to read the file to generate the staging file, and replication will be delayed. If the file is locked on the destination computer, then FRS will be unable to update the file. In this case, FRS continues to retry the update until it succeeds. The retry interval is 30 to 60 seconds. If files are being held open by remote users, you can use the net file <id> /close command to force the file closed.
If these methods do not resolve the issue, you can investigate the FRS debug logs to get more details on what is causing the replication to fail. FRS creates text-based logs (%systemroot%\debug\ntfrs_*.log) to help you debug problems. Debug logs effectively describe a two-way conversation between replication partners. A higher number indicates a more recent log (for example, ntfrs_0001.log is the oldest and ntfrs_0005.log the newest). To observe a particular event, take a snapshot of the log files as close to the occurrence of the event as possible. Save the log files in a different directory so they can be examined afterward. Debug lines containing the string :T: are known as "tracking records" and are typically the most useful for understanding why specific files fail to replicate. You can redirect records of interest to a text file using the FINDSTR command. For example:

findstr /I ":T:" %systemroot%\debug\ntfrs_*.log >trackingrecords.txt
findstr /I "error warn fail S0" %systemroot%\debug\ntfrs_*.log >errorscan.txt
Important
SYSVOL uses FRS as the means to replicate data. When troubleshooting FRS, focus on how to enable it to run again, instead of trying to "help" replication by manually copying files to replication partners. This can be used as a stop gap, but requires reinitializing the entire replica set. Manually copying files can cause additional replication traffic, backlogs, and potential replication conflicts. For more information about replication conflicts, see "Troubleshooting Morphed Folders" later in this guide.

For more information about verifying the FRS topology, see the File Replication Service (FRS) link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
Manually co$ied directories with names identical to those )eing re$licated )y -RS to com$uters in the re$lica set,
-or more in*ormation a)out $er*orming an authoritati e restore, see >Acti e Directory %ac&u$ and Restore? in this guide, (o reco er *rom mor$hed *olders you ha e two o$tions: Mo e the mor$hed directories out o* the re$lica tree and )ac& in P0RP Rename the mor$hed directories, (he *irst method wor&s well *or small amounts o* data on a small num)er o* targets, Howe er, i* you miss end+to+end re$lication o* the mo e+out, this method can cause mor$hed directories, (his method also *orces all mem)ers to re+re$licate data, (he second method does not re:uire re+ re$lication o* data, Howe er, it can cause a denial+o*+ser ice condition )y gi ing an in alid $ath when the originating $ath is renamed,
Procedures for Moving Morphed Directories Out of the Replica Tree and Back In
1. Move all morphed directories out of the tree.
2. Wait for end-to-end removal of the data on all targets.
3. While waiting, build a tree containing the desired files and folder versions, including permissions and other attributes.
4. Verify end-to-end deletion of the "move-out" on all targets; otherwise you get a conflict in the next step. Perform a nonauthoritative restore of computers that did not replicate the deletion. Disable FRS on computers that you could not restore. For more information about authoritative and nonauthoritative restores, see "Active Directory Backup and Restore" in this guide.
5. Move the data from outside the tree to inside the replicated tree. Use Xcopy /O (or another copy tool that preserves security descriptors) so that the permissions are carried over.
6. Restart FRS to start the authoritative restore.
If you chose to rename the morphed directories instead, a renamed directory can be deleted after the rename has propagated to all members. Before deleting any folder, ensure that you have a backup of the original (and complete) folder.
1. Verify that the junction points are in place. The following output example shows the junction points.

D:\WINNT\SYSVOL\sysvol>dir
06/26/2001  01:23p    <DIR>          .
06/26/2001  01:23p    <DIR>          ..
06/26/2001  01:23p    <JUNCTION>     corp.com

D:\WINNT\SYSVOL\staging areas>dir
06/26/2001  01:23p    <DIR>          .
06/26/2001  01:23p    <DIR>          ..
06/26/2001  01:23p    <JUNCTION>     corp.com

2. If either of the two junction points is missing, use the Linkd.exe tool from the Windows 2000 Server Resource Kit to recreate them. At a command prompt, type the following commands (each on one line) and press ENTER:

linkd "<drive>:\<path>\SYSVOL\sysvol\<fully qualified domain name>" "<drive>:\<path>\SYSVOL\domain"
linkd "<drive>:\<path>\SYSVOL\staging areas\<fully qualified domain name>" "<drive>:\<path>\SYSVOL\staging\domain"

The sysvol junction must point to the domain folder and the staging areas junction to the staging\domain folder; quote the paths, because "staging areas" contains a space.
Caution
Take great care when copying folders that include directory junctions. When Xcopy copies such a tree in Windows 2000, it copies the junction, not the contents of the folder the junction points to. An administrator can accidentally delete SYSVOL by using the RD /S command on a copy made of SYSVOL: RD /S follows the directory junction into the live SYSVOL folder, but RD without /S does not. Use RD without the /S parameter on such copies.
For more information about troubleshooting excessive disk and CPU usage by Ntfrs.exe, see the following Knowledge Base articles:
- Q284947: "Norton AntiVirus 7.x Makes Changes to Security Descriptors"
- Q282791: "FRS: Disk Defragmentation Causes FRS Replication Traffic"
- Q279156: "Effects of Setting File System Policy on a Disk Drive or Folder"
- Q307777: "Possible Causes of a Full File Replication Service Staging Area"
To view these Knowledge Base articles, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. For more information about troubleshooting high CPU usage on a domain controller, see "Troubleshooting High CPU Usage on a Domain Controller" in this guide.
Use Repadmin.exe to further identify the problem, and use Table x.x to determine the appropriate action to take for the message generated by Repadmin.exe. If the event message indicates a DNS lookup failure or that the RPC server is unavailable, see "Troubleshooting Active Directory-Related DNS Problems" in this guide. If the event message indicates that the target account name is incorrect, troubleshoot GUID discrepancies. If the event message indicates a time difference between the client and server, synchronize replication from the PDC emulator.

Event: NTDS Event ID 1311
Cause: The replication configuration information in Active Directory Sites and Services does not accurately reflect the physical topology of the network.
Action: Troubleshoot NTDS event ID 1311.

Cause: The error is usually generated by a lingering object, which results from disconnecting a domain controller for too long.
Action: If the domain controller does not also function as a global catalog server, see "Remove Lingering Objects from an Outdated Writable Domain Controller." If the domain controller also functions as a global catalog server, see "Remove Lingering Objects from a Global Catalog Server."

Cause: The error occurs over an existing replication link when the GUID of the NTDS Settings object of a replication partner does not match the GUID defined in the servicePrincipalName (SPN) attribute of the computer object of that replication partner.
Action: Troubleshoot GUID discrepancies.

Event: SceCli event ID 1202
Cause: A user account in one or more Group Policy objects (GPOs) cannot be resolved to a security identifier (SID). This is possibly caused by a mistyped or deleted user account referenced in either the User Rights Assignment or Restricted Groups branch of a GPO.
Action: Troubleshoot SceCli event ID 1202.

Message: Access is denied.
Action: See "Troubleshoot Access Denied Replication Errors."

Message: Last attempt at <date - time> failed with the "Target account name is incorrect."
Action: See "Troubleshooting Active Directory-Related DNS Problems." Also see "Troubleshoot Access Denied Replication Errors."

Message: No more end point.
Action: Use Netstat to check the currently established sessions. Free up TCP sessions, if necessary.

Message: [...] address.
Action: Correct the IP address and see "Troubleshooting Active Directory-Related DNS Problems."

Message: LDAP Error 49 (invalid credentials).
Cause: The domain controller computer account might not be synchronized with the Key Distribution Center (KDC).
Action: See "Troubleshoot Access Denied Replication Errors."

Message: The administration tool could not contact Active Directory. / Cannot open LDAP connection to local host.
Action: See "Troubleshooting Active Directory-Related DNS Problems."

Message: AD replication has been preempted.
Cause: An inbound replication in progress was interrupted by a higher priority replication request, such as a request generated manually by using the repadmin /sync command.
Action: Wait for replication to complete.

Message: Replication posted, waiting.
Cause: The domain controller posted a replication request and is waiting for an answer.

Message: Replication is in progress from this source.

Message: Last attempt @ never was successful.
Cause: The KCC successfully created the replication link between the local domain controller and its replication partner, but because of the schedule or possible bridgehead overload, replication has not occurred.

Cause: A large backlog of inbound replication must be performed on this domain controller.
Action: Use the repadmin /queue <domain controller> command to check how many inbound synchronizations are in the queue.
For more information about replication concepts, see "Active Directory Replication" in the Distributed Systems Guide of the Windows 2000 Server Resource Kit.
No connection object exists to indicate which domain controller(s) this domain controller should replicate from. These connection objects are typically created by the KCC. However, in some environments, administrators have turned off the part of the KCC that creates connection objects for inbound replication from domain controllers in other sites, relying on manual connections instead.
One or more connection objects exist, but the domain controller is unable to contact the source domain controller to create the replication links. In this case, the KCC logs events each time it runs (by default, every 15 minutes) detailing the error that occurred when it attempted to add the replication links.
Ensure that a connection object has been properly created between the domain controller and its replication partner. If not, create the connection object.
7. Synchronize the domain naming context of the replication partner with the PDC emulator.
8. If the repadmin /showreps command shows no replication partner, see "Link Sites for Replication" in this guide for procedures to create a replication link.
9. Synchronize replication from a source domain controller.
10. Start the KDC on the local domain controller.
11. If you get a new "access denied" error message, you must create a temporary connection link between the domain controller and its replication partner for the naming contexts.
To do this, run ADSI Edit or LDP on the local domain controller. Locate the SPN in the multivalued attribute servicePrincipalName of the computer object of the replication partner (CN=<computer_name>,OU=Domain Controllers,DC=dom1,DC=company,DC=com) and change the replication SPN to the correct value. The replication SPN has the form E3514235-4B06-11D1-AB04-00C04FC2DCD2/<NTDS Settings object GUID>/<domain DNS name>; the GUID segment must equal the objectGUID of the partner's NTDS Settings object.
4. Verify that replication is functioning.
The "RPC server unavailable" error can occur for the following reasons:
An Event ID 1311 results from problems with replicating the Active Directory domain, schema, configuration, or global catalog naming contexts between domain controllers or sites. This can occur for the following reasons:
- Site link bridging is enabled on a network that does not support physical network connectivity between two domain controllers in different sites that are connected by a KCC link.
- One or more sites are not contained in site links.
- Site links contain all sites, but the site links are not interconnected. This condition is known as disjointed site links.
- One or more domain controllers are offline.
- Bridgehead domain controllers are online, but errors occur when they try to replicate a required naming context between Active Directory sites.
- Administrator-defined preferred bridgeheads are online, but they do not host the required naming contexts.
- Preferred bridgeheads are defined correctly by the administrator, but they are currently offline.
- The bridgehead server is overloaded, either because the server is undersized, too many branch sites are trying to replicate changes from the same hub domain controller, or the schedules on site links or connection objects are too frequent.
- The KCC has built an alternate path around an intersite connection failure, but it continues to retry the failing connection every 15 minutes.
b. Determine the scope of the event by checking the Directory Service event logs of all ISTG (intersite topology generator) role holders in the forest, or check at least a significant number of ISTG role holders.
Note
Site link bridging is enabled by default. As a best practice, leave site link bridging enabled for fully routed networks.
If event ID 1311 continues to be logged on ISTG role holders, continue with the next step.
2. See "Troubleshooting Active Directory Replication Problems" in this guide to resolve Active Directory replication failures in the forest. If event ID 1311 continues to be logged on ISTG role holders, continue with the next step.
3. Determine if site link bridging is enabled and the network is fully routed. Site link bridging is enabled in Active Directory if the following conditions are true:
- The Bridge all site links check box is selected for the IP transport and the Simple Mail Transfer Protocol (SMTP) transport in Active Directory Sites and Services.
- The Options attribute for the IP transport and the SMTP transport is NULL or set to 0 (zero) for the following DN paths: CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=<forest_root_domain> and CN=SMTP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=<forest_root_domain>. Clearing the Bridge all site links check box sets the 0x2 bit in Options, so any value with that bit set means bridging is disabled.
To determine if a fully routed network connection exists between two sites, contact your network administrator or Active Directory architect. If site link bridging is enabled in a nonrouted environment, either make the network fully routed, or disable site link bridging and then create the necessary site links and site link bridges. For more information about creating site links, see "Link Sites for Replication" in this guide. Wait for a period of time that is twice as long as the longest replication interval in the forest. If event ID 1311 continues to be logged on ISTG role holders, continue with the next step.
4. Use the repadmin /showism command to verify that all sites are defined in site links. For each pair of sites, the output of the command shows a string of three numbers separated by colons. The numbers represent <cost>:<replication interval>:<options>. Strings with a value of "-1:0:0" indicate a possible missing site link. If this is the case, see "Link Sites for Replication" in this guide for procedures to create a replication link. If event ID 1311 continues to be logged on ISTG role holders, continue with the next step.
5. Detect and remove preferred bridgeheads. Manually selecting bridgehead servers can cause event ID 1311; it is recommended that administrators do not manually select bridgehead servers. To search for preferred bridgehead servers, view the list of preferred bridgehead servers. If there are any preferred bridgehead servers, remove them from Active Directory Sites and Services, and wait for a period of time that is twice as long as the longest replication interval in the forest. If event ID 1311 continues to be logged on ISTG role holders, continue with the next step.
Caution
The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back up system state first. For information about backing up system state, see "Active Directory Backup and Restore" in this guide.
6. Delete connections if the KCC is in "Connection Keeping" mode, and wait for a period of time that is twice as long as the longest replication interval in the forest.
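The following Python script is an added example, not part of the guide or of Repadmin. It parses a captured repadmin /showism connectivity table and checks for two of the event ID 1311 causes listed above: sites that no site link reaches and disjointed site links. The sample output is constructed and only approximates the real layout (an index of sites followed by a matrix of <cost>:<replication interval>:<options> strings). The bridging_enabled function evaluates the transport Options attribute the way step 3 does, treating NULL or 0, or any value without the 0x2 bit, as site link bridging enabled.

```python
"""Check a captured `repadmin /showism` table for event ID 1311 causes:
sites missing from site links and disjointed site links.

Added example. The sample output is constructed and only approximates the
real layout (site index lines, then a matrix of cost:interval:options).
"""
import re
from collections import deque

# Constructed sample: five sites, where only Hub<->Branch1 and Branch2<->Branch3
# are joined by site links and Orphan is in no site link at all.
SAMPLE_SHOWISM = """\
==== TRANSPORT CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=corp,DC=com CONNECTIVITY INFORMATION FOR 5 SITES: ====
0, CN=Hub,CN=Sites,CN=Configuration,DC=corp,DC=com
1, CN=Branch1,CN=Sites,CN=Configuration,DC=corp,DC=com
2, CN=Branch2,CN=Sites,CN=Configuration,DC=corp,DC=com
3, CN=Branch3,CN=Sites,CN=Configuration,DC=corp,DC=com
4, CN=Orphan,CN=Sites,CN=Configuration,DC=corp,DC=com
     0          1          2          3          4
0    0:0:0      100:180:0  -1:0:0     -1:0:0     -1:0:0
1    100:180:0  0:0:0      -1:0:0     -1:0:0     -1:0:0
2    -1:0:0     -1:0:0     0:0:0      200:60:0   -1:0:0
3    -1:0:0     -1:0:0     200:60:0   0:0:0      -1:0:0
4    -1:0:0     -1:0:0     -1:0:0     -1:0:0     0:0:0
"""

SITE_LINE = re.compile(r"^\s*(\d+),\s*CN=([^,]+),")
TRIPLE = re.compile(r"(-?\d+):(\d+):(\d+)")
BRIDGES_REQUIRED = 0x2  # NTDSTRANSPORT_OPT_BRIDGES_REQUIRED: set => bridging disabled


def parse_showism(text):
    """Return (site names in index order, {(from, to): (cost, interval, options)})."""
    sites, matrix = {}, {}
    for line in text.splitlines():
        m = SITE_LINE.match(line)
        if m:
            sites[int(m.group(1))] = m.group(2)
            continue
        parts = line.split()
        if len(parts) > 1 and parts[0].isdigit() and TRIPLE.fullmatch(parts[1]):
            row = int(parts[0])
            for col, cell in enumerate(parts[1:]):
                t = TRIPLE.fullmatch(cell)
                if t and row in sites and col in sites:
                    matrix[(sites[row], sites[col])] = tuple(int(x) for x in t.groups())
    return [sites[i] for i in sorted(sites)], matrix


def reachable(matrix, a, b):
    """A pair is joined by a site link when its cost is not -1 (the "-1:0:0" case)."""
    entry = matrix.get((a, b))
    return entry is not None and entry[0] >= 0


def unlinked_sites(sites, matrix):
    """Sites that no site link reaches: every off-diagonal entry is -1."""
    return [s for s in sites
            if not any(reachable(matrix, s, t) for t in sites if t != s)]


def link_components(sites, matrix):
    """Group sites by site-link connectivity; more than one group = disjointed site links."""
    seen, groups = set(), []
    for start in sites:
        if start in seen:
            continue
        group, queue = [], deque([start])
        seen.add(start)
        while queue:
            cur = queue.popleft()
            group.append(cur)
            for nxt in sites:
                if nxt not in seen and nxt != cur and reachable(matrix, cur, nxt):
                    seen.add(nxt)
                    queue.append(nxt)
        groups.append(group)
    return groups


def disjointed(sites, matrix):
    return len(link_components(sites, matrix)) > 1


def bridging_enabled(options):
    """Step 3's test on the transport Options attribute: NULL or 0 means enabled."""
    return ((options or 0) & BRIDGES_REQUIRED) == 0


if __name__ == "__main__":
    sites, matrix = parse_showism(SAMPLE_SHOWISM)
    print("sites in no site link:", unlinked_sites(sites, matrix))
    groups = link_components(sites, matrix)
    print("site-link groups:", groups, "(disjointed)" if len(groups) > 1 else "")
    print("bridging enabled for Options=NULL:", bridging_enabled(None))
```

On the constructed table the script reports Orphan as a site in no site link (step 4's "-1:0:0" case for every partner) and two separate groups, Hub/Branch1 and Branch2/Branch3, which is the disjointed site links condition; both need a site link before the KCC can build an intersite topology.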
This shows the account that is causing the problem. Determine why the account is causing the problem (for example, a mistyped account, a deleted account, or the wrong policy was applied). If you determine that you need to remove this account from the policy, continue to the next step to determine which policy and setting to change.
3. To find which setting contains the unresolved account, type the following command at a command prompt and press ENTER:
Find /I "<account>" %systemroot%\security\templates\policies\gpt*.*
This shows the cached template from the GPO that contains the setting that is causing the problem. View the template and search for a line that begins with "GPOPath=" to find the GUID of the policy you need to change.
4. Map the GUID of the problem GPO to its friendly name. Use the Gpresult.exe tool from the Windows 2000 Server Resource Kit to obtain extensive output from the computer that generated the events. Search the results for the GUID you identified in the previous step. If you cannot find the GUID in the output from the Gpresult.exe tool, use Search.vbs. Type the following command at a command prompt and press ENTER:
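As an added example (not part of the guide and not the Search.vbs command it refers to), the following Python script performs steps 2 to 4 above on a constructed set of cached templates: it finds which template references the unresolvable account in a User Rights Assignment ([Privilege Rights]) or Restricted Groups ([Group Membership]) setting, reads the GPOPath= line of that template to get the GPO GUID, and maps the GUID to a friendly name from a gpresult-style listing. The template contents, the GPOPath line and the listing only approximate the real formats; the first two GUIDs are the well-known Default Domain Policy and Default Domain Controllers Policy GUIDs, and the third is made up for the example.

```python
"""Locate an unresolvable account in the cached security templates and map the
owning GPO's GUID to its friendly name (steps 2 to 4 above).

Added example. The template files, the GPOPath line and the gpresult-style
listing are constructed and only approximate the real formats; the GUID
{0F3B2E1A-...} is made up for the example.
"""
import re

# Constructed cached templates, keyed by file name as found under
# %systemroot%\security\templates\policies.
TEMPLATES = {
    "gpt00000.inf": r"""[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
GPOPath=\\corp.com\sysvol\corp.com\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[Privilege Rights]
SeEnableDelegationPrivilege = *S-1-5-32-544
SeServiceLogonRight = CORP\svc_backup
""",
    "gpt00001.inf": r"""[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
GPOPath=\\corp.com\sysvol\corp.com\Policies\{0F3B2E1A-7C4D-4E8F-9A1B-2C3D4E5F6A7B}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[Privilege Rights]
SeBatchLogonRight = CORP\svc_bakcup
[Group Membership]
*S-1-5-32-544__Members = CORP\Domain Admins
""",
}

# Constructed gpresult-style output: GPO names followed by their GUIDs.
GPRESULT = """\
Computer Settings: the computer received "Registry" settings from these GPOs:
    GPO: Default Domain Policy
        Unique Name: {31B2F340-016D-11D2-945F-00C04FB984F9}
    GPO: Default Domain Controllers Policy
        Unique Name: {6AC1786C-016F-11D2-945F-00C04FB984F9}
    GPO: Service Account Rights
        Unique Name: {0F3B2E1A-7C4D-4E8F-9A1B-2C3D4E5F6A7B}
"""

SECTION = re.compile(r"^\[(.+)\]$")
GPO_PATH = re.compile(r"^GPOPath=.*?(\{[0-9A-F-]{36}\})", re.IGNORECASE)
GPO_NAME = re.compile(r"^\s*GPO:\s*(.+?)\s*$")
GPO_GUID = re.compile(r"^\s*Unique Name:\s*(\{[0-9A-F-]{36}\})", re.IGNORECASE)
POLICY_SECTIONS = {"Privilege Rights", "Group Membership"}  # User Rights Assignment, Restricted Groups


def find_account(account, templates):
    """Mirror `Find /I "<account>" gpt*.*`: one (template, section, setting) per hit."""
    hits, needle = [], account.lower()
    for name, text in templates.items():
        section = None
        for line in text.splitlines():
            m = SECTION.match(line.strip())
            if m:
                section = m.group(1)
                continue
            if section in POLICY_SECTIONS and "=" in line and needle in line.lower():
                hits.append((name, section, line.split("=", 1)[0].strip()))
    return hits


def template_gpo_guid(text):
    """GUID from the template's GPOPath= line, or None if there is no such line."""
    for line in text.splitlines():
        m = GPO_PATH.match(line)
        if m:
            return m.group(1).upper()
    return None


def gpo_names(gpresult_text):
    """Map {GUID: friendly name} from a gpresult-style listing."""
    names, current = {}, None
    for line in gpresult_text.splitlines():
        m = GPO_NAME.match(line)
        if m:
            current = m.group(1)
            continue
        m = GPO_GUID.match(line)
        if m and current:
            names[m.group(1).upper()] = current
    return names


def locate(account, templates=TEMPLATES, gpresult_text=GPRESULT):
    """Full chain: account -> cached template -> GPO GUID -> friendly name."""
    names = gpo_names(gpresult_text)
    out = []
    for tmpl, section, setting in find_account(account, templates):
        guid = template_gpo_guid(templates[tmpl])
        out.append({"template": tmpl, "section": section, "setting": setting,
                    "guid": guid, "gpo": names.get(guid, "<not found in gpresult>")})
    return out


if __name__ == "__main__":
    for hit in locate(r"CORP\svc_bakcup"):
        print(hit)
```

For the mistyped account CORP\svc_bakcup the script points at SeBatchLogonRight in gpt00001.inf and resolves its GPOPath GUID to the "Service Account Rights" GPO, which is the policy whose User Rights Assignment entry needs correcting.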
Active Directory Installation Failed: The operation failed with the following error: The system cannot find the file specified.
This error message can be caused by one or more of the following conditions:
- The default Ntds.dit file is missing or not correctly located in the %SystemRoot%\System32 folder.
- Incorrect permissions on the default Ntds.dit file.
- Incorrect permissions on an existing NTDS folder structure.
Message: [...] domains in the forest. The error is: The specified domain either does not exist or could not be contacted.
Cause: [...] the domain has not registered an "A" record for itself in DNS.
Action: Add the A record for the domain controller with the ipconfig /registerdns command. Flush the DNS cache on the computer running the Active Directory Installation Wizard by using the ipconfig /flushdns command. See "Troubleshooting Active Directory-Related DNS Problems" in this guide.

Cause: In the Active Directory Installation Wizard, the administrator entered either a single- or multi-label NetBIOS name (such as CORP or CORP.COM) that is identical to the Active Directory domain name, or entered a name that is already in use on the network.
Action: Use a NetBIOS name that does not conflict with other computers or domains on the network.

Message: The specified domain either does not exist or could not be contacted
Cause: DNS problems might be preventing name resolution for the source domain controller.
Action: See "Troubleshooting Active Directory-Related DNS Problems" in this guide to resolve DNS issues.

Cause: The SYSVOL directory is not shared out on the domain controller that will be used to source Active Directory.
Action: Share out the SYSVOL directory. To verify that the SYSVOL directory is shared out, use the net share command to see if the SYSVOL share is listed. By default, the SYSVOL share is located in the following folder: %SystemRoot%\Sysvol\Sysvol.
Message: [...] modify the necessary properties for the machine account %computername%: "Access Denied".
Cause: [...] for delegation.
Action: See "Procedures for Troubleshooting "Access Denied" Error Messages in Active Directory Installation Wizard," which follows.

Message: The operation failed because: To perform the requested operation, the directory service needs to contact the Domain Naming Master (server <servername>). The attempt to contact it failed. The specified server cannot perform the requested operation.
Cause: Servers that are being promoted to domain controllers might generate this error message when they are unable to contact the domain naming master role holder during promotion. This happens while creating the first domain controller in a new child domain or in a new tree in an existing forest.
Action: Make the current domain naming master accessible. If necessary, see "Seizing Operations Master Roles" in this guide.

Message: Active Directory Installation Failed. The operation failed because: The Directory Service failed to create the object CN=<servername>,CN=Partitions,CN=Configuration,DC=<domain controller>.
Cause: Servers that are being promoted to domain controllers might generate this error message when they are unable to contact the domain naming master role holder during promotion. The domain naming master for the forest is offline or cannot be contacted.
Action: Make the current domain naming master accessible. If necessary, see "Seizing Operations Master Roles" in this guide.

Message: The replication system encountered an internal error.
Action: See the Microsoft Knowledge Base article "Internal Error Running Dcpromo.exe."

Message: Missing SYSVOL and NETLOGON shares.
Cause: Missing NETLOGON and SYSVOL shares typically occur on additional domain controllers in an existing domain, but can also occur on the first domain controller in a new domain.
Action: Verify that the Net Logon service is running. Also see "Troubleshooting FRS" in this guide.
Procedures for Troubleshooting "Access Denied" Error Messages in Active Directory Installation Wizard
1. Verify file permissions to make sure they are correct. Verify that the default Ntds.dit file permissions in the System32 folder are:

System32\Ntds.dit
  BUILTIN\Users:            Read          [RX]
  BUILTIN\Power Users:      Read          [RX]
  BUILTIN\Administrators:   Full Control  [ALL]
  NT AUTHORITY\SYSTEM:      Full Control  [ALL]
  Everyone:                 Read          [RX]

2. Verify folder permissions. If Active Directory was previously removed and now you are installing it again, the %SystemRoot%\Ntds and %SystemRoot%\Ntds\Drop folders will still exist. If permissions were changed, the error message might be caused by the folder permissions. The simplest resolution is to delete the original Ntds folder structure before running the Active Directory Installation Wizard. Or, you can change the folder permissions to match the following:

%SystemRoot%\Ntds
  BUILTIN\Users:            Special Access  [RX]
  BUILTIN\Power Users:      Special Access  [RWXD]
  BUILTIN\Administrators:   Special Access  [A]
  NT AUTHORITY\SYSTEM:      Special Access  [A]
  CREATOR OWNER:            Special Access  [A]

%SystemRoot%\Ntds\Drop
  BUILTIN\Users:            Special Access  [RX]
  BUILTIN\Power Users:      Special Access  [RWXD]
  BUILTIN\Administrators:   Special Access  [A]
  NT AUTHORITY\SYSTEM:      Special Access  [A]
  CREATOR OWNER:            Special Access  [A]
3. Verify that the current domain controllers in the domain have applied security policy and that the Enable computer and user accounts to be trusted for delegation user right is granted to the Administrators group.
a. In the Group Policy snap-in, click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click User Rights Assignment.
b. For computers that do not have this right, confirm that the Group Policy objects in the directory service and the file system have replicated by looking for event ID 1704 in the application event log, and then manually apply the policy by typing the following command:
secedit /refreshpolicy machine_policy
4. Use a Dcpromo answer file to source the promotion from a deterministic domain controller. Search the Microsoft Knowledge Base for article Q223757: "Unattended Promotion and Demotion of Windows 2000 Domain Controllers." Use the ReplicationSourceDC parameter in the answer file.
5. Verify that the source domain controller is in the Domain Controllers OU. The name of the source domain controller can be found in the Dcpromo.log file in the %Systemroot%\debug folder on the Windows 2000 server that you are trying to promote.
6. Open a command prompt on the source domain controller, and run the Gpresult.exe Resource Kit tool to verify that the Default Domain Controllers Policy is being applied to the source domain controller.
Procedures for Troubleshooting Domain Naming Master Errors in the Active Directory Installation Wizard
1. Verify that replication is functioning for the domain naming master.
2. Verify the existence of the operations masters to ensure that domain controllers in the forest are consistent about the computer name that is designated as the current domain naming master.
3. View the current operations master role holders and confirm that the domain naming master is a global catalog server.
Lost objects
Cause: If an object is created on one domain controller, and the container in which it was created is deleted on another domain controller before the object has a chance to replicate, it becomes a lost object. Lost objects are automatically placed in the domain's LostAndFound container (CN=LostAndFound,DC=<domain>,...), where you can find them and either move or delete them.
Action: Troubleshoot lost domain objects.

Object name conflicts
Cause: If an object is created on one domain controller and an object with the same name is created in the same container on another domain controller before replication occurs, it creates an object name conflict. Active Directory automatically changes the relative distinguished name of the object with the earlier timestamp to a unique name, appending CNF: and the object's GUID.
Action: Troubleshoot object name conflicts.
WARNING
If you find collisions in the Domain Controllers OU, stop. Continuing with the procedures below can cause further damage. Contact Microsoft Product Support Services for guidance.
3. For each object, examine the Last Known Parent (lastKnownParent) attribute. This attribute indicates the previous location of the object.
4. For each object, do one of the following, as appropriate: move the object to the correct location, recreating the parent if necessary, or delete the object.
5. Review and revise your operational procedures to ensure that object creations and deletions are coordinated.
2. Rename the client computers whose accounts were deleted and join them to the domain.
a. Right-click My Computer, and then click Properties.
b. In the System Properties dialog box, select the Computer Name tab and click the Change button.
c. In the Computer Name Changes dialog box, enter a new name in the Computer name: field.
d. Click OK to exit the Computer Name Changes dialog box, and click OK to exit the System Properties dialog box.
e. Restart the computer.
3. Verify that replication is functioning properly. If replication is not functioning properly, see "Troubleshooting Active Directory Replication Problems" in this guide. If it is, review and revise your operational procedures to ensure that object creations and deletions are coordinated.
Cause: [...] router between the client and the server, or it is being used by another service.
Action: See "Managing Windows Time Service" in this guide for best practice guidelines for configuring time. The other service using UDP port 123 might be Windows Time Service; stop and start Windows Time Service to solve the problem.

Message: Net Time: Access denied.
Cause: A remote procedure call (RPC) failed to authenticate, usually because the user does not have permission to access the remote computer and run Net Time.
Action: If you know the user name and password of an account that does have access rights, establish credentials to access the remote computer to perform this task.

Cause: Two instances of the same service are trying to start by using the same port. The Windows Time Service is already using UDP port 123 (the default port for the time service). Therefore, the W32tm tool is not able to use the port.
Action: When you use the W32tm tool, be sure to stop and start Windows Time Service.