
Active Directory Operations Guide

Part I: Active Directory Operations

Version 1.5. Developed by the Windows Resource Kits team.

"

Chapter Number 1

Managing Active Directory

Microsoft Windows 2000. Microsoft Corporation.

Managing Domain Controllers

Acknowledgements

Program Managers: Stuart Kwan, Andreas Luther, Chris Macaulay, Paul Reiner
Writers: Mary Hillman, Dave Kreitler, Merrilee McDonald, Randy McLaughlin, Andrea Weiss
Editors: Laura Graham and Justin Hall
Copy Editors: Bonnie Birger, Anika Nelson, Dee Teodoro
Test Plan: Mary Hillman and Cheryl Jenkins
Testers: Justin Hall, David Stern, Matt Winberry
Lab Staff: Robert Thingwold and David Meyer
Lab Partners: Hewlett-Packard and Cisco Systems

We thank the following people for reviewing the guide and providing valuable feedback: Tadao Arima, Bill Bagley, Colin Brace, Duncan Bryce, J.C. Cannon, Sudarshan Chitre, Arren Conner, Joseph Davies, Jim Dobbin, Levon Esibov, Eric Fitzgerald, David Golds, Jin Huang, Khushru Irani, J.K. Jaganathan, Kamal Janardhan, Asaf Kashi, William Lees, Jonathan Liem, Doug Lindsey, Arun Nanda, Paul O'Connell, Boyd Peterson, Paul Rich, Murli Satagopan, Sanji Sharma, Michael Snyder, David Stern, Mark Szalkiewics, Kahren Tevosyan, Derek Vincent


Contents

Introduction
Using the Microsoft Operations Framework for Active Directory Operations
Audience
Using this Guide
Managing Active Directory
Overview of Active Directory Operations
Planning for Active Directory Operations
Tools Used for Active Directory Operations
Operations Tasks Checklist
Monitoring Active Directory
Active Directory Backup and Restore
Backing Up Active Directory and Associated Components
Performing a Non-Authoritative Restore
Performing an Authoritative Restore of a Subtree or Leaf Object
Performing an Authoritative Restore of Entire Directory
Recovering a Domain Controller Through Reinstallation
Restoring a Domain Controller Through Reinstallation and Subsequent Restore from Backup
Managing Domain Controllers
Installing and Removing Active Directory
Preparing for Active Directory Installation
Installing Active Directory
Performing Active Directory Post-Installation Tasks
Decommissioning a Domain Controller
Renaming Domain Controllers
Identifying the Current Configuration of a Domain Controller
Renaming a Domain Controller
Restoring the Original Configuration of a Domain Controller
Managing Global Catalog Servers
Identifying Global Catalog Servers in a Site


Identifying a Site That Has No Global Catalog Servers
Adding the Global Catalog to a Domain Controller and Verifying Readiness
Removing the Global Catalog from a Domain Controller
Managing Operations Masters
Designating Operations Master Roles
Reducing the Workload on the PDC Emulator
Decommissioning a Role Holder
Seizing Operations Master Roles
Choosing a Standby Operations Master
Managing the Database
Relocating Directory Database Files
Returning Unused Disk Space from the Directory Database to the File System
Speeding Removal of an Expired-Tombstone Backlog
Managing SYSVOL
Changing the Space Allocated to the Staging Area
Relocating the Staging Area
Moving SYSVOL by Using the Active Directory Installation Wizard
Moving SYSVOL Manually
Updating the System Volume Path
Restoring and Rebuilding SYSVOL
Managing Windows Time Service
Configuring a Time Source for the Forest
Configuring a Reliable Time Source on a Computer Other than the PDC Emulator
Configuring a Client to Request Time from a Specific Time Source
Optimizing the Polling Interval
Disabling the Windows Time Service
Managing Long-Disconnected Domain Controllers
Preparing a Domain Controller for a Long Disconnection
Reconnecting Long-Disconnected Domain Controllers
Removing Lingering Objects from an Outdated Writable Domain Controller
Removing Lingering Objects from a Global Catalog Server
Managing Trusts


Creating External Trusts
Creating Shortcut Trusts
Removing Manually Created Trusts
Preventing Unauthorized Privilege Escalation
Managing Sites
Adding a New Site
Adding a Subnet to the Network
Linking Sites for Replication
Changing Site Link Properties
Moving a Domain Controller to a Different Site
Removing a Site
Troubleshooting Active Directory
Overview of Active Directory Troubleshooting
Prerequisites for Troubleshooting Active Directory
Tools for Troubleshooting Active Directory
High-level Methodology for Troubleshooting Active Directory Problems
Documenting the Problem
Identifying the Components Involved
Verifying Client Health
Verifying Network Path
Verifying Server Health
Verifying Service Health
Iterate the Troubleshooting Process
Troubleshooting High CPU Usage on a Domain Controller
Troubleshooting High CPU Usage by Processes
Troubleshooting High CPU Usage on a PDC Emulator
Troubleshooting High CPU Usage on a Global Catalog Server
Troubleshooting High CPU Usage Caused by Excessive Client Load
Troubleshooting Server-Related High CPU Usage
Troubleshooting Active Directory-Related DNS Problems
Troubleshooting Active Directory Replication Failure Due to Incorrect DNS Configuration
Troubleshooting Domain Controller Locator DNS Records Registration Failure
Troubleshooting Active Directory Installation Wizard Failure to Locate Domain Controller


Troubleshooting Failure to Locate Domain Controller when Attempting to Join a Domain
Troubleshooting FRS
Troubleshooting FRS Event 13508 without FRS Event 13509
Troubleshooting FRS Event 13511
Troubleshooting FRS Event 13522
Troubleshooting FRS Event 13526
Troubleshooting FRS Event 13548
Troubleshooting FRS Event 13557
Troubleshooting FRS Event 13567
Troubleshooting FRS Event 13568
Troubleshooting Files Not Replicating
Verifying the FRS Topology in Active Directory
Troubleshooting Morphed Folders
Troubleshooting the SYSVOL Directory Junction
Troubleshooting Excessive Disk and CPU Usage by NTFRS.EXE
Troubleshooting Active Directory Replication Problems
Troubleshooting No Inbound Neighbors Repadmin.exe Error
Troubleshooting Access Denied Replication Errors
Troubleshooting GUID Discrepancies
Troubleshooting RPC Server Problems
Troubleshooting NTDS Event ID 1311
Troubleshooting SceCli Event ID 1202
Troubleshooting Active Directory Installation Wizard Problems
Troubleshooting "Access Denied" Error Messages in Active Directory Installation Wizard
Troubleshooting Domain Naming Master Errors in Active Directory Installation Wizard
Troubleshooting Directory Data Problems
Troubleshooting Lost Domain Objects
Troubleshooting Object Name Conflicts
Troubleshooting Windows Time Service Problems
Troubleshooting Windows Time Service Errors on a PDC Emulator


Note
All references to Windows 2000 include both Microsoft® Windows® 2000 Server and Microsoft® Windows® 2000 Advanced Server, unless otherwise specified. This document assumes that you are using Windows 2000 with Service Pack 2 (SP2) or greater.

Introduction
This operations guide provides guidance on how to manage and troubleshoot Microsoft® Windows® 2000 Active Directory. These activities are part of the operating phase of the IT life cycle. Although this guide specifically addresses the operating phase of the IT life cycle, Microsoft Enterprise Services Framework provides guidelines for other phases of the life cycle. These phases are listed in Table 1.1.

Table 1.1 IT Life Cycle and Microsoft Enterprise Services Frameworks Assistance

| For this Phase | Microsoft Enterprise Services Frameworks Provides this Assistance |
|---|---|
| Planning | Although not currently a dedicated Enterprise Services framework, Microsoft Business Value Services provide tools to assess and plan the IT infrastructure, prioritize projects, and make a compelling business case for undertaking an IT project. |
| Building and Deploying | Microsoft Solutions Framework provides guidelines for building and deploying a project. The phases involved in this part of the IT lifecycle include Envisioning, Planning, Developing, and Deploying. |
| Operating | Microsoft Operations Framework provides guidelines for managing production systems within complex distributed IT environments. |

Active Directory operations occur after you plan, build, and deploy your Active Directory implementation.

Using the Microsoft Operations Framework for Active Directory Operations


Microsoft Operations Framework (MOF) is a collection of best practices, principles, and models. It provides comprehensive technical guidance for achieving reliable, available, supportable, and manageable solutions and services built on Microsoft products and technologies. MOF bases its recommendations on current industry best practices for IT service management, as documented and validated by the IT Infrastructure Library (ITIL) of the Central Computer and Telecommunications Agency (CCTA). The MOF process model describes an operations life cycle that applies to releases of any size, relating to any service solution. MOF identifies four main areas of operations, which are divided into quadrants in the operations life cycle. Table 1.2 lists the four quadrants and the area of operations they cover.

Table 1.2 MOF Operations Quadrants

| Quadrant | Service Mission |
|---|---|
| Operating | Perform day-to-day tasks effectively and efficiently. |
| Supporting | Resolve incidents, problems, and inquiries quickly. |
| Optimizing | Optimize cost, performance, capacity, and availability in the delivery of IT services and drive necessary changes, based on the data that you collect. |
| Changing | Introduce new service solutions, technologies, systems, applications, hardware, and processes. |

This guide includes processes for operating Active Directory. For more information about MOF, see the MOF link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Audience
This guide is for medium and large organizations that have one or more centralized IT operations departments. It includes information that is relevant to different roles within an IT organization, including IT Operations management and administrators. It contains high-level information that is required in planning an Active Directory operations environment. This information requires management-level knowledge of the technology and IT processes. In addition, this guide contains low-level procedures that are designed for operators who have varied levels of expertise and experience. Although the procedures provide operator guidance from start to finish, operators must have a basic proficiency with the Microsoft Management Console (MMC) and snap-ins, and know how to start programs and access the command line.

Using this Guide


To accommodate a wide IT audience, the operations areas are divided into the following types of content:

- Overview, which explains what you need to consider for operating an Active Directory component, along with a list of tasks involved in operating that component.
- Tasks, which contain the caveats that you should be aware of when performing the task, along with a list of procedures involved in the task. For your convenience, a list of tasks and procedures appears in alphabetical order in Appendix A.
- Procedures, which appear in full in Appendix B of this document, and are often referred to by more than one task. All tasks in this document link to the associated procedures.

For maximum benefit in using this guide:

- Read through the entire Operating Active Directory chapter to gain a management-level knowledge of how to operate Active Directory.
- Ensure that you have all the tools installed where operators use them.
- Use the task lists to schedule recurring tasks.
- Create "tear sheets" for each task that operators perform within your organization. Cut and paste the task and its related procedures into a separate document and then either print these documents, or store them online, depending on the preference of your organization.
- Give the operator the tear sheets for the task when a task needs to be performed, along with information relevant to the environment (such as the name and IP address of the domain controller involved in the task).

CHAPTER NUMBER 1

Managing Active Directory

Microsoft® Windows® 2000 Active Directory provides a robust directory service environment that requires few regularly scheduled maintenance tasks. However, you might perform some tasks on a regular basis, including backing up the database, and adding or removing domain controllers. You can use this guide to help you efficiently operate your Active Directory environment.

In This Chapter

- Overview of Active Directory Operations
- Monitoring Active Directory
- Active Directory Backup and Restore
- Managing Domain Controllers
- Managing Trusts
- Managing Sites

1"

Chapter Number 1

Managing Active Directory

Overview of Active Directory Operations


The goal of operations is to ensure that IT services are delivered according to service level requirements that are agreed to by IT management and its various customer business units. The day-to-day operations of an IT department are proactive, and require that the proper products and services be in place to identify and prevent potential problems.

Planning for Active Directory Operations


To plan your Active Directory operations environment, you need to perform the following tasks:

- Assess the IT environment and establish a baseline.
- Determine operational needs.
- Define operations actions.

Assessing the IT Environment and Establishing a Baseline


You must have a complete and accurate idea of the details behind each service that the IT department delivers in order to properly configure management systems and technologies, and to collect any necessary metric data. Review any service specifications that were produced during the deployment process, along with any service level requirements defined in Service Level Agreements between the IT organization and customer business units. The following information is especially useful when planning your operations:

- Server specifications
- Network specifications
- Logical and physical architectural diagrams
- Supported applications
- User statistics and requirements
- Current thresholds and performance metrics
- Acceptable performance and outage times

This data provides a starting point to establish a baseline for the operations environment, and to set the proper level of service.


Determining Operational Needs


The Active Directory operations team must establish processes for the following tasks:

- Continuous monitoring and reporting
- Auditing
- Backup and restoration
- Managing Active Directory components, including:
  - Domain controllers (including issues relating to installation, global catalog servers, operations masters, database, SYSVOL, Windows Time Service, and long-disconnected domain controllers)
  - Trusts
  - Sites

Defining Operations Actions


Categorize actions that are performed during the course of day-to-day operations as follows:

- Automated actions
- Operator-driven actions

Automated Actions
Automated actions provide a time-saving method to detect and react to incidents occurring in the production environment. Identify those tasks and procedures that you want to automate, whether with scripts or a monitoring product such as Microsoft Operations Manager 2000 (MOM). Also identify the triggers, such as alerts generated by MOM, which start the automated action. An example of an automated action is configuring an agent process to respond when it detects that the threshold for disk space has been exceeded. In this case, the agent process running on the affected computer automatically takes action to resolve the situation, such as deleting all the files in the Temp directory, thereby returning the system to acceptable conditions as defined in the Service Level Agreement. The agent system also sends a message to the management server that includes any necessary event data (the name and address of the affected system, the error message, the results of the action taken, and so on). After the automated action resolves the incident, the operations team can determine what, if any, further action to take. In this example, the automated action temporarily resolves the incident, and the operations team must investigate further to determine a permanent resolution.

Operator-Driven Actions
Operator-driven actions are those that are performed by an operator, as opposed to those performed by an automated system. Operator-driven actions need to be defined whenever and wherever possible, so that operators with varying degrees of skills and training can perform specific tasks, such as changing a password, loading forms into a printer, starting or stopping processes, and so on.


Tools Used for Active Directory Operations


Active Directory operations involves using tools that are either part of the Windows 2000 operating system, the Windows 2000 Support Tools, or the Microsoft® Windows® 2000 Server Resource Kit. Table 1.3 lists the tools that are used to operate Active Directory, where the tools are found, and a brief description of the purpose of the tool. For information about installing the Windows 2000 Support Tools and the Windows 2000 Administrative Tools Pack, see Windows 2000 Server Help.

Table 1.3 Tools Used in Active Directory Operations

| Tool | Location | Function |
|---|---|---|
| Active Directory Migration Tool (ADMT) | http://www.microsoft.com/windows2000/downloads/tools/ADMT/default.asp | Migrate account and resource domains. |
| Active Directory Domains and Trusts snap-in | Windows 2000 Administrative Tools Pack | Administer domain trusts, add user principal name suffixes, and change the domain mode. |
| Active Directory Installation Wizard | Windows 2000 | Install Active Directory, and promote or demote domain controllers. |
| Active Directory Sites and Services snap-in | Windows 2000 Administrative Tools Pack | Administer the replication of directory data. |
| Active Directory Users and Computers snap-in | Windows 2000 Administrative Tools Pack | Administer and publish information in the directory. |
| ADSI Edit, MMC snap-in | Windows 2000 Support Tools | View, modify, and set access control lists on objects in the directory. |
| Backup Wizard | Windows 2000 system tool | Back up and restore data. |
| Control Panel | Windows 2000 | View and modify computer, application, and network settings. |
| Dcdiag.exe | Windows 2000 Support Tools and Windows 2000 Server Resource Kit | Analyze the state of domain controllers in a forest or enterprise; assist in troubleshooting by reporting any problems. |
| DNS snap-in | Windows 2000 Administrative Tools Pack | Manage DNS. |
| Dsastat.exe | Windows 2000 Support Tools | Compare directory information on domain controllers and detect differences. |
| Event Viewer | Windows 2000 Administrative Tools Pack | Monitor events recorded in event logs. |
| Lbridge.cmd | Windows 2000 Server Resource Kit | Replicate logon scripts and profiles between Windows 2000-based domain controllers and Windows NT 4.0-based domain controllers. |
| Ldp.exe | Windows 2000 Support Tools | Perform LDAP operations against Active Directory. |
| Linkd.exe | Windows 2000 Server Resource Kit | Create, delete, update, and view the links that are stored in junction points. |
| MMC | Windows 2000 | Create, save, and open administrative tools (called MMC snap-ins) that manage hardware, software, and network components. |
| Netdiag.exe | Windows 2000 Server Resource Kit and Windows 2000 Support Tools | Check end-to-end network connectivity and distributed services functions. |
| Netdom.exe | Windows 2000 Support Tools | Allow batch management of trusts, joining computers to domains, and verifying trusts and secure channels. |
| Net use, start, stop, del, copy, time | Windows 2000 system tool | Perform common tasks on network services, including stopping, starting, and connecting to network resources. |
| Nltest.exe | Windows 2000 Support Tools | Verify that the locator and secure channel are functioning. |
| Notepad | Windows 2000 Accessories | View, create, and modify text files. |
| Ntdsutil.exe | Windows 2000 system tool | Manage Active Directory, manage single master operations, remove metadata, create application directory partitions. |
| Regedit.exe | Windows 2000 system tool | View and modify registry settings. |
| Repadmin.exe | Windows 2000 Support Tools | Verify replication consistency between replication partners, monitor replication status, display replication metadata, and force replication events and topology recalculation. |
| Replmon.exe | Windows 2000 Support Tools | Display replication topology, monitor replication status, and force replication events and topology recalculation. |
| Services snap-in | Windows 2000 Administrative Tools Pack | Start, stop, pause, or resume system services on remote and local computers, and configure startup and recovery options for each service. |
| Terminal Services | Windows 2000 | Access and manage computers remotely. |
| W32tm | Windows 2000 system tool | Manage Windows Time Service. |
| Windows Explorer | Windows 2000 | Access files, Web pages, and network locations. |


Operations Tasks Checklist


Table 1.4 provides a quick reference for those product maintenance tasks that the operations team must perform on a regular basis. These task lists summarize the tasks that are required to maintain Active Directory operations.

Table 1.4 Active Directory Operations Tasks

| Frequency | Tasks |
|---|---|
| Daily. | Verify that all domain controllers are communicating with the central monitoring console or collector. |
| Daily. | View and examine all new alerts on each domain controller, resolving them in a timely fashion. |
| Daily. | Resolve alerts indicating the following services are not running: FRS, Net Logon, KDC, W32Time, ISMSERV. MOM reports these as Active Directory Essential Services. |
| Daily. | Resolve alerts indicating SYSVOL is not shared. |
| Daily. | Resolve alerts indicating that the domain controller is not advertising itself. |
| Daily. | Resolve alerts indicating time synchronization problems. |
| Daily. | Resolve all other alerts in order of severity. If alerts are given error, warning, and information status similar to the event log, resolve alerts marked error first. |
| Daily to weekly, depending on environment. | Identify a site that has no global catalog server. |
| Weekly. | Review the Time Synchronization Report to detect intermittent problems and resolve time-related alerts. |
| Weekly. | Review the Authentication Report to help resolve problems generated by computer accounts with expired passwords. |
| Weekly. | Review the Duplicate Service Principal Name Report to list all security principals that have a service principal name conflict. |
| Weekly. | Review a report of the top alerts generated by the Active Directory monitoring indicators and resolve those items that occur most frequently. |
| Weekly. | Review the report that lists all trust relationships in the forest and check for obsolete, unintended, or broken trusts. |
| Monthly. | Verify that all domain controllers are running with the same service pack and hot fix patches. |
| Monthly. | Review all Active Directory reports and adjust thresholds as needed. Examine each report and determine which reports, data, and alerts are important for your environment and service level agreement. |
| Monthly. | Review the Replication Monitoring Report to verify that replication throughout the forest occurs within acceptable limits. |
| Monthly. | Review the Active Directory response time reports. |
| Monthly. | Review the domain controller disk space reports. |
| Monthly. | Review all performance related reports. These reports are called Health Monitoring reports in MOM. |
| Monthly. | Review all performance related reports for capacity planning purposes to ensure that you have enough capacity for current and expected growth. These reports are called Health Monitoring reports in MOM. |
| Monthly. | Adjust performance counter thresholds or disable rules that are not applicable to your environment or that generate irrelevant alerts. |
| Monthly. | Identify the global catalog servers in a site. |
| At least twice within the tombstone lifetime. | Back up Active Directory and associated components. |
| As needed. | Perform a non-authoritative restore. |
| As needed. | Perform an authoritative restore of a subtree or leaf object. |
| As needed. | Perform an authoritative restore of the entire directory. |
| As needed. | Recover a domain controller through reinstallation. |
| As needed. | Restore a domain controller through reinstallation and subsequent restore from backup. |
| As needed. | Prepare for Active Directory Installation. |
| As needed. | Install Active Directory. |
| As needed. | Perform Active Directory post-installation tasks. |
| As needed. | Decommission a domain controller. |
| As needed. | Identify the current configuration of a domain controller. |
| As needed. | Rename a domain controller. |
| As needed. | Restore the original configuration of a domain controller. |
| As needed. | Add the global catalog to a domain controller and verify global catalog readiness. |
| As needed. | Remove the global catalog from a domain controller. |
| As needed. | Designate operations master roles. |
| As needed. | Reduce the workload on a PDC emulator. |
| As needed. | Decommission an operations master role holder. |
| As needed. | Seize operations master roles. |
| As needed. | Choose a standby operations master. |
| As needed. | Relocate directory database files. |
| As needed. | Return unused disk space from the directory database to the file system. |
| As needed. | Speed removal of an expired-tombstone backlog. |
| As needed. | Change the space allocated to the Staging Area folder. |
| As needed. | Relocate the Staging Area folder. |
| As needed. | Move SYSVOL by using the Active Directory Installation Wizard. |
| As needed. | Move SYSVOL manually. |
| As needed. | Update the SYSVOL path. |
| As needed. | Restore and rebuild SYSVOL. |
| As needed. | Configure a time source for the forest. |
| As needed. | Configure a reliable time source on a computer other than the PDC emulator. |
| As needed. | Configure a client to request time from a specific time source. |
| As needed. | Optimize the polling interval. |
| As needed. | Disable the Windows Time Service. |
| As needed. | Prepare a domain controller for long disconnection. |
| As needed. | Reconnect a long-disconnected domain controller. |
| As needed. | Remove lingering objects from an outdated writable domain controller. |
| As needed. | Remove lingering objects from a global catalog server. |
| As needed. | Create an external trust (between a Windows 2000 domain and a Windows NT 4.0 domain, or between domains in different forests). |
| As needed. | Create a shortcut trust. |
| As needed. | Remove a manually created trust. |
| As needed. | Prevent unauthorized privilege escalation. |
| As needed. | Add a new site. |
| As needed. | Add a subnet to the network. |
| As needed. | Link sites for replication. |
| As needed. | Change site link properties. |
| As needed. | Move a domain controller to a different site. |
| As needed. | Remove a site. |

Monitoring Active Directory


Monitoring the distributed Active Directory service and the services that it relies upon helps maintain consistent directory data and the needed level of service throughout the forest. You can monitor important indicators to discover and resolve minor problems before they develop into potentially lengthy service outages. Most large organizations with many domains or remote physical sites require an automated monitoring system such as Microsoft Operations Manager 2000 (MOM) to monitor important indicators. An automated monitoring system provides the consolidation and timely problem resolution that administering Active Directory successfully requires.

Benefits for End-Users


Monitoring Active Directory helps resolve issues in a timely manner, and users experience the following benefits:
- Improved reliability of productivity applications that rely on back-end servers, such as e-mail.
- Quicker logon time and more reliable resource usage.
- Decreased help desk support issues.


Benefits for Administrators


Monitoring Active Directory provides administrators with a centralized view of Active Directory across the entire forest. By monitoring important indicators, administrators can realize the following benefits:
- Higher customer satisfaction, because issues can be resolved before users notice problems.
- Increased service levels, due to improved reliability and system understanding.
- Greater schedule flexibility and ability to prioritize workload, due to early notification of problems, allowing resolution of issues while they are still a lower priority.
- Increased ability for the system to cope with periodic service outages.

Monitoring Active Directory also assures administrators that:
- All necessary services that support Active Directory are running on each domain controller.
- Data is consistent across all domain controllers and end-to-end replication completes in accordance with your service level agreements.
- Lightweight Directory Access Protocol (LDAP) queries respond quickly.
- Domain controllers do not experience high CPU usage.
- The central monitoring console collects all events that can adversely affect Active Directory.

Risks of Not Monitoring Active Directory


Systematic monitoring is necessary to ensure consistent service delivery in a large environment with many domain controllers, domains, or physical sites. As a distributed service, Active Directory relies upon many interdependent services distributed across many devices and in many remote locations. As you increase the size of your network to take advantage of the scalability of Active Directory, monitoring becomes more important. It helps you avoid potentially serious problems, including:
- Logon failure. Logon failure can occur throughout the domain or forest if a trust relationship or name resolution fails, or if a global catalog server cannot determine universal group membership.
- Account lockout. User and service accounts can become locked out if the PDC emulator is unavailable in the domain or replication fails between several domain controllers.
- Domain controller failure. If the drive containing the Ntds.dit file runs out of disk space, the domain controller stops functioning.
- Application failure. Applications that are critical to your business, such as Microsoft Exchange or another e-mail application, can fail if address book queries into the directory fail.
- Inconsistent directory data. If replication fails for an extended period of time, objects (known as lingering objects and re-animated objects) can be left in the directory and might require extensive diagnosis and time to eliminate.
- Account creation failure. A domain controller is unable to create user or computer accounts if it exhausts its supply of relative IDs and the RID master is unavailable.
- Security policy failure. If the SYSVOL shared folder does not replicate properly, Group Policy objects and security policies are not properly applied to clients.

Levels of Monitoring

Use a cost-benefit analysis to determine the degree or level of monitoring that you need for your environment. Compare the cost of formalizing a monitoring solution with the costs associated with service outages and the time that is required to diagnose and resolve problems that might occur. The level of monitoring also depends on the size of your organization and your service level needs. Organizations with few domains and domain controllers, or that do not provide a critical level of service, might only need to periodically check the health of a single domain controller by using the built-in tools provided in Windows 2000 Server. Larger organizations that have many domains, domain controllers, or sites, or that provide a critical service and cannot afford the cost of lost productivity due to a service outage, need to use an enterprise-level monitoring solution such as MOM. Enterprise-level monitoring solutions use agents or local services to collect the monitoring data and consolidate the results on a central console. They also take advantage of the physical network topology to reduce network traffic and increase performance. In a complex environment, directory administrators need enterprise-level monitoring to derive meaningful data and to make good decisions and analysis. For more information about MOM, see http://www.microsoft.com/mom/.

Active Directory Monitoring During the Deployment Phase

As a best practice, deploy monitoring with the first domain controller. By integrating monitoring into the design and deployment process, you can avoid many of the problems that arise during deployment. Because monitoring solutions require network connectivity between the monitored servers and the management consoles, you must account for particular TCP/IP ports and bandwidth usage. As with any sophisticated service, implement a monitoring solution such as MOM in a lab before you deploy it in a production environment.

Service-Level Baseline

A baseline represents service level needs as performance data. By setting thresholds that indicate when the baseline boundaries are exceeded, your monitoring solution can generate alerts to inform the administrator of degraded performance and jeopardized service levels. For example, you can use performance indicators to set a baseline and monitor for low disk space on the disk drives that contain the Active Directory database and log files, and you can monitor CPU usage of a domain controller. You can also monitor critical services running on a domain controller. Monitoring these indicators allows the administrator to ensure adequate performance.

To determine an accurate baseline, monitor and collect data for a time period that is long enough to represent peak and low usage. For example, monitor during the time in the morning when the greatest number of users log on. Monitor for an interval that is long enough to span your password change policy and any month-end or other periodic processing that you perform. Also, collect data when network demands are low to determine this minimal level. Be sure to collect data when your environment is functioning properly. To accurately assess what is acceptable for your environment, remove data caused by network outages or other failures when you establish your baseline.

The baseline that you establish for your environment can change over time as you add new applications, users, hardware, and domain infrastructure to the environment, and as the expectations of users change. Over time, the directory administrator might look for trends and changes that occur, and take actions designed to meet the increased demands on the system and maintain the desired level of service. Such actions might include fine-tuning the software configuration and adding new hardware.

Determining the thresholds at which alerts are generated to notify the administrator that the baseline has been exceeded is a delicate balance between providing too much information and not enough. The vendor of your monitoring solution, such as MOM, can provide general performance thresholds, but you must periodically adjust these thresholds to meet your service level requirements. To adjust these thresholds, first collect and analyze the monitoring data to determine what is acceptable or usual activity for your environment. After you gather a good data sample and consider your service level needs, you can set meaningful thresholds that trigger alerts. To determine thresholds:
- For each performance indicator, collect monitoring data and determine the minimum, maximum, and average values.
- Analyze the data with respect to your service level needs.
- Adjust thresholds to trigger alerts when indicators cross the parameters for acceptable service levels.

As you become more familiar with the monitoring solution you choose, it becomes easier to correlate the thresholds that trigger the alerts to your service level delivery. If you are uncertain, it is usually better to set the thresholds low to view a greater number of alerts. As you understand the alerts you receive and determine why you receive them, you can raise the threshold at which alerts are generated, thereby reducing the amount of information that you receive from your monitoring solution. MOM uses thresholds that are a reasonable starting point and work for the majority of medium-sized customers. Larger organizations might need to increase the thresholds.
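The baseline procedure above (collect samples over a healthy period, drop outage data, take the minimum, maximum and average, then set a threshold with some headroom) as a worked PowerShell example. This is an added example, not code from the guide or from MOM: the Get-Baseline and Test-Threshold functions and every sample value are constructed for illustration; only the counter paths named in the comments are real Windows performance counters.

```powershell
# Added example, not part of the guide. Builds a baseline from counter samples
# collected while the environment was healthy, converts it to an alert
# threshold, and evaluates new samples against it. Counter paths in comments
# are real Windows counters; every sample value below is constructed.

function Get-Baseline {
    param(
        [Parameter(Mandatory)] [double[]] $Values,                   # samples from a healthy period
        [ValidateSet('Above', 'Below')] [string] $AlertWhen = 'Above',
        [double] $Headroom = 0.20                                     # margin beyond the observed extreme
    )
    if ($Values.Count -eq 0) { throw 'No healthy samples to baseline.' }
    $stats  = $Values | Measure-Object -Minimum -Maximum -Average
    $sorted = @($Values | Sort-Object)
    $idx    = [int][math]::Ceiling(0.95 * $sorted.Count) - 1
    if ($idx -lt 0) { $idx = 0 }
    # CPU-style counters alert above the peak; free-space-style counters alert below the trough.
    $threshold = if ($AlertWhen -eq 'Above') { $stats.Maximum * (1 + $Headroom) } else { $stats.Minimum * (1 - $Headroom) }
    [pscustomobject]@{
        AlertWhen = $AlertWhen
        Minimum   = $stats.Minimum
        Maximum   = $stats.Maximum
        Average   = [math]::Round($stats.Average, 2)
        P95       = $sorted[$idx]
        Threshold = [math]::Round($threshold, 2)
    }
}

function Test-Threshold {
    param([Parameter(Mandatory)] $Baseline, [Parameter(Mandatory)] [double[]] $Values)
    foreach ($v in $Values) {
        $breach = if ($Baseline.AlertWhen -eq 'Above') { $v -gt $Baseline.Threshold } else { $v -lt $Baseline.Threshold }
        [pscustomobject]@{ Value = $v; Threshold = $Baseline.Threshold; Alert = $breach }
    }
}

# Constructed samples of '\Processor(_Total)\% Processor Time' taken every 15
# minutes across the morning logon peak. The 09:15 sample overlapped a known
# replication outage and is excluded, as the guide recommends.
$cpuSamples = @(
    [pscustomobject]@{ Time = '08:00'; Value = 22; Outage = $false }
    [pscustomobject]@{ Time = '08:15'; Value = 41; Outage = $false }
    [pscustomobject]@{ Time = '08:30'; Value = 63; Outage = $false }
    [pscustomobject]@{ Time = '08:45'; Value = 58; Outage = $false }
    [pscustomobject]@{ Time = '09:00'; Value = 47; Outage = $false }
    [pscustomobject]@{ Time = '09:15'; Value = 98; Outage = $true  }
    [pscustomobject]@{ Time = '09:30'; Value = 30; Outage = $false }
)
$healthyCpu  = $cpuSamples | Where-Object { -not $_.Outage } | ForEach-Object { [double] $_.Value }
$cpuBaseline = Get-Baseline -Values $healthyCpu -AlertWhen Above        # Threshold = 63 * 1.2 = 75.6

# Constructed samples of '\LogicalDisk(D:)\% Free Space' for the volume holding Ntds.dit.
$freeBaseline = Get-Baseline -Values @(34, 33, 31, 30, 30) -AlertWhen Below   # Threshold = 30 * 0.8 = 24

$cpuBaseline
Test-Threshold -Baseline $cpuBaseline  -Values @(52, 80)    # 80 exceeds 75.6: Alert = True
Test-Threshold -Baseline $freeBaseline -Values @(27, 19)    # 19 is below 24:  Alert = True

# On a live domain controller, replace the constructed arrays with a collection
# long enough to span the logon peak, for example a day of 5-second samples:
#   (Get-Counter '\Processor(_Total)\% Processor Time' -SampleInterval 5 -MaxSamples 17280).CounterSamples.CookedValue
```

The direction parameter matters: a disk-space counter on the Ntds.dit volume has to alert when it falls below its trough, while CPU alerts above its peak, so a single "maximum plus headroom" rule would never fire for the more dangerous of the two. Start with the lower headroom if you are unsure, then raise the threshold once you understand why alerts fire, as the text advises.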

Requirements for Monitoring

Managing an enterprise-level directory requires monitoring many important indicators. Failure to monitor all of the important indicators can create gaps in coverage. Use any monitoring solution that best suits your needs, but monitor the necessary important indicators to ensure that all aspects of Active Directory are functioning properly. MOM monitors all of the important indicators. For more information about monitoring Active Directory, see http://www.microsoft.com/ad. For more information about MOM, see http://www.microsoft.com/mom/. For more information about installing MOM, see http://www.microsoft.com/mom/docs/DeployGuide.doc.

Relationship Between Monitoring and Troubleshooting

The goal of a comprehensive monitoring solution is to monitor all of the important indicators and provide alerts that are concise, highly relevant, and lead an operator to resolve the problem. Ideally, the monitoring solution alerts the operator only when a problem requires action. In this case, monitoring alerts are the first indicator that a problem exists. If the operator cannot easily resolve the problem that generated an alert, you might want to create a help desk ticket to begin troubleshooting and root-cause analysis. Your monitoring solution can initiate your troubleshooting processes or flowcharts.

Monitoring helps ensure that the Active Directory service is available for service requests. Active Directory is designed to be fault tolerant and can continue to operate if individual servers are unavailable for periodic maintenance or while operators troubleshoot them. You can assure a high degree of reliability by monitoring the distributed services that make up Active Directory, and resolving issues as they develop. In addition to providing increased service availability, the relationship between monitoring and troubleshooting increases your understanding of the root causes of most problems that arise. As your environment becomes more reliable, monitoring alerts more precisely indicate the cause of new problems that arise.

Reports

Many important problems do not cause alerts, but they still require periodic attention. Your monitoring solution might generate reports that display data over time and present patterns that indicate problems. Review the reports to resolve issues before they generate alerts.

Frequency of Monitoring Tasks

You can perform the daily, weekly, and monthly tasks as specified in the following tables, but you must adjust the frequency to meet the needs of your particular environment and monitoring solution.

Daily Monitoring Tasks

Table 1.5 Daily Tasks and Their Importance

Task: Verify that all domain controllers are communicating with the central monitoring console or collector.
Importance: Communication failure between the domain controller and the monitoring infrastructure prevents you from receiving alerts, so you cannot examine and resolve them.

Task: View and examine all new alerts on each domain controller, resolving them in a timely fashion.
Importance: This precaution helps you avoid service outages.

Task: Resolve alerts indicating that the following services are not running: FRS, Net Logon, KDC, W32Time, ISMSERV. MOM reports these as Active Directory Essential Services.
Importance: Active Directory depends on these services. They must be running on every domain controller.

Task: Resolve alerts indicating that SYSVOL is not shared.
Importance: Active Directory cannot apply Group Policy unless SYSVOL is shared.

Task: Resolve alerts indicating that the domain controller is not advertising itself.
Importance: Domain controllers must register DNS records to be able to respond to LDAP and other service requests.

Task: Resolve alerts indicating time synchronization problems.
Importance: The Kerberos authentication protocol requires that time be synchronized between all domain controllers and the clients that use it.

Task: Resolve all other alerts in order of severity. If alerts are given error, warning, and information status similar to the event log, resolve alerts marked error first.
Importance: The highest priority alerts indicate the most serious risk to your service level.
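The domain-controller rows of Table 1.5 (essential services running, SYSVOL shared, the domain controller advertising itself, time synchronized) as a script a practitioner can run at the start of each day. This is an added example, not part of the guide or of MOM. It assumes it is run locally on a current Windows Server domain controller with the ActiveDirectory and DnsClient modules and the dcdiag and w32tm tools available; the guide itself describes Windows 2000, where these tools existed but PowerShell did not. The function name, the 60-second offset limit and the DFSR substitution for FRS are this example's own choices.

```powershell
# Added example, not part of the guide. Runs the daily checks from Table 1.5
# locally on a domain controller and returns one finding per check. Assumes a
# current Windows Server DC with the ActiveDirectory and DnsClient modules and
# the dcdiag/w32tm tools on the path (an assumption; the guide targets Windows 2000).

function Test-DomainControllerDaily {
    param(
        [string] $Domain = $env:USERDNSDOMAIN,
        [double] $MaxOffsetSeconds = 60      # alert well inside the 5-minute Kerberos skew tolerance
    )
    $server   = $env:COMPUTERNAME
    $findings = New-Object 'System.Collections.Generic.List[object]'
    function Add-Finding([string] $Check, [bool] $Pass, [string] $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # 1. Essential services. The guide lists FRS, Net Logon, KDC, W32Time and ISMSERV;
    #    a DC whose SYSVOL has migrated to DFS Replication runs DFSR instead of NtFrs.
    $sysvolSvc = if (Get-Service -Name DFSR -ErrorAction SilentlyContinue) { 'DFSR' } else { 'NtFrs' }
    foreach ($name in @($sysvolSvc, 'Netlogon', 'Kdc', 'W32Time', 'IsmServ')) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { Add-Finding "Service $name" $false 'not installed' }
        else                { Add-Finding "Service $name" ($svc.Status -eq 'Running') "$($svc.Status)" }
    }

    # 2. SYSVOL and NETLOGON must be shared, or Group Policy cannot be applied.
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        $s = Get-SmbShare -Name $share -ErrorAction SilentlyContinue
        Add-Finding "Share $share" ($null -ne $s) $(if ($s) { $s.Path } else { 'not shared' })
    }

    # 3. The DC must advertise itself: dcdiag's Advertising test plus the SRV record clients look up.
    $adv     = (& dcdiag.exe /test:Advertising "/s:$server" 2>&1) -join "`n"
    $advLine = $adv -split "`n" | Where-Object { $_ -match 'test Advertising' } | Select-Object -First 1
    if (-not $advLine) { $advLine = 'dcdiag produced no Advertising result' }
    Add-Finding 'Advertising' ($adv -match 'passed test Advertising') $advLine
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
    $registered = @($srv | Where-Object { $_.NameTarget -like "$server.*" }).Count -gt 0
    Add-Finding 'DNS SRV record' $registered "_ldap._tcp.dc._msdcs.$Domain"

    # 4. Time: Kerberos needs clocks within tolerance across DCs and clients.
    $pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
    if ($pdc -like "$server.*") {
        # The PDC emulator is the forest's reference; its own source must not be the local clock.
        $src = (& w32tm.exe /query /source 2>&1) -join ' '
        Add-Finding 'Time source' ($src -notmatch 'Local CMOS Clock') "PDC emulator source: $src"
    } else {
        $chart = (& w32tm.exe /stripchart "/computer:$pdc" /samples:3 /dataonly 2>&1) -join "`n"
        $m     = [regex]::Matches($chart, '([+-]\d+\.\d+)s')      # lines look like "10:34:21, +00.0089451s"
        if ($m.Count -eq 0) { Add-Finding 'Time offset' $false "no reply from $pdc" }
        else {
            $offset = [math]::Abs([double] $m[$m.Count - 1].Groups[1].Value)
            Add-Finding 'Time offset' ($offset -le $MaxOffsetSeconds) ('{0:N3}s from {1}' -f $offset, $pdc)
        }
    }
    return $findings
}

$results = Test-DomainControllerDaily
$results | Format-Table -AutoSize
# Anything that failed is the day's work list, in the priority order Table 1.5 gives.
$results | Where-Object { -not $_.Pass }
```

Run it under an account that can query the domain and execute dcdiag; failures in the first three groups are exactly the alerts the table tells you to clear first, and a growing time offset is worth acting on long before it reaches the five-minute Kerberos limit.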

Weekly Monitoring Tasks

Table 1.6 Weekly Tasks and Their Importance

Task: Review the Time Synchronization Report to detect intermittent problems and resolve time-related alerts.
Importance: The Kerberos authentication protocol requires that time be synchronized between all domain controllers and the clients that use it.

Task: Review the Authentication Report to help resolve problems generated by computer accounts with expired passwords.
Importance: Expired passwords must be reset to allow the computers to authenticate and participate in the domain.

Task: Review the Duplicate Service Principal Name Report to list all security principals that have a service principal name conflict.
Importance: User or computer accounts cannot be authenticated or log on if they share an SPN with another account.

Task: Review a report of the top alerts generated by the Active Directory monitoring indicators and resolve those items that occur most frequently.
Importance: The report shows the alerts that occur most often. Focusing on the top alert generators significantly reduces the number of alerts seen by the operator.

Task: Review the report that lists all trust relationships in the forest and check for obsolete, unintended, or broken trusts.
Importance: Authentication between domains or forests requires trust relationships.

Monthly Monitoring Tasks

Table 1.7 Monthly Tasks and Their Importance

Task: Verify that all domain controllers are running with the same service pack and hot fix patches.
Importance: Potential issues can arise if distributed services are running with different versions of software.

Task: Review all Active Directory reports and adjust thresholds as needed. Examine each report and determine which reports, data, and alerts are important for your environment and service level agreement.
Importance: Examining the data that is relevant to your environment allows you to determine the thresholds that trigger the alerts to your service level delivery.

Task: Review the Replication Monitoring Report to verify that replication throughout the forest occurs within acceptable limits.
Importance: Timely replication helps assure that you meet your service level agreements.

Task: Review the Active Directory response time reports.
Importance: Services must respond quickly for the system to function properly and for applications such as e-mail to work properly.

Task: Review the domain controller disk space reports.
Importance: The drives containing the Active Directory database and log files must have sufficient free space to accommodate growth and routine processing.

Task: Review all performance-related reports. These reports are called Health Monitoring reports in MOM.
Importance: These reports can help you determine the baseline for your environment and adjust thresholds.

Task: Review all performance-related reports for capacity planning purposes to ensure that you have enough capacity for current and expected growth. These reports are called Health Monitoring reports in MOM.
Importance: These reports help you track growth trends in your environment and plan for future hardware and software needs.

Task: Adjust performance counter thresholds or disable rules that are not applicable to your environment or that generate irrelevant alerts.
Importance: Monitoring indicators must be adjusted to suit your environment. The goal is to provide alerts that are concise, highly relevant, and lead an operator to resolve the problem.

Active Directory Backup and Restore

Active Directory is backed up as part of system state, a collection of system components that depend on each other. You must back up and restore system state components together. The components that comprise the system state on a domain controller are:
- System start-up files (boot files). The files required for Windows 2000 Server to start.
- System registry.
- Class registration database of Component Services. The Component Object Model (COM) is a binary standard for writing component software in a distributed systems environment.
- SYSVOL. The system volume provides a default Active Directory location for files that must be shared for common access throughout a domain. The SYSVOL folder on a domain controller contains:
  - NETLOGON shared folders. These usually host user logon scripts and Group Policy objects (GPOs) for network clients that are not based on Windows 2000.
  - User logon scripts for Windows 2000 Professional-based clients and clients that are running Windows 95, Windows 98, or Windows NT 4.0.
  - Windows 2000 GPOs.
  - File system junctions.
  - File Replication service (FRS) staging directories and files that are required to be available and synchronized between domain controllers.
- Active Directory. Active Directory includes:
  - Ntds.dit: the Active Directory database.
  - Edb.chk: the checkpoint file.
  - Edb*.log: the transaction logs, each 10 megabytes (MB) in size.
  - Res1.log and Res2.log: reserved transaction logs.


Note

Best performance practice states that the Active Directory logs and database files should be on separate disks. If you have configured your domain controllers in this manner, you will have Active Directory components spread out on multiple drives, such as D:\Winnt\NTDS for your logs and E:\Winnt\NTDS for your database. You do not need to specify these log and database locations in order for them to be backed up; the backup utility automatically locates and includes them when you back up system state.

If you use Active Directory-integrated DNS, the zone data is backed up as part of the Active Directory database. If you do not use Active Directory-integrated DNS, you must explicitly back up the zone files. However, if you back up the system disk along with the system state, your zone data is backed up as part of the system disk.

If you installed Windows Clustering or Certificate Services on your domain controller, they are also backed up as part of system state. Details of these components are not discussed in this guide.

General Guidelines for Backup

The backup tool in Windows 2000 Server supports multiple types of backup: normal, copy, incremental, differential, and daily. However, because Active Directory is backed up as part of system state, the only type of backup available for Active Directory is normal. A normal backup creates a backup of the entire system state while the domain controller is online. In addition, the backup tool marks each file as a backed up file, which clears the archive attribute of the file.

Considerations for Ensuring a Good Backup

To ensure a successful restore from backup, you must know what defines a good backup.

Which domain controllers to back up. At a minimum, back up two domain controllers in each domain, one of which should be an operations master role holder (excluding the relative ID (RID) master, which should not be restored). Note that backup data from a domain controller can only be used to restore that domain controller. You cannot use a backup of one domain controller to restore another.

Contents. A good backup includes at least the system state and the contents of the system disk. Backing up the system disk ensures that all the required system files and folders are present so you can successfully restore the data.

Age. A backup that is older than the tombstone lifetime set in Active Directory is not a good backup. At a minimum, perform at least two backups within the tombstone lifetime. The default tombstone lifetime is 60 days. Active Directory incorporates the tombstone lifetime into the backup and restore process as a means of protecting itself from inconsistent data. Deleting an object from Active Directory is a two-step process. When an object is deleted in Active Directory, the object is converted into a tombstone, which is then replicated to the other domain controllers in the environment to inform them of the deletion. Active Directory purges the tombstone when the tombstone lifetime is reached. If you restore a domain controller to a state prior to the deletion of an object, and the tombstone for that object is not replicated to the restored domain controller before the tombstone expires, the object remains present only on the restored domain controller, resulting in inconsistent data. Thus, you must restore the domain controller prior to expiration of the tombstone, and allow inbound replication from a domain controller containing the tombstone to complete prior to expiration of the tombstone.

Active Directory protects itself from restoring data older than the tombstone lifetime by disallowing the restore. As a result, the useful life of a backup is equivalent to the tombstone lifetime setting for the enterprise.
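The age rule above (a backup is good only inside the tombstone lifetime, and at least two backups should exist within it) as a worked PowerShell example. This is an added example, not code from the guide. Reading the lifetime from the directory assumes a current Windows Server with the ActiveDirectory module; the Test-BackupSchedule function, its seven-day safety margin and the backup dates are constructed for illustration.

```powershell
# Added example, not part of the guide. Decides whether existing system-state
# backups are still "good" under the tombstone-lifetime rule and when the next
# backup is due. Get-TombstoneLifetime assumes the ActiveDirectory module; the
# backup dates below are constructed.

function Get-TombstoneLifetime {
    # The value lives on CN=Directory Service,CN=Windows NT,CN=Services,<configuration NC>.
    # When the attribute is absent, Active Directory uses 60 days, the default the guide cites.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { [int] $ds.tombstoneLifetime } else { 60 }
}

function Test-BackupSchedule {
    param(
        [Parameter(Mandatory)] [datetime[]] $BackupDates,   # completed system-state backups of this DC
        [int] $TombstoneLifetimeDays = 60,                   # pass (Get-TombstoneLifetime) on a live forest
        [datetime] $Now = (Get-Date),
        [int] $SafetyMarginDays = 7                          # time to restore and finish inbound replication
    )
    $window = $Now.AddDays(-$TombstoneLifetimeDays)
    $usable = @($BackupDates | Where-Object { $_ -gt $window } | Sort-Object -Descending)
    $newest = if ($usable.Count -gt 0) { $usable[0] } else { $null }
    # A backup stays good until the tombstone lifetime elapses; stop trusting it a margin
    # earlier so the restore and the inbound replication of the tombstones it missed can
    # complete before those tombstones are purged.
    $newestExpires = if ($newest) { $newest.AddDays($TombstoneLifetimeDays - $SafetyMarginDays) } else { $null }
    # Keeping two backups inside every lifetime means the next one is due before the
    # second-newest usable backup ages out.
    $nextDue = if ($usable.Count -ge 2) { $usable[1].AddDays($TombstoneLifetimeDays) } else { $Now }
    [pscustomobject]@{
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        UsableBackups         = $usable.Count
        NewestUsable          = $newest
        NewestExpires         = $newestExpires
        MeetsTwoPerLifetime   = ($usable.Count -ge 2)
        NextBackupDueBy       = $nextDue
    }
}

# Constructed history: three backups, one already outside the 60-day window on 2024-03-20.
$backups = @([datetime]'2024-01-05', [datetime]'2024-02-20', [datetime]'2024-03-10')
Test-BackupSchedule -BackupDates $backups -Now ([datetime]'2024-03-20')
# UsableBackups = 2 (2024-02-20 and 2024-03-10; 2024-01-05 is 75 days old and no longer good)
# NewestExpires = 2024-05-02; MeetsTwoPerLifetime = True; NextBackupDueBy = 2024-04-20

# On a live domain controller, feed in the real lifetime and backup history instead:
#   Test-BackupSchedule -BackupDates $backups -TombstoneLifetimeDays (Get-TombstoneLifetime)
```

On Windows Server 2008 and later the dates come from Windows Server Backup (`wbadmin get versions` lists each backup with its time; `wbadmin start systemstatebackup -backupTarget:<volume>` takes the system-state backup the guide describes with NTBackup). Keep the RID master out of the restore set regardless of what this schedule reports, as the text above requires.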

General Guidelines for Restore

You can start the restore process by using either the Windows 2000 Server backup utility or another supported utility. You can perform either a non-authoritative restore or an authoritative restore.

How to Select the Appropriate Restore Method

You select the appropriate restore method by considering:
- Circumstances and characteristics of the failure. The two major categories of failure, from an Active Directory perspective, are Active Directory data corruption and hardware failure. Active Directory data corruption occurs when the directory contains corrupt data that has been replicated to all domain controllers, or when a large portion of the Active Directory hierarchy has been changed accidentally (such as deletion of an OU) and this change has replicated to other domain controllers.
- Roles and functions of the failed server.

Non-authoritative Restore of Active Directory

A non-authoritative restore returns the domain controller to its state at the time of backup, then allows normal replication to overwrite that state with any changes that have occurred after the backup was taken. After you restore the system state, the domain controller queries its replication partners. The replication partners replicate any changes to the restored domain controller, ensuring that the domain controller has an accurate and updated copy of the Active Directory database. Non-authoritative restore is the default method for restoring Active Directory, and you will use it in most situations that result from Active Directory data loss or corruption. To perform a non-authoritative restore, you must be able to start the domain controller in Directory Services Restore Mode.

Non-authoritative Restore of SYSVOL

When you non-authoritatively restore SYSVOL, the local copy of SYSVOL on the restored domain controller is compared with that of its replication partners. After the domain controller restarts, it contacts its replication partners, compares SYSVOL information, and replicates any necessary changes, bringing it up to date with the other domain controllers within the domain. Perform a non-authoritative restore of SYSVOL if at least one other functioning domain controller exists in the domain. This is the default method for restoring SYSVOL and occurs automatically if you perform a non-authoritative restore of Active Directory. If no other functioning domain controller exists in the domain, perform a primary restore of SYSVOL instead. A primary restore builds a new File Replication service (FRS) database by loading the data present under SYSVOL on the local domain controller. This method is the same as a non-authoritative restore, except that SYSVOL is marked primary.


Authoritative Restore of Active Directory

An authoritative restore is an extension of the non-authoritative restore process. You must perform the steps of a non-authoritative restore before you can perform an authoritative restore. The main difference is that an authoritative restore increments the version number of the attributes of all objects in an entire directory, all objects in a subtree, or an individual object (provided that it is a leaf object) to make it authoritative in the directory. Restore the smallest unit necessary; for example, do not restore the entire directory in order to restore a single subtree. As with a non-authoritative restore, after a domain controller is back online, it contacts its replication partners to determine any changes since the time of the last backup. However, because the version number of the object attributes that you want to be authoritative will be higher than the existing version numbers of the attributes held on replication partners, the object on the restored domain controller will appear to be more recent and therefore will be replicated out to the rest of the domain controllers within the environment.

Unlike a non-authoritative restore, an authoritative restore requires the use of a separate tool, Ntdsutil.exe. No backup utility, including the Windows 2000 Server system tools, can perform an authoritative restore. An authoritative restore will not overwrite new objects that have been created after the backup was taken. You can authoritatively restore only objects from the configuration and domain naming contexts. Authoritative restores of the schema naming context are not supported. Perform an authoritative restore when human error is involved, such as when an administrator accidentally deletes a number of objects, that change replicates to the other domain controllers, and you cannot easily recreate the objects. To perform an authoritative restore, you must start the domain controller in Directory Services Restore Mode.

Authoritative Restore of SYSVOL

By authoritatively restoring SYSVOL, you are specifying that the copy of SYSVOL that is restored from backup is authoritative for the domain. After the necessary configurations have been made, Active Directory marks the local SYSVOL as authoritative and it is replicated to the other domain controllers within the domain. The authoritative restore of SYSVOL does not occur automatically after an authoritative restore of Active Directory; additional steps are required. As with an Active Directory authoritative restore, you typically perform an authoritative restore of SYSVOL when human error is involved and the error has replicated to other domain controllers. For example, you might perform an authoritative restore of SYSVOL if an administrator has accidentally deleted an object that resides in SYSVOL, such as a Group Policy object.
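The Ntdsutil step of the authoritative restore of Active Directory described above (run in Directory Services Restore Mode after the non-authoritative restore, restore the smallest unit, never the schema naming context) as a worked PowerShell wrapper. This is an added example, not from the guide: ntdsutil.exe and its "authoritative restore", "restore object", "restore subtree" and "verinc" commands are real, but the Invoke-AuthoritativeRestore function, its checks, the -Preview switch and the sample DN are this example's own. The "activate instance ntds" command it issues exists on Windows Server 2008 and later; the Windows 2000 Ntdsutil the guide describes does not use it.

```powershell
# Added example, not part of the guide. Wraps the ntdsutil step that turns a
# completed non-authoritative restore into an authoritative one. ntdsutil.exe and
# its "authoritative restore" / "restore object" / "restore subtree" / "verinc"
# commands are real; the wrapper, its safety checks and the sample DN are this
# example's own. "activate instance ntds" applies to Windows Server 2008 and later
# only (an assumption about the platform; Windows 2000 ntdsutil does not use it).

function Invoke-AuthoritativeRestore {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [ValidateSet('Object', 'Subtree')] [string] $Scope = 'Object',
        [int] $VersionIncrement = 0,     # 0 = let ntdsutil use its default increment
        [switch] $Preview                # show the exact command instead of running it
    )

    # Authoritative restores of the schema naming context are not supported; refuse them up front.
    if ($DistinguishedName -match '(^|,)CN=Schema,CN=Configuration,') {
        throw "Authoritative restore of the schema naming context is not supported: $DistinguishedName"
    }

    # This step belongs in Directory Services Restore Mode, after the system state has been
    # restored non-authoritatively and before the DC is restarted normally.
    if (-not $Preview) {
        $bcd = (& bcdedit.exe /enum '{current}' 2>&1) -join "`n"
        if ($bcd -notmatch 'safeboot\s+DsRepair') {
            throw 'This domain controller is not booted in Directory Services Restore Mode.'
        }
    }

    # Restore the smallest unit that covers the loss: a single leaf object, or the
    # subtree rooted at a container when a whole OU was deleted.
    $cmd = "restore $($Scope.ToLower()) $DistinguishedName"
    if ($VersionIncrement -gt 0) { $cmd += " verinc $VersionIncrement" }
    $ntdsutilArgs = @('activate instance ntds', 'authoritative restore', $cmd, 'quit', 'quit')

    if ($Preview) {
        return 'ntdsutil.exe ' + (($ntdsutilArgs | ForEach-Object { '"' + $_ + '"' }) -join ' ')
    }
    & ntdsutil.exe @ntdsutilArgs          # ntdsutil asks for confirmation before marking the objects
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil exited with code $LASTEXITCODE" }
}

# Sample DN (constructed): an OU an administrator deleted, with the deletion already
# replicated. Preview the exact command first, then run it for real in DSRM.
Invoke-AuthoritativeRestore -DistinguishedName 'OU=Sales,DC=corp,DC=example,DC=com' -Scope Subtree -Preview
# -> ntdsutil.exe "activate instance ntds" "authoritative restore" "restore subtree OU=Sales,DC=corp,DC=example,DC=com" "quit" "quit"

# After the restore, restart normally and confirm from a replication partner that the
# restored attributes carry the raised version numbers and have replicated back in:
#   repadmin /showobjmeta <partner-dc> "OU=Sales,DC=corp,DC=example,DC=com"
```

Objects created after the backup survive this, as the text states, because only the restored attributes get their version numbers raised. Remember that marking SYSVOL authoritative is a separate procedure; this wrapper touches the directory only.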

Recover a Domain Controller Through Reinstallation

To recover a domain controller through reinstallation, you do not restore the system state from backup media; instead, you reinstall Windows, install Active Directory, and allow replication partners to bring the recovered domain controller up to date. Recovering a domain controller through reinstallation can quickly return the computer to service if the following conditions exist:
- A domain controller has failed and you cannot restart in Directory Services Restore Mode.
- If the failure was caused by a hardware failure, you have resolved the hardware problem (for example, by replacing the disk).
- There are other domain controllers in the domain to serve as replication partners.
- The computer is functioning only as a domain controller (it does not run other server services such as Exchange), and it does not contain other data that needs to be recovered from a backup.

Restore a do!ain controller throu(h reinstallation and restore $ro! bac'up


(his method in ol es *irst reinstalling Windows 5666, to ena)le you to start in Directory Ser ices Restore Mode, During the Windows 5666 Ser er setu$ $rocess, you will o)tain more in*ormation a)out the nature o* the *ailure and you can then determine whether you can reinstall Windows 5666 Ser er into the same $artition as it was $re iously installed or whether you will need to re+$artition the dri e, A*ter you success*ully reinstall Windows 5666, you can start in Directory Ser ices Restore Mode and $er*orm a normal non+authoritati e restore *rom )ac&u$ media, Restore a domain controller through reinstallation and restore the system state *rom )ac&u$ i* the *ollowing conditions e<ist: A domain controller has *ailed and you cannot restart in Directory Ser ices Restore mode, /* *ailure was caused )y a hardware *ailure, you ha e resol ed the hardware $ro)lem 8*or e<am$le, )y re$lacing the dis&9, @ou ha e the *ollowing in*ormation a)out the *ailed domain controller: Dis& con*iguration, @ou need a record o* the olumes and si.es o* the dis&s and $artitions, @ou use this in*ormation to recreate the dis& con*iguration in the case o* a com$lete dis& *ailure, @ou must recreate all dis& con*igurations $rior to restoring system state, -ailure to recreate all dis& con*igurations can cause the restore $rocess to *ail and can $re ent you *rom starting the domain controller *ollowing the restore, Com$uter name, @ou need the com$uter name to restore a domain controller o* the same name and a oid changing client con*iguration settings, Domain mem)ershi$, @ou must &now the domain name )ecause e en i* the com$uter name does not change, you might need to re+esta)lish a new com$uter account, Local Administrator $assword, @ou must &now the local com$uter1s Administrator $assword that was used when the )ac&u$ was created, Without it, you will not )e a)le to log on to the com$uter to esta)lish a domain account *or the com$uter a*ter you restore it, /* you are not $art o* the domain, you 
will not )e a)le to log on )y using a domain account, e en i* you are a domain administrator, (he local Administrator $assword is also re:uired to restore the system state on a domain controller,

2"

Chapter Number 1

Managing Active Directory

4ote
&on$i(urin( !ultiple (lobal catalo(s servers in a $orest increases the availability o$ the syste!E but also increases replication tra$$ic and database si<e. I$ you do restore the $ailed do!ain controller and !aintain its role as a (lobal catalo( serverE you !i(ht want to re!ove any additional (lobal catalo(s servers that you con$i(ured durin( its absence.

(he domain controller is running other ser er ser ices such as !<change, or contains other data you must restore *rom a )ac&u$, @ou ha e a good )ac&u$, made within the tom)stone li*etime,

Considerations for restoring operations masters

To restore an operations master role holder, you must perform one of the following procedures:

- Restore the failed operations master from backup.
- Seize the role to another domain controller within the environment. Seize the operations master role only if you do not intend to restore the original role holder from backup. For more information about seizing operations master roles, see "Managing Operations Masters" in this guide.

Restoring the RID Master can result in Active Directory data corruption, so it is not recommended. Restoring the Schema Master can result in orphaned objects, so it is not recommended.

Considerations for recovering global catalog servers

To recover the global catalog server you can either:

- Restore the failed global catalog server from backup.
- Assign a new global catalog to compensate for the loss of the original.

Restoring from backup is the only way that a domain controller that was functioning as a global catalog at the time of backup can automatically be restored to the role of global catalog. Restoring a domain controller by reinstallation does not automatically reinstate the global catalog role. In a multi-domain environment, be aware that restoring a global catalog server from backup requires more time than restoring a domain controller that does not host the global catalog. As there are no real disadvantages in configuring multiple global catalogs, you might want to create a new global catalog in your environment if you anticipate an extended downtime for the failed global catalog server. Creating a new global catalog server is particularly relevant if users associated with the original global catalog server can no longer access a global catalog server, or if the requirement for the global catalog service is significant in your environment, such as when you are running Exchange 2000. For more information about creating a new global catalog server, see "Managing Global Catalog Servers" in this guide.

Considerations for restoring onto different hardware

It is possible to restore a domain controller onto different hardware. However, you should consider the following issues:

- Different hardware abstraction layers (HALs). By default, the Hal.dll is not backed up as part of system state; however, the Kernel32.dll is. Therefore, if you try to restore a backup onto a computer that requires a different HAL (for example, to support a multiprocessor environment), compatibility issues exist between the new HAL and the original Kernel32.dll. To overcome this incompatibility, manually copy the Hal.dll from the original computer and install it on the new computer. The limitation is that the new computer can use only a single processor.
- Incompatible Boot.ini file. If you back up and restore the Boot.ini file, you might have some incompatibility with your new hardware configuration, resulting in a failure to start. Before you restore it, ensure that the Boot.ini file is correct for your new hardware environment.
- Different network or video cards. If your new hardware has a different video adapter or multiple network adapters, then uninstall them before you restore data. When you restart the computer, the normal Plug and Play functionality makes the necessary changes.
- Disk space and partition configuration. Partitions on the new computer must match those on the original computer. Specifically, all the drive mappings must be the same and the partition size must be at least equal to that on the original computer.

Considerations for authoritative restores

Impact on group membership
Performing an authoritative restore can affect group membership and passwords for trusts and computer accounts. By performing an authoritative restore, you risk possible loss of group membership information. Because group membership is a multi-valued attribute, and because of how Active Directory handles links, back links and deletions, an authoritative restore can produce varying results to group membership. These variations are based on which objects replicate first after an authoritative restore: the User object or the Group object. If the un-deletion of the user replicates first, then the group membership information of both the group (the members it contains) and the user (the groups to which the user belongs) will be represented correctly. If the un-deletion of the group replicates first, the replication partners will drop the addition of the (locally) deleted user from the group membership. The only exception to this is the user's primary group, which is always represented correctly both from the user and group reference. You cannot control which object replicates first after you perform an authoritative restore. If your environment is affected by this situation, the only option is to modify the group membership attribute of the affected groups on the domain controller where you performed the authoritative restore. This issue stems not from the integrity of the restored data, but from the way in which the data is replicated. By looking at this domain controller, administrators can view the way the directory should look and take steps to replicate the accurate directory information to the other domain controllers within the domain.

The best way to do this is to add a fictitious user and then delete that same fictitious user to and from each group that was involved in the authoritative restore. A group is involved in the restore if it was either authoritatively restored itself or if it had members restored who did not have that group defined as their primary group. By doing this, you force the correct group membership information to be replicated out from the source domain controller (the domain controller on which you performed the original authoritative restore) and update the group membership information on its replication partners. These updated objects reflect the correct memberships and also correct the information represented in the Member Of tab of the restored user objects' properties. You must ensure that no additions are made to group membership (for the affected groups and users) on any of the other domain controllers within the environment. If you do not adhere to this process, the accurate version of the directory (held on the domain controller where the restore was performed) can become corrupted by the incorrect membership information. If the accurate version of the directory becomes corrupted, you must either update group membership manually or perform another authoritative restore of the objects by using the verinc option, and perform the process again.

Impact on trusts and computer accounts
In Windows 2000, trust relationships and computer account passwords are negotiated at a specified interval (by default 30 days for trust relationships and computer passwords). When you perform an authoritative restore, you might restore previously used passwords for the objects in the Active Directory that maintain trust relationships and computer accounts. In the case of trust relationships, this can impact communication with other domain controllers from other domains, causing permissions errors when users try to access resources in other domains. To rectify this, you must remove and recreate NTLM trust relationships to Windows 2000 or Windows NT 4.0 domains. In the case of a computer account password, this can impact communications between the member workstation or server and a domain controller of its domain. This effect might cause users on Windows NT or Windows 2000 computers to have authentication difficulty due to an invalid computer account.

Backup and Restore Tasks and Procedures

Table 1.7 shows the tasks and procedures for backup and restore.

Table 1.7 Backup and Restore Tasks and Procedures

Task: Back up Active Directory and associated components.
Procedures: Back up system state on a domain controller. Back up system state and system disk on a domain controller.
Tools: NTBackup.exe
Frequency: At least twice within the tombstone lifetime

Task: Perform a non-authoritative restore.
Procedures: Restart the domain controller in Directory Services Restore Mode (locally or remotely). Restore from backup media. Verify Active Directory restore.
Tools: NTBackup.exe, Ntdsutil.exe, Event Viewer, Repadmin.exe
Frequency: As needed

Task: Perform an authoritative restore of a subtree or leaf object.
Procedures: Restart in Directory Services Restore Mode. Restore from backup media for authoritative restore. Restore system state to an alternate location. Perform authoritative restore of the subtree or leaf object. Restart in normal mode. Restore applicable portion of SYSVOL from alternate location. Verify Active Directory restore.
Tools: NTBackup.exe, Ntdsutil.exe, Event Viewer, Repadmin.exe
Frequency: As needed

Task: Perform an authoritative restore of the entire directory.
Procedures: Restart in Directory Services Restore Mode. Restore from backup media for authoritative restore. Restore system state to an alternate location. Restore the database. Restart in normal mode. Copy SYSVOL from alternate location. Verify Active Directory restore.
Tools: NTBackup.exe, Ntdsutil.exe, Event Viewer, Repadmin.exe
Frequency: As needed

Task: Recover a domain controller through reinstallation.
Procedures: Clean up metadata. Install Windows 2000 Server. Install Active Directory.
Tools: Ntdsutil.exe, Active Directory Sites and Services, Active Directory Users and Computers, Dcpromo.exe
Frequency: As needed

Task: Restore a domain controller through reinstallation and subsequent restore from backup.
Procedures: Install Windows 2000 Server on the same drive letter and partition as before the failure, partitioning the drive if necessary. Restore from backup media (non-authoritative restore). Verify Active Directory restore.
Tools: NTBackup.exe
Frequency: As needed

Backing Up Active Directory and Associated Components

To back up Active Directory and associated components on a domain controller, you can back up only system state or you can back up both system state and the system disk.

Procedures for Backing Up Active Directory and Associated Components

Use one of the following procedures to back up Active Directory and associated components. Procedures are explained in detail in the linked topics.

1. Back up system state.
2. Back up system state and the system disk.

Performing a Non-Authoritative Restore

Non-authoritative restore is the default method for restoring Active Directory, and you use it in most situations that result from Active Directory data loss or corruption. You must be able to start in Directory Services Restore Mode to perform a non-authoritative restore. After you restore the domain controller from backup media, replication partners use the standard replication protocols to update both the Active Directory and FRS on the restored domain controller.

Procedures for Performing a Non-Authoritative Restore

Use the following procedures to perform a non-authoritative restore of a domain controller. Procedures are explained in detail in the linked topics.

1. Restart the domain controller in Directory Services Restore Mode (locally or remotely).
2. Restore from backup media.
3. Verify Active Directory restore.

Performing an Authoritative Restore of a Subtree or Leaf Object

An authoritative restore of a subtree or leaf object restores that subtree or leaf and marks it as authoritative for the directory. You begin by restoring from backup media, just as in a non-authoritative restore, but then you perform additional steps to complete an authoritative restore.

Procedures for Authoritative Restore of a Subtree or Leaf Object

Use the following procedures to perform an authoritative restore of an Active Directory subtree or leaf object. Procedures are explained in detail in the linked topics.

1. Restart the domain controller in Directory Services Restore Mode (locally or remotely).
2. Restore from backup media for authoritative restore.
3. Restore system state to an alternate location.
4. Perform authoritative restore of the subtree or leaf object.
5. Restore applicable portion of SYSVOL from alternate location if necessary.
6. Verify Active Directory restore.

Performing an Authoritative Restore of Entire Directory

Authoritative restore of the entire directory is a major operation. Perform an authoritative restore of the entire directory only after consultation with a Microsoft Support professional. Do not perform an authoritative restore of the entire directory if only one domain controller exists in the domain.

Procedures for Authoritative Restore of the Entire Directory

Use the following procedures to perform an authoritative restore of the entire Active Directory. Procedures are explained in detail in the linked topics.

1. Restart the domain controller in Directory Services Restore Mode (locally or remotely).
2. Restore from backup media.
3. Restore system state to an alternate location.
4. Perform authoritative restore of entire directory.
5. Restore SYSVOL from alternate location.
6. Verify Active Directory restore.

Recovering a Domain Controller Through Reinstallation

Recovering through reinstallation is the same process as creating a new domain controller. It does not involve restoring from backup media. This method relies on Active Directory replication to restore a domain controller to a working state, and is only valid if another healthy domain controller exists in the same domain. This option is normally used on computers that function only as a domain controller.

Bandwidth Considerations
The primary consideration when recovering a domain controller through replication is bandwidth. The bandwidth required is directly proportional to the size of the Active Directory database and the time in which the domain controller is required to be at a functioning state. Ideally, the existing functional domain controller is located in the same Active Directory site as the replicating domain controller (new domain controller) in order to reduce network impact and restore duration.

Procedures for Recovering a Domain Controller Through Reinstallation

Use the following procedures to recover a domain controller. Procedures are explained in detail in the linked topics.

1. Clean up metadata.
2. Reinstall Windows 2000 Server. (This procedure is not covered in this guide.)
3. Install Active Directory. During the installation process, replication occurs, ensuring that the domain controller has an accurate and up to date copy of the Active Directory.

For more information about seizing operations master roles, see "Installing Active Directory" in this guide.

Restoring a Domain Controller Through Reinstallation and Subsequent Restore from Backup

If you cannot restart a domain controller in Directory Services Restore Mode, you can restore a domain controller through reinstallation and subsequently restore Active Directory from backup. This option is normally used on domain controllers that also run other services, such as Exchange, or have other data you want to recover.

Procedures for Restoring a Domain Controller Through Reinstallation and Subsequent Restore from Backup

To restore a domain controller through reinstallation and subsequently restore Active Directory from backup, you must ensure that you install Windows 2000 Server on the same drive letter and on a partition that is at least as large as the partition used before the failure. You must repartition the drive if necessary. After you reinstall Windows 2000, perform a non-authoritative restore of the system state and the system disk. Procedures are explained in detail in the linked topics.

1. Install Windows 2000 Server on the same drive letter and partition as before the failure. (This procedure is not covered in this guide.)
2. Restore from backup media.
3. Verify Active Directory restore.

Managing Domain Controllers

While individual domain controllers require little management, your overall operations environment might require change-related tasks, such as adding or removing domain controllers, or reintroducing a domain controller that has been offline for more than one replication cycle. During your day-to-day operations, you might need to do some or all of the following:

- Install and remove Active Directory
- Rename domain controllers
- Manage global catalog servers
- Manage operations masters
- Manage the database
- Manage SYSVOL
- Manage Windows Time Service
- Manage long-disconnected domain controllers

Installing and Removing Active Directory

Only domain controllers can host Active Directory. All servers that are not domain controllers must access the directory in the same manner as the workstations. They send requests for information to a domain controller, which processes the request and returns the information back to them. Domain controllers store and maintain portions of the directory. They also have services that allow them to directly store and retrieve information from the directory. These services are referred to as the Active Directory. When you install Active Directory on a Windows 2000-based server, it becomes a Windows 2000-based domain controller. The process of removing Active Directory involves steps similar to those for installation. You run many of the same tests before you remove the directory as you run before you install the directory. These tests ensure that the process occurs without any problems. In the event that a domain controller suffers a hardware failure and you plan to never return it to service, you must take additional steps to remove it from the directory.

The Active Directory Installation Wizard

You install Active Directory by running the Active Directory Installation Wizard on a Windows 2000-based server. The wizard simplifies the process by automating as much of the installation process as possible. During the installation, the wizard asks for the name of the domain that you want this domain controller to host, and for the location where you want to install required files. To run the Active Directory Installation Wizard, you must be a member of the Domain Admins group.

Active Directory Installation Prerequisites

This guide covers the installation of Active Directory in an environment that is configured according to the best practices described in Best Practice Active Directory Design for Managing Windows Networks and Best Practice Active Directory Deployment for Managing Windows Networks. To download these guides, see the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. They describe the process of planning your forests and domains and provide recommendations for deploying DNS. They also provide guidelines for estimating the number of domains as well as the number of domain controllers in each domain. Before you begin your installation, the following conditions must exist in your environment:

- Your Active Directory forest must already exist. At least two properly functioning domain controllers must reside in the forest root.
- Your Active Directory domain must already exist. At least two properly functioning domain controllers must reside in the domain.
- DNS must be functioning properly.
- You must use Active Directory-integrated DNS zones.
- You must configure at least one domain controller as a DNS server.

Note
Creating or removing a domain or forest is beyond the scope of this guide. This guide does not cover deploying DNS into an environment that has not previously hosted a DNS infrastructure. For information about these options, see the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources and the Microsoft Windows 2000 Server Deployment Planning Guide.

Note
For better performance, store the log files and the Ntds.dit file on separate hard disks.

Active Directory Installation Preparation

Properly preparing for the installation of Active Directory decreases the chances of problems during the installation process and helps you quickly complete the operation. Preparation includes installing and configuring DNS and gathering information that you need for the installation. Configure all domain controllers as DNS servers. Install the DNS Server service prior to installing Active Directory. Follow the recommendations mentioned earlier so that your domain is already configured, DNS is functioning, and you have Active Directory-integrated DNS zones. Installing the DNS Server service prior to installing Active Directory allows the DNS Server service to automatically start using the DNS zones that are stored in the directory after you complete the Active Directory installation. The installation wizard asks for specific configuration information, such as the domain administrator's user name and password, the location of the directory database and log files, and the password needed to use Directory Services Restore Mode, before it begins installing Active Directory. Have that information ready before you run the Active Directory Installation Wizard.

Active Directory Installation

During the installation, the Active Directory Installation Wizard communicates with other domain controllers to obtain configuration information. This information can come from any domain controller in the same domain. The Active Directory Installation Wizard also communicates with the various operations masters so that the new domain controller can properly join the domain and be added to the directory. For this process to succeed, the wizard must be able to communicate with the various domain controllers involved. Test these channels of communication prior to installing Active Directory to help ensure that the process does not encounter problems during the installation. After successfully testing the communication paths, the Active Directory Installation Wizard installs Active Directory on the server to make it a domain controller. During the installation process, the wizard asks for the information that you gathered during the preparation phase. After the wizard finishes, it restarts the domain controller and the installation completes during the restart process.

Active Directory Post-installation Tasks

After you complete the installation of Active Directory, perform some validation tests to ensure that the domain controller is properly joined to the domain and is functioning as expected. The areas you must test include:

- Site placement
- DNS configuration
- Network connectivity
- SYSVOL
- Replication

If your tests show that all of these areas are configured and functioning properly, the Active Directory installation is successful.

Active Directory Unattended Installation

You can automate the Active Directory installation process by performing an unattended installation. You can create an answer file to answer the questions that the Active Directory Installation Wizard asks during the installation. The installation does not require user input and proceeds quickly. For more information about unattended installation options, see "Using the Answer File with the Active Directory Installation Wizard" in the Deployment Planning Guide.

Domain Controller Removal

A domain controller can be removed from a domain in one of two ways: by removing Active Directory or by a system failure that renders the domain controller inoperable so that you cannot restore it to service.

Active Directory removal

Similarly to how you can install Active Directory to turn a Windows 2000-based server into a domain controller, you can remove Active Directory and turn a Windows 2000-based domain controller back into a server. This process removes most of the references to the domain controller from the directory. You must manually remove the server object that represents the domain controller from the computer container after you remove Active Directory. This method properly removes the domain controller from the directory.

Domain controller failure

A hardware failure on a domain controller can render it inoperable. If the problem is severe enough, you might never be able to return the domain controller to service. In this case, the other domain controllers eventually reconfigure themselves so that they can continue to replicate directory information without the failed domain controller. When a domain controller is removed from the domain without removing Active Directory, all the information about that domain controller remains in the directory. You must take additional steps to remove this information from the directory.

Active Directory Installation and Removal Management Tasks and Procedures

Table 1.8 shows the tasks and procedures for managing Active Directory installation and removal.

Table 1.8 Active Directory Installation and Removal Management Tasks and Procedures

Task: Prepare for Active Directory installation.
Procedures: Install the DNS Server service. Gather installation information.
Tools: Control Panel
Frequency: As needed.

Task: Install Active Directory.
Procedures: Verify DNS registration and functionality. Verify that an IP address maps to a subnet and determine the site association. Verify communication with other domain controllers. Verify the existence of operations masters. Install Active Directory.
Tools: Dcdiag.exe and Netdiag.exe, Dcpromo.exe
Frequency: As needed.

Task: Perform Active Directory post-installation tasks.
Procedures: Determine whether a server object has child objects. Verify the site assignment of a domain controller. Move a domain controller to a different site. Configure DNS server recursive name resolution. Perform final DNS configuration. Check the status of the shared system volume. Verify DNS registration and functionality. Verify domain membership for the new domain controller. Verify communication with other domain controllers. Verify replication is functioning. Verify the existence of the operations masters.
Tools: Active Directory Sites and Services, DNS snap-in, Dcdiag.exe and Netdiag.exe
Frequency: As needed.

Task: Decommission a domain controller.
Procedures: View the current operations master role holders. Transfer the forest-level operations master roles. Transfer the domain-level operations master roles. Determine whether a domain controller is a global catalog server. Verify DNS registration and functionality. Verify communication with other domain controllers. Verify the existence of the operations masters. Remove Active Directory. Determine whether a server object has child objects. Delete a server object from a site.
Tools: Active Directory Users and Computers, Active Directory Sites and Services, Dcdiag.exe and Netdiag.exe, Dcpromo.exe
Frequency: As needed.

Preparing for Active Directory Installation

Preparation helps the Active Directory installation proceed successfully. To prepare for the installation process, you must have the appropriate domain information and credentials available before you start the Active Directory Installation Wizard. It is recommended that you configure all domain controllers as DNS servers. You must have your DNS server configuration information available for that portion of the installation process.

DNS Service Installation

Domain controllers use DNS to locate other domain controllers that are hosting Active Directory. Configure every domain controller as a DNS server to help ensure that a DNS server is always available. Using Active Directory-integrated DNS zones simplifies the configuration required because you do not need to create the zone files on each DNS server. Active Directory-integrated zones are stored in the directory and are replicated to each domain controller along with other Active Directory data. When you start a domain controller that also runs DNS, the DNS Server service detects the zones in the directory and uses them.

Before you install DNS server on a domain controller that you want to host Active Directory-integrated zones, ensure that you already have other domain controllers functioning in the domain with at least one configured as a DNS server that uses Active Directory-integrated zones. For more information about DNS configuration and operations master role placement, see Best Practice Active Directory Design for Managing Windows Networks and Best Practice Active Directory Deployment for Managing Windows Networks. To download these guides, see the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Active Directory Installation Information

Gather the information that you must supply to the Active Directory Installation Wizard before you run the wizard.

Procedures for Preparing for Active Directory Installation

To prepare for the Active Directory installation, install the DNS Server service on the server that you want to make a domain controller and gather the information that you must supply to the Active Directory Installation Wizard.

1. Install the DNS Server service.
2. Gather installation information, including:
   - The user name, password, and the domain that contains the user account that you intend to use to run the Active Directory Installation Wizard.
   - The name of the domain that you want the new domain controller to host.
   - Location for the Active Directory database (Ntds.dit).
   - Location for the log files.
   - Location for the Shared System Volume (SYSVOL).
   - The server administrator account name and password to use in Directory Services Restore Mode.

Installing Active Directory

You install Active Directory by using the Active Directory Installation Wizard (DCPromo.exe). During installation, the wizard contacts other domain controllers for information that it needs to complete the installation. If the wizard cannot communicate with other domain controllers, the installation fails. To help ensure successful installation, test the communication channels prior to running the wizard.

Site Placement
During installation, the Active Directory Installation Wizard attempts to place the new domain controller in the appropriate site. The appropriate site is determined by the domain controller's IP address and subnet mask. The wizard uses the IP information to calculate the subnet address of the domain controller and checks to see if a subnet object exists in the directory for that subnet address. If the subnet object exists, the wizard uses it to place the new server object in the appropriate site. If not, the wizard places the new server object in the same site as the domain controller that is being used as a source to replicate the directory database to the new domain controller. Make sure the subnet object has been created for the desired site prior to running the wizard.
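The subnet-to-site decision described above, modeled in Python as an added example (not code from this guide or from the wizard itself) so that you can check where a planned domain controller would land before running the wizard. The subnet objects, site names and addresses are constructed sample data, and the list of broader subnet objects that contain the address is an added diagnostic hint for spotting a wrong subnet mask, not a step the wizard performs.

```python
from dataclasses import dataclass
from ipaddress import IPv4Interface, IPv4Network


@dataclass(frozen=True)
class SubnetObject:
    """A subnet object from the Sites container. The name is the network in
    CIDR form, as Active Directory Sites and Services displays it."""
    name: str   # e.g. "10.1.0.0/16"
    site: str   # site the subnet object is associated with

    @property
    def network(self) -> IPv4Network:
        return IPv4Network(self.name)


# Constructed sample subnet objects; not taken from any real directory.
SAMPLE_SUBNETS = [
    SubnetObject("10.1.0.0/16", "Seattle"),
    SubnetObject("10.2.5.0/24", "Portland"),
    SubnetObject("192.168.100.0/22", "Denver"),
]


def derive_subnet(ip: str, mask: str) -> IPv4Network:
    """Calculate the subnet address from the DC's IP address and subnet mask,
    as the wizard does: keep the network bits, clear the host bits."""
    return IPv4Interface(f"{ip}/{mask}").network


def place_domain_controller(ip, mask, subnets, source_dc_site):
    """Model the wizard's decision: a subnet object for exactly this subnet
    wins; otherwise the server object goes to the source DC's site.
    Returns (site, matched_subnet_object)."""
    dc_subnet = derive_subnet(ip, mask)
    for subnet in subnets:
        if subnet.network == dc_subnet:
            return subnet.site, True
    return source_dc_site, False


def check_planned_placement(ip, mask, subnets, source_dc_site, desired_site):
    """Pre-flight check to run before the wizard: report where the new DC
    would be placed and, on a miss, which broader subnet objects contain its
    address (a common sign of a wrong mask on the DC or on the subnet object)."""
    dc_subnet = derive_subnet(ip, mask)
    site, matched = place_domain_controller(ip, mask, subnets, source_dc_site)
    hints = [s.name for s in subnets
             if not matched and dc_subnet != s.network and dc_subnet.subnet_of(s.network)]
    return {
        "subnet": str(dc_subnet),
        "site": site,
        "matched_subnet_object": matched,
        "ok": site == desired_site,
        "containing_subnet_objects": hints,
    }


if __name__ == "__main__":
    # Three planned DCs with a constructed source DC in Seattle.
    for ip, mask, desired in [("10.1.20.7", "255.255.0.0", "Seattle"),
                              ("10.1.20.7", "255.255.255.0", "Seattle"),
                              ("10.3.0.9", "255.255.255.0", "Boise")]:
        r = check_planned_placement(ip, mask, SAMPLE_SUBNETS, "Seattle", desired)
        status = "OK" if r["ok"] else "FIX SUBNET OBJECT BEFORE RUNNING WIZARD"
        print(f"{ip}/{mask}: {r['subnet']} -> {r['site']} [{status}] "
              f"containing subnet objects: {r['containing_subnet_objects']}")
```

A DC that lands in the right site only through the source-DC fallback (matched_subnet_object is False but ok is True) still indicates a missing subnet object, which is worth fixing before the wizard runs.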

Domain Connectivity
During the installation process, the Active Directory Installation Wizard needs to communicate with other domain controllers in order to join the new domain controller to the domain. The wizard needs to communicate with a member of the domain to receive the initial copy of the directory database for the new domain controller. It needs to communicate with the domain naming master so that the new domain controller can be added to the domain. The wizard also needs to contact the RID master so that the new domain controller can receive its RID pool, and it needs to communicate with another domain controller in order to populate the SYSVOL shared folder on the new domain controller. All of this communication depends on proper DNS installation and configuration. By using Netdiag.exe and Dcdiag.exe, you can test all of these connections prior to starting the Active Directory Installation Wizard.

The Active Directory Installation Wizard

After you have gathered all the information that you need to run the Active Directory Installation Wizard and performed the tests to verify that all of the necessary domain controllers are available, you are ready to install Active Directory on your server and turn it into a domain controller. You need to log on with local administrative credentials to start the wizard. Start the wizard and supply the information you gathered earlier. If the wizard asks for information that you did not gather, such as whether you want to install the DNS Server service, it is indicating that it cannot locate the DNS servers. The wizard assumes that none exist and asks you if you want to install one. Running the verification tests prior to using the installation wizard helps prevent this kind of situation from happening.

Note
If any of the verification tests fail, do not continue until you determine and fix the problems. If these tests fail, the installation is also likely to fail.

During the installation process, the wizard asks for information that it needs to properly configure the new domain controller. First, it asks if you want to install a domain controller in a new domain or an additional domain controller in an existing domain. Because this guide pertains to adding domain controllers to domains that already exist, choose Additional domain controller in an existing domain. During the installation process, the wizard needs to communicate with other domain controllers in order to add this new domain controller to the domain and get the appropriate information into the Active Directory database. To maintain security, you must provide credentials that have administrative access to the directory. Once your credentials are validated, the wizard guides you through the following steps:

- The wizard asks for a user name, password, and domain name of the account it uses to add this domain controller to the directory.
- The wizard then asks for the name of the domain that you want this new domain controller to host. Enter the fully qualified domain name of the appropriate domain.
- Next, the wizard asks where you want to store the Active Directory database and the database log files. For better performance, store these files on separate hard disks.
- The wizard then asks for the location where you want to store the shared System Volume (SYSVOL). Ensure that the location has adequate disk space. For more information about ensuring adequate disk space for SYSVOL, see "Managing Sysvol" later in this guide.
- The wizard then asks for the password that is assigned to the Directory Services Restore Mode administrator account. This account is not the domain administrator account or the local administrator account on the server, but a special account that can only be used when the domain controller starts in Directory Services Restore Mode.
- Before installation begins, the wizard displays a dialog box that summarizes the information that you supplied. Verify that the information is correct before the installation process begins.

Procedures for Installing Active Directory

1. Verify DNS registration and functionality.
2. Verify that an IP address maps to a subnet and determine the site association.
3. Verify communication with other domain controllers.
4. Verify the existence of the operations masters.
5. Install Active Directory.
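Steps 1 through 4 above are what an operator would script before running the wizard. The following PowerShell function is an added example; it is not part of the Active Directory Operations Guide, whose own procedures use Nltest.exe, Dcdiag.exe and the snap-ins interactively, and it is not a Microsoft tool. It assumes that it runs on the server about to be promoted, on Windows Server 2012 R2 or later with the RSAT ActiveDirectory module, Resolve-DnsName and Test-NetConnection available, that the server's DNS client already points at the domain's DNS servers, and that corp.example.com is a placeholder domain name. Each check maps to one of the guide's steps: SRV registration, site association via nltest, TCP reachability of every existing domain controller, and reachability of each operations master.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the Active Directory Operations Guide). Assumes it runs on
# the server about to be promoted, on Windows Server 2012 R2 or later with the RSAT
# ActiveDirectory module, Resolve-DnsName and Test-NetConnection available, and that
# the server's DNS client already points at the domain's DNS servers.

function Test-DcPrerequisites {
    param([Parameter(Mandatory)][string]$DomainName)

    $failures = [System.Collections.Generic.List[string]]::new()

    # 1. DNS registration: the wizard finds existing DCs through these locator records.
    #    Missing records are why the wizard offers to install DNS on the new server.
    $dcHosts = @()
    foreach ($srv in "_ldap._tcp.dc._msdcs.$DomainName", "_kerberos._tcp.dc._msdcs.$DomainName") {
        $records = @(Resolve-DnsName -Name $srv -Type SRV -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'SRV' })
        if ($records.Count -eq 0) { $failures.Add("No SRV records for $srv"); continue }
        $dcHosts += $records.NameTarget
    }
    $dcHosts = @($dcHosts | Sort-Object -Unique)

    # 2. Site association: if no subnet object covers this server's address, nltest
    #    reports no site for it and the server object would land in the source DC's site.
    $site = $null
    foreach ($line in @(& nltest.exe "/dsgetdc:$DomainName" 2>&1)) {
        if ($line -match 'Our Site Name:\s*(\S+)') { $site = $Matches[1] }
    }
    if (-not $site) { $failures.Add('nltest reports no site for this computer; check the subnet objects') }

    # 3. Communication with every existing DC on the ports the wizard uses:
    #    LDAP (389), Kerberos (88), SMB for SYSVOL (445), RPC endpoint mapper (135).
    foreach ($dc in $dcHosts) {
        foreach ($port in 389, 88, 445, 135) {
            $tcp = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            if (-not $tcp.TcpTestSucceeded) { $failures.Add("$dc unreachable on TCP $port") }
        }
    }

    # 4. Operations masters: the new DC needs the RID master for its first RID pool and
    #    the PDC emulator for password changes, so each role holder must answer LDAP.
    $domain = Get-ADDomain -Identity $DomainName
    $forest = Get-ADForest -Identity $domain.Forest
    $roleHolders = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($role in $roleHolders.Keys) {
        $holder = $roleHolders[$role]
        if (-not $holder) { $failures.Add("$role has no recorded holder"); continue }
        $tcp = Test-NetConnection -ComputerName $holder -Port 389 -WarningAction SilentlyContinue
        if (-not $tcp.TcpTestSucceeded) { $failures.Add("$role holder $holder does not answer on LDAP") }
    }

    [pscustomobject]@{
        Domain            = $DomainName
        Site              = $site
        DomainControllers = $dcHosts
        RoleHolders       = $roleHolders
        Failures          = @($failures)
        ReadyToPromote    = ($failures.Count -eq 0)
    }
}

# Usage: the domain name is a placeholder; stop before step 5 (running the wizard) on any failure.
$result = Test-DcPrerequisites -DomainName 'corp.example.com'
$result.Failures | ForEach-Object { Write-Warning $_ }
if (-not $result.ReadyToPromote) { throw 'Fix the failures above before running the Active Directory Installation Wizard.' }
$result
```

The function deliberately fails closed: a single unreachable role holder or a missing site association is reported as a blocker rather than a warning, which is the behaviour the Note above asks for.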

Performing Active Directory Post-Installation Tasks

After completing the installation of Active Directory, perform some validation tests to ensure that the domain controller is properly installed into the domain and is functioning as expected. Successfully passing these tests is a good indication that the new domain controller is functioning properly. You might also need to perform additional tasks regarding DNS configuration and hosting the global catalog.

Proper Site Placement

You must ensure that the new domain controller is located in the proper site so that after the installation is complete, the new domain controller can locate replication partners and become part of the replication topology. During Active Directory installation, the wizard creates a server object for the new domain controller in the directory and attempts to place the server object in the proper site. To place the server object, the wizard uses the current IP address and subnet mask of the new domain controller. If the subnet associated with the domain controller's IP address is not defined by an existing subnet object, the wizard places the new server object in the same site as the source domain controller, which is the domain controller from which the new domain controller downloaded a copy of the directory database. If the site is not correct, you can use the Active Directory Sites and Services snap-in to move the server object for the domain controller to the proper site after Active Directory installation is complete. The last dialog box displayed by the Active Directory Installation Wizard lists the site where the new domain controller is installed. If this is not the proper site, you must move the server object. For more information about sites or to create a new site object, see "Managing Site Topology" later in this guide.

Final DNS Configuration

If you installed the DNS Server service and made this domain controller a DNS server, you might need to perform some additional configuration of the DNS installation to ensure that it conforms to the recommended practices. The configuration that you must perform depends upon whether this is a new domain controller in the forest root domain or a new domain controller in a child domain. Performing final DNS configuration helps balance the load among your DNS servers and provides redundancy in case a DNS server becomes unavailable.

You might need to add a delegation for the new domain controller. If your forest root domain is a child domain in your corporate DNS domain structure, you must add a delegation for the new domain controller in the forest root's parent DNS domain. If the forest root domain has no parent DNS domain, you do not need to add the delegation. If the new domain controller is located in a child domain of the forest root domain, you must add a delegation for the new domain controller to the forest root domain.

You also need to configure the DNS client settings on the new domain controller. Configure a domain controller in the forest root domain to refer to another DNS server located nearby as its primary DNS server and to refer to itself as the secondary DNS server. If the new domain controller is located in a child domain of the forest root domain, configure the DNS client to use its own IP address as its primary DNS server address, and another local DNS server as the secondary server address.

If the new domain controller is located in a child domain below the forest root, create a secondary zone (in the design this guide assumes, a secondary copy of the forest root's _msdcs zone, which holds the forest-wide locator records) to make the process of locating domain controllers more reliable. Restrict zone transfers for that secondary zone to the servers that need it.

Whether the new domain controller is located in a parent or a child domain, you must also configure the DNS server to use either root hints or forwarders for recursive name resolution. Follow the established method on your network.

Domain Connectivity

After the Active Directory Installation Wizard finishes, the domain controller restarts and performs a few tasks before it is ready to assume its role as a domain controller. It registers itself with its DNS server so that other members of the domain know that it is a domain controller and can locate it. When a new domain controller first joins the network, it receives SYSVOL information from its replication partners. Until it finishes the initial replication of SYSVOL, it does not create the NETLOGON and SYSVOL shared folders and the Net Logon service does not advertise it as a domain controller, both of which are necessary for it to assume the role of a domain controller. Event 13516 in the File Replication Service event log indicates that replication is complete and is working properly. At this point, the Net Logon service begins advertising the server and the domain controller becomes available to the domain.

Note
This process can take 15 minutes or longer to complete, depending on the connection speed between the domain controller and its replication partners.

Domain controllers make changes to the directory and replicate these changes among themselves through a series of connections that are established when the domain controller joins the network. The connections can be generated automatically or an administrator might manually create the connection objects. If these connections are not functioning properly, the domain controller cannot replicate changes to the other domain controllers and cannot receive changes from other domain controllers.

To function properly, domain controllers must periodically communicate with various operations masters. The domain controllers send password changes to the PDC emulator. They receive a RID pool from the RID master. As their pools are depleted, the domain controllers periodically replenish their allocations by sending requests to the RID master. All of these features depend upon communication between the new domain controller and other domain controllers in the domain and forest. When a new domain controller joins the network, perform tests that verify the communication channels used by these features.
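The readiness signals described above (the shares, the FRS event, the Net Logon service, the DNS registration and the replication connections) can be checked together. The following PowerShell function is an added example, not code from the guide or from Microsoft; it assumes it runs on the new domain controller after its post-installation restart, on Windows Server 2012 R2 or later (Get-SmbShare, Resolve-DnsName, Get-CimInstance), and that corp.example.com is a placeholder. FRS event 13516 is the signal the guide cites; DFSR event 4602 in the "DFS Replication" log is assumed here to be the equivalent signal when SYSVOL is replicated by DFSR instead of FRS.

```powershell
# Added example (not from the guide). Run on the new domain controller after its
# post-installation restart, on Windows Server 2012 R2 or later. FRS event 13516 is
# the signal the guide cites; DFSR event 4602 in the "DFS Replication" log is assumed
# here to be the equivalent when SYSVOL is replicated by DFSR instead of FRS.

function Get-LastEvent([string]$LogName, [int]$Id) {
    # Newest matching event, or $null if the log or the event does not exist.
    try { Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id } -MaxEvents 1 -ErrorAction Stop }
    catch { $null }
}

function Test-NewDcReadiness {
    param([Parameter(Mandatory)][string]$DomainName)

    $cs     = Get-CimInstance -ClassName Win32_ComputerSystem
    $fqdn   = "$($cs.Name).$($cs.Domain)"
    $checks = [ordered]@{}

    # The shares are created only after the initial SYSVOL replication finishes.
    $shares = @((Get-SmbShare -ErrorAction SilentlyContinue).Name)
    $checks['SysvolShared']   = $shares -contains 'SYSVOL'
    $checks['NetlogonShared'] = $shares -contains 'NETLOGON'

    # Initial SYSVOL replication complete (FRS 13516 per the guide, DFSR 4602 assumed equivalent).
    $checks['SysvolReplicationDone'] = [bool]((Get-LastEvent 'File Replication Service' 13516) -or
                                              (Get-LastEvent 'DFS Replication' 4602))

    # Net Logon must be running before the DC can advertise itself.
    $checks['NetlogonRunning'] = (Get-Service -Name Netlogon).Status -eq 'Running'

    # DNS registration: this host must be among the domain's DC locator records.
    $srv = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'SRV' })
    $checks['DnsSrvRegistered'] = ($srv.NameTarget -contains $fqdn)

    # Replication connections: repadmin lists every inbound partner and its last result.
    $showrepl = @(& repadmin.exe /showrepl 2>&1)
    $attempts = @($showrepl -match 'Last attempt')
    $checks['HasInboundPartners']   = $attempts.Count -gt 0
    $checks['AllPartnersSucceeded'] = @($attempts -match 'failed').Count -eq 0

    # The locator from this DC's own point of view (the test the guide's nltest procedure uses).
    $locator = @(& nltest.exe "/dsgetdc:$DomainName" 2>&1)
    $checks['LocatorFindsDc'] = @($locator -match 'The command completed successfully').Count -gt 0

    [pscustomobject]@{
        Computer = $fqdn
        Checks   = $checks
        Ready    = -not (@($checks.Values) -contains $false)
    }
}

# Usage (domain name is a placeholder). Re-run until Ready is True; the guide's note says
# the initial SYSVOL replication alone can take 15 minutes or longer.
$r = Test-NewDcReadiness -DomainName 'corp.example.com'
$r.Checks.GetEnumerator() | ForEach-Object { '{0,-24} {1}' -f $_.Key, $_.Value }
if (-not $r.Ready) { Write-Warning "$($r.Computer) is not yet advertising as a domain controller." }
```

Running this in a loop until Ready is True gives the operator the same evidence the guide asks for before moving on to the Configure Other Roles step, without waiting on a fixed timer.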

Configure Other Roles

After the domain controller is functioning properly and you complete verification tests and final DNS configuration, configure any additional roles, such as global catalog server, on the domain controller. For information about configuring a global catalog server, see "Managing Global Catalog Servers" later in this guide.

Procedures for Performing Active Directory Post-Installation Tasks

To perform this task, the site object must already be defined in Active Directory Sites and Services and you must know the site in which you want to place the server object.

1. Determine whether a server object has child objects.
2. Verify the site assignment for the domain controller.
3. Move a server object to a different site if the domain controller is located in the wrong site.
4. Configure DNS server recursive name resolution.
5. Perform final DNS configuration for a new domain controller that is located in the forest root domain:
   a. Create a delegation for the new domain controller in the parent domain of the DNS infrastructure if a parent domain exists and a Microsoft DNS server hosts it. If a Microsoft DNS server does not host the parent domain, follow the procedures outlined in the vendor documentation to add the delegation for the new domain controller.
   b. Configure the DNS client settings.
   - or -
   Perform final DNS configuration for a new domain controller that is located in a child domain:
   c. Create a delegation for the new domain controller in the forest root domain.
   d. Create a secondary zone.
   e. Configure the DNS client settings.
6. Check the status of the shared system volume.
7. Verify DNS registration and functionality.
8. Verify domain membership for the new domain controller.
9. Verify communication with other domain controllers.
10. Verify that replication is functioning.
11. Verify the existence of the operations masters.

Decommissioning a Domain Controller

Just as you can install Active Directory to make a Windows 2000-based server a domain controller, you can also remove Active Directory to make a Windows 2000-based domain controller back into a member server. Removing Active Directory is a similar process to installing it. You use the Active Directory Installation Wizard, and it contacts other domain controllers to copy information from the domain controller that you want to decommission. As with installation, if the domain controller cannot contact the other domain controllers during the Active Directory removal, the process is likely to fail. Perform the same connectivity tests prior to decommissioning a domain controller as you perform prior to installing Active Directory.

This guide does not include procedures for decommissioning the last domain controller in a domain. Decommissioning the last domain controller in a domain constitutes the removal of the domain from the forest. For more information about removing domains, see "Removing Active Directory" in the Windows 2000 Server Distributed Systems Guide.

Operations Master Role Transfer

During the decommissioning process, the Active Directory Installation Wizard transfers the operations master roles to other domain controllers without any user interaction. You do not have control over which domain controller receives the roles. The wizard transfers the roles to any available domain controller and does not indicate which domain controller hosts them. Because of this behavior, transfer any operations master roles prior to running the Active Directory Installation Wizard to decommission a domain controller so that you can control operations master role placement. If you need to transfer any roles from a domain controller, understand all the recommendations for role placement before performing the transfer. For more information about transferring operations master roles and role placement, see "Managing Operations Master Roles" later in this guide.

Global Catalog Removal

If you remove Active Directory from a domain controller that hosts the global catalog, the Active Directory Installation Wizard confirms that you want to continue with removing Active Directory. This confirmation ensures that you are aware that you are removing a global catalog from your environment. Do not remove the last global catalog server from your environment, because in a native-mode domain users cannot log on without an available global catalog server to evaluate their universal group membership. If you are not sure, do not proceed with removing Active Directory until you know that at least one other global catalog server is available. For more information about removing and creating global catalog servers, see "Managing Global Catalog Servers" later in this guide.

Domain Connectivity

During the removal of Active Directory, the Active Directory Installation Wizard must communicate with various domain controllers. Any unreplicated changes to the directory must be replicated to another domain controller. The wizard attempts to connect to another domain controller to replicate these changes. The wizard must contact another domain controller so that Active Directory can remove the domain controller from the directory database. If the domain controller hosts any operations master roles that you chose not to transfer, the wizard must contact another domain controller in order to transfer the operations master roles. If the domain controller cannot contact the other domain controllers during Active Directory removal, the decommissioning operation fails. As with the installation process, test the communication infrastructure prior to running the installation wizard. When you remove Active Directory, use the same connectivity tests that you use during Active Directory installation.

Active Directory Removal

After you transfer operations master roles and verify that all the necessary domain controllers are available, you can use the Active Directory Installation Wizard to remove Active Directory. When you run the wizard on a server that is already a domain controller, it displays the Remove Active Directory options. The wizard asks whether or not this is the last domain controller in the domain and requests the password that is assigned to the local administrator account on the server after Active Directory is removed. Choose a strong password for this account, because once Active Directory is removed the server's local account database is what protects it. Note that the procedures in this guide do not pertain to removing Active Directory from the last domain controller in the domain, because that action also deletes the domain from the forest; do not select that option unless you intend to delete the domain.

Server Object Removal

After removing Active Directory from a domain controller, the Active Directory Installation Wizard removes information about that domain controller from the directory. Because it no longer acts as a domain controller, the server is not part of the replication topology and the directory does not maintain connections to it. During the decommissioning process, the Active Directory Installation Wizard removes the computer object from the Domain Controllers container in Active Directory Users and Computers and removes the NTDS Settings object, together with the connection objects associated with the domain controller, from the server object in Active Directory Sites and Services. The Active Directory Installation Wizard does not delete the server object itself from the site during the removal of Active Directory because other services, such as Microsoft Operations Manager 2000 (MOM), use this container to store their own site-specific information. After you remove Active Directory, you can use the Active Directory Sites and Services snap-in to safely remove the server object that represents the decommissioned domain controller if the server object container is empty.

Procedures for Decommissioning Domain Controllers

1. View the current operations master role holders to see if any roles are assigned to this domain controller.
2. Transfer the forest-level operations master roles to another domain controller in the forest root domain if this domain controller hosts either the schema master or the domain naming master role.
3. Transfer the domain-level operations master roles if this domain controller hosts the PDC emulator, infrastructure master, or RID master role.
4. Determine whether the domain controller is a global catalog server, to ensure that other domain controllers are configured as global catalog servers before you remove Active Directory.
5. Verify DNS registration and functionality.
6. Verify communication with other domain controllers.
7. Verify the existence of the operations masters.
8. Remove Active Directory.
9. Determine whether the server object has child objects.
10. Delete the server object from the site.

Renaming Domain Controllers

Renaming a domain controller that is running Windows 2000 Server involves the following steps:

• Removing Active Directory
• Renaming the computer
• Reinstalling Active Directory
• Restoring the domain controller to its original configuration

When you rename a domain controller, you must reinstall any services that cannot identify the computer name dynamically or that can only operate on a domain controller. You do not need to reinstall any of the services that ship with Windows 2000 Server, such as File and Print sharing or DNS. It is recommended that you do not rename a domain controller unless it is absolutely necessary. For example, it would be necessary to rename a domain controller if:

• You moved the domain controller to another site and the name of the domain controller needs to map to the naming convention of the new site.
• The name of the domain controller was chosen in error; for example, the naming convention requires the site name and a derivative of the domain, but the name includes the incorrect site or domain.

Because renaming a domain controller requires that Active Directory be removed and then reinstalled on the computer, the impact on the network of renaming a domain controller is identical to the impact of installing Active Directory to create a new domain controller or global catalog server.

Renaming Domain Controllers Tasks and Procedures

Table 1.10 lists the tasks and procedures for renaming domain controllers.

Table 1.10 Tasks and Procedures for Renaming Domain Controllers

Task: Identify the current configuration of the domain controller.
  Procedures:
    • Determine whether the domain controller is a global catalog server.
    • View the operations master role holders.
    • Transfer forest-level operations master roles, if appropriate.
    • Transfer domain-level operations master roles, if appropriate.
    • Determine whether the domain controller is a DNS server.
    • Determine the initial change notification delay.
    • Determine whether the domain controller is a preferred bridgehead server.
  Tools: Active Directory Sites and Services; Ntdsutil.exe; Services; Regedit.exe
  Recommended frequency: As needed.

Task: Rename the domain controller.
  Procedures:
    • Remove Active Directory.
    • Rename the member server.
    • Run the Active Directory Installation Wizard.
  Tools: DCPromo.exe; System Control Panel
  Recommended frequency: As needed.

Task: Restore the original configuration of the domain controller.
  Procedures:
    • Configure the domain controller as a global catalog server, if appropriate.
    • Transfer the domain operations master roles, if appropriate.
    • Transfer the forest operations master roles, if appropriate.
    • Create a delegation for the new domain controller, if appropriate.
    • Create a secondary DNS zone, if appropriate.
    • Change the delay for initial notification of an intrasite replication partner, if appropriate.
    • Configure the domain controller as a preferred bridgehead server, if appropriate.
  Tools: Active Directory Sites and Services; Active Directory Users and Computers; Active Directory Domains and Trusts; Regedit.exe
  Recommended frequency: As needed.

Identifying the Current Configuration of a Domain Controller

Because renaming a domain controller involves removing and reinstalling Active Directory, you must be able to reestablish the current configuration of the domain controller after you rename it. Before you begin, identify the current configuration of the domain controller so that you can restore it after you reinstall Active Directory. Specifically, determine the status of the following roles and configurations:

Global catalog server. If the domain controller is a global catalog server, the global catalog partial directory partitions are removed when you remove Active Directory. Therefore, after you rename the domain controller, you need to reconfigure the domain controller as a global catalog server. For information about configuring a domain controller as a global catalog server, see "Managing Global Catalog Servers" in this guide.

Operations master role holder. If the domain controller holds operations master roles, it is recommended that you transfer the roles to the standby master for the roles prior to removing Active Directory. If you do not transfer the roles, they are transferred automatically, but you have no control over the placement of the roles. By manually transferring the roles prior to removing Active Directory, you control the role placement. For information about transferring operations master roles, see "Managing Operations Masters" in this guide.

DNS server. Removing Active Directory does not remove the DNS Server service if it is installed. However, any Active Directory-integrated zones are stored in the directory and disappear from the server along with it, so when you reinstall Active Directory you need to reconfigure the domain controller to assume authority for the appropriate DNS zones and to contain all appropriate delegations. For information about configuring a DNS server after installing Active Directory, see "Managing the Installation and Removal of Active Directory" in this guide.

Initial change notification delay. This server-specific configuration determines how long the domain controller waits before it signals its first replication partner that it has changes. If you changed the default initial change notification delay setting on the domain controller, you need to reconfigure the setting when you reinstall Active Directory.

Preferred bridgehead server. This configuration is not recommended for domain controllers running Windows 2000 Server. However, if the domain controller is configured to be a preferred bridgehead server, you must reconfigure the domain controller as a preferred bridgehead server after you reinstall Active Directory. For more information about using preferred bridgehead servers, see "Managing Site Topology" in this guide.

Procedures for Identifying the Current Configuration of a Domain Controller

Use the following procedures to identify the current configuration of the domain controller. You need to reconfigure the current configuration on the renamed domain controller after you reinstall Active Directory.

1. Determine whether the domain controller is a global catalog server.
2. View the operations master role holders. If roles are held by this domain controller, transfer the roles to the standby operations master prior to removing Active Directory, as follows:
   • If the domain controller holds any forest-level roles, transfer the forest-level operations master roles.
   • If the domain controller holds any domain-level roles, transfer the domain-level operations master roles.
3. Determine whether the domain controller is a DNS server. Make a note of the DNS configuration so that you can reproduce it when you reinstall Active Directory.

Caution
The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back up system state first. For information about backing up system state, see "Active Directory Backup and Restore" in this guide.

4. Determine the initial change notification delay. If this setting has been changed from the default on this domain controller, you need to reconfigure the setting after you rename the server and reinstall Active Directory.
5. Determine whether the domain controller is a preferred bridgehead server.
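Steps 1 through 4 of "Procedures for Decommissioning Domain Controllers" and the five procedures just listed inspect the same things: the roles a domain controller holds, whether it is a global catalog server (and whether it is the last one), and the per-server settings that must be restored after a rename. The following PowerShell functions are an added example that serves both passages; they are not from the guide, which performs these steps with Ntdsutil.exe, Regedit.exe and the snap-ins, and not a Microsoft tool. They assume Windows Server 2012 R2 or later with the RSAT ActiveDirectory module and WinRM access to the target domain controller, that DC01 is a placeholder server name, that the registry value "Replicator notify pause after modify (secs)" under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters is the Windows 2000 name of the initial change notification delay, and that the bridgeheadTransportList attribute on the server object records the preferred-bridgehead designation.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the guide). Assumes Windows Server 2012 R2 or later with the
# RSAT ActiveDirectory module and WinRM access to the target DC. The registry value
# "Replicator notify pause after modify (secs)" under
# HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters is assumed to be the initial
# change notification delay the guide refers to (its Windows 2000 name);
# bridgeheadTransportList on the server object lists the transports for which the
# server is a preferred bridgehead.

function Get-DcConfigurationSnapshot {
    param([Parameter(Mandatory)][string]$DcName)

    $dc     = Get-ADDomainController -Identity $DcName
    $domain = Get-ADDomain -Identity $dc.Domain
    $forest = Get-ADForest -Identity $dc.Forest

    # Operations master roles held here; the wizard would otherwise move them silently.
    $roles = @{
        SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster
        PDCEmulator  = $domain.PDCEmulator;  RIDMaster = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    $heldRoles = @($roles.Keys | Where-Object { $roles[$_] -ieq $dc.HostName })

    # Other global catalog servers in the forest (needed to refuse removing the last one).
    $otherGcs = @(Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
                  Where-Object { $_.HostName -ine $dc.HostName })

    # Preferred bridgehead designation, read from the server object (values are transport DNs).
    $server = Get-ADObject -Identity $dc.ServerObjectDN -Properties bridgeheadTransportList
    $bridgeheadFor = @($server.bridgeheadTransportList | Where-Object { $_ } |
                       ForEach-Object { (($_ -split ',')[0]) -replace '^CN=', '' })

    # Per-machine settings that live only on the DC itself.
    $local = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        [pscustomobject]@{
            DnsServerInstalled = [bool](Get-Service -Name DNS -ErrorAction SilentlyContinue)
            NotifyPauseSecs    = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'Replicator notify pause after modify (secs)'
        }
    }

    [pscustomobject]@{
        DomainController       = $dc.HostName
        Site                   = $dc.Site
        IsGlobalCatalog        = $dc.IsGlobalCatalog
        OtherGlobalCatalogs    = @($otherGcs | ForEach-Object { $_.HostName })
        OperationsMasterRoles  = $heldRoles
        DnsServerInstalled     = $local.DnsServerInstalled
        InitialNotifyDelaySecs = $local.NotifyPauseSecs    # $null means the default is in effect
        PreferredBridgeheadFor = $bridgeheadFor
    }
}

function Get-DemotionBlockers {
    # Conditions under which the guide says not to run the wizard yet.
    param([Parameter(Mandatory)]$Snapshot)
    $blockers = @()
    if ($Snapshot.OperationsMasterRoles.Count -gt 0) {
        $blockers += "Transfer these roles first: $($Snapshot.OperationsMasterRoles -join ', ')"
    }
    if ($Snapshot.IsGlobalCatalog -and $Snapshot.OtherGlobalCatalogs.Count -eq 0) {
        $blockers += 'This is the last global catalog server in the forest; designate another one first.'
    }
    $blockers
}

# Usage (server name is a placeholder). The JSON file is what you restore from after a rename.
$snap = Get-DcConfigurationSnapshot -DcName 'DC01'
$snap | ConvertTo-Json -Depth 3 | Set-Content -Path ".\$($snap.DomainController)-config.json"
$blockers = @(Get-DemotionBlockers -Snapshot $snap)
$blockers | ForEach-Object { Write-Warning $_ }
if ($blockers.Count -gt 0) { throw 'Resolve the blockers above before removing Active Directory.' }
```

Keeping the snapshot as a file, rather than in an operator's notes, means the restore step after a rename can be compared against it field by field; the same file is also the record of which roles were deliberately moved away before decommissioning.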

Renaming a Domain Controller

Before you rename a domain controller, you must remove Active Directory to return the domain controller to member server status. Prior to performing this procedure, be sure that you have transferred any operations master roles that are held by the domain controller. After you remove Active Directory, rename the member server and then reinstall Active Directory on the member server to restore it to domain controller status.

Procedures for Renaming a Domain Controller

Use the following procedures to rename a domain controller. You must perform these procedures directly on the domain controller; they cannot be performed remotely.

1. Remove Active Directory. This procedure results in the domain controller becoming a member server in the domain.
2. Rename the member server.
3. Run the Active Directory Installation Wizard. This procedure installs Active Directory on the member server to restore it to domain controller status.

Restoring the Original Configuration of a Domain Controller

After you have renamed a member server and returned it to domain controller status, you must restore the original configuration of the domain controller. If you transferred any domain operations master roles to another domain controller in the domain prior to renaming the domain controller, you can now transfer them back to the renamed domain controller.

If the domain controller was originally configured as a DNS server, you must restore the zone and delegation configurations. The following instructions are based upon best practice recommendations for DNS design, as described in "Best Practice Active Directory Design for Managing Windows Networks" and "Best Practice Active Directory Deployment for Managing Windows Networks" at http://windows.microsoft.com. Follow the links under Products to Windows 2000 Server, Technical Resources, Planning & Deployment, Deploying the Windows 2000 Server Family. If your deployment uses a different DNS design, you might not use the delegations and secondary zones described below.

If the domain controller is located in a child domain anywhere in the forest, then you must:

• Create a delegation for the domain controller in the forest root domain.
• Create a secondary zone.

If the domain controller is located in the forest root domain and the forest root domain has a parent domain, then you must:

• Create a delegation for the new domain controller in the parent domain.

For information about how to configure DNS servers after installing Active Directory, see "Completing Active Directory Installation" in this guide.

Procedures for Restoring the Original Configuration of a Domain Controller

Use the following procedures to restore a domain controller to its original configuration.

1. Configure the domain controller as a global catalog server, if appropriate.
2. Transfer the domain operations master roles, if appropriate.
3. Transfer the forest operations master roles, if appropriate.
4. Create a delegation for the new domain controller, if appropriate. Perform this procedure in the parent domain of the DNS server's domain, if one exists.
5. Create a secondary DNS zone, if appropriate. Perform this procedure only if the DNS server is located in a child domain, not in the forest root domain.
6. Change the delay for initial notification of an intrasite replication partner, if appropriate.
7. Configure the domain controller as a preferred bridgehead server, if appropriate.

Managing Global Catalog Servers

Designate global catalog servers in sites to accommodate forest-wide directory searching and so that Active Directory can determine the universal group membership of native-mode domain clients.

Global Catalog Placement

To improve the speed of logging on and searching, place at least one global catalog server in each site, and at least two global catalog servers if the site has multiple domain controllers. As a best practice, make half of all domain controllers in a site global catalog servers if the site contains more than three domain controllers. If your deployment uses a single global domain, configure all domain controllers as global catalog servers. In a single-domain forest, configuring all domain controllers as global catalog servers requires no additional resources. When placing global catalog servers, the primary concerns are:

• Does any site have no global catalog servers?
• Which domain controllers are designated as global catalog servers in a particular site?

Initial Global Catalog Replication

When you add a global catalog server to a site, the Knowledge Consistency Checker (KCC) updates the replication topology, after which replication of the partial domain directory partitions that are available within the site begins. Replication of partial domain directory partitions that are available only from other sites begins at the next scheduled interval. Adding subsequent global catalog servers within a site requires only intrasite replication and does not affect network performance. Replication of the global catalog potentially affects network performance only when adding the first global catalog server in the site, and the impact varies depending on the following conditions:

• The speed and reliability of the wide area network (WAN) link or links to the site.
• The size of the forest.

For example, in a forest that has a large hub site, five domains, and thirty small branch sites (some of which are connected by only dial-up connections), global catalog replication to the small sites takes considerably longer than replication of one or two domains to a few well-connected sites.

Global Catalog Readiness

After replication of the partial domain directory partitions, the domain controller advertises as a global catalog server and begins accepting queries on ports 3268 and 3269. The requirements for advertising as a global catalog server differ in Microsoft Windows 2000 Server Service Pack 3 (SP3) and in Windows 2000 Server Service Pack 2 (SP2). The default requirements in Windows 2000 Server SP3 include replication of all domain directory partitions in the forest. The default requirements in Windows 2000 Server SP2 are limited to replication of the domain directory partitions that are local to the site.

If the domain controller advertises as a global catalog server before it has complete information from all domains in the forest, it might return false information to applications that begin using the server for forest-wide searches. For example, Microsoft Exchange 2000 servers use the global catalog exclusively when looking up addresses. A domain controller that advertises as a global catalog server before it contains all partial directory partitions can cause Address Book lookup and mail delivery problems for Exchange clients. To avoid this problem, ensure that the domain controller does not advertise as a global catalog server before it contains all partial domain directory partitions.

Premature advertisement of the global catalog is an issue only for global catalog servers that are running Windows 2000 Server SP2, and only when you add the first global catalog server in a site that does not include all domains. If all domains are represented in the site, or if a global catalog server already exists in the site, then the new global catalog server always has all domains prior to advertising as a global catalog server.

Global Catalog Removal

When you remove the global catalog, the domain controller immediately stops advertising as a global catalog server. The KCC gradually removes the read-only replicas from the domain controller.

.lobal &atalo( 6erver #ana(e!ent /as's and Procedures


Table 1.11 shows the tasks and procedures for managing global catalog servers.

Table 1.11 Global Catalog Server Management Tasks and Procedures

Task: Identify the global catalog servers in a site.
Procedures: Determine whether a domain controller is a global catalog server.
Tools: Active Directory Sites and Services
Frequency: Monthly.

Task: Identify a site that has no global catalog server.
Procedures: Determine whether a site has at least one global catalog server.
Tools: Nltest.exe
Frequency: Daily to weekly, depending on environment.

Task: Add the global catalog to a domain controller and verify global catalog readiness.
Procedures (Windows 2000 Server SP2): Stop the Net Logon service (first global catalog server in the site only). Configure the domain controller as a global catalog server. Monitor global catalog replication progress (first global catalog server in the site only). Verify successful replication to a domain controller. Verify global catalog readiness. Restart the Net Logon service, if needed. Restart the global catalog server and verify global catalog DNS registrations.
Procedures (Windows 2000 Server SP3): Configure the domain controller as a global catalog server. Verify global catalog readiness. Restart the global catalog server and verify global catalog DNS registrations.
Tools: Net stop, Active Directory Sites and Services, Dcdiag.exe, Repadmin.exe, Ldp.exe, DNS, ADSI Edit
Frequency: As needed.

Task: Remove the global catalog from a domain controller.
Procedures: Clear the global catalog setting. Monitor global catalog removal.
Tools: Active Directory Sites and Services, Event Viewer
Frequency: As needed.


Identifying Global Catalog Servers in a Site


Maintain a list of those servers that are designated as global catalog servers. Routinely check these servers to ensure that no one has changed the designation. Check other servers to ensure that no one has erroneously designated a global catalog server.

Procedure for Identifying a Global Catalog Server


Use the following procedure to determine whether a domain controller is a global catalog server. The procedure is explained in detail in the linked topic. To determine whether a domain controller is a global catalog server, check the properties on the NTDS Settings object of the respective server object.

Identifying a Site That Has No Global Catalog Servers


To quickly identify a site that has no global catalog servers, you can perform one command rather than check each server individually. You can perform this test any time you add a site, or routinely if global catalog servers can potentially be removed inappropriately.

Procedure for Identifying a Site that has No Global Catalog Servers


Use the following procedure to determine whether a site has a global catalog server. The procedure is explained in detail in the linked topic. To identify a site that has no global catalog servers, determine whether the site has at least one global catalog server.

Adding the Global Catalog to a Domain Controller and Verifying Readiness


When conditions in a site warrant adding a global catalog server, you can configure a domain controller to be a global catalog server. Selecting the Global Catalog setting on the NTDS Settings object prompts the KCC to update the topology. After the topology is updated, read-only partial domain directory partitions are replicated to the designated domain controller. When replication must occur between sites to create the global catalog, the site link schedule determines when replication can occur. Minimum hardware requirements for global catalog servers depend upon the number of users in the site. Table 1.12 contains guidelines for assessing hardware requirements.

Table 1.12 Global Catalog Hardware Requirements

Users in site: ≤ 100
Domain controller: One uniprocessor PIII 500, 512 MB.

Users in site: 101 – 500
Domain controller: One uniprocessor PIII 500, 512 MB.

Users in site: 500 – 1,000
Domain controller: One Dual PIII 500, 1 GB.

Users in site: 1,001 – 10,000
Domain controller: Two Quad PIII XEON, 2 GB.

Users in site: > 10,000 users
Domain controller: One Quad PIII XEON, 2 GB for every 5,000 users.

When configuring a global catalog server, be sure the machine has adequate hard disk space. Use the information in Table 1.13 to determine how much storage to provide for the Active Directory database.

Table 1.13 Global Catalog Storage Requirements for the Active Directory Database

Server: Domain controller
Active Directory database storage requirements: 0.4 GB of storage for each 1,000 users.

Server: Global catalog server
Active Directory database storage requirements: = DC storage requirement + (DC storage requirements for other domains) / 2

For example, in a forest with two 10,000-user domains, all domain controllers need 4 GB of storage. All global catalog servers require 6 GB of storage. These requirements represent conservative estimates. For a more accurate determination of storage requirements, download and run the Active Directory Sizer Tool (ADSizer.exe). You can download the ADSizer.exe tool from the Active Directory Sizer Tool link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources/.

Occupancy Levels and Global Catalog Server Readiness


The occupancy level setting on a domain controller determines the criteria for advertising itself as a global catalog server in DNS. If a global catalog server advertises itself before it has synchronized all read-only directory partition replicas, clients can receive incorrect information. The requirements of the occupancy levels are as follows (each higher level includes all levels below it):

0: No occupancy requirement.
1: An inbound connection for at least one read-only directory partition in the site of the global catalog server is added to the designated server by the KCC. Event ID 1264 in the Directory Service log signals creation of the inbound connection.
2: At least one read-only directory partition in the site is replicated to the global catalog server.
3: Inbound connections for all read-only directory partitions in the site are added by the KCC, and at least one is replicated to the server.
4: All read-only directory partitions in the site are replicated to the server.
5: Inbound connections for all read-only directory partitions in the forest are added by the KCC, and all directory partitions in the site are replicated to the server.
6: All directory partitions in the forest are replicated to the server.

Default occupancy levels for domain controllers that are running Windows 2000 Server depend on the Windows 2000 Server service pack release that is installed, as follows:

Windows 2000 Server SP2 or earlier: default and maximum occupancy level = 4.
Windows 2000 Server SP3: default and maximum occupancy level = 6.

Exchange 2000 servers use the global catalog exclusively when looking up addresses. Therefore, in addition to causing Active Directory client search problems, the condition of a global catalog server being advertised before it receives all partial replicas can cause Address Book lookup and mail delivery problems for Exchange clients. The Name Service Provider Interface (NSPI) must be running on a global catalog server to enable MAPI access to Active Directory. To enable NSPI, you must restart the global catalog server after replication of the partial directory partitions is complete.

Verification of Global Catalog Server Readiness


A global catalog is considered ready to serve clients when the following events occur, in this order:

1. Occupancy level requirements are met by replicating read-only replicas.
2. The isGlobalCatalogReady rootDSE attribute is set to TRUE.
3. The Net Logon service on the domain controller has updated DNS with global-catalog-specific SRV resource records.

At this point, the global catalog server is available to respond to requests on ports 3268 and 3269. However, in response to various tests, the local system can indicate that it is a global catalog server as soon as replication requirements are met, but before DNS has been updated. For a global catalog server that is running Windows 2000 Server SP2, you must also consider the replication requirements for the occupancy level. For the first global catalog server in a site, the occupancy level is significant if all domains are not represented in the site.

Global Catalog Readiness in the SP2 Environment


Because the default occupancy level requirement in Windows 2000 Server SP2 is limited to replicating only the domain directory partitions that are available in the local site, a global catalog server in this environment might advertise itself as ready when other domains are not present on the server. For this reason, when adding the first global catalog to a site where all domains in the forest are not represented, you must take steps to ensure that the global catalog server does not advertise itself before all domain directory partitions are present on the server, as follows:

• Prior to configuring the domain controller to be a global catalog server, stop the Net Logon service on the domain controller. If the Net Logon service is not running, then the server cannot update DNS prematurely.
• Monitor replication until all domain directory partitions are replicated to the server.
• Verify successful replication of all domain directory partitions in the forest.
• Restart the domain controller to enable NSPI. Restarting will also start the Net Logon service automatically.
• Verify DNS updates.

Global Catalog Readiness in the SP3 Environment


Because the default occupancy level requirement in Windows 2000 Server SP3 is level 6, a new global catalog server does not advertise itself until all partial domain directory partitions in the forest are replicated to the server. In this case, you do not have to stop the Net Logon service before configuring the domain controller as a global catalog server. However, you do need to restart the domain controller to enable NSPI.

Procedures for Adding the Global Catalog to a Domain Controller and Verifying Global Catalog Readiness

Use the following procedures to add a global catalog server to a domain controller. The procedures are explained in detail in the linked topics. Some procedures are performed only when you are configuring the first global catalog server in the site or only when Windows 2000 Server SP2 is running on the domain controller that you are configuring.

1. Stop the Net Logon service on the domain controller (SP2 only, first global catalog server in the site only).
2. Configure the domain controller as a global catalog server. Setting the Global Catalog check box initiates the process of replicating all domains to the server.
3. Monitor global catalog replication progress (first global catalog server in the site only).
4. Verify successful replication to a domain controller on the global catalog server. Check for inbound replication of all partial domain directory partitions in the forest, to ensure that all domain directory partitions have replicated to the global catalog server.
5. Verify global catalog readiness. This procedure indicates that the replication requirements have been met.
6. Restart the Net Logon service, if needed. If you are adding the first global catalog server in a site to a domain controller that is running Windows 2000 Server SP2 and you stopped the Net Logon service prior to adding the global catalog, then restart the service now.
7. Restart the global catalog server and verify global catalog DNS registrations by checking DNS for global catalog SRV resource records.
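The readiness checks in steps 4, 5 and 7 above, scripted as an added example that is not part of the guide: it tests the three readiness events in the order the guide gives them (inbound replication of every domain partition, the rootDSE flag, the GC SRV records) and then the two GC ports. It assumes a management host with the ActiveDirectory and DnsClient modules (Windows Server 2012 or later tooling, which did not exist for Windows 2000); the server and forest names are placeholders.

```powershell
# Added example; not code from the Active Directory Operations Guide.
# Assumes the ActiveDirectory and DnsClient modules and LDAP/DNS reachability.
param(
    [string]$Server     = 'DC01.corp.example',   # placeholder: DC being made a GC
    [string]$ForestRoot = 'corp.example'         # placeholder: forest root DNS name
)
Import-Module ActiveDirectory

function Test-GcPartitionReplication {
    # Event 1 / step 4: every domain directory partition in the forest must have an
    # inbound replication partner on this server whose last attempt succeeded (result 0).
    param([string]$Target, [string]$Forest)
    $domainNcs = foreach ($d in (Get-ADForest -Identity $Forest).Domains) {
        (Get-ADDomain -Identity $d).DistinguishedName
    }
    # '*' asks for metadata on all partitions hosted by the target, not just its own domain.
    $inbound = Get-ADReplicationPartnerMetadata -Target $Target -PartnerType Inbound -Partition '*'
    $missing = foreach ($nc in $domainNcs) {
        $ok = $inbound | Where-Object { $_.Partition -eq $nc -and $_.LastReplicationResult -eq 0 }
        if (-not $ok) { $nc }
    }
    [pscustomobject]@{ Replicated = (-not $missing); MissingPartitions = @($missing) }
}

function Test-GcRootDse {
    # Event 2 / step 5: the server sets rootDSE isGlobalCatalogReady to TRUE once the
    # occupancy level is satisfied; on SP2 this can happen before all domains are present.
    param([string]$Target)
    $rootDse = [ADSI]"LDAP://$Target/RootDSE"
    return ([string]$rootDse.isGlobalCatalogReady -eq 'TRUE')
}

function Test-GcDnsRegistration {
    # Event 3 / step 7: Net Logon must have registered the forest-wide GC SRV record
    # _gc._tcp.<forest> naming this server on port 3268.
    param([string]$Target, [string]$Forest)
    $records = Resolve-DnsName -Name "_gc._tcp.$Forest" -Type SRV -ErrorAction SilentlyContinue
    $mine = $records | Where-Object {
        $_.NameTarget.TrimEnd('.') -ieq $Target -and $_.Port -eq 3268
    }
    return [bool]$mine
}

function Test-GcPorts {
    # Final check: the server answers on the global catalog LDAP ports 3268 and 3269.
    param([string]$Target)
    $results = foreach ($p in 3268, 3269) {
        (Test-NetConnection -ComputerName $Target -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    return ($results -notcontains $false)
}

function Test-GlobalCatalogReadiness {
    param([string]$Target, [string]$Forest)
    $rep = Test-GcPartitionReplication -Target $Target -Forest $Forest
    $report = [pscustomobject]@{
        Server               = $Target
        AllDomainsReplicated = $rep.Replicated
        MissingPartitions    = ($rep.MissingPartitions -join '; ')
        RootDseReady         = Test-GcRootDse -Target $Target
        DnsSrvRegistered     = Test-GcDnsRegistration -Target $Target -Forest $Forest
        PortsListening       = Test-GcPorts -Target $Target
    }
    # RootDseReady or DnsSrvRegistered TRUE while AllDomainsReplicated is FALSE is the
    # premature-advertisement condition the guide warns about for SP2 sites.
    $ready = $report.AllDomainsReplicated -and $report.RootDseReady -and
             $report.DnsSrvRegistered -and $report.PortsListening
    $report | Add-Member -NotePropertyName Ready -NotePropertyValue $ready -PassThru
}

Test-GlobalCatalogReadiness -Target $Server -Forest $ForestRoot | Format-List
```

While the Net Logon service is stopped (step 1), DnsSrvRegistered stays FALSE even after RootDseReady turns TRUE, which is the intended state until MissingPartitions is empty.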

Removing the Global Catalog from a Domain Controller


If the user population of a site decreases to the point where multiple global catalog servers are not required, or if a global catalog server is being replaced with a more powerful machine, then you can remove the global catalog from the domain controller.


The procedure to remove the global catalog is simply to clear the Global Catalog check box on the NTDS Settings object properties page. As soon as you perform this step, the domain controller stops advertising itself as a global catalog server (Net Logon de-registers the global catalog-related records in DNS) and immediately stops accepting LDAP requests over ports 3268 and 3269. When you remove the global catalog from a domain controller, the KCC begins removing the read-only replicas one at a time by means of an asynchronous process that removes objects gradually over time. Each time the KCC runs (every 15 minutes by default), it attempts the removal of the read-only replica until there are no remaining objects. At an estimated rate of 2000 objects per hour, complete removal of the global catalog from the domain controller can take from several hours to days, depending on the size of the directory.

Procedures for Removing the Global Catalog from a Domain Controller


Use the following procedures to remove the global catalog from a domain controller. The procedures are explained in detail in the linked topics.

1. Clear the Global Catalog setting.
2. Monitor global catalog removal in Event Viewer.

Managing Operations Masters


Operations masters keep the directory functioning properly by performing specific tasks that no other domain controllers are permitted to perform. Because operations masters are critical to the long-term performance of the directory, they must be available to all domain controllers and desktop clients that require their services. Careful placement of your operations masters becomes more important as you add more domains and sites to build your forest.

Operations Master Roles


Three operations master roles exist in each domain:

• The primary domain controller (PDC) emulator. The PDC emulator processes all replication requests from Microsoft Windows NT 4.0 backup domain controllers and processes all password updates for clients that are not running Active Directory-enabled client software.
• The relative identifier (RID) master. The RID master allocates RIDs to all domain controllers to ensure that all security principals have a unique identifier.
• The infrastructure master. The infrastructure master for a given domain maintains a list of the security principals from other domains that are members of groups within its domain.

In addition to the three domain-level operations master roles, two operations master roles exist in each forest:

• The schema master, which governs all changes to the schema.
• The domain naming master, which adds and removes domains to and from the forest.

To perform these functions, the domain controllers hosting these operations master roles must be located in areas where network reliability is high and they need to be consistently available.

Reasons to Move an Operations Master Role


Operations master role holders are placed automatically when the first domain controller in a given domain is created. The three domain-level roles are assigned to the first domain controller created in a domain. The two forest-level roles are assigned to the first domain controller created in a forest. You might need to move an operations master role to a different domain controller if the service level becomes insufficient, if the domain controller holding the operations master role fails or is decommissioned, or if you make incompatible configuration changes.

The PDC emulator is the operations master role that most impacts the performance of a domain controller. For clients that do not run Active Directory client software, the PDC emulator processes requests for password changes, replication, and user authentication. While providing support for these clients, the domain controller continues to perform its normal services, such as authenticating Active Directory-enabled clients. As the network grows, the volume of client requests can increase the workload for the domain controller that hosts the PDC emulator role and its performance can suffer. To solve this problem, you can transfer all or some of the operations master roles to another, more powerful domain controller. You may choose to transfer the role to another domain controller, upgrade the hardware on the original domain controller and then transfer the role back again.

In the event of a failure, you must decide if you need to relocate the operations master roles to another domain controller or wait for the domain controller to be returned to service. Base that determination on the role that the domain controller hosts and the expected down time.

Before permanently taking a domain controller offline, transfer any operations master roles that the domain controller holds to another domain controller.

Configuration changes to domain controllers or the network topology can result in the need to transfer operations master roles. Except for the infrastructure master, you can assign operations master roles to any domain controller regardless of any other tasks that the domain controller performs. Do not host the infrastructure master role on a domain controller that is also acting as a global catalog server, unless all of the domain controllers in the domain are global catalog servers, or unless only one domain is in the forest. If the domain controller hosting the infrastructure master role is configured to be a global catalog server, you must transfer the infrastructure master role to another domain controller. Changes to the network topology can result in the need to transfer operations master roles in order to keep them in a particular site.

Considerations for Moving Operations Master Roles


You can reassign an operations master role by transfer or, as a last resort, by seizure. Role transfer is the preferred method to move an operations master role from one domain controller to another. During a role transfer, the two domain controllers replicate to ensure that no information is lost. After the transfer completes, the previous role holder reconfigures itself so that it no longer attempts to perform as the operations master while the new domain controller assumes those duties. This prevents the possibility of duplicate operations masters existing on the network at the same time, which can lead to corruption in the directory.

Seize a role only as a last resort to assign a role to a different domain controller. Use this process only when the previous operations master fails and remains out of service for an extended amount of time. During a role seizure, the domain controller does not verify that replication is updated, so recent changes can be lost. Because the previous role holder is unavailable during the role seizure, it cannot know that a new role holder exists. If the previous role holder comes back online it might still assume that it is the operations master. This can result in duplicate operations master roles on the network, which can lead to corruption of data in the directory and ultimately to the failure of the domain or forest.

Important
If you must seize an operations master role, never reattach the previous role holder to the network without following the procedures in this guide. Incorrectly reattaching the previous role holder to the network can result in invalid data and corruption of data in the directory.

To transfer a role to a new domain controller, ensure that the destination domain controller is a direct replication partner of the previous role holder and that replication between them is up to date and functioning properly. This minimizes the time required to complete the role transfer. If replication is sufficiently out of date, the transfer can take a while, but it eventually finishes.

Guidelines for Role Placement


By improperly placing operations master role holders, you might prevent clients from changing their passwords, or be unable to add domains and new objects, such as users and groups. You might also be unable to make changes to the schema. In addition, name changes might not properly appear within group memberships that are displayed in the user interface. As your environment changes, you must avoid the problems associated with improperly placed operations master role holders. Eventually, you might need to reassign the roles to other domain controllers. Although you can assign the forest-level and domain-level operations master roles to any domain controller in the forest and domain respectively, improperly placing the infrastructure master role can cause it to not function properly. Other improper configurations can increase administrative overhead.

Requirements for infrastructure master placement


Do not place the infrastructure master on a domain controller that is also a global catalog server. The infrastructure master updates the names of security principals from other domains that are added to groups in its own domain. For example, if a user from one domain is a member of a group in a second domain and the user's name is changed in the first domain, then the second domain is not notified that the user's name must be updated in the group's membership list. Because domain controllers in one domain do not replicate security principals to domain controllers in another domain, the second domain never becomes aware of the change. The infrastructure master constantly monitors group memberships, looking for security principals from other domains. If it finds one, it checks with the security principal's domain to verify that the information is updated. If the information is out of date, the infrastructure master performs the update and then replicates the change to the other domain controllers in its domain.

Two exceptions apply to this rule. First, if all the domain controllers are global catalog servers, the domain controller that hosts the infrastructure master role is insignificant because global catalogs do replicate the updated information regardless of the domain to which they belong. Second, if the forest has only one domain, the domain controller that hosts the infrastructure master role is not needed because security principals from other domains do not exist.
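The placement rule and its two exceptions, plus the forest-level guidelines, as an added audit script that is not part of the guide. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later tooling) and read access to every domain in the forest; it reports, it does not move roles.

```powershell
# Added example; not code from the Active Directory Operations Guide.
# Assumes the ActiveDirectory module and read access to all domains in the forest.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    # One finding per domain. The rule is violated only when the infrastructure master
    # is a global catalog AND not every DC in the domain is a GC (exception 1) AND the
    # forest has more than one domain (exception 2).
    param([string]$DomainName, [int]$DomainCount)
    $domain = Get-ADDomain -Identity $DomainName
    $allDcs = @(Get-ADDomainController -Filter * -Server $DomainName)
    $imDc   = $allDcs | Where-Object { $_.HostName -ieq $domain.InfrastructureMaster }
    $allGc  = -not ($allDcs | Where-Object { -not $_.IsGlobalCatalog })
    $violation = [bool]$imDc.IsGlobalCatalog -and -not $allGc -and ($DomainCount -gt 1)
    # The guide also recommends keeping the three domain-level roles on one DC.
    $holders = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster) |
               Select-Object -Unique
    [pscustomobject]@{
        Domain                   = $DomainName
        InfrastructureMaster     = $domain.InfrastructureMaster
        ImIsGlobalCatalog        = [bool]$imDc.IsGlobalCatalog
        AllDcsAreGc              = $allGc
        DomainLevelRolesTogether = ($holders.Count -eq 1)
        ImPlacementViolation     = $violation
    }
}

function Test-ForestRolePlacement {
    # Forest-level guidelines: both roles in the forest root domain and on a GC.
    $forest = Get-ADForest
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        $dc = Get-ADDomainController -Identity $forest.$role
        [pscustomobject]@{
            Role            = $role
            Holder          = $dc.HostName
            InForestRoot    = ($dc.Domain -ieq $forest.RootDomain)
            OnGlobalCatalog = [bool]$dc.IsGlobalCatalog
        }
    }
}

$forest = Get-ADForest
Test-ForestRolePlacement | Format-Table -AutoSize
$forest.Domains | ForEach-Object {
    Test-InfrastructureMasterPlacement -DomainName $_ -DomainCount $forest.Domains.Count
} | Format-Table -AutoSize
```

A row with ImPlacementViolation TRUE is the case the text says must be fixed by transferring the infrastructure master to a non-GC domain controller.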

Recommendations for role placement


Although you can assign the operations master roles to any domain controller, follow these guidelines to minimize administrative overhead and ensure the performance of Active Directory. If a domain controller that is hosting operations master roles fails, following these guidelines also simplifies the recovery process. Guidelines for role placement include:

• Leave the two forest-level roles on a domain controller in the forest root domain.
• Place the two forest-level roles on a global catalog server.
• Place the three domain-level roles on the same domain controller.
• Do not place the domain-level roles on a global catalog server.
• Place the domain-level roles on a higher performance domain controller.
• Adjust the workload of the operations master role holder, if necessary.
• Choose an additional domain controller as the standby operations master for the forest-level roles and choose an additional domain controller as the standby for the domain-level roles.

The first domain controller created in the forest is assigned the schema master and domain naming master roles. To ease administration and backup and restore procedures, leave these roles on the original forest root domain controller. Moving the roles to other domain controllers does not improve performance. Separating the roles creates additional administrative overhead when you must identify the standby operations masters and when you implement a backup and restore policy. Unlike the PDC emulator role, forest-level roles rarely place a significant burden on the domain controller. Keep these roles together to provide easy, predictable management.

In addition to hosting the schema master and domain naming master roles, the first domain controller created in a forest also hosts the global catalog. In Windows 2000 Server, you must leave the domain naming master on a global catalog server. When the domain naming master creates an object representing a new domain, it uses the global catalog to ensure that no other object has the same name. The domain naming master achieves this consistency by running on a global catalog server, which contains a partial replica of every object in the forest.


The three domain-level roles are assigned to the first domain controller created in a new domain. Except for the forest root domain, leave the roles at that location. Keep the roles together unless the workload on your operations master justifies the additional management burden of separating the roles. For the forest root domain, the first domain controller also hosts the two forest-level roles as well as the global catalog. This additional workload requires you to take two precautionary steps to avoid potential problems. First, the domain-level roles must not remain on a global catalog server. In addition, because hosting all five roles on a single domain controller can overload the server and hurt performance, transfer the three domain-level roles to another domain controller.

Because all pre-Active Directory clients submit updates to the PDC emulator, the domain controller holding that role uses a higher number of RIDs. Place the PDC emulator and RID master roles on the same domain controller so these two roles interact more efficiently. If you must separate the roles, you can still use a single standby operations master for all three roles. However, you must ensure that the standby is a replication partner of all three of the role holders. Backup and restore procedures also become more complex if you separate the roles. Special care must be taken to restore a domain controller that hosted an operations master role. By hosting the roles on a single computer, you minimize the steps that are required to restore a role holder.

Do not host the infrastructure master on a domain controller that is acting as a global catalog server. Because it is best to keep the three domain-level roles together, avoid putting any of them on a global catalog server.

Host the PDC emulator role on a powerful and reliable domain controller to ensure that it is available and capable of handling the workload. Of all the operations master roles, the PDC emulator creates the most overhead on the server that is hosting the role. It has the most intensive daily interaction with other systems on the network. The PDC emulator has the greatest potential to affect daily operations of the directory.

Domain controllers can become overloaded while attempting to service client requests on the network, manage their own resources, and handle any specialized tasks such as performing the various operations master roles. This is especially true of the domain controller holding the PDC emulator role. Pre-Active Directory clients and domain controllers running Windows NT 4.0 rely more heavily on the PDC emulator than Active Directory clients and Windows 2000 Server domain controllers. If your networking environment has pre-Active Directory clients and domain controllers, you might need to reduce the workload of the PDC emulator. If a domain controller begins to indicate that it is overloaded and the performance is affected, you can reconfigure the environment so that some tasks are performed by other, less-used domain controllers. By adjusting the domain controller's weight in the DNS environment, you can configure the domain controller to receive fewer client requests than other domain controllers on your network. Optionally, you can adjust the domain controller's priority in the DNS environment so it processes client requests only if other DNS servers are unavailable. With fewer DNS client requests to process, the domain controller can use more resources to perform operations master services for the domain.


The standby operations master is a domain controller that you identify as the computer that assumes the operations master role if the original computer fails. You do not need to perform any special configuration steps or run any type of setup utilities to make a domain controller a standby operations master. This precautionary planning step helps make your operation more resilient if a problem arises that requires you to reassign an operations master role to a new domain controller.

Ensure that the standby operations master is a direct replication partner of the actual operations master. If the standby operations master domain controller is a direct replication partner of the original operations master, it most likely contains the most recent changes to the domain. This reduces the time required to transfer the role to the standby operations master and, in the case of a failure, reduces the chances of losing information. Even if replication is not totally complete, only a few outstanding updates exist. Those outstanding updates can be replicated by a normal replication cycle rather than requiring a full synchronization, which replicates all of the account information in the partition. To guarantee that the two domain controllers are replication partners, you must manually create a connection object between them. Although creating manual connection objects is not generally recommended, in this one case it is necessary because it is so important that these two domain controllers be replication partners. If you must reassign the domain-level operations master roles to the standby operations master, do not place the infrastructure master role on a global catalog server.

Ramifications of Role Seizure


If a role is seized, the new role holder is configured to host the operations master role with the assumption that you do not intend to return the previous role holder to service. Use role seizure only when the previous role holder is not available and you need the operations master role to keep the directory functioning. Because the previous role holder is not available during a seizure, you cannot reconfigure the previous role holder and inform it that another domain controller is now hosting the operations master role. If the previous role holder comes back online, its behavior depends on your current service pack level.

If you are running Windows 2000 Server Service Pack 2 (SP2) or earlier, the domain controller waits for one replication cycle while it attempts to verify the current role holder. If the previous role holder receives data that indicates that another domain controller is performing the operations master role, it reconfigures itself so that it no longer hosts the operations master role and Active Directory functions properly. If for any reason replication fails, it does not receive any replicated data indicating that a new operations master exists. Whether or not replication actually occurs, after one replication cycle it assumes that the data it has is correct. It leaves itself configured as the current operations master and attempts to resume its duties as the operations master role holder. This results in duplicate operations masters on the network. As shown in Table 1.14, this can cause serious problems in the directory.

If you are running Windows 2000 Server Service Pack 3 (SP3), the previous role holder waits for a full replication cycle to complete successfully before it resumes the role of operations master. By waiting for a full replication cycle, it can see if another operations master exists before it brings itself back online. If the previous role holder detects that another operations master exists, it reconfigures itself so that it no longer hosts the roles in question.


To reduce risk, perform a role seizure only if the missing operations master role unacceptably affects performance of the directory. Calculate the effect by comparing the impact of the missing service provided by the operations master to the amount of work that is needed to bring the previous role holder safely back online after you perform the role seizure. Active Directory continues to function when the operations master roles are not available. If the role holder is only offline for a short period, you might not need to seize the role to a new domain controller. Remember that returning an operations master to service after the role is seized can have dire consequences if it is not done properly.

Table 1.14 Operations Master Role Functionality Risk Assessment

Operations Master Role: Schema master
Consequences if Role is Unavailable: You cannot make changes to the schema.
Risk of Improper Restoration: Conflicting changes can be introduced to the schema if both schema masters attempt to modify the schema at the same time. This can result in a fragmented schema.
Recommendation for Returning to Service After Seizure: Not recommended. Can lead to a corrupted forest and require rebuilding the entire forest.

Operations Master Role: Domain naming master
Consequences if Role is Unavailable: You cannot add or remove domains from the forest.
Risk of Improper Restoration: You cannot add or remove domains or clean up metadata. Domains might appear as though they are still in the forest even though they are not.
Recommendation for Returning to Service After Seizure: Not recommended. Can require rebuilding domains.

Operations Master Role: PDC emulator
Consequences if Role is Unavailable: You cannot change passwords on pre-Active Directory clients. No replication to Windows NT 4.0 backup domain controllers.
Risk of Improper Restoration: Password validation can randomly pass or fail. Password changes take much longer to replicate throughout the domain.
Recommendation for Returning to Service After Seizure: Allowed. User authentication can be erratic for a time, but no permanent damage occurs.

Operations Master Role: Infrastructure master
Consequences if Role is Unavailable: Delays displaying updated group membership lists in the user interface when you move users from one group to another.
Risk of Improper Restoration: Displays incorrect user names in group membership lists in the user interface after you move users from one group to another.
Recommendation for Returning to Service After Seizure: Allowed. May impact the performance of the domain controller hosting the role, but no damage occurs to the directory.

Operations Master Role: RID master
Consequences if Role is Unavailable: Eventually, domain controllers cannot create new directory objects as each of their individual RID pools is depleted.
Risk of Improper Restoration: Duplicate RID pools can be allocated to domain controllers, resulting in data corruption in the directory. This can lead to security risks and unauthorized access.
Recommendation for Returning to Service After Seizure: Not recommended. Can lead to data corruption that can require rebuilding the domain.

Operations Master Role Management Tasks and Procedures

Table 1.15 shows the tasks and procedures for managing operations master roles.


Table 1.15 Operations Master Role Management Tasks and Procedures

Designate operations master roles
  Procedures: Verify successful replication to a domain controller. Determine whether a domain controller is a global catalog server. Transfer the forest-level operations master roles. Transfer the domain-level operations master roles. View the current operations master role holders.
  Tools: Repadmin.exe, Active Directory Sites and Services, Active Directory Domains and Trusts, Active Directory Users and Computers, Ntdsutil.exe.
  Frequency: As needed.

Reduce the workload on the PDC emulator
  Procedures: Change the weight for DNS SRV records in the registry. Change the priority for DNS SRV records in the registry.
  Tools: Regedit.exe.
  Frequency: As needed.

Decommission a role holder
  Procedures: Verify successful replication to a domain controller. Determine whether a domain controller is a global catalog server. Transfer the forest-level operations master roles. Transfer the domain-level operations master roles. View the current operations master role holders.
  Tools: Repadmin.exe, Active Directory Sites and Services, Active Directory Domains and Trusts, Active Directory Users and Computers, Ntdsutil.exe.
  Frequency: As needed.

Seize operations master roles
  Procedures: Verify that a complete end-to-end replication cycle has occurred. Verify successful replication to a domain controller. Seize the operations master role. View the current operations master role holders.
  Tools: Ntdsutil.exe.
  Frequency: As needed.

Choose a standby operations master
  Procedures: Determine whether a domain controller is a global catalog server. Create a connection object.
  Tools: Active Directory Sites and Services.
  Frequency: As needed.

Designating Operations Master Roles

When you create a new domain, the Active Directory Installation Wizard automatically assigns all of the domain-level operations master roles to the first domain controller created in that domain. When you create a new forest, the wizard also assigns the two forest-level operations master roles to that first domain controller. After the domain is created and functioning, you might transfer individual operations master roles to other domain controllers to optimize performance and simplify administration. Transfer forest-level and domain-level roles as needed, following the guidelines for placing operations master roles.

Before you transfer an operations master role, use Repadmin.exe with the /showreps option to confirm that replication between the current role holder and the domain controller that will assume the role is up to date. In addition, determine whether the intended role holder is a global catalog server. The domain naming master, a forest-level role, must also host the global catalog. The infrastructure master for each domain must not host the global catalog (the exception is a domain in which every domain controller is a global catalog server; there the infrastructure master has nothing to update and its placement does not matter). Do not change the global catalog configuration on the intended role holder unless your IT management authorizes the change: adding or removing the global catalog starts replication work that can take days to complete, and the domain controller might not be available during that period. Instead, transfer the roles to a different domain controller that is already properly configured.

Procedures for Designating Operations Master Roles

Procedures are explained in detail in the linked topics.
1. Verify successful replication to a domain controller.
2. Determine whether a domain controller is a global catalog server.
3. Transfer the forest-level operations master roles.
4. Transfer the domain-level operations master roles.
5. View the current operations master role holders.

Reducing the Workload on the PDC Emulator

You can configure a domain controller so that the majority of client requests go to other domain controllers. Reducing the number of client requests lowers the workload on a domain controller and gives it more capacity for its operations master duties. This matters most for the PDC emulator: of all the operations master roles, the PDC emulator role places the heaviest load on its host, and you might need to take steps to keep that domain controller from becoming overloaded.

To obtain information from the domain, a client uses DNS to locate a domain controller and then sends its request to that domain controller. By default, the SRV records that domain controllers register carry equal priority and weight, so clients spread their requests across the domain controllers at random rather than always using the same one. If too many client requests reach a domain controller that is also performing other duties, such as those of the PDC emulator, it can become overloaded, which degrades performance. To reduce the number of client requests processed by the PDC emulator, lower its weight or raise its priority in the SRV records it registers in DNS.

DNS Weight Registry Setting

Setting a domain controller's weight lower than that of the other domain controllers reduces the proportion of clients that choose it. The default weight for every domain controller is 100. A client that receives several SRV records of equal priority chooses among them at random, in proportion to each record's weight, so lowering one domain controller's weight reduces its share according to the ratio of its weight to the others. For example, to have the domain controller hosting the PDC emulator role receive requests only half as often as each of the other domain controllers, set its weight to 50. The ratio for that domain controller becomes 50/100 (50 for it, 100 for each of the others), or 1/2, so clients choose each of the other domain controllers twice as often as the one with the reduced weight. With fewer client referrals, that domain controller receives fewer requests and has more resources for other tasks, such as performing the role of PDC emulator.

DNS Priority Registry Setting

Adjusting the priority of a domain controller also reduces the number of client referrals, but not proportionally: clients always choose among the records with the lowest priority value, so raising a domain controller's priority (the default is 0) causes clients to stop selecting it altogether unless every domain controller with a lower priority value is unavailable. This makes the PDC emulator a fallback rather than a regular target, so confirm that the remaining domain controllers can carry the full client load before using it. To configure the PDC emulator in either manner, use Regedit.exe to set the LdapSrvPriority or LdapSrvWeight REG_DWORD entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters on that domain controller. Netlogon applies the values to all of the SRV records it registers for that domain controller the next time it registers them.


Procedures for Reducing the Number of Client Requests Processed by the PDC Emulator

Procedures are explained in detail in the linked topics.
1. Change the weight for DNS SRV records in the registry.
2. Change the priority for DNS SRV records in the registry.
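The two registry settings above, as an added PowerShell example that is not part of the original guide: it writes LdapSrvWeight and LdapSrvPriority on the domain controller, forces Netlogon to re-register its records, and works out the share of client referrals each domain controller receives under the selection rule clients apply (lowest priority value first, then a random choice in proportion to weight). The domain name example.com and the host names in the sample records are made up.

```powershell
# Added example, not from the guide. Registry key where Netlogon reads the
# values it stamps on every SRV record it registers for this domain controller.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Write the weight and priority (both REG_DWORD) and force re-registration.
# Defaults: weight 100, priority 0; a lower priority value is preferred.
function Set-DcSrvRegistration {
    param(
        [ValidateRange(0, 65535)][int]$Weight   = 100,
        [ValidateRange(0, 65535)][int]$Priority = 0
    )
    New-ItemProperty -Path $NetlogonParams -Name LdapSrvWeight   -Value $Weight   -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $NetlogonParams -Name LdapSrvPriority -Value $Priority -PropertyType DWord -Force | Out-Null
    # Netlogon applies the values at its next registration; do not wait for it.
    & nltest.exe /dsregdns | Out-Null
}

# The selection rule clients apply (RFC 2782): only records with the lowest
# priority value are candidates; among those the choice is random, in
# proportion to weight. Returns each record with its expected share of referrals.
function Get-SrvReferralShare {
    param([Parameter(Mandatory)][object[]]$Records)   # objects with NameTarget, Priority, Weight
    $lowest   = ($Records | Measure-Object -Property Priority -Minimum).Minimum
    $eligible = @($Records | Where-Object { $_.Priority -eq $lowest })
    $total    = ($eligible | Measure-Object -Property Weight -Sum).Sum
    foreach ($r in $Records) {
        $share = 0.0
        if ($r.Priority -eq $lowest -and $total -gt 0) { $share = $r.Weight / $total }
        [pscustomobject]@{
            Target   = $r.NameTarget
            Priority = $r.Priority
            Weight   = $r.Weight
            Share    = [math]::Round($share, 3)
        }
    }
}

# The live records for a domain. Resolve-DnsName returns SRV records with
# NameTarget, Priority and Weight properties, so they feed Get-SrvReferralShare.
function Get-DcSrvRecords {
    param([Parameter(Mandatory)][string]$DomainDnsName)
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainDnsName" -Type SRV
}

# Constructed sample: the PDC emulator at weight 50, two other DCs at the default.
$sample = @(
    [pscustomobject]@{ NameTarget = 'pdc.example.com'; Priority = 0; Weight = 50  }
    [pscustomobject]@{ NameTarget = 'dc2.example.com'; Priority = 0; Weight = 100 }
    [pscustomobject]@{ NameTarget = 'dc3.example.com'; Priority = 0; Weight = 100 }
)
Get-SrvReferralShare -Records $sample | Format-Table -AutoSize

# On the PDC emulator itself, with a real domain name:
# Set-DcSrvRegistration -Weight 50
# Get-SrvReferralShare -Records (Get-DcSrvRecords -DomainDnsName 'example.com') | Format-Table -AutoSize
```

With weights 50, 100 and 100 the shares come out as 0.2, 0.4 and 0.4: the PDC emulator is chosen half as often as either other domain controller, which is the 1/2 ratio the text describes. Calling Set-DcSrvRegistration with -Priority 10 instead (weight left at the default) drops the PDC emulator's share to 0 for as long as the other two domain controllers are reachable.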

Decommissioning a Role Holder

When you use the Active Directory Installation Wizard to decommission a domain controller that currently hosts one or more operations master roles, the wizard reassigns the roles to another domain controller. When it runs, the wizard determines whether the domain controller hosts any operations master roles; if it does, the wizard queries the directory for other eligible domain controllers and transfers the roles to one of them. A domain controller is eligible to host the domain-level roles if it is a member of the same domain, and eligible to host a forest-level role if it is a member of the same forest. You cannot control which domain controller the wizard chooses, and the wizard does not report which one received the roles. For that reason, transfer the roles yourself before running the wizard, so that you control role placement and can follow the recommendations discussed earlier in this guide.

Transfer to the Operations Master Standby

Transfer the operations master roles to the standby operations master. If you followed the recommendations for operations master role placement, the standby is a direct replication partner of the current holder and is ready to assume the roles. Remember to designate a new standby for the domain controller that assumes the roles.

Transfer When No Standby Operations Master Is Ready

If you did not follow the recommendations for role placement and have not designated a standby operations master, you must prepare the domain controller to which you intend to transfer the roles. Preparing the future role holder is the same process as preparing a standby operations master. Manually create a connection object so that it is a direct replication partner of the current role holder, and confirm that replication between the two domain controllers is up to date; to determine whether the future role holder has received the latest updates from the current operations master, use Repadmin.exe with the /showreps option. In addition, determine whether the intended role holder is a global catalog server. The domain naming master, a forest-level role, must also host the global catalog; the infrastructure master for each domain must not. Do not change the global catalog configuration on the intended role holder unless your IT management authorizes the change, because adding or removing the global catalog can take days to complete and the domain controller might not be available during that period. Instead, transfer the roles to a different domain controller that is already properly configured.

Procedures for Decommissioning a Role Holder

Procedures are explained in detail in the linked topics.
1. Verify successful replication to a domain controller.
2. Determine whether a domain controller is a global catalog server.
3. Transfer the forest-level operations master roles.
4. Transfer the domain-level operations master roles.
5. View the current operations master role holders.

Seizing Operations Master Roles

Seize an operations master role only as a last resort. If at all possible, transfer the role to a new domain controller instead, and seize it only if the current role owner is offline and unlikely to return to service. Role seizure assigns an operations master role to a new domain controller without the cooperation of the current role holder (usually because it is offline after a hardware failure). During a seizure, the new domain controller assumes the role without communicating with the current holder.

Role seizure can create two conditions that cause problems in the directory. First, the new role holder starts performing its duties based on the data in its own copy of the directory partition. If replication did not complete before the original role holder went offline, the new holder might not have the changes made on the original holder, which can cause data loss or inconsistency in the directory database. To minimize the risk of losing data to incomplete replication, do not seize a role until enough time has passed for at least one complete end-to-end replication cycle across your network; this ensures that the domain controller assuming the role is as up to date as possible.

Second, the original role holder is not informed that it is no longer the role holder. That is not a problem while it stays offline, but if it comes back online (for example, after the hardware is repaired or the server is restored from a backup), it might try to perform the role it previously owned, so that two domain controllers perform the same role simultaneously. Depending on the role and on whether your environment runs Windows 2000 Server SP2 or SP3, this can disrupt the directory service; for example, a RID master can allocate a duplicate RID pool, corrupting data in the directory. The severity ranges from no visible effect to the need to rebuild the entire forest. For more information about the risks of returning an operations master to service after its role has been seized, see "Ramifications of Role Seizure" earlier in this guide. In practice, the former holder of a schema master, domain naming master, or RID master role should not be reconnected to the network after a seizure; clean up its metadata in the directory and reinstall it instead.

If you are seizing a role and have not designated a standby operations master, use Repadmin.exe with the /showreps option to identify the domain controller that has the most recent updates from the current role holder, and seize the role to that domain controller to minimize the impact of the seizure.

Procedures for Seizing Operations Master Roles

Procedures are explained in detail in the linked topics.
1. Verify that a complete end-to-end replication cycle has occurred. During the design process you calculated the maximum end-to-end replication latency: the longest time replication should take between the two domain controllers in your enterprise that are farthest apart in your network topology. If you verify that replication is functioning properly and then wait this amount of time without making further changes to the directory, you can assume that all changes have replicated and the domain controller is up to date.
2. Verify successful replication to the domain controller that will seize the role.
3. Seize the operations master role.
4. View the current operations master role holders.
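The transfer and seizure procedures above, together with the check for duplicate role holders that the "Ramifications of Role Seizure" discussion calls for, as an added PowerShell example that is not part of the original guide. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later management tools, so newer than the Windows 2000 tooling the guide describes); the function names are mine and the domain controller names DC01 and DC02 are placeholders.

```powershell
# Added example, not from the guide. Needs the ActiveDirectory module and an
# account with the rights the roles require (Enterprise Admins for the
# forest-level roles, Domain Admins for the domain-level roles).
Import-Module ActiveDirectory

$ForestRoles = 'SchemaMaster', 'DomainNamingMaster'
$DomainRoles = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

# One domain controller's own view of the five role owners, read from its
# replica of the schema, configuration and domain partitions. fSMORoleOwner
# holds the DN of the owner's NTDS Settings object.
function Get-RoleOwnerView {
    param([Parameter(Mandatory)][string]$Server)
    $root = Get-ADRootDSE -Server $Server
    $cfg  = $root.configurationNamingContext
    $dom  = $root.defaultNamingContext
    $roleObjects = @{
        SchemaMaster         = $root.schemaNamingContext
        DomainNamingMaster   = "CN=Partitions,$cfg"
        PDCEmulator          = $dom
        RIDMaster            = "CN=RID Manager`$,CN=System,$dom"
        InfrastructureMaster = "CN=Infrastructure,$dom"
    }
    $view = @{}
    foreach ($role in $roleObjects.Keys) {
        $obj = Get-ADObject -Identity $roleObjects[$role] -Server $Server -Properties fSMORoleOwner
        $view[$role] = $obj.fSMORoleOwner
    }
    $view
}

# Asks each domain controller of one domain for its view and reports the
# roles on which they disagree. After a seizure a disagreement means either
# that a DC has not replicated the change yet or that the former holder is
# back and still claims the role. Forest-level roles are the same in every
# domain, so one domain's DCs suffice for them too.
function Find-RoleOwnerConflicts {
    param([Parameter(Mandatory)][string[]]$Servers)
    $views = @{}
    foreach ($s in $Servers) {
        try   { $views[$s] = Get-RoleOwnerView -Server $s }
        catch { Write-Warning "$s not queried: $_" }
    }
    foreach ($role in $ForestRoles + $DomainRoles) {
        $owners = @($views.Values | ForEach-Object { $_[$role] } | Sort-Object -Unique)
        if ($owners.Count -gt 1) {
            [pscustomobject]@{ Role = $role; Owners = ($owners -join ' | ') }
        }
    }
}

# Pre-flight for a candidate: the guide's global catalog rules and the state
# of the candidate's inbound link from the current holder (what
# 'repadmin /showreps' on the candidate shows, filtered to that partner).
function Test-RoleCandidate {
    param(
        [Parameter(Mandatory)][string]$Candidate,
        [Parameter(Mandatory)][string]$CurrentHolder,
        [Parameter(Mandatory)][string[]]$Roles
    )
    $cand = Get-ADDomainController -Identity $Candidate
    $hold = Get-ADDomainController -Identity $CurrentHolder
    $problems = @()
    if ($Roles -contains 'DomainNamingMaster' -and -not $cand.IsGlobalCatalog) {
        $problems += "$Candidate is not a global catalog server; the domain naming master must be one."
    }
    if ($Roles -contains 'InfrastructureMaster' -and $cand.IsGlobalCatalog) {
        $problems += "$Candidate is a global catalog server; the infrastructure master must not be one."
    }
    $links = @(Get-ADReplicationPartnerMetadata -Target $cand.HostName -PartnerType Inbound |
               Where-Object { $_.Partner -eq $hold.NTDSSettingsObjectDN })
    if ($links.Count -eq 0) { $problems += "$Candidate is not a direct replication partner of $CurrentHolder." }
    # For a seizure the holder is down, so the last success matters, not the last attempt.
    $lastSuccess = ($links | Sort-Object -Property LastReplicationSuccess -Descending | Select-Object -First 1).LastReplicationSuccess
    [pscustomobject]@{ Problems = $problems; LastSuccessFromHolder = $lastSuccess }
}

# Usage with placeholder names. Without -Force the cmdlet transfers the roles
# with the holder's cooperation; -Force seizes them, which is only for a holder
# that is gone for good (check Table 1.14 before ever reconnecting it).
$holder = 'DC01'; $candidate = 'DC02'
$check = Test-RoleCandidate -Candidate $candidate -CurrentHolder $holder -Roles $ForestRoles
if ($check.Problems) { $check.Problems | Write-Warning; return }
"Last successful replication from ${holder}: $($check.LastSuccessFromHolder)"
Move-ADDirectoryServerOperationMasterRole -Identity $candidate -OperationMasterRole $ForestRoles -Confirm:$false
Find-RoleOwnerConflicts -Servers (Get-ADDomainController -Filter *).HostName | Format-Table -AutoSize
```

Run Find-RoleOwnerConflicts again after the maximum end-to-end replication latency has elapsed: a role that still shows two owners at that point is the duplicate-operations-master condition the text warns about, and the stale owner needs to be taken off the network before it acts on the role.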

Choosing a Standby Operations Master

A single domain controller can act as the standby operations master for all of the operations master roles in a domain, or you can designate a separate standby for each role. Following the recommendations, it is best to select one standby for the forest-level roles and, in each domain, another standby that can host the three domain-level roles if their holder fails. No utility or special step designates a domain controller as a standby. What matters is that the current operations master and the standby are well connected, meaning that the network connection between them supports at least a 10 megabit transmission rate and is available at all times, and that they are direct replication partners, which you arrange by manually creating a connection object between them. Having the standby as a direct replication partner saves time if you must reassign any roles to it.

Before transferring a role from the current holder to the standby, ensure that replication between the two computers is functioning properly. Because they are replication partners, the standby is as up to date as the current operations master, which reduces the time the transfer takes. To determine whether the standby has received the latest updates from the current operations master, use Repadmin.exe with the /showreps option. During a role transfer, the two domain controllers exchange any unreplicated information so that no transactions are lost. If they are not direct replication partners, a substantial amount of information might have to replicate before they are fully synchronized, and the transfer takes correspondingly longer; if they are direct partners, fewer outstanding transactions exist and the transfer completes sooner.

Designating a domain controller as a standby also minimizes the risk that a role seizure entails. By making the operations master and the standby direct replication partners, you reduce the chance of data loss in the event of a seizure, and thereby the chance of introducing corruption into the directory. When you designate a standby, follow all of the recommendations in "Guidelines for Role Placement" earlier in this guide. For the forest-level roles, choose a global catalog server as the standby so it can interact more efficiently with the domain naming master. For the domain-level roles, ensure that the standby is not a global catalog server so that the infrastructure master continues to function properly if you must transfer the roles. Manually create a connection object between the operations master and the designated standby to ensure that replication occurs directly between the two domain controllers.

Procedures for Choosing a Standby Operations Master

Procedures are explained in detail in the linked topics.
1. Determine whether a domain controller is a global catalog server.
2. Create a connection object.

Managing the Database

Active Directory is stored in the Ntds.dit database file. In addition to this file, the directory uses log files, which store transactions before they are committed to the database file. For best performance, store the log files and the database on separate physical disks. The directory database is self-maintaining: other than regular backup, it requires no daily maintenance during ordinary operation. However, you might need to manage the following conditions:

Low disk space: Monitor free disk space on the partition or partitions that store the directory database and logs. Raise a warning at the following free-disk-space thresholds:
  Ntds.dit partition: the greater of 20 percent of the Ntds.dit file size or 500 megabytes (MB).
  Log file partition: the greater of 20 percent of the combined log file size or 500 MB.
  Ntds.dit and logs on the same volume: the greater of 1 gigabyte (GB) or 20 percent of the combined size of Ntds.dit and the log files.

Note: If you also set an alert threshold, use half of the corresponding warning threshold.


Database size: During ordinary operation, the database removes expired tombstones and defragments (consolidates) white space. This automatic online defragmentation redistributes white space and retains it for the database's own use. The following conditions might warrant regulating database size manually:
  Temporary backlog of expired tombstones following bulk deletions: Large-scale deletions can temporarily increase the database file size if tombstones expire in larger numbers than garbage collection can remove in one pass (5,000 tombstones per pass). After objects are deleted, their tombstones remain in the directory for 60 days by default and cannot be removed before then. Once the tombstone lifetime has expired, you can speed removal of the backlog by temporarily decreasing the garbage collection period from its default of 12 hours.
  Increased white space after large-scale deletions: If the amount of data decreases significantly, such as when the global catalog is removed from a domain controller, the freed space is not returned to the file system. This does not affect database operation, but it leaves a larger file. Use offline defragmentation to shrink the database file by returning white space to the file system.

Hardware upgrade or failure: If you need to upgrade or replace the disk that holds the database or log files, move the files to a different location, either permanently or temporarily.

For information about monitoring the database and log file partitions for low disk space, see "Monitoring Active Directory" earlier in this guide.
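The low-disk-space thresholds above, as an added PowerShell check that is not part of the original guide. It reads the database and log locations from the NTDS Parameters registry key, measures the files and the free space on their volumes, and applies the three thresholds; the arithmetic is isolated in Get-NtdsSpaceThresholds so it can be tried on sample sizes without a domain controller. The function names are mine; it assumes it runs as an administrator on the domain controller and treats two paths as one volume when they share a drive root (mount points are not resolved).

```powershell
# Added example, not from the guide. Locations of Ntds.dit and the log folder
# are read from the NTDS service parameters.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# The guide's warning thresholds; -Alert halves them for the alert threshold.
function Get-NtdsSpaceThresholds {
    param(
        [Parameter(Mandatory)][long]$DatabaseBytes,
        [Parameter(Mandatory)][long]$LogBytes,
        [switch]$SameVolume,
        [switch]$Alert
    )
    $t = @{}
    if ($SameVolume) {
        # Greater of 1 GB or 20 percent of the combined file sizes.
        $t.Combined = [math]::Max([double]1GB, 0.2 * ($DatabaseBytes + $LogBytes))
    } else {
        # Greater of 500 MB or 20 percent of the respective file sizes.
        $t.Database = [math]::Max([double]500MB, 0.2 * $DatabaseBytes)
        $t.Logs     = [math]::Max([double]500MB, 0.2 * $LogBytes)
    }
    if ($Alert) { foreach ($k in @($t.Keys)) { $t[$k] = $t[$k] / 2 } }
    $t
}

function Get-NtdsFileLocations {
    $p = Get-ItemProperty -Path $NtdsParams
    [pscustomobject]@{
        Database = $p.'DSA Database file'          # full path of Ntds.dit
        LogDir   = $p.'Database log files path'    # folder holding the edb*.log files
    }
}

# Measures the files and the free space on their volumes and applies the
# thresholds. Two paths count as one volume when they share a drive root.
function Test-NtdsDiskSpace {
    param([switch]$Alert)
    $loc      = Get-NtdsFileLocations
    $dbBytes  = (Get-Item -Path $loc.Database).Length
    $logBytes = [long](Get-ChildItem -Path $loc.LogDir -Filter '*.log' | Measure-Object -Property Length -Sum).Sum
    $dbRoot   = [System.IO.Path]::GetPathRoot($loc.Database)
    $logRoot  = [System.IO.Path]::GetPathRoot($loc.LogDir)
    $same     = ($dbRoot -eq $logRoot)
    $th = Get-NtdsSpaceThresholds -DatabaseBytes $dbBytes -LogBytes $logBytes -SameVolume:$same -Alert:$Alert
    $checks = if ($same) { @(@{ Name = 'Combined'; Root = $dbRoot }) }
              else       { @(@{ Name = 'Database'; Root = $dbRoot }, @{ Name = 'Logs'; Root = $logRoot }) }
    foreach ($c in $checks) {
        $free = (New-Object System.IO.DriveInfo($c.Root)).AvailableFreeSpace
        [pscustomobject]@{
            Volume      = $c.Root
            Files       = $c.Name
            FreeMB      = [math]::Round($free / 1MB)
            ThresholdMB = [math]::Round($th[$c.Name] / 1MB)
            Breached    = ($free -lt $th[$c.Name])
        }
    }
}

# Constructed sample, no domain controller needed: a 3 GB Ntds.dit with 40 MB
# of logs on separate volumes. 20 percent of the database exceeds the 500 MB
# floor; 20 percent of the logs does not.
$sample = Get-NtdsSpaceThresholds -DatabaseBytes 3GB -LogBytes 40MB
$sample.GetEnumerator() | ForEach-Object { '{0}: {1} MB' -f $_.Key, [math]::Round($_.Value / 1MB) }

# On the domain controller:
# Test-NtdsDiskSpace | Format-Table -AutoSize
# Test-NtdsDiskSpace -Alert | Format-Table -AutoSize
```

For the sample, Get-NtdsSpaceThresholds returns 614 MB for the database volume (20 percent of 3 GB, both counted in binary units) and the 500 MB floor for the log volume; with -Alert those halve to 307 MB and 250 MB, which is the note's rule. Test-NtdsDiskSpace reports Breached as true on any volume whose free space is below its threshold.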

General Guidelines for Directory Database Management

For all database management tasks, follow these guidelines:
  Before performing any procedure that affects the directory database, make sure you have a current system state backup. For information about performing a system state backup, see "Active Directory Backup and Restore" earlier in this guide.
  To manage the database file itself, take the domain controller offline by restarting it in Directory Services Restore Mode, then use Ntdsutil.exe to manage the file.
  To start a domain controller in Directory Services Restore Mode, you must log on as the local Administrator, using the Directory Services Restore Mode password set when the domain controller was promoted. This password is stored locally on each domain controller rather than in Active Directory, so keep it unique per domain controller and protect it like any other privileged credential.
  To manage the database remotely, use Terminal Services Client to restart the domain controller in Directory Services Restore Mode.
  NTFS disk compression is not supported for the database and log files.

Directory Database Management Tasks and Procedures

Table 1.16 shows the tasks and procedures for managing the database.


Table 1.16 Directory Database Management Tasks and Procedures

Relocate directory database files
  Procedures: Determine the database size and location (online or offline). Compare the size of the directory database files to the volume size. Back up system state. Restart the domain controller in Directory Services Restore Mode (locally or remotely). Move the directory database files: move them to a local drive, or copy them to a remote share and back. If the path has changed, back up system state.
  Tools: dir, Backup Wizard, Terminal Services Client, Notepad, Ntdsutil.exe, Windows Explorer.
  Frequency: As needed.

Return unused disk space from the directory database to the file system
  Procedures: Change the garbage collection logging level. Back up system state. Restart the domain controller in Directory Services Restore Mode (locally or remotely). Compact the directory database offline (offline defragmentation). Check database integrity. If no errors, perform standard semantic database analysis. If errors, perform semantic database analysis with fixup. If errors remain, perform database recovery.
  Tools: Registry editor, Backup Wizard, net use, del, copy, Ntdsutil.exe.
  Frequency: As needed.

Speed removal of an expired-tombstone backlog
  Procedures: Change (decrease) the garbage collection period. Change (increase) the garbage collection logging level. Verify removal of tombstones in the event log. Change (return to normal) the garbage collection period. Change (return to normal) the garbage collection logging level. Compact the directory database offline (offline defragmentation), if needed.
  Tools: ADSI Edit, Registry editor, Event Viewer, Ntdsutil.exe.
  Frequency: As needed.

Relocating Directory Database Files

The following conditions require moving database files:
  Hardware maintenance: If the physical disk that stores the database or log files requires upgrading or maintenance, the files must be moved, either temporarily or permanently.
  Low disk space: When free disk space is low on the logical drive that stores the database file (Ntds.dit), the log files, or both, first verify that no other files are causing the shortage. If the database file or log files are the cause, provide more disk space in one of two ways. Either expand the partition on the disk that currently stores the files, which does not change the path to the files and so does not require updating the registry; or use Ntdsutil.exe to move the database file, the log files, or both to a larger existing partition. Moving the files to a different partition changes their path and therefore requires updating the registry; Ntdsutil.exe updates the registry automatically when you use it to move the files.

Path Considerations

If the path to the database file or log files changes as a result of the move, be sure that you:
  Use Ntdsutil.exe to move the files (rather than copying them) so that the registry is updated with the new path. Even if the move is temporary, use Ntdsutil.exe to move the files locally so that the registry is always current.
  Perform a system state backup as soon as the move is complete so that a restore uses the correct path.
  Verify that the correct permissions are applied to the destination folder after the move, and revise them if necessary to those required to protect the database files: only SYSTEM and the local Administrators group should have access. Ntds.dit contains the password hashes of every account in the domain, so any broader access on the new folder exposes those credentials.

SYSVOL Considerations

If you replace or reconfigure a drive that stores the SYSVOL folder, you must first move the SYSVOL folder manually. For information about moving SYSVOL manually, see "Managing SYSVOL" later in this guide.

Procedures for Relocating Directory Database Files

Use the following procedures to move or copy the database file, the log files, or both. Procedures are explained in detail in the linked topics.

1. Determine the location and size of the directory database files. Use the database size to prepare a destination of adequate size, and track the file sizes during the move to confirm that you moved the correct files. Use the same method to check file sizes whenever you compare them, because the size is reported differently depending on whether the domain controller is online or offline: online, the size is reported in bytes; offline, it is reported in megabytes (MB). Use the offline method if the domain controller is already started in Directory Services Restore Mode.

2. Compare the size of the directory database files to the volume size. Before moving any files in response to low disk space, verify that no other files on the volume are responsible for the shortage.

3. Back up system state. System state includes the database file and log files as well as the SYSVOL and NETLOGON shared folders, among other things. Always have a current backup before moving database files.

4. Restart the domain controller in Directory Services Restore Mode. If you are logged on at the domain controller console, restart it locally; if you are using Terminal Services for remote administration, modify the Boot.ini file on the remote server so that the next restart enters Directory Services Restore Mode.

5. Move the database file, the log files, or both. Move the files to a temporary destination if you need to reformat the original location, or to a permanent location if you have additional disk space. Move them locally with Ntdsutil.exe, or temporarily copy them to a remote share and back; when copying any database files off the local computer, always copy both the database file and the log files. A copy of Ntds.dit carries every password hash in the domain, so restrict the share to the administrators performing the move and securely delete the remote copy once the files are back in place.

6. If the path to the database or log files has changed, back up system state again so that the restore procedure has the correct paths.

Returning Unused Disk Space from the Directory Database to the File System

During ordinary operation, the white space in the directory database file becomes fragmented. Each time garbage collection runs (every 12 hours by default), white space is defragmented online to optimize its use within the database file. The unused space is retained for the database; it is not returned to the file system. Only offline defragmentation returns unused disk space from the directory database to the file system. When database contents have decreased considerably through a bulk deletion (for example, after you remove the global catalog from a domain controller) and the database file stays significantly larger than its contents because of the white space, use offline defragmentation to reduce the size of the Ntds.dit file.

You can determine how much disk space is recoverable from the Ntds.dit file by raising the Garbage Collection logging level in the registry (the "6 Garbage Collection" entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics). Changing the level from its default value of 0 to 1 causes event ID 1646 to be logged in the Directory Service log; this event reports the total amount of disk space allocated to the database file and the amount of free space within it that offline defragmentation can return to the file system. At logging level 0, only critical events and error events are logged in the Directory Service log. At level 1, high-level events are logged as well, typically one message for each major task the service performs. At level 1, the following garbage collection events are logged:
  700 and 701: online defragmentation began and ended, respectively.
  1646: the amount of free space in the database out of the amount of allocated space.

Caution: Setting the value of entries in the Diagnostics subkey to greater than 3 can degrade server performance and is not recommended.

Following offline defragmentation, perform a database integrity check. The integrity command in Ntdsutil.exe detects binary-level corruption by reading every byte of the database file; it verifies that the correct headers exist in the database and that all of the tables are functioning and consistent. Depending on the size of your Ntds.dit file and the domain controller hardware, the check can take considerable time; in test environments, about 2 GB per hour is typical. While the command runs, a progress indicator shows the percentage completed.


Note
Tombstones cannot be removed prior to expiration of the tombstone lifetime.

Procedures for Performing Offline Defragmentation


Use the following procedures to perform offline defragmentation. Procedures are explained in detail in the linked topics.
1. Change the garbage collection logging level to 1. Check the Directory Service event log for event ID 1646, which reports the amount of disk space that you can recover by performing offline defragmentation.
2. Back up system state. System state includes the database file and database log files as well as SYSVOL, NETLOGON, and the registry, among other things. Always ensure that a current backup exists prior to defragmenting database files.
3. Take the domain controller offline, as follows: If you are logged on to the domain controller locally, restart the domain controller in Directory Services Restore Mode. If you are using Terminal Services for remote administration, you can remotely restart the domain controller in Directory Services Restore Mode after modifying the Boot.ini file on the remote server.
4. Compact the directory database file (offline defragmentation). As part of the offline defragmentation procedure, check directory database integrity.
5. If the database integrity check fails, perform semantic database analysis with fixup.

Speeding Removal of an Expired-Tombstone Backlog


An object that is deleted from Active Directory is stored as a tombstone, which represents the deleted object in the directory so that the deletion is replicated. Tombstones remain in the directory for a default period of 60 days from the time of deletion, at which point they expire and are permanently removed by garbage collection. Although tombstones use less space than the full object, they can affect the size of the database temporarily following large bulk deletions. A maximum of 5,000 expired tombstones can be deleted at one time. If the number of expired tombstones exceeds 5,000, more than one garbage collection interval is required to clear the backlog. During the backlog, tombstones that are no longer needed are retained, consuming database space.

Increased Rate of Tombstone Removal


The default garbage collection period is 12 hours. Temporarily decreasing the garbage collection period (for example, to 1 hour) can help speed the removal of expired tombstones. However, setting this period too low can also cause slow performance, so be sure to return the value to the original setting as soon as the backlog is cleared. To reduce database size by returning the white space left by the removed tombstones to the file system, perform offline defragmentation after the backlog is cleared.

Logging of Tombstone Removal


The default logging level for garbage collection is 0. At this level, only errors are reported. When garbage collection logging is set to 3, event ID 1006 reports the number of expired tombstones removed during each garbage collection cycle. If you want to track removal of expired tombstones, increase the logging level to 3 and decrease the garbage collection period until the backlog is cleared, and then return the logging level and the garbage collection period to normal.

Procedures for Regulating Directory Database Growth Caused by Tombstones


Use the following procedures to manage removal of tombstones following bulk deletions.
1. Change the garbage collection period to a lower interval. Decreasing the interval between garbage collections helps the system eliminate the tombstone backlog more quickly.
2. Change the garbage collection logging level to 3. Increasing the logging level to 3 causes an event that reports the number of tombstones removed each time garbage collection occurs.
3. Verify removal of tombstones in the event log. Check the Directory Service event log for NTDS event ID 1006, which reports the number of expired tombstones removed. When this event indicates that the number of tombstones removed is less than 5,000, the backlog has been cleared.
4. Change the garbage collection period. When event ID 1006 reports a number of removed tombstones less than 5,000, you can return the interval between garbage collections to the normal level.
5. Change the garbage collection logging level, if needed. If you no longer want informational events logged for garbage collection, return the logging level to 0.
6. Compact the directory database file (offline defragmentation), if needed. Clearing the backlog does not remove the white space created by the tombstones. Only offline defragmentation returns unused disk space to the file system.
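As an added example that is not part of the guide, the following PowerShell script carries out the garbage collection settings used by this procedure (logging level 3, event ID 1006) and by the offline defragmentation procedure above (logging level 1, event ID 1646), using PowerShell in place of Regedit.exe and the Event Viewer. It assumes a host where PowerShell is available, that the logging level is the "6 Garbage Collection" value under the NTDS Diagnostics registry key, and that the garbage collection period is the garbageCollPeriod attribute of the Directory Service configuration object; none of these names appear in the guide.

```powershell
# Added example, not from the guide: PowerShell in place of Regedit.exe and the
# Event Viewer for the garbage collection settings used by the offline
# defragmentation procedure (logging level 1, event ID 1646) and the tombstone
# backlog procedure (logging level 3, event ID 1006). Event IDs, levels, the
# 5,000 tombstone-per-cycle limit and the 12 hour default period are from the
# guide. Assumptions (not named on the page): the logging level is the DWORD
# "6 Garbage Collection" under the NTDS Diagnostics key, and the period is the
# garbageCollPeriod attribute of the Directory Service configuration object.
$DiagKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$DiagName = '6 Garbage Collection'
$DefaultPeriodHours = 12

function Get-GarbageCollectionLogging {
    (Get-ItemProperty -Path $DiagKey -Name $DiagName).$DiagName
}

function Set-GarbageCollectionLogging {
    # 0 = errors only; 1 adds 700/701/1646; 3 adds 1006 (levels per the guide).
    param([Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level)
    Set-ItemProperty -Path $DiagKey -Name $DiagName -Value $Level -Type DWord
}

function Get-DirectoryServiceObject {
    # CN=Directory Service,CN=Windows NT,CN=Services,<configuration partition>
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
}

function Get-GarbageCollectionPeriodHours {
    $value = (Get-DirectoryServiceObject).garbageCollPeriod
    if ($value) { [int]"$value" } else { $DefaultPeriodHours }   # unset = default
}

function Set-GarbageCollectionPeriodHours {
    # The one-week upper bound is this example's own guard, not a directory limit.
    param([Parameter(Mandatory)][ValidateRange(1, 168)][int]$Hours)
    $ds = Get-DirectoryServiceObject
    $ds.Put('garbageCollPeriod', $Hours)
    $ds.SetInfo()
}

function Get-GarbageCollectionEvents {
    # 1646: free space recoverable by offline defragmentation (level 1).
    # 1006: expired tombstones removed in one cycle (level 3); a count below
    # 5,000 means the backlog has been cleared.
    param([int[]]$EventId = @(1646, 1006), [int]$Newest = 20)
    Get-EventLog -LogName 'Directory Service' -Newest 2000 |
        Where-Object { $EventId -contains $_.EventID } |
        Select-Object -First $Newest TimeGenerated, EventID, Message
}

function Start-TombstoneBacklogCleanup {
    # Steps 1 and 2 of the procedure: shorten the period, raise logging to 3.
    # Returns the original settings so they can be restored in steps 4 and 5.
    $original = @{
        Level = Get-GarbageCollectionLogging
        Hours = Get-GarbageCollectionPeriodHours
    }
    Set-GarbageCollectionLogging -Level 3
    Set-GarbageCollectionPeriodHours -Hours 1
    $original
}

function Stop-TombstoneBacklogCleanup {
    # Steps 4 and 5: once a 1006 event reports fewer than 5,000 removals, put
    # both settings back to the values saved before the cleanup.
    param([Parameter(Mandatory)][hashtable]$Original)
    Set-GarbageCollectionPeriodHours -Hours $Original.Hours
    Set-GarbageCollectionLogging -Level $Original.Level
}

# Usage: $saved = Start-TombstoneBacklogCleanup
#        Get-GarbageCollectionEvents -EventId 1006    # watch each cycle's count
#        Stop-TombstoneBacklogCleanup -Original $saved
```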

Managing SYSVOL

The Windows 2000 Server System Volume (SYSVOL) is a collection of folders and reparse points in the file systems that exist on each domain controller in a domain. SYSVOL provides a standard location to store Group Policy objects (GPOs) and scripts so that the File Replication service (FRS) can distribute them to other domain controllers and member computers in a domain.


Note
If you receive indications that disk space is low, determine if the cause is inadequate physical space on the disk, or a registry setting that allocates inadequate disk space to SYSVOL. By modifying a setting in the registry, you can allocate more disk space to SYSVOL rather than relocating SYSVOL or the Staging Area. Increasing the space allocation in the registry is much faster and easier than relocation. For more information about managing disk space, see "Maintaining Sufficient Disk Space" later in this section.

FRS monitors SYSVOL and if a change occurs to any file stored on SYSVOL, then FRS automatically replicates the changed file to the SYSVOL folders on the other domain controllers in the domain. Computers that run Windows 2000 Server obtain GPOs, logon, logoff, startup, and shutdown scripts from the SYSVOL shared folder. Windows NT 4.0-based domain controllers and Windows-based clients that do not run Active Directory client software obtain GPOs and scripts from the NETLOGON shared folder. During the installation of Active Directory, the folders and reparse points are automatically created in the %SystemRoot%\SYSVOL folder. FRS automatically replicates any files or GPOs that are written to these folders to the other domain controllers in the domain, to ensure that they are available and ready to be used when a user logs on to the domain.

The day-to-day operation of SYSVOL is an automated process that does not require any human intervention other than watching for alerts from the monitoring system. Occasionally, you might perform some system maintenance as you change your network. The procedures you might perform include:
Relocating SYSVOL
Relocating the Staging Area
Changing the size of the Staging Area

These procedures involve moving SYSVOL or portions of SYSVOL to alternate locations. You might perform these procedures to maintain capacity and performance of SYSVOL, for hardware maintenance, or for data organization. Depending upon the configuration of your network, SYSVOL can require much disk space to function properly. During the initial deployment, SYSVOL might be allocated adequate disk space to function. However, as your network grows, the required capacity can exceed the available disk space. Any changes made to SYSVOL are automatically replicated to the other domain controllers in the domain. If the files stored in SYSVOL change frequently, the replication increases the input and output for the volume where SYSVOL is located. If the volume is also host to other system files, such as the directory database or the pagefile, then the increased input and output for the volume can impact the performance of the server.


System maintenance, such as removal of a disk drive, can require you to relocate SYSVOL. Even if the maintenance occurs on a different disk drive, verify that the maintenance does not affect the system volume. Logical drive letters can change after you add and remove disks. FRS locates SYSVOL by using pointers stored in the directory and the registry. If drive letters change after you add or remove disk drives, be aware that these pointers are not automatically updated. Some organizations prefer to control where specific data is stored for organizational purposes and established backup and restore policies.

Guidelines for Managing SYSVOL


To manage SYSVOL, ensure that FRS properly replicates the SYSVOL data, and provide enough space to store SYSVOL. Implement a monitoring system that can detect low disk space and potential FRS disruptions so that you can address those issues before the system stops replicating. For more information about monitoring SYSVOL, see "Monitoring Active Directory" in this guide.

Disk space maintenance


SYSVOL stores and replicates GPOs, Distributed File System (DFS) information, and scripts. As the network grows, SYSVOL can begin to require substantial storage space. Although you do plan for storage requirements for SYSVOL during the planning stages of deployment, you might need to adjust the storage requirements after you deploy additional domain controllers due to network growth and the way in which FRS replicates files.

FRS replicates files by making a temporary copy of the files in a Staging Area folder and then sending the copies to replication partners. This method avoids problems that locked files can cause while replication occurs. Because FRS replicates copies of the files, the original files remain available for user access during replication. However, this method requires making a copy of every file prior to replication. Based on the size and number of files involved, a substantial amount of disk space might be required for temporary storage.

When the Staging Area folder runs out of disk space, FRS behaves differently depending on the version of Windows 2000 that is running. If Windows 2000 Server Service Pack 2 (SP2) or earlier is running, then the system will stop replicating until space is made available. If Windows 2000 Server Service Pack 3 (SP3) is running, then FRS will detect when it is about to run out of disk space and start removing the least recently used files to provide more space. Although this prevents the system from halting replication, it does increase input and output for the server's disk and can impact performance. For more information about the changes to FRS from Windows 2000 Server SP2 to Windows 2000 Server SP3, see KB article Q321557 in the Microsoft Knowledge Base. To view the Microsoft Knowledge Base, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Both FRS and DFS use the Staging Area folder. To maintain sufficient disk space for SYSVOL, estimate the amount of space that DFS uses as well as the space that FRS uses. For more information about DFS, see "Distributed File System" in the Distributed Systems Guide of the Windows 2000 Server Resource Kit.


Because the Staging Area folder holds files from all replication partners, you must consider traffic to and from all partners when you estimate the disk space requirements for the Staging Area folder on each computer. If replication must occur between domain controllers that are located in different sites, remember that FRS uses the same connection objects as Active Directory. You can configure those connection objects so that replication can occur only during certain times of the day. Each connection object has an associated schedule that dictates what hours of the day the connection is available for replication. Allocate enough time in the schedule for all Active Directory replication and all FRS replication to occur. If FRS does not complete all outstanding replication requests when the schedule makes the connection available, it will hold the remaining unreplicated files until the next time the connection becomes available. Over time, this backlog of unreplicated files can grow to consume an enormous amount of disk space.

Additional SYSVOL recommendations


You can conserve Staging Area space and bandwidth by following these best practices:
Run Windows 2000 SP2 on all domain controllers that run FRS. Install Windows 2000 SP3 as soon as possible.
Always keep the FRS service running, especially when you make bulk changes to FRS-replicated files or files outside the tree on the same drive.
Do not run anti-virus software against FRS-replicated directories.
Do not enable File System Group Policy on any FRS-replicated tree.
Watch for inconsistent directories. Duplicate folders that appear in the FRS replication tree on multiple domain controllers can cause inconsistent directories. Although this is not a critical problem, it can result in unanticipated behavior, such as changes appearing to be lost. If this occurs, examine the files in these directories to determine which directory is the proper version and then delete the duplicated directories from the tree.
Do not leave files open for extended amounts of time. FRS cannot replicate a file while it is open. Avoid using elements in scripts that cause a file to be open for an extended amount of time, such as a script that waits for user input before proceeding. If the user is not present when the script runs, the file can remain open and cannot be replicated until the script terminates.
Do not attempt to relocate SYSVOL or the Staging Area if the FRS environment on your network is unstable and you are having problems with system volumes becoming unsynchronized among replication partners. Troubleshoot the FRS problems and ensure that the environment is stable before attempting any relocation operations. During all relocation operations except authoritative restore, FRS rebuilds the SYSVOL content by replicating data from its replication partners. If FRS is not functioning properly on the partners, their SYSVOL data may be invalid. This can result in invalid SYSVOL data in the new location. The relocation operation can also fail because FRS cannot replicate the necessary data from the domain controller's replication partners.


SYSVOL and Staging Area relocation

Deployment is the best time to determine the location of SYSVOL. Consider performance and disk capacity to determine the best location for the SYSVOL folders. During the Active Directory installation, you must specify the location of the SYSVOL folders. After installation, you might need to relocate SYSVOL or the Staging Area folder. Although SYSVOL contains many folders, the Staging Area requires the most capacity because it is used for replication. You can leave SYSVOL in its original location and relocate only the Staging Area. You can relocate the entire SYSVOL folder and its associated subtrees, including the Staging Area. You can relocate SYSVOL by removing and reinstalling Active Directory on the domain controller or by manually recreating SYSVOL at a new location.

Active Directory removal and reinstallation


To relocate SYSVOL, removing and reinstalling Active Directory is far easier and more reliable than manually recreating SYSVOL at a new location, but it can also be impractical. To relocate SYSVOL by using this method, you use the Active Directory Installation Wizard to remove Active Directory from the domain controller and then use it again to reinstall Active Directory on the same domain controller. During the reinstallation, provide the new location for SYSVOL. The replication process populates the folders with the appropriate files from another domain controller. This method might not be practical to use because having a large number of objects in your directory increases the required time for reinstallation, and you might need to reinstall and reconfigure other services if the domain controller runs additional services.

Manual SYSVOL relocation


To manually recreate the SYSVOL folder at the new location, copy the data from the existing location to the new location and then reconfigure FRS to point to the new location. Ensure that you properly copy all files to the new location. Manually relocate SYSVOL only as a last resort, when you cannot remove and reinstall Active Directory on the domain controller. If you must perform this procedure, ensure that the SYSVOL replication between the domain controller and its replication partners is as up-to-date as possible. If the domain controller is not replicating properly with its partners, do not attempt to recreate SYSVOL until you determine why replication is not functioning and make the necessary fixes. For more information about recreating SYSVOL manually, see KB article Q304300 in the Microsoft Knowledge Base. To view the Microsoft Knowledge Base, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

SYSVOL Management Tasks and Procedures


Table 1.17 shows the tasks and procedures for managing SYSVOL.

Table 1.17 SYSVOL Management Tasks and Procedures

Task: Change the space allocated to the Staging Area folder.
Procedures:
Stop the File Replication service.
Change the space allocated to the Staging Area folder.
Start the File Replication service.
Tools: Regedit.exe
Frequency: As needed

Task: Relocate the Staging Area folder.
Procedures:
Identify replication partners.
Check the status of the SYSVOL.
Verify replication is functioning.
Gather the SYSVOL path information.
Stop the File Replication service.
Create the new Staging Area folder.
Set the Staging Area path.
Prepare a domain controller for non-authoritative SYSVOL restore.
Start the File Replication service.
Tools: Active Directory Sites and Services, Dcdiag.exe, Windows Explorer, ADSI Edit, Regedit.exe
Frequency: As needed

Task: Move SYSVOL by using the Active Directory Installation Wizard.
Procedures:
View the current operations master role holders.
Transfer the forest-level operations master roles.
Transfer the domain-level operations master roles.
Determine whether a domain controller is a global catalog server.
Verify DNS registration and functionality.
Verify communication with other domain controllers.
Verify the existence of the operations masters.
Remove Active Directory.
Delete a server object from a site.
Verify DNS registration and functionality.
Install Active Directory.
Verify the site assignment for the domain controller.
Move a server object to a different site if the domain controller is located in the wrong site.
Perform final DNS configuration.
Check the status of the shared system volume.
Verify DNS registration and functionality.
Verify domain membership for the new domain controller.
Verify communication with other domain controllers.
Verify replication is functioning.
Verify the existence of the operations masters.
Tools: Active Directory Users and Computers, Active Directory Sites and Services, Dcdiag.exe, Netdiag.exe, DCPromo.exe, DNS snap-in
Frequency: As needed

Task: Move SYSVOL manually.
Procedures:
Identify replication partners.
Check the status of the shared system volume.
Verify replication is functioning.
Gather the SYSVOL path information.
Stop the File Replication service.
Create the SYSVOL folder structure.
Set the SYSVOL path.
Set the Staging Area path.
Set the fRSRootPath.
Prepare a domain controller for non-authoritative SYSVOL restore.
Update security on the new SYSVOL.
Start the File Replication service.
Tools: Active Directory Sites and Services, Dcdiag.exe, NTBackup.exe, ADSI Edit, Regedit.exe, Linkd.exe
Frequency: As needed

Task: Update the SYSVOL path.
Procedures:
Check the status of the SYSVOL.
Gather the SYSVOL path information.
Stop the File Replication service.
Set the SYSVOL path.
Set the fRSRootPath.
Set the Staging Area path.
Start the File Replication service.
Tools: Regedit.exe, Windows Explorer, ADSI Edit, Linkd.exe
Frequency: As needed

Task: Restore and rebuild SYSVOL.
Procedures:
Identify replication partners.
Check the status of the SYSVOL.
Verify replication is functioning.
Restart the domain controller in Active Directory Restore Mode (locally or remotely).
Gather the SYSVOL path information.
Stop the File Replication service.
Prepare the domain controller for non-authoritative SYSVOL restore.
Import the SYSVOL folder structure.
Start the File Replication service.
Check the status of the shared system volume.
Tools: Active Directory Sites and Services, Dcdiag.exe, Windows Explorer, Regedit.exe, Linkd.exe
Frequency: As needed

Changing the Space Allocated to the Staging Area


The Staging Area is a folder inside the SYSVOL folder. FRS replicates files by making copies of the files, storing these copies in the Staging Area folder, and then sending them to replication partners. Because FRS replicates a copy of the file, the original file remains available for user access during replication. The Staging Area stores files prior to being replicated and stores files that it has just received through replication. Although FRS compresses the data and attributes of the replicated files to save space in the Staging Area folder and reduce the time that is needed to replicate the files, this method requires making and storing a copy of every file prior to replication and can require a substantial amount of disk space to store all of the copies.

When you examine the disk space that SYSVOL uses, you need to examine both physical disk space and allocated disk space. Physical disk space refers to the amount of space that is available on the disk drive. To prevent SYSVOL from using all physical disk space available on the drive, an entry in the registry limits the amount of space that SYSVOL can use. This is the allocated disk space. The default size of the Staging Area folder is 675 megabytes (MB). The minimum size is 10 MB and the maximum size is 2 terabytes. You can adjust the size limit of the Staging Area folder by setting the value in kilobytes (KB) of the Staging Space Limit registry entry in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters. For more information about setting the Staging Space Limit in the registry, see KB article Q221111 in the Microsoft Knowledge Base. To view the Microsoft Knowledge Base, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

When the Staging Area folder runs out of disk space, FRS behaves differently depending on the version of Windows 2000 Server that is running. If Windows 2000 Server Service Pack 2 (SP2) or earlier is running, then FRS fills the Staging Area to the limit defined in the registry and then suspends inbound and outbound replication until disk space is made available. In this situation, you can avoid suspension of replication by generously estimating the amount of disk space that SYSVOL requires. If Windows 2000 Server Service Pack 3 (SP3) is running, then FRS fills the Staging Area to 90 percent of the limit specified in the registry and then starts removing the least recently used files to make more space available. While this prevents FRS from suspending replication, it can affect the performance of the domain controller. If a large number of files are constantly being updated, then FRS constantly stages, removes, and restages files to maintain available disk space in the Staging Area. In this case, making more space available reduces the amount of work that the domain controller performs in order to keep FRS functioning.

Other Considerations for Estimating Required Disk Space


Both FRS and DFS use the Staging Area folder. The Staging Space Limit in the registry applies to the sum of the space that is used by DFS and FRS. To maintain sufficient disk space for SYSVOL, estimate the amount of space that DFS uses as well as the space that FRS uses. If a file changes, FRS replicates the entire file and not just the change. If two replication partners have different values set for the Staging Space Limit, the maximum size of a file that FRS can replicate is the lower of the two values. The Staging Area folder holds files from all replication partners. You must consider traffic to and from all partners when you estimate the disk space requirements for the Staging Area folder in each SYSVOL.

Active Directory replication uses connection objects to establish connections between replication partners. FRS uses the same connections for its own replication. Two factors control the rate that replication can take place over those connections: availability of the connection and transmission speed of the network. Each connection object has an associated schedule that allows administrators to dictate when the connection is available for replication. Network administrators can limit the time that replication can take place so that processes that are more important to the daily operation of the business can use available network bandwidth over a specific connection. This becomes especially important if two replication partners are connected by a slow link (such as a 128 Kbps dial-up connection). The schedule makes it possible to limit replication traffic so that it occurs only at night or during off-peak hours.

FRS stages all replication traffic and waits for the connection to become available. When the connection is available, it begins replication and continues until it replicates all outstanding files, or the connection becomes unavailable. If many files are awaiting replication and the network is busy handling other traffic, then FRS might not get a chance to replicate all outstanding files before the schedule makes the connection unavailable. If this happens, FRS holds the remaining files until the schedule permits replication to continue. While FRS is waiting for the schedule to permit replication, it continues to stage new files for replication. The Staging Area folder needs enough space to store the staged files as well as to handle any backlog of files that might not get replicated due to limited availability of the connection.

Procedures for Changing the Space Allocated to the Staging Area


Use the following procedures to change the amount of space that is allocated to the Staging Area folder. Procedures are explained in detail in the linked topics.
1. Stop the File Replication service.
2. Change the space allocated to the Staging Area folder.
3. Start the File Replication service.
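As an added example that is not part of the guide, the following PowerShell script separates the two causes of low disk space described in this section (too little allocated space versus too little physical space) and then carries out the three steps of this procedure. The registry key, the value name and units, the 90 percent SP3 threshold and the 10 MB to 2 TB bounds are taken from the guide; the service name NtFrs, the default Staging Area location %SystemRoot%\SYSVOL\staging and the use of PowerShell instead of Regedit.exe are assumptions.

```powershell
# Added example, not from the guide: inspect and change the FRS Staging Space
# Limit from PowerShell rather than Regedit.exe. The registry key, the value
# name (kilobytes), the 90 percent SP3 threshold and the 10 MB minimum / 2 TB
# maximum are from the guide, as is the distinction between allocated and
# physical disk space. Assumptions: NtFrs is the service name of the File
# Replication service, and %SystemRoot%\SYSVOL\staging is the default Staging
# Area location (the fRSStagingPath attribute in the directory is authoritative).
$FrsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$FrsValue   = 'Staging Space Limit'
$MinKB      = 10MB / 1KB                 # 10 MB minimum
$MaxKB      = 2TB / 1KB                  # 2 TB maximum = 2^31 KB
$StagingDir = Join-Path $env:SystemRoot 'SYSVOL\staging'   # assumed default

function Get-StagingSpaceLimitKB {
    # The registry provider returns a DWORD as Int32; reinterpret as unsigned so
    # a limit at or above 2^31 KB (2 TB) is not read back as a negative number.
    $raw = (Get-ItemProperty -Path $FrsKey -Name $FrsValue -ErrorAction Stop).$FrsValue
    [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$raw), 0)
}

function Get-StagingSpaceReport {
    # Allocated space (registry) versus physical space (volume) versus current
    # use, so the administrator can tell which shortage is the real cause.
    $limitKB = Get-StagingSpaceLimitKB
    $usedKB  = [double](Get-ChildItem -Path $StagingDir -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer } |
                Measure-Object -Property Length -Sum).Sum / 1KB
    $drive   = (Get-Item $StagingDir).PSDrive.Name + ':'
    $freeKB  = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'").FreeSpace / 1KB
    [pscustomobject]@{
        StagingPath           = $StagingDir
        AllocatedMB           = [math]::Round($limitKB / 1024)
        UsedMB                = [math]::Round($usedKB / 1024)
        VolumeFreeMB          = [math]::Round($freeKB / 1024)
        # SP3 starts discarding least recently used staged files at 90 percent
        # of the limit; SP2 and earlier suspend replication at the limit itself.
        AllocationNearlyUsed  = $usedKB -ge 0.9 * $limitKB
        # Raising the limit will not help if the volume cannot hold the remainder.
        VolumeCannotHoldLimit = ($limitKB - $usedKB) -gt $freeKB
    }
}

function Set-StagingSpaceLimitMB {
    # The three steps of the procedure: stop FRS, change the value, start FRS.
    param([Parameter(Mandatory)][long]$Megabytes)
    $kb = $Megabytes * 1024
    if ($kb -lt $MinKB -or $kb -gt $MaxKB) {
        throw "Staging Space Limit must be between 10 MB and 2 TB (requested $Megabytes MB)."
    }
    # Store as an unsigned DWORD: values at or above 2^31 are reinterpreted as a
    # signed Int32 because that is what the registry provider accepts for DWord.
    $dword = [BitConverter]::ToInt32([BitConverter]::GetBytes([uint32]$kb), 0)
    Stop-Service -Name NtFrs -ErrorAction Stop
    try {
        Set-ItemProperty -Path $FrsKey -Name $FrsValue -Value $dword -Type DWord
    } finally {
        Start-Service -Name NtFrs      # FRS is restarted even if the write fails
    }
    Get-StagingSpaceReport
}

Get-StagingSpaceReport | Format-List
```

Run the report first; only when it shows AllocationNearlyUsed without VolumeCannotHoldLimit is raising the limit (for example, Set-StagingSpaceLimitMB -Megabytes 1024) the right fix rather than relocating the Staging Area.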

Relocating the Staging Area


The Staging Area folder is likely to use most of the disk space that is allocated to SYSVOL. This is because the Staging Area folder stores all inbound and outbound files, and sometimes multiple copies of those files. As the disk space requirements increase, you can allocate more space until you reach 2 terabytes or the physical limit of the disk drive. The maximum disk space allowed for the Staging Area is 2 terabytes. If you reach the limit of the disk drive and still have not reached the 2 TB limit, consider relocating the Staging Area folder to a different disk that has more space available.

By default, the Active Directory Installation Wizard installs the Staging Area folder within the SYSVOL. The Active Directory Installation Wizard creates two folders, Staging and Staging Area, which FRS uses for the staging process. When you relocate the Staging Area, you can change the folder name. Ensure that you identify the proper folder in case the folder is renamed in your environment. Two parameters determine the location of the Staging Area. One parameter, fRSStagingPath, is stored in the directory and contains the path to the actual location that FRS uses to stage files. The other parameter is a junction point stored in the Staging Areas folder in SYSVOL that links to the actual location that FRS uses to stage files. When relocating the Staging Area, you must update these two parameters to point to the new location.

Procedures for Relocating the Staging Area Folder


Except where noted, perform these procedures on the domain controller that contains the Staging Area folder that you want to relocate. Procedures are explained in detail in the linked topics.
1. Identify replication partners.
2. On the replication partners, check the status of the shared system volume. You do not need to perform the test on every partner, but you need to perform enough tests to be confident that the shared system volumes on the partners are healthy.
3. Verify that replication is functioning.
4. Gather the SYSVOL path information.
5. Stop the File Replication service.
6. Create the new Staging Area folder.
7. Set the Staging Area path.
8. Prepare a domain controller for non-authoritative SYSVOL restore.
9. Start the File Replication service.

Moving SYSVOL by Using the Active Directory Installation Wizard


Relocate SYSVOL only as a last resort. The many steps involved present many opportunities to incorrectly configure the system. If you must relocate SYSVOL, use the Active Directory Installation Wizard because it is far easier and more reliable than manually moving SYSVOL. The Active Directory Installation Wizard asks for the new location and then automatically configures the system for you. Although using the Active Directory Installation Wizard is the preferred method for relocating SYSVOL, it is also the least practical because it involves decommissioning the domain controller. When this process is used, the Active Directory Installation Wizard is run on the domain controller to remove Active Directory. After Active Directory is removed, you run the wizard again to reinstall Active Directory. During the reinstallation, the wizard asks where you want to store SYSVOL. You enter the new location and the wizard configures it for you.

Using the Active Directory Installation Wizard to relocate SYSVOL can be too impractical for two reasons. First, because you are removing Active Directory and then reinstalling it, you also need to reinstall any other services that depend on Active Directory that are running on that domain controller. This can amount to hours of additional work and an unacceptable amount of time for the domain controller to be unavailable. Second, if a large number of objects exist in your directory, it can take hours or even days to complete the reinstallation when the new domain controller joins the network and completes the initial replication of the directory.


WARNING
Do not move SYSVOL with the Active Directory Installation Wizard unless you completely understand the risks and consequences of decommissioning the domain controller in question.

Note
If any of the verification tests fail, do not continue until you identify and fix the problems. If these tests fail, the decommissioning operation is also likely to fail.

Note
If the verification test fails, do not continue until you identify and fix the problems. If the test fails, then the installation is also likely to fail.

If this domain controller is not hosting any additional services that depend on the directory, and your directory does not take an extensive amount of time to complete the initial replication to new domain controllers, then moving SYSVOL with the Active Directory Installation Wizard can save you time and be easier and more reliable than moving SYSVOL manually.

Procedures for Moving SYSVOL with the Active Directory Installation Wizard

Use the following procedures to remove and reinstall Active Directory in order to move SYSVOL. For more information about installing and removing Active Directory, see "Managing Installation and Removal of Active Directory" in this guide. Procedures are explained in detail in the linked topics.
1. View the current operations master role holders to see if any roles are assigned to this domain controller.
2. If this domain controller is listed as hosting either the schema master or domain naming master roles, then transfer the forest-level roles to another domain controller in the forest root domain. Any domain controller in the forest is capable of hosting these roles, but it is recommended that they remain in the forest root domain. Ensure that you place the domain naming master role on a global catalog server.
3. If this domain controller is listed as hosting the primary domain controller (PDC) emulator, infrastructure master, or relative identifier (RID) master roles, transfer the domain-level roles to another domain controller in the same domain. Do not place the infrastructure master role on a global catalog server unless all of the domain controllers host the global catalog or unless only one domain exists in the forest.
4. Determine whether a domain controller is a global catalog server and ensure that other domain controllers are configured as global catalog servers before continuing.
5. Verify DNS registration and functionality.
6. Verify communication with other domain controllers.
7. Verify the existence of the operations masters on the network.
8. Remove Active Directory.
9. Delete the server object from a site.
10. Verify DNS registration and functionality.
11. Install Active Directory. Provide the wizard with the new location for SYSVOL when prompted.
12. Verify the site assignment for the domain controller.
13. Move a server object to a different site if the domain controller is located in the wrong site.
14. Perform final DNS configuration for a new domain controller that is located in the forest root domain:
a. Create a delegation for the new domain controller in the parent domain of the DNS infrastructure if a parent domain exists and a DNS server hosts it. If a DNS server does not host the parent domain, then follow the procedures outlined in the vendor documentation to add the delegation for the new domain controller.
b. Configure the DNS client settings.
–Or–
Perform final DNS configuration for a new domain controller that is located in a child domain:
c. Create a delegation for the new domain controller in the forest root domain.
d. Create a secondary zone.
e. Configure the DNS client settings.
15. Check the status of the shared system volume.
16. Verify DNS registration and functionality.
17. Verify domain membership for the new domain controller.
18. Verify communication with other domain controllers.
19. Verify that replication is functioning.
20. Verify the existence of the operations masters.

Moving SYSVOL Manually

If you must move the entire system volume, not just the Staging Area folder, and you have determined that moving the system volume by using the Active Directory Installation Wizard is impractical, then you can relocate the system volume manually. Because no utilities can automate this process, you must carefully ensure that you properly move all folders and maintain the same level of security at the new location. Regardless of the method used to move SYSVOL, these events occur:

- The File Replication service is stopped.
- The proper folder structure is created at the new location.
- The SYSVOL path information is updated in the directory and in the registry.
- Default security settings are set on the new folder structure.
- The File Replication service is restarted.

Important
Remember, if the system volumes on your domain controllers are becoming unsynchronized to the point that you need to relocate the system volumes, be sure to troubleshoot the FRS problems and resolve the issues that cause the system volumes to become unsynchronized before you attempt to relocate the system volumes.

Warning
This procedure can alter security settings. After you complete the procedure, the security settings on the new system volume are reset to the default settings that were established when you installed Active Directory. You must reapply any changes to the security settings on the system volume that you made since you installed Active Directory. Failure to do so can result in unauthorized access to Group Policy objects and logon and logoff scripts.

FRS is stopped while the changes are made and then restarted after the changes are completed. During the restart process, FRS reads the new configuration information in the directory and the registry and reconfigures itself to use the new location.

SYSVOL uses an extensive folder structure that must be recreated accurately at the new location. The easiest method is to copy the folder structure by using Windows Explorer. You must ensure that you copy any folders that may have special attributes, such as hidden folders. The folder structure also includes junction points. Junction points look like folders when they appear in Windows Explorer, but they are not really folders. Junction points contain links to other folders. When you open a junction in Windows Explorer, you see the contents of the folder to which the junction is linked. If you open a command prompt and display a directory listing that contains junction points, they are designated as <JUNCTION>, while regular folders are designated with <DIR>. Junction points behave like regular folders. When you are working in the file system, you have no indication whether you are working with a junction or a folder. The difference between folders and junctions appears when you copy or move a junction to a new location. Because a junction is a link to another location, when you copy a junction to a new location, the link still refers to the original location. SYSVOL contains two junction points that point to folders in the SYSVOL tree. When you move the tree to a new location, you must update the junction points to point to the new location. Otherwise, the junction points continue to point to the original SYSVOL folders.

The registry and Active Directory store path information that FRS uses to locate the SYSVOL and the Staging Area folders. You must update these settings to point to the new locations. After you create the new folders and update the paths and junctions, ensure that the folders get repopulated with the proper data. The files stored in SYSVOL are repopulated at the new location by replicating the data into the new location from one of the domain controller's replication partners. The BURFLAGS option is set in the registry, and when FRS restarts, it replicates the data into the new folders from one of the replication partners. Because this data is restored to the new location by means of replication, be certain that the system volumes on the replication partners are updated and functioning properly, to ensure that the data replicated into the new folders is up to date and has no errors.

Procedures for Moving SYSVOL Manually

Except where noted, perform these steps on the domain controller that contains the system volume that you want to move. Procedures are explained in detail in the linked topics.

1. Identify replication partners.
2. On the replication partners, check the status of the shared system volume. You do not need to perform the test on every partner, but you need to perform enough tests to be confident that the shared system volumes on the partners are healthy.
3. Verify that replication is functioning.
4. Gather the SYSVOL path information.
5. Stop the File Replication service.
6. Create the SYSVOL folder structure.
7. Set the SYSVOL path.
8. Set the Staging Area path. If you have moved the Staging Area folder to a different location already, you do not need to do this step.
9. Set the fRSRootPath.
10. Prepare a domain controller for non-authoritative SYSVOL restore.
11. Update security on the new SYSVOL.
12. Start the File Replication service.
13. Check the status of the shared system volume.
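The path and junction-point checks that steps 4 through 9 depend on, as an added PowerShell example (this is not code from the guide, which predates PowerShell). It reads the SYSVOL path from the Netlogon registry value, reads fRSRootPath and fRSStagingPath from this domain controller's FRS subscription object in the directory, enumerates the junction points under a SYSVOL root, and reports any junction whose target still points outside the new root, which is exactly what a junction copied with Windows Explorer does. The registry value name, the subscription object's name and location, and the assumption that both SYSVOL junctions sit one level below the SYSVOL root are mine, not stated in the guide; the drive letters in the usage lines are placeholders.

```powershell
# Added example, not from the guide: audit SYSVOL path information and junction
# points during a manual SYSVOL move. Assumptions (not stated in the guide):
#  - Netlogon stores the share path in the registry value "SysVol";
#  - FRS stores fRSRootPath/fRSStagingPath on the subscription object
#    "CN=Domain System Volume (SYSVOL share),CN=NTFRS Subscriptions,<this DC>";
#  - the two SYSVOL junctions sit one level below the SYSVOL root.
# Requires PowerShell 5 or later, run on the domain controller being moved.

function Get-SysvolPathInfo {
    # Path information that FRS and Netlogon use to locate SYSVOL and the Staging Area
    $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $sysvol   = (Get-ItemProperty -Path $netlogon -Name SysVol).SysVol

    # The FRS subscription object hangs off this DC's computer object
    $searcher = [ADSISearcher]"(&(objectClass=computer)(cn=$env:COMPUTERNAME))"
    $dcDn     = $searcher.FindOne().Properties['distinguishedname'][0]
    $subs     = [ADSI]"LDAP://CN=Domain System Volume (SYSVOL share),CN=NTFRS Subscriptions,$dcDn"

    [pscustomobject]@{
        RegistrySysVol = $sysvol
        FRSRootPath    = [string]$subs.fRSRootPath
        FRSStagingPath = [string]$subs.fRSStagingPath
    }
}

function Get-SysvolJunction {
    # List the junction points under a SYSVOL root with the folder each one links to.
    # Junctions are reparse points: "dir" shows them as <JUNCTION>, Explorer as folders.
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -Path $Root -Depth 1 -Directory -Force |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
        ForEach-Object {
            [pscustomobject]@{
                Junction = $_.FullName
                Target   = [string](@($_.Target)[0])   # link target exposed by PowerShell 5+
            }
        }
}

function Test-SysvolJunctionTarget {
    # Return the junctions whose target lies outside the new root. A junction
    # copied with Explorer keeps pointing at the ORIGINAL location; an empty
    # result means every junction has been repointed into the new tree.
    param(
        [Parameter(Mandatory)][object[]]$Junction,   # output of Get-SysvolJunction
        [Parameter(Mandatory)][string]$NewRoot
    )
    $prefix = $NewRoot.TrimEnd('\') + '\'
    $Junction | Where-Object {
        -not $_.Target.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)
    }
}

# Usage on the domain controller (placeholder drive letters):
# Get-SysvolPathInfo                                             # step 4: gather path information
# $j = Get-SysvolJunction -Root 'E:\SYSVOL'
# Test-SysvolJunctionTarget -Junction $j -NewRoot 'E:\SYSVOL'    # must return nothing before step 12
```

Run the junction check after creating the folder structure (step 6) and again after updating the paths, before starting FRS (step 12): any junction it lists still refers to the old SYSVOL tree and has to be recreated at the new location.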

Updating the System Volume Path

Due to system maintenance, you might need to update the system volume path. When you add or remove disk drives, the logical drive letters of the other drives on the system can change. If either your SYSVOL or Staging Area folder is located on one of the drives whose letter changes, FRS cannot locate them. You must update the paths that FRS uses to locate these folders to solve this problem. To change the path for the system volume, make changes to the registry and in the directory. Changing the Staging Area path requires a change in the directory. Both changes require that you update the junction points. After updating the path information, you must restart FRS so it can reinitialize with the new values.

Procedures for Updating the System Volume Path

Use the following procedures to update the system volume path. Procedures are explained in detail in the linked topics.

1. Gather the System Volume path information.
2. Stop the File Replication service.
3. Set the SYSVOL path (if needed).
4. Set the fRSRootPath (if needed).
5. Set the Staging Area path (if needed).
6. Start the File Replication service.

Restoring and Rebuilding SYSVOL

In some cases, you must recreate or rebuild the SYSVOL on a single domain controller. Attempt to rebuild SYSVOL on a single domain controller only when all other domain controllers in the domain have a healthy and functioning SYSVOL. Do not attempt to rebuild SYSVOL until you correct any problems that are occurring with FRS in a domain.

Procedure for Restoring and Rebuilding SYSVOL

Use these procedures only if you are working on a domain controller that does not have a functional SYSVOL. Procedures are explained in detail in the linked topics.

1. Identify replication partners.
2. Choose a partner and check the status of the SYSVOL on the partner. Because you will be copying the system volume from one of the partners, you need to make sure that the system volume you copy from the partner is up-to-date.
3. Verify that replication is functioning on the partner.
4. Restart the domain controller that is being repaired in Directory Services Restore Mode. If you are sitting at the console of the domain controller, locally restart a domain controller in directory services restore mode. If you are accessing the domain controller remotely using Terminal Services, remotely restart a domain controller in directory services restore mode.
5. Gather the SYSVOL path information.
6. Stop the File Replication service.
7. Prepare a domain controller for non-authoritative SYSVOL restore.
8. Import the SYSVOL folder structure.
9. Start the File Replication service.
10. Check the status of the shared system volume.

Managing Windows Time Service

The Windows 2000 time service, W32Time, requires little management and is installed by default on all Windows 2000-based computers. W32Time uses coordinated universal time (UTC), which is based on an atomic time scale and is independent of time zone. On computers that are joined to a domain, time synchronization occurs when the W32Time service starts during system startup. The Net Logon service looks for a domain controller that can authenticate and synchronize time with the client.

Time Configuration on the Forest-Root PDC Emulator

The time service uses a hierarchical relationship that controls authority and ensures common time usage. By default, the PDC emulator in the forest root domain is the authoritative time source for that forest.

Follow these best practices for configuring time on the forest-root PDC emulator, in this order of preference:

- Install a hardware clock that uses the Network Time Protocol (NTP) on an internal network, and synchronize the forest-root PDC emulator and the standby PDC emulator to it.
- Use IPSec to securely synchronize with another network time server.
- Monitor the forest-root PDC emulator closely to ensure that its time is accurate. Do not synchronize the forest-root PDC emulator with another computer.

If none of these options are acceptable in your organization, you can synchronize with an external reliable time source. However, this option is not recommended, as it synchronizes time in an unauthenticated manner, potentially making time packets vulnerable to an attacker.

System Time Maintenance

Do not advance or roll back the system time on Windows 2000-based servers under any circumstances, including attempts to:

- Test significant time and date transitions, such as Year 2000 testing.
- Force the deletion of tombstones (objects that have been marked for deletion in the Active Directory).
- Make objects on one computer override the objects on another computer.
- Extend the useful life of a system backup.
- Return a computer to an earlier system state, including schema rollback.
- Incorporate test environments into production, after you test time and date transitions on lab computers.
- Troubleshoot Active Directory or File Replication Service (FRS) issues by advancing the system time of a computer in an effort to make the content of one computer authoritative over another. Advancing the time can adversely affect the operation of the system, and it is not a useful method of resolving Active Directory or FRS replication problems.

How advancing system time affects FRS

Advancing the system time affects FRS in the following manner:

- Active Directory prematurely deletes tombstones for deleted objects, causing incorrect reconciliation later. When an object is deleted, it is not actually removed from the database. It is instead marked for deletion, and that mark (the tombstone) expires after 60 days by default. The tombstone is replicated to other domain controllers. When the tombstone expires, the object is then permanently deleted. If the tombstone is deleted prematurely, then updates from replication partners are inconsistent.
- Local file changes create change orders with event times reflecting the advanced clock time. These change orders are inserted into the outbound log but are not sent, because the computer with the advanced clock will not join with the partners that remain at the correct time. Later, when the time on this computer is restored to the correct time and the computer is able to join with its outbound partners, it sends the change orders with the advanced event time. The downstream partner ignores these change orders because the event time is too far into the future. The result is that the files that changed while the time was advanced are not replicated to the other members, but remain on the computer. Furthermore, the advanced event times cause the computer to reject updates to these files that originate from other replication partners.

How advancing system time affects Active Directory

Advancing the system time affects Active Directory in the following manner:

- Replication conflicts might be incorrectly resolved. Active Directory uses the time service to resolve replication conflicts. When the same attribute on the same object is changed on two different servers during a latency period, the most recent change is replicated. Thus, if you advance the time on a computer, all changes originating on that computer appear as more recent changes and are replicated despite the fact that they might not be the most recent changes.
- Name conflicts might be incorrectly resolved. Active Directory also uses the time service to resolve name conflicts. When two different objects with the same name are created on two servers, Active Directory saves the most recently created object. Advancing the time on a computer might cause Active Directory to save the wrong object simply because it reflects a more recent change.
- Restoring from a backup might fail. Backups are only good for the period of the tombstone lifetime. When you back up the system state, Active Directory generates an expiry token. The token is submitted when you restore the system state from the backup and is used to verify that the backup is not too old. Attempting to restore a backup after you advance the system clock might make the backup appear too old and cause the backup to fail. Do not restore a backup that you made from a computer with an advanced time setting.
- Link value replication is impaired. Link value replication uses a timestamp to distinguish values. Changing the system clock hinders this mechanism.
- Kerberos authentication might fail. Kerberos authentication is based on clock synchronization. Furthermore, the lifetimes of the Kerberos tickets are exceeded if the clock is moved too far ahead.

Windows Time Service Management Tasks and Procedures

Table 1.18 lists the tasks and procedures for managing Windows Time Service.

Table 1.18 Windows Time Service Management Tasks and Procedures

Task: Configure a time source for the forest.
Procedures: Configure time on the forest-root PDC emulator. Remove a time source configured on the forest-root PDC emulator.
Tools: Net time
Frequency: As needed

Task: Configure a reliable time source on a computer other than the PDC emulator.
Procedures: Configure the selected computer as a reliable time source.
Tools: Regedit.exe
Frequency: As needed

Task: Configure a client to request time from a specific time source.
Procedures: Set a manually configured time source on a selected computer. Remove a manually configured time source on a selected computer.
Tools: Net time
Frequency: As needed

Task: Optimize the polling interval.
Procedures: Change polling interval.
Tools: W32tm.exe, Regedit.exe, Active Directory Sites and Services
Frequency: As needed

Task: Disable the Windows Time Service.
Procedures: Disable time service.
Frequency: As needed

Configuring a Time Source for the Forest

After initial deployment of your network, you typically only reconfigure the time service on the PDC emulator in two situations:

- If you move the PDC emulator role to a different computer. In this case, you must configure the time source on the new role holder.
- If you change your time source. For example, if you change from synchronizing with an external source to an internal hardware device.

Procedures for Configuring Time on the Forest-Root PDC Emulator

To configure time service for the forest-root PDC emulator, you might need to remove an external time source that you used previously, or, if you transferred that operations master role, you might only need to configure the time service on the new PDC emulator. To configure time on the forest-root PDC emulator, you can use the following procedures. Procedures are explained in detail in the linked topics.

1. Configure time on the forest-root PDC emulator.
2. Remove a time source configured on the forest-root PDC emulator.

Note
Setting a computer that is already synchronizing from the domain hierarchy as a reliable time source can create loops in the synchronization tree and cause unpredictable results.

Configuring a Reliable Time Source on a Computer Other than the PDC Emulator

By default, the PDC emulator in the forest root is the authoritative time source for that forest. However, you might want to configure a different computer in your network to be authoritative for the forest, in the following situations:

- If you plan to move the PDC Operations Master role, you can configure a reliable time source on a different computer prior to the move(s) to avoid resets or disruption of the time service. The role of PDC emulator can move between computers, which means that every time the role of PDC emulator moves, the new PDC emulator must be manually configured to point to the external source, and the manual configuration must be removed from the original PDC emulator. To avoid this process, you can set one of the domain controllers in the parent domain as reliable and manually configure just that computer to point to an external source. Then, no matter which computer is the PDC emulator, the root of the time service stays the same and thus remains properly configured.
- If you have security reasons for wanting to segregate the authoritative time computer.

When domain controllers look for a time source to synchronize with, they choose a reliable source if one is available. It is important to note that the automatic discovery mechanism in the time service client never chooses a computer that is not a domain controller. Clients must be manually configured to use any server that is not a domain controller.

Procedure for Configuring a Reliable Time Source on a Computer Other than the PDC Emulator

Although the PDC emulator in the forest root domain is the authoritative time source for that forest, you can configure a reliable time source on a computer other than the PDC emulator. Configure the selected computer as a reliable time source.

Caution
The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back up system state first. For information about backing up system state, see Active Directory Backup and Restore in this guide.

Note
Manually specified time sources are not authenticated, and therefore can enable an attacker to manipulate the time source and then start Kerberos V5 replay attacks. Also, a computer that does not synchronize with its domain controller can have an unsynchronized time. This causes Kerberos V5 authentication to fail, which in turn causes other actions requiring network authentication, such as printing or file sharing, to fail. When only one computer in the forest root domain is getting time from an external source, all computers within the forest remain synchronized to each other, making replay attacks difficult.

Configuring a Client to Request Time from a Specific Time Source

Certain computers do not automatically synchronize their time through the Windows 2000 time service hierarchy, so you might want to configure these clients to request time from a specific source. If you do not specify a source, each computer's internal hardware clock governs its time. The following client computers do not automatically synchronize through the time service:

- Client computers that run Windows NT 4.0
- Client computers that run UNIX
- Computers that are not members of a domain

Procedures for Configuring a Client to Request Time from a Specific Time Source

The following procedures allow you to specify a time source for client computers that do not automatically synchronize through the time service. Procedures are explained in detail in the linked topics.

1. Set a manually configured time source on a selected computer.
2. Remove a manually configured time source on a selected computer.

Optimizing the Polling Interval

By default, the time service synchronizes once every 45 minutes until three successful synchronizations occur, then once every eight hours. You might want to change this interval in the following situations:

- If computers are polling over a paid line, you can increase the polling interval. By polling less often, you will decrease usage of the paid line.
- If you have applications or devices that require increased time accuracy, you can decrease the polling interval.
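An audit of the time service settings that the sections above describe (forest-root PDC emulator configuration, reliable time sources, manually configured sources, and the polling interval), as an added PowerShell example that is not code from the guide. It reads the Windows 2000 W32Time registry values, identifies the forest-root PDC emulator through the fSMORoleOwner attribute of the root domain, and reports the combinations the guide warns against: a reliable time source that still synchronizes from the domain hierarchy (loops), a manually configured, unauthenticated source on a computer other than the forest-root PDC emulator, and a forest-root PDC emulator with no configured source. The registry value names and the fSMORoleOwner lookup are my assumptions about the Windows 2000 layout, not statements from the guide; the sample configuration at the end is constructed so the check can be run without a domain.

```powershell
# Added example, not from the guide: audit a Windows 2000 W32Time configuration.
# Assumptions (not stated in the guide): the Windows 2000 value layout under
# HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters (Type, NtpServer,
# ReliableTimeSource, LocalNTP, Period) and that the forest-root PDC emulator is
# the server named in the fSMORoleOwner attribute of the forest root domain.

$W32TimeKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Get-W32TimeConfig {
    # Read the values that "net time /setsntp" and Regedit set in the guide's procedures.
    $p = Get-ItemProperty -Path $W32TimeKey
    @{
        Type               = [string]$p.Type               # Nt5DS = domain hierarchy, NTP = manual source
        NtpServer          = [string]$p.NtpServer          # manually configured source, if any
        ReliableTimeSource = [int]$p.ReliableTimeSource    # 1 = advertises itself as reliable
        LocalNTP           = [int]$p.LocalNTP
        Period             = [string]$p.Period             # 65535 = "SpecialSkew": 45 min x 3, then 8 h
    }
}

function Get-ForestRootPdcEmulator {
    # fSMORoleOwner of the forest root domain is the PDC emulator's NTDS Settings
    # object: CN=NTDS Settings,CN=<server>,CN=Servers,... so the second RDN is the server.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $rootNc  = [ADSI]"LDAP://$($rootDse.rootDomainNamingContext)"
    $ntds    = [string]$rootNc.fSMORoleOwner
    ($ntds -split ',')[1] -replace '^CN=', ''
}

function Test-W32TimeConfig {
    # Return one finding per risky combination; an empty result means no findings.
    param(
        [Parameter(Mandatory)][hashtable]$Config,
        [Parameter(Mandatory)][bool]$IsForestRootPdc
    )
    $findings = @()
    if ($Config.Type -eq 'Nt5DS' -and $Config.ReliableTimeSource -eq 1) {
        $findings += 'Reliable time source that also synchronizes from the domain hierarchy: synchronization loops possible.'
    }
    if (-not $IsForestRootPdc -and $Config.Type -eq 'NTP' -and $Config.NtpServer -ne '') {
        $findings += "Manually configured (unauthenticated) time source '$($Config.NtpServer)' on a computer that is not the forest-root PDC emulator."
    }
    if ($IsForestRootPdc -and $Config.Type -eq 'Nt5DS') {
        $findings += 'Forest-root PDC emulator has no configured time source: it is the root of the hierarchy and should use an internal NTP hardware clock or an IPSec-protected time server.'
    }
    $findings
}

# Usage on a domain member:
# $cfg       = Get-W32TimeConfig
# $isRootPdc = (Get-ForestRootPdcEmulator) -ieq $env:COMPUTERNAME
# Test-W32TimeConfig -Config $cfg -IsForestRootPdc $isRootPdc

# Offline check with a constructed configuration (not data from any real computer):
# a member DC marked reliable while still synchronizing from the hierarchy.
$sample = @{ Type = 'Nt5DS'; NtpServer = ''; ReliableTimeSource = 1; LocalNTP = 0; Period = '65535' }
Test-W32TimeConfig -Config $sample -IsForestRootPdc $false   # -> the loop-risk finding
```

The findings map directly onto the Note above about loops and onto the Note on unauthenticated time sources later in this section; the Period value is reported so that a polling interval changed for a paid line or for accuracy is visible in the same output.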

Procedure for Optimizing the Polling Interval

You only need to perform one procedure to change the polling interval.

Caution
The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back up system state first. For information about backing up system state, see Active Directory Backup and Restore in this guide.

Change polling interval.

Disabling the Windows Time Service

If you choose to implement another time synchronization product that uses the NTP protocol, you must disable the W32Time time service, because all NTP servers need access to UDP port 123. If W32Time is running on a Windows 2000-based computer, port 123 remains occupied.

Procedure for Disabling the Windows Time Service

You only need to perform one procedure to disable the Windows Time service. Disable time service.

Managing Long-Disconnected Domain Controllers

A disconnected domain controller is a domain controller that is not replicating. Domain controllers can become disconnected deliberately or inadvertently. Short-term disconnections are not problematic because Active Directory replication automatically updates domain controllers with all changes that they have not received. However, if a domain controller must be separated from the replication topology for several weeks, you can take preliminary steps to ensure a smooth reconnection. For example, when domain controllers must be moved long distances, or are pre-staged and possibly stored for a period of time prior to being shipped to a destination, you must prepare them to ensure that no gaps occur in operations master coverage during the disconnection and that SYSVOL is updated when you reconnect the domain controller. If you plan to disconnect a domain controller for longer than a domain controller keeps track of object deletions, you must take additional steps to ensure directory consistency, as described in "Preparing a Domain Controller for a Long Disconnection" later in this section.

By monitoring replication, you can detect disconnections that occur due to network failures, service failures, or configuration errors. For information about implementing monitoring for replication failures, see "Monitoring Active Directory" earlier in this guide.

Operations Master Considerations

If a domain controller holds an operations master role, you must transfer the role prior to disconnecting the domain controller. Normal directory functioning depends on all roles being active, so when you plan to disconnect the domain controller, you must first transfer any operations master roles. Role transfer ensures that no gaps in master operations coverage occur, which can cause directory inconsistencies. For information about transferring operations master roles, see "Managing Operations Masters" earlier in this guide.

Active Directory Replication Considerations

Ensure that the domain controller is updated before you disconnect it. Immediately prior to disconnecting the domain controller, force replication with all replication partners and verify that each directory partition replicates to the domain controller that you are disconnecting. If replication of any directory partition does not succeed, resolve the replication problem prior to disconnecting. By ensuring that replication is up-to-date, you can maximize the possible safe disconnection period, which cannot exceed the tombstone lifetime for the forest. For information about estimating the maximum safe disconnection period, see "Preparing a Domain Controller for a Long Disconnection" later in this guide.

Tombstone Lifetime and Backup Considerations

Active Directory backups are useful for recovering a domain controller for only as long as the tombstone lifetime. When an object is deleted, Active Directory replicates the object as a tombstone, which consists of a small subset of the attributes of the deleted object. The tombstone is retained in Active Directory for 60 days by default, after which it is permanently removed. Because a domain controller that is disconnected for longer than the tombstone lifetime cannot receive deletions that occurred prior to the beginning of the tombstone lifetime, a backup that is older than the tombstone lifetime cannot be used to restore Active Directory.

When conditions beyond your control cause a domain controller to be disconnected longer than the tombstone lifetime, one or more objects that have been deleted from the rest of the directory while the domain controller was offline might remain on the disconnected domain controller. The best practice recommendation for reconciling this condition of inconsistency is to reinstall Windows on the outdated domain controller and then reinstall Active Directory. Otherwise, the outdated domain controller can potentially reintroduce (reanimate) objects into Active Directory that were deleted while the domain controller was disconnected. For information about how objects become reanimated in Active Directory, see "Reconnecting Long-Disconnected Domain Controllers" later in this guide. If planned domain controller disconnections are consistently lasting longer than 60 days, alert the design team and consider extending the tombstone lifetime for the forest.

SYSVOL Consistency Considerations

SYSVOL is a file system folder that stores files that must be available and synchronized among all domain controllers. SYSVOL contains the NETLOGON share, Group Policy settings, and File Replication service (FRS) staging directories and files. SYSVOL is required for Active Directory to function properly. SYSVOL is replicated by the File Replication service (FRS). FRS has a fixed tombstone lifetime of 60 days. Because you cannot change this interval, any domain controller that is disconnected for more than 60 days potentially has an outdated SYSVOL. Updating SYSVOL requires performing a non-authoritative restore of SYSVOL.

In addition, SYSVOL replication cannot be synchronized manually. For this reason, ensuring that SYSVOL is updated prior to disconnecting the domain controller is more difficult than simply updating SYSVOL when the domain controller is reconnected. Regardless of the length of the disconnection, to ensure that SYSVOL is synchronized when the domain controller is reconnected, prepare the domain controller to perform a non-authoritative restore of SYSVOL prior to disconnecting it. When it restarts, non-authoritative restore of SYSVOL occurs automatically. For information about performing non-authoritative restore of SYSVOL, see "Restoring and Rebuilding SYSVOL" earlier in this guide.

Windows 2000 Server with SP3

Windows 2000 Server with Service Pack 3 (SP3) provides the ability to force strict replication consistency, which prevents outdated domain controllers from reintroducing objects that no longer exist in Active Directory. When deploying new domain controllers that are running Windows 2000 Server SP3, modify the registry to enforce strict replication consistency. For information about strict replication consistency, see "Removing Lingering Objects from an Outdated Writable Domain Controller" in this guide. For information about installing domain controllers, see "Installing and Removing Active Directory" earlier in this guide.

Best Practice Recommendations for Managing Long Disconnections

If you must disconnect a domain controller for a period of several weeks or months, follow these recommendations:

- Prior to disconnecting, determine the maximum length of time that the domain controller will be disconnected and subtract a generous estimate of the end-to-end replication latency. This amount of time is the maximum period for which the domain controller can safely be disconnected.
- Prior to disconnecting, determine the value of the tombstone lifetime for the forest. If you estimate the maximum safe time of disconnection to be longer than the tombstone lifetime, contact a supervisor. The design team must determine whether to extend the tombstone lifetime or rebuild the domain controller prior to reconnecting it.
- Prior to disconnecting, prepare the registry for automatic non-authoritative restore of SYSVOL when the domain controller restarts.
- Immediately prior to disconnecting, ensure that the domain controller replicates successfully with all replication partners.
- When you disconnect the domain controller, attach a label to the computer that identifies the date and time of disconnection.
- When reconnecting the domain controller, if the site contains no other domain controller that is authoritative for the domain, time the restart of the domain controller to coincide with the beginning of intersite replication to restore SYSVOL as quickly as possible. If the site has one or more other domain controllers that are authoritative for the domain, start the domain controller at any time.
- If a domain controller has been disconnected for longer than the maximum safe time of disconnection (tombstone lifetime less end-to-end replication latency), do not allow the domain controller to replicate. Reinstall Windows 2000 Server. This recommendation applies to all such domain controllers, regardless of the version of Windows 2000 Server they are running (SP3, SP2, or earlier).
- If you deploy Windows 2000 Server SP3, modify the registry to enforce strict replication behavior at the time the domain controller is installed.
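The maximum-safe-disconnection calculation and the SYSVOL restore preparation from the recommendations above, as an added PowerShell example that is not code from the guide. It reads the forest's tombstone lifetime from the Directory Service object (treating an absent value as the 60-day default), computes the safe period as tombstone lifetime less a latency estimate, compares that against the date and time on the label attached to the computer, and sets the FRS BurFlags value so that a non-authoritative SYSVOL restore happens at the next restart. The location of the tombstoneLifetime attribute, the BurFlags registry key and its non-authoritative value, and the three-day latency default are my assumptions, not statements from the guide; the dates in the offline check are constructed.

```powershell
# Added example, not from the guide: maximum safe disconnection period and the
# registry preparation for an automatic non-authoritative SYSVOL restore.
# Assumptions (not stated in the guide):
#  - tombstoneLifetime is read from CN=Directory Service,CN=Windows NT,CN=Services
#    in the Configuration container, and is absent when the forest uses the default;
#  - "prepare for non-authoritative SYSVOL restore" means BurFlags = 0xD2 under
#    HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup.

function Get-TombstoneLifetimeDays {
    $cfgNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $ds    = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc"
    $tsl   = [string]$ds.tombstoneLifetime
    if ($tsl -eq '') { 60 } else { [int]$tsl }      # unset attribute = 60-day default
}

function Get-MaxSafeDisconnection {
    # Maximum safe period = tombstone lifetime less a generous estimate of the
    # end-to-end replication latency (the guide's definition).
    param(
        [Parameter(Mandatory)][int]$TombstoneLifetimeDays,
        [Parameter(Mandatory)][timespan]$ReplicationLatency
    )
    (New-TimeSpan -Days $TombstoneLifetimeDays) - $ReplicationLatency
}

function Test-DisconnectionPlan {
    # Decide whether a planned or elapsed disconnection is within the safe period.
    # Safe = $false means "do not let it replicate; contact a supervisor".
    param(
        [Parameter(Mandatory)][datetime]$DisconnectedAt,   # from the label on the computer
        [Parameter(Mandatory)][datetime]$ReconnectAt,
        [Parameter(Mandatory)][int]$TombstoneLifetimeDays,
        [timespan]$ReplicationLatency = (New-TimeSpan -Days 3)   # assumed estimate; adjust for your topology
    )
    $maxSafe = Get-MaxSafeDisconnection -TombstoneLifetimeDays $TombstoneLifetimeDays -ReplicationLatency $ReplicationLatency
    $elapsed = $ReconnectAt - $DisconnectedAt
    $safe    = $elapsed -le $maxSafe
    $action  = if ($safe) { 'Reconnect, then verify replication' }
               else       { 'Do not let it replicate; reinstall Windows and Active Directory' }
    [pscustomobject]@{
        DisconnectedDays = [math]::Round($elapsed.TotalDays, 1)
        MaxSafeDays      = [math]::Round($maxSafe.TotalDays, 1)
        Safe             = $safe
        Action           = $action
    }
}

function Set-SysvolNonAuthoritativeRestore {
    # Set BurFlags so that FRS restores SYSVOL from a replication partner the next
    # time it starts (0xD2 = non-authoritative). The key name contains a "/", which
    # the PowerShell registry provider treats as a separator, so .NET is used directly.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $sub = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    if ($PSCmdlet.ShouldProcess("HKLM\$sub", 'Set BurFlags = 0xD2')) {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($sub, $true)
        $key.SetValue('BurFlags', 0xD2, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
    }
}

# Offline check with constructed dates (not real data): a DC labelled as disconnected
# on 1 March and reconnected on 20 May, in a forest with the 60-day default.
Test-DisconnectionPlan -DisconnectedAt '2024-03-01' -ReconnectAt '2024-05-20' -TombstoneLifetimeDays 60
# -> DisconnectedDays 80, MaxSafeDays 57, Safe False

# On the domain controller, before disconnecting it:
# $tsl = Get-TombstoneLifetimeDays
# Set-SysvolNonAuthoritativeRestore -WhatIf     # remove -WhatIf to apply
```

Run Test-DisconnectionPlan once before disconnecting, with the planned reconnection date, and again on the day the computer comes back, with the date from its label; the second run is the check that decides between reconnecting and rebuilding.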

Tasks and Procedures for Managing Long-Disconnected Domain Controllers

Table 1.19 shows the tasks and procedures for managing long-disconnected domain controllers, including tasks that address removing lingering objects.

Managing Domain Controllers

113

Table 1.19 Tasks and Procedures for Managing Long-Disconnected Domain Controllers

Task: Prepare a domain controller for long disconnection.
Procedures:
- Determine the anticipated length of the disconnection.
- Determine the tombstone lifetime for the forest.
- Determine the maximum safe disconnection time and proceed as follows: If the estimated time of disconnection exceeds the maximum safe disconnection time, do not proceed with the disconnection. Contact a supervisor. If the estimated time of disconnection does not exceed the maximum safe disconnection time, proceed with disconnection.
- View the current operations master role holders.
- Transfer domain-level operations master roles, if appropriate.
- Transfer forest-level operations master roles, if appropriate.
- Prepare the domain controller for non-authoritative SYSVOL restore.
- Synchronize replication from all inbound (source) replication partners.
- Verify successful replication to the domain controller.
- Label the domain controller with the date and time of disconnection and the maximum safe disconnection period.
Tools: ADSI Edit, Active Directory Sites and Services, Repadmin.exe, Regedit.exe, Active Directory Domains and Trusts, Active Directory Users and Computers
Frequency: As needed

Task: Reconnect a long-disconnected domain controller.
Procedures:
- Determine the tombstone lifetime for the forest.
- Determine whether the maximum safe disconnection time has been exceeded, and proceed accordingly. If the maximum safe time has been exceeded, do not connect the domain controller. Contact a supervisor about reinstalling the domain controller. If the maximum safe time has not been exceeded, proceed with reconnecting.
- If the site has one or more other domain controllers that are authoritative for the domain, start the domain controller at any time.
- If domain updates are available only from a different site: Determine when intersite replication is scheduled to begin. As soon as possible after the next replication cycle begins, start the domain controller.
- Verify successful replication on the reconnected domain controller.
Tools: ADSI Edit, Active Directory Sites and Services, Repadmin.exe
Frequency: As needed

Task: Remove lingering objects from an outdated writable domain controller.
Procedures:
- Windows 2000 Server with SP2: Identify a revived lingering object and replication source on a writable domain controller. Disable outbound replication on the outdated source domain controller. Delete the object from the outdated source domain controller.
- Windows 2000 Server with SP3: Identify and delete a known non-replicated lingering object on an outdated domain controller.
- Windows 2000 Server with SP2 or SP3, continue as follows: Identify unknown lingering objects on an outdated domain controller. View replication metadata of the objects. Delete objects created prior to domain controller disconnection. Restart disabled outbound replication (SP2 only). Synchronize replication from the outdated domain controller to a replication partner.
Tools: Event Viewer, Active Directory Sites and Services, Repadmin.exe, Dsastat.exe, Active Directory Users and Computers
Frequency: As needed

Task: Remove lingering objects from a global catalog server.
Procedures:
- Windows 2000 Server with SP2: Contact Microsoft Product Support Services.
- Windows 2000 Server with SP3: Establish the distinguished name and Globally Unique Identifier (GUID) of the object. Identify the GUID of a domain controller that has a writable replica of the domain. Delete the lingering object from the global catalog server.
Tools: Ldp.exe
Frequency: As needed

Preparing a Domain Controller for a Long Disconnection

When you need to take a domain controller offline for a prolonged period, prepare the domain controller by doing the following:
- Establish the maximum safe disconnection period. Determine the tombstone lifetime interval and subtract a generous estimate of the end-to-end replication latency to establish the maximum safe period of disconnection. Otherwise, even when the domain controller is reconnected prior to the end of the tombstone lifetime, a tombstone can potentially expire before reaching the reconnected domain controller.
- Verify replication success on the domain controller prior to disconnecting it. If replication is not successful, troubleshoot and fix the problem prior to disconnecting the domain controller.
- Modify the registry to prepare the domain controller to perform a non-authoritative restore of SYSVOL when it restarts. SYSVOL inconsistencies are not easily verifiable prior to disconnecting. Therefore, by setting the registry to restore SYSVOL when the domain controller restarts, you can ensure that SYSVOL reinitializes its membership in the replica set and updates its content at the earliest opportunity after reconnecting the domain controller. When modifying the registry to restore SYSVOL, consider the following: If SYSVOL is the only replica set that is represented on the domain controller, modify the global BurFlags registry entry. If other replica sets are represented on the domain controller and you want to update only SYSVOL, modify the replica-set-specific BurFlags registry entry for SYSVOL.

For information about restoring SYSVOL, see “Restoring and Rebuilding SYSVOL” earlier in this guide.


- Determine whether the domain controller holds an operations master role. If the domain controller is an operations master, transfer the role prior to disconnecting. For information about transferring operations master roles, see “Managing Operations Masters” earlier in this guide.

- If the length of the disconnection is predicted to be longer than the current tombstone lifetime, consult the design team about extending the tombstone lifetime.

Procedures for Preparing a Domain Controller for Long Disconnection

Perform the following procedures prior to disconnecting a domain controller. Procedures are explained in detail in the linked topics.
1. Determine the anticipated length of the disconnection.
2. Determine the tombstone lifetime for the forest.
3. Determine the maximum safe disconnection period by subtracting a generous estimate of the end-to-end replication latency from the tombstone lifetime. Either find the latency estimate in the design documentation for your deployment, or request the information from a member of the design or deployment team. If the anticipated time of disconnection exceeds the maximum safe disconnection period, do not disconnect the domain controller. Contact a supervisor. If the estimated time of disconnection does not exceed the maximum safe disconnection time, proceed with disconnection.
4. View the current operations master role holders to determine whether the domain controller is an operations master role holder.
5. Transfer a domain-level operations master role, if appropriate.
6. Transfer a forest-level operations master role, if appropriate.
7. Prepare the domain controller for non-authoritative SYSVOL restore on the domain controller that you are disconnecting. This process ensures an up-to-date SYSVOL when the domain controller is restarted.
8. Synchronize replication from all inbound (source) replication partners. Each connection object below the NTDS Settings object for the server you are disconnecting represents an inbound replication partner.
9. Verify successful replication to the domain controller that you are disconnecting.
10. Label the domain controller with the date and time of disconnection and the maximum safe disconnection period.


Caution
The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back up system state first. For information about backing up system state, see “Active Directory Backup and Restore” in this guide.

Reconnecting Long-Disconnected Domain Controllers

Assuming that the domain controller has not been disconnected for longer than the maximum safe period of disconnection (tombstone lifetime minus end-to-end replication latency), reconnecting it to the replication topology requires no special procedures. By default, the Knowledge Consistency Checker (KCC) on a domain controller runs 5 minutes after the domain controller starts, automatically incorporating the reconnected domain controller into the replication topology. If you plan appropriately for disconnecting and reconnecting domain controllers, no domain controller will be disconnected from the replication topology for longer than a tombstone lifetime. However, if unexpected events result in a domain controller becoming outdated, do not reconnect the domain controller. Do not attempt to remove Active Directory because this process requires replication. To ensure directory consistency, reinstall Windows 2000 Server on the outdated domain controller. For information about how to reinstall a domain controller that has not replicated for longer than a tombstone lifetime, see “Recovering a Domain Controller Through Reinstallation.” By monitoring replication, you avoid unexpected lengthy disconnections of domain controllers. For information about monitoring replication, see “Monitoring Active Directory” in this guide.

Long Disconnections and Tombstone Lifetime

If a domain controller remains disconnected for longer than a tombstone lifetime, an object that has been deleted from the directory can remain on the disconnected domain controller. For this reason, such objects are called “lingering objects.” Lingering objects can occur in the following circumstances:
- A domain controller goes offline immediately prior to the deletion of an object on another domain controller and remains offline for: A period that exceeds the tombstone lifetime. A period that is less than the tombstone lifetime, but replication latency exceeds the remaining duration of the tombstone lifetime.
- A domain controller goes offline following the deletion of an object on another domain controller but prior to receiving replication of the tombstone, and remains offline for a period that exceeds the tombstone lifetime.
- A domain controller goes offline, an object is deleted on that domain controller, and the object tombstone is removed by garbage collection on that domain controller prior to the domain controller being reconnected to replication.


In the latter case, an object exists on all domain controllers in the domain (for a domain-specific object) or forest (for a configuration or schema object) except the reconnected domain controller. In this case, the remedy is simply to delete the object on any writable domain controller. However, in the first two cases, if the domain controller is then reconnected to the replication topology, objects that exist nowhere else in the forest remain on the domain controller and potentially can be reintroduced into the directory. If lingering objects are security principals, reintroducing them can have serious consequences. For more information about how lingering objects are reintroduced into the directory and how to remove them, see “Removing Lingering Objects from an Outdated Writable Domain Controller.”

Best Practice Recommendations for Avoiding Lingering Objects

Take the following precautions to ensure that lingering objects do not occur:
- Monitor the KCC topology and replication to ensure that long disconnections are detected. For information about monitoring the KCC and replication, see “Monitoring Active Directory” earlier in this guide.
- Ensure that the tombstone lifetime is not lowered below the default of 60 days.
- If you know that a domain controller will be offline for longer than the tombstone lifetime, consult the design team about increasing the tombstone lifetime to a period that safely encompasses the offline duration plus a generous period of replication latency.
- Install Windows 2000 Server SP3 as soon as possible and enable strict replication consistency to ensure that lingering objects cannot replicate.

Long Disconnections and SYSVOL

If the tombstone lifetime has been extended to longer than 60 days, SYSVOL will be outdated when you reconnect the domain controller. The recommended practice is to prepare a domain controller for a long disconnection by modifying the registry so that SYSVOL is restored automatically when the domain controller is restarted. To update SYSVOL as soon as possible after reconnecting, plan the time that you restart the domain controller to optimize the replication schedule, as follows:
- If the closest replication partner for the domain is in a different site, view site link properties to determine the schedule and then restart the domain controller as soon as possible after the schedule opens.
- If a replication partner for the domain is available within the site, verify replication success on that partner prior to restarting the domain controller.

1"%

Chapter Number 1

Managing Active Directory

Important
Do not use file copy utilities such as Xcopy or robocopy to update an outdated SYSVOL.

In the event that a domain controller has been disconnected for a tombstone lifetime or longer but has already replicated, follow the instructions for detecting and removing lingering objects in “Removing Lingering Objects from an Outdated Writable Domain Controller.”

Procedures for Reconnecting a Long-Disconnected Domain Controller

Follow these procedures to reconnect the domain controller. Procedures are explained in detail in the linked topics.
1. Determine the tombstone lifetime for the forest.
2. Determine whether the maximum safe disconnection time has been exceeded, and proceed accordingly:
   a. If the domain controller has been disconnected for a period that exceeds the maximum safe disconnection period, do not reconnect the domain controller. Contact a supervisor about reinstalling the domain controller.
   b. If the maximum safe time has not been exceeded, proceed with reconnecting.
3. If the site in which you are reconnecting the domain controller has one or more other domain controllers that are authoritative for the domain, start the domain controller at any time.
4. If the site in which you are reconnecting the domain controller has no other domain controllers that are authoritative for the domain, proceed as follows:
   a. Determine when the next intersite replication cycle is scheduled to begin by viewing the replication properties on the site link that connects this site to the next closest site that includes domain controllers for this domain.
   b. As soon as possible after the next replication cycle begins, start the domain controller.
5. After replication is complete, verify successful replication to the domain controller (the reconnected domain controller) of the domain, configuration, and schema directory partitions. If the domain controller is a global catalog server, check for successful replication of all domain directory partitions.
In the event that a domain controller has been disconnected for a tombstone lifetime or longer but has already replicated, follow the instructions for detecting and removing lingering objects in “Removing Lingering Objects from an Outdated Writable Domain Controller.”
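The following Python is an added example, not part of the guide, that models the decisions the preparation procedure (steps 1 through 3) and the reconnection procedure (steps 2 through 4) ask the operator to make: the maximum safe disconnection window, the proceed-or-escalate check before disconnecting, the reconnect-or-reinstall check against the label on the machine, and the earliest sensible restart time. It assumes the 60-day default tombstone lifetime the guide names and a constructed 7-day latency estimate; the site link schedule format is this example's own, not the schedule attribute stored on a site link object.

```python
from datetime import datetime, timedelta, time

# Inputs (constructed for this example). 60 days is the default tombstone
# lifetime named in the guide; the latency estimate is something you take from
# your own design documentation, here simply assumed to be 7 days.
TOMBSTONE_LIFETIME_DAYS = 60
REPLICATION_LATENCY_DAYS = 7


def max_safe_disconnection(tombstone_days=TOMBSTONE_LIFETIME_DAYS,
                           latency_days=REPLICATION_LATENCY_DAYS):
    """Tombstone lifetime minus a generous end-to-end replication latency.

    Reconnecting inside the bare tombstone lifetime is not enough: a tombstone
    created just before the disconnection can expire before it reaches the
    reconnected domain controller, which is why the latency is subtracted.
    """
    if latency_days >= tombstone_days:
        raise ValueError("latency estimate leaves no safe disconnection window")
    return timedelta(days=tombstone_days - latency_days)


def plan_disconnection(anticipated_days, **limits):
    """Preparation step 3: proceed only if the planned outage fits the window,
    otherwise escalate to a supervisor and the design team."""
    fits = timedelta(days=anticipated_days) <= max_safe_disconnection(**limits)
    return "proceed" if fits else "escalate"


def reconnect_decision(label_time_iso, now_iso, **limits):
    """Reconnection step 2: compare the disconnection time written on the
    machine's label with the safe window. Past it, the machine is reinstalled
    rather than allowed to replicate."""
    elapsed = datetime.fromisoformat(now_iso) - datetime.fromisoformat(label_time_iso)
    return "reinstall" if elapsed > max_safe_disconnection(**limits) else "reconnect"


def restart_time(now_iso, in_site_partner, schedule):
    """Reconnection steps 3 and 4: with an authoritative partner for the domain
    in the site, start at any time; otherwise start as soon as possible after
    the intersite schedule opens so SYSVOL and the directory catch up.

    `schedule` is a constructed list of (weekday, start_hour, end_hour) windows
    during which the site link is available (Monday is 0).
    """
    now = datetime.fromisoformat(now_iso)
    if in_site_partner:
        return now
    candidates = []
    for day_offset in range(8):          # look at most one week ahead
        day = (now + timedelta(days=day_offset)).date()
        for weekday, start_hour, end_hour in schedule:
            if day.weekday() != weekday:
                continue
            start = datetime.combine(day, time(hour=start_hour))
            end = start + timedelta(hours=end_hour - start_hour)
            if start <= now < end:       # the schedule is open right now
                return now
            if start > now:
                candidates.append(start)
    if not candidates:
        raise ValueError("the site link schedule never opens")
    return min(candidates)
```

The label the guide has you attach at disconnection time is the only input `reconnect_decision` needs, which is why recording the date and time on the machine matters more than it first appears.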


Removing Lingering Objects from an Outdated Writable Domain Controller

If a domain controller does not replicate for a period that is longer than the tombstone lifetime and the domain controller is then reintroduced into the replication topology, objects that have been deleted from Active Directory while the domain controller was offline can remain on the domain controller as lingering objects.

Causes for Lingering Objects

Lingering objects can occur whenever a domain controller does not replicate for a period that exceeds the tombstone lifetime. Unexpectedly long disconnections can be caused by the following conditions:
- A domain controller is left in a storage room and forgotten, or shipment of the pre-staged domain controller to its remote location takes longer than a tombstone lifetime.
- Replication fails and monitoring is not in place. For example, if a bridgehead server is overloaded, replication can become backlogged indefinitely.
- WAN connections are unavailable for long periods. For example, a domain controller on board a cruise ship might be unable to replicate because the ship is at sea for longer than the tombstone lifetime.
- Garbage collection tampering. For example: Someone changes the time on a domain controller to force garbage collection. Someone changes the tombstone lifetime to force garbage collection.

Indications that a Domain Controller has Lingering Objects

An outdated domain controller can store lingering objects with no noticeable effect as long as no one updates the lingering object or tries to create an object with the same name in the domain or the same user principal name in the forest. However, the existence of lingering objects can cause problems, especially if the object is a security principal. The following conditions indicate that a domain controller has lingering objects:
- A deleted user or group account does not disappear from the Global Address List on Exchange servers. Therefore, although the account name appears in the list, attempts to send mail result in errors.
- E-mail messages are not delivered to a user whose user object was moved between domains. After an outdated domain controller or global catalog server becomes reconnected, both instances of the user object appear in the global catalog. Both objects have the same e-mail address, so e-mail messages cannot be delivered.
- A universal group that no longer exists still appears in a user's access token. Although the group no longer exists, if a user account still has the group in its security token, the user might have access to a resource that you intended to be unavailable to that user.

1""

Chapter Number 1

Managing Active Directory

- A new object or Exchange mailbox cannot be created when the samAccountName attribute value of the new object is the same as a lingering object. An error reports that the object already exists.
- Replication succeeds with a “no such object” error (event ID 1388) when “loose replication consistency” is in effect. This error indicates that the source domain controller revived a lingering object in the directory.
- Replication fails with a “no such object” error (event ID 1084) when “strict replication consistency” is in effect. This error indicates that the source domain controller tried to replicate a lingering object.

Replication of Lingering Objects

If a user updates a lingering object on the outdated domain controller, the destination domain controller that receives the request for the update cannot update the object because the object does not exist. The destination domain controller logs an NTDS Replication error in the Directory Service log in Event Viewer. The error that is reported depends on the type of replication consistency that is in effect on the domain controller. The replication response differs on domain controllers that use loose replication consistency and domain controllers that use strict replication consistency.

On domain controllers that use loose replication consistency (the default behavior with Windows 2000 Server SP2), the destination domain controller requests a full copy of the object from the replication source. If the object is being modified, the destination requests the full object and the object is revived in the directory. If the object is being deleted, the destination replicates the tombstone. In either case, the NTDS Replication event ID 1388 is logged in the Directory Service log by the destination. The error reports that the object being updated does not exist and the domain controller does not have enough information to create it, and so it will request a complete copy. This error alerts you to the fact that you have at least one lingering object and gives you the information that you need in order to locate that object and delete it if it has been revived. Deleting the revived object on a writable domain controller removes it from the directory.

Domain controllers on which strict replication consistency is enabled (configurable behavior with Windows 2000 Server SP3) refuse replication from the outdated replication source. This action stops replication from the outdated source and logs NTDS Replication event ID 1084 in the Directory Service log. The error reports that the object cannot be updated and replication will not be accepted from the source until the issue is resolved. The information in the error includes the name, GUID, and source of the lingering object so that you can delete the object and determine whether additional lingering objects exist on the source. For this error to be logged, however, you must have modified the registry to implement strict replication consistency.

In both cases, you can delete the identified lingering object and then take steps to identify and remove all additional lingering objects from the outdated domain controller.
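As an added example (not from the guide), the Python below triages a handful of constructed Directory Service log entries of the two kinds described above and walks the replication chain back to the outdated source, which is the search the guide describes for event ID 1388: each destination that revived the object names the partner it pulled the update from, so you move to that partner and look again until you reach a domain controller that logged no error. The record fields, the DSA GUIDs and the GUID-to-server map are this example's own and are not the verbatim Windows event text.

```python
# Constructed sample of Directory Service log entries. The field names are this
# example's own; they model what the guide says the events carry (the object's
# DN and the GUID of the source DSA), not the verbatim Windows event text.
SAMPLE_EVENTS = [
    # Loose consistency (SP2): each destination revived the object, logged 1388
    # and named the partner it pulled the update from.
    {"logged_on": "DC-HQ1", "event_id": 1388,
     "object_dn": "CN=Bob,OU=Sales,DC=corp,DC=example",
     "source_guid": "00000000-0000-4000-8000-000000000002"},
    {"logged_on": "DC-HQ2", "event_id": 1388,
     "object_dn": "CN=Bob,OU=Sales,DC=corp,DC=example",
     "source_guid": "00000000-0000-4000-8000-000000000003"},
    # Strict consistency (SP3): the destination refused the update, logged 1084
    # and named the outdated source directly.
    {"logged_on": "DC-HQ1", "event_id": 1084,
     "object_dn": "CN=Old Admins,OU=Groups,DC=corp,DC=example",
     "source_guid": "00000000-0000-4000-8000-000000000003"},
]

# Constructed DSA GUID -> server name map. In practice the GUID is resolved to a
# server, for example from the NTDS Settings objects in the Configuration partition.
DSA_GUIDS = {
    "00000000-0000-4000-8000-000000000001": "DC-HQ1",
    "00000000-0000-4000-8000-000000000002": "DC-HQ2",
    "00000000-0000-4000-8000-000000000003": "DC-BRANCH",
}

LINGERING_EVENT_IDS = {1388, 1084}


def lingering_events(events, object_dn=None):
    """Filter to the two events the guide associates with lingering objects."""
    return [e for e in events
            if e["event_id"] in LINGERING_EVENT_IDS
            and (object_dn is None or e["object_dn"] == object_dn)]


def find_outdated_source(events, guid_map, object_dn, reporting_dc):
    """Walk the replication chain backwards from the DC that logged the error.

    Each 1388/1084 event names the partner the update came from. Move to that
    partner and look again; the first DC in the chain with no such event for
    the object is the outdated source that still holds the lingering object.
    Returns (outdated_dc, chain_walked).
    """
    chain = [reporting_dc]
    while True:
        here = chain[-1]
        event = next((e for e in lingering_events(events, object_dn)
                      if e["logged_on"] == here), None)
        if event is None:
            return here, chain
        source = guid_map.get(event["source_guid"])
        if source is None:
            raise LookupError(f"unknown DSA GUID {event['source_guid']}")
        if source in chain:   # malformed data would otherwise loop forever
            raise RuntimeError("replication chain loops: " + " -> ".join(chain + [source]))
        chain.append(source)


def triage(events):
    """Split reported objects by what has already happened to them.

    revived: 1388 was logged, so the object is back in the directory and must
             be deleted on a writable DC (after outbound replication from the
             outdated source has been disabled).
    refused: 1084 was logged, so strict consistency blocked the object; it
             exists only on the source and is deleted there.
    """
    revived = sorted({e["object_dn"] for e in events if e["event_id"] == 1388})
    refused = sorted({e["object_dn"] for e in events if e["event_id"] == 1084})
    return {"revived": revived, "refused": refused}
```

With strict consistency the chain is one hop long, because the destination never accepted the object; with loose consistency it can be as long as the replication path the revived object travelled, which is why the guide has you repeat the lookup on each source in turn.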

Sequence for Removing Lingering Objects

The process for removing lingering objects from an outdated writable domain controller involves several procedures that must be performed in sequence. After an error indicates the existence of a lingering object, use the following general sequence to remove the lingering object and determine whether there are other lingering objects on the source domain controller:


- Identify the domain controller that replicated the update to a lingering object. Use the information in event ID 1388 (Windows 2000 Server with SP2) or event ID 1084 (Windows 2000 Server with SP3) to identify the source domain controller.
- Disable outbound replication on the source domain controller.
- Delete the lingering object from the source domain controller.
- Compare the database contents of the outdated source domain controller and an up-to-date replication partner to determine whether the outdated source domain controller contains objects that do not exist on its replication partner.
- Identify the distinguished names of the objects that exist on the outdated domain controller but not on the replication partner.
- Examine metadata of the object to determine when it was created.
- Delete the objects that were created prior to disconnecting the domain controller.
- Restart outbound replication on the source domain controller.

Deletions of the lingering objects replicate to the other domain controllers. Any domain controller that is running Windows 2000 Server with SP2, and that does not have the object, logs event ID 1388. In this case, the missing object is revived as a tombstone, and replicates as such. The errors on domain controllers that do not have the object can be ignored; they will cease after the second replication cycle. If you have domain controllers that are running Windows 2000 Server with SP3, you can set the registry to enforce strict replication consistency, which ensures that lingering objects do not replicate. For this reason, attempted replication of the deletions will not be accepted. You must delete lingering objects from only the outdated domain controller. For information about setting strict replication consistency for domain controllers that are running Windows 2000 Server with SP3, see “Managing Active Directory Installation and Removal” in this guide.

Procedures for Removing Lingering Objects from an Outdated Writable Domain Controller

Use the following process to identify and remove lingering objects after you have discovered an outdated domain controller. The initial step in the process varies according to the version of Windows 2000 Server that you are using. Procedures are explained in detail in the linked topics.
1. Identify and delete the initial occurrence of a lingering object, as follows:
For Windows 2000 Server with SP2:
   a. Identify a revived lingering object and its replication source on a writable domain controller. Event ID 1388 provides the distinguished name of an object that has been updated on an outdated domain controller. The message also provides the GUID of the domain controller from which the update was replicated. Use the GUID to discover the name of the source domain controller. Repeat this process on each source domain controller until you identify a source domain controller that does not have the error. This domain controller is the outdated source domain controller.
   b. Disable outbound replication on the outdated source domain controller.

1")

Chapter Number 1

Managing Active Directory

Note
The results of this procedure identify only objects where the numbers of objects did not agree between domain controllers. If numbers match but an object of a class was added on one domain controller and a different object of the same class was deleted on the other, and these changes did not replicate, this test cannot identify these inconsistent objects.

   c. Delete the object from the outdated source domain controller.
For Windows 2000 Server with SP3: Identify and delete a known non-replicated lingering object on an outdated domain controller, as identified in event ID 1084. The object and source domain controller are named in the error message.

2. Identify unknown lingering objects on an outdated domain controller. This procedure requires the following series of subprocedures to be performed sequentially:
   a. Compare the directory databases of the outdated domain controller and the domain controller that received the initial replication error.
   b. Identify the distinguished names of the objects that exist on the outdated domain controller but not on the partner domain controller.
3. On the outdated domain controller, view the replication metadata of objects that you identified in the previous procedure to determine whether they were created prior to the time the domain controller was disconnected or were created during the time that the domain controller was offline. If the newest date in the Org.Time/Date column is older than the date on which the domain controller was disconnected, the object is a lingering object.
4. On the outdated domain controller, delete the objects that were created prior to the date and time that the domain controller was disconnected.
5. Restart disabled outbound replication on the outdated domain controller (SP2 only).
6. Synchronize replication from the outdated domain controller to the partner domain controller to replicate the deletions. Use the connection object on the replication partner that shows the name of the outdated domain controller in the From Server column. This procedure results in error messages on domain controllers that do not have the objects, but these messages can be ignored and will cease by the second replication cycle.

Removing Lingering Objects from a Global Catalog Server

If you delete a lingering object on a writable domain controller, the object deletion replicates to all writable domain controllers in the domain as well as to all global catalog servers. However, if a global catalog server becomes outdated, lingering objects can potentially exist in a read-only replica on the global catalog server and nowhere else, in which case you cannot delete the object by the normal method. The recommended solution to this problem depends on the version of Windows 2000 Server that is running on the outdated global catalog server:
- Windows 2000 Server with SP2: Contact Microsoft Product Support Services.
- Windows 2000 Server with SP3: Use Ldp.exe to identify and delete the object from all global catalog servers that retain the object.

Causes for Lingering Objects on Global Catalog Servers

Excessively high replication load on a global catalog server, in combination with a short intersite replication interval, can result in updates not being replicated. Global catalog servers replicate read-only replicas of all domain directory partitions in the forest. The replication of read-only replicas has a lower priority than the replication of writable replicas. In addition, global catalog servers are often bridgehead servers, which adds to the replication load. If the replication load on global catalog servers acting as bridgehead servers is too high due to an extremely short replication interval, excessive numbers of concurrent outbound replication partners, or a combination of both, the replication queue can become backlogged. If the condition persists, read-only replicas can remain in the queue indefinitely. These conditions can result in lingering objects on a global catalog server. If replication of a read-only replica is stalled or the domain controller is disconnected for longer than a tombstone lifetime, the deletion of an object from the corresponding writable directory partition can potentially expire without ever reaching the global catalog server. In this case, the only location of this object is in the read-only replica on the global catalog server. As with writable domain controllers, a global catalog server that is not monitored for replication can potentially become outdated. When appropriate monitoring is in place and sensible intersite replication schedules are configured, global catalog servers are not susceptible to becoming outdated. For information about monitoring replication, see “Monitoring Active Directory” in this document. For information about scheduling replication, see “Managing Sites” in this document.

Indications that Lingering Objects Exist on a Global Catalog Server

The following events indicate that a lingering object exists on a global catalog server:
- A deleted user or group account does not disappear from the Global Address List on Exchange servers.
- E-mail messages are not deliverable to a user whose Active Directory account appears to be current.
- A new user account or Exchange mailbox cannot be created because the object already exists, but you do not see the object in Active Directory.
- Searches that use attributes of an existing object find an object of the same name that has been deleted from the domain but remains in an isolated global catalog server.

1"3

Chapter Number 1

Managing Active Directory

Sequence for Removing Lingering Objects from a Global Catalog Server

To remove a lingering object from a global catalog server, you need an attribute value to use for the search to identify the object in the global catalog. For example, when you are trying to create a mailbox, user account, or other object in Active Directory, and error messages indicate that the object already exists, use the name of the object that you are trying to create. If you know that a deleted group or user name appears in the Global Address List, use that name. Use the following general sequence of tasks to locate and remove a lingering object from a global catalog server:
- Use an LDAP search to establish the distinguished name and GUID of the duplicate (lingering) object.
- Use the distinguished name to identify the domain of the object.
- Identify a writable domain controller for that domain.
- Identify the GUID of the writable domain controller.
- Delete the object from the global catalog server. This procedure requires the preceding information.
- Repeat the previous steps for every object and global catalog server that is outdated.

When deleting an object that has child objects, you must delete the child objects first, then delete the parent. You can tell from the distinguished name whether the object has parent objects.

Procedures for Removing a Lingering Object from a Global Catalog Server

Use the following procedures to identify and remove a read-only lingering object from a global catalog server that is running Windows 2000 Server with SP3. Procedures are explained in detail in the linked topics.
1. Establish the distinguished name and GUID of the object by searching the global catalog on an attribute that can uniquely identify the object. From the distinguished name, you can identify the domain by the DC= components.
2. Identify the GUID of a domain controller that has a writable replica of the domain of the lingering object.
3. Delete the lingering object from the global catalog server. In this procedure, use the GUID of the object and the GUID of the writable domain controller that you identify in procedures 1 and 2.

Managing Trusts

Trusts require little management. Trust relationships between domains establish a trusted communication path through which a computer in one domain can communicate with a computer in the other domain. Trust relationships allow users in the trusted domain to access resources in the trusting domain. For example, where a one-way trust exists:
- A user who is logged on to the trusted domain can be authenticated to connect to a resource server in the trusting domain.
- A user can use an account in the trusted domain to log on to the trusted domain from a computer in the trusting domain.
- A user in the trusting domain can list trusted domain security principals and add them to groups and access control lists (ACLs) on resources in the trusting domain.

General Guidelines for Trusts


When you create a Windows 2000 domain in an existing Windows 2000 forest, a trust relationship is established automatically. These trust relationships are two-way and transitive, and they should not be removed. However, three types of trusts must be created manually:

- External trusts: trusts between a Windows 2000 domain and a Windows NT 4.0 domain, and any trust between domains in different forests, whether both domains are Windows 2000 or one is Windows 2000 and the other Windows NT 4.0.
- Shortcut trusts between two domains in the same forest.
- Trust relationships between a Windows 2000 domain and a non-Windows Kerberos realm. For more information about trusts between a Windows 2000 domain and a non-Windows Kerberos realm, see the Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

You might also need to manage trusts for the following reasons:

- To remove a manually created trust.
- To configure security identifier (SID) filtering so that a trusted domain cannot present SIDs that belong to any domain other than itself. You can enable SID filtering for external trusts, that is, trusts between domains in different forests, or between a Windows 2000 domain and a Windows NT 4.0 domain.

Trust Management Tasks and Procedures

Table 1.20 shows the tasks and the procedures for managing trusts.

Table 1.20 Trust Management Tasks and Procedures

Task: Create an external trust (between a Windows 2000 domain and a Windows NT 4.0 domain, or between domains in different forests).
Procedures: Create a One-way Trust (MMC Method); Create a One-way Trust (Netdom.exe Method); Create a Two-way Trust (MMC Method); Create a Two-way Trust (Netdom.exe Method).
Tools: Active Directory Domains and Trusts (Windows 2000) or Netdom.exe; User Manager for Domains (Windows NT 4.0).
Frequency: As needed.

Task: Create a shortcut trust.
Procedures: Create a One-way Trust (MMC Method); Create a One-way Trust (Netdom.exe Method); Create a Two-way Trust (MMC Method); Create a Two-way Trust (Netdom.exe Method).
Tools: Active Directory Domains and Trusts or Netdom.exe.
Frequency: As needed.

Task: Remove a manually created trust.
Procedures: Remove a manually created trust.
Tools: Active Directory Domains and Trusts or Netdom.exe.
Frequency: As needed.

Task: Prevent unauthorized privilege escalation.
Procedures: Configure SID filtering.
Tools: Netdom.exe.
Frequency: As needed.

Creating External Trusts

You create an external trust when you want to establish a trust relationship between Windows 2000 domains that are in different forests, or between a Windows 2000 domain and a Windows NT 4.0 domain. An external trust relationship has the following characteristics:

- It is one-way. The trust must be established manually in each direction to create a two-way external trust relationship.
- It is nontransitive.

If you upgrade a Windows NT 4.0 domain to a Windows 2000 domain, the existing trust relationships remain in the same state.

Methods for Creating the External Trust

- Use the procedure Create a One-way Trust (MMC Method) to create a trust where one domain trusts another to use its resources.
- Use the procedure Create a One-way Trust (Netdom.exe Method) to use the support tool Netdom.exe to create both sides of a one-way trust at once. You must provide credentials for both domains to use the Netdom.exe method.
- Use the procedure Create a Two-way Trust (MMC Method) first to create both portions configured in one domain, and then to create both portions configured in the other domain.
- Use the procedure Create a Two-way Trust (Netdom.exe Method) to use the support tool Netdom.exe to create both sides of the trust at once. You must provide credentials for both domains to use the Netdom.exe method.

Requirements

Credentials: Domain Admins. You can create the trust when you log on to the domain, or use the Run As command to create the trust for a different domain.
Tools: Active Directory Domains and Trusts or Netdom.exe (Support Tools).

Procedures for Creating External Trusts

You can create an external trust by using one of the following methods. Procedures are explained in detail in the linked topics.

1. Create a One-way Trust (MMC Method)
2. Create a One-way Trust (Netdom.exe Method)
3. Create a Two-way Trust (MMC Method)
4. Create a Two-way Trust (Netdom.exe Method)

Creating Shortcut Trusts

A shortcut trust relationship is a manually created trust that shortens the trust path, which speeds up authentication for users who log on to resources in another domain of the forest. A trust path is a chain of multiple trusts that enables trust between domains that are not adjacent in the domain namespace. For example, if users in domain A need to gain access to resources in domain C, you can create a direct link from domain A to domain C through a shortcut trust relationship, bypassing domain B in the trust path. A shortcut trust relationship has the following characteristics:

- It can be established between any two domains in the same forest.
- It must be established manually in each direction.
- It is transitive.

Requirements

Credentials: Domain Admins.
Tool: Active Directory Domains and Trusts.

Procedures for Creating Shortcut Trusts

You can create a shortcut trust by using one of the following methods. Procedures are explained in detail in the linked topics.

1. Create a One-way Trust (MMC Method)
2. Create a One-way Trust (Netdom.exe Method)
3. Create a Two-way Trust (MMC Method)
4. Create a Two-way Trust (Netdom.exe Method)

Removing Manually Created Trusts

You can remove manually created trusts, but you cannot remove the default two-way transitive trusts between domains in a forest. A trust consists of two halves, one stored in each domain; removing only one half leaves an orphaned trust object in the other domain. It is therefore particularly important to verify, from both domains, that you successfully removed the trust if you are planning to re-create it.

Requirements

Credentials: Domain Admins.
Tool: Active Directory Domains and Trusts or Netdom.exe.

Procedure for Removing Manually Created Trusts

You can remove a manually created trust by using one of the following methods. Procedures are explained in detail in the linked topics.

1. Remove a manually created trust by using the Active Directory Domains and Trusts snap-in.
2. Remove a manually created trust by using Netdom.exe.

Preventing Unauthorized Privilege Escalation

Security principals in Active Directory have an attribute called SIDHistory to which domain administrators can add users' old SIDs. This is useful during the migration process because users can use their old SIDs to access resources, and administrators do not need to modify ACLs on large numbers of resources. However, an administrator of a trusted domain, who has write access to that domain's directory, can also use the SIDHistory attribute to attach arbitrary SIDs to an account, including the SIDs of privileged groups in the trusting domain; when that account authenticates across the trust, the trusting domain would include those SIDs in the user's access token, thereby granting unauthorized rights. You can configure SID filtering to prevent this type of attack: the trusting domain then discards, from the authorization data it receives across the trust, every SID whose domain identifier is not that of the trusted domain itself. You might configure SID filtering under the following circumstances:

You have identified one or more domains in your enterprise where physical security is lax, or where the domain administrators are less well trusted. You then isolate these less trustworthy domains by moving them to other forests. By definition, all domains within a forest must be trustworthy; if a domain is deemed less trustworthy than the others in the forest, it should not be a forest member. Once you have moved less trustworthy domains out of the forest, establish external trusts to these domains, and apply access control to protect resources. If you are still concerned about SID spoofing being used for privilege escalation, then apply SID filtering.

Do not apply SID filtering to domains within a forest, as this removes SIDs required for Active Directory replication, and causes authentication to fail for users from domains that are transitively trusted through the isolated domain.

Procedure for Preventing Unauthorized Privilege Escalation

Use the following procedures to configure SID filtering. Procedures are explained in detail in the linked topics.

1. Configure SID filtering.
2. Remove SID filtering.
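The following script is an added example and is not part of the Operations Guide. It shows the Netdom.exe side of the three trust procedures above (creating an external trust, enabling SID filtering, and removing and verifying a trust) driven from a PowerShell session on a management workstation that has the Support Tools installed. The domain names and the administrator account names are placeholders; Netdom.exe calls SID filtering "quarantine".

```powershell
# Added example, not part of the Operations Guide. Domain and account names are
# placeholders. Netdom's TRUST verb is run from the point of view of the
# TRUSTING domain (the one whose resources are exposed); /d: names the TRUSTED
# domain (where the accounts live).

function Invoke-Netdom {
    param([string[]]$Arguments)
    $out = & netdom.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netdom $($Arguments -join ' ') failed:`n$($out -join "`n")" }
    $out
}

$trusting = 'corp.example.com'       # resources live here
$trusted  = 'partner.example.com'    # accounts live here: another forest, or an NT 4.0 domain

# Create a one-way, nontransitive external trust in a single operation. /UserO
# and /PasswordO are credentials in the trusting (object) domain, /UserD and
# /PasswordD in the trusted domain. '*' makes Netdom prompt, so no password
# lands in the command line or the shell history. Add '/twoway' for both directions.
Invoke-Netdom @('trust', $trusting, "/d:$trusted", '/add',
                '/UserO:CORP\Administrator',    '/PasswordO:*',
                '/UserD:PARTNER\Administrator', '/PasswordD:*')

# SID filtering (quarantine) on the trusting side: SIDs in incoming authorization
# data whose domain part is not $trusted's own are dropped. External trusts only.
Invoke-Netdom @('trust', $trusting, "/d:$trusted", '/quarantine:yes',
                '/UserO:CORP\Administrator', '/PasswordO:*')

# Check the secure channel for the trust that now exists.
Invoke-Netdom @('trust', $trusting, "/d:$trusted", '/verify')

# Retiring the trust later: remove both halves, then confirm from each domain
# that the other no longer appears. A half left behind on either side is the
# stale state that makes re-creating the trust fail.
Invoke-Netdom @('trust', $trusting, "/d:$trusted", '/remove',
                '/UserO:CORP\Administrator',    '/PasswordO:*',
                '/UserD:PARTNER\Administrator', '/PasswordD:*')

foreach ($pair in @(@($trusting, $trusted), @($trusted, $trusting))) {
    $listing = Invoke-Netdom @('query', "/d:$($pair[0])", 'trust')
    if ($listing -match [regex]::Escape($pair[1])) {
        throw "$($pair[0]) still lists a trust with $($pair[1]); remove it before re-creating the trust"
    }
}
'Trust removed and confirmed absent in both domains'
```

Because SID filtering is a property of the trusting domain's side of the trust, `/quarantine:yes` only needs credentials in that domain, and the setting survives a password reset of the trust but not its removal and re-creation; re-apply it whenever you re-create an external trust.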

Managing Sites

An Active Directory site object represents a collection of Internet Protocol (IP) subnets, usually constituting a physical Local Area Network (LAN). Multiple sites are connected for replication by site link objects. Sites are used in Active Directory to:

- Enable clients to discover network resources (printers, published shares, domain controllers) that are close to the physical location of the client, reducing network traffic over Wide Area Network (WAN) links.
- Optimize replication between domain controllers.

Managing sites in Active Directory involves adding new subnet, site, and site link objects when the network grows, as well as configuring a schedule and cost for site links. You can modify the site link schedule, cost, or both, to optimize intersite replication. When conditions no longer require replication to a site, you can remove the site and associated objects from Active Directory.

Large hub-and-spoke topology management is beyond the scope of this documentation. For information about managing Active Directory branch office deployments that include more than 200 sites, see the "Active Directory Branch Office Guide Series" at http://www.microsoft.com/technet/win2000/win2ksrv/adguide/default.asp.

Using the SMTP intersite replication transport is beyond the scope of this documentation. For information about SMTP replication, see "Active Directory Replication" in the Distributed Systems Guide of the Microsoft Windows 2000 Server Resource Kit and see the "Step-by-Step Guide to Setting up ISM-SMTP Replication." To download this guide, see the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Automatic site coverage is a default condition for Windows 2000 domain controllers. Operations and guidelines documented in this guide assume that automatic site coverage is enabled.

The KCC and Replication Topology

The Knowledge Consistency Checker (KCC) uses site link configuration information to enable and optimize replication traffic by generating a least-cost replication topology. Within a site, for each directory partition, the KCC builds a ring topology that minimizes the number of hops between domain controllers. Between sites, the KCC creates a spanning tree of all intersite connections. Therefore, adding sites and domains increases the processing that is required by the KCC. Before adding to the site topology, be sure to consider the guidelines discussed in "Adding a New Site" later in this document.

Significant changes to site topology can affect domain controller hardware requirements. For more information about domain controller hardware requirements, see "Domain Controller Capacity Planning" in "Best Practice Active Directory Design for Managing Windows Networks." To download this guide, see the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Bridgehead Server Selection

By default, bridgehead servers are automatically selected by the intersite topology generator (ISTG) in each site. Alternatively, you can use Active Directory Sites and Services to select preferred bridgehead servers. However, it is recommended for Windows 2000 deployments that you do not select preferred bridgehead servers. Selecting preferred bridgehead servers limits the bridgehead servers that the KCC can use to those that you have selected. If you use Active Directory Sites and Services to select any preferred bridgehead servers at all in a site, you must select as many as possible, and you must select them for all domains that must be replicated to a different site. If you select preferred bridgehead servers for a domain and all preferred bridgehead servers for that domain become unavailable, replication of that domain to and from that site does not occur. If you have selected one or more bridgehead servers, removing them from the bridgehead servers list restores the automatic selection functionality to the ISTG.


Site Management Tasks and Procedures

Table 1.21 shows the tasks and procedures for managing sites, as well as the tools and the recommended frequency for performing each task. After you configure sites, subnets, and site links for the initial deployment, most site management activity is limited to responding to changes in network conditions.

Table 1.21 Site Management Tasks and Procedures

Task: Add a new site.
Procedures: Create a site object. Create a subnet object and associate it with the site, or associate an existing subnet object with the site. Create a site link object, if appropriate. Remove the site from a site link, if appropri­ate.
Tools: Active Directory Sites and Services.
Frequency: As needed.

Task: Add a subnet to the network.
Procedures: Obtain the network address and subnet mask for the subnet. Create a subnet object and associate it with a site.
Tools: Active Directory Sites and Services.
Frequency: As needed.

Task: Link sites for replication.
Procedures: Determine the names of the sites you are linking. Create a site link object. Determine the ISTG role owner for a site. Generate the replication topology on the ISTG, if appropriate.
Tools: Active Directory Sites and Services.
Frequency: As needed.

Task: Change site link properties.
Procedures: Configure the site link schedule. Configure the site link interval. Configure the site link cost. Determine the ISTG role owner for a site. Generate the replication topology on the ISTG, if appropriate.
Tools: Active Directory Sites and Services.
Frequency: As needed.

Task: Move a domain controller to a different site.
Procedures: Change the static IP address of the domain controller. Create a delegation for the domain controller, if appropriate. Verify that the IP address maps to a subnet and determine the site association. Determine whether the server is a preferred bridgehead server. Configure the domain controller to not be a preferred bridgehead server, if appropriate. Move the server object to a different site.
Tools: My Network Places; Active Directory Sites and Services; DNS snap-in.
Frequency: As needed.

Task: Remove a site.
Procedures: Determine whether the server object has child objects. Delete the server object or objects from the site. Delete the site link object, if appropriate. Associate the subnet or subnets with a different site, or delete the subnet objects. Delete the site object. Determine the ISTG role owner for a site. Generate the replication topology on the ISTG, if appropriate.
Tools: Active Directory Sites and Services.
Frequency: As needed.

Adding a New Site

Design teams or network architects might want to add sites as part of ongoing deployment. Although you typically create subnets to accommodate all address ranges in the network, you do not need to create sites for every location. Generally, sites are required for those locations that have domain controllers or other servers that run applications that depend on site topology, such as Distributed File System (DFS). When such locations are separated from other network locations by a WAN link, create a site object to optimize resource location, Active Directory replication, and domain controller location for clients. When the need for a site arises, the design team typically provides details about the placement and configuration of site links for the new site, as well as subnet assignments or creation if subnets are needed.

KCC calculations for generating the intersite topology for a Windows 2000 forest can cause directory performance to suffer when the combined sites, site links, and domains exceed certain limits. When these limits are reached, follow the site administration guidelines on the Active Directory Branch Office Planning Guide link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. As a general guideline, when any of the following conditions exist, consult your design team before adding a new site:

- An existing site is directly connected to more than 20 sites.
- A bridgehead server has more than 20 inbound connections.
- The forest has 200 or more sites.

Procedures for Adding a New Site

Use the following procedures to add a new site. Procedures are explained in detail in the linked topics.

1. Create a site object and add it to an existing site link.
2. Associate a range of IP addresses with the site, as follows: create a subnet object or objects and associate them with the new site, or associate an existing subnet object with the new site.
3. Create a site link object, if appropriate, and add the new site and at least one other site to the site link.
4. If, while performing procedure 1, you added the new site to an existing site link temporarily in order to create the site, remove the site from that site link.

Adding a Subnet to the Network

If a new range of IP addresses is added to the network, create a subnet object in Active Directory to correspond to the range of IP addresses. When you create a new subnet object, you must associate it with a site object. You can either associate the subnet with an existing site, or create a new site first and then create the subnet and associate it with the new site. If you are going to create a new site for the new network segment, see "Adding a New Site."

Procedures for Adding a Subnet

Use the following procedures to add a subnet. Procedures are explained in detail in the linked topics.

1. Obtain the network address and subnet mask for the new subnet.
2. Create a subnet object and associate it with the appropriate site.

Linking Sites for Replication

To link sites for replication, create a site link object in the IP transport container and add two or more sites to the link. Use a naming convention that includes the sites that you are linking. For example, if you want to link the site named Seattle to the site named Boston, you might name the site link SEA-BOS. After you add two or more site names to a site link object, the bridgehead servers in the respective sites replicate between the sites according to the replication schedule, cost, and interval settings on the site link object. For information about modifying the default settings, see "Changing Site Link Properties."

At least two sites must exist when you create a site link. If you are adding a site link to connect a new site to an existing site, create the new site first and then create the site link. For information about creating a site, see "Adding a New Site."

Procedures for Creating a Site Link

Use the following procedures to link sites for replication. Procedures are explained in detail in the linked topics.

1. Determine the names of the sites you are linking.
2. Create a site link object in the IP container and add the appropriate sites to it.
3. Generate the intersite topology. By default, the KCC runs every 15 minutes to generate the replication topology. To initiate replication topology generation immediately, use the following procedures to refresh the intersite topology:
   a. Determine the ISTG role owner for the site.
   b. Generate the replication topology on the ISTG.

Changing Site Link Properties

To control which sites replicate directly with each other and when, use the cost, schedule, and interval properties on the site link object. These settings control intersite replication as follows:

- Schedule: The times during which replication can occur (the default setting allows replication at all times). The schedule is stored in UTC; the snap-in displays it in the local time of the computer on which it runs.
- Interval: The number of minutes between replication polling by intersite replication partners within the open schedule window (the default is every 180 minutes).
- Cost: The relative priority of the link (the default is 100). A lower cost increases the priority of the link over other, higher-cost links.

Consult your design documentation for information about values to set for site link properties.

Procedures for Configuring Site Links

Use the following procedures to configure a site link. Procedures are explained in detail in the linked topics.

1. Configure the site link schedule to identify times during which intersite replication can occur.
2. Configure the site link interval to identify how often replication polling can occur during the schedule window.
3. Configure the site link cost to establish a priority for replication routing.
4. Generate the intersite replication topology, if appropriate. By default, the KCC runs every 15 minutes to generate the replication topology. To initiate intersite replication topology generation immediately, use the following procedures to refresh the topology:
   a. Determine the ISTG role owner for the site.
   b. Generate the replication topology on the ISTG.
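The following script is an added example and is not part of the Operations Guide. It performs the "Adding a New Site", "Adding a Subnet to the Network", "Linking Sites for Replication" and "Changing Site Link Properties" procedures for one new site with ADSI against the Configuration partition, including the network-address check behind step 1 of the subnet procedure, the binary layout of the site link schedule (taken from the Active Directory technical specification, MS-ADTS), and the ISTG lookup used to refresh the topology at once. The site names, the subnet and the replication window are placeholders, and a domain-joined management workstation is assumed.

```powershell
# Added example, not part of the Operations Guide. Site names, subnet and hours
# are placeholders; run with Domain Admins (or delegated Configuration) rights.

$sitesDn = "CN=Sites,$([string]([ADSI]'LDAP://RootDSE').configurationNamingContext)"

function New-AdSite {
    param([string]$Name)
    $site = ([ADSI]"LDAP://$sitesDn").Create('site', "CN=$Name")
    $site.SetInfo()
    # The snap-in creates these three children silently; the KCC/ISTG needs them.
    foreach ($child in @(@('nTDSSiteSettings', 'CN=NTDS Site Settings'),
                         @('serversContainer', 'CN=Servers'),
                         @('licensingSiteSettings', 'CN=Licensing Site Settings'))) {
        $site.Create($child[0], $child[1]).SetInfo()
    }
    $site
}

# Step 1 of "Adding a Subnet": the object name is the network in CIDR form and
# the network part must have its host bits clear, or the locator never matches it.
function Test-NetworkAddress {
    param([string]$Cidr)
    $ipText, $prefix = $Cidr -split '/'
    $bytes = ([Net.IPAddress]::Parse($ipText)).GetAddressBytes(); [Array]::Reverse($bytes)
    $ip   = [BitConverter]::ToUInt32($bytes, 0)
    $mask = [uint32]((([uint64]1) -shl 32) - (([uint64]1) -shl (32 - [int]$prefix)))
    ($ip -band $mask) -eq $ip
}

function New-AdSubnet {
    param([string]$Cidr, [string]$SiteName)
    if (-not (Test-NetworkAddress $Cidr)) { throw "$Cidr is not a network address" }
    $subnet = ([ADSI]"LDAP://CN=Subnets,$sitesDn").Create('subnet', "CN=$Cidr")
    $subnet.Put('siteObject', "CN=$SiteName,$sitesDn")
    $subnet.SetInfo()
    $subnet
}

# Schedule blob for a siteLink: a 20-byte header (Size, Bandwidth, NumberOfSchedules,
# Type = SCHEDULE_INTERVAL, Offset) followed by 168 data bytes, one per hour of the
# week starting Sunday 00:00 UTC; the low four bits are the 15-minute slots of that hour.
function New-ReplicationSchedule {
    param([int[]]$Days = (0..6), [int[]]$Hours = (0..23))
    $blob = New-Object byte[] 188
    $i = 0
    foreach ($field in 188, 0, 1, 0, 20) { [BitConverter]::GetBytes([int32]$field).CopyTo($blob, $i); $i += 4 }
    foreach ($d in $Days) { foreach ($h in $Hours) { $blob[20 + 24 * $d + $h] = 0x0F } }
    $blob
}

function New-AdSiteLink {
    param([string]$Name, [string[]]$SiteNames, [int]$Cost = 100, [int]$IntervalMinutes = 180, [byte[]]$Schedule)
    if ($SiteNames.Count -lt 2) { throw 'a site link needs at least two sites' }
    $link = ([ADSI]"LDAP://CN=IP,CN=Inter-Site Transports,$sitesDn").Create('siteLink', "CN=$Name")
    $link.PutEx(2, 'siteList', [string[]]($SiteNames | ForEach-Object { "CN=$_,$sitesDn" }))  # ADS_PROPERTY_UPDATE
    $link.Put('cost', $Cost)                    # lower cost wins when several paths exist
    $link.Put('replInterval', $IntervalMinutes) # polling interval inside the open window
    if ($Schedule) { $link.Put('schedule', $Schedule) }   # absent = always available
    $link.SetInfo()
    $link
}

# Step 3 of "Linking Sites": the ISTG is named on the site's NTDS Site Settings
# object as the DN of an NTDS Settings object, whose parent is the server object.
function Get-IstgHostName {
    param([string]$SiteName)
    $dsaDn = [string]([ADSI]"LDAP://CN=NTDS Site Settings,CN=$SiteName,$sitesDn").interSiteTopologyGenerator
    if (-not $dsaDn) { return $null }      # no domain controller in the site yet, so no ISTG
    [string](([ADSI]"LDAP://$dsaDn").psbase.Parent).dNSHostName
}

# Usage with placeholder names: Boston gets a weeknight-only, higher-cost link to Seattle.
New-AdSite -Name 'Boston' | Out-Null
New-AdSubnet -Cidr '10.20.30.0/24' -SiteName 'Boston' | Out-Null
$nightly = New-ReplicationSchedule -Days (1..5) -Hours ((22..23) + (0..5))
New-AdSiteLink -Name 'SEA-BOS' -SiteNames 'Seattle', 'Boston' -Cost 200 -IntervalMinutes 60 -Schedule $nightly | Out-Null
$istg = Get-IstgHostName -SiteName 'Seattle'
if ($istg) { repadmin /kcc $istg }   # run the KCC now instead of waiting up to 15 minutes
```

Creating the site through ADSI rather than the snap-in sidesteps step 4 of "Adding a New Site": the site is never added to a temporary site link, so there is nothing to remove afterwards. The schedule hours are UTC, which is why a "22:00 to 06:00 local" window has to be shifted by the site's offset before it is encoded.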

Moving a Domain Controller to a Different Site

If you change the IP address or the subnet-to-site association of a domain controller after Active Directory is installed on the server, the server object does not change sites automatically. You must move it to the new site manually. When you move the server object, the Net Logon service on the domain controller registers DNS SRV resource records for the appropriate site.

TCP/IP Settings

When you move a domain controller to a different site, if an IP address of the domain controller is statically configured, then you must change the TCP/IP settings accordingly. The IP address of the domain controller must map to a subnet object that is associated with the site to which you are moving the domain controller. If the IP address of a domain controller does not match the site in which the server object appears, the domain controller must communicate over a potentially slow WAN link to locate resources rather than locating resources in its own site. Prior to moving the domain controller, ensure that the following TCP/IP client values are appropriate for the new location:

- IP address, including the subnet mask and default gateway.
- DNS server addresses.
- WINS server addresses (if appropriate).

If the domain controller that you are moving is a DNS server, you must also:

- Change the TCP/IP settings on any clients that have static references to the domain controller as the preferred or alternate DNS server.
- Determine whether the parent DNS zone of any zone that is hosted by this DNS server contains a delegation to this DNS server. If yes, update the IP address in all such delegations. For information about creating DNS delegations, see "Performing Active Directory Post-Installation Tasks."

Preferred Bridgehead Server Status

Before moving any server object, check the server object to see whether it is acting as a preferred bridgehead server for the site. This condition has ISTG implications in both sites, as follows:

- Site to which you are moving the server: If you move a preferred bridgehead server to a different site, it becomes a preferred bridgehead server in the new site. If preferred bridgehead servers are not currently in use in this site, the ISTG behavior in this site changes to support preferred bridgehead servers. For this reason, you must either configure the server to not be a preferred bridgehead server (recommended), or select additional preferred bridgehead servers in the site (not recommended).
- Site from which you are moving the server: If the server is the last preferred bridgehead server in the original site for its domain, and if other domain controllers for the domain are in the site, the ISTG selects a bridgehead server for the domain. If you use preferred bridgehead servers, always select more than one server as preferred bridgehead server for the domain. If, after the removal of this domain controller from the site, multiple domain controllers remain that are hosting the same domain and only one of them is configured as a preferred bridgehead server, either configure that server to not be a preferred bridgehead server (recommended), or select additional preferred bridgehead servers hosting the same domain in the site (not recommended).


Note
If you select preferred bridgehead servers and all selected preferred bridgehead servers for a domain are unavailable in the site, the ISTG does not select a new bridgehead server. In this case, replication of this domain to and from other sites does not occur. However, if no preferred bridgehead server is selected for a domain or transport (through administrator error or as the result of moving the only preferred bridgehead server to a different site), the ISTG automatically selects a bridgehead server for the domain and replication proceeds as scheduled.

Procedures for Moving a Domain Controller to a Different Site

Use the following procedures to move a domain controller to a different site. Procedures are explained in detail in the linked topics.

1. Change the static IP address of the domain controller. This procedure includes changing all appropriate TCP/IP values, including preferred and alternate DNS servers, as well as WINS servers (if appropriate). Obtain these values from the design team.
2. Create a delegation for the domain controller, if appropriate. If the parent DNS zone of any zone that is hosted by this DNS server contains a delegation to this DNS server, use this procedure to update the IP address in all such delegations.
3. Verify that the IP address maps to a subnet and determine the site association, to ensure that the subnet is associated with the site to which you are moving the server object.
4. Determine whether the server is a preferred bridgehead server.
5. If the server is a preferred bridgehead server in the current site and you do not want the server to be a preferred bridgehead server in the new site, configure the server to not be a preferred bridgehead server.
6. Move the server object to the new site.
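The following script is an added example and is not part of the Operations Guide. It performs steps 3 to 6 of the procedure above for one domain controller with ADSI: it confirms that the new address maps to a subnet of the destination site using the same longest-prefix rule the domain controller locator applies, reports whether the server object is a preferred bridgehead server and clears that setting (the guide's recommended choice), and then moves the server object. The domain controller name, site names and address are placeholders; a domain-joined management workstation is assumed, and steps 1 and 2 (the TCP/IP change on the server and the DNS delegation) are left to the network and DNS procedures the guide references.

```powershell
# Added example, not part of the Operations Guide. Names and addresses are
# placeholders; the TCP/IP change itself has already been made on the server.

$sitesDn = "CN=Sites,$([string]([ADSI]'LDAP://RootDSE').configurationNamingContext)"

function ConvertTo-UInt32Address {
    param([string]$Ip)
    $b = ([Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    [Array]::Reverse($b)                    # network order to host order for ToUInt32
    [BitConverter]::ToUInt32($b, 0)
}

# Longest-prefix match of an address against every subnet object, which is the
# rule the locator uses to assign a client (or a DC) to a site.
function Find-SiteForAddress {
    param([string]$Ip)
    $addr = ConvertTo-UInt32Address $Ip
    $best = $null
    foreach ($subnet in ([ADSI]"LDAP://CN=Subnets,$sitesDn").psbase.Children) {
        $net, $prefix = ([string]$subnet.psbase.Name -replace '^CN=', '') -split '/'
        $prefix = [int]$prefix
        $mask = [uint32]((([uint64]1) -shl 32) - (([uint64]1) -shl (32 - $prefix)))
        if ((($addr -band $mask) -eq ((ConvertTo-UInt32Address $net) -band $mask)) -and ($prefix -gt $best.Prefix)) {
            $best = New-Object PSObject -Property @{ Cidr = "$net/$prefix"; Prefix = $prefix; SiteDn = [string]$subnet.siteObject }
        }
    }
    $best
}

function Move-DcServerObject {
    param([string]$DcName, [string]$CurrentSite, [string]$NewSite, [string]$NewIp)
    $serverDn  = "CN=$DcName,CN=Servers,CN=$CurrentSite,$sitesDn"
    $newSiteDn = "CN=$NewSite,$sitesDn"

    # Step 3: the address must fall in a subnet of the new site, otherwise the DC
    # advertises in one site and resolves resources across the WAN from another.
    $hit = Find-SiteForAddress $NewIp
    if (-not $hit -or $hit.SiteDn -ne $newSiteDn) {
        throw "$NewIp maps to '$($hit.SiteDn)' (subnet $($hit.Cidr)), not to $newSiteDn; fix the subnet objects first"
    }

    # Steps 4 and 5: bridgeheadTransportList on the server object is the forward
    # link that marks it as a preferred bridgehead (the transport's
    # bridgeheadServerListBL is the back link). Clearing it returns bridgehead
    # selection to the ISTG in both the old and the new site.
    $server = [ADSI]"LDAP://$serverDn"
    $transports = @($server.bridgeheadTransportList | Where-Object { $_ })
    if ($transports.Count -gt 0) {
        Write-Warning "$DcName is a preferred bridgehead for $($transports -join '; '); clearing the setting"
        $server.PutEx(1, 'bridgeheadTransportList', $null)   # ADS_PROPERTY_CLEAR
        $server.SetInfo()
    }

    # Step 6: move the server object (its NTDS Settings child moves with it).
    $server.psbase.MoveTo([ADSI]"LDAP://CN=Servers,$newSiteDn")
    "$DcName moved to $NewSite; Net Logon will re-register the site-specific SRV records"
}

Move-DcServerObject -DcName 'DC03' -CurrentSite 'Seattle' -NewSite 'Boston' -NewIp '10.20.30.10'
```

After the move, check the new site with `nltest /dsgetsite` on the domain controller, or wait for the next Net Logon registration and confirm the `_ldap._tcp.Boston._sites` SRV record in DNS; if the old site still has only one preferred bridgehead server for the domain, apply the same clearing to it as the "Site from which you are moving the server" paragraph above recommends.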

Removing a Site

If domain controllers are no longer needed in a network location, you can remove them from the site and then delete the site object. Before deleting the site, you must remove the domain controllers from the site, either by removing them entirely or by moving them to a new location.

- To remove the domain controller, remove Active Directory from the server and then delete the server object from the site in Active Directory. For information about removing a domain controller, see "Decommissioning a Domain Controller."
- To retain the domain controller in a different location, move the domain controller to a different site and then move the server object to the respective site in Active Directory. For information about moving a domain controller, see "Moving a Domain Controller to a Different Site."

Domain controllers can host other applications that depend on site topology and publish objects as child objects of the respective server object. For example, when MOM or Message Queuing is running on a domain controller, these applications create child objects beneath the server object. In addition, a Message Queuing server that is not a domain controller and is configured to be a Message Queuing Routing Server creates a server object in the Sites container. Removing the application from the server automatically removes the child object below the respective server object. However, the server object is not removed automatically. When all applications have been removed from the server (no child objects appear beneath the server object), you can remove the server object. After the application is removed from the server, a replication cycle might be required before child objects are no longer visible below the server object.

After you delete or move the server objects but before you delete the site object, reconcile the following objects:

- Subnet object or objects for the site IP addresses: If the addresses are being reassigned to a different site, associate the subnet object or objects with that site. Any clients using the addresses for the decommissioned site will thereafter be assigned automatically to the other site. If the IP addresses will no longer be used on the network, delete the corresponding subnet object or objects.
- Site link object or objects. You might need to delete a site link object, as follows: If the site you are removing belongs to a site link containing only two sites, delete the site link object. If the site you are removing belongs to a site link that contains more than two sites, do not delete this site link object.

Before deleting a site, obtain instructions from the design team for reconnecting any other sites that might be disconnected from the topology by removing this site. If the site you are removing belongs to more than one site link, it might be an interim site between other sites on those site links. Deleting the site might disconnect the outer sites from each other. In this case, the site links must be reconciled according to the instructions of the design team.

Procedures for Removing a Site

Use the following procedures to remove a site. Procedures are explained in detail in the linked topics.

1. Determine whether the server object has child objects. If a child object appears, do not delete the server object. If a domain controller has been decommissioned and one or more child objects appear below the server object, replication might not have completed. If replication has completed and child objects still exist, do not delete the server object; contact a supervisor.
2. Delete the server objects within the Servers container of the site that you are removing.
3. Delete the site link object, if appropriate. Obtain this information from the design team.
4. Associate the subnet or subnets with the appropriate site, if appropriate. If you no longer want to use the IP addresses associated with the subnet object or objects, delete the subnet objects. Obtain this information from the design team.
5. Delete the site object.
6. Generate the intersite replication topology, if appropriate. By default, the KCC runs every 15 minutes to generate the replication topology. To initiate intersite replication topology generation immediately, use the following procedures to refresh the topology:
   a. Determine the ISTG role owner in the site.
   b. Generate the replication topology on the ISTG.
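The following script is an added example and is not part of the Operations Guide. It runs the checks that the "Removing a Site" procedure calls for before anything is deleted, and then carries out steps 2 to 5 in the order given: a site whose server objects still have child objects is refused, as is a site that sits on more than one site link (the case the guide hands to the design team). The site names are placeholders and a domain-joined management workstation is assumed; step 6, the KCC refresh on the neighbouring sites' ISTGs, is the same as in the earlier site-link procedures and is not repeated here.

```powershell
# Added example, not part of the Operations Guide. Site names are placeholders;
# run with Domain Admins (or delegated Configuration) rights.

$sitesDn = "CN=Sites,$([string]([ADSI]'LDAP://RootDSE').configurationNamingContext)"

function Get-SiteRemovalPlan {
    param([string]$SiteName)
    $siteDn = "CN=$SiteName,$sitesDn"
    $plan = New-Object PSObject -Property @{
        SiteDn = $siteDn; Blockers = @(); LinksToDelete = @(); LinksToShrink = @(); Subnets = @()
    }

    # Step 1: a server object with children is either a DC that has not been
    # decommissioned (CN=NTDS Settings is still there), a server that still runs a
    # site-aware application such as MOM or Message Queuing, or one whose child
    # removal has not replicated yet. In every case the server object stays.
    foreach ($server in ([ADSI]"LDAP://CN=Servers,$siteDn").psbase.Children) {
        $kids = @($server.psbase.Children | ForEach-Object { $_.psbase.Name })
        if ($kids.Count -gt 0) { $plan.Blockers += "$($server.psbase.Name) still has $($kids -join ', ')" }
    }

    # Step 3: a two-member link dies with the site; a larger link only loses this
    # member. A site on more than one link may be the hop joining other sites,
    # which the design team must rule on before anything is deleted.
    foreach ($link in ([ADSI]"LDAP://CN=IP,CN=Inter-Site Transports,$sitesDn").psbase.Children) {
        $members = @($link.siteList)
        if ($members -notcontains $siteDn) { continue }
        if ($members.Count -le 2) { $plan.LinksToDelete += $link.psbase.Name } else { $plan.LinksToShrink += $link.psbase.Name }
    }
    if (($plan.LinksToDelete.Count + $plan.LinksToShrink.Count) -gt 1) {
        $plan.Blockers += "$SiteName is on several site links; get reconnection instructions from the design team first"
    }

    # Step 4: subnets that still point at the site.
    $plan.Subnets = @(([ADSI]"LDAP://CN=Subnets,$sitesDn").psbase.Children |
        Where-Object { [string]$_.siteObject -eq $siteDn } | ForEach-Object { $_.psbase.Name })
    $plan
}

function Remove-AdSite {
    param([string]$SiteName, [string]$ReassignSubnetsTo)   # omit the second to delete the subnets
    $plan = Get-SiteRemovalPlan $SiteName
    if ($plan.Blockers.Count -gt 0) { throw ("Not removing $SiteName`n" + ($plan.Blockers -join "`n")) }

    # Step 2: the (now childless) server objects in the site's Servers container.
    $servers = [ADSI]"LDAP://CN=Servers,$($plan.SiteDn)"
    foreach ($server in @($servers.psbase.Children)) { $servers.Delete('server', $server.psbase.Name) }

    # Step 3: site links.
    $ip = [ADSI]"LDAP://CN=IP,CN=Inter-Site Transports,$sitesDn"
    foreach ($name in $plan.LinksToDelete) { $ip.Delete('siteLink', $name) }
    foreach ($name in $plan.LinksToShrink) {
        $link = [ADSI]"LDAP://$name,CN=IP,CN=Inter-Site Transports,$sitesDn"
        $link.PutEx(4, 'siteList', @($plan.SiteDn))   # ADS_PROPERTY_DELETE: drop only this member
        $link.SetInfo()
    }

    # Step 4: re-home or delete the subnets, so no client keeps resolving to a dead site.
    $subnets = [ADSI]"LDAP://CN=Subnets,$sitesDn"
    foreach ($name in $plan.Subnets) {
        if ($ReassignSubnetsTo) {
            $subnet = [ADSI]"LDAP://$name,CN=Subnets,$sitesDn"
            $subnet.Put('siteObject', "CN=$ReassignSubnetsTo,$sitesDn"); $subnet.SetInfo()
        } else {
            $subnets.Delete('subnet', $name)
        }
    }

    # Step 5: the site object together with its NTDS Site Settings and Servers containers.
    ([ADSI]"LDAP://$($plan.SiteDn)").psbase.DeleteTree()
    "Removed $SiteName; run the KCC on the ISTG of each neighbouring site, or wait for the 15-minute cycle"
}

Remove-AdSite -SiteName 'Boston' -ReassignSubnetsTo 'Seattle'
```

Run `Get-SiteRemovalPlan` on its own first: it changes nothing and prints the blockers, the links that would be deleted or shrunk, and the subnets that would be re-homed, which is the information the procedure tells you to obtain from the design team before step 3 and step 4.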


Troubleshooting Active Directory

CHAPTER 2

Although troubleshooting any distributed system can be challenging and time-consuming, applying a structured methodology to Active Directory troubleshooting can help you quickly sort through the possible causes and reveal the root cause of any problem.

In This Chapter

Overview of Active Directory Troubleshooting
High-level Methodology for Troubleshooting Active Directory Problems
Troubleshooting High CPU Usage on a Domain Controller
Troubleshooting Active Directory-Related DNS Problems
Troubleshooting FRS
Troubleshooting Active Directory Replication
Troubleshooting Active Directory Installation Wizard Problems
Troubleshooting Directory Data Problems
Troubleshooting Windows Time Service Problems


Overview o$ Active Directory /roubleshootin(


Acti e Directory4directory ser ice is a distri)uted system that is com$rised o* many di**erent ser ices and de$ends on all o* the ser ices to *unction $ro$erly, (he methodology $resented in this cha$ter can ease the di**iculties inherent in identi*ying the com$uters and ser ices in ol ed in $ro)lems you might )e ha ing, and hel$ you isolate a $ro)lem to the core com$onent, /n most cases, trou)leshooting )egins when you detect one o* the *ollowing: An e ent re$orted in an e ent log, An alert generated )y a monitoring system, such as Microso*t 0$erations Manager 8M0M9, A sym$tom re$orted )y a user or noticed )y /( $ersonnel,

This chapter includes troubleshooting procedures for the events, monitoring alerts, and symptoms that either have the highest frequency of occurrence or that can cause the greatest problem in your organization. Specific sections for each Active Directory service also include troubleshooting procedures for error messages generated by some tools that you might use in the troubleshooting process.

Responding to Events
When responding to events in the event logs, first determine the source that is listed in the event log, such as the Net Logon service or the File Replication service (FRS). Table 2.1 shows the event source and IDs, and references the troubleshooting sections for events that occur most frequently or that cause problems with the highest severity. If Table 2.1 does not include the event ID that you are looking for, search for it in the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Table 2.1 Active Directory Events Reference

Event Source | Event IDs | Reference
FRS | 13508, 13509, 13512, 13522, 13567, 13568 | See "Troubleshooting FRS."
Netlogon | 5774, 5775, 5781, 5783, 5805 | See "Troubleshooting Active Directory-Related DNS Problems."
NTDS | 1083, 1265, 1388, 1645 | See "Troubleshooting Active Directory Replication Problems."
UserEnv | 1085 | See "Troubleshooting Active Directory Replication Problems."
W32Time | 13, 14, 52, 56, 60, 64 | See "Troubleshooting Windows Time Service Problems."
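As an added example (not part of the guide), the following Python routes exported event-log lines to the sections listed in Table 2.1 and ranks them per computer by severity and frequency, sending anything the table does not cover to the Knowledge Base search. The export layout (columns Type,Date,Time,Source,EventID,Computer), the NtFrs source alias and the sample lines are assumptions and constructed data.

```python
"""Added example (not from the guide): route exported event-log lines to the
troubleshooting sections named in Table 2.1 and rank them per computer.
Assumed export layout: comma-separated, columns Type,Date,Time,Source,EventID,Computer.
"""
import csv
from collections import defaultdict
from io import StringIO

# Table 2.1: event source -> (event IDs, section of this chapter to consult).
EVENT_REFERENCE = {
    "FRS": ({13508, 13509, 13512, 13522, 13567, 13568},
            "Troubleshooting FRS"),
    "Netlogon": ({5774, 5775, 5781, 5783, 5805},
                 "Troubleshooting Active Directory-Related DNS Problems"),
    "NTDS": ({1083, 1265, 1388, 1645},
             "Troubleshooting Active Directory Replication Problems"),
    "UserEnv": ({1085},
                "Troubleshooting Active Directory Replication Problems"),
    "W32Time": ({13, 14, 52, 56, 60, 64},
                "Troubleshooting Windows Time Service Problems"),
}

# Assumption: the FRS log records its events under the source name "NtFrs".
SOURCE_ALIASES = {"ntfrs": "FRS"}

# Events not in the table go to the Knowledge Base link named in the guide.
KB_LINK = "http://www.microsoft.com/windows/reskits/webresources"


def lookup_source(source):
    """Map a raw event source ("NTDS Replication", "NtFrs") to a Table 2.1 name."""
    raw = source.strip().lower()
    if raw in SOURCE_ALIASES:
        return SOURCE_ALIASES[raw]
    for name in EVENT_REFERENCE:
        if raw.startswith(name.lower()):  # "NTDS KCC" / "NTDS Replication" -> NTDS
            return name
    return None


def triage(export_text):
    """Return (report, unmatched).

    report: computer -> list of (section, error_count, total_count), ordered
    so the sections with the most errors, then the most events, come first
    (the guide prioritises by severity and frequency).
    unmatched: sorted (source, event_id) pairs that need a Knowledge Base search.
    """
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    unmatched = set()
    for row in csv.DictReader(StringIO(export_text)):
        name = lookup_source(row["Source"])
        event_id = int(row["EventID"])
        if name is None or event_id not in EVENT_REFERENCE[name][0]:
            unmatched.add((row["Source"].strip(), event_id))
            continue
        tally = counts[row["Computer"].strip()][EVENT_REFERENCE[name][1]]
        tally[1] += 1
        if row["Type"].strip().lower() == "error":
            tally[0] += 1
    report = {}
    for computer, sections in counts.items():
        ranked = sorted(sections.items(),
                        key=lambda item: (-item[1][0], -item[1][1], item[0]))
        report[computer] = [(sec, errs, total) for sec, (errs, total) in ranked]
    return report, sorted(unmatched)


# Constructed sample export (not real data) covering several table sources
# and one event (SceCli 1704) that Table 2.1 does not list.
SAMPLE_EXPORT = """Type,Date,Time,Source,EventID,Computer
Error,03/12/2002,08:01:10,NtFrs,13508,DC1
Warning,03/12/2002,08:05:42,NtFrs,13508,DC1
Error,03/12/2002,08:06:00,NETLOGON,5774,DC1
Error,03/12/2002,08:10:31,NTDS Replication,1388,DC3
Error,03/12/2002,08:11:02,NTDS Replication,1388,DC3
Warning,03/12/2002,08:12:00,W32Time,14,DC3
Information,03/12/2002,08:15:00,SceCli,1704,DC3
"""

if __name__ == "__main__":
    report, unmatched = triage(SAMPLE_EXPORT)
    for computer, sections in sorted(report.items()):
        for section, errors, total in sections:
            print(f'{computer}: {total} event(s), {errors} error(s): see "{section}"')
    for source, event_id in unmatched:
        print(f"{source} {event_id}: not in Table 2.1, search the Knowledge Base via {KB_LINK}")
```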

Responding to Monitoring Alerts


As a best practice, use a comprehensive monitoring system for your environment. The alerts that monitoring systems generate vary. Table 2.2 shows some common alerts generated by Microsoft Operations Manager (MOM) with the Active Directory Management Pack (ADMP) installed and points you to the appropriate references for troubleshooting information. If you are using a different monitoring system, look for the alert that most closely matches the alert generated by your system. If you do not find a monitoring alert in this table that you need information about, view the event logs and troubleshoot related error events that you find, or refer to further troubleshooting instructions in the section in this guide that most closely matches the problem reported.

Table 2.2 Active Directory Monitoring Alerts Reference

Monitoring Alert | Description | Reference
A domain controller has received a significant number of new replication partners. | This is normal when a computer is in the process of becoming a global catalog server or bridgehead server, or when new domains or domain controllers are added to the environment. Abnormal causes of this alert include replication or site link problems. | See "Troubleshooting Active Directory Replication Problems" for replication troubleshooting procedures. See "Managing Sites" for recommendations and procedures for establishing and verifying sites and site links.
Active Directory Essential Services has detected... | This is a high priority alert, because it indicates that the domain controller is unusable for the reason specified in the error. | If the alert indicates that a service is not running, restart the service. If the alert indicates a SYSVOL problem, see "Troubleshooting FRS" or "Managing SYSVOL" for further troubleshooting procedures or recommendations. If the alert indicates that the domain controller is not advertising, see "Troubleshooting Active Directory-Related DNS Problems."
Active Directory global catalog search failed. | This is a high priority alert, because if a global catalog server cannot be reached, users will not be able to log on, and Exchange's address book will not function. | Verify that this is a global catalog server. See "Verifying Server Health" to ensure the server is functioning properly.
Active Directory - lost objects warning. | A large number of objects are in the LostAndFound container. | See "Troubleshooting Directory Data Problems."
Active Directory replication is occurring slowly. | The monitoring system has determined that replication times are exceeding set thresholds. | If necessary, see "Managing Sites" for recommendations on setting replication schedules or site topology configuration. You can also change the threshold if you are satisfied with the current schedule.
Failed to ping or bind to the [operations master] role holder. | The destination server might not be functioning, or there might not be network connectivity. | See "Verifying Server Health" and "Verifying Network Path." If necessary, see "Managing Operations Masters" to determine if it is appropriate to seize the role. If the outage is expected, see "Managing Operations Masters" to transfer the role before the outage to avoid this error.
High CPU alert. | An application or service is consuming an inordinate amount of CPU. | See "Troubleshooting High CPU Usage on a Domain Controller."
Replication is not occurring - all AD replication partners failed to synchronize. | Short term connectivity problems can be expected, but extended failures indicate a problem. Investigate any problem that persists for more than a few hours. | See "Troubleshooting Active Directory Replication Problems."
Time skew detected. | The system time on the servers indicated in the alert is not synchronized. | See "Troubleshooting Windows Time Service Problems."

Responding to Symptoms
If you are troubleshooting Active Directory based on symptoms reported by users or noticed by IT personnel, you need to perform some preliminary troubleshooting steps to isolate the cause of the problem. See "High-Level Methodology for Troubleshooting Active Directory Problems" in this guide for information about how to iterate the troubleshooting process until you have found the root cause and resolved the problem. If you have already determined the most likely source or cause of the problem, you can refer to the appropriate section in this guide, such as "Troubleshooting High CPU Usage on a Domain Controller" or "Troubleshooting Active Directory Replication Problems." Each section contains additional troubleshooting steps that allow you to further isolate the problem.

Prerequisites for Troubleshooting Active Directory


Before you begin troubleshooting Active Directory, ensure that you establish problem tracking prerequisites, review information about your IT environment, and become familiar with Active Directory concepts and services.

Problem Tracking Prerequisites


Have the following mechanisms in place to ensure timely problem detection, handling, and resolution:
Service desk (or help desk).
Incident and problem management processes.
Continuous monitoring software.

For more information about implementing a service desk and incident and problem management processes within your organization, see the Microsoft Operations Framework (MOF) link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. For more information about monitoring Active Directory, see "Monitoring Active Directory" in this guide.

Information About Your IT Environment


Ensure that the personnel performing Active Directory troubleshooting can easily access the following types of documentation:


Active Directory configuration, including replication-related configuration documentation.
Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), and IP configurations.
Application and service documentation (such as Exchange).
Administrative model.
Server placement and configurations.
Change management logs.

Active Directory Concepts and Services


Ensure that the personnel performing the troubleshooting have at least a basic understanding of Active Directory concepts and services. Active Directory concepts include the following areas:
Name resolution, including both DNS and NetBIOS name resolution with broadcasts, LMHOSTS files, and Windows Internet Name Service (WINS).
Replication (including Microsoft® Windows 2000 Server native mode and Microsoft® Windows NT® 4.0 emulation).
Time synchronization.
Group Policy and File Replication service (FRS).
Core Active Directory, including an understanding of the global catalog, domains, and forests.
Authentication (both Kerberos authentication and LAN Manager).
Active Directory Microsoft Management Console (MMC) snap-ins and Active Directory-related tools (including operating system, Support, and Resource Kit tools).

To discover the root cause of problems with Active Directory, ensure that the personnel performing troubleshooting understand common Active Directory operations like replication and password change and how the following processes and role holders are involved in these operations:
Operations master roles (including PDC emulator, relative identifier (RID) master, domain naming master, schema master, and infrastructure master).
Key Distribution Center (KDC).
Knowledge Consistency Checker (KCC).
Intersite Topology Generator (ISTG).
Time Reference Server (TRS).

Because Active Directory interacts with external services and protocols, such as TCP/IP for the transport protocol, DNS for name resolution, and FRS for file replication of Group Policy objects and logon scripts, accurately determining the cause of a problem and applying a solution becomes more complex. Effective troubleshooting requires a thorough knowledge of these and other protocols, as well as the diagnostic tools associated with each protocol. For more information about Active Directory, networking protocols, and tools, see the Microsoft® Windows® 2000 Server Resource Kit. You can obtain additional information by searching Microsoft.com and TechNet, or by taking advantage of MCSE training classes and books.

Tools for Troubleshooting Active Directory


Table 2.3 lists the tools that you can use to troubleshoot Active Directory, where the tools are found, and a brief description of the purpose of the tool. For information about installing the Windows 2000 Support Tools and the Windows 2000 Administrative Tools Pack, see Windows 2000 Server Help.

Table 2.3 Tools Used to Troubleshoot Active Directory

Tool | Location | Function
Active Directory Domains and Trusts snap-in | Windows 2000 Administrative Tools Pack | Administer domain trusts, add user principal name suffixes, and change the domain mode.
Active Directory Sites and Services snap-in | Windows 2000 Administrative Tools Pack | Administer the replication of directory data.
Active Directory Users and Computers snap-in | Windows 2000 Administrative Tools Pack | Administer and publish information in the directory.
ADSI Edit, MMC snap-in | Windows 2000 Support Tools | View, modify, and set access control lists (ACLs) on objects in the directory.
Backup Wizard | Windows 2000 operating system tool | Back up and restore data.
Control Panel | Windows 2000 | View and modify computer, application, and network settings.
Dcdiag.exe | Windows 2000 Support Tools and Windows 2000 Server Resource Kit | Analyze the state of domain controllers in a forest or enterprise; assist in troubleshooting by reporting any problems.
DNS snap-in | Windows 2000 Administrative Tools Pack | Manage DNS.
Dsastat.exe | Windows 2000 Support Tools | Compare directory information on domain controllers and detect differences.
Event Viewer | Windows 2000 Administrative Tools Pack | Monitor events recorded in event logs.
Ipconfig.exe | Windows 2000 operating system tool | View and manage network configuration.
Ldp.exe | Windows 2000 Support Tools | Perform Lightweight Directory Access Protocol (LDAP) operations against Active Directory.
Linkd.exe | Windows 2000 Server Resource Kit | Create, delete, update, and view the links that are stored in junction points.
MMC | Windows 2000 | Create, save, and open administrative tools (called MMC snap-ins) that manage hardware, software, and network components.
Netdiag.exe | Windows 2000 Server Resource Kit and Windows 2000 Support Tools | Check end-to-end network connectivity and distributed services functions.
Netdom.exe | Windows 2000 Support Tools | Allow batch management of trusts, joining computers to domains, and verifying trusts and secure channels.
Net use, start, stop, del, copy, time | Windows 2000 operating system tool | Perform common tasks on network services, including stopping, starting, and connecting to network resources.
Nltest.exe | Windows 2000 Support Tools | Verify that the locator and secure channel are functioning.
Ntdsutil.exe | Windows 2000 operating system tool | Manage Active Directory, manage single master operations, and remove metadata.
Ntfrsutl.exe | Windows 2000 Server Resource Kit | View and manage FRS configuration.
Performance Monitor | Windows 2000 operating system tool | View system performance data, performance logs and alerts, and trace log files.
Pathping.exe | Windows 2000 operating system tool | Trace a route from a source to a destination on a network, show the number of hops, and show packet loss.
Ping.exe | Windows 2000 operating system tool | Verify network connectivity.
Regedit.exe | Windows 2000 operating system tool | View and modify registry settings.
Repadmin.exe | Windows 2000 Support Tools | Verify replication consistency between replication partners, monitor replication status, display replication metadata, and force replication events and topology recalculation.
Replmon.exe | Windows 2000 Support Tools | Display replication topology, monitor replication status, and force replication events and topology recalculation.
Secedit.exe | Windows 2000 operating system tool | Manage Group Policy settings.
Services snap-in | Windows 2000 Administrative Tools Pack | Start, stop, pause, or resume system services on remote and local computers, and configure startup and recovery options for each service.
Setspn.exe | Windows 2000 Support Tools | Manage security principal names (SPNs).
Task Manager | Windows 2000 | View processes and performance data.
Terminal Services | Windows 2000 | Access and manage computers remotely.
W32tm | Windows 2000 operating system tool | Manage Windows Time Service.
Windows Explorer | Windows 2000 | Access files, Web pages, and network locations.

High-level Methodology for Troubleshooting Active Directory Problems


Your entry point into troubleshooting an Active Directory problem might be as straightforward as receiving an event in an event log or an alert from a monitoring system. If the event or alert specified the components that are involved in the problem, you can start troubleshooting the process or event by referring to the appropriate section later in this guide. However, if you are responding to a user call or a symptom noticed by IT personnel, you need to isolate the problem. You might also need to use the process in this section if previous troubleshooting efforts for an event or alert did not solve the problem. There is a possibility that you are not troubleshooting the correct combination of components. In any case, you need to be familiar with the high-level methodology that follows for troubleshooting Active Directory. This helps you to isolate the problem to the correct components, or identify a different set of components if necessary. Figure 2.1 shows the process for troubleshooting Active Directory.

Figure 2.1 Troubleshooting Active Directory


Documenting the Problem


Documenting the problem can reduce misunderstandings and help you resolve issues more quickly. It provides an accurate history that facilitates vendor involvement when necessary. This history also helps in the problem management process. If a particular problem keeps occurring, you can use past incident histories to identify and resolve the problem. How you begin to document the problem depends on whether you are using a monitoring system, which is a best practice for Active Directory operations. If you are not using a monitoring system, all of your help desk tickets will be generated when a dissatisfied user logs a complaint. At this point, you are reactively troubleshooting, and the problem is more urgent. Due to the nature of reactive problem-solving, you might experience a service disruption at a significant cost. It is important to use a monitoring system to avoid these costs. If you are following the best practices for operations and are using a monitoring system, usually the monitoring system proactively alerts you before an issue escalates to a service outage. A monitoring system is also likely to indicate the most common ways to resolve the problem. If you are alerted to a problem by the monitoring system, open a new help desk ticket and document all information raised by the alert, including the suggested remedies. Collect as much supporting information from the monitoring system as possible, including other alerts occurring on the same computer or other computers and services that might also be involved in the problem. Then open a problem ticket for the customer call and verify that you have enough information to proceed. Typically, you need information such as:

Date and time of occurrence.
Error message number and text.
Client information, including:
   Computer name for the client.
   User ID being used when the problem occurred.
   TCP/IP configuration.
   List of DNS servers that the client is configured to use.
   Operating system version, service pack, and any hot fixes.
Server information, including:
   Computer name for the server.
   TCP/IP configuration.
   Operating system version, service pack, and any hot fixes.
Network information, including:
   Domain name of the client.
   Domain name of the server.
Application name and related settings.
Service involved in the problem, such as network BIOS (NetBIOS), DNS, Server Message Block (SMB), and Lightweight Directory Access Protocol (LDAP).

In addition, identify whether:

The problem is repeatable. If so, include the steps taken to reproduce the problem.
Others are having the same problem.
Help desk is able to duplicate and verify the issue. Include any troubleshooting steps already taken by the help desk, such as using Ping to verify network connectivity to the client or server.


Important
If the problem was not reported by the monitoring system, first open a problem ticket to correct the gap in your monitoring coverage and then communicate the failure to the appropriate personnel. Information derived from troubleshooting this problem can provide the monitoring or problem management team with valuable insight to help detect and potentially prevent this problem in the future.

Note
When troubleshooting Active Directory, remember that the client is the computer that makes the request and the server is the computer that responds to the request. Thus, computers running Microsoft® Windows® 2000 Professional or Microsoft® Windows® 2000 Server can be either clients or servers, depending on whether they are initiating or responding to a request.

For more information about problem tickets, see the Microsoft Operations Framework (MOF) link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Identifying the Components Involved


Identify the specific components that are involved in the problem, including the clients, network paths, servers, and services. Taking time to properly identify the machines and the actual protocols or services involved minimizes the risk of wasting significant time trying to solve the wrong problems on the wrong computers. The information you obtained while documenting the problem is a good starting point, but the problem might require additional investigation to ensure that you have identified the correct components. Identifying the right components can be easy, such as when a workstation makes an LDAP call to a domain controller. However, it can also be much more complex, such as when a workstation that issues a net use command to a file server receives an "Access Denied" error message. In this last case, the workstation is clearly the client because it initiated the request. The other most apparent components (server and service) involved are the file server that received the request, and the SMB Service (the file and print access protocol used by Windows 2000). However, an entirely different server and service might also be causing the problem. Consider the problems that can occur when connecting to the server:
DNS or WINS might not return the correct IP address for the intended server to the client. This indicates a name resolution problem, which involves a different server and service.
If the client is using Kerberos authentication as the authentication protocol, the Key Distribution Center (KDC) could be returning an error. This might indicate a time synchronization problem, which involves the KDC and the Windows Time Service.

Know the required steps for all of the protocols and services to function successfully, and be familiar with the common breaking points for each step.

Verifying Client Health


Because all client/server communications begin with the client issuing a request, start the troubleshooting process by verifying the health of the client computer that you identified in the previous step. The client must be correctly configured, connected to the network, and functioning properly. To verify the client health, perform the following tests:
Verify that the client is connected to the local area network (LAN). Verify that network cables and hubs are firmly connected, and that any status indicators on network adapters and hubs are reporting activity.
Use Performance Monitor to ensure that the client's CPU usage is not too high.
Verify network configuration for the client. Verify that the client's IP configuration settings, including DNS and WINS settings, are correct. Resolve any problems before continuing.

Client health problems are generally simple to fix. If you find a problem at this point, correct it before proceeding. For more information about troubleshooting client health problems, see the Operations Guide of the Microsoft® Windows® 2000 Server Resource Kit. For more information about troubleshooting networking problems, see the TCP/IP Core Networking Guide of the Windows 2000 Server Resource Kit.

Verifying Network Path


Verify that the network path between the client and server is properly working. Although the problem ticket might indicate that the help desk was able to reach the server, the client is most likely on a different network segment, so verify the network path again from the client. You can either perform the following tests at the client, or use Terminal Services or Remote Assistance from your current location to issue the commands from the client. Perform the following tests:
Verify network configuration. Ensure that the IP configuration is what it should be, according to your records.
Verify network connectivity between the client and the server by using the IP address of each computer. If connectivity is a problem, open a new problem ticket as described earlier. Perimeter firewalls, IPSec, network address translation (NAT) between the client and server, or personal firewalls like those included in Windows XP Professional can cause connectivity problems.
If you cannot verify that the server received a request, or that the client received the response, use Network Monitor (NetMon) to perform a trace at the client and server. For more information about using Network Monitor, see "Monitoring Network Performance" in the Operations Guide of the Windows 2000 Server Resource Kit.

For more information about troubleshooting network problems, see the TCP/IP Core Networking Guide of the Windows 2000 Server Resource Kit.

Verifying Server Health


To verify server health, perform the same verification tests on the server that you do on the client, to make sure that the server is configured correctly, connected to the network, and functioning properly. Perform the following steps:
Verify that the server is connected to the LAN. Verify that network cables and hubs are firmly connected, and that any status indicators on network adapters and hubs are reporting activity.
Verify network configuration. Verify that IP configuration settings, including DNS and WINS settings, are correct. Resolve any problems before continuing.
Verify network connectivity. If any of the Ping or Pathping tests fail, see "TCP/IP Troubleshooting" in the TCP/IP Core Networking Guide of the Windows 2000 Server Resource Kit.

For more information about troubleshooting server health problems, see the Operations Guide of the Windows 2000 Server Resource Kit. For more information about troubleshooting networking problems, see the TCP/IP Core Networking Guide of the Windows 2000 Server Resource Kit.

Verifying Service Health


For the service that you have identified, verify that the:
Service is installed properly on the server.
Service is running.
User has permissions to make the request.

In addition, view the service event log (typically, the application event log). If you find any warning or error events in the event log, determine the source and refer to the corresponding section in this guide for further troubleshooting procedures. If the event is not discussed in this guide, search the Microsoft Knowledge Base. To search the Microsoft Knowledge Base, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. For more information about troubleshooting service health problems, see the Operations Guide of the Windows 2000 Server Resource Kit.

Iterate the Troubleshooting Process


If the components that you initially identified do not reveal the root cause of the problem, you must identify additional components involved in the problem. Identify the next client, server, or service that might be involved in the problem and verify the health of each of those components until you reach the actual source of the problem. You might need to iterate the process for troubleshooting Active Directory on several different components before you successfully identify the root cause. In this case, you must "walk the chain," or repeat the troubleshooting process on each component that might be involved in the problem. Consider the following example, where you must iterate the troubleshooting process to identify the correct components. A company has four domain controllers (DC1, DC2, DC3, and DC4). DC1 replicates to DC2, DC2 replicates to DC3, and DC3 replicates to DC4 (this is referred to as transitive replication). An administrator adds a user to Active Directory at DC1. Several hours later, the change still has not replicated to DC4. You initially identify DC3 and DC4 as the client and server involved. Your troubleshooting indicates that DC3 did not replicate the change to DC4. After verifying the health of the client, the network, the server, and replication, you determine that they are working properly. You must then iterate the troubleshooting process, but with the next link in the chain: DC2 and DC3. If this pair is working properly, then you need to verify DC1 and DC2. Applying a structured approach to the troubleshooting process helps you methodically find the root cause of any distributed systems problem, regardless of the client, server, or service involved.
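The "walk the chain" iteration above, written out as an added example (not the guide's own code) that generalises the DC1 to DC4 scenario to any replication path: each link is checked in the guide's client, network path, server, service order, starting at the pair where the symptom was seen, and every check tried is logged for the problem ticket. The probe and the fault it reports are constructed in-memory; a real probe would wrap ping, pathping, dcdiag and repadmin results.

```python
"""Added example (not from the guide): generalise the "walk the chain"
iteration so any replication path can be checked link by link, far end first,
with the guide's client / network path / server / service order per link.
The probe is constructed in-memory; a real one would wrap ping, pathping,
dcdiag and repadmin results.
"""

# Verification order per link, as the methodology above prescribes.
CHECK_ORDER = ("client", "network path", "server", "service")


def links_from_far_end(chain):
    """DC1 -> DC2 -> DC3 -> DC4 yields [(DC3, DC4), (DC2, DC3), (DC1, DC2)]:
    start at the pair where the symptom was observed and walk back."""
    pairs = list(zip(chain, chain[1:]))
    pairs.reverse()
    return pairs


def walk_chain(chain, probe):
    """Iterate over the links until a check fails.

    probe(check, client, server) returns True when that check passes.
    Returns (finding, log): finding is (client, server, check) for the first
    failed check, or None if every link is healthy; log records every check
    tried as (client, server, check, ok), the history for the problem ticket.
    """
    log = []
    for client, server in links_from_far_end(chain):
        for check in CHECK_ORDER:
            ok = probe(check, client, server)
            log.append((client, server, check, ok))
            if not ok:
                return (client, server, check), log
    return None, log


# Constructed fault for the guide's scenario: DC3 and DC4 check out, but the
# network path from DC2 to DC3 is broken, so the user added at DC1 never reaches DC4.
FAULTS = {("network path", "DC2", "DC3")}


def constructed_probe(check, client, server):
    """Stand-in for real health checks: fails only on the constructed fault."""
    return (check, client, server) not in FAULTS


if __name__ == "__main__":
    finding, log = walk_chain(["DC1", "DC2", "DC3", "DC4"], constructed_probe)
    for client, server, check, ok in log:
        print(f"{client} -> {server}: {check} {'OK' if ok else 'FAILED'}")
    print("root cause link:", finding)
```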

Troubleshooting High CPU Usage on a Domain Controller


If your monitoring system reports high CPU usage on a domain controller, or if you noticed high CPU usage while verifying the health of a domain controller, follow the troubleshooting process in this section. Figure 2.2 shows the high-level process for troubleshooting high CPU usage on a domain controller. This high-level process for troubleshooting high CPU usage on a domain controller helps you determine the cause of high CPU usage and leads to more detailed troubleshooting tasks.

Figure 2.2 Troubleshooting High CPU Usage on a Domain Controller


Troubleshooting High CPU Usage by Processes


Figure 2.3 shows the process for troubleshooting processes or services that cause high CPU usage.

Figure 2.3 Troubleshooting High CPU Usage by Processes


Procedures for Troubleshooting Services that Consume High CPU


1. Using Task Manager, determine whether high CPU usage is caused by Lsass.exe. If it is, go to the next step in the flowchart for troubleshooting high CPU usage on a domain controller, "Troubleshooting High CPU Usage on a PDC Emulator." If high CPU usage is not caused by Lsass.exe, continue with the following steps.
2. In Task Manager, determine which service is causing the problem.
3. If the problem is caused by backup or virus scan software, wait for the service to complete, and consider rescheduling the service for nonpeak usage hours. If possible, change configuration settings on the software to optimize CPU usage.
4. If another service is consuming high CPU, refer to the product documentation to troubleshoot that service.

Troubleshooting High CPU Usage on a PDC Emulator


If Lsass.exe is causing high CPU usage, determine if the domain controller is the PDC emulator. If it is, follow the process shown in Figure 2.4 for troubleshooting high CPU usage on a PDC emulator. If the domain controller is not the PDC emulator, go to the next step in the flowchart (Figure 2.4) for troubleshooting high CPU usage on a domain controller, "Troubleshooting High CPU Usage on a Global Catalog Server."


Figure 2.4 Troubleshooting High CPU Usage on a PDC Emulator

Procedures for Troubleshooting High CPU Usage on a PDC Emulator


1. To determine whether the domain controller is a PDC emulator, view the current operations master role holders. If it is a PDC emulator, continue with the following steps.
2. Use the procedure to transfer the domain-level operations master roles to transfer the PDC emulator role to another domain controller.
3. If the problem still exists on the original server after transferring the PDC emulator role, see "Troubleshooting Server-Related High CPU Usage" in this guide.


4. If the problem still exists on the PDC emulator in its new location, determine whether account lockout policy is defined on this domain. If account lockout is defined:
   a. Confirm that all of the available patches are installed. If needed, contact Microsoft Product Support Services for this information.
   b. Enable auditing on the PDC emulator. Find and remove any bad service accounts.
5. If you are using Systems Management Server (SMS), ensure that you have installed the most current SMS service packs.
6. If you have Windows NT 4.0-based BDCs and clients that are running Windows 2000 Professional or Windows XP Professional, perform the following tasks:
   a. In Performance Monitor, examine the "logon total" and "logon/sec" counters for the server object under System Monitor. Do this on different domain controllers in your environment, especially on subnets that contain both Windows 2000-based and Windows NT 4.0-based domain controllers. Compare these numbers on the different domain controllers to determine if any Windows 2000-based domain controller is overloaded with a large number of authentication requests.
   b. Member computers that are running Windows 2000 and Windows XP authenticate exclusively with Active Directory domain controllers in a domain once the domain controllers are discovered by the member computers. If a Windows 2000-based domain controller is overloaded because the number of upgraded domain controllers in the domain is not yet sufficient to withstand requests from all upgraded clients, you can alleviate the problem by adding Windows 2000-based domain controllers. If necessary, configure Windows NT 4.0 emulation for each Windows 2000-based domain controller in order to stop the overloading effect until enough domain controllers have been upgraded. Rejoin the clients that have discovered up-level domain controllers to the domain. During your upgrade process, first upgrade domain controllers in locations with large populations of clients that are running Windows XP and Windows 2000. You also need to rejoin all Windows 2000-based and Windows XP-based domain members. In the rejoin procedure, specify a NetBIOS name for the domain. Until the domain members are rejoined, they cannot contact any domain controllers in the domain.
   c. Configure Windows NT 4.0 emulation for some computers. You can configure computers that run Windows 2000 Service Pack 2 (SP2) or later to inform domain controllers that are running in Windows NT 4.0 emulation mode to not use Windows NT 4.0 emulation mode when they respond to requests from those computers.
7. If you are still experiencing problems, see "Reducing the Workload on the PDC Emulator" in this guide for more information about changing DNS weight or priority registry settings to reduce the workload for the PDC emulator.


Troubleshooting High CPU Usage on a Global Catalog Server


If Lsass.exe is causing high CPU usage on a domain controller that is not the PDC emulator, determine if the domain controller is also a global catalog server. If it is, follow the process shown in Figure 2.5 for troubleshooting high CPU usage on a global catalog server. If the domain controller is not a global catalog server, return to the next step in the high-level flowchart earlier in this section for troubleshooting high CPU usage on a domain controller.

Figure 2.5 Troubleshooting High CPU Usage on a Global Catalog Server

Procedures for Troubleshooting High CPU Usage on a Global Catalog Server


1. Determine whether the domain controller is a global catalog server. If it is, continue with the following steps.
2. See "Managing Global Catalog Servers" in this guide for background information and prescriptive guidance about global catalog servers. If you do not have enough global catalog servers in your environment, add a global catalog server.
3. Determine whether this is a bridgehead server. If Intersite Messaging (ISM) is off, start ISM. If necessary to manage a large number of connections, configure additional bridgehead servers.


Troubleshooting High CPU Usage Caused by Excessive Client Load


If Lsass.exe is causing high CPU usage on a domain controller that is not a PDC emulator or a global catalog server, disconnect the network cable. If CPU usage remains high after disconnecting the network cable, return to the next step in the flowchart for troubleshooting high CPU usage on a domain controller, "Troubleshooting Server-Related High CPU Usage." If CPU usage is at or near 0% after disconnecting the network cable, follow the process shown in Figure 2.6 for troubleshooting high CPU usage caused by excessive client loads.

Figure 2.6 Troubleshooting High CPU Usage Caused by Excessive Client Load

Procedures for Troubleshooting Client Load-Related High CPU Usage


1. Review Best Practice Active Directory Deployment for Managing Windows Networks to determine proper hardware configuration. If your hardware is not adequate, resize the server. To review the best practice guidelines, see the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Search under "Planning & Deployment Guides" and download Best Practice Active Directory Deployment for Managing Windows Networks.
2. Verify network configuration and ensure that the DNS settings are correct. Ensure that the DNS weight and priority registry settings that are set for load balancing are correct.
3. Use Adperf.exe to determine the problem.
   a. If Adperf reveals searches that are consuming high CPU, turn on inefficient LDAP queries logging to identify a bad application or indexing.
   b. If Adperf shows that a small set of clients is causing a high server load, troubleshoot the clients. An application problem is most likely causing the high CPU usage.
   c. If Adperf shows that a small set of users is causing a high server load, determine what actions they are performing to cause the load.
4. If you have Windows NT 4.0 BDCs and Windows 2000 Professional or Windows XP Professional clients, do the following:
   a. Configure Windows NT 4.0 emulation. If a Windows 2000-based domain controller is overloaded because the number of upgraded domain controllers in the domain is not yet sufficient to withstand requests from all upgraded clients, and if it is not already configured for Windows NT 4.0 emulation mode, configure the domain controller for Windows NT 4.0 emulation in order to stop the overloading effect until enough domain controllers have been upgraded. During your upgrade process, first upgrade domain controllers in locations with large populations of clients that are running Windows XP and Windows 2000. You also need to rejoin all Windows 2000-based and Windows XP-based domain members. In the rejoin procedure, specify a NetBIOS name for the domain. Until the domain members are rejoined, they cannot contact any domain controllers in the domain.
   b. Modify Windows NT 4.0 emulation for some computers. You can configure computers that run Windows 2000 SP2 to inform domain controllers that are running in Windows NT 4.0 emulation mode to not use it when they respond to requests from those computers.
5. If this is a sudden increase in CPU usage, reconfigure or resize the server.

Troubleshooting Server-Related High CPU Usage


If CPU usage on the domain controller remains high after disconnecting the network cable, follow the process shown in Figure 2.7 for troubleshooting high CPU usage caused by problems on the server.

Figure 2.7 Troubleshooting Server-Related High CPU Usage


Procedures for Troubleshooting Server-Related High CPU Usage


1. Enable Active Directory diagnostic event logging for garbage collection and security descriptor propagator (SDProp). If the number of security suboperations per second is greater than zero, wait for the process to complete. Depending on the number of objects, the amount of time it takes to complete can vary.
2. Use Adperf.exe to determine the problem.
3. Either determine what process is causing the problem, or resize the server if inadequate hardware resources are causing the problem.

Troubleshooting Active Directory-Related DNS Problems


Active Directory functionality depends on the proper configuration of the DNS infrastructure. This includes the following:
• DNS client configuration, including domain controllers, domain members, and other computers.
• DNS server and zone configuration and proper delegations in parent DNS zones.
• Presence of DNS domain controller locator records.

Table 2.4 shows the DNS records that are required for proper Active Directory functionality.

Table 2.4 Required DNS Records

Mnemonic    | Type  | DNS Record                                  | Requirements
Pdc         | SRV   | _ldap._tcp.pdc._msdcs.<DnsDomainName>       | One per domain
Gc          | SRV   | _ldap._tcp.gc._msdcs.<DnsForestName>        | At least one per forest
GcIpAddress | A     | _gc._msdcs.<DnsForestName>                  | At least one per forest
DsaCname    | CNAME | <DsaGuid>._msdcs.<DnsForestName>            | One per domain controller
Kdc         | SRV   | _kerberos._tcp.dc._msdcs.<DnsDomainName>    | At least one per domain
Dc          | SRV   | _ldap._tcp.dc._msdcs.<DnsDomainName>        | At least one per domain
            | A     | <DomainControllerFQDN>                      | One per domain controller (domain controllers that have multiple IP addresses can have more than one A resource record)

Following the best practices recommendations regarding DNS configuration from the beginning of the deployment is key for successful Active Directory deployment and operations. For more information about best practices for Active Directory design and deployment, see the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Search under "Planning & Deployment Guides" and download Best Practice Active Directory Design for Managing Windows Networks and Best Practice Active Directory Deployment for Managing Windows Networks. For comprehensive information about troubleshooting DNS problems, see "Windows 2000 DNS" in the TCP/IP Core Networking Guide of the Windows 2000 Server Resource Kit. For more information about troubleshooting WINS name resolution problems, see "Windows Internet Name Service" in the TCP/IP Core Networking Guide of the Windows 2000 Server Resource Kit. For an online version of this book, see http://www.microsoft.com/windows2000/reskit. Table 2.5 shows common events and symptoms that indicate DNS problems and points to sections where solutions can be found.
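The record set in Table 2.4 can be checked mechanically against a zone snapshot. The following is an added example and not code from this guide: the zone contents, domain names, DSA GUID, addresses and the HostA mnemonic are constructed stand-ins, and only the record names and requirements come from Table 2.4.

```python
"""Check a DNS zone snapshot for the domain controller locator records of Table 2.4.

Added example; this is not code from the Active Directory Operations Guide. The
zone snapshot, domain names, DSA GUID and addresses are constructed stand-ins.
In practice you would fill the snapshot from your DNS server (or use
dcdiag /test:registerindns as the guide describes); only the record rules come
from Table 2.4.
"""
from collections import namedtuple

Required = namedtuple("Required", "mnemonic rtype name requirement")


def required_records(dns_domain, dns_forest, dsa_guid, dc_fqdn):
    """Table 2.4 instantiated for one domain controller.

    'HostA' is a placeholder mnemonic for the DC's own A record, which the
    table lists without a mnemonic.
    """
    return [
        Required("Pdc", "SRV", f"_ldap._tcp.pdc._msdcs.{dns_domain}", "One per domain"),
        Required("Gc", "SRV", f"_ldap._tcp.gc._msdcs.{dns_forest}", "At least one per forest"),
        Required("GcIpAddress", "A", f"_gc._msdcs.{dns_forest}", "At least one per forest"),
        Required("DsaCname", "CNAME", f"{dsa_guid}._msdcs.{dns_forest}", "One per domain controller"),
        Required("Kdc", "SRV", f"_kerberos._tcp.dc._msdcs.{dns_domain}", "At least one per domain"),
        Required("Dc", "SRV", f"_ldap._tcp.dc._msdcs.{dns_domain}", "At least one per domain"),
        Required("HostA", "A", dc_fqdn, "One per domain controller"),
    ]


def check_locator_records(zone, dns_domain, dns_forest, dsa_guid, dc_fqdn, dc_ip,
                          is_pdc_emulator=False, is_global_catalog=False):
    """Return (missing, not_pointing_here), two lists of Table 2.4 mnemonics.

    zone maps a lowercase owner name to a list of (rtype, rdata) tuples, where
    rdata is the target host for SRV and CNAME records and the address for A
    records.

    missing: no record of the required type exists at all, so no client can
    locate that role in the domain or forest.
    not_pointing_here: the record exists but does not advertise this DC, which
    is how a registration failure on this DC (Netlogon 5774/5775/5781) looks
    from the zone's side. Pdc, Gc and GcIpAddress are only expected to point
    here when this DC holds that role.
    """
    role_held = {"Pdc": is_pdc_emulator, "Gc": is_global_catalog,
                 "GcIpAddress": is_global_catalog}
    missing, not_pointing_here = [], []
    for rec in required_records(dns_domain, dns_forest, dsa_guid, dc_fqdn):
        rdata = {data.lower() for rtype, data in zone.get(rec.name.lower(), [])
                 if rtype == rec.rtype}
        if not rdata:
            missing.append(rec.mnemonic)
        elif role_held.get(rec.mnemonic, True):
            expected = dc_ip if rec.rtype == "A" else dc_fqdn
            if expected.lower() not in rdata:
                not_pointing_here.append(rec.mnemonic)
    return missing, not_pointing_here


# Constructed zone snapshot: dc1 (a global catalog, not the PDC emulator) has
# registered everything except its Kdc SRV record and its _gc A record.
SAMPLE_ZONE = {
    "_ldap._tcp.pdc._msdcs.corp.example.com": [("SRV", "dc2.corp.example.com")],
    "_ldap._tcp.gc._msdcs.example.com": [("SRV", "dc1.corp.example.com"),
                                         ("SRV", "dc2.corp.example.com")],
    "_gc._msdcs.example.com": [("A", "10.0.0.6")],
    "11111111-2222-3333-4444-555555555555._msdcs.example.com":
        [("CNAME", "dc1.corp.example.com")],
    "_kerberos._tcp.dc._msdcs.corp.example.com": [("SRV", "dc2.corp.example.com")],
    "_ldap._tcp.dc._msdcs.corp.example.com": [("SRV", "dc1.corp.example.com"),
                                              ("SRV", "dc2.corp.example.com")],
    "dc1.corp.example.com": [("A", "10.0.0.5")],
}


def check_sample():
    """Run the check for dc1 against the constructed snapshot."""
    return check_locator_records(
        SAMPLE_ZONE, "corp.example.com", "example.com",
        "11111111-2222-3333-4444-555555555555", "dc1.corp.example.com", "10.0.0.5",
        is_pdc_emulator=False, is_global_catalog=True)


if __name__ == "__main__":
    missing, stale = check_sample()
    print("missing entirely:", missing)      # []
    print("not advertising dc1:", stale)     # ['GcIpAddress', 'Kdc']
```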


Table 2.5 Netlogon Events that Indicate DNS Problems

Event or Symptom: Netlogon Event ID 5774
Root Cause: The domain controller cannot dynamically register DNS records that advertise its availability as a domain controller.
Solution: Troubleshoot domain controller locator DNS records registration failure.

Event or Symptom: Netlogon Event ID 5775
Root Cause: The domain controller cannot dynamically register DNS records that advertise its availability as a domain controller.
Solution: Troubleshoot domain controller locator DNS records registration failure.

Event or Symptom: Netlogon Event ID 5781
Root Cause: The domain controller cannot dynamically register DNS records that advertise its availability as a domain controller.
Solution: Troubleshoot domain controller locator DNS records registration failure.

Event or Symptom: Netlogon Event ID 5783
Root Cause: The source server listed in the error message was unable to complete a remote procedure call (RPC) call to the destination server. Most commonly, this means that either the source server could not locate the server in DNS or the RPC interface on the destination server is not working.
Solution: If the source server could not locate the server in DNS, troubleshoot Active Directory replication failure due to incorrect DNS configuration. If this is not a DNS problem, troubleshoot RPC problems.

Event or Symptom: Active Directory Installation Wizard failed because it was unable to locate a domain controller
Root Cause: In order to add a server to an existing forest, the Active Directory Installation Wizard must be able to find a domain controller in the domain or the forest.
Solution: Troubleshoot Active Directory Installation Wizard failure to locate domain controller.

Event or Symptom: Unable to join a domain
Root Cause: The failure might be due to being unable to locate a domain controller, which usually indicates DNS problems.
Solution: Troubleshoot failure to locate domain controller when attempting to join a domain.


Troubleshooting Active Directory Replication Failure Due to Incorrect DNS Configuration


Improper DNS configuration can lead to a wide variety of failures, because all Active Directory services depend on the ability of the devices to locate domain controllers, which is performed through DNS queries.

Procedures for Troubleshooting Active Directory Replication Failure Due to Incorrect DNS Configuration
1. Verify DNS records and determine whether all the necessary DNS records of the source domain controller exist in the DNS server used by the destination domain controller.
2. If the destination domain controller is able to resolve the necessary DNS records, the problem is most likely with network connectivity or a stopped or malfunctioning Active Directory-related service. Use the Ping command to verify network connectivity between the source domain controller and the destination domain controller. If the Ping command fails, you must troubleshoot network connectivity between the source domain controller and the destination domain controller. For more information about troubleshooting network connectivity, see "TCP/IP Troubleshooting" in the TCP/IP Core Networking Guide of the Windows 2000 Server Resource Kit. If you are able to ping the destination domain controller, troubleshoot Active Directory-related services. Verify that they are started and functional. For more information about troubleshooting Active Directory-related services, see "Verifying Service Health" in this guide, or see the individual sections in this guide for each service. If you are unable to resolve the problem, contact either your designated support provider or Microsoft Product Support Services.
3. If the destination domain controller is not able to resolve the necessary DNS records, then the problem is most likely with DNS configuration.
   a. Verify network configuration to ensure that the preferred and alternate DNS server settings specified in the IP configuration of the destination domain controller are correct. For more information about correct DNS server settings for Active Directory, see the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Search under "Planning & Deployment Guides" and download Best Practice Active Directory Design for Managing Windows Networks and Best Practice Active Directory Deployment for Managing Windows Networks.
   b. If the settings for the destination domain controller are incorrect, change the configuration, flush the DNS cache, and retry the operation that failed.
      - or -
      If the client settings for the destination domain controller are configured correctly, verify that the primary zone that is authoritative for the CNAME resource record for <DSAGuid>._msdcs.<ForestName> allows dynamic updates. (DSAGuid is the value of the objectGUID attribute of the NTDS Settings container for the Server object corresponding to the source domain controller.) At a command prompt on the source domain controller, type the following command and press ENTER:

      dcdiag /test:registerindns /dnsdomain

      If the primary zone that is authoritative for the CNAME resource record does not allow dynamic updates, enable secure dynamic updates on this zone. Repeat this step for the A resource record of the source domain controller.
   c. Verify network configuration to ensure that the preferred and alternate DNS server settings specified in the IP configuration of the source domain controller are correct. For more information about correct DNS server settings for Active Directory, see the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Search under "Planning & Deployment Guides" and download Best Practice Active Directory Design for Managing Windows Networks and Best Practice Active Directory Deployment for Managing Windows Networks.
   d. If the settings for the source domain controller are incorrect, change the configuration, flush the DNS cache, and stop and start the Net Logon service.
   e. Verify that the required DNS resource records are registered on the destination domain controller. At a command prompt, type the following command and press ENTER:

      dcdiag /test:connectivity

   f. Flush the DNS cache and retry replication.
4. If the problem continues, it might be due to a problem with DNS data replication. Review your DNS design to determine whether it includes end-to-end DNS replication. Determine whether DNS replication is failing due to an Active Directory replication failure. For more information about detecting and troubleshooting an Active Directory replication failure, see "Troubleshooting Active Directory Replication" in this guide.
5. If the problem continues, configure the IP settings of the affected domain controllers so that they all have the same primary and secondary DNS servers. Then stop and start Net Logon, flush the DNS cache, and retry the operation that failed. This is a temporary configuration that you can use to recover from the failure, but be sure to return to the original configuration that you designed based on the recommendations provided in Best Practice Active Directory Design for Managing Windows Networks. For more information about correct DNS server settings for Active Directory, see the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Search under "Planning & Deployment Guides" and download Best Practice Active Directory Deployment for Managing Windows Networks.
6. If the problem continues, see more DNS troubleshooting information in "Windows 2000 DNS" in the TCP/IP Core Networking Guide of the Windows 2000 Server Resource Kit.

Troubleshooting Domain Controller Locator DNS Records Registration Failure


Presence of the event IDs 5774, 5775, or 5781 logged by the Net Logon service in the System Event Log indicates that the corresponding domain controller cannot dynamically register DNS records that advertise its availability as a domain controller. The consequence of this failure is that domain controllers, domain members, and other devices cannot locate this domain controller. As a result, other domain controllers might not be able to replicate from this domain controller. In addition, other computers might not be able to join this domain, and you might not be able to add other domain controllers to this domain (unless other domain controllers for this domain have successfully registered domain controller Locator DNS records).

Procedures for Troubleshooting Domain Controller Locator DNS Records Registration Failure

1. Verify network configuration to ensure that the preferred and alternate DNS servers specified in the IP configuration of the domain controller are correct. For more information about correct DNS settings, see the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Search under "Planning & Deployment Guides" and download Best Practice Active Directory Design for Managing Windows Networks and Best Practice Active Directory Deployment for Managing Windows Networks. If the problem persists, continue to the next step.
2. At a command prompt, type the following command and press ENTER:

   dcdiag /test:registerindns /dnsdomain:FQDN /v

3. Follow the recommendations provided in the output.

Troubleshooting Active Directory Installation Wizard Failure to Locate Domain Controller


To install Active Directory on a server in an existing Active Directory forest, the server must be able to locate a domain controller for the same domain (if you are adding a domain controller to an existing domain) or for the forest root domain.

Procedures for Troubleshooting Active Directory Installation Wizard Failure to Locate Domain Controller

1. Verify network configuration to ensure that the preferred and alternate DNS servers specified in the IP configuration of the server that is being promoted are correct. For more information about correct DNS settings, see the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Search under "Planning & Deployment Guides" and download Best Practice Active Directory Design for Managing Windows Networks and Best Practice Active Directory Deployment for Managing Windows Networks. If the problem persists, continue to the next step.
2. At a command prompt, type one of the following commands and press ENTER:

   dcdiag /test:dcpromo /dnsdomain:FQDN /NewTree /ForestRoot:Forest_Root_Domain_DNS_Name /v
   dcdiag /test:dcpromo /dnsdomain:FQDN /ChildDomain /v
   dcdiag /test:dcpromo /dnsdomain:FQDN /ReplicaDC /v

   This tests the existing DNS infrastructure to see whether a domain controller can be promoted.
3. Follow the recommendations provided in the output.

Troubleshooting Failure to Locate Domain Controller when Attempting to Join a Domain


Failure to join a computer to an existing Active Directory domain because the computer cannot locate a domain controller for the domain is usually caused by incorrect DNS configuration.

Procedures for Troubleshooting Failure to Locate Domain Controller when Attempting to Join a Domain

1. Verify network configuration to ensure that the preferred and alternate DNS servers specified in the IP configuration of the computer attempting to join the domain are correct. For more information about correct DNS settings, see the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Search under "Planning & Deployment Guides" and download Best Practice Active Directory Design for Managing Windows Networks and Best Practice Active Directory Deployment for Managing Windows Networks. If there is still a problem, continue to the next step.
2. At a command prompt, type the following and press ENTER:

   netdiag /test:dsgetdc /d:DomainName /v

3. If any of the tests fail, follow the recommendations provided in the output.

Troubleshooting FRS

FRS supports a multimaster file replication model in which any computer can originate or accept changes to any other computer taking part in the replication configuration. Before you troubleshoot FRS problems, understand the following characteristics of multimaster file replication:
• Be aware of how changes made in replicated file areas, including the bulk reset of permissions or other file attributes by administrators or applications, can affect bandwidth. Any changes to the file system will eventually occur on all other members of the replication set.
• Do not try to speed up the process by making the same change on other FRS replication partners. This could result in data errors.
• If, after modifying a file, you notice that it has somehow reverted back to a previous version, another operator or application might be making changes in the same area, overwriting the earlier changes. In this case, try to find the other operator or application that is causing the problem.
• Any files that you delete on one member will be deleted on all other members.
• If you rename a file or folder so that it is moved out of the replication tree, FRS will treat it as a deletion on the other replication set members because the file or folder has disappeared from the scope of the replica set.
• If two operators create a file or folder at the same time (or before the change has replicated), the file or folder will "morph," or receive a modified name, such as folder_ntfrs_012345678. FRS behaves this way in order to avoid data loss in such situations.
• Keep the FRS service running at all times in order to avoid a journal wrap condition.

Table 2.6 shows common events and symptoms that indicate FRS problems and the solution or action required.

Table 2.6 Events and Symptoms that Indicate FRS Problems

Event or Symptom: FRS Event ID 13508
Root Cause: FRS was unable to create an RPC connection to a replication partner.
Solution: If this message is not followed by an FRS event ID 13509, troubleshoot FRS event ID 13508 without FRS event ID 13509.

Event or Symptom: FRS Event ID 13509
Root Cause: FRS was able to create an RPC connection to a replication partner.
Solution: No action required.

Event or Symptom: FRS Event ID 13511
Root Cause: The FRS database is out of disk space.
Solution: Treat this as a priority 1 problem. Troubleshoot FRS event ID 13511.

Event or Symptom: FRS Event ID 13522
Root Cause: The staging area is full.
Solution: If you are using Windows 2000 SP2 or earlier, treat this as a priority 1 problem. If you are using SP3, treat this as a priority 3 problem. Troubleshoot FRS event ID 13522.

Event or Symptom: FRS Event ID 13526
Root Cause: The SID cannot be determined from the distinguished name.
Solution: Treat this as a priority 1 problem. Troubleshoot FRS event ID 13526.

Event or Symptom: FRS Event ID 13548
Root Cause: System clocks are too far apart on replica members.
Solution: Treat this as a priority 1 problem. Troubleshoot FRS event ID 13548.

Event or Symptom: FRS Event ID 13557
Root Cause: Duplicate connections are configured.
Solution: Treat this as a priority 1 problem. Troubleshoot FRS event ID 13557.

Event or Symptom: FRS Event ID 13567
Root Cause: Excessive replication was detected and suppressed.
Solution: Treat this as a priority 2 problem. Troubleshoot FRS event ID 13567.

Event or Symptom: FRS Event ID 13568
Root Cause: Journal wrap error.
Solution: If you are using Windows 2000 SP2 or earlier, treat this as a priority 2 problem. If you are using SP3, treat this as a priority 1 problem. Troubleshoot FRS event ID 13568.

Event or Symptom: Files are not replicating
Root Cause: Files can fail to replicate for a wide range of underlying reasons: DNS, file and folder filters, communication issues, topology problems, insufficient disk space, FRS servers in an error state, or sharing violations.
Solution: Troubleshoot files not replicating.

Event or Symptom: Modified folder names on other domain controllers
Root Cause: If duplicate folders are manually created on multiple domain controllers before they have been able to replicate, FRS preserves content by "morphing" folder names of the last folders to be created.
Solution: Troubleshoot morphed folders.

Event or Symptom: SYSVOL data appears on domain controllers, but the \\<domain>\SYSVOL share appears to be empty
Root Cause: SYSVOL folders include a reparse point that points to the correct location of the data. You must take special steps to recover a deleted reparse point.
Solution: Troubleshoot the SYSVOL directory junction.

Event or Symptom: Excessive disk or CPU usage by FRS
Root Cause: A service or application is unnecessarily changing all or most of the files in a replica set on a regular basis. For example, an antivirus software package might be rewriting the ACL on many files, causing FRS to replicate these files unnecessarily.
Solution: Troubleshoot excessive disk and CPU usage by NTFRS.exe.

General Procedures for Troubleshooting FRS Problems


For troubleshooting FRS, you can use the Ntfrsutl.exe tool in the Windows 2000 Resource Kit. With Ntfrsutl, you can do the following:
• Show the FRS configuration in Active Directory.
• List the active replica sets in a domain.
• Show the ID table, inbound log, or outbound log for a computer hosting FRS.
• Examine memory usage by FRS.
• List the application programming interface (API) and version number for FRS.
• Poll immediately, quickly, or slowly for changes to the FRS configuration.

Ntfrsutl can be used on remote computers, so you can get status information of any member of a replica set from a single console. For more information about troubleshooting FRS, see the File Replication Service (FRS) link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Troubleshooting FRS Event 13508 without FRS Event 13509

FRS event ID 13508 is a warning that the FRS service has been unable to complete the RPC connection to a specific replication partner. It indicates that FRS is having trouble enabling replication with that partner and will keep trying to establish the connection.


Note
If FRS is stopped after an event ID 13508 is logged and then later started at a time when the communication issue has been resolved, event ID 13509 will not appear in the event log. In this case, look for an event indicating that FRS has started, and ensure it is not followed by another event 13508.

A single FRS event ID 13508 does not mean anything is broken or not working, as long as it is followed by FRS event ID 13509, which indicates that the problem was resolved. Based on the time between FRS event IDs 13508 and 13509, you can determine if a real problem needs to be addressed. Because FRS servers gather replication topology information from the closest domain controller, a replica partner in another site will not be aware of the replica set until the topology information has been replicated to domain controllers in that site. When the topology information finally reaches that distant domain controller, the FRS partner in that site will be able to participate in the replica set and FRS event ID 13509 will be logged. Intrasite Active Directory replication partners replicate every five minutes. Intersite replication only replicates when the schedule is open (the shortest delay is 15 minutes). In addition, FRS polls the topology at defined intervals: five minutes on domain controllers, and one hour on other member servers of a replica set. These delays and schedules can delay propagation of the FRS replication topology, especially in topologies with multiple hops.

Procedures for Troubleshooting FRS Event 13508 without Event 13509

1. Examine the FRS event ID 13508 to determine the machine that FRS has been unable to communicate with.
2. Determine whether the remote machine is working properly, and verify that FRS is running on it. Type the following command at a command prompt on the computer that logged the FRS event ID 13508 and press ENTER:

   ntfrsutl version <FQDN of remote domain controller>

   If this fails, check network connectivity by using the Ping command to ping the fully qualified domain name (FQDN) of the remote domain controller from the computer that logged the FRS event ID 13508. If this fails, then troubleshoot as a DNS or TCP/IP issue. If it succeeds, confirm that the FRS service is started on the remote domain controller.
3. Determine whether FRS has ever been able to communicate with the remote computer by looking for FRS event ID 13509 in the event log and see if the FRS problem correlates to recent change management to networking, firewalls, DNS configuration, or Active Directory infrastructure.
4. Determine whether anything between the two machines is capable of blocking RPC traffic, such as a firewall or router.


5. Confirm that Active Directory replication is working. For more information about troubleshooting Active Directory replication, see "Troubleshooting Active Directory Replication Problems" in this guide.
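The 13508/13509 reasoning above, including the note about an FRS restart, can be applied to an event log mechanically. The following is an added example and not code from this guide: the events, partner names and the FRS start-event marker are constructed stand-ins, and the 60-minute threshold is an assumption to be tuned to your topology.

```python
"""Correlate FRS event 13508 with 13509, or with an FRS restart, per replication partner.

Added example; not code from the Active Directory Operations Guide. It encodes
the rules the guide gives: a 13508 followed by 13509 is resolved, and the gap
between them shows whether a real problem existed; a 13508 followed by an FRS
start that is not followed by another 13508 is also resolved. The events,
partner names and the start-event marker below are constructed stand-ins for
what you would parse from the FRS event log.
"""
from datetime import datetime, timedelta

FRS_STARTED = "FRS started"  # constructed marker for the event FRS logs on startup


def correlate_13508(events, long_gap=timedelta(minutes=60)):
    """Group 13508 events into per-partner episodes and decide what each means.

    events: dicts with 'time' (datetime), 'id' (13508, 13509 or FRS_STARTED)
    and, for 13508/13509, 'partner' (the remote computer named in the event).

    Returns one finding per episode: {'partner', 'first_13508', 'status',
    'gap', 'needs_attention'}. status is 'resolved' (13509 seen; gap is the
    time from the first 13508 to it), 'resolved_by_restart' (FRS started
    afterwards and logged no further 13508) or 'outstanding'. long_gap is an
    assumed threshold for "took too long to resolve"; it sits well beyond the
    15-minute minimum intersite delay the guide mentions.
    """
    open_episodes = {}  # partner -> (time of first 13508, restart seen since then)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == FRS_STARTED:
            for partner, (first, _) in list(open_episodes.items()):
                open_episodes[partner] = (first, True)
        elif ev["id"] == 13508:
            # Repeated 13508s keep the original start time; a 13508 after a
            # restart means the restart did not clear the problem.
            first, _ = open_episodes.get(ev["partner"], (ev["time"], False))
            open_episodes[ev["partner"]] = (first, False)
        elif ev["id"] == 13509 and ev["partner"] in open_episodes:
            first, _ = open_episodes.pop(ev["partner"])
            findings.append({"partner": ev["partner"], "first_13508": first,
                             "status": "resolved", "gap": ev["time"] - first})
    for partner, (first, restart_seen) in open_episodes.items():
        findings.append({"partner": partner, "first_13508": first, "gap": None,
                         "status": "resolved_by_restart" if restart_seen else "outstanding"})
    for f in findings:
        f["needs_attention"] = (f["status"] == "outstanding"
                                or (f["gap"] is not None and f["gap"] > long_gap))
    return sorted(findings, key=lambda f: f["first_13508"])


def _ev(hhmm, event_id, partner=None):
    """Build one constructed event on an arbitrary date."""
    hour, minute = hhmm.split(":")
    return {"time": datetime(2003, 1, 15, int(hour), int(minute)),
            "id": event_id, "partner": partner}


# Constructed log: four partners showing the four possible outcomes.
SAMPLE_EVENTS = [
    _ev("09:00", 13508, "dc2"), _ev("09:05", 13508, "dc2"), _ev("09:20", 13509, "dc2"),
    _ev("10:00", 13508, "dc3"), _ev("12:30", 13509, "dc3"),
    _ev("13:00", 13508, "dc4"), _ev("13:30", FRS_STARTED),
    _ev("14:00", 13508, "dc5"), _ev("14:10", FRS_STARTED), _ev("14:20", 13508, "dc5"),
]


if __name__ == "__main__":
    for f in correlate_13508(SAMPLE_EVENTS):
        gap = f["gap"].total_seconds() / 60 if f["gap"] is not None else None
        print(f["partner"], f["status"], gap, "needs attention" if f["needs_attention"] else "")
```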

Troubleshooting FRS Event 13511


FRS event ID 13511 is logged when the FRS database is out of disk space. To correct this situation, delete unnecessary files on the volume containing the FRS database. If this is not possible, then consider moving the database to a larger volume with more free space. For more information about how to move the database to a larger volume, see Knowledge Base article Q221093: How to Relocate the NTFRS Jet Database and Log Files. To view this Knowledge Base article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Troubleshooting FRS Event 13522


The Staging Directory is an area where modified files are stored temporarily either before being propagated to other replication partners or after being received from other replication partners. FRS encapsulates the data and attributes associated with a replicated file or directory object in a staging file. FRS needs adequate disk space for the staging area on both upstream and downstream machines in order to replicate files. On Windows 2000 SP2 and earlier, FRS event 13522 indicates that the FRS service has paused because the staging area is full. Replication will resume if disk space for the staging area becomes available or if the disk space limit for the staging area is increased. On Windows 2000 SP3, you must clear the replication backlog. Reasons why the staging area might fill up include:
• One or more downstream partners are not accepting changes. This could be a temporary condition due to the schedule being turned off and FRS waiting for it to open, or a permanent state because the service is turned off, or the downstream partner is in an error state.
• The rate of change in files exceeds the rate at which FRS can process them.
• No obvious changes are made to the files but the staging area is filling up anyway. To troubleshoot this excessive replication, see "Troubleshooting FRS Event 13567" in this guide.
• A parent directory for files that have a large number of changes is failing to replicate in, so all changes to subdirectories are blocked.

Troubleshooting FRS Event 13526


FRS event ID 13526 is logged when a domain controller becomes unreachable. This problem occurs because FRS polls Active Directory at regular intervals to read FRS configuration information. During the polling, an operation is performed to resolve the security identifier (SID) of an FRS replication partner. The binding handle might become invalid if the bound domain controller becomes unreachable over the network or restarts in a single polling interval (the default is five minutes). To resolve this issue, stop and start FRS on the computer logging the error message.

Troubleshooting FRS Event 13548


FRS event ID 13548 is logged when the time settings for two replication partners differ by more than 30 minutes. This error could be caused by the selection of an incorrect time zone on the local computer or its replication partner. Check that the time zone and system clock are correctly set on both computers. They must be within 30 minutes of each other, but preferably much closer.

Troubleshooting FRS Event 13557


FRS event ID 13557 is logged when duplicate connections are detected between two replication partners. To resolve this problem, delete duplicate connection objects between the direct replication partners that are noted in the event text.

Troubleshooting FRS Event 13567


Event 13567 in the FRS event log is generated on computers running Windows 2000 SP3 when unnecessary file change activity is detected. Unnecessary file change activity means that a file has been written by some user or application, but no change is actually made to the file. FRS detects that the file has not changed, and maintains a count of how often this happens. If the condition is detected more than 15 times per hour during a three-hour period, FRS logs the 13567 event. Determine the application or user that is modifying file content. For procedures to troubleshoot this issue, see "Troubleshooting Excessive Disk and CPU Usage by NTFRS.EXE" in this guide. More information can also be found in Knowledge Base article Q315045: FRS Event 13567 Is Recorded in the FRS Event Log with SP3. To view this Knowledge Base article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Troubleshooting FRS Event 13568


FRS event ID 13568 contains the following message:
The File Replication Service has detected that the replica set "1" is in JRNL_WRAP_ERROR.

NTFS maintains a special log called the NTFS USN journal, which is a high-level description of all the changes to files and directories on an NTFS volume. FRS uses this mechanism to track changes to the NTFS directories of interest and to queue those changes for replication to other computers. The NTFS USN journal has defined size limits and discards old log information on a first-in, first-out basis in order to maintain its configured size.


If FRS processing falls behind the NTFS USN journal, and NTFS USN journal information that FRS needed has been discarded, then FRS enters a journal wrap condition. FRS then needs to rebuild its current replication state with respect to NTFS and its replication partners. Each file change on the NTFS volume occupies approximately 100 bytes in this journal (possibly more, depending on the length of the file name). In general, the NTFS USN journal for an NTFS volume should be sized at 128 megabytes (MB) per 100,000 files being managed by FRS on that volume. In Windows 2000 SP2 and earlier, the default journal size is 32 MB and the maximum journal size is 128 MB. In Windows 2000 SP3, the default journal size is 128 MB and the maximum journal size is 10,000 MB. The journal size can be configured with a registry subkey, but keep in mind that once you increase the journal size you should not lower it again, because lowering it causes a journal wrap. To learn how the USN journal size can be increased, see Knowledge Base article Q221111: Description of FRS Entries in the Registry. To view this Knowledge Base article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

FRS can encounter journal wrap conditions in the following cases:

- Many files are added at once to a replica tree while FRS is busy, starting up, or not running.
- On a server that is being used for an authoritative restore, or as the primary server for a new replica partner, excessive file activity at the start of the process can consume the NTFS USN journal records. Size the NTFS USN journal at 128 MB per 100,000 files being managed by FRS, as mentioned above, to avoid this condition.
- NTFS needs to be processed with Chkdsk, and Chkdsk corrects the NTFS structure. In this case, NTFS creates a new NTFS USN journal for the volume or deletes the corrupt entries from the end of the journal.
- The NTFS USN journal is deleted or reduced in size.
- FRS is in an error state that prevents it from processing changes in the NTFS USN journal.

If FRS is experiencing journal wrap errors on a particular server, it cannot replicate files until the condition has been cleared. To continue replication, the administrator must stop FRS on that server and perform a nonauthoritative restore of the data so that the system can resynchronize with its replication partners. For more information about performing a nonauthoritative restore, see “Performing a Non-Authoritative Restore” in this guide. Note the following:

- Windows 2000 SP1 cannot perform this process automatically.
- In Windows 2000 SP2, FRS performs this process automatically.
- In Windows 2000 SP3, FRS does not perform this process automatically. The reason for this change was that the automatic restore was typically running at times that administrators had not planned for. A registry setting is available that allows FRS to perform the automatic nonauthoritative restore, just as in Windows 2000 SP2, but it is recommended to leave this as a manual process.

For more information about performing the nonauthoritative restore process on a server, see Knowledge Base article Q292438: Troubleshooting Journal Wrap Errors on SYSVOL and DFS Replica Sets. To view this Knowledge Base article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Troubleshooting Files Not Replicating


Files can fail to replicate for a wide range of causes. As a best practice, find the root cause of FRS replication problems rather than working around the symptom.

Procedures for Troubleshooting Files that Are Not Replicating


1. Verify that Active Directory replication is functioning. For more information about troubleshooting Active Directory replication, see “Troubleshooting Active Directory Replication Problems” in this guide. Each domain controller must have at least one inbound connection to another domain controller in the same domain.
2. Examine the event logs on the machines involved. Resolve any problems found.
3. Use the ntfrsutl ver command from the source to the destination computer, and vice versa. Verify that the addresses are correct. Verify RPC connectivity between the source and destination. Also verify that FRS is running.
4. Use the Services administrative console to confirm that FRS is running on the remote computer.
5. If FRS is not running, review the File Replication Service event log on the problem computer. If the service has asserted, troubleshoot the assertion. Otherwise, restart the service by using the net start ntfrs command.
6. Verify again that Active Directory replication is functioning (step 1). If it is not, see “Troubleshooting Active Directory Replication Problems” in this guide.
7. Use Active Directory Sites and Services to verify the replication schedule on the connection object, to confirm that replication is enabled between the source and destination computers, and to confirm that the connection itself is enabled. The connection object is the inbound connection of the destination computer (its fromServer attribute names the source) and is stored under the destination member's NTFRS_MEMBER object. For SYSVOL, the connection object resides under \Servers\<server_name>\NTDS Settings of the destination domain controller.
8. Create a test file on the destination computer and verify its replication to the source computer, taking into account the schedule and link speed for all hops between the two computers.
9. Check for files that are larger than the amount of free space on the source or destination server, or larger than the staging area directory limit set in the registry. Resolve the disk space problem or increase the maximum staging area file space. For more information about troubleshooting staging area problems, see “Troubleshooting FRS Event 13522” in this guide.
10. Check whether the source file was excluded from replication. Confirm that the file is not encrypted with Encrypting File System (EFS), is not an NTFS junction point (as created by Linkd.exe from the Windows 2000 Server Resource Kit), and is not excluded by a file or folder filter on the originating replica member. If any of these conditions is true, FRS does not replicate the file or directory.
11. Check whether the file is locked on either computer. Use the net file command on the source and destination computers. This command indicates which users are holding the file open over the network, but it does not report files held open by local processes. If the file is locked on the source computer, FRS is unable to read the file to generate the staging file, and replication is delayed. If the file is locked on the destination computer, FRS is unable to update the file; in this case, FRS continues to retry the update until it succeeds, with a retry interval of 30 to 60 seconds. If files are being held open by remote users, you can use the net file <id> /close command to force the file closed.

If these methods do not resolve the issue, you can investigate the FRS debug logs to get more details on what is causing replication to fail. FRS writes text-based logs named ntfrs_NNNN.log in the %systemroot%\debug directory to help you debug problems. Debug logs effectively describe a two-way conversation between replication partners. A higher number indicates a more recent log (for example, ntfrs_0001.log is the oldest and ntfrs_0005.log the newest). To observe a particular event, take a snapshot of the log files as close to the occurrence of the event as possible, and save the copies in a different directory so they can be examined afterward; the logs roll over, so the record of the event is otherwise overwritten. Debug lines containing the string :T: are known as “tracking records” and are typically the most useful for understanding why specific files fail to replicate. You can redirect records of interest to a text file with the findstr command; note that a findstr pattern containing spaces matches any one of its words. For example:
findstr /I ":T:" %systemroot%\debug\ntfrs_*.log >trackingrecords.txt
findstr /I "error warn fail S0" %systemroot%\debug\ntfrs_*.log >errorscan.txt


Important
SYSVOL uses FRS as the means to replicate data. When troubleshooting FRS, focus on how to enable it to run again, instead of trying to “help” replication by manually copying files to replication partners. Manual copying can be used as a stop gap, but it requires reinitializing the entire replica set, and it can cause additional replication traffic, backlogs, and replication conflicts. For more information about replication conflicts, see “Troubleshooting Morphed Folders” later in this guide.

Verifying the FRS Topology in Active Directory


Because FRS servers gather their replication topology information from their closest Active Directory domain controller, FRS replication relies on Active Directory replication functioning properly. Two approaches to verifying that Active Directory is replicating FRS topology information correctly are:

- Verify that Active Directory replication is functioning.
- Verify the FRS topology in Active Directory from multiple servers, and confirm that they all see the same topology.

For more information about verifying the FRS topology, see the File Replication Service (FRS) link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Troubleshooting Morphed Folders


All files and folders that FRS manages are uniquely identified internally by a special file identifier. FRS uses these identifiers as the canonical identifiers of the files and folders being replicated. If FRS receives a change order to create a folder that already exists, which by definition has a different file identifier than the duplicate folder, FRS protects the conflicting change by leaving the original directory structure intact and renaming the conflicting directory to a unique name, so that the underlying files and folders are preserved. The conflicting folder is given a new name of the form FolderName_NTFRS_<guidname>, where FolderName is the original name of the folder and <guidname> is a unique character string such as “001a84b2.” Common causes of this condition are:

- A folder is created on multiple machines in the replica set before the folder has been able to replicate. This can be due to an administrator or application creating folders of the same name on multiple FRS members.
- You initiate an authoritative restore on one server and either did not stop the service on all other members of the reinitialized replica set before restarting FRS after the authoritative restore, or did not set the D2 registry key (nonauthoritative restore) on all other members of the reinitialized replica set before a server replicated outbound changes to reinitialized members of the replica set.
- Directories with names identical to those being replicated by FRS were manually copied to computers in the replica set.

For more information about performing an authoritative restore, see “Active Directory Backup and Restore” in this guide. To recover from morphed folders you have two options:

- Move the morphed directories out of the replica tree and back in, or
- Rename the morphed directories.

The first method works well for small amounts of data on a small number of targets. However, if you miss end-to-end replication of the move-out, this method can itself cause morphed directories, and it forces all members to re-replicate the data. The second method does not require re-replication of data. However, while the original folder is renamed, anything that references it by path gets an invalid path, which amounts to a self-inflicted denial of service until the rename is complete.
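Before either recovery procedure, you need an inventory of every morphed folder in the replica tree, where its original sits, and how much data the morphed copy holds. The following is an added example (not code from the guide) that walks a tree and reports folders matching the FolderName_NTFRS_<guidname> pattern; it assumes the hex suffix is eight characters long, as in the “001a84b2” example above, and builds its own throwaway sample tree so it runs offline.

```python
"""Find FRS morphed folders (FolderName_NTFRS_<hex>) under a replica tree."""
import os
import re
import tempfile

# FRS renames the losing duplicate to <original>_NTFRS_<hex string>; the guide
# shows an 8-character string such as 001a84b2, so that length is assumed here.
MORPH_RE = re.compile(r"^(?P<orig>.+)_NTFRS_(?P<tag>[0-9a-fA-F]{8})$")


def find_morphed_folders(root):
    """Return one record per morphed folder found anywhere under root.

    Each record gives the morphed path, the path FRS renamed it from, whether
    that original still exists beside it, and how many files the morphed copy
    holds (the data an administrator has to merge back by hand).
    """
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in sorted(dirnames):
            match = MORPH_RE.match(name)
            if match is None:
                continue
            morphed = os.path.join(dirpath, name)
            original = os.path.join(dirpath, match.group("orig"))
            files_inside = sum(len(files) for _, _, files in os.walk(morphed))
            hits.append({
                "morphed": morphed,
                "original": original,
                "original_exists": os.path.isdir(original),
                "tag": match.group("tag").lower(),
                "files_inside": files_inside,
            })
    return hits


def build_sample_tree():
    """Construct a throwaway tree that mimics a morph conflict (sample data)."""
    root = tempfile.mkdtemp(prefix="replica_sample_")
    for rel in ("Policies", "Policies_NTFRS_001a84b2", "scripts"):
        os.makedirs(os.path.join(root, rel))
    with open(os.path.join(root, "Policies_NTFRS_001a84b2", "gpt.ini"), "w") as f:
        f.write("[General]\nVersion=1\n")
    return root


if __name__ == "__main__":
    # Point find_morphed_folders at the real replica root (for example
    # %systemroot%\SYSVOL\domain) to inventory a live member.
    for hit in find_morphed_folders(build_sample_tree()):
        print(hit)
```

Run the inventory on every member of the replica set, not just one: a folder that is morphed on one member may be the surviving original on another, and the "original_exists" flag tells you which recovery option applies on each.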

Procedures for Moving Morphed Directories Out of the Replica Tree and Back In

1. Move all morphed directories out of the tree.
2. Wait for end-to-end removal of the data on all targets.
3. While waiting, build a tree containing the desired file and folder versions, including permissions and other attributes.
4. Verify end-to-end deletion of the “move-out” on all targets; otherwise you get a conflict in the next step. Perform a nonauthoritative restore of computers that did not replicate the deletion. Disable FRS on computers that you could not restore. For more information about authoritative and nonauthoritative restores, see “Active Directory Backup and Restore” in this guide.
5. Move the data from outside the tree to inside the replicated tree. Use the Xcopy /O command, or another copy tool that preserves security descriptors, so that permissions are kept.

Procedures for Renaming Morphed Directories


1. From the computer that originated the good series in conflict, rename both the good and morphed variants to a unique name.
2. Verify end-to-end replication of the rename operation across all members of the set. For members that do not receive the rename within the necessary time, stop FRS and set the D2 registry setting for a nonauthoritative restore. Do not restart the computer at this time.
3. Move any files from the now-renamed morphed folders to the renamed good folders.
4. Verify end-to-end replication of the files in the renamed original folder.
5. Delete the original morphed folders.
6. Restart FRS on the members prepared in step 2 to start the nonauthoritative restore. After the rename has propagated, the morphed variant can be deleted. Before deleting any of the folders, ensure that you have a backup of the original (and complete) folder.

Troubleshooting the SYSVOL Directory Junction


The SYSVOL share contains two folders that are directory junctions pointing to other folders, much like a symbolic link.

Procedures for Troubleshooting the SYSVOL Directory Junction


1. At a command prompt, type the following commands and press ENTER (the second path contains a space and must be quoted):
dir <drive>:\<path>\SYSVOL\SYSVOL
dir "<drive>:\<path>\SYSVOL\Staging Areas"

Verify that the junction points are in place. The following output example shows junction points (the <JUNCTION> entry in each listing):
D:\WINNT\SYSVOL\sysvol>dir
06/26/2001  01:23p      <DIR>          .
06/26/2001  01:23p      <DIR>          ..
06/26/2001  01:23p      <JUNCTION>     corp.com

D:\WINNT\SYSVOL\staging areas>dir
06/26/2001  01:23p      <DIR>          .
06/26/2001  01:23p      <DIR>          ..
06/26/2001  01:23p      <JUNCTION>     corp.com

2. If either of the two junction points is missing, use the Linkd.exe tool from the Windows 2000 Server Resource Kit to recreate it. At a command prompt, type the following commands and press ENTER:
linkd <drive>:\<path>\SYSVOL\SYSVOL\<fully qualified domain name> <drive>:\<path>\SYSVOL\<domain>
linkd "<drive>:\<path>\SYSVOL\Staging Areas\<fully qualified domain name>" <drive>:\<path>\SYSVOL\staging\<domain>

Verify that the two junctions resolve to two different folders: the SYSVOL junction must point to the domain folder (SYSVOL\<domain>, which in a default installation is literally named domain), and the Staging Areas junction must point to the matching staging folder (SYSVOL\staging\<domain>). A Staging Areas junction that points at the domain folder itself causes FRS to stage files inside the replicated tree.


Caution
Take great care when copying folders that include directory junctions. When Xcopy copies such a tree in Windows 2000, it copies the junction, not the contents of the folder the junction points to. An administrator can accidentally delete SYSVOL by using the RD /S command on a copy made of SYSVOL, because RD /S follows the directory junction into the live SYSVOL folder. Use RD without the /S parameter instead; RD without /S does not follow the junction.

Troubleshooting Excessive Disk and CPU Usage by NTFRS.EXE


Excessive replication generators are applications or operations that change all or most of the files in a replica set on a regular basis without the changes being necessary. FRS monitors the USN journal for changes, and if it finds a change it has to replicate that file. The applications that create excessive replication normally rewrite the ACL (in the case of file security policies and antivirus software) or rewrite the file (in the case of defragmentation software). In both cases, the content, permissions, and attributes on the file or directory are not really changed. For Windows 2000 SP3, event ID 13567 in the FRS event log records that this kind of “non-change” was suppressed in order to prevent unnecessary replication. In versions of Windows 2000 earlier than SP3, excessive replication generators were the most common reason for staging areas to fill up. Administrators should still look for and eliminate excessive replication generators when using SP3, because the file comparison that suppresses the non-change consumes disk and file resources. You can use one of the following methods to identify excessive replication generators:

- Selectively turn off common causes such as antivirus software, defragmentation tools, and file system policy, and determine whether the activity declines.
- Use the FileSpy tool from the Windows 2000 Server Resource Kit to identify which process is touching the files.
- Inspect the NTFRSUTL OUTLOG report to see which files are being replicated.
- Inspect the USN journal tracking records in the FRS debug logs on computers running Windows 2000 SP2 or later with the following command:
Findstr /I ":U:" %systemroot%\debug\ntfrs_00*.log

For more information about troubleshooting excessive disk and CPU usage by Ntfrs.exe, see the following Knowledge Base articles:

- Q284947: “Norton AntiVirus 7.x Makes Changes to Security Descriptors”
- Q282791: “FRS: Disk Defragmentation Causes FRS Replication Traffic”
- Q279156: “Effects of Setting File System Policy on a Disk Drive or Folder”
- Q307777: “Possible Causes of a Full File Replication Service Staging Area”

To view these Knowledge Base articles, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. For more information about troubleshooting high CPU usage on a domain controller, see “Troubleshooting High CPU Usage on a Domain Controller” in this guide.

Troubleshooting Active Directory Replication Problems


Active Directory replication problems can have several different sources. For example, DNS problems or incorrect site configuration can cause Active Directory replication to fail. Table 2.7 shows common events that might indicate a problem with Active Directory replication, together with root cause and solution information.

Table 2.7 Events that Indicate Active Directory Replication Problems
Event: Net Logon event ID 5805
Root cause: A machine account failed to authenticate, which is usually caused either by multiple instances of the same computer name or by the computer name not having replicated to every domain controller.
Solution: If you do not find multiple instances of the computer name, verify that replication is functioning for the domain that contains the computer account.

Event: NTDS event ID 1083
Root cause: A duplicate object is present in the Active Directory of the replication partner of the local domain controller, so updating it is impossible.
Solution: See “Troubleshooting Directory Data Problems” in this guide.

Event: NTDS event ID 1265
Root cause: Replication failed for the reason stated in the message text.
Solution: Use Repadmin.exe to further identify the problem, and use Table 2.8 to determine the appropriate action to take for the message generated by Repadmin.exe. If the event message indicates a DNS lookup failure or that the RPC server is unavailable, see “Troubleshooting Active Directory–Related DNS Problems” in this guide. If the event message indicates that the target account name is incorrect, troubleshoot GUID discrepancies. If the event message indicates a time difference between the client and server, synchronize replication from the PDC emulator.

Event: NTDS event ID 1311
Root cause: This error occurs when the replication configuration information in Active Directory Sites and Services does not accurately reflect the physical topology of the network.
Solution: Troubleshoot NTDS event ID 1311.

Event: NTDS event ID 1388
Root cause: This error is usually generated by a lingering object, which results from disconnecting a domain controller for too long.
Solution: If the domain controller does not also function as a global catalog server, see “Remove Lingering Objects from an Outdated Writable Domain Controller.” If the domain controller also functions as a global catalog server, see “Remove Lingering Objects from a Global Catalog Server.”

Event: NTDS event ID 1645
Root cause: This error occurs over an existing replication link when the GUID of the NTDS Settings object of a replication partner does not match the GUID defined in the Service Principal Name (SPN) attribute of the computer object of this replication partner.
Solution: Troubleshoot GUID discrepancies.

Event: SceCli event ID 1202
Root cause: A user account in one or more Group Policy objects (GPOs) cannot be resolved to a security identifier (SID). This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights Assignment or Restricted Groups branch of a GPO.
Solution: Troubleshoot SceCli event ID 1202.

General Guidelines for Troubleshooting Replication Problems


To identify Active Directory replication problems, use the repadmin /showreps command. Table 2.8 shows the error messages generated by this command, together with root cause and solution information.

Table 2.8 Repadmin /Showreps Error Messages
Repadmin error: No inbound neighbors.
Root cause: If no items appear in the “Inbound Neighbors” section of the output generated by the repadmin /showreps command, the domain controller was not able to establish replication links with another domain controller.
Solution: See “Troubleshoot No Inbound Neighbors Repadmin.exe Error.”

Repadmin error: Access is denied.
Root cause: A replication link exists between two domain controllers, but replication cannot be properly performed. This problem can be related to connectivity, DNS, or authentication issues.
Solution: See “Troubleshoot Access Denied Replication Errors.”

Repadmin error: Last attempt at <date - time> failed with the “Target account name is incorrect.”
Root cause: If it is a DNS error, the local domain controller could not resolve the GUID-based DNS name of its replication partner.
Solution: See “Troubleshooting Active Directory–Related DNS Problems.” Also see “Troubleshoot Access Denied Replication Errors.”

Repadmin error: No more end point.
Root cause: No more endpoints are available to establish the TCP session with the replication partner. This error can also result when the replication partner can be contacted, but its RPC interface is not registered. This usually indicates that the domain controller's DNS name is registered, but with the wrong IP address, so the connection reaches a host that is not running the directory service.
Solution: Use Netstat to check the currently established sessions and free up TCP sessions, if necessary. If the name resolves to the wrong host, correct the IP address and see “Troubleshooting Active Directory–Related DNS Problems.”

Repadmin error: LDAP Error 49.
Root cause: The domain controller computer account might not be synchronized with the Key Distribution Center (KDC). (LDAP result code 49 is invalidCredentials.)
Solution: See “Troubleshoot Access Denied Replication Errors.”

Repadmin error: Cannot open LDAP connection to local host.
Root cause: The administration tool could not contact Active Directory.
Solution: See “Troubleshooting Active Directory–Related DNS Problems.”

Repadmin error: AD replication has been preempted.
Root cause: An inbound replication in progress was interrupted by a higher priority replication request, such as a request generated manually by using the repadmin /sync command.
Solution: Wait for replication to complete.

Repadmin error: Replication posted, waiting.
Root cause: The domain controller posted a replication request and is waiting for an answer.
Solution: Wait for replication to complete.

Repadmin error: Replication is in progress from this source.
Root cause: A large backlog of inbound replication must be performed on this domain controller.
Solution: Use the repadmin /queue <domain controller> command to check how many inbound synchronizations are in the queue.

Repadmin error: Last attempt @ never was successful.
Root cause: The KCC successfully created the replication link between the local domain controller and its replication partner, but because of the schedule or possible bridgehead overload, replication has not yet occurred.
Solution: Synchronize replication from a source domain controller.

For more information about replication concepts, see “Active Directory Replication” in the Distributed Systems Guide of the Windows 2000 Server Resource Kit.

Troubleshooting No Inbound Neighbors Repadmin.exe Error


When no items appear in the “inbound neighbors” section of the repadmin /showreps command output, one of the following conditions exists:


- No connection object exists to indicate which domain controller(s) this domain controller should replicate from. These connection objects are typically created by the KCC. However, in some environments, administrators have turned off the part of the KCC that creates connection objects for inbound replication from domain controllers in other sites, relying on manual connections instead.
- One or more connection objects exist, but the domain controller is unable to contact the source domain controller to create the replication links. In this case, the KCC logs events each time it runs (by default, every 15 minutes) detailing the error that occurred when it attempted to add the replication links.

Ensure that a connection object has been properly created between the domain controller and its replication partner. If not, create the connection object.

Procedures for Troubleshooting No Inbound Neighbors


1. Verify that a connection object exists.
2. If no connection object exists, create a connection object.
3. After you create the connection objects, see “Linking Sites for Replication” for procedures to create a site link. Replication should then occur automatically at the scheduled time.

Troubleshooting Access Denied Replication Errors


This error indicates that the local domain controller failed to authenticate against its replication partner when creating the replication link or when trying to replicate over an existing link. This typically happens when the domain controller has been disconnected from the rest of the network for a long time and its computer account password is no longer synchronized with the computer account password stored in the Active Directory of its replication partner.

Procedures for Troubleshooting Access Denied Replication Errors


1. Confirm naming context permissions on direct replication partners by using dcdiag (the test that checks the security descriptors on the naming context heads is NCSecDesc: dcdiag /test:NCSecDesc). Verify that replication is functioning. If replication is not functioning properly, continue with the next step.
2. Confirm that the Enterprise Domain Controllers group holds the “Access this computer from the network” right. If you have to add this right, ensure the domain has applied Group Policy before proceeding. Verify that replication is functioning. If replication is not functioning properly, continue with the next step.
3. Stop the KDC on the local domain controller.
4. Purge the ticket cache on the local domain controller.
5. Verify that the domain controller is in the Domain Controllers OU, that the Default Domain Controllers GPO is linked to the OU, and that the “Access this computer from the network” policy is effective in this domain.
6. Reset the computer account password on the PDC emulator.
7. Synchronize the domain naming context of the replication partner with the PDC emulator.
8. If the repadmin /showreps command shows no replication partner, see “Link Sites for Replication” in this guide for procedures to create a replication link.
9. Synchronize replication from a source domain controller.
10. Start the KDC on the local domain controller.
11. If you get a new “access denied” error message, you must create a temporary connection link between the domain controller and its replication partner for the naming contexts.

Troubleshooting GUID Discrepancies


When a domain controller creates a replication link with its replication partner, it looks in its Active Directory for the GUID of the NTDS Settings object of its replication partner. It then checks whether the GUID matches the replication SPN present in the servicePrincipalName attribute of the computer object of its replication partner. If they do not match, the replication link cannot be established, and an event is logged in the Directory Service event log. This can happen when a domain controller has been manually removed from Active Directory and then Active Directory is reinstalled on the domain controller. After Active Directory is reinstalled, the domain controller gets a new GUID for its NTDS Settings object and creates a new replication SPN accordingly.

Procedures for Troubleshooting GUID Discrepancies


1. Identify the GUID of the replication partner. If several entries are returned, this is the source of the error. One of the entries results from the initial installation of Active Directory on the replication partner. If Active Directory was removed from the domain controller without running the Active Directory Installation Wizard, and then Active Directory was reinstalled on the domain controller, a new NTDS Settings object was created (with a new GUID) and was replicated to this domain controller. In that case, determine which NTDS Settings object has the correct GUID and delete the incorrect NTDS Settings object.
2. Verify that a DNS record for the bad NTDS Settings object has not been created on the root DNS server. Check the CNAME records named <replication_partner_guid>._msdcs.<forest_root_domain_name>; each points to the host record <replication_partner>.<regional_domain_name>, and only one such record, carrying the right GUID, should exist for the partner. If several records are present, delete the incorrect records.
3. If the previous step revealed only one NTDS Settings object with the correct GUID, verify the SPN for the replication partner on the local domain controller. If the SPN does not exist, it must be created in the Active Directory of the local domain controller. If the SPN exists but contains a GUID that does not match the replication partner's NTDS Settings object, it must be modified to match the correct GUID. To do this, run ADSI Edit or LDP on the local domain controller. Locate the SPN in the multivalued attribute servicePrincipalName of the computer object of the replication partner (CN=<computer_name>,OU=Domain Controllers,DC=dom1,DC=company,DC=com) and change the replication SPN to the correct value.
4. Verify that replication is functioning.
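Step 3 amounts to comparing the partner's NTDS Settings objectGUID with the GUID embedded in its replication SPN. The following added example (not code from the guide) performs that comparison offline on values you have already read with ADSI Edit or LDP. It relies on the replication SPN having the form <service class>/<NTDS Settings GUID>/<DNS domain name>, where the service class is the Directory Replication Service interface GUID E3514235-4B06-11D1-AB04-00C04FC2DCD2; the GUIDs and host names in the sample are constructed.

```python
"""Check a replication partner's NTDS Settings GUID against its replication SPN."""
import uuid

# Service class of the replication SPN: the GUID of the Directory Replication
# Service RPC interface. A replication SPN reads <class>/<NTDS Settings GUID>/<domain>.
DRS_SPN_CLASS = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"


def parse_replication_spns(spns):
    """Yield (guid, domain) for each replication SPN in a servicePrincipalName list."""
    for spn in spns:
        parts = spn.split("/")
        if len(parts) != 3 or parts[0].upper() != DRS_SPN_CLASS:
            continue  # HOST/, LDAP/ and other service classes are not relevant here
        try:
            yield str(uuid.UUID(parts[1])), parts[2].lower()
        except ValueError:
            continue  # malformed GUID segment; cannot be the right SPN


def check_replication_spn(ntds_settings_guids, spns, domain):
    """Classify the partner's state for step 3 of the procedure.

    ntds_settings_guids: objectGUID of every NTDS Settings object found for the
    partner in step 1 (more than one means a stale duplicate is still present).
    spns: values of the partner computer object's servicePrincipalName.
    domain: DNS name of the partner's domain.
    Returns the verdict plus the SPN value the computer object should carry.
    """
    guids = {str(uuid.UUID(g)) for g in ntds_settings_guids}
    domain = domain.lower()
    spn_guids = {g for g, d in parse_replication_spns(spns) if d == domain}
    if len(guids) != 1:
        verdict = "duplicate-ntds-settings"  # finish step 1 before touching SPNs
    elif not spn_guids:
        verdict = "spn-missing"              # create the SPN with ADSI Edit or LDP
    elif spn_guids == guids:
        verdict = "ok"
    else:
        verdict = "guid-mismatch"            # edit the SPN to the NTDS Settings GUID
    expected = [f"{DRS_SPN_CLASS}/{g}/{domain}" for g in sorted(guids)] if len(guids) == 1 else []
    return {
        "verdict": verdict,
        "ntds_guids": sorted(guids),
        "spn_guids": sorted(spn_guids),
        "expected_spns": expected,
    }


if __name__ == "__main__":
    # Constructed sample: the partner was reinstalled, so its NTDS Settings
    # object has a new GUID but the computer object still carries the old SPN.
    old_guid = "12345678-1234-1234-1234-123456789abc"
    new_guid = "87654321-4321-4321-4321-cba987654321"
    report = check_replication_spn(
        [new_guid],
        ["HOST/dc2.corp.com", f"{DRS_SPN_CLASS}/{old_guid}/corp.com"],
        "corp.com",
    )
    print(report["verdict"], report["expected_spns"])
```

The "expected_spns" value is exactly the string to paste into the servicePrincipalName attribute in step 3; the "duplicate-ntds-settings" verdict is deliberately reported first, because editing the SPN while two NTDS Settings objects exist only moves the mismatch to the other one.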

Troubleshooting RPC Server Problems


When you perform any of the following server-based tasks, you might receive an error that says the RPC server is unavailable:

- Replication
- Winlogon
- Enabling trust relationships
- Connecting to domain controllers
- Connecting to trusted domains
- User authentication

The “RPC server unavailable” error can occur for the following reasons:

- DNS problems
- Time synchronization problems
- The RPC service is not running
- Network connectivity problems

Procedures for Troubleshooting RPC Server Problems


1. See “Troubleshooting Active Directory–Related DNS Problems” to identify and resolve DNS issues.
2. See “Troubleshooting Windows Time Service Problems” to identify and resolve time synchronization issues.
3. If the RPC service is not running, start it. If it is running, stop and start it; note that the Remote Procedure Call (RPC) service does not accept a stop request while Windows is running, so in practice this means restarting the server.
4. Verify network connectivity and resolve any issues.

Troubleshooting NTDS Event ID 1311


NTDS event ID 1311 occurs when the replication configuration information in Active Directory Sites and Services does not accurately reflect the physical topology of the network. The Knowledge Consistency Checker (KCC) constructs and maintains the replication topology for Active Directory. To do this, the KCC examines all naming contexts that reside in the forest as well as the administrator-defined constraints for sites, site links, and link costs.


Event ID 1311 results from problems replicating an Active Directory domain, schema, configuration, or global catalog naming context between domain controllers or sites. This can occur for the following reasons:

- Site link bridging is enabled on a network that does not provide physical network connectivity between two domain controllers in different sites that are connected by a KCC link.
- One or more sites are not contained in site links.
- Site links contain all sites, but the site links are not interconnected. This condition is known as disjointed site links.
- One or more domain controllers are offline.
- Bridgehead domain controllers are online, but errors occur when they try to replicate a required naming context between Active Directory sites.
- Administrator-defined preferred bridgeheads are online, but they do not host the required naming contexts.
- Preferred bridgeheads are defined correctly by the administrator, but they are currently offline.
- The bridgehead server is overloaded, either because the server is undersized, because too many branch sites are trying to replicate changes from the same hub domain controller, or because the schedules on site links or connection objects are too frequent.
- The KCC has built an alternate path around an intersite connection failure, but it continues to retry the failing connection every 15 minutes.

Procedures for Troubleshooting NTDS Event ID 1311


1. Determine if event ID 1311 is being logged on all domain controllers in the forest that hold the intersite topology generator (ISTG) role, or just on site-specific domain controllers.
a. First, locate ISTG role holders by using Ldp.exe to run the following search:

Base DN: CN=Sites,CN=Configuration,DC=ForestRootDomainName,DC=Com
Filter: (cn=NTDS Site Settings)
Scope: Subtree
Attributes: interSiteTopologyGenerator

b. Determine the scope of the event by checking the Directory Service event logs of all ISTG role holders in the forest, or at least a significant number of them.


Note
Site link bridging is enabled by default. As a best practice, leave site link bridging enabled for fully routed networks.

If event ID 1311 continues to be logged on ISTG role holders, continue with the next step.
2. See "Troubleshooting Active Directory Replication Problems" in this guide to resolve Active Directory replication failures in the forest. If event ID 1311 continues to be logged on ISTG role holders, continue with the next step.
3. Determine if site link bridging is enabled and the network is fully routed. Site link bridging is enabled in Active Directory if the following conditions are true:
- The Bridge all site links check box is selected for the IP transport and the Simple Mail Transfer Protocol (SMTP) transport in Active Directory Sites and Services.
- The options attribute for the IP transport and the SMTP transport is NULL or set to 0 (zero) for the following DN paths: CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=<forest_root_domain> and CN=SMTP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=<forest_root_domain>. More precisely, bridging is off only when bit 0x2 of options (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED) is set; a value of 1 means only "ignore schedules" and leaves bridging on.

To determine if a fully routed network connection exists between two sites, contact your network administrator or Active Directory architect. If site link bridging is enabled in a nonrouted environment, either make the network fully routed, or disable site link bridging and then create the necessary site links and site link bridges. For more information about creating site links, see "Link Sites for Replication" in this guide. Wait for a period of time that is twice as long as the longest replication interval in the forest. If event ID 1311 continues to be logged on ISTG role holders, continue with the next step.
4. Use the repadmin /showism command to verify that all sites are defined in site links. For each site, the output of the command shows a string of three numbers separated by colons. The numbers represent <cost>:<replication interval>:<options>. A string with the value "-1:0:0" indicates a possible missing site link. If this is the case, see "Link Sites for Replication" in this guide for procedures to create a site link. If event ID 1311 continues to be logged on ISTG role holders, continue with the next step.
5. Detect and remove preferred bridgeheads. Manually selecting bridgehead servers can cause event ID 1311; it is recommended that administrators do not manually select bridgehead servers. View the list of preferred bridgehead servers in Active Directory Sites and Services. If there are any, remove them, and wait for a period of time that is twice as long as the longest replication interval in the forest. If event ID 1311 continues to be logged on ISTG role holders, continue with the next step.


Caution
The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back up system state first. For information about backing up system state, see "Active Directory Backup and Restore" in this guide.

6. Delete connections if the KCC is in "Connection Keeping" mode, and wait for a period of time that is twice as long as the longest replication interval in the forest.
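The following PowerShell script is an added example and is not part of the Active Directory Operations Guide. It scripts steps 1, 3 and 4 of the procedure above with ADSI and the event log cmdlets: it lists the ISTG of every site, counts event 1311 on each ISTG, checks the bridging bit on both transports, and parses a repadmin /showism matrix for "-1:0:0" cells. The function names are mine; $sampleShowIsm is a constructed approximation of the repadmin /showism layout (site names across the top and down the side, <cost>:<interval>:<options> in each cell) used only to exercise the parser. It assumes an account that can read the configuration partition and the Directory Service log on each ISTG.

```powershell
# Added example, not from the guide: triage of NTDS event 1311.
$configNc = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext

function Get-IstgRoleHolder {
    # Step 1a: each site's "NTDS Site Settings" object names its ISTG in the
    # interSiteTopologyGenerator attribute (the DN of that DC's NTDS Settings object).
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"LDAP://CN=Sites,$configNc"
    $s.Filter      = "(cn=NTDS Site Settings)"
    $s.SearchScope = "Subtree"
    [void]$s.PropertiesToLoad.Add("interSiteTopologyGenerator")
    foreach ($r in $s.FindAll()) {
        $site = $r.Path -replace '^LDAP://CN=NTDS Site Settings,CN=([^,]+),.*$', '$1'
        $ntds = $r.Properties["intersitetopologygenerator"]
        if ($ntds.Count -eq 0) {          # no ISTG elected: empty site, or all of its DCs are offline
            [pscustomobject]@{ Site = $site; Istg = $null }; continue
        }
        $server = [ADSI]("LDAP://" + ([string]$ntds[0] -replace '^CN=NTDS Settings,', ''))
        [pscustomobject]@{ Site = $site; Istg = [string]$server.dNSHostName }
    }
}

function Get-Event1311Count {
    param([string[]]$ComputerName, [int]$Days = 1)
    # Step 1b: is 1311 logged on every ISTG, or only on some sites?
    foreach ($c in $ComputerName) {
        $events = @(Get-WinEvent -ComputerName $c -ErrorAction SilentlyContinue -FilterHashtable @{
                      LogName = "Directory Service"; Id = 1311; StartTime = (Get-Date).AddDays(-$Days) })
        [pscustomobject]@{ Istg = $c; Event1311Count = $events.Count }
    }
}

function Test-SiteLinkBridging {
    # Step 3: bridging is on unless bit 0x2 (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED) is set
    # in the transport's options attribute; NULL and 0 both mean on.
    foreach ($t in "IP", "SMTP") {
        $raw  = ([ADSI]"LDAP://CN=$t,CN=Inter-Site Transports,CN=Sites,$configNc").options.Value
        $opts = 0; if ($raw -ne $null) { $opts = [int]$raw }
        [pscustomobject]@{ Transport = $t; Options = $opts; BridgingEnabled = (($opts -band 2) -eq 0) }
    }
}

function Find-MissingSiteLink {
    param([string[]]$ShowIsmOutput)
    # Step 4: a "-1:0:0" cell means no site link joins that pair of sites.
    $columns = $null
    foreach ($line in $ShowIsmOutput) {
        $tokens = $line.Trim() -split '\s+'
        if (-not $columns) { $columns = $tokens; continue }   # header row holds the site names
        if ($tokens.Count -lt 2) { continue }
        $row = $tokens[0]
        for ($i = 1; $i -lt $tokens.Count; $i++) {
            $col = $columns[$i - 1]
            if ($tokens[$i] -eq '-1:0:0' -and $row -lt $col) {   # report each unordered pair once
                [pscustomobject]@{ SiteA = $row; SiteB = $col }
            }
        }
    }
}

# Constructed sample matrix (assumed layout), not real repadmin output.
$sampleShowIsm = @(
    "         Hub        Branch1    Branch2"
    "Hub      0:0:0      100:180:0  -1:0:0"
    "Branch1  100:180:0  0:0:0      -1:0:0"
    "Branch2  -1:0:0     -1:0:0     0:0:0"
)
Find-MissingSiteLink $sampleShowIsm          # Branch2 is in no site link with Hub or Branch1

$istgs = Get-IstgRoleHolder
$istgs | Format-Table -AutoSize
Get-Event1311Count -ComputerName ($istgs | Where-Object Istg | ForEach-Object Istg) | Format-Table -AutoSize
Test-SiteLinkBridging | Format-Table -AutoSize
# Live check of the real topology: Find-MissingSiteLink (repadmin /showism)
```

If Event1311Count is non-zero on every ISTG, the cause is forest-wide (bridging, disjointed site links); if it is non-zero on only some, start with that site's links and bridgeheads.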

Troubleshooting SceCli Event ID 1202


SceCli event ID 1202 in the Application event log reports that security policy was applied with warnings. It can indicate a problem with Active Directory replication, especially if the error text carries the Win32 error code 1332 (0x534, "No mapping between account names and security IDs was done") or 1788 (0x6fc, "The trust relationship between the primary domain and the trusted domain failed"). With 0x534, a policy setting names an account that this computer cannot resolve to a SID: the account was mistyped, has been deleted, or was created so recently that it has not replicated yet. The troubleshooting procedure is the same for either code.

Procedure for Troubleshooting SceCli Event ID 1202


1. Enable logging for winlogon.log by changing the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\<GUID name of the security CSE>. This creates the winlogon.log file in the %systemroot%\security\logs folder.
2. Search the winlogon.log file for errors. At a command prompt, type the following and press ENTER:
FIND /I "error" %SYSTEMROOT%\security\logs\winlogon.log

This shows the account that is causing the problem. Determine why the account is causing the problem (for example, a mistyped account, a deleted account, or the wrong policy was applied). If you determine that you need to remove this account from the policy, continue to the next step to determine which policy and setting to change.
3. To find which setting contains the unresolved account, type the following command at a command prompt and press ENTER:
Find /I "<account>" %systemroot%\security\templates\policies\gpt*.*

This shows the cached template from the GPO that contains the setting that is causing the problem. View the template and search for a line that begins with "GPOPath=" followed by the GUID of the policy you need to change.
4. Map the GUID of the problem GPO to its friendly name. Use the Gpresult.exe tool from the Windows 2000 Server Resource Kit to obtain extensive output from the computer that generated the events. Search the results for the GUID you identified in the previous step. If you cannot find the GUID in the output from Gpresult.exe, use Search.vbs. Type the following command at a command prompt and press ENTER:

Search.vbs LDAP://CN=Policies,CN=System,DC=<domain>,DC=<domain> /C:(objectClass=groupPolicyContainer) /P:name,displayName

5. Repair or modify the GPO, as necessary.
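The following PowerShell script is an added example, not part of the guide, and automates steps 2 to 4 of the procedure above. The winlogon.log excerpt and the cached template it writes to a temporary folder are constructed samples whose layout is approximated from real files; point $LogRoot at %SystemRoot%\security on the affected computer to run the same functions against real data. The function names are mine. Resolve-GpoName needs a domain; the sample GUID is the well-known Default Domain Controllers Policy GUID, chosen so that the lookup resolves in any domain.

```powershell
# Added example, not from the guide: SceCli 1202 walk-through (steps 2 to 4).
$LogRoot = Join-Path $env:TEMP "scecli-1202-demo"
New-Item -ItemType Directory -Force -Path "$LogRoot\logs", "$LogRoot\templates\policies" | Out-Null

# Constructed sample of the winlogon.log lines written for an unresolved account.
@'
----Configure User Rights...
Configure S-1-5-32-551.
Error 1332: No mapping between account names and security IDs was done.
  Cannot find CORP\svc-backup.
----Configure Group Membership...
'@ | Set-Content -Path "$LogRoot\logs\winlogon.log"

# Constructed sample of a cached template under security\templates\policies.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
GPOPath={6AC1786C-016F-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-551,CORP\svc-backup
'@ | Set-Content -Path "$LogRoot\templates\policies\gpt00002.inf"

function Get-UnresolvedAccount {
    param([string]$WinlogonLog)
    # Step 2: the "Cannot find <account>." line names the account with no SID mapping.
    Select-String -Path $WinlogonLog -Pattern 'Cannot find (.+?)\.?\s*$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } |
        Sort-Object -Unique
}

function Find-PolicyForAccount {
    param([string]$Account, [string]$TemplateDir)
    # Step 3: find the cached template(s) that name the account, then the GPOPath=
    # line whose GUID identifies the GPO the template was cached from.
    Select-String -Path "$TemplateDir\gpt*.*" -Pattern $Account -SimpleMatch |
        Select-Object -ExpandProperty Path -Unique |
        ForEach-Object {
            $hit  = Select-String -Path $_ -Pattern '^GPOPath=(\{[0-9A-Fa-f-]+\})' | Select-Object -First 1
            $guid = $null
            if ($hit) { $guid = $hit.Matches[0].Groups[1].Value }
            [pscustomobject]@{ Template = (Split-Path -Leaf $_); GpoGuid = $guid }
        }
}

function Resolve-GpoName {
    param([string]$GpoGuid)
    # Step 4: the GPO container's cn is the GUID and displayName the friendly name;
    # this is the same object Search.vbs lists with objectClass=groupPolicyContainer.
    $domainNc = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
    [string]([ADSI]"LDAP://CN=$GpoGuid,CN=Policies,CN=System,$domainNc").displayName
}

$accounts = Get-UnresolvedAccount -WinlogonLog "$LogRoot\logs\winlogon.log"
$accounts                                     # CORP\svc-backup
$hits = $accounts | ForEach-Object { Find-PolicyForAccount -Account $_ -TemplateDir "$LogRoot\templates\policies" }
$hits | Format-Table -AutoSize                # gpt00002.inf  {6AC1786C-016F-11D2-945F-00C04FB984F9}
if ($env:USERDNSDOMAIN) {                     # only meaningful on a domain member
    $hits | ForEach-Object { Resolve-GpoName -GpoGuid $_.GpoGuid }   # Default Domain Controllers Policy
}
```

Before removing the account from the GPO (step 5), check whether it merely has not replicated to this computer's logon DC yet: an account that resolves on one domain controller but not another is a replication problem, not a policy problem.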

Troubleshooting Active Directory Installation Wizard Problems


The Active Directory Installation Wizard relies on a number of systems in Windows 2000 Server, including DNS registration and resolution, LDAP query and response, Kerberos authentication, Active Directory replication, FRS replication, and the application of Group Policy objects. This section contains some general guidelines for troubleshooting problems related to the Active Directory Installation Wizard. If you detect an error in any of the event logs or commands used during troubleshooting, refer to the related topic in this chapter. Table 2.9 shows the symptoms or errors that can occur with the Active Directory Installation Wizard, along with possible root causes and solutions.
Table 2.9 Active Directory Installation Wizard Errors

Symptom or error: Network location cannot be reached.
Root cause: Network connectivity problems.
Solution: Verify network connectivity.

Symptom or error: Active Directory Installation Failed: The operation failed with the following error: The system cannot find the file specified.
Root cause: This error message can be caused by one or more of the following conditions: the default Ntds.dit file is missing or not correctly located in the %SystemRoot%\System32 folder; incorrect permissions on the default Ntds.dit file; incorrect permissions on an existing NTDS folder structure.
Solution: Troubleshoot "access denied" error messages in Active Directory Installation Wizard.

Symptom or error: The wizard cannot gain access to the list of domains in the forest. The error is: The specified domain either does not exist or could not be contacted.
Root cause: This problem can occur if a domain controller in the domain has not registered an "A" record for itself in DNS.
Solution: Add the A record for the domain controller with the ipconfig /registerdns command. Flush the DNS cache on the computer running the Active Directory Installation Wizard by using the ipconfig /flushdns command. See "Troubleshooting Active Directory-Related DNS Problems" in this guide.

Symptom or error: Dcpromo fails with an "invalid parameter" error.
Root cause: In the Active Directory Installation Wizard, the administrator entered either a single- or multi-label NetBIOS name (such as CORP or CORP.COM) that is identical to the Active Directory domain name, or entered a name that is already in use on the network.
Solution: Use a NetBIOS name that does not conflict with other computers or domains on the network.

Symptom or error: The specified domain either does not exist or could not be contacted.
Root cause: DNS problems might be preventing name resolution for the source domain controller. This issue can also occur because the SYSVOL directory is not shared on the domain controller that will be used to source Active Directory.
Solution: See "Troubleshooting Active Directory-Related DNS Problems" in this guide to resolve DNS issues. Share the SYSVOL directory. To verify that the SYSVOL directory is shared, use the net share command to see if the SYSVOL share is listed. By default, the SYSVOL share is located in the following folder: %SystemRoot%\Sysvol\Sysvol.

Symptom or error: The operation failed because: Failed to modify the necessary properties for the machine account %computername%: "Access Denied".
Root cause: Source domain controller is not trusted for delegation.
Solution: Troubleshoot "access denied" error messages in Active Directory Installation Wizard.

Symptom or error: The operation failed because: To perform the requested operation, the directory service needs to contact the Domain Naming Master (server <servername>). The attempt to contact it failed. The specified server cannot perform the requested operation.
Root cause: Servers that are being promoted to domain controllers might generate this error message when they are unable to contact the domain naming master role holder during promotion. This happens while creating the first domain controller in a new child domain or in a new tree in an existing forest.
Solution: Troubleshoot domain naming master errors in Active Directory Installation Wizard.

Symptom or error: Active Directory Installation Failed. The operation failed because: The Directory Service failed to create the object CN=<servername>,CN=Partitions,CN=Configuration,DC=<domain controller>.
Root cause: Servers that are being promoted to domain controllers might generate this error message when they are unable to contact the domain naming master role holder during promotion.
Solution: Troubleshoot domain naming master errors in Active Directory Installation Wizard.

Symptom or error: The replication system encountered an internal error.
Root cause: See the Microsoft Knowledge Base article "Internal Error Running Dcpromo.exe."
Solution: See the Microsoft Knowledge Base article "Internal Error Running Dcpromo.exe."

Symptom or error: Missing SYSVOL and NETLOGON shares.
Root cause: Missing NETLOGON and SYSVOL shares typically occur on additional domain controllers in an existing domain, but can also occur on the first domain controller in a new domain.
Solution: Verify that the Net Logon service is running. Also see "Troubleshooting FRS" in this guide.

Symptom or error: An LDAP read of operational attributes failed.
Root cause: The domain naming master for the forest is offline or cannot be contacted.
Solution: Make the current domain naming master accessible. If necessary, see "Seizing Operations Master Roles" in this guide.

Troubleshooting "Access Denied" Error Messages in Active Directory Installation Wizard


There are several reasons why you might receive an "Access Denied" error message while using the Active Directory Installation Wizard. All have to do with permissions on the files or file structures that are necessary for the installation and service of a domain controller.

Procedures for Troubleshooting "Access Denied" Error Messages in Active Directory Installation Wizard
1. Verify file permissions to make sure they are correct. Verify that the default Ntds.dit file permissions in the System32 folder are:

System32\Ntds.dit
  BUILTIN\Users:            Read [RX]
  BUILTIN\Power Users:      Read [RX]
  BUILTIN\Administrators:   Full Control [ALL]
  NT AUTHORITY\SYSTEM:      Full Control [ALL]
  Everyone:                 Read [RX]

2. Verify folder permissions. If Active Directory was previously removed and now you are installing it again, the %SystemRoot%\Ntds and %SystemRoot%\Ntds\Drop folders will still exist. If permissions were changed, the error message might be caused by the folder permissions. The simplest resolution is to delete the original Ntds folder structure before running the Active Directory Installation Wizard. Or, you can change the folder permissions to match the following:

%SystemRoot%\Ntds
  BUILTIN\Users:            Special Access [RX]
  BUILTIN\Power Users:      Special Access [RWXD]
  BUILTIN\Administrators:   Special Access [A]
  NT AUTHORITY\SYSTEM:      Special Access [A]
  CREATOR OWNER:            Special Access [A]

%SystemRoot%\Ntds\Drop
  BUILTIN\Users:            Special Access [RX]
  BUILTIN\Power Users:      Special Access [RWXD]
  BUILTIN\Administrators:   Special Access [A]
  NT AUTHORITY\SYSTEM:      Special Access [A]
  CREATOR OWNER:            Special Access [A]

3. Verify that the current domain controllers in the domain have applied security policy and that the Enable computer and user accounts to be trusted for delegation user right is granted to the Administrators group.
a. In the Group Policy snap-in, click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click User Rights Assignment.
b. For computers that do not have this right, confirm that Group Policy objects in the directory service and file system have replicated by looking for event ID 1704 in the Application event log, and then manually apply the policy by typing the following command:

secedit /refreshpolicy machine_policy

4. Use a Dcpromo answer file to source the promotion from a deterministic domain controller. Search the Microsoft Knowledge Base for article Q223757: "Unattended Promotion and Demotion of Windows 2000 Domain Controllers." Use the ReplicationSourceDC parameter in the answer file.
5. Verify that the source domain controller is in the Domain Controllers OU. The name of the source domain controller can be found in the Dcpromo.log file in the %Systemroot%\debug folder on the Windows 2000 server that you are trying to promote.
6. Open a command prompt on the source domain controller, and run the Gpresult.exe Resource Kit tool to verify that the Default Domain Controllers policy is being applied to the source domain controller.
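The following PowerShell script is an added example, not part of the guide, that checks the file and folder permissions from steps 1 and 2 against the defaults listed above. The expected rights are the Windows 2000 defaults the procedure quotes, with the cacls notation mapped to .NET FileSystemRights ([RX] = ReadAndExecute, [RWXD] = Read, Write, ExecuteFile, Delete, [ALL] and [A] = FullControl); this mapping and the function name are mine. Current Windows versions ship tighter defaults for these paths, so treat a mismatch as a prompt to inspect, not as proof of damage. Run it elevated on the server being promoted.

```powershell
# Added example, not from the guide: compare NTDS file/folder ACLs with the listed defaults.
function Test-ExpectedAcl {
    param([string]$Path, [hashtable]$Expected)
    if (-not (Test-Path -LiteralPath $Path)) { return }   # Ntds\Drop exists only after an earlier promotion
    $acl = Get-Acl -LiteralPath $Path
    foreach ($identity in $Expected.Keys) {
        $want = [int][System.Security.AccessControl.FileSystemRights]$Expected[$identity]
        $have = 0; $denied = $false
        foreach ($rule in $acl.Access) {
            if ($rule.IdentityReference.Value -ne $identity) { continue }
            if ($rule.AccessControlType -eq 'Allow') { $have = $have -bor [int]$rule.FileSystemRights }
            else { $denied = $true }        # any Deny ACE for this identity is a finding in itself
        }
        [pscustomobject]@{
            Path     = $Path
            Identity = $identity
            Expected = [System.Security.AccessControl.FileSystemRights]$want
            Actual   = [System.Security.AccessControl.FileSystemRights]$have
            Ok       = (-not $denied) -and (($have -band $want) -eq $want)
        }
    }
}

# Defaults from the procedure, in FileSystemRights terms (assumed mapping, see lead-in).
$folderDefaults = @{
    'BUILTIN\Users'          = 'ReadAndExecute'
    'BUILTIN\Power Users'    = 'Read, Write, ExecuteFile, Delete'
    'BUILTIN\Administrators' = 'FullControl'
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
    'CREATOR OWNER'          = 'FullControl'
}
$checks = @{
    "$env:SystemRoot\System32\ntds.dit" = @{
        'BUILTIN\Users'          = 'ReadAndExecute'
        'BUILTIN\Power Users'    = 'ReadAndExecute'
        'BUILTIN\Administrators' = 'FullControl'
        'NT AUTHORITY\SYSTEM'    = 'FullControl'
        'Everyone'               = 'ReadAndExecute'
    }
    "$env:SystemRoot\Ntds"      = $folderDefaults
    "$env:SystemRoot\Ntds\Drop" = $folderDefaults
}

$results = foreach ($path in $checks.Keys) { Test-ExpectedAcl -Path $path -Expected $checks[$path] }
$results | Format-Table Path, Identity, Expected, Actual, Ok -AutoSize
```

A row with Ok set to False on Administrators or SYSTEM is the usual cause of the "system cannot find the file specified" and "Access Denied" symptoms in Table 2.9; missing Everyone or Users rights on the template Ntds.dit matter less, since the wizard runs as an administrator.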

Troubleshooting Domain Naming Master Errors in Active Directory Installation Wizard


Replication latency or replication errors can cause inconsistency in the domain naming master role owner as seen by different domain controllers in the forest.

Procedures for Troubleshooting Domain Naming Master Errors in the Active Directory Installation Wizard
1. Verify that replication is functioning for the domain naming master.
2. Verify the existence of operations masters to ensure that domain controllers in the forest are consistent about the computer name that is designated as the current domain naming master.
3. View the current operations master role holders and confirm that the domain naming master is a global catalog server. (This is a Windows 2000 requirement; the Windows Server 2003 forest functional level removes it.)
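The following PowerShell script is an added example, not part of the guide, for steps 2 and 3 above: it asks every domain controller in the forest which server it believes holds the domain naming master role, and whether that server is a global catalog. The function names are mine. It assumes LDAP access to every domain controller; unreachable ones are reported rather than skipped silently.

```powershell
# Added example, not from the guide: is the forest consistent about the domain naming master?
function Get-ForestDomainController {
    # Every DC has an NTDS Settings object (class nTDSDSA) under CN=Sites; its parent is the server object.
    $configNc = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"LDAP://CN=Sites,$configNc"
    $s.Filter      = "(objectClass=nTDSDSA)"
    $s.SearchScope = "Subtree"
    foreach ($r in $s.FindAll()) {
        $server = [ADSI]($r.Path -replace '^LDAP://CN=NTDS Settings,', 'LDAP://')
        [string]$server.dNSHostName
    }
}

function Get-DomainNamingMasterView {
    param([string[]]$DomainController)
    foreach ($dc in $DomainController) {
        try {
            $configNc  = [string]([ADSI]"LDAP://$dc/RootDSE").configurationNamingContext
            # CN=Partitions carries the forest-wide fSMORoleOwner for the domain naming master.
            $ownerNtds = [string]([ADSI]"LDAP://$dc/CN=Partitions,$configNc").fSMORoleOwner
            $ownerHost = [string]([ADSI]("LDAP://$dc/" + ($ownerNtds -replace '^CN=NTDS Settings,', ''))).dNSHostName
            # Bit 0x1 (NTDSDSA_OPT_IS_GC) in the owner's NTDS Settings options marks a global catalog.
            $raw  = ([ADSI]"LDAP://$dc/$ownerNtds").options.Value
            $opts = 0; if ($raw -ne $null) { $opts = [int]$raw }
            [pscustomobject]@{ AskedDc = $dc; DomainNamingMaster = $ownerHost; OwnerIsGc = (($opts -band 1) -ne 0); Error = $null }
        } catch {
            [pscustomobject]@{ AskedDc = $dc; DomainNamingMaster = $null; OwnerIsGc = $null; Error = $_.Exception.Message }
        }
    }
}

$views = Get-DomainNamingMasterView -DomainController (Get-ForestDomainController)
$views | Format-Table -AutoSize
# More than one distinct answer means CN=Partitions has not replicated everywhere (step 1).
$views | Where-Object DomainNamingMaster | Group-Object DomainNamingMaster | Select-Object Count, Name
```

Run the promotion against a domain controller that agrees with the role holder itself, or fix replication first; a server that still points at an old owner produces exactly the "needs to contact the Domain Naming Master" failure in Table 2.9.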


Troubleshooting Directory Data Problems


Data transactions in Active Directory are either completed in full or not made at all. If for any reason an error occurs and a transaction is unable to complete all of its steps, the system is returned to the state that existed before the transaction began. An example of an atomic transaction is an account transfer where money is removed from account A and placed into account B. If the system fails after it removes the money from account A and before it places it into account B, the transaction processing system puts the money back into account A and returns the system to its original state; that is, it rolls back the transaction. Table 2.14 shows the types of directory data problems that can occur, along with root cause and solution.

Table 2.14 Directory Data Problems

Symptom: Lingering objects.
Root cause: If a domain controller remains disconnected for a longer period than the tombstone lifetime, an object that has been deleted from the directory can remain on the disconnected domain controller. For this reason, such objects are called "lingering objects."
Solution: See "Managing Long-Disconnected Domain Controllers" in this guide.

Symptom: Lost objects.
Root cause: If an object is created on one domain controller, and the container in which it was created is deleted on another domain controller before the object has a chance to replicate, it becomes a lost object. Lost objects are automatically placed in a domain container where you can find them and either move or delete them.
Solution: Troubleshoot lost domain objects.

Symptom: Object name conflicts.
Root cause: If an object is created on one domain controller and an object with the same name is created in the same container on another domain controller before replication occurs, it creates an object name conflict. Active Directory automatically changes the relative distinguished name of the object with the earlier timestamp to a unique name.
Solution: Troubleshoot object name conflicts.

WARNING
If you find collisions in the Domain Controllers OU, stop. Continuing with the procedures below can cause further damage. Contact Microsoft Product Support Services for guidance.

Troubleshooting Lost Domain Objects


In some cases, an administrator might create or move an object into a container on one domain controller and another administrator might delete that same container on a different domain controller before the object is replicated. In such cases, the object is added to the LostAndFound container for the domain. The LostAndFoundConfig container in the configuration directory partition serves the same purpose for forest-wide objects.

Procedures for Troubleshooting Lost Domain Objects


1. In Active Directory Users and Computers, on the View menu, click Advanced Features.
2. In the console tree, click the LostAndFound container.
3. For each object, examine the Last Known Parent attribute. This attribute indicates the previous location of the object.
4. For each object, do one of the following, as appropriate: move the object to the correct location, recreating the parent if necessary; or delete the object if it is no longer needed.
5. Review and revise your operational procedures to ensure that object creations and deletions are coordinated.

Troubleshooting Object Name Conflicts


Active Directory supports multimaster replication of directory objects between all domain controllers in the domain. When replication of objects results in name conflicts (two objects have the same name within the same container), the system automatically renames one of these objects to a unique name. For example, object ABC is renamed to ABC*CNF:guid, where "*" represents a reserved character, "CNF" is a constant that indicates a conflict resolution, and "guid" represents a printable representation of the objectGUID attribute value. The reserved character is the line feed (0x0A), so in LDAP-escaped form the new relative distinguished name reads ABC\0ACNF:guid. This causes event ID 12292 to be logged in the System event log on the domain controller. You must clean up Active Directory to resolve this error.

Procedures for Resolving Object Name Conflicts


1. Take note of the conflicting account objects. In Active Directory Users and Computers, delete the appropriate conflicting account objects (usually the newer one) on a domain controller in the domain that contains the accounts.
2. Rename the client computers whose accounts were deleted and join them to the domain.
a. Right-click My Computer.
b. In the System Properties dialog box, select the Computer Name tab and click the Change button.
c. In the Computer Name Changes dialog box, enter a new name in the Computer name field.
d. Click OK to exit the Computer Name Changes dialog box, and click OK to exit the System Properties dialog box.
e. Restart the computer.
3. Verify that replication is functioning properly. If replication is not functioning properly, see "Troubleshooting Active Directory Replication Problems" in this guide. If it is, review and revise your operational procedures to ensure that object creations and deletions are coordinated.

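The following PowerShell script is an added example, not part of the guide, and serves both "Troubleshooting Lost Domain Objects" and "Troubleshooting Object Name Conflicts" above: it lists LostAndFound objects with their lastKnownParent (and whether that parent still exists), and finds conflict-renamed objects anywhere under a search root, pairing each with the object that kept the name so you can compare them before deleting either. The function names are mine; it assumes read access to the domain partition, and the final name filter assumes object names without LDAP filter metacharacters.

```powershell
# Added example, not from the guide: find lost objects and CNF-renamed objects.
function Invoke-LdapSearch {
    param([string]$SearchRoot, [string]$Filter, [string]$Scope = "Subtree", [string[]]$Attributes)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"LDAP://$SearchRoot"
    $s.Filter      = $Filter
    $s.SearchScope = $Scope
    $s.PageSize    = 1000                  # paged results, so large containers are not cut at 1000 entries
    $s.PropertiesToLoad.AddRange($Attributes)
    $s.FindAll()
}

function Get-LostAndFoundObject {
    param([string]$DomainNc)
    $attrs = "distinguishedName", "lastKnownParent", "whenChanged"
    foreach ($r in Invoke-LdapSearch -SearchRoot "CN=LostAndFound,$DomainNc" -Filter "(objectClass=*)" -Scope "OneLevel" -Attributes $attrs) {
        $parent = $null
        if ($r.Properties["lastknownparent"].Count -gt 0) { $parent = [string]$r.Properties["lastknownparent"][0] }
        [pscustomobject]@{
            Object          = [string]$r.Properties["distinguishedname"][0]
            LastKnownParent = $parent
            # If the parent exists again (recreated, or never fully deleted) the object can be moved straight back.
            ParentExists    = ($parent -ne $null) -and [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$parent")
            WhenChanged     = $r.Properties["whenchanged"][0]
        }
    }
}

function Get-ConflictObject {
    param([string]$SearchRoot)
    # The conflict loser is renamed "<name>\nCNF:<objectGUID>"; the reserved character is the
    # line feed 0x0A, written \0A in an LDAP filter. The RDN attribute "name" covers every class.
    $attrs = "distinguishedName", "name", "whenCreated", "objectCategory"
    foreach ($r in Invoke-LdapSearch -SearchRoot $SearchRoot -Filter '(name=*\0ACNF:*)' -Attributes $attrs) {
        $name = [string]$r.Properties["name"][0]
        [pscustomobject]@{
            ConflictObject = [string]$r.Properties["distinguishedname"][0]
            OriginalName   = ($name -split "`nCNF:")[0]
            WhenCreated    = $r.Properties["whencreated"][0]
            Category       = ([string]$r.Properties["objectcategory"][0]) -replace '^CN=([^,]+),.*$', '$1'
        }
    }
}

$domainNc = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
Get-LostAndFoundObject -DomainNc $domainNc | Format-Table -AutoSize
$conflicts = Get-ConflictObject -SearchRoot $domainNc
$conflicts | Format-Table -AutoSize

# Step 1 of the conflict procedure: pair each CNF object with the namesake that kept the name.
foreach ($c in $conflicts) {
    $container = $c.ConflictObject -replace '^[^,]+,', ''
    $winner = Invoke-LdapSearch -SearchRoot $container -Filter "(name=$($c.OriginalName))" -Scope "OneLevel" -Attributes "distinguishedName" |
        ForEach-Object { [string]$_.Properties["distinguishedname"][0] }
    [pscustomobject]@{ KeptName = $winner; Renamed = $c.ConflictObject; RenamedCreated = $c.WhenCreated }
}
```

For computer and user accounts, compare group memberships and the last logon on both objects before deleting one: the CNF-renamed object is the one with the earlier stamp, but it may be the one that is actually in use.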
Troubleshooting Windows Time Service Problems


If you suspect a time synchronization problem, use the Net Time tool and the W32tm tool to identify time errors. Table 2.15 shows common error messages that these commands display, their root cause, and solution. If the time synchronization problem is occurring on the PDC emulator, see "Troubleshooting Windows Time Service Errors on a PDC Emulator" in this guide.

Table 2.15 Error Messages for Net Time and W32tm Tools

Tool and error: Net Time: Could not locate a time server.
Root cause: The manually specified time source might not be in the local workgroup or in the domain, or it might not be announcing itself as a time server. Although you received this message, the time service might still be synchronizing time. The time service might not have been stopped before a configuration change was made. UDP port 123 might be closed on the firewall or router between the client and the server, or it is being used by another service.
Solution: Verify that Windows Time Service is synchronizing time. See "Managing Windows Time Service" in this guide for best practice guidelines for configuring time. The other service using UDP port 123 might be Windows Time Service itself; stop and start Windows Time Service to solve the problem.

Tool and error: Net Time: Access denied.
Root cause: A remote procedure call (RPC) failed to authenticate, usually because the user does not have permission to access the remote computer and run Net Time.
Solution: If you know the user name and password of an account that does have access rights, establish credentials to access the remote computer to perform this task.

Tool and error: W32tm: Bind failed.
Root cause: Two instances of the same service are trying to start by using the same port. The Windows Time Service is already using UDP port 123 (the default port for the time service). Therefore, the W32tm tool is not able to use the port.
Solution: When you use the W32tm tool, be sure to stop and start Windows Time Service.

Troubleshooting Windows Time Service Errors on a PDC Emulator


By default, no time source is configured on the PDC emulator. As a result, when Windows Time Service is running on the PDC emulator, it writes messages to the System event log indicating that it has no time source. When this error occurs, do one of the following:
- Configure a manual time source for the PDC emulator of the forest root domain. For more information about configuring a manual time source for the PDC emulator, see "Configuring a Time Source for the Forest" in this guide.
- or -
- Set the PDC emulator to not synchronize time.
Prefer the first option: the forest-root PDC emulator is the top of the time hierarchy, and if its clock free-runs, Kerberos authentication fails across the forest once the skew exceeds the default 5-minute tolerance.
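The following PowerShell script is an added example, not part of the guide. It locates the PDC emulator of the current domain, reads its W32Time configuration over the remote registry, and lists its recent time-service events, so you can see which of the two fixes above is in place. The function names are mine; it assumes the Remote Registry service is running on the PDC emulator and that you can read its System log. Type and NtpServer are the W32Time\Parameters values the service itself uses.

```powershell
# Added example, not from the guide: what time source does the PDC emulator use?
function Get-PdcEmulator {
    # The domain partition's fSMORoleOwner points at the PDC emulator's NTDS Settings object.
    $domainNc = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
    $ntdsDn   = [string]([ADSI]"LDAP://$domainNc").fSMORoleOwner
    [string]([ADSI]("LDAP://" + ($ntdsDn -replace '^CN=NTDS Settings,', ''))).dNSHostName
}

function Get-W32TimeConfig {
    param([string]$ComputerName)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\W32Time\Parameters')
    $type = [string]$key.GetValue('Type')
    $ntp  = [string]$key.GetValue('NtpServer')
    $state = switch ($type) {
        'NTP'    { if ($ntp) { "manual time source configured: $ntp" } else { "Type is NTP but NtpServer is empty" } }
        'NoSync' { "configured not to synchronize (clock free-runs; watch Kerberos skew)" }
        'NT5DS'  { "follows the domain hierarchy; on the forest-root PDC emulator there is no upstream source" }
        default  { "unrecognized Type value '$type'" }
    }
    [pscustomobject]@{ Computer = $ComputerName; Type = $type; NtpServer = $ntp; State = $state }
}

function Get-W32TimeEvent {
    param([string]$ComputerName, [int]$Hours = 24)
    # Provider name differs across Windows versions; both spellings are queried.
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service', 'W32Time'
        StartTime = (Get-Date).AddHours(-$Hours) } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

$pdc = Get-PdcEmulator
Get-W32TimeConfig -ComputerName $pdc | Format-List
Get-W32TimeEvent  -ComputerName $pdc | Format-Table -Wrap -AutoSize
```

Run it against the forest root domain: a child-domain PDC emulator with Type NT5DS is correct, because it synchronizes from a domain controller in the parent domain.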
