Active Directory Domain Services Operations Guide
Microsoft Corporation
Published: September 2008
Abstract
This operations guide provides administration and management information for the
Active Directory Domain Services (AD DS) directory service technologies in the
Windows Server 2008 operating system.
Copyright information
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place, or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in, or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2008 Microsoft Corporation. All rights reserved.
Active Directory, Microsoft, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Contents
Active Directory Domain Services Operations Guide
New in This Guide
Administering Active Directory Domain Services
Introduction to Administering Active Directory Domain Services
When to use this guide
How to use this guide
Administering Domain and Forest Trusts
Introduction to Administering Domain and Forest Trusts
Best Practices for Administering Domain and Forest Trusts
Managing Domain and Forest Trusts
Creating Domain and Forest Trusts
New Trust Wizard terminology
Known Issues for Creating Domain and Forest Trusts
Creating External Trusts
Create a One-Way, Incoming, External Trust for One Side of the Trust
Create a One-Way, Incoming, External Trust for Both Sides of the Trust
Create a One-Way, Outgoing, External Trust for One Side of the Trust
Create a One-Way, Outgoing, External Trust for Both Sides of the Trust
Create a Two-Way, External Trust for One Side of the Trust
Create a Two-Way, External Trust for Both Sides of the Trust
Creating Shortcut Trusts
Create a One-Way, Incoming, Shortcut Trust for One Side of the Trust
Create a One-Way, Incoming, Shortcut Trust for Both Sides of the Trust
Create a One-Way, Outgoing, Shortcut Trust for One Side of the Trust
Create a One-Way, Outgoing, Shortcut Trust for Both Sides of the Trust
Restore the Windows Time Service on the Local Computer to the Default Settings
Administering DFS-Replicated SYSVOL
Introduction to Administering DFS-Replicated SYSVOL
SYSVOL terminology and capitalization
Using DFS Replication for replicating SYSVOL in Windows Server 2008
Requirements for using DFS Replication
Key considerations for administering SYSVOL
Relocating SYSVOL folders
Managing DFS-Replicated SYSVOL
Changing the Quota That Is Allocated to the SYSVOL Staging Area
Change the Quota That Is Allocated to the SYSVOL Staging Folder
Relocating the SYSVOL Staging Area
Identify Replication Partners
Check the Status of the SYSVOL and Netlogon Shares
Verify Active Directory Replication
Gather the SYSVOL Path Information
To gather the SYSVOL path information
Stop the DFS Replication Service and Netlogon Service
Create the SYSVOL Staging Areas Folder Structure
Change the SYSVOL Root Path or Staging Areas Path, or Both
See Also
Start the DFS Replication Service and Netlogon Service
Force Replication Between Domain Controllers
See Also
Relocating SYSVOL Manually
Identify Replication Partners
Check the Status of the SYSVOL and Netlogon Shares
Verify Active Directory Replication
Gather the SYSVOL Path Information
To gather the SYSVOL path information
Configure the Site Link Schedule to Identify Times During Which Intersite Replication Can Occur
Configure the Site Link Interval to Identify How Often Replication Polling Can Occur During the Schedule Window
Configure the Site Link Cost to Establish a Priority for Replication Routing
Determine the ISTG Role Owner for a Site
Generate the Replication Topology on the ISTG
Enabling Clients to Locate the Next Closest Domain Controller
Enable Clients to Locate a Domain Controller in the Next Closest Site
Moving a Domain Controller to a Different Site
TCP/IP settings
DNS settings
Preferred bridgehead server status
Change the Static IP Address of a Domain Controller
Update the IP Address for a DNS Delegation
Update the IP Address for a DNS Forwarder
Verify That an IP Address Maps to a Subnet and Determine the Site Association
See Also
Determine Whether a Server is a Preferred Bridgehead Server
See Also
View the List of All Preferred Bridgehead Servers
See Also
Configure a Server to Not Be a Preferred Bridgehead Server
See Also
Move a Server Object to a New Site
See Also
Enabling Universal Group Membership Caching in a Site
Enable Universal Group Membership Caching in a Site
Forcing Replication
Forcing replication of all directory updates over a connection
Forcing replication of configuration updates
Force Replication Between Domain Controllers
Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin)
Additional considerations
Move the Directory Database and Log Files to a Local Drive
See Also
Copy the Directory Database and Log Files to a Remote Share
See Also
Returning Unused Disk Space from the Active Directory Database to the File System
Change the Garbage Collection Logging Level to 1
See Also
Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin)
Additional considerations
Compact the Directory Database File (Offline Defragmentation)
See Also
If the Database Integrity Check Fails, Perform Semantic Database Analysis with Fixup
Administering Domain Controllers
Additional references
Introduction to Administering Domain Controllers
Installing Remote Server Administration Tools
Installing and removing AD DS
Adding domain controllers
Removing domain controllers
Renaming domain controllers
Adding domain controllers to branch sites
Installing from media
Shipping installed domain controllers to branch sites
Managing Domain Controllers
Installing Remote Server Administration Tools for AD DS
Installing Active Directory Domain Services Tools on a member server that is running Windows Server 2008
Installing Active Directory Domain Services Tools on a computer that is running Windows Vista with SP1
Managing Antivirus Software on Active Directory Domain Controllers
Guidelines for managing antivirus software on Active Directory domain controllers
Files to exclude from scanning
Acknowledgments
Produced by: Microsoft Windows Server Directory and Access Services (DAS) IT Pro Content
Team
Writers: Mary Hillman, Gayana Bagdasaryan
Editor: Jim Becker
Technical reviewers: Umit Akkus, David Beach, Arren Conner, Gregoire Guetat, Xin He,
Kurt Hudson, Jessie Li, Herbert Mauerer, Joe Patterson, Ned Pyle, Wakkas Rafiq,
Ryan Sizemore, Ingolfur Arnar Strangeland, Mahesh Unnikrishnan
Additional Resources
You want to manage common Active Directory problems that are associated with
misconfiguration.
This guide assumes a basic understanding of what AD DS is, how it works, and why your
organization uses it to access, manage, and secure shared resources across your network. It
also assumes a thorough understanding of how AD DS is deployed and managed in your
organization. This includes an understanding of the mechanism your organization uses to
configure and manage Active Directory settings.
This guide can be used by organizations that have deployed Windows Server 2008. It includes
information that is relevant to different roles in an IT organization, including IT operations
managers, administrators, and operators. This information includes management-level knowledge
about AD DS and administrator-level information about the IT processes that are required to
operate it.
This guide contains detailed procedures that are designed for operators (or designated users)
who have varied levels of expertise and experience. Although the procedures provide operator
guidance from start to finish, operators must have a basic proficiency with Microsoft Management
Console (MMC) and MMC snap-ins. Operators must also know how to start administrative
programs and access the command line. If operators are not familiar with AD DS, it might be
necessary for IT planners, managers, or administrators to review the relevant operations in this
guide and provide the operators with the parameters or data that they must enter when they
perform the operations.
Objectives are high-level goals for administering AD DS. Each objective consists of one or
more high-level tasks that describe how the objective is accomplished. In this guide,
"Managing the Windows Time Service" is an example of an objective.
Tasks contain groups of procedures for achieving the goals of an objective. In this guide,
"Configuring a time source for the forest" is an example of a task.
Procedures provide step-by-step instructions for completing tasks. In this guide, "Configure a
domain controller in the parent domain as a reliable time source" is an example of a
procedure topic.
Read through the objectives and tasks to determine how to delegate permissions.
Determine whether you need to install tools before operators perform the procedures for each
task. Before you assign tasks to individual operators, ensure that all the tools are installed
where operators can use them.
When necessary, create tear sheets for each task that operators perform in your
organization. Cut and paste the task and its related procedures into a separate document.
Then you can either print this document or store it online.
You can use the Nltest.exe tool to display and record a list of these trusts. For more
information, see Nltest Overview (http://go.microsoft.com/fwlink/?LinkID=93567).
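The following is an added example, not part of the guide, of how the trust record described above can be produced and kept: it lists every trust of the current forest through the .NET directory API (present on Windows Server 2008 without extra modules), saves the raw Nltest listing beside it, and compares a later record with the earlier one so that a trust nobody created on purpose shows up as a change. The output paths are placeholders.

```powershell
# Added example (not part of the guide): record the current trust inventory and
# compare it with an earlier record, so an unexpected trust shows up as a change.
# Assumptions: runs on a domain-joined machine as a user who can read the trusted
# domain objects; the file paths used below are placeholders.

function Get-TrustInventory {
    # System.DirectoryServices.ActiveDirectory ships with .NET 2.0, so this works on
    # Windows Server 2008 without the Active Directory module for Windows PowerShell.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($domain in $forest.Domains) {
        foreach ($trust in $domain.GetAllTrustRelationships()) {
            New-Object PSObject -Property @{
                SourceDomain = $trust.SourceName
                TargetDomain = $trust.TargetName
                Type         = [string]$trust.TrustType       # External, Forest, ParentChild, TreeRoot, Kerberos, Unknown
                Direction    = [string]$trust.TrustDirection  # Inbound, Outbound, Bidirectional
            }
        }
    }
}

function Save-TrustInventory {
    param([string]$Path)
    Get-TrustInventory | Sort-Object SourceDomain, TargetDomain |
        Export-Csv -Path $Path -NoTypeInformation
    # Keep the raw Nltest listing next to the CSV; it shows trust attributes such as
    # "quarantined" (SID filtering) that the object model above does not expose.
    & nltest /domain_trusts /all_trusts /v |
        Out-File -FilePath ($Path -replace '\.csv$', '.nltest.txt')
}

function Compare-TrustInventory {
    param([string]$Baseline, [string]$Current)
    $key = { "$($_.SourceDomain) -> $($_.TargetDomain) [$($_.Type), $($_.Direction)]" }
    $before = @(Import-Csv $Baseline | ForEach-Object $key)
    $after  = @(Import-Csv $Current  | ForEach-Object $key)
    Compare-Object -ReferenceObject $before -DifferenceObject $after | ForEach-Object {
        $state = if ($_.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
        "$state $($_.InputObject)"
    }
}

# Usage (paths are placeholders):
# Save-TrustInventory -Path 'C:\Audit\trusts-2008-09.csv'
# ... after the next change window ...
# Save-TrustInventory -Path 'C:\Audit\trusts-2008-10.csv'
# Compare-TrustInventory -Baseline 'C:\Audit\trusts-2008-09.csv' -Current 'C:\Audit\trusts-2008-10.csv'
```

Run the inventory from a forest root domain controller or a member server that can reach every domain; GetAllTrustRelationships on each domain object lists both the trusts that domain originates and the ones it receives, so a trust created unilaterally on the other side of a one-way relationship still appears in the comparison once its TDO exists locally.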
Before you use the procedures in these tasks, review the issues in Known Issues for Creating
Domain and Forest Trusts.
This domain: The domain from which you launch the New Trust Wizard. When you start the
wizard, it immediately verifies your administrative credentials in the domain for which you are
the administrator. Therefore, the wizard uses the term this domain to represent the domain
that you are currently logged on to.
Local domain / Local forest: The domain or forest where you start the New Trust Wizard.
Specified domain / Specified forest: The other domain or forest that this local domain or
local forest will trust. Although the New Trust Wizard is aware of the domain context in which
it is running, it does not have knowledge of the other domain that you want to create the
relationship with. After you type the name of the other domain or forest in the Trust Name
page, that name is used whenever the wizard refers to the specified domain or specified
forest.
Two-way trust: A trust relationship between two domains in which both domains trust each
other. For example, domain A trusts domain B, and domain B trusts domain A. All parent-child
trusts are two-way trusts.
One-way: incoming trust: A one-way trust relationship between two domains in which the
direction of the trust points toward the domain from which you start the New Trust Wizard
(and which is identified in the wizard as This domain). When the direction of the trust points
toward your domain, users in your domain can access resources in the specified domain. For
example, if you are the domain administrator in domain A and you create a one-way,
incoming trust to domain B, this provides a relationship through which users who are located
in domain A can access resources in domain B. Because this relationship is one way, users in
domain B cannot access resources in domain A.
One-way: outgoing trust: A one-way trust relationship between two domains in which the
direction of the trust points toward the domain that is identified as Specified domain in the
New Trust Wizard. When the direction of trust points toward the specified domain, users in
the specified domain can access resources in your domain. For example, if you are the
domain administrator in domain A and you create a one-way, outgoing trust to domain B, this
action provides a relationship through which users who are located in domain B can access
resources in domain A. Because this relationship is one way, users in domain A cannot
access resources in domain B.
Both sides of the trust: When you create external trusts, shortcut trusts, or forest trusts, you
have the option to create each side of the trust separately or both sides of the trust
simultaneously. If you choose to create each side of the trust separately, you must run the
New Trust Wizard twice, once for each domain. When you create trusts separately, you must
supply the same trust password for each domain. As a security best practice, all trust
passwords should be strong passwords.
Trust password: An option in which both domains in a trust relationship share a password,
which is stored in the trusted domain object (TDO) object in Active Directory Domain Services
(AD DS). When you choose this option, a strong trust password is generated automatically for
you. You must use the same password when you create a trust relationship in the specified
domain. If you choose to create both sides of the trust simultaneously, you run the New Trust
Wizard once.
You cannot delegate the creation of trusts to any user who is not a member of the Domain
Admins group or the Enterprise Admins group. Even though you can grant a user the Create
TDO (Trusted Domain Object) right or the Delete TDO right in the System container of a
domain, the user will not be granted the right to create a trust. This issue occurs because
Netlogon and the trust-creation tools (Active Directory Domains and Trusts and Netdom) are
designed so that only members of the Domain Admins group and the Enterprise Admins
group can create trusts. However, any user who is a member of the Incoming Forest Trust
Builders group can create one-way, incoming forest trusts to your forest.
When you are logged on locally to a domain controller and you try to create a new trust by
using Active Directory Domains and Trusts, the operation may be unsuccessful and you may
receive the message Access denied. This issue occurs only if you are logged on locally to
the domain controller as an ordinary user (that is, you are not logged on as Administrator or
as a member of any administrative groups for the domain). By default, ordinary users are
blocked from logging on locally to a domain controller unless Group Policy is modified to
permit this.
When you use the Active Directory Domains and Trusts snap-in to create a trust, you may
receive the message Operation failed. Parameter incorrect. This issue may occur if you try
to establish a trust relationship when the source domain and the target domain have one or
more of the following identifiers that are the same:
NetBIOS name
To resolve this issue, do one of the following before you try to create the trust, as appropriate
to your situation:
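A pre-flight check for the duplicate-identifier condition above, as an added example that is not part of the guide: it reads the NetBIOS name, DNS name and domain SID of both domains over LDAP and refuses to proceed when any of them collide. The guide's Known Issues text names the NetBIOS name; the DNS name and domain SID comparisons are added here on the assumption that a collision in either also has to be cleared before a trust can be established. The domain names and credentials are placeholders.

```powershell
# Added example (not part of the guide): compare the identifiers of the two domains
# before running the New Trust Wizard, so the "Operation failed. Parameter incorrect."
# condition is caught up front.
# Assumptions: both domains are reachable over LDAP from this machine, and the caller
# has read access to each domain's configuration partition (supply a credential for
# the other domain when there is no trust yet). The SID comparison is an addition that
# the guide does not mention.

function Get-DomainIdentity {
    param(
        [string]$DnsDomainName,
        [System.Management.Automation.PSCredential]$Credential
    )
    $user = $null; $pass = $null
    if ($Credential) {
        $user = $Credential.UserName
        $pass = $Credential.GetNetworkCredential().Password
    }
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DnsDomainName/RootDSE", $user, $pass)
    $configNc = [string]$rootDse.Properties['configurationNamingContext'].Value
    $domainNc = [string]$rootDse.Properties['defaultNamingContext'].Value

    # The crossRef object for the domain in the Partitions container carries its NetBIOS name.
    $partitions = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DnsDomainName/CN=Partitions,$configNc", $user, $pass)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($partitions)
    $searcher.Filter = "(&(objectClass=crossRef)(nCName=$domainNc))"
    [void]$searcher.PropertiesToLoad.Add('nETBIOSName')
    $crossRef = $searcher.FindOne()
    if (-not $crossRef) { throw "No crossRef found for $domainNc in $DnsDomainName" }

    # The domain SID is the objectSid of the domain naming context head.
    $domainHead = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DnsDomainName/$domainNc", $user, $pass)
    $sidBytes = [byte[]]$domainHead.Properties['objectSid'].Value
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

    New-Object PSObject -Property @{
        DnsName     = $DnsDomainName.ToLower()
        NetBiosName = ([string]$crossRef.Properties['netbiosname'][0]).ToUpper()
        Sid         = $sid.Value
    }
}

function Test-TrustIdentifierConflict {
    param($Source, $Target)
    $conflicts = @()
    if ($Source.NetBiosName -eq $Target.NetBiosName) { $conflicts += "NetBIOS name '$($Source.NetBiosName)'" }
    if ($Source.DnsName     -eq $Target.DnsName)     { $conflicts += "DNS name '$($Source.DnsName)'" }
    if ($Source.Sid         -eq $Target.Sid)         { $conflicts += "domain SID '$($Source.Sid)'" }
    if ($conflicts.Count -gt 0) {
        Write-Warning ("Do not create the trust: duplicate " + ($conflicts -join ', '))
        return $false
    }
    return $true
}

# Usage (names are placeholders):
# $src = Get-DomainIdentity -DnsDomainName 'corp.contoso.com'
# $tgt = Get-DomainIdentity -DnsDomainName 'corp.fabrikam.com' -Credential (Get-Credential 'FABRIKAM\Administrator')
# Test-TrustIdentifierConflict -Source $src -Target $tgt
```

A duplicate NetBIOS name is the usual cause when one domain was cloned or restored from the other's installation media; rename or rebuild the offending domain rather than trying to work around the wizard, because the name is what Netlogon uses to route authentication across the trust.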
The option to create a forest trust may not appear in the New Trust Wizard. This issue
typically occurs when one or both of the Windows Server 2008 forests are not set to the
Windows Server 2003 forest functional level or higher. For more information about forest
functional levels, see Active Directory Functional Levels Technical Reference
(http://go.microsoft.com/fwlink/?LinkId=111466).
You cannot create a trust relationship with a Microsoft Windows Small Business Server 2003
(Windows SBS) domain. For information about Windows SBS software, see Introduction to
Windows Small Business Server 2003 for Enterprise IT Pros (http://go.microsoft.com/fwlink/?
LinkId=121891).
You can create an external trust between two Windows Server 2003-based or Windows
Server 2008-based domains, between a Windows Server 2008-based domain and a
Windows Server 2003-based domain, or between a Windows Server 2003-based domain or
Windows Server 2008-based domain and a Windows NT-based domain. External trusts are
nontransitive: they cannot be extended implicitly to a third domain.
External trusts have no forest functional level requirement, which is why they can also
be created with Windows NT-based domains. It is forest trusts that require the forest
functional level of both forests to be Windows Server 2003 or Windows Server 2008. For
more information about functional levels, see Active Directory Functional Levels Technical
Reference (http://go.microsoft.com/fwlink/?LinkId=111466).
To create an external trust successfully, you must set up your Domain Name System (DNS)
environment properly. If there is a root DNS server that you can make the root DNS server for
the DNS namespaces of both forests, make that server the root DNS server by ensuring that
the root zone contains delegations for each of the DNS namespaces. Also, update the root
hints of all DNS servers with the new root DNS server.
If there is no shared root DNS server and the root DNS servers for each forest DNS
namespace are running Windows Server 2003 or Windows Server 2008, configure DNS
conditional forwarders in each DNS namespace to route queries for names in the other
namespace.
If there is no shared root DNS server and the root DNS servers for each forest DNS
namespace are not running Windows Server 2003 or Windows Server 2008 (that is, they do
not support conditional forwarding), configure DNS secondary zones in each DNS
namespace to route queries for names in the other namespace. For more information
about configuring DNS to work with AD DS, see DNS Support for Active Directory
Technical Reference (http://go.microsoft.com/fwlink/?LinkID=106660).
For more information about external trusts, see How Domain and Forest Trusts Work
(http://go.microsoft.com/fwlink/?LinkId=111481).
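The DNS prerequisite above, carried out with the tools present on a Windows Server 2008 DNS server, as an added example that is not part of the guide: it creates either a conditional forwarder or a secondary zone for the other forest's namespace (skipping servers that already have one) and then confirms that the domain-controller locator record for the other domain resolves before anyone runs the New Trust Wizard. Server names, zone names and addresses are placeholders.

```powershell
# Added example (not part of the guide): give each forest's DNS servers a route to the
# other forest's namespace (conditional forwarder where the server supports it, secondary
# zone otherwise) and confirm the DC locator records resolve before creating the trust.
# Assumptions: dnscmd, nslookup and nltest are on the path (they are on Windows Server
# 2008); all names and IP addresses below are placeholders.

function Test-DnsZoneExists {
    param([string]$DnsServer, [string]$ZoneName)
    # /EnumZones prints one zone per line with the zone name first.
    $zones = & dnscmd $DnsServer /EnumZones 2>&1 | Out-String
    return ($zones -match "(?im)^\s*$([regex]::Escape($ZoneName))\s")
}

function Add-RemoteNamespaceZone {
    param(
        [string]$DnsServer,          # DNS server to configure; '.' means the local server
        [string]$RemoteNamespace,    # DNS name of the other forest, e.g. corp.fabrikam.com
        [string[]]$RemoteDnsServers, # IP addresses of that namespace's DNS servers
        [switch]$Secondary           # create a secondary zone instead of a conditional forwarder
    )
    if (Test-DnsZoneExists -DnsServer $DnsServer -ZoneName $RemoteNamespace) {
        Write-Host "$RemoteNamespace already exists on $DnsServer; leaving it unchanged"
        return
    }
    if ($Secondary) {
        # Secondary zone: copies the whole zone, so the other side must allow zone transfers to us.
        & dnscmd $DnsServer /ZoneAdd $RemoteNamespace /Secondary $RemoteDnsServers
    } else {
        # Conditional forwarder: only queries for RemoteNamespace are sent to RemoteDnsServers.
        & dnscmd $DnsServer /ZoneAdd $RemoteNamespace /Forwarder $RemoteDnsServers
    }
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd /ZoneAdd $RemoteNamespace failed on $DnsServer (exit code $LASTEXITCODE)"
    }
}

function Test-RemoteDomainResolution {
    param([string]$RemoteDomain)
    # The SRV record the trust code and Netlogon use to find a domain controller.
    # nslookup is used because Resolve-DnsName does not exist on Windows Server 2008.
    $srv = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$RemoteDomain" 2>&1 | Out-String
    if ($srv -notmatch 'svr hostname') {
        Write-Warning "No DC locator SRV record found for $RemoteDomain"
        return $false
    }
    # Netlogon must be able to locate a DC as well; if this fails, the wizard fails too.
    & nltest /dsgetdc:$RemoteDomain | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Usage on a Contoso DNS server (placeholders); the Fabrikam side does the same for contoso.com:
# Add-RemoteNamespaceZone -DnsServer '.' -RemoteNamespace 'corp.fabrikam.com' -RemoteDnsServers '10.20.0.10','10.20.0.11'
# Test-RemoteDomainResolution -RemoteDomain 'corp.fabrikam.com'
```

Repeat Add-RemoteNamespaceZone on every DNS server that domain controllers in the forest use, not only on the one you are logged on to; a trust that works from one site and fails from another is almost always a DNS server that was left out.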
Note
Trusts that are created between Windows NT 4.0 domains and AD DS domains are one
way and nontransitive, and they require NetBIOS name resolution.
Task requirements
You can use either of the following tools to perform the procedures for this task:
Active Directory Domains and Trusts snap-in (New Trust Wizard)
Netdom.exe
For more information about how to use the Netdom command-line tool to create an external trust,
see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
Note
If you have the appropriate administrative credentials for each domain, you can create
both sides of an external trust at the same time. To create both sides of the trust
simultaneously, follow the appropriate procedure below that contains the words both
sides of the trust in the procedure title. For example, the procedure Create a one-way,
incoming, external trust for both sides of the trust provides the steps to follow when you
have the administrative credentials for both domains and you want to use the New Trust
Wizard to create an incoming, external trust in one operation. For more information about
how the both sides of the trust option works, see "Sides of Trust" in Appendix: New
Trust Wizard Pages.
To complete the task of creating an external trust, you can perform any of the following
procedures, depending on the requirements of your organization and the administrative
credentials that you have when you create the trust:
Create a One-Way, Incoming, External Trust for One Side of the Trust
Create a One-Way, Incoming, External Trust for Both Sides of the Trust
Create a One-Way, Outgoing, External Trust for One Side of the Trust
Create a One-Way, Outgoing, External Trust for Both Sides of the Trust
6. On the Direction of Trust page, click One-way: incoming, and then click Next.
For more information about the selections that are available on the Direction of Trust
page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click This domain only, and then click Next.
For more information about the selections that are available on the Sides of Trust page,
see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the Trust Password page, type the trust password twice, and then click Next.
With the administrator of the other domain, agree on a secure channel password to be
used in establishing the trust.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
11. On the Confirm Incoming Trust page, do one of the following:
If you do not want to confirm this trust, click No, do not confirm the incoming trust.
If you want to confirm this trust, click Yes, confirm the incoming trust, and then
supply the appropriate administrative credentials from the specified domain.
12. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the domain administrator for the specified domain or specified
forest must follow the procedure Create a One-Way, Outgoing, External Trust for One
Side of the Trust, using his or her administrative credentials and the exact same trust
password that was used during this procedure.
You can create this external trust by using the New Trust Wizard in the Active Directory Domains
and Trusts snap-in or by using the Netdom command-line tool. For more information about using
the Netdom command-line tool to create an external trust, see Netdom Overview
(http://go.microsoft.com/fwlink/?LinkId=111537).
Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services
(AD DS), or equivalent, is the minimum required to complete this procedure. Review details about
using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?
LinkId=83477.
To create a one-way, incoming, external trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to establish a trust, and
then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS
name) of the external domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: incoming, and then click Next.
For more information about the selections that are available on the Direction of Trust
page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain, and
then click Next.
For more information about the selections that are available on the Sides of Trust page,
see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the User Name and Password page, type the user name and password for the
appropriate administrator in the specified domain.
9. On the Outgoing Trust Authentication Level--Specified Domain page, do one of the
following, and then click Next:
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Incoming Trust page, do one of the following:
If you do not want to confirm this trust, click No, do not confirm the incoming trust.
If you want to confirm this trust, click Yes, confirm the incoming trust, and then
supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.
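The two external-trust procedures above (one side at a time with a shared trust password, or both sides in one operation with credentials in both domains) can also be run with the Netdom tool the guide refers to. This is an added example, not the guide's own text: domain names are the guide's wingtiptoys.com and tailspintoys.com, the account names are assumptions, and the trust password is read interactively.

```powershell
# Added example: Netdom equivalent of a one-way external trust, run from the
# wingtiptoys.com side. In the guide's wording an "incoming" trust from
# wingtiptoys.com's point of view means tailspintoys.com trusts wingtiptoys.com,
# so wingtiptoys.com users can reach tailspintoys.com resources. In Netdom terms
# tailspintoys.com is the trusting domain (first argument) and wingtiptoys.com
# is the trusted domain (/d:).
$Trusting = 'tailspintoys.com'   # resource domain (outgoing side)
$Trusted  = 'wingtiptoys.com'    # account domain (incoming side)

# --- One side of the trust at a time ("for one side of the trust") ---------
# The password agreed with the other domain's administrator; read it rather
# than typing it on the command line so it does not land in shell history.
$TrustPw = Read-Host "Trust password agreed with the $Trusting administrator"

# Run by the wingtiptoys.com administrator: /oneside:trusted creates only the
# wingtiptoys.com half of the trust, using the shared trust password.
netdom trust $Trusting "/d:$Trusted" /add /oneside:trusted "/passwordt:$TrustPw"

# Run later by the tailspintoys.com administrator with the SAME trust password
# (the "Create a One-Way, Outgoing, External Trust for One Side of the Trust"
# step that the Note above refers to).
netdom trust $Trusting "/d:$Trusted" /add /oneside:trusting "/passwordt:$TrustPw"

# --- Both sides in one operation ("for both sides of the trust") ----------
# Needs credentials in both domains: /userd and /passwordd authenticate to the
# trusted domain, /usero and /passwordo to the trusting domain. The account
# names are assumptions; * prompts for each password.
netdom trust $Trusting "/d:$Trusted" /add `
    "/userd:$Trusted\wingtip-admin"   /passwordd:* `
    "/usero:$Trusting\tailspin-admin" /passwordo:*

# --- Checks worth running after either path --------------------------------
# Verify the secure channel now instead of waiting for the first user to use
# the trust (the wizard's "No, do not confirm" choice leaves it untested).
netdom trust $Trusting "/d:$Trusted" /verify

# Keep SID filtering (quarantine) on for an external trust so SIDs that do not
# belong to the trusted domain are discarded; stating it explicitly avoids
# relying on the default. Selective authentication is the Netdom form of the
# wizard's Outgoing Trust Authentication Level choice: with it on, users of
# the trusted domain reach only servers they have been explicitly allowed to
# authenticate to, rather than every server in the trusting domain.
netdom trust $Trusting "/d:$Trusted" /quarantine:yes
netdom trust $Trusting "/d:$Trusted" /selectiveauth:yes

# List the trust as the trusting domain now sees it (type, direction, attributes).
nltest /domain_trusts /v
```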
click Next:
9. On the Trust Password page, type the trust password twice, and then click Next.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Outgoing Trust page, do one of the following:
If you do not want to confirm this trust, click No, do not confirm the outgoing trust.
Note that if you do not confirm the trust at this stage, the secure channel will not be
established until the first time that the trust is used by users.
If you want to confirm this trust, click Yes, confirm the outgoing trust, and then
supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the domain administrator for the specified domain or specified
forest must follow the procedure Create a One-Way, Incoming, External Trust for One
Side of the Trust, using his or her administrative credentials and the exact same trust
password that was used during this procedure.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Outgoing Trust page, do one of the following:
If you do not want to confirm this trust, click No, do not confirm the outgoing trust.
Note that if you do not confirm the trust at this stage, the secure channel will not be
established until the first time that the trust is used by users.
If you want to confirm this trust, click Yes, confirm the outgoing trust, and then
supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.
9. On the Trust Password page, type the trust password twice, and then click Next.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Outgoing Trust page, do one of the following:
If you do not want to confirm this trust, click No, do not confirm the outgoing trust.
Note that if you do not confirm the trust at this stage, the secure channel will not be
established until the first time that the trust is used by users.
If you want to confirm this trust, click Yes, confirm the outgoing trust, and then
supply the appropriate administrative credentials from the specified domain.
If you do not want to confirm this trust, click No, do not confirm the incoming trust.
If you want to confirm this trust, click Yes, confirm the incoming trust, and then
supply the appropriate administrative credentials from the specified domain.
14. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the domain administrator for the specified domain or specified
forest must follow this same procedure, using his or her administrative credentials and
the exact same trust password that was used during this procedure.
10. On the Outgoing Trust Authentication Level--Specified Domain page, do one of the
following, and then click Next:
11. On the Trust Selections Complete page, review the results, and then click Next.
12. On the Trust Creation Complete page, review the results, and then click Next.
13. On the Confirm Outgoing Trust page, do one of the following:
If you do not want to confirm this trust, click No, do not confirm the outgoing trust.
Note that if you do not confirm the trust at this stage, the secure channel will not be
established until the first time that the trust is used by users.
If you want to confirm this trust, click Yes, confirm the outgoing trust, and then
supply the appropriate administrative credentials from the specified domain.
If you do not want to confirm this trust, click No, do not confirm the incoming trust.
If you want to confirm this trust, click Yes, confirm the incoming trust, and then
supply the appropriate administrative credentials from the specified domain.
15. On the Completing the New Trust Wizard page, click Finish.
Netdom.exe
For more information about how to use the Netdom command-line tool to create a shortcut trust,
see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
Note
If you have the appropriate administrative credentials for each domain, you can create
both sides of a shortcut trust at the same time. To create both sides of the trust, follow the
appropriate procedure below that contains the words for both sides of the trust in the
title. For example, the procedure Create a one-way, incoming, shortcut trust for both
sides of the trust explains how to configure both sides of a shortcut trust. For more
information about how the both sides of the trust option works, see the section "Sides of
Trust" in Appendix: New Trust Wizard Pages.
To complete the task of creating a shortcut trust, perform any of the following procedures,
depending on the requirements of your organization and the administrative credentials that you
have when you create the trust:
Create a One-Way, Incoming, Shortcut Trust for One Side of the Trust
Create a One-Way, Incoming, Shortcut Trust for Both Sides of the Trust
Create a One-Way, Outgoing, Shortcut Trust for One Side of the Trust
Create a One-Way, Outgoing, Shortcut Trust for Both Sides of the Trust
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
11. On the Confirm Incoming Trust page, do one of the following:
If you do not want to confirm this trust, click No, do not confirm the incoming trust.
If you want to confirm this trust, click Yes, confirm the incoming trust, and then
supply the appropriate administrative credentials from the specified domain.
12. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the domain administrator for the specified domain or specified
forest must follow the procedure Create a One-Way, Outgoing, Shortcut Trust for One
Side of the Trust, using his or her administrative credentials and the exact same trust
password that was used during this procedure.
To create a one-way, incoming, shortcut trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain for which you want to
establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS
name) of the domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: incoming, and then click Next.
For more information about the selections that are available on the Direction of Trust
page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain, and
then click Next.
For more information about the selections that are available on the Sides of Trust page,
see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the User Name and Password page, type the user name and password for the
appropriate administrator in the specified domain.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
11. On the Confirm Incoming Trust page, do one of the following:
If you do not want to confirm this trust, click No, do not confirm the incoming trust.
If you want to confirm this trust, click Yes, confirm the incoming trust, and then
supply the appropriate administrative credentials from the specified domain.
12. On the Completing the New Trust Wizard page, click Finish.
If you do not want to confirm this trust, click No, do not confirm the outgoing trust.
Note that if you do not confirm the trust at this stage, the secure channel will not be
established until the first time that the trust is used by users.
If you want to confirm this trust, click Yes, confirm the outgoing trust, and then
supply the appropriate administrative credentials from the specified domain.
12. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the domain administrator for the specified domain or specified
forest must follow the procedure Create a One-Way, Incoming, Shortcut Trust for One
Side of the Trust, using his or her administrative credentials and the exact same trust
password that was used during this procedure.
6. On the Direction of Trust page, click One-way: outgoing, and then click Next.
For more information about the selections that are available on the Direction of Trust
page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain, and
then click Next.
For more information about the selections that are available on the Sides of Trust page,
see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the User Name and Password page, type the user name and password for the
appropriate administrator in the specified domain.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
11. On the Confirm Outgoing Trust page, do one of the following:
If you do not want to confirm this trust, click No, do not confirm the outgoing trust.
Note that if you do not confirm the trust at this stage, the secure channel will not be
established until the first time that the trust is used by users.
If you want to confirm this trust, click Yes, confirm the outgoing trust, and then
supply the appropriate administrative credentials from the specified domain.
12. On the Completing the New Trust Wizard page, click Finish.
If you do not want to confirm this trust, click No, do not confirm the outgoing trust.
Note that if you do not confirm the trust at this stage, the secure channel will not be
established until the first time that the trust is used by users.
If you want to confirm this trust, click Yes, confirm the outgoing trust, and then
supply the appropriate administrative credentials from the specified domain.
If you do not want to confirm this trust, click No, do not confirm the incoming trust.
If you want to confirm this trust, click Yes, confirm the incoming trust, and then
supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the domain administrator for the specified domain must follow
this same procedure using his or her administrative credentials and the exact same trust
password that was used during this procedure.
10. On the Trust Creation Complete page, review the results, and then click Next.
11. On the Confirm Outgoing Trust page, do one of the following:
If you do not want to confirm this trust, click No, do not confirm the outgoing trust.
Note that if you do not confirm the trust at this stage, the secure channel will not be
established until the first time that the trust is used by users.
If you want to confirm this trust, click Yes, confirm the outgoing trust, and then
supply the appropriate administrative credentials from the specified domain.
If you do not want to confirm this trust, click No, do not confirm the incoming trust.
If you want to confirm this trust, click Yes, confirm the incoming trust, and then
supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.
You can create a forest trust between two Windows Server 2003 forests, between two
Windows Server 2008 forests, or between a Windows Server 2003 forest and a Windows
Server 2008 forest. Forest trusts cannot be extended implicitly to a third forest.
To create a forest trust, the forest functional level for both of the forests that are involved in
the trust relationship must be set to Windows Server 2003. For more information about
functional levels, see the Active Directory Functional Levels Technical Reference
(http://go.microsoft.com/fwlink/?LinkID=111466).
To create a forest trust successfully, you must set up your Domain Name System (DNS)
environment properly. If there is a DNS server that can serve as the root DNS server for
the DNS namespaces of both forests, make it the root DNS server by ensuring that the root
zone contains delegations for each of the DNS namespaces, and update the root hints of all
DNS servers to point to the new root DNS server.
If there is no shared root DNS server and the root DNS servers for each forest DNS
namespace are running Windows Server 2003, configure DNS conditional forwarders in each
DNS namespace to route queries for names in the other namespace.
If there is no shared root DNS server and the root DNS servers for each forest DNS
namespace are not running Windows Server 2008 or Windows Server 2003, configure DNS
secondary zones in each DNS namespace to route queries for names in the other
namespace. For more information about configuring DNS to work with Active Directory
Domain Services (AD DS), see the DNS Support for Active Directory Technical Reference
(http://go.microsoft.com/fwlink/?LinkID=106660).
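The DNS preparation just described (conditional forwarders when the other forest's root DNS servers run Windows Server 2003 or 2008, secondary zones otherwise) can be scripted with the dnscmd tool on a DNS server in the local forest. This is an added example, not part of the guide: the forest names are the guide's own, the remote DNS server addresses are constructed, and the function names are assumptions.

```powershell
# Added example: set up resolution of the other forest's namespace before a
# forest trust is created, and check that the record the trust setup actually
# depends on resolves. Run on a DNS server of the local forest as a DNS admin.
function Add-ForestTrustNameResolution {
    param(
        [Parameter(Mandatory)] [string]   $RemoteForest,      # e.g. tailspintoys.com
        [Parameter(Mandatory)] [string[]] $RemoteDnsServers,  # DNS servers of that forest
        [ValidateSet('Forwarder', 'Secondary')] [string] $Mode = 'Forwarder'
    )
    switch ($Mode) {
        # Conditional forwarder: queries for the remote namespace are sent to
        # the remote forest's DNS servers; no zone data is copied locally.
        # Use this when the remote root DNS servers run Windows Server 2003/2008.
        'Forwarder' { dnscmd /ZoneAdd $RemoteForest /Forwarder $RemoteDnsServers }
        # Secondary zone: a read-only copy of the remote zone is pulled by zone
        # transfer, so the remote side must permit transfers to this server.
        # Use this when the remote root DNS servers are not Windows Server 2003/2008.
        'Secondary' { dnscmd /ZoneAdd $RemoteForest /Secondary $RemoteDnsServers }
    }
}

function Test-ForestTrustNameResolution {
    param([Parameter(Mandatory)] [string] $RemoteForest)
    # The New Trust Wizard locates a domain controller of the remote forest root
    # through this SRV record, so resolving it is the meaningful check; a plain
    # A-record lookup of the forest name proves much less.
    $srv = "_ldap._tcp.dc._msdcs.$RemoteForest"
    $out = nslookup -type=SRV $srv 2>&1
    # nslookup prints one "svr hostname = <dc>" line per SRV answer.
    $ok  = ($out -join "`n") -match 'svr hostname'
    [pscustomobject]@{ Record = $srv; Resolves = $ok }
}

# Local forest wingtiptoys.com, remote forest tailspintoys.com; the addresses
# are constructed (TEST-NET-1 range), not real DNS servers.
Add-ForestTrustNameResolution -RemoteForest 'tailspintoys.com' `
    -RemoteDnsServers '192.0.2.10', '192.0.2.11' -Mode Forwarder
Test-ForestTrustNameResolution -RemoteForest 'tailspintoys.com'
```

The same two calls are needed on the tailspintoys.com side for the wingtiptoys.com namespace, since each forest must resolve the other before either side of the trust can be confirmed.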
You can use either of the following tools to perform the procedures for this task:
Netdom.exe
For more information about using the Netdom command-line tool to create a forest trust, see
Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
Note
If you have the appropriate administrative credentials for each forest, you can create both
sides of a forest trust at the same time. To create both sides of the forest trust, follow the
appropriate procedure below that contains the words for both sides of the trust in the
title. For example, the procedure Create a one-way, incoming, forest trust for both sides
of the trust explains how to configure both sides of the trust. For more information about
how the both sides of the trust option works, see "Sides of Trust" in Appendix: New
Trust Wizard Pages.
To create a forest trust, perform any one of the following procedures, depending on the
requirements of your organization and the administrative credentials that you have when you
create the trust:
Create a One-Way, Incoming, Forest Trust for One Side of the Trust
Create a One-Way, Incoming, Forest Trust for Both Sides of the Trust
Create a One-Way, Outgoing, Forest Trust for One Side of the Trust
Create a One-Way, Outgoing, Forest Trust for Both Sides of the Trust
A one-way, incoming, forest trust allows users in your Windows Server 2008 forest or
Windows Server 2003 forest (the forest that you are logged on to at the time that you run the New
Trust Wizard) to access resources in another Windows Server 2008 forest or
Windows Server 2003 forest. For example, if you are the administrator of the wingtiptoys.com
forest and users in that forest need to access resources in the tailspintoys.com forest, you can
use this procedure to establish one side of the relationship so that users in your forest can access
resources in any of the domains that make up the tailspintoys.com forest.
You can create this forest trust by using the New Trust Wizard in the Active Directory Domains
and Trusts snap-in or by using the Netdom command-line tool. For more information about how to
use the Netdom command-line tool to create a forest trust, see Netdom Overview
(http://go.microsoft.com/fwlink/?LinkId=111537).
Membership in Domain Admins in the forest root domain or Enterprise Admins in
Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete
this procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477. If you are a member of the Incoming Forest Trust
Builders group, you can create one-way, incoming, forest trusts to your forest. For more
information about the Incoming Forest Trust Builders group, see How Domain and Forest Trusts
Work (http://go.microsoft.com/fwlink/?LinkID=111481).
To create a one-way, incoming, forest trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the forest root domain of the forest for
which you want to establish an incoming forest trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name of the forest root
domain of the other forest, and then click Next.
5. On the Trust Type page, click Forest trust, and then click Next.
6. On the Direction of Trust page, click One-way: incoming, and then click Next.
For more information about the selections that are available on the Direction of Trust
page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click This domain only, and then click Next.
For more information about the selections that are available on the Sides of Trust page,
see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the Trust Password page, type the trust password twice, and then click Next.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
11. On the Confirm Incoming Trust page, do one of the following:
If you do not want to confirm this trust, click No, do not confirm the incoming trust.
If you want to confirm this trust, click Yes, confirm the incoming trust, and then
supply the appropriate administrative credentials from the specified domain.
12. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the domain administrator for the specified domain (the forest
root domain in the specified forest) must complete the procedure Create a One-Way,
Outgoing, Forest Trust for One Side of the Trust, using his or her administrative
credentials and the exact same trust password that was used during this procedure.
4. On the Trust Name page, type the Domain Name System (DNS) name of the forest root
domain of the other forest, and then click Next.
5. On the Trust Type page, click Forest trust, and then click Next.
6. On the Direction of Trust page, click One-way: incoming, and then click Next.
For more information about the selections that are available on the Direction of Trust
page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain, and
then click Next.
For more information about the selections that are available on the Sides of Trust page,
see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the User Name and Password page, type the user name and password for the
appropriate administrator in the specified domain.
9. On the Outgoing Trust Authentication Level--Specified Forest page, do one of the
following, and then click Next:
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Incoming Trust page, do one of the following:
If you do not want to confirm this trust, click No, do not confirm the incoming trust.
If you want to confirm this trust, click Yes, confirm the incoming trust, and then
supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.
forest and resources in that forest need to be accessed by users in the tailspintoys.com forest,
you can use this procedure to establish one side of the relationship so that users in the
tailspintoys.com forest can access resources in any of the domains that make up the
wingtiptoys.com forest.
You can create this forest trust by using the New Trust Wizard in the Active Directory Domains
and Trusts snap-in or by using the Netdom command-line tool. For more information about using
the Netdom command-line tool to create a forest trust, see Netdom Overview
(http://go.microsoft.com/fwlink/?LinkId=111537).
Membership in Domain Admins in the forest root domain or Enterprise Admins in
Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete
this procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477. If you are a member of the Incoming Forest Trust
Builders group, you can create one-way, incoming, forest trusts to your forest. For more
information about the Incoming Forest Trust Builders group, see How Domain and Forest Trusts
Work (http://go.microsoft.com/fwlink/?LinkID=111481).
To create a one-way, outgoing, forest trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the forest root domain for which you
want to establish an outgoing forest trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name of the forest root
domain of the other forest, and then click Next.
5. On the Trust Type page, click Forest trust, and then click Next.
6. On the Direction of Trust page, click One-way: outgoing, and then click Next.
For more information about the selections that are available on the Direction of Trust
page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click This domain only, and then click Next.
For more information about the selections that are available on the Sides of Trust page,
see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the Outgoing Trust Authentication Level page, do one of the following, and then
click Next:
9. On the Trust Password page, type the trust password twice, and then click Next.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Outgoing Trust page, do one of the following:
If you do not want to confirm this trust, click No, do not confirm the outgoing trust.
Note that if you do not confirm the trust at this stage, the secure channel will not be
established until the first time that the trust is used by users.
If you want to confirm this trust, click Yes, confirm the outgoing trust, and then
supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the domain administrator for the specified domain (the forest
root domain in the specified forest) must follow the procedure Create a One-Way,
Incoming, Forest Trust for One Side of the Trust, using his or her administrative
credentials and the exact same trust password that was used during this procedure.
2. In the console tree, right-click the forest root domain of the forest for which you want to
establish an outgoing forest trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name of the forest root
domain of the other forest, and then click Next.
5. On the Trust Type page, click Forest trust, and then click Next.
6. On the Direction of Trust page, click One-way: outgoing, and then click Next.
For more information about the selections that are available on the Direction of Trust
page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain, and
then click Next.
For more information about the selections that are available on the Sides of Trust page,
see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the User Name and Password page, type the user name and password for the
appropriate administrator in the specified domain.
9. On the Outgoing Trust Authentication Level--Local Forest page, do one of the
following, and then click Next:
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Outgoing Trust page, do one of the following:
If you do not want to confirm this trust, click No, do not confirm the outgoing trust.
Note that if you do not confirm the trust at this stage, the secure channel will not be
established until the first time that the trust is used by users.
If you want to confirm this trust, click Yes, confirm the outgoing trust, and then
supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.
Create a Two-Way, Forest Trust for Both Sides of the Trust to create both sides of the trust in one
simultaneous operation.
A two-way, forest trust allows users in your forest (the forest that you are logged on to at the time
that you run the New Trust Wizard) and users in the reciprocal forest to access resources in any
of the domains in either of the two forests.
You can create this forest trust by using the New Trust Wizard in the Active Directory Domains
and Trusts snap-in or by using the Netdom command-line tool. For more information about using
the Netdom command-line tool to create a forest trust, see Netdom Overview
(http://go.microsoft.com/fwlink/?LinkId=111537).
Membership in Domain Admins in the forest root domain or Enterprise Admins in
Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete
this procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477. If you are a member of the Incoming Forest Trust
Builders group, you can create one-way, incoming, forest trusts to your forest. For more
information about the Incoming Forest Trust Builders group, see How Domain and Forest Trusts
Work (http://go.microsoft.com/fwlink/?LinkID=111481).
To create a two-way, forest trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the forest root domain of the forest for which you want to
establish a two-way forest trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name of the domain,
and then click Next.
5. On the Trust Type page, click Forest trust, and then click Next.
6. On the Direction of Trust page, click Two-way, and then click Next.
For more information about the selections that are available on the Direction of Trust
page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click This domain only, and then click Next.
For more information about the selections that are available on the Sides of Trust page,
see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the Outgoing Trust Authentication Level page, do one of the following, and then
click Next:
9. On the Trust Password page, type the trust password twice, and then click Next.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Outgoing Trust page, do one of the following:
If you do not want to confirm this trust, click No, do not confirm the outgoing trust.
Note that if you do not confirm the trust at this stage, the secure channel will not be
established until the first time the trust is used by users.
If you want to confirm this trust, click Yes, confirm the outgoing trust, and then
supply the appropriate administrative credentials from the specified domain.
If you do not want to confirm this trust, click No, do not confirm the incoming trust.
If you want to confirm this trust, click Yes, confirm the incoming trust, and then
supply the appropriate administrative credentials from the specified domain.
14. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the forest administrator in the specified forest must follow this
same procedure, using his or her administrative credentials and the exact same trust
password that was used during this procedure.
10. On the Outgoing Trust Authentication Level--Specified Forest page, do one of the
following, and then click Next:
11. On the Trust Selections Complete page, review the results, and then click Next.
12. On the Trust Creation Complete page, review the results, and then click Next.
13. On the Confirm Outgoing Trust page, do one of the following:
If you do not want to confirm this trust, click No, do not confirm the outgoing trust.
Note that if you do not confirm the trust at this stage, the secure channel will not be
established until the first time the trust is used by users.
If you want to confirm this trust, click Yes, confirm the outgoing trust, and then
supply the appropriate administrative credentials from the specified domain.
If you do not want to confirm this trust, click No, do not confirm the incoming trust.
If you want to confirm this trust, click Yes, confirm the incoming trust, and then
supply the appropriate administrative credentials from the specified domain.
15. On the Completing the New Trust Wizard page, click Finish.
Netdom.exe
For more information about how to use the Netdom command-line tool to create a realm trust,
see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
Note
The New Trust Wizard in the Active Directory Domains and Trusts snap-in does not
support the creation of both sides of a realm trust at the same time. For more information
about how the both sides of the trust option works, see the section "Sides of Trust" in
Appendix: New Trust Wizard Pages.
To create a realm trust, perform any of the following procedures, depending on the requirements
of your organization and the administrative credentials that you have when you create the trust:
You can create a realm trust by using the New Trust Wizard in the Active Directory Domains and
Trusts snap-in or by using the Netdom command-line tool. For more information about using the
Netdom command-line tool to create a realm trust, see Netdom Overview
(http://go.microsoft.com/fwlink/?LinkId=111537).
Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services
(AD DS), or equivalent, is the minimum required to complete this procedure. Review details about
using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To create a one-way, incoming, realm trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain for which you want to
establish a realm trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name of the Kerberos
realm in uppercase characters, and then click Next.
5. On the Trust Type page, click Realm trust, and then click Next.
6. On the Transitivity of Trust page, do one of the following:
To form a trust relationship with the domain and the specified realm only, click
Nontransitive, and then click Next.
To form a trust relationship with the domain and the specified realm and all trusted
realms, click Transitive, and then click Next.
7. On the Direction of Trust page, click One-way: incoming, and then click Next.
For more information about the selections that are available on the Direction of Trust
page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
8. On the Trust Password page, type the trust password twice, and then click Next.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the administrator of the Kerberos realm must complete the trust,
using his or her administrative credentials and the exact same trust password that was
used during this procedure.
accessed by users in the PRODUCTS.TAILSPINTOYS.com Kerberos realm, you can use this
procedure to establish a relationship so that users in the Kerberos realm can access resources in
the sales.wingtiptoys.com domain.
Note
Kerberos realm names require uppercase characters.
You can create this realm trust by using the New Trust Wizard in the Active Directory Domains
and Trusts snap-in or by using the Netdom command-line tool. For more information about using
the Netdom command-line tool to create a realm trust, see Netdom Overview
(http://go.microsoft.com/fwlink/?LinkId=111537).
Membership in Account Operators, Domain Admins, or Enterprise Admins in
Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete
this procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To create a one-way, outgoing, realm trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to establish a realm trust,
and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name of the Kerberos
realm in uppercase characters, and then click Next.
5. On the Trust Type page, click Realm trust, and then click Next.
6. On the Transitivity of Trust page, do one of the following:
To form a trust relationship with the domain and the specified realm only, click
Nontransitive, and then click Next.
To form a trust relationship with the domain and the specified realm and all trusted
realms, click Transitive, and then click Next.
7. On the Direction of Trust page, click One-way: outgoing, and then click Next.
For more information about the selections that are available on the Direction of Trust
page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
8. On the Trust Password page, type the trust password twice, and then click Next.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the administrator of the realm must complete the trust, using his
or her administrative credentials and the exact same trust password that was used during
this procedure.
To form a trust relationship with the domain and the specified realm only, click
Nontransitive, and then click Next.
To form a trust relationship with the domain and the specified realm and all trusted
realms, click Transitive, and then click Next.
7. On the Direction of Trust page, click Two-way, and then click Next.
For more information about the selections that are available on the Direction of Trust
page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
8. On the Trust Password page, type the trust password twice, and then click Next.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the administrator of the Kerberos realm must complete the trust,
using his or her administrative credentials and the exact same trust password that was
used during this procedure.
Netdom.exe
For more information about how to use the Netdom command-line tool to validate and remove
trusts, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
To complete this task, perform the following procedures:
Validate a Trust
Validate a Trust
You can validate all trusts that are made between domains, but you cannot validate realm trusts.
You can use this procedure to validate a trust by using the New Trust Wizard in the
Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For
more information about how to use the Netdom command-line tool to validate and remove trusts, see
Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services
(AD DS), or equivalent, is the minimum required to complete these procedures. Review details
about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Validating a trust
Value                  Description
<TrustingDomainName>   The name of the trusting domain in the trust that you want to validate.
<TrustedDomainName>    The name of the trusted domain in that trust.
Click No, remove the trust from the local domain only.
If you click this option, we recommend that you repeat this procedure for the
reciprocal domain.
Click Yes, remove the trust from both the local domain and the other domain.
If you click this option, you must type a user account and password with
administrative credentials for the reciprocal domain.
Parameter              Description
<TrustingDomainName>   The name of the trusting domain in the trust that you want to remove.
<TrustedDomainName>    The name of the trusted domain in that trust.
<User>                 A user account with administrative credentials for the reciprocal domain.
Note
If you are using Netdom to remove a realm trust, you must add the /force option to the
end of the command (after /remove) to remove the trust successfully.
example, the DNS forest name fabrikam.com is a unique name suffix within the fabrikam.com
forest.
All names that are subordinate to unique name suffixes are routed implicitly. For example, if your
forest uses fabrikam.com as a unique name suffix, authentication requests for all child domains of
fabrikam.com (childDomain.fabrikam.com) will be routed because the child domains are part of
the fabrikam.com name suffix. Child names are displayed in the Active Directory Domains and
Trusts snap-in. If you want to exclude members of a child domain from authenticating in the
specified forest, you can disable name suffix routing for that name. You can also disable routing
for the forest name itself, if necessary.
For more information about name suffix routing, see Routing name suffixes across forests
(http://go.microsoft.com/fwlink/?LinkId=111725).
Note
You cannot enable a name suffix that is the same as another name in the routing list. If
the conflict is with a local UPN name suffix, you must remove the local UPN name suffix
from the list before you can enable the routing name. If the conflict is with a name that is
claimed by another trust partner, you must disable the name in the other trust before it
can be enabled for this trust.
Task requirements
You can use either of the following tools to perform the procedures for this task:
Netdom.exe
For more information about using the Netdom command-line tool to modify name suffix routing,
see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
To complete this task, you can perform the following procedures:
Notes
When you disable a name suffix, the Domain Name System (DNS) name and all child
names of that name will be disabled.
To enable routing for a name suffix, click the suffix that you want to enable, and then
click Enable. If the Enable button is unavailable, the name suffix is already enabled.
To disable routing for a name suffix, click the suffix that you want to disable, and then
click Disable. If the Disable button is unavailable, the name suffix is already
disabled.
these procedures. Review details about using the appropriate accounts and group memberships
at http://go.microsoft.com/fwlink/?LinkId=83477.
Properties.
3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or
Domains that trust this domain (incoming trusts), click the forest trust that you want
to administer, and then click Properties.
4. On the Name Suffix Routing tab, under Name suffixes in the x.x forest, click the
unique name suffix whose subordinate name suffix you want to exclude from routing, and
then click Edit.
5. In Name suffixes to exclude from routing to x.x, click Add, type a DNS name suffix
that is subordinate to the unique name suffix, and then click OK.
For more information about how the security settings for domain and forest trusts work, see
Security Considerations for Trusts (http://go.microsoft.com/fwlink/?LinkId=111846).
filter quarantining enforced by default. These external trusts must be configured manually to
enable SID filter quarantining.
Note
You cannot turn off the default behavior in Windows Server 2003 or Windows
Server 2008 that enables SID filter quarantining for newly created external trusts.
However, under certain conditions SID filter quarantining can be disabled on such an
external trust. For information about the conditions for disabling SID filter quarantining, see
Disable SID Filter Quarantining.
External trusts that are created from domain controllers running Windows 2000 Server with SP3
or earlier do not enforce SID filter quarantining by default. To further secure your forest, consider
enabling SID filter quarantining on all existing external trusts that are created from domain
controllers running Windows 2000 Server SP3 or earlier. You can do this by using Netdom.exe to
enable SID filter quarantining on existing external trusts or by recreating these external trusts
from a domain controller running Windows Server 2008, Windows Server 2003, or
Windows 2000 Server with Service Pack 4 (SP4).
You can use SID filter quarantining to filter out migrated SIDs that are stored in SID history from
specific domains. For example, where an external trust relationship exists so that one domain,
Contoso (running Windows 2000 Server domain controllers), trusts another domain, Cpandl (also
running Windows 2000 Server domain controllers), an administrator of the Contoso domain can
manually apply SID filter quarantining to the Cpandl domain. This allows all SIDs whose domain
SID is that of the Cpandl domain to pass, but discards all other SIDs (such as migrated SIDs that
are stored in SID history).
Note
Do not apply SID filter quarantining to trusts within a forest that is not using either the
Windows Server 2008 or Windows Server 2003 forest functional level, because doing so
removes SIDs that are required for Active Directory replication. If the forest functional
level is Windows Server 2008 or Windows Server 2003 and quarantining is applied
between two domains within a forest, a user in the quarantined domain with universal
group memberships in other domains in the forest might not be able to access resources
in nonquarantined domains, because the group memberships from those domains are
filtered when resources are accessed across the trust relationship. Likewise, SID filter
quarantining should not be applied to forest trusts.
For more information about how SID filtering works, see Security Considerations for Trusts
(http://go.microsoft.com/fwlink/?LinkID=111846).
Task requirements
You can use either of the following tools to perform the procedures for this task:
Netdom.exe
For more information about using the Netdom command-line tool to configure SID filtering
settings, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
To complete this task, you can perform the following procedures:
You have an equally high level of confidence in the administrators who have physical access
to domain controllers in the trusted domain and the administrators with such access in the
trusting domain.
You have a strict requirement to assign universal groups to resources in the trusting domain,
even when those groups were not created in the trusted domain.
Users have been migrated to the trusted domain with their SID histories preserved, and you
want to grant those users access to resources in the trusting domain (the former domain of
the migrated users) based on the sIDHistory attribute.
For more information about how SID filtering works, see Security Considerations for Trusts
(http://go.microsoft.com/fwlink/?LinkID=111846).
You can disable SID filter quarantining by using the Netdom command-line tool. For more
information about the Netdom command-line tool, see Netdom Overview
(http://go.microsoft.com/fwlink/?LinkId=111537).
Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services
(AD DS), or equivalent, is the minimum required to complete this procedure. Review details about
using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To disable SID filter quarantining for the trusting domain
1. Open a Command Prompt.
2. At the command prompt, type the following command, and then press ENTER:
Netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:No /userD:<DomainAdministratorAcct> /passwordD:<DomainAdminPwd>
Parameter                  Description
<TrustingDomainName>       The name of the trusting domain (the domain on whose side SID filter quarantining is configured).
<TrustedDomainName>        The name of the trusted domain.
<DomainAdministratorAcct>  A user account with administrative rights in the trusted domain, passed with /userD.
<DomainAdminPwd>           The password of that account, passed with /passwordD.
Note
You can enable or disable SID filter quarantining only from the trusting side of the
trust. If the trust is a two-way trust, you can also disable SID filter quarantining in
the trusted domain by using the domain administrator's credentials for the trusted
domain and reversing the <TrustingDomainName> and <TrustedDomainName>
values in the command-line syntax.
See Also
Reapply SID Filter Quarantining
required to complete this procedure. Review details about using the appropriate accounts and
group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To reapply SID filter quarantining for the trusting domain
1. Open a Command Prompt.
2. At the command prompt, type the following command, and then press ENTER:
Netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:Yes /userD:<DomainAdministratorAcct> /passwordD:<DomainAdminPwd>
Term                       Definition
<TrustingDomainName>       The name of the trusting domain (the domain on whose side SID filter quarantining is reapplied).
<TrustedDomainName>        The name of the trusted domain.
<DomainAdministratorAcct>  A user account with administrative rights in the trusted domain, passed with /userD.
<DomainAdminPwd>           The password of that account, passed with /passwordD.
Task requirements
Either of the following tools is required to perform the procedures for this task:
Netdom.exe
For more information about how to use the Netdom command-line tool to configure selective
authentication settings, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
To complete this task, you can perform the following procedures:
Grant the Allowed to Authenticate Permission on Computers in the Trusting Domain or Forest
Parameter                  Description
<TrustingDomainName>       The name of the trusting domain (the domain that contains the resources).
<TrustedDomainName>        The name of the trusted domain.
<DomainAdministratorAcct>  A user account with administrative rights in the trusted domain, passed with /userD.
<DomainAdminPwd>           The password of that account, passed with /passwordD.
forest trust, connect to a domain controller in the forest root domain of the trusted forest,
and then use Active Directory Domains and Trusts to view the authentication settings for
the outgoing side of the same trust.
To enable selective authentication over a forest trust using a command line
1. Open a Command Prompt.
2. At the command prompt, type the following command, and then press ENTER:
Netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /SelectiveAUTH:Yes /userD:<DomainAdministratorAcct> /passwordD:<DomainAdminPwd>
Parameter                  Description
<TrustingDomainName>       The name of the trusting domain (the domain that contains the resources).
<TrustedDomainName>        The name of the trusted domain.
<DomainAdministratorAcct>  A user account with administrative rights in the trusted domain, passed with /userD.
<DomainAdminPwd>           The password of that account, passed with /passwordD.
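A defender's audit of the trust settings discussed above (SID filter quarantining on external trusts, the forest-trust and within-forest caveats, and selective authentication), as an added example that is not part of this guide and not Microsoft's own code. Instead of Netdom it reads the same trust attributes through the .NET System.DirectoryServices.ActiveDirectory classes (Domain.GetSidFilteringStatus, Domain.GetSelectiveAuthenticationStatus and their Forest counterparts), which ship with Windows Server 2008; it assumes Windows PowerShell 2.0 or later and runs on a domain controller as a member of Domain Admins. All trust names are read live; nothing is hard-coded.

```powershell
# Added example, not from the guide: audit SID filter quarantining and
# selective authentication on every trust of the current domain, using the
# System.DirectoryServices.ActiveDirectory classes that ship with .NET on
# Windows Server 2008 (no Active Directory PowerShell module is needed).
# Run it on a domain controller as a member of Domain Admins.

Add-Type -AssemblyName System.DirectoryServices

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Trust types that connect domains inside one forest. The guide says SID
# filter quarantining must not be applied to them, so they are only listed.
$withinForest = @('ParentChild', 'TreeRoot', 'CrossLink')

function Get-TrustSetting {
    # Calls $Object.$Method($Target) and returns 'True', 'False' or 'n/a'.
    # The status methods throw for trusts that cannot carry the setting, for
    # example an inbound-only trust, where the setting lives on the other side.
    param($Object, [string]$Method, [string]$Target)
    try { return ($Object.$Method($Target)).ToString() } catch { return 'n/a' }
}

$report = foreach ($t in $domain.GetAllTrustRelationships()) {
    $target = $t.TargetName
    $type   = $t.TrustType.ToString()

    if ($type -eq 'Forest') {
        # Forest trusts are queried through the Forest object; for them 'False'
        # means SID filtering has been relaxed on the trust.
        $sidFiltering  = Get-TrustSetting $forest 'GetSidFilteringStatus' $target
        $selectiveAuth = Get-TrustSetting $forest 'GetSelectiveAuthenticationStatus' $target
    } else {
        # External, realm and within-forest trusts are queried through the Domain object.
        $sidFiltering  = Get-TrustSetting $domain 'GetSidFilteringStatus' $target
        $selectiveAuth = Get-TrustSetting $domain 'GetSelectiveAuthenticationStatus' $target
    }

    $finding = 'ok'
    if ($withinForest -contains $type) {
        $finding = 'within forest: quarantining not applicable'
    } elseif ($type -eq 'External' -and $sidFiltering -eq 'False') {
        $finding = 'REVIEW: external trust without SID filter quarantining'
    } elseif ($type -eq 'Forest' -and $sidFiltering -eq 'False') {
        $finding = 'REVIEW: forest trust with SID filtering relaxed'
    }

    New-Object PSObject -Property @{
        Source        = $t.SourceName
        Target        = $target
        Direction     = $t.TrustDirection.ToString()
        Type          = $type
        SidFiltering  = $sidFiltering
        SelectiveAuth = $selectiveAuth
        Finding       = $finding
    }
}

$report |
    Select-Object Source, Target, Direction, Type, SidFiltering, SelectiveAuth, Finding |
    Format-Table -AutoSize
```

The script only reads. The .NET counterparts of the Netdom /quarantine switch are Domain.SetSidFilteringStatus and Forest.SetSidFilteringStatus, and of /SelectiveAUTH the corresponding SetSelectiveAuthenticationStatus methods; keep those out of a routine audit and use them, or the Netdom commands above, only as a deliberate change on the trusting side.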
3. Right-click the computer object that you want users in the trusted domain or forest to
access, and then click Properties.
4. On the Security tab, do one of the following:
In Group or user names, click the user names or group names for which you want
to grant access to this computer, select the Allow check box next to the Allowed to
Authenticate permission, and then click OK.
Click Add. In Enter the object names to select, type the name of the user object or
group object for which you want to grant access to this resource computer, and then
click OK. Select the Allow check box next to the Allowed to Authenticate
permission, and then click OK.
Direction of Trust
Sides of Trust
Direction of Trust
An administrator in one domain configures the Direction of Trust page in the New Trust Wizard
to determine whether authentication requests should be routed from this domain to a specified
domain, from the specified domain to this domain, or freely between both domains. The following
trust direction options are available on the Direction of Trust page:
Two-way. A two-way trust allows authentication requests that are sent by users in either
domain or forest to be routed successfully to resources in either of the two domains or
forests.
One-way: incoming. A one-way, incoming trust allows authentication requests that are sent
by users in your domain or forest (the domain or forest where you started the New Trust
Wizard) to be routed successfully to resources in the other domain or forest.
One-way: outgoing. A one-way, outgoing trust allows authentication requests that are sent
by users in the other domain (the domain or forest that you are indicating in the New Trust
Wizard as the specified domain or forest) to be routed successfully to resources in your
domain or forest.
Wizard option: Two-way
Use this option when you want to share resources equally between two domains or forests for all
the users that reside in both domains or forests. A two-way trust allows authentication requests
that are sent by users in a trusted domain or forest to be routed successfully to the trusting
domain or forest. Both domains or forests in the trust relationship are reciprocally trusting and
trusted.
Note
Traditionally, documentation about domain and forest trusts has used the terms
trusting and trusted to help administrators pinpoint the direction of the trust. Although
this terminology is still used today to define and conceptualize how trusts work, it differs
from the terminology that the New Trust Wizard uses to help administrators
determine the direction of trust. There, incoming and outgoing indicate
the direction of the trust, as described in the next sections.
Sides of trust
In Windows NT 4.0 and Windows 2000, the only way to create trusts using the graphical user
interface (GUI) was incrementally, one side of the trust at a time. When you create external
trusts, shortcut trusts, realm trusts, or forest trusts in Windows Server 2003 and Windows
Server 2008, you have the option to create each side of the trust separately or both sides of the
trust simultaneously.
For computers that are joined to a domain, the first query is to a time source in the parent
domain.
Note
Computers that are not joined to a domain and are running Windows Vista are
configured to synchronize with the following external time sources by default:
time.windows.com, time.nist.gov, time-nw.nist.gov, time-a.nist.gov, and time-b.nist.gov.
Computers that are not joined to a domain and are running Windows XP
or Windows XP Home Edition are configured to synchronize with time.windows.com
by default.
If the time client is in a single-domain forest, the first query is to the PDC emulator in the
domain.
All PDC emulator operations masters follow the hierarchy of domains in the selection of their
inbound time partner. A PDC emulator can synchronize its time from the PDC emulator in the
parent domain or from any domain controller in the parent domain.
For more information about time source selection, see How Windows Time Service Works
(http://go.microsoft.com/fwlink/?LinkID=117753).
The authoritative time source at the root of the forest can acquire its time either by connecting to
an installed hardware clock on the internal network or by connecting to an external NTP server,
which is connected to a hardware device. If no domain controller is configured as the authoritative
time source in the forest root domain, the domain controller that holds the PDC emulator
operations master role uses its internal clock to provide time to forest computers.
The National Institute of Standards and Technology (NIST) in Boulder, Colorado, which is
used as the external time provider by the Microsoft time server (time.windows.com). NIST
provides the Automated Computer Time Service (ACTS), which can set a computer clock with
an uncertainty of less than 10 milliseconds. For more information about NTP and for a list of
external time servers, see Set Your Computer Clock Via the Internet: NIST Internet Time
Service (ITS) (http://go.microsoft.com/fwlink/?LinkId=112035).
The U.S. Naval Observatory (USNO) Time Service Department in Washington, DC, is
another reliable source for accurate time synchronization in the United States. To see a list of
USNO servers and their descriptions, see USNO Network Time Servers
(http://go.microsoft.com/fwlink/?LinkId=112036).
You can use many other sites throughout the world for time synchronization. For more NTP
server lists and search criteria, see the NTP.Servers Web site
(http://go.microsoft.com/fwlink/?LinkId=116972).
For the most highly accurate time synchronization, configure a hardware clock, such as a radio or
Global Positioning System (GPS) device, as the time source for the PDC. There are many
consumer and enterprise devices that use NTP, which makes it possible for you to install the
device on an internal network for use with the PDC.
You use the w32tm command-line tool to configure Windows Time service. For a detailed
technical reference for the Windows Time service, including complete documentation of the
w32tm command-line tool and time service registry settings, see the Windows Time Service
Technical Reference (http://go.microsoft.com/fwlink/?LinkID=100940).
NTP: The client synchronizes time from an external time source. Review the values in the
NtpServer line in the output to see the name of the server or servers that the client uses for
time synchronization.
NT5DS: The client is configured to use the domain hierarchy for its time synchronization.
AllSync: The client synchronizes time from any available time source, including domain
hierarchy and external time sources.
For information about Windows Time Server Internet communication, see Windows Time Service
and Resulting Internet Communication in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=116982).
You move the PDC emulator role to a different computer. In this case, you must configure the
Windows Time service for the new PDC emulator master role holder and reconfigure the
original PDC emulator master role holder to synchronize from the domain and not from an
external or internal time source.
You change the time source for the PDC emulator. For example, you change from
synchronizing with an external source to synchronizing with an internal hardware device.
In some environments, one or more domain controllers are configured to act as standby PDC
emulator role holders. If the current PDC emulator fails or is otherwise unavailable, the role can
quickly be transferred to the standby. If you anticipate moving the PDC emulator role and you
want to avoid reconfiguring the new and old PDC emulator every time the role is moved, you can
configure a domain controller in the forest root domain that is not the PDC emulator as the
reliable time source for the forest. In this way, the root of the time service stays the same and
remains properly configured.
Note
Make sure that the domain controller that you configure to be the forest time source is
highly available and, if it is not the PDC emulator, that it does not hold other operations
master roles that might have to be transferred.
Use the following recommendations for configuring the time source for the forest root domain, in
this order of preference:
1. Install a hardware clock, such as a radio or Global Positioning System (GPS) device, as the
time source for the forest root domain and configure Windows Time service (W32time) on the
PDC emulator or other domain controller to synchronize with this device. Many consumer and
enterprise devices are available that use NTP. You can install the device on an internal
network and configure the PDC emulator to use it as its time source.
Hardware clocks have the following advantages and disadvantages:
Highest accuracy. However, NTP servers already match the accuracy that the Windows Time
service can deliver, so the additional accuracy of a hardware clock is not realized in practice.
Expense and maintenance. You must purchase and install a hardware clock, whereas
you can connect to a public time server at no cost and without hardware installation.
2. Configure the Windows Time service on the PDC emulator or other domain controller to
synchronize with an external time server. Computer clocks synchronize with external time
servers by using the NTP protocol over an IP version 4 (IPv4) or IP version 6 (IPv6) network.
You can manually configure the PDC emulator in the forest root domain to synchronize with
the external time source.
External time servers have the following advantages and disadvantages:
Good accuracy. Although a hardware clock is more accurate, its accuracy exceeds what the
Windows Time service can deliver, so the difference in accuracy is not relevant in practice.
Security risk. NTP synchronization with an external time source is not authenticated and
is therefore less secure than if the time source is inside the network.
If you are using an external time source, you can use the following sites to select an NTP server:
Set Your Computer Clock Via the Internet: NIST Internet Time Service (ITS)
(http://go.microsoft.com/fwlink/?LinkId=112035)
If you choose to implement an NTP time synchronization product other than the Windows Time
service, you must disable the Windows Time service on the forest root domain reliable time
source. All NTP servers need access to UDP port 123. If the Windows Time service is running on
a Windows Server 2003-based computer or a Windows Server 2008-based computer, port 123
will remain occupied by the Windows Time service.
Task requirements
The following tools are required to perform the procedures for this task:
W32tm.exe
The Windows Firewall with Advanced Security snap-in, if you need to check User Datagram
Protocol (UDP) port status
The Services snap-in, if you need to disable the Windows Time service
To configure the PDC emulator in the forest root domain to synchronize time from an external
time source, see Configure the Time Source for the Forest. If you plan to use a different
domain controller as the time source for the forest, perform this procedure on that domain
controller instead of the PDC emulator.
If the PDC emulator in the forest root domain is configured as the reliable time source for the
forest and you move the PDC emulator role to a different domain controller, see Change the
Windows Time Service Configuration on the PDC Emulator in the Forest Root Domain.
If you are implementing a time synchronization product other than the Windows Time service
in your environment that uses NTP, see Disable the Windows Time Service to free UDP
port 123 on the network.
If you need more information about Windows Time service events, see Enable Windows Time
Service Debug Logging.
Set Your Computer Clock Via the Internet: NIST Internet Time Service (ITS)
(http://go.microsoft.com/fwlink/?LinkId=112035).
After you configure the Windows Time service on the PDC emulator, be sure to monitor the
System log in Event Viewer for W32time errors.
Note
The following procedures use the w32tm command-line tool. For more information about
the w32tm command, type w32tm /? at a command prompt or see Windows Time
Service Tools and Settings (http://go.microsoft.com/fwlink/?LinkId=112116).
Membership in the local Administrators group, or equivalent, is the minimum required to
complete this procedure locally. Membership in Domain Admins, or equivalent, is the minimum
required to complete this procedure remotely. Review details about using the appropriate
accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To configure the time source for the forest
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, confirm that the action it displays is what you want, and then click Continue.
2. To display the time difference between the local computer and the target time source and
to check NTP communication, at the command prompt, type the following command, and
then press ENTER:
w32tm /stripchart /computer:<target> /samples:<n> /dataonly
Parameter            Description
W32tm /stripchart    Displays a strip chart of the time offset between this computer and the target computer.
/computer:<target>   The computer to measure the offset against (DNS name or IP address).
/samples:<n>         The number of samples to collect. If omitted, samples are collected until you press CTRL+C.
/dataonly            Displays only the data, without the graphical strip chart.
If this procedure fails, check the System event log for Time-Service errors and follow any
resolution steps that are provided in the More Info link in the error. It is possible that a
perimeter firewall is blocking access to the Internet time server. UDP port 123 (NTP) must be
open for outbound and inbound traffic on all routers and firewalls between the PDC
emulator and the Internet. If necessary, enable debug logging for W32time, as described
in Enable Windows Time Service Debug Logging. Resolve any NTP connection issues
before you proceed to step 3.
3. To configure the PDC emulator to use an NTP time source, at the command prompt, type
the following command, and then press ENTER:
w32tm /config /manualpeerlist:<peers> /syncfromflags:manual /reliable:yes /update
Parameter                Description
/manualpeerlist:<peers>  A space-delimited list of the NTP servers to synchronize from (DNS names or IP addresses); enclose the list in quotation marks if it contains more than one server.
/syncfromflags:manual    Synchronize only from the servers in the manual peer list.
/reliable:yes            Mark this domain controller as a reliable time source for the forest.
Note
When you specify a peer in the manual peer list, do not specify a computer that uses the
forest root domain controller as its source for time, such as another domain controller in
the forest. The time service does not operate correctly if there are cycles in the time
source configuration. Peers should be external to the domain hierarchy.
After you configure the PDC emulator as the time source for the forest, log on to a client
computer in the forest root domain and perform steps 1 and 2 in the preceding procedure to
check Windows Time service performance on the PDC emulator. Use the DNS name of the PDC
emulator for the computer target in the command.
If you receive error messages, the User Datagram Protocol (UDP) ports on the PDC emulator
might be disabled or blocked. You can use the following procedure to check the port status on the
PDC emulator, if necessary.
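The stripchart check in step 2, the cycle warning in the note after step 3, and the follow-up test from a client described just above, worked as an added PowerShell example that is not part of this guide and not Microsoft's own code. It parses the output of w32tm /stripchart /dataonly into numeric offsets, and checks a proposed manual peer list against the domain controllers of the forest before w32tm /config is run, so that a peer inside the forest hierarchy is caught. It assumes English-language w32tm output on a domain-joined computer; time.example.net and the sample output lines are constructed placeholders.

```powershell
# Added example, not from the guide: measure the offset to an NTP source by
# parsing 'w32tm /stripchart /dataonly' output, and check a proposed manual
# peer list against this forest's domain controllers before 'w32tm /config',
# so that the peer list cannot create a time-source cycle. Assumes English
# w32tm output; 'time.example.net' and the sample lines are placeholders.

function ConvertFrom-StripchartOutput {
    # Returns the signed offsets (seconds) from /dataonly lines such as
    # "12:00:02, +00.0023456s". Error samples ("12:00:04, error: 0x...")
    # do not match and are skipped.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\d{2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s\s*$') {
            [double]$matches[1]
        }
    }
}

function Test-NtpSource {
    # Runs the same test as step 2 of the procedure and summarises the result.
    param(
        [string]$Computer,
        [int]$Samples = 5,
        [double]$MaxOffsetSeconds = 1.0
    )
    $raw     = & w32tm /stripchart "/computer:$Computer" "/samples:$Samples" /dataonly 2>&1 |
               ForEach-Object { "$_" }
    $offsets = @(ConvertFrom-StripchartOutput -Lines $raw)
    $failed  = @($raw | Where-Object { $_ -match 'error:' }).Count

    if ($offsets.Count -eq 0) {
        # No usable sample: typically name resolution, or UDP 123 blocked by a firewall.
        $status = 'NO DATA: check name resolution and UDP port 123 on intermediate firewalls'
        $worst  = $null
    } else {
        $stats  = $offsets | Measure-Object -Minimum -Maximum
        $worst  = [math]::Max([math]::Abs($stats.Minimum), [math]::Abs($stats.Maximum))
        $status = if ($worst -gt $MaxOffsetSeconds) { "OFFSET TOO LARGE (> $MaxOffsetSeconds s)" } else { 'ok' }
    }
    New-Object PSObject -Property @{
        Computer = $Computer; Samples = $offsets.Count; FailedSamples = $failed
        WorstOffsetSeconds = $worst; Status = $status
    }
}

function Test-ManualPeerList {
    # Returns the proposed peers that are domain controllers of this forest.
    # Such a peer takes its time from the forest root and would form a cycle.
    param([string[]]$Peers)
    $forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $dcNames = foreach ($d in $forest.Domains) {
        foreach ($dc in $d.DomainControllers) { $dc.Name.ToLower() }
    }
    foreach ($peer in $Peers) {
        $peerHost = ($peer -split ',')[0].ToLower()   # drop ",0x8"-style flags
        if ($dcNames -contains $peerHost) { $peerHost }
    }
}

# Offline demonstration on constructed stripchart lines (not real measurements):
$sample = @(
    'Tracking time.example.net [192.0.2.10:123].',
    'Collecting 3 samples.',
    '12:00:00, +00.0123456s',
    '12:00:02, -00.0034567s',
    '12:00:04, error: 0x800705B4'
)
ConvertFrom-StripchartOutput -Lines $sample

# Live use, before committing 'w32tm /config /manualpeerlist:"time.example.net,0x8" ...':
# Test-NtpSource -Computer 'time.example.net' -Samples 5
# $bad = Test-ManualPeerList -Peers @('time.example.net,0x8')
# if ($bad) { Write-Warning "Peers inside the forest hierarchy: $($bad -join ', ')" }
```

After step 3, run Test-NtpSource from a client in the forest root domain with the DNS name of the PDC emulator as -Computer, which is the follow-up test the text above describes; a result of NO DATA points to the UDP port checks in the next procedure.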
If this rule is disabled (dimmed), right-click the rule, and then click Enable.
If the rule is blocked, right-click the rule, and then click Properties. Under Action,
click Allow the connections, and then click OK.
3. To check outbound UDP port status on the domain controller, click Outbound Rules.
4. Check that Active Directory Domain Controller (UDP-Out) has a status of enabled and
is not blocked:
If the rule is disabled (dimmed), right-click the rule, and then click Enable.
If the rule is blocked, right-click the rule, and then click Properties. Under Action,
click Allow the connections, and then click OK.
Or
To open only outbound UDP port 123, create a separate outbound rule for the specific
port, as follows:
a. In Windows Firewall with Advanced Security, right-click Outbound Rules, and
then click New.
b. In the New Outbound Rule Wizard, click Port, and then click Next.
c.
Click UDP, click Specific local ports, type 123, and then click Next.
d. Follow the directions in the wizard to configure the security settings and name the
rule, and then click Finish.
5. To ensure that the PDC emulator responds, on an NTP client, repeat the test in step 2 of
the procedure To configure the Windows Time service on the PDC emulator earlier in
this topic.
Parameter               Description
/syncfromflags:domhier  Specifies that the computer synchronizes from a domain controller in the domain
                        hierarchy instead of from a manual peer list.
/reliable:no            Specifies that the computer is not a reliable time source, so that other domain
                        controllers do not select it as one.
3. At the command prompt, type the following command, and then press ENTER:
net stop w32time
4. At the command prompt, type the following command, and then press ENTER:
net start w32time
You can configure these computers to request time from a particular time source, such as a
domain controller in the domain. If you do not specify a source that is synchronized with the
domain, each computer's internal hardware clock governs its time, and the clocks drift apart.
Task requirements
The following tool is required to perform the procedures for this task:
W32tm
Parameter           Description
w32tm /stripchart   Displays a strip chart of the time offset between this computer and the target computer.
/computer:<target>  Specifies the computer to measure the offset against, for example the PDC emulator.
/samples:<n>        Specifies the number of samples to collect.
/dataonly           Displays only the sampled data, without the graphical chart.
3. Open UDP port 123 for outgoing traffic on the firewall, if necessary.
4. Open UDP port 123 (or a different port that you have selected) for incoming NTP traffic.
5. To configure a manual time source for the selected computer, at the command prompt,
type the following command, and then press ENTER:
w32tm /config /manualpeerlist:<peers> /syncfromflags:manual /update
Parameter                  Description
/manualpeerlist:<peers>    Specifies the list of DNS names or IP addresses of the time sources that this
                           computer synchronizes from. Separate multiple peers with a space and enclose the
                           list in quotation marks.
/syncfromflags:manual      Specifies that the computer synchronizes only from the peers in the manual peer list.
Parameter               Description
/syncfromflags:domhier  Specifies that the computer synchronizes from a domain controller in the domain
                        hierarchy instead of from a manual peer list.
3. At the command prompt, type the following command, and then press ENTER:
net stop w32time
4. At the command prompt, type the following command, and then press ENTER:
net start w32time
W32tm.exe
Restore the Windows Time Service on the Local Computer to the Default Settings
3. At the command prompt, type the following command, and then press ENTER:
w32tm /unregister
4. At the command prompt, type the following command, and then press ENTER:
w32tm /register
5. At the command prompt, type the following command, and then press ENTER:
net start w32time
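The following PowerShell script is an added example and is not part of the Microsoft guide. It applies the w32tm configuration that the preceding procedures describe according to the role of the local domain controller (manual external peers and /reliable:yes on the forest root PDC emulator, /syncfromflags:domhier and /reliable:no everywhere else), and then verifies the result the same way the guide does, with w32tm /stripchart and a check of the Active Directory Domain Controller (UDP-Out) firewall rule. The peer list is an assumption for illustration; the function and variable names are the example's own.

```powershell
# Added example, not from the Microsoft guide. Run in an elevated PowerShell prompt on the DC.
# ASSUMPTION: the external peers below are placeholders; use your organisation's NTP sources.
$ExternalPeers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8'   # ,0x8 = client mode (this computer only requests time)

function Get-ForestRootPdc {
    # FQDN of the DC that holds the PDC emulator role in the forest root domain
    [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain.PdcRoleOwner.Name
}

function Test-IsForestRootPdc {
    $ip = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    (Get-ForestRootPdc) -ieq "$($ip.HostName).$($ip.DomainName)"
}

function Set-TimeSourceByRole {
    if (Test-IsForestRootPdc) {
        # Forest root PDC emulator: manual external peers, advertised as a reliable time source.
        # Peers must be outside the domain hierarchy (see the Note above) or a cycle results.
        w32tm /config "/manualpeerlist:$ExternalPeers" /syncfromflags:manual /reliable:yes /update
    } else {
        # Any other DC (including a former PDC emulator): follow the domain hierarchy, not reliable
        w32tm /config /syncfromflags:domhier /reliable:no /update
    }
    Restart-Service w32time               # same effect as net stop / net start w32time
    w32tm /resync /rediscover | Out-Null  # drop cached peers and pick up the new source now
    w32tm /query /source                  # shows which peer the service is now using
}

function Test-TimeOffset {
    # Same measurement as 'w32tm /stripchart ... /dataonly' in the guide; parses the offset
    # column of each sample line (for example '13:02:11, +00.0012345s').
    param([string]$Target = (Get-ForestRootPdc), [int]$Samples = 5)
    $lines = w32tm /stripchart "/computer:$Target" "/samples:$Samples" /dataonly
    $offsets = @()
    foreach ($l in $lines) {
        if ($l -match ',\s*([+-]?\d+\.\d+)s\s*$') { $offsets += [double]$Matches[1] }
    }
    if ($offsets.Count -eq 0) {
        throw "No NTP samples from $Target. Check UDP port 123 on the path and the firewall rules."
    }
    $worst = 0.0
    foreach ($o in $offsets) { if ([math]::Abs($o) -gt $worst) { $worst = [math]::Abs($o) } }
    New-Object PSObject -Property @{ Target = $Target; Samples = $offsets.Count; MaxOffsetSeconds = $worst }
}

function Test-NtpOutboundRule {
    # The firewall procedure above checks 'Active Directory Domain Controller (UDP-Out)';
    # netsh reports the same Enabled and Action fields that the MMC snap-in shows.
    $out = netsh advfirewall firewall show rule name="Active Directory Domain Controller (UDP-Out)"
    [bool](($out -match '^\s*Enabled:\s+Yes') -and ($out -match '^\s*Action:\s+Allow'))
}

# Usage: Set-TimeSourceByRole; Test-NtpOutboundRule; Test-TimeOffset -Target (Get-ForestRootPdc)
```

Run Test-TimeOffset from a client in the forest root domain with the PDC emulator's DNS name as the target, as the guide instructs; a throw from that function is the same symptom as the error messages described above and points at UDP port 123 being blocked somewhere on the path.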
Note
The location of the SYSVOL directory and subdirectories is configurable during and after
Active Directory installation. The default locations under %systemroot%\SYSVOL are
used throughout this guide only as a relative reference to the location of SYSVOL files
and folders.
The %systemroot%\SYSVOL\domain and %systemroot%\SYSVOL\sysvol folders appear to
contain the same content because SYSVOL uses junction points (also called reparse points). A
junction point is a physical location on a hard disk that points to data that is located elsewhere on
the hard disk or on another storage device. Junction points look like folders and behave like
folders (in Windows Explorer they appear to be shortcuts to folders), but they are not folders. A
junction point contains a link to another folder. When a program opens it, the junction point
automatically redirects the program to the folder to which the junction point is linked. The
redirection is completely transparent to the user and the application. For example, if you open a
command prompt and type dir to list the contents of \%systemroot%\SYSVOL\sysvol, you notice
a folder that is listed as <JUNCTION>. The junction point in %systemroot%\SYSVOL\sysvol links
to %systemroot%\SYSVOL\domain.
In this guide, in reference to SYSVOL components and folders, the capitalization that is used
reflects the capitalization of the default folders and parameters as they appear in the file system,
in the registry, and in Active Directory Domain Services (AD DS). For example, the default
SYSVOL directory tree always appears as %systemroot%\SYSVOL\sysvol, as it appears in
Windows Explorer. When the topic is specific to the sysvol shared folder, lowercase sysvol is
used. Similarly, the area of SYSVOL that is historically referred to as the staging area is
described in this guide as the staging areas subdirectory. In this way, the folder
%systemroot%\SYSVOL\staging areas is clearly understood and distinct from the
%systemroot%\SYSVOL\staging folder. Capitalization of registry parameters and Active Directory
attribute names is presented as it appears in those locations.
entire updated file. With DFS Replication, for files larger than 64 KB, only the updated portion of
the file is replicated.
To replicate only updates to files, DFS Replication uses an algorithm called remote differential
compression (RDC). RDC detects changes to the data in a file and enables DFS Replication to
replicate changes in the form of file blocks, without having to replicate the entire file. RDC detects
insertions, removals, and rearrangements of data in files. The DFS Replication service monitors
SYSVOL, and, if a change occurs to any file that is stored in SYSVOL, DFS Replication
automatically replicates the file updates to the SYSVOL folders on the other domain controllers in
the domain. An additional improvement is that DFS Replication does not require the version
vector join (vvjoin) operation, which is performed between FRS replication partners when new
connections are created. Vvjoin is a CPU-intensive operation that can affect the performance of
the server and cause increased replication traffic.
In Windows Server 2008, DFS Replication is the default file replication service for domains that
are initially created on domain controllers running Windows Server 2008. However, in a domain
that is upgraded from another operating system to Windows Server 2008, FRS is the default
replication service for SYSVOL replication. To implement DFS Replication of SYSVOL after an
upgrade to Windows Server 2008 domain functional level, you must perform a preliminary
migration process for replication of the SYSVOL tree.
You can use the Diagnostic Reports features of DFS Management to implement a monitoring
system to detect low disk space and other potential DFS Replication disruptions so that you can
resolve these issues before the system stops replicating. The Ultrasound utility, which is a tool for
monitoring FRS, cannot be used for DFS Replication. Instead, you can use the DFS Replication
health reports that DFS Management generates. For information about using DFS Management
to generate diagnostic reports, see Create a Diagnostic Report for DFS Replication
(http://go.microsoft.com/fwlink/?LinkId=122538).
Other key considerations for managing SYSVOL include the following:
Capacity
To manage SYSVOL, enough space must be provided to store SYSVOL. The quota that is
allocated to the DFS Replication staging area is 4 gigabytes (GB) (4096 MB). The maximum
size is 4 terabytes (TB) (4096 GB). Depending on the configuration of your domain, SYSVOL
can require a significant amount of disk space to function properly. During the initial
deployment, SYSVOL might be allocated adequate disk space to function. However, as your
installation of Active Directory Domain Services (AD DS) grows in size and complexity, the
required capacity can exceed the available disk space.
If you receive indications that disk space is low, determine whether the cause is inadequate
physical space on the disk or the DFS Management setting that limits the quota that is
allocated to the staging area. If staging area disk space is low, DFS Replication encounters
frequent staging area cleanup events. You can reduce the amount of data in SYSVOL by
implementing a Central Store of .admx files in SYSVOL, so that Windows Vista policy template
files are stored and replicated once for the domain instead of inside each GPO. For
information about using this solution, see article 929841 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkId=122539). You can also reduce SYSVOL size and
replication time by managing Administrative Templates in Group Policy. For information about
using this solution, see article 813338 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkId=122540).
Hardware maintenance
System maintenance, such as removal of a disk drive, can make it necessary for you to
relocate SYSVOL. Even if the maintenance occurs on a different disk drive, verify that the
maintenance does not affect SYSVOL. Logical drive letters can change after you add and
remove disks. DFS Replication locates SYSVOL by using paths that are stored in AD DS. If
drive letters change after you add or remove disk drives, you must manually update the paths
in AD DS.
Backing up GPOs
The successful operation of Group Policy depends on the reliable operation of SYSVOL. Key
components of GPOs exist in SYSVOL (in the policies subdirectory), and it is essential that
these GPO components remain synchronized with related components in AD DS. Therefore,
backing up only the SYSVOL component does not represent a full and complete backup of
your GPOs. The Group Policy Management Console (GPMC) provides both UI-based and
scriptable methods for backing up GPOs. It is important that you back up GPOs as part of
your regular backup/disaster recovery processes. Soon after installation of a new domain, the
default domain and default domain controllers' GPOs should be backed up. They should also
be backed up after any subsequent changes are made. GPOs are included in system state
backups. For information about backing up system state, see Backing Up Active Directory
Domain Services. For information about backing up GPOs, see Back Up a Group Policy
Object (http://go.microsoft.com/fwlink/?LinkID=122542).
Relocating SYSVOL
When you relocate SYSVOL, you must first copy the entire folder structure to a new location.
Then, you must update the junction points and path values that are stored in the registry and
in AD DS to maintain the relationships between the paths, the folders, and the junctions. As
an option, you can relocate the staging area and leave the rest of SYSVOL at its original
location. In this case, you must update the staging folder path in AD DS.
%systemroot%\SYSVOL\domain\scripts
%systemroot%\SYSVOL\staging
%systemroot%\SYSVOL\staging\domain
%systemroot%\SYSVOL\staging areas
%systemroot%\SYSVOL\staging areas\<FQDN>, where FQDN is the fully qualified domain name
of the domain that this domain controller hosts, for example, contoso.com.
%systemroot%\SYSVOL\sysvol
%systemroot%\SYSVOL\sysvol\<FQDN>, where FQDN is the fully qualified domain name of the
domain that this domain controller hosts, for example, contoso.com.
Note
If any of the folders do not appear in Windows Explorer, click Tools, and then click
Folder Options. On the View tab, click Show hidden files and folders.
If you use Windows Explorer to view these folders, they appear to be typical folders. If you open a
command prompt and type dir to list these folders, you notice that two special folders are listed
as <JUNCTION>. Both folders labeled FQDN are junction points. The junction point in
%systemroot%\SYSVOL\sysvol links to %systemroot%\SYSVOL\domain. The junction in
%systemroot%\SYSVOL\staging areas links to %systemroot%\SYSVOL\staging\domain. If you
change the path to the folders to which the junctions are linked, you must also update the
junctions, including drive letter changes and folder changes.
Besides junction points linking to folders within the SYSVOL tree, the registry and AD DS also
store references to folders. These references contain paths that you must update if you change
the location of the folder:
AD DS: Two attributes in AD DS store the paths for the SYSVOL root and staging area
folders, as shown in the following table.
Directory value       Contents
msDFSR-RootPath       %systemroot%\SYSVOL\domain
msDFSR-StagingPath    %systemroot%\SYSVOL\staging\domain
DFS Management
4. On the Staging tab, change the value in Quota (in megabytes), and then click OK.
A junction point that is stored in the staging areas folder in SYSVOL that links to the actual
location that DFS Replication uses to stage files.
After you move the staging areas folders, you must change the staging folder path in AD DS. The
staging junction point is updated automatically to reference the new location when you restart the
DFS Replication service and Netlogon service. You do not have to update the staging junction
point manually. After you move the staging areas folders, force replication of the changes to a
replication partner in the domain.
Except where noted, perform these procedures on the domain controller that contains the staging
folder that you want to relocate.
Task requirements
An understanding of the SYSVOL folder structure is necessary for this task. For information about
the SYSVOL folder structure, see Introduction to Administering DFS-Replicated SYSVOL.
The following tools are required to perform the procedures for this task:
Event Viewer
Net.exe
Dcdiag.exe
Regedit.exe
ADSI Edit
Look for a message that states that <ComputerName> passed test NetLogons, where
<ComputerName> is the name of the domain controller. If you do not see the passed test
message, check the permissions that are set on the Scripts and Sysvol shared folders.
For information about default SYSVOL permissions, see Reapply Default SYSVOL
Security Settings.
Note
For more detailed replication information, use the /v option.
If this test fails, open Event Viewer and check for errors in the Directory Service log. Use
the information in the ActiveDirectory_DomainService replication events to troubleshoot
the problem.
Note
The instructions in this procedure relate to domains in which Distributed File System
(DFS) Replication is used to replicate SYSVOL. For information about relocating
SYSVOL when you use File Replication Service (FRS), see Relocating SYSVOL
Manually (http://go.microsoft.com/fwlink/?LinkId=122590).
For more information about the folder structure and the relationships between the folders and the
path information that is stored in the registry, AD DS, and the SYSVOL directory itself, see
Introduction to Administering DFS-Replicated SYSVOL.
You can use these procedures to locate the SYSVOL path information and then record the values
in the following table. Use the rows and columns in the table according to the goals of your
procedure. Record the current values and also the new values if you are moving the SYSVOL
tree or the staging areas subtree or if you are rebuilding SYSVOL:
Relocating the entire SYSVOL tree: Record the current and new path values in rows 1
through 5.
Relocating the staging areas subtree only: Record the current and new path values in rows 2
and 5.
Record the current values from the domain controller that you are restoring in rows 1, 2,
and 3.
In the Current Value column in rows 4 and 5, record the values in the junction points that
are located on the domain controller from which you are copying the SYSVOL folder
structure.
In the New Value column in rows 4 and 5, record the values in the junction points that are
located on the domain controller whose SYSVOL you are rebuilding.
Row  Parameter                                    Current value    New value
1    msDFSR-RootPath in AD DS
2    msDFSR-StagingPath in AD DS
3    SysVol Netlogon parameter in the registry
4    sysvol junction point
5    staging areas junction point
4. Record the current value in row 4 in the previous table. If you are moving SYSVOL, also
record the new value for the new location.
To determine the value in the staging areas junction point
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, change the directory to %systemroot%\SYSVOL\staging areas
or to the current location if the staging areas subtree has been moved from the default
location.
3. To view the junction point for the staging areas folder, at the command prompt, type the
following command, and then press ENTER:
dir /a:L
4. The output identifies the <JUNCTION> folder type and the value that is stored in the
staging areas junction point in brackets. For example, the default value is [Drive:\
%systemroot%\SYSVOL\staging\domain] (or, if SYSVOL has been migrated from FRS to
DFS Replication, [Drive:\%systemroot%\SYSVOL_DFSR\staging\domain]). Record the
current value in row 5 of the previous table. If you are moving SYSVOL or the staging
areas subtree, also record the new value for the new location.
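The following PowerShell script is an added example and is not part of the Microsoft guide. It collects the five values that the table above asks you to record (rows 1 and 2 from the SYSVOL Subscription object in AD DS, row 3 from the Netlogon registry parameters, rows 4 and 5 by parsing the same dir /a:L output the procedures use) and then checks that they agree with each other, that the folders exist on disk, that SysvolReady is 1, and that the SYSVOL and NETLOGON shares are present. It is read-only. The function names are the example's own; it assumes it runs on the domain controller being checked.

```powershell
# Added example, not from the Microsoft guide. Run in an elevated PowerShell prompt on the DC.

function Get-SysvolSubscription {
    # CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,<this DC's computer object>
    $searcher = New-Object DirectoryServices.DirectorySearcher("(sAMAccountName=$env:COMPUTERNAME`$)")
    $dcDn = $searcher.FindOne().Properties['distinguishedname'][0]
    [ADSI]"LDAP://CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$dcDn"
}

function Get-JunctionTarget([string]$Parent, [string]$Name) {
    # Mirrors the guide's 'dir /a:L' step: the target is shown in brackets after <JUNCTION>
    $lines = cmd /c "dir /a:L `"$Parent`""
    foreach ($l in $lines) {
        if ($l -match "<JUNCTION>\s+$([regex]::Escape($Name))\s+\[(.+)\]\s*$") { return $Matches[1] }
    }
    return $null
}

function Get-SysvolPathInfo {
    $sub  = Get-SysvolSubscription
    $nl   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $fqdn = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
    $sysvolShare = [string]$nl.SysVol                 # row 3, e.g. C:\Windows\SYSVOL\sysvol
    $sysvolTop   = Split-Path $sysvolShare -Parent    # e.g. C:\Windows\SYSVOL
    New-Object PSObject -Property @{
        Row1_msDFSR_RootPath    = [string]$sub.'msDFSR-RootPath'
        Row2_msDFSR_StagingPath = [string]$sub.'msDFSR-StagingPath'
        Row3_Netlogon_SysVol    = $sysvolShare
        Row4_SysvolJunction     = Get-JunctionTarget $sysvolShare $fqdn
        Row5_StagingJunction    = Get-JunctionTarget (Join-Path $sysvolTop 'staging areas') $fqdn
        SysvolReady             = $nl.SysvolReady
    }
}

function Test-SysvolPathConsistency {
    $i = Get-SysvolPathInfo
    $problems = @()
    $norm = { param($p) if ($p) { $p.TrimEnd('\') } }   # ignore a trailing backslash
    # Row 4 must link to row 1 and row 5 to row 2 (the relationships described in the Introduction)
    if ((& $norm $i.Row4_SysvolJunction) -ne (& $norm $i.Row1_msDFSR_RootPath)) {
        $problems += 'sysvol junction does not point at msDFSR-RootPath'
    }
    if ((& $norm $i.Row5_StagingJunction) -ne (& $norm $i.Row2_msDFSR_StagingPath)) {
        $problems += 'staging areas junction does not point at msDFSR-StagingPath'
    }
    foreach ($p in $i.Row1_msDFSR_RootPath, $i.Row2_msDFSR_StagingPath, $i.Row3_Netlogon_SysVol) {
        if (-not ($p -and (Test-Path -LiteralPath $p))) { $problems += "path missing on disk: $p" }
    }
    # Netlogon publishes the SYSVOL and NETLOGON shares only once SysvolReady is 1
    if ($i.SysvolReady -ne 1) { $problems += "SysvolReady is '$($i.SysvolReady)'; shares will not be published" }
    $shares = net share
    foreach ($s in 'SYSVOL', 'NETLOGON') {
        if (-not ($shares -match "^\s*$s\s")) { $problems += "$s share is not present" }
    }
    $i | Add-Member NoteProperty Problems $problems -PassThru   # an empty Problems list means consistent
}

# Usage: Test-SysvolPathConsistency | Format-List
```

Run it before a move to fill in the Current value column, and again after the services have been restarted to confirm that the New value column matches what the domain controller is actually using. If SYSVOL was migrated from FRS, the paths contain SYSVOL_DFSR rather than SYSVOL, as noted in step 4 above; the check does not depend on the folder name.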
You can use the Windows graphical user interface (GUI) or the command line to stop the
DFS Replication service and the Netlogon service.
Note
The staging path junction point is updated automatically when DFS Replication is
restarted.
Membership in Domain Admins, or equivalent, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To stop the DFS Replication service or Netlogon service, or both, by using the Windows
GUI
1. On the Start menu, point to Administrative Tools, and then click Services.
2. In the Name column, right-click DFS Replication or Netlogon, and then click Stop.
To stop the DFS Replication service and the Netlogon service by using the command
line
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
net stop dfsr
3. At the command prompt, type the following command, and then press ENTER:
net stop netlogon
After you move or restore SYSVOL, when you update the SYSVOL Netlogon path in the registry,
you must also update the SysvolReady parameter in Netlogon parameters, as described in
Change the SYSVOL Netlogon Parameters.
Ensure that all folders exist. If any folders are missing at the new location (such as
\scripts), re-create them.
To change the SYSVOL root path or the staging areas path, or both
1. Click Start, point to Administrative Tools, and then click ADSI Edit.
2. Right-click ADSI Edit, and then, if the domain whose path information you want to check
is not listed, click Connect to.
3. Under Connection Point, click Select a well known Naming Context, click Default
naming context, and then click OK.
4. In the console tree, expand the domain component, and then expand OU=Domain
Controllers.
5. Double-click the container that represents a domain controller on which you can check
the path information, double-click CN=DFSR-LocalSettings, and then click CN=Domain
System Volume.
6. In the details pane, right-click CN=SYSVOL Subscription, and then click Properties.
7. Click Filter. Ensure that Show mandatory attributes is selected. Select this option if it is
not selected.
8. In Attributes, double-click one or both of the following:
msDFSR-RootPath
msDFSR-StagingPath
9. In Value, type the new folder path, and then click OK.
10. Click OK to close the CN=SYSVOL Subscription Properties dialog box.
See Also
Start the DFS Replication Service and Netlogon Service
To start the DFS Replication service or Netlogon service, or both, by using the Windows
GUI
1. On the Start menu, point to Administrative Tools and then click Services.
2. In the Name column, right-click DFS Replication or Netlogon, and then click Restart.
To start the DFS Replication service or Netlogon service, or both, by using the
command line
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide Domain Admins credentials, if required, and then click Continue.
2. To start the DFS Replication service, at the command prompt, type the following
command, and then press ENTER:
net start dfsr
3. To start the Netlogon service, at the command prompt, type the following command, and
then press ENTER:
net start netlogon
Notes
You can use Event Viewer to verify that DFS Replication restarted correctly. In the
DFS Replication log (in Applications and Services Logs), Event ID 1004 indicates that the
service restarted. Look for Event IDs 1210, 1206, and 6102 to verify that the domain
controller is running and ready for service. If you moved SYSVOL to a new location or
relocated the staging areas folder, look for Event IDs 4604 and 6018, which indicate
success. Event ID 7036 in the System event log reports that the Netlogon service is
running. This event reports on all services that are stopped or started.
Also verify that the Netlogon service is sharing the sysvol (SYSVOL share) and scripts
(NETLOGON share) folders. At a command prompt, type net share, and then press
ENTER.
See Also
Synchronize Replication with All Partners
procedure retains security settings. After you move the SYSVOL tree, verify that the security
settings on the relocated SYSVOL folders match the settings on the original SYSVOL folder
structure. As an alternative, you can reapply security settings on the moved SYSVOL.
When you have completed SYSVOL relocation, force replication from the updated domain
controller to a replication partner in the domain.
Task requirements
The following tools are required to perform the procedures for this task:
Net.exe
Dcdiag.exe
Event Viewer
ADSI Edit
Regedit.exe
Dir.exe
Windows Explorer
Robocopy.exe
Mklink.exe
If you choose to reapply security settings manually, the following additional tools are required:
Notepad.exe
Secedit.exe
Look for a message that states that <ComputerName> passed test NetLogons, where
<ComputerName> is the name of the domain controller. If you do not see the passed test
message, check the permissions that are set on the Scripts and Sysvol shared folders.
For information about default SYSVOL permissions, see Reapply Default SYSVOL
Security Settings.
Note
For more detailed replication information, use the /v option.
If this test fails, open Event Viewer and check for errors in the Directory Service log. Use
the information in the ActiveDirectory_DomainService replication events to troubleshoot
the problem.
Relocating the entire SYSVOL tree: Record the current and new path values in rows 1
through 5.
Relocating the staging areas subtree only: Record the current and new path values in rows 2
and 5.
Record the current values from the domain controller that you are restoring in rows 1, 2,
and 3.
In the Current Value column in rows 4 and 5, record the values in the junction points that
are located on the domain controller from which you are copying the SYSVOL folder
structure.
In the New Value column in rows 4 and 5, record the values in the junction points that are
located on the domain controller whose SYSVOL you are rebuilding.
Row  Parameter                                    Current value    New value
1    msDFSR-RootPath in AD DS
2    msDFSR-StagingPath in AD DS
3    SysVol Netlogon parameter in the registry
4    sysvol junction point
5    staging areas junction point
4. In the tree view, expand the domain component, and then expand OU=Domain
Controllers.
5. Double-click the container that represents a domain controller on which you can check
the path information, double-click CN=DFSR-LocalSettings, and then click CN=Domain
System Volume.
6. In the details pane, right-click CN=SYSVOL Subscription, and then click Properties.
7. Click Filter. Ensure that Show mandatory attributes is selected. Select this option if it is
not selected.
8. In Attributes, locate msDFSR-RootPath and msDFSR-StagingPath, and then record
the current values in rows 1 and 2, respectively, in the previous table. If you are moving
SYSVOL, also record the new values for the new location in both rows. If you are moving
the staging areas subtree, record the new path value in row 2.
9. Click Cancel to close the CN=SYSVOL Subscription Properties dialog box.
To determine the SysVol Netlogon parameter value in the registry
1. Click Start, click Run, type regedit, and then press ENTER.
2. In Registry Editor, navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. In the details pane, double-click SysVol. The current value is listed in Value data.
4. Record the current value in row 3 of the previous table, and then click Cancel to close
the Edit String dialog box. If you are moving SYSVOL, also record the new value for the
new location.
5. Close Registry Editor.
To determine the value in the sysvol junction point
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, change the directory to %systemroot%\SYSVOL\sysvol, or to
the current location if SYSVOL has been moved from the default location.
3. To view the junction point for the sysvol folder, at the command prompt, type the following
command, and then press ENTER:
dir /a:L
4. Record the current value in row 4 in the previous table. If you are moving SYSVOL, also
record the new value for the new location.
To determine the value in the staging areas junction point
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, change the directory to %systemroot%\SYSVOL\staging areas
or to the current location if the staging areas subtree has been moved from the default
location.
3. To view the junction point for the staging areas folder, at the command prompt, type the
following command, and then press ENTER:
dir /a:L
4. The output identifies the <JUNCTION> folder type and the value that is stored in the
staging areas junction point in brackets. For example, the default value is [Drive:\
%systemroot%\SYSVOL\staging\domain] (or, if SYSVOL has been migrated from FRS to
DFS Replication, [Drive:\%systemroot%\SYSVOL_DFSR\staging\domain]). Record the
current value in row 5 of the previous table. If you are moving SYSVOL or the staging
areas subtree, also record the new value for the new location.
To stop the DFS Replication service and the Netlogon service by using the command
line
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
net stop dfsr
3. At the command prompt, type the following command, and then press ENTER:
net stop netlogon
After you move or restore SYSVOL, when you update the SYSVOL Netlogon path in the registry,
you must also update the SysvolReady parameter in Netlogon parameters, as described in
Change the SYSVOL Netlogon Parameters.
Identify Replication Partners. After you relocate SYSVOL, you will force replication of the
changes to replication partners so that SYSVOL is updated as soon as possible on other
domain controllers.
Check the Status of the SYSVOL and Netlogon Shares. Make sure that the sysvol and scripts
folders are shared on the domain controller.
Verify Active Directory Replication. Make sure that you resolve any replication issues before
you move SYSVOL.
Gather the SYSVOL Path Information. You must have the current path information, and you
must also document the new location.
Stop the DFS Replication Service and Netlogon Service. Do not make any changes to the
SYSVOL location while these services are running.
Note
The destination folder must be empty.
Parameter               Description
<Source Folder>         The current SYSVOL folder, for example %systemroot%\SYSVOL.
<Destination Folder>    The new, empty folder that will hold the SYSVOL tree.
/copyall                Copies all file information: data, attributes, time stamps, NTFS security (ACLs),
                        owner, and auditing information.
/mir                    Mirrors the directory tree, including empty directories.
/b                      Copies files in backup mode, so that files the administrator does not have
                        explicit access to are still copied.
/r:0                    Does not retry failed copies, so that a problem is reported immediately instead of
                        stalling the copy.
/xd "DfsrPrivate"       Excludes directories named DfsrPrivate, which hold the DFS Replication state of
                        this member and must not be copied.
/xf "DfsrPrivate"       Excludes files named DfsrPrivate.
5. To compare the new folder structure to the original, open a Command Prompt as an
administrator: On the Start menu, right-click Command Prompt, and then click Run as
administrator. If the User Account Control dialog box appears, provide Domain Admins
credentials, if required, and then click Continue.
6. Change directories to the new SYSVOL folder. To list the contents of the folder and
subfolders with their sizes, type the following command, and then press ENTER:
dir /s
Compare the output with the output for the original SYSVOL folder. Ensure that all folders
exist and that file sizes are the same. If any folders are missing at the new location (such
as \scripts), re-create them.
7. Verify that the security settings on the moved SYSVOL are the same as the settings on
the original location. Inherited permissions come from the new parent folder, so compare the
permissions that are set directly on the SYSVOL folders; if they differ, reapply the default
SYSVOL security settings.
Example: mklink /J contoso.com D:\ContosoRoot\SYSVOL\domain
Parameter      Definition
mklink /J      Creates a directory junction.
<FQDN>         The name of the junction, which is the fully qualified domain name of the domain that
               this domain controller hosts (contoso.com in the example). The second argument is the
               path of the domain folder at the new SYSVOL location that the junction links to.
4. To verify the creation of the junction point, at the command prompt, type the following
command, and then press ENTER:
dir /a:L
Verify the presence of the <JUNCTION> folder type and the value that you specified in
step 3.
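The following PowerShell script is an added example and is not part of the Microsoft guide. It carries the copy, compare, and junction steps above through in one place: robocopy with the switches listed in the table, a file-and-size comparison equivalent to comparing the dir /s output, a comparison of the permissions set directly on the main SYSVOL folders (step 7), and mklink /J with the same dir /a:L verification as step 4. One switch goes beyond the guide's table and is an assumption of this example: /xj, so that the two junctions inside SYSVOL are not followed and copied as ordinary folders (the sysvol junction is re-created by the script, and the guide states that DFS Replication re-creates the staging areas junction when it restarts). The paths and domain name in the usage lines are assumptions; the function names are the example's own.

```powershell
# Added example, not from the Microsoft guide. Run with DFS Replication and Netlogon stopped.

function Copy-SysvolTree([string]$Source, [string]$Destination) {
    if ((Test-Path -LiteralPath $Destination) -and (Get-ChildItem -LiteralPath $Destination -Force)) {
        throw "Destination must be empty: $Destination"
    }
    # /copyall keeps data, attributes, time stamps, ACLs, owner and auditing; /b uses backup
    # semantics; /r:0 fails fast; DfsrPrivate is this member's private DFS Replication state.
    # ASSUMPTION beyond the guide's switch list: /xj skips the junctions instead of following them.
    & robocopy $Source $Destination /copyall /mir /b /r:0 /xj /xd DfsrPrivate /xf DfsrPrivate | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }
    $LASTEXITCODE   # 0-7 are informational (1 = files copied)
}

function Get-TreeSnapshot([string]$Root) {
    # Relative path and size of every file. sysvol\ and 'staging areas\' hold only the
    # junctions (verified with dir /a:L instead) and DfsrPrivate was excluded from the copy.
    $rootFull = (Get-Item -LiteralPath $Root -Force).FullName.TrimEnd('\')
    Get-ChildItem -LiteralPath $rootFull -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { $_.FullName.Substring($rootFull.Length + 1) + '|' + $_.Length } |
        Where-Object { $_ -notmatch '^(sysvol|staging areas)\\' -and $_ -notmatch '(^|\\)DfsrPrivate\\' } |
        Sort-Object
}

function Get-ExplicitAces([string]$Path) {
    # Inherited ACEs come from the new parent folder and legitimately differ after a move;
    # the ACEs set directly on the SYSVOL folders must survive the copy unchanged.
    (Get-Acl -Path $Path).Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        "$($_.IdentityReference)|$($_.FileSystemRights)|$($_.AccessControlType)|$($_.InheritanceFlags)|$($_.PropagationFlags)"
    } | Sort-Object
}

function Compare-SysvolTree([string]$Source, [string]$Destination) {
    $diff = @(Compare-Object (Get-TreeSnapshot $Source) (Get-TreeSnapshot $Destination))
    foreach ($sub in 'domain', 'domain\Policies', 'domain\scripts', 'staging\domain') {
        $a = Get-ExplicitAces (Join-Path $Source $sub)
        $b = Get-ExplicitAces (Join-Path $Destination $sub)
        if (($a -join "`n") -ne ($b -join "`n")) { $diff += "explicit ACL differs on $sub (reapply security settings)" }
    }
    $diff   # no output means files, sizes and explicit permissions match
}

function New-SysvolJunction([string]$NewSysvolFolder, [string]$Fqdn, [string]$NewDomainFolder) {
    # mklink /J <FQDN> <new domain folder>, created inside the new sysvol folder
    $link = Join-Path $NewSysvolFolder $Fqdn
    if (Test-Path -LiteralPath $link) { throw "$link already exists; remove it before creating the junction" }
    cmd /c "mklink /J `"$link`" `"$NewDomainFolder`"" | Out-Null
    # Verify as the guide does: dir /a:L lists <JUNCTION> <FQDN> [target]
    $listing = cmd /c "dir /a:L `"$NewSysvolFolder`""
    $pattern = "<JUNCTION>\s+$([regex]::Escape($Fqdn))\s+\[$([regex]::Escape($NewDomainFolder))\]"
    if (-not ($listing -match $pattern)) { throw "junction $link was not created" }
    $link
}

# Usage (assumed paths, matching the guide's mklink example):
# Copy-SysvolTree 'C:\Windows\SYSVOL' 'D:\ContosoRoot\SYSVOL'
# Compare-SysvolTree 'C:\Windows\SYSVOL' 'D:\ContosoRoot\SYSVOL'
# New-SysvolJunction 'D:\ContosoRoot\SYSVOL\sysvol' 'contoso.com' 'D:\ContosoRoot\SYSVOL\domain'
```

Compare-SysvolTree returns nothing when the copy is faithful; any output is either a file that differs between the trees or an explicit permission that did not survive the copy, which is the case the guide's step 7 and the Reapply Default SYSVOL Security Settings procedure exist for.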
9. In Value, type the new folder path, and then click OK.
10. Click OK to close the CN=SYSVOL Subscription Properties dialog box.
See Also
Start the DFS Replication Service and Netlogon Service
Parameter    Description
/configure   Applies the security settings stored in the specified security database (built from
             a security template) to the local computer.
/overwrite   Empties the security database before the template is imported into it, so that only
             the settings in the template are applied.
3. To start the Netlogon service, at the command prompt, type the following command, and
then press ENTER:
net start netlogon
Notes
You can use Event Viewer to verify that DFS Replication restarted correctly. In the
DFS Replication log (in Applications and Services Logs), Event ID 1004 indicates that the
service restarted. Look for Event IDs 1210, 1206, and 6102 to verify that the domain
controller is running and ready for service. If you moved SYSVOL to a new location or
relocated the staging areas folder, look for Event IDs 4604 and 6018, which indicate
success. Event ID 7036 in the System event log reports that the Netlogon service is
running. This event reports on all services that are stopped or started.
Also verify that the Netlogon service is sharing the sysvol (SYSVOL share) and scripts
(NETLOGON share) folders. At a command prompt, type net share, and then press
ENTER.
See Also
Synchronize Replication with All Partners
staging areas folder, you update path values in Active Directory Domain Services (AD DS). You
also update the registry to change the path to the %systemroot%\SYSVOL\sysvol shared folder
that is used by the Netlogon service. In addition, you must update the junction point that
references the %systemroot%\SYSVOL\domain folder in the SYSVOL tree. The junction point
that references the domain folder in the staging areas subdirectory
(%systemroot%\SYSVOL\staging areas\DomainName) is updated automatically when you restart
DFS Replication and Netlogon.
After you update the path information, when you restart DFS Replication and Netlogon, the new
path values are initialized. To be sure that SYSVOL is not advertised on the network before the
new paths are initialized, you must also modify the SysvolReady Netlogon parameter while the
services are stopped. You can make this change at the same time you update the SysVol
Netlogon path in the registry.
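The following PowerShell script is an added example and is not part of the Microsoft guide. It performs the update just described in one guarded step: it refuses to run unless DFS Replication and Netlogon are stopped, checks that the new folders exist, writes msDFSR-RootPath and msDFSR-StagingPath on the same SYSVOL Subscription object that the ADSI Edit procedure opens, sets the SysVol Netlogon path, and sets SysvolReady to 0 so that the shares are not published before DFS Replication has initialized the new location. The paths in the usage line are assumptions; the function names are the example's own.

```powershell
# Added example, not from the Microsoft guide. Run in an elevated PowerShell prompt on the DC.

function Assert-ServiceStopped([string[]]$Names) {
    foreach ($n in $Names) {
        if ((Get-Service -Name $n).Status -ne 'Stopped') { throw "$n must be stopped first (net stop $n)" }
    }
}

function Set-SysvolPathReferences([string]$NewRootPath, [string]$NewStagingPath, [string]$NewSysvolShare) {
    Assert-ServiceStopped 'dfsr', 'netlogon'
    foreach ($p in $NewRootPath, $NewStagingPath, $NewSysvolShare) {
        if (-not (Test-Path -LiteralPath $p -PathType Container)) { throw "folder does not exist: $p" }
    }
    # Rows 1 and 2 of the path table: the SYSVOL Subscription object under this DC's computer account
    $searcher = New-Object DirectoryServices.DirectorySearcher("(sAMAccountName=$env:COMPUTERNAME`$)")
    $dcDn = $searcher.FindOne().Properties['distinguishedname'][0]
    $sub = [ADSI]"LDAP://CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$dcDn"
    $sub.Put('msDFSR-RootPath', $NewRootPath)
    $sub.Put('msDFSR-StagingPath', $NewStagingPath)
    $sub.SetInfo()
    # Row 3: the folder Netlogon shares as SYSVOL, and SysvolReady=0 while the services are stopped
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    Set-ItemProperty -Path $key -Name SysVol -Value $NewSysvolShare
    Set-ItemProperty -Path $key -Name SysvolReady -Value 0 -Type DWord
    # Read back the stored values so that they can be recorded in the 'New value' column
    $nl = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        'msDFSR-RootPath'    = [string]$sub.'msDFSR-RootPath'
        'msDFSR-StagingPath' = [string]$sub.'msDFSR-StagingPath'
        SysVol               = $nl.SysVol
        SysvolReady          = $nl.SysvolReady
    }
}

# Usage (assumed paths):
# Set-SysvolPathReferences 'D:\ContosoRoot\SYSVOL\domain' 'D:\ContosoRoot\SYSVOL\staging\domain' 'D:\ContosoRoot\SYSVOL\sysvol'
```

After the function returns, re-create the sysvol junction, start DFS Replication and then Netlogon, look for the DFS Replication events that the Notes above list, confirm that SysvolReady has gone back to 1 (DFS Replication sets it once it has initialized the SYSVOL replicated folder), and run net share to confirm the SYSVOL and NETLOGON shares. Finally force replication of the changed attributes to a partner, for example with repadmin /syncall, as the Synchronize Replication with All Partners topic describes.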
Task requirements
The following tools are required to perform the procedures for this task:
Net.exe
ADSI Edit
Regedit.exe
Dir.exe
Mklink.exe
Note
The instructions in this procedure relate to domains in which Distributed File System
(DFS) Replication is used to replicate SYSVOL. For information about relocating
SYSVOL when you use File Replication Service (FRS), see Relocating SYSVOL
Manually (http://go.microsoft.com/fwlink/?LinkId=122590).
For more information about the folder structure and the relationships between the folders and the
path information that is stored in the registry, AD DS, and the SYSVOL directory itself, see
Introduction to Administering DFS-Replicated SYSVOL.
You can use these procedures to locate the SYSVOL path information and then record the values
in the following table. Use the rows and columns in the table according to the goals of your
procedure. Record the current values and also the new values if you are moving the SYSVOL
tree or the staging areas subtree or if you are rebuilding SYSVOL:
Relocating the entire SYSVOL tree: Record the current and new path values in rows 1
through 5.
Relocating the staging areas subtree only: Record the current and new path values in rows 2
and 5.
Record the current values from the domain controller that you are restoring in rows 1, 2,
and 3.
In the Current Value column in rows 4 and 5, record the values in the junction points that
are located on the domain controller from which you are copying the SYSVOL folder
structure.
In the New Value column in rows 4 and 5, record the values in the junction points that are
located on the domain controller whose SYSVOL you are rebuilding.
Row   Parameter                                     Current value        New value
1     msDFSR-RootPath in AD DS
2     msDFSR-StagingPath in AD DS
3     SysVol Netlogon parameter in the registry
4     Sysvol junction point
5     Staging areas junction point
4. Record the current value in row 4 in the previous table. If you are moving SYSVOL, also
record the new value for the new location.
To determine the value in the staging areas junction point
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, change the directory to %systemroot%\SYSVOL\staging areas
or to the current location if the staging areas subtree has been moved from the default
location.
3. To view the junction point for the staging areas folder, at the command prompt, type the
following command, and then press ENTER:
dir /a:L
4. The output identifies the <JUNCTION> folder type and the value that is stored in the
staging areas junction point in brackets. For example, the default value is [Drive:\
%systemroot%\SYSVOL\staging\domain] (or, if SYSVOL has been migrated from FRS to
DFS Replication, [Drive:\%systemroot%\SYSVOL_DFSR\staging\domain]). Record the
current value in row 5 of the previous table. If you are moving SYSVOL or the staging
areas subtree, also record the new value for the new location.
You can use the Windows graphical user interface (GUI) or the command line to stop the
DFS Replication service and the Netlogon service.
Note
The staging path junction point is updated automatically when DFS Replication is
restarted.
Membership in Domain Admins, or equivalent, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To stop the DFS Replication service or Netlogon service, or both, by using the Windows
GUI
1. On the Start menu, point to Administrative Tools, and then click Services.
2. In the Name column, right-click DFS Replication or Netlogon, and then click Stop.
To stop the DFS Replication service and the Netlogon service by using the command
line
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
net stop dfsr
3. At the command prompt, type the following command, and then press ENTER:
net stop netlogon
After you move or restore SYSVOL, when you update the SYSVOL Netlogon path in the registry,
you must also update the SysvolReady parameter in Netlogon parameters, as described in
Change the SYSVOL Netlogon Parameters.
appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, change the directory to the new sysvol root location, for
example, FolderName\SYSVOL\sysvol.
3. To create the junction point for the sysvol root, at the command prompt, type the following
command, and then press ENTER:
mklink /J <FQDN> <New sysvol root junction path>
Example: mklink /J contoso.com D:\ContosoRoot\SYSVOL\domain
Parameter                          Definition
mklink /J                          Creates a directory junction.
<FQDN>                             The fully qualified domain name of the domain, which is the name of the junction.
<New sysvol root junction path>    The path to the domain folder in the new SYSVOL location that the junction references.
4. To verify the creation of the junction point, at the command prompt, type the following
command, and then press ENTER:
dir /a:L
Verify the presence of the <JUNCTION> folder type and the value that you specified in
step 3.
3. To start the Netlogon service, at the command prompt, type the following command, and
then press ENTER:
net start netlogon
Notes
You can use Event Viewer to verify that DFS Replication restarted correctly. In the
DFS Replication log (in Applications and Services Logs), Event ID 1004 indicates that the
service restarted. Look for Event IDs 1210, 1206, and 6102 to verify that the domain
controller is running and ready for service. If you moved SYSVOL to a new location or
relocated the staging areas folder, look for Event IDs 4604 and 6018, which indicate
success. Event ID 7036 in the System event log reports that the Netlogon service is
running. This event reports on all services that are stopped or started.
Also verify that the Netlogon service is sharing the sysvol (SYSVOL share) and scripts
(NETLOGON share) folders. At a command prompt, type net share, and then press
ENTER.
Use the procedures in this section only on a domain controller that does not have a functioning
SYSVOL.
Task requirements
The following tools are required to perform the procedures for this task:
Event Viewer
Dcdiag.exe
ADSI Edit
Net.exe
Regedit.exe
Windows Explorer
Mklink.exe
Look for a message that states that <ComputerName> passed test NetLogons, where
<ComputerName> is the name of the domain controller. If you do not see the passed test
message, check the permissions that are set on the Scripts and Sysvol shared folders.
For information about default SYSVOL permissions, see Reapply Default SYSVOL
Security Settings.
Note
For more detailed replication information, use the /v option.
If this test fails, open Event Viewer and check for errors in the Directory Service log. Use
the information in the ActiveDirectory_DomainService replication events to troubleshoot
the problem.
Relocating the entire SYSVOL tree: Record the current and new path values in rows 1
through 5.
Relocating the staging areas subtree only: Record the current and new path values in rows 2
and 5.
Record the current values from the domain controller that you are restoring in rows 1, 2,
and 3.
In the Current Value column in rows 4 and 5, record the values in the junction points that
are located on the domain controller from which you are copying the SYSVOL folder
structure.
In the New Value column in rows 4 and 5, record the values in the junction points that are
located on the domain controller whose SYSVOL you are rebuilding.
Row   Parameter                                     Current value        New value
1     msDFSR-RootPath in AD DS
2     msDFSR-StagingPath in AD DS
3     SysVol Netlogon parameter in the registry
4     Sysvol junction point
5     Staging areas junction point
4. In the tree view, expand the domain component, and then expand OU=Domain
Controllers.
5. Double-click the container that represents a domain controller on which you can check
the path information, double-click CN=DFSR-LocalSettings, and then click CN=Domain
System Volume.
6. In the details pane, right-click CN=SYSVOL Subscription, and then click Properties.
7. Click Filter. Ensure that Show mandatory attributes is selected. Select this option if it is
not selected.
8. In Attributes, locate msDFSR-RootPath and msDFSR-StagingPath, and then record
the current values in rows 1 and 2, respectively, in the previous table. If you are moving
SYSVOL, also record the new values for the new location in both rows. If you are moving
the staging areas subtree, record the new path value in row 2.
9. Click Cancel to close the CN=SYSVOL Subscription Properties dialog box.
To determine the SysVol Netlogon parameter value in the registry
1. Click Start, click Run, type regedit, and then press ENTER.
2. In Registry Editor, navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. In the details pane, double-click SysVol. The current value is listed in Value data.
4. Record the current value in row 3 of the previous table, and then click Cancel to close
the Edit String dialog box. If you are moving SYSVOL, also record the new value for the
new location.
5. Close Registry Editor.
To determine the value in the sysvol junction point
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, change the directory to %systemroot%\SYSVOL\sysvol, or to
the current location if SYSVOL has been moved from the default location.
3. To view the junction point for the sysvol folder, at the command prompt, type the following
command, and then press ENTER:
dir /a:L
4. Record the current value in row 4 in the previous table. If you are moving SYSVOL, also
record the new value for the new location.
To determine the value in the staging areas junction point
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, change the directory to %systemroot%\SYSVOL\staging areas
or to the current location if the staging areas subtree has been moved from the default
location.
3. To view the junction point for the staging areas folder, at the command prompt, type the
following command, and then press ENTER:
dir /a:L
4. The output identifies the <JUNCTION> folder type and the value that is stored in the
staging areas junction point in brackets. For example, the default value is [Drive:\
%systemroot%\SYSVOL\staging\domain] (or, if SYSVOL has been migrated from FRS to
DFS Replication, [Drive:\%systemroot%\SYSVOL_DFSR\staging\domain]). Record the
current value in row 5 of the previous table. If you are moving SYSVOL or the staging
areas subtree, also record the new value for the new location.
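The four "To determine..." procedures above read the same five values by hand. As an added example (not from the guide), the following PowerShell script reads rows 1 to 5 on the local domain controller and checks them against each other; it assumes an elevated session on the DC itself, a DFS-Replicated SYSVOL with the default layout the text describes, and the function names are mine.

```powershell
# Added example, not part of the guide: reads the five SYSVOL path values that the table above
# asks you to record (rows 1 to 5) and checks them against each other. Assumptions: it runs
# elevated on the domain controller being examined, SYSVOL is replicated by DFS Replication,
# and the tree has the default layout the guide describes (the sysvol\<FQDN> junction points
# at the domain folder that msDFSR-RootPath names, and msDFSR-StagingPath is the path of the
# staging areas\<FQDN> junction). Function names are mine.

function Get-JunctionTargets {
    param([string]$ParentFolder)
    # Same probe as the procedure above: "dir /a:L" lists each junction with its target in brackets.
    $targets = @{}
    if (-not (Test-Path -LiteralPath $ParentFolder)) { return $targets }
    $lines = cmd /c "dir /a:L `"$ParentFolder`"" 2>$null
    foreach ($line in $lines) {
        if ($line -match '<JUNCTION>\s+(.+?)\s+\[(.+)\]\s*$') {
            $targets[$Matches[1]] = $Matches[2]
        }
    }
    return $targets
}

function Get-SysvolPathInfo {
    # Rows 1 and 2: the CN=SYSVOL Subscription object that the ADSI Edit steps above navigate to.
    $domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    $subscriptionDn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings," +
                      "CN=$env:COMPUTERNAME,OU=Domain Controllers,$domainDn"
    $subscription = [ADSI]"LDAP://$subscriptionDn"
    $rootPath    = [string]$subscription.'msDFSR-RootPath'
    $stagingPath = [string]$subscription.'msDFSR-StagingPath'

    # Row 3, plus SysvolReady, which the text says must be changed while the services are stopped.
    $netlogon = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $sysvolShareFolder = [string]$netlogon.SysVol

    # Rows 4 and 5: the junctions under the sysvol folder and under the staging areas folder.
    $stagingAreas     = Split-Path -Path $stagingPath -Parent
    $sysvolJunctions  = Get-JunctionTargets -ParentFolder $sysvolShareFolder
    $stagingJunctions = Get-JunctionTargets -ParentFolder $stagingAreas
    $fqdn = ($domainDn -replace 'DC=', '') -replace ',', '.'     # DC=contoso,DC=com -> contoso.com
    $row4 = $sysvolJunctions[$fqdn]
    $row5 = $stagingJunctions[$fqdn]

    $findings = @()
    if (-not $row4) { $findings += "No <JUNCTION> named $fqdn under $sysvolShareFolder (row 4)." }
    elseif ($row4 -ne $rootPath) { $findings += "Row 4 target '$row4' differs from msDFSR-RootPath '$rootPath'." }
    if (-not $row5) { $findings += "No <JUNCTION> named $fqdn under $stagingAreas (row 5)." }
    elseif (-not (Test-Path -LiteralPath $row5)) { $findings += "Row 5 target '$row5' does not exist." }
    if ($netlogon.SysvolReady -ne 1) { $findings += "SysvolReady is $($netlogon.SysvolReady); SYSVOL is not advertised." }
    # Netlogon should be sharing the sysvol folder; "net share" lists it as SYSVOL.
    $shares = net share 2>$null
    if (-not ($shares | Where-Object { $_ -match '^SYSVOL\s' })) { $findings += 'SYSVOL is not shared.' }

    New-Object PSObject -Property @{
        'Row1 msDFSR-RootPath'    = $rootPath
        'Row2 msDFSR-StagingPath' = $stagingPath
        'Row3 SysVol (registry)'  = $sysvolShareFolder
        'Row4 sysvol junction'    = $row4
        'Row5 staging junction'   = $row5
        'SysvolReady'             = $netlogon.SysvolReady
        'Findings'                = $(if ($findings) { $findings -join ' ' } else { 'none' })
    }
}

Get-SysvolPathInfo | Format-List
```

Run it before the move to fill the Current value column, and again after the services are restarted; a non-empty Findings field points at the row whose new value was not applied.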
On domain controllers that are running Windows Server 2008, tools are available that replace the
Boot.ini file that is used in earlier versions of Windows Server to modify the boot configuration
parameters and controls. You can use the Windows graphical user interface (GUI) or the
command line to restart the domain controller in DSRM:
Windows GUI: System Configuration (Msconfig.msc) is an administrative tool that you can
use to configure boot and startup options, including restarting in DSRM and normal mode.
Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot
configuration on a server that is running Windows Server 2008. You can use Bcdedit with
shutdown commands to instruct the domain controller to restart in DSRM and to restart
normally.
When you are finished managing a domain controller in DSRM, if you have used System
Configuration or Bcdedit.exe to restart the domain controller in DSRM, you must change the
configuration so that the domain controller restarts in normal mode.
Note
A benefit of using System Configuration or Bcdedit.exe to restart a domain controller in
DSRM is that the domain controller cannot be inadvertently restarted in normal mode. This
benefit is particularly useful when you are performing a nonauthoritative restore from backup
followed by an authoritative restore.
You can also use System Configuration or Bcdedit.exe to restart a domain controller in DSRM
remotely. To use System Configuration or Bcdedit.exe and Remote Desktop Connection to restart
a domain controller in DSRM remotely, see Restart the Domain Controller in Directory Services
Restore Mode Remotely.
Membership in the Domain Admins group is the minimum required to complete the System
Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account
and password for DSRM are required to log on to the domain controller in DSRM. Review details
about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not
use a domain administrative account. Use only the delegated RODC administrator
account. For more information about access to RODCs, see the Step-by-Step Guide for
Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
4. When you are still in DSRM and you are ready to restart in normal mode, open a
command prompt and type the following, and then press ENTER:
bcdedit /deletevalue safeboot
5. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
Value                    Description
shutdown -t 0 -r         Restarts the domain controller immediately (-r restarts, -t 0 sets a zero-second delay).
/deletevalue safeboot    Removes the safeboot option from the boot configuration so that the domain controller restarts in normal mode.
See Also
Restart the Domain Controller in Directory Services Restore Mode Remotely
Windows GUI: System Configuration (Msconfig.msc) is an administrative tool that you can
use to configure boot and startup options, including restarting in DSRM and normal mode.
Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot
configuration on a server that is running Windows Server 2008. You can use Bcdedit with
shutdown commands to instruct the domain controller to restart in DSRM and to restart
normally.
To restart the domain controller in DSRM remotely, you first use Remote Desktop Connection to
connect to the domain controller while it is in normal startup mode. Remote Desktop Connection
must be enabled on the target domain controller. After the domain controller has restarted, you
can use Remote Desktop Connection to reconnect to the domain controller and then log on as
the local Administrator, using the DSRM password.
You can use this procedure to connect to a domain controller remotely, restart it in DSRM, and
then reconnect to it as the DSRM administrator.
Membership in Domain Admins, or equivalent, is the minimum required to complete the System
Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account
and password for DSRM and the user right to log on locally to a domain controller are required to
log on to the domain controller in DSRM. Members of Account Operators, Administrators,
Enterprise Admins, Domain Admins, Backup Operators, Print Operators, and Server Operators
have the user right to log on locally to a domain controller by default. Review details about using
the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not
use a domain administrative account. Use only the delegated RODC administrator
account. Using a domain administrative account to log on to an RODC can compromise
the server. For more information about access to RODCs, see the Step-by-Step Guide for
Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).
To restart a domain controller in DSRM remotely by using the Windows GUI
1. Connect to the remote domain controller that is running in normal mode:
a. On the Start menu, click All Programs, click Accessories, and then click Remote
Desktop Connection.
b. In Computer, type the name of the domain controller that you want to restart, and
then click Connect.
c. In the Windows Security dialog box, provide credentials for a domain administrator,
and then click OK.
d. When you are connected, log on to the domain controller as a domain administrator.
2. On the Start menu, point to Administrative Tools, and then click System
Configuration.
3. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and
then click OK.
4. In the System Configuration dialog box, click Restart. The domain controller restarts in
DSRM. When the domain controller restarts, your Remote Desktop Connection is
dropped.
5. Wait for a period of time that is adequate for the remote domain controller to restart, and
then open Remote Desktop Connection.
6. The domain controller name should still be showing in Computer. If it is not, select it from
the list, and then click Connect.
7. In the Windows Security dialog box, click Use another account.
8. In User name, type the following:
MachineName\Administrator
Where MachineName is the name of the domain controller.
9. In Password, type the DSRM password, and then click OK.
10. At the logon screen of the remote domain controller, click Switch User, and then click
Other User.
11. Type MachineName\Administrator, and then press ENTER.
c. In the Windows Security dialog box, provide credentials for a domain administrator,
and then click OK.
d. When you are connected, log on to the domain controller as a domain administrator.
2. Open a command prompt. At the command prompt, type the following command, and
then press ENTER:
bcdedit /set safeboot dsrepair
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
The domain controller restarts in DSRM. When the domain controller restarts, your
Remote Desktop Connection is dropped.
4. Wait for a period of time that is adequate for the remote domain controller to restart, and
then open Remote Desktop Connection.
5. The domain controller name should still be showing in Computer. If it is not, select it in
the list, and then click Connect.
6. In the Windows Security dialog box, click Use another account.
7. In User name, type the following:
MachineName\Administrator
Where MachineName is the name of the domain controller.
8. In Password, type the DSRM password, and then click OK.
9. At the logon screen of the remote domain controller, click Switch User, and then click
Other User.
10. Type MachineName\Administrator, and then press ENTER.
11. Perform procedures in DSRM.
12. When you have finished performing procedures in DSRM, restart the domain controller
normally:
a. In DSRM, open a command prompt, type the following command, and then press
ENTER:
bcdedit /deletevalue safeboot
b. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
The domain controller restarts normally. This procedure will disconnect your remote
session.
Value                    Description
shutdown -t 0 -r         Restarts the domain controller immediately (-r restarts, -t 0 sets a zero-second delay).
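The local and remote Bcdedit procedures above both depend on the safeboot setting actually being written before the restart, and on it being removed afterwards. As an added example (not from the guide), this PowerShell wrapper runs the same two bcdedit commands, reads the boot entry back, and issues the restart only when the read-back matches; the function names are mine.

```powershell
# Added example, not part of the guide: wraps the bcdedit commands from the two procedures above
# (local and over Remote Desktop) with a read-back of the boot entry, so that the restart is
# issued only after the safeboot setting has verifiably changed and a failed edit cannot leave
# the domain controller starting in the wrong mode. Function names are mine.

function Get-SafebootValue {
    # Returns the safeboot option of the current boot entry, or $null when it is not set (normal start).
    foreach ($line in (bcdedit /enum "{current}" 2>&1)) {
        if ($line -match '^safeboot\s+(\S+)') { return $Matches[1] }
    }
    return $null
}

function Set-DsrmBoot {
    param(
        [Parameter(Mandatory = $true)][ValidateSet('DSRM', 'Normal')][string]$Mode,
        [switch]$Restart   # when present, runs the guide's "shutdown -t 0 -r" after the edit is verified
    )
    $before = Get-SafebootValue
    $ran = $false
    if ($Mode -eq 'DSRM') {
        $expected = 'dsrepair'
        if ($before -ne $expected) { bcdedit /set safeboot dsrepair | Out-Null; $ran = $true }   # step 2 above
    } else {
        $expected = $null
        if ($before) { bcdedit /deletevalue safeboot | Out-Null; $ran = $true }                  # restart normally
    }
    if ($ran -and $LASTEXITCODE -ne 0) {
        throw "bcdedit failed with exit code $LASTEXITCODE; nothing restarted."
    }

    # Read the entry back: bcdedit reports "DsRepair" when the option is set, nothing when it is not.
    $after = Get-SafebootValue
    if ([string]$after -ne [string]$expected) {
        throw "Boot entry read-back mismatch: safeboot is '$after', expected '$expected'; nothing restarted."
    }
    $target = if ($expected) { 'Directory Services Restore Mode' } else { 'normal mode' }
    Write-Output "Next start of $env:COMPUTERNAME will be in $target."
    if ($Restart) { shutdown -t 0 -r }   # drops a Remote Desktop session, as the procedure notes
}

# Usage: Set-DsrmBoot -Mode DSRM -Restart     before the DSRM work
#        Set-DsrmBoot -Mode Normal -Restart   when the DSRM work is finished
```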
See Also
Enable Remote Desktop
Create a Remote Desktop Connection
Restart the Domain Controller in Directory Services Restore Mode Locally
3. At the command prompt, type the following command, and then press ENTER:
net stop netlogon
After you move or restore SYSVOL, when you update the SYSVOL Netlogon path in the registry,
you must also update the SysvolReady parameter in Netlogon parameters, as described in
Change the SYSVOL Netlogon Parameters.
You have identified a replication partner domain controller whose SYSVOL folder structure
you will copy.
You have restarted the domain controller to which you are importing SYSVOL in Directory
Services Restore Mode (DSRM).
You have stopped the Netlogon service on the target domain controller after restarting the
domain controller in DSRM. The Distributed File System (DFS) Replication service is stopped
automatically when you restart the domain controller in DSRM.
The default shared folder ADMIN$ must exist on the domain controller from which you plan to
copy the SYSVOL folder structure. Some organizations remove this shared folder or rename
it for security reasons. If this shared folder is not available, you must share the
%systemroot% folder and name the share ADMIN$.
Note
To view the shared folders to see whether ADMIN$ is shared, on the source domain
controller, open Server Manager. In the navigation pane for the domain controller,
view Roles and File Services, and then click Share and Storage Management. As
an alternative, you can open a command prompt and type net share at the command
prompt.
If the ADMIN$ share has been renamed, use the name that is assigned by your organization
instead of ADMIN$ as you complete this procedure.
You have determined the target domain controller values for rows 4 (Sysvol junction point)
and 5 (Staging areas junction point) in the table that you created in Gather the SYSVOL Path
Information.
If you share the %systemroot% folder on the source domain controller to complete this
procedure, be sure to remove the share after the procedure is complete to maintain any
security policies that are established on your network.
On the target domain controller, perform the verification tests in Check the Status of the
SYSVOL and Netlogon Shares.
6. Verify that the original SYSVOL folder and a new folder labeled SYSVOL - Copy both
appear. Right-click SYSVOL - Copy, and then click Rename. Type SYSVOL2, and then
press ENTER.
7. Open a Command Prompt. At the command prompt, change to the drive letter that
represents the connection to the remote domain controller where you created the
SYSVOL2 folder.
8. Change the directory to SYSVOL2\sysvol.
9. Type dir /a:L, and then press ENTER. Verify that <JUNCTION> appears in the command
output and that it is followed by the name of the domain.
10. You must update the path in this junction point so that it references the new location on
the target domain controller. At the command prompt, type the following command, and
then press ENTER:
mklink /J <FQDN> <newpath>
Where <FQDN> is the fully qualified domain name (FQDN) and <newpath> is the new value
that you recorded in row 4 of the table in Gather the SYSVOL Path Information.
11. If the staging areas subfolder has been relocated and it is no longer inside the SYSVOL
folder, skip steps 11 and 12, and proceed to step 13. If the staging areas subfolder has
not been relocated, at a command prompt, change the directory to \SYSVOL2\staging
areas under the copy of SYSVOL that you created. Type dir to list the contents, and
verify that <JUNCTION> appears in the output of the dir command.
12. Update the junction so that it points to the new location on the target domain controller. At
the command prompt, type the following command, and then press ENTER:
linkd <junctionname> <newpath>
Where <newpath> is the new value that you recorded in row 5 of the table in Gather the
SYSVOL Path Information.
13. At the command prompt, change back to the %systemroot% directory for the domain
controller that is receiving the imported SYSVOL.
14. At the command prompt, use the robocopy command-line tool to copy the contents of
the \SYSVOL2 folder that you created to a new SYSVOL folder on your local drive. At the
command prompt, type the following command, and then press ENTER:
robocopy <Source Folder> <Destination Folder> /copyall /mir /b /r:0 /xd "DfsrPrivate" /xf "DfsrPrivate"
Parameter               Description
<Source Folder>         The SYSVOL2 folder that you created on the remote (source) domain controller, reached through the drive letter that is mapped to it.
<Destination Folder>    The new SYSVOL folder on the local drive of the domain controller that is receiving the imported SYSVOL.
/copyall                Copies all file information (data, attributes, time stamps, security descriptors, owner, and auditing information).
/mir                    Mirrors the directory tree: copies all subdirectories, including empty ones, and removes destination files that no longer exist in the source.
/b                      Copies files in Backup mode, which bypasses file and folder permission checks.
/r:0                    Sets the number of retries on failed copies to zero.
/xd "DfsrPrivate"       Excludes directories named DfsrPrivate.
/xf "DfsrPrivate"       Excludes files named DfsrPrivate.
15. Verify that the folder structure copied correctly. Compare the new folder structure to the
SYSVOL (not SYSVOL2) folder structure on the remote (source) domain controller. Open
a command prompt, and type dir /s to list the contents of the folders and subfolders.
Ensure that all folders exist.
16. Delete the SYSVOL2 folder that you created on the remote domain controller.
17. If you shared the %systemroot% folder and created an ADMIN$ share on the remote
domain controller, remove the ADMIN$ share. Disconnect from the remote domain
controller.
18. Restart the domain controller in normal mode.
When you restart the domain controller, the Netlogon service and the DFS Replication
service start automatically.
See Also
Check the Status of the SYSVOL and Netlogon Shares
The speed and reliability of the WAN link or links to the site
For example, in a forest that has a large hub site, five domains, and thirty small branch sites
(some of which are connected by only dial-up connections), global catalog replication to the small
sites takes considerably longer than replication of one or two domains to a few well-connected
sites.
The global catalog receives replication of read-only replicas to the required occupancy level.
The Net Logon service on the domain controller has updated DNS with global catalog-specific service (SRV) resource records.
At this point, the global catalog server begins accepting queries on ports 3268 and 3269.
gradually removes the read-only replicas from the domain controller. On domain controllers
running Windows Server 2008 or Windows Server 2003, the global catalog, partial, read-only
directory partitions are removed in the background, and they receive a low priority so that high-priority services are not interrupted.
You might decide to remove the global catalog from a domain controller if universal group
membership caching is adequate to satisfy logon requirements in a particular site where WAN link
speeds are not adequate for the global catalog. For more information, see Enabling Universal
Group Membership Caching in a Site.
For more information about global catalog removal, see How the Global Catalog Works
(http://go.microsoft.com/fwlink/?LinkID=107063).
Repadmin.exe
Dcdiag.exe
Note
Some procedures are performed only when you are configuring the first global catalog
server in a site.
1. Determine Whether a Domain Controller Is a Global Catalog Server
2. Designate a Domain Controller to Be a Global Catalog Server
3. Monitor Global Catalog Replication Progress
4. Verify Successful Replication to a Domain Controller
Parameter          Description
/s:<servername>    The name of the domain controller on which the test is run (the new global catalog server).
/v | find "%"      Produces verbose output and passes it through find so that only the lines that contain a percent sign, that is, the replication progress lines, are displayed.
3. Repeat this command periodically to monitor progress. If the test shows no output,
replication has completed.
If @ [Never] appears in the output for a directory partition, replication of that directory partition has
never succeeded from the identified source replication partner over the listed connection.
Membership in Enterprise Admins, or equivalent, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To verify successful replication to a domain controller
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
repadmin /showrepl <servername> /u:<domainname>\<username> /pw:*
Note
The user credential parameters (/u:<domainname>\<username> /pw:*) are not
required for the domain of the user if the user has opened the Command Prompt
as an administrator with Domain Admins credentials or is logged on to the
Parameter             Description
repadmin /showrepl    Displays the replication status of the specified domain controller, listing its inbound replication partners for each directory partition.
<servername>          The name of the domain controller whose replication you are verifying.
/u:                   Specifies the account whose credentials are used, in the form <domainname>\<username>.
<domainname>          The domain of that user account.
<username>            The name of that user account.
/pw:*                 Prompts for the password of that account instead of placing it on the command line.
3. At the Password: prompt, type the password for the user account that you provided, and
then press ENTER.
You can also use repadmin to generate the details of replication to and from all replication
partners in a Microsoft Excel spreadsheet. The spreadsheet displays data in the following
columns:
Showrepl_COLUMNS
Destination DC Site
Destination DC
Naming Context
Source DC Site
Source DC
Transport Type
Number of Failures
Last Failure Time
Last Success Time
Last Failure Status
The following procedure creates this spreadsheet and sets column headings for improved
readability.
To generate a repadmin /showrepl spreadsheet for all replication partners
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
repadmin /showrepl * /csv >showrepl.csv
3. Open Excel.
4. Click the Office button, click Open, navigate to showrepl.csv, and then click Open.
5. Hide or delete column A as well as the Transport Type column, as follows:
6. Select a column that you want to hide or delete.
To hide the column, right-click the column, and then click Hide.
Or
To delete the column, right-click the selected column, and then click Delete.
7. Select row 1 beneath the column heading row. On the View tab, click Freeze Panes, and
then click Freeze Top Row.
8. Select the entire spreadsheet. On the Data tab, click Filter.
9. In the Last Success Time column, click the down arrow, and then click Sort Ascending.
10. In the Source DC column, click the filter down arrow, point to Text Filters, and then click
Custom Filter.
11. In the Custom AutoFilter dialog box, under Show rows where, click does not contain.
In the adjacent text box, type del to eliminate from view the results for deleted domain
controllers.
12. Repeat step 11 for the Last Failure Time column, but use the value does not equal, and
then type the value 0.
13. Resolve replication failures.
The last successful attempt should agree with the replication schedule for intersite replication, or
the attempt should be within the last hour for intrasite replication.
If Repadmin reports any of the following conditions, see Troubleshooting Active Directory
Replication Problems (http://go.microsoft.com/fwlink/?LinkID=93582):
The last successful intersite replication was before the last scheduled replication.
The last intrasite replication was longer than one hour ago.
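The Excel steps above (drop the showrepl_COLUMNS and Transport Type columns, exclude deleted domain controllers, keep rows whose Last Failure Time is not 0, sort by Last Success Time) and the one-hour intrasite rule can be applied directly to the CSV. The following PowerShell function is an added example, not from the guide; it assumes the column names the guide lists (repadmin itself writes "DSA" where the guide writes "DC", and both spellings are accepted), uses a constructed three-row sample in place of a real showrepl.csv, and applies only the intrasite rule because the intersite schedule is not known to the script.

```powershell
# Added example, not part of the guide: the review that the Excel steps above perform, applied in
# PowerShell to the output of "repadmin /showrepl * /csv", plus the one-hour intrasite rule from
# the text. Assumption: column headers are those the guide lists; repadmin writes "DSA" where the
# guide says "DC", so the patterns below accept either spelling. Function names are mine.

function Resolve-Column([string[]]$Names, [string]$Pattern) {
    $Names | Where-Object { $_ -match $Pattern } | Select-Object -First 1
}

function ConvertTo-RepadminTime([string]$Text) {
    # repadmin writes "0" (no failure yet) or "(never)" instead of a timestamp; return $null for those.
    $parsed = [datetime]::MinValue
    if ([datetime]::TryParse($Text, [ref]$parsed)) { return $parsed }
    return $null
}

function Get-ReplicationReview {
    param(
        [Parameter(Mandatory = $true)][object[]]$Rows,   # objects from Import-Csv showrepl.csv
        [datetime]$Now = (Get-Date),
        [int]$IntrasiteMaxAgeHours = 1                    # "within the last hour for intrasite replication"
    )
    $names    = @($Rows[0].PSObject.Properties | ForEach-Object { $_.Name })
    $dstSite  = Resolve-Column $names '^Destination D\w+ Site$'
    $srcSite  = Resolve-Column $names '^Source D\w+ Site$'
    $srcDc    = Resolve-Column $names '^Source D\w+$'
    $context  = Resolve-Column $names '^Naming Context$'
    $failures = Resolve-Column $names '^Number of Failures$'
    $lastFail = Resolve-Column $names '^Last Failure Time$'
    $lastOk   = Resolve-Column $names '^Last Success Time$'

    $Rows |
        Where-Object { $_.$srcDc -notmatch 'del' } |          # step 11: hide deleted domain controllers
        ForEach-Object {
            $okTime    = ConvertTo-RepadminTime $_.$lastOk
            $intrasite = ($_.$srcSite -eq $_.$dstSite)
            $status    = 'OK'
            if ($_.$lastFail -ne '0' -or [int]$_.$failures -gt 0) {
                $status = 'Failing'                             # step 12: Last Failure Time does not equal 0
            } elseif ($null -eq $okTime) {
                $status = 'Never succeeded'
            } elseif ($intrasite -and ($Now - $okTime).TotalHours -gt $IntrasiteMaxAgeHours) {
                $status = 'Stale'                               # intrasite, but no success within the last hour
            }
            # Intersite rows with no failures are left at OK here; compare them with the site link schedule.
            New-Object PSObject -Property @{
                SourceDC = $_.$srcDc; NamingContext = $_.$context
                Scope = $(if ($intrasite) { 'intrasite' } else { 'intersite' })
                LastSuccess = $okTime; Failures = [int]$_.$failures; Status = $status
            }
        } |
        Sort-Object LastSuccess                                 # step 9: Sort Ascending on Last Success Time
}

# Constructed sample standing in for a real showrepl.csv: one healthy intrasite row, one failing
# intersite row, and one row from a deleted domain controller (its name carries a DEL: tag).
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HubSite,DC01,"DC=contoso,DC=com",HubSite,DC02,RPC,0,0,2008-09-10 09:15:00,0
showrepl_INFO,HubSite,DC01,"DC=contoso,DC=com",BranchSite,DC03,RPC,12,2008-09-09 22:00:00,2008-09-08 21:30:00,1722
showrepl_INFO,HubSite,DC01,"DC=contoso,DC=com",HubSite,DC04\0ADEL:constructed-guid,RPC,3,2008-09-01 12:00:00,2008-08-30 00:00:00,8524
'@

# For a real run, replace the next line with: $rows = Import-Csv .\showrepl.csv
$rows = $sampleCsv | ConvertFrom-Csv
Get-ReplicationReview -Rows $rows -Now ([datetime]'2008-09-10 09:30:00') |
    Format-Table Status, Scope, SourceDC, NamingContext, LastSuccess, Failures -AutoSize
```

With the sample, DC02 is reported OK, DC03 is reported Failing, and the deleted DC04 row is dropped, which is the view the filtered spreadsheet gives.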
Ldp.exe
Nltest.exe
DNS snap-in
Parameter       Description
<servername>    The name of the domain controller to query.
<domainname>    The name of the domain for which the domain controller is queried.
3. In the Flags: line of the output, if GC appears, the global catalog server has satisfied its
replication requirements.
The primary domain controller (PDC) emulator operations master. The PDC emulator
operations master processes all replication requests from Windows NT Server 4.0 backup
domain controllers (BDCs). It also processes all password updates for clients not running
Active Directory-enabled client software, plus any other directory write operations. The PDC
emulator receives preferential replication of password changes that are performed by other
domain controllers in the domain, and it is the source for the latest password information
whenever a logon attempt fails as a result of a bad password. For this reason, of all
operations master roles, the PDC emulator operations master role has the highest impact on
the performance of the domain controller that hosts that role. The PDC emulator in the forest
root domain is also the default Windows Time service (W32time) time source for the forest.
The relative ID (RID) operations master. The RID master allocates RID pools to all domain
controllers to ensure that new security principals can be created with a unique identifier.
The infrastructure operations master. The infrastructure master manages references from
objects in its domain to objects in other domains. It also updates group-to-user references
when the members of groups are renamed or changed.
In addition to the three domain-level operations master roles, two operations master roles exist in
each forest:
The schema operations master. The schema master governs all changes to the schema.
The domain naming operations master. The domain naming master adds and removes
domain directory partitions and application directory partitions to and from the forest.
To perform their respective operations, the domain controllers that host operations master roles
must be consistently available and they must be located in areas where network reliability is high.
Careful placement of your operations masters becomes more important as you add more
domains and sites as you build your forest.
Configure an additional domain controller as the standby operations master for the forest-level
roles.
Configure an additional domain controller as the standby operations master for the domain-level
roles.
Leave the two forest-level roles on a domain controller in the forest root domain.
In the forest root domain, transfer the three domain-level roles from the first domain controller
that you installed in the forest root domain to an additional domain controller that has a high
performance level.
In all other domains, leave the domain-level roles on the first domain controller.
has the most intensive daily interaction with other systems on the network. The PDC emulator
has the greatest potential to affect daily operations of the directory.
Note
If an RODC is installed in the domain, the PDC emulator role must be placed on a
domain controller that is running Windows Server 2008.
Domain controllers can become overloaded while attempting to service client requests on the
network, manage their own resources, and handle any specialized tasks, such as performing the
various operations master roles. This is especially true of the domain controller that holds the
PDC emulator role. Again, clients running operating systems earlier than Windows 2000 Server
and domain controllers running Windows NT Server 4.0 rely more heavily on the PDC emulator
than AD DS clients and domain controllers. If your networking environment has clients and
domain controllers running operating systems earlier than Windows 2000 Server, you might need
to reduce the workload of the PDC emulator.
If a domain controller begins to indicate that it is overloaded and its performance is affected, you
can reconfigure the environment so that some tasks are performed by other, less-used domain
controllers. By adjusting the domain controller's weight in the Domain Name System (DNS)
environment, you can configure the domain controller to receive fewer client requests than other
domain controllers on your network. As an option, you can adjust the domain controller's priority
in the DNS environment so that clients are referred to it only if all domain controllers with a lower
(more preferred) priority value are unavailable. With fewer client requests to process, the domain
controller can use more resources to perform operations master services for the domain.
Do not place domain-level roles on a global catalog server
The infrastructure master is incompatible with the global catalog, and it must not be placed on a
global catalog server. Because it is best to keep the three domain-level roles together for ease of
administration, avoid putting any of them on a global catalog server.
The infrastructure master updates objects for any attribute values with distinguished name (dn)
syntax that reference objects outside the current domain. These updates are particularly
important for security principal objects (users, computers, and groups). For example, suppose a
user from one domain is a member of a group in a second domain and the user's surname (the
sn attribute on the user object) is changed in the first domain. This change usually also changes
the dn attribute value of the user object, which is the value that is used in the member attribute of
group objects. Because domain controllers in one domain do not replicate security principals to
domain controllers in another domain, the second domain never receives the change. An out-of-date
value on the member attribute of a group in another domain could result in the user whose
name has changed being denied the access that the group membership grants. To ensure consistency between domains, the
infrastructure master constantly monitors group memberships, looking for member attribute
values that identify security principals from other domains. If it finds one, it compares its
distinguished name with the distinguished name in the domain of the security principal to
determine if the information has changed. If the information on the infrastructure master is out of
date, the infrastructure master performs an update and then replicates the change to the other
domain controllers in its domain.
Two exceptions apply to this rule:
1. If all the domain controllers are global catalog servers, the domain controller that hosts the
infrastructure master role is insignificant because global catalog servers replicate updated
security principal information to all other global catalog servers.
2. If the forest has only one domain, the infrastructure master role is not needed because
security principals from other domains do not exist.
Leave forest-level roles on the original domain controller in the forest root domain
The first domain controller that is installed in the forest automatically receives the schema master
and domain naming master roles. It also hosts the global catalog. To ease administration and
backup and restore procedures, leave these roles on the original forest root domain controller.
The roles are compatible with the global catalog, and moving the roles to other domain controllers
does not improve performance. Separating the roles creates additional administrative overhead
when you must identify the standby operations masters and when you implement a backup and
restore policy.
Unlike the PDC emulator role, forest-level roles rarely place a significant burden on the domain
controller. Keep these roles together to provide easy, predictable management.
In the forest root domain, transfer domain-level roles from the first domain controller
The three domain-level roles are assigned to the first domain controller that is created in a new
domain. In the case of the forest root domain, the first domain controller that is created in the
domain hosts both forest-level roles and all three domain-level roles, as well as the global
catalog. The infrastructure master role is incompatible with the global catalog. For this reason,
when you install the second domain controller in the forest root domain, the Active Directory
Domain Services Installation Wizard prompts you to allow the wizard to transfer the role during
installation of AD DS. Following installation of the second domain controller, consider transferring
the PDC emulator and RID master roles to the second domain controller, as well, to keep the
three roles together for easy administration.
In all other domains, leave domain-level roles on the first domain controller
Except for the forest root domain, leave the domain-level roles on the first domain controller that
you install in the domain and do not configure that domain controller as a global catalog server.
Keep the roles together unless the workload on your operations master justifies the additional
management burden of separating the roles.
Because all clients running non-Windows operating systems or Windows operating systems
earlier than Windows 2000 Server submit updates to the PDC emulator, the domain controller
holding that role uses a higher number of RIDs when the network hosts many of these clients.
Place the PDC emulator and RID master roles on the same domain controller so that these two
roles interact more efficiently.
If you must separate the roles, you can still use a single standby operations master for all three
roles. However, you must ensure that the standby is a replication partner of all three of the role
holders.
Backup and restore procedures also become more complex if you separate the roles. Special
care must be taken to restore a domain controller that hosted an operations master role. By
hosting the roles on a single computer, you minimize the steps that are required to restore a role
holder.
Adjust the workload of the PDC emulator operations master role holder
Depending on the size of the forest or domain, you might want to configure DNS so that client
requests favor domain controllers other than the PDC emulator. The PDC emulator role has the
highest load demands of all the operations master roles.
domain controller is eligible to host the domain-level roles if it is a member of the same domain. A
domain controller is eligible to host a forest-level role if it is a member of the same forest.
Configuration changes
Configuration changes to domain controllers or the network topology can result in the need to
transfer operations master roles. Except for the infrastructure master, you can assign operations
master roles to any domain controller regardless of any other tasks that the domain controller
performs. Do not host the infrastructure master role on a domain controller that is also acting as a
global catalog server unless all the domain controllers in the domain are global catalog servers or
unless the forest has only one domain. If the domain controller that hosts the infrastructure
master role is configured to be a global catalog server, you must transfer the infrastructure master
role to another domain controller. Changes to the network topology can result in the need to
transfer operations master roles to keep them in a particular site.
Note
Do not change the global catalog configuration on the domain controller that you intend to
assume an operations master role unless your information technology (IT) management
authorizes that change. Changing the global catalog configuration can cause changes
that can take days to complete, and the domain controller might not be available during
that period. Instead, transfer the operations master roles to a different domain controller
that is already configured properly.
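The placement rules in this section can be checked rather than remembered. The following script is an added example and is not part of the Microsoft guide; it assumes the ActiveDirectory PowerShell module (shipped with RSAT on Windows Server 2008 R2 and later, not on Windows Server 2008 RTM) and an account that can read every domain in the forest. It lists each role holder, records whether that domain controller is a global catalog server, and flags the two placements the guide warns against: an infrastructure master on a global catalog server (outside the two exception cases) and domain-level roles split across several domain controllers.

```powershell
# Added example, not from the Microsoft guide. Requires the ActiveDirectory module
# (RSAT on Windows Server 2008 R2 or later) and read access to every domain.
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    $forest = Get-ADForest
    $singleDomainForest = (@($forest.Domains).Count -eq 1)

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
        $gcs    = @($dcs | Where-Object { $_.IsGlobalCatalog } | ForEach-Object { [string]$_.HostName })
        $allDcsAreGc = ($dcs.Count -gt 0) -and ($gcs.Count -eq $dcs.Count)

        # Domain-level roles; the forest-level roles are reported with the root domain.
        $roles = @(
            @('PDCEmulator',          $domain.PDCEmulator),
            @('RIDMaster',            $domain.RIDMaster),
            @('InfrastructureMaster', $domain.InfrastructureMaster)
        )
        if ($domainName -eq $forest.RootDomain) {
            $roles += ,@('SchemaMaster',       $forest.SchemaMaster)
            $roles += ,@('DomainNamingMaster', $forest.DomainNamingMaster)
        }

        # The guide recommends keeping PDC emulator, RID master and infrastructure master together.
        $domainHolders = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster |
                           Sort-Object -Unique)

        foreach ($pair in $roles) {
            $role, $holder = $pair
            $isGc    = $gcs -contains $holder
            $warning = @()
            # Only the infrastructure master conflicts with the GC, and only when some DCs
            # are not GCs and the forest has more than one domain.
            if ($role -eq 'InfrastructureMaster' -and $isGc -and
                -not $allDcsAreGc -and -not $singleDomainForest) {
                $warning += 'infrastructure master on a GC: transfer it to a non-GC DC'
            }
            if ($role -ne 'SchemaMaster' -and $role -ne 'DomainNamingMaster' -and
                $domainHolders.Count -gt 1) {
                $warning += 'domain-level roles are split across DCs'
            }
            New-Object PSObject -Property @{
                Domain     = $domainName
                Role       = $role
                Holder     = $holder
                HolderIsGC = $isGc
                Warning    = ($warning -join '; ')
            }
        }
    }
}

Get-FsmoPlacementReport | Format-Table Domain, Role, Holder, HolderIsGC, Warning -AutoSize
```

Run it from any domain-joined machine with the module installed; an empty Warning column means the placement follows the guidance above, and a non-empty one names the role to transfer.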
You can reassign an operations master role by transfer or, as a last resort, by seizure.
Important
If you must seize an operations master role, never reattach the previous role holder to the
network without following the procedures in this guide. Reattaching the previous role
holder to the network incorrectly can result in invalid data and corruption of data in the
directory.
Replication requirements
Before you transfer a role from the current role holder to the standby operations master, ensure
that replication between the two computers is functioning properly. Because they are replication
partners, the new operations master is already consistent with the original operations master,
which reduces the time that is required for the transfer operation.
During role transfer, the two domain controllers exchange any unreplicated information to ensure
that no transactions are lost. If the two domain controllers are not direct replication partners, a
substantial amount of information might have to be replicated before the domain controllers
completely synchronize with each other. The role transfer requires extra time to replicate the
outstanding transactions. If the two domain controllers are direct replication partners, fewer
outstanding transactions exist and the role transfer operation completes sooner.
Task requirements
The following tools are required to perform the procedures for this task:
Repadmin.exe
A manual connection object that designates the standby server as the From Server on the
NTDS Settings object of the operations master
A manual connection object that designates the operations master server as the From Server
on the NTDS Settings object of the standby server
Administrative credentials
Membership in Domain Admins, or equivalent, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To create a connection object on the operations master and standby
1. Click Start, point to Administrative Tools, and then click Active Directory Sites and
Services.
2. Expand the site name in which the current operations master role holder is located to
display the Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. To create a connection object from the standby server on the current operations master,
expand the name of the operations master server on which you want to create the
connection object to display its NTDS Settings object.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Active Directory Domain Controllers dialog box, select the name of the
standby server from which you want to create the connection object, and then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the connection
object or accept the default name, and then click OK.
8. To create a connection object from the current operations master to the standby server,
repeat steps 4 through 7, but in step 4, expand the name of the standby server. In step 6,
select the name of the current operations master.
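The same two connection objects can be created from PowerShell instead of Active Directory Sites and Services. The following function is an added example, not code from the Microsoft guide; it assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later), and the domain controller names used in the calls are constructed placeholders. Each call creates one nTDSConnection object under the destination's NTDS Settings object, with fromServer pointing at the partner, which is exactly what the wizard does when you pick the From Server.

```powershell
# Added example, not from the Microsoft guide: create the manual connection objects
# (nTDSConnection) that make the standby and the operations master direct
# replication partners. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function New-ManualReplicationConnection {
    param(
        [Parameter(Mandatory = $true)][string]$DestinationDC,  # DC that will pull changes
        [Parameter(Mandatory = $true)][string]$SourceDC,       # "From Server" in the GUI
        [string]$Name = "Manual from $SourceDC"
    )
    # NTDS Settings DN of each DC, read from its domain controller object.
    $dest     = Get-ADDomainController -Identity $DestinationDC
    $src      = Get-ADDomainController -Identity $SourceDC
    $destNtds = $dest.NTDSSettingsObjectDN
    $srcNtds  = $src.NTDSSettingsObjectDN

    # Do nothing if a connection from this source already exists (KCC-generated or manual).
    $existing = Get-ADObject -Server $DestinationDC -SearchBase $destNtds -SearchScope OneLevel `
        -LDAPFilter '(objectClass=nTDSConnection)' -Properties fromServer |
        Where-Object { $_.fromServer -eq $srcNtds }
    if ($existing) { return $existing }

    # fromServer, enabledConnection and options are the mandatory attributes.
    # options 0 (IS_GENERATED bit clear) marks the object as manually created, so
    # the KCC does not remove it. Writing directly to the destination DC avoids
    # waiting for the new object to replicate to the DC that has to use it.
    New-ADObject -Server $DestinationDC -Name $Name -Type nTDSConnection -Path $destNtds `
        -OtherAttributes @{
            fromServer        = $srcNtds
            enabledConnection = $true
            options           = 0
        } -PassThru
}

# Both directions, as the task requires (constructed names):
New-ManualReplicationConnection -DestinationDC 'DC1.corp.contoso.com' -SourceDC 'DC2.corp.contoso.com'
New-ManualReplicationConnection -DestinationDC 'DC2.corp.contoso.com' -SourceDC 'DC1.corp.contoso.com'
```

After the objects exist, run repadmin /showrepl against each domain controller, as the next procedure describes, to confirm that the new connections replicate successfully before you rely on the standby.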
If @ [Never] appears in the output for a directory partition, replication of that directory partition has
never succeeded from the identified source replication partner over the listed connection.
Note
The user credential parameters (/u:<domainname>\<username> /pw:*) are not
required for the domain of the user if the user has opened the Command Prompt
as an administrator with Domain Admins credentials or is logged on to the
domain controller as a member of Domain Admins or equivalent. However, if you
run the command for a domain controller in a different domain in the same
Command Prompt session, you must provide credentials for an account in that
domain.
repadmin /showrepl <servername> /u:<domainname>\<username> /pw:*

Value                          Description
repadmin /showrepl             Reports the status of inbound replication to the specified domain controller.
<servername>                   The domain controller to query (the standby or the current operations master).
/u:<domainname>\<username>     The account to use for the query, if it differs from the logged-on account.
/pw:*                          Prompts for the password of that account.
3. At the Password: prompt, type the password for the user account that you provided, and
then press ENTER.
You can also use repadmin to generate the details of replication to and from all replication
partners in a Microsoft Excel spreadsheet. The spreadsheet displays data in the following
columns:
Showrepl_COLUMNS
Destination DC Site
Destination DC
Naming Context
Source DC Site
Source DC
Transport Type
Number of Failures
Last Failure Time
Last Success Time
Last Failure Status
The following procedure creates this spreadsheet and sets column headings for improved
readability.
To generate a repadmin /showrepl spreadsheet for all replication partners
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
repadmin /showrepl * /csv >showrepl.csv
3. Open Excel.
4. Click the Office button, click Open, navigate to showrepl.csv, and then click Open.
5. Hide or delete column A as well as the Transport Type column, as follows:
6. Select a column that you want to hide or delete.
To hide the column, right-click the column, and then click Hide.
Or
To delete the column, right-click the selected column, and then click Delete.
7. Select row 1 beneath the column heading row. On the View tab, click Freeze Panes, and
then click Freeze Top Row.
8. Select the entire spreadsheet. On the Data tab, click Filter.
9. In the Last Success Time column, click the down arrow, and then click Sort Ascending.
10. In the Source DC column, click the filter down arrow, point to Text Filters, and then click
Custom Filter.
11. In the Custom AutoFilter dialog box, under Show rows where, click does not contain.
In the adjacent text box, type del to eliminate from view the results for deleted domain
controllers.
12. Repeat step 11 for the Last Failure Time column, but use the value does not equal, and
then type the value 0.
13. Resolve replication failures.
The last successful attempt should agree with the replication schedule for intersite replication, or
the attempt should be within the last hour for intrasite replication.
If Repadmin reports any of the following conditions, see Troubleshooting Active Directory
Replication Problems (http://go.microsoft.com/fwlink/?LinkID=93582):
The last successful intersite replication was before the last scheduled replication.
The last intrasite replication was longer than one hour ago.
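The Excel steps above can be reduced to a script that applies the same checks to the CSV output of repadmin /showrepl * /csv. The following is an added example, not part of the Microsoft guide. The sample rows are constructed for illustration; the real Windows Server 2008 output uses "DSA" rather than "DC" in the site and server column headers, and the function accepts either spelling. The intrasite limit of 60 minutes comes from the text above; the intersite limit of 180 minutes is an assumed placeholder that you should replace with your site link schedule.

```powershell
# Added example, not from the Microsoft guide: check `repadmin /showrepl * /csv`
# output for the conditions described above. Sample rows below are constructed.
$SampleShowRepl = @'
showrepl_COLUMNS,Destination DSA site,Destination DSA,Naming Context,Source DSA site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Site1,DC1,"DC=corp,DC=contoso,DC=com",Site1,DC2,RPC,0,0,2008-09-01 09:58:12,0
showrepl_INFO,Site1,DC1,"DC=corp,DC=contoso,DC=com",Site2,DC3,RPC,3,2008-09-01 08:15:00,2008-08-31 22:00:05,1722
showrepl_INFO,Site1,DC1,"CN=Configuration,DC=corp,DC=contoso,DC=com",Site1,DC4\0ADEL:1a2b3c4d,RPC,5,2008-09-01 07:00:00,(never),8524
showrepl_INFO,Site1,DC1,"CN=Schema,CN=Configuration,DC=corp,DC=contoso,DC=com",Site1,DC2,RPC,0,0,2008-09-01 06:00:00,0
'@

function Get-ReplColumn($Row, [string[]]$Names) {
    # Return the first column that exists; tolerates "DSA" and "DC" header spellings.
    foreach ($n in $Names) {
        $p = $Row.PSObject.Properties[$n]
        if ($p) { return $p.Value }
    }
}

function Test-ShowReplCsv {
    param(
        [string]$CsvText,                   # raw CSV text, e.g. the sample above
        [string]$Path,                      # or a file written by repadmin /showrepl * /csv
        [int]$IntrasiteMaxMinutes = 60,     # guide: intrasite success within the last hour
        [int]$IntersiteMaxMinutes = 180,    # assumption: replace with your site link schedule
        [datetime]$Now = (Get-Date)
    )
    $rows = if ($Path) { Import-Csv -Path $Path } else { $CsvText | ConvertFrom-Csv }
    foreach ($r in $rows) {
        $srcDc = Get-ReplColumn $r @('Source DSA', 'Source DC')
        if ($srcDc -match 'DEL:') { continue }        # step 11: ignore deleted DCs
        $srcSite  = Get-ReplColumn $r @('Source DSA site', 'Source DC Site')
        $dstSite  = Get-ReplColumn $r @('Destination DSA site', 'Destination DC Site')
        $failures = [int](Get-ReplColumn $r @('Number of Failures'))
        $lastOk   = Get-ReplColumn $r @('Last Success Time')

        # Anything that is not a date ("(never)", "@ [Never]", 0) means replication never succeeded.
        $okTime = [datetime]::MinValue
        $never  = -not [datetime]::TryParse($lastOk, [ref]$okTime)
        $limit  = if ($srcSite -eq $dstSite) { $IntrasiteMaxMinutes } else { $IntersiteMaxMinutes }
        $ageMin = if ($never) { $null } else { [int]($Now - $okTime).TotalMinutes }

        # Later assignments take precedence: NEVER over FAILING over STALE.
        $status = 'OK'
        if ($ageMin -gt $limit) { $status = 'STALE' }
        if ($failures -gt 0)    { $status = 'FAILING' }
        if ($never)             { $status = 'NEVER' }

        New-Object PSObject -Property @{
            Status         = $status
            SourceDC       = $srcDc
            NamingContext  = (Get-ReplColumn $r @('Naming Context'))
            Intrasite      = ($srcSite -eq $dstSite)
            Failures       = $failures
            LastFailure    = (Get-ReplColumn $r @('Last Failure Status'))
            MinutesSinceOk = $ageMin
        }
    }
}

# Offline run against the constructed sample; for a live check use -Path .\showrepl.csv
Test-ShowReplCsv -CsvText $SampleShowRepl -Now '2008-09-01 10:30:00' |
    Sort-Object Status | Format-Table Status, SourceDC, NamingContext, Intrasite, Failures, LastFailure, MinutesSinceOk -AutoSize
```

Rows marked NEVER correspond to the @ [Never] condition described earlier, and FAILING rows carry the Win32 error code from the Last Failure Status column, which is the value to look up in Troubleshooting Active Directory Replication Problems.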
infrastructure master role, make sure that the target domain controller is not a global catalog
server. Preparing the future operations master role holder is the same process as preparing a
standby operations master. You must manually create a connection object to ensure that the
standby operations master is a replication partner with the current role holder and that replication
between the two domain controllers is updated.
Task requirements
The following are required to perform the procedures for this task:
Repadmin.exe
Ntdsutil.exe
3. Click Start, click Run, type mmc, and then click OK.
To place the snap-in in the Administrative Tools folder, in File name, type a name
for the snap-in, and then click Save.
To save the snap-in in a location other than the Administrative Tools folder, in Save
in, navigate to a location for the snap-in. In File name, type a name for the snap-in,
and then click Save.
Caution
Modifying the schema is an advanced operation that is best performed by experienced
programmers and system administrators. For detailed information about modifying the
schema, see Active Directory Schema (http://go.microsoft.com/fwlink/?LinkId=80809).
Additional considerations
To perform the Schmmgmt.dll registration portion of this procedure, you must be a member of
the Domain Admins group in the domain or the Enterprise Admins group in the forest, or you
must have been delegated the appropriate authority. Adding the Active Directory Schema
snap-in to MMC requires only membership in the Domain Users group. However, making
changes to the schema requires membership in the Schema Admins group.
The Windows Server 2008 Administration Tools Pack cannot be installed on computers
running Windows XP Professional or Windows Server 2003.
You might want to transfer a domain-level operations master role if the domain controller that
currently hosts the role is inadequate, has failed, or is being decommissioned. You can transfer all
domain roles by using the Active Directory Users and Computers snap-in.
Note
You perform these procedures by using a Microsoft Management Console (MMC) snap-in, although
you can also transfer these roles by using Ntdsutil.exe. For information about
using Ntdsutil.exe to transfer the operations master roles, see Ntdsutil
(http://go.microsoft.com/fwlink/?LinkID=120970). For information about the ntdsutil
command, you can also type ? at the Ntdsutil.exe command prompt.
Before you perform this procedure, you must identify the domain controller to which you will
transfer the operations master role.
Membership in Domain Admins, or equivalent, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To transfer a domain-level operations master role
1. Open Active Directory Users and Computers: On the Start menu, point to
Administrative Tools, and then click Active Directory Users and Computers. If the
User Account Control dialog box appears, provide Domain Admins credentials, if
required, and then click Continue.
2. At the top of the console tree, right-click Active Directory Users and Computers, and
then click Change Active Directory Domain Controller.
3. Ensure that the correct domain name is entered in Look in this domain.
The available domain controllers from this domain are listed.
4. In the Name column, click the name of the domain controller to which you want to
transfer the role, and then click OK.
5. At the top of the console tree, right-click Active Directory Users and Computers, and
then click Operations Masters.
The name of the current operations master role holder appears in the Operations
master box. The name of the domain controller to which you want to transfer the role
appears in the lower box.
6. Click the tab for the operations master role that you want to transfer: RID, PDC, or
Infrastructure. Verify the computer names that appear, and then click Change. Click Yes
to transfer the role, and then click OK.
7. Repeat steps 5 and 6 for each role that you want to transfer.
After you connect to a domain controller at the server connections: prompt, type quit, and then
press ENTER to return to the fsmo maintenance: prompt. At the select operation target: prompt,
list the roles for the connected server.
The system responds with a list of the current roles and the Lightweight Directory Access
Protocol (LDAP) name of the domain controllers that are currently assigned to host each
role.
Type quit, and then press ENTER to exit each prompt in Ntdsutil.exe. At the ntdsutil:
prompt, type quit, and then press ENTER to close the window.
Data loss or directory inconsistency as a result of replication latency. The new role
holder starts performing its duties based on the data that is located in its current directory
partition. If replication did not complete before the time that the original role holder went
offline, the new role holder might not have received the latest changes.
To minimize the risk of losing data to incomplete replication, do not perform a role seizure
until enough time has passed to complete at least one end-to-end replication cycle across
your network. Allowing enough time for complete end-to-end replication ensures that the
domain controller that assumes the role is as up to date as possible.
Two domain controllers performing the same role. Because the original role holder is
offline when role seizure occurs, the original role holder is not informed that it is no longer the
operations master role holder, which is not a problem if the original role holder stays offline.
However, if the original role holder comes back online (for example, if the hardware is
repaired or the server is restored from a backup), it might try to perform the operations
master role that it previously owned. If two domain controllers perform the same
operations master role simultaneously, the severity of the effect varies with the role that
was seized, ranging from no visible effect to corruption of the Active Directory database.
Do not allow a former operations master role holder whose role has been seized to come
back online as a domain controller without first following the procedures in this guide.
Task requirements
The following is required to perform the procedures for this task:
Repadmin.exe
Ntdsutil.exe
At the server connections: prompt, type quit, and then press ENTER to return to the fsmo
maintenance: prompt. At the fsmo maintenance: prompt, type the seize command for the role that
you want to seize, and then press ENTER. The credentials that are required and the command for
each role are as follows:

Role                    Credentials          Command
Schema master           Enterprise Admins    seize schema master
Domain naming master    Enterprise Admins    seize naming master
Infrastructure master   Domain Admins        seize infrastructure master
PDC emulator            Domain Admins        seize pdc
RID master              Domain Admins        seize rid master
The system asks for confirmation. It then attempts to transfer the role. When the transfer
fails, some error information appears and the system proceeds with the seizure of the
role. After the seizure of the role is complete, a list of the roles and the Lightweight
Directory Access Protocol (LDAP) name of the server that currently holds each role
appears.
During seizure of the relative ID (RID) operations master role, the current role holder
attempts to synchronize with its replication partners. If it cannot establish a connection
with a replication partner during the seizure operation, it displays a warning and asks for
confirmation that you want the seizure of the role to proceed. Click Yes to proceed.
8. Type quit, and then press ENTER. Type quit again, and then press ENTER to exit
Ntdsutil.exe.
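The transfer and seizure steps above, together with the pre-checks this guide asks for, can be scripted. The following function is an added example, not code from the Microsoft guide. It uses Move-ADDirectoryServerOperationMasterRole from the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later), which is the PowerShell counterpart of the Ntdsutil.exe transfer and seize commands, and it calls repadmin.exe for the replication check. The domain controller names in the usage lines are constructed placeholders. For a transfer it refuses to proceed while the target has inbound replication failures; for a seizure it refuses to proceed while the current holder still answers LDAP, because a reachable holder should be transferred from, never seized.

```powershell
# Added example, not from the Microsoft guide: transfer, or as a last resort seize, an
# operations master role with the guide's pre-checks. Requires the ActiveDirectory
# module (RSAT on Windows Server 2008 R2 or later) and repadmin.exe.
Import-Module ActiveDirectory

function Move-FsmoRoleSafely {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$TargetDC,
        [Parameter(Mandatory = $true)]
        [ValidateSet('PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster')]
        [string]$Role,
        [switch]$Seize    # last resort: only when the current holder is permanently gone
    )
    $target = Get-ADDomainController -Identity $TargetDC

    # Current holder: forest roles from Get-ADForest, domain roles from Get-ADDomain.
    $holder = switch ($Role) {
        'SchemaMaster'       { (Get-ADForest).SchemaMaster }
        'DomainNamingMaster' { (Get-ADForest).DomainNamingMaster }
        default              { (Get-ADDomain -Identity $target.Domain).$Role }
    }
    if ($holder -eq [string]$target.HostName) { Write-Verbose "$TargetDC already holds $Role"; return }

    # Placement rule: no infrastructure master on a GC, except in the two exception cases.
    if ($Role -eq 'InfrastructureMaster' -and $target.IsGlobalCatalog) {
        $dcs       = @(Get-ADDomainController -Filter * -Server $target.Domain)
        $allGc     = (@($dcs | Where-Object { $_.IsGlobalCatalog }).Count -eq $dcs.Count)
        $oneDomain = (@((Get-ADForest).Domains).Count -eq 1)
        if (-not ($allGc -or $oneDomain)) {
            throw "$TargetDC is a global catalog server; choose a non-GC domain controller for the infrastructure master."
        }
    }

    if ($Seize) {
        # Refuse to seize while the current holder still answers LDAP: transfer instead.
        $alive = $true
        try {
            Get-ADDomainController -Identity $holder -Server $holder -ErrorAction Stop | Out-Null
        } catch {
            $alive = $false
        }
        if ($alive) { throw "$holder is still reachable; transfer $Role instead of seizing it." }
        Write-Warning "Seizing $Role from $holder. Never reconnect $holder as a domain controller without following the procedures in this guide."
        if ($PSCmdlet.ShouldProcess($TargetDC, "SEIZE $Role from offline holder $holder")) {
            Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $Role -Force -Confirm:$false
        }
        return
    }

    # Transfer: the target must have no inbound replication failures first.
    $failing = repadmin /showrepl $TargetDC /csv |
        Where-Object { $_ -match ',' } | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 }
    if ($failing) { throw "$TargetDC has inbound replication failures; fix replication before transferring $Role." }

    if ($PSCmdlet.ShouldProcess($TargetDC, "transfer $Role from $holder")) {
        Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $Role -Confirm:$false
    }
}

# Usage (constructed names): preview a transfer, then seize only when the holder is gone.
# Move-FsmoRoleSafely -TargetDC 'DC2.corp.contoso.com' -Role PDCEmulator -WhatIf
# Move-FsmoRoleSafely -TargetDC 'DC2.corp.contoso.com' -Role PDCEmulator
# Move-FsmoRoleSafely -TargetDC 'DC2.corp.contoso.com' -Role RIDMaster -Seize
```

Because the function is declared with ConfirmImpact High, every real transfer or seizure prompts for confirmation unless you pass -Confirm:$false, and -WhatIf shows what would be done without touching the directory. The LDAP liveness test is deliberately stricter than a ping: a host that answers ICMP but not LDAP is still treated as down, while one that answers LDAP is never seized.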
on other domain controllers. For example, to configure the system so that the domain controller
that hosts the PDC emulator role receives requests only half as many times as other domain
controllers, configure the weight of the domain controller that hosts the PDC emulator role to be
50. Assuming that other domain controllers use the default weight value of 100, DNS determines
the weight ratio for that domain controller to be 50/100 (50 for that domain controller and 100 for
each other domain controller). After you reduce this ratio to 1/2, DNS refers clients to each of the other
domain controllers twice as often as it refers them to the domain controller with the reduced weight
setting. By reducing client referrals, the domain controller receives fewer client requests and has
more resources for other tasks, such as performing the role of PDC emulator.
Regedit.exe
Caution
Registry Editor bypasses standard safeguards, which allows settings that can damage
your system or even require you to reinstall Windows. If you must edit the registry, back
up critical volumes first. For information about backing up critical volumes, see
Administering Active Directory Backup and Recovery.
Membership in Domain Admins, or equivalent, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To change the priority for DNS SRV records in the registry
1. Open Registry Editor as an administrator: Click Start and then, in Start Search, type
regedit. At the top of the Start menu, right-click regedit, and then click Run as
administrator. If the User Account Control dialog box appears, confirm that the action
it displays is what you want, and then click Continue.
2. In Registry Editor, navigate to
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. Click Edit, click New, and then click DWORD (32-BIT) Value.
4. For the new value name, type LdapSrvPriority, and then press ENTER.
5. Double-click the value name that you just typed to open the Edit DWORD (32-BIT) Value
dialog box.
6. Enter a value from 0 through 65535. The default value is 0.
7. Choose Decimal as the Base option, and then click OK.
8. Click File, and then click Exit to close Registry Editor.
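Both Netlogon registry values, the weight discussed earlier and the priority set in the procedure above, can be written from PowerShell with a preview of the resulting referral share. The following is an added example, not code from the Microsoft guide. LdapSrvWeight and LdapSrvPriority are the Netlogon parameters that control the SRV records the domain controller registers; the share calculation assumes that every other domain controller keeps the defaults (weight 100, priority 0), and the example weight of 50 is the one the text above uses.

```powershell
# Added example, not from the Microsoft guide: set the SRV weight and priority that
# Netlogon registers for this domain controller, and preview the referral share.
# Run it locally on the domain controller whose records you want to change.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-SrvReferralShare {
    # Share of client referrals this DC receives among DCs at the same (lowest) priority.
    # With the guide's example, weight 50 against one DC at weight 100 gives 50/150, so
    # the other DC is referred twice as often. Assumes other DCs keep weight 100.
    param(
        [ValidateRange(0, 65535)][int]$Weight,
        [ValidateRange(1, 1000)][int]$OtherDcCount = 1,
        [ValidateRange(0, 65535)][int]$OtherWeight = 100
    )
    $total = $Weight + $OtherDcCount * $OtherWeight
    if ($total -eq 0) { return [math]::Round(1 / ($OtherDcCount + 1), 4) }   # all weights 0: equal chance
    return [math]::Round($Weight / $total, 4)
}

function Set-DcSrvRecordWeighting {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateRange(0, 65535)][int]$Weight = 100,    # Netlogon default weight
        [ValidateRange(0, 65535)][int]$Priority = 0,    # lower value is preferred; default 0
        [switch]$RestartNetlogon                        # re-register the SRV records now
    )
    foreach ($pair in @(@('LdapSrvWeight', $Weight), @('LdapSrvPriority', $Priority))) {
        $name, $value = $pair
        if ($PSCmdlet.ShouldProcess("$NetlogonKey\$name", "set DWORD to $value")) {
            # -Force overwrites an existing value; DWord matches the procedure above.
            New-ItemProperty -Path $NetlogonKey -Name $name -Value $value -PropertyType DWord -Force | Out-Null
        }
    }
    # Netlogon re-registers its SRV records with the new values when it restarts.
    if ($RestartNetlogon -and $PSCmdlet.ShouldProcess('Netlogon', 'restart service')) {
        Restart-Service -Name Netlogon
    }
    Get-ItemProperty -Path $NetlogonKey -Name LdapSrvWeight, LdapSrvPriority -ErrorAction SilentlyContinue |
        Select-Object LdapSrvWeight, LdapSrvPriority
}

# Preview the effect of weight 50 against one other DC, then apply it on the PDC emulator.
Get-SrvReferralShare -Weight 50 -OtherDcCount 1
# Set-DcSrvRecordWeighting -Weight 50 -WhatIf
# Set-DcSrvRecordWeighting -Weight 50 -RestartNetlogon
```

Weight only redistributes referrals among domain controllers that share a priority value; a domain controller with a higher LdapSrvPriority is used only when every domain controller with a lower value is unavailable, which is the behaviour the registry procedure above configures.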
Backing up AD DS
Backup procedures have changed in Windows Server 2008, as compared to previous versions of
Windows Server. A new backup tool, Windows Server Backup, replaces NtBackup as the tool that
you use to back up AD DS. You cannot use Ntbackup to back up servers running Windows
Server 2008.
In Windows Server 2008, you can perform three types of backup:
System state backup, which includes all the files that are required to recover AD DS
Critical-volumes backup, which includes all the volumes that contain system state files
Full server backup, which includes all the volumes on the server
You can use the Windows Server Backup graphical user interface (GUI) to perform critical-volumes backups and full server backups. You can use the Windows Server Backup command-line tool, Wbadmin.exe, to perform all types of backup, including system state backup.
For more information about backing up domain controllers, see Backing Up Active Directory
Domain Services.
Recovering AD DS
You can recover from Active Directory corruption or inconsistency by performing a restore
operation to return AD DS to its state at the time of the latest backup. Restoring from backup as a
method of recovering AD DS should not be undertaken as the primary method of recovering from
an error or failure condition, but as a last resort. Assuming that a restore operation is appropriate
to recover the domain controller, requirements for recovering AD DS relate to the age of the
backup, as follows:
The primary requirement for recovering AD DS is that the backup you use must not be older
than a tombstone lifetime, which is the number of days that deletions are retained in the
directory. In forests that are created on servers running Windows Server 2003 with Service
Pack 1 (SP1), Windows Server 2003 with SP2, or Windows Server 2008, the default value of
the tombstone lifetime is 180 days. The default value is 60 days in forests that are created on
servers running Windows 2000 Server or Windows Server 2003. AD DS protects itself from
restoring data that is older than the tombstone lifetime by not allowing the restore.
Important
Always check the tombstone lifetime value before you use a backup to restore
AD DS. Even if you are sure of the default value for your environment, the tombstone
lifetime value might have been changed administratively in AD DS. Use ADSI Edit to
view the value in the tombstoneLifetime attribute on the object CN=Directory
Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ForestRootDomain.
Do not modify system clocks in an attempt to improperly extend the useful life of a system
state backup. Skewed time can cause serious problems in cases where directory data is time
sensitive.
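The tombstone lifetime check above can be automated so that the backup age is compared against the value actually set in the forest rather than against an assumed default. The following is an added example, not code from the Microsoft guide; it assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later). When the tombstoneLifetime attribute is absent, the function returns the 60-day default that applies to forests created on Windows 2000 Server or Windows Server 2003 before SP1, as the text above describes. The dates in the offline call are constructed.

```powershell
# Added example, not from the Microsoft guide: read the effective tombstone lifetime
# and check a backup's age against it before restoring. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-EffectiveTombstoneLifetime {
    param([string]$Server)     # optional: domain controller to query
    $dsArgs = @{}
    if ($Server) { $dsArgs['Server'] = $Server }
    $rootDse = Get-ADRootDSE @dsArgs
    $dn = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds = Get-ADObject -Identity $dn -Properties tombstoneLifetime @dsArgs
    if ($ds.tombstoneLifetime) { return [int]$ds.tombstoneLifetime }
    # Attribute not set: forest created on Windows 2000 Server or Windows Server 2003
    # before SP1, where the implicit default is 60 days. Newer forests store 180 explicitly.
    return 60
}

function Test-BackupAgeForRestore {
    param(
        [Parameter(Mandatory = $true)][datetime]$BackupTime,      # e.g. from wbadmin get versions
        [int]$TombstoneLifetimeDays = (Get-EffectiveTombstoneLifetime),
        [datetime]$Now = (Get-Date)                               # do not fake this; see the warning above
    )
    $ageDays = ($Now - $BackupTime).TotalDays
    New-Object PSObject -Property @{
        BackupTime    = $BackupTime
        AgeDays       = [math]::Round($ageDays, 1)
        TombstoneDays = $TombstoneLifetimeDays
        Restorable    = ($ageDays -lt $TombstoneLifetimeDays)
    }
}

# Offline check with explicit, constructed values:
Test-BackupAgeForRestore -BackupTime '2008-03-01' -TombstoneLifetimeDays 180 -Now '2008-09-01' |
    Format-List BackupTime, AgeDays, TombstoneDays, Restorable
# Live check, reading the lifetime from the forest:
# Test-BackupAgeForRestore -BackupTime '2008-08-15'
```

A result of Restorable = False means the backup is older than the lifetime and AD DS will reject the restore; obtain a newer backup or reinstall AD DS, as the next paragraphs describe, rather than adjusting the clock.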
Nonauthoritative restore: Use this process to restore AD DS to its state at the time of the
backup, and then allow Active Directory replication to update the restored domain controller
to the current state of AD DS.
Authoritative restore: Use this process to recover objects that have been deleted from
AD DS. Authoritative restore does not allow replication to overwrite the restored deletions.
Instead, the restored objects replicate authoritatively to the other domain controllers in the
domain.
Note
Be aware that additions of data that are made between the time of the backup and
the authoritative restore process are not removed during the restore process.
Authoritative restore focuses only on the deleted objects. Additional data is merged
during the restore process.
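The following Windows PowerShell script is an added example and is not code from the Microsoft guide. It reads the tombstoneLifetime attribute from the Directory Service object named in the Important note, falls back to the 60-day built-in default when the attribute is not set, and reports whether a backup taken at a given time is still younger than the tombstone lifetime. It assumes Windows PowerShell 2.0 or later on a domain-joined computer whose user can read the configuration partition; the function names are this example's own.

```powershell
# Added example, not code from the Microsoft guide.
# Reads the effective tombstone lifetime from the configuration partition and
# reports whether a backup taken at a given time can still be restored.
# Assumptions: Windows PowerShell 2.0 or later; runs on a domain-joined
# computer as a user who can read the configuration partition.

function Get-TombstoneLifetime {
    # RootDSE publishes the DN of the configuration partition for this forest.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value    = $dsObject.Properties['tombstoneLifetime'].Value
    if ($null -eq $value) {
        # Attribute absent: the directory uses its built-in default of 60 days
        # (forests created on Windows 2000 Server or Windows Server 2003 RTM).
        return 60
    }
    return [int]$value
}

function Test-BackupAge {
    param(
        [Parameter(Mandatory=$true)][datetime]$BackupTime,
        [int]$TombstoneLifetimeDays = (Get-TombstoneLifetime),
        [datetime]$Now = (Get-Date)
    )
    # AD DS refuses to restore a backup older than the tombstone lifetime, so
    # the backup must be strictly younger than that many days. The clock is
    # read once and passed in so the check itself never touches system time.
    $ageDays = ($Now - $BackupTime).TotalDays
    @{
        BackupTime            = $BackupTime
        AgeDays               = [math]::Round($ageDays, 1)
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        Restorable            = ($ageDays -lt $TombstoneLifetimeDays)
    }
}

# Usage: pass the timestamp that "wbadmin get versions" shows for the backup.
# Test-BackupAge -BackupTime '2008-07-01 02:00'
```

Run the check on every domain controller you intend to restore rather than relying on the forest-wide default, because the attribute can have been changed administratively after the forest was created.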
When recovering AD DS by restoring from backup is not possible, you must reinstall AD DS.
Sometimes restoring from backup is possible but not feasible. For example, if a domain controller
is needed quickly, it is sometimes faster to reinstall AD DS than to recover the domain controller.
In cases of hardware failure or file corruption, you might have to reinstall the operating system
and then either reinstall or restore AD DS.
For more information about rationales and methods for recovering domain controllers, see
Recovering Active Directory Domain Services.
Additional considerations
Windows Server Backup (Wbadmin.msc), a graphical user interface (GUI) snap-in that is
available on the Administrative Tools menu
You can use the Windows Server Backup GUI to perform critical-volumes backups and full
server backups.
Note
You can perform a system state backup only by using the Wbadmin.exe command-line tool.
Command-line Tools, which is required to install the Wbadmin.exe command-line tool for
Windows Server Backup. Command-line Tools refers to a set of Windows PowerShell tools.
When you select Command-line Tools, you are prompted to install the required Windows
PowerShell feature.
You can use the Windows Server Backup command-line tool, Wbadmin.exe, to perform all
types of backup, including system state backup.
You can use the Windows Server Backup snap-in to back up entire volumes only, as follows:
those volumes that contain system state files (critical-volumes backup) or all volumes (full server
backup). The Windows Server Backup snap-in has two wizard options: a Backup Schedule
Wizard and a Backup Once Wizard.
To use one of the wizards for backing up critical volumes, you must know which volumes to
select, or you can allow the wizard to select them when you specify that you want to enable
system recovery. When you use the command-line tool for backing up critical volumes, the tool
selects the correct volumes automatically.
To back up system state, you must use the Wbadmin.exe command-line tool.
System state, which includes all the files that are required to recover AD DS. System state
includes at least the following data, plus additional data, depending on the server roles that
are installed:
Registry
Boot files
SYSVOL directory
Critical volumes, which includes all volumes that contain system state files:
The volume that hosts the boot files, which consist of the Bootmgr file and the Boot
Configuration Data (BCD) store
The volume that hosts the Windows operating system and the registry
The volume that hosts the Active Directory database log files
Full server, which includes all volumes on the server, including Universal Serial Bus (USB)
drives. The backup does not include the volume where the backup is stored.
[Table: feature comparison of the backup types. The column layout did not survive extraction; the surviving column heading is "Critical-volumes backup" and the surviving row label is "Can be scheduled by using the Windows Server Backup snap-in". The footnotes marked *, ** and *** that follow belong to this table.]
* Each consecutive backup requires as much space as the first. To help manage the number of
versions of system state backups that you store, you can use the wbadmin delete
systemstatebackup command to remove old versions. For more information, see Wbadmin
delete systemstatebackup (http://go.microsoft.com/fwlink/?LinkId=111836).
** Must be stored on a different hard disk from the source volumes, including external disks or
DVDs. External storage devices must be connected to the backup computer.
*** No, by default, but you can override the default by making a change in the registry. To store
the system state backup on a volume that is included in the backup, you must add the
AllowSSBToAnyVolume registry entry to the server that you are backing up. However, there are
some known issues with storing system state backup on a volume that is included in the backup.
For more information, see Known Issues for Backing Up Active Directory Domain Services.
Backup guidelines
The following guidelines for backup include the performance of backups to ensure redundancy of
Active Directory data:
Create daily backups of all unique data, including all domain directory partitions on global
catalog servers.
Create daily backups of critical volumes on at least two unique domain controllers, if possible.
When you have environments with single-domain-controller forests, single-domain-controller
domains, or empty root domains, take special care to back up more often.
Ensure that backups are available in sites where they are needed. Do not rely on copying a
backup from a different site, which is very time consuming and can significantly delay
recovery.
Where domains exist in only one site, store additional backup files offsite in a secure location
so that no backup file of a unique domain exists in only one physical site at any point in time.
This precaution provides an extra level of redundancy in case of physical disaster or theft.
Make sure that your backups are stored in a secure location at all times.
Back up volumes that store Domain Name System (DNS) zones that are not
Active Directory-integrated. You must be aware of the location of DNS zones and back up
DNS servers accordingly. If you use Active Directory-integrated DNS, DNS zone data is
captured as part of system state and critical-volume backups on domain controllers that are
also DNS servers.
If you do not use Active Directory-integrated DNS, you must back up the zone volumes on a
representative set of DNS servers for each DNS zone to ensure fault tolerance for the zone.
Note
The DNS server stores settings in the registry. Therefore, system state or critical-volume
backup is required for DNS, regardless of whether the zone data is Active Directory
integrated or stored in the file system.
If you have application directory partitions in your forest, make sure that you make a backup
of the domain controllers that replicate those application directory partitions.
Critical populations of users exist, such as those who support company executives or
operate critical business units.
The elapsed time that it takes to perform either of the following tasks would be cost
prohibitive because of slow link speeds, the size of the directory database, or both:
To create a domain controller in its intended domain over the network.
Or
To copy or transport installation media from a site where a backup exists to a site that has
no backup for the purpose of performing an installation from media (IFM).
Note
You can use a system state or critical-volumes backup to restore only the domain
controller on which the backup was generated or to create a new additional domain
controller in the same domain by installing from restored backup media. You cannot use a
system state or critical-volumes backup to restore a different domain controller or to
restore a domain controller onto different hardware. You can only use a full server backup
to restore a domain controller onto different hardware.
Recover a domain controller that cannot start up or operate normally because of software
failure, hardware failure, or administrative error. For example, an administrator might have set
overly restrictive permissions, either explicitly or by using a security policy, that deny the
operating system access to the Ntds.dit file and log files.
Install AD DS from installation media that you create by using the ntdsutil ifm command. For
information about installing a domain controller from installation media, see Installing an
Additional Domain Controller by Using IFM.
For information about scheduling backups of AD DS in Windows Server 2008, see Scheduling
Regular Full Server Backups of a Domain Controller (http://go.microsoft.com/fwlink/?LinkId=118008).
You have moved the Active Directory database, log files, or both to a different location on a
disk.
A current backup is required for installing from backup media for a new domain controller.
Backup frequency
The frequency of your backups depends on criteria that vary for individual Active Directory
environments. In most Active Directory environments, users, computers, and administrators make
daily changes to directory objects, such as group membership or Group Policy. For example,
computer accounts, including domain controller accounts, change their passwords every 30 days
by default. Therefore, every day a percentage of computer passwords changes for domain
controllers and domain client computers. Rolling the computer password of a domain controller
back to a former state affects authentication and replication. A percentage of user passwords
might also expire on a daily basis, and if they are lost as a result of domain controller failure, they
must be reset manually. Generally, no external record of these changes exists except in AD DS.
Therefore, the more frequently you back up domain controllers, the fewer problems you will
encounter if you need to restore this type of information.
The more Active Directory objects and domain controllers you have, the more frequent your
backups should be. For example, in a large organization, to recover from the inadvertent deletion
of a large organizational unit (OU) by restoring the domain from a backup that is days or weeks
old, you might have to re-create hundreds of accounts that were created in that OU since the
backup was made. To avoid re-creating accounts and potentially performing large numbers of
manual password resets, ensure that recent system state backups are always available to
recover recent Create, Modify, and Delete operations.
Small environments with a single domain controller in the forest or domains that exist in a
single physical location (that is, domains that have a single point of failure): create backups at
least daily.
Medium (10 to 49 domain controllers) and large environments (50 to 1,000 or more domain
controllers): Create backups of each unique directory partition in the forest on two different
computers at least daily with an emphasis on backing up application directory partitions,
empty root domains, domains in a single geographic site, and sites that have large
populations of users or that host mission-critical work.
Make backups with increasing frequency until you are confident that if you lose the objects that
were created or modified since the last backup, the loss would not create a disruption of your
operations. Major changes to the environment should always be immediately followed by a new
system state backup.
Note
We always recommend that you have at least two domain controllers in each domain of
your Active Directory forest.
this setting to reflect that frequency, and monitoring Event ID 2089, you ensure the backup
frequency that is established in your organization.
To set a different Backup Latency Threshold (days) value, use Registry Editor (Regedit.exe) to
create the entry as a REG_DWORD and provide the appropriate number of days.
More information about the Windows Server Backup tools and backing up AD DS is available in
the Step-by-Step Guide for Windows Server 2008 AD DS Backup and Recovery
(http://go.microsoft.com/fwlink/?LinkId=93077), as follows:
Task requirements
Before you back up a domain controller, see Performing an Unscheduled Backup of a Domain
Controller (http://go.microsoft.com/fwlink/?LinkId=118015).
The following tools, media, and credentials are required to perform the procedures for this task:
Writable DVD
To complete this task, you can perform the procedures in the following topics, depending on your
backup needs:
Perform a Backup of Critical Volumes of a Domain Controller by Using the GUI (Windows
Server Backup)
Perform a System State Backup of a Domain Controller by Using the Command Line
(Wbadmin)
Perform a Full Server Backup of a Domain Controller by Using the GUI (Windows Server
Backup)
Perform a Full Server Backup of a Domain Controller by Using the Command Line
(Wbadmin)
Windows Server Backup tools are not installed automatically. You must use Server Manager
to install the Windows Server Backup Features, which include the Windows Server Backup
snap-in (Wbadmin.msc) and the Wbadmin.exe component of Windows PowerShell
command-line tools.
You cannot perform or schedule system state backups by using Windows Server Backup.
You must use the Wbadmin.exe command-line tool.
You cannot schedule weekly or monthly backups by using Windows Server Backup.
However, you can use Task Scheduler to schedule manual backups that are performed at
different times of the week.
A system state backup and recovery includes Active Directory-integrated Domain Name
System (DNS) zones but does not include file-based DNS zones. To back up and restore
file-based DNS zones, you have to back up and recover the entire volume that hosts the files.
The target volume for a system state backup cannot be a source volume by default. A source
volume is any volume that has a file that is included in the backup. Therefore, the target
volume cannot be any volume that hosts the operating system, Ntds.dit file, Ntds log files, or
SYSVOL directory. To change this restriction, you can add the AllowSSBToAnyVolume
registry entry to the server. However, there are known issues with storing a system state
backup on a source volume:
Backups can fail. The backup can be modified during the backup process, which might
cause the backup to fail.
Use of target space is inefficient. Twice the amount of space is necessary for a backup
than for the original data. The volume must allocate twice the amount of space for the
shadow copy process.
The path for adding the new registry entry is as follows:
HKLM\SYSTEM\CurrentControlSet\Services\wbengine\SystemStateBackup\AllowSSBToAnyVolume
Type: DWORD
A value of 0 prevents the storing of system state backup on a source volume. A value of 1
allows the storing of system state backup on a source volume.
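The following Windows PowerShell script is an added example, not code from the guide. Before a system state backup is started, it checks whether the chosen target drive is one of the source volumes described above (operating system, Ntds.dit, NTDS log files, SYSVOL), reads the AllowSSBToAnyVolume entry at the registry path given above, and returns the wbadmin command line only when the combination is permitted. It assumes the default locations %SystemRoot%\NTDS and %SystemRoot%\SYSVOL for the database, log files and SYSVOL; pass the real paths if they were moved. The function names are this example's own.

```powershell
# Added example, not code from the Microsoft guide.
# Validates the target volume for "wbadmin start systemstatebackup" against
# the source-volume rule and the AllowSSBToAnyVolume override.
# Assumptions: default paths %SystemRoot%\NTDS and %SystemRoot%\SYSVOL;
# override them with -SourcePaths if the database or logs were relocated.

$script:SsbKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\wbengine\SystemStateBackup'

function Get-AllowSSBToAnyVolume {
    # Returns the DWORD value, or 0 when the key or entry is absent (default behaviour).
    if (Test-Path $script:SsbKey) {
        $item = Get-ItemProperty -Path $script:SsbKey -ErrorAction SilentlyContinue
        if ($item -and ($null -ne $item.AllowSSBToAnyVolume)) {
            return [int]$item.AllowSSBToAnyVolume
        }
    }
    return 0
}

function Get-SourceVolumes {
    param([string[]]$Paths)
    # Reduce every source path to its drive qualifier so volumes can be compared.
    $Paths | ForEach-Object { (Split-Path -Qualifier $_).ToUpper() } | Sort-Object -Unique
}

function Test-SystemStateBackupTarget {
    param(
        [Parameter(Mandatory=$true)][string]$TargetDrive,   # e.g. 'E:'
        [string[]]$SourcePaths = @(
            $env:SystemRoot,                               # OS and registry
            (Join-Path $env:SystemRoot 'NTDS\ntds.dit'),   # assumed default
            (Join-Path $env:SystemRoot 'NTDS'),            # log files, assumed default
            (Join-Path $env:SystemRoot 'SYSVOL')           # assumed default
        )
    )
    $target   = (Split-Path -Qualifier $TargetDrive).ToUpper()
    $sources  = @(Get-SourceVolumes -Paths $SourcePaths)
    $isSource = $sources -contains $target
    $override = Get-AllowSSBToAnyVolume
    # A source volume is acceptable only when the registry override is 1, and
    # even then the known issues (backup failure, double space) still apply.
    $allowed  = (-not $isSource) -or ($override -eq 1)
    @{
        TargetVolume        = $target
        SourceVolumes       = $sources
        TargetIsSource      = $isSource
        AllowSSBToAnyVolume = $override
        Allowed             = $allowed
        Command             = "wbadmin start systemstatebackup -backupTarget:$target -quiet"
    }
}

# Usage: inspect the result, then run the command it returns.
# $check = Test-SystemStateBackupTarget -TargetDrive 'E:'
# if ($check.Allowed) { cmd.exe /c $check.Command }
# else { Write-Warning "Target $($check.TargetVolume) is a source volume." }
```

Keeping the decision and the command line in one returned object lets a scheduled wrapper log why a backup was refused instead of failing silently partway through the shadow-copy phase.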
8. On the Specify destination type page, click Local drives or Remote shared folder,
and then click Next.
9. Choose the backup location as follows:
If you are backing up to a local drive, on the Select backup location page, in
Backup destination, select a drive, and then click Next.
In the Provide user credentials for Backup dialog box, provide the user name and
password for a user who has write access to the shared folder, and then click OK.
10. On the Specify advanced option page, select VSS copy backup, and then click Next.
11. On the Summary page, review your selections, and then click Backup.
12. After the Backup Once Wizard begins the backup, click Close at any time. The backup
runs in the background and you can view backup progress at any time during the backup.
The wizard closes automatically when the backup is complete.
Additional considerations
The target volume for a critical-volume backup can be a local drive, but it cannot be any of the
volumes that are included in the backup.
Where <targetDrive> identifies the local volume or the letter of the physical disk drive to
receive the backup. You cannot store a system state backup on a network shared drive.
If you do not specify the -quiet parameter, you are prompted to press Y to proceed with
the backup operation.
Additional considerations
Be aware of the following issues when you perform a system state backup:
To use Wbadmin.exe, you must install Windows Server Backup. For more information about
installing Windows Server Backup, see Installing Windows Server Backup
(http://go.microsoft.com/fwlink/?LinkID=96495).
The target volume for a system state backup can be a local drive, but it cannot be any of the
volumes that are included in the backup by default. To store the system state backup on a
volume that is included in the backup, you must add the AllowSSBToAnyVolume registry
entry to the server that you are backing up. There are also some prerequisites for storing
system state backup on a volume that is included in the backup. For more information, see
Known Issues for AD DS Backup and Recovery (http://go.microsoft.com/fwlink/?LinkID=117940).
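Windows Server Backup cannot schedule a system state backup, and the snap-in cannot schedule weekly or monthly backups at all; the guide points to Task Scheduler for that, and to the wbadmin delete systemstatebackup command for pruning old versions because every system state backup consumes as much space as the first. The following Windows PowerShell script is an added example, not code from the guide, that wires those pieces together: it writes a small batch wrapper that runs the system state backup with -quiet and then keeps only a fixed number of versions, and registers it with schtasks.exe as a weekly task running as SYSTEM. It assumes that the target drive is not a source volume and that the task name, wrapper path and retention count are placeholders to adjust.

```powershell
# Added example, not code from the Microsoft guide.
# Registers a weekly system state backup with Task Scheduler and prunes old
# versions so the target does not fill up.
# Assumptions: target drive E: is not a source volume; Wbadmin.exe is installed;
# the task runs as SYSTEM so no administrator password is stored with it.

function New-SystemStateBackupScript {
    param(
        [string]$TargetDrive  = 'E:',
        [int]$KeepVersions    = 4,
        [string]$ScriptPath   = (Join-Path $env:ProgramData 'ssb-weekly.cmd')
    )
    # A batch wrapper keeps the backup and the retention step in one unit,
    # and the retention step runs only if the backup succeeded.
    $lines = @(
        '@echo off',
        "wbadmin start systemstatebackup -backupTarget:$TargetDrive -quiet",
        'if errorlevel 1 exit /b 1',
        "wbadmin delete systemstatebackup -keepVersions:$KeepVersions -quiet"
    )
    Set-Content -Path $ScriptPath -Value $lines -Encoding ASCII
    return $ScriptPath
}

function Register-WeeklySystemStateBackup {
    param(
        [Parameter(Mandatory=$true)][string]$ScriptPath,
        [string]$TaskName  = 'AD DS weekly system state backup',
        [string]$Day       = 'SUN',
        [string]$StartTime = '02:00'
    )
    # PowerShell quotes arguments that contain spaces when calling a native
    # executable, so the task name and path need no manual quoting here.
    $taskArgs = @('/create', '/tn', $TaskName, '/tr', $ScriptPath,
                  '/sc', 'weekly', '/d', $Day, '/st', $StartTime,
                  '/ru', 'SYSTEM', '/f')
    & schtasks.exe $taskArgs
    return $LASTEXITCODE
}

# Usage:
# $wrapper = New-SystemStateBackupScript -TargetDrive 'E:' -KeepVersions 4
# Register-WeeklySystemStateBackup -ScriptPath $wrapper
```

Pair a task like this with monitoring of Event ID 2089 so that a backup that silently stops running is noticed before the last good version ages past the tombstone lifetime.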
To perform an unscheduled full server backup of all volumes by using the graphical
user interface (GUI)
1. Click Start, point to Administrative Tools, and then click Windows Server Backup.
2. If you are prompted, in the User Account Control dialog box, provide Backup Operator
credentials, and then click OK.
3. On the Action menu, click Backup once.
4. In the Backup Once Wizard, on the Backup options page, click Different options, as
shown in the following figure, and then click Next.
5. If you are creating the first backup of the domain controller, click Next to select Different
options.
6. On the Select backup configuration page, click Full server, as shown in the following
figure, and then click Next.
7. On the Specify destination type page, click Local drives or Remote shared folder,
and then click Next.
8. Choose the backup location as follows:
If you are backing up to a local drive, on the Select backup location page, in
Backup destination, select a drive, and then click Next.
If you are backing up to a remote shared folder, on the Specify remote folder page,
provide shared folder information, as shown in the following figure:
In the Provide user credentials for Backup dialog box, provide the user name and
password for a user who has write access to the shared folder, and then click OK.
9. On the Specify advanced option page, select VSS copy backup (recommended) and
then click Next.
10. On the Confirmation page, review your selections, and then click Backup.
11. After the Backup Once Wizard begins the backup, click Close at any time. The backup
runs in the background and you can view backup progress at any time during the backup.
The wizard closes automatically when the backup is complete.
Additional considerations
The target volume for an unscheduled backup can be a local drive, but it cannot be any of the
volumes that are included in the backup.
Where:
<sourceDrive_x>
<targetDrive>
If you do not specify the -quiet parameter, you are prompted to press Y to proceed with
the restore process.
Additional considerations
Be aware of the following issues when you perform unscheduled backups:
To use Wbadmin.exe, you must install Windows Server Backup. For more information about
installing Windows Server Backup, see Installing Windows Server Backup
(http://go.microsoft.com/fwlink/?LinkID=96495).
The target volume for an unscheduled backup can be a local drive, but it cannot be any of the
volumes that are included in the backup.
Causes of disruptions
Disruptions to directory services can be caused by many conditions on a domain controller, in a
domain or forest, and with service clients and applications that use AD DS. The following are
some of the conditions that can disrupt directory services:
Reordering or changes to drive letters that cause the operating system, the directory service
file, and logs to be unavailable in their expected locations
Excessive permissions on objects in AD DS, the file system, or the registry, or explicitly
defined and assigned in Group Policy
Disk failure, which prevents access to or causes damage to the following sets of files:
operating system, directory service and log, SYSVOL, and registry or other critical system
files
Inability to restart AD DS in normal mode, for example, after an unscheduled power outage or
software update
Antivirus utilities and other utilities, such as disk optimization utilities, which prevent
unfettered access to the directory service file and logs
Inability to boot from AD DS, for example, after an unscheduled power outage or software
update
Physical site disaster, such as natural disasters or virus attacks or other security attacks
Back up the volumes that are required to recover AD DS and the entire domain controller.
Back up all critical domain controllers, as described in Backing Up Active Directory Domain
Services.
Back up on a daily schedule and when significant changes are made to the registry or the
directory.
Before you introduce configuration changes on domain controllers in production, test your
configuration changes in a lab or on a test computer that mirrors the production environment in
the same way that you test hardware configuration, service pack and software update revisions,
performance load, and so on. Some configuration changes have immediate implications; some
are apparent when a single event or operation occurs (such as a reboot or service startup); and
some have chained implications (for example, if X and Y both occur, then Z occurs). Other
changes have time-based or threshold-based implications. Be sure that you are aware of all the
effects of a configuration change before you implement it in production.
For more information about backup recommendations, see Backing Up Active Directory Domain
Services.
The most common causes of directory service disruption requiring recovery are administrative
error and hardware failure. The best defense against these problems is prevention. You can
prevent disruptions by taking steps to protect against easily avoidable problems:
Use the Protect object from accidental deletion option in Windows Server 2008 to prevent
inadvertent deletions of critical data. For more information, see Preventing unwanted
deletions in this topic.
When you consider recovery options, the objective is to use the fastest method that results in the
least intrusive and most complete recovery. Options for recovery can range from repair of
individual elements to restoration of a single domain controller. In the worst-case scenario, the
only option might be to recover all domain controllers in a domain or forest.
Windows Vista. When you enable Advanced Features on the View menu, the Protect object
from accidental deletion option is available on the Object tab. You can open the Properties
page for each container in the domain and enable this option.
Note
CN=Users,DC=DomainName and CN=Computers,DC=DomainName are protected from
deletion by system flags on the objects.
Use this option to protect all other containers up to the domain level. Good candidates for
protection are containers that store Group Policy objects (GPOs) and Active Directory-integrated
Domain Name System (DNS) zones. When you enable the Protect object from accidental
deletion option, neither the container nor any child object can be deleted by any administrator or
other user. An administrator with the right to log on locally to a domain controller and the right to
open Active Directory Users and Computers can enable or disable the setting.
Pay particular attention to protecting organizational units (OUs) that might have been created in
an earlier version of Windows. When you create an OU by using Active Directory Users and
Computers in Windows Server 2008, the Protect container from accidental deletion check box
is selected by default. On domain controllers that are running earlier versions of Windows, you
must apply the Deny access control entries (ACEs) permission on the Security tab of the
properties page of the containers to implement protection from accidental deletion. For
information about how to apply these access control entries (ACEs) manually, see Guarding
Against Accidental Bulk Deletions in Active Directory (http://go.microsoft.com/fwlink/?LinkId=116365).
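The following Windows PowerShell script is an added example, not code from the guide, for the case described above where OUs created on earlier versions of Windows lack protection. It uses System.DirectoryServices, which is available on Windows Server 2008 without the later Active Directory module, to audit which OUs have no Deny Delete and Delete Subtree entry for Everyone and to add that entry where it is missing. It implements the object-level ACE only; the function names are this example's own, and it assumes the caller can modify the security descriptor of the containers it touches.

```powershell
# Added example, not code from the Microsoft guide.
# Audits and applies the "protect from accidental deletion" ACE on OUs.
# Assumptions: Windows PowerShell 2.0 or later; the caller has permission to
# read and modify the security descriptor of the containers.

$script:Everyone      = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$script:ProtectRights = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree'

function Test-DeletionProtected {
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    # Explicit (non-inherited) rules only: protection is set per container.
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $false,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny -and
            $rule.IdentityReference -eq $script:Everyone -and
            (($rule.ActiveDirectoryRights -band $script:ProtectRights) -eq $script:ProtectRights)) {
            return $true
        }
    }
    return $false
}

function Protect-FromAccidentalDeletion {
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    if (Test-DeletionProtected -DistinguishedName $DistinguishedName) { return 'already protected' }
    $entry = [ADSI]"LDAP://$DistinguishedName"
    # Deny Delete + DeleteTree to Everyone: the same entry the snap-in's
    # check box writes on the object itself.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $script:Everyone, $script:ProtectRights,
        [System.Security.AccessControl.AccessControlType]::Deny)
    [void]$entry.ObjectSecurity.AddAccessRule($ace)
    $entry.CommitChanges()
    return 'protected'
}

function Get-UnprotectedOUs {
    param([string]$SearchBase = ([ADSI]"LDAP://RootDSE").Properties['defaultNamingContext'].Value)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$SearchBase")
    $searcher.Filter   = '(objectClass=organizationalUnit)'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($result in $searcher.FindAll()) {
        $dn = $result.Properties['distinguishedname'][0]
        if (-not (Test-DeletionProtected -DistinguishedName $dn)) { $dn }
    }
}

# Usage: list the gaps first, then protect them.
# Get-UnprotectedOUs | ForEach-Object { Protect-FromAccidentalDeletion -DistinguishedName $_ }
```

Because a Deny entry is all that stands between an administrator and a bulk deletion, run the audit after every migration from an earlier version of Windows and after any bulk OU creation by scripts, which do not set the check box.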
Recovery solutions
When you are faced with unacceptable directory service conditions that cannot be resolved
reliably by manual updates, your recovery solutions depend on data issues, hardware issues,
time constraints, and the backups that are available.
Note
Nonauthoritative restore from backup requires that the domain controller is running in
Directory Services Restore Mode (DSRM). You cannot perform this procedure by
stopping AD DS.
Depending on replication conditions in the domain of the deletions, you can use the following
methods to perform an authoritative restore:
Nonauthoritative restore from backup, followed by authoritative restore: Unless you can
isolate a domain controller that has not received the deletions, authoritative restore must be
preceded by a nonauthoritative restore from backup to restore the directory to a former state
that contained the deleted objects. With the deleted objects restored, you can mark them as
authoritative so that replication does not overwrite them with the delete condition that still
exists on the other domain controllers in the domain.
Authoritative restore only: If you identify the data loss quickly and you can isolate a global
catalog server in the domain where the deletion occurred that has not received replication of
the deletions, you can mark the objects as authoritative on the global catalog server and
avoid performing an initial restore from a backup (nonauthoritative restore). This option
depends on your ability to stop inbound replication on the global catalog server before
replication of the deletions is received. Global catalog servers often have longer replication
latency than other domain controllers. Global catalog servers are preferred as recovery
domain controllers because they store more group information. However, any latent domain
controller in the domain of the deletions that has not received replication of the deletions can
serve as the recovery domain controller if you want to avoid restoring from backup. For more
information about performing authoritative restore without restoring from backup, see
Performing Authoritative Restore of Active Directory Objects.
you have widespread corruption in the file system, your best solution is also full server recovery
or reinstallation. To decide whether or not to perform a full server recovery, consider the following
conditions:
A full server recovery reformats and repartitions all disks that are attached to the server.
A full server recovery might be more time consuming than reinstalling the operating system.
Reinstallation results in data loss. All servers have roles and features installed. Each role has
configuration state in AD DS, the file system, and the registry, and a role frequently has its
own data store. For example, the server might be configured for DNS, Dynamic Host
Configuration Protocol (DHCP), Windows Internet Name Service (WINS), administration
tools, and registry settings for maximum transmission unit (MTU), maxPacketSize, and
security. If you have to reinstall, you must either export and import all these settings or
recreate them. This method is certain to be time consuming and error prone.
You must have the domain controller back online as soon as possible and reinstallation is
faster than restoring.
You have exhausted all known avenues of troubleshooting a fault or error condition, and
continued troubleshooting is not likely to succeed or will result in diminishing returns with
more time spent.
Perform a full server restore of the domain controller under the following conditions:
The domain controller is running other server services, such as Exchange, or it contains
other data that you must restore from a backup.
Use Dcpromo to reinstall AD DS and allow replication from another, healthy domain controller
in the domain to update the domain controller.
Restore AD DS from backup (nonauthoritative restore). Then, allow replication from another,
healthy domain controller in the domain to update the domain controller. This method requires
less replication than reinstalling AD DS.
Install AD DS from installation media. This method, called install from media (IFM), requires
that you have created installation media that can be used to install AD DS. You use Ntdsutil to
create the media on a healthy domain controller in the domain. In this case, recovery is faster
because Active Directory replication is not required. For more information about installing
from media, see Installing an Additional Domain Controller by Using IFM.
Recovery tasks
This section includes the following tasks for recovering AD DS:
Performing Nonauthoritative Restore of Active Directory Domain Services
Performing Authoritative Restore of Active Directory Objects
Performing Authoritative Restore of an Application Directory Partition
Performing a Full Server Recovery of a Domain Controller
Restoring a Domain Controller Through Reinstallation and Subsequent Restore from Backup
Restoring a Domain Controller Through Reinstallation
database management tasks does not require restarting the domain controller in Directory
Services Restore Mode (DSRM). However, you cannot perform a nonauthoritative restore after
simply stopping the AD DS service in regular startup mode. You must be able to start the domain
controller in Directory Services Restore Mode (DSRM). If the domain controller cannot be started
in DSRM, you must first reinstall the operating system. If you need to reinstall the operating
system and then restore AD DS, see Restoring a Domain Controller Through Reinstallation and
Subsequent Restore from Backup or Restoring a Domain Controller Through Reinstallation.
To perform a nonauthoritative restore, you need one of the following types of backup for your
backup source:
System state backup: Use this type of backup to restore AD DS. If you have reinstalled the
operating system, you must use a critical-volumes or full server backup. If you are restoring a
system state backup, use the wbadmin start systemstaterecovery command.
Critical-volumes backup: A critical-volumes backup includes all data on all volumes that
contain operating system and registry files, boot files, SYSVOL files, or Active Directory files.
Use this type of backup if you want to restore more than the system state. To restore a
critical-volumes backup, use the wbadmin start recovery command.
Full server backup: Use this type of backup only if you cannot start the server or you do not
have a system state or critical-volumes backup. A full server backup is generally larger than a
critical-volumes backup. Restoring a full server backup not only rolls back data in AD DS to
the time of backup, but it also rolls back all data in all other volumes. Rolling back this
additional data is not necessary to achieve nonauthoritative restore of AD DS. For information
about performing a full server backup for disaster recovery, see Performing a Full Server
Recovery of a Domain Controller on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=116206).
SYSVOL restore
SYSVOL is always restored nonauthoritatively during a restore of AD DS. Restoring SYSVOL
requires no additional procedures. If you deleted file system policy and have a backup of policy
that you created by using Group Policy Management Console, you can recover the policy by
using that tool. For information about managing Group Policy, see Group Policy Management
Console (http://go.microsoft.com/fwlink/?LinkId=101634). If you deleted the Default Domain
Policy or Default Domain Controllers Policy, you can use Dcgpofix.exe to rebuild the policy. For
information about using Dcgpofix.exe, see Dcgpofix.exe on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=109291).
When you use System Recovery Options in Windows Server Backup to restore a Windows
Server 2008 domain controller in an environment that has Distributed File System (DFS)
Replication implemented, the SYSVOL restore is performed nonauthoritatively by default. To
perform an authoritative restore of SYSVOL, include the -authsysvol switch in your recovery
command, as shown in the following example:
wbadmin start systemstaterecovery <otheroptions> -authsysvol
If you use File Replication Service (FRS), the restore operation sets the BURFLAGS registry
entries for FRS, which affects all replica sets that are replicated by FRS.
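The following Windows PowerShell script is an added example, not code from the guide. It wraps the wbadmin start systemstaterecovery command from the SYSVOL restore discussion: it refuses to run unless the boot configuration shows the server was started in Directory Services Restore Mode, which the Note above states is required for a nonauthoritative restore, and appends -authsysvol only when an authoritative SYSVOL restore is requested. It assumes the version identifier is taken from wbadmin get versions and that the bcdedit /enum output lists the safeboot setting as "DsRepair" (matched case-insensitively); the function names are this example's own.

```powershell
# Added example, not code from the Microsoft guide.
# Guarded wrapper for the nonauthoritative restore command.
# Assumptions: run elevated in DSRM; the version identifier (for example
# 07/01/2008-02:00) comes from "wbadmin get versions".

function Test-DsrmBoot {
    # bcdedit /enum {current} lists the active boot entry; in DSRM it carries
    # a "safeboot DsRepair" line.
    $out = & bcdedit.exe /enum '{current}' 2>&1 | Out-String
    return ($out -match '(?im)^\s*safeboot\s+DsRepair\s*$')
}

function Start-NonauthoritativeRestore {
    param(
        [Parameter(Mandatory=$true)][string]$VersionId,
        [switch]$AuthoritativeSysvol,
        [switch]$WhatIf
    )
    if (-not (Test-DsrmBoot)) {
        throw 'Domain controller is not in Directory Services Restore Mode; restart in DSRM first.'
    }
    $cmd = "wbadmin start systemstaterecovery -version:$VersionId -quiet"
    # -authsysvol marks SYSVOL authoritative; leave it off for the usual
    # nonauthoritative SYSVOL restore.
    if ($AuthoritativeSysvol) { $cmd += ' -authsysvol' }
    if ($WhatIf) { return $cmd }
    & cmd.exe /c $cmd
    return $LASTEXITCODE
}

# Usage:
# wbadmin get versions
# Start-NonauthoritativeRestore -VersionId '07/01/2008-02:00' -WhatIf
# Start-NonauthoritativeRestore -VersionId '07/01/2008-02:00'
```

The -WhatIf switch returns the exact command line without running it, which is worth capturing in the change record before a restore is executed.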
Task requirements
The following tools are required to perform the procedures for this task:
Wbadmin.exe
Bcdedit.exe
Additional references
You can restart a domain controller in DSRM manually by pressing the F8 key during domain
controller startup, which requires watching the startup and waiting for the appropriate point in the
startup to press the key. This method is tedious and can waste time if you miss the brief window
of opportunity for selecting the restart mode.
On domain controllers that are running Windows Server 2008, tools are available that replace the
Boot.ini file that is used in earlier versions of Windows Server to modify the boot configuration
parameters and controls. You can use the Windows graphical user interface (GUI) or the
command line to restart the domain controller in DSRM:
Windows GUI: System Configuration (Msconfig.msc) is an administrative tool that you can
use to configure boot and startup options, including restarting in DSRM and normal mode.
Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot
configuration on a server that is running Windows Server 2008. You can use Bcdedit with
shutdown commands to instruct the domain controller to restart in DSRM and to restart
normally.
When you are finished managing a domain controller in DSRM, if you have used System
Configuration or Bcdedit.exe to restart the domain controller in DSRM, you must change the
configuration so that the domain controller restarts in normal mode.
Note
A benefit of using System Configuration or Bcdedit.exe for implementing restart of a
domain controller into DSRM is that normally the domain controller cannot be
inadvertently restarted. This benefit is particularly useful when you are performing a
nonauthoritative restore from backup followed by an authoritative restore.
You can also use System Configuration or Bcdedit.exe to restart a domain controller in DSRM
remotely. To use System Configuration or Bcdedit.exe and Remote Desktop Connection to restart
a domain controller in DSRM remotely, see Restart the Domain Controller in Directory Services
Restore Mode Remotely.
Membership in the Domain Admins group is the minimum required to complete the System
Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account
and password for DSRM are required to log on to the domain controller in DSRM. Review details
about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not
use a domain administrative account. Use only the delegated RODC administrator
account. For more information about access to RODCs, see the Step-by-Step Guide for
Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
4. When you are still in DSRM and you are ready to restart in normal mode, open a
command prompt and type the following, and then press ENTER:
bcdedit /deletevalue safeboot
5. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
Value
Description
shutdown -t 0 -r
/deletevalue safeboot
See Also
Restart the Domain Controller in Directory Services Restore Mode Remotely
Windows GUI: System Configuration (Msconfig.msc) is an administrative tool that you can
use to configure boot and startup options, including restarting in DSRM and normal mode.
Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot
configuration on a server that is running Windows Server 2008. You can use Bcdedit with
shutdown commands to instruct the domain controller to restart in DSRM and to restart
normally.
To restart the domain controller in DSRM remotely, you first use Remote Desktop Connection to
connect to the domain controller while it is in normal startup mode. Remote Desktop Connection
must be enabled on the target domain controller. After the domain controller has restarted, you
can use Remote Desktop Connection to reconnect to the domain controller and then log on as
the local Administrator, using the DSRM password.
You can use this procedure to connect to a domain controller remotely, restart it in DSRM, and
then reconnect to it as the DSRM administrator.
Membership in Domain Admins, or equivalent, is the minimum required to complete the System
Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account
and password for DSRM and the user right to log on locally to a domain controller are required to
log on to the domain controller in DSRM. Members of Account Operators, Administrators,
Enterprise Admins, Domain Admins, Backup Operators, Print Operators, and Server Operators
have the user right to log on locally to a domain controller by default. Review details about using
the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not
use a domain administrative account. Use only the delegated RODC administrator
account. Using a domain administrative account to log on to an RODC can compromise
the server. For more information about access to RODCs, see the Step-by-Step Guide for
Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).
To restart a domain controller in DSRM remotely by using the Windows GUI
1. Connect to the remote domain controller that is running in normal mode:
a. On the Start menu, click All Programs, click Accessories, and then click Remote
Desktop Connection.
b. In Computer, type the name of the domain controller that you want to restart, and
then click Connect.
c. In the Windows Security dialog box, provide credentials for a domain administrator,
and then click OK.
d. When you are connected, log on to the domain controller as a domain administrator.
2. On the Start menu, point to Administrative Tools, and then click System
Configuration.
3. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and
then click OK.
4. In the System Configuration dialog box, click Restart. The domain controller restarts in
DSRM. When the domain controller restarts, your Remote Desktop Connection is
dropped.
5. Wait for a period of time that is adequate for the remote domain controller to restart, and
then open Remote Desktop Connection.
6. The domain controller name should still be showing in Computer. If it is not, select it from
the list, and then click Connect.
7. In the Windows Security dialog box, click Use another account.
8. In User name, type the following:
MachineName\Administrator
Where MachineName is the name of the domain controller.
9. In Password, type the DSRM password, and then click OK.
10. At the logon screen of the remote domain controller, click Switch User, and then click
Other User.
11. Type MachineName\Administrator, and then press ENTER.
12. Perform procedures in DSRM.
13. When you have finished performing procedures in DSRM, restart the domain controller
normally:
a. On the Start menu, point to Administrative Tools, and then click System
Configuration.
b. On the General tab, in Startup selection, click Normal startup, and then click OK.
The domain controller restarts normally. This procedure will disconnect your remote
session.
To restart a domain controller in DSRM remotely by using the command line
1. Connect to the remote domain controller that is running in normal mode:
a. On the Start menu, click All Programs, click Accessories, and then click Remote
Desktop Connection.
b. In Computer, type the name of the domain controller that you want to restart, and
then click Connect.
c. In the Windows Security dialog box, provide credentials for a domain administrator,
and then click OK.
d. When you are connected, log on to the domain controller as a domain administrator.
2. Open a command prompt. At the command prompt, type the following command, and
then press ENTER:
bcdedit /set safeboot dsrepair
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
The domain controller restarts in DSRM. When the domain controller restarts, your
Remote Desktop Connection is dropped.
4. Wait for a period of time that is adequate for the remote domain controller to restart, and
then open Remote Desktop Connection.
5. The domain controller name should still be showing in Computer. If it is not, select it in
the list, and then click Connect.
6. In the Windows Security dialog box, click Use another account.
7. In User name, type the following:
MachineName\Administrator
Where MachineName is the name of the domain controller.
8. In Password, type the DSRM password, and then click OK.
9. At the logon screen of the remote domain controller, click Switch User, and then click
Other User.
10. Type MachineName\Administrator, and then press ENTER.
11. Perform procedures in DSRM.
12. When you have finished performing procedures in DSRM, restart the domain controller
normally:
a. In DSRM, open a command prompt, type the following command, and then press
ENTER:
bcdedit /deletevalue safeboot
b. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
The domain controller restarts normally. This procedure will disconnect your remote
session.
Value
Description
shutdown -t 0 -r
See Also
Enable Remote Desktop
Create a Remote Desktop Connection
Restart the Domain Controller in Directory Services Restore Mode Locally
Note
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not
use a domain administrative account. Use only the delegated RODC administrator
account. For more information about access to RODCs, see the Step-by-Step Guide for
Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).
Be sure that you know the name and location of the version of the backup that you are restoring.
Backup files are named for the date and time of the backup. When you restore the backup, the
version must be stated in the form MM/DD/YYYY-HH:MM (month/day/year-hour:minute), which
specifies the name of backup that you want to restore. The Wbadmin.exe command-line tool
does not require that you provide the target for the recovery. By specifying the backup version
that you want to recover, the command proceeds to recover to the source location of the backup
version that you specify.
Note
The systemstaterecovery command in Wbadmin.exe causes a nonauthoritative restore
of SYSVOL by default (only updates to SYSVOL since the time of the backup are
replicated to the recovery domain controller). If you want to restore SYSVOL
authoritatively (all of SYSVOL is replicated from the recovery domain controller to other
domain controllers in the domain), specify the authsysvol option in the command.
The Administrator password for DSRM is the minimum required to complete this procedure.
Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477. The server must be running in DSRM.
To perform a nonauthoritative restore of AD DS
1. At the Windows logon screen, click Switch User, and then click Other User.
2. Type .\administrator as the user name, type the DSRM password for the server, and
then press ENTER.
3. Open a Command Prompt.
4. At the command prompt, type the following command, and then press ENTER:
wbadmin get versions -backuptarget:<targetDrive>: -machine:<BackupComputerName>
Where:
<targetDrive>:
<BackupComputerName>
-backuptarget:<targetDrive>: -machine:<BackupComputerName>
-quiet
Where:
<MM/DD/YYYY-HH:MM>
<targetDrive>:
<BackupComputerName>
If you do not specify the -quiet parameter, you are prompted to press Y to proceed with
the restore process and then press Y to confirm that the replication engine for SYSVOL
has not changed since you created the backup.
After the recovery operation is complete, if you are not going to perform an authoritative restore of
any restored objects, restart the server.
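The version lookup and the systemstaterecovery command from the procedure above, including the -authsysvol switch described in the SYSVOL restore section, as an added PowerShell example that is not part of the guide. The function names, the constructed sample of wbadmin get versions output, and the use of the SAFEBOOT_OPTION environment variable as the "server is in DSRM" check are assumptions of this example.

```powershell
# Added example (not from the guide). Assumed: function names, the constructed
# sample output below, and SAFEBOOT_OPTION=DSREPAIR as the DSRM indicator.

function Get-WbVersionIdentifiers {
    # Parse "Version identifier: MM/DD/YYYY-HH:MM" lines out of 'wbadmin get versions'.
    # -RawOutput lets the parser run against captured text instead of calling wbadmin.
    param(
        [Parameter(Mandatory = $true)][string]$BackupTarget,        # e.g. "E:"
        [Parameter(Mandatory = $true)][string]$BackupComputerName,
        [string[]]$RawOutput
    )
    if (-not $RawOutput) {
        $RawOutput = & wbadmin get versions "-backuptarget:$BackupTarget" "-machine:$BackupComputerName" 2>&1
    }
    $ids = foreach ($line in $RawOutput) {
        if ($line -match 'Version identifier:\s*(\d{2}/\d{2}/\d{4}-\d{2}:\d{2})') { $Matches[1] }
    }
    # String order is not chronological for MM/DD/YYYY, so sort on the parsed date;
    # the caller can then take the last element as the newest backup.
    $ids | Sort-Object { [datetime]::ParseExact($_, 'MM/dd/yyyy-HH:mm', [cultureinfo]::InvariantCulture) }
}

function Invoke-DsrmSystemStateRestore {
    param(
        [Parameter(Mandatory = $true)][string]$Version,            # MM/DD/YYYY-HH:MM
        [Parameter(Mandatory = $true)][string]$BackupTarget,
        [Parameter(Mandatory = $true)][string]$BackupComputerName,
        [switch]$AuthoritativeSysvol,   # adds -authsysvol: all of SYSVOL replicates outward
        [switch]$Quiet,                 # adds -quiet: suppresses the two Y prompts
        [switch]$WhatIf                 # return the command line instead of running it
    )
    # The guide requires the server to be running in DSRM. Windows sets
    # SAFEBOOT_OPTION to DSREPAIR in that mode (assumption used as the check).
    if (-not $WhatIf -and $env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
        throw "Not running in Directory Services Restore Mode (SAFEBOOT_OPTION='$($env:SAFEBOOT_OPTION)')."
    }
    if ($Version -notmatch '^\d{2}/\d{2}/\d{4}-\d{2}:\d{2}$') {
        throw "Version must be in MM/DD/YYYY-HH:MM form, got '$Version'."
    }
    $wbArgs = @('start', 'systemstaterecovery',
                "-version:$Version",
                "-backuptarget:$BackupTarget",
                "-machine:$BackupComputerName")
    if ($AuthoritativeSysvol) { $wbArgs += '-authsysvol' }
    if ($Quiet)               { $wbArgs += '-quiet' }

    if ($WhatIf) { return "wbadmin $($wbArgs -join ' ')" }
    & wbadmin @wbArgs
    if ($LASTEXITCODE -ne 0) { throw "wbadmin exited with code $LASTEXITCODE" }
}

# Constructed sample of 'wbadmin get versions' output (not captured from a real server),
# so the parser can be exercised offline.
$sample = @(
    'Backup time: 9/14/2008 7:00 PM',
    'Backup target: Fixed Disk labeled E:',
    'Version identifier: 09/14/2008-19:00',
    'Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State',
    '',
    'Backup time: 9/15/2008 7:00 PM',
    'Backup target: Fixed Disk labeled E:',
    'Version identifier: 09/15/2008-19:00',
    'Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State'
)
$versions = Get-WbVersionIdentifiers -BackupTarget 'E:' -BackupComputerName 'DC01' -RawOutput $sample
$newest   = $versions | Select-Object -Last 1
# Print the exact command the procedure would run, without executing it.
Invoke-DsrmSystemStateRestore -Version $newest -BackupTarget 'E:' -BackupComputerName 'DC01' -Quiet -WhatIf
```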
Additional references
Verify AD DS restore
After you complete a restore of Active Directory Domain Services (AD DS), you can use this
procedure to verify the restore.
Membership in Domain Admins, or equivalent, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To verify an Active Directory restore from backup
1. After the restore operation completes, restart the computer in Start Windows Normally
mode. If you used Bcdedit.exe to configure startup in Directory Services Restore Mode
(DSRM), see Restart the Domain Controller in Directory Services Restore Mode
Remotely or Restart the Domain Controller in Directory Services Restore Mode Locally
for information about changing the configuration back to normal startup mode.
2. After you are able to log on to the system, perform the following verification steps:
At a command prompt, use the repadmin /showsig command to verify that the
invocation ID has changed. The invocation ID is the directory database globally
unique identifier (GUID), which the Directory System Agent (DSA) uses to identify the
version of the database. The invocation ID changes during the Active Directory
restore process to ensure the consistency of the replication process. Verify that the
previous entry appears in the retired signatures list.
At a command prompt, use the repadmin /showrepl command to verify that there are no
replication errors and all directory partitions are replicating properly with the required
replication partners. You can determine the replication partners by selecting the
NTDS Settings object for the restored server in Active Directory Sites and Services.
At a command prompt, use the net share command to verify that the NETLOGON and
SYSVOL shares appear.
At a command prompt, use the dcdiag command to verify success of all tests on the
domain controller.
Use Active Directory Users and Computers to verify that the deleted objects that you
wanted to recover from the backup are restored. If you have a Volume Shadow Copy
Service (VSS) snapshot of the database, you can use the Active Directory database
mounting tool (Dsamain.exe) to mount the database and view it through
Active Directory Users and Computers to compare the objects. For information about
the Active Directory database mounting tool, see the Step-by-Step Guide for Using
the Active Directory Database Mounting Tool in Windows Server 2008
(http://go.microsoft.com/fwlink/?LinkId=103333).
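The command-line verification steps above (repadmin /showsig, repadmin /showrepl, net share, and dcdiag), gathered into one PowerShell check as an added example that is not part of the guide. The function name, the output patterns it matches on, and the constructed sample output are assumptions; the invocation ID recorded before the restore is supplied by the caller.

```powershell
# Added example (not from the guide). Assumed: function name, output patterns,
# and the constructed sample command output at the bottom.

function Test-AdDsRestore {
    param(
        [Parameter(Mandatory = $true)][string]$PreviousInvocationId,  # GUID noted before the restore
        # Command runners are parameters so the checks can run offline against captured text.
        [scriptblock]$ShowSig  = { repadmin /showsig },
        [scriptblock]$ShowRepl = { repadmin /showrepl },
        [scriptblock]$NetShare = { net share },
        [scriptblock]$DcDiag   = { dcdiag }
    )
    $guid    = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
    $results = [ordered]@{}

    # 1. Invocation ID must differ from the pre-restore value, and the old value
    #    must appear in the retired signatures list.
    $sig = @(& $ShowSig) -join "`n"
    $currentId = if ($sig -match "Current DSA invocationID:\s*($guid)") { $Matches[1] } else { $null }
    $results['InvocationIdChanged'] = [bool]($currentId -and $currentId -ne $PreviousInvocationId)
    $results['PreviousIdRetired']   = [bool]($sig -match "(?i)$([regex]::Escape($PreviousInvocationId)).*retired")

    # 2. No failed inbound replication attempts reported by /showrepl.
    $repl = @(& $ShowRepl)
    $results['NoReplicationErrors'] = -not [bool]($repl | Where-Object { $_ -match 'Last attempt .* failed' })

    # 3. NETLOGON and SYSVOL shares are published again.
    $shares = @(& $NetShare)
    $results['NetlogonShared'] = [bool]($shares | Where-Object { $_ -match '^NETLOGON\s' })
    $results['SysvolShared']   = [bool]($shares | Where-Object { $_ -match '^SYSVOL\s' })

    # 4. dcdiag reports no failed tests.
    $diag = @(& $DcDiag)
    $results['DcdiagAllPassed'] = -not [bool]($diag | Where-Object { $_ -match 'failed test' })

    $results['Overall'] = -not ($results.Values -contains $false)
    [pscustomobject]$results
}

# Constructed sample output (not captured from a real domain controller).
$oldId = 'e4c2a1b0-1111-2222-3333-444455556666'
$newId = '0f1e2d3c-aaaa-bbbb-cccc-ddddeeeeffff'
$fakeShowSig = {
    "Current DSA invocationID: $newId"
    "$oldId retired on 09/15/2008 19:42:10 at USN 1234567"
}
$fakeShowRepl = {
    'DC=contoso,DC=com'
    '    Default-First-Site-Name\DC02 via RPC'
    '        Last attempt @ 2008-09-15 19:45:01 was successful.'
}
$fakeNetShare = {
    'Share name   Resource                                      Remark'
    'NETLOGON     C:\Windows\SYSVOL\sysvol\contoso.com\SCRIPTS   Logon server share'
    'SYSVOL       C:\Windows\SYSVOL\sysvol                      Logon server share'
}
$fakeDcDiag = {
    '   ......................... DC01 passed test Connectivity'
    '   ......................... DC01 passed test Replications'
}
# Every check should report True for this sample; a real run omits the -ShowSig..-DcDiag overrides.
Test-AdDsRestore -PreviousInvocationId $oldId -ShowSig $fakeShowSig -ShowRepl $fakeShowRepl `
                 -NetShare $fakeNetShare -DcDiag $fakeDcDiag | Format-List
```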
Note
If you can isolate a domain controller in the domain that has not received replication of
the deletion, the preliminary, nonauthoritative restore from backup is not necessary. For
more information, see Recovering deletions without restoring from backup.
You can restore objects in domain directory partitions, application directory partitions, and the
configuration directory partition, as follows:
Domain directory partitions: You must restore the objects on a domain controller in the
domain.
Application directory partitions: You must restore the objects on a domain controller that hosts
the application directory partition. If you delete an entire application directory partition, you
must restore the domain naming operations master to recover the application directory
partition.
Configuration directory partitions: You can restore objects on any domain controller in the
forest.
Note
You can also restore Group Policy objects (GPOs). For information about restoring
GPOs, see Back Up, Restore, Import, and Copy Group Policy Objects in online Help for
the Group Policy Management Console (GPMC).
When an Active Directory object is marked for authoritative restore, its version number is changed
so that the number is higher than the existing version number of the deleted object, which
replicates as a tombstone in the Active Directory replication system. The change in version
number ensures that any object that you restore authoritatively is replicated from the restored
domain controller to other domain controllers in the forest, updating the tombstone object to the
restored object.
An authoritative restore is most commonly used to restore corrupt or deleted objects, often to
recover unintentionally deleted user and group objects. An authoritative restore should not be
used to restore an entire domain controller, nor should it be used as part of a change-control
infrastructure. Proper delegation of administration and change enforcement will help optimize
data consistency, integrity, and security.
Active Directory data that they contain. When inadvertent deletions or modifications occur, you
can use a snapshot to compare the data in the current directory against data in the snapshot. If
you take regular snapshots, you can sometimes avoid having to restore AD DS if you can identify
the differences in the data and return the affected objects to their correct state.
When a recovery operation is required, you can use a database snapshot to assess the
differences and determine the objects that you want to authoritatively restore. For information
about using VSS shadow copies and the Active Directory database mounting tool, see the
Step-by-Step Guide for Using the Active Directory Database Mounting Tool in Windows Server 2008
(http://go.microsoft.com/fwlink/?LinkID=103333).
application directory partition as authoritative, and do not perform the procedures for restoring
group memberships.
Note
Although Ntdsutil restores back-links for LVR groups, replication order can result in the
memberships being dropped. For more information, see Performing Authoritative Restore
of Active Directory Objects.
text file that is generated during authoritative restore to create an .ldf file to restore the
memberships in each additional domain.
Global groups: Security principals (users, groups, and computers) can be members of only
the global groups that are created in the same domain. Global catalog servers store a
writable domain directory partition. Therefore, they can restore global group memberships for
the recovery domain.
Universal groups: Security principals can be members of universal groups that are created
in any domain. However, the member attribute is among the attributes that are stored on the
read-only universal group objects in the global catalog. Therefore, a global catalog server can
recover universal group memberships for all domains in the forest. A domain controller that is
not a global catalog server stores only universal group objects that are created in its own
domain.
Domain local groups: Security principals can be members of domain local groups that are
created in any domain. Memberships in domain local groups in the recovery domain are
restored automatically during authoritative restore. However, the global catalog does not store
the member attribute for read-only domain local group objects. Therefore, for restored
security principals that have memberships in domain local groups in other domains, you must
recover these memberships by performing follow-up procedures in each additional domain.
Use the Services snap-in to stop AD DS. In this case, other services continue to operate.
Take the global catalog service offline by restarting it in Directory Services Restore Mode
(DSRM). In this case, all other directory-related services are stopped in addition to AD DS.
Use Repadmin.exe to stop inbound replication. In this case, the domain controller continues
to operate but does not receive replication updates.
If an object exists in the backup, before inbound replication the post-restore directory partition
contains the version of the object that exists in the restored backup.
If an object was created after the backup was made and there are additional domain
controllers that store the directory partition, after inbound replication the restored directory
partition also includes the set of objects that were created after the backup.
If an object contains new attributes that are not contained in the backup but that exist in the
directory partition of an additional domain controller in the domain at the time of the restore,
after inbound replication the version of the object and attributes as they existed in the backup
plus any new attributes that were added to the object after the backup are preserved.
Authoritative restore affects only the objects and attributes that existed at the time of the backup.
This functionality applies to objects with linked attributes and nonlinked attributes alike. For
example, if you are restoring an object that has attribute A and attribute B in the backup version
and has attributes A, B, and C in the current directory, attribute C is retained after authoritative
restore. Therefore, a group object that has the member value of User1 in the backup and has
both User1 and User2 in the current directory includes both of those memberships after
authoritative restore of the group object. Any post-backup memberOf or member attribute values
that were added to a user or group, respectively, are not affected by replication updates after the
restore procedure.
If you want to remove group memberships, or any other unwanted object attribute, complete the
following steps:
1. Delete the object whose updates you do not want to retain.
2. Allow the deletion to replicate throughout the forest.
3. Back up a domain controller that has received the deletion.
4. Authoritatively restore the object that you deleted from the backup that does not contain the
unwanted values.
Repadmin.exe
Bcdedit.exe (optional)
Ntdsutil.exe
To complete this task, perform procedures according to the conditions in your environment:
Procedures for recovering group memberships (and any other back-link attributes) in other
domains
8. If the .ldf file shows back-links for objects in other domains, perform the procedures in
Procedures for recovering group memberships (and any other back-link attributes) in other
domains.
Additional references
replication of the authoritatively restored User X is received, perhaps only seconds later, the
member attribute of the group is not updated. If replication of User X is received before Group A,
the membership on Group A is retained.
Use the following steps to ensure that group memberships for authoritatively restored groups and
their restored members are always retained during replication after authoritative restore:
1. Ensure that all authoritatively restored objects have replicated and exist on all domain
controllers in the domain.
2. Run the .ldf file on the recovery domain controller.
3. Force replication on the recovery domain controller.
Attempt to find a global catalog server to use as the recovery domain controller. Only a global
catalog server can recover universal group memberships for other domains. If you cannot find
a latent global catalog server or other domain controller in the domain where the deletion
occurred, find the most recent system state or critical-volume backup of a global catalog
server in that domain. Use this global catalog server as the recovery domain controller. In
addition, locate the most recent backup of a non-global-catalog domain controller.
You are restoring individual, deleted user or computer accounts by their distinguished
name (DN) paths.
You are restoring a domain controller that has not received replication of the deletions.
a. Verify group memberships in the domain of the recovery domain controller and on a
global catalog server in every other domain.
b. Create a new system state or critical-volumes backup in the recovery domain.
c. Notify users, administrators, and help desk administrators that they can resume making
changes.
d. Instruct help desk administrators to reset the passwords of restored user accounts and
computer accounts whose domain passwords changed after the restored backup was
created.
Windows GUI: System Configuration (Msconfig.msc) is an administrative tool that you can
use to configure boot and startup options, including restarting in DSRM and normal mode.
Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot
configuration on a server that is running Windows Server 2008. You can use Bcdedit with
shutdown commands to instruct the domain controller to restart in DSRM and to restart
normally.
When you are finished managing a domain controller in DSRM, if you have used System
Configuration or Bcdedit.exe to restart the domain controller in DSRM, you must change the
configuration so that the domain controller restarts in normal mode.
Note
A benefit of using System Configuration or Bcdedit.exe for implementing restart of a
domain controller into DSRM is that normally the domain controller cannot be
inadvertently restarted. This benefit is particularly useful when you are performing a
nonauthoritative restore from backup followed by an authoritative restore.
You can also use System Configuration or Bcdedit.exe to restart a domain controller in DSRM
remotely. To use System Configuration or Bcdedit.exe and Remote Desktop Connection to restart
a domain controller in DSRM remotely, see Restart the Domain Controller in Directory Services
Restore Mode Remotely.
Membership in the Domain Admins group is the minimum required to complete the System
Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account
and password for DSRM are required to log on to the domain controller in DSRM. Review details
about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not
use a domain administrative account. Use only the delegated RODC administrator
account. For more information about access to RODCs, see the Step-by-Step Guide for
Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).
a. On the Start menu, point to Administrative Tools, and then click System
Configuration.
b. On the General tab, in Startup selection, click Normal startup, and then click OK.
The domain controller restarts normally.
To restart a domain controller in DSRM locally by using the command line
1. Click Start, click Command Prompt, and then click Run as administrator. If the User
Account Control dialog box appears, provide Domain Admins credentials, and then click
OK.
2. At the command prompt, type the following command, and then press ENTER:
bcdedit /set safeboot dsrepair
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
4. When you are still in DSRM and you are ready to restart in normal mode, open a
command prompt and type the following, and then press ENTER:
bcdedit /deletevalue safeboot
5. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
Value
Description
shutdown -t 0 -r
/deletevalue safeboot
See Also
Restart the Domain Controller in Directory Services Restore Mode Remotely
During installation of Active Directory Domain Services (AD DS), you set the Administrator
password for logging on to the server in DSRM. When you start Windows Server 2008 in DSRM,
you must log on by using this DSRM password for the local Administrator account.
Note
By default, you must start a domain controller in DSRM to log on by using the DSRM
Administrator account. However, on domain controllers that are running
Windows Server 2008, you can change this behavior by modifying the
DSRMAdminLogonBehavior registry entry. By changing the value for this entry, you can
configure a domain controller so that you can log on to it with the DSRM Administrator
account if the domain controller was started normally but the AD DS service is stopped
for some reason. For more information about changing this registry entry, see the
Windows Server 2008 Restartable AD DS Step-by-Step Guide
(http://go.microsoft.com/fwlink/?LinkId=88649).
On domain controllers that are running Windows Server 2008, tools are available that replace the
Boot.ini file that is used in earlier versions of Windows Server to modify the boot configuration
parameters and controls. You can use the Windows graphical user interface (GUI) or the
command line to restart the domain controller in DSRM:
Windows GUI: System Configuration (Msconfig.msc) is an administrative tool that you can
use to configure boot and startup options, including restarting in DSRM and normal mode.
Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot
configuration on a server that is running Windows Server 2008. You can use Bcdedit with
shutdown commands to instruct the domain controller to restart in DSRM and to restart
normally.
To restart the domain controller in DSRM remotely, you first use Remote Desktop Connection to
connect to the domain controller while it is in normal startup mode. Remote Desktop Connection
must be enabled on the target domain controller. After the domain controller has restarted, you
can use Remote Desktop Connection to reconnect to the domain controller and then log on as
the local Administrator, using the DSRM password.
You can use this procedure to connect to a domain controller remotely, restart it in DSRM, and
then reconnect to it as the DSRM administrator.
Membership in Domain Admins, or equivalent, is the minimum required to complete the System
Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account
and password for DSRM and the user right to log on locally to a domain controller are required to
log on to the domain controller in DSRM. Members of Account Operators, Administrators,
Enterprise Admins, Domain Admins, Backup Operators, Print Operators, and Server Operators
have the user right to log on locally to a domain controller by default. Review details about using
the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not
use a domain administrative account. Use only the delegated RODC administrator
In the Windows Security dialog box, provide credentials for a domain administrator,
and then click OK.
d. When you are connected, log on to the domain controller as a domain administrator.
2. On the Start menu, point to Administrative Tools, and then click System
Configuration.
3. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and
then click OK.
4. In the System Configuration dialog box, click Restart. The domain controller restarts in
DSRM. When the domain controller restarts, your Remote Desktop Connection is
dropped.
5. Wait for a period of time that is adequate for the remote domain controller to restart, and
then open Remote Desktop Connection.
6. The domain controller name should still be showing in Computer. If it is not, select it from
the list, and then click Connect.
7. In the Windows Security dialog box, click Use another account.
8. In User name, type the following:
MachineName\Administrator
Where MachineName is the name of the domain controller.
9. In Password, type the DSRM password, and then click OK.
10. At the logon screen of the remote domain controller, click Switch User, and then click
Other User.
11. Type MachineName\Administrator, and then press ENTER.
12. Perform procedures in DSRM.
13. When you have finished performing procedures in DSRM, restart the domain controller
normally:
a. On the Start menu, point to Administrative Tools, and then click System
Configuration.
b. On the General tab, in Startup selection, click Normal startup, and then click OK.
The domain controller restarts normally. This procedure will disconnect your remote
session.
To restart a domain controller in DSRM remotely by using the command line
1. Connect to the remote domain controller that is running in normal mode:
a. On the Start menu, click All Programs, click Accessories, and then click Remote
Desktop Connection.
b. In Computer, type the name of the domain controller that you want to restart, and
then click Connect.
c. In the Windows Security dialog box, provide credentials for a domain administrator,
and then click OK.
and then click OK.
d. When you are connected, log on to the domain controller as a domain administrator.
2. Open a command prompt. At the command prompt, type the following command, and
then press ENTER:
bcdedit /set safeboot dsrepair
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
The domain controller restarts in DSRM. When the domain controller restarts, your
Remote Desktop Connection is dropped.
4. Wait for a period of time that is adequate for the remote domain controller to restart, and
then open Remote Desktop Connection.
5. The domain controller name should still be showing in Computer. If it is not, select it in
the list, and then click Connect.
6. In the Windows Security dialog box, click Use another account.
7. In User name, type the following:
MachineName\Administrator
Where MachineName is the name of the domain controller.
8. In Password, type the DSRM password, and then click OK.
9. At the logon screen of the remote domain controller, click Switch User, and then click
Other User.
10. Type MachineName\Administrator, and then press ENTER.
11. Perform procedures in DSRM.
12. When you have finished performing procedures in DSRM, restart the domain controller
normally:
a. In DSRM, open a command prompt, type the following command, and then press
ENTER:
bcdedit /deletevalue safeboot
b. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
The domain controller restarts normally. This procedure will disconnect your remote
session.
Value                 Description
shutdown -t 0 -r      Restarts the computer (-r) immediately, with a time-out of 0 seconds before the restart (-t 0).
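The bcdedit and shutdown steps of the remote and local DSRM restart procedures, wrapped in a PowerShell function that reads the boot entry back before restarting. This is an added example, not code from the guide; the function names are its own, and it assumes PowerShell 2.0 or later in an elevated prompt on the domain controller (inside the Remote Desktop session, or locally).

```powershell
# Added example (not from the guide): toggle the DSRM boot flag with bcdedit and
# verify the boot entry before restarting. Run from an elevated prompt.

function Get-SafebootValue {
    # Returns the 'safeboot' element of the running boot entry (for example
    # 'DsRepair'), or $null when the entry has no safeboot value.
    foreach ($line in (bcdedit /enum '{current}')) {
        if ($line -match '^\s*safeboot\s+(\S+)\s*$') { return $Matches[1] }
    }
    return $null
}

function Set-DsrmBoot {
    # Mode 'Enable' sets safeboot dsrepair (next startup is DSRM);
    # Mode 'Disable' removes it (next startup is normal).
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Enable', 'Disable')]
        [string]$Mode,

        # Restart immediately after the change (same effect as 'shutdown -t 0 -r').
        [switch]$Restart
    )

    $before = Get-SafebootValue
    if ($Mode -eq 'Enable') {
        bcdedit /set safeboot dsrepair | Out-Null
        $expected = 'DsRepair'
    }
    elseif ($null -eq $before) {
        Write-Host 'safeboot is not set; the next startup is already normal.'
        return
    }
    else {
        bcdedit /deletevalue safeboot | Out-Null
        $expected = $null
    }
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit failed with exit code $LASTEXITCODE (is the prompt elevated?)"
    }

    # Read the boot entry back instead of trusting bcdedit's success message.
    $after = Get-SafebootValue
    if ($after -ne $expected) {
        throw "Verification failed: safeboot is '$after' (was '$before'), expected '$expected'."
    }
    Write-Host ("safeboot: '{0}' -> '{1}'" -f $before, $after)

    if ($Restart) {
        # A Remote Desktop session is dropped at this point, as the procedure notes.
        Restart-Computer -Force
    }
}

# Usage:
#   Set-DsrmBoot -Mode Enable -Restart    # restart into DSRM
#   Set-DsrmBoot -Mode Disable -Restart   # from DSRM, restart normally
```

Reading the safeboot value back matters because a missed /deletevalue leaves the domain controller starting in DSRM, with AD DS not running, on every subsequent restart; the check makes that condition visible before the restart rather than after.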
See Also
Enable Remote Desktop
Create a Remote Desktop Connection
Restart the Domain Controller in Directory Services Restore Mode Locally
Note
The systemstaterecovery command in Wbadmin.exe causes a nonauthoritative restore
of SYSVOL by default (only updates to SYSVOL since the time of the backup are
replicated to the recovery domain controller). If you want to restore SYSVOL
authoritatively (all of SYSVOL is replicated from the recovery domain controller to other
domain controllers in the domain), specify the authsysvol option in the command.
The Administrator password for DSRM is the minimum required to complete this procedure.
Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477. The server must be running in DSRM.
To perform a nonauthoritative restore of AD DS
1. At the Windows logon screen, click Switch User, and then click Other User.
2. Type .\administrator as the user name, type the DSRM password for the server, and
then press ENTER.
3. Open a Command Prompt.
4. At the command prompt, type the following command, and then press ENTER:
wbadmin get versions -backuptarget:<targetDrive>: -machine:<BackupComputerName>
Where:
<targetDrive>: is the drive letter of the volume that contains the backup.
<BackupComputerName> is the name of the computer whose backup you want to recover.
5. At the command prompt, type the systemstaterecovery command for the backup version
that you want to restore, and then press ENTER.
Where:
<MM/DD/YYYY-HH:MM> is the version identifier of the backup that you want to restore, as
shown in the output of the previous command.
<targetDrive>: is the drive letter of the volume that contains the backup.
<BackupComputerName> is the name of the computer whose backup you want to recover.
If you do not specify the -quiet parameter, you are prompted to press Y to proceed with
the restore process and then press Y to confirm that the replication engine for SYSVOL
has not changed since you created the backup.
After the recovery operation is complete, if you are not going to perform an authoritative restore of
any restored objects, restart the server.
Additional references
You must know the full distinguished name of the object or objects that you want to restore.
If the deletions that you are recovering have replicated to the recovery domain controller, you
must have completed a nonauthoritative restore procedure, after which you did not restart the
domain controller and it remains in Directory Services Restore Mode (DSRM).
If the deletions that you are recovering have not replicated to the recovery domain controller,
you can perform this procedure in normal mode with Active Directory Domain Services
(AD DS) stopped.
The Ntdsutil functionality that is described in this procedure is available on domain controllers that
are running Windows Server 2008. To perform authoritative restore on a domain controller that is
running a version of Windows Server 2003, see Performing an Authoritative Restore of Active
Directory Objects (http://go.microsoft.com/fwlink/?LinkId=44194).
Note
If you are able to stop inbound replication on a global catalog server or other domain
controller in the domain before it has received the deletion that you want to restore, you
can skip the nonauthoritative restore process.
Perform this procedure to recover deleted objects in the domain and to restore back-links for
those objects in this domain. If you are running the authoritative restore procedure on a global
catalog server, back-links for objects in other domains are also updated if the forward link is
stored in the global catalog. For example, the values for back-link attribute memberOf are
restored in this procedure if the forward link member is stored in the global catalog or in the
domain directory partition. In the case of domain local groups, the member attribute is not stored
in the global catalog and it is not stored in the recovery domain if the group exists in a different
domain. In this case, you must perform additional steps to recover domain local group
memberships of restored security principals. These steps are described in Create an LDIF File for
Recovering Back-Links for Authoritatively Restored Objects.
Membership in Domain Admins, or equivalent, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To mark a subtree or individual object authoritative
1. In DSRM, click Start, click Run, type ntdsutil, and then press ENTER.
2. At the ntdsutil: prompt, type authoritative restore, and then press ENTER.
(Always enclose the distinguished name in quotes when there is a space or other special
characters within the distinguished name.)
Ntdsutil attempts to mark the object as authoritative. The output message indicates the
status of the operation. The most common cause of failure is an incorrectly specified
distinguished name or a backup for which the distinguished name does not exist. (This
occurs if you try to restore a deleted object that was created after the backup.)
The following sample output shows that Ntdsutil created a text file (.txt) and an LDAP
Data Interchange Format (LDIF) (.ldf) file when the marked object was found to have
back-links:
following LDIF files with link restore operations have been created
in the current working directory:
ar_20080209-091249_links_Corp.Contoso.com.ldf
5. Make a note of the location of the .txt and .ldf files, if any. We recommend that you use
the .ldf file to restore back-links in this domain, even if restored objects are members of
groups that were created before linked-value replication (LVR) was in effect. However, in
all cases where any of the restored objects listed in the .txt file has memberships in
groups in a different domain, you must use the .txt file to generate an .ldf file to restore
back-links in those domains. If you have other domains in which you want to restore
back-links for this restored object, make a copy of this .txt file to use on a domain
controller in each additional domain.
6. At the authoritative restore: prompt, type quit, and then press ENTER.
Additional references
2. At the command prompt, type the following command, and then press ENTER:
repadmin /options <ServerName> +DISABLE_INBOUND_REPL
Current DSA Options displays the conditions that were in effect at the time that you ran
the command. New DSA Options shows the effect of the command, which is that the
DISABLE_INBOUND_REPL option is now in effect.
Additional references
Value                      Description
repadmin /syncall          Synchronizes the specified domain controller with all of its replication partners.
<DomainControllerName>     The name of the domain controller to synchronize.
/e                         Enterprise: includes replication partners in all sites, not only the local site.
/d                         Identifies servers by distinguished name in messages, instead of by GUID-based DNS name.
/A                         Synchronizes all directory partitions that the domain controller holds.
/P                         Pushes changes outward from the specified domain controller to its partners.
/q                         Quiet mode: suppresses callback messages.
2. Check for replication errors in the output of the command in the previous step. If there are
no errors, replication is successful. For replication to complete, any errors must be
corrected.
See Also
Verify Successful Replication to a Domain Controller
Where <FileName> is the name of the .ldf file that you want to run, for example,
ar_20080609-174604_links_corp.contoso.com.ldf.
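A PowerShell wrapper for importing that .ldf file, added here as an example and not part of the guide: it parses the LDIF modify records to show which groups are touched and how many link values each one gets back, refuses to run on the domain controller that generated the file (the note in Create an LDIF File for Recovering Back-Links requires a different domain controller), and then runs ldifde -i -k -f, which is the import command the procedure refers to. The function names, the -GeneratedOn check and the sample LDIF are this example's own assumptions; it expects PowerShell 2.0 or later.

```powershell
# Added example (not from the guide): review an Ntdsutil link-restore .ldf file
# before importing it with ldifde.

function Get-LinkRestoreSummary {
    # Parses LDIF 'changetype: modify' records and returns one object per target
    # DN and added attribute, with the number of values that will be added.
    param([Parameter(Mandatory = $true)][string]$Path)

    $records = @()
    $dn = $null; $attr = $null; $values = 0
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.TrimEnd()
        if ($line -match '^dn:\s*(.+)$')   { $dn = $Matches[1]; $attr = $null; $values = 0; continue }
        if ($line -match '^add:\s*(\S+)$') { $attr = $Matches[1]; continue }
        if ($attr -and $line -match "^${attr}:\s*\S") { $values++; continue }
        # A change ends at '-' (or at the blank line that ends the record).
        if ($dn -and $attr -and ($line -eq '-' -or $line -eq '')) {
            $records += New-Object PSObject -Property @{ DN = $dn; Attribute = $attr; Values = $values }
            $attr = $null; $values = 0
        }
    }
    return $records
}

function Import-LinkRestoreFile {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Name of the domain controller on which Ntdsutil generated the file
        # (an assumption of this example; the guide gives no such parameter).
        [Parameter(Mandatory = $true)][string]$GeneratedOn
    )
    if ($env:COMPUTERNAME -ieq $GeneratedOn) {
        throw "Run this .ldf file on a domain controller other than $GeneratedOn so that current group objects are updated."
    }
    $summary = @(Get-LinkRestoreSummary -Path $Path)
    if ($summary.Count -eq 0) { throw "No 'changetype: modify' records found in $Path" }
    $summary | Format-Table -AutoSize DN, Attribute, Values | Out-String | Write-Host
    $total = ($summary | Measure-Object -Property Values -Sum).Sum
    Write-Host ("{0} object(s), {1} link value(s) to restore." -f $summary.Count, $total)

    # -i import, -k continue past 'Constraint Violation' and 'Object Already
    # Exists' errors (links that already exist), -f the file to import.
    ldifde -i -k -f $Path
    if ($LASTEXITCODE -ne 0) { throw "ldifde exited with code $LASTEXITCODE; review its output above." }
}

# Constructed sample (not Ntdsutil output) to try the summary function offline.
$sample = @'
dn: CN=Finance,OU=Groups,DC=corp,DC=contoso,DC=com
changetype: modify
add: member
member: CN=Alice Example,OU=Users,DC=corp,DC=contoso,DC=com
member: CN=Bob Example,OU=Users,DC=corp,DC=contoso,DC=com
-

'@
$tmp = Join-Path $env:TEMP 'sample_links.ldf'
Set-Content -Path $tmp -Value $sample
Get-LinkRestoreSummary -Path $tmp | Format-Table -AutoSize DN, Attribute, Values
```

The summary is the review step: an .ldf file generated in one domain and carried to another is a set of group membership changes, so seeing the target groups and value counts before import is the cheapest way to catch a file copied to the wrong domain or generated from the wrong .txt file.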
Additional references
Create an LDIF File for Recovering Back-Links for Authoritatively Restored Objects
You can manage the inbound replication state by setting a repadmin option to change the value
in DISABLE_INBOUND_REPL. You change the state by using a plus (+) to enable the disabled
state (turn off inbound replication) and a minus (-) to disable (reverse) the disabled state (turn on
inbound replication). When you apply the option, the command output confirms only that the
DISABLE_INBOUND_REPL option is either new or current. It does not indicate on or off.
Membership in Domain Admins, or equivalent, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To turn on inbound replication
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide Domain Admins credentials, if requested, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
repadmin /options <ServerName> -DISABLE_INBOUND_REPL
Current DSA Options displays the conditions that were in effect at the time that you ran
the command. New DSA Options shows the effect of the command, which is that the
DISABLE_INBOUND_REPL option is not in effect (does not appear).
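Because the +/- command's own output only reports the option as Current or New and not whether inbound replication is on or off, the state is best read back from a fresh repadmin /options call. The following PowerShell functions, an added example and not code from the guide, do that for the turn-off and turn-on procedures above and also wrap the repadmin /syncall check from Verify Successful Replication to a Domain Controller. Function names are this example's own; the parsing assumes repadmin prints a "Current DSA Options:" line followed by the option names, as in the procedures, and treats any output line containing "error" (other than a "no errors" summary) as a replication error.

```powershell
# Added example (not from the guide): verify the inbound replication state and
# the result of repadmin /syncall by parsing repadmin's text output.

function Get-InboundReplicationDisabled {
    # $true when DISABLE_INBOUND_REPL is among the current DSA options of $Server.
    param([Parameter(Mandatory = $true)][string]$Server)

    $output = repadmin /options $Server
    if ($LASTEXITCODE -ne 0) { throw "repadmin /options $Server failed: $($output -join ' ')" }

    $options = @()
    foreach ($line in $output) {
        # Assumed format: 'Current DSA Options: IS_GC DISABLE_INBOUND_REPL'
        if ($line -match '^\s*Current DSA Options:\s*(.*)$') {
            $options = $Matches[1].Trim() -split '\s+'
        }
    }
    return ($options -contains 'DISABLE_INBOUND_REPL')
}

function Set-InboundReplication {
    # $Enabled $false turns inbound replication off (+DISABLE_INBOUND_REPL);
    # $Enabled $true turns it back on (-DISABLE_INBOUND_REPL). Verifies afterwards.
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][bool]$Enabled
    )
    $flag = if ($Enabled) { '-DISABLE_INBOUND_REPL' } else { '+DISABLE_INBOUND_REPL' }
    repadmin /options $Server $flag | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "repadmin /options $Server $flag failed with exit code $LASTEXITCODE" }

    $disabled = Get-InboundReplicationDisabled -Server $Server
    if ($disabled -eq $Enabled) {
        throw "Verification failed on $Server : inbound replication disabled = $disabled"
    }
    Write-Host ("{0}: inbound replication is now {1}" -f $Server, $(if ($disabled) { 'OFF' } else { 'ON' }))
}

function Test-SyncAllSucceeded {
    # Runs repadmin /syncall with the switches from the verification procedure
    # and returns $false when any error line is reported.
    param([Parameter(Mandatory = $true)][string]$Server)

    $output = repadmin /syncall $Server /e /d /A /P /q
    $errors = $output | Where-Object { $_ -match 'error' -and $_ -notmatch 'no errors' }
    if ($errors) {
        Write-Warning ("repadmin /syncall reported errors on {0}:" -f $Server)
        $errors | ForEach-Object { Write-Warning "  $_" }
        return $false
    }
    return $true
}

# Usage (constructed server name):
#   Set-InboundReplication -Server DC01 -Enabled $false   # stop inbound replication
#   Set-InboundReplication -Server DC01 -Enabled $true    # resume it
#   Test-SyncAllSucceeded -Server DC01
```

Reading the state back after each change is what makes the procedure safe to script: an authoritative restore that runs while inbound replication is unexpectedly still on can have the deletion replicated back in before the restored objects are marked.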
Additional references
Create an LDIF File for Recovering Back-Links for Authoritatively Restored Objects
When you perform an authoritative restore in a domain where deletions of Active Directory
objects occurred, the Ntdsutil tool generates a text (.txt) file that identifies the objects that have
been restored. You can use this .txt file to generate an LDAP Data Interchange Format (LDIF) file
(.ldf) in other domains that might have back-links from the restored objects.
This procedure generates the .ldf file that you need to recover back-links in this domain. Perform
this procedure on a domain controller in the domain that might have the back-links. After you
complete this procedure, you must use the Ldifde tool to run the .ldf file on a domain controller in
the same domain, as described in Run an LDIF File to Recover Back-Links.
Note
To ensure that current group objects are updated, run the .ldf file on a domain controller
other than the domain controller that you use to generate the .ldf file.
Before you perform this procedure, you must:
Copy the .txt file that Ntdsutil created during the authoritative restore procedure, which you
performed on the first domain controller, to a location on this domain controller or a network
share.
After you restore this domain controller from backup, perform this procedure while the domain
controller is still running in Directory Services Restore Mode (DSRM).
To perform this procedure, you must provide the Administrator password for DSRM.
To create an .ldf file for restoring back-links for authoritatively restored objects
1. In DSRM, click Start, click Run, type ntdsutil, and then press ENTER.
2. At the ntdsutil: prompt, type authoritative restore, and then press ENTER.
3. At the authoritative restore: prompt, type the following command, and then press
ENTER:
Where <TextFilePath> is the location and file name of the .txt file that Ntdsutil created
during the initial authoritative restore of the object whose back-links you want to restore,
for example, d:\ldif\ar_20080609_091558_objects.txt.
Ntdsutil displays a message stating that one or more specified objects have back-links in
this domain and an .ldf file has been created in the current working directory.
4. At the authoritative restore: prompt, type quit, and then press ENTER.
Additional references
If you deleted an entire application directory partition, you must perform the restore procedure on
the domain naming operations master role holder.
Before you perform the procedures in this task, back up the domain controller that you are
restoring. For information about creating backups, see Backing Up Active Directory Domain
Services.
Task requirements
The following tools are required to perform the procedures for this task:
Bcdedit.exe (optional)
Ntdsutil.exe
Windows GUI: System Configuration (Msconfig.msc) is an administrative tool that you can
use to configure boot and startup options, including restarting in DSRM and normal mode.
Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot
configuration on a server that is running Windows Server 2008. You can use Bcdedit with
shutdown commands to instruct the domain controller to restart in DSRM and to restart
normally.
To restart the domain controller in DSRM remotely, you first use Remote Desktop Connection to
connect to the domain controller while it is in normal startup mode. Remote Desktop Connection
must be enabled on the target domain controller. After the domain controller has restarted, you
can use Remote Desktop Connection to reconnect to the domain controller and then log on as
the local Administrator, using the DSRM password.
You can use this procedure to connect to a domain controller remotely, restart it in DSRM, and
then reconnect to it as the DSRM administrator.
Membership in Domain Admins, or equivalent, is the minimum required to complete the System
Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account
and password for DSRM and the user right to log on locally to a domain controller are required to
log on to the domain controller in DSRM. Members of Account Operators, Administrators,
Enterprise Admins, Domain Admins, Backup Operators, Print Operators, and Server Operators
have the user right to log on locally to a domain controller by default. Review details about using
the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not
use a domain administrative account. Use only the delegated RODC administrator
account. Using a domain administrative account to log on to an RODC can compromise
the server. For more information about access to RODCs, see the Step-by-Step Guide for
Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).
To restart a domain controller in DSRM remotely by using the Windows GUI
1. Connect to the remote domain controller that is running in normal mode:
a. On the Start menu, click All Programs, click Accessories, and then click Remote
Desktop Connection.
b. In Computer, type the name of the domain controller that you want to restart, and
then click Connect.
c. In the Windows Security dialog box, provide credentials for a domain administrator,
and then click OK.
d. When you are connected, log on to the domain controller as a domain administrator.
2. Open a command prompt. At the command prompt, type the following command, and
then press ENTER:
bcdedit /set safeboot dsrepair
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
The domain controller restarts in DSRM. When the domain controller restarts, your
Remote Desktop Connection is dropped.
4. Wait for a period of time that is adequate for the remote domain controller to restart, and
then open Remote Desktop Connection.
5. The domain controller name should still be showing in Computer. If it is not, select it in
the list, and then click Connect.
6. In the Windows Security dialog box, click Use another account.
7. In User name, type the following:
MachineName\Administrator
Where MachineName is the name of the domain controller.
8. In Password, type the DSRM password, and then click OK.
9. At the logon screen of the remote domain controller, click Switch User, and then click
Other User.
10. Type MachineName\Administrator, and then press ENTER.
11. Perform procedures in DSRM.
12. When you have finished performing procedures in DSRM, restart the domain controller
normally:
a. In DSRM, open a command prompt, type the following command, and then press
ENTER:
bcdedit /deletevalue safeboot
b. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
The domain controller restarts normally. This procedure will disconnect your remote
session.
Value                 Description
shutdown -t 0 -r      Restarts the computer (-r) immediately, with a time-out of 0 seconds before the restart (-t 0).
See Also
Enable Remote Desktop
Create a Remote Desktop Connection
Restart the Domain Controller in Directory Services Restore Mode Locally
Windows GUI: System Configuration (Msconfig.msc) is an administrative tool that you can
use to configure boot and startup options, including restarting in DSRM and normal mode.
Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot
configuration on a server that is running Windows Server 2008. You can use Bcdedit with
shutdown commands to instruct the domain controller to restart in DSRM and to restart
normally.
When you are finished managing a domain controller in DSRM, if you have used System
Configuration or Bcdedit.exe to restart the domain controller in DSRM, you must change the
configuration so that the domain controller restarts in normal mode.
Note
A benefit of using System Configuration or Bcdedit.exe for implementing restart of a
domain controller into DSRM is that normally the domain controller cannot be
inadvertently restarted. This benefit is particularly useful when you are performing a
nonauthoritative restore from backup followed by an authoritative restore.
You can also use System Configuration or Bcdedit.exe to restart a domain controller in DSRM
remotely. To use System Configuration or Bcdedit.exe and Remote Desktop Connection to restart
a domain controller in DSRM remotely, see Restart the Domain Controller in Directory Services
Restore Mode Remotely.
Membership in the Domain Admins group is the minimum required to complete the System
Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account
and password for DSRM is required to log on to the domain controller in DSRM. Review details
about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not
use a domain administrative account. Use only the delegated RODC administrator
account. For more information about access to RODCs, see the Step-by-Step Guide for
Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
4. When you are still in DSRM and you are ready to restart in normal mode, open a
command prompt and type the following, and then press ENTER:
bcdedit /deletevalue safeboot
5. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
Value                    Description
shutdown -t 0 -r         Restarts the computer (-r) immediately, with a time-out of 0 seconds before the restart (-t 0).
/deletevalue safeboot    Removes the safeboot element from the boot configuration so that the next startup is normal.
See Also
Restart the Domain Controller in Directory Services Restore Mode Remotely
Note
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not
use a domain administrative account. Use only the delegated RODC administrator
account. For more information about access to RODCs, see the Step-by-Step Guide for
Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).
Be sure that you know the name and location of the version of the backup that you are restoring.
Backup files are named for the date and time of the backup. When you restore the backup, the
version must be stated in the form MM/DD/YYYY-HH:MM (month/day/year-hour:minute), which
specifies the name of backup that you want to restore. The Wbadmin.exe command-line tool
does not require that you provide the target for the recovery. By specifying the backup version
that you want to recover, the command proceeds to recover to the source location of the backup
version that you specify.
Note
The systemstaterecovery command in Wbadmin.exe causes a nonauthoritative restore
of SYSVOL by default (only updates to SYSVOL since the time of the backup are
replicated to the recovery domain controller). If you want to restore SYSVOL
authoritatively (all of SYSVOL is replicated from the recovery domain controller to other
domain controllers in the domain), specify the authsysvol option in the command.
The Administrator password for DSRM is the minimum required to complete this procedure.
Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477. The server must be running in DSRM.
To perform a nonauthoritative restore of AD DS
1. At the Windows logon screen, click Switch User, and then click Other User.
2. Type .\administrator as the user name, type the DSRM password for the server, and
then press ENTER.
3. Open a Command Prompt.
4. At the command prompt, type the following command, and then press ENTER:
wbadmin get versions -backuptarget:<targetDrive>: -machine:<BackupComputerName>
Where:
<targetDrive>: is the drive letter of the volume that contains the backup.
<BackupComputerName> is the name of the computer whose backup you want to recover.
5. At the command prompt, type the following command, and then press ENTER:
wbadmin start systemstaterecovery -version:<MM/DD/YYYY-HH:MM>
-backuptarget:<targetDrive>: -machine:<BackupComputerName>
-quiet
Where:
<MM/DD/YYYY-HH:MM> is the version identifier of the backup that you want to restore, as
shown in the output of the previous command.
<targetDrive>: is the drive letter of the volume that contains the backup.
<BackupComputerName> is the name of the computer whose backup you want to recover.
If you do not specify the -quiet parameter, you are prompted to press Y to proceed with
the restore process and then press Y to confirm that the replication engine for SYSVOL
has not changed since you created the backup.
After the recovery operation is complete, if you are not going to perform an authoritative restore of
any restored objects, restart the server.
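The version lookup and system state recovery steps of the procedure, as an added PowerShell example that is not code from the guide: it lists the backup versions that wbadmin can see, confirms that the requested MM/DD/YYYY-HH:MM identifier is one of them, and only then assembles and runs the recovery command, with the -authsysvol and -quiet options from the note and step 5 exposed as switches. Function names and the existence check are this example's own; the wbadmin syntax is the one used in the procedure, and the same version parsing applies to the wbadmin get versions step of a full server recovery in Windows RE. It assumes PowerShell 2.0 or later in an elevated prompt while the server is in DSRM.

```powershell
# Added example (not from the guide): verify the backup version before running
# wbadmin start systemstaterecovery.

function Get-WbadminVersionIds {
    # Returns the version identifiers (MM/DD/YYYY-HH:MM) of the backups stored on
    # $TargetDrive for $BackupComputerName, parsed from 'wbadmin get versions'.
    param(
        [Parameter(Mandatory = $true)][string]$TargetDrive,        # e.g. 'E' or 'E:'
        [Parameter(Mandatory = $true)][string]$BackupComputerName
    )
    $drive = $TargetDrive.TrimEnd(':')
    $output = wbadmin get versions "-backupTarget:${drive}:" "-machine:$BackupComputerName"
    if ($LASTEXITCODE -ne 0) { throw "wbadmin get versions failed: $($output -join ' ')" }

    $ids = @()
    foreach ($line in $output) {
        # wbadmin lists each backup with a 'Version identifier:' line.
        if ($line -match 'Version identifier:\s*(\d{2}/\d{2}/\d{4}-\d{2}:\d{2})') {
            $ids += $Matches[1]
        }
    }
    return $ids
}

function Start-SystemStateRecovery {
    param(
        [Parameter(Mandatory = $true)][string]$TargetDrive,
        [Parameter(Mandatory = $true)][string]$BackupComputerName,
        # The backup to restore, in the form the guide requires: MM/DD/YYYY-HH:MM
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^\d{2}/\d{2}/\d{4}-\d{2}:\d{2}$')]
        [string]$Version,
        # Restore SYSVOL authoritatively (-authsysvol) instead of the default
        # nonauthoritative SYSVOL restore described in the note.
        [switch]$AuthoritativeSysvol,
        # Suppress the two Y prompts; leave it off to answer them yourself.
        [switch]$Quiet
    )
    $drive = $TargetDrive.TrimEnd(':')
    $known = Get-WbadminVersionIds -TargetDrive $drive -BackupComputerName $BackupComputerName
    if ($known -notcontains $Version) {
        throw "Backup version $Version not found on ${drive}: for $BackupComputerName. Available: $($known -join ', ')"
    }

    $wbArgs = @('start', 'systemstaterecovery', "-version:$Version",
                "-backupTarget:${drive}:", "-machine:$BackupComputerName")
    if ($AuthoritativeSysvol) { $wbArgs += '-authsysvol' }
    if ($Quiet)               { $wbArgs += '-quiet' }

    Write-Host "Running: wbadmin $($wbArgs -join ' ')"
    & wbadmin @wbArgs
    if ($LASTEXITCODE -ne 0) { throw "wbadmin start systemstaterecovery failed with exit code $LASTEXITCODE" }
}

# Usage (constructed values):
#   Start-SystemStateRecovery -TargetDrive E -BackupComputerName DC01 -Version '06/09/2008-17:46' -Quiet
```

Checking the identifier against the list first matters most when several computers store backups on the same target: a mistyped -machine value or version selects a different computer's system state, and -quiet would remove the prompt that might otherwise have revealed it.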
Additional references
Before you perform this procedure, back up the domain controller that you are restoring. You
should have a current valid backup of the application directory partition before restoring in
case some object changes are lost as the result of changes that have occurred since the
backup that you are using to restore the domain controller was made.
If the entire application directory partition has been deleted, you must perform a
nonauthoritative restore from backup on the domain naming operations master.
You must have completed a nonauthoritative restore procedure, after which the domain
controller has not been restarted and remains in Directory Services Restore Mode (DSRM).
The Ntdsutil functionality that is described in this procedure is available on domain controllers that
are running Windows Server 2008. To perform authoritative restore on a domain controller that is
running a version of Windows Server 2003, see Performing an Authoritative Restore of Active
Directory Objects (http://go.microsoft.com/fwlink/?LinkId=44194).
If you are performing this procedure in DSRM, the Administrator password for DSRM is the
minimum required to complete this procedure. If you are performing this procedure with AD DS
stopped on the domain controller, membership in Domain Admins, or equivalent, is the minimum
required to complete this procedure. Review details about using the appropriate accounts and
group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To mark an application directory partition as authoritative
1. Open a Command Prompt.
2. At the command prompt, type the following command, and then press ENTER:
ntdsutil
3. At the ntdsutil: prompt, type activate instance ntds, and then press ENTER. For
assistance with the Ntdsutil command-line tool, type help at any time.
4. At the ntdsutil: prompt, type authoritative restore, and then press ENTER.
5. At the authoritative restore: prompt, type list NC CRs, and then press ENTER.
Ntdsutil displays a list of directory partition distinguished names and their associated
cross-reference object distinguished names. Note the cross-reference distinguished
name and application directory partition distinguished name that correspond to the
application directory partition that you want to restore.
6. Type restore subtree <App Partition DN>, where <App Partition DN> is the
distinguished name of the application directory partition that you want to restore.
7. In the confirmation dialog box, click Yes.
The output message indicates the status of the operation. There should be no failures.
8. Type restore object <Cross Ref DN>, where <Cross Ref DN> is the distinguished name of
the cross-reference object for the application directory partition that you want to restore,
and then press ENTER.
9. In the confirmation dialog box, click Yes.
The output message indicates the status of the operation. There should be no failures.
10. Quit the Ntdsutil tool by typing quit at each prompt.
See Also
Backing Up Active Directory Domain Services
You must have a full server backup available. This type of backup contains all volumes that
were on the server at the time that you made the backup.
You can store the backup on a separate, internal or external hard drive or a DVD. If you
performed a manual backup, you can perform a full server recovery from a network shared
folder.
Note
Windows Server Backup does not enumerate drives that are not attached or turned
on when you start the Recovery Wizard. If you attach or turn on a drive after you start
the wizard, and you do not see it in the list of backup locations that you can restore
from, close, and then restart Windows Server Backup.
You must have the Windows Server 2008 operating system DVD or have Windows RE
installed on a different partition than the critical partitions that are used by the domain
controller that you are restoring.
If you are recovering to new hardware, the new hardware must provide enough storage
capacity to recover all volumes. In other words, the hard drives that you are recovering data
to must be as large as, or larger than, the drives that are included in the backup set.
d. In Network Folder, type the Universal Naming Convention (UNC) name for the
network share, and then click OK.
e. Type credentials for a user account that has sufficient permissions to restore the
backup, and then click OK.
f. On the Select the location of the backup page, click the location of the backup, and
then click Next.
8. Type list vol, and then press ENTER.
9. Identify the volume from the list that corresponds to the location of the full server backup
that you want to restore.
The drive letters in Windows RE do not necessarily match the volumes as they appear in
Windows Server 2008.
10. Type exit, and then press ENTER.
11. At the Sources prompt, type the following command, and then press ENTER:
wbadmin get versions -backupTarget:<targetDrive>: -machine:<BackupComputerName>
Where:
<targetDrive>: is the drive letter, as it appears in Windows RE, of the volume that
contains the full server backup.
<BackupComputerName> is the name of the computer whose backup you want to recover.
In the recovery command that follows, where:
<MM/DD/YYYY-HH:MM> is the version identifier of the backup that you want to recover, as
shown in the output of the previous command.
<targetDrive>: and <BackupComputerName> are as described above.
14. When you are prompted, press Y to proceed with the restore process.
15. After the recovery operation has completed, minimize the command window, and then, in
the System Recovery Options dialog box, click Restart.
Additional considerations
Be aware of the following issues when you perform a full server recovery of a domain controller:
Wbadmin.exe does not require that you provide the recovery target. By specifying the backup
version that you want to recover, the command proceeds to recover to the source location of
the specified backup version.
Backup files are named for the date and time of the backup. When you recover, the version
must be stated in the form MM/DD/YYYY-HH:MM, which specifies the name of the backup
that you want to recover.
After the restore is completed, restart the server normally, and perform basic verification.
When you restart the computer normally, AD DS and Active Directory Certificate Services
(AD CS) automatically detect that they have been recovered from a backup. They perform an
integrity check and index the database again.
After you log on to the system, browse AD DS. Verify that the following conditions are met:
All of the user objects and group objects that were present in the directory at the time of
the backup are restored.
Note
Active Directory replication updates the objects that you restore with any changes
that have been made to them since the time that the backup was taken.
Files that were members of a File Replication Service (FRS) replica set and certificates
that were issued by AD CS are present.
Host (A) and service (SRV) resource records are registered correctly in Domain Name
System (DNS).
Disk configuration. You need a record of the volumes and sizes of the disks and partitions. In
the case of a complete disk failure, use this information to recreate the disk configuration.
Windows Server 2008 must be reinstalled to the same drive letter and with at least the same
amount of physical drive space as for the original installation. Before you restore the system
state, you must recreate all disk configurations. Failure to recreate all disk configurations can
cause the restore process to fail, and it can prevent you from starting the domain controller
after the restore.
Computer name. You need the computer name to restore a domain controller of the same
name and avoid changing client configuration settings.
DSRM Administrator password. You must know the DSRM Administrator password that was
in use when the backup was created.
The following tools are required to perform the procedures for this task:
Bcdedit.exe (optional)
Wbadmin.exe
Note
This guide does not provide information about installing Windows Server 2008. For
information about installing Windows Server 2008, see Installing Windows
Server 2008 (http://go.microsoft.com/fwlink/?LinkID=111104).
2. Restart the server in DSRM by using one of the following methods:
Note
Restarting a member server in DSRM is not possible in Windows Server 2003, but it
is possible in Windows Server 2008.
Restart the Domain Controller in Directory Services Restore Mode Locally
Or
Restart the Domain Controller in Directory Services Restore Mode Remotely
3. Restore AD DS from Backup (Nonauthoritative Restore)
4. Verify AD DS restore
On domain controllers that are running Windows Server 2008, tools are available that replace the
Boot.ini file that is used in earlier versions of Windows Server to modify the boot configuration
parameters and controls. You can use the Windows graphical user interface (GUI) or the
command line to restart the domain controller in DSRM:
Windows GUI: System Configuration (Msconfig.msc) is an administrative tool that you can
use to configure boot and startup options, including restarting in DSRM and normal mode.
Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot
configuration on a server that is running Windows Server 2008. You can use Bcdedit with
shutdown commands to instruct the domain controller to restart in DSRM and to restart
normally.
When you are finished managing a domain controller in DSRM, if you have used System
Configuration or Bcdedit.exe to restart the domain controller in DSRM, you must change the
configuration so that the domain controller restarts in normal mode.
Note
A benefit of using System Configuration or Bcdedit.exe for implementing restart of a
domain controller into DSRM is that normally the domain controller cannot be
inadvertently restarted. This benefit is particularly useful when you are performing a
nonauthoritative restore from backup followed by an authoritative restore.
You can also use System Configuration or Bcdedit.exe to restart a domain controller in DSRM
remotely. To use System Configuration or Bcdedit.exe and Remote Desktop Connection to restart
a domain controller in DSRM remotely, see Restart the Domain Controller in Directory Services
Restore Mode Remotely.
Membership in the Domain Admins group is the minimum required to complete the System
Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account
and password for DSRM is required to log on to the domain controller in DSRM. Review details
about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?
LinkId=83477.
Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not
use a domain administrative account. Use only the delegated RODC administrator
account. For more information about access to RODCs, see the Step-by-Step Guide for
Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
4. When you are still in DSRM and you are ready to restart in normal mode, open a
command prompt and type the following, and then press ENTER:
bcdedit /deletevalue safeboot
5. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
Value
Description
shutdown -t 0 -r
Restarts the domain controller (-r) immediately, with a time-out of zero seconds (-t 0), so that the new boot configuration takes effect.
/deletevalue safeboot
Removes the safeboot value from the boot configuration so that the domain controller starts in normal mode on the next restart.
See Also
Restart the Domain Controller in Directory Services Restore Mode Remotely
Windows GUI: System Configuration (Msconfig.msc) is an administrative tool that you can
use to configure boot and startup options, including restarting in DSRM and normal mode.
Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot
configuration on a server that is running Windows Server 2008. You can use Bcdedit with
shutdown commands to instruct the domain controller to restart in DSRM and to restart
normally.
To restart the domain controller in DSRM remotely, you first use Remote Desktop Connection to
connect to the domain controller while it is in normal startup mode. Remote Desktop Connection
must be enabled on the target domain controller. After the domain controller has restarted, you
can use Remote Desktop Connection to reconnect to the domain controller and then log on as
the local Administrator, using the DSRM password.
You can use this procedure to connect to a domain controller remotely, restart it in DSRM, and
then reconnect to it as the DSRM administrator.
Membership in Domain Admins, or equivalent, is the minimum required to complete the System
Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account
and password for DSRM and the user right to log on locally to a domain controller are required to
log on to the domain controller in DSRM. Members of Account Operators, Administrators,
Enterprise Admins, Domain Admins, Backup Operators, Print Operators, and Server Operators
have the user right to log on locally to a domain controller by default. Review details about using
the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?
LinkId=83477.
Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not
use a domain administrative account. Use only the delegated RODC administrator
account. Logging on to an RODC with a domain administrative account exposes that
account's credentials on a server that is typically deployed in a less physically secure
location; if the RODC is compromised, those credentials can be captured and used
against the rest of the forest. For more information about access to RODCs, see the
Step-by-Step Guide for Read-only Domain Controllers
(http://go.microsoft.com/fwlink/?LinkId=92728).
To restart a domain controller in DSRM remotely by using the Windows GUI
1. Connect to the remote domain controller that is running in normal mode:
a. On the Start menu, click All Programs, click Accessories, and then click Remote
Desktop Connection.
b. In Computer, type the name of the domain controller that you want to restart, and
then click Connect.
c. In the Windows Security dialog box, provide credentials for a domain administrator,
and then click OK.
d. When you are connected, log on to the domain controller as a domain administrator.
2. On the Start menu, point to Administrative Tools, and then click System
Configuration.
3. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and
then click OK.
4. In the System Configuration dialog box, click Restart. The domain controller restarts in
DSRM. When the domain controller restarts, your Remote Desktop Connection is
dropped.
5. Wait for a period of time that is adequate for the remote domain controller to restart, and
then open Remote Desktop Connection.
6. The domain controller name should still be showing in Computer. If it is not, select it from
the list, and then click Connect.
7. In the Windows Security dialog box, click Use another account.
8. In User name, type the following:
MachineName\Administrator
Where MachineName is the name of the domain controller.
9. In Password, type the DSRM password, and then click OK.
10. At the logon screen of the remote domain controller, click Switch User, and then click
Other User.
11. Type MachineName\Administrator, and then press ENTER.
In the Windows Security dialog box, provide credentials for a domain administrator,
and then click OK.
d. When you are connected, log on to the domain controller as a domain administrator.
2. Open a command prompt. At the command prompt, type the following command, and
then press ENTER:
bcdedit /set safeboot dsrepair
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
The domain controller restarts in DSRM. When the domain controller restarts, your
Remote Desktop Connection is dropped.
4. Wait for a period of time that is adequate for the remote domain controller to restart, and
then open Remote Desktop Connection.
5. The domain controller name should still be showing in Computer. If it is not, select it in
the list, and then click Connect.
6. In the Windows Security dialog box, click Use another account.
7. In User name, type the following:
MachineName\Administrator
Where MachineName is the name of the domain controller.
8. In Password, type the DSRM password, and then click OK.
9. At the logon screen of the remote domain controller, click Switch User, and then click
Other User.
10. Type MachineName\Administrator, and then press ENTER.
11. Perform procedures in DSRM.
12. When you have finished performing procedures in DSRM, restart the domain controller
normally:
a. In DSRM, open a command prompt, type the following command, and then press
ENTER:
bcdedit /deletevalue safeboot
b. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
The domain controller restarts normally. This procedure will disconnect your remote
session.
Value
Description
shutdown -t 0 -r
Restarts the domain controller (-r) immediately, with a time-out of zero seconds (-t 0), so that the new boot configuration takes effect.
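The local and remote procedures above both come down to the same two Bcdedit operations plus a restart. The following Windows PowerShell function, added here as an example and not part of the guide, wraps them with a check that reads the boot store back before restarting, so that a failed or unelevated Bcdedit call does not leave you restarting into the wrong mode. It assumes Windows PowerShell 2.0 or later in an elevated session on the domain controller itself (a local console, or the Remote Desktop session used in the remote procedure); the function names are illustrative.

```powershell
# Added example (not from the guide): toggle the DSRM boot setting with bcdedit and
# verify the result before restarting. Assumes an elevated PowerShell 2.0+ session
# on the domain controller.

function Get-SafebootValue {
    # Reads the 'safeboot' entry of the current boot loader entry ({current}).
    # Returns 'DsRepair' (DSRM), 'Minimal', 'Network', or $null when no safeboot
    # value is set, which means the server starts normally.
    $entry = bcdedit /enum '{current}'
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit /enum failed (exit code $LASTEXITCODE); is the session elevated?"
    }
    foreach ($line in $entry) {
        if ($line -match '^safeboot\s+(\S+)') { return $Matches[1] }
    }
    return $null
}

function Set-DsrmBoot {
    # Mode 'DSRM'   : bcdedit /set safeboot dsrepair  (next restart enters DSRM)
    # Mode 'Normal' : bcdedit /deletevalue safeboot   (next restart is a normal start)
    # -Restart      : run shutdown -t 0 -r once the change has been verified
    param(
        [Parameter(Mandatory = $true)][ValidateSet('DSRM', 'Normal')][string]$Mode,
        [switch]$Restart
    )
    $before  = Get-SafebootValue
    $changed = $false
    if ($Mode -eq 'DSRM' -and $before -ne 'DsRepair') {
        bcdedit /set safeboot dsrepair | Out-Null
        $changed = $true
    } elseif ($Mode -eq 'Normal' -and $before -ne $null) {
        # /deletevalue errors out when the value is absent, hence the check on $before.
        bcdedit /deletevalue safeboot | Out-Null
        $changed = $true
    }
    if ($changed -and $LASTEXITCODE -ne 0) {
        throw "bcdedit failed with exit code $LASTEXITCODE; boot configuration not changed"
    }

    # Verify by reading the store back rather than trusting the exit code alone.
    $after    = Get-SafebootValue
    $expected = if ($Mode -eq 'DSRM') { 'DsRepair' } else { $null }
    if ($after -ne $expected) {
        throw "Verification failed: safeboot is '$after', expected '$expected'"
    }
    Write-Host "Boot configuration verified: next restart is $Mode (safeboot = '$after')."

    if ($Restart) {
        # Over Remote Desktop this drops the session; reconnect afterwards and, for
        # DSRM, log on as MachineName\Administrator with the DSRM password.
        shutdown -t 0 -r
    }
}

# Usage: Set-DsrmBoot -Mode DSRM -Restart     # before working in DSRM
#        Set-DsrmBoot -Mode Normal -Restart   # when the DSRM work is finished
```

Because the function reads the boot store back after every change, running it a second time is harmless: an already-set or already-cleared safeboot value is reported rather than re-applied, and a Bcdedit failure (typically an unelevated session) stops the procedure before the restart.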
See Also
Enable Remote Desktop
Create a Remote Desktop Connection
Restart the Domain Controller in Directory Services Restore Mode Locally
Be sure that you know the name and location of the version of the backup that you are restoring.
Backup files are named for the date and time of the backup. When you restore the backup, you
identify the version in the form MM/DD/YYYY-HH:MM (month/day/year-hour:minute), which
specifies the backup that you want to restore. The Wbadmin.exe command-line tool
does not require that you provide the target for the recovery. By specifying the backup version
that you want to recover, the command proceeds to recover to the source location of the backup
version that you specify.
Note
The systemstaterecovery command in Wbadmin.exe causes a nonauthoritative restore
of SYSVOL by default (only updates to SYSVOL since the time of the backup are
replicated to the recovery domain controller). If you want to restore SYSVOL
authoritatively (all of SYSVOL is replicated from the recovery domain controller to other
domain controllers in the domain), specify the authsysvol option in the command.
The Administrator password for DSRM is the minimum required to complete this procedure.
Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477. The server must be running in DSRM.
To perform a nonauthoritative restore of AD DS
1. At the Windows logon screen, click Switch User, and then click Other User.
2. Type .\administrator as the user name, type the DSRM password for the server, and
then press ENTER.
3. Open a Command Prompt.
4. At the command prompt, type the following command, and then press ENTER:
wbadmin get versions -backuptarget:<targetDrive>: -machine:<BackupComputerName>
Where:
<targetDrive>: is the drive letter of the volume that contains the backup.
<BackupComputerName> is the name of the computer whose backup you want to restore (the
name of the domain controller).
5. In the output, note the version identifier, in the form MM/DD/YYYY-HH:MM, of the backup
that you want to restore. At the command prompt, type the following command, and then
press ENTER:
wbadmin start systemstaterecovery -version:<MM/DD/YYYY-HH:MM> -backuptarget:<targetDrive>: -quiet
Where:
<MM/DD/YYYY-HH:MM> is the version identifier of the backup that you want to restore.
<targetDrive>: is the drive letter of the volume that contains the backup.
If backups for more than one computer are stored on the backup target, also specify
-machine:<BackupComputerName>.
If you do not specify the -quiet parameter, you are prompted to press Y to proceed with
the restore process and then press Y to confirm that the replication engine for SYSVOL
has not changed since you created the backup.
After the recovery operation is complete, if you are not going to perform an authoritative restore of
any restored objects, restart the server.
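The procedure above selects the backup version by hand and relies on the -quiet switch to skip two confirmations, one of which (that the SYSVOL replication engine has not changed since the backup) is a real safety check. The following Windows PowerShell functions, added here as an example and not part of the guide, list the versions that Wbadmin reports, pick the newest unless one is named, refuse to run outside DSRM, and print the exact command before running it. They assume Windows PowerShell 2.0 or later in an elevated DSRM session; the drive letter, machine name and the -Execute switch are illustrative, and the parsing assumes that Wbadmin prints a "Version identifier:" line in the MM/DD/YYYY-HH:MM form that the guide describes.

```powershell
# Added example (not from the guide): drive wbadmin systemstaterecovery with the
# checks the procedure depends on. Assumes an elevated PowerShell 2.0+ DSRM session.

function Get-SystemStateBackupVersion {
    # Lists the backup versions wbadmin can see on the target, oldest first.
    param(
        [Parameter(Mandatory = $true)][string]$BackupTarget,   # e.g. 'E:'
        [Parameter(Mandatory = $true)][string]$MachineName     # computer the backup belongs to
    )
    $out = wbadmin get versions "-backuptarget:$BackupTarget" "-machine:$MachineName"
    if ($LASTEXITCODE -ne 0) { throw "wbadmin get versions failed (exit code $LASTEXITCODE)" }
    $versions = @()
    foreach ($line in $out) {
        # Assumed output line: "Version identifier: 09/01/2008-23:00"
        if ($line -match 'Version identifier:\s*(\d{2}/\d{2}/\d{4}-\d{2}:\d{2})') {
            $id = $Matches[1]
            $versions += New-Object PSObject -Property @{
                Identifier = $id
                Time       = [DateTime]::ParseExact($id, 'MM/dd/yyyy-HH:mm',
                                 [Globalization.CultureInfo]::InvariantCulture)
            }
        }
    }
    $versions | Sort-Object Time
}

function Start-NonauthoritativeRestore {
    # Builds and (with -Execute) runs the systemstaterecovery command. Without -Version
    # the newest backup is used. -quiet suppresses both Y prompts, including the one that
    # asks you to confirm that the SYSVOL replication engine (FRS or DFS Replication) has
    # not changed since the backup, so confirm that yourself before using -Execute.
    param(
        [Parameter(Mandatory = $true)][string]$BackupTarget,
        [Parameter(Mandatory = $true)][string]$MachineName,
        [string]$Version,
        [switch]$AuthoritativeSysvol,   # adds -authsysvol (authoritative SYSVOL restore)
        [switch]$Execute
    )
    # Windows sets SAFEBOOT_OPTION to DSREPAIR when started in DSRM; refuse otherwise.
    if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
        throw 'This session is not in Directory Services Restore Mode; restart in DSRM first.'
    }
    if (-not $Version) {
        $latest = Get-SystemStateBackupVersion -BackupTarget $BackupTarget -MachineName $MachineName |
                  Select-Object -Last 1
        if (-not $latest) { throw "No backup versions found on $BackupTarget for $MachineName" }
        $Version = $latest.Identifier
    }
    $wbArgs = @('start', 'systemstaterecovery', "-version:$Version",
                "-backuptarget:$BackupTarget", "-machine:$MachineName", '-quiet')
    if ($AuthoritativeSysvol) { $wbArgs += '-authsysvol' }
    Write-Host ('wbadmin ' + ($wbArgs -join ' '))
    if (-not $Execute) { Write-Host 'Dry run only; add -Execute to start the restore.'; return }

    & wbadmin @wbArgs
    if ($LASTEXITCODE -ne 0) { throw "systemstaterecovery failed (exit code $LASTEXITCODE)" }
    Write-Host 'Restore finished. Restart normally now unless an authoritative restore follows.'
}

# Usage: Start-NonauthoritativeRestore -BackupTarget 'E:' -MachineName 'DC1'            # dry run
#        Start-NonauthoritativeRestore -BackupTarget 'E:' -MachineName 'DC1' -Execute
```

The dry run is the default on purpose: a system state recovery overwrites the directory database, so the command is printed for review first, and the DSRM check prevents the most common mistake of running it from a normal-mode session where Wbadmin cannot replace the online database.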
Additional references
Verify AD DS restore
After you complete a restore of Active Directory Domain Services (AD DS), you can use this
procedure to verify the restore.
Membership in Domain Admins, or equivalent, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To verify an Active Directory restore from backup
1. After the restore operation completes, restart the computer in Start Windows Normally
mode. If you used Bcdedit.exe to configure startup in Directory Services Restore Mode
(DSRM), see Restart the Domain Controller in Directory Services Restore Mode
Remotely or Restart the Domain Controller in Directory Services Restore Mode Locally
for information about changing the configuration back to normal startup mode.
2. After you are able to log on to the system, perform the following verification steps:
At a command prompt, use the repadmin /showsig command to verify that the
invocation ID has changed. The invocation ID is the directory database globally
unique identifier (GUID), which the Directory System Agent (DSA) uses to identify the
version of the database. The invocation ID changes during the Active Directory
restore process to ensure the consistency of the replication process. Verify that the
previous entry appears in the retired signatures list.
At a command prompt, use the repadmin /showrepl command to verify that there are no
replication errors and all directory partitions are replicating properly with the required
replication partners. You can determine the replication partners by selecting the
NTDS Settings object for the restored server in Active Directory Sites and Services.
At a command prompt, use the net share command to verify that the NETLOGON and
SYSVOL shares appear.
At a command prompt, use the dcdiag command to verify success of all tests on the
domain controller.
Use Active Directory Users and Computers to verify that the deleted objects that you
wanted to recover from the backup are restored. If you have a Volume Shadow Copy
Service (VSS) snapshot of the database, you can use the Active Directory database
mounting tool (Dsamain.exe) to mount the database and view it through
Active Directory Users and Computers to compare the objects. For information about
the Active Directory database mounting tool, see the Step-by-Step Guide for Using
the Active Directory Database Mounting Tool in Windows Server 2008
(http://go.microsoft.com/fwlink/?LinkId=103333).
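The verification steps above are each a separate tool run whose output you read by eye. The following Windows PowerShell function, added here as an example and not part of the guide, runs repadmin /showsig, repadmin /showrepl, net share and dcdiag /q in sequence and reduces them to one summary object, so the result can be recorded or compared across several restored domain controllers. It assumes Windows PowerShell 2.0 or later in an elevated session on the restored domain controller after its normal restart; the text patterns it matches ("Retired", "Last attempt @ ... failed", "failed test") are assumptions about how repadmin and dcdiag word their output, and the deleted-object comparison in the last bullet remains a manual step.

```powershell
# Added example (not from the guide): the post-restore checks as one script that
# returns a summary object. Assumes an elevated PowerShell 2.0+ session on the
# restored DC after its normal restart. Output patterns are assumptions.

function Test-AdRestore {
    param([string[]]$ExpectedShares = @('NETLOGON', 'SYSVOL'))

    # 1. repadmin /showsig: the restore retires the old invocation ID and issues a new
    #    one, so at least one 'Retired' line should now be present.
    $sig       = repadmin /showsig
    $retired   = @($sig | Where-Object { $_ -match '^\s*Retired' })
    $current   = @($sig | Where-Object { $_ -match 'Current DSA invocationID' })
    $currentId = if ($current.Count -gt 0) { $current[0].Trim() } else { $null }

    # 2. repadmin /showrepl: each partner reports 'Last attempt @ ... was successful.'
    #    or 'Last attempt @ ... failed, result <n>'.
    $repl         = repadmin /showrepl
    $replFailures = @($repl | Where-Object { $_ -match '^\s*Last attempt @.*failed' })

    # 3. net share: NETLOGON and SYSVOL must be shared again; until SYSVOL has
    #    initialised, the domain controller does not advertise itself.
    $shares  = net share
    $missing = @()
    foreach ($name in $ExpectedShares) {
        if (@($shares | Where-Object { $_ -match "^$name\s" }).Count -eq 0) { $missing += $name }
    }

    # 4. dcdiag /q: quiet mode prints only errors and warnings.
    $diag         = dcdiag /q
    $diagFailures = @($diag | Where-Object { $_ -match 'failed test' })

    $healthy = ($retired.Count -gt 0) -and ($replFailures.Count -eq 0) -and
               ($missing.Count -eq 0) -and ($diagFailures.Count -eq 0)

    New-Object PSObject -Property @{
        InvocationIdChanged = ($retired.Count -gt 0)
        CurrentInvocationId = $currentId
        RetiredSignatures   = $retired.Count
        ReplicationFailures = $replFailures
        MissingShares       = $missing
        DcdiagFailures      = $diagFailures
        Healthy             = $healthy
    }
}

# Usage: $r = Test-AdRestore; $r | Format-List
#        if (-not $r.Healthy) { $r.ReplicationFailures; $r.DcdiagFailures }
```

InvocationIdChanged is the check most often skipped by hand: if the restore was done by copying database files rather than through a supported restore, the invocation ID is not retired and replication partners can accept stale USNs, so treat a false value as a failed restore even when the other checks pass.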
Note
Before you restore a domain controller through reinstallation, ensure that hardware failure
is not the cause of the problem. If faulty hardware is not changed, restoring through
reinstallation might not solve the problems with the domain controller.
Task requirements
The following tools are required to perform the procedures for this task:
Ntdsutil.exe
Dcdiag.exe
Dcpromo.exe
object deletion.
6. In the Deleting Domain Controller dialog box, select This Domain Controller is
permanently offline and can no longer be demoted using the Active Directory
Domain Services Installation Wizard (DCPROMO), and then click Delete.
7. If the domain controller is a global catalog server, in the Delete Domain Controller
dialog box, click Yes to continue with the deletion.
8. If the domain controller currently holds one or more operations master (also known as
flexible single master operations or FSMO) roles, click OK to move the role or roles to the
domain controller that is shown.
You cannot change this domain controller. If you want to move the role to a different
domain controller, you must move the role after you complete the server metadata
cleanup procedure.
To clean up server metadata by using Ntdsutil
1. Open a command prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide Enterprise Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
ntdsutil
3. At the ntdsutil: prompt, type the following command, and then press ENTER:
metadata cleanup
4. At the metadata cleanup: prompt, type the following command, and then press ENTER:
remove selected server <ServerName>
Or
remove selected server <ServerName1> on <ServerName2>
Value
Description
<ServerName> or <ServerName1>
The distinguished name of the server object of the domain controller whose metadata you want to remove, in the form cn=ServerName,cn=Servers,cn=SiteName,cn=Sites,cn=Configuration,dc=ForestRootDomain.
on <ServerName2>
Performs the removal on the domain controller named ServerName2 instead of the domain controller to which Ntdsutil is currently connected.
5. In Server Remove Configuration Dialog, review the information and warning, and then
click Yes to remove the server object and metadata.
At this point, Ntdsutil confirms that the domain controller was removed successfully. If you
receive an error message that indicates that the object cannot be found, the domain
controller might have been removed earlier.
6. At the metadata cleanup: prompt and then at the ntdsutil: prompt, type quit, and then press ENTER.
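Ntdsutil accepts its commands on the command line, which makes the procedure above scriptable. The following Windows PowerShell function, added here as an example and not part of the guide, builds the server object's distinguished name from the configuration partition, checks through ADSI that the object and its NTDS Settings still exist (the "object cannot be found" case from step 5), runs the same remove selected server command, and then confirms that the NTDS Settings object is gone. It assumes Windows PowerShell 2.0 or later in an elevated session run by a member of Enterprise Admins on a surviving domain controller; the server and site names in the usage lines are illustrative.

```powershell
# Added example (not from the guide): the Ntdsutil metadata cleanup with ADSI
# pre- and post-checks. Assumes an elevated PowerShell 2.0+ session as an
# Enterprise Admin on a surviving DC.

function Remove-DcMetadata {
    param(
        [Parameter(Mandatory = $true)][string]$ServerName,  # failed DC, e.g. 'DC2'
        [Parameter(Mandatory = $true)][string]$SiteName,    # its site, e.g. 'Branch01'
        [string]$RunOn,                                     # optional 'on <ServerName2>' target
        [switch]$Execute
    )
    # The server object lives in the configuration partition under its site.
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $serverDn = "CN=$ServerName,CN=Servers,CN=$SiteName,CN=Sites,$configNc"
    $ntdsDn   = "CN=NTDS Settings,$serverDn"

    # Pre-check: Ntdsutil reports that the object cannot be found if the metadata is
    # already gone, so detect that case before calling it.
    if (-not [ADSI]::Exists("LDAP://$serverDn")) {
        Write-Warning "No server object at $serverDn; the metadata may already have been removed."
        return
    }
    if (-not [ADSI]::Exists("LDAP://$ntdsDn")) {
        Write-Warning "Server object exists but has no NTDS Settings; metadata is already cleaned. See 'Delete a Server Object from a Site' for the leftover server object."
        return
    }

    # Same command as step 4 of the procedure, passed on the Ntdsutil command line.
    $removeCmd = "remove selected server $serverDn"
    if ($RunOn) { $removeCmd += " on $RunOn" }
    Write-Host "ntdsutil `"metadata cleanup`" `"$removeCmd`" quit quit"
    if (-not $Execute) { Write-Host 'Dry run only; add -Execute to remove the metadata.'; return }

    # Ntdsutil still shows the Server Remove Configuration Dialog (step 5) for confirmation.
    & ntdsutil 'metadata cleanup' $removeCmd quit quit
    if ($LASTEXITCODE -ne 0) { Write-Warning "ntdsutil exited with code $LASTEXITCODE" }

    # Post-check: the NTDS Settings object must be gone. The server object itself is
    # removed as well unless it still has other child objects.
    if ([ADSI]::Exists("LDAP://$ntdsDn")) {
        throw "NTDS Settings object still present at $ntdsDn; cleanup did not complete"
    }
    New-Object PSObject -Property @{
        ServerDn            = $serverDn
        ServerObjectRemains = [ADSI]::Exists("LDAP://$serverDn")
    }
}

# Usage: Remove-DcMetadata -ServerName 'DC2' -SiteName 'Branch01'           # dry run
#        Remove-DcMetadata -ServerName 'DC2' -SiteName 'Branch01' -Execute
```

If ServerObjectRemains is true after a successful run, the server object still had children other than NTDS Settings (for example, objects created by other services), and the "Delete a Server Object from a Site" procedure referenced below removes it; the NTDS Settings check is the one that matters for replication, because that object is what other domain controllers use to build connection objects to the failed server.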
See Also
Delete a Server Object from a Site
See Also
Decommissioning a Domain Controller
Forcing the Removal of a Domain Controller
Note
For a more detailed response from this command, add /v to the end of the command.
If the test fails, do not attempt any additional steps until you determine and fix the
problem that prevents proper DNS functionality.
First, use Server Manager to add the Active Directory Domain Services server role. This part
of the installation procedure installs the Dcdiag.exe command-line tool. Perform this
procedure after you add the server role but before you run Dcpromo.exe.
Use the /s command option to indicate the name of an existing domain controller in the
domain of the new domain controller. This domain controller is required to verify the ability of
the server to connect to operations master role holders in the domain and forest.
You do not have to use the /s option if you perform the test in this procedure after you install
AD DS. The test automatically runs on the local domain controller where you are performing the
test. The commands in this procedure show the /s option. If you are performing this test after you
install AD DS, omit the /s option. For a more detailed response from this command, you can use
the verbose option by adding /v to the end of the command.
Membership in Domain Admins, or equivalent, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To verify the availability of the operations masters
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command to ensure that the operations
masters can be located, and then press ENTER:
dcdiag /s:<DomainControllerName> /test:knowsofroleholders /v
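The text above makes the /s option conditional on whether AD DS is already installed on the server. The following Windows PowerShell function, added here as an example and not part of the guide, decides that automatically from the computer's domain role, runs the KnowsOfRoleHolders test, and returns a pass/fail result with the tool output attached so that it can be used as a gate before Dcpromo.exe. It assumes Windows PowerShell 2.0 or later in an elevated session; the "passed test"/"failed test" patterns are assumptions about the wording of dcdiag's output.

```powershell
# Added example (not from the guide): run dcdiag /test:knowsofroleholders with or
# without /s as the text describes. Assumes an elevated PowerShell 2.0+ session.

function Test-OperationsMasterLocation {
    param(
        [string]$SourceDc,      # existing DC for /s:, required only before AD DS is installed
        [switch]$Detailed       # adds /v
    )
    # Win32_ComputerSystem.DomainRole is 4 (backup DC) or 5 (primary DC) on a domain
    # controller; anything lower means Dcpromo has not been run and /s is required.
    $role  = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    $isDc  = $role -ge 4
    $dcArgs = @('/test:knowsofroleholders')
    if (-not $isDc) {
        if (-not $SourceDc) {
            throw 'This server is not a domain controller yet; specify -SourceDc so that dcdiag can use /s:.'
        }
        $dcArgs += "/s:$SourceDc"
    } elseif ($SourceDc) {
        Write-Host 'This server is already a domain controller; /s is not needed and is ignored.'
    }
    if ($Detailed) { $dcArgs += '/v' }

    $out = & dcdiag @dcArgs
    # Assumed wording: '... <DC> passed test KnowsOfRoleHolders' or '... failed test ...'.
    $passed = @($out | Where-Object { $_ -match 'passed test KnowsOfRoleHolders' }).Count -gt 0
    $failed = @($out | Where-Object { $_ -match 'failed test KnowsOfRoleHolders' }).Count -gt 0
    # Warning and error lines are kept so that a failure can be diagnosed without rerunning.
    $problems = @($out | Where-Object { $_ -match '^\s*(Warning|Error)|failed' })

    New-Object PSObject -Property @{
        Passed   = ($passed -and -not $failed)
        UsedSourceDc = (-not $isDc)
        Problems = $problems
        Output   = $out
    }
}

# Usage (before Dcpromo): $r = Test-OperationsMasterLocation -SourceDc 'DC1' -Detailed
#        if (-not $r.Passed) { $r.Problems }   # fix name resolution or connectivity first
```

A failed result here usually means that the new server cannot resolve or reach the operations master role holders through DNS, which is why the guide tells you to fix DNS before continuing rather than proceeding with the installation.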
13. On the Select a Site page, select a site from the list or select the option to install the
domain controller in the site that corresponds to its IP address, and then click Next.
14. On the Additional Domain Controller Options page, make the following selections, and
then click Next:
DNS server: This option is selected by default so that your domain controller can
function as a DNS server. If you do not want the domain controller to be a DNS
server, clear this option.
Note
If you select the option to make this domain controller a DNS server, you
might receive a message that indicates that a DNS delegation for the DNS
server could not be created and that you should manually create a DNS
delegation to the DNS server to ensure reliable name resolution. If you are
installing an additional domain controller in either the forest root domain or a
tree root domain, you do not have to create the DNS delegation. In this case,
click Yes, and disregard the message.
Global Catalog: This option is selected by default. It adds the global catalog, read-only
directory partitions to the domain controller, and it enables global catalog search
functionality.
Read-only domain controller. This option is not selected by default. It makes the
additional domain controller a read-only domain controller (RODC).
15. If you selected Use advanced mode installation on the Welcome page, the Install
from Media page appears. You can provide the location of installation media to be used
to create the domain controller and configure AD DS, or you can have all source
replication occur over the network. Note that some data will be replicated over the
network even if you install from media. For information about using this method to install
the domain controller, see Installing an Additional Domain Controller by Using IFM.
16. If you selected Use advanced mode installation on the Welcome page, the Source
Domain Controller page appears. Click Let the wizard choose an appropriate
domain controller or click Use this specific domain controller to specify a domain
controller that you want to provide as a source for replication to create the new domain
controller, and then click Next. If you do not choose to install from media, all data will be
replicated from this source domain controller.
17. On the Location for Database, Log Files, and SYSVOL page, type or browse to the
volume and folder locations for the database file, the directory service log files, and the
SYSVOL files, and then click Next.
Windows Server Backup backs up the directory service by volume. For backup and
recovery efficiency, store these files on separate volumes that do not contain applications
or other nondirectory files.
18. On the Directory Services Restore Mode Administrator Password page, type and
confirm the restore mode password, and then click Next. This password must be used to
start AD DS in Directory Services Restore Mode (DSRM) for tasks that must be
performed offline.
19. On the Summary page, review your selections. Click Back to change any selections, if
necessary.
To save the settings that you have selected to an answer file that you can use to
automate subsequent Active Directory operations, click Export settings. Type the name
for your answer file, and then click Save.
When you are sure that your selections are accurate, click Next to install AD DS.
Note
If you are installing an additional domain controller in a child domain and you are
using child domain credentials, the Windows Security dialog box appears
because access is denied in the parent domain to update the DNS delegation in
the parent zone. In this case, click the other user icon and provide administrator
credentials for the parent domain, and then click OK.
20. On the Completing the Active Directory Domain Services Installation Wizard page,
click Finish.
21. You can select Reboot on completion to have the server restart automatically, or you
can restart the server to complete the installation of AD DS when you are prompted to do
so.
See Also
Preparing for Active Directory Installation
Verifying Active Directory Installation
DNS Manager
Event Viewer
Dcdiag.exe
Ntdsutil.exe
Make it possible for clients to discover network resources (published shares, domain
controllers, global catalog servers) that are close to the physical location of the client,
reducing network traffic over wide area network (WAN) links.
Managing sites in AD DS involves adding new subnet, site, and site link objects when the network
grows, as well as configuring a schedule and cost for site links. You can modify the site link
schedule, cost, or both to optimize intersite replication. When conditions no longer require
replication to a site or clients no longer require the sites to discover network resources, you can
remove the site and associated objects from AD DS.
Managing large hub-and-spoke topology is beyond the scope of this documentation. For
information about managing branch sites, see the Planning and Deploying Read-Only Domain
Controllers (http://go.microsoft.com/fwlink/?LinkId=120840).
cost is disabled. In addition, Distributed File System (DFS) cannot compute the cost matrix for its
site-costing functionality. Therefore, if you disable site link bridging and you are using File
Replication Service (FRS) to replicate DFS replicas, which include the SYSVOL share, the DFS
site-costing ability is also disabled.
Note
DFS Replication, which is available in domains that are at the Windows Server 2008
domain functional level, uses the replication topology that is defined by the administrator,
which is independent of Active Directory site costing.
If you turn off site link bridging, you must create site link bridges manually. For information about
using manual site link bridges, see Creating a Site Link Bridge Design
(http://go.microsoft.com/fwlink/?LinkId=122678).
Note
When you use FRS to replicate DFS replicas, you can maintain DFS site-costing
functionality with Bridge all site links turned off. When the forest functional level is at
least Windows Server 2003 or Windows Server 2003 interim and the ISTG in a site is
running Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with
Service Pack 2 (SP2), Windows Server 2003 R2, or Windows Server 2008, you can use
a site option to turn off automatic site link bridging for KCC operation without hampering
the ability of DFS to use Intersite Messaging to calculate the cost matrix. This site option
is set when you run the command repadmin /siteoptions
W2K3_BRIDGES_REQUIRED. For more information about the effects of disabling site
link bridging, see How Active Directory Replication Topology Works
(http://go.microsoft.com/fwlink/?LinkId=93526).
Do not disable Bridge all site links unless you are deploying a branch office environment. For
information about branch office deployments, see RODC Placement Considerations in Planning
and Deploying Read-Only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=120840).
The Try Next Closest Site Group Policy setting in the Default Domain Policy can improve the
location of domain controllers by clients that are running Windows Server 2008 or Windows Vista.
The Try Next Closest Site Group Policy setting uses site link cost values to determine the next
closest site to the site of the client. Try Next Closest Site can affect how you configure site link
costs because it affects the order in which domain controllers are located. For enterprises that
have many hub sites and branch offices, you can significantly reduce Active Directory traffic on
the network by ensuring that clients fail over to the next closest hub site when they cannot find a
domain controller in the closest hub site. For more information, see Enabling Clients to Locate the
Next Closest Domain Controller (http://go.microsoft.com/fwlink/?LinkId=120711).
The user's domain has a domain functional level of Windows 2000 native,
Windows Server 2003, or Windows Server 2008. In these cases, the user might belong to a
universal group whose object is stored in a different domain. Only the global catalog stores
universal group memberships for all domains in the forest.
The user's logon name is a user principal name (UPN), which has the format
sAMAccountName@DNSDomainName. In this case, the Domain Name System (DNS)
domain suffix is not necessarily the user's domain, and the identity of the user's domain must
be retrieved from a global catalog server.
In Windows Server 2008, the best solution to this branch site scenario is to deploy a read-only
domain controller (RODC) that is a global catalog server. In this case, although the global catalog
must be replicated to the site, access to universal group memberships is always local and logon
experience is consistent. In addition, RODCs limit the damage from a compromise better than
writable domain controllers: no changes originate from an RODC and replicate to the rest of
the forest, and an RODC stores only the account passwords that its password replication
policy allows. For information about deploying
RODCs that are global catalog servers, see Planning and Deploying Read-only Domain
Controllers (http://go.microsoft.com/fwlink/?LinkId=120840).
As an alternative to deploying the global catalog in the branch site, you can enable Universal
Group Membership Caching, which means that the domain controller contacts the global catalog
server only once for each user and that it caches all universal group memberships, rather than
having to retrieve them at each logon. For more information about Universal Group Membership
Caching, see How the Global Catalog Works (http://go.microsoft.com/fwlink/?LinkId=107063). For
information about using Universal Group Membership Caching, see Enabling Universal Group
Membership Caching in a Site.
See Also
Managing Intersite Replication
Forcing Replication
Removing a Site
location. Generally, sites are required for those locations that have domain controllers or other
servers that run applications, such as Distributed File System (DFS), that depend on site
topology.
When a site is needed, the design team typically provides details about the placement and
configuration of site links for the new site, as well as subnet assignments or creation if subnets
are needed.
If a new range of IP addresses is added to the network, create a subnet object in AD DS to
correspond to the range of IP addresses. When you use Active Directory Sites and Services to
create a new subnet object, you are required to associate the subnet with a site object. You can
either associate the subnet with an existing site or create a new site first and then create the
subnet and associate it with the new site. If a domain client has an IP address that does not map
to a site, the client might be connected to a domain controller that is potentially far away from the
client, causing slow responses for the client.
Note
When a domain client that has an IP address in a subnet that is not defined in AD DS
connects to a domain controller, NETLOGON Event ID 5807 is generated in the System
event log. The event indicates that clients have connected to the domain controller with
IP addresses that do not map to a site. The text in the event provides instructions for
determining the names and IP addresses of the client computers by searching the
Netlogon.log file.
Task requirements
The following is required to perform the procedures for this task:
3. If you are creating both a new site and a new site link, after you create the new site and add it
to an existing site link, Create a Site Link Object and Add the Appropriate Sites. Then, remove
the site from the first site link that you added it to when you created the site, if appropriate.
4. Remove a Site from a Site Link
Membership in the Enterprise Admins group in the forest or the Domain Admins group in the
forest root domain, or equivalent, is the minimum required to complete this procedure. Review
details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To create a site object and add it to an existing site link
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative
Tools, and then click Active Directory Sites and Services.
2. Right-click the Sites container, and then click New Site.
3. In Name, type the name of the site.
4. In Link Name, click a site link for this site, and then click OK.
5. In Active Directory Domain Services, read the information, and then click OK.
See Also
Create a Subnet Object or Objects and Associate them with a Site
Moving a Domain Controller to a Different Site
Membership in the Enterprise Admins group in the forest or the Domain Admins group in the
forest root domain, or equivalent, is the minimum required to complete this procedure. Review
details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To create a subnet object or objects and associate them with a site
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative
Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand the Sites container, right-click Subnets, and then click New
Subnet.
3. In New Object - Subnet, in Prefix, type the IPv4 or IPv6 subnet prefix for the subnet.
4. In Select a site object for this prefix, click the site to be associated with the subnet, and
then click OK.
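The note above points to NETLOGON event 5807 and the Netlogon.log file as the way to discover client addresses that no subnet object covers, and the procedure above creates the subnet object by hand. The following Windows PowerShell code, added here as an example and not part of the guide, ties the two together: it checks the System log for event 5807, aggregates the NO_CLIENT_SITE entries from the log into candidate IPv4 /24 prefixes, and creates a subnet object associated with a site through ADSI, which writes the same subnet object and siteObject attribute that the New Subnet dialog does. It assumes Windows PowerShell 2.0 or later run by a member of Enterprise Admins; the sample log lines are constructed to resemble Netlogon.log entries (the exact prefix format of real lines may differ), and the site name in the usage lines is illustrative.

```powershell
# Added example (not from the guide): find unmapped client subnets behind NETLOGON
# event 5807 and create subnet objects with ADSI. Assumes PowerShell 2.0+ run by an
# Enterprise Admin. The log lines below are constructed, not real captures.

$SampleNetlogonLog = @(
    '09/01 08:15:02 [MISC] NO_CLIENT_SITE: WKS-101 10.40.7.15',
    '09/01 08:15:40 [MISC] NO_CLIENT_SITE: WKS-102 10.40.7.22',
    '09/01 08:16:11 [MISC] NO_CLIENT_SITE: LAPTOP-7 10.40.9.8',
    '09/01 08:17:05 [MISC] NO_CLIENT_SITE: WKS-101 10.40.7.15',
    '09/01 08:18:30 [MISC] NO_CLIENT_SITE: SRV-IPV6 2001:db8:40::17'
)

function Test-UnmappedClientsReported {
    # Event 5807 from source NETLOGON in the System log is the trigger the note describes.
    $events = Get-EventLog -LogName System -Newest 5000 |
              Where-Object { $_.Source -eq 'NETLOGON' -and $_.EventID -eq 5807 }
    return (@($events).Count -gt 0)
}

function Get-UnmappedClientSubnet {
    # Groups NO_CLIENT_SITE entries into candidate IPv4 /24 prefixes. IPv6 addresses are
    # listed individually; take their prefix from the design documentation.
    param([string[]]$LogLines)
    $groups = @{}
    foreach ($line in $LogLines) {
        if ($line -match 'NO_CLIENT_SITE:\s+(\S+)\s+(\S+)') {
            $client = $Matches[1]
            $ip     = $Matches[2]
            if ($ip -match '^(\d+)\.(\d+)\.(\d+)\.\d+$') {
                $prefix = "$($Matches[1]).$($Matches[2]).$($Matches[3]).0/24"
            } else {
                $prefix = $ip   # IPv6: no automatic aggregation
            }
            if (-not $groups.ContainsKey($prefix)) { $groups[$prefix] = @{} }
            $groups[$prefix][$client] = $ip   # one entry per client, repeats collapse
        }
    }
    foreach ($prefix in ($groups.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            Prefix      = $prefix
            ClientCount = $groups[$prefix].Count
            Clients     = @($groups[$prefix].Keys | Sort-Object)
        }
    }
}

function New-AdSubnet {
    # Creates CN=<Prefix>,CN=Subnets,CN=Sites,<configuration NC> with siteObject set
    # to the chosen site, as the New Subnet dialog does.
    param(
        [Parameter(Mandatory = $true)][string]$Prefix,    # e.g. '10.40.7.0/24'
        [Parameter(Mandatory = $true)][string]$SiteName
    )
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $siteDn   = "CN=$SiteName,CN=Sites,$configNc"
    if (-not [ADSI]::Exists("LDAP://$siteDn")) { throw "Site '$SiteName' does not exist" }
    # '/' is a path separator in an ADsPath, so escape it when binding by path.
    $escaped = $Prefix -replace '/', '\/'
    if ([ADSI]::Exists("LDAP://CN=$escaped,CN=Subnets,CN=Sites,$configNc")) {
        Write-Warning "Subnet $Prefix already exists"
        return
    }
    $container = [ADSI]"LDAP://CN=Subnets,CN=Sites,$configNc"
    $subnet = $container.Create('subnet', "CN=$Prefix")   # RDN itself needs no escaping
    $subnet.Put('siteObject', $siteDn)
    $subnet.SetInfo()
    Write-Host "Created subnet $Prefix associated with site $SiteName"
}

# Usage: Get-UnmappedClientSubnet -LogLines $SampleNetlogonLog | Format-Table -AutoSize
#        Get-UnmappedClientSubnet -LogLines (Get-Content "$env:SystemRoot\debug\netlogon.log")
#        New-AdSubnet -Prefix '10.40.7.0/24' -SiteName 'Branch01'
```

On the sample lines the aggregation yields 10.40.7.0/24 with two clients (the repeated WKS-101 entry collapses), 10.40.9.0/24 with one, and the IPv6 address on its own. Treat the /24 grouping as a suggestion to check against the network design before creating the object: a client range that is really a /22 or that belongs to a different site than the domain controller it happened to reach still needs a human decision.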
When you are removing the site to which the subnet is currently associated
When you have temporarily associated the subnet with a different site and you want to
associate the subnet with its permanent site
Membership in Enterprise Admins in the forest or Domain Admins in the forest root domain, or
equivalent, is the minimum required to complete this procedure. Review details about using the
appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To associate an existing subnet object with a site
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative
Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand the Sites container, and then click the Subnets container.
3. In the details pane, right-click the subnet that you want to associate with a site, and
then click Properties.
4. In Site, click the site with which you want to associate the subnet, and then click OK.
Membership in the Enterprise Admins group in the forest or the Domain Admins group in the
forest root domain, or equivalent, is the minimum required to complete this procedure. Review
details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To create a site link object
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative
Tools, and then click Active Directory Sites and Services.
2. Expand Sites, and then expand Inter-Site Transports.
3. Right-click IP, and then click New Site Link.
4. In Name, type a name for the site link.
5. In Sites not in this site link, click a site that you want to add to the site link. Hold down
the SHIFT key to click a second site that is adjacent in the list, or hold down the CTRL
key to click a second site that is not adjacent in the list.
6. After you select all the sites that you want to add to the site link, click Add, and then click
OK.
Selecting preferred bridgehead servers limits the bridgehead servers that the Knowledge
Consistency Checker (KCC) can use to those bridgehead servers that you have selected. If
you use Active Directory Sites and Services to select any preferred bridgehead servers at all
in a site, you must select as many bridgehead servers as possible and you must select them
for all domains that must be replicated to a different site.
If a site contains a global catalog server, select the global catalog server as a preferred
bridgehead server.
When you use preferred bridgehead servers, the following problems can occur:
If you select preferred bridgehead servers for a domain and all preferred bridgehead servers
for that domain become unavailable, replication of that domain to and from that site does not
occur.
If you select a non-global-catalog server but a global catalog server currently exists in the
site, or the global catalog is subsequently added to another domain controller in the site, the
global catalog server cannot receive updates of read-only domain directory partitions for any
domain that does not have a selected bridgehead server in the site.
Task requirements
The following is required to perform the procedures for this task:
3. If you are designating servers that will perform intersite replication, you can Designate a
Server as a Preferred Bridgehead Server.
To generate the intersite replication topology, run the KCC on the domain controller in the site
that holds the ISTG role.
To generate the intrasite replication topology, run the KCC on any domain controller in the site
that does not hold the ISTG role.
Note
To generate the replication topology on the ISTG, you must first complete the procedure:
Determine the ISTG Role Owner for a Site.
2. In the console tree, expand Sites, and then expand the site of the preferred bridgehead
server.
3. Expand Servers to display the list of domain controllers that are currently configured for
that site.
4. Right-click the server that you want to designate as a preferred bridgehead server, and
then click Properties.
5. In Transports available for inter-site data transfer, click IP.
6. Click Add, and then click OK.
Schedule: The time during which replication can occur. The default setting allows replication
at all times.
Interval: The number of minutes between replication polling by intersite replication partners
within the open schedule window. The default setting is every 180 minutes.
Cost: The relative priority of the link. The default setting is 100. Lower relative cost increases
the priority of the link over other, higher-cost links.
Consult your design documentation for information about the values to set for site link properties.
Task requirements
The following is required to perform the procedures for this task:
Note
Intersite connection objects also have a schedule; they inherit their schedule and interval
from the site link object.
Membership in Enterprise Admins, or equivalent, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To configure the site link interval
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative
Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand Sites and Inter-Site Transports, and then click IP.
3. In the details pane, right-click the site link object that you want to configure, and then click
Properties.
4. In Replicate every _____ minutes, specify the number of minutes for the intervals at
which replication polling occurs during an open schedule, and then click OK.
4. In Cost, specify the number for the comparative cost of using the site link, and then click
OK.
To generate the intersite replication topology, run the KCC on the domain controller in the site
that holds the ISTG role.
To generate the intrasite replication topology, run the KCC on any domain controller in the site
that does not hold the ISTG role.
Note
To generate the replication topology on the ISTG, you must first complete the procedure:
Determine the ISTG Role Owner for a Site.
If no domain controller is available in the same site, try to find any domain controller in the
domain.
Note
This is the same algorithm that DC Locator used in previous versions of Active Directory.
For more information, see How DNS Support for Active Directory Works
(http://go.microsoft.com/fwlink/?LinkId=108587).
If you enable the Try Next Closest Site setting, DC Locator uses the following algorithm to locate
a domain controller:
If no domain controller is available in the same site, try to find a domain controller in the next
closest site. A site is closer if it has a lower site-link cost than another site with a higher site-link cost.
If no domain controller is available in the next closest site, try to find any domain controller in
the domain.
By default, DC Locator does not consider any site that contains a read-only domain controller
(RODC) when it determines the next closest site.
For example, assume that a site topology has four sites with the site link values in the following
illustration. In this example, all the domain controllers are writable domain controllers.
When the Try Next Closest Site Group Policy setting is enabled in this example, if a
Windows Vista or Windows Server 2008 client computer in Site_B tries to locate a domain
controller, it first tries to find a domain controller in its own Site_B. If none is available in Site_B, it
tries to find a domain controller in Site_A.
If the setting is not enabled, the Windows Vista or Windows Server 2008 client tries to find a
domain controller in Site_A, Site_C, or Site_D if no domain controller is available in Site_B.
To apply the Try Next Closest Site setting, you can create a Group Policy object (GPO) and link
it to the appropriate object for your organization, or you can modify the Default Domain Policy to
have it affect all Windows Vista and Windows Server 2008 clients in the domain. For more
information about how to set the Try Next Closest Site setting, see Enable Clients to Locate a
Domain Controller in the Next Closest Site.
If the registry entry DWORD value is 1, DC Locator will try to find the domain controller in the next
closest site if it cannot find a domain controller in the client's site. If the value is 0, DC Locator will
find any domain controller if it cannot find a domain controller in the client's site.
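The following added example, which is not part of the Microsoft guide, models the site-search order just described so that the effect of the Try Next Closest Site setting can be worked through on a sample topology: the client's own site first, then the site with the lowest site-link cost from the client's site (sites that contain only an RODC are skipped by default), then any site that has a domain controller. The site names follow the guide's illustration; the site-link costs, the set of sites that hold a domain controller, and the RODC site are constructed sample data, and site link bridging (transitive link costs, the default) is assumed. The costs are the same Cost values that are set on site link objects in Active Directory Sites and Services.

```python
"""Model of the DC Locator site-search order described in the guide.

Added example, not Microsoft code. Site names follow the guide's illustration;
link costs, DC placement and the RODC site are constructed sample data.
Site link bridging (transitive link costs) is assumed to be enabled.
"""
import heapq
from typing import Dict, List, Optional, Set, Tuple

# Constructed site links: (member sites, cost). Lower cost = preferred,
# matching the Cost property of a site link object.
SITE_LINKS: List[Tuple[Set[str], int]] = [
    ({"Site_A", "Site_B"}, 100),
    ({"Site_B", "Site_C"}, 200),
    ({"Site_A", "Site_D"}, 50),
    ({"Site_C", "Site_D"}, 100),
]
SITES_WITH_DC: Set[str] = {"Site_A", "Site_C", "Site_D"}  # constructed
RODC_SITES: Set[str] = {"Site_D"}  # constructed: Site_D holds only an RODC


def site_costs(links, origin: str) -> Dict[str, int]:
    """Lowest cumulative site-link cost from origin to every reachable site
    (Dijkstra over the links; a link with N member sites connects all N)."""
    dist = {origin: 0}
    heap = [(0, origin)]
    while heap:
        cost_so_far, site = heapq.heappop(heap)
        if cost_so_far > dist[site]:
            continue  # stale heap entry
        for members, cost in links:
            if site not in members:
                continue
            for other in members - {site}:
                candidate = cost_so_far + cost
                if candidate < dist.get(other, float("inf")):
                    dist[other] = candidate
                    heapq.heappush(heap, (candidate, other))
    return dist


def next_closest_site(links, client_site: str, sites_with_dc: Set[str],
                      rodc_sites: Set[str], consider_rodc: bool = False) -> Optional[str]:
    """Site holding a DC with the lowest cost from client_site. Sites that
    contain only an RODC are ignored unless consider_rodc is True, which is
    the guide's default behaviour."""
    dist = site_costs(links, client_site)
    candidates = [(cost, site) for site, cost in dist.items()
                  if site != client_site and site in sites_with_dc
                  and (consider_rodc or site not in rodc_sites)]
    return min(candidates)[1] if candidates else None


def locate_dc(links, client_site: str, sites_with_dc: Set[str],
              rodc_sites: Set[str], try_next_closest_site: bool):
    """Return (stage, sites) describing where DC Locator looks for a DC.
    try_next_closest_site corresponds to the registry DWORD value: 1 (True)
    searches the next closest site first, 0 (False) falls back to any DC."""
    if client_site in sites_with_dc:
        return ("own-site", [client_site])
    if try_next_closest_site:
        nxt = next_closest_site(links, client_site, sites_with_dc, rodc_sites)
        if nxt is not None:
            return ("next-closest-site", [nxt])
    # Fallback: any DC in the domain. The guide defines no order here;
    # the list is sorted only to make the example deterministic.
    return ("any-site", sorted(sites_with_dc))


if __name__ == "__main__":
    for enabled in (True, False):
        print("Try Next Closest Site =", enabled,
              "->", locate_dc(SITE_LINKS, "Site_B", SITES_WITH_DC, RODC_SITES, enabled))
```

With the constructed costs, a client in Site_B is directed to Site_A when the setting is enabled and to any of Site_A, Site_C or Site_D when it is not, which is the outcome the guide describes for its illustration; a client in Site_C shows the RODC rule, since Site_D is the cheapest site but is skipped unless RODC sites are considered.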
TCP/IP settings
When you move a domain controller to a different site, if an IP address of the domain controller is
configured statically, you must change the TCP/IP settings accordingly. The IP address of the
domain controller must map to a subnet object that is associated with the site to which you are
moving the domain controller. If the IP address of a domain controller does not match the site in
which the server object appears, the domain controller might be forced to communicate over a
potentially slow wide area network (WAN) link to locate resources, rather than locating resources
in its own site.
Before you move the domain controller, ensure that the following TCP/IP client values are
appropriate for the new location:
If the domain controller that you are moving is a DNS server, you must also change the TCP/IP
settings on any clients that have static references to the domain controller as the preferred or
alternate DNS server.
DNS settings
If the domain controller is a DNS server, you must update the IP address in any DNS delegations
or forwarders that reference the IP address. With dynamic update enabled, DNS updates host
(A), host (AAAA), and name server (NS) resource records automatically. However, you must
update delegations and forwarders as follows:
Delegations: Determine whether the parent DNS zone of any zone that is hosted by this DNS
server contains a delegation to this DNS server. If the parent DNS zone does contain a
delegation to this DNS server, update the IP address in the name server (NS) resource
record in the parent domain DNS zone that points to this DNS server.
Forwarders: Determine whether the server acts as a forwarder for any DNS servers. If a DNS
server uses this server as a forwarder, change the name server (NS) resource record for the
forwarder on that DNS server.
In the site to which you are moving the server: If you move a preferred bridgehead server to a
different site, it becomes a preferred bridgehead server in the new site. If preferred
bridgehead servers are not currently in use in this site, the ISTG behavior in this site changes
to support preferred bridgehead servers. For this reason, you must either configure the server
to not be a preferred bridgehead server (recommended), or select additional preferred
bridgehead servers in the site (not recommended).
In the site from which you are moving the server: If the server is the last preferred bridgehead
server in the original site for its domain, and if other domain controllers for the domain are in
the site, the ISTG selects a bridgehead server for the domain. If you use preferred
bridgehead servers, always select more than one server as the preferred bridgehead server
for the domain. If, after the removal of this domain controller from the site, multiple domain
controllers remain that are hosting the same domain and only one of them is configured as a
preferred bridgehead server, either configure the server to not be a preferred bridgehead
server (recommended), or select additional preferred bridgehead servers that host the same
domain in the site (not recommended).
Note
If you select preferred bridgehead servers and all selected preferred bridgehead servers
for a domain are unavailable in the site, the ISTG does not select a new bridgehead
server. In this case, replication of this domain to and from other sites does not occur.
However, if no preferred bridgehead server is selected for a domain or transport (through
administrator error or as the result of moving the only preferred bridgehead server to a
different site), the ISTG automatically selects a preferred bridgehead server for the
domain and replication proceeds as scheduled.
Task requirements
The following is required to perform the procedures for this task:
Network Connections
DNS snap-in
Use the DNS snap-in to update the following DNS values that apply to this domain controller:
On the Forwarders tab in the properties of a DNS server, update the IP address on DNS
servers for which this domain controller is designated as a forwarder.
Use the procedure Update the IP Address for a DNS Delegation for all delegations to this
domain controller.
On the Zone Transfers tab in the properties of a forward lookup zone, update the IP address
for any primary or secondary DNS zone transfers to this domain controller.
4. In the console tree, click the node for the DNS server that uses the forwarder whose IP
address has changed.
5. In the details pane, double-click Forwarders.
6. In the IP Address list, click the address that you want to change, and then click Edit.
7. In the IP Address list, click the address, and then type changes as necessary.
8. Click OK twice.
7. Expand the Sites container, and then click the Subnets container.
8. In the Name column in the details pane, find the subnet object that matches the subnet
address for the server or domain controller.
9. In the Site column, note the site to which the IP subnet address is associated.
If the site that appears in the Site column is not the appropriate site, contact a site
administrator and find out whether the IP address is incorrect or whether you should
move the server object to the site that is indicated by the subnet-to-site association.
See Also
Move a Server Object to a New Site
See Also
Configure a Server to Not Be a Preferred Bridgehead Server
See Also
Determine Whether a Server is a Preferred Bridgehead Server
Configure a Server to Not Be a Preferred Bridgehead Server
from the list so that it is not a designated preferred bridgehead server, you can use this procedure
to open the server object properties and remove the server from the IP transport.
Membership in the Enterprise Admins group in the forest or the Domain Admins group in the
forest root domain, or equivalent, is the minimum required to complete this procedure. Review
details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To configure the server to not be a preferred bridgehead server
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative
Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand Sites, and then expand the site of the preferred bridgehead
server.
3. Expand the Servers container to display the list of domain controllers that are currently
configured for that site.
4. Right-click the server that you want to remove, and then click Properties.
5. If IP appears in the list that marks this server as a bridgehead server for the IP transport,
click IP, click Remove, and then click OK.
See Also
View the List of All Preferred Bridgehead Servers
3. Expand Servers to display the domain controllers that are currently configured for that
site.
4. Right-click the server object that you want to move, and then click Move.
5. In Site Name, click the destination site, and then click OK.
6. Expand the site object to which you moved the server, and then expand the Servers
container.
7. Verify that an object for the server that you moved exists.
8. Expand the server object, and verify that an NTDS Settings object exists.
Within an hour, the Net Logon service on the domain controller registers the new site information
in Domain Name System (DNS). Wait an hour, and then open Event Viewer and connect to the
domain controller whose server object you moved. Review the System log for NETLOGON errors
regarding registration of service (SRV) resource records in DNS that have occurred within the last
hour. The absence of errors indicates that the Net Logon service has updated DNS with site-specific
service (SRV) resource records. NETLOGON Event ID 5774 indicates that the dynamic
registration of DNS resource records has failed. If this error occurs, contact a supervisor and
pursue DNS troubleshooting.
See Also
Verify That an IP Address Maps to a Subnet and Determine the Site Association
controller uses cached universal group memberships and does not have to contact a global
catalog server.
Task requirements
The following tool is required to perform the procedures for this task:
Forcing Replication
When you need updates to be replicated sooner than the intersite replication schedule allows, or
when replication between sites is impossible because of configuration errors, you can force
replication to and from domain controllers. You can use the following two methods of forcing
replication:
Force replication of all directory partition updates from one server to another server over a
connection
Force replication of configuration directory partition updates from one server to another server
domain controller has a site link, the Knowledge Consistency Checker (KCC) on the domain
controller can then create connection objects from servers in the other site.
On writable domain controllers running Windows Server 2008, a new option is available that you
can use to force replication of only the configuration directory partition to a domain controller in
another site, even though a connection object from a server in the site does not exist in the
configuration directory partition. In this case, you can recreate the site link in one site and force
replication of this configuration change to a domain controller in the other site. When replication of
the new site link object is received on the domain controller in the other site, that domain
controller can then create new connection objects from servers in the other sites in the site link.
This functionality is particularly useful if the only domain controller in a site is a read-only domain
controller (RODC). In this case, you cannot recreate the site link on a domain controller in both
sites because you cannot write to the RODC. When you recreate the site link in the hub site and
then force replication of the configuration directory partition to the site of the RODC, you enable
the RODC to create connection objects from replication partners in the hub site.
Task requirements
The following tools are required to perform the procedures for this task:
Repadmin.exe
See Also
Synchronize Replication with All Partners
Where <ServerName> is the name of the domain controller that has the configuration
changes that you want to replicate. The /showrepl switch provides the globally unique
identifier (GUID) information that you need for step 6.
3. Click the Command Prompt menu in the title bar, click Edit, and then click Mark.
4. Use the cursor to select the value in
5. Click the Command Prompt menu in the title bar, and then click Copy. Use the Paste
command on the Command Prompt menu to paste this value for the
<SourceDomainControllerGUID> parameter in the next step.
6. At the command prompt, type the following command, and then press ENTER:
repadmin /sync <ConfigurationDistinguishedName> <DestinationServerName>
<SourceDomainControllerGUID>
Value
Description
/sync
<ConfigurationDistinguishedName>
<DestinationServerName>
<SourceDomainControllerGUID>
Membership in Enterprise Admins in the forest or Domain Admins in the forest root domain, or
equivalent, is the minimum required to complete this procedure. Review details about using the
appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To synchronize replication with all partners
1. At a command prompt, type the following command, and then press ENTER:
repadmin /syncall <DomainControllerName> /e /d /A /P /q
Value
Description
repadmin /syncall
<DomainControllerName>
/e
/d
/A
/P
/q
2. Check for replication errors in the output of the command in the previous step. If there are
no errors, replication is successful. For replication to complete, any errors must be
corrected.
See Also
Verify Successful Replication to a Domain Controller
you are checking, you can specify a destination domain controller in the command. Repadmin
lists INBOUND NEIGHBORS for the current or specified domain controller. INBOUND
NEIGHBORS shows the distinguished name of each directory partition for which inbound
directory replication has been attempted, the site and name of the source domain controller, and
whether replication succeeded or not, as follows:
If @ [Never] appears in the output for a directory partition, replication of that directory partition has
never succeeded from the identified source replication partner over the listed connection.
Membership in Enterprise Admins, or equivalent, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To verify successful replication to a domain controller
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
repadmin /showrepl <servername> /u:<domainname>\<username> /pw:*
Note
The user credential parameters (/u:<domainname>\<username> /pw:*) are not
required for the domain of the user if the user has opened the Command Prompt
as an administrator with Domain Admins credentials or is logged on to the
domain controller as a member of Domain Admins or equivalent. However, if you
run the command for a domain controller in a different domain in the same
Command Prompt session, you must provide credentials for an account in that
domain.
Value
Description
repadmin /showrepl
<servername>
/u:
<domainname>
<username>
/pw:*
3. At the Password: prompt, type the password for the user account that you provided, and
then press ENTER.
You can also use repadmin to generate the details of replication to and from all replication
partners in a Microsoft Excel spreadsheet. The spreadsheet displays data in the following
columns:
Showrepl_COLUMNS
Destination DC Site
Destination DC
Naming Context
Source DC Site
Source DC
Transport Type
Number of Failures
Last Failure Time
Last Success Time
Last Failure Status
The following procedure creates this spreadsheet and sets column headings for improved
readability.
To generate a repadmin /showrepl spreadsheet for all replication partners
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
repadmin /showrepl * /csv >showrepl.csv
3. Open Excel.
4. Click the Office button, click Open, navigate to showrepl.csv, and then click Open.
5. Hide or delete column A as well as the Transport Type column, as follows:
6. Select a column that you want to hide or delete.
To hide the column, right-click the column, and then click Hide.
Or
To delete the column, right-click the selected column, and then click Delete.
7. Select row 1 beneath the column heading row. On the View tab, click Freeze Panes, and
then click Freeze Top Row.
8. Select the entire spreadsheet. On the Data tab, click Filter.
9. In the Last Success Time column, click the down arrow, and then click Sort Ascending.
10. In the Source DC column, click the filter down arrow, point to Text Filters, and then click
Custom Filter.
11. In the Custom AutoFilter dialog box, under Show rows where, click does not contain.
In the adjacent text box, type del to eliminate from view the results for deleted domain
controllers.
12. Repeat step 11 for the Last Failure Time column, but use the value does not equal, and
then type the value 0.
13. Resolve replication failures.
The last successful attempt should agree with the replication schedule for intersite replication, or
the attempt should be within the last hour for intrasite replication.
If Repadmin reports any of the following conditions, see Troubleshooting Active Directory
Replication Problems (http://go.microsoft.com/fwlink/?LinkID=93582):
The last successful intersite replication was before the last scheduled replication.
The last successful intrasite replication was longer than one hour ago.
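The spreadsheet workflow above can be applied to a repadmin /showrepl * /csv export without Excel. The following added example is not part of the Microsoft guide: it drops column A (showrepl_COLUMNS) and the Transport Type column, leaves out rows whose Source DC contains "del" (the guide's filter for deleted domain controllers), sorts by Last Success Time ascending, and then flags partners that report failures, that have never replicated successfully (Last Success Time of 0, the CSV counterpart of @ [Never] in the text output), or whose last success is older than allowed: one hour for intrasite partners, and the site link interval for intersite partners, which defaults here to the 180-minute value the guide gives for site links, on the assumption of a 24x7 schedule. The column headings follow the guide's list, and the CSV rows, timestamps and status codes are constructed sample data; the deleted-DC row carries a placeholder GUID.

```python
"""Triage a repadmin /showrepl * /csv export the way the guide's spreadsheet
procedure does. Added example, not Microsoft code; the CSV is constructed."""
import csv
import io
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample export. Column headings follow the guide's list; the
# last row is a deleted DC with a placeholder GUID, not a real object name.
SAMPLE_CSV = r'''showrepl_COLUMNS,Destination DC Site,Destination DC,Naming Context,Source DC Site,Source DC,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Hub,DC01,"DC=corp,DC=example",Hub,DC02,RPC,0,0,2008-09-12 11:40:00,0
showrepl_INFO,Hub,DC01,"DC=corp,DC=example",Branch,DC03,RPC,3,2008-09-12 11:50:00,2008-09-12 06:00:00,1722
showrepl_INFO,Hub,DC01,"CN=Configuration,DC=corp,DC=example",Hub,DC02,RPC,0,0,2008-09-12 10:30:00,0
showrepl_INFO,Hub,DC01,"DC=corp,DC=example",Hub,DC04\0ADEL:00000000-0000-0000-0000-000000000000,RPC,5,2008-09-12 11:55:00,0,8524
'''
SAMPLE_NOW = datetime(2008, 9, 12, 12, 0, 0)  # constructed "current time" for the sample

DROP_COLUMNS = ("showrepl_COLUMNS", "Transport Type")  # guide step 5
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_time(value: str):
    """repadmin writes 0 when a time has never occurred; map that to None."""
    value = value.strip()
    return None if value == "0" else datetime.strptime(value, TIME_FORMAT)


def load_showrepl(text: str) -> List[Dict]:
    """Rows of the export, minus dropped columns and deleted DCs, sorted by
    Last Success Time ascending (never-succeeded rows first)."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        if "del" in raw["Source DC"].lower():  # guide step 11: hide deleted DCs
            continue
        row = {k: v for k, v in raw.items() if k not in DROP_COLUMNS}
        row["Number of Failures"] = int(row["Number of Failures"])
        row["Last Failure Status"] = int(row["Last Failure Status"])
        row["Last Failure Time"] = parse_time(row["Last Failure Time"])
        row["Last Success Time"] = parse_time(row["Last Success Time"])
        rows.append(row)
    rows.sort(key=lambda r: (r["Last Success Time"] is not None,
                             r["Last Success Time"] or datetime.min))
    return rows


def triage(rows: List[Dict], now: datetime,
           intrasite_max: timedelta = timedelta(hours=1),
           intersite_max: timedelta = timedelta(minutes=180)) -> List[Dict]:
    """Partners needing attention: any failure recorded (guide step 12), or a
    last success older than the intrasite or intersite limit."""
    findings = []
    for r in rows:
        reasons = []
        if r["Last Failure Time"] is not None or r["Number of Failures"] > 0:
            reasons.append(f"{r['Number of Failures']} failure(s), "
                           f"last status {r['Last Failure Status']}")
        intrasite = r["Destination DC Site"] == r["Source DC Site"]
        limit = intrasite_max if intrasite else intersite_max
        last = r["Last Success Time"]
        if last is None:
            reasons.append("never replicated successfully")
        elif now - last > limit:
            kind = "intrasite" if intrasite else "intersite"
            reasons.append(f"last success {now - last} ago exceeds {kind} limit {limit}")
        if reasons:
            findings.append({"source": r["Source DC"],
                             "naming_context": r["Naming Context"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(load_showrepl(SAMPLE_CSV), SAMPLE_NOW):
        print(f["source"], f["naming_context"], "; ".join(f["reasons"]))
```

To run it against a real export, replace SAMPLE_CSV with the contents of showrepl.csv and SAMPLE_NOW with datetime.now(). The "del" filter is the guide's own heuristic and matches any source name containing those letters, so check the excluded rows if a domain controller's name happens to contain them, and set intersite_max to the actual site link interval where it differs from the default.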
Removing a Site
If domain controllers are no longer needed in a network location, you can remove them from the
site and then delete the site object. Before you delete the site, you must remove each domain
controller from the site, either by removing the domain controller completely or by moving it to a new
location:
To remove the domain controller completely, remove Active Directory Domain Services
(AD DS) from the server and then delete the server object from the site in AD DS.
To retain the domain controller in a different location, move the domain controller itself to the
new site and then move the server object to the respective site in AD DS.
Before you remove a server object from a site, check the NTDS Settings object of the server to
see if the server has a manual connection object from any server in another site. If a manual
connection object exists, check the source server in the other site for a corresponding manual
connection object from the server that you are removing. The Knowledge Consistency Checker
(KCC) does not remove manual connection objects automatically. Therefore, if you leave a
manually created connection object on a server and then remove the source server for the
connection, the inability of the destination server to replicate from its source replication partner
will cause replication errors to be generated. If a manual connection object exists in the NTDS
Settings object of a server in another site, and if the server that you are removing is the source
(replicate from) server for the connection, delete that manual connection object on the
destination server to avoid unnecessary replication errors after you have removed the server
object.
Domain controllers can host other applications that depend on site topology and publish objects
as child objects of the respective server object. For example, when Microsoft Operations
Manager (MOM) or Message Queuing is running on a domain controller, these applications
create child objects beneath the server object. In addition, a server running Message Queuing
that is not a domain controller and that is configured to be a routing server running Message
Queuing creates a server object in the sites container. Removing the application from the server
automatically removes the child object below the respective server object. However, the server
object is not removed automatically.
When all applications have been removed from the server (no child objects appear beneath the
server object), you can remove the server object. After the application is removed from the server,
a replication cycle might be required before child objects are no longer visible below the server
object.
After you delete or move the server objects but before you delete the site object, reconcile the
following objects:
IP addresses:
If the addresses are being reassigned to a different site, associate the subnet object or
objects with that site. Any clients that use the addresses for the decommissioned site will
thereafter be assigned automatically to the other site.
If the IP addresses will no longer be used on the network, delete the corresponding subnet
object or objects.
If the site that you are removing is added to a site link that contains only two sites, delete the
site link object.
If the site that you are removing is added to a site link that contains more than two sites, do
not delete this site link object.
Before you remove a site, consider the implications. If the site that you are removing is added to
more than one site link, it might be an interim site between other sites that are added to this site
link. Deleting the site might disconnect the outer sites from each other. In this case, the site links
must be reconciled according to the instructions of the design team.
Task requirements
The following tool is required to perform the procedures for this task:
If an NTDS Settings object is present, it is possible that replication of the deletion has not
reached the domain controller whose objects you are viewing. Check the presence of the
object on another domain controller, or force replication from another domain controller in the
domain. (See Force Replication Between Domain Controllers.)
If a child object other than NTDS Settings is present, another application has published the
object and is using the server object. In this case, do not delete the server object.
Membership in Domain Users, or equivalent, is the minimum required to complete this procedure
when you perform the procedure remotely by using Remote Server Administration Tools (RSAT).
Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
See Also
Decommissioning a Domain Controller
Forcing the Removal of a Domain Controller
When you are removing the site to which the subnet is currently associated
When you have temporarily associated the subnet with a different site and you want to
associate the subnet with its permanent site
Membership in Enterprise Admins in the forest or Domain Admins in the forest root domain, or
equivalent, is the minimum required to complete this procedure. Review details about using the
appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
See Also
Delete a Server Object from a Site
Delete a Site Link object
To generate the intersite replication topology, run the KCC on the domain controller in the site
that holds the ISTG role.
To generate the intrasite replication topology, run the KCC on any domain controller in the site
that does not hold the ISTG role.
Note
To generate the replication topology on the ISTG, you must first complete the procedure:
Determine the ISTG Role Owner for a Site.
4. Expand Servers, and then click the Server object for the ISTG.
5. In the details pane, right-click NTDS Settings, click All Tasks, and then click Check
Replication Topology.
6. In the Check Replication Topology message box, click OK.
Low disk space: move the files to a different location permanently, or replace the disk on
which the database or log files are stored.
Pending or current hardware failure: upgrade or replace the disk on which the database or log
files are stored.
A need to recover physical disk space: defragment the database after bulk deletion or
removal of the global catalog.
Ntds.dit partition: The greater of 20 percent of the Ntds.dit file size or 500 megabytes (MB).
Log file partition: The greater of 20 percent of the combined log files size or 500 MB.
Ntds.dit and logs on the same volume: The greater of 20 percent of the combined Ntds.dit
and log files sizes or 1 gigabyte (GB).
Database defragmentation
During ordinary operation, you will delete objects from AD DS. When you delete an object, free
(unused) disk space is created in the database. On a regular basis, the database consolidates
this free disk space through a process called online defragmentation. This disk space will be
reused when new objects are added (without adding any size to the file itself). This automatic
online defragmentation redistributes and retains free disk space for use by the database, but
does not release the disk space to the file system. Therefore, the database size does not shrink,
even though objects might be deleted.
In cases in which the data decreases significantly, such as when the global catalog is removed
from a domain controller, free disk space is not automatically returned to the file system. Although
this condition does not affect database operation, it does result in large amounts of free disk
space in the database. To decrease the size of the database file by returning free disk space from
the database file to the file system, you can perform an offline defragmentation of the database.
Whereas online defragmentation occurs automatically while AD DS is running, offline
defragmentation requires taking the domain controller offline and using the Ntdsutil.exe
command-line tool to perform the procedure.
Note
NTFS disk compression is not supported for the database and log files.
Restartable AD DS
On domain controllers that are running Windows Server 2008, performing offline defragmentation
and other database management tasks does not require a restart of the domain controller in
Directory Services Restore Mode (DSRM). You can stop the AD DS service while you perform
database management procedures. This feature, called restartable AD DS, eliminates the need to
restart the domain controller when you perform certain database management tasks. Services
that are running on the server that depend on AD DS to function shut down before AD DS shuts
down. The following services stop when you stop AD DS:
Intersite Messaging
Other services that are running on the server and that do not depend on AD DS to function, such
as Dynamic Host Configuration Protocol (DHCP), remain available to satisfy client requests while
AD DS is stopped. For information about restartable AD DS, see Windows Server 2008
Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=88649).
See Also
Managing the Active Directory Database
Returning Unused Disk Space from the Active Directory Database to the File System
Hardware maintenance: If the physical disk on which the database or log files are stored
requires upgrading or maintenance, the database files must be moved, either temporarily or
permanently.
Low disk space: When free disk space is low on the logical drive that stores the database
file (Ntds.dit), the log files, or both, first verify that no other files are causing the problem. If
the database file or log files are the cause of the growth, provide more disk space by taking
one of the following actions:
Expand the partition on the disk that currently stores the database file, the log files, or
both. This procedure does not change the path to the files and does not require updating
the registry.
Use Ntdsutil.exe to move the database file, the log files, or both to a larger existing
partition. If you are not using Ntdsutil.exe when you move files to a different partition, you
must update the registry manually.
If the path to the database file or log files will change as a result of moving the files, be sure that
you:
Use Ntdsutil.exe to move the files (rather than copying them) so that the registry is updated
with the new path. Even if you are moving the files only temporarily, use Ntdsutil.exe to move
files locally so that the registry remains current.
Perform a system state or critical-volume backup as soon as the move is complete so that the
restore procedure uses the correct path.
Verify that the correct permissions are applied on the destination folder after the move.
Revise permissions to just the permissions that are required to protect the database files, if
necessary.
The registry entries that Ntdsutil.exe updates when you move the database file are as follows:
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters:
The registry entry that Ntdsutil.exe updates when you move the log files is as follows:
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters:
Database file only: The size of the database file, plus 20 percent of the Ntds.dit file or
500 megabytes (MB), whichever is greater.
Log files only: The size of the combined log files, plus 20 percent of the combined logs or
500 MB, whichever is greater.
Database and logs: If the database and log files are stored on the same partition, free space
should be at least 20 percent of the combined Ntds.dit and log files, or 1 gigabyte (GB),
whichever is greater.
Important
The preceding levels are minimum recommended levels. Therefore, adding additional
space according to anticipated growth is recommended.
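The following script is an added example, not part of this guide or of Ntdsutil.exe. It applies the minimum free-space levels stated above to the files on a domain controller and reports whether each volume meets them. The default paths (%SystemRoot%\NTDS for both the database file and the log files) are assumptions; adjust them if the files have been moved. It is meant to be run in an elevated Windows PowerShell session.

```powershell
# Added example (not from the guide): check free disk space against the minimum
# levels recommended above for the Active Directory database file and log files.
function Get-AdDatabaseFreeSpaceCheck {
    param(
        # Assumed default locations; use the paths from the NTDS\Parameters key if they differ.
        [string]$DatabaseFile = (Join-Path $env:SystemRoot 'NTDS\ntds.dit'),
        [string]$LogDirectory = (Join-Path $env:SystemRoot 'NTDS')
    )

    # Sizes as the file system reports them (compare like with like: the guide
    # notes that sizes are reported differently online and offline).
    $dbBytes  = (Get-Item -LiteralPath $DatabaseFile).Length
    $logBytes = (Get-ChildItem -LiteralPath $LogDirectory -Filter '*.log' |
                 Measure-Object -Property Length -Sum).Sum
    if (-not $logBytes) { $logBytes = 0 }

    # Which volume holds each set of files decides which rule applies.
    $dbRoot  = [System.IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $DatabaseFile).Path)
    $logRoot = [System.IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $LogDirectory).Path)

    if ($dbRoot -eq $logRoot) {
        # Same partition: at least 20 percent of the combined size or 1 GB, whichever is greater.
        $checks = @(
            @{ Name = 'Database and logs'; Root = $dbRoot
               Required = [math]::Max(0.2 * ($dbBytes + $logBytes), 1GB) }
        )
    } else {
        # Separate partitions: the size of the files, plus 20 percent of them or 500 MB,
        # whichever is greater, for each set.
        $checks = @(
            @{ Name = 'Database file only'; Root = $dbRoot
               Required = $dbBytes  + [math]::Max(0.2 * $dbBytes,  500MB) },
            @{ Name = 'Log files only';     Root = $logRoot
               Required = $logBytes + [math]::Max(0.2 * $logBytes, 500MB) }
        )
    }

    foreach ($c in $checks) {
        $free = (New-Object System.IO.DriveInfo($c.Root)).AvailableFreeSpace
        New-Object PSObject -Property @{
            Check      = $c.Name
            Volume     = $c.Root
            RequiredMB = [math]::Round($c.Required / 1MB)
            FreeMB     = [math]::Round($free / 1MB)
            Sufficient = ($free -ge $c.Required)
        }
    }
}

# Usage: a row per volume; Sufficient = False means the partition must be
# expanded or the files moved with Ntdsutil.exe before continuing.
Get-AdDatabaseFreeSpaceCheck | Format-Table Check, Volume, RequiredMB, FreeMB, Sufficient -AutoSize
```

Because these are minimum levels, treat Sufficient = True as the floor: anticipated growth of the database should be added on top, as the Important note above says.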
Task requirements
The following tools are required to perform the procedures for this task:
dir
xcopy
Ntdsutil.exe
Windows Explorer
Note
If you replace or reconfigure a drive that stores the SYSVOL folder, you must first move
the SYSVOL folder manually. For information about moving SYSVOL manually, see
Relocating SYSVOL Manually.
2. Compare the Size of the Directory Database Files to the Volume Size
3. Perform a System State Backup of a Domain Controller by Using the Command Line
(Wbadmin) (http://go.microsoft.com/fwlink/?LinkId=118357)
System state includes the database file and log files as well as SYSVOL and Net Logon
shared folders, among other things. Always ensure that you have a current system state or
critical-volume backup before you move database files.
4. Move or copy the directory database and log files by performing one of the following
procedures:
5. Perform a System State Backup of a Domain Controller by Using the Command Line
(Wbadmin) (http://go.microsoft.com/fwlink/?LinkId=118357)
                        <DIR>          .
01/29/2008  11:04 AM    <DIR>          ..
01/29/2008  10:29 AM             8,192 edb.chk
01/29/2008  10:29 AM        10,485,760 edb.log
01/29/2008  10:29 AM        10,485,760 edb00001.log
01/29/2008  10:29 AM        10,485,760 edbres00001.jrs
01/29/2008  10:29 AM        10,485,760 edbres00002.jrs
01/29/2008  10:29 AM        14,696,488 ntds.dit
01/28/2008  02:54 PM         2,113,536 temp.edb
               7 File(s)     58,761,256 bytes
               2 Dir(s)  126,027,243,520 bytes free
See Also
Determine the Database Size and Location Offline
Important
Be sure to use the same method to check file sizes when you compare them. The size is
reported differently, depending on whether the domain controller is online or offline. For
information about determining database size online, see Determine the Database Size
and Location Online.
If you have set garbage collection logging to report free disk space, Event ID 1646 in the
Directory Service log also reports the size of the database file: Total allocated hard disk space
(megabytes):
As an alternative, you can determine the size of the database file by listing the contents of the
directory that contains the files.
Membership in Builtin Administrators, or equivalent, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To determine the database size and location offline
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
net stop ntds
instance ntds,
See Also
Determine the Database Size and Location Online
Where <targetDrive> identifies the local volume or the letter of the physical disk drive to
receive the backup. You cannot store a system state backup on a network shared drive.
If you do not specify the -quiet parameter, you are prompted to press Y to proceed with
the backup operation.
Additional considerations
Be aware of the following issues when you perform a system state backup:
To use Wbadmin.exe, you must install Windows Server Backup. For more information about
installing Windows Server Backup, see Installing Windows Server Backup
(http://go.microsoft.com/fwlink/?LinkID=96495).
The target volume for a system state backup can be a local drive, but it cannot be any of the
volumes that are included in the backup by default. To store the system state backup on a
volume that is included in the backup, you must add the AllowSSBToAnyVolume registry
entry to the server that you are backing up. There are also some prerequisites for storing
system state backup on a volume that is included in the backup. For more information, see
Known Issues for AD DS Backup and Recovery (http://go.microsoft.com/fwlink/?
LinkID=117940).
When you move the files to a folder on the local domain controller, you can move them
permanently or temporarily. Move the files to a temporary destination if you need to reformat the
original location, or move the files to a permanent location if you have additional disk space. If
you reformat the original drive, use the same procedure to move the files back after the reformat
is complete. Ntdsutil.exe updates the registry when you move files locally. Even if you are moving
the files only temporarily, use Ntdsutil.exe so that the registry is always current.
If you do not have space on the local domain controller to move the files temporarily, you can
copy files to a remote share. For information about copying files to a remote share, see Copy the
Directory Database and Log Files to a Remote Share.
On a domain controller that is running Windows Server 2008, you do not have to restart the
domain controller in Directory Services Restore Mode (DSRM) to move database files. You can
stop the Active Directory Domain Services (AD DS) service and then restart the service after you
move the files to their permanent location. For information about restartable AD DS, see the
Windows Server 2008 Restartable AD DS Step-by-Step Guide on the Microsoft Web site at
(http://go.microsoft.com/fwlink/?LinkId=88649).
Membership in Builtin Administrators, or equivalent, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To move the directory database and log files to a local drive
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
net stop ntds
instance ntds,
file maintenance:
To move the Ntds.dit file, type the following command, and then press ENTER:
move db to <drive>:\<directory>
To move the log files, type the following command, and then press ENTER:
move logs to <drive>:\<directory>
where <drive>:\<directory> specifies the path to the new location. If the directory does
If the permissions in step 12b are in effect, go to step 13. If permissions other than
the permissions described in step 12b are in effect, perform steps 12d through 12k.
d. If Include inheritable permissions from this object's parent is selected, click Edit,
click to clear the setting, and then click OK.
When you are prompted, click Copy to copy previously inherited permissions to this
object.
e. If Administrators or SYSTEM, or both, are not in the Name list, click OK, click Edit,
and then click Add.
f. In From this location, be sure that the name of the domain is selected.
g. In Enter the object names to select, type System, if necessary, and then click OK.
Repeat to add Administrators, if necessary, and then click OK.
h. On the Security tab, click System, and then, in the Allow column, click Full Control.
Repeat for Administrators.
i. In the Group or user names box, click any name that is not SYSTEM or
Administrators, and then click Remove. Repeat until the only remaining accounts
are Administrators and SYSTEM, and then click OK.
Note
Some accounts might appear in the form of security identifiers (SIDs).
Remove any such accounts.
j.
13. At the command prompt, type ntdsutil, and then press ENTER.
14. At the ntdsutil prompt, type activate instance ntds, and then press ENTER.
15. At the ntdsutil prompt, type files, and then press ENTER.
16. At the file maintenance: prompt, type integrity, and then press ENTER.
If the integrity check fails, see If the Database Integrity Check Fails, Perform Semantic
Database Analysis with Fixup.
17. If the integrity check succeeds, type quit, and then press ENTER to quit the file
maintenance prompt. Type quit again, and then press ENTER to quit Ntdsutil.exe.
18. At the command prompt, type the following command, and then press ENTER:
net start ntds
19. Open Event Viewer, and check the Directory Service log for errors.
20. If the following events are logged in the Directory Service log in Event Viewer when you
restart AD DS, stop AD DS, and then resolve the event issues as follows:
Event ID 1046. The Active Directory database engine caused an exception with the
following parameters. In this case, AD DS cannot recover from this error and you
must restore AD DS from backup.
Event ID 1168. Internal error: An Active Directory error has occurred. In this case,
information is missing from the registry and you must restore AD DS from backup.
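The following function is an added example, not part of this guide; it checks the result of steps 12b through 12i on the folder that now holds the database or log files. It reports whether inheritance from the parent is disabled, whether SYSTEM and Administrators each have Allow Full Control, and whether any other account (including an unresolved SID, as the Note above describes) remains in the ACL. The default path is an assumption; pass the destination folder from step 12. It requires Windows PowerShell 3.0 or later for the [PSCustomObject] syntax.

```powershell
# Added example (not from the guide): verify that only SYSTEM and Administrators,
# each with Full Control, are in the ACL of the NTDS folder and that inheritance
# from the parent is disabled, as steps 12b through 12i require.
function Test-NtdsFolderPermissions {
    param([string]$Path = (Join-Path $env:SystemRoot 'NTDS'))  # assumed default location

    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
    $expected    = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    $acl         = Get-Acl -LiteralPath $Path
    $problems    = @()

    # Step 12d: inheritable permissions from the parent must no longer apply.
    if (-not $acl.AreAccessRulesProtected) {
        $problems += 'Inheritable permissions from the parent are still applied (step 12d)'
    }

    $seen = @{}
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($expected -notcontains $who) {
            # Step 12i: anything other than SYSTEM and Administrators must be removed,
            # including entries that show up only as a SID.
            $kind = if ($who -like 'S-1-*') { 'unresolved SID' } else { 'extra account' }
            $problems += "Remove $kind $who ($($ace.AccessControlType) $($ace.FileSystemRights)) (step 12i)"
        }
        elseif ($ace.AccessControlType -eq 'Allow' -and
                ($ace.FileSystemRights -band $fullControl) -eq $fullControl) {
            $seen[$who] = $true   # step 12h satisfied for this account
        }
        else {
            $problems += "$who has $($ace.AccessControlType) $($ace.FileSystemRights), not Allow Full Control (step 12h)"
        }
    }

    # Steps 12e through 12h: both accounts must be present with Full Control.
    foreach ($who in $expected) {
        if (-not $seen[$who]) { $problems += "$who is missing Allow Full Control (steps 12e-12h)" }
    }

    [PSCustomObject]@{
        Path      = $Path
        Compliant = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

# Usage: run before step 13; a Compliant value of False lists what still needs changing.
Test-NtdsFolderPermissions -Path (Join-Path $env:SystemRoot 'NTDS') | Format-List
```

Run the check again after the files have been moved back if the move was temporary, because the destination folder, not the original, is the one whose permissions were edited.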
See Also
If the Database Integrity Check Fails, Perform Semantic Database Analysis with Fixup
Copy the Directory Database and Log Files to a Remote Share
Recovering Active Directory Domain Services
If you need to move the database file or the log files while you reconfigure the drive on which they
are currently stored and you do not have enough space to move the files locally, you can use the
xcopy command to copy the files to a remote shared folder temporarily and then use the same
procedure to copy them back to the original drive. Use this method only if the path to the files
does not change.
Important
When you relocate any database files (the database file or the log files) off the local
computer, always copy both the database file and the log files so that all the files that are
necessary to restore the directory service are maintained.
If you have enough space locally on the domain controller and you do not want to copy database
files to a remote share, you can use Ntdsutil to move the files to a local folder. For information
about moving the database files, see Move the Directory Database and Log Files to a Local
Drive.
On a domain controller that is running Windows Server 2008, you do not have to restart the
domain controller in Directory Services Restore Mode (DSRM) to copy database files. You can
stop the Active Directory Domain Services (AD DS) service and then restart the service after you
copy the files to their permanent location. For information about restartable AD DS, see the
Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?
LinkId=88649).
Membership in Builtin Administrators, or equivalent, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To copy the directory database and log files to a remote share and back to the local
computer
1. Before you stop AD DS, prepare a shared directory on a remote server in the domain.
Create separate subdirectories for the database files and log files. Allow access only to
the Builtin Administrators group.
2. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide credentials, if required, and then click Continue.
3. At the command prompt, type the following command, and then press ENTER:
net stop ntds
Value
Description
\\<ServerName>\<SharedFolderName>
/user:<domainName>\<userName>
For example, if you shared the \TempCopy directory on the server named SERVER1, the
following command maps network drive G: to the shared location and provides the
domain and user name for user tonip5:
net use G: \\server1\tempcopy /user:contoso\tonip5 *
7. Use the xcopy command to copy the database files to the location that you established in
step 6. Type the following command, and then press ENTER:
xcopy \<PathToDatabaseFiles> <NetworkDrive>:\<DatabaseSubdirectory>
This command copies the contents of the local folder for the database to the named
subfolder in the remote shared folder. For example, the following command copies the
database files from their location on the domain controller to the DB subdirectory on the
mapped drive G:
xcopy \windows\ntds G:\DB
8. Repeat step 7 to copy the log files. For example, the following command copies the log
files to the Logs subdirectory on the mapped drive G:
xcopy \windows\ntds\*.log G:\Logs
9. Change drives to the remote directory and run the dir command in each subdirectory to
compare the file sizes to the file sizes that are listed in step 5. Use this step to ensure
that you copy the correct set of files back to the local computer.
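The following function is an added example, not part of this guide; it performs the comparison that step 9 describes, and goes one step further. Step 9 compares only file sizes; a copy that was truncated or corrupted on the way to the remote share can still have the right size, so the function also compares a SHA-256 hash of each file before step 10 destroys the original drive. The default paths are assumptions that match the xcopy examples above (\windows\ntds, G:\DB and G:\Logs); Get-FileHash requires Windows PowerShell 4.0 or later.

```powershell
# Added example (not from the guide): compare the database and log files on the
# domain controller with the copies on the mapped remote share, by size as in
# step 9 and additionally by SHA-256 hash, before the original drive is destroyed.
function Compare-NtdsCopy {
    param(
        [string]$Source      = (Join-Path $env:SystemRoot 'NTDS'),  # assumed, as in the xcopy example
        [string]$Destination = 'G:\DB',                               # mapped drive from step 6
        [string]$Filter      = '*'                                    # '*.log' for the log subdirectory
    )

    foreach ($src in Get-ChildItem -LiteralPath $Source -Filter $Filter -File) {
        $dst = Join-Path $Destination $src.Name
        if (-not (Test-Path -LiteralPath $dst)) {
            [PSCustomObject]@{ Name = $src.Name; SourceBytes = $src.Length
                               DestinationBytes = $null; Status = 'Missing in destination' }
            continue
        }

        $dstItem = Get-Item -LiteralPath $dst
        $status  = if ($src.Length -ne $dstItem.Length) {
                       'Size mismatch'
                   } elseif ((Get-FileHash -LiteralPath $src.FullName -Algorithm SHA256).Hash -ne
                             (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash) {
                       'Hash mismatch'
                   } else {
                       'OK'
                   }

        [PSCustomObject]@{ Name = $src.Name; SourceBytes = $src.Length
                           DestinationBytes = $dstItem.Length; Status = $status }
    }
}

# Usage: after step 8 and before step 10, with AD DS still stopped so the files are
# not changing underneath the comparison. Every row must read OK before continuing.
Compare-NtdsCopy -Destination 'G:\DB' | Format-Table -AutoSize
Compare-NtdsCopy -Destination 'G:\Logs' -Filter '*.log' | Format-Table -AutoSize
```

The same function, with Source and Destination swapped, verifies the copy back in step 12 before the integrity check in step 16.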
10. At this point, you can safely destroy data on the original local drive.
11. After the destination drive is prepared, re-establish a connection to the network drive as
described in step 6, if necessary.
12. Use the method in step 7 to copy the database and log files from the remote shared
folder back to the original location on the domain controller.
13. At the command prompt, type ntdsutil, and then press ENTER.
14. At the ntdsutil prompt, type activate instance ntds, and then press ENTER.
15. At the ntdsutil prompt, type files, and then press ENTER.
16. At the file maintenance: prompt, type integrity, and then press ENTER.
If the integrity check fails, see If the Database Integrity Check Fails, Perform Semantic
Database Analysis with Fixup.
17. If the integrity check succeeds, type quit, and then press ENTER to quit the file
maintenance: prompt. Type quit again, and then press ENTER to quit Ntdsutil.exe.
18. At the command prompt, type the following command, and then press ENTER:
net start ntds
19. Open Event Viewer, and check the Directory Service log for errors.
20. If the following events are logged in the Directory Service log in Event Viewer when
AD DS restarts, resolve the events as follows:
Event ID 1046. The Active Directory database engine caused an exception with the
following parameters. In this case, AD DS cannot recover from this error and you
must restore AD DS from backup.
Event ID 1168. Internal error: An Active Directory error has occurred. In this case,
information is missing from the registry and you must restore AD DS from backup.
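The following function is an added example, not part of this guide; it automates step 20 of this procedure and of the local-move procedure above, which both end the same way. After net start ntds, it reports the state of the NTDS service and any Event ID 1046 or 1168 written to the Directory Service log since the restart, together with the action the guide prescribes for each. The event IDs and log name are the ones the guide gives; the default 30-minute window is an assumption.

```powershell
# Added example (not from the guide): after restarting AD DS, check the Directory
# Service log for the two events that step 20 says require a restore from backup.
function Get-NtdsRestartProblems {
    param([datetime]$Since = (Get-Date).AddMinutes(-30))   # assumed window covering the restart

    $service = Get-Service -Name NTDS
    $events  = Get-WinEvent -FilterHashtable @{
                   LogName   = 'Directory Service'
                   Id        = 1046, 1168
                   StartTime = $Since
               } -ErrorAction SilentlyContinue   # no events is the healthy outcome, not an error

    $findings = foreach ($e in $events) {
        $action = switch ($e.Id) {
            1046 { 'Database engine exception: AD DS cannot recover; restore AD DS from backup' }
            1168 { 'Internal error, registry information missing; restore AD DS from backup' }
        }
        [PSCustomObject]@{ Time = $e.TimeCreated; Id = $e.Id; Action = $action }
    }

    [PSCustomObject]@{
        ServiceStatus = $service.Status
        Healthy       = ($service.Status -eq 'Running' -and -not $findings)
        Findings      = @($findings)
    }
}

# Usage: immediately after step 18. Healthy = True means neither event was logged;
# otherwise stop AD DS (net stop ntds) and follow the listed action.
Get-NtdsRestartProblems | Format-List
```

Keep the window wide enough to include the moment AD DS was started; an event written a few seconds before the default window opens would otherwise be missed.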
See Also
If the Database Integrity Check Fails, Perform Semantic Database Analysis with Fixup
Move the Directory Database and Log Files to a Local Drive
Recovering Active Directory Domain Services
Only offline defragmentation can return unused disk space from the directory database to the file
system. When database contents have decreased considerably through a bulk deletion (for
example, when you remove the global catalog from a domain controller), or if the size of the
database backup is significantly increased as a result of the amount of free disk space, use offline
defragmentation to reduce the size of the Ntds.dit file.
You can determine how much free disk space is recoverable from the Ntds.dit file by setting the
garbage collection logging level in the registry. Changing the garbage collection logging level from
the default value of 0 to a value of 1 results in event ID 1646 being logged in the directory service
log. This event describes the total amount of disk space that the database file uses as well as the
amount of free disk space that is recoverable from the Ntds.dit file through offline
defragmentation.
At garbage collection logging level 0, only critical events and error events are logged in the
Directory Service log. These events include Event IDs 700 and 701, which report when online
defragmentation begins and ends, respectively. At level 1, higher-level events are logged as well.
At level 1, Event ID 1646 is also reported, which indicates the amount of free space that is
available in the database relative to the amount of allocated space.
Caution
Setting the value of entries in the Diagnostics subkey to greater than 3 can degrade
server performance and is not recommended.
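The following script is an added example, not part of this guide; it sets the garbage collection logging level described above and reads the resulting Event ID 1646 so the recoverable space can be read without opening Event Viewer. The Diagnostics subkey under the NTDS service key, the level semantics (0 by default, 1 to log Event ID 1646, never more than 3) and the phrase "Total allocated hard disk space (megabytes)" come from this guide; the value name "6 Garbage Collection" is the name that subkey uses for this entry and is not given on this page. The parsing assumes each figure in the event text appears as "<label> (megabytes): <number>" on its own line.

```powershell
# Added example (not from the guide): raise garbage collection logging to level 1
# and read the free-space figures that Event ID 1646 reports afterwards.
$DiagnosticsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$GcValueName    = '6 Garbage Collection'   # value name in the Diagnostics subkey (not given in the guide)

function Set-AdGarbageCollectionLogging {
    # The guide cautions against values greater than 3, so the range is capped there.
    param([ValidateRange(0, 3)][int]$Level = 1)

    Set-ItemProperty -Path $DiagnosticsKey -Name $GcValueName -Value $Level -Type DWord
    # Return the value as stored so the caller can confirm the change took effect.
    (Get-ItemProperty -Path $DiagnosticsKey -Name $GcValueName).$GcValueName
}

function Get-AdDatabaseSpaceReport {
    param([int]$Newest = 1)   # how many 1646 events to return, newest first

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1646 } `
                           -MaxEvents $Newest -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull every "<label> (megabytes): <n>" line out of the message; the first
        # is "Total allocated hard disk space (megabytes)" as quoted in the guide.
        $figures = @{}
        $pattern = '(?m)^\s*(?<label>[^:\r\n]+\(megabytes\)):\s*(?<mb>\d+)'
        foreach ($m in [regex]::Matches($e.Message, $pattern)) {
            $figures[$m.Groups['label'].Value.Trim()] = [int]$m.Groups['mb'].Value
        }
        [PSCustomObject]@{ Time = $e.TimeCreated; Figures = $figures }
    }
}

# Usage (elevated session): set the level, then read the event after the next
# garbage collection pass has run and written Event ID 1646.
Set-AdGarbageCollectionLogging -Level 1
Get-AdDatabaseSpaceReport | Format-List
```

Set the level back to 0 once the figures have been collected; the extra events have no value outside a planned defragmentation.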
On domain controllers that are running Windows Server 2008, offline defragmentation does not
require restarting the domain controller in Directory Services Restore Mode (DSRM), as is
required on domain controllers that are running versions of Windows Server 2000 and
Windows Server 2003. You can use a new feature in Windows Server 2008, restartable Active
Directory Domain Services (AD DS), to stop the AD DS service. When the service is stopped,
services that depend on AD DS shut down automatically. However, any other services that are
running on the domain controller, such as Dynamic Host Configuration Protocol (DHCP), continue
to run and respond to clients. For more information about restartable AD DS, see the
Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?
LinkId=88649).
After offline defragmentation completes, perform a database integrity check. The integrity
command in Ntdsutil.exe detects binary-level database corruption by reading every byte in the
database file. This process ensures that the correct headers exist in the database itself and that
all of the tables are functioning and consistent. Therefore, depending on the size of your Ntds.dit
file and the domain controller hardware, the process might take considerable time. In testing
environments, the speed of 2 gigabytes (GB) per hour is considered to be typical. When you run
the command, an online graph displays the percentage completed.
If the database integrity check fails, you must perform semantic database analysis.
Task requirements
The following tools are required to perform the procedures for this task:
Regedit.exe
Ntdsutil.exe
See Also
Compact the Directory Database File (Offline Defragmentation)
Current database drive. Free space (on the drive that contains the Active Directory
database file) equivalent of at least 15 percent of the current size of the database (Ntds.dit)
for temporary storage during the index rebuild process.
Destination database drive. Free space equivalent to at least the current size of the
database for storage of the compacted database file.
Note
These disk space requirements mean that if you compress the Active Directory database
on a single drive, you should have free space equivalent to at least 115 percent of the
space that the current Active Directory database uses on that drive.
Remote directory: If you are compacting the database file to a shared folder on a
remote computer, before you stop AD DS, prepare a shared directory on a remote
server in the domain. For example, create the share \\ServerName\NTDS. Allow
access to only the Builtin Administrators group. On the domain controller, map a
network drive to this shared folder.
Important
You should make a copy of the existing Ntds.dit file if at all possible, even if you
have to store that copy on a network drive. If the compaction of the database
does not work properly, you can then easily restore the database by copying
back the copy of the Ntds.dit file that you made. Do not delete this copy of the
Ntds.dit file until you have verified that the domain controller starts properly.
instance ntds,
Caution
Do not overwrite the original Ntds.dit file or delete any log files.
9. If defragmentation succeeds with no errors, follow the Ntdsutil.exe onscreen instructions
to:
a. To delete all the log files in the log directory, type the following command, and then
press ENTER:
del <drive>:\<pathToLogFiles>\*.log
Ntdsutil provides the correct path to the log files in the onscreen instructions.
Note
You do not have to delete the Edb.chk file.
b. You should make a copy of the existing Ntds.dit file if at all possible, even if you have
to store that copy on a secured network drive. If the compaction of the database does
not work properly, you can then easily restore the database by copying it back to the
original location. Do not delete the copy of the Ntds.dit file until you have at least
verified that the domain controller starts properly. If space allows, you can rename
the original Ntds.dit file to preserve it. Avoid overwriting the original Ntds.dit file.
c. Manually copy the compacted database file to the original location, as follows:
copy <temporaryDrive>:\ntds.dit <originalDrive>:\<pathToOriginalDatabaseFile>\ntds.dit
Ntdsutil provides the correct paths to the temporary and original locations of the
Ntds.dit file.
10. At the command prompt, type ntdsutil, and then press ENTER.
11. At the ntdsutil: prompt, type files, and then press ENTER.
12. At the file maintenance: prompt, type integrity, and then press ENTER.
If the integrity check fails, the likely cause is that an error occurred during the copy
operation in step 9.c. Repeat steps 9.c through step 12. If the integrity check fails again:
Copy the original version of the Ntds.dit file that you preserved in step 9.b. to the
original database location, and repeat the offline defragmentation procedure.
14. Restart AD DS. At the command prompt, type the following command, and then press
ENTER:
Event ID 1046. The Active Directory database engine caused an exception with the
following parameters. In this case, AD DS cannot recover from this error and you must
restore from backup media.
Event ID 1168. Internal error: An Active Directory error has occurred. In this case,
information is missing from the registry and you must restore from backup media.
Copy the original version of the Ntds.dit file that you preserved in step 9.b. to the original
database location and repeat the offline defragmentation procedure.
If the integrity check succeeds, follow the steps in the procedure If the Database Integrity
Check Fails, Perform Semantic Database Analysis with Fixup.
4. If semantic database analysis with fixup succeeds, quit Ntdsutil.exe, and then restart AD DS.
At the command prompt, type the following command, and then press ENTER:
net start ntds
If semantic database analysis with fixup fails, contact Microsoft Customer Service and Support.
See Also
If the Database Integrity Check Fails, Perform Semantic Database Analysis with Fixup
into Dsdit.dmp.xx log files. A progress indicator reports the status of the check. You can use this
procedure to perform semantic database analysis with fixup.
Note
To perform this procedure, Active Directory Domain Services (AD DS) must be offline. On
domain controllers that are running Windows Server 2008, you can take AD DS offline by
stopping the service. Otherwise, the domain controller must be started in Directory
Services Restore Mode (DSRM). For information about stopping the AD DS service on
domain controllers that are running Windows Server 2008, see the Windows Server 2008
Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=88649).
For information about performing this procedure in DSRM, see If database integrity check
fails, perform semantic database analysis with fixup on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=121568).
Membership in Builtin Administrators, or equivalent, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To perform semantic database analysis with fixup
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
net stop ntds
instance ntds,
database analysis,
6. At the semantic checker: prompt, type verbose on, and then press ENTER.
7. At the semantic checker: prompt, type go fixup, and then press ENTER.
If errors are reported during the semantic database analysis Go Fixup phase, perform
directory database recovery: Go to the file maintenance: prompt, type recover, and
then press ENTER.
8. At the command prompt, type the following command, and then press ENTER:
net start ntds
Additional references
Step-by-Step Guide for Windows Server 2008 Active Directory Domain Services Installation
and Removal (http://go.microsoft.com/fwlink/?LinkId=86727)
Install tools that you can use to administer Active Directory Domain Services (AD DS)
remotely
task that you perform when you initially deploy your forest, and it is beyond the scope of this
guide. However, as your forest grows, you might need to add more domain controllers to existing
domains.
Additional domain controllers might be needed to provide upgrades and fault tolerance and to
reduce failures.
You might add a new site where users require a domain controller for logging on to the
domain.
Many improvements to the installation process are available in Windows Server 2008. For
information about new Windows Server 2008 features and options, see What's New in AD DS
Installation and Removal (http://go.microsoft.com/fwlink/?LinkId=103330). For information about
the criteria and best practices for deploying domain controllers, see Planning Domain Controller
Placement (http://go.microsoft.com/fwlink/?LinkId=120383).
Install the domain controller in the hub site, and then ship the installed domain controller to
the site.
Ship the server computer to the branch site, and then install AD DS in the branch site.
When you install the domain controller in the branch site, the server can receive AD DS in
one of two ways:
running Windows Server 2003 using installation media that is created on a domain controller that
is running Windows Server 2008. An improvement in the requirements for Windows Server 2008
domain controllers over the requirements for Windows Server 2003 domain controllers is that the
hardware platform (32-bit or 64-bit) of the two computers does not have to match.
Although information in this guide is specific to installing writable domain controllers in branch
office sites, in Windows Server 2008 forests, RODCs are the recommended domain controller
installation for branch office sites. For information about using IFM to install RODCs, see
Planning and Deploying Read-only Domain Controllers (http://go.microsoft.com/fwlink/?
LinkId=120840).
Install Remote Server Administration Tools (RSAT) on a member server that is running
Windows Server 2008 or on a client computer that is running Windows Vista with Service
Pack 1 (SP1). RSAT include a selection for Active Directory Domain Services Tools. You can
install these tools on a non-domain-controller computer in the domain and then use this
computer to manage domain controllers remotely.
Prepare for Active Directory installation. Proper preparation decreases the chances of
problems occurring during and after the installation.
Install an additional domain controller in an existing domain. This task involves preparation
steps of gathering information and configuring the TCP/IP and Domain Name System (DNS)
client settings. You can use the following methods to install Active Directory Domain Services
(AD DS) on a server to create an additional domain controller in an existing domain:
Run the Active Directory Domain Services Installation Wizard, and use Active Directory
replication to create the Active Directory replica and either the File Replication Service
(FRS) or Distributed File System (DFS) Replication to create the SYSVOL replicas.
Run the Active Directory Domain Services Installation Wizard, and use installation from
media (IFM) to create the Active Directory replica.
Note
By default, SYSVOL is created on the new domain controller by replication from a
source domain controller. It does not come from the installation media. Obtaining
SYSVOL from installation media requires additional procedures. For information
about the process for configuring the server to obtain SYSVOL from installation
media, see article 311078 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkId=70809).
Run the Active Directory Domain Services Installation Wizard, and use an answer file to
provide the information that the Active Directory Domain Services Installation Wizard
requires. You can create an answer file by using the Export feature in the Active Directory
Domain Services Installation Wizard during domain controller installation.
Verify installation. Perform tests to verify that AD DS is properly installed and the domain
controller is functioning.
Add domain controllers to remote sites. When you prepare and ship an additional domain
controller to a remote site, you can either install the domain controller before shipping or
install the domain controller in the remote site. This process is different if you are installing an
RODC. For information about installing RODCs in remote sites, see the Step-by-Step Guide
for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).
When you install a domain controller in a hub site or staging site before shipment, you
must disconnect the domain controller for a period, which requires careful preparation.
When you reconnect the domain controller, Active Directory replication brings the domain
controller up to date.
When you install the domain controller in the remote site, you can use installation media
that is prepared from an existing domain controller to avoid having to replicate AD DS
over a wide area network (WAN) link.
Rename a domain controller. You may have to rename a domain controller for organizational
or administrative reasons.
Force the removal of a nonfunctioning domain controller from a domain. If a domain controller
is not functioning properly on the network, the Active Directory Domain Services Installation
Wizard cannot contact other domain controllers and DNS servers that are required for
Active Directory removal. In this case, you can invoke a special version of the wizard to
forcefully remove objects from AD DS that represent the server as a domain controller.
This section includes the following tasks for managing domain controllers:
Tools, double-click Active Directory Domain Services Tools, and then click Next.
4. Click Install.
5. Click the message that indicates you must restart the server, and then click Yes to restart
the server or click No to restart the server later.
6. After the server restarts, on the Installation Results page of the Resume Configuration
Wizard, click Close. The Active Directory Domain Services Administration Tools are
available on the Administrative Tools menu.
We cannot guarantee the interoperability of any antivirus software with DFS Replication, including
any tests recommended in this guide. The need for extensive testing can be avoided completely
by asking your antivirus software vendor to disclose its tested interoperability with DFS
Replication. Vendors that have tested their software are happy to stand by their products. For a
list of antivirus software vendors, see article 49500 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkId=22381).
Stability issues
Memory leaks
The following recommendations are general and should not be construed as more important than
the specific recommendations of your antivirus software vendor. These guidelines must be
followed for correct Active Directory file replication operation:
Antivirus software must be installed on all domain controllers in the enterprise. Ideally, such
software should also be installed on all other server and client computers that have to interact
with the domain controllers. Catching the virus at the earliest point, at the firewall or at the
client computer on which the virus is first introduced, is the best way to prevent the virus
from ever reaching the infrastructure systems on which all client computers depend.
Use a version of antivirus software that is confirmed to work with AD DS and that uses the
correct application programming interfaces (APIs) for accessing files on the server. Some
versions of antivirus software inappropriately modify file metadata as it is scanned, causing
the FRS replication engine to perceive a file as having changed and to schedule it for
replication. Some newer versions of antivirus software prevent this problem. For more
information about antivirus software versions and FRS, see article 815263 in the Microsoft
Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=120540) and see the vendor-specific
sites for compliant versions.
Verify antivirus compatibility with DFS Replication, as described in Testing Antivirus
Application Interoperability with DFS Replication (http://go.microsoft.com/fwlink/?LinkId=122787).
Note
If you are using ForeFront Client Security, see article 956123 in the Microsoft
Knowledge Base for a hotfix (http://go.microsoft.com/fwlink/?LinkId=131409).
Prevent the use of domain controller systems as general workstations. Users should not use
a domain controller to surf the Web or to perform any other activities that can allow the
introduction of malicious code. Allow browsing of known safe sites only for the purpose of
supporting server operation and maintenance.
When possible, do not use a domain controller as a file sharing server. Virus scanning
software must be run against all files in the shared folders, and it can place a large resource
load on the processor and memory resources of the server. For the same reason, the
SYSVOL and Netlogon shares that are automatically created on domain controllers should
not be used to distribute software or to store data.
Main NTDS database files. The location of these files is specified in:
HKLM\System\Services\NTDS\Parameters\DSA Database File
The default location is %systemroot%\ntds.
File to exclude:
Ntds.dit
Active Directory transaction log files. The log directory on any given server is specified in:
HKLM\System\Services\NTDS\Parameters\Database Log Files Path
The default location is %systemroot%\ntds.
Files to exclude:
EDB*.log (Notice the wildcard symbol; there can be several log files.)
Edbres00001.jrs
Edbres00002.jrs
TEMP.edb
EDB.chk
SYSVOL folder                                                          Scan or Exclude
%systemroot%\SYSVOL                                                    Exclude
%systemroot%\SYSVOL\domain                                             Scan
%systemroot%\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory    Exclude
%systemroot%\SYSVOL\domain\policies                                    Scan
%systemroot%\SYSVOL\domain\scripts                                     Scan
%systemroot%\SYSVOL\staging                                            Exclude
%systemroot%\SYSVOL\staging areas                                      Exclude
%systemroot%\SYSVOL\sysvol                                             Exclude
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Root
System Volume Information\DFSR folders and their contents (includes DFSR.DB). This
system-protected directory contains working files for the DFS Replication service. It should
not be scanned because these files are always in use by the service.
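The exclusion lists above give default locations, but the database, log and SYSVOL paths are whatever the registry says they are on a given domain controller. The following is an added example (not code from this guide or from Microsoft) that reads those locations from the registry and produces the exclusion list for that server, flagging entries that do not exist so a mistyped exclusion is noticed before it is loaded into the antivirus console. It assumes the full key names HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters (the guide abbreviates this key) and HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, and the value names "DSA Database file", "Database log files path" and "SysVol" as they appear on a Windows Server 2008 domain controller; the function name is mine.

```powershell
# Added example, not from the guide: build the antivirus exclusion list for a
# domain controller from the registry, so the list matches the actual database,
# log and SYSVOL locations rather than the %systemroot%\ntds defaults.
# Assumptions: full key names are HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
# and ...\Services\Netlogon\Parameters (the guide abbreviates the NTDS key); the
# value names 'DSA Database file', 'Database log files path' and 'SysVol' are as
# written on a Windows Server 2008 domain controller. Run on the domain controller.

function Get-AdDsAntivirusExclusions {
    [CmdletBinding()]
    param()

    $ntdsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $defaultNtds = Join-Path $env:SystemRoot 'ntds'

    # Database and log locations; fall back to the documented defaults if a value is absent.
    $ntds    = Get-ItemProperty -Path $ntdsKey -ErrorAction Stop
    $dbFile  = $ntds.'DSA Database file'
    $logPath = $ntds.'Database log files path'
    if (-not $dbFile)  { $dbFile  = Join-Path $defaultNtds 'ntds.dit' }
    if (-not $logPath) { $logPath = $defaultNtds }
    $dbDir = Split-Path -Parent $dbFile

    # SYSVOL share root, e.g. C:\Windows\SYSVOL\sysvol; its parent is the SYSVOL tree.
    $sysvolShare = (Get-ItemProperty -Path $netlogonKey -ErrorAction SilentlyContinue).SysVol
    if (-not $sysvolShare) { $sysvolShare = Join-Path $env:SystemRoot 'SYSVOL\sysvol' }
    $sysvolRoot  = Split-Path -Parent $sysvolShare
    $sysvolDrive = Split-Path -Qualifier $sysvolRoot      # e.g. C:

    $excludeFiles = @(
        $dbFile,
        (Join-Path $dbDir   'temp.edb'),
        (Join-Path $logPath 'edb.chk'),
        (Join-Path $logPath 'edb*.log'),
        (Join-Path $logPath 'edbres0000*.jrs')
    )
    $excludeFolders = @(
        (Join-Path $sysvolRoot 'staging'),
        (Join-Path $sysvolRoot 'staging areas'),
        (Join-Path $sysvolRoot 'sysvol'),
        (Join-Path $sysvolRoot 'domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory'),
        (Join-Path $sysvolDrive 'System Volume Information\DFSR')
    )
    # Folders the guide says must still be scanned: policies and logon scripts are
    # executed by every client, so malicious content there would spread domain-wide.
    $scanFolders = @(
        (Join-Path $sysvolRoot 'domain\policies'),
        (Join-Path $sysvolRoot 'domain\scripts')
    )

    # Flag entries that do not exist: a typo in an exclusion silently leaves the real
    # file under scan, and FRS/DFSR then sees the metadata changes the guide describes.
    # System Volume Information is access-restricted and may show up here even when present.
    $missing = @()
    foreach ($entry in ($excludeFiles + $excludeFolders)) {
        if (-not (Test-Path -Path $entry -ErrorAction SilentlyContinue)) { $missing += $entry }
    }

    New-Object PSObject -Property @{
        ExcludeFiles   = $excludeFiles
        ExcludeFolders = $excludeFolders
        ScanFolders    = $scanFolders
        NotFound       = $missing
    }
}

# Usage: print the lists so they can be transferred to the antivirus console.
$x = Get-AdDsAntivirusExclusions
'Exclude files:';   $x.ExcludeFiles
'Exclude folders:'; $x.ExcludeFolders
'Keep scanning:';   $x.ScanFolders
if ($x.NotFound) { 'Not found on this server (verify before excluding):'; $x.NotFound }
```

The wildcard entries (edb*.log, edbres0000*.jrs) are kept as patterns because the log set grows and shrinks; most antivirus consoles accept them as written, and the registry-derived folder is what matters when the logs have been moved off the system drive.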
DNS configuration
The DNS Client service is always present on a server running Windows Server 2008. A DNS
server must be present in an Active Directory forest, and the DNS server must store DNS data for
the server computer that you are installing. You should configure both the DNS client and the
DNS server to ensure that name resolution and related dependencies will function as expected
during the installation of AD DS.
For ease of administration, install the DNS Server service when you install AD DS. When you use
the Active Directory Domain Services Installation Wizard to install the DNS Server service, DNS
zones, zone delegations, root hints or forwarders, and DNS client settings are configured
automatically.
Ensure that any required configuration, forwarders, or zones are present and accessible before
installation. For more information about DNS configuration in preparation for domain controller
installation, see Integrating AD DS into an Existing DNS Infrastructure
(http://go.microsoft.com/fwlink/?LinkId=120585).
Site placement
During Active Directory installation, the Active Directory Domain Services Installation Wizard
attempts to place the new domain controller in the appropriate site. You can select a source
replication partner, the site for the new domain controller, or both when you use the wizard to
install AD DS. The appropriate site is determined by the domain controller's IP address and
subnet mask. The wizard uses the IP information to calculate the subnet address of the domain
controller. The wizard then checks to see if a subnet object exists in the directory for that subnet
address. If the subnet object exists, the wizard uses it to place the new server object in the
appropriate site. If the subnet object does not exist and you do not specify a site, the wizard places
the new server object in the same site as the domain controller that is being used as a source to
replicate the directory database to the new domain controller. Make sure that the subnet object
has been created and that it is associated with the target site before you run the wizard. For
information about creating a subnet and associating it with a site, see Create a Subnet Object or
Objects and Associate them with a Site.
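To check before running the wizard whether a subnet object covers the new server, the lookup described above can be reproduced from any domain-joined machine. This is an added example, not code from this guide: it computes the subnet address from the IP address and mask exactly as the paragraph describes, then searches CN=Subnets,CN=Sites in the configuration partition for an object with that name and reports the associated site. It assumes an exact match on the subnet name (the page describes a single IP/mask pair, so no longest-prefix search is attempted), LDAP reachability to a domain controller, and IPv4; the function names and the sample address in the usage are mine.

```powershell
# Added example, not from the guide: reproduce the wizard's site lookup.
# Assumptions: exact match on the subnet object's cn (e.g. 10.20.30.0/24),
# IPv4 only, and a reachable domain controller for the LDAP search.

function Get-SubnetName {
    # Returns the AD subnet object name, e.g. 10.20.30.0/24, for an IPv4 address and mask.
    param(
        [Parameter(Mandatory=$true)][string]$IPAddress,
        [Parameter(Mandatory=$true)][string]$SubnetMask
    )
    $ip   = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $mask = [System.Net.IPAddress]::Parse($SubnetMask).GetAddressBytes()
    $net  = New-Object byte[] 4
    $prefixLength = 0
    for ($i = 0; $i -lt 4; $i++) {
        $net[$i] = $ip[$i] -band $mask[$i]
        # Count the one bits in this octet of the mask to get the prefix length.
        $prefixLength += ([Convert]::ToString($mask[$i], 2) -replace '0', '').Length
    }
    $network = (New-Object System.Net.IPAddress -ArgumentList (,$net)).IPAddressToString
    return "$network/$prefixLength"
}

function Find-AdSubnetSite {
    param(
        [Parameter(Mandatory=$true)][string]$IPAddress,
        [Parameter(Mandatory=$true)][string]$SubnetMask
    )
    $subnetName = Get-SubnetName -IPAddress $IPAddress -SubnetMask $SubnetMask
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $subnets  = [ADSI]"LDAP://CN=Subnets,CN=Sites,$configNc"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($subnets)
    $searcher.Filter      = "(&(objectClass=subnet)(cn=$subnetName))"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    [void]$searcher.PropertiesToLoad.Add('siteObject')
    $result = $searcher.FindOne()

    if ($result -eq $null) {
        # No subnet object: the wizard falls back to the source DC's site unless a site is chosen.
        return New-Object PSObject -Property @{
            Subnet = $subnetName
            Site   = $null
            Note   = 'No subnet object found; create one and associate it with the target site first.'
        }
    }
    $siteDn = [string]$result.Properties['siteobject'][0]
    # The site name is the RDN of the siteObject DN, e.g. CN=Branch01,CN=Sites,CN=Configuration,...
    # (a naive split; site names containing an escaped comma are not handled).
    $siteName = (($siteDn -split ',')[0] -replace '^CN=', '')
    New-Object PSObject -Property @{ Subnet = $subnetName; Site = $siteName; Note = $siteDn }
}

# Usage (address and mask constructed for illustration):
# Find-AdSubnetSite -IPAddress 10.20.30.45 -SubnetMask 255.255.255.0
```

If the result has no Site, create the subnet object and associate it with the intended site before starting the wizard, or explicitly select the site on the Select a Site page; otherwise the new server object lands in the source domain controller's site and replication topology for the branch is wrong from the start.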
Domain connectivity
During the installation process, the Active Directory Domain Services Installation Wizard must
communicate with other domain controllers to join the new domain controller to the domain. The
wizard must communicate with a member of the domain to receive the initial copy of the directory
database for the new domain controller. The wizard communicates with the domain controller that
holds the domain naming operations master (also known as flexible single master operations or
FSMO) role for domain installations only, so that the new domain controller can be added to the
domain. The wizard must also contact the relative ID (RID) operations master so that the new
domain controller can receive its RID pool, and the wizard must communicate with another
domain controller in the domain to populate the SYSVOL shared folder on the new domain
controller. All of this communication depends on proper DNS installation and configuration. By
using Dcdiag.exe, you can test all of these connections before you start the Active Directory
Domain Services Installation Wizard.
Task requirements
During the installation process, the wizard must communicate with other domain controllers to
add this new domain controller to the domain and get the appropriate information into the
Active Directory database. To maintain security, you must provide credentials that allow
administrative access to the directory.
Before you begin your installation, the following conditions must exist in your environment:
If you are installing a new domain controller in a child domain, there should be at least two
properly functioning domain controllers in the forest root domain.
DNS must be functioning properly. In this guide, it is assumed that you are using
Active Directory-integrated DNS zones. You must have configured at least one domain
controller as a DNS server.
The Active Directory Domain Services Installation Wizard asks for the following specific
configuration information before it begins installing AD DS:
The fully qualified DNS name of the domain to which the new domain controller will be
added
Dcdiag.exe
Network Connections
Because all Dcdiag tests include a connectivity test, this procedure also tests TCP/IP connectivity.
To complete this procedure, you must have Dcdiag.exe installed on the server. During the initial
part of the installation of AD DS, you use Server Manager to add the Active Directory Domain
Services server role. This part of the installation procedure installs the Dcdiag.exe command line
tool. The second part of the installation process, running Dcpromo.exe, actually installs AD DS.
Perform the Dcdiag test procedure after you add the Active Directory Domain Services server role
but before you run Dcpromo.exe.
Note
If you do not want to install the Active Directory Domain Services server role at this time,
you can install the Active Directory Domain Services Administration Tools, which include
Dcdiag.exe, by using Add Features in Server Manager. For information about using Add
Features to install the Active Directory Domain Services Administration Tools, see
Installing Remote Server Administration Tools for AD DS.
Membership in Domain Admins, or equivalent, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To verify the DNS infrastructure and registrations
1. If you do not want to install AD DS at this time but you want to perform DNS verification
tests, install the Active Directory Domain Services Administrative Tools, as described in
Installing Remote Server Administration Tools for AD DS, and then go to step 9.
2. If you want to install Dcdiag.exe during the installation of AD DS and run the DNS test
before you run Dcpromo.exe, click Start, and then click Server Manager.
3. In Roles Summary, click Add Roles.
4. Review the information on the Before You Begin page, and then click Next.
5. On the Select Server Roles page, click Active Directory Domain Services, and then
click Next.
6. Review the information on the Active Directory Domain Services page, and then click
Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Installation Results page, do not click Close this wizard and launch the Active
Directory Domain Services Installation Wizard (dcpromo.exe). First, perform steps 9
and 10. When you have completed the Dcpromo test successfully, return to the
Installation Results page and continue with the installation of the Active Directory
Domain Services server role.
9. Open a Command Prompt window as an administrator: On the Start menu, right-click
Command Prompt, and then click Run as administrator. If the User Account Control
dialog box appears, provide Domain Admins credentials, if required, and then click
Continue.
10. At the command prompt, type the following command, and then press ENTER:
See Also
Move a Server Object to a New Site
First, use Server Manager to add the Active Directory Domain Services server role. This part
of the installation procedure installs the Dcdiag.exe command line tool. Perform this
procedure after you add the server role but before you run Dcpromo.exe.
Use the /s command option to indicate the name of an existing domain controller in the
domain of the new domain controller. This domain controller is required to verify the ability of
the server to connect to operations master role holders in the domain and forest.
You do not have to use the /s option if you perform the test in this procedure after you install
AD DS. The test automatically runs on the local domain controller where you are performing the
test. The commands in this procedure show the /s option. If you are performing this test after you
install AD DS, omit the /s option. For a more detailed response from this command, you can use
the verbose option by adding /v to the end of the command.
Membership in Domain Admins, or equivalent, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To verify the availability of the operations masters
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command to ensure that the operations
masters can be located, and then press ENTER:
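The DNS verification procedure and the operations master check above are both Dcdiag runs whose pass/fail lines are read by eye. The following is an added example, not code from this guide, that runs the two checks from PowerShell and turns the Dcdiag text into a pass/fail object so a build or deployment script can refuse to start Dcpromo when either check fails. It assumes Dcdiag.exe is on the path (installed with the AD DS server role or the administration tools) and uses Dcdiag's /test:DcPromo (with /DnsDomain and /ReplicaDC), /test:FsmoCheck, /s to name an existing domain controller, and /v for verbose output; the function names and the server and domain names in the usage are mine.

```powershell
# Added example, not from the guide: run the pre-promotion Dcdiag checks and
# parse the "passed test"/"failed test" summary lines into objects.
# Assumptions: dcdiag.exe on the path; switches /test:DcPromo /DnsDomain /ReplicaDC,
# /test:FsmoCheck, /s and /v as documented for Dcdiag.

function Invoke-DcdiagTest {
    param([Parameter(Mandatory=$true)][string[]]$Arguments)
    $output  = & dcdiag.exe @Arguments 2>&1 | ForEach-Object { [string]$_ }
    $results = @()
    foreach ($line in $output) {
        # Dcdiag summarises each test as "... <target> passed test <Name>" or "... failed test <Name>".
        if ($line -match '(\S+)\s+(passed|failed) test (\S+)') {
            $results += New-Object PSObject -Property @{
                Target = $matches[1]
                Test   = $matches[3]
                Passed = ($matches[2] -eq 'passed')
            }
        }
    }
    New-Object PSObject -Property @{
        ExitCode = $LASTEXITCODE
        Results  = $results
        Output   = $output
    }
}

function Test-ReplicaDcPrerequisites {
    param(
        [Parameter(Mandatory=$true)][string]$DnsDomain,    # domain the new DC will join
        [string]$ExistingDc,                                # for /s; omit when run on a DC after promotion
        [switch]$Detailed                                   # adds /v
    )
    $extra = @()
    if ($Detailed) { $extra += '/v' }
    $target = @()
    if ($ExistingDc) { $target += "/s:$ExistingDc" }

    # 1. DNS infrastructure and registration checks for adding a replica domain controller.
    $dns  = Invoke-DcdiagTest -Arguments ($target + @('/test:DcPromo', "/DnsDomain:$DnsDomain", '/ReplicaDC') + $extra)
    # 2. Operations master (FSMO) role holders must be locatable and reachable.
    $fsmo = Invoke-DcdiagTest -Arguments ($target + @('/test:FsmoCheck') + $extra)

    $all    = @($dns.Results) + @($fsmo.Results)
    $failed = @($all | Where-Object { -not $_.Passed })
    New-Object PSObject -Property @{
        Ready     = ($all.Count -gt 0 -and $failed.Count -eq 0)   # no summary lines at all is also not ready
        Failed    = $failed
        DnsExit   = $dns.ExitCode
        FsmoExit  = $fsmo.ExitCode
        RawOutput = $dns.Output + $fsmo.Output
    }
}

# Usage (domain and server names constructed):
# $r = Test-ReplicaDcPrerequisites -DnsDomain corp.contoso.com -ExistingDc DC01 -Detailed
# if (-not $r.Ready) { $r.Failed | Format-Table Target, Test, Passed; $r.RawOutput }
```

Ready is false both when a test fails and when no summary line was parsed at all (for example, Dcdiag not found or the server name wrong), so a script cannot proceed on an empty result. Keep RawOutput for the verbose text, since the parsed lines only say which test failed, not why.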
Command-line installation, by using unattend parameters that either specify a source domain
controller or allow the replication system to select a replication partner.
The following methods use installation media as the source for Active Directory installation, which
avoids replication of AD DS:
Before you perform the installation procedures, prepare the server for installation according to the
instructions in Preparing for Active Directory Installation. To ensure successful installation of a
new domain controller, verify that all critical services that AD DS depends on are configured
according to Requirements for Installing AD DS (http://go.microsoft.com/fwlink/?LinkId=120603).
If you are installing the first Windows Server 2008 domain controller in an existing
Windows Server 2000 or Windows Server 2003 domain, see the domain and forest preparation
information in Installing an Additional Windows Server 2008 Domain Controller
(http://go.microsoft.com/fwlink/?LinkID=93254).
For information about best practices for planning, testing, and deploying AD DS, see the AD DS
Design Guide (http://go.microsoft.com/fwlink/?LinkID=116282) and see the AD DS Deployment
Guide (http://go.microsoft.com/fwlink/?LinkId=116283).
This section includes the following tasks for installing a domain controller in an existing domain:
See Also
Preparing for Active Directory Installation
When you complete the Add Roles Wizard in Server Manager, click the link to start the
Active Directory Domain Services Installation Wizard.
Click Start, click Run, type dcpromo.exe, and then click OK.
If you use the advanced options in the Active Directory Domain Services Installation Wizard, you
can control how AD DS is installed on the server, either by installation from media (IFM) or by
replication:
IFM: You can provide a location for installation media that you have created by using
Ntdsutil.exe or that you have created by restoring a critical-volume backup of a similar
domain controller in the same domain to an alternate location. If you create the installation
media by using Ntdsutil, you have the option to create secure installation media for a read-only
domain controller (RODC). In this case, the Ntdsutil process removes cached secrets
(such as passwords) from the installation media. For information about using IFM to install an
RODC, see Planning and Deploying Read-Only Domain Controllers
(http://go.microsoft.com/fwlink/?LinkId=120840). You can also create installation media by
restoring an Active Directory backup to an alternate location. For information about creating
installation media by restoring a critical-volume backup to an alternate location, see Restoring
a Critical-Volume Backup to an Alternate Location (http://go.microsoft.com/fwlink/?LinkId=120612).
Replication: You can specify a domain controller in the domain from which to replicate AD DS.
See Also
Installing an Additional Domain Controller by Using Unattend Parameters
Installing an Additional Domain Controller by Using Unattend Parameters
3. Review the information on the Before You Begin page, and then click Next.
4. On the Select Server Roles page, click Active Directory Domain Services, and then
click Next.
5. Review the information on the Active Directory Domain Services page, and then click
Next.
6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, click Close this wizard and launch the Active
Directory Domain Services Installation Wizard (dcpromo.exe).
8. On the Welcome to the Active Directory Domain Services Installation Wizard page,
click Next.
You can click Use advanced mode installation to see additional installation options.
Specifically, click Use advanced mode installation if you want to install from media or
identify the source domain controller for Active Directory replication.
9. On the Operating System Compatibility page, review the warning about the default
security settings for Windows Server 2008 domain controllers, and then click Next.
10. On the Choose a Deployment Configuration page, click Existing forest, click Add a
domain controller to an existing domain, and then click Next.
11. On the Network Credentials page, type the name of any existing domain in the forest
where you plan to install the additional domain controller. Under Specify the account
credentials to use to perform the installation, click My current logged on
credentials or click Alternate credentials, and then click Set. In the Windows Security
dialog box, provide the user name and password for an account that can install the
additional domain controller. To install an additional domain controller, you must be a
member of the Enterprise Admins group or the Domain Admins group. When you are
finished providing credentials, click Next.
12. On the Select a Domain page, select the domain of the new domain controller, and then
click Next.
13. On the Select a Site page, select a site from the list or select the option to install the
domain controller in the site that corresponds to its IP address, and then click Next.
14. On the Additional Domain Controller Options page, make the following selections, and
then click Next:
DNS server: This option is selected by default so that your domain controller can
function as a DNS server. If you do not want the domain controller to be a DNS
server, clear this option.
Note
If you select the option to make this domain controller a DNS server, you
might receive a message that indicates that a DNS delegation for the DNS
server could not be created and that you should manually create a DNS
delegation to the DNS server to ensure reliable name resolution. If you are
installing an additional domain controller in either the forest root domain or a
tree root domain, you do not have to create the DNS delegation. In this case,
click Yes, and disregard the message.
Global Catalog: This option is selected by default. It adds the global catalog, read-only
directory partitions to the domain controller, and it enables global catalog search
functionality.
Read-only domain controller. This option is not selected by default. It makes the
additional domain controller a read-only domain controller (RODC).
15. If you selected Use advanced mode installation on the Welcome page, the Install
from Media page appears. You can provide the location of installation media to be used
to create the domain controller and configure AD DS, or you can have all source
replication occur over the network. Note that some data will be replicated over the
network even if you install from media. For information about using this method to install
the domain controller, see Installing an Additional Domain Controller by Using IFM.
16. If you selected Use advanced mode installation on the Welcome page, the Source
Domain Controller page appears. Click Let the wizard choose an appropriate
domain controller or click Use this specific domain controller to specify a domain
controller that you want to provide as a source for replication to create the new domain
controller, and then click Next. If you do not choose to install from media, all data will be
replicated from this source domain controller.
17. On the Location for Database, Log Files, and SYSVOL page, type or browse to the
volume and folder locations for the database file, the directory service log files, and the
SYSVOL files, and then click Next.
Windows Server Backup backs up the directory service by volume. For backup and
recovery efficiency, store these files on separate volumes that do not contain applications
or other nondirectory files.
18. On the Directory Services Restore Mode Administrator Password page, type and
confirm the restore mode password, and then click Next. This password must be used to
start AD DS in Directory Services Restore Mode (DSRM) for tasks that must be
performed offline.
19. On the Summary page, review your selections. Click Back to change any selections, if
necessary.
To save the settings that you have selected to an answer file that you can use to
automate subsequent Active Directory operations, click Export settings. Type the name
for your answer file, and then click Save.
When you are sure that your selections are accurate, click Next to install AD DS.
Note
If you are installing an additional domain controller in a child domain and you are
using child domain credentials, the Windows Security dialog box appears
because access is denied in the parent domain to update the DNS delegation in
the parent zone. In this case, click the other user icon and provide administrator
credentials for the parent domain, and then click OK.
20. On the Completing the Active Directory Domain Services Installation Wizard page,
click Finish.
21. You can select Reboot on completion to have the server restart automatically, or you
can restart the server to complete the installation of AD DS when you are prompted to do
so.
See Also
Preparing for Active Directory Installation
Verifying Active Directory Installation
You cannot use IFM to create the first domain controller in a domain. A
Windows Server 2008-based domain controller must be running in the domain before you
can perform IFM installations.
The media that you use to create additional domain controllers must be taken from a domain
controller in the same domain as the domain of the new domain controller.
If the domain controller that you are creating is to be a global catalog server, the media for the
installation must be created on an existing global catalog server in the domain.
To install a domain controller that is a Domain Name System (DNS) server, you must create
the installation media on a domain controller that is a DNS server in the domain.
To create installation media for a full (writable) domain controller, you must run the ntdsutil
ifm command on a writable domain controller that is running Windows Server 2008.
Note
You cannot run the ntdsutil ifm command on a domain controller that runs
Windows Server 2003. However, you can create a system state backup of a
Windows Server 2003 domain controller, restore the backup to an alternate location,
and then use the dcpromo /adv command to create a Windows Server 2003 domain
controller. For information about performing IFM installations on domain controllers
that are running Windows Server 2003, see Installing a Domain Controller in an
Existing Domain Using Restored Backup Media (http://go.microsoft.com/fwlink/?LinkId=120623).
To create installation media for a read-only domain controller (RODC), you can run the
ntdsutil ifm command on either a writable domain controller or an RODC that runs
Windows Server 2008. For RODC installation media, Ntdsutil removes any cached secrets,
such as passwords. For more information about installing and managing RODCs, see the
Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).
You can use a 32-bit domain controller to generate installation media for a 64-bit domain
controller, and the reverse is also true. The ability to mix processor types for IFM installations
is new in Windows Server 2008.
Ntdsutil.exe can create the two types of installation media, as described in the following table.
Type of installation media
Parameter
Description
Parameter
Description
Create RODC
PathToMediaFolder
Task requirements
The following tools are required to perform the procedures for this task:
Ntdsutil.exe
Dcpromo.exe
See Also
Verifying Active Directory Installation
Adding Domain Controllers in Remote Sites
On a read-only domain controller (RODC), a delegated user can create the installation media.
However, that user can create only RODC installation media (not installation media for a writable
domain controller) on an RODC.
To create installation media for IFM
1. Open a command prompt as an administrator: Click Start, right-click Command Prompt,
and then click Run as administrator.
2. Type the following command, and then press ENTER:
ntdsutil
3. At the ntdsutil prompt, type the following command, and then press ENTER:
activate instance ntds
4. At the ntdsutil prompt, type the following command, and then press ENTER:
ifm
5. At the ifm prompt, type the command for the type of installation media that you want to
create, and then press ENTER. For example, to create installation media for a read-write
domain controller, type the following command:
Create full <Drive>:\<InstallationMediaFolder>
Where <Drive>:\<InstallationMediaFolder> is the path to the folder where you want the
installation media to be created. You can save the installation media to a network shared
folder or to removable media.
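The interactive ntdsutil session above can be driven non-interactively by passing the same commands as arguments, which is how IFM media creation is usually scripted. The following is an added example, not code from this guide: it runs the activate instance / ifm / create sequence from the procedure, checks that the media was actually written, and restricts the folder's ACL. Full (writable) media contains a copy of Ntds.dit, and therefore the password hashes of every account in the domain, so the folder is handled like a domain controller backup: readable only by administrators and SYSTEM, and deleted after the promotion as step 4 of the IFM install procedure requires. It assumes the media folder contains "Active Directory\ntds.dit" after a successful run and uses icacls for the ACL; the function name and the path in the usage are mine.

```powershell
# Added example, not from the guide: scripted IFM media creation with the
# ntdsutil commands from the procedure, followed by a completeness check and
# an ACL restriction. Assumptions: 'Active Directory\ntds.dit' exists inside the
# media folder on success; icacls is used for the ACL; keep the path free of
# spaces because it is passed inside one ntdsutil command string.

function New-IfmMedia {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [ValidateSet('Full', 'Rodc')][string]$Type = 'Full'   # 'create full' or 'create rodc'
    )
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated command prompt; ntdsutil requires it.'
    }
    if (Test-Path $Path) { throw "Refusing to overwrite existing folder $Path" }

    # Same sequence as the interactive session: activate instance ntds -> ifm -> create ... -> quit -> quit
    $createCmd = "create $($Type.ToLower()) $Path"
    $out = & ntdsutil.exe 'activate instance ntds' 'ifm' $createCmd 'quit' 'quit' 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "ntdsutil failed (exit $LASTEXITCODE):`n$($out -join "`n")"
    }

    # ntdsutil's exit code is not a reliable success signal, so check the database copy is present.
    $dit = Join-Path $Path 'Active Directory\ntds.dit'
    if (-not (Test-Path $dit)) { throw "Media incomplete: $dit not found" }

    # The media holds domain secrets (full media) or a secrets-stripped copy (RODC media):
    # drop inherited ACEs and allow only Administrators and SYSTEM.
    & icacls.exe $Path /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

    New-Object PSObject -Property @{
        Path      = $Path
        Type      = $Type
        DitSizeMB = [math]::Round((Get-Item $dit).Length / 1MB, 1)
        Created   = Get-Date
    }
}

# Usage (path constructed): create full media for a writable domain controller.
# New-IfmMedia -Path C:\IFM -Type Full
# Copy the folder to the new server over a protected channel, promote, then delete both copies.
```

RODC media is produced on the same command path with -Type Rodc; as the guide says, Ntdsutil strips cached secrets from it, which is why a delegated RODC administrator is allowed to create that type and not full media.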
When you create additional domain controllers in the domain, you can refer to the shared folder
or removable media where you store the installation media as follows:
In the Active Directory Domain Services Installation Wizard: on the Install from Media page
See Also
Create an Answer File for Unattended Domain Controller Installation
Installing an Additional Domain Controller by Using IFM
Windows interface: Provide the location on the Install from Media page in the
Active Directory Domain Services Installation Wizard.
Unattended installation: Use the /ReplicationSourcePath parameter in the answer file for an
unattended installation.
Command line: Use the /ReplicationSourcePath unattend parameter at the command line.
Membership in the Domain Admins group in the domain into which you are installing the
additional domain controller, or the equivalent, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To install AD DS from IFM media by using the Windows interface
1. Use the procedure Install an Additional Domain Controller by Using the Windows
Interface. In step 8, select Use advanced mode installation.
2. In step 15, select the install from media option and provide the location of the installation
media.
3. Complete the remaining pages of the Active Directory Domain Services Installation
Wizard.
4. After the installation operation completes successfully and the computer is restarted,
remove the folder that contains the IFM media from the local disk.
To install AD DS from IFM media by using an answer file
1. Create an answer file by using one of the following methods:
During the procedure Install an Additional Domain Controller by Using the Windows
Interface, select the Export settings option to save the installation settings to a file.
This file is an answer file that you can use to install an additional domain controller in
the same domain.
Use the procedure Create an Answer File for Unattended Domain Controller
Installation to create an answer file. Include the /ReplicationSourcePath parameter
to specify the location of the IFM media.
2. Use the procedure Install an Additional Domain Controller by Using an Answer File to
install AD DS.
To install AD DS from IFM media by using unattend parameters from the command line
1. Use the procedure Install an Additional Domain Controller by Using Unattend Parameters
from the Command Line to install AD DS.
2. During the procedure, use the /ReplicationSourcePath parameter to specify the location
of the IFM media.
See Also
Preparing for Active Directory Installation
Verifying Active Directory Installation
In an answer file: You can manually create an answer file that contains unattend parameters
to specify the settings for a domain controller, including such values as its name, domain,
site, and whether it is a writable domain controller or read-only domain controller (RODC).
You can also create an answer file automatically by exporting installation settings to a file
during an Active Directory Domain Services Installation Wizard installation.
Note
For information about installing RODCs, see Step-by-Step Guide for Read-only
Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728) and Planning and
Deploying Read-Only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=120840).
From the command line: You can type the parameters and values manually at the command
line.
Dcpromo.exe
See Also
Installing an Additional Domain Controller by Using IFM
Installing an Additional Domain Controller by Using the Windows Interface
The answer file that you use to install an additional domain controller in an existing
domain must have the /ReplicaOrNewDomain and /ReplicaDomainDNSName
parameters specified.
The answer file that you use to install a domain controller from media must have the
/ReplicationSourcePath parameter specified.
Any account that has Read and Write privileges for the text editor application is the minimum
required to complete this procedure. Review details about using the appropriate accounts and
group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To create an answer file for installing a new domain controller
1. Open Notepad or any text editor.
2. On the first line, type [DCINSTALL], and then press ENTER.
3. Create the following entries, one entry on each line. These options are the minimum
options that are required for an additional domain controller installation with Domain
Name System (DNS) and the global catalog installed and configured automatically.
For a complete list of unattended installation options, including default values, allowed
values, and descriptions, see Promotion Operation (http://go.microsoft.com/fwlink/?LinkID=120626).
UserName=SAM account name that has Domain Admins credentials in the target
domain. This account must be used by the administrator who runs the Dcpromo
command.
UserDomain=Domain name for the user account in UserName
Password=Password for the account in UserName. If you leave this blank, Dcpromo
prompts the installer for a password during installation. Dcpromo deletes this value after
installation.
If you want to include all application directory partitions, use the value *.
If you want to include specific application directory partitions, type the distinguished
name of each directory partition. Separate each distinguished name with a space,
and enclose the entire list in quotation marks, as shown in the following example:
ApplicationPartitionsToReplicate="dc=app1,dc=contoso,dc=com
dc=app2,dc=contoso,dc=com"
5. Save the answer file to the location on the installation server from which it is to be called
by Dcpromo, or save the file to a network shared folder or removable media for
distribution.
See Also
Install an Additional Domain Controller by Using an Answer File
Install an Additional Domain Controller by Using Unattend Parameters from the Command Line
At the command prompt, type the following command, and then press ENTER:
dcpromo /unattend:"<path to the answer file>"
See Also
Preparing for Active Directory Installation
Create an Answer File for Unattended Domain Controller Installation
Verifying Active Directory Installation
At a command prompt, type the following command. When you have typed all the options
that are required to create the additional domain controller, press ENTER.
dcpromo /unattend /<unattendOption>:<value> /<unattendOption>:<value> ...
Where:
<unattendOption>
<value>
The following example creates an additional domain controller with the global catalog,
and it installs and configures the DNS Server service:
dcpromo /unattend /InstallDns:yes /confirmGC:yes /replicaOrNewDomain:replica
/databasePath:"e:\ntds" /logPath:"e:\ntdslogs" /sysvolpath:"g:\sysvol"
/safeModeAdminPassword:FH#3573.cK /rebootOnCompletion:yes
DNS Manager
Event Viewer
Dcdiag.exe
Ntdsutil.exe
See Also
Move a Server Object to a New Site
specified in the query, configure conditional forwarding appropriately. For information about using
forwarding and conditional forwarding for DNS name resolution, see Using Forwarding
(http://go.microsoft.com/fwlink/?LinkId=26353).
Note
Root hints is the recommended method of recursive name resolution for Active Directory
integrated DNS in Windows Server 2008 forests. For more information about configuring
DNS for Windows Server 2008 forests, see the AD DS Deployment Guide
(http://go.microsoft.com/fwlink/?LinkId=116283).
Membership in Domain Admins, or equivalent, is required to complete this procedure. Review
details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To configure DNS server forwarders
1. If your network uses root hints as the DNS forwarding method, you do not have to
perform any additional configuration. Root hints are configured automatically during installation.
Do not continue to step 2.
2. If you have to configure forwarders, open the DNS snap-in, and continue to step 3.
3. In the console tree, right-click ComputerName (where ComputerName is the computer
name of the domain controller), and then click Properties.
4. In the ComputerName properties sheet (where ComputerName is the name of the
domain controller), on the Forwarders tab, click Edit.
5. Click the text entry area where indicated, type an IP address or DNS name for a DNS
server that will receive forwarded DNS queries, and then click OK.
6. When the IP address resolves to the server's fully qualified domain name (FQDN) on the
Forwarders tab, click OK.
The following tools are required to perform the procedures for this task:
DNS snap-in
Network Connections
See Also
Verify DNS Client Settings
The preferred Domain Name System (DNS) server is added to the DNS servers list of the
DNS client settings.
See Also
Verify DNS Server Configuration for a Domain Controller
Look for a message that states that <ComputerName> passed test NetLogons, where
<ComputerName> is the name of the domain controller. If you do not see the passed test
message, check the permissions that are set on the Scripts and Sysvol shared folders.
For information about default SYSVOL permissions, see Reapply Default SYSVOL
Security Settings.
Note
For more detailed replication information, use the /v option.
If this test fails, open Event Viewer and check for errors in the Directory Service log. Use
the information in the ActiveDirectory_DomainService replication events to troubleshoot
the problem.
To receive more detailed information, including the SPNs that are found for the domain
controller, use the /v option.
Ship the computer as a workgroup computer, and install AD DS on it in the remote site. If you
do not have administrative support in the remote site, enable Remote Desktop on the
computer before you ship the computer so that you can perform the installation remotely. In
the remote site, you can either:
Install AD DS from installation media that has been shipped to the site on removable
media.
Install AD DS on the server in a hub or staging site, and then ship the installed domain
controller to the remote site.
Both methods have advantages and disadvantages, and both methods require care to ensure the
secure transfer of Active Directory data, whether it is installed or in the form of removable media.
For information about the advantages and disadvantages of shipping a server to a remote site
before or after installing AD DS, see Known Issues for Adding Domain Controllers in Remote
Sites.
For recommended practices for adding domain controllers to remote sites for the method that you
are using, see Best Practices for Adding Domain Controllers in Remote Sites.
By reviewing issues and guidelines, you can decide the best method of adding domain controllers
in remote sites for your environment. By following the instructions in this guide, you can safely
and securely install domain controllers in remote sites, either locally or remotely.
Note
On servers that are running Windows Server 2008, you can install a read-only domain
controller (RODC), which is ideal for providing AD DS in remote sites without incurring the
security risks of a writable domain controller. For information about installing and
managing RODCs in remote sites, see Planning and Deploying Read-Only Domain
Controllers (http://go.microsoft.com/fwlink/?LinkID=120709).
This section includes the following tasks, known issues, and best practices for adding domain
controllers in remote sites:
Specify a volume on the installation computer as the location for the media when you run the
ntdsutil ifm command. For information about the effects of the location on the installation
process, see Preparing a Server Computer for Shipping and Installation from Media.
Create the media locally, and then copy ("burn") the installation media onto removable media,
such as a portable disk drive, CD, or DVD, which can be shipped with the installation
computer when it leaves the staging site, or it can be shipped separately.
Create the media locally, and then transfer the installation media to the local hard drive of the
workgroup computer before it leaves the staging site.
For information about the advantages and disadvantages of these methods, see Preparing a
Server Computer for Shipping and Installation from Media.
The following best practices optimize data security and consistency when you add domain
controllers in remote sites:
Upgrade to Windows Server 2008. Windows Server 2008 includes an enhanced version of
Ntdsutil.exe that you can use to create installation media, rather than using a restored system
state backup as is required in Windows Server 2003. Ntdsutil.exe in Windows Server 2008
includes a new ifm command that creates installation media for additional domain controllers.
The installation media that is created by this command contains only the items that are
required for installing AD DS: the Ntds.dit database file and the registry. You can create media
for a full (writable) installation of AD DS or for a read-only domain controller (RODC)
installation. For the RODC installation, the ntdsutil ifm command creates secure installation
media by removing secrets, such as passwords, from the Active Directory data. You create
the media by using Volume Shadow Copy Service (VSS), taking a fraction of the time that is
required to create a backup. For information about upgrading the forest to
Windows Server 2008, see the AD DS Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=116283).
Note
On a domain controller that is running Windows Server 2008, you cannot restore a
system state backup to an alternate location. Instead, use the ntdsutil ifm command
to create installation media.
Create media on the type of domain controller that you want to add. You must create
installation media on the type of domain controller that you want to add. If you want to add a
global catalog server in the remote site, run the ntdsutil ifm command on a global catalog
server in the domain. If you want to add a DNS server, run the ntdsutil ifm command on a
domain controller that is a DNS server in the domain.
Take the same security precautions when you ship removable installation media, or a
server computer that contains installation media, as you would when you ship an
installed domain controller. For information about securing domain controllers, see the Best
Practice Guide for Securing Windows Server Active Directory Installations
(http://go.microsoft.com/fwlink/?LinkId=28521).
Minimize the time between media creation and installation. Minimizing this delay reduces
the number of updates that will be required to replicate after installation.
Install the operating system before you ship the server to the remote site. Installing the
operating system requires expertise that might not be available at branch sites. Ideally,
installation routines are available in the staging site to automate the operating system
installation process and ensure uniformity for all domain controllers (partition sizes, drive
letter assignments, and so on). As part of the operating system installation, apply a
standardized set of hotfixes plus any available service packs to ensure service consistency
throughout the forest.
Ship the server as a member of a workgroup rather than a member server in a domain.
If the server is joined to a domain and then stolen during shipment, information about domain
names, DNS suffixes, and the number of domains in the forest can aid attackers in their
attempts to compromise or steal directory data.
Ship computers with properly configured IP, subnet mask, default gateway, and DNS
server addresses. Remember to reconfigure the server with TCP/IP settings that are
appropriate to the target site, not the staging site.
Enable Remote Desktop on the server computer before shipping. This best practice
assumes that you want to install and manage AD DS remotely rather than employing an
administrator with Domain Admins credentials in each remote site.
Configure the tombstone lifetime appropriately. Ensure that the tombstone lifetime is not
lowered below the default value. The default tombstone lifetime in a forest that is created on a
domain controller running Windows 2000 Server or Windows Server 2003 is 60 days. The
default tombstone lifetime in a forest that is created on a server running
Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2
(SP2), Windows Server 2003 R2, or Windows Server 2008 is 180 days. If you must
disconnect a domain controller for a period of several weeks or months, before you
disconnect the domain controller, do the following:
Determine the value of the tombstone lifetime for the forest. This value is stored in
the tombstoneLifetime attribute of CN=Directory
Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ForestRootDomain.
Determine the maximum length of time that the domain controller can be
disconnected safely. From the tombstone lifetime number of days, subtract a generous
estimate of the number of days that are required for end-to-end replication latency. The
resulting amount of time is the maximum period for which the domain controller can be
disconnected safely, without danger of expired deletions (tombstones) remaining on the
domain controller.
Determine whether to extend the tombstone lifetime for the forest. If you estimate
the maximum time of disconnection to be longer than the tombstone lifetime, you must
determine whether to extend the tombstone lifetime or perform the procedure to remove
lingering objects from the domain controller after it is reconnected. If you extend the
tombstone lifetime, you must also make sure that all domain controllers have adequate
disk space to store additional tombstones. In addition, make sure that replication of the
tombstone lifetime change has reached all potential source domain controllers before you
run Dcpromo to install an additional domain controller.
Ensure that strict replication consistency is enabled on all domain controllers. Strict
replication consistency is a registry setting that, when it is enabled, stops inbound
replication of a directory partition from a source domain controller that is suspected of having
a lingering object. Strict replication consistency should be enabled for the forest to prevent
the reintroduction of a lingering object into the directory. You can use the repadmin /regkey
command to enable this setting on a specific domain controller or on all domain controllers in
the forest, as described in Enable Strict Replication Consistency.
Monitor the Knowledge Consistency Checker (KCC) topology and replication to ensure
that unintended long disconnections are detected. By monitoring replication, you can
detect disconnections that occur as a result of network failures, service failures, or
configuration errors. Use the Active Directory Management Pack or other monitoring
application to implement a monitoring solution for your Active Directory deployment. Event
IDs to monitor include 1311, 1388, 1925, 1988, 2042, 2087, and 2088.
Ship computers with properly configured IP, subnet mask, default gateway, and DNS
server addresses. Remember to reconfigure the server with TCP/IP settings that are
appropriate to the target site, not the staging site.
Prepare the registry for automatic nonauthoritative restore of SYSVOL when the
domain controller restarts. This recommendation applies only when you use FRS to
replicate SYSVOL. For FRS replication of SYSVOL, the nonauthoritative restore prevents the
domain controller from having to reconcile and process deletions and modifications that took
place from the time of the last SYSVOL update to the time that the domain controller is
restarted in the new site, which improves synchronization time. For information about
preparing for nonauthoritative restore of SYSVOL, see Prepare a domain controller for
nonauthoritative SYSVOL restart (http://go.microsoft.com/fwlink/?LinkId=122831). This
additional configuration is not required for Distributed File System (DFS) Replication of
SYSVOL because DFS Replication processes updates differently.
Ensure that the domain controller replicates successfully with all replication partners.
Immediately before you disconnect the domain controller, force replication with its partners.
Check that replication has succeeded before you disconnect the domain controller.
Label the domain controller. When you disconnect the domain controller, attach a label to
the computer that identifies the date and time of disconnection, the destination, and the IP
settings.
When you reconnect the domain controller, update SYSVOL as quickly as possible.
The domain controller does not serve as a domain controller until SYSVOL has been updated
through replication. If the site has one or more other domain controllers in the same domain,
start the domain controller anytime. If the site contains no other domain controller in the same
domain, time the restart of the domain controller to coincide with the beginning of intersite
replication.
To avoid time skew issues, ensure that the system clock is synchronized with the
domain source on startup. When you start the domain controller in the remote site, use the
following command to ensure that the domain controller uses the domain hierarchy to
synchronize time:
w32tm /resync /computer:<PDCEmulatorHostName>
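The tombstone-lifetime and strict-replication-consistency checks from the list above, as an added PowerShell example that is not part of the guide: it reads tombstoneLifetime from the Directory Service object in the configuration partition, subtracts a replication-latency estimate to get the maximum safe disconnection period, and reads the strict replication consistency registry value on the domain controller. The NTDS registry path and value name, and the repadmin /regkey +strict switch, are the documented locations of that setting but are not quoted on this page; the domain controller name, latency estimate and planned disconnection period are placeholders you supply.

```powershell
# Added example (not part of the guide): pre-disconnection checks for a domain controller,
# run from a domain member as a Domain Admin. Names and day counts are placeholders.
function Get-ForestTombstoneLifetime {
    # Reads tombstoneLifetime from CN=Directory Service,CN=Windows NT,CN=Services in the
    # configuration partition. When the attribute is unset, the forest uses the built-in
    # 60-day default (forests created before Windows Server 2003 SP1).
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    $ds       = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value    = $ds.Properties['tombstoneLifetime'].Value
    if ($null -eq $value) { return 60 }
    return [int]$value
}

function Get-MaxSafeDisconnectionDays {
    param([int]$TombstoneLifetimeDays, [int]$ReplicationLatencyDays = 7)
    # Subtract a generous end-to-end replication latency estimate, as the guide recommends;
    # the result is the longest the DC can stay offline without expired tombstones
    # (lingering-object risk) remaining on it.
    return $TombstoneLifetimeDays - $ReplicationLatencyDays
}

function Test-StrictReplicationConsistency {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Reads the NTDS registry value that "repadmin /regkey <DC> +strict" sets; 1 = enabled.
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $key = $base.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
        if ($null -eq $key) { return $false }     # not a domain controller
        return ([int]$key.GetValue('Strict Replication Consistency', 0) -eq 1)
    }
    finally { $base.Close() }
}

function Test-DcDisconnectionReadiness {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$PlannedDisconnectionDays,
        [int]$ReplicationLatencyDays = 7
    )
    $tsl = Get-ForestTombstoneLifetime
    $max = Get-MaxSafeDisconnectionDays -TombstoneLifetimeDays $tsl `
                                        -ReplicationLatencyDays $ReplicationLatencyDays
    $result = [pscustomobject]@{
        DomainController             = $ComputerName
        TombstoneLifetimeDays        = $tsl
        MaxSafeDisconnectionDays     = $max
        PlannedDisconnectionDays     = $PlannedDisconnectionDays
        DisconnectionWithinLimit     = ($PlannedDisconnectionDays -le $max)
        StrictReplicationConsistency = (Test-StrictReplicationConsistency -ComputerName $ComputerName)
    }
    if (-not $result.DisconnectionWithinLimit) {
        Write-Warning ("Planned {0} days exceeds the {1}-day safe limit: extend the tombstone " +
                       "lifetime or plan lingering-object removal after reconnection." -f
                       $PlannedDisconnectionDays, $max)
    }
    if (-not $result.StrictReplicationConsistency) {
        Write-Warning "Strict replication consistency is disabled on $ComputerName; enable it with: repadmin /regkey $ComputerName +strict"
    }
    return $result
}

# Example call with constructed values:
# Test-DcDisconnectionReadiness -ComputerName 'BRANCH-DC01' -PlannedDisconnectionDays 45
```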
See Also
Known Issues for Adding Domain Controllers in Remote Sites
Preparing a Server Computer for Shipping and Installation from Media
Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection
Reconnecting a Domain Controller After a Long-Term Disconnection
Ship the member computer to the remote site, and then use the install from media (IFM)
method to install Active Directory Domain Services (AD DS) on that computer. IFM uses
previously prepared installation media as the source for the installation of AD DS in the
remote site, avoiding replication from a source domain controller.
Install AD DS in the hub site by using the normal Dcpromo method or the IFM method, and
then ship the installed domain controller to the remote site.
SYSVOL replication
SYSVOL is a shared folder that stores files that must be available and synchronized among all
domain controllers in a domain. SYSVOL contains Net Logon scripts, Group Policy settings, and
either File Replication Service (FRS) or Distributed File System (DFS) Replication staging
directories and files, depending on the replication method in use for replicating DFS folders.
Replication of the SYSVOL folder is required for AD DS to function properly.
The primary focus for both methods of installing additional domain controllers in remote sites is to
avoid the replication of AD DS over a wide area network (WAN) between the remote site and the
hub site. Each method accomplishes this goal. However, depending on the size of your SYSVOL,
you might also be concerned about replication of SYSVOL files over the network. When you use
the IFM method to install a domain controller, SYSVOL is replicated from a domain controller in
the domain unless you perform preliminary procedures. For information about using installation
media as the source for SYSVOL during IFM installation of AD DS when you use DFS Replication
to replicate SYSVOL, see Planning and Deploying Read-Only Domain Controllers
(http://go.microsoft.com/fwlink/?LinkId=120840). If you use FRS to replicate SYSVOL, see
article 311078 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=70809).
You can install many domain controllers from a single source of installation media.
You do not have to disconnect a functioning domain controller from the replication topology.
Therefore, you can avoid the disadvantages that are associated with a domain controller that
does not replicate. For information about the problems that are associated with domain
controller disconnection, see Issues with Installing Domain Controllers Before Shipping Them
to the Remote Site.
You avoid replicating AD DS over a WAN link, particularly a link that requires a dial-up
connection.
If you enable Remote Desktop on the server before you ship it, you do not have to employ an
administrator with Domain Admins credentials in the remote site. You can also use Remote
Server Administration Tools (RSAT) to manage AD DS remotely. You can install the tools on a
member server that is running Windows Server 2008 or on a workstation that is running
Windows Vista with Service Pack 1 (SP1). For information about installing these tools, see
Installing Remote Server Administration Tools for AD DS.
Note
If you do not need a writable domain controller in a remote site, you can install a
read-only domain controller (RODC) in the remote site. RODCs do not require
administrative credentials for management. For information about using RODCs in
remote sites, see Planning and Deploying Read-Only Domain Controllers
(http://go.microsoft.com/fwlink/?LinkID=120709).
Domain Admins credentials and remote installation. If you install a writable domain
controller, an administrator must have Domain Admins credentials to install AD DS. Assuming
that you do not employ a service administrator with this level of administrative credentials in
each branch site, a domain administrator in the hub site must be able to connect remotely to
the server to perform the installation. Therefore, you must enable Remote Desktop on the
server before you ship it to the remote site.
Bridgehead server load balancing. If installation media are sent to many sites and if
enough domain controllers are promoted at the same time, you might experience
performance issues with the bridgehead servers that are the source for Active Directory and
SYSVOL replication.
Note
These issues are of concern only in situations in which hundreds of domain
controllers might be promoted at the same time and FRS is the SYSVOL replication
system. If you are deploying hundreds of writable domain controllers in branch sites,
see the Windows Server 2003 Active Directory Branch Office Guide
(http://go.microsoft.com/fwlink/?LinkId=42506). If you are installing RODCs in branch
sites, see Planning and Deploying Read-Only Domain Controllers
(http://go.microsoft.com/fwlink/?LinkID=120840).
SYSVOL replication. Whether you use DFS Replication or FRS to replicate SYSVOL,
replication of the full SYSVOL occurs if you do not perform preliminary preseeding
procedures, as described in article 311078 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkId=70809) for SYSVOL that is replicated by FRS, and
in Planning and Deploying Read-Only Domain Controllers
(http://go.microsoft.com/fwlink/?LinkId=120840) for SYSVOL that is replicated by
DFS Replication. When you install AD DS without this additional preparation, the
SYSVOL data in the installation media is deleted and SYSVOL is generated by
replication.
Because FRS on the source computer uses CPU, memory, and disk resources, the FRS
recommendation is to perform a staged update on no more than 10 branch office domain
controllers at a time for a single source hub domain controller. If a single domain
controller functions as the source for SYSVOL replication to more than 10 destination
domain controllers, performance on the source domain controller can decrease
significantly. To balance source domain controllers, you can use an answer file with
Dcpromo to specify the source domain controller.
Note
When you use DFS Replication to replicate SYSVOL, these conditions are not an
issue.
For information about performing a staged installation of RODCs, see Planning and
Deploying Read-Only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=120840).
Standardization. The process for installing domain controllers can be automated and
standardized in the hub or staging site, with the one additional step of packing and shipping
the domain controller. If you follow the instructions in this guide for safe disconnection and
reconnection, restarting the domain controller in the remote site is all that is required.
Branch site personnel. The requirement for personnel with Domain Admins credentials is
limited to the hub site.
Protection of existing accounts and metadata. You must ensure that computer accounts
and metadata for the domain controller are not deleted or improperly modified while the
domain controller is disconnected.
Caution
The default value for the tombstone lifetime is 180 days. In this case, the risk is
remote if the tombstone lifetime is not changed. However, because the tombstone
lifetime value can be changed administratively and because the risk has such
significant consequences, you should always check the tombstone lifetime setting.
For more information about lingering objects and their causes and effects, see Fixing
Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)
(http://go.microsoft.com/fwlink/?LinkId=120797).
For procedures to ensure that all of these issues are resolved, see the following topics:
1 (enabled): Inbound replication of the specified directory partition from the source is stopped
on the destination domain controller. Replication of the directory partition is stopped on both
the source and destination domain controllers.
0 (disabled): The destination requests the full object from the source domain controller, and
the destination domain controller reanimates a full copy of an object that it has previously
deleted and permanently removed through garbage collection.
The default value of the strict replication consistency registry entry is 1 on domain controllers
that are running Windows Server 2003, Windows Server 2003 R2, and Windows Server 2008. If
you are in doubt as to whether strict replication consistency is in effect, you can use the
Repadmin command-line tool to set replication consistency to Strict for all domain controllers in
the forest. If you have domain controllers that are running Windows 2000 Server, update these
domain controllers to Windows Server 2008.
SYSVOL consistency
When you use DFS Replication for SYSVOL replication, when you restart the domain controller in
the new site DFS Replication updates SYSVOL by processing the latest changes from the source
domain controller. To ensure that SYSVOL is updated as quickly as possible, time the restart of
the domain controller with the intersite replication schedule.
When you use FRS for SYSVOL replication, in addition to timing the restart according to the
replication schedule, preparation might be necessary to avoid an extended period of latency when
SYSVOL is updated. When you restart a domain controller without this preparation, FRS
reconciles and processes all deletions and modifications that took place from the time of the last
SYSVOL update to the time that the domain controller is restarted in the new site. If you have a
large SYSVOL, you can avoid this extra processing and replication time by preparing the domain
controller for nonauthoritative SYSVOL restore before you ship the domain controller. For
information about preparing the domain controller for nonauthoritative SYSVOL restore, see
Prepare a domain controller for nonauthoritative SYSVOL restart (http://go.microsoft.com/fwlink/?LinkID=122831).
See Also
Preparing a Server Computer for Shipping and Installation from Media
Determine the type of domain controller that you want to install. Identify a domain controller
that is suitable for creating the media according to whether you are creating an additional
domain controller that is a global catalog server, a Domain Name System (DNS) server, both,
or neither. You must create the installation media on the same type of domain controller that
you want to create.
Determine whether to create the installation media in a shared folder on the computer that will
be installed or use removable media to ship the installation media separately from the
computer. If you will create the media in a shared folder on the installation server, do the
following:
Determine the volume on which to create the media. See the criteria in Determine the
volume for installation media in this topic.
Create a shared folder on the server and map a network drive to the folder on the domain
controller that you are using to create the media.
Install the operating system on the server computer. This task is best performed in the hub
site where administrative personnel are available.
If you want to include application directory partitions on the domain controller, prepare an
answer file that contains the location of the installation media and the application directory
partitions.
Determine the volume on which to store the installation media on the installation server. This
location affects SYSVOL replication after the installation of AD DS.
to the new domain controller, regardless of whether you perform the additional, preliminary
procedures.
Use the following references for information about ensuring that SYSVOL is not replicated during
IFM:
For information about how to ensure that the installation media is used as the source for
SYSVOL when you are using FRS to replicate SYSVOL, see "Seeding the SYSVOL tree from
restored files during IFM promotion" in article 311078 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkID=70809).
For information about how to ensure that the installation media is used as the source for
SYSVOL when you are using Distributed File System (DFS) Replication to replicate SYSVOL,
see Planning and Deploying Read-Only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=120840).
Ntdsutil.exe
Dcpromo.exe
1. Create Installation Media by Using Ntdsutil. Before you perform this procedure, see Installing
an Additional Domain Controller by Using IFM.
Perform this procedure on a domain controller that is the type of domain controller that you
want to create (for example, a global catalog server or a DNS server). Specify removable
media or a shared folder on the installation server as the location for the installation media.
2. Enable Remote Desktop on the installation server.
3. Ship the installation server and any prepared removable media and answer file to the remote
site. Ship these items separately and securely.
When the server is running in the remote site, install the domain controller as follows:
1. Create a Remote Desktop Connection to the remote server.
2. Install an Additional Domain Controller by Using Installation Media. When the domain
controller restarts after installation, the Remote Desktop Connection is dropped. After the
installed domain controller restarts, you must reconnect by using Remote Desktop
Connection.
See Also
Installing an Additional Domain Controller by Using IFM
Allow connections only from computers running Remote Desktop with Network
Level Authentication (more secure). Use this option if you know that the users who
will connect to this server are running Windows Vista or Windows Server 2008.
4. Review the information in the Remote Desktop dialog box, and then click OK twice.
To enable Remote Desktop remotely by using the registry
1. On any computer that is running a version of Windows Server 2003,
Windows Server 2003 R2, Windows Server 2008, Windows XP Professional, or
Windows Vista, open Regedit as an administrator. To open Regedit as an administrator,
click Start, and then, in Start Search, type regedit. At the top of the Start menu, right-click regedit, and then click Run as administrator. In the User Account Control dialog
box, provide Domain Admins credentials, and then click OK.
2. On the File menu, click Connect Network Registry.
3. In the Select Computer dialog box, under Enter the object name to select, type the
computer name, and then click Check Names.
4. After the computer name resolves, click OK.
5. In the computer node that appears in the Registry Editor, navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server.
6. In the console tree, click Terminal Server, and then, in the details pane, double-click
fDenyTSConnections.
7. In the Edit DWORD Value box, in Value data, type 0, and then click OK.
This value enables connections at the level that allows connections from computers
running any version of Remote Desktop.
8. To implement the change, restart the server remotely, as follows:
At the command prompt, type the following command, and then press ENTER:
shutdown /m \\<DomainControllerName> /r
Value
Description
/m \\<DomainControllerName>
/r
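The same registry-based procedure done from PowerShell, as an added example that is not part of the guide: it sets fDenyTSConnections to 0 on the remote server through the remote registry (steps 5 to 7 above), reads the value back, and optionally restarts the server with the shutdown command from step 8. The RDP-Tcp UserAuthentication value is not named on this page; it is the documented setting behind the "Network Level Authentication (more secure)" option described earlier, and is set only when the switch is given.

```powershell
# Added example (not part of the guide): enable Remote Desktop on a remote server by
# setting fDenyTSConnections through the remote registry, as the Regedit steps above do.
# Requires the Remote Registry service on the target and Domain Admins credentials.
function Enable-RemoteDesktopViaRegistry {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [switch]$RequireNetworkLevelAuthentication,   # restrict to NLA-capable clients
        [switch]$Restart                              # apply with "shutdown /m \\<name> /r"
    )
    $tsPath  = 'SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpPath = "$tsPath\WinStations\RDP-Tcp"
    $dword   = [Microsoft.Win32.RegistryValueKind]::DWord

    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        # fDenyTSConnections = 0 allows Remote Desktop connections (step 7 above). On its
        # own this accepts clients running any version of Remote Desktop.
        $ts = $base.OpenSubKey($tsPath, $true)
        if ($null -eq $ts) { throw "Key '$tsPath' not found on $ComputerName" }
        $ts.SetValue('fDenyTSConnections', 0, $dword)

        if ($RequireNetworkLevelAuthentication) {
            # UserAuthentication = 1 on the RDP-Tcp listener requires Network Level
            # Authentication, so that credentials are verified before a session is created.
            $rdp = $base.OpenSubKey($rdpPath, $true)
            if ($null -eq $rdp) { throw "Key '$rdpPath' not found on $ComputerName" }
            $rdp.SetValue('UserAuthentication', 1, $dword)
        }

        # Read the values back so that the caller can confirm them before restarting.
        $state = [pscustomobject]@{
            ComputerName       = $ComputerName
            fDenyTSConnections = [int]$ts.GetValue('fDenyTSConnections')
            UserAuthentication = if ($rdp) { [int]$rdp.GetValue('UserAuthentication') } else { $null }
        }
        if ($rdp) { $rdp.Close() }
        $ts.Close()
    }
    finally { $base.Close() }

    if ($Restart -and $state.fDenyTSConnections -eq 0) {
        # Step 8 above: restart the remote server so that the change takes effect.
        & shutdown /m "\\$ComputerName" /r
    }
    return $state
}

# Example call with a constructed server name:
# Enable-RemoteDesktopViaRegistry -ComputerName 'BRANCH-SRV01' -RequireNetworkLevelAuthentication
```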
See Also
Enable Remote Desktop
Windows interface: Provide the location on the Install from Media page in the
Active Directory Domain Services Installation Wizard.
Unattended installation: Use the /ReplicationSourcePath parameter in the answer file for an
unattended installation.
Command line: Use the /ReplicationSourcePath unattend parameter at the command line.
Membership in the Domain Admins group in the domain into which you are installing the
additional domain controller, or the equivalent, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To install AD DS from IFM media by using the Windows interface
1. Use the procedure Install an Additional Domain Controller by Using the Windows
Interface. In step 8, select Use advanced mode installation.
2. In step 15, select the install from media option and provide the location of the installation
media.
3. Complete the remaining pages of the Active Directory Domain Services Installation
Wizard.
4. After the installation operation completes successfully and the computer is restarted,
remove the folder that contains the IFM media from the local disk.
To install AD DS from IFM media by using an answer file
1. Create an answer file by using one of the following methods:
During the procedure Install an Additional Domain Controller by Using the Windows
Interface, select the Export settings option to save the installation settings to a file.
This file is an answer file that you can use to install an additional domain controller in
the same domain.
Use the procedure Create an Answer File for Unattended Domain Controller
Installation to create an answer file. Include the /ReplicationSourcePath parameter
to specify the location of the IFM media.
2. Use the procedure Install an Additional Domain Controller by Using an Answer File to
install AD DS.
To install AD DS from IFM media by using unattend parameters from the command line
1. Use the procedure Install an Additional Domain Controller by Using Unattend Parameters
from the Command Line to install AD DS.
2. During the procedure, use the /ReplicationSourcePath parameter to specify the location
of the IFM media.
See Also
Preparing for Active Directory Installation
Verifying Active Directory Installation
ADSI Edit
Ntdsutil.exe
Repadmin.exe
If the estimated time of disconnection does not exceed the maximum safe disconnection
time, proceed with preparations for disconnection.
4. View the Current Operations Master Role Holders to determine whether the domain controller
is an operations master role holder.
See Also
Known Issues for Adding Domain Controllers in Remote Sites
Managing Operations Master Roles
Managing DFS-Replicated SYSVOL
Reconnecting a Domain Controller After a Long-Term Disconnection
Value: 1 (0 to disable)
Default: 1 (enabled) in a new Windows Server 2003 or Windows Server 2008 forest;
otherwise 0.
If the value is 0, use the following procedure to change the value to 1 on a specific domain
controller or on all domain controllers.
Membership in the Domain Admins group in the domain, or equivalent, is the minimum required
to complete this procedure on a single domain controller. Membership in the Enterprise
Admins group in the forest, or equivalent, is the minimum required to complete this procedure on
all domain controllers. Review details about using the appropriate accounts and group
memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To enable strict replication consistency
1. Open a command prompt, type the following command, and then press ENTER:
repadmin /regkey <DC_LIST> {+|-}<key>
Value
Description
repadmin /regkey
<DC_LIST>
{+|-}<key>
2. Repeat step 1 for every domain controller on which you want to enable strict replication
consistency.
Note
For more naming options and information about the syntax of the <DC_LIST> parameter, at
the command prompt, type repadmin /listhelp.
Value
Description
repadmin /syncall
<DomainControllerName>
/e
/d
/A
/P
/q
2. Check for replication errors in the output of the command in the previous step. If there are
no errors, replication is successful. For replication to complete, any errors must be
corrected.
See Also
Verify Successful Replication to a Domain Controller
The disconnected domain controller is running Windows 2000 Server, and no other domain
controller is available in the domain: If you want to recover the domain, reconnect the domain
controller, and follow the instructions in article 314282 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkId=37924).
The disconnected domain controller is running Windows 2000 Server, and another domain
controller is available in the domain: Do not reconnect the domain controller. Instead, force
Active Directory removal on the disconnected domain controller, perform metadata cleanup,
and then reinstall Active Directory. To complete these tasks, follow the instructions in Forcing
the Removal of a Domain Controller and Installing a Domain Controller in an Existing
Domain.
Updating SYSVOL
To update SYSVOL as soon as possible after you reconnect a domain controller, plan the time
that you restart the domain controller to optimize the replication schedule, as follows:
If the closest replication partner for the domain is in a different site, view site link properties to
determine the replication schedule, and then restart the domain controller as soon as
possible after replication is scheduled to start.
If a replication partner for the domain is available within the site, verify replication success on
that partner before you restart the domain controller.
Important
If you use File Replication Service (FRS) to replicate SYSVOL, the recommended
practice to reduce the time required to update SYSVOL is to modify the registry before
you disconnect the domain controller so that SYSVOL is updated with only the latest file
changes when you restart the domain controller. For information about preparing for
SYSVOL replication when using FRS, see Preparing an Existing Domain Controller for
Shipping and Long-Term Disconnection (http://go.microsoft.com/fwlink/?LinkId=122834).
Task requirements
The following tools are required to perform the procedures for this task:
ADSI Edit
Repadmin.exe
If the site in which you are reconnecting the domain controller has one or more other
domain controllers that are authoritative for the domain, start the domain controller
anytime.
If the site in which you are reconnecting the domain controller has no other domain
controllers that are authoritative for the domain, proceed as follows:
Determine When Intersite Replication Is Scheduled to Begin by viewing the replication
properties on the site link that connects this site to the next closest site that includes a
domain controller that is authoritative for this domain.
As soon as possible after the next replication cycle begins, start the domain controller.
If the maximum safe disconnection time has been exceeded, proceed in the appropriate
manner according to the operating system, as described in "Reconnecting an Outdated
Domain Controller" earlier in this topic.
4. Verify Successful Replication to a Domain Controller
After replication is complete, verify replication of the domain, configuration, and schema
directory partitions. If the domain controller is a global catalog server, verify replication of all
domain directory partitions. If the domain controller is a Domain Name System (DNS) server,
verify replication of the domain and forest DNS application directory partitions.
See Also
Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection
specific service (SRV) resource records. NETLOGON Event ID 5774 indicates that the dynamic
registration of DNS resource records has failed. If this error occurs, contact a supervisor and
pursue DNS troubleshooting.
See Also
Verify That an IP Address Maps to a Subnet and Determine the Site Association
lingering objects do not exist or, if they do, that they are removed before they are replicated. You
can also use this procedure when event ID 1388 or event ID 1988 is logged on a domain
controller. In this case, the information that you need to perform the procedure is provided in the
event. For information about removing lingering objects when event ID 1388 or event ID 1988 has
been logged, see Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)
(http://go.microsoft.com/fwlink/?LinkID=120797).
If you are running the procedure without having received Event ID 1388 or Event ID 1988, you
must gather the following information before you begin the procedure:
The name of the server that has or might have lingering objects. This name can be the
Domain Name System (DNS) name, NetBIOS name, or distinguished name of the domain
controller.
The globally unique identifier (GUID) of the NTDS Settings object of a domain controller that
is authoritative for the domain of the domain controller from which you want to remove
lingering objects. This domain controller is the source domain controller. The source domain
controller and the domain controller from which you want to remove lingering objects must be
running a version of either Windows Server 2003 or Windows Server 2008. If either domain
controller is running Windows 2000 Server, follow the instructions in article 314282 in the
Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=37924).
DC object GUID:
Value
Description
repadmin /removelingeringobjects: Removes objects that have been deleted and permanently
removed from replication partners but remain on this domain controller.
<ServerName>
<ServerGUID>
<DirectoryPartition>
/advisory_mode logs the lingering objects that will be removed so that you can review
them, but it does not remove them.
2. If lingering objects are found, repeat step 1 without /advisory_mode to delete the
identified lingering objects from the directory partition.
3. Repeat steps 1 and 2 for every domain controller that might have lingering objects.
Note
The ServerName parameter uses the DC_LIST syntax for repadmin, which allows the
use of * for all domain controllers in the forest and gc: for all global catalog servers in the
forest. To see the DC_LIST syntax, at a command prompt, type repadmin /listhelp, and
then press ENTER.
directory replication has been attempted, the site and name of the source domain controller, and
whether replication succeeded or not, as follows:
If @ [Never] appears in the output for a directory partition, replication of that directory partition has
never succeeded from the identified source replication partner over the listed connection.
Membership in Enterprise Admins, or equivalent, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To verify successful replication to a domain controller
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
repadmin /showrepl <servername> /u:<domainname>\<username> /pw:*
Note
The user credential parameters (/u:<domainname>\<username> /pw:*) are not
required for the domain of the user if the user has opened the Command Prompt
as an administrator with Domain Admins credentials or is logged on to the
domain controller as a member of Domain Admins or equivalent. However, if you
run the command for a domain controller in a different domain in the same
Command Prompt session, you must provide credentials for an account in that
domain.
Value
Description
repadmin /showrepl
<servername>
/u:
<domainname>
<username>
/pw:*
3. At the Password: prompt, type the password for the user account that you provided, and
then press ENTER.
You can also use repadmin to generate the details of replication to and from all replication
partners in a Microsoft Excel spreadsheet. The spreadsheet displays data in the following
columns:
Showrepl_COLUMNS
Destination DC Site
Destination DC
Naming Context
Source DC Site
Source DC
Transport Type
Number of Failures
Last Failure Time
Last Success Time
Last Failure Status
The following procedure creates this spreadsheet and sets column headings for improved
readability.
To generate a repadmin /showrepl spreadsheet for all replication partners
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
repadmin /showrepl * /csv >showrepl.csv
3. Open Excel.
4. Click the Office button, click Open, navigate to showrepl.csv, and then click Open.
5. Hide or delete column A as well as the Transport Type column, as follows:
6. Select a column that you want to hide or delete.
To hide the column, right-click the column, and then click Hide.
Or
To delete the column, right-click the selected column, and then click Delete.
7. Select row 1 beneath the column heading row. On the View tab, click Freeze Panes, and
then click Freeze Top Row.
8. Select the entire spreadsheet. On the Data tab, click Filter.
9. In the Last Success Time column, click the down arrow, and then click Sort Ascending.
10. In the Source DC column, click the filter down arrow, point to Text Filters, and then click
Custom Filter.
11. In the Custom AutoFilter dialog box, under Show rows where, click does not contain.
In the adjacent text box, type del to eliminate from view the results for deleted domain
controllers.
12. Repeat step 11 for the Last Failure Time column, but use the value does not equal, and
then type the value 0.
13. Resolve replication failures.
The last successful attempt should agree with the replication schedule for intersite replication, or
the attempt should be within the last hour for intrasite replication.
If Repadmin reports any of the following conditions, see Troubleshooting Active Directory
Replication Problems (http://go.microsoft.com/fwlink/?LinkID=93582):
The last successful intersite replication was before the last scheduled replication.
The last intrasite replication was longer than one hour ago.
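The checks that the spreadsheet procedure above applies by hand (sort by Last Success Time, drop deleted domain controllers, look for failures, compare the last success against the one-hour intrasite rule or the intersite schedule, and treat a missing success time like "@ [Never]" in plain /showrepl output), as an added PowerShell example that is not part of this guide. It assumes the column names listed above, an assumed 180-minute intersite site-link interval, and constructed sample rows in place of real repadmin output.

```powershell
# Added example (not from the guide): apply this section's triage rules to the
# CSV produced by "repadmin /showrepl * /csv > showrepl.csv".
# Assumptions: column names as listed in the guide; the intersite site-link
# interval (180 minutes) is an assumed value; the sample rows below are constructed.

function Get-ReplicationTriage {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,      # rows from Import-Csv / ConvertFrom-Csv
        [datetime] $Now = (Get-Date),                 # reference time for staleness checks
        [int] $IntersiteIntervalMinutes = 180         # assumed site-link replication interval
    )

    foreach ($row in $Rows) {
        # Step 11: skip rows whose source is a deleted DC (name contains "del").
        # This is the guide's substring filter; it also matches a live DC whose
        # name happens to contain "del", so review skipped rows if in doubt.
        if ($row.'Source DC' -match 'del') { continue }

        # Intrasite partners must have succeeded within the last hour; intersite
        # partners within the site link's schedule.
        $intrasite      = ($row.'Source DC Site' -eq $row.'Destination DC Site')
        $scope          = if ($intrasite) { 'intrasite' } else { 'intersite' }
        $allowedMinutes = if ($intrasite) { 60 } else { $IntersiteIntervalMinutes }

        # "0" (or an empty field) means this partner has never replicated
        # successfully, the CSV equivalent of "@ [Never]" in plain /showrepl output.
        $lastSuccess = $null
        $ageMinutes  = $null
        if ($row.'Last Success Time' -and $row.'Last Success Time' -ne '0') {
            $lastSuccess = [datetime]::Parse($row.'Last Success Time')
            $ageMinutes  = [int]($Now - $lastSuccess).TotalMinutes
        }

        $issues = @()
        if ($row.'Last Failure Time' -ne '0')     { $issues += 'LastFailureRecorded' }   # step 12
        if ([int]$row.'Number of Failures' -gt 0) { $issues += 'FailuresPending' }
        if ($null -eq $lastSuccess) {
            $issues += 'NeverSucceeded'
        } elseif ($ageMinutes -gt $allowedMinutes) {
            $issues += "StaleSuccess(${ageMinutes}m > ${allowedMinutes}m)"
        }
        $verdict = if ($issues.Count -eq 0) { 'OK' } else { $issues -join ';' }

        [pscustomobject]@{
            Destination       = $row.'Destination DC'
            Source            = $row.'Source DC'
            NamingContext     = $row.'Naming Context'
            Scope             = $scope
            LastSuccessTime   = $lastSuccess
            LastFailureStatus = $row.'Last Failure Status'
            Verdict           = $verdict
        }
    }
}

# Constructed sample in the CSV layout the guide describes (not real repadmin output).
# Row 3 is a partner with pending failures; row 5 is a deleted DC and is skipped.
$sampleCsv = @'
showrepl_COLUMNS,Destination DC Site,Destination DC,Naming Context,Source DC Site,Source DC,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Site-A,DC1,"DC=contoso,DC=com",Site-A,DC2,RPC,0,0,2008-09-10 13:40:00,0
showrepl_INFO,Site-A,DC1,"DC=contoso,DC=com",Site-B,DC3,RPC,0,0,2008-09-10 11:10:00,0
showrepl_INFO,Site-A,DC1,"CN=Configuration,DC=contoso,DC=com",Site-A,DC4,RPC,3,2008-09-10 12:05:00,2008-09-09 20:00:00,8457
showrepl_INFO,Site-A,DC1,"CN=Schema,CN=Configuration,DC=contoso,DC=com",Site-A,DC5,RPC,0,0,2008-09-10 13:55:00,0
showrepl_INFO,Site-A,DC1,"DC=contoso,DC=com",Site-A,DC6\0ADEL:placeholder-guid,RPC,0,0,0,0
'@

# For a real run: $rows = Import-Csv .\showrepl.csv (the file that step 2 above creates).
$rows = $sampleCsv | ConvertFrom-Csv

# Step 9: sort by Last Success Time ascending so the oldest partners come first;
# the fixed -Now value keeps the demonstration deterministic.
Get-ReplicationTriage -Rows $rows -Now ([datetime]'2008-09-10 14:00:00') |
    Sort-Object LastSuccessTime |
    Format-Table Destination, Source, NamingContext, Scope, LastSuccessTime, Verdict -AutoSize
```

If your repadmin build labels the columns differently from the list above, adjust the property names in the function accordingly.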
Although you can use System Properties to rename a domain controller (as you can for any
computer), Active Directory and DNS replication latency might temporarily prevent clients from
locating or authenticating (or both) to the renamed domain controller. To avoid this delay, you can
use the Netdom command-line tool to rename a domain controller.
Task requirements
The following is required to perform the procedures for this task:
If you want to use Netdom, the domain functional level must be set to Windows Server 2003 or
Windows Server 2008.
To complete this task, use one of the following two sets of procedures:
1. Rename a Domain Controller Using System Properties
2. Update the FRS or DFS Replication Member Object
Or
1. Rename a Domain Controller Using Netdom
See Also
Rename a Domain Controller Using Netdom
domain name. If the updates and registrations have not occurred before the removal of the old
computer name, some clients might not be able to locate this computer using the new name or
the old name.
Membership in Domain Admins, or equivalent, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To rename a domain controller using Netdom
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command to add the new domain controller
name, and then press ENTER:
netdom computername <CurrentComputerName> /add:<NewComputerName>
Value
Description
netdom computername
<CurrentComputerName>
/add:
<NewComputerName>
3. Type the following command to designate the new name as the primary computer name,
and then press ENTER:
netdom computername <CurrentComputerName> /makeprimary:<NewComputerName>
Value
Description
netdom computername
<CurrentComputerName>
/makeprimary:
<NewComputerName>
Value
Description
netdom computername
<NewComputerName>
/remove:
<OldComputerName>
See Also
Rename a Domain Controller Using System Properties
To remove a domain, see Removing the Last Windows Server 2008 Domain Controller in a
Domain (http://go.microsoft.com/fwlink/?LinkId=93208).
To remove a forest, see Removing the Last Windows Server 2008 Domain Controller in a
Forest (http://go.microsoft.com/fwlink/?LinkId=93209).
decommission the domain controller. After you remove Active Directory Domain Services
(AD DS), import the private key again.
You must be able to ensure that the domain account that is serving as the recovery agent for the
certificate remains the same after you remove AD DS. If you cannot guarantee that the account
will remain the same after the domain controller is decommissioned or if you removed AD DS
without backing up the certificate and you cannot recover EFS-encrypted files, see article 276239
in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=117370).
Task requirements
The following tools are required to perform the procedures for this task:
Dcdiag.exe
Ntdsutil.exe
If you must protect the recovery agent private key for encrypted files, the following additional tool
is required:
Certificates snap-in
If the domain controller cannot contact another domain controller during Active Directory
removal, the decommissioning operation fails. As with the installation process, test the
communication infrastructure before you run the installation wizard. Before you remove
AD DS, use the same connectivity tests that you used before you installed AD DS.
2. View the Current Operations Master Role Holders
To avoid problems for client computers in the domain and forest, transfer any operations
master (also known as flexible single master operations or FSMO) roles before you run the
Active Directory Domain Services Installation Wizard to decommission a domain controller so
that you can control the operations master role placement. If you need to transfer any
operations master roles from a domain controller, review all the recommendations for role
placement before you perform the transfer, as described in Introduction to Administering
Operations Master Roles. Identify the domain controllers to which you will transfer each role
before you perform the transfer procedures.
Caution
During the decommissioning process, the Active Directory Domain Services
Installation Wizard checks for the presence of operations master roles. If the domain
controller being decommissioned holds any operations master (also known as flexible
single master operations or FSMO) role, the wizard provides a warning and attempts
to transfer the role or roles to another domain controller without any user interaction.
You do not have control over which domain controller receives the operations master
roles that are transferred, and the wizard does not indicate which domain controller
receives them. If the wizard cannot transfer an operations master role, you can
override the warnings and the wizard will continue to uninstall AD DS and leave your
domain or forest without the role. In this case, you must seize the operations master
role to another domain controller.
If the domain controller holds any operations master roles, use the following procedures to
transfer the role or roles:
Transfer the Schema Master
Transfer the Domain Naming Master
Transfer the Domain-Level Operations Master Roles
3. Determine Whether a Domain Controller Is a Global Catalog Server
If you remove AD DS from a domain controller that hosts the global catalog, the
Active Directory Domain Services Installation Wizard confirms that you want to continue with
removing AD DS. This confirmation ensures that you are aware that you are removing a
global catalog server from your environment. Do not remove the last global catalog server
from your environment because users cannot log on without an available global catalog
server. If you are not sure, do not proceed with removing AD DS until you know that at least
one other global catalog server is available.
4. Verify the Availability of the Operations Masters
Verify that the operations master role holders are online and responding.
Important
If any verification test fails, do not continue until you determine the problems and
fix them. If these tests fail, the uninstallation is also likely to fail.
5. If the domain controller hosts encrypted documents, perform the following procedure before
you remove AD DS to ensure that the encrypted files can be recovered after AD DS is
removed:
Back Up A Certificate With Its Private Key (http://go.microsoft.com/fwlink/?LinkId=122856).
6. Removing a Windows Server 2008 Domain Controller from a Domain
You can remove AD DS by using the Windows interface, an answer file, or the command line.
7. If the domain controller hosts encrypted documents and you backed up the certificate and
private key before you removed AD DS, perform the following procedure to import the
certificate to the server again:
Import a Certificate (http://go.microsoft.com/fwlink/?LinkID=108290).
See Also
Introduction to Administering Operations Master Roles
Note
For a more detailed response from this command, add /v to the end of the
command.
If the test fails, do not attempt any additional steps until you determine and fix the
problem that prevents proper DNS functionality.
maintenance:
4. At the server
maintenance:
quit,
operation target,
and then
The system responds with a list of the current roles and the Lightweight Directory Access
Protocol (LDAP) name of the domain controllers that are currently assigned to host each
role.
8. Type quit, and then press ENTER to exit each prompt in Ntdsutil.exe. At the ntdsutil:
prompt, type quit, and then press ENTER to close the window.
You might want to transfer a domain-level operations master role if the domain controller that
currently hosts the role is inadequate, has failed, or is being decommissioned. You can transfer all
domain roles by using the Active Directory Users and Computers snap-in.
Note
You perform these procedures by using a Microsoft Management Console (MMC) snap-in,
although you can also transfer these roles by using Ntdsutil.exe. For information about
using Ntdsutil.exe to transfer the operations master roles, see Ntdsutil
(http://go.microsoft.com/fwlink/?LinkID=120970). For information about the ntdsutil
command, you can also type ? at the Ntdsutil.exe command prompt.
Before you perform this procedure, you must identify the domain controller to which you will
transfer the operations master role.
Membership in Domain Admins, or equivalent, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To transfer a domain-level operations master role
1. Open Active Directory Users and Computers: On the Start menu, point to
Administrative Tools, and then click Active Directory Users and Computers. If the
User Account Control dialog box appears, provide Domain Admins credentials, if
required, and then click Continue.
2. At the top of the console tree, right-click Active Directory Users and Computers, and
then click Change Active Directory Domain Controller.
3. Ensure that the correct domain name is entered in Look in this domain.
The available domain controllers from this domain are listed.
4. In the Name column, click the name of the domain controller to which you want to
transfer the role, and then click OK.
5. At the top of the console tree, right-click Active Directory Users and Computers, and
then click Operations Masters.
The name of the current operations master role holder appears in the Operations
master box. The name of the domain controller to which you want to transfer the role
appears in the lower box.
6. Click the tab for the operations master role that you want to transfer: RID, PDC, or
Infrastructure. Verify the computer names that appear, and then click Change. Click Yes
to transfer the role, and then click OK.
7. Repeat steps 5 and 6 for each role that you want to transfer.
First, use Server Manager to add the Active Directory Domain Services server role. This part
of the installation procedure installs the Dcdiag.exe command line tool. Perform this
procedure after you add the server role but before you run Dcpromo.exe.
Use the /s command option to indicate the name of an existing domain controller in the
domain of the new domain controller. This domain controller is required to verify the ability of
the server to connect to operations master role holders in the domain and forest.
You do not have to use the /s option if you perform the test in this procedure after you install
AD DS. The test automatically runs on the local domain controller where you are performing the
test. The commands in this procedure show the /s option. If you are performing this test after you
install AD DS, omit the /s option. For a more detailed response from this command, you can use
the verbose option by adding /v to the end of the command.
Membership in Domain Admins, or equivalent, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To verify the availability of the operations masters
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command
Prompt, and then click Run as administrator. If the User Account Control dialog box
appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command to ensure that the operations
masters can be located, and then press ENTER:
dcdiag /s:<DomainControllerName> /test:knowsofroleholders /v
If you are in Logical Certificate Stores view mode, in the console tree, click
Certificates.
If you are in Certificate purpose view mode, in the console tree, click Purpose.
To include all certificates in the certification path, select the Include all certificates
in the certification path if possible check box.
To include all extended properties of the certificate, select Export all extended
properties.
To delete the private key if the export is successful, select the Delete the private key
if the export is successful check box.
7. If required, in Password, type a password to encrypt the private key you are exporting. In
Confirm password, type the same password again, and then click Next.
8. In File name, type a file name and path for the PKCS #12 file that will store the exported
certificate and private key, click Next, and then click Finish.
Additional considerations
To open the Certificates snap-in, see Add the Certificates Snap-in to an MMC.
Strong protection (also known as iteration count) is enabled by default in the Certificate
Export Wizard when you export a certificate with its associated private key.
After the Certificate Export Wizard is finished, the certificate will remain in the certificate store
in addition to being in the newly created file. If you want to remove the certificate from the
certificate store, you will need to delete it.
Removing a Windows Server 2008 domain controller by using the Windows interface
If you do not want to retain any application directory partitions that are stored on the
domain controller, click Next.
If you want to retain an application directory partition that an application has created
on the domain controller, use the application that created the partition to remove it,
removeapplicationpartitions=yes
removeDNSDelegation=yes
DNSDelegationUserName=<DNS server administrative account for the DNS zone that
contains the DNS delegation>
DNSDelegationPassword=<Password for the DNS server administrative account>
4. Save the answer file to the location on the installation server from which it is to be called
by dcpromo, or save the file to a network shared folder or removable media for
distribution.
5. The dcpromo command to use an answer file is the same for both removing and
installing a domain controller. Use the procedure "To install a new domain controller by
using an answer file" to remove the domain controller.
Import a Certificate
You should only import certificates obtained from trusted sources. Importing an unreliable
certificate could compromise the security of any system component that uses the imported
certificate.
You can import a certificate into any logical or physical store. In most cases, you will import
certificates into the Personal store or the Trusted Root Certification Authorities store, depending
on whether the certificate is intended for you or whether it is a root CA certificate.
Users or local Administrators are the minimum group memberships required to complete this
procedure. Review the details in "Additional considerations" in this topic.
To import a certificate
1. Open the Certificates snap-in for a user, computer, or service.
2. In the console tree, click the logical store where you want to import the certificate.
3. On the Action menu, point to All Tasks and then click Import to start the Certificate
Import Wizard.
4. Type the file name containing the certificate to be imported. (You can also click Browse
and navigate to the file.)
5. If it is a PKCS #12 file, do the following:
(Optional) If you want to be able to use strong private key protection, select the
Enable strong private key protection check box.
(Optional) If you want to back up or transport your keys at a later time, select the
Mark key as exportable check box.
If you want to specify where the certificate is stored, select Place all certificates in
the following store, click Browse, and choose the certificate store to use.
Additional considerations
To open the Certificates snap-in, see Add the Certificates Snap-in to an MMC.
Enabling strong private key protection will ensure that you are prompted for a password every
time the private key is used. This is useful if you want to make sure that the private key is not
used without your knowledge.
The file from which you import certificates will remain intact after you have completed
importing the certificates. You can use Windows Explorer to delete the file if it is no longer
needed.
If an NTDS Settings object is present, it is possible that replication of the deletion has not
reached the domain controller whose objects you are viewing. Check the presence of the
object on another domain controller, or force replication from another domain controller in the
domain. (See Force Replication Between Domain Controllers.)
If a child object other than NTDS Settings is present, another application has published the
object and is using the server object. In this case, do not delete the server object.
Membership in Domain Users, or equivalent, is the minimum required to complete this procedure
when you perform the procedure remotely by using Remote Server Administration Tools (RSAT).
Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To determine whether a server object has child objects
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative
Tools, and then click Active Directory Sites and Services. If the User Account
Control dialog box appears, provide credentials, if required, and then click Continue.
2. In the console tree, expand the Sites container, and then expand the site of the server
object.
3. Expand the Servers container, and then expand the server object to view any child
objects.
click Delete.
Important
Do not delete a server object that has a child object. If an NTDS Settings object
appears below the server object you want to delete, either replication on the
domain controller on which you are viewing the configuration container has not
occurred or the server whose server object you are removing has not been
properly decommissioned. If a child object other than NTDS Settings appears
below the server object that you want to delete, another application has
published the object. You must contact an administrator for the application and
determine the appropriate action to remove the child object.
4. Click Yes to confirm your choice.
See Also
Decommissioning a Domain Controller
Forcing the Removal of a Domain Controller
For a service
Users or local Administrators are the minimum group memberships required to complete this
procedure. Review the details in "Additional considerations" in this topic.
To add the Certificates snap-in to an MMC for a user account
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
3. Under Available snap-ins, double-click Certificates, and then:
If you are logged on as an administrator, click My user account, and then click
Finish.
Local Administrators is the minimum group membership required to complete this procedure.
Review the details in "Additional considerations" in this topic.
To add the Certificates snap-in to an MMC for a computer account
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
3. Under Available snap-ins, double-click Certificates
4. Select Computer account and then click Next.
5. Do one of the following:
To manage certificates for the local computer, click Local computer, and then click
Finish.
To manage certificates for a remote computer, click Another computer and type the
name of the computer, or click Browse to select the computer name, and then click
Finish.
To perform this procedure, you must be a member of the Administrators group on the local
computer, or you must have been delegated the appropriate authority. If the computer is
joined to a domain, members of the Domain Admins group might be able to perform this
procedure. As a security best practice, consider using Run as to perform this procedure.
To manage certificates for another computer, you can either create another instance of
Certificates in the console, or right-click Certificates (Computer Name), and then click
Connect to Another Computer.
Local Administrators is the minimum group membership required to complete this procedure.
Review the details in "Additional considerations" in this topic.
To add the Certificates snap-in to an MMC for a service
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
3. Under Available snap-ins, double-click Certificates
4. Select Service account and then click Next.
5. Do one of the following:
To manage certificates for services on your local computer, click Local computer,
and then click Next.
To perform this procedure, you must be a member of the Administrators group on the local
computer, or you must have been delegated the appropriate authority. If the computer is
joined to a domain, members of the Domain Admins group might be able to perform this
procedure. As a security best practice, consider using Run as to perform this procedure.
To manage certificates for a service on another computer, you can either create another
instance of Certificates in the console, or right-click Certificates - Service (Service Name)
on Computer Name, and then click Connect to Another Computer.
Forced removal should not be performed on the last domain controller in a domain. For this
domain controller, you can reinstall the operating system to restore the server to network
operation.
If the domain controller that you are forcibly removing holds an operations master (also known as
flexible single master operations or FSMO) role or roles, transfer the roles before you perform the
forced removal procedure. From a healthy domain controller in the domain of the operations
master role, or in the forest if the role is a forest-wide role, attempt to transfer the role to another
domain controller. If you do not transfer operations master roles before you forcibly remove
AD DS, the roles are transferred during the metadata cleanup process automatically. However,
during metadata cleanup, you do not have the option to select the domain controller to which the
roles are transferred. The cleanup application makes the selection automatically. If role transfer
fails during metadata cleanup, you must seize the role following the metadata cleanup procedure.
For more information about transferring and seizing operations master roles, see Introduction to
Administering Operations Master Roles.
Task requirements
The following is required to perform the procedures for this task:
Dcpromo.exe
connection objects.
Note
If you do not know the site in which the domain controller is located, open a
command prompt and type ipconfig to get the IP address of the domain
controller. Use the IP address to verify that an IP address maps to a subnet, and
then determine the site association.
4. Double-click the Servers folder to display the list of servers in that site.
5. Double-click the server object for the domain controller whose replication partners you
want to identify to display its NTDS Settings object.
6. Click the NTDS Settings object to display the list of connection objects in the details
pane. (These objects represent inbound connections that are used for replication to the
server.) The From Server column displays the names of the domain controllers that are
source replication partners for the selected server object.
If the domain controller hosts any operations master (also known as flexible single master
operations or FSMO) roles or if it is a Domain Name System (DNS) server or a global
catalog server, warnings appear that explain how the forced removal will affect the rest of
the environment. After you read each warning, click Yes. To suppress the warnings in
advance of the removal operation, type /demotefsmo:yes at the command prompt. If you
forcibly remove AD DS from a server that hosts an operations master role, you must
seize the role after the Dcpromo operation. For information about seizing an operations
master role, see Seizing an operations master role.
2. On the Welcome to the Active Directory Domain Services Installation Wizard page,
click Next.
3. On the Force the Removal of Active Directory Domain Services page, review the
information about forcing the removal of AD DS and metadata cleanup requirements, and
then click Next.
4. On the Administrator Password page, type and confirm a secure password for the local
Administrator account, and then click Next.
5. On the Summary page, review your selections. Click Back to change any selections, if
necessary.
To save the settings that you selected to an answer file that you can use to automate
subsequent AD DS operations, click Export settings. Type a name for your answer file,
and then click Save.
When you are sure that your selections are accurate, click Next to remove AD DS.
6. You can select Reboot on completion to have the server restart automatically, or you
can restart the server to complete the AD DS removal when you are prompted to do so.
7. Perform metadata cleanup, as described in Clean Up Server Metadata.
See Also
Seizing an operations master role
You can also perform metadata cleanup by using Ntdsutil.exe, a command-line tool that is
installed automatically on all domain controllers. You can perform this procedure on a domain
controller that is running Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003
with Service Pack 2 (SP2), Windows Server 2003 R2, or Windows Server 2008. For information
about performing metadata cleanup on domain controllers that are running earlier versions of
Windows Server, see Clean up server metadata in the Windows Server 2003 Operations Guide
(http://go.microsoft.com/fwlink/?LinkId=104231).
You can also use a script to clean up server metadata on most Windows operating systems. For
information about using this script, see Remove Active Directory Domain Controller Metadata
(http://go.microsoft.com/fwlink/?LinkID=123599).
Membership in Domain Admins, or equivalent, is the minimum required to complete this
procedure. Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To clean up server metadata by using Active Directory Users and Computers
1. Open Active Directory Users and Computers: On the Start menu, point to
Administrative Tools, and then click Active Directory Users and Computers.
2. If you have identified replication partners in preparation for this procedure, and if you are
not connected to a replication partner of the removed domain controller whose metadata
you are cleaning up, right-click Active Directory Users and Computers
<DomainControllerName>, and then click Change Domain Controller. Click the name
of the domain controller from which you want to remove the metadata, and then click OK.
3. Expand the domain of the domain controller that you forcibly removed, and then click
Domain Controllers.
4. In the details pane, right-click the computer object of the domain controller whose
metadata you want to clean up, and then click Delete.
5. In the Active Directory Domain Services dialog box, click Yes to confirm the computer
object deletion.
6. In the Deleting Domain Controller dialog box, select This Domain Controller is
permanently offline and can no longer be demoted using the Active Directory
Domain Services Installation Wizard (DCPROMO), and then click Delete.
7. If the domain controller is a global catalog server, in the Delete Domain Controller
dialog box, click Yes to continue with the deletion.
8. If the domain controller currently holds one or more operations master (also known as
flexible single master operations or FSMO) roles, click OK to move the role or roles to the
domain controller that is shown.
You cannot change this domain controller. If you want to move the role to a different
domain controller, you must move the role after you complete the server metadata
cleanup procedure.
3. At the ntdsutil: prompt, type the following command, and then press ENTER:
metadata cleanup
4. At the metadata
cleanup:
Or
remove selected server <ServerName1> on <ServerName2>
Value
Description
<ServerName> or
<ServerName1>
on <ServerName2>
5. In Server Remove Configuration Dialog, review the information and warning, and then
click Yes to remove the server object and metadata.
At this point, Ntdsutil confirms that the domain controller was removed successfully. If you
receive an error message that indicates that the object cannot be found, the domain
controller might have been removed earlier.
6. At the metadata
cleanup:
Open Active Directory Users and Computers. In the domain of the removed domain
controller, click Domain Controllers. In the details pane, an object for the domain
controller that you removed should not appear.
Open Active Directory Sites and Services. Navigate to the Servers container and confirm
that the server object for the domain controller that you removed does not contain an
NTDS Settings object. If no child objects appear below the server object, you can delete
the server object. If a child object appears, do not delete the server object because
another application is using the object.
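The two verification steps above, together with the earlier "Important" note about child objects under a server object, can be checked from a script instead of by hand. The following is an added example written for this guide's readers; it is not part of the Operations Guide. It assumes the ActiveDirectory PowerShell module (shipped with RSAT on Windows Server 2008 R2 and later), and the function and parameter names are this example's own. It looks for the removed domain controller's computer object in the Domain Controllers OU, then locates its server object under the Sites container and classifies any child objects exactly as the note does: an NTDS Settings object (class nTDSDSA) means replication has not caught up or the DC was not decommissioned properly, any other child was published by another application, and an empty server object is safe to delete.

```powershell
# Added example (not from the Operations Guide): verifies that metadata cleanup for a removed
# domain controller left no trace. Requires the ActiveDirectory module (RSAT, Server 2008 R2+).
# $ServerName is the removed DC's host name without a DNS suffix (assumption of this example).
function Test-DcMetadataCleanup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ServerName,
        [string]$Domain,      # DNS name of the removed DC's domain; defaults to the current domain
        [string]$QueryDC      # optional DC to query, e.g. a replication partner of the removed DC
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $common = @{}
    if ($QueryDC) { $common.Server = $QueryDC }
    if (-not $Domain) { $Domain = (Get-ADDomain @common).DNSRoot }

    $domainDN = (Get-ADDomain -Identity $Domain @common).DistinguishedName
    $configNC = (Get-ADRootDSE @common).configurationNamingContext

    # 1. Domain Controllers OU: after cleanup the computer object must be gone.
    $computer = Get-ADObject @common -SearchBase "OU=Domain Controllers,$domainDN" `
        -LDAPFilter "(&(objectClass=computer)(cn=$ServerName))"

    # 2. Sites container: find the server object and enumerate its direct children.
    $serverObj = Get-ADObject @common -SearchBase "CN=Sites,$configNC" `
        -LDAPFilter "(&(objectClass=server)(cn=$ServerName))"
    $children = @()
    if ($serverObj) {
        $children = @(Get-ADObject @common -SearchBase $serverObj.DistinguishedName `
            -SearchScope OneLevel -LDAPFilter '(objectClass=*)')
    }
    # The NTDS Settings object has the object class nTDSDSA.
    $ntds  = @($children | Where-Object { $_.ObjectClass -eq 'nTDSDSA' })
    $other = @($children | Where-Object { $_.ObjectClass -ne 'nTDSDSA' })

    if ($computer) { $verdict = 'Computer object still present: rerun metadata cleanup or wait for replication' }
    elseif (-not $serverObj) { $verdict = 'Clean: neither a computer object nor a server object remains' }
    elseif ($ntds.Count -gt 0) { $verdict = 'NTDS Settings still present: replication pending or DC not properly decommissioned' }
    elseif ($other.Count -gt 0) { $verdict = 'Server object has non-NTDS child objects published by another application; do not delete it' }
    else { $verdict = 'Server object is empty and can be deleted from the site' }

    [pscustomobject]@{
        ServerName          = $ServerName
        ComputerObjectFound = [bool]$computer
        ServerObjectDN      = if ($serverObj) { $serverObj.DistinguishedName } else { $null }
        NtdsSettingsFound   = ($ntds.Count -gt 0)
        OtherChildren       = @($other | ForEach-Object { $_.Name })
        Verdict             = $verdict
    }
}

# Example call, querying a replication partner of the removed DC (constructed names):
# Test-DcMetadataCleanup -ServerName 'DC02' -Domain 'corp.example.test' -QueryDC 'DC01.corp.example.test'
```

Run it against a replication partner of the removed domain controller, as step 2 of the Active Directory Users and Computers procedure recommends; a domain controller that has not yet replicated the deletion will still report the objects as present.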
See Also
Delete a Server Object from a Site
In this guide
can change the name of a domain, but you can also change the structure of the domain
hierarchy. You can also change the parent of a domain or move a domain in one domain tree to
another domain tree. The domain rename process can accommodate scenarios involving
acquisitions, mergers, or name changes in your organization, but it is not designed to
accommodate forest mergers or the movement of domains between forests.
Important
It is extremely important and highly recommended that you test the domain rename
operation before you perform it in a production environment. First, perform the domain
rename operation that is described in this section in a test environment that has a
minimum of two domains. Familiarizing yourself with the specifics of each stage in the
domain rename operation in a test environment will provide you with not only a much
better understanding of the operation itself but also better prepare you to troubleshoot
any issues that may arise during the domain rename operation in a production forest.
For more information, see Domain Rename Technical Reference (http://go.microsoft.com/fwlink/?LinkID=122922).
Forest functionality: You can rename domains only in a forest where all of the domain
controllers are running Windows Server 2008 or Windows Server 2003 Standard Edition,
Windows Server 2008 or Windows Server 2003 Enterprise Edition, or Windows Server 2008
or Windows Server 2003 Datacenter Edition operating systems, and the Active Directory
forest functional level has been raised to either Windows Server 2003 or Windows
Server 2008. The domain rename operation will not be successful if the forest functional level
is set to Windows 2000 native. For more information about forest functional levels and for
procedures to determine and set forest functional levels, see Enabling Windows Server 2008
Advanced Features for Active Directory Domain Services (http://go.microsoft.com/fwlink/?LinkID=105303).
Administrative credentials: You must have Enterprise Admins credentials to perform the
various procedures for the domain rename operation. If you are running Microsoft Exchange,
the account that you use must also have Full Exchange Administrator credentials.
Control Station: The computer that you use as the control station for the domain rename
operation must be a member computer (not a domain controller) running Windows
Server 2008 Standard Edition, Windows Server 2008 Enterprise Edition, or Windows
Server 2008 Datacenter Edition.
Distributed File System (DFS) root servers: So that you can rename a domain with domain-based
DFS Namespace (DFSN) roots, all DFSN root servers must be running Windows 2000
with Service Pack 3 (SP3), Windows Server 2003, or Windows Server 2008 operating
systems.
If your forest contains Exchange 2003 Service Pack 1 (SP1) servers, you can run the
Windows Server 2008 domain rename operation, but you must also use the Exchange
Domain Rename Fix-up Tool to update Exchange attributes. For more information, see
Microsoft Exchange Server Domain Rename Fixup (XDR-Fixup)
(http://go.microsoft.com/fwlink/?LinkID=122982). The document that accompanies this tool
describes when and how to perform Exchange-related tasks. To perform a domain rename
operation, Exchange must not be installed on any domain controllers. If a domain controller is
running Exchange, move the Exchange data off the domain controller and then uninstall
Exchange.
Important
The Windows Server 2008 domain rename operation is not supported in an
Active Directory forest that contains Exchange Server 2003, Exchange Server 2003
SP2, Exchange Server 2007, or Exchange Server 2007 SP1.
Note
You can use "Checklist: Satisfying Domain Rename Requirements" in Appendix C:
Checklists for the Domain Rename Operation to make sure that you have met all the
necessary requirements for the domain rename operation.
To raise the forest functional level to Windows Server 2008, click Windows
Server 2008, and then click Raise.
Caution
Do not raise the forest functional level to Windows Server 2008 if you have, or
will have, any domain controllers that are running Windows Server 2003 or
earlier. After you raise the forest functional level to Windows Server 2008, you
cannot change the level back to Windows Server 2003.
Parent-child: The trust that is established when you create a new domain in an existing tree in
the forest. The Active Directory Domain Services (AD DS) installation process creates a
transitive, two-way trust relationship automatically between the new domain (the child
domain) and the domain that immediately precedes it in the namespace hierarchy (the parent
domain).
Tree-root: The trust that is established when you add a new domain tree to the forest. The
installation process for AD DS creates a transitive, two-way trust relationship automatically
between the domain that you are creating (the new tree-root domain) and the forest root
domain.
Shortcut: A manually created, one-way, transitive trust relationship between any two domains
in the forest, created to shorten the trust path. To establish two-way, shortcut trust
relationships between two domains, you set up a shortcut trust relationship manually in each
direction.
The effect of the transitive, two-way trust relationships that are created automatically by the
installation process for AD DS is that there is complete trust between all domains in an
Active Directory forest: every domain has a transitive trust relationship with its parent domain,
and every tree-root domain has a transitive trust relationship with the forest root domain. If you
use the domain rename operation to restructure an existing Active Directory forest by altering the
domain tree hierarchy, automatic creation of the necessary trust relationships does not occur. For
this reason, as part of the preparation phase of domain rename, the trust relationships that are
required to preserve complete trust between all domains in your new forest (after restructuring)
must be precreated manually.
These shortcut trusts are responsible for maintaining the two-way, transitive trust relationships
that are required between the newly renamed domains when the domain rename operation is
complete.
For example, suppose that you have a deep tree and you want to create a new tree by moving
the lowest-level domain to become a tree-root domain. The following illustration shows the two-way
shortcut trust relationship that you create, and the tree-root trust relationship it provides after
the restructure, when you rename the eu.sales.cohowinery.com domain to create the tree-root
domain cohoeurope.com.
Services (AD DS), an Active Directory domain controller is located by the domain locator
(DC Locator) mechanism. In response to client requests for AD DS services, DC Locator uses
service (SRV) resource records in Domain Name System (DNS) to locate domain controllers. In
the absence of these DNS service location (SRV) resource records, directory clients experience
failures when they attempt to access AD DS. For this reason, before you rename an
Active Directory domain, you have to be sure that the appropriate DNS zones exist for the forest
and for each domain. If the appropriate zones do not exist in DNS, you have to create the DNS
zone or zones that will contain the service (SRV) resource records for the renamed domains. We
also strongly recommend that you configure the zone(s) to allow secure dynamic updates. This
DNS zone requirement applies to each domain that is renamed as part of the domain rename
operation.
The DNS requirements to rename an Active Directory domain are identical to the DNS
requirements to support an existing Active Directory domain. Your current DNS infrastructure
already provides necessary support for your Active Directory domain by using its current name.
Usually, you only have to mirror the existing DNS infrastructure to add support for the planned
new name of your domain.
For example, suppose that you want to rename an existing Active Directory domain
sales.cohovineyard.com to marketing.cohovineyard.com. If the service (SRV) resource records
that are registered by the domain controllers of the sales.cohovineyard.com Active Directory
domain are registered in the DNS zone named sales.cohovineyard.com, you have to create a
new DNS zone called marketing.cohovineyard.com which corresponds to the new name of the
domain. For more information about how to configure DNS to provide support for AD DS, see
Creating a DNS Infrastructure Design (http://go.microsoft.com/fwlink/?LinkId=124108).
Before you begin the domain rename process, verify that any new zones that are required have
been created and configured to allow dynamic updates. Analyze your current DNS infrastructure
in relation to the new forest structure that you want after the domain rename operation has
completed and compile a list of DNS zones that have to be created. You can use "Worksheet 3:
DNS Zone Information" in Appendix D: Worksheets for the Domain Rename Operation to
document this list.
For more information about how to create DNS zones, see Add a Forward Lookup Zone
(http://go.microsoft.com/fwlink/?LinkID=108851). For more information about how to configure
dynamic updates, see Allow Dynamic Updates (http://go.microsoft.com/fwlink/?LinkId=124109).
The primary DNS suffix of the computer is configured to be updated when domain
membership changes.
No Group Policy that specifies a primary DNS suffix is applied to the member computer.
These conditions represent the default configuration for computers that are running
Windows Server 2003 and Windows Server 2008.
Remember that the DNS suffix setting also applies to servers that are running Microsoft
Exchange. When you determine the primary DNS suffix configuration for your servers, also check
your Exchange servers.
Note
The DNS host names of domain controllers in a renamed domain are not changed
automatically to use the new domain DNS name as the primary DNS suffix, regardless of
the primary DNS suffix configuration. In other words, the DNS names of domain
controllers in a renamed domain will remain unchanged. You can rename the domain
controllers in a separate step after the domain rename operation is complete by using a
special domain controller rename procedure. For more information about how to rename
a domain controller, see Renaming a Domain Controller.
1. Estimate the largest number of computers (N) that can be renamed in your environment so
that the resulting replication traffic can be sustained by your network without becoming
saturated. It is our expectation that 1000 is an acceptable number.
2. Divide the member computers in the domain to be renamed into groups. Each group should
contain no more than the number of computers N estimated in step 1, so that the new primary
DNS suffix can be applied to one group at a time.
Note
The "groups" that are specified in this step are purely imaginary entities that
represent some collection of computers. There might be no actual object that
corresponds to such a group in the domain. For example, the combination of two
OUs, or one site, or one site plus an OU, and so on, might be used to form one
group, provided that the number of computers in the group does not exceed the
number N of computers that is specified in step 1. If existing sites and OUs all contain
more computers than the number N that is specified in step 1, you might have to
create one or more temporary OUs to group computers so that the new primary DNS
suffix can be applied to one group (in this case, one or more OUs) at a time. As an
alternative, you can restrict the scope of application of Group Policy to one group by
creating a temporary security group that consists of the group of computers that
should receive the policy and by setting security permissions on the Group Policy
object (GPO) accordingly using the security group that you just created.
3. Create a staggered schedule that determines when the new primary DNS suffix will be
applied to each group of computers that you established in step 2. Ensure that there is
sufficient time between two consecutive applications of the Group Policy setting Primary
DNS Suffix to two different groups of computers to allow replication to occur. Replication of
the updated dnsHostName and servicePrincipalName attributes on computer accounts and
replication of the DNS records of the renamed computers must be completed fully during the
scheduled gap.
4. Configure the domain that is being renamed to allow member computers of the domain to
register the new primary DNS suffix in the dnsHostName attribute of their corresponding
computer accounts in AD DS.
setting Primary DNS Suffix, you will specify one of the DNS suffixes that you have added to the
msDS-AllowedDNSSuffixes attribute.
If you apply the Primary DNS suffix Group Policy setting to the computers in the domain to be
renamed, we highly recommend that you set the DNS Suffix Search List Group Policy setting
and apply it to the computers in the domain being renamed. The DNS Suffix Search List setting
should contain the old primary DNS suffix, new primary DNS suffix, and potentially parent suffixes
of the old and new primary DNS suffixes. (The latter depends on whether parent name spaces
are being used in the organization.) For example, suppose that the old name of a domain was
payroll.hr.sales.cohowinery.com (that also corresponds with the old primary DNS suffix). Also,
suppose that the new name of the domain is payroll.sales.cohowinery.com (that also corresponds
with the new primary DNS suffix). The DNS Suffix Search List should contain the following
suffixes:
payroll.hr.sales.cohowinery.com
payroll.sales.cohowinery.com
hr.sales.cohowinery.com
sales.cohowinery.com
cohowinery.com
Such configuration preserves the ability of users to resolve the DNS names of computers in the
domain that is being renamed by specifying only the first label of the full DNS names of computers,
even during the transition period when a user's computer and a resource server may have different
primary DNS suffixes.
For the same reason, if computers in another domain were configured with DNS Suffix Search
List that contains the old name of a domain being renamed, during the domain rename operation
those computers should be reconfigured so that DNS Suffix Search List is updated to contain
both the old and new domain names.
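The search list rule above (old name, new name, then the parent suffixes of each, without duplicates) is easy to get wrong by hand for deeper trees, so here is an added example that computes it; it is not part of the Operations Guide, and the function name and parameters are this example's own. It generalizes the payroll.hr.sales.cohowinery.com case to any pair of old and new names and can emit the comma-separated form that the DNS Suffix Search List Group Policy setting expects.

```powershell
# Added example (not from the Operations Guide): builds the DNS Suffix Search List recommended
# for a domain rename: old name, new name, then the parent suffixes of each, first occurrence wins.
function Get-RenameSuffixSearchList {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$OldDomainName,
        [Parameter(Mandatory)][string]$NewDomainName,
        # Parent suffixes only matter when the organization actually uses the parent namespaces.
        [switch]$NoParentSuffixes,
        # Emit the comma-separated string used by the DNS Suffix Search List policy setting.
        [switch]$AsPolicyString
    )

    # Parent suffixes of a name: drop the leftmost label repeatedly, stopping before the bare TLD.
    function Get-ParentSuffixes([string]$Name) {
        $labels = $Name.Trim().TrimEnd('.').Split('.')
        for ($i = 1; $i -lt $labels.Count - 1; $i++) {
            $labels[$i..($labels.Count - 1)] -join '.'
        }
    }

    $candidates = @($OldDomainName, $NewDomainName)
    if (-not $NoParentSuffixes) {
        $candidates += @(Get-ParentSuffixes $OldDomainName)
        $candidates += @(Get-ParentSuffixes $NewDomainName)
    }

    # Keep the first occurrence of each suffix, comparing case-insensitively as DNS does.
    $seen = @{}
    $list = foreach ($c in $candidates) {
        $key = $c.Trim().TrimEnd('.').ToLowerInvariant()
        if ($key -and -not $seen.ContainsKey($key)) {
            $seen[$key] = $true
            $key
        }
    }

    if ($AsPolicyString) { $list -join ',' } else { $list }
}

# The guide's own case: payroll.hr.sales.cohowinery.com renamed to payroll.sales.cohowinery.com.
Get-RenameSuffixSearchList -OldDomainName 'payroll.hr.sales.cohowinery.com' `
                           -NewDomainName 'payroll.sales.cohowinery.com'
```

For the guide's example the call returns the five suffixes listed above in the same order. Use `-NoParentSuffixes` when parent namespaces are not in use in your organization, and `-AsPolicyString` to paste the result into the Group Policy setting.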
Configure the Domain to Allow a Primary DNS Suffix that Does Not Match the Domain Name
To check for primary DNS suffix update configuration for a computer using the registry
1. On the Start menu, click Run.
2. In Open, type regedit, and then click OK.
Caution
Incorrectly editing the registry may severely damage your system. Before making
changes to the registry, you should back up any valued data on the computer.
3. Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
4. Verify whether the value of the REG_DWORD entry SyncDomainWithMembership is 0x1. This
value indicates that the primary DNS suffix changes when the domain membership
changes.
To determine whether Group Policy specifies the primary DNS suffix by using the
command line
1. To open a command prompt, click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following command, and then press ENTER:
gpresult
3. In the output, under Applied Group Policy objects, check to see whether Primary DNS
Suffix is listed.
Or
4. Type the following command, and then press ENTER:
ipconfig /all
5. Check Primary DNS Suffix in the output. If it does not match the primary DNS suffix that
is specified in Control Panel for the computer, the Primary DNS Suffix Group Policy
setting is applied.
To determine whether Group Policy specifies the primary DNS suffix by using the
registry
1. On the Start menu, click Run.
2. In Open, type regedit and then click OK.
3. Navigate to
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient.
4. Check for the presence of the entry Primary DNS Suffix. If a value is present, the
Primary DNS Suffix Group Policy setting is applied to the computer.
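The three registry and command-line checks above (SyncDomainWithMembership, the policy key, and the ipconfig-versus-Control-Panel comparison) can be run together on each member computer. The following is an added example, not part of the Operations Guide; it reads the Tcpip\Parameters values and the policy location the guide names, and reports whether the computer meets both conditions for having its primary DNS suffix follow the domain rename. The value names PrimaryDnsSuffix and the alternate policy location under System\DNSClient are assumptions drawn from the DNS client policy templates and are only reported if present; "NV Domain" and "Domain" under Tcpip\Parameters hold the suffix configured in System Properties and the suffix in effect (the one ipconfig /all displays).

```powershell
# Added example (not from the Operations Guide): reports the primary DNS suffix configuration
# of the local computer and whether a Group Policy setting overrides it.
function Get-PrimaryDnsSuffixConfig {
    [CmdletBinding()]
    param()
    $tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $p = Get-ItemProperty -Path $tcpip -ErrorAction Stop

    # Candidate policy locations. The first is the key the guide names; the value names and the
    # second location are assumptions based on the DNS client policy templates.
    $policyLocations = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'; Names = @('PrimaryDnsSuffix', 'Primary DNS Suffix') },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\System\DNSClient';     Names = @('PrimaryDnsSuffix') }
    )
    $policySuffix = $null
    $policySource = $null
    foreach ($loc in $policyLocations) {
        if (-not (Test-Path -Path $loc.Path)) { continue }
        $props = Get-ItemProperty -Path $loc.Path
        foreach ($n in $loc.Names) {
            if ($props.PSObject.Properties[$n]) {
                $policySuffix = $props.$n
                $policySource = "$($loc.Path)\$n"
                break
            }
        }
        if ($policySuffix) { break }
    }

    $sync       = $p.SyncDomainWithMembership
    $configured = $p.'NV Domain'   # suffix set in System Properties
    $effective  = $p.Domain        # suffix in effect, as shown by ipconfig /all

    [pscustomobject]@{
        SyncDomainWithMembership = $sync
        SuffixFollowsMembership  = ($sync -eq 1)
        ConfiguredSuffix         = $configured
        EffectiveSuffix          = $effective
        PolicySuffix             = $policySuffix
        PolicySource             = $policySource
        # The guide's test: a policy value present, or ipconfig not matching Control Panel.
        PolicyOverridesSuffix    = ([bool]$policySuffix) -or ($effective -ne $configured)
        ReadyForDomainRename     = ($sync -eq 1) -and -not $policySuffix
    }
}

Get-PrimaryDnsSuffixConfig
```

Run it under an account that can read HKLM; ReadyForDomainRename is true only when both conditions listed above hold. Remember to run it on Exchange servers as well, as the preceding paragraph advises.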
All domain controllers in the domain must be running Windows Server 2003 or Windows
Server 2008.
For each new DNS suffix that you add, a subdomain by that name must exist in DNS.
Caution
The same value in the msDS-AllowedDNSSuffixes attribute cannot be used for more
than one domain in the forest. This undesired configuration enables a malicious
administrator of a computer that is joined to one such domain to set the
servicePrincipalName attribute of its computer account to the same value as the
Service Principal Name (SPN) of a computer in the other domain that is configured to
allow the same DNS suffix. Such a configuration prevents Kerberos authentication
against both of these computers.
The attribute msDS-AllowedDNSSuffixes is an attribute of the domain object. Therefore, you
must set DNS suffixes for each domain whose name is going to change.
To use ADSI Edit to add DNS suffixes to msDS-AllowedDNSSuffixes
1. Click Start menu, click Administrative Tools, and then click ADSI Edit.
2. Double-click the domain directory partition for the domain that you want to modify.
3. Right-click Domain container object, and then click Properties.
4. On the Attribute Editor tab, in Attributes, double-click the attribute msDS-AllowedDNSSuffixes.
5. In the Multi-valued String Editor dialog box, in Value to add, type a DNS suffix, and
then click Add.
6. When you have added all the DNS suffixes for the domain, click OK.
7. Click OK to close the Properties dialog box for that domain.
8. In the console tree, right-click ADSI Edit, and then click Connect to.
9. Under Computer, click Select or type a domain or server.
10. Type the name of the next domain for which you want to set the primary DNS suffix, and
then click OK.
11. Repeat steps 2 through 7 for that domain.
12. Repeat steps 8 through 10 to select each subsequent domain and repeat steps 2 through
7 to set the primary DNS suffix for each subsequent domain that is being renamed.
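The ADSI Edit procedure above is repeated once per domain, and the Caution before it warns that the same suffix must never be allowed in more than one domain of the forest because it lets a computer in one domain register a service principal name that collides with a computer in the other, which breaks Kerberos authentication for both. The following is an added example, not part of the Operations Guide, that enumerates msDS-AllowedDNSSuffixes across every domain in the forest, reports any suffix allowed in more than one domain, and refuses to add a suffix that is already allowed elsewhere. It assumes the ActiveDirectory PowerShell module; the function names and the -Forest, -Domain and -Suffix parameters are this example's own.

```powershell
# Added example (not from the Operations Guide): forest-wide audit and guarded update of
# msDS-AllowedDNSSuffixes. Requires the ActiveDirectory module and Enterprise Admins rights to write.
function Get-ForestAllowedDnsSuffixes {
    [CmdletBinding()]
    param([string]$Forest)
    Import-Module ActiveDirectory -ErrorAction Stop
    $forestObj = if ($Forest) { Get-ADForest -Identity $Forest } else { Get-ADForest }
    foreach ($domain in $forestObj.Domains) {
        # The attribute lives on the domain object itself, so read it from a DC of that domain.
        $dn  = (Get-ADDomain -Identity $domain).DistinguishedName
        $obj = Get-ADObject -Identity $dn -Server $domain -Properties 'msDS-AllowedDNSSuffixes'
        foreach ($suffix in @($obj.'msDS-AllowedDNSSuffixes')) {
            if ($suffix) {
                [pscustomobject]@{ Domain = $domain; Suffix = $suffix.ToString().ToLowerInvariant() }
            }
        }
    }
}

function Find-DuplicateAllowedDnsSuffixes {
    [CmdletBinding()]
    param([string]$Forest)
    Get-ForestAllowedDnsSuffixes -Forest $Forest |
        Group-Object -Property Suffix |
        ForEach-Object {
            $domains = @($_.Group | ForEach-Object { $_.Domain } | Sort-Object -Unique)
            if ($domains.Count -gt 1) {
                # One suffix allowed in two or more domains: the configuration the Caution warns about.
                [pscustomobject]@{ Suffix = $_.Name; Domains = $domains }
            }
        }
}

function Add-AllowedDnsSuffix {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Domain,   # DNS name of the domain being renamed
        [Parameter(Mandatory)][string]$Suffix    # new primary DNS suffix to allow
    )
    $wanted = $Suffix.ToLowerInvariant()
    $elsewhere = @(Get-ForestAllowedDnsSuffixes | Where-Object { $_.Suffix -eq $wanted -and $_.Domain -ne $Domain })
    if ($elsewhere.Count -gt 0) {
        throw "Suffix '$Suffix' is already allowed in $($elsewhere.Domain -join ', '); the same value must not be used in more than one domain."
    }
    $dn = (Get-ADDomain -Identity $Domain).DistinguishedName
    if ($PSCmdlet.ShouldProcess("$Domain ($dn)", "Add '$Suffix' to msDS-AllowedDNSSuffixes")) {
        Set-ADObject -Identity $dn -Server $Domain -Add @{ 'msDS-AllowedDNSSuffixes' = $Suffix }
    }
}

# Example calls using the guide's sample names (run from a member computer with RSAT):
# Find-DuplicateAllowedDnsSuffixes
# Add-AllowedDnsSuffix -Domain 'payroll.hr.sales.cohowinery.com' -Suffix 'payroll.sales.cohowinery.com' -WhatIf
```

Run Find-DuplicateAllowedDnsSuffixes before and after the per-domain additions; an empty result means no suffix is shared between domains. Add-AllowedDnsSuffix supports -WhatIf so the change can be previewed before it is written.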
To apply the Group Policy setting Primary DNS Suffix to groups of member computers
1. Open the Group Policy Management Editor snap-in: click Start, click Administrative
Tools, and then click Group Policy Management.
2. In Group Policy Management Editor, right-click the domain or OU that contains the group
of computers to which you are applying Group Policy.
3. In Group Policy Objects, right-click the GPO that you want to contain the Primary DNS
Suffix setting, and then click Edit.
Note
To create a new GPO that will contain the Primary DNS Suffix setting, right-click
Group Policy Objects, click New, and then type a name for the object.
4. Under Computer Configuration, expand Policies and Administrative Templates,
Network, and then click DNS Client.
5. In the results pane, double-click Primary DNS Suffix.
6. Click Enabled, and then in the Enter a primary DNS suffix box, type the DNS suffix for
the domain whose member computers are in the group that you selected in step 2.
After the Active Directory domain has been renamed and all member computers have had time to
restart, you can disable the Group Policy setting that you enabled in step 6 of the previous
procedure.
Note
The steps in the previous procedure result in naming member computers only, not
domain controllers. Renaming mission-critical servers, such as domain controllers,
requires special preparation that is beyond the scope of this document. For information
about how to rename a domain controller, see Renaming a Domain Controller. We
strongly recommend that you carefully read this Help documentation and then rename
domain controllers in a renamed domain according to the specified recommendations
only after the domain rename operation has completed successfully.
As a best practice, all the CAs should include both Lightweight Directory Access Protocol
(LDAP) and Hypertext Transfer Protocol (HTTP) URLs in their Authority Information Access
(AIA) and Certificate Distribution Point (CDP) extensions.
Caution
If any certificate that the CA issues has only one of these URL types, the certificate may
or may not work. Depending on the complexity of your domain configuration, steps in this
document might not be sufficient for proper management of CAs after the domain rename
operation. Proceed with these steps only if you have considerable expertise in handling
Microsoft CAs.
If one or more of the following conditions exist at the time of domain rename, CA management is
not supported:
The CA is configured to have only LDAP URLs for its CDP or AIA. Because the old LDAP
extensions would be invalid after the domain rename operation, all the certificates that are
issued by the CA are no longer valid. As a workaround, you have to renew the existing CA
hierarchy and all issued End Entity certificates.
After the domain rename operation, the name constraints might not be valid. As a
workaround, you will have to reissue cross-certificates with appropriate name constraints.
A Request for Comments (RFC) 822-style e-mail name is used in the user account. If the CA
(or the certificate template) is configured to include RFC 822-style e-mail names and this
name style is used in the certificates that are issued, these certificates will contain an
incorrect e-mail name after domain rename operation. Any such Active Directory accounts
should be changed before any certificate is issued.
As a best practice, the default LDAP and HTTP URLs require no special configuration before the
domain rename operation.
Before you begin the domain rename operation, ensure that the certificate revocation lists (CRLs)
and the CA certificates will not expire soon. If you find that they are close to expiration, complete
the following tasks before the domain rename operation:
1. Renew the CA certificates.
2. Issue a new CRL with the appropriate validity period.
3. Wait until both of these previous items have propagated to all client computers.
For more information, see Active Directory Certificate Services (http://go.microsoft.com/fwlink/?LinkID=122981).
If your forest contains Exchange 2003 Service Pack 1 (SP1) servers, you can run the
Windows Server 2008 domain rename operation, but you must also use the Exchange Domain
Rename Fix-up Tool to update Exchange attributes. For more information, see Microsoft
Exchange Server Domain Rename Fixup (XDR-Fixup) (http://go.microsoft.com/fwlink/?LinkID=122982).
This document describes preliminary steps and instructions for running the
Exchange Domain Rename Fix-up Tool. As part of the preliminary steps, you must move
Exchange off all domain controllers and discontinue Exchange configuration changes.
Task requirements
The following is required to perform the procedures for this task:
Rendom.exe
Repadmin.exe
Gpfixup.exe
Push Domain Rename Instructions to All Domain Controllers and Verify DNS Readiness
Exchange-Specific Steps: Update the Exchange Configuration and Restart Exchange Servers
Computer: Use a computer that is a member of a domain in the forest in which domain
rename operation is to be performed to serve as the control station.
Operating system: The computer must be a member computer (not a domain controller) that
is running Windows Server 2003 Standard Edition or Windows Server 2008 Standard,
Windows Server 2003 Enterprise Edition or Windows Server 2008 Enterprise, or
Windows Server 2003 Datacenter Edition or Windows Server 2008 Datacenter.
Important
Do not use a domain controller to act as the control station for the domain rename
operation.
Operating system CD: You must have the Windows Server 2003 Standard Edition,
Windows Server 2003 Enterprise Edition, or Windows Server 2003 Datacenter Edition
operating system CD.
Membership in the Local Administrators group (or write access to a local disk drive) on the
computer that is the control station is the minimum required to complete these procedures.
Review details about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
To set up the control station on a Windows Server 2003 member server
1. On a local disk drive of the selected control station computer, create a working directory
for the domain rename tools, for example, C:\domren
Note
Each time that you use the tools in this procedure, run them from this directory.
2. Insert the Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise
Edition, or Windows Server 2003 Datacenter Edition operating system CD into the
CD-ROM drive and copy the files from the valueadd directory into your working directory
as follows:
copy D:\valueadd\msft\mgmt\domren\*.* C:\domren
In particular, verify that the two tools Rendom.exe and Gpfixup.exe have been copied into
the working directory on the control station.
3. Install the Support Tools from the Support\Tools folder on the Windows Server 2003
Standard Edition, Windows Server 2003 Enterprise Edition, or Windows Server 2003
Datacenter Edition operating system CD. (To install Support Tools, run Suptools.msi in
the Support\Tools directory.) In particular, verify that the tools Rendom.exe,
Repadmin.exe, Dfsutil.exe, and Gpfixup.exe are installed on the control station.
To set up the control station on a Windows Server 2008 member server
1. On a local disk drive of the selected control station computer, create a working directory
for the domain rename tools, for example, C:\domren.
Note
Each time that you use the tools in this procedure, run them from this directory.
2. To obtain the necessary tools for the domain rename operation, install the Remote Server
Administration Tools Pack. For more information, see Installing or Removing the Remote
Server Administration Tools Pack (http://go.microsoft.com/fwlink/?LinkId=124111).
Verify that the tools Rendom.exe, Repadmin.exe, Dfsutil.exe, and Gpfixup.exe are
installed on the control station in the %SystemDrive%\Windows\System32 directory.
3. Copy the Rendom.exe, Repadmin.exe, Dfsutil.exe, and Gpfixup.exe tools from the
%SystemDrive%\Windows\System32 directory into your working directory as follows:
robocopy %SystemDrive%\Windows\System32 C:\domren rendom.exe repadmin.exe dfsutil.exe gpfixup.exe
Creating new domains in, or removing existing domains from, your forest
Creating new application directory partitions in, or removing existing application directory
partitions from, your forest
Adding domain controllers to, or removing domain controllers from, your forest
Adding attributes to, or removing attributes from, the set of attributes that replicate to the
global catalog (the partial attribute set).
You can resume these activities after you successfully complete the domain rename operation.
For more information, see Unfreeze the Forest Configuration.
DomainDnsZones.sales.cohovineyard.com
DomainDnsZones.cohovineyard.com
ForestDnsZones.cohovineyard.com
<Forest>
<Domain>
<!-- PartitionType:Application -->
<Guid>59add6bb-d0e8-499e-82b9-8aaca5d3e18b</Guid>
<DNSname>DomainDnsZones.sales.cohovineyard.com</DNSname>
<NetBiosName></NetBiosName>
<DcName></DcName>
</Domain>
<Domain>
<Guid>89cf8ae3-f4a3-453b-ac5c-cb05a76bfa40</Guid>
<DNSname>sales.cohovineyard.com</DNSname>
<NetBiosName>SALES</NetBiosName>
<DcName></DcName>
</Domain>
<Domain>
<!-- PartitionType:Application -->
<Guid>f018941b-c899-4601-bfa7-5c017e9d31e7</Guid>
<DNSname>ForestDnsZones.cohovineyard.com</DNSname>
<NetBiosName></NetBiosName>
<DcName></DcName>
</Domain>
<Domain>
<!-- PartitionType:Application -->
<Guid>f018941b-c899-4601-bfa7-5c017e9d31f3</Guid>
<DNSname>DomainDnsZones.cohovineyard.com</DNSname>
<NetBiosName></NetBiosName>
<DcName></DcName>
</Domain>
<Domain>
<!-- ForestRoot -->
<Guid>89cf6b34-d753-32a8-da6b-6a8e04bc48a4</Guid>
<DNSname>cohovineyard.com</DNSname>
<NetBiosName>COHOVINEYARD</NetBiosName>
<DcName></DcName>
</Domain>
</Forest>
Important
The functional level of the forest in which you perform the domain rename operation must
be set to Windows Server 2003 or Windows Server 2008. Otherwise, the domain rename
tool, Rendom.exe, reports an error and it cannot proceed with further steps.
Membership in the Enterprise Admins group in the current forest and the Local Administrators
group (or write access to the domain rename C:\domren working directory) on the control station
computer is the minimum required to complete this procedure. Review details about using the
appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Note
You can use credentials other than those credentials with which you are currently logged
on. To use alternative credentials, use the /user and /pwd command-line switches of
rendom, as described in Appendix A: Command-Line Syntax for the Rendom Tool.
To generate the current forest description file
1. On the control station, click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following command to change to the working directory,
and then press ENTER:
cd C:\domren
3. To generate the XML-encoded forest description file, at the command prompt, type the
following command, and then press ENTER:
rendom /list
4. Save a copy of the current forest description file (Domainlist.xml) that was generated in
step 3 as Domainlist-save.xml for future reference by using the following copy command:
copy domainlist.xml domainlist-save.xml
Note
The Rendom tool contacts the domain controller that is the current domain naming
operations master role owner in the target forest to gather the information that is
necessary to generate the forest description file. The command might fail if the domain
naming master is unavailable or unreachable from the control station.
and the application directory partition names in the Domainlist.xml file will form the starting point
for the remainder of the steps in the domain rename operation.
You can change either the Domain Name System (DNS) name (the field that is bounded by the
<DNSname></DNSname> tags) or the NetBIOS name (the field that is bounded by the
<NetBiosName></NetBiosName> tags), or both names, for any given domain in the forest. You
cannot, however, change the globally unique identifier (GUID) in the field that is bounded by the
<Guid></Guid> tags.
Furthermore, pay special attention to the fact that when the DNS name of a parent domain
changes, the DNS name of its child domain should also be changed, unless you are deliberately
restructuring the child domain into a new domain tree root in the forest. For example, if the root
domain cohovineyard.com is renamed to cohowinery.com, the child domain
sales.cohovineyard.com should also be renamed to sales.cohowinery.com, unless you want to
make the domain sales.cohovineyard.com become the root of a new domain tree.
Here is a sample of a forest description Domainlist.xml file before and after you edit it for domain
name changes to rename the root domain from cohovineyard.com to cohowinery.com. This name
change of the forest root domain also results in a renaming of the child domain from
sales.cohovineyard.com to sales.cohowinery.com. Furthermore, assume that the NetBIOS name
of the root domain is also being changed from COHOVINEYARD to COHOWINERY.
BEFORE editing (root domain name: cohovineyard.com)
<Forest>
<Domain>
<!-- PartitionType:Application -->
<Guid>59add6bb-d0e8-499e-82b9-8aaca5d3e18b</Guid>
<DNSname>DomainDnsZones.sales.cohovineyard.com</DNSname>
<NetBiosName></NetBiosName>
<DcName></DcName>
</Domain>
<Domain>
<Guid>89cf8ae3-f4a3-453b-ac5c-cb05a76bfa40</Guid>
<DNSname>sales.cohovineyard.com</DNSname>
<NetBiosName>SALES</NetBiosName>
<DcName></DcName>
</Domain>
<Domain>
<!-- PartitionType:Application -->
<Guid>f018941b-c899-4601-bfa7-5c017e9d31e7</Guid>
<DNSname>ForestDnsZones.cohovineyard.com</DNSname>
<NetBiosName></NetBiosName>
<DcName></DcName>
</Domain>
<Domain>
<!-- PartitionType:Application -->
<Guid>f018941b-c899-4601-bfa7-5c017e9d31f3</Guid>
<DNSname>DomainDnsZones.cohovineyard.com</DNSname>
<NetBiosName></NetBiosName>
<DcName></DcName>
</Domain>
<Domain>
<!-- ForestRoot -->
<Guid>89cf6b34-d753-32a8-da6b-6a8e04bc48a4</Guid>
<DNSname>cohovineyard.com</DNSname>
<NetBiosName>COHOVINEYARD</NetBiosName>
<DcName></DcName>
</Domain>
</Forest>
<Guid>f018941b-c899-4601-bfa7-5c017e9d31e7</Guid>
<DNSname>ForestDnsZones.cohowinery.com</DNSname>
<NetBiosName></NetBiosName>
<DcName></DcName>
</Domain>
<Domain>
<!-- PartitionType:Application -->
<Guid>f018941b-c899-4601-bfa7-5c017e9d31f3</Guid>
<DNSname>DomainDnsZones.cohowinery.com</DNSname>
<NetBiosName></NetBiosName>
<DcName></DcName>
</Domain>
<Domain>
<!-- ForestRoot -->
<Guid>89cf6b34-d753-32a8-da6b-6a8e04bc48a4</Guid>
<DNSname>cohowinery.com</DNSname>
<NetBiosName>COHOWINERY</NetBiosName>
<DcName></DcName>
</Domain>
</Forest>
Note
The current forest description must be available as the XML-encoded file Domainlist.xml
that can be modified.
Membership in the Local Administrators group (or write access to the domain rename
C:\domren working directory) on the control station computer is the minimum required to
complete this procedure. Review details about using the appropriate accounts and group
memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To edit the Domainlist.xml file
1. Use a simple text editor, such as Notepad.exe, to open the current forest description file
Domainlist.xml that you created in Generate the Current Forest Description.
2. Edit the forest description file, replacing the current DNS or NetBIOS names of the
domains and application directory partitions to be renamed with the planned new DNS or
NetBIOS names.
Note
It is not necessary to change the NetBIOS name of a domain when its DNS
name changes.
These directory partitions store DNS zone data. By default, application directory partitions can be
used to store DNS zone data and Microsoft Telephony Application Programming Interface (TAPI)
data in Active Directory Domain Services (AD DS). Other applications must be programmed to
create and use application directory partitions in AD DS.
Application directory partitions can exist anywhere in the domain hierarchy where a domain
directory partition can exist, except for the forest root or tree root domain positions. However,
when you rename a domain, an application directory partition that occurs below the renamed
domain in the domain tree is not renamed automatically. You must take care to edit the names of
application directory partitions if they occur below a renamed domain in the hierarchy.
DNS data
If you have Active Directory-integrated DNS that is running on a domain controller, the DNS
server might have created one or more application directory partitions to store data for DNS
zones. There is one DNS-specific application directory partition dedicated for each domain
(named DomainDnsZones.<domain DNS name>, where <domain DNS name> is the name of the
domain), and another DNS-specific application directory partition dedicated for the entire forest
(named ForestDnsZones.<forest DNS name>, where <forest DNS name> is the name of the
forest root domain).
Important
When an Active Directory forest root domain or other domain is renamed, the
corresponding DNS-specific application directory partition must be renamed. If the DNS-specific
application directory partition is not renamed, new DNS servers that are added to the network
will not automatically load the DNS zones that are stored in the DNS-specific application
directory partition, and therefore they will not function correctly.
As you can see from the contents of the sample Domainlist.xml file before and after editing, the
following three DNS-specific application directory partitions in the original forest
DomainDnsZones.sales.cohovineyard.com
DomainDnsZones.cohovineyard.com
ForestDnsZones.cohovineyard.com
are renamed to
DomainDnsZones.sales.cohowinery.com
DomainDnsZones.cohowinery.com
ForestDnsZones.cohowinery.com
in the new forest as a result of the domain name sales.cohovineyard.com that is being
changed to sales.cohowinery.com and the forest root domain name cohovineyard.com being
changed to cohowinery.com, respectively.
TAPI data
If you have a Microsoft TAPI dynamic directory for a domain that is hosted by AD DS, you may
have created one or more application directory partitions (one for each domain) to store TAPI
application data. There is one TAPI-specific application directory partition configured for each
domain. When you rename an Active Directory domain, the corresponding TAPI-specific
application directory partition is not renamed automatically. We recommend that you rename a
TAPI-specific application directory partition when its corresponding domain name is changed.
To rename application directory partitions
1. Examine the forest description file to determine if any application directory partitions in
the forest must be renamed as a result of the domain DNS name changes that are being
specified.
2. Consult the documentation for the application that created the application directory
partition to see if the directory partition should be renamed. Any DNS name changes for
application directory partitions must also be specified in the forest description file
Domainlist.xml, along with the domain directory partition name changes.
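The rename rule described above (a renamed parent pulls its child domains and the DomainDnsZones/ForestDnsZones application directory partitions below it along, while GUIDs never change) can be applied and double-checked mechanically. The following is an added example, not Microsoft code and not part of Rendom; it works on a constructed copy of the guide's cohovineyard.com Domainlist.xml.

```python
"""Apply planned domain renames to a Rendom Domainlist.xml.

Added example for this guide; it is not Microsoft code and is not part of
Rendom. rename_domains() rewrites the <DNSname> fields for the domains you
list and for everything that hangs below them (child domains and application
directory partitions such as DomainDnsZones.<domain>), which is the edit the
guide asks you to make by hand. GUIDs are never touched. verify_edit() then
re-checks the result before you hand the file to rendom.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the guide's cohovineyard.com forest, one <Domain> per line.
SAMPLE_DOMAINLIST = """<Forest>
<Domain><!-- PartitionType:Application --><Guid>59add6bb-d0e8-499e-82b9-8aaca5d3e18b</Guid><DNSname>DomainDnsZones.sales.cohovineyard.com</DNSname><NetBiosName></NetBiosName><DcName></DcName></Domain>
<Domain><Guid>89cf8ae3-f4a3-453b-ac5c-cb05a76bfa40</Guid><DNSname>sales.cohovineyard.com</DNSname><NetBiosName>SALES</NetBiosName><DcName></DcName></Domain>
<Domain><!-- PartitionType:Application --><Guid>f018941b-c899-4601-bfa7-5c017e9d31e7</Guid><DNSname>ForestDnsZones.cohovineyard.com</DNSname><NetBiosName></NetBiosName><DcName></DcName></Domain>
<Domain><!-- PartitionType:Application --><Guid>f018941b-c899-4601-bfa7-5c017e9d31f3</Guid><DNSname>DomainDnsZones.cohovineyard.com</DNSname><NetBiosName></NetBiosName><DcName></DcName></Domain>
<Domain><!-- ForestRoot --><Guid>89cf6b34-d753-32a8-da6b-6a8e04bc48a4</Guid><DNSname>cohovineyard.com</DNSname><NetBiosName>COHOVINEYARD</NetBiosName><DcName></DcName></Domain>
</Forest>
"""


def _parse(xml_text):
    # Keep the <!-- PartitionType --> / <!-- ForestRoot --> comments in the output.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def _new_name(name, ordered_renames):
    """Map one DNS name through the rename table. The longest old name wins,
    so an explicit entry for a child domain overrides the rename of its parent
    (the "deliberately make it a new tree root" case in the guide)."""
    lowered = name.lower()
    for old, new in ordered_renames:
        if lowered == old.lower():
            return new
        if lowered.endswith("." + old.lower()):
            return name[: len(name) - len(old)] + new
    return name


def rename_domains(xml_text, dns_renames, netbios_renames=None):
    """Return (edited XML text, list of (old, new) DNS names that changed).

    dns_renames maps old domain DNS names to new ones, for example
    {"cohovineyard.com": "cohowinery.com"}; netbios_renames does the same for
    NetBIOS names and is optional, since a NetBIOS name need not change.
    """
    netbios_renames = netbios_renames or {}
    ordered = sorted(dns_renames.items(), key=lambda kv: -len(kv[0]))
    root = _parse(xml_text)
    changed = []
    for domain in root.iter("Domain"):
        dns = domain.find("DNSname")
        if dns is None:
            continue
        old = (dns.text or "").strip()
        new = _new_name(old, ordered)
        if new != old:
            dns.text = new
            changed.append((old, new))
        nb = domain.find("NetBiosName")
        if nb is not None and nb.text in netbios_renames:
            nb.text = netbios_renames[nb.text]
    return ET.tostring(root, encoding="unicode"), changed


def verify_edit(before_xml, after_xml, dns_renames):
    """Return a list of problems (empty when the edit is safe to give to Rendom).

    Checks that the GUIDs are unchanged and in the same order, and that no
    child domain or application directory partition is still left under an
    old domain name (the partition that is easy to forget when editing by hand).
    """
    problems = []
    before = [d.findtext("Guid", "").strip() for d in _parse(before_xml).iter("Domain")]
    after_root = _parse(after_xml)
    after = [d.findtext("Guid", "").strip() for d in after_root.iter("Domain")]
    if before != after:
        problems.append("GUID list changed; the GUIDs must stay exactly as Rendom wrote them")
    names = [d.findtext("DNSname", "").strip().lower() for d in after_root.iter("Domain")]
    for old, new in dns_renames.items():
        if old.lower() == new.lower():
            continue
        for n in names:
            if n == old.lower() or n.endswith("." + old.lower()):
                problems.append(f"{n} still sits under the renamed domain {old}")
    return problems


if __name__ == "__main__":
    plan = {"cohovineyard.com": "cohowinery.com"}
    edited, changes = rename_domains(SAMPLE_DOMAINLIST, plan, {"COHOVINEYARD": "COHOWINERY"})
    for old, new in changes:
        print(f"{old} -> {new}")
    print("problems:", verify_edit(SAMPLE_DOMAINLIST, edited, plan))
```

Feeding verify_edit() a plan that keeps sales.cohovineyard.com under its old name while the root is renamed reports the two entries left behind, which is the guide's "new tree root" case made visible before rendom /upload.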
In the field that is bounded by the <DcName></DcName> tags within each domain entry,
type the DNS host name of the domain controller that you want to use. For example, to
retrieve information for the domain sales.cohovineyard.com from the domain controller
dc1.sales.cohovineyard.com, specify <DcName>dc1.sales.cohovineyard.com</DcName>
within the domain entry for the renamed domain sales.cohowinery.com. (Recall that
domain controller names do not change when the domain is renamed.)
This command simply displays the contents of the Domainlist.xml file in a format that is
easier to read and in which you can better see the forest structure. Use this command
each time that you make any changes to the Domainlist.xml file to verify that the forest
structure looks as you intended.
Note
It is essential at this step to specify an accurate forest description that reflects the
desired changes to the forest structure, because any error at this stage will result
in an unintended forest structure when the domain rename operation is complete.
If your target structure is not what you intended, you must perform the entire
domain rename procedure again.
Note
To gather the information that is necessary to process the /showforest command-line
option, Rendom.exe contacts the domain controller that is the current domain naming
master in the target forest. The command might fail if the domain naming master is
unavailable or unreachable from the control station.
the control station's working directory. The Dclist.xml state file is used to track the progress and
state of each domain controller in the forest for the rest of the domain rename operation.
The following is a sample Dclist.xml file that is generated for the two-domain forest in which there
are two domain controllers named DC1 and DC2 in the cohovineyard.com domain and two
domain controllers named DC3 and DC4 in the sales.cohovineyard.com domain.
<?xml version="1.0"?>
<DcList>
<Hash>zzzzzzzz</Hash>
<Signature>zzzzzzzz</Signature>
<DC>
<Name>DC1.cohovineyard.com</Name>
<State>Initial</State>
<LastError>0</LastError>
<Password />
<LastErrorMsg />
<FatalErrorMsg />
<Retry></Retry>
</DC>
<DC>
<Name>DC2.cohovineyard.com</Name>
<State>Initial</State>
<LastError>0</LastError>
<Password />
<LastErrorMsg />
<FatalErrorMsg />
<Retry></Retry>
</DC>
<DC>
<Name>DC3.sales.cohovineyard.com</Name>
<State>Initial</State>
<LastError>0</LastError>
<Password />
<LastErrorMsg />
<FatalErrorMsg />
<Retry></Retry>
</DC>
<DC>
<Name>DC4.sales.cohovineyard.com</Name>
<State>Initial</State>
<LastError>0</LastError>
<Password />
<LastErrorMsg />
<FatalErrorMsg />
<Retry></Retry>
</DC>
</DcList>
Notice that there is an entry for every domain controller in the forest in the Dclist.xml state file,
and the state of each domain controller entry (the field that is bounded by the <State></State>
tags) is set to Initial at this step. This state will change independently for each domain controller
as it progresses through the rest of the domain rename operation.
Ensure that the following conditions are in effect before you generate domain rename
instructions:
The source domain controller must be available and reachable. Rendom contacts one
arbitrarily chosen domain controller in each domain (or the domain controller that is
designated for each domain in the <DCname></DCname> field in the Domainlist.xml file) to
gather the information that is necessary to generate the domain rename instructions. The
command might fail if a designated domain controller in a domain is unavailable or
unreachable from the control station (or if a designated domain controller was not specified, if
no domain controller in a domain is reachable from the control station).
The domain naming master must be available and reachable. Rendom writes the domain
rename instructions to the Partitions container in the Configuration directory partition on the
domain naming master, and Rendom gathers the information that is necessary to generate
the state file Dclist.xml. The command might fail if the domain naming master is unavailable
or unreachable from the control station.
Membership in the Enterprise Admins group in the target forest (with write access to the
Partitions container object and the cross-reference objects that are its children in the
configuration directory partition) and the Local Administrators group (or write access to the
domain rename C:\domren working directory) on the control station computer is the minimum
required to complete this procedure. Review details about using the appropriate accounts and
group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Note
You can use credentials other than the credentials with which you are currently logged
on. To use alternative credentials, use the /user and /pwd command-line switches of
rendom, as described in Appendix A: Command-Line Syntax for the Rendom Tool.
To generate the domain rename instructions and upload them to the domain naming
master
1. On the control station, click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following to change to the working directory, and then
press ENTER:
C:\domren
3. From within the working directory, type the following command, and then press ENTER:
rendom /upload
4. Verify that the state file Dclist.xml is created in the working directory and that it contains
an entry for every domain controller in your forest.
controllers in the forest. As an option, you can wait for replication to complete according
to the usual replication intervals and delays that are characteristic of your forest.
If the command in the following procedure completes successfully, the changes that originate at
the domain naming master domain controller have replicated to every domain controller in the
forest. If the command reports an error for some subset of the domain controllers in the forest, the
replication must be reattempted for those failed domain controllers until all domain controllers in
the forest have successfully received the changes from the domain naming master.
Membership in the Enterprise Admins group in the target forest is the minimum required to
complete this procedure. Review details about using the appropriate accounts and group
memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To force synchronization of changes made on the domain naming master to all domain
controllers in the forest
1. On the control station, click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following command, and then press ENTER:
repadmin /syncall /d /e /P /q DomainNamingMaster
Note
The repadmin command-line options are case sensitive.
Note
If read-only domain controllers (RODCs) are included in your domain, run this
command one more time to ensure that the new servicePrincipalName attribute of
each RODC is replicated to all the domain controllers in the forest.
Parameter: Description
/syncall: Synchronizes the specified domain controller with all of its replication partners.
/d: Identifies servers by distinguished name in messages.
/e: Includes domain controllers in all sites in the enterprise (by default, only the local site is synchronized).
/P: Pushes changes outward from the specified domain controller instead of pulling them.
/q: Runs in quiet mode, which suppresses callback messages.
DomainNamingMaster: The DNS host name of the domain controller that holds the domain naming master role.
If you do not know the DNS host name of the domain naming master, you can use the
Dsquery.exe tool to discover it.
Membership in the Enterprise Admins group in the target forest, or equivalent, is the minimum
required to complete this procedure. Review details about using the appropriate accounts and
group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To discover the DNS host name of the domain naming master
1. On the control station, click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following command, and then press ENTER:
Dsquery server -hasfsmo name
Parameter: Description
name: Selects the domain naming master role; the command returns the name of the domain controller that owns it.
Record type: Record name
CNAME: DsaGuid._msdcs.DnsForestName
SRV: _ldap._tcp.pdc._msdcs.DnsDomainName
SRV: _ldap._tcp.gc._msdcs.DnsForestName
SRV: _ldap._tcp.dc._msdcs.DnsDomainName
However, because these resource records are closely linked with the global catalog and the
domain controller service (SRV) resource records that are described in the table, it is sufficient to
confirm the presence of the global catalog and the domain controller service (SRV) resource
records to assume that these two records have also been prepublished.
You can use the DcDiag.exe tool to confirm that the correct service (SRV) resource records that
DC Locator uses have been registered in DNS.
Membership in the Enterprise Admins group in the target forest, or equivalent, is the minimum
required to complete this procedure. Review details about using the appropriate accounts and
group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To verify DNS records readiness
1. On the control station, click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following command, and then press ENTER:
Dcdiag /test:DNS /DnsRecordRegistration /s:domaincontroller
For more information about dcdiag syntax and parameters, see Dcdiag Syntax
(http://go.microsoft.com/fwlink/?LinkID=123103).
The preparatory changes that are made to the Partitions container of the forest's domain
naming operations master during the generation of domain rename instructions must have
replicated to every domain controller in the forest. This status is checked for and enforced by
Rendom.exe during this step.
Service (SRV) resource records, which are required for domain controller location of the
renamed domains, must be registered in Domain Name System (DNS) and they must have
replicated to all DNS servers.
Membership in the Enterprise Admins group in the target forest (with write access to the
Partitions container object and the cross-reference objects that are its children in the
configuration directory partition) and the Local Administrators group (or write access to the
domain rename C:\domren working directory) on the control station computer is the minimum
required to complete this procedure. Review details about using the appropriate accounts and
group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Note
You can use credentials other than the credentials with which you are currently logged
on. To use alternative credentials, use the /user and /pwd command-line switches of
rendom, as described in Appendix A: Command-Line Syntax for the Rendom Tool.
To verify the readiness of domain controllers in the forest
1. On the control station, click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following command to change to the working directory,
and then press ENTER:
C:\domren
3. From within the working directory, type the following command, and then press ENTER:
rendom /prepare
4. After the command finishes, examine the state file Dclist.xml to determine whether all
domain controllers achieved the Prepared state. If not, repeat step 2 in this procedure
until all domain controllers achieve the Prepared state.
Note
Each time that it runs, the Rendom tool consults the Dclist.xml state file and does
not connect to or verify the domain controllers that are already in the Prepared
state. Therefore, no redundant operations are performed when you run this command
repeatedly.
In a large forest with a large number of domain controllers, it is very likely that all domain
controllers cannot be reached from the control station at the same time. In other words, it is not
likely that all domain controllers that are tracked by the state file Dclist.xml will reach the Prepared
state in a single running of the rendom /prepare command. Therefore, multiple invocations of
this command might be necessary to make incremental progress with groups of domain
controllers that reach the Prepared state at the same time. If you determine that, for any reason,
it is impossible to make any further progress with a specific domain controller, you can remove
the entry for that domain controller (bounded by the <DC></DC> tags) from the Dclist.xml file by
simply editing the state file with a text editor. Remember that, when a domain controller is
removed in this manner from participating in the domain rename procedure, it must be retired
(that is, Active Directory Domain Services (AD DS) must be removed from domain controller) in
the new forest after the domain rename operation is complete.
Note
Make sure that you save a copy of the state file Dclist.xml every time before you edit by
using a text editor. This makes an easy fallback and recovery possible in case you make
an error in editing the file.
As Rendom.exe executes the various command-line options, the command execution log is
cumulatively captured in a log file named Rendom.log (the default name) in the current working
directory (C:\domren). When execution of a Rendom.exe command fails, examination of this log
file can yield valuable information about the actual tasks that the tool performed, and at what
stage or on which domain controller a problem occurred.
successfully. At the end of this procedure, every domain controller that is tracked by the state file
dclist.xml will be in one of two final states:
Done, which means that the domain controller successfully completed the domain rename
operation.
Error, which means that the domain controller encountered an irrecoverable error and did not
complete the domain rename operation.
In other words, if a domain controller successfully executes the domain rename instructions, it
restarts automatically and its corresponding state for the domain controller entry in the state file is
updated to read <State>Done</State>. But, if a fatal or irrecoverable error is encountered on a
domain controller while you attempt to execute the domain rename instructions, its corresponding
state for the domain controller entry in the state file is updated to read <State>Error</State>. For
the Error state, the error code is written to the last error field <LastError></LastError> and a
corresponding error message is written to the <FatalErrorMsg></FatalErrorMsg> field.
The rendom command must be repeated until all domain controllers have either successfully
executed the domain rename or you have established that one or more domain controllers are
unreachable and will be removed from the forest.
Important
This step will cause a temporary disruption in service while the domain controllers are
running the domain rename instructions and restarting after they run the instructions
successfully. The Active Directory Domain Services (AD DS) service in the forest has not
been disrupted up to this point in the domain rename operation.
Important
All domain controllers in the forest must be in the Prepared state, as indicated by the
state field (<State>Prepared</State>) in the state file Dclist.xml. This state is checked for
and enforced by rendom at this step.
Membership in the Enterprise Admins group in the target forest (with write access to the
Partitions container object and the cross-reference objects that are its children in the
configuration directory partition) and the Local Administrators group (or write access to the
domain rename C:\domren working directory) on the control station computer is the minimum
required to complete this procedure. Review details about using the appropriate accounts and
group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Note
You can use credentials other than the credentials with which you are currently logged
on. To use alternative credentials, use the /user and /pwd command-line switches of
rendom, as described in Appendix A: Command-Line Syntax for the Rendom Tool.
To run the domain rename instructions on all domain controllers
1. On the control station, click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following command to change to the working directory,
and then press ENTER:
C:\domren
3. From within the working directory, type the following command, and then press ENTER:
rendom /execute
4. When the command has finished running, examine the state file Dclist.xml to determine
whether all domain controllers have reached either the Done state or the Error state.
5. If the Dclist.xml file shows any domain controllers as remaining in the Prepared state,
repeat step 2 in this procedure as many times as necessary until the stopping criterion is
met.
Important
The stopping criterion for the domain rename operation is that every domain
controller in the forest has reached one of the two final states of Done or Error in
the Dclist.xml state file.
Note
Each time that you run it, the rendom /execute command consults the Dclist.xml
state file and skips connecting to the domain controllers that are already in the
Done or Error state. Therefore, no redundant operations are performed if you
repeatedly attempt this command.
If you determine that an error that has caused a domain controller to reach the Error state in the
Dclist.xml file is actually a recoverable error and you think that progress can be made on that
domain controller by trying to run the domain rename instructions again, you can force the
rendom /execute command to run again by issuing the RPC to that domain controller (instead of
skipping it) as described in the following procedure.
To force rendom /execute to reissue the RPC to a domain controller in the Error state
1. On the control station, navigate to the working directory C:\domren, and using a simple
text editor, such as Notepad.exe, open the Dclist.xml file.
2. In the Dclist.xml file, locate the <Retry></Retry> field in the domain controller entry for the
domain controller that you think should be reissued the RPC, and then edit the Dclist.xml
file so that the field reads <Retry>yes</Retry> for that entry.
3. On the control station, click Start, click Run, type cmd, and then click OK.
4. At the command prompt, type the following command to change to the working directory,
and then press ENTER:
C:\domren
5. From within the working directory, type the following command, and then press ENTER:
rendom /execute
Running the rendom /execute command reissues the execute-specific RPC to that
domain controller.
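To apply the stopping criterion and the Retry edit from the two procedures above without reading Dclist.xml by eye, here is an added Python example; it is not part of the Microsoft guide or of the rendom tool. It assumes a layout of <DC> entries with <Name>, <State> and <Retry> children; the guide itself documents only the <Retry></Retry> field and the Prepared, Done and Error states, so the other element names and the sample file are constructed.

```python
"""Inspect and edit a rendom Dclist.xml state file (added example).

Assumed layout: <DcList> containing <DC> entries, each with <Name>, <State>
and <Retry> children. Only <Retry> and the state names come from the guide.
"""
import xml.etree.ElementTree as ET

# The two final states; every DC must reach one of them before the
# execution phase of the domain rename can be declared complete.
FINAL_STATES = {"Done", "Error"}

# Constructed sample state file as it might look after a partial
# rendom /execute run: two DCs finished, one failed, one still Prepared.
SAMPLE_DCLIST = """<?xml version="1.0"?>
<DcList>
  <DC><Name>dc1.cohovineyard.com</Name><State>Done</State><Retry></Retry></DC>
  <DC><Name>dc2.cohovineyard.com</Name><State>Error</State><Retry></Retry></DC>
  <DC><Name>dc3.sales.cohovineyard.com</Name><State>Prepared</State><Retry></Retry></DC>
  <DC><Name>dc4.sales.cohovineyard.com</Name><State>Done</State><Retry></Retry></DC>
</DcList>
"""


def parse_dclist(xml_text):
    """Return {dc_name: state} for every <DC> entry in the state file."""
    root = ET.fromstring(xml_text)
    return {dc.findtext("Name", default="").strip():
            dc.findtext("State", default="").strip()
            for dc in root.iter("DC")}


def stopping_criterion_met(states):
    """True when every DC is Done or Error, i.e. none is left in Prepared."""
    return all(state in FINAL_STATES for state in states.values())


def pending_dcs(states):
    """DCs that the next rendom /execute run will still try to contact."""
    return sorted(name for name, state in states.items()
                  if state not in FINAL_STATES)


def mark_retry(xml_text, dc_name):
    """Set <Retry>yes</Retry> on one Error-state DC so that the next
    rendom /execute reissues the RPC to it instead of skipping it.
    Raises ValueError for a DC that is not in the Error state and
    KeyError for an unknown DC; returns the edited XML text."""
    root = ET.fromstring(xml_text)
    for dc in root.iter("DC"):
        if dc.findtext("Name", default="").strip() != dc_name:
            continue
        if dc.findtext("State", default="").strip() != "Error":
            raise ValueError(f"{dc_name} is not in the Error state")
        retry = dc.find("Retry")
        if retry is None:
            retry = ET.SubElement(dc, "Retry")
        retry.text = "yes"
        return ET.tostring(root, encoding="unicode")
    raise KeyError(dc_name)


def retry_flags(xml_text):
    """Return {dc_name: retry_text} so an edit can be verified."""
    root = ET.fromstring(xml_text)
    return {dc.findtext("Name", default="").strip():
            (dc.findtext("Retry") or "").strip()
            for dc in root.iter("DC")}


if __name__ == "__main__":
    current = parse_dclist(SAMPLE_DCLIST)
    print("stopping criterion met:", stopping_criterion_met(current))
    print("still pending:", pending_dcs(current))
    edited = mark_retry(SAMPLE_DCLIST, "dc2.cohovineyard.com")
    print("retry flags after edit:", retry_flags(edited))
```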
When all the domain controllers are in either the Done or Error state (there should be no domain
controller in the Prepared state), declaring the execution of the domain rename instructions to be
complete is at your discretion. You can continue to retry execution attempts on domain controllers
that are in the Error state if you think that they will eventually succeed. However, when you
declare that the execution of the domain rename instructions is complete and you will not retry
the rendom /execute command, you must remove AD DS from all domain controllers that are still
in the Error state. For detailed step-by-step instructions to remove the AD DS server role, see the
Step-by-Step Guide for Windows Server 2008 Active Directory Domain Services Installation and
Removal (http://go.microsoft.com/fwlink/?LinkID=86716).
Note
The Domain Name System (DNS) host names of the domain controllers in the renamed
domains do not change automatically as a result of the domain rename operation. In
other words, the DNS suffix in the fully qualified DNS host name of a domain controller in
the renamed domain will continue to reflect the old domain name. You can use a special
domain controller rename procedure, which you run as a separate post-domain-rename
task, to change the DNS host name of a domain controller so that it conforms to the DNS
name of the domain to which it is joined. For information about renaming domain
controllers, see Renaming a Domain Controller.
(DCs), and addition or removal of trusts were not allowed within the forest. For more information,
see Freeze the Forest Configuration.
In this procedure, you use the rendom command to unfreeze the forest so that changes that
were not allowed can once again be made.
Important
All the procedures in Run Domain Rename Instructions, including the automatic domain
controller restart, must have been completed on all domain controllers in the renamed
domains.
Membership in the Enterprise Admins group in the target forest (with write access to the
Partitions container object) is the minimum required to complete this procedure. Review details
about using the appropriate accounts and group memberships at
http://go.microsoft.com/fwlink/?LinkId=83477.
Note
You can use credentials other than the credentials with which you are currently logged
on. To use alternative credentials, use the /user and /pwd command-line switches of
Rendom, as described in Appendix A: Command-Line Syntax for the Rendom Tool.
To unfreeze the forest configuration
1. Restart the control station computer twice to ensure that all services that are running on it
learn of the new name (Domain Name System (DNS) name or NetBIOS name) of the
domain of which the control station is a member. Do not restart the control station by
turning its power off and then back on.
2. On the control station, click Start, click Run, type cmd, and then click OK.
3. At the command prompt, type the following command to change to the working directory,
and then press ENTER:
C:\domren
4. From within the working directory, type the following command, and then press ENTER:
rendom /end
The rendom /end command connects to the domain controller that holds the domain
naming operations master role and removes the attribute msDS-UpdateScript on the
Partitions container.
with other forests (including trusts across forests) will not be valid. Therefore, they must be reestablished.
In particular, when a domain in your forest is renamed, the following trust relationships are not
valid:
Any interforest trust relationship that is established at the forest root level (a trust across
forests).
All external trusts from or to the forest in which the domain rename operation occurred must be
deleted and recreated. You can use the Active Directory Domains and Trusts Microsoft
Management Console (MMC) snap-in to delete and recreate all such trust relationships. For more
information, see Administering Domain and Forest Trusts.
All procedures that are described in Run Domain Rename Instructions, including the
automatic domain controller restart, must have been completed on all domain controllers in
the renamed domains.
The domain controller with the primary domain controller (PDC) emulator operations master
role in a renamed domain must have successfully completed the domain rename operation,
and it must have reached the final "Done" state as described in Run Domain Rename
Instructions.
The control station computer must have been restarted twice, as described in Unfreeze the
Forest Configuration.
All member servers in the domain that host Software Distribution Points (network locations
from which users deploy managed software in your environment) must have been restarted
twice, as described in Run Domain Rename Instructions. This prerequisite step is extremely
important and necessary for the Software Installation and Maintenance data fix-up to work
correctly.
Membership in the Enterprise Admins group in the target forest is the minimum required to
complete these procedures. The access check that you perform in this procedure requires that
you have write access to the gpLink attribute on the site, domain, and organizational unit (OU)
objects, as well as write access to the GPOs themselves.
Note
You can use credentials other than the credentials with which you are currently logged
on. To use alternative credentials, use the /user and /pwd command-line switches of
gpfixup, as described in Appendix B: Command-Line Syntax for the Gpfixup Tool.
To fix up GPOs and GPO references
1. On the control station, click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following command to change to the working directory,
and then press ENTER:
C:\domren
3. From within the working directory, type the following command, and then press ENTER.
The entire command must be typed on a single line, although it is shown on multiple lines
for clarity.
gpfixup /olddns:OldDomainDnsName
/newdns:NewDomainDNSName
/oldnb:OldDomainNetBIOSName
/newnb:NewDomainNetBIOSName
/dc:DcDnsName 2>&1 >gpfixup.log
Note
The command-line parameters /oldnb and /newnb are required only if the
NetBIOS name of the domain changed. Otherwise, you can omit these
parameters from the command line for Gpfixup.
The output of the command (both status and error output) is saved to the file Gpfixup.log,
which you can display periodically to monitor the progress of the command.
4. To force replication of the Group Policy fix-up changes that are made at the domain
controller that is named in DcDNSName in step 3 of this procedure to the rest of the domain
controllers in the renamed domain, type the following command, and then press ENTER:
repadmin /syncall /d /e /P /q DcDnsName NewDomainDN
Where:
DcDnsName is the Domain Name System (DNS) host name of the domain controller that was
targeted by the gpfixup command.
NewDomainDN is the distinguished name that corresponds to the new DNS name of the
renamed domain.
5. Repeat steps 2 and 3 in this procedure for every renamed domain. You can enter the
commands in sequence for each renamed domain.
For example, using the sample forest and domain name changes in Specify the New
Forest Description, you run the gpfixup command twice: once for the renamed
cohovineyard.com domain and once for the sales.cohovineyard.com domain, as
indicated in the following example:
gpfixup /olddns:cohovineyard.com
/oldnb:cohovineyard
/newdns:cohowinery.com
/newnb:cohowinery
/dc:dc1.cohovineyard.com
2>&1 >gpfixup1.log
/newdns:sales.cohowinery.com
2>&1 >gpfixup2.log
Important
Run the gpfixup command only once for each renamed domain. Do not run it for
renamed application directory partitions.
Note
The DNS host names for the domain controllers in the renamed domains that are
used in these command invocations still reflect the old DNS name for the
domain. As mentioned earlier, the DNS host name of a domain controller in a
renamed domain does not change automatically as a result of the domain name
change.
Gpfixup parameters listed in the original table (descriptions not recovered):
/olddns:OldDomainDnsName
/newdns:NewDomainDNSName
/oldnb:OldDomainNetBIOSName
/newnb:NewDomainNetBIOSName
Rendom.exe
Exchange-Specific Steps: Verify the Exchange Rename and Update Active Directory Connector
Implicit UPN: If a user account in AD DS does not have an explicitly assigned value for its
UPN attribute, it is assumed to have an implicit UPN for authentication purposes that is based
on the DNS name of the domain in which the account exists. When the DNS name of a
domain changes as a result of the domain rename operation, the implicit UPNs of all user
accounts in the domain also change. Both the old and the new implicit UPN forms will be
accepted for authentication until the attribute cleanup procedures are complete (see Perform
Attribute Cleanup). After the attribute cleanup procedures are complete, only the new implicit
UPN form will be accepted.
Note
This behavior implies that if you want to continue using implicit UPNs for user
accounts, you must reissue all existing authentication certificates after the DNS name
of a domain has changed and before you perform the attribute cleanup procedures.
Explicit UPN: If a user account in AD DS has an explicitly assigned value for its UPN
attribute, it is said to have an explicit UPN that can be used for authentication purposes.
When the DNS name of a domain changes as a result of the domain rename operation, the
explicit UPNs of user accounts in the domain are not affected. Therefore, if you are using
explicit UPNs for user accounts, no maintenance is necessary after the domain rename
operation.
Note
You must perform this procedure for all the CAs in your domain. Also note that the
container name depends on your domain configuration.
You must also change the registry on the CA computer to reflect the new DNS name for the
CA computer.
Caution
Incorrectly editing the registry may severely damage your system. Before making
changes to the registry, you should back up any valued data on the computer.
Membership in Account Operators, Domain Admins, or Enterprise Admins, or equivalent,
is the minimum required to complete this procedure. Review details about using the
appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To update the DNS name of the CA computer
1. On the CA computer, click Start, click Run, type regedit to open the Registry Editor,
and then locate the entry CAServerName under
HKLM\System\CurrentControlSet\CertSvc\Configuration\YourCAName.
2. Change the value in CAServerName to correspond to the new DNS host name.
To enable proper Web enrollment for the user, you must also update the file that is used by
the Active Server Pages (ASPs) for Web enrollment. The following change must be made on
all the CA computers in your domain.
Membership in Account Operators, Domain Admins, or Enterprise Admins, or equivalent,
is the minimum required to complete this procedure. Review details about using the
appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To update the Web enrollment file
1. On the CA computer, search for the Certdat.inc file. If you have used default
installation settings, this file should be located in %windir%\system32\certsrv
directory.
2. Open the file, which appears as follows:
<%' CODEPAGE=65001 'UTF-8%>
<%' certdat.inc - (CERT)srv web - global (DAT)a
' Copyright (C) Microsoft Corporation, 1998 - 1999 %>
<%' default values for the certificate request
sDefaultCompany=""
sDefaultOrgUnit=""
sDefaultLocality=""
sDefaultState=""
sDefaultCountry=""
sServerConfig="OLDDNSNAME\YourCAName"
sServerDisplayName="YourCAName"
nPendingTimeoutDays=10
If the CA was installed with the shared folder option (which is available only if the server was
upgraded to Windows Server 2008 from Windows Server 2003), the file Certsrv.txt (under the
shared folder) should be edited to reflect the new DNS name of the CA computer. Save a
copy of this file before you edit it, open the file by using Notepad.exe, make the change to the
DNS name of the CA computer, and then save the file.
If you have a Web proxy computer (for CA Web pages) whose DNS host name changed as a
result of the domain rename operation, you have to make changes to the following registry
key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
Under this key there is a value named WebClientCAMachine that holds the DNS name of
the CA computer. Change this value to correspond to the new DNS name.
On all computers where Web pages for the CA reside (for example, on the Web proxy and
the CA computers) there is a file named nsrev_CANAME.asp that contains the DNS host
name of the CA computer that is used by the Netscape revocation checking mechanism.
Search for this file, and change the DNS host name of the CA computer that is embedded in
the file.
If you have used the default installation settings, this file will be in the folder
%Windir%\system32\certsrv\certenroll and its content looks like the following.
<%
Response.ContentType = "application/x-netscape-revocation"
serialnumber = Request.QueryString
set Admin = Server.CreateObject("CertificateAuthority.Admin")
stat = Admin.IsValidCertificate("CAMachineDnsHostname\CANAME", serialnumber)
if stat = 3 then Response.Write("0") else Response.Write("1") end if
%>
Open this file with Notepad.exe, and change CAMachineDnsHostName to correspond to the
new DNS host name.
New Forest Description), you have to publish service connection points in Active Directory
Domain Services (AD DS) for the new name of the application directory partition so that TAPI
clients can locate it. At the same time, you can remove the service connection points for the
old name of the application directory partition.
For example, suppose that you had a TAPI-specific application partition named
mstapi.cohovineyard.com that was configured for the domain cohovineyard.com. As a result
of the Domain Name System (DNS) name of the domain changing to cohowinery.com, you
renamed the corresponding application directory partition to mstapi.cohowinery.com during
the domain rename operation.
You should now remove the service connection point for the old application directory partition
name mstapi.cohovineyard.com by running the following command from a command prompt
on the control station computer:
tapicfg removescp /directory:mstapi.cohovineyard.com /domain:cohowinery.com
Then, publish a service connection point for the new application directory partition name
mstapi.cohowinery.com by running the following command from a command prompt on the
control station:
tapicfg publishscp /directory:mstapi.cohowinery.com /domain:cohowinery.com
/forcedefault
After you complete all the procedures in Run Domain Rename Instructions (the domain
rename instructions have all been followed and domain controllers have restarted in a
renamed domain), expire all user passwords by changing the domain password policy in the
renamed domain.
Send out e-mail that warns users that they must change their passwords immediately
after they reboot their computers twice (as described in Restart Member Computers).
Users change their passwords by pressing Ctrl+Alt+Del.
Active Directory Domains and Trusts snap-in to remove these redundant trust relationships
after the domain rename operation is complete. For more information, see Active Directory
Domains and Trusts (http://go.microsoft.com/fwlink/?LinkId=124088).
Fix Start menu shortcuts for Domain Security Policy and Domain Controller Security
Policy Microsoft Management Console (MMC) snap-ins.
Remove the Group Policy to set primary DNS suffix of member computers in renamed
domains.
If you followed the recommendations to avoid excess replication due to member computers
being renamed in a large domain, as described in "Configuring Member Computers for Host
Name Changes in Large Deployments" in Configure Member Computers for Host Name
Changes, you might have configured and applied a Group Policy setting Primary DNS Suffix
to member computers in your renamed domains. Because the intended purpose of this Group
Policy setting has now been served, it can be removed. To remove this Group Policy setting,
follow steps 1 through 5 of the procedure "Apply Group Policy to Set the Primary DNS Suffix"
in Configure Member Computers for Host Name Changes, click Disabled, and then click OK.
As a result of the domain DNS name changes that occurred during the domain rename
operation, some of the DNS zones in your DNS infrastructure might no longer be necessary.
For example, if there was a DNS zone with a name that matched the old DNS name of a
renamed domain, there might be no more DNS resource records (service (SRV), host (A),
and pointer (PTR) resource records) with the old domain suffix that have to be registered with
DNS. In this case, you can remove these DNS zones that are no longer necessary.
Back up GPOs
If you use Group Policy, consider installing the Group Policy Management Console (GPMC).
For more information, see GPMC (http://go.microsoft.com/fwlink/?LinkID=123307). GPMC
makes Group Policy easier to use, and it adds functional improvements such as the ability to
back up GPOs independently of the rest of Active Directory Domain Services (AD DS). GPOs
that you back up with GPMC before the domain rename operation cannot be restored after
domain rename. Therefore, we recommend that after a domain rename operation, you use
GPMC to back up all the GPOs again.
Note
Saved GPMCs for a domain will no longer work after you rename a domain. If you
want to use saved GPMCs, you have to re-create them after the domain rename
operation.
Important
When the member computers are restarted, their Domain Name System (DNS) host
names will also change after the restart as a result of the fact that their primary DNS
suffix changes as a result of the name change of the domain of which they are members.
The primary DNS suffix of a member computer in an Active Directory domain is, by
default, configured to change automatically when domain membership of the computer
changes. If you have very large domains whose DNS name was changed by the domain
rename operation and these domains have a large number of member computers, you
might observe a large replication storm and a surge in network traffic as a result of the
member computer restarts. For information about how to avoid excess replication under
these conditions, see Configure Member Computers for Host Name Changes.
Perform the following tasks after the domain rename operation:
Unjoin and then join any remote computers that connect to the renamed domain
through a remote connection, such as dial-up and virtual private network (VPN).
If there are any remote computers that are members of a renamed domain that connect to the
domain through remote connection mechanisms such as dial-up lines or VPNs, you will have to
unjoin each member computer from the old domain name and then rejoin it to the new
domain name.
2. At the command prompt, type the following command to change to the working directory,
and then press ENTER:
C:\domren
3. From within the working directory, type the following command, and then press ENTER:
rendom /clean
The rendom /clean command removes the values for the msDS-DnsRootAlias and
msDS-UpdateScript attributes from AD DS by connecting to the domain controller that
has the domain naming operations master role.
After the steps in this procedure are complete, the new forest is ready for another domain rename
(or forest restructuring) operation, if necessary.
Rendom parameters listed in the original table (descriptions not recovered):
/?
/dc:{DCNAME | DOMAIN}
/pwd:{PASSWORD | *}
/list
/upload
/execute
/clean
/showforest
/statefile:STATEFILE
/logfile:LOGFILE
Gpfixup parameters listed in the original table (descriptions not recovered):
/?
/v
/olddns:OLDDNSNAME
/newdns:NEWDNSNAME
/oldnb:OLDFLATNAME
/newnb:NEWFLATNAME
/sionly
/dc:DCNAME
/pwd:{PASSWORD | *}
Task / Reference checklist (recovered from the flattened table)
Exchange 2003, Exchange 2000, or Exchange 5.5: The domain rename operation is not supported
in an Active Directory forest that contains Exchange Server 2003, Exchange 2000, or
Exchange 5.5 servers. If the domain rename tool detects Exchange 2000 servers, the tool will not
proceed. The domain rename tool will not detect whether Exchange 5.5 servers exist. Therefore,
do not attempt the domain rename operation if the forest contains Exchange 5.5 servers.
Note
You can rename domains only in a forest in which all of the domain controllers are running
Windows Server 2008 Standard or Windows Server 2003 Standard Edition, Windows Server 2008
Enterprise or Windows Server 2003 Enterprise Edition, or Windows Server 2008 Datacenter or
Windows Server 2003 Datacenter Edition operating
Configure Member Computers for Host Name Changes
Prepare Certification Authorities
Prepare a domain that contains Exchange. Reference: Exchange-Specific Steps: Prepare a
Domain that Contains Exchange
Exchange-Specific Steps: Update the Exchange Configuration and Restart Exchange Servers
Note
This is an optional, Exchange-specific task.
Unfreeze the forest configuration.
Re-establish external trusts.
Fix Group Policy objects (GPOs) and links.
Exchange-Specific Steps: Verify the Exchange Rename and Update Active Directory Connector
This is an optional, Exchange-specific step.
Perform attribute cleanup.
Worksheet, trusts (columns; rows 1 to 5 are blank for you to fill in): Trusted domain name,
domain name, Trust direction, Trust type, Date created/removed, Add/remove, Completed?,
Date/time
Worksheet, DFSN paths, Group Policy, redirection and roaming profiles (columns; rows 1 to 5 are
blank): Old domain name, New domain, Server share DFSN path, Group Policy DFSN path
updated? Date/time?, DFSN fixed? Date/time?, redirection and roaming profiles Date/time?
Worksheet, domain controllers (columns; rows 1 to 5 are blank): Domain name, DC, IP address,
FSMO roles held by DC, CRL expiry, Execute successfully?, Automatic restart?, Dcdiag notes,
Run Dcdiag?, Backed up?, partition
Worksheet, certification authorities (columns; rows 1 to 5 are blank): Old DNS name of CA, New
DNS name of CA, Alias created? Date/time, Certificate enrollment enabled?, CDP and AIA
extensions flexible?, Subordinate and issuing CA certs renewed?, Group Policy updated?
Additional Resources
For general information about how Active Directory Domain Services (AD DS) works and how to
deploy, manage, and troubleshoot AD DS, see the following resources:
For specific information about troubleshooting Active Directory problems, see the following
resources:
Troubleshooting: AD DS (http://go.microsoft.com/fwlink/?LinkId=122878)
For development information about Active Directory, see the following resources:
Request for Comments (RFC) Pages and Internet-Drafts on the Internet Engineering Task
Force Web site (http://go.microsoft.com/fwlink/?LinkID=121)