Active Directory POG[1]


  • 8/12/2019 Active Directory POG[1]


Active Directory Product Operations Guide

    Managing the Windows Server Platform


    iii Managing the Windows Server Platform

Contents

Introduction to Product Operations Guide ... 1
  Document Purpose ... 1
  Intended Audience ... 1
  How to Use This Guide ... 1
  Background ... 2

High-Level Processes for Maintaining Active Directory ... 5
  Overview ... 5
  Technology Required ... 6
  Maintenance Processes Checklist ... 9
    Operating Quadrant ... 9
    Supporting Quadrant ... 11
    Optimizing Quadrant ... 12
    Changing Quadrant ... 14

Detailed Maintenance Actions ... 17
  Overview ... 17
  Process: Back up Active Directory ... 18
    Task: Back up Active Directory and associated components ... 21
  Process: Non-authoritative restore of Active Directory ... 22
    Task: Perform a non-authoritative restore of a domain controller ... 22
    Task: Restore a domain controller through reinstallation and subsequent restore from backup ... 23
  Process: Authoritative restore for Active Directory objects ... 24
    Task: Perform an authoritative restore of one or more directory objects ... 25
    Task: Perform an authoritative restore of an application partition ... 27
    Task: Perform an authoritative restore of Group Policy ... 27
  Process: Recovering a domain controller through reinstallation ... 29
    Task: Recovering a domain controller through reinstallation ... 29
  Process: Installing a domain controller for an existing domain ... 31
    Task: Preparing for Active Directory installation ... 32
    Task: Install Active Directory ... 34
    Task: Install Active Directory from media ... 34
    Task: Unattended install of Active Directory ... 35
    Task: Verify Active Directory installation ... 35
  Process: Removing Active Directory ... 37
    Task: Decommission the domain controller ... 38
    Task: Forced removal of a domain controller ... 39
  Process: Rename a domain controller ... 41
    Task: Rename using the System Properties user interface ... 41
    Task: Rename using the Netdom command-line tool ... 42
  Process: Manage the Active Directory database ... 43
    Task: Relocate Active Directory database files ... 44
    Task: Returning unused disk space from the Active Directory database to the file system ... 46
  Process: Managing the SYSVOL ... 48
    Task: Changing the space allocated to the staging area ... 50
    Task: Relocate the staging area ... 50
    Task: Relocating SYSVOL manually ... 51
    Task: Updating the system volume path ... 53
    Task: Restoring and rebuilding SYSVOL ... 53
  Process: Manage the Windows Time service ... 55
    Task: Configuring a time source for the forest ... 56
    Task: Configuring a reliable time source on a computer other than the PDC emulator ... 57
    Task: Configuring a client to request time from a specific time source ... 57


    Task: Optimizing the polling interval ... 58
    Task: Disabling the Windows Time service ... 58
  Process: Managing trusts ... 59
    Task: Creating external trusts ... 60
    Task: Creating shortcut trusts ... 61
    Task: Removing manually created trusts ... 62
    Task: Preventing unauthorized privilege escalation ... 62
    Task: Creating cross-forest trusts ... 63
    Task: Managing selective authentication on a cross-forest trust ... 64
    Task: Removing the forest trust ... 64
  Process: Managing sites ... 65
    Task: Adding a new site ... 66
    Task: Adding a subnet to the network ... 67
    Task: Linking sites for replication ... 68
    Task: Changing site link properties ... 68
    Task: Moving a domain controller to a different site ... 69
    Task: Removing a site ... 71
  Process: Manage antivirus software on domain controllers ... 74
    Task: Exclude files not at risk of infection ... 74
    Task: Install software ... 76
  Process: Add a global catalog ... 77
    Task: Add the global catalog to a domain controller ... 78
    Task: Verify the global catalog readiness ... 80
  Process: Removing the global catalog from a domain controller ... 81
    Task: Remove a global catalog ... 81
  Process: Identify global catalog servers in a site ... 82
    Task: Identifying a global catalog server ... 82
    Task: Identifying a site that has no global catalog servers ... 82
    Task: Identifying sites that have universal group caching enabled ... 82
  Process: Move an operations master role ... 83
    Task: Designating a domain controller for an operations master role ... 88
    Task: Verifying the transfer of an operations master role ... 89
  Process: Reduce the workload on the PDC emulator ... 90
    Task: Adjusting the DNS weight setting ... 90
    Task: Adjusting the DNS priority registry setting ... 91
  Process: Transferring a role holder ... 92
    Task: Transfer to the standby operations master role ... 93
    Task: Transfer an operations master role when no standby is ready ... 93
  Process: Seize an operations master role ... 95
    Task: Seizing an operations master role ... 97
  Process: Choose a standby operations master ... 99
    Task: Choosing a standby operations master ... 100

Processes by MOF Role Clusters ... 103
  Operations Role Cluster ... 103
  Support Role Cluster ... 104
  Release Role Cluster ... 104
  Infrastructure Role Cluster ... 105
  Security Role Cluster ... 106
  Partner Role Cluster ... 106

Appendix ... 107
  Procedure Details ... 107


Contributors

Program Manager
Jeff Yuhas, Microsoft Corporation
Chris Macaulay, Microsoft Corporation

Lead Contributors
Nigel Cain, Microsoft Corporation
Arren Conner, Microsoft Corporation
Dmitry Dukat, Microsoft Corporation
Levon Esibov, Microsoft Corporation
Khushru Irani, Microsoft Corporation
Kamal Janardhan, Microsoft Corporation
Gregory Johnson, Microsoft Corporation
William Lees, Microsoft Corporation
Andreas Luther, Microsoft Corporation
Kevin Sims, Microsoft Corporation
Jeromy Statia, Microsoft Corporation

Test Manager
Greg Gicewicz, Microsoft Corporation

QA Manager
Jim Ptaszynski, Microsoft Corporation

Lead Technical Writer
Jerry Dyer, Microsoft Corporation

Lead Technical Editor
Laurie Dunham, Microsoft Corporation

Technical Editor
Patricia Rytkonen, Volt Technical Services

Production Editor
Kevin Klein, Volt Technical Services


1 Introduction to Product Operations Guide

    Document Purpose

This guide describes processes and procedures for improving the management of Microsoft Active Directory directory service in an information technology (IT) infrastructure.

Intended Audience

This material should be useful for anyone planning to deploy this product into an existing IT infrastructure, especially one based on the IT Infrastructure Library (ITIL), a comprehensive set of best practices for IT service management, and Microsoft Operations Framework (MOF). It is aimed primarily at two main groups: IT managers and IT support staff (including analysts and service-desk specialists).

How to Use This Guide

This guide is divided into five chapters. The first chapter provides basic background information. The second chapter provides a high-level checklist of the processes required for maintaining this product. The third chapter takes a more detailed look at the processes described in the maintenance chapter and maps them to the tasks and procedures that make up each process. The fourth chapter organizes processes by the role responsible for each process. The fifth chapter contains an appendix with procedure details, including requirements and steps.

The guide may be read as a single volume, including the detailed maintenance and troubleshooting sections. Reading the document this way will provide the necessary context so that later material can be understood more readily. However, some people will prefer to use the document as a reference, only looking up information as they need it.


Background

This guide is based on Microsoft Solutions for Management (MSM). MSM provides a combination of best practices, best-practice implementation services, and best-practice automation, all of which help customers achieve operational excellence as demonstrated by high quality of service, industry reliability, availability, security, and low total cost of ownership (TCO).

These MSM best practices are based on MOF, a structured, yet flexible approach centered on ITIL. MOF includes guidelines on how to plan, deploy, and maintain IT operational processes in support of mission-critical service solutions.

Central to MOF and to understanding the structure of this guide are the MOF Process and Team Models. The Process Model and its underlying service management functions (SMFs) are the foundation for the process-based approach that this guide recommends for maintaining a product. The Team Model and its role clusters offer guidance for how to ensure the proper people are assigned to operational roles.

Figure 1 shows the MOF Process Model combined with the SMFs that make up each quadrant of the Process Model.

    Figure 1 MOF Process Model and SMFs


Figure 2 shows the MOF Team Model, along with some of the many functional roles or function teams that might exist in service-management organizations. Those roles and function teams are shown mapped to the MOF role cluster to which they would likely belong.

Figure 2 MOF Team Model and examples of functional roles or teams

(Figure image not included; the role clusters and the example functional roles or teams shown in it are listed below.)

Release: change management; release/systems engineering; configuration control/asset management; software distribution/licensing; quality assurance

Operations: messaging operations; database operations; network administration; monitoring/metrics; availability management

Security: intellectual property protection; network and system security; intrusion detection; virus protection; audit and compliance administration; contingency planning

Partner: maintenance vendors; environment support; managed services, outsourcers, trading partners; software/hardware suppliers

Infrastructure: enterprise architecture; infrastructure engineering; capacity management; cost/IT budget management; resource and long-range planning

Support: service desk/help desk; production/production support; problem management; service level management


The MOF Team Model is built on six quality goals, which are described and matched with the applicable team role cluster in Table 1.

Table 1. MOF Team Model Quality Goals and Role Clusters

Quality Goal | Team Role Cluster
Effective release and change management. Accurate inventory tracking of all IT services and systems. | Release
Management of physical environments and infrastructure tools. | Infrastructure
Quality customer support and a service culture. | Support
Predictable, repeatable, and automated system management. | Operations
Mutually beneficial relationships with service and supply partners. | Partner
Protected corporate assets, controlled authorization, and proactive security planning. | Security

Further information about MSM and MOF is available at http://www.microsoft.com/solutions/msm/techinfo/default.asp, or search for the topic on TechNet at http://www.microsoft.com/technet/default.asp. You can also contact your local Microsoft or partner representative.


2 High-Level Processes for Maintaining Active Directory

    Overview

Every company consists of employees (people), activities that those employees perform (processes), and tools that help them perform those activities (technology). No matter what the business, it most likely consists of people, processes, and technology working together to achieve a common goal. Table 2 illustrates this point.

Table 2. People, Processes, and Technology Working Together

Area | People | Process | Technology
Auto repair industry | Mechanic | Repair manual | Socket set
Software development industry | Programmer | Project plan | Compiler; debugger
IT operations | IT technician | Microsoft Operations Framework | Microsoft Active Directory

The focus of this product operations guide is Active Directory directory service, the directory service for the Microsoft Windows Server 2003 family. Active Directory stores information about objects on the network; its logical, hierarchical organization of directory information makes it easy for administrators and users to find this information. Windows Server 2003 brings many improvements to Active Directory, making it more versatile, dependable, and economical to use. In Windows Server 2003, Active Directory provides increased performance and scalability. It also allows you greater flexibility for designing, deploying, and managing an organization's directory.


Technology Required

Table 3 lists the tools or technologies used in the processes, and their subordinate tasks and procedures, described in this guide. All tools should be accessed from a Windows Server 2003 server console, except in those cases where a link is provided.

Table 3. Tools or Technologies Required to Manage Active Directory

Each entry gives the required technology, its description, and its location.

Backup utility
  Description: Performs backup and restore operations. It is automatically installed with Windows Server 2003. In Windows Server 2003, the backup utility is Backup.exe. The wizard, or basic mode, is called Backup or Restore Wizard; in advanced mode, it is called Backup Utility.
  Location: Start > All Programs > Accessories > System Tools > Backup. Or, to open the Backup tool using the command line: Start > Run. In the Open box, type ntbackup and then click OK.

DNS Manager
  Description: Used for modifying DNS parameters. These centralized management and monitoring tools can be found either in Administrative Tools after initial installation of the DNS service, or through Adminpak.msi.
  Location: Start > Control Panel > Administrative Tools. Or, to open DNS Manager using the command line, type: %systemroot%\System32\dnsmgmt.msc

Active Directory Domains and Trusts Microsoft Management Console snap-in
  Description: Used for modifying Active Directory domains and trusts. These centralized management and monitoring tools can be found either in Administrative Tools after initial installation of Active Directory, or through Adminpak.msi.
  Location: Start > Control Panel > Administrative Tools. Or, to open the MMC snap-in using the command line, type: %systemroot%\System32\domain.msc

Active Directory Installation Wizard
  Description: Used to promote or demote a domain controller.
  Location: Start > Run > dcpromo

Active Directory Schema snap-in
  Description: Used for modifying the Active Directory schema. This tool does not appear by default in Administrative Tools.
  Location: Open the MMC snap-in using the command line; type: %systemroot%\System32\schmmgmt.msc


Active Directory Sites and Services MMC snap-in
  Description: Used for modifying Active Directory sites and services. This centralized management and monitoring tool can be found either in Administrative Tools after initial installation of Active Directory, or through Adminpak.msi.
  Location: Start > Control Panel > Administrative Tools. Or, to open the MMC snap-in using the command line, type: %systemroot%\System32\dssite.msc

Active Directory Users and Computers MMC snap-in
  Description: Used for modifying Active Directory users and computers. These centralized management and monitoring tools can be found either in Administrative Tools after initial installation of Active Directory, or through Adminpak.msi.
  Location: Start > Control Panel > Administrative Tools. Or, to open the MMC snap-in using the command line, type: %systemroot%\System32\dsa.msc

ADSI Edit MMC snap-in
  Description: Used for editing Active Directory to add, delete, or move objects within the directory. This centralized management and monitoring tool can be found either in Administrative Tools after initial installation of Active Directory, or through Adminpak.msi.
  Location: Open the MMC snap-in using the command line; type: %systemroot%\System32\adsiedit.msc

Dcdiag.exe
  Description: This command-line tool analyzes the state of domain controllers in the forest or enterprise and reports any problems to assist in troubleshooting.
  Location: Start > Run > dcdiag.exe

Event Viewer
  Description: Provides logs for transactional reactive reviews of system and service events. It is automatically installed with Windows Server 2003.
  Location: Start > Control Panel > Administrative Tools > Event Viewer. Or, to open Event Viewer using the command line: Start > Run. In the Open box, type eventvwr.msc and then click OK.

Ldp.exe
  Description: Used to connect, bind, search, modify, add, and delete against any LDAP-compatible directory such as Active Directory. Used to view objects stored in Active Directory along with their metadata.
  Location: Start > Run. In the Open box, type ldp.exe and then click OK.


Net.exe
  Description: A set of commands for a variety of tasks, such as managing user accounts and computer accounts, sending messages, and managing shared resources.
  Location: Start > Run > cmd. At the command prompt, type net to see options.

Netdiag.exe
  Description: Helps isolate networking and connectivity problems by performing a series of tests to determine the state of the network client.
  Location: Start > Run > cmd. At the command prompt, type netdiag /? to see options.

Netdom.exe
  Description: Enables administrators to manage Windows 2000 and Windows Server 2003 domains and trust relationships from the command line.
  Location: Start > Run > cmd. At the command prompt, type netdom /? to see options.

Nltest.exe
  Description: Helps you get a list of domain controllers, force a remote shutdown, and query the status of trust relationships.
  Location: Start > Run > cmd. At the command prompt, type nltest /? to see options.

Ntdsutil.exe
  Description: Used to perform database maintenance of Active Directory, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled.
  Location: Start > Run > cmd. At the command prompt, type ntdsutil /? to see options.

Registry Editor
  Description: Enables you to view and change settings within the registry.
  Location: Start > Run > regedit

Repadmin.exe
  Description: Command-line tool that helps administrators diagnose replication problems between domain controllers.
  Location: Start > Run > cmd. At the command prompt, type repadmin /? to see options.

Secedit.exe
  Description: Configures and analyzes system security by comparing the current configuration with at least one security template.
  Location: Start > Run > cmd. At the command prompt, type secedit /? to see options.

Services snap-in
  Description: MMC snap-in that allows you to start, stop, or restart Windows services.
  Location: Start > Run > MMC > Services.msc

Ultrasound
  Description: A tool that allows administrators to monitor the health of the File Replication Service (FRS).
  Location: See www.microsoft.com for more information on the Ultrasound utility.


W32tm.exe
  Description: A tool used to diagnose problems having to do with Windows time.
  Location: Start > Run > cmd. At the command prompt, type w32tm /? to see options.

Maintenance Processes Checklist

The following tables provide a quick reference for those product maintenance processes that need to be performed on a regular basis. These tables represent a summary of the processes, and their subordinate tasks and procedures, described in more detail in subsequent chapters of this guide. They are limited to those processes required for maintaining the product.

Only the pertinent MOF quadrants and SMFs are addressed in this chapter. For example, there are no processes that fall within the Supporting Quadrant. There is a placeholder for the Supporting Quadrant, but no tables.

Also, because all of the Active Directory maintenance processes addressed here fall into the as-needed category, the daily, weekly, and monthly portions of the tables are blank. Only the portion of each table that has associated processes is filled in.

Each listed process is linked to a detailed explanation of the process in the following chapter.

    Operating Quadrant

The processes for this section are based on the service management functions that make up the MOF Operating Quadrant. Further information on the MOF Process Model and the MOF SMFs is available at http://www.microsoft.com/solutions/msm and http://www.microsoft.com/mof.


System Administration SMF

Daily Processes

Process Name | Related SMF | MOF Role Cluster
Back up Active Directory | | Operations

Weekly Processes

Process Name | Related SMF | MOF Role Cluster
There are no weekly processes for this SMF.

Monthly Processes

Process Name | Related SMF | MOF Role Cluster
There are no monthly processes for this SMF.

As-Needed Processes

Process Name | Related SMF | MOF Role Cluster
Restore Active Directory | | Operations
Rename a domain controller | | Operations
Transferring a role holder | | Infrastructure
Seize an operations master role | | Infrastructure
Choose a standby operations master | | Infrastructure
Managing the SYSVOL | | Infrastructure
Managing sites | | Infrastructure
Authoritative restore for Active Directory objects | | Operations
Recovering a domain controller through reinstallation | | Operations
Move an operations master role | | Infrastructure


Security Administration SMF

Daily Processes

Process Name | Related SMFs | MOF Role Cluster
There are no daily processes for this SMF.

Weekly Processes

Process Name | Related SMFs | MOF Role Cluster
There are no weekly processes for this SMF.

Monthly Processes

Process Name | Related SMFs | MOF Role Cluster
There are no monthly processes for this SMF.

As-Needed Processes

Process Name | Related SMFs | MOF Role Cluster
Manage antivirus software on domain controllers | | Security

Supporting Quadrant

There are no Active Directory processes that fall within the MOF Supporting Quadrant and its SMFs.


    Optimizing Quadrant

    The tasks for this section are based on the SMFs that make up the MOF Optimizing Quadrant.

    Availability Management SMF

    Daily Processes

    Process Name                                            Related SMFs   MOF Role Cluster
    There are no daily processes for this SMF.

    Weekly Processes

    Process Name                                            Related SMFs   MOF Role Cluster
    There are no weekly processes for this SMF.

    Monthly Processes

    Process Name                                            Related SMFs   MOF Role Cluster
    There are no monthly processes for this SMF.

    As-Needed Processes

    Process Name                                            Related SMFs   MOF Role Cluster
    Manage the Active Directory database                                   Infrastructure
    Add a global catalog                                                   Infrastructure
    Manage the Windows Time service                                        Infrastructure
    Managing trusts                                                        Infrastructure


    Capacity Management SMF

    Daily Processes

    Process Name                                            Related SMFs   MOF Role Cluster
    There are no daily processes for this SMF.

    Weekly Processes

    Process Name                                            Related SMFs   MOF Role Cluster
    There are no weekly processes for this SMF.

    Monthly Processes

    Process Name                                            Related SMFs   MOF Role Cluster
    There are no monthly processes for this SMF.

    As-Needed Processes

    Process Name                                            Related SMFs   MOF Role Cluster
    Removing the global catalog from a domain controller                   Infrastructure
    Identify global catalog servers in a site                              Infrastructure
    Reduce the workload on the PDC emulator                                Infrastructure


    Changing Quadrant

    The processes for this section are based on the SMFs that make up the MOF Changing Quadrant.

    Release Management SMF

    Daily Processes

    Process Name                                            Related SMFs   MOF Role Cluster
    There are no daily processes for this SMF.

    Weekly Processes

    Process Name                                            Related SMFs   MOF Role Cluster
    There are no weekly processes for this SMF.

    Monthly Processes

    Process Name                                            Related SMFs   MOF Role Cluster
    There are no monthly processes for this SMF.

    As-Needed Processes

    Process Name                                            Related SMFs   MOF Role Cluster
    Installing a domain controller for an existing domain                  Release


    3 Detailed Maintenance Actions

    Overview

    This chapter provides detailed information about the processes that must be performed in order to maintain Active Directory. These processes are arranged according to the MOF quadrant to which they belong and, within each quadrant, by the MOF service management functions (SMFs) that make up that quadrant.

    Those quadrants are:

    - Operating Quadrant
    - Supporting Quadrant
    - Optimizing Quadrant
    - Changing Quadrant

    Further information about the MOF Process Model and the MOF SMF guides is available at http://www.microsoft.com/solutions/msm . Further information about the MOF Team Model and role clusters is available at http://www.microsoft.com/mof .


    Operating Quadrant    System Administration SMF
    Operations Role Cluster    Daily

    Process: Back up Active Directory

    Description

    Active Directory is backed up as part of Microsoft Windows system state, a collection of system components that depend on each other. All system state components must be backed up and restored together.

    The system state components on a domain controller include:

    - System start-up (boot) files. These are the files required for Windows Server 2003 to start.
    - System registry.
    - Class registration database of component services. The Component Object Model (COM) is a binary standard for writing component software in a distributed systems environment.
    - System volume (SYSVOL). SYSVOL provides a default Active Directory location for files that must be shared for common access throughout a domain. The SYSVOL folder on a domain controller contains:
      - Net Logon shared folders. These usually host user logon scripts and Group Policy objects (GPOs) for network clients that are not running Windows 2003-based computers.
      - User logon scripts for Active Directory-enabled clients.
      - Windows 2003 GPOs.
      - File system junctions.
      - File Replication service (FRS) staging directories and files that are required to be available and synchronized between domain controllers.
    - Active Directory, including:
      - The Active Directory database (Ntds.dit)
      - The checkpoint file (Edb.chk)
      - The transaction logs, each 10 megabytes (MB) in size (Edb*.log)
      - Reserved transaction logs (Res1.log and Res2.log)

    If you use Active Directory-integrated Domain Name System (DNS), be sure that you back up a domain controller that is hosting DNS. If you do not use Active Directory-integrated DNS, you must explicitly back up the zone files. However, if you back up the system disk along with the system state, zone data is backed up as part of the system disk.

    If you installed Windows Clustering or Certificate Services on your domain controller, they are also backed up as part of system state. Details of these components are not discussed in this guide.


    Purpose

    There are several reasons why a current, verified, and reliable backup is needed:

    - To restore Active Directory data that becomes lost or corrupted. Using an authoritative restore process, you can restore individual objects or sets of objects from their deleted state.
    - To recover a domain controller that cannot boot normally because of software or hardware failure.
    - To perform a forest recovery in the event that forest-wide corruption occurs.
    - To perform an install from media operation. This new feature in Windows Server 2003 allows you to promote a new domain controller and populate it with current information from a local source, rather than having to wait for a full sync replication over potentially much slower media (for example, a 56K connection).

    Guidelines

    Although the Backup tool in Windows Server 2003 supports multiple types of backup (normal, copy, incremental, differential, and daily), the only type of backup available and supported for Active Directory is normal, because Active Directory is backed up as part of system state. A normal backup creates a backup of the entire system state while the domain controller is online.

    If you do not use Active Directory-integrated DNS zones, you should include the file paths that contain all of your DNS zone files in the backup, in addition to the system state and/or system disk, to ensure a successful recovery.

    Which domain controllers to back up

    For every Active Directory domain, you can define a backup set composed of the physical domain controllers that would be required to successfully restore the domain. The collection of domain backup sets ensures that a forest restore operation can be performed.

    At a minimum, the backup set consists of two or more domain controllers for each domain and at least one domain controller that is a member of an application partition replica set.

    The backup set must contain a system state and a system disk backup for each computer in the set, and a global catalog.

    If you are using Active Directory-integrated DNS, it would be useful to back up at least one DNS server.

    Note A backup can only be used to restore the domain controller that the backup was generated from. It cannot be used to restore a different domain controller or this domain controller onto different hardware.


    When to back up Active Directory

    At a minimum, each domain controller in the backup set must be backed up at least twice within the tombstone lifetime. By default, the tombstone lifetime is 60 days, which places the requirement of a backup for each domain controller in the backup set every 30 days.

    While monthly backup operations are adequate for successful disaster recovery, they do not facilitate the recovery of new information since the last backup. You will need to consider these changes when you are planning backup frequency. The frequency of backups is dictated both by business requirements and technical requirements and should be adjusted according to your deployment's needs.

    By default, machine accounts change their passwords every 30 days. Therefore, domain controllers will also change their machine account passwords every 30 days. If you were to restore a domain controller with an old password, it could result in that domain controller being unable to replicate with its partners. Therefore, to minimize the effect of restoring a domain controller with an old password, you should perform a backup more than once every 30 days.

    In addition to regular backup requirements, an immediate backup should be taken when:

    - The storage location of the database (Ntds.dit) or log files is changed.
    - A domain controller is upgraded from Windows 2000 Server to Windows Server 2003, or any further operating system upgrade is performed.
    - A current backup is required for an install from media operation for a new domain controller.
    - The tombstone lifetime is changed.

    Note A backup from a Windows 2000 Server cannot be used to restore a domain controller running Windows Server 2003.

    Active Directory protects itself from restoring data older than the tombstone lifetime by disallowing the restore. As a result, the useful life of a backup is equivalent to the tombstone lifetime setting for the enterprise.
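The backup-set composition rules ("Which domain controllers to back up") and the cadence rules above, turned into a checker as an added example in Python; this is not code from the original guide. It flags backups the tombstone lifetime has already made unusable, backup sets that fall short of the minimum composition, and latest backups older than the machine account password age. The domain names, DC names and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Defaults as stated in the guide: 60-day tombstone lifetime and 30-day
# machine account password age.
DEFAULT_TOMBSTONE_LIFETIME_DAYS = 60
MACHINE_PASSWORD_AGE_DAYS = 30
DEMO_TODAY = date(2004, 3, 1)  # constructed reference date for the demo


@dataclass
class DomainController:
    """One member of a domain's backup set (constructed sample data below)."""
    name: str
    domain: str
    is_global_catalog: bool = False
    is_dns_server: bool = False
    in_app_partition_replica_set: bool = False
    backup_dates: list = field(default_factory=list)  # system state backups


def backup_is_restorable(backup_date, today,
                         tombstone_lifetime_days=DEFAULT_TOMBSTONE_LIFETIME_DAYS):
    """Active Directory refuses to restore data older than the tombstone
    lifetime; a backup exactly that old is treated as expired as well."""
    return (today - backup_date).days < tombstone_lifetime_days


def freshness_findings(dc, today,
                       tombstone_lifetime_days=DEFAULT_TOMBSTONE_LIFETIME_DAYS):
    """Cadence rules: at least two usable backups within the tombstone
    lifetime, and the latest one younger than the machine account password
    age so the restored DC can still replicate with its partners."""
    findings = []
    usable = [d for d in dc.backup_dates
              if backup_is_restorable(d, today, tombstone_lifetime_days)]
    if not usable:
        findings.append(f"{dc.name}: no backup younger than the tombstone "
                        f"lifetime ({tombstone_lifetime_days} days); a "
                        "restore would be refused")
        return findings
    if len(usable) < 2:
        findings.append(f"{dc.name}: only {len(usable)} backup within the "
                        "tombstone lifetime; at least two are required")
    latest_age = (today - max(usable)).days
    if latest_age > MACHINE_PASSWORD_AGE_DAYS:
        findings.append(f"{dc.name}: latest backup is {latest_age} days old, "
                        f"older than the {MACHINE_PASSWORD_AGE_DAYS}-day machine "
                        "account password age; the restored DC may not replicate")
    return findings


def backup_set_findings(dcs):
    """Composition rules, checked per domain: two or more DCs, a member of an
    application partition replica set, a global catalog, and (recommended
    rather than required) a DNS server."""
    findings = []
    by_domain = {}
    for dc in dcs:
        by_domain.setdefault(dc.domain, []).append(dc)
    for domain, members in sorted(by_domain.items()):
        if len(members) < 2:
            findings.append(f"{domain}: backup set has {len(members)} domain "
                            "controller(s); at least two are required")
        if not any(m.in_app_partition_replica_set for m in members):
            findings.append(f"{domain}: no member of an application partition "
                            "replica set is in the backup set")
        if not any(m.is_global_catalog for m in members):
            findings.append(f"{domain}: backup set contains no global catalog")
        if not any(m.is_dns_server for m in members):
            findings.append(f"{domain}: warning: no DNS server in the backup set")
    return findings


def run_demo(today=DEMO_TODAY):
    """Constructed backup sets for a forest root and a child domain."""
    def days_ago(n):
        return today - timedelta(days=n)
    dcs = [
        DomainController("DC1", "corp.example.com", is_global_catalog=True,
                         is_dns_server=True, in_app_partition_replica_set=True,
                         backup_dates=[days_ago(50), days_ago(20)]),
        DomainController("DC2", "corp.example.com",
                         backup_dates=[days_ago(75), days_ago(45)]),
        DomainController("DC3", "child.corp.example.com", is_global_catalog=True,
                         backup_dates=[days_ago(10)]),
    ]
    return {"set": backup_set_findings(dcs),
            "freshness": [f for dc in dcs for f in freshness_findings(dc, today)]}


if __name__ == "__main__":
    for kind, items in run_demo().items():
        print(kind)
        for line in items:
            print("  -", line)
```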


    Task: Back up Active Directory and associated components

    Procedure: Back up system state

    Link to procedure

    Procedure: Back up system state and the system disk

    Link to procedure

    Dependencies

    None

    Technology Required

    Backup
    Tape drive or other backup media


    Operating Quadrant    System Administration SMF
    Operations Role Cluster    As Needed

    Process: Non-authoritative restore of Active Directory

    Description

    A non-authoritative restore returns the domain controller to its state at the time of backup and then allows normal replication to overwrite that state with any changes that have occurred after the backup was taken. After you restore the system state, the domain controller queries its replication partners. The replication partners replicate any changes to the restored domain controller, ensuring that the domain controller has an accurate and updated copy of the Active Directory database.

    Purpose

    A non-authoritative restore allows the entire directory to be restored on a domain controller, without reintroducing or changing objects that have been modified since the backup. The most common use of a non-authoritative restore is to bring an entire domain controller back, often after catastrophic or debilitating hardware failures. It is uncommon for data corruption to drive a non-authoritative restore, unless the corruption is local and the database cannot be successfully loaded.

    Guidelines

    If you intend to restore a deleted object (or objects), you should refer to the procedures outlined for an authoritative restore. A non-authoritative restore should be used any time the entire directory is being restored on a single domain controller in order to deal with a local database corruption or hardware failure. A non-authoritative restore can be performed on a Windows Server 2003 system that is a stand-alone server, member server, or domain controller. A server must be in Directory Services Restore Mode to perform a non-authoritative restore.

    Task: Perform a non-authoritative restore of a domain controller

    A non-authoritative restore is the default method for restoring Active Directory. To perform a non-authoritative restore, you must be able to start the domain controller in Directory Services Restore Mode. After you restore the domain controller from backup media, replication partners use the standard replication protocols to update both the Active Directory and associated information on the restored domain controller.


    Procedure 1: Restart the domain controller in Directory Services Restore Mode

    Note In cases where you have to reinstall the operating system, you do not have to perform the non-authoritative restore in Directory Services Restore Mode: after you have reinstalled the operating system, you can perform the restore once the machine boots normally.

    Link to procedure.

    Procedure 2: Restore from backup media

    Link to procedure.

    Procedure 3: Verify Active Directory restore

    Link to procedure.

    Task: Restore a domain controller through reinstallation and subsequent restore from backup

    If you cannot restart a domain controller in Directory Services Restore Mode, you can restore it through reinstallation of the operating system, and subsequently restore Active Directory from backup.

    In order for the restore operation to succeed, Windows Server 2003 must be reinstalled to the same drive letter as previously and with at least the same amount of physical drive space. After you reinstall Windows Server 2003, perform a non-authoritative restore of the system state and the system disk.

    Procedure 1: Install Windows Server 2003

    This guide does not address installing Windows Server 2003.

    Procedure 2: Restore from backup media

    Link to procedure.

    Procedure 3: Verify Active Directory restore

    Link to procedure.

    Dependencies

    The domain controller being restored needs to have a previous backup taken with the Backup utility.

    Technology Required

    Backup


    Operating Quadrant    System Administration SMF
    Operations Role Cluster    As Needed

    Process: Authoritative restore for Active Directory objects

    Description

    An authoritative restore process returns an object to its state at the time of the most recent backup. Changes made since the latest backup will be erased. This differs from a non-authoritative restore, which relies on the presence of a replication partner to bring in the current data, including information about objects that were deleted since the backup.

    An authoritative restore should not be relied on as part of a change control infrastructure. Proper delegation of administration and change enforcement will optimize data consistency, integrity, and security.

    Purpose

    An authoritative restore is most commonly used to restore corrupt or deleted objects from the directory (for example, a deleted user account). An authoritative restore should not be used to restore an entire domain controller.

    Guidelines

    An authoritative restore of a subtree or leaf object restores that subtree or leaf and marks it as authoritative for the directory. This means that the restored object will be replicated out to other domain controllers and will be the data that is maintained moving forward. In cases where the object was deleted, it will be revived; in other cases, the object will be returned to a previous state.

    It is important to ensure successful recovery of the information being restored. Group membership is particularly sensitive and can be greatly affected by the procedures that are followed during an authoritative restore.

    You begin by restoring from backup media, just as in a non-authoritative restore, and then perform the following additional steps to complete an authoritative restore.


    Task: Perform an authoritative restore of one or more directory objects

    Note If the objects that were deleted do not include group objects, then you don't need to perform steps 3-10. Additionally, if the groups that were deleted do not have members among the list of deleted objects, then you do not need to perform steps 3-10.

    Procedure 1: Restore from backup media

    Link to procedure.

    Procedure 2: Mark the object(s) authoritative

    Once the data has been restored from backup, you must select which objects are to be marked authoritative in order to have them replicated to other domain controllers. In order to complete this operation, you must know the full distinguished name (also known as DN) of the object you wish to restore.

    Link to procedure.

    Procedure 3: Reboot the computer in isolation

    To combat some of the challenges of a distributed system and to ensure successful restoration of data, it is necessary to follow some additional precautions during the authoritative restore process.

    Rebooting the machine in isolation helps you prepare for the next step, which is to turn off inbound replication, since you cannot turn off inbound replication in Directory Services Restore Mode.

    If you do need to reboot, the most common way to boot a computer in isolation is to remove the network connection from the domain controller by physically removing the network cable. Alternate methods may be possible depending on your network hardware and enterprise practices.

    It is important to prevent the domain controller from communicating with any other domain controller in the domain or forest. You should also isolate the domain controller from any clients that could invoke change on any object in the directory.

    Procedure 4: Turn off inbound replication using repadmin

    By turning off inbound replication, you ensure that no changes replicate into the domain controller and alter group membership.

    Link to procedure.


    Operating Quadrant    System Administration SMF
    Operations Role Cluster    As Needed

    Process: Recovering a domain controller through reinstallation

    Description

    Recovering through reinstallation is the same process as creating a new domain controller. It does not involve restoring from backup media. This method relies on Active Directory replication to restore a domain controller to a working state and is valid only if another healthy domain controller exists in the same domain. This option is normally used on computers that function only as a domain controller.

    Purpose

    Recovering through reinstallation is the only method by which a domain controller that is not part of the backup set can be restored. Additionally, this procedure may be chosen over a non-authoritative restore because of the inaccessibility of the backup media or due to convenience.

    Guidelines

    This process assumes a complete reinstallation of the operating system. It is recommended that prior to installing the operating system, the entire system disk be formatted, which will remove all information on the system disk. Ensure that any important or relevant data is moved or backed up before performing these actions.

    Recovering through reinstallation should not be a substitute for regular backup routines, which are needed to ensure a successful recovery should the need arise, as it depends on the presence of another domain controller in the same domain.

    Bandwidth is the primary consideration for recovering a domain controller through reinstallation. The bandwidth required is directly proportional to the size of the Active Directory database and the time in which the domain controller is required to be in a functioning state. Ideally, the existing functional domain controller should be located in the same Active Directory site as the replicating domain controller (new domain controller) in order to reduce network impact and the time the reinstallation takes to complete.

    Task: Recovering a domain controller through reinstallation

    Procedure 1: Clean up metadata

    Link to procedure.

    Procedure 2: Install Windows Server 2003

    It is assumed that a fresh installation of Windows Server 2003 will be performed. This may be preceded by partition or format actions on your hard disk drive in preparation for the install.


    Procedure 3: Verify DNS registration and functionality

    Link to procedure.

    Procedure 4: Verify communication with other domain controllers

    Link to procedure.

    Procedure 5: Verify the availability of the operations masters

    Link to procedure.

    Procedure 6: Install Active Directory

    During the installation process, replication occurs, ensuring that the domain controller has an accurate and up-to-date copy of Active Directory. Optionally, use the same information for this domain controller as the domain controller it is replacing. Site placement, domain controller name, and domain membership should remain the same. If you plan on installing the domain controller under a different name, you may wish to also refer to the process: Installing a domain controller for an existing domain.

    Link to procedure.

    Procedure 7: Verify Active Directory installation

    Read and perform the procedures in Task: Verify Active Directory Installation. Link to task.

    Dependencies

    Domain Administrator credentials

    Technology Required

    Dcpromo.exe or Backup


    Changing Quadrant    Release Management SMF
    Release Role Cluster    As Needed

    Process: Installing a domain controller for an existing domain

    Description

    This process covers the installation of Active Directory onto a Windows Server 2003 system that will become a domain controller in an existing Active Directory domain. For more information regarding the best practices for planning, testing, and deploying Active Directory, refer to the Windows Server 2003 Deployment Kit: Designing and Deploying Directory and Security Services at http://www.microsoft.com/downloads/details.aspx?familyid=6cde6ee7-5df1-4394-92ed-2147c3a9ebbe&displaylang=en .

    To ensure successful installation of a new domain controller, you should verify that all critical services that Active Directory depends on are configured following Microsoft best practices.

    Active Directory is installed on a Windows Server 2003 server by running the Active Directory Installation Wizard. The wizard simplifies the promotion process by automating as much of the installation as possible. To run the Active Directory Installation Wizard, you must be a member of the Domain Administrators group.

    Purpose

    There are several motivations for adding a new domain controller. Additional applications (Active Directory-integrated as opposed to those running on domain controllers) may be required to meet increased capacity requirements, provide upgrades and fault tolerance, and reduce failures. For more information on criteria for deploying a new domain controller and best practices for Active Directory, refer to the Windows Server 2003 Deployment Kit: Designing and Deploying Directory and Security Services.

    Guidelines

    Before you begin your installation, the following conditions must exist in your environment:

    - Your Active Directory forest root domain must already exist with at least two properly functioning domain controllers.
    - If you are installing a new domain controller for a child domain, there should be at least two properly functioning domain controllers in the forest root domain.
    - DNS must be functioning properly.
    - This guide assumes you are using Active Directory integrated DNS zones. You must configure at least one domain controller as a DNS server.

    Creating or removing a domain or forest is beyond the scope of this guide.


    Task: Preparing for Active Directory installation

    Properly preparing for the installation of Active Directory decreases the chances of problems occurring during the installation process and helps you quickly complete the operation. Preparation includes installing and configuring DNS and gathering information that you need for the installation.

    Configure DNS

    The DNS client is always present on a server running Windows Server 2003. You should properly configure both the DNS client and the DNS server to ensure that name resolution and related dependencies will function as expected during the installation of Active Directory.

    Ensure that any required configuration, forwarders, or zones are present and accessible prior to installation. For more information about DNS configuration best practices, see the Windows Server 2003 Deployment Kit: Designing and Deploying Directory and Security Services at http://www.microsoft.com/downloads/details.aspx?familyid=6cde6ee7-5df1-4394-92ed-2147c3a9ebbe&displaylang=en .

    Site Placement

    During installation, the Active Directory Installation Wizard attempts to place the new domain controller in the appropriate site. The appropriate site is determined by the domain controller's IP address and subnet mask. The wizard uses the IP information to calculate the subnet address of the domain controller and checks to see if a Subnet object exists in the directory for that subnet address. If the Subnet object exists, the wizard uses it to place the new Server object in the appropriate site. If not, the wizard places the new Server object in the same site as the domain controller that is being used as a source to replicate the directory database to the new domain controller. Make sure the Subnet object has been created for the desired site prior to running the wizard.

    A site is allocated according to the following rules:

    1. If you specify a site in the Unattended text file that is used to create the new domain controller, the domain controller will be placed directly into that site when it is built.
    2. If no site is specified in the Unattended text file when the new domain controller is built, then by default the domain controller will be placed in a site based on its IP address.
    3. If you specify a replica partner in the Unattended text file but do not specify a site, the new domain controller should be placed in the replica partner's site.
    4. If the replica partner or site is not specified, then the allocation of the site is random. It will depend on the replica partner selected for initial replication.
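The site-placement logic above (subnet address computed from IP and mask, Subnet object lookup, then the four allocation rules) as an added example in Python; this is neither the wizard's code nor from the original guide. The Subnet objects, site names, DC names and addresses are constructed sample data.

```python
import ipaddress

# Constructed Subnet objects ('network/prefix' -> site name); not real data.
SAMPLE_SUBNET_OBJECTS = {
    "10.1.2.0/24": "Site-A",
    "10.1.3.0/24": "Site-B",
    "192.168.0.0/16": "Site-Branch",
}


def subnet_address(ip, mask):
    """The subnet address the wizard derives from the new DC's IP address
    and subnet mask, in the 'network/prefix' form used to look up Subnet
    objects. Raises ValueError for a malformed address or mask."""
    return str(ipaddress.ip_interface(f"{ip}/{mask}").network)


def site_for_subnet(ip, mask, subnet_objects):
    """Procedure 4 check: is there a Subnet object for exactly this subnet
    address, and which site does it belong to? None means the Subnet object
    is missing and should be created before the wizard runs. A Subnet object
    covering a wider range than the DC's own mask does not match here."""
    return subnet_objects.get(subnet_address(ip, mask))


def allocate_site(ip, mask, subnet_objects, source_dc_site,
                  site_name=None, replica_partner=None, partner_sites=None):
    """Apply rules 1-4 in order and return (site, rule_number).
    The subnet match (rule 2) is tried before the replica partner's site
    (rule 3) because the description above makes the partner's site the
    fallback for when no Subnet object matches."""
    if site_name:                        # rule 1: site named in the answer file
        return site_name, 1
    site = site_for_subnet(ip, mask, subnet_objects)
    if site is not None:                 # rule 2: placed by IP address
        return site, 2
    if replica_partner and partner_sites and replica_partner in partner_sites:
        return partner_sites[replica_partner], 3   # rule 3: partner's site
    # rule 4: nothing specified and no subnet match: the site of whichever DC
    # the wizard happened to pick as the replication source.
    return source_dc_site, 4


if __name__ == "__main__":
    partner_sites = {"DC2": "Site-B"}    # constructed
    cases = [("10.1.2.50", {}),
             ("10.1.2.50", {"site_name": "Site-C"}),
             ("10.9.9.9", {"replica_partner": "DC2",
                           "partner_sites": partner_sites}),
             ("10.9.9.9", {})]
    for ip, kw in cases:
        print(ip, kw, "->", allocate_site(ip, "255.255.255.0",
                                          SAMPLE_SUBNET_OBJECTS, "Site-HQ", **kw))
```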


    Domain Connectivity

    During the installation process, the Active Directory Installation Wizard needs to communicate with other domain controllers in order to join the new domain controller to the domain. The wizard needs to communicate with a member of the domain to receive the initial copy of the directory database for the new domain controller. It communicates with the domain naming master for domain installs only, so that the new domain controller can be added to the domain. The wizard also needs to contact the relative ID (RID) master so that the new domain controller can receive its RID pool, and it needs to communicate with another domain controller in order to populate the SYSVOL shared folder on the new domain controller. All of this communication depends on proper DNS installation and configuration. By using Netdiag.exe and Dcdiag.exe, you can test all of these connections prior to starting the Active Directory Installation Wizard.

    Required Information

    The installation wizard asks for the following specific configuration information before it begins installing Active Directory:

    - A domain administrator's user name and password
    - Location to store the directory database and log files
    - The password to use for Directory Services Restore Mode
    - The fully qualified DNS name of the domain to which the new domain controller will be added

    Have this information ready before you run the Active Directory Installation Wizard.

    Procedure 1: Install the DNS Server service

    Link to procedure.

    Procedure 2: Gather the SYSVOL path installation information

    Link to procedure.

    Procedure 3: Verify DNS registration and functionality

    Link to procedure.

    Procedure 4: Verify that an IP address maps to a subnet and determine the site association

    Link to procedure.

    Procedure 5: Verify communication with other domain controllers

    Link to procedure.

    Procedure 6: Verify the availability of the operations masters

    Link to procedure.


    Caution If any of the verification tests fail, do not continue until you determine what went wrong andfix the problems. If these tests fai l, the installation is also likely to fail.

    Task: Install Active Directory

    There are a number of elements to consider when installing Active Directory on anew domain controller. This task addresses the general requirements concerning thesite placement, connectivity, and Active Directory Installation Wizard.

    The Active Directory Installation Wizard

    After you have gathered all the information that you need to run the ActiveDirectory Installation Wizard and have performed the tests to verify that all of thenecessary domain controllers are available, you are ready to install Active Directoryon your server and turn it into a domain controller.

During the installation process, the wizard asks for information that it needs in order to properly configure the new domain controller. First, it asks if you want to install a domain controller in a new domain or an additional domain controller in an existing domain. Because this guide pertains to adding domain controllers to domains that already exist, choose Additional domain controller in an existing domain.

During the installation process, the wizard needs to communicate with other domain controllers in order to add this new domain controller to the domain and get the appropriate information into the Active Directory database. To maintain security, you must provide credentials that have administrative access to the directory; for an additional domain controller in an existing domain this means membership in the Domain Admins group of that domain.

    Procedure 1: Install Active Directory

    Link to procedure.

    Task: Install Active Directory from media

Installing Active Directory from media allows you to reduce the replication traffic that is initiated during the installation of an additional domain controller in an Active Directory domain, and thus reduces the time it takes to install a replica domain controller.

    This task has three procedures:

Back up the system state of an existing domain controller in the same domain as the new domain controller.

Restore the system state to an alternate location locally on the new domain controller.

Promote the server to a domain controller by using the dcpromo /adv option.

    Procedure 1: Back up system state

    Link to procedure.


    Procedure 2: Restore system state to an alternate location

    Link to procedure.

    Procedure 3: Promote server to domain controller

    Link to procedure.

    Task: Unattended install of Active Directory

Running an unattended install simplifies the process of setting up Active Directory on multiple computers. The unattended install feature uses an answer file to provide answers to the questions asked during a normal setup. This allows the installation process to proceed from start to completion without user intervention. This method works best when Active Directory is being installed with identical options on many computers.

Procedure 1: Install and run Setup Manager to create an answer file (Unattend.txt)

    Link to procedure.

    Procedure 2: Run Active Directory automated install

In the Run dialog box, type dcpromo /answer:<answerfile> (where answerfile is the file created with Setup Manager), and click OK.
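As an added example that is not part of the guide, the script below writes the [DCInstall] answer file that Setup Manager would otherwise produce and then runs dcpromo against it. It covers both the plain replica case of this task and the install-from-media case of the previous task: when a restored system-state path is supplied, the ReplicateFromMedia and ReplicationSourcePath keys (the Windows Server 2003 answer-file keys for the dcpromo /adv path) are added. The domain, source domain controller, account and media path are assumed values. The answer-file format stores the Directory Services Restore Mode password in clear text, so the script prompts for it at run time, restricts the file to SYSTEM and Administrators while it exists, and overwrites it before deleting; the domain credential is never written because Password=* makes dcpromo prompt for it.

```powershell
# Added example (not from the guide): write a dcpromo answer file and run the unattended
# promotion. Assumed values: domain corp.example.com, replication source dc01, a Domain
# Admins account named dcbuild and, for install-from-media, a restored system state in D:\IFM.
param(
    [string]$DomainName = 'corp.example.com',
    [string]$SourceDC   = 'dc01.corp.example.com',
    [string]$SiteName   = 'Default-First-Site-Name',
    [string]$AdminUser  = 'dcbuild',                 # Password=* below makes dcpromo prompt for it
    [string]$IfmPath    = '',                        # e.g. 'D:\IFM' to install from restored media
    [string]$AnswerFile = "$env:SystemRoot\Temp\dcpromo-unattend.txt"
)

# The DSRM password must appear in the file in clear text, so it is prompted for here
# and the file is locked down and overwritten instead of being left on disk.
$secure = Read-Host -AsSecureString 'Directory Services Restore Mode password'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$lines = @(
    '[DCInstall]',
    'ReplicaOrNewDomain=Replica',            # additional domain controller in an existing domain
    "ReplicaDomainDNSName=$DomainName",
    "SiteName=$SiteName",
    "ReplicationSourceDC=$SourceDC",
    "DatabasePath=$env:SystemRoot\NTDS",
    "LogPath=$env:SystemRoot\NTDS",
    "SYSVOLPath=$env:SystemRoot\SYSVOL",
    "SafeModeAdminPassword=$dsrm",
    "UserDomain=$DomainName",
    "UserName=$AdminUser",
    'Password=*',                            # '*' = prompt; keeps the domain credential out of the file
    'RebootOnSuccess=No'                     # reboot is issued below, after the file is destroyed
)
if ($IfmPath) {
    $lines += 'ReplicateFromMedia=Yes'
    $lines += "ReplicationSourcePath=$IfmPath"
}
Set-Content -Path $AnswerFile -Value $lines -Encoding ASCII

# Restrict the file to SYSTEM and local Administrators for as long as it exists.
$acl = Get-Acl -Path $AnswerFile
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $AnswerFile -AclObject $acl

$exitCode = -1
try {
    $dcpromoArgs = "/answer:`"$AnswerFile`""
    if ($IfmPath) { $dcpromoArgs = "/adv $dcpromoArgs" }
    $proc = Start-Process -FilePath "$env:SystemRoot\system32\dcpromo.exe" -ArgumentList $dcpromoArgs -Wait -PassThru
    $exitCode = $proc.ExitCode
} finally {
    # Overwrite before deleting so the DSRM password is not left in free disk space.
    Set-Content -Path $AnswerFile -Value ('0' * 4096) -Encoding ASCII
    Remove-Item -Path $AnswerFile -Force
}

if ($exitCode -ne 0) {
    Write-Error "dcpromo exited with code $exitCode; check %SystemRoot%\debug\dcpromo.log before retrying."
    exit $exitCode
}
Restart-Computer -Force
```

RebootOnSuccess is set to No so that the cleanup in the finally block runs before the restart; with Yes the restart can begin before the answer file has been overwritten. Verify the key names against the unattended-installation reference for the exact Windows Server version you deploy before relying on them.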

    Task: Verify Active Directory installation

There are several verification tasks that can be performed on a newly promoted domain controller. Successfully completing the requirements of each verification task will provide a strong indication of a healthy, operational domain controller.

    Procedure 1: Determine whether a Server object has Child objects

    Link to procedure.

    Procedure 2: Verify the site assignment for the domain controller

You must ensure that the new domain controller is located in the proper site so that after the installation is complete, the new domain controller can locate replication partners and become part of the replication topology. If the site is not correct, you can use the Active Directory Sites and Services snap-in to move the Server object for the domain controller to the proper site after Active Directory installation is complete.

Note The last dialog box displayed by the Active Directory Installation Wizard lists the site where the new domain controller is installed. If this is not the proper site, you must move the Server object after the server is rebooted.

    Link to procedure.


Procedure 3: Move a Server object to a different site if the domain controller is located in the wrong site

    Link to procedure.

    Procedure 4: Configure DNS server forwarders

    Link to procedure.

    Procedure 5: Verify DNS configuration

    Link to procedure.

    Procedure 6: Check the status of the shared SYSVOL

    Link to procedure.

    Procedure 7: Verify DNS registration and functionality

    Link to procedure.

Procedure 8: Verify domain membership for the new domain controller

Link to procedure.

    Procedure 9: Verify communication with other domain controllers

    Link to procedure.

    Procedure 10: Verify replication with other domain controllers

    Link to procedure.

    Procedure 11: Verify the availability of the operations masters

    Link to procedure.
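The following script is an added example, not part of the guide, that performs the checks of Procedures 1, 2, 6, 7, 8, 10 and 11 from an administrative workstation against the new domain controller. It reads the domain controller's site, NTDS Settings object, shares and replication status through System.DirectoryServices and WMI, and it compares the site the domain controller landed in with the site its IP address maps to through the subnet objects, which is the condition Procedure 3 exists to fix. PowerShell 2.0 or later and read access to the directory are assumed; dc02.corp.example.com is an assumed name.

```powershell
# Added example (not from the guide): post-promotion checks for a new domain controller,
# run from an administrative workstation with PowerShell 2.0+ and read access to the
# directory. dc02.corp.example.com is an assumed name.
param([string]$DcName = 'dc02.corp.example.com')
$ns  = 'System.DirectoryServices.ActiveDirectory'
$ctx = New-Object -TypeName "$ns.DirectoryContext" -ArgumentList 'DirectoryServer', $DcName
$dc  = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)
$problems  = @()
$shortName = $DcName.Split('.')[0]

function ConvertTo-UInt32([string]$ipv4) {
    $b = [System.Net.IPAddress]::Parse($ipv4).GetAddressBytes()
    [array]::Reverse($b)                          # network order -> host order for BitConverter
    [BitConverter]::ToUInt32($b, 0)
}
function Test-InSubnet([string]$ip, [string]$cidr) {
    # IPv4 prefix match, written without -shl so it also runs on PowerShell 2.0.
    if ($cidr -match ':' -or $ip -match ':') { return $false }   # IPv6 subnets not handled here
    $net, $bits = $cidr.Split('/')
    $mask = [uint32](4294967296 - [math]::Pow(2, 32 - [int]$bits))
    return (((ConvertTo-UInt32 $ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask))
}

# Procedure 8: domain membership and site, as the domain controller reports them.
Write-Host "$DcName serves domain $($dc.Domain.Name) from site $($dc.SiteName), IP $($dc.IPAddress)"

# Procedure 2: the site the DC landed in must be the one its IP address maps to.
$mapped = @($dc.Forest.Sites | ForEach-Object { $_.Subnets } |
            Where-Object { $_.Site -ne $null -and (Test-InSubnet $dc.IPAddress $_.Name) } |
            ForEach-Object { $_.Site.Name })
if ($mapped.Count -eq 0) {
    $problems += "No subnet object covers $($dc.IPAddress); add one, or the DC cannot be placed by address"
} elseif ($mapped -notcontains $dc.SiteName) {
    $problems += "$($dc.IPAddress) maps to site $($mapped -join ',') but the DC is in $($dc.SiteName); move the Server object (Procedure 3)"
}

# Procedure 1: the Server object must have its NTDS Settings child; without it the KCC
# never builds connection objects for this domain controller.
$rootDse  = [ADSI]"LDAP://$DcName/RootDSE"
$configNC = [string]$rootDse.Properties['configurationNamingContext'][0]
$ntdsPath = "LDAP://$DcName/CN=NTDS Settings,CN=$shortName,CN=Servers,CN=$($dc.SiteName),CN=Sites,$configNC"
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($ntdsPath)) {
    $problems += "No NTDS Settings object under CN=$shortName in site $($dc.SiteName)"
}

# Procedure 6: SYSVOL and NETLOGON must be shared before clients can apply Group Policy.
$shares = @(Get-WmiObject -Class Win32_Share -ComputerName $DcName | ForEach-Object { $_.Name })
foreach ($s in 'SYSVOL', 'NETLOGON') {
    if ($shares -notcontains $s) { $problems += "Share $s is not present on $DcName" }
}

# Procedure 7: the DC's host record must resolve to the address it reports.
$resolved = @([System.Net.Dns]::GetHostAddresses($DcName) | ForEach-Object { $_.IPAddressToString })
if ($resolved -notcontains $dc.IPAddress) {
    $problems += "DNS resolves $DcName to $($resolved -join ',') but the DC reports $($dc.IPAddress)"
}

# Procedure 10: every inbound replication link must exist and have synced cleanly.
$neighbors = @($dc.GetAllReplicationNeighbors())
if ($neighbors.Count -eq 0) { $problems += 'No inbound replication partners yet (not in the topology)' }
foreach ($n in $neighbors) {
    if ($n.LastSyncResult -ne 0 -or $n.ConsecutiveFailureCount -gt 0) {
        $problems += "Replication of $($n.PartitionName) from $($n.SourceServer) failing: $($n.LastSyncMessage)"
    }
}

# Procedure 11: the new DC's copy of the directory must name the operations masters.
$d = $dc.Domain; $f = $dc.Forest
$roles = "PDC=$($d.PdcRoleOwner.Name) RID=$($d.RidRoleOwner.Name) Infra=$($d.InfrastructureRoleOwner.Name)"
$roles += " Schema=$($f.SchemaRoleOwner.Name) Naming=$($f.NamingRoleOwner.Name)"
Write-Host "Role holders seen by $DcName : $roles"

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "$DcName passed all post-installation checks."
```

Run it a few minutes after the post-promotion reboot; an empty replication-partner list immediately after promotion usually means the KCC has not run yet rather than a fault, and the script reports it so that you re-run rather than assume.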

    Dependencies

The following access levels are required:

Domain user

Domain admin

    Technology Required

    Active Directory Sites and Services (administrative tools)

    DNS Manager

    Event Viewer

Netdiag.exe

Dcdiag.exe

    Ntdsutil.exe (system tool)


Changing Quadrant    Change Management SMF

Release Role Cluster    As Needed

    Process: Removing Active Directory

Description

A domain controller can be removed from a domain in one of two ways: by removing Active Directory, or by a system failure that renders the domain controller inoperable so that you cannot restore it to service.

    Purpose

    A domain controller might need to be removed when:

    You no longer need the domain controller.

The domain controller's connection to the rest of the network is not sufficient.

The domain controller has suffered a hardware failure that will not be quickly repaired.

    Guidelines

Similarly to how you can install Active Directory to turn a Windows Server 2003-based server into a domain controller, you can remove Active Directory to turn a Windows Server 2003-based domain controller back into a member server. This process removes most of the references to the domain controller from the directory. You must manually remove the Server object that represents the domain controller from the Servers container of its site (in Active Directory Sites and Services) after you remove Active Directory. This method properly removes the domain controller from the directory.

A hardware failure on a domain controller can render it inoperable. If the problem is severe enough, you might never be able to return the domain controller to service. In this case, the other domain controllers eventually reconfigure themselves so that they can continue to replicate directory information without the failed domain controller.

When a domain controller is removed from the domain without removing Active Directory, all the information about that domain controller remains in the directory. You must take additional steps to remove this information from the directory.


    Task: Decommission the domain controller

Demoting a domain controller effectively removes all Active Directory and related components and returns the domain controller to a member server role.

    Procedure 1: View the current operations master role holders

To avoid problems, transfer any operations master roles prior to running the Active Directory Installation Wizard to decommission a domain controller so that you can control the operations master role placement. If you need to transfer any roles from a domain controller, understand all the recommendations for role placement before performing the transfer.

Caution During the decommissioning process, the Active Directory Installation Wizard will attempt to transfer any remaining operations master roles to other domain controllers without any user interaction. However, if a failure occurs, the wizard will continue to demote and leave your domain without roles. Also, you do not have control over which domain controller receives the roles. The wizard transfers the roles to any available domain controller and does not indicate which domain controller hosts them.

    Link to procedure.

    Procedure 2: Transfer the forest-level operations master roles

This is required only if this domain controller hosts either the schema master or domain naming master role.

    Link to procedure.

    Procedure 3: Transfer the domain-level operations master roles

This is required only if this domain controller hosts the PDC emulator, infrastructure master, or RID master role.

    Link to procedure.

Procedure 4: Determine whether a domain controller is a global catalog server

If you remove Active Directory from a domain controller that hosts a global catalog, the Active Directory Installation Wizard confirms that you want to continue with removing Active Directory. This confirmation ensures that you are aware that you are removing a global catalog from your environment. Do not remove the last global catalog server from your environment, because users cannot log on without an available global catalog server. If you are not sure, do not proceed with removing Active Directory until you know that at least one other global catalog server is available.

    Link to procedure.
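Procedures 1 through 4 can be combined into one pre-demotion check that refuses to continue when the domain controller is the last global catalog and, only when explicitly asked, moves any roles it holds to a domain controller you name, so the wizard never has to pick a holder for you. The script below is an added example, not part of the guide; dc03 (the domain controller being demoted) and dc01 (the intended new role holder) are assumed names, and PowerShell 2.0 or later is assumed. Understand the role-placement recommendations before choosing the target: for example, in a multi-domain forest the infrastructure master should not be placed on a global catalog server.

```powershell
# Added example (not from the guide): pre-demotion checks and a controlled transfer of
# any operations master roles. Assumed names: dc03 is being demoted, dc01 is the
# intended new role holder. Report-only unless -Transfer is given.
param(
    [string]$DcToDemote = 'dc03.corp.example.com',
    [string]$RoleTarget = 'dc01.corp.example.com',
    [switch]$Transfer
)
$ns = 'System.DirectoryServices.ActiveDirectory'
function Get-DC([string]$name) {
    $ctx = New-Object -TypeName "$ns.DirectoryContext" -ArgumentList 'DirectoryServer', $name
    [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)
}

# Procedure 1: which roles does this DC hold? (values such as RidRole, PdcRole, SchemaRole)
$dc    = Get-DC $DcToDemote
$roles = @($dc.Roles | ForEach-Object { "$_" })
if ($roles.Count -gt 0) { Write-Host "$DcToDemote holds: $($roles -join ', ')" }
else                    { Write-Host "$DcToDemote holds no operations master roles" }

# Procedure 4: never remove the last global catalog in the forest.
$otherGCs = @($dc.Forest.GlobalCatalogs | Where-Object { $_.Name -ne $dc.Name } | ForEach-Object { $_.Name })
if ($dc.IsGlobalCatalog()) {
    if ($otherGCs.Count -eq 0) {
        Write-Error "$DcToDemote is the only global catalog in the forest. Stop: enable another GC first."
        exit 1
    }
    Write-Host "Global catalog: yes. GCs remaining after demotion: $($otherGCs -join ', ')"
}

# Procedures 2 and 3: transfer forest-level and domain-level roles to a DC you chose.
if ($roles.Count -gt 0) {
    if (-not $Transfer) {
        Write-Warning "Re-run with -Transfer to move these roles to $RoleTarget before demoting."
        exit 2
    }
    $target = Get-DC $RoleTarget
    foreach ($role in $dc.Roles) {
        # TransferRoleOwnership is the cooperative transfer (the Ntdsutil 'transfer' command),
        # not a seizure. Schema and naming roles need Enterprise Admins; the rest Domain Admins.
        $target.TransferRoleOwnership($role)
        Write-Host "Transferred $role to $RoleTarget"
    }
    # Re-read the owners over a fresh connection rather than trusting the call's return.
    $verify = Get-DC $RoleTarget
    $owner  = @{
        SchemaRole = $verify.Forest.SchemaRoleOwner.Name; NamingRole = $verify.Forest.NamingRoleOwner.Name
        PdcRole    = $verify.Domain.PdcRoleOwner.Name;    RidRole    = $verify.Domain.RidRoleOwner.Name
        InfrastructureRole = $verify.Domain.InfrastructureRoleOwner.Name
    }
    foreach ($r in $roles) {
        if ($owner[$r] -ne $verify.Name) { Write-Error "$r still reports owner $($owner[$r])"; exit 3 }
    }
}
Write-Host "Pre-demotion checks passed for $DcToDemote; continue with Procedures 5 to 8."
```

Exit codes 1 to 3 are distinct so the script can gate a change window: 1 means the last global catalog, 2 means roles are still held and no transfer was requested, 3 means a transfer did not take effect as read back from the target.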

    Procedure 5: Verify DNS registration and functionality

    Link to procedure.


    Procedure 6: Verify communication with other domain controllers

During the removal of Active Directory, contact with other domain controllers is required to ensure:

    Any unreplicated changes are replicated to another domain controller.

Removal of the domain controller from the directory.

Transfer of any remaining operations master roles.

If the domain controller cannot contact the other domain controllers during Active Directory removal, the decommissioning operation fails. As with the installation process, test the communication infrastructure prior to running the installation wizard. When you remove Active Directory, use the same connectivity tests that you used during the installation of Active Directory.

    Link to procedure.

    Procedure 7: Verify the availability of the operations masters

    Link to procedure.

Note If any of the verification tests fail, do not continue until you determine and fix the problems. If these tests fail, the removal is also likely to fail.

    Procedure 8: Remove Active Directory

    Link to procedure.

    Procedure 9: Determine whether a Server object has Child objects

    Link to procedure.

    Procedure 10: Delete a Server object from a site

Note The administrator may not want to remove the Server object if it hosts something in addition to Active Directory (Microsoft Exchange, for example).

    Link to procedure.

    Task: Forced removal of a domain controller

Forced removal of a domain controller is only intended to be used as a last resort for recovering a domain controller without requiring reinstallation of the operating system. It is not intended to replace the normal removal procedure in any way and is virtually equivalent to permanently disconnecting the domain controller.

There is a considerable amount of metadata about a domain controller stored within Active Directory. During a normal demotion, this metadata is cleaned up. A forced removal assumes there is no connectivity to the domain and does not attempt any cleanup.


Forced removal of a domain controller should always be followed by cleaning up the associated metadata, thereby effectively removing all references to the domain controller from the domain and forest.

    Forced demotion should not be done on the last domain controller in a domain.

Procedure 1: Identify replication partners

Link to procedure.

    Procedure 2: Force domain controller removal

    Link to procedure.

    Procedure 3: Clean up metadata

    Link to procedure.
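After the metadata cleanup of Procedure 3 it is worth confirming that nothing in the directory or in DNS still refers to the removed domain controller, because stale connection objects and SRV records keep other domain controllers and clients trying to reach a machine that no longer exists. The script below is an added example, not part of the guide; it runs read-only LDAP searches and one nslookup query. The removed domain controller dc04, its site Branch, the domain controller dc01 used for the queries and the DNS domain are assumed names.

```powershell
# Added example (not from the guide): after 'dcpromo /forceremoval' and Ntdsutil metadata
# cleanup, search for anything that still refers to the removed domain controller.
# Read-only. Assumed names: removed DC dc04 in site Branch, queried through dc01.
param(
    [string]$RemovedDc = 'dc04',
    [string]$SiteName  = 'Branch',
    [string]$QueryDc   = 'dc01.corp.example.com',
    [string]$DnsDomain = 'corp.example.com'
)
$rootDse  = [ADSI]"LDAP://$QueryDc/RootDSE"
$domainNC = [string]$rootDse.Properties['defaultNamingContext'][0]
$configNC = [string]$rootDse.Properties['configurationNamingContext'][0]
$ntdsDN   = "CN=NTDS Settings,CN=$RemovedDc,CN=Servers,CN=$SiteName,CN=Sites,$configNC"

function Find-Residue([string]$base, [string]$filter, [string]$what) {
    # One result object per check, listing the DNs still present; an empty list is the goal.
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$QueryDc/$base")
    $s = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    $s.SearchScope = 'Subtree'
    [void]$s.PropertiesToLoad.Add('distinguishedName')
    $dns = @($s.FindAll() | ForEach-Object { [string]$_.Properties['distinguishedname'][0] })
    New-Object PSObject -Property @{ Check = $what; Remaining = $dns }
}

# 8192 = SERVER_TRUST_ACCOUNT; 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$results = @(
    (Find-Residue $configNC "(&(objectClass=server)(cn=$RemovedDc))" 'Server object under Sites'),
    (Find-Residue $configNC "(&(objectClass=nTDSDSA)(distinguishedName=$ntdsDN))" 'NTDS Settings object'),
    (Find-Residue $configNC "(&(objectClass=nTDSConnection)(fromServer=$ntdsDN))" 'Connection objects on other DCs still pulling from it'),
    (Find-Residue $domainNC "(&(objectClass=computer)(cn=$RemovedDc)(userAccountControl:1.2.840.113556.1.4.803:=8192))" 'Computer account still flagged as a domain controller'),
    (Find-Residue "CN=System,$domainNC" "(&(objectClass=nTFRSMember)(cn=$RemovedDc))" 'FRS member object for SYSVOL')
)

# DNS: the host record and the DC locator SRV records must be gone as well.
$dnsLeft = @()
try {
    [void][System.Net.Dns]::GetHostAddresses("$RemovedDc.$DnsDomain")
    $dnsLeft += "A record for $RemovedDc.$DnsDomain"
} catch { }
$srv = & nslookup.exe -type=SRV "_ldap._tcp.dc._msdcs.$DnsDomain" 2>$null
if ($srv -match "svr hostname\s*=\s*$RemovedDc\.") { $dnsLeft += "_ldap._tcp.dc._msdcs SRV record" }

$clean = $true
foreach ($r in $results) {
    if ($r.Remaining.Count -gt 0) {
        $clean = $false
        Write-Warning "$($r.Check): $($r.Remaining -join '; ')"
    } else {
        Write-Host "OK: $($r.Check)"
    }
}
foreach ($d in $dnsLeft) { $clean = $false; Write-Warning "DNS still has $d" }
if (-not $clean) { exit 1 }
Write-Host "No remaining references to $RemovedDc found."
```

The computer account check is deliberate: metadata cleanup removes the NTDS Settings and Server objects, but a computer account that still carries the domain-controller flag is a trust account that an attacker who recovers the old machine's secrets could still use, so delete it once the cleanup is confirmed.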

    Dependencies

    None

    Technology Required

    None


Operating Quadrant    System Administration SMF

Operations Role Cluster    As Needed

    Process: Rename a domain controller

Description

The ability to rename domain controllers running Windows Server 2003 (unlike Windows 2000 Server) provides you with the flexibility to:

Restructure your network for organizational and business needs.

    Make management and administrative control easier.

Although one can rename a domain controller through the System Properties GUI (as with any other computer), Active Directory and DNS replication latency may temporarily prevent clients from locating and/or authenticating to the renamed domain controller. To eliminate this, it is recommended that the Netdom command-line tool be used to rename a domain controller.

Purpose

Renaming a domain controller is a common operation in many organizations and usually occurs when:

    New hardware is purchased to replace an existing domain controller.

Domain controllers are decommissioned, or promoted, and renamed to maintain a naming convention.

Domain controllers are moved or placed in a different site.

    Guidelines

It is important to note that domain controller names have a primary impact on administration, rather than client access. Renaming a domain controller is an optional exercise, and the impacts should be well-understood prior to renaming.

You can rename a domain controller by using the GUI or the Netdom tool. The domain functional level must be set to Windows Server 2003 for you to be able to use the Netdom tool. In all other cases, you should use the GUI.

    Task: Rename using the System Properties user interface

    Procedure 1: Use System Properties interface to change name

    Link to procedure.

    Procedure 2: Update the FRS Member object

    Link to procedure.


    Task: Rename using the Netdom command-line tool

The netdom command updates the service principal name (SPN) attributes in Active Directory for the computer account and registers DNS resource records for the new computer name. The SPN value of the computer account must be replicated to all domain controllers in the domain, and the DNS resource records for the new computer name must be distributed to all the authoritative DNS servers for the domain name. If the updates and registrations have not occurred prior to removing the old computer name, then some clients may be unable to locate this computer using the new or old name; a client that requests a Kerberos ticket for the new name from a domain controller that has not yet received the SPN is refused, because the KDC cannot map that SPN to the account.

    Procedure 1: Add the new domain controller name

    Link to procedure.

    Procedure 2: Designate the new name as the primary computer name

Prior to performing this operation, you must ensure that the SPN value has been registered in Active Directory and the DNS records for the new computer name have been registered in DNS.

    Link to procedure.

    Procedure 3: Remove the old domain controller name

Prior to performing this operation, you must ensure that the updated dnsHostName attribute for the new computer name in the computer account has been registered in Active Directory and that the SRV DNS records have been registered in authoritative DNS servers.

    Link to procedure.

    Procedure 4: Update the FRS Member object

    Link to procedure.
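The prerequisites stated under Procedures 2 and 3 are replication conditions, so they can be checked mechanically instead of by waiting a guessed interval. The script below is an added example, not part of the guide: it runs the netdom computername /add and /makeprimary steps and, between them, polls every domain controller in the domain until each one's copy of the computer account carries the new name and its HOST SPN, and until the new name resolves in DNS. It stops before the restart that /makeprimary requires and leaves the /remove step (Procedure 3) to be run afterwards. dc05 and dc05new in corp.example.com are assumed names; netdom.exe (Support Tools on Windows Server 2003), PowerShell 2.0 or later, and the Windows Server 2003 domain functional level are assumed.

```powershell
# Added example (not from the guide): rename a domain controller with netdom, gating each
# step on replication of the new name to every DC. Assumed names: dc05 -> dc05new in
# corp.example.com. Requires netdom.exe, PowerShell 2.0+, Windows Server 2003 DFL.
param(
    [string]$OldName = 'dc05.corp.example.com',
    [string]$NewName = 'dc05new.corp.example.com',
    [int]$TimeoutMinutes = 60
)
$ns  = 'System.DirectoryServices.ActiveDirectory'
$ctx = New-Object -TypeName "$ns.DirectoryContext" -ArgumentList 'DirectoryServer', $OldName
$dc  = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)
$allDcs = @($dc.Domain.FindAllDomainControllers() | ForEach-Object { $_.Name })

# Find the DC's computer account once and keep its objectGUID, which survives the rename
# (sAMAccountName and dNSHostName both change during the procedure).
$rootDse  = [ADSI]"LDAP://$OldName/RootDSE"
$domainNC = [string]$rootDse.Properties['defaultNamingContext'][0]
$sam      = $OldName.Split('.')[0] + '$'
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$OldName/$domainNC")
$finder   = New-Object System.DirectoryServices.DirectorySearcher($root, "(&(objectClass=computer)(sAMAccountName=$sam))")
$guid     = $finder.FindOne().GetDirectoryEntry().Guid.ToString()

function Test-NameOnAllDCs([string]$fqdn, [string]$attribute) {
    # True only when EVERY DC's copy of the account lists $fqdn in $attribute and carries
    # the HOST/<fqdn> SPN. Until then Kerberos to the new name fails on the lagging DCs.
    foreach ($server in $allDcs) {
        try {
            $entry  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$server/<GUID=$guid>")
            $values = @($entry.Properties[$attribute] | ForEach-Object { "$_" })
            $spns   = @($entry.Properties['servicePrincipalName'] | ForEach-Object { "$_" })
        } catch {
            Write-Host "  $server not reachable: $($_.Exception.Message)"; return $false
        }
        if (($values -notcontains $fqdn) -or ($spns -notcontains "HOST/$fqdn")) {
            Write-Host "  $server has not yet replicated $attribute=$fqdn"; return $false
        }
    }
    return $true
}
function Wait-For([scriptblock]$condition, [string]$what) {
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while (-not (& $condition)) {
        if ((Get-Date) -gt $deadline) { throw "Timed out waiting for $what" }
        Start-Sleep -Seconds 30
    }
    Write-Host "OK: $what"
}
function Invoke-Netdom([string]$computer, [string]$option) {
    & netdom.exe computername $computer $option
    if ($LASTEXITCODE -ne 0) { throw "netdom computername $computer $option failed ($LASTEXITCODE)" }
}

# Procedure 1: add the alternate name. netdom writes msDS-AdditionalDnsHostName, the
# matching SPNs, and registers DNS records for the new name.
Invoke-Netdom $OldName "/add:$NewName"
Wait-For { Test-NameOnAllDCs $NewName 'msDS-AdditionalDnsHostName' } 'new name and SPNs on every DC'
Wait-For { try { [void][System.Net.Dns]::GetHostAddresses($NewName); $true } catch { $false } } "host record for $NewName"

# Procedure 2: only now make the new name primary; dNSHostName changes at this point.
Invoke-Netdom $OldName "/makeprimary:$NewName"
Wait-For { Test-NameOnAllDCs $NewName 'dNSHostName' } 'dNSHostName replicated to every DC'

# Procedure 3 is left manual: restart the DC, confirm its SRV records under the new
# name, then run: netdom computername <new name> /remove:<old name>
Write-Host "Restart $NewName, verify its SRV records, then remove $OldName with netdom computername /remove."
```

Polling by objectGUID rather than by name means the check keeps working across the point where the account's name attributes change; the per-DC read is done directly against each domain controller (not through the locator), because the question is which replicas have the change, not whether some replica has it.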

    Dependencies

    Domain admin or Enterprise admin

    Windows Server 2003 functional level

    Technology Required

    Netdom command-line tool

    System Properties tool


Optimizing Quadrant    Availability Management SMF

Infrastructure Role Cluster    As Needed

    Process: Manage the Active Directory database

Description

Active Directory is stored in the Ntds.dit database file. In addition to this file, the directory uses log files, which store transactions prior to committing them to the database file. For best performance, store the log files and the database on separate hard drives.

The Active Directory database is a self-maintained system and requires no daily maintenance, other than regular backup, during ordinary operation. However, it may need to be managed if the following conditions occur:

    Low disk space

    Pending or current hardware failure

A need to recover physical space following bulk deletion or removal of the global catalog

Monitor free disk space on the partition or partitions that store the directory database and logs. The following are the recommended parameters for free space:

Ntds.dit partition: The greater of 20 percent of the Ntds.dit file size or 500 megabytes (MB).

Log file partition: The greater of 20 percent of the combined log files size or 500 MB.

Ntds.dit and logs on the same volume: The greater of 1 gigabyte (GB) or 20 percent of the combined Ntds.dit and log files sizes.
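The three rules above can be turned into a monitoring check that runs on the domain controller itself. The script below is an added example, not part of the guide: it reads the database and log paths from the NTDS service's registry values (DSA Database file and Database log files path) so that no location is assumed, works out which rule applies from whether the two paths share a volume, and compares the required figure with the volume's free space. It requires only PowerShell 2.0 or later on the domain controller.

```powershell
# Added example (not from the guide): apply the free-space rules above to the volumes
# that hold Ntds.dit and the log files. Paths come from the NTDS service registry values
# on the domain controller where the script runs; nothing about the locations is assumed.
function Get-NtdsSpaceReport {
    $ntds   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dbFile = $ntds.'DSA Database file'
    $logDir = $ntds.'Database log files path'

    $dbBytes  = (Get-Item -Path $dbFile).Length
    $logBytes = 0
    Get-ChildItem -Path $logDir -Filter '*.log' | ForEach-Object { $logBytes += $_.Length }

    $dbRoot  = [System.IO.Path]::GetPathRoot($dbFile)
    $logRoot = [System.IO.Path]::GetPathRoot($logDir)

    # One row per volume, with the guide's rule for what that volume holds.
    $rows = @()
    if ($dbRoot -eq $logRoot) {
        # Same volume: the greater of 1 GB or 20 percent of the combined size.
        $rows += @{ Volume = $dbRoot; Holds = 'Ntds.dit and logs'; Size = $dbBytes + $logBytes
                    Required = [math]::Max(1GB, 0.2 * ($dbBytes + $logBytes)) }
    } else {
        # Separate volumes: the greater of 500 MB or 20 percent of that volume's files.
        $rows += @{ Volume = $dbRoot;  Holds = 'Ntds.dit';  Size = $dbBytes
                    Required = [math]::Max(500MB, 0.2 * $dbBytes) }
        $rows += @{ Volume = $logRoot; Holds = 'log files'; Size = $logBytes
                    Required = [math]::Max(500MB, 0.2 * $logBytes) }
    }
    foreach ($r in $rows) {
        $r.Free = (New-Object System.IO.DriveInfo($r.Volume)).AvailableFreeSpace
        $r.OK   = ($r.Free -ge $r.Required)
        New-Object PSObject -Property $r
    }
}

$report = Get-NtdsSpaceReport
$report | Format-Table Volume, Holds,
    @{ n = 'Files(MB)';    e = { [int]($_.Size / 1MB) } },
    @{ n = 'Required(MB)'; e = { [int]($_.Required / 1MB) } },
    @{ n = 'Free(MB)';     e = { [int]($_.Free / 1MB) } }, OK -AutoSize
if (@($report | Where-Object { -not $_.OK }).Count -gt 0) {
    Write-Warning 'Free space is below the recommended threshold: move the files with Ntdsutil or reclaim space with an offline defragmentation.'
    exit 1
}
```

Schedule it with the rest of the daily checks; a non-zero exit code is the trigger for the Relocate or Returning unused disk space tasks that follow, and running it before a move also gives you the sizes that Procedure 1 of the relocation task asks you to record.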

    Purpose

During ordinary operation, the customer will delete objects from Active Directory. When an object is deleted, it results in white space (or unused space) being created in the database. On a regular basis, the database will consolidate this white space through a process called defragmentation, and this white space will be reused when new objects are added (without adding any size to the file itself). This automatic online defragmentation redistributes and retains white space for use by the database, but does not release it to the file system. Therefore, the database size does not shrink, even though objects might be deleted. In cases where the data is decreased significantly, such as when the global catalog is removed from a domain controller, white space is not automatically returned to the file system. Although this condition does not affect database operation, it does result in large amounts of white space in the database. You can use offline defragmentation to decrease the size of the database file by returning white space from the database file to the file system.


Managing the Active Directory database also allows you to upgrade or replace the disk on which the database or log files are stored or to move the files to a different location, either permanently or temporarily.

    Guidelines

Prior to performing any procedures that affect the directory database, be sure that you have a current system state backup. For information about performing system state backup, see Back up Active Directory earlier in this guide.

To manage the database file itself, you must take the domain controller offline by restarting in Directory Services Restore Mode, and then use Ntdsutil.exe to manage the file.

Note NTFS disk compression is not supported for the database and log files.

    Task: Relocate Active Directory database files

The following conditions require moving database files:

Hardware maintenance: If the physical disk on which the database or log files are stored requires upgrading or maintenance, the database files must be moved, either temporarily or permanently.

Low disk space: When free disk space is low on the logical drive that stores the database file (Ntds.dit), the log files, or both, first verify that no other files are causing the problem. If the database file or log files are the cause of the growth, then provide more disk space by taking one of the following actions:

Expand the partition on the disk that currently stores the database file, the log files, or both. This procedure does not change the path to the files and does not require updating the registry.

Use Ntdsutil.exe to move the database file, the log files, or both to a larger existing partition. If you are not using Ntdsutil.exe when moving files to a different partition, you will need to manually update the registry.

    Guidelines

If the path to the database file or log files will change as a result of moving the files, be sure that you:

Use Ntdsutil.exe to move the files (rather than copying them) so that the registry is updated with the new path. Even if you are moving the files only temporarily, use Ntdsutil.exe to move files locally so that the registry remains current.

Perform a system state backup as soon as the move is complete so that the restore procedure uses the correct path.

Verify that the correct permissions are applied on the destination folder following the move. Revise permissions to those that are required to protect the database files, if needed. The database holds the password hashes of every account in the domain, so access to the destination folder must be limited to SYSTEM and Administrators, as it is on the default %SystemRoot%\NTDS folder; a destination that inherits more permissive rights from its volume root exposes the file to anyone who can read it.


If you replace or reconfigure a drive that stores the SYSVOL folder, you must first move the SYSVOL folder manually. For information about moving SYSVOL manually, see Managing the SYSVOL later in this guide.

Use the following procedures to move or copy the database file, the log files, or both. Procedures are explained in detail in the linked topics.

Note The domain controller will not be available during the time in which files are moved and the move is verified. Ensure that alternate domain controllers are available to handle the capacity.

    Procedure 1: Determine the location and size of the directory database files

Use the database size to prepare a destination location of the appropriate size. Track the respective file sizes during the move to ensure that you successfully move the correct files.

    Link to procedure.

Procedure 2: Compare the size of the directory database files to the volume size

Before moving any files in response to low disk space, verify that no other files on the volume are responsible for the condition of low disk space.

    Link to procedure.

    Procedure 3: Back up system state

System state includes the database file and log files as well as the SYSVOL and NetLogon shared folders, among other things. Always ensure that you have a current backup prior to moving database files.

    Link to procedure.

Procedure 4: Restart the domain controller in Directory Services Restore Mode

If you are logged on to the domain controller console, locally restart the domain controller in Directory Services Restore Mode.

    Link to procedure.

    Procedure 5: Move the database file, the log files, or both

Link to procedure.

Procedure 6: Back up system state

    Link to procedure.
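Procedure 5, the permission check in the guidelines above, and the registry verification that justifies using Ntdsutil.exe rather than copying can be scripted for the Directory Services Restore Mode session. The script below is an added example, not part of the guide: it refuses to run unless Ntds.dit can be opened exclusively (which is only true when the directory service is not running), moves the database and logs with the Ntdsutil files commands so that the registry is rewritten, resets the destination folders to SYSTEM and Administrators only, and confirms that the registry now points at the new paths before you return to normal mode. D:\NTDS and E:\NTDSLogs are assumed destinations; PowerShell 2.0 or later is assumed.

```powershell
# Added example (not from the guide): run in Directory Services Restore Mode. Moves the
# database and logs with Ntdsutil (which updates the registry), resets the destination
# ACLs, and verifies the registry. Assumed destinations: D:\NTDS and E:\NTDSLogs.
param(
    [string]$DbDest  = 'D:\NTDS',
    [string]$LogDest = 'E:\NTDSLogs'
)
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile = (Get-ItemProperty -Path $params).'DSA Database file'

# Guard: in DSRM the directory service is stopped and Ntds.dit can be opened exclusively.
# If this fails, the server is in normal mode and the move would fail or corrupt the file.
try {
    $fs = [System.IO.File]::Open($dbFile, 'Open', 'ReadWrite', 'None'); $fs.Close()
} catch {
    throw 'Ntds.dit is in use; restart in Directory Services Restore Mode before moving files.'
}

foreach ($d in $DbDest, $LogDest) {
    if (-not (Test-Path -Path $d)) { [void](New-Item -ItemType Directory -Path $d) }
}

# Ntdsutil takes each command-line argument as a command. The 'files' menu moves the files
# and rewrites 'DSA Database file' / 'Database log files path' in the registry.
& ntdsutil.exe files "move DB to $DbDest" "move logs to $LogDest" quit quit
if ($LASTEXITCODE -ne 0) { throw "ntdsutil returned $LASTEXITCODE; do not reboot until this is resolved" }

function Set-NtdsFolderAcl([string]$folder) {
    # Same grants as the default %SystemRoot%\NTDS folder: SYSTEM and Administrators only,
    # inheritance disabled, so a permissive volume root cannot expose the database.
    $acl = Get-Acl -Path $folder
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    }
    Set-Acl -Path $folder -AclObject $acl
}
Set-NtdsFolderAcl $DbDest
Set-NtdsFolderAcl $LogDest

# Verify the registry points at the new locations before leaving DSRM.
$after = Get-ItemProperty -Path $params
if (-not $after.'DSA Database file'.StartsWith($DbDest, 'OrdinalIgnoreCase') -or
    -not $after.'Database log files path'.StartsWith($LogDest, 'OrdinalIgnoreCase')) {
    throw "Registry still points at $($after.'DSA Database file') / $($after.'Database log files path')"
}
& ntdsutil.exe files integrity quit quit
Write-Host 'Move complete; back up system state again (Procedure 6) before returning to normal operation.'
```

The exclusive-open guard is the only reliable test that the directory service is down on this platform; it also means the script cannot accidentally be run against a live database by someone who skipped Procedure 4. Take the post-move backup before rebooting, as Procedure 6 says, so that a restore lands the files where the registry now expects them.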


Task: Returning unused disk space from the Active Directory database to the file system

During ordinary operation, the white space in the Active Directory database file becomes fragmented. Each time garbage collection runs (every 12 hours by default), white space is automatically defragmented online to optimize its use within the database file. The unused disk space is thereby maintained for the database; it is not returned to the file system.

Only offline defragmentation can return unused disk space from the directory database to the file system. When database contents have decreased considerably through a bulk deletion (for example, you remove the global catalog from a domain controller), or if the size of the database backup is significantly increased due to the white space, use offline defragmentation to reduce the size of the Ntds.dit file.

You can determine how much free disk space is recoverable from the Ntds.dit file by setting the garbage collection logging level in the registry. Changing the garbage collection logging level from the default value of 0 to a value of 1 results in event ID 1646 being logge