Active Directory Domain Services Operations

Active Directory Domain Services Operations Guide
Microsoft Corporation
Published: September 2008

Abstract
This operations guide provides administration and management information for the Active Directory® Domain Services (AD DS) directory service technologies in the Windows Server® 2008 operating system.

Copyright information
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2008 Microsoft Corporation. All rights reserved. Active Directory, Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents
Active Directory Domain Services Operations Guide
Abstract
Copyright information
Contents
Active Directory Domain Services Operations Guide
New in This Guide
Administering Active Directory Domain Services
Introduction to Administering Active Directory Domain Services
When to use this guide
How to use this guide
Administering Domain and Forest Trusts
Introduction to Administering Domain and Forest Trusts
Best Practices for Administering Domain and Forest Trusts
Managing Domain and Forest Trusts
Creating Domain and Forest Trusts
New Trust Wizard terminology
Known Issues for Creating Domain and Forest Trusts
Creating External Trusts
Create a One-Way, Incoming, External Trust for One Side of the Trust
Create a One-Way, Incoming, External Trust for Both Sides of the Trust
Create a One-Way, Outgoing, External Trust for One Side of the Trust
Create a One-Way, Outgoing, External Trust for Both Sides of the Trust
Create a Two-Way, External Trust for One Side of the Trust
Create a Two-Way, External Trust for Both Sides of the Trust
Creating Shortcut Trusts
Create a One-Way, Incoming, Shortcut Trust for One Side of the Trust
Create a One-Way, Incoming, Shortcut Trust for Both Sides of the Trust
Create a One-Way, Outgoing, Shortcut Trust for One Side of the Trust
Create a One-Way, Outgoing, Shortcut Trust for Both Sides of the Trust
Create a Two-Way, Shortcut Trust for One Side of the Trust
Create a Two-Way, Shortcut Trust for Both Sides of the Trust
Creating Forest Trusts
Create a One-Way, Incoming, Forest Trust for One Side of the Trust
Create a One-Way, Incoming, Forest Trust for Both Sides of the Trust
Create a One-Way, Outgoing, Forest Trust for One Side of the Trust
Create a One-Way, Outgoing, Forest Trust for Both Sides of the Trust
Create a Two-Way, Forest Trust for One Side of the Trust
Create a Two-Way, Forest Trust for Both Sides of the Trust
Creating Realm Trusts
Create a One-Way, Incoming, Realm Trust
Create a One-Way, Outgoing, Realm Trust
Create a Two-Way, Realm Trust
Configuring Domain and Forest Trusts
Validating and Removing Trusts
Validate a Trust
Validating a trust
Remove a Manually Created Trust
Removing a manually created trust
Modifying Name Suffix Routing Settings
Modify Routing for a Forest Name Suffix
Modify Routing for a Subordinate Name Suffix
Exclude Name Suffixes from Routing to a Forest
Securing Domain and Forest Trusts
Configuring SID Filter Quarantining on External Trusts
Disable SID filter quarantining
See Also
Reapply SID Filter Quarantining
Configuring Selective Authentication Settings
Enable Selective Authentication over an External Trust
Enabling selective authentication over an external trust
Enable Selective Authentication over a Forest Trust
Enabling selective authentication over a forest trust
Enable Domain-Wide Authentication over an External Trust
Enable Forest-Wide Authentication over a Forest Trust
Grant the Allowed to Authenticate Permission on Computers in the Trusting Domain or Forest
Appendix: New Trust Wizard Pages
Direction of Trust
Wizard option: Two-way
Wizard option: One-way: incoming
Wizard option: One-way: outgoing
Sides of trust
Wizard option: This domain only
Wizard option: Both this domain and the specified domain
Administering the Windows Time Service
Introduction to Administering the Windows Time Service
Windows time source selection
External NTP time servers
W32tm and net time
Managing the Windows Time Service
Configuring a Time Source for the Forest
Configure the Time Source for the Forest
Change the Windows Time Service Configuration on the PDC Emulator in the Forest Root Domain
Disable the Windows Time Service
Enable Windows Time Service Debug Logging
Configuring Windows-Based Clients to Synchronize Time
Configure a Manual Time Source for a Selected Client Computer
Configure a Client Computer for Automatic Domain Time Synchronization
Restoring the Windows Time Service to Default Settings
Restore the Windows Time Service on the Local Computer to the Default Settings
Administering DFS-Replicated SYSVOL
Introduction to Administering DFS-Replicated SYSVOL
SYSVOL terminology and capitalization
Using DFS Replication for replicating SYSVOL in Windows Server 2008
Requirements for using DFS Replication
Key considerations for administering SYSVOL
Relocating SYSVOL folders
Managing DFS-Replicated SYSVOL
Changing the Quota That Is Allocated to the SYSVOL Staging Area
Change the Quota That Is Allocated to the SYSVOL Staging Folder
Relocating the SYSVOL Staging Area
Identify Replication Partners
Check the Status of the SYSVOL and Netlogon Shares
Verify Active Directory Replication
Gather the SYSVOL Path Information
To gather the SYSVOL path information
Stop the DFS Replication Service and Netlogon Service
Create the SYSVOL Staging Areas Folder Structure
Change the SYSVOL Root Path or Staging Areas Path, or Both
See Also
Start the DFS Replication Service and Netlogon Service
Force Replication Between Domain Controllers
See Also
Relocating SYSVOL Manually
Identify Replication Partners
Check the Status of the SYSVOL and Netlogon Shares
Verify Active Directory Replication
Gather the SYSVOL Path Information
To gather the SYSVOL path information
Stop the DFS Replication Service and Netlogon Service
Copy SYSVOL to a New Location
Create the SYSVOL Root Junction Point
Change the SYSVOL Root Path or Staging Areas Path, or Both
See Also
Change the SYSVOL Netlogon Parameters
Reapply Default SYSVOL Security Settings
Start the DFS Replication Service and Netlogon Service
Force Replication Between Domain Controllers
See Also
Updating the SYSVOL Path
Gather the SYSVOL Path Information
To gather the SYSVOL path information
Stop the DFS Replication Service and Netlogon Service
Change the SYSVOL Netlogon Parameters
Create the SYSVOL Root Junction Point
Start the DFS Replication Service and Netlogon Service
Restoring and Rebuilding SYSVOL
Identify Replication Partners
Check the Status of the SYSVOL and Netlogon Shares
Verify Active Directory Replication
Gather the SYSVOL Path Information
To gather the SYSVOL path information
Restart the Domain Controller in Directory Services Restore Mode Locally
Restarting the domain controller in DSRM locally
See Also
Restart the Domain Controller in Directory Services Restore Mode Remotely
See Also
Stop the DFS Replication Service and Netlogon Service
Import the SYSVOL Folder Structure
See Also
Administering the Global Catalog
Introduction to Administering the Global Catalog
Global catalog hardware requirements
Global catalog placement
Initial global catalog replication
Global catalog readiness
Global catalog removal
Managing the Global Catalog
Configuring a Global Catalog Server
Determine Whether a Domain Controller Is a Global Catalog Server
Designate a Domain Controller to Be a Global Catalog Server
Monitor Global Catalog Replication Progress
Verify Successful Replication to a Domain Controller
Determining Global Catalog Readiness
Verify Global Catalog Readiness
Verifying global catalog readiness
Verify Global Catalog DNS Registrations
Removing the Global Catalog
Clear the Global Catalog Setting
Monitor Global Catalog Removal in Event Viewer
Administering Operations Master Roles
Introduction to Administering Operations Master Roles
Guidelines for role placement
Guidelines for role transfer
Managing Operations Master Roles
Designating a Standby Operations Master
Standby operations master computer requirements
Replication requirements
Determine Whether a Domain Controller Is a Global Catalog Server
Create a Connection Object on the Operations Master and Standby
Verify Successful Replication to a Domain Controller
Transferring an Operations Master Role
Transferring to a standby operations master
Transferring an operations master role when no standby is ready
Install the Schema Snap-in
Transfer the Schema Master
Transfer the Domain Naming Master
Transfer the Domain-Level Operations Master Roles
View the Current Operations Master Role Holders
Seizing an operations master role
Verify Successful Replication to a Domain Controller
Seize the Operations Master Role
View the Current Operations Master Role Holders
Reducing the Workload on the PDC Emulator Master
Changing the weight for DNS service (SRV) resource records in the registry
Changing the priority for DNS service (SRV) resource records in the registry
Change the Weight for DNS Service (SRV) Resource Records in the Registry
Change the Priority for DNS Service (SRV) Resource Records in the Registry
Administering Active Directory Backup and Recovery
Introduction to Administering Active Directory Backup and Recovery
Backing up AD DS
Recovering AD DS
Additional considerations
Managing Active Directory Backup and Recovery
Backing Up Active Directory Domain Services
Windows Server backup tools
Windows Server backup types
Contents of Windows Server backup types
Criteria for using backup types
Backup guidelines
Scheduling regular backups
Immediate (unscheduled) backup
Backup frequency
Backup frequency criteria
Backup latency interval
Known Issues for Backing Up Active Directory Domain Services
Perform a Backup of Critical Volumes of a Domain Controller by Using the GUI (Windows Server Backup)
Additional considerations
Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin)
Additional considerations
Perform a Full Server Backup of a Domain Controller by Using the GUI (Windows Server Backup)
Additional considerations
Perform a Full Server Backup of a Domain Controller by Using the Command Line (Wbadmin)
Additional considerations
Recovering Active Directory Domain Services
Causes of disruptions
Keys to protecting against disruptions
Preventing unwanted deletions
Recovery solutions
Solutions for configuration errors: nonauthoritative restore
Solutions for data loss: authoritative restore
Recovery options with no available backup
Solutions for hardware failure or file corruption
Recovery tasks
Performing Nonauthoritative Restore of Active Directory Domain Services
Nonauthoritative Restore Requirements
SYSVOL restore
Additional references
Restart the Domain Controller in Directory Services Restore Mode Locally
Restarting the domain controller in DSRM locally
See Also
Restart the Domain Controller in Directory Services Restore Mode Remotely
See Also
Restore AD DS from Backup (Nonauthoritative Restore)
Additional references
Verify AD DS restore
Performing Authoritative Restore of Active Directory Objects
Determining objects to restore
Selecting objects to restore
Selecting application directory partitions to restore
Restoring group memberships after authoritative restore
LVR and restoration of group memberships
Authoritative restore of pre-LVR group memberships and groups in different domains
Files for recovering group memberships following authoritative restore
Using a global catalog server for authoritative restore
Recovering deletions without restoring from backup
Retention (merge) of new group memberships or other attributes after authoritative restore
Authoritative restore procedures
Procedures for restoring after deletions have replicated
Procedures for restoring before deletions have replicated
Procedures for recovering group memberships (and any other back-link attributes) in other domains
Additional references
Known Issues for Authoritative Restore
Order of replication and dropped group memberships
Members added back to groups from which they were deleted
Incorrect assignment of Exchange mailboxes
Best Practices for Authoritative Restore
Restart the Domain Controller in Directory Services Restore Mode Locally
Restarting the domain controller in DSRM locally
See Also
Restart the Domain Controller in Directory Services Restore Mode Remotely
&&&&&&&&&&&&&&&&&&&&&&&&&&&2:6 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2:A *estore AD DS from >ac0up "9onauthoritative *estore#&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2:8 Additional references&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2:: Mar0 an 4b,ect or 4b,ects as Authoritative&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2:: Additional references&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2:?

Turn 4ff 'nbound *eplication&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2:? Additional references&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2:? S nchroni.e *eplication %ith All Partners&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2<0 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2<0 *un an +D'= =ile to *ecover >ac0/+in0s&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2<6 Additional references&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2<2 Turn on 'nbound *eplication&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2<2 Additional references&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2<7 Create an +D'= =ile for *ecovering >ac0/+in0s for Authoritativel *estored 4b,ects&&&&&&&&&&&&&&&&&2<7 Additional references&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2<A Performing Authoritative *estore of an Application Director Partition&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2<A *estart the Domain Controller in Director Services *estore Mode *emotel &&&&&&&&&&&&&&&&&&&&&&&&&&&2<8 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2<8 *estart the Domain Controller in Director Services *estore Mode +ocall &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2<8 *estarting the domain controller in DS*M locall &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&280 See 
Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 286 *estore AD DS from >ac0up "9onauthoritative *estore#&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&286 Additional references&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 282 Mar0 an application director partition as authoritative&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&287 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 28A Performing a =ull Server *ecover of a Domain Controller&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&28A *eFuirements for performing a full server recover of a domain controller&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&28A Performing a full server recover of a domain controller b using the 5)'&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&288 Performing a full server recover of a domain controller b using the command line&&&&&&&&&&&&&&28: Additional considerations&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 28< *estoring a Domain Controller Through *einstallation and SubseFuent *estore from >ac0up&&288 *estart the Domain Controller in Director Services *estore Mode +ocall &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2?0 *estarting the domain controller in DS*M locall &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2?6 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2?2 *estart the Domain Controller in Director Services *estore Mode *emotel &&&&&&&&&&&&&&&&&&&&&&&&&&&2?2 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2?: *estore AD DS from >ac0up "9onauthoritative 
*estore#&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2?: Additional references&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2?8 Berif AD DS restore&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2?8

*estoring a Domain Controller Through *einstallation&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2?? Clean )p Server Metadata&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 700 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 707 Delete a Server 4b,ect from a Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&707 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 70A Berif D9S *egistration and TCP3'P Connectivit &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&70A Berif the Availabilit of the 4perations Masters&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&708 'nstall an Additional Domain Controller b )sing the $indo%s 'nterface&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&70: See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 70? Berif ing Active Director 'nstallation&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&70? 
Administering 'ntersite *eplication&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&760 'ntroduction to Administering 'ntersite *eplication&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&760 4ptimi.ing replication bet%een sites&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&760 1ffects of site lin0 bridging&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 766 1ffects of disabling site lin0 bridging&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&766 4ptimi.ing domain controller location&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&762 =inding the ne-t closest site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&762 =orcing domain controller rediscover &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&762 'mproving the logon e-perience in branch sites&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&767 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 767 Managing 'ntersite *eplication&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 76A Adding a 9e% Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 76A Create a Site 4b,ect and Add it to an 1-isting Site +in0&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&768 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 768 Create a Subnet 4b,ect or 4b,ects and Associate them %ith a Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&76: Associate an 1-isting Subnet 4b,ect %ith a 
Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&76: Create a Site +in0 4b,ect and Add the Appropriate Sites&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&76< *emove a Site from a Site +in0&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 768 +in0ing Sites for *eplication&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 768 Creating site lin0s&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 768 Selecting bridgehead servers&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 76? Create a Site +in0 4b,ect and Add the Appropriate Sites&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&720

Determine the 'ST5 *ole 4%ner for a Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&720 5enerate the *eplication Topolog on the 'ST5&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&726 Designate a Server as a Preferred >ridgehead Server&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&722 Changing Site +in0 Properties&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 722 Configure the Site +in0 Schedule to 'dentif Times During $hich 'ntersite *eplication Can 4ccur &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 727 Configure the Site +in0 'nterval to 'dentif ;o% 4ften *eplication Polling Can 4ccur During the Schedule $indo%&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 72A Configure the Site +in0 Cost to 1stablish a Priorit for *eplication *outing&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&728 Determine the 'ST5 *ole 4%ner for a Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&728 5enerate the *eplication Topolog on the 'ST5&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&72: 1nabling Clients to +ocate the 9e-t Closest Domain Controller&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&72< 1nable Clients to +ocate a Domain Controller in the 9e-t Closest Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&728 Moving a Domain Controller to a Different Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&72? 
TCP3'P settings&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 770 D9S settings&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 770 Preferred bridgehead server status&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 770 Change the Static 'P Address of a Domain Controller&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&772 )pdate the 'P Address for a D9S Delegation&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&777 )pdate the 'P Address for a D9S =or%arder&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&77A Berif That an 'P Address Maps to a Subnet and Determine the Site Association&&&&&&&&&&&&&&&&&&&&&&778 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 77: Determine $hether a Server is a Preferred >ridgehead Server&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&77: See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 77: Bie% the +ist of All Preferred >ridgehead Servers&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&77: See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 77< Configure a Server to 9ot >e a Preferred >ridgehead Server&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&77< See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 778 Move a Server 4b,ect to a 9e% Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&778 See 
Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 77? 1nabling )niversal 5roup Membership Caching in a Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&77?

1nable )niversal 5roup Membership Caching in a Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7A0 =orcing *eplication&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7A0 =orcing replication of all director updates over a connection&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7A6 =orcing replication of configuration updates&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7A6 =orce *eplication >et%een Domain Controllers&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7A2 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7A7 )pdate a Server %ith Configuration Changes&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7A7 S nchroni.e *eplication %ith All Partners&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7AA See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7A8 Berif Successful *eplication to a Domain Controller&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7A8 *emoving a Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7A? 
Delete a Manual Connection 4b,ect&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 780 Determine $hether a Server 4b,ect ;as Child 4b,ects&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&786 Delete a Server 4b,ect from a Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&782 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 787 Delete a Site +in0 ob,ect&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 787 Associate an 1-isting Subnet 4b,ect %ith a Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&787 Delete a Site ob,ect&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 78A See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 78A Determine the 'ST5 *ole 4%ner for a Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&788 5enerate the *eplication Topolog on the 'ST5&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&788 Administering the Active Director Database&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&78: 'ntroduction to Administering the Active Director Database HlhsadJIADDSI4psI<&&&&&&&&&&&&&&&&&&&78: Database management conditions&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 78: Dis0 space monitoring recommendations&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&78< Database defragmentation&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 78< *estartable AD 
DS&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 78< See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 788 Managing the Active Director Database&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&788 *elocating the Active Director Database =iles&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&788 Dis0 space reFuirements for relocating Active Director database files&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&78? Determine the Database Si.e and +ocation 4nline&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7:6

See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7:2 Determine the Database Si.e and +ocation 4ffline&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7:2 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7:7 Compare the Si.e of the Director Database =iles to the Bolume Si.e&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7:A Perform a S stem State >ac0up of a Domain Controller b )sing the Command +ine "$badmin# &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7:8 Additional considerations&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7:8 Move the Director Database and +og =iles to a +ocal Drive&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7:8 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7:8 Cop the Director Database and +og =iles to a *emote Share&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7:? 
See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7<6 *eturning )nused Dis0 Space from the Active Director Database to the =ile S stem&&&&&&&&&&&&&&7<2 Change the 5arbage Collection +ogging +evel to 6&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7<7 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7<A Perform a S stem State >ac0up of a Domain Controller b )sing the Command +ine "$badmin# &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7<A Additional considerations&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7<A Compact the Director Database=file "4ffline Defragmentation#&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7<8 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7<8 'f the Database 'ntegrit Chec0 =ails( Perform Semantic Database Anal sis %ith =i-up&&&&&&&&&&&&7<8 Administering Domain Controllers&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7<? 
Additional references&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 780 'ntroduction to Administering Domain Controllers&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&780 'nstalling *emote Server Administration Tools&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&780 'nstalling and removing AD DS&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 780 Adding domain controllers&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 786 *emoving domain controllers&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 786 *enaming domain controllers&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 786 Adding domain controllers to branch sites&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&786 'nstalling from media&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 782 Shipping installed domain controllers to branch sites&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&787 Managing Domain Controllers&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 787 'nstalling *emote Server Administration Tools for AD DS&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&788 'nstalling Active Director Domain Services Tools on a member server that is running $indo%s Server 2008&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 788

'nstalling Active Director Domain Services Tools on a computer that is running $indo%s Bista %ith SP6&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 78: Managing Antivirus Soft%are on Active Director Domain Controllers&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&78: 5uidelines for managing antivirus soft%are on Active Director domain controllers&&&&&&&&&&&&&&&&78< =iles to e-clude from scanning&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&788 Preparing for Active Director 'nstallation&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7?0 D9S configuration&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7?0 Site placement&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7?6 Domain connectivit &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7?6 Berif D9S 'nfrastructure and *egistrations&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7?2 Berif That an 'P Address Maps to a Subnet and Determine the Site Association&&&&&&&&&&&&&&&&&&&&&&7?A See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7?8 Berif the Availabilit of the 4perations Masters&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7?8 'nstalling a Domain Controller in an 1-isting Domain&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7?: See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7?< 'nstalling an Additional Domain Controller b )sing the $indo%s 'nterface&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7?< See 
Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7?8 'nstall an Additional Domain Controller b )sing the $indo%s 'nterface&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7?8 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& A06 'nstalling an Additional Domain Controller b )sing '=M&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&A06 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& A07 Create 'nstallation Media b )sing 9tdsutil&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&A07 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& A0A 'nstall an Additional Domain Controller b )sing 'nstallation Media&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&A0A See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& A0: 'nstalling an Additional Domain Controller b )sing )nattend Parameters&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&A0: See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& A0< Create an Ans%er =ile for )nattended Domain Controller 'nstallation&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&A0< See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& A0? 'nstall an Additional Domain Controller b )sing an Ans%er =ile&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&A0? See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& A0? 
'nstall an Additional Domain Controller b )sing )nattend Parameters from the Command +ine &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& A60

Verifying Active Directory Installation
Verify That an IP Address Maps to a Subnet and Determine the Site Association
See Also
Configure DNS Server Forwarders
Verifying DNS Configuration
Verify DNS Server Configuration for a Domain Controller
See Also
Verify DNS Client Settings
See Also
Check the Status of the SYSVOL and Netlogon Shares
Verify Active Directory Replication
Verify a Domain Computer Account for a New Domain Controller
Adding Domain Controllers in Remote Sites
Best Practices for Adding Domain Controllers in Remote Sites
Best practices for using IFM to install AD DS in the remote site
Best practices for installing domain controllers before you ship them to a remote site
See Also
Known Issues for Adding Domain Controllers in Remote Sites
SYSVOL replication
Using IFM to install a domain controller in a remote site
Advantages of using IFM to install a domain controller in a remote site
Issues with using IFM to install a domain controller in a remote site
Installing domain controllers before shipping them to the remote site
Advantages of installing domain controllers before shipping them to the remote site
Issues with installing domain controllers before shipping them to the remote site
Maintaining directory consistency when you disconnect a domain controller
Protection against lingering object replication
Availability of operations masters
Up-to-dateness of Active Directory replication
SYSVOL consistency
See Also
Preparing a Server Computer for Shipping and Installation from Media
Determining the volume for installation media
Enabling Remote Desktop
Including application directory partitions
See Also
Enable Remote Desktop
Create a Remote Desktop Connection
See Also
Install an Additional Domain Controller by Using Installation Media
See Also
Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection
See Also
Determine the Tombstone Lifetime for the Forest
Enable Strict Replication Consistency
Synchronize Replication with All Partners
See Also
Reconnecting a Domain Controller After a Long-Term Disconnection
Reconnecting an outdated domain controller
Updating SYSVOL
See Also
Determine the Tombstone Lifetime for the Forest
Move a Server Object to a New Site
See Also
Determine When Intersite Replication Is Scheduled to Begin
Use Repadmin to Remove Lingering Objects
Verify Successful Replication to a Domain Controller
Renaming a Domain Controller
Rename a Domain Controller Using System Properties
See Also
Rename a Domain Controller Using Netdom
See Also
Update the FRS or DFS Replication Member Object
Decommissioning a Domain Controller
Removing a domain or a forest
Protecting EFS-encrypted files
See Also
Verify DNS Registration and TCP/IP Connectivity
View the Current Operations Master Role Holders
Transfer the Schema Master
Transfer the Domain Naming Master
Transfer the Domain-Level Operations Master Roles
Determine Whether a Domain Controller Is a Global Catalog Server
Verify the Availability of the Operations Masters
Back Up a Certificate With Its Private Key
Removing a Windows Server 2008 Domain Controller from a Domain
Removing a Windows Server 2008 domain controller by using the Windows interface
Removing a Windows Server 2008 domain controller by using an answer file
Removing a Windows Server 2008 domain controller by entering unattended installation parameters at the command line
Import a Certificate
Determine Whether a Server Object Has Child Objects
Delete a Server Object from a Site
See Also
Add the Certificates Snap-in to an MMC
Adding the Certificates Snap-in to an MMC
Forcing the Removal of a Domain Controller
Identify Replication Partners
Force Domain Controller Removal
See Also
Clean Up Server Metadata
See Also
Administering Active Directory Domain Rename
In this guide
Introduction to Administering Active Directory Domain Rename
Domain rename requirements
Managing Active Directory Domain Rename
Preparing for the Domain Rename Operation
Adjust Forest Functional Level
Setting forest functional level to Windows Server 2003 or Windows Server 2008
Create Necessary Shortcut Trust Relationships
Types of trust relationships
Precreating parent-child trust relationships for a restructured forest
Precreating a parent-child trust relationship
Pre-creating multiple parent-child trust relationships
Precreating a tree-root trust relationship with the forest root domain
Creating shortcut trust relationships
Prepare DNS Zones
Redirect Special Folders to a Standalone DFSN
Relocate Roaming User Profiles to a Standalone DFSN
Configure Member Computers for Host Name Changes
Conditions for automatic computer name change
Replication effects of renaming large numbers of computers
Using Group Policy to apply the new primary DNS suffix
Apply the new primary DNS suffix before renaming domains
Apply Group Policy in stages to avoid significant replication
Configuration required before the application of Group Policy
Configuring member computers for host name changes in large deployments
Determine the primary DNS Suffix configuration
Determine whether Group Policy controls the primary DNS suffix
Configure the domain to allow a primary DNS suffix that does not match the domain name
Apply Group Policy to set the primary DNS suffix
Prepare Certification Authorities
Exchange-Specific Steps: Prepare a Domain that Contains Exchange
Performing the Domain Rename Operation
Set Up the Control Station
Freeze the Forest Configuration
Back Up All Domain Controllers
Generate the Current Forest Description
Specify the New Forest Description
Renaming application directory partitions
DNS data
TAPI data
Specifying the source domain controllers
Reviewing the new forest description
Generate Domain Rename Instructions
Push Domain Rename Instructions to All Domain Controllers and Verify DNS Readiness
Pushing domain rename instructions to all domain controllers
Verifying DNS readiness
Verify Readiness of Domain Controllers
Run Domain Rename Instructions
Exchange-Specific Steps: Update the Exchange Configuration and Restart Exchange Servers
Unfreeze the Forest Configuration
Re-establish External Trusts
Fix Group Policy Objects and Links
Completing the Domain Rename Operation
Verify Certificate Security
Preparing URLs for CRL distribution point and Authority Information Access (AIA) extensions after a domain rename
Verifying the use of UPNs
Enabling certificate enrollment in a renamed domain
Verifying the validity of CRL distribution point and AIA extensions
Renewing subordinate and issuing CA certificates
Publish new CRLs
Updating domain controller certificates
Changing the user identity for the NDES add-on
Perform Miscellaneous Tasks
Back Up Domain Controllers
Restart Member Computers
Exchange-Specific Steps: Verify the Exchange Rename and Update Active Directory Connector
Perform Attribute Cleanup
Rename Domain Controllers
Additional Resources for the Domain Rename Operation
Appendix A: Command-Line Syntax for the Rendom Tool
Appendix B: Command-Line Syntax for the Gpfixup Tool
Appendix C: Checklists for the Domain Rename Operation
Satisfying domain rename requirements
Preparing for the domain rename operation
Performing the domain rename operation
Completing the domain rename operation
Appendix D: Worksheets for the Domain Rename Operation
Worksheet 1: Domain Name Change Information
Worksheet 2: Trust Information
Worksheet 3: DNS Zone Information
Worksheet 4: DFSN, Folder Redirection, and Roaming Profiles
Worksheet 5: Domain Controller Information
Worksheet 6: Domain Rename Execution Readiness
Worksheet 7: Certification Authority (CA) Information
Additional Resources
Active Directory Domain Services Operations Guide - cover
Section Heading
Subsection Heading


Active Directory Domain Services Operations Guide
This operations guide provides administering and management information for Active Directory® Domain Services (AD DS) directory service technologies in the Windows Server® 2008 operating system.

In this guide
• New in This Guide
• Administering Active Directory Domain Services

Acknowledgments
Produced by: Microsoft Windows Server Directory and Access Services (DAS) IT Pro Content Team
Writers: Mary Hillman, Gayana Bagdasaryan
Editor: Jim Becker
Technical reviewers: Umit Akkus, David Beach, Arren Conner, Gregoire Guetat, Xin He, Kurt Hudson, Jessie Li, Herbert Mauerer, Joe Patterson, Ned Pyle, Wakkas Rafiq, Ryan Sizemore, Ingolfur Arnar Strangeland, Mahesh Unnikrishnan

New in This Guide
This is the first release of the operations guide for Active Directory Domain Services (AD DS) in Windows Server 2008. This guide will be updated periodically to incorporate new information, updates, customer feedback, and corrections. For Windows Server 2008, this operations guide contains the section Administering Active Directory Domain Rename, which is not included in the Active Directory Operations Guide for Windows Server 2003.

Administering Active Directory Domain Services
This guide provides information about administering components of Active Directory Domain Services (AD DS) in Windows Server 2008. The information includes detailed procedures for managing domain controllers, sites, trusts, and other components of AD DS.

In this guide
• Introduction to Administering Active Directory Domain Services
• Administering Domain and Forest Trusts
• Administering the Windows Time Service
• Administering DFS-Replicated SYSVOL
• Administering the Global Catalog
• Administering Operations Master Roles
• Administering Active Directory Backup and Recovery
• Administering Intersite Replication
• Administering the Active Directory Database
• Administering Domain Controllers
• Administering Active Directory Domain Rename
• Additional Resources

Introduction to Administering Active Directory Domain Services
This guide explains how to administer Active Directory Domain Services (AD DS) in Windows Server 2008. These activities are part of the operations phase of the information technology (IT) life cycle. If you are not familiar with this guide, review the following sections of this introduction.

When to use this guide
Use this guide when:
• You want to manage common Active Directory problems that are associated with misconfiguration.
• You want to configure AD DS to increase network availability.

This guide assumes a basic understanding of what AD DS is, how it works, and why your organization uses it to access, manage, and secure shared resources across your network. It also assumes a thorough understanding of how AD DS is deployed and managed in your organization. This includes an understanding of the mechanism your organization uses to configure and manage Active Directory settings.

This guide can be used by organizations that have deployed Windows Server 2008. It includes information that is relevant to different roles in an IT organization, including IT operations managers, administrators, and operators. This information includes management-level knowledge about AD DS and administrator-level information about the IT processes that are required to operate it.

This guide contains detailed procedures that are designed for operators (or designated users) who have varied levels of expertise and experience. Although the procedures provide operator guidance from start to finish, operators must have a basic proficiency with Microsoft Management Console (MMC) and MMC snap-ins. Operators must also know how to start administrative programs and access the command line. If operators are not familiar with AD DS, it might be necessary for IT planners, managers, or administrators to review the relevant operations in this guide and provide the operators with the parameters or data that they must enter when they perform the operations.

How to use this guide
This guide includes the following types of topics:
• Objectives are high-level goals for administering AD DS. Each objective consists of one or more high-level tasks that describe how the objective is accomplished. In this guide, "Managing the Windows Time Service" is an example of an objective.
• Tasks contain groups of procedures for achieving the goals of an objective. In this guide, "Configuring a time source for the forest" is an example of a task.
• Procedures provide step-by-step instructions for completing tasks. In this guide, "Configure a domain controller in the parent domain as a reliable time source" is an example of a procedure topic.

If you are an IT manager who is delegating tasks to operators in your organization:
• Read through the objectives and tasks to determine how to delegate permissions.
• Determine whether you need to install tools before operators perform the procedures for each task. Before you assign tasks to individual operators, ensure that all the tools are installed where operators can use them.
• When necessary, create "tear sheets" for each task that operators perform in your organization. Cut and paste the task and its related procedures into a separate document. Then you can either print this document or store it online.

Administering Domain and Forest Trusts
This guide provides administrators with step-by-step instructions for managing and securing Windows Server 2008 domain and forest trusts in Active Directory Domain Services (AD DS). The way that you create or configure trusts plays an important role in operating and securing your network infrastructure. How you create or configure domain and forest trusts also determines how far network communications extend within a forest or across forests.

In this guide
• Introduction to Administering Domain and Forest Trusts
• Best Practices for Administering Domain and Forest Trusts
• Managing Domain and Forest Trusts
• Securing Domain and Forest Trusts
• Appendix: New Trust Wizard Pages


Introduction to Administering Domain and Forest Trusts
By using Windows Server 2008 domain and forest trusts, service administrators can create or extend collaborative relationships between two or more domains or forests. Windows Server 2008 domains and forests can also trust Kerberos realms and other Windows Server 2008 forests, as well as Windows Server 2003 domains, Microsoft® Windows® 2000 Server domains, and Microsoft Windows NT® Server 4.0 domains.

When a trust exists between two domains, the authentication mechanisms for each domain trust the authentications coming from the other domain. Trusts help to provide controlled access to shared resources in a resource domain (the trusting domain) by verifying that incoming authentication requests come from a trusted authority (the trusted domain). In this way, trusts act as bridges that allow only validated authentication requests to travel between domains.

How a specific trust passes authentication requests depends on how it is configured. Trust relationships can be one-way, providing access from the trusted domain to resources in the trusting domain, or two-way, providing access from each domain to resources in the other domain. Trusts are also either nontransitive, in which case a trust exists only between the two trust partner domains, or transitive, in which case a trust automatically extends to any other domains that either of the partners trusts.

In some cases, trust relationships are established automatically when domains are created. In other cases, administrators must choose a type of trust and explicitly establish the appropriate relationships. The specific types of trusts that are used and the structure of the resulting trust relationships in a given trust implementation depend on such factors as how Active Directory Domain Services (AD DS) is organized and whether different versions of Windows coexist on the network.

Best Practices for Administering Domain and Forest Trusts
The following best practices increase availability, ensure trouble-free operations, or ease administration when you use them to administer domain and forest trusts:
• Optimize authentication speed in multidomain forests. When your forest contains domain trees with many child domains and you observe noticeable user authentication delays between the child domains, you can optimize the user authentication process between the child domains by creating shortcut trusts to mid-level domains in the domain tree hierarchy. For more information, see "When to create a shortcut trust" in Understanding When to Create a Shortcut Trust (http://go.microsoft.com/fwlink/?LinkID=107061).
• Keep a current list of trust relationships for future reference. You can use the Nltest.exe tool to display and record a list of these trusts. For more information, see Nltest Overview (http:33go&microsoft&com3f%lin03P+in0'DQ?78:<).
• Back up domain controllers. Perform regular backups of domain controllers to preserve all trust relationships within a particular domain.
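The "keep a current list of trust relationships" practice is most useful when the recorded list is compared with the live one, so that a trust that appears, disappears or changes its settings between runs is noticed rather than discovered during an incident. The following script is an added example and is not code from the guide or from Microsoft: it records the domain's trusts to a timestamped CSV and reports any difference from the previous snapshot. It uses the Get-ADTrust cmdlet from the RSAT ActiveDirectory module (available from Windows Server 2008 R2 onward) instead of parsing the Nltest.exe output the guide refers to; the snapshot folder C:\TrustInventory is an assumed location.

```powershell
# Added example, not part of the guide: snapshot the domain's trust list and
# compare it with the previous snapshot, so that a trust that appears,
# disappears or changes its settings between runs is noticed. "nltest
# /domain_trusts /all_trusts", which the guide names, shows the same list
# interactively; Get-ADTrust is used here because its output is structured.
# Assumes the RSAT ActiveDirectory module. The snapshot folder is an assumption.
param(
    [string]$SnapshotDir = 'C:\TrustInventory'   # assumption: adjust for your site
)

Import-Module ActiveDirectory

function Get-TrustInventory {
    # One normalized row per trust; the property set covers the settings the
    # guide describes (direction, transitivity, selective authentication, SID filtering).
    Get-ADTrust -Filter * |
        Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive,
                      SelectiveAuthentication, SIDFilteringQuarantined |
        Sort-Object Name
}

function ConvertTo-TrustKey {
    # Collapse one trust row into a single string so rows can be compared as sets.
    # Booleans and enums format the same way whether they come from Get-ADTrust
    # or from a CSV read back with Import-Csv.
    param([Parameter(ValueFromPipeline=$true)] $Row)
    process {
        '{0}|{1}|{2}|{3}|{4}|{5}|{6}' -f $Row.Name, $Row.Direction, $Row.TrustType,
            $Row.IntraForest, $Row.ForestTransitive,
            $Row.SelectiveAuthentication, $Row.SIDFilteringQuarantined
    }
}

function Compare-TrustInventory {
    # Returns the rows present only in the current list (Added) and only in
    # the previous list (Removed). A changed setting shows up as one of each.
    param([object[]]$Previous, [object[]]$Current)
    $prevKeys = @($Previous | ConvertTo-TrustKey)
    $currKeys = @($Current  | ConvertTo-TrustKey)
    New-Object PSObject -Property @{
        Added   = @($currKeys | Where-Object { $prevKeys -notcontains $_ })
        Removed = @($prevKeys | Where-Object { $currKeys -notcontains $_ })
    }
}

New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
$current = @(Get-TrustInventory)

# Compare against the most recent snapshot, if there is one.
$latest = Get-ChildItem -Path $SnapshotDir -Filter 'trusts-*.csv' |
          Sort-Object LastWriteTime | Select-Object -Last 1
if ($latest) {
    $diff = Compare-TrustInventory -Previous @(Import-Csv $latest.FullName) -Current $current
    if ($diff.Added.Count -gt 0 -or $diff.Removed.Count -gt 0) {
        Write-Warning "Trust configuration changed since $($latest.Name):"
        $diff.Added   | ForEach-Object { Write-Warning "  added:   $_" }
        $diff.Removed | ForEach-Object { Write-Warning "  removed: $_" }
    } else {
        Write-Host "No change in trust relationships since $($latest.Name)."
    }
}

# Record the current list as a new, timestamped snapshot.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$current | Export-Csv -Path (Join-Path $SnapshotDir "trusts-$stamp.csv") -NoTypeInformation
```

Run it from a scheduled task under an account that can read the domain's trusted domain objects; the first run only writes the baseline, and each later run prints a warning line per added or removed row before writing the next snapshot.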

Managing Domain and Forest Trusts
It is necessary to manage domain and forest trusts when your organization needs to collaborate with users or resources that are located in other domains, realms, or forests in your organization and in other organizations. To set up an environment that takes advantage of trusts, you must first create and configure the appropriate trusts that will make it possible for your organization to communicate effectively with users or resources in other locations.

The following objectives are part of managing domain and forest trusts:
• Creating Domain and Forest Trusts
• Configuring Domain and Forest Trusts

Creating Domain and Forest Trusts
In Windows Server 2008, there are four trust types that must be created manually. External trusts, realm trusts, and forest trusts help provide interoperability with realms or with domains outside your forest. Shortcut trusts optimize access to resources and logons that are made between domain trees in the same forest.

This section includes the following tasks for creating domain and forest trusts:
• Creating External Trusts
• Creating Shortcut Trusts
• Creating Forest Trusts
• Creating Realm Trusts

Note: A trust does not inherently allow users in a trusted domain to have access to resources in a trusting domain. Users have access when they are assigned the appropriate permissions. In some cases, users in trusted domains may have implicit access if the resources are assigned to members of the Authenticated Users group.

Before you use the procedures in these tasks, review the issues in Known Issues for Creating Domain and Forest Trusts.


New Trust Wizard terminology
You create trusts in Windows Server 2008 with the New Trust Wizard. Before you use the New Trust Wizard, review the following terminology. Each highlighted term represents the exact term as it is used in the wizard:
• This domain. The domain from which you launch the New Trust Wizard. When you start the wizard, it immediately verifies your administrative credentials in the domain for which you are the administrator. Therefore, the wizard uses the term "this domain" to represent the domain that you are currently logged on to.
• Local domain / Local forest. The domain or forest where you start the New Trust Wizard.
• Specified domain / Specified forest. The other domain or forest that this local domain or local forest will trust. Although the New Trust Wizard is aware of the domain context in which it is running, it does not have knowledge of the other domain that you want to create the relationship with. After you type the name of the other domain or forest in the Trust Name page, that name is used whenever the wizard refers to the specified domain or specified forest.
• Two-way trust. A trust relationship between two domains in which both domains trust each other. For example, domain A trusts domain B, and domain B trusts domain A. All parent-child trusts are two-way trusts.
• One-way, incoming trust. A one-way trust relationship between two domains in which the direction of the trust points toward the domain from which you start the New Trust Wizard (and which is identified in the wizard as This domain). When the direction of the trust points toward your domain, users in your domain can access resources in the specified domain. For example, if you are the domain administrator in domain A and you create a one-way, incoming trust to domain B, this provides a relationship through which users who are located in domain A can access resources in domain B. Because this relationship is one way, users in domain B cannot access resources in domain A.
• One-way, outgoing trust. A one-way trust relationship between two domains in which the direction of the trust points toward the domain that is identified as Specified domain in the New Trust Wizard. When the direction of trust points toward the specified domain, users in the specified domain can access resources in your domain. For example, if you are the domain administrator in domain A and you create a one-way, outgoing trust to domain B, this action provides a relationship through which users who are located in domain B can access resources in domain A. Because this relationship is one way, users in domain A cannot access resources in domain B.
• Both sides of the trust. When you create external trusts, shortcut trusts, or forest trusts, you have the option to create each side of the trust separately or both sides of the trust simultaneously. If you choose to create each side of the trust separately, you must run the New Trust Wizard twice: once for each domain. When you create trusts separately, you must supply the same trust password for each domain. As a security best practice, all trust passwords should be strong passwords.

70

• Domain-wide authentication* An authentication setting that permits unrestricted access b an users in the specified domain to all available shared resources that are located in the local domain& This is the default authentication setting for e-ternal trusts& • #orest-wide authentication* An authentication setting that permits unrestricted access b an users in the specified forest to all available shared resources that are located in an of the domains in the local forest& This is the default authentication setting for forest trusts& • Selective authentication* An authentication setting that restricts access over an e-ternal trust or forest trust to onl those users in a specified domain or specified forest %ho have been e-plicitl given authentication permissions to computer ob,ects "resource computers# that reside in the local domain or the local forest& This authentication setting must be enabled manuall & • rust password* An option in %hich both domains in a trust relationship share a pass%ord( %hich is stored in the trusted domain ob,ect "TD4# ob,ect in Active Director Domain Services "AD DS#& $hen ou choose this option( a strong trust pass%ord is generated automaticall for ou& Eou must use the same pass%ord %hen ou create a trust relationship in the specified domain& 'f ou choose to create both sides of the trust simultaneousl ( ou run the 9e% Trust $i.ard once&
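The terms above (trust direction, the domain-wide or forest-wide default, and the manually enabled selective authentication setting) can be read back from the trustedDomain objects that the wizard creates. The following script is an added example and is not part of the Operations Guide; it assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later, which this guide does not cover) and an account that can read the domain's trust objects. It reports each trust in the wizard's vocabulary and flags outgoing external and forest trusts that still use the unrestricted default rather than selective authentication.

```powershell
# Added example (not from the Operations Guide): list the trusts of a domain
# and describe each one in the terms used by the New Trust Wizard.
# Assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

function Get-TrustReview {
    param(
        # Domain whose trusts are inventoried; defaults to the logon domain.
        [string]$Domain = $env:USERDNSDOMAIN
    )

    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        # Direction is reported from $Domain's point of view:
        #   Inbound       = the partner trusts us (our users reach its resources)
        #   Outbound      = we trust the partner (its users reach our resources)
        #   BiDirectional = two-way trust
        $direction = "$($_.Direction)"
        $outgoing  = ($direction -eq 'Outbound') -or ($direction -eq 'BiDirectional')

        # Classify the trust the way the wizard's Trust Type page does.
        $kind = if ($_.IntraForest) { 'Intra-forest (parent-child, tree-root or shortcut)' }
                elseif ($_.ForestTransitive) { 'Forest trust' }
                elseif ("$($_.TrustType)" -eq 'Downlevel') { 'External trust (Windows NT 4.0 partner)' }
                else { 'External trust' }

        # The authentication level only governs the outgoing side: it decides
        # what the partner's users may reach in this domain or forest.
        $auth = if (-not $outgoing) { 'n/a (no outgoing side)' }
                elseif ($_.SelectiveAuthentication) { 'Selective authentication' }
                elseif ($_.ForestTransitive) { 'Forest-wide authentication (default)' }
                else { 'Domain-wide authentication (default)' }

        # Outgoing external and forest trusts on the unrestricted default are
        # the ones worth reviewing against the selective option.
        $review = $outgoing -and (-not $_.IntraForest) -and (-not $_.SelectiveAuthentication)

        [pscustomobject]@{
            Partner        = $_.Target
            Direction      = $direction
            Kind           = $kind
            Authentication = $auth
            ReviewNeeded   = $review
        }
    }
}

# Usage: review the logon domain, listing the trusts that need attention first.
Get-TrustReview | Sort-Object ReviewNeeded -Descending | Format-Table -AutoSize
```

Run it once before and once after a trust is created: the new trust should appear with the direction you chose on the Direction of Trust page and, for an outgoing side, with the authentication level you chose on the Outgoing Trust Authentication Level page.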

Known Issues for Creating Domain and Forest Trusts
Review the following known issues before creating domain and forest trusts in Windows Server 2008:
• You cannot delegate the creation of trusts to any user who is not a member of the Domain Admins group or the Enterprise Admins group. Even though you can grant a user the Create TDO (Trusted Domain Object) right or the Delete TDO right in the System container of a domain, the user will not be granted the right to create a trust. This issue occurs because Netlogon and the trust-creation tools (Active Directory Domains and Trusts and Netdom) are designed so that only members of the Domain Admins group and the Enterprise Admins group can create trusts. However, any user who is a member of the Incoming Forest Trust Builders group can create one-way, incoming forest trusts to your forest.
• When you are logged on locally to a domain controller and you try to create a new trust by using Active Directory Domains and Trusts, the operation may be unsuccessful and you may receive the message "Access denied." This issue occurs only if you are logged on locally to the domain controller as an ordinary user (that is, you are not logged on as Administrator or as a member of any administrative groups for the domain). By default, ordinary users are blocked from logging on locally to a domain controller unless Group Policy is modified to permit this.
• When you use the Active Directory Domains and Trusts snap-in to create a trust, you may receive the message "Operation failed. Parameter incorrect." This issue may occur if you try to establish a trust relationship when the source domain and the target domain have one or more of the following identifiers that are the same:
  • Security identifier (SID)
  • Domain Name System (DNS) name
  • NetBIOS name

To resolve this issue, do one of the following before you try to create the trust, as appropriate to your situation:
  • Rename the conflicting identifier.
  • Use a fully qualified domain name (FQDN) if there is a NetBIOS conflict.

• The option to create a forest trust may not appear in the New Trust Wizard. This issue typically occurs when one or both of the Windows Server 2008 forests are not set to the Windows Server 2003 forest functional level or higher. For more information about forest functional levels, see Active Directory Functional Levels Technical Reference (http://go.microsoft.com/fwlink/?LinkId=111466).
• You cannot create a trust relationship with a Microsoft Windows Small Business Server 2003 (Windows SBS) domain. For information about Windows SBS software, see Introduction to Windows Small Business Server 2003 for Enterprise IT Pros (http://go.microsoft.com/fwlink/?LinkId=12891).

Creating External Trusts
You can create an external trust to form a one-way or two-way, nontransitive trust with domains that are outside your forest. External trusts are sometimes necessary when users need access to resources that are located in a Windows NT 4.0 domain or in a domain that is in a separate Active Directory Domain Services (AD DS) forest that is not joined by a forest trust. For example, if you have a Windows Server 2008-based domain whose users want to gain access to resources that are stored in a Windows NT-based domain, you must create a trust relationship in which the Windows NT-based domain trusts the users from the Windows Server 2008-based domain. In this case, the Windows NT-based domain is the trusting domain, and the Windows Server 2008-based domain is the trusted domain.
• You can create an external trust between two Windows Server 2003-based or Windows Server 2008-based domains, between a Windows Server 2008-based domain and a Windows Server 2003-based domain, or between a Windows Server 2003-based domain or Windows Server 2008-based domain and a Windows NT-based domain. External trusts cannot be extended implicitly to a third domain.
• To create an external trust between domains in different forests, the forest functional level for both of the forests must be set to either Windows Server 2003 or Windows Server 2008. For more information about functional levels, see Active Directory Functional Levels Technical Reference (http://go.microsoft.com/fwlink/?LinkId=111466).
• To create an external trust successfully, you must set up your Domain Name System (DNS) environment properly. If there is a root DNS server that you can make the root DNS server for the DNS namespaces of both forests, make that server the root DNS server by ensuring that the root zone contains delegations for each of the DNS namespaces. Also, update the root hints of all DNS servers with the new root DNS server.
• If there is no shared root DNS server and the root DNS servers for each forest DNS namespace are running Windows Server 2003, configure DNS conditional forwarders in each DNS namespace to route queries for names in the other namespace.
• If there is no shared root DNS server and the root DNS servers for each forest DNS namespace are not running Windows Server 2008 or Windows Server 2003, configure DNS secondary zones in each DNS namespace to route queries for names in the other namespace.
For more information about configuring DNS to work with AD DS, see DNS Support for Active Directory Technical Reference (http://go.microsoft.com/fwlink/?LinkID=106660). For more information about external trusts, see How Domain and Forest Trusts Work (http://go.microsoft.com/fwlink/?LinkId=111486).
Note
Trusts that are created between Windows NT 4.0 domains and AD DS domains are one way and nontransitive, and they require NetBIOS name resolution.
Task requirements
You can use either of the following tools to perform the procedures for this task:
• Active Directory Domains and Trusts
• Netdom.exe
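The conditional-forwarder option from the DNS bullets above, together with a check that the partner domain is actually locatable before the wizard or Netdom is run, is shown here as an added example. It is not part of the Operations Guide; it assumes the DnsServer and DnsClient PowerShell modules (Windows Server 2012 or later, not the Windows Server 2008 DNS console the guide describes), and the zone name and server addresses are placeholders.

```powershell
# Added example (not from the Operations Guide): give the local forest's DNS
# servers a conditional forwarder for the partner forest's namespace, then
# verify that the partner domain's domain-controller locator records resolve
# before the trust is created. Assumes the DnsServer and DnsClient modules
# (Windows Server 2012 or later); names and addresses are placeholders.
Import-Module DnsServer

function Add-PartnerNamespaceForwarder {
    param(
        [Parameter(Mandatory)] [string]   $PartnerZone,    # e.g. tailspintoys.com
        [Parameter(Mandatory)] [string[]] $PartnerServers  # its authoritative DNS servers
    )
    # Do nothing if a zone of that name (primary, secondary or forwarder) already exists.
    if (Get-DnsServerZone -Name $PartnerZone -ErrorAction SilentlyContinue) {
        Write-Warning "A zone for $PartnerZone already exists on this server; not adding a forwarder."
        return
    }
    # Store the forwarder in AD DS so every DNS server in the forest receives it,
    # which satisfies the per-namespace requirement in the bullet above.
    Add-DnsServerConditionalForwarderZone -Name $PartnerZone `
        -MasterServers $PartnerServers -ReplicationScope 'Forest'
}

function Test-PartnerDomainLocator {
    param([Parameter(Mandatory)] [string] $PartnerDomain)
    # A trust needs the partner's DC locator SRV record, not merely its A record.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$PartnerDomain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { "$($_.Type)" -eq 'SRV' }
    if (-not $srv) {
        return [pscustomobject]@{ Domain = $PartnerDomain; Resolvable = $false; DomainControllers = @() }
    }
    [pscustomobject]@{
        Domain            = $PartnerDomain
        Resolvable        = $true
        DomainControllers = @($srv | ForEach-Object { $_.NameTarget } | Sort-Object -Unique)
    }
}

# Usage (placeholder addresses): forward tailspintoys.com to two of its DNS
# servers, then confirm that marketing.tailspintoys.com advertises domain controllers.
Add-PartnerNamespaceForwarder -PartnerZone 'tailspintoys.com' -PartnerServers '192.0.2.10', '192.0.2.11'
Test-PartnerDomainLocator -PartnerDomain 'marketing.tailspintoys.com'
```

If Resolvable comes back false, fix name resolution first: the "Operation failed" and "Access denied" messages in the known issues are easier to diagnose once you know the wizard can at least locate a domain controller in the specified domain. For a Windows NT 4.0 partner, the NetBIOS name resolution noted above is needed in addition to this DNS check.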

For more information about how to use the Netdom command-line tool to create an external trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837).
Note
If you have the appropriate administrative credentials for each domain, you can create both sides of an external trust at the same time. To create both sides of the trust simultaneously, follow the appropriate procedure below that contains the words "both sides of the trust" in the procedure title. For example, the procedure "Create a one-way, incoming, external trust for both sides of the trust" provides the steps to follow when you have the administrative credentials for both domains and you want to use the New Trust Wizard to create an incoming, external trust in one operation. For more information about how the "both sides of the trust" option works, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
To complete the task of creating an external trust, you can perform any of the following procedures, depending on the requirements of your organization and the administrative credentials that you have when you create the trust:
• Create a One-Way, Incoming, External Trust for One Side of the Trust
• Create a One-Way, Incoming, External Trust for Both Sides of the Trust
• Create a One-Way, Outgoing, External Trust for One Side of the Trust
• Create a One-Way, Outgoing, External Trust for Both Sides of the Trust
• Create a Two-Way, External Trust for One Side of the Trust
• Create a Two-Way, External Trust for Both Sides of the Trust
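The one-side procedures below use the New Trust Wizard; the same one-side operation with Netdom.exe, the second tool listed under Task requirements, is shown here as an added example. It is not from the Operations Guide or from the Netdom documentation the guide links to. It uses the guide's own sample domains, sales.wingtiptoys.com as "this domain" and marketing.tailspintoys.com as the specified domain, and assumes the trust subcommand's /add, /d:, /oneside:, /passwordt: and /verify parameters; confirm them with netdom trust /? on your build. The trust password is read interactively so that it is not stored in the script.

```powershell
# Added example (not from the Operations Guide): create our side of a one-way,
# incoming, external trust with Netdom.exe, then verify it once the partner
# administrator has created the outgoing side with the same password.
# Domain names are the guide's sample names; the Netdom parameters are
# assumptions to confirm with "netdom trust /?" on your system.

$localDomain   = 'sales.wingtiptoys.com'       # "This domain": our users need access elsewhere
$partnerDomain = 'marketing.tailspintoys.com'  # "Specified domain": it will trust our users

# With an incoming trust the partner is the trusting domain and we are the
# trusted domain, so Netdom's positional argument is the partner and /d: is us.
# The partner administrator must supply the same strong password on their side.
# Note that /passwordt: places the password on the command line, where process
# auditing or PowerShell transcription can record it; clear it when done.
$trustPassword = Read-Host -Prompt "Trust password agreed with the $partnerDomain administrator"

function New-IncomingExternalTrustSide {
    param([string]$Trusting, [string]$Trusted, [string]$Password)
    # /oneside:trusted writes the trust object only into the trusted (our) domain;
    # the partner creates the outgoing half with /oneside:trusting.
    & netdom trust $Trusting "/d:$Trusted" /add /oneside:trusted "/passwordt:$Password"
    return $LASTEXITCODE
}

function Test-TrustSecureChannel {
    param([string]$Trusting, [string]$Trusted)
    # Verification succeeds only after both sides exist with matching passwords,
    # so a failure here is expected until the partner has completed their step.
    & netdom trust $Trusting "/d:$Trusted" /verify
    return $LASTEXITCODE
}

if ((New-IncomingExternalTrustSide -Trusting $partnerDomain -Trusted $localDomain -Password $trustPassword) -ne 0) {
    throw "netdom could not create our side of the trust with $partnerDomain"
}
$trustPassword = $null
Write-Host "Our side is in place. After the $partnerDomain administrator creates the outgoing side, run:"
Write-Host "  Test-TrustSecureChannel -Trusting $partnerDomain -Trusted $localDomain"
```

This mirrors the wizard's one-side procedure: the trust is not functional until the reciprocal side exists, and the verification step is the command-line counterpart of the Confirm Incoming Trust page.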

Create a One-Way, Incoming, External Trust for One Side of the Trust
You can use this procedure to create one side of a one-way, incoming, external trust. Although one side of a trust will be created successfully, the new trust will not function until the administrator for the reciprocal domain uses his or her credentials to create the outgoing side of the trust. If you have administrative credentials for both domains that are involved in the trust, you can use the procedure Create a One-Way, Incoming, External Trust for Both Sides of the Trust to create both sides of the trust in one simultaneous operation.
A one-way, incoming, external trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to access resources in another Active Directory domain (outside your forest) or in a Windows NT 4.0 domain. For example, if you are the administrator of sales.wingtiptoys.com and users in that domain need to access resources in the marketing.tailspintoys.com domain (which is located in another forest), you can use this procedure (in conjunction with another procedure, which is executed by the administrator in the other forest) to establish one side of the relationship so that users in your domain can access resources in the marketing.tailspintoys.com domain.
You can create this external trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create an external trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837).
Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To create a one-way, incoming, external trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: incoming, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click This domain only, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the Trust Password page, type the trust password twice, and then click Next. With the administrator of the other domain, agree on a secure channel password to be used in establishing the trust.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
11. On the Confirm Incoming Trust page, do one of the following:
  • If you do not want to confirm this trust, click No, do not confirm the incoming trust.
  • If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
12. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the domain administrator for the specified domain or specified forest must follow the procedure Create a One-Way, Outgoing, External Trust for One Side of the Trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.

Create a One-Way, Incoming, External Trust for Both Sides of the Trust
You can use this procedure to create both sides of a one-way, incoming, external trust. You must have administrative credentials for your domain as well as for the reciprocal domain. If you have administrative credentials only for your domain, you can use the procedure Create a One-Way, Incoming, External Trust for One Side of the Trust to create your side of the trust. Then, have the administrator for the reciprocal domain create a one-way, outgoing, external trust from his or her domain.
A one-way, incoming, external trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to access resources in another Active Directory domain (outside your forest) or in a Windows NT 4.0 domain. For example, if you are the administrator of sales.wingtiptoys.com and users in that domain need to access resources in the marketing.tailspintoys.com domain (which is located in another forest), you can use this procedure to establish a relationship so that users in your domain can access resources in the marketing.tailspintoys.com domain.
You can create this external trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create an external trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837).
Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To create a one-way, incoming, external trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: incoming, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain.
9. On the Outgoing Trust Authentication Level--Specified Domain page, do one of the following, and then click Next:
  • Click Domain-wide authentication.
  • Click Selective authentication.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Incoming Trust page, do one of the following:
  • If you do not want to confirm this trust, click No, do not confirm the incoming trust.
  • If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.

Create a One-Way, Outgoing, External Trust for One Side of the Trust
You can use this procedure to create one side of a one-way, outgoing, external trust. Although one side of a trust will be created successfully, the new trust will not function until the administrator for the reciprocal domain uses his or her credentials to create the incoming side of the trust. If you have administrative credentials for both domains that are involved in the trust, you can use the procedure Create a One-Way, Outgoing, External Trust for Both Sides of the Trust to create both sides of the trust in one simultaneous operation.
A one-way, outgoing, external trust will allow resources in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to be accessed by users in a different Active Directory domain (outside your forest) or in a Windows NT 4.0 domain. For example, if you are the administrator of sales.wingtiptoys.com and you have resources in that domain that need to be accessed by users in the marketing.tailspintoys.com domain (which is located in another forest), you can use this procedure to establish one side of the relationship so that users in the marketing.tailspintoys.com domain can access the resources in sales.wingtiptoys.com.
You can create this external trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create an external trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837).
Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To create a one-way, outgoing, external trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: outgoing, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click This domain only, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the Outgoing Trust Authentication Level page, do one of the following, and then click Next:
  • Click Domain-wide authentication.
  • Click Selective authentication.
9. On the Trust Password page, type the trust password twice, and then click Next.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Outgoing Trust page, do one of the following:
  • If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
  • If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the domain administrator for the specified domain or specified forest must follow the procedure Create a One-Way, Incoming, External Trust for One Side of the Trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.

Create a One-Way, Outgoing, External Trust for Both Sides of the Trust
You can use this procedure to create both sides of a one-way, outgoing, external trust. You must have administrative credentials for your domain as well as for the reciprocal domain. If you have administrative credentials only for your domain, you can use the procedure Create a One-Way, Outgoing, External Trust for One Side of the Trust to create your side of the trust. Then, have the administrator for the reciprocal domain create a one-way, incoming, external trust from his or her domain.
A one-way, outgoing, external trust allows resources in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to be accessed by users in a different Active Directory domain (outside your forest) or in a Windows NT 4.0 domain. For example, if you are the administrator of sales.wingtiptoys.com and you have resources in that domain that need to be accessed by users in the marketing.tailspintoys.com domain (which is located in another forest), you can use this procedure to establish one side of the relationship so that users in the marketing.tailspintoys.com domain can access the resources in sales.wingtiptoys.com.
You can create this external trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create an external trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837).
Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To create a one-way, outgoing, external trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: outgoing, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain.
9. On the Outgoing Trust Authentication Level--Local Domain page, do one of the following, and then click Next:
  • Click Domain-wide authentication.
  • Click Selective authentication.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Outgoing Trust page, do one of the following:
  • If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
  • If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.

Create a Two-Way, External Trust for One Side of the Trust
You can use this procedure to create one side of a two-way, external trust. Although one side of a trust will be created successfully, the new trust will not function until the administrator for the reciprocal domain uses his or her credentials to create the second side of the trust. If you have administrative credentials for both domains that are involved in the trust, you can use the procedure Create a Two-Way, External Trust for Both Sides of the Trust to create both sides of the trust in one simultaneous operation.
A two-way, external trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) and users in the reciprocal domain to access resources in either of the two domains.
You can create this external trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create an external trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837).
Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To create a two-way, external trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click Two-way, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click This domain only, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the Outgoing Trust Authentication Level page, do one of the following, and then click Next:
  • Click Domain-wide authentication.
  • Click Selective authentication.
9. On the Trust Password page, type the trust password twice, and then click Next.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Outgoing Trust page, do one of the following:
  • If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
  • If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
13. On the Confirm Incoming Trust page, do one of the following:
  • If you do not want to confirm this trust, click No, do not confirm the incoming trust.
  • If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
14. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the domain administrator for the specified domain or specified forest must follow this same procedure, using his or her administrative credentials and the exact same trust password that was used during this procedure.

Create a Two-Way, External Trust for Both Sides of the Trust
You can use this procedure to create both sides of a two-way, external trust. You must have administrative credentials for your domain as well as for the reciprocal domain. If you have administrative credentials only for your domain, you can use the procedure Create a Two-Way, External Trust for One Side of the Trust to create your side of the trust. Then, have the administrator for the reciprocal domain create a two-way, external trust from his or her domain.
A two-way, external trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) and users in the reciprocal domain to access resources in either of the two domains.
You can create this external trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create an external trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837).
Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To create a two-way, external trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click Two-way, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain.
9. On the Outgoing Trust Authentication Level--Local Domain page, do one of the following, and then click Next:
  • Click Domain-wide authentication.
  • Click Selective authentication.
10. On the Outgoing Trust Authentication Level--Specified Domain page, do one of the following, and then click Next:
  • Click Domain-wide authentication.
  • Click Selective authentication.
11. On the Trust Selections Complete page, review the results, and then click Next.
12. On the Trust Creation Complete page, review the results, and then click Next.
13. On the Confirm Outgoing Trust page, do one of the following:
  • If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
  • If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
14. On the Confirm Incoming Trust page, do one of the following:
  • If you do not want to confirm this trust, click No, do not confirm the incoming trust.
  • If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
15. On the Completing the New Trust Wizard page, click Finish.

Creating Shortcut Trusts
A shortcut trust is a manuall created trust that shortens the trust path to improve the speed at %hich authentications( %hich occur bet%een domain trees( are processed& This can result in faster logon times and faster access to resources& A trust path is a chain of multiple trusts that enables trust bet%een domains that are not ad,acent in the domain namespace& =or e-ample( if users in domain A need to gain access to resources in domain C( ou can create a direct lin0 from domain A to domain C through a shortcut trust relationship( b passing domain > in the trust path& =or more information about shortcut trusts( see ;o% Domain and =orest Trusts $or0 "http:33go&microsoft&com3f%lin03P+in0'DQ666A86#& ask re0uirements Eou can use either of the follo%ing tools to perform the procedures for this tas0: • • Active Director Domains and Trusts 9etdom&e-e

For more information about how to use the Netdom command-line tool to create a shortcut trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
Note
If you have the appropriate administrative credentials for each domain, you can create both sides of a shortcut trust at the same time. To create both sides of the trust, follow the appropriate procedure below that contains the words "for both sides of the trust" in the title. For example, the procedure "Create a one-way, incoming, shortcut trust for both sides of the trust" explains how to configure both sides of a shortcut trust. For more information about how the "both sides of the trust" option works, see the section "Sides of Trust" in Appendix: New Trust Wizard Pages.
To complete the task of creating a shortcut trust, perform any of the following procedures, depending on the requirements of your organization and the administrative credentials that you have when you create the trust:
• Create a One-Way, Incoming, Shortcut Trust for One Side of the Trust
• Create a One-Way, Incoming, Shortcut Trust for Both Sides of the Trust
• Create a One-Way, Outgoing, Shortcut Trust for One Side of the Trust
• Create a One-Way, Outgoing, Shortcut Trust for Both Sides of the Trust
• Create a Two-Way, Shortcut Trust for One Side of the Trust
• Create a Two-Way, Shortcut Trust for Both Sides of the Trust
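The guide names Netdom.exe as the alternative to the New Trust Wizard but gives no command lines. The following PowerShell script is an added example, not code from the Operations Guide, that maps the wizard's choices onto Netdom: "Both this domain and the specified domain" becomes one netdom call with credentials for both domains, "This domain only" becomes a /OneSide call with a shared trust password, and "Yes, confirm the trust" becomes netdom /verify. The domain names, the administrator account names and the 192.0.2.x-style placeholders are assumptions taken from the guide's own sales.wingtiptoys.com and marketing.tailspintoys.com example; nothing here runs offline, because every function drives netdom.exe or nltest.exe against real domain controllers.

```powershell
# Added example (not from the Operations Guide): create a shortcut trust with Netdom.exe
# instead of the New Trust Wizard, then verify that the secure channel works.
# Run in an elevated prompt on a domain controller (Netdom.exe is installed with AD DS)
# as a member of Domain Admins in each domain for which you supply credentials.
# Domain and account names are placeholders that match the guide's example.
$LocalDomain  = 'sales.wingtiptoys.com'      # domain you are logged on to (assumed)
$RemoteDomain = 'marketing.tailspintoys.com' # domain in the other tree of the same forest (assumed)

function Invoke-Netdom {
    # Runs netdom.exe and throws on a non-zero exit code so a failed trust operation
    # stops the script. Output is not captured, so netdom's password prompts stay visible.
    param([string[]]$Arguments)
    & netdom.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        $shown = $Arguments -replace '^(/Password\w*:).*', '$1***'   # never echo secrets
        throw "netdom $($shown -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function New-ShortcutTrustBothSides {
    # Wizard equivalent: Sides of Trust = "Both this domain and the specified domain".
    # netdom trust <trusting> /d:<trusted> /add creates a trust in which $Trusting trusts
    # $Trusted (outgoing from $Trusting, incoming at $Trusted); add -TwoWay for both directions.
    # Passwords are passed as "*" so netdom prompts for them instead of leaving them in the
    # command line, which is visible in process listings and command-line auditing.
    param(
        [Parameter(Mandatory=$true)][string]$Trusting,
        [Parameter(Mandatory=$true)][string]$Trusted,
        [Parameter(Mandatory=$true)][string]$TrustingAdmin,   # e.g. 'MARKETING\Administrator' (placeholder)
        [Parameter(Mandatory=$true)][string]$TrustedAdmin,    # e.g. 'SALES\Administrator' (placeholder)
        [switch]$TwoWay
    )
    $netdomArgs = @('trust', $Trusting, "/d:$Trusted", '/add',
                    "/UserO:$TrustingAdmin", '/PasswordO:*',
                    "/UserD:$TrustedAdmin",  '/PasswordD:*')
    if ($TwoWay) { $netdomArgs += '/twoway' }
    Invoke-Netdom $netdomArgs
}

function New-ShortcutTrustOneSide {
    # Wizard equivalent: Sides of Trust = "This domain only". Only the side named by -Side is
    # created; the other domain's administrator runs the same command with the opposite -Side
    # value and the identical trust password, exactly as the guide's "Note" paragraphs require.
    param(
        [Parameter(Mandatory=$true)][string]$Trusting,
        [Parameter(Mandatory=$true)][string]$Trusted,
        [Parameter(Mandatory=$true)][ValidateSet('trusting','trusted')][string]$Side,
        [Parameter(Mandatory=$true)][string]$Admin,           # administrator of the side being created
        [Parameter(Mandatory=$true)][string]$TrustPassword
    )
    # Credentials are needed only for the domain whose side is being created.
    if ($Side -eq 'trusting') { $credArgs = @("/UserO:$Admin", '/PasswordO:*') }
    else                      { $credArgs = @("/UserD:$Admin", '/PasswordD:*') }
    Invoke-Netdom (@('trust', $Trusting, "/d:$Trusted", '/add', "/OneSide:$Side",
                     "/PasswordT:$TrustPassword") + $credArgs)
}

function New-TrustPassword {
    # Random bootstrap password for the one-sided case. It is used only until both sides exist
    # and Netlogon establishes the secure channel; the trust password is rotated automatically
    # afterward, so share it once over a channel you trust and then discard it.
    param([int]$Length = 32)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789'
    $limit = 256 - (256 % $alphabet.Length)     # rejection sampling avoids modulo bias
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

function Test-Trust {
    # Same check as answering "Yes, confirm the trust" in the wizard: /verify validates the
    # secure channel without resetting it. The nltest call then proves that the DC locator can
    # find a domain controller of the other domain through DNS, which the trust depends on.
    param([string]$Trusting, [string]$Trusted, [switch]$TwoWay)
    $netdomArgs = @('trust', $Trusting, "/d:$Trusted", '/verify')
    if ($TwoWay) { $netdomArgs += '/twoway' }
    Invoke-Netdom $netdomArgs
    & nltest.exe /dsgetdc:$Trusted /force | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Example calls (placeholders). "One-way: incoming" run from sales means marketing trusts sales,
# so marketing is the trusting domain and sales is the trusted (/d:) domain.
#   New-ShortcutTrustBothSides -Trusting $RemoteDomain -Trusted $LocalDomain `
#       -TrustingAdmin 'MARKETING\Administrator' -TrustedAdmin 'SALES\Administrator'
# One side only, run by the sales administrator, then by the marketing administrator:
#   $pw = New-TrustPassword
#   New-ShortcutTrustOneSide -Trusting $RemoteDomain -Trusted $LocalDomain -Side trusted  -Admin 'SALES\Administrator'     -TrustPassword $pw
#   New-ShortcutTrustOneSide -Trusting $RemoteDomain -Trusted $LocalDomain -Side trusting -Admin 'MARKETING\Administrator' -TrustPassword $pw
#   Test-Trust -Trusting $RemoteDomain -Trusted $LocalDomain
```

Passing /PasswordO:* and /PasswordD:* is deliberate: a trust creation that embeds administrator passwords in the command line leaves them in Security log 4688 events and in any process monitor, and those are exactly the credentials a shortcut trust exposes to both domains.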


Create a One-Way, Incoming, Shortcut Trust for One Side of the Trust
You can use this procedure to create one side of a one-way, incoming, shortcut trust. Although one side of a trust will be created successfully, the new trust will not function until the administrator for the reciprocal domain uses his or her credentials to create the outgoing side of the trust. If you have administrative credentials for both domains that are involved in the trust, you can use the procedure Create a One-Way, Incoming, Shortcut Trust for Both Sides of the Trust to create both sides in one simultaneous operation.
A one-way, incoming, shortcut trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to more quickly access resources in another domain (which is nested within another domain tree) in your forest. For example, if you are the administrator of sales.wingtiptoys.com and users in that domain need to access resources in the marketing.tailspintoys.com domain (which is a child domain of the tailspintoys.com tree root domain), you can use this procedure to establish one side of the relationship so that users in your domain can more quickly access resources in the marketing.tailspintoys.com domain.
You can create this shortcut trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a shortcut trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To create a one-way, incoming, shortcut trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next.
5. The wizard does not display the Trust Type page for a domain that it recognizes as part of this forest. If the Trust Type page appears, the name you typed was not resolved to a domain in this forest; go back and correct it rather than click External trust, because an external trust is a trust to a domain outside the forest, not a shortcut trust.
6. On the Direction of Trust page, click One-way: incoming, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click This domain only, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the Trust Password page, type the trust password twice, and then click Next. Use a long, random password and share it with the administrator of the other domain only over a channel you trust; it is needed only until both sides of the trust exist and the secure channel is established, after which the trust password is changed automatically.

9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
11. On the Confirm Incoming Trust page, do one of the following:
• If you do not want to confirm this trust, click No, do not confirm the incoming trust.
• If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
12. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the domain administrator for the specified domain must follow the procedure Create a One-Way, Outgoing, Shortcut Trust for One Side of the Trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.

Create a One-Way, Incoming, Shortcut Trust for Both Sides of the Trust
You can use this procedure to create both sides of a one-way, incoming, shortcut trust. You must have administrative credentials for your domain as well as for the reciprocal domain. If you have administrative credentials only for your domain, you can use the procedure Create a One-Way, Incoming, Shortcut Trust for One Side of the Trust to create your side of the trust. Then, have the administrator for the reciprocal domain create a one-way, outgoing, shortcut trust from his or her domain.
A one-way, incoming, shortcut trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to more quickly access resources in another domain (which is nested within another domain tree) in your forest. For example, if you are the administrator of sales.wingtiptoys.com and users in that domain need to access resources in the marketing.tailspintoys.com domain (which is a child domain of the tailspintoys.com tree root domain), you can use this procedure to establish both sides of the relationship in one operation so that users in your domain can more quickly access resources in the marketing.tailspintoys.com domain.
You can create this shortcut trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a shortcut trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.


To create a one-way, incoming, shortcut trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next.
5. The wizard does not display the Trust Type page for a domain that it recognizes as part of this forest. If the Trust Type page appears, the name you typed was not resolved to a domain in this forest; go back and correct it rather than click External trust, because an external trust is not a shortcut trust.
6. On the Direction of Trust page, click One-way: incoming, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain, and then click Next.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
11. On the Confirm Incoming Trust page, do one of the following:
• If you do not want to confirm this trust, click No, do not confirm the incoming trust.
• If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
12. On the Completing the New Trust Wizard page, click Finish.

Create a One-Way, Outgoing, Shortcut Trust for One Side of the Trust
You can use this procedure to create one side of a one-way, outgoing, shortcut trust. Although one side of a trust will be created successfully, the new trust will not function until the administrator for the reciprocal domain uses his or her credentials to create the incoming side of the trust. If you have administrative credentials for both domains that are involved in the trust, you can use the procedure Create a One-Way, Outgoing, Shortcut Trust for Both Sides of the Trust to create both sides of the trust in one simultaneous operation.
A one-way, outgoing, shortcut trust allows resources in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to be accessed more quickly by users in another domain (which is nested within another domain tree) in your forest. For example, if you are the administrator of marketing.tailspintoys.com and resources in that domain need to be accessed by users in the sales.wingtiptoys.com domain (which is a child domain of the wingtiptoys.com tree root domain), you can use this procedure to establish one side of the relationship so that users in the sales.wingtiptoys.com domain can more quickly access resources in the marketing.tailspintoys.com domain.
You can create this shortcut trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a shortcut trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To create a one-way, outgoing, shortcut trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next.
5. The wizard does not display the Trust Type page for a domain that it recognizes as part of this forest. If the Trust Type page appears, the name you typed was not resolved to a domain in this forest; go back and correct it rather than click External trust, because an external trust is not a shortcut trust.
6. On the Direction of Trust page, click One-way: outgoing, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click This domain only, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the Trust Password page, type the trust password twice, and then click Next.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
11. On the Confirm Outgoing Trust page, do one of the following:
• If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
• If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
12. On the Completing the New Trust Wizard page, click Finish.


Note
For this trust to function, the domain administrator for the specified domain must follow the procedure Create a One-Way, Incoming, Shortcut Trust for One Side of the Trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.

Create a One-Way, Outgoing, Shortcut Trust for Both Sides of the Trust
You can use this procedure to create both sides of a one-way, outgoing, shortcut trust. You must have administrative credentials for your domain as well as for the reciprocal domain. If you have administrative credentials only for your domain, you can use the procedure Create a One-Way, Outgoing, Shortcut Trust for One Side of the Trust to create your side of the trust. Then, have the administrator for the reciprocal domain create a one-way, incoming, shortcut trust from his or her domain.
A one-way, outgoing, shortcut trust allows resources in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to be accessed more quickly by users in another domain (which is nested within another domain tree) in your forest. For example, if you are the administrator of marketing.tailspintoys.com and resources in that domain need to be accessed by users in the sales.wingtiptoys.com domain (which is a child domain of the wingtiptoys.com tree root domain), you can use this procedure to establish both sides of the relationship in one operation so that users in the sales.wingtiptoys.com domain can more quickly access resources in the marketing.tailspintoys.com domain.
You can create this shortcut trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a shortcut trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To create a one-way, outgoing, shortcut trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next.
5. The wizard does not display the Trust Type page for a domain that it recognizes as part of this forest. If the Trust Type page appears, the name you typed was not resolved to a domain in this forest; go back and correct it rather than click External trust, because an external trust is not a shortcut trust.

6. On the Direction of Trust page, click One-way: outgoing, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain, and then click Next.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
11. On the Confirm Outgoing Trust page, do one of the following:
• If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
• If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
12. On the Completing the New Trust Wizard page, click Finish.

Create a Two-Way, Shortcut Trust for One Side of the Trust
You can use this procedure to create one side of a two-way, shortcut trust. Although one side of a trust will be created successfully, the new trust will not function until the administrator for the reciprocal domain uses his or her credentials to create the second side of the trust. If you have administrative credentials for both domains that are involved in the trust, you can use the procedure Create a Two-Way, Shortcut Trust for Both Sides of the Trust to create both sides of the trust in one simultaneous operation.
A two-way, shortcut trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) and users in the reciprocal domain to more quickly access resources in either domain (when both domains are separated by a domain tree) in your forest.
You can create this shortcut trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a shortcut trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To create a two-way, shortcut trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next.
5. The wizard does not display the Trust Type page for a domain that it recognizes as part of this forest. If the Trust Type page appears, the name you typed was not resolved to a domain in this forest; go back and correct it rather than click External trust, because an external trust is not a shortcut trust.
6. On the Direction of Trust page, click Two-way, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click This domain only, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the Trust Password page, type the trust password twice, and then click Next.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
11. On the Confirm Outgoing Trust page, do one of the following:
• If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
• If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
12. On the Confirm Incoming Trust page, do one of the following:
• If you do not want to confirm this trust, click No, do not confirm the incoming trust.
• If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the domain administrator for the specified domain must follow this same procedure using his or her administrative credentials and the exact same trust password that was used during this procedure.


Create a Two-Way, Shortcut Trust for Both Sides of the Trust
You can use this procedure to create both sides of a two-way, shortcut trust. You must have administrative credentials for your domain as well as for the reciprocal domain. If you have administrative credentials only for your domain, you can use the procedure Create a Two-Way, Shortcut Trust for One Side of the Trust to create your side of the trust. Then, have the administrator for the reciprocal domain create a two-way, shortcut trust from his or her domain.
A two-way, shortcut trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) and users in the reciprocal domain to more quickly access resources in either domain (when both domains are separated by a domain tree) in your forest.
You can create this shortcut trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about how to use the Netdom command-line tool to create a shortcut trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To create a two-way, shortcut trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next.
5. The wizard does not display the Trust Type page for a domain that it recognizes as part of this forest. If the Trust Type page appears, the name you typed was not resolved to a domain in this forest; go back and correct it rather than click External trust, because an external trust is not a shortcut trust.
6. On the Direction of Trust page, click Two-way, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain, and then click Next.
9. On the Trust Selections Complete page, review the results, and then click Next.

10. On the Trust Creation Complete page, review the results, and then click Next.
11. On the Confirm Outgoing Trust page, do one of the following:
• If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
• If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
12. On the Confirm Incoming Trust page, do one of the following:
• If you do not want to confirm this trust, click No, do not confirm the incoming trust.
• If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.

Creating Forest Trusts
In a Windows Server 2008 forest, you can link two disjoined Windows Server 2008 forests together to form a one-way or two-way, transitive trust relationship. You can use a two-way, forest trust to form a transitive trust relationship between every domain in both forests. For more information about forest trusts, see How Domain and Forest Trusts Work (http://go.microsoft.com/fwlink/?LinkID=111451).
Task requirements
The following are required to create forest trusts successfully:
• You can create a forest trust between two Windows Server 2003 forests, between two Windows Server 2008 forests, or between a Windows Server 2003 forest and a Windows Server 2008 forest. Forest trusts cannot be extended implicitly to a third forest.
• To create a forest trust, the forest functional level for both of the forests that are involved in the trust relationship must be set to Windows Server 2003 or higher. For more information about functional levels, see the Active Directory Functional Levels Technical Reference (http://go.microsoft.com/fwlink/?LinkID=111466).
• To create a forest trust successfully, you must set up your Domain Name System (DNS) environment properly. If there is a root DNS server that you can make the root DNS server for the DNS namespaces of both forests, make it the root DNS server by ensuring that the root zone contains delegations for each of the DNS namespaces. Also, update the root hints of all DNS servers with the new root DNS server.
• If there is no shared root DNS server and the root DNS servers for each forest DNS namespace are running Windows Server 2003 or later, configure DNS conditional forwarders in each DNS namespace to route queries for names in the other namespace.

• If there is no shared root DNS server and the root DNS servers for each forest DNS namespace are not running Windows Server 2008 or Windows Server 2003, configure DNS secondary zones in each DNS namespace to route queries for names in the other namespace.
For more information about configuring DNS to work with Active Directory Domain Services (AD DS), see the DNS Support for Active Directory Technical Reference (http://go.microsoft.com/fwlink/?LinkID=106660).
You can use either of the following tools to perform the procedures for this task:
• Active Directory Domains and Trusts
• Netdom.exe

For more information about using the Netdom command-line tool to create a forest trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
Note
If you have the appropriate administrative credentials for each forest, you can create both sides of a forest trust at the same time. To create both sides of the forest trust, follow the appropriate procedure below that contains the words "for both sides of the trust" in the title. For example, the procedure "Create a one-way, incoming, forest trust for both sides of the trust" explains how to configure both sides of the trust. For more information about how the "both sides of the trust" option works, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
To create a forest trust, perform any one of the following procedures, depending on the requirements of your organization and the administrative credentials that you have when you create the trust:
• Create a One-Way, Incoming, Forest Trust for One Side of the Trust
• Create a One-Way, Incoming, Forest Trust for Both Sides of the Trust
• Create a One-Way, Outgoing, Forest Trust for One Side of the Trust
• Create a One-Way, Outgoing, Forest Trust for Both Sides of the Trust
• Create a Two-Way, Forest Trust for One Side of the Trust
• Create a Two-Way, Forest Trust for Both Sides of the Trust
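The task requirements above are checks, not clicks, and the wizard gives no feedback about them beyond failing. The PowerShell script below is an added example, not code from the Operations Guide: it creates the conditional forwarder the DNS requirement calls for (with dnscmd.exe, which ships with the Windows Server 2008 DNS Server role), tests the two prerequisites that most often break a forest trust (DC locator resolution of the other forest and the forest functional level on both sides, read from RootDSE without any credentials), and then audits the resulting trustedDomain objects, decoding the trustAttributes bit mask from MS-ADTS so that a reviewer can see whether selective authentication is on and whether SID filtering has been relaxed. The forest names and the 192.0.2.x addresses are placeholders that follow the guide's wingtiptoys.com and tailspintoys.com example.

```powershell
# Added example (not from the Operations Guide): prerequisite checks for a forest trust and
# an audit of the trust objects once the New Trust Wizard (or Netdom) has created the trust.
# Run in an elevated prompt on a DNS server / domain controller of the local forest root domain.
$LocalForestRoot  = 'wingtiptoys.com'               # assumed, matches the guide's example
$RemoteForestRoot = 'tailspintoys.com'              # assumed
$RemoteDnsServers = @('192.0.2.10', '192.0.2.11')   # placeholder addresses of the other forest's DNS servers

function Add-ConditionalForwarder {
    # Implements the "configure DNS conditional forwarders" requirement:
    # dnscmd <server> /ZoneAdd <zone> /Forwarder <ip ...> creates a conditional forwarder
    # zone for the other forest's namespace. Repeat on each DNS server of this namespace.
    param(
        [string]$DnsServer = '.',                                   # '.' = the local DNS server
        [Parameter(Mandatory=$true)][string]$RemoteNamespace,
        [Parameter(Mandatory=$true)][string[]]$RemoteServerIPs
    )
    & dnscmd.exe $DnsServer /ZoneAdd $RemoteNamespace /Forwarder $RemoteServerIPs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dnscmd /ZoneAdd $RemoteNamespace failed with exit code $LASTEXITCODE" }
}

function Test-ForestTrustPrerequisites {
    # Returns $true only if every check passes. nltest /dsgetdc exercises the
    # _ldap._tcp.dc._msdcs.<forest> SRV lookup that the wizard depends on, so a failure
    # here is a DNS problem, not a trust problem. RootDSE is readable anonymously, which is
    # why the forest functional level of the other forest can be checked without credentials.
    param([Parameter(Mandatory=$true)][string]$RemoteForest)
    $ok = $true
    & nltest.exe /dsgetdc:$RemoteForest /force | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "DC locator cannot find a domain controller for $RemoteForest"; $ok = $false }
    $localLevel = [int][string]([ADSI]'LDAP://RootDSE').forestFunctionality   # 0 = 2000, 2 = 2003, 3 = 2008
    if ($localLevel -lt 2) { Write-Warning "Local forest functional level is $localLevel; Windows Server 2003 (2) is required"; $ok = $false }
    try {
        $remoteLevel = [int][string]([ADSI]"LDAP://$RemoteForest/RootDSE").forestFunctionality
        if ($remoteLevel -lt 2) { Write-Warning "Forest functional level of $RemoteForest is $remoteLevel; Windows Server 2003 (2) is required"; $ok = $false }
    } catch { Write-Warning "Cannot read RootDSE of $RemoteForest ($_)"; $ok = $false }
    return $ok
}

function ConvertFrom-TrustAttributes {
    # Decodes the trustAttributes bit mask of a trustedDomain object (flag values from MS-ADTS).
    param([int]$Value)
    $flags = @{
        1  = 'NON_TRANSITIVE'
        2  = 'UPLEVEL_ONLY'
        4  = 'QUARANTINED_DOMAIN'    # SID filtering enabled on an external trust (netdom /Quarantine:Yes)
        8  = 'FOREST_TRANSITIVE'     # this is a forest trust
        16 = 'CROSS_ORGANIZATION'    # selective authentication
        32 = 'WITHIN_FOREST'         # parent/child, tree-root or shortcut trust
        64 = 'TREAT_AS_EXTERNAL'     # forest trust with SID history allowed (netdom /EnableSIDHistory:Yes)
    }
    $names = @()
    foreach ($bit in ($flags.Keys | Sort-Object)) { if ($Value -band $bit) { $names += $flags[$bit] } }
    return $names
}

function Get-TrustAudit {
    # Lists every trust of the current domain with direction, type and decoded attributes and
    # flags the two settings a reviewer should question on a forest trust: forest-wide
    # authentication (no CROSS_ORGANIZATION bit) and SID history allowed across the trust.
    param([string]$DomainDn)
    if (-not $DomainDn) { $DomainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=System,$DomainDn"      # trustedDomain objects live here
    $searcher.Filter = '(objectClass=trustedDomain)'
    foreach ($p in 'trustPartner','trustDirection','trustType','trustAttributes') { [void]$searcher.PropertiesToLoad.Add($p) }
    # trustDirection is seen from this domain: 1 = the partner trusts us ("One-way: incoming" in the wizard).
    $direction = @{ 0 = 'Disabled'; 1 = 'Incoming'; 2 = 'Outgoing'; 3 = 'Two-way' }
    $type      = @{ 1 = 'Downlevel (NT)'; 2 = 'Uplevel (AD)'; 3 = 'MIT Kerberos realm'; 4 = 'DCE' }
    foreach ($r in $searcher.FindAll()) {
        $attr  = [int]$r.Properties['trustattributes'][0]
        $warn  = @()
        if (($attr -band 8) -and (-not ($attr -band 16))) { $warn += 'forest trust without selective authentication' }
        if ($attr -band 64) { $warn += 'SID history allowed across forest trust (SID filtering relaxed)' }
        New-Object PSObject -Property @{
            Partner    = [string]$r.Properties['trustpartner'][0]
            Direction  = $direction[[int]$r.Properties['trustdirection'][0]]
            Type       = $type[[int]$r.Properties['trusttype'][0]]
            Attributes = ((ConvertFrom-TrustAttributes $attr) -join ', ')
            Warnings   = ($warn -join '; ')
        }
    }
}

# Example sequence (placeholders), run in the local forest root domain:
#   Add-ConditionalForwarder -RemoteNamespace $RemoteForestRoot -RemoteServerIPs $RemoteDnsServers
#   if (Test-ForestTrustPrerequisites -RemoteForest $RemoteForestRoot) {
#       # create the forest trust with the New Trust Wizard or Netdom, then confirm and audit it:
#       netdom trust $LocalForestRoot /d:$RemoteForestRoot /verify /twoway
#       Get-TrustAudit | Format-Table Partner, Direction, Type, Attributes, Warnings -AutoSize
#   }
```

Run Get-TrustAudit in the forest root domain of both forests after the trust is confirmed: the attributes on the two trustedDomain objects are set independently by each side's administrator, so a selective-authentication decision made in one forest's wizard says nothing about what the other forest configured.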

Create a One-Way, Incoming, Forest Trust for One Side of the Trust
You can use this procedure to create one side of a one-way, incoming, forest trust. Although one side of a trust will be created successfully, the new trust will not function until the administrator for the reciprocal forest uses his or her credentials to create the outgoing side of the trust. If you have administrative credentials for both forests that are involved in the trust, you can use the procedure Create a One-Way, Incoming, Forest Trust for Both Sides of the Trust to create both sides of the trust in one simultaneous operation.


A one-way, incoming, forest trust allows users in your Windows Server 2008 forest or Windows Server 2003 forest (the forest that you are logged on to at the time that you run the New Trust Wizard) to access resources in another Windows Server 2008 forest or Windows Server 2003 forest. For example, if you are the administrator of the wingtiptoys.com forest and users in that forest need to access resources in the tailspintoys.com forest, you can use this procedure to establish one side of the relationship so that users in your forest can access resources in any of the domains that make up the tailspintoys.com forest.
You can create this forest trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about how to use the Netdom command-line tool to create a forest trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
Membership in Domain Admins in the forest root domain or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
If you are a member of the Incoming Forest Trust Builders group, you can create one-way, incoming, forest trusts to your forest. For more information about the Incoming Forest Trust Builders group, see How Domain and Forest Trusts Work (http://go.microsoft.com/fwlink/?LinkID=111451).
To create a one-way, incoming, forest trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the forest root domain of the forest for which you want to establish an incoming forest trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name of the forest root domain of the other forest, and then click Next.
5. On the Trust Type page, click Forest trust, and then click Next.
6. On the Direction of Trust page, click One-way: incoming, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click This domain only, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the Trust Password page, type the trust password twice, and then click Next.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
11. On the Confirm Incoming Trust page, do one of the following:
• If you do not want to confirm this trust, click No, do not confirm the incoming trust.
• If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
12. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the domain administrator for the specified domain (the forest root domain in the specified forest) must complete the procedure Create a One-Way, Outgoing, Forest Trust for One Side of the Trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.

Create a One-Way, Incoming, Forest Trust for Both Sides of the Trust
You can use this procedure to create both sides of a one-way, incoming, forest trust. You must have administrative credentials for your forest as well as for the reciprocal forest. If you have administrative credentials only for your forest, you can use the procedure Create a One-Way, Incoming, Forest Trust for One Side of the Trust to create your side of the trust. Then, have the administrator for the reciprocal forest create a one-way, outgoing, forest trust from his or her forest root domain.
A one-way, incoming, forest trust allows users in your Windows Server 2008 forest or Windows Server 2003 forest (the forest that you are logged on to at the time that you run the New Trust Wizard) to access resources in another Windows Server 2008 forest or Windows Server 2003 forest. For example, if you are the administrator of the wingtiptoys.com forest and users in that forest need to access resources in the tailspintoys.com forest, you can use this procedure to establish both sides of the relationship in one operation so that users in your forest can access resources in any of the domains that make up the tailspintoys.com forest.
You can create this forest trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a forest trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
Membership in Domain Admins in the forest root domain or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
If you are a member of the Incoming Forest Trust Builders group, you can create one-way, incoming, forest trusts to your forest. For more information about the Incoming Forest Trust Builders group, see How Domain and Forest Trusts Work (http://go.microsoft.com/fwlink/?LinkID=111451).
To create a one-way, incoming, forest trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the forest root domain of the forest for which you want to establish an incoming forest trust, and then click Properties.

3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name of the forest root domain of the other forest, and then click Next.
5. On the Trust Type page, click Forest trust, and then click Next.
6. On the Direction of Trust page, click One-way: incoming, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain, and then click Next.
9. On the Outgoing Trust Authentication Level--Specified Forest page, do one of the following, and then click Next:
• Click Forest-wide authentication.
• Click Selective authentication.
This choice governs how the specified forest treats users from your forest: Forest-wide authentication makes them Authenticated Users on every computer there, whereas Selective authentication admits them only to computers on which the Allowed to Authenticate permission is granted explicitly.

10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Incoming Trust page, do one of the following:
• If you do not want to confirm this trust, click No, do not confirm the incoming trust.
• If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.

Create a One-Way, Outgoing, Forest Trust for One Side of the Trust
You can use this procedure to create one side of a one-way, outgoing, forest trust. Although one side of a trust will be created successfully, the new trust will not function until the administrator for the reciprocal forest uses his or her credentials to create the incoming side of the trust. If you have administrative credentials for both forests that are involved in the trust, you can use the procedure Create a One-Way, Outgoing, Forest Trust for Both Sides of the Trust to create both sides of the trust in one simultaneous operation.

A one-way, outgoing, forest trust allows resources in your Windows Server 2008 forest or Windows Server 2003 forest (the forest that you are logged on to at the time that you run the New Trust Wizard) to be accessed by users in another Windows Server 2008 forest or Windows Server 2003 forest. For example, if you are the administrator of the wingtiptoys.com forest and resources in that forest need to be accessed by users in the tailspintoys.com forest, you can use this procedure to establish one side of the relationship so that users in the tailspintoys.com forest can access resources in any of the domains that make up the wingtiptoys.com forest.

You can create this forest trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a forest trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837).

Membership in Domain Admins in the forest root domain or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. If you are a member of the Incoming Forest Trust Builders group, you can create one-way, incoming, forest trusts to your forest. For more information about the Incoming Forest Trust Builders group, see How Domain and Forest Trusts Work (http://go.microsoft.com/fwlink/?LinkID=111481).

To create a one-way, outgoing, forest trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the forest root domain for which you want to establish an outgoing forest trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name of the forest root domain of the other forest, and then click Next.
5. On the Trust Type page, click Forest trust, and then click Next.
6. On the Direction of Trust page, click One-way: outgoing, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click This domain only, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the Outgoing Trust Authentication Level page, do one of the following, and then click Next:
   • Click Forest-wide authentication.
   • Click Selective authentication.
9. On the Trust Password page, type the trust password twice, and then click Next.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Outgoing Trust page, do one of the following:
   • If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time the trust is used by users.
   • If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.

Note
For this trust to function, the domain administrator for the specified domain (the forest root domain in the specified forest) must follow the procedure Create a One-Way, Incoming, Forest Trust for One Side of the Trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.

Create a One-Way, Outgoing, Forest Trust for Both Sides of the Trust
You can use this procedure to create both sides of a one-way, outgoing, forest trust. You must have administrative credentials for your forest as well as for the reciprocal forest. If you have administrative credentials only for your forest root domain, you can use the procedure Create a One-Way, Outgoing, Forest Trust for One Side of the Trust to create your side of the trust. Then, have the administrator for the reciprocal forest create a one-way, incoming, external trust from his or her forest.

A one-way, outgoing, forest trust allows resources in your Windows Server 2008 forest or Windows Server 2003 forest (the forest that you are logged on to at the time that you run the New Trust Wizard) to be accessed by users in another Windows Server 2008 forest or Windows Server 2003 forest. For example, if you are the administrator of the wingtiptoys.com forest and resources in that forest need to be accessed by users in the tailspintoys.com forest, you can use this procedure to establish one side of the relationship so that users in the tailspintoys.com forest can access resources in any of the domains that make up the wingtiptoys.com forest.

You can create this forest trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a forest trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837).

Membership in Domain Admins in the forest root domain or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. For more information about the Incoming Forest Trust Builders group, see How Domain and Forest Trusts Work (http://go.microsoft.com/fwlink/?LinkID=111481).

To create a one-way, outgoing, forest trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the forest root domain of the forest for which you want to establish an outgoing forest trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name of the forest root domain of the other forest, and then click Next.
5. On the Trust Type page, click Forest trust, and then click Next.
6. On the Direction of Trust page, click One-way: outgoing, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain.
9. On the Outgoing Trust Authentication Level--Local Forest page, do one of the following, and then click Next:
   • Click Forest-wide authentication.
   • Click Selective authentication.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Outgoing Trust page, do one of the following:
   • If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
   • If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.

Create a Two-Way, Forest Trust for One Side of the Trust
You can use this procedure to create one side of a two-way, forest trust. Although one side of a trust will be created successfully, the new trust will not function until the administrator for the reciprocal forest uses his or her credentials to create the incoming side of the trust. If you have administrative credentials for both forests that are involved in the trust, you can use the procedure Create a Two-Way, Forest Trust for Both Sides of the Trust to create both sides of the trust in one simultaneous operation.

A two-way, forest trust allows users in your forest (the forest that you are logged on to at the time that you run the New Trust Wizard) and users in the reciprocal forest to access resources in any of the domains in either of the two forests.

You can create this forest trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a forest trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837).

Membership in Domain Admins in the forest root domain or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. If you are a member of the Incoming Forest Trust Builders group, you can create one-way, incoming, forest trusts to your forest. For more information about the Incoming Forest Trust Builders group, see How Domain and Forest Trusts Work (http://go.microsoft.com/fwlink/?LinkID=111481).

To create a two-way, forest trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the forest root domain of the forest for which you want to establish a two-way forest trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name of the domain, and then click Next.
5. On the Trust Type page, click Forest trust, and then click Next.
6. On the Direction of Trust page, click Two-way, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click This domain only, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the Outgoing Trust Authentication Level page, do one of the following, and then click Next:
   • Click Forest-wide authentication.
   • Click Selective authentication.
9. On the Trust Password page, type the trust password twice, and then click Next.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Outgoing Trust page, do one of the following:
   • If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time the trust is used by users.
   • If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
13. On the Confirm Incoming Trust page, do one of the following:
   • If you do not want to confirm this trust, click No, do not confirm the incoming trust.
   • If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
14. On the Completing the New Trust Wizard page, click Finish.

Note
For this trust to function, the forest administrator in the specified forest must follow this same procedure, using his or her administrative credentials and the exact same trust password that was used during this procedure.

Create a Two-Way, Forest Trust for Both Sides of the Trust
You can use this procedure to create both sides of a two-way, forest trust. You must have administrative credentials for your forest as well as for the reciprocal forest. If you have administrative credentials only for your forest, you can use the procedure Create a Two-Way, Forest Trust for One Side of the Trust to create your side of the trust. Then, have the administrator for the reciprocal forest create a one-way, outgoing forest trust from his or her forest.

A two-way, forest trust allows users in your forest (the forest that you are logged on to at the time that you run the New Trust Wizard) and users in the reciprocal forest to access resources in any of the domains in either of the two forests.

You can create this forest trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a forest trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837).

Membership in Domain Admins in the forest root domain or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. If you are a member of the Incoming Forest Trust Builders group, you can create one-way, incoming, forest trusts to your forest. For more information about the Incoming Forest Trust Builders group, see How Domain and Forest Trusts Work (http://go.microsoft.com/fwlink/?LinkID=111481).

To create a two-way, forest trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the forest root domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name of the forest root domain of the other forest, and then click Next.
5. On the Trust Type page, click Forest trust, and then click Next.
6. On the Direction of Trust page, click Two-way, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain.
9. On the Outgoing Trust Authentication Level--Local Forest page, do one of the following, and then click Next:
   • Click Forest-wide authentication.
   • Click Selective authentication.
10. On the Outgoing Trust Authentication Level--Specified Forest page, do one of the following, and then click Next:
   • Click Forest-wide authentication.
   • Click Selective authentication.
11. On the Trust Selections Complete page, review the results, and then click Next.
12. On the Trust Creation Complete page, review the results, and then click Next.
13. On the Confirm Outgoing Trust page, do one of the following:
   • If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time the trust is used by users.
   • If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
14. On the Confirm Incoming Trust page, do one of the following:
   • If you do not want to confirm this trust, click No, do not confirm the incoming trust.
   • If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
15. On the Completing the New Trust Wizard page, click Finish.

Creating Realm Trusts
You can create a realm trust to form a one-way or two-way, nontransitive or transitive trust with non-Windows Kerberos realms in your organization. You can create the trust when you are logged on to the domain, or you can use the Run as command to create the trust for a different domain. For more information about realm trusts, see How Domain and Forest Trusts Work (http://go.microsoft.com/fwlink/?LinkID=111481).

Task requirements
You can use either of the following tools to perform the procedures for this task:
• Active Directory Domains and Trusts
• Netdom.exe

For more information about how to use the Netdom command-line tool to create a realm trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837).

Note
The New Trust Wizard in the Active Directory Domains and Trusts snap-in does not support the creation of both sides of a realm trust at the same time. For more information about how the "both sides of the trust" option works, see the section "Sides of Trust" in Appendix: New Trust Wizard Pages.

To create a realm trust, perform any of the following procedures, depending on the requirements of your organization and the administrative credentials that you have when you create the trust:
• Create a One-Way, Incoming, Realm Trust
• Create a One-Way, Outgoing, Realm Trust
• Create a Two-Way, Realm Trust

Create a One-Way, Incoming, Realm Trust
A one-way, incoming realm trust allows users in your Windows Server 2008 domain or Windows Server 2003 domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to access resources in a Kerberos realm. For example, if you are the administrator of the sales.wingtiptoys.com domain and users in that domain need access to resources in the PRODUCTS.TAILSPINTOYS.com Kerberos realm, you can use this procedure to establish a relationship so that users in the sales.wingtiptoys.com domain have access to resources in the Kerberos realm.

Note
Kerberos realm names require uppercase characters.

You can create a realm trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a realm trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837).

Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To create a one-way, incoming, realm trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain for which you want to establish a realm trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name of the Kerberos realm in uppercase characters, and then click Next.
5. On the Trust Type page, click Realm trust, and then click Next.
6. On the Transitivity of Trust page, do one of the following:
   • To form a trust relationship with the domain and the specified realm only, click Nontransitive, and then click Next.
   • To form a trust relationship with the domain and the specified realm and all trusted realms, click Transitive, and then click Next.
7. On the Direction of Trust page, click One-way: incoming, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
8. On the Trust Password page, type the trust password twice, and then click Next.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Completing the New Trust Wizard page, click Finish.

Note
For this trust to function, the administrator of the Kerberos realm must complete the trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.

Create a One-Way, Outgoing, Realm Trust
A one-way, outgoing realm trust allows resources in your Windows Server 2008 domain or Windows Server 2003 domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to be accessed by users in the Kerberos realm. For example, if you are the administrator of the sales.wingtiptoys.com domain and resources in that domain need to be accessed by users in the PRODUCTS.TAILSPINTOYS.com Kerberos realm, you can use this procedure to establish a relationship so that users in the Kerberos realm can access resources in the sales.wingtiptoys.com domain.

Note
Kerberos realm names require uppercase characters.

You can create this realm trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a realm trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837).

Membership in Account Operators, Domain Admins, or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To create a one-way, outgoing, realm trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to establish a realm trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name of the Kerberos realm in uppercase characters, and then click Next.
5. On the Trust Type page, click Realm trust, and then click Next.
6. On the Transitivity of Trust page, do one of the following:
   • To form a trust relationship with the domain and the specified realm only, click Nontransitive, and then click Next.
   • To form a trust relationship with the domain and the specified realm and all trusted realms, click Transitive, and then click Next.
7. On the Direction of Trust page, click One-way: outgoing, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
8. On the Trust Password page, type the trust password twice, and then click Next.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Completing the New Trust Wizard page, click Finish.

Note
For this trust to function, the administrator of the realm must complete the trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.

Create a Two-Way, Realm Trust
A two-way, realm trust allows users in your Windows Server 2008 domain or Windows Server 2003 domain (the domain that you are logged on to at the time that you run the New Trust Wizard) and users in a specified Kerberos realm to access resources in either the domain or the Kerberos realm. For example, if users in the sales.wingtiptoys.com domain need access to resources in the PRODUCTS.TAILSPINTOYS.com Kerberos realm, and the realm users also need access to resources in the domain, you can use this procedure to establish a two-way trust relationship that allows users in both the realm and the domain to have access to resources in both places.

Note
Kerberos realm names require uppercase characters.

You can create this realm trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about how to use the Netdom command-line tool to create a realm trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837).

Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To create a two-way, realm trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain for which you want to establish a realm trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name of the Kerberos realm, and then click Next.
5. On the Trust Type page, click Realm trust, and then click Next.
6. On the Transitivity of Trust page, do one of the following:
   • To form a trust relationship with the domain and the specified realm only, click Nontransitive, and then click Next.
   • To form a trust relationship with the domain and the specified realm and all trusted realms, click Transitive, and then click Next.
7. On the Direction of Trust page, click Two-way, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
8. On the Trust Password page, type the trust password twice, and then click Next.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Completing the New Trust Wizard page, click Finish.

Note
For this trust to function, the administrator of the Kerberos realm must complete the trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.

Configuring Domain and Forest Trusts
You can remove manually created trusts, but you cannot remove the default, two-way, transitive trusts between domains in a forest. If you remove manually created trusts, it is particularly important to verify that you successfully removed the trusts if you are planning to re-create them.

This section includes the following tasks for removing a manually created trust:
• Validating and Removing Trusts
• Modifying Name Suffix Routing Settings

Validating and Removing Trusts
After a trust has been established, you might need to verify that it is working as designed (or that communications over the trust are working) by using Active Directory Domain Services (AD DS) tools to validate connectivity over the trust. It might also be necessary to remove an existing, manually created trust when connectivity between two domains is no longer necessary.

Task requirements
You can use either of the following tools to perform the procedures for this task:
• Active Directory Domains and Trusts
• Netdom.exe

For more information about how to use the Netdom command-line tool to validate and remove trusts, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837).

To complete this task, perform the following procedures:
• Validate a Trust
• Remove a Manually Created Trust

Validate a Trust
You can validate all trusts that are made between domains, but you cannot validate realm trusts. You can use this procedure to validate a trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about how to use the Netdom command-line tool to create a realm trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837).

Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Validating a trust
• Using the Windows interface
• Using the command line

To validate a trust using the Windows interface
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain that contains the trust that you want to validate, and then click Properties.
3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the trust to be validated, and then click Properties.
4. Click Validate.
5. Do one of the following, and then click OK:
   • Click No, do not validate the incoming/outgoing trust. If you click this option, we recommend that you repeat this procedure for the reciprocal domain.
   • Click Yes, validate the incoming/outgoing trust. If you click this option, you must type a user account and password with administrative credentials for the reciprocal domain.

To validate a trust using the command line
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
netdom trust <TrustingDomainName> /d:<TrustedDomainName> /verify

Value                   Description
<TrustingDomainName>    Specifies the Domain Name System (DNS) name (or NetBIOS name) of the trusting domain in the trust that is being created.
<TrustedDomainName>     Specifies the DNS name (or NetBIOS name) of the domain that will be trusted in the trust that is being created.
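Two things in the procedures above are worth re-checking after the wizard has finished: which option was chosen on the Outgoing Trust Authentication Level page (Forest-wide authentication or Selective authentication) for each forest trust, and whether the secure channel over each trust actually works, which is what the netdom trust /verify command in this section tests. The following PowerShell script is an added example, not part of this guide and not Microsoft's own tooling, that lists every trust of a domain together with those settings and runs the guide's netdom trust /verify command against each one. It assumes the ActiveDirectory PowerShell module (Get-ADTrust) and netdom.exe are installed where it runs, that the local domain name can be taken from the USERDNSDOMAIN environment variable, and that netdom sets a non-zero exit code when verification fails; those are assumptions of the example, not statements from the guide.

```powershell
# Added example, not from the guide: audit a domain's trusts and run
# "netdom trust <TrustingDomainName> /d:<TrustedDomainName> /verify" on each.
# Assumes the ActiveDirectory module (RSAT) and netdom.exe are available.
Import-Module ActiveDirectory

function Get-TrustAuditReport {
    param(
        # Domain whose trustedDomain objects are read (assumed default: logon domain).
        [string]$LocalDomain = $env:USERDNSDOMAIN
    )
    Get-ADTrust -Filter * -Server $LocalDomain | ForEach-Object {
        $trust    = $_
        $isRealm  = ($trust.TrustType -eq 'MIT')   # Kerberos realm trust
        $verified = $null

        # The guide states that realm trusts cannot be validated, so netdom is
        # only run for domain and forest trusts.
        if (-not $isRealm) {
            # For an inbound-only trust the remote domain is the trusting side;
            # otherwise the local domain is trusting and the remote one is trusted.
            if ($trust.Direction -eq 'Inbound') {
                $trusting = $trust.Target; $trusted = $LocalDomain
            } else {
                $trusting = $LocalDomain;  $trusted = $trust.Target
            }
            & netdom trust $trusting "/d:$trusted" /verify | Out-Null
            # Assumption: netdom returns a non-zero exit code when verification fails.
            $verified = ($LASTEXITCODE -eq 0)
        }

        [pscustomobject]@{
            Trust                   = $trust.Name
            Direction               = $trust.Direction          # Inbound, Outbound, BiDirectional
            TrustType               = $trust.TrustType          # Uplevel, Downlevel, MIT, ...
            ForestTransitive        = $trust.ForestTransitive   # $true for a forest trust
            # $true when "Selective authentication" was chosen in the wizard,
            # $false when "Forest-wide authentication" was chosen.
            SelectiveAuthentication = $trust.SelectiveAuthentication
            SecureChannelVerified   = $verified                 # $null for realm trusts
        }
    }
}

# Trusts a reviewer should look at first: forest trusts that grant forest-wide
# authentication, and any trust whose secure channel failed verification.
function Find-TrustsToReview {
    param([string]$LocalDomain = $env:USERDNSDOMAIN)
    Get-TrustAuditReport -LocalDomain $LocalDomain | Where-Object {
        ($_.ForestTransitive -and -not $_.SelectiveAuthentication) -or
        ($_.SecureChannelVerified -eq $false)
    }
}

Get-TrustAuditReport | Format-Table -AutoSize
Find-TrustsToReview  | Format-Table -AutoSize
```

Forest-wide authentication is not an error in itself, which is why the second function only surfaces such trusts for review rather than changing anything: it means every user in the trusted forest can authenticate to every computer in the local forest, whereas selective authentication limits that to computers on which the remote users have been granted the Allowed to Authenticate right. A failed verification on an unconfirmed trust is expected until the trust has been used once, as the confirmation steps in the procedures above explain.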

4emove a )anually Created rust
't is possible to remove manuall created shortcut trusts( e-ternal trusts( realm trusts( or forest trusts& 't is not possible to remove default( t%o/%a ( transitive trusts bet%een domains in a forest& 't is particularl important to verif that ou successfull remove trusts if ou are planning to re/ create them& Eou can use this procedure to remove a manuall created trust b using the 9e% Trust $i.ard in the Active Director Domains and Trusts snap/in or b using the 9etdom command/line tool& =or more information about the 9etdom command/line tool( see 9etdom 4vervie% "http:33go&microsoft&com3f%lin03P+in0'dQ66687<#& Membership in Domain Admins or .nterprise Admins in Active Director Domain Services "AD DS#( or eFuivalent( is the minimum reFuired to complete these procedures& *evie% details about using the appropriate accounts and group memberships at http:33go&microsoft&com3f%lin03P +in0'dQ87A<<&

Removing a manually created trust
• Using the Windows interface
• Using a command prompt

To remove a manually created trust using the Windows interface
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain that contains the trust that you want to remove, and then click Properties.
3. Click the Trusts tab.
4. In either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the trust to be removed, and then click Remove.
5. Do one of the following, and then click OK:
• Click No, remove the trust from the local domain only. If you click this option, we recommend that you repeat this procedure for the reciprocal domain.
• Click Yes, remove the trust from both the local domain and the other domain. If you click this option, you must type a user account and password with administrative credentials for the reciprocal domain.

To remove a manually created trust using the command line
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
netdom trust <TrustingDomainName> /d:<TrustedDomainName> /remove /UserD:<User> /PasswordD:*

Parameter             Description
<TrustingDomainName>  The Domain Name System (DNS) name (or NetBIOS name) of the trusting domain in the trust that is being created.
<TrustedDomainName>   The DNS name (or NetBIOS name) of the domain that will be trusted in the trust that is being created.
<User>                The account name of the user authorized to create the trust.

Note
If you are using Netdom to remove a realm trust, you must add the /force option to the end of the command (after /remove) to remove the trust successfully.
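The guide stresses verifying that a trust is really gone before re-creating it. The following PowerShell script is an added example, not part of the guide, that does that check from both sides of the relationship and also wraps the netdom verify command shown above so every trust of a domain can be validated in one listing. It assumes the ActiveDirectory PowerShell module (Get-ADTrust, available from Windows Server 2008 R2 RSAT onward) and netdom.exe are installed, and that the caller has administrative credentials in both domains; the domain names are placeholders.

```powershell
# Added example (not from the guide): validate every trust of a domain and confirm
# that a removed trust has no leftover trusted domain object on either side.
# Assumes the ActiveDirectory module and netdom.exe; domain names are placeholders.
Import-Module ActiveDirectory

function Get-TrustState {
    <#
    One object per trust defined in $Domain, combined with the exit code of
    'netdom trust <trusting> /d:<trusted> /verify' so the listing shows both the
    trust object and whether the secure channel to the partner actually works.
    #>
    param(
        [string]$Domain = $env:USERDNSDOMAIN
    )
    foreach ($t in Get-ADTrust -Filter * -Server $Domain) {
        # netdom reports its verdict as text; the exit code is the reliable signal.
        $null = & netdom trust $Domain /d:$($t.Target) /verify 2>&1
        [pscustomobject]@{
            Domain    = $Domain
            Partner   = $t.Target
            Direction = $t.Direction        # Inbound, Outbound or BiDirectional
            Type      = $t.TrustType        # Uplevel, Downlevel or MIT (realm trust)
            Verified  = ($LASTEXITCODE -eq 0)
        }
    }
}

function Test-TrustRemoved {
    <#
    After 'netdom trust ... /remove' (or the snap-in), confirm that no trusted
    domain object for the partner remains on either side. A trust removed from
    only one side leaves a dangling object on the other, which is the condition
    the guide warns about before re-creating the trust.
    #>
    param(
        [Parameter(Mandatory)][string]$LocalDomain,
        [Parameter(Mandatory)][string]$PartnerDomain,
        [pscredential]$PartnerCredential    # credentials for querying the partner side
    )
    $local = Get-ADTrust -Filter "Target -eq '$PartnerDomain'" -Server $LocalDomain `
                         -ErrorAction SilentlyContinue
    $remoteArgs = @{ Filter = "Target -eq '$LocalDomain'"; Server = $PartnerDomain
                     ErrorAction = 'SilentlyContinue' }
    if ($PartnerCredential) { $remoteArgs.Credential = $PartnerCredential }
    $remote = Get-ADTrust @remoteArgs

    [pscustomobject]@{
        LocalSideRemoved   = ($null -eq $local)
        PartnerSideRemoved = ($null -eq $remote)
        FullyRemoved       = ($null -eq $local) -and ($null -eq $remote)
    }
}

# Usage (placeholder domain names):
# Get-TrustState -Domain 'contoso.com' | Format-Table
# Test-TrustRemoved -LocalDomain 'contoso.com' -PartnerDomain 'fabrikam.com' `
#                   -PartnerCredential (Get-Credential 'FABRIKAM\Administrator')
```

Run Test-TrustRemoved after the removal procedure; if only one side reports removed, repeat the removal in the other domain as the Windows-interface step above recommends.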

Modifying Name Suffix Routing Settings
Name suffix routing is a mechanism for managing how authentication requests are routed across Windows Server 2008 forests and Windows Server 2003 forests that are joined by forest trusts. To simplify the administration of authentication requests, when a forest trust is created, all unique name suffixes are routed by default. A unique name suffix is a name suffix within a forest, such as a user principal name (UPN) suffix, Service Principal Name (SPN) suffix, or Domain Name System (DNS) forest or domain tree name, that is not subordinate to any other name suffix. For example, the DNS forest name fabrikam.com is a unique name suffix within the fabrikam.com forest. All names that are subordinate to unique name suffixes are routed implicitly. For example, if your forest uses fabrikam.com as a unique name suffix, authentication requests for all child domains of fabrikam.com (childDomain.fabrikam.com) will be routed because the child domains are part of the fabrikam.com name suffix. Child names are displayed in the Active Directory Domains and Trusts snap-in. If you want to exclude members of a child domain from authenticating in the specified forest, you can disable name suffix routing for that name. You can also disable routing for the forest name itself, if necessary. For more information about name suffix routing, see Routing name suffixes across forests (http://go.microsoft.com/fwlink/?LinkId=111728).

Note
You cannot enable a name suffix that is the same as another name in the routing list. If the conflict is with a local UPN name suffix, you must remove the local UPN name suffix from the list before you can enable the routing name. If the conflict is with a name that is claimed by another trust partner, you must disable the name in the other trust before it can be enabled for this trust.

Task requirements
You can use either of the following tools to perform the procedures for this task:
• Active Directory Domains and Trusts
• Netdom.exe

For more information about using the Netdom command-line tool to modify name suffix routing, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837). To complete this task, you can perform the following procedures:
• Modify Routing for a Forest Name Suffix
• Modify Routing for a Subordinate Name Suffix
• Exclude Name Suffixes from Routing to a Forest

Modify Routing for a Forest Name Suffix
If you want to prevent or allow authentication requests for all name suffixes that are identified by a forest trust (*.forestname.com) from being routed to a forest, you can use this procedure to enable or disable routing for the forest name. You can enable or disable routing for a name suffix by using the Active Directory Domains and Trusts snap-in. You can also use the Netdom command-line tool. For more information about using the Netdom command-line tool to modify name suffix routing settings, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837).


Notes
• When you disable a name suffix, the Domain Name System (DNS) name and all child names of that name will be disabled.
• Membership in Domain Admins in the forest root domain or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To modify routing for a forest name suffix
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the forest root domain for the forest trust that you want to administer, and then click Properties.
3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the forest trust that you want to administer, and then click Properties.
4. Click the Name Suffix Routing tab, and then, under Name suffixes in the <forest name> forest, do one of the following:
• To enable routing for a name suffix, click the suffix that you want to enable, and then click Enable. If the Enable button is unavailable, the name suffix is already enabled.
• To disable routing for a name suffix, click the suffix that you want to disable, and then click Disable. If the Disable button is unavailable, the name suffix is already disabled.

Modify Routing for a Subordinate Name Suffix
You can change the routing status (enable or disable) of a name suffix that is subordinate to the name of a forest. For example, if the wingtiptoys.com forest trusts the fabrikam.com forest and the fabrikam.com forest includes a child domain sales.fabrikam.com, you can enable or disable routing specifically for the child domain name suffix. You can use this procedure to modify routing of an existing subordinate name suffix by using Active Directory Domains and Trusts. You can also use the Netdom command-line tool. For more information about how to use the Netdom command-line tool to modify name suffix routing settings, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837).


Membership in Domain Admins in the forest root domain or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To modify routing for an existing subordinate name suffix
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the forest root domain node for the forest trust that you want to administer, and then click Properties.
3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the forest trust that you want to administer, and then click Properties.
4. On the Name Suffix Routing tab, under Name suffixes in the <forest name> forest, click the forest suffix whose subordinate name suffix you want to modify for routing, and then click Edit.
5. In Existing name suffixes in <forest name>, click the suffix that you want to modify, and then click Enable or Disable.

Exclude Name Suffixes from Routing to a Forest
You can use the following procedure to exclude existing name suffixes from routing to a forest by using the Active Directory Domains and Trusts snap-in. You can also use the Netdom command-line tool. For more information about how to use the Netdom command-line tool to modify name suffix routing settings, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837).

Note
When you exclude a name suffix, the Domain Name System (DNS) name and all child names of that name will be excluded.

Membership in Domain Admins in the forest root domain or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.


To exclude name suffixes from routing to a forest
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain that you want to administer, and then click Properties.
3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the forest trust that you want to administer, and then click Properties.
4. On the Name Suffix Routing tab, under Name suffixes in the <forest name> forest, click the unique name suffix whose subordinate name suffix you want to exclude from routing, and then click Edit.
5. In Name suffixes to exclude from routing to <forest name>, click Add, type a DNS name suffix that is subordinate to the unique name suffix, and then click OK.

Securing Domain and Forest Trusts
When you create a new trust in an existing forest in Active Directory Domain Services (AD DS), all communications over that trust are tightly secured. However, when you create a trust between your domain and another domain outside your forest, certain security issues are involved. For example, you might need to configure security identifier (SID) filtering to deny one domain the right to provide credentials for another domain. You can enable or disable SID filtering for external trusts or forest trusts. This section includes the following tasks for securing domain and forest trusts:
• Configuring SID Filter Quarantining on External Trusts
• Configuring Selective Authentication Settings

For more information about how the security settings for domain and forest trusts work, see Security Considerations for Trusts (http://go.microsoft.com/fwlink/?LinkId=111846).

Configuring SID Filter Quarantining on External Trusts
Security principals in Active Directory Domain Services (AD DS) have an attribute, called SID history, to which domain administrators can add users' old security identifiers (SIDs). This is useful during Active Directory migrations so that administrators do not have to modify access control lists (ACLs) on large numbers of resources and users can use their old SIDs to access resources. However, under some circumstances it is possible for attackers or rogue administrators that have compromised a domain controller in a trusted domain to use the SID history attribute (sIDHistory) to associate SIDs with new user accounts, granting themselves unauthorized rights. To help prevent this type of attack, SID filter quarantining is automatically enabled on all external trusts that are created from domain controllers running either Windows Server 2003 or Windows Server 2008. External trusts that are created from domain controllers running Windows 2000 Server with Service Pack 3 (SP3) or earlier do not have SID filter quarantining enforced by default. These external trusts must be configured manually to enable SID filter quarantining.

Note
You cannot turn off the default behavior in Windows Server 2003 or Windows Server 2008 that enables SID filter quarantining for newly created external trusts. However, under certain conditions SID filter quarantining can be disabled on such an external trust. For information about conditions for disabling SID filter quarantining, see Disable SID filter Quarantining.

External trusts that are created from domain controllers running Windows 2000 Server with SP3 or earlier do not enforce SID filter quarantining by default. To further secure your forest, consider enabling SID filter quarantining on all existing external trusts that are created from domain controllers running Windows 2000 Server SP3 or earlier. You can do this by using Netdom.exe to enable SID filter quarantining on existing external trusts or by recreating these external trusts from a domain controller running Windows Server 2008, Windows Server 2003, or Windows 2000 Server with Service Pack 4 (SP4). You can use SID filter quarantining to filter out migrated SIDs that are stored in SID history from specific domains. For example, where an external trust relationship exists so that the one domain, Contoso (running Windows 2000 Server domain controllers), trusts another domain, Cpandl (also running Windows 2000 Server domain controllers), an administrator of the Contoso domain can manually apply SID filter quarantining to the Cpandl domain, which allows all SIDs with a domain SID from the Cpandl domain to pass but all other SIDs (such as those from migrated SIDs that are stored in SID history) to be discarded.

Note
Do not apply SID filter quarantining to trusts within a forest that is not using either the Windows Server 2008 or Windows Server 2003 forest functional level, because doing so removes SIDs that are required for Active Directory replication. If the forest functional level is Windows Server 2008 or Windows Server 2003 and quarantining is applied between two domains within a forest, a user in the quarantined domain with universal group memberships in other domains in the forest might not be able to access resources in nonquarantined domains, because the group memberships from those domains are filtered when resources are accessed across the trust relationship. Likewise, SID filter quarantining should not be applied to forest trusts.

For more information about how SID filtering works, see Security Considerations for Trusts (http://go.microsoft.com/fwlink/?LinkId=111846).

Task requirements
You can use either of the following tools to perform the procedures for this task:
• Active Directory Domains and Trusts
• Netdom.exe

For more information about using the Netdom command-line tool to configure SID filtering settings, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837). To complete this task, you can perform the following procedures:
• Disable SID filter Quarantining
• Reapply SID Filter Quarantining

Disable SID filter Quarantining
Although it is not recommended, you can use this procedure to disable security identifier (SID) filter quarantining for an external trust with the Netdom.exe tool. You should consider disabling SID filter quarantining only in the following situations:
• You have an equally high level of confidence in the administrators who have physical access to domain controllers in the trusted domain and the administrators with such access in the trusting domain.
• You have a strict requirement to assign universal groups to resources in the trusting domain, even when those groups were not created in the trusted domain.
• Users have been migrated to the trusted domain with their SID histories preserved, and you want to grant those users access to resources in the trusting domain (the former domain of the migrated users) based on the sIDHistory attribute.

For more information about how SID filtering works, see Security Considerations for Trusts (http://go.microsoft.com/fwlink/?LinkId=111846). You can disable SID filter quarantining by using the Netdom command-line tool. For more information about the Netdom command-line tool, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837). Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To disable SID filter quarantining for the trusting domain
1. Open a Command Prompt.
2. At the command prompt, type the following command, and then press ENTER:
Netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:No /userD:<DomainAdministratorAcct> /passwordD:<DomainAdminPwd>


Parameter                  Description
<TrustingDomainName>       The Domain Name System (DNS) name (or NetBIOS name) of the trusting domain in the trust that is being created.
<TrustedDomainName>        The DNS name (or NetBIOS name) of the domain that will be trusted in the trust that is being created.
<DomainAdministratorAcct>  The user account name with the appropriate administrator credentials to modify the trust.
<DomainAdminPwd>           The password of the user account in <DomainAdministratorAcct>.

Note
You can enable or disable SID filter quarantining only from the trusting side of the trust. If the trust is a two-way trust, you can also disable SID filter quarantining in the trusted domain by using the domain administrator's credentials for the trusted domain and reversing the <TrustingDomainName> and <TrustedDomainName> values in the command-line syntax.

See Also
Reapply SID Filter Quarantining

Reapply SID Filter Quarantining
You can use this procedure to reapply security identifier (SID) filter quarantining to an external trust that has had SID filter quarantining disabled. Also, use this procedure to apply SID filter quarantining to an external trust that has been created from a Windows 2000 Server domain controller. By default, SID filter quarantining is enabled automatically on all external trusts that are created from a Windows Server 2003 or Windows Server 2008 domain controller. For more information about how SID filter quarantining works, see Security Considerations for Trusts (http://go.microsoft.com/fwlink/?LinkId=111846). You can reapply SID filter quarantining by using the Netdom command-line tool. For more information about the Netdom command-line tool, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837). Membership in Domain Admins in the trusting domain or Enterprise Admins in the forest of the trusting domain in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To reapply SID filter quarantining for the trusting domain
1. Open a Command Prompt.
2. At the command prompt, type the following command, and then press ENTER:
Netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:Yes /userD:<DomainAdministratorAcct> /passwordD:<DomainAdminPwd>

Term                       Definition
<TrustingDomainName>       The Domain Name System (DNS) name (or NetBIOS name) of the trusting domain in the trust that is being created.
<TrustedDomainName>        The DNS name (or NetBIOS name) of the domain that will be trusted in the trust that is being created.
<DomainAdministratorAcct>  The user account name with the appropriate administrator credentials to modify the trust.
<DomainAdminPwd>           The password of the user account in <DomainAdministratorAcct>.

Configuring Selective Authentication Settings
Trusts that are created between Windows Server 2008 forests can use legacy authentication settings (settings that were used in Windows 2000 Server) or selective authentication. Selective authentication is a security setting that can be enabled on external trusts and forest trusts between Windows Server 2003 forests and Windows Server 2008 forests, in any combination. Selective authentication provides Active Directory administrators who manage a trusting forest more control over which groups of users in a trusted forest can access shared resources in the trusting forest. Because creating an external trust or forest trust provides a pathway for all authentication requests between the forests, this increased control is especially important when administrators need to grant access to shared resources in their organization's forest to a limited set of users in another organization's forest. For more information about how selective authentication settings work, see Security Considerations for Trusts (http://go.microsoft.com/fwlink/?LinkId=111846).

Task requirements
Either of the following tools is required to perform the procedures for this task:
• Active Directory Domains and Trusts
• Netdom.exe

For more information about how to use the Netdom command-line tool to configure selective authentication settings, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837). To complete this task, you can perform the following procedures:
• Enable Selective Authentication over an External Trust
• Enable Selective Authentication over a Forest Trust
• Enable Domain-Wide Authentication over an External Trust
• Enable Forest-Wide Authentication over a Forest Trust
• Grant the Allowed to Authenticate Permission on Computers in the Trusting Domain or Forest
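The two settings covered by this section and the preceding one, SID filter quarantining and selective authentication, are both stored as bit flags in the trustAttributes attribute of each trusted domain object. The following PowerShell script is an added example, not part of the guide, that reads those flags for every trust of a domain, applies the guide's own rules (quarantining belongs on external trusts only, never on forest or intra-forest trusts; domain-wide or forest-wide authentication is the permissive default), and prints the netdom command from this guide that would correct each finding. It assumes the ActiveDirectory PowerShell module (Get-ADTrust); the flag values are those documented for trustAttributes in MS-ADTS; domain names are placeholders.

```powershell
# Added example (not from the guide): audit SID filter quarantining and selective
# authentication on every trust of a domain. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Bit flags of the trustAttributes attribute (MS-ADTS, trustAttributes).
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4    # SID filter quarantining on
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x8    # forest trust
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x10   # selective authentication on
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20   # trust between domains of one forest

function Get-TrustSecurityReport {
    param([string]$Domain = $env:USERDNSDOMAIN)

    foreach ($t in Get-ADTrust -Filter * -Server $Domain) {
        $attr       = [int]$t.TrustAttributes
        $isForest   = ($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0
        $isIntra    = ($attr -band $TRUST_ATTRIBUTE_WITHIN_FOREST) -ne 0
        $isRealm    = ($t.TrustType -eq 'MIT')          # realm trust to a non-Windows KDC
        $quarantine = ($attr -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -ne 0
        $selective  = ($attr -band $TRUST_ATTRIBUTE_CROSS_ORGANIZATION) -ne 0

        $findings = @()
        $fix      = @()

        # The guide: an external trust without quarantining is the Windows 2000
        # default and lets sIDHistory entries from the trusted domain through.
        if (-not $isForest -and -not $isIntra -and -not $isRealm -and -not $quarantine) {
            $findings += 'SID filter quarantining is disabled on an external trust'
            $fix += "netdom trust $Domain /domain:$($t.Target) /quarantine:Yes /userD:<DomainAdministratorAcct> /passwordD:*"
        }
        # Without selective authentication, any user of the trusted side may
        # authenticate to every resource computer in the trusting side.
        if (-not $isIntra -and -not $isRealm -and -not $selective) {
            $findings += 'domain-wide or forest-wide authentication in effect (selective authentication off)'
            $fix += "netdom trust $Domain /domain:$($t.Target) /SelectiveAUTH:Yes /userD:<DomainAdministratorAcct> /passwordD:*"
        }

        [pscustomobject]@{
            Partner       = $t.Target
            Direction     = $t.Direction
            Kind          = if ($isIntra) { 'intra-forest' }
                            elseif ($isForest) { 'forest' }
                            elseif ($isRealm) { 'realm' }
                            else { 'external' }
            SIDFiltering  = $quarantine
            SelectiveAuth = $selective
            Findings      = ($findings -join '; ')
            Remediation   = ($fix -join "`n")
        }
    }
}

# Usage (placeholder domain name):
# Get-TrustSecurityReport -Domain 'contoso.com' | Format-List
```

Get-ADTrust also surfaces the same two flags as the SIDFilteringQuarantined and SelectiveAuthentication properties; decoding trustAttributes directly is shown here because it is what you see when reading the trusted domain object with any LDAP tool or in a directory export. The remediation strings use /passwordD:* so that netdom prompts for the password rather than taking it on the command line.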

Enable Selective Authentication over an External Trust
Selective authentication over an external trust restricts access to only those users in a trusted domain who have been explicitly given authentication permissions to computer objects (resource computers) that reside in the trusting domain. To explicitly give authentication permissions to computer objects in the trusting domain to certain users, administrators must grant those users the Allowed to Authenticate permission in Active Directory Domain Services (AD DS). For more information, see Grant the Allowed to Authenticate Permission on Computers in the Trusting Domain or Forest. For more information about how selective authentication works, see Security Considerations for Trusts (http://go.microsoft.com/fwlink/?LinkId=111846). To provide access to computers in the trusting domain to only those users in the trusted domain who have the Allowed to Authenticate permission applied to the computer objects, you can use this procedure to enable selective authentication over an external trust with the New Trust Wizard in the Active Directory Domains and Trusts snap-in or with the Netdom command-line tool. For more information about how to use the Netdom command-line tool to configure selective authentication settings, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837). Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.


Enabling selective authentication over an external trust
• Using the Windows interface
• Using a command line

To enable selective authentication over an external trust using the Windows interface
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain that you want to administer, and then click Properties.
3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the external trust that you want to administer, and then click Properties.
4. On the Authentication tab, click Selective authentication, and then click OK.

Note
Only the authentication settings for the outgoing trust are displayed when you click Properties and then click the Authentication tab in Active Directory Domains and Trusts. To view the correct authentication settings for the incoming side of a two-way, external trust, connect to a domain controller in the trusted domain, and then use Active Directory Domains and Trusts to view the authentication settings for the outgoing side of the same trust.

To enable selective authentication over an external trust using a command line
1. Open a Command Prompt.
2. At the command prompt, type the following command, and then press ENTER:
Netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /SelectiveAUTH:Yes /userD:<DomainAdministratorAcct> /passwordD:<DomainAdminPwd>


Parameter                  Description
<TrustingDomainName>       The Domain Name System (DNS) name (or NetBIOS name) of the trusting domain in the trust that is being managed.
<TrustedDomainName>        The DNS name (or NetBIOS name) of the domain that is trusted in the trust that is being managed.
<DomainAdministratorAcct>  The user account name with the appropriate administrator credentials to modify the trust.
<DomainAdminPwd>           The password of the user account in <DomainAdministratorAcct>.

Enable Selective Authentication over a Forest Trust
Selective authentication over a forest trust restricts access to only those users in a trusted forest who have been explicitly given authentication permissions to computer objects (resource computers) that reside in the trusting forest. To explicitly give authentication permissions to computer objects in the trusting forest to certain users, administrators must grant those users the Allowed to Authenticate permission in Active Directory Domain Services (AD DS). For more information about granting the Allowed to Authenticate permission, see Grant the Allowed to Authenticate Permission on Computers in the Trusting Domain or Forest. For more information about how selective authentication works, see Security Considerations for Trusts (http://go.microsoft.com/fwlink/?LinkId=111846). To provide access to computers in the trusting forest to only those users in the trusted forest who have the Allowed to Authenticate permission applied to the computer objects, you can use this procedure to enable selective authentication over a forest trust with the New Trust Wizard in the Active Directory Domains and Trusts snap-in or with the Netdom command-line tool. For more information about how to use the Netdom command-line tool to configure selective authentication settings, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837). Membership in Domain Admins in the forest root domain or Enterprise Admins in AD DS, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.


Enabling selective authentication over a forest trust
• Using the Windows interface
• Using a command line

To enable selective authentication over a forest trust using the Windows interface
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the forest root domain, and then click Properties.
3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the forest trust that you want to administer, and then click Properties.
4. On the Authentication tab, click Selective authentication, and then click OK.

Note
Only the authentication settings for the outgoing trust are displayed when you click Properties and then click the Authentication tab in Active Directory Domains and Trusts. To view the correct authentication settings for the incoming side of a two-way, forest trust, connect to a domain controller in the forest root domain of the trusted forest, and then use Active Directory Domains and Trusts to view the authentication settings for the outgoing side of the same trust.

To enable selective authentication over a forest trust using a command line
1. Open a Command Prompt.
2. At the command prompt, type the following command, and then press ENTER:
Netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /SelectiveAUTH:Yes /userD:<DomainAdministratorAcct> /passwordD:<DomainAdminPwd>


Parameter                  Description
<TrustingDomainName>       The Domain Name System (DNS) name (or NetBIOS name) of the trusting forest root domain in the trust that is being managed.
<TrustedDomainName>        The DNS name (or NetBIOS name) of the forest root domain that is trusted in the trust that is being managed.
<DomainAdministratorAcct>  The user account name with the appropriate administrator credentials to modify the trust.
<DomainAdminPwd>           The password of the user account in <DomainAdministratorAcct>.

Enable Domain-Wide Authentication over an External Trust
The domain-wide authentication setting permits unrestricted access by any users in the trusted domain to all available shared resources in the trusting domain. This is the default authentication setting for external trusts, and it is representative of the way authentications were routed, without restriction, over Windows 2000 Server trusts. For more information about the domain-wide authentication setting, see Security Considerations for Trusts (http://go.microsoft.com/fwlink/?LinkId=111846). You can use this procedure to enable domain-wide authentication over an external trust. Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To enable domain-wide authentication over an external trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain that you want to administer, and then click Properties.
3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the external trust that you want to administer, and then click Properties.
4. On the Authentication tab, click Domain-wide authentication, and then click OK.

Note
Only the authentication settings for the outgoing trust appear when you click Properties and then click the Authentication tab in Active Directory Domains and Trusts. To view the correct authentication settings for the incoming side of a two-way, external trust, connect to a domain controller in the trusted domain and then use Active Directory Domains and Trusts to view the authentication settings for the outgoing side of the same trust.

Enable Forest-Wide Authentication over a Forest Trust
The forest-wide authentication setting permits unrestricted access by any users in the trusted forest to all available shared resources in any of the domains in the trusting forest. This is the default authentication setting for forest trusts, and it is representative of the way authentications were routed, without restriction, over Windows 2000 Server trusts. For more information about the forest-wide authentication setting, see Security Considerations for Trusts (http://go.microsoft.com/fwlink/?LinkId=111846). You can use this procedure to enable forest-wide authentication over a forest trust. Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To enable forest-wide authentication over a forest trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the forest root domain, and then click Properties.
3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the forest trust that you want to administer, and then click Properties.
4. On the Authentication tab, click Forest-wide authentication, and then click OK.

Note
Only the authentication settings for the outgoing trust are displayed when you click Properties and then click the Authentication tab in Active Directory Domains and Trusts. To view the correct authentication settings for the incoming side of a two-way, forest trust, connect to a domain controller in the trusted domain (the forest root domain in the other forest), and then use Active Directory Domains and Trusts to view the authentication settings for the outgoing side of the same trust.


Grant the Allowed to Authenticate Permission on Computers in the Trusting Domain or Forest
For users in a trusted Windows Server 2008 or Windows Server 2003 domain or forest to be able to access resources in a trusting Windows Server 2008 or Windows Server 2003 domain or forest where the trust authentication setting has been set to selective authentication, each user must be explicitly granted the Allowed to Authenticate permission on the security descriptor of the computer objects (resource computers) that reside in the trusting domain or forest. For more information about how the Allowed to Authenticate permission works, see Security Considerations for Trusts in the Windows Server 2003 Technical Reference (http://go.microsoft.com/fwlink/?LinkId=35413).

Note
The Allowed to Authenticate permission can be set on computer objects that represent member servers running Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, and Windows Server 2008.

You can use this procedure and the Active Directory Users and Computers snap-in from the trusting domain to enable access to resources over an external trust or forest trust that is set to selective authentication. Membership in Account Operators, Domain Admins, or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To grant the Allowed to Authenticate permission on computers in the trusting domain or forest
1. Open Active Directory Users and Computers.
2. In the console tree, click the Computers container or the container where your computer objects reside.
3. Right-click the computer object that you want users in the trusted domain or forest to access, and then click Properties.
4. On the Security tab, do one of the following:
• In Group or user names, click the user names or group names for which you want to grant access to this computer, select the Allow check box next to the Allowed to Authenticate permission, and then click OK.
• Click Add. In Enter the object names to select, type the name of the user object or group object for which you want to grant access to this resource computer, and then click OK. Select the Allow check box next to the Allowed to Authenticate permission, and then click OK.
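The scripted equivalent of the Security tab procedure, as an added example that is not the guide's own: it writes the Allowed-To-Authenticate extended-right ACE onto the computer object and lists who already holds it. It uses System.DirectoryServices only, and assumes it runs in the trusting domain as a member of Account Operators or Domain Admins, with the trust already in place so that the trusted domain's principal resolves to a SID.

```powershell
# Added example, not from the guide. Assumes the trusting domain, an account that may
# edit the computer object's security descriptor, and an existing trust for SID lookup.

# rightsGuid of the Allowed-To-Authenticate control access right (schema constant).
$AllowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Get-ComputerEntry {
    # Finds the computer object by its sAMAccountName (NAME$) in the current domain.
    param([string]$ComputerName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { throw "Computer object '$ComputerName' not found" }
    $hit.GetDirectoryEntry()
}

function Grant-AllowedToAuthenticate {
    param(
        [string]$ComputerName,   # resource computer in the trusting domain
        [string]$Principal       # 'TRUSTEDDOMAIN\user' or 'TRUSTEDDOMAIN\group'
    )
    # Store the ACE by SID so it survives renames and works across the trust.
    $sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AllowedToAuthenticate)

    $entry = Get-ComputerEntry $ComputerName
    $entry.psbase.ObjectSecurity.AddAccessRule($ace)
    $entry.psbase.CommitChanges()
}

function Get-AllowedToAuthenticate {
    # Lists the principals that may authenticate to the computer: explicit
    # Allowed to Authenticate ACEs, plus Full Control grants, which imply it.
    param([string]$ComputerName)
    $entry = Get-ComputerEntry $ComputerName
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    $fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    foreach ($rule in $rules) {
        $explicit = $rule.ObjectType -eq $AllowedToAuthenticate
        $generic  = ($rule.ActiveDirectoryRights -band $fullControl) -eq $fullControl
        if ($explicit -or $generic) {
            $name = $(try { $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
                      catch { $rule.IdentityReference.Value })   # unresolvable foreign SID
            New-Object PSObject -Property @{
                Principal = $name
                Type      = $rule.AccessControlType
                Grant     = $(if ($explicit) { 'Allowed to Authenticate' } else { 'Full control (implies it)' })
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Constructed sample call; replace both names with values from your own environment.
# Grant-AllowedToAuthenticate -ComputerName 'FILESERVER01' -Principal 'TRUSTED\FileUsers'
# Get-AllowedToAuthenticate -ComputerName 'FILESERVER01' | Format-Table -AutoSize
```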


Appendix: New Trust Wizard Pages
Understanding how user input is handled during the trust creation process will help you provide information when it is most necessary and help you better prepare for your specific procedure. This section explains the two most complex pages in the New Trust Wizard:
• Direction of Trust
• Sides of Trust

Direction of Trust
An administrator in one domain configures the Direction of Trust page in the New Trust Wizard to determine whether authentication requests should be routed from this domain to a specified domain, from the specified domain to this domain, or freely between both domains. The following trust direction options are available on the Direction of Trust page:
• Two-way. A two-way trust allows authentication requests that are sent by users in either domain or forest to be routed successfully to resources in either of the two domains or forests.
• One-way: incoming. A one-way, incoming trust allows authentication requests that are sent by users in your domain or forest (the domain or forest where you started the New Trust Wizard) to be routed successfully to resources in the other domain or forest.
• One-way: outgoing. A one-way, outgoing trust allows authentication requests that are sent by users in the other domain (the domain or forest that you are indicating in the New Trust Wizard as the specified domain or forest) to be routed successfully to resources in your domain or forest.
These options are explained in the following sections.

Wizard option: Two-way
Use this option when you want to share resources equally between two domains or forests for all the users that reside in both domains or forests. A two-way trust allows authentication requests that are sent by users in a trusted domain or forest to be routed successfully to the trusting domain or forest. Both domains or forests in the trust relationship are reciprocally trusting and trusted.

Note
Traditionally, documentation about domain and forest trusts has used the terms "trusting" and "trusted" to help administrators pinpoint the direction of the trust. Although this terminology is still used today to define and conceptualize how trusts work, it differs from the terminology that the New Trust Wizard uses to help administrators determine the direction of trust. Instead, "incoming" and "outgoing" are used to indicate the direction of the trust, as described in the next sections.


Wizard option: One-way: incoming
Use this option when you want to allow authentication requests to be routed from your domain or forest (referred to as "this domain" or "this forest" in the wizard) to resources residing in a second domain or forest (referred to as "specified domain" or "specified forest" in the wizard). "One-way" in One-way: incoming means that this selection will create a one-way trust that can route authentications to resources in only one direction, while user access to those resources flows in the other direction. "Incoming" in One-way: incoming refers to the direction of the trust itself, not the direction in which authentication requests will flow. In other words, as shown in the following illustration, a "one-way incoming trust" means that your domain or forest will be the domain or forest that receives access to the resources in the other domain.

Wizard option: One-way: outgoing
Use this option when you want to allow authentication requests to be routed to your domain or forest (referred to as "this domain" or "this forest" in the wizard) from users residing in a second domain or forest (referred to as "specified domain" or "specified forest" in the wizard). "One-way" in One-way: outgoing means that this selection will create a one-way trust that can route authentications to resources in only one direction, while user access to those resources flows in the other direction. "Outgoing" in One-way: outgoing refers to the direction of the trust itself, not the direction in which authentication requests will flow. In other words, as shown in the following illustration, a "one-way, outgoing trust" means that your domain or forest will provide access to resources that are located in your domain to users who are located in the other domain or forest.

Sides of trust
In Windows NT 4.0 and Windows 2000, the only way to create trusts using the graphical user interface (GUI) was incrementally, one side of the trust at a time. When you create external trusts, shortcut trusts, realm trusts, or forest trusts in Windows Server 2003 and Windows Server 2008, you have the option to create each side of the trust separately or both sides of the trust simultaneously.

Wizard option: This domain only
Use this option when you want to create each side of the trust separately, which means that you must run the New Trust Wizard twice, once for each domain in the trust. Although the New Trust Wizard presents a different experience than previous versions of Windows Server operating systems, this option provides behavior that is similar to the way that trusts were created in Windows NT 4.0 and Windows 2000. When you create trusts using this method, you must supply the same trust password for each domain. As a security best practice, all trust passwords should be strong passwords.

Wizard option: Both this domain and the specified domain
This option provides administrators who possess the appropriate domain credentials for both domains in the trust relationship with the option to quickly create both sides of a trust by completing a single instance of the New Trust Wizard. When you select this option, a strong trust password is automatically generated for you. For this selection to be successful, the administrator running the wizard must acquire the appropriate administrative credentials for each domain in the trust relationship.

Administering the Windows Time Service
Time synchronization is critical for the proper operation of many Windows services and line-of-business applications. The Windows Time service (W32time) uses the Network Time Protocol (NTP) to synchronize computer clocks on the network so that an accurate clock value, or time stamp, can be assigned to network validation requests and resource access requests. This guide provides information about administering the Windows Time service in Windows Server 2008.

In this guide
• Introduction to Administering the Windows Time Service
• Managing the Windows Time Service

Introduction to Administering the Windows Time Service
The Windows Server 2008 Windows Time service (W32time) synchronizes the date and time for all computers running on a Windows Server 2008 network. The service integrates Network Time Protocol (NTP) and time providers, making it a reliable and scalable time service for enterprise administrators. The purpose of the Windows Time service is to make sure that all computers running versions of Windows 2000 Server, Windows Server 2003, Windows XP, Windows Vista, or Windows Server 2008 in an organization use a common time. To guarantee appropriate common time usage, the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops. A domain controller at the top of the hierarchy provides authoritative time to all other domain controllers, and domain clients use domain controllers as their time source. By default, the domain controller at the top of the hierarchy is the primary domain controller (PDC) operations master (also known as flexible single master operations or FSMO) in the forest root domain.

Windows time source selection
By default, Windows-based computers use the following sources for time synchronization:
• For computers that are joined to a domain, the first query is to a time source in the parent domain.

Note
Computers that are not joined to a domain and are running Windows Vista are configured to synchronize with the following external time sources by default: time.windows.com, time.nist.gov, time-nw.nist.gov, time-a.nist.gov, and time-b.nist.gov. Computers that are not joined to a domain and are running Windows XP or Windows XP Home Edition are configured to synchronize with time.windows.com by default.

• If the time client is in a single-domain forest, the first query is to the PDC emulator in the domain.
• All PDC emulator operations masters follow the hierarchy of domains in the selection of their inbound time partner. A PDC emulator can synchronize its time from the PDC emulator in the parent domain or from any domain controller in the parent domain.
For more information about time source selection, see How Windows Time Service Works (http://go.microsoft.com/fwlink/?LinkID=117783). The authoritative time source at the root of the forest can acquire its time either by connecting to an installed hardware clock on the internal network or by connecting to an external NTP server, which is connected to a hardware device. If no domain controller is configured as the authoritative time source in the forest root domain, the domain controller that holds the PDC emulator operations master role uses its internal clock to provide time to forest computers.

External NTP time servers
Many external NTP servers are available over the Internet. Use the following information to select an NTP server:
• The National Institute of Standards and Technology (NIST) in Boulder, Colorado, which is used as the external time provider by the Microsoft time server (time.windows.com). NIST provides the Automated Computer Time Service (ACTS), which can set a computer clock with an uncertainty of less than 10 milliseconds. For more information about NTP and for a list of external time servers, see Set Your Computer Clock Via the Internet: NIST Internet Time Service (ITS) (http://go.microsoft.com/fwlink/?LinkId=112038).
• The U.S. Naval Observatory (USNO) Time Service Department in Washington, DC, is another reliable source for accurate time synchronization in the United States. To see a list of USNO servers and their descriptions, see USNO Network Time Servers (http://go.microsoft.com/fwlink/?LinkId=112036).
• You can use many other sites throughout the world for time synchronization. For more NTP server lists and search criteria, see the NTP.Servers Web site (http://go.microsoft.com/fwlink/?LinkId=116972).
For the most highly accurate time synchronization, configure a hardware clock, such as a radio or Global Positioning System (GPS) device, as the time source for the PDC. There are many consumer and enterprise devices that use NTP, which makes it possible for you to install the device on an internal network for use with the PDC. You use the w32tm command-line tool to configure the Windows Time service. For a detailed technical reference for the Windows Time service, including complete documentation of the w32tm command-line tool and time service registry settings, see the Windows Time Service Technical Reference (http://go.microsoft.com/fwlink/?LinkID=100940).

W32tm and net time
The net time commands are predecessors of the w32tm commands, and they should not be used to configure the Windows Time service or to set the time on a computer while the Windows Time service is actively running. The recommended method for configuring the Windows Time service and displaying Windows Time service information for the Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 operating systems is to use w32tm commands. Although the command net time /querysntp appears to display the Simple Network Time Protocol (SNTP) server for the Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 operating systems, it does not display complete time configuration information. You can use the command w32tm /query /configuration to determine whether the computer is configured to synchronize time from the domain hierarchy or from a manual list of time servers. The command output includes a line labeled Type that identifies the time synchronization method that the client is using. The following Type line outputs are possible for the time client:
• NoSync: The client does not synchronize time.
• NTP: The client synchronizes time from an external time source. Review the values in the NtpServer line in the output to see the name of the server or servers that the client uses for time synchronization.
• NT5DS: The client is configured to use the domain hierarchy for its time synchronization.
• AllSync: The client synchronizes time from any available time source, including the domain hierarchy and external time sources.
For information about Windows Time service Internet communication, see Windows Time Service and Resulting Internet Communication in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=116982).


Managing the Windows Time Service
You initially configure the Windows Time service (W32time) when you deploy your forest root domain in Active Directory Domain Services (AD DS). Thereafter, the Windows Time service requires little day-to-day management. After you make changes on your network, however, including adding certain client computers, moving the primary domain controller (PDC) emulator operations master role, or simply changing the time source for your network, you might need to perform certain tasks. This section includes the following tasks for managing the Windows Time service:
• Configuring a Time Source for the Forest
• Configuring Windows-Based Clients to Synchronize Time
• Restoring the Windows Time Service to Default Settings

Configuring a Time Source for the Forest
The first domain controller that you deploy in a domain holds the primary domain controller (PDC) emulator operations master (also known as flexible single master operations or FSMO) role for the domain. By default, the domain controller that holds the PDC emulator master role in the forest root domain is the reliable time source at the top of the time-source domain hierarchy for the forest. As soon as you install the first domain controller in the forest, set the PDC emulator in the forest root domain to synchronize from a valid Network Time Protocol (NTP) source or from a hardware clock that is installed on the network. If no time source is configured on the PDC emulator or any other domain controller in the forest root domain, the PDC emulator advertises as a reliable time source and uses its internal clock as the source for forest synchronization. In this case, no manual configuration is required. After initial deployment of your network, you typically reconfigure the time service on the PDC emulator in the forest root domain in only two situations:
• You move the PDC emulator role to a different computer. In this case, you must configure the Windows Time service for the new PDC emulator master role holder and reconfigure the original PDC emulator master role holder to synchronize from the domain and not from an external or internal time source.
• You change the time source for the PDC emulator. For example, you change from synchronizing with an external source to synchronizing with an internal hardware device.
In some environments, one or more domain controllers are configured to act as standby PDC emulator role holders. If the current PDC emulator fails or is otherwise unavailable, the role can quickly be transferred to the standby. If you anticipate moving the PDC emulator role and you want to avoid reconfiguring the new and old PDC emulator every time the role is moved, you can configure a domain controller in the forest root domain that is not the PDC emulator as the reliable time source for the forest. In this way, the root of the time service stays the same and remains properly configured.

Note
Make sure that the domain controller that you configure to be the forest time source is highly available and, if it is not the PDC emulator, that it does not hold other operations master roles that might have to be transferred.

Use the following recommendations for configuring the time source for the forest root domain, in this order of preference:
1. Install a hardware clock, such as a radio or Global Positioning System (GPS) device, as the time source for the forest root domain and configure the Windows Time service (W32time) on the PDC emulator or other domain controller to synchronize with this device. Many consumer and enterprise devices are available that use NTP. You can install the device on an internal network and configure the PDC emulator to use it as its time source. Hardware clocks have the following advantages:
• More security. You do not have to connect to the Internet.
• Highest accuracy. However, NTP servers are already as accurate as the Windows Time service itself can make use of, so the extra accuracy of a hardware clock is not realized in practice.
Hardware clocks have the following disadvantage:
• Expense and maintenance. You must purchase and install a hardware clock, whereas you can connect to a public time server at no cost and without hardware installation.
2. Configure the Windows Time service on the PDC emulator or other domain controller to synchronize with an external time server. Computer clocks synchronize with external time servers by using the NTP protocol over an IP version 4 (IPv4) or IP version 6 (IPv6) network. You can manually configure the PDC emulator in the forest root domain to synchronize with the external time source. External time servers have the following advantages:
• Low cost or no cost. Cost is usually limited to bandwidth.
• Good accuracy. Although hardware clocks have the highest accuracy, that accuracy exceeds what the Windows Time service itself can make use of; therefore, the comparison of accuracy is not relevant.
External time servers have the following disadvantage:
• Security risk. NTP synchronization with an external time source is not authenticated and is therefore less secure than if the time source is inside the network.
If you are using an external time source, you can use the following sites to select an NTP server:
• USNO NTP Network Time Servers (http://go.microsoft.com/fwlink/?LinkId=112036)
• Set Your Computer Clock Via the Internet: NIST Internet Time Service (ITS) (http://go.microsoft.com/fwlink/?LinkId=112038)
• NTP.Servers Web site (http://go.microsoft.com/fwlink/?LinkID=116972)
If you choose to implement an NTP time synchronization product other than the Windows Time service, you must disable the Windows Time service on the forest root domain reliable time source. All NTP servers need access to UDP port 123. If the Windows Time service is running on a Windows Server 2003-based computer or a Windows Server 2008-based computer, port 123 will remain occupied by the Windows Time service.

Task requirements
The following tools are required to perform the procedures for this task:
• W32tm.exe
• The Windows Firewall with Advanced Security snap-in, if you need to check User Datagram Protocol (UDP) port status
• The Services snap-in, if you need to disable the Windows Time service
To complete this task, perform the following procedures as needed:
• To configure the PDC emulator in the forest root domain to synchronize time from an external time source, see Configure the Time Source for the Forest. If you plan to use a different domain controller as the time source for the forest, perform this procedure on that domain controller instead of the PDC emulator.
• If the PDC emulator in the forest root domain is configured as the reliable time source for the forest and you move the PDC emulator role to a different domain controller, see Change the Windows Time Service Configuration on the PDC Emulator in the Forest Root Domain.
• If you are implementing a time synchronization product other than the Windows Time service in your environment that uses NTP, see Disable the Windows Time Service to free UDP port 123 on the network.
• If you need more information about Windows Time service events, see Enable Windows Time Service Debug Logging.

Configure the Time Source for the Forest
You can use these procedures to configure the Windows Time service (W32time) on the domain controller that holds the primary domain controller (PDC) emulator operations master role in the forest root domain to synchronize time from an external time server or a reliable time source. When you deploy a new forest root domain or when you move the role of the PDC emulator in the forest root domain to a new domain controller, you must configure the PDC emulator role holder in the forest root domain to synchronize time for the forest from an external time source on the Internet or from a hardware clock on the internal network. If you do not configure the PDC emulator to synchronize time from an external or internal time source, the PDC emulator uses its internal clock and is itself the reliable time source for the forest. As an alternative to configuring the PDC emulator, you can configure a different domain controller in the forest root domain to synchronize time from a reliable time source. If there is such a domain controller in the forest root domain, the PDC emulator no longer advertises as a reliable time source. The procedures in this topic configure the PDC emulator (or other domain controller) to connect to an external Network Time Protocol (NTP) time server for time synchronization. To configure the PDC emulator to synchronize time from a hardware clock device on the internal network, consult the instructions for the hardware clock device. If you move the role of the PDC emulator to a new domain controller, you must also change the configuration of the Windows Time service on the previous PDC emulator. For more information, see Change the Windows Time Service Configuration on the PDC Emulator in the Forest Root Domain. Before you configure the Windows Time service on the PDC emulator, you can determine the time difference between it and the time source as a means to test basic NTP communication. If you have not selected a set of external NTP servers, use the following sites to create your list of time servers. This list is referred to in the procedure as the "manual peer list."
• USNO NTP Network Time Servers (http://go.microsoft.com/fwlink/?LinkId=112036).
• Set Your Computer Clock Via the Internet: NIST Internet Time Service (ITS) (http://go.microsoft.com/fwlink/?LinkId=112038).
• NTP.Servers Web site (http://go.microsoft.com/fwlink/?LinkID=116972)
After you configure the Windows Time service on the PDC emulator, be sure to monitor the System log in Event Viewer for W32time errors.

Note
The following procedures use the w32tm command-line tool. For more information about the w32tm command, type w32tm /? at a command prompt or see Windows Time Service Tools and Settings (http://go.microsoft.com/fwlink/?LinkId=112116).

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure locally. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure remotely. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To configure the time source for the forest
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. To display the time difference between the local computer and the target time source and to check NTP communication, at the command prompt, type the following command, and then press ENTER:
w32tm /stripchart /computer:<target> /samples:<n> /dataonly


Parameter              Description
W32tm /stripchart      Displays a strip chart of the offset between synchronizing computers. A strip chart plots two-dimensional data (in this case, the local time and the offset).
/computer:<target>     Specifies the Domain Name System (DNS) name or IP address of the NTP server that you are comparing the local computer's time against, such as time.windows.com or time-nw.nist.gov.
/samples:<n>           Specifies the number of time samples that will be returned from the target computer to test basic NTP communication.
/dataonly              Specifies that results show only data, not graphics.

If this procedure fails, check the System event log for Time-Service errors and follow any resolution steps that are provided in the More Info link in the error. It is possible that a perimeter firewall is blocking access to the Internet time server. NTP port 123 must be open for outbound and inbound traffic on all routers and firewalls between the PDC emulator and the Internet. If necessary, enable debug logging for W32time, as described in Enable Windows Time Service Debug Logging. Resolve any NTP connection issues before you proceed to step 3.
3. To configure the PDC emulator to use an NTP time source, at the command prompt, type the following command, and then press ENTER:
w32tm /config /manualpeerlist:<peers> /syncfromflags:manual /reliable:yes /update


Parameter                  Description
w32tm /config /update      Configures the computer to synchronize time.
/manualpeerlist:<peers>    Specifies the list of DNS names or IP addresses for the NTP time source with which the PDC emulator synchronizes. (This list is referred to as the manual peer list.) For example, you can specify time.windows.com as the NTP time server. When you specify multiple peers, use a space as the delimiter and enclose the names of the peers in quotation marks.
/syncfromflags:manual      Specifies that time will be synchronized with peers in the manual peer list.
/reliable:yes              Specifies that the computer is a reliable time source.

Note
When you specify a peer in the manual peer list, do not specify a computer that uses the forest root domain controller as its source for time, such as another domain controller in the forest. The time service does not operate correctly if there are cycles in the time source configuration. Peers should be external to the domain hierarchy.

After you configure the PDC emulator as the time source for the forest, log on to a client computer in the forest root domain and perform steps 1 and 2 in the preceding procedure to check Windows Time service performance on the PDC emulator. Use the DNS name of the PDC emulator for the computer target in the command. If you receive error messages, the User Datagram Protocol (UDP) ports on the PDC emulator might be disabled or blocked. You can use the following procedure to check the port status on the PDC emulator, if necessary. Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure locally. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure remotely. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To check UDP port status on the PDC emulator
1. To check inbound UDP port 123 status on the domain controller that is the PDC emulator, click Start, point to Administrative Tools, and then click Windows Firewall with Advanced Security.
2. Click Inbound Rules. Check that Active Directory Domain Controller - W32Time (NTP-UDP-In) has a status of enabled (green) and is not blocked:
• If this rule is disabled (dimmed), right-click the rule, and then click Enable.
• If the rule is blocked, right-click the rule, and then click Properties. Under Action, click Allow the connections, and then click OK.
3. To check outbound UDP port status on the domain controller, click Outbound Rules.
4. Check that Active Directory Domain Controller (UDP-Out) has a status of enabled and is not blocked:
• If the rule is disabled (dimmed), right-click the rule, and then click Enable.
• If the rule is blocked, right-click the rule, and then click Properties. Under Action, click Allow the connections, and then click OK.
Or
To open only outbound UDP port 123, create a separate outbound rule for the specific port, as follows:
a. In Windows Firewall with Advanced Security, right-click Outbound Rules, and then click New.
b. In the New Outbound Rule Wizard, click Port, and then click Next.
c. Click UDP, click Specific local ports, type 123, and then click Next.
d. Follow the directions in the wizard to configure the security settings and name the rule, and then click Finish.
5. To ensure that the PDC emulator responds, on any NTP client, repeat the test in step 2 of the procedure "To configure the Windows Time service on the PDC emulator" earlier in this topic.
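A way to verify the whole forest after the procedures above, as an added example that is not the guide's own code: it reads w32tm /query /configuration from every domain controller, decodes the Type values explained under "W32tm and net time", and flags the misconfigurations these procedures exist to prevent (a source that is not reliable, a reliable source outside the forest root domain, a DC that is not NT5DS, and a manual peer that is itself a DC of the forest, the cycle the note above warns about). It assumes w32tm.exe is on the path and that the caller is an administrator on each DC.

```powershell
# Added example, not from the guide. Assumes w32tm.exe is on the path, the caller is
# an administrator on every DC, and w32tm /query can reach each DC over RPC.

function ConvertFrom-W32tmConfiguration {
    # Parses the 'Key: value (Local|Policy)' lines printed by w32tm /query /configuration.
    param([string[]]$Lines)
    $config = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+):\s*(.*?)\s*(\((Local|Policy)\))?\s*$') {
            # Keys such as Enabled repeat per provider section; keep the first
            # occurrence, which for Type and NtpServer is the NtpClient section.
            if (-not $config.ContainsKey($matches[1])) { $config[$matches[1]] = $matches[2] }
        }
    }
    $config
}

function Get-W32tmConfiguration {
    param([string]$Computer)
    ConvertFrom-W32tmConfiguration (& w32tm /query "/computer:$Computer" /configuration 2>&1)
}

function Get-ManualPeerHosts {
    # NtpServer is 'host,0xNN host,0xNN ...'; return the lower-cased host names only.
    param([string]$NtpServer)
    foreach ($peer in ($NtpServer -split '\s+')) {
        if ($peer) { ($peer -split ',')[0].ToLower() }
    }
}

function Test-ForestTimeHierarchy {
    # Returns one finding string per problem; no output means the hierarchy
    # matches the guidance in this section.
    $forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $rootDcs = @($forest.RootDomain.DomainControllers | ForEach-Object { $_.Name.ToLower() })
    $allDcs  = @($forest.Domains | ForEach-Object { $_.DomainControllers } |
                 ForEach-Object { $_.Name.ToLower() })
    $findings = @()
    $reliableSources = @()

    foreach ($dc in $allDcs) {
        $cfg = Get-W32tmConfiguration $dc
        if (-not $cfg.ContainsKey('Type')) {
            $findings += "$dc : could not read the W32time configuration"
            continue
        }
        $type = $cfg['Type']
        # AnnounceFlags bit 0x4 is what /reliable:yes sets (always announce as reliable).
        $reliable = ([int]$cfg['AnnounceFlags'] -band 0x4) -ne 0
        if ($reliable) { $reliableSources += $dc }

        switch ($type) {
            'NTP' {
                if (-not $reliable) { $findings += "$dc : Type NTP but not announced as reliable (a second, parallel time source)" }
                if ($rootDcs -notcontains $dc) { $findings += "$dc : manual peer list configured outside the forest root domain" }
                foreach ($peer in Get-ManualPeerHosts $cfg['NtpServer']) {
                    if ($allDcs -contains $peer) { $findings += "$dc : manual peer $peer is a DC of this forest (time source cycle)" }
                }
            }
            'NT5DS' {
                if ($reliable) { $findings += "$dc : announced as reliable but Type NT5DS; set /reliable:no or give it a manual peer list" }
            }
            default { $findings += "$dc : Type $type; domain controllers should be NTP (forest source) or NT5DS" }
        }
    }

    if ($reliableSources.Count -eq 0) {
        $findings += "no DC is configured as the reliable time source; the root PDC serves time from its internal clock"
    } elseif ($reliableSources.Count -gt 1) {
        $findings += "more than one reliable time source in the forest: $($reliableSources -join ', ')"
    }
    $findings
}

Test-ForestTimeHierarchy
```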

Change the Windows Time Service Configuration on the PDC Emulator in the Forest Root Domain
The domain controller in the forest root domain that holds the primar domain controller "PDC# emulator operations master "also 0no%n as fle-ible single master operations or =SM4# role is the default time source for the domain hierarch of time sources in the forest& $hen ou create the forest( ou configure this domain controller either to connect to a manual time source "an e-ternal 9et%or0 Time Protocol "9TP# server or a hard%are cloc0 device on the internal net%or0# or to use its o%n internal cloc0 as its time source& 'f ou move the PDC emulator role to another domain controller or if ou decide to configure a different domain controller as the reliable time source for the forest( ou can use this procedure to change the $indo%s Time service "$72time# configuration on the PDC emulator that is currentl configured as the reliable time source for the forest& ?8

Note The follo%ing procedure uses the w;<tm command/line tool& =or more information about the w;<tm command( t pe w;<tm ,> at a command prompt or see $indo%s Time Service Tools and Settings "http:33go&microsoft&com3f%lin03P+in0'dQ66266:#& Membership in the local Administrators group( or eFuivalent( is the minimum reFuired to complete this procedure locall & Membership in Domain Admins( or eFuivalent( is the minimum reFuired to complete this procedure remotel & *evie% details about using the appropriate accounts and group memberships at http:33go&microsoft&com3f%lin03P+in0'dQ87A<<& o change the !indows ime service configuration on the %DC emulator in the forest root domain 6& 4pen a Command Prompt as an administrator: 4n the Start menu( right/clic0 Command %rompt( and then clic0 4un as administrator& 'f the 3ser Account Control dialog bo- appears( confirm that the action it displa s is %hat ou %ant( and then clic0 Continue& 2& At the command prompt( t pe the follo%ing command( and then press 19T1*:
w32tm /config /syncfromflags:domhier /reliable:no /update

Parameter                    Description
w32tm /config /update        Configures the client to synchronize time and notifies the running service of the configuration change.
/syncfromflags:domhier       Specifies that time will be synchronized with the nearest time source in the domain hierarchy. Because this domain controller is in the forest root domain, it will synchronize with a reliable time source in the forest root domain.
/reliable:no                 Removes the status of reliable time source, so that other domain controllers stop selecting this computer as their time source.

3. At the command prompt, type the following command, and then press ENTER:
net stop w32time
4. At the command prompt, type the following command, and then press ENTER:
net start w32time
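The following PowerShell script is an added example; it is not part of the original guide and not a Microsoft tool. It performs steps 2 through 4 above on the domain controller where it runs and adds the checks an operator wants before and after: where the PDC emulator role currently lives, what W32Time is synchronizing from, and whether the change actually moved the service onto a source in the domain hierarchy. It assumes an elevated session on the domain controller being reconfigured and relies only on w32tm.exe and the .NET System.DirectoryServices.ActiveDirectory classes, so it works without the Active Directory PowerShell module.

```powershell
# Added example: reconfigure W32Time on the DC that used to be the reliable time source.
# Not from the Microsoft guide. Assumes an elevated session on that domain controller.

function Invoke-W32tm {
    # Run w32tm.exe and fail loudly instead of continuing after a non-zero exit code.
    param([Parameter(Mandatory = $true)][string[]]$Arguments)
    $output = & w32tm.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "w32tm $($Arguments -join ' ') failed with exit code $LASTEXITCODE`n$($output -join "`n")"
    }
    $output
}

# 1. Where does the PDC emulator role live now? (.NET call; no AD PowerShell module needed.)
$domain       = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc          = $domain.PdcRoleOwner.Name                 # FQDN of the current PDC emulator
$isRootDomain = ($domain.Forest.RootDomain.Name -eq $domain.Name)
Write-Host "Domain        : $($domain.Name) (forest root domain: $isRootDomain)"
Write-Host "PDC emulator  : $pdc"
Write-Host "This computer : $env:COMPUTERNAME"

if ($isRootDomain -and ($pdc.Split('.')[0] -eq $env:COMPUTERNAME)) {
    # The procedure targets the DC that USED to be the reliable source. If this DC still holds the
    # forest root PDC emulator role, domhier leaves nothing above it and it falls back to its local clock.
    Write-Warning 'This computer still holds the forest root PDC emulator role; move the role or configure the new reliable source first.'
}

# 2. Record the configuration and the current source before touching anything.
Write-Host "`nBefore:"
Invoke-W32tm '/query', '/source'
Invoke-W32tm '/query', '/configuration' | Select-String 'Type|AnnounceFlags|NtpServer'

# 3. Step 2 of the procedure: sync from the domain hierarchy and stop advertising as reliable.
Invoke-W32tm '/config', '/syncfromflags:domhier', '/reliable:no', '/update'

# 4. Steps 3 and 4: restart the service, then make it pick a new source immediately.
Restart-Service -Name w32time
Invoke-W32tm '/resync', '/rediscover'

# 5. Verify: the source should now be another domain controller, not the local clock.
Write-Host "`nAfter:"
$source = Invoke-W32tm '/query', '/source'
$source
if ($source -match 'Local CMOS Clock|Free-running') {
    Write-Warning "W32Time is using its local clock ($source); no reliable time source was found in the domain hierarchy."
}
Invoke-W32tm '/query', '/configuration' | Select-String 'Type|AnnounceFlags'
```

w32tm /query /source and /query /configuration exist on Windows Vista and Windows Server 2008 and later; on Windows Server 2003 use the registry value HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags to see whether the computer still announces itself as a reliable source.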

Disable the Windows Time Service
You can use this procedure to disable the Windows Time service (W32time) if you choose to implement another time synchronization product that uses Network Time Protocol (NTP). Kerberos authentication tolerates only a small clock difference between computers (five minutes by default), so make sure that the replacement product is installed and is keeping the clock synchronized before you disable W32time; otherwise authentication to and from this computer fails as the clock drifts.

Perform this procedure on the forest root domain reliable time source. Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure locally. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure remotely. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To disable the Windows Time service
1. Click Start, point to Administrative Tools, and then click Services.
2. Right-click Windows Time, and then click Properties.
3. In the Windows Time Properties dialog box, in Startup type, click Disabled. If the service is running, click Stop. Click OK.
4. In the Services list, verify that the Startup Type for the Windows Time service is Disabled.

Enable Windows Time Service Debug Logging
You can use this procedure to enable Windows Time service (W32time) debug logging when you need more information to solve a problem with Windows Time service configuration. Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure locally. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure remotely. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To enable Windows Time Service debug logging
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. Create a folder to receive the Windows Time service log file. For example, in the command prompt window, type md c:\W32Time, and then press ENTER. This command creates a directory named W32Time on the C: drive.
3. To enable Windows Time service debug logging, at the command prompt, type the following command, and then press ENTER:
w32tm /debug /enable /file:c:\W32Time\w32time.log /size:10000000 /entries:0-116
The /size value is the maximum size of the log file in bytes (about 10 MB here), and /entries:0-116 selects the full range of logging categories. The log is verbose; when you have finished troubleshooting, turn logging off with w32tm /debug /disable.


Configuring Windows-Based Clients to Synchronize Time
Certain Windows-based client computers do not automatically synchronize their time with their domain in Active Directory Domain Services (AD DS). The following client computers do not automatically synchronize to the domain time by using the Windows Time service (W32time):
• Client computers that run in a pre–Windows 2000 domain environment
• Client computers that run in a UNIX environment
• Computers that are not joined to a domain

You can configure these computers to request time from a particular time source, such as a domain controller in the domain. If you do not specify a source that is synchronized with the domain, each computer's internal hardware clock governs its time.
Task requirements
The following tool is required to perform the procedures for this task:
• W32tm
To complete this task, you can perform the following procedures:
• Configure a Manual Time Source for a Selected Client Computer
• Configure a Client Computer for Automatic Domain Time Synchronization

Configure a Manual Time Source for a Selected Client Computer
You can use this procedure to configure a manual time source for a selected client computer. The default method of synchronizing time in a Windows forest is through the domain hierarchy, in which a client connects to a domain controller in its domain as its time source. A manual time source is a specified computer or computers from which the client synchronizes its time when it cannot synchronize through the domain hierarchy. To configure a computer for automatic domain time synchronization, see Configure a Client Computer for Automatic Domain Time Synchronization.
Before you configure a manual time source for a client computer, you can determine the time difference between the time source and the computer as a means of testing basic Network Time Protocol (NTP) communication. After you complete the configuration of the manual time source on the client computer, be sure to monitor the System log in Event Viewer for Windows Time service (W32time) errors.
Note
The following procedure uses the w32tm command-line tool. For more information about the w32tm command, type w32tm /? at a command prompt or see Windows Time Service Tools and Settings (http://go.microsoft.com/fwlink/?LinkId=112116).

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure locally. Membership in the Domain Admins group, or equivalent, is the minimum required to complete this procedure remotely. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To configure a manual time source for a selected client computer
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. To display the time difference between the local computer and a time source, at the command prompt, type the following command, and then press ENTER:
w32tm /stripchart /computer:<target> /samples:<n> /dataonly

Parameter                Description
w32tm /stripchart        Displays a strip chart of the offset between synchronizing computers. A strip chart plots two-dimensional data; in this case, the local time and the offset.
/computer:<target>       Specifies the Domain Name System (DNS) name or IP address of the NTP server that you are comparing the local computer's time against, such as time.windows.com.
/samples:<n>             Specifies the number of time samples that will be returned from the target computer to test basic NTP communication.
/dataonly                Specifies that results show only data, not graphics.

3. Open UDP port 123 for outgoing traffic on the firewall, if necessary.
4. Open UDP port 123 (or a different port that you have selected) for incoming NTP traffic. Windows Firewall allows the replies to this computer's own NTP requests automatically; an inbound rule is needed only if this computer must also answer NTP requests from other computers.
5. To configure a manual time source for the selected computer, at the command prompt, type the following command, and then press ENTER:
w32tm /config /manualpeerlist:<peers> /syncfromflags:manual /update


Parameter                    Description
w32tm /config /update        Configures the computer for time synchronization and notifies the running service of the configuration change.
/manualpeerlist:<peers>      Specifies the list of Domain Name System (DNS) names or IP addresses of the NTP time sources with which this computer synchronizes. (This list is referred to as the manual peer list.) For example, you can specify time.windows.com as the NTP time server. When you specify multiple peers, use a space as the delimiter and enclose the list of peers in quotation marks.
/syncfromflags:manual        Specifies that time is synchronized with peers in the manual peer list.
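The following PowerShell script is an added example; it is not part of the original guide. It carries out steps 2 through 5 above for a client that is not joined to a domain, but turns the stripchart test from step 2 into a gate: it parses the /dataonly output, refuses to proceed if a peer does not answer or if the offset is implausibly large, then opens the firewall ports, sets the manual peer list, and reads the System log for W32time errors as the text recommends. The peer names are placeholders for your own NTP servers, and the ",0x8" suffix on each peer (client mode) is a documented w32tm peer flag that the procedure above does not use.

```powershell
# Added example: configure a manual NTP peer list with a reachability check first.
# Not from the Microsoft guide. Run in an elevated session on the client.

$peers   = 'ntp1.example.com', 'ntp2.example.com'   # placeholders for your NTP servers
$maxSkew = 300                                      # seconds; a larger offset means a wrong clock, not a sync problem

function Get-NtpOffsetSeconds {
    # Step 2: "w32tm /stripchart ... /dataonly" prints one line per sample, for example
    #   14:02:11, +00.0012345s          (peer time minus local time)
    #   14:02:12, error: 0x800705B4     (no reply from the peer)
    # Returns the mean offset in seconds, or throws if no sample came back.
    param([string]$Peer, [int]$Samples = 3)
    $lines   = & w32tm.exe /stripchart "/computer:$Peer" "/samples:$Samples" /dataonly 2>&1
    $offsets = foreach ($line in $lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') { [double]$matches[1] }
    }
    if (-not $offsets) { throw "No NTP reply from $Peer (is UDP 123 reachable?):`n$($lines -join "`n")" }
    ($offsets | Measure-Object -Average).Average
}

foreach ($peer in $peers) {
    $offset = Get-NtpOffsetSeconds -Peer $peer
    Write-Host ("{0,-25} offset {1,10:N4} s" -f $peer, $offset)
    if ([Math]::Abs($offset) -gt $maxSkew) {
        throw "Offset to $peer is $offset s; correct the clock on one side before configuring synchronization."
    }
}

# Steps 3 and 4: Windows Firewall rules. The inbound rule matters only if this computer
# must answer NTP requests itself; replies to its own requests are allowed statefully.
& netsh advfirewall firewall add rule name=NTP-Client-Out dir=out action=allow protocol=UDP remoteport=123 | Out-Null
& netsh advfirewall firewall add rule name=NTP-Server-In  dir=in  action=allow protocol=UDP localport=123  | Out-Null

# Step 5: one space-separated argument holds the whole peer list (PowerShell quotes it for w32tm).
$peerList = ($peers | ForEach-Object { "$_,0x8" }) -join ' '
& w32tm.exe /config "/manualpeerlist:$peerList" /syncfromflags:manual /update
if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }

Restart-Service -Name w32time
& w32tm.exe /resync | Out-Null

# Monitor the System log for W32time problems. The event source is "Microsoft-Windows-Time-Service"
# on Windows Vista and Windows Server 2008, and "W32Time" on earlier versions.
Start-Sleep -Seconds 5
Get-EventLog -LogName System -Newest 100 |
    Where-Object { $_.Source -match 'Time-Service|W32Time' -and $_.EntryType -ne 'Information' } |
    Format-Table TimeGenerated, EventID, EntryType, Message -AutoSize -Wrap
& w32tm.exe /query /source
```

If the final w32tm /query /source still reports the local clock, run the stripchart test again against each peer and check whether an intermediate firewall rather than Windows Firewall is dropping UDP 123.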

Configure a Client Computer for Automatic Domain Time Synchronization
By default, a computer that is joined to a domain synchronizes time through the domain hierarchy of reliable time sources. However, if a computer has been manually configured to synchronize from a specific time source, perhaps because it was formerly not joined to the domain, you must reconfigure the computer to begin sourcing its time from the domain hierarchy. You can use this procedure to configure a client computer that is currently synchronizing with a manually specified computer to synchronize time automatically from the domain hierarchy.
Note
The following procedure uses the w32tm command-line tool. For more information about the w32tm command, type w32tm /? at a command prompt or see Windows Time Service Tools and Settings (http://go.microsoft.com/fwlink/?LinkId=112116).
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure locally. Membership in the Domain Admins group, or equivalent, is the minimum required to complete this procedure remotely. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To configure a client computer for automatic domain time synchronization
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
w32tm /config /syncfromflags:domhier /update

Parameter                    Description
w32tm /config /update        Configures the computer for time synchronization and notifies the running service of the configuration change.
/syncfromflags:domhier       Specifies that time is synchronized with domain controllers in the domain hierarchy; any manual peer list that is still configured is ignored.

3. At the command prompt, type the following command, and then press ENTER:
net stop w32time
4. At the command prompt, type the following command, and then press ENTER:
net start w32time

Restoring the Windows Time Service to Default Settings
If the local Windows Time service (W32time) settings are not configured correctly, restoring the Windows Time service to its default settings might be more efficient than troubleshooting the problem.
Task requirements
The following tool is required to perform the procedure for this task:
• W32tm.exe
To complete this task, perform the following procedure:
• Restore the Windows Time Service on the Local Computer to the Default Settings

Restore the Windows Time Service on the Local Computer to the Default Settings
You can use this procedure to restore the Windows Time service (W32time) on the local computer to the default settings. If you are experiencing a problem, returning to the default settings might be more efficient than troubleshooting the problem. Restoring the defaults discards the local W32time configuration, including any manual peer list and the reliable time source setting, so reapply those settings afterward where the computer needs them (for example, on the PDC emulator in the forest root domain).


Note
The following procedure uses the w32tm command-line tool. For more information about the w32tm command, type w32tm /? at a command prompt or see Windows Time Service Tools and Settings (http://go.microsoft.com/fwlink/?LinkId=112116).
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure locally. Membership in the Domain Admins group, or equivalent, is the minimum required to complete this procedure remotely. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To restore the Windows Time service on the local computer to the default settings
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
net stop w32time

3. At the command prompt, type the following command, and then press ENTER:
w32tm /unregister

4. At the command prompt, type the following command, and then press ENTER:
w32tm /register

5. At the command prompt, type the following command, and then press ENTER:
net start w32time

Administering DFS-Replicated SYSVOL
This guide provides administering information for the SYSVOL shared folder in Windows Server 2008. The information in this guide applies to newly installed Windows Server 2008 domains and to domains that have been upgraded to the Windows Server 2008 domain functional level and that are using Distributed File System (DFS) Replication for replication of the SYSVOL share. For information about managing SYSVOL in domains that are using File Replication Service (FRS), see Administering SYSVOL (http://go.microsoft.com/fwlink/?LinkId=112164).
In this guide
• Introduction to Administering DFS-Replicated SYSVOL
• Managing DFS-Replicated SYSVOL


Introduction to Administering DFS-Replicated SYSVOL
SYSVOL is a collection of folders that contain a copy of the domain's public files, including system policies, logon scripts, and important elements of Group Policy objects (GPOs). The SYSVOL directory must be present and the appropriate subdirectories must be shared on a server before the server can advertise itself on the network as a domain controller. Shared subdirectories in the SYSVOL tree are replicated to every domain controller in the domain. Because the scripts and policy files in SYSVOL are replicated to every domain controller and applied by every domain member, write access to SYSVOL is effectively the ability to run code on every computer in the domain; leave the default permissions in place and audit changes to them.
Note
For Group Policy, only the Group Policy template (GPT) is replicated through SYSVOL replication. The Group Policy container (GPC), which is stored in the domain partition, is replicated through Active Directory replication. For Group Policy to be effective, both parts must be available on a domain controller.

SYSVOL terminology and capitalization
SYSVOL is referred to as the “SYSVOL share.” The default root of the SYSVOL replica is at the path %systemroot%\SYSVOL\domain, but the folder that is actually shared by the domain controller is the %systemroot%\SYSVOL\sysvol folder by default.
Note
The location of the SYSVOL directory and subdirectories is configurable during and after Active Directory installation. The default locations under %systemroot%\SYSVOL are used throughout this guide only as a relative reference to the location of SYSVOL files and folders.
The %systemroot%\SYSVOL\domain and %systemroot%\SYSVOL\sysvol folders appear to contain the same content because SYSVOL uses junction points (also called reparse points). A junction point is a physical location on a hard disk that points to data that is located elsewhere on the hard disk or on another storage device. Junction points look like folders and behave like folders (in Windows Explorer they appear to be shortcuts to folders), but they are not folders. A junction point contains a link to another folder. When a program opens it, the junction point automatically redirects the program to the folder to which the junction point is linked. The redirection is completely transparent to the user and the application. For example, if you open a command prompt and type dir to list the contents of %systemroot%\SYSVOL\sysvol, you notice a folder that is listed as <JUNCTION>. The junction point in %systemroot%\SYSVOL\sysvol links to %systemroot%\SYSVOL\domain.
In this guide, in reference to SYSVOL components and folders, the capitalization that is used reflects the capitalization of the default folders and parameters as they appear in the file system, in the registry, and in Active Directory Domain Services (AD DS). For example, the default SYSVOL directory tree always appears as %systemroot%\SYSVOL\sysvol, as it appears in Windows Explorer. When the topic is specific to the sysvol shared folder, lowercase sysvol is used. Similarly, the area of SYSVOL that is historically referred to as “the staging area” is described in this guide as “the staging areas subdirectory.” In this way, the folder “%systemroot%\SYSVOL\staging areas” is clearly understood and distinct from the “%systemroot%\SYSVOL\staging” folder. Capitalization of registry parameters and Active Directory attribute names is presented as it appears in those locations.

Using DFS Replication for replicating SYSVOL in Windows Server 2008
Distributed File System (DFS) Replication is a replication service that is available for replicating SYSVOL to all domain controllers in domains that have the Windows Server 2008 domain functional level. DFS Replication was introduced in Windows Server 2003 R2. However, on domain controllers that are running Windows Server 2003 R2, SYSVOL replication is performed by the File Replication Service (FRS).
Note
The information and instructions in this section relate to DFS Replication of SYSVOL. For information about managing SYSVOL when you use FRS for file replication, see Administering FRS-Replicated SYSVOL (http://go.microsoft.com/fwlink/?LinkId=122838).
DFS Replication technology significantly improves replication of SYSVOL. In Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2, FRS is used to replicate the contents of the SYSVOL share. When a change to a file occurs, FRS replicates the entire updated file. With DFS Replication, for files larger than 64 KB, only the updated portion of the file is replicated. To replicate only updates to files, DFS Replication uses an algorithm called remote differential compression (RDC). RDC detects changes to the data in a file and enables DFS Replication to replicate changes in the form of file blocks, without having to replicate the entire file. RDC detects insertions, removals, and rearrangements of data in files. The DFS Replication service monitors SYSVOL, and, if a change occurs to any file that is stored in SYSVOL, DFS Replication automatically replicates the file updates to the SYSVOL folders on the other domain controllers in the domain.
An additional improvement is that DFS Replication does not require the version vector join (vvjoin) operation, which is performed between FRS replication partners when new connections are created. Vvjoin is a CPU-intensive operation that can affect the performance of the server and cause increased replication traffic.
In Windows Server 2008, DFS Replication is the default file replication service for domains that are initially created on domain controllers running Windows Server 2008. However, in a domain that is upgraded from another operating system to Windows Server 2008, FRS remains the replication service for SYSVOL. To implement DFS Replication of SYSVOL after an upgrade to the Windows Server 2008 domain functional level, you must perform a migration process for replication of the SYSVOL tree.


Requirements for using DFS Replication
In Windows Server 2008, for newly created domains operating at the Active Directory domain functional level of Windows Server 2008, DFS Replication is used by default for SYSVOL replication. If your domain controllers are upgraded from another operating system to Windows Server 2008, you must install DFS Replication on all domain controllers in the domain, raise the domain functional level to Windows Server 2008, and then follow a migration process to move from FRS replication of SYSVOL to DFS Replication. For more information about the SYSVOL migration process, see SYSVOL Migration Series: Part 1 – Introduction to the SYSVOL migration process (http://go.microsoft.com/fwlink/?LinkId=118296). For more information about DFS Replication, see Distributed File System Replication: Frequently Asked Questions (http://go.microsoft.com/fwlink/?LinkId=122837).
The day-to-day operation of SYSVOL replication is an automated process that does not require any human intervention other than watching for alerts that the DFS Replication service raises. Occasionally, you might perform some system maintenance as you change your network. The topics in this section describe the tasks that are required for managing SYSVOL replication, including maintaining capacity and relocating SYSVOL components.

Key considerations for administering SYSVOL
A new graphical user interface (GUI) management tool, DFS Management, provides options for performing many SYSVOL management tasks. In Windows Server 2003, most SYSVOL management tasks required registry changes. In Windows Server 2008, you can use DFS Management to perform the following SYSVOL updates:
• Change the space that is allocated to the staging area
• Change the staging area path
• View shared folders
Note
You cannot use DFS Management to change the SYSVOL path. You must make this change in the registry directly. For information about changing the SYSVOL path, see Relocating SYSVOL Manually.
You can use the Diagnostic Reports feature of DFS Management to implement a monitoring system to detect low disk space and other potential DFS Replication disruptions so that you can resolve these issues before the system stops replicating. The Ultrasound utility, which is a tool for monitoring FRS, cannot be used for DFS Replication. Instead, you can use the DFS Replication health reports that DFS Management generates. For information about using DFS Management to generate diagnostic reports, see Create a Diagnostic Report for DFS Replication (http://go.microsoft.com/fwlink/?LinkId=122838).
Other key considerations for managing SYSVOL include the following:
• Capacity. To manage SYSVOL, enough space must be provided to store SYSVOL. The default quota that is allocated to the DFS Replication staging area is 4 gigabytes (GB) (4096 MB). The maximum size is 4 terabytes (TB) (4096 GB). Depending on the configuration of your domain, SYSVOL can require a significant amount of disk space to function properly. During the initial deployment, SYSVOL might be allocated adequate disk space to function. However, as your installation of Active Directory Domain Services (AD DS) grows in size and complexity, the required capacity can exceed the available disk space. If you receive indications that disk space is low, determine whether the cause is inadequate physical space on the disk or the DFS Management setting that limits the quota that is allocated to the staging area. If staging area disk space is low, DFS Replication encounters frequent staging area cleanup events. You can reduce the size of SYSVOL by using the .admx file capability to implement a Central Store in SYSVOL to store and to replicate Windows Vista policy files, instead of keeping a copy of the template files in every GPO folder. For information about using this solution, see article 929841 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=122839). You can also reduce SYSVOL size and replication time by managing Administrative Templates in Group Policy. For information about using this solution, see article 813338 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=122840).
• Hardware maintenance. System maintenance, such as removal of a disk drive, can make it necessary for you to relocate SYSVOL. Even if the maintenance occurs on a different disk drive, verify that the maintenance does not affect SYSVOL. Logical drive letters can change after you add and remove disks. DFS Replication locates SYSVOL by using paths that are stored in AD DS. If drive letters change after you add or remove disk drives, you must manually update the paths in AD DS.
• Backing up GPOs. The successful operation of Group Policy depends on the reliable operation of SYSVOL. Key components of GPOs exist in SYSVOL (in the Policies subdirectory), and it is essential that these GPO components remain synchronized with the related components in AD DS. Therefore, backing up only the SYSVOL component does not represent a full and complete backup of your GPOs. The Group Policy Management Console (GPMC) provides both UI-based and scriptable methods for backing up GPOs. It is important that you back up GPOs as part of your regular backup and disaster recovery processes. Soon after installation of a new domain, the Default Domain Policy and Default Domain Controllers Policy GPOs should be backed up. They should also be backed up after any subsequent changes are made. GPOs are included in system state backups. For information about backing up system state, see Backing Up Active Directory Domain Services. For information about backing up GPOs, see Back Up a Group Policy Object (http://go.microsoft.com/fwlink/?LinkId=122842).
• Relocating SYSVOL. When you relocate SYSVOL, you must first copy the entire folder structure to a new location. Then, you must update the junction points and the path values that are stored in the registry and in AD DS to maintain the relationships between the paths, the folders, and the junctions. As an option, you can relocate the staging area and leave the rest of SYSVOL at its original location. In this case, you must update the staging folder path in AD DS.


Relocating SYSVOL folders
SYSVOL relocation should be undertaken only when required by disk space maintenance or upgrades. By default, SYSVOL is contained in the %systemroot%\SYSVOL folder. The tree of folders that is contained within this folder can be extensive, depending on the size of SYSVOL, the number of GPOs, and the use of logon scripts. When you relocate SYSVOL folders, ensure that you copy all folders (including any hidden folders) and ensure that the relationships of the folders do not change.
Note
To ensure that all folders appear in Windows Explorer, on the Tools menu, click Folder Options. On the View tab, select Show hidden files and folders.
Before you attempt to relocate all or portions of SYSVOL, you must clearly understand the folder structure and the relationships between the folders and the path and size information that is stored in AD DS. When folders are moved, any associated values that are stored in AD DS and the registry must be updated to match the new location. The folder structure contains junction points that also require updating after folders are moved to a new location.
When you relocate folders, you use the first three levels of subdirectories to properly update the path locations that DFS Replication uses. These levels are affected by junction points and parameter settings. These folders include the following:
%systemroot%\SYSVOL
%systemroot%\SYSVOL\domain
%systemroot%\SYSVOL\domain\DfsrPrivate
%systemroot%\SYSVOL\domain\Policies
%systemroot%\SYSVOL\domain\scripts
%systemroot%\SYSVOL\staging
%systemroot%\SYSVOL\staging\domain
%systemroot%\SYSVOL\staging areas
%systemroot%\SYSVOL\staging areas\<FQDN>, where FQDN is the fully qualified domain name of the domain that this domain controller hosts, for example, contoso.com.
%systemroot%\SYSVOL\sysvol
%systemroot%\SYSVOL\sysvol\<FQDN>, where FQDN is the fully qualified domain name of the domain that this domain controller hosts, for example, contoso.com.
Note
If any of the folders do not appear in Windows Explorer, click Tools, and then click Folder Options. On the View tab, click Show hidden files and folders.
If you use Windows Explorer to view these folders, they appear to be typical folders. If you open a command prompt and type dir to list these folders, you notice that two special folders are listed as <JUNCTION>. Both folders labeled FQDN are junction points. The junction point in %systemroot%\SYSVOL\sysvol links to %systemroot%\SYSVOL\domain. The junction in %systemroot%\SYSVOL\staging areas links to %systemroot%\SYSVOL\staging\domain. If you change the path to the folders to which the junctions are linked, you must also update the junctions, including drive letter changes and folder changes.
Besides junction points linking to folders within the SYSVOL tree, the registry and AD DS also store references to folders. These references contain paths that you must update if you change the location of the folder:
• Registry: The SysVol Netlogon parameter in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. This registry entry stores the path to the sysvol shared folder (default %systemroot%\SYSVOL\sysvol). The Netlogon service uses this path to identify the location of the folder that it uses to create the SYSVOL and NETLOGON (scripts) share points.
• AD DS: Two attributes in AD DS store the paths for the SYSVOL root and staging area folders, as shown in the following table.

Directory value          Default referenced location               Contents
msDFSR-RootPath          %systemroot%\SYSVOL\domain                Policies and scripts
msDFSR-StagingPath       %systemroot%\SYSVOL\staging\domain        Staging area folders
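The following PowerShell script is an added example; it is not part of the original guide. It reads the three places described above that record where SYSVOL lives (the Netlogon SysVol registry value, the msDFSR-RootPath and msDFSR-StagingPath attributes, and the targets of the two junction points) and reports any that disagree, which is how a drive-letter change or a half-finished relocation shows up. It also confirms that the SYSVOL and NETLOGON shares exist. It assumes it runs on the domain controller itself, that the domain controller's computer object is in the default Domain Controllers OU, and that the subscription object has the default name given later in this section; adjust $subscriptionDn otherwise. Only ADSI, WMI and cmd.exe's dir /AL are used.

```powershell
# Added example: cross-check SYSVOL paths in the registry, AD DS and the junction points.
# Not from the Microsoft guide. Run on the domain controller being checked.

$rootDse        = [ADSI]'LDAP://RootDSE'
$domainDn       = [string]$rootDse.defaultNamingContext
# Assumes the default DN of the DFSR subscription object for SYSVOL on this DC.
$subscriptionDn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$env:COMPUTERNAME,OU=Domain Controllers,$domainDn"
$subscription   = [ADSI]"LDAP://$subscriptionDn"

$adRootPath    = [string]$subscription.Properties['msDFSR-RootPath'].Value      # default %systemroot%\SYSVOL\domain
$adStagingPath = [string]$subscription.Properties['msDFSR-StagingPath'].Value   # default %systemroot%\SYSVOL\staging\domain

# Netlogon\Parameters\SysVol is the folder Netlogon shares as SYSVOL (its scripts\ subfolder becomes NETLOGON).
$regSysvol  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').SysVol
$regSysvol  = [Environment]::ExpandEnvironmentVariables($regSysvol)
$sysvolTree = Split-Path -Path $regSysvol -Parent                              # %systemroot%\SYSVOL

function Get-JunctionTargets {
    # "dir /AL" lists reparse points as:   <JUNCTION>     contoso.com [C:\Windows\SYSVOL\domain]
    # Returns one object per junction found directly under $Path.
    param([string]$Path)
    foreach ($line in (cmd.exe /c dir /AL "$Path" 2>$null)) {
        if ($line -match '<JUNCTION>\s+(.+?)\s+\[(.+)\]\s*$') {
            New-Object PSObject -Property @{ Parent = $Path; Name = $matches[1]; Target = $matches[2] }
        }
    }
}

$stagingAreas = Join-Path -Path $sysvolTree -ChildPath 'staging areas'
$junctions    = @(Get-JunctionTargets -Path $regSysvol) + @(Get-JunctionTargets -Path $stagingAreas)

Write-Host "Registry  SysVol             : $regSysvol"
Write-Host "AD DS     msDFSR-RootPath    : $adRootPath"
Write-Host "AD DS     msDFSR-StagingPath : $adStagingPath"
$junctions | Format-Table Parent, Name, Target -AutoSize

# sysvol\<FQDN> must point at msDFSR-RootPath; "staging areas\<FQDN>" must point at msDFSR-StagingPath.
$problems = @()
foreach ($j in $junctions) {
    $expected = if ($j.Parent -eq $regSysvol) { $adRootPath } else { $adStagingPath }
    if ($j.Target.TrimEnd('\') -ne $expected.TrimEnd('\')) {
        $problems += "Junction $($j.Parent)\$($j.Name) -> $($j.Target), but AD DS says $expected"
    }
    if (-not (Test-Path -LiteralPath $j.Target)) { $problems += "Junction target $($j.Target) does not exist" }
}
if ($junctions.Count -ne 2) { $problems += "Expected 2 junctions (sysvol and staging areas), found $($junctions.Count)" }

# Netlogon creates both shares only once SYSVOL is ready; a DC without them does not advertise.
$shares = Get-WmiObject -Class Win32_Share | Where-Object { @('SYSVOL', 'NETLOGON') -contains $_.Name }
foreach ($name in 'SYSVOL', 'NETLOGON') {
    if (-not ($shares | Where-Object { $_.Name -eq $name })) { $problems += "$name share is missing" }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'SYSVOL paths, junctions and shares are consistent.' }
```

Run it before and after any relocation: before, to record the values you will have to update; after, to prove that the registry, AD DS and the junctions all agree on the new location before you restart the DFS Replication and Netlogon services.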

Managing DFS-Replicated SYSVOL
This section includes the following tasks for managing DFS-Replicated SYSVOL:
• Changing the Quota That Is Allocated to the SYSVOL Staging Area
• Relocating the SYSVOL Staging Area
• Relocating SYSVOL Manually
• Updating the SYSVOL Path
• Restoring and Rebuilding SYSVOL

Changing the Quota That Is Allocated to the SYSVOL Staging Area
The staging folder in SYSVOL, a subfolder of the staging areas folder, stores updates before they are replicated. It also stores updates that it has just received through replication before it updates the copy of the files in SYSVOL. DFS Replication compresses the data to save space in the staging folder and to reduce the time that is necessary to replicate the files. The default quota that is allocated to the staging folder is 4096 megabytes (MB), or 4 gigabytes (GB). The minimum quota is 10 MB and the maximum quota that can be allocated is 4096 GB, or 4 terabytes (TB). If you need more space in the staging folder and space is available on the volume, you can adjust the staging folder quota by using DFS Management.

Task requirements
The following tool is required to perform the procedures for this task:
• DFS Management
To complete this task, perform the following procedure:
• Change the Quota That Is Allocated to the SYSVOL Staging Folder

Change the Quota That Is Allocated to the SYSVOL Staging Folder
You can use this procedure to modify the amount of disk space that is allocated to the staging folder in SYSVOL. If space is available on the volume, you can increase the quota that is allocated to the staging folder to improve SYSVOL replication efficiency. The quota is not enforced against the volume, so a quota larger than the free space on the volume simply lets the disk fill; check the free space first.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To change the space that is allocated to the staging folder
1. On the Start menu, point to Administrative Tools, and then click DFS Management.
2. In the console tree, expand Replication, and then click Domain System Volume.
3. In the details pane, on the Memberships tab, right-click the SYSVOL replication member whose staging folder allocation you want to change, and then click Properties.
4. On the Staging tab, change the value in Quota (in megabytes), and then click OK.
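The following PowerShell script is an added example; it is not part of the original guide. It reads the staging quota that DFS Management stores in AD DS (the msDFSR-StagingSize attribute, in megabytes) and compares it with what the staging folder currently holds and with the free space on its volume, so that you can tell a quota that is too small from a disk that is too full before you change the value on the Staging tab. It then lists recent non-informational entries from the DFS Replication event log that mention staging. It assumes it runs on the domain controller and that the subscription object has the default DN shown in this section.

```powershell
# Added example: staging quota versus staging usage versus free disk space for SYSVOL.
# Not from the Microsoft guide. Run on the domain controller whose staging folder you are sizing.

$rootDse        = [ADSI]'LDAP://RootDSE'
# Assumes the default DN of the DFSR subscription object for SYSVOL on this DC.
$subscriptionDn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$env:COMPUTERNAME,OU=Domain Controllers,$([string]$rootDse.defaultNamingContext)"
$subscription   = [ADSI]"LDAP://$subscriptionDn"

$stagingPath = [string]$subscription.Properties['msDFSR-StagingPath'].Value
$quotaMB     = [int]$subscription.Properties['msDFSR-StagingSize'].Value     # megabytes, as on the Staging tab

# Current staging usage: every file under the staging path, hidden files included.
$usedBytes = (Get-ChildItem -LiteralPath $stagingPath -Recurse -Force -ErrorAction SilentlyContinue |
              Where-Object { -not $_.PSIsContainer } | Measure-Object -Property Length -Sum).Sum
$usedMB = [math]::Round(($usedBytes / 1MB), 1)

# Free space on the volume that holds the staging folder.
$drive  = Split-Path -Path $stagingPath -Qualifier                            # e.g. "C:"
$disk   = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$drive'"
$freeMB = [math]::Floor($disk.FreeSpace / 1MB)

Write-Host ("Staging path : {0}" -f $stagingPath)
Write-Host ("Quota        : {0,10} MB  (default 4096, minimum 10, maximum 4194304)" -f $quotaMB)
Write-Host ("In use       : {0,10} MB" -f $usedMB)
Write-Host ("Volume free  : {0,10} MB on {1}" -f $freeMB, $drive)

if ($quotaMB -gt $freeMB) {
    Write-Warning 'The quota exceeds the free space on the volume: the disk fills before DFSR ever reaches the quota. Free space or relocate the staging area; raising the quota will not help.'
} elseif ($usedMB -gt 0.9 * $quotaMB) {
    Write-Warning 'Staging is above 90% of its quota, so DFSR is probably running staging cleanup repeatedly. Raise the quota on the Staging tab if the volume has room.'
}

# DFSR records staging pressure and cleanups in its own event log.
Get-EventLog -LogName 'DFS Replication' -Newest 200 |
    Where-Object { $_.EntryType -ne 'Information' -and $_.Message -match 'staging' } |
    Format-Table TimeGenerated, EventID, EntryType -AutoSize
```

The guide's rule of thumb applies when reading the output: if staging is repeatedly near its quota while the volume has room, raise the quota; if the volume itself is nearly full, no quota change helps and the staging area or SYSVOL has to move.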

Relocating the SYSVOL Staging Area
When you install Active Directory Domain Services (AD DS), the Active Directory Domain Services Installation Wizard installs folders that are referred to as “the SYSVOL staging area.” The Active Directory Domain Services Installation Wizard creates two folders, %systemroot%\SYSVOL\staging and %systemroot%\SYSVOL\staging areas, which the Distributed File System (DFS) Replication service uses as the queue for changes that are to be replicated to other domain controllers. “Staging” and “staging areas” are default names. When you relocate these staging folders, you can change the names. Ensure that you identify the proper area in the SYSVOL tree in case it has been renamed in your environment.


Important
Before you relocate all or part of SYSVOL, be s ure to inform domain administrators that you are doing so and that they should not make any changes in the SYSVOL directory until the move is complete.
Two values determine the location of the staging area:
• The msDFSR-StagingPath attribute of the object CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=DomainControllerName,OU=Domain Controllers,DC=DomainName in AD DS. This attribute contains the path to the actual location that DFS Replication uses to stage files.
• A junction point that is stored in the staging areas folder in SYSVOL and that links to the actual location that DFS Replication uses to stage files.
After you move the staging areas folders, you must change the staging folder path in AD DS. The staging junction point is updated automatically to reference the new location when you restart the DFS Replication service and the Netlogon service. You do not have to update the staging junction point manually. After you move the staging areas folders, force replication of the changes to a replication partner in the domain.
Except where noted, perform these procedures on the domain controller that contains the staging folder that you want to relocate.
Task requirements
An understanding of the SYSVOL folder structure is necessary for this task. For information about the SYSVOL folder structure, see Introduction to Administering DFS-Replicated SYSVOL.
The following tools are required to perform the procedures for this task:
• Active Directory Sites and Services
• Event Viewer
• Net.exe
• Dcdiag.exe
• Regedit.exe
• ADSI Edit
To complete this task, perform the following procedures:
• Identify Replication Partners
• Check the Status of the SYSVOL and Netlogon Shares
• Verify Active Directory Replication
• Gather the SYSVOL Path Information
• Stop the DFS Replication Service and Netlogon Service
• Create the SYSVOL Staging Areas Folder Structure
• Change the SYSVOL Root Path or Staging Areas Path, or Both
• Start the DFS Replication Service and Netlogon Service
• Force Replication Between Domain Controllers

Identify Replication Partners
You can use this procedure to examine the connection objects for a domain controller and identify its replication partners.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To identify replication partners
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, double-click the Sites container to display the list of sites.
3. Double-click the site that contains the domain controller for which you want to determine connection objects.
   Note
   If you do not know the site in which the domain controller is located, open a command prompt and type ipconfig to get the IP address of the domain controller. Use the IP address to verify that the IP address maps to a subnet, and then determine the site association.
4. Double-click the Servers folder to display the list of servers in that site.
5. Double-click the server object for the domain controller whose replication partners you want to identify to display its NTDS Settings object.
6. Click the NTDS Settings object to display the list of connection objects in the details pane. (These objects represent inbound connections that are used for replication to the server.) The From Server column displays the names of the domain controllers that are source replication partners for the selected server object.

Check the Status of the SYSVOL and Netlogon Shares
You can use this procedure to make sure that the Distributed File System (DFS) Replication service is started properly and then ensure that the sysvol shared folder and netlogon (scripts) shared folder are created and shared. For information about checking SYSVOL status for File Replication Service (FRS), see the Windows Server 2003 topic Check the status of the shared SYSVOL (http://go.microsoft.com/fwlink/?LinkId=120774).

Membership in Domain Admins, or equivalent, is required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To check the status of the SYSVOL and Netlogon shares
1. On the Start menu, point to Administrative Tools, and then click Services.
2. Verify that the DFS Replication service and the Netlogon service have a status of Started. If a service is stopped, click Restart.
3. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
4. To verify that the SYSVOL tree includes the sysvol and scripts shared folders, at the command prompt, type the following command, and then press ENTER:
net share

5. Check the list to be sure that it includes %systemroot%\SYSVOL\sysvol\ (the SYSVOL share) and %systemroot%\SYSVOL\sysvol\<Domain Name>\SCRIPTS (the NETLOGON share), where <Domain Name> is the domain of the new domain controller.
   Note
   If neither %systemroot%\SYSVOL\sysvol\ nor %systemroot%\SYSVOL\sysvol\<Domain Name>\SCRIPTS is present, see Verify Active Directory Replication.
6. Verify that the proper permissions are set for SYSVOL replication. At the command prompt, type the following command, and then press ENTER:
dcdiag /test:netlogons

Look for a message that states that <ComputerName> passed test NetLogons, where <ComputerName> is the name of the domain controller. If you do not see the "passed test" message, check the permissions that are set on the Scripts and Sysvol shared folders. For information about default SYSVOL permissions, see Reapply Default SYSVOL Security Settings.
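The same checks in script form, as an added example that is not part of the guide: it confirms that the DFSR and Netlogon services are running, that the SYSVOL and NETLOGON shares exist and point into the SYSVOL tree, and that dcdiag reports "passed test NetLogons". It assumes it runs elevated on the domain controller and that the sysvol share is at %systemroot%\SYSVOL\sysvol unless you pass -SysvolShareRoot.

```powershell
# Added example (not from the guide): service, share and dcdiag checks from the
# procedure above. Assumption: run elevated on the DC; pass -SysvolShareRoot if
# SYSVOL has been relocated away from %systemroot%\SYSVOL\sysvol.
param(
    [string]$SysvolShareRoot = (Join-Path $env:SystemRoot 'SYSVOL\sysvol')
)

$problems = @()

# Step 2: both services must be running (DFSR is the service name of DFS Replication).
foreach ($name in 'DFSR', 'Netlogon') {
    $svc = Get-Service -Name $name
    if ($svc.Status -ne 'Running') { $problems += "Service $name is $($svc.Status), expected Running" }
}

# Steps 4 and 5: Win32_Share returns the same name/path pairs that "net share" prints.
$shares   = Get-WmiObject -Class Win32_Share | Where-Object { $_.Name -match '^(SYSVOL|NETLOGON)$' }
$sysvol   = $shares | Where-Object { $_.Name -eq 'SYSVOL' }
$netlogon = $shares | Where-Object { $_.Name -eq 'NETLOGON' }

if (-not $sysvol) {
    $problems += 'SYSVOL share is missing'
} elseif ($sysvol.Path.TrimEnd('\') -ne $SysvolShareRoot.TrimEnd('\')) {
    $problems += "SYSVOL share path is $($sysvol.Path), expected $SysvolShareRoot"
}

if (-not $netlogon) {
    $problems += 'NETLOGON share is missing'
} elseif ($netlogon.Path -notmatch '\\scripts\\?$' -or
          -not $netlogon.Path.StartsWith($SysvolShareRoot, 'OrdinalIgnoreCase')) {
    # Expected form: <sysvol share root>\<Domain Name>\SCRIPTS
    $problems += "NETLOGON share path is $($netlogon.Path), expected $SysvolShareRoot\<Domain Name>\SCRIPTS"
}

# Step 6: dcdiag prints "<ComputerName> passed test NetLogons" on success.
$dcdiag = & dcdiag.exe /test:netlogons
if (-not ($dcdiag | Select-String -Pattern 'passed test NetLogons' -Quiet)) {
    $problems += 'dcdiag /test:netlogons did not report "passed test NetLogons"; check the Scripts and Sysvol share permissions'
}

if ($problems.Count -eq 0) {
    'DFSR and Netlogon are running, SYSVOL and NETLOGON shares are present, NetLogons test passed.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

A missing share or a failed NetLogons test is the signal to go on to Verify Active Directory Replication or to the default SYSVOL permissions, exactly as the procedure text says; the script only reports, it changes nothing.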

Verify Active Directory Replication
You can use this procedure to verify that Active Directory replication is functioning properly on a domain controller.

Membership in Domain Admins, or equivalent, is required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To verify Active Directory replication
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
dcdiag /test:replications

Note
For more detailed replication information, use the /v option.

If this test fails, open Event Viewer and check for errors in the Directory Service log. Use the information in the ActiveDirectory_DomainService replication events to troubleshoot the problem.
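The two procedures above (Identify Replication Partners and Verify Active Directory Replication) done from a script, as an added example that is not part of the guide: it lists the inbound connection objects of a domain controller with their From Server value and then runs the same dcdiag replication test. It assumes the ActiveDirectory PowerShell module from RSAT is installed (Get-ADReplicationConnection is not on a bare Windows Server 2008 system) and that the caller has the Domain Admins membership the procedures require.

```powershell
# Added example (not from the guide): inbound replication partners plus the
# dcdiag replication test. Assumptions: ActiveDirectory module (RSAT) installed;
# Domain Admins or equivalent; -DomainController defaults to the local DC.
param(
    [string]$DomainController = $env:COMPUTERNAME   # DC whose partners you want to see
)

Import-Module ActiveDirectory -ErrorAction Stop

# Connection objects whose destination is this DC's NTDS Settings object are the
# inbound connections the snap-in lists; ReplicateFromDirectoryServer is the
# "From Server" column, i.e. the source replication partner.
$ntdsDn   = (Get-ADDomainController -Identity $DomainController).NTDSSettingsObjectDN
$partners = Get-ADReplicationConnection -Filter * |
    Where-Object { $_.ReplicateToDirectoryServer -eq $ntdsDn } |
    ForEach-Object {
        # The source DN starts "CN=NTDS Settings,CN=<server>,..."; keep the server RDN.
        $server = (($_.ReplicateFromDirectoryServer -split ',')[1]) -replace '^CN=', ''
        New-Object PSObject -Property @{ Connection = $_.Name; FromServer = $server }
    }

"Inbound replication partners of ${DomainController}:"
$partners | Format-Table FromServer, Connection -AutoSize

# Same test as the procedure; dcdiag prints "<ComputerName> passed test Replications".
$dcdiagOutput = & dcdiag.exe /test:replications /s:$DomainController
if ($dcdiagOutput | Select-String -Pattern 'passed test Replications' -Quiet) {
    "dcdiag: $DomainController passed test Replications"
} else {
    Write-Warning 'Replication test did not pass; check the Directory Service log for ActiveDirectory_DomainService replication events.'
    $dcdiagOutput | Select-String -Pattern 'failed|error' | ForEach-Object { $_.Line }
}
```

Keep the partner list from this output: the Force Replication Between Domain Controllers procedure at the end of the task needs a partner whose connection object has the updated server as its From Server.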

Gather the SYSVOL Path Information
When you relocate the SYSVOL tree or staging areas subtree, it is helpful to record the current and new values for the path locations in the SYSVOL tree that are required for SYSVOL to function. By recording these values in advance, you can facilitate the move process.

When you move SYSVOL, you first copy the folder structure to a new location. Then, you update the locations where folder paths are specified: junction points in the file system, Netlogon parameters in the registry, and attributes in Active Directory Domain Services (AD DS). As an option, you can relocate the staging areas subtree and leave the rest of the SYSVOL tree at its original location. In this case, you must update an attribute in AD DS, but the junction point for the staging areas folder is updated automatically.

You also have to record this path information when you are rebuilding SYSVOL on one domain controller by importing the SYSVOL of another domain controller.

Note
The instructions in this procedure relate to domains in which Distributed File System (DFS) Replication is used to replicate SYSVOL. For information about relocating SYSVOL when you use File Replication Service (FRS), see Relocating SYSVOL Manually (http://go.microsoft.com/fwlink/?LinkId=122890).

For more information about the folder structure and the relationships between the folders and the path information that is stored in the registry, AD DS, and the SYSVOL directory itself, see Introduction to Administering DFS-Replicated SYSVOL.

You can use these procedures to locate the SYSVOL path information and then record the values in the following table. Use the rows and columns in the table according to the goals of your procedure. Record the current values and also the new values if you are moving the SYSVOL tree or the staging areas subtree or if you are rebuilding SYSVOL:

• Relocating the entire SYSVOL tree: Record the current and new path values in rows 1 through 5.
• Relocating the staging areas subtree only: Record the current and new path values in rows 2 and 5.
• Restoring and rebuilding SYSVOL: Record path information as follows:
  • Record the current values from the domain controller that you are restoring in rows 1, 2, and 3.
  • In the Current Value column in rows 4 and 5, record the values in the junction points that are located on the domain controller from which you are copying the SYSVOL folder structure.
  • In the New Value column in rows 4 and 5, record the values in the junction points that are located on the domain controller whose SYSVOL you are rebuilding.

     Parameter                                   Current value      New value
  1  msDFSR-RootPath in AD DS
  2  msDFSR-StagingPath in AD DS
  3  SysVol Netlogon parameter in the registry
  4  Sysvol junction point
  5  Staging areas junction point

To gather the SYSVOL path information
Perform the following procedures to gather values for SYSVOL paths and record the data in the preceding table.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To determine the msDFSR-RootPath and the msDFSR-StagingPath values in AD DS
1. Click Start, point to Administrative Tools, and then click ADSI Edit.
2. Right-click ADSI Edit, and then, if the domain whose path information you want to check is not listed, click Connect to.
3. Under Connection Point, click Select a well known Naming Context, click Default naming context, and then click OK.

4. In the tree view, expand the domain component, and then expand OU=Domain Controllers.
5. Double-click the container that represents a domain controller on which you can check the path information, double-click CN=DFSR-LocalSettings, and then click CN=Domain System Volume.
6. In the details pane, right-click CN=SYSVOL Subscription, and then click Properties.
7. Click Filter. Ensure that Show mandatory attributes is selected. Select this option if it is not selected.
8. In Attributes, locate msDFSR-RootPath and msDFSR-StagingPath, and then record the current values in rows 1 and 2, respectively, in the previous table. If you are moving SYSVOL, also record the new values for the new location in both rows. If you are moving the staging areas subtree, record the new path value in row 2.
9. Click Cancel to close the CN=Subscription Properties dialog box.

To determine the SysVol Netlogon parameter value in the registry
1. Click Start, click Run, type regedit, and then press ENTER.
2. In Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. In the details pane, double-click SysVol. The current value is listed in Value data.
4. Record the current value in row 3 of the previous table, and then click Cancel to close the Edit String dialog box. If you are moving SYSVOL, also record the new value for the new location.
5. Close Registry Editor.

To determine the value in the sysvol junction point
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, change the directory to %systemroot%\SYSVOL\sysvol, or to the current location if SYSVOL has been moved from the default location.
3. To view the junction point for the sysvol folder, at the command prompt, type the following command, and then press ENTER:
dir /a:L

4. Record the current value in row 4 in the previous table. If you are moving SYSVOL, also record the new value for the new location.

To determine the value in the staging areas junction point
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, change the directory to %systemroot%\SYSVOL\staging areas, or to the current location if the staging areas subtree has been moved from the default location.
3. To view the junction point for the staging areas folder, at the command prompt, type the following command, and then press ENTER:
dir /a:L

4. The output identifies the <JUNCTION> folder type and the value that is stored in the staging areas junction point in brackets. For example, the default value is [Drive:\%systemroot%\SYSVOL\staging\domain] (or, if SYSVOL has been migrated from FRS to DFS Replication, [Drive:\%systemroot%\SYSVOL_DFSR\staging\domain]). Record the current value in row 5 of the previous table. If you are moving SYSVOL or the staging areas subtree, also record the new value for the new location.
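All five "Current value" entries of the table collected in one pass, as an added example that is not part of the guide: rows 1 and 2 are read from the SYSVOL Subscription object that the ADSI Edit steps open, row 3 from the Netlogon registry key, and rows 4 and 5 by parsing the same dir /a:L output the command-prompt steps use. It assumes the ActiveDirectory module (RSAT) is installed, that it runs elevated on the domain controller, and that the sysvol and staging areas folders are at their default locations unless you pass -SysvolFolder or -StagingAreas.

```powershell
# Added example (not from the guide): gathers the Current value column of the
# SYSVOL path table. Assumptions: ActiveDirectory module (RSAT) installed; run
# elevated on the DC; default folder locations unless overridden.
param(
    [string]$SysvolFolder = (Join-Path $env:SystemRoot 'SYSVOL\sysvol'),
    [string]$StagingAreas = (Join-Path $env:SystemRoot 'SYSVOL\staging areas')
)

Import-Module ActiveDirectory -ErrorAction Stop

# Rows 1 and 2: the subscription object under this DC's computer object.
$dc       = $env:COMPUTERNAME
$domainDn = (Get-ADDomain).DistinguishedName
$subDn    = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings," +
            "CN=$dc,OU=Domain Controllers,$domainDn"
$sub = Get-ADObject -Identity $subDn -Properties 'msDFSR-RootPath', 'msDFSR-StagingPath'

# Row 3: the SysVol value under the Netlogon Parameters key.
$regKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$sysvolParam = (Get-ItemProperty -Path $regKey -Name SysVol).SysVol

# Rows 4 and 5: "dir /a:L" prints one line per junction:
#   <date> <time>    <JUNCTION>     <name> [<target>]
function Get-JunctionTarget([string]$Folder) {
    $lines = cmd.exe /c "dir /a:L `"$Folder`""
    foreach ($line in $lines) {
        if ($line -match '<JUNCTION>\s+(.+?)\s+\[(.+)\]\s*$') {
            return "$($matches[1]) -> $($matches[2])"
        }
    }
    return '(no junction found)'
}

$rows = @(
    New-Object PSObject -Property @{ Row = 1; Parameter = 'msDFSR-RootPath in AD DS';                  CurrentValue = $sub.'msDFSR-RootPath' }
    New-Object PSObject -Property @{ Row = 2; Parameter = 'msDFSR-StagingPath in AD DS';               CurrentValue = $sub.'msDFSR-StagingPath' }
    New-Object PSObject -Property @{ Row = 3; Parameter = 'SysVol Netlogon parameter in the registry'; CurrentValue = $sysvolParam }
    New-Object PSObject -Property @{ Row = 4; Parameter = 'Sysvol junction point';                     CurrentValue = (Get-JunctionTarget $SysvolFolder) }
    New-Object PSObject -Property @{ Row = 5; Parameter = 'Staging areas junction point';              CurrentValue = (Get-JunctionTarget $StagingAreas) }
)

# The New value column is still filled in by hand; keep this output with the table.
$rows | Format-Table Row, Parameter, CurrentValue -AutoSize
```

Run it before stopping the services and save the output; after the move, the same script on the restarted domain controller shows whether rows 1, 2 and 5 now carry the new values and whether the staging junction was updated automatically as the task description says.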

Stop the DFS Replication Service and Netlogon Service
You can use this procedure to stop the Distributed File System (DFS) Replication service and the Netlogon service when you are performing offline updates to the SYSVOL tree. The Netlogon service advertises the server as a domain controller by sharing out the SYSVOL folder. The services must be turned off until updates to the SYSVOL path information are complete and the SYSVOL junction point has been updated for the new location. You can use the Windows graphical user interface (GUI) or the command line to stop the DFS Replication service and the Netlogon service.

Note
The staging path junction point is updated automatically when DFS Replication is restarted.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To stop the DFS Replication service or Netlogon service, or both, by using the Windows GUI
1. On the Start menu, point to Administrative Tools, and then click Services.
2. In the Name column, right-click DFS Replication or Netlogon, and then click Stop.

To stop the DFS Replication service and the Netlogon service by using the command line
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
net stop dfsr

3. At the command prompt, type the following command, and then press ENTER:
net stop netlogon

After you move or restore SYSVOL, when you update the SYSVOL Netlogon path in the registry, you must also update the SysvolReady parameter in Netlogon parameters, as described in Change the SYSVOL Netlogon Parameters.

Create the SYSVOL Staging Areas Folder Structure
You can use this procedure to create the SYSVOL staging areas subdirectory folder structure when you move the staging areas tree to a new location. The %systemroot%\SYSVOL\staging areas folder is the top of the staging areas tree in SYSVOL. To move the staging areas tree properly, you must select and copy the contents of %systemroot%\SYSVOL\staging areas. A different subfolder of %systemroot%\SYSVOL is named staging. Ensure that you select the contents of the staging areas subfolder (%systemroot%\SYSVOL\staging areas) and not the staging subfolder (%systemroot%\SYSVOL\staging).

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To create the SYSVOL staging areas folder structure
1. In Windows Explorer, create a new folder for the new location of the staging areas folder.
2. Navigate to the folder that represents the top of your current staging areas tree. By default, this folder is %systemroot%\SYSVOL\staging areas.
3. In the console tree, right-click the staging areas folder, and then click Copy.
4. In the console tree, navigate to the new folder that you created for the staging areas tree, right-click the folder, and then click Paste.
   Note
   This folder must be empty when you paste the staging areas folders.
5. Verify that the folder structure was copied correctly. To compare the new folder structure to the original, open a command prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
6. Change directories to the new staging areas folder. To list the contents of the folder and subfolders, type the following command, and then press ENTER:
dir /s

Ensure that all folders exist. If any folders are missing at the new location (such as \scripts), re-create them.
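The comparison that steps 5 and 6 do by eye with dir /s, as an added example that is not part of the guide. It lists the folder tree under the original and the copied staging areas folders (recording junctions but not descending into them), reports folders missing at the new location, and also compares each folder's owner and DACL, since a copy method that drops ownership or ACL entries changes SYSVOL security (the concern the manual relocation task below spells out). It assumes it runs elevated on the domain controller; the destination path is a placeholder for your new location.

```powershell
# Added example (not from the guide): structure and ACL comparison of the
# original and copied staging areas trees. Assumptions: run elevated on the DC;
# -Destination is a placeholder you replace with the new location.
param(
    [string]$Source      = (Join-Path $env:SystemRoot 'SYSVOL\staging areas'),
    [string]$Destination = 'D:\SYSVOL\staging areas'   # placeholder
)

# Relative folder paths under $Root; junctions are listed but not followed.
function Get-FolderList([string]$Root, [string]$Relative = '') {
    $path = if ($Relative) { Join-Path $Root $Relative } else { $Root }
    foreach ($d in (Get-ChildItem -LiteralPath $path -Force | Where-Object { $_.PSIsContainer })) {
        $rel = if ($Relative) { "$Relative\$($d.Name)" } else { $d.Name }
        $rel
        if (($d.Attributes -band [IO.FileAttributes]::ReparsePoint) -eq 0) {
            Get-FolderList -Root $Root -Relative $rel
        }
    }
}

$src = @(Get-FolderList -Root $Source)
$dst = @(Get-FolderList -Root $Destination)

$missing = @($src | Where-Object { $dst -notcontains $_ })
$extra   = @($dst | Where-Object { $src -notcontains $_ })

# Get-Acl's SDDL covers owner, group and DACL, so one string compare per folder suffices.
$aclDiffs = @(foreach ($rel in $src) {
    if ($dst -contains $rel) {
        $a = (Get-Acl -Path (Join-Path $Source $rel)).Sddl
        $b = (Get-Acl -Path (Join-Path $Destination $rel)).Sddl
        if ($a -ne $b) { $rel }
    }
})

if ($missing.Count)  { Write-Warning "Missing at destination (re-create them): $($missing -join ', ')" }
if ($extra.Count)    { Write-Warning "Present only at destination: $($extra -join ', ')" }
if ($aclDiffs.Count) { Write-Warning "ACL differs from source: $($aclDiffs -join ', ')" }
if (-not ($missing.Count + $extra.Count + $aclDiffs.Count)) { 'Folder structure and ACLs match.' }
```

An ACL difference on a copied folder usually comes from inheritance off the new parent folder you created in step 1; it is worth resolving before the services are restarted, because the staging folders are written by the DFS Replication service and read through the Netlogon share.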

Change the SYSVOL Root Path or Staging Areas Path, or Both
If you are moving the SYSVOL tree or the SYSVOL staging areas tree, or if you are updating these locations after hardware reconfiguration that has resulted in a drive letter change, you can use this procedure to change the SYSVOL root path, the staging areas path, or both in Active Directory Domain Services (AD DS).

Before you perform this procedure, you must stop the Distributed File System (DFS) Replication service and the Netlogon service, as described in Stop the DFS Replication Service and Netlogon Service.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To change the SYSVOL root path or the staging areas path, or both
1. Click Start, point to Administrative Tools, and then click ADSI Edit.
2. Right-click ADSI Edit, and then, if the domain whose path information you want to check is not listed, click Connect to.
3. Under Connection Point, click Select a well known Naming Context, click Default naming context, and then click OK.
4. In the console tree, expand the domain component, and then expand OU=Domain Controllers.
5. Double-click the container that represents a domain controller on which you can check the path information, double-click CN=DFSR-LocalSettings, and then click CN=Domain System Volume.
6. In the details pane, right-click CN=SYSVOL Subscription, and then click Properties.
7. Click Filter. Ensure that Show mandatory attributes is selected. Select this option if it is not selected.
8. In Attributes, double-click one or both of the following:
   • msDFSR-RootPath to change the SYSVOL root path.
   • msDFSR-StagingPath to change the SYSVOL staging areas path.
9. In Value, type the new folder path, and then click OK.
10. Click OK to close the CN=Subscription Properties dialog box.
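The attribute change of steps 8 to 10 done with Set-ADObject instead of ADSI Edit, as an added example that is not part of the guide, with the two checks an operator wants first: the DFS Replication and Netlogon services must already be stopped (the precondition stated above) and each new folder must exist. It assumes the ActiveDirectory module (RSAT) is installed, that it runs elevated on the domain controller being changed, and that the paths in the comments are placeholders; an empty parameter leaves that attribute untouched.

```powershell
# Added example (not from the guide): change msDFSR-RootPath and/or
# msDFSR-StagingPath on this DC's SYSVOL Subscription object with guards.
# Assumptions: ActiveDirectory module (RSAT); run elevated on the DC; placeholder paths.
param(
    [string]$NewRootPath    = '',   # e.g. D:\SYSVOL\domain                     (placeholder)
    [string]$NewStagingPath = ''    # e.g. D:\SYSVOL\staging areas\contoso.com  (placeholder)
)

Import-Module ActiveDirectory -ErrorAction Stop

# Precondition from the procedure: both services stopped before the offline update.
foreach ($name in 'DFSR', 'Netlogon') {
    if ((Get-Service -Name $name).Status -ne 'Stopped') {
        throw "Service $name is not stopped; stop it before changing the SYSVOL paths in AD DS."
    }
}

$changes = @{}
if ($NewRootPath) {
    if (-not (Test-Path -LiteralPath $NewRootPath -PathType Container)) { throw "Folder not found: $NewRootPath" }
    $changes['msDFSR-RootPath'] = $NewRootPath
}
if ($NewStagingPath) {
    if (-not (Test-Path -LiteralPath $NewStagingPath -PathType Container)) { throw "Folder not found: $NewStagingPath" }
    $changes['msDFSR-StagingPath'] = $NewStagingPath
}
if ($changes.Count -eq 0) { throw 'Give -NewRootPath, -NewStagingPath, or both.' }

# Same object the ADSI Edit steps navigate to, under this DC's computer object.
$dc       = $env:COMPUTERNAME
$domainDn = (Get-ADDomain).DistinguishedName
$subDn    = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings," +
            "CN=$dc,OU=Domain Controllers,$domainDn"
$attrs    = 'msDFSR-RootPath', 'msDFSR-StagingPath'

$before = Get-ADObject -Identity $subDn -Properties $attrs
Set-ADObject -Identity $subDn -Replace $changes
$after  = Get-ADObject -Identity $subDn -Properties $attrs

# Show old and new values so the change can be recorded in the path table.
foreach ($a in $attrs) {
    "{0,-20} before: {1}" -f $a, $before.$a
    "{0,-20} after:  {1}" -f $a, $after.$a
}
```

The before/after lines are what you record in the New value column of the path table; the change becomes effective only after the services are started again, which is the next procedure.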

See Also
Start the DFS Replication Service and Netlogon Service

Start the DFS Replication Service and Netlogon Service
After you relocate the SYSVOL tree or the SYSVOL staging area, or both, use this procedure to restart the Distributed File System (DFS) Replication service, the Netlogon service, or both. After you restart the service or services, review the event log to ensure that the services restarted successfully. You can use the Windows graphical user interface (GUI) or the command line to start the DFS Replication service and the Netlogon service.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To start the DFS Replication service or Netlogon service, or both, by using the Windows GUI
1. On the Start menu, point to Administrative Tools, and then click Services.
2. In the Name column, right-click DFS Replication or Netlogon, and then click Restart.

To start the DFS Replication service or Netlogon service, or both, by using the command line
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. To start the DFS Replication service, at the command prompt, type the following command, and then press ENTER:
net start dfsr

3. To start the Netlogon service, at the command prompt, type the following command, and then press ENTER:
net start netlogon

Notes
• You can use Event Viewer to verify that DFS Replication restarted correctly. In the DFS Replication log (in Applications and Services Logs), Event ID 1004 indicates that the service restarted. Look for Event IDs 1210, 1206, and 6102 to verify that the domain controller is running and ready for service. If you moved SYSVOL to a new location or relocated the staging areas folder, look for Event IDs 4604 and 6018, which indicate success. Event ID 7036 in the System event log reports that the Netlogon service is running. This event reports on all services that are stopped or started.
• Also verify that the Netlogon service is sharing the sysvol (SYSVOL share) and scripts (NETLOGON share) folders. At a command prompt, type net share, and then press ENTER.
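The post-restart verification from the notes above as a script, an added example that is not part of the guide: it queries the DFS Replication log for the listed event IDs, the System log for the Service Control Manager event that says Netlogon entered the running state, and confirms the SYSVOL and NETLOGON shares are back. It assumes it runs elevated on the domain controller soon after the restart; -Since bounds the search window (default: the last hour) and -SysvolMoved adds the two relocation-success events to the expected set.

```powershell
# Added example (not from the guide): checks the events and shares the notes
# above ask for. Assumptions: run elevated on the DC shortly after the restart.
param(
    [datetime]$Since = (Get-Date).AddHours(-1),
    [switch]$SysvolMoved     # set after relocating SYSVOL or the staging areas folder
)

# DFS Replication log: 1004 = service restarted; 1210, 1206, 6102 = DC running and
# ready for service; 4604 and 6018 = success after a SYSVOL or staging areas move.
$expected = @(1004, 1210, 1206, 6102)
if ($SysvolMoved) { $expected += 4604, 6018 }

$dfsrEvents = Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; StartTime = $Since } -ErrorAction SilentlyContinue
$seen       = @($dfsrEvents | ForEach-Object { $_.Id } | Sort-Object -Unique)
$missing    = @($expected | Where-Object { $seen -notcontains $_ })

# System log: Service Control Manager 7036 reports every service start and stop;
# keep the entry that says Netlogon entered the running state.
$netlogonUp = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Netlogon' -and $_.Message -match 'running' }

# The two shares Netlogon publishes, the same rows "net share" shows.
$shares = Get-WmiObject -Class Win32_Share | Where-Object { $_.Name -match '^(SYSVOL|NETLOGON)$' }

if ($missing.Count -gt 0) { Write-Warning "DFS Replication events not seen since ${Since}: $($missing -join ', ')" }
else                      { "DFS Replication events $($expected -join ', ') all present since $Since." }

if ($netlogonUp) { 'Netlogon: event 7036 reports the service entered the running state.' }
else             { Write-Warning 'No 7036 event for Netlogon entering the running state.' }

foreach ($name in 'SYSVOL', 'NETLOGON') {
    $s = $shares | Where-Object { $_.Name -eq $name }
    if ($s) { "$name share: $($s.Path)" } else { Write-Warning "$name share is not present." }
}
```

If 1004 is present but 4604 or 6018 is missing after a move, DFS Replication started but did not accept the new paths; the msDFSR-* values and the folder contents are the first things to re-check before forcing replication.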

Force Replication Between Domain Controllers
You can use this procedure to force Active Directory replication to occur between two domain controllers on a one-time basis when you want changes to be replicated from the server that received the changes to a server in another site sooner than the site link schedule allows. As an alternative, you can synchronize replication with all replication partners.

Membership in Enterprise Admins, or equivalent, is required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To force replication over a connection
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand Sites, and then expand the site to which you want to force replication from the updated server.
3. Expand the Servers container to display the list of servers that are currently configured for that site.
4. Expand the server objects and click their NTDS Settings objects to display their connection objects in the details pane. Find a server that has a connection object from the server on which you made the updates.
5. Click NTDS Settings below the server object. In the details pane, right-click the connection object whose From Server is the domain controller that has the updates that you want to replicate, and then click Replicate Now.
6. When the Replicate Now message box appears, review the information, and then click OK.
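The command-line equivalent of Replicate Now, as an added example that is not part of the guide: repadmin /replicate makes the destination domain controller pull the domain partition from the source over its existing connection object, and repadmin /showrepl then shows the last attempt for that partner so the result can be checked. It assumes repadmin.exe is present (it ships with the AD DS role), that the caller holds the membership the procedure requires, and that the two domain controller names are placeholders you replace with the real source and destination.

```powershell
# Added example (not from the guide): force one replication over a connection
# with repadmin and confirm it. Assumptions: repadmin.exe available; caller has
# the rights the procedure requires; DC names are placeholders.
param(
    [Parameter(Mandatory = $true)][string]$SourceDC,        # DC that received the changes
    [Parameter(Mandatory = $true)][string]$DestinationDC,   # partner that should get them now
    [string]$NamingContext = ([ADSI]'LDAP://RootDSE').defaultNamingContext   # domain partition
)

# Argument order is destination first, then source, then the naming context.
$out = & repadmin.exe /replicate $DestinationDC $SourceDC $NamingContext
if ($LASTEXITCODE -eq 0 -and ($out | Select-String -Pattern 'completed successfully' -Quiet)) {
    "Replication of $NamingContext from $SourceDC to $DestinationDC completed."
} else {
    Write-Warning 'repadmin /replicate did not report success:'
    $out
}

# /showrepl lists each inbound partner of the destination with its last attempt;
# print the lines for the source DC so the timestamp and result can be read.
& repadmin.exe /showrepl $DestinationDC |
    Select-String -Pattern ([regex]::Escape($SourceDC)) -Context 0, 3 |
    ForEach-Object { $_.Line; $_.Context.PostContext }
```

This replicates only the partition given in -NamingContext; the alternative the text mentions, synchronizing with all partners, is a separate procedure (Synchronize Replication with All Partners) and is not what this example does.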

See Also
Synchronize Replication with All Partners

Relocating SYSVOL Manually
If you want to move all folders in the SYSVOL directory, you can relocate these folders manually. You must carefully copy all folders and retain the same level of security at the new location.

Caution
The recommended method for relocating SYSVOL is to remove Active Directory Domain Services (AD DS) and then reinstall AD DS with the new SYSVOL path. Because of the potential for error, we do not recommend relocating SYSVOL manually.

If you choose to move SYSVOL manually, you first copy the entire folder structure to a new location; then, you update the SYSVOL junction point and the parameters that are stored in the registry and in AD DS. As an option, you can relocate the staging areas subdirectory only. For information about relocating the staging areas subdirectory, see Relocating the SYSVOL Staging Area.

Important
Before you relocate all or part of SYSVOL, be sure to inform domain administrators that you are doing so and that they should not make any changes in the SYSVOL directory until the move is complete.

Relocating SYSVOL can alter security settings if you do not use a copy method that retains file ownership and access control list (ACL) settings. The copy method that is described in this procedure retains security settings. After you move the SYSVOL tree, verify that the security settings on the relocated SYSVOL folders match the settings on the original SYSVOL folder structure. As an alternative, you can reapply security settings on the moved SYSVOL.

When you have completed SYSVOL relocation, force replication from the updated domain controller to a replication partner in the domain.

Task requirements
The following tools are required to perform the procedures for this task:
• Active Directory Sites and Services
• Net.exe
• Dcdiag.exe
• Event Viewer
• ADSI Edit
• Regedit.exe
• Dir.exe
• Windows Explorer
• Robocopy.exe
• Mklink.exe
• If you choose to reapply security settings manually, the following additional tools are required:
  • Notepad.exe
  • Secedit.exe

To complete this task, perform the following procedures:
1. Identify Replication Partners
2. Check the Status of the SYSVOL and Netlogon Shares
3. Verify Active Directory Replication
4. Gather the SYSVOL Path Information
5. Stop the DFS Replication Service and Netlogon Service
6. Copy SYSVOL to a New Location
7. Create the SYSVOL Root Junction Point
8. Change the SYSVOL Root Path or Staging Areas Path, or Both
9. Change the SYSVOL Netlogon Parameters
10. Reapply Default SYSVOL Security Settings
    You can use this procedure if you want to reapply the default security settings to the SYSVOL directory. However, if you use the Robocopy command that is specified in Copy SYSVOL to a New Location, file ownership and access control list (ACL) settings are retained on the copied SYSVOL folders and files, and reapplying security settings is not required.
11. Start the DFS Replication Service and Netlogon Service
12. Check the Status of the SYSVOL and Netlogon Shares
13. Force Replication Between Domain Controllers

Identify Replication Partners
You can use this procedure to examine the connection objects for a domain controller and identify its replication partners.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To identify replication partners
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, double-click the Sites container to display the list of sites.
3. Double-click the site that contains the domain controller for which you want to determine connection objects.
   Note
   If you do not know the site in which the domain controller is located, open a command prompt and type ipconfig to get the IP address of the domain controller. Use the IP address to verify that the IP address maps to a subnet, and then determine the site association.
4. Double-click the Servers folder to display the list of servers in that site.
5. Double-click the server object for the domain controller whose replication partners you want to identify to display its NTDS Settings object.
6. Click the NTDS Settings object to display the list of connection objects in the details pane. (These objects represent inbound connections that are used for replication to the server.) The From Server column displays the names of the domain controllers that are source replication partners for the selected server object.

Check the Status of the SYSVOL and Netlogon Shares
You can use this procedure to make sure that the Distributed File System (DFS) Replication service is started properly and then ensure that the sysvol shared folder and netlogon (scripts) shared folder are created and shared. For information about checking SYSVOL status for File Replication Service (FRS), see the Windows Server 2003 topic Check the status of the shared SYSVOL (http://go.microsoft.com/fwlink/?LinkId=120774).

Membership in Domain Admins, or equivalent, is required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To check the status of the SYSVOL and Netlogon shares
1. On the Start menu, point to Administrative Tools, and then click Services.
2. Verify that the DFS Replication service and the Netlogon service have a status of Started. If a service is stopped, click Restart.
3. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
4. To verify that the SYSVOL tree includes the sysvol and scripts shared folders, at the command prompt, type the following command, and then press ENTER:
net share

5. Check the list to be sure that it includes %systemroot%\SYSVOL\sysvol\ (the SYSVOL share) and %systemroot%\SYSVOL\sysvol\<Domain Name>\SCRIPTS (the NETLOGON share), where <Domain Name> is the domain of the new domain controller.
   Note
   If neither %systemroot%\SYSVOL\sysvol\ nor %systemroot%\SYSVOL\sysvol\<Domain Name>\SCRIPTS is present, see Verify Active Directory Replication.
6. Verify that the proper permissions are set for SYSVOL replication. At the command prompt, type the following command, and then press ENTER:
dcdiag /test:netlogons

Look for a message that states that <ComputerName> passed test NetLogons, where <ComputerName> is the name of the domain controller. If you do not see the "passed test" message, check the permissions that are set on the Scripts and Sysvol shared folders. For information about default SYSVOL permissions, see Reapply Default SYSVOL Security Settings.

Verify Active Directory Replication
You can use this procedure to verify that Active Directory replication is functioning properly on a domain controller.

Membership in Domain Admins, or equivalent, is required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To verify Active Directory replication
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
dcdiag /test:replications

Note
For more detailed replication information, use the /v option.

If this test fails, open Event Viewer and check for errors in the Directory Service log. Use the information in the ActiveDirectory_DomainService replication events to troubleshoot the problem.

Gather the S2S5O+ %ath Information
When you relocate the SYSVOL tree or staging areas subtree, it is helpful to record the current and new values for the path locations in the SYSVOL tree that are required for SYSVOL to function. By recording these values in advance, you can facilitate the move process. When you move SYSVOL, you first copy the folder structure to a new location. Then, you update the locations where folder paths are specified: junction points in the file system, Netlogon parameters in the registry, and attributes in Active Directory Domain Services (AD DS). As an option, you can relocate the staging areas subtree and leave the rest of the SYSVOL tree at its original location. In this case, you must update an attribute in AD DS, but the junction point for the staging areas folder is updated automatically. You also have to record this path information when you are rebuilding SYSVOL on one domain controller by importing the SYSVOL of another domain controller.

Note
The instructions in this procedure relate to domains in which Distributed File System (DFS) Replication is used to replicate SYSVOL. For information about relocating SYSVOL when you use File Replication Service (FRS), see Relocating SYSVOL Manually (http://go.microsoft.com/fwlink/?LinkId=122890).

For more information about the folder structure and the relationships between the folders and the path information that is stored in the registry, AD DS, and the SYSVOL directory itself, see Introduction to Administering DFS-Replicated SYSVOL.

You can use these procedures to locate the SYSVOL path information and then record the values in the following table. Use the rows and columns in the table according to the goals of your procedure. Record the current values and also the new values if you are moving the SYSVOL tree or the staging areas subtree or if you are rebuilding SYSVOL:
• Relocating the entire SYSVOL tree: Record the current and new path values in rows 1 through 5.
• Relocating the staging areas subtree only: Record the current and new path values in rows 2 and 5.
• Restoring and rebuilding SYSVOL: Record path information as follows:
  • Record the current values from the domain controller that you are restoring in rows 1, 2, and 3.
  • In the Current Value column in rows 4 and 5, record the values in the junction points that are located on the domain controller from which you are copying the SYSVOL folder structure.
  • In the New Value column in rows 4 and 5, record the values in the junction points that are located on the domain controller whose SYSVOL you are rebuilding.

Parameter                                        Current value    New value
1  msDFSR-RootPath in AD DS
2  msDFSR-StagingPath in AD DS
3  SysVol Netlogon parameter in the registry
4  Sysvol junction point
5  Staging areas junction point

To gather the SYSVOL path information
Perform the following procedures to gather values for SYSVOL paths and record the data in the preceding table.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To determine the msDFSR-RootPath and the msDFSR-StagingPath values in AD DS
1. Click Start, point to Administrative Tools, and then click ADSI Edit.
2. Right-click ADSI Edit, and then, if the domain whose path information you want to check is not listed, click Connect to.
3. Under Connection Point, click Select a well known Naming Context, click Default naming context, and then click OK.
4. In the tree view, expand the domain component, and then expand OU=Domain Controllers.
5. Double-click the container that represents a domain controller on which you can check the path information, double-click CN=DFSR-LocalSettings, and then click CN=Domain System Volume.
6. In the details pane, right-click CN=SYSVOL Subscription, and then click Properties.
7. Click Filter. Ensure that Show mandatory attributes is selected. Select this option if it is not selected.
8. In Attributes, locate msDFSR-RootPath and msDFSR-StagingPath, and then record the current values in rows 1 and 2, respectively, in the previous table. If you are moving SYSVOL, also record the new values for the new location in both rows. If you are moving the staging areas subtree, record the new path value in row 2.
9. Click Cancel to close the CN=Subscription Properties dialog box.

To determine the SysVol Netlogon parameter value in the registry
1. Click Start, click Run, type regedit, and then press ENTER.
2. In Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. In the details pane, double-click SysVol. The current value is listed in Value data.
4. Record the current value in row 3 of the previous table, and then click Cancel to close the Edit String dialog box. If you are moving SYSVOL, also record the new value for the new location.
5. Close Registry Editor.

To determine the value in the sysvol junction point
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, change the directory to %systemroot%\SYSVOL\sysvol, or to the current location if SYSVOL has been moved from the default location.
3. To view the junction point for the sysvol folder, at the command prompt, type the following command, and then press ENTER:

dir /a:L

4. Record the current value in row 4 in the previous table. If you are moving SYSVOL, also record the new value for the new location.

To determine the value in the staging areas junction point
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, change the directory to %systemroot%\SYSVOL\staging areas or to the current location if the staging areas subtree has been moved from the default location.
3. To view the junction point for the staging areas folder, at the command prompt, type the following command, and then press ENTER:

dir /a:L

4. The output identifies the <JUNCTION> folder type and the value that is stored in the staging areas junction point in brackets. For example, the default value is [Drive:\%systemroot%\SYSVOL\staging\domain] (or, if SYSVOL has been migrated from FRS to DFS Replication, [Drive:\%systemroot%\SYSVOL_DFSR\staging\domain]). Record the current value in row 5 of the previous table. If you are moving SYSVOL or the staging areas subtree, also record the new value for the new location.
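The five values of the table above can also be collected in one pass. The following PowerShell function is an added example, not code from the guide; it assumes Windows PowerShell 5.1 on the domain controller (for the LinkType and Target properties that Get-Item exposes on junctions) and uses only the built-in [ADSI] type, reading the same registry value, AD DS attributes and junction targets as the four procedures above.

```powershell
# Added example, not from the guide: read the five values of the path table
# from the local domain controller so they can be recorded before a move.
# Assumes Windows PowerShell 5.1 (Get-Item exposes LinkType/Target on
# junctions) and an elevated session on the DC; uses the built-in [ADSI]
# provider only, no ActiveDirectory module.

function Get-SysvolPathInfo {
    [CmdletBinding()]
    param(
        # Domain controller whose SYSVOL Subscription object is read.
        [string]$DomainController = $env:COMPUTERNAME
    )

    # Row 3: the SysVol value under the Netlogon parameters key. SysvolReady is
    # read as well because it has to be set to 0 while the paths change.
    $netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $netlogon    = Get-ItemProperty -Path $netlogonKey
    $sysvolShare = [string]$netlogon.SysVol               # default: C:\Windows\SYSVOL\sysvol
    $sysvolRoot  = Split-Path -Path $sysvolShare -Parent  # SYSVOL or SYSVOL_DFSR root

    # Rows 1 and 2: msDFSR-RootPath and msDFSR-StagingPath live on the
    # CN=SYSVOL Subscription object beneath the DC's computer account.
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $defaultNc = [string]$rootDse.defaultNamingContext
    $fqdn      = (($defaultNc -split ',') -replace '^DC=', '') -join '.'
    $subDn     = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings," +
                 "CN=$DomainController,OU=Domain Controllers,$defaultNc"
    $sub       = [ADSI]"LDAP://$subDn"
    $rootPath    = [string]$sub.'msDFSR-RootPath'
    $stagingPath = [string]$sub.'msDFSR-StagingPath'

    # Rows 4 and 5: both junctions are named after the domain FQDN, one inside
    # the sysvol share and one under "<root>\staging areas". -Force also returns
    # hidden entries.
    $sysvolJunction  = Join-Path -Path $sysvolShare -ChildPath $fqdn
    $stagingJunction = Join-Path -Path (Join-Path -Path $sysvolRoot -ChildPath 'staging areas') -ChildPath $fqdn

    function Get-JunctionTarget([string]$Path) {
        $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
        if ($null -eq $item -or $item.LinkType -ne 'Junction') { return '<not a junction>' }
        return [string]($item.Target | Select-Object -First 1)
    }

    # One object per table row; pipe to Export-Csv to keep the "Current value" column.
    [pscustomobject]@{ Row = 1; Parameter = 'msDFSR-RootPath in AD DS';                      CurrentValue = $rootPath }
    [pscustomobject]@{ Row = 2; Parameter = 'msDFSR-StagingPath in AD DS';                   CurrentValue = $stagingPath }
    [pscustomobject]@{ Row = 3; Parameter = 'SysVol Netlogon parameter in the registry';     CurrentValue = $sysvolShare }
    [pscustomobject]@{ Row = 4; Parameter = "Sysvol junction point ($sysvolJunction)";       CurrentValue = Get-JunctionTarget $sysvolJunction }
    [pscustomobject]@{ Row = 5; Parameter = "Staging areas junction point ($stagingJunction)"; CurrentValue = Get-JunctionTarget $stagingJunction }
    [pscustomobject]@{ Row = '-'; Parameter = 'SysvolReady Netlogon parameter (informational)'; CurrentValue = $netlogon.SysvolReady }
}

Get-SysvolPathInfo | Format-Table -AutoSize
```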

Stop the DFS Replication Service and Netlogon Service
You can use this procedure to stop the Distributed File System (DFS) Replication service and the Netlogon service when you are performing offline updates to the SYSVOL tree. The Netlogon service advertises the server as a domain controller by sharing out the SYSVOL folder. The services must be turned off until updates to the SYSVOL path information are complete and the SYSVOL junction point has been updated for the new location. You can use the Windows graphical user interface (GUI) or the command line to stop the DFS Replication service and the Netlogon service.

Note
The staging path junction point is updated automatically when DFS Replication is restarted.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To stop the DFS Replication service or Netlogon service, or both, by using the Windows GUI
1. On the Start menu, point to Administrative Tools, and then click Services.
2. In the Name column, right-click DFS Replication or Netlogon, and then click Stop.

To stop the DFS Replication service and the Netlogon service by using the command line
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:

net stop dfsr

3. At the command prompt, type the following command, and then press ENTER:

net stop netlogon

After you move or restore SYSVOL, when you update the SYSVOL Netlogon path in the registry, you must also update the SysvolReady parameter in Netlogon parameters, as described in Change the SYSVOL Netlogon Parameters.

Copy SYSVOL to a New Location
If you want to relocate the SYSVOL directory, you can use this procedure to create the new directory location and copy the SYSVOL folders to the new location. By default, the root of the SYSVOL directory is located at %systemroot%\SYSVOL. To move SYSVOL properly, you must correctly copy the contents of the SYSVOL folder. A subfolder with the default location of %systemroot%\SYSVOL is also named sysvol. Ensure that you copy the root folder (%systemroot%\SYSVOL) and not the subfolder (%systemroot%\SYSVOL\sysvol).

Important
To retain the SYSVOL security settings, you must use the proper robocopy command, as described in this procedure. If you perform a simple copy and paste in Windows Explorer, security settings are not copied. In this case, you must reapply security settings. For information about reapplying security settings, see Reapply Default SYSVOL Security Settings. For information about using robocopy, see Robocopy (http://go.microsoft.com/fwlink/?LinkId=122844).

Before you perform this procedure, you must have performed the following procedures:
• Identify Replication Partners. After you relocate SYSVOL, you will force replication of the changes to replication partners so that SYSVOL is updated as soon as possible on other domain controllers.
• Check the Status of the SYSVOL and Netlogon Shares. Make sure that the sysvol and scripts folders are shared on the domain controller.
• Verify Active Directory Replication. Make sure that you resolve any replication issues before you move SYSVOL.
• Gather the SYSVOL Path Information. You must have the current path information, and you must also document the new location.
• Stop the DFS Replication Service and Netlogon Service. Do not make any changes to the SYSVOL location while these services are running.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To copy SYSVOL to a new location
1. In Windows Explorer, create a new folder for the new location of SYSVOL. This folder must be empty.
2. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
3. Change directories to the existing SYSVOL directory that you want to move. By default, the path to this directory is %systemroot%\SYSVOL.
4. At the command prompt, type the following command, and then press ENTER:

robocopy <Source Folder> <Destination Folder> /copyall /mir /b /r:0 /xd "DfsrPrivate" /xf "DfsrPrivate"

Note
The destination folder must be empty.

Parameter              Description
<Source Folder>        The path to the SYSVOL directory that you are copying. The default location is %systemroot%\SYSVOL.
<Destination Folder>   The path to the new SYSVOL location that you created in step 1.
/copyall               Copies the following file information: data, attributes, time stamps, NTFS access control list (ACL), owner information, and auditing information.
/mir                   Mirrors the directory tree that you are copying.
/b                     Copies files in backup mode. Robocopy uses backup mode to override file and folder permission settings (ACLs).
/r:0                   Specifies performing 0 (zero) retries on failed copies.
/xd "DfsrPrivate"      Excludes the DfsrPrivate directory from the copy.
/xf "DfsrPrivate"      Excludes the DfsrPrivate file from the copy.

5. Verify that the folder structure was copied correctly. To compare the new folder structure to the original, open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
6. Change directories to the new SYSVOL folder. To list the contents of the folder and subfolders by size, type the following command, and then press ENTER:

dir /s

Compare the output with the output for the original SYSVOL folder. Ensure that all folders exist and that file sizes are the same. If any folders are missing at the new location (such as \scripts), re-create them.
7. Verify that the security settings on the moved SYSVOL are the same as the settings on the original location.
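Step 7 asks for a comparison of the security settings but gives no method. The following PowerShell script is an added example, not part of the guide; it compares folder sets, file sizes, owners and the explicit access and audit ACEs between the old and new SYSVOL trees (inherited ACEs are left out because they are recomputed from the new parent folder and legitimately differ after a move), it assumes an elevated session, and the destination path is a placeholder.

```powershell
# Added example, not from the guide: after the robocopy in step 4, confirm that
# every file and folder reached the new location with the same size and the
# same NTFS security (owner, explicit access ACEs, explicit audit ACEs).
# DfsrPrivate is skipped as in the robocopy command. Reading SACLs needs an
# elevated session.

function Get-ExplicitSecurity([string]$Path) {
    $acl = Get-Acl -LiteralPath $Path -Audit
    $sid = [System.Security.Principal.SecurityIdentifier]
    # GetAccessRules(includeExplicit = $true, includeInherited = $false, type)
    $rules = @($acl.GetAccessRules($true, $false, $sid) | ForEach-Object {
        "A:$($_.IdentityReference);$($_.FileSystemRights);$($_.AccessControlType);$($_.InheritanceFlags);$($_.PropagationFlags)" })
    $rules += @($acl.GetAuditRules($true, $false, $sid) | ForEach-Object {
        "U:$($_.IdentityReference);$($_.FileSystemRights);$($_.AuditFlags);$($_.InheritanceFlags);$($_.PropagationFlags)" })
    return "O:$($acl.GetOwner($sid)) " + (($rules | Sort-Object) -join ' ')
}

function Get-TreeMap([string]$Root) {
    # Map of relative path -> item. Real directories are walked; junctions are
    # recorded as entries but never followed, so sysvol\<fqdn> does not make the
    # domain folder appear twice.
    $map   = @{}
    $base  = (Get-Item -LiteralPath $Root -Force).FullName.TrimEnd('\')
    $stack = New-Object System.Collections.Generic.Stack[string]
    $stack.Push($base)
    $map[''] = Get-Item -LiteralPath $base -Force
    while ($stack.Count -gt 0) {
        $dir = $stack.Pop()
        foreach ($entry in [System.IO.Directory]::GetFileSystemEntries($dir)) {
            if ($entry -match '\\DfsrPrivate$') { continue }   # excluded by /xd and /xf
            $item = Get-Item -LiteralPath $entry -Force
            $map[$entry.Substring($base.Length)] = $item
            $isJunction = [bool]($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint)
            if ($item.PSIsContainer -and -not $isJunction) { $stack.Push($entry) }
        }
    }
    return $map
}

function Compare-SysvolCopy {
    param(
        [Parameter(Mandatory)] [string]$Source,        # e.g. C:\Windows\SYSVOL
        [Parameter(Mandatory)] [string]$Destination    # the new root created in step 1
    )
    $src = Get-TreeMap $Source
    $dst = Get-TreeMap $Destination
    $problems = New-Object System.Collections.Generic.List[string]

    foreach ($rel in $src.Keys) {
        if (-not $dst.ContainsKey($rel)) { $problems.Add("missing at destination: $rel"); continue }
        $a = $src[$rel]; $b = $dst[$rel]
        if (-not $a.PSIsContainer -and $a.Length -ne $b.Length) {
            $problems.Add("size differs: $rel ($($a.Length) vs $($b.Length) bytes)")
        }
        if ((Get-ExplicitSecurity $a.FullName) -ne (Get-ExplicitSecurity $b.FullName)) {
            $problems.Add("security differs: $rel")
        }
    }
    foreach ($rel in $dst.Keys) {
        if (-not $src.ContainsKey($rel)) { $problems.Add("unexpected at destination: $rel") }
    }
    return ,$problems
}

# The destination path is a placeholder; use the folder from step 1.
$issues = Compare-SysvolCopy -Source "$env:SystemRoot\SYSVOL" -Destination 'D:\ContosoRoot\SYSVOL'
if ($issues.Count -eq 0) { 'SYSVOL copy verified: folders, sizes and security match.' } else { $issues }
```

Entries reported as unexpected beneath sysvol\<FQDN> mean robocopy copied through that junction instead of recreating it; the junction itself is recreated in Create the SYSVOL Root Junction Point.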

Create the SYSVOL Root Junction Point
If you move the SYSVOL tree, you must create a junction point that is named for the fully qualified domain name (FQDN) of the domain. You create this junction point under <NewLocationForSYSVOL>\sysvol. The junction point must point to <NewLocationForSYSVOL>\domain. If you move the tree or if hardware reconfiguration results in a change in the drive letter, you must recreate the SYSVOL junction point for the new location. To perform this procedure, you can use the Mklink.exe command-line tool, which is included with Windows Server 2008.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To create the sysvol root junction point
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, change the directory to the new sysvol root location, for example, FolderName\SYSVOL\sysvol.
3. To create the junction point for the sysvol root, at the command prompt, type the following command, and then press ENTER:

mklink /J <FQDN> <New sysvol root junction path>

Example: mklink /J contoso.com D:\ContosoRoot\SYSVOL\domain

Parameter                                          Definition
mklink /J <FQDN> <New sysvol root junction path>   Creates a junction point for the specified domain in the specified path location.
<FQDN>                                             The fully qualified domain name of the SYSVOL domain.
<New sysvol root junction path>                    The drive letter and path to the SYSVOL root, for example, Drive:\FolderName\SYSVOL\domain or Drive:\FolderName\SYSVOL_DFSR\domain if SYSVOL has been migrated from File Replication Service (FRS) to Distributed File System (DFS) Replication.

4. To verify the creation of the junction point, at the command prompt, type the following command, and then press ENTER:

dir /a:L

Verify the presence of the <JUNCTION> folder type and the value that you specified in step 3.

Change the SYSVOL Root Path or Staging Areas Path, or Both
If you are moving the SYSVOL tree or the SYSVOL staging areas tree, or if you are updating these locations after hardware reconfiguration that has resulted in a drive letter change, you can use this procedure to change the SYSVOL root path, the staging areas path, or both in Active Directory Domain Services (AD DS). Before you perform this procedure, you must stop the Distributed File System (DFS) Replication service and the Netlogon service, as described in Stop the DFS Replication Service and Netlogon Service.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To change the SYSVOL root path or the staging areas path, or both
1. Click Start, point to Administrative Tools, and then click ADSI Edit.
2. Right-click ADSI Edit, and then, if the domain whose path information you want to check is not listed, click Connect to.
3. Under Connection Point, click Select a well known Naming Context, click Default naming context, and then click OK.
4. In the console tree, expand the domain component, and then expand OU=Domain Controllers.
5. Double-click the container that represents a domain controller on which you can check the path information, double-click CN=DFSR-LocalSettings, and then click CN=Domain System Volume.
6. In the details pane, right-click CN=SYSVOL Subscription, and then click Properties.
7. Click Filter. Ensure that Show mandatory attributes is selected. Select this option if it is not selected.
8. In Attributes, double-click one or both of the following:
  • msDFSR-RootPath to change the SYSVOL root path.
  • msDFSR-StagingPath to change the SYSVOL staging areas path.
9. In Value, type the new folder path, and then click OK.
10. Click OK to close the CN=Subscription Properties dialog box.

See Also
Start the DFS Replication Service and Netlogon Service

Change the SYSVOL Netlogon Parameters
When you are relocating the SYSVOL tree, you can use this procedure to update the registry parameter that the Netlogon service uses to discover the path to the SYSVOL\sysvol shared folder. Netlogon advertises the shared folder location based on this registry entry. The default value in this entry is Drive:\%systemroot%\SYSVOL\sysvol. If you move the SYSVOL tree to a different folder or drive, or both, or if only the drive letter changes as a result of hardware updates, you must update this Netlogon parameter. When you update the SysVol Netlogon parameter in the registry, you must also change the SysvolReady Netlogon parameter so that SYSVOL is not advertised until all new path values have been initialized.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To change the SYSVOL Netlogon parameters
1. Click Start, click Run, type regedit, and then press ENTER.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. Right-click SysVol, and then click Modify.
4. In the Value data box, type the new path, including the drive letter, and then click OK.
5. Right-click SysvolReady, and then click Modify.
6. In the Value data box, type 0, and then click OK.
7. Close Registry Editor.

Note
The path in the SysVol registry entry points to the sysvol shared folder, which is located inside the parent SYSVOL folder that is under the root (by default, Drive:\%systemroot%\SYSVOL\sysvol). When you update the path, ensure that it still identifies the sysvol shared folder within the parent SYSVOL folder. If you have moved the SYSVOL tree, the root folder will change. Be sure to also change the drive letter to its new value if this has changed.
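The ADSI Edit, mklink and regedit changes of this procedure and the two preceding ones (Create the SYSVOL Root Junction Point, Change the SYSVOL Root Path or Staging Areas Path, or Both) can be applied as one scripted step that refuses to run while the services are up. The following PowerShell function is an added example, not code from the guide; it assumes Windows PowerShell 5.1, whose New-Item -ItemType Junction stands in for mklink /J, an elevated session on the domain controller, and a new root (the guide's D:\ContosoRoot\SYSVOL is used as the placeholder) already filled by the robocopy step.

```powershell
# Added example, not from the guide: apply the new SYSVOL paths in one pass
# while DFSR and Netlogon are stopped: msDFSR-RootPath and msDFSR-StagingPath
# in AD DS, the sysvol root junction, and SysVol plus SysvolReady in the
# registry. Assumes Windows PowerShell 5.1 and an elevated session on the DC.
# Supports -WhatIf for a dry run.

function Set-SysvolLocation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$NewRoot,   # e.g. D:\ContosoRoot\SYSVOL, already copied by robocopy
        [string]$NewStagingRoot = (Join-Path -Path $NewRoot -ChildPath 'staging areas'),
        [string]$DomainController = $env:COMPUTERNAME
    )

    # Refuse to change anything while DFSR or Netlogon runs: Netlogon would keep
    # advertising the old share and DFSR would keep using the old staging path.
    foreach ($name in 'DFSR', 'Netlogon') {
        if ((Get-Service -Name $name).Status -ne 'Stopped') {
            throw "Service $name is not stopped; run 'net stop $name' first."
        }
    }

    $defaultNc  = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    $fqdn       = (($defaultNc -split ',') -replace '^DC=', '') -join '.'
    $newShare   = Join-Path -Path $NewRoot -ChildPath 'sysvol'       # SysVol registry value
    $newDomain  = Join-Path -Path $NewRoot -ChildPath 'domain'       # msDFSR-RootPath, junction target
    $newStaging = Join-Path -Path $NewStagingRoot -ChildPath $fqdn   # msDFSR-StagingPath
    foreach ($p in $newShare, $newDomain) {
        if (-not (Test-Path -LiteralPath $p -PathType Container)) { throw "Expected folder is missing: $p" }
    }

    # Rows 1 and 2 of the path table: attributes on the SYSVOL Subscription object.
    $subDn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings," +
             "CN=$DomainController,OU=Domain Controllers,$defaultNc"
    if ($PSCmdlet.ShouldProcess($subDn, "msDFSR-RootPath=$newDomain; msDFSR-StagingPath=$newStaging")) {
        $sub = [ADSI]"LDAP://$subDn"
        $sub.Put('msDFSR-RootPath', $newDomain)
        $sub.Put('msDFSR-StagingPath', $newStaging)
        $sub.SetInfo()
    }

    # Row 4: <NewRoot>\sysvol\<fqdn> must be a junction to <NewRoot>\domain.
    $junction = Join-Path -Path $newShare -ChildPath $fqdn
    if ($PSCmdlet.ShouldProcess($junction, "junction -> $newDomain")) {
        if (Test-Path -LiteralPath $junction) {
            $item = Get-Item -LiteralPath $junction -Force
            if (-not ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint)) {
                # robocopy follows junctions, so a real copy of the domain folder may
                # sit here; do not delete data silently, let the administrator decide.
                throw "$junction is a real directory, not a junction; move it aside and rerun."
            }
            [System.IO.Directory]::Delete($junction)   # removes only the reparse point
        }
        New-Item -ItemType Junction -Path $junction -Value $newDomain | Out-Null
    }

    # Row 3 plus SysvolReady: point Netlogon at the new share and keep SYSVOL
    # unadvertised (SysvolReady = 0) until the new paths have been initialised.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    if ($PSCmdlet.ShouldProcess($key, "SysVol=$newShare; SysvolReady=0")) {
        Set-ItemProperty -Path $key -Name 'SysVol'      -Value $newShare -Type String
        Set-ItemProperty -Path $key -Name 'SysvolReady' -Value 0         -Type DWord
    }
}

# Dry run first; drop -WhatIf to apply. The path is a placeholder.
Set-SysvolLocation -NewRoot 'D:\ContosoRoot\SYSVOL' -WhatIf
```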

Reapply Default SYSVOL Security Settings
When you relocate the entire SYSVOL directory, you can use a robocopy command that transfers all security settings with the files when you copy them. Therefore, when you use the procedure in Administering the Windows Time Service to relocate SYSVOL, updating security settings is not required. However, if security settings are in question, you can use this procedure to reapply the default security settings to SYSVOL folders. The settings will be the equivalent of the settings that are set by default during installation of Active Directory Domain Services (AD DS). If additional security settings have been applied to SYSVOL folders since AD DS was installed, you must reapply those settings manually after you complete this procedure.

Caution
Failure to reapply security changes that were made after AD DS was installed might result in unauthorized access to logon and logoff scripts and Group Policy objects (GPOs).

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To reapply default SYSVOL security settings
1. Click Start, click Run, type regedit, and then press ENTER.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. Double-click SysVol, and note the path in Value data.
3. In Control Panel, double-click System.
4. Under Tasks, click Advanced System Settings.
5. On the Advanced tab, click Environment Variables.
6. Under System Variables, click New.
7. For Variable name, type sysvol.
8. For Variable value, type the path that you noted in step 2.
9. Click OK twice. Click OK again to close System Properties.
10. Open Notepad, and then enter the following information:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Profile Description]
Description=default perms for sysvol
[File Security]
"%SystemRoot%\SYSVOL",0,"D:AR(A;OICI;FA;;;BA)"
"%Sysvol%",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
"%Sysvol%\domain\policies",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;PA)"

Use this file to apply the security settings to the new SYSVOL folders.

Note
Do not include a space between the sets of parentheses.

11. Save this file as Sysvol.inf.
12. Open a new Command Prompt. Do not use an existing command prompt that has been open on your desktop because it will not have the proper environment settings. Change the directory to the folder where you saved the Sysvol.inf file in step 11.
13. At the new command prompt, type the following command all on one line, and then press ENTER:

secedit /configure /cfg <path>\sysvol.inf /db <path>\sysvol.db /overwrite

Parameter                              Description
/configure                             Performs directed configurations.
/cfg <path> (to security template)     Specifies the path where you saved Sysvol.inf in step 11.
/db <path> (to database)               Specifies the path to the database that is used to perform the security configuration.
/overwrite                             Specifies that the database should be emptied before it is imported into the security template. If this parameter is not specified, the settings in the security template are accumulated into the database. If this parameter is not specified and there are conflicting settings in the database and the template that is being imported, the template settings take precedence.

Start the DFS Replication Service and Netlogon Service
After you relocate the SYSVOL tree or the SYSVOL staging area, or both, use this procedure to restart the Distributed File System (DFS) Replication service, the Netlogon service, or both. After you restart the service or services, review the event log to ensure that the services restarted successfully. You can use the Windows graphical user interface (GUI) or the command line to start the DFS Replication service and the Netlogon service.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To start the DFS Replication service or Netlogon service, or both, by using the Windows GUI
1. On the Start menu, point to Administrative Tools and then click Services.
2. In the Name column, right-click DFS Replication or Netlogon, and then click Restart.

To start the DFS Replication service or Netlogon service, or both, by using the command line
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. To start the DFS Replication service, at the command prompt, type the following command, and then press ENTER:

net start dfsr

3. To start the Netlogon service, at the command prompt, type the following command, and then press ENTER:

net start netlogon

Notes
• You can use Event Viewer to verify that DFS Replication restarted correctly. In the DFS Replication log (in Applications and Services Logs), Event ID 1004 indicates that the service restarted. Look for Event IDs 1210, 1206, and 6102 to verify that the domain controller is running and ready for service. If you moved SYSVOL to a new location or relocated the staging areas folder, look for Event IDs 4604 and 6018, which indicate success. Event ID 7036 in the System event log reports that the Netlogon service is running. This event reports on all services that are stopped or started.
• Also verify that the Netlogon service is sharing the sysvol (SYSVOL share) and scripts (NETLOGON share) folders. At a command prompt, type net share, and then press ENTER.
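The restart and the event and share checks in the notes can be combined into one step. The following PowerShell function is an added example, not code from the guide; it assumes an elevated session on the domain controller, waits for the event IDs listed above, and reports the SYSVOL and NETLOGON share paths together with the SysvolReady value.

```powershell
# Added example, not from the guide: start DFS Replication and Netlogon, wait
# for the event IDs the notes above name, and check the SYSVOL and NETLOGON
# shares (the PowerShell equivalent of "net start", Event Viewer and "net
# share"). Assumes an elevated session on the DC.

function Start-SysvolServices {
    param([int]$TimeoutSeconds = 180)   # DFSR can take a while to log 4604/6018

    $since = (Get-Date).AddSeconds(-5)
    Start-Service -Name DFSR
    Start-Service -Name Netlogon

    # DFS Replication log: 1004 service started; 1210, 1206, 6102 DC ready for
    # service; 4604 and 6018 SYSVOL relocation succeeded. System log: 7036 from
    # the Service Control Manager, filtered to the Netlogon "running" entry.
    $wanted   = 1004, 1206, 1210, 6102, 4604, 6018
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $seen = @{}
        Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; StartTime = $since } -ErrorAction SilentlyContinue |
            ForEach-Object { $seen[[int]$_.Id] = $true }
        $netlogonUp = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7036; StartTime = $since } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'Netlogon' -and $_.Message -match 'running' }
        if ($netlogonUp) { $seen[7036] = $true }
        $missing = @(($wanted + 7036) | Where-Object { -not $seen.ContainsKey($_) })
        if ($missing.Count -gt 0) { Start-Sleep -Seconds 10 }
    } while ($missing.Count -gt 0 -and (Get-Date) -lt $deadline)

    # Netlogon must share <root>\sysvol as SYSVOL and sysvol\<fqdn>\scripts as NETLOGON.
    $shares = Get-WmiObject -Class Win32_Share | Where-Object { $_.Name -in 'SYSVOL', 'NETLOGON' }
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

    [pscustomobject]@{
        EventsSeen    = (($seen.Keys | Sort-Object) -join ', ')
        EventsMissing = ($missing -join ', ')
        SysvolShare   = ($shares | Where-Object { $_.Name -eq 'SYSVOL' }).Path
        NetlogonShare = ($shares | Where-Object { $_.Name -eq 'NETLOGON' }).Path
        SysvolReady   = $params.SysvolReady   # 0 was set before the move; back to 1 once DFSR has initialised SYSVOL
        Healthy       = ($missing.Count -eq 0 -and $shares.Count -eq 2)
    }
}

Start-SysvolServices | Format-List
```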

Force Replication Between Domain Controllers
You can use this procedure to force Active Directory replication to occur between two domain controllers on a one-time basis when you want changes to be replicated from the server that received the changes to a server in another site sooner than the site link schedule allows. As an alternative, you can synchronize replication with all replication partners.
Membership in Enterprise Admins, or equivalent, is required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To force replication over a connection
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand Sites, and then expand the site to which you want to force replication from the updated server.
3. Expand the Servers container to display the list of servers that are currently configured for that site.
4. Expand the server objects and click their NTDS Settings objects to display their connection objects in the details pane. Find a server that has a connection object from the server on which you made the updates.
5. Click NTDS Settings below the server object. In the details pane, right-click the connection object whose From Server is the domain controller that has the updates that you want to replicate, and then click Replicate Now.
6. When the Replicate Now message box appears, review the information, and then click OK.

See Also
Synchronize Replication with All Partners

Updating the SYSVOL Path
When you add or remove disk drives, the logical drive letters of the other drives on the system can change. If either your %systemroot%\SYSVOL\sysvol folder or your %systemroot%\SYSVOL\staging areas folder is located on one of the drives whose letter changes, Distributed File System (DFS) Replication cannot locate these folders. To solve this problem, you must update the paths that DFS Replication uses to locate these folders. Before you update SYSVOL path information, you must stop the DFS Replication service and the Netlogon service. To change the path for the %systemroot%\SYSVOL\sysvol root folder and staging areas folder, you update path values in Active Directory Domain Services (AD DS). You also update the registry to change the path to the %systemroot%\SYSVOL\sysvol shared folder that is used by the Netlogon service. In addition, you must update the junction point that references the %systemroot%\SYSVOL\domain folder in the SYSVOL tree. The junction point that references the domain folder in the staging areas subdirectory (%systemroot%\SYSVOL\staging areas\DomainName) is updated automatically when you restart DFS Replication and Netlogon. After you update the path information, when you restart DFS Replication and Netlogon, the new path values are initialized. To be sure that SYSVOL is not advertised on the network before the new paths are initialized, you must also modify the SysvolReady Netlogon parameter while the services are stopped. You can make this change at the same time you update the SysVol Netlogon path in the registry.

Task requirements
The following tools are required to perform the procedures for this task:
• Net.exe
• ADSI Edit
• Regedit.exe
• Dir.exe
• Mklink.exe

To complete this task, perform the following procedures in order:
1. Gather the SYSVOL Path Information
2. Stop the DFS Replication Service and Netlogon Service
3. Change the SYSVOL Netlogon Parameters
4. Create the SYSVOL Root Junction Point
5. Start the DFS Replication Service and Netlogon Service

Gather the S2S5O+ %ath Information
$hen ou relocate the SESB4+ tree or staging areas subtree( it is helpful to record the current and ne% values for the path locations in the SESB4+ tree that are reFuired for SESB4+ to function& > recording these values in advance( ou can facilitate the move process& $hen ou move SESB4+( ou first cop the folder structure to a ne% location& Then( ou update the locations %here folder paths are specified: ,unction points in the file s stem( 9etlogon parameters in the registr ( and attributes in Active Director Domain Services "AD DS#& As an option( ou can relocate the staging areas subtree and leave the rest of the SESB4+ tree at its original location& 'n this case( ou must update an attribute in AD DS( but the ,unction point for the staging areas folder is updated automaticall & Eou also have to record this path information %hen ou are rebuilding SESB4+ on one domain controller b importing the SESB4+ of another domain controller& Note The instructions in this procedure relate to domains in %hich Distributed =ile S stem "D=S# *eplication is used to replicate SESB4+& =or information about relocating SESB4+ %hen ou use =ile *eplication Service "=*S#( see *elocating SESB4+ Manuall "http:33go&microsoft&com3f%lin03P+in0'dQ6228?0#& =or more information about the folder structure and the relationships bet%een the folders and the path information that is stored in the registr ( AD DS( and the SESB4+ director itself( see 'ntroduction to Administering D=S/*eplicated SESB4+& Eou can use these procedures to locate the SESB4+ path information and then record the values in the follo%ing table& )se the ro%s and columns in the table according to the goals of our procedure& *ecord the current values and also the ne% values if ou are moving the SESB4+ tree or the staging areas subtree or if ou are rebuilding SESB4+: • *elocating the entire SESB4+ tree: *ecord the current and ne% path values in ro%s 6 through 8&

6A2

• *elocating the staging areas subtree onl : *ecord the current and ne% path values in ro%s 2 and 8& • *estoring and rebuilding SESB4+: *ecord path information as follo%s: • *ecord the current values from the domain controller that ou are restoring in ro%s 6( 2( and 7& • 'n the Current 5alue column in ro%s A and 8( record the values in the ,unction points that are located on the domain controller from %hich ou are cop ing the SESB4+ folder structure& • 'n the New 5alue column in ro%s A and 8( record the values in the ,unction points that are located on the domain controller %hose SESB4+ ou are rebuilding&
%arameter Current value New value

6 2 7 A 8

msD=S*/*ootPath in AD DS msD=S*/StagingPath in AD DS S sBol 9etlogon parameter in the registr S svol ,unction point Staging areas ,unction point

o gather the S2S5O+ path information
Perform the follo%ing procedures to gather values for SESB4+ paths and record the data in the preceding table& Membership in Domain Admins( or eFuivalent( is the minimum reFuired to complete this procedure& *evie% details about using the appropriate accounts and group memberships at http:33go&microsoft&com3f%lin03P+in0'dQ87A<<& o determine the msD#S4-4oot%ath and the msD#S4-Staging%ath values in AD DS 6& Clic0 Start( point to Administrative ools( and then clic0 ADSI .dit& 2& *ight/clic0 ADSI .dit( and then( if the domain %hose path information ou %ant to chec0 is not listed( clic0 Connect to& 7& )nder Connection %oint( clic0 Select a well known Naming Conte/t( clic0 Default naming conte/t( and then clic0 O(& A& 'n the tree vie%( e-pand the domain component( and then e-pand O3DDomain Controllers& 6A7

5. Double-click the container that represents a domain controller on which you can check the path information, double-click CN=DFSR-LocalSettings, and then click CN=Domain System Volume.
6. In the details pane, right-click CN=SYSVOL Subscription, and then click Properties.
7. Click Filter. Ensure that Show mandatory attributes is selected. Select this option if it is not selected.
8. In Attributes, locate msDFSR-RootPath and msDFSR-StagingPath, and then record the current values in rows 1 and 2, respectively, in the previous table. If you are moving SYSVOL, also record the new values for the new location in both rows. If you are moving only the staging areas subtree, record the new path value in row 2.
9. Click Cancel to close the CN=SYSVOL Subscription Properties dialog box.

To determine the SysVol Netlogon parameter value in the registry
1. Click Start, click Run, type regedit, and then press ENTER.
2. In Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. In the details pane, double-click SysVol. The current value is listed in Value data.
4. Record the current value in row 3 of the previous table, and then click Cancel to close the Edit String dialog box. If you are moving SYSVOL, also record the new value for the new location.
5. Close Registry Editor.

To determine the value in the sysvol junction point
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, change the directory to %systemroot%\SYSVOL\sysvol, or to the current location if SYSVOL has been moved from the default location.
3. To view the junction point for the sysvol folder, at the command prompt, type the following command, and then press ENTER (the /a:L attribute lists only reparse points, so the junction is the only entry shown):
dir /a:L
4. Record the current value in row 4 in the previous table. If you are moving SYSVOL, also record the new value for the new location.

To determine the value in the staging areas junction point
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, change the directory to "%systemroot%\SYSVOL\staging areas" (the folder name contains a space, so quote it), or to the current location if the staging areas subtree has been moved from the default location.
3. To view the junction point for the staging areas folder, at the command prompt, type the following command, and then press ENTER:
dir /a:L
4. The output identifies the <JUNCTION> folder type and, in brackets, the value that is stored in the staging areas junction point. The target is shown with the drive letter expanded; for example, the default value is %systemroot%\SYSVOL\staging\domain, shown as C:\Windows\SYSVOL\staging\domain on a default installation (or %systemroot%\SYSVOL_DFSR\staging\domain if SYSVOL has been migrated from FRS to DFS Replication). Record the current value in row 5 of the previous table. If you are moving SYSVOL or the staging areas subtree, also record the new value for the new location.

Stop the DFS Replication Service and Netlogon Service
You can use this procedure to stop the Distributed File System (DFS) Replication service and the Netlogon service when you are performing offline updates to the SYSVOL tree. The Netlogon service advertises the server as a domain controller by sharing out the SYSVOL folder, so while Netlogon is stopped the server is not advertised to clients; plan these steps within a maintenance window. Both services must stay stopped until the updates to the SYSVOL path information are complete and the SYSVOL junction point has been updated for the new location. You can use the Windows graphical user interface (GUI) or the command line to stop the DFS Replication service and the Netlogon service.
Note
The staging path junction point is updated automatically when DFS Replication is restarted.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To stop the DFS Replication service or Netlogon service, or both, by using the Windows GUI
1. On the Start menu, point to Administrative Tools, and then click Services.
2. In the Name column, right-click DFS Replication or Netlogon, and then click Stop.

To stop the DFS Replication service and the Netlogon service by using the command line
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
net stop dfsr
3. At the command prompt, type the following command, and then press ENTER:
net stop netlogon

After you move or restore SYSVOL, when you update the SYSVOL Netlogon path in the registry, you must also update the SysvolReady parameter in Netlogon parameters, as described in Change the SYSVOL Netlogon Parameters.

Change the SYSVOL Netlogon Parameters
When you are relocating the SYSVOL tree, you can use this procedure to update the registry parameter that the Netlogon service uses to discover the path to the SYSVOL\sysvol shared folder. Netlogon advertises the shared folder location based on this registry entry. The default value in this entry is %systemroot%\SYSVOL\sysvol (for example, C:\Windows\SYSVOL\sysvol). If you move the SYSVOL tree to a different folder or drive, or both, or if only the drive letter changes as a result of hardware updates, you must update this Netlogon parameter. When you update the SysVol Netlogon parameter in the registry, you must also set the SysvolReady Netlogon parameter to 0 so that SYSVOL is not advertised until all new path values have been initialized. DFS Replication sets SysvolReady back to 1 when it has initialized the SYSVOL replicated folder.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To change the SYSVOL Netlogon parameters
1. Click Start, click Run, type regedit, and then press ENTER.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. Right-click SysVol, and then click Modify.
4. In the Value data box, type the new path, including the drive letter, and then click OK.
5. Right-click SysvolReady, and then click Modify.
6. In the Value data box, type 0, and then click OK.
7. Close Registry Editor.
Note
The path in the SysVol registry entry points to the sysvol shared folder, which is located inside the parent SYSVOL folder under the root (by default, %systemroot%\SYSVOL\sysvol). When you update the path, ensure that it still identifies the sysvol shared folder within the parent SYSVOL folder. If you have moved the SYSVOL tree, the root folder changes. Be sure to also change the drive letter to its new value if that has changed.

Create the SYSVOL Root Junction Point
If you move the SYSVOL tree, you must create a junction point that is named for the fully qualified domain name (FQDN) of the domain. You create this junction point under <NewLocationForSYSVOL>\sysvol. The junction point must point to <NewLocationForSYSVOL>\domain. If you move the tree or if hardware reconfiguration results in a change in the drive letter, you must recreate the SYSVOL junction point for the new location. To perform this procedure, you can use the mklink command, which is built into the Windows Server 2008 command interpreter (Cmd.exe). mklink does not overwrite an existing entry: if a stale junction with the same name already exists at the new location, remove it first with rmdir <FQDN>, which removes only the junction, not the folder it points to.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To create the sysvol root junction point
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, change the directory to the new sysvol root location, for example, FolderName\SYSVOL\sysvol.
3. To create the junction point for the sysvol root, at the command prompt, type the following command, and then press ENTER:
mklink /J <FQDN> <New sysvol root junction path>

Example:
mklink /J contoso.com D:\ContosoRoot\SYSVOL\domain

Parameter                                         Definition
mklink /J <FQDN> <New sysvol root junction path>  Creates a junction point for the specified domain in the specified path location.
<FQDN>                                            The fully qualified domain name of the SYSVOL domain.
<New sysvol root junction path>                   The drive letter and path to the SYSVOL root, for example, Drive:\FolderName\SYSVOL\domain, or Drive:\FolderName\SYSVOL_DFSR\domain if SYSVOL has been migrated from File Replication Service (FRS) to Distributed File System (DFS) Replication.

4. To verify the creation of the junction point, at the command prompt, type the following command, and then press ENTER:
dir /a:L

Verify the presence of the <JUNCTION> folder type and the value that you specified in step 3.
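The two procedures above (Change the SYSVOL Netlogon Parameters and Create the SYSVOL Root Junction Point) as one script. This is an added example and not part of the Microsoft guide. It assumes an elevated Windows PowerShell prompt on the domain controller, that the SYSVOL tree has already been copied to the new root with the default layout (<root>\sysvol and <root>\domain; pass the SYSVOL_DFSR root for a tree migrated from FRS), and that DFSR and Netlogon are stopped. It does not update the msDFSR-RootPath and msDFSR-StagingPath attributes in AD DS, which the relocation task handles separately.

```powershell
# Added example (not part of the guide): with the SYSVOL tree already copied to
# its new root and DFSR/Netlogon stopped, update the two Netlogon registry
# values and recreate the FQDN junction, then verify it with dir /a:L.
# Assumptions: elevated Windows PowerShell on the DC; default SYSVOL layout
# under the new root (<root>\sysvol, <root>\domain); AD DS attributes are
# updated elsewhere.
param([Parameter(Mandatory = $true)][string]$NewSysvolRoot)   # e.g. D:\ContosoRoot\SYSVOL

$paramsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$sharePath  = Join-Path $NewSysvolRoot 'sysvol'    # what Netlogon shares as SYSVOL
$domainPath = Join-Path $NewSysvolRoot 'domain'    # what the FQDN junction must point at
$domainDn   = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
$fqdn       = ($domainDn -replace 'DC=', '') -replace ',', '.'   # DC=contoso,DC=com -> contoso.com

# Refuse to continue while either service runs: Netlogon would advertise a
# half-updated tree and DFSR would keep writing to the old paths.
foreach ($name in 'DFSR', 'Netlogon') {
    if ((Get-Service -Name $name).Status -ne 'Stopped') { throw "$name is still running; stop it first" }
}
foreach ($folder in $sharePath, $domainPath) {
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) { throw "Expected folder is missing: $folder" }
}

# 'Change the SYSVOL Netlogon Parameters', steps 3 to 6: new share path,
# and SysvolReady=0 so nothing is advertised until DFSR has initialized.
Set-ItemProperty -Path $paramsKey -Name SysVol -Value $sharePath
Set-ItemProperty -Path $paramsKey -Name SysvolReady -Value 0

# 'Create the SYSVOL Root Junction Point'. mklink refuses to overwrite, so drop
# a stale junction of the same name first; rmdir on a junction removes only the link.
$junction = Join-Path $sharePath $fqdn
if (Test-Path -LiteralPath $junction) { cmd.exe /c rmdir "$junction" | Out-Null }
cmd.exe /c mklink /J "$junction" "$domainPath" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "mklink /J failed for $junction" }

# Step 4: the listing must show <JUNCTION> with the new domain path in brackets.
$entry = cmd.exe /c dir /a:L "$sharePath" |
         Where-Object { $_ -match '<JUNCTION>' -and $_ -match [regex]::Escape("[$domainPath]") }
if (-not $entry) { throw "Junction $junction does not point at $domainPath" }

$after = Get-ItemProperty -Path $paramsKey
New-Object PSObject -Property @{
    SysVol      = $after.SysVol
    SysvolReady = $after.SysvolReady
    Junction    = [string]$entry
}
```

Run it as `.\Update-SysvolLocation.ps1 -NewSysvolRoot D:\ContosoRoot\SYSVOL` (the file name is a suggestion). The service check at the top is deliberate: the guide's order, stop services first and start them only after every path value is updated, is what keeps Netlogon from advertising a SYSVOL whose junction still points at the old drive.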

Start the DFS Replication Service and Netlogon Service
After you relocate the SYSVOL tree or the SYSVOL staging area, or both, use this procedure to restart the Distributed File System (DFS) Replication service, the Netlogon service, or both. After you restart the service or services, review the event log to ensure that the services restarted successfully. You can use the Windows graphical user interface (GUI) or the command line to start the DFS Replication service and the Netlogon service.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To start the DFS Replication service or Netlogon service, or both, by using the Windows GUI
1. On the Start menu, point to Administrative Tools, and then click Services.
2. In the Name column, right-click DFS Replication or Netlogon, and then click Start (or Restart if the service is already running).

To start the DFS Replication service or Netlogon service, or both, by using the command line
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. To start the DFS Replication service, at the command prompt, type the following command, and then press ENTER:
net start dfsr
3. To start the Netlogon service, at the command prompt, type the following command, and then press ENTER:
net start netlogon

Notes
• You can use Event Viewer to verify that DFS Replication restarted correctly. In the DFS Replication log (in Applications and Services Logs), Event ID 1004 indicates that the service restarted. Look for Event IDs 1210, 1206, and 6102 to verify that the domain controller is running and ready for service. If you moved SYSVOL to a new location or relocated the staging areas folder, look for Event IDs 4604 and 6015, which indicate success. Event ID 7036 in the System event log reports that the Netlogon service is running. This event is logged for every service that is stopped or started, so check that the message names the Netlogon service.
• Also verify that the Netlogon service is sharing the sysvol (SYSVOL share) and scripts (NETLOGON share) folders. At a command prompt, type net share, and then press ENTER.
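The restart and the checks in the notes above as one script, so the restart is verified rather than assumed. This is an added example and not part of the Microsoft guide. It assumes an elevated Windows PowerShell 2.0 or later prompt on the domain controller and English event text; the -AfterMove switch adds the 4604/6015 check for a relocated SYSVOL or staging area, and the ten-minute lookback window is an assumption.

```powershell
# Added example (not part of the guide): start DFSR and Netlogon, then check
# the event IDs and shares from the notes above. Assumptions: elevated Windows
# PowerShell 2.0+ on the DC, English event messages, a ten-minute lookback.
param([switch]$AfterMove)

Start-Service -Name DFSR
Start-Service -Name Netlogon
$since = (Get-Date).AddMinutes(-10)

function Get-SeenEventIds {
    # Returns the subset of $Ids logged to $Log since $since. Get-WinEvent
    # raises an error instead of returning nothing when no event matches.
    param([string]$Log, [int[]]$Ids)
    try {
        $events = Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = $Ids; StartTime = $since } -ErrorAction Stop
        return @($events | Select-Object -ExpandProperty Id -Unique)
    } catch { return @() }
}

# DFS Replication log: 1004 service started; 1210, 1206, 6102 ready for service;
# 4604 and 6015 only expected after a relocation.
$expected = @{ 'DFS Replication' = @(1004, 1206, 1210, 6102) }
if ($AfterMove) { $expected['DFS Replication'] += 4604, 6015 }
$missing = @()
foreach ($log in $expected.Keys) {
    $seen = Get-SeenEventIds -Log $log -Ids $expected[$log]
    $missing += $expected[$log] | Where-Object { $seen -notcontains $_ } | ForEach-Object { "$log/$_" }
}

# System log 7036 is written for every service state change, so match the
# message on the service name and the 'running' state.
$scm = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7036; StartTime = $since } -ErrorAction SilentlyContinue |
       Where-Object { $_.Message -match 'Netlogon' -and $_.Message -match 'running' }
if (-not $scm) { $missing += 'System/7036 (Netlogon running)' }

# The 'net share' check: Netlogon must publish both SYSVOL and NETLOGON.
$shares = Get-WmiObject -Class Win32_Share | Where-Object { 'SYSVOL', 'NETLOGON' -contains $_.Name }
foreach ($name in 'SYSVOL', 'NETLOGON') {
    if (-not ($shares | Where-Object { $_.Name -eq $name })) { $missing += "share $name" }
}
# DFSR flips SysvolReady back to 1 once the replicated folder is initialized.
$ready = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').SysvolReady

if ($missing) { Write-Warning ('Not verified: ' + ($missing -join ', ')) }
New-Object PSObject -Property @{
    DFSR        = (Get-Service -Name DFSR).Status
    Netlogon    = (Get-Service -Name Netlogon).Status
    SysvolReady = $ready
    Shares      = @($shares | ForEach-Object { "$($_.Name)=$($_.Path)" })
    Missing     = $missing
}
```

An empty Missing list together with SysvolReady = 1 and both shares present is the state the guide's notes describe; anything else means the domain controller is not yet advertising a usable SYSVOL and should not be returned to service.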

Restoring and Rebuilding SYSVOL
A domain controller cannot function without a properly shared and replicating SYSVOL. If your efforts to move SYSVOL or perform certain maintenance tasks fail and SYSVOL is not replicating, you must recreate (rebuild) SYSVOL on the domain controller. Attempt to rebuild SYSVOL on a domain controller only when all other domain controllers in the domain have a healthy and functioning SYSVOL. Do not attempt to rebuild SYSVOL until you correct any problems that may be occurring with Distributed File System (DFS) Replication in the domain. Use the procedures in this section only on a domain controller that does not have a functioning SYSVOL.
Task requirements
The following tools are required to perform the procedures for this task:
• Active Directory Sites and Services
• Event Viewer
• Dcdiag.exe
• ADSI Edit
• Net.exe
• Regedit.exe
• Windows Explorer
• mklink (built into Cmd.exe)

To complete this task, perform the following procedures in order:
1. Identify Replication Partners. You will import the SYSVOL from a replication partner.
2. Check the Status of the SYSVOL and Netlogon Shares. Perform this procedure on the replication partner from which you are copying SYSVOL to make sure that the SYSVOL tree that you copy from the partner is shared and replicating properly.
3. Verify Active Directory Replication. Verify that replication is working on both replication partners.
4. Gather the SYSVOL Path Information.
5. Restart the domain controller in Directory Services Restore Mode (DSRM) by using one of the following methods:
   • Restart the Domain Controller in Directory Services Restore Mode Locally. If you are sitting at the console of the domain controller, restart the domain controller locally in DSRM.
   • Restart the Domain Controller in Directory Services Restore Mode Remotely. If you are accessing the domain controller remotely by using Remote Desktop Connection, restart the domain controller remotely in DSRM.
6. Stop the DFS Replication Service and Netlogon Service. In DSRM, the DFS Replication service is stopped automatically. You have to stop only the Netlogon service. Both services restart automatically when you restart the domain controller normally after you complete the procedure to import the SYSVOL folder structure.
7. Import the SYSVOL Folder Structure.
8. Check the Status of the SYSVOL and Netlogon Shares.

Identify Replication Partners
You can use this procedure to examine the connection objects for a domain controller and identify its replication partners.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To identify replication partners
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, double-click the Sites container to display the list of sites.
3. Double-click the site that contains the domain controller for which you want to determine connection objects.
Note
If you do not know the site in which the domain controller is located, open a command prompt and type ipconfig to get the IP address of the domain controller. Compare that IP address with the subnet objects in the Subnets container to find the subnet that it maps to, and then check which site that subnet is associated with.
4. Double-click the Servers folder to display the list of servers in that site.
5. Double-click the server object for the domain controller whose replication partners you want to identify to display its NTDS Settings object.
6. Click the NTDS Settings object to display the list of connection objects in the details pane. (These objects represent inbound connections that are used for replication to the server.) The From Server column displays the names of the domain controllers that are source replication partners for the selected server object.
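The same lookup done with a script, which is useful when you have many sites or want the partner list in a runbook. This is an added example and not part of the Microsoft guide. It uses only System.DirectoryServices, so it runs on Windows Server 2008 without the ActiveDirectory module, and it assumes that the domain controller's server object under CN=Sites carries the domain controller's host name, which is the default.

```powershell
# Added example (not part of the guide): list the inbound connection objects
# under a DC's NTDS Settings object and resolve each fromServer value to the
# partner's name and site, i.e. what the From Server column shows.
# Assumptions: System.DirectoryServices only; the server object is named after
# the DC (the default).
param([string]$DcName = $env:COMPUTERNAME)

$configDn = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configDn"
$searcher.Filter     = "(&(objectClass=server)(cn=$DcName))"
$server = $searcher.FindOne()
if (-not $server) { throw "No server object named $DcName under CN=Sites,$configDn" }
$serverDn = [string]$server.Properties['distinguishedname'][0]
# CN=<DC>,CN=Servers,CN=<Site>,CN=Sites,... so the site is the third RDN.
$site = (($serverDn -split ',')[2] -replace '^CN=', '')

# Inbound connection objects live one level below CN=NTDS Settings.
$searcher.SearchRoot  = [ADSI]"LDAP://CN=NTDS Settings,$serverDn"
$searcher.SearchScope = 'OneLevel'
$searcher.Filter      = '(objectClass=nTDSConnection)'
$partners = foreach ($conn in $searcher.FindAll()) {
    # fromServer is the DN of the partner's NTDS Settings object:
    # CN=NTDS Settings,CN=<partner>,CN=Servers,CN=<site>,CN=Sites,...
    $from = ([string]$conn.Properties['fromserver'][0]) -split ','
    New-Object PSObject -Property @{
        Connection = [string]$conn.Properties['cn'][0]
        FromServer = ($from[1] -replace '^CN=', '')
        FromSite   = ($from[3] -replace '^CN=', '')
    }
}
if (-not $partners) {
    throw "$DcName (site $site) has no inbound connection objects; there is no partner to copy SYSVOL from"
}
$partners | Select-Object Connection, FromServer, FromSite
```

A partner in the same site is the natural source for the SYSVOL copy in the later import step; a partner whose only connection is cross-site is still valid, but its SYSVOL is the one to check for share status and replication health before anything is copied from it.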

Check the Status of the SYSVOL and Netlogon Shares
You can use this procedure to make sure that the Distributed File System (DFS) Replication service is started properly and then ensure that the sysvol shared folder and the netlogon (scripts) shared folder are created and shared. For information about checking SYSVOL status for File Replication Service (FRS), see the Windows Server 2003 topic Check the status of the shared SYSVOL (http://go.microsoft.com/fwlink/?LinkId=120774).
Membership in Domain Admins, or equivalent, is required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To check the status of the SYSVOL and Netlogon shares
1. On the Start menu, point to Administrative Tools, and then click Services.
2. Verify that the DFS Replication service and the Netlogon service have a status of Started. If a service is stopped, right-click it, and then click Start.
3. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
4. To verify that the SYSVOL tree includes the sysvol and scripts shared folders, at the command prompt, type the following command, and then press ENTER:
net share
5. Check the list to be sure that it includes %systemroot%\SYSVOL\sysvol\ (the SYSVOL share) and %systemroot%\SYSVOL\sysvol\<Domain Name>\SCRIPTS (the NETLOGON share), where <Domain Name> is the domain of the new domain controller.
Note
If neither %systemroot%\SYSVOL\sysvol\ nor %systemroot%\SYSVOL\sysvol\<Domain Name>\SCRIPTS is present, see Verify Active Directory Replication.
6. Verify that the proper permissions are set for SYSVOL replication. At the command prompt, type the following command, and then press ENTER:
dcdiag /test:netlogons

Look for a message that states that <ComputerName> passed test NetLogons, where <ComputerName> is the name of the domain controller. If you do not see the "passed test" message, check the permissions that are set on the Scripts and Sysvol shared folders. For information about default SYSVOL permissions, see Reapply Default SYSVOL Security Settings.

Verify Active Directory Replication
You can use this procedure to verify that Active Directory replication is functioning properly on a domain controller.
Membership in Domain Admins, or equivalent, is required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To verify Active Directory replication
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
dcdiag /test:replications

Note
For more detailed replication information, use the /v option.

If this test fails, open Event Viewer and check for errors in the Directory Service log. Use the information in the ActiveDirectory_DomainService replication events to troubleshoot the problem.
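The two dcdiag checks above (NetLogons in Check the Status of the SYSVOL and Netlogon Shares, and Replications here) wrapped so that a rebuild runbook stops when either fails. This is an added example and not part of the Microsoft guide. It assumes an elevated Windows PowerShell prompt on the domain controller, dcdiag.exe on the path (it is installed with the AD DS role on Windows Server 2008), and English dcdiag output; the function and parameter names are the example's own.

```powershell
# Added example (not part of the guide): run dcdiag tests and turn the
# "passed test"/"failed test" summary line into an object. Assumptions:
# dcdiag.exe on the path, English output, elevated prompt on the DC.
function Invoke-DcdiagTest {
    param([Parameter(Mandatory = $true)][string]$Test, [switch]$Detailed)
    $cmdArgs = @("/test:$Test")
    if ($Detailed) { $cmdArgs += '/v' }     # the /v option from the note above
    $output = @(& dcdiag.exe @cmdArgs 2>&1 | ForEach-Object { [string]$_ })
    # Summary lines look like "......................... DC1 passed test NetLogons".
    $pattern = '\s(\S+)\s+(passed|failed)\s+test\s+(\S+)'
    $summary = $output | Where-Object { $_ -match $pattern } | Select-Object -Last 1
    $passed = $false; $computer = $null; $name = $Test
    if ($summary -and ($summary -match $pattern)) {
        $computer = $Matches[1]; $passed = ($Matches[2] -eq 'passed'); $name = $Matches[3]
    }
    New-Object PSObject -Property @{ Computer = $computer; Test = $name; Passed = $passed; Output = $output }
}

# NetLogons covers the SYSVOL/NETLOGON shares and their permissions;
# Replications covers Active Directory replication on this DC.
$results = @(
    (Invoke-DcdiagTest -Test netlogons),
    (Invoke-DcdiagTest -Test replications)
)
$results | Select-Object Computer, Test, Passed

$failed = $results | Where-Object { -not $_.Passed }
if ($failed) {
    # Show the failing test's full text; rerun with -Detailed for dcdiag /v output.
    $failed | ForEach-Object { $_.Output }
    throw 'dcdiag reported a failure; fix it before copying or rebuilding SYSVOL'
}
```

Run it on the replication partner before copying its SYSVOL and again on the rebuilt domain controller afterwards; a NetLogons failure on the partner usually means its SYSVOL permissions are wrong, and copying that tree would propagate the problem.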

Gather the SYSVOL Path Information
When you relocate the SYSVOL tree or the staging areas subtree, it is helpful to record the current and new values for the path locations in the SYSVOL tree that are required for SYSVOL to function. By recording these values in advance, you can facilitate the move process. When you move SYSVOL, you first copy the folder structure to a new location. Then, you update the locations where folder paths are specified: junction points in the file system, Netlogon parameters in the registry, and attributes in Active Directory Domain Services (AD DS). As an option, you can relocate the staging areas subtree and leave the rest of the SYSVOL tree at its original location. In this case, you must update an attribute in AD DS, but the junction point for the staging areas folder is updated automatically. You also have to record this path information when you are rebuilding SYSVOL on one domain controller by importing the SYSVOL of another domain controller.
Note
The instructions in this procedure relate to domains in which Distributed File System (DFS) Replication is used to replicate SYSVOL. For information about relocating SYSVOL when you use File Replication Service (FRS), see Relocating SYSVOL Manually (http://go.microsoft.com/fwlink/?LinkId=122890).
For more information about the folder structure and the relationships between the folders and the path information that is stored in the registry, AD DS, and the SYSVOL directory itself, see Introduction to Administering DFS-Replicated SYSVOL.
You can use these procedures to locate the SYSVOL path information and then record the values in the following table. Use the rows and columns in the table according to the goals of your procedure. Record the current values and also the new values if you are moving the SYSVOL tree or the staging areas subtree or if you are rebuilding SYSVOL:
• Relocating the entire SYSVOL tree: Record the current and new path values in rows 1 through 5.
• Relocating the staging areas subtree only: Record the current and new path values in rows 2 and 5.
• Restoring and rebuilding SYSVOL: Record path information as follows:
  • Record the current values from the domain controller that you are restoring in rows 1, 2, and 3.
  • In the Current value column in rows 4 and 5, record the values in the junction points that are located on the domain controller from which you are copying the SYSVOL folder structure.
  • In the New value column in rows 4 and 5, record the values in the junction points that are located on the domain controller whose SYSVOL you are rebuilding.

Row  Parameter                                    Current value    New value
1    msDFSR-RootPath in AD DS
2    msDFSR-StagingPath in AD DS
3    SysVol Netlogon parameter in the registry
4    Sysvol junction point
5    Staging areas junction point

To gather the SYSVOL path information
Perform the following procedures to gather values for SYSVOL paths and record the data in the preceding table.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To determine the msDFSR-RootPath and the msDFSR-StagingPath values in AD DS
1. Click Start, point to Administrative Tools, and then click ADSI Edit.
2. Right-click ADSI Edit, and then, if the domain whose path information you want to check is not listed, click Connect to.
3. Under Connection Point, click Select a well known Naming Context, click Default naming context, and then click OK.
4. In the tree view, expand the domain component, and then expand OU=Domain Controllers.
5. Double-click the container that represents a domain controller on which you can check the path information, double-click CN=DFSR-LocalSettings, and then click CN=Domain System Volume.
6. In the details pane, right-click CN=SYSVOL Subscription, and then click Properties.
7. Click Filter. Ensure that Show mandatory attributes is selected. Select this option if it is not selected.
8. In Attributes, locate msDFSR-RootPath and msDFSR-StagingPath, and then record the current values in rows 1 and 2, respectively, in the previous table. If you are moving SYSVOL, also record the new values for the new location in both rows. If you are moving only the staging areas subtree, record the new path value in row 2.
9. Click Cancel to close the CN=SYSVOL Subscription Properties dialog box.

To determine the SysVol Netlogon parameter value in the registry
1. Click Start, click Run, type regedit, and then press ENTER.
2. In Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. In the details pane, double-click SysVol. The current value is listed in Value data.
4. Record the current value in row 3 of the previous table, and then click Cancel to close the Edit String dialog box. If you are moving SYSVOL, also record the new value for the new location.
5. Close Registry Editor.

To determine the value in the sysvol junction point
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, change the directory to %systemroot%\SYSVOL\sysvol, or to the current location if SYSVOL has been moved from the default location.
3. To view the junction point for the sysvol folder, at the command prompt, type the following command, and then press ENTER (the /a:L attribute lists only reparse points, so the junction is the only entry shown):
dir /a:L
4. Record the current value in row 4 in the previous table. If you are moving SYSVOL, also record the new value for the new location.

To determine the value in the staging areas junction point
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, change the directory to "%systemroot%\SYSVOL\staging areas" (the folder name contains a space, so quote it), or to the current location if the staging areas subtree has been moved from the default location.
3. To view the junction point for the staging areas folder, at the command prompt, type the following command, and then press ENTER:
dir /a:L
4. The output identifies the <JUNCTION> folder type and, in brackets, the value that is stored in the staging areas junction point. The target is shown with the drive letter expanded; for example, the default value is %systemroot%\SYSVOL\staging\domain, shown as C:\Windows\SYSVOL\staging\domain on a default installation (or %systemroot%\SYSVOL_DFSR\staging\domain if SYSVOL has been migrated from FRS to DFS Replication). Record the current value in row 5 of the previous table. If you are moving SYSVOL or the staging areas subtree, also record the new value for the new location.
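The five lookups above (and the same lookups at the start of this section) as one script that fills the table and cross-checks the rows against each other, which is the check you want before and after any move or rebuild. This is an added example and not part of the Microsoft guide. It assumes an elevated Windows PowerShell prompt on a DFS Replication domain controller and the default object layout CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings under the domain controller's computer object; the function names are the example's own.

```powershell
# Added example (not part of the guide): gather the five SYSVOL path values from
# the table above on a DFS Replication DC and cross-check them. Assumptions:
# elevated Windows PowerShell on the DC and the default DFSR-LocalSettings layout.
param([string]$DcName = $env:COMPUTERNAME)

function Get-JunctionTargets {
    # 'dir /a:L' lists only reparse points; each junction's target is printed
    # in brackets, e.g. "<JUNCTION>     contoso.com [C:\Windows\SYSVOL\domain]".
    param([string]$Folder)
    $targets = @{}
    if (Test-Path -LiteralPath $Folder) {
        foreach ($line in (cmd.exe /c dir /a:L "$Folder" 2>$null)) {
            if ($line -match '<JUNCTION>\s+(\S+)\s+\[(.+)\]\s*$') { $targets[$Matches[1]] = $Matches[2] }
        }
    }
    return $targets
}

function Get-ComparablePath([string]$Path) {
    # AD DS, the registry and the junctions may differ only in case or a trailing backslash.
    if ($Path) { $Path.TrimEnd('\').ToLowerInvariant() } else { '' }
}

# Rows 1 and 2: attributes on the DC's SYSVOL Subscription object in AD DS.
$domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
$sub = [ADSI]("LDAP://CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings," +
              "CN=$DcName,OU=Domain Controllers,$domainDn")
$adRoot    = [string]$sub.Properties['msDFSR-RootPath'].Value
$adStaging = [string]$sub.Properties['msDFSR-StagingPath'].Value
if (-not $adRoot) { throw "msDFSR-RootPath is empty for $DcName; is SYSVOL still replicated by FRS?" }

# Row 3: the path Netlogon shares as SYSVOL, plus the SysvolReady flag.
$netlogon  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$regSysvol = [string]$netlogon.SysVol

# Rows 4 and 5: the FQDN-named junctions under <root>\sysvol and <root>\staging areas.
$fqdn       = ($domainDn -replace 'DC=', '') -replace ',', '.'   # DC=contoso,DC=com -> contoso.com
$sysvolRoot = Split-Path -Parent $adRoot                         # e.g. C:\Windows\SYSVOL
$sysvolJunction  = (Get-JunctionTargets (Join-Path $sysvolRoot 'sysvol'))[$fqdn]
$stagingJunction = (Get-JunctionTargets (Join-Path $sysvolRoot 'staging areas'))[$fqdn]

# Every row must describe the same tree root; a mismatch means Netlogon or
# DFSR is looking at a different place than the other.
$issues = @()
if ((Get-ComparablePath $regSysvol) -ne (Get-ComparablePath (Join-Path $sysvolRoot 'sysvol'))) {
    $issues += "Netlogon SysVol '$regSysvol' is not <root>\sysvol for msDFSR-RootPath '$adRoot'"
}
if ((Get-ComparablePath $sysvolJunction) -ne (Get-ComparablePath $adRoot)) {
    $issues += "sysvol\$fqdn junction '$sysvolJunction' does not point at msDFSR-RootPath '$adRoot'"
}
if ((Get-ComparablePath $stagingJunction) -ne (Get-ComparablePath $adStaging)) {
    $issues += "staging areas\$fqdn junction '$stagingJunction' does not point at msDFSR-StagingPath '$adStaging'"
}
if ($netlogon.SysvolReady -ne 1) { $issues += "SysvolReady is $($netlogon.SysvolReady); SYSVOL is not being advertised" }

New-Object PSObject -Property @{
    Row1_msDFSR_RootPath       = $adRoot
    Row2_msDFSR_StagingPath    = $adStaging
    Row3_Netlogon_SysVol       = $regSysvol
    Row4_Sysvol_Junction       = $sysvolJunction
    Row5_StagingAreas_Junction = $stagingJunction
    SysvolReady                = $netlogon.SysvolReady
    Issues                     = $issues
}
```

For a rebuild, run it once on the partner you are copying from and once on the domain controller being rebuilt; the Row4 and Row5 values from the partner are the ones the table asks you to record in the Current value column, and an Issues entry on the partner means it is not a safe copy source.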

Restart the Domain Controller in Directory Services Restore Mode Locally
If you have physical access to a domain controller, you can restart it in Directory Services Restore Mode (DSRM) locally. Restarting in DSRM takes the domain controller offline. In this mode, the server functions as a member server, not as a domain controller. During installation of Active Directory Domain Services (AD DS), you set the Administrator password for logging on to the server in DSRM. When you start Windows Server 2008 in DSRM, you must log on by using this DSRM password for the local Administrator account.
Note
By default, you must start a domain controller in DSRM to log on by using the DSRM Administrator account. However, on domain controllers that are running Windows Server 2008, you can change this behavior by modifying the DsrmAdminLogonBehavior registry entry. By changing the value for this entry, you can configure a domain controller so that you can log on to it with the DSRM Administrator account if the domain controller was started normally but the AD DS service is stopped for some reason. Change this entry only when you need it, and set it back afterward: it lets a local account whose password is not governed by domain password policy log on to a running domain controller. For more information about changing this registry entry, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=85649).
You can restart a domain controller in DSRM manually by pressing the F8 key during domain controller startup, which requires watching the startup and waiting for the appropriate point to press the key. This method is tedious and can waste time if you miss the brief window of opportunity for selecting the restart mode. On domain controllers that are running Windows Server 2008, tools are available that replace the Boot.ini file that is used in earlier versions of Windows Server to modify the boot configuration parameters and controls. You can use the Windows graphical user interface (GUI) or the command line to restart the domain controller in DSRM:
• Windows GUI: System Configuration (Msconfig.exe) is an administrative tool that you can use to configure boot and startup options, including restarting in DSRM and in normal mode.
• Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot configuration on a server that is running Windows Server 2008. You can use Bcdedit with shutdown commands to instruct the domain controller to restart in DSRM and to restart normally.
When you are finished managing a domain controller in DSRM, if you have used System Configuration or Bcdedit.exe to restart the domain controller in DSRM, you must change the configuration so that the domain controller restarts in normal mode.
Note
A benefit of using System Configuration or Bcdedit.exe to restart a domain controller in DSRM is that the domain controller cannot inadvertently restart in normal mode until you remove the setting. This benefit is particularly useful when you are performing a nonauthoritative restore from backup followed by an authoritative restore. You can also use System Configuration or Bcdedit.exe to restart a domain controller in DSRM remotely. To use System Configuration or Bcdedit.exe and Remote Desktop Connection to restart a domain controller in DSRM remotely, see Restart the Domain Controller in Directory Services Restore Mode Remotely.
Membership in the Domain Admins group is the minimum required to complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM are required to log on to the domain controller in DSRM. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92725).

Restarting the domain controller in DSRM locally
You can use either of the following methods to restart the domain controller in DSRM:

To restart a domain controller in DSRM locally by using the Windows GUI
1. On the Start menu, point to Administrative Tools, and then click System Configuration.
2. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK.
3. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM.
4. Perform procedures in DSRM.
5. When you have finished performing procedures in DSRM, restart the domain controller normally:
   a. On the Start menu, point to Administrative Tools, and then click System Configuration.
   b. On the General tab, in Startup selection, click Normal startup, click OK, and then restart the domain controller when System Configuration prompts you. The domain controller restarts normally.

To restart a domain controller in DSRM locally by using the command line
1. Click Start, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, and then click OK.
2. At the command prompt, type the following command, and then press ENTER:
bcdedit /set safeboot dsrepair
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
4. When you are still in DSRM and you are ready to restart in normal mode, open a command prompt, type the following command, and then press ENTER:
bcdedit /deletevalue safeboot
5. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r

Value                        Description
/set safeboot dsrepair       Configures the boot process to start in DSRM.
shutdown -t 0 -r             Shuts down the server and restarts it.
/deletevalue safeboot        Returns the boot process to the previous setting.
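The Bcdedit command-line procedure above with the checks a practitioner wants before rebooting a production domain controller: the safeboot value is read back before the restart is issued (so a typo does not produce a normal boot, which matters for the nonauthoritative-then-authoritative restore case in the note), and a non-default DsrmAdminLogonBehavior is reported because it lets the DSRM Administrator log on outside DSRM. The same script applies unchanged over Remote Desktop for the remote procedure that follows. This is an added example and not part of the Microsoft guide. It assumes an elevated Windows PowerShell prompt on the domain controller and English bcdedit output; the switch names are the example's own.

```powershell
# Added example (not part of the guide): bcdedit /set safeboot dsrepair with
# read-back verification, a DsrmAdminLogonBehavior warning, and a -Revert path
# for bcdedit /deletevalue safeboot. Assumptions: elevated Windows PowerShell
# on the DC, English bcdedit output. -NoReboot only changes the BCD.
param([switch]$Revert, [switch]$NoReboot)

function Get-SafeBootSetting {
    # bcdedit prints "safeboot                DsRepair" for the current entry when set.
    $line = bcdedit.exe /enum '{current}' | Where-Object { $_ -match '^safeboot\s+(\S+)' }
    if ($line -and ([string]$line -match '^safeboot\s+(\S+)')) { return $Matches[1] }
    return $null
}

if ($Revert) {
    # Step 4: back to normal startup, the equivalent of Normal startup in System Configuration.
    bcdedit.exe /deletevalue safeboot | Out-Null
    if (Get-SafeBootSetting) { throw 'safeboot is still set; not rebooting' }
} else {
    # The registry entry from the note above: non-zero means the DSRM Administrator
    # can log on to this DC without booting into DSRM.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue
    if ($lsa -and $lsa.DsrmAdminLogonBehavior -ne 0) {
        Write-Warning "DsrmAdminLogonBehavior=$($lsa.DsrmAdminLogonBehavior): the DSRM Administrator can log on outside DSRM"
    }
    # Step 2: the next boot goes to DSRM and every boot after it, until the value is deleted.
    bcdedit.exe /set safeboot dsrepair | Out-Null
    $setting = Get-SafeBootSetting
    if ($setting -ne 'DsRepair') { throw "bcdedit did not apply safeboot (read back '$setting'); not rebooting" }
}

# Steps 3 and 5: restart immediately. Over Remote Desktop this drops the session.
if ($NoReboot) { Get-SafeBootSetting } else { shutdown.exe -t 0 -r }
```

Run `.\Set-DsrmBoot.ps1` to go into DSRM and `.\Set-DsrmBoot.ps1 -Revert` from inside DSRM to return to normal startup (the file name is a suggestion). The `-NoReboot` switch is for staging the change ahead of a maintenance window; the read-back is the part worth keeping even if you type the commands by hand.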

See Also
Restart the Domain Controller in Directory Services Restore Mode Remotely

4estart the Domain Controller in Directory Services 4estore )ode 4emotely
'f ou have remote access to a domain controller( ou can restart the domain controller in Director Services *estore Mode "DS*M# remotel & *emote access reFuires the user right to log on locall to a domain controller& *estarting in DS*M ta0es the domain controller offline& 'n this mode( the server is functioning as a member server( not a domain controller& During installation of Active Director Domain Services "AD DS#( ou set the Administrator pass%ord for logging on to the server in DS*M& $hen ou start $indo%s Server 2008 in DS*M( ou must log on b using this DS*M pass%ord for the local Administrator account& Note > default( ou must start a domain controller in DS*M to log on b using the DS*M Administrator account& ;o%ever( on domain controllers that are running $indo%s Server 2008( ou can change this behavior b modif ing the DS4)Admin+ogon$ehavior registr entr & > changing the value for this entr ( ou can configure a domain controller so that ou can log on to it %ith the DS*M Administrator account if the domain controller %as started normall but the AD DS service is stopped for some reason& =or more information about changing this registr entr ( see the $indo%s Server 2008 *estartable AD DS Step/b /Step 5uide "http:33go&microsoft&com3f%lin03P+in0'dQ88:A?#& 4n domain controllers that are running $indo%s Server 2008( tools are available that replace the >oot&ini file that is used in earlier versions of $indo%s Server to modif the boot configuration parameters and controls& Eou can use the $indo%s graphical user interface "5)'# or the command line or to restart the domain controller in DS*M: • !indows G3I* S stem Configuration "Msconfig&msc# is an administrative tool that ou can use to configure boot and startup options( including restarting in DS*M and normal mode& • Command line* >cdedit&e-e is a command/line tool that ou can use to modif the boot configuration on a server that is running $indo%s Server 2008& Eou can use >cdedit %ith shutdown commands to instruct the 
domain controller to restart in DS*M and to restart normall & To restart the domain controller in DS*M remotel ( ou first use *emote Des0top Connection to connect to the domain controller %hile it is in normal startup mode& *emote Des0top Connection must be enabled on the target domain controller& After the domain controller has restarted( ou can use *emote Des0top Connection to reconnect to the domain controller and then log on as the local Administrator( using the DS*M pass%ord& Eou can use this procedure to connect to a domain controller remotel ( restart it in DS*M( and then reconnect to it as the DS*M administrator& Membership in Domain Admins( or eFuivalent( is the minimum reFuired to complete the S stem Configuration "$indo%s 5)'# or >cdedit "command/line# procedure& The Administrator account and pass%ord for DS*M and the user right to log on locall to a domain controller are reFuired to 68?

log on to the domain controller in DSRM. Members of Account Operators, Administrators, Enterprise Admins, Domain Admins, Backup Operators, Print Operators, and Server Operators have the user right to log on locally to a domain controller by default. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. Using a domain administrative account to log on to an RODC exposes that account's credentials on a server that is usually deployed where physical security is weaker, and can compromise the server. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).

Note
The account that you use to log on in DSRM is the local DSRM administrator account, whose password was set when the domain controller was promoted. It is not the domain Administrator account, and the domain Administrator password does not work for it.

To restart a domain controller in DSRM remotely by using the Windows GUI
1. Connect to the remote domain controller that is running in normal mode:
   a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection.
   b. In Computer, type the name of the domain controller that you want to restart, and then click Connect.
   c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK.
   d. When you are connected, log on to the domain controller as a domain administrator.
2. On the Start menu, point to Administrative Tools, and then click System Configuration.
3. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK.
4. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped.
5. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection.
6. The domain controller name should still be showing in Computer. If it is not, select it from the list, and then click Connect.
7. In the Windows Security dialog box, click Use another account.
8. In User name, type the following: MachineName\Administrator
   Where MachineName is the name of the domain controller.
9. In Password, type the DSRM password, and then click OK.
10. At the logon screen of the remote domain controller, click Switch User, and then click Other User.
11. Type MachineName\Administrator, and then press ENTER.
12. Perform procedures in DSRM.
13. When you have finished performing procedures in DSRM, restart the domain controller normally:
   a. On the Start menu, point to Administrative Tools, and then click System Configuration.
   b. On the General tab, in Startup selection, click Normal startup, and then click OK. The domain controller restarts normally. This procedure will disconnect your remote session.

To restart a domain controller in DSRM remotely by using the command line
1. Connect to the remote domain controller that is running in normal mode:
   a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection.
   b. In Computer, type the name of the domain controller that you want to restart, and then click Connect.
   c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK.
   d. When you are connected, log on to the domain controller as a domain administrator.
2. Open a command prompt. At the command prompt, type the following command, and then press ENTER:

bcdedit /set safeboot dsrepair

3. At the command prompt, type the following command, and then press ENTER:

shutdown -t 0 -r

The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped.
4. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection.
5. The domain controller name should still be showing in Computer. If it is not, select it in the list, and then click Connect.
6. In the Windows Security dialog box, click Use another account.
7. In User name, type the following: MachineName\Administrator
   Where MachineName is the name of the domain controller.
8. In Password, type the DSRM password, and then click OK.
9. At the logon screen of the remote domain controller, click Switch User, and then click Other User.
10. Type MachineName\Administrator, and then press ENTER.
11. Perform procedures in DSRM.
12. When you have finished performing procedures in DSRM, restart the domain controller normally:
   a. In DSRM, open a command prompt, type the following command, and then press ENTER:

bcdedit /deletevalue safeboot

   b. At the command prompt, type the following command, and then press ENTER:

shutdown -t 0 -r

The domain controller restarts normally. This procedure will disconnect your remote session.

Important
The safeboot entry that bcdedit /set writes is persistent. If you skip step 12a, the domain controller boots into DSRM on every restart, including an unplanned one, until the value is deleted. Before you restart, you can confirm the entry with bcdedit /enum {current}, which lists safeboot DsRepair while it is set.

Value                              Description
bcdedit /set safeboot dsrepair     Configures the boot process to start in DSRM.
shutdown -t 0 -r                   Shuts down the server and restarts it immediately.
bcdedit /deletevalue safeboot      Returns the boot process to the previous setting.

See Also
Enable Remote Desktop
Create a Remote Desktop Connection
Restart the Domain Controller in Directory Services Restore Mode Locally

Stop the DFS Replication Service and Netlogon Service
You can use this procedure to stop the Distributed File System (DFS) Replication service and the Netlogon service when you are performing offline updates to the SYSVOL tree. The Netlogon service advertises the server as a domain controller by sharing out the SYSVOL folder. The services must be turned off until updates to the SYSVOL path information are complete and the SYSVOL junction point has been updated for the new location; otherwise clients can be directed to an incomplete SYSVOL. You can use the Windows graphical user interface (GUI) or the command line to stop the DFS Replication service and the Netlogon service.

Note
The staging path junction point is updated automatically when DFS Replication is restarted.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To stop the DFS Replication service or Netlogon service, or both, by using the Windows GUI
1. On the Start menu, point to Administrative Tools, and then click Services.
2. In the Name column, right-click DFS Replication or Netlogon, and then click Stop.

To stop the DFS Replication service and the Netlogon service by using the command line
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:

net stop dfsr

3. At the command prompt, type the following command, and then press ENTER:

net stop netlogon

After you move or restore SYSVOL, when you update the SYSVOL Netlogon path in the registry, you must also update the SysvolReady parameter in Netlogon parameters, as described in Change the SYSVOL Netlogon Parameters.

Import the SYSVOL Folder Structure
If a domain controller has a nonfunctioning SYSVOL, you can use this procedure to rebuild SYSVOL on the domain controller by copying the SYSVOL folder structure on another domain controller and importing it to the offline domain controller, which cannot operate as a domain controller without a functioning SYSVOL. To properly import SYSVOL, you must copy the SYSVOL folder and its contents. In this procedure, you copy an existing SYSVOL folder structure on a healthy, online domain controller to the target domain controller, which has a failed SYSVOL. After you delete the failed SYSVOL folder, you copy the healthy SYSVOL folder structure to the same location as the original (deleted) SYSVOL folder.

This procedure has the following preliminary requirements:
• You have identified a replication partner domain controller whose SYSVOL folder structure you will copy.
• You have restarted the domain controller to which you are importing SYSVOL in Directory Services Restore Mode (DSRM).
• You have stopped the Netlogon service on the target domain controller after restarting the domain controller in DSRM. The Distributed File System (DFS) Replication service is stopped automatically when you restart the domain controller in DSRM.
• The default shared folder ADMIN$ must exist on the domain controller from which you plan to copy the SYSVOL folder structure. Some organizations remove this shared folder or rename it for security reasons. If this shared folder is not available, you must share the %systemroot% folder and name the share ADMIN$.

Note
To view the shared folders to see whether ADMIN$ is shared, on the source domain controller, open Server Manager. In the navigation pane for the domain controller, view Roles and File Services, and then click Share and Storage Management. As an alternative, you can open a command prompt and type net share at the command prompt.

• If the ADMIN$ share has been renamed, use the name that is assigned by your organization instead of ADMIN$ as you complete this procedure.
• You have determined the target domain controller values for rows 4 (Sysvol junction point) and 5 (Staging areas junction point) in the table that you created in Gather the SYSVOL Path Information.

This procedure has the following follow-up requirements:
• If you share the %systemroot% folder on the source domain controller to complete this procedure, be sure to remove the share after the procedure is complete to maintain any security policies that are established on your network. A share of %systemroot% exposes the entire Windows directory of a domain controller and should exist only for the duration of the copy.
• On the target domain controller, perform the verification tests in Check the Status of the SYSVOL and Netlogon Shares.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure on the domain controller from which you are copying SYSVOL. The DSRM administrator password is the minimum required to complete this procedure on the domain controller to which you are importing SYSVOL. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To import the SYSVOL folder structure
1. On the domain controller to which you are importing the SYSVOL folder structure, open Windows Explorer.
2. Navigate to the existing SYSVOL folder that you are rebuilding, and then delete it.
3. Map a network drive to the ADMIN$ shared directory on the domain controller that you identified earlier as the replication partner from which you plan to copy the SYSVOL folder structure.
4. When you are connected to the ADMIN$ share, verify that a folder labeled SYSVOL appears. Right-click the SYSVOL folder, and then click Copy.
5. In the same ADMIN$ shared directory, right-click some blank space, and then click Paste.
6. Verify that the original SYSVOL folder and a new folder labeled SYSVOL - Copy both appear. Right-click SYSVOL - Copy, and then click Rename. Type SYSVOL2, and then press ENTER.
7. Open a Command Prompt. At the command prompt, change to the drive letter that represents the connection to the remote domain controller where you created the SYSVOL2 folder.
8. Change the directory to \SYSVOL2\sysvol.
9. Type dir /a:l, and then press ENTER. Verify that <JUNCTION> appears in the command output and that it is followed by the name of the domain.
10. You must update the path in this junction point so that it references the new location on the target domain controller. A junction is a reparse point and cannot be edited in place: remove it and then re-create it. At the command prompt, type the following commands, pressing ENTER after each:

rmdir <FQDN>
mklink /J <FQDN> <newpath>

Where <FQDN> is the fully qualified domain name (FQDN) of the domain and <newpath> is the new value that you recorded in row 4 of the table in Gather the SYSVOL Path Information. The rmdir command removes only the junction, not the folder it points to. The /J switch is required: mklink without it creates a symbolic link to a file rather than a directory junction, and mklink fails if a folder or junction named <FQDN> still exists.
11. If the staging areas subfolder has been relocated and it is no longer inside the SYSVOL folder, skip steps 11 and 12, and proceed to step 13. If the staging areas subfolder has not been relocated, at a command prompt, change the directory to \SYSVOL2\staging areas under the copy of SYSVOL that you created. Type dir /a:l to list the contents, and verify that <JUNCTION> appears in the output of the dir command.
12. Update the junction so that it points to the new location on the target domain controller. At the command prompt, type the following command, and then press ENTER:

linkd <junctionname> <newpath>

Where <newpath> is the new value that you recorded in row 5 of the table in Gather the SYSVOL Path Information. Linkd.exe is a Windows Server 2003 Resource Kit tool; if it is not installed, use rmdir followed by mklink /J, exactly as in step 10.
13. At the command prompt, change back to the %systemroot% directory for the domain controller that is receiving the imported SYSVOL.
14. At the command prompt, use the robocopy command-line tool to copy the contents of the \SYSVOL2 folder that you created to a new SYSVOL folder on your local drive. At the command prompt, type the following command, and then press ENTER:

robocopy <Source Folder> <Destination Folder> /copyall /mir /b /r:0 /xd "DfsrPrivate" /xf "DfsrPrivate"

Parameter                Description
<Source Folder>          Drive letter and path to the SYSVOL2 directory on the source domain controller.
<Destination Folder>     Drive letter and full path of the new SYSVOL folder on the local domain controller, at the same location as the folder that you deleted in step 2. For example, if you deleted the original SYSVOL folder from C:\Windows\SYSVOL, the path in <Destination Folder> is C:\Windows\SYSVOL. Robocopy creates the folder if it does not exist. Do not pass the parent folder (C:\Windows): robocopy copies the contents of the source into the destination, and /mir would then delete everything under C:\Windows that is not in SYSVOL2.
/copyall                 Copies the following file information: data, attributes, time stamps, NTFS access control list (ACL), owner information, and auditing information.
/mir                     Mirrors the directory tree that you are copying, including deleting destination files that do not exist in the source.
/b                       Copies files in backup mode. Backup mode allows Robocopy to override file and folder permission settings (ACLs); it requires the backup privilege, which the DSRM administrator has.
/r:0                     Specifies performing 0 (zero) retries on failed copies.
/xd "DfsrPrivate"        Excludes the DfsrPrivate directory from the copy.
/xf "DfsrPrivate"        Excludes the DfsrPrivate file from the copy.

15. Verify that the folder structure copied correctly. Compare the new folder structure to the SYSVOL (not SYSVOL2) folder structure on the remote (source) domain controller. Open a command prompt, and type dir /s to list the contents of the folders and subfolders. Ensure that all folders exist. Also run dir /a:l in the sysvol and staging areas subfolders of the new SYSVOL and confirm that <JUNCTION> appears for the domain name entry. Robocopy follows directory junctions by default, so if the entry is an ordinary folder instead of a junction, remove that folder and re-create the junction with mklink /J using the row 4 or row 5 value, as in step 10.
16. Delete the SYSVOL2 folder that you created on the remote domain controller.
17. If you shared the %systemroot% folder and created an ADMIN$ share on the remote domain controller, remove the ADMIN$ share. Disconnect from the remote domain controller.
18. Restart the domain controller in normal mode. When you restart the domain controller, the Netlogon service and the DFS Replication service start automatically.
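The copy, junction repair and verification steps above, carried out from an elevated PowerShell session on the target domain controller, as an added example that is not part of the original guide. It assumes PowerShell 2.0 or later, that Z: is mapped to the source domain controller's ADMIN$ share and already holds the SYSVOL2 copy from step 6, and that corp.example.com and the junction targets are placeholders for rows 4 and 5 of your Gather the SYSVOL Path Information table. It adds /xj to the guide's robocopy switches, so that the junctions are not followed and copied as ordinary folders, and creates them on the target instead.

```powershell
# Added example (not from the original guide). Run in elevated PowerShell on the
# target DC while it is in DSRM. Assumed values are marked; replace them with the
# rows from your path table before use.
$SourceCopy    = 'Z:\SYSVOL2'                              # copy made in step 6
$SourceLive    = 'Z:\SYSVOL'                               # live SYSVOL on the source, for the final comparison
$TargetSysvol  = Join-Path $env:SystemRoot 'SYSVOL'        # where the SYSVOL folder deleted in step 2 lived
$DomainFqdn    = 'corp.example.com'                        # assumption: name of the junction under sysvol
$SysvolTarget  = Join-Path $TargetSysvol 'domain'          # assumption: row 4, Sysvol junction point
$StagingTarget = Join-Path $TargetSysvol 'staging\domain'  # assumption: row 5, Staging areas junction point

# Refuse to run while Netlogon is up: it would advertise the half-built SYSVOL.
if ((Get-Service -Name Netlogon).Status -ne 'Stopped') {
    throw 'Stop the Netlogon service before importing SYSVOL.'
}

# Step 14: the guide's robocopy switches plus /xj. The destination is the new
# SYSVOL folder itself; pointing /mir at its parent (%systemroot%) would purge
# that parent. /b needs the backup privilege, which the DSRM administrator has.
# Robocopy exit codes below 8 mean success; 8 and above mean something failed.
robocopy $SourceCopy $TargetSysvol /copyall /mir /b /r:0 /xj /xd "DfsrPrivate" /xf "DfsrPrivate" | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)." }

# Steps 10 and 12: create the junctions on the target with the target's own
# paths. rmdir removes only a junction, never the folder it points to; mklink /J
# creates a directory junction (mklink without /J would create a file symlink).
function Reset-Junction {
    param([string]$Link, [string]$Target)
    if (-not (Test-Path -Path $Target)) { throw "Junction target does not exist: $Target" }
    if (Test-Path -Path $Link) { cmd /c rmdir "$Link" | Out-Null }
    cmd /c mklink /J "$Link" "$Target" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "mklink /J failed for $Link" }
}
Reset-Junction -Link (Join-Path $TargetSysvol "sysvol\$DomainFqdn") -Target $SysvolTarget
# Step 11: the staging areas junction exists only if staging areas is still inside SYSVOL.
if (Test-Path -Path (Join-Path $TargetSysvol 'staging areas')) {
    Reset-Junction -Link (Join-Path $TargetSysvol "staging areas\$DomainFqdn") -Target $StagingTarget
}

# Step 15: compare the folder tree with the source's live SYSVOL (not SYSVOL2)
# and report anything missing. Junction entries themselves are left out of both
# lists so that only real folders are compared.
function Get-FolderTree {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Force |
        Where-Object { $_.PSIsContainer -and -not ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) } |
        ForEach-Object { $_.FullName.Substring($Root.Length).ToLowerInvariant() }
}
$missing = Compare-Object -ReferenceObject @(Get-FolderTree $SourceLive) -DifferenceObject @(Get-FolderTree $TargetSysvol) |
    Where-Object { $_.SideIndicator -eq '<=' } | ForEach-Object { $_.InputObject }
if ($missing) { Write-Warning ("Folders missing on the target:`n" + ($missing -join "`n")) }
else          { Write-Host 'Folder structure matches the source SYSVOL.' }

# Show the junctions the way step 15 asks for, so <JUNCTION> can be eyeballed.
cmd /c dir /a:l (Join-Path $TargetSysvol 'sysvol')
```

The script stops before it does anything if Netlogon is running, because a domain controller that advertises a SYSVOL share while its contents are being rebuilt hands clients an inconsistent policy tree. Steps 16 to 18 (deleting SYSVOL2, removing a temporary ADMIN$ share, restarting in normal mode) are deliberately left to the operator.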

See Also
Check the Status of the SYSVOL and Netlogon Shares

Administering the Global Catalog
This guide provides information about administering the global catalog for Active Directory Domain Services (AD DS) in Windows Server 2008.

In this guide
• Introduction to Administering the Global Catalog
• Managing the Global Catalog

Introduction to Administering the Global Catalog
Designate global catalog servers in sites to accommodate forest-wide directory searching and to facilitate domain client logons when universal groups are available (that is, when a domain has a domain functional level of Windows Server 2008, Windows Server 2003, or Windows 2000 native). When universal groups are available in a domain, a domain controller must be able to locate a global catalog server to process a logon request, because only the global catalog holds the universal group memberships that must be added to the user's access token.

Global catalog hardware requirements
Minimum hardware requirements for global catalog servers depend on the number of users in the site. For disk space requirements and directory database storage guidelines, see Planning Domain Controller Capacity (http://go.microsoft.com/fwlink/?LinkId=80404).

Global catalog placement
In most cases, we recommend that you include the global catalog when you install new domain controllers. The following exceptions apply:
• Limited bandwidth: In remote sites, if the wide area network (WAN) link between the remote site and the hub site is limited, you can use universal group membership caching in the remote site to accommodate the logon needs of users in the site. For information about universal group membership caching, see Enabling Universal Group Membership Caching in a Site.
• Infrastructure operations master role incompatibility: Do not place the global catalog on a domain controller that hosts the infrastructure operations master role in the domain unless all domain controllers in the domain are global catalog servers or the forest has only one domain. An infrastructure master that is also a global catalog server never sees stale cross-domain references and therefore never updates them.

Initial global catalog replication
When you add a global catalog server to a site, the Knowledge Consistency Checker (KCC) updates the replication topology, after which replication of partial domain directory partitions that are available within the site begins. Replication of partial domain directory partitions that are available only from other sites begins at the next scheduled interval. Adding subsequent global catalog servers within the same site requires only intrasite replication and does not affect network performance. Replication of the global catalog potentially affects network performance only when you add the first global catalog server in the site. The impact of this replication varies, depending on the following conditions:
• The speed and reliability of the WAN link or links to the site
• The size of the forest

For example, in a forest that has a large hub site, five domains, and thirty small branch sites (some of which are connected by only dial-up connections), global catalog replication to the small sites takes considerably longer than replication of one or two domains to a few well-connected sites.

Global catalog readiness
A global catalog server is available to directory clients when Domain Name System (DNS) servers can locate it as a global catalog server. Several conditions must be met before the global catalog server is locatable by clients. These conditions are divided into seven levels (numbered 0 to 6) of readiness, called occupancy levels. At each level, a specific degree of synchronization must be achieved before occupancy moves to the next level. By default, domain controllers running Windows Server 2008 require all levels to be reached before the global catalog is ready for use. At level 6, all partial, read-only directory partitions have been successfully replicated to the global catalog server. When the requirements of all occupancy levels have been satisfied, the Net Logon service on the global catalog server registers DNS service (SRV) resource records that identify the domain controller as a global catalog server in the site and in the forest. For more information about global catalog readiness and occupancy levels, see How the Global Catalog Works (http://go.microsoft.com/fwlink/?LinkID=107063).

In summary, a global catalog server is ready to serve clients when the following events occur, in this order:
• The global catalog receives replication of read-only replicas to the required occupancy level.
• The isGlobalCatalogReady rootDSE attribute is set to TRUE.
• The Net Logon service on the domain controller has updated DNS with global-catalog-specific service (SRV) resource records.

At this point, the global catalog server begins accepting queries on ports 3268 (LDAP) and 3269 (LDAP over SSL).

Global catalog removal
When you remove the global catalog from a domain controller, that domain controller immediately stops advertising in DNS as a global catalog server. The Knowledge Consistency Checker (KCC) gradually removes the read-only replicas from the domain controller. On domain controllers running Windows Server 2008 or Windows Server 2003, the global catalog, partial, read-only directory partitions are removed in the background, and they receive a low priority so that high-priority services are not interrupted. You might decide to remove the global catalog from a domain controller if universal group membership caching is adequate to satisfy logon requirements in a particular site where WAN link speeds are not adequate for the global catalog. For more information, see Enabling Universal Group Membership Caching in a Site. For more information about global catalog removal, see How the Global Catalog Works (http://go.microsoft.com/fwlink/?LinkID=107063).

Managing the Global Catalog
Designate global catalog servers to accommodate users in sites where a global catalog server is required, for example, to accommodate forest-wide directory searching and to facilitate domain client logons when universal groups are available. For information about global catalog servers, see How the Global Catalog Works (http://go.microsoft.com/fwlink/?LinkId=107063).

This section includes the following tasks for managing the global catalog:
• Configuring a Global Catalog Server
• Determining Global Catalog Readiness
• Removing the Global Catalog

Configuring a Global Catalog Server
When conditions in a site warrant adding a global catalog server, you can configure a domain controller to be a global catalog server. Selecting the global catalog setting on the NTDS Settings object prompts the Knowledge Consistency Checker (KCC) to update the topology. After the topology is updated, read-only, partial domain directory partitions are replicated to the designated domain controller. When replication must occur between sites to create the global catalog, the site link schedule determines when replication can occur.

Task requirements
The following tools are required to perform the procedures for this task:
• Active Directory Sites and Services
• Repadmin.exe
• Dcdiag.exe

To complete this task, perform the following procedures.

Note
Some procedures are performed only when you are configuring the first global catalog server in a site.

1. Determine Whether a Domain Controller Is a Global Catalog Server
2. Designate a Domain Controller to Be a Global Catalog Server
3. Monitor Global Catalog Replication Progress
4. Verify Successful Replication to a Domain Controller

Determine Whether a Domain Controller Is a Global Catalog Server
You can use the setting on the NTDS Settings object to determine whether a domain controller is designated as a global catalog server. Membership in Domain Users, or equivalent, is the minimum required to complete this procedure when you perform the procedure remotely by using Remote Server Administration Tools (RSAT). Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To determine whether a domain controller is a global catalog server
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue.
2. In the console tree, expand the Sites container, expand the site of the domain controller that you want to check, expand the Servers container, and then expand the Server object.
3. Right-click the NTDS Settings object, and then click Properties.
4. On the General tab, if the Global Catalog box is selected, the domain controller is designated as a global catalog server. Note that designation is not readiness: a newly designated server does not advertise itself or answer global catalog queries until replication of the partial partitions completes, as described in Determining Global Catalog Readiness.

Designate a Domain Controller to Be a Global Catalog Server
You use this procedure to designate a domain controller as a global catalog server. When you designate a domain controller as a global catalog server, a partial, read-only directory partition for each domain in the forest, other than the full, writable directory partition of the local domain, is replicated to create the global catalog instance on the server. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To designate a domain controller to be a global catalog server
1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand the Sites container, and then expand the site in which you are designating a global catalog server.
3. Expand the Servers container, and then expand the Server object for the domain controller that you want to designate as a global catalog server.
4. Right-click the NTDS Settings object for the target server, and then click Properties.
5. Select the Global Catalog check box, and then click OK.

Monitor Global Catalog Replication Progress
You can monitor inbound replication progress to see the percentage of completeness of partial, read-only directory partition replication to the new global catalog server.

Note
Although you can change occupancy level requirements for global catalog advertisement to force advertisement to occur before full replica occupancy, doing so can cause e-mail and search issues. Exchange servers use the global catalog for Address Book lookup. Therefore, in addition to causing Active Directory client search problems, the condition of a global catalog server being advertised before it receives all partial replicas can cause Address Book lookup and e-mail delivery problems for Exchange clients.

Membership in Domain Users and the right to log on locally to the domain controller is the minimum required to complete this procedure. By default, members of Account Operators, Administrators, Enterprise Admins, Domain Admins, Backup Operators, Print Operators, and Server Operators have the right to log on locally to a domain controller. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To monitor global catalog replication progress
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:

dcdiag /s:<servername> /v | find "%"

Parameter          Description
/s:<servername>    Specifies the name of the global catalog server that you want to monitor.
/v                 Provides extended (verbose) output, which includes the percentage of replication that is complete for each partial partition.
| find "%"         Filters the verbose output down to the lines that report a percentage.

3. Repeat this command periodically to monitor progress. If the test shows no output, replication has completed.

Verify Successful Replication to a Domain Controller
You can use the repadmin /showrepl command to verify successful replication to a specific domain controller. If you are not running Repadmin on the domain controller whose replication you are checking, you can specify a destination domain controller in the command. Repadmin lists INBOUND NEIGHBORS for the current or specified domain controller. INBOUND NEIGHBORS shows the distinguished name of each directory partition for which inbound directory replication has been attempted, the site and name of the source domain controller, and whether replication succeeded or not, as follows:

Last attempt @ <YYYY-MM-DD HH:MM:SS> was successful.

Last attempt @ (never) was successful.

If (never) appears in the output for a directory partition, replication of that directory partition has never succeeded from the identified source replication partner over the listed connection.

Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To verify successful replication to a domain controller
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:

repadmin /showrepl <servername> /u:<domainname>\<username> /pw:*

Note
The user credential parameters (/u:<domainname>\<username> /pw:*) are not required for the domain of the user if the user has opened the Command Prompt as an administrator with Domain Admins credentials or is logged on to the domain controller as a member of Domain Admins or equivalent. However, if you run the command for a domain controller in a different domain in the same Command Prompt session, you must provide credentials for an account in that domain. Use /pw:* rather than typing the password on the command line, so that it does not remain in the console history.

Value                  Description
repadmin /showrepl     Displays the replication status for the last time that the domain controller that is named in <servername> attempted inbound replication of Active Directory partitions.
<servername>           The name of the destination domain controller.
/u:                    Specifies the domain name and user name, separated by a backslash, for a user who has permissions to perform operations in AD DS.
<domainname>           The single-label name of the domain of the destination domain controller. (You do not have to use a fully qualified Domain Name System (DNS) name.)
<username>             The name of an administrative account in that domain.
/pw:*                  Specifies the domain password for the user named in <username>. The * provides a Password: prompt when you press ENTER.

3. At the Password: prompt, type the password for the user account that you provided, and then press ENTER.

You can also use repadmin to generate the details of replication to and from all replication partners in a Microsoft Excel spreadsheet. The spreadsheet displays data in the following columns:
showrepl_COLUMNS
Destination DC Site
Destination DC
Naming Context
Source DC Site
Source DC
Transport Type
Number of Failures
Last Failure Time
Last Success Time
Last Failure Status

The following procedure creates this spreadsheet and sets column headings for improved readability.

To generate a repadmin /showrepl spreadsheet for all replication partners
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:

repadmin /showrepl * /csv >showrepl.csv

3. Open Excel.
4. Click the Office button, click Open, navigate to showrepl.csv, and then click Open.
5. Hide or delete column A as well as the Transport Type column, as follows:
6. Select a column that you want to hide or delete.
   • To hide the column, right-click the column, and then click Hide.
   Or
   • To delete the column, right-click the selected column, and then click Delete.
7. Select row 1 beneath the column heading row. On the View tab, click Freeze Panes, and then click Freeze Top Row.
8. Select the entire spreadsheet. On the Data tab, click Filter.
9. In the Last Success Time column, click the down arrow, and then click Sort Ascending.
10. In the Source DC column, click the filter down arrow, point to Text Filters, and then click Custom Filter.
11. In the Custom AutoFilter dialog box, under Show rows where, click does not contain. In the adjacent text box, type del to eliminate from view the results for deleted domain controllers.
12. Repeat step 11 for the Last Failure Time column, but use the value does not equal, and then type the value 0.
13. Resolve replication failures.

The last successful attempt should agree with the replication schedule for intersite replication, or the attempt should be within the last hour for intrasite replication. If Repadmin reports any of the following conditions, see Troubleshooting Active Directory Replication Problems (http://go.microsoft.com/fwlink/?LinkID=93882):
• The last successful intersite replication was before the last scheduled replication.
• The last intrasite replication was longer than one hour ago.
• Replication was never successful.
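The same triage as the Excel steps above, done with repadmin's CSV output in PowerShell, as an added example that is not part of the original guide. Column names are bound by position, in the order the guide lists them, so the script does not depend on the exact header labels repadmin prints. The 24-hour window used for intersite partners is an assumption; the guide says to compare intersite results with the site link schedule, so adjust it to your schedule.

```powershell
# Added example (not from the original guide). Requires an account that can run
# repadmin against every DC (Enterprise Admins, per the guide) and PowerShell 2.0+.
$columns = 'ShowreplColumns', 'DestinationDcSite', 'DestinationDc', 'NamingContext',
           'SourceDcSite', 'SourceDc', 'TransportType', 'NumberOfFailures',
           'LastFailureTime', 'LastSuccessTime', 'LastFailureStatus'

function Get-ReplicationStatus {
    # Inbound replication status for every DC in the forest (* = all). The
    # header line repadmin writes is dropped and our own column names are bound.
    $rows = repadmin /showrepl * /csv | Select-Object -Skip 1 | ConvertFrom-Csv -Header $columns
    # Steps 10 and 11: hide rows whose source DC name contains "del"
    # (deleted domain controllers that still appear in the topology).
    $rows | Where-Object { $_.SourceDc -notlike '*del*' }
}

function Test-LastSuccess {
    # $true when the last success is recent enough: within one hour for an
    # intrasite partner, within $IntersiteHours for an intersite partner.
    param($Row, [int]$IntersiteHours = 24)   # assumption: 24 h intersite window
    $last = [datetime]::MinValue
    # repadmin writes 0 when replication has never succeeded; TryParse rejects it.
    if (-not [datetime]::TryParse($Row.LastSuccessTime, [ref]$last)) { return $false }
    $limit = if ($Row.SourceDcSite -eq $Row.DestinationDcSite) { 1 } else { $IntersiteHours }
    return ((Get-Date) - $last).TotalHours -le $limit
}

$status = Get-ReplicationStatus

# Step 12 and the three conditions listed above: any failure count, any last
# failure time other than 0, or a stale or missing last success.
$problems = $status | Where-Object {
    (($_.NumberOfFailures -as [int]) -gt 0) -or
    ($_.LastFailureTime -ne '0') -or
    (-not (Test-LastSuccess -Row $_))
}

# Step 9: oldest success first, so the partners that have been failing longest
# are at the top of the list handed to Troubleshooting Active Directory Replication Problems.
$problems |
    Sort-Object LastSuccessTime |
    Format-Table DestinationDc, SourceDcSite, SourceDc, NamingContext,
                 NumberOfFailures, LastFailureTime, LastSuccessTime, LastFailureStatus -AutoSize
```

Because the check runs against every domain controller, an empty $problems list is the result you want; a partition that shows (never) in the plain /showrepl output appears here as a row whose LastSuccessTime is 0 and which Test-LastSuccess therefore reports as stale.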

Determining Global Catalog 4eadiness
After replication of the partial domain director partitions is complete( the domain controller advertises itself as a global catalog server and begins accepting Fueries& Advertising begins %hen the occupanc level for partial domain director partition replication has been reached& The default occupanc level reFuires that all partial domain director partitions have been replicated& Caution 'f ou lo%er the occupanc level( the domain controller advertises itself as a global catalog server before it has complete information from all domains in the forest& 'n this case( it might return false information to applications that begin using the server for Address >oo0 loo0up and forest/%ide searches& Eou can use the procedures in this tas0 to determine if a domain controller is read to begin advertising itself as a global catalog server& ask re0uirements The follo%ing tools are reFuired to perform the procedures for this tas0: • • • +dp&e-e 9ltest&e-e D9S snap/in

To complete this tas0( perform the follo%ing procedures: 6& Berif 5lobal Catalog *eadiness 2& Berif 5lobal Catalog D9S *egistrations

5erify Global Catalog 4eadiness
$hen a global catalog server has satisfied replication reFuirements( the isGlobalCatalog4eady rootDS. attribute is set to 43.( and the global catalog is read to serve clients& Eou can use this procedure to verif global catalog readiness& Membership in Domain 3sers and the right to log on locall to a domain controller is the minimum reFuired to complete this procedure& > default( members of Account Operators( Administrators( .nterprise Admins( Domain Admins( $ackup Operators( %rint Operators( 6<8

and Server Operators have the right to log on locall to a domain controller& *evie% details about using the appropriate accounts and group memberships at http:33go&microsoft&com3f%lin03P +in0'dQ87A<<&

5erifying global catalog readiness
• • )sing the $indo%s interface )sing a command prompt

To verify global catalog readiness using the Windows interface
1. Click Start, click Run, type ldp, and then click OK.
2. On the Connection menu, click Connect.
3. In Connect, type the name of the server whose global catalog readiness you want to verify.
4. In Port, if 389 is not showing, type 389.
5. If the Connectionless check box is selected, clear it, and then click OK.
6. In the details pane, verify that the isGlobalCatalogReady attribute has a value of TRUE.
7. On the Connection menu, click Disconnect, and then close Ldp.

To verify global catalog readiness using a command prompt
1. Open a Command Prompt.
2. At the command prompt, type the following command, and then press ENTER:

nltest /server:<servername> /dsgetdc:<domainname>

Parameter       Description
<servername>    Specifies the name of the domain controller that you have designated as a global catalog server.
<domainname>    Specifies the name of the domain to which the server belongs.

3. In the Flags: line of the output, if GC appears, the global catalog server has satisfied its replication requirements.


Verify Global Catalog DNS Registrations
To verify that a server is advertised as a global catalog server, confirm the presence of Domain Name System (DNS) service (SRV) resource records for the server. You can use this procedure to verify global catalog DNS registrations.
Membership in DNSAdmins and the right to log on locally to the domain controller is the minimum required to complete this procedure. By default, members of Account Operators, Administrators, Enterprise Admins, Domain Admins, Backup Operators, Print Operators, and Server Operators have the right to log on locally to a domain controller. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To verify global catalog DNS registrations
1. Click Start, point to Administrative Tools, and then click DNS.
2. Connect to a domain controller in the forest root domain: Right-click DNS, click Connect to DNS Server, and then click The following computer. Type the computer name, and then click OK.
3. Expand Forward Lookup Zones, and then expand the forest root domain.
4. Click the _tcp container.
5. In the details pane, look in the Name column for _gc and in the Data column for the name of the server. The records that begin with _gc are global catalog service (SRV) resource records.
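Added example, not part of the Microsoft guide, that performs both checks in this task from one PowerShell session: it reads isGlobalCatalogReady from the server's rootDSE (the value Ldp shows in step 6 of the readiness procedure) and looks for _gc SRV records under _tcp in the forest root zone (what the DNS snap-in shows). It needs Resolve-DnsName from the DnsClient module (Windows 8 and Windows Server 2012 or later); the function name, parameter names, and sample server and forest names are this example's own.

```powershell
# Added example; not code from the Microsoft guide. Checks the two advertising signals
# described above for one domain controller: the rootDSE attribute and the _gc SRV record.
function Test-GlobalCatalogReadiness {
    param(
        [Parameter(Mandatory)] [string] $ServerName,        # assumed, e.g. DC02.corp.example.com
        [Parameter(Mandatory)] [string] $ForestRootDomain   # assumed, e.g. corp.example.com
    )

    # 1. rootDSE over LDAP port 389: isGlobalCatalogReady flips to TRUE once the partial
    #    domain partitions have reached the occupancy level (the Caution above explains
    #    why a lowered occupancy level makes this an unreliable signal).
    $rootDse = [ADSI]"LDAP://$ServerName/RootDSE"
    $isReady = ([string]$rootDse.isGlobalCatalogReady -eq 'TRUE')

    # 2. DNS: Net Logon registers _gc._tcp.<forest root> SRV records only once the
    #    server advertises itself; the DNS snap-in procedure above looks for the same records.
    $srvName = "_gc._tcp.$ForestRootDomain"
    $srvRecords = @(Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
                    Where-Object { $_.Type -eq 'SRV' })
    $shortName = ($ServerName -split '\.')[0]
    $mine = @($srvRecords | Where-Object { ($_.NameTarget -split '\.')[0] -ieq $shortName })

    [pscustomobject]@{
        ServerName            = $ServerName
        IsGlobalCatalogReady  = $isReady
        GcSrvRecordRegistered = ($mine.Count -gt 0)
        GcSrvRecordName       = $srvName
        AllRegisteredGcs      = ($srvRecords | ForEach-Object { $_.NameTarget })
        # Ready but unregistered (or the reverse) means advertising and DNS disagree;
        # resolve that before clients are pointed at the server.
        Consistent            = ($isReady -eq ($mine.Count -gt 0))
    }
}

# Usage (names are placeholders):
# Test-GlobalCatalogReadiness -ServerName 'DC02.corp.example.com' -ForestRootDomain 'corp.example.com'
```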

Removing the Global Catalog
Removing the global catalog from a domain controller simply requires clearing the Global Catalog check box on the NTDS Settings object properties page in Active Directory Sites and Services. As soon as this operation is complete, the domain controller stops advertising itself as a global catalog server (that is, Net Logon deregisters the global-catalog-related records in Domain Name System (DNS)), and the domain controller immediately stops accepting Lightweight Directory Access Protocol (LDAP) requests over ports 3268 and 3269. Global catalog directory partitions are removed gradually in the background.
Task requirements
The following tool is required to perform the procedures for this task:
• Active Directory Sites and Services
To complete this task, perform the following procedures:
1. Clear the Global Catalog Setting
2. Monitor Global Catalog Removal in Event Viewer

Clear the Global Catalog Setting
Clearing the global catalog setting begins the removal of the partial, read-only directory partitions from the directory database of the domain controller. You can use this procedure to clear the global catalog setting.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To clear the global catalog setting
1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Expand the Sites container, and then expand the site from which you are removing a global catalog server.
3. Expand the Servers container, and then expand the Server object for the domain controller from which you want to remove the global catalog.
4. Right-click the NTDS Settings object for the target server, and then click Properties.
5. If the Global Catalog check box is selected, clear the check box, and then click OK.

Monitor Global Catalog Removal in Event Viewer
To verify that the global catalog has been removed from a domain controller, monitor Event Viewer. When the global catalog has been removed successfully, the Knowledge Consistency Checker (KCC) logs Event ID 1265 in the Directory Service event log. You can use this procedure to monitor global catalog removal in Event Viewer.
Membership in Server Operators and the right to log on locally to a domain controller, or equivalent, is the minimum required to complete this procedure. By default, members of Account Operators, Administrators, Enterprise Admins, Domain Admins, Backup Operators, Print Operators, and Server Operators have the right to log on locally to a domain controller. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To monitor global catalog removal in Event Viewer
1. Click Start, point to Administrative Tools, and then click Event Viewer.
2. Right-click Event Viewer (Local), and then click Connect to Another Computer.
3. In the Select Computer dialog box, click Another computer, and then type the name of the server from which you removed the global catalog.
4. Click Connect as another user, and then click Set User.
5. Type the user name and password for a user that has access to the global catalog server and permission to open Event Viewer, and then click OK twice.
6. Under Applications and Services Logs, click Directory Service.
7. Look for ActiveDirectory_DomainService event ID 1265, which indicates that the global catalog is removed from the local computer.
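Added example, not part of the Microsoft guide: because the partitions are removed gradually in the background, this function polls the Directory Service log of the remote domain controller for Event ID 1265 with Get-WinEvent instead of watching Event Viewer, and counts only events logged after the time you cleared the check box so that an older 1265 is not mistaken for this removal. The function and parameter names are this example's own; -Credential is optional, as in step 4 above.

```powershell
# Added example; not code from the Microsoft guide. Waits for the KCC's Event ID 1265
# ("global catalog removed") on a remote DC, polling until a timeout expires.
function Wait-GlobalCatalogRemoval {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,     # DC whose Global Catalog box you cleared
        [datetime] $Since = (Get-Date).AddMinutes(-5),     # ignore 1265 events older than this
        [int] $TimeoutMinutes = 30,
        [int] $PollSeconds = 30,
        [pscredential] $Credential                         # optional, like "Connect as another user"
    )

    # Same log and event the procedure above tells you to look for in Event Viewer.
    $query = @{
        ComputerName    = $ComputerName
        FilterHashtable = @{ LogName = 'Directory Service'; Id = 1265; StartTime = $Since }
        ErrorAction     = 'SilentlyContinue'   # "no events found" is expected while we wait
    }
    if ($Credential) { $query.Credential = $Credential }

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # Newest matching event, if any has been written since $Since.
        $hit = Get-WinEvent @query | Sort-Object TimeCreated | Select-Object -Last 1
        if ($hit) {
            return [pscustomobject]@{
                ComputerName = $ComputerName
                Removed      = $true
                TimeCreated  = $hit.TimeCreated
                Provider     = $hit.ProviderName
                Message      = $hit.Message
            }
        }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    # Timeout: the background removal has not finished (or the DC could not be queried).
    [pscustomobject]@{
        ComputerName = $ComputerName
        Removed      = $false
        TimeCreated  = $null
        Provider     = $null
        Message      = "No Event ID 1265 logged since $Since within $TimeoutMinutes minutes"
    }
}

# Usage (name is a placeholder): Wait-GlobalCatalogRemoval -ComputerName 'DC02.corp.example.com'
```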

Administering Operations Master Roles
This guide provides information about administering Active Directory operations master (also known as flexible single master operations or FSMO) roles in Windows Server 2008.
In this guide
• Introduction to Administering Operations Master Roles
• Managing Operations Master Roles

Introduction to Administering Operations Master Roles
Domain controllers that hold operations master (also known as flexible single master operations or FSMO) roles keep the directory functioning properly by performing specific tasks that no other domain controllers are permitted to perform. Three operations master roles exist in each domain:
• The primary domain controller (PDC) emulator operations master. The PDC emulator operations master processes all replication requests from Windows NT Server 4.0 backup domain controllers (BDCs). It also processes all password updates for clients not running Active Directory–enabled client software, plus any other directory write operations. The PDC emulator receives preferential replication of password changes that are performed by other domain controllers in the domain, and it is the source for the latest password information whenever a logon attempt fails as a result of a bad password. For this reason, of all operations master roles, the PDC emulator operations master role has the highest impact on the performance of the domain controller that hosts that role. The PDC emulator in the forest root domain is also the default Windows Time service (W32time) time source for the forest.
• The relative ID (RID) operations master. The RID master allocates RID pools to all domain controllers to ensure that new security principals can be created with a unique identifier.
• The infrastructure operations master. The infrastructure master manages references from objects in its domain to objects in other domains. It also updates group-to-user references when the members of groups are renamed or changed.
In addition to the three domain-level operations master roles, two operations master roles exist in each forest:
• The schema operations master. The schema master governs all changes to the schema.
• The domain naming operations master. The domain naming master adds and removes domain directory partitions and application directory partitions to and from the forest.
To perform their respective operations, the domain controllers that host operations master roles must be consistently available and they must be located in areas where network reliability is high. Careful placement of your operations masters becomes more important as you add more domains and sites as you build your forest.

Guidelines for role placement
Improper placement of operations master role holders can prevent clients from changing their passwords or being able to add domains and new objects, such as Users and Groups. Schema changes might not be possible. In addition, name changes might appear improperly within group memberships that are displayed in the user interface (UI).
Note
Operations master roles cannot be placed on a read-only domain controller (RODC).
As your environment changes, you must avoid the problems that are associated with improper operations master role placement. Eventually, you might have to reassign the roles to other domain controllers. Although you can assign the forest-level and domain-level operations master roles to any domain controller in the forest and domain, respectively, improper infrastructure master role placement can cause the infrastructure master to perform incorrectly. Other improper operations master configurations can increase administrative overhead. Following these guidelines will help to minimize administrative overhead and ensure the proper performance of Active Directory Domain Services (AD DS). Following these guidelines will simplify the recovery process if a domain controller that is hosting an operations master role fails.
Follow these guidelines for operations master role placement:
• Configure an additional domain controller as the standby operations master for the forest-level roles. Configure an additional domain controller as the standby operations master for the domain-level roles.
• Place the domain-level roles on a high-performance domain controller.
• Do not place domain-level roles on a global catalog server.
• Leave the two forest-level roles on a domain controller in the forest root domain.
• In the forest root domain, transfer the three domain-level roles from the first domain controller that you installed in the forest root domain to an additional domain controller that has a high performance level.
• In all other domains, leave the domain-level roles on the first domain controller.
• Adjust the workload of the PDC emulator, if necessary.

Prepare additional domain controllers as standby operations masters
Because the operations master roles are critical to proper forest and domain function, it is important to be prepared in the event that an operations master role holder becomes inoperable or unreachable. You can prepare an additional domain controller for the forest roles in the forest root domain and an additional domain controller for the domain roles in each domain by configuring them to be optimally connected to the respective current role holder so that role transfer occurs as quickly as possible.
Place domain-level roles on a high-performance domain controller
The PDC emulator role requires a powerful and reliable domain controller to ensure that the domain controller is available and capable of handling the workload. Of all the operations master roles, the PDC emulator role creates the most overhead on the server that is hosting the role. It has the most intensive daily interaction with other systems on the network. The PDC emulator has the greatest potential to affect daily operations of the directory.
Note
If an RODC is installed in the domain, the PDC emulator role must be placed on a domain controller that is running Windows Server 2008.
Domain controllers can become overloaded while attempting to service client requests on the network, manage their own resources, and handle any specialized tasks, such as performing the various operations master roles. This is especially true of the domain controller that holds the PDC emulator role. Again, clients running operating systems earlier than Windows 2000 Server and domain controllers running Windows NT Server 4.0 rely more heavily on the PDC emulator than AD DS clients and domain controllers. If your networking environment has clients and domain controllers running operating systems earlier than Windows 2000 Server, you might need to reduce the workload of the PDC emulator. If a domain controller begins to indicate that it is overloaded and its performance is affected, you can reconfigure the environment so that some tasks are performed by other, less-used domain controllers. By adjusting the domain controller's weight in the Domain Name System (DNS) environment, you can configure the domain controller to receive fewer client requests than other domain controllers on your network. As an option, you can adjust the domain controller's priority in the DNS environment so that it processes client requests only if other DNS servers are unavailable. With fewer DNS client requests to process, the domain controller can use more resources to perform operations master services for the domain.
Do not place domain-level roles on a global catalog server
The infrastructure master is incompatible with the global catalog, and it must not be placed on a global catalog server. Because it is best to keep the three domain-level roles together for ease of administration, avoid putting any of them on a global catalog server.

The infrastructure master updates objects for any attribute values with distinguished name (dn) syntax that reference objects outside the current domain. These updates are particularly important for security principal objects (users, computers, and groups). For example, suppose a user from one domain is a member of a group in a second domain and the user's surname (the sn attribute on the user object) is changed in the first domain. This change usually also changes the dn attribute value of the user object, which is the value that is used in the member attribute of group objects. Because domain controllers in one domain do not replicate security principals to domain controllers in another domain, the second domain never receives the change. An out-of-date value on the member attribute of a group in another domain could result in the user whose name has changed being denied privileges.
To ensure consistency between domains, the infrastructure master constantly monitors group memberships, looking for member attribute values that identify security principals from other domains. If it finds one, it compares its distinguished name with the distinguished name in the domain of the security principal to determine if the information has changed. If the information on the infrastructure master is out of date, the infrastructure master performs an update and then replicates the change to the other domain controllers in its domain.
Two exceptions apply to this rule:
1. If all the domain controllers are global catalog servers, the domain controller that hosts the infrastructure master role is insignificant because global catalog servers replicate updated security principal information to all other global catalog servers.
2. If the forest has only one domain, the infrastructure master role is not needed because security principals from other domains do not exist.
Leave forest-level roles on the original domain controller in the forest root domain
The first domain controller that is installed in the forest automatically receives the schema master and domain naming master roles. It also hosts the global catalog. To ease administration and backup and restore procedures, leave these roles on the original forest root domain controller. The roles are compatible with the global catalog, and moving the roles to other domain controllers does not improve performance. Separating the roles creates additional administrative overhead when you must identify the standby operations masters and when you implement a backup and restore policy. Unlike the PDC emulator role, forest-level roles rarely place a significant burden on the domain controller. Keep these roles together to provide easy, predictable management.
In the forest root domain, transfer domain-level roles from the first domain controller
The three domain-level roles are assigned to the first domain controller that is created in a new domain. In the case of the forest root domain, the first domain controller that is created in the domain hosts both forest-level roles and all three domain-level roles, as well as the global catalog. The infrastructure master role is incompatible with the global catalog. For this reason, when you install the second domain controller in the forest root domain, the Active Directory Domain Services Installation Wizard prompts you to allow the wizard to transfer the role during installation of AD DS. Following installation of the second domain controller, consider transferring the PDC emulator and RID master roles to the second domain controller, as well, to keep the three roles together for easy administration.

In all other domains, leave domain-level roles on the first domain controller
Except for the forest root domain, leave the domain-level roles on the first domain controller that you install in the domain and do not configure that domain controller as a global catalog server. Keep the roles together unless the workload on your operations master justifies the additional management burden of separating the roles. Because all clients running non-Windows operating systems or Windows operating systems earlier than Windows 2000 Server submit updates to the PDC emulator, the domain controller holding that role uses a higher number of RIDs when the network hosts many of these clients. Place the PDC emulator and RID master roles on the same domain controller so that these two roles interact more efficiently. If you must separate the roles, you can still use a single standby operations master for all three roles. However, you must ensure that the standby is a replication partner of all three of the role holders. Backup and restore procedures also become more complex if you separate the roles. Special care must be taken to restore a domain controller that hosted an operations master role. By hosting the roles on a single computer, you minimize the steps that are required to restore a role holder.
Adjust the workload of the PDC emulator operations master role holder
Depending on the size of the forest or domain, you might want to configure DNS so that client requests favor domain controllers other than the PDC emulator. The PDC emulator role has the highest load demands of all the operations master roles.
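Added example, not part of the Microsoft guide: a read-only audit that checks a forest against the placement guidelines above (forest-level roles in the forest root domain and together, the infrastructure master off the global catalog unless one of the two exceptions applies, domain-level roles kept together and off global catalog servers, and a Windows Server 2008 PDC emulator wherever an RODC exists). It uses the ActiveDirectory module from RSAT with an account that can read every domain; the "first domain controller" guidelines are not checked because the directory does not record which domain controller was installed first. The function name and finding texts are this example's own.

```powershell
# Added example; not code from the Microsoft guide. Reports guideline violations; changes nothing.
function Test-OperationsMasterPlacement {
    param([string] $ForestName = (Get-ADForest).Name)

    $forest   = Get-ADForest -Identity $ForestName
    $findings = New-Object System.Collections.Generic.List[string]

    # Forest-level roles: both belong on a DC in the forest root domain, ideally the same one.
    $forestRoles = @{ SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster }
    foreach ($role in $forestRoles.Keys) {
        $holder = $forestRoles[$role]
        $dc = Get-ADDomainController -Identity $holder -Server $holder
        if ($dc.Domain -ne $forest.RootDomain) {
            $findings.Add("$role is on $holder, outside the forest root domain $($forest.RootDomain).")
        }
    }
    if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
        $findings.Add("Schema master and domain naming master are on different domain controllers.")
    }

    $singleDomainForest = (@($forest.Domains).Count -eq 1)
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
        $byName = @{}
        foreach ($dc in $dcs) { $byName[$dc.HostName] = $dc }

        $domainRoles = [ordered]@{
            PDCEmulator          = $domain.PDCEmulator
            RIDMaster            = $domain.RIDMaster
            InfrastructureMaster = $domain.InfrastructureMaster
        }

        # Infrastructure master on a GC is wrong unless every DC in the domain is a GC or the
        # forest has a single domain (the two exceptions described above).
        $allGc = (@($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0)
        $infra = $byName[$domain.InfrastructureMaster]
        if ($infra -and $infra.IsGlobalCatalog -and -not ($allGc -or $singleDomainForest)) {
            $findings.Add("${domainName}: infrastructure master $($infra.HostName) is a global catalog server.")
        }

        # Guideline: do not place the other domain-level roles on a global catalog server either.
        foreach ($role in $domainRoles.Keys) {
            $holder = $byName[$domainRoles[$role]]
            if ($role -ne 'InfrastructureMaster' -and $holder -and $holder.IsGlobalCatalog) {
                $findings.Add("${domainName}: $role $($holder.HostName) is a global catalog server.")
            }
        }

        # Guideline: keep PDC emulator, RID master, and infrastructure master together.
        if (@($domainRoles.Values | Sort-Object -Unique).Count -gt 1) {
            $findings.Add("${domainName}: domain-level roles are split across $($domainRoles.Values -join ', ').")
        }

        # With an RODC in the domain, the PDC emulator must run Windows Server 2008 (or later).
        $hasRodc = (@($dcs | Where-Object { $_.IsReadOnly }).Count -gt 0)
        $pdc = $byName[$domain.PDCEmulator]
        if ($hasRodc -and $pdc -and $pdc.OperatingSystem -match 'Windows (2000|Server 2003)') {
            $findings.Add("${domainName}: an RODC exists but the PDC emulator runs $($pdc.OperatingSystem).")
        }
    }

    [pscustomobject]@{ Forest = $forest.Name; Findings = $findings.ToArray() }
}

# Usage: (Test-OperationsMasterPlacement).Findings   # empty when every guideline is met
```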

Guidelines for role transfer
Role transfer is the preferred method to move an operations master role from one domain controller to another. During a role transfer, the two domain controllers replicate to ensure that no information is lost. After the transfer is complete, the previous role holder no longer attempts to perform as the operations master, which eliminates the possibility of duplicate operations masters existing on the network.
Consider moving the operations master role or roles when any of the following conditions exist:
• Inadequate service performance
• Failure of a domain controller that hosts an operations master role
• Decommissioning of a domain controller that hosts an operations master role
• Administrative configuration changes that affect operations master role placement

Inadequate service performance
The PDC emulator is the operations master role that most affects the performance of a domain controller. For clients that do not run Active Directory client software, the PDC emulator processes requests for password changes, replication, and user authentication. While it provides support for these clients, the domain controller continues to perform its normal services, such as authenticating Active Directory–enabled clients. As the network grows, the volume of client requests can increase the workload for the domain controller that hosts the PDC emulator role and its performance can suffer. To solve this problem, you can transfer all or some of the operations master roles to another, more powerful domain controller. As an alternative, you may choose to transfer the role to another domain controller, upgrade the hardware on the original domain controller, and then transfer the role back again.
Operations master failure
In the event of a failure of an operations role holder, you must decide if you need to relocate the operations master roles to another domain controller or wait for the domain controller to be returned to service. Base that determination on the role that the domain controller hosts and the expected downtime.
Decommissioning of the domain controller
Before you take a domain controller offline permanently, transfer any operations master roles that the domain controller holds to another domain controller. When you use the Active Directory Installation Wizard to decommission a domain controller that currently hosts one or more operations master roles, the wizard reassigns the roles to a different domain controller. When the wizard is run, it determines whether the domain controller currently hosts any operations master roles. If it detects any operations master roles, it queries the directory for other eligible domain controllers and transfers the roles to a new domain controller. A domain controller is eligible to host the domain-level roles if it is a member of the same domain. A domain controller is eligible to host a forest-level role if it is a member of the same forest.
Configuration changes
Configuration changes to domain controllers or the network topology can result in the need to transfer operations master roles. Except for the infrastructure master, you can assign operations master roles to any domain controller regardless of any other tasks that the domain controller performs. Do not host the infrastructure master role on a domain controller that is also acting as a global catalog server unless all the domain controllers in the domain are global catalog servers or unless the forest has only one domain. If the domain controller that hosts the infrastructure master role is configured to be a global catalog server, you must transfer the infrastructure master role to another domain controller. Changes to the network topology can result in the need to transfer operations master roles to keep them in a particular site.
Note
Do not change the global catalog configuration on the domain controller that you intend to assume an operations master role unless your information technology (IT) management authorizes that change. Changing the global catalog configuration can cause changes that can take days to complete, and the domain controller might not be available during that period. Instead, transfer the operations master roles to a different domain controller that is already configured properly.
You can reassign an operations master role by transfer or, as a last resort, by seizure.
Important
If you must seize an operations master role, never reattach the previous role holder to the network without following the procedures in this guide. Reattaching the previous role holder to the network incorrectly can result in invalid data and corruption of data in the directory.

Managing Operations Master Roles
Operations masters keep the directory functioning properly by performing specific tasks that no other domain controllers are permitted to perform. This section includes the following tasks for managing operations master roles:
• Designating a Standby Operations Master
• Transferring an Operations Master Role
• Seizing an Operations Master Role
• Reducing the Workload on the PDC Emulator Master

Designating a Standby Operations Master
A standby operations master is a domain controller that you identify as the computer that assumes the operations master role if the original computer fails. A single domain controller can act as the standby operations master for all the operations master roles in a domain, or you can designate a separate standby for each operations master role. When you designate a domain controller as the standby operations master, follow all the recommendations in "Guidelines for Role Placement" in Introduction to Administering Operations Master Roles.

Standby operations master computer requirements
No utilities or special steps are required to designate a domain controller as a standby operations master. However, the current operations master and the standby operations master should be well connected. "Well connected" means that the network connection between them must support at least a 10-megabit transmission rate and be available at all times. In addition, creating a manual connection object between the standby domain controller and the operations master will ensure direct replication between the two operations masters. By making the operations master and the standby operations master direct replication partners, you reduce the chance of data loss in the event of a role seizure, which reduces the chance of directory corruption.

Replication requirements
Before you transfer a role from the current role holder to the standby operations master, ensure that replication between the two computers is functioning properly. Because they are replication partners, the new operations master is already consistent with the original operations master, which reduces the time that is required for the transfer operation. During role transfer, the two domain controllers exchange any unreplicated information to ensure that no transactions are lost. If the two domain controllers are not direct replication partners, a substantial amount of information might have to be replicated before the domain controllers completely synchronize with each other. The role transfer requires extra time to replicate the outstanding transactions. If the two domain controllers are direct replication partners, fewer outstanding transactions exist and the role transfer operation completes sooner.
Task requirements
The following tools are required to perform the procedures for this task:
• Active Directory Sites and Services
• Repadmin.exe
To complete this task, perform the following procedures:
• Determine Whether a Domain Controller Is a Global Catalog Server
• Create a Connection Object on the Operations Master and Standby
• Verify Successful Replication to a Domain Controller

Determine Whether a Domain Controller Is a Global Catalog Server
You can use the setting on the NTDS Settings object to determine whether a domain controller is designated as a global catalog server.
Membership in Domain Users, or equivalent, is the minimum required to complete this procedure when you perform the procedure remotely by using Remote Server Administration Tools (RSAT). Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To determine whether a domain controller is a global catalog server
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue.
2. In the console tree, expand the Sites container, expand the site of the domain controller that you want to check, expand the Servers container, and then expand the Server object.
3. Right-click the NTDS Settings object, and then click Properties.
4. On the General tab, if the Global Catalog box is selected, the domain controller is designated as a global catalog server.
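Added example, not part of the Microsoft guide: the Global Catalog check box in step 4 is bit 0x1 of the options attribute on the NTDS Settings object, and this function reads and decodes that attribute with the ActiveDirectory module (RSAT). It goes beyond the page in also decoding the neighbouring bits, whose values are documented as NTDSDSA_OPT_* in [MS-ADTS]; an unexpected inbound- or outbound-replication-disabled bit on a role holder or standby is worth investigating before any transfer. The function name and flag labels are this example's own.

```powershell
# Added example; not code from the Microsoft guide. Decodes the nTDSDSA options attribute
# behind the Global Catalog check box on the NTDS Settings object.
function Get-NtdsSettingsOptions {
    param([Parameter(Mandatory)] [string] $DomainController)   # host name, e.g. DC01.corp.example.com

    $dc   = Get-ADDomainController -Identity $DomainController -Server $DomainController
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Server $DomainController -Properties options
    $raw  = [int]$ntds.options        # an absent attribute casts to 0, meaning no bits set

    # Bit values from [MS-ADTS] (NTDSDSA_OPT_*); labels are this example's own.
    $flags = [ordered]@{
        IsGlobalCatalog         = 0x1   # what the Global Catalog check box sets or clears
        InboundReplDisabled     = 0x2   # inbound replication to this DC is switched off
        OutboundReplDisabled    = 0x4   # outbound replication from this DC is switched off
        ConnectionXlateDisabled = 0x8   # KCC does not translate connection objects into replication links
    }

    $result = [ordered]@{ DomainController = $dc.HostName; OptionsRaw = $raw }
    foreach ($name in $flags.Keys) {
        $result[$name] = (($raw -band $flags[$name]) -ne 0)
    }
    # The module's IsGlobalCatalog property is derived from the same bit; they must agree.
    $result['MatchesIsGlobalCatalogProperty'] = ($result['IsGlobalCatalog'] -eq [bool]$dc.IsGlobalCatalog)
    [pscustomobject]$result
}

# Usage (name is a placeholder): Get-NtdsSettingsOptions -DomainController 'DC01.corp.example.com'
```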


Create a Connection Object on the Operations Master and Standby
To ensure that the current operations master role holder and the standby operations master are replication partners, you can manually create connection objects between the two domain controllers. Even if a connection object is generated automatically, we recommend that you manually create a connection object on both the operations master and the standby operations master. The replication system can alter automatically created connection objects any time. Manually created connections remain the same until an administrator changes them.
You can use this procedure to create the following:
• A manual connection object that designates the standby server as the From Server on the NTDS Settings object of the operations master
• A manual connection object that designates the operations master server as the From Server on the NTDS Settings object of the standby server
Administrative credentials
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To create a connection object on the operations master and standby
1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Expand the site name in which the current operations master role holder is located to display the Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. To create a connection object from the standby server on the current operations master, expand the name of the operations master server on which you want to create the connection object to display its NTDS Settings object.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Active Directory Domain Controllers dialog box, select the name of the standby server from which you want to create the connection object, and then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the connection object or accept the default name, and then click OK.
8. To create a connection object from the current operations master to the standby server, repeat steps 4 through 7, but in step 4, expand the name of the standby server. In step 6, select the name of the current operations master.


Verify Successful Replication to a Domain Controller
You can use the repadmin /showrepl command to verify successful replication to a specific domain controller. If you are not running Repadmin on the domain controller whose replication you are checking, you can specify a destination domain controller in the command. Repadmin lists INBOUND NEIGHBORS for the current or specified domain controller. INBOUND NEIGHBORS shows the distinguished name of each directory partition for which inbound directory replication has been attempted, the site and name of the source domain controller, and whether replication succeeded or not, as follows:
• Last attempt @ <YYYY-MM-DD HH:MM:SS> was successful.
• Last attempt @ (never) was successful.

If @ (never) appears in the output for a directory partition, replication of that directory partition has never succeeded from the identified source replication partner over the listed connection.
Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To verify successful replication to a domain controller
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:

repadmin /showrepl <servername> /u:<domainname>\<username> /pw:*

Note
The user credential parameters (/u:<domainname>\<username> /pw:*) are not required for the domain of the user if the user has opened the Command Prompt as an administrator with Domain Admins credentials or is logged on to the domain controller as a member of Domain Admins or equivalent. However, if you run the command for a domain controller in a different domain in the same Command Prompt session, you must provide credentials for an account in that domain.


Value                 Description
repadmin /showrepl    Displays the replication status for the last time that the domain controller that is named in <servername> attempted inbound replication of Active Directory partitions.
<servername>          The name of the destination domain controller.
/u:                   Specifies the domain name and user name, separated by a backslash, for a user who has permissions to perform operations in AD DS.
<domainname>          The single-label name of the domain of the destination domain controller. (You do not have to use a fully qualified Domain Name System (DNS) name.)
<username>            The name of an administrative account in that domain.
/pw:*                 Specifies the domain password for the user named in <username>. * provides a Password: prompt when you press ENTER.

7& At the %assword* prompt( t pe the pass%ord for the user account that ou provided( and then press 19T1*& Eou can also use repadmin to generate the details of replication to and from all replication partners in a Microsoft 1-cel spreadsheet& The spreadsheet displa s data in the follo%ing columns: ShowreplBCO+3)NS Destination DC Site Destination DC Naming Conte/t Source DC Site Source DC ransport ype Number of #ailures +ast #ailure ime +ast Success ime +ast #ailure Status

The following procedure creates this spreadsheet and sets column headings for improved readability.

To generate a repadmin /showrepl spreadsheet for all replication partners

1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.

2. At the command prompt, type the following command, and then press ENTER:

repadmin /showrepl * /csv >showrepl.csv

3. Open Excel.

4. Click the Office button, click Open, navigate to showrepl.csv, and then click Open.

5. Hide or delete column A as well as the Transport Type column, as follows:

6. Select a column that you want to hide or delete.
   • To hide the column, right-click the column, and then click Hide.
   Or
   • To delete the column, right-click the selected column, and then click Delete.

7. Select row 1 beneath the column heading row. On the View tab, click Freeze Panes, and then click Freeze Top Row.

8. Select the entire spreadsheet. On the Data tab, click Filter.

9. In the Last Success Time column, click the down arrow, and then click Sort Ascending.

10. In the Source DC column, click the filter down arrow, point to Text Filters, and then click Custom Filter.

11. In the Custom AutoFilter dialog box, under Show rows where, click does not contain. In the adjacent text box, type del to eliminate from view the results for deleted domain controllers.

12. Repeat step 11 for the Last Failure Time column, but use the value does not equal, and then type the value 0.

13. Resolve replication failures. The last successful attempt should agree with the replication schedule for intersite replication, or the attempt should be within the last hour for intrasite replication. If Repadmin reports any of the following conditions, see Troubleshooting Active Directory Replication Problems (http://go.microsoft.com/fwlink/?LinkID=93552):
   • The last successful intersite replication was before the last scheduled replication.
   • The last intrasite replication was longer than one hour ago.
   • Replication was never successful.

Transferring an Operations Master Role

When you create a new domain, the Active Directory Domain Services Installation Wizard automatically assigns all the domain-level operations master roles to the first domain controller that is created in that domain. When you create a new forest, the wizard also assigns the two forest-level operations master roles to the first domain controller. After the domain is created and functioning, you might transfer various operations master roles to different domain controllers to optimize performance and simplify administration.

The first domain controller that you install to create a new forest is necessarily both a global catalog server and the infrastructure operations master role holder. When you install the second domain controller in the forest root domain, the Active Directory Domain Services Installation Wizard prompts you to transfer the infrastructure master role to the domain controller that you are installing. Select this option to avoid having to transfer the infrastructure operations master role manually.

The transfer of forest-level and domain-level operations master roles is performed as needed, and it is governed by the guidelines for placing operations master roles. Before you transfer an operations master role, ensure that replication between the current role holder and the domain controller that is assuming the role is updated. When you transfer domain-level roles, you must determine whether the domain controller that you want to assume an operations master role is a global catalog server. The infrastructure master for each domain must not host the global catalog.

Caution
Do not change the global catalog configuration on the domain controller that you want to assume an operations master role unless your information technology (IT) management authorizes that change. Changing the global catalog configuration can cause changes that can take days to complete, and the domain controller might not be available during that period. Instead, transfer the operations master roles to a different domain controller that is already properly configured.

Transferring to a standby operations master

When you follow the recommendations for operations master role placement, the standby operations master is a direct replication partner and it is ready to assume the operations master roles. Remember to designate a new standby operations master for the domain controller that assumes the operations master roles. For more information, see Designating a Standby Operations Master.

Transferring an operations master role when no standby is ready

If you have not designated a standby operations master, you must properly prepare a domain controller to which you intend to transfer the operations master roles. If you are transferring the infrastructure master role, make sure that the target domain controller is not a global catalog server. Preparing the future operations master role holder is the same process as preparing a standby operations master. You must manually create a connection object to ensure that the standby operations master is a replication partner with the current role holder and that replication between the two domain controllers is updated.

Task requirements

The following are required to perform the procedures for this task:
• Repadmin.exe
• Active Directory Sites and Services
• Active Directory Domains and Trusts
• Active Directory Schema snap-in
• Active Directory Users and Computers
• Ntdsutil.exe

To complete this task, perform the following procedures:
• Verify Successful Replication to a Domain Controller
• Determine Whether a Domain Controller Is a Global Catalog Server
• Install the Schema Snap-in
• Transfer the Schema Master
• Transfer the Domain Naming Master
• Transfer the Domain-Level Operations Master Roles
• View the Current Operations Master Role Holders

Install the Schema Snap-in

You can use this procedure to first register the dynamic-link library (DLL) that is required for the Active Directory Schema snap-in. You can then add the snap-in to Microsoft Management Console (MMC).

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To install the Active Directory Schema snap-in

1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, and then click Continue.

2. At the command prompt, type the following command, and then press ENTER:

regsvr32 schmmgmt.dll

3. Click Start, click Run, type mmc, and then click OK.

4. On the File menu, click Add/Remove Snap-in.

5. Under Available snap-ins, click Active Directory Schema, click Add, and then click OK.

6. To save this snap-in, on the File menu, click Save.

7. In the Save As dialog box, do one of the following:
   • To place the snap-in in the Administrative Tools folder, in File name, type a name for the snap-in, and then click Save.
   • To save the snap-in in a location other than the Administrative Tools folder, in Save in, navigate to a location for the snap-in. In File name, type a name for the snap-in, and then click Save.

Caution
Modifying the schema is an advanced operation that is best performed by experienced programmers and system administrators. For detailed information about modifying the schema, see Active Directory Schema (http://go.microsoft.com/fwlink/?LinkId=80809).

Additional considerations

• To perform the Schmmgmt.dll registration portion of this procedure, you must be a member of the Domain Admins group in the domain or the Enterprise Admins group in the forest, or you must have been delegated the appropriate authority. Adding the Active Directory Schema snap-in to MMC requires only membership in the Domain Users group. However, making changes to the schema requires membership in the Schema Admins group.
• The Windows Server 2008 Administration Tools Pack cannot be installed on computers running Windows XP Professional or Windows Server 2003.

Transfer the Schema Master

You can use this procedure to transfer the schema operations master role if the domain controller that currently hosts the role is inadequate, has failed, or is being decommissioned. The schema master is a forest-wide operations master (also known as flexible single master operations or FSMO) role.

Before you perform this procedure, you must identify the domain controller to which you will transfer the schema operations master role. Before you can use the Active Directory Schema snap-in for the first time, you must register it with the system. If you have not yet prepared the Active Directory Schema snap-in, see Install the Schema Snap-in before you begin this procedure.

Note
You perform this procedure by using a Microsoft Management Console (MMC) snap-in, although you can also transfer this role by using Ntdsutil.exe. For information about using Ntdsutil.exe to transfer operations master roles, see Ntdsutil (http://go.microsoft.com/fwlink/?LinkId=120970). For information about the ntdsutil command, you can type ? at the Ntdsutil.exe command prompt.

Membership in Schema Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Transfer the schema master

1. Open the Active Directory Schema snap-in.

2. In the console tree, right-click Active Directory Schema, and then click Change Active Directory Domain Controller.

3. In the Change Directory Server dialog box, under Change to, click This Domain Controller or AD LDS instance.

4. In the list of domain controllers, click the name of the domain controller to which you want to transfer the schema master role, and then click OK.

5. In the console tree, right-click Active Directory Schema, and then click Operations Master. The Change Schema Master box displays the name of the server that is currently holding the schema master role. The targeted domain controller is listed in the second box.

6. Click Change. Click Yes to confirm your choice. The system confirms the operation. Click OK again to confirm that the operation succeeded.

7. Click Close to close the Change Schema Master dialog box.

Transfer the Domain Naming Master

You can use this procedure to transfer the domain naming operations master role if the domain controller that currently hosts the role is inadequate, has failed, or is being decommissioned. The domain naming master is a forest-wide operations master (also known as flexible single master operations or FSMO) role.

Before you perform this procedure, you must identify the domain controller to which you will transfer the domain naming operations master role.

Note
You perform this procedure by using a Microsoft Management Console (MMC) snap-in, although you can also transfer this role by using Ntdsutil.exe. For information about using Ntdsutil.exe to transfer operations master roles, see Ntdsutil (http://go.microsoft.com/fwlink/?LinkId=120970). For information about the ntdsutil command, you can also type ? at the Ntdsutil.exe command prompt.

Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To transfer the domain naming master

1. Open Active Directory Domains and Trusts: On the Start menu, point to Administrative Tools, and then click Active Directory Domains and Trusts. If the User Account Control dialog box appears, provide Enterprise Admins credentials, if required, and then click Continue.

2. In the console tree, right-click Active Directory Domains and Trusts, and then click Change Active Directory Domain Controller.

3. Ensure that the correct domain name is entered in Look in this domain. The available domain controllers from this domain are listed.

4. In the Name column, click the domain controller to which you want to transfer the domain naming master role, and then click OK.

5. At the top of the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.

6. The name of the current domain naming master appears in the first text box. The domain controller to which you want to transfer the domain naming master role should appear in the second text box. If this is not the case, repeat steps 1 through 4.

7. Click Change. To confirm the role transfer, click Yes. Click OK again to close the message box indicating that the transfer took place. Click Close to close the Operations Master dialog box.

Transfer the Domain-Level Operations Master Roles

You can use this procedure to transfer the following three domain-level operations master (also known as flexible single master operations or FSMO) roles:
• Primary domain controller (PDC) emulator operations master
• Relative ID (RID) operations master
• Infrastructure operations master

You might want to transfer a domain-level operations master role if the domain controller that currently hosts the role is inadequate, has failed, or is being decommissioned. You can transfer all domain roles by using the Active Directory Users and Computers snap-in.

Note
You perform these procedures by using a Microsoft Management Console (MMC) snap-in, although you can also transfer these roles by using Ntdsutil.exe. For information about using Ntdsutil.exe to transfer the operations master roles, see Ntdsutil (http://go.microsoft.com/fwlink/?LinkID=120970). For information about the ntdsutil command, you can also type ? at the Ntdsutil.exe command prompt.

Before you perform this procedure, you must identify the domain controller to which you will transfer the operations master role.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To transfer a domain-level operations master role

1. Open Active Directory Users and Computers: On the Start menu, point to Administrative Tools, and then click Active Directory Users and Computers. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.

2. At the top of the console tree, right-click Active Directory Users and Computers, and then click Change Active Directory Domain Controller.

3. Ensure that the correct domain name is entered in Look in this domain. The available domain controllers from this domain are listed.

4. In the Name column, click the name of the domain controller to which you want to transfer the role, and then click OK.

5. At the top of the console tree, right-click Active Directory Users and Computers, and then click Operations Masters. The name of the current operations master role holder appears in the Operations master box. The name of the domain controller to which you want to transfer the role appears in the lower box.

6. Click the tab for the operations master role that you want to transfer: RID, PDC, or Infrastructure. Verify the computer names that appear, and then click Change. Click Yes to transfer the role, and then click OK.

7. Repeat steps 5 and 6 for each role that you want to transfer.

View the Current Operations Master Role Holders

To view the current operations master (also known as flexible single master operations or FSMO) role holders, use the Ntdsutil.exe command-line tool with the roles option. This option displays a list of all current role holders. After you transfer an operations master role, use this procedure to verify that the transfer has occurred successfully throughout the domain. To have full effect, the change must replicate to all domain controllers in the domain for a domain-level role and to all domain controllers in the forest for a forest-level role.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To view the current operations master role holders

1. Open Ntdsutil as an administrator: Click Start, and then, in Start Search, type ntdsutil. At the top of the Start menu, right-click ntdsutil, and then click Run as administrator. In the User Account Control dialog box, provide Domain Admins credentials, and then click OK.

2. At the ntdsutil: prompt, type roles, and then press ENTER.

3. At the fsmo maintenance: prompt, type connections, and then press ENTER.

4. At the server connections: prompt, type connect to server <servername>, where <servername> is the name of the domain controller that belongs to the domain that contains the operations masters.

5. After you receive confirmation of the connection, type quit, and then press ENTER to exit this menu.

6. At the fsmo maintenance: prompt, type select operation target, and then press ENTER.

7. At the select operations target: prompt, type list roles for connected server, and then press ENTER. The system responds with a list of the current roles and the Lightweight Directory Access Protocol (LDAP) name of the domain controllers that are currently assigned to host each role.

8. Type quit, and then press ENTER to exit each prompt in Ntdsutil.exe. At the ntdsutil: prompt, type quit, and then press ENTER to close the window.

Seizing an operations master role

Role seizure is the act of assigning an operations master (also known as flexible single master operations or FSMO) role to a new domain controller without the cooperation of the current role holder, usually because the current role holder is offline as a result of a hardware failure. During role seizure, the new domain controller assumes the operations master role without communicating with the current role holder. Role seizure should be performed only as a last resort. Role seizure can cause the following directory problems:

• Data loss or directory inconsistency as a result of replication latency. The new role holder starts performing its duties based on the data that is located in its current directory partition. If replication did not complete before the time that the original role holder went offline, the new role holder might not have received the latest changes. To minimize the risk of losing data to incomplete replication, do not perform a role seizure until enough time has passed to complete at least one end-to-end replication cycle across your network. Allowing enough time for complete end-to-end replication ensures that the domain controller that assumes the role is as up to date as possible.

• Two domain controllers performing the same role. Because the original role holder is offline when role seizure occurs, the original role holder is not informed that it is no longer the operations master role holder, which is not a problem if the original role holder stays offline. However, if the original role holder comes back online (for example, if the hardware is repaired or the server is restored from a backup), it might try to perform the operations master role that it previously owned. If two domain controllers are performing the same operations master role simultaneously, the severity of the effect from duplicate operations master roles varies, depending on the role that was seized. The effect can range from no visible effect to potential corruption of the Active Directory database. Do not allow a former operations master role holder whose role has been seized to return to an online domain controller.

Task requirements

The following is required to perform the procedures for this task:
• Repadmin.exe
• Ntdsutil.exe

To complete this task, perform the following procedures:
• Verify Successful Replication to a Domain Controller (verify replication to the domain controller that will be seizing the role)
• Seize the Operations Master Role
• View the Current Operations Master Role Holders

Verify Successful Replication to a Domain Controller

You can use the repadmin /showrepl command to verify successful replication to a specific domain controller. If you are not running Repadmin on the domain controller whose replication you are checking, you can specify a destination domain controller in the command.

Repadmin lists INBOUND NEIGHBORS for the current or specified domain controller. INBOUND NEIGHBORS shows the distinguished name of each directory partition for which inbound directory replication has been attempted, the site and name of the source domain controller, and whether replication succeeded or not, as follows:

• Last attempt @ <YYYY-MM-DD HH:MM.SS> was successful.
• Last attempt @ <Never> was successful.

If @ <Never> appears in the output for a directory partition, replication of that directory partition has never succeeded from the identified source replication partner over the listed connection.

Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To verify successful replication to a domain controller

1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.

2. At the command prompt, type the following command, and then press ENTER:

repadmin /showrepl <servername> /u:<domainname>\<username> /pw:*

Note
The user credential parameters (/u:<domainname>\<username> /pw:*) are not required for the domain of the user if the user has opened the Command Prompt as an administrator with Domain Admins credentials or is logged on to the domain controller as a member of Domain Admins or equivalent. However, if you run the command for a domain controller in a different domain in the same Command Prompt session, you must provide credentials for an account in that domain.

Value                Description

repadmin /showrepl   Displays the replication status for the last time that the domain controller that is named in <servername> attempted inbound replication of Active Directory partitions.

<servername>         The name of the destination domain controller.

/u:                  Specifies the domain name and user name, separated by a backslash, for a user who has permissions to perform operations in AD DS.

<domainname>         The single-label name of the domain of the destination domain controller. (You do not have to use a fully qualified Domain Name System (DNS) name.)

<username>           The name of an administrative account in that domain.

/pw:*                Specifies the domain password for the user named in <username>. * provides a Password: prompt when you press ENTER.

3. At the Password: prompt, type the password for the user account that you provided, and then press ENTER.

You can also use repadmin to generate the details of replication to and from all replication partners in a Microsoft Excel spreadsheet. The spreadsheet displays data in the following columns:

showrepl_COLUMNS
Destination DC Site
Destination DC
Naming Context
Source DC Site
Source DC
Transport Type
Number of Failures
Last Failure Time
Last Success Time
Last Failure Status

The following procedure creates this spreadsheet and sets column headings for improved readability.

To generate a repadmin /showrepl spreadsheet for all replication partners

1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.

2. At the command prompt, type the following command, and then press ENTER:

repadmin /showrepl * /csv >showrepl.csv

3. Open Excel.

4. Click the Office button, click Open, navigate to showrepl.csv, and then click Open.

5. Hide or delete column A as well as the Transport Type column, as follows:

6. Select a column that you want to hide or delete.
   • To hide the column, right-click the column, and then click Hide.
   Or
   • To delete the column, right-click the selected column, and then click Delete.

7. Select row 1 beneath the column heading row. On the View tab, click Freeze Panes, and then click Freeze Top Row.

8. Select the entire spreadsheet. On the Data tab, click Filter.

9. In the Last Success Time column, click the down arrow, and then click Sort Ascending.

10. In the Source DC column, click the filter down arrow, point to Text Filters, and then click Custom Filter.

11. In the Custom AutoFilter dialog box, under Show rows where, click does not contain. In the adjacent text box, type del to eliminate from view the results for deleted domain controllers.

12. Repeat step 11 for the Last Failure Time column, but use the value does not equal, and then type the value 0.

13. Resolve replication failures. The last successful attempt should agree with the replication schedule for intersite replication, or the attempt should be within the last hour for intrasite replication. If Repadmin reports any of the following conditions, see Troubleshooting Active Directory Replication Problems (http://go.microsoft.com/fwlink/?LinkID=93552):
   • The last successful intersite replication was before the last scheduled replication.
   • The last intrasite replication was longer than one hour ago.
   • Replication was never successful.
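The Excel filtering in steps 5 through 13 (here and in the identical procedure under the operations master transfer task earlier in this guide) can be scripted so that the same triage runs on every export. The following PowerShell is an added example and not part of the guide: it reads a repadmin /showrepl * /csv export, drops tombstoned source DCs (the "del" filter), flags rows with a non-zero Last Failure Time or Number of Failures, flags partners that never replicated, and flags last-success times older than the intrasite one-hour rule or an intersite threshold. The column names follow the guide's list; the sample CSV rows, DC names, error codes and the 24-hour intersite threshold are constructed for illustration, and the timestamp format is assumed to be yyyy-MM-dd HH:mm:ss as repadmin writes it.

```powershell
# Added example, not from the guide: triage a "repadmin /showrepl * /csv" export
# the way the Excel steps above do by hand. Column names follow the guide's list;
# the CSV rows, DC names and thresholds below are constructed for illustration.

function Get-ReplicationProblem {
    param(
        [Parameter(Mandatory)] [string]$CsvText,
        [datetime]$Now = (Get-Date),
        [double]$IntrasiteMaxAgeHours = 1,    # guide: intrasite success should be within the last hour
        [double]$IntersiteMaxAgeHours = 24    # assumption: set this to match your intersite schedule
    )
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    foreach ($row in ($CsvText | ConvertFrom-Csv)) {
        # Step 11 equivalent: skip tombstoned (deleted) source DCs, whose names contain "DEL:".
        if ($row.'Source DC' -match 'DEL:') { continue }

        $reasons = @()

        # Step 12 equivalent: any row whose Last Failure Time is not 0 needs attention.
        if ($row.'Last Failure Time' -ne '0' -or [int]$row.'Number of Failures' -gt 0) {
            $reasons += "$($row.'Number of Failures') failure(s), last at $($row.'Last Failure Time'), status $($row.'Last Failure Status')"
        }

        # Step 13 equivalent: never-successful partners, then stale last-success times.
        if ($row.'Last Success Time' -eq '0') {
            $reasons += 'replication has never succeeded from this partner'
        } else {
            $last = [datetime]::ParseExact($row.'Last Success Time', 'yyyy-MM-dd HH:mm:ss', $culture)
            $intrasite = ($row.'Source DC Site' -eq $row.'Destination DC Site')
            $maxAge = if ($intrasite) { $IntrasiteMaxAgeHours } else { $IntersiteMaxAgeHours }
            if (($Now - $last).TotalHours -gt $maxAge) {
                $kind = if ($intrasite) { 'intrasite' } else { 'intersite' }
                $reasons += "last success $($last.ToString('u')) is older than $maxAge h ($kind)"
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                DestinationDC = $row.'Destination DC'
                SourceDC      = $row.'Source DC'
                NamingContext = $row.'Naming Context'
                Problems      = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample in the layout repadmin writes (real input comes from showrepl.csv).
$sampleCsv = @'
showrepl_COLUMNS,Destination DC Site,Destination DC,Naming Context,Source DC Site,Source DC,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC1,"DC=corp,DC=example,DC=com",HQ,DC2,RPC,0,0,2008-09-22 10:30:25,0
showrepl_INFO,HQ,DC1,"CN=Configuration,DC=corp,DC=example,DC=com",HQ,DC2,RPC,0,0,2008-09-22 10:30:26,0
showrepl_INFO,HQ,DC1,"DC=corp,DC=example,DC=com",Branch,DC3,RPC,4,2008-09-22 06:02:11,2008-09-20 09:15:40,1722
showrepl_INFO,HQ,DC1,"DC=corp,DC=example,DC=com",HQ,DC5,RPC,0,0,0,0
showrepl_INFO,HQ,DC1,"DC=corp,DC=example,DC=com",HQ,DC4\0ADEL:8e3f0000-0000-0000-0000-000000000000,RPC,12,2008-09-22 10:00:00,0,8524
'@

Get-ReplicationProblem -CsvText $sampleCsv -Now (Get-Date '2008-09-22 11:00:00') | Format-Table -AutoSize
# Reports DC3 (failures plus a stale intersite success) and DC5 (never succeeded);
# the DC2 rows are healthy and the tombstoned DC4 entry is skipped.
```

For a real export, pass the file contents: Get-ReplicationProblem -CsvText (Get-Content .\showrepl.csv -Raw). Anything the function reports maps onto the three conditions in step 13, so the next stop is the same Troubleshooting Active Directory Replication Problems reference.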

Seize the Operations Master Role

You can use the Ntdsutil.exe command-line tool to transfer and seize an operations master (also known as flexible single master operations or FSMO) role. You must use Ntdsutil.exe to seize the schema operations master, domain naming operations master, and relative ID (RID) operations master roles. When you use Ntdsutil.exe to seize an operations master role, the tool first attempts a transfer from the current role owner. If the current role owner is not available, the tool seizes the role. When you use Ntdsutil.exe to seize an operations master role, the procedure is nearly identical for all roles. For more information about using Ntdsutil.exe, type ? at the ntdsutil: command prompt.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To seize an operations master role

1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

2. At the command prompt, type ntdsutil, and then press ENTER.

3. At the ntdsutil: prompt, type roles, and then press ENTER.

4. At the fsmo maintenance: prompt, type connections, and then press ENTER.

5. At the server connections: prompt, type connect to server <servername> (where <servername> is the name of the domain controller that will assume the operations master role), and then press ENTER.

6. After you receive confirmation of the connection, type quit, and then press ENTER.

7. Depending on the role that you want to seize, at the fsmo maintenance: prompt, type the appropriate command, and then press ENTER.

Role                                        Credentials         Command

Domain naming master                        Enterprise Admins   Seize domain naming master
Schema master                               Enterprise Admins   Seize schema master
Infrastructure master                       Domain Admins       Seize infrastructure master
Primary domain controller (PDC) emulator    Domain Admins       Seize pdc
RID master                                  Domain Admins       Seize rid master

The system asks for confirmation. It then attempts to transfer the role. When the transfer fails, some error information appears and the system proceeds with the seizure of the role. After the seizure of the role is complete, a list of the roles and the Lightweight Directory Access Protocol (LDAP) name of the server that currently holds each role appears.

During seizure of the relative ID (RID) operations master role, the current role holder attempts to synchronize with its replication partners. If it cannot establish a connection with a replication partner during the seizure operation, it displays a warning and asks for confirmation that you want the seizure of the role to proceed. Click Yes to proceed.

8. Type quit, and then press ENTER. Type quit again, and then press ENTER to exit Ntdsutil.exe.

View the Current Operations Master Role Holders

To view the current operations master (also known as flexible single master operations or FSMO) role holders, use the Ntdsutil.exe command-line tool with the roles option. This option displays a list of all current role holders. After you transfer an operations master role, use this procedure to verify that the transfer has occurred successfully throughout the domain. To have full effect, the change must replicate to all domain controllers in the domain for a domain-level role and to all domain controllers in the forest for a forest-level role.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To view the current operations master role holders

1. Open Ntdsutil as an administrator: Click Start, and then, in Start Search, type ntdsutil. At the top of the Start menu, right-click ntdsutil, and then click Run as administrator. In the User Account Control dialog box, provide Domain Admins credentials, and then click OK.

2. At the ntdsutil: prompt, type roles, and then press ENTER.

3. At the fsmo maintenance: prompt, type connections, and then press ENTER.

4. At the server connections: prompt, type connect to server <servername>, where <servername> is the name of the domain controller that belongs to the domain that contains the operations masters.

5. After you receive confirmation of the connection, type quit, and then press ENTER to exit this menu.

6. At the fsmo maintenance: prompt, type select operation target, and then press ENTER.

7. At the select operations target: prompt, type list roles for connected server, and then press ENTER. The system responds with a list of the current roles and the Lightweight Directory Access Protocol (LDAP) name of the domain controllers that are currently assigned to host each role.

8. Type quit, and then press ENTER to exit each prompt in Ntdsutil.exe. At the ntdsutil: prompt, type quit, and then press ENTER to close the window.
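The list roles for connected server output shows one domain controller's view. Because the guide says a transfer or seizure only has full effect once it has replicated to every domain controller, the check a practitioner wants is every DC's view side by side, which is what this added PowerShell example does (it is not part of the guide and applies equally to the View the Current Operations Master Role Holders procedure under the transfer task earlier). It also includes the pre-transfer check that the guide requires for the infrastructure master (the target must not be a global catalog server). It assumes the ActiveDirectory module from RSAT, which needs at least one Windows Server 2008 R2 or later domain controller running Active Directory Web Services; the DC names in the usage comments are constructed.

```powershell
# Added example, not from the guide: ask every domain controller which servers it believes
# hold the five operations master roles, report disagreements (a transfer or seizure that
# has not replicated everywhere yet), and check an infrastructure master candidate for the
# global catalog rule. Assumes the ActiveDirectory module; names in usage lines are constructed.
Import-Module ActiveDirectory

function Get-RoleHolderView {
    # Query each DC of the domain directly (-Server) so the answer reflects that DC's replica.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        try {
            $d = Get-ADDomain -Server $dc.HostName
            $f = Get-ADForest -Server $dc.HostName
            [pscustomobject]@{
                ReportedBy           = $dc.HostName
                PDCEmulator          = $d.PDCEmulator
                RIDMaster            = $d.RIDMaster
                InfrastructureMaster = $d.InfrastructureMaster
                SchemaMaster         = $f.SchemaMaster
                DomainNamingMaster   = $f.DomainNamingMaster
            }
        } catch {
            # An unreachable DC (for example the former role holder after a seizure) is reported, not fatal.
            Write-Warning "$($dc.HostName) could not be queried: $($_.Exception.Message)"
        }
    }
}

function Test-RoleHolderConsistency {
    # $true only when every queried DC names the same holder for every role.
    param([Parameter(Mandatory)][object[]]$Views)
    $consistent = $true
    foreach ($role in 'PDCEmulator','RIDMaster','InfrastructureMaster','SchemaMaster','DomainNamingMaster') {
        $holders = @($Views | ForEach-Object { $_.$role } | Sort-Object -Unique)
        if ($holders.Count -ne 1) {
            $consistent = $false
            Write-Warning "$role is not consistent yet across DCs: $($holders -join ', ')"
        }
    }
    return $consistent
}

function Test-InfrastructureMasterCandidate {
    # The guide's rule: the infrastructure master for a domain must not host the global catalog.
    param([Parameter(Mandatory)][string]$DcName)
    $dc = Get-ADDomainController -Identity $DcName
    if ($dc.IsGlobalCatalog) {
        Write-Warning "$DcName is a global catalog server; pick a different infrastructure master"
        return $false
    }
    return $true
}

# Usage with constructed names. Move-ADDirectoryServerOperationMasterRole is the cmdlet
# counterpart of the snap-in and Ntdsutil procedures; -Force turns a transfer into a seizure,
# so reserve it for the last-resort case described in this task.
#   Test-InfrastructureMasterCandidate -DcName 'DC2'
#   Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole InfrastructureMaster
$views = Get-RoleHolderView
$views | Format-Table -AutoSize
Test-RoleHolderConsistency -Views $views
```

Run the consistency check again after a replication cycle; a role that still shows two holders, or a former holder that remains unreachable after a seizure, is the "two domain controllers performing the same role" condition the task warns about and should be dealt with before that server is allowed back on the network. The global catalog rule matters only while some domain controllers in the domain are not global catalog servers; when every DC is also a GC the infrastructure master has nothing to update, so the candidate check can be relaxed in that case.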

Reducing the Workload on the PDC Emulator Master

In addition to processing normal domain controller load from clients, the primary domain controller (PDC) emulator operations master must also process password changes. Of all the operations master (also known as flexible single master operations or FSMO) roles, the PDC emulator master role has the highest impact on the domain controller that hosts that role. To mitigate some of the load that is caused by normal domain controller traffic, you can protect the PDC emulator by configuring Domain Name System (DNS) to distribute some of the normal request load to other domain controllers that are capable of processing the requests.

To receive information from the domain, a client uses DNS to locate a domain controller. The client then sends the request to that domain controller. By default, DNS performs rudimentary load balancing. It also randomizes the distribution of client requests so that the requests are not always sent to the same domain controller. If too many client requests are sent to a domain controller while it attempts to perform other duties, such as the duties of the PDC emulator, it can become overloaded, which has a negative impact on its performance.

You can configure DNS so that a domain controller is queried less frequently than others. Reducing the number of client requests helps reduce the workload on a domain controller, which gives it more time to function as an operations master. This is especially important for the PDC emulator. To reduce the number of client requests that are processed by the PDC emulator, you can change its weight or its priority in the DNS environment.

Changing the weight for DNS service (SRV) resource records in the registry
Changing the weight of a domain controller to a value less than that of other domain controllers reduces the number of clients that Domain Name System (DNS) refers to that domain controller. This value is stored in the LdapSrvWeight registry entry. The default value is 100, but it can range from 0 through 65535. When you lower this value on a domain controller, clients are referred to that domain controller less frequently, in proportion to this value relative to the weights of the other domain controllers at the same priority. For example, to configure the system so that the domain controller that hosts the PDC emulator role receives requests only half as many times as each other domain controller, configure the weight of the domain controller that hosts the PDC emulator role to be 50. Assuming that the other domain controllers use the default weight value of 100, the weight ratio for that domain controller relative to any other is 50/100 (50 for that domain controller and 100 for each other domain controller). At a ratio of 1/2, clients are referred to each of the other domain controllers twice as often as to the domain controller with the reduced weight setting. Note that weight is a share of the total, not a fixed fraction of all requests: with weight 50 against two peers at 100, the PDC emulator receives 50/250, or 20 percent, of the referrals. By reducing client referrals, the domain controller receives fewer client requests and has more resources for other tasks, such as performing the role of PDC emulator.

Changing the priority for DNS service (SRV) resource records in the registry
Changing the priority of a domain controller also reduces the number of client referrals to it. However, rather than reducing access to the domain controller proportionally with regard to the other domain controllers, changing the priority causes clients to stop using this domain controller altogether unless all domain controllers with a lower priority value are unavailable. To prevent clients from sending all requests to a single domain controller, the domain controllers are assigned a priority value. This value is stored in the LdapSrvPriority registry entry. The default value is 0, but it can range from 0 through 65535. The client uses the priority value to help determine to which domain controller it sends requests. When a client uses DNS to discover a domain controller, the priority for a given domain controller is returned to the client with the rest of the DNS information. Clients always send requests to the domain controller that has the lowest priority value. If more than one domain controller has the same value, the clients choose randomly from the group of domain controllers with the same value, with the random choice weighted by each record's weight. If no domain controllers with the lowest priority value are available, the clients send requests to the domain controllers with the next larger priority value. Therefore, raising the value of the LdapSrvPriority registry entry on the PDC emulator removes it from normal client selection entirely while any lower-priority domain controller is reachable, which is a stronger change than lowering its weight; use it only when the PDC emulator should not serve clients at all.

Task requirements
The following tool is required to perform the procedures for this task:
• Regedit.exe
To complete this task, perform the following procedures:
1. Change the Weight for DNS Service (SRV) Resource Records in the Registry
2. Change the Priority for DNS Service (SRV) Resource Records in the Registry


Change the Weight for DNS Service (SRV) Resource Records in the Registry
You can use this procedure to reduce the workload on the primary domain controller (PDC) emulator operations master by changing the weight for Domain Name System (DNS) service (SRV) resource records in the registry.

Caution: Registry Editor bypasses standard safeguards, which allows settings that can damage your system or even require you to reinstall Windows. If you must edit the registry, back up critical volumes first. For information about backing up critical volumes, see Administering Active Directory Backup and Recovery.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To change the weight for DNS service (SRV) resource records in the registry
1. Open Registry Editor as an administrator: Click Start and then, in Start Search, type regedit. At the top of the Start menu, right-click regedit, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. In Registry Editor, navigate to HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. Click Edit, click New, and then click DWORD (32-bit) Value.
4. For the new value name, type LdapSrvWeight, and then press ENTER.
5. Double-click the value name that you just typed to open the Edit DWORD (32-bit) Value dialog box.
6. Enter a value from 0 through 65535. The default value is 100.
7. Choose Decimal as the Base option, and then click OK.
8. Click File, and then click Exit to close Registry Editor.

The new weight takes effect only after Netlogon re-registers the domain controller's SRV records, which happens when the Netlogon service restarts, at its periodic DNS refresh, or immediately when you run nltest /dsregdns on the domain controller.

Change the Priority for DNS Service (SRV) Resource Records in the Registry
You can use this procedure to reduce the workload on the primary domain controller (PDC) emulator operations master by changing the priority for Domain Name System (DNS) service (SRV) resource records in the registry.

Caution: Registry Editor bypasses standard safeguards, which allows settings that can damage your system or even require you to reinstall Windows. If you must edit the registry, back up critical volumes first. For information about backing up critical volumes, see Administering Active Directory Backup and Recovery.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To change the priority for DNS SRV records in the registry
1. Open Registry Editor as an administrator: Click Start and then, in Start Search, type regedit. At the top of the Start menu, right-click regedit, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. In Registry Editor, navigate to HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. Click Edit, click New, and then click DWORD (32-bit) Value.
4. For the new value name, type LdapSrvPriority, and then press ENTER.
5. Double-click the value name that you just typed to open the Edit DWORD (32-bit) Value dialog box.
6. Enter a value from 0 through 65535. The default value is 0.
7. Choose Decimal as the Base option, and then click OK.
8. Click File, and then click Exit to close Registry Editor.

As with the weight, the new priority appears in DNS only after Netlogon re-registers the SRV records (service restart, periodic refresh, or nltest /dsregdns). Verify the result with nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain> before relying on it.
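The two registry procedures above, applied and verified from Windows PowerShell. This is an added example, not part of the Operations Guide: it assumes the ActiveDirectory and DnsClient modules (Windows Server 2008 R2 or later; on Windows Server 2008 itself use the Registry Editor steps with nltest and nslookup instead) and an elevated session on the PDC emulator. Get-SrvReferralShare is a hypothetical helper that computes the share of referrals a record receives under RFC 2782 weighting, so you can check what a given weight actually does before changing it.

```powershell
# Added example (not from the Operations Guide): set LdapSrvWeight and
# LdapSrvPriority on the PDC emulator, force Netlogon to re-register its
# SRV records, and read back what clients will see.
# Assumes: ActiveDirectory + DnsClient modules, elevated session on the PDC.

$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Share of referrals a record gets among records at the same priority, as an
# RFC 2782 client computes it: its weight over the sum of all weights.
# Weight is relative: 50 against two peers at 100 is 50/250, a 20% share,
# i.e. half of what each peer gets, not half of all requests.
function Get-SrvReferralShare {
    param(
        [Parameter(Mandatory)][int]$Weight,
        [Parameter(Mandatory)][int[]]$PeerWeights
    )
    $total = $Weight + ($PeerWeights | Measure-Object -Sum).Sum
    if ($total -eq 0) {                       # all weights zero: uniform choice
        return [math]::Round(1 / (1 + $PeerWeights.Count), 4)
    }
    return [math]::Round($Weight / $total, 4)
}

function Set-PdcSrvRecordSettings {
    param(
        [ValidateRange(0, 65535)][int]$Weight   = 100,   # LdapSrvWeight default
        [ValidateRange(0, 65535)][int]$Priority = 0      # LdapSrvPriority default
    )
    # Refuse to run anywhere but on the PDC emulator: de-weighting another DC
    # only pushes its share onto the rest, including the PDC emulator.
    $pdc = (Get-ADDomain).PDCEmulator
    if ($pdc -notlike "$env:COMPUTERNAME.*") {
        throw "Run this on the PDC emulator ($pdc), not on $env:COMPUTERNAME."
    }
    # REG_DWORD values, exactly what the Registry Editor steps create.
    New-ItemProperty -Path $NetlogonKey -Name LdapSrvWeight   -PropertyType DWord -Value $Weight   -Force | Out-Null
    New-ItemProperty -Path $NetlogonKey -Name LdapSrvPriority -PropertyType DWord -Value $Priority -Force | Out-Null
    # Netlogon re-registers SRV records only on restart or at its refresh
    # interval; nltest /dsregdns forces the re-registration now.
    nltest /dsregdns | Out-Null
}

function Get-DcSrvRecords {
    param([string]$DomainDnsName = (Get-ADDomain).DNSRoot)
    # The DC Locator queries _ldap._tcp.dc._msdcs.<domain>; one SRV record per DC.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainDnsName" -Type SRV |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Priority, Weight, Port |
        Sort-Object Priority, NameTarget
}

# Usage: give the PDC emulator half the weight of each peer at priority 0,
# then list the records clients will use.
Set-PdcSrvRecordSettings -Weight 50 -Priority 0
Get-DcSrvRecords | Format-Table -AutoSize
```

With weight 50 against two peers at 100, Get-SrvReferralShare -Weight 50 -PeerWeights 100,100 returns 0.2, which is the "half as often as each other domain controller" case the text describes. Raising -Priority instead takes the PDC emulator out of selection entirely while any priority-0 record is reachable, so keep it at 0 unless that is the intent.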

Administering Active Directory Backup and Recovery
This guide provides information about administering backup and recovery of Active Directory Domain Services (AD DS) in Windows Server 2008.

In this guide
• Introduction to Administering Active Directory Backup and Recovery
• Managing Active Directory Backup and Recovery


Introduction to Administering Active Directory Backup and Recovery
Backup of Active Directory Domain Services (AD DS) must be incorporated into your operations schedule for a set of domain controllers that you identify as critical and on which you perform routine, scheduled backup operations. Recovering AD DS is not performed routinely as an operations task; it is performed only when it is made necessary by a failure or other condition from which a domain controller can recover only by restoring the directory to a previous state.

Important: Restoring from a backup is not always the best or only option to recover AD DS. Do not perform a restore operation to recover a domain controller until you have performed tests to rule out other causes. Restoring from backup (an authoritative restore) is almost always the right solution to recover deleted objects, because in Windows Server 2008 a deleted object survives only as a tombstone that has lost most of its attributes.

Backing up AD DS
Backup procedures have changed in Windows Server 2008, as compared to previous versions of Windows Server. A new backup tool, Windows Server Backup, replaces NtBackup as the tool that you use to back up AD DS. You cannot use Ntbackup to back up servers running Windows Server 2008. In Windows Server 2008, you can perform three types of backup:
• System state backup, which includes all the files that are required to recover AD DS
• Critical-volumes backup, which includes all the volumes that contain system state files
• Full server backup, which includes all volumes on the server

You can use the Windows Server Backup graphical user interface (GUI) to perform critical-volumes backups and full server backups. You can use the Windows Server Backup command-line tool, Wbadmin.exe, to perform all types of backup, including system state backup. For more information about backing up domain controllers, see Backing Up Active Directory Domain Services.

Recovering AD DS
You can recover from Active Directory corruption or inconsistency by performing a restore operation to return AD DS to its state at the time of the latest backup. Restoring from backup as a method of recovering AD DS should not be undertaken as the primary method of recovering from an error or failure condition, but as a last resort. Assuming that a restore operation is appropriate to recover the domain controller, requirements for recovering AD DS relate to the age of the backup, as follows:

• The primary requirement for recovering AD DS is that the backup you use must not be older than a tombstone lifetime, which is the number of days that deletions are retained in the directory. In forests that are created on servers running Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with SP2, or Windows Server 2008, the default value of the tombstone lifetime is 180 days. The default value is 60 days in forests that are created on servers running Windows 2000 Server or Windows Server 2003. AD DS protects itself from restoring data that is older than the tombstone lifetime by not allowing the restore.

Important: Always check the tombstone lifetime value before you use a backup to restore AD DS. Even if you are sure of the default value for your environment, the tombstone lifetime value might have been changed administratively in AD DS. Use ADSI Edit to view the value in the tombstoneLifetime attribute on the object CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ForestRootDomain. If the attribute is not set, the effective tombstone lifetime is 60 days, not 180, regardless of the operating system version of the domain controllers.

• Do not modify system clocks in an attempt to improperly extend the useful life of a system state backup. Skewed time can cause serious problems in cases where directory data is time sensitive.

You can recover AD DS by restoring a backup in the following ways:
• Nonauthoritative restore: Use this process to restore AD DS to its state at the time of the backup, and then allow Active Directory replication to update the restored domain controller to the current state of AD DS.
• Authoritative restore: Use this process to recover objects that have been deleted from AD DS. Authoritative restore does not allow replication to overwrite the restored deletions. Instead, the restored objects replicate authoritatively to the other domain controllers in the domain.

Note: Be aware that additions of data that are made between the time of the backup and the authoritative restore process are not removed during the restore process. Authoritative restore focuses only on the deleted objects. Additional data is merged during the restore process.

When recovering AD DS by restoring from backup is not possible, you must reinstall AD DS. Sometimes restoring from backup is possible but not feasible. For example, if a domain controller is needed quickly, it is sometimes faster to reinstall AD DS than to recover the domain controller. In cases of hardware failure or file corruption, you might have to reinstall the operating system and then either reinstall or restore AD DS. For more information about rationales and methods for recovering domain controllers, see Recovering Active Directory Domain Services.
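The tombstone-lifetime check above, done from Windows PowerShell instead of ADSI Edit. This is an added example, not part of the Operations Guide: it assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT) and reads the same CN=Directory Service object the text names; Test-BackupRestorable is a hypothetical helper that applies the "not older than a tombstone lifetime" rule to a backup timestamp, including the unset-attribute case.

```powershell
# Added example (not from the Operations Guide): read the forest's effective
# tombstone lifetime and decide whether a backup is still usable for restore.
# Assumes the ActiveDirectory module; the DN below is the one the guide gives.

function Get-EffectiveTombstoneLifetime {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                             -Properties tombstoneLifetime
    # When the attribute is absent (forests created on Windows 2000 or on
    # Windows Server 2003 before SP1), AD DS behaves as if it were 60 days.
    if ($null -eq $dsObject.tombstoneLifetime) {
        return [pscustomobject]@{ Days = 60; Source = 'default (attribute not set)' }
    }
    return [pscustomobject]@{ Days = [int]$dsObject.tombstoneLifetime; Source = 'tombstoneLifetime attribute' }
}

function Test-BackupRestorable {
    param(
        [Parameter(Mandatory)][datetime]$BackupTime,
        [Parameter(Mandatory)][int]$TombstoneLifetimeDays,
        [datetime]$Now = (Get-Date)
    )
    # Pure decision logic, so it can be checked without a forest:
    # a backup as old as, or older than, the tombstone lifetime must not be restored.
    $age = ($Now - $BackupTime).TotalDays
    return [pscustomobject]@{
        AgeDays    = [math]::Floor($age)
        Restorable = ($age -lt $TombstoneLifetimeDays)
    }
}

# Usage: compare the newest Windows Server Backup version on this DC against
# the forest's tombstone lifetime. 'wbadmin get versions' prints one
# "Backup time: <date>" line per version; the [datetime] cast uses the
# session's culture, so run it where the date format matches.
$tsl    = Get-EffectiveTombstoneLifetime
$latest = wbadmin get versions 2>$null | Select-String 'Backup time:' | Select-Object -Last 1
if ($latest) {
    $time   = [datetime]($latest.Line -replace '^\s*Backup time:\s*', '')
    $result = Test-BackupRestorable -BackupTime $time -TombstoneLifetimeDays $tsl.Days
    'Tombstone lifetime: {0} days ({1}); latest backup is {2} days old; restorable: {3}' -f `
        $tsl.Days, $tsl.Source, $result.AgeDays, $result.Restorable
} else {
    'No Windows Server Backup versions found on this server.'
}
```

Run it before any restore; a forest whose attribute was never set reports 60 days even when every domain controller runs Windows Server 2008, which is exactly the case the Important note above warns about.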

Additional considerations
• Backing Up Active Directory Domain Services
• Recovering Active Directory Domain Services

Managing Active Directory Backup and Recovery
This section includes the following tasks for managing backup and recovery of Active Directory Domain Services (AD DS):
• Backing Up Active Directory Domain Services
• Recovering Active Directory Domain Services

Backing Up Active Directory Domain Services
This section describes the different types of backups that you can perform to ensure that you can recover Active Directory Domain Services (AD DS) if Active Directory data quality or consistency is jeopardized by human error, hardware breakdown, or software issues. You can perform regular, scheduled backups, which are essential for dependable operations, and you can perform immediate, ad hoc backups when necessary or as an alternative to scheduling regular backups, although scheduling is preferred. Backup tools and processes are improved in Windows Server 2008 to provide easier methods for backing up the data that is required to recover AD DS and the full server.

Windows Server backup tools
To back up AD DS in Windows Server 2008, you use the Windows Server Backup tool. Windows Server Backup replaces the Backup or Restore Wizard (Ntbackup), the tool that is used in earlier versions of the Windows Server operating system. You cannot use Ntbackup to back up servers that are running Windows Server 2008. To use Windows Server Backup tools, you must install Windows Server Backup Features in Server Manager. For information about how to install Windows Server Backup Features, see Installing Windows Server Backup.

In the features list in Server Manager, Windows Server Backup Features has two parts:
• Windows Server Backup (Wbadmin.msc), a graphical user interface (GUI) snap-in that is available on the Administrative Tools menu. You can use the Windows Server Backup GUI to perform critical-volumes backups and full server backups.
Note: You can perform a system state backup only by using the Wbadmin.exe command-line tool.
• Command-line Tools, which is required to install the Wbadmin.exe command-line tool for Windows Server Backup. "Command-line Tools" refers to a set of Windows PowerShell tools. When you select Command-line Tools, you are prompted to install the required Windows PowerShell feature.

You can use the Windows Server Backup command-line tool, Wbadmin.exe, to perform all types of backup, including system state backup. You can use the Windows Server Backup snap-in to back up entire volumes only, as follows: those volumes that contain system state files (critical-volumes backup) or all volumes (full server backup). The Windows Server Backup snap-in has two wizard options: a Backup Schedule Wizard and a Backup Once Wizard. To use one of the wizards for backing up critical volumes, you must know which volumes to select, or you can allow the wizard to select them when you specify that you want to enable system recovery. When you use the command-line tool for backing up critical volumes, the tool selects the correct volumes automatically. To back up system state, you must use the Wbadmin.exe command-line tool.

Windows Server backup types
In Windows Server 2008, you can use Windows Server Backup tools to back up three categories of domain controller data, all of which can be used to recover AD DS. Each backup type backs up a different set of data.

Contents of Windows Server backup types
The following list describes the backup types and the data that they contain:
• System state, which includes all the files that are required to recover AD DS. System state includes at least the following data, plus additional data, depending on the server roles that are installed:
  • Registry
  • COM+ Class Registration database
  • Boot files
  • Active Directory Certificate Services (AD CS) database
  • Active Directory database (Ntds.dit) file and log files
  • SYSVOL directory
  • Cluster service information
  • Microsoft Internet Information Services (IIS) metadirectory
  • System files that are under Windows Resource Protection

• Critical volumes, which includes all volumes that contain system state files:
  • The volume that hosts the boot files, which consist of the Bootmgr file and the Boot Configuration Data (BCD) store
  • The volume that hosts the Windows operating system and the registry
  • The volume that hosts the SYSVOL tree
  • The volume that hosts the Active Directory database
  • The volume that hosts the Active Directory database log files
• Full server, which includes all volumes on the server, including Universal Serial Bus (USB) drives. The backup does not include the volume where the backup is stored.

Criteria for using backup types
The following table shows the qualities and restrictions that apply to each backup type. Use this table to determine the backup type to use.
Feature | System state backup | Critical-volumes backup | Full server backup
Can be used to recover from registry or directory service configuration errors (recover AD DS) | Yes | Yes | Yes
Can be used for full server (bare-metal) recovery with Windows Recovery Environment (Windows RE) | No | Yes | Yes
Can be used to recover from unbootable conditions | No | Yes | Yes
Can be used to recover specific files and folders | No | Yes | Yes
Can be created by using Windows Server Backup snap-in (GUI) | No | Yes | Yes
Can be created by using Wbadmin.exe command-line tool | Yes | Yes | Yes
Has incremental backup support | No* | Yes | Yes
Can be stored on a DVD or on a network share if the backup is performed manually (is not a scheduled backup) | No | Yes** | Yes**
Can use any of the volumes that are included in the backup as the target volume | Yes*** | No | No
Can be scheduled by using the Windows Server Backup snap-in | No | Yes | Yes

* Each consecutive backup requires as much space as the first. To help manage the number of versions of system state backups that you store, you can use the wbadmin delete systemstatebackup command to remove old versions. For more information, see Wbadmin delete systemstatebackup.
** Must be stored on a different hard disk from the source volumes, including external disks or DVDs. External storage devices must be connected to the backup computer.
*** No, by default, but you can override the default by making a change in the registry. To store the system state backup on a volume that is included in the backup, you must add the AllowSSBToAnyVolume registry entry to the server that you are backing up. However, there are some known issues with storing system state backup on a volume that is included in the backup. For more information, see Known Issues for Backing Up Active Directory Domain Services.

Backup guidelines
The following guidelines for backup include the performance of backups to ensure redundancy of Active Directory data:
• Create daily backups of all unique data, including all domain directory partitions on global catalog servers.
• Create daily backups of critical volumes on at least two unique domain controllers, if possible. When you have environments with single-domain-controller forests, single-domain-controller domains, or empty root domains, take special care to back up more often.
• Ensure that backups are available in sites where they are needed. Do not rely on copying a backup from a different site, which is very time consuming and can significantly delay recovery.
• Where domains exist in only one site, store additional backup files offsite in a secure location so that no backup file of a unique domain exists in only one physical site at any point in time. This precaution provides an extra level of redundancy in case of physical disaster or theft.
• Make sure that your backups are stored in a secure location at all times. A system state or critical-volumes backup contains Ntds.dit and the registry hives needed to decrypt it, and therefore the password hashes of every account in the domain; anyone who can read the backup can compromise the domain, so protect backup media and backup shares as you would protect a domain controller.
• Back up volumes that store Domain Name System (DNS) zones that are not Active Directory–integrated. You must be aware of the location of DNS zones and back up DNS servers accordingly. If you use Active Directory–integrated DNS, DNS zone data is captured as part of system state and critical-volume backups on domain controllers that are also DNS servers. If you do not use Active Directory–integrated DNS, you must back up the zone volumes on a representative set of DNS servers for each DNS zone to ensure fault tolerance for the zone.
Note: The DNS server stores settings in the registry. Therefore, system state or critical-volume backup is required for DNS, regardless of whether the zone data is Active Directory–integrated or stored in the file system.
• If you have application directory partitions in your forest, make sure that you make a backup of the domain controllers that replicate those application directory partitions.
• Create additional backups of domains in every geographic location where:
  • Large populations of users exist.
  • Critical populations of users exist, such as those who support company executives or operate critical business units.
  • Mission-critical work is performed.
  • A wide area network (WAN) outage would disrupt business.
  • The elapsed time that it takes to perform either of the following tasks would be cost prohibitive because of slow link speeds, the size of the directory database, or both: to create a domain controller in its intended domain over the network, or to copy or transport installation media from a site where a backup exists to a site that has no backup for the purpose of performing an installation from media (IFM).
Note: You can use a system state or critical-volumes backup to restore only the domain controller on which the backup was generated or to create a new additional domain controller in the same domain by installing from restored backup media. You cannot use a system state or critical-volumes backup to restore a different domain controller or to restore a domain controller onto different hardware. You can only use a full server backup to restore a domain controller onto different hardware.

Scheduling regular backups
You can use the Backup Schedule Wizard to schedule regular, automatic critical-volumes or full server backups of your domain controllers. You need a current, verified, and reliable backup to:
• Restore Active Directory data that becomes lost.
• Recover a domain controller that cannot start up or operate normally because of software failure, hardware failure, or administrative error. For example, an administrator might have set overly restrictive permissions, either explicitly or by using a security policy, that deny the operating system access to the Ntds.dit file and log files.
• Install AD DS from installation media that you create by using the ntdsutil ifm command. For information about installing a domain controller from installation media, see Installing an Additional Domain Controller by Using IFM.
• Perform a forest recovery if forest-wide failure occurs.
For information about scheduling backups of AD DS in Windows Server 2008, see Scheduling Regular Full Server Backups of a Domain Controller.

Immediate (unscheduled) backup
In addition to scheduling regular backups, perform an immediate backup when certain events occur in your environment. You can use the Backup Once Wizard or the command line to back up AD DS when the following conditions arise:
• You have moved the Active Directory database, log files, or both to a different location on a disk.
• The operating system on a domain controller is upgraded.
• A Service Pack is installed on a domain controller.
• A hotfix is installed that makes changes to the Active Directory database.
• A current backup is required for installing from backup media for a new domain controller.
• The tombstone lifetime is changed administratively by changing the value in the tombstoneLifetime attribute of the object CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ForestRootDomain. The tombstone lifetime value in an Active Directory forest defines the number of days that a domain controller preserves information about deleted objects. For this reason, this value also defines the useful life of a backup that you use for disaster recovery or installation from backup media.

Backup frequency
The frequency of your backups depends on criteria that vary for individual Active Directory environments. In most Active Directory environments, users, computers, and administrators make daily changes to directory objects, such as group membership or Group Policy. For example, computer accounts, including domain controller accounts, change their passwords every 30 days by default. Therefore, every day a percentage of computer passwords changes for domain controllers and domain client computers. Rolling the computer password of a domain controller back to a former state affects authentication and replication. A percentage of user passwords might also expire on a daily basis, and if they are lost as a result of domain controller failure, they must be reset manually. Generally, no external record of these changes exists except in AD DS. Therefore, the more frequently you back up domain controllers, the fewer problems you will encounter if you need to restore this type of information.

The more Active Directory objects and domain controllers you have, the more frequent your backups should be. For example, in a large organization, to recover from the inadvertent deletion of a large organizational unit (OU) by restoring the domain from a backup that is days or weeks old, you might have to re-create hundreds of accounts that were created in that OU since the backup was made. To avoid re-creating accounts and potentially performing large numbers of manual password resets, ensure that recent system state backups are always available to recover recent Create, Modify, and Delete operations.

Backup frequency criteria
Use the following criteria to assess the frequency of your backups:
• Small environments with a single domain controller in the forest or domains that exist in a single physical location (that is, domains that have a single point of failure): create backups at least daily.
• Medium (10 to 49 domain controllers) and large environments (50 to 1,000 or more domain controllers): Create backups of each unique directory partition in the forest on two different computers at least daily, with an emphasis on backing up application directory partitions, empty root domains, domains in a single geographic site, and sites that have large populations of users or that host mission-critical work. Make backups with increasing frequency until you are confident that if you lose the objects that were created or modified since the last backup, the loss would not create a disruption of your operations. Major changes to the environment should always be immediately followed by a new system state backup.
Note: We always recommend that you have at least two domain controllers in each domain of your Active Directory forest.

Backup latency interval
After you perform an initial Active Directory backup on a domain controller, Event ID 2089 provides warnings about the backup status of each directory partition that a domain controller stores, including application directory partitions. Specifically, Event ID 2089 is logged in the Directory Service event log when partitions in the Active Directory forest are not backed up with sufficient frequency, and it continues daily until a backup of the partition occurs. This event serves as a warning to administrators and monitoring applications to make sure that domain controllers are backed up well before the tombstone lifetime expires. By monitoring this event, you can ensure that backups occur with sufficient frequency.

Sufficient frequency is determined by the backup latency interval. The value for the backup latency interval is stored as a REG_DWORD value in the Backup Latency Threshold (days) registry entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters. By default, the value of Backup Latency Threshold (days) is half the value of the tombstone lifetime of the forest. In a Windows Server 2008 forest with the default 180-day tombstone lifetime, half the tombstone lifetime is 90 days. However, we recommend that you make backups at a much higher frequency than the default value of Backup Latency Threshold (days); with the default, the first warning arrives 90 days after the last backup, which leaves little margin before the backup becomes unusable. By setting a minimum backup frequency, changing this setting to reflect that frequency, and monitoring Event ID 2089, you ensure the backup frequency that is established in your organization. To set a different Backup Latency Threshold (days) value, use Registry Editor (Regedit.exe) to create the entry as a REG_DWORD and provide the appropriate number of days.

More information about the Windows Server Backup tools and backing up AD DS is available in the Step-by-Step Guide for Windows Server 2008 AD DS Backup and Recovery (http://go.microsoft.com/fwlink/?LinkId=93077), as follows:
• What's New in AD DS Backup and Recovery?
• Known Issues for AD DS Backup and Recovery (http://go.microsoft.com/fwlink/?LinkID=117940)
• Best Practices for AD DS Backup and Recovery
• General Requirements for Backing Up and Recovering AD DS
• Scenario Overviews for Backing Up and Recovering AD DS

Task requirements
Before you back up a domain controller, see Performing an Unscheduled Backup of a Domain Controller.
The following tools, media, and credentials are required to perform the procedures for this task:
• Windows Server Backup:
  • Windows Server Backup snap-in (Wbadmin.msc)
  • Windows Server Backup command-line tool (Wbadmin.exe)
• Backup media, as follows:
  • Internal or external hard disk drive
  • Shared network folder
  • Writable DVD
• Builtin Administrator credentials to schedule backups, or Backup Operator credentials to perform unscheduled backups
To complete this task, you can perform the procedures in the following topics, depending on your backup needs:
• Perform a Backup of Critical Volumes of a Domain Controller by Using the GUI (Windows Server Backup)
• Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin)
• Perform a Full Server Backup of a Domain Controller by Using the GUI (Windows Server Backup)
• Perform a Full Server Backup of a Domain Controller by Using the Command Line (Wbadmin)
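The backup latency monitoring described under "Backup latency interval", as an added Windows PowerShell example that is not part of the Operations Guide. It reads Backup Latency Threshold (days) from the NTDS\Parameters key the text names (falling back to half the tombstone lifetime when the entry is absent), sets a stricter value, and lists recent Event ID 2089 warnings from the Directory Service log. It assumes the ActiveDirectory module and an elevated session on a domain controller; the function names are hypothetical.

```powershell
# Added example (not from the Operations Guide): read, set and monitor the
# AD DS backup latency threshold. Assumes ActiveDirectory module, elevated
# session on a domain controller.

$NtdsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName = 'Backup Latency Threshold (days)'

function Get-BackupLatencyThreshold {
    $entry = Get-ItemProperty -Path $NtdsKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($entry) {
        return [pscustomobject]@{ Days = [int]$entry.$ValueName; Source = 'registry' }
    }
    # No explicit entry: the default is half the forest's tombstone lifetime
    # (90 days for a 180-day forest). An unset tombstoneLifetime attribute
    # means 60 days, so the default threshold is then 30.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $tsl = (Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                -Properties tombstoneLifetime).tombstoneLifetime
    if ($null -eq $tsl) { $tsl = 60 }
    return [pscustomobject]@{ Days = [int]($tsl / 2); Source = 'default (half tombstone lifetime)' }
}

function Set-BackupLatencyThreshold {
    param([Parameter(Mandatory)][ValidateRange(1, 3650)][int]$Days)
    # REG_DWORD, as the guide specifies. A value matched to the backup policy
    # makes Event 2089 fire days after a missed backup instead of months after.
    New-ItemProperty -Path $NtdsKey -Name $ValueName -PropertyType DWord -Value $Days -Force | Out-Null
}

function Get-BackupLatencyWarnings {
    param([int]$DaysBack = 7)
    # Event 2089 is logged once a day per partition until that partition is backed up.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2089
        StartTime = (Get-Date).AddDays(-$DaysBack)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

# Usage: a daily-backup policy with three days of slack, then a report.
Set-BackupLatencyThreshold -Days 3
$threshold = Get-BackupLatencyThreshold
"Backup latency threshold: $($threshold.Days) days ($($threshold.Source))"
Get-BackupLatencyWarnings -DaysBack 7 | Format-Table -AutoSize
```

Point a monitoring rule at Event ID 2089 in the Directory Service log on every domain controller; with the threshold at 3 days a single missed nightly backup surfaces within the week rather than at the 90-day default.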

Known Issues for Backing Up Active Directory Domain Services
The follo%ing 0no%n issues e-ist for bac0ing up Active Director Domain Services "AD DS# in $indo%s Server 2008: • Administrator credentials are reFuired for scheduling bac0ups& A member of >ac0up 4perators cannot schedule bac0ups b default( and the privilege cannot be delegated& • $indo%s Server >ac0up tools are not installed automaticall & Eou must use Server Manager to install the $indo%s Server >ac0up =eatures( %hich include the $indo%s Server >ac0up snap/in "$badmin&msc# and the $badmin&e-e component of $indo%s Po%erShell command/line tools& • • $indo%s Server >ac0up does not support bac0ing up to tape media& Eou cannot bac0 up individual files and folders&

• Eou cannot perform or schedule s stem state bac0ups b using $indo%s Server >ac0up& Eou must use the $badmin&e-e command/line tool& • Eou cannot schedule %ee0l or monthl bac0ups b using $indo%s Server >ac0up& ;o%ever( ou can use Tas0 Scheduler to schedule manual bac0ups that are performed at different times of the %ee0& • A s stem state bac0up and recover includes Active Director Rintegrated Domain 9ame S stem "D9S# .ones but does not include file/based D9S .ones& To bac0 up and restore file/ based D9S .ones( ou have to bac0 up and recover the entire volume that hosts the files& • The target volume for a s stem state bac0up cannot be a source volume b default& A source volume is an volume that has a file that is included in the bac0up& Therefore( the target volume cannot be an volume that hosts the operating s stem( 9tds&dit file( 9tds log files( or SESB4+ director & To change this restriction( ou can add the AllowSS$ oAny5olume registr entr to the server& ;o%ever( there are 0no%n issues %ith storing a s stem state bac0up on a source volume: • >ac0ups can fail& The bac0up can be modified during the bac0up process( %hich might cause the bac0up to fail& • )se of target space is inefficient& T%ice the amount of space is necessar for a bac0up than for the original data& The volume must allocate t%ice the amount of space for the shado% cop process& The path for adding the ne% registr entr is as follo%s: "(+)CS2S .)CCurrentControlSetCServicesCwbengineCSystemState$ackupCAllowS S$ oAny5olume T pe: D!O4D 268

A value of 0 prevents the storing of system state backup on a source volume. A value of 1 allows the storing of system state backup on a source volume.
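An added example, not code from the guide, that applies the source-volume rule above before a system state backup is attempted: it reads the Ntds.dit, Ntds log, and SYSVOL locations from the NTDS and Netlogon service parameters (assumed to be the registry locations that hold those paths on Windows Server 2008), decides whether a proposed target drive is a source volume, reads AllowSSBToAnyVolume, and only then runs wbadmin.

```powershell
# Added example (not part of the operations guide). Preflight check for
# "target volume must not be a source volume" before wbadmin start systemstatebackup.
# Assumptions: run elevated on the domain controller; Ntds.dit and log paths are read
# from HKLM\...\Services\NTDS\Parameters and SYSVOL from HKLM\...\Services\Netlogon\Parameters.

function Get-SystemStateSourceVolumes {
    # Returns the drive letters of every volume that a system state backup reads from.
    $ntds     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $paths = @(
        $env:SystemRoot,                    # operating system volume
        $ntds.'DSA Database file',          # Ntds.dit
        $ntds.'Database log files path',    # Ntds log files
        $netlogon.SysVol                    # SYSVOL directory
    )
    $paths | Where-Object { $_ } |
        ForEach-Object { ([System.IO.Path]::GetPathRoot($_)).Substring(0, 1).ToUpper() } |
        Sort-Object -Unique
}

function Get-AllowSSBToAnyVolume {
    # Reads the override described in the known-issues list; $null means "not set".
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\wbengine\SystemStateBackup'
    if (-not (Test-Path $key)) { return $null }
    (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AllowSSBToAnyVolume
}

function Test-SystemStateBackupTarget {
    param([Parameter(Mandatory = $true)][ValidatePattern('^[A-Za-z]$')][string]$TargetDrive)

    $target   = $TargetDrive.ToUpper()
    $sources  = @(Get-SystemStateSourceVolumes)
    $override = Get-AllowSSBToAnyVolume
    $isSource = $sources -contains $target

    $result = New-Object PSObject -Property @{
        TargetDrive          = $target
        SourceVolumes        = ($sources -join ',')
        TargetIsSourceVolume = $isSource
        AllowSSBToAnyVolume  = $override
        Allowed              = (-not $isSource) -or ($override -eq 1)
    }
    if ($isSource -and $override -ne 1) {
        Write-Warning ("{0}: is a source volume; wbadmin will refuse it unless AllowSSBToAnyVolume is 1, and that override carries the backup-failure and double-space issues listed above." -f $target)
    }
    $result
}

# Usage: 'E' is a constructed example target. Run the guide's command only if the check passes.
$check = Test-SystemStateBackupTarget -TargetDrive 'E'
$check | Format-List
if ($check.Allowed) {
    & wbadmin start systemstatebackup "-backuptarget:$($check.TargetDrive):" -quiet
}
```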

Perform a Backup of Critical Volumes of a Domain Controller by Using the GUI (Windows Server Backup)
You can use this procedure to back up critical volumes for a domain controller by using Windows Server Backup. You can also back up critical volumes by using the wbadmin start backup command with the -allCritical parameter. For more information, see Wbadmin start backup (http://go.microsoft.com/fwlink/?LinkId=111535).
Note
Windows Server Backup appears on the Administrative Tools menu by default, even if the Windows Server Backup feature is not installed. If Windows Server Backup is not installed, when you open Windows Server Backup, a message appears, saying that the tool is not installed and providing the instructions for installing Windows Server Backup. For more information about installing Windows Server Backup, see Installing Windows Server Backup (http://go.microsoft.com/fwlink/?LinkID=96495).
Membership in Builtin Administrators or Backup Operators, or equivalent, is the minimum required to complete this procedure. In addition, you must have write access to the target backup location.
To perform a critical-volume backup for a domain controller
1. Click Start, point to Administrative Tools, and then click Windows Server Backup.
2. If you are prompted, in the User Account Control dialog box, provide Backup Operator credentials, and then click OK.
3. On the Action menu, click Backup once.
4. In the Backup Once Wizard, on the Backup options page, click Different options, and then click Next.
5. If you are creating the first backup of the domain controller, click Next to select Different options.
6. On the Select backup configuration page, click Custom, and then click Next.
7. On the Select backup items page, select the volumes to include in the backup. If you select the Enable system recovery check box, all critical volumes are selected. As an alternative, you can clear that check box, select the individual volumes that you want to include, and then click Next. Your selection must include the volumes that store the operating system, Ntds.dit, and SYSVOL.

Note
If you select a volume that hosts an operating system, all volumes that store system components are also selected.
8. On the Specify destination type page, click Local drives or Remote shared folder, and then click Next.
9. Choose the backup location as follows:
• If you are backing up to a local drive, on the Select backup location page, in Backup destination, select a drive, and then click Next.
• If you are backing up to a remote shared folder, do the following:
  a. Type the path to the shared folder.
  b. Under Access Control, select Do not inherit or Inherit to determine access to the backup, and then click Next.
  c. In the Provide user credentials for Backup dialog box, provide the user name and password for a user who has write access to the shared folder, and then click OK.
10. On the Specify advanced option page, select VSS copy backup, and then click Next.
11. On the Summary page, review your selections, and then click Backup.
12. After the Backup Once Wizard begins the backup, click Close at any time. The backup runs in the background and you can view backup progress at any time during the backup. The wizard closes automatically when the backup is complete.

Additional considerations
The target volume for a critical-volume backup can be a local drive, but it cannot be any of the volumes that are included in the backup.

Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin)
You can use this procedure to back up system state on a domain controller.
Membership in Builtin Administrators or Backup Operators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. In addition, you must have write access to the target backup location.
To perform a system state backup of a domain controller
1. Click Start, click Command Prompt, and then click Run as administrator.

2. If you are prompted, in the User Account Control dialog box, provide Backup Operator credentials, and then click OK.
3. At the command prompt, type the following command, and then press ENTER:
wbadmin start systemstatebackup -backuptarget:<targetDrive>: -quiet

Where <targetDrive> identifies the local volume or the letter of the physical disk drive to receive the backup. You cannot store a system state backup on a network shared drive. If you do not specify the -quiet parameter, you are prompted to press Y to proceed with the backup operation.

Additional considerations
Be aware of the following issues when you perform a system state backup:
• To use Wbadmin.exe, you must install Windows Server Backup. For more information about installing Windows Server Backup, see Installing Windows Server Backup (http://go.microsoft.com/fwlink/?LinkID=96495).
• The target volume for a system state backup can be a local drive, but it cannot be any of the volumes that are included in the backup by default. To store the system state backup on a volume that is included in the backup, you must add the AllowSSBToAnyVolume registry entry to the server that you are backing up. There are also some prerequisites for storing system state backup on a volume that is included in the backup. For more information, see Known Issues for AD DS Backup and Recovery (http://go.microsoft.com/fwlink/?LinkID=117940).

Perform a Full Server Backup of a Domain Controller by Using the GUI (Windows Server Backup)
A full server backup captures all volumes on all locally attached disks. Windows Server Backup treats Universal Serial Bus (USB) drives and Internet SCSI (iSCSI) devices as locally attached volumes. If the backup destination is a locally attached drive, it is excluded from the backup set. You can use this procedure to back up all the volumes on a domain controller by using the Windows Server Backup snap-in.
Note
Windows Server Backup appears on the Administrative Tools menu by default, even if the Windows Server Backup feature is not installed. If Windows Server Backup is not installed, when you open Windows Server Backup, a message appears, saying that the tool is not installed and providing the instructions for installing Windows Server Backup.


For more information about installing Windows Server Backup, see Installing Windows Server Backup (http://go.microsoft.com/fwlink/?LinkID=96495).
Membership in Builtin Administrators or Backup Operators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. In addition, you must have write access to the target backup location.
To perform an unscheduled full server backup of all volumes by using the graphical user interface (GUI)
1. Click Start, point to Administrative Tools, and then click Windows Server Backup.
2. If you are prompted, in the User Account Control dialog box, provide Backup Operator credentials, and then click OK.
3. On the Action menu, click Backup once.
4. In the Backup Once Wizard, on the Backup options page, click Different options, as shown in the following figure, and then click Next.

5. If you are creating the first backup of the domain controller, click Next to select Different options.

6. On the Select backup configuration page, click Full server, as shown in the following figure, and then click Next.

7. On the Specify destination type page, click Local drives or Remote shared folder, and then click Next.
8. Choose the backup location as follows:
• If you are backing up to a local drive, on the Select backup location page, in Backup destination, select a drive, and then click Next.
• If you are backing up to a remote shared folder, on the Specify remote folder page, provide shared folder information, as shown in the following figure:
  a. Type the path to the shared folder.
  b. Under Access Control, select Do not inherit or Inherit to determine access to the backup, and then click Next.
  c. In the Provide user credentials for Backup dialog box, provide the user name and password for a user who has write access to the shared folder, and then click OK.
9. On the Specify advanced option page, select VSS copy backup (recommended), and then click Next.
10. On the Confirmation page, review your selections, and then click Backup.
11. After the Backup Once Wizard begins the backup, click Close at any time. The backup runs in the background and you can view backup progress at any time during the backup. The wizard closes automatically when the backup is complete.

Additional considerations
The target volume for an unscheduled backup can be a local drive, but it cannot be any of the volumes that are included in the backup.

Perform a Full Server Backup of a Domain Controller by Using the Command Line (Wbadmin)
A full server backup captures all volumes on all locally attached disks. Windows Server Backup treats Universal Serial Bus (USB) drives and Internet SCSI (iSCSI) devices as locally attached volumes. If the backup target is a locally attached drive, it is excluded from the backup set. You can use this procedure to back up all volumes with the Wbadmin.exe command-line tool.
Membership in Builtin Administrators or Backup Operators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. In addition, you must have write access to the target backup location.
To perform an unscheduled backup of all volumes by using the command line
1. Click Start, click Command Prompt, and then click Run as administrator.
2. If you are prompted, in the User Account Control dialog box, provide Backup Operator credentials, and then click OK.
3. At the command prompt, type the following command, and then press ENTER:
wbadmin start backup -include:<sourceDrive1>:,<sourceDrive2>:,...<sourceDriveN>: -backuptarget:<targetDrive>: -quiet

Where:
• <sourceDriveN> identifies the volume or volumes to be backed up, separated by commas and no spaces.
• <targetDrive> identifies the local volume or the letter of the network shared drive or physical disk drive to receive the backup.
If you do not specify the -quiet parameter, you are prompted to press Y to proceed with the backup operation.

Additional considerations
Be aware of the following issues when you perform unscheduled backups:
• To use Wbadmin.exe, you must install Windows Server Backup. For more information about installing Windows Server Backup, see Installing Windows Server Backup (http://go.microsoft.com/fwlink/?LinkID=96495).
• The target volume for an unscheduled backup can be a local drive, but it cannot be any of the volumes that are included in the backup.
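An added example, not code from the guide, that builds the -include list for the wbadmin command above from the fixed local disks while excluding the target volume, which the guide says cannot be part of the backup set. It assumes an elevated prompt on Windows Server 2008 with Windows Server Backup installed; the target letter 'E:' is a constructed value.

```powershell
# Added example (not part of the operations guide). Assumptions: elevated PowerShell
# on Windows Server 2008 with Wbadmin.exe available; -WhatIf only prints the command.

function Get-FullBackupIncludeList {
    param([Parameter(Mandatory = $true)][string]$TargetDrive)   # e.g. 'E:'
    $target = $TargetDrive.TrimEnd('\').ToUpper()
    # DriveType 3 = local fixed disk; USB and iSCSI volumes are listed here too,
    # matching what Windows Server Backup treats as locally attached.
    $fixed = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' |
             ForEach-Object { $_.DeviceID.ToUpper() } | Sort-Object
    $include = @($fixed | Where-Object { $_ -ne $target })
    if ($include.Count -eq 0) { throw "No volumes left to back up after excluding $target" }
    # Comma-separated with no spaces, exactly the form wbadmin -include expects.
    $include -join ','
}

function Start-FullVolumeBackup {
    param([Parameter(Mandatory = $true)][string]$TargetDrive, [switch]$WhatIf)
    $include = Get-FullBackupIncludeList -TargetDrive $TargetDrive
    $wbArgs  = @('start', 'backup', "-include:$include", "-backuptarget:$TargetDrive", '-quiet')
    if ($WhatIf) { return "wbadmin $($wbArgs -join ' ')" }
    & wbadmin @wbArgs
    if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }
    # Confirm the new version is catalogued on the target before trusting it.
    & wbadmin get versions "-backuptarget:$TargetDrive" | Select-String 'Version identifier'
}

# Usage: show the command that would run for a constructed target; drop -WhatIf to run it.
Start-FullVolumeBackup -TargetDrive 'E:' -WhatIf
```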


Recovering Active Directory Domain Services
You can use the information in this section to recover Active Directory Domain Services (AD DS) when directory services are disrupted as a result of problems with hardware, software, the network environment, or human error. To guard against damage from these types of disruptions, make sure that you are always prepared to restore AD DS with a timely backup of the volumes and servers that are critical to successful operation of your forest.
When recovery of AD DS by restoration from a backup is necessary, the most common cause is either administrative error or hardware failure. The best defense against these problems is prevention. Be sure to take steps to protect Active Directory data from accidental deletion. You can also manage hardware replacement in a timely fashion, before it leads to failure and loss of Active Directory data.

Causes of disruptions
Disruptions to directory services can be caused by many conditions on a domain controller, in a domain or forest, and with service clients and applications that use AD DS. The following are some of the conditions that can disrupt directory services:
• Reordering or changes to drive letters that cause the operating system, the directory service file, and logs to be unavailable in their expected locations
• Excessive permissions on objects in AD DS, the file system, or the registry, or explicitly defined and assigned in Group Policy
• Disk failure, which prevents access to or causes damage to the following sets of files: operating system, directory service and log, SYSVOL, and registry or other critical system files
• Inability to restart AD DS in normal mode, for example, after an unscheduled power outage or software update
• Antivirus utilities and other utilities, such as disk optimization utilities, which prevent unfettered access to the directory service file and logs
• Inability of a domain controller to respond to Lightweight Directory Access Protocol (LDAP) requests, logon requests, or replication requests
• Inability to boot from AD DS, for example, after an unscheduled power outage or software update
• Physical site disaster, such as natural disasters or virus attacks or other security attacks
• Accidental deletions in AD DS, the file system, or the registry
• Rollback to a known good point in time
• Corruption that is localized to a domain controller
• Corruption that has replicated (the worst-case scenario)


Keys to protecting against disruptions
The keys to protecting your network from disruptions are preparation and prevention. To make sure that you are always able to recover from disruption, prepare by scheduling backups as follows:
• Back up the volumes that are required to recover AD DS and the entire domain controller.
• Back up all critical domain controllers, as described in Backing Up Active Directory Domain Services.
• Back up on a daily schedule and when significant changes are made to the registry or the directory.
Before you introduce configuration changes on domain controllers in production, test your configuration changes in a lab or on a test computer that mirrors the production environment in the same way that you test hardware configuration, service pack and software update revisions, performance load, and so on. Some configuration changes have immediate implications; some are apparent when a single event or operation occurs (such as a reboot or service startup); and some have chained implications (for example, if X and Y both occur, then Z occurs). Other changes have time-based or threshold-based implications. Be sure that you are aware of all the effects of a configuration change before you implement it in production. For more information about backup recommendations, see Backing Up Active Directory Domain Services.
The most common causes of directory service disruption requiring recovery are administrative error and hardware failure. The best defense against these problems is prevention. You can prevent disruptions by taking steps to protect against easily avoidable problems:
• Use the Protect object from accidental deletion option in Windows Server 2008 to prevent inadvertent deletions of critical data. For more information, see "Preventing unwanted deletions" in this topic.
• Monitor all critical services.
• Manage hardware replacement in a timely fashion.

When you consider recovery options, the objective is to use the fastest method that results in the least intrusive and most complete recovery. Options for recovery can range from repair of individual elements to restoration of a single domain controller. In the worst-case scenario, the only option might be to recover all domain controllers in a domain or forest.

Preventing unwanted deletions
Most large-scale deletions are accidental. In many cases, you may have to perform a recovery operation to recover objects that have been deleted from AD DS. In Windows Server 2008, the Active Directory Users and Computers snap-in provides the Protect object from accidental deletion option. When enabled, Protect object from accidental deletion implements the Deny delete subtree permission. This option is available in Active Directory Users and Computers on the domain controller and when viewed through Remote Server Administration Tools (RSAT) on computers running Windows Server 2008 and Windows Vista. When you enable Advanced Features on the View menu, the Protect object from accidental deletion option is available on the Object tab. You can open the Properties page for each container in the domain and enable this option.
Note
CN=Users,DC=DomainName and CN=Computers,DC=DomainName are protected from deletion by system flags on the objects. Use this option to protect all other containers up to the domain level. Good candidates for protection are containers that store Group Policy objects (GPOs) and Active Directory–integrated Domain Name System (DNS) zones.
When you enable the Protect object from accidental deletion option, neither the container nor any child object can be deleted by any administrator or other user. An administrator with the right to log on locally to a domain controller and the right to open Active Directory Users and Computers can enable or disable the setting.
Pay particular attention to protecting organizational units (OUs) that might have been created in an earlier version of Windows. When you create an OU by using Active Directory Users and Computers in Windows Server 2008, the Protect container from accidental deletion check box is selected by default. On domain controllers that are running earlier versions of Windows, you must apply the Deny access control entries (ACEs) permission on the Security tab of the properties page of the containers to implement protection from accidental deletion. For information about how to apply these access control entries (ACEs) manually, see Guarding Against Accidental Bulk Deletions in Active Directory (http://go.microsoft.com/fwlink/?LinkId=116365).
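An added example, not code from the guide, that audits which OUs and containers lack the Deny delete-subtree ACE for Everyone that the Protect object from accidental deletion option sets, so that containers created on earlier Windows versions can be found and protected. It assumes a domain-joined Windows Server 2008 computer and a caller who can read object security; the domain is discovered from RootDSE, and the function name is hypothetical.

```powershell
# Added example (not part of the operations guide). Lists containers that do not carry
# the Deny DeleteTree ACE for Everyone (S-1-1-0) that ADUC writes when the protection
# option is enabled. Assumptions: .NET System.DirectoryServices is available (it is on
# Windows Server 2008); CN=Users and CN=Computers are skipped because system flags protect them.

function Get-UnprotectedContainers {
    param([string]$SearchBase = ([ADSI]'LDAP://RootDSE').defaultNamingContext)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter   = '(|(objectClass=organizationalUnit)(objectClass=container))'
    $searcher.PageSize = 500
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null

    $deleteTree = [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree

    foreach ($r in $searcher.FindAll()) {
        $dn = [string]$r.Properties['distinguishedname'][0]
        if ($dn -match '^CN=(Users|Computers),DC=') { continue }

        $entry = $r.GetDirectoryEntry()
        # Explicit ACEs only: the protection ACE is written directly on the object.
        $rules = $entry.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
        $protected = $false
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -eq 'Deny' -and
                $ace.IdentityReference.Value -eq 'S-1-1-0' -and
                (($ace.ActiveDirectoryRights -band $deleteTree) -ne 0)) {
                $protected = $true
                break
            }
        }
        if (-not $protected) { $dn }
    }
}

# Usage: every DN reported here is a candidate for the Object tab option or the manual ACEs.
Get-UnprotectedContainers | Sort-Object
```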

Recovery solutions
When you are faced with unacceptable directory service conditions that cannot be resolved reliably by manual updates, your recovery solutions depend on data issues, hardware issues, time constraints, and the backups that are available.

Solutions for configuration errors: nonauthoritative restore
To undo errors in configuration so that AD DS returns to a previous healthy state and is then brought up to date through replication, perform a nonauthoritative restore from backup. This process overwrites the current version of AD DS with the version in the backup. After replication, the directory is current with the rest of the domain. You can restore AD DS by using a system state backup, a critical-volumes backup, or a full server backup. If a system state backup is available, use the system state backup to recover from registry or directory service configuration errors. You can use a critical-volumes backup as well, but it contains more than Active Directory data and it is not required for restoring AD DS only. Use full-server recovery for more serious problems, as described in "Solutions for hardware failure or file corruption" later in this topic.


Note
Nonauthoritative restore from backup requires that the domain controller is running in Directory Services Restore Mode (DSRM). You cannot perform this procedure by stopping AD DS.

Solutions for data loss: authoritative restore
Accidental deletions can occur in any writable directory partition. Such deletions are most common in the domain directory partition, but they can also occur in the configuration directory partition. Objects in the schema directory partition are protected against deletion. The method for recovering deleted objects is authoritative restore. If you have data loss and you can identify the source and quantity of the loss, you can recover the lost data by performing an authoritative restore. If you lose domain data, you must perform recovery by restoring a domain controller that hosts a writable copy of the domain directory partition where the data loss occurred. If objects are deleted from the configuration directory partition, you can recover these objects by restoring any domain controller in the forest. There are special considerations if the deleted objects have a forward link-back link relationship with each other. This relationship exists for security groups and distribution groups.
Restoring group memberships
Security principals are objects that can have group memberships. Recovering deleted security principals requires not only restoring the object itself but also restoring the group memberships of each restored security principal. You use files that are generated by Ntdsutil during authoritative restore to recover group memberships. Group membership is defined by linked attributes on the group object and on the group member object: the member attribute of the group object is a forward link attribute that links to the memberOf attribute (the back link) of the group member, which can be a user, a computer, or another group.
If you perform the restore on a domain controller that is not a global catalog server, only group memberships for groups that are stored in the domain are restored. If you perform the restore on a global catalog server, group memberships in universal groups that are stored in other domains in the forest are also restored. However, restoring memberships in domain local groups that are stored in other domains requires additional steps that involve using the files that Ntdsutil generates during authoritative restore.
When you authoritatively restore security principals on a domain controller that is running a version of Windows Server later than Windows Server 2003 (that is, Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 Service Pack 2 (SP2), Windows Server 2003 R2, or Windows Server 2008), the Ntdsutil command-line tool recovers group memberships automatically (restores the memberOf value on the restored security principal object) for all groups that were created or updated at a forest functional level of at least either Windows Server 2003 or Windows Server 2003 interim. However, replication order can undo the restored memberships in the recovery domain. For this reason, it is best to perform the additional steps to recover group memberships in the recovery domain as well. For more information about restoring group memberships, see Performing Authoritative Restore of Active Directory Objects.
Methods of authoritative restore

Depending on replication conditions in the domain of the deletions, you can use the following methods to perform an authoritative restore:
• Nonauthoritative restore from backup, followed by authoritative restore: Unless you can isolate a domain controller that has not received the deletions, authoritative restore must be preceded by a nonauthoritative restore from backup to restore the directory to a former state that contained the deleted objects. With the deleted objects restored, you can mark them as authoritative so that replication does not overwrite them with the delete condition that still exists on the other domain controllers in the domain.
• Authoritative restore only: If you identify the data loss quickly and you can isolate a global catalog server in the domain where the deletion occurred that has not received replication of the deletions, you can mark the objects as authoritative on the global catalog server and avoid performing an initial restore from a backup (nonauthoritative restore). This option depends on your ability to stop inbound replication on the global catalog server before replication of the deletions is received. Global catalog servers often have longer replication latency than other domain controllers. Global catalog servers are preferred as recovery domain controllers because they store more group information. However, any latent domain controller in the domain of the deletions that has not received replication of the deletions can serve as the recovery domain controller if you want to avoid restoring from backup. For more information about performing authoritative restore without restoring from backup, see Performing Authoritative Restore of Active Directory Objects.

Recovery options with no available backup
If you have data loss but you do not have a backup, you must recreate the deleted objects. As an alternative, where data loss is minimal, you might be able to recover lost data by using the undelete capability that recovers objects by reanimating the object tombstone (the retained record of the object deletion). The Windows Server 2003 and Windows Server 2008 directory database supports an LDAP application programming interface (API) that reanimates the tombstone of a single object (that is, it "undeletes" the object). This API is available for developing applications to restore the attributes that are preserved on tombstones, which include the object security identifier (SID), globally unique identifier (GUID), and security descriptor, as well as any indexed attributes. On domain controllers that are running Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2003 R2, or Windows Server 2008, the sIDHistory attribute is also retained. All other attributes must be recreated. In the case of a deleted user object, you must repopulate attributes to re-establish group memberships, profile path, home directory, and contact information. You must also reset passwords and communicate the password to the users so they can log on to the domain. For information about reanimating tombstones, see Reanimating Active Directory Tombstone Objects (http://go.microsoft.com/fwlink/?LinkId=116204).

Solutions for hardware failure or file corruption
If you have hardware issues that require the replacement of the hard drive on a domain controller, you must either recover the full server to the new hardware or reinstall the operating system. If you have widespread corruption in the file system, your best solution is also full server recovery or reinstallation. To decide whether or not to perform a full server recovery, consider the following conditions:
• A full server recovery reformats and repartitions all disks that are attached to the server.
• A full server recovery might be more time consuming than reinstalling the operating system.
• Reinstallation requires a cleanup of server metadata on the failed domain controller.
• Reinstallation results in data loss. All servers have roles and features installed. Each role has configuration state in AD DS, the file system, and the registry, and a role frequently has its own data store. For example, the server might be configured for DNS, Dynamic Host Configuration Protocol (DHCP), Windows Internet Name Service (WINS), administration tools, and registry settings for maximum transmission unit (MTU), maxPacketSize, and security. If you have to reinstall, you must either export and import all these settings or recreate them. This method is certain to be time consuming and error prone.
Reinstalling and restoring criteria
In general, use the following criteria to decide whether to reinstall or restore a domain controller from backup:
• Reinstall the operating system under the following conditions:
  • You do not have an available backup.
  • You must have the domain controller back online as soon as possible and reinstallation is faster than restoring.
  • You have exhausted all known avenues of troubleshooting a fault or error condition, and continued troubleshooting is not likely to succeed or will result in diminishing returns with more time spent.
• Perform a full server restore of the domain controller under the following conditions:
  • Reinstalling will result in an unacceptable loss of data.
  • You want to recover from localized or replicated corruption.

  • The domain controller is running other server services, such as Exchange, or it contains other data that you must restore from a backup.
Restoring AD DS after reinstalling the operating system
If you reinstall the operating system, you can restore AD DS in one of the following ways:
• Use Dcpromo to reinstall AD DS and allow replication from another, healthy domain controller in the domain to update the domain controller.
• Restore AD DS from backup (nonauthoritative restore). Then, allow replication from another, healthy domain controller in the domain to update the domain controller. This method requires less replication than reinstalling AD DS.
• Install AD DS from installation media. This method, called install from media (IFM), requires that you have created installation media that can be used to install AD DS. You use Ntdsutil to create the media on a healthy domain controller in the domain. In this case, recovery is faster because Active Directory replication is not required. For more information about installing from media, see Installing an Additional Domain Controller by Using IFM.

Recovery tasks
This section includes the following tasks for recovering AD DS:
Performing Nonauthoritative Restore of Active Directory Domain Services
Performing Authoritative Restore of Active Directory Objects
Performing Authoritative Restore of an Application Directory Partition
Performing a Full Server Recovery of a Domain Controller
Restoring a Domain Controller Through Reinstallation and Subsequent Restore from Backup
Restoring a Domain Controller Through Reinstallation

Performing Nonauthoritative Restore of Active Directory Domain Services
A nonauthoritative restore is the method for restoring Active Directory Domain Services (AD DS) from a system state, critical-volumes, or full server backup. A nonauthoritative restore returns the domain controller to its state at the time of backup and then allows normal replication to overwrite that state with any changes that occurred after the backup was taken. After you restore AD DS from backup, the domain controller queries its replication partners. Replication partners use the standard replication protocols to update AD DS and associated information, including the SYSVOL shared folder, on the restored domain controller.
You can use a nonauthoritative restore to restore the directory service on a domain controller without reintroducing or changing objects that have been modified since the backup. The most common use of a nonauthoritative restore is to reinstate a domain controller, often after catastrophic or debilitating hardware failures. In the case of data corruption, do not use nonauthoritative restore unless you have confirmed that the problem is with AD DS.
Note
If your objective is to recover objects that were deleted since the last backup, first perform a nonauthoritative restore from backup to reinstate the deleted objects and then perform an authoritative restore to mark the deleted objects as authoritative so that they are not overwritten during replication. When you are performing both a nonauthoritative restore and an authoritative restore, do not allow the domain controller to restart after the nonauthoritative restore. For information about performing authoritative restore, see Performing Authoritative Restore of Active Directory Objects.


Nonauthoritative Restore Requirements
You can perform a nonauthoritative restore from backup on a Windows Server 2008 system that is a stand-alone server, member server, or domain controller. On domain controllers that are running Windows Server 2008, you can stop and restart AD DS as a service. Therefore, in Windows Server 2008, performing offline defragmentation and other database management tasks does not require restarting the domain controller in Directory Services Restore Mode (DSRM). However, you cannot perform a nonauthoritative restore after simply stopping the AD DS service in regular startup mode. You must be able to start the domain controller in DSRM. If the domain controller cannot be started in DSRM, you must first reinstall the operating system. If you need to reinstall the operating system and then restore AD DS, see Restoring a Domain Controller Through Reinstallation and Subsequent Restore from Backup or Restoring a Domain Controller Through Reinstallation.
To perform a nonauthoritative restore, you need one of the following types of backup for your backup source:
• System state backup: Use this type of backup to restore AD DS. If you have reinstalled the operating system, you must use a critical-volumes or full server backup. If you are restoring a system state backup, use the wbadmin start systemstaterecovery command.
• Critical-volumes backup: A critical-volumes backup includes all data on all volumes that contain operating system and registry files, boot files, SYSVOL files, or Active Directory files. Use this type of backup if you want to restore more than the system state. To restore a critical-volumes backup, use the wbadmin start recovery command.
• Full server backup: Use this type of backup only if you cannot start the server or you do not have a system state or critical-volumes backup. A full server backup is generally larger than a critical-volumes backup. Restoring a full server backup not only rolls back data in AD DS to the time of backup, but it also rolls back all data in all other volumes. Rolling back this additional data is not necessary to achieve nonauthoritative restore of AD DS. For information about performing a full server backup for disaster recovery, see Performing a Full Server Recovery of a Domain Controller on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=116206).

SYSVOL restore
SYSVOL is restored nonauthoritatively by default during a restore of AD DS, and restoring it requires no additional procedures. If you deleted file system policy and have a backup of the policy that you created by using Group Policy Management Console, you can recover the policy by using that tool. For information about managing Group Policy, see Group Policy Management Console (http://go.microsoft.com/fwlink/?LinkId=101634). If you deleted the Default Domain Policy or the Default Domain Controllers Policy, you can use Dcgpofix.exe to rebuild the policy. For information about using Dcgpofix.exe, see Dcgpofix.exe on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=109291).
When you use System Recovery Options in Windows Server Backup to restore a Windows Server 2008 domain controller in an environment that has Distributed File System (DFS) Replication implemented, the SYSVOL restore is performed nonauthoritatively by default. To perform an authoritative restore of SYSVOL, include the -authsysvol switch in your recovery command, as shown in the following example:
wbadmin start systemstaterecovery <otheroptions> -authsysvol
Because an authoritative SYSVOL restore causes this domain controller's copy of SYSVOL to replace the copy on every other domain controller in the domain, use the switch only when the SYSVOL content itself must be rolled back, not merely because AD DS is being restored.
If you use File Replication Service (FRS), the restore operation sets the BurFlags registry entries for FRS, which affects all replica sets that are replicated by FRS.
Task requirements
The following tools are required to perform the procedures for this task:
• Remote Desktop Connection (optional)
• Wbadmin.exe
• Bcdedit.exe

To complete this tas0( perform the follo%ing procedures: 6& *estart the domain controller in DS*M b using one of the follo%ing methods: *estart the Domain Controller in Director Services *estore Mode +ocall 4r *estart the Domain Controller in Director Services *estore Mode *emotel 2& *estore AD DS from >ac0up "9onauthoritative *estore# 7& Berif AD DS restore

Additional references
• Performing Authoritative Restore of Active Directory Objects
• Enable Remote Desktop
• Create a Remote Desktop Connection

Restart the Domain Controller in Directory Services Restore Mode Locally
If you have physical access to a domain controller, you can restart the domain controller in Directory Services Restore Mode (DSRM) locally. Restarting in DSRM takes the domain controller offline. In this mode, the server functions as a member server, not as a domain controller. During installation of Active Directory Domain Services (AD DS), you set the Administrator password for logging on to the server in DSRM. When you start Windows Server 2008 in DSRM, you must log on by using this DSRM password for the local Administrator account.
Note
By default, you must start a domain controller in DSRM to log on by using the DSRM Administrator account. However, on domain controllers that are running Windows Server 2008, you can change this behavior by modifying the DSRMAdminLogonBehavior registry entry. By changing the value of this entry, you can configure a domain controller so that you can log on to it with the DSRM Administrator account if the domain controller was started normally but the AD DS service is stopped for some reason. For more information about changing this registry entry, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=88649).
You can restart a domain controller in DSRM manually by pressing the F8 key during domain controller startup, which requires watching the startup and waiting for the appropriate point to press the key. This method is tedious and can waste time if you miss the brief window of opportunity for selecting the startup mode. On domain controllers that are running Windows Server 2008, tools are available that replace the Boot.ini file that is used in earlier versions of Windows Server to modify the boot configuration parameters and controls. You can use the Windows graphical user interface (GUI) or the command line to restart the domain controller in DSRM:
• Windows GUI: System Configuration (Msconfig.exe) is an administrative tool that you can use to configure boot and startup options, including restarting in DSRM and in normal mode.
• Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot configuration on a server that is running Windows Server 2008. You can use Bcdedit together with shutdown commands to instruct the domain controller to restart in DSRM and to restart normally.
When you are finished managing a domain controller in DSRM, if you used System Configuration or Bcdedit.exe to restart the domain controller in DSRM, you must change the configuration back so that the domain controller restarts in normal mode.
Note
A benefit of using System Configuration or Bcdedit.exe to restart a domain controller in DSRM is that the domain controller cannot inadvertently be restarted into normal mode: it keeps starting in DSRM until you change the boot configuration back. This benefit is particularly useful when you are performing a nonauthoritative restore from backup followed by an authoritative restore, because an unplanned normal restart in between would let replication overwrite the restored data. You can also use System Configuration or Bcdedit.exe to restart a domain controller in DSRM remotely. To use System Configuration or Bcdedit.exe and Remote Desktop Connection to restart a domain controller in DSRM remotely, see Restart the Domain Controller in Directory Services Restore Mode Remotely.
Membership in the Domain Admins group is the minimum required to complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM are required to log on to the domain controller in DSRM. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).

Restarting the domain controller in DSRM locally
You can use either of the following methods to restart the domain controller in DSRM.
To restart a domain controller in DSRM locally by using the Windows GUI
1. On the Start menu, point to Administrative Tools, and then click System Configuration.
2. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK.
3. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM.
4. Perform procedures in DSRM.
5. When you have finished performing procedures in DSRM, restart the domain controller normally:
   a. On the Start menu, point to Administrative Tools, and then click System Configuration.
   b. On the General tab, in Startup selection, click Normal startup, and then click OK. The domain controller restarts normally.
To restart a domain controller in DSRM locally by using the command line
1. Click Start, click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, and then click OK.
2. At the command prompt, type the following command, and then press ENTER:
bcdedit /set safeboot dsrepair
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
4. When you are still in DSRM and you are ready to restart in normal mode, open a command prompt, type the following command, and then press ENTER:
bcdedit /deletevalue safeboot
5. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
Value                            Description
bcdedit /set safeboot dsrepair   Configures the boot process to start in DSRM.
shutdown -t 0 -r                 Shuts down the server and restarts it.
bcdedit /deletevalue safeboot    Returns the boot process to the previous setting.

See Also
Restart the Domain Controller in Directory Services Restore Mode Remotely

Restart the Domain Controller in Directory Services Restore Mode Remotely
If you have remote access to a domain controller, you can restart the domain controller in Directory Services Restore Mode (DSRM) remotely. Remote access requires the user right to log on locally to a domain controller. Restarting in DSRM takes the domain controller offline. In this mode, the server functions as a member server, not as a domain controller. During installation of Active Directory Domain Services (AD DS), you set the Administrator password for logging on to the server in DSRM. When you start Windows Server 2008 in DSRM, you must log on by using this DSRM password for the local Administrator account.
Note
By default, you must start a domain controller in DSRM to log on by using the DSRM Administrator account. However, on domain controllers that are running Windows Server 2008, you can change this behavior by modifying the DSRMAdminLogonBehavior registry entry. By changing the value of this entry, you can configure a domain controller so that you can log on to it with the DSRM Administrator account if the domain controller was started normally but the AD DS service is stopped for some reason. For more information about changing this registry entry, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=88649).
On domain controllers that are running Windows Server 2008, tools are available that replace the Boot.ini file that is used in earlier versions of Windows Server to modify the boot configuration parameters and controls. You can use the Windows graphical user interface (GUI) or the command line to restart the domain controller in DSRM:
• Windows GUI: System Configuration (Msconfig.exe) is an administrative tool that you can use to configure boot and startup options, including restarting in DSRM and in normal mode.
• Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot configuration on a server that is running Windows Server 2008. You can use Bcdedit together with shutdown commands to instruct the domain controller to restart in DSRM and to restart normally.
To restart the domain controller in DSRM remotely, you first use Remote Desktop Connection to connect to the domain controller while it is in normal startup mode. Remote Desktop Connection must be enabled on the target domain controller. After the domain controller has restarted, you can use Remote Desktop Connection to reconnect to the domain controller and then log on as the local Administrator, using the DSRM password. You can use this procedure to connect to a domain controller remotely, restart it in DSRM, and then reconnect to it as the DSRM administrator.
Membership in Domain Admins, or equivalent, is the minimum required to complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM and the user right to log on locally to a domain controller are required to log on to the domain controller in DSRM. Members of Account Operators, Administrators, Enterprise Admins, Domain Admins, Backup Operators, Print Operators, and Server Operators have the user right to log on locally to a domain controller by default. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. Using a domain administrative account to log on to an RODC can compromise the server, because the RODC caches the credentials of accounts that log on to it. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).
To restart a domain controller in DSRM remotely by using the Windows GUI
1. Connect to the remote domain controller that is running in normal mode:
   a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection.
   b. In Computer, type the name of the domain controller that you want to restart, and then click Connect.
   c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK.
   d. When you are connected, log on to the domain controller as a domain administrator.
2. On the Start menu, point to Administrative Tools, and then click System Configuration.
3. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK.
4. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped.
5. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection.
6. The domain controller name should still be showing in Computer. If it is not, select it from the list, and then click Connect.
7. In the Windows Security dialog box, click Use another account.
8. In User name, type the following: MachineName\Administrator
   Where MachineName is the name of the domain controller.
9. In Password, type the DSRM password, and then click OK.
10. At the logon screen of the remote domain controller, click Switch User, and then click Other User.
11. Type MachineName\Administrator, and then press ENTER.
12. Perform procedures in DSRM.
13. When you have finished performing procedures in DSRM, restart the domain controller normally:
   a. On the Start menu, point to Administrative Tools, and then click System Configuration.
   b. On the General tab, in Startup selection, click Normal startup, and then click OK. The domain controller restarts normally. This procedure disconnects your remote session.
To restart a domain controller in DSRM remotely by using the command line
1. Connect to the remote domain controller that is running in normal mode:
   a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection.
   b. In Computer, type the name of the domain controller that you want to restart, and then click Connect.
   c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK.
   d. When you are connected, log on to the domain controller as a domain administrator.
2. Open a command prompt. At the command prompt, type the following command, and then press ENTER:
bcdedit /set safeboot dsrepair
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
   The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped.
4. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection.
5. The domain controller name should still be showing in Computer. If it is not, select it in the list, and then click Connect.
6. In the Windows Security dialog box, click Use another account.
7. In User name, type the following: MachineName\Administrator
   Where MachineName is the name of the domain controller.
8. In Password, type the DSRM password, and then click OK.
9. At the logon screen of the remote domain controller, click Switch User, and then click Other User.
10. Type MachineName\Administrator, and then press ENTER.
11. Perform procedures in DSRM.
12. When you have finished performing procedures in DSRM, restart the domain controller normally:
   a. In DSRM, open a command prompt, type the following command, and then press ENTER:
bcdedit /deletevalue safeboot
   b. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
   The domain controller restarts normally. This procedure disconnects your remote session.
Value                            Description
bcdedit /set safeboot dsrepair   Configures the boot process to start in DSRM.
shutdown -t 0 -r                 Shuts down the server and restarts it.
bcdedit /deletevalue safeboot    Returns the boot process to the previous setting.
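The following PowerShell wrapper is an added example; it is not part of the original guide. It packages the Bcdedit and shutdown steps used by both the local and the remote procedures so that the boot entry is read back before the domain controller is restarted. The point it adds over the bare commands is the check in the second function: if the safeboot element is still present, the restart is refused, because the domain controller would otherwise come straight back up in DSRM. It assumes an elevated PowerShell session on the domain controller itself (locally, or inside the Remote Desktop session described above); the function names are this example's own.

```powershell
# Added example, not part of the original guide: wrap "bcdedit /set safeboot dsrepair",
# "bcdedit /deletevalue safeboot" and "shutdown -t 0 -r" with a read-back of the
# current boot entry. Assumption: run elevated on the domain controller.

function Get-SafebootSetting {
    # Returns the value of the safeboot element of the current boot entry
    # (for example 'DsRepair'), or $null when the entry has no safeboot element.
    $lines = & bcdedit.exe /enum '{current}' 2>&1
    foreach ($line in $lines) {
        if ($line -match '^\s*safeboot\s+(\S+)') { return $Matches[1] }
    }
    return $null
}

function Enter-DsrmOnNextBoot {
    # Equivalent of "bcdedit /set safeboot dsrepair" followed by "shutdown -t 0 -r".
    param([switch]$RestartNow)
    & bcdedit.exe /set safeboot dsrepair | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
    $now = Get-SafebootSetting
    if ($now -ne 'DsRepair') { throw "safeboot is '$now', expected 'DsRepair'; not restarting" }
    Write-Host "Boot entry now set to DSRM (safeboot=$now)."
    if ($RestartNow) { & shutdown.exe -t 0 -r }
}

function Exit-DsrmOnNextBoot {
    # Equivalent of "bcdedit /deletevalue safeboot" followed by "shutdown -t 0 -r".
    # Refuses to restart while safeboot is still present, which would bring the
    # domain controller straight back into DSRM instead of normal mode.
    param([switch]$RestartNow)
    if (Get-SafebootSetting) {
        & bcdedit.exe /deletevalue safeboot | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
    }
    if (Get-SafebootSetting) { throw 'safeboot element is still set; not restarting' }
    Write-Host 'Boot entry set to normal startup.'
    if ($RestartNow) { & shutdown.exe -t 0 -r }
}

# Usage on the domain controller:
#   Enter-DsrmOnNextBoot -RestartNow     # restart into DSRM
#   ... perform the DSRM work ...
#   Exit-DsrmOnNextBoot -RestartNow      # clear the flag and restart normally
```

Get-SafebootSetting can also be run on its own after the restore to confirm that the flag is gone before you hand the domain controller back to normal operation.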

See Also
Enable Remote Desktop
Create a Remote Desktop Connection
Restart the Domain Controller in Directory Services Restore Mode Locally

Restore AD DS from Backup (Nonauthoritative Restore)
A nonauthoritative restore from backup returns Active Directory Domain Services (AD DS) from its current state to the state that was captured in a backup. Use this procedure before you perform an authoritative restore procedure to recover objects that were deleted after the time of the backup. To restore AD DS from backup, use a system state or critical-volumes backup. To restore AD DS from backup, you must restart the domain controller in Directory Services Restore Mode (DSRM).
Note
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).
Be sure that you know the name and location of the version of the backup that you are restoring. Backup versions are named for the date and time of the backup. When you restore the backup, the version must be stated in the form MM/DD/YYYY-HH:MM (month/day/year-hour:minute), which identifies the backup that you want to restore. The Wbadmin.exe command-line tool does not require that you provide the target for the recovery. When you specify the backup version that you want to recover, the command recovers it to the source location of the backup version that you specify.
Note
The systemstaterecovery command in Wbadmin.exe causes a nonauthoritative restore of SYSVOL by default (only updates to SYSVOL since the time of the backup are replicated to the recovered domain controller). If you want to restore SYSVOL authoritatively (all of SYSVOL is replicated from the recovered domain controller to the other domain controllers in the domain), specify the -authsysvol option in the command.
The Administrator password for DSRM is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. The server must be running in DSRM.
To perform a nonauthoritative restore of AD DS
1. At the Windows logon screen, click Switch User, and then click Other User.
2. Type .\administrator as the user name, type the DSRM password for the server, and then press ENTER.
3. Open a Command Prompt.
4. At the command prompt, type the following command, and then press ENTER:
wbadmin get versions -backuptarget:<targetDrive>: -machine:<BackupComputerName>
   Where:
   • <targetDrive>: is the location of the backup that you want to restore.
   • <BackupComputerName> is the name of the computer whose backup you want to recover. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was made.
5. Identify the backup version that you want to restore. You must enter this backup version exactly in the next step.
6. At the command prompt, type the following command, and then press ENTER:
wbadmin start systemstaterecovery -version:<MM/DD/YYYY-HH:MM> -backuptarget:<targetDrive>: -machine:<BackupComputerName> -quiet
   Where:
   • <MM/DD/YYYY-HH:MM> is the version of the backup that you want to restore.
   • <targetDrive>: is the volume that contains the backup.
   • <BackupComputerName> is the name of the computer whose backup you want to recover. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was taken.
If you do not specify the -quiet parameter, you are prompted to press Y to proceed with the restore process and then to press Y to confirm that the replication engine for SYSVOL has not changed since you created the backup. After the recovery operation is complete, if you are not going to perform an authoritative restore of any restored objects, restart the server.
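The following script is an added example and not part of the original guide. It automates steps 4 to 6 above: it parses the version identifiers that wbadmin get versions prints, chooses the newest backup taken at or before a cut-off you supply (so that you restore to a point before the deletion rather than simply to the latest backup), and then runs the system state recovery with the exact identifier. The backup target drive, the machine name, the cut-off time and the SAFEBOOT_OPTION pre-check are this example's assumptions; the wbadmin parameters are the ones used in the procedure.

```powershell
# Added example, not part of the original guide: list wbadmin backup versions,
# pick the newest one at or before $NotAfter, and run the system state recovery.
# Assumptions: elevated prompt on a DC started in DSRM; $BackupTarget, $Machine
# and $NotAfter are placeholders. The version identifier wbadmin prints is the
# backup's UTC time, so pass $NotAfter in UTC too.
param(
    [string]  $BackupTarget = 'E:',
    [string]  $Machine      = 'DC1',
    [datetime]$NotAfter     = (Get-Date).ToUniversalTime(),
    [switch]  $AuthSysvol,
    [switch]  $WhatIf
)

function Get-WbadminVersion {
    # Parses "Version identifier: MM/DD/YYYY-HH:MM" lines from "wbadmin get versions"
    # and returns one object per version with the identifier and its parsed time.
    param([string]$BackupTarget, [string]$Machine)
    $out     = & wbadmin.exe get versions "-backuptarget:$BackupTarget" "-machine:$Machine" 2>&1
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    foreach ($line in $out) {
        if ($line -match 'Version identifier:\s*(\d{2}/\d{2}/\d{4}-\d{2}:\d{2})') {
            $id = $Matches[1]
            New-Object PSObject -Property @{
                Id   = $id
                Time = [datetime]::ParseExact($id, 'MM/dd/yyyy-HH:mm', $culture)
            }
        }
    }
}

# Wbadmin refuses to recover system state on a DC that was not started in DSRM;
# checking first gives a clearer failure. (Assumption: Windows sets the
# SAFEBOOT_OPTION environment variable to DSREPAIR when started in DSRM.)
if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
    throw "This domain controller is not running in DSRM (SAFEBOOT_OPTION='$env:SAFEBOOT_OPTION')."
}

$versions = @(Get-WbadminVersion -BackupTarget $BackupTarget -Machine $Machine | Sort-Object Time)
if ($versions.Count -eq 0) { throw "No backup versions found for $Machine on $BackupTarget" }

# Newest version at or before the cut-off (the list is sorted oldest first).
$chosen = $versions | Where-Object { $_.Time -le $NotAfter } | Select-Object -Last 1
if (-not $chosen) { throw "No backup version at or before $NotAfter; oldest is $($versions[0].Id)" }

$wbArgs = @('start', 'systemstaterecovery', "-version:$($chosen.Id)",
            "-backuptarget:$BackupTarget", "-machine:$Machine", '-quiet')
if ($AuthSysvol) { $wbArgs += '-authsysvol' }   # make this DC's SYSVOL authoritative
Write-Host "wbadmin $($wbArgs -join ' ')"
if (-not $WhatIf) {
    & wbadmin.exe @wbArgs
    if ($LASTEXITCODE -ne 0) { throw "wbadmin exited with code $LASTEXITCODE" }
}
```

Run it once with -WhatIf to see which version would be chosen and the exact command line before committing to the restore; -quiet is included because the script has already made the version decision that the interactive prompts would ask about.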

Additional references
• Restart the Domain Controller in Directory Services Restore Mode Locally
• Enable Remote Desktop
• Create a Remote Desktop Connection
• Restart the Domain Controller in Directory Services Restore Mode Remotely
• Performing Authoritative Restore of Active Directory Objects

Verify AD DS restore
After you complete a restore of Active Directory Domain Services (AD DS), you can use this procedure to verify the restore. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To verify an Active Directory restore from backup
1. After the restore operation completes, restart the computer in Start Windows Normally mode. If you used Bcdedit.exe to configure startup in Directory Services Restore Mode (DSRM), see Restart the Domain Controller in Directory Services Restore Mode Remotely or Restart the Domain Controller in Directory Services Restore Mode Locally for information about changing the configuration back to normal startup mode.
2. After you are able to log on to the system, perform the following verification steps:
   • At a command prompt, use the repadmin /showsig command to verify that the invocation ID has changed. The invocation ID is the directory database globally unique identifier (GUID), which the Directory System Agent (DSA) uses to identify the version of the database. The invocation ID changes during the Active Directory restore process to ensure the consistency of the replication process. Verify that the previous invocation ID appears in the retired signatures list.
   • At a command prompt, use the repadmin /showrepl command to verify that there are no replication errors and that all directory partitions are replicating properly with the required replication partners. You can determine the replication partners by selecting the NTDS Settings object for the restored server in Active Directory Sites and Services.
   • At a command prompt, use the net share command to verify that the NETLOGON and SYSVOL shares appear.
   • At a command prompt, use the dcdiag command to verify that all tests on the domain controller succeed.
   • Use Active Directory Users and Computers to verify that the deleted objects that you wanted to recover from the backup are restored. Note that a nonauthoritative restore alone does not bring back objects whose deletion has already replicated to other domain controllers; those objects reappear only after you mark them authoritative, as described in Performing Authoritative Restore of Active Directory Objects. If you have a Volume Shadow Copy Service (VSS) snapshot of the database, you can use the Active Directory database mounting tool (Dsamain.exe) to mount the database and view it through Active Directory Users and Computers to compare the objects. For information about the Active Directory database mounting tool, see the Step-by-Step Guide for Using the Active Directory Database Mounting Tool in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=103333).
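The following script is an added example, not part of the original guide. It runs the command-line checks of step 2 from one elevated PowerShell session on the restored domain controller after it has been started normally, and reduces each to a pass/fail line. It assumes Repadmin.exe, Dcdiag.exe and Net.exe are on the path (they are on a Windows Server 2008 domain controller) and that you recorded the invocation ID before the restore and pass it as $PreRestoreInvocationId; that parameter name and the placeholder value are this example's own.

```powershell
# Added example, not part of the original guide: post-restore checks from step 2.
# Assumption: run elevated on the restored DC in normal mode; the invocation ID
# captured with "repadmin /showsig" before the restore is passed in.
param([string]$PreRestoreInvocationId = '')

$results = @{}

# 1. repadmin /showsig: the current invocation ID must differ from the pre-restore
#    value, and the old value must now appear among the retired signatures.
$sig = (& repadmin.exe /showsig) -join "`n"
$currentId = $null
if ($sig -match 'invocationID:\s*([0-9a-fA-F-]{36})') { $currentId = $Matches[1] }
$results['InvocationIdChanged'] = [bool]($currentId -and $PreRestoreInvocationId -and ($currentId -ne $PreRestoreInvocationId))
$results['OldIdRetired'] = [bool]($PreRestoreInvocationId -and ($sig -match [regex]::Escape($PreRestoreInvocationId)) -and ($sig -match 'retired'))

# 2. repadmin /showrepl /csv: no inbound replication link may report failures.
$links  = & repadmin.exe /showrepl /csv | ConvertFrom-Csv
$failed = @($links | Where-Object { [int]$_.'Number of Failures' -gt 0 })
$results['NoReplicationFailures'] = ($failed.Count -eq 0)

# 3. net share: NETLOGON and SYSVOL must be shared. They appear only after SYSVOL
#    has finished its initial (nonauthoritative) synchronisation, so a missing
#    share right after the restart usually means "not yet" rather than "broken".
$shares = & net.exe share
$results['NetlogonShared'] = [bool]($shares -match '^\s*NETLOGON\s')
$results['SysvolShared']   = [bool]($shares -match '^\s*SYSVOL\s')

# 4. dcdiag /q prints only failing tests, so empty output means every test passed.
$dcdiag = @(& dcdiag.exe /q | Where-Object { $_.Trim() })
$results['DcdiagClean'] = ($dcdiag.Count -eq 0)

$results.GetEnumerator() | Sort-Object Name | ForEach-Object {
    $state = 'FAIL'; if ($_.Value) { $state = 'PASS' }
    '{0,-24} {1}' -f $_.Name, $state
}
if ($failed.Count -gt 0) { $failed | Format-Table 'Source DSA', 'Naming Context', 'Last Failure Status' -AutoSize }
if ($dcdiag.Count -gt 0) { $dcdiag }
```

The share checks are the ones most often reported as failures too early: rerun the script after SYSVOL replication has caught up before treating a missing NETLOGON or SYSVOL share as a failed restore.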

Performing Authoritative Restore of Active Directory Objects
An authoritative restore process returns a designated, deleted Active Directory object or container of objects to its predeletion state at the time when it was backed up. For example, you might have to perform an authoritative restore if an administrator inadvertently deletes an organizational unit (OU) that contains a large number of users. In most cases, there are two parts to the authoritative restore process: a nonauthoritative restore from backup, followed by an authoritative restore of the deleted objects. If you perform a nonauthoritative restore from backup only, the deleted OU is not restored, because the restored domain controller is updated after the restore process to the current status of its replication partners, which have deleted the OU. To recover the deleted OU, after you perform the nonauthoritative restore from backup and before allowing replication to occur, you must perform an authoritative restore procedure. During the authoritative restore procedure, you mark the OU as authoritative and let the replication process restore it to all the other domain controllers in the domain. After an authoritative restore, you also restore group memberships, if necessary.
Note
If you can isolate a domain controller in the domain that has not received replication of the deletion, the preliminary nonauthoritative restore from backup is not necessary. For more information, see Recovering deletions without restoring from backup.
You can restore objects in domain directory partitions, application directory partitions, and the configuration directory partition, as follows:
• Domain directory partitions: You must restore the objects on a domain controller in the domain.
• Application directory partitions: You must restore the objects on a domain controller that hosts the application directory partition. If you delete an entire application directory partition, you must restore the domain naming operations master to recover the application directory partition.
• Configuration directory partition: You can restore objects on any domain controller in the forest.
Note
You can also restore Group Policy objects (GPOs). For information about restoring GPOs, see "Back Up, Restore, Import, and Copy Group Policy Objects" in online Help for the Group Policy Management Console (GPMC).
When an Active Directory object is marked for authoritative restore, its version number is changed so that the number is higher than the existing version number of the deleted object, which replicates as a tombstone in the Active Directory replication system. The change in version number ensures that an object that you restore authoritatively is replicated from the restored domain controller to the other domain controllers in the forest, updating the tombstone object to the restored object. An authoritative restore is most commonly used to restore corrupt or deleted objects, often to recover unintentionally deleted user and group objects. An authoritative restore should not be used to restore an entire domain controller, nor should it be used as part of a change-control infrastructure. Proper delegation of administration and change enforcement will help optimize data consistency, integrity, and security.

Determining objects to restore
Before you perform an authoritative restore operation, determine the objects that must be restored. On domain controllers that are running Windows Server 2008, you can use Ntdsutil to take a snapshot of the directory database. A snapshot is a shadow copy, created by the Volume Shadow Copy Service (VSS), of the volumes that contain the Active Directory database and log files. You can use the Active Directory database mounting tool (Dsamain.exe) to mount these database snapshots and view the directory data in a Lightweight Directory Access Protocol (LDAP) tool such as Active Directory Users and Computers, ADSI Edit, or Ldp. The database mounting tool can improve recovery processes by providing a means to compare data as it exists in snapshots or backups that are taken at different times, so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple backups to compare the Active Directory data that they contain. When inadvertent deletions or modifications occur, you can use a snapshot to compare the data in the current directory against the data in the snapshot. If you take regular snapshots, you can sometimes avoid having to restore AD DS if you can identify the differences in the data and return the affected objects to their correct state. When a recovery operation is required, you can use a database snapshot to assess the differences and determine the objects that you want to authoritatively restore. For information about using VSS shadow copies and the Active Directory database mounting tool, see the Step-by-Step Guide for Using the Active Directory Database Mounting Tool in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=103333).
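The following script is an added example and not part of the original guide. It performs the comparison that the paragraph above describes: once a snapshot has been mounted with Dsamain.exe, it reads the same subtree from the mounted snapshot and from the live directory and lists objects that existed at snapshot time but are gone now (the candidates for authoritative restore), plus objects that were moved or renamed. Objects are matched by objectGUID rather than by name, so a deleted and recreated object with the same name is correctly reported as deleted. The server name, the LDAP port 51389 for the mounted snapshot and the search base are placeholders of this example; only System.DirectoryServices from the .NET Framework is used.

```powershell
# Added example, not part of the original guide: compare a Dsamain-mounted snapshot
# with the live directory to find objects that have disappeared since the snapshot.
# Assumptions (placeholders): snapshot exposed on LDAP port $SnapPort of $Server,
# live directory on port 389, both searched under $SearchBase. If the whole OU
# you care about was deleted, point $SearchBase at its parent container.
param(
    [string]$Server     = $env:COMPUTERNAME,
    [int]   $SnapPort   = 51389,
    [string]$SearchBase = 'OU=Staff,DC=contoso,DC=com'
)

function Get-DnByGuid {
    # Returns a hashtable objectGUID (string) -> distinguishedName for the subtree at $LdapPath.
    param([string]$LdapPath)
    $root = New-Object System.DirectoryServices.DirectoryEntry($LdapPath)
    $s    = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=*)')
    $s.SearchScope = 'Subtree'
    $s.PageSize    = 1000            # paged results, so large subtrees are read completely
    [void]$s.PropertiesToLoad.AddRange([string[]]@('objectGUID', 'distinguishedName'))
    $map = @{}
    foreach ($r in $s.FindAll()) {
        $bytes = [byte[]]$r.Properties['objectguid'][0]
        $guid  = New-Object System.Guid -ArgumentList (,$bytes)
        $map[$guid.ToString()] = [string]$r.Properties['distinguishedname'][0]
    }
    $map
}

$snap = Get-DnByGuid "LDAP://${Server}:${SnapPort}/$SearchBase"   # state at snapshot time
$live = Get-DnByGuid "LDAP://${Server}:389/$SearchBase"           # state now

$deleted = @(); $moved = @()
foreach ($guid in $snap.Keys) {
    if (-not $live.ContainsKey($guid))     { $deleted += $snap[$guid] }
    elseif ($live[$guid] -ne $snap[$guid]) { $moved   += "$($snap[$guid]) -> $($live[$guid])" }
}

Write-Host "Objects in the snapshot that no longer exist (candidates for authoritative restore): $($deleted.Count)"
$deleted | Sort-Object
Write-Host "Objects moved or renamed since the snapshot: $($moved.Count)"
$moved
```

Objects that are present in both but with changed attributes are not reported; for those, compare the specific attributes you care about with the same two DirectorySearcher connections rather than restoring the object, since an authoritative restore would also roll back every other attribute.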

Selecting objects to restore
When you are selecting objects that you want to replicate authoritatively, it is important to select the object that is as low in the directory subtree as possible while still covering all the deleted objects that you need to recover. In this way, you avoid reverting objects that are not related to the deletion back in time. Objects other than the deleted objects might have been modified after the backup was created. When you restore an OU, any changes that were made to objects in that OU between the time of the backup and the time of the restore are rolled back to their values at the time of the backup. For any user accounts, computer accounts, and security groups in the restored OU that were not among the deletions being restored, this rollback might mean the loss of the most recent changes to passwords, home directory, profile path, location and container information, group membership, and any security descriptors that are defined on those objects and attributes. For example, if an object that has a password, such as a user, computer, or trust account, is authoritatively restored, the password value of the restored object reverts to the password value at the time of the backup. In this case, users, computers, and services that know only their current password can no longer authenticate, because the domain now holds the password that existed when the backup was created, and updates to the password are blocked because the restored value is authoritative during replication. In the same way, group membership or other data can also be lost. To minimize the impact of rolling unrelated objects back in time, target as few objects as possible. If you have relatively few deletions to restore, you might be able to restore each object individually. If you have a relatively large number of deleted objects to restore, use the container object that contains most of the deleted objects. Ideally, the container that you restore will contain all the objects that you need to recover.
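The following script is an added example, not part of the original guide. It turns the selection rule above into code: given the distinguished names of the objects that must come back (for instance the list produced by comparing a snapshot with the live directory), it either restores each object individually when there are few, or computes the single deepest container that holds all of them, which is the narrowest subtree restore that still covers every deletion. The sample DNs are constructed, the threshold of ten objects is this example's own choice, and the output lines use the Ntdsutil authoritative restore command syntax (restore object and restore subtree). It runs offline.

```powershell
# Added example, not part of the original guide: choose the narrowest authoritative
# restore target for a set of deleted objects. Sample DNs below are constructed.
$deletedDns = @(
    'CN=Alice Adams,OU=Sales,OU=Staff,DC=contoso,DC=com',
    'CN=Bob Brown,OU=Sales,OU=Staff,DC=contoso,DC=com',
    'CN=Sales Managers,OU=Groups,OU=Sales,OU=Staff,DC=contoso,DC=com',
    'CN=Carol\, Clark,OU=Sales,OU=Staff,DC=contoso,DC=com'   # escaped comma inside the RDN
)

function Split-Dn {
    # Splits a DN into its RDNs on commas that are not escaped with a backslash.
    param([string]$Dn)
    [regex]::Split($Dn, '(?<!\\),')
}

function Get-CommonContainer {
    # Returns the deepest container that holds every DN in $Dns: the longest common
    # suffix, counted in RDNs, of the parent containers of the DNs.
    param([string[]]$Dns)
    $parents = New-Object System.Collections.ArrayList
    foreach ($dn in $Dns) {
        [void]$parents.Add(@(Split-Dn $dn | Select-Object -Skip 1))   # drop the leaf RDN
    }
    if ($parents.Count -eq 0) { return '' }
    $shortest = ($parents | ForEach-Object { $_.Count } | Measure-Object -Minimum).Minimum
    $common = @()
    for ($i = 1; $i -le $shortest; $i++) {
        # Compare the i-th RDN from the root end across all parents (DN comparison
        # is case-insensitive, which is what -ne gives us here).
        $rdn  = $parents[0][$parents[0].Count - $i]
        $same = $true
        foreach ($p in $parents) { if ($p[$p.Count - $i] -ne $rdn) { $same = $false; break } }
        if (-not $same) { break }
        $common = ,$rdn + $common        # prepend: build the DN from the root outward
    }
    $common -join ','
}

function Get-RestorePlan {
    # Emits Ntdsutil "authoritative restore" commands: one "restore object" per DN when
    # there are at most $MaxIndividual objects, otherwise one "restore subtree" for the
    # common container. Everything in that container that was NOT deleted is rolled
    # back too, so the threshold should be chosen with that cost in mind.
    param([string[]]$Dns, [int]$MaxIndividual = 10)
    if ($Dns.Count -le $MaxIndividual) {
        foreach ($dn in $Dns) { "restore object `"$dn`"" }
    } else {
        "restore subtree `"$(Get-CommonContainer $Dns)`""
    }
}

Get-RestorePlan $deletedDns                    # four "restore object" lines
Get-RestorePlan $deletedDns -MaxIndividual 2   # restore subtree "OU=Sales,OU=Staff,DC=contoso,DC=com"
```

With the sample data the common container is OU=Sales,OU=Staff,DC=contoso,DC=com, not the deeper OU=Groups, because three of the four objects sit directly in OU=Sales; restoring that subtree would also roll back every other object under it, which is exactly the trade-off the text asks you to weigh.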

Selecting application directory partitions to restore
If you are restoring an application directory partition, the selection process is different from the process that you use to select other Active Directory objects. To authoritatively restore an application directory partition, follow the procedures that are provided for this task, but use the procedure in Performing Authoritative Restore of an Application Directory Partition to mark the application directory partition as authoritative, and do not perform the procedures for restoring group memberships.

Restoring group memberships after authoritative restore
When a user object is deleted inadvertently, you restore it by marking the user object as authoritative during an authoritative restore procedure. However, depending on the functional level of the forest at the time that any groups to which the user belongs were created (or the forest functional level at the time that the user was added to the group, if they are different), the user's group memberships might not be restored in the process. This condition is multiplied by hundreds or thousands of users when an OU is deleted. In this case, additional steps are required to restore the group memberships of the user accounts that you restore.

+54 and restoration of group memberships
Restoration of group memberships for security principals that are deleted and restored authoritatively differs, depending on whether the group was created (or its membership was updated) before or after the implementation of the Windows Server 2003 functionality called linked-value replication (LVR). LVR is in effect when the forest has a functional level of at least Windows Server 2003 interim or Windows Server 2003. In groups that are created before LVR is in effect, the member attribute of a group object is replicated as a single value. Therefore, any change to the group's membership results in replication of the entire member attribute. In groups that are created after LVR is in effect, updates to the member attribute of a group object are replicated separately, one value at a time. In groups that are created before LVR but that are updated after LVR is in effect, only the member values that were added or removed after LVR took effect are converted to linked values; values that have not been touched since then remain legacy values. For linked values, group memberships are restored when you use the Ntdsutil command-line tool to authoritatively restore a user, group, or computer object.
Important
The memberOf attribute (or any back-link attribute) exists only because of its link to the member attribute (or the corresponding forward-link attribute). The back-link is generated only when it is accessed, and it is not replicated. Only the forward-link attribute value can be updated and replicated. For this reason, restoring the membership on a user object necessarily involves updating the member attribute on the group object to include the distinguished name of the restored user.
When you use the Ntdsutil command-line tool to authoritatively restore a subtree or a single object, the ability of Ntdsutil to automatically restore the group memberships of an object that is authoritatively restored depends on whether the group was created before or after LVR was implemented. For example, if a user object is restored and the user belongs to group G1 that was created before LVR was implemented and to group G2 that was created after LVR was implemented (that is, after the functional level of the forest was raised to Windows Server 2003 interim or Windows Server 2003), the member attribute of G2 is updated during authoritative restore (and, therefore, the memberOf attribute of the restored user shows G2), but the member attribute of G1 is not updated.
Note
Although Ntdsutil restores back-links for LVR groups, replication order can result in the memberships being dropped. For more information, see Performing Authoritative Restore of Active Directory Objects.
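The following PowerShell script is an added example, not code from this guide. It reports the forest functional level (LVR is in effect at Windows Server 2003 interim and higher) and then classifies each member link of one group from the link-value metadata that repadmin /showobjmeta prints, so that you can tell before a restore whether a group still carries legacy (pre-LVR) values that only the generated .ldf file can bring back. It assumes repadmin.exe is on the path and that the caller can read the group; the group DN and server name are placeholders.

```powershell
# Added example (not from the Operations Guide). Classify a group's member links
# as LEGACY (pre-LVR: replicated as part of the whole attribute) or
# PRESENT/ABSENT (linked-value) from repadmin /showobjmeta output.

function Get-ForestFunctionalLevel {
    # Windows2003InterimForest, Windows2003Forest and Windows2008Forest all have LVR.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    return $forest.ForestMode
}

function Get-GroupMemberLinkTypes {
    param(
        [Parameter(Mandatory=$true)][string]$GroupDN,
        [Parameter(Mandatory=$true)][string]$DomainController
    )
    # After the attribute metadata, repadmin /showobjmeta lists link values:
    # a "Type Attribute ..." line whose Type is LEGACY, PRESENT or ABSENT,
    # followed by an indented line that carries the target distinguished name.
    $output = & repadmin.exe /showobjmeta $DomainController $GroupDN
    $links = @()
    $pendingType = $null
    foreach ($line in $output) {
        if ($line -match '^\s*(LEGACY|PRESENT|ABSENT)\s+member\b') {
            $pendingType = $matches[1]
        } elseif ($pendingType -and $line -match '^\s+(\S+=.+)$') {
            $links += New-Object PSObject -Property @{ Type = $pendingType; Target = $matches[1].Trim() }
            $pendingType = $null
        }
    }
    return $links
}

function Test-GroupNeedsLdif {
    param([string]$GroupDN, [string]$DomainController)
    $links  = @(Get-GroupMemberLinkTypes -GroupDN $GroupDN -DomainController $DomainController)
    $legacy = @($links | Where-Object { $_.Type -eq 'LEGACY' })
    # Ntdsutil re-creates only the linked values on its own; every LEGACY link
    # has to come back through the ar_*_links_*.ldf file it generates.
    New-Object PSObject -Property @{
        Group        = $GroupDN
        LegacyLinks  = $legacy.Count
        LvrLinks     = ($links.Count - $legacy.Count)
        LdifRequired = ($legacy.Count -gt 0)
    }
}

"Forest functional level: $(Get-ForestFunctionalLevel)"
Test-GroupNeedsLdif -GroupDN 'CN=Sales Admins,OU=Groups,DC=corp,DC=example,DC=com' `
    -DomainController 'DC1.corp.example.com' | Format-List
```

Run it against each group that the objects you intend to restore belong to; a group that reports any LEGACY links is one whose memberships the automatic restore will not recover.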

Authoritative restore of pre-LVR group memberships and groups in different domains
The version of Ntdsutil that is included with Windows Server 2003 Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), Windows Server 2003 R2, and Windows Server 2008 can also restore memberships in groups that were created before LVR was implemented and in groups that can have members from other domains. Ntdsutil creates a text file that identifies the authoritatively restored objects. In addition, Ntdsutil creates an LDAP Data Interchange Format (LDIF) file (.ldf) that identifies restored objects that have back-links. You can use the .ldf file to regenerate memberOf back-links on restored security principal objects (users, groups, and computers) in a forest where LVR was not in effect when the groups that are identified in the memberOf back-links were created. To restore memberships in groups that are stored in other domains (that is, universal group or domain local group memberships), additional steps are required. Use the .txt file that Ntdsutil generates during authoritative restore to generate an .ldf file in each additional domain that has groups in which restored security principals have memberships. The updates to Ntdsutil that generate the files for recovering group memberships in pre-LVR groups and in groups in other domains were introduced in Windows Server 2003 with SP1. The steps that you perform are different if you are restoring the objects on a domain controller that is running an earlier version of Windows Server. If you are performing authoritative restore in a pre-Windows Server 2003 SP1 environment, see "Procedures for Domain Controllers Running Windows Server 2003 with No Service Pack Installed" in Performing an Authoritative Restore of Active Directory Objects.

Files for recovering group memberships following authoritative restore
When you perform authoritative restore, Ntdsutil creates the following files that are used to recover group memberships:
• ar_YYYYMMDD-HHMMSS_links_Domain.ldf, an LDIF file that is generated for the domain in which you perform the authoritative restore procedure. This file contains back-link information for the restored objects. If you perform the procedure on a global catalog server, a separate .ldf file is created for each domain in the forest. You can use this file with the Ldifde.exe command-line tool to import the back-links to recover universal and global group memberships in environments that include pre-LVR groups. For environments that do not include pre-LVR groups, Ntdsutil recovers group memberships automatically in the recovery domain and in the forest (for universal groups) if the recovery domain controller is a global catalog server. If the restore includes security principals that can have memberships in domain local groups in other domains, you use the ar_YYYYMMDD-HHMMSS_objects.txt text file that is generated during authoritative restore to create an .ldf file to restore the memberships in each additional domain.
• ar_YYYYMMDD-HHMMSS_objects.txt, a text file that contains a list of the authoritatively restored objects. This file is generated for each individual object or container that you mark as authoritative. You can use this file to generate an .ldf file that recovers memberships in domain local groups and universal groups (if you are not restoring a global catalog server) in other domains. This file is created on any domain controller that you authoritatively restore. Global catalog servers do not store the member attribute of domain local groups. Therefore, even if you perform the restore on a global catalog server, you must always use this file to generate an .ldf file in any domain where there are domain local groups of which restored security principals might be members. You must create a separate .ldf file for each object or container that you mark as authoritative.
Note
Although group memberships are restored automatically when you use Ntdsutil to recover membership in LVR groups, it is best to process the .ldf files to ensure recovery. In some cases, replication order can result in lost memberships. For more information, see Known Issues for Authoritative Restore.
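The following script is an added example and is not code from this guide. It reads the ar_YYYYMMDD-HHMMSS_links_Domain.ldf file that Ntdsutil writes, reports which groups the back-links point to and whether any of those groups live in a domain other than the recovery domain (which is what decides whether the follow-up procedures in other domains are needed), and shows the Ldifde import. The LDIF content embedded below is constructed for illustration of the file's shape; the DNs, file names and the recovery domain are placeholders.

```powershell
# Added example (not from the Operations Guide): inspect the back-link .ldf
# that Ntdsutil generated and decide which domains need follow-up work.

function Read-LdifRecords {
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    # LDIF folds long values onto continuation lines that begin with one space;
    # unfold them so that every "key: value" pair sits on one line.
    $unfolded = New-Object System.Collections.ArrayList
    foreach ($line in $Lines) {
        if ($line.StartsWith(' ') -and $unfolded.Count -gt 0) {
            $unfolded[$unfolded.Count - 1] += $line.Substring(1)
        } else {
            [void]$unfolded.Add($line)
        }
    }
    # Records are separated by blank lines and start with "dn:". A "member::"
    # line carries a base64-encoded value (a DN with non-ASCII characters).
    $records = @(); $rec = $null
    foreach ($line in $unfolded) {
        if ($line -match '^\s*$') {
            if ($rec) { $records += $rec; $rec = $null }
            continue
        }
        if ($line -match '^dn:\s*(.+)$') { $rec = @{ dn = $matches[1]; member = @() }; continue }
        if ($rec -eq $null) { continue }
        if ($line -match '^member::\s*(.+)$') {
            $rec.member += [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($matches[1]))
        } elseif ($line -match '^member:\s*(.+)$') {
            $rec.member += $matches[1]
        }
    }
    if ($rec) { $records += $rec }
    return $records
}

function Get-DomainDN {
    param([string]$DistinguishedName)
    # The domain of an object is the trailing run of DC= components of its DN.
    return ($DistinguishedName -replace '^.*?(?=DC=)', '')
}

function Get-BackLinkFollowUp {
    param([string[]]$LdifLines, [string]$RecoveryDomainDN)
    foreach ($rec in Read-LdifRecords -Lines $LdifLines) {
        $groupDomain = Get-DomainDN -DistinguishedName $rec.dn
        New-Object PSObject -Property @{
            Group            = $rec.dn
            Members          = @($rec.member).Count
            GroupDomain      = $groupDomain
            NeedsOtherDomain = ($groupDomain -ne $RecoveryDomainDN)
        }
    }
}

# Constructed sample of the generated file: one "modify/add: member" record per
# group that referenced a restored object. Real files contain the DNs Ntdsutil found.
$sampleLdif = @'
dn: CN=Sales Admins,OU=Groups,DC=corp,DC=example,DC=com
changetype: modify
add: member
member: CN=Alice,OU=Sales,DC=corp,DC=example,DC=com
member: CN=Bob,OU=Sales,DC=corp,DC=example,DC=com
-

dn: CN=Finance Readers,OU=Groups,DC=emea,DC=example,DC=com
changetype: modify
add: member
member: CN=Alice,OU=Sales,DC=corp,DC=example,DC=com
-
'@
$sampleLines = $sampleLdif -split "`r?`n"

Get-BackLinkFollowUp -LdifLines $sampleLines -RecoveryDomainDN 'DC=corp,DC=example,DC=com' |
    Format-Table Group, Members, GroupDomain, NeedsOtherDomain -AutoSize

# Import on the recovery domain controller once the restored objects have
# replicated everywhere. -k continues past "object already exists" and
# "constraint violation" errors (members that are already present); -j writes
# ldif.log and ldif.err to the given directory for review.
# ldifde -i -k -f ar_20080601-120000_links_corp.ldf -s DC1.corp.example.com -j C:\restore
```

The second sample record points at a group in the emea domain, so the report flags it: its membership cannot be recovered from the recovery domain and needs the procedure for other domains described later in this section.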

Using a global catalog server for authoritative restore
If possible, perform the authoritative restore on a global catalog server in the domain where the objects were deleted to recover security principals and group memberships. Global catalog servers store a single, writable domain and a partial, read-only replica of all other domains in the forest. A partial replica means that the global catalog stores all objects, but with a limited set of attributes on each object. Check the properties of the NTDS Settings object of the server object in Active Directory Sites and Services to determine whether a domain controller is a global catalog server.
Global catalog and group memberships
In relation to the three types of security groups (global groups, domain local groups, and universal groups), global catalog servers are best suited for recovering group memberships after an authoritative restore procedure because they store the memberships of all universal groups in the forest and of all global groups in their own domain. Security group memberships are restored on a global catalog server as follows:
• Global groups: Security principals (users, groups, and computers) can be members only of global groups that are created in the same domain. Global catalog servers store a writable domain directory partition. Therefore, they can restore global group memberships for the recovery domain.
• Universal groups: Security principals can be members of universal groups that are created in any domain. Because the member attribute is among the attributes that are stored on the read-only universal group objects in the global catalog, a global catalog server can recover universal group memberships for all domains in the forest. A domain controller that is not a global catalog server stores only the universal group objects that are created in its own domain.
• Domain local groups: Security principals can be members of domain local groups that are created in any domain. Memberships in domain local groups in the recovery domain are restored automatically during authoritative restore. However, the global catalog does not store the member attribute for read-only domain local group objects. Therefore, for restored security principals that have memberships in domain local groups in other domains, you must recover these memberships by performing follow-up procedures in each additional domain.

Recovering deletions without restoring from backup
If you can isolate a global catalog server (or any domain controller, but preferably a global catalog server) in the domain where the deletion occurred before the server receives replication of the deletion, you might be able to avoid performing a preliminary restore from backup (nonauthoritative restore) and having to extend the restore process to other domains. Use the repadmin /showrepl command to determine the date and time of the latest inbound replication of the domain directory partition where the deletions occurred. Global catalog servers often have greater replication latency than ordinary domain controllers, and they are better restore candidates in general because they store universal group memberships. If you can stop inbound replication on a latent global catalog server, you can perform an authoritative restore on the global catalog server to recover the deleted memberships for all groups in the domain and for all universal groups in other domains. If you want to use a latent global catalog server for restoring deleted objects, you must take steps to stop inbound replication immediately. You can use one of the following methods to stop replication:
• Use the Services snap-in to stop AD DS. In this case, services that do not depend on AD DS continue to operate (services that depend on it, such as the Kerberos Key Distribution Center and DNS Server, stop with it).
• Take the global catalog server offline by restarting it in Directory Services Restore Mode (DSRM). In this case, all other directory-related services are stopped in addition to AD DS.
• Use Repadmin.exe to stop inbound replication. In this case, the domain controller continues to operate but does not receive replication updates.
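The following script is an added example, not code from this guide. It ranks the domain controllers of the current domain by the time of their last successful inbound replication of the domain partition (the value repadmin /showrepl reports), marks the global catalog servers, and wraps the Repadmin commands that stop and resume inbound replication. It assumes Windows PowerShell 2.0 (for ConvertFrom-Csv) and repadmin.exe on the path; the domain DN and server names are placeholders.

```powershell
# Added example (not from the Operations Guide): find a latent domain
# controller, preferably a global catalog server, and stop its inbound replication.

function Get-LastInboundSuccess {
    param([string]$DomainController, [string]$NamingContext)
    # "repadmin /showrepl <DC> /csv" emits one row per inbound partner and
    # partition, with the columns "Naming Context", "Source DSA",
    # "Last Success Time" and "Number of Failures".
    $rows  = & repadmin.exe /showrepl $DomainController /csv | ConvertFrom-Csv
    $times = foreach ($row in $rows) {
        if ($row.'Naming Context' -eq $NamingContext -and
            $row.'Last Success Time' -match '^\d{4}-\d{2}-\d{2}') {
            [datetime]$row.'Last Success Time'
        }
    }
    if ($times) { return ($times | Sort-Object -Descending | Select-Object -First 1) }
    return $null   # no successful inbound replication recorded
}

function Find-LatentDomainController {
    param([Parameter(Mandatory=$true)][string]$DomainDN)
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $report = foreach ($dc in $domain.DomainControllers) {
        New-Object PSObject -Property @{
            Name               = $dc.Name
            IsGlobalCatalog    = $dc.IsGlobalCatalog()
            LastInboundSuccess = Get-LastInboundSuccess -DomainController $dc.Name -NamingContext $DomainDN
        }
    }
    # Oldest last-success first; among equals prefer a global catalog server,
    # because it also holds the universal group memberships of other domains.
    $report | Sort-Object LastInboundSuccess, @{ Expression = 'IsGlobalCatalog'; Descending = $true }
}

function Disable-InboundReplication {
    param([string]$DomainController)
    & repadmin.exe /options $DomainController +DISABLE_INBOUND_REPL
}

function Enable-InboundReplication {
    param([string]$DomainController)
    & repadmin.exe /options $DomainController -DISABLE_INBOUND_REPL
}

# Compare LastInboundSuccess with the time of the deletion: a DC whose last
# inbound success predates the deletion cannot have received it yet. Confirm by
# looking the deleted object up on that DC before you commit to it, then stop
# inbound replication there before doing anything else.
Find-LatentDomainController -DomainDN 'DC=corp,DC=example,DC=com' |
    Format-Table Name, IsGlobalCatalog, LastInboundSuccess -AutoSize
# Disable-InboundReplication -DomainController 'GC1.corp.example.com'
```

A last-success time that is later than the deletion does not prove that the deletion arrived (the partner may not have had it yet), so treat the listing as a shortlist and verify the object is still present on the candidate before you rely on it.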


Retention (merge) of new group memberships or other attributes after authoritative restore
The authoritative restore procedure results in a merge of the authoritatively restored objects and attributes with the existing objects and attributes. For example, do not expect that users who were added to a group after the backup that is used to restore the deleted group will be removed by an authoritative restore of the group object. Instead, new attributes of objects that are specified in the authoritative restore are preserved during replication. Therefore, authoritative restore does not remove group memberships that were added between the time of the backup that is used for authoritative restore and the time of the restore procedure. Objects and attributes are preserved during authoritative restore as follows:
• If an object exists in the backup, before inbound replication the post-restore directory partition contains the version of the object that exists in the restored backup.
• If an object was created after the backup was made and there are additional domain controllers that store the directory partition, after inbound replication the restored directory partition also includes the set of objects that were created after the backup.
• If an object contains new attributes that are not contained in the backup but that exist in the directory partition of an additional domain controller in the domain at the time of the restore, after inbound replication the version of the object and attributes as they existed in the backup, plus any new attributes that were added to the object after the backup, are preserved.
Authoritative restore affects only the objects and attributes that existed at the time of the backup. This functionality applies to objects with linked attributes and nonlinked attributes alike. For example, if you are restoring an object that has attribute A and attribute B in the backup version and has attributes A', B', and C in the current directory, attribute C is retained after authoritative restore. Therefore, a group object that has the member value User1 in the backup and has both User1 and User2 in the current directory includes both of those memberships after authoritative restore of the group object. Any post-backup memberOf or member attribute values that were added to a user or group, respectively, are not affected by replication updates after the restore procedure. (This holds for member values that are replicated as linked values. For a group whose member attribute is still replicated as a single pre-LVR value, the restored attribute replaces the whole membership, and User2 would not survive.) If you want to remove group memberships, or any other unwanted object attribute, complete the following steps:
1. Delete the object whose updates you do not want to retain.
2. Allow the deletion to replicate throughout the forest.
3. Back up a domain controller that has received the deletion, so that you can roll back if necessary.
4. Authoritatively restore the object that you deleted from an earlier backup that does not contain the unwanted values.

Authoritative restore procedures
Procedures for this task restore deleted objects and back-links for the restored objects in the domain of the deletions. If you are restoring security principals that might belong to groups in more than one domain, or if you are restoring other objects that have back-links to objects in another domain, additional steps are required.
Task requirements
The following tools are required to perform the procedures for this task:
• Repadmin.exe
• Remote Desktop Connection (optional)
• Bcdedit.exe (optional)
• Ntdsutil.exe
• Ldifde.exe (to import the generated .ldf files)
To complete this task, perform procedures according to the conditions in your environment:
• Procedures for restoring after deletions have replicated
• Procedures for restoring before deletions have replicated
• Procedures for recovering group memberships (and any other back-link attributes) in other domains

Procedures for restoring after deletions have replicated
If you are performing authoritative restore on a domain controller that has already received replication of the deletions, perform the following procedures on the recovery domain controller:
1. If you do not have a current backup of the recovery domain controller, Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin). You can use this backup to return to the starting point and try again if your recovery is not successful.
2. Restart the Domain Controller in Directory Services Restore Mode Locally or Restart the Domain Controller in Directory Services Restore Mode Remotely.
Restoring from backup requires restarting the domain controller in DSRM. Taking the domain controller offline by stopping AD DS is not sufficient to run the Ntdsutil procedures that restore from backup.
3. Restore AD DS from Backup (Nonauthoritative Restore).
Use this procedure to return the domain controller to its state at the time of the backup so that any groups that are being restored, or whose members are being restored, are present in the directory with their predeletion membership intact. When Ntdsutil.exe generates the .ldf file during authoritative restore, it searches for member attributes that refer to objects listed in the text file that contains the objects marked for authoritative restore. To ensure that replication does not occur, do not restart the domain controller after the restore procedure.
4. Mark an Object or Objects as Authoritative.
Mark the object or objects that you want to restore so that replication does not overwrite them when you restart the domain controller.
5. Restart the domain controller normally.
6. Synchronize Replication with All Partners.
For the newly restored object to become available and be instantiated in its restored form on all domain controllers, successful outbound replication must occur from the domain controller that originates the restored changes to its partners. Make sure that all domain controllers in the domain and all global catalog servers in the forest have received the restored objects.
7. Run an LDIF File to Recover Back-Links in this domain.
This procedure updates the group memberships of a restored security principal object or container of objects in the recovery domain. Perform this procedure for each individual object or container that you marked as authoritative.
8. If the .ldf file shows back-links for objects in other domains, perform the procedures in Procedures for recovering group memberships (and any other back-link attributes) in other domains.

Procedures for restoring before deletions have replicated
If you have identified a global catalog server or other domain controller that has not received replication of the deletions and for which you have a recent backup, you do not have to perform a preliminary restore from backup, and you do not have to perform the authoritative restore procedure in DSRM. Instead, you can stop the AD DS service. Perform the following procedures on the recovery domain controller:
1. Turn Off Inbound Replication. Leave inbound replication turned off until you have finished marking the objects that you want to replicate authoritatively.
2. If you do not have a current backup of the recovery domain controller, Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin). You can use this backup to return to the starting point and try again if your recovery is not successful.
3. Use the Services snap-in to stop AD DS.
4. Mark an Object or Objects as Authoritative.
Mark the object or objects that you want to restore so that replication does not overwrite them when you restart AD DS.
5. Use the Services snap-in to restart AD DS.
6. Synchronize Replication with All Partners.
For the authoritatively marked objects to become available and be instantiated on all domain controllers, successful outbound replication must occur from the domain controller that originates the authoritative changes to its partners. Make sure that all domain controllers in the domain and all global catalog servers in the forest have received replication of the authoritative objects.
7. Run an LDIF File to Recover Back-Links in this domain.
This procedure updates the group memberships of a restored security principal object or a container of objects in the recovery domain. Perform this procedure for each individual object or container that you marked as authoritative.
8. Turn on Inbound Replication.
9. Back up the recovered domain controller. See Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin) or Perform a Backup of Critical Volumes of a Domain Controller by Using the GUI (Windows Server Backup) (http://go.microsoft.com/fwlink/?LinkId=116312).
10. If the .ldf file shows back-links for objects in other domains, complete the procedures in Procedures for recovering group memberships (and any other back-link attributes) in other domains.

Procedures for recovering group memberships (and any other back-link attributes) in other domains
You can recover group memberships in other domains either by adding the members manually to the respective groups or by using the text file from the original authoritative restore procedure to generate one or more .ldf files that recover the back-links in the other domains. Be aware that restored objects might have back-links other than group memberships. If you have restored security principal objects or other objects that have back-link attributes in a forest that has more than one domain and you do not want to restore the back-links manually, perform the following steps on a domain controller in each additional domain:
Note
For restored security principals, these steps are required only if the restored security principals have memberships in domain local or universal groups in a domain other than the recovery domain. If you restored the security principals on a global catalog server, you need to recover only domain local group memberships in other domains. In some cases, these accounts might be few enough that you can recreate the memberships manually instead of following these procedures.
1. Restart the Domain Controller in Directory Services Restore Mode Locally or Restart the Domain Controller in Directory Services Restore Mode Remotely.
2. Restore AD DS from Backup (Nonauthoritative Restore).
When the group members were deleted, the member attribute (forward link) on any group of which they were members was removed from the group object. This procedure is required to restore the member attribute on group objects for those group members that were deleted. This attribute is required to regenerate the memberOf attribute value on the restored group members.
3. While still in DSRM, use Ntdsutil to Create an LDIF File for Recovering Back-Links for Authoritatively Restored Objects. In this procedure, you must specify the location of the .txt file that was generated by Ntdsutil during the authoritative restore procedure.
4. Restart the domain controller normally.
5. Run an LDIF File to Recover Back-Links in this domain on a domain controller other than the one that you restored from backup and on which you created the LDIF file.
Because you have just restored the domain controller on which you created the LDIF file from backup, perform this procedure on a different domain controller to be sure that the group objects you update are current. This procedure updates the group memberships of a restored security principal object or container of objects. Perform this procedure for each individual object or container that you marked as authoritative.
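The following script is an added example and is not code from this guide. It collects, as PowerShell functions, the commands behind the three procedures above: marking objects authoritative on the recovery domain controller (on a latent domain controller with AD DS stopped, or in DSRM after a nonauthoritative restore), pushing the result to all partners, importing the generated .ldf file, and, in another domain, building an .ldf file from the objects.txt file. Server names, DNs, paths and file names are placeholders. Ntdsutil still displays its "Are you sure" confirmation when you mark objects authoritative, so this is run from an interactive, elevated session rather than unattended.

```powershell
# Added example (not from the Operations Guide): the command sequence for
# marking objects authoritative and recovering their back-links.

function Backup-SystemState {
    param([Parameter(Mandatory=$true)][string]$Target)   # e.g. 'E:' or '\\backup\dc'
    & wbadmin.exe start systemstatebackup "-backupTarget:$Target" -quiet
}

function Set-ObjectsAuthoritative {
    param([Parameter(Mandatory=$true)][string]$SubtreeDN, [int]$VersionIncrement = 100000)
    # Ntdsutil writes ar_<stamp>_objects.txt and ar_<stamp>_links_<domain>.ldf
    # into the current directory, so change to the directory you want them in.
    # "restore object" marks one object; "restore subtree" marks a container and
    # everything beneath it. A DN that contains spaces has to be wrapped in
    # escaped quotation marks inside the ntdsutil argument.
    & ntdsutil.exe 'activate instance ntds' 'authoritative restore' `
        "restore subtree $SubtreeDN verinc $VersionIncrement" quit quit
}

function Invoke-RestoreOnLatentDC {
    # Variant for a domain controller that has not yet received the deletions:
    # no nonauthoritative restore and no DSRM, but AD DS is stopped.
    param([string]$DomainController, [string]$SubtreeDN, [string]$BackupTarget)
    & repadmin.exe /options $DomainController +DISABLE_INBOUND_REPL
    Backup-SystemState -Target $BackupTarget
    Stop-Service -Name NTDS -Force        # -Force also stops dependants (KDC, DNS Server, ...)
    Set-ObjectsAuthoritative -SubtreeDN $SubtreeDN
    Start-Service -Name NTDS
}

function Sync-WithAllPartners {
    param([Parameter(Mandatory=$true)][string]$DomainController)
    # /A all partitions, /P push from this DC, /e include other sites, /d print DNs
    & repadmin.exe /syncall $DomainController /APed
}

function Import-BackLinks {
    param([string]$LdifPath, [string]$DomainController, [string]$LogDir)
    # -k keeps going past "already exists"/"constraint violation"; -j sets the log directory
    & ldifde.exe -i -k -f $LdifPath -s $DomainController -j $LogDir
}

function New-LdifForOtherDomain {
    # Run in DSRM in the other domain, after the nonauthoritative restore there,
    # with the objects.txt produced by the original authoritative restore.
    param([Parameter(Mandatory=$true)][string]$ObjectsTxtPath)
    & ntdsutil.exe 'activate instance ntds' 'authoritative restore' `
        "create ldif files from $ObjectsTxtPath" quit quit
}

# Latent global catalog variant, typed at the console step by step:
# Invoke-RestoreOnLatentDC -DomainController 'GC1.corp.example.com' `
#     -SubtreeDN 'OU=Sales,DC=corp,DC=example,DC=com' -BackupTarget 'E:'
# Sync-WithAllPartners -DomainController 'GC1.corp.example.com'
# ... after confirming the restored objects exist on every DC in the domain:
# Import-BackLinks -LdifPath '.\ar_20080601-120000_links_corp.ldf' `
#     -DomainController 'GC1.corp.example.com' -LogDir 'C:\restore'
# & repadmin.exe /options 'GC1.corp.example.com' -DISABLE_INBOUND_REPL
# Backup-SystemState -Target 'E:'
```

For the DSRM variant, omit Invoke-RestoreOnLatentDC: restart into DSRM, run the nonauthoritative restore, call Set-ObjectsAuthoritative, restart normally, and continue from Sync-WithAllPartners. In the other domain, New-LdifForOtherDomain produces the file that Import-BackLinks then loads against a domain controller other than the one you restored.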

Additional references
• Known Issues for Authoritative Restore
• Best Practices for Authoritative Restore

Known Issues for Authoritative Restore
Review the following known issues before you perform an authoritative restore on domain controllers running Windows Server 2008 in forests that have a forest functional level of Windows Server 2003, Windows Server 2003 interim, or Windows Server 2008:
• Order of replication and dropped group memberships
• Members added back to groups from which they were deleted
• Incorrect assignment of Exchange mailboxes

Order of replication and dropped group memberships
When the groups that are being restored were created or updated while the forest had a forest functional level of Windows Server 2003, Windows Server 2003 interim, or Windows Server 2008 (that is, while linked-value replication (LVR) was in effect), the version of Ntdsutil on domain controllers that are running Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), Windows Server 2003 R2, or Windows Server 2008 automatically restores group memberships during the authoritative restore procedure by restoring back-links to group objects. To restore back-links for pre-LVR groups, Ntdsutil generates an LDAP Data Interchange Format (LDIF) file (.ldf) that you must process by using the Ldifde.exe tool to restore the back-link values manually. However, and this is of particular importance where group memberships are concerned, the order of replication can undo the benefits of authoritative restore in some cases. For this reason, we recommend always processing the .ldf file that is produced by Ntdsutil during authoritative restore to update group memberships, even if the group or groups being restored were created or updated while LVR was in effect. For information about LVR and its effects on the authoritative restore process, see Performing Authoritative Restore of Active Directory Objects.
Updated, authoritatively marked objects replicate in a "store-and-forward" manner that can lead to the objects being received on one domain controller and forwarded to one or more other domain controllers. Regardless of the order in which replication is initiated, the order in which replicated updates are received cannot be guaranteed. For this reason, it is possible for authoritatively restored group objects to replicate ahead of the authoritatively restored objects that are their members, which can result in dropped memberships. For example, suppose Group A and its member User X are both deleted, and that User X and Group A are then authoritatively restored; during the authoritative restore procedure, Ntdsutil updates the member attribute of Group A to include the authoritatively restored User X, and the memberOf attribute of User X to include Group A. If replication of Group A is received before replication of User X, User X is still a deleted object on the recipient domain controller. In this case, the User X link value is dropped from the member attribute of Group A. When replication of the authoritatively restored User X is received, perhaps only seconds later, the member attribute of the group is not updated. If replication of User X is received before Group A, the membership on Group A is retained. Use the following steps to ensure that group memberships for authoritatively restored groups and their restored members are always retained during replication after authoritative restore:
1. Ensure that all authoritatively restored objects have replicated and exist on all domain controllers in the domain.
2. Run the .ldf file on the recovery domain controller.
3. Force replication on the recovery domain controller.
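The following script is an added example and is not code from this guide. It implements the check behind step 1 above (every restored object must be present, not a tombstone, on every domain controller in the domain before the .ldf file is imported) and, for the follow-up, confirms that a membership exists on every domain controller after the import and forced replication. It uses System.DirectoryServices only, so it runs on Windows Server 2008 without the Active Directory PowerShell module; the DNs are placeholders.

```powershell
# Added example (not from the Operations Guide): verify that authoritatively
# restored objects and their memberships have replicated to every DC.

function Test-ObjectOnAllDomainControllers {
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($dc in $domain.DomainControllers) {
        # A base-scope search for the live DN fails with "no such object" on a DC
        # that still holds the object only as a tombstone (tombstones are hidden
        # unless the deleted-objects control is sent): exactly the case to catch.
        $entry    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)/$DistinguishedName")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher(
            $entry, '(objectClass=*)', [string[]]@('distinguishedName'),
            [System.DirectoryServices.SearchScope]::Base)
        $found = $false
        try { $found = ($searcher.FindOne() -ne $null) } catch { $found =$false }
        New-Object PSObject -Property @{ DomainController = $dc.Name; Object = $DistinguishedName; Present = $found }
    }
}

function Test-MembershipOnAllDomainControllers {
    param([Parameter(Mandatory=$true)][string]$GroupDN, [Parameter(Mandatory=$true)][string]$MemberDN)
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($dc in $domain.DomainControllers) {
        $group = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)/$GroupDN")
        $has = $false
        try {
            # ADSI returns the first range of a very large member attribute only;
            # for groups above the LDAP range limit, use ranged retrieval instead.
            foreach ($m in $group.Properties['member']) {
                if ([string]$m -eq $MemberDN) { $has = $true; break }   # DN compare is case-insensitive
            }
        } catch { $has = $false }
        New-Object PSObject -Property @{ DomainController = $dc.Name; Group = $GroupDN; HasMember = $has }
    }
}

function Test-SafeToImportLdif {
    # True only when every restored object is present on every DC in the domain.
    param([Parameter(Mandatory=$true)][string[]]$RestoredDNs)
    $missing = foreach ($dn in $RestoredDNs) {
        Test-ObjectOnAllDomainControllers -DistinguishedName $dn | Where-Object { -not $_.Present }
    }
    $missing | Format-Table DomainController, Object -AutoSize
    return (@($missing).Count -eq 0)
}

# Test-SafeToImportLdif -RestoredDNs @('CN=Alice,OU=Sales,DC=corp,DC=example,DC=com')
# Test-MembershipOnAllDomainControllers -GroupDN 'CN=Sales Admins,OU=Groups,DC=corp,DC=example,DC=com' `
#     -MemberDN 'CN=Alice,OU=Sales,DC=corp,DC=example,DC=com'
```

Import the .ldf file only when Test-SafeToImportLdif returns True; after the import and the forced replication, Test-MembershipOnAllDomainControllers should report HasMember = True on every domain controller in the list.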

Members added back to groups from which they were deleted
To recover memberships in groups in the recovery domain and in other domains in which a restored security principal might have group memberships, you process an .ldf file to restore the memberships. It is possible for the .ldf file to include memberships in groups from which a restored user object was removed before the backup that is used for the preliminary nonauthoritative restore. In this case, after authoritative restore, a user might have membership in a group from which the user was formerly removed. Because such an entry can silently re-grant access (for example, membership in an administrative group that was deliberately removed), review the .ldf file, or at least its entries for privileged groups, before you import it. For more information, see the related article in the Microsoft Knowledge Base.

Incorrect assignment of Exchange mailboxes
Authoritative restore of deleted user accounts that have mailboxes in Microsoft Exchange 2003 can result in incorrect mailbox assignments after replication. For information about avoiding this issue, see the related article in the Microsoft Knowledge Base.


Best Practices for Authoritative Restore
The following best practices are provided to ensure successful recovery of the data that is being restored. Group membership is particularly sensitive: it can be affected greatly by the procedures that you follow during an authoritative restore. The following best practices help ensure successful recovery of data when you use them to perform authoritative restore:
• Restore a latent domain controller. If possible, find a domain controller (preferably a global catalog server) that has not received replication of the deleted objects, and perform authoritative restore on that domain controller. In this case, you do not have to perform a preliminary nonauthoritative restore from backup.
• Restore a global catalog server. Attempt to find a global catalog server to use as the recovery domain controller. Only a global catalog server can recover universal group memberships for other domains. If you cannot find a latent global catalog server or other domain controller in the domain where the deletion occurred, find the most recent system state or critical-volume backup of a global catalog server in that domain, and use this global catalog server as the recovery domain controller. In addition, locate the most recent backup of a non-global-catalog domain controller.
• Stop changes to groups. Stop making changes to security groups in the forest if all of the following statements are true:
  • You are restoring individual, deleted user or computer accounts by their distinguished name (DN) paths.
  • You are restoring on a domain controller that has not received replication of the deletions.
  • You are not restoring security groups or their parent containers.
• Keep users and administrators informed. If you are restoring security groups or organizational unit (OU) containers that host security groups or user accounts, notify users, administrators, and help desk administrators in the domain of the deletions, and in any other domains that might have group memberships for the deleted accounts, to temporarily stop all changes to these objects.
• Create a preliminary backup. If the system state or critical-volume backup is not current up to the point of the deletion, before you perform authoritative restore, create a new system state or critical-volume backup in the domain of the deletions. You can use this backup if you need to roll back your changes.
• Select objects as low as possible in the directory tree. When you are selecting objects to mark for authoritative restore, find the lowest possible container or set of objects to restore so that you do not roll back objects unnecessarily. For more information, see Performing Authoritative Restore of Active Directory Objects.
• Process the .ldf file after replication. After the authoritatively restored objects have replicated to all domain controllers in the domain, always use the Ldifde.exe tool to process the .ldf file that is generated by Ntdsutil. Even when memberships are being restored automatically by Ntdsutil for groups that use linked-value replication (LVR), processing the .ldf file ensures that memberships are retained when replicated. For more information about the effect of replication order on group memberships following authoritative restore, see Known Issues for Authoritative Restore.
Note
It is possible for the .ldf file to contain memberships in groups from which the restored security principal was removed before backup. For more information, see Known Issues for Authoritative Restore.
• Perform follow-up steps. After the authoritative restore procedure is complete, perform the following steps:
  a. Verify group memberships in the domain of the recovery domain controller and on a global catalog server in every other domain.
  b. Create a new system state or critical-volumes backup in the recovery domain.
  c. Notify users, administrators, and help desk administrators that they can resume making changes.
  d. Instruct help desk administrators to reset the passwords of restored user accounts and computer accounts whose domain passwords changed after the restored backup was created. A restored computer account that carries a stale password loses its secure channel to the domain until the password is reset or the computer is rejoined.

Restart the Domain Controller in Directory Services Restore Mode Locally
If you have physical access to a domain controller, you can restart the domain controller in Directory Services Restore Mode (DSRM) locally. Restarting in DSRM takes the domain controller offline. In this mode, the server functions as a member server, not as a domain controller. During installation of Active Directory Domain Services (AD DS), you set the Administrator password for logging on to the server in DSRM. When you start Windows Server 2008 in DSRM, you must log on by using this DSRM password for the local Administrator account.
Note
By default, you must start a domain controller in DSRM to log on by using the DSRM Administrator account. However, on domain controllers that are running Windows Server 2008, you can change this behavior by modifying the DSRMAdminLogonBehavior registry entry. By changing the value for this entry, you can configure a domain controller so that you can log on to it with the DSRM Administrator account if the domain controller was started normally but the AD DS service is stopped for some reason. Because the DSRM password is a local administrator credential on the domain controller that is not governed by domain password policy, treat it as you would a Domain Admins password, and audit changes to this registry entry. For more information about changing this registry entry, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide.
You can restart a domain controller in DSRM manually by pressing the F8 key during domain controller startup, which requires watching the startup and waiting for the appropriate point to press the key. This method is tedious and can waste time if you miss the brief window of opportunity for selecting the restart mode. On domain controllers that are running Windows Server 2008, tools are available that replace the Boot.ini file that earlier versions of Windows Server use to modify the boot configuration parameters and controls. You can use the Windows graphical user interface (GUI) or the command line to restart the domain controller in DSRM:
• Windows GUI: System Configuration (Msconfig.exe) is an administrative tool that you can use to configure boot and startup options, including restarting in DSRM and in normal mode.
• Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot configuration on a server that is running Windows Server 2008. You can use Bcdedit with shutdown commands to instruct the domain controller to restart in DSRM and to restart normally.
When you are finished managing a domain controller in DSRM, if you have used System Configuration or Bcdedit.exe to restart the domain controller in DSRM, you must change the configuration so that the domain controller restarts in normal mode.
Note
A benefit of using System Configuration or Bcdedit.exe to restart a domain controller into DSRM is that the domain controller cannot inadvertently be restarted into normal mode: the safe-boot setting persists across restarts until you clear it. This benefit is particularly useful when you are performing a nonauthoritative restore from backup followed by an authoritative restore.
You can also use System Configuration or Bcdedit.exe to restart a domain controller in DSRM remotely. To use System Configuration or Bcdedit.exe together with Remote Desktop Connection to restart a domain controller in DSRM remotely, see Restart the Domain Controller in Directory Services Restore Mode Remotely.
Membership in the Domain Admins group is the minimum required to complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM are required to log on to the domain controller in DSRM. Review the details about using the appropriate accounts and group memberships before you begin.
Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers.

28?

Restarting the domain controller in DSRM locally
You can use either of the following methods to restart the domain controller in DSRM.

To restart a domain controller in DSRM locally by using the Windows GUI
1. On the Start menu, point to Administrative Tools, and then click System Configuration.
2. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK.
3. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM.
4. Perform procedures in DSRM.
5. When you have finished performing procedures in DSRM, restart the domain controller normally:
   a. On the Start menu, point to Administrative Tools, and then click System Configuration.
   b. On the General tab, in Startup selection, click Normal startup, and then click OK. The domain controller restarts normally.

To restart a domain controller in DSRM locally by using the command line
1. On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, and then click OK.
2. At the command prompt, type the following command, and then press ENTER:

bcdedit /set safeboot dsrepair

3. At the command prompt, type the following command, and then press ENTER:

shutdown -t 0 -r

4. When you are still in DSRM and you are ready to restart in normal mode, open a command prompt, type the following command, and then press ENTER:

bcdedit /deletevalue safeboot

5. At the command prompt, type the following command, and then press ENTER:

shutdown -t 0 -r

Value                           Description
bcdedit /set safeboot dsrepair  Configures the boot process to start in DSRM.
shutdown -t 0 -r                Shuts down the server and restarts it.
bcdedit /deletevalue safeboot   Returns the boot process to the previous setting.

See Also
Restart the Domain Controller in Directory Services Restore Mode Remotely

Restart the Domain Controller in Directory Services Restore Mode Remotely
If you have remote access to a domain controller, you can restart the domain controller in Directory Services Restore Mode (DSRM) remotely. Remote access requires the user right to log on locally to a domain controller. Restarting in DSRM takes the domain controller offline. In this mode, the server functions as a member server, not as a domain controller. During installation of Active Directory Domain Services (AD DS), you set the Administrator password for logging on to the server in DSRM. When you start Windows Server 2008 in DSRM, you must log on by using this DSRM password for the local Administrator account.

Note
By default, you must start a domain controller in DSRM to log on by using the DSRM Administrator account. However, on domain controllers that are running Windows Server 2008, you can change this behavior by modifying the DSRMAdminLogonBehavior registry entry. By changing the value for this entry, you can configure a domain controller so that you can log on to it with the DSRM Administrator account if the domain controller was started normally but the AD DS service is stopped for some reason. For more information about changing this registry entry, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=88649).

On domain controllers that are running Windows Server 2008, tools are available that replace the Boot.ini file that is used in earlier versions of Windows Server to modify the boot configuration parameters and controls. You can use the Windows graphical user interface (GUI) or the command line to restart the domain controller in DSRM:
• Windows GUI: System Configuration (Msconfig.exe) is an administrative tool that you can use to configure boot and startup options, including restarting in DSRM and in normal mode.
• Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot configuration on a server that is running Windows Server 2008. You can use Bcdedit with shutdown commands to instruct the domain controller to restart in DSRM and to restart normally.


To restart the domain controller in DSRM remotely, you first use Remote Desktop Connection to connect to the domain controller while it is in normal startup mode. Remote Desktop Connection must be enabled on the target domain controller. After the domain controller has restarted, you can use Remote Desktop Connection to reconnect to the domain controller and then log on as the local Administrator, using the DSRM password. You can use this procedure to connect to a domain controller remotely, restart it in DSRM, and then reconnect to it as the DSRM administrator.

Membership in Domain Admins, or equivalent, is the minimum required to complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM and the user right to log on locally to a domain controller are required to log on to the domain controller in DSRM. Members of Account Operators, Administrators, Enterprise Admins, Domain Admins, Backup Operators, Print Operators, and Server Operators have the user right to log on locally to a domain controller by default. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. Logging on to an RODC with a domain administrative account places that account's credentials on a server that is assumed to be less secure, which can compromise the account and, through it, the domain. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92725).

To restart a domain controller in DSRM remotely by using the Windows GUI
1. Connect to the remote domain controller that is running in normal mode:
   a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection.
   b. In Computer, type the name of the domain controller that you want to restart, and then click Connect.
   c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK.
   d. When you are connected, log on to the domain controller as a domain administrator.
2. On the Start menu, point to Administrative Tools, and then click System Configuration.
3. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK.
4. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped.
5. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection.
6. The domain controller name should still be showing in Computer. If it is not, select it from the list, and then click Connect.
7. In the Windows Security dialog box, click Use another account.
8. In User name, type the following: MachineName\Administrator, where MachineName is the name of the domain controller.
9. In Password, type the DSRM password, and then click OK.
10. At the logon screen of the remote domain controller, click Switch User, and then click Other User.
11. Type MachineName\Administrator, and then press ENTER.
12. Perform procedures in DSRM.
13. When you have finished performing procedures in DSRM, restart the domain controller normally:
   a. On the Start menu, point to Administrative Tools, and then click System Configuration.
   b. On the General tab, in Startup selection, click Normal startup, and then click OK. The domain controller restarts normally. This procedure will disconnect your remote session.

To restart a domain controller in DSRM remotely by using the command line
1. Connect to the remote domain controller that is running in normal mode:
   a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection.
   b. In Computer, type the name of the domain controller that you want to restart, and then click Connect.
   c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK.
   d. When you are connected, log on to the domain controller as a domain administrator.
2. Open a command prompt. At the command prompt, type the following command, and then press ENTER:

bcdedit /set safeboot dsrepair

3. At the command prompt, type the following command, and then press ENTER:

shutdown -t 0 -r

   The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped.
4. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection.
5. The domain controller name should still be showing in Computer. If it is not, select it in the list, and then click Connect.
6. In the Windows Security dialog box, click Use another account.
7. In User name, type the following: MachineName\Administrator, where MachineName is the name of the domain controller.
8. In Password, type the DSRM password, and then click OK.
9. At the logon screen of the remote domain controller, click Switch User, and then click Other User.
10. Type MachineName\Administrator, and then press ENTER.
11. Perform procedures in DSRM.
12. When you have finished performing procedures in DSRM, restart the domain controller normally:
   a. In DSRM, open a command prompt, type the following command, and then press ENTER:

bcdedit /deletevalue safeboot

   b. At the command prompt, type the following command, and then press ENTER:

shutdown -t 0 -r

   The domain controller restarts normally. This procedure will disconnect your remote session.

Value                           Description
bcdedit /set safeboot dsrepair  Configures the boot process to start in DSRM.
shutdown -t 0 -r                Shuts down the server and restarts it.
bcdedit /deletevalue safeboot   Returns the boot process to the previous setting.
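The Bcdedit and shutdown steps of the local and the remote procedure, as an added PowerShell example that is not part of this guide. It reads the boot setting back before restarting and refuses to restart if the write did not take effect, and it reports the DsrmAdminLogonBehavior registry value (assumed to live under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) so that a relaxed DSRM logon setting is visible before the server goes offline. Run it in an elevated PowerShell session on the domain controller, locally or inside the Remote Desktop session; the {current} boot entry is assumed to be the one the server boots from, which is Bcdedit's default target.

```powershell
# Added example (not Microsoft's code): guarded DSRM restart via Bcdedit.
# Run elevated on the domain controller. Assumes the {current} BCD entry is
# the entry the server boots from, which is Bcdedit's default target.

function Get-SafebootSetting {
    # Returns the safeboot value of the {current} entry (e.g. 'DsRepair'),
    # or $null when the server is configured for a normal start.
    $enum = & bcdedit.exe /enum '{current}' 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /enum failed: $enum" }
    foreach ($line in $enum) {
        if ("$line" -match '^\s*safeboot\s+(\S+)') { return $Matches[1] }
    }
    return $null
}

function Get-DsrmAdminLogonBehavior {
    # 0 or absent: the DSRM Administrator can log on only when the DC was
    # started in DSRM (the default described in the Note above). Any other
    # value relaxes that, so report it explicitly. Registry location assumed.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $key -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.DsrmAdminLogonBehavior
}

function Enter-Dsrm {
    param([int]$DelaySeconds = 0, [switch]$NoRestart)
    if (-not (Get-Service -Name NTDS -ErrorAction SilentlyContinue)) {
        throw 'NTDS service not found; this host is not a domain controller.'
    }
    $before = Get-SafebootSetting
    if ($before) { Write-Warning "safeboot is already set to '$before'." }
    & bcdedit.exe /set '{current}' safeboot dsrepair | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit /set safeboot dsrepair failed.' }
    # Read the setting back before touching the power state.
    if ((Get-SafebootSetting) -ne 'DsRepair') {
        throw 'safeboot did not read back as DsRepair; not restarting.'
    }
    Write-Host ("Boot entry set to DSRM. DsrmAdminLogonBehavior = {0}" -f (Get-DsrmAdminLogonBehavior))
    if (-not $NoRestart) {
        & shutdown.exe /r /t $DelaySeconds /d p:4:1 /c 'Restart into DSRM for AD DS restore'
    }
}

function Exit-Dsrm {
    param([switch]$NoRestart)
    # Clear the flag and confirm it is gone; otherwise the next reboot
    # lands in DSRM again and the DC stays offline.
    & bcdedit.exe /deletevalue '{current}' safeboot 2>&1 | Out-Null
    if (Get-SafebootSetting) { throw 'safeboot is still present; not restarting.' }
    if (-not $NoRestart) { & shutdown.exe /r /t 0 /d p:4:1 /c 'Return to normal startup' }
}

# Usage: Enter-Dsrm            # restarts into DSRM once the checks pass
#        Enter-Dsrm -NoRestart # configure only; restart yourself later
#        Exit-Dsrm             # from inside DSRM, when the restore work is done
```

Exit-Dsrm is the step that is easiest to forget in the remote procedure, because the Remote Desktop session drops at every restart; calling it from inside DSRM, as step 12 of the command-line procedure does by hand, keeps the safeboot flag from surviving into the next reboot.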

See Also
Enable Remote Desktop
Create a Remote Desktop Connection
Restart the Domain Controller in Directory Services Restore Mode Locally


Restore AD DS from Backup (Nonauthoritative Restore)
Nonauthoritative restore from backup restores Active Directory Domain Services (AD DS) from its current state to the previous state of a backup. Use this procedure before you perform an authoritative restore procedure to recover objects that were deleted after the time of the backup. To restore AD DS from backup, use a system state or critical-volumes backup. To restore AD DS from backup, you must restart the domain controller in Directory Services Restore Mode (DSRM).

Note
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92725).

Be sure that you know the name and location of the version of the backup that you are restoring. Backup files are named for the date and time of the backup. When you restore the backup, the version must be stated in the form MM/DD/YYYY-HH:MM (month/day/year-hour:minute), which specifies the name of the backup that you want to restore. The Wbadmin.exe command-line tool does not require that you provide the target for the recovery. When you specify the backup version that you want to recover, the command recovers to the source location of that backup version. Because the restore writes whatever AD DS state the backup contains, restore only from a backup location that you trust and that has been protected from modification.

Note
The systemstaterecovery command in Wbadmin.exe causes a nonauthoritative restore of SYSVOL by default (only updates to SYSVOL since the time of the backup are replicated to the recovery domain controller). If you want to restore SYSVOL authoritatively (all of SYSVOL is replicated from the recovery domain controller to other domain controllers in the domain), specify the -authsysvol option in the command.

The Administrator password for DSRM is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. The server must be running in DSRM.

To perform a nonauthoritative restore of AD DS
1. At the Windows logon screen, click Switch User, and then click Other User.
2. Type .\administrator as the user name, type the DSRM password for the server, and then press ENTER.
3. Open a Command Prompt.
4. At the command prompt, type the following command, and then press ENTER:

wbadmin get versions -backuptarget:<targetDrive>: -machine:<BackupComputerName>

   Where:
   • <targetDrive>: is the location of the backup that you want to restore.
   • <BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was made.
5. Identify the backup version that you want to restore. You must enter this backup version exactly in the next step.
6. At the command prompt, type the following command, and then press ENTER:

wbadmin start systemstaterecovery -version:<MM/DD/YYYY-HH:MM> -backuptarget:<targetDrive>: -machine:<BackupComputerName> -quiet

   Where:
   • <MM/DD/YYYY-HH:MM> is the version of the backup that you want to restore.
   • <targetDrive>: is the volume that contains the backup.
   • <BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was taken.
   If you do not specify the -quiet parameter, you are prompted to press Y to proceed with the restore process and then press Y to confirm that the replication engine for SYSVOL has not changed since you created the backup. Omit -quiet the first time you run the restore so that you see both confirmations; the second one matters if SYSVOL replication has been migrated since the backup was taken.
   After the recovery operation is complete, if you are not going to perform an authoritative restore of any restored objects, restart the server.
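The Wbadmin steps above as an added PowerShell example, not code from this guide. It lists the version identifiers that Wbadmin reports, checks that the one you choose is a real MM/DD/YYYY-HH:MM timestamp before it is passed on, and builds the systemstaterecovery command for review rather than running it. Run it elevated while the domain controller is in DSRM; the drive E:, the computer name DC01 and the function names are placeholders of this example.

```powershell
# Added example (not Microsoft's code): pick and validate a Wbadmin backup
# version, then build the recovery command so it can be reviewed first.

function ConvertFrom-WbadminVersions {
    param([Parameter(Mandatory=$true)][string[]]$Output)
    # Extracts every "Version identifier: MM/DD/YYYY-HH:MM" line. Kept apart
    # from the wbadmin call so it can be run on captured text.
    $versions = @()
    foreach ($line in $Output) {
        if ($line -match 'Version identifier:\s*(\d{2}/\d{2}/\d{4}-\d{2}:\d{2})') {
            $versions += $Matches[1]
        }
    }
    return $versions
}

function Get-WbadminVersions {
    param([Parameter(Mandatory=$true)][string]$BackupTarget, [string]$MachineName)
    $argList = @('get', 'versions', "-backuptarget:$BackupTarget")
    if ($MachineName) { $argList += "-machine:$MachineName" }
    $out = & wbadmin.exe @argList 2>&1
    if ($LASTEXITCODE -ne 0) { throw "wbadmin get versions failed: $out" }
    return (ConvertFrom-WbadminVersions -Output @($out | ForEach-Object { "$_" }))
}

function Test-WbadminVersion {
    param([Parameter(Mandatory=$true)][string]$Version)
    # Wbadmin needs the identifier exactly as listed; also reject impossible
    # dates such as 13/45/2008-99:00 that the pattern alone would accept.
    if ($Version -notmatch '^\d{2}/\d{2}/\d{4}-\d{2}:\d{2}$') { return $false }
    try {
        [void][datetime]::ParseExact($Version, 'MM/dd/yyyy-HH:mm', [System.Globalization.CultureInfo]::InvariantCulture)
        return $true
    } catch { return $false }
}

function New-SystemStateRecoveryCommand {
    param(
        [Parameter(Mandatory=$true)][string]$Version,
        [Parameter(Mandatory=$true)][string]$BackupTarget,
        [string]$MachineName,
        [switch]$AuthoritativeSysvol,   # adds -authsysvol (see the Note above)
        [switch]$Quiet                  # adds -quiet; omit to keep the Y/N prompts
    )
    if (-not (Test-WbadminVersion -Version $Version)) {
        throw "'$Version' is not a valid MM/DD/YYYY-HH:MM version identifier."
    }
    $cmd = "wbadmin start systemstaterecovery -version:$Version -backuptarget:$BackupTarget"
    if ($MachineName)         { $cmd += " -machine:$MachineName" }
    if ($AuthoritativeSysvol) { $cmd += ' -authsysvol' }
    if ($Quiet)               { $cmd += ' -quiet' }
    return $cmd
}

# Usage with placeholder values:
#   $versions = Get-WbadminVersions -BackupTarget 'E:' -MachineName 'DC01'
#   $versions                          # choose the one you intend to restore
#   New-SystemStateRecoveryCommand -Version $versions[-1] -BackupTarget 'E:' -MachineName 'DC01'
# Copy the printed command into the DSRM command prompt once you have checked
# that the version, target and machine name are the ones you expect.
```

Keeping the command as text rather than executing it from the script is deliberate: the restore is not reversible, and the version string, target and machine name are exactly the three things the procedure asks you to confirm by eye.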

Additional references
• Restart the Domain Controller in Directory Services Restore Mode Locally
• Enable Remote Desktop
• Create a Remote Desktop Connection
• Restart the Domain Controller in Directory Services Restore Mode Remotely
• Performing Authoritative Restore of Active Directory Objects

Mark an Object or Objects as Authoritative
You can use this procedure to mark Active Directory objects as authoritative when you perform an authoritative restore. In this procedure, you use the ntdsutil command to select objects that are to be marked authoritative when they replicate to other domain controllers. This procedure has the following preliminary requirements:

• You must know the full distinguished name of the object or objects that you want to restore.
• If the deletions that you are recovering have replicated to the recovery domain controller, you must have completed a nonauthoritative restore procedure, after which you did not restart the domain controller and it remains in Directory Services Restore Mode (DSRM).
• If the deletions that you are recovering have not replicated to the recovery domain controller, you can perform this procedure in normal mode with Active Directory Domain Services (AD DS) stopped.

The Ntdsutil functionality that is described in this procedure is available on domain controllers that are running Windows Server 2008. To perform authoritative restore on a domain controller that is running a version of Windows Server 2003, see Performing an Authoritative Restore of Active Directory Objects (http://go.microsoft.com/fwlink/?LinkId=44194).

Note
If you are able to stop inbound replication on a global catalog server or other domain controller in the domain before it has received the deletion that you want to restore, you can skip the nonauthoritative restore process.

Perform this procedure to recover deleted objects in the domain and to restore back-links for those objects in this domain. If you are running the authoritative restore procedure on a global catalog server, back-links for objects in other domains are also updated if the forward link is stored in the global catalog. For example, the values for the back-link attribute memberOf are restored in this procedure if the forward link member is stored in the global catalog or in the domain directory partition. In the case of domain local groups, the member attribute is not stored in the global catalog, and it is not stored in the recovery domain if the group exists in a different domain. In this case, you must perform additional steps to recover domain local group memberships of restored security principals. These steps are described in Create an LDIF File for Recovering Back-Links for Authoritatively Restored Objects.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To mark a subtree or individual object authoritative
1. In DSRM, click Start, click Run, type ntdsutil, and then press ENTER.
2. At the ntdsutil: prompt, type authoritative restore, and then press ENTER.
3. To restore a subtree or individual object, type one of the following commands, as appropriate, and then press ENTER:
   To restore a subtree (for example, an organizational unit (OU) and all child objects):

restore subtree <DistinguishedName>

   To restore a single object:

restore object <DistinguishedName>

   Where <DistinguishedName> is the distinguished name of the subtree or object that is to be marked authoritative.
4. Click Yes in the message box to confirm the command.
   For example, if you want to restore a deleted OU named Marketing NorthAm in the corp.contoso.com domain, type:

restore subtree "OU=Marketing NorthAm,DC=corp,DC=contoso,DC=com"

   (Always enclose the distinguished name in quotes when there is a space or other special character within the distinguished name.)
   Ntdsutil attempts to mark the object as authoritative. The output message indicates the status of the operation. The most common cause of failure is an incorrectly specified distinguished name or a backup in which the distinguished name does not exist. (This occurs if you try to restore a deleted object that was created after the backup.)
   The following sample output shows that Ntdsutil created a text file (.txt) and an LDAP Data Interchange Format (LDIF) (.ldf) file when the marked object was found to have back-links:

Successfully updated 1 records.

The following text file with a list of authoritatively restored objects has been created in the current working directory: ar_20080609-174604_objects.txt

One or more specified objects have back-links in this domain. The following LDIF files with link restore operations have been created in the current working directory: ar_20080609-174604_links_Corp.Contoso.com.ldf

Authoritative Restore completed successfully.

5. Make a note of the location of the .txt and .ldf files, if any. We recommend that you use the .ldf file to restore back-links in this domain, even if restored objects are members of groups that were created before linked-value replication (LVR) was in effect. However, in all cases where any of the restored objects listed in the .txt file has memberships in groups in a different domain, you must use the .txt file to generate an .ldf file to restore back-links in those domains. If you have other domains in which you want to restore back-links for this restored object, make a copy of this .txt file to use on a domain controller in each additional domain.
6. At the authoritative restore: and ntdsutil: prompts, type quit, and then press ENTER.
7. Restart the domain controller in normal operating mode.

Additional references
• Run an LDIF File to Recover Back-Links

Turn Off Inbound Replication
You can use this procedure and the repadmin command to turn off inbound replication so that Active Directory objects on a domain controller cannot be updated by replication from another domain controller. You manage the inbound replication state by setting a repadmin option that changes the value of DISABLE_INBOUND_REPL. You change the state by using a plus sign (+) to enable the disabled state (turn off inbound replication) and a minus sign (-) to disable (reverse) the disabled state (turn on inbound replication). When you apply the option, the command output confirms only that the DISABLE_INBOUND_REPL option is either new or current. It does not indicate "on" or "off."

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To turn off inbound replication
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if requested, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:

repadmin /options <ServerName> +DISABLE_INBOUND_REPL

   where <ServerName> is the NetBIOS name of the domain controller.
3. Verify that the DISABLE_INBOUND_REPL option is in effect. The following message should appear:

Current DSA Options: <whatever options are set>
New DSA Options: DISABLE_INBOUND_REPL

   Current DSA Options displays the conditions that were in effect at the time that you ran the command. New DSA Options shows the effect of the command, which is that the DISABLE_INBOUND_REPL option is now in effect.

Additional references
• Turn on Inbound Replication


Synchronize Replication with All Partners
You can use this procedure to synchronize replication with all replication partners of a domain controller.

Membership in Enterprise Admins in the forest or Domain Admins in the forest root domain, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To synchronize replication with all partners
1. At a command prompt, type the following command, and then press ENTER:

repadmin /syncall <DomainControllerName> /e /d /A /P /q

Value                      Description
repadmin /syncall          Synchronizes a specified domain controller with all replication partners.
<DomainControllerName>     The Domain Name System (DNS) name of the domain controller on which you want to synchronize replication with all partners.
/e                         Enterprise; includes partners in all sites.
/d                         Identifies servers by their distinguished names in messages.
/A                         All; synchronizes all directory partitions that are held on the home server.
/P                         Pushes changes outward from the home server.
/q                         Runs in quiet mode; suppresses callback messages.

2. Check for replication errors in the output of the command in the previous step. If there are no errors, replication is successful. For replication to complete, any errors must be corrected.

See Also
Verify Successful Replication to a Domain Controller


Run an LDIF File to Recover Back-Links
When you perform an authoritative restore on a domain controller that is running Windows Server 2008, Windows Server 2003 R2, Windows Server 2003 with Service Pack 1 (SP1), or Windows Server 2003 with Service Pack 2 (SP2), the output of the authoritative restore procedure includes an LDAP Data Interchange Format (LDIF) (.ldf) file. This .ldf file contains information about the forward links that are required so that the group memberships (back-links) of any restored user, group, or computer objects in Active Directory Domain Services (AD DS) can be recovered in the domain in which the deletions occurred. You can use this procedure to run an .ldf file to recover back-links for Active Directory objects.

Restore group memberships in the domain of the deletions
For each object or subtree that you authoritatively restore, run the .ldf file on the restored domain controller to recover group memberships in the domain of the deletions.

Restore group memberships in other domains
To recover group memberships in other domains in the forest, you must first generate an .ldf file in that domain, as described in Create an LDIF File for Recovering Back-Links for Authoritatively Restored Objects. Then, use this procedure in the respective domain to recover back-links. When you recover group memberships in domains other than the domain of the deletions, you first perform a nonauthoritative restore of the domain controller to return AD DS to a state in which it contained the deleted memberships, and then you use the .txt file to generate the .ldf file. The domain controller that you restore from backup has old data until it has finished replicating from another domain controller in the domain. If you add users to groups on the restored computer before it is up to date, you might lose some of the changes that you make when this domain controller is updated through inbound replication. For this reason, run the .ldf file on a different, up-to-date domain controller in the same domain.

Note
This procedure is critical for recovering group memberships for deleted users, groups, or computers, but it applies to any restored objects that have back-link attributes.

This procedure explains how to use the Ldifde tool and an .ldf file to recover back-links for authoritatively restored objects in a single domain. Perform this procedure on an up-to-date domain controller in the domain of the group or groups whose memberships you are recovering.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To run an .ldf file to recover back-links after authoritative restore
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. Change directories, if necessary, to the directory of the .ldf file and its respective log files.
2. At the command prompt, type the following command, and then press ENTER:

ldifde -i -k -f <FileName>

   Where <FileName> is the name of the .ldf file that you want to run, for example, ar_20080609-174604_links_corp.contoso.com.ldf.
   The -k option tells Ldifde to continue past errors such as "object already exists" or constraint violations instead of stopping at the first one, so check the ldif.log and ldif.err files that Ldifde writes to the current directory after the import to see which entries, if any, were not applied.
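Before you run Ldifde on the .ldf file, it is worth seeing exactly what the import will do: with -k the import continues past errors, and the file sits in whatever directory Ntdsutil was run from, where it could have been edited between the marking step (Mark an Object or Objects as Authoritative, above) and this one. The PowerShell below is an added example, not part of this guide. It pulls the record count and file names out of Ntdsutil's output and lists every group/member pair the .ldf would add, flagging built-in privileged groups. The Ntdsutil text and the .ldf content it parses are constructed samples in the shape the procedures describe (changetype: modify with add: member), not output captured from a real run; the group and user names are placeholders.

```powershell
# Added example (not Microsoft's code): inspect the authoritative-restore
# artifacts before running "ldifde -i -k -f <FileName>".

# Constructed sample of the Ntdsutil message shown in the marking procedure.
$SampleNtdsutilOutput = @'
Successfully updated 1 records.
The following text file with a list of authoritatively restored objects has been created in the current working directory: ar_20080609-174604_objects.txt
One or more specified objects have back-links in this domain. The following LDIF files with link restore operations have been created in the current working directory: ar_20080609-174604_links_Corp.Contoso.com.ldf
Authoritative Restore completed successfully.
'@

function Get-AuthoritativeRestoreArtifacts {
    param([Parameter(Mandatory=$true)][string]$Output)
    # Returns the updated-record count and the .txt/.ldf names Ntdsutil reported.
    $r = @{ Updated = 0; ObjectsFile = $null; LdifFiles = @(); Succeeded = $false }
    foreach ($line in ($Output -split "`r?`n")) {
        if ($line -match 'Successfully updated (\d+) records') { $r.Updated = [int]$Matches[1] }
        if ($line -match '(\S+_objects\.txt)')                  { $r.ObjectsFile = $Matches[1] }
        if ($line -match '(\S+_links_\S+\.ldf)')                { $r.LdifFiles += $Matches[1] }
        if ($line -match 'completed successfully')               { $r.Succeeded = $true }
    }
    return New-Object psobject -Property $r
}

# Built-in groups whose membership changes deserve a second look.
$PrivilegedGroupCns = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                        'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators')

function Get-LdifMemberChanges {
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    # Walks LDIF records (blank line = record boundary, "-" = attribute
    # boundary) and returns one object per group/member pair an import would
    # add. Ntdsutil is expected to emit only "changetype: modify" with
    # "add: member"; anything else is marked Unexpected.
    $changes = @(); $dn = $null; $changetype = $null; $attr = $null
    foreach ($raw in ($Lines + '')) {
        $line = $raw.TrimEnd()
        if ($line -eq '') { $dn = $null; $changetype = $null; $attr = $null; continue }
        if ($line -eq '-') { $attr = $null; continue }
        if ($line -match '^dn:\s*(.+)$')                   { $dn = $Matches[1]; continue }
        if ($line -match '^changetype:\s*(\S+)')           { $changetype = $Matches[1]; continue }
        if ($line -match '^(add|replace|delete):\s*(\S+)') { $attr = "$($Matches[1]):$($Matches[2])"; continue }
        if ($dn -and $line -match '^member:\s*(.+)$') {
            $member = $Matches[1]
            $cn = $dn
            if ($dn -match '^CN=([^,]+)') { $cn = $Matches[1] }
            $changes += New-Object psobject -Property @{
                Group      = $dn
                Member     = $member
                Operation  = "$changetype/$attr"
                Unexpected = ($changetype -ne 'modify' -or $attr -ne 'add:member')
                Privileged = ($PrivilegedGroupCns -contains $cn)
            }
        }
    }
    return $changes
}

# Constructed .ldf sample: one ordinary group and one privileged group.
$SampleLdifText = @'
dn: CN=Marketing Reviewers,OU=Groups,DC=corp,DC=contoso,DC=com
changetype: modify
add: member
member: CN=Jane Doe,OU=Marketing NorthAm,DC=corp,DC=contoso,DC=com
-

dn: CN=Domain Admins,CN=Users,DC=corp,DC=contoso,DC=com
changetype: modify
add: member
member: CN=Jane Doe,OU=Marketing NorthAm,DC=corp,DC=contoso,DC=com
-
'@
$SampleLdif = $SampleLdifText -split "`r?`n"

$artifacts = Get-AuthoritativeRestoreArtifacts -Output $SampleNtdsutilOutput
"Ntdsutil updated $($artifacts.Updated) record(s); LDIF file(s): $($artifacts.LdifFiles -join ', ')"
# On a real run replace $SampleLdif with: Get-Content $artifacts.LdifFiles[0]
$changes = Get-LdifMemberChanges -Lines $SampleLdif
$changes | Format-Table Group, Member, Operation, Privileged, Unexpected -AutoSize
if ($changes | Where-Object { $_.Privileged -or $_.Unexpected }) {
    Write-Warning 'Flagged entries above: confirm each is expected before importing with ldifde.'
}
```

On the constructed sample the second record is flagged because it adds the restored user to Domain Admins. A restored object can legitimately have been a member of a privileged group, so a flag is a prompt to compare against the pre-deletion membership, not a reason to drop the line; what you are guarding against is a line that was never produced by Ntdsutil.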

Additional references
• Create an LDIF File for Recovering Back-Links for Authoritatively Restored Objects

Turn on Inbound Replication
You can use the repadmin command-line tool in this procedure to turn on inbound Active Directory replication after it has been turned off manually. You manage the inbound replication state by setting a repadmin option that changes the value of DISABLE_INBOUND_REPL. You change the state by using a plus sign (+) to enable the disabled state (turn off inbound replication) and a minus sign (-) to disable (reverse) the disabled state (turn on inbound replication). When you apply the option, the command output confirms only that the DISABLE_INBOUND_REPL option is either new or current. It does not indicate "on" or "off."

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To turn on inbound replication
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if requested, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:

repadmin /options <ServerName> -DISABLE_INBOUND_REPL

   Where <ServerName> is the NetBIOS name of the domain controller.
3. Verify that the DISABLE_INBOUND_REPL option is not in effect. The following message should appear:

Current DSA Options: DISABLE_INBOUND_REPL
New DSA Options: <none>

   Current DSA Options displays the conditions that were in effect at the time that you ran the command. New DSA Options shows the effect of the command, which is that the DISABLE_INBOUND_REPL option is not in effect (it does not appear).
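An added PowerShell example, not part of this guide, that wraps the repadmin commands of Turn Off Inbound Replication, Turn on Inbound Replication and Synchronize Replication with All Partners. Because the New DSA Options line only echoes the option that changed, the state is read back with a separate repadmin /options call, and the syncall output is scanned for error lines rather than relying on an exit code. Run it as a Domain Admin (Enterprise Admins when /syncall /e spans the forest) with repadmin in the path; DC01 is a placeholder server name.

```powershell
# Added example (not Microsoft's code): verified wrappers for repadmin
# /options and /syncall. Placeholder server name: DC01.

function Get-DsaOptions {
    param([Parameter(Mandatory=$true)][string]$Server)
    # "repadmin /options <dc>" with no +/- argument only prints the
    # "Current DSA Options:" line; return its options as a string array.
    $out = & repadmin.exe /options $Server 2>&1
    foreach ($line in $out) {
        if ("$line" -match '^Current DSA Options:\s*(.*)$') {
            return @($Matches[1].Trim() -split '\s+' | Where-Object { $_ -ne '' })
        }
    }
    throw "Could not read DSA options from ${Server}: $out"
}

function Test-InboundReplicationDisabled {
    param([Parameter(Mandatory=$true)][string]$Server)
    return ((Get-DsaOptions -Server $Server) -contains 'DISABLE_INBOUND_REPL')
}

function Set-InboundReplication {
    param([Parameter(Mandatory=$true)][string]$Server,
          [Parameter(Mandatory=$true)][bool]$Enabled)
    # "+DISABLE_INBOUND_REPL" turns inbound replication off,
    # "-DISABLE_INBOUND_REPL" turns it back on, exactly as in the procedures.
    $flag = '+DISABLE_INBOUND_REPL'
    if ($Enabled) { $flag = '-DISABLE_INBOUND_REPL' }
    & repadmin.exe /options $Server $flag | Out-Null
    # Verify by reading the state back, not by trusting "New DSA Options".
    $disabled = Test-InboundReplicationDisabled -Server $Server
    if ($disabled -eq $Enabled) {
        throw "Inbound replication on $Server is not in the requested state (disabled=$disabled)."
    }
    return (-not $disabled)
}

function Invoke-SyncAll {
    param([Parameter(Mandatory=$true)][string]$Server)
    # /e /d /A /P /q as in the procedure; /q suppresses progress callbacks but
    # error lines are still printed, so scan for them as the text instructs.
    $out = @(& repadmin.exe /syncall $Server /e /d /A /P /q 2>&1 | ForEach-Object { "$_" })
    $exit = $LASTEXITCODE
    $errors = @($out | Where-Object { $_ -match 'error|fail' })
    return New-Object psobject -Property @{
        Succeeded = ($errors.Count -eq 0 -and $exit -eq 0)
        Errors    = $errors
        Output    = $out
    }
}

# Usage around an authoritative restore:
#   Set-InboundReplication -Server DC01 -Enabled $false   # freeze before the restore
#   ...restore and mark objects authoritative...
#   Set-InboundReplication -Server DC01 -Enabled $true
#   $r = Invoke-SyncAll -Server DC01
#   if (-not $r.Succeeded) { $r.Errors }
```

Set-InboundReplication throws if the read-back state does not match what was requested, which is the check step 3 of each procedure performs by eye; a domain controller left with DISABLE_INBOUND_REPL set will silently drift from the rest of the domain.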

Additional references
• Turn Off Inbound Replication

Create an LDIF File for Recovering Back-Links for Authoritatively Restored Objects
When you perform an authoritative restore in a domain where deletions of Active Directory objects occurred, the Ntdsutil tool generates a text (.txt) file that identifies the objects that have been restored. You can use this .txt file to generate an LDAP Data Interchange Format (LDIF) file (.ldf) in other domains that might have back-links from the restored objects. This procedure generates the .ldf file that you need to recover back-links in this domain. Perform this procedure on a domain controller in the domain that might have the back-links. After you complete this procedure, you must use the Ldifde tool to run the .ldf file on a domain controller in the same domain, as described in Run an LDIF File to Recover Back-Links.

Note
To ensure that current group objects are updated, run the .ldf file on a domain controller other than the domain controller that you use to generate the .ldf file.

Before you perform this procedure, you must:
• Copy the .txt file that Ntdsutil created during the authoritative restore procedure, which you performed on the first domain controller, to a location on this domain controller or a network share.
• Restore this domain controller from backup. After you restore this domain controller from backup, perform this procedure while the domain controller is still running in Directory Services Restore Mode (DSRM).

To perform this procedure, you must provide the Administrator password for DSRM.

To create an .ldf file for restoring back-links for authoritatively restored objects
1. In DSRM, click Start, click Run, type ntdsutil, and then press ENTER.
2. At the ntdsutil: prompt, type authoritative restore, and then press ENTER.
3. At the authoritative restore: prompt, type the following command, and then press ENTER:

create ldif files from <TextFilePath>

   Where <TextFilePath> is the location and file name of the .txt file that Ntdsutil created during the initial authoritative restore of the object whose back-links you want to restore, for example, d:\ldif\ar_20080609_091555_objects.txt. Ntdsutil displays a message stating that one or more specified objects have back-links in this domain and that an .ldf file has been created in the current working directory.
4. At the authoritative restore: and ntdsutil: prompts, type quit.

Additional references
• Restore AD DS from Backup (Nonauthoritative Restore)
• Run an LDIF File to Recover Back-Links

Performing Authoritative Restore of an Application Directory Partition
A restore of an application directory partition marks all data that is present in the partition as authoritative for the replica set. The information that an application directory partition contains replicates to all domain controllers in the forest that were previously present in the replica set. You should have a current, valid backup of the application directory partition before you begin the authoritative restore, in case particular object changes are lost because of changes since the backup was created. If you deleted an entire application directory partition, you must perform the restore procedure on the domain naming operations master role holder. Before you perform the procedures in this task, back up the domain controller that you are restoring. For information about creating backups, see Backing Up Active Directory Domain Services.

Task requirements
The following tools are required to perform the procedures for this task:
• Remote Desktop Connection (optional)
• Bcdedit.exe (optional)
• Ntdsutil.exe

To complete this task, perform the following procedures:
1. Restart the domain controller in Directory Services Restore Mode (DSRM), as follows: Restart the Domain Controller in Directory Services Restore Mode Locally or Restart the Domain Controller in Directory Services Restore Mode Remotely.
2. Restore AD DS from Backup (Nonauthoritative Restore). Do not restart the domain controller.
3. Mark an application directory partition as authoritative.
4. Restart the domain controller normally.


Restart the Domain Controller in Directory Services Restore Mode Remotely

If you have remote access to a domain controller, you can restart the domain controller in Directory Services Restore Mode (DSRM) remotely. Remote access requires the user right to log on locally to a domain controller. Restarting in DSRM takes the domain controller offline. In this mode, the server is functioning as a member server, not as a domain controller. During installation of Active Directory Domain Services (AD DS), you set the Administrator password for logging on to the server in DSRM. When you start Windows Server 2008 in DSRM, you must log on by using this DSRM password for the local Administrator account.

Note
By default, you must start a domain controller in DSRM to log on by using the DSRM Administrator account. However, on domain controllers that are running Windows Server 2008, you can change this behavior by modifying the DSRMAdminLogonBehavior registry entry. By changing the value for this entry, you can configure a domain controller so that you can log on to it with the DSRM Administrator account if the domain controller was started normally but the AD DS service is stopped for some reason. For more information about changing this registry entry, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=85649).

On domain controllers that are running Windows Server 2008, tools are available that replace the Boot.ini file that is used in earlier versions of Windows Server to modify the boot configuration parameters and controls. You can use the Windows graphical user interface (GUI) or the command line to restart the domain controller in DSRM:
• Windows GUI: System Configuration (Msconfig.exe) is an administrative tool that you can use to configure boot and startup options, including restarting in DSRM and in normal mode.
• Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot configuration on a server that is running Windows Server 2008. You can use Bcdedit with shutdown commands to instruct the domain controller to restart in DSRM and to restart normally.

To restart the domain controller in DSRM remotely, you first use Remote Desktop Connection to connect to the domain controller while it is in normal startup mode. Remote Desktop Connection must be enabled on the target domain controller. After the domain controller has restarted, you can use Remote Desktop Connection to reconnect to the domain controller and then log on as the local Administrator, using the DSRM password. You can use this procedure to connect to a domain controller remotely, restart it in DSRM, and then reconnect to it as the DSRM administrator.

Membership in Domain Admins, or equivalent, is the minimum required to complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM and the user right to log on locally to a domain controller are required to log on to the domain controller in DSRM. Members of Account Operators, Administrators, Enterprise Admins, Domain Admins, Backup Operators, Print Operators, and Server Operators have the user right to log on locally to a domain controller by default. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. Logging on to an RODC with a domain administrative account exposes those credentials on a server that is typically deployed in a less protected location than a writable domain controller. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).

To restart a domain controller in DSRM remotely by using the Windows GUI
1. Connect to the remote domain controller that is running in normal mode:
a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection.
b. In Computer, type the name of the domain controller that you want to restart, and then click Connect.
c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK.
d. When you are connected, log on to the domain controller as a domain administrator.
2. On the Start menu, point to Administrative Tools, and then click System Configuration.
3. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK.
4. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped.
5. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection.
6. The domain controller name should still be showing in Computer. If it is not, select it from the list, and then click Connect.
7. In the Windows Security dialog box, click Use another account.
8. In User name, type the following: MachineName\Administrator
Where MachineName is the name of the domain controller.
9. In Password, type the DSRM password, and then click OK.
10. At the logon screen of the remote domain controller, click Switch User, and then click Other User.
11. Type MachineName\Administrator, and then press ENTER.
12. Perform procedures in DSRM.
13. When you have finished performing procedures in DSRM, restart the domain controller normally:
a. On the Start menu, point to Administrative Tools, and then click System Configuration.
b. On the General tab, in Startup selection, click Normal startup, and then click OK. The domain controller restarts normally. This procedure will disconnect your remote session.

To restart a domain controller in DSRM remotely by using the command line
1. Connect to the remote domain controller that is running in normal mode:
a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection.
b. In Computer, type the name of the domain controller that you want to restart, and then click Connect.
c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK.
d. When you are connected, log on to the domain controller as a domain administrator.
2. Open a command prompt. At the command prompt, type the following command, and then press ENTER:
bcdedit /set safeboot dsrepair
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped.
4. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection.
5. The domain controller name should still be showing in Computer. If it is not, select it in the list, and then click Connect.
6. In the Windows Security dialog box, click Use another account.
7. In User name, type the following: MachineName\Administrator
Where MachineName is the name of the domain controller.
8. In Password, type the DSRM password, and then click OK.
9. At the logon screen of the remote domain controller, click Switch User, and then click Other User.
10. Type MachineName\Administrator, and then press ENTER.
11. Perform procedures in DSRM.
12. When you have finished performing procedures in DSRM, restart the domain controller normally:
a. In DSRM, open a command prompt, type the following command, and then press ENTER:
bcdedit /deletevalue safeboot
b. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
The domain controller restarts normally. This procedure will disconnect your remote session.

Value                            Description
bcdedit /set safeboot dsrepair   Configures the boot process to start in DSRM.
shutdown -t 0 -r                 Shuts down the server and restarts it.
bcdedit /deletevalue safeboot    Returns the boot process to the previous setting.

See Also
Enable Remote Desktop
Create a Remote Desktop Connection
Restart the Domain Controller in Directory Services Restore Mode Locally

Restart the Domain Controller in Directory Services Restore Mode Locally

If you have physical access to a domain controller, you can restart the domain controller in Directory Services Restore Mode (DSRM) locally. Restarting in DSRM takes the domain controller offline. In this mode, the server is functioning as a member server, not as a domain controller. During installation of Active Directory Domain Services (AD DS), you set the Administrator password for logging on to the server in DSRM. When you start Windows Server 2008 in DSRM, you must log on by using this DSRM password for the local Administrator account.

Note
By default, you must start a domain controller in DSRM to log on by using the DSRM Administrator account. However, on domain controllers that are running Windows Server 2008, you can change this behavior by modifying the DSRMAdminLogonBehavior registry entry. By changing the value for this entry, you can configure a domain controller so that you can log on to it with the DSRM Administrator account if the domain controller was started normally but the AD DS service is stopped for some reason. For more information about changing this registry entry, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=85649).

You can restart a domain controller in DSRM manually by pressing the F8 key during domain controller startup, which requires watching the startup and waiting for the appropriate point in the startup to press the key. This method is tedious and can waste time if you miss the brief window of opportunity for selecting the restart mode.

On domain controllers that are running Windows Server 2008, tools are available that replace the Boot.ini file that is used in earlier versions of Windows Server to modify the boot configuration parameters and controls. You can use the Windows graphical user interface (GUI) or the command line to restart the domain controller in DSRM:
• Windows GUI: System Configuration (Msconfig.exe) is an administrative tool that you can use to configure boot and startup options, including restarting in DSRM and in normal mode.
• Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot configuration on a server that is running Windows Server 2008. You can use Bcdedit with shutdown commands to instruct the domain controller to restart in DSRM and to restart normally.

When you are finished managing a domain controller in DSRM, if you have used System Configuration or Bcdedit.exe to restart the domain controller in DSRM, you must change the configuration so that the domain controller restarts in normal mode.

Note
A benefit of using System Configuration or Bcdedit.exe to restart a domain controller into DSRM is that the safe-boot setting persists across restarts, so the domain controller cannot inadvertently be restarted in normal mode before you have finished. This benefit is particularly useful when you are performing a nonauthoritative restore from backup followed by an authoritative restore, because a normal restart between the two steps would let replication overwrite the restored data before you mark it authoritative.

You can also use System Configuration or Bcdedit.exe to restart a domain controller in DSRM remotely. To use System Configuration or Bcdedit.exe and Remote Desktop Connection to restart a domain controller in DSRM remotely, see Restart the Domain Controller in Directory Services Restore Mode Remotely.

Membership in the Domain Admins group is the minimum required to complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM are required to log on to the domain controller in DSRM. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).

Restarting the domain controller in DSRM locally
You can use either of the following methods to restart the domain controller in DSRM:

To restart a domain controller in DSRM locally by using the Windows GUI
1. On the Start menu, point to Administrative Tools, and then click System Configuration.
2. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK.
3. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM.
4. Perform procedures in DSRM.
5. When you have finished performing procedures in DSRM, restart the domain controller normally:
a. On the Start menu, point to Administrative Tools, and then click System Configuration.
b. On the General tab, in Startup selection, click Normal startup, and then click OK. The domain controller restarts normally.

To restart a domain controller in DSRM locally by using the command line
1. Click Start, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, and then click OK.
2. At the command prompt, type the following command, and then press ENTER:
bcdedit /set safeboot dsrepair
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
4. When you are still in DSRM and you are ready to restart in normal mode, open a command prompt, type the following command, and then press ENTER:
bcdedit /deletevalue safeboot
5. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r

Value                            Description
bcdedit /set safeboot dsrepair   Configures the boot process to start in DSRM.
shutdown -t 0 -r                 Shuts down the server and restarts it.
bcdedit /deletevalue safeboot    Returns the boot process to the previous setting.
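The bcdedit and shutdown steps of both the remote and the local command-line procedures, as an added example that is not part of the Operations Guide. The point it adds is the check the procedures omit: read the boot entry back with bcdedit /enum and refuse to restart unless the safeboot value is really what you intend, so a mistyped command cannot leave the domain controller looping into DSRM or, worse, coming back in normal mode halfway through a restore. The function names are hypothetical; the remote variant assumes PowerShell remoting (WinRM) to the domain controller and RPC access for shutdown.exe /m, neither of which the guide covers (it uses Remote Desktop).

```powershell
# Added example (not from the Operations Guide): set, verify and clear the DSRM safe-boot
# flag with the same bcdedit/shutdown commands the procedures use.
# Assumptions: elevated PowerShell as a Domain Admin; "{current}" is the entry the DC boots
# from; for -ComputerName, WinRM and RPC to the DC are enabled (not stated in the guide).

function Get-SafebootValue {
    param([string]$ComputerName)
    # Returns the safeboot option of the current boot entry (e.g. 'DsRepair') or $null.
    # Braces must be quoted in PowerShell or they start a script block.
    $block = { & bcdedit.exe /enum '{current}' 2>&1 }
    $lines = if ($ComputerName) { Invoke-Command -ComputerName $ComputerName -ScriptBlock $block }
             else               { & $block }
    foreach ($line in $lines) {
        if ($line -match '^\s*safeboot\s+(\S+)\s*$') { return $Matches[1] }
    }
    return $null
}

function Invoke-Bcdedit {
    param([string]$ComputerName, [string[]]$BcdArgs)
    if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ArgumentList (,$BcdArgs) `
            -ScriptBlock { param($a) & bcdedit.exe @a }
    } else {
        & bcdedit.exe @BcdArgs
    }
}

function Restart-Target {
    param([string]$ComputerName)
    # Same command as the procedure (shutdown -t 0 -r); /m addresses a remote machine.
    if ($ComputerName) { & shutdown.exe -r -t 0 -m "\\$ComputerName" } else { & shutdown.exe -r -t 0 }
}

function Enter-Dsrm {
    param([string]$ComputerName)   # omit for the local procedure
    # bcdedit /set safeboot dsrepair, then confirm bcdedit recorded it before rebooting.
    Invoke-Bcdedit -ComputerName $ComputerName -BcdArgs @('/set', '{current}', 'safeboot', 'dsrepair') | Out-Null
    if ((Get-SafebootValue -ComputerName $ComputerName) -ne 'DsRepair') {
        throw 'bcdedit did not record safeboot dsrepair; not restarting.'
    }
    Restart-Target -ComputerName $ComputerName
    # The DC now comes up in DSRM: reconnect as MachineName\Administrator with the DSRM password.
}

function Exit-Dsrm {
    param([string]$ComputerName)
    # bcdedit /deletevalue safeboot, then confirm the flag is gone so the DC does not
    # return to DSRM on the next restart.
    Invoke-Bcdedit -ComputerName $ComputerName -BcdArgs @('/deletevalue', '{current}', 'safeboot') | Out-Null
    if (Get-SafebootValue -ComputerName $ComputerName) {
        throw 'safeboot is still set; not restarting.'
    }
    Restart-Target -ComputerName $ComputerName
}

# Local:  Enter-Dsrm                    ...restore work in DSRM...   Exit-Dsrm
# Remote: Enter-Dsrm -ComputerName DC01 ...restore work in DSRM...   Exit-Dsrm (run locally over RDP)
```

Run Exit-Dsrm from inside the DSRM session (for example, through the Remote Desktop connection the procedure describes) rather than over remoting: in DSRM the domain controller authenticates only the local DSRM Administrator, and a WinRM session established with domain credentials will not be accepted.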

See Also
Restart the Domain Controller in Directory Services Restore Mode Remotely

Restore AD DS from Backup (Nonauthoritative Restore)

Nonauthoritative restore from backup restores Active Directory Domain Services (AD DS) from its current state to the previous state of a backup. Use this procedure before you perform an authoritative restore procedure to recover objects that were deleted after the time of the backup. To restore AD DS from backup, use a system state or critical-volumes backup. To restore AD DS from backup, you must restart the domain controller in Directory Services Restore Mode (DSRM).

Note
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).

Be sure that you know the name and location of the version of the backup that you are restoring. Backup files are named for the date and time of the backup. When you restore the backup, the version must be stated in the form MM/DD/YYYY-HH:MM (month/day/year-hour:minute), which specifies the name of the backup that you want to restore. The Wbadmin.exe command-line tool does not require that you provide the target for the recovery. By specifying the backup version that you want to recover, the command proceeds to recover to the source location of the backup version that you specify.

Note
The systemstaterecovery command in Wbadmin.exe causes a nonauthoritative restore of SYSVOL by default (only updates to SYSVOL since the time of the backup are replicated to the recovered domain controller). If you want to restore SYSVOL authoritatively (all of SYSVOL is replicated from the recovered domain controller to the other domain controllers in the domain), specify the -authsysvol option in the command.

The Administrator password for DSRM is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. The server must be running in DSRM.

To perform a nonauthoritative restore of AD DS
1. At the Windows logon screen, click Switch User, and then click Other User.
2. Type .\administrator as the user name, type the DSRM password for the server, and then press ENTER.
3. Open a Command Prompt.
4. At the command prompt, type the following command, and then press ENTER:
wbadmin get versions -backuptarget:<targetDrive>: -machine:<BackupComputerName>
Where:
• <targetDrive>: is the location of the backup that you want to restore.
• <BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was made.
5. Identify the backup version that you want to restore. You must enter this backup version exactly in the next step.
6. At the command prompt, type the following command, and then press ENTER:
wbadmin start systemstaterecovery -version:<MM/DD/YYYY-HH:MM> -backuptarget:<targetDrive>: -machine:<BackupComputerName> -quiet
Where:
• <MM/DD/YYYY-HH:MM> is the version of the backup that you want to restore.
• <targetDrive>: is the volume that contains the backup.
• <BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was taken.
If you do not specify the -quiet parameter, you are prompted to press Y to proceed with the restore process and then to press Y to confirm that the replication engine for SYSVOL has not changed since you created the backup. After the recovery operation is complete, if you are not going to perform an authoritative restore of any restored objects, restart the server.
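Steps 4 through 6 as a script, added here as an example that is not part of the Operations Guide. It parses the "Version identifier:" lines that wbadmin get versions prints, lists the backups oldest first, and builds the exact systemstaterecovery command from the chosen identifier so that the MM/DD/YYYY-HH:MM string is never retyped by hand. The parameter names, the choice of the newest backup, and the -Execute switch are assumptions of this example; the wbadmin switches are the ones the procedure uses.

```powershell
# Added example (not from the Operations Guide): choose a backup version and build the
# nonauthoritative system state recovery command from it.
# Assumptions: run in DSRM as the DSRM Administrator; wbadmin get versions prints
# "Version identifier: MM/DD/YYYY-HH:MM" per backup (Windows Server 2008 output format).
param(
    [Parameter(Mandatory = $true)] [string]$BackupTarget,   # e.g. 'E:' or '\\backupsrv\dcbackups'
    [string]$MachineName = $env:COMPUTERNAME,
    [switch]$AuthoritativeSysvol,   # adds -authsysvol: this DC's SYSVOL replicates outward
    [switch]$Execute                # without it, the command is only printed
)

function Get-WbadminVersions {
    param([string]$Target, [string]$Machine)
    $out = & wbadmin.exe get versions "-backuptarget:$Target" "-machine:$Machine" 2>&1
    $versions = @()
    foreach ($line in $out) {
        # One block per backup; the identifier is exactly what -version: expects.
        if ($line -match 'Version identifier:\s*(\d{2}/\d{2}/\d{4}-\d{2}:\d{2})') {
            $versions += [pscustomobject]@{
                Identifier = $Matches[1]
                Time       = [datetime]::ParseExact($Matches[1], 'MM/dd/yyyy-HH:mm',
                                                    [cultureinfo]::InvariantCulture)
            }
        }
    }
    return ($versions | Sort-Object Time)
}

$versions = @(Get-WbadminVersions -Target $BackupTarget -Machine $MachineName)
if ($versions.Count -eq 0) { throw "wbadmin found no backups for $MachineName on $BackupTarget" }

Write-Host 'Available backup versions (oldest first):'
$versions | ForEach-Object { Write-Host ('  {0}  ({1:yyyy-MM-dd HH:mm})' -f $_.Identifier, $_.Time) }

# The newest backup is the usual choice. If the deletion you are rolling back happened
# BEFORE the newest backup was taken, pick an older one here: the newest does not contain the object.
$chosen = $versions[-1]

$wbArgs = @(
    'start', 'systemstaterecovery',
    "-version:$($chosen.Identifier)",
    "-backuptarget:$BackupTarget",
    "-machine:$MachineName",
    '-quiet'
)
if ($AuthoritativeSysvol) { $wbArgs += '-authsysvol' }

Write-Host "`nCommand: wbadmin $($wbArgs -join ' ')"
if ($Execute) {
    & wbadmin.exe @wbArgs
    Write-Host 'Recovery finished. Do NOT restart yet if an authoritative restore follows.'
}
```

Leave -AuthoritativeSysvol off unless you intend this domain controller's copy of SYSVOL to overwrite every other domain controller's copy; the default keeps SYSVOL nonauthoritative, as the note above describes.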

Additional references
• Restart the Domain Controller in Directory Services Restore Mode Locally
• Enable Remote Desktop
• Create a Remote Desktop Connection
• Restart the Domain Controller in Directory Services Restore Mode Remotely
• Performing Authoritative Restore of Active Directory Objects

Mark an application directory partition as authoritative

If you are performing an authoritative restore to recover deletions in an application directory partition, you must mark the application directory partition as authoritative. Marking an application directory partition as authoritative requires a different procedure from the procedure that you use to mark other Active Directory objects as authoritative. You can use this procedure to select the application directory partition that you want to replicate authoritatively to other domain controllers that host the application directory partition.

This procedure has the following preliminary requirements:
• Before you perform this procedure, back up the domain controller that you are restoring. You should have a current, valid backup of the application directory partition before restoring, in case some object changes are lost as the result of changes that have occurred since the backup that you are using to restore the domain controller was made.
• If the entire application directory partition has been deleted, you must perform a nonauthoritative restore from backup on the domain naming operations master.
• You must have completed a nonauthoritative restore procedure, after which the domain controller has not been restarted and remains in Directory Services Restore Mode (DSRM).

The Ntdsutil functionality that is described in this procedure is available on domain controllers that are running Windows Server 2008. To perform an authoritative restore on a domain controller that is running a version of Windows Server 2003, see Performing an Authoritative Restore of Active Directory Objects (http://go.microsoft.com/fwlink/?LinkId=44194).

If you are performing this procedure in DSRM, the Administrator password for DSRM is the minimum required to complete this procedure. If you are performing this procedure with AD DS stopped on the domain controller, membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To mark an application directory partition as authoritative
1. Open a Command Prompt.
2. At the command prompt, type the following command, and then press ENTER:
ntdsutil
3. At the ntdsutil: prompt, type activate instance ntds, and then press ENTER. For assistance with the Ntdsutil command-line tool, type help at any time.
4. At the ntdsutil: prompt, type authoritative restore, and then press ENTER.
5. At the authoritative restore: prompt, type list nc crs, and then press ENTER.
Ntdsutil displays a list of directory partition distinguished names and their associated cross-reference object distinguished names. Note the cross-reference distinguished name and the application directory partition distinguished name that correspond to the application directory partition that you want to restore.
6. Type restore subtree <App Partition DN>, where <App Partition DN> is the distinguished name of the application directory partition that you want to restore, and then press ENTER.
7. In the confirmation dialog box, click Yes. The output message indicates the status of the operation. There should be no failures.
8. Type restore object <Cross Ref DN>, where <Cross Ref DN> is the distinguished name of the cross-reference object for the application directory partition that you want to restore, and then press ENTER.
9. In the confirmation dialog box, click Yes. The output message indicates the status of the operation. There should be no failures.
10. Quit the Ntdsutil tool by typing quit at each prompt.
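A pre-flight check to run while AD DS is still online, before the domain controller goes into DSRM, added here as an example that is not part of the Operations Guide. It finds the two distinguished names that steps 6 and 8 require (the partition DN and its cross-reference object under CN=Partitions), lists the partition's replica set so you know which domain controllers will receive the authoritative data, and names the domain naming master, which is where the restore must run if the whole partition was deleted. It uses ADSI and DirectorySearcher only, so no RSAT module is needed; in DSRM, AD DS is stopped, and the ntdsutil list nc crs command in step 5 is the only way to get the same information. The partition DN is hypothetical and must be replaced.

```powershell
# Added example (not from the Operations Guide): look up the DNs for "restore subtree" and
# "restore object", the replica set, and the domain naming master of an application partition.
# Assumptions: run against a live DC as a user who can read the Configuration partition;
# $PartitionDn is a placeholder for the real application partition DN.
param([string]$PartitionDn = 'DC=AppData,DC=corp,DC=example,DC=com')   # hypothetical

$rootDse    = [adsi]'LDAP://RootDSE'
$configDn   = $rootDse.configurationNamingContext.Value
$schemaDn   = $rootDse.schemaNamingContext.Value
$partitions = [adsi]"LDAP://CN=Partitions,$configDn"

# Every naming context has a crossRef object directly under CN=Partitions; nCName points at it.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($partitions)
$searcher.Filter      = "(&(objectClass=crossRef)(nCName=$PartitionDn))"
$searcher.SearchScope = 'OneLevel'
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'nCName',
                                                      'msDS-NC-Replica-Locations', 'systemFlags'))
$cr = $searcher.FindOne()
if (-not $cr) {
    throw "No crossRef found for $PartitionDn. If the whole partition was deleted, its crossRef " +
          "is gone too, and the nonauthoritative restore must run on the domain naming master."
}

$crDn  = $cr.Properties['distinguishedname'][0]
$flags = [int]$cr.Properties['systemflags'][0]
# systemFlags on a crossRef: 0x1 = NTDS naming context, 0x2 = domain naming context.
# An application partition is an NTDS NC that is neither a domain, the schema nor the configuration.
$isAppNc = (($flags -band 0x1) -ne 0) -and (($flags -band 0x2) -eq 0) -and
           ($PartitionDn -ne $configDn) -and ($PartitionDn -ne $schemaDn)

# fSMORoleOwner on CN=Partitions is the NTDS Settings object of the domain naming master;
# its parent is the server object, whose dNSHostName is the DC's FQDN.
$ntdsSettings = [adsi]"LDAP://$($partitions.fSMORoleOwner.Value)"
$namingMaster = $ntdsSettings.Parent.dNSHostName.Value

[pscustomobject]@{
    'restore subtree <App Partition DN>' = $PartitionDn
    'restore object <Cross Ref DN>'      = $crDn
    IsApplicationPartition               = $isAppNc
    ReplicaSet                           = @($cr.Properties['msds-nc-replica-locations'])
    DomainNamingMaster                   = $namingMaster
}
```

Keep the output with the restore paperwork: the two DNs are typed verbatim into ntdsutil in DSRM, where there is no directory to look them up in.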

See Also
Backing Up Active Directory Domain Services

Performing a Full Server Recovery of a Domain Controller

When you perform a full server recovery, you recover all volumes from the backup set to the server. The procedure to perform full server recovery of a domain controller is the same as for any server running Windows Server 2008. Whenever you perform a full server recovery of a domain controller, you perform a nonauthoritative restore of Active Directory Domain Services (AD DS). You can use these procedures to perform full server recovery of a domain controller by using Windows Complete PC Restore (a graphical user interface (GUI) tool) or Wbadmin.exe from the command line.

Requirements for performing a full server recovery of a domain controller
Full server recovery of a domain controller has the following requirements:
• You must have a full server backup available. This type of backup contains all volumes that were on the server at the time that you made the backup.
• You can store the backup on a separate internal or external hard drive or on a DVD. If you performed a manual backup, you can perform a full server recovery from a network shared folder.
Note
Windows Server Backup does not enumerate drives that are not attached or turned on when you start the Recovery Wizard. If you attach or turn on a drive after you start the wizard, and you do not see it in the list of backup locations that you can restore from, close and then restart Windows Server Backup.
• You must have the Windows Server 2008 operating system DVD or have Windows RE installed on a different partition than the critical partitions that are used by the domain controller that you are restoring.
• If you are recovering to new hardware, the new hardware must provide enough storage capacity to recover all volumes. In other words, the hard drives that you are recovering data to must be as large as, or larger than, the drives that are included in the backup set.

Performing a full server recovery of a domain controller by using the GUI
You can use this procedure to perform full server recovery of a domain controller with Windows Complete PC Restore. There are no administrative credential requirements. No authentication is performed when you start in Windows RE. Because of this, anyone with console access to the server and the installation media can perform this recovery (or read the disks); the physical security of the domain controller and of the backup media is the only control at this stage.

To perform full server recovery of a domain controller (a nonauthoritative restore) by using the GUI
1. Insert the Windows Server 2008 installation DVD into the disk drive, and then restart the domain controller.
2. When you are prompted, press a key to start from the DVD.
3. At the initial Windows screen, accept or select language options, the time and currency format, and a keyboard layout, and then click Next.
4. At the Install now screen, click Repair your computer.
5. In the System Recovery Options dialog box, click anywhere to clear any operating systems that are selected for repair, and then click Next.
6. Under Choose a recovery tool, click Windows Complete PC Restore.
7. If the backup is stored on a remote server, a message indicates that Windows cannot find a backup on the hard disks or DVDs on this computer. Click Cancel to close the message.
8. Click Restore a different backup, and then click Next.
9. On the Select the location of the backup page, perform either set of the following steps, depending on whether the backup is stored locally or on a network shared folder:
a. If the backup is stored on the local computer, select the location of the backup, and then click Next.
Or
b. If the backup is stored on a network shared folder, click Advanced, and then click Search for a backup on the network.
c. Click Yes to confirm that you want to connect to the network.
d. In Network Folder, type the Universal Naming Convention (UNC) name for the network share, and then click OK.
e. Type credentials for a user account that has sufficient permissions to restore the backup, and then click OK.
f. On the Select the location of the backup page, click the location of the backup, and then click Next.
10. Click the backup to restore, and then click Next.
11. If you want to replace all data on all volumes, regardless of whether they are included in the backup, on the Choose how to restore the backup page, select the Format and repartition disks check box.
12. To prevent volumes that are not included in the restore from being deleted and re-created, click Exclude Disks, select the check box for the disks that you want to exclude, and then click OK.
13. Click Next, and then click Finish.
14. Select the I confirm that I want to format the disks and restore the backup check box, and then click OK.

Performing a full server recovery of a domain controller by using the command line
Use the following procedure to perform full server recovery of a domain controller from the command line. There are no administrative credential requirements. No authentication is performed when you start in Windows RE.

To perform full server recovery of a domain controller (a nonauthoritative restore) by using the command line
1. Insert the Windows Server 2008 installation DVD into the disk drive, and then restart the domain controller.
2. When you are prompted, press a key to start from the DVD.
3. At the initial Windows screen, accept or select language options, the time and currency format, and a keyboard layout, and then click Next.
4. At the Install now screen, click Repair your computer.
5. In the System Recovery Options dialog box, click anywhere to clear any operating systems that are selected for repair, and then click Next.
6. Under Choose a recovery tool, click Command Prompt.
7. At the Sources prompt, type diskpart, and then press ENTER.
8. At the Diskpart prompt, type list vol, and then press ENTER.
9. Identify the volume from the list that corresponds to the location of the full server backup that you want to restore. The drive letters in Windows RE do not necessarily match the volumes as they appear in Windows Server 2008.
10. Type exit, and then press ENTER.
11. At the Sources prompt, type the following command, and then press ENTER:
wbadmin get versions -backupTarget:<targetDrive>: -machine:<BackupComputerName>
Where:
• <targetDrive>: is the location of the backup that you want to restore.
• <BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is required if the backup is stored on a remote computer.
12. Identify the version that you want to restore. You must enter this version exactly in the next step.
13. At the Sources prompt, type the following command, and then press ENTER:
wbadmin start sysrecovery -version:<MM/DD/YYYY-HH:MM> -backuptarget:<targetDrive>: -machine:<BackupComputerName> -restoreAllVolumes
Where:
• <MM/DD/YYYY-HH:MM> is the version of the backup that you want to restore.
• <targetDrive>: is the drive that contains the backup.
• <BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was taken.
14. When you are prompted, press Y to proceed with the restore process.
15. After the recovery operation has completed, minimize the command window, and then, in the System Recovery Options dialog box, click Restart.

Additional considerations
Be aware of the following issues when you perform a full server recovery of a domain controller:
• Wbadmin.exe does not require that you provide the recovery target. By specifying the backup version that you want to recover, the command proceeds to recover to the source location of the specified backup version.
• Backup files are named for the date and time of the backup. When you recover, the version must be stated in the form MM/DD/YYYY-HH:MM, which specifies the name of the backup that you want to recover.
• After the restore is completed, restart the server normally, and perform basic verification. When you restart the computer normally, AD DS and Active Directory Certificate Services (AD CS) automatically detect that they have been recovered from a backup. They perform an integrity check and index the database again.
• After you log on to the system, browse AD DS. Verify that the following conditions are met:
• All of the user objects and group objects that were present in the directory at the time of the backup are restored.
Note
Active Directory replication updates the objects that you restore with any changes that have been made to them since the time that the backup was taken.
• Files that were members of a File Replication Service (FRS) replica set and certificates that were issued by AD CS are present.
• The Windows Time service (W32time) is synchronized correctly.
• The NETLOGON and SYSVOL folders are properly shared.
• The Preferred DNS server address is configured correctly.
• Host (A) and service (SRV) resource records are registered correctly in Domain Name System (DNS).

4estoring a Domain Controller hrough 4einstallation and Subse0uent 4estore from $ackup
If you cannot restart a domain controller in Directory Services Restore Mode (DSRM), you can restore it through reinstallation of the operating system and subsequent restore of Active Directory Domain Services (AD DS) from backup. After you reinstall Windows Server 2008, perform a nonauthoritative restore of a system state or critical-volumes backup. You must have a previous backup for the failed domain controller, and the backup cannot be older than the tombstone lifetime for the forest (a restore from an older backup reintroduces objects that the other domain controllers have already purged). You do not have to join the computer to the domain before you perform the restore procedure. During the restore, the computer account is reestablished automatically.
Note
You must perform the restore procedure by using the same backup tool with which the backup was made. Procedures in this task describe using Windows Server Backup to restore AD DS, but you must use the tool that you used to create the backup file if it is not Windows Server Backup.
Task requirements
To perform the domain controller restore procedure, you must have the following information about the failed domain controller:
• Disk configuration. You need a record of the volumes and sizes of the disks and partitions. In the case of a complete disk failure, use this information to recreate the disk configuration. Windows Server 2008 must be reinstalled to the same drive letter and with at least the same amount of physical drive space as for the original installation. Before you restore the system state, you must recreate all disk configurations. Failure to recreate all disk configurations can cause the restore process to fail, and it can prevent you from starting the domain controller after the restore.
• Computer name. You need the computer name to restore a domain controller of the same name and avoid changing client configuration settings.
• DSRM Administrator password. You must know the DSRM Administrator password that was in use when the backup was created.
The following tools are required to perform the procedures for this task:
• Remote Desktop Connection (optional)
• Bcdedit.exe (optional)
• Wbadmin.exe

To complete this task, perform the following procedures:
1. After you configure the disks appropriately, install Windows Server 2008.
Note
This guide does not provide information about installing Windows Server 2008. For information about installing Windows Server 2008, see Installing Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkID=111104).
2. Restart the server in DSRM by using one of the following methods:
Note
Restarting a member server in DSRM is not possible in Windows Server 2003, but it is possible in Windows Server 2008.
Restart the Domain Controller in Directory Services Restore Mode Locally
Or
Restart the Domain Controller in Directory Services Restore Mode Remotely
3. Restore AD DS from Backup (Nonauthoritative Restore)
4. Verify AD DS restore

Restart the Domain Controller in Directory Services Restore Mode Locally
If you have physical access to a domain controller, you can restart the domain controller in Directory Services Restore Mode (DSRM) locally. Restarting in DSRM takes the domain controller offline. In this mode, the server is functioning as a member server, not as a domain controller. During installation of Active Directory Domain Services (AD DS), you set the Administrator password for logging on to the server in DSRM. When you start Windows Server 2008 in DSRM, you must log on by using this DSRM password for the local Administrator account.
Note
By default, you must start a domain controller in DSRM to log on by using the DSRM Administrator account. However, on domain controllers that are running Windows Server 2008, you can change this behavior by modifying the DSRMAdminLogonBehavior registry entry. By changing the value for this entry, you can configure a domain controller so that you can log on to it with the DSRM Administrator account if the domain controller was started normally but the AD DS service is stopped for some reason. For more information about changing this registry entry, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=88649).
You can restart a domain controller in DSRM manually by pressing the F8 key during domain controller startup, which requires watching the startup and waiting for the appropriate point in the startup to press the key. This method is tedious and can waste time if you miss the brief window of opportunity for selecting the restart mode. On domain controllers that are running Windows Server 2008, tools are available that replace the Boot.ini file that is used in earlier versions of Windows Server to modify the boot configuration parameters and controls. You can use the Windows graphical user interface (GUI) or the command line to restart the domain controller in DSRM:
• Windows GUI: System Configuration (Msconfig.exe) is an administrative tool that you can use to configure boot and startup options, including restarting in DSRM and normal mode.
• Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot configuration on a server that is running Windows Server 2008. You can use Bcdedit with shutdown commands to instruct the domain controller to restart in DSRM and to restart normally.
When you are finished managing a domain controller in DSRM, if you have used System Configuration or Bcdedit.exe to restart the domain controller in DSRM, you must change the configuration so that the domain controller restarts in normal mode.
Note
A benefit of using System Configuration or Bcdedit.exe for implementing restart of a domain controller into DSRM is that the setting persists across restarts, so the domain controller cannot be inadvertently restarted in normal mode before you are finished. This benefit is particularly useful when you are performing a nonauthoritative restore from backup followed by an authoritative restore. The same persistence means that the domain controller stays out of service until you explicitly restore normal startup.
You can also use System Configuration or Bcdedit.exe to restart a domain controller in DSRM remotely. To use System Configuration or Bcdedit.exe and Remote Desktop Connection to restart a domain controller in DSRM remotely, see Restart the Domain Controller in Directory Services Restore Mode Remotely.
Membership in the Domain Admins group is the minimum required to complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM is required to log on to the domain controller in DSRM. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).

Restarting the domain controller in DSRM locally
You can use either of the following methods to restart the domain controller in DSRM:
To restart a domain controller in DSRM locally by using the Windows GUI
1. On the Start menu, point to Administrative Tools, and then click System Configuration.
2. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK.
3. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM.
4. Perform procedures in DSRM.
5. When you have finished performing procedures in DSRM, restart the domain controller normally:
a. On the Start menu, point to Administrative Tools, and then click System Configuration.
b. On the General tab, in Startup selection, click Normal startup, and then click OK. The domain controller restarts normally.

To restart a domain controller in DSRM locally by using the command line
1. Click Start, click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, and then click OK.
2. At the command prompt, type the following command, and then press ENTER:
bcdedit /set safeboot dsrepair

3. At the command prompt, type the following command, and then press ENTER:
shutdown /t 0 /r

4. When you are still in DSRM and you are ready to restart in normal mode, open a command prompt and type the following, and then press ENTER:
bcdedit /deletevalue safeboot

5. At the command prompt, type the following command, and then press ENTER:
shutdown /t 0 /r

Value                              Description
bcdedit /set safeboot dsrepair     Configures the boot process to start in DSRM.
shutdown /t 0 /r                   Shuts down the server and restarts it.
bcdedit /deletevalue safeboot      Returns the boot process to the previous setting.

See Also
Restart the Domain Controller in Directory Services Restore Mode Remotely

Restart the Domain Controller in Directory Services Restore Mode Remotely
If you have remote access to a domain controller, you can restart the domain controller in Directory Services Restore Mode (DSRM) remotely. Remote access requires the user right to log on locally to a domain controller. Restarting in DSRM takes the domain controller offline. In this mode, the server is functioning as a member server, not a domain controller. During installation of Active Directory Domain Services (AD DS), you set the Administrator password for logging on to the server in DSRM. When you start Windows Server 2008 in DSRM, you must log on by using this DSRM password for the local Administrator account.
Note
By default, you must start a domain controller in DSRM to log on by using the DSRM Administrator account. However, on domain controllers that are running Windows Server 2008, you can change this behavior by modifying the DSRMAdminLogonBehavior registry entry. By changing the value for this entry, you can configure a domain controller so that you can log on to it with the DSRM Administrator account if the domain controller was started normally but the AD DS service is stopped for some reason. For more information about changing this registry entry, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=88649).
On domain controllers that are running Windows Server 2008, tools are available that replace the Boot.ini file that is used in earlier versions of Windows Server to modify the boot configuration parameters and controls. You can use the Windows graphical user interface (GUI) or the command line to restart the domain controller in DSRM:
• Windows GUI: System Configuration (Msconfig.exe) is an administrative tool that you can use to configure boot and startup options, including restarting in DSRM and normal mode.
• Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot configuration on a server that is running Windows Server 2008. You can use Bcdedit with shutdown commands to instruct the domain controller to restart in DSRM and to restart normally.
To restart the domain controller in DSRM remotely, you first use Remote Desktop Connection to connect to the domain controller while it is in normal startup mode. Remote Desktop Connection must be enabled on the target domain controller. After the domain controller has restarted, you can use Remote Desktop Connection to reconnect to the domain controller and then log on as the local Administrator, using the DSRM password. You can use this procedure to connect to a domain controller remotely, restart it in DSRM, and then reconnect to it as the DSRM administrator.
Membership in Domain Admins, or equivalent, is the minimum required to complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM and the user right to log on locally to a domain controller are required to log on to the domain controller in DSRM. Members of Account Operators, Administrators, Enterprise Admins, Domain Admins, Backup Operators, Print Operators, and Server Operators have the user right to log on locally to a domain controller by default. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. Using a domain administrative account to log on to an RODC can compromise the server, because it exposes forest-wide privileged credentials on a server that is typically placed in a less trusted location. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).

To restart a domain controller in DSRM remotely by using the Windows GUI
1. Connect to the remote domain controller that is running in normal mode:
a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection.
b. In Computer, type the name of the domain controller that you want to restart, and then click Connect.
c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK.
d. When you are connected, log on to the domain controller as a domain administrator.
2. On the Start menu, point to Administrative Tools, and then click System Configuration.
3. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK.
4. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped.
5. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection.
6. The domain controller name should still be showing in Computer. If it is not, select it from the list, and then click Connect.
7. In the Windows Security dialog box, click Use another account.
8. In User name, type the following: MachineName\Administrator
Where MachineName is the name of the domain controller.
9. In Password, type the DSRM password, and then click OK.
10. At the logon screen of the remote domain controller, click Switch User, and then click Other User.
11. Type MachineName\Administrator, and then press ENTER.
12. Perform procedures in DSRM.
13. When you have finished performing procedures in DSRM, restart the domain controller normally:
a. On the Start menu, point to Administrative Tools, and then click System Configuration.
b. On the General tab, in Startup selection, click Normal startup, and then click OK. The domain controller restarts normally. This procedure will disconnect your remote session.

To restart a domain controller in DSRM remotely by using the command line
1. Connect to the remote domain controller that is running in normal mode:
a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection.
b. In Computer, type the name of the domain controller that you want to restart, and then click Connect.
c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK.
d. When you are connected, log on to the domain controller as a domain administrator.
2. Open a command prompt. At the command prompt, type the following command, and then press ENTER:
bcdedit /set safeboot dsrepair

3. At the command prompt, type the following command, and then press ENTER:
shutdown /t 0 /r

The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped.
4. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection.
5. The domain controller name should still be showing in Computer. If it is not, select it in the list, and then click Connect.
6. In the Windows Security dialog box, click Use another account.
7. In User name, type the following: MachineName\Administrator
Where MachineName is the name of the domain controller.
8. In Password, type the DSRM password, and then click OK.
9. At the logon screen of the remote domain controller, click Switch User, and then click Other User.
10. Type MachineName\Administrator, and then press ENTER.
11. Perform procedures in DSRM.
12. When you have finished performing procedures in DSRM, restart the domain controller normally:
a. In DSRM, open a command prompt, type the following command, and then press ENTER:
bcdedit /deletevalue safeboot

b. At the command prompt, type the following command, and then press ENTER:
shutdown /t 0 /r

The domain controller restarts normally. This procedure will disconnect your remote session.

Value                              Description
bcdedit /set safeboot dsrepair     Configures the boot process to start in DSRM.
shutdown /t 0 /r                   Shuts down the server and restarts it.
bcdedit /deletevalue safeboot      Returns the boot process to the previous setting.
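Both command-line procedures above (local and remote) rely on a safeboot value that persists in the boot configuration until you delete it, and neither procedure checks that bcdedit actually wrote the value before the server is restarted. The PowerShell functions below are an added example, not part of this guide: they wrap the same bcdedit and shutdown commands, read the value back with bcdedit /enum before restarting, and refuse to reboot if the setting is not what you expect. The function names are the example's own. It assumes an elevated PowerShell prompt on the domain controller (at the console, or inside the Remote Desktop session of the remote procedure) and that bcdedit.exe reports the setting as a line of the form "safeboot  DsRepair" in its /enum output.

```powershell
# Added example (not from the guide). Toggle DSRM startup with bcdedit and verify
# the boot entry before restarting. Requires an elevated prompt on the DC.

function Get-SafeBootValue {
    # Read the current boot entry; bcdedit prints "safeboot    DsRepair" when the
    # value is set and omits the line when it is not. The braces must be quoted,
    # otherwise PowerShell parses {current} as a script block.
    $text = (bcdedit /enum '{current}' 2>&1) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /enum failed: $text" }
    if ($text -match '(?m)^\s*safeboot\s+(\S+)') { return $Matches[1] }
    return $null
}

function Enable-DsrmStartup {
    param([switch]$Restart)   # without -Restart only the boot entry is changed
    bcdedit /set safeboot dsrepair | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /set safeboot failed (exit $LASTEXITCODE)" }
    # Read the value back: never reboot on the strength of a command that may have
    # failed silently, for example because the prompt was not elevated.
    $value = Get-SafeBootValue
    if ($value -ne 'DsRepair') { throw "safeboot is '$value', expected DsRepair; not restarting" }
    Write-Host "Boot entry set: the next start is DSRM. Run Disable-DsrmStartup when finished."
    if ($Restart) { shutdown /t 0 /r }
}

function Disable-DsrmStartup {
    param([switch]$Restart)
    if (Get-SafeBootValue) {
        bcdedit /deletevalue safeboot | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "bcdedit /deletevalue safeboot failed (exit $LASTEXITCODE)" }
    }
    # Confirm the entry is really gone; a DC that keeps booting into DSRM stays
    # out of service as a domain controller after every restart.
    if (Get-SafeBootValue) { throw "safeboot value still present; not restarting" }
    Write-Host "Boot entry cleared: the next start is normal mode."
    if ($Restart) { shutdown /t 0 /r }
}

# Typical use in the remote procedure: Enable-DsrmStartup -Restart from the first
# Remote Desktop session, then Disable-DsrmStartup -Restart from the DSRM session.
```

Run Enable-DsrmStartup without -Restart when you want to stage the change and reboot later; Get-SafeBootValue on its own is a quick way to confirm, before you leave a DSRM session, that the server will come back in normal mode.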

See Also
Enable Remote Desktop
Create a Remote Desktop Connection
Restart the Domain Controller in Directory Services Restore Mode Locally

Restore AD DS from Backup (Nonauthoritative Restore)
Nonauthoritative restore from backup restores Active Directory Domain Services (AD DS) from its current state to the previous state of a backup. Use this procedure before you perform an authoritative restore procedure to recover objects that were deleted after the time of the backup. To restore AD DS from backup, use a system state or critical-volumes backup. To restore AD DS from backup, you must restart the domain controller in Directory Services Restore Mode (DSRM).
Note
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).
Be sure that you know the name and location of the version of the backup that you are restoring. Backup files are named for the date and time of the backup. When you restore the backup, the version must be stated in the form MM/DD/YYYY-HH:MM (month/day/year-hour:minute), which specifies the name of the backup that you want to restore. The Wbadmin.exe command-line tool does not require that you provide the target for the recovery. By specifying the backup version that you want to recover, the command proceeds to recover to the source location of the backup version that you specify.
Note
The systemstaterecovery command in Wbadmin.exe causes a nonauthoritative restore of SYSVOL by default (only updates to SYSVOL since the time of the backup are replicated to the recovered domain controller). If you want to restore SYSVOL authoritatively (all of SYSVOL is replicated from the recovered domain controller to other domain controllers in the domain), specify the -authsysvol option in the command.
The Administrator password for DSRM is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
The server must be running in DSRM.
To perform a nonauthoritative restore of AD DS
1. At the Windows logon screen, click Switch User, and then click Other User.
2. Type .\administrator as the user name, type the DSRM password for the server, and then press ENTER.
3. Open a Command Prompt.
4. At the command prompt, type the following command, and then press ENTER:
wbadmin get versions -backuptarget:<targetDrive>: -machine:<BackupComputerName>

Where:
• <targetDrive>: is the location of the backup that you want to restore.
• <BackupComputerName> is the name of the computer whose backup you want to recover (the computer that was backed up). This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was made.
5. Identify the backup version that you want to restore. You must enter this backup version exactly in the next step.
6. At the command prompt, type the following command, and then press ENTER:
wbadmin start systemstaterecovery -version:<MM/DD/YYYY-HH:MM> -backuptarget:<targetDrive>: -machine:<BackupComputerName> -quiet

Where:
• <MM/DD/YYYY-HH:MM> is the version of the backup that you want to restore.
• <targetDrive>: is the volume that contains the backup.
• <BackupComputerName> is the name of the computer whose backup you want to recover. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was taken.
If you do not specify the -quiet parameter, you are prompted to press Y to proceed with the restore process and then press Y to confirm that the replication engine for SYSVOL has not changed since you created the backup.
After the recovery operation is complete, if you are not going to perform an authoritative restore of any restored objects, restart the server.
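Steps 4 through 6 above leave two judgement calls to the operator: which of the listed versions to type, and whether that version is still younger than the forest's tombstone lifetime (a requirement stated in the task introduction). The following PowerShell is an added example, not part of this guide: it parses the output of wbadmin get versions, selects the newest system state backup that is inside the tombstone lifetime, and runs wbadmin start systemstaterecovery with the same parameters the procedure uses. It assumes you are logged on in DSRM as .\administrator, that wbadmin prints each backup as a block containing a "Version identifier:" line and a "Can recover:" line, and that the caller supplies the backup target drive, the name of the computer that was backed up, and the tombstone lifetime (180 days for forests created on Windows Server 2003 SP1 or later, 60 days for older forests). The function names and the sample output at the end are the example's own.

```powershell
# Added example (not from the guide). Parse "wbadmin get versions", pick the newest
# system state backup younger than the tombstone lifetime, and run the restore.

function ConvertFrom-WbadminVersions {
    # Turn the text of "wbadmin get versions" into objects. Each backup is a block
    # with a "Version identifier: MM/DD/YYYY-HH:MM" line and a "Can recover:" line
    # that lists System State when a system state recovery is possible.
    param([string[]]$Lines)
    $versions = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Version identifier:\s*(\d{2}/\d{2}/\d{4}-\d{2}:\d{2})') {
            $current = New-Object PSObject -Property @{
                Version     = $Matches[1]
                Time        = [datetime]::ParseExact($Matches[1], 'MM/dd/yyyy-HH:mm',
                                  [System.Globalization.CultureInfo]::InvariantCulture)
                SystemState = $false
            }
            $versions += $current
        } elseif ($current -ne $null -and $line -match '^Can recover:.*System State') {
            $current.SystemState = $true
        }
    }
    return $versions
}

function Select-RestoreVersion {
    # Newest system state backup that is still younger than the tombstone lifetime.
    # Restoring an older one reintroduces objects the other DCs have already purged.
    param([object[]]$Versions, [int]$TombstoneLifetimeDays, [datetime]$Now = (Get-Date))
    $usable = @($Versions | Where-Object {
        $_.SystemState -and (($Now - $_.Time).TotalDays -lt $TombstoneLifetimeDays) })
    if ($usable.Count -eq 0) {
        throw "No system state backup younger than $TombstoneLifetimeDays days was found"
    }
    return ($usable | Sort-Object Time -Descending)[0]
}

function Start-NonauthoritativeRestore {
    param(
        [Parameter(Mandatory=$true)][string]$BackupTarget,   # e.g. 'E:'
        [Parameter(Mandatory=$true)][string]$Machine,        # computer that was backed up
        [int]$TombstoneLifetimeDays = 180,   # 60 for forests created before Windows Server 2003 SP1
        [switch]$AuthoritativeSysvol,        # adds -authsysvol (see the Note above)
        [switch]$DryRun                      # print the command instead of running it
    )
    $lines = & wbadmin get versions "-backupTarget:$BackupTarget" "-machine:$Machine"
    if ($LASTEXITCODE -ne 0) { throw "wbadmin get versions failed (exit $LASTEXITCODE)" }
    $chosen = Select-RestoreVersion -Versions (ConvertFrom-WbadminVersions $lines) `
                                    -TombstoneLifetimeDays $TombstoneLifetimeDays
    $wbArgs = @('start', 'systemstaterecovery', "-version:$($chosen.Version)",
                "-backupTarget:$BackupTarget", "-machine:$Machine", '-quiet')
    if ($AuthoritativeSysvol) { $wbArgs += '-authsysvol' }
    Write-Host "wbadmin $($wbArgs -join ' ')"
    if ($DryRun) { return $chosen }
    & wbadmin @wbArgs
    if ($LASTEXITCODE -ne 0) { throw "systemstaterecovery failed (exit $LASTEXITCODE)" }
    return $chosen
}

# Constructed sample output (not captured from a real server) to show the selection logic:
$sample = @'
Backup time: 1/2/2008 1:00 AM
Backup target: Fixed Disk labeled Backups(E:)
Version identifier: 01/02/2008-01:00
Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State

Backup time: 9/15/2008 2:30 PM
Backup target: Fixed Disk labeled Backups(E:)
Version identifier: 09/15/2008-14:30
Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State
'@ -split "`r?`n"
$pick = Select-RestoreVersion -Versions (ConvertFrom-WbadminVersions $sample) `
            -TombstoneLifetimeDays 180 -Now ([datetime]'2008-10-01')
# $pick.Version is 09/15/2008-14:30; the January backup is rejected as older than 180 days.
```

Run Start-NonauthoritativeRestore -BackupTarget E: -Machine DC01 -DryRun first to see which version would be chosen and the exact wbadmin command; -quiet is passed so the two Y prompts described above do not stall an unattended run, so make sure the SYSVOL replication engine really is unchanged since the backup before you omit -DryRun.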

Additional references
• Restart the Domain Controller in Directory Services Restore Mode Locally
• Enable Remote Desktop
• Create a Remote Desktop Connection
• Restart the Domain Controller in Directory Services Restore Mode Remotely
• Performing Authoritative Restore of Active Directory Objects

Verify AD DS restore
After you complete a restore of Active Directory Domain Services (AD DS), you can use this procedure to verify the restore.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To verify an Active Directory restore from backup
1. After the restore operation completes, restart the computer in Start Windows Normally mode. If you used Bcdedit.exe to configure startup in Directory Services Restore Mode (DSRM), see Restart the Domain Controller in Directory Services Restore Mode Remotely or Restart the Domain Controller in Directory Services Restore Mode Locally for information about changing the configuration back to normal startup mode.
2. After you are able to log on to the system, perform the following verification steps:
• At a command prompt, use the repadmin /showsig command to verify that the invocation ID has changed. The invocation ID is the directory database globally unique identifier (GUID), which the Directory System Agent (DSA) uses to identify the version of the database. The invocation ID changes during the Active Directory restore process to ensure the consistency of the replication process. Verify that the previous entry appears in the retired signatures list.
• At a command prompt, use the repadmin /showrepl command to verify that there are no replication errors and all directory partitions are replicating properly with the required replication partners. You can determine the replication partners by selecting the NTDS Settings object for the restored server in Active Directory Sites and Services.
• At a command prompt, use the net share command to verify that the NETLOGON and SYSVOL shares appear.
• At a command prompt, use the dcdiag command to verify success of all tests on the domain controller.
• Use Active Directory Users and Computers to verify that the deleted objects that you wanted to recover from the backup are restored. Remember that after a nonauthoritative restore alone, replication from the other domain controllers re-applies deletions that occurred after the backup; objects deleted after the backup stay restored only if you marked them authoritative. If you have a Volume Shadow Copy Service (VSS) snapshot of the database, you can use the Active Directory database mounting tool (Dsamain.exe) to mount the database and view it through Active Directory Users and Computers to compare the objects. For information about the Active Directory database mounting tool, see the Step-by-Step Guide for Using the Active Directory Database Mounting Tool in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=103333).
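The four command-line checks in step 2 each produce screens of output that the operator has to read by eye. The PowerShell below is an added example, not part of this guide: it runs the same four commands (repadmin /showsig, repadmin /showrepl, net share, dcdiag) on the restored domain controller and reduces each to a pass/fail result with a short detail string. It assumes an elevated prompt on the restored domain controller after a normal restart, that repadmin /showsig prints the current ID on a line containing "invocationID:" and each retired ID on a line of the form "<guid> retired on ...", that repadmin /showrepl prints one "Last attempt ... was successful." line per inbound partner, and that dcdiag prints "passed test" or "failed test" for each test. The function names are the example's own; the optional previous invocation ID is one you recorded before the restore.

```powershell
# Added example (not from the guide). Run the verification commands of the procedure
# above on the restored DC and report pass/fail for each.

function New-CheckResult([string]$Name, [bool]$Passed, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

function Test-RestoredDomainController {
    param([string]$PreviousInvocationId)   # invocation ID noted before the restore, if known
    $results = @()
    $guid = '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}'

    # repadmin /showsig: current invocation ID plus the retired list. After a restore
    # a new ID must be in use and the old one must appear as retired.
    $sig = (repadmin /showsig) -join "`n"
    $current = $null
    if ($sig -match "(?i)invocationID:\s*($guid)") { $current = $Matches[1] }
    $retired = @([regex]::Matches($sig, "(?i)($guid)\s+retired") | ForEach-Object { $_.Groups[1].Value })
    $ok = ($current -ne $null) -and ($retired.Count -gt 0)
    if ($PreviousInvocationId) {
        $ok = $ok -and ($current -ne $PreviousInvocationId) -and ($retired -contains $PreviousInvocationId)
    }
    $results += New-CheckResult 'repadmin /showsig' $ok "current=$current retired=$($retired -join ',')"

    # repadmin /showrepl: every "Last attempt" line must report success.
    $repl = repadmin /showrepl
    $attempts = @($repl | Where-Object { $_ -match 'Last attempt' })
    $failed = @($attempts | Where-Object { $_ -notmatch 'successful' })
    $results += New-CheckResult 'repadmin /showrepl' (($attempts.Count -gt 0) -and ($failed.Count -eq 0)) `
        "$($attempts.Count) inbound links, $($failed.Count) failing"

    # net share: NETLOGON and SYSVOL must both be listed.
    $shares = net share
    foreach ($name in 'NETLOGON', 'SYSVOL') {
        $present = @($shares | Where-Object { $_ -match "^$name\s" }).Count -gt 0
        $results += New-CheckResult "net share $name" $present $(if ($present) { 'present' } else { 'missing' })
    }

    # dcdiag: count "passed test" against "failed test" lines.
    $diag = dcdiag
    $passedTests = @($diag | Where-Object { $_ -match 'passed test' }).Count
    $failedTests = @($diag | Where-Object { $_ -match 'failed test' })
    $results += New-CheckResult 'dcdiag' (($passedTests -gt 0) -and ($failedTests.Count -eq 0)) `
        "$passedTests passed, $($failedTests.Count) failed"

    return $results
}

# Usage: Test-RestoredDomainController | Format-Table Check, Passed, Detail -AutoSize
```

A restore that passes these four checks but whose invocation ID matches the one you recorded beforehand has not actually been restored from backup; that is the case the -PreviousInvocationId parameter is there to catch.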

Restoring a Domain Controller Through Reinstallation
Restoring a domain controller through reinstallation is the same process as creating a new domain controller. It does not involve restoring from backup. This method relies on Active Directory replication to restore a domain controller to a working state, and it is valid only if another healthy domain controller exists in the same domain. This method is normally used on computers that function only as domain controllers.
Restoring through reinstallation is the only method by which a domain controller that is not part of the backup set can be restored. In addition, you might decide to use this method instead of a nonauthoritative restore because backup media is inaccessible or because this method is more convenient. Restoring a domain controller through reinstallation should not be a substitute for regular backup routines.
This method of restoring a domain controller requires a complete reinstallation of the operating system. We recommend that, before you install the operating system, you format the entire system disk, which removes all information on the system disk. Ensure that any important or relevant data is moved or backed up before you format the disk.
Bandwidth is the primary consideration for restoring a domain controller through reinstallation. The bandwidth that is required grows with the size of the Active Directory database and shrinks with the time that you can allow before the domain controller must be in a functioning state. Ideally, the existing functional domain controller should be located in the same Active Directory site as the replicating domain controller (the new domain controller) to reduce the impact on the network and the time that the reinstallation takes to complete.
Note
Before you restore a domain controller through reinstallation, ensure that hardware failure is not the cause of the problem. If faulty hardware is not changed, restoring through reinstallation might not solve the problems with the domain controller.
Task requirements
The following tools are required to perform the procedures for this task:
• Ntdsutil.exe
• Dcdiag.exe
• Dcpromo.exe
To complete this task, perform the following procedures:
1. Use the following procedure to clean up server metadata to remove the NTDS Settings object of the failed domain controller: Clean Up Server Metadata
If you plan to give the new domain controller a different name from the name of the failed domain controller, in addition to cleaning up server metadata perform the following procedure: Delete a Server Object from a Site
2. Install Windows Server 2008. A fresh installation of Windows Server 2008 is assumed. Prepare for installation of the operating system by partitioning or reformatting the hard disk drive, if necessary.
Note
This guide does not provide information about installing Windows Server 2008. For information about installing Windows Server 2008, see Installing Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkID=111104).
3. Verify DNS Registration and TCP/IP Connectivity
4. Verify the Availability of the Operations Masters
5. Install an Additional Domain Controller by Using the Windows Interface
During the installation process, replication occurs, which ensures that the domain controller has an accurate and up-to-date copy of Active Directory Domain Services (AD DS). You have the option to use the same information for this domain controller as the domain controller that it is replacing: site placement, domain controller name, and domain membership should remain the same. If you plan to install the domain controller under a different name, see Installing a Domain Controller in an Existing Domain.
6. After you install AD DS, see Verifying Active Directory Installation and perform procedures for verification of the installation.

Clean Up Server Metadata
Metadata cleanup is a required procedure after a forced removal of Active Directory Domain Services (AD DS). You perform metadata cleanup on a domain controller in the domain of the domain controller that you forcibly removed. Metadata cleanup removes data from AD DS that identifies a domain controller to the replication system. Metadata cleanup also removes File Replication Service (FRS) and Distributed File System (DFS) Replication connections and attempts to transfer or seize any operations master (also known as flexible single master operations or FSMO) roles that the retired domain controller holds. These additional processes are performed automatically. You can use this procedure to clean up server metadata for a domain controller from which you have forcibly removed AD DS.
On domain controllers that are running Windows Server 2008, you can use Active Directory Users and Computers to clean up server metadata. In this procedure, deleting the computer object in the Domain Controllers organizational unit (OU) initiates the cleanup process, which proceeds automatically. You can also perform metadata cleanup by using Ntdsutil.exe, a command-line tool that is installed automatically on all domain controllers. You can perform this procedure on a domain controller that is running Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), Windows Server 2003 R2, or Windows Server 2008. For information about performing metadata cleanup on domain controllers that are running earlier versions of Windows Server, see "Clean up server metadata" in the Windows Server 2003 Operations Guide (http://go.microsoft.com/fwlink/?LinkId=104231).
You can also use a script to clean up server metadata on most Windows operating systems. For information about using this script, see Remove Active Directory Domain Controller Metadata (http://go.microsoft.com/fwlink/?LinkID=123899).
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To clean up server metadata by using Active Directory Users and Computers
1. Open Active Directory Users and Computers: On the Start menu, point to Administrative Tools, and then click Active Directory Users and Computers.
2. If you have identified replication partners in preparation for this procedure, and if you are not connected to a replication partner of the removed domain controller whose metadata you are cleaning up, right-click Active Directory Users and Computers [DomainControllerName], and then click Change Domain Controller. Click the name of the domain controller from which you want to remove the metadata, and then click OK.
3. Expand the domain of the domain controller that you forcibly removed, and then click Domain Controllers.
4. In the details pane, right-click the computer object of the domain controller whose metadata you want to clean up, and then click Delete.
5. In the Active Directory Domain Services dialog box, click Yes to confirm the computer object deletion.
6. In the Deleting Domain Controller dialog box, select This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then click Delete.
7. If the domain controller is a global catalog server, in the Delete Domain Controller dialog box, click Yes to continue with the deletion.
8. If the domain controller currently holds one or more operations master (also known as flexible single master operations or FSMO) roles, click OK to move the role or roles to the domain controller that is shown. You cannot change this domain controller. If you want to move the role to a different domain controller, you must move the role after you complete the server metadata cleanup procedure.

To clean up server metadata by using Ntdsutil
1. Open a command prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Enterprise Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
ntdsutil

3. At the ntdsutil: prompt, type the following command, and then press ENTER:
metadata cleanup

4. At the metadata cleanup: prompt, type the following command, and then press ENTER:
remove selected server <ServerName>

Or
remove selected server <ServerName1> on <ServerName2>

Value                                               Description
ntdsutil                                            Initiates removal of objects that refer to a decommissioned domain controller.
metadata cleanup                                    Removes objects for a specified, decommissioned domain controller from a specified server.
remove selected server <ServerName> or <ServerName1>   The distinguished name of the domain controller whose metadata you want to remove, in the form cn=ServerName,cn=Servers,cn=SiteName,cn=Sites,cn=Configuration,dc=ForestRootDomain. If you specify only one server name, the objects are removed from the current domain controller.
on <ServerName2>                                    Specifies removing server metadata on <ServerName2>, the Domain Name System (DNS) name of the domain controller to which you want to connect. If you have identified replication partners in preparation for this procedure, specify a domain controller that is a replication partner of the removed domain controller.

5. In Server Remove Configuration Dialog, review the information and warning, and then click Yes to remove the server object and metadata.
At this point, Ntdsutil confirms that the domain controller was removed successfully. If you receive an error message that indicates that the object cannot be found, the domain controller might have been removed earlier.
6. At the metadata cleanup: and ntdsutil: prompts, type quit, and then press ENTER.
7. To confirm removal of the domain controller:
Open Active Directory Users and Computers. In the domain of the removed domain controller, click Domain Controllers. In the details pane, an object for the domain controller that you removed should not appear.
Open Active Directory Sites and Services. Navigate to the Servers container and confirm that the server object for the domain controller that you removed does not contain an NTDS Settings object. If no child objects appear below the server object, you can delete the server object. If a child object appears, do not delete the server object because another application is using the object.

See Also
Delete a Server Object from a Site

Delete a Server Object from a Site
When you remove a domain controller from service by uninstalling Active Directory Domain Services (AD DS), the domain controller object is removed from the domain directory partition automatically. You can check this deletion by looking in the Domain Controllers container in the Active Directory Users and Computers snap-in. The server object, which represents the domain controller in the configuration directory partition, can have child objects and is therefore not removed automatically. When no child objects are visible below the server object in Active Directory Sites and Services, you can use this procedure to remove the server object.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To delete a server object from a site
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue.
2. In the console tree, expand the Sites container, and then expand the site from which you want to delete a server object.
3. If no child objects appear below the server object, right-click the server object, and then click Delete.
Important
Do not delete a server object that has a child object. If an NTDS Settings object appears below the server object you want to delete, either replication on the domain controller on which you are viewing the configuration container has not occurred or the server whose server object you are removing has not been properly decommissioned. If a child object other than NTDS Settings appears below the server object that you want to delete, another application has published the object. You must contact an administrator for the application and determine the appropriate action to remove the child object.
4. Click Yes to confirm your choice.
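The checks in the two procedures above (computer object gone from Domain Controllers, server object without an NTDS Settings child, server object deleted only when it is empty), as an added PowerShell example that is not part of the guide. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later), where the guide itself uses the MMC snap-ins; the server and site names in the usage lines are constructed.

```powershell
# Added example, not from the guide. Assumes the ActiveDirectory PowerShell module.
Import-Module ActiveDirectory

function Test-DecommissionedDomainController {
    param(
        [Parameter(Mandatory)][string]$ServerName,   # DC computer name, e.g. DC2
        [Parameter(Mandatory)][string]$SiteName,     # site that holds its server object
        [switch]$DeleteServerObject                  # remove the server object only if it is empty
    )
    $rootDse  = Get-ADRootDSE
    $domainNc = $rootDse.defaultNamingContext
    $configNc = $rootDse.configurationNamingContext

    # Check 1: the computer object must be gone from the Domain Controllers container.
    $computer = Get-ADComputer -Filter "Name -eq '$ServerName'" `
        -SearchBase "OU=Domain Controllers,$domainNc" -SearchScope OneLevel

    # Check 2: the server object in the configuration partition may remain, but it
    # must not have an NTDS Settings child (objectClass nTDSDSA) or any other child.
    $serversContainer = "CN=Servers,CN=$SiteName,CN=Sites,$configNc"
    $server = Get-ADObject -Filter "objectClass -eq 'server' -and Name -eq '$ServerName'" `
        -SearchBase $serversContainer -SearchScope OneLevel
    $children = @()
    if ($server) {
        $children = @(Get-ADObject -Filter * -SearchBase $server.DistinguishedName -SearchScope OneLevel)
    }
    $ntds  = @($children | Where-Object ObjectClass -eq 'nTDSDSA')
    $other = @($children | Where-Object ObjectClass -ne 'nTDSDSA')

    $deleted = $false
    if ($DeleteServerObject -and $server -and $children.Count -eq 0) {
        # Safe to delete: no NTDS Settings object and nothing published by another application.
        Remove-ADObject -Identity $server.DistinguishedName -Confirm:$false
        $deleted = $true
    }

    [pscustomobject]@{
        ComputerObjectGone  = ($null -eq $computer)
        ServerObjectExists  = ($null -ne $server)
        NtdsSettingsPresent = ($ntds.Count -gt 0)   # metadata cleanup not done, or replication has not occurred yet
        OtherChildObjects   = @($other | ForEach-Object { "$($_.ObjectClass): $($_.Name)" })
        ServerObjectDeleted = $deleted
    }
}

# Constructed usage: report first, then delete once the report shows no child objects.
# Test-DecommissionedDomainController -ServerName 'DC2' -SiteName 'Branch01'
# Test-DecommissionedDomainController -ServerName 'DC2' -SiteName 'Branch01' -DeleteServerObject
```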

See Also
Decommissioning a Domain Controller
Forcing the Removal of a Domain Controller

Verify DNS Registration and TCP/IP Connectivity
You can use the Dcdiag command-line tests in this procedure to verify that a server can successfully connect to domain controllers in the same site or in the enterprise and to verify that Domain Name System (DNS) is functioning. By default, all Dcdiag tests verify TCP/IP connectivity for both IP version 4 (IPv4) and IP version 6 (IPv6).
Note
Dcdiag is installed with Active Directory Domain Services (AD DS) by default. To perform this test on a server that is not a domain controller, you must install Dcdiag. For information about installing Dcdiag, see Installing Remote Server Administration Tools for AD DS.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To verify DNS registration and TCP/IP connectivity
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, and then click OK.
2. At the command prompt, type the following command, and then press ENTER:
dcdiag /test:dns


Note
For a more detailed response from this command, add /v to the end of the command.

If the test fails, do not attempt any additional steps until you determine and fix the problem that prevents proper DNS functionality.

Verify the Availability of the Operations Masters
You can use this procedure to verify that the domain controllers that hold the operations master (also known as flexible single master operations or FSMO) roles can be located and that they are online and responding. You can use the tests in this procedure before you install Active Directory Domain Services (AD DS) as well as afterward. However, if you perform this procedure before you install AD DS, you must do the following:
• First, use Server Manager to add the Active Directory Domain Services server role. This part of the installation procedure installs the Dcdiag.exe command-line tool. Perform this procedure after you add the server role but before you run Dcpromo.exe.
• Use the /s command option to indicate the name of an existing domain controller in the domain of the new domain controller. This domain controller is required to verify the ability of the server to connect to operations master role holders in the domain and forest.
You do not have to use the /s option if you perform the test in this procedure after you install AD DS. The test automatically runs on the local domain controller where you are performing the test. The commands in this procedure show the /s option. If you are performing this test after you install AD DS, omit the /s option. For a more detailed response from this command, you can use the verbose option by adding /v to the end of the command.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To verify the availability of the operations masters
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command to ensure that the operations masters can be located, and then press ENTER:
dcdiag /s:<DomainControllerName> /test:knowsofroleholders /v


where <DomainControllerName> is the name of an existing domain controller in the domain in which you want to add the new domain controller. The verbose option provides a detailed list of the operations masters that were tested. Near the bottom of the screen, a message confirms that the test succeeded. If you use the verbose option, look carefully at the bottom part of the displayed output. The test confirmation message appears immediately after the list of operations masters.
3. Type the following command to ensure that the operations masters are functioning properly and available on the network, and then press ENTER:
dcdiag /s:<DomainControllerName> /test:fsmocheck

where <DomainControllerName> is the name of a domain controller in the domain in which you want to add the new domain controller. The verbose option provides a detailed list of the operations masters that were tested as well as other important servers, such as global catalog servers and time servers. Near the bottom of your screen, a message confirms that the test succeeded. If these tests fail, do not attempt any additional steps until you fix the problem that prevents the location of operations masters and you can verify that they are functioning properly.
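The Dcdiag checks from this procedure and the DNS procedure before it, run in order and stopped at the first failure as the guide instructs, as an added PowerShell example that is not part of the guide. It assumes dcdiag.exe is on the path (it is installed with the AD DS server role) and that, before AD DS is installed, you supply an existing domain controller for the /s option; the summary lines in the sample are constructed.

```powershell
# Added example, not from the guide. Wraps dcdiag.exe and reads its summary lines.

function ConvertFrom-DcdiagOutput {
    # Parse dcdiag's summary lines, e.g.
    #   "......................... DC1 passed test DNS"
    # into objects; verbose detail lines are ignored.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*\.+\s+(?<target>\S+)\s+(?<result>passed|failed)\s+test\s+(?<test>\S+)') {
            [pscustomobject]@{
                Target = $Matches['target']   # DC name, or the domain/forest for enterprise tests
                Test   = $Matches['test']
                Passed = ($Matches['result'] -eq 'passed')
            }
        }
    }
}

function Invoke-DcdiagTest {
    param(
        [Parameter(Mandatory)][string]$Test,   # DNS, KnowsOfRoleHolders or FsmoCheck
        [string]$SourceDC,                     # /s value; omit after AD DS is installed (dcdiag then runs locally)
        [switch]$Detailed                      # adds /v, as the guide describes
    )
    $dcdiagArgs = @("/test:$Test")
    if ($SourceDC) { $dcdiagArgs += "/s:$SourceDC" }
    if ($Detailed) { $dcdiagArgs += '/v' }
    # Stderr is merged so that a failure to start dcdiag itself shows up in Output.
    $raw = & dcdiag.exe @dcdiagArgs 2>&1 | ForEach-Object { "$_" }
    $results = @(ConvertFrom-DcdiagOutput -Lines $raw)
    [pscustomobject]@{
        Test    = $Test
        # No summary line at all counts as a failure, never as a pass.
        Passed  = ($results.Count -gt 0) -and (@($results | Where-Object { -not $_.Passed }).Count -eq 0)
        Results = $results
        Output  = ($raw -join "`n")
    }
}

function Test-NewDomainControllerPrerequisites {
    # Same order as the guide: DNS first, then locating the operations masters,
    # then checking that they respond. Returns the first failing result, or the
    # list of passed results when every test succeeded.
    param([string]$SourceDC)
    $passed = @()
    foreach ($test in 'DNS', 'KnowsOfRoleHolders', 'FsmoCheck') {
        $r = Invoke-DcdiagTest -Test $test -SourceDC $SourceDC
        if (-not $r.Passed) {
            Write-Warning "dcdiag /test:$test did not pass; fix this before continuing."
            return $r
        }
        $passed += $r
    }
    return $passed
}

# Constructed sample of dcdiag summary lines, so the parser can be tried without a DC:
$sample = @(
    '   Starting test: KnowsOfRoleHolders',
    '      ......................... DC1 passed test KnowsOfRoleHolders',
    '   Starting test: FsmoCheck',
    '      ......................... corp.example failed test FsmoCheck'
)
ConvertFrom-DcdiagOutput -Lines $sample | Format-Table -AutoSize

# Real run before AD DS is installed (constructed DC name):
# Test-NewDomainControllerPrerequisites -SourceDC 'DC1.corp.example'
```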

Install an Additional Domain Controller by Using the Windows Interface
You can use this procedure to add the Active Directory Domain Services (AD DS) server role to a server to create a domain controller in an existing domain. You can complete this procedure by using the Windows graphical user interface (GUI).
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To install an additional domain controller by using the Windows interface
1. Click Start, and then click Server Manager.
2. In Roles Summary, click Add Roles.
3. Review the information on the Before You Begin page, and then click Next.
4. On the Select Server Roles page, click Active Directory Domain Services, and then click Next.
5. Review the information on the Active Directory Domain Services page, and then click Next.
6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, click Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe).
8. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next. You can click Use advanced mode installation to see additional installation options. Specifically, click Use advanced mode installation if you want to install from media or identify the source domain controller for Active Directory replication.
9. On the Operating System Compatibility page, review the warning about the default security settings for Windows Server 2008 domain controllers, and then click Next.
10. On the Choose a Deployment Configuration page, click Existing forest, click Add a domain controller to an existing domain, and then click Next.
11. On the Network Credentials page, type the name of an existing domain in the forest where you plan to install the additional domain controller. Under Specify the account credentials to use to perform the installation, click My current logged on credentials or click Alternate credentials, and then click Set. In the Windows Security dialog box, provide the user name and password for an account that can install the additional domain controller. To install an additional domain controller, you must be a member of the Enterprise Admins group or the Domain Admins group. When you are finished providing credentials, click Next.
12. On the Select a Domain page, select the domain of the new domain controller, and then click Next.
13. On the Select a Site page, select a site from the list or select the option to install the domain controller in the site that corresponds to its IP address, and then click Next.
14. On the Additional Domain Controller Options page, make the following selections, and then click Next:
• DNS server: This option is selected by default so that your domain controller can function as a DNS server. If you do not want the domain controller to be a DNS server, clear this option.
Note
If you select the option to make this domain controller a DNS server, you might receive a message that indicates that a DNS delegation for the DNS server could not be created and that you should manually create a DNS delegation to the DNS server to ensure reliable name resolution. If you are installing an additional domain controller in either the forest root domain or a tree root domain, you do not have to create the DNS delegation. In this case, click Yes, and disregard the message.
• Global Catalog: This option is selected by default. It adds the global catalog, read-only directory partitions to the domain controller, and it enables global catalog search functionality.
• Read-only domain controller: This option is not selected by default. It makes the additional domain controller a read-only domain controller (RODC).
15. If you selected Use advanced mode installation on the Welcome page, the Install from Media page appears. You can provide the location of installation media to be used to create the domain controller and configure AD DS, or you can have all source replication occur over the network. Note that some data will be replicated over the network even if you install from media. For information about using this method to install the domain controller, see Installing an Additional Domain Controller by Using IFM.
16. If you selected Use advanced mode installation on the Welcome page, the Source Domain Controller page appears. Click Let the wizard choose an appropriate domain controller or click Use this specific domain controller to specify a domain controller that you want to provide as a source for replication to create the new domain controller, and then click Next. If you do not choose to install from media, all data will be replicated from this source domain controller.
17. On the Location for Database, Log Files, and SYSVOL page, type or browse to the volume and folder locations for the database file, the directory service log files, and the SYSVOL files, and then click Next. Windows Server Backup backs up the directory service by volume. For backup and recovery efficiency, store these files on separate volumes that do not contain applications or other nondirectory files.
18. On the Directory Services Restore Mode Administrator Password page, type and confirm the restore mode password, and then click Next. This password must be used to start AD DS in Directory Services Restore Mode (DSRM) for tasks that must be performed offline.
19. On the Summary page, review your selections. Click Back to change any selections, if necessary. To save the settings that you have selected to an answer file that you can use to automate subsequent Active Directory operations, click Export settings. Type the name for your answer file, and then click Save. When you are sure that your selections are accurate, click Next to install AD DS.
Note
If you are installing an additional domain controller in a child domain and you are using child domain credentials, the Windows Security dialog box appears because access is denied in the parent domain to update the DNS delegation in the parent zone. In this case, click the other user icon and provide administrator credentials for the parent domain, and then click OK.
20. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.
21. You can select Reboot on completion to have the server restart automatically, or you can restart the server to complete the installation of AD DS when you are prompted to do so.


See Also
Preparing for Active Directory Installation
Verifying Active Directory Installation

Verifying Active Directory Installation
There are several verification tasks that you can perform on a computer on which Active Directory Domain Services (AD DS) has been newly installed. Successfully completing the requirements of each verification task will provide a strong indication of a healthy, operational domain controller. The individual procedures in this task are provided so that you can test specific criteria to determine the health of an Active Directory installation. To thoroughly test the domain controller for all directory service issues, you can run the dcdiag /v command. The output of this command provides detailed information about the conditions on the domain controller. For information about using the Dcdiag.exe command-line tool, see Dcdiag.
Task requirements
The following tools are recommended to perform the procedures for this task:
• Active Directory Sites and Services
• DNS Manager
• Event Viewer
• Dcdiag.exe
• Ntdsutil.exe

To complete this task, perform the following procedures:
1. Determine Whether a Server Object Has Child Objects
2. Verify That an IP Address Maps to a Subnet and Determine the Site Association. Check that the new domain controller is located in the correct site so that the new domain controller can locate replication partners and become part of the replication topology.
3. Move a Server Object to a New Site. If you have performed an unattended installation and the domain controller was not placed in the site that you expected, you can move the server object to the correct site.
4. Configure DNS Server Forwarders
5. Complete all procedures for the Verifying DNS Configuration task.
6. Check the Status of the SYSVOL and Netlogon Shares
7. Verify DNS Registration and TCP/IP Connectivity
8. Verify a Domain Computer Account for a New Domain Controller
9. Verify Active Directory Replication
10. Verify the Availability of the Operations Masters

Administering Intersite Replication
This guide provides information about administering intersite replication of Active Directory objects in the Windows Server 2008 operating system.
In this guide
• Introduction to Administering Intersite Replication
• Managing Intersite Replication

Introduction to Administering Intersite Replication
This guide explains how to administer intersite replication. These administration activities are part of the operations phase of the information technology (IT) life cycle. If you are not familiar with this guide, review the following sections of this introduction.
A site object in Active Directory Domain Services (AD DS) represents a collection of IP subnets, usually constituting a physical local area network (LAN). Multiple sites are connected for replication by site link objects. Sites are used in AD DS to:
• Make it possible for clients to discover network resources (published shares, domain controllers, global catalog servers) that are close to the physical location of the client, reducing network traffic over wide area network (WAN) links.
• Optimize replication between domain controllers.
Managing sites in AD DS involves adding new subnet, site, and site link objects when the network grows, as well as configuring a schedule and cost for site links. You can modify the site link schedule, cost, or both to optimize intersite replication. When conditions no longer require replication to a site or clients no longer require the sites to discover network resources, you can remove the site and associated objects from AD DS.
Managing a large hub-and-spoke topology is beyond the scope of this documentation. For information about managing branch sites, see Planning and Deploying Read-Only Domain Controllers.

Optimizing replication between sites
The efficiency of replication between sites is optimized by cost settings on site links that favor replication routes between specific sites. The Knowledge Consistency Checker (KCC) uses site link configuration information to enable and optimize replication traffic by generating a least-cost replication topology. Within a site, for each directory partition, the KCC builds a ring topology that tries to set a maximum number of hops (three) between any two domain controllers. Between sites, the KCC on the domain controller that has the intersite topology generator (ISTG) role creates the topology based on site link cost.

Designing a simple replication topology is the best way to optimize replication. Adding sites and domains increases the processing that is required by the KCC. Before adding to the site topology, be sure to review the guidelines in Adding a New Site. For information about topology design, see Designing the Site Topology for Windows Server 2008 AD DS.

Effects of site link bridging
By default, all site links are bridged. When site links are bridged, replication is transitive between sites and the costs that are assigned to site links are cumulative; the lowest-cost route between sites that have more than one site link is the route that replication takes. By default, site link costs are equal, with a cost of 100 on each new site link. For this reason, with no changes to the default site link cost, a hub-and-spoke topology favors the replication route between the hub site and each branch site, rather than between branch sites. The cost to replicate to and from two branch sites is always higher than the cost to replicate to and from the hub site. Therefore, replication between branch sites occurs only if no domain controller for the domain is available in the hub site.

Effects of disabling site link bridging
If you disable the Bridge all site links setting in the properties of the IP container in Active Directory Sites and Services, the ability of the ISTG to create the topology on the basis of cost is disabled. In addition, Distributed File System (DFS) cannot compute the cost matrix for its site-costing functionality. Therefore, if you disable site link bridging and you are using File Replication Service (FRS) to replicate DFS replicas, which include the SYSVOL share, the DFS site-costing ability is also disabled.
Note
DFS Replication, which is available in domains that are at the Windows Server 2008 domain functional level, uses the replication topology that is defined by the administrator, which is independent of Active Directory site costing.
If you turn off site link bridging, you must create site link bridges manually. For information about using manual site link bridges, see Creating a Site Link Bridge Design.
Note
When you use FRS to replicate DFS replicas, you can maintain DFS site-costing functionality with Bridge all site links turned off. When the forest functional level is at least Windows Server 2003 or Windows Server 2003 interim and the ISTG in a site is running Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), Windows Server 2003 R2, or Windows Server 2008, you can use a site option to turn off automatic site link bridging for KCC operation without hampering the ability of DFS to use Intersite Messaging to calculate the cost matrix. This site option is set when you run the command repadmin /siteoptions +W2K3_BRIDGES_REQUIRED. For more information about the effects of disabling site link bridging, see How Active Directory Replication Topology Works.
Do not disable Bridge all site links unless you are deploying a branch office environment. For information about branch office deployments, see "RODC Placement Considerations" in Planning and Deploying Read-Only Domain Controllers.

Optimizing domain controller location
Two new Group Policy settings are available on domain controllers that are running Windows Server 2008: Try Next Closest Site and Force Rediscovery Interval. These settings help Windows Vista and Windows Server 2008 clients in the domain to locate domain controllers in the next closest site if no domain controller in their own site is available. These settings improve domain controller discovery by controlling how the domain controller locator (DC Locator) process operates.

Finding the next closest site
By default, when a client requests a domain controller, the DC Locator process locates a domain controller in the site of the client. If no domain controller is available in the site, DC Locator returns any domain controller in the domain. If the domain controller is located in another branch site instead of the hub site, communication with the domain controller might be significantly slow. The Try Next Closest Site Group Policy setting in the Default Domain Policy can improve the location of domain controllers by clients that are running Windows Server 2008 or Windows Vista. The Try Next Closest Site Group Policy setting uses site link cost values to determine the next closest site to the site of the client. Try Next Closest Site can affect how you configure site link costs because it affects the order in which domain controllers are located. For enterprises that have many hub sites and branch offices, you can significantly reduce Active Directory traffic on the network by ensuring that clients fail over to the next closest hub site when they cannot find a domain controller in the closest hub site. For more information, see Enabling Clients to Locate the Next Closest Domain Controller (http://go.microsoft.com/fwlink/?LinkId=120711).

Forcing domain controller rediscovery
In addition to finding a domain controller in the next closest site, a new Group Policy setting in Windows Server 2008 ensures that a client that is running Windows Vista or Windows Server 2008 finds a new domain controller that might have been introduced since the last domain controller location. On domain controllers that are running Windows Server 2008, the Force Rediscovery Interval Group Policy setting forces a new domain controller location every 12 hours (43200 seconds) by default. You can change the time limit for rediscovery by enabling the setting and specifying a new time in seconds.
By default, clients cache the last domain controller that was returned by DC Locator. On clients that are running Windows XP or Windows Server 2003, even if the domain controller that was last located is in a distant site, DC Locator continues to return the cached domain controller on each subsequent request. The cache is updated only if the cached domain controller is unavailable or the client restarts. For domain clients that are running Windows XP and Windows Server 2003, a hotfix is available that makes the registry setting available for this Group Policy setting. For information about downloading and using this hotfix, see the article in the Microsoft Knowledge Base that describes this hotfix.

Improving the logon experience in branch sites
Branch sites often contain only a single domain controller that might not be a global catalog server. Perhaps replication of global catalog updates is considered to be prohibitive as a result of poor or unreliable bandwidth between the branch site and the nearest hub site. When the global catalog is required for domain logon and there is no global catalog server in the site, the domain controller must contact a global catalog server in another site. The global catalog is required when a domain user logs on interactively to a domain under the following conditions:
• The user's domain has a domain functional level of Windows 2000 native, Windows Server 2003, or Windows Server 2008. In these cases, the user might belong to a universal group whose object is stored in a different domain. Only the global catalog stores universal group memberships for all domains in the forest.
• The user's logon name is a user principal name (UPN), which has the format sAMAccountName@DNSDomainName. In this case, the Domain Name System (DNS) domain suffix is not necessarily the user's domain and the identity of the user's domain must be retrieved from a global catalog server.
In Windows Server 2008, the best solution to this branch site scenario is to deploy a read-only domain controller (RODC) that is a global catalog server. In this case, although the global catalog must be replicated to the site, access to universal group memberships is always local and the logon experience is consistent. In addition, RODCs provide more security against compromise than regular domain controllers because they are not writable. For information about deploying RODCs that are global catalog servers, see Planning and Deploying Read-only Domain Controllers.
As an alternative to deploying the global catalog in the branch site, you can enable Universal Group Membership Caching, which means that the domain controller contacts the global catalog server only once for each user and that it caches all universal group memberships, rather than having to retrieve them at each logon. For more information about Universal Group Membership Caching, see How the Global Catalog Works (http://go.microsoft.com/fwlink/?LinkId=107063). For information about using Universal Group Membership Caching, see Enabling Universal Group Membership Caching in a Site.

See Also
Managing Intersite Replication

Managing Intersite Replication
This section includes the following tasks for managing intersite replication:
• Adding a New Site
• Linking Sites for Replication
• Changing Site Link Properties
• Enabling Clients to Locate the Next Closest Domain Controller
• Moving a Domain Controller to a Different Site
• Enabling Universal Group Membership Caching in a Site
• Forcing Replication
• Removing a Site

Adding a New Site
Design teams or network architects might want to add site objects in Active Directory Domain Services (AD DS) as part of ongoing deployment. Although you typically create subnets to accommodate all address ranges in the network, you do not have to create sites for every location. Generally, sites are required for those locations that have domain controllers or other servers that run applications, such as Distributed File System (DFS), that depend on site topology. When a site is needed, the design team typically provides details about the placement and configuration of site links for the new site, as well as subnet assignments or creation if subnets are needed.
If a new range of IP addresses is added to the network, create a subnet object in AD DS to correspond to the range of IP addresses. When you use Active Directory Sites and Services to create a new subnet object, you are required to associate the subnet with a site object. You can either associate the subnet with an existing site or create a new site first and then create the subnet and associate it with the new site. If a domain client has an IP address that does not map to a site, the client might be connected to a domain controller that is potentially far away from the client, causing slow responses for the client.
Note
When a domain client that has an IP address in a subnet that is not defined in AD DS connects to a domain controller, NETLOGON Event ID 5807 is generated in the System event log. The event indicates that clients have connected to the domain controller with IP addresses that do not map to a site. The text in the event provides instructions for determining the names and IP addresses of the client computers by searching the Netlogon.log file.
Task requirements
The following is required to perform the procedures for this task:
• Active Directory Sites and Services

To complete this task, perform the following procedures:
1. Create a Site Object and Add it to an Existing Site Link
2. Associate a range of IP addresses with the site by using either of the following methods:
• Create a Subnet Object or Objects and Associate them with a Site
• Associate an Existing Subnet Object with a Site
3. If you are creating both a new site and a new site link, after you create the new site and add it to an existing site link, Create a Site Link Object and Add the Appropriate Sites. Then, remove the site from the first site link that you added it to when you created the site, if appropriate.
4. Remove a Site from a Site Link

Create a Site Object and Add it to an Existing Site Link
To create a new site in your forest, you must create a site object in Active Directory Domain Services (AD DS) and then add the site object to a site link. You can use this procedure to create a site object and add it to an existing site link.
Membership in the Enterprise Admins group in the forest or the Domain Admins group in the forest root domain, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To create a site object and add it to an existing site link
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Right-click the Sites container, and then click New Site.
3. In Name, type the name of the site.
4. In Link Name, click a site link for this site, and then click OK.
5. In Active Directory Domain Services, read the information, and then click OK.

See Also
Create a Subnet Object or Objects and Associate them with a Site
Moving a Domain Controller to a Different Site

768

Create a Subnet Object or Objects and Associate them with a Site
If you create a new site or if you enlarge an existing site, you can use this procedure to create a subnet object or objects and associate them with the site in Active Directory Domain Services (AD DS). You assign the appropriate network prefix to the subnet object so that it represents a range of TCP/IP addresses. To accomplish this procedure, you must have the following information:
• The site with which the subnet is to be associated.
• The IP version 4 (IPv4) or IP version 6 (IPv6) subnet prefix.

Membership in the Enterprise Admins group in the forest or the Domain Admins group in the forest root domain, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To create a subnet object or objects and associate them with a site
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand the Sites container, right-click Subnets, and then click New Subnet.
3. In New Object - Subnet, in Prefix, type the IPv4 or IPv6 subnet prefix for the subnet.
4. In Select a site object for this prefix, click the site to be associated with the subnet, and then click OK.

Associate an Existing Subnet Object with a Site
You can use this procedure to associate an existing subnet object with a site. A subnet object identifies a range of IP addresses that map the computers in that range to the site with which the subnet is associated in Active Directory Domain Services (AD DS). Associate an existing subnet with a site under the following conditions:
• When you are removing the site with which the subnet is currently associated
• When you have temporarily associated the subnet with a different site and you want to associate the subnet with its permanent site

Membership in Enterprise Admins in the forest or Domain Admins in the forest root domain, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To associate an existing subnet object with a site
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand the Sites container, and then click the Subnets container.
3. In the details pane, right-click the subnet that you want to associate with a site, and then click Properties.
4. In Site, click the site with which to associate the subnet, and then click OK.

Create a Site Link Object and Add the Appropriate Sites
You can use this procedure to create a site link object and add the appropriate sites to it. When your network grows, you might add a site or sites in Active Directory Domain Services (AD DS) that you want to link to another site or sites for replication. If there is no existing site link to connect a site to the site with which its domain controllers replicate, use this procedure to create a site link object in the IP container in AD DS, and add the appropriate sites to the link. To link sites for replication, create a site link object in the container for the intersite transport that will replicate the site, and then add the sites to it.

Membership in the Enterprise Admins group in the forest or the Domain Admins group in the forest root domain, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To create a site link object
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Expand Sites, and then expand Inter-Site Transports.
3. Right-click IP, and then click New Site Link.
4. In Name, type a name for the site link.
5. In Sites not in this site link, click a site that you want to add to the site link. Hold down the SHIFT key to click a second site that is adjacent in the list, or hold down the CTRL key to click a second site that is not adjacent in the list.
6. After you select all the sites that you want to add to the site link, click Add, and then click OK.

Remove a Site from a Site Link
If you change the site topology and want to remove a site from a site link, or if you are removing a site from the enterprise, you can use this procedure to remove a site from a site link in Active Directory Domain Services (AD DS). A site can be a member of more than one site link, so if you are moving a site to a different site link rather than adding one, add the site to the new site link first and then remove it from its current site link; a site that belongs to no site link has no intersite replication path.

Membership in Enterprise Admins in the forest or Domain Admins in the forest root domain, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To remove a site from a site link
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand the Sites container and then the Inter-Site Transports container.
3. Click IP. In the details pane, right-click the site link from which you want to remove a site, and then click Properties.
4. In Sites in this site link, click the site that you want to remove from the site link.
5. Click Remove, and then click OK.
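The four procedures of the "Adding a New Site" task, done with the ActiveDirectory module of Windows PowerShell instead of the Sites and Services snap-in. This is an added example, not part of the original guide; the new site "Boston", the existing site "Seattle", the existing link DEFAULTIPSITELINK, the new link SEA-BOS and the range 10.20.0.0/16 are hypothetical. It assumes Enterprise Admins (or equivalent) and an RSAT installation with the ActiveDirectory module.

```powershell
# Added example (not from the original guide): the "Adding a New Site" task in PowerShell.
Import-Module ActiveDirectory

$NewSite      = 'Boston'              # hypothetical names and ranges
$ExistingSite = 'Seattle'
$ExistingLink = 'DEFAULTIPSITELINK'
$NewLink      = 'SEA-BOS'             # naming convention from "Creating site links"
$NewSubnets   = @('10.20.0.0/16')     # IPv4 or IPv6 prefixes

# 1. Create the site object. The cmdlet has no site-link parameter, so the site is added to an
#    existing link straight away: a site in no link has no intersite replication path.
New-ADReplicationSite -Name $NewSite -Description 'Boston office'
Set-ADReplicationSiteLink -Identity $ExistingLink -SitesIncluded @{ Add = $NewSite }

# 2. Map the IP ranges to the site. A prefix that already exists as a subnet object is
#    re-pointed (the "associate an existing subnet" procedure) instead of failing creation.
foreach ($prefix in $NewSubnets) {
    if (Get-ADReplicationSubnet -Filter "Name -eq '$prefix'") {
        Set-ADReplicationSubnet -Identity $prefix -Site $NewSite
    } else {
        New-ADReplicationSubnet -Name $prefix -Site $NewSite -Location 'Boston, MA'
    }
}

# 3. Create the dedicated site link (100 and 180 are the default cost and interval), then take
#    the new site out of the temporary link only once the new link contains it (task step 4).
New-ADReplicationSiteLink -Name $NewLink -SitesIncluded $ExistingSite, $NewSite `
    -Cost 100 -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP
Set-ADReplicationSiteLink -Identity $ExistingLink -SitesIncluded @{ Remove = $NewSite }

# 4. Verify: the site must belong to at least one link, and every new prefix must map to it.
$siteDn = (Get-ADReplicationSite -Identity $NewSite).DistinguishedName
$links  = Get-ADReplicationSiteLink -Filter * | Where-Object { $_.SitesIncluded -contains $siteDn }
if (-not $links) { throw "$NewSite is not a member of any site link; intersite replication will not occur." }
foreach ($prefix in $NewSubnets) {
    $subnet = Get-ADReplicationSubnet -Identity $prefix
    if ($subnet.Site -ne $siteDn) { throw "Subnet $prefix maps to '$($subnet.Site)', not to $NewSite" }
}
"{0} is linked via: {1}" -f $NewSite, (($links | ForEach-Object Name) -join ', ')
```

The order in step 3 matters: removing the site from the old link before the new link exists leaves a window in which the site has no intersite connection, and the ISTG will tear down its connection objects on the next KCC run.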

Linking Sites for Replication
Linking sites is required for Active Directory replication to occur between sites. Plan your site topology and then implement the plan by creating sites and site links. For information about planning your site topology, see Designing the Site Topology for Windows Server 2008 AD DS (http://go.microsoft.com/fwlink/?LinkId=89026).

Creating site links
To link sites for Active Directory replication, create a site link object in the IP transport container in Active Directory Domain Services (AD DS) and add two or more sites to the link. Use a naming convention that includes the sites that you are linking. For example, if you want to link the site named Seattle to the site named Boston, you might name the site link SEA-BOS. After you add two or more site names to a site link object, the bridgehead servers in the respective sites replicate between the sites according to the replication schedule, cost, and interval settings on the site link object. For information about modifying the default settings, see Changing Site Link Properties.

At least two sites must exist when you create a site link. If you are adding a site link to connect a new site to an existing site, create the new site first and then create the site link. For information about creating a site, see Adding a New Site.

Selecting bridgehead servers
By default, the intersite topology generator (ISTG) selects bridgehead servers in a site automatically. We recommend that you allow the ISTG to perform bridgehead server selection. However, if you want to ensure that only certain domain controllers in the sites you are linking perform replication between sites, you can designate preferred bridgehead servers in the site.

Note
If you have selected one or more bridgehead servers, removing them all from the bridgehead servers list restores the automatic selection functionality to the ISTG.

Use the following guidelines when you select bridgehead servers:
• Selecting preferred bridgehead servers limits the bridgehead servers that the Knowledge Consistency Checker (KCC) can use to those bridgehead servers that you have selected. If you use Active Directory Sites and Services to select any preferred bridgehead servers at all in a site, you must select as many bridgehead servers as possible and you must select them for all domains that must be replicated to a different site.
• If a site contains a global catalog server, select the global catalog server as a preferred bridgehead server.

When you use preferred bridgehead servers, the following problems can occur:
• If you select preferred bridgehead servers for a domain and all preferred bridgehead servers for that domain become unavailable, replication of that domain to and from that site does not occur.
• If you select a non-global-catalog server but a global catalog server currently exists in the site, or the global catalog is subsequently added to another domain controller in the site, the global catalog server cannot receive updates of read-only domain directory partitions for any domain that does not have a selected bridgehead server in the site.

Task requirements
The following is required to perform the procedures for this task:
• Active Directory Sites and Services

To complete this task, perform the following procedures:
1. Create a Site Link Object and Add the Appropriate Sites
2. By default, the KCC runs every 15 minutes to generate the replication topology. To generate the intersite topology immediately, perform the following two procedures:
• Determine the ISTG Role Owner for a Site
• Generate the Replication Topology on the ISTG
3. If you are designating servers that will perform intersite replication, you can Designate a Server as a Preferred Bridgehead Server.


Determine the ISTG Role Owner for a Site
The Intersite Topology Generator (ISTG) is the domain controller in each site that is responsible for generating the intersite topology. If you want to regenerate the intersite topology, you must determine the identity of the ISTG role owner in a site. You can use this procedure to view the NTDS Site Settings object properties and determine the ISTG role owner for the site.

Membership in Domain Users, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To determine the ISTG role owner for a site
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, click the site object whose ISTG role owner you want to determine.
3. In the details pane, right-click the NTDS Site Settings object, and then click Properties. The current role owner appears in the Server box under Inter-Site Topology Generator.

Generate the Replication Topology on the ISTG
You can use this procedure to generate the intersite replication topology on the intersite topology generator (ISTG). The Knowledge Consistency Checker (KCC) generates the Active Directory replication topology on every domain controller. The KCC runs by default every 15 minutes. You can force the KCC to run on any domain controller. The topology that is generated depends on the domain controller on which you run the command. You can force the KCC to run as follows:
• To generate the intersite replication topology, run the KCC on the domain controller in the site that holds the ISTG role.
• To generate the intrasite replication topology for a domain controller, run the KCC on that domain controller; every domain controller, including the ISTG, generates its own intrasite connections.

Note
To generate the replication topology on the ISTG, you must first complete the procedure: Determine the ISTG Role Owner for a Site.

Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To generate the replication topology on the ISTG
1. Determine the server that holds the ISTG role for the site.
2. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
3. In the console tree, expand Sites, and then expand the site that contains the ISTG on which you want to run the KCC.
4. Expand Servers, and then click the Server object for the ISTG.
5. In the details pane, right-click NTDS Settings, click All Tasks, and then click Check Replication Topology.
6. In the Check Replication Topology message box, click OK.

Designate a Server as a Preferred Bridgehead Server
You can use this procedure to designate a server as a preferred bridgehead server. If you want to manually select the domain controllers that can replicate between sites, use the server object properties to designate a preferred bridgehead server on the IP transport. If you use preferred bridgehead servers, make sure to designate more than one preferred bridgehead server in the site and designate at least one preferred bridgehead server for each domain that is replicated to another site. Before you perform this procedure, review the information about the effects of selecting bridgehead servers in Linking Sites for Replication.

Membership in Enterprise Admins or Domain Admins in the forest root domain, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To designate a preferred bridgehead server
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand Sites, and then expand the site of the preferred bridgehead server.
3. Expand Servers to display the list of domain controllers that are currently configured for that site.
4. Right-click the server that you want to designate as a preferred bridgehead server, and then click Properties.
5. In Transports available for inter-site data transfer, click IP.
6. Click Add, and then click OK.
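Steps 2 and 3 of the "Linking Sites for Replication" task (find the ISTG, run the KCC on it, designate a preferred bridgehead) from Windows PowerShell, followed by a check of the guideline that every domain with domain controllers in the site needs its own preferred bridgehead once any is set. This is an added example, not part of the original guide. The site "Boston" and the server "BOS-DC01" are hypothetical; it assumes the ActiveDirectory module, repadmin.exe, and Enterprise Admins for the write steps. The ISTG comes from the interSiteTopologyGenerator attribute of the NTDS Site Settings object, and the snap-in's "Transports available for inter-site data transfer" list edits the server object's bridgeheadTransportList attribute.

```powershell
# Added example (not from the original guide): ISTG lookup, KCC run, preferred bridgehead.
Import-Module ActiveDirectory

$Site   = 'Boston'        # hypothetical
$Server = 'BOS-DC01'      # hypothetical
$configNc      = (Get-ADRootDSE).configurationNamingContext
$ipTransportDn = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNc"

function Get-SiteIstg {
    # interSiteTopologyGenerator holds the DN of the ISTG's NTDS Settings object; its parent is the server.
    param([Parameter(Mandatory)][string]$SiteName)
    $settingsDn = (Get-ADReplicationSite -Identity $SiteName -Properties InterSiteTopologyGenerator).InterSiteTopologyGenerator
    if (-not $settingsDn) { throw "No ISTG recorded for site $SiteName" }
    $serverDn = ($settingsDn -split ',', 2)[1]          # strip the leading "CN=NTDS Settings,"
    (Get-ADObject -Identity $serverDn -Properties dNSHostName).dNSHostName
}

# Regenerate the intersite topology now instead of at the next 15-minute KCC interval.
$istg = Get-SiteIstg -SiteName $Site
"ISTG for $Site is $istg"
repadmin.exe /kcc $istg
if ($LASTEXITCODE -ne 0) { throw "repadmin /kcc failed on $istg (exit code $LASTEXITCODE)" }

# Designate the server as a preferred bridgehead for the IP transport (idempotent).
$serverObjDn = (Get-ADDomainController -Identity $Server).ServerObjectDN
$current = (Get-ADObject -Identity $serverObjDn -Properties bridgeheadTransportList).bridgeheadTransportList
if ($current -notcontains $ipTransportDn) {
    Set-ADObject -Identity $serverObjDn -Add @{ bridgeheadTransportList = $ipTransportDn }
}

# Guideline check from "Selecting bridgehead servers": once any preferred bridgehead exists in
# the site, each domain with DCs there needs at least one (and should have more than one), or
# that domain stops replicating intersite as soon as its only preferred bridgehead is down.
$dcsInSite = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain | Where-Object { $_.Site -eq $Site }
}
$preferred = $dcsInSite | Where-Object {
    (Get-ADObject -Identity $_.ServerObjectDN -Properties bridgeheadTransportList).bridgeheadTransportList -contains $ipTransportDn
}
if ($preferred) {
    foreach ($group in ($dcsInSite | Group-Object Domain)) {
        $domainName = $group.Name
        $count = @($preferred | Where-Object { $_.Domain -eq $domainName }).Count
        if ($count -eq 0)     { Write-Warning "$domainName has DCs in $Site but no preferred bridgehead: it will not replicate intersite" }
        elseif ($count -eq 1) { Write-Warning "$domainName has a single preferred bridgehead in $Site: no failover" }
    }
}
# To hand selection back to the ISTG, clear the attribute on every server object in the site:
#   Set-ADObject -Identity <serverDn> -Clear bridgeheadTransportList
```

The attribute edit is equivalent to the snap-in's Add button; reading it back across every domain controller of every domain in the site is what the snap-in does not do for you, and it is the check that catches a second domain silently losing its intersite replication.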

Changing Site Link Properties
To control which sites replicate directly with each other, and when, you can use the cost, schedule, and interval properties on the site link object in Active Directory Domain Services (AD DS). For information about how to design the site topology, see Designing the Site Topology for Windows Server 2008 AD DS (http://go.microsoft.com/fwlink/?LinkId=89026).

These settings control intersite replication, as follows:
• Schedule: The time during which replication can occur. The default setting allows replication at all times.
• Interval: The number of minutes between replication polling by intersite replication partners within the open schedule window. The default setting is every 180 minutes.
• Cost: The relative priority of the link. The default setting is 100. Lower relative cost increases the priority of the link over other, higher-cost links.

Consult your design documentation for information about the values to set for site link properties.

Task requirements
The following is required to perform the procedures for this task:
• Active Directory Sites and Services

To complete this task, perform the following procedures:
1. Configure the Site Link Schedule to Identify Times During Which Intersite Replication Can Occur
2. Configure the Site Link Interval to Identify How Often Replication Polling Can Occur During the Schedule Window
3. Configure the Site Link Cost to Establish a Priority for Replication Routing
4. To generate the intersite topology, perform the following procedures:
a. Determine the ISTG Role Owner for a Site
b. Generate the Replication Topology on the ISTG

Configure the Site Link Schedule to Identify Times During Which Intersite Replication Can Occur
If you need to change the schedule for Active Directory replication between sites, configure the site link object in Active Directory Domain Services (AD DS). Use the properties on the site link object to define when replication is allowed to occur between the bridgehead servers in the sites that are assigned to the site link. You can use this procedure to configure the site link schedule. Obtain the site link schedule from your design team.

Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To configure the site link schedule
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand Sites and Inter-Site Transports, and then click IP.
3. In the details pane, right-click the site link object that you want to configure, and then click Properties.
4. In the SiteLinkName Properties dialog box, click Change Schedule.
5. In the Schedule for SiteLinkName dialog box, select the block of days and hours during which you want replication to occur or not occur (that is, be available or not available), and then click the appropriate option.
6. Click OK twice.

Configure the Site Link Interval to Identify How Often Replication Polling Can Occur During the Schedule Window
Bridgehead servers initiate intersite replication by polling their replication partners. You configure the polling interval on the site link object in Active Directory Domain Services (AD DS). You can use this procedure and the properties on the site link object to determine how often during the available replication schedule you want bridgehead servers to poll their intersite replication partners for changes. Obtain the interval value from your design team.

Note
Intersite connection objects also have a schedule; they inherit their schedule and interval from the site link object.

Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To configure the site link interval
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand Sites and Inter-Site Transports, and then click IP.
3. In the details pane, right-click the site link object that you want to configure, and then click Properties.
4. In Replicate every ____ minutes, specify the number of minutes for the intervals at which replication polling occurs during an open schedule, and then click OK.

Configure the Site Link Cost to Establish a Priority for Replication Routing
The cost setting on a site link object determines the likelihood that replication occurs over a particular route between two sites. Replication routes with the lowest cumulative cost are preferred. You can use this procedure to configure replication cost on the site link object in Active Directory Domain Services (AD DS). When you create or modify site links, use the site link object properties to configure the relative cost of using the site link. To perform this procedure, you must have site topology information that includes the cost values for the site links that you want to manage. The cost that you set in this procedure must be determined relative to existing or planned costs of other site links. You can use any range of numbers; only their relative values (higher or lower) are important.

Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To configure the site link cost
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand Sites and Inter-Site Transports, and then click IP.
3. In the details pane, right-click the site link object that you want to configure, and then click Properties.
4. In Cost, specify the number for the comparative cost of using the site link, and then click OK.
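The three procedures of the "Changing Site Link Properties" task in one Windows PowerShell script, as an added example that is not part of the original guide. The link name SEA-BOS, the 20:00 to 06:00 window, the 60-minute interval and the cost of 200 are hypothetical values standing in for the design team's numbers. The schedule is built with the System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule class, which is what the snap-in's schedule grid writes into the site link's schedule attribute; the script assumes the ActiveDirectory module and Enterprise Admins.

```powershell
# Added example (not from the original guide): site link schedule, interval and cost.
Import-Module ActiveDirectory

$Link     = 'SEA-BOS'   # hypothetical
$Interval = 60          # minutes between polls inside the open window (default 180)
$Cost     = 200         # only relative to the other links (default 100); lower is preferred

# The schedule attribute is a bitmap of 7 days x 24 hours x 4 quarter-hours. ResetSchedule()
# closes every slot; SetDailySchedule() opens one range on all seven days, and the end time is
# the last quarter-hour that stays open, so an overnight 20:00-06:00 window is two ranges.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()
$schedule.SetDailySchedule('Twenty', 'Zero', 'TwentyThree', 'FortyFive')   # 20:00-24:00
$schedule.SetDailySchedule('Zero',   'Zero', 'Five',        'FortyFive')   # 00:00-06:00

Set-ADReplicationSiteLink -Identity $Link -ReplicationSchedule $schedule `
    -ReplicationFrequencyInMinutes $Interval -Cost $Cost

function Get-SiteLinkSummary {
    # Read the settings back from AD DS and summarise them; a missing schedule means "always".
    param([Parameter(Mandatory)][string]$Name)
    $l = Get-ADReplicationSiteLink -Identity $Name -Properties ReplicationSchedule, Cost, ReplicationFrequencyInMinutes
    $openSlots = 0
    if ($l.ReplicationSchedule) {
        foreach ($slot in $l.ReplicationSchedule.RawSchedule) { if ($slot) { $openSlots++ } }
    } else {
        $openSlots = 7 * 24 * 4
    }
    [pscustomobject]@{
        Link            = $l.Name
        Cost            = $l.Cost
        IntervalMinutes = $l.ReplicationFrequencyInMinutes
        OpenHoursPerDay = $openSlots / 4 / 7
        Sites           = ($l.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', '
    }
}
Get-SiteLinkSummary -Name $Link
# The new values are used when the ISTG next runs the KCC (within 15 minutes), or immediately
# after:  repadmin /kcc <istg-host>
```

With the values above the summary shows 10 open hours per day. Before closing a schedule, weigh what the closed hours delay: every change, including account disables and group membership removals, waits for the next open window to reach the other site; only password changes are exempt, because the domain controller forwards them to the PDC emulator directly rather than through scheduled replication.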


Enabling Clients to Locate the Next Closest Domain Controller
In a Windows Server 2008 domain, you can make it possible for client computers that run Windows Vista or Windows Server 2008 to locate domain controllers more efficiently by enabling the Try Next Closest Site Group Policy setting. This setting improves the Domain Controller Locator (DC Locator) by helping to streamline network traffic, especially in large enterprises that have many branch offices and sites.

This new setting can affect how you configure site link costs because it affects the order in which domain controllers are located. For enterprises that have many hub sites and branch offices, you can significantly reduce Active Directory traffic on the network by ensuring that clients fail over to the next closest hub site when they cannot find a domain controller in the closest hub site.

As a general best practice, you should simplify your site topology and site link costs as much as possible if you enable the Try Next Closest Site setting. In enterprises with many hub sites, this can simplify any plans that you make for handling situations in which Windows Vista or Windows Server 2008 clients in one site need to fail over to a domain controller in another site.

By default, the Try Next Closest Site setting is not enabled. When the setting is not enabled, DC Locator uses the following algorithm to locate a domain controller:
• Try to find a domain controller in the same site.
• If no domain controller is available in the same site, try to find any domain controller in the domain.

Note
This is the same algorithm that DC Locator used in previous versions of Active Directory. For more information, see How DNS Support for Active Directory Works.

If you enable the Try Next Closest Site setting, DC Locator uses the following algorithm to locate a domain controller:
• Try to find a domain controller in the same site.
• If no domain controller is available in the same site, try to find a domain controller in the next closest site. A site is closer if the cumulative site-link cost to reach it is lower than the cost to reach the other sites.
• If no domain controller is available in the next closest site, try to find any domain controller in the domain.

By default, DC Locator does not consider any site that contains a read-only domain controller (RODC) when it determines the next closest site. For example, assume that a site topology has four sites with the site link values in the following illustration. In this example, all the domain controllers are writable domain controllers.


When the Try Next Closest Site Group Policy setting is enabled in this example, if a Windows Vista or Windows Server 2008 client computer in Site_B tries to locate a domain controller, it first tries to find a domain controller in its own Site_B. If none is available in Site_B, it tries to find a domain controller in Site_A. If the setting is not enabled, the Windows Vista or Windows Server 2008 client tries to find a domain controller in Site_A, Site_C, or Site_D if no domain controller is available in Site_B.

To apply the Try Next Closest Site setting, you can create a Group Policy object (GPO) and link it to the appropriate object for your organization, or you can modify the Default Domain Policy to have it affect all Windows Vista and Windows Server 2008 clients in the domain. For more information about how to set the Try Next Closest Site setting, see Enable Clients to Locate a Domain Controller in the Next Closest Site.
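The following Windows PowerShell script is an added example, not part of the original guide: it computes, for each site, the next closest site that the algorithm described above would fall back to, by running a shortest-path search over the site links and excluding sites that have no writable domain controller for the domain (the RODC exclusion in the text). The four-site topology, its costs and the list of sites with writable DCs are constructed for the example, since the guide's illustration is not reproduced on this page. It assumes that site links are bridged (the default "Bridge all site links" behaviour), so that cost adds up across links; with bridging disabled only explicit site link bridges would count. A comment shows how to take the links from a real forest instead.

```powershell
# Added example (not from the original guide): which site is "next closest" for each site.

# Constructed topology: every site in a link is directly reachable from every other site in
# that link at the link's cost. Site_D is reachable cheaply from Site_B but hosts only an RODC.
$links = @(
    @{ Name = 'HUB-A-B'; Cost = 100; Sites = @('Site_A', 'Site_B') },
    @{ Name = 'HUB-A-C'; Cost = 200; Sites = @('Site_A', 'Site_C') },
    @{ Name = 'B-D';     Cost = 50;  Sites = @('Site_B', 'Site_D') }
)
$writableDcSites = @('Site_A', 'Site_C')    # constructed: sites that hold a writable DC for the domain
# From a real forest (ActiveDirectory module):
#   $links = Get-ADReplicationSiteLink -Filter * | ForEach-Object {
#       @{ Name = $_.Name; Cost = $_.Cost; Sites = @($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) } }
#   $writableDcSites = (Get-ADDomainController -Filter { IsReadOnly -eq $false }).Site | Sort-Object -Unique

function Get-SiteCosts {
    # Dijkstra over the site-link graph from one site; returns a hashtable site -> cumulative cost.
    param([Parameter(Mandatory)][string]$From, [Parameter(Mandatory)][object[]]$Links)
    $dist = @{ $From = 0 }
    $done = @{}
    while ($true) {
        $current = $dist.Keys | Where-Object { -not $done[$_] } | Sort-Object { $dist[$_] } | Select-Object -First 1
        if (-not $current) { break }
        $done[$current] = $true
        foreach ($link in ($Links | Where-Object { $_.Sites -contains $current })) {
            foreach ($site in $link.Sites) {
                $candidate = $dist[$current] + $link.Cost
                if (-not $dist.ContainsKey($site) -or $candidate -lt $dist[$site]) { $dist[$site] = $candidate }
            }
        }
    }
    $dist
}

function Get-NextClosestSite {
    # Lowest cumulative cost among the other sites that are eligible (have a writable DC).
    param([Parameter(Mandatory)][string]$ClientSite, [Parameter(Mandatory)][object[]]$Links, [string[]]$EligibleSites)
    $costs = Get-SiteCosts -From $ClientSite -Links $Links
    $costs.GetEnumerator() |
        Where-Object { $_.Key -ne $ClientSite -and $EligibleSites -contains $_.Key } |
        Sort-Object Value, Key |
        Select-Object -First 1 -ExpandProperty Key
}

foreach ($site in 'Site_A', 'Site_B', 'Site_C', 'Site_D') {
    $next = Get-NextClosestSite -ClientSite $site -Links $links -EligibleSites $writableDcSites
    "{0,-7} -> next closest site with a writable DC: {1}" -f $site, $(if ($next) { $next } else { '(none; any DC in the domain)' })
}
```

For Site_B the answer is Site_A (cost 100) even though Site_D is reachable at cost 50, because Site_D is RODC-only; for Site_D the fallback is likewise Site_A at a cumulative cost of 150 via Site_B. That is the same outcome the text describes for the client in Site_B, and the reason the guide advises keeping site link costs simple: the costs now decide which site absorbs a failed site's authentication load, not only which path replication takes.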

Enable Clients to Locate a Domain Controller in the Next Closest Site
You can modify the Default Domain Policy to enable Windows Vista and Windows Server 2008 clients in the domain to locate domain controllers in the next closest site if no domain controller in their own site or the closest site is available.


Membership in Enterprise Admins in the forest or Domain Admins in the domain, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To enable clients to locate a domain controller in the next closest site
1. Click Start, click Administrative Tools, and then click Group Policy Management.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
3. Double-click Forest: forest_name, double-click Domains, and then double-click domain_name.
4. Right-click Default Domain Policy, and then click Edit.
5. In Group Policy Management Editor, in the console tree, go to Computer Configuration\Policies\Administrative Templates\System\Netlogon\DC Locator DNS Records.
6. In the details pane, double-click Try Next Closest Site, click Enabled, and then click OK.

As an option, you can create the following registry entry to affect the Domain Controller Locator (DC Locator) behavior for an individual computer that runs Windows Vista or Windows Server 2008. However, using a domain-wide Group Policy object (GPO) is recommended instead because the behavior will be more consistent.

Caution
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\TryNextClosestSite

If the registry entry DWORD value is 1, DC Locator will try to find a domain controller in the next closest site if it cannot find a domain controller in the client's site. If the value is 0, DC Locator will find any domain controller if it cannot find a domain controller in the client's site.
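The procedure above in Windows PowerShell, plus the verification the snap-in does not give you: which of the two registry locations is in effect on a client and which domain controller DC Locator actually returns. This is an added example, not part of the original guide. The GPO name and the domain contoso.com are hypothetical; the script creates a dedicated GPO linked at the domain root rather than editing Default Domain Policy. The policy value is written to HKLM\Software\Policies\Microsoft\Netlogon\Parameters, the key the Netlogon administrative template uses, which is distinct from the per-computer Services\Netlogon\Parameters entry in the text; if your template version differs, check the key in Netlogon.admx first. It assumes the GroupPolicy and ActiveDirectory modules, nltest.exe, and that the check function is run on a client computer.

```powershell
# Added example (not from the original guide): deploy and verify Try Next Closest Site.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain    = 'contoso.com'                                   # hypothetical
$GpoName   = 'DC Locator - Try Next Closest Site'            # hypothetical
$PolicyRel = 'Software\Policies\Microsoft\Netlogon\Parameters'      # written by the ADMX setting
$LocalRel  = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' # per-computer entry from the guide

# A dedicated GPO can be unlinked in one step if locator behaviour changes unexpectedly.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Enables Try Next Closest Site for Windows Vista / Server 2008 and later clients'
    New-GPLink -Name $GpoName -Target (Get-ADDomain -Identity $Domain).DistinguishedName -LinkEnabled Yes | Out-Null
}
Set-GPRegistryValue -Name $GpoName -Key "HKLM\$PolicyRel" -ValueName 'TryNextClosestSite' -Type DWord -Value 1 | Out-Null

function Get-TryNextClosestSiteState {
    # Effective state on the local computer: a policy value overrides the Services\Netlogon value,
    # and with neither present the setting is off (the default described in the guide).
    $policy = (Get-ItemProperty -Path "HKLM:\$PolicyRel" -Name TryNextClosestSite -ErrorAction SilentlyContinue).TryNextClosestSite
    $local  = (Get-ItemProperty -Path "HKLM:\$LocalRel"  -Name TryNextClosestSite -ErrorAction SilentlyContinue).TryNextClosestSite
    [pscustomobject]@{
        PolicyValue = $policy
        LocalValue  = $local
        Effective   = $(if ($null -ne $policy) { [bool]$policy } elseif ($null -ne $local) { [bool]$local } else { $false })
        Source      = $(if ($null -ne $policy) { 'Group Policy' } elseif ($null -ne $local) { 'Local registry' } else { 'Default (not enabled)' })
    }
}

# On a client: refresh policy, show the effective state, then ask DC Locator for a DC with the
# next-closest-site flag and compare the DC's site with the client's own site.
gpupdate /target:computer /force | Out-Null
Get-TryNextClosestSiteState | Format-List

$locator = nltest /dsgetdc:$Domain /try_next_closest_site /force
$dcSite  = $locator | Select-String 'Dc Site Name:\s*(\S+)'  | ForEach-Object { $_.Matches[0].Groups[1].Value }
$ourSite = $locator | Select-String 'Our Site Name:\s*(\S+)' | ForEach-Object { $_.Matches[0].Groups[1].Value }
if ($dcSite -and $ourSite -and $dcSite -ne $ourSite) {
    "Client site $ourSite has no reachable DC; locator fell back to a DC in $dcSite"
} else {
    "Locator returned a DC in the client's own site ($ourSite)"
}
```

The state function is the part worth keeping: the two registry locations can disagree, and a machine with the local value set to 0 while policy says 1 still ends up using next-closest-site selection, which is the consistency argument the text makes for using a GPO.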

Moving a Domain Controller to a Different Site
When you install Active Directory Domain Services (AD DS) on a server running Windows Server 2008, you can select the site for the domain controller. If you do not make this selection, the domain controller is placed into the site that its IP address maps to. If you change the IP address or the subnet-to-site association of a domain controller after AD DS is installed on the server, the server object does not change sites automatically. You must move it to the new site manually. When you move the server object, the Netlogon service on the domain controller registers Domain Name System (DNS) service (SRV) resource records for the appropriate site.

TCP/IP settings
When you move a domain controller to a different site, if any IP address of the domain controller is configured statically, you must change the TCP/IP settings accordingly. The IP address of the domain controller must map to a subnet object that is associated with the site to which you are moving the domain controller. If the IP address of a domain controller does not match the site in which the server object appears, the domain controller might be forced to communicate over a potentially slow wide area network (WAN) link to locate resources, rather than locating resources in its own site. Before you move the domain controller, ensure that the following TCP/IP client values are appropriate for the new location:
• IP address, including the subnet mask and default gateway
• DNS server addresses
• Windows Internet Name Service (WINS) server addresses (if appropriate)

If the domain controller that you are moving is a DNS server, you must also change the TCP/IP settings on any clients that have static references to the domain controller as the preferred or alternate DNS server.

DNS settings
If the domain controller is a DNS server, you must update the IP address in any DNS delegations or forwarders that reference the IP address. With dynamic update enabled, DNS updates host (A), host (AAAA), and name server (NS) resource records automatically. However, you must update delegations and forwarders as follows:
• Delegations: Determine whether the parent DNS zone of any zone that is hosted by this DNS server contains a delegation to this DNS server. A delegation consists of an NS record naming this server and a glue host (A or AAAA) record carrying its address; if the parent DNS zone does contain a delegation to this DNS server, update the IP address in that glue record in the parent zone, because dynamic update does not maintain records in the parent zone.
• Forwarders: Determine whether the server acts as a forwarder for any DNS servers. Forwarders are configured by IP address, not by name; if a DNS server uses this server as a forwarder, change the address in that DNS server's forwarders list.

Preferred bridgehead server status
Before you move any server object, check the server object to see whether it is acting as a preferred bridgehead server for the site. This condition has implications for the Intersite Topology Generator (ISTG) in both sites, as follows:
• In the site to which you are moving the server: If you move a preferred bridgehead server to a different site, it becomes a preferred bridgehead server in the new site. If preferred bridgehead servers are not currently in use in this site, the ISTG behavior in this site changes to support preferred bridgehead servers. For this reason, you must either configure the server to not be a preferred bridgehead server (recommended), or select additional preferred bridgehead servers in the site (not recommended).

• In the site from which you are moving the server: If the server is the last preferred bridgehead server in the original site for its domain, and if other domain controllers for the domain are in the site, the ISTG selects a bridgehead server for the domain. If you use preferred bridgehead servers, always select more than one server as the preferred bridgehead server for the domain. If, after the removal of this domain controller from the site, multiple domain controllers remain that are hosting the same domain and only one of them is configured as a preferred bridgehead server, either configure the server to not be a preferred bridgehead server (recommended), or select additional preferred bridgehead servers that host the same domain in the site (not recommended).
Note
If you select preferred bridgehead servers and all selected preferred bridgehead servers for a domain are unavailable in the site, the ISTG does not select a new bridgehead server. In this case, replication of this domain to and from other sites does not occur. However, if no preferred bridgehead server is selected for a domain or transport (through administrator error or as the result of moving the only preferred bridgehead server to a different site), the ISTG automatically selects a bridgehead server for the domain and replication proceeds as scheduled.
Task requirements
The following is required to perform the procedures for this task:
• Network Connections
• DNS snap-in
• Active Directory Sites and Services

To complete this tas0( perform the follo%ing procedures in order: 6& Change the Static 'P Address of a Domain Controller 2& )pdate the 'P Address for a D9S Delegation 'f the parent D9S .one of an .one that is hosted b this D9S server contains a delegation to this D9S server( use this procedure to update the 'P address in all such delegations& 'f our forest root domain has a parent D9S domain( perform this procedure on a D9S server in the parent domain& 'f ou ,ust added a ne% domain controller to a child domain( perform this procedure on a D9S server in the D9S parent domain& 'f ou are follo%ing recommended practices( the parent domain is the forest root domain& 7& )pdate the 'P Address for a D9S =or%arder 'f the D9S server is configured as a for%arder for an other D9S server( use this procedure to update the 'P address in all for%arders& A& Berif That an 'P Address Maps to a Subnet and Determine the Site Association 8& To determine %hether the server is a preferred bridgehead server( ou can chec0 a single server or ou can vie% the entire preferred bridgehead server list: • • Determine $hether a Server is a Preferred >ridgehead Server Bie% the +ist of All Preferred >ridgehead Servers

6. Configure a Server to Not Be a Preferred Bridgehead Server

7. Move a Server Object to a New Site

Change the Static IP Address of a Domain Controller
If you move a domain controller to a different site, you must change the IP address of the domain controller to an IP address that maps to a subnet that is associated with the site. To change an IP address, you use the TCP/IP client settings in the properties of the network connection. You can use this procedure to change all appropriate values in the TCP/IP client settings on a domain controller, including preferred and alternate DNS servers, as well as Windows Internet Name Service (WINS) servers (if appropriate). Obtain these values from your design team. If you change the static IP address of a domain controller, make sure that the new address is excluded from (or reserved in) the respective Dynamic Host Configuration Protocol (DHCP) scope, so that DHCP cannot lease the same address to another host. You must also verify that DNS resource records are updated on the DNS server that the domain controller references as the preferred DNS server in TCP/IP settings. In DNS, verify the values of the following resource records. If they have not updated automatically, update the IP address in these resource records:
• Host (A) or host (AAAA) resource records
• Name server (NS) resource records

Use the DNS snap-in to update the following DNS values that apply to this domain controller:
• On the Forwarders tab in the properties of a DNS server, update the IP address on DNS servers for which this domain controller is designated as a forwarder.
• Use the procedure Update the IP Address for a DNS Delegation for all delegations to this domain controller.
• On the Zone Transfers tab in the properties of a forward lookup zone, update the IP address for any primary or secondary DNS zone transfers to this domain controller.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To change the static IP address of a domain controller
1. Log on locally to the domain controller whose IP address you want to change.
2. Click Start, point to Administrative Tools, click Server Manager, and then click View Network Connections.
3. In the Network Connections dialog box, right-click the appropriate connection, and then click Properties.
4. In the Connection Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4) or Internet Protocol Version 6 (TCP/IPv6).
5. In IP address, type the new address.

6. In Subnet mask, type the new subnet mask if it has changed.
7. In Default gateway, type the new default gateway.
8. In Preferred DNS server, type the address of the Domain Name System (DNS) server that this computer contacts, if it has changed.
9. In Alternate DNS server, type the address of the DNS server that this computer contacts if the preferred server is unavailable.
10. If this domain controller uses WINS servers, click Advanced, and then, in the Advanced TCP/IP Settings dialog box, click the WINS tab.
11. If an address in the list is no longer appropriate, click the address, and then click Edit.
12. In the TCP/IP WINS Server dialog box, type the new address, and then click OK.
13. Repeat steps 11 and 12 for all addresses that have to be changed, and then click OK twice to close the TCP/IP WINS Server dialog box and the Advanced TCP/IP Settings dialog box.
14. Click OK to close the Internet Protocol (TCP/IP) Properties dialog box.

Update the IP Address for a DNS Delegation
If you change the IP address of a domain controller that is a Domain Name System (DNS) server, you must update the IP address in the delegation for the DNS server in the DNS zone for the parent domain. You can use this procedure to update the IP address of a delegation for a domain controller that is also a DNS server.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To update the IP address for a DNS delegation
1. Open the DNS snap-in: On the Start menu, point to Administrative Tools, and then click DNS.
2. In the console tree, if you are connected to a DNS server that hosts the parent zone, go to step 4. If you are not connected to a DNS server that hosts the parent zone, right-click DNS and then click Connect to DNS Server.
3. Click The following computer, type the name of the DNS server that hosts the parent zone, and then click OK.
4. In the console tree, double-click the server node for a DNS server that hosts the parent zone, double-click Forward Lookup Zones, and then double-click the parent zone.
5. In the console tree, right-click the delegated zone of the DNS server whose IP address has changed, and then click Properties.
6. On the Name Servers tab, click the DNS server whose IP address has changed, and then click Edit.
7. In the IP Address list, click the address, and then type changes as necessary.
8. Click OK twice.

Update the IP Address for a DNS Forwarder
If you change the IP address of a domain controller that is a Domain Name System (DNS) server, and the server is designated as a forwarder for another DNS server, you must update the IP address in the forwarder list on that other server. You can use this procedure to update the IP address of a forwarder for a domain controller that is also a DNS server.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To update the IP address for a DNS forwarder
1. Open the DNS snap-in: On the Start menu, point to Administrative Tools, and then click DNS.
2. In the console tree, if you are connected to the DNS server that uses the forwarder whose IP address you want to change, go to step 4. If you are not connected to the DNS server that uses the forwarder, right-click DNS and then click Connect to DNS Server.
3. Click The following computer, type the name of the DNS server that uses the forwarder, and then click OK.
4. In the console tree, click the node for the DNS server that uses the forwarder whose IP address has changed.
5. In the details pane, double-click Forwarders.
6. In the IP Address list, click the address that you want to change, and then click Edit.
7. In the IP Address list, click the address, and then type changes as necessary.
8. Click OK twice.
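The three procedures above are written for the Windows interface. The following script is an added example, not part of the guide, that performs the same changes with the in-box netsh and dnscmd tools so that they can be reviewed before they are applied and repeated on several domain controllers. Every host name, connection name, address and zone name in it is an assumption for illustration; the forwarder lists are supplied by hand because dnscmd /ResetForwarders replaces the whole list rather than editing one entry.

```powershell
# Added example (not from the guide): procedures 1-3 as netsh/dnscmd commands.
# Run in an elevated PowerShell session on the domain controller being re-addressed.
# All names and addresses below are assumptions; replace them with your design team's values.

$Adapter    = 'Local Area Connection'        # assumed connection name (netsh interface show interface)
$NewIP      = '10.20.30.11'
$NewMask    = '255.255.255.0'
$NewGateway = '10.20.30.1'
$NewDns     = @('10.20.30.10', '10.10.10.10') # preferred, alternate (assumed)
$NewWins    = @('10.20.30.12')                # leave empty if WINS is not used

$OldIP        = '10.10.10.11'
$DcFqdn       = 'dc1.child.contoso.com'      # assumed DC that is also a DNS server
$ParentDnsSrv = 'dns1.contoso.com'           # assumed DNS server hosting the parent zone
$ParentZone   = 'contoso.com'
$GlueNode     = 'dc1.child'                  # node of the glue A record inside the parent zone

# Assumed: other DNS servers that forward to this DC, with their current forwarder lists.
$ForwarderLists = @{
    'dns2.contoso.com' = @('10.10.10.11', '10.10.10.20')
}

function Invoke-Step {
    # Runs one command line and stops on a non-zero exit code so a half-applied change is visible.
    param([string]$CommandLine)
    Write-Host "> $CommandLine"
    cmd.exe /c $CommandLine | Out-Host
    if ($LASTEXITCODE -ne 0) { throw "Command failed with exit code $LASTEXITCODE" }
}

# Procedure 1: TCP/IP client settings (steps 5-14 of the GUI procedure).
Invoke-Step "netsh interface ipv4 set address name=`"$Adapter`" source=static address=$NewIP mask=$NewMask gateway=$NewGateway gwmetric=1"
Invoke-Step "netsh interface ipv4 set dnsservers name=`"$Adapter`" source=static address=$($NewDns[0]) register=primary"
for ($i = 1; $i -lt $NewDns.Count; $i++) {
    Invoke-Step "netsh interface ipv4 add dnsservers name=`"$Adapter`" address=$($NewDns[$i]) index=$($i + 1)"
}
if ($NewWins.Count -gt 0) {
    Invoke-Step "netsh interface ipv4 set winsservers name=`"$Adapter`" source=static address=$($NewWins[0])"
}

# Re-register the DC's own A and SRV records now instead of waiting for the Netlogon refresh.
Invoke-Step "ipconfig /registerdns"
Invoke-Step "nltest /dsregdns"

# Procedure 2: the delegation in the parent zone. The NS record only names the server; the
# address lives in the glue host (A) record, so that is the record that is replaced.
Invoke-Step "dnscmd $ParentDnsSrv /RecordDelete $ParentZone $GlueNode A $OldIP /f"
Invoke-Step "dnscmd $ParentDnsSrv /RecordAdd $ParentZone $GlueNode A $NewIP"

# Procedure 3: forwarders. /ResetForwarders overwrites the list, so rebuild each list with the
# old address swapped for the new one and every other entry preserved.
foreach ($srv in $ForwarderLists.Keys) {
    $updated = @($ForwarderLists[$srv] | ForEach-Object { if ($_ -eq $OldIP) { $NewIP } else { $_ } }) |
        Select-Object -Unique
    Invoke-Step "dnscmd $srv /ResetForwarders $($updated -join ' ')"
}

# Check: the parent zone's DNS server should now answer with the new glue address.
Invoke-Step "nslookup -type=A $DcFqdn $ParentDnsSrv"
```

Run the script from a console session (or a remote session that does not depend on the address being changed), because the first netsh command drops any connection to the old IP address.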


Verify That an IP Address Maps to a Subnet and Determine the Site Association
You can use this procedure to determine the site to which you want to add a server object before you install Active Directory Domain Services (AD DS). You can also use this procedure to verify the site after you install AD DS or before you move a server object. To be associated with a site, the IP address of a domain controller must map to a subnet object that is defined in AD DS. The site to which the subnet is associated is the site of the domain controller. The subnet address, which is computed from the IP network address and the subnet mask, is the name of a subnet object in AD DS. When you know the subnet address, you can locate the subnet object and determine the site to which the subnet is associated.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To verify that an IP address maps to a subnet and to determine the site association
1. Log on locally or open a Remote Desktop connection to the server for which you want to check the IP address.
2. In Server Manager, click View Network Connections.
3. Right-click the connection that represents the connection the server or domain controller uses to attach to the network, and then click Properties.
4. In the Connection Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4) or Internet Protocol Version 6 (TCP/IPv6).
5. Use an IP subnet calculator and the values in IP address and Subnet mask to calculate the subnet address, and then click OK twice.
6. Open the Active Directory Sites and Services snap-in: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
7. Expand the Sites container, and then click the Subnets container.
8. In the Name column in the details pane, find the subnet object that matches the subnet address for the server or domain controller.
9. In the Site column, note the site to which the IP subnet address is associated. If the site that appears in the Site column is not the appropriate site, contact a site administrator and find out whether the IP address is incorrect or whether you should move the server object to the site that is indicated by the subnet-to-site association.
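Steps 5 through 9 above can be done without a subnet calculator or the snap-in. The following is an added example, not part of the guide, that computes the subnet object name from an address and mask and then looks the subnet up in the Configuration partition with plain .NET and ADSI (no extra modules are needed on Windows Server 2008). The address, mask and site names used in the usage lines are assumptions.

```powershell
# Added example (not from the guide): compute the AD subnet name for an IPv4 address/mask and
# find the site that the matching subnet object is associated with.

function Get-SubnetName {
    # Returns the AD subnet object name, e.g. "10.20.30.0/24", for an IPv4 address and mask.
    param([string]$IPAddress, [string]$SubnetMask)
    $ip   = ([System.Net.IPAddress]$IPAddress).GetAddressBytes()
    $mask = ([System.Net.IPAddress]$SubnetMask).GetAddressBytes()
    $net  = for ($i = 0; $i -lt 4; $i++) { $ip[$i] -band $mask[$i] }
    # Prefix length = number of set bits in the mask.
    $prefix = 0
    foreach ($b in $mask) {
        $v = [int]$b
        while ($v -ne 0) { $prefix += ($v -band 1); $v = $v -shr 1 }
    }
    return ('{0}/{1}' -f ($net -join '.'), $prefix)
}

function Get-SiteForSubnet {
    # Searches CN=Subnets,CN=Sites,<configuration NC> for the subnet object and returns the
    # site name from its siteObject link, or $null when no subnet object matches.
    param([string]$SubnetName)
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Subnets,CN=Sites,$configNc"
    $searcher.Filter = "(&(objectClass=subnet)(cn=$SubnetName))"
    $null = $searcher.PropertiesToLoad.Add('siteObject')
    $result = $searcher.FindOne()
    if ($result -eq $null) { return $null }
    $siteDn = [string]$result.Properties['siteobject'][0]
    return (($siteDn -split ',')[0] -replace '^CN=', '')
}

# Assumed values; take them from the DC's TCP/IP properties.
$subnet = Get-SubnetName -IPAddress '10.20.30.11' -SubnetMask '255.255.255.0'   # 10.20.30.0/24
$site   = Get-SiteForSubnet -SubnetName $subnet

if ($site) {
    "Subnet $subnet is associated with site '$site'."
    # Compare with the site the DC itself resolved at startup (DsGetSiteName).
    nltest /dsgetsite
} else {
    "No subnet object matches $subnet. Create one and associate it with the intended site before moving the server object."
}
```

If the site printed by nltest /dsgetsite differs from the site returned for the subnet, the server object is in the wrong site for its address, which is exactly the condition step 9 asks you to resolve before moving the object.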


See Also
Move a Server Object to a New Site

Determine Whether a Server is a Preferred Bridgehead Server
You can designate preferred bridgehead servers to always perform intersite replication. If you are moving a server to a different site, you must make sure that the server is not a preferred bridgehead server. If it is a preferred bridgehead server, you must configure it to not be a preferred bridgehead server before you move the server object. You can use this procedure to view the server object properties in Active Directory Domain Services (AD DS) and determine the bridgehead server status of the server.
Membership in Domain Users, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To determine whether a server is a preferred bridgehead server
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Expand Sites, and then expand the site of the server whose bridgehead server status you want to determine.
3. Expand the Servers node to display the list of domain controllers that are currently configured for that site.
4. Right-click the server whose status you want to check, and then click Properties.
5. If IP appears in the list that marks this server as a bridgehead server for the IP transport, the server is a preferred bridgehead server.

See Also
Configure a Server to Not Be a Preferred Bridgehead Server
View the List of All Preferred Bridgehead Servers

View the List of All Preferred Bridgehead Servers
When you manage preferred bridgehead servers or when you move a server object, you might want to identify the domain controllers that are preferred bridgehead servers. Preferred bridgehead servers are distinguished by a property on the server object that adds the server to the preferred bridgehead server list for the IP transport. A back-link attribute on the IP transport object shows the entire list. If you want to check all servers for preferred bridgehead server status, rather than a single server, you can use this procedure to view the list of all preferred bridgehead servers.
Membership in Domain Users, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To view the list of preferred bridgehead servers
1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Expand the Sites container and the Inter-Site Transports container.
3. Right-click the IP container, and then click Properties.
4. On the Attribute Editor tab, click Filter, and then, under Show read-only attributes, click Backlinks.
5. In Attributes, double-click bridgeheadServerListBL.
6. If any preferred bridgehead servers are selected in any site in the forest, the Values box displays the distinguished name of each server object that is currently selected as a preferred bridgehead server.

See Also
Determine Whether a Server is a Preferred Bridgehead Server
Configure a Server to Not Be a Preferred Bridgehead Server

Configure a Server to Not Be a Preferred Bridgehead Server
Preferred bridgehead servers are distinguished by a property on the server object that adds the server to the preferred bridgehead server list for the IP transport. If you want to remove a server from the list so that it is not a designated preferred bridgehead server, you can use this procedure to open the server object properties and remove the server from the IP transport.
Membership in the Enterprise Admins group in the forest or the Domain Admins group in the forest root domain, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To configure the server to not be a preferred bridgehead server
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand Sites, and then expand the site of the preferred bridgehead server.
3. Expand the Servers container to display the list of domain controllers that are currently configured for that site.
4. Right-click the server that you want to remove, and then click Properties.
5. If IP appears in the list that marks this server as a bridgehead server for the IP transport, click IP, click Remove, and then click OK.
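The two preferred bridgehead procedures above check one server at a time, and the ISTG note in the overview warns about leaving a domain with a single preferred bridgehead in a site. The following is an added example, not part of the guide, that reads the bridgeheadServerListBL back-link, groups the servers by site and domain to flag that condition, and clears the designation on one server with the same attribute change the GUI makes. It uses ADSI only; the server name in the commented usage line is an assumption.

```powershell
# Added example (not from the guide): inventory preferred bridgehead servers for the IP transport,
# flag single-bridgehead domains per site, and remove the designation from a server.

function Get-PreferredBridgeheads {
    # Reads bridgeheadServerListBL on CN=IP,CN=Inter-Site Transports and resolves each server
    # object to its site and to the domain of its computer account (via serverReference).
    $configNc    = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $ipTransport = [ADSI]"LDAP://CN=IP,CN=Inter-Site Transports,CN=Sites,$configNc"
    foreach ($serverDn in @($ipTransport.bridgeheadServerListBL)) {
        $server     = [ADSI]"LDAP://$serverDn"
        $computerDn = [string]$server.serverReference
        # Domain DN = the DN from its first DC= component onward.
        $domainDn = ($computerDn -split ',(?=DC=)', 2)[1]
        # Server DN shape: CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
        $siteName = (($serverDn -split ',')[2] -replace '^CN=', '')
        New-Object PSObject -Property @{
            Server = [string]$server.cn
            Site   = $siteName
            Domain = $domainDn
            DN     = $serverDn
        }
    }
}

function Test-BridgeheadRedundancy {
    # One preferred bridgehead per site and domain is the risky case: if that DC is moved or
    # unavailable, the ISTG does not pick a replacement while a preferred list exists.
    param([object[]]$Bridgeheads)
    $Bridgeheads | Group-Object Site, Domain | ForEach-Object {
        $risk = 'ok'
        if ($_.Count -lt 2) { $risk = 'single preferred bridgehead' }
        New-Object PSObject -Property @{
            SiteAndDomain = $_.Name
            Count         = $_.Count
            Risk          = $risk
        }
    }
}

function Remove-PreferredBridgehead {
    # Clears bridgeheadTransportList on the server object (what IP -> Remove does in the GUI).
    # ADS_PROPERTY_CLEAR = 1. Needs Enterprise Admins or forest-root Domain Admins.
    param([string]$ServerDn)
    $server = [ADSI]"LDAP://$ServerDn"
    $server.PutEx(1, 'bridgeheadTransportList', @())
    $server.SetInfo()
}

$bridgeheads = @(Get-PreferredBridgeheads)
$bridgeheads | Format-Table Server, Site, Domain -AutoSize
Test-BridgeheadRedundancy -Bridgeheads $bridgeheads | Format-Table SiteAndDomain, Count, Risk -AutoSize

# Before moving DC1 (assumed name) to another site, drop its preferred bridgehead status:
# Remove-PreferredBridgehead -ServerDn ($bridgeheads | Where-Object { $_.Server -eq 'DC1' }).DN
```

An empty inventory means no preferred bridgeheads are configured anywhere in the forest and the ISTG is choosing bridgeheads on its own, which is the recommended state described in the overview.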

See Also
View the List of All Preferred Bridgehead Servers

Move a Server Object to a New Site
When you move a server object in Active Directory Domain Services (AD DS), the Active Directory Sites and Services snap-in does not require that the IP address of the server maps to the site to which you are moving the server object. If the IP address does not map to a subnet that is associated with the site to which you move it, the server might be forced to communicate over a potentially slow wide area network (WAN) link to locate resources rather than locating resources in its own site. Before you move the server object, verify that the IP address maps to the target site. You can use this procedure to move a server object to a new site.
Membership in Enterprise Admins, or equivalent, is required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To move a server object to a new site
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand Sites and the site in which the server object resides.
3. Expand Servers to display the domain controllers that are currently configured for that site.
4. Right-click the server object that you want to move, and then click Move.
5. In Site Name, click the destination site, and then click OK.
6. Expand the site object to which you moved the server, and then expand the Servers container.
7. Verify that an object for the server that you moved exists.
8. Expand the server object, and verify that an NTDS Settings object exists.
Within an hour, the Net Logon service on the domain controller registers the new site information in Domain Name System (DNS). Wait an hour, and then open Event Viewer and connect to the domain controller whose server object you moved. Review the System log for NETLOGON errors regarding registration of service (SRV) resource records in DNS that have occurred within the last hour. The absence of errors indicates that the Net Logon service has updated DNS with site-specific service (SRV) resource records. NETLOGON Event ID 5774 indicates that the dynamic registration of DNS resource records has failed. If this error occurs, contact a supervisor and pursue DNS troubleshooting.
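The verification paragraph above can be scripted so that the check is the same every time. The following is an added example, not part of the guide: it pulls recent NETLOGON registration failures from the System log of the moved domain controller, asks the domain controller which site it now resolves, and queries the site-specific LDAP SRV record that Net Logon registers after the move. The domain controller, site and domain names are assumptions, and Get-WinEvent requires Windows PowerShell 2.0 on the machine running the script.

```powershell
# Added example (not from the guide): post-move checks for a domain controller whose server object
# was moved to a new site. Names below are assumptions.
$DomainController = 'dc1.child.contoso.com'   # DC whose server object was moved
$ExpectedSite     = 'Branch1'                 # destination site
$DnsDomain        = 'child.contoso.com'

function Get-NetlogonRegistrationErrors {
    # NETLOGON 5774 = dynamic registration of a DNS record failed; 5781 = no DNS server reachable.
    param([string]$Computer, [int]$Hours = 1)
    Get-WinEvent -ComputerName $Computer -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5774, 5781
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
}

function Test-SiteSrvRecord {
    # Net Logon registers _ldap._tcp.<Site>._sites.dc._msdcs.<domain> for each DC in the site.
    # Returns $true when the DC's FQDN appears among the SRV targets.
    param([string]$Site, [string]$Domain, [string]$DcFqdn)
    $record = "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
    $answer = nslookup -type=SRV $record 2>$null | Out-String
    return ($answer -match [regex]::Escape($DcFqdn))
}

$errors = @(Get-NetlogonRegistrationErrors -Computer $DomainController)
if ($errors.Count -gt 0) {
    "NETLOGON registration errors on $DomainController in the last hour:"
    $errors | Format-Table TimeCreated, Id, Message -Wrap
} else {
    "No NETLOGON 5774/5781 events on $DomainController in the last hour."
}

# Site as seen by the DC itself (DsGetSiteName), then the site-specific SRV record in DNS.
nltest /server:$DomainController /dsgetsite
if (Test-SiteSrvRecord -Site $ExpectedSite -Domain $DnsDomain -DcFqdn $DomainController) {
    "$DomainController is listed in _ldap._tcp.$ExpectedSite._sites.dc._msdcs.$DnsDomain"
} else {
    "The site-specific SRV record for $ExpectedSite does not list $DomainController yet; run 'nltest /dsregdns' on the DC and check again."
}
```

Running nltest /dsregdns on the moved domain controller forces the registration immediately instead of waiting for the hourly refresh, which is useful when the SRV check fails right after the move.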

See Also
Verify That an IP Address Maps to a Subnet and Determine the Site Association

Enabling Universal Group Membership Caching in a Site
In a multidomain forest, when a user logs on to a domain, a global catalog server must be contacted to determine the universal group memberships of the user. A universal group can contain users from other domains, and it can be applied to access control lists (ACLs) on objects in all domains in the forest. Therefore, universal group memberships must be ascertained at domain logon so that the user has appropriate access in the domain and in other domains during the logon session. Only global catalog servers store the memberships of all universal groups in the forest. If a global catalog server is not available in the site when a user logs on to a domain, the domain controller must contact a global catalog server in another site. In multidomain forests where remote sites do not have a global catalog server, the need to contact a global catalog server over a potentially slow wide area network (WAN) connection can be problematic, and a user can potentially be unable to log on to the domain if a global catalog server is not available. You can enable Universal Group Membership Caching on domain controllers that are running Windows Server 2008 so that when the domain controller contacts a global catalog server for the user's initial domain logon, the domain controller retrieves universal group memberships for the user. On subsequent logon requests by the same user, the domain controller uses cached universal group memberships and does not have to contact a global catalog server.
Task requirements
The following tool is required to perform the procedures for this task:
• Active Directory Sites and Services
To complete this task, perform the following procedure:
• Enable Universal Group Membership Caching in a Site


Enable Universal Group Membership Caching in a Site
In a branch site that has no global catalog server and in a forest that has multiple domains, you can use this procedure to enable Universal Group Membership Caching on the domain controllers in the site so that a global catalog server does not have to be contacted across a wide area network (WAN) link for every initial user logon. You enable this setting on the NTDS Site Settings object for the site in Active Directory Domain Services (AD DS), and you can specify the site of a global catalog server to contact when the cache must be updated. In most cases, the closest global catalog server is located in the hub site. You can use this procedure to enable Universal Group Membership Caching in a site.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To enable Universal Group Membership Caching in a site
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand Sites, and then click the site in which you want to enable Universal Group Membership Caching.
3. In the details pane, right-click the NTDS Site Settings object, and then click Properties.
4. Under Universal Group Membership Caching, select Enable Universal Group Membership Caching.
5. In the Refresh cache from list, click the site that you want the domain controller to contact when the universal group membership cache must be updated, and then click OK.
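Steps 4 and 5 above set two attributes on the NTDS Site Settings object: the caching flag is bit 0x20 of the options attribute, and the "Refresh cache from" site is stored as the distinguished name of that site in msDS-Preferred-GC-Site. The following is an added example, not part of the guide, that reads and sets those attributes through ADSI so the change can be audited and repeated across branch sites. The site names are assumptions.

```powershell
# Added example (not from the guide): enable Universal Group Membership Caching on a site's
# NTDS Site Settings object through ADSI. Site names below are assumptions.
$SiteName    = 'Branch1'   # branch site without a global catalog server
$RefreshSite = 'Hub'       # site holding the global catalog servers to refresh from

$UGMC_FLAG = 0x20          # NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED in the 'options' bit field

function Get-NtdsSiteSettings {
    param([string]$Site)
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    [ADSI]"LDAP://CN=NTDS Site Settings,CN=$Site,CN=Sites,$configNc"
}

function Get-SiteOptions {
    # 'options' is absent until something sets it; treat absent as 0.
    param($Settings)
    if ($Settings.options.Value -eq $null) { return 0 }
    return [int]$Settings.options.Value
}

function Test-UgmcEnabled {
    param([string]$Site)
    $options = Get-SiteOptions -Settings (Get-NtdsSiteSettings -Site $Site)
    return (($options -band $UGMC_FLAG) -ne 0)
}

function Enable-Ugmc {
    # Sets the caching bit without disturbing the other option bits on the object, and points
    # msDS-Preferred-GC-Site at the site whose global catalog servers refresh the cache.
    param([string]$Site, [string]$PreferredGcSite)
    $settings = Get-NtdsSiteSettings -Site $Site
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $options  = Get-SiteOptions -Settings $settings
    $settings.Put('options', ($options -bor $UGMC_FLAG))
    if ($PreferredGcSite) {
        $settings.Put('msDS-Preferred-GC-Site', "CN=$PreferredGcSite,CN=Sites,$configNc")
    }
    $settings.SetInfo()
}

"UGMC enabled in $SiteName before: $(Test-UgmcEnabled -Site $SiteName)"
Enable-Ugmc -Site $SiteName -PreferredGcSite $RefreshSite
"UGMC enabled in $SiteName after:  $(Test-UgmcEnabled -Site $SiteName)"
```

Because the setting lives on the site object, it takes effect for every domain controller in that site once the change has replicated to them; Test-UgmcEnabled is also a convenient way to confirm which branch sites already have caching turned on.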

Forcing Replication
When you need updates to be replicated sooner than the intersite replication schedule allows, or when replication between sites is impossible because of configuration errors, you can force replication to and from domain controllers. You can use the following two methods of forcing replication:
• Force replication of all directory partition updates from one server to another server over a connection
• Force replication of configuration directory partition updates from one server to another server

Forcing replication of all directory updates over a connection
If you want to replicate certain updates, such as a significant addition of new passwords or user accounts, to another domain controller in the domain, you can use the Replicate now option in the Active Directory Sites and Services snap-in to force replication of all directory partitions over a connection object that represents inbound replication from a specific domain controller. A connection object for a server object that represents a domain controller identifies the replication partner from which the domain controller receives replication. If the changes are made on one domain controller, you can select the connection from that domain controller and force replication to its replication partner. You can also use the Repadmin.exe command-line tool to replicate changes from a server to one or more other servers or to all servers.

Forcing replication of configuration updates
Active Directory replication uses a pull model, in which one domain controller requests changes from another domain controller. For this reason, connection objects always represent one-way, inbound replication from a source server to a destination server. All objects that are required for replication are contained in the configuration directory partition, which is replicated to every domain controller in the forest. If a site link is deleted inadvertently, the domain controllers in the respective sites drop connection objects that represent servers in any site to which the domain controller's site is no longer linked. The only way for these connection objects to be recreated is for a new site link to be created and for domain controllers in each site in the site link to recreate the connection objects. However, the change to the configuration directory partition (the new site link) cannot be replicated from the site where the change occurs to the other site, because the domain controllers in the other site have dropped their inbound connection objects from servers in the site where the site link has been recreated. The Replicate now option does not fix the problem because the ability to use Replicate now depends on the existence of a from-server connection object. On writable domain controllers running Windows Server 2003, the only way to resolve this issue is to create the new site link object twice, once on a domain controller in each site. When the domain controller has a site link, the Knowledge Consistency Checker (KCC) on the domain controller can then create connection objects from servers in the other site. On writable domain controllers running Windows Server 2008, a new option is available that you can use to force replication of only the configuration directory partition to a domain controller in another site, even though a connection object from a server in the site does not exist in the configuration directory partition. In this case, you can recreate the site link in one site and force replication of this configuration change to a domain controller in the other site. When replication of the new site link object is received on the domain controller in the other site, that domain controller can then create new connection objects from servers in the other sites in the site link. This functionality is particularly useful if the only domain controller in a site is a read-only domain controller (RODC). In this case, you cannot recreate the site link on a domain controller in both sites because you cannot write to the RODC. When you recreate the site link in the hub site and then force replication of the configuration directory partition to the site of the RODC, you enable the RODC to create connection objects from replication partners in the hub site.
Task requirements
The following tools are required to perform the procedures for this task:
• Active Directory Sites and Services
• Repadmin.exe

To complete this tas0( perform the follo%ing procedures: 6& =orce *eplication >et%een Domain Controllers 2& )pdate a Server %ith Configuration Changes 7& S nchroni.e *eplication %ith All Partners A& Berif Successful *eplication to a Domain Controller

Force Replication Between Domain Controllers
You can use this procedure to force Active Directory replication to occur between two domain controllers on a one-time basis when you want changes to be replicated from the server that received the changes to a server in another site sooner than the site link schedule allows. As an alternative, you can synchronize replication with all replication partners.
Membership in Enterprise Admins, or equivalent, is required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To force replication over a connection
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand Sites, and then expand the site to which you want to force replication from the updated server.
3. Expand the Servers container to display the list of servers that are currently configured for that site.
4. Expand the server objects and click their NTDS Settings objects to display their connection objects in the details pane. Find a server that has a connection object from the server on which you made the updates.
5. Click NTDS Settings below the server object. In the details pane, right-click the connection object whose From Server is the domain controller that has the updates that you want to replicate, and then click Replicate Now.
6. When the Replicate Now message box appears, review the information, and then click OK.

See Also
Synchronize Replication with All Partners

Update a Server with Configuration Changes
4n a domain controller that is running $indo%s Server 2008( ou can use this procedure to force replication of configuration changes to a domain controller that is not receiving replication as a result of configuration errors& This procedure is particularl useful for updating a read/onl domain controller "*4DC# in a branch site %ith configuration changes from a hub site( for e-ample( %hen a site lin0 ob,ect has been inadvertentl deleted& Eou can complete this procedure b using either the $indo%s interface or the *epadmin command/line tool& Membership in .nterprise Admins in the forest or Domain Admins in the forest root domain( or eFuivalent( is the minimum reFuired to complete this procedure& *evie% details about using the appropriate accounts and group memberships at http:33go&microsoft&com3f%lin03P+in0'dQ87A<<& o use the !indows interface to update a server with configuration changes 6& 4pen Active Director Sites and Services: 4n the Start menu( point to Administrative ools( and then clic0 Active Directory Sites and Services& 2& 'n the console tree( e-pand Sites( and then e-pand the site of the domain controller that ou %ant to receive configuration updates& 7& 1-pand the Servers container to displa the list of servers that are currentl configured for that site& A& Double/clic0 the server ob,ect that reFuires the configuration updates that ou %ant to replicate& 8& *ight/clic0 N DS Settings belo% the server ob,ect( and then clic0 4eplicate configuration to the selected DC& :& 'n the 4eplicate Now message bo-( clic0 O(& o use 4epadmin to update a server with configuration changes 6& 4pen a Command Prompt as an administrator: 4n the Start menu( right/clic0 Command %rompt( and then clic0 4un as administrator& 'f the 3ser Account Control dialog bo- appears( provide 1nterprise Admins credentials( if reFuired( and then clic0 Continue& 2& At the command prompt( t pe the follo%ing command( and then press 19T1*:
repadmin /s&owrep" <!erverName>

$here SServer9ameT is the name of the domain controller that has the configuration changes that ou %ant to replicate& The /s&owrep" s%itch provides the globall uniFue identifier "5)'D# information that ou need for step :& 7A7

7& Clic0 the Command %rompt menu in the title bar( clic0 .dit( and then clic0 )ark& A& )se the cursor to select the value in
D!A o'=ect DU6D&

8& Clic0 the Command %rompt menu in the title bar( and then clic0 Copy& )se the %aste command on the Command %rompt menu to paste this value for the <!ourceDomain5ontro""erDU6D> parameter in the ne-t step& :& At the command prompt( t pe the follo%ing command( and then press 19T1*:
repadmin /sync <5onfigurationDistinguis&edName> <Destination!erverName> <!ourceDomain5ontro""erDU6D>

Value                              Description
/sync                              Synchronizes replication of the specified directory partition between the specified domain controllers.
<ConfigurationDistinguishedName>   The configuration directory partition distinguished name: CN=Configuration,DC=ForestRootDomainName
<DestinationServerName>            The name of the domain controller that is to receive the configuration updates, for example, DC3B.
<SourceDomainControllerGUID>       The Directory System Agent (DSA) GUID of the domain controller that is forcing replication.
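Steps 2 through 5 above are easy to get wrong by hand, because the /showrepl output prints a "DSA object GUID:" line for the queried server and again for every inbound neighbour, and only the first one identifies the source server. The following Python script is an added example, not part of this guide and not part of Repadmin: it takes captured /showrepl output (a constructed sample modelled on the real layout is embedded; the site, server names and GUIDs are made up), reads the GUID from the header only, and assembles the repadmin /sync command from step 6. The forest root name corp.example and the server name RODC01 are assumptions.

```python
import re
import uuid

# Constructed sample of "repadmin /showrepl <ServerName>" output for the source
# DC (layout modelled on real output; names and GUIDs are made up).
SAMPLE_SHOWREPL = """\
Hub-Site\\DC01
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 6f1c2d3e-4a5b-4c6d-8e9f-0a1b2c3d4e5f
DSA invocationID: 9a8b7c6d-5e4f-4a3b-9c2d-1e0f1a2b3c4d

==== INBOUND NEIGHBORS ======================================

CN=Configuration,DC=corp,DC=example
    Branch-Site\\RODC01 via RPC
        DSA object GUID: 11111111-2222-4333-8444-555555555555
        Last attempt @ 2008-09-15 10:22:31 was successful.
"""

_GUID_LINE = re.compile(r"^DSA object GUID:\s*([0-9a-fA-F-]{36})$")


def dsa_object_guid(showrepl_output: str) -> str:
    """Return the DSA object GUID of the server that /showrepl was run against.

    Only the header (everything before the INBOUND NEIGHBORS banner) is
    searched: each neighbour is also listed with its own "DSA object GUID:"
    line, and pasting one of those into /sync would name the wrong source.
    """
    header = showrepl_output.split("INBOUND NEIGHBORS", 1)[0]
    for line in header.splitlines():
        match = _GUID_LINE.match(line.strip())
        if match:
            # uuid.UUID raises ValueError if the pasted value is malformed
            return str(uuid.UUID(match.group(1)))
    raise ValueError("no DSA object GUID found in the /showrepl header")


def configuration_dn(forest_root_dns_name: str) -> str:
    """Build CN=Configuration,DC=...,DC=... from the forest root DNS name."""
    labels = [label for label in forest_root_dns_name.strip(".").split(".") if label]
    if not labels:
        raise ValueError("forest root DNS name is empty")
    return "CN=Configuration," + ",".join(f"DC={label}" for label in labels)


def sync_command(forest_root_dns_name: str, destination_server: str,
                 showrepl_output: str) -> list:
    """Assemble the repadmin /sync command from step 6 as an argv list."""
    return [
        "repadmin", "/sync",
        configuration_dn(forest_root_dns_name),
        destination_server,
        dsa_object_guid(showrepl_output),
    ]


if __name__ == "__main__":
    # Assumed names: forest root corp.example, destination RODC01.
    print(" ".join(sync_command("corp.example", "RODC01", SAMPLE_SHOWREPL)))
```

In practice the output would be captured with `repadmin /showrepl <ServerName> > showrepl.txt` and the file contents passed to `sync_command`; the script prints the command rather than running it, so the operator still reviews the destination and GUID before forcing replication.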

Synchronize Replication with All Partners
You can use this procedure to synchronize replication with all replication partners of a domain controller.

Membership in Enterprise Admins in the forest or Domain Admins in the forest root domain, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To synchronize replication with all partners
1. At a command prompt, type the following command, and then press ENTER:
repadmin /syncall <DomainControllerName> /e /d /A /P /q


Value                      Description
repadmin /syncall          Synchronizes a specified domain controller with all replication partners.
<DomainControllerName>     The Domain Name System (DNS) name of the domain controller on which you want to synchronize replication with all partners.
/e                         Enterprise; includes partners in all sites.
/d                         Identifies servers by their distinguished names in messages.
/A                         All; synchronizes all directory partitions that are held on the home server.
/P                         Pushes changes outward from the home server.
/q                         Runs in quiet mode; suppresses callback messages.

2. Check for replication errors in the output of the command in the previous step. If there are no errors, replication is successful. For replication to complete, any errors must be corrected.

See Also
Verify Successful Replication to a Domain Controller

Verify Successful Replication to a Domain Controller
You can use the repadmin /showrepl command to verify successful replication to a specific domain controller. If you are not running Repadmin on the domain controller whose replication you are checking, you can specify a destination domain controller in the command. Repadmin lists INBOUND NEIGHBORS for the current or specified domain controller. INBOUND NEIGHBORS shows the distinguished name of each directory partition for which inbound directory replication has been attempted, the site and name of the source domain controller, and whether replication succeeded or not, as follows:
• Last attempt @ <YYYY-MM-DD HH:MM:SS> was successful.

• Last attempt @ [Never] was successful.


If @ [Never] appears in the output for a directory partition, replication of that directory partition has never succeeded from the identified source replication partner over the listed connection.

Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To verify successful replication to a domain controller
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
repadmin /s&owrep" <servername> /u:<domainname>(<username> /pw:*

Note: The user credential parameters (/u:<domainname>\<username> /pw:*) are not required for the domain of the user if the user has opened the Command Prompt as an administrator with Domain Admins credentials or is logged on to the domain controller as a member of Domain Admins or equivalent. However, if you run the command for a domain controller in a different domain in the same Command Prompt session, you must provide credentials for an account in that domain.


Value                Description
repadmin /showrepl   Displays the replication status for the last time that the domain controller that is named in <servername> attempted inbound replication of Active Directory partitions.
<servername>         The name of the destination domain controller.
/u:                  Specifies the domain name and user name, separated by a backslash, for a user who has permissions to perform operations in AD DS.
<domainname>         The single-label name of the domain of the destination domain controller. (You do not have to use a fully qualified Domain Name System (DNS) name.)
<username>           The name of an administrative account in that domain.
/pw:*                Specifies the domain password for the user named in <username>. * provides a Password: prompt when you press ENTER.

3. At the Password: prompt, type the password for the user account that you provided, and then press ENTER.

You can also use repadmin to generate the details of replication to and from all replication partners in a Microsoft Excel spreadsheet. The spreadsheet displays data in the following columns:
• Showrepl_COLUMNS
• Destination DC Site
• Destination DC
• Naming Context
• Source DC Site
• Source DC
• Transport Type
• Number of Failures
• Last Failure Time
• Last Success Time
• Last Failure Status


The following procedure creates this spreadsheet and sets column headings for improved readability.

To generate a repadmin /showrepl spreadsheet for all replication partners
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
repadmin /s&owrep" * /csv >s&owrep"*csv

3. Open Excel.
4. Click the Office button, click Open, navigate to showrepl.csv, and then click Open.
5. Hide or delete column A as well as the Transport Type column, as follows:
6. Select a column that you want to hide or delete.
   • To hide the column, right-click the column, and then click Hide.
   Or
   • To delete the column, right-click the selected column, and then click Delete.
7. Select row 1 beneath the column heading row. On the View tab, click Freeze Panes, and then click Freeze Top Row.
8. Select the entire spreadsheet. On the Data tab, click Filter.
9. In the Last Success Time column, click the down arrow, and then click Sort Ascending.
10. In the Source DC column, click the filter down arrow, point to Text Filters, and then click Custom Filter.
11. In the Custom AutoFilter dialog box, under Show rows where, click does not contain. In the adjacent text box, type del to eliminate from view the results for deleted domain controllers.
12. Repeat step 11 for the Last Failure Time column, but use the value does not equal, and then type the value 0.
13. Resolve replication failures. The last successful attempt should agree with the replication schedule for intersite replication, or the attempt should be within the last hour for intrasite replication. If Repadmin reports any of the following conditions, see Troubleshooting Active Directory Replication Problems (http://go.microsoft.com/fwlink/?LinkID=93552):
   • The last successful intersite replication was before the last scheduled replication.
   • The last intrasite replication was longer than one hour ago.
   • Replication was never successful.
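The review that the verification section and the spreadsheet steps above describe (exclude deleted source DCs, look at rows with a non-zero Last Failure Time, and check the age of the last success against the intrasite one-hour rule or the intersite schedule) can be run directly over a saved showrepl.csv. The following Python script is an added example, not part of this guide or of Repadmin. The CSV content is constructed using the column headings listed above (the names and times are made up; real repadmin output uses slightly different heading text), the intersite replication schedule is passed in as one interval (an assumption; a real topology may have a different interval per site link), and a Last Success Time of 0 is read as "never successful", which is also an assumption.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed showrepl.csv content (names, times and status codes are made up).
# The deleted DC in the last row carries the usual "DEL:<guid>" suffix.
SAMPLE_CSV = """\
Showrepl_COLUMNS,Destination DC Site,Destination DC,Naming Context,Source DC Site,Source DC,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Hub-Site,DC01,"DC=corp,DC=example",Hub-Site,DC02,RPC,0,0,2008-09-15 09:50:00,0
showrepl_INFO,Hub-Site,DC01,"DC=corp,DC=example",Branch-Site,RODC01,RPC,3,2008-09-15 08:10:00,2008-09-14 20:00:00,8524
showrepl_INFO,Hub-Site,DC01,"CN=Configuration,DC=corp,DC=example",Branch-Site,RODC02,RPC,0,0,0,0
showrepl_INFO,Hub-Site,DC01,"DC=corp,DC=example",Hub-Site,DC03,RPC,0,0,2008-09-15 07:00:00,0
showrepl_INFO,Hub-Site,DC01,"DC=corp,DC=example",Old-Site,DC09\\0ADEL:aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee,RPC,5,2008-09-15 09:00:00,0,1722
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"
INTRASITE_MAX_AGE = timedelta(hours=1)  # guide: intrasite success within the last hour


def parse_showrepl_csv(text: str) -> list:
    """Read showrepl.csv rows as dicts keyed by the column headings."""
    return list(csv.DictReader(io.StringIO(text)))


def review_showrepl(rows: list, now: datetime, intersite_schedule: timedelta) -> list:
    """Apply the spreadsheet filters and the staleness rules from step 13.

    Returns one finding per problem row, sorted ascending on Last Success
    Time (never-successful rows first), like the sorted, filtered sheet.
    """
    findings = []
    for row in rows:
        # Filter: Source DC does not contain "del" (deleted domain controllers).
        if "del" in row["Source DC"].lower():
            continue
        last_ok = row["Last Success Time"]
        problems = []
        if last_ok == "0":  # assumption: 0 means replication never succeeded
            problems.append("never successful")
        else:
            age = now - datetime.strptime(last_ok, TIME_FMT)
            intrasite = row["Source DC Site"] == row["Destination DC Site"]
            limit = INTRASITE_MAX_AGE if intrasite else intersite_schedule
            if age > limit:
                problems.append("intrasite replication older than one hour" if intrasite
                                else "last success older than the intersite schedule")
        # Filter: Last Failure Time does not equal 0 (a failure was recorded).
        if row["Last Failure Time"] != "0":
            problems.append(f"last failure status {row['Last Failure Status']}")
        if problems:
            findings.append({
                "source": row["Source DC"],
                "partition": row["Naming Context"],
                "last_success": last_ok,
                "problems": problems,
            })
    findings.sort(key=lambda f: f["last_success"])  # "0" sorts before any timestamp
    return findings


if __name__ == "__main__":
    # Assumed review time and a 3-hour site-link schedule (both constructed).
    report = review_showrepl(parse_showrepl_csv(SAMPLE_CSV),
                             datetime(2008, 9, 15, 10, 30),
                             timedelta(hours=3))
    for finding in report:
        print(finding["source"], finding["partition"], "; ".join(finding["problems"]))
```

Rows that pass every check (here DC02, replicated intrasite 40 minutes earlier with no recorded failure) produce no finding, so the output is exactly the set of partners that step 13 says to investigate.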


Removing a Site
If domain controllers are no longer needed in a network location, you can remove them from the site and then delete the site object. Before you delete the site, you must remove each domain controller from the site either by removing the domain controller completely or by moving it to a new location:
• To remove the domain controller completely, remove Active Directory Domain Services (AD DS) from the server and then delete the server object from the site in AD DS.
• To retain the domain controller in a different location, move the domain controller itself to the new site and then move the server object to the respective site in AD DS.

Before you remove a server object from a site, check the NTDS Settings object of the server to see if the server has a manual connection object from any server in another site. If a manual connection object exists, check the source server in the other site for a corresponding manual connection object from the server that you are removing. The Knowledge Consistency Checker (KCC) does not remove manual connection objects automatically. Therefore, if you leave a manually created connection object on a server and then remove the source server for the connection, the inability of the destination server to replicate from its source replication partner will cause replication errors to be generated. If a manual connection object exists in the NTDS Settings object of a server in another site, and if the server that you are removing is the source ("replicate from") server for the connection, delete that manual connection object on the destination server to avoid unnecessary replication errors after you have removed the server object.

Domain controllers can host other applications that depend on site topology and publish objects as child objects of the respective server object. For example, when Microsoft Operations Manager (MOM) or Message Queuing is running on a domain controller, these applications create child objects beneath the server object. In addition, a server running Message Queuing that is not a domain controller and that is configured to be a routing server running Message Queuing creates a server object in the sites container. Removing the application from the server automatically removes the child object below the respective server object. However, the server object is not removed automatically. When all applications have been removed from the server (no child objects appear beneath the server object), you can remove the server object. After the application is removed from the server, a replication cycle might be required before child objects are no longer visible below the server object.

After you delete or move the server objects but before you delete the site object, reconcile the following objects:

IP addresses:
• If the addresses are being reassigned to a different site, associate the subnet object or objects with that site. Any clients that use the addresses for the decommissioned site will thereafter be assigned automatically to the other site.
• If the IP addresses will no longer be used on the network, delete the corresponding subnet object or objects.

Site link objects:
• If the site that you are removing is added to a site link that contains only two sites, delete the site link object.
• If the site that you are removing is added to a site link that contains more than two sites, do not delete this site link object.

Before you remove a site, consider the implications. If the site that you are removing is added to more than one site link, it might be an interim site between other sites that are added to this site link. Deleting the site might disconnect the outer sites from each other. In this case, the site links must be reconciled according to the instructions of the design team.

Task requirements
The following tool is required to perform the procedures for this task:
• Active Directory Sites and Services

To complete this task, perform the following procedures:
1. Delete a Manual Connection Object
2. Determine Whether a Server Object Has Child Objects
3. Delete a Server Object from a Site
4. Delete a Site Link Object
5. Associate an Existing Subnet Object with a Site
6. Delete a Site Object
7. To avoid replication errors on bridgehead servers in other sites that received replication from the site that has been removed, generate the intersite topology in those sites by performing the following two procedures:
   • Determine the ISTG Role Owner for a Site
   • Generate the Replication Topology on the ISTG
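The site-link rules above (delete a two-site link, keep a larger one, and watch for an interim site whose removal disconnects the outer sites) can be checked on paper before anything is deleted. The following Python function is an added example, not part of this guide or of Active Directory Sites and Services: given a constructed map of site-link names to their member sites, it lists the links to delete and to keep for the site being removed, flags the site as a possible interim site when it sits on more than one link, and reports whether the remaining sites would still be connected. It assumes site-link bridging is enabled, so that connectivity is transitive through shared links; that is an assumption of the example, not a statement from the guide.

```python
# Constructed topology (not from the guide): site-link name -> member sites.
SAMPLE_LINKS = {
    "Hub-Branch1": {"Hub", "Branch1"},
    "Hub-Branch2": {"Hub", "Branch2"},
    "Regional-Mesh": {"Hub", "Branch2", "Branch3"},
}


def _connected_components(nodes, edges):
    """Union-find over hyperedges: every member set of `edges` is one component."""
    parent = {n: n for n in nodes}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]  # path halving
            n = parent[n]
        return n

    for members in edges:
        members = list(members)
        for m in members[1:]:
            parent[find(m)] = find(members[0])
    groups = {}
    for n in nodes:
        groups.setdefault(find(n), set()).add(n)
    return list(groups.values())


def plan_site_removal(site_links: dict, site: str) -> dict:
    """Apply the guide's site-link rules for removing `site`.

    delete_links: links with exactly two members, one of them `site`.
    keep_links:   links with more than two members (kept, `site` removed).
    interim_site: `site` is on more than one link, so it may be an interim
                  site between other sites.
    disconnected: the other sites no longer form one connected set.
    Assumes site-link bridging, so connectivity is transitive across links.
    """
    to_delete, to_keep, remaining = [], [], {}
    for name, members in site_links.items():
        if site not in members:
            remaining[name] = set(members)
        elif len(members) == 2:
            to_delete.append(name)
        else:
            to_keep.append(name)
            remaining[name] = members - {site}
    other_sites = set().union(*site_links.values()) - {site}
    components = _connected_components(other_sites, remaining.values())
    return {
        "delete_links": sorted(to_delete),
        "keep_links": sorted(to_keep),
        "interim_site": len(to_delete) + len(to_keep) > 1,
        "disconnected": len(components) > 1,
        "components": sorted(sorted(c) for c in components),
    }


if __name__ == "__main__":
    for candidate in ("Hub", "Branch1"):
        plan = plan_site_removal(SAMPLE_LINKS, candidate)
        print(candidate, plan)
```

Removing "Hub" in the sample deletes both two-site links, keeps Regional-Mesh with Hub removed, and leaves Branch1 cut off from Branch2 and Branch3, which is exactly the case the guide says must go back to the design team; removing "Branch1" deletes one link and leaves the rest connected.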

Delete a Manual Connection Object
If you are removing a server object that has a manual connection object, you must remove the corresponding connection object on the destination domain controller. The Knowledge Consistency Checker (KCC) does not remove manual connection objects automatically. If the source ("replicate from") server in the connection is being removed and you no longer need a manual connection object on the destination server, delete the connection object from the destination server. You can use this procedure to delete a manual connection object.

Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.


To delete a manual connection object
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand Sites, and then expand the site of the server whose manual connection object you want to delete.
3. Expand Servers, and then expand the server object whose manual connection object you want to delete.
4. Click the NTDS Settings object of the server object, and then, in the details pane, view the Name column to find a connection object that has a name other than <automatically generated>.
5. Usually, a manual connection object is named for the source server. To be sure, right-click the connection object and then, in Replicate from, note the server name in the Server box. This is the source server from which this connection transfers replication updates to the destination server whose NTDS Settings object you have selected.
6. If you no longer want the destination server to explicitly use this server as its replication source, right-click the manual connection object, and then click Delete.

Determine Whether a Server Object Has Child Objects
After Active Directory Domain Services (AD DS) is properly installed on a domain controller, the server object for the domain controller has a child NTDS Settings object. Other applications that are running on domain controllers can also publish child objects. When you remove AD DS from a server, the NTDS Settings child object is removed automatically from the server object in the Servers container in Active Directory Sites and Services. Before you delete a server object from the Servers container for a site, verify that the server object has no child objects. The following conditions might result in the presence of a child object:
• If an NTDS Settings object is present, it is possible that replication of the deletion has not reached the domain controller whose objects you are viewing. Check the presence of the object on another domain controller, or force replication from another domain controller in the domain. (See Force Replication Between Domain Controllers.)
• If a child object other than NTDS Settings is present, another application has published the object and is using the server object. In this case, do not delete the server object.

Membership in Domain Users, or equivalent, is the minimum required to complete this procedure when you perform the procedure remotely by using Remote Server Administration Tools (RSAT). Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.


To determine whether a server object has child objects
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue.
2. In the console tree, expand the Sites container, and then expand the site of the server object.
3. Expand the Servers container, and then expand the server object to view any child objects.

Delete a Server Object from a Site
When you remove a domain controller from service by uninstalling Active Directory Domain Services (AD DS), the domain controller object is removed from the domain directory partition automatically. You can check this deletion by looking in the Domain Controllers container in the Active Directory Users and Computers snap-in. The server object, which represents the domain controller in the configuration directory partition, can have child objects and is therefore not removed automatically. When no child objects are visible below the server object in Active Directory Sites and Services, you can use this procedure to remove the server object.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To delete a server object from a site
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue.
2. In the console tree, expand the Sites container, and then expand the site from which you want to delete a server object.
3. If no child objects appear below the server object, right-click the server object, and then click Delete.

Important: Do not delete a server object that has a child object. If an NTDS Settings object appears below the server object you want to delete, either replication on the domain controller on which you are viewing the configuration container has not occurred or the server whose server object you are removing has not been properly decommissioned. If a child object other than NTDS Settings appears below the server object that you want to delete, another application has published the object. You must contact an administrator for the application and determine the appropriate action to remove the child object.

4. Click Yes to confirm your choice.

See Also
Decommissioning a Domain Controller
Forcing the Removal of a Domain Controller

Delete a Site Link Object
If you are removing a site and you no longer need a site link, you can use this procedure to delete a site link object.

Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To delete a site link object
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand Sites and Inter-Site Transports, and then click IP.
3. In the details pane, right-click the site link object that you want to delete, and then click Delete.
4. Click Yes to confirm your choice.

Associate an Existing Subnet Object with a Site
You can use this procedure to associate an existing subnet object with a site. A subnet object identifies a range of IP addresses that map respective computers to the site with which the subnet is associated in Active Directory Domain Services (AD DS). Associate an existing subnet with a site under the following conditions:
• When you are removing the site to which the subnet is currently associated
• When you have temporarily associated the subnet with a different site and you want to associate the subnet with its permanent site


Membership in Enterprise Admins in the forest or Domain Admins in the forest root domain, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To associate an existing subnet object with a site
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand the Sites container, and then click the Subnets container.
3. In the details pane, right-click the subnet with which you want to associate the site, and then click Properties.
4. In Site, click the site to associate the subnet, and then click OK.

Delete a Site Object
You can use this procedure to delete a site object. Delete a site object only after you have removed all server objects from the site and you have reassociated the subnets with a different site. The Servers container is deleted when you delete the site.

Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To delete a site object
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, click the Sites container.
3. In the details pane, right-click the site that you want to delete, and then click Delete.
4. Click Yes to confirm your choice.
5. In the Active Directory message box, read the information, and then click Yes to delete the site and its Servers container object.

See Also
Delete a Server Object from a Site
Delete a Site Link Object


Determine the ISTG Role Owner for a Site
The Intersite Topology Generator (ISTG) is the domain controller in each site that is responsible for generating the intersite topology. If you want to regenerate the intersite topology, you must determine the identity of the ISTG role owner in a site. You can use this procedure to view the NTDS Site Settings object properties and determine the ISTG role owner for the site.

Membership in Domain Users, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To determine the ISTG role owner for a site
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, click the site object whose ISTG role owner you want to determine.
3. In the details pane, right-click the NTDS Site Settings object, and then click Properties. The current role owner appears in the Server box under Inter-Site Topology Generator.

Generate the Replication Topology on the ISTG
You can use this procedure to generate the intersite replication topology on the intersite topology generator (ISTG). The Knowledge Consistency Checker (KCC) generates the Active Directory replication topology on every domain controller. The KCC runs by default every 15 minutes. You can force the KCC to run on any domain controller. The topology that is generated depends on the domain controller on which you run the command. You can force the KCC to run as follows:
• To generate the intersite replication topology, run the KCC on the domain controller in the site that holds the ISTG role.
• To generate the intrasite replication topology, run the KCC on any domain controller in the site that does not hold the ISTG role.

Note: To generate the replication topology on the ISTG, you must first complete the procedure: Determine the ISTG Role Owner for a Site.

Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To generate the replication topology on the ISTG
1. Determine the server that holds the ISTG role for the site.
2. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
3. In the console tree, expand Sites, and then expand the site that contains the ISTG on which you want to run the KCC.
4. Expand Servers, and then click the Server object for the ISTG.
5. In the details pane, right-click NTDS Settings, click All Tasks, and then click Check Replication Topology.
6. In the Check Replication Topology message box, click OK.

Administering the Active Directory Database
This guide provides information about administering the Active Directory database in the Windows Server 2008 operating system.

In this guide
• Introduction to Administering the Active Directory Database
• Managing the Active Directory Database

Introduction to Administering the Active Directory Database
Active Directory Domain Services (AD DS) is stored in the Ntds.dit database file. In addition to this file, the directory service uses log files, which store transactions before they are committed to the database file. For best performance, store the log files and the database on separate hard drives. Before you perform any procedures that affect the directory database, be sure that you have a current system state or critical-volume backup. For information about backing up AD DS, see Backing Up Active Directory Domain Services.

Database management conditions
The Active Directory database is a self-maintained system. It requires no daily maintenance, other than regular backup, during ordinary operation. However, you may have to manage it if the following conditions occur:
• Low disk space: move the files to a different location permanently, or replace the disk on which the database or log files are stored.
• Pending or current hardware failure: upgrade or replace the disk on which the database or log files are stored.
• A need to recover physical disk space: defragment the database after bulk deletion or removal of the global catalog.

Disk space monitoring recommendations
Monitor free disk space on the partition or partitions that store the directory database and logs. The following are the recommended parameters for free disk space:
• Ntds.dit partition: The greater of 20 percent of the Ntds.dit file size or 500 megabytes (MB).
• Log file partition: The greater of 20 percent of the combined log files size or 500 MB.
• Ntds.dit and logs on the same volume: The greater of 20 percent of the combined Ntds.dit and log files sizes or 1 gigabyte (GB).

Database defragmentation
During ordinary operation, you will delete objects from AD DS. When you delete an object, free (unused) disk space is created in the database. On a regular basis, the database consolidates this free disk space through a process called online defragmentation. This disk space will be reused when new objects are added (without adding any size to the file itself). This automatic online defragmentation redistributes and retains free disk space for use by the database, but does not release the disk space to the file system. Therefore, the database size does not shrink, even though objects might be deleted. In cases in which the data decreases significantly, such as when the global catalog is removed from a domain controller, free disk space is not automatically returned to the file system. Although this condition does not affect database operation, it does result in large amounts of free disk space in the database. To decrease the size of the database file by returning free disk space from the database file to the file system, you can perform an offline defragmentation of the database. Whereas online defragmentation occurs automatically while AD DS is running, offline defragmentation requires taking the domain controller offline and using the Ntdsutil.exe command-line tool to perform the procedure.

Note: NTFS disk compression is not supported for the database and log files.

Restartable AD DS
On domain controllers that are running Windows Server 2008, performing offline defragmentation and other database management tasks does not require a restart of the domain controller in Directory Services Restore Mode (DSRM). You can stop the AD DS service while you perform database management procedures. This feature, called restartable AD DS, eliminates the need to restart the domain controller when you perform certain database management tasks. Services that are running on the server that depend on AD DS to function shut down before AD DS shuts down. The following services stop when you stop AD DS:
• DNS Server service
• File Replication Service (FRS)
• Kerberos Key Distribution Center (KDC)
• Intersite Messaging
• Distributed File System (DFS) Replication

Other services that are running on the server and that do not depend on AD DS to function, such as Dynamic Host Configuration Protocol (DHCP), remain available to satisfy client requests while AD DS is stopped. For information about restartable AD DS, see Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=55649).

See Also
Managing the Active Directory Database

Managing the Active Directory Database
This section includes the following tasks for managing the Active Directory database:
• Relocating the Active Directory Database Files
• Returning Unused Disk Space from the Active Directory Database to the File System

Relocating the Active Directory Database Files
Relocating Active Directory database files usually involves moving files to a temporary location while hardware updates are being performed and then moving the files to a permanent location. On domain controllers that are running versions of Windows 2000 Server and Windows Server 2003, moving database files requires restarting the domain controller in Directory Services Restore Mode (DSRM). Windows Server 2008 introduces restartable Active Directory Domain Services (AD DS), which you can use to perform database management tasks without restarting the domain controller in DSRM. Before you move database files, you must stop AD DS as a service. For information about restartable AD DS, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=55649).

The following conditions require moving database files:
• Hardware maintenance: If the physical disk on which the database or log files are stored requires upgrading or maintenance, the database files must be moved, either temporarily or permanently.
• Low disk space: When free disk space is low on the logical drive that stores the database file (Ntds.dit), the log files, or both, first verify that no other files are causing the problem. If the database file or log files are the cause of the growth, provide more disk space by taking one of the following actions:
   • Expand the partition on the disk that currently stores the database file, the log files, or both. This procedure does not change the path to the files and does not require updating the registry.
   • Use Ntdsutil.exe to move the database file, the log files, or both to a larger existing partition. If you are not using Ntdsutil.exe when you move files to a different partition, you must update the registry manually.

If the path to the database file or log files will change as a result of moving the files, be sure that you:
• Use Ntdsutil.exe to move the files (rather than copying them) so that the registry is updated with the new path. Even if you are moving the files only temporarily, use Ntdsutil.exe to move files locally so that the registry remains current.
• Perform a system state or critical-volume backup as soon as the move is complete so that the restore procedure uses the correct path.
• Verify that the correct permissions are applied on the destination folder after the move. Revise permissions to just the permissions that are required to protect the database files, if necessary.

The registry entries that Ntdsutil.exe updates when you move the database file are as follows: In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters:
• Database backup path
• Directory System Agent (DSA) database file
• DSA working directory

The registry entry that Ntdsutil.exe updates when you move the log files is as follows: In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters:
• Database log files path

Disk space requirements for relocating Active Directory database files
Temporary location. Free space on the destination drive equivalent to at least the current size of the database file, the combined log files, or both, depending on which files you are moving.

Permanent location. Free space on the destination NTFS drive equivalent to at least the following specified size, plus space to accommodate anticipated growth, depending on which file or files you are moving.

78?

Caution The drive that is the permanent location of the database file or log files must be formatted as 9T=S& • Database file onl : The si.e of the database file( plus 20 percent of the 9tds&dit file or 800 megab tes "M>#( %hichever is greater& • +og files onl : The si.e of the combined log files( plus 20 percent of the combined logs or 800 M>( %hichever is greater& • Database and logs& 'f the database and log files are stored on the same partition( free space should be at least 20 percent of the combined 9tds&dit and log files( or 6 gigab te "5>#( %hichever is greater& Important The preceding levels are minimum recommended levels& Therefore( adding additional space according to anticipated gro%th is recommended& ask re0uirements The follo%ing tools are reFuired to perform the procedures for this tas0: • • • • • • net use( net stop( net start dir -cop 9tdsutil&e-e $indo%s Server >ac0up $indo%s 1-plorer
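The free-space rules above can be checked before a move instead of by hand. The following PowerShell is an added example, not part of the guide or of any Microsoft tool: it measures the current Ntds.dit and edb*.log sizes, applies the temporary-location and permanent-location rules exactly as stated above (the three permanent-location cases, without the growth headroom, which you add yourself), and compares the result with the destination drive's free space and file system. The function names, parameter names and the Database/Logs/Both values are this example's own choices; the paths in the usage line are the defaults named in the guide.

```powershell
# Added example, not from the guide: turns the free-space rules into a
# pre-move check. Function and parameter names are this example's own.

function Get-NtdsRequiredFreeSpace {
    param(
        [Parameter(Mandatory)] [long] $DatabaseBytes,   # current size of Ntds.dit
        [Parameter(Mandatory)] [long] $LogBytes,        # combined size of the edb*.log files
        [ValidateSet('Database','Logs','Both')] [string] $Moving = 'Both',  # files being relocated
        [switch] $Temporary                             # temporary destination rather than permanent
    )
    # Temporary location: at least the current size of whatever is being moved.
    $moved = switch ($Moving) {
        'Database' { $DatabaseBytes }
        'Logs'     { $LogBytes }
        'Both'     { $DatabaseBytes + $LogBytes }
    }
    if ($Temporary) { return [long]$moved }

    # Permanent location, per the guide's three rules (growth headroom not included):
    #   database only : size + max(20 % of size, 500 MB)
    #   logs only     : size + max(20 % of size, 500 MB)
    #   both together : max(20 % of combined size, 1 GB)
    switch ($Moving) {
        'Database' { [long]($DatabaseBytes + [math]::Max(0.2 * $DatabaseBytes, 500MB)) }
        'Logs'     { [long]($LogBytes      + [math]::Max(0.2 * $LogBytes,      500MB)) }
        'Both'     { [long][math]::Max(0.2 * ($DatabaseBytes + $LogBytes), 1GB) }
    }
}

function Test-NtdsDestination {
    param(
        [Parameter(Mandatory)] [string] $DatabasePath,     # e.g. C:\Windows\NTDS\ntds.dit
        [Parameter(Mandatory)] [string] $LogDirectory,     # folder holding edb*.log
        [Parameter(Mandatory)] [string] $DestinationDrive, # e.g. 'G:'
        [ValidateSet('Database','Logs','Both')] [string] $Moving = 'Both',
        [switch] $Temporary
    )
    $dbBytes  = (Get-Item -LiteralPath $DatabasePath).Length
    $logBytes = [long](Get-ChildItem -LiteralPath $LogDirectory -Filter 'edb*.log' |
                       Measure-Object -Property Length -Sum).Sum
    $required = Get-NtdsRequiredFreeSpace -DatabaseBytes $dbBytes -LogBytes $logBytes `
                                          -Moving $Moving -Temporary:$Temporary

    $drive = New-Object System.IO.DriveInfo $DestinationDrive
    $ok = $drive.AvailableFreeSpace -ge $required
    # A permanent destination must be NTFS; a temporary one only needs the space.
    if (-not $Temporary -and $drive.DriveFormat -ne 'NTFS') { $ok = $false }

    [pscustomobject]@{
        Moving        = $Moving
        Temporary     = [bool]$Temporary
        DatabaseBytes = $dbBytes
        LogBytes      = $logBytes
        RequiredBytes = $required
        FreeBytes     = $drive.AvailableFreeSpace
        FileSystem    = $drive.DriveFormat
        Sufficient    = $ok
    }
}

# Usage: default file locations from the guide, destination drive G: (adjust to your DC).
Test-NtdsDestination -DatabasePath 'C:\Windows\NTDS\ntds.dit' -LogDirectory 'C:\Windows\NTDS' `
                     -DestinationDrive 'G:' -Moving Both
```

Run it from an elevated prompt on the domain controller; the file sizes it reads are the online (bytes) figures, so compare them with the online procedure later in this section, not with the megabyte figures Ntdsutil.exe reports offline.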

Note: If you replace or reconfigure a drive that stores the SYSVOL folder, you must first move the SYSVOL folder manually. For information about moving SYSVOL manually, see Relocating SYSVOL Manually.
To complete this task, perform the following procedures:
Note: The domain controller will not be available during the time in which files are being moved and until the move is verified. Ensure that alternate domain controllers are available during the file relocation to handle the capacity.
1. Determine the size and location of the Active Directory database by using one of the following procedures:
• Determine the Database Size and Location Online
• Determine the Database Size and Location Offline

2. Compare the Size of the Directory Database Files to the Volume Size
3. Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin) (http://go.microsoft.com/fwlink/?LinkId=113537)

System state includes the database file and log files as well as SYSVOL and Net Logon shared folders, among other things. Always ensure that you have a current system state or critical-volume backup before you move database files.
4. Move or copy the directory database and log files by performing one of the following procedures:
• Move the Directory Database and Log Files to a Local Drive
• Copy the Directory Database and Log Files to a Remote Share

The shared folder on a remote drive must have enough free space to hold the database file (Ntds.dit) and log files. Create separate subdirectories for copying the database file and the log files.
5. Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin) (http://go.microsoft.com/fwlink/?LinkId=113537)

Determine the Database Size and Location Online
You can use this procedure to determine the size and location of the Active Directory database when Active Directory Domain Services (AD DS) is running in normal Windows mode on a domain controller that is connected to the network (that is, on a domain controller that is online). When you determine the database size and location online, the size is reported in bytes.
If you must manage the database file, the log files, or both, first determine the location and size of the files. By default, the database file and associated log files are stored in the %systemroot%\NTDS directory.
Important: Be sure to use the same method to check file sizes when you compare them. The size is reported differently, depending on whether the domain controller is online or offline. For information about determining database size offline, see Determine the Database Size and Location Offline.
You can also use the Search command on the Start menu to locate the database file (Ntds.dit) or the edb*.log file for the location of the database and log files, respectively. If you have set garbage collection logging to report free disk space, Event ID 1646 in the Directory Service log also reports the size of the database file: "Total allocated hard disk space (megabytes):" As an alternative, you can determine the size of the database file by listing the contents of the directory that contains the files.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To determine the database size and location online
1. On the domain controller on which you want to manage database files, open a command prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. Change directories to the directory that contains the files that you want to manage.
3. At the command prompt, type dir, and then press ENTER to examine the database size. In the following example command output, the Ntds.dit file and the log files are stored in the same directory. In the example, the files take up 58,761,256 bytes of disk space. This output is representative of a directory database to which few objects have been added.

C:\Windows\NTDS>dir
 Volume in drive C has no label.
 Volume Serial Number is ...

 Directory of C:\Windows\NTDS

01/29/2008  11:04 AM    <DIR>          .
01/29/2008  11:04 AM    <DIR>          ..
01/29/2008  10:29 AM             8,192 edb.chk
01/29/2008  10:29 AM        10,485,760 edb.log
01/29/2008  10:29 AM        10,485,760 edb00001.log
01/29/2008  10:29 AM        10,485,760 edbres00001.jrs
01/29/2008  10:29 AM        10,485,760 edbres00002.jrs
01/29/2008  10:29 AM        14,696,488 ntds.dit
01/28/2008  02:54 PM         2,113,536 temp.edb
               7 File(s)     58,761,256 bytes
               2 Dir(s)  126,027,243,520 bytes free

See Also
Determine the Database Size and Location Offline

Determine the Database Size and Location Offline
You can use this procedure to determine the size and location of the Active Directory database when Active Directory Domain Services (AD DS) is offline. When you determine the database size and location offline, the size is reported in megabytes (MB). On domain controllers that are running Windows Server 2008, you can take AD DS offline by stopping the service. Otherwise, the domain controller must be started in Directory Services Restore Mode (DSRM). For information about stopping the AD DS service on domain controllers that are running Windows Server 2008, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=85649).
Important: Be sure to use the same method to check file sizes when you compare them. The size is reported differently, depending on whether the domain controller is online or offline. For information about determining database size online, see Determine the Database Size and Location Online.
If you have set garbage collection logging to report free disk space, Event ID 1646 in the Directory Service log also reports the size of the database file: "Total allocated hard disk space (megabytes):" As an alternative, you can determine the size of the database file by listing the contents of the directory that contains the files.
Membership in Builtin Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To determine the database size and location offline
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
net stop ntds

Type Y to agree to stop additional services, and then press ENTER.

3. At the command prompt, type ntdsutil, and then press ENTER.
4. At the ntdsutil prompt, type activate instance ntds, and then press ENTER.
5. At the ntdsutil prompt, type files, and then press ENTER.
6. At the file maintenance prompt, type info, and then press ENTER. Make a note of the file sizes that appear.
7. At the file maintenance prompt, type quit, and then press ENTER. Type quit, and then press ENTER again to quit Ntdsutil.exe.
8. At the command prompt, type the following command, and then press ENTER:
net start ntds

See Also
Determine the Database Size and Location Online


Compare the Size of the Directory Database Files to the Volume Size
Before you move any Active Directory database files in response to low disk space, verify that no other files on the volume are responsible for the condition of low disk space. You might have to relocate the database file, the log files, or both, if disk space on the volume on which they are stored becomes low. Before you move the database file or log files, examine the size of the database folder, the logs folder, or both (if they are stored in the same location) compared to the size of the volume, to verify that these files are the cause of low disk space. Include the size of the SYSVOL folder if it is on the same partition. You can use this procedure to compare the size of the directory database files to the size of the volume.
If Active Directory Domain Services (AD DS) is started when you are comparing the size of the directory database files and volume, membership in Domain Admins is the minimum required to complete this procedure. If AD DS is stopped, membership in Builtin Administrators is the minimum required to complete this procedure. If the domain controller is restarted in Directory Services Restore Mode (DSRM), the DSRM administrator password is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To compare the size of the directory database files to the volume size
1. On the Start menu, click Computer.
2. In the Folders list, click Computer.
3. In the details pane, locate the volume that has low disk space. Make a note of the value in the Total Size column for that volume.
4. Navigate to the folder that stores the database file, the log files, or both.
5. Right-click the folder, and then click Properties. Make a note of the value in Size on disk.
6. If the volume includes SYSVOL, navigate to that folder and repeat step 5.
7. Compare the values of Total Size (volume) and Size on disk (database files plus SYSVOL if SYSVOL is on the same volume). If the combined size of the relevant database files and SYSVOL files (if appropriate) is significantly smaller than the volume size, check the contents of the volume for other files.
8. If other files are present, move those files and then reassess the disk space on the volume.
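The same comparison can be scripted so that it is repeatable and does not depend on reading dialog boxes. The following PowerShell is an added example, not from the guide: it takes the database and log locations from the NTDS\Parameters registry values listed earlier in this section, the SYSVOL location from the SysVol value that the Netlogon service keeps under its own Parameters key, sums the files in those folders (SYSVOL only when it sits on the same volume as the database), and reports how much of the volume's used space is accounted for by something else. It sums logical file lengths rather than the cluster-rounded "Size on disk" value, which is close enough to decide whether the directory files are the cause. The function names and output columns are this example's own.

```powershell
# Added example, not from the guide: scripted form of the volume comparison.
# Function names and output columns are this example's own choices.

function Get-FolderBytes {
    param([Parameter(Mandatory)][string] $Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 0L }
    # Logical size of every file under the folder (not cluster-rounded size on disk).
    [long](Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
           Where-Object { -not $_.PSIsContainer } |
           Measure-Object -Property Length -Sum).Sum
}

function Compare-NtdsToVolume {
    $ntds     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

    $dbFolder  = Split-Path -Parent $ntds.'DSA Database file'   # folder holding Ntds.dit
    $logFolder = $ntds.'Database log files path'               # folder holding edb*.log
    $sysvol    = $netlogon.SysVol                               # SYSVOL share root

    # The volume that holds the database file is the one being assessed.
    $root  = [System.IO.Path]::GetPathRoot($dbFolder)
    $drive = New-Object System.IO.DriveInfo $root

    # Count each folder once; include SYSVOL only when it lives on the same volume.
    $folders = @($dbFolder)
    if ($logFolder -and $logFolder -ne $dbFolder) { $folders += $logFolder }
    if ($sysvol -and [System.IO.Path]::GetPathRoot($sysvol) -eq $root) { $folders += $sysvol }

    $adBytes = 0L
    foreach ($f in $folders) { $adBytes += Get-FolderBytes -Path $f }
    $usedBytes = $drive.TotalSize - $drive.AvailableFreeSpace

    [pscustomobject]@{
        Volume         = $root
        TotalSizeBytes = $drive.TotalSize
        FreeBytes      = $drive.AvailableFreeSpace
        ADFolders      = ($folders -join '; ')
        ADBytes        = $adBytes
        OtherUsedBytes = $usedBytes - $adBytes    # space that moving the AD files would not free
        ADShareOfUsed  = [math]::Round(100 * $adBytes / [math]::Max($usedBytes, 1), 1)
    }
}

Compare-NtdsToVolume | Format-List
```

If ADShareOfUsed is small, the directory files are not what filled the volume, and step 8 (move the other files) applies before any relocation of Ntds.dit or the logs.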


Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin)
You can use this procedure to back up system state on a domain controller.
Membership in Builtin Administrators or Backup Operators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. In addition, you must have write access to the target backup location.
To perform a system state backup of a domain controller
1. Click Start, click Command Prompt, and then click Run as administrator.
2. If you are prompted, in the User Account Control dialog box, provide Backup Operator credentials, and then click OK.
3. At the command prompt, type the following command, and then press ENTER:
wbadmin start systemstatebackup -backuptarget:<targetDrive>: -quiet

Where <targetDrive> identifies the local volume or the letter of the physical disk drive to receive the backup. You cannot store a system state backup on a network shared drive. If you do not specify the -quiet parameter, you are prompted to press Y to proceed with the backup operation.

Additional considerations
Be aware of the following issues when you perform a system state backup:
• To use Wbadmin.exe, you must install Windows Server Backup. For more information about installing Windows Server Backup, see Installing Windows Server Backup (http://go.microsoft.com/fwlink/?LinkID=96495).
• The target volume for a system state backup can be a local drive, but it cannot be any of the volumes that are included in the backup by default. To store the system state backup on a volume that is included in the backup, you must add the AllowSSBToAnyVolume registry entry to the server that you are backing up. There are also some prerequisites for storing system state backup on a volume that is included in the backup. For more information, see Known Issues for AD DS Backup and Recovery (http://go.microsoft.com/fwlink/?LinkID=117940).

Move the Directory Database and Log Files to a Local Drive
You can use this procedure to move Active Directory database and log files to a local drive.
When you move the files to a folder on the local domain controller, you can move them permanently or temporarily. Move the files to a temporary destination if you need to reformat the original location, or move the files to a permanent location if you have additional disk space. If you reformat the original drive, use the same procedure to move the files back after the reformat is complete.
Ntdsutil.exe updates the registry when you move files locally. Even if you are moving the files only temporarily, use Ntdsutil.exe so that the registry is always current.
If you do not have space on the local domain controller to move the files temporarily, you can copy files to a remote share. For information about copying files to a remote share, see Copy the Directory Database and Log Files to a Remote Share.
On a domain controller that is running Windows Server 2008, you do not have to restart the domain controller in Directory Services Restore Mode (DSRM) to move database files. You can stop the Active Directory Domain Services (AD DS) service and then restart the service after you move the files to their permanent location. For information about restartable AD DS, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=85649).
Membership in Builtin Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To move the directory database and log files to a local drive
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
net stop ntds

Type Y to agree to stop additional services, and then press ENTER.

3. At the command prompt, change directories to the current location of the directory database file (Ntds.dit) or the log files, whichever you are moving.
4. Run the dir command, and make a note of the current size and location of the Ntds.dit file.
5. At the command prompt, type ntdsutil, and then press ENTER.
6. At the ntdsutil prompt, type activate instance ntds, and then press ENTER.
7. At the ntdsutil prompt, type files, and then press ENTER.
8. To move the database file, at the file maintenance: prompt, use the following commands:
• To move the Ntds.dit file, type the following command, and then press ENTER:
move db to <drive>:\<directory>
• To move the log files, type the following command, and then press ENTER:
move logs to <drive>:\<directory>
where <drive>:\<directory> specifies the path to the new location. If the directory does not exist, Ntdsutil.exe creates it.
Note: If the directory path contains any spaces, the entire path must be surrounded by quotation marks, for example, move db to "g:\new folder".
9. After the move completes, at the file maintenance: prompt, type quit, and then press ENTER. Type quit again, and then press ENTER to quit Ntdsutil.exe.
10. Change to the destination directory, and then run the dir command to confirm the presence of the files. If you have moved the database file, check the size of the Ntds.dit file against the file size that you noted in step 4 to be sure that you are focused on the correct file.
11. If you are moving the database file or log files permanently, go to step 12. If you are moving the database file or log files temporarily, you can now perform any required updates to the original drive. After you update the drive, repeat steps 3 through 9 to move the files back to the original location. If the path to the database file or log files has not changed, go to step 13.
12. If the path to the database file or log files has changed from the original location, check permissions on the database folder or logs folder, as follows:
a. In Windows Explorer, right-click the folder to which you have moved the database file or log files, and then click Properties.
b. Click the Security tab, and then click Advanced. Verify that the permissions are as follows:
Administrators group has Allow Full Control.
SYSTEM has Allow Full Control.
The Include inheritable permissions from this object's parent check box is cleared.
No Deny permissions are selected.
c. If the permissions in step 12b are in effect, go to step 13. If permissions other than the permissions described in step 12b are in effect, perform steps 12d through 12j.
d. If Include inheritable permissions from this object's parent is selected, click Edit, click to clear the setting, and then click OK. When you are prompted, click Copy to copy previously inherited permissions to this object.
e. If Administrators or SYSTEM, or both, are not in the Name list, click OK, click Edit, and then click Add.
f. In From this location, be sure that the name of the domain is selected.
g. In Enter the object names to select, type System, if necessary, and then click OK. Repeat to add Administrators, if necessary, and then click OK.
h. On the Security tab, click System, and then, in the Allow column, click Full Control. Repeat for Administrators.
i. In the Group or user names box, click any name that is not SYSTEM or Administrators, and then click Remove. Repeat until the only remaining accounts are Administrators and SYSTEM, and then click OK.
Note: Some accounts might appear in the form of security identifiers (SIDs). Remove any such accounts.
j. Click OK to close Properties.
13. At the command prompt, type ntdsutil, and then press ENTER.
14. At the ntdsutil prompt, type activate instance ntds, and then press ENTER.
15. At the ntdsutil prompt, type files, and then press ENTER.
16. At the file maintenance: prompt, type integrity, and then press ENTER. If the integrity check fails, see If the Database Integrity Check Fails, Perform Semantic Database Analysis with Fixup.
17. If the integrity check succeeds, type quit, and then press ENTER to quit the file maintenance prompt. Type quit again, and then press ENTER to quit Ntdsutil.exe.
18. At the command prompt, type the following command, and then press ENTER:
net start ntds

19. Open Event Viewer, and check the Directory Service log for errors.
20. If the following events are logged in the Directory Service log in Event Viewer when you restart AD DS, stop AD DS, and then resolve the event issues as follows:
• Event ID 1046. "The Active Directory database engine caused an exception with the following parameters." In this case, AD DS cannot recover from this error and you must restore AD DS from backup.
• Event ID 1168. "Internal error: An Active Directory error has occurred." In this case, information is missing from the registry and you must restore AD DS from backup.
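Steps 10 and 12 verify the move by hand: the files are where the registry says they are, and the destination folders carry only the Administrators and SYSTEM Full Control entries with inheritance disabled. The following PowerShell is an added example, not from the guide: it reads the four NTDS\Parameters values named at the start of this section and confirms that each path exists, then checks the database and log folders against the permission set in step 12b and reports every deviation (inheritance enabled, a Deny entry, an extra account or unresolved SID, or a missing Full Control entry). Run it after step 12 while AD DS is still stopped. The function names are this example's own; the registry value names are the ones AD DS maintains.

```powershell
# Added example, not from the guide: post-move check of registry paths and
# folder permissions. Function names are this example's own.
$NtdsParameters = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Test-NtdsRegistryPaths {
    $p = Get-ItemProperty -Path $NtdsParameters
    foreach ($name in 'DSA Database file', 'Database log files path',
                      'DSA Working Directory', 'Database backup path') {
        $value = $p.$name
        [pscustomobject]@{
            Entry  = $name
            Path   = $value
            Exists = [bool]($value -and (Test-Path -LiteralPath $value))
        }
    }
}

function Test-NtdsFolderAcl {
    param([Parameter(Mandatory)][string] $Path)
    $acl      = Get-Acl -LiteralPath $Path
    $expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    $full     = [System.Security.AccessControl.FileSystemRights]::FullControl
    $problems = @()

    # Step 12b: "Include inheritable permissions from this object's parent" must be cleared.
    if (-not $acl.AreAccessRulesProtected) { $problems += 'inheritance is still enabled' }

    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value          # an unresolved account shows as S-1-5-...
        if ($ace.AccessControlType -eq 'Deny')               { $problems += "Deny entry for $id" }
        elseif ($expected -notcontains $id)                  { $problems += "extra entry for $id" }
        elseif (($ace.FileSystemRights -band $full) -ne $full) { $problems += "$id lacks Full Control" }
    }
    foreach ($id in $expected) {
        $hit = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $id -and $_.AccessControlType -eq 'Allow' }
        if (-not $hit) { $problems += "no Allow entry for $id" }
    }
    [pscustomobject]@{ Folder = $Path; Compliant = ($problems.Count -eq 0); Problems = ($problems -join '; ') }
}

function Test-NtdsRelocation {
    $p = Get-ItemProperty -Path $NtdsParameters
    # Database folder and log folder; they may be the same directory.
    $folders = @((Split-Path -Parent $p.'DSA Database file'), $p.'Database log files path') | Select-Object -Unique
    [pscustomobject]@{
        RegistryPaths = @(Test-NtdsRegistryPaths)
        FolderAcls    = @(foreach ($f in $folders) { Test-NtdsFolderAcl -Path $f })
    }
}

$result = Test-NtdsRelocation
$result.RegistryPaths | Format-Table -AutoSize
$result.FolderAcls    | Format-Table -AutoSize
```

Every row in the first table should show Exists = True (Database backup path may legitimately be empty on a domain controller that has never been backed up with the older API, which the script reports as False for review), and every row in the second should show Compliant = True before you continue with step 13.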

See Also
If the Database Integrity Check Fails, Perform Semantic Database Analysis with Fixup
Copy the Directory Database and Log Files to a Remote Share
Recovering Active Directory Domain Services


Copy the Directory Database and Log Files to a Remote Share
You can use this procedure to copy the Active Directory directory database and log files to a remote shared folder. If you need to move the database file or the log files while you reconfigure the drive on which they are currently stored and you do not have enough space to move the files locally, you can use the xcopy command to copy the files to a remote shared folder temporarily and then use the same procedure to copy them back to the original drive. Use this method only if the path to the files does not change.
Important: When you relocate any database files (the database file or the log files) off the local computer, always copy both the database file and the log files so that all the files that are necessary to restore the directory service are maintained.
If you have enough space locally on the domain controller and you do not want to copy database files to a remote share, you can use Ntdsutil to move the files to a local folder. For information about moving the database files, see Move the Directory Database and Log Files to a Local Drive.
On a domain controller that is running Windows Server 2008, you do not have to restart the domain controller in Directory Services Restore Mode (DSRM) to copy database files. You can stop the Active Directory Domain Services (AD DS) service and then restart the service after you copy the files to their permanent location. For information about restartable AD DS, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=85649).
Membership in Builtin Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To copy the directory database and log files to a remote share and back to the local computer
1. Before you stop AD DS, prepare a shared directory on a remote server in the domain. Create separate subdirectories for the database files and log files. Allow access only to the Builtin Administrators group.
2. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue.
3. At the command prompt, type the following command, and then press ENTER:
net stop ntds

Type Y to agree to stop additional services, and then press ENTER.

4. At the command prompt, change directories to the current location of the database file (Ntds.dit) or the log files. If the database file and log files are in different locations, perform step 4 for each directory.
5. Run the dir command, and make a note of the current size and location of the Ntds.dit file and the log files.
6. Establish a network connection to the shared folder. After you type the following command and press ENTER, you are prompted for the password for the specified account. Type the password, and then press ENTER.
net use <NetworkDrive>: \\<ServerName>\<SharedFolderName> /user:<domainName>\<userName> *

Value: net use <NetworkDrive>:
Description: Specifies the drive letter to use for connecting to the shared folder.

Value: \\<ServerName>\<SharedFolderName>
Description: The universal naming convention (UNC) name of the shared folder location, specifying the server that stores the shared folder and the name of the shared folder, separated by a backslash.

Value: /user:<domainName>\<userName>
Description: Specifies the domain name and user name, separated by a backslash, for a user who has permissions to perform operations in AD DS.

Value: *
Description: Provides a "Type the password for \\<ServerName>\<SharedFolderName>:" prompt when you press ENTER.

For example, if you shared the \TempCopy directory on the server named SERVER1, the following command maps network drive G: to the shared location and provides the domain and user name for user tonip5:
net use G: \\server1\tempcopy /user:contoso\tonip5 *

7. Use the xcopy command to copy the database files to the location that you established in step 6. Type the following command, and then press ENTER:
xcopy \<PathToDatabaseFiles> <NetworkDrive>:\<DatabaseSubdirectory>

This command copies the contents of the local folder for the database to the named subfolder in the remote shared folder. For example, the following command copies the database files from their location on the domain controller to the DB subdirectory on the mapped drive G:
xcopy \windows\ntds G:\DB

8. Repeat step 7 to copy the log files. For example, the following command copies the log files to the Logs subdirectory on the mapped drive G:
xcopy \windows\ntds\*.log G:\Logs

9. Change drives to the remote directory and run the dir command in each subdirectory to compare the file sizes to the file sizes that are listed in step 5. Use this step to ensure that you copy the correct set of files back to the local computer.
10. At this point, you can safely destroy data on the original local drive.
11. After the destination drive is prepared, re-establish a connection to the network drive as described in step 6, if necessary.
12. Use the method in step 7 to copy the database and log files from the remote shared folder back to the original location on the domain controller.
13. At the command prompt, type ntdsutil, and then press ENTER.
14. At the ntdsutil prompt, type activate instance ntds, and then press ENTER.
15. At the ntdsutil prompt, type files, and then press ENTER.
16. At the file maintenance: prompt, type integrity, and then press ENTER. If the integrity check fails, see If the Database Integrity Check Fails, Perform Semantic Database Analysis with Fixup.
17. If the integrity check succeeds, type quit, and then press ENTER to quit the file maintenance: prompt. Type quit again, and then press ENTER to quit Ntdsutil.exe.
18. At the command prompt, type the following command, and then press ENTER:
net start ntds

19. Open Event Viewer, and check the Directory Service log for errors.
20. If the following events are logged in the Directory Service log in Event Viewer when AD DS restarts, resolve the events as follows:
• Event ID 1046. "The Active Directory database engine caused an exception with the following parameters." In this case, AD DS cannot recover from this error and you must restore AD DS from backup.
• Event ID 1168. "Internal error: An Active Directory error has occurred." In this case, information is missing from the registry and you must restore AD DS from backup.
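Step 9 compares file sizes by eye before step 10 destroys the original drive, and step 12 copies the files back with the same check available. The following PowerShell is an added example, not from the guide: it compares every file in a local folder with its copy on the share by name, length and SHA-256 hash, so a missing, truncated or altered file is reported before the original is destroyed (and, run the other way round after step 12, before AD DS is restarted). It assumes Windows PowerShell 4.0 or later for Get-FileHash and that AD DS is stopped, since Ntds.dit is locked while the service runs. The function name, its parameters and the G:\DB path in the usage line are this example's own choices.

```powershell
# Added example, not from the guide: length and SHA-256 comparison of a copied
# NTDS folder against its source. Function and parameter names are this example's own.
function Compare-NtdsCopy {
    param(
        [Parameter(Mandatory)][string] $Source,        # e.g. C:\Windows\NTDS
        [Parameter(Mandatory)][string] $Destination    # e.g. G:\DB (mapped in step 6)
    )
    $files = Get-ChildItem -LiteralPath $Source -Force | Where-Object { -not $_.PSIsContainer }
    foreach ($file in $files) {
        $copy = Join-Path -Path $Destination -ChildPath $file.Name
        $status =
            if (-not (Test-Path -LiteralPath $copy)) { 'missing' }
            elseif ((Get-Item -LiteralPath $copy).Length -ne $file.Length) { 'size mismatch' }
            elseif ((Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash -ne
                    (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash) { 'content mismatch' }
            else { 'ok' }
        [pscustomobject]@{ File = $file.Name; Bytes = $file.Length; Status = $status }
    }
}

# Usage after step 8 (before step 10): the local folder is the source.
$report = @(Compare-NtdsCopy -Source 'C:\Windows\NTDS' -Destination 'G:\DB')
$report | Format-Table -AutoSize
$bad = @($report | Where-Object { $_.Status -ne 'ok' })
if ($bad.Count -gt 0) {
    Write-Warning "Copy is incomplete ($($bad.Count) file(s) differ); do not destroy the original drive."
}
# After step 12, swap the arguments so the share is the source and the restored
# local folder is the destination, and only proceed to step 13 when every row is 'ok'.
```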

See Also
If the Database Integrity Check Fails, Perform Semantic Database Analysis with Fixup
Move the Directory Database and Log Files to a Local Drive
Recovering Active Directory Domain Services


Returning Unused Disk Space from the Active Directory Database to the File System
During ordinary operation, the free disk space in the Active Directory database file becomes fragmented. Each time garbage collection runs (every 12 hours, by default), free disk space is automatically defragmented online to optimize its use within the database file. The unused disk space is maintained for the database; it is not returned to the file system. Only offline defragmentation can return unused disk space from the directory database to the file system.
When database contents have decreased considerably through a bulk deletion (for example, when you remove the global catalog from a domain controller), or if the size of the database backup is significantly increased as a result of the amount of free disk space, use offline defragmentation to reduce the size of the Ntds.dit file.
You can determine how much free disk space is recoverable from the Ntds.dit file by setting the garbage collection logging level in the registry. Changing the garbage collection logging level from the default value of 0 to a value of 1 results in event ID 1646 being logged in the directory service log. This event describes the total amount of disk space that the database file uses as well as the amount of free disk space that is recoverable from the Ntds.dit file through offline defragmentation.
At garbage collection logging level 0, only critical events and error events are logged in the Directory Service log. These events include Event IDs 700 and 701, which report when online defragmentation begins and ends, respectively. At level 1, higher-level events are logged as well. At level 1, Event ID 1646 is also reported, which indicates the amount of free space that is available in the database relative to the amount of allocated space.
Caution: Setting the value of entries in the Diagnostics subkey to greater than 3 can degrade server performance and is not recommended.
On domain controllers that are running Windows Server 2008, offline defragmentation does not require restarting the domain controller in Directory Services Restore Mode (DSRM), as is required on domain controllers that are running versions of Windows Server 2000 and Windows Server 2003. You can use a new feature in Windows Server 2008, restartable Active Directory Domain Services (AD DS), to stop the AD DS service. When the service is stopped, services that depend on AD DS shut down automatically. However, any other services that are running on the domain controller, such as Dynamic Host Configuration Protocol (DHCP), continue to run and respond to clients. For more information about restartable AD DS, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=85649).
After offline defragmentation completes, perform a database integrity check. The integrity command in Ntdsutil.exe detects binary-level database corruption by reading every byte in the database file. This process ensures that the correct headers exist in the database itself and that all of the tables are functioning and consistent. Therefore, depending on the size of your Ntds.dit file and the domain controller hardware, the process might take considerable time. In testing environments, the speed of 2 gigabytes (GB) per hour is considered to be typical. When you run the command, an online graph displays the percentage completed. If the database integrity check fails, you must perform semantic database analysis.
Task requirements
The following tools are required to perform the procedures for this task:
• Regedit.exe
• Windows Server Backup
• Ntdsutil.exe

To complete this task, perform the following procedures:
1. Change the Garbage Collection Logging Level to 1
2. Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin) (http://go.microsoft.com/fwlink/?LinkId=113537)
3. Compact the Directory Database File (Offline Defragmentation)
As part of the offline defragmentation procedure, check directory database integrity.
4. If the Database Integrity Check Fails, Perform Semantic Database Analysis with Fixup

Change the Garbage Collection +ogging +evel to ?
Garbage collection in Active Directory Domain Services (AD DS) is the process of removing deleted objects (tombstones) from the directory database. This process results in free disk space in the directory database. By default, this free space is not reported in Event Viewer. To see the amount of free disk space that can be made available to the file system by offline defragmentation, you can change the garbage collection logging level so that the disk space is reported in the Directory Service event log. After you change the logging level, check the Directory Service event log for Event ID 1646, which reports the amount of disk space that you can recover by performing offline defragmentation. The garbage collection logging level is an NTDS diagnostics setting in the registry. You can use this procedure to change the garbage collection logging level to 1 so that you can view Event ID 1646 in Event Viewer.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Caution The Registry Editor bypasses standard safeguards, allowing settings that can damage your system or even require you to reinstall Windows. If you must edit the registry, back up system state first. For information about backing up system state, see Introduction to Administering Active Directory Backup and Recovery.

To change the garbage collection logging level
1. Click Start, click Run, type regedit, and then press ENTER.
2. In Registry Editor, navigate to the Garbage Collection entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.
3. Double-click Garbage Collection. In the Value data box, type 1, and then click OK.
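Scripted form of this procedure, added here as an example that is not part of the guide: it sets the Garbage Collection level to 1 with PowerShell and then reads the newest Event ID 1646 from the Directory Service log. The registry path and event ID come from the guide; the number parsing assumes that the event message lists free and allocated megabytes as its first two numbers, which is a best-effort assumption.

```powershell
# Added example, not part of the guide: set the NTDS Garbage Collection diagnostics
# level to 1 and read the newest Event ID 1646 from the Directory Service log.
# Assumptions: elevated session on the domain controller; the event message is assumed
# to list the free and allocated megabytes as its first two numbers (best-effort parse).
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$valueName = 'Garbage Collection'

# Keep the current level so the change can be reverted afterwards.
$previous = (Get-ItemProperty -Path $regPath -Name $valueName).$valueName
Write-Host "Current '$valueName' level: $previous"

# Level 1 makes NTDS report the reclaimable space in Event ID 1646 after each
# garbage-collection pass (every 12 hours by default).
Set-ItemProperty -Path $regPath -Name $valueName -Value 1 -Type DWord

$event = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1646 } `
                      -MaxEvents 1 -ErrorAction SilentlyContinue
if ($null -eq $event) {
    Write-Warning 'No Event ID 1646 yet; wait for the next garbage-collection pass and query again.'
} else {
    Write-Host "Event 1646 logged at $($event.TimeCreated):"
    Write-Host $event.Message
    # Best-effort: the first two numbers in the message (assumed free MB, then allocated MB).
    $mb = [regex]::Matches($event.Message, '\d+') | ForEach-Object { [int]$_.Value }
    if ($mb.Count -ge 2) {
        Write-Host ("Offline defragmentation could return about {0} MB of {1} MB allocated." -f $mb[0], $mb[1])
    }
}

# Revert when done so the extra logging does not stay on permanently:
# Set-ItemProperty -Path $regPath -Name $valueName -Value $previous -Type DWord
```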

See Also
Compact the Directory Database File (Offline Defragmentation)

Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin)
You can use this procedure to back up system state on a domain controller. Membership in Builtin Administrators or Backup Operators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. In addition, you must have write access to the target backup location.

To perform a system state backup of a domain controller
1. Click Start, click Command Prompt, and then click Run as administrator.
2. If you are prompted, in the User Account Control dialog box, provide Backup Operator credentials, and then click OK.
3. At the command prompt, type the following command, and then press ENTER:
wbadmin start systemstatebackup -backuptarget:<targetDrive>: -quiet

Where <targetDrive> identifies the local volume or the letter of the physical disk drive to receive the backup. You cannot store a system state backup on a network shared drive. If you do not specify the -quiet parameter, you are prompted to press Y to proceed with the backup operation.

Additional considerations
Be aware of the following issues when you perform a system state backup:


• To use Wbadmin.exe, you must install Windows Server Backup. For more information about installing Windows Server Backup, see Installing Windows Server Backup (http://go.microsoft.com/fwlink/?LinkID=96498).
• The target volume for a system state backup can be a local drive, but it cannot be any of the volumes that are included in the backup by default. To store the system state backup on a volume that is included in the backup, you must add the AllowSSBToAnyVolume registry entry to the server that you are backing up. There are also some prerequisites for storing system state backup on a volume that is included in the backup. For more information, see Known Issues for AD DS Backup and Recovery (http://go.microsoft.com/fwlink/?LinkID=117940).
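Added example, not part of the guide: a PowerShell wrapper around the wbadmin command above that applies the checks the considerations call for before the backup runs (Windows Server Backup is installed, the target is a local fixed volume, and the target is not one of the volumes the system state backup already covers unless AllowSSBToAnyVolume is set). The registry location assumed for AllowSSBToAnyVolume, the use of the NTDS Parameters values to find the database and log volumes, and PowerShell 3.0 or later on the domain controller are all assumptions.

```powershell
# Added example, not part of the guide: run the wbadmin system state backup from the
# procedure above after validating the target. Assumptions: elevated PowerShell 3.0+
# on the DC; AllowSSBToAnyVolume is read from
# HKLM\SYSTEM\CurrentControlSet\Services\wbengine\SystemStateBackup (assumed location).
param([Parameter(Mandatory = $true)][string]$TargetDrive)   # e.g. 'E'

$letter = $TargetDrive.TrimEnd(':', '\').ToUpper()

# Wbadmin.exe requires the Windows Server Backup feature.
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    throw 'Windows Server Backup is not installed; add the feature first.'
}

# The target must be a local fixed disk (DriveType 3); a network share is not allowed.
$disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='${letter}:'"
if ($null -eq $disk -or $disk.DriveType -ne 3) {
    throw "${letter}: is not a local fixed volume."
}

# A system state backup covers the system volume and the volumes holding the NTDS
# database and logs; those are not valid targets unless AllowSSBToAnyVolume is set.
$ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$inBackup = @($env:SystemDrive, $ntds.'DSA Database file', $ntds.'Database log files path') |
            ForEach-Object { (Split-Path -Path $_ -Qualifier).TrimEnd(':').ToUpper() } |
            Select-Object -Unique
$allowAny = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\wbengine\SystemStateBackup' `
             -ErrorAction SilentlyContinue).AllowSSBToAnyVolume
if ($inBackup -contains $letter -and $allowAny -ne 1) {
    throw "${letter}: is part of the system state set; pick another volume or set AllowSSBToAnyVolume."
}

# Run the backup unattended (-quiet suppresses the Y/N prompt) and check the result.
& wbadmin.exe start systemstatebackup "-backupTarget:${letter}:" -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE." }
Write-Host "System state backup written to ${letter}:."
```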

Compact the Directory Database File (Offline Defragmentation)
You can use this procedure to compact the Active Directory database offline. Offline defragmentation returns free disk space in the Active Directory database to the file system. As part of the offline defragmentation procedure, check directory database integrity. Performing offline defragmentation creates a new, compacted version of the database file in a different location. This location can be either on the same computer or a network-mapped drive. However, to avoid potential problems related to network issues, it is best to perform this procedure locally, if space allows. You can use locally attached external mass storage devices, such as Universal Serial Bus (USB), IEEE 1394, and Serial Advanced Technology Attachment (SATA), to provide additional disk space for defragmentation of the database. After you compact the file to the temporary location, copy the compacted Ntds.dit file back to the original location. If space allows, maintain a copy of the original database file that you have either renamed in its current location or copied to an archival location.

Note To perform this procedure, Active Directory Domain Services (AD DS) must be offline. On domain controllers that are running Windows Server 2008, you can take AD DS offline by stopping the service. Otherwise, the domain controller must be started in Directory Services Restore Mode (DSRM). For information about stopping the AD DS service on domain controllers that are running Windows Server 2008, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=88649). For information about performing this procedure in DSRM, see Compact the directory database file (offline defragmentation) (http://go.microsoft.com/fwlink/?LinkId=88393).

Membership in Builtin Administrators, or equivalent, is the minimum required to complete this procedure. If you are compacting the database to a remote location, you must have Read and Write permissions on the destination drive and the shared folder. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Disk space

• Current database drive. Free space (on the drive that contains the Active Directory database file) equivalent to at least 15 percent of the current size of the database (Ntds.dit) for temporary storage during the index rebuild process.
• Destination database drive. Free space equivalent to at least the current size of the database for storage of the compacted database file.

Note These disk space requirements mean that if you compact the Active Directory database on a single drive, you should have free space equivalent to at least 115 percent of the space that the current Active Directory database uses on that drive.

To perform offline defragmentation of the directory database
1. Compact the database file to a local directory or remote shared folder, as follows:
• Local directory: Go to step 2.
• Remote directory: If you are compacting the database file to a shared folder on a remote computer, before you stop AD DS, prepare a shared directory on a remote server in the domain. For example, create the share \\ServerName\NTDS. Allow access to only the Builtin Administrators group. On the domain controller, map a network drive to this shared folder.

Important You should make a copy of the existing Ntds.dit file if at all possible, even if you have to store that copy on a network drive. If the compaction of the database does not work properly, you can then easily restore the database by copying back the copy of the Ntds.dit file that you made. Do not delete this copy of the Ntds.dit file until you have verified that the domain controller starts properly.

2. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue.
3. At the command prompt, type the following command, and then press ENTER:
net stop ntds

Type Y to agree to stop additional services, and then press ENTER.
4. At the command prompt, type ntdsutil, and then press ENTER.
5. At the ntdsutil: prompt, type activate instance ntds, and then press ENTER.
6. At the ntdsutil: prompt, type files, and then press ENTER.
7. If you are compacting the database to a local drive, at the file maintenance: prompt, type compact to <drive>:\<LocalDirectoryPath> (where <drive>:\<LocalDirectoryPath> is the path to a location on the local computer), and then press ENTER. If you mapped a drive to a shared folder on a remote computer, type the drive letter only, for example, compact to Q:\.

Note When you compact the database to a local drive, you must provide a path. If the path contains any spaces, enclose the entire path in quotation marks (for example, compact to "c:\new folder"). If the directory does not exist, Ntdsutil.exe creates the directory and then creates the file named Ntds.dit in that location.

8. If defragmentation completes successfully, type quit, and then press ENTER to quit the file maintenance: prompt. Type quit again, and then press ENTER to quit Ntdsutil.exe. Go to step 9. If defragmentation completes with errors, go to step 12.

Caution Do not overwrite the original Ntds.dit file or delete any log files.

9. If defragmentation succeeds with no errors, follow the Ntdsutil.exe onscreen instructions to:
a. Delete all the log files in the log directory. Type the following command, and then press ENTER:
del <drive>:\<pathToLogFiles>\*.log

Ntdsutil provides the correct path to the log files in the onscreen instructions.

Note You do not have to delete the Edb.chk file.

b. You should make a copy of the existing Ntds.dit file if at all possible, even if you have to store that copy on a secured network drive. If the compaction of the database does not work properly, you can then easily restore the database by copying it back to the original location. Do not delete the copy of the Ntds.dit file until you have at least verified that the domain controller starts properly. If space allows, you can rename the original Ntds.dit file to preserve it. Avoid overwriting the original Ntds.dit file.
c. Manually copy the compacted database file to the original location, as follows:

copy "<temporaryDrive>:\ntds.dit" "<originalDrive>:\<pathToOriginalDatabaseFile>\ntds.dit"

Ntdsutil provides the correct paths to the temporary and original locations of the Ntds.dit file.
10. At the command prompt, type ntdsutil, and then press ENTER.
11. At the ntdsutil: prompt, type files, and then press ENTER.
12. At the file maintenance: prompt, type integrity, and then press ENTER.

If the integrity check fails, the likely cause is that an error occurred during the copy operation in step 9.c. Repeat steps 9.c through step 12. If the integrity check fails again:
• Copy the original version of the Ntds.dit file that you preserved in step 9.b to the original database location and repeat the offline defragmentation procedure.
Or
• Contact Microsoft Customer Service and Support.

If errors appear when you restart AD DS:
1. Stop AD DS. At the command prompt, type the following command, and then press ENTER:
net stop ntds

Type Y to agree to stop additional services, and then press ENTER.

2. Check the errors in Event Viewer. If the following events are logged in the Directory Service log in Event Viewer when you restart AD DS, respond to the events as follows:
• Event ID 1046. "The Active Directory database engine caused an exception with the following parameters." In this case, AD DS cannot recover from this error and you must restore from backup media.
• Event ID 1168. "Internal error: An Active Directory error has occurred." In this case, information is missing from the registry and you must restore from backup media.
3. Check database integrity, and then proceed as follows: If the integrity check fails, try repeating step 9.c through step 12 above, and then repeat the integrity check. If the integrity check fails again:
• Copy the original version of the Ntds.dit file that you preserved in step 9.b to the original database location and repeat the offline defragmentation procedure.
Or
• Contact Microsoft Customer Service and Support.
If the integrity check succeeds, follow the steps in the procedure If the Database Integrity Check Fails, Perform Semantic Database Analysis with Fixup.
4. If semantic database analysis with fixup succeeds, quit Ntdsutil.exe, and then restart AD DS. At the command prompt, type the following command, and then press ENTER:
net start ntds

If semantic database analysis with fixup fails, contact Microsoft Customer Service and Support.
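The whole offline defragmentation procedure above as one PowerShell script, added here as an example that is not part of the guide. It reads the database and log locations from the NTDS Parameters key, applies the 15 percent / 115 percent free-space rule from the Disk space section, stops AD DS, runs the ntdsutil steps non-interactively (each prompt-level command passed as one argument), preserves the original Ntds.dit by renaming it, copies the compacted file back, deletes the old log files, and runs the integrity check. The success strings it matches in the ntdsutil output are assumptions, so the full output is echoed for the operator.

```powershell
# Added example, not part of the guide: offline defragmentation of Ntds.dit on a
# Windows Server 2008 or later domain controller, following the procedure above.
# Assumptions: run in an elevated PowerShell 3.0+ session on the DC, $CompactDir is a
# local path, and the ntdsutil success strings matched below are best-effort guesses.
param([string]$CompactDir = 'C:\NtdsCompact')

$ntds    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbPath  = $ntds.'DSA Database file'          # e.g. C:\Windows\NTDS\ntds.dit
$logPath = $ntds.'Database log files path'    # e.g. C:\Windows\NTDS
$dbSize  = (Get-Item -Path $dbPath).Length

function Get-FreeBytes([string]$Path) {
    # Free space on the drive that holds $Path.
    $letter = (Split-Path -Path $Path -Qualifier).TrimEnd(':')
    return (Get-PSDrive -Name $letter).Free
}

# Disk space preflight from the guide: 15 percent of the database size on the current
# drive, the full database size on the destination drive, 115 percent if they coincide.
$sameDrive = (Split-Path $dbPath -Qualifier) -eq (Split-Path $CompactDir -Qualifier)
$needHere  = if ($sameDrive) { [long]($dbSize * 1.15) } else { [long]($dbSize * 0.15) }
if ((Get-FreeBytes $dbPath) -lt $needHere) {
    throw "Need at least $([math]::Round($needHere / 1MB)) MB free on the database drive."
}
if (-not $sameDrive -and (Get-FreeBytes $CompactDir) -lt $dbSize) {
    throw "Need at least $([math]::Round($dbSize / 1MB)) MB free on the drive holding $CompactDir."
}
New-Item -ItemType Directory -Path $CompactDir -Force | Out-Null

# Step 3: take AD DS offline. /y answers the "stop dependent services" prompt.
& net.exe stop ntds /y | Out-Null
if ((Get-Service -Name NTDS).Status -ne 'Stopped') { throw 'NTDS did not stop; aborting.' }

# Steps 4-7: ntdsutil accepts each prompt-level command as a separate argument.
$out = & ntdsutil.exe 'activate instance ntds' 'files' "compact to $CompactDir" 'quit' 'quit' 2>&1 |
       ForEach-Object { "$_" }
$out | Write-Host
if (-not ($out -match 'Compaction is successful')) {   # assumed success line
    throw 'Compaction reported errors; the original database was left untouched.'
}

# Step 9: preserve the original by renaming it (the guide prefers a copy when space
# allows), copy the compacted file back, and delete the old log files. Edb.chk stays.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = "$dbPath.bak-$stamp"
Rename-Item -Path $dbPath -NewName (Split-Path $backup -Leaf)
Copy-Item -Path (Join-Path $CompactDir 'ntds.dit') -Destination $dbPath
Get-ChildItem -Path $logPath -Filter '*.log' | Remove-Item

# Steps 10-12: integrity check on the copied-back database.
$check = & ntdsutil.exe 'activate instance ntds' 'files' 'integrity' 'quit' 'quit' 2>&1 |
         ForEach-Object { "$_" }
$check | Write-Host
if ($check -match 'Integrity check successful') {      # assumed success line
    & net.exe start ntds | Out-Null
    Write-Host "Done. Original database preserved as $backup; delete it only after the DC is verified."
} else {
    Write-Warning "Integrity check failed. Leave NTDS stopped, repeat the copy from $CompactDir, and if it fails again restore $backup or run semantic database analysis with fixup."
}
```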

See Also
If the Database Integrity Check Fails, Perform Semantic Database Analysis with Fixup

If the Database Integrity Check Fails, Perform Semantic Database Analysis with Fixup
When you move or compact the Active Directory database, if the integrity check fails, you must run a subsequent database test called semantic database analysis. When you run semantic database analysis with the Go Fixup command instead of the Go command, errors are written into Dsdit.dmp.xx log files. A progress indicator reports the status of the check. You can use this procedure to perform semantic database analysis with fixup.

Note To perform this procedure, Active Directory Domain Services (AD DS) must be offline. On domain controllers that are running Windows Server 2008, you can take AD DS offline by stopping the service. Otherwise, the domain controller must be started in Directory Services Restore Mode (DSRM). For information about stopping the AD DS service on domain controllers that are running Windows Server 2008, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=88649). For information about performing this procedure in DSRM, see If database integrity check fails, perform semantic database analysis with fixup on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=121868).

Membership in Builtin Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To perform semantic database analysis with fixup
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
net stop ntds

Type Y to agree to stop additional services, and then press ENTER.
3. At the command prompt, type ntdsutil, and then press ENTER.
4. At the ntdsutil: prompt, type activate instance ntds, and then press ENTER.
5. At the ntdsutil: prompt, type semantic database analysis, and then press ENTER.
6. At the semantic checker: prompt, type verbose on, and then press ENTER.
7. At the semantic checker: prompt, type go fixup, and then press ENTER.
• If errors are reported during the semantic database analysis fixup phase, perform directory database recovery: Go to the file maintenance: prompt, type recover, and then press ENTER.
• If semantic database analysis with fixup succeeds, at the semantic checker: prompt, type quit, and then type quit again to close Ntdsutil.exe.
8. At the command prompt, type the following command, and then press ENTER:
net start ntds
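Added example, not part of the guide, that scripts the semantic database analysis procedure above together with the restart checks from the offline defragmentation procedure: it runs go fixup non-interactively, falls back to the file maintenance recover command when the fixup phase reports errors, restarts AD DS, and then queries the Directory Service log for Event ID 1046 and 1168. The error marker matched in the ntdsutil output and the location of the Dsdit.dmp.xx files are assumptions, so the full output is echoed for the operator.

```powershell
# Added example, not part of the guide: semantic database analysis with fixup, the
# recover fallback, restart of AD DS, and a check for the two fatal events the guide
# names (1046, 1168). Assumptions: elevated PowerShell 3.0+ on a Windows Server 2008
# or later DC; the 'error' marker and the Dsdit.dmp.* location are best-effort guesses.

function Invoke-Ntdsutil([string[]]$Commands) {
    # ntdsutil takes each prompt-level command as a separate argument; echo everything.
    $output = & ntdsutil.exe @Commands 2>&1 | ForEach-Object { "$_" }
    $output | Write-Host
    return $output
}

# Step 2: AD DS must be offline. /y answers the dependent-services prompt.
& net.exe stop ntds /y | Out-Null
if ((Get-Service -Name NTDS).Status -ne 'Stopped') {
    throw 'NTDS is still running; semantic database analysis requires AD DS offline.'
}

# Steps 3-7: activate instance, semantic database analysis, verbose on, go fixup.
$analysis = Invoke-Ntdsutil @('activate instance ntds', 'semantic database analysis',
                              'verbose on', 'go fixup', 'quit', 'quit')

# Fixup details are written to Dsdit.dmp.xx files (assumed: in the working directory).
Get-ChildItem -Path . -Filter 'dsdit.dmp.*' -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Host "Fixup log written: $($_.FullName) ($($_.Length) bytes)"
}

if ($analysis -match 'error') {   # assumed marker for an unsuccessful fixup phase
    Write-Warning 'Fixup reported errors; running directory database recovery (file maintenance: recover).'
    $null = Invoke-Ntdsutil @('activate instance ntds', 'files', 'recover', 'quit', 'quit')
}

# Step 8: bring AD DS back and watch for the events that mean "restore from backup".
$since = Get-Date
& net.exe start ntds | Out-Null
Start-Sleep -Seconds 30   # give the service time to log startup errors
$fatal = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1046, 1168; StartTime = $since } `
                      -ErrorAction SilentlyContinue
if ($fatal) {
    $fatal | ForEach-Object { Write-Warning "Event $($_.Id) at $($_.TimeCreated): $($_.Message)" }
    Write-Warning 'AD DS cannot recover from these errors; restore the domain controller from system state backup.'
} else {
    Write-Host 'NTDS started; no Event ID 1046 or 1168 logged since the restart.'
}
```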

Administering Domain Controllers
This guide provides information about administering Active Directory domain controllers in the Windows Server 2008 operating system.

In this guide
• Introduction to Administering Domain Controllers
• Managing Domain Controllers

Additional references
• Step-by-Step Guide for Windows Server 2008 Active Directory Domain Services Installation and Removal (http://go.microsoft.com/fwlink/?LinkId=86727)

Introduction to Administering Domain Controllers
Although installed domain controllers require little management, your overall operations environment might require change-related tasks, such as adding or removing domain controllers, including managing the preparation and shipment of domain controllers to remote sites. During your day-to-day operations, you might need to do some or all of the following:
• Install tools that you can use to administer Active Directory Domain Services (AD DS) remotely
• Install and remove AD DS to create or decommission domain controllers
• Rename domain controllers
• Add domain controllers to remote (branch) sites

Installing Remote Server Administration Tools
To manage domain controllers, you can configure a member server that is running Windows Server 2008 or a workstation that is running Windows Vista with Service Pack 1 (SP1) with the same administration tools for managing AD DS that are available on a domain controller. Administering domain controllers remotely from a member server or a workstation is more secure and more efficient than logging on to a domain controller locally. You can use Server Manager to install the Remote Server Administration Tools feature to include Active Directory Domain Services Tools.

Installing and removing AD DS
To create a new domain controller, you install AD DS on a computer that is running Windows Server 2008. Installing domain controllers to create a forest and new domains is a deployment task that you perform when you initially deploy your forest, and it is beyond the scope of this guide. However, as your forest grows, you might need to add more domain controllers to existing domains.


Adding domain controllers
You might want to add a new domain controller for the following reasons:
• Additional applications that use AD DS (Active Directory-integrated applications) might require increased capacity.
• Additional domain controllers might be needed to provide upgrades and fault tolerance and to reduce failures.
• You might add a new site where users require a domain controller for logging on to the domain.
Many improvements to the installation process are available in Windows Server 2008. For information about new Windows Server 2008 features and options, see What's New in AD DS Installation and Removal (http://go.microsoft.com/fwlink/?LinkId=103330). For information about the criteria and best practices for deploying domain controllers, see Planning Domain Controller Placement (http://go.microsoft.com/fwlink/?LinkId=120383).

Removing domain controllers
When you no longer need a server to be a domain controller, you remove AD DS from the server. The process of removing AD DS is similar to the process for installing AD DS. You run many of the same tests before you remove AD DS that you run before you install AD DS. These tests ensure that the removal process occurs without any problems. If a domain controller has a hardware failure, AD DS cannot be started, and you plan to never return that domain controller to service, you must use a procedure that forces the removal of AD DS and then take additional steps to remove the server object and its metadata from the directory.

Renaming domain controllers
You often have to rename a domain controller for organizational or administrative reasons or when the computer hardware must be replaced. Renaming a domain controller requires that Domain Name System (DNS) resource records be updated with the new IP-to-host name mappings and that service principal names (SPNs) replicate to all domain controllers in the domain.

Adding domain controllers to branch sites
If enough directory users are employed in a branch office, especially in a site that has slow connectivity to the hub site, you might have to add a domain controller to the site to provide directory access for logons and searches. In Windows Server 2008, you have the option to deploy read-only domain controllers (RODCs). An RODC is an additional domain controller that hosts read-only directory partitions of the Active Directory database. An RODC is primarily designed to be deployed in a branch office environment. Branch offices typically have relatively few users, poor physical security, relatively poor network bandwidth to a hub site, and little local information technology (IT) expertise. RODCs receive replication updates from the hub site, but they do not accept manual updates to AD DS and they do not replicate directory updates to other domain controllers. Therefore, although security precautions should be maintained, the stringent security measures that apply to protecting a writable domain controller are lessened. In addition, elevated administrative credentials are not required to install and manage the RODC. The information in this guide is specific to managing writable domain controllers. For information about managing RODCs, see Planning and Deploying Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=120840).

When you are creating a new branch site, a local domain controller is not available to be the source for Active Directory replication. If the wide area network (WAN) connection with the closest hub site is slow or unreliable, replicating AD DS can be time consuming and might fail if the connection is lost. When you deploy the first domain controller in a branch site, if you want to avoid replicating AD DS, you have the following options:
• Install the domain controller in the hub site, and then ship the installed domain controller to the site.
• Ship the server computer to the branch site, and then install AD DS in the branch site. When you install the domain controller in the branch site, the server can receive AD DS in one of two ways:
• By Active Directory replication over a WAN link
• Directly from locally available installation media

Installing from media
Installation from media (IFM) eliminates the use of replication to create the Active Directory domain, configuration, and schema directory partition replicas on the new domain controller. Assuming that the remote site is connected to a hub site by a WAN link and that the remote site does not contain a domain controller for the domain, you might want to avoid the additional time and the performance impact of replicating the full contents of AD DS over the WAN link when you add the new domain controller to the remote site. In this case, you can use IFM to install AD DS. On a domain controller that is running Windows Server 2003, installation media must be created by backing up system state and restoring the backup file to a location either on the server you are installing or on removable media. The IFM process is improved in Windows Server 2008, eliminating the necessity of using the backup and restore process to create the installation media. On a domain controller that is running Windows Server 2008, you can use the Ntdsutil command-line tool to create the installation media. Then, you can use the Active Directory Domain Services Installation Wizard (Dcpromo.exe) to install AD DS from the installation media. If you want to use Ntdsutil to create the installation media to install a domain controller, both the source of the media and the target server that is to be promoted to a domain controller must be running Windows Server 2008. In addition, the operating system of the source of the backup and the target server must be the same. For example, you cannot install AD DS on a server that is running Windows Server 2003 using installation media that is created on a domain controller that is running Windows Server 2008. An improvement in the requirements for Windows Server 2008 domain controllers over the requirements for Windows Server 2003 domain controllers is that the hardware platform (32-bit or 64-bit) of the two computers does not have to match.

Although information in this guide is specific to installing writable domain controllers in branch office sites, in Windows Server 2008 forests, RODCs are the recommended domain controller installation for branch office sites. For information about using IFM to install RODCs, see Planning and Deploying Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=120840).

Shipping installed domain controllers to branch sites
Shipping an existing domain controller requires removing it from the replication topology for what may be an extended period. Preparation is required to ensure a smooth transition when the domain controller restarts in the branch site. For example, you must be sure that the domain controller does not hold any operations master (also known as flexible single master operations or FSMO) roles and that replication is updated immediately before you disconnect the domain controller.

Managing Domain Controllers
The tasks that are described in this objective apply to the installation and management of Active Directory Domain Services (AD DS) on writable domain controllers. For information about installing and managing read-only domain controllers (RODCs), see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728) and Planning and Deploying Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=120840). The tasks that are described in this objective will help you do the following:
• Install Remote Server Administration Tools (RSAT) on a member server that is running Windows Server 2008 or on a client computer that is running Windows Vista with Service Pack 1 (SP1). RSAT include a selection for Active Directory Domain Services Tools. You can install these tools on a non-domain-controller computer in the domain and then use this computer to manage domain controllers remotely.
• Manage antivirus software. Antivirus software provides important safeguards. However, installation on a domain controller requires care to ensure that domain controller performance is not affected.
• Prepare for Active Directory installation. Proper preparation decreases the chances of problems occurring during and after the installation.
• Install an additional domain controller in an existing domain. This task involves preparation steps of gathering information and configuring the TCP/IP and Domain Name System (DNS) client settings. You can use the following methods to install Active Directory Domain Services (AD DS) on a server to create an additional domain controller in an existing domain:
• Run the Active Directory Domain Services Installation Wizard, and use Active Directory replication to create the Active Directory replica and either the File Replication Service (FRS) or Distributed File System (DFS) Replication to create the SYSVOL replicas.

• Run the Active Directory Domain Services Installation Wizard, and use installation from media (IFM) to create the Active Directory replica.

Note By default, SYSVOL is created on the new domain controller by replication from a source domain controller. It does not come from the installation media. Obtaining SYSVOL from installation media requires additional procedures. For information about the process for configuring the server to obtain SYSVOL from installation media, see article 311078 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=70809).

• Run the Active Directory Domain Services Installation Wizard, and use an answer file to provide the information that the Active Directory Domain Services Installation Wizard requires. You can create an answer file by using the Export feature in the Active Directory Domain Services Installation Wizard during domain controller installation.
• Verify installation. Perform tests to verify that AD DS is properly installed and the domain controller is functioning.
• Add domain controllers to remote sites. When you prepare and ship an additional domain controller to a remote site, you can either install the domain controller before shipping or install the domain controller in the remote site. This process is different if you are installing an RODC. For information about installing RODCs in remote sites, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).
• When you install a domain controller in a hub site or staging site before shipment, you must disconnect the domain controller for a period, which requires careful preparation. When you reconnect the domain controller, Active Directory replication brings the domain controller up to date.
• When you install the domain controller in the remote site, you can use installation media that is prepared from an existing domain controller to avoid having to replicate AD DS over a wide area network (WAN) link.
• Rename a domain controller. You may have to rename a domain controller for organizational or administrative reasons.
• Remove AD DS from (decommission) a properly functioning domain controller. This task includes first transferring operations master roles (also known as flexible single-master operation (FSMO) roles) and the global catalog, if necessary.
• Force the removal of a nonfunctioning domain controller from a domain. If a domain controller is not functioning properly on the network, the Active Directory Domain Services Installation Wizard cannot contact other domain controllers and DNS servers that are required for Active Directory removal. In this case, you can invoke a special version of the wizard to forcefully remove objects from AD DS that represent the server as a domain controller.
This section includes the following tasks for managing domain controllers:
• Installing Remote Server Administration Tools for AD DS
• Managing Antivirus Software on Active Directory Domain Controllers

• Preparing for Active Directory Installation
• Installing a Domain Controller in an Existing Domain
• Verifying Active Directory Installation
• Adding Domain Controllers in Remote Sites
• Renaming a Domain Controller
• Decommissioning a Domain Controller
• Forcing the Removal of a Domain Controller

Installing Remote Server Administration Tools for AD DS
When you install Active Directory Domain Services (AD DS) to create a domain controller, the administrative tools that you use to manage AD DS are installed automatically. If you want to manage domain controllers remotely from a computer that is not a domain controller, you can install the administrative tools on a member server that is running Windows Server 2008 or on a computer that is running Windows Vista with Service Pack 1 (SP1). On member servers that are running Windows Server 2008, you use the Remote Server Administration Tools (RSAT) feature in Server Manager to install Active Directory Domain Services Tools. RSAT replaces Windows Support Tools and Adminpak.msi that are used with Windows Server 2003. You can also install Active Directory Domain Services Tools on a computer that is running Windows Vista with Service Pack 1 (SP1) by downloading the tools.

Installing Active Directory Domain Services Tools on a member server that is running Windows Server 2008
You can use the following procedure to add the Active Directory Domain Services Tools component of RSAT to a member server. Membership in Builtin Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To install Active Directory Domain Services Tools on a member server
1. On the Start menu, click Server Manager.
2. Under Features Summary, click Add Features.
3. Double-click Remote Server Administration Tools, double-click Role Administration Tools, double-click Active Directory Domain Services Tools, and then click Next.


4. Click Install.
5. Click the message that indicates you must restart the server, and then click Yes to restart the server or click No to restart the server later.
6. After the server restarts, on the Installation Results page of the Resume Configuration Wizard, click Close. The Active Directory Domain Services Administration Tools are available on the Administrative Tools menu.

Installing Active Directory Domain Services Tools on a computer that is running Windows Vista with SP1
For information about adding the Active Directory Domain Services Tools component of RSAT to a client computer that is running Windows Vista with SP1, and to download the tools, see Microsoft Remote Server Administration Tools for Windows Vista (KB941314) (http://go.microsoft.com/fwlink/?LinkId=98703). On the download page, under Quick Details, click KB941314. Use the information and the links in the article to download the tools and select the tools that you want to install on the Windows Vista workstation.

Managing Antivirus Software on Active Directory Domain Controllers
Because domain controllers provide critical services to their clients, it is crucial to minimize the risk of any disruption of these services that may be caused by malicious code. You can generally use antivirus software to mitigate the risk of malicious code. However, installing antivirus software (from any vendor) on a domain controller and configuring it to scan everything is not a reliable or recommended solution because the antivirus software may interfere with domain controller performance. Specifically, the scanning procedures that most antivirus applications use require exclusive locks on files. In many cases, these locks can interfere with the real-time data replication that domain controllers use to stay synchronized with the rest of the network. The antivirus software that you use must be compatible with Windows operating systems in general and domain controllers in particular. Antivirus software must be installed in a manner that protects against attacks as much as possible while not interfering with domain controller performance. For example, antivirus software must be able to scan Distributed File System (DFS) files that are replicated by File Replication Service (FRS) or DFS Replication in a way that does not initiate full synchronization of files and folders in SYSVOL or of DFS roots and links. An antivirus vendor should provide specific instructions to correctly configure their product to work with domain controllers that are running versions of Windows Server and that have Active Directory Domain Services (AD DS) installed.

Note
We cannot guarantee the interoperability of any antivirus software with DFS Replication, including any tests recommended in this guide. The need for extensive testing can be avoided completely by asking your antivirus software vendor to disclose their tested interoperability with DFS Replication. Vendors that have tested their software are happy to stand by their products. For a list of antivirus software vendors, see article 49500 in the Microsoft Knowledge Base.

Guidelines for managing antivirus software on Active Directory domain controllers
Follow the guidelines from your antivirus software vendor. Verify that the antivirus software you select is confirmed to be compatible with your domain controllers. Test your chosen antivirus software solution thoroughly in a lab environment to ensure that the software does not compromise the stability of your system. Antivirus software has been known to cause blue screens on domain controllers. Before you install antivirus software or an update to that software on domain controllers in a domain, test lab domain controllers for the following issues:
• Stability issues
• Memory leaks
• High CPU usage
• Interruptions or failure of inbound and outbound replication

The following recommendations are general and should not be construed as more important than the specific recommendations of your antivirus software vendor. These guidelines must be followed for correct Active Directory file replication operation:
• Antivirus software must be installed on all domain controllers in the enterprise. Ideally, such software should also be installed on all other server and client computers that have to interact with the domain controllers. Catching the virus at the earliest point, at the firewall or at the client computer on which the virus is first introduced, is the best way to prevent the virus from ever reaching the infrastructure systems on which all client computers depend.
• Use a version of antivirus software that is confirmed to work with AD DS and that uses the correct application programming interfaces (APIs) for accessing files on the server. Some versions of antivirus software inappropriately modify file metadata as it is scanned, causing the FRS replication engine to perceive a file as having changed and to schedule it for replication. Some newer versions of antivirus software prevent this problem. For more information about antivirus software versions and FRS, see article 815263 in the Microsoft Knowledge Base, and see the vendor-specific sites for compliant versions. Verify antivirus compatibility with DFS Replication, as described in Testing Antivirus Application Interoperability with DFS Replication.

Note
If you are using Forefront Client Security, see the Microsoft Knowledge Base article for the hotfix (http://go.microsoft.com/fwlink/?LinkId=131409).
• Prevent the use of domain controller systems as general workstations. Users should not use a domain controller to surf the Web or to perform any other activities that can allow the introduction of malicious code. Allow browsing of known safe sites only for the purpose of supporting server operation and maintenance.
• When possible, do not use a domain controller as a file sharing server. Virus scanning software must be run against all files in the shared folders, and it can place a large resource load on the processor and memory resources of the server. For the same reason, the SYSVOL and Netlogon shares that are automatically created on domain controllers should not be used to distribute software or to store data.

Files to exclude from scanning
Exclude the following files and folders from your antivirus scanning operations. These files are not at risk of infection, and including them can cause serious performance problems or loss of functionality as a result of file locking and excessive replication between domain controllers. Furthermore, scanning these files may cause AD DS, FRS, and DFS Replication to work improperly, possibly causing data loss. Where a specific set of files is identified by name, exclude only those files rather than the entire folder. In some cases, you must exclude the entire folder. Do not exclude any files that you think are not at risk based only on the file name extension. (For example, do not exclude all files with a .dit extension.) Microsoft has no control over other files that might use the same file name extension as the files shown here. Antivirus software must not modify any data files in the logs, database, or directory service working directories that are specified below.

Active Directory and related files to exclude
• Main NTDS database files. The location of these files is specified in:
HKLM\System\Services\NTDS\Parameters\DSA Database File
The default location is %systemroot%\ntds. File to exclude:
• Ntds.dit
• Active Directory transaction log files. The log directory on any given server is specified in:
HKLM\System\Services\NTDS\Parameters\Database Log Files Path
The default location is %systemroot%\ntds. Files to exclude:
• EDB*.log (Notice the wildcard symbol; there can be several log files.)
• Edbres00001.jrs
• Edbres00001.jrs
• The NTDS Working folder that is specified in:
HKLM\System\Services\NTDS\Parameters\DSA Working Directory
Files to exclude:
• TEMP.edb
• EDB.chk

SYSVOL files to exclude
The list in the following table shows the default locations of files and folders to be excluded or scanned for the SYSVOL directory and subdirectories when you use FRS to replicate SYSVOL.

Folder or File                                                              Scan or Exclude
%systemroot%\SYSVOL                                                         Exclude
%systemroot%\SYSVOL\domain                                                  Scan
%systemroot%\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory         Exclude
%systemroot%\SYSVOL\domain\policies                                         Scan
%systemroot%\SYSVOL\domain\scripts                                          Scan
%systemroot%\SYSVOL\staging                                                 Exclude
%systemroot%\SYSVOL\staging areas                                           Exclude
%systemroot%\SYSVOL\sysvol                                                  Exclude

FRS and related files to exclude
• The FRS working directory that is specified in:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory
Files to exclude:
• <FRS working directory>\jet\sys\edb.chk
• <FRS working directory>\jet\ntfrs.jdb
• <FRS Working Directory>\jet\log\*.log
• The FRS database log files that are specified in:
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\DB Log File Directory
The default location is %systemroot%\ntds. Files to exclude:
• <FRS working directory>\jet\log\*.log (if the registry entry is not set)
• <Database log file directory>\log\*.log (if the registry entry is set)
• FRS Replica_root files that are specified in:
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Root
• The staging directory in:
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage
• The FRS Preinstall directory at:
<Replica_root>\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
The Preinstall directory is always open when FRS is running.

DFS Replication and related files to exclude
• System Volume Information\DFSR folders and their contents (includes DFSR.DB). This system-protected directory contains working files for the DFS Replication service. It should not be scanned because these files are always in use by the service.
• <Replicated folder path>\dfsrprivate folders and their contents

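The exclusion list above is keyed to registry values rather than to fixed paths, because an administrator may have relocated the database, logs, or working directories. The following PowerShell function, an added example that is not part of this guide, reads those registry values on the domain controller and builds the exclusion list from them, covering the NTDS files, the FRS entries (when FRS is present), and the DFS Replication working folder. Handing the result to Add-MpPreference (Windows Defender) is an illustration only; other antivirus products have their own exclusion mechanism. The Edbres*.jrs wildcard generalizes the numbered reserve log names listed above.

```powershell
# Added example, not from the guide: derive the AD DS and FRS antivirus
# exclusion list from the registry values the guide names instead of
# assuming the %systemroot%\ntds defaults. Run on the domain controller.
# Applying the list with Add-MpPreference (Windows Defender) is an
# assumption for illustration; other products use their own mechanism.
function Get-AdDsAntivirusExclusion {
    [CmdletBinding()]
    param([switch]$Apply)   # -Apply: hand the list to Add-MpPreference

    # CurrentControlSet is the live control set that the guide's
    # HKLM\System\Services shorthand refers to.
    $ntdsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $ntfrsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
    $list = New-Object System.Collections.Generic.List[string]

    $ntds = Get-ItemProperty -Path $ntdsKey -ErrorAction Stop

    # Main database: exclude the single file, never its whole folder.
    if ($ntds.'DSA Database File') { $list.Add($ntds.'DSA Database File') }

    # Transaction logs: EDB*.log plus the reserve logs (Edbres*.jrs).
    $logPath = $ntds.'Database log files path'
    if ($logPath) {
        foreach ($n in 'EDB*.log', 'Edbres*.jrs') { $list.Add((Join-Path $logPath $n)) }
    }

    # Working directory: TEMP.edb and the checkpoint file EDB.chk.
    $workDir = $ntds.'DSA Working Directory'
    if ($workDir) {
        foreach ($n in 'TEMP.edb', 'EDB.chk') { $list.Add((Join-Path $workDir $n)) }
    }

    # FRS entries only matter while SYSVOL is still replicated by FRS.
    if (Test-Path $ntfrsKey) {
        $frs = Get-ItemProperty -Path $ntfrsKey
        $frsWork = $frs.'Working Directory'
        if ($frsWork) {
            foreach ($n in 'jet\sys\edb.chk', 'jet\ntfrs.jdb', 'jet\log\*.log') {
                $list.Add((Join-Path $frsWork $n))
            }
        }
        # DB Log File Directory, when set, replaces <working dir>\jet\log.
        if ($frs.'DB Log File Directory') {
            $list.Add((Join-Path $frs.'DB Log File Directory' 'log\*.log'))
        }
        # Staging directory and PreInstall directory of every replica set.
        $sets = Join-Path $ntfrsKey 'Replica Sets'
        if (Test-Path $sets) {
            foreach ($set in Get-ChildItem -Path $sets) {
                $rs = Get-ItemProperty -Path $set.PSPath
                if ($rs.'Replica Set Stage') { $list.Add($rs.'Replica Set Stage') }
                if ($rs.'Replica Set Root') {
                    $list.Add((Join-Path $rs.'Replica Set Root' 'DO_NOT_REMOVE_NtFrs_PreInstall_Directory'))
                }
            }
        }
    }

    # DFS Replication keeps its database under System Volume Information on
    # each volume that hosts a replicated folder; the system drive is the
    # minimum for SYSVOL. Add other volumes as your layout requires.
    $list.Add((Join-Path $env:SystemDrive 'System Volume Information\DFSR'))

    $unique = @($list | Sort-Object -Unique)
    if ($Apply) { Add-MpPreference -ExclusionPath $unique }
    return $unique
}

# Print the list for review; run with -Apply only after checking it.
Get-AdDsAntivirusExclusion
```

Review the printed list against the vendor's own guidance before applying it, and keep the SYSVOL\domain, policies, and scripts folders in the scan set as the table above requires; the function deliberately excludes only the named files, staging, and PreInstall locations.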
Preparing for Active Directory Installation
Properly preparing for the installation of Active Directory Domain Services (AD DS) decreases the chances of problems occurring during the installation process and helps you complete the installation quickly. There are a number of requirements for installing AD DS on a new domain controller in an existing domain. Preparation includes configuring DNS and gathering information that you need for the installation. This section describes general requirements with respect to Domain Name System (DNS) configuration, placement of the domain controller in a site, and connectivity for the Active Directory Domain Services Installation Wizard. After you have gathered all the information that you need to run the Active Directory Domain Services Installation Wizard and you have performed the tests to verify that all the necessary domain controllers are available, you are ready to install AD DS on your server and create an additional domain controller in your domain.

DNS configuration
The DNS Client service is always present on a server running Windows Server 2008. A DNS server must be present in an Active Directory forest, and the DNS server must store DNS data for the server computer that you are installing. You should configure both the DNS client and the DNS server to ensure that name resolution and related dependencies will function as expected during the installation of AD DS. For ease of administration, install the DNS Server service when you install AD DS. When you use the Active Directory Domain Services Installation Wizard to install the DNS Server service, DNS zones, zone delegations, root hints or forwarders, and DNS client settings are configured automatically.

Ensure that any required configuration, forwarders, or zones are present and accessible before installation. For more information about DNS configuration in preparation for domain controller installation, see Integrating AD DS into an Existing DNS Infrastructure.

Site placement
During Active Directory installation, the Active Directory Domain Services Installation Wizard attempts to place the new domain controller in the appropriate site. You can select a source replication partner, the site for the new domain controller, or both when you use the wizard to install AD DS. The appropriate site is determined by the domain controller's IP address and subnet mask. The wizard uses the IP information to calculate the subnet address of the domain controller. The wizard then checks to see if a subnet object exists in the directory for that subnet address. If the subnet object exists, the wizard uses it to place the new server object in the appropriate site. If the subnet object does not exist and you do not specify a site, the wizard places the new server object in the same site as the domain controller that is being used as a source to replicate the directory database to the new domain controller. Make sure that the subnet object has been created and that it is associated with the target site before you run the wizard. For information about creating a subnet and associating it with a site, see Create a Subnet Object or Objects and Associate them with a Site.

Domain connectivity
During the installation process, the Active Directory Domain Services Installation Wizard must communicate with other domain controllers to join the new domain controller to the domain. The wizard must communicate with a member of the domain to receive the initial copy of the directory database for the new domain controller. The wizard communicates with the domain controller that holds the domain naming operations master (also known as flexible single master operations or FSMO) role for domain installations only, so that the new domain controller can be added to the domain. The wizard must also contact the relative ID (RID) operations master so that the new domain controller can receive its RID pool, and the wizard must communicate with another domain controller in the domain to populate the SYSVOL shared folder on the new domain controller. All of this communication depends on proper DNS installation and configuration. By using Dcdiag.exe, you can test all of these connections before you start the Active Directory Domain Services Installation Wizard.

Task requirements
During the installation process, the wizard must communicate with other domain controllers to add this new domain controller to the domain and get the appropriate information into the Active Directory database. To maintain security, you must provide credentials that allow administrative access to the directory. Before you begin your installation, the following conditions must exist in your environment:
• Your Active Directory forest root domain must already exist.
• If you are installing a new domain controller in a child domain, there should be at least two properly functioning domain controllers in the forest root domain.
• DNS must be functioning properly. In this guide, it is assumed that you are using Active Directory-integrated DNS zones. You must have configured at least one domain controller as a DNS server.
Creating or removing a domain or forest is beyond the scope of this guide.

The following information and tools are necessary to complete this task:
• The Active Directory Domain Services Installation Wizard asks for the following specific configuration information before it begins installing AD DS:
• A domain administrator's user name and password
• A location to store the directory database and log files
• A location to store SYSVOL
• The password to use for Directory Services Restore Mode (DSRM)
• The fully qualified DNS name of the domain to which the new domain controller will be added
• Dcdiag.exe
• Network Connections
• Active Directory Sites and Services

To complete this task, perform the following procedures:
1. Verify DNS Infrastructure and Registrations
2. Verify That an IP Address Maps to a Subnet and Determine the Site Association
3. Verify the Availability of the Operations Masters
Caution
If any verification test fails, do not continue until you determine what went wrong and you fix the problems. If one or more of these tests fail, the installation of AD DS is also likely to fail.

Verify DNS Infrastructure and Registrations
You can use this procedure to verify that the existing Domain Name System (DNS) infrastructure is sufficient for installing Active Directory Domain Services (AD DS) on the installation computer in the specified domain. This test reports whether any modifications to the existing DNS infrastructure are required so that the server can dynamically register DNS records that are required for the location of the domain controller by other devices on the network. Although the Active Directory Domain Services Installation Wizard presents a warning message during Active Directory installation if it encounters DNS registration errors, failure of this test does not prevent you from running the wizard. However, failed DNS registrations will prevent the domain controller from functioning properly on the network. Therefore, resolve any problems that this test reports before you install AD DS.

Because all Dcdiag tests include a connectivity test, this procedure also tests TCP/IP connectivity. To complete this procedure, you must have Dcdiag.exe installed on the server. During the initial part of the installation of AD DS, you use Server Manager to add the Active Directory Domain Services server role. This part of the installation procedure installs the Dcdiag.exe command line tool. The second part of the installation process, running Dcpromo.exe, actually installs AD DS. Perform the Dcdiag test procedure after you add the Active Directory Domain Services server role but before you run Dcpromo.exe.
Note
If you do not want to install the Active Directory Domain Services server role at this time, you can install the Active Directory Domain Services Administration Tools, which include Dcdiag.exe, by using Add Features in Server Manager. For information about using Add Features to install the Active Directory Domain Services Administration Tools, see Installing Remote Server Administration Tools for AD DS.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To verify the DNS infrastructure and registrations
1. If you do not want to install AD DS at this time but you want to perform DNS verification tests, install the Active Directory Domain Services Administrative Tools, as described in Installing Remote Server Administration Tools for AD DS, and then go to step 9.
2. If you want to install Dcdiag.exe during the installation of AD DS and run the DNS test before you run Dcpromo.exe, click Start, and then click Server Manager.
3. In Roles Summary, click Add Roles.
4. Review the information on the Before You Begin page, and then click Next.
5. On the Select Server Roles page, click Active Directory Domain Services, and then click Next.
6. Review the information on the Active Directory Domain Services page, and then click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Installation Results page, do not click Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe). First, perform steps 9 and 10. When you have completed the Dcpromo test successfully, return to the Installation Results page and continue with the installation of the Active Directory Domain Services server role.
9. Open a Command Prompt window as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
10. At the command prompt, type the following command, and then press ENTER:

dcdiag /test:dcpromo /DnsDomain:<DNSDomainName> /ReplicaDC

where <DNSDomainName> is the DNS name of the domain, in the form <DomainName.ForestName>, in which you want to add a domain controller.
11. If the server does not pass the Dcpromo test, fix the reported problems before you continue with the installation of AD DS.

Verify That an IP Address Maps to a Subnet and Determine the Site Association
You can use this procedure to determine the site to which you want to add a server object before you install Active Directory Domain Services (AD DS). You can also use this procedure to verify the site after you install AD DS or before you move a server object. To be associated with a site, the IP address of a domain controller must map to a subnet object that is defined in AD DS. The site to which the subnet is associated is the site of the domain controller. The subnet address, which is computed from the IP network address and the subnet mask, is the name of a subnet object in AD DS. When you know the subnet address, you can locate the subnet object and determine the site to which the subnet is associated.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To verify that an IP address maps to a subnet and to determine the site association
1. Log on locally or open a Remote Desktop connection to the server for which you want to check the IP address.
2. In Server Manager, click View Network Connections.
3. Right-click the connection that represents the connection the server or domain controller uses to attach to the network, and then click Properties.
4. In the Connection Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4) or Internet Protocol Version 6 (TCP/IPv6).
5. Use an IP subnet calculator and the values in IP address and Subnet mask to calculate the subnet address, and then click OK twice.
6. Open the Active Directory Sites and Services snap-in: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
7. Expand the Sites container, and then click the Subnets container.
8. In the Name column in the details pane, find the subnet object that matches the subnet address for the server or domain controller.
9. In the Site column, note the site to which the IP subnet address is associated. If the site that appears in the Site column is not the appropriate site, contact a site administrator and find out whether the IP address is incorrect or whether you should move the server object to the site that is indicated by the subnet-to-site association.

See Also
Move a Server Object to a New Site
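Steps 5 through 9 of this procedure can be carried out as one check. The following PowerShell code is an added example, not part of this guide: it computes the subnet address from an IP address and mask, as the subnet-calculator step does, then reads the matching subnet object from the Subnets container of the Configuration partition and returns its site. It uses only System.DirectoryServices (the [adsi] and DirectorySearcher types), so it runs on any domain-joined computer without the Active Directory PowerShell module. The sample address and mask in the final call are constructed values.

```powershell
# Added example, not from the guide: subnet address calculation plus the
# Subnets-container lookup described in the procedure above. Uses only
# System.DirectoryServices, available on any domain-joined machine.
function Get-SubnetAddress {
    param(
        [Parameter(Mandatory = $true)][string]$IPAddress,
        [Parameter(Mandatory = $true)][string]$SubnetMask
    )
    $ip   = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $mask = [System.Net.IPAddress]::Parse($SubnetMask).GetAddressBytes()
    if ($ip.Length -ne $mask.Length) { throw 'Address and mask are not the same IP version.' }

    # Network address: bitwise AND of address and mask, one byte at a time.
    $net = New-Object byte[] $ip.Length
    for ($i = 0; $i -lt $ip.Length; $i++) { $net[$i] = $ip[$i] -band $mask[$i] }

    # Prefix length: the number of leading one bits. A mask whose ones are
    # not contiguous is a typo and would never match a subnet object.
    $bits = ($mask | ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') }) -join ''
    if ($bits -notmatch '^1*0*$') { throw "Subnet mask $SubnetMask is not contiguous." }
    $prefix = ($bits -replace '0', '').Length

    # AD names subnet objects exactly this way, for example 10.0.1.0/24.
    $netAddress = New-Object System.Net.IPAddress -ArgumentList (,$net)
    return '{0}/{1}' -f $netAddress.IPAddressToString, $prefix
}

function Get-SiteForAddress {
    param(
        [Parameter(Mandatory = $true)][string]$IPAddress,
        [Parameter(Mandatory = $true)][string]$SubnetMask
    )
    $subnet = Get-SubnetAddress -IPAddress $IPAddress -SubnetMask $SubnetMask
    $config = [string]([adsi]'LDAP://RootDSE').configurationNamingContext

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]"LDAP://CN=Subnets,CN=Sites,$config"
    $searcher.Filter = "(&(objectClass=subnet)(cn=$subnet))"
    [void]$searcher.PropertiesToLoad.Add('siteObject')
    $found = $searcher.FindOne()

    if ($null -eq $found -or $found.Properties['siteobject'].Count -eq 0) {
        # No subnet object, or one not yet associated with a site: the
        # wizard then falls back to the source domain controller's site.
        return [pscustomobject]@{ Subnet = $subnet; Site = $null; SiteDN = $null }
    }
    $siteDn = [string]$found.Properties['siteobject'][0]
    # The site name is the leading RDN of the siteObject distinguished name.
    [pscustomobject]@{
        Subnet = $subnet
        Site   = ($siteDn -split ',')[0] -replace '^CN=', ''
        SiteDN = $siteDn
    }
}

# Constructed sample values; compare the Site column with the value shown
# in Active Directory Sites and Services for the same subnet object.
Get-SiteForAddress -IPAddress '10.0.1.25' -SubnetMask '255.255.255.0'
```

A $null Site in the result is the condition described under Site placement: create the subnet object and associate it with the intended site before running the wizard, otherwise the new server object lands in the source domain controller's site.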

Verify the Availability of the Operations Masters
You can use this procedure to verify that the domain controllers that hold the operations master (also known as flexible single master operations or FSMO) roles can be located and that they are online and responding. You can use the tests in this procedure before you install Active Directory Domain Services (AD DS) as well as afterward. However, if you perform this procedure before you install AD DS, you must do the following:
• First, use Server Manager to add the Active Directory Domain Services server role. This part of the installation procedure installs the Dcdiag.exe command line tool. Perform this procedure after you add the server role but before you run Dcpromo.exe.
• Use the /s command option to indicate the name of an existing domain controller in the domain of the new domain controller. This domain controller is required to verify the ability of the server to connect to operations master role holders in the domain and forest.
You do not have to use the /s option if you perform the test in this procedure after you install AD DS. The test automatically runs on the local domain controller where you are performing the test. The commands in this procedure show the /s option. If you are performing this test after you install AD DS, omit the /s option. For a more detailed response from this command, you can use the verbose option by adding /v to the end of the command.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To verify the availability of the operations masters
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command to ensure that the operations masters can be located, and then press ENTER:

dcdiag /s:<DomainControllerName> /test:knowsofroleholders /v

where <DomainControllerName> is the name of an existing domain controller in the domain in which you want to add the new domain controller. The verbose option provides a detailed list of the operations masters that were tested. Near the bottom of the screen, a message confirms that the test succeeded. If you use the verbose option, look carefully at the bottom part of the displayed output. The test confirmation message appears immediately after the list of operations masters.
3. Type the following command to ensure that the operations masters are functioning properly and available on the network, and then press ENTER:

dcdiag /s:<DomainControllerName> /test:fsmocheck

where <DomainControllerName> is the name of a domain controller in the domain in which you want to add the new domain controller. The verbose option provides a detailed list of the operations masters that were tested as well as other important servers, such as global catalog servers and time servers. Near the bottom of your screen, a message confirms that the test succeeded.
If these tests fail, do not attempt any additional steps until you fix the problem that prevents the location of operations masters and you can verify that they are functioning properly.
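The three Dcdiag commands from the two verification procedures above (the DcPromo DNS test, KnowsOfRoleHolders, and FsmoCheck) are usually run together before Dcpromo. The following PowerShell function is an added example, not part of this guide: it runs all three, captures each result, and reports pass or fail so the Caution at the start of this task (stop on any failure) can be enforced in one place. It assumes dcdiag.exe is on the path, as it is after the AD DS role or administration tools are installed, and that Dcdiag reports results with its "passed test" and "failed test" lines; the domain and domain controller names in the final call are constructed values.

```powershell
# Added example, not from the guide: run the three Dcdiag tests the
# preparation procedures describe and report each result. Assumes
# dcdiag.exe is on the path and marks results with "passed test" or
# "failed test" lines, as it does on Windows Server 2008.
function Test-AdDsPreinstall {
    param(
        [Parameter(Mandatory = $true)][string]$DnsDomainName,  # e.g. corp.example.com
        [string]$SourceDc,   # existing DC for /s; omit after AD DS is installed
        [switch]$Detailed    # add /v to the FSMO location test
    )
    $scope = if ($SourceDc) { "/s:$SourceDc" }
    $vflag = if ($Detailed) { '/v' }

    $checks = @(
        @{ Name = 'DcPromo';            ArgList = @('/test:dcpromo', "/DnsDomain:$DnsDomainName", '/ReplicaDC') }
        @{ Name = 'KnowsOfRoleHolders'; ArgList = @($scope, '/test:knowsofroleholders', $vflag) }
        @{ Name = 'FsmoCheck';          ArgList = @($scope, '/test:fsmocheck') }
    )

    foreach ($check in $checks) {
        $argList = @($check.ArgList | Where-Object { $_ })   # drop options left unset
        $output  = & dcdiag.exe @argList 2>&1 | Out-String
        $exit    = $LASTEXITCODE
        # A test passes only if Dcdiag printed a "passed test" line and no
        # "failed test" line; a run that printed neither is not trusted.
        $passed = ($output -match 'passed test') -and ($output -notmatch 'failed test')
        [pscustomobject]@{
            Test     = $check.Name
            Command  = "dcdiag $($argList -join ' ')"
            Passed   = $passed
            ExitCode = $exit
            Output   = $output
        }
    }
}

# Constructed values. Stop before Dcpromo if any test failed, as the
# Caution in the task requirements directs.
$results = Test-AdDsPreinstall -DnsDomainName 'corp.example.com' -SourceDc 'DC01' -Detailed
$results | Format-Table Test, Passed, ExitCode -AutoSize
foreach ($r in $results | Where-Object { -not $_.Passed }) {
    Write-Warning "$($r.Test) did not pass; review its output before running Dcpromo."
    $r.Output
}
```

Keep the full Output property when a test fails: for the DcPromo test it contains the specific DNS registration or delegation problem, and for the FSMO tests the verbose list shows which role holder could not be reached.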

Installing a Domain Controller in an Existing Domain
This section describes methods for installing Active Directory Domain Services (AD DS) onto a Windows Server 2008 server that will become a domain controller in an existing Active Directory domain. The procedures in this section provide instructions for installing AD DS by using replication to create the new domain controller or by using installation media. By using the installation from media (IFM) method, you can avoid replicating AD DS over the network.
Note
This section describes methods for installing writable domain controllers. For information about installing read-only domain controllers (RODCs), see the Step-by-Step Guide for Read-only Domain Controllers and Planning and Deploying Read-Only Domain Controllers.
The following methods use replication to create the new domain controller:
• Active Directory Domain Services Installation Wizard (Dcpromo.exe), by specifying a source domain controller or allowing the replication system to select a replication partner.
• Unattended installation, by instructing Dcpromo to use parameters in an answer file to install AD DS. The answer file either specifies a source domain controller or allows the replication system to select a replication partner.
• Command-line installation, by using unattend parameters that either specify a source domain controller or allow the replication system to select a replication partner.
The following methods use installation media as the source for Active Directory installation, which avoids replication of AD DS:
• Active Directory Domain Services Installation Wizard (Dcpromo.exe), by using advanced options and specifying the location of installation media (the IFM method).
• Unattended installation, by instructing Dcpromo to use parameters in an answer file to install AD DS. The answer file specifies the location of installation media.
• Command-line installation, by using unattend parameters to specify the location of installation media.
Before you perform the installation procedures, prepare the server for installation according to the instructions in Preparing for Active Directory Installation. To ensure successful installation of a new domain controller, verify that all critical services that AD DS depends on are configured according to Requirements for Installing AD DS (http://go.microsoft.com/fwlink/?LinkId=120603). If you are installing the first Windows Server 2008 domain controller in an existing Windows Server 2000 or Windows Server 2003 domain, see the domain and forest preparation information in Installing an Additional Windows Server 2008 Domain Controller. For information about best practices for planning, testing, and deploying AD DS, see the AD DS Design Guide (http://go.microsoft.com/fwlink/?LinkID=116282) and see the AD DS Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=116283).
This section includes the following tasks for installing a domain controller in an existing domain:
• Installing an Additional Domain Controller by Using the Windows Interface
• Installing an Additional Domain Controller by Using IFM
• Installing an Additional Domain Controller by Using Unattend Parameters

See Also
Preparing for Active Directory Installation

Installing an Additional Domain Controller by Using the Windows Interface
The Windows interface provides two wizards that guide you through the process of installing Active Directory Domain Services (AD DS). The first wizard is the Add Roles Wizard, which you can access in Server Manager. The second wizard is the Active Directory Domain Services Installation Wizard, which you can access in the following ways:
• When you complete the Add Roles Wizard in Server Manager, click the link to start the Active Directory Domain Services Installation Wizard.
• Click Start, click Run, type dcpromo.exe, and then click OK.
If you use the advanced options in the Active Directory Domain Services Installation Wizard, you can control how AD DS is installed on the server, either by installation from media (IFM) or by replication:
• IFM: You can provide a location for installation media that you have created by using Ntdsutil.exe or that you have created by restoring a critical-volume backup of a similar domain controller in the same domain to an alternate location. If you create the installation media by using Ntdsutil, you have the option to create secure installation media for a read-only domain controller (RODC). In this case, the Ntdsutil process removes cached secrets (such as passwords) from the installation media. For information about using IFM to install an RODC, see Planning and Deploying Read-Only Domain Controllers. You can also create installation media by restoring an Active Directory backup to an alternate location. For information about creating installation media by restoring a critical-volume backup to an alternate location, see Restoring a Critical-Volume Backup to an Alternate Location (http://go.microsoft.com/fwlink/?LinkId=120612).
• Replication: You can specify a domain controller in the domain from which to replicate AD DS.
To complete this task, perform one of the following procedures:
• Install an Additional Domain Controller by Using the Windows Interface

See Also
Installing an Additional Domain Controller by Using Unattend Parameters

Install an Additional Domain Controller by Using the Windows Interface
You can use this procedure to add the Active Directory Domain Services (AD DS) server role to a server to create a domain controller in an existing domain. You can complete this procedure by using the Windows graphical user interface (GUI).
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To install an additional domain controller by using the Windows interface
1. Click Start, and then click Server Manager.
2. In Roles Summary, click Add Roles.
3. Review the information on the Before You Begin page, and then click Next.
4. On the Select Server Roles page, click Active Directory Domain Services, and then click Next.
5. Review the information on the Active Directory Domain Services page, and then click Next.
6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, click Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe).
8. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next. You can click Use advanced mode installation to see additional installation options. Specifically, click Use advanced mode installation if you want to install from media or identify the source domain controller for Active Directory replication.
9. On the Operating System Compatibility page, review the warning about the default security settings for Windows Server 2008 domain controllers, and then click Next.
10. On the Choose a Deployment Configuration page, click Existing forest, click Add a domain controller to an existing domain, and then click Next.
11. On the Network Credentials page, type the name of an existing domain in the forest where you plan to install the additional domain controller. Under Specify the account credentials to use to perform the installation, click My current logged on credentials or click Alternate credentials, and then click Set. In the Windows Security dialog box, provide the user name and password for an account that can install the additional domain controller. To install an additional domain controller, you must be a member of the Enterprise Admins group or the Domain Admins group. When you are finished providing credentials, click Next.
12. On the Select a Domain page, select the domain of the new domain controller, and then click Next.
13. On the Select a Site page, select a site from the list or select the option to install the domain controller in the site that corresponds to its IP address, and then click Next.
14. On the Additional Domain Controller Options page, make the following selections, and then click Next:
• DNS server: This option is selected by default so that your domain controller can function as a DNS server. If you do not want the domain controller to be a DNS server, clear this option.
Note
If you select the option to make this domain controller a DNS server, you might receive a message that indicates that a DNS delegation for the DNS server could not be created and that you should manually create a DNS delegation to the DNS server to ensure reliable name resolution. If you are installing an additional domain controller in either the forest root domain or a tree root domain, you do not have to create the DNS delegation. In this case, click Yes, and disregard the message.
• Global Catalog: This option is selected by default. It adds the global catalog, read-only directory partitions to the domain controller, and it enables global catalog search functionality.
• Read-only domain controller. This option is not selected by default. It makes the additional domain controller a read-only domain controller (RODC).
15. If you selected Use advanced mode installation on the Welcome page, the Install from Media page appears. You can provide the location of installation media to be used to create the domain controller and configure AD DS, or you can have all source replication occur over the network. Note that some data will be replicated over the network even if you install from media. For information about using this method to install the domain controller, see Installing an Additional Domain Controller by Using IFM.
16. If you selected Use advanced mode installation on the Welcome page, the Source Domain Controller page appears. Click Let the wizard choose an appropriate domain controller or click Use this specific domain controller to specify a domain controller that you want to provide as a source for replication to create the new domain controller, and then click Next. If you do not choose to install from media, all data will be replicated from this source domain controller.
17. On the Location for Database, Log Files, and SYSVOL page, type or browse to the volume and folder locations for the database file, the directory service log files, and the SYSVOL files, and then click Next. Windows Server Backup backs up the directory service by volume. For backup and recovery efficiency, store these files on separate volumes that do not contain applications or other nondirectory files.
18. On the Directory Services Restore Mode Administrator Password page, type and confirm the restore mode password, and then click Next. This password must be used to start AD DS in Directory Services Restore Mode (DSRM) for tasks that must be performed offline.
19. On the Summary page, review your selections. Click Back to change any selections, if necessary. To save the settings that you have selected to an answer file that you can use to automate subsequent Active Directory operations, click Export settings. Type the name for your answer file, and then click Save. When you are sure that your selections are accurate, click Next to install AD DS.
Note
If you are installing an additional domain controller in a child domain and you are using child domain credentials, the Windows Security dialog box appears because access is denied in the parent domain to update the DNS delegation in the parent zone. In this case, click the other user icon and provide administrator

credentials for the parent domain( and then clic0 O(& 20& 4n the Completing the Active Directory Domain Services Installation !i&ard page( clic0 #inish& 26& Eou can select 4eboot on completion to have the server restart automaticall ( or ou can restart the server to complete the installation of AD DS %hen ou are prompted to do so&

See Also
Preparing for Active Directory Installation
Verifying Active Directory Installation

Installing an Additional Domain Controller by Using IFM
When you install Active Directory Domain Services (AD DS) by using the install from media (IFM) method, you can reduce the replication traffic that is initiated during the installation of an additional domain controller in an Active Directory domain. Reducing the replication traffic reduces the time that is necessary to install the additional domain controller.

Windows Server 2008 includes an improved version of the Ntdsutil tool that you can use to create installation media for an additional domain controller. You can use Ntdsutil.exe to create installation media for additional domain controllers that you are creating in a domain. The IFM method uses the data in the installation media to install AD DS, which eliminates the need to replicate every object from a partner domain controller. However, objects that were modified, added, or deleted since the installation media was created must still be replicated. If the installation media was created recently, the amount of replication that is required is considerably less than the amount that is required for a regular AD DS installation.

You can also create installation media by restoring a critical-volume backup of a similar domain controller in the same domain to an alternate location. For information about creating installation media by restoring a critical-volume backup to an alternate location, see Restoring a Critical-Volume Backup to an Alternate Location (http://go.microsoft.com/fwlink/?LinkID=120612).

Note: You cannot restore a system state backup to an alternate location. A system state backup can only be restored on the local domain controller, and therefore this type of backup is not appropriate for creating installation media. To use this method of creating installation media, you must restore a critical-volume backup.

The procedures in this task are particularly useful for installing domain controllers in remote sites. By using these procedures, you can avoid having to either replicate the entire Active Directory replica over a wide area network (WAN) link or disconnect an existing domain controller while it is being shipped to the remote site. For more information about installing additional domain controllers in remote sites, see Adding Domain Controllers in Remote Sites.

IFM has the following requirements:
• You cannot use IFM to create the first domain controller in a domain. A Windows Server 2008-based domain controller must be running in the domain before you can perform IFM installations.
• The media that you use to create additional domain controllers must be taken from a domain controller in the same domain as the domain of the new domain controller.
• If the domain controller that you are creating is to be a global catalog server, the media for the installation must be created on an existing global catalog server in the domain.
• To install a domain controller that is a Domain Name System (DNS) server, you must create the installation media on a domain controller that is a DNS server in the domain.
• To create installation media for a full (writable) domain controller, you must run the ntdsutil ifm command on a writable domain controller that is running Windows Server 2008.
Note: You cannot run the ntdsutil ifm command on a domain controller that runs Windows Server 2003. However, you can create a system state backup of a Windows Server 2003 domain controller, restore the backup to an alternate location, and then use the dcpromo /adv command to create a Windows Server 2003 domain controller. For information about performing IFM installations on domain controllers that are running Windows Server 2003, see Installing a Domain Controller in an Existing Domain Using Restored Backup Media (http://go.microsoft.com/fwlink/?LinkId=120623).
• To create installation media for a read-only domain controller (RODC), you can run the ntdsutil ifm command on either a writable domain controller or an RODC that runs Windows Server 2008. For RODC installation media, Ntdsutil removes any cached secrets, such as passwords. Media for a full (writable) domain controller is not filtered in this way and contains the complete directory database, so handle it as carefully as a domain controller backup. For more information about installing and managing RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).
• You can use a 32-bit domain controller to generate installation media for a 64-bit domain controller, and the reverse is also true. The ability to mix processor types for IFM installations is new in Windows Server 2008.

Ntdsutil.exe can create the two types of installation media, as described in the following table.
Type of installation media | Parameter | Description
Full (writable) domain controller | create full PathToMediaFolder | Creates installation media for a writable domain controller or an Active Directory Lightweight Directory Services (AD LDS) instance in the folder that is identified in the path. If you are creating media in a shared folder on another computer, map a network drive to the folder before you perform the procedure.
Read-only domain controller | create RODC PathToMediaFolder | Creates installation media for an RODC in the folder that is identified in the path.

Task requirements
The following tools are required to perform the procedures for this task:
• Ntdsutil.exe
• Dcpromo.exe

To complete this task, perform the following procedures:
1. Create Installation Media by Using Ntdsutil
2. Install an Additional Domain Controller by Using Installation Media

See Also
Verifying Active Directory Installation
Adding Domain Controllers in Remote Sites

Create Installation Media by Using Ntdsutil
You can use the following procedure to create installation media for installing Active Directory Domain Services (AD DS) to create a new domain controller in an existing domain. Create the media on a domain controller in the domain where you are installing one or more new domain controllers.

This procedure uses Ntdsutil to create installation media. You can also create installation media by restoring a critical-volume backup to an alternate location. This method is not recommended because it takes significantly longer than the Ntdsutil method and it requires more space for the installation media, which contains more data than is required for installing AD DS. For more information, see Restoring a Critical-Volume Backup to an Alternate Location (http://go.microsoft.com/fwlink/?LinkID=120612).

The ability to log on to a domain controller locally and to back up a domain controller is the minimum required to complete this procedure. Members of Builtin Administrators, Enterprise Admins, Domain Admins, Backup Operators, and Server Operators have these rights by default. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. On a read-only domain controller (RODC), a delegated user can create the installation media. However, that user can create only RODC installation media (not installation media for a writable domain controller) on an RODC.

To create installation media for IFM
1. Open a command prompt as an administrator: Click Start, right-click Command Prompt, and then click Run as administrator.
2. Type the following command, and then press ENTER:
ntdsutil
3. At the ntdsutil prompt, type the following command, and then press ENTER:
activate instance ntds
4. At the ntdsutil prompt, type the following command, and then press ENTER:
ifm
5. At the ifm prompt, type the command for the type of installation media that you want to create, and then press ENTER. For example, to create installation media for a read-write domain controller, type the following command:
create full <Drive>:\<InstallationMediaFolder>
Where <Drive>:\<InstallationMediaFolder> is the path to the folder where you want the installation media to be created. You can save the installation media to a network shared folder or to removable media. When you create additional domain controllers in the domain, you can refer to the shared folder or removable media where you store the installation media as follows:
• In the Active Directory Domain Services Installation Wizard: on the Install from Media page
• In an unattended installation answer file: in the ReplicationSourcePath parameter
Full (writable) media contains a complete copy of the directory database, including the password hashes of every account in the domain, together with the registry hives that are needed to use it. Protect the media in transit and at rest as you would a domain controller backup, limit who can read the share or removable device, and delete the media after the new domain controller has been promoted. Only RODC media has cached secrets removed.

See Also
Create an Answer File for Unattended Domain Controller Installation
Installing an Additional Domain Controller by Using IFM

Install an Additional Domain Controller by Using Installation Media
You can use this procedure to install Active Directory Domain Services (AD DS) from media. You can use the install from media (IFM) method to create an additional domain controller in an existing domain.

When you create an additional domain controller in the domain, you can specify sourcing the installation from the shared folder or removable media where you created the installation media by using one of the following methods:
• Windows interface: Provide the location on the Install from Media page in the Active Directory Domain Services Installation Wizard.
• Unattended installation: Use the ReplicationSourcePath parameter in the answer file for an unattended installation.
• Command line: Use the /ReplicationSourcePath unattend parameter at the command line.

Membership in the Domain Admins group in the domain into which you are installing the additional domain controller, or the equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To install AD DS from IFM media by using the Windows interface
1. Use the procedure Install an Additional Domain Controller by Using the Windows Interface. In step 8, select Use advanced mode installation.
2. In step 15, select the install from media option and provide the location of the installation media.
3. Complete the remaining pages of the Active Directory Domain Services Installation Wizard.
4. After the installation operation completes successfully and the computer is restarted, remove the folder that contains the IFM media from the local disk. Full media holds a copy of the directory database, so do not leave it on the new domain controller or on the share from which it was copied.

To install AD DS from IFM media by using an answer file
1. Create an answer file by using one of the following methods:
• During the procedure Install an Additional Domain Controller by Using the Windows Interface, select the Export settings option to save the installation settings to a file. This file is an answer file that you can use to install an additional domain controller in the same domain.
• Use the procedure Create an Answer File for Unattended Domain Controller Installation to create an answer file. Include the ReplicationSourcePath parameter to specify the location of the IFM media.
2. Use the procedure Install an Additional Domain Controller by Using an Answer File to install AD DS.

To install AD DS from IFM media by using unattend parameters from the command line
1. Use the procedure Install an Additional Domain Controller by Using Unattend Parameters from the Command Line to install AD DS.
2. During the procedure, use the /ReplicationSourcePath parameter to specify the location of the IFM media.

See Also
Preparing for Active Directory Installation
Verifying Active Directory Installation

Installing an Additional Domain Controller by Using Unattend Parameters
You can use unattend parameters to specify configuration settings for installing Active Directory Domain Services (AD DS) to create an additional domain controller in an existing domain. Specifically, you can use the dcpromo /unattend command to install AD DS. You can use unattend parameters in the following ways:
• In an answer file: You can manually create an answer file that contains unattend parameters to specify the settings for a domain controller, including such values as its name, domain, site, and whether it is a writable domain controller or a read-only domain controller (RODC). You can also create an answer file automatically by exporting installation settings to a file during an Active Directory Domain Services Installation Wizard installation.
Note: For information about installing RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728) and Planning and Deploying Read-Only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=120540).
• From the command line: You can type the parameters and values manually at the command line.

Running an unattended installation simplifies the process of installing and configuring AD DS on multiple computers. When you use Dcpromo to reference the answer file, the installation proceeds from start to completion without user intervention. This method is most useful when you want to install AD DS with identical options on many computers.

Task requirements
The following tools are required to complete this task:
• Text editor application
• Dcpromo.exe

To complete this task, perform the following procedures:
1. Create an Answer File for Unattended Domain Controller Installation
2. Install an Additional Domain Controller by Using an Answer File
3. Install an Additional Domain Controller by Using Unattend Parameters from the Command Line

See Also
Installing an Additional Domain Controller by Using IFM
Installing an Additional Domain Controller by Using the Windows Interface

Create an Answer File for Unattended Domain Controller Installation
You can use this procedure to create a text file that you can use as the answer file for an unattended installation of an additional domain controller. Use the answer file to install Active Directory Domain Services (AD DS) on either a full installation of Windows Server 2008 or a Server Core installation of Windows Server 2008. The answer file contains sensitive information, and it should be kept in a secure location.

Notes
• The answer file that you use to install an additional domain controller in an existing domain must have the ReplicaOrNewDomain and ReplicaDomainDNSName parameters specified.
• The answer file that you use to install a domain controller from media must have the ReplicationSourcePath parameter specified.

An account that has Read and Write privileges for the text editor application is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To create an answer file for installing a new domain controller
1. Open Notepad or any text editor.
2. On the first line, type [DCINSTALL], and then press ENTER.
3. Create the following entries, one entry on each line. These options are the minimum options that are required for an additional domain controller installation with Domain Name System (DNS) and the global catalog installed and configured automatically. For a complete list of unattended installation options, including default values, allowed values, and descriptions, see Promotion Operation (http://go.microsoft.com/fwlink/?LinkID=120626).
UserName=SAM account name that has Domain Admins credentials in the target domain. This account must be used by the administrator who runs the Dcpromo command.
UserDomain=Domain name for the user account in UserName
Password=Password for the account in UserName. If you leave this blank, Dcpromo prompts the installer for a password during installation. Dcpromo deletes this value after installation.
ReplicaDomainDNSName=The fully qualified domain name (FQDN) of the domain of the new domain controller.
ReplicaOrNewDomain=Replica for an additional domain controller in an existing domain or NewDomain for the first domain controller in a new domain.
DatabasePath=Location of the Ntds.dit file, a folder on a local volume, surrounded by double quotation marks. (The default is "%systemroot%\ntds".) If you omit this entry, Dcpromo uses the default location.
LogPath=Location of the database log files, a folder on a local volume, surrounded by double quotation marks. (The default is "%systemroot%\ntds".) If you omit this entry, Dcpromo uses the default location.
SYSVOLPath=Location of the SYSVOL tree, a folder on a local volume, surrounded by double quotation marks. (The default is "%systemroot%\SYSVOL".) If you omit this entry, Dcpromo uses the default location.
InstallDNS=Yes to make the domain controller a DNS server or No to create a domain controller without DNS installed.
ConfirmGC=Yes to make the domain controller a global catalog server or No to create a domain controller without the global catalog read-only directory partitions.
SafeModeAdminPassword=Password for the administrator account that must be used to start the domain controller in Directory Services Restore Mode (DSRM). If you leave this blank, Dcpromo prompts the installer for the password during installation. Dcpromo deletes this value after installation. Passwords are removed from the answer file when you run Dcpromo.
RebootOnCompletion=Yes if you want the domain controller to restart automatically following a successful installation, No if you want to restart the domain controller manually. If you do not want the domain controller to restart automatically and you do not want to be prompted, use the value NoAndNoPromptEither.
4. If you want to include application directory partitions in the answer file, add the following parameter:
ApplicationPartitionsToReplicate=
Provide a value for ApplicationPartitionsToReplicate as follows:
• If you want to include all application directory partitions, use the value *.
• If you want to include specific application directory partitions, type the distinguished name of each directory partition. Separate each distinguished name with a space, and enclose the entire list in quotation marks, as shown in the following example:
ApplicationPartitionsToReplicate="dc=app1,dc=contoso,dc=com dc=app2,dc=contoso,dc=com"
5. Save the answer file to the location on the installation server from which it is to be called by Dcpromo, or save the file to a network shared folder or removable media for distribution. Until Dcpromo runs, any Password or SafeModeAdminPassword value in the file is stored in clear text, so restrict access to the file and to any share that carries it, and delete the file when the installation is complete. Leaving both values blank, so that Dcpromo prompts for them, keeps the Domain Admins password and the DSRM password off the disk entirely.

See Also
Install an Additional Domain Controller by Using an Answer File
Install an Additional Domain Controller by Using Unattend Parameters from the Command Line

Install an Additional Domain Controller by Using an Answer File
You can use this procedure to install an additional domain controller in an existing domain. To perform this procedure, you must have created an answer file. You can create an answer file automatically when you install a domain controller using the Active Directory Domain Services Installation Wizard by selecting the option to export the installation information to a file. For information about creating an answer file manually, see Create an Answer File for Unattended Domain Controller Installation.

Note: You can also use an answer file to create a new domain.

After you create the answer file, use the following procedure to perform the unattended installation. You can use this procedure to install Active Directory Domain Services (AD DS) on either a full installation of Windows Server 2008 or a Server Core installation of Windows Server 2008.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To install a new domain controller by using an answer file
• Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
• At the command prompt, type the following command, and then press ENTER:

dcpromo /unattend:"<path to the answer file>"

See Also
Preparing for Active Directory Installation
Create an Answer File for Unattended Domain Controller Installation
Verifying Active Directory Installation

Install an Additional Domain Controller by Using Unattend Parameters from the Command Line
You can use the following procedure to install a new domain controller from the command line. In this method of installation, you type unattended installation parameters at the command line rather than creating an answer file. For a complete list of unattended installation options, including default values, allowed values, and descriptions, type dcpromo /?:Promotion at a command prompt, or see Promotion Operation (http://go.microsoft.com/fwlink/?LinkID=120626).

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To install an additional domain controller by entering unattended installation parameters at the command line
• At a command prompt, type the following command. When you have typed all the options that are required to create the additional domain controller, press ENTER:

dcpromo /unattend /<unattendOption>:<value> /<unattendOption>:<value> ...

Where:
• <unattendOption> is an option in the Promotion Operation table.
• <value> is the configuration instruction for the option.
Separate each <option:value> pair with a space.

The following example creates an additional domain controller with the global catalog, and it installs and configures the DNS Server service:

dcpromo /unattend /InstallDns:yes /confirmGC:yes /replicaOrNewDomain:replica /databasePath:"e:\ntds" /logPath:"e:\ntdslogs" /sysvolpath:"g:\sysvol" /safeModeAdminPassword:FH#3573.cX /rebootOnCompletion:yes

A password that is typed on the command line can be read by anyone who can list processes on the server while Dcpromo runs, and it can remain in the console history. When the console is shared or the command is scripted, leave the password value blank so that Dcpromo prompts for it instead.

Verifying Active Directory Installation
There are several verification tasks that you can perform on a computer on which Active Directory Domain Services (AD DS) has been newly installed. Successfully completing the requirements of each verification task provides a strong indication of a healthy, operational domain controller.

The individual procedures in this task are provided so that you can test specific criteria to determine the health of an Active Directory installation. To thoroughly test the domain controller for all directory service issues, you can run the dcdiag /v command. The output of this command provides detailed information about the conditions on the domain controller. For information about using the Dcdiag.exe command-line tool, see Dcdiag (http://go.microsoft.com/fwlink/?LinkId=104659).

Task requirements
The following tools are recommended to perform the procedures for this task:
• Active Directory Sites and Services
• DNS Manager
• Event Viewer
• Dcdiag.exe
• Ntdsutil.exe

To complete this task, perform the following procedures:
1. Determine Whether a Server Object Has Child Objects
2. Verify That an IP Address Maps to a Subnet and Determine the Site Association. Check that the new domain controller is located in the correct site so that the new domain controller can locate replication partners and become part of the replication topology.
3. Move a Server Object to a New Site. If you have performed an unattended installation and the domain controller was not placed in the site that you expected, you can move the server object to the correct site.
4. Configure DNS Server Forwarders
5. Complete all procedures for the Verifying DNS Configuration task.
6. Check the Status of the SYSVOL and Netlogon Shares
7. Verify DNS Registration and TCP/IP Connectivity
8. Verify a Domain Computer Account for a New Domain Controller
9. Verify Active Directory Replication
10. Verify the Availability of the Operations Masters

Verify That an IP Address Maps to a Subnet and Determine the Site Association
You can use this procedure to determine the site to which you want to add a server object before you install Active Directory Domain Services (AD DS). You can also use this procedure to verify the site after you install AD DS or before you move a server object. To be associated with a site, the IP address of a domain controller must map to a subnet object that is defined in AD DS. The site to which the subnet is associated is the site of the domain controller.

The subnet address, which is computed from the IP network address and the subnet mask, is the name of a subnet object in AD DS. When you know the subnet address, you can locate the subnet object and determine the site to which the subnet is associated. AD DS uses the most specific subnet object that contains the address, so a broader subnet object (for example, a /16) is the match when no more specific one exists, even if the adapter itself is configured with a longer mask.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To verify that an IP address maps to a subnet and to determine the site association
1. Log on locally or open a Remote Desktop connection to the server for which you want to check the IP address.
2. In Server Manager, click View Network Connections.
3. Right-click the connection that the server or domain controller uses to attach to the network, and then click Properties.
4. In the Connection Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4) or Internet Protocol Version 6 (TCP/IPv6).
5. Use an IP subnet calculator and the values in IP address and Subnet mask to calculate the subnet address, and then click OK twice.
6. Open the Active Directory Sites and Services snap-in: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
7. Expand the Sites container, and then click the Subnets container.
8. In the Name column in the details pane, find the subnet object that matches the subnet address for the server or domain controller.
9. In the Site column, note the site to which the IP subnet address is associated. If the site that appears in the Site column is not the appropriate site, contact a site administrator and find out whether the IP address is incorrect or whether you should move the server object to the site that is indicated by the subnet-to-site association.
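The following script is an added example and is not part of the original guide. It performs steps 1 to 9 above without the snap-in: it reads the local IPv4 addresses through WMI, reads every subnet object under CN=Subnets,CN=Sites in the configuration partition through ADSI, and reports the site for each address. It goes beyond step 8 by applying the longest-prefix match that AD DS itself uses, so a broader subnet object is found even when the adapter is configured with a narrower mask. It uses only WMI and ADSI, so it runs on Windows Server 2008 without the RSAT PowerShell module; it handles IPv4 subnets only. The function names are the example's own.

```powershell
# Added example (not from the original guide): map each local IPv4 address to its AD DS subnet object
# and site using the longest-prefix match AD DS applies. IPv4 only; WMI and ADSI only (no RSAT needed).

function ConvertTo-IPv4Number {
    # "10.1.2.3" -> 167838211, as an unsigned 64-bit value so no sign or shift issues arise
    param([string] $IPv4)
    $value = [uint64] 0
    foreach ($octet in [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()) {
        $value = $value * 256 + $octet
    }
    return $value
}

function Get-AdIPv4Subnets {
    # Reads every IPv4 subnet object under CN=Subnets,CN=Sites in the configuration partition.
    $configNc = [string] ([ADSI] 'LDAP://RootDSE').configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI] "LDAP://CN=Subnets,CN=Sites,$configNc"
    $searcher.Filter = '(objectClass=subnet)'
    $searcher.PageSize = 500
    [void] $searcher.PropertiesToLoad.AddRange(@('cn', 'siteObject'))
    foreach ($result in $searcher.FindAll()) {
        $name = [string] $result.Properties['cn'][0]
        # Subnet objects are named "network/prefix"; anything else here is an IPv6 subnet and is skipped.
        if (-not ($name -match '^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$')) { continue }
        $prefix = [int] $matches[2]
        if ($prefix -gt 32) { continue }
        $site = '(no site assigned)'
        if ($result.Properties['siteobject'].Count -gt 0) {
            # siteObject is the site's DN; its first RDN is the site name shown in the Site column.
            $site = ([string] $result.Properties['siteobject'][0] -split ',')[0] -replace '^CN=', ''
        }
        New-Object PSObject -Property @{
            Name    = $name
            Network = (ConvertTo-IPv4Number $matches[1])
            Prefix  = $prefix
            Site    = $site
        }
    }
}

function Find-AdSiteForAddress {
    # Returns the most specific subnet object that contains the address, or $null if none does.
    param([string] $IPAddress, $Subnets)
    $address = ConvertTo-IPv4Number $IPAddress
    $best = $null
    foreach ($subnet in $Subnets) {
        $blockSize = [uint64] [math]::Pow(2, 32 - $subnet.Prefix)   # number of addresses in the subnet
        # Integer-dividing by the block size keeps only the network bits, the same as AND with the mask.
        if ([math]::Floor($address / $blockSize) -ne [math]::Floor($subnet.Network / $blockSize)) { continue }
        if ($best -eq $null -or $subnet.Prefix -gt $best.Prefix) { $best = $subnet }
    }
    return $best
}

$subnets = @(Get-AdIPv4Subnets)
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    foreach ($ip in $_.IPAddress) {
        if ($ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }     # IPv4 only in this example
        $match = Find-AdSiteForAddress -IPAddress $ip -Subnets $subnets
        if ($match) {
            '{0} -> subnet {1} -> site {2}' -f $ip, $match.Name, $match.Site
        } else {
            # Nothing covers this address, so AD DS cannot derive a site from it: either the subnet
            # object is missing or the address is wrong, which is what step 9 tells you to resolve.
            '{0} -> no subnet object covers this address' -f $ip
        }
    }
}
```

Run it on the server before promotion to see where dcpromo will place the server object when you choose the site that corresponds to its IP address, and again afterwards to confirm the placement; an address with no covering subnet object means the subnet must be created or the site chosen explicitly.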

See Also
Move a Server Object to a New Site

Configure DNS Server Forwarders
You can use this procedure to configure Domain Name System (DNS) server forwarders. When you add a new domain controller that is a DNS server, if your network uses forwarding for recursive name resolution, configure DNS server forwarders based on the forwarding method that is established on your network. When forwarders are configured, a DNS server that receives a DNS query for a name for which it is not authoritative forwards the request to the DNS forwarder instead of using root hints. If your network uses forwarding, use the DNS snap-in to add the appropriate forwarders on the new domain controller. If you want the DNS Server service on the new domain controller to forward queries to different servers depending on the DNS suffix that is specified in the query, configure conditional forwarding appropriately. For information about using forwarding and conditional forwarding for DNS name resolution, see Using Forwarding (http://go.microsoft.com/fwlink/?LinkId=26353).

Because every query that the domain controller cannot answer itself is sent to the forwarders, point them only at DNS servers that you operate or trust; a compromised or spoofed forwarder can return false answers for any external name.

Note: Root hints is the recommended method of recursive name resolution for Active Directory-integrated DNS in Windows Server 2008 forests. For more information about configuring DNS for Windows Server 2008 forests, see the AD DS Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=116253).

Membership in Domain Admins, or equivalent, is required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To configure DNS server forwarders
1. If your network uses root hints rather than forwarders for recursive name resolution, you do not have to perform any additional steps. Root hints are configured automatically during installation. Do not continue to step 2.
2. If you have to configure forwarders, open the DNS snap-in, and continue to step 3.
3. In the console tree, right-click ComputerName (where ComputerName is the computer name of the domain controller), and then click Properties.
4. In the ComputerName properties sheet (where ComputerName is the name of the domain controller), on the Forwarders tab, click Edit.
5. Click the text entry area where indicated, type an IP address or DNS name for a DNS server that will receive forwarded DNS queries, and then click OK.
6. When the IP address resolves to the server's fully qualified domain name (FQDN) on the Forwarders tab, click OK.

5erifying DNS Configuration
Part of verif ing Active Director installation is verif ing that Domain 9ame S stem "D9S# is installed and configured appropriatel & *egarding D9S configuration for Active Director forests( %e recommend that ou install the D9S Server service on all domain controllers& $hen ou use the Active Director Domain Services 'nstallation $i.ard to install D9S during installation of Active Director Domain Services "AD DS#( the %i.ard creates the D9S .one delegation automaticall & The 9et +ogon service registers the reFuired host and service resource records for the ne% domain controller %hen it restarts after installation&


The DNS Client service on a domain controller determines the DNS servers that the domain controller uses to locate other domain controllers. Verify that the primary and alternate DNS server settings are appropriate for the network segment.
Task requirements
The following tools are required to perform the procedures for this task:
• DNS snap-in
• Network Connections

To complete this task, perform the following procedures:
1. Verify DNS Server Configuration for a Domain Controller
2. Verify DNS Client Settings

Verify DNS Server Configuration for a Domain Controller
You can use this procedure to verify DNS Server service configuration on a new additional domain controller that has Domain Name System (DNS) installed. Verify that resource records are registered so that clients can locate the DNS server. Verify also that the forest and domain DNS zone application directory partitions have replicated so that the DNS server receives zone updates.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To verify DNS server configuration for a domain controller
1. Open the DNS snap-in: On the Start menu, point to Administrative Tools, and then click DNS. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. Double-click Forward Lookup Zones, and verify that the zone _msdcs.ForestRootDomain and the zone for the domain of the new domain controller are present.
3. Click the domain node, and then, in the details pane, verify that host (A) resource records, IPv6 host (AAAA) resource records (if TCP/IPv6 addresses are in use), and name server (NS) resource records are present for the new domain controller.
4. To verify that the ForestDnsZones and DomainDnsZones application directory partitions replicated successfully, open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
5. At the command prompt, type the following command, and then press ENTER:

repadmin /showrepl

6. Verify that the DC=DomainDnsZones,DC=DomainName,DC=ForestRootDomainName,DC=com and DC=ForestDnsZones,DC=ForestRootDomainName,DC=com application directory partitions replicated successfully.

See Also
Verify DNS Client Settings

Verify DNS Client Settings
After you install an additional domain controller, verify the DNS Client service settings on the new domain controller. If you use the Active Directory Domain Services Installation Wizard to install a domain controller, the wizard configures the DNS Client service settings, as follows:
• The preferred Domain Name System (DNS) server is added to the DNS servers list of the DNS client settings.
• The alternate DNS server is unchanged, but 127.0.0.1 is added.

Note
If IP version 6 (IPv6) is enabled, IPv6 addresses are used instead of IP version 4 (IPv4) addresses.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To verify the DNS client settings
1. In Server Manager, click View Network Connections.
2. Right-click the connection that represents the connection that the domain controller uses to attach to the network, and then click Properties.
3. In Connection Properties, double-click Internet Protocol Version 4 (TCP/IPv4) or Internet Protocol Version 6 (TCP/IPv6).
4. In Internet Protocol (TCP/IP) Properties, verify that Use the following DNS server addresses is selected.
5. Verify that the Preferred DNS server IP address is the IP address of the new domain controller (so that it is referencing itself). Verify that the Alternate DNS server address is that of another DNS server in the same domain.
6. Click OK twice.
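The two verification procedures above (server-side zones, records and partition replication; client-side preferred and alternate servers) can be scripted so that the same checks run identically on every new domain controller. The following PowerShell is an added example, not the guide's own procedure. It assumes the ActiveDirectory, DnsServer and DnsClient modules (Windows Server 2012 or later) and is run on the newly promoted domain controller; forest and domain names are derived from the local RootDSE, so nothing needs to be typed in.

```powershell
# Added example (not from the guide). Run on the newly promoted domain controller.
# Assumes the ActiveDirectory, DnsServer and DnsClient modules (Windows Server 2012+).
Import-Module ActiveDirectory, DnsServer -ErrorAction Stop

$rootDse = Get-ADRootDSE
$newDc   = $rootDse.dnsHostName                                                    # e.g. dc02.corp.example
$domain  = $rootDse.defaultNamingContext   -replace 'DC=', '' -replace ',', '.'    # corp.example
$forest  = $rootDse.rootDomainNamingContext -replace 'DC=', '' -replace ',', '.'   # forest root name
$results = [System.Collections.Generic.List[string]]::new()
function Check([bool]$ok, [string]$what) { $results.Add("$(if ($ok) {'PASS'} else {'FAIL'}) $what") }

# --- Procedure 1: zones, resource records and DNS application partitions ---
$zones = Get-DnsServerZone -ComputerName $newDc
Check ($zones.ZoneName -contains "_msdcs.$forest") "_msdcs.$forest zone present"
Check ($zones.ZoneName -contains $domain)          "$domain zone present"

$a  = Resolve-DnsName -Name $newDc  -Type A  -Server $newDc -DnsOnly -ErrorAction SilentlyContinue
$ns = Resolve-DnsName -Name $domain -Type NS -Server $newDc -DnsOnly -ErrorAction SilentlyContinue
Check ([bool]$a) "host (A) record for $newDc"
Check (($ns | Where-Object Type -eq 'NS').NameHost -contains $newDc) "NS record for $newDc in $domain"

# The locator record Net Logon registers; clients find this DC through it, not through A alone.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$forest" -Type SRV -Server $newDc -DnsOnly -ErrorAction SilentlyContinue
Check (($srv | Where-Object Type -eq 'SRV').NameTarget -contains $newDc) "_ldap._tcp.dc._msdcs.$forest SRV record targets $newDc"

# Both DNS application partitions must have at least one inbound partner whose last result was 0.
foreach ($nc in @("DC=DomainDnsZones,$($rootDse.defaultNamingContext)",
                  "DC=ForestDnsZones,$($rootDse.rootDomainNamingContext)")) {
    $partners = @(Get-ADReplicationPartnerMetadata -Target $newDc -Partition $nc -ErrorAction SilentlyContinue)
    $healthy  = @($partners | Where-Object { $_.LastReplicationResult -eq 0 })
    Check ($partners.Count -gt 0 -and $healthy.Count -eq $partners.Count) "$nc replicated from $($partners.Count) partner(s), last result 0"
}

# --- Procedure 2: preferred DNS server is this DC, alternate is another server ---
$localIps = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -ne '127.0.0.1' }).IPAddress
foreach ($nic in Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses.Count -gt 0 }) {
    $pref = $nic.ServerAddresses[0]
    $alt  = if ($nic.ServerAddresses.Count -gt 1) { $nic.ServerAddresses[1] } else { $null }
    Check ($localIps -contains $pref) "$($nic.InterfaceAlias): preferred DNS $pref is this domain controller"
    Check ($alt -and $alt -ne '127.0.0.1' -and ($localIps -notcontains $alt)) "$($nic.InterfaceAlias): alternate DNS '$alt' is another DNS server"
}

$results
if ($results -match '^FAIL') { Write-Warning "One or more DNS checks failed on $newDc" }
```

The alternate-server check deliberately fails on the 127.0.0.1 entry the wizard leaves behind: step 5 of the procedure wants a second, real DNS server there so that the domain controller can still locate partners if its own DNS Server service has not started.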


See Also
Verify DNS Server Configuration for a Domain Controller

Check the Status of the SYSVOL and Netlogon Shares
You can use this procedure to make sure that the Distributed File System (DFS) Replication service is started properly and then ensure that the sysvol shared folder and netlogon (scripts) shared folder are created and shared. For information about checking SYSVOL status for File Replication Service (FRS), see the Windows Server 2003 topic Check the status of the shared SYSVOL (http://go.microsoft.com/fwlink/?LinkId=120774).
Membership in Domain Admins, or equivalent, is required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To check the status of the SYSVOL and Netlogon shares
1. On the Start menu, point to Administrative Tools, and then click Services.
2. Verify that the DFS Replication service and the Netlogon service have a status of Started. If a service is stopped, click Restart.
3. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
4. To verify that the SYSVOL tree includes the sysvol and scripts shared folders, at the command prompt, type the following command, and then press ENTER:
net share

5. Check the list to be sure that it includes %systemroot%\SYSVOL\sysvol\ (the SYSVOL share) and %systemroot%\SYSVOL\sysvol\<Domain Name>\SCRIPTS (the NETLOGON share), where <Domain Name> is the domain of the new domain controller.
Note
If neither %systemroot%\SYSVOL\sysvol\ nor %systemroot%\SYSVOL\sysvol\<Domain Name>\SCRIPTS is present, see Verify Active Directory Replication.
6. Verify that the proper permissions are set for SYSVOL replication. At the command prompt, type the following command, and then press ENTER:
dcdiag /test:netlogons

Look for a message that states that <ComputerName> passed test NetLogons, where <ComputerName> is the name of the domain controller. If you do not see the "passed test" message, check the permissions that are set on the Scripts and Sysvol shared folders. For information about default SYSVOL permissions, see Reapply Default SYSVOL Security Settings.

Verify Active Directory Replication
You can use this procedure to verify that Active Directory replication is functioning properly on a domain controller.
Membership in Domain Admins, or equivalent, is required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To verify Active Directory replication
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
dcdiag /test:replications

Note
For more detailed replication information, use the /v option.

If this test fails, open Event Viewer and check for errors in the Directory Service log. Use the information in the ActiveDirectory_DomainService replication events to troubleshoot the problem.

Verify a Domain Computer Account for a New Domain Controller
You can use this procedure to verify that a domain computer account is registered properly and that the Service Principal Names (SPNs) are advertised. This account is required for the domain controller to function as a domain controller in the domain.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.


To verify a domain computer account for a new domain controller
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
dcdiag /test:MachineAccount

3. If the test is successful, you should see the following message:
<ComputerName> passed test MachineAccount.

To receive more detailed information, including the SPNs that are found for the domain controller, use the /v option.
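The three procedures above (SYSVOL and Netlogon shares, replication, and the machine account) each end in a dcdiag test whose output you read by eye. The following PowerShell is an added example, not part of the guide, that folds them into one report a practitioner can run on a newly promoted domain controller or schedule after a reconnection. It assumes the ActiveDirectory and SmbShare modules (Windows Server 2012 or later), dcdiag.exe and repadmin.exe on the path, and Domain Admins rights. The SPN list it checks against is an assumption stated here (the names a writable domain controller registers for Kerberos, LDAP and replication), not a list taken from the guide; dcdiag /test:MachineAccount /v remains the authoritative view.

```powershell
# Added example (not from the guide). Assumes the ActiveDirectory and SmbShare modules,
# dcdiag.exe and repadmin.exe on the path, and Domain Admins rights. Run on the new DC.
Import-Module ActiveDirectory -ErrorAction Stop

$dc      = Get-ADDomainController -Identity $env:COMPUTERNAME
$forest  = $dc.Forest
$domain  = $dc.Domain
$results = [System.Collections.Generic.List[string]]::new()
function Check([bool]$ok, [string]$what) { $results.Add("$(if ($ok) {'PASS'} else {'FAIL'}) $what") }

# Runs one dcdiag test and looks for the "passed test <Name>" line the guide tells you to read.
function Test-Dcdiag([string]$Name) {
    $out = dcdiag /test:$Name /s:$($dc.HostName) 2>&1 | Out-String
    return ($out -match "passed test $Name")
}

# 1. SYSVOL / NETLOGON: services running, shares exported from the expected paths
foreach ($svc in 'DFSR', 'Netlogon') {
    Check ((Get-Service -Name $svc).Status -eq 'Running') "$svc service running"
}
$shares = Get-SmbShare -ErrorAction SilentlyContinue
$sysvol = $shares | Where-Object Name -eq 'SYSVOL'
$netlog = $shares | Where-Object Name -eq 'NETLOGON'
Check ([bool]$sysvol) "SYSVOL share present ($($sysvol.Path))"
Check ($netlog -and $netlog.Path -like "*\sysvol\$domain\scripts") "NETLOGON share maps to $domain\scripts ($($netlog.Path))"
Check (Test-Dcdiag 'NetLogons') 'dcdiag NetLogons (share permissions)'

# 2. Replication: dcdiag summary, then every inbound partner on every partition from repadmin's CSV
Check (Test-Dcdiag 'Replications') 'dcdiag Replications'
$rows = repadmin /showrepl $dc.HostName /csv | ConvertFrom-Csv
foreach ($row in $rows) {
    $failures = [int]$row.'Number of Failures'
    Check ($failures -eq 0) "$($row.'Naming Context') from $($row.'Source DSA'): last success $($row.'Last Success Time'), failures $failures"
}
# Replication problems also land in the Directory Service log; surface errors from the last day.
$recent = @(Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Level = 1, 2; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue)
Check ($recent.Count -eq 0) "no Directory Service errors in the last 24h ($($recent.Count) found)"

# 3. Machine account and SPNs. The expected set is an assumption (what a writable DC registers);
#    GC/ is required only when this DC is a global catalog server.
Check (Test-Dcdiag 'MachineAccount') 'dcdiag MachineAccount'
$dsaGuid  = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
$spns     = (Get-ADComputer -Identity $dc.ComputerObjectDN -Properties servicePrincipalName).servicePrincipalName
$expected = @(
    "HOST/$($dc.Name)", "HOST/$($dc.HostName)",
    "ldap/$($dc.HostName)", "ldap/$($dc.HostName)/$domain",
    "ldap/$dsaGuid._msdcs.$forest",
    "E3514235-4B06-11D1-AB04-00C04FC2DCD2/$dsaGuid/$domain"   # DRS replication interface SPN
)
if ($dc.IsGlobalCatalog) { $expected += "GC/$($dc.HostName)/$forest" }
foreach ($spn in $expected) { Check ($spns -contains $spn) "SPN registered: $spn" }

$results
if ($results -match '^FAIL') { Write-Warning "Post-promotion checks failed on $($dc.HostName)" }
```

The per-partner loop is the part dcdiag's one-line summary hides: a partition that has never replicated from one partner shows a failure count there even when the overall Replications test passes.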

Adding Domain Controllers in Remote Sites
You can create an additional domain controller in a domain by installing Active Directory Domain Services (AD DS) on a server computer. When you are placing the additional domain controller in a remote site, you can install AD DS on the server either before or after you ship it to the remote site, as follows:
• Ship the computer as a workgroup computer, and install AD DS on it in the remote site. If you do not have administrative support in the remote site, enable Remote Desktop on the computer before you ship the computer so that you can perform the installation remotely. In the remote site, you can either:
  • Install AD DS from installation media that has been shipped to the site on removable media.
  • Install AD DS over the network.
• Install AD DS on the server in a hub or staging site, and then ship the installed domain controller to the remote site.
Both methods have advantages and disadvantages, and both methods require care to ensure the secure transfer of Active Directory data, whether it is installed or in the form of removable media. For information about the advantages and disadvantages of shipping a server to a remote site before or after installing AD DS, see Known Issues for Adding Domain Controllers in Remote Sites. For recommended practices for adding domain controllers to remote sites for the method that you are using, see Best Practices for Adding Domain Controllers in Remote Sites. By reviewing issues and guidelines, you can decide the best method of adding domain controllers in remote sites for your environment. By following the instructions in this guide, you can safely and securely install domain controllers in remote sites, either locally or remotely.


Note
On servers that are running Windows Server 2008, you can install a read-only domain controller (RODC), which is ideal for providing AD DS in remote sites without incurring the security risks of a writable domain controller. For information about installing and managing RODCs in remote sites, see Planning and Deploying Read-Only Domain Controllers (http://go.microsoft.com/fwlink/?LinkID=120709).
This section includes the following tasks, known issues, and best practices for adding domain controllers in remote sites:
• Known Issues for Adding Domain Controllers in Remote Sites
• Best Practices for Adding Domain Controllers in Remote Sites
• Preparing a Server Computer for Shipping and Installation from Media
• Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection
• Reconnecting a Domain Controller After a Long-Term Disconnection

Best Practices for Adding Domain Controllers in Remote Sites
By reviewing the information in Known Issues for Adding Domain Controllers in Remote Sites, you can determine the best method to use for installing Active Directory Domain Services (AD DS) to create domain controllers in your remote sites. The following best practices help ensure trouble-free installation of domain controllers in remote sites.
Important
Do not attempt to perform actions based only on the recommendations that are described in this topic. Step-by-step guidance is provided in the task-based topics in this guide for all recommendations in this topic.

Best practices for using IFM to install AD DS in the remote site
Installation from media (IFM) is a method of installing AD DS without replication from a source domain controller. By using IFM, you provide a local source for the domain, configuration, and schema directory partitions and, as an option, the global catalog partial, read-only directory partitions and Domain Name System (DNS) application directory partitions. The local source is the installation media files that reside on the server that you are installing. Updates to object attributes that occur after the installation media was created will replicate over the network from an existing domain controller in the domain or forest. Although SYSVOL is part of the installation media, under normal conditions the source for SYSVOL is not the installation media. Instead, SYSVOL is created by replication from an existing domain controller. Configuring the installation media to be the source for SYSVOL requires additional procedures. For information about using installation media as the source for SYSVOL during IFM installation of AD DS, see Planning and Deploying Read-Only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=120540).
To use IFM for installation of one or more additional domain controllers in a domain, you can do one of the following:
• Specify a volume on the installation computer as the location for the media when you run the ntdsutil ifm command. For information about the effects of the location on the installation process, see Preparing a Server Computer for Shipping and Installation from Media.
• Create the media locally, and then copy ("burn") the installation media onto removable media, such as a portable disk drive, CD, or DVD, which can be shipped with the installation computer when it leaves the staging site, or it can be shipped separately.
• Create the media locally, and then transfer the installation media to the local hard drive of the workgroup computer before it leaves the staging site.
For information about the advantages and disadvantages of these methods, see Preparing a Server Computer for Shipping and Installation from Media.
The following best practices optimize data security and consistency when you add domain controllers in remote sites:
• Upgrade to Windows Server 2008. Windows Server 2008 includes an enhanced version of Ntdsutil.exe that you can use to create installation media, rather than using a restored system state backup as is required in Windows Server 2003. Ntdsutil.exe in Windows Server 2008 includes a new ifm command that creates installation media for additional domain controllers. The installation media that is created by this command contains only the items that are required for installing AD DS: the Ntds.dit database file and the registry. You can create media for a full (writable) installation of AD DS or for a read-only domain controller (RODC) installation. For the RODC installation, the ntdsutil ifm command creates secure installation media by removing secrets, such as passwords, from the Active Directory data. You create the media by using Volume Shadow Copy Service (VSS), taking a fraction of the time that is required to create a backup. For information about upgrading the forest to Windows Server 2008, see the AD DS Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=116253).
Note
On a domain controller that is running Windows Server 2008, you cannot restore a system state backup to an alternate location. Instead, use the ntdsutil ifm command to create installation media.
• Create media on the type of domain controller that you want to add. You must create installation media on the type of domain controller that you want to add. If you want to add a global catalog server in the remote site, run the ntdsutil ifm command on a global catalog server in the domain. If you want to add a DNS server, run the ntdsutil ifm command on a domain controller that is a DNS server in the domain.
• Take the same security precautions when you ship removable installation media, or a server computer that contains installation media, as you would when you ship an installed domain controller. Media for a full (writable) installation contains the domain's secrets, including password hashes. For information about securing domain controllers, see the Best Practice Guide for Securing Windows Server Active Directory Installations (http://go.microsoft.com/fwlink/?LinkId=28521).
• Minimize the time between media creation and installation. Minimizing this delay reduces the number of updates that will be required to replicate after installation.
• Install the operating system before you ship the server to the remote site. Installing the operating system requires expertise that might not be available at branch sites. Ideally, installation routines are available in the staging site to automate the operating system installation process and ensure uniformity for all domain controllers (partition sizes, drive letter assignments, and so on). As part of the operating system installation, apply a standardized set of hotfixes plus any available service packs to ensure service consistency throughout the forest.
• Ship the server as a member of a workgroup rather than a member server in a domain. If the server is joined to a domain and then stolen during shipment, information about domain names, DNS suffixes, and the number of domains in the forest can aid attackers in their attempts to compromise or steal directory data.
• Ship computers with properly configured IP, subnet mask, default gateway, and DNS server addresses. Remember to reconfigure the server with TCP/IP settings that are appropriate to the target site, not the staging site.
• Enable Remote Desktop on the server computer before shipping. This best practice assumes that you want to install and manage AD DS remotely rather than employing an administrator with Domain Admins credentials in each remote site.

Best practices for installing domain controllers before you ship them to a remote site
When you install AD DS in the hub or staging site, disconnect the installed domain controller, and then ship the computer to the remote site, you are disconnecting a viable domain controller from the replication topology. The most significant risk from disconnection is that the domain controller will remain offline long enough to exceed the tombstone lifetime and thereby become capable of retaining objects that have been permanently deleted from the directory on all other domain controllers in the domain. Such objects, called lingering objects, cause directory inconsistency, and, under certain conditions, they can be reintroduced into the directory. For information about the causes and effects of lingering objects and how to avoid them, see Known Issues for Adding Domain Controllers in Remote Sites.
The following best practices help ensure a smooth and secure disconnection and restart. For step-by-step procedures to perform all of these best practices, see Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection and Reconnecting a Domain Controller After a Long-Term Disconnection.
• Configure the tombstone lifetime appropriately. Ensure that the tombstone lifetime is not lowered below the default value. The default tombstone lifetime in a forest that is created on a domain controller running Windows 2000 Server or Windows Server 2003 is 60 days. The default tombstone lifetime in a forest that is created on a server running Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), Windows Server 2003 R2, or Windows Server 2008 is 180 days. If you must disconnect a domain controller for a period of several weeks or months, before you disconnect the domain controller, do the following:
  • Estimate the anticipated length of disconnection.
  • Determine the value of the tombstone lifetime for the forest. This value is stored in the tombstoneLifetime attribute of CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ForestRootDomain.
  • Determine the maximum length of time that the domain controller can be disconnected safely. From the tombstone lifetime number of days, subtract a generous estimate of the number of days that are required for end-to-end replication latency. The resulting amount of time is the maximum period for which the domain controller can be disconnected safely, without danger of expired deletions (tombstones) remaining on the domain controller.
  • Determine whether to extend the tombstone lifetime for the forest. If you estimate the maximum time of disconnection to be longer than the tombstone lifetime, you must determine whether to extend the tombstone lifetime or perform the procedure to remove lingering objects from the domain controller after it is reconnected. If you extend the tombstone lifetime, you must also make sure that all domain controllers have adequate disk space to store additional tombstones. In addition, make sure that replication of the tombstone lifetime change has reached all potential source domain controllers before you run Dcpromo to install an additional domain controller.
• Ensure that strict replication consistency is enabled on all domain controllers. Strict replication consistency is a registry setting that, when it is enabled, stops inbound replication of a directory partition from a source domain controller that is suspected of having a lingering object. Strict replication consistency should be enabled for the forest to prevent the reintroduction of a lingering object into the directory. You can use the repadmin /regkey command to enable this setting on a specific domain controller or on all domain controllers in the forest, as described in Enable Strict Replication Consistency.
• Monitor the Knowledge Consistency Checker (KCC) topology and replication to ensure that unintended long disconnections are detected. By monitoring replication, you can detect disconnections that occur as a result of network failures, service failures, or configuration errors. Use the Active Directory Management Pack or other monitoring application to implement a monitoring solution for your Active Directory deployment. Event IDs to monitor include 1311, 1388, 1925, 1988, 2042, 2087, and 2088.
• Ship computers with properly configured IP, subnet mask, default gateway, and DNS server addresses. Remember to reconfigure the server with TCP/IP settings that are appropriate to the target site, not the staging site.
• Prepare the registry for automatic nonauthoritative restore of SYSVOL when the domain controller restarts. This recommendation applies only when you use FRS to replicate SYSVOL. For FRS replication of SYSVOL, the nonauthoritative restore prevents the domain controller from having to reconcile and process deletions and modifications that took place from the time of the last SYSVOL update to the time that the domain controller is restarted in the new site, which improves synchronization time. For information about preparing for nonauthoritative restore of SYSVOL, see Prepare a domain controller for nonauthoritative SYSVOL restart (http://go.microsoft.com/fwlink/?LinkId=122531). This additional configuration is not required for Distributed File System (DFS) Replication of SYSVOL because DFS Replication processes updates differently.
• Ensure that the domain controller replicates successfully with all replication partners. Immediately before you disconnect the domain controller, force replication with its partners. Check that replication has succeeded before you disconnect the domain controller.
• Label the domain controller. When you disconnect the domain controller, attach a label to the computer that identifies the date and time of disconnection, the destination, and the IP settings.
• When you reconnect the domain controller, update SYSVOL as quickly as possible. The domain controller does not serve as a domain controller until SYSVOL has been updated through replication. If the site has one or more other domain controllers in the same domain, start the domain controller at any time. If the site contains no other domain controller in the same domain, time the restart of the domain controller to coincide with the beginning of intersite replication.
• To avoid time skew issues, ensure that the system clock is synchronized with the domain source on startup. When you start the domain controller in the remote site, use the following command to ensure that the domain controller uses the domain hierarchy to synchronize time:
w32tm /resync /computer:<PDCEmulatorHostName>
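The first four best practices in the list above are arithmetic and state checks that are easy to get wrong by hand: read the tombstone lifetime, subtract the latency allowance, confirm strict replication consistency on every domain controller, force and verify a final replication, and look for the listed event IDs. The following PowerShell is an added example that performs those checks before a domain controller is unplugged for shipping; it is not a procedure from the guide. It assumes the ActiveDirectory module and repadmin.exe (Windows Server 2012 or later for the cmdlets), Domain Admins rights, and that the Remote Registry service is reachable on the other domain controllers for the strict-consistency read. The planned offline time and latency allowance are placeholder values.

```powershell
# Added example (not from the guide). Run before disconnecting a DC for shipping.
# Assumes the ActiveDirectory module, repadmin.exe and Domain Admins rights.
param(
    [string] $DomainController       = $env:COMPUTERNAME,
    [int]    $PlannedOfflineDays     = 30,   # assumption: shipping + staging time at the remote site
    [int]    $ReplicationLatencyDays = 7     # assumption: generous end-to-end replication latency
)
Import-Module ActiveDirectory -ErrorAction Stop
$rootDse = Get-ADRootDSE -Server $DomainController

# 1. Tombstone lifetime. The attribute the guide names is absent on forests that still use
#    the original 60-day default, so treat "not set" as 60.
$dsObj = Get-ADObject -Server $DomainController -Properties tombstoneLifetime `
    -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$tsl         = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }
$maxSafeDays = $tsl - $ReplicationLatencyDays
"Tombstone lifetime $tsl days; maximum safe disconnection $maxSafeDays days; planned $PlannedOfflineDays days"
if ($PlannedOfflineDays -gt $maxSafeDays) {
    Write-Warning 'Planned disconnection exceeds the safe window: extend the tombstone lifetime before shipping, or plan a lingering-object cleanup on reconnection.'
}

# 2. Strict replication consistency on every writable DC in the forest. This is the registry
#    value that repadmin /regkey * +strict sets; read it directly rather than trusting a ticket.
$allDcs = (Get-ADForest).Domains | ForEach-Object { (Get-ADDomain -Identity $_).ReplicaDirectoryServers }
foreach ($dcName in $allDcs) {
    try {
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dcName)
        $val  = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters').GetValue('Strict Replication Consistency')
        "{0}: strict replication consistency {1}" -f $dcName, $(if ($val -eq 1) { 'enabled' } else { 'DISABLED' })
    } catch {
        "{0}: strict replication consistency unknown ({1})" -f $dcName, $_.Exception.Message
    }
}

# 3. Force a final replication with all partners (all partitions, cross-site, push) and
#    refuse to call the DC safe while any partner still reports failures.
repadmin /syncall $DomainController /AdeP | Out-Null
$failing = @(Get-ADReplicationFailure -Target $DomainController -ErrorAction SilentlyContinue)
if ($failing.Count -gt 0) {
    $failing | Format-Table Partner, FailureCount, FirstFailureTime, LastError -AutoSize
    Write-Warning "Do not disconnect $DomainController until these replication failures are cleared."
} else {
    "All partitions on $DomainController replicated successfully; safe to disconnect."
}

# 4. The event IDs the guide says to monitor, from the last 7 days, so an existing problem
#    is not mistaken later for one caused by the disconnection.
$watch = 1311, 1388, 1925, 1988, 2042, 2087, 2088
Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Directory Service'; Id = $watch; StartTime = (Get-Date).AddDays(-7) } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

Record the script's output together with the label the guide asks you to attach to the computer; the date and time of the last successful replication is what you will compare against the tombstone lifetime when the domain controller is reconnected.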

See Also
Known Issues for Adding Domain Controllers in Remote Sites
Preparing a Server Computer for Shipping and Installation from Media
Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection
Reconnecting a Domain Controller After a Long-Term Disconnection

Known Issues for Adding Domain Controllers in Remote Sites
Review the following known issues before adding domain controllers in remote sites. You can use the information in this section to determine the method for adding domain controllers in remote sites that is best for your environment. Each method has advantages and disadvantages that are described in this section.


Important
Do not attempt to perform actions based only on the recommendations in this topic. Step-by-step guidance is provided in the task-based topics in this section for all actions that are recommended in this topic. Follow the links in this topic to the related task-based topics.
You can use the following methods to add domain controllers in remote sites:
• Ship the workgroup computer to the remote site, and then use the install from media (IFM) method to install Active Directory Domain Services (AD DS) on that computer. IFM uses previously prepared installation media as the source for the installation of AD DS in the remote site, avoiding replication from a source domain controller.
• Install AD DS in the hub site by using the normal Dcpromo method or the IFM method, and then ship the installed domain controller to the remote site.
SYSVOL replication issues potentially affect both methods.

SYSVOL replication
SYSVOL is a shared folder that stores files that must be available and synchronized among all domain controllers in a domain. SYSVOL contains Net Logon scripts, Group Policy settings, and either File Replication Service (FRS) or Distributed File System (DFS) Replication staging directories and files, depending on the replication method in use for replicating DFS folders. Replication of the SYSVOL folder is required for AD DS to function properly.
The primary focus for both methods of installing additional domain controllers in remote sites is to avoid the replication of AD DS over a wide area network (WAN) between the remote site and the hub site. Each method accomplishes this goal. However, depending on the size of your SYSVOL, you might also be concerned about replication of SYSVOL files over the network. When you use the IFM method to install a domain controller, SYSVOL is replicated from a domain controller in the domain unless you perform preliminary procedures. For information about using installation media as the source for SYSVOL during IFM installation of AD DS when you use DFS Replication to replicate SYSVOL, see Planning and Deploying Read-Only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=120540). If you use FRS to replicate SYSVOL, see article 311078 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=70509).

Using IFM to install a domain controller in a remote site
On domain controllers that are running Windows Server 2008, the Ntdsutil command-line tool is improved to include a new command for creating installation media. The method for using IFM to install domain controllers includes the following general steps:
1. Use the Ntdsutil ifm command to create installation media from an up-to-date domain controller in the domain. If you want the additional domain controller to be a global catalog server, create the media on a global catalog server. If you want the additional domain controller to be a Domain Name System (DNS) server, create the media on a DNS server.
2. When you create additional domain controllers in the domain, you can refer to the shared folder or removable media where you store the installation media as follows: on the Install from Media page in the Active Directory Domain Services Installation Wizard or by using the /ReplicationSourcePath parameter during an unattended installation.
As an alternative, you can create installation media by using Wbadmin.exe to restore a critical-volumes backup to an alternate location. However, the Ntdsutil method is more efficient because you eliminate the restore process, which adds time and effort to the installation process.
Note
In Windows Server 2008, you cannot restore a system state backup to a network shared folder.

Advantages of using IFM to install a domain controller in a remote site
The following advantages are associated with using IFM to install a domain controller in a remote site:
• You can install many domain controllers from a single source of installation media.
• You do not have to disconnect a functioning domain controller from the replication topology. Therefore, you can avoid the disadvantages that are associated with a domain controller that does not replicate. For information about the problems that are associated with domain controller disconnection, see Issues with Installing Domain Controllers Before Shipping Them to the Remote Site.
• You avoid replicating AD DS over a WAN link, particularly a link that requires a dial-up connection.
• If you enable Remote Desktop on the server before you ship it, you do not have to employ an administrator with Domain Admins credentials in the remote site. You can also use Remote Server Administration Tools (RSAT) to manage AD DS remotely. You can install the tools on a member server that is running Windows Server 2008 or on a workstation that is running Windows Vista with Service Pack 1 (SP1). For information about installing these tools, see Installing Remote Server Administration Tools for AD DS.
Note
If you do not need a writable domain controller in a remote site, you can install a read-only domain controller (RODC) in the remote site. RODCs do not require Domain Admins credentials for local administration. For information about using RODCs in remote sites, see Planning and Deploying Read-Only Domain Controllers (http://go.microsoft.com/fwlink/?LinkID=120709).

Issues with using IFM to install a domain controller in a remote site
The following issues are associated with using IFM to install a writable domain controller in a remote site:
• Domain Admins credentials and remote installation. If you install a writable domain controller, an administrator must have Domain Admins credentials to install AD DS. Assuming that you do not employ a service administrator with this level of administrative credentials in each branch site, a domain administrator in the hub site must be able to connect remotely to the server to perform the installation. Therefore, you must enable Remote Desktop on the server before you ship it to the remote site.
• Bridgehead server load balancing. If installation media are sent to many sites and if enough domain controllers are promoted at the same time, you might experience performance issues with the bridgehead servers that are the source for Active Directory and SYSVOL replication.
Note
These issues are of concern only in situations in which hundreds of domain controllers might be promoted at the same time and FRS is the SYSVOL replication system. If you are deploying hundreds of writable domain controllers in branch sites, see the Windows Server 2003 Active Directory Branch Office Guide (http://go.microsoft.com/fwlink/?LinkId=42506). If you are installing RODCs in branch sites, see Planning and Deploying Read-Only Domain Controllers (http://go.microsoft.com/fwlink/?LinkID=120540).
• SYSVOL replication. Whether you use DFS Replication or FRS to replicate SYSVOL, replication of the full SYSVOL occurs if you do not perform preliminary preseeding procedures, as described in article 311078 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=70509) for SYSVOL that is replicated by FRS, and in Planning and Deploying Read-Only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=120540) for SYSVOL that is replicated by DFS Replication. When you install AD DS without this additional preparation, the SYSVOL data in the installation media is deleted and SYSVOL is generated by replication. Because FRS on the source computer uses CPU, memory, and disk resources, the FRS recommendation is to perform a staged update on no more than 10 branch office domain controllers at a time for a single source hub domain controller. If a single domain controller functions as the source for SYSVOL replication to more than 10 destination domain controllers, performance on the source domain controller can decrease significantly. To balance source domain controllers, you can use an answer file with Dcpromo to specify the source domain controller.
Note
When you use DFS Replication to replicate SYSVOL, these conditions are not an issue. For information about performing a staged installation of RODCs, see Planning and Deploying Read-Only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=120540).


Installing domain controllers before shipping them to the remote site
When you install a domain controller and then disconnect it from the network for a period of time, you interrupt the normal activities of other domain controllers on the network. This interruption creates error conditions that result from various failed operations, such as attempts to replicate with the disconnected domain controller. As long as you are aware of the issues that disconnections cause, you can take steps to ensure smooth disconnection and reconnection.

Advantages of installing domain controllers before shipping them to the remote site
The following advantages are associated with installing domain controllers before you ship them to the remote site:
• Standardization: The process for installing domain controllers can be automated and standardized in the hub or staging site, with the one additional step of packing and shipping the domain controller. If you follow the instructions in this guide for safe disconnection and reconnection, restarting the domain controller in the remote site is all that is required.
• Branch site personnel: The requirement for personnel with Domain Admins credentials is limited to the hub site.

Issues with installing domain controllers before shipping them to the remote site
The following issues are associated with installing domain controllers and then disconnecting them from the network while they are shipped to the remote site:
• Disconnection error conditions: After disconnection, online domain controllers in the domain continue to attempt replication with the disconnected domain controller, causing AD DS and SYSVOL replication errors to be generated for as long as the domain controller is disconnected.
• Additional preparation: Additional preparation is required to ensure smooth reconnection:
  • Preparing for the nonauthoritative restart of SYSVOL. To avoid full replication of SYSVOL, you can take steps to ensure that only SYSVOL updates are replicated when the domain controller starts in the branch site.
  • Ensuring an adequate tombstone lifetime to avoid the possibility of objects remaining on the domain controller that have been permanently deleted from the directory on all other domain controllers. The tombstone lifetime is a forest-wide setting that determines how long an object deletion persists in the directory.
• Protection of existing accounts and metadata: You must ensure that computer accounts and metadata for the domain controller are not deleted or improperly modified while the domain controller is disconnected.


• Risk of lingering objects: A lingering object is an object that remains on a disconnected domain controller after the object has been permanently deleted from AD DS on all connected domain controllers. Deletion updates are replicated as tombstone objects. These objects have a limited lifetime in AD DS, which is defined by the tombstone lifetime. After a tombstone is permanently removed from Active Directory, replication of the deletion that it represented is no longer possible. Therefore, if you restart a domain controller on which such an object remains, replication does not recognize that object as a deleted object, and the object remains in AD DS on only the reconnected domain controller and nowhere else. If you plan to disconnect a domain controller for longer than the period of time that a domain controller keeps track of object deletions (the tombstone lifetime), you must take additional steps to ensure directory consistency.
Caution
The default value for the tombstone lifetime is 180 days. In this case, the risk is remote if the tombstone lifetime is not changed. However, because the tombstone lifetime value can be changed administratively and because the risk has such significant consequences, you should always check the tombstone lifetime setting.
For more information about lingering objects and their causes and effects, see Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042) (http://go.microsoft.com/fwlink/?LinkId=120797).

Maintaining directory consistency when you disconnect a domain controller
Maintaining consistency of Active Directory data involves several related issues. Review the following known issues before you disconnect an installed domain controller:
• Protection against lingering object replication
• Availability of operations master roles in the domain and forest
• Up-to-dateness of Active Directory replication at the time of disconnection
• SYSVOL consistency at reconnection

For procedures to ensure that all of these issues are resolved, see the following topics:
• Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection
• Reconnecting a Domain Controller After a Long-Term Disconnection

Protection against lingering object replication
Domain controllers that have not performed inbound replication in the number of days equal to the previous tombstone lifetime are vulnerable to retaining lingering objects. If a domain controller that has one or more lingering objects is reconnected to the replication topology and a lingering object is subsequently updated on that domain controller, the object might be recreated in AD DS, depending on how the strict replication consistency registry setting is configured. A lingering object is made known to the replication system only if it is updated on the domain controller that stores it. In this case, the source domain controller attempts replication of an update to an object that the destination does not store.

The Strict Replication Consistency registry entry (type REG_DWORD) in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters determines whether replication is allowed to proceed if the domain controller receives a request for an update to an object that it does not have. The value in the Strict Replication Consistency registry entry determines whether replication proceeds or is stopped, as follows:
• 1 (enabled): Inbound replication of the specified directory partition from the source is stopped on the destination domain controller. Replication of the directory partition is stopped on both the source and destination domain controllers.
• 0 (disabled): The destination requests the full object from the source domain controller, and the destination domain controller reanimates a full copy of an object that it has previously deleted and permanently removed through garbage collection.
The default value of the Strict Replication Consistency registry entry is 1 on domain controllers that are running Windows Server 2003, Windows Server 2003 R2, and Windows Server 2008. If you are in doubt as to whether strict replication consistency is in effect, you can use the Repadmin command-line tool to set replication consistency to Strict for all domain controllers in the forest. If you have domain controllers that are running Windows 2000 Server, update these domain controllers to Windows Server 2008.

Availability of operations masters
If you disconnect a domain controller from the network, you must ensure that it is not holding any operations master roles for the domain or forest. Check the domain controller for any operations master roles and, if you find any, transfer the roles before you disconnect the domain controller.

Up-to-dateness of Active Directory replication
Ensure that a domain controller is updated before you disconnect it. Immediately before you disconnect the domain controller, force replication with all replication partners and verify that each directory partition replicates to the domain controller that you are disconnecting. If replication of any directory partition does not succeed, resolve the replication problem before you disconnect the domain controller. By ensuring that replication is up to date, you can maximize the possible safe disconnection period, which cannot exceed the tombstone lifetime for the forest.

SYSVOL consistency
When you use DFS Replication for SYSVOL replication, and you restart the domain controller in the new site, DFS Replication updates SYSVOL by processing the latest changes from the source domain controller. To ensure that SYSVOL is updated as quickly as possible, time the restart of the domain controller with the intersite replication schedule.

When you use FRS for SYSVOL replication, in addition to timing the restart according to the replication schedule, preparation might be necessary to avoid an extended period of latency when SYSVOL is updated. When you restart a domain controller without this preparation, FRS reconciles and processes all deletions and modifications that took place from the time of the last SYSVOL update to the time that the domain controller is restarted in the new site. If you have a large SYSVOL, you can avoid this extra processing and replication time by preparing the domain controller for nonauthoritative SYSVOL restore before you ship the domain controller. For information about preparing the domain controller for nonauthoritative SYSVOL restore, see Prepare a domain controller for nonauthoritative SYSVOL restart (http://go.microsoft.com/fwlink/?LinkID=122831).

See Also
Preparing a Server Computer for Shipping and Installation from Media
Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection
Reconnecting a Domain Controller After a Long-Term Disconnection

Preparing a Server Computer for Shipping and Installation from Media
The specific guidelines for installing Active Directory Domain Services (AD DS) from installation media are provided in the topic Installing an Additional Domain Controller by Using IFM. Be sure to read that topic before you perform the procedures that are specified in this section. To prepare for an IFM installation, perform the following tasks:
• Determine the type of domain controller that you want to install. Identify a domain controller that is suitable for creating the media according to whether you are creating an additional domain controller that is a global catalog server, a Domain Name System (DNS) server, both, or neither. You must create the installation media on the same type of domain controller that you want to create.
• Determine whether to create the installation media in a shared folder on the computer that will be installed or use removable media to ship the installation media separately from the computer. If you will create the media in a shared folder on the installation server, do the following:
  • Determine the volume on which to create the media. See the criteria in "Determine the volume for installation media" in this topic.
  • Create a shared folder on the server and map a network drive to the folder on the domain controller that you are using to create the media.
• Install the operating system on the server computer. This task is best performed in the hub site where administrative personnel are available.
• Enable Remote Desktop on the server before you ship it.
• If you want to include application directory partitions on the domain controller, prepare an answer file that contains the location of the installation media and the application directory partitions.
• Determine the volume on which to store the installation media on the installation server. This location affects SYSVOL replication after the installation of AD DS.

Determining the volume for installation media
The volume on which you store the installation media has implications for SYSVOL files. If you plan to perform additional, preliminary procedures to ensure that the installation media is the source for SYSVOL on the installation server, the installation media must be stored on the same volume that you specify during Active Directory installation to host the SYSVOL tree. If you do not store the installation media on the volume where SYSVOL is to be hosted, SYSVOL is replicated to the new domain controller, regardless of whether you perform the additional, preliminary procedures. Use the following references for information about ensuring that SYSVOL is not replicated during IFM:
• For information about how to ensure that the installation media is used as the source for SYSVOL when you are using FRS to replicate SYSVOL, see "Seeding the SYSVOL tree from restored files during IFM promotion" in article 311078 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=70809).
• For information about how to ensure that the installation media is used as the source for SYSVOL when you are using Distributed File System (DFS) Replication to replicate SYSVOL, see Planning and Deploying Read-Only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=120840).
To assess the effect of SYSVOL replication, as opposed to additional configuration that is required to ensure that the installation media is used as the source for SYSVOL, test both processes in a lab environment that mirrors your production environment in terms of wide area network (WAN) speed and replication latency.
Note
We recommend that you deploy at least two domain controllers in each domain for the purposes of redundancy and failover.

Enabling Remote Desktop
You can use Remote Desktop to connect to the domain controller and manage it remotely. Remote Desktop is disabled by default in Windows Server 2008. To install AD DS, you must have Domain Admins credentials in the domain into which you are adding the domain controller. This level of service administration may not be available in the remote site. In any case, you will probably want to be able to install and manage the domain controller from the hub site.

Including application directory partitions
If you want application directory partitions to be included in the installation, you must use an answer file to perform the IFM installation and include the /ApplicationPartitionsToReplicate parameter in the answer file. When you perform an unattended installation, Dcpromo uses the answer file for installation instructions, including the location of installation media and application directory partitions.

Task requirements
The following tools are required to complete this task:
• Ntdsutil.exe
• System Control Panel
• Dcpromo.exe

To complete this task, perform the following procedures:
1. Create Installation Media by Using Ntdsutil. Before you perform this procedure, see Installing an Additional Domain Controller by Using IFM. Perform this procedure on a domain controller that is the type of domain controller that you want to create (for example, a global catalog server or a DNS server). Specify removable media or a shared folder on the installation server as the location for the installation media.
2. Enable Remote Desktop on the installation server.
3. Ship the installation server and any prepared removable media and answer file to the remote site. Ship these items separately and securely.
When the server is running in the remote site, install the domain controller as follows:
1. Create a Remote Desktop Connection to the remote server.
2. Install an Additional Domain Controller by Using Installation Media. When the domain controller restarts after installation, the Remote Desktop Connection is dropped. After the installed domain controller restarts, you must reconnect by using Remote Desktop Connection.

See Also
Installing an Additional Domain Controller by Using IFM

Enable Remote Desktop
You can use this procedure to enable Remote Desktop on the server that you are installing as a domain controller so that service administrators can manage the domain controller remotely. Remote Desktop is disabled by default in Windows Server 2008. You can enable Remote Desktop on the Windows Server 2008 server directly, or you can enable it remotely from another server or workstation computer.

Membership in local Administrators, or equivalent, is the minimum required to complete these procedures if Active Directory Domain Services (AD DS) is not installed. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure if AD DS is installed. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To enable Remote Desktop locally by using Server Manager
1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.
2. In Computer Information, click Configure Remote Desktop.
3. In the System Properties dialog box, under Remote Desktop, click one of the following options:
  • Allow connections from computers running any version of Remote Desktop (less secure). Use this option if you do not know the version of Remote Desktop Connection that will be used to connect to this server.
  • Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure). Use this option if you know that the users who will connect to this server are running Windows Vista or Windows Server 2008.
4. Review the information in the Remote Desktop dialog box, and then click OK twice.

To enable Remote Desktop remotely by using the registry
1. On any computer that is running a version of Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows XP Professional, or Windows Vista, open Regedit as an administrator. To open Regedit as an administrator, click Start, and then, in Start Search, type regedit. At the top of the Start menu, right-click regedit, and then click Run as administrator. In the User Account Control dialog box, provide Domain Admins credentials, and then click OK.
2. On the File menu, click Connect Network Registry.
3. In the Select Computer dialog box, under Enter the object name to select, type the computer name, and then click Check Names.
4. After the computer name resolves, click OK.
5. In the computer node that appears in the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server.
6. In the console tree, click Terminal Server, and then, in the details pane, double-click fDenyTSConnections.
7. In the Edit DWORD Value box, in Value data, type 0, and then click OK. This value enables connections at the level that allows connections from computers running any version of Remote Desktop.
8. To implement the change, restart the server remotely, as follows:
  • Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. In the User Account Control dialog box, provide Domain Admins credentials, and then click OK.
  • At the command prompt, type the following command, and then press ENTER:

shutdown /m \\<DomainControllerName> /r

Value                           Description
/m \\<DomainControllerName>     The name of the computer to be shut down or restarted.
/r                              Shuts down and then restarts the computer.
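The registry procedure above (fDenyTSConnections under Terminal Server, then a remote restart), done from PowerShell through the Remote Registry service, as an added example that is not part of the guide. It assumes the Remote Registry service is running on the target and that you hold Domain Admins or local Administrators rights there; the UserAuthentication value under WinStations\RDP-Tcp, which this example uses for the "more secure" Network Level Authentication option, is not mentioned on the page, and the computer name is a placeholder.

```powershell
# Added example, not from the guide: enable Remote Desktop on a remote server by
# editing the same registry values the Regedit procedure edits, then read them back.
$TerminalServerKey = 'SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcpKey         = "$TerminalServerKey\WinStations\RDP-Tcp"   # holds the NLA switch (assumption)

function Get-RemoteDesktopState([string]$ComputerName) {
    # Read-only audit: fDenyTSConnections 1 = RDP off; UserAuthentication 1 = NLA required.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $ts  = $hklm.OpenSubKey($TerminalServerKey)
        $rdp = $hklm.OpenSubKey($RdpTcpKey)
        New-Object PSObject -Property @{
            ComputerName    = $ComputerName
            RemoteDesktopOn = ($ts.GetValue('fDenyTSConnections') -eq 0)
            NlaRequired     = ($rdp.GetValue('UserAuthentication') -eq 1)
        }
    } finally { $hklm.Close() }
}

function Enable-RemoteDesktop([string]$ComputerName, [switch]$RequireNla, [switch]$Restart) {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        # Step 7 of the procedure: 0 allows connections from any version of Remote Desktop.
        $ts = $hklm.OpenSubKey($TerminalServerKey, $true)
        $ts.SetValue('fDenyTSConnections', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        if ($RequireNla) {
            # Same effect as the "more secure" Server Manager option: only clients that
            # support Network Level Authentication (Windows Vista / Server 2008 and later).
            $rdp = $hklm.OpenSubKey($RdpTcpKey, $true)
            $rdp.SetValue('UserAuthentication', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
        }
    } finally { $hklm.Close() }

    # Read the values back before the restart so the change is confirmed in the output.
    Get-RemoteDesktopState $ComputerName

    if ($Restart) {
        # Step 8 of the procedure: restart the server remotely to implement the change.
        & shutdown.exe /m "\\$ComputerName" /r
    }
}

# Usage (placeholder name): audit first, then enable with NLA and restart.
Get-RemoteDesktopState 'BRANCH-DC01'
Enable-RemoteDesktop -ComputerName 'BRANCH-DC01' -RequireNla -Restart
```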

Create a Remote Desktop Connection
If Remote Desktop is enabled on a server, you can use this procedure to create a new Remote Desktop Connection to connect to the server and manage it remotely. Remote Desktop is disabled by default in Windows Server 2003, Windows Server 2003 R2, and Windows Server 2008 operating systems.

Membership in Remote Desktop Users, or equivalent, is the minimum required to complete this procedure. If the remote computer is a domain controller, you must have the Allow Logon Locally right applied in the Default Domain Controllers Policy. Members of Account Operators, Administrators, Enterprise Admins, Domain Admins, Backup Operators, Print Operators, and Server Operators have the user right to log on locally to a domain controller by default. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To create a new Remote Desktop Connection
1. On the Start menu, point to Programs or All Programs, click Accessories, and then click Remote Desktop Connection.
2. In Computer, type a computer name or IP address, and then click Connect.
3. In the Windows Security dialog box, type your password, and then click OK. If you are not logged on with an account that is a member of Remote Desktop Users, or equivalent, click Use another account, and then provide credentials for the appropriate account.

See Also
Enable Remote Desktop


Install an Additional Domain Controller by Using Installation Media
You can use this procedure to install Active Directory Domain Services (AD DS) from media. You can use the install from media (IFM) method to create an additional domain controller in an existing domain. When you create an additional domain controller in the domain, you can specify sourcing the installation from the shared folder or removable media where you created the installation media by using one of the following methods:
• Windows interface: Provide the location on the Install from Media page in the Active Directory Domain Services Installation Wizard.
• Unattended installation: Use the /ReplicationSourcePath parameter in the answer file for an unattended installation.
• Command line: Use the /ReplicationSourcePath unattend parameter at the command line.

Membership in the Domain Admins group in the domain into which you are installing the additional domain controller, or the equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To install AD DS from IFM media by using the Windows interface
1. Use the procedure Install an Additional Domain Controller by Using the Windows Interface. In step 8, select Use advanced mode installation.
2. In step 15, select the install from media option and provide the location of the installation media.
3. Complete the remaining pages of the Active Directory Domain Services Installation Wizard.
4. After the installation operation completes successfully and the computer is restarted, remove the folder that contains the IFM media from the local disk.

To install AD DS from IFM media by using an answer file
1. Create an answer file by using one of the following methods:
  • During the procedure Install an Additional Domain Controller by Using the Windows Interface, select the Export settings option to save the installation settings to a file. This file is an answer file that you can use to install an additional domain controller in the same domain.
  • Use the procedure Create an Answer File for Unattended Domain Controller Installation to create an answer file. Include the /ReplicationSourcePath parameter to specify the location of the IFM media.
2. Use the procedure Install an Additional Domain Controller by Using an Answer File to install AD DS.

To install AD DS from IFM media by using unattend parameters from the command line
1. Use the procedure Install an Additional Domain Controller by Using Unattend Parameters from the Command Line to install AD DS.
2. During the procedure, use the /ReplicationSourcePath parameter to specify the location of the IFM media.

See Also
Preparing for Active Directory Installation
Verifying Active Directory Installation

Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection
When you ship a domain controller to a remote site, you must disconnect it from the network and, consequently, from the replication topology. If a domain controller must be separated from the replication topology for a period of time that might be longer than a tombstone lifetime, you must take preliminary steps to ensure a smooth reconnection. Otherwise, it is possible that a long-term disconnection can result in a deleted object being reintroduced into the directory. Such deleted objects, when they are retained on a domain controller that has been disconnected for a period that is longer than a tombstone lifetime, are called "lingering objects." Lingering objects that are security principals, such as users or groups, can cause problems with Active Directory searches and e-mail delivery. Lingering objects can also jeopardize security if a user is allowed access to a resource by virtue of membership in a group that has been deleted. For more information about lingering objects, see "Maintaining Directory Consistency When Disconnecting a Domain Controller" in Known Issues for Adding Domain Controllers in Remote Sites.

By taking preliminary precautions, you can ensure that long-term disconnections do not result in directory inconsistency from lingering objects.

Task requirements
The following tools are required to perform the procedures for this task:
• ADSI Edit
• Ntdsutil.exe
• Active Directory Users and Computers
• Active Directory Schema
• Active Directory Domains and Trusts
• Repadmin.exe

To complete this task, perform the following procedures:
1. Determine the anticipated length of the disconnection.
2. Determine the Tombstone Lifetime for the Forest.
3. Determine the maximum safe-disconnection period by subtracting a generous estimate of the end-to-end replication latency from the tombstone lifetime. Either find the latency estimate in the design documentation for your deployment or request the information from a member of your design or deployment team.
  • If the anticipated time of disconnection exceeds the maximum safe-disconnection period, make a decision about whether to extend the tombstone lifetime. To change the tombstone lifetime, see Determine the Tombstone Lifetime for the Forest and change the value in the tombstoneLifetime attribute.
  • If the estimated time of disconnection does not exceed the maximum safe-disconnection time, proceed with preparations for disconnection.
4. View the Current Operations Master Role Holders to determine whether the domain controller is an operations master role holder.
5. Transfer the Domain-Level Operations Master Roles, if appropriate.
6. Transfer the Schema Master, if appropriate.
7. Transfer the Domain Naming Master, if appropriate.
8. If you use File Replication Service (FRS) to replicate SYSVOL, you can decrease the time required to update SYSVOL when the domain controller is restarted by performing a preliminary registry update on the server. For instructions, see Prepare a domain controller for nonauthoritative SYSVOL restart (http://go.microsoft.com/fwlink/?LinkID=122831). This procedure is not necessary if you use Distributed File System (DFS) Replication.
9. Enable Strict Replication Consistency, if necessary. If strict replication consistency is not enabled on the domain controller that you are disconnecting, use this command-line procedure to enable strict replication consistency on specific domain controllers or on all domain controllers in the forest.
10. Synchronize Replication with All Partners. Update the domain controller with the latest changes just before you disconnect it.
11. Verify Successful Replication to a Domain Controller for the domain controller that you are disconnecting.
12. Label the domain controller with the date and time of disconnection and the maximum safe-disconnection period.

See Also
Known Issues for Adding Domain Controllers in Remote Sites
Managing Operations Master Roles
Managing DFS-Replicated SYSVOL
Reconnecting a Domain Controller After a Long-Term Disconnection


Determine the Tombstone Lifetime for the Forest
The tombstone lifetime in an Active Directory forest determines how long a deleted object (called a "tombstone") is retained in Active Directory Domain Services (AD DS). The tombstone lifetime is determined by the value of the tombstoneLifetime attribute on the Directory Service object in the configuration directory partition. You can use this procedure to determine the tombstone lifetime for the forest.

Membership in Domain Users, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To determine the tombstone lifetime for the forest
1. Click Start, point to Administrative Tools, and then click ADSI Edit.
2. In ADSI Edit, right-click ADSI Edit, and then click Connect to.
3. For Connection Point, click Select a well known Naming Context, and then click Configuration.
4. If you want to connect to a different domain controller, for Computer, click Select or type a domain or server: (Server | Domain [:port]). Provide the server name or the domain name and Lightweight Directory Access Protocol (LDAP) port (389), and then click OK.
5. Double-click Configuration, CN=Configuration,DC=ForestRootDomainName, CN=Services, and CN=Windows NT.
6. Right-click CN=Directory Service, and then click Properties.
7. In the Attribute column, click tombstoneLifetime.
8. Note the value in the Value column. If the value is "not set", the default value is in effect as follows:
  • On a domain controller in a forest that was created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), Windows Server 2003 R2, or Windows Server 2008, the default value is 180 days.
  • On a domain controller in a forest that was created on a domain controller running Windows 2000 Server or Windows Server 2003, the default value is 60 days.

Enable Strict Replication Consistency
You can use this procedure to ensure that strict replication consistency is enabled in the forest. This setting prohibits replication of outdated Active Directory objects. If you disconnect a domain controller from the replication topology for an extended period and then reconnect it, this setting ensures that no outdated objects are reintroduced into Active Directory Domain Services (AD DS).

To determine whether strict replication consistency is enabled, use the regedit command to view the registry on a domain controller. The setting for replication consistency is stored in the registry in the Strict Replication Consistency entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters. Values for this entry are as follows:
• Value: 1 (0 to disable)
• Default: 1 (enabled) in a new Windows Server 2003 or Windows Server 2008 forest; otherwise 0.
• Data type: REG_DWORD
If the value is 0, use the following procedure to change the value to 1 on a specific domain controller or on all domain controllers.

Membership in the Domain Admins group in the domain, or equivalent, is the minimum required to complete this procedure on a single domain controller. Membership in the Enterprise Admins group in the forest, or equivalent, is the minimum required to complete this procedure on all domain controllers. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To enable strict replication consistency
1. Open a command prompt, type the following command, and then press ENTER:

repadmin /regkey <DC_LIST> {+|-}<key>


5alue

Description

repadmin ,regkey

1nables and disables the values for the follo%ing t%o registr entries under "(.2B+OCA+B)AC"IN.CS2S .)CCurrent Control SetCServicesCN DSC%arameters: • Strict replication consistency • Allow replication with divergent and corrupt partner

SDCI+'STT

The name of a single domain controller& 4r( use S to appl the change to all domain controllers in the forest& =or the domain controller name( ou can use the Domain 9ame S stem "D9S# name( the distinguished name of the domain controller computer ob,ect( or the distinguished name of the domain controller server ob,ect& L to enable and - to disable( and /ey is strict& =or e-ample( Lstrict enables strict replication consistenc W -strict disables it&

`]\/aS0e T

2& *epeat step 6 for ever domain controller on %hich ou %ant to enable strict replication consistenc & Note =or more naming options and information about the s nta- of the the command prompt( t pe repadmin /"ist&e"p&
<D5E46!T>

parameter( at
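The guide checks the value with regedit on one domain controller at a time. The following PowerShell function is an added example, not code from the guide: it reads the Strict Replication Consistency entry (and the related Allow Replication With Divergent and Corrupt Partner entry) from several domain controllers through the Remote Registry service and prints the repadmin /regkey command for every DC where strict consistency is off. It assumes Domain Admins rights (Enterprise Admins for all DCs) and that the Remote Registry service is reachable on each DC; the server names in the usage lines are constructed samples.

```powershell
# Added example (not from the guide): audit Strict Replication Consistency on
# several DCs through the Remote Registry service and emit the repadmin
# command for each DC that still has it disabled.

function Get-StrictReplicationConsistency {
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $DomainController
    )

    $subKey = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    foreach ($dc in $DomainController) {
        $result = [ordered]@{
            DomainController             = $dc
            StrictReplicationConsistency = $null
            AllowDivergentPartner        = $null
            Enabled                      = $false
            Error                        = $null
        }
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $dc)
            $key = $hklm.OpenSubKey($subKey)
            if ($null -eq $key) { throw "subkey $subKey not found" }
            # GetValue returns $null when the entry is absent. The guide's default
            # then depends on how old the forest is, so an absent entry is reported
            # as-is rather than guessed.
            $result.StrictReplicationConsistency = $key.GetValue('Strict Replication Consistency')
            $result.AllowDivergentPartner        = $key.GetValue('Allow Replication With Divergent and Corrupt Partner')
            $result.Enabled = ($result.StrictReplicationConsistency -eq 1)
            $key.Close()
            $hklm.Close()
        } catch {
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

# Usage: report the DCs that still need +strict together with the exact command.
$dcs = @('dc1.corp.example', 'dc2.corp.example')   # constructed sample names
Get-StrictReplicationConsistency -DomainController $dcs |
    Where-Object { -not $_.Enabled } |
    ForEach-Object {
        if ($_.Error) {
            '{0}: registry not readable ({1})' -f $_.DomainController, $_.Error
        } else {
            '{0}: value={1}; run: repadmin /regkey {0} +strict' -f $_.DomainController, $_.StrictReplicationConsistency
        }
    }
```

A DC whose registry cannot be read is reported separately from a DC that has the value set to 0, so an unreachable Remote Registry service is not mistaken for a disabled setting.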

Synchronize Replication with All Partners
You can use this procedure to synchronize replication with all replication partners of a domain controller. Membership in Enterprise Admins in the forest or Domain Admins in the forest root domain, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To synchronize replication with all partners
1. At a command prompt, type the following command, and then press ENTER:

repadmin /syncall <DomainControllerName> /e /d /A /P /q

Value / Description

repadmin /syncall
    Synchronizes a specified domain controller with all replication partners.

<DomainControllerName>
    The Domain Name System (DNS) name of the domain controller on which you want to synchronize replication with all partners.

/e
    Enterprise; includes partners in all sites.

/d
    Identifies servers by their distinguished names in messages.

/A
    All; synchronizes all directory partitions that are held on the home server.

/P
    Pushes changes outward from the home server.

/q
    Runs in quiet mode; suppresses callback messages.

2. Check for replication errors in the output of the command in the previous step. If there are no errors, replication is successful. For replication to complete, any errors must be corrected.

See Also
Verify Successful Replication to a Domain Controller

Reconnecting a Domain Controller After a Long-Term Disconnection
Assuming that a domain controller has not been disconnected for longer than the maximum safe period for disconnection (the tombstone lifetime minus end-to-end replication latency), reconnecting the domain controller to the replication topology requires no special procedures. By default, the Knowledge Consistency Checker (KCC) on a domain controller runs five minutes after the domain controller starts, automatically incorporating the reconnected domain controller into the replication topology.

Reconnecting an outdated domain controller
If you plan appropriately for disconnecting and reconnecting domain controllers, no domain controller will be disconnected from the replication topology for longer than a tombstone lifetime. However, if unexpected events result in a domain controller becoming outdated, you can perform a procedure to safely remove lingering objects. If the disconnected domain controller is running Windows Server 2003 or Windows Server 2008 and an authoritative domain controller running Windows Server 2003 or Windows Server 2008 is available in this site or a neighboring site, reconnect the domain controller and immediately follow the instructions in Use Repadmin to Remove Lingering Objects. The following conditions require using a different method of removing lingering objects:
• The disconnected domain controller is running Windows Server 2003 or Windows Server 2008, but no other authoritative domain controller running Windows Server 2003 or Windows Server 2008 is available in the domain: Reconnect the domain controller, and follow the instructions in article 314282 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=119208).
• The disconnected domain controller is running Windows 2000 Server, and no other domain controller is available in the domain: If you want to recover the domain, reconnect the domain controller, and follow the instructions in article 314282 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=37924).
• The disconnected domain controller is running Windows 2000 Server, and another domain controller is available in the domain: Do not reconnect the domain controller. Instead, force Active Directory removal on the disconnected domain controller, perform metadata cleanup, and then reinstall Active Directory. To complete these tasks, follow the instructions in Forcing the Removal of a Domain Controller and Installing a Domain Controller in an Existing Domain.

Updating SYSVOL
To update SYSVOL as soon as possible after you reconnect a domain controller, plan the time that you restart the domain controller to optimize the replication schedule, as follows:
• If the closest replication partner for the domain is in a different site, view site link properties to determine the replication schedule, and then restart the domain controller as soon as possible after replication is scheduled to start.
• If a replication partner for the domain is available within the site, verify replication success on that partner before you restart the domain controller.

Important: If you use File Replication Service (FRS) to replicate SYSVOL, the recommended practice to reduce the time required to update SYSVOL is to modify the registry before you disconnect the domain controller so that SYSVOL is updated with only the latest file changes when you restart the domain controller. For information about preparing for SYSVOL replication when using FRS, see Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection (http://go.microsoft.com/fwlink/?LinkId=122834).

Task requirements
The following tools are required to perform the procedures for this task:
• ADSI Edit
• Active Directory Sites and Services
• Repadmin.exe

To complete this task, perform the following procedures:
1. Determine the Tombstone Lifetime for the Forest.
2. Determine whether the maximum safe disconnection time has been exceeded. The maximum safe disconnection time should have been established at the time of disconnection, as follows: Subtract a generous estimate of the amount of time for end-to-end replication latency from the tombstone lifetime. Either find the latency estimate in the design documentation for your deployment or request the information from a member of your design or deployment team.
3. If the maximum safe disconnection time has not been exceeded, proceed with the reconnection process as follows:
• Move a Server Object to a New Site: If the server object for the domain controller is still in the site where the domain controller was installed, move the server object to the site in which you are reconnecting the domain controller.
• If the site in which you are reconnecting the domain controller has one or more other domain controllers that are authoritative for the domain, start the domain controller any time.
• If the site in which you are reconnecting the domain controller has no other domain controllers that are authoritative for the domain, proceed as follows: Determine When Intersite Replication Is Scheduled to Begin by viewing the replication properties on the site link that connects this site to the next closest site that includes a domain controller that is authoritative for this domain. As soon as possible after the next replication cycle begins, start the domain controller.
If the maximum safe disconnection time has been exceeded, proceed in the appropriate manner according to the operating system, as described in "Reconnecting an Outdated Domain Controller" earlier in this topic.
4. Verify Successful Replication to a Domain Controller: After replication is complete, verify replication of the domain, configuration, and schema directory partitions. If the domain controller is a global catalog server, verify replication of all domain directory partitions. If the domain controller is a Domain Name System (DNS) server, verify replication of the domain and forest DNS application directory partitions.

See Also
Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection

Determine the Tombstone Lifetime for the Forest
The tombstone lifetime in an Active Directory forest determines how long a deleted object (called a "tombstone") is retained in Active Directory Domain Services (AD DS). The tombstone lifetime is determined by the value of the tombstoneLifetime attribute on the Directory Service object in the configuration directory partition. You can use this procedure to determine the tombstone lifetime for the forest. Membership in Domain Users, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To determine the tombstone lifetime for the forest
1. Click Start, point to Administrative Tools, and then click ADSI Edit.
2. In ADSI Edit, right-click ADSI Edit, and then click Connect to.
3. For Connection Point, click Select a well known Naming Context, and then click Configuration.
4. If you want to connect to a different domain controller, for Computer, click Select or type a domain or server: [Server | Domain [:port]]. Provide the server name or the domain name and Lightweight Directory Access Protocol (LDAP) port (389), and then click OK.
5. Double-click Configuration, CN=Configuration,DC=ForestRootDomainName, CN=Services, and CN=Windows NT.
6. Right-click CN=Directory Service, and then click Properties.
7. In the Attribute column, click tombstoneLifetime.
8. Note the value in the Value column. If the value is "not set", the default value is in effect as follows:
• On a domain controller in a forest that was created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), Windows Server 2003 R2, or Windows Server 2008, the default value is 180 days.
• On a domain controller in a forest that was created on a domain controller running Windows 2000 Server or Windows Server 2003, the default value is 60 days.
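The ADSI Edit procedure above and step 2 of the task requirements (tombstone lifetime minus a latency estimate) can be carried out together from PowerShell. The following is an added example, not code from the guide: it reads tombstoneLifetime from the Directory Service object through ADSI, applies the guide's defaults of 60 or 180 days when the attribute is not set, and reports whether a disconnected domain controller is still inside its safe window. It assumes a domain-joined host with LDAP access to a DC; the ForestCreatedOn parameter, the 7-day latency placeholder and the disconnection date in the usage line are assumptions supplied by the caller.

```powershell
# Added example (not from the guide): compute the maximum safe disconnection
# time from the forest's tombstone lifetime and a replication latency estimate.

function Get-TombstoneLifetimeDays {
    param(
        # Decides the default when tombstoneLifetime is not set (see step 8 above):
        # 'Legacy' = forest created on Windows 2000 Server or Windows Server 2003 (60 days)
        # 'Modern' = forest created on Windows Server 2003 SP1/SP2/R2 or Windows Server 2008 (180 days)
        [ValidateSet('Legacy', 'Modern')]
        [string] $ForestCreatedOn = 'Modern'
    )
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = $rootDse.configurationNamingContext.Value
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $value    = $dsObject.Properties['tombstoneLifetime'].Value
    if ($null -ne $value) { return [int]$value }
    if ($ForestCreatedOn -eq 'Legacy') { return 60 }
    return 180
}

function Test-SafeDisconnection {
    param(
        [Parameter(Mandatory = $true)] [datetime] $DisconnectedOn,
        [Parameter(Mandatory = $true)] [int] $TombstoneLifetimeDays,
        # Generous end-to-end replication latency estimate from the deployment's
        # design documentation; 7 days is a placeholder, not a recommendation.
        [int] $ReplicationLatencyDays = 7,
        [datetime] $Now = (Get-Date)
    )
    $maxSafeDays = $TombstoneLifetimeDays - $ReplicationLatencyDays
    $elapsedDays = ($Now - $DisconnectedOn).TotalDays
    $safe = ($elapsedDays -le $maxSafeDays)
    if ($safe) {
        $action = 'Reconnect; the KCC adds the DC back into the topology about five minutes after startup.'
    } else {
        $action = 'Exceeded: follow "Reconnecting an outdated domain controller" and remove lingering objects first.'
    }
    [pscustomobject]@{
        MaxSafeDisconnectionDays = $maxSafeDays
        DaysDisconnected         = [math]::Round($elapsedDays, 1)
        SafeToReconnect          = $safe
        Action                   = $action
    }
}

# Usage with a constructed disconnection date; substitute the real one.
$ttl = Get-TombstoneLifetimeDays -ForestCreatedOn 'Modern'
Test-SafeDisconnection -DisconnectedOn (Get-Date).AddDays(-100) -TombstoneLifetimeDays $ttl
```

Because the attribute alone does not reveal which operating system created the forest, the default is a caller-supplied choice; when in doubt, assume the shorter 60-day value so the window is never overstated.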


Move a Server Object to a New Site
When you move a server object in Active Directory Domain Services (AD DS), the Active Directory Sites and Services snap-in does not require that the IP address of the server maps to the site to which you are moving the server object. If the IP address does not map to a subnet that is associated with the site to which you move it, the server might be forced to communicate over a potentially slow wide area network (WAN) link to locate resources rather than locating resources in its own site. Before you move the server object, verify that the IP address maps to the target site. You can use this procedure to move a server object to a new site. Membership in Enterprise Admins, or equivalent, is required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To move a server object to a new site
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand Sites and the site in which the server object resides.
3. Expand Servers to display the domain controllers that are currently configured for that site.
4. Right-click the server object that you want to move, and then click Move.
5. In Site Name, click the destination site, and then click OK.
6. Expand the site object to which you moved the server, and then expand the Servers container.
7. Verify that an object for the server that you moved exists.
8. Expand the server object, and verify that an NTDS Settings object exists.

Within an hour, the Net Logon service on the domain controller registers the new site information in Domain Name System (DNS). Wait an hour, and then open Event Viewer and connect to the domain controller whose server object you moved. Review the System log for NETLOGON errors regarding registration of service (SRV) resource records in DNS that have occurred within the last hour. The absence of errors indicates that the Net Logon service has updated DNS with site-specific service (SRV) resource records. NETLOGON Event ID 5774 indicates that the dynamic registration of DNS resource records has failed. If this error occurs, contact a supervisor and pursue DNS troubleshooting.

See Also
Verify That an IP Address Maps to a Subnet and Determine the Site Association


Determine When Intersite Replication Is Scheduled to Begin
Before you restart a domain controller that has been disconnected and shipped to a branch site, if the domain controller is the only domain controller for the domain in the site, the domain controller must be updated from the hub site. You can minimize the time that the domain controller is out of synchronization with domain controllers in the hub site by timing the restart to coincide with intersite replication. You can use this procedure to determine when intersite replication between sites is scheduled to begin. Membership in Domain Users, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To determine when intersite replication is scheduled to begin
1. Open Active Directory Sites and Services: Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, double-click the Sites container, double-click the Inter-Site Transports container, and then click the IP container.
3. In the details pane, right-click the site link object for which you want to view the schedule, and then click Properties.
4. In the SiteLinkName Properties dialog box, click Change Schedule. Note the block of days and hours during which replication is allowed (Replication Available), and then click OK or Cancel.
5. In Replicate every _____ minutes, note the number of minutes for the intervals at which replication polling takes place during an open schedule window, and then click OK.

Use Repadmin to Remove Lingering Objects
You can use the Repadmin tool to remove lingering objects when you reconnect a domain controller that has been offline for longer than a tombstone lifetime and you want to ensure that lingering objects do not exist or, if they do, that they are removed before they are replicated. You can also use this procedure when event ID 1388 or event ID 1988 is logged on a domain controller. In this case, the information that you need to perform the procedure is provided in the event. For information about removing lingering objects when event ID 1388 or event ID 1988 has been logged, see Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042) (http://go.microsoft.com/fwlink/?LinkID=120797). If you are running the procedure without having received Event ID 1388 or Event ID 1988, you must gather the following information before you begin the procedure:
• The name of the server that has or might have lingering objects. This name can be the Domain Name System (DNS) name, NetBIOS name, or distinguished name of the domain controller.
• The globally unique identifier (GUID) of the NTDS Settings object of a domain controller that is authoritative for the domain of the domain controller from which you want to remove lingering objects. This domain controller is the source domain controller.

The source domain controller and the domain controller from which you want to remove lingering objects must be running a version of either Windows Server 2003 or Windows Server 2008. If either domain controller is running Windows 2000 Server, follow the instructions in article 314282 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=37924). Use the following procedure to determine the GUID of a domain controller. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To determine the GUID of a domain controller
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At a command prompt, type the following command, and then press ENTER:

repadmin /showrepl <DomainControllerName>

Where <DomainControllerName> is the NetBIOS name of the domain controller whose GUID you want to determine.
3. In the top portion of the output, note the value in DC object GUID:.

Use the following procedure to remove lingering objects by using Repadmin. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To use Repadmin to remove lingering objects
1. At a command prompt, type the following command, and then press ENTER:

repadmin /removelingeringobjects <ServerName ServerGUID DirectoryPartition> /advisory_mode

Value / Description

repadmin /removelingeringobjects
    Removes objects that have been deleted and permanently removed from replication partners but remain on this domain controller.

<ServerName>
    The DNS name or the distinguished name of the domain controller that has or might have lingering objects.

<ServerGUID>
    The GUID of a domain controller that has an up-to-date, writable replica of the directory partition.

<DirectoryPartition>
    The distinguished name of the domain directory partition that might have lingering objects. For example, DC=RegionalDomainName,DC=ForestRootDomainName,DC=com. Also run the command against the configuration directory partition (CN=configuration,DC=ForestRootDomainName,DC=com), the schema directory partition (CN=schema,CN=configuration,DC=ForestRootDomainName), and any application directory partitions that are hosted on the domain controller that you are checking for lingering objects.

/advisory_mode
    Logs the lingering objects that will be removed so that you can review them, but it does not remove them.

2. If lingering objects are found, repeat step 1 without /advisory_mode to delete the identified lingering objects from the directory partition.
3. Repeat steps 1 and 2 for every domain controller that might have lingering objects.

Note: The ServerName parameter uses the DC_LIST syntax for repadmin, which allows the use of * for all domain controllers in the forest and gc: for all global catalog servers in the forest. To see the DC_LIST syntax, at a command prompt, type repadmin /listhelp, and then press ENTER.
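The procedure needs two inputs gathered by hand (the source DC's NTDS Settings GUID and the list of partitions the suspect DC hosts) and one command per partition. The following PowerShell is an added example, not code from the guide: it obtains the GUID through ADSI (an alternative to reading it from repadmin /showrepl output), enumerates the suspect DC's partitions from its RootDSE, and prints the /advisory_mode command for each partition for review. It does not run repadmin itself. It assumes LDAP reachability to both DCs and Domain Admins rights; the server names in the usage line are constructed samples.

```powershell
# Added example (not from the guide): build the /advisory_mode review commands
# for every partition a suspect DC hosts, using ADSI for the GUID lookup.

function Get-DsaGuid {
    param([Parameter(Mandatory = $true)] [string] $DomainController)
    $rootDse = [ADSI]"LDAP://$DomainController/RootDSE"
    # dsServiceName holds the DN of this DC's own NTDS Settings object
    $ntds  = [ADSI]"LDAP://$DomainController/$($rootDse.dsServiceName.Value)"
    $bytes = [byte[]]$ntds.Properties['objectGUID'].Value
    New-Object -TypeName System.Guid -ArgumentList (,$bytes)
}

function Get-HostedPartitions {
    param([Parameter(Mandatory = $true)] [string] $DomainController)
    $rootDse = [ADSI]"LDAP://$DomainController/RootDSE"
    # namingContexts lists the domain, configuration, schema and application
    # partitions this DC holds, which is the set the procedure says to check.
    @($rootDse.namingContexts | ForEach-Object { [string]$_ })
}

function New-LingeringObjectReviewCommand {
    param(
        [Parameter(Mandatory = $true)] [string] $SuspectDC,  # DC that might hold lingering objects
        [Parameter(Mandatory = $true)] [string] $SourceDC    # authoritative DC with an up-to-date replica
    )
    $sourceGuid = Get-DsaGuid -DomainController $SourceDC
    foreach ($partition in (Get-HostedPartitions -DomainController $SuspectDC)) {
        # Advisory mode only logs what would be removed; review those events
        # before repeating the command without /advisory_mode (step 2).
        'repadmin /removelingeringobjects {0} {1} "{2}" /advisory_mode' -f $SuspectDC, $sourceGuid, $partition
    }
}

# Usage with constructed sample names. For a domain partition the source DC
# must be authoritative for that domain; for the configuration and schema
# partitions any up-to-date DC in the forest qualifies.
New-LingeringObjectReviewCommand -SuspectDC 'branch-dc1.corp.example' -SourceDC 'hub-dc1.corp.example'
```

Keeping the advisory and removal runs as separate, reviewed steps is what the procedure asks for; the script only produces the advisory commands, so nothing is deleted by running it.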

Verify Successful Replication to a Domain Controller
You can use the repadmin /showrepl command to verify successful replication to a specific domain controller. If you are not running Repadmin on the domain controller whose replication you are checking, you can specify a destination domain controller in the command. Repadmin lists INBOUND NEIGHBORS for the current or specified domain controller. INBOUND NEIGHBORS shows the distinguished name of each directory partition for which inbound directory replication has been attempted, the site and name of the source domain controller, and whether replication succeeded or not, as follows:
• Last attempt @ <YYYY-MM-DD HH:MM:SS> was successful.
• Last attempt @ (Never) was successful.

If @ (Never) appears in the output for a directory partition, replication of that directory partition has never succeeded from the identified source replication partner over the listed connection. Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To verify successful replication to a domain controller
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:

repadmin /showrepl <servername> /u:<domainname>\<username> /pw:*

Note: The user credential parameters (/u:<domainname>\<username> /pw:*) are not required for the domain of the user if the user has opened the Command Prompt as an administrator with Domain Admins credentials or is logged on to the domain controller as a member of Domain Admins or equivalent. However, if you run the command for a domain controller in a different domain in the same Command Prompt session, you must provide credentials for an account in that domain.

Value / Description

repadmin /showrepl
    Displays the replication status for the last time that the domain controller that is named in <servername> attempted inbound replication of Active Directory partitions.

<servername>
    The name of the destination domain controller.

/u:
    Specifies the domain name and user name, separated by a backslash, for a user who has permissions to perform operations in AD DS.

<domainname>
    The single-label name of the domain of the destination domain controller. (You do not have to use a fully qualified Domain Name System (DNS) name.)

<username>
    The name of an administrative account in that domain.

/pw:*
    Specifies the domain password for the user named in <username>. * provides a Password: prompt when you press ENTER.

3. At the Password: prompt, type the password for the user account that you provided, and then press ENTER.

You can also use repadmin to generate the details of replication to and from all replication partners in a Microsoft Excel spreadsheet. The spreadsheet displays data in the following columns:
showrepl_COLUMNS, Destination DC Site, Destination DC, Naming Context, Source DC Site, Source DC, Transport Type, Number of Failures, Last Failure Time, Last Success Time, Last Failure Status

The following procedure creates this spreadsheet and sets column headings for improved readability.

To generate a repadmin /showrepl spreadsheet for all replication partners
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:

repadmin /showrepl * /csv >showrepl.csv

3. Open Excel.
4. Click the Office button, click Open, navigate to showrepl.csv, and then click Open.
5. Hide or delete column A as well as the Transport Type column, as follows:
6. Select a column that you want to hide or delete.
• To hide the column, right-click the column, and then click Hide.
Or
• To delete the column, right-click the selected column, and then click Delete.
7. Select row 1 beneath the column heading row. On the View tab, click Freeze Panes, and then click Freeze Top Row.
8. Select the entire spreadsheet. On the Data tab, click Filter.
9. In the Last Success Time column, click the down arrow, and then click Sort Ascending.
10. In the Source DC column, click the filter down arrow, point to Text Filters, and then click Custom Filter.
11. In the Custom AutoFilter dialog box, under Show rows where, click does not contain. In the adjacent text box, type del to eliminate from view the results for deleted domain controllers.
12. Repeat step 11 for the Last Failure Time column, but use the value does not equal, and then type the value 0.
13. Resolve replication failures. The last successful attempt should agree with the replication schedule for intersite replication, or the attempt should be within the last hour for intrasite replication. If Repadmin reports any of the following conditions, see Troubleshooting Active Directory Replication Problems (http://go.microsoft.com/fwlink/?LinkID=93882):
• The last successful intersite replication was before the last scheduled replication.
• The last intrasite replication was longer than one hour ago.
• Replication was never successful.
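The spreadsheet steps (skip deleted DCs, keep rows with a non-zero failure time, sort by last success, and flag intrasite partners older than an hour) can be applied directly to the CSV without Excel. The following PowerShell is an added example, not code from the guide: it parses CSV text with the column names the guide lists and returns one row per partner that needs attention. The CSV text in the block is constructed sample data, including a deleted-DC row and a partner that has never replicated; the status codes and times in it are invented for illustration.

```powershell
# Added example (not from the guide): review repadmin /showrepl * /csv output
# with the same filters the Excel procedure above applies.

# Constructed sample in the guide's column layout (not real repadmin output).
$sampleCsv = @'
showrepl_COLUMNS,Destination DC Site,Destination DC,Naming Context,Source DC Site,Source DC,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Hub,HUB-DC1,"DC=corp,DC=example",Hub,HUB-DC2,RPC,0,0,2008-09-01 10:40:00,0
showrepl_INFO,Hub,HUB-DC1,"DC=corp,DC=example",Branch,BRANCH-DC1,RPC,3,2008-09-01 09:00:00,2008-08-30 02:00:00,8524
showrepl_INFO,Hub,HUB-DC1,"CN=Configuration,DC=corp,DC=example",Hub,HUB-DC3\0ADEL:placeholder-guid,RPC,12,2008-09-01 09:00:00,2008-07-01 00:00:00,1722
showrepl_INFO,Hub,HUB-DC1,"CN=Schema,CN=Configuration,DC=corp,DC=example",Hub,HUB-DC2,RPC,0,0,2008-09-01 08:00:00,0
showrepl_INFO,Hub,HUB-DC1,"DC=DomainDnsZones,DC=corp,DC=example",Branch,BRANCH-DC2,RPC,0,0,0,0
'@

function Get-ReplicationProblems {
    param(
        [Parameter(Mandatory = $true)] [string]   $CsvText,
        [Parameter(Mandatory = $true)] [datetime] $Now,
        [int] $IntrasiteMaxAgeHours = 1
    )
    foreach ($row in ($CsvText | ConvertFrom-Csv)) {
        # Step 11: rows for deleted DCs carry "DEL" in the source name; skip them.
        if ($row.'Source DC' -match 'del') { continue }

        $neverSucceeded = ($row.'Last Success Time' -eq '0')
        $lastSuccess = $null
        if (-not $neverSucceeded) { $lastSuccess = [datetime]$row.'Last Success Time' }
        # Step 12: a non-zero Last Failure Time means the last attempt failed.
        $hasFailure = ($row.'Last Failure Time' -ne '0')
        $intrasite  = ($row.'Destination DC Site' -eq $row.'Source DC Site')
        $stale = $false
        if ($intrasite -and -not $neverSucceeded) {
            $stale = (($Now - $lastSuccess).TotalHours -gt $IntrasiteMaxAgeHours)
        }

        if ($neverSucceeded)  { $reason = 'replication was never successful' }
        elseif ($hasFailure)  { $reason = 'last attempt failed' }
        elseif ($stale)       { $reason = 'intrasite partner older than one hour' }
        else                  { continue }

        [pscustomobject]@{
            NamingContext = $row.'Naming Context'
            SourceDC      = $row.'Source DC'
            Failures      = [int]$row.'Number of Failures'
            LastStatus    = $row.'Last Failure Status'
            LastSuccess   = $lastSuccess
            Reason        = $reason
        }
    }
}

# Usage on the constructed sample (step 9's sort is the Sort-Object).
Get-ReplicationProblems -CsvText $sampleCsv -Now ([datetime]'2008-09-01 11:00:00') |
    Sort-Object LastSuccess | Format-Table -AutoSize
# On a real file: Get-ReplicationProblems -CsvText (Get-Content .\showrepl.csv -Raw) -Now (Get-Date)
```

With the sample above, the HUB-DC2 domain-partition row passes, the deleted HUB-DC3 row is skipped, and the remaining three rows are returned: BRANCH-DC1 for a failed last attempt, the schema row because its intrasite partner is three hours old, and BRANCH-DC2 because it has never replicated. Intersite staleness is left to the reader, since it depends on the site link schedule from the earlier procedure.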


Renaming a Domain Controller
You can use the Netdom.exe command-line tool to rename a domain controller if the domain functional level is Windows Server 2003 or Windows Server 2008. At these domain functional levels, Netdom provides the required preparation for Domain Name System (DNS) and service recognition of the new domain controller name. You can also use the System Properties user interface (UI), which does not require a domain functional level and does not provide the same preparation but which relies solely on replication to update the domain controller DNS name and service principal name (SPN). This method can result in a longer delay before clients can use the renamed domain controller. The ability to rename domain controllers provides you with the flexibility to:
• Restructure your network for organizational and business needs.
• Make management and administrative control easier.

Renaming a domain controller is a common operation in many organizations, and it usually occurs when:
• New hardware is purchased to replace an existing domain controller.
• Domain controllers are decommissioned or promoted and renamed to maintain a naming convention.
• Domain controllers are moved or placed in sites.

Note: It is important to note that domain controller names have a primary impact on administration, rather than client access. Renaming a domain controller is an optional exercise, and the effects of renaming a domain controller should be well understood before the domain controller is renamed. Although you can use System Properties to rename a domain controller (as you can for any computer), Active Directory and DNS replication latency might temporarily prevent clients from locating or authenticating (or both) to the renamed domain controller. To avoid this delay, you can use the Netdom command-line tool to rename a domain controller.

Task requirements
The following is required to perform the procedures for this task:
• System Properties or Netdom.exe
• Ldp.exe or ADSI Edit

If you want to use Netdom, the domain functional level must be set to Windows Server 2003 or Windows Server 2008. To complete this task, use one of the following two sets of procedures:
1. Rename a Domain Controller Using System Properties
2. Update the FRS or DFS Replication Member Object
Or
1. Rename a Domain Controller Using Netdom
2. Update the FRS or DFS Replication Member Object

Rename a Domain Controller Using System Properties
You can use this procedure to rename a domain controller by using the System Properties graphical user interface (GUI). Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To rename a domain controller using System Properties
1. In Server Manager, click Change System Properties.
2. On the Computer Name tab, click Change.
3. Click OK to acknowledge that renaming the domain controller may cause it to become temporarily unavailable to users and computers.
Note: Renaming a domain controller in this way may result in Active Directory replication latency, making it more difficult for clients to locate or authenticate the domain controller under its new name.
4. Under Computer Name, type the new name, and then click OK.
5. Click OK to close the System Properties dialog box.
6. If you are prompted, provide the user name and password for an account with Domain Admin or Enterprise Admin credentials.

See Also
Rename a Domain Controller Using Netdom

Rename a Domain Controller Using Netdom
You can use this procedure to rename a domain controller by using the Netdom command-line tool. The netdom command updates the Service Principal Name (SPN) attributes in Active Directory Domain Services (AD DS) for the computer account. This command also registers Domain Name System (DNS) resource records for the new computer name. The SPN value of the computer account must be replicated to all domain controllers in the domain, and the DNS resource records for the new computer name must be distributed to all the authoritative DNS servers for the domain name. If the updates and registrations have not occurred before the removal of the old computer name, some clients might not be able to locate this computer using the new name or the old name. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To rename a domain controller using Netdom
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command to add the new domain controller name, and then press ENTER:

netdom computername <CurrentComputerName> /add:<NewComputerName>

Value / Description

netdom computername
    Manages the primary and alternate names for a computer.

<CurrentComputerName>
    The current, or primary, fully qualified DNS name of the computer that you are renaming.

/add:
    Specifies that a new alternate DNS name should be added.

<NewComputerName>
    The new fully qualified DNS name for the computer that you are renaming.

3. Type the following command to designate the new name as the primary computer name, and then press ENTER:

netdom computername <CurrentComputerName> /makeprimary:<NewComputerName>

Value / Description

netdom computername
    Manages the primary and alternate names for a computer.

<CurrentComputerName>
    The current, or primary, fully qualified domain name (FQDN) of the computer that you are renaming.

/makeprimary:
    Specifies that an existing alternate name should be made into the primary name.

<NewComputerName>
    The new name for the computer. The NewComputerName must be a FQDN. The primary DNS suffix that is specified in the FQDN for NewComputerName must be the same as the primary DNS suffix of CurrentComputerName, or it must match the DNS name of the Active Directory domain that is hosted by this domain controller, or it must be contained in the list of allowed DNS suffixes that is specified in the msDS-AllowedDNSSuffixes attribute of the domainDns object.

4. Restart the computer.
5. After the computer restarts, open a Command Prompt.
6. At the command prompt, type the following command to remove the old domain controller name, and then press ENTER:

netdom computername <NewComputerName> /remove:<OldComputerName>

Value / Description

netdom computername
    Manages the primary and alternate names for a computer.

<NewComputerName>
    The new FQDN that you added for the computer in step 2.

/remove:
    Specifies that an existing alternate name should be removed.

<OldComputerName>
    The old FQDN of the renamed computer.
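The /makeprimary table states a three-way rule for the new name's DNS suffix. The following PowerShell is an added example, not code from the guide or from Netdom: it checks that rule before any netdom command is run, so a rename is not attempted with a suffix the domain controller cannot adopt, and it shows how the msDS-AllowedDNSSuffixes values can be read from the domain object through ADSI. It assumes a domain-joined host with LDAP access; the computer and domain names in the usage lines are constructed samples.

```powershell
# Added example (not from the guide): validate the DNS-suffix rule for
# netdom computername /makeprimary before running the rename.

function Get-DnsSuffix {
    param([Parameter(Mandatory = $true)] [string] $Fqdn)
    # Everything after the first label: 'dc1.corp.example' -> 'corp.example'
    ($Fqdn -split '\.', 2)[1]
}

function Get-AllowedDnsSuffixes {
    # Reads msDS-AllowedDNSSuffixes from the domain object of the current domain.
    $domainDN = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value
    $domain   = [ADSI]"LDAP://$domainDN"
    @($domain.Properties['msDS-AllowedDNSSuffixes'] | ForEach-Object { [string]$_ })
}

function Test-NewDcName {
    param(
        [Parameter(Mandatory = $true)] [string] $CurrentComputerName,  # current primary FQDN
        [Parameter(Mandatory = $true)] [string] $NewComputerName,      # proposed FQDN
        [Parameter(Mandatory = $true)] [string] $DomainDnsName,        # DNS name of the AD domain this DC hosts
        [string[]] $AllowedDnsSuffixes = @()                           # msDS-AllowedDNSSuffixes values, if any
    )
    if ($NewComputerName -notmatch '^[^.]+\.[^.]+') {
        return [pscustomobject]@{ Allowed = $false; Reason = 'NewComputerName must be a fully qualified DNS name' }
    }
    $newSuffix = Get-DnsSuffix $NewComputerName
    $allowed   = $true
    # String comparisons in PowerShell are case-insensitive, as DNS names are.
    if ($newSuffix -eq (Get-DnsSuffix $CurrentComputerName)) {
        $reason = 'suffix matches the current primary DNS suffix'
    } elseif ($newSuffix -eq $DomainDnsName) {
        $reason = 'suffix matches the DNS name of the hosted Active Directory domain'
    } elseif ($AllowedDnsSuffixes -contains $newSuffix) {
        $reason = 'suffix is listed in msDS-AllowedDNSSuffixes'
    } else {
        $allowed = $false
        $reason  = "suffix '$newSuffix' is not the current suffix, not the domain name, and not an allowed suffix"
    }
    [pscustomobject]@{ Allowed = $allowed; Reason = $reason }
}

# Usage with constructed names; in production pass (Get-AllowedDnsSuffixes)
# as -AllowedDnsSuffixes instead of the sample list.
$check = Test-NewDcName -CurrentComputerName 'dc1.corp.example' -NewComputerName 'dc1-new.corp.example' `
    -DomainDnsName 'corp.example' -AllowedDnsSuffixes @('legacy.example')
if ($check.Allowed) {
    "Rename permitted: $($check.Reason)"
    'netdom computername dc1.corp.example /add:dc1-new.corp.example'
    'netdom computername dc1.corp.example /makeprimary:dc1-new.corp.example'
} else {
    "Rename blocked: $($check.Reason)"
}
```

The script only prints the netdom commands from steps 2 and 3; the restart and the /remove step still follow the procedure above, after SPN and DNS replication have completed.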


See Also
Rename a Domain Controller Using System Properties

3pdate the #4S or D#S 4eplication )ember Ob9ect
Eou can use this procedure to update the =ile *eplication Service "=*S# or Distributed =ile S stem "D=S# *eplication member ob,ect after ou rename a domain controller& This ob,ect must be updated %ith the ne% domain controller name so that the domain controller can replicate SESB4+& =or more information about this procedure( see article 76:82: in the Microsoft @no%ledge >ase "http:33go&microsoft&com3f%lin03P+in0'dQ82826#& Membership in Domain Admins( or eFuivalent( is the minimum reFuired to complete this procedure& *evie% details about using the appropriate accounts and group memberships at http:33go&microsoft&com3f%lin03P+in0'dQ87A<<& o update the #4S member ob9ect 6& 4n the Start menu( point to Administrative ools( and then clic0 Active Directory 3sers and Computers& 2& 4n the 5iew menu( clic0 Advanced #eatures& 7& 1-pand the domain node( System( #ile 4eplication Service( and Domain System 5olume 6S2S5O+ share7& The SDomainController9ameT ob,ects belo% Domain System 5olume 6S2S5O+ share7 are the =S* Member ob,ects that correspond to domain controllers in the domain& =ind the SDomainController9ameT ob,ect that sho%s the old name of the domain controller& A& *ight/clic0 the =*S Member ob,ect for the old name of the domain controller( and then clic0 4ename& 8& T pe the ne% name of the domain controller& :& To verif the name change( open ADS' 1dit: 4n the Start menu( point to Administrative ools( and then clic0 ADSI .dit& Bie% the f4S)ember4eference attribute of the ob,ect C9QDomain S stem Bolume "SESB4+ share#(C9Q9T=*S Subscriptions(C9QSDomainController9ameT(4)QDomain Controllers(DCQSDomain9ameT and confirm that the value in C9QSDomainController9ameT is the ne% name& o update the D#S 4eplication member ob9ect 6& 4n the Start menu( point to Administrative ools( and then clic0 Active Directory 3sers and Computers& 2& 4n the 5iew menu( clic0 Advanced #eatures& A8:

3. Expand the domain node, System, DFSR-GlobalSettings, Domain System Volume, and Topology. The <DomainControllerName> objects below Domain System Volume are the msDFSR-Member objects that correspond to domain controllers in the domain. Find the <DomainControllerName> object that shows the old name of the domain controller.
4. Right-click the msDFSR-Member object for the old name of the domain controller, and then click Rename.
5. Type the new name of the domain controller.
6. To verify the name change, open ADSI Edit: On the Start menu, point to Administrative Tools, and then click ADSI Edit. View the msDFSR-MemberReference attribute of the object CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<DomainControllerName>,OU=Domain Controllers,DC=<DomainName> and confirm that the value in CN=<DomainControllerName> is the new name.

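The verification in step 6 of both procedures, done from PowerShell instead of ADSI Edit, as an added example that is not part of the guide: it reads the fRSMemberReference and msDFSR-MemberReference attributes of the subscriber objects named above and checks that the first RDN of each reference carries the new name. The domain DN DC=corp,DC=example,DC=com and the new name DC01NEW are assumptions.

```powershell
# Added example (not from the guide): check the SYSVOL member references of a renamed DC.
Add-Type -AssemblyName System.DirectoryServices

function Get-AdAttributeValue {
    param([string]$DistinguishedName, [string]$Attribute)
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")
    try {
        $entry.RefreshCache(@($Attribute))            # throws if the object cannot be read
        return [string]$entry.Properties[$Attribute].Value
    } catch [System.Runtime.InteropServices.COMException] {
        return $null                                  # object missing: rename not replicated yet, or wrong DN
    } finally {
        $entry.Dispose()
    }
}

function Test-MemberReference {
    param([string]$Label, [string]$ObjectDN, [string]$Attribute, [string]$ExpectedDcName)
    $reference = Get-AdAttributeValue -DistinguishedName $ObjectDN -Attribute $Attribute
    if (-not $reference) {
        # SYSVOL uses either FRS or DFS Replication, so one of the two objects is normally absent.
        $state = 'MISSING'
    } else {
        # The reference is itself a DN such as "CN=<DCName>,CN=Topology,..."; only the first RDN
        # carries the domain controller name, which is what the procedure has you confirm.
        $firstRdn = ($reference -split ',')[0]
        $state = if ($firstRdn -ieq "CN=$ExpectedDcName") { 'OK' } else { 'STALE' }
    }
    New-Object PSObject -Property @{ Check = $Label; State = $state; Reference = $reference }
}

function Test-SysvolMemberReferences {
    param([string]$DomainDN, [string]$NewDcName)
    $dcContainer = "CN=$NewDcName,OU=Domain Controllers,$DomainDN"
    $checks = @(
        (Test-MemberReference -Label 'FRS member reference' `
            -ObjectDN "CN=Domain System Volume (SYSVOL share),CN=NTFRS Subscriptions,$dcContainer" `
            -Attribute 'fRSMemberReference' -ExpectedDcName $NewDcName),
        (Test-MemberReference -Label 'DFS Replication member reference' `
            -ObjectDN "CN=Domain System Volume,CN=DFSR-LocalSettings,$dcContainer" `
            -Attribute 'msDFSR-MemberReference' -ExpectedDcName $NewDcName)
    )
    if ($checks | Where-Object { $_.State -eq 'STALE' }) {
        Write-Warning "A member object still points at the old name; $NewDcName cannot replicate SYSVOL until it is renamed."
    }
    if (-not ($checks | Where-Object { $_.State -eq 'OK' })) {
        Write-Warning 'Neither member reference was found; verify the domain DN and that the rename has replicated.'
    }
    return $checks
}

# Assumed values; replace with the real domain DN and the new domain controller name.
Test-SysvolMemberReferences -DomainDN 'DC=corp,DC=example,DC=com' -NewDcName 'DC01NEW' |
    Format-Table Check, State, Reference -AutoSize
```
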
Decommissioning a Domain Controller
Decommissioning a domain controller removes all Active Directory components and related components and returns the domain controller to a member server role. This task provides procedures for removing a domain controller from a domain that has other domain controllers.

Removing a domain or a forest
The following topics contain information about removing a domain or a forest:
• To remove a domain, see Removing the Last Windows Server 2008 Domain Controller in a Domain (http://go.microsoft.com/fwlink/?LinkId=93208).
• To remove a forest, see Removing the Last Windows Server 2008 Domain Controller in a Forest (http://go.microsoft.com/fwlink/?LinkId=93209).

Protecting EFS-encrypted files
If the domain controller to be decommissioned hosts any Encrypting File System (EFS)-encrypted files, you must take precautions to protect the private key for the recovery agent for the local EFS-encrypted documents. This key might be lost during Active Directory removal when the Security Accounts Manager (SAM) is recreated on the computer. In this case, you are unable to recover encrypted documents on this computer unless you unencrypt all the files and the recovery agent is changed to an existing domain account before re-encryption. To prevent loss of the private key, you must back up (export) the recovery agent private key before you decommission the domain controller. After you remove Active Directory Domain Services (AD DS), import the private key again. You must be able to ensure that the domain account that is serving as the recovery agent for the certificate remains the same after you remove AD DS. If you cannot guarantee that the account will remain the same after the domain controller is decommissioned, or if you removed AD DS without backing up the certificate and you cannot recover EFS-encrypted files, see article 276239 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=117370).

Task requirements
The following tools are required to perform the procedures for this task:
• Dcdiag.exe
• Active Directory Schema
• Active Directory Domains and Trusts
• Active Directory Users and Computers
• Active Directory Sites and Services
• Ntdsutil.exe

If you must protect the recovery agent private key for encrypted files, the following additional tool is required:
• Certificates snap-in

To complete this task, perform the following procedures:
1. Verify DNS Registration and TCP/IP Connectivity
The Active Directory Domain Services Installation Wizard requires both TCP/IP connectivity and Domain Name System (DNS) to locate another domain controller in the domain. During the removal of AD DS, contact with other domain controllers is required to ensure the following:
• Any unreplicated changes are replicated to another domain controller.
• Removal of the domain controller from the directory.
• Transfer of any remaining operations master roles.
If the domain controller cannot contact another domain controller during Active Directory removal, the decommissioning operation fails. As with the installation process, test the communication infrastructure before you run the installation wizard. Before you remove AD DS, use the same connectivity tests that you used before you installed AD DS.
2. View the Current Operations Master Role Holders
To avoid problems for client computers in the domain and forest, transfer any operations master (also known as flexible single master operations or FSMO) roles before you run the Active Directory Domain Services Installation Wizard to decommission a domain controller, so that you can control the operations master role placement. If you need to transfer any operations master roles from a domain controller, review all the recommendations for role placement before you perform the transfer, as described in Introduction to Administering Operations Master Roles. Identify the domain controllers to which you will transfer each role before you perform the transfer procedures.
Caution
During the decommissioning process, the Active Directory Domain Services Installation Wizard checks for the presence of operations master roles. If the domain controller being decommissioned holds an operations master (also known as flexible single master operations or FSMO) role, the wizard provides a warning and attempts to transfer the role or roles to another domain controller without any user interaction. You do not have control over which domain controller receives the operations master roles that are transferred, and the wizard does not indicate which domain controller receives them. If the wizard cannot transfer an operations master role, you can override the warnings and the wizard will continue to uninstall AD DS and leave your domain or forest without the role. In this case, you must seize the operations master role to another domain controller.
If the domain controller holds any operations master roles, use the following procedures to transfer the role or roles:
• Transfer the Schema Master
• Transfer the Domain Naming Master
• Transfer the Domain-Level Operations Master Roles
3. Determine Whether a Domain Controller Is a Global Catalog Server
If you remove AD DS from a domain controller that hosts the global catalog, the Active Directory Domain Services Installation Wizard confirms that you want to continue with removing AD DS. This confirmation ensures that you are aware that you are removing a global catalog server from your environment. Do not remove the last global catalog server from your environment, because users cannot log on without an available global catalog server. If you are not sure, do not proceed with removing AD DS until you know that at least one other global catalog server is available.
4. Verify the Availability of the Operations Masters
Verify that the operations master role holders are online and responding.
Important
If any verification test fails, do not continue until you determine the problems and fix them. If these tests fail, the uninstallation is also likely to fail.
5. If the domain controller hosts encrypted documents, perform the following procedure before you remove AD DS to ensure that the encrypted files can be recovered after AD DS is removed: Back Up a Certificate With Its Private Key (http://go.microsoft.com/fwlink/?LinkId=122886).
6. Removing a Windows Server 2008 Domain Controller from a Domain
You can remove AD DS by using the Windows interface, an answer file, or the command line.
7. If the domain controller hosts encrypted documents and you backed up the certificate and private key before you removed AD DS, perform the following procedure to import the certificate to the server again: Import a Certificate (http://go.microsoft.com/fwlink/?LinkID=108290).
8. Determine Whether a Server Object Has Child Objects
9. Delete a Server Object from a Site
Note
You may not want to remove the server object if it hosts something in addition to AD DS, for example, Microsoft Exchange.

See Also
Introduction to Administering Operations Master Roles

Verify DNS Registration and TCP/IP Connectivity
You can use the Dcdiag command-line tests in this procedure to verify that a server can successfully connect to domain controllers in the same site or in the enterprise and to verify that Domain Name System (DNS) is functioning. By default, all Dcdiag tests verify TCP/IP connectivity for both IP version 4 (IPv4) and IP version 6 (IPv6).
Note
Dcdiag is installed with Active Directory Domain Services (AD DS) by default. To perform this test on a server that is not a domain controller, you must install Dcdiag. For information about installing Dcdiag, see Installing Remote Server Administration Tools for AD DS.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To verify DNS registration and TCP/IP connectivity
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, and then click OK.
2. At the command prompt, type the following command, and then press ENTER:
dcdiag /test:dns

Note
For a more detailed response from this command, add /v to the end of the command.

If the test fails, do not attempt any additional steps until you determine and fix the problem that prevents proper DNS functionality.


View the Current Operations Master Role Holders
To view the current operations master (also known as flexible single master operations or FSMO) role holders, use the Ntdsutil.exe command-line tool with the roles option. This option displays a list of all current role holders. After you transfer an operations master role, use this procedure to verify that the transfer has occurred successfully throughout the domain. To have full effect, the change must replicate to all domain controllers in the domain for a domain-level role and to all domain controllers in the forest for a forest-level role.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To view the current operations master role holders
1. Open Ntdsutil as an administrator: Click Start, and then, in Start Search, type ntdsutil. At the top of the Start menu, right-click ntdsutil, and then click Run as administrator. In the User Account Control dialog box, provide Domain Admins credentials, and then click OK.
2. At the ntdsutil: prompt, type roles, and then press ENTER.
3. At the fsmo maintenance: prompt, type connections, and then press ENTER.
4. At the server connections: prompt, type connect to server <servername>, where <servername> is the name of the domain controller that belongs to the domain that contains the operations masters.
5. After you receive confirmation of the connection, type quit, and then press ENTER to exit this menu.
6. At the fsmo maintenance: prompt, type select operation target, and then press ENTER.
7. At the select operations target: prompt, type list roles for connected server, and then press ENTER.
The system responds with a list of the current roles and the Lightweight Directory Access Protocol (LDAP) name of the domain controllers that are currently assigned to host each role.
8. Type quit, and then press ENTER to exit each prompt in Ntdsutil.exe. At the ntdsutil: prompt, type quit, and then press ENTER to close the window.


Transfer the Schema Master
You can use this procedure to transfer the schema operations master role if the domain controller that currently hosts the role is inadequate, has failed, or is being decommissioned. The schema master is a forest-wide operations master (also known as flexible single master operations or FSMO) role. Before you perform this procedure, you must identify the domain controller to which you will transfer the schema operations master role.
Before you can use the Active Directory Schema snap-in for the first time, you must register it with the system. If you have not yet prepared the Active Directory Schema snap-in, see Install the Schema Snap-in before you begin this procedure.
Note
You perform this procedure by using a Microsoft Management Console (MMC) snap-in, although you can also transfer this role by using Ntdsutil.exe. For information about using Ntdsutil.exe to transfer operations master roles, see Ntdsutil (http://go.microsoft.com/fwlink/?LinkId=120970). For information about the ntdsutil command, you can type ? at the Ntdsutil.exe command prompt.
Membership in Schema Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Transfer the schema master
1. Open the Active Directory Schema snap-in.
2. In the console tree, right-click Active Directory Schema, and then click Change Active Directory Domain Controller.
3. In the Change Directory Server dialog box, under Change to, click This Domain Controller or AD LDS instance.
4. In the list of domain controllers, click the name of the domain controller to which you want to transfer the schema master role, and then click OK.
5. In the console tree, right-click Active Directory Schema, and then click Operations Master. The Change Schema Master box displays the name of the server that is currently holding the schema master role. The targeted domain controller is listed in the second box.
6. Click Change. Click Yes to confirm your choice. The system confirms the operation. Click OK again to confirm that the operation succeeded.
7. Click Close to close the Change Schema Master dialog box.


Transfer the Domain Naming Master
You can use this procedure to transfer the domain naming operations master role if the domain controller that currently hosts the role is inadequate, has failed, or is being decommissioned. The domain naming master is a forest-wide operations master (also known as flexible single master operations or FSMO) role. Before you perform this procedure, you must identify the domain controller to which you will transfer the domain naming operations master role.
Note
You perform this procedure by using a Microsoft Management Console (MMC) snap-in, although you can also transfer this role by using Ntdsutil.exe. For information about using Ntdsutil.exe to transfer operations master roles, see Ntdsutil (http://go.microsoft.com/fwlink/?LinkId=120970). For information about the ntdsutil command, you can also type ? at the Ntdsutil.exe command prompt.
Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To transfer the domain naming master
1. Open Active Directory Domains and Trusts: On the Start menu, point to Administrative Tools, and then click Active Directory Domains and Trusts. If the User Account Control dialog box appears, provide Enterprise Admins credentials, if required, and then click Continue.
2. In the console tree, right-click Active Directory Domains and Trusts, and then click Change Active Directory Domain Controller.
3. Ensure that the correct domain name is entered in Look in this domain. The available domain controllers from this domain are listed.
4. In the Name column, click the domain controller to which you want to transfer the domain naming master role, and then click OK.
5. At the top of the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.
6. The name of the current domain naming master appears in the first text box. The domain controller to which you want to transfer the domain naming master role should appear in the second text box. If this is not the case, repeat steps 1 through 4.
7. Click Change. To confirm the role transfer, click Yes. Click OK again to close the message box indicating that the transfer took place. Click Close to close the Operations Master dialog box.


Transfer the Domain-Level Operations Master Roles
You can use this procedure to transfer the following three domain-level operations master (also known as flexible single master operations or FSMO) roles:
• Primary domain controller (PDC) emulator operations master
• Relative ID (RID) operations master
• Infrastructure operations master

You might want to transfer a domain-level operations master role if the domain controller that currently hosts the role is inadequate, has failed, or is being decommissioned. You can transfer all domain roles by using the Active Directory Users and Computers snap-in.
Note
You perform these procedures by using a Microsoft Management Console (MMC) snap-in, although you can also transfer these roles by using Ntdsutil.exe. For information about using Ntdsutil.exe to transfer the operations master roles, see Ntdsutil (http://go.microsoft.com/fwlink/?LinkID=120970). For information about the ntdsutil command, you can also type ? at the Ntdsutil.exe command prompt.
Before you perform this procedure, you must identify the domain controller to which you will transfer the operations master role.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To transfer a domain-level operations master role
1. Open Active Directory Users and Computers: On the Start menu, point to Administrative Tools, and then click Active Directory Users and Computers. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the top of the console tree, right-click Active Directory Users and Computers, and then click Change Active Directory Domain Controller.
3. Ensure that the correct domain name is entered in Look in this domain. The available domain controllers from this domain are listed.
4. In the Name column, click the name of the domain controller to which you want to transfer the role, and then click OK.
5. At the top of the console tree, right-click Active Directory Users and Computers, and then click Operations Masters. The name of the current operations master role holder appears in the Operations master box. The name of the domain controller to which you want to transfer the role appears in the lower box.
6. Click the tab for the operations master role that you want to transfer: RID, PDC, or Infrastructure. Verify the computer names that appear, and then click Change. Click Yes to transfer the role, and then click OK.
7. Repeat steps 5 and 6 for each role that you want to transfer.

Determine Whether a Domain Controller Is a Global Catalog Server
You can use the setting on the NTDS Settings object to determine whether a domain controller is designated as a global catalog server.
Membership in Domain Users, or equivalent, is the minimum required to complete this procedure when you perform the procedure remotely by using Remote Server Administration Tools (RSAT). Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To determine whether a domain controller is a global catalog server
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue.
2. In the console tree, expand the Sites container, expand the site of the domain controller that you want to check, expand the Servers container, and then expand the Server object.
3. Right-click the NTDS Settings object, and then click Properties.
4. On the General tab, if the Global Catalog box is selected, the domain controller is designated as a global catalog server.

Verify the Availability of the Operations Masters
You can use this procedure to verify that the domain controllers that hold the operations master (also known as flexible single master operations or FSMO) roles can be located and that they are online and responding. You can use the tests in this procedure before you install Active Directory Domain Services (AD DS) as well as afterward. However, if you perform this procedure before you install AD DS, you must do the following:
• First, use Server Manager to add the Active Directory Domain Services server role. This part of the installation procedure installs the Dcdiag.exe command-line tool. Perform this procedure after you add the server role but before you run Dcpromo.exe.
• Use the /s command option to indicate the name of an existing domain controller in the domain of the new domain controller. This domain controller is required to verify the ability of the server to connect to operations master role holders in the domain and forest.
You do not have to use the /s option if you perform the test in this procedure after you install AD DS. The test automatically runs on the local domain controller where you are performing the test. The commands in this procedure show the /s option. If you are performing this test after you install AD DS, omit the /s option.
For a more detailed response from this command, you can use the verbose option by adding /v to the end of the command.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To verify the availability of the operations masters
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command to ensure that the operations masters can be located, and then press ENTER:
dcdiag /s:<DomainControllerName> /test:knowsofroleholders /v

where <DomainControllerName> is the name of an existing domain controller in the domain in which you want to add the new domain controller. The verbose option provides a detailed list of the operations masters that were tested. Near the bottom of the screen, a message confirms that the test succeeded. If you use the verbose option, look carefully at the bottom part of the displayed output. The test confirmation message appears immediately after the list of operations masters.
3. Type the following command to ensure that the operations masters are functioning properly and available on the network, and then press ENTER:
dcdiag /s:<DomainControllerName> /test:fsmocheck

where <DomainControllerName> is the name of a domain controller in the domain in which you want to add the new domain controller. The verbose option provides a detailed list of the operations masters that were tested as well as other important servers, such as global catalog servers and time servers. Near the bottom of your screen, a message confirms that the test succeeded. If these tests fail, do not attempt any additional steps until you fix the problem that prevents the location of operations masters and you can verify that they are functioning properly.


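The three pre-decommission checks of View the Current Operations Master Role Holders, Determine Whether a Domain Controller Is a Global Catalog Server and Verify the Availability of the Operations Masters, run together from one PowerShell script, as an added example that is not code from the guide: role holders come from the .NET System.DirectoryServices.ActiveDirectory classes, the global catalog flag from the options attribute of the NTDS Settings object, and the availability tests from the two Dcdiag commands above. The domain controller name DC01 is an assumption.

```powershell
# Added example (not from the guide): is this DC safe to decommission?
Add-Type -AssemblyName System.DirectoryServices

function Get-OperationsMasterRoleHolders {
    # The same five holders that "list roles for connected server" prints in Ntdsutil; values are FQDNs.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    return @{
        'Schema master'         = $forest.SchemaRoleOwner.Name
        'Domain naming master'  = $forest.NamingRoleOwner.Name
        'PDC emulator'          = $domain.PdcRoleOwner.Name
        'RID master'            = $domain.RidRoleOwner.Name
        'Infrastructure master' = $domain.InfrastructureRoleOwner.Name
    }
}

function Test-IsGlobalCatalog {
    param([string]$DcName)
    # The Global Catalog check box on the NTDS Settings object is bit 0x1 (NTDSDSA_OPT_IS_GC) of its
    # options attribute. The site name is needed to build the object's DN under the Configuration NC.
    $shortName = $DcName.Split('.')[0]
    $context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', $DcName)
    $dc = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($context)
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $dn = "CN=NTDS Settings,CN=$shortName,CN=Servers,CN=$($dc.SiteName),CN=Sites,$configNC"
    $settings = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dn")
    $options = [int]$settings.Properties['options'].Value
    return (($options -band 1) -eq 1)
}

function Invoke-DcdiagTest {
    param([string]$DcName, [string]$TestName)
    # Dcdiag closes each test with "... <DC> passed test <Name>" or "... <DC> failed test <Name>".
    $output = & dcdiag.exe "/s:$DcName" "/test:$TestName" 2>&1 | ForEach-Object { "$_" }
    $failures = @($output | Where-Object { $_ -match 'failed test' })
    return New-Object PSObject -Property @{ Test = $TestName; Passed = ($failures.Count -eq 0); Output = $output }
}

function Test-ReadyToDecommission {
    param([string]$DcName)
    $shortName = $DcName.Split('.')[0]
    $blockers = @()

    # Procedure 2: any role still held by this DC must be transferred deliberately, not left to the wizard.
    $roles = Get-OperationsMasterRoleHolders
    foreach ($role in $roles.Keys) {
        if ($roles[$role].Split('.')[0] -ieq $shortName) { $blockers += "Transfer the $role away from $DcName first" }
    }

    # Procedure 3: never remove the last global catalog server in the forest.
    if (Test-IsGlobalCatalog -DcName $DcName) {
        $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
        $otherGcs = @($forest.GlobalCatalogs | Where-Object { $_.Name.Split('.')[0] -ine $shortName })
        if ($otherGcs.Count -eq 0) { $blockers += 'This is the only global catalog server in the forest' }
        else { Write-Host "$DcName is a global catalog; $($otherGcs.Count) other global catalog server(s) remain." }
    }

    # Procedure 4: the operations masters must be locatable and responding before AD DS is removed.
    foreach ($test in 'knowsofroleholders', 'fsmocheck') {
        $result = Invoke-DcdiagTest -DcName $DcName -TestName $test
        if (-not $result.Passed) { $blockers += "dcdiag /test:$test failed; review its output before continuing" }
    }

    return New-Object PSObject -Property @{
        DomainController = $DcName
        RoleHolders      = $roles
        Ready            = ($blockers.Count -eq 0)
        Blockers         = $blockers
    }
}

# Assumed value: replace DC01 with the name of the domain controller being decommissioned.
Test-ReadyToDecommission -DcName 'DC01' | Format-List DomainController, Ready, Blockers, RoleHolders
```
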
Back Up a Certificate With Its Private Key
Certificates are important credentials. Their loss or corruption can cause serious harm. Such harm can come from delays in authenticating your identity to an inability to retrieve encrypted data. You can back up certificates to protect them from loss or corruption, or to move them to a different computer.
Users or local Administrators are the minimum group memberships required to complete this procedure. Review the details in "Additional considerations" in this topic.
To export a certificate with the private key
1. Open the Certificates snap-in for a user, computer, or service.
2. Do one of the following:
• If you are in Logical Certificate Stores view mode, in the console tree, click Certificates.
• If you are in Certificate purpose view mode, in the console tree, click Purpose.
3. In the details pane, click the certificate you want to export.
4. On the Action menu, point to All Tasks, and then click Export.
5. In the Certificate Export Wizard, click Yes, export the private key. (This option will appear only if the private key is marked as exportable and you have access to the private key.)
6. Under Export File Format, select one of the available certificate file-format options. Also, do one or all of the following, if available, and then click Next.
• To include all certificates in the certification path, select the Include all certificates in the certification path if possible check box.
• To include all extended properties of the certificate, select Export all extended properties.
• To delete the private key if the export is successful, select the Delete the private key if the export is successful check box.
7. If required, in Password, type a password to encrypt the private key you are exporting. In Confirm password, type the same password again, and then click Next.
8. In File name, type a file name and path for the PKCS #12 file that will store the exported certificate and private key, click Next, and then click Finish.
Additional considerations
• User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions.
• To open the Certificates snap-in, see Add the Certificates Snap-in to an MMC.
• Strong protection (also known as iteration count) is enabled by default in the Certificate Export Wizard when you export a certificate with its associated private key. Strong protection is not compatible with older applications.
• After the Certificate Export Wizard is finished, the certificate will remain in the certificate store in addition to being in the newly created file. If you want to remove the certificate from the certificate store, you will need to delete it.

Removing a Windows Server 2008 Domain Controller from a Domain
The procedures in this section describe the methods for removing a Windows Server 2008 domain controller from a domain:
• Removing a Windows Server 2008 domain controller by using the Windows interface
• Removing a Windows Server 2008 domain controller by using an answer file
• Removing a Windows Server 2008 domain controller by entering unattended installation parameters at the command line

Removing a Windows Server 2008 domain controller by using the Windows interface
You can use the Active Directory Domain Services Installation Wiz
ard to remove a domain controller from an existing domain. If the domain controller hosts any Active Directory-integrated DNS zones, the wizard removes those zones and by default also attempts to remove the DNS delegations for those zones that point to the domain controller.
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group in the domain.
To remove a domain controller by using the Windows interface
1. Click Start, click Run, type dcpromo, and then press ENTER.
2. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.
3. If the domain controller is a global catalog server, a message appears to warn you about the effect of removing a global catalog server from the environment. Click OK to continue.
4. On the Delete the Domain page, make no selection, and then click Next.
5. If the domain controller has application directory partitions, on the Application Directory Partitions page, view the application directory partitions in the list, and then remove or retain application directory partitions, as follows:
• If you do not want to retain any application directory partitions that are stored on the domain controller, click Next.
• If you want to retain any application directory partition that an application has created on the domain controller, use the application that created the partition to remove it, and then click Refresh to update the list.
6. If the Confirm Deletion page appears, select the option to delete all application directory partitions on the domain controller, and then click Next.
7. On the Remove DNS Delegation page, verify that the Delete the DNS delegations pointing to this server check box is selected, and then click Next.
8. If necessary, enter administrative credentials for the server that hosts the DNS zones that contain the DNS delegation for this server, and then click OK.
9. On the Administrator Password page, type and confirm a secure password for the local Administrator account, and then click Next.
10. On the Summary page, to save the settings that you selected to an answer file that you can use to automate subsequent Active Directory Domain Services (AD DS) operations, click Export settings. Type a name for your answer file, and then click Save. Review your selections, and then click Next to remove AD DS.
11. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.
12. You can either select the Reboot on completion check box to have the server restart automatically, or you can restart the server to complete the AD DS removal when you are prompted to do so.

Removing a Windows Server 2008 domain controller by using an answer file
The answer file that you use to remove a domain controller in a domain where other domain controllers exist requires only Domain Admin credentials. You can also create the password for the local Administrator account for the member server. If you do not specify the password in the answer file, the administrator password is blank.
Administrative credentials
To perform this procedure, you must be a member of the Domain Admins group in the domain.
To create an answer file for removing a domain controller
1. Open Notepad or any text editor.
2. On the first line, type [DCINSTALL], and then press ENTER.
3. Create the following entries, one entry on each line. For a complete list of parameters for removing AD DS, see Demotion Operation or type dcpromo /?:Demotion at a command line.
username=<administrative account in the domain>
userdomain=<domain name of administrative account>
password=<password for the account in UserName>
administratorpassword=<local administrator password for server>
removeapplicationpartitions=yes
removeDNSDelegation=yes
DNSDelegationUserName=<DNS server administrative account for the DNS zone that contains the DNS delegation>
DNSDelegationPassword=<Password for the DNS server administrative account>
4. Save the answer file to the location on the installation server from which it is to be called by dcpromo, or save the file to a network shared folder or removable media for distribution.
5. The dcpromo command to use an answer file is the same for both removing and installing a domain controller. Use the procedure "To install a new domain controller by using an answer file" to remove the domain controller.

Removing a Windows Server 2008 domain controller by entering unattended installation parameters at the command line
The dcpromo command that you use to enter unattended installation parameters at the command line is the same for both removing and installing a domain controller. Use the procedure "To install a new domain controller by entering unattended installation parameters at the command line" to remove the domain controller, but use unattended installation options that are appropriate for removing a domain controller from an existing domain. For a complete list of parameters for removing AD DS, see Demotion Operation or type dcpromo /?:Demotion at a command line.

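Building the [DCINSTALL] answer file from the entries listed in the answer-file procedure above and feeding it to dcpromo, as an added example that is not code from the guide: because the file carries the domain account password and the new local Administrator password in cleartext, the script creates it with an ACL restricted to the running account and deletes it as soon as dcpromo returns. The file location under %TEMP%, the credential prompts, and the dcpromo /unattend switch are assumptions.

```powershell
# Added example (not from the guide): demotion answer file with cleartext-credential handling.
function ConvertFrom-SecureStringToPlainText {
    param([System.Security.SecureString]$Secure)
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try { return [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function New-DemotionAnswerFile {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][System.Management.Automation.PSCredential]$DomainAdmin,       # DOMAIN\username
        [Parameter(Mandatory=$true)][System.Security.SecureString]$LocalAdministratorPassword,
        [System.Management.Automation.PSCredential]$DnsDelegationAdmin                              # optional
    )
    $net = $DomainAdmin.GetNetworkCredential()
    if (-not $net.Domain) { throw 'Supply the domain account as DOMAIN\username so that userdomain= can be filled in' }

    # The entries the procedure lists, one per line, under the [DCINSTALL] header.
    $lines = @(
        '[DCINSTALL]',
        "username=$($net.UserName)",
        "userdomain=$($net.Domain)",
        "password=$($net.Password)",
        "administratorpassword=$(ConvertFrom-SecureStringToPlainText $LocalAdministratorPassword)",
        'removeapplicationpartitions=yes',
        'removeDNSDelegation=yes'
    )
    if ($DnsDelegationAdmin) {
        $lines += "DNSDelegationUserName=$($DnsDelegationAdmin.UserName)"
        $lines += "DNSDelegationPassword=$($DnsDelegationAdmin.GetNetworkCredential().Password)"
    }

    # Create the file empty, cut inheritance and grant only the current account, then write the secrets.
    # NTFS permissions do not stop local administrators or SYSTEM, so the file is also deleted after use.
    New-Item -Path $Path -ItemType File -Force | Out-Null
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')))
    Set-Acl -Path $Path -AclObject $acl
    Set-Content -Path $Path -Value $lines -Encoding Ascii
    return $Path
}

function Invoke-UnattendedDemotion {
    param([Parameter(Mandatory=$true)][string]$AnswerFile)
    try {
        # Same command as for an unattended installation; the [DCINSTALL] entries select demotion.
        & dcpromo.exe "/unattend:$AnswerFile"
        return $LASTEXITCODE
    } finally {
        # Remove the cleartext credentials as soon as dcpromo has consumed them, whatever the outcome.
        Remove-Item -Path $AnswerFile -Force -ErrorAction SilentlyContinue
    }
}

# Assumed run: prompts for the Domain Admins account (DOMAIN\username) and the new local Administrator password.
$answerFile  = Join-Path $env:TEMP 'demote-dc.txt'
$domainAdmin = Get-Credential
$localAdmin  = Read-Host -Prompt 'New local Administrator password' -AsSecureString
New-DemotionAnswerFile -Path $answerFile -DomainAdmin $domainAdmin -LocalAdministratorPassword $localAdmin | Out-Null
$exitCode = Invoke-UnattendedDemotion -AnswerFile $answerFile
Write-Host "dcpromo exited with code $exitCode"
```
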
Import a Certificate
You should only import certificates obtained from trusted sources. Importing an unreliable certificate could compromise the security of any system component that uses the imported certificate. You can import a certificate into any logical or physical store. In most cases, you will import certificates into the Personal store or the Trusted Root Certification Authorities store, depending on whether the certificate is intended for you or whether it is a root CA certificate.
Users or local Administrators are the minimum group memberships required to complete this procedure. Review the details in "Additional considerations" in this topic.
To import a certificate
1. Open the Certificates snap-in for a user, computer, or service.
2. In the console tree, click the logical store where you want to import the certificate.
3. On the Action menu, point to All Tasks and then click Import to start the Certificate Import Wizard.
4. Type the file name containing the certificate to be imported. (You can also click Browse and navigate to the file.)
5. If it is a PKCS #12 file, do the following:
• Type the password used to encrypt the private key.
• (Optional) If you want to be able to use strong private key protection, select the Enable strong private key protection check box.
• (Optional) If you want to back up or transport your keys at a later time, select the Mark key as exportable check box.
6. Do one of the following:
• If the certificate should be automatically placed in a certificate store based on the type of certificate, click Automatically select the certificate store based on the type of certificate.
• If you want to specify where the certificate is stored, select Place all certificates in the following store, click Browse, and choose the certificate store to use.
Additional considerations
• User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions.
• To open the Certificates snap-in, see Add the Certificates Snap-in to an MMC.
• Enabling strong private key protection will ensure that you are prompted for a password every time the private key is used. This is useful if you want to make sure that the private key is not used without your knowledge.
• The file from which you import certificates will remain intact after you have completed importing the certificates. You can use Windows Explorer to delete the file if it is no longer needed.
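The same import done from PowerShell, as an added example that is not part of this guide. It makes the "trusted source" warning above into a check: the file is parsed first, its thumbprint is compared with one obtained out of band, a non-self-signed certificate is refused for the Trusted Root store, and only then is it added. The two wizard check boxes correspond to the Exportable and UserProtected key storage flags. The path, the thumbprint and the store choice are placeholders.

```powershell
# Added example, not from the guide. Path, thumbprint and store are placeholders.
$pfxPath            = 'C:\Temp\webserver.pfx'
$expectedThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # value given to you by the issuer, out of band

function Import-CheckedCertificate {
    param(
        [string] $Path,
        [string] $ExpectedThumbprint,
        [string] $StoreName = 'My',           # 'My' is the Personal store; 'Root' is Trusted Root Certification Authorities
        [string] $Location  = 'LocalMachine', # or 'CurrentUser'
        [switch] $Exportable,                 # "Mark key as exportable"
        [switch] $StrongProtection            # "Enable strong private key protection" (current-user stores only)
    )
    $password = Read-Host 'Password that protects the private key' -AsSecureString

    # The wizard's check boxes map onto X509KeyStorageFlags.
    $flagType = [Security.Cryptography.X509Certificates.X509KeyStorageFlags]
    $flags = $flagType::PersistKeySet
    if ($Location -eq 'LocalMachine') { $flags = $flags -bor $flagType::MachineKeySet }
    if ($Exportable)                  { $flags = $flags -bor $flagType::Exportable }
    if ($StrongProtection) {
        if ($Location -ne 'CurrentUser') { throw 'Strong private key protection applies only to the current user store.' }
        $flags = $flags -bor $flagType::UserProtected
    }

    # Parse the file without touching any store yet.
    $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($Path, $password, $flags)

    # Refuse anything that is not the certificate you were told to expect.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint $($cert.Thumbprint) does not match the expected $expected; not importing."
    }
    # Only a self-signed CA certificate belongs in Root; anything placed there becomes a trust anchor.
    if ($StoreName -eq 'Root' -and $cert.Subject -ne $cert.Issuer) {
        throw 'Only a self-signed root CA certificate should be placed in the Trusted Root store.'
    }
    # Report whether the certificate already chains to a trusted root on this machine.
    $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Write-Warning "Chain does not build to a trusted root: $status"
    }

    $store = New-Object Security.Cryptography.X509Certificates.X509Store($StoreName, $Location)
    $store.Open([Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try     { $store.Add($cert) }
    finally { $store.Close() }
    return $cert
}

$imported = Import-CheckedCertificate -Path $pfxPath -ExpectedThumbprint $expectedThumbprint
"Imported $($imported.Subject) ($($imported.Thumbprint)); private key present: $($imported.HasPrivateKey)"
# As the guide notes, the source file stays on disk after the import; delete the .pfx
# once you have confirmed the key works, since it contains the private key.
```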

Determine Whether a Server Object Has Child Objects
After Active Directory Domain Services (AD DS) is properly installed on a domain controller, the server object for the domain controller has a child NTDS Settings object. Other applications that are running on domain controllers can also publish child objects. When you remove AD DS from a server, the NTDS Settings child object is removed automatically from the server object in the Servers container in Active Directory Sites and Services.
Before you delete a server object from the Servers container for a site, verify that the server object has no child objects. The following conditions might result in the presence of a child object:
• If an NTDS Settings object is present, it is possible that replication of the deletion has not reached the domain controller whose objects you are viewing. Check the presence of the object on another domain controller, or force replication from another domain controller in the domain. (See Force Replication Between Domain Controllers.)
• If a child object other than NTDS Settings is present, another application has published the object and is using the server object. In this case, do not delete the server object.
Membership in Domain Users, or equivalent, is the minimum required to complete this procedure when you perform the procedure remotely by using Remote Server Administration Tools (RSAT). Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To determine whether a server object has child objects
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue.
2. In the console tree, expand the Sites container, and then expand the site of the server object.
3. Expand the Servers container, and then expand the server object to view any child objects.

Delete a Server Object from a Site
When you remove a domain controller from service by uninstalling Active Directory Domain Services (AD DS), the domain controller object is removed from the domain directory partition automatically. You can check this deletion by looking in the Domain Controllers container in the Active Directory Users and Computers snap-in. The server object, which represents the domain controller in the configuration directory partition, can have child objects and is therefore not removed automatically. When no child objects are visible below the server object in Active Directory Sites and Services, you can use this procedure to remove the server object.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To delete a server object from a site
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue.
2. In the console tree, expand the Sites container, and then expand the site from which you want to delete a server object.
3. If no child objects appear below the server object, right-click the server object, and then click Delete.
Important
Do not delete a server object that has a child object. If an NTDS Settings object appears below the server object you want to delete, either replication on the domain controller on which you are viewing the configuration container has not occurred or the server whose server object you are removing has not been properly decommissioned. If a child object other than NTDS Settings appears below the server object that you want to delete, another application has published the object. You must contact an administrator for the application and determine the appropriate action to remove the child object.
4. Click Yes to confirm your choice.

See Also
Decommissioning a Domain Controller
Forcing the Removal of a Domain Controller

Add the Certificates Snap-in to an MMC
You can use the Certificates snap-in to manage certificates for a user, computer, or service account. To switch between managing certificates for your user account, a computer, or a service, you must add separate instances of the Certificates snap-in to the console.

Adding the Certificates Snap-in to an MMC
• For a user account
• For a computer account
• For a service

Users or local Administrators are the minimum group memberships required to complete this procedure. Review the details in "Additional considerations" in this topic.
To add the Certificates snap-in to an MMC for a user account
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
3. Under Available snap-ins, double-click Certificates, and then:
• If you are logged on as an administrator, click My user account, and then click Finish.
• If you are logged on as a user, Certificates automatically loads.
4. If you have no more snap-ins to add to the console, click OK.
5. To save this console, on the File menu, click Save.
Additional considerations
• User certificates can be managed by the user or by an administrator.

Membership in local Administrators is the minimum required to complete this procedure. Review the details in "Additional considerations" in this topic.
To add the Certificates snap-in to an MMC for a computer account
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
3. Under Available snap-ins, double-click Certificates.
4. Select Computer account, and then click Next.
5. Do one of the following:
• To manage certificates for the local computer, click Local computer, and then click Finish.
• To manage certificates for a remote computer, click Another computer and type the name of the computer, or click Browse to select the computer name, and then click Finish.
6. If you have no more snap-ins to add to the console, click OK.
7. To save this console, on the File menu, click Save.
Additional considerations
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To manage certificates for another computer, you can either create another instance of Certificates in the console, or right-click Certificates (Computer Name), and then click Connect to Another Computer.

Membership in local Administrators is the minimum required to complete this procedure. Review the details in "Additional considerations" in this topic.
To add the Certificates snap-in to an MMC for a service
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
3. Under Available snap-ins, double-click Certificates.
4. Select Service account, and then click Next.
5. Do one of the following:
• To manage certificates for services on your local computer, click Local computer, and then click Next.
• To manage certificates for services on a remote computer, click Another computer and type the name of the computer, or click Browse to select the computer name, and then click Next.
6. Select the service for which you are managing certificates.
7. Click Finish, and then click Close.
8. If you have no more snap-ins to add to the console, click OK.
9. To save this console, on the File menu, click Save.
Additional considerations
• To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
• To manage certificates for a service on another computer, you can either create another instance of Certificates in the console, or right-click Certificates - Service (Service Name) on Computer Name, and then click Connect to Another Computer.

Forcing the Removal of a Domain Controller
Forced removal of a domain controller from Active Directory Domain Services (AD DS) is intended to be used as a last resort to avoid having to reinstall the operating system on a domain controller that has failed and cannot be recovered. When a domain controller can no longer function in a domain (that is, it is offline), you cannot remove AD DS in the normal way, which requires connectivity to the domain. Forced removal is not intended to replace the normal AD DS removal procedure in any way. It is equivalent to permanently disconnecting the domain controller. However, after successful metadata cleanup of a forcibly removed domain controller, you can recreate the domain controller using the same name.
Note
On domain controllers that are running Windows Server 2008, you can perform a forced removal of AD DS on a server that can be started only in Directory Services Restore Mode (DSRM).
AD DS stores a considerable amount of metadata about a domain controller. During the normal process of uninstalling AD DS on a domain controller, this metadata is removed from AD DS through a connection to another domain controller in the domain. In a forced removal, it is assumed that there is no connectivity to the domain. Therefore, there is no attempt at metadata removal (cleanup) after a forced removal. Consequently, forced removal of AD DS from a domain controller must always be followed by the metadata cleanup procedure, which removes all references to the domain controller from the domain and forest.
Forced removal should not be performed on the last domain controller in a domain. For this domain controller, you can reinstall the operating system to restore the server to network operation.
If the domain controller that you are forcibly removing holds an operations master (also known as flexible single master operations or FSMO) role or roles, transfer the roles before you perform the forced removal procedure. From a healthy domain controller in the domain of the operations master role, or in the forest if the role is a forest-wide role, attempt to transfer the role to another domain controller. If you do not transfer operations master roles before you forcibly remove AD DS, the roles are transferred during the metadata cleanup process automatically. However, during metadata cleanup, you do not have the option to select the domain controller to which the roles are transferred. The cleanup application makes the selection automatically. If role transfer fails during metadata cleanup, you must seize the role following the metadata cleanup procedure. For more information about transferring and seizing operations master roles, see Introduction to Administering Operations Master Roles.
Task requirements
The following is required to perform the procedures for this task:
• Active Directory Sites and Services
• Dcpromo.exe
• Ntdsutil.exe or Active Directory Users and Computers

To complete this task, perform the following procedures:
1. Identify Replication Partners. Use this procedure to identify a domain controller that is a replication partner of the domain controller that you are removing. Identify a replication partner in the same site, if possible. You will connect to this domain controller when you clean up server metadata.
2. Force Domain Controller Removal
3. Clean Up Server Metadata

Identify Replication Partners
You can use this procedure to examine the connection objects for a domain controller and identify its replication partners.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To identify replication partners
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, double-click the Sites container to display the list of sites.
3. Double-click the site that contains the domain controller for which you want to determine connection objects.
Note
If you do not know the site in which the domain controller is located, open a command prompt and type ipconfig to get the IP address of the domain controller. Use the IP address to verify that an IP address maps to a subnet, and then determine the site association.
4. Double-click the Servers folder to display the list of servers in that site.
5. Double-click the server object for the domain controller whose replication partners you want to identify to display its NTDS Settings object.
6. Click the NTDS Settings object to display the list of connection objects in the details pane. (These objects represent inbound connections that are used for replication to the server.) The From Server column displays the names of the domain controllers that are source replication partners for the selected server object.
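The three checks above on the configuration partition (Determine Whether a Server Object Has Child Objects, Delete a Server Object from a Site, and Identify Replication Partners), as one added PowerShell example that is not part of this guide. It binds to the server object through ADSI, lists the inbound connection objects under NTDS Settings (the From Server column is the second RDN of each connection's fromServer value), lists every child object of the server object, and deletes the server object only when it has none; a leaf delete is used so that a child appearing in the meantime makes the delete fail instead of cascading. The site name Default-First-Site-Name and the server name DC2 are placeholders, and the script assumes Domain Admins rights on a domain controller that has already replicated the removal.

```powershell
# Added example, not from the guide. Site and server names are placeholders;
# run it with Domain Admins rights on a DC that has replicated the removal.
$siteName   = 'Default-First-Site-Name'
$serverName = 'DC2'

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext.Value
$serverDn = "CN=$serverName,CN=Servers,CN=$siteName,CN=Sites,$configNc"

function Get-ReplicationPartners([string] $ServerDn) {
    # Connection objects under NTDS Settings are the inbound connections the
    # snap-in lists; fromServer holds the source DC's NTDS Settings DN, and the
    # second RDN of that DN is the partner's server name ("From Server" column).
    $ntds = [ADSI]"LDAP://CN=NTDS Settings,$ServerDn"
    $partners = @()
    foreach ($conn in $ntds.psbase.Children) {
        if ($conn.psbase.SchemaClassName -ne 'nTDSConnection') { continue }
        $fromDn = [string] $conn.fromServer.Value
        $partners += $fromDn.Split(',')[1] -replace '^CN=', ''
    }
    return $partners
}

function Get-ServerChildObjects([string] $ServerDn) {
    # Anything returned here is a reason not to delete the server object:
    # NTDS Settings means the DC is still registered (or the deletion has not
    # replicated to this DC); any other class was published by another application.
    $server = [ADSI]"LDAP://$ServerDn"
    $children = @()
    foreach ($child in $server.psbase.Children) {
        $children += "$($child.psbase.SchemaClassName): $($child.psbase.Name)"
    }
    return $children
}

function Remove-ServerObjectIfEmpty([string] $ServerDn) {
    $children = @(Get-ServerChildObjects $ServerDn)
    if ($children.Count -gt 0) {
        Write-Warning "Not deleting $ServerDn; child objects present: $($children -join '; ')"
        return $false
    }
    $parentDn = $ServerDn.Substring($ServerDn.IndexOf(',') + 1)
    $parent   = [ADSI]"LDAP://$parentDn"
    # Children.Remove is a leaf delete: it fails rather than cascading if a child appeared meanwhile.
    $parent.psbase.Children.Remove([ADSI]"LDAP://$ServerDn")
    return $true
}

if ([DirectoryServices.DirectoryEntry]::Exists("LDAP://CN=NTDS Settings,$serverDn")) {
    "Inbound replication partners of $serverName (connect to one of these for metadata cleanup):"
    @(Get-ReplicationPartners $serverDn) | ForEach-Object { "  $_" }
} else {
    "No NTDS Settings object under $serverDn; the DC is no longer registered on this DC."
}
"Child objects: " + (@(Get-ServerChildObjects $serverDn) -join '; ')
# Run the delete only after the output above shows no child objects:
# Remove-ServerObjectIfEmpty $serverDn
```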

Force Domain Controller Removal
You can use this procedure to forcefully remove Active Directory Domain Services (AD DS) from a domain controller running Windows Server 2008. On a domain controller that is running Windows Server 2008, you can forcefully remove a domain controller even when it can be started only in Directory Services Restore Mode (DSRM).
Typically, you force the removal of a domain controller only if the domain controller has no connectivity with other domain controllers. Because the domain controller cannot contact other domain controllers during the operation, the Active Directory domain and forest metadata is not updated automatically as it is when a domain controller is removed normally. Instead, you must manually update the metadata after you remove the domain controller. For information about performing metadata cleanup, see Clean Up Server Metadata.
You can forcefully remove a domain controller at a command line or by using an answer file. For answer file parameters that you can use to remove AD DS, see Demotion Operation (http://go.microsoft.com/fwlink/?LinkId=120996).
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To force removal of AD DS from a domain controller
1. Click Start, click Run, type the following command, and then press ENTER:
Dcpromo /forceremoval

If the domain controller hosts an operations master (also known as flexible single master operations or FSMO) role or if it is a Domain Name System (DNS) server or a global catalog server, warnings appear that explain how the forced removal will affect the rest of the environment. After you read each warning, click Yes. To suppress the warnings in advance of the removal operation, type /demotefsmo:yes at the command prompt. If you forcefully remove AD DS from a server that hosts an operations master role, you must seize the role after the Dcpromo operation. For information about seizing an operations master role, see Seizing an operations master role.
2. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.
3. On the Force the Removal of Active Directory Domain Services page, review the information about forcing the removal of AD DS and metadata cleanup requirements, and then click Next.
4. On the Administrator Password page, type and confirm a secure password for the local Administrator account, and then click Next.
5. On the Summary page, review your selections. Click Back to change any selections, if necessary. To save the settings that you selected to an answer file that you can use to automate subsequent AD DS operations, click Export settings. Type a name for your answer file, and then click Save. When you are sure that your selections are accurate, click Next to remove AD DS.
6. You can select Reboot on completion to have the server restart automatically, or you can restart the server to complete the AD DS removal when you are prompted to do so.
7. Perform metadata cleanup, as described in Clean Up Server Metadata.

See Also
Seizing an operations master role

Clean Up Server Metadata
Metadata cleanup is a required procedure after a forced removal of Active Directory Domain Services (AD DS). You perform metadata cleanup on a domain controller in the domain of the domain controller that you forcibly removed. Metadata cleanup removes data from AD DS that identifies a domain controller to the replication system. Metadata cleanup also removes File Replication Service (FRS) and Distributed File System (DFS) Replication connections and attempts to transfer or seize any operations master (also known as flexible single master operations or FSMO) roles that the retired domain controller holds. These additional processes are performed automatically.
You can use this procedure to clean up server metadata for a domain controller from which you have forcibly removed AD DS. On domain controllers that are running Windows Server 2008, you can use Active Directory Users and Computers to clean up server metadata. In this procedure, deleting the computer object in the Domain Controllers organizational unit (OU) initiates the cleanup process, which proceeds automatically. You can also perform metadata cleanup by using Ntdsutil.exe, a command-line tool that is installed automatically on all domain controllers.
You can perform this procedure on a domain controller that is running Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), Windows Server 2003 R2, or Windows Server 2008. For information about performing metadata cleanup on domain controllers that are running earlier versions of Windows Server, see "Clean up server metadata" in the Windows Server 2003 Operations Guide (http://go.microsoft.com/fwlink/?LinkId=104231). You can also use a script to clean up server metadata on most Windows operating systems. For information about using this script, see Remove Active Directory Domain Controller Metadata (http://go.microsoft.com/fwlink/?LinkID=123899).
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To clean up server metadata by using Active Directory Users and Computers
1. Open Active Directory Users and Computers: On the Start menu, point to Administrative Tools, and then click Active Directory Users and Computers.
2. If you have identified replication partners in preparation for this procedure, and if you are not connected to a replication partner of the removed domain controller whose metadata you are cleaning up, right-click Active Directory Users and Computers <DomainControllerName>, and then click Change Domain Controller. Click the name of the domain controller from which you want to remove the metadata, and then click OK.
3. Expand the domain of the domain controller that you forcibly removed, and then click Domain Controllers.
4. In the details pane, right-click the computer object of the domain controller whose metadata you want to clean up, and then click Delete.
5. In the Active Directory Domain Services dialog box, click Yes to confirm the computer object deletion.
6. In the Deleting Domain Controller dialog box, select This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then click Delete.
7. If the domain controller is a global catalog server, in the Delete Domain Controller dialog box, click Yes to continue with the deletion.
8. If the domain controller currently holds one or more operations master (also known as flexible single master operations or FSMO) roles, click OK to move the role or roles to the domain controller that is shown. You cannot change this domain controller. If you want to move the role to a different domain controller, you must move the role after you complete the server metadata cleanup procedure.

To clean up server metadata by using Ntdsutil
1. Open a command prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Enterprise Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
ntdsutil

3. At the ntdsutil: prompt, type the following command, and then press ENTER:
metadata cleanup

4. At the metadata cleanup: prompt, type the following command, and then press ENTER:
remove selected server <ServerName>

Or
remove selected server <ServerName1> on <ServerName2>

Value
    Description

ntdsutil
    Initiates removal of objects that refer to a decommissioned domain controller.

metadata cleanup
    Removes objects for a specified, decommissioned domain controller from a specified server.

remove selected server <ServerName> or <ServerName1>
    The distinguished name of the domain controller whose metadata you want to remove, in the form cn=ServerName,cn=Servers,cn=SiteName,cn=Sites,cn=Configuration,dc=ForestRootDomain. If you specify only one server name, the objects are removed from the current domain controller.

on <ServerName2>
    Specifies removing server metadata on <ServerName2>, the Domain Name System (DNS) name of the domain controller to which you want to connect. If you have identified replication partners in preparation for this procedure, specify a domain controller that is a replication partner of the removed domain controller.

5. In Server Remove Configuration Dialog, review the information and warning, and then click Yes to remove the server object and metadata. At this point, Ntdsutil confirms that the domain controller was removed successfully. If you receive an error message that indicates that the object cannot be found, the domain controller might have been removed earlier.
6. At the metadata cleanup: and ntdsutil: prompts, type quit, and then press ENTER.
7. To confirm removal of the domain controller:
Open Active Directory Users and Computers. In the domain of the removed domain controller, click Domain Controllers. In the details pane, an object for the domain controller that you removed should not appear.
Open Active Directory Sites and Services. Navigate to the Servers container and confirm that the server object for the domain controller that you removed does not contain an NTDS Settings object. If no child objects appear below the server object, you can delete the server object. If a child object appears, do not delete the server object because another application is using the object.
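Step 7 above checks two places by hand; the added PowerShell example below, which is not part of this guide, widens that check to everything metadata cleanup is supposed to remove or move. It tests whether the NTDS Settings object, the computer object in the Domain Controllers OU and the FRS member object under the SYSVOL subscription still exist, and reads the fSMORoleOwner attribute of the five role-holding objects to see whether any operations master role still points at the removed domain controller (or at a deleted object), which is the case in which the role must be seized as described earlier. The names DC2 and Default-First-Site-Name are placeholders, and the script is meant to run on a replication partner after the cleanup has replicated there.

```powershell
# Added example, not from the guide. Names are placeholders; run it on a
# replication partner of the removed DC after the cleanup has replicated there.
$dcName   = 'DC2'
$siteName = 'Default-First-Site-Name'

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext.Value
$domainNc = $rootDse.defaultNamingContext.Value
$schemaNc = $rootDse.schemaNamingContext.Value
$ntdsDn   = "CN=NTDS Settings,CN=$dcName,CN=Servers,CN=$siteName,CN=Sites,$configNc"

function Get-LeftoverObjects {
    # Objects that a normal demotion removes and that metadata cleanup must remove too.
    $candidates = @(
        $ntdsDn,
        "CN=$dcName,OU=Domain Controllers,$domainNc",
        "CN=$dcName,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainNc"
    )
    $left = @()
    foreach ($dn in $candidates) {
        if ([DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")) { $left += $dn }
    }
    return $left
}

function Get-StaleRoleOwners {
    # Each operations master role is recorded as the NTDS Settings DN of the
    # holder in the fSMORoleOwner attribute of the object that owns the role.
    # After cleanup, a role the dead DC held should have moved; if it still
    # points at that DC, or at a deleted object, seize it with ntdsutil.
    $roleObjects = @{
        'PDC emulator'          = $domainNc
        'RID master'            = "CN=RID Manager`$,CN=System,$domainNc"
        'Infrastructure master' = "CN=Infrastructure,$domainNc"
        'Schema master'         = $schemaNc
        'Domain naming master'  = "CN=Partitions,$configNc"
    }
    $stale = @()
    foreach ($role in $roleObjects.Keys) {
        $owner = [string] ([ADSI]"LDAP://$($roleObjects[$role])").fSMORoleOwner.Value
        if ($owner -like "*,CN=$dcName,CN=Servers,*" -or $owner -like '*0ADEL:*') {
            $stale += "$role -> $owner"
        }
    }
    return $stale
}

$leftovers = @(Get-LeftoverObjects)
$stale     = @(Get-StaleRoleOwners)
if ($leftovers.Count -eq 0 -and $stale.Count -eq 0) {
    "No references to $dcName remain; delete the server object under CN=$siteName only if it has no other child objects."
} else {
    $leftovers | ForEach-Object { "Still present: $_" }
    $stale     | ForEach-Object { "Role not moved: $_" }
}
```

Ntdsutil also accepts the steps as arguments on one line, for example ntdsutil "metadata cleanup" "remove selected server <ServerDN>" quit quit, but on Windows Server 2008 the Server Remove Configuration Dialog of step 5 still appears and must be answered, so the cleanup itself is not fully scriptable in this form.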

See Also
Delete a Server Object from a Site

Administering Active Directory Domain Rename
This guide provides information about planning and performing a domain rename operation in Windows Server 2008. For checklists of the various tasks to be performed during the different phases of this operation, see Appendix C: Checklists for the Domain Rename Operation. Suggested formats for a variety of worksheets that you can use for gathering information about your Active Directory Domain Services (AD DS) infrastructure are included in Appendix D: Worksheets for the Domain Rename Operation. You can use these worksheets for planning and tracking progress as you proceed with your domain rename operation.

In this guide
• Introduction to Administering Active Directory Domain Rename
• Managing Active Directory Domain Rename
• Additional Resources for the Domain Rename Operation

Introduction to Administering Active Directory Domain Rename
You can use the Windows Server 2008 domain rename process to change the names of your Active Directory domains, and you can also use it to change the structure of the domain trees in your Active Directory forest. This process involves updating the Domain Name System (DNS) and trust infrastructures as well as Group Policy and Service Principal Names (SPNs).
The ability to rename domains gives you the flexibility to make important name changes and forest structural changes as the needs of your organization change. Using domain rename, you can change the name of a domain, but you can also change the structure of the domain hierarchy. You can also change the parent of a domain or move a domain in one domain tree to another domain tree. The domain rename process can accommodate scenarios involving acquisitions, mergers, or name changes in your organization, but it is not designed to accommodate forest mergers or the movement of domains between forests.
Important
It is extremely important and highly recommended that you test the domain rename operation before you perform it in a production environment. First, perform the domain rename operation that is described in this section in a test environment that has a minimum of two domains. Familiarizing yourself with the specifics of each stage in the domain rename operation in a test environment will provide you with not only a much better understanding of the operation itself but also better prepare you to troubleshoot any issues that may arise during the domain rename operation in a production forest. For more information, see Domain Rename Technical Reference (http://go.microsoft.com/fwlink/?LinkID=122922).

Domain rename requirements
The following conditions must be in effect before you can begin a domain rename operation:
• Forest functionality: You can rename domains only in a forest where all of the domain controllers are running Windows Server 2008 or Windows Server 2003 Standard Edition, Windows Server 2008 or Windows Server 2003 Enterprise Edition, or Windows Server 2008 or Windows Server 2003 Datacenter Edition operating systems, and the Active Directory forest functional level has been raised to either Windows Server 2003 or Windows Server 2008. The domain rename operation will not be successful if the forest functional level is set to Windows 2000 native. For more information about forest functional levels and for procedures to determine and set forest functional levels, see Enabling Windows Server 2008 Advanced Features for Active Directory Domain Services (http://go.microsoft.com/fwlink/?LinkID=105303).
• Administrative credentials: You must have Enterprise Admins credentials to perform the various procedures for the domain rename operation. If you are running Microsoft Exchange, the account that you use must also have Full Exchange Administrator credentials.
• Control station: The computer that you use as the control station for the domain rename operation must be a member computer (not a domain controller) running Windows Server 2008 Standard Edition, Windows Server 2008 Enterprise Edition, or Windows Server 2008 Datacenter Edition.
• Distributed File System (DFS) root servers: So that you can rename a domain with domain-based DFS Namespace (DFSN) roots, all DFSN root servers must be running Windows 2000 with Service Pack 3 (SP3), Windows Server 2003, or Windows Server 2008 operating systems.
• If your forest contains Exchange 2003 Service Pack 1 (SP1) servers, you can run the Windows Server 2008 domain rename operation, but you must also use the Exchange Domain Rename Fix-up Tool to update Exchange attributes. For more information, see Microsoft Exchange Server Domain Rename Fixup (XDR-Fixup) (http://go.microsoft.com/fwlink/?LinkID=122952). The document that accompanies this tool describes when and how to perform Exchange-related tasks. To perform a domain rename operation, Exchange must not be installed on any domain controllers. If a domain controller is running Exchange, move the Exchange data off the domain controller and then uninstall Exchange.
Important
The Windows Server 2008 domain rename operation is not supported in any Active Directory forest that contains Exchange Server 2003, Exchange Server 2003 SP2, Exchange Server 2007, or Exchange Server 2007 SP1.
Note
You can use "Checklist: Satisfying Domain Rename Requirements" in Appendix C: Checklists for the Domain Rename Operation to make sure that you have met all the necessary requirements for the domain rename operation.

Managing Active Directory Domain Rename
This section includes the following tasks for managing Windows Server 2008 Active Directory domain rename:
• Preparing for the Domain Rename Operation
• Performing the Domain Rename Operation
• Completing the Domain Rename Operation

Preparing for the Domain Rename Operation
This task helps you prepare for the domain rename operation. The goal of the preparation phase for the domain rename operation is to ensure that the prerequisites for the domain rename operation are in place. Completing these preliminary tasks will ensure a smooth implementation of domain renaming or domain restructuring in your forest. You can use the "Checklist: Preparing for the domain rename operation" in Appendix C: Checklists for the Domain Rename Operation to make sure that you have completed all of the required preliminary tasks. If these prerequisites are not satisfied, domain rename cannot be performed successfully.
To complete this task, perform the following procedures:
• Adjust Forest Functional Level
• Create Necessary Shortcut Trust Relationships
• Prepare DNS Zones
• Redirect Special Folders to a Standalone DFSN
• Relocate Roaming User Profiles to a Standalone DFSN
• Configure Member Computers for Host Name Changes
• Prepare Certification Authorities
• Exchange-Specific Steps: Prepare a Domain that Contains Exchange

Ad9ust #orest #unctional +evel
Eou can use this procedure to ad,ust the forest functional level for a domain rename operation& The domain rename operation is supported %ithin an Active Director forest if( and onl if( all domain controllers in the forest are running $indo%s Server 2007 or $indo%s Server 2008 Standard 1dition( $indo%s Server 2007 or $indo%s Server 2008 1nterprise 1dition( or $indo%s Server 2007 or $indo%s Server 2008 Datacenter 1dition( and the forest functionalit has been raised to $indo%s Server 2007 or $indo%s Server 2008& Therefore( before ou can rename a domain in our Active Director forest( ou must ensure that the forest functionalit has been set to at least $indo%s Server 2007 or raised to $indo%s Server 2008&

Setting forest functional level to Windows Server 2003 or Windows Server 2008
You can set the forest functional level to Windows Server 2003 if all domain controllers in the forest run either Windows Server 2003 or Windows Server 2008. If any domain controller in the forest is still running Windows 2000, you cannot set the forest functional level to Windows Server 2003. You can set the forest functional level to Windows Server 2008 if all domain controllers in the forest run Windows Server 2008. If any domain controller in the forest is still running Windows Server 2003, you cannot set the forest functional level to Windows Server 2008. For more information, see Understanding AD DS Functional Levels (http://go.microsoft.com/fwlink/?LinkId=124107).
To set the forest functional level to Windows Server 2003 or Windows Server 2008
1. Open the Active Directory Domains and Trusts snap-in: click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.
2. In the console tree, right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.
3. In Select an available forest functional level, do one of the following:
• To raise the forest functional level to Windows Server 2003, click Windows Server 2003, and then click Raise.
• To raise the forest functional level to Windows Server 2008, click Windows Server 2008, and then click Raise.
Caution
Do not raise the forest functional level to Windows Server 2008 if you have, or will have, any domain controllers that are running Windows Server 2003 or earlier. After you raise the forest functional level to Windows Server 2008, you cannot change the level back to Windows Server 2003.
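The same prerequisite check and raise, scripted. This is an added example and not part of the original guide; it assumes the ActiveDirectory PowerShell module (RSAT) and Enterprise Admins rights, and it inspects every domain controller in the forest before choosing the lowest level that satisfies the domain rename requirement, refusing to proceed if any Windows 2000 domain controller remains.

```powershell
# Added example (not from the original guide): verify every DC's operating
# system across the forest, then raise the forest functional level only when
# the domain rename prerequisite (all DCs on Windows Server 2003 or later) holds.
# Assumes the ActiveDirectory module and Enterprise Admins rights.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest $($forest.Name) is at functional level: $($forest.ForestMode)"

# Operating system of every DC in every domain of the forest.
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Select-Object Name, Domain, OperatingSystem, OperatingSystemVersion
}
$dcs | Format-Table -AutoSize

# Any Windows 2000 DC (or a DC whose OS cannot be read) blocks the rename.
$blocking = $dcs | Where-Object { -not $_.OperatingSystem -or $_.OperatingSystem -match 'Windows 2000' }
if ($blocking) {
    Write-Warning 'Domain rename is blocked by these domain controllers:'
    $blocking | Format-Table -AutoSize
    return
}

# Target level: Windows Server 2008 only if no DC runs Windows Server 2003;
# otherwise Windows Server 2003, the minimum level for domain rename.
$has2003 = [bool]($dcs | Where-Object { $_.OperatingSystem -match 'Windows Server 2003' })
$target  = if ($has2003) { 'Windows2003Forest' } else { 'Windows2008Forest' }
$targetValue  = [int]([Microsoft.ActiveDirectory.Management.ADForestMode]$target)
$currentValue = [int]$forest.ForestMode

if ($currentValue -ge $targetValue) {
    "Forest mode $($forest.ForestMode) already satisfies the domain rename prerequisite."
} else {
    # Raising is one-way (see the Caution above), so ask for confirmation.
    Set-ADForestMode -Identity $forest -ForestMode $target -Confirm:$true
}
```

The OS strings are matched loosely on purpose: a domain controller whose OperatingSystem attribute is empty is treated as blocking rather than assumed to be fine, because the rename tool will fail later if the assumption is wrong.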

Create Necessary Shortcut Trust Relationships
You can use this procedure to create the necessary shortcut trust relationships for a domain rename operation. You can reposition any domain within the domain tree hierarchy of a forest, with the exception of the forest root domain. In other words, although the forest root domain can be renamed (its Domain Name System (DNS) and NetBIOS names can change), it cannot be repositioned in such a way that you designate a different domain to become the new forest root domain. If your domain rename operation involves restructuring the forest by repositioning the domains in the domain tree hierarchy, as opposed to simply changing the names of the domains in place, first create the necessary shortcut trust relationships between domains so that the new forest structure has two-way, transitive trust paths between every pair of domains in the target forest, just as your current forest does.

Types of trust relationships
A hierarchy of Active Directory domains is implemented by trust relationships between domains. The following types of trust relationships are established between domains within an Active Directory forest:
• Parent-child: The trust that is established when you create a new domain in an existing tree in the forest. The Active Directory Domain Services (AD DS) installation process automatically creates a transitive, two-way trust relationship between the new domain (the child domain) and the domain that immediately precedes it in the namespace hierarchy (the parent domain).
• Tree-root: The trust that is established when you add a new domain tree to the forest. The installation process for AD DS automatically creates a transitive, two-way trust relationship between the domain that you are creating (the new tree-root domain) and the forest root domain.
• Shortcut: A manually created, one-way, transitive trust relationship between any two domains in the forest, created to shorten the trust path. To establish two-way shortcut trust relationships between two domains, you set up a shortcut trust relationship manually in each direction.

The effect of the transitive, two-way trust relationships that are created automatically by the installation process for AD DS is that there is complete trust between all domains in an Active Directory forest: every domain has a transitive trust relationship with its parent domain, and every tree-root domain has a transitive trust relationship with the forest root domain. If you use the domain rename operation to restructure an existing Active Directory forest by altering the domain tree hierarchy, automatic creation of the necessary trust relationships does not occur. For this reason, as part of the preparation phase of domain rename, the trust relationships that are required to preserve complete trust between all domains in your new forest (after restructuring) must be precreated manually.

Precreating parent-child trust relationships for a restructured forest
If you plan to use the domain rename operation to reposition one or more domains in the domain tree hierarchy, then for each domain that you plan to reposition, the necessary shortcut trust relationship must be created between the domain that you want to reposition and its new parent domain (or the forest root domain, if the repositioned domain becomes a tree root). These precreated trust relationships substitute for the required tree-root or parent-child trust relationships that will otherwise be missing in the restructured forest.

Precreating a parent-child trust relationship
For example, suppose that you want to restructure the cohowinery.com forest, shown in the following illustration, so that the products.sales.cohowinery.com domain becomes a child of the cohowinery.com domain. Before you perform the domain rename operation to carry out this restructure, you must first create a two-way, transitive shortcut trust relationship between products.sales.cohowinery.com and cohowinery.com. This trust relationship precreates the two-way parent-child trust relationship that will be required for the targeted parent and child domains. The following illustration shows the "before" and "after" domain structures and the shortcut trust relationships you have to create that will serve as parent-child trust relationships in the target forest.


Pre-creating multiple parent-child trust relationships
For scenarios in which you have to restructure a domain that is both a child domain and a parent domain, you might have to create shortcut trust relationships in two places. For example, suppose that you want to restructure the cohowinery.com forest, shown in the following illustration, to move the hr.sales.cohowinery.com domain so that it becomes a child of the eu.cohowinery.com domain. At the same time, you want its child domain, payroll.hr.sales.cohowinery.com, to become a direct child of sales.cohowinery.com (the current parent of hr.sales.cohowinery.com). To perform this restructure operation, you first have to create two shortcut trust relationships that will become the parent-child trust relationships for the new forest that follows the restructuring, as shown:
• A two-way, transitive shortcut trust relationship between the eu.cohowinery.com and hr.sales.cohowinery.com domains, which will serve as the two-way, transitive parent-child trust relationship between eu.cohowinery.com and hr.eu.cohowinery.com after restructuring
• A two-way, transitive shortcut trust relationship between the sales.cohowinery.com and payroll.hr.sales.cohowinery.com domains, which will serve as the two-way, transitive parent-child trust relationship between sales.cohowinery.com and payroll.sales.cohowinery.com after restructuring


These shortcut trusts are responsible for maintaining the two-way, transitive trust relationships that are required between the newly renamed domains when the domain rename operation is complete.

Precreating a tree-root trust relationship with the forest root domain
When a domain is renamed to become a new tree root, the new tree-root domain must have a two-way, transitive trust relationship with the forest root domain. For this scenario, you create a two-way shortcut trust relationship between the domain that you want to rename to become a new tree-root domain and the forest root domain.


For example, suppose that you have a deep tree and you want to create a new tree by moving the lowest-level domain to become a tree-root domain. The following illustration shows the two-way shortcut trust relationship that you create, and the tree-root trust relationship it provides after the restructure, when you rename the eu.sales.cohowinery.com domain to create the tree-root domain cohoeurope.com.

Creating shortcut trust relationships
Analyze the target forest structure that you intend to achieve. Consider the requirement of a two-way, transitive trust relationship between each pair of domains in the forest, and create a list of the shortcut trust relationships that are necessary to preserve full trust between all the domains in the target forest. Create the shortcut trust relationships so that they are in place when you begin the domain rename procedure. You can use "Worksheet 2: Trust Information" in Appendix D: Worksheets for the Domain Rename Operation to document all trust relationships that are necessary to preserve full trust between all the domains in the target forest. For information about how to create shortcut trust relationships, see Create a Shortcut Trust (http://go.microsoft.com/fwlink/?LinkId=124112).
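The analysis above reduces to one rule: every repositioned domain needs a pre-created two-way shortcut trust with its new parent, or with the forest root if it becomes a tree root. The following added example (not part of the original guide) applies that rule to a constructed "before" and "after" map that combines the three cohowinery.com scenarios illustrated above, lists the trusts to put on Worksheet 2, and emits the netdom commands that create and verify them. The forest layout is a constructed example; domains are keyed by their current names because a domain keeps its identity through the rename.

```powershell
# Added example (not from the original guide): derive the shortcut trusts a
# forest restructure needs and emit the netdom commands to create them.
# Rule from the guide: a repositioned domain needs a two-way shortcut trust with
# its new parent, or with the forest root when it becomes a new tree root.

$forestRoot = 'cohowinery.com'

# Constructed "before" tree: domain -> current parent ('' would mean tree root).
$before = @{
    'sales.cohowinery.com'            = 'cohowinery.com'
    'eu.cohowinery.com'               = 'cohowinery.com'
    'products.sales.cohowinery.com'   = 'sales.cohowinery.com'
    'hr.sales.cohowinery.com'         = 'sales.cohowinery.com'
    'payroll.hr.sales.cohowinery.com' = 'hr.sales.cohowinery.com'
    'eu.sales.cohowinery.com'         = 'sales.cohowinery.com'
}

# Constructed "after" tree, keyed by CURRENT name: the three scenarios above.
$after = @{
    'sales.cohowinery.com'            = 'cohowinery.com'
    'eu.cohowinery.com'               = 'cohowinery.com'
    'products.sales.cohowinery.com'   = 'cohowinery.com'        # child of the forest root
    'hr.sales.cohowinery.com'         = 'eu.cohowinery.com'     # becomes hr.eu.cohowinery.com
    'payroll.hr.sales.cohowinery.com' = 'sales.cohowinery.com'  # becomes payroll.sales.cohowinery.com
    'eu.sales.cohowinery.com'         = ''                      # becomes tree root cohoeurope.com
}

function Get-RequiredShortcutTrusts {
    param([hashtable]$Before, [hashtable]$After, [string]$ForestRoot)
    foreach ($domain in $After.Keys) {
        if ($Before[$domain] -eq $After[$domain]) { continue }   # not repositioned: trusts already exist
        # New tree roots need a trust with the forest root; others with the new parent.
        $partner = if ($After[$domain] -eq '') { $ForestRoot } else { $After[$domain] }
        [pscustomobject]@{ Domain = $domain; TrustPartner = $partner }
    }
}

$trusts = Get-RequiredShortcutTrusts -Before $before -After $after -ForestRoot $forestRoot
$trusts | Format-Table -AutoSize

# /twoway creates the shortcut trust in both directions in one step. Run from a
# computer with Domain Admins rights in both domains, or add
# /userD: /passwordD:* /userO: /passwordO:* to supply credentials for each side.
foreach ($t in $trusts) {
    "netdom trust $($t.Domain) /d:$($t.TrustPartner) /add /twoway"
    "netdom trust $($t.Domain) /d:$($t.TrustPartner) /verify"
}
```

Domains whose parent does not change (sales and eu in this map) produce no output: their parent-child trusts already exist and survive a pure rename. The script only prints the commands; review them against the worksheet before running them.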

Prepare DNS Zones
You can use this procedure to prepare Domain Name System (DNS) zones for Active Directory domain rename. When an application or client requests access to Active Directory Domain Services (AD DS), an Active Directory domain controller is located by the domain controller locator (DC Locator) mechanism. In response to client requests for AD DS services, DC Locator uses service (SRV) resource records in DNS to locate domain controllers. In the absence of these DNS service location (SRV) resource records, directory clients experience failures when they attempt to access AD DS. For this reason, before you rename an Active Directory domain, you have to be sure that the appropriate DNS zones exist for the forest and for each domain. If the appropriate zones do not exist in DNS, you have to create the DNS zone or zones that will contain the service (SRV) resource records for the renamed domains. We also strongly recommend that you configure the zone(s) to allow secure dynamic updates. This DNS zone requirement applies to each domain that is renamed as part of the domain rename operation.
The DNS requirements to rename an Active Directory domain are identical to the DNS requirements to support an existing Active Directory domain. Your current DNS infrastructure already provides the necessary support for your Active Directory domain under its current name. Usually, you only have to mirror the existing DNS infrastructure to add support for the planned new name of your domain. For example, suppose that you want to rename an existing Active Directory domain sales.cohovineyard.com to marketing.cohovineyard.com. If the service (SRV) resource records that are registered by the domain controllers of the sales.cohovineyard.com Active Directory domain are registered in the DNS zone named sales.cohovineyard.com, you have to create a new DNS zone called marketing.cohovineyard.com, which corresponds to the new name of the domain. For more information about how to configure DNS to provide support for AD DS, see Creating a DNS Infrastructure Design (http://go.microsoft.com/fwlink/?LinkId=124108).
Before you begin the domain rename process, verify that any new zones that are required have been created and configured to allow dynamic updates. Analyze your current DNS infrastructure in relation to the new forest structure that you want after the domain rename operation has completed, and compile a list of DNS zones that have to be created. You can use "Worksheet 3: DNS Zone Information" in Appendix D: Worksheets for the Domain Rename Operation to document this list. For more information about how to create DNS zones, see Add a Forward Lookup Zone (http://go.microsoft.com/fwlink/?LinkID=108881). For more information about how to configure dynamic updates, see Allow Dynamic Updates (http://go.microsoft.com/fwlink/?LinkId=124109).
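The sales.cohovineyard.com to marketing.cohovineyard.com example, carried out with the dnscmd.exe tool that ships with the Windows Server 2008 DNS Server role. This is an added example, not from the original guide; the server name dc1.cohovineyard.com is an assumption, and the zone is created as an AD-integrated zone replicated forest-wide, which is the common choice but not the only valid one (the guide requires only that the zone exist and accept dynamic updates).

```powershell
# Added example (not from the original guide): mirror the existing zone under the
# planned new domain name, AD-integrated, accepting secure dynamic updates only.
# Assumes dnscmd.exe (DNS Server tools) and DNS administration rights; the
# server name is an assumption.
$dnsServer = 'dc1.cohovineyard.com'
$oldZone   = 'sales.cohovineyard.com'
$newZone   = 'marketing.cohovineyard.com'

# Create the zone only if it does not exist yet (/ZoneInfo fails on a missing zone).
$null = & dnscmd $dnsServer /ZoneInfo $newZone
if ($LASTEXITCODE -ne 0) {
    # /DsPrimary = AD-integrated primary zone; /DP /forest = forest-wide replication scope.
    & dnscmd $dnsServer /ZoneAdd $newZone /DsPrimary /DP /forest
}

# AllowUpdate: 0 = none, 1 = nonsecure and secure, 2 = secure only (recommended above).
& dnscmd $dnsServer /Config $newZone /AllowUpdate 2

# Verify that the new zone is configured like the zone it mirrors.
foreach ($zone in $oldZone, $newZone) {
    $info = & dnscmd $dnsServer /ZoneInfo $zone
    "$zone : " + (($info | Select-String 'AllowUpdate') -join '')
}
```

The SRV records themselves are not created here: the domain controllers register them under the new name after the rename, which is why the zone must exist and accept dynamic updates beforehand.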

Redirect Special Folders to a Standalone DFSN
You can use this procedure to redirect special folders to a standalone Distributed File System Namespace (DFSN) for domain rename. Windows Server 2003 and Windows Server 2008 can redirect a set of special folders for users, such as the My Documents folder, from the local computer to a network location. Folder Redirection is an extension to Group Policy that you can use to identify network locations for these folders on specific servers or in a DFSN. If you redirect folders to a network location that uses a domain-based DFSN (\\Domain_Name\DFSN_Name), renaming the Active Directory domain invalidates the path to the domain-based DFSN. If the redirected path is no longer valid, Folder Redirection stops working.
Note
If the NetBIOS name of a domain is used in a domain-based DFSN and the NetBIOS name of the domain is not changed during the domain rename operation, the path to this domain-based DFSN will continue to be valid.
So that Folder Redirection can continue to work after a domain rename operation, folders that are redirected to a domain-based DFSN for a domain that is going to be renamed must instead be redirected to a standalone DFSN (also known as a server-based DFSN) before you rename the domain. Standalone DFSNs are not affected by the domain rename operation. You can configure Folder Redirection to a standalone DFSN instead of a domain-based DFSN by using the Folder Redirection Group Policy extension. For information about how to use Group Policy to redirect special folders to a network location, see Use Folder Redirection (http://go.microsoft.com/fwlink/?LinkId=124089).

Relocate Roaming User Profiles to a Standalone DFSN
You can use this procedure to relocate roaming user profiles to a standalone Distributed File System Namespace (DFSN) for domain rename. Windows Server 2003 and Windows Server 2008 support roaming user profiles, where the user profile (as well as the home directory) can be located on a network location. Just as for Folder Redirection, if roaming user profiles (and the home directory) are placed on a network location by using a domain-based DFSN, renaming the domain invalidates the path to this DFSN, and roaming profiles that use this path stop working.
Note
If the NetBIOS name of a domain is used in a domain-based DFSN and the NetBIOS name of the domain is not changed during a domain rename operation, the path to the domain-based DFSN continues to be valid.
To ensure that network share-based user profiles continue to work after a domain rename operation, user profiles that are located on a domain-based DFSN for a domain that is going to be renamed must be relocated to a standalone DFSN (also known as a server-based DFSN). Server-based DFSNs are not affected by the domain rename operation. For information about how to create roaming user profiles, see Configuring Roaming User Profiles (http://go.microsoft.com/fwlink/?LinkID=122940).


Configure Member Computers for Host Name Changes
You can use this procedure to configure member computers for host name changes in a domain rename operation. By default, the primary Domain Name System (DNS) suffix of a member computer of an Active Directory domain is configured to change automatically when the domain membership of the computer changes. The same default behavior applies when the DNS name of the domain to which a computer is joined changes. For this reason, renaming an Active Directory domain can cause modification of the primary DNS suffix and, therefore, of the full DNS host names of the computers that are members of the renamed domain. For example, if the sales.cohowinery.com domain is renamed to marketing.cohowinery.com, the primary DNS suffix of the member computers of this domain might also change from sales.cohowinery.com to marketing.cohowinery.com, depending on whether the default behavior is in effect. If the default behavior is in effect, the full DNS host name of a computer in the renamed domain changes from host.sales.cohowinery.com to host.marketing.cohowinery.com.

Conditions for automatic computer name change
The primary DNS suffix, and therefore the full DNS name of a member computer in an Active Directory domain, changes automatically when the domain is renamed if both of the following conditions are true:
• The primary DNS suffix of the computer is configured to be updated when domain membership changes.
• No Group Policy that specifies a primary DNS suffix is applied to the member computer.
These conditions represent the default configuration for computers that are running Windows Server 2003 and Windows Server 2008. Remember that the DNS suffix setting also applies to servers that are running Microsoft Exchange. When you determine the primary DNS suffix configuration for your servers, also check your Exchange servers.
Note
The DNS host names of domain controllers in a renamed domain are not changed automatically to use the new domain DNS name as the primary DNS suffix, regardless of the primary DNS suffix configuration. In other words, the DNS names of domain controllers in a renamed domain remain unchanged. You can rename the domain controllers in a separate step after the domain rename operation is complete by using a special domain controller rename procedure. For more information about how to rename a domain controller, see Renaming a Domain Controller.


Replication effects of renaming large numbers of computers
If the conditions that prompt automatic update of the DNS host names for all computers in the domain are true, and if there are a large number of member computers in the domain that is being renamed, replication of that many changes might cause excessive traffic on your network. Recall that a computer name change triggers an update of the dnsHostName and servicePrincipalName attributes on the corresponding computer account in Active Directory Domain Services (AD DS). These attributes are typically updated when the member computer is restarted, as the domain rename operation requires after you rename the domain. Update of these attributes by a large number of computers within a short period of time might trigger replication activity that saturates the network. Moreover, a computer name change triggers an update of the host (A), host (AAAA), and pointer (PTR) resource records in the DNS database. Such updates also cause additional replication traffic, regardless of whether DNS zones are stored in AD DS or in some other DNS store. For these reasons, you should prepare for the domain rename operation in advance by reconfiguring the default behavior that changes the primary DNS suffix on member computers when a domain is renamed.
Important
If you do not think that the resulting replication traffic poses a risk of network congestion or saturation to your infrastructure, you can allow the DNS names of the member computers in the renamed domain to change automatically as a result of the domain rename operation. In other words, if there is no risk of network congestion, skip this preparatory step of configuring member computers for host name changes and proceed with the next step: Prepare Certification Authorities.
On the other hand, if the number of member computers in the domain to be renamed is large and the consequent replication traffic poses a risk of network congestion in your environment, you should prepare for the Active Directory domain rename operation in advance so that you can rename the member computers in smaller batches to mitigate the replication traffic problem. In this case, you can take steps so that computers are not renamed after domain rename by ensuring that at least one of the two conditions in Conditions for automatic computer name change is not true.
Note
You do not have to match the DNS suffix to the new domain name. If your current implementation uses a primary DNS suffix that does not match the DNS name of the domain to which the member computers are joined, and if you do not want the DNS suffix to change following domain rename, you can ensure that these computers are not renamed after the domain rename by verifying that at least one of the two conditions in Conditions for automatic computer name change is not satisfied.


Using Group Policy to apply the new primary DNS suffix
To avoid a replication "storm" that can result from thousands of computer names being changed at approximately the same time, you can use Group Policy to set the primary DNS suffix to the new domain name before the domain rename, so that member computer names are not updated automatically by the rename but already carry the correct primary DNS suffix at the time that you perform the domain rename.

Apply the new primary DNS suffix before renaming domains
If you establish the planned new name of the domain as the primary DNS suffix for all computers in the domain before you rename the domain, you can ensure that your member computers are not renamed automatically after the domain rename operation. In this way, you can avoid a potential problem in which replication of name-change updates negatively affects network performance immediately after the domain rename. You can use the Group Policy setting Primary DNS Suffix to establish the new DNS domain name as the primary DNS suffix for the domain. When this Group Policy setting is in effect, it overrides the default behavior of changing the primary DNS suffix when the DNS name of the domain changes. In this case, the computer names remain the same when you rename the domain, and replication of name changes does not occur.

Apply Group Policy in stages to avoid significant replication
When you apply the Group Policy setting Primary DNS Suffix, it changes the DNS suffix and precipitates a name change. Therefore, you must manage the Group Policy application in stages, depending on how many member computers are in the domain that is being renamed. To apply Group Policy to all member computers in the domain or domains that are being renamed, while also avoiding replication on a large scale, you have to divide computer objects among several locations in AD DS: either organizational units (OUs) or sites, or both. In deployments in which member computers exist in numbers that can affect network efficiency if all computers were renamed at the same time, you want to have computers distributed among several OUs, for ease of administration. If member computers at both the site and OU levels are too numerous to undergo a name change without causing excessive replication, you might want to create additional organizational units to temporarily house some of the computers so that you can apply Group Policy in stages.
Important
Do not apply the Group Policy setting to cause a DNS host name change for member servers that house software distribution points for managed software deployment in your domain. You should wait until the step Fix Group Policy Objects and Links later in this document. The member servers that house software distribution points will change their DNS host name at that step after they are restarted.
You can rename member computers one group at a time by using the following sequence of tasks:
1. Estimate the largest number of computers (N) that can be renamed in your environment so that the resulting replication traffic can be sustained by your network without becoming saturated. It is our expectation that 1000 is an acceptable number.
2. Divide the member computers in the domain to be renamed into groups. Each group should contain no more than the number of computers N estimated in step 1, so that the new primary DNS suffix can be applied to one group at a time.
Note
The "groups" that are specified in this step are purely imaginary entities that represent some collection of computers. There might be no actual object that corresponds to such a group in the domain. For example, the combination of two OUs, or one site, or one site plus an OU, and so on, might be used to form one group, provided that the number of computers in the group does not exceed the number N specified in step 1. If existing sites and OUs all contain more computers than the number N specified in step 1, you might have to create one or more temporary OUs to group computers so that the new primary DNS suffix can be applied to one group (in this case, one or more OUs) at a time. As an alternative, you can restrict the scope of application of Group Policy to one group by creating a temporary security group that consists of the computers that should receive the policy and by setting security permissions on the Group Policy object (GPO) accordingly, using the security group that you just created.
3. Create a staggered schedule that determines when the new primary DNS suffix will be applied to each group of computers that you established in step 2. Ensure that there is sufficient time between two consecutive applications of the Group Policy setting Primary DNS Suffix to two different groups of computers to allow replication to occur. Replication of the updated dnsHostName and servicePrincipalName attributes on computer accounts, and replication of the DNS records of the renamed computers, must be fully completed during the scheduled gap.
4. Configure the domain that is being renamed to allow member computers of the domain to register the new primary DNS suffix in the dnsHostName attribute of their corresponding computer accounts in AD DS.

Configuration required before the application of Group Policy
When you apply the Group Policy setting Primary DNS Suffix, the DNS suffix of member computers will no longer match the DNS name of the domain of which they are members. To allow the member computers of a domain to have a primary DNS suffix that does not match the DNS domain name, you must first configure the domain to accept the names that the DNS suffix can have. This configuration must be in place before you can set Group Policy to apply to a set of computers. To configure the set of DNS suffixes that can be applied to computers in the domain, add a new value (or values) to the msDS-AllowedDNSSuffixes multivalued attribute of the domain object (the domainDNS object for the domain) so that the attribute contains a list of DNS suffixes that member computers of the Active Directory domain can have. When you apply the Group Policy setting Primary DNS Suffix, you will specify one of the DNS suffixes that you have added to the msDS-AllowedDNSSuffixes attribute.
If you apply the Primary DNS Suffix Group Policy setting to the computers in the domain to be renamed, we highly recommend that you also set the DNS Suffix Search List Group Policy setting and apply it to the computers in the domain being renamed. The DNS Suffix Search List setting should contain the old primary DNS suffix, the new primary DNS suffix, and potentially the parent suffixes of the old and new primary DNS suffixes. (The latter depends on whether parent namespaces are being used in the organization.) For example, suppose that the old name of a domain was payroll.hr.sales.cohowinery.com (which also corresponds to the old primary DNS suffix). Also, suppose that the new name of the domain is payroll.sales.cohowinery.com (which also corresponds to the new primary DNS suffix). The DNS Suffix Search List should contain the following suffixes:
• payroll.hr.sales.cohowinery.com
• payroll.sales.cohowinery.com
and it may contain these suffixes:
• hr.sales.cohowinery.com
• sales.cohowinery.com
• cohowinery.com

Such a configuration preserves the ability of users to resolve the DNS names of computers in the domain that is being renamed by specifying only the first label of the full DNS name of a computer, even during the transition period when a user's computer and the resource server may have different primary DNS suffixes. For the same reason, if computers in another domain were configured with a DNS Suffix Search List that contains the old name of a domain being renamed, those computers should be reconfigured during the domain rename operation so that the DNS Suffix Search List contains both the old and the new domain names.

Configuring member computers for host name changes in large deployments
If your AD DS implementation is large enough to warrant updating the primary DNS suffix before the domain rename (that is, you want to avoid the effects of excessive replication of computer name changes that follow domain rename), you must complete the following tasks:
• Determine the Primary DNS Suffix Configuration
• Determine Whether Group Policy Controls the Primary DNS Suffix
• Configure the Domain to Allow a Primary DNS Suffix that Does Not Match the Domain Name
• Apply Group Policy to Set the Primary DNS Suffix


Determine the primary DNS suffix configuration
As a preliminary step, if you do not know how your member computers are configured with respect to updating the primary DNS suffix when the membership domain changes, you first want to establish these conditions. The following procedures describe two ways to view the setting on a member computer that determines whether the primary DNS suffix changes when the name of the membership domain changes.
To check the primary DNS suffix update configuration using Control Panel
1. On a member computer, in Control Panel, double-click System.
2. Click the Change settings link.
3. On the Computer Name tab, click Change.
4. Click More, and then verify whether Change primary domain suffix when domain membership changes is selected.
5. Click OK until all dialog boxes are closed.

To check the primary DNS suffix update configuration for a computer using the registry
1. On the Start menu, click Run.
2. In Open, type regedit, and then click OK.
Caution
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
3. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
4. Verify whether the value of the REG_DWORD entry SyncDomainWithMembership is 0x1. This value indicates that the primary DNS suffix changes when the domain membership changes.

Determine whether Group Policy controls the primary DNS suffix
You can also determine whether Group Policy is applied to the computer to specify the primary DNS suffix. You can determine whether Group Policy specifies the primary DNS suffix for a member computer by using either of the following two procedures.


To determine whether Group Policy specifies the primary DNS suffix by using the command line
1. To open a command prompt, click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following command, and then press ENTER:
gpresult
3. In the output, under Applied Group Policy Objects, check whether a GPO that sets Primary DNS Suffix is listed.
Or
4. Type the following command, and then press ENTER:
ipconfig /all
5. Check Primary DNS Suffix in the output. If it does not match the primary DNS suffix that is specified in Control Panel for the computer, the Primary DNS Suffix Group Policy setting is applied.

To determine whether Group Policy specifies the primary DNS suffix by using the registry
1. On the Start menu, click Run.
2. In Open, type regedit, and then click OK.
3. Navigate to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient.
4. Check for the presence of the entry Primary DNS Suffix. If a value is present, the Primary DNS Suffix Group Policy setting is applied to the computer.
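Checking one computer at a time with regedit does not scale to the deployments this section is about. The following added example (not part of the original guide) reads both registry locations named in the procedures above over WinRM from every enabled computer account in a domain and reports which computers will be renamed automatically by the domain rename, that is, which satisfy both conditions in Conditions for automatic computer name change. It assumes the ActiveDirectory module, PowerShell remoting enabled on the targets, and local administrator rights there; the value name PrimaryDnsSuffix under the DNSClient policy key is the entry that the Primary DNS Suffix Group Policy setting writes, and the domain name is an assumption.

```powershell
# Added example (not from the original guide): inventory the two conditions for
# automatic computer name change across a domain's member computers.
# Assumes the ActiveDirectory module, WinRM access and admin rights on targets.
Import-Module ActiveDirectory

$domain    = 'sales.cohowinery.com'    # assumed domain that will be renamed
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -Server $domain |
             Select-Object -ExpandProperty DNSHostName

$probe = {
    $tcp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
                            -ErrorAction SilentlyContinue
    # Condition 1: SyncDomainWithMembership (absent means the default, which is 1).
    $sync = if ($null -eq $tcp.SyncDomainWithMembership) { $true } else { [bool]$tcp.SyncDomainWithMembership }
    [pscustomobject]@{
        CurrentSuffix      = $tcp.Domain
        SyncWithMembership = $sync
        PolicySuffix       = $pol.PrimaryDnsSuffix   # Condition 2: present only when the GPO applies
    }
}

$results = Invoke-Command -ComputerName $computers -ScriptBlock $probe -ErrorAction SilentlyContinue |
    Select-Object PSComputerName, CurrentSuffix, SyncWithMembership, PolicySuffix,
        @{ n = 'WillAutoRename'; e = { $_.SyncWithMembership -and -not $_.PolicySuffix } }

$results | Sort-Object WillAutoRename -Descending | Format-Table -AutoSize

# Unreachable computers must be assumed to have the default (both conditions true).
$unreachable = $computers | Where-Object { $_ -notin $results.PSComputerName }
"Will be renamed automatically : $(@($results | Where-Object WillAutoRename).Count)"
"Already pinned by policy      : $(@($results | Where-Object { $_.PolicySuffix }).Count)"
"Unreachable (assume default)  : $(@($unreachable).Count)"
```

The count of computers that will be renamed automatically is the number to compare against N in step 1 of the staged procedure above; if it exceeds N, the staged Group Policy approach is needed.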

Configure the domain to allow a primary DNS suffix that does not match the domain name
Before you apply Group Policy to set the primary DNS suffix for each renamed domain, create a list of the DNS suffixes that you want to use for each domain. By default, the only primary DNS suffix available to the domain is the DNS name of the domain itself. To make these different DNS suffixes available to member computers, you must first make the DNS suffixes known to the domains in which you want to use them. You add DNS suffixes to the domain by editing the attribute msDS-AllowedDNSSuffixes on the domain object to contain the additional DNS domain names that are available to be used as DNS suffixes for that domain. To be able to add a primary DNS suffix that is different from the current DNS domain name, your environment must meet the following requirements:
• All domain controllers in the domain must be running Windows Server 2003 or Windows Server 2008.
• For each new DNS suffix that you add, a subdomain by that name must exist in DNS.


Caution
The same value in the msDS-AllowedDNSSuffixes attribute cannot be used for more than one domain in the forest. This undesired configuration enables a malicious administrator of a computer that is joined to one such domain to set the servicePrincipalName attribute of its computer account to the same value as the Service Principal Name (SPN) of a computer in the other domain that is configured to allow the same DNS suffix. Such a configuration prevents Kerberos authentication against both of these computers.
The attribute msDS-AllowedDNSSuffixes is an attribute of the domain object. Therefore, you must set DNS suffixes for each domain whose name is going to change.
To use ADSI Edit to add DNS suffixes to msDS-AllowedDNSSuffixes
1. Click Start menu, click Administrative Tools, and then click ADSI Edit.
2. Double-click the domain directory partition for the domain that you want to modify.
3. Right-click Domain container object, and then click Properties.
4. On the Attribute Editor tab, in Attributes, double-click the attribute msDS-AllowedDNSSuffixes.
5. In the Multi-valued String Editor dialog box, in Value to add, type a DNS suffix, and then click Add.
6. When you have added all the DNS suffixes for the domain, click OK.
7. Click OK to close the Properties dialog box for that domain.
8. In the console tree, right-click ADSI Edit, and then click Connect to.
9. Under Computer, click Select or type a domain or server.
10. Type the name of the next domain for which you want to set the primary DNS suffix, and then click OK.
11. Repeat steps 2 through 7 for that domain.
12. Repeat steps 8 through 10 to select each subsequent domain and repeat steps 2 through 7 to set the primary DNS suffix for each subsequent domain that is being renamed.
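Before you start the procedure above, and again after you have edited the last domain, it is worth checking that no suffix has ended up in msDS-AllowedDNSSuffixes of two domains, which is the configuration the Caution describes. The following is an added example and not Microsoft's code; it reads the attribute from every domain in the current forest through System.DirectoryServices (so it does not need the Active Directory module) and reports any suffix allowed in more than one domain. It assumes the account running it can read the domain objects, which any authenticated user normally can; the sample map at the end is constructed, not read from a real forest.

```powershell
# Added example; not code from the Microsoft guide.
# Reads msDS-AllowedDNSSuffixes from every domain in the current forest and
# flags any suffix that is allowed in two or more domains (the configuration
# the Caution above warns about). A domain's own DNS name counts as an allowed
# suffix, so a domain that allows another domain's name is flagged too.
# Assumption: the caller can read the domain objects (normally any
# authenticated user can).

function Get-AllowedDnsSuffixMap {
    # Returns a hashtable: domain DNS name -> array of allowed suffixes
    $map = @{}
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($domain in $forest.Domains) {
        $entry  = $domain.GetDirectoryEntry()
        $values = @()
        foreach ($v in $entry.Properties['msDS-AllowedDNSSuffixes']) {
            $values += [string]$v
        }
        $map[$domain.Name] = @($domain.Name) + $values
    }
    return $map
}

function Find-DuplicateDnsSuffixes {
    param([hashtable]$SuffixMap)
    # Emits one object per suffix that appears in two or more domains
    $owners = @{}
    foreach ($domainName in $SuffixMap.Keys) {
        foreach ($suffix in $SuffixMap[$domainName]) {
            $key = $suffix.ToLowerInvariant()
            if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
            $owners[$key] += $domainName
        }
    }
    foreach ($suffix in $owners.Keys) {
        if ($owners[$suffix].Count -gt 1) {
            [pscustomobject]@{ Suffix = $suffix; Domains = ($owners[$suffix] -join ', ') }
        }
    }
}

# Constructed sample (not read from a real forest): 'corp.example' has been
# added to both domains and will be reported.
$sample = @{
    'cohovineyard.com'       = @('cohovineyard.com', 'cohowinery.com', 'corp.example')
    'sales.cohovineyard.com' = @('sales.cohovineyard.com', 'sales.cohowinery.com', 'corp.example')
}
Find-DuplicateDnsSuffixes -SuffixMap $sample | Format-Table -AutoSize

# Against the live forest (no output means no duplicate suffixes):
# Find-DuplicateDnsSuffixes -SuffixMap (Get-AllowedDnsSuffixMap)
```

Any row the live check prints must be resolved by removing the suffix from all but one domain before the Primary DNS Suffix policy is applied to member computers.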

Apply Group Policy to set the primary DNS suffix
Start applying the Group Policy setting Primary DNS Suffix to one group of computers at a time. (For more information, see Apply Group Policy in stages to avoid significant replication.) The new primary DNS suffix must be applied to all member computers in a domain before the domain is renamed.
Note
The group of member computers to which this Group Policy setting is applied will have to be restarted for the host name change to take effect.


To apply the Group Policy setting Primary DNS Suffix to groups of member computers
1. Open the Group Policy Management Editor snap-in: click Start, click Administrative Tools, and then click Group Policy Management.
2. In Group Policy Management Editor, right-click the domain or OU that contains the group of computers to which you are applying Group Policy.
3. In Group Policy Objects, right-click the GPO that you want to contain the Primary DNS Suffix setting, and then click Edit.
Note
To create a new GPO that will contain the Primary DNS Suffix setting, right-click Group Policy Objects, click New, and then type a name for the object.
4. Under Computer Configuration, expand Policies and Administrative Templates, Network, and then click DNS Client.
5. In the results pane, double-click Primary DNS Suffix.
6. Click Enabled, and then in the Enter a primary DNS suffix box, type the DNS suffix for the domain whose member computers are in the group that you selected in step 2.
After the Active Directory domain has been renamed and all member computers have had time to restart, you can disable the Group Policy setting that you enabled in step 6 of the previous procedure.
Note
The steps in the previous procedure result in naming member computers only, not domain controllers. Renaming mission-critical servers, such as domain controllers, requires special preparation that is beyond the scope of this document. For information about how to rename a domain controller, see Renaming a Domain Controller. We strongly recommend that you carefully read this Help documentation and then rename domain controllers in a renamed domain according to the specified recommendations only after the domain rename operation has completed successfully.

Prepare Certification Authorities
You can use this procedure to prepare certification authorities (CAs) for domain rename. Management of enterprise certificates can be sustained through a domain rename operation when the following requirements are in effect before domain rename:
• The CAs are not installed on domain controllers.
• As a best practice, all the CAs should include both Lightweight Directory Access Protocol (LDAP) and Hypertext Transfer Protocol (HTTP) URLs in their Authority Information Access (AIA) and Certificate Distribution Point (CDP) extensions.


Caution
If any certificate that the CA issues has only one of these URL types, the certificate may or may not work.
Depending on the complexity of your domain configuration, steps in this document might not be sufficient for proper management of CAs after the domain rename operation. Proceed with these steps only if you have considerable expertise in handling Microsoft CAs.
If one or more of the following conditions exist at the time of domain rename, CA management is not supported:
• The CA is configured to have only LDAP URLs for its CDP or AIA. Because the old LDAP extensions would be invalid after the domain rename operation, all the certificates that are issued by the CA are no longer valid. As a workaround, you have to renew the existing CA hierarchy and all issued End Entity certificates.
• After the domain rename operation, the name constraints might not be valid. As a workaround, you will have to reissue cross-certificates with appropriate name constraints.
• A Request for Comments (RFC) 822-style e-mail name is used in the user account. If the CA (or the certificate template) is configured to include RFC 822-style e-mail names and this name style is used in the certificates that are issued, these certificates will contain an incorrect e-mail name after the domain rename operation. Any such Active Directory accounts should be changed before any certificate is issued.
As a best practice, the default LDAP and HTTP URLs require no special configuration before the domain rename operation.
Before you begin the domain rename operation, ensure that the certificate revocation lists (CRLs) and the CA certificates will not expire soon. If you find that they are close to expiration, complete the following tasks before the domain rename operation:
1. Renew the CA certificates.
2. Issue a new CRL with the appropriate validity period.
3. Wait until both of these previous items have propagated to all client computers.
For more information, see Active Directory Certificate Services (http://go.microsoft.com/fwlink/?LinkID=122951).

Exchange-Specific Steps: Prepare a Domain that Contains Exchange
You can use this procedure to prepare a domain that contains Exchange for a domain rename operation.
Important
The Windows Server 2008 domain rename operation is not supported in an Active Directory forest that contains Exchange Server 2003, Exchange Server 2003 Service Pack 2 (SP2), Exchange Server 2007, or Exchange Server 2007 Service Pack 1 (SP1).

If your forest contains Exchange 2003 Service Pack 1 (SP1) servers, you can run the Windows Server 2008 domain rename operation, but you must also use the Exchange Domain Rename Fix-up Tool to update Exchange attributes. For more information, see Microsoft Exchange Server Domain Rename Fixup (XDR-Fixup) (http://go.microsoft.com/fwlink/?LinkID=122952). This document describes preliminary steps and instructions for running the Exchange Domain Rename Fix-up Tool. As part of the preliminary steps, you must move Exchange off all domain controllers and discontinue Exchange configuration changes.

Performing the Domain Rename Operation
This task provides information about performing the domain rename operation. This task describes in detail the procedures that you complete to perform the domain rename operation in your forest. Be sure that you have reviewed and completed every preliminary procedure that applies to your domain rename conditions, as described in Preparing for the Domain Rename Operation. After you complete all the procedures in this task, the target domain name changes will be effective in your forest. The domain name changes will have propagated to all the domain controllers in your forest, as well as to the member computers in the renamed domains. A brief period of interruption in your Active Directory forest service occurs during the time when all of the domain controllers in the forest are automatically restarting. The exact point at which the service interruption occurs is indicated in Run Domain Rename Instructions. Except for this brief period of interruption, the Active Directory Domain Services (AD DS) service should continue to be available and function normally throughout the rest of the domain rename process.

Task requirements
The following is required to perform the procedures for this task:
• Rendom.exe
• Repadmin.exe
• Gpfixup.exe

To complete this task, perform the following procedures:
• Set Up the Control Station
• Freeze the Forest Configuration
• Back Up All Domain Controllers
• Generate the Current Forest Description
• Specify the New Forest Description
• Generate Domain Rename Instructions
• Push Domain Rename Instructions to All Domain Controllers and Verify DNS Readiness
• Verify Readiness of Domain Controllers
• Run Domain Rename Instructions
• Exchange-Specific Steps: Update the Exchange Configuration and Restart Exchange Servers
• Unfreeze the Forest Configuration
• Re-establish External Trusts
• Fix Group Policy Objects and Links

Set Up the Control Station
You can use this procedure to set up the control station for a domain rename operation. To perform an Active Directory domain rename operation, you must set up a single computer as the administrative control station for the entire domain rename operation. All the domain rename procedures are performed and controlled from this computer. You copy all the required tools to perform the domain rename operation to a directory on the local disk of the control station and run the tools from that control station. Although the domain rename operation involves contacting each domain controller in the forest, the domain controllers are contacted remotely by the domain rename tools from the control station.
Prerequisites
• Computer: Use a computer that is a member of a domain in the forest in which the domain rename operation is to be performed to serve as the control station.
• Operating system: The computer must be a member computer (not a domain controller) that is running Windows Server 2003 Standard Edition or Windows Server 2008 Standard, Windows Server 2003 Enterprise Edition or Windows Server 2008 Enterprise, or Windows Server 2003 Datacenter Edition or Windows Server 2008 Datacenter.
Important
Do not use a domain controller to act as the control station for the domain rename operation.
• Operating system CD: You must have the Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, or Windows Server 2003 Datacenter Edition operating system CD.
Membership in the Local Administrators group (or write access to a local disk drive) on the computer that is the control station is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To set up the control station on a Windows Server 2003 member server
1. On a local disk drive of the selected control station computer, create a working directory for the domain rename tools, for example, C:\domren.
Note
Each time that you use the tools in this procedure, run them from this directory.
2. Insert the Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, or Windows Server 2003 Datacenter Edition operating system CD into the CD-ROM drive and copy the files from the valueadd directory into your working directory as follows:
copy D:\valueadd\msft\mgmt\domren\*.* C:\domren

In particular, verify that the two tools Rendom.exe and Gpfixup.exe have been copied into the working directory on the control station.
3. Install the Support Tools from the Support\Tools folder on the Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, or Windows Server 2003 Datacenter Edition operating system CD. (To install Support Tools, run Suptools.msi in the Support\Tools directory.) In particular, verify that the tools Rendom.exe, Repadmin.exe, Dfsutil.exe, and Gpfixup.exe are installed on the control station.
To set up the control station on a Windows Server 2008 member server
1. On a local disk drive of the selected control station computer, create a working directory for the domain rename tools, for example, C:\domren.
Note
Each time that you use the tools in this procedure, run them from this directory.
2. To obtain the necessary tools for the domain rename operation, install the Remote Server Administration Tools Pack. For more information, see Installing or Removing the Remote Server Administration Tools Pack (http://go.microsoft.com/fwlink/?LinkId=124111). Verify that the tools Rendom.exe, Repadmin.exe, Dfsutil.exe, and Gpfixup.exe are installed on the control station in the C:\Windows\System32 directory.
3. Copy the Rendom.exe, Repadmin.exe, Dfsutil.exe, and Gpfixup.exe tools from the C:\Windows\System32 directory into your working directory as follows:
robocopy C:\Windows\System32 C:\domren rendom.exe repadmin.exe dfsutil.exe gpfixup.exe

Freeze the Forest Configuration
You can use this procedure to freeze the forest configuration for a domain rename operation. When your domain rename plan is in place and all preliminary procedures are complete, you must ensure that the configuration of your forest will not change until after the domain rename operation is complete. Therefore, before you begin the domain rename operation you must discontinue the following activities in your forest:
• Creating new domains in, or removing existing domains from, your forest
• Creating new application directory partitions in, or removing existing application directory partitions from, your forest
• Adding domain controllers to, or removing domain controllers from, your forest
• Creating or deleting shortcut trusts within your forest
• Adding attributes to, or removing attributes from, the set of attributes that replicate to the global catalog (the partial attribute set).
You can resume these activities after you successfully complete the domain rename operation. For more information, see Unfreeze the Forest Configuration.

Back Up All Domain Controllers
Back up all domain controllers before you begin a domain rename operation. Perform a full system state backup of all domain controllers in the forest. For more background information and detailed step-by-step instructions for backing up domain controllers, see the Step-by-Step Guide for Windows Server 2008 Active Directory Domain Services Backup and Recovery (http://go.microsoft.com/fwlink/?LinkId=93077).

Generate the Current Forest Description
You can use this procedure to generate a current forest description for a domain rename operation. In this procedure, you use the domain rename tool Rendom.exe to generate a textual description of your current forest structure as an XML-encoded file named Domainlist.xml, which contains a list of all domain directory partitions as well as application directory partitions that constitute your forest. This file includes an entry for every domain and application directory partition, and each entry is bounded by the <Domain></Domain> XML tags. Each entry for a domain (or an application directory partition) contains its naming data, which includes the object globally unique identifier (GUID) of the partition root object, the Domain Name System (DNS) name of the domain (or application directory partition), and the NetBIOS name of the domain. (An application directory partition does not have a NetBIOS name.) The domain name changes will be specified from this XML-encoded forest description file in the subsequent step of the domain rename operation.
The following is a sample Domainlist.xml file that is generated in a forest with two domains named cohovineyard.com (with a NetBIOS name of COHOVINEYARD) and sales.cohovineyard.com (with a NetBIOS name of SALES). In addition to the two entries that correspond to the two domains in the forest, the following three entries appear. These entries correspond to the application directory partitions that the Active Directory-integrated DNS service uses:
• DomainDnsZones.sales.cohovineyard.com
• DomainDnsZones.cohovineyard.com
• ForestDnsZones.cohovineyard.com
These application directory partitions must also be renamed.
<?xml version="1.0"?>
<Forest>
  <Domain>
    <!-- PartitionType:Application -->
    <Guid>98add7bb-d0e5-488e-52b8-5aaca9d3e15b</Guid>
    <DNSname>DomainDnsZones.sales.cohovineyard.com</DNSname>
    <NetBiosName></NetBiosName>
    <DcName></DcName>
  </Domain>
  <Domain>
    <Guid>58cf5ae3-f4a3-493b-ac9c-cb09a67bfa40</Guid>
    <DNSname>sales.cohovineyard.com</DNSname>
    <NetBiosName>SALES</NetBiosName>
    <DcName></DcName>
  </Domain>
  <Domain>
    <!-- PartitionType:Application -->
    <Guid>f015841b-c588-4701-bfa6-9c016e8d31e6</Guid>
    <DNSname>ForestDnsZones.cohovineyard.com</DNSname>
    <NetBiosName></NetBiosName>
    <DcName></DcName>
  </Domain>
  <Domain>
    <!-- PartitionType:Application -->
    <Guid>f015841b-c588-4701-bfa6-9c016e8d31f3</Guid>
    <DNSname>DomainDnsZones.cohovineyard.com</DNSname>
    <NetBiosName></NetBiosName>
    <DcName></DcName>
  </Domain>
  <Domain>
    <!-- ForestRoot -->
    <Guid>58cf7b34-d693-32a5-da7b-7a5e04bc45a4</Guid>
    <DNSname>cohovineyard.com</DNSname>
    <NetBiosName>COHOVINEYARD</NetBiosName>
    <DcName></DcName>
  </Domain>
</Forest>

Important
The functional level of the forest in which you perform the domain rename operation must be set to Windows Server 2003 or Windows Server 2008. Otherwise, the domain rename tool, Rendom.exe, reports an error and it cannot proceed with further steps.
Membership in the Enterprise Admins group in the current forest and the Local Administrators group (or write access to the domain rename C:\domren working directory) on the control station computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Note
You can use credentials other than those credentials with which you are currently logged on. To use alternative credentials, use the /user and /pwd command-line switches of rendom, as described in Appendix A: Command-Line Syntax for the Rendom Tool.
To generate the current forest description file
1. On the control station, click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following command to change to the working directory, and then press ENTER:
cd C:\domren

3. To generate the XML-encoded forest description file, at the command prompt, type the following command, and then press ENTER:
rendom /list

4. Save a copy of the current forest description file (Domainlist.xml) that was generated in step 3 as Domainlist-save.xml for future reference by using the following copy command:
copy domainlist.xml domainlist-save.xml

Note
The Rendom tool contacts the domain controller that is the current domain naming operations master role owner in the target forest to gather the information that is necessary to generate the forest description file. The command might fail if the domain naming master is unavailable or unreachable from the control station.


Specify the New Forest Description
You can use this procedure to specify the new forest description for a domain rename operation. In this procedure, you use a text editor to specify your new target forest structure by editing the forest description file Domainlist.xml that you created with the procedure Generate the Current Forest Description. The new forest description, which is specified through changes to the domain and the application directory partition names in the Domainlist.xml file, will form the starting point for the remainder of the steps in the domain rename operation.
You can change either the Domain Name System (DNS) name (the field that is bounded by the <DNSname></DNSname> tags) or the NetBIOS name (the field that is bounded by the <NetBiosName></NetBiosName> tags), or both names, for any given domain in the forest. You cannot, however, change the globally unique identifier (GUID) in the field that is bounded by the <Guid></Guid> tags. Furthermore, pay special attention to the fact that when the DNS name of a parent domain changes, the DNS name of its child domain should also be changed, unless you are deliberately restructuring the child domain into a new domain tree root in the forest. For example, if the root domain cohovineyard.com is renamed to cohowinery.com, the child domain sales.cohovineyard.com should also be renamed to sales.cohowinery.com, unless you want to make the domain sales.cohovineyard.com become the root of a new domain tree.
Here is a sample of a forest description Domainlist.xml file before and after you edit it for domain name changes to rename the root domain from cohovineyard.com to cohowinery.com. This name change of the forest root domain also results in a renaming of the child domain from sales.cohovineyard.com to sales.cohowinery.com. Furthermore, assume that the NetBIOS name of the root domain is also being changed from COHOVINEYARD to COHOWINERY.
BEFORE editing (root domain name: cohovineyard.com)
<Forest>
  <Domain>
    <!-- PartitionType:Application -->
    <Guid>98add7bb-d0e5-488e-52b8-5aaca9d3e15b</Guid>
    <DNSname>DomainDnsZones.sales.cohovineyard.com</DNSname>
    <NetBiosName></NetBiosName>
    <DcName></DcName>
  </Domain>
  <Domain>
    <Guid>58cf5ae3-f4a3-493b-ac9c-cb09a67bfa40</Guid>
    <DNSname>sales.cohovineyard.com</DNSname>
    <NetBiosName>SALES</NetBiosName>
    <DcName></DcName>
  </Domain>
  <Domain>
    <!-- PartitionType:Application -->
    <Guid>f015841b-c588-4701-bfa6-9c016e8d31e6</Guid>
    <DNSname>ForestDnsZones.cohovineyard.com</DNSname>
    <NetBiosName></NetBiosName>
    <DcName></DcName>
  </Domain>
  <Domain>
    <!-- PartitionType:Application -->
    <Guid>f015841b-c588-4701-bfa6-9c016e8d31f3</Guid>
    <DNSname>DomainDnsZones.cohovineyard.com</DNSname>
    <NetBiosName></NetBiosName>
    <DcName></DcName>
  </Domain>
  <Domain>
    <!-- ForestRoot -->
    <Guid>58cf7b34-d693-32a5-da7b-7a5e04bc45a4</Guid>
    <DNSname>cohovineyard.com</DNSname>
    <NetBiosName>COHOVINEYARD</NetBiosName>
    <DcName></DcName>
  </Domain>
</Forest>

AFTER editing (root domain name: cohowinery.com)
<Forest>
  <Domain>
    <!-- PartitionType:Application -->
    <Guid>98add7bb-d0e5-488e-52b8-5aaca9d3e15b</Guid>
    <DNSname>DomainDnsZones.sales.cohowinery.com</DNSname>
    <NetBiosName></NetBiosName>
    <DcName></DcName>
  </Domain>
  <Domain>
    <Guid>58cf5ae3-f4a3-493b-ac9c-cb09a67bfa40</Guid>
    <DNSname>sales.cohowinery.com</DNSname>
    <NetBiosName>SALES</NetBiosName>
    <DcName></DcName>
  </Domain>
  <Domain>
    <!-- PartitionType:Application -->
    <Guid>f015841b-c588-4701-bfa6-9c016e8d31e6</Guid>
    <DNSname>ForestDnsZones.cohowinery.com</DNSname>
    <NetBiosName></NetBiosName>
    <DcName></DcName>
  </Domain>
  <Domain>
    <!-- PartitionType:Application -->
    <Guid>f015841b-c588-4701-bfa6-9c016e8d31f3</Guid>
    <DNSname>DomainDnsZones.cohowinery.com</DNSname>
    <NetBiosName></NetBiosName>
    <DcName></DcName>
  </Domain>
  <Domain>
    <!-- ForestRoot -->
    <Guid>58cf7b34-d693-32a5-da7b-7a5e04bc45a4</Guid>
    <DNSname>cohowinery.com</DNSname>
    <NetBiosName>COHOWINERY</NetBiosName>
    <DcName></DcName>
  </Domain>
</Forest>

Note
The current forest description must be available as the XML-encoded file Domainlist.xml that can be modified.
Membership in the Local Administrators group (or write access to the domain rename C:\domren working directory) on the control station computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To edit the Domainlist.xml file
1. Use a simple text editor, such as Notepad.exe, to open the current forest description file Domainlist.xml that you created in Generate the Current Forest Description.
2. Edit the forest description file, replacing the current DNS or NetBIOS names of the domains and application directory partitions to be renamed with the planned new DNS or NetBIOS names.
Note
It is not necessary to change the NetBIOS name of a domain when its DNS name changes.

Renaming application directory partitions
In the previous sample forest description Domainlist.xml file, notice that there are two DNSname entries that are not domains. These directory partitions are labeled as follows:
<!-- PartitionType:Application -->

These directory partitions store DNS zone data. By default, application directory partitions can be used to store DNS zone data and Microsoft Telephony Application Programming Interface (TAPI) data in Active Directory Domain Services (AD DS). Other applications must be programmed to create and use application directory partitions in AD DS. Application directory partitions can exist anywhere in the domain hierarchy where a domain directory partition can exist, except for the forest root or tree root domain positions. However, when you rename a domain, an application directory partition that occurs below the renamed domain in the domain tree is not renamed automatically. You must take care to edit the names of application directory partitions if they occur below a renamed domain in the hierarchy.

DNS data
If you have Active Directory-integrated DNS that is running on a domain controller, the DNS server might have created one or more application directory partitions to store data for DNS zones. There is one DNS-specific application directory partition dedicated for each domain (named DomainDnsZones.<domain DNS name>, where <domain DNS name> is the name of the domain), and another DNS-specific application directory partition dedicated for the entire forest (named ForestDnsZones.<forest DNS name>, where <forest DNS name> is the name of the forest root domain).
Important
When an Active Directory forest root domain or other domain is renamed, the corresponding DNS-specific application directory partition must be renamed. If the DNS-specific application directory partition is not renamed, new DNS servers that are added to the network will not automatically load the DNS zones that are stored in the DNS-specific application directory partition, and therefore they will not function correctly.
As you can see from the contents of the sample Domainlist.xml file before and after editing, the following three DNS-specific application directory partitions in the original forest:
DomainDnsZones.sales.cohovineyard.com
DomainDnsZones.cohovineyard.com
ForestDnsZones.cohovineyard.com
are renamed to:
DomainDnsZones.sales.cohowinery.com
DomainDnsZones.cohowinery.com
ForestDnsZones.cohowinery.com
in the new forest as a result of the domain name sales.cohovineyard.com being changed to sales.cohowinery.com and the forest root domain name cohovineyard.com being changed to cohowinery.com, respectively.

TAPI data
If you have a Microsoft TAPI dynamic directory for a domain that is hosted by AD DS, you may have created one or more application directory partitions (one for each domain) to store TAPI application data. There is one TAPI-specific application directory partition configured for each domain. When you rename an Active Directory domain, the corresponding TAPI-specific application directory partition is not renamed automatically. We recommend that you rename a TAPI-specific application directory partition when its corresponding domain name is changed.
To rename application directory partitions
1. Examine the forest description file to determine if any application directory partitions in the forest must be renamed as a result of the domain DNS name changes that are being specified.
2. Consult the documentation for the application that created the application directory partition to see if the directory partition should be renamed. Any DNS name changes for application directory partitions must also be specified in the forest description file Domainlist.xml, along with the domain directory partition name changes.
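Editing Domainlist.xml by hand works for a two-domain forest, but the rules stated in Specify the New Forest Description and in the two sections on application directory partitions (rewrite every DNSname that is or ends in the old root name, including the DomainDnsZones and ForestDnsZones partitions; change the NetBIOS name only where you mean to; never touch a Guid) are easy to violate in a larger forest. The following is an added example, not Microsoft's code, that applies a root-domain rename to the file mechanically and then checks the result against those rules before you run rendom /showforest. It assumes the <Forest><Domain>...</Domain></Forest> layout that rendom /list produces; the embedded sample is constructed, cut down from the BEFORE sample above.

```powershell
# Added example; not code from the Microsoft guide.
# Applies a root-domain rename to a Domainlist.xml document the way the
# BEFORE/AFTER sample above shows: every DNSname equal to, or ending in, the old
# root name is rewritten (domains and DomainDnsZones/ForestDnsZones application
# partitions alike), the root NetBIOS name is optionally changed, and no Guid is
# touched. Assumption: the <Forest><Domain>...</Domain></Forest> layout that
# rendom /list produces.

function Rename-ForestDescription {
    param(
        [string]$Xml,                     # contents of Domainlist.xml
        [string]$OldRoot,                 # e.g. cohovineyard.com
        [string]$NewRoot,                 # e.g. cohowinery.com
        [string]$NewRootNetBios = $null   # e.g. COHOWINERY; omit to keep it
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true
    $doc.LoadXml($Xml)

    $changes = @()
    foreach ($domain in $doc.SelectNodes('/Forest/Domain')) {
        $dnsNode = $domain.SelectSingleNode('DNSname')
        $old = $dnsNode.InnerText
        $new = $null
        if ($old -ieq $OldRoot) {
            $new = $NewRoot
        } elseif ($old.ToLower().EndsWith('.' + $OldRoot.ToLower())) {
            # Keep the child labels, swap only the root part
            $new = $old.Substring(0, $old.Length - $OldRoot.Length) + $NewRoot
        }
        if ($new) {
            $dnsNode.InnerText = $new
            $changes += "$old -> $new"
        }
        if ($NewRootNetBios -and ($old -ieq $OldRoot)) {
            $domain.SelectSingleNode('NetBiosName').InnerText = $NewRootNetBios
        }
    }
    [pscustomobject]@{ Xml = $doc.OuterXml; Changes = $changes }
}

function Test-ForestDescriptionEdit {
    # Checks worth running before rendom /showforest: same number of entries,
    # identical Guids in the same order, and no name still carrying the old root.
    param([string]$BeforeXml, [string]$AfterXml, [string]$OldRoot)
    $b = [xml]$BeforeXml
    $a = [xml]$AfterXml
    $bGuids = @($b.Forest.Domain | ForEach-Object { $_.Guid })
    $aGuids = @($a.Forest.Domain | ForEach-Object { $_.Guid })
    $stale  = @($a.Forest.Domain | Where-Object { $_.DNSname -like "*$OldRoot" })
    [pscustomobject]@{
        SameEntryCount = ($bGuids.Count -eq $aGuids.Count)
        GuidsUnchanged = (($bGuids -join ';') -eq ($aGuids -join ';'))
        StaleNames     = $stale.Count
    }
}

# Constructed sample, cut down from the guide's BEFORE file (two partitions).
$before = @'
<?xml version="1.0"?>
<Forest>
<Domain>
<!-- PartitionType:Application -->
<Guid>f015841b-c588-4701-bfa6-9c016e8d31e6</Guid>
<DNSname>ForestDnsZones.cohovineyard.com</DNSname>
<NetBiosName></NetBiosName>
<DcName></DcName>
</Domain>
<Domain>
<!-- ForestRoot -->
<Guid>58cf7b34-d693-32a5-da7b-7a5e04bc45a4</Guid>
<DNSname>cohovineyard.com</DNSname>
<NetBiosName>COHOVINEYARD</NetBiosName>
<DcName></DcName>
</Domain>
</Forest>
'@

$result = Rename-ForestDescription -Xml $before -OldRoot 'cohovineyard.com' `
    -NewRoot 'cohowinery.com' -NewRootNetBios 'COHOWINERY'
$result.Changes
Test-ForestDescriptionEdit -BeforeXml $before -AfterXml $result.Xml -OldRoot 'cohovineyard.com'
# To write the edited file back:  Set-Content -Path C:\domren\Domainlist.xml -Value $result.Xml
```

On the sample this reports both partitions renamed, GuidsUnchanged true and StaleNames 0. If you are deliberately splitting a child domain into a new tree root, leave that entry out of the automatic pass and edit it by hand, because the suffix rule above would otherwise rename it along with its former parent.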

Specifying the source domain controllers
In Generate Domain Rename Instructions, the Rendom.exe tool contacts one arbitrarily chosen domain controller in each domain of the forest to gather the information that is required for translating your new forest specification in the Domainlist.xml file into a sequence of required directory changes that are encoded as a script to be run at each domain controller. As an option, you can specify a particular domain controller in each domain from which to pull the domain-specific information.
To specify domain controllers for each renamed domain in domainlist.xml
• In the field that is bounded by the <DcName></DcName> tags within each domain entry, type the DNS host name of the domain controller that you want to use. For example, to retrieve information for the domain sales.cohovineyard.com from the domain controller dc1.sales.cohovineyard.com, specify <DcName>dc1.sales.cohovineyard.com</DcName> within the domain entry for the renamed domain sales.cohowinery.com. (Recall that domain controller names do not change when the domain is renamed.)

Reviewing the new forest description
Verify that the domain name changes that you have specified in the forest description file Domainlist.xml yield the new forest structure that you want. You can use Rendom.exe to display the new forest structure that you specified in the Domainlist.xml file in a user-friendly format by using text indentation to reflect the domain hierarchy.
To review the new forest description in Domainlist.xml
1. Click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following command, and then press ENTER:
rendom /showforest

This command simply displays the contents of the Domainlist.xml file in a format that is easier to read and in which you can better see the forest structure. Use this command each time that you make any changes to the Domainlist.xml file to verify that the forest structure looks as you intended.
Note
It is essential at this step to specify an accurate forest description that reflects the desired changes to the forest structure, because an error at this stage will result in an unintended forest structure when the domain rename operation is complete. If your target structure is not what you intended, you must perform the entire domain rename procedure again.
Note
To gather the information that is necessary to process the /showforest command-line option, Rendom.exe contacts the domain controller that is the current domain naming master in the target forest. The command might fail if the domain naming master is unavailable or unreachable from the control station.

Generate Domain Rename Instructions
You can use this procedure to generate domain rename instructions. In this procedure, you use the Rendom.exe tool to generate the domain rename instructions that are required to make your new target forest structure effective. Rendom.exe translates the new forest structure as specified in the edited forest description file that you prepared in Specify the New Forest Description into a sequence of directory update instructions that are run individually and remotely on each domain controller in the forest. The XML-encoded script that contains the domain rename instructions is written to the single-valued, octet-string attribute msDS-UpdateScript on the Partitions container object (cn=partitions,cn=configuration,dc=ForestRootDomain) in the configuration directory partition on the domain naming operations master. For more information about the exact directory changes that occur on the domain naming master, see "Preparing Domain Controllers for Domain Rename" in How Domain Rename Works (http://go.microsoft.com/fwlink/?LinkId=124104).
Rendom.exe also generates a state file called Dclist.xml (the default name) and stores this file in the control station's working directory. The Dclist.xml state file is used to track the progress and state of each domain controller in the forest for the rest of the domain rename operation. The following is a sample Dclist.xml file that is generated for the two-domain forest in which there are two domain controllers named DC1 and DC2 in the cohovineyard.com domain and two domain controllers named DC3 and DC4 in the sales.cohovineyard.com domain.
<?xml version="1.0"?>
<DcList>
  <Hash>********</Hash>
  <Signature>********</Signature>
  <DC>
    <Name>DC1.cohovineyard.com</Name>
    <State>Initial</State>
    <LastError>0</LastError>
    <Password />
    <LastErrorMsg />
    <FatalErrorMsg />
    <Retry></Retry>
  </DC>
  <DC>
    <Name>DC2.cohovineyard.com</Name>
    <State>Initial</State>
    <LastError>0</LastError>
    <Password />
    <LastErrorMsg />
    <FatalErrorMsg />
    <Retry></Retry>
  </DC>
  <DC>
    <Name>DC3.sales.cohovineyard.com</Name>
    <State>Initial</State>
    <LastError>0</LastError>
    <Password />
    <LastErrorMsg />
    <FatalErrorMsg />
    <Retry></Retry>
  </DC>
  <DC>
    <Name>DC4.sales.cohovineyard.com</Name>
    <State>Initial</State>
    <LastError>0</LastError>
    <Password />
    <LastErrorMsg />
    <FatalErrorMsg />
    <Retry></Retry>
  </DC>
</DcList>

9otice that there is an entr for ever domain controller in the forest in the Dclist&-ml state file( and the state of each domain controller entr "the field that is bounded b the SStateTS3StateT tags# is set to N'nitialO at this step& This state %ill change independentl for each domain controller as it progresses through the rest of the domain rename operation& 1nsure that the follo%ing conditions are in effect before ou generate domain rename instructions: • The source domain controller must be available and reachable& *endom contacts one arbitraril chosen domain controller in each domain "or the domain controller that is designated for each domain in the SDCnameTS3DCnameT field in the Domainlist&-ml file# to gather the information that is necessar to generate the domain rename instructions& The command might fail if a designated domain controller in a domain is unavailable or unreachable from the control station "or if a designated domain controller %as not specified( if no domain controller in a domain is reachable from the control station#& • The domain naming master must be available and reachable& *endom %rites the domain rename instructions to the Partitions container in the Configuration director partition on the domain naming master( and *endom gathers the information that is necessar to generate the state file Dclist&-ml& The command might fail if the domain naming master is unavailable or unreachable from the control station& Membership in the .nterprise Admins group in the target forest "%ith a %rite access to the Partitions container ob,ect and the cross/reference ob,ects that are its children in the configuration director partition# and the +ocal Administrators group "or a %rite access to the domain rename C:Zdomren %or0ing director # on the control station computer is the minimum reFuired to complete this procedure& *evie% details about using the appropriate accounts and group memberships at http:33go&microsoft&com3f%lin03P+in0'dQ87A<<& 868

Note
You can use credentials other than the credentials with which you are currently logged on. To use alternative credentials, use the /user and /pwd command-line switches of rendom, as described in Appendix A: Command-Line Syntax for the Rendom Tool.

To generate the domain rename instructions and upload them to the domain naming master
1. On the control station, click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following to change to the working directory, and then press ENTER:

cd C:\domren

3. From within the working directory, type the following command, and then press ENTER:

rendom /upload

4. Verify that the state file Dclist.xml is created in the working directory and that it contains an entry for every domain controller in your forest.

Push Domain Rename Instructions to All Domain Controllers and Verify DNS Readiness
You can use this procedure to push domain rename instructions to all domain controllers and verify Domain Name System (DNS) readiness. In this procedure, you force Active Directory replication to push the domain rename instructions that were uploaded to the domain naming operations master in Generate Domain Rename Instructions to all domain controllers in the forest. In addition, you verify that the domain controller Locator (DC Locator) records that are registered in DNS by each domain controller for the new domain names have replicated to all DNS servers that are authoritative for those records.

Pushing domain rename instructions to all domain controllers
You can use the Repadmin.exe tool to force Active Directory replication of directory changes on the domain naming master to all domain controllers in the forest.

Note
Forcing replication is not required, but it serves to accelerate the replication of the changes to the Partitions container in the configuration directory partition to all domain controllers in the forest. As an option, you can wait for replication to complete according to the usual replication intervals and delays that are characteristic of your forest.

If the command in the following procedure completes successfully, the changes that originate at the domain naming master domain controller have replicated to every domain controller in the forest. If the command reports an error for some subset of the domain controllers in the forest, the replication must be reattempted for those failed domain controllers until all domain controllers in the forest have successfully received the changes from the domain naming master.

Membership in the Enterprise Admins group in the target forest is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To force synchronization of changes made on the domain naming master to all domain controllers in the forest
1. On the control station, click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following command, and then press ENTER:

repadmin /syncall /d /e /P /q DomainNamingMaster

Note
The repadmin command-line options are case sensitive.

Note
If read-only domain controllers (RODCs) are included in your domain, run this command one more time to ensure that the new RODC servicePrincipalName attribute is replicated to all the domain controllers in the forest.

Parameter             Description
/syncall              Synchronizes a specified domain controller with all replication partners.
/d                    Identifies servers by distinguished name in messages.
/e                    Enterprise, cross sites.
/P                    Pushes changes outward from the home server.
/q                    Quiet mode; suppresses callback messages.
DomainNamingMaster    Specifies the DNS host name of the domain controller that is the current domain naming master for the forest.

If you do not know the DNS host name of the domain naming master, you can use the Dsquery.exe tool to discover it.


Membership in the Enterprise Admins group in the target forest, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To discover the DNS host name of the domain naming master
1. On the control station, click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following command, and then press ENTER:

dsquery server -hasfsmo name

Parameter                 Description
dsquery server -hasfsmo   Finds the domain controller in Active Directory Domain Services (AD DS) that holds the specified operations master (also known as flexible single master operations (FSMO)) role.
name                      Specifies the Active Directory domain controller name.

Verifying DNS readiness
During domain rename, the service (SRV) resource records that are associated with the new domain name and that are used by the domain controller Locator (DC Locator) are prepublished in the authoritative DNS servers by the Net Logon service that is running on the domain controllers of the domain. For domain controller location to be functional after domain rename, there is a subset of records whose presence at the authoritative DNS servers is critical for authentication and replication to take place. The following table lists the necessary resource records, in order of importance.

Type: CNAME
Name of owner: DsaGuid._msdcs.DnsForestName
Explanation: There must be one alias (CNAME) resource record associated with every domain controller in all authoritative DNS servers. This record ensures that replication will take place from that domain controller.

Type: SRV
Name of owner: _ldap._tcp.pdc._msdcs.DnsDomainName
Explanation: There must be one service (SRV) resource record that pertains to the primary domain controller (PDC) on all authoritative DNS servers. This record ensures that authentication of users and computers is functioning.

Type: SRV
Name of owner: _ldap._tcp.gc._msdcs.DnsForestName
Explanation: There must be at least one resource record that pertains to at least one global catalog server on all authoritative DNS servers. This record ensures that authentication of users and computers is functioning. For example, one DNS server might contain a record of this type that is registered by one global catalog, while other DNS servers might contain the records of this type that are registered by other global catalogs. It is sufficient, temporarily, if there is at least one record of this type that is present on all authoritative DNS servers. The other records will eventually replicate to all authoritative DNS servers.

Type: SRV
Name of owner: _ldap._tcp.dc._msdcs.DnsDomainName
Explanation: There must be at least one resource record pertaining to at least one domain controller on all authoritative DNS servers. This record ensures that authentication of users and computers is functioning. For example, one DNS server might contain a resource record of this type that is registered by one domain controller, while other DNS servers might contain the records of this type that are registered by other domain controllers. It is sufficient, temporarily, if there is at least one record of this type present on all authoritative DNS servers. The other records will eventually replicate to all authoritative DNS servers.

Note
The word "must" in the context of this table means do not, under any circumstances, proceed with domain rename unless this requirement is fulfilled.

The following two resource records are also required for authentication:
• KDC: A service (SRV) resource record that is owned by _kerberos._tcp.dc._msdcs.DnsDomainName.
• GcIpAddress: A host (A) resource record that is owned by _gc._msdcs.DnsForestName.

However, because these resource records are closely linked with the global catalog and the domain controller service (SRV) resource records that are described in the table, it is sufficient to confirm the presence of the global catalog and the domain controller service (SRV) resource records to assume that these two records have also been prepublished.

You can use the DcDiag.exe tool to confirm that the correct service (SRV) resource records that DC Locator uses have been registered in DNS.

Membership in the Enterprise Admins group in the target forest, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To verify DNS records readiness
1. On the control station, click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following command, and then press ENTER:

dcdiag /test:DNS /DnsRecordRegistration /s:domaincontroller

For more information about dcdiag syntax and parameters, see Dcdiag Syntax (http://go.microsoft.com/fwlink/?LinkID=123103).
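The table above states four "must" rules that have to hold on every authoritative DNS server, not just on one of them. The following Python script is an added example, not part of this guide and not code from Rendom, DcDiag or any other Microsoft tool: it evaluates those rules against an inventory of the DC Locator records that each authoritative server holds. The forest name, domain controller host names, DSA GUIDs and server inventories are constructed sample data; in practice the inventory would come from a zone query of each server.

```python
# Added example, not from the operations guide or from any Microsoft tool:
# it evaluates the "must" rules from the DC Locator record table against an
# inventory of what each authoritative DNS server currently holds. The forest,
# host names, GUIDs and server inventories below are constructed sample data.
from typing import Dict, List, Set, Tuple

Inventory = Dict[str, Set[str]]       # owner name -> targets registered under it
DcMap = Dict[str, Tuple[str, str]]    # DC host name -> (renamed domain, DSA object GUID)


def dsa_cname_owner(dsa_guid: str, forest: str) -> str:
    return f"{dsa_guid}._msdcs.{forest}"


def pdc_srv_owner(domain: str) -> str:
    return f"_ldap._tcp.pdc._msdcs.{domain}"


def gc_srv_owner(forest: str) -> str:
    return f"_ldap._tcp.gc._msdcs.{forest}"


def dc_srv_owner(domain: str) -> str:
    return f"_ldap._tcp.dc._msdcs.{domain}"


def check_dns_readiness(servers: Dict[str, Inventory], dcs: DcMap, forest: str) -> List[str]:
    """Return every unmet requirement; an empty list means all 'must' rules hold.

    Each rule is checked on every authoritative server, because a record that
    exists on one server but not on another is exactly what the table warns about.
    """
    failures: List[str] = []
    domains = sorted({domain for domain, _ in dcs.values()})
    for server, inv in servers.items():
        def present(owner: str) -> bool:
            return bool(inv.get(owner))
        # Rule 1: one CNAME per domain controller (replication depends on it).
        for host, (_, guid) in dcs.items():
            owner = dsa_cname_owner(guid, forest)
            if not present(owner):
                failures.append(f"{server}: no CNAME {owner} for {host}")
        # Rule 2: the PDC SRV record of every domain.
        for domain in domains:
            if not present(pdc_srv_owner(domain)):
                failures.append(f"{server}: no PDC SRV {pdc_srv_owner(domain)}")
        # Rules 3 and 4: at least one GC SRV record for the forest and at least one
        # DC SRV record per domain; a record from any one GC or DC satisfies these.
        if not present(gc_srv_owner(forest)):
            failures.append(f"{server}: no GC SRV {gc_srv_owner(forest)}")
        for domain in domains:
            if not present(dc_srv_owner(domain)):
                failures.append(f"{server}: no DC SRV {dc_srv_owner(domain)}")
    return failures


def ready_for_rename(servers: Dict[str, Inventory], dcs: DcMap, forest: str) -> bool:
    return not check_dns_readiness(servers, dcs, forest)


# Constructed sample: the forest is being renamed to cohowinery.com. The DC host
# names keep their old DNS suffix, as the guide notes. GUIDs are placeholders.
FOREST = "cohowinery.com"
DCS: DcMap = {
    "dc1.cohovineyard.com": ("cohowinery.com", "0a1b2c3d-0000-4000-8000-000000000001"),
    "dc2.cohovineyard.com": ("cohowinery.com", "0a1b2c3d-0000-4000-8000-000000000002"),
    "dc3.sales.cohovineyard.com": ("sales.cohowinery.com", "0a1b2c3d-0000-4000-8000-000000000003"),
    "dc4.sales.cohovineyard.com": ("sales.cohowinery.com", "0a1b2c3d-0000-4000-8000-000000000004"),
}
PDCS = {"cohowinery.com": "dc1.cohovineyard.com", "sales.cohowinery.com": "dc3.sales.cohovineyard.com"}
GCS = {"dc1.cohovineyard.com", "dc3.sales.cohovineyard.com"}


def complete_inventory() -> Inventory:
    """The records a fully replicated authoritative server would hold for DCS."""
    inv: Inventory = {}
    for host, (domain, guid) in DCS.items():
        inv[dsa_cname_owner(guid, FOREST)] = {host}
        inv.setdefault(dc_srv_owner(domain), set()).add(host)
        if host in GCS:
            inv.setdefault(gc_srv_owner(FOREST), set()).add(host)
    for domain, pdc in PDCS.items():
        inv[pdc_srv_owner(domain)] = {pdc}
    return inv


# ns1 is fully replicated; ns2 has not yet received dc4's CNAME or the sales PDC record.
_ns2 = complete_inventory()
del _ns2[dsa_cname_owner(DCS["dc4.sales.cohovineyard.com"][1], FOREST)]
del _ns2[pdc_srv_owner("sales.cohowinery.com")]
SERVERS: Dict[str, Inventory] = {"ns1": complete_inventory(), "ns2": _ns2}

if __name__ == "__main__":
    problems = check_dns_readiness(SERVERS, DCS, FOREST)
    print("ready" if not problems else "\n".join(problems))
```

Run against the sample, the check reports two failures, both on ns2, and reports the forest as ready once ns2 is excluded; that mirrors the table's point that one lagging authoritative server is enough to block the rename.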


Verify Readiness of Domain Controllers
You can use this procedure to verify the readiness of domain controllers for a domain rename operation. In this procedure, you run a preparatory check on every domain controller in the forest to verify that the directory database at each domain controller in the forest is in a good state and ready to perform the directory modifications that are dictated by the domain rename instructions. You perform the verification by using the Rendom.exe tool to issue a remote procedure call (RPC) individually to each domain controller in the forest that is tracked by the state file Dclist.xml. The RPC causes each domain controller to verify that its directory replica is in a good state to perform the changes that are dictated by the domain rename instructions. For each domain controller that is successfully verified for readiness, Rendom updates the state field in the corresponding domain controller entry in the state file Dclist.xml to Prepared (<State>Prepared</State>).

Important
All domain controllers must be in the Prepared state before domain rename instructions can be run.

Ensure that the following conditions are in effect before you use Rendom.exe to verify that your domain controllers are ready for the domain rename operation:
• The preparatory changes that are made to the Partitions container of the forest's domain naming operations master during the generation of domain rename instructions must have replicated to every domain controller in the forest. This status is checked for and enforced by Rendom.exe during this step.
• Service (SRV) resource records, which are required for domain controller location of the renamed domains, must be registered in Domain Name System (DNS), and they must have replicated to all DNS servers.

Membership in the Enterprise Admins group in the target forest (with write access to the Partitions container object and the cross-reference objects that are its children in the configuration directory partition) and the Local Administrators group (or write access to the domain rename C:\domren working directory) on the control station computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Note
You can use credentials other than the credentials with which you are currently logged on. To use alternative credentials, use the /user and /pwd command-line switches of rendom, as described in Appendix A: Command-Line Syntax for the Rendom Tool.

To verify the readiness of domain controllers in the forest
1. On the control station, click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following command to change to the working directory, and then press ENTER:

cd C:\domren

3. From within the working directory, type the following command, and then press ENTER:

rendom /prepare

4. After the command finishes, examine the state file Dclist.xml to determine whether all domain controllers achieved the Prepared state. If not, repeat step 3 (the rendom /prepare command) in this procedure until all domain controllers achieve the Prepared state.

Note
Each time that it runs, the Rendom tool consults the Dclist.xml state file, and it does not connect to and verify the domain controllers that are already in the Prepared state. Therefore, no redundant operations are performed when you run this command repeatedly.

In a large forest with a large number of domain controllers, it is very likely that not all domain controllers can be reached from the control station at the same time. In other words, it is not likely that all domain controllers that are tracked by the state file Dclist.xml will reach the Prepared state in a single run of the rendom /prepare command. Therefore, multiple invocations of this command might be necessary to make incremental progress with groups of domain controllers that reach the Prepared state at the same time. If you determine that, for any reason, it is impossible to make any further progress with a specific domain controller, you can remove the entry for that domain controller (bounded by the <DC></DC> tags) from the Dclist.xml file by simply editing the state file with a text editor. Remember that, when a domain controller is removed in this manner from participating in the domain rename procedure, it must be retired (that is, Active Directory Domain Services (AD DS) must be removed from the domain controller) in the new forest after the domain rename operation is complete.

Note
Make sure that you save a copy of the state file Dclist.xml every time before you edit it by using a text editor. This makes an easy fallback and recovery possible in case you make an error in editing the file.

As Rendom.exe executes the various command-line options, the command execution log is cumulatively captured in a log file named Rendom.log (the default name) in the current working directory (C:\domren). When execution of a Rendom.exe command fails, examination of this log file can yield valuable information about the actual tasks that the tool performed, and at what stage or on which domain controller a problem occurred.

Run Domain Rename Instructions
You can use this procedure to execute domain rename instructions. In this procedure, you execute the domain rename instructions that are contained in the special script that is uploaded to the msDS-UpdateScript attribute on the Partitions container on every domain controller in the forest. To execute the script, the control station computer issues a remote procedure call (RPC) to each domain controller in the forest individually, which causes each domain controller to execute the domain rename instructions and then restart automatically after it runs the instructions successfully. At the end of this procedure, every domain controller that is tracked by the state file Dclist.xml will be in one of two final states:
• Done, which means that the domain controller successfully completed the domain rename operation.
• Error, which means that the domain controller encountered an irrecoverable error and did not complete the domain rename operation.

In other words, if a domain controller successfully executes the domain rename instructions, it restarts automatically and the state for the corresponding domain controller entry in the state file is updated to read <State>Done</State>. But, if a fatal or irrecoverable error is encountered on a domain controller while you attempt to execute the domain rename instructions, the state for the corresponding domain controller entry in the state file is updated to read <State>Error</State>. For the Error state, the error code is written to the last error field <LastError></LastError> and a corresponding error message is written to the <FatalErrorMsg></FatalErrorMsg> field. The rendom command must be repeated until all domain controllers have either successfully executed the domain rename or you have established that one or more domain controllers are unreachable and will be removed from the forest.

Important
This step will cause a temporary disruption in service while the domain controllers are running the domain rename instructions and restarting after they run the instructions successfully. The Active Directory Domain Services (AD DS) service in the forest has not been disrupted up to this point in the domain rename operation.

Important
All domain controllers in the forest must be in the Prepared state, as indicated by the state field (<State>Prepared</State>) in the state file Dclist.xml. This state is checked for and enforced by rendom at this step.

Membership in the Enterprise Admins group in the target forest (with write access to the Partitions container object and the cross-reference objects that are its children in the configuration directory partition) and the Local Administrators group (or write access to the domain rename C:\domren working directory) on the control station computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Note
You can use credentials other than the credentials with which you are currently logged on. To use alternative credentials, use the /user and /pwd command-line switches of rendom, as described in Appendix A: Command-Line Syntax for the Rendom Tool.

To run the domain rename instructions on all domain controllers
1. On the control station, click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following command to change to the working directory, and then press ENTER:

cd C:\domren

3. From within the working directory, type the following command, and then press ENTER:

rendom /execute

4. When the command has finished running, examine the state file Dclist.xml to determine whether all domain controllers have reached either the Done state or the Error state.
5. If the Dclist.xml file shows any domain controllers as remaining in the Prepared state, repeat step 3 (the rendom /execute command) in this procedure as many times as necessary until the stopping criterion is met.

Important
The stopping criterion for the domain rename operation is that every domain controller in the forest has reached one of the two final states of Done or Error in the Dclist.xml state file.

Note
Each time that you run it, the rendom /execute command consults the Dclist.xml state file and skips connecting to the domain controllers that are already in the Done or Error state. Therefore, no redundant operations are performed if you repeatedly attempt this command.

If you determine that an error that has caused a domain controller to reach the Error state in the Dclist.xml file is actually a recoverable error, and you think that progress can be made on that domain controller by trying to run the domain rename instructions again, you can force the rendom /execute command to run again by issuing the RPC to that domain controller (instead of skipping it), as described in the following procedure.

To force rendom /execute to reissue the RPC to a domain controller in the Error state
1. On the control station, navigate to the working directory C:\domren and, using a simple text editor such as Notepad.exe, open the Dclist.xml file.
2. In the Dclist.xml file, locate the <Retry></Retry> field in the domain controller entry for the domain controller that you think should be reissued the RPC, and then edit the Dclist.xml file so that the field reads <Retry>yes</Retry> for that entry.
3. On the control station, click Start, click Run, type cmd, and then click OK.
4. At the command prompt, type the following command to change to the working directory, and then press ENTER:

cd C:\domren

5. From within the working directory, type the following command, and then press ENTER:

rendom /execute

Running the rendom /execute command reissues the execute-specific RPC to that domain controller.

When all the domain controllers are in either the Done or Error state (there should be no domain controller in the Prepared state), declaring the execution of the domain rename instructions to be complete is at your discretion. You can continue to retry execution attempts on domain controllers that are in the Error state if you think that they will eventually succeed. However, when you declare that the execution of the domain rename instructions is complete, and you will not retry the rendom /execute command, you must remove AD DS from all domain controllers that are still in the Error state. For detailed step-by-step instructions to remove the AD DS server role, see the Step-by-Step Guide for Windows Server 2008 Active Directory Domain Services Installation and Removal (http://go.microsoft.com/fwlink/?LinkID=86716).

Note
The Domain Name System (DNS) host names of the domain controllers in the renamed domains do not change automatically as a result of the domain rename operation. In other words, the DNS suffix in the fully qualified DNS host name of a domain controller in the renamed domain will continue to reflect the old domain name. You can use a special domain controller rename procedure, which you run as a separate post-domain-rename task, to change the DNS host name of a domain controller so that it conforms to the DNS name of the domain to which it is joined. For information about renaming domain controllers, see Renaming a Domain Controller.
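Both the rendom /prepare loop in Verify Readiness of Domain Controllers and the rendom /execute loop above are driven entirely by the states recorded in Dclist.xml. The following Python script is an added example, not part of this guide and not Rendom's own code: it parses a Dclist.xml file, reports the state summary and the Error entries with their LastError and FatalErrorMsg fields, evaluates the two loop conditions (every domain controller Prepared; every domain controller Done or Error), and performs the <Retry>yes</Retry> edit from the procedure above for one domain controller in the Error state. The file content is constructed for the example; the Hash and Signature values, the error code and the error message are placeholders, not real tool output.

```python
# Added example, not part of the operations guide and not Rendom's own code: it
# reads a Dclist.xml state file and applies the state rules from the Verify
# Readiness of Domain Controllers and Run Domain Rename Instructions procedures.
# The file content below is constructed for the example; its element names follow
# the sample Dclist.xml shown in Generate Domain Rename Instructions.
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List, Tuple

# Constructed snapshot of a forest part-way through rendom /execute: DC1 and DC3
# are Done, DC2 is still Prepared and DC4 stopped with a fatal error. Hash,
# Signature, the error code and the message are placeholders, not tool output.
SAMPLE_DCLIST = """<?xml version="1.0"?>
<DcList>
  <Hash>00000000</Hash>
  <Signature>00000000</Signature>
  <DC><Name>DC1.cohovineyard.com</Name><State>Done</State><LastError>0</LastError>
    <Password /><LastErrorMsg /><FatalErrorMsg /><Retry></Retry></DC>
  <DC><Name>DC2.cohovineyard.com</Name><State>Prepared</State><LastError>0</LastError>
    <Password /><LastErrorMsg /><FatalErrorMsg /><Retry></Retry></DC>
  <DC><Name>DC3.sales.cohovineyard.com</Name><State>Done</State><LastError>0</LastError>
    <Password /><LastErrorMsg /><FatalErrorMsg /><Retry></Retry></DC>
  <DC><Name>DC4.sales.cohovineyard.com</Name><State>Error</State><LastError>1722</LastError>
    <Password /><LastErrorMsg /><FatalErrorMsg>RPC server unavailable (constructed message)</FatalErrorMsg><Retry></Retry></DC>
</DcList>
"""

FINAL_STATES = {"Done", "Error"}


def dc_states(xml_text: str) -> Dict[str, str]:
    """Map each domain controller name to its <State> value."""
    root = ET.fromstring(xml_text)
    return {dc.findtext("Name"): dc.findtext("State") for dc in root.findall("DC")}


def state_summary(xml_text: str) -> Counter:
    return Counter(dc_states(xml_text).values())


def all_prepared(xml_text: str) -> bool:
    """Exit condition of the rendom /prepare loop: every DC is Prepared."""
    states = dc_states(xml_text)
    return bool(states) and all(s == "Prepared" for s in states.values())


def execution_complete(xml_text: str) -> bool:
    """Stopping criterion of the rendom /execute loop: every DC is Done or Error."""
    states = dc_states(xml_text)
    return bool(states) and all(s in FINAL_STATES for s in states.values())


def error_report(xml_text: str) -> List[Tuple[str, str, str]]:
    """(name, LastError, FatalErrorMsg) for every DC in the Error state."""
    root = ET.fromstring(xml_text)
    return [(dc.findtext("Name"), dc.findtext("LastError"), dc.findtext("FatalErrorMsg") or "")
            for dc in root.findall("DC") if dc.findtext("State") == "Error"]


def mark_retry(xml_text: str, dc_name: str) -> str:
    """Return the file with <Retry>yes</Retry> set on one DC in the Error state,
    the manual edit the guide describes for making rendom /execute reissue the RPC."""
    root = ET.fromstring(xml_text)
    for dc in root.findall("DC"):
        if dc.findtext("Name") != dc_name:
            continue
        if dc.findtext("State") != "Error":
            raise ValueError(f"{dc_name} is in state {dc.findtext('State')}, not Error")
        dc.find("Retry").text = "yes"
        return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")
    raise KeyError(f"{dc_name} is not tracked in this state file")


if __name__ == "__main__":
    print(dict(state_summary(SAMPLE_DCLIST)))
    for name, code, msg in error_report(SAMPLE_DCLIST):
        print(f"{name}: LastError={code} {msg}")
    print("execute loop complete:", execution_complete(SAMPLE_DCLIST))
```

On the sample, the execute loop is not complete because DC2 is still Prepared, and mark_retry refuses to touch a domain controller that is not in the Error state, which matches the procedure: the Retry field is only meaningful for an entry that rendom would otherwise skip. Save a copy of Dclist.xml before writing the returned text back, as the Note in Verify Readiness of Domain Controllers advises.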

Exchange-Specific Steps: Update the Exchange Configuration and Restart Exchange Servers
You can use this procedure to update the Exchange configuration and restart Exchange servers for a domain rename operation. If the domain contains servers running Microsoft Exchange Server 2003 Service Pack 1 (SP1), before you continue with step 9, run the Exchange Domain Rename Fix-up Tool (XDR-fixup). Then, restart all the servers running Exchange twice. For more information, see Microsoft Exchange Server Domain Rename Fixup (XDR-Fixup) (http://go.microsoft.com/fwlink/?LinkID=123144).

Important
The Windows Server 2008 domain rename operation is not supported in an Active Directory forest that contains Exchange Server 2003, Exchange Server 2003 Service Pack 2 (SP2), Exchange Server 2007, or Exchange Server 2007 SP1.


Unfreeze the Forest Configuration
You can use this procedure to unfreeze the forest configuration after a domain rename operation. After you generated the domain rename instructions (see Generate Domain Rename Instructions), your forest configuration was frozen with respect to certain types of changes. In this frozen configuration, addition or removal of domains, addition or removal of domain controllers (DCs), and addition or removal of trusts were not allowed within the forest. For more information, see Freeze the Forest Configuration. In this procedure, you use the rendom command to unfreeze the forest so that changes that were not allowed can once again be made.

Important
All the procedures in Run Domain Rename Instructions, including the automatic domain controller restart, must have been completed on all domain controllers in the renamed domains.

Membership in the Enterprise Admins group in the target forest (with write access to the Partitions container object) is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Note
You can use credentials other than the credentials with which you are currently logged on. To use alternative credentials, use the /user and /pwd command-line switches of Rendom, as described in Appendix A: Command-Line Syntax for the Rendom Tool.

To unfreeze the forest configuration
1. Restart the control station computer twice to ensure that all services that are running on it learn of the new name (Domain Name System (DNS) name or NetBIOS name) of the domain of which the control station is a member. Do not restart the control station by turning its power off and then back on.
2. On the control station, click Start, click Run, type cmd, and then click OK.
3. At the command prompt, type the following command to change to the working directory, and then press ENTER:

cd C:\domren

4. From within the working directory, type the following command, and then press ENTER:

rendom /end

The rendom /end command connects to the domain controller that holds the domain naming operations master role and removes the attribute msDS-UpdateScript from the Partitions container.


Re-establish External Trusts
You can use this procedure to re-establish external trusts after a domain rename operation. All intraforest shortcut trusts within the forest in which the domain rename occurred are automatically adjusted during the domain rename operation so that they continue to work. However, as a result of the domain name changes in your forest, any external trust relationships that your forest has with other forests (including trusts across forests) will not be valid. Therefore, they must be re-established. In particular, when a domain in your forest is renamed, the following trust relationships are not valid:
• Any interforest trust relationship that is established at the forest root level (a trust across forests).
• Any external trust relationship with a domain in another forest.

All external trusts from or to the forest in which the domain rename operation occurred must be deleted and recreated. You can use the Active Directory Domains and Trusts Microsoft Management Console (MMC) snap-in to delete and recreate all such trust relationships. For more information, see Administering Domain and Forest Trusts.

Fix Group Policy Objects and Links
Eou can use this procedure to fi- 5roup Polic ob,ects "5P4s# and lin0s after a domain rename operation& 'n this procedure( ou use the 5pfi-up&e-e command/line tool to repair 5P4s as %ell as 5P4 references in each renamed domain& 't is necessar to repair the 5P4s and the 5roup Polic lin0s after a domain rename operation to update the old domain name that is embedded in these 5P4s and their lin0s& This procedure is necessar so that 5roup Polic continues to function normall in the ne% forest after the domain rename operation is complete& The 5pfi-up&e-e tool also repairs an 5roup Polic Rbased Soft%are 'nstallation and Maintenance data "such as Soft%are Distribution Point net%or0 paths#( if the are present in Active Director Domain Services "AD DS#( so that managed soft%are deplo ment continues to %or0 in our environment& The 5P4 and lin0 fi-/up tool must be run once in each renamed domain& There is no 5P4 and lin0 fi-/up reFuired that corresponds to renamed application director partitions because ou cannot appl 5roup Polic to an application director partition& Important The 5P43lin0 fi-/up procedure does not fi- an interdomain 5P4 lin0s that might e-ist in our forest& An e-isting interdomain 5P4 lin0s must be either removed or reconfigured so that the can %or0 properl & 'n addition( this fi-/up procedure does not repair net%or0 paths for Soft%are Distribution Points "present in AD DS# that are e-ternal to the domain& As a best practice( do not use 5P4 lin0s that cross domain boundaries& >efore ou repair 5P4s( ensure that the follo%ing conditions are satisfied:

82<

• All procedures that are described in Run Domain Rename Instructions, including the automatic domain controller restart, must have been completed on all domain controllers in the renamed domains.
• The domain controller with the primary domain controller (PDC) emulator operations master role in a renamed domain must have successfully completed the domain rename operation, and it must have reached the final "Done" state as described in Run Domain Rename Instructions.
• The control station computer must have been restarted twice, as described in Unfreeze the Forest Configuration.
• All member servers in the domain that host Software Distribution Points (network locations from which users deploy managed software in your environment) must have been restarted twice, as described in Run Domain Rename Instructions. This prerequisite step is extremely important and necessary for the Software Installation and Maintenance data fix-up to work correctly.

Membership in the Enterprise Admins group in the target forest is the minimum required to complete these procedures. The access check that you perform in this procedure requires that you have write access to the gpLink attribute on the site, domain, and organizational unit (OU) objects, as well as write access to the GPOs themselves.

Note: You can use credentials other than the credentials with which you are currently logged on. To use alternative credentials, use the /user and /pwd command-line switches of gpfixup, as described in Appendix B: Command-Line Syntax for the Gpfixup Tool.

To fix up GPOs and GPO references
1. On the control station, click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following command to change to the working directory, and then press ENTER:
cd C:\domren

3. From within the working directory, type the following command, and then press ENTER. The entire command must be typed on a single line, although it is shown on multiple lines for clarity.
gpfixup /olddns:OldDomainDnsName /newdns:NewDomainDNSName /oldnb:OldDomainNetBIOSName /newnb:NewDomainNetBIOSName /dc:DcDnsName 2>&1 >gpfixup.log

Note: The command-line parameters /oldnb and /newnb are required only if the NetBIOS name of the domain changed. Otherwise, you can omit these parameters from the Gpfixup command line. The output of the command, both status and error output, is saved to the file gpfixup.log, which you can display periodically to monitor the progress of the command.
4. To force replication of the Group Policy fix-up changes that were made at the domain controller named in DcDnsName in step 3 of this procedure to the rest of the domain controllers in the renamed domain, type the following command, and then press ENTER:
repadmin /syncall /d /e /P /q DcDnsName NewDomainDN

Where:
• DcDnsName is the Domain Name System (DNS) host name of the domain controller that was targeted by the gpfixup command.
• NewDomainDN is the distinguished name that corresponds to the new DNS name of the renamed domain.
5. Repeat steps 2 and 3 in this procedure for every renamed domain. You can enter the commands in sequence for each renamed domain. For example, using the sample forest and domain name changes in Specify the New Forest Description, you run the gpfixup command twice, once for the renamed cohovineyard.com domain and once for the sales.cohovineyard.com domain, as indicated in the following example:
gpfixup /olddns:cohovineyard.com /oldnb:cohovineyard /newdns:cohowinery.com /newnb:cohowinery /dc:dc1.cohovineyard.com 2>&1 >gpfixup1.log

repadmin /syncall /d /e /P /q dc1.cohovineyard.com dc=cohowinery,dc=com

gpfixup /olddns:sales.cohovineyard.com /dc:dc3.sales.cohovineyard.com /newdns:sales.cohowinery.com 2>&1 >gpfixup2.log

repadmin /syncall /d /e /P /q dc3.sales.cohovineyard.com dc=sales,dc=cohowinery,dc=com

Important: Run the gpfixup command only once for each renamed domain. Do not run it for renamed application directory partitions.
Note: The DNS host names for the domain controllers in the renamed domains that are used in these command invocations still reflect the old DNS name for the domain. As mentioned earlier, the DNS host name of a domain controller in a renamed domain does not change automatically as a result of the domain name change.
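The per-domain command pairs above are easy to mistype when a forest has several renamed domains, and the /oldnb and /newnb switches must be dropped for domains whose NetBIOS name did not change. The following PowerShell script is an added example, not part of the guide or the Gpfixup tool: it generates the gpfixup and repadmin lines from one table of old and new names, deriving each NewDomainDN from the new DNS name. The domain, NetBIOS and domain controller names in the table are constructed sample values.

```powershell
# Added example (not from the guide): generate the gpfixup + repadmin command
# lines for every renamed domain. All names below are constructed sample data.
$renamedDomains = @(
    @{ OldDns = 'cohovineyard.com';       NewDns = 'cohowinery.com';
       OldNb  = 'cohovineyard';           NewNb  = 'cohowinery';
       Dc     = 'dc1.cohovineyard.com' },
    @{ OldDns = 'sales.cohovineyard.com'; NewDns = 'sales.cohowinery.com';
       OldNb  = 'sales';                  NewNb  = 'sales';      # NetBIOS name unchanged
       Dc     = 'dc3.sales.cohovineyard.com' }
)

# Convert a DNS domain name into its distinguished name
# (cohowinery.com -> dc=cohowinery,dc=com), as used by repadmin.
function ConvertTo-DomainDN {
    param([Parameter(Mandatory)][string]$DnsName)
    ($DnsName.Trim('.').Split('.') | ForEach-Object { "dc=$_" }) -join ','
}

# Emit the gpfixup and repadmin pair for one domain. /oldnb and /newnb are
# included only when the NetBIOS name actually changed, as the note requires.
function Get-GpfixupCommands {
    param(
        [Parameter(Mandatory)][hashtable]$Domain,
        [Parameter(Mandatory)][int]$Index
    )
    $switches = @("/olddns:$($Domain.OldDns)", "/newdns:$($Domain.NewDns)")
    if ($Domain.OldNb -ne $Domain.NewNb) {
        $switches += "/oldnb:$($Domain.OldNb)"
        $switches += "/newnb:$($Domain.NewNb)"
    }
    $switches += "/dc:$($Domain.Dc)"
    $gpfixup  = "gpfixup $($switches -join ' ') 2>&1 >gpfixup${Index}.log"
    $repadmin = "repadmin /syncall /d /e /P /q $($Domain.Dc) $(ConvertTo-DomainDN $Domain.NewDns)"
    return @($gpfixup, $repadmin)
}

# Build the full sequence; one log file per domain so each run can be reviewed.
$lines = @()
for ($i = 0; $i -lt $renamedDomains.Count; $i++) {
    $lines += Get-GpfixupCommands -Domain $renamedDomains[$i] -Index ($i + 1)
}
$lines
# Review the output, then save it as a .cmd file and run it from the C:\domren
# working directory on the control station with Enterprise Admins credentials.
```

Review the generated lines before running them: the script only assembles command text, so a wrong entry in the table produces a wrong gpfixup invocation, and the guide's rule that gpfixup runs exactly once per renamed domain still applies.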

Parameter | Description
gpfixup | Fixes domain name dependencies in Group Policy objects and Group Policy links after a domain rename operation.
/olddns:OldDomainDnsName | Specifies the old DNS name of the renamed domain.
/newdns:NewDomainDNSName | Specifies the new DNS name of the renamed domain.
/oldnb:OldDomainNetBIOSName | Specifies the old NetBIOS name of the renamed domain.
/newnb:NewDomainNetBIOSName | Specifies the new NetBIOS name of the renamed domain.
/dc:DcDnsName | Specifies the DNS host name of the domain controller that the command targets (see step 4 above).
2>&1 >gpfixup.log | Contains status or error output of the command.

Completing the Domain Rename Operation
This task provides information and procedures for completing the domain rename operation. After you complete the domain rename procedures in Performing the Domain Rename Operation, complete the instructions in this task to be sure that all functionality that relies on the accurate domain name has been addressed with any needed related tasks.

Task requirements
The following is required to perform the procedures for this task:
• Rendom.exe

To complete this task, perform the following procedures:
• Verify Certificate Security
• Perform Miscellaneous Tasks
• Back Up Domain Controllers
• Restart Member Computers
• Exchange-Specific Steps: Verify the Exchange Rename and Update Active Directory Connector
• Perform Attribute Cleanup
• Rename Domain Controllers

Verify Certificate Security
You can use this procedure to verify certificate security after you complete a domain rename operation. If you use enterprise certificates, perform all the following procedures after the domain rename operation is complete.

Preparing URLs for CRL distribution point and Authority Information Access (AIA) extensions after a domain rename
To ensure that the old certificates function properly after a domain rename operation, make an alias (CNAME) resource record Domain Name System (DNS) entry that redirects the old Hypertext Transfer Protocol (HTTP) server (that services the Certificate Revocation List (CRL) of the certification authority (CA)) name query to the new DNS name for the server. This redirection causes the HTTP URLs in the old certificates to be valid. Client computers can then obtain CRLs and CA certificates for verification.

Note: You can remove the alias (CNAME) resource record after you know that the existing certificates have been renewed.

Note: If you only have Lightweight Directory Access Protocol (LDAP) URLs in the certificates, all the previously issued certificates will no longer be validated. The only workaround for correcting the LDAP CRL distribution point and AIA pointers is to renew the entire CA hierarchy and reissue the End Entity certificates. Expect public key infrastructure (PKI) downtime until these issues are resolved.

Membership in Account Operators, Domain Admins, or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To configure the redirecting alias DNS entry
1. Open the DNS Manager snap-in. To open DNS Manager, click Start, click Administrative Tools, and then click DNS.
2. In the console tree, expand the DNS server node, and locate the old DNS zone.
3. Right-click the old DNS zone, and then click New Alias (CNAME).
4. In Alias name, type the original fully qualified domain name (FQDN) of the HTTP server.
5. In Fully qualified domain name for target host, type the new FQDN of the HTTP server, and then click OK.

At this point you can test the redirection by pinging the FQDN of the old HTTP server. The ping should be remapped to the new FQDN of the HTTP server.

Verifying the use of UPNs
Authentication protocols, such as Kerberos (Smart Card Logon), require the user principal name (UPN) in the user certificate to match the UPN in the user account (implicitly or explicitly) in Active Directory Domain Services (AD DS). You should be aware of the differences in behavior between implicit and explicit UPNs.
• Implicit UPN: If a user account in AD DS does not have an explicitly assigned value for its UPN attribute, it is assumed to have an implicit UPN for authentication purposes that is based on the DNS name of the domain in which the account exists. When the DNS name of a domain changes as a result of the domain rename operation, the implicit UPNs of all user accounts in the domain also change. Both the old and the new implicit UPN forms will be accepted for authentication until the attribute cleanup procedures are complete (see Perform Attribute Cleanup). After the attribute cleanup procedures are complete, only the new implicit UPN form will be accepted.
Note: This behavior implies that if you want to continue using implicit UPNs for user accounts, you must reissue all existing authentication certificates after the DNS name of a domain has changed and before you perform the attribute cleanup procedures.
• Explicit UPN: If a user account in AD DS has an explicitly assigned value for its UPN attribute, it is said to have an explicit UPN that can be used for authentication purposes. When the DNS name of a domain changes as a result of the domain rename operation, the explicit UPNs of user accounts in the domain are not affected. Therefore, if you are using explicit UPNs for user accounts, no maintenance is necessary after the domain rename operation.
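The implicit/explicit distinction above decides which smart card certificates stop working once attribute cleanup runs. The following PowerShell functions are an added example, not code from the guide: they compute the UPN each account will have after cleanup and compare it with the UPN in the account's authentication certificate, so the accounts that need a reissued certificate can be listed before Perform Attribute Cleanup is run. The user list and certificate UPNs are constructed sample data; in a real domain the Upn field would come from Get-ADUser -Properties userPrincipalName and CertUpn from the issued certificates.

```powershell
# Added example (not from the guide): find accounts whose certificate UPN will
# no longer match after attribute cleanup. Sample data below is constructed.

# An account with no userPrincipalName value has an implicit UPN built from the
# DNS name of its domain; an explicit value is used as-is and survives the rename.
function Get-EffectiveUpn {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$ExplicitUpn,
        [Parameter(Mandatory)][string]$DomainDnsName
    )
    if ([string]::IsNullOrEmpty($ExplicitUpn)) { return "$SamAccountName@$DomainDnsName" }
    return $ExplicitUpn
}

# Compare each account's post-cleanup UPN with the UPN embedded in its certificate.
function Test-CertificateUpnAfterRename {
    param(
        [Parameter(Mandatory)][hashtable[]]$Users,
        [Parameter(Mandatory)][string]$NewDnsName
    )
    foreach ($u in $Users) {
        $upnAfter = Get-EffectiveUpn -SamAccountName $u.Sam -ExplicitUpn $u.Upn -DomainDnsName $NewDnsName
        $type = 'implicit'
        if (-not [string]::IsNullOrEmpty($u.Upn)) { $type = 'explicit' }
        [pscustomobject]@{
            User            = $u.Sam
            UpnType         = $type
            CertificateUpn  = $u.CertUpn
            UpnAfterCleanup = $upnAfter
            NeedsReissue    = ($u.CertUpn -ne $upnAfter)
        }
    }
}

# Constructed accounts: alice relies on an implicit UPN and still holds a
# pre-rename certificate; bob has an explicit UPN; carol was already reissued.
$users = @(
    @{ Sam = 'alice'; Upn = $null;                  CertUpn = 'alice@cohovineyard.com' },
    @{ Sam = 'bob';   Upn = 'bob@cohovineyard.com'; CertUpn = 'bob@cohovineyard.com' },
    @{ Sam = 'carol'; Upn = $null;                  CertUpn = 'carol@cohowinery.com' }
)
Test-CertificateUpnAfterRename -Users $users -NewDnsName 'cohowinery.com' | Format-Table -AutoSize
# Expected: only alice is flagged NeedsReissue = True.
```

Run this before rendom /clean, while both UPN forms are still accepted; any account it flags must receive a new certificate first, otherwise smart card logon for that account fails as soon as cleanup completes.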

Enabling certificate enrollment in a renamed domain
• To enable certificate enrollment using either autoenrollment or the Certificates Microsoft Management Console (MMC) snap-in in the new domain, you have to make a small change in AD DS to the Enrollment Services container in the configuration directory partition (cn=Enrollment Services,cn=Public Key Services,cn=Services,cn=Configuration,dc=ForestRootDomain). The CA object in this container has a dNSHostName attribute that still contains the old DNS name of the CA computer. You can use the following Microsoft Visual Basic® script to change the value of this attribute, as follows:
' Bind to the CA's enrollment services object; replace YOURCA and the DC= path with your own values.
Container = "LDAP://CN=YOURCA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=yoursubDomain,DC=yourDomain,DC=com"
Set obj = GetObject(Container)
' Write the new DNS host name of the CA computer and commit the change to AD DS.
obj.dnshostname = "NEWDNSNAMEOFTHECAMACHINE"
obj.SetInfo

Note: You must perform this procedure for all the CAs in your domain. Also note that the container name depends on your domain configuration.
• You must also change the registry on the CA computer to reflect the new DNS name for the CA computer.
Caution: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
Membership in Account Operators, Domain Admins, or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To update the DNS name of the CA computer
1. On the CA computer, click Start, click Run, type regedit to open the Registry Editor, and then locate the entry CAServerName under HKLM\System\CurrentControlSet\CertSvc\Configuration\YourCAName.
2. Change the value in CAServerName to correspond to the new DNS host name.
• To enable proper Web enrollment for the user, you must also update the file that is used by the Active Server Pages (ASPs) for Web enrollment. The following change must be made on all the CA computers in your domain.
Membership in Account Operators, Domain Admins, or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To update the Web enrollment file
1. On the CA computer, search for the Certdat.inc file. If you have used default installation settings, this file should be located in the %windir%\system32\certsrv directory.
2. Open the file, which appears as follows:
<%@ CODEPAGE=65001 'UTF-8%>
<% ' certdat.inc - (CERT)srv web - global (DAT)a
   ' Copyright (C) Microsoft Corporation, 1998 - 1999 %>
<% ' default values for the certificate request
sDefaultCompany=""
sDefaultOrgUnit=""
sDefaultLocality=""
sDefaultState=""
sDefaultCountry=""

' global state
sServerType="Enterprise"    'vs StandAlone
sServerConfig="OLDDNSNAME\yourCAName"    ' CA computer DNS name\CA name; this is the entry to update
sServerDisplayName="yourCAName"
nPendingTimeoutDays=10
%>

3. Change the sServerConfig entry so that it has the new DNS name of the CA computer.
• If the CA was installed with the shared folder option (which is available only if the server was upgraded to Windows Server 2008 from Windows Server 2003), the file Certsrv.txt (under the shared folder) should be edited to reflect the new DNS name of the CA computer. Save a copy of this file before you edit it, open the file by using Notepad.exe, make the change to the DNS name of the CA computer, and then save the file.
• If you have a Web proxy computer (for CA Web pages) whose DNS host name changed as a result of the domain rename operation, you have to make changes to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
Under this key there is a value named WebClientCAMachine that holds the DNS name of the CA computer. Change this value to correspond to the new DNS name.

To update the Netscape revocation check mechanism
• On all computers where Web pages for the CA reside (for example, on the Web proxy and the CA computers) there is a file named nsrev_CANAME.asp that contains the DNS host name of the CA computer that is used by the Netscape revocation checking mechanism. Search for this file, and change the DNS host name of the CA computer that is embedded in the file. If you have used the default installation settings, this file will be in the folder %Windir%\system32\certsrv\certenroll and its content looks like the following.
<%
Response.ContentType = "application/x-netscape-revocation"
serialnumber = Request.QueryString
set Admin = Server.CreateObject("CertificateAuthority.Admin")
' The config string is CA computer DNS host name\CA name; the host name is what must be changed.
stat = Admin.IsValidCertificate("CAMachineDnsHostname\CANAME", serialnumber)
if stat = 3 then
    Response.Write("0")
else
    Response.Write("1")
end if
%>

Open this file with Notepad.exe, and change CAMachineDnsHostName to correspond to the new DNS host name.

Verifying the validity of CRL distribution point and AIA extensions
CRL distribution point and AIA extensions can be hard coded. Therefore, the extension URLs will not reflect the new DNS name of the CA computer. First, check to see whether the extensions are hard coded, and, if they are, you must change the URL to reflect the new DNS name. You must perform this procedure on every CA computer in each renamed domain.
The Manage CA permission on the CA computer is the minimum required to complete this procedure. Manage CA is a special privilege that you can configure with the Certification Authority snap-in.

To check whether the CRL distribution point and AIA extensions are flexible
1. Open the Certification Authority snap-in. To open Certification Authority, see Add the Certificates Snap-in to an MMC (http://go.microsoft.com/fwlink/?LinkId=124114).
2. Right-click the CA name, and then click Properties.
3. On the Extensions tab, check the flexibility of the CRL distribution point and AIA extensions, as follows:
a. Flexible extensions have the following format: http://<ServerDNSName>/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl
b. Hard-coded extensions have the following format: http://mydnsname.mycompanyname.com/certenroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl
4. If the CRL distribution point and AIA extensions are flexible, you do not have to change the extensions.
5. If the CRL distribution point and AIA extensions are not flexible, change the extension URLs to reflect the new DNS name of the CA computer.
6. Repeat this procedure for every CA computer in the domain.
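The check in step 3 is a pattern test: a flexible URL carries a server-name token (shown as <ServerDNSName> in the snap-in, stored as %1 in the CA's registry configuration), while a hard-coded one carries a literal host name. The following PowerShell functions are an added example, not code from the guide or from certutil: they classify each URL template and rewrite the host portion of hard-coded HTTP templates from the old CA host name to the new one, leaving flexible templates untouched. The templates below are constructed samples; on a real CA the values would be read with certutil -getreg CA\CRLPublicationURLs and certutil -getreg CA\CACertPublicationURLs and written back with certutil -setreg only after review.

```powershell
# Added example (not from the guide): classify and rewrite CDP/AIA URL templates.
# The sample templates and host names below are constructed.

# A template is flexible when it contains a server-name token instead of a
# literal host; the snap-in shows <ServerDNSName>, the registry stores %1.
function Test-FlexibleExtensionUrl {
    param([Parameter(Mandatory)][string]$Url)
    return (($Url -match '<ServerDNSName>') -or ($Url -match '%1'))
}

# Replace a literal old host name with the new one. The match is anchored to
# the URL scheme (and the optional "flags:" prefix used in registry values) and
# must be followed by "/" or ":", so sales.old.com is never mistaken for old.com.
function Update-HardCodedExtensionUrl {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$OldHost,
        [Parameter(Mandatory)][string]$NewHost
    )
    if (Test-FlexibleExtensionUrl -Url $Url) { return $Url }   # nothing to change
    $pattern = '^(?<prefix>(\d+:)?[a-z]+://)' + [regex]::Escape($OldHost) + '(?=[/:]|$)'
    return [regex]::Replace($Url, $pattern, "`${prefix}$NewHost", 'IgnoreCase')
}

# Report every template with its classification and the value it would become.
function Get-ExtensionUrlReport {
    param(
        [Parameter(Mandatory)][string[]]$Urls,
        [Parameter(Mandatory)][string]$OldHost,
        [Parameter(Mandatory)][string]$NewHost
    )
    foreach ($u in $Urls) {
        $flexible = Test-FlexibleExtensionUrl -Url $u
        $kind = 'hard-coded'
        if ($flexible) { $kind = 'flexible' }
        [pscustomobject]@{
            Kind     = $kind
            Current  = $u
            Proposed = Update-HardCodedExtensionUrl -Url $u -OldHost $OldHost -NewHost $NewHost
        }
    }
}

# Constructed samples: one snap-in style flexible URL, one registry style
# flexible URL, one hard-coded URL that needs the new host name.
$samples = @(
    'http://<ServerDNSName>/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl',
    '65:http://%1/CertEnroll/%3%8%9.crl',
    '65:http://ca1.cohovineyard.com/CertEnroll/%3%8%9.crl'
)
Get-ExtensionUrlReport -Urls $samples -OldHost 'ca1.cohovineyard.com' -NewHost 'ca1.cohowinery.com' |
    Format-List
# Expected: the first two are reported as flexible and unchanged; the third is
# hard-coded and proposed as 65:http://ca1.cohowinery.com/CertEnroll/%3%8%9.crl
```

LDAP URL templates are deliberately left alone: as the note earlier in this procedure says, LDAP CRL distribution point and AIA pointers cannot be repaired in place and require renewing the CA hierarchy.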

Renewing subordinate and issuing CA certificates
After all the preceding CA-related procedures have been performed on all CA computers, you can renew certificates to update the CRL distribution point and AIA locations in the CA certificate. Renew all subordinate and issuing CA certificates in hierarchical order. In addition, update Group Policy on all the computers to ensure that they have new root CA certificates.

Publish new CRLs
To publish new Delta and Base CRLs, run the following command on all the CA computers in the renamed domain:
certutil.exe -crl

Updating domain controller certificates
The domain controller certificates have to be updated so that any authentication mechanism that is based on certificates (for example, replication and Smart Card through Kerberos) continues to work. To update these certificates, if template-based autoenrollment was set before the domain rename operation, increment the version number for the Domain Controller Authentication and Directory E-mail Replication certificate templates to force re-enrollment. Otherwise, use Group Policy to set Machine Based Autoenrollment. The domain controllers will re-enroll and supersede the existing V1 Domain Controller certificate. You might also want to increase the version number on other templates (particularly the templates that are related to authentication) to set autoenrollment for the users and their computers.
Fix Cross and Qualified Subordination Certificates and name constraints. For more information, see Planning and Implementing Cross-Certification and Qualified Subordination Using Windows Server 2003 (http://go.microsoft.com/fwlink/?LinkID=123176).

Changing the user identity for the NDES add-on
If the Network Device Enrollment Services (NDES) add-on for Microsoft Certificate Services is installed, you might have to change the identity of the user under whose context the NDES process was created. For example, if NDES was originally running with the identity OriginalDomainName\UserName, after the domain rename operation Internet Information Services (IIS) will attempt to start the process with the same identity. (The IIS metabase is not altered during the domain rename operation.) You can change this identity in IIS.

To change the user identity for NDES in IIS
1. In the IIS MMC snap-in, browse to Application pools.
2. Under Application pools, right-click the folder for NDES, and then click Properties.
3. On the Identity tab, change the identity for NDES to correspond to the new domain name.

Perform Miscellaneous Tasks
You can use this procedure to perform miscellaneous tasks after a domain rename procedure. There are a number of miscellaneous follow-up tasks that you have to perform after the core domain rename tasks are complete. There is no particular order in which these tasks have to be performed.
• Publish service connection points for renamed TAPI-specific application directory partitions. If you renamed Telephony Application Programming Interface (TAPI)-specific application directory partitions as part of specifying the new forest description procedure (Specify the New Forest Description), you have to publish service connection points in Active Directory Domain Services (AD DS) for the new name of the application directory partition so that TAPI clients can locate it. At the same time, you can remove the service connection points for the old name of the application directory partition.
For example, suppose that you had a TAPI-specific application partition named mstapi.cohovineyard.com that was configured for the domain cohovineyard.com. As a result of the Domain Name System (DNS) name of the domain changing to cohowinery.com, you renamed the corresponding application directory partition to mstapi.cohowinery.com during the domain rename operation. You should now remove the service connection point for the old application directory partition name mstapi.cohovineyard.com by running the following command from a command prompt on the control station computer:
tapicfg removescp /directory:mstapi.cohovineyard.com /domain:cohowinery.com

Then, publish a service connection point for the new application directory partition name mstapi.cohowinery.com by running the following command from a command prompt on the control station:
tapicfg publishscp /directory:mstapi.cohowinery.com /domain:cohowinery.com /forcedefault



• Orchestrate password reset for Digest authentication. A Digest authentication mechanism uses the DNS domain name as the realm, which is then used to precompute the Digest user password hash that is stored in AD DS. If you are using Digest authentication in a domain that was renamed by the domain rename operation, a user in that domain will not be able to use Digest authentication until the user password is changed. If you are using Digest authentication in a domain that is renamed, you must do something to cause a password reset to occur. For example, you could do the following:
• After you complete all the procedures in Run Domain Rename Instructions (the domain rename instructions have all been followed and domain controllers have restarted in a renamed domain), expire all user passwords by changing the domain password policy in the renamed domain.
• Send out e-mail that warns users that they must change their passwords immediately after they reboot their computers twice (as described in Restart Member Computers). Users change their passwords by pressing Ctrl+Alt+Del.
• Remove any redundant interdomain trusts within your forest.

If you performed a forest restructure operation in which the existing domains were rearranged into a different tree structure, you would have created the necessary shortcut trusts to preserve complete trust between all the domains in your new forest, as described in "Pre-Creating Parent-Child Trust Relationships for a Restructured Forest" in Create Necessary Shortcut Trust Relationships. This type of restructure can result in one or more parent-child or tree-root trust relationships remaining in your forest that reflect the old domain structure and are no longer required. Although their presence does no harm, you can use the Active Directory Domains and Trusts snap-in to remove these redundant trust relationships after the domain rename operation is complete. For more information, see Active Directory Domains and Trusts (http://go.microsoft.com/fwlink/?LinkId=124088).
• Fix Start menu shortcuts for Domain Security Policy and Domain Controller Security Policy Microsoft Management Console (MMC) snap-ins.

1. Click Start, click Programs, and then click Administrative Tools.
2. Right-click Domain Security Policy, and then click Properties.
3. Modify the Target field to replace the old distinguished name of the domain that appears as part of the /gpobject: parameter with the new distinguished name of the domain.
4. Click OK.
Note: For example, if you renamed the domain cohovineyard.com to cohowinery.com, the /gpobject: parameter will have to be changed from /gpobject:"LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=cohovineyard,DC=com" to /gpobject:"LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=cohowinery,DC=com".
5. To fix the Domain Controller Security Policy snap-in shortcut, follow steps 1 through 4 above, but select Domain Controller Security Policy in step 2.
Note: For example, if you renamed the domain msn.com to msnzone.com, the /gpobject: parameter will have to be changed from /gpobject:"LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=cohovineyard,DC=com" to /gpobject:"LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=cohowinery,DC=com".
• Remove the Group Policy to set the primary DNS suffix of member computers in renamed domains. If you followed the recommendations to avoid excess replication due to member computers being renamed in a large domain, as described in "Configuring Member Computers for Host Name Changes in Large Deployments" in Configure Member Computers for Host Name Changes, you might have configured and applied a Group Policy setting Primary DNS Suffix to member computers in your renamed domains. Because the intended purpose of this Group Policy setting has now been served, it can be removed. To remove this Group Policy setting, follow steps 1 through 5 of the procedure "Apply Group Policy to Set the Primary DNS Suffix" in Configure Member Computers for Host Name Changes, click Disabled, and then click OK.
• Remove DNS zones that are no longer needed. As a result of the domain DNS name changes that occurred during the domain rename operation, some of the DNS zones in your DNS infrastructure might no longer be necessary. For example, if there was a DNS zone with a name that matched the old DNS name of a renamed domain, there might be no more DNS resource records (service (SRV), host (A), and pointer (PTR) resource records) with the old domain suffix that have to be registered with DNS. In this case, you can remove these DNS zones that are no longer necessary.
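The shortcut fix in steps 1 through 5 above is a string edit on the /gpobject: argument: only the DC= tail of the LDAP path changes, the GPO GUID stays. The following PowerShell is an added example, not code from the guide: it rewrites that tail from the old domain DN to the new one and leaves any other text in the target untouched. The sample targets use the two GPO GUIDs shown in the notes above; the program part of the shortcut target (gpedit.msc) and the shortcut path in the comment are assumptions, since the guide shows only the /gpobject: parameter.

```powershell
# Added example (not from the guide): rewrite the domain DN inside a
# /gpobject: shortcut argument after a domain rename. Sample targets below are
# constructed; the GUIDs are the ones the guide's notes show.

# cohowinery.com -> DC=cohowinery,DC=com
function ConvertTo-DomainDN {
    param([Parameter(Mandatory)][string]$DnsName)
    ($DnsName.Trim('.').Split('.') | ForEach-Object { "DC=$_" }) -join ','
}

# Replace only the DN that follows CN=System inside the quoted /gpobject: value.
# Targets that do not point at the old domain are returned unchanged.
function Update-GpObjectTarget {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][string]$OldDnsName,
        [Parameter(Mandatory)][string]$NewDnsName
    )
    $oldDn = ConvertTo-DomainDN -DnsName $OldDnsName
    $newDn = ConvertTo-DomainDN -DnsName $NewDnsName
    $pattern = '(/gpobject:"LDAP://CN=\{[0-9A-Fa-f-]+\},CN=Policies,CN=System,)' +
               [regex]::Escape($oldDn) + '"'
    return [regex]::Replace($Target, $pattern, "`${1}$newDn`"", 'IgnoreCase')
}

# Constructed shortcut targets (the gpedit.msc prefix is an assumption).
$domainPolicy = 'gpedit.msc /gpobject:"LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=cohovineyard,DC=com"'
$dcPolicy     = 'gpedit.msc /gpobject:"LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=cohovineyard,DC=com"'

foreach ($t in @($domainPolicy, $dcPolicy)) {
    Update-GpObjectTarget -Target $t -OldDnsName 'cohovineyard.com' -NewDnsName 'cohowinery.com'
}
# Expected: both targets end in ...,CN=System,DC=cohowinery,DC=com"

# To apply this to the real .lnk files (path assumed, not from the guide), the
# WScript.Shell COM object exposes the Arguments property of a shortcut:
#   $sh  = New-Object -ComObject WScript.Shell
#   $lnk = $sh.CreateShortcut("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Domain Security Policy.lnk")
#   $lnk.Arguments = Update-GpObjectTarget -Target $lnk.Arguments -OldDnsName 'cohovineyard.com' -NewDnsName 'cohowinery.com'
#   $lnk.Save()
```

Because the GUID is matched by pattern rather than hard-coded, the same function serves both shortcuts and any other shortcut whose /gpobject: argument still names the old domain.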

Back Up Domain Controllers
You can use this procedure to back up domain controllers after a domain rename operation. As a result of the domain rename operation, the content of the Active Directory database, system registry, and Group Policy objects (GPOs) on the domain controllers changes. Therefore, the existing backups that you have taken for the domain controllers are no longer valid.
• Back up system state. Perform a full system state backup of all domain controllers in the forest so that you have a recoverable backup state. For more information, see the Step-by-Step Guide for Windows Server 2008 Active Directory Domain Services Backup and Recovery (http://go.microsoft.com/fwlink/?LinkId=93077).
• Back up GPOs. If you use Group Policy, consider installing the Group Policy Management Console (GPMC). For more information, see GPMC (http://go.microsoft.com/fwlink/?LinkID=123307). GPMC makes Group Policy easier to use, and it adds functional improvements such as the ability to back up GPOs independently of the rest of Active Directory Domain Services (AD DS). GPOs that you back up with GPMC before the domain rename operation cannot be restored after the domain rename. Therefore, we recommend that after a domain rename operation, you use GPMC to back up all the GPOs again.
Note: Saved GPMC consoles for a domain will no longer work after you rename a domain. If you want to use saved GPMC consoles, you have to re-create them after the domain rename operation.

Restart Member Computers
You can use this procedure to restart member computers after a domain rename operation. After the domains are renamed, you have to create a process by which all member computers in the renamed domains in your forest recognize and propagate the domain name changes to all applications and services that are running on member computers. You can do this by notifying all users to restart their computers (the member computers) to cause those computers to pick up the domain name changes.

Important: When the member computers are restarted, their Domain Name System (DNS) host names will also change after the restart, because their primary DNS suffix changes as a result of the name change of the domain of which they are members. The primary DNS suffix of a member computer in an Active Directory domain is, by default, configured to change automatically when the domain membership of the computer changes. If you have very large domains whose DNS name was changed by the domain rename operation and these domains have a large number of member computers, you might observe a large replication storm and a surge in network traffic as a result of the member computer restarts. For information about how to avoid excess replication under these conditions, see Configure Member Computers for Host Name Changes.

Perform the following tasks after the domain rename operation:
• Restart all member computers twice. Restart twice all member workstations, member servers, and standalone servers (excluding domain controllers) that are running Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2008 in the renamed domains in your forest. Restarting these computers twice ensures that each member computer learns of the domain name changes and propagates the changes to all applications and services that are running on the member computer.
Note: Each computer must be restarted by logging into the computer and by using the Shutdown/Restart administrative option. Computers must not be restarted by turning off the computer's power and then turning it back on.
Note: Member computers on a wired local area network (LAN) can simply be restarted twice. Member computers on a wireless LAN should be connected to a wired network while you perform the two required restarts. If that is not possible, eject the wireless network card and then reinsert it after logon before each restart.
• Unjoin and then join any remote computers that connect to the renamed domain through a remote connection, such as dial-up and virtual private network (VPN). If there are any remote computers that are members of a renamed domain that connect to the domain through remote connection mechanisms such as dial-up lines or VPNs, you will have to unjoin each member computer from the old domain name and then rejoin it to the new domain name.

Exchange-Specific Steps: Verify the Exchange Rename and Update Active Directory Connector
You can use this procedure to verify the Exchange rename and update the Active Directory Connector after a domain rename operation. If the domain contains Exchange Server 2003 Service Pack 1 (SP1) servers, follow the steps to verify the Exchange rename and update the Active Directory Connector. For more information, see Microsoft Exchange Server Domain Rename Fixup (XDR-Fixup) (http://go.microsoft.com/fwlink/?LinkID=123322).
Important: The Windows Server 2008 domain rename operation is not supported in an Active Directory forest that contains Exchange Server 2003, Exchange Server 2003 Service Pack 2 (SP2), Exchange Server 2007, or Exchange Server 2007 SP1.

Perform Attribute Cleanup
You can use this procedure to perform attribute cleanup after a domain rename operation. This post-domain-rename cleanup procedure removes all values of the msDS-DnsRootAlias and msDS-UpdateScript attributes from Active Directory Domain Services (AD DS) that were written during the domain rename operation.
Important: Perform this cleanup procedure only after all member computers in the renamed domains have been restarted as described in Restart Member Computers. If smart card logon is used in your environment, make sure that all authentication certificates have been renewed before this step; otherwise, authentication will start to fail for the certificates.
Membership in the Enterprise Admins group in the target forest (with write access to the Partitions container object and the cross-reference objects that are its children in the configuration directory partition) and the Local Administrators group (or write access to the domain rename C:\domren working directory) on the control station computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Note: You can use credentials other than the credentials with which you are currently logged on. To use alternative credentials, use the /user and /pwd command-line switches of rendom, as described in Appendix A: Command-Line Syntax for the Rendom Tool.

To perform attribute cleanup after a domain rename
1. On the control station, click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following command to change to the working directory, and then press ENTER:
cd C:\domren

3. From within the working directory, type the following command, and then press ENTER:
rendom /clean

The rendom /clean command removes the values for the msDS-DnsRootAlias and msDS-UpdateScript attributes from AD DS by connecting to the domain controller that has the domain naming operations master role. After the steps in this procedure are complete, the new forest is ready for another domain rename (or forest restructuring) operation, if necessary.

Rename Domain Controllers
You can use this procedure to rename domain controllers after a domain rename operation. The Domain Name System (DNS) host names of the domain controllers in the renamed domains do not change automatically as a result of the domain rename operation. In other words, the DNS suffix in the fully qualified DNS host name of a domain controller in the renamed domain continues to reflect the old domain name. You can change the DNS host name of domain controllers in a renamed domain at a later time by using a special procedure.
Modification of the computer name causes updates to the DNS and Active Directory databases. The computer performs these updates automatically. After the updated data propagates to the DNS servers and Active Directory domain controllers that a client computer uses, the client computer can locate and authenticate to the renamed domain controller computer. However, DNS and Active Directory replication latency (the time that it takes for the name change to replicate throughout the databases) might cause a temporary inability of clients to locate or authenticate the renamed domain controller. Therefore, renaming a mission-critical server, such as a domain controller, requires that you follow a computer rename preparation procedure before you rename the domain controller. This preparation procedure ensures that there will be no interruption in the ability of client computers to locate or authenticate the renamed domain controller. For more information about how to rename a domain controller, see Renaming a Domain Controller.
Note: If your forest contains Exchange 2003 Service Pack 1 (SP1) servers, and you chose to rename domain controllers, you must perform several Exchange-specific steps to update the Recipient Update Service and DSAccess registry keys. For more information, see Microsoft Exchange Server Domain Rename Fixup (XDR-Fixup) (http://go.microsoft.com/fwlink/?LinkID=123322).

Additional Resources for the Domain Rename Operation
For more information about the Active Directory domain rename operation, see the following resources:
• Appendix A: Command-Line Syntax for the Rendom Tool
• Appendix B: Command-Line Syntax for the Gpfixup Tool
• Appendix C: Checklists for the Domain Rename Operation
• Appendix D: Worksheets for the Domain Rename Operation

Appendix A: Command-Line Syntax for the Rendom Tool
The Rendom command-line tool collects forest-wide information, monitors domain rename status, and performs the actions that are necessary to complete a domain rename operation in your forest.

Syntax
rendom [/?] [/dc:{DCNAME | DOMAIN}] [/user:USERNAME] [/pwd:{PASSWORD | *}] [/list] [/upload] [/prepare] [/execute] [/end] [/clean] [/showforest] [/listfile:LISTFILE] [/statefile:STATEFILE] [/logfile:LOGFILE]

Parameters

/?
    Optional. Displays the Help and the version number of the tool.

/dc:{DCNAME | DOMAIN}
    Optional. Specifies that the command connect to a specific domain controller, indicated by DCNAME (a Domain Name System (DNS) name or a NetBIOS name), to run the operation that is specified by one of the operation switches: /list, /upload, /prepare, /execute, or /clean. If the name of a domain is specified instead as DOMAIN, the command connects to a domain controller in that domain. Default: when this switch is not specified, the command connects to any domain controller in the domain to which the computer on which this command is being run belongs. If this command is run on a computer that is not a member of any domain, the /dc switch is required; otherwise, an error is returned.

/user:USERNAME
    Optional. Requests that the command run in the security context of a specific user, indicated by USERNAME, that is different from the logged-on user. USERNAME can currently be in only one form: domain\user, for example, ntdev\jdow.

/pwd:{PASSWORD | *}
    Optional. Specifies the password for the alternate security context indicated by USERNAME. If the value that is specified for this switch is *, the command prompts for the password to allow hiding of the password. Prefer * over a literal password: an Enterprise Admins password given on the command line is visible to anyone who can read the process list or the shell history of the control station.

/list
    This operation creates a list of the directory partitions in the forest. The list is written as text to a file using an XML format; that is, this command creates a textual description of the forest structure in a structured XML format. If a file name is specified with the /listfile switch, below, the forest description is written into that file. If no file name is specified, the forest description is written to a file named DOMAINLIST.XML in the current directory from which this command is run. If the specified file already exists, it is renamed and a new file is created.

/upload
    Performs the following functions:
    Based on the new forest description that is provided in the file that is named by the /listfile switch (or the file DOMAINLIST.XML in the current directory, by default), this operation generates an instructions file in the form of a special script that will run later on every domain controller in the forest. The instructions file is not a file that is stored on disk.
    Writes the autogenerated script (instructions file) to the msDS-UpdateScript attribute of the Partitions container on the domain controller that holds the domain naming operations master role.
    Sets the msDS-DnsRootAlias attribute on the crossRef object that corresponds to every domain that is being renamed.
    Writes a new state file, indicated by the /statefile switch (or the file DCLIST.XML in the current directory, by default), to track the state of every domain controller in the forest. All domain controllers are marked to be in the Initial state. If the specified file already exists, it is renamed and a new file is created.
    The forest configuration is frozen for certain types of operations after successful completion of this command.

/prepare
    Attempts to contact every domain controller in the forest (as tracked by the state file), and verifies the following:
    The correct instructions file (the special script that is uploaded by the /upload operation) has replicated to the domain controller.
    The changes that are dictated by the instructions file are consistent with the contents of the directory partition replicas that the domain controller holds.
    The domain controller has authorized the running of the domain rename operation.
    After successful verification of the previous conditions on a given domain controller, the corresponding state for that domain controller is advanced to the Prepared state in the state file.

/execute
    Attempts to contact every domain controller in the forest (as tracked by the state file), and executes the changes that the instructions file dictates to cause the actual domain rename to occur. After successful execution of the instructions file on a given domain controller, the corresponding state in the state file for that domain controller is advanced to Done, a final state that indicates that the restructuring is finished on that domain controller. If an irrecoverable error occurs on a given domain controller, the corresponding state in the state file for that domain controller is set to Error, also a final state, which indicates that the domain controller is not functioning and that it must have Active Directory removed. (That is, it can no longer be used as a domain controller; it has to be forcibly demoted, its metadata cleaned up, and the server rebuilt.) The state file that this operation uses is the state file that is specified by the /statefile switch (or the file DCLIST.XML in the current directory, by default).

/end
    Attempts to contact the domain controller that holds the domain naming operations master role of the forest, and removes the msDS-UpdateScript attribute on the Partitions container. After successful removal of this attribute on the domain naming master, this operation returns a SUCCESS summary status message. The forest configuration, which was frozen for certain types of operations following the /upload operation, is now unfrozen.

/clean
    Attempts to contact the domain controller that holds the domain naming operations master role of the forest, and performs the following functions:
    Removes all values of the msDS-DnsRootAlias attribute on all crossRef objects in the Partitions container.
    Removes the msDS-UpdateScript attribute on the Partitions container.
    After successful removal of these attributes on the domain naming master, this operation returns a SUCCESS summary status message.

/showforest
    Requests that the forest description (which is represented by the list of its directory partitions and their hierarchy) that is contained in the list file be displayed in a user-friendly format with indentation that reflects the domain hierarchy. The list file will typically have been generated by the /list operation of this command. If a file name is specified with the /listfile switch, below, the forest description is read from that file. If no file name is specified, the forest description is assumed to be in a file named DOMAINLIST.XML in the current directory from which this command is being run. If the specified file (or the default file) does not exist, an error is reported with an indication to run the /list operation first.

/listfile:LISTFILE
    Optional. Specifies that LISTFILE is the name of the file that holds the forest description. The list file contains a list of the directory partitions in the forest that is written as text in an XML format. You can use this switch to specify the output file for the /list operation or the input file for the /upload operation. If this switch is not specified, the forest description is assumed to be in a file named DOMAINLIST.XML in the current directory from which this command is being run.

/statefile:STATEFILE
    Optional. Specifies that STATEFILE is the name of the file that is used to track the state of each domain controller in the forest during the domain rename operation. The state file contains a list of all the domain controllers in the forest and their corresponding states, written as text in an XML format. You can use this switch to specify the state file for the /upload, /prepare, and /execute operations. If this switch is not specified, the state of the domain controllers is assumed to be in a file named DCLIST.XML in the current directory from which this command is being run.

/logfile:LOGFILE
    Optional. Specifies that LOGFILE is the name of the file that is used to write the execution log of the command as an operation runs. The contents of the log file vary, depending on which operation (/list, /upload, /prepare, /execute, /clean) is running. If this switch is not specified, the execution log is written to a file named RENDOM.LOG in the current directory from which this command is being run.
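The state file is the only record of where each domain controller stands between /prepare, /execute and /end, so in a large forest it is worth reading it programmatically rather than scanning the XML by eye. The following PowerShell functions are an added example, not part of the guide or of the Rendom tool: they load the state file and report which domain controllers have not yet reached the expected state and which have reached the final Error state. The element names used (DcList, DC, Name, State, LastErrorMsg) and the sample file are assumptions modelled on the description above; check them against a real DCLIST.XML before relying on the script.

```powershell
# Added example (not from the guide): read rendom's state file and decide
# whether a phase is complete. Element names are assumed; verify them against
# a real DCLIST.XML written by rendom /upload.
function Get-RendomDcState {
    param([string]$Path = '.\DCLIST.XML')
    $xml = [xml](Get-Content -Path $Path)
    foreach ($dc in $xml.DcList.DC) {
        New-Object PSObject -Property @{
            Name      = [string]$dc.Name
            State     = [string]$dc.State          # Initial, Prepared, Done or Error
            LastError = [string]$dc.LastErrorMsg
        }
    }
}

function Test-RendomPhaseComplete {
    # $Expected is 'Prepared' after /prepare and 'Done' after /execute.
    # Returns $true only when every DC is in that state. Error is final: that
    # DC must have AD DS removed and be rebuilt, it cannot be retried.
    param([object[]]$DcStates, [string]$Expected)
    $failed  = @($DcStates | Where-Object { $_.State -eq 'Error' })
    $pending = @($DcStates | Where-Object { $_.State -ne $Expected -and $_.State -ne 'Error' })
    foreach ($dc in $failed)  { Write-Warning "$($dc.Name): Error (final). Remove AD DS from this DC. $($dc.LastError)" }
    foreach ($dc in $pending) { Write-Warning "$($dc.Name): still $($dc.State); rerun the phase before continuing." }
    return ($failed.Count -eq 0 -and $pending.Count -eq 0)
}

# Constructed sample state file (not from a real forest) so the functions can be
# exercised offline; in a real run point -Path at the file rendom wrote.
$sample = @'
<?xml version="1.0"?>
<DcList>
  <DC><Name>dc1.corp.contoso.com</Name><State>Prepared</State><LastErrorMsg></LastErrorMsg></DC>
  <DC><Name>dc2.corp.contoso.com</Name><State>Initial</State><LastErrorMsg>The RPC server is unavailable.</LastErrorMsg></DC>
  <DC><Name>dc3.corp.contoso.com</Name><State>Prepared</State><LastErrorMsg></LastErrorMsg></DC>
</DcList>
'@
$samplePath = Join-Path $env:TEMP 'dclist-sample.xml'
Set-Content -Path $samplePath -Value $sample
$states = Get-RendomDcState -Path $samplePath
$states | Format-Table Name, State, LastError -AutoSize
Test-RendomPhaseComplete -DcStates $states -Expected 'Prepared'
```

With the constructed sample the check returns $false and warns that dc2 is still Initial, which is the signal to rerun /prepare (after fixing the RPC problem it recorded) rather than to proceed to /execute. The same function with -Expected 'Done' is the gate before /end.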

Appendix B: Command-Line Syntax for the Gpfixup Tool
You can use the gpfixup command-line tool to fix the dependencies that Group Policy objects (GPOs) and Group Policy links in Active Directory Domain Services (AD DS) have on Domain Name System (DNS) and NetBIOS names after a domain rename operation.

Syntax
gpfixup [/?] [/v] [/dc:DCNAME] [/user:USERNAME] [/pwd:{PASSWORD | *}] [/olddns:OLDDNSNAME] [/newdns:NEWDNSNAME] [/oldnb:OLDFLATNAME] [/newnb:NEWFLATNAME] [/sionly]

Parameters

/?
    Optional. Displays the Help syntax and the version number of the tool.

/v
    Optional. Requests that detailed status messages be displayed. In the absence of this switch, only error messages or a brief summary status message of SUCCESS or FAILURE appears.

/olddns:OLDDNSNAME
    Optional. When the domain rename operation changes the DNS name of a domain, this switch specifies the old DNS name of the renamed domain as OLDDNSNAME, for example, olddom.contoso.com. You can use this switch if and only if you also use the /newdns switch to provide the new domain DNS name.

/newdns:NEWDNSNAME
    Optional. When the domain rename operation changes the DNS name of a domain, this switch specifies the new DNS name of the renamed domain as NEWDNSNAME, for example, newdom.contoso.com. You can use this switch to specify the new domain DNS name if and only if you use the /olddns switch to provide the old domain DNS name.

/oldnb:OLDFLATNAME
    Optional. When the domain rename operation changes the NetBIOS name of a domain, this switch specifies the old NetBIOS name of the renamed domain as OLDFLATNAME, for example, olddom. You can use this switch if and only if you use the /newnb switch to provide the new domain NetBIOS name.

/newnb:NEWFLATNAME
    Optional. When the domain rename operation changes the NetBIOS name of a domain, this switch specifies the new NetBIOS name of the renamed domain as NEWFLATNAME, for example, newdom. You can use this switch to specify the new NetBIOS name of the domain if and only if you use the /oldnb switch to provide the old NetBIOS name of the domain.

/sionly
    Optional. Requests that only the Group Policy fix that relates to managed software installation (that is, the SI extension for Group Policy) be performed. Skips the actions that fix up the Group Policy links and the SYSVOL paths in the GPOs.

/dc:DCNAME
    Optional. Requests that the command connect to a specific domain controller, indicated by DCNAME (a DNS name or a NetBIOS name), to run the fix-up operation. If DCNAME is specified, it must host a writable replica of the domain directory partition of the renamed domain, as indicated by either of the following:
    The DNS name NEWDNSNAME, using /newdns
    The NetBIOS name NEWFLATNAME, using /newnb
    Default: when this switch is not specified, the command connects to any domain controller in the renamed domain, as indicated by either NEWDNSNAME or NEWFLATNAME. You can use the function DsGetDcName() to obtain a proper domain controller for the given domain.

/user:USERNAME
    Optional. Requests that the command run in the security context of a specific user, indicated by USERNAME, that is different from the logged-on user. USERNAME can currently be specified in only one form: domain\user, for example, ntdev\jdow.

/pwd:{PASSWORD | *}
    Optional. Specifies the password for the alternate security context that is indicated by USERNAME. If the value that is specified for this switch is *, the command prompts for the password to allow hiding of the password.
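The two appendices above describe the switches one at a time; what a practitioner usually wants is the order in which they are run from the control station and where the script must stop. The following PowerShell script is an added example, not part of the guide: it drives rendom through /list, /upload, /prepare, /execute and /end, then runs gpfixup for the renamed domain, failing fast on the first non-zero exit code. The domain names, the working folder, the domain controller named in /dc, and the assumption that both tools return a non-zero exit code on failure are assumptions; the log file named in /logfile is the authoritative record of what each step did. The /clean step belongs to the Completing checklist in Appendix C, after member computers have been restarted, so it is deliberately not run here.

```powershell
# Added example (not from the guide): the rendom/gpfixup sequence as one script.
# Names and paths are assumed. Run on the control station (a member server,
# not a DC) with Enterprise Admins credentials.
$OldDns = 'olddom.contoso.com'; $NewDns = 'newdom.contoso.com'
$OldNb  = 'OLDDOM';             $NewNb  = 'NEWDOM'
$Work   = 'C:\DomainRename'     # listfile, statefile and log are kept together here

function Invoke-Step {
    # Runs one tool invocation and stops the script on a non-zero exit code; the
    # rename must never advance past a phase that did not complete on every DC.
    param([string]$Exe, [string[]]$Arguments)
    Write-Host "==> $Exe $($Arguments -join ' ')"
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments[0]) failed (exit $LASTEXITCODE); see $Work\rendom.log" }
}

New-Item -ItemType Directory -Path $Work -Force | Out-Null
Set-Location $Work
$common = @("/listfile:$Work\domainlist.xml", "/statefile:$Work\dclist.xml", "/logfile:$Work\rendom.log")

# 1. Current forest description, then the edited one. The edit is manual: change the
#    DNS (and NetBIOS) names of every partition that is being renamed in domainlist.xml,
#    including the DNS application partitions that carry the old suffix.
Invoke-Step rendom.exe (@('/list') + $common)
Invoke-Step rendom.exe (@('/showforest') + $common)
Read-Host 'Edit domainlist.xml with the new forest description, then press Enter'
Invoke-Step rendom.exe (@('/showforest') + $common)    # review the new description before upload

# 2. Upload writes msDS-UpdateScript and the DnsRootAlias values, creates dclist.xml
#    with every DC in Initial state, and freezes the forest configuration.
Invoke-Step rendom.exe (@('/upload') + $common)

# 3. Prepare must leave every DC in Prepared state before execute is attempted;
#    execute is not reversible, and a DC that ends in Error must be demoted.
Invoke-Step rendom.exe (@('/prepare') + $common)
Invoke-Step rendom.exe (@('/execute') + $common)

# 4. End removes msDS-UpdateScript from the Partitions container and unfreezes
#    the forest. /clean is run later, after the Completing checklist.
Invoke-Step rendom.exe (@('/end') + $common)

# 5. Fix GPO links and SYSVOL paths in the renamed domain. /dc must name a DC that
#    holds a writable replica of the renamed domain (assumed name below).
Invoke-Step gpfixup.exe @('/v', "/olddns:$OldDns", "/newdns:$NewDns",
                          "/oldnb:$OldNb", "/newnb:$NewNb", "/dc:dc1.$NewDns")
```

Keeping the list file, state file and log in one folder matters for a second reason: the state file is what /prepare and /execute resume from, so it must not be edited or regenerated between phases, and it should be backed up with the rest of the rename evidence.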

Appendix C: Checklists for the Domain Rename Operation
This appendix provides checklists for the tasks to be performed during the various phases of the domain rename operation. Complete the tasks in these checklists in the order in which they are presented. If a reference link takes you to a conceptual topic, return to the checklist after you review the conceptual topic so that you can proceed with the remaining tasks.

Satisfying domain rename requirements
This checklist provides the list of requirements that must be met before you can begin a domain rename operation.

Checklist: Satisfying domain rename requirements

Task: Adjust the forest functional level. You can rename domains only in a forest in which all the domain controllers are running Windows Server 2008 Standard or Windows Server 2003 Standard Edition, Windows Server 2008 Enterprise or Windows Server 2003 Enterprise Edition, or Windows Server 2008 Datacenter or Windows Server 2003 Datacenter Edition, and the Active Directory forest functional level has been raised to either Windows Server 2003 or Windows Server 2008. The domain rename operation will not succeed if the forest functional level is set to Windows 2000 native.
    Reference: For more information about forest functional levels and for procedures to determine and set forest functional levels, see Enabling Advanced Features for Active Directory Domain Services.

Task: Obtain the necessary administrative credentials. You must have Enterprise Admins credentials to perform the various steps in the domain rename procedures. If you are running Microsoft Exchange, the account that you use must also have Full Exchange Administrator credentials.
    Reference: The required credentials for each procedure in the domain rename operation are described throughout the topics in Managing Active Directory Domain Rename.

Task: Set up the control station. The computer that is to be used as the control station for the domain rename operation must be a member computer (not a domain controller) that is running Windows Server 2008 Standard, Windows Server 2008 Enterprise, or Windows Server 2008 Datacenter.
    Reference: Set Up the Control Station

Task: Configure Distributed File System (DFS) root servers. If you want to rename a domain with domain-based DFS roots, all DFS root servers must be running Windows 2000 Service Pack 3 (SP3) or a later release of Windows Server, up to Windows Server 2008.
    Reference: For more information, see Distributed File System Technology Center.

Task: Satisfy Exchange-specific requirements:
    • Exchange 2003 SP1: If your Active Directory forest contains only Exchange 2003 Service Pack 1 (SP1) servers, you can run the domain rename operation, but you must also use the Exchange Domain Rename Fix-up Tool to update Exchange attributes. So that you can perform a domain rename operation, Exchange must not be installed on any domain controllers. If a domain controller is running Exchange, move the Exchange data off the domain controller and uninstall Exchange.
    • Exchange 2003 without SP1, Exchange 2000, or Exchange 5.5: The domain rename operation is not supported in an Active Directory forest that contains Exchange Server 2003 (without SP1), Exchange 2000, or Exchange 5.5 servers. If the domain rename tool detects Exchange 2000 servers, the tool will not proceed. The domain rename tool will not detect whether Exchange 5.5 servers exist. Therefore, do not attempt the domain rename operation if the forest contains Exchange 5.5 servers.
    Reference: The Exchange Domain Rename Fix-up Tool is available as Microsoft Exchange Server Domain Rename Fixup (XDR-Fixup).
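Most of the requirements in this checklist can be verified from the control station before anything is touched. The following PowerShell function is an added example, not part of the guide: it checks the forest functional level, the operating system of every domain controller, that the local computer is a domain member rather than a domain controller, and that the current user holds Enterprise Admins. It uses the System.DirectoryServices.ActiveDirectory classes that ship with Windows Server 2008 rather than the later ActiveDirectory module. The numeric enum values for ForestMode and Win32_ComputerSystem.DomainRole are as documented by Microsoft; the regular expression used on the OSVersion display string is an assumption, and the Exchange requirements are not checked here.

```powershell
# Added example (not from the guide): pre-flight checks for the requirements
# checklist. Returns a list of problems; an empty list means the checked
# requirements are satisfied.
function Test-DomainRenameRequirements {
    $problems = @()

    # 1. Forest functional level. ForestMode enum: 0 = Windows 2000, 1 = Windows Server
    #    2003 interim, 2 = Windows Server 2003, 3 = Windows Server 2008. Only 2 and above
    #    satisfy the checklist; Windows 2000 native blocks the rename.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    if ([int]$forest.ForestMode -lt 2) {
        $problems += "Forest functional level is $($forest.ForestMode); raise it to Windows Server 2003 or Windows Server 2008."
    }

    # 2. Every DC must run Windows Server 2003 or 2008. OSVersion is a display string,
    #    so the product name is matched (assumed pattern).
    foreach ($domain in $forest.Domains) {
        foreach ($dc in $domain.DomainControllers) {
            if ($dc.OSVersion -notmatch 'Windows Server.*(2003|2008)') {
                $problems += "$($dc.Name) runs '$($dc.OSVersion)'; all DCs must run Windows Server 2003 or 2008."
            }
        }
    }

    # 3. The control station must be a domain member and not a DC.
    #    Win32_ComputerSystem.DomainRole: 0/2 = standalone, 1/3 = member, 4/5 = domain controller.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if ($cs.DomainRole -ge 4) {
        $problems += "$env:COMPUTERNAME is a domain controller; the control station must be a member computer."
    } elseif ($cs.DomainRole -eq 0 -or $cs.DomainRole -eq 2) {
        $problems += "$env:COMPUTERNAME is not joined to a domain."
    }

    # 4. Enterprise Admins membership. The group's SID is the forest root domain SID
    #    followed by RID 519, so the token is checked for a group SID ending in -519.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $isEnterpriseAdmin = @($id.Groups | Where-Object { $_.Value -match '-519$' }).Count -gt 0
    if (-not $isEnterpriseAdmin) {
        $problems += "$($id.Name) is not a member of Enterprise Admins (RID 519)."
    }

    return $problems
}

$problems = Test-DomainRenameRequirements
if ($problems.Count -eq 0) {
    'All checked requirements are satisfied.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

The Enterprise Admins check reads the current logon token, so it reflects the credentials rendom will actually run under; if the session was started with a different account than the one intended for the rename, that is where it shows up.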

Preparing for the domain rename operation
This checklist provides the list of tasks for preparing for the domain rename operation.

Checklist: Preparing for the domain rename operation

Task: Adjust the forest functional level.
    Note: You can rename domains only in a forest in which all of the domain controllers are running Windows Server 2008 Standard or Windows Server 2003 Standard Edition, Windows Server 2008 Enterprise or Windows Server 2003 Enterprise Edition, or Windows Server 2008 Datacenter or Windows Server 2003 Datacenter Edition, and the Active Directory forest functional level has been raised to either Windows Server 2003 or Windows Server 2008. The domain rename operation will not succeed if the forest functional level is set to Windows 2000 native.
    Reference: Adjust Forest Functional Level

Task: Create necessary shortcut trust relationships within the forest, and document all trusts.
    • Compile a list of domains to be renamed based on the new forest structure that you want.
    • Create shortcut trusts, if necessary.
    • Compile a list of all existing trusts (shortcut, external, and across forests) in the forest.
    Reference: Create Necessary Shortcut Trust Relationships

Task: Prepare Domain Name System (DNS) zones.
    • Compile a list of DNS zones for the domain rename operation.
    • Create new DNS zones as necessary as a result of the name changes to be performed.
    Reference: Prepare DNS Zones

Task: Redirect Special Folders to a Stand-Alone Distributed File System Namespace (DFSN).
    Reference: Redirect Special Folders to a Standalone DFSN

Task: Relocate Roaming User Profiles to a Stand-Alone DFSN.
    Reference: Relocate Roaming User Profiles to a Standalone DFSN

Task: Prepare member computers for host name changes.
    Reference: Configure Member Computers for Host Name Changes

Task: Prepare certification authorities (CAs).
    Reference: Prepare Certification Authorities

Task: Prepare a domain that contains Exchange.
    Reference: Exchange-Specific Steps: Prepare a Domain that Contains Exchange

Performing the domain rename operation
This checklist provides the list of tasks to perform during the core domain rename operation.

Checklist: Performing the domain rename operation

Task: Set up your control station for the domain rename operation.
    Reference: Set Up the Control Station

Task: Freeze the forest configuration.
    Reference: Freeze the Forest Configuration

Task: Back up all the domain controllers in your forest.
    Reference: Back Up All Domain Controllers

Task: Generate the current forest description.
    Reference: Generate the Current Forest Description

Task: Specify the new forest description.
    Reference: Specify the New Forest Description

Task: Generate domain rename instructions.
    Reference: Generate Domain Rename Instructions

Task: Push domain rename instructions to all domain controllers, and verify DNS readiness.
    Reference: Push Domain Rename Instructions to All Domain Controllers and Verify DNS Readiness

Task: Verify the readiness of the domain controllers.
    Reference: Verify Readiness of Domain Controllers

Task: Execute the domain rename instructions.
    Reference: Run Domain Rename Instructions

Task: Update the Exchange configuration, and restart the Exchange servers.
    Note: This is an optional, Exchange-specific task.
    Reference: Exchange-Specific Steps: Update the Exchange Configuration and Restart Exchange Servers

Task: Unfreeze the forest configuration.
    Reference: Unfreeze the Forest Configuration

Task: Re-establish external trusts.
    Reference: Re-establish External Trusts

Task: Fix Group Policy objects (GPOs) and links.
    Reference: Fix Group Policy Objects and Links

Completing the domain rename operation
This checklist provides a list of tasks that have to be performed after the core domain rename procedures are complete. Some tasks may be optional, depending on your situation and business needs.

Checklist: Completing the domain rename operation

Task: Verify certificate security.
    Reference: Verify Certificate Security

Task: Perform certain miscellaneous procedures.
    Reference: Perform Miscellaneous Tasks

Task: Back up domain controllers.
    Reference: Back Up Domain Controllers

Task: Restart all member computers.
    Reference: Restart Member Computers

Task: Verify the Exchange rename, and update Active Directory Connector.
    Note: This is an optional, Exchange-specific step.
    Reference: Exchange-Specific Steps: Verify the Exchange Rename and Update Active Directory Connector

Task: Perform attribute cleanup.
    Reference: Perform Attribute Cleanup

Task: Rename domain controllers.
    Reference: Rename Domain Controllers

Appendix D: Worksheets for the Domain Rename Operation
This section includes worksheets in suggested formats that you can use to gather information about your Active Directory infrastructure. You can use these worksheets to prepare for the domain rename operation and to track progress as you perform the operation.

Worksheet 1: Domain Name Change Information
You can use this worksheet to create a list of name changes that will be completed during your domain rename operation. List changes for all forests and domains and all application directory partitions.

    Old NetBIOS name | Old DNS name | New NetBIOS name | New DNS name
    (rows 1 to 5)

Worksheet 2: Trust Information
You can use this worksheet to document all trust relationships (for shortcut trusts and external trusts) and the status of each trust that has to be created or removed during the domain rename operation.

    Trusting domain name | Trusted domain name | Trust direction | Trust type | Date created/removed
    (rows 1 to 5)

Worksheet 3: DNS Zone Information
You can use this worksheet to list all Domain Name System (DNS) zones that must be added in preparation for the domain rename operation.

    DNS zone name | Add/remove | Completed? | Date/time
    (rows 1 to 5)

Worksheet 4: DFSN, Folder Redirection, and Roaming Profiles
You can use this worksheet to document all domain Distributed File System Namespace (DFSN) paths, including the paths that are used by folder redirection and roaming profiles. All domain DFSN paths will require reconfiguration after the domain rename operation is complete.

    Domain name | Old domain DFSN path | New domain DFSN path | Server share path for folder redirection and roaming profiles | Group Policy updated? Date/time | DFSN fixed? Date/time
    (rows 1 to 5)

Worksheet 5: Domain Controller Information
You can use this worksheet to document information about specific domain controllers, including information about operations master roles (also known as flexible single master operations or FSMO roles).

    Domain | DC name | IP address | FSMO roles held by DC | CRL expiry | Execute successfully? | Automatic restart? | Dcdiag notes
    (rows 1 to 5)

Worksheet 6: Domain Rename Execution Readiness
You can use this worksheet to track the readiness of domains, forests, and application partitions before the beginning of the domain rename operation. You can also use the information in this worksheet to check the forest description before you proceed.

    Domain/application partition | Run Dcdiag? | Backed up? | DNS zone ready?
    (rows 1 to 5)

Worksheet 7: Certification Authority (CA) Information
You can use this worksheet when you enable certificate enrollment in a renamed domain.

    Old DNS name of CA | New DNS name of CA | Alias created? Date/time | Certificate enrollment enabled? | CDP and AIA extensions flexible? | Subordinate and issuing CA certs renewed? | Group Policy updated?
    (rows 1 to 5)
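Worksheets 1, 2 and 5 are inventories of facts the directory already holds, so they can be filled from the control station rather than by hand. The following PowerShell script is an added example, not part of the guide: it enumerates the domain and application partitions from the crossRef objects in the Partitions container (the same objects rendom /upload stamps with msDS-DnsRootAlias), every trust the forest and its domains have, and every domain controller with its IP address and operations master roles, and writes them as CSV files whose columns match the worksheets. It uses the System.DirectoryServices classes that ship with Windows Server 2008; the output folder and the CSV file names are assumptions, and the columns that need a human decision (new names, dates, Dcdiag notes) are left empty.

```powershell
# Added example (not from the guide): collect the data for Worksheets 1, 2 and 5
# into CSV files. Output folder is assumed; run on the control station.
$Out = 'C:\DomainRename\worksheets'
New-Item -ItemType Directory -Path $Out -Force | Out-Null
$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$rootDse = [ADSI]'LDAP://RootDSE'

# Worksheet 1: one row per partition that receives a new name. Domain crossRefs
# carry a NetBIOS name; application partitions (for example DomainDnsZones.<domain>)
# do not, but rendom renames both, so both are listed.
$partitions = [ADSI]"LDAP://CN=Partitions,$($rootDse.configurationNamingContext)"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($partitions, '(objectClass=crossRef)')
[void]$searcher.PropertiesToLoad.AddRange(@('dnsRoot', 'nETBIOSName', 'nCName'))
$names = foreach ($r in $searcher.FindAll()) {
    $nc = [string]$r.Properties['ncname'][0]
    if ($nc -notlike 'DC=*') { continue }          # skip the Configuration and Schema crossRefs
    $nb = ''
    if ($r.Properties.Contains('netbiosname')) { $nb = [string]$r.Properties['netbiosname'][0] }
    New-Object PSObject -Property @{
        OldNetBiosName = $nb
        OldDnsName     = [string]$r.Properties['dnsroot'][0]
        NewNetBiosName = ''                           # decided by the operator
        NewDnsName     = ''
    }
}
$names | Select-Object OldNetBiosName, OldDnsName, NewNetBiosName, NewDnsName |
    Export-Csv -Path (Join-Path $Out 'worksheet1-names.csv') -NoTypeInformation

# Worksheet 2: forest-level trusts plus each domain's trusts, with direction and
# type. External trusts are the ones the checklist says to re-establish afterwards.
$trusts = @($forest.GetAllTrustRelationships())
foreach ($d in $forest.Domains) { $trusts += @($d.GetAllTrustRelationships()) }
$trusts | Select-Object @{n = 'TrustingDomain'; e = { $_.SourceName }},
                        @{n = 'TrustedDomain';  e = { $_.TargetName }},
                        TrustDirection, TrustType,
                        @{n = 'DateCreatedRemoved'; e = { '' }} |
    Export-Csv -Path (Join-Path $Out 'worksheet2-trusts.csv') -NoTypeInformation

# Worksheet 5: every DC with its IP address and the FSMO roles it holds. The CRL
# expiry, execute/restart and Dcdiag columns are filled in during the operation.
$dcs = foreach ($d in $forest.Domains) {
    foreach ($dc in $d.DomainControllers) {
        New-Object PSObject -Property @{
            Domain    = $d.Name
            DCName    = $dc.Name
            IPAddress = $dc.IPAddress
            FsmoRoles = (($dc.Roles | ForEach-Object { $_.ToString() }) -join ';')
        }
    }
}
$dcs | Select-Object Domain, DCName, IPAddress, FsmoRoles |
    Export-Csv -Path (Join-Path $Out 'worksheet5-dcs.csv') -NoTypeInformation
"Wrote worksheets to $Out"
```

Reading the partitions from the crossRef objects rather than from the list of domains is deliberate: it is the same set rendom /list writes to DOMAINLIST.XML, so Worksheet 1 and the forest description can be checked against each other line by line before /upload.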

Additional Resources
For general information about how Active Directory Domain Services (AD DS) works and how to deploy, manage, and troubleshoot AD DS, see the following resources:
• Active Directory Domain Services
• AD DS Design Guide
• AD DS Deployment Guide
• Best Practices for Delegating Active Directory Administration
• Active Directory Script Center
For specific information about troubleshooting Active Directory problems, see the following resources:
• Troubleshooting: AD DS
• Directory Services Community
• Active Directory Domain Services
For development information about Active Directory, see the following resources:
• Lightweight Directory Access Protocol (LDAP)
• Request for Comments (RFC) Pages and Internet-Drafts on the Internet Engineering Task Force Web site
