Active Directory Domain Services Operations

Published on June 2016 | Categories: Book Excerpts | Downloads: 38 | Comments: 0 | Views: 298


Active Directory Domain Services Operations Guide
Microsoft Corporation
Published: September 2008

Abstract
This operations guide provides administration and management information for the Active Directory® Domain Services (AD DS) directory service technologies in the Windows Server® 2008 operating system.

Copyright information
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2008 Microsoft Corporation. All rights reserved.

Active Directory, Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Active Directory Domain Services Operations Guide
Abstract
Copyright information
Contents
Active Directory Domain Services Operations Guide
New in This Guide
Administering Active Directory Domain Services
Introduction to Administering Active Directory Domain Services
When to use this guide
How to use this guide
Administering Domain and Forest Trusts
Introduction to Administering Domain and Forest Trusts
Best Practices for Administering Domain and Forest Trusts
Managing Domain and Forest Trusts
Creating Domain and Forest Trusts
New Trust Wizard terminology
Known Issues for Creating Domain and Forest Trusts
Creating External Trusts
Create a One-Way, Incoming, External Trust for One Side of the Trust
Create a One-Way, Incoming, External Trust for Both Sides of the Trust
Create a One-Way, Outgoing, External Trust for One Side of the Trust
Create a One-Way, Outgoing, External Trust for Both Sides of the Trust
Create a Two-Way, External Trust for One Side of the Trust
Create a Two-Way, External Trust for Both Sides of the Trust
Creating Shortcut Trusts
Create a One-Way, Incoming, Shortcut Trust for One Side of the Trust
Create a One-Way, Incoming, Shortcut Trust for Both Sides of the Trust
Create a One-Way, Outgoing, Shortcut Trust for One Side of the Trust
Create a One-Way, Outgoing, Shortcut Trust for Both Sides of the Trust
Create a Two-Way, Shortcut Trust for One Side of the Trust
Create a Two-Way, Shortcut Trust for Both Sides of the Trust
Creating Forest Trusts
Create a One-Way, Incoming, Forest Trust for One Side of the Trust
Create a One-Way, Incoming, Forest Trust for Both Sides of the Trust
Create a One-Way, Outgoing, Forest Trust for One Side of the Trust
Create a One-Way, Outgoing, Forest Trust for Both Sides of the Trust
Create a Two-Way, Forest Trust for One Side of the Trust
Create a Two-Way, Forest Trust for Both Sides of the Trust
Creating Realm Trusts
Create a One-Way, Incoming, Realm Trust
Create a One-Way, Outgoing, Realm Trust
Create a Two-Way, Realm Trust
Configuring Domain and Forest Trusts
Validating and Removing Trusts
Validate a Trust
Validating a trust
Remove a Manually Created Trust
Removing a manually created trust
Modifying Name Suffix Routing Settings
Modify Routing for a Forest Name Suffix
Modify Routing for a Subordinate Name Suffix
Exclude Name Suffixes from Routing to a Forest
Securing Domain and Forest Trusts
Configuring SID Filter Quarantining on External Trusts
Disable SID filter quarantining
See Also
Reapply SID Filter Quarantining
Configuring Selective Authentication Settings
Enable Selective Authentication over an External Trust
Enabling selective authentication over an external trust
Enable Selective Authentication over a Forest Trust
Enabling selective authentication over a forest trust
Enable Domain-Wide Authentication over an External Trust
Enable Forest-Wide Authentication over a Forest Trust
Grant the Allowed to Authenticate Permission on Computers in the Trusting Domain or Forest
Appendix: New Trust Wizard Pages
Direction of Trust
Wizard option—Two-way
Wizard option—One-way: incoming
Wizard option—One-way: outgoing
Sides of trust
Wizard option—This domain only
Wizard option—Both this domain and the specified domain
Administering the Windows Time Service
Introduction to Administering the Windows Time Service
Windows time source selection
External NTP time servers
W32tm and net time
Managing the Windows Time Service
Configuring a Time Source for the Forest
Configure the Time Source for the Forest
Change the Windows Time Service Configuration on the PDC Emulator in the Forest Root Domain
Disable the Windows Time Service
Enable Windows Time Service Debug Logging
Configuring Windows-Based Clients to Synchronize Time
Configure a Manual Time Source for a Selected Client Computer
Configure a Client Computer for Automatic Domain Time Synchronization
Restoring the Windows Time Service to Default Settings
Restore the Windows Time Service on the Local Computer to the Default Settings
Administering DFS-Replicated SYSVOL
Introduction to Administering DFS-Replicated SYSVOL
SYSVOL terminology and capitalization
Using DFS Replication for replicating SYSVOL in Windows Server 2008
Requirements for using DFS Replication
Key considerations for administering SYSVOL
Relocating SYSVOL folders
Managing DFS-Replicated SYSVOL
Changing the Quota That Is Allocated to the SYSVOL Staging Area
Change the Quota That Is Allocated to the SYSVOL Staging Folder
Relocating the SYSVOL Staging Area
Identify Replication Partners
Check the Status of the SYSVOL and Netlogon Shares
Verify Active Directory Replication
Gather the SYSVOL Path Information
To gather the SYSVOL path information
Stop the DFS Replication Service and Netlogon Service
Create the SYSVOL Staging Areas Folder Structure
Change the SYSVOL Root Path or Staging Areas Path, or Both
See Also
Start the DFS Replication Service and Netlogon Service
Force Replication Between Domain Controllers
See Also
Relocating SYSVOL Manually
Identify Replication Partners
Check the Status of the SYSVOL and Netlogon Shares
Verify Active Directory Replication
Gather the SYSVOL Path Information
To gather the SYSVOL path information
Stop the DFS Replication Service and Netlogon Service
Copy SYSVOL to a New Location
Create the SYSVOL Root Junction Point
Change the SYSVOL Root Path or Staging Areas Path, or Both
See Also
Change the SYSVOL Netlogon Parameters
Reapply Default SYSVOL Security Settings
Start the DFS Replication Service and Netlogon Service
Force Replication Between Domain Controllers
See Also
Updating the SYSVOL Path
Gather the SYSVOL Path Information
To gather the SYSVOL path information
Stop the DFS Replication Service and Netlogon Service
Change the SYSVOL Netlogon Parameters
Create the SYSVOL Root Junction Point
Start the DFS Replication Service and Netlogon Service
Restoring and Rebuilding SYSVOL
Identify Replication Partners
Check the Status of the SYSVOL and Netlogon Shares
Verify Active Directory Replication
Gather the SYSVOL Path Information
To gather the SYSVOL path information
Restart the Domain Controller in Directory Services Restore Mode Locally
Restarting the domain controller in DSRM locally
See Also
Restart the Domain Controller in Directory Services Restore Mode Remotely
See Also
Stop the DFS Replication Service and Netlogon Service
Import the SYSVOL Folder Structure
See Also
Administering the Global Catalog
Introduction to Administering the Global Catalog
Global catalog hardware requirements
Global catalog placement
Initial global catalog replication
Global catalog readiness
Global catalog removal
Managing the Global Catalog
Configuring a Global Catalog Server
Determine Whether a Domain Controller Is a Global Catalog Server
Designate a Domain Controller to Be a Global Catalog Server
Monitor Global Catalog Replication Progress
Verify Successful Replication to a Domain Controller
Determining Global Catalog Readiness
Verify Global Catalog Readiness
Verifying global catalog readiness
Verify Global Catalog DNS Registrations
Removing the Global Catalog
Clear the Global Catalog Setting
Monitor Global Catalog Removal in Event Viewer
Administering Operations Master Roles
Introduction to Administering Operations Master Roles
Guidelines for role placement
Guidelines for role transfer
Managing Operations Master Roles
Designating a Standby Operations Master
Standby operations master computer requirements
Replication requirements
Determine Whether a Domain Controller Is a Global Catalog Server
Create a Connection Object on the Operations Master and Standby
Verify Successful Replication to a Domain Controller
Transferring an Operations Master Role
Transferring to a standby operations master
Transferring an operations master role when no standby is ready
Install the Schema Snap-in
Transfer the Schema Master
Transfer the Domain Naming Master
Transfer the Domain-Level Operations Master Roles
View the Current Operations Master Role Holders
Seizing an operations master role
Verify Successful Replication to a Domain Controller
Seize the Operations Master Role
View the Current Operations Master Role Holders
Reducing the Workload on the PDC Emulator Master
Changing the weight for DNS service (SRV) resource records in the registry
Changing the priority for DNS service (SRV) resource records in the registry
Change the Weight for DNS Service (SRV) Resource Records in the Registry
Change the Priority for DNS Service (SRV) Resource Records in the Registry
Administering Active Directory Backup and Recovery
Introduction to Administering Active Directory Backup and Recovery
Backing up AD DS
Recovering AD DS
Additional considerations
Managing Active Directory Backup and Recovery
Backing Up Active Directory Domain Services
Windows Server backup tools
Windows Server backup types
Contents of Windows Server backup types
Criteria for using backup types
Backup guidelines
Scheduling regular backups
Immediate (unscheduled) backup
Backup frequency
Backup frequency criteria
Backup latency interval
Known Issues for Backing Up Active Directory Domain Services
Perform a Backup of Critical Volumes of a Domain Controller by Using the GUI (Windows Server Backup)
Additional considerations
Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin)
Additional considerations
Perform a Full Server Backup of a Domain Controller by Using the GUI (Windows Server Backup)
Additional considerations
Perform a Full Server Backup of a Domain Controller by Using the Command Line (Wbadmin)
Additional considerations
Recovering Active Directory Domain Services
Causes of disruptions
Keys to protecting against disruptions
Preventing unwanted deletions
Recovery solutions
Solutions for configuration errors—nonauthoritative restore
Solutions for data loss—authoritative restore
Recovery options with no available backup
Solutions for hardware failure or file corruption
Recovery tasks
Performing Nonauthoritative Restore of Active Directory Domain Services
Nonauthoritative Restore Requirements
SYSVOL restore
Additional references
Restart the Domain Controller in Directory Services Restore Mode Locally
Restarting the domain controller in DSRM locally
See Also
Restart the Domain Controller in Directory Services Restore Mode Remotely
See Also
Restore AD DS from Backup (Nonauthoritative Restore)
Additional references
Verify AD DS restore
Performing Authoritative Restore of Active Directory Objects
Determining objects to restore
Selecting objects to restore
Selecting application directory partitions to restore
Restoring group memberships after authoritative restore
LVR and restoration of group memberships
Authoritative restore of pre-LVR group memberships and groups in different domains
Files for recovering group memberships following authoritative restore
Using a global catalog server for authoritative restore
Recovering deletions without restoring from backup
Retention (merge) of new group memberships or other attributes after authoritative restore
Authoritative restore procedures
Procedures for restoring after deletions have replicated
Procedures for restoring before deletions have replicated
Procedures for recovering group memberships (and any other back-link attributes) in other domains
Additional references
Known Issues for Authoritative Restore
Order of replication and dropped group memberships
Members added back to groups from which they were deleted
Incorrect assignment of Exchange mailboxes
Best Practices for Authoritative Restore
Restart the Domain Controller in Directory Services Restore Mode Locally
Restarting the domain controller in DSRM locally
See Also
Restart the Domain Controller in Directory Services Restore Mode Remotely
&&&&&&&&&&&&&&&&&&&&&&&&&&&2:6 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2:A *estore AD DS from >ac0up "9onauthoritative *estore#&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2:8 Additional references&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2:: Mar0 an 4b,ect or 4b,ects as Authoritative&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2:: Additional references&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2:?

Turn 4ff 'nbound *eplication&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2:? Additional references&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2:? S nchroni.e *eplication %ith All Partners&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2<0 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2<0 *un an +D'= =ile to *ecover >ac0/+in0s&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2<6 Additional references&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2<2 Turn on 'nbound *eplication&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2<2 Additional references&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2<7 Create an +D'= =ile for *ecovering >ac0/+in0s for Authoritativel *estored 4b,ects&&&&&&&&&&&&&&&&&2<7 Additional references&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2<A Performing Authoritative *estore of an Application Director Partition&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2<A *estart the Domain Controller in Director Services *estore Mode *emotel &&&&&&&&&&&&&&&&&&&&&&&&&&&2<8 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2<8 *estart the Domain Controller in Director Services *estore Mode +ocall &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2<8 *estarting the domain controller in DS*M locall &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&280 See 
Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 286 *estore AD DS from >ac0up "9onauthoritative *estore#&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&286 Additional references&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 282 Mar0 an application director partition as authoritative&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&287 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 28A Performing a =ull Server *ecover of a Domain Controller&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&28A *eFuirements for performing a full server recover of a domain controller&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&28A Performing a full server recover of a domain controller b using the 5)'&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&288 Performing a full server recover of a domain controller b using the command line&&&&&&&&&&&&&&28: Additional considerations&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 28< *estoring a Domain Controller Through *einstallation and SubseFuent *estore from >ac0up&&288 *estart the Domain Controller in Director Services *estore Mode +ocall &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2?0 *estarting the domain controller in DS*M locall &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2?6 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2?2 *estart the Domain Controller in Director Services *estore Mode *emotel &&&&&&&&&&&&&&&&&&&&&&&&&&&2?2 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2?: *estore AD DS from >ac0up "9onauthoritative 
*estore#&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2?: Additional references&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2?8 Berif AD DS restore&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2?8

*estoring a Domain Controller Through *einstallation&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2?? Clean )p Server Metadata&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 700 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 707 Delete a Server 4b,ect from a Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&707 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 70A Berif D9S *egistration and TCP3'P Connectivit &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&70A Berif the Availabilit of the 4perations Masters&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&708 'nstall an Additional Domain Controller b )sing the $indo%s 'nterface&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&70: See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 70? Berif ing Active Director 'nstallation&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&70? 
Administering 'ntersite *eplication&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&760 'ntroduction to Administering 'ntersite *eplication&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&760 4ptimi.ing replication bet%een sites&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&760 1ffects of site lin0 bridging&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 766 1ffects of disabling site lin0 bridging&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&766 4ptimi.ing domain controller location&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&762 =inding the ne-t closest site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&762 =orcing domain controller rediscover &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&762 'mproving the logon e-perience in branch sites&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&767 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 767 Managing 'ntersite *eplication&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 76A Adding a 9e% Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 76A Create a Site 4b,ect and Add it to an 1-isting Site +in0&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&768 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 768 Create a Subnet 4b,ect or 4b,ects and Associate them %ith a Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&76: Associate an 1-isting Subnet 4b,ect %ith a 
Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&76: Create a Site +in0 4b,ect and Add the Appropriate Sites&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&76< *emove a Site from a Site +in0&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 768 +in0ing Sites for *eplication&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 768 Creating site lin0s&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 768 Selecting bridgehead servers&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 76? Create a Site +in0 4b,ect and Add the Appropriate Sites&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&720

Determine the 'ST5 *ole 4%ner for a Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&720 5enerate the *eplication Topolog on the 'ST5&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&726 Designate a Server as a Preferred >ridgehead Server&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&722 Changing Site +in0 Properties&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 722 Configure the Site +in0 Schedule to 'dentif Times During $hich 'ntersite *eplication Can 4ccur &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 727 Configure the Site +in0 'nterval to 'dentif ;o% 4ften *eplication Polling Can 4ccur During the Schedule $indo%&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 72A Configure the Site +in0 Cost to 1stablish a Priorit for *eplication *outing&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&728 Determine the 'ST5 *ole 4%ner for a Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&728 5enerate the *eplication Topolog on the 'ST5&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&72: 1nabling Clients to +ocate the 9e-t Closest Domain Controller&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&72< 1nable Clients to +ocate a Domain Controller in the 9e-t Closest Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&728 Moving a Domain Controller to a Different Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&72? 
TCP3'P settings&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 770 D9S settings&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 770 Preferred bridgehead server status&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 770 Change the Static 'P Address of a Domain Controller&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&772 )pdate the 'P Address for a D9S Delegation&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&777 )pdate the 'P Address for a D9S =or%arder&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&77A Berif That an 'P Address Maps to a Subnet and Determine the Site Association&&&&&&&&&&&&&&&&&&&&&&778 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 77: Determine $hether a Server is a Preferred >ridgehead Server&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&77: See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 77: Bie% the +ist of All Preferred >ridgehead Servers&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&77: See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 77< Configure a Server to 9ot >e a Preferred >ridgehead Server&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&77< See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 778 Move a Server 4b,ect to a 9e% Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&778 See 
Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 77? 1nabling )niversal 5roup Membership Caching in a Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&77?

1nable )niversal 5roup Membership Caching in a Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7A0 =orcing *eplication&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7A0 =orcing replication of all director updates over a connection&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7A6 =orcing replication of configuration updates&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7A6 =orce *eplication >et%een Domain Controllers&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7A2 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7A7 )pdate a Server %ith Configuration Changes&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7A7 S nchroni.e *eplication %ith All Partners&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7AA See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7A8 Berif Successful *eplication to a Domain Controller&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7A8 *emoving a Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7A? 
Delete a Manual Connection 4b,ect&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 780 Determine $hether a Server 4b,ect ;as Child 4b,ects&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&786 Delete a Server 4b,ect from a Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&782 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 787 Delete a Site +in0 ob,ect&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 787 Associate an 1-isting Subnet 4b,ect %ith a Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&787 Delete a Site ob,ect&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 78A See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 78A Determine the 'ST5 *ole 4%ner for a Site&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&788 5enerate the *eplication Topolog on the 'ST5&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&788 Administering the Active Director Database&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&78: 'ntroduction to Administering the Active Director Database HlhsadJIADDSI4psI<&&&&&&&&&&&&&&&&&&&78: Database management conditions&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 78: Dis0 space monitoring recommendations&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&78< Database defragmentation&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 78< *estartable AD 
DS&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 78< See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 788 Managing the Active Director Database&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&788 *elocating the Active Director Database =iles&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&788 Dis0 space reFuirements for relocating Active Director database files&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&78? Determine the Database Si.e and +ocation 4nline&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7:6

See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7:2 Determine the Database Si.e and +ocation 4ffline&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7:2 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7:7 Compare the Si.e of the Director Database =iles to the Bolume Si.e&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7:A Perform a S stem State >ac0up of a Domain Controller b )sing the Command +ine "$badmin# &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7:8 Additional considerations&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7:8 Move the Director Database and +og =iles to a +ocal Drive&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7:8 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7:8 Cop the Director Database and +og =iles to a *emote Share&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7:? 
See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7<6 *eturning )nused Dis0 Space from the Active Director Database to the =ile S stem&&&&&&&&&&&&&&7<2 Change the 5arbage Collection +ogging +evel to 6&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7<7 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7<A Perform a S stem State >ac0up of a Domain Controller b )sing the Command +ine "$badmin# &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7<A Additional considerations&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7<A Compact the Director Database=file "4ffline Defragmentation#&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7<8 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7<8 'f the Database 'ntegrit Chec0 =ails( Perform Semantic Database Anal sis %ith =i-up&&&&&&&&&&&&7<8 Administering Domain Controllers&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7<? 
Additional references&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 780 'ntroduction to Administering Domain Controllers&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&780 'nstalling *emote Server Administration Tools&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&780 'nstalling and removing AD DS&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 780 Adding domain controllers&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 786 *emoving domain controllers&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 786 *enaming domain controllers&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 786 Adding domain controllers to branch sites&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&786 'nstalling from media&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 782 Shipping installed domain controllers to branch sites&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&787 Managing Domain Controllers&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 787 'nstalling *emote Server Administration Tools for AD DS&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&788 'nstalling Active Director Domain Services Tools on a member server that is running $indo%s Server 2008&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 788

'nstalling Active Director Domain Services Tools on a computer that is running $indo%s Bista %ith SP6&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 78: Managing Antivirus Soft%are on Active Director Domain Controllers&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&78: 5uidelines for managing antivirus soft%are on Active Director domain controllers&&&&&&&&&&&&&&&&78< =iles to e-clude from scanning&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&788 Preparing for Active Director 'nstallation&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7?0 D9S configuration&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7?0 Site placement&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7?6 Domain connectivit &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7?6 Berif D9S 'nfrastructure and *egistrations&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7?2 Berif That an 'P Address Maps to a Subnet and Determine the Site Association&&&&&&&&&&&&&&&&&&&&&&7?A See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7?8 Berif the Availabilit of the 4perations Masters&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7?8 'nstalling a Domain Controller in an 1-isting Domain&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7?: See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7?< 'nstalling an Additional Domain Controller b )sing the $indo%s 'nterface&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7?< See 
Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7?8 'nstall an Additional Domain Controller b )sing the $indo%s 'nterface&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7?8 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& A06 'nstalling an Additional Domain Controller b )sing '=M&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&A06 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& A07 Create 'nstallation Media b )sing 9tdsutil&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&A07 See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& A0A 'nstall an Additional Domain Controller b )sing 'nstallation Media&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&A0A See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& A0: 'nstalling an Additional Domain Controller b )sing )nattend Parameters&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&A0: See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& A0< Create an Ans%er =ile for )nattended Domain Controller 'nstallation&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&A0< See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& A0? 'nstall an Additional Domain Controller b )sing an Ans%er =ile&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&A0? See Also&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& A0? 
'nstall an Additional Domain Controller b )sing )nattend Parameters from the Command +ine &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& A60

Verifying Active Directory Installation
Verify That an IP Address Maps to a Subnet and Determine the Site Association
See Also
Configure DNS Server Forwarders
Verifying DNS Configuration
Verify DNS Server Configuration for a Domain Controller
See Also
Verify DNS Client Settings
See Also
Check the Status of the SYSVOL and Netlogon Shares
Verify Active Directory Replication
Verify a Domain Computer Account for a New Domain Controller
Adding Domain Controllers in Remote Sites
Best Practices for Adding Domain Controllers in Remote Sites
Best practices for using IFM to install AD DS in the remote site
Best practices for installing domain controllers before you ship them to a remote site
See Also
Known Issues for Adding Domain Controllers in Remote Sites
SYSVOL replication
Using IFM to install a domain controller in a remote site
Advantages of using IFM to install a domain controller in a remote site
Issues with using IFM to install a domain controller in a remote site
Installing domain controllers before shipping them to the remote site
Advantages of installing domain controllers before shipping them to the remote site
Issues with installing domain controllers before shipping them to the remote site
Maintaining directory consistency when you disconnect a domain controller
Protection against lingering object replication
Availability of operations masters
Up-to-dateness of Active Directory replication
SYSVOL consistency
See Also
Preparing a Server Computer for Shipping and Installation from Media
Determining the volume for installation media
Enabling Remote Desktop
Including application directory partitions
See Also
Enable Remote Desktop
Create a Remote Desktop Connection
See Also
Install an Additional Domain Controller by Using Installation Media
See Also
Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection
See Also
Determine the Tombstone Lifetime for the Forest
Enable Strict Replication Consistency
Synchronize Replication with All Partners
See Also
Reconnecting a Domain Controller After a Long-Term Disconnection
Reconnecting an outdated domain controller
Updating SYSVOL
See Also
Determine the Tombstone Lifetime for the Forest
Move a Server Object to a New Site
See Also
Determine When Intersite Replication Is Scheduled to Begin
Use Repadmin to Remove Lingering Objects
Verify Successful Replication to a Domain Controller
Renaming a Domain Controller
Rename a Domain Controller Using System Properties
See Also
Rename a Domain Controller Using Netdom
See Also
Update the FRS or DFS Replication Member Object
Decommissioning a Domain Controller
Removing a domain or a forest
Protecting EFS-encrypted files
See Also
Verify DNS Registration and TCP/IP Connectivity
View the Current Operations Master Role Holders
Transfer the Schema Master
Transfer the Domain Naming Master
Transfer the Domain-Level Operations Master Roles
Determine Whether a Domain Controller Is a Global Catalog Server
Verify the Availability of the Operations Masters
Back Up a Certificate With Its Private Key
Removing a Windows Server 2008 Domain Controller from a Domain
Removing a Windows Server 2008 domain controller by using the Windows interface
Removing a Windows Server 2008 domain controller by using an answer file
Removing a Windows Server 2008 domain controller by entering unattended installation parameters at the command line
Import a Certificate
Determine Whether a Server Object Has Child Objects
Delete a Server Object from a Site
See Also
Add the Certificates Snap-in to an MMC
Adding the Certificates Snap-in to an MMC
Forcing the Removal of a Domain Controller
Identify Replication Partners
Force Domain Controller Removal
See Also
Clean Up Server Metadata
See Also
Administering Active Directory Domain Rename
In this guide
Introduction to Administering Active Directory Domain Rename
Domain rename requirements
Managing Active Directory Domain Rename
Preparing for the Domain Rename Operation
Adjust Forest Functional Level
Setting forest functional level to Windows Server 2003 or Windows Server 2008
Create Necessary Shortcut Trust Relationships
Types of trust relationships
Precreating parent-child trust relationships for a restructured forest
Precreating a parent-child trust relationship
Precreating multiple parent-child trust relationships
Precreating a tree-root trust relationship with the forest root domain
Creating shortcut trust relationships
Prepare DNS Zones
Redirect Special Folders to a Standalone DFSN
Relocate Roaming User Profiles to a Standalone DFSN
Configure Member Computers for Host Name Changes
Conditions for automatic computer name change
Replication effects of renaming large numbers of computers
Using Group Policy to apply the new primary DNS suffix
Apply the new primary DNS suffix before renaming domains
Apply Group Policy in stages to avoid significant replication
Configuration required before the application of Group Policy
Configuring member computers for host name changes in large deployments
Determine the primary DNS suffix configuration
Determine whether Group Policy controls the primary DNS suffix
Configure the domain to allow a primary DNS suffix that does not match the domain name
Apply Group Policy to set the primary DNS suffix
Prepare Certification Authorities
Exchange-Specific Steps: Prepare a Domain that Contains Exchange
Performing the Domain Rename Operation
Set Up the Control Station
Freeze the Forest Configuration
Back Up All Domain Controllers
Generate the Current Forest Description
Specify the New Forest Description
Renaming application directory partitions
DNS data
TAPI data
Specifying the source domain controllers
Reviewing the new forest description
Generate Domain Rename Instructions
Push Domain Rename Instructions to All Domain Controllers and Verify DNS Readiness
Pushing domain rename instructions to all domain controllers
Verifying DNS readiness
Verify Readiness of Domain Controllers
Run Domain Rename Instructions
Exchange-Specific Steps: Update the Exchange Configuration and Restart Exchange Servers
Unfreeze the Forest Configuration
Re-establish External Trusts
Fix Group Policy Objects and Links
Completing the Domain Rename Operation
Verify Certificate Security
Preparing URLs for CRL distribution point and Authority Information Access (AIA) extensions after a domain rename
Verifying the use of UPNs
Enabling certificate enrollment in a renamed domain
Verifying the validity of CRL distribution point and AIA extensions
Renewing subordinate and issuing CA certificates
Publish new CRLs
Updating domain controller certificates
Changing the user identity for the NDES add-on
Perform Miscellaneous Tasks
Back Up Domain Controllers
Restart Member Computers
Exchange-Specific Steps: Verify the Exchange Rename and Update Active Directory Connector
Perform Attribute Cleanup
Rename Domain Controllers
Additional Resources for the Domain Rename Operation
Appendix A: Command-Line Syntax for the Rendom Tool
Appendix B: Command-Line Syntax for the Gpfixup Tool
Appendix C: Checklists for the Domain Rename Operation
Satisfying domain rename requirements
Preparing for the domain rename operation
Performing the domain rename operation
Completing the domain rename operation
Appendix D: Worksheets for the Domain Rename Operation
Worksheet 1: Domain Name Change Information
Worksheet 2: Trust Information
Worksheet 3: DNS Zone Information
Worksheet 4: DFSN, Folder Redirection, and Roaming Profiles
Worksheet 5: Domain Controller Information
Worksheet 6: Domain Rename Execution Readiness
Worksheet 7: Certification Authority (CA) Information
Additional Resources

Active Directory Domain Services Operations Guide
This operations guide provides administering and management information for Active Directory® Domain Services (AD DS) directory service technologies in the Windows Server® 2008 operating system.
In this guide
• New in This Guide
• Administering Active Directory Domain Services

Acknowledgments
Produced by: Microsoft Windows Server Directory and Access Services (DAS) IT Pro Content Team
Writers: Mary Hillman, Gayana Bagdasaryan
Editor: Jim Becker
Technical reviewers: Umit Akkus, David Beach, Arren Conner, Gregoire Guetat, Xin He, Kurt Hudson, Jessie Li, Herbert Mauerer, Joe Patterson, Ned Pyle, Wakkas Rafiq, Ryan Sizemore, Ingolfur Arnar Strangeland, Mahesh Unnikrishnan

New in This Guide
This is the first release of the operations guide for Active Directory Domain Services (AD DS) in Windows Server 2008. This guide will be updated periodically to incorporate new information, updates, customer feedback, and corrections.
For Windows Server 2008, this operations guide contains the section Administering Active Directory Domain Rename, which is not included in the Active Directory Operations Guide for Windows Server 2003.

Administering Active Directory Domain Services
This guide provides information about administering components of Active Directory Domain Services (AD DS) in Windows Server 2008. The information includes detailed procedures for managing domain controllers, sites, trusts, and other components of AD DS.
In this guide
• Introduction to Administering Active Directory Domain Services
• Administering Domain and Forest Trusts
• Administering the Windows Time Service
• Administering DFS-Replicated SYSVOL
• Administering the Global Catalog
• Administering Operations Master Roles
• Administering Active Directory Backup and Recovery
• Administering Intersite Replication
• Administering the Active Directory Database
• Administering Domain Controllers
• Administering Active Directory Domain Rename
• Additional Resources

Introduction to Administering Active Directory Domain Services
This guide explains how to administer Active Directory Domain Services (AD DS) in Windows Server 2008. These activities are part of the operations phase of the information technology (IT) life cycle. If you are not familiar with this guide, review the following sections of this introduction.

When to use this guide
Use this guide when:
• You want to manage common Active Directory problems that are associated with misconfiguration.
• You want to configure AD DS to increase network availability.
This guide assumes a basic understanding of what AD DS is, how it works, and why your organization uses it to access, manage, and secure shared resources across your network. It also assumes a thorough understanding of how AD DS is deployed and managed in your organization. This includes an understanding of the mechanism your organization uses to configure and manage Active Directory settings.
This guide can be used by organizations that have deployed Windows Server 2008. It includes information that is relevant to different roles in an IT organization, including IT operations managers, administrators, and operators. This information includes management-level knowledge about AD DS and administrator-level information about the IT processes that are required to operate it.
This guide contains detailed procedures that are designed for operators (or designated users) who have varied levels of expertise and experience. Although the procedures provide operator guidance from start to finish, operators must have a basic proficiency with Microsoft Management Console (MMC) and MMC snap-ins. Operators must also know how to start administrative programs and access the command line. If operators are not familiar with AD DS, it might be necessary for IT planners, managers, or administrators to review the relevant operations in this guide and provide the operators with the parameters or data that they must enter when they perform the operations.

How to use this guide
This guide includes the following types of topics:
• Objectives are high-level goals for administering AD DS. Each objective consists of one or more high-level tasks that describe how the objective is accomplished. In this guide, "Managing the Windows Time Service" is an example of an objective.
• Tasks contain groups of procedures for achieving the goals of an objective. In this guide, "Configuring a time source for the forest" is an example of a task.
• Procedures provide step-by-step instructions for completing tasks. In this guide, "Configure a domain controller in the parent domain as a reliable time source" is an example of a procedure topic.
If you are an IT manager who is delegating tasks to operators in your organization:
• Read through the objectives and tasks to determine how to delegate permissions.
• Determine whether you need to install tools before operators perform the procedures for each task. Before you assign tasks to individual operators, ensure that all the tools are installed where operators can use them.
• When necessary, create "tear sheets" for each task that operators perform in your organization. Cut and paste the task and its related procedures into a separate document. Then you can either print this document or store it online.

Administering Domain and Forest Trusts
This guide provides administrators with step-by-step instructions for managing and securing Windows Server 2008 domain and forest trusts in Active Directory Domain Services (AD DS). The way that you create or configure trusts plays an important role in operating and securing your network infrastructure. How you create or configure domain and forest trusts also determines how far network communications extend within a forest or across forests.
In this guide
• Introduction to Administering Domain and Forest Trusts
• Best Practices for Administering Domain and Forest Trusts
• Managing Domain and Forest Trusts
• Securing Domain and Forest Trusts
• Appendix: New Trust Wizard Pages

Introduction to Administering Domain and Forest Trusts
By using Windows Server 2008 domain and forest trusts, service administrators can create or extend collaborative relationships between two or more domains or forests. Windows Server 2008 domains and forests can also trust Kerberos realms and other Windows Server 2008 forests, as well as Windows Server 2003 domains, Microsoft® Windows® 2000 Server domains, and Microsoft Windows NT® Server 4.0 domains.
When a trust exists between two domains, the authentication mechanisms for each domain trust the authentications coming from the other domain. Trusts help to provide controlled access to shared resources in a resource domain (the trusting domain) by verifying that incoming authentication requests come from a trusted authority (the trusted domain). In this way, trusts act as bridges that allow only validated authentication requests to travel between domains.
How a specific trust passes authentication requests depends on how it is configured. Trust relationships can be one-way, providing access from the trusted domain to resources in the trusting domain, or two-way, providing access from each domain to resources in the other domain. Trusts are also either nontransitive, in which case a trust exists only between the two trust partner domains, or transitive, in which case a trust automatically extends to any other domains that either of the partners trusts. Because a transitive trust extends to every domain that the partner trusts, the set of accounts that can authenticate to your resources is larger than the two partners alone, so the direction and transitivity of each trust should be reviewed as part of any assessment of exposure.
In some cases, trust relationships are established automatically when domains are created. In other cases, administrators must choose a type of trust and explicitly establish the appropriate relationships. The specific types of trusts that are used and the structure of the resulting trust relationships in a given trust implementation depend on such factors as how Active Directory Domain Services (AD DS) is organized and whether different versions of Windows coexist on the network.

Best Practices for Administering Domain and Forest Trusts
The following best practices increase availability, ensure trouble-free operations, or ease administration when you use them to administer domain and forest trusts:
• Optimize authentication speed in multidomain forests. When your forest contains domain trees with many child domains and you observe noticeable user authentication delays between the child domains, you can optimize the user authentication process between the child domains by creating shortcut trusts to mid-level domains in the domain tree hierarchy. For more information, see "When to create a shortcut trust" in Understanding When to Create a Shortcut Trust (http://go.microsoft.com/fwlink/?LinkID=107061).
• Keep a current list of trust relationships for future reference. You can use the Nltest.exe tool to display and record a list of these trusts. For more information, see Nltest Overview.
• Back up domain controllers. Perform regular backups of domain controllers to preserve all trust relationships within a particular domain.

Managing Domain and Forest Trusts
It is necessary to manage domain and forest trusts when your organization needs to collaborate with users or resources that are located in other domains, realms, or forests in your organization and in other organizations. To set up an environment that takes advantage of trusts, you must first create and configure the appropriate trusts that will make it possible for your organization to communicate effectively with users or resources in other locations.
The following objectives are part of managing domain and forest trusts:
• Creating Domain and Forest Trusts
• Configuring Domain and Forest Trusts

Creating Domain and Forest Trusts
In Windows Server 2008, there are four trust types that must be created manually. External trusts, realm trusts, and forest trusts help provide interoperability with realms or with domains outside your forest. Shortcut trusts optimize access to resources and logons that are made between domain trees in the same forest.
This section includes the following tasks for creating domain and forest trusts:
• Creating External Trusts
• Creating Shortcut Trusts
• Creating Forest Trusts
• Creating Realm Trusts
Note
A trust does not inherently allow users in a trusted domain to have access to resources in a trusting domain. Users have access when they are assigned the appropriate permissions. In some cases, users in trusted domains may have implicit access if the resources are assigned to members of the Authenticated Users group.
Before you use the procedures in these tasks, review the issues in Known Issues for Creating Domain and Forest Trusts.

New rust !i&ard terminology
Eou create trusts in $indo%s Server 2008 %ith the 9e% Trust $i.ard& >efore ou use the 9e% Trust $i.ard( revie% the follo%ing terminolog & 1ach highlighted term represents the e-act term as it is used in the %i.ard: • his domain* The domain from %hich ou launch the 9e% Trust $i.ard& $hen ou start the %i.ard( it immediatel verifies our administrative credentials in the domain for %hich ou are the administrator& Therefore( the %i.ard uses the term Nthis domainO to represent the domain that ou are currentl logged on to& • +ocal domain , +ocal forest* The domain or forest %here ou start the 9e% Trust $i.ard& • Specified domain , Specified forest* The other domain or forest that this local domain or local forest %ill trust& Although the 9e% Trust $i.ard is a%are of the domain conte-t in %hich it is running( it does not have 0no%ledge of the other domain that ou %ant to create the relationship %ith& After ou t pe the name of the other domain or forest in the rust Name page( that name is used %henever the %i.ard refers to the specified domain or specified forest& • wo-way trust* A trust relationship bet%een t%o domains in %hich both domains trust each other& =or e-ample( domain A trusts domain >( and domain > trusts domain A& All parent/child trusts are t%o/%a trusts& • One-way* incoming trust* A one/%a trust relationship bet%een t%o domains in %hich the direction of the trust points to%ard the domain from %hich ou start the 9e% Trust $i.ard "and %hich is identified in the %i.ard as his domain#& $hen the direction of the trust points to%ard our domain( users in our domain can access resources in the specified domain& =or e-ample( if ou are the domain administrator in domain A and ou create a one/%a ( incoming trust to domain >( this provides a relationship through %hich users %ho are located in domain A can access resources in domain >& >ecause this relationship is one %a ( users in domain > cannot access resources in domain A& • One-way* outgoing trust* A one/%a trust 
relationship bet%een t%o domains in %hich the direction of the trust points to%ard the domain that is identified as Specified domain in the 9e% Trust $i.ard& $hen the direction of trust points to%ard the specified domain( users in the specified domain can access resources in our domain& =or e-ample( if ou are the domain administrator in domain A and ou create a one/%a ( outgoing trust to domain >( this action provides a relationship through %hich users %ho are located in domain > can access resources in domain A& >ecause this relationship is one %a ( users in domain A cannot access resources in domain >& • $oth sides of the trust* $hen ou create e-ternal trusts( shortcut trusts( or forest trusts( ou have the option to create each side of the trust separatel or both sides of the trust simultaneousl & 'f ou choose to create each side of the trust separatel ( ou must run the 9e% Trust $i.ard t%iceDonce for each domain& $hen ou create trusts separatel ( ou must suppl the same trust pass%ord for each domain& As a securit best practice( all trust pass%ords should be strong pass%ords&


• Domain-wide authentication: An authentication setting that permits unrestricted access by any users in the specified domain to all available shared resources that are located in the local domain. This is the default authentication setting for external trusts.
• Forest-wide authentication: An authentication setting that permits unrestricted access by any users in the specified forest to all available shared resources that are located in any of the domains in the local forest. This is the default authentication setting for forest trusts.
• Selective authentication: An authentication setting that restricts access over an external trust or forest trust to only those users in a specified domain or specified forest who have been explicitly given authentication permissions to computer objects (resource computers) that reside in the local domain or the local forest. This authentication setting must be enabled manually.
• Trust password: An option in which both domains in a trust relationship share a password, which is stored in the trusted domain object (TDO) in Active Directory Domain Services (AD DS). When you choose this option, a strong trust password is generated automatically for you. You must use the same password when you create a trust relationship in the specified domain. If you choose to create both sides of the trust simultaneously, you run the New Trust Wizard once.
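The wizard's terminology can be hard to match against what an existing domain actually has configured. The following audit script is an added example, not part of the Operations Guide or of any Microsoft tool; it assumes the ActiveDirectory PowerShell module (Get-ADTrust, available with RSAT on Windows Server 2008 R2 and later) and reports each trust in the wizard's own terms, flagging outgoing external and forest trusts that are still at the default, unrestricted authentication level.

```powershell
# Added example (not from the Operations Guide): report existing trusts in the
# New Trust Wizard's terminology and flag ones still at the default level.
# Assumes the ActiveDirectory module; the wizard itself offers no such report.
Import-Module ActiveDirectory

function Get-TrustReport {
    param(
        # Domain to inspect; defaults to the domain of the current computer.
        [string]$Domain = $env:USERDNSDOMAIN
    )

    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        $t = $_

        # Get-ADTrust reports Direction relative to the local domain:
        # Inbound  = the wizard's "One-way: incoming" (our users use their resources)
        # Outbound = the wizard's "One-way: outgoing" (their users use our resources)
        $wizardDirection = switch ($t.Direction.ToString()) {
            'BiDirectional' { 'Two-way' }
            'Inbound'       { 'One-way: incoming' }
            'Outbound'      { 'One-way: outgoing' }
            default         { "Unknown ($($t.Direction))" }
        }

        # Classify the trust the way the wizard's Trust Type page does.
        $kind = if ($t.IntraForest) { 'Shortcut or parent-child' }
                elseif ($t.ForestTransitive) { 'Forest' }
                else { 'External (nontransitive)' }

        # Selective authentication only matters where outside users can reach
        # our resources, i.e. on the outgoing side of external or forest trusts.
        $exposesResources = @('Outbound', 'BiDirectional') -contains $t.Direction.ToString()
        $authLevel = if ($t.IntraForest) { 'n/a (same forest)' }
                     elseif ($t.SelectiveAuthentication) { 'Selective authentication' }
                     elseif ($t.ForestTransitive) { 'Forest-wide authentication' }
                     else { 'Domain-wide authentication' }

        [pscustomobject]@{
            LocalDomain         = $Domain
            SpecifiedDomain     = $t.Target
            TrustType           = $kind
            Direction           = $wizardDirection
            AuthenticationLevel = $authLevel
            # The guide notes that selective authentication must be enabled by
            # hand; anything outgoing and still unrestricted deserves a review.
            ReviewNeeded        = (-not $t.IntraForest) -and $exposesResources -and (-not $t.SelectiveAuthentication)
        }
    }
}

Get-TrustReport | Sort-Object ReviewNeeded -Descending | Format-Table -AutoSize
```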

Known Issues for Creating Domain and Forest Trusts
Review the following known issues before creating domain and forest trusts in Windows Server 2008:
• You cannot delegate the creation of trusts to any user who is not a member of the Domain Admins group or the Enterprise Admins group. Even though you can grant a user the Create TDO (Trusted Domain Object) right or the Delete TDO right in the System container of a domain, the user will not be granted the right to create a trust. This issue occurs because Netlogon and the trust-creation tools (Active Directory Domains and Trusts and Netdom) are designed so that only members of the Domain Admins group and the Enterprise Admins group can create trusts. However, any user who is a member of the Incoming Forest Trust Builders group can create one-way, incoming forest trusts to your forest.
• When you are logged on locally to a domain controller and you try to create a new trust by using Active Directory Domains and Trusts, the operation may be unsuccessful and you may receive the message “Access denied.” This issue occurs only if you are logged on locally to the domain controller as an ordinary user (that is, you are not logged on as Administrator or as a member of any administrative groups for the domain). By default, ordinary users are blocked from logging on locally to a domain controller unless Group Policy is modified to permit this.
• When you use the Active Directory Domains and Trusts snap-in to create a trust, you may receive the message “Operation failed. Parameter incorrect.” This issue may occur if you try to establish a trust relationship when the source domain and the target domain have one or more of the following identifiers that are the same:
   • Security identifier (SID)
   • Domain Name System (DNS) name
   • NetBIOS name

To resolve this issue, do one of the following before you try to create the trust, as appropriate to your situation:
   • Rename the conflicting identifier.
   • Use a fully qualified domain name (FQDN) if there is a NetBIOS conflict.

• The option to create a forest trust may not appear in the New Trust Wizard. This issue typically occurs when one or both of the Windows Server 2008 forests are not set to the Windows Server 2003 forest functional level or higher. For more information about forest functional levels, see Active Directory Functional Levels Technical Reference (http://go.microsoft.com/fwlink/?LinkId=111466).
• You cannot create a trust relationship with a Microsoft Windows Small Business Server 2003 (Windows SBS) domain. For information about Windows SBS software, see Introduction to Windows Small Business Server 2003 for Enterprise IT Pros (http://go.microsoft.com/fwlink/?LinkId=121[5/8]91; the fourth digit is unreadable in the source).

Creating External Trusts
You can create an external trust to form a one-way or two-way, nontransitive trust with domains that are outside your forest. External trusts are sometimes necessary when users need access to resources that are located in a Windows NT 4.0 domain or in a domain that is in a separate Active Directory Domain Services (AD DS) forest that is not joined by a forest trust. For example, if you have a Windows Server 2008-based domain whose users want to gain access to resources that are stored in a Windows NT-based domain, you must create a trust relationship in which the Windows NT-based domain trusts the users from the Windows Server 2008-based domain. In this case, the Windows NT-based domain is the trusting domain, and the Windows Server 2008-based domain is the trusted domain.
• You can create an external trust between two Windows Server 2003-based or Windows Server 2008-based domains, between a Windows Server 2008-based domain and a Windows Server 2003-based domain, or between a Windows Server 2003-based domain or Windows Server 2008-based domain and a Windows NT-based domain. External trusts cannot be extended implicitly to a third domain.
• To create an external trust between domains in different forests, the forest functional level for both of the forests must be set to either Windows Server 2003 or Windows Server 2008. For more information about functional levels, see Active Directory Functional Levels Technical Reference (http://go.microsoft.com/fwlink/?LinkId=111466).


• To create an external trust successfully, you must set up your Domain Name System (DNS) environment properly. If there is a root DNS server that you can make the root DNS server for the DNS namespaces of both forests, make that server the root DNS server by ensuring that the root zone contains delegations for each of the DNS namespaces. Also, update the root hints of all DNS servers with the new root DNS server.
• If there is no shared root DNS server and the root DNS servers for each forest DNS namespace are running Windows Server 2003, configure DNS conditional forwarders in each DNS namespace to route queries for names in the other namespace.
• If there is no shared root DNS server and the root DNS servers for each forest DNS namespace are not running Windows Server 2008 or Windows Server 2003, configure DNS secondary zones in each DNS namespace to route queries for names in the other namespace. For more information about configuring DNS to work with AD DS, see DNS Support for Active Directory Technical Reference (http://go.microsoft.com/fwlink/?LinkID=106660).

For more information about external trusts, see How Domain and Forest Trusts Work (http://go.microsoft.com/fwlink/?LinkId=1114[5/8]1; the fifth digit is unreadable in the source).

Note
Trusts that are created between Windows NT 4.0 domains and AD DS domains are one way and nontransitive, and they require NetBIOS name resolution.

Task requirements
You can use either of the following tools to perform the procedures for this task:
• Active Directory Domains and Trusts
• Netdom.exe

For more information about how to use the Netdom command-line tool to create an external trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111[5/8]37; the fourth digit is unreadable in the source).

Note
If you have the appropriate administrative credentials for each domain, you can create both sides of an external trust at the same time. To create both sides of the trust simultaneously, follow the appropriate procedure below that contains the words “both sides of the trust” in the procedure title. For example, the procedure “Create a one-way, incoming, external trust for both sides of the trust” provides the steps to follow when you have the administrative credentials for both domains and you want to use the New Trust Wizard to create an incoming, external trust in one operation. For more information about how the “both sides of the trust” option works, see "Sides of Trust" in Appendix: New Trust Wizard Pages.

To complete the task of creating an external trust, you can perform any of the following procedures, depending on the requirements of your organization and the administrative credentials that you have when you create the trust:
• Create a One-Way, Incoming, External Trust for One Side of the Trust
• Create a One-Way, Incoming, External Trust for Both Sides of the Trust
• Create a One-Way, Outgoing, External Trust for One Side of the Trust
• Create a One-Way, Outgoing, External Trust for Both Sides of the Trust
• Create a Two-Way, External Trust for One Side of the Trust
• Create a Two-Way, External Trust for Both Sides of the Trust

Create a One-Way, Incoming, External Trust for One Side of the Trust
You can use this procedure to create one side of a one-way, incoming, external trust. Although one side of a trust will be created successfully, the new trust will not function until the administrator for the reciprocal domain uses his or her credentials to create the outgoing side of the trust. If you have administrative credentials for both domains that are involved in the trust, you can use the procedure Create a One-Way, Incoming, External Trust for Both Sides of the Trust to create both sides of the trust in one simultaneous operation.

A one-way, incoming, external trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to access resources in another Active Directory domain (outside your forest) or in a Windows NT 4.0 domain. For example, if you are the administrator of sales.wingtiptoys.com and users in that domain need to access resources in the marketing.tailspintoys.com domain (which is located in another forest), you can use this procedure (in conjunction with another procedure, which is executed by the administrator in the other forest) to establish one side of the relationship so that users in your domain can access resources in the marketing.tailspintoys.com domain.

You can create this external trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create an external trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111[5/8]37; the fourth digit is unreadable in the source).

Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To create a one-way, incoming, external trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.

6. On the Direction of Trust page, click One-way: incoming, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click This domain only, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the Trust Password page, type the trust password twice, and then click Next. With the administrator of the other domain, agree on a secure channel password to be used in establishing the trust.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
11. On the Confirm Incoming Trust page, do one of the following:
   • If you do not want to confirm this trust, click No, do not confirm the incoming trust.
   • If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
12. On the Completing the New Trust Wizard page, click Finish.

Note
For this trust to function, the domain administrator for the specified domain or specified forest must follow the procedure Create a One-Way, Outgoing, External Trust for One Side of the Trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.

Create a One-Way, Incoming, External Trust for Both Sides of the Trust
You can use this procedure to create both sides of a one-way, incoming, external trust. You must have administrative credentials for your domain as well as for the reciprocal domain. If you have administrative credentials only for your domain, you can use the procedure Create a One-Way, Incoming, External Trust for One Side of the Trust to create your side of the trust. Then, have the administrator for the reciprocal domain create a one-way, outgoing, external trust from his or her domain.

A one-way, incoming, external trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to access resources in another Active Directory domain (outside your forest) or in a Windows NT 4.0 domain. For example, if you are the administrator of sales.wingtiptoys.com and users in that domain need to access resources in the marketing.tailspintoys.com domain (which is located in another forest), you can use this procedure to establish a relationship so that users in your domain can access resources in the marketing.tailspintoys.com domain.

You can create this external trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create an external trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111[5/8]37; the fourth digit is unreadable in the source).

Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To create a one-way, incoming, external trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: incoming, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain.
9. On the Outgoing Trust Authentication Level--Specified Domain page, do one of the following, and then click Next:
   • Click Domain-wide authentication.
   • Click Selective authentication.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Incoming Trust page, do one of the following:
   • If you do not want to confirm this trust, click No, do not confirm the incoming trust.
   • If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.


Create a One-Way, Outgoing, External Trust for One Side of the Trust
You can use this procedure to create one side of a one-way, outgoing, external trust. Although one side of a trust will be created successfully, the new trust will not function until the administrator for the reciprocal domain uses his or her credentials to create the incoming side of the trust. If you have administrative credentials for both domains that are involved in the trust, you can use the procedure Create a One-Way, Outgoing, External Trust for Both Sides of the Trust to create both sides of the trust in one simultaneous operation.

A one-way, outgoing, external trust will allow resources in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to be accessed by users in a different Active Directory domain (outside your forest) or in a Windows NT 4.0 domain. For example, if you are the administrator of sales.wingtiptoys.com and you have resources in that domain that need to be accessed by users in the marketing.tailspintoys.com domain (which is located in another forest), you can use this procedure to establish one side of the relationship so that users in the marketing.tailspintoys.com domain can access the resources in sales.wingtiptoys.com.

You can create this external trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create an external trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111[5/8]37; the fourth digit is unreadable in the source).

Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To create a one-way, outgoing, external trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the external domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: outgoing, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click This domain only, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the Outgoing Trust Authentication Level page, do one of the following, and then click Next:
   • Click Domain-wide authentication.
   • Click Selective authentication.
9. On the Trust Password page, type the trust password twice, and then click Next.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Outgoing Trust page, do one of the following:
   • If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
   • If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.

Note
For this trust to function, the domain administrator for the specified domain or specified forest must follow the procedure Create a One-Way, Incoming, External Trust for One Side of the Trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.

Create a One-Way, Outgoing, External Trust for Both Sides of the Trust
You can use this procedure to create both sides of a one-way, outgoing, external trust. You must have administrative credentials for your domain as well as for the reciprocal domain. If you have administrative credentials only for your domain, you can use the procedure Create a One-Way, Outgoing, External Trust for One Side of the Trust to create your side of the trust. Then, have the administrator for the reciprocal domain create a one-way, incoming, external trust from his or her domain.

A one-way, outgoing, external trust allows resources in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to be accessed by users in a different Active Directory domain (outside your forest) or in a Windows NT 4.0 domain. For example, if you are the administrator of sales.wingtiptoys.com and you have resources in that domain that need to be accessed by users in the marketing.tailspintoys.com domain (which is located in another forest), you can use this procedure to establish the relationship so that users in the marketing.tailspintoys.com domain can access the resources in sales.wingtiptoys.com.

You can create this external trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create an external trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111[5/8]37; the fourth digit is unreadable in the source).

Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To create a one-way, outgoing, external trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: outgoing, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain.
9. On the Outgoing Trust Authentication Level--Local Domain page, do one of the following, and then click Next:
   • Click Domain-wide authentication.
   • Click Selective authentication.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Outgoing Trust page, do one of the following:
   • If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
   • If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.


Create a Two-Way, External Trust for One Side of the Trust
You can use this procedure to create one side of a two-way, external trust. Although one side of a trust will be created successfully, the new trust will not function until the administrator for the reciprocal domain uses his or her credentials to create the second side of the trust. If you have administrative credentials for both domains that are involved in the trust, you can use the procedure Create a Two-Way, External Trust for Both Sides of the Trust to create both sides of the trust in one simultaneous operation.

A two-way, external trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) and users in the reciprocal domain to access resources in either of the two domains.

You can create this external trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create an external trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111[5/8]37; the fourth digit is unreadable in the source).

Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To create a two-way, external trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click Two-way, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click This domain only, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the Outgoing Trust Authentication Level page, do one of the following, and then click Next:
   • Click Domain-wide authentication.
   • Click Selective authentication.
9. On the Trust Password page, type the trust password twice, and then click Next.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Outgoing Trust page, do one of the following:
   • If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
   • If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
13. On the Confirm Incoming Trust page, do one of the following:
   • If you do not want to confirm this trust, click No, do not confirm the incoming trust.
   • If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
14. On the Completing the New Trust Wizard page, click Finish.

Note
For this trust to function, the domain administrator for the specified domain or specified forest must follow this same procedure, using his or her administrative credentials and the exact same trust password that was used during this procedure.

Create a Two-Way, External Trust for Both Sides of the Trust
You can use this procedure to create both sides of a two-way, external trust. You must have administrative credentials for your domain as well as for the reciprocal domain. If you have administrative credentials only for your domain, you can use the procedure Create a Two-Way, External Trust for One Side of the Trust to create your side of the trust. Then, have the administrator for the reciprocal domain create a two-way, external trust from his or her domain.

A two-way, external trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) and users in the reciprocal domain to access resources in either of the two domains.

You can create this external trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create an external trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111[5/8]37; the fourth digit is unreadable in the source).

Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To create a two-way, external trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click Two-way, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain.
9. On the Outgoing Trust Authentication Level--Local Domain page, do one of the following, and then click Next:
   • Click Domain-wide authentication.
   • Click Selective authentication.
10. On the Outgoing Trust Authentication Level--Specified Domain page, do one of the following, and then click Next:
   • Click Domain-wide authentication.
   • Click Selective authentication.
11. On the Trust Selections Complete page, review the results, and then click Next.
12. On the Trust Creation Complete page, review the results, and then click Next.
13. On the Confirm Outgoing Trust page, do one of the following:
   • If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
   • If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
14. On the Confirm Incoming Trust page, do one of the following:
   • If you do not want to confirm this trust, click No, do not confirm the incoming trust.
   • If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
15. On the Completing the New Trust Wizard page, click Finish.
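The guide refers to Netdom as the alternative to the wizard for each of the external trust procedures above. The script below is an added example, not from the Operations Guide or from Microsoft: it performs the Netdom equivalent of "Create a One-Way, Incoming, External Trust for Both Sides of the Trust" from the sales.wingtiptoys.com side, enables selective authentication on the outgoing side, and confirms the secure channel. The domain names are the guide's own example names, the account names are placeholders, and the netdom parameter semantics (/uo and /po for the trusting domain named first, /ud and /pd for the trusted domain named by /d) are assumed as documented for Windows Server 2008.

```powershell
# Added example (not from the Operations Guide): the Netdom equivalent of
# "Create a One-Way, Incoming, External Trust for Both Sides of the Trust",
# run from sales.wingtiptoys.com, then hardened and verified.
# Assumptions: netdom.exe is present (Windows Server 2008 with AD DS), the
# account names are placeholders, and you run this elevated as a member of
# Domain Admins in sales.wingtiptoys.com holding credentials for the other side.

# The wizard's "this domain" (where our users live) is the TRUSTED domain,
# which netdom takes as /d:.
$LocalDomain     = 'sales.wingtiptoys.com'
# The wizard's "specified domain" (where the resources live) is the TRUSTING
# domain, which netdom takes as its first positional argument.
$SpecifiedDomain = 'marketing.tailspintoys.com'

$LocalAdmin      = 'WINGTIPTOYS\TrustAdmin'    # placeholder: admin in the trusted domain
$SpecifiedAdmin  = 'TAILSPINTOYS\TrustAdmin'   # placeholder: admin in the trusting domain

function Invoke-NetdomTrust {
    # Runs one "netdom trust" command, echoes it, and stops on failure so a
    # half-created trust is noticed rather than silently left behind.
    param([string[]]$Arguments)
    Write-Host "netdom trust $($Arguments -join ' ')"
    & netdom trust $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "netdom trust failed with exit code $LASTEXITCODE"
    }
}

# Credentials for both sides: /uo,/po = account in the trusting domain (first
# argument); /ud,/pd = account in the trusted domain (/d). '*' makes netdom
# prompt for each password instead of leaving it in the command line or history.
$creds = @("/uo:$SpecifiedAdmin", '/po:*', "/ud:$LocalAdmin", '/pd:*')
$trust = @($SpecifiedDomain, "/d:$LocalDomain")

# 1. Create both sides at once: marketing trusts sales (one-way, incoming
#    from the sales side). Without /twoway this is exactly the one-way trust
#    the wizard procedure creates; because both sides are created in one
#    operation, no shared trust password has to be agreed by hand.
Invoke-NetdomTrust -Arguments ($trust + '/add' + $creds)

# 2. Replace the default domain-wide authentication on the outgoing side with
#    selective authentication, so only sales users explicitly granted
#    "Allowed to Authenticate" on marketing computers can use the trust.
Invoke-NetdomTrust -Arguments ($trust + '/SelectiveAUTH:yes' + $creds)

# 3. Confirm the secure channel now rather than on first use, the equivalent
#    of choosing "Yes, confirm the ... trust" in the wizard.
Invoke-NetdomTrust -Arguments ($trust + '/verify' + $creds)
```

Re-run the audit on both domains afterwards (or inspect the Trusts tab in Active Directory Domains and Trusts) to confirm the direction and authentication level match what was intended.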

Creating Shortcut Trusts
A shortcut trust is a manuall created trust that shortens the trust path to improve the speed at %hich authentications( %hich occur bet%een domain trees( are processed& This can result in faster logon times and faster access to resources& A trust path is a chain of multiple trusts that enables trust bet%een domains that are not ad,acent in the domain namespace& =or e-ample( if users in domain A need to gain access to resources in domain C( ou can create a direct lin0 from domain A to domain C through a shortcut trust relationship( b passing domain > in the trust path& =or more information about shortcut trusts( see ;o% Domain and =orest Trusts $or0 "http:33go&microsoft&com3f%lin03P+in0'DQ666A86#& ask re0uirements Eou can use either of the follo%ing tools to perform the procedures for this tas0: • • Active Director Domains and Trusts 9etdom&e-e

For more information about how to use the Netdom command-line tool to create a shortcut trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
Note
If you have the appropriate administrative credentials for each domain, you can create both sides of a shortcut trust at the same time. To create both sides of the trust, follow the appropriate procedure below that contains the words "for both sides of the trust" in the title. For example, the procedure "Create a one-way, incoming, shortcut trust for both sides of the trust" explains how to configure both sides of a shortcut trust. For more information about how the "both sides of the trust" option works, see the section "Sides of Trust" in Appendix: New Trust Wizard Pages.
To complete the task of creating a shortcut trust, perform any of the following procedures, depending on the requirements of your organization and the administrative credentials that you have when you create the trust:
• Create a One-Way, Incoming, Shortcut Trust for One Side of the Trust
• Create a One-Way, Incoming, Shortcut Trust for Both Sides of the Trust
• Create a One-Way, Outgoing, Shortcut Trust for One Side of the Trust
• Create a One-Way, Outgoing, Shortcut Trust for Both Sides of the Trust
• Create a Two-Way, Shortcut Trust for One Side of the Trust
• Create a Two-Way, Shortcut Trust for Both Sides of the Trust


Create a One-Way, Incoming, Shortcut Trust for One Side of the Trust
You can use this procedure to create one side of a one-way, incoming, shortcut trust. Although one side of a trust will be created successfully, the new trust will not function until the administrator for the reciprocal domain uses his or her credentials to create the outgoing side of the trust. If you have administrative credentials for both domains that are involved in the trust, you can use the procedure Create a One-Way, Incoming, Shortcut Trust for Both Sides of the Trust to create both sides in one simultaneous operation.
A one-way, incoming, shortcut trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to more quickly access resources in another domain (which is nested within another domain tree) in your forest. For example, if you are the administrator of sales.wingtiptoys.com and users in that domain need to access resources in the marketing.tailspintoys.com domain (which is a child domain of the tailspintoys.com tree root domain), you can use this procedure to establish one side of the relationship so that users in your domain can more quickly access resources in the marketing.tailspintoys.com domain.
You can create this shortcut trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a shortcut trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To create a one-way, incoming, shortcut trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: incoming, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click This domain only, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the Trust Password page, type the trust password twice, and then click Next.

9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
11. On the Confirm Incoming Trust page, do one of the following:
• If you do not want to confirm this trust, click No, do not confirm the incoming trust.
• If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
12. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the domain administrator for the specified domain or specified forest must follow the procedure Create a One-Way, Outgoing, Shortcut Trust for One Side of the Trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.

Create a One-Way, Incoming, Shortcut Trust for Both Sides of the Trust
You can use this procedure to create both sides of a one-way, incoming, shortcut trust. You must have administrative credentials for your domain as well as for the reciprocal domain. If you have administrative credentials only for your domain, you can use the procedure Create a One-Way, Incoming, Shortcut Trust for One Side of the Trust to create your side of the trust. Then, have the administrator for the reciprocal domain create a one-way, outgoing, shortcut trust from his or her domain.
A one-way, incoming, shortcut trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to more quickly access resources in another domain (which is nested within another domain tree) in your forest. For example, if you are the administrator of sales.wingtiptoys.com and users in that domain need to access resources in the marketing.tailspintoys.com domain (which is a child domain of the tailspintoys.com tree root domain), you can use this procedure to establish one side of the relationship so that users in your domain can more quickly access resources in the marketing.tailspintoys.com domain.
You can create this shortcut trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a shortcut trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.


To create a one-way, incoming, shortcut trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: incoming, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
11. On the Confirm Incoming Trust page, do one of the following:
• If you do not want to confirm this trust, click No, do not confirm the incoming trust.
• If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
12. On the Completing the New Trust Wizard page, click Finish.

Create a One-Way, Outgoing, Shortcut Trust for One Side of the Trust
You can use this procedure to create one side of a one-way, outgoing, shortcut trust. Although one side of a trust will be created successfully, the new trust will not function until the administrator for the reciprocal domain uses his or her credentials to create the incoming side of the trust. If you have administrative credentials for both domains that are involved in the trust, you can use the procedure Create a One-Way, Outgoing, Shortcut Trust for Both Sides of the Trust to create both sides of the trust in one simultaneous operation.
A one-way, outgoing, shortcut trust allows resources in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to be accessed more quickly by users in another domain (which is nested within another domain tree) in your forest. For example, if you are the administrator of marketing.tailspintoys.com and resources in that domain need to be accessed by users in the sales.wingtiptoys.com domain (which is a child domain of the wingtiptoys.com tree root domain), you can use this procedure to establish one side of the relationship so that users in the sales.wingtiptoys.com domain can more quickly access resources in the marketing.tailspintoys.com domain.
You can create this shortcut trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a shortcut trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To create a one-way, outgoing, shortcut trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: outgoing, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click This domain only, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the Trust Password page, type the trust password twice, and then click Next.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
11. On the Confirm Outgoing Trust page, do one of the following:
• If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
• If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
12. On the Completing the New Trust Wizard page, click Finish.


Note
For this trust to function, the domain administrator for the specified domain or specified forest must follow the procedure Create a One-Way, Incoming, Shortcut Trust for One Side of the Trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.

Create a One-Way, Outgoing, Shortcut Trust for Both Sides of the Trust
You can use this procedure to create both sides of a one-way, outgoing, shortcut trust. You must have administrative credentials for your domain as well as for the reciprocal domain. If you have administrative credentials only for your domain, you can use the procedure Create a One-Way, Outgoing, Shortcut Trust for One Side of the Trust to create your side of the trust. Then, have the administrator for the reciprocal domain create a one-way, incoming, shortcut trust from his or her domain.
A one-way, outgoing, shortcut trust allows resources in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to be accessed more quickly by users in another domain (which is nested within another domain tree) in your forest. For example, if you are the administrator of marketing.tailspintoys.com and resources in that domain need to be accessed by users in the sales.wingtiptoys.com domain (which is a child domain of the wingtiptoys.com tree root domain), you can use this procedure to establish one side of the relationship so that users in the sales.wingtiptoys.com domain can more quickly access resources in the marketing.tailspintoys.com domain.
You can create this shortcut trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a shortcut trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To create a one-way, outgoing, shortcut trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click One-way: outgoing, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
11. On the Confirm Outgoing Trust page, do one of the following:
• If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
• If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
12. On the Completing the New Trust Wizard page, click Finish.

Create a Two-Way, Shortcut Trust for One Side of the Trust
You can use this procedure to create one side of a two-way, shortcut trust. Although one side of a trust will be created successfully, the new trust will not function until the administrator for the reciprocal domain uses his or her credentials to create the second side of the trust. If you have administrative credentials for both domains that are involved in the trust, you can use the procedure Create a Two-Way, Shortcut Trust for Both Sides of the Trust to create both sides of the trust in one simultaneous operation.
A two-way, shortcut trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) and users in the reciprocal domain to more quickly access resources in either domain (when both domains are separated by a domain tree) in your forest.
You can create this shortcut trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a shortcut trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To create a two-way, shortcut trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click Two-way, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click This domain only, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the Trust Password page, type the trust password twice, and then click Next.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
11. On the Confirm Outgoing Trust page, do one of the following:
• If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
• If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
12. On the Confirm Incoming Trust page, do one of the following:
• If you do not want to confirm this trust, click No, do not confirm the incoming trust.
• If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the domain administrator for the specified domain must follow this same procedure using his or her administrative credentials and the exact same trust password that was used during this procedure.


Create a Two-Way, Shortcut Trust for Both Sides of the Trust
You can use this procedure to create both sides of a two-way, shortcut trust. You must have administrative credentials for your domain as well as for the reciprocal domain. If you have administrative credentials only for your domain, you can use the procedure Create a Two-Way, Shortcut Trust for One Side of the Trust to create your side of the trust. Then, have the administrator for the reciprocal domain create a two-way, shortcut trust from his or her domain.
A two-way, shortcut trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) and users in the reciprocal domain to more quickly access resources in either domain (when both domains are separated by a domain tree) in your forest.
You can create this shortcut trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about how to use the Netdom command-line tool to create a shortcut trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To create a two-way, shortcut trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next.
5. On the Trust Type page, click External trust, and then click Next.
6. On the Direction of Trust page, click Two-way, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
11. On the Confirm Outgoing Trust page, do one of the following:
• If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
• If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
12. On the Confirm Incoming Trust page, do one of the following:
• If you do not want to confirm this trust, click No, do not confirm the incoming trust.
• If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.

Creating Forest Trusts
In a Windows Server 2008 forest, you can link two disjoined Windows Server 2008 forests together to form a one-way or two-way, transitive trust relationship. You can use a two-way, forest trust to form a transitive trust relationship between every domain in both forests. For more information about forest trusts, see How Domain and Forest Trusts Work (http://go.microsoft.com/fwlink/?LinkID=111451).
Task requirements
The following are required to create forest trusts successfully:
• You can create a forest trust between two Windows Server 2003 forests, between two Windows Server 2008 forests, or between a Windows Server 2003 forest and a Windows Server 2008 forest. Forest trusts cannot be extended implicitly to a third forest.
• To create a forest trust, the forest functional level for both of the forests that are involved in the trust relationship must be set to Windows Server 2003. For more information about functional levels, see the Active Directory Functional Levels Technical Reference (http://go.microsoft.com/fwlink/?LinkID=111466).
• To create a forest trust successfully, you must set up your Domain Name System (DNS) environment properly. If there is a root DNS server that you can make the root DNS server for the DNS namespaces of both forests, make it the root DNS server by ensuring that the root zone contains delegations for each of the DNS namespaces. Also, update the root hints of all DNS servers with the new root DNS server.
• If there is no shared root DNS server and the root DNS servers for each forest DNS namespace are running Windows Server 2003, configure DNS conditional forwarders in each DNS namespace to route queries for names in the other namespace.
• If there is no shared root DNS server and the root DNS servers for each forest DNS namespace are not running Windows Server 2008 or Windows Server 2003, configure DNS secondary zones in each DNS namespace to route queries for names in the other namespace.
For more information about configuring DNS to work with Active Directory Domain Services (AD DS), see the DNS Support for Active Directory Technical Reference (http://go.microsoft.com/fwlink/?LinkID=106660).
You can use either of the following tools to perform the procedures for this task:
• Active Directory Domains and Trusts
• Netdom.exe
For more information about using the Netdom command-line tool to create a forest trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
Note
If you have the appropriate administrative credentials for each forest, you can create both sides of a forest trust at the same time. To create both sides of the forest trust, follow the appropriate procedure below that contains the words "for both sides of the trust" in the title. For example, the procedure "Create a one-way, incoming, forest trust for both sides of the trust" explains how to configure both sides of the trust. For more information about how the "both sides of the trust" option works, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
To create a forest trust, perform any one of the following procedures, depending on the requirements of your organization and the administrative credentials that you have when you create the trust:
• Create a One-Way, Incoming, Forest Trust for One Side of the Trust
• Create a One-Way, Incoming, Forest Trust for Both Sides of the Trust
• Create a One-Way, Outgoing, Forest Trust for One Side of the Trust
• Create a One-Way, Outgoing, Forest Trust for Both Sides of the Trust
• Create a Two-Way, Forest Trust for One Side of the Trust
• Create a Two-Way, Forest Trust for Both Sides of the Trust
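The choices made in the New Trust Wizard for the shortcut and forest trust procedures in this section (trust type, One-way: incoming / One-way: outgoing / Two-way, and domain-wide, forest-wide or selective authentication) end up as attribute values on trustedDomain objects in the domain's System container. The PowerShell below is an added example, not code from this guide or from Microsoft; it decodes those objects so that a newly created trust can be compared with what was selected, and uses netdom trust /verify to exercise the secure channel that the wizard's "do not confirm" option leaves unestablished until first use. It assumes a domain-joined Windows machine, a caller who can read CN=System, and netdom.exe on the path; the sample values at the end are constructed.

```powershell
# Added example (not from the AD DS Operations Guide). Decodes the trustedDomain
# objects that the New Trust Wizard or Netdom creates under CN=System and maps
# them back to the wizard selections. Assumes a domain-joined Windows machine,
# read access to CN=System, and netdom.exe on the path; only the .NET
# System.DirectoryServices classes are used, no ActiveDirectory module.

# trustDirection, trustType and trustAttributes values as defined in MS-ADTS.
$TrustDirectionNames = @{ 0 = 'Disabled'; 1 = 'One-way: incoming'; 2 = 'One-way: outgoing'; 3 = 'Two-way' }
$TrustTypeNames      = @{ 1 = 'Downlevel (Windows NT)'; 2 = 'Uplevel (AD DS)'; 3 = 'MIT Kerberos'; 4 = 'DCE' }
$TRUST_ATTRIBUTE_NON_TRANSITIVE     = 0x01
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x08   # forest trust
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x10   # set when Selective authentication was chosen
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20   # shortcut, parent-child and tree-root trusts

function ConvertTo-TrustRecord {
    # Maps the raw attribute values of one trustedDomain object back to the
    # wizard choices they correspond to.
    param(
        [Parameter(Mandatory=$true)][string]$PartnerDnsName,
        [Parameter(Mandatory=$true)][int]$Direction,
        [Parameter(Mandatory=$true)][int]$Type,
        [Parameter(Mandatory=$true)][int]$Attributes
    )
    $isForest   = ($Attributes -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0
    $isInForest = ($Attributes -band $TRUST_ATTRIBUTE_WITHIN_FOREST) -ne 0
    $selective  = ($Attributes -band $TRUST_ATTRIBUTE_CROSS_ORGANIZATION) -ne 0

    $kind = 'External trust'
    if ($isInForest) { $kind = 'Shortcut (or parent-child / tree-root) trust' }
    if ($isForest)   { $kind = 'Forest trust' }

    # The Outgoing Trust Authentication Level page applies only to external and
    # forest trusts; a trust within the forest carries no such setting.
    $authLevel = 'Domain-wide authentication'
    if ($isForest)   { $authLevel = 'Forest-wide authentication' }
    if ($selective)  { $authLevel = 'Selective authentication' }
    if ($isInForest) { $authLevel = 'n/a (within forest)' }

    [pscustomobject]@{
        Partner        = $PartnerDnsName
        Kind           = $kind
        Direction      = $TrustDirectionNames[$Direction]
        Type           = $TrustTypeNames[$Type]
        Transitive     = (($Attributes -band $TRUST_ATTRIBUTE_NON_TRANSITIVE) -eq 0)
        Authentication = $authLevel
        RawAttributes  = ('0x{0:X}' -f $Attributes)
    }
}

function Get-TrustReport {
    # Reads every trustedDomain object in the System container of one domain
    # (by default the domain this machine is joined to).
    param([string]$DomainDN = ([ADSI]'LDAP://RootDSE').defaultNamingContext)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=System,$DomainDN"
    $searcher.Filter = '(objectClass=trustedDomain)'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('trustPartner', 'trustDirection', 'trustType', 'trustAttributes'))
    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties   # property names come back in lowercase
        ConvertTo-TrustRecord -PartnerDnsName $p['trustpartner'][0] `
                              -Direction $p['trustdirection'][0] `
                              -Type $p['trusttype'][0] `
                              -Attributes $p['trustattributes'][0]
    }
}

function Test-TrustSecureChannel {
    # "No, do not confirm" in the wizard leaves the secure channel unestablished
    # until the trust is first used; netdom trust /verify exercises it now.
    param(
        [Parameter(Mandatory=$true)][string]$TrustingDomain,
        [Parameter(Mandatory=$true)][string]$TrustedDomain
    )
    & netdom.exe trust $TrustingDomain "/d:$TrustedDomain" /verify | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Constructed sample: the values a two-way shortcut trust between
# sales.wingtiptoys.com and marketing.tailspintoys.com produces on the
# sales.wingtiptoys.com side (direction 3, uplevel type 2, WITHIN_FOREST = 0x20).
ConvertTo-TrustRecord -PartnerDnsName 'marketing.tailspintoys.com' -Direction 3 -Type 2 -Attributes 0x20 | Format-List

# Live report for the current domain, followed by a secure-channel check per trust.
$report = Get-TrustReport
$report | Format-Table -AutoSize
foreach ($trust in $report) {
    $ok = Test-TrustSecureChannel -TrustingDomain $env:USERDNSDOMAIN -TrustedDomain $trust.Partner
    Write-Output ("Secure channel to {0}: {1}" -f $trust.Partner, $(if ($ok) { 'verified' } else { 'FAILED' }))
}
```

A trust whose Direction or Authentication column does not match what was chosen on the wizard pages (for example, forest-wide where selective authentication was intended) should be reviewed before the other side is created.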

Create a One-Way, Incoming, Forest Trust for One Side of the Trust
You can use this procedure to create one side of a one-way, incoming, forest trust. Although one side of a trust will be created successfully, the new trust will not function until the administrator for the reciprocal forest uses his or her credentials to create the outgoing side of the trust. If you have administrative credentials for both forests that are involved in the trust, you can use the procedure Create a One-Way, Incoming, Forest Trust for Both Sides of the Trust to create both sides of the trust in one simultaneous operation.


A one-way, incoming, forest trust allows users in your Windows Server 2008 forest or Windows Server 2003 forest (the forest that you are logged on to at the time that you run the New Trust Wizard) to access resources in another Windows Server 2008 forest or Windows Server 2003 forest. For example, if you are the administrator of the wingtiptoys.com forest and users in that forest need to access resources in the tailspintoys.com forest, you can use this procedure to establish one side of the relationship so that users in your forest can access resources in any of the domains that make up the tailspintoys.com forest.
You can create this forest trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about how to use the Netdom command-line tool to create a forest trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
Membership in Domain Admins in the forest root domain or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. If you are a member of the Incoming Forest Trust Builders group, you can create one-way, incoming, forest trusts to your forest. For more information about the Incoming Forest Trust Builders group, see How Domain and Forest Trusts Work (http://go.microsoft.com/fwlink/?LinkID=111451).
To create a one-way, incoming, forest trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the forest root domain of the forest for which you want to establish an incoming forest trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name of the forest root domain of the other forest, and then click Next.
5. On the Trust Type page, click Forest trust, and then click Next.
6. On the Direction of Trust page, click One-way: incoming, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click This domain only, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the Trust Password page, type the trust password twice, and then click Next.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Trust Creation Complete page, review the results, and then click Next.
11. On the Confirm Incoming Trust page, do one of the following:
• If you do not want to confirm this trust, click No, do not confirm the incoming trust.
• If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
12. On the Completing the New Trust Wizard page, click Finish.
Note
For this trust to function, the domain administrator for the specified domain (the forest root domain in the specified forest) must complete the procedure Create a One-Way, Outgoing, Forest Trust for One Side of the Trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.

Create a One-Way, Incoming, Forest Trust for Both Sides of the Trust
You can use this procedure to create both sides of a one-way, incoming, forest trust. You must have administrative credentials for your forest as well as for the reciprocal forest. If you have administrative credentials only for your forest, you can use the procedure Create a One-Way, Incoming, Forest Trust for One Side of the Trust to create your side of the trust. Then, have the administrator for the reciprocal forest create a one-way, outgoing forest trust from his or her domain.
A one-way, incoming, forest trust allows users in your Windows Server 2008 forest or Windows Server 2003 forest (the forest that you are logged on to at the time that you run the New Trust Wizard) to access resources in another Windows Server 2008 forest or Windows Server 2003 forest. For example, if you are the administrator of the wingtiptoys.com forest and users in that forest need to access resources in the tailspintoys.com forest, you can use this procedure to establish one side of the relationship so that users in your forest can access resources in any of the domains that make up the tailspintoys.com forest.
You can create this forest trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a forest trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).
Membership in Domain Admins in the forest root domain or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. If you are a member of the Incoming Forest Trust Builders group, you can create one-way, incoming, forest trusts to your forest. For more information about the Incoming Forest Trust Builders group, see How Domain and Forest Trusts Work (http://go.microsoft.com/fwlink/?LinkID=111451).
To create a one-way, incoming, forest trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the forest root domain of the forest for which you want to establish an incoming forest trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name of the forest root domain of the other forest, and then click Next.
5. On the Trust Type page, click Forest trust, and then click Next.
6. On the Direction of Trust page, click One-way: incoming, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain.
9. On the Outgoing Trust Authentication Level--Specified Forest page, do one of the following, and then click Next:
• Click Forest-wide authentication.
• Click Selective authentication.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Incoming Trust page, do one of the following:
• If you do not want to confirm this trust, click No, do not confirm the incoming trust.
• If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.

Create a One-Way, Outgoing, Forest Trust for One Side of the Trust
You can use this procedure to create one side of a one-way, outgoing, forest trust. Although one side of a trust will be created successfully, the new trust will not function until the administrator for the reciprocal forest uses his or her credentials to create the incoming side of the trust. If you have administrative credentials for both forests that are involved in the trust, you can use the procedure Create a One-Way, Outgoing, Forest Trust for Both Sides of the Trust to create both sides of the trust in one simultaneous operation.

A one-way, outgoing, forest trust allows resources in your Windows Server 2008 forest or Windows Server 2003 forest (the forest that you are logged on to at the time that you run the New Trust Wizard) to be accessed by users in another Windows Server 2008 forest or Windows Server 2003 forest. For example, if you are the administrator of the wingtiptoys.com forest and resources in that forest need to be accessed by users in the tailspintoys.com forest, you can use this procedure to establish one side of the relationship so that users in the tailspintoys.com forest can access resources in any of the domains that make up the wingtiptoys.com forest.

You can create this forest trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a forest trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).

Membership in Domain Admins in the forest root domain or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. If you are a member of the Incoming Forest Trust Builders group, you can create one-way, incoming, forest trusts to your forest. For more information about the Incoming Forest Trust Builders group, see How Domain and Forest Trusts Work (http://go.microsoft.com/fwlink/?LinkID=111481).

To create a one-way, outgoing, forest trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the forest root domain for which you want to establish an outgoing forest trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name of the forest root domain of the other forest, and then click Next.
5. On the Trust Type page, click Forest trust, and then click Next.
6. On the Direction of Trust page, click One-way: outgoing, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click This domain only, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the Outgoing Trust Authentication Level page, do one of the following, and then click Next:
• Click Forest-wide authentication.
• Click Selective authentication.
9. On the Trust Password page, type the trust password twice, and then click Next.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Outgoing Trust page, do one of the following:
• If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time the trust is used by users.
• If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.

Note
For this trust to function, the domain administrator for the specified domain (the forest root domain in the specified forest) must follow the procedure Create a One-Way, Incoming, Forest Trust for One Side of the Trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.

Create a One-Way, Outgoing, Forest Trust for Both Sides of the Trust
You can use this procedure to create both sides of a one-way, outgoing, forest trust. You must have administrative credentials for your forest as well as for the reciprocal forest. If you have administrative credentials only for your forest root domain, you can use the procedure Create a One-Way, Outgoing, Forest Trust for One Side of the Trust to create your side of the trust. Then, have the administrator for the reciprocal forest create a one-way, incoming, external trust from his or her forest.

A one-way, outgoing, forest trust allows resources in your Windows Server 2008 forest or Windows Server 2003 forest (the forest that you are logged on to at the time that you run the New Trust Wizard) to be accessed by users in another Windows Server 2008 forest or Windows Server 2003 forest. For example, if you are the administrator of the wingtiptoys.com forest and resources in that forest need to be accessed by users in the tailspintoys.com forest, you can use this procedure to establish one side of the relationship so that users in the tailspintoys.com forest can access resources in any of the domains that make up the wingtiptoys.com forest.

You can create this forest trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a forest trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).

Membership in Domain Admins in the forest root domain or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. For more information about the Incoming Forest Trust Builders group, see How Domain and Forest Trusts Work (http://go.microsoft.com/fwlink/?LinkID=111481).

To create a one-way, outgoing, forest trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the forest root domain of the forest for which you want to establish an outgoing forest trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name of the forest root domain of the other forest, and then click Next.
5. On the Trust Type page, click Forest trust, and then click Next.
6. On the Direction of Trust page, click One-way: outgoing, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain.
9. On the Outgoing Trust Authentication Level--Local Forest page, do one of the following, and then click Next:
• Click Forest-wide authentication.
• Click Selective authentication.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Outgoing Trust page, do one of the following:
• If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time that the trust is used by users.
• If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
13. On the Completing the New Trust Wizard page, click Finish.

Create a Two-Way, Forest Trust for One Side of the Trust
You can use this procedure to create one side of a two-way, forest trust. Although one side of a trust will be created successfully, the new trust will not function until the administrator for the reciprocal forest uses his or her credentials to create the incoming side of the trust. If you have administrative credentials for both forests that are involved in the trust, you can use the procedure Create a Two-Way, Forest Trust for Both Sides of the Trust to create both sides of the trust in one simultaneous operation.

A two-way, forest trust allows users in your forest (the forest that you are logged on to at the time that you run the New Trust Wizard) and users in the reciprocal forest to access resources in any of the domains in either of the two forests.

You can create this forest trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a forest trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).

Membership in Domain Admins in the forest root domain or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. If you are a member of the Incoming Forest Trust Builders group, you can create one-way, incoming, forest trusts to your forest. For more information about the Incoming Forest Trust Builders group, see How Domain and Forest Trusts Work (http://go.microsoft.com/fwlink/?LinkID=111481).

To create a two-way, forest trust for one side of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the forest root domain of the forest for which you want to establish a two-way forest trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name of the domain, and then click Next.
5. On the Trust Type page, click Forest trust, and then click Next.
6. On the Direction of Trust page, click Two-way, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click This domain only, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the Outgoing Trust Authentication Level page, do one of the following, and then click Next:
• Click Forest-wide authentication.
• Click Selective authentication.
9. On the Trust Password page, type the trust password twice, and then click Next.
10. On the Trust Selections Complete page, review the results, and then click Next.
11. On the Trust Creation Complete page, review the results, and then click Next.
12. On the Confirm Outgoing Trust page, do one of the following:
• If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time the trust is used by users.
• If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
13. On the Confirm Incoming Trust page, do one of the following:
• If you do not want to confirm this trust, click No, do not confirm the incoming trust.
• If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
14. On the Completing the New Trust Wizard page, click Finish.

Note
For this trust to function, the forest administrator in the specified forest must follow this same procedure, using his or her administrative credentials and the exact same trust password that was used during this procedure.

Create a Two-Way, Forest Trust for Both Sides of the Trust
You can use this procedure to create both sides of a two-way, forest trust. You must have administrative credentials for your forest as well as for the reciprocal forest. If you have administrative credentials only for your forest, you can use the procedure Create a Two-Way, Forest Trust for One Side of the Trust to create your side of the trust. Then, have the administrator for the reciprocal forest create a one-way, outgoing forest trust from his or her forest.

A two-way, forest trust allows users in your forest (the forest that you are logged on to at the time that you run the New Trust Wizard) and users in the reciprocal forest to access resources in any of the domains in either of the two forests.

You can create this forest trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a forest trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).

Membership in Domain Admins in the forest root domain or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. If you are a member of the Incoming Forest Trust Builders group, you can create one-way, incoming, forest trusts to your forest. For more information about the Incoming Forest Trust Builders group, see How Domain and Forest Trusts Work (http://go.microsoft.com/fwlink/?LinkID=111481).

To create a two-way, forest trust for both sides of the trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the forest root domain for which you want to establish a trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name of the forest root domain of the other forest, and then click Next.
5. On the Trust Type page, click Forest trust, and then click Next.
6. On the Direction of Trust page, click Two-way, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. For more information about the selections that are available on the Sides of Trust page, see "Sides of Trust" in Appendix: New Trust Wizard Pages.
8. On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain.
9. On the Outgoing Trust Authentication Level--Local Forest page, do one of the following, and then click Next:
• Click Forest-wide authentication.
• Click Selective authentication.
10. On the Outgoing Trust Authentication Level--Specified Forest page, do one of the following, and then click Next:
• Click Forest-wide authentication.
• Click Selective authentication.
11. On the Trust Selections Complete page, review the results, and then click Next.
12. On the Trust Creation Complete page, review the results, and then click Next.
13. On the Confirm Outgoing Trust page, do one of the following:
• If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time the trust is used by users.
• If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
14. On the Confirm Incoming Trust page, do one of the following:
• If you do not want to confirm this trust, click No, do not confirm the incoming trust.
• If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
15. On the Completing the New Trust Wizard page, click Finish.

Creating Realm Trusts
You can create a realm trust to form a one-way or two-way, nontransitive or transitive trust with non-Windows Kerberos realms in your organization. You can create the trust when you are logged on to the domain, or you can use the Run as command to create the trust for a different domain. For more information about realm trusts, see How Domain and Forest Trusts Work (http://go.microsoft.com/fwlink/?LinkID=111481).

Task requirements
You can use either of the following tools to perform the procedures for this task:
• Active Directory Domains and Trusts
• Netdom.exe

For more information about how to use the Netdom command-line tool to create a realm trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).

Note
The New Trust Wizard in the Active Directory Domains and Trusts snap-in does not support the creation of both sides of a realm trust at the same time. For more information about how the "both sides of the trust" option works, see the section "Sides of Trust" in Appendix: New Trust Wizard Pages.

To create a realm trust, perform any of the following procedures, depending on the requirements of your organization and the administrative credentials that you have when you create the trust:
• Create a One-Way, Incoming, Realm Trust
• Create a One-Way, Outgoing, Realm Trust
• Create a Two-Way, Realm Trust

Create a One-Way, Incoming, Realm Trust
A one-way, incoming realm trust allows users in your Windows Server 2008 domain or Windows Server 2003 domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to access resources in a Kerberos realm. For example, if you are the administrator of the sales.wingtiptoys.com domain and users in that domain need access to resources in the PRODUCTS.TAILSPINTOYS.com Kerberos realm, you can use this procedure to establish a relationship so that users in the sales.wingtiptoys.com domain have access to resources in the Kerberos realm.

Note
Kerberos realm names require uppercase characters.

You can create a realm trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a realm trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).

Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To create a one-way, incoming, realm trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain for which you want to establish a realm trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name of the Kerberos realm in uppercase characters, and then click Next.
5. On the Trust Type page, click Realm trust, and then click Next.
6. On the Transitivity of Trust page, do one of the following:
• To form a trust relationship with the domain and the specified realm only, click Nontransitive, and then click Next.
• To form a trust relationship with the domain and the specified realm and all trusted realms, click Transitive, and then click Next.
7. On the Direction of Trust page, click One-way: incoming, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
8. On the Trust Password page, type the trust password twice, and then click Next.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Completing the New Trust Wizard page, click Finish.

Note
For this trust to function, the administrator of the Kerberos realm must complete the trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.


Create a One-Way, Outgoing, Realm Trust
A one-way, outgoing realm trust allows resources in your Windows Server 2008 domain or Windows Server 2003 domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to be accessed by users in the Kerberos realm. For example, if you are the administrator of the sales.wingtiptoys.com domain and resources in that domain need to be accessed by users in the PRODUCTS.TAILSPINTOYS.com Kerberos realm, you can use this procedure to establish a relationship so that users in the Kerberos realm can access resources in the sales.wingtiptoys.com domain.

Note
Kerberos realm names require uppercase characters.

You can create this realm trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about using the Netdom command-line tool to create a realm trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).

Membership in Account Operators, Domain Admins, or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To create a one-way, outgoing, realm trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to establish a realm trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name of the Kerberos realm in uppercase characters, and then click Next.
5. On the Trust Type page, click Realm trust, and then click Next.
6. On the Transitivity of Trust page, do one of the following:
• To form a trust relationship with the domain and the specified realm only, click Nontransitive, and then click Next.
• To form a trust relationship with the domain and the specified realm and all trusted realms, click Transitive, and then click Next.
7. On the Direction of Trust page, click One-way: outgoing, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
8. On the Trust Password page, type the trust password twice, and then click Next.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Completing the New Trust Wizard page, click Finish.

Note
For this trust to function, the administrator of the realm must complete the trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.

Create a Two-Way, Realm Trust
A two-way, realm trust allows users in your Windows Server 2008 domain or Windows Server 2003 domain (the domain that you are logged on to at the time that you run the New Trust Wizard) and users in a specified Kerberos realm to access resources in either the domain or the Kerberos realm. For example, if users in the sales.wingtiptoys.com domain need access to resources in the PRODUCTS.TAILSPINTOYS.com Kerberos realm, and the realm users also need access to resources in the domain, you can use this procedure to establish a two-way trust relationship that allows users in both the realm and the domain to have access to resources in both places.

Note
Kerberos realm names require uppercase characters.

You can create this realm trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about how to use the Netdom command-line tool to create a realm trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).

Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To create a two-way, realm trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the domain for which you want to establish a realm trust, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. On the Trust Name page, type the Domain Name System (DNS) name of the Kerberos realm, and then click Next.
5. On the Trust Type page, click Realm trust, and then click Next.
6. On the Transitivity of Trust page, do one of the following:
• To form a trust relationship with the domain and the specified realm only, click Nontransitive, and then click Next.
• To form a trust relationship with the domain and the specified realm and all trusted realms, click Transitive, and then click Next.
7. On the Direction of Trust page, click Two-way, and then click Next. For more information about the selections that are available on the Direction of Trust page, see "Direction of Trust" in Appendix: New Trust Wizard Pages.
8. On the Trust Password page, type the trust password twice, and then click Next.
9. On the Trust Selections Complete page, review the results, and then click Next.
10. On the Completing the New Trust Wizard page, click Finish.

Note
For this trust to function, the administrator of the Kerberos realm must complete the trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.

Configuring Domain and Forest Trusts
You can remove manually created trusts, but you cannot remove the default, two-way, transitive trusts between domains in a forest. If you remove manually created trusts, it is particularly important to verify that you successfully removed the trusts if you are planning to re-create them. This section includes the following tasks for removing a manually created trust:
• Validating and Removing Trusts
• Modifying Name Suffix Routing Settings

Validating and Removing Trusts
After a trust has been established, you might need to verify that it is working as designed, or that communications over the trust are working, by using Active Directory Domain Services (AD DS) tools to validate connectivity over the trust. It might also be necessary to remove an existing, manually created trust when connectivity between two domains is no longer necessary.

Task requirements
You can use either of the following tools to perform the procedures for this task:
• Active Directory Domains and Trusts
• Netdom.exe

For more information about how to use the Netdom command-line tool to validate and remove trusts, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).

To complete this task, perform the following procedures:
• Validate a Trust
• Remove a Manually Created Trust


Validate a Trust
You can validate all trusts that are made between domains, but you cannot validate realm trusts. You can use this procedure to validate a trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about how to use the Netdom command-line tool to create a realm trust, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).

Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Validating a trust
• Using the Windows interface
• Using the command line

To validate a trust using the Windows interface
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain that contains the trust that you want to validate, and then click Properties.
3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the trust to be validated, and then click Properties.
4. Click Validate.
5. Do one of the following, and then click OK:
• Click No, do not validate the incoming/outgoing trust. If you click this option, we recommend that you repeat this procedure for the reciprocal domain.
• Click Yes, validate the incoming/outgoing trust. If you click this option, you must type a user account and password with administrative credentials for the reciprocal domain.

To validate a trust using the command line
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
netdom trust <TrustingDomainName> /d:<TrustedDomainName> /verify


Value                   Description
<TrustingDomainName>    Specifies the Domain Name System (DNS) name (or NetBIOS name) of the trusting domain in the trust that is being created.
<TrustedDomainName>     Specifies the DNS name (or NetBIOS name) of the domain that will be trusted in the trust that is being created.
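The check that the two procedures above perform one trust at a time (Validate in the snap-in, or netdom trust /verify), together with the direction, transitivity and authentication-level choices made in the trust-creation procedures earlier in this section, can be reviewed for every trust of a domain in one pass. The following PowerShell is an added example, not part of this guide or of Microsoft's tools; it assumes the ActiveDirectory module (Get-ADDomain, Get-ADTrust) is installed and netdom.exe is on the path.

```powershell
# Added example (not from the Operations Guide): inventory the trusts of the
# current domain and run the guide's secure-channel check,
#   netdom trust <TrustingDomainName> /d:<TrustedDomainName> /verify
# against each trust that can be validated. Assumes the ActiveDirectory module
# (Get-ADDomain, Get-ADTrust) and netdom.exe are available on this computer.
Import-Module ActiveDirectory

function Test-TrustSecureChannel {
    # Wraps the exact netdom command from the "Validate a Trust" procedure.
    # netdom sets a non-zero exit code when the verification fails.
    param(
        [Parameter(Mandatory)] [string] $TrustingDomain,
        [Parameter(Mandatory)] [string] $TrustedDomain
    )
    $output = & netdom.exe trust $TrustingDomain /d:$TrustedDomain /verify 2>&1
    [pscustomobject]@{
        Trusting  = $TrustingDomain
        Trusted   = $TrustedDomain
        Succeeded = ($LASTEXITCODE -eq 0)
        Output    = ($output | Out-String).Trim()
    }
}

function Get-TrustAuditRecord {
    # Summarises one trusted-domain object with the settings the New Trust Wizard
    # asks for: direction, trust type, transitivity and authentication level.
    param(
        [Parameter(Mandatory)] $Trust,
        [Parameter(Mandatory)] [string] $LocalDomain
    )

    # "Selective authentication" is the more restrictive alternative the wizard
    # offers to forest-wide authentication on the Outgoing Trust Authentication Level page.
    $authLevel = if ($Trust.SelectiveAuthentication) { 'Selective' } else { 'Forest-wide' }

    # The guide states that realm (MIT Kerberos) trusts cannot be validated.
    $isRealm = ($Trust.TrustType -eq 'MIT')

    # For an incoming (inbound) trust the remote side is the trusting domain and
    # the local domain is the trusted one; otherwise the local domain is trusting.
    if ($Trust.Direction -eq 'Inbound') {
        $trusting = $Trust.Target; $trusted = $LocalDomain
    } else {
        $trusting = $LocalDomain;  $trusted = $Trust.Target
    }

    [pscustomobject]@{
        Target         = $Trust.Target
        Direction      = $Trust.Direction           # Inbound, Outbound or BiDirectional
        TrustType      = $Trust.TrustType           # Uplevel (AD), Downlevel (NT 4.0) or MIT (realm)
        ForestTrust    = [bool] $Trust.ForestTransitive
        Transitive     = -not $Trust.DisallowTransivity   # property name as spelled by the cmdlet
        Authentication = $authLevel
        CanValidate    = -not $isRealm
        TrustingDomain = $trusting
        TrustedDomain  = $trusted
        SecureChannel  = $null                      # filled in by Invoke-TrustAudit -Verify
    }
}

function Invoke-TrustAudit {
    param(
        [string] $Domain = (Get-ADDomain).DNSRoot,
        [switch] $Verify
    )
    foreach ($trust in Get-ADTrust -Filter * -Server $Domain) {
        $record = Get-TrustAuditRecord -Trust $trust -LocalDomain $Domain
        if ($Verify -and $record.CanValidate) {
            # Verifying from the trusted side of a one-way trust needs credentials in the
            # trusting domain, just as the snap-in prompts for them when you click Validate.
            $result = Test-TrustSecureChannel -TrustingDomain $record.TrustingDomain -TrustedDomain $record.TrustedDomain
            $record.SecureChannel = $result.Succeeded
            if (-not $result.Succeeded) {
                Write-Warning "netdom /verify failed for $($record.Target): $($result.Output)"
            }
        }
        $record
    }
}

# Report: every trust with its wizard settings, then the two findings worth a second
# look: forest trusts still at forest-wide authentication, and secure channels that
# did not verify (re-run the "Validate a Trust" procedure for those).
$audit = Invoke-TrustAudit -Verify
$audit | Format-Table Target, Direction, TrustType, ForestTrust, Transitive, Authentication, SecureChannel -AutoSize
$audit | Where-Object { $_.ForestTrust -and $_.Authentication -eq 'Forest-wide' } |
    ForEach-Object { Write-Warning "Forest trust to $($_.Target) uses forest-wide authentication; review whether selective authentication is appropriate" }
$audit | Where-Object { $_.SecureChannel -eq $false } |
    ForEach-Object { Write-Warning "Secure channel for the trust with $($_.Target) did not verify" }
```

Run it from an elevated PowerShell session on a domain controller or a computer with the AD DS management tools; without -Verify it only inventories the trusts and does not contact the remote domains.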

Remove a Manually Created Trust
It is possible to remove manually created shortcut trusts, external trusts, realm trusts, or forest trusts. It is not possible to remove default, two-way, transitive trusts between domains in a forest. It is particularly important to verify that you successfully remove trusts if you are planning to re-create them. You can use this procedure to remove a manually created trust by using the New Trust Wizard in the Active Directory Domains and Trusts snap-in or by using the Netdom command-line tool. For more information about the Netdom command-line tool, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111537).

Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Removing a manually created trust
• Using the Windows interface
• Using a command prompt

To remove a manually created trust using the Windows interface
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain that contains the trust that you want to remove, and then click Properties.
3. Click the Trusts tab.
4. In either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the trust to be removed, and then click Remove.
5. Do one of the following, and then click OK:
• Click No, remove the trust from the local domain only. If you click this option, we recommend that you repeat this procedure for the reciprocal domain.
• Click Yes, remove the trust from both the local domain and the other domain. If you click this option, you must type a user account and password with administrative credentials for the reciprocal domain.

To remove a manually created trust using the command line
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
netdom trust <TrustingDomainName> /d:<TrustedDomainName> /remove /UserD:<User> /PasswordD:*

Parameter  Description
<TrustingDomainName>  The Domain Name System (DNS) name (or NetBIOS name) of the trusting domain in the trust that is being created.
<TrustedDomainName>  The DNS name (or NetBIOS name) of the domain that will be trusted in the trust that is being created.
<User>  The account name of the user authorized to create the trust.

Note
If you are using Netdom to remove a realm trust, you must add the /force option to the end of the command (after /remove) to remove the trust successfully.

Modifying Name Suffix Routing Settings
Name suffix routing is a mechanism for managing how authentication requests are routed across Windows Server 2008 forests and Windows Server 2003 forests that are joined by forest trusts. To simplify the administration of authentication requests, when a forest trust is created, all unique name suffixes are routed by default. A unique name suffix is a name suffix within a forest, such as a user principal name (UPN) suffix, Service Principal Name (SPN) suffix, or Domain Name System (DNS) forest or domain tree name, that is not subordinate to any other name suffix. For example, the DNS forest name fabrikam.com is a unique name suffix within the fabrikam.com forest. All names that are subordinate to unique name suffixes are routed implicitly. For example, if your forest uses fabrikam.com as a unique name suffix, authentication requests for all child domains of fabrikam.com (childDomain.fabrikam.com) will be routed because the child domains are part of the fabrikam.com name suffix. Child names are displayed in the Active Directory Domains and Trusts snap-in. If you want to exclude members of a child domain from authenticating in the specified forest, you can disable name suffix routing for that name. You can also disable routing for the forest name itself, if necessary. For more information about name suffix routing, see Routing name suffixes across forests (http://go.microsoft.com/fwlink/?LinkId=111728).

Note
You cannot enable a name suffix that is the same as another name in the routing list. If the conflict is with a local UPN name suffix, you must remove the local UPN name suffix from the list before you can enable the routing name. If the conflict is with a name that is claimed by another trust partner, you must disable the name in the other trust before it can be enabled for this trust.

Task requirements
You can use either of the following tools to perform the procedures for this task:
• Active Directory Domains and Trusts
• Netdom.exe

For more information about using the Netdom command-line tool to modify name suffix routing, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837). To complete this task, you can perform the following procedures:
• Modify Routing for a Forest Name Suffix
• Modify Routing for a Subordinate Name Suffix
• Exclude Name Suffixes from Routing to a Forest

Modify Routing for a Forest Name Suffix
If you want to prevent or allow authentication requests for all name suffixes that are identified by a forest trust (*.forestname.com) from being routed to a forest, you can use this procedure to enable or disable routing for the forest name. You can enable or disable routing for a name suffix by using the Active Directory Domains and Trusts snap-in. You can also use the Netdom command-line tool. For more information about using the Netdom command-line tool to modify name suffix routing settings, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837).


Notes
• When you disable a name suffix, the Domain Name System (DNS) name and all child names of that name will be disabled.
• Membership in Domain Admins in the forest root domain or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To modify routing for a forest name suffix
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the forest root domain for the forest trust that you want to administer, and then click Properties.
3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the forest trust that you want to administer, and then click Properties.
4. Click the Name Suffix Routing tab, and then, under Name suffixes in the <forest name> forest, do one of the following:
• To enable routing for a name suffix, click the suffix that you want to enable, and then click Enable. If the Enable button is unavailable, the name suffix is already enabled.
• To disable routing for a name suffix, click the suffix that you want to disable, and then click Disable. If the Disable button is unavailable, the name suffix is already disabled.

Modify Routing for a Subordinate Name Suffix
You can change the routing status (enable or disable) of a name suffix that is subordinate to the name of a forest. For example, if the wingtiptoys.com forest trusts the fabrikam.com forest and the fabrikam.com forest includes a child domain sales.fabrikam.com, you can enable or disable routing specifically for the child domain name suffix. You can use this procedure to modify routing of an existing subordinate name suffix by using Active Directory Domains and Trusts. You can also use the Netdom command-line tool. For more information about how to use the Netdom command-line tool to modify name suffix routing settings, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837).


Membership in Domain Admins in the forest root domain or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To modify routing for an existing subordinate name suffix
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the forest root domain node for the forest trust that you want to administer, and then click Properties.
3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the forest trust that you want to administer, and then click Properties.
4. On the Name Suffix Routing tab, under Name suffixes in the <forest name> forest, click the forest suffix whose subordinate name suffix you want to modify for routing, and then click Edit.
5. In Existing name suffixes in <forest name>, click the suffix that you want to modify, and then click Enable or Disable.

Exclude Name Suffixes from Routing to a Forest
You can use the following procedure to exclude existing name suffixes from routing to a forest by using the Active Directory Domains and Trusts snap-in. You can also use the Netdom command-line tool. For more information about how to use the Netdom command-line tool to modify name suffix routing settings, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837).

Note
When you exclude a name suffix, the Domain Name System (DNS) name and all child names of that name will be excluded.

Membership in Domain Admins in the forest root domain or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.


To exclude name suffixes from routing to a forest
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain that you want to administer, and then click Properties.
3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the forest trust that you want to administer, and then click Properties.
4. On the Name Suffix Routing tab, under Name suffixes in the <forest name> forest, click the unique name suffix whose subordinate name suffix you want to exclude from routing, and then click Edit.
5. In Name suffixes to exclude from routing to <forest name>, click Add, type a DNS name suffix that is subordinate to the unique name suffix, and then click OK.

Securing Domain and Forest Trusts
When you create a new trust in an existing forest in Active Directory Domain Services (AD DS), all communications over that trust are tightly secured. However, when you create a trust between your domain and another domain outside your forest, certain security issues are involved. For example, you might need to configure security identifier (SID) filtering to deny one domain the right to provide credentials for another domain. You can enable or disable SID filtering for external trusts or forest trusts. This section includes the following tasks for securing domain and forest trusts:
• Configuring SID Filter Quarantining on External Trusts
• Configuring Selective Authentication Settings

For more information about how the security settings for domain and forest trusts work, see Security Considerations for Trusts (http://go.microsoft.com/fwlink/?LinkID=111846).

Configuring SID Filter Quarantining on External Trusts
Security principals in Active Directory Domain Services (AD DS) have an attribute, called SID history, to which domain administrators can add users' old security identifiers (SIDs). This is useful during Active Directory migrations so that administrators do not have to modify access control lists (ACLs) on large numbers of resources and users can use their old SIDs to access resources. However, under some circumstances it is possible for attackers or rogue administrators that have compromised a domain controller in a trusted domain to use the SID history attribute (sIDHistory) to associate SIDs with new user accounts, granting themselves unauthorized rights. To help prevent this type of attack, SID filter quarantining is automatically enabled on all external trusts that are created from domain controllers running either Windows Server 2003 or Windows Server 2008. External trusts that are created from domain controllers running Windows 2000 Server with Service Pack 3 (SP3) or earlier do not have SID filter quarantining enforced by default. These external trusts must be configured manually to enable SID filter quarantining.

Note
You cannot turn off the default behavior in Windows Server 2003 or Windows Server 2008 that enables SID filter quarantining for newly created external trusts. However, under certain conditions SID filter quarantining can be disabled on such an external trust. For information about conditions for disabling SID filter quarantining, see Disable SID filter Quarantining.

External trusts that are created from domain controllers running Windows 2000 Server with SP3 or earlier do not enforce SID filter quarantining by default. To further secure your forest, consider enabling SID filter quarantining on all existing external trusts that are created from domain controllers running Windows 2000 Server SP3 or earlier. You can do this by using Netdom.exe to enable SID filter quarantining on existing external trusts or by recreating these external trusts from a domain controller running Windows Server 2008, Windows Server 2003, or Windows 2000 Server with Service Pack 4 (SP4).

You can use SID filter quarantining to filter out migrated SIDs that are stored in SID history from specific domains. For example, where an external trust relationship exists so that one domain, Contoso (running Windows 2000 Server domain controllers), trusts another domain, Cpandl (also running Windows 2000 Server domain controllers), an administrator of the Contoso domain can manually apply SID filter quarantining to the Cpandl domain, which allows all SIDs with a domain SID from the Cpandl domain to pass but all other SIDs (such as those from migrated SIDs that are stored in SID history) to be discarded.

Note
Do not apply SID filter quarantining to trusts within a forest that is not using either the Windows Server 2008 or Windows Server 2003 forest functional level, because doing so removes SIDs that are required for Active Directory replication. If the forest functional level is Windows Server 2008 or Windows Server 2003 and quarantining is applied between two domains within a forest, a user in the quarantined domain with universal group memberships in other domains in the forest might not be able to access resources in nonquarantined domains, because the group memberships from those domains are filtered when resources are accessed across the trust relationship. Likewise, SID filter quarantining should not be applied to forest trusts.

For more information about how SID filtering works, see Security Considerations for Trusts (http://go.microsoft.com/fwlink/?LinkID=111846).

Task requirements
You can use either of the following tools to perform the procedures for this task:
• Active Directory Domains and Trusts
• Netdom.exe

For more information about using the Netdom command-line tool to configure SID filtering settings, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837). To complete this task, you can perform the following procedures:
• Disable SID filter Quarantining
• Reapply SID Filter Quarantining

Disable SID filter Quarantining
Although it is not recommended, you can use this procedure to disable security identifier (SID) filter quarantining for an external trust with the Netdom.exe tool. You should consider disabling SID filter quarantining only in the following situations:
• You have an equally high level of confidence in the administrators who have physical access to domain controllers in the trusted domain and the administrators with such access in the trusting domain.
• You have a strict requirement to assign universal groups to resources in the trusting domain, even when those groups were not created in the trusted domain.
• Users have been migrated to the trusted domain with their SID histories preserved, and you want to grant those users access to resources in the trusting domain (the former domain of the migrated users) based on the sIDHistory attribute.

For more information about how SID filtering works, see Security Considerations for Trusts (http://go.microsoft.com/fwlink/?LinkID=111846). You can disable SID filter quarantining by using the Netdom command-line tool. For more information about the Netdom command-line tool, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837). Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To disable SID filter quarantining for the trusting domain
1. Open a Command Prompt.
2. At the command prompt, type the following command, and then press ENTER:
Netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:No /userD:<DomainAdministratorAcct> /passwordD:<DomainAdminPwd>


Parameter  Description
<TrustingDomainName>  The Domain Name System (DNS) name (or NetBIOS name) of the trusting domain in the trust that is being created.
<TrustedDomainName>  The DNS name (or NetBIOS name) of the domain that will be trusted in the trust that is being created.
<DomainAdministratorAcct>  The user account name with the appropriate administrator credentials to modify the trust.
<DomainAdminPwd>  The password of the user account in <DomainAdministratorAcct>.

Note
You can enable or disable SID filter quarantining only from the trusting side of the trust. If the trust is a two-way trust, you can also disable SID filter quarantining in the trusted domain by using the domain administrator's credentials for the trusted domain and reversing the <TrustingDomainName> and <TrustedDomainName> values in the command-line syntax.

See Also
Reapply SID Filter Quarantining

Reapply SID Filter Quarantining
You can use this procedure to reapply security identifier (SID) filter quarantining to an external trust that has had SID filter quarantining disabled. Also, use this procedure to apply SID filter quarantining to an external trust that has been created from a Windows 2000 Server domain controller. By default, SID filter quarantining is enabled automatically on all external trusts that are created from a Windows Server 2003 or Windows Server 2008 domain controller. For more information about how SID filter quarantining works, see Security Considerations for Trusts (http://go.microsoft.com/fwlink/?LinkID=111846). You can reapply SID filter quarantining by using the Netdom command-line tool. For more information about the Netdom command-line tool, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837). Membership in Domain Admins in the trusting domain or Enterprise Admins in the forest of the trusting domain in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To reapply SID filter quarantining for the trusting domain
1. Open a Command Prompt.
2. At the command prompt, type the following command, and then press ENTER:
Netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:Yes /userD:<DomainAdministratorAcct> /passwordD:<DomainAdminPwd>

Term  Definition
<TrustingDomainName>  The Domain Name System (DNS) name (or NetBIOS name) of the trusting domain in the trust that is being created.
<TrustedDomainName>  The DNS name (or NetBIOS name) of the domain that will be trusted in the trust that is being created.
<DomainAdministratorAcct>  The user account name with the appropriate administrator credentials to modify the trust.
<DomainAdminPwd>  The password of the user account in <DomainAdministratorAcct>.

Configuring Selective Authentication Settings
Trusts that are created between Windows Server 2008 forests can use legacy authentication settings (settings that were used in Windows 2000 Server) or selective authentication. Selective authentication is a security setting that can be enabled on external trusts and forest trusts between Windows Server 2003 forests and Windows Server 2008 forests, in any combination. Selective authentication provides Active Directory administrators who manage a trusting forest more control over which groups of users in a trusted forest can access shared resources in the trusting forest. Because creating an external trust or forest trust provides a pathway for all authentication requests between the forests, this increased control is especially important when administrators need to grant access to shared resources in their organization's forest to a limited set of users in another organization's forest. For more information about how selective authentication settings work, see Security Considerations for Trusts (http://go.microsoft.com/fwlink/?LinkID=111846).

Task requirements
Either of the following tools is required to perform the procedures for this task:
• Active Directory Domains and Trusts
• Netdom.exe

For more information about how to use the Netdom command-line tool to configure selective authentication settings, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837). To complete this task, you can perform the following procedures:
• Enable Selective Authentication over an External Trust
• Enable Selective Authentication over a Forest Trust
• Enable Domain-Wide Authentication over an External Trust
• Enable Forest-Wide Authentication over a Forest Trust
• Grant the Allowed to Authenticate Permission on Computers in the Trusting Domain or Forest
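An added audit script, not part of this operations guide, that serves both the SID filter quarantining section and the selective authentication section above: it reads the trustedDomain objects of the current domain through ADSI and, for every trust with an outgoing component, reports whether SID filter quarantining and selective authentication are in effect by decoding the trustAttributes flags that MS-ADTS documents. The function name, output fields and finding texts are this example's own, it assumes a domain-joined Windows host, and the remediation it prints is the Netdom command from the Reapply SID Filter Quarantining procedure with the credential parameters left out.

```powershell
# Added audit script (not part of the operations guide). Function name, output fields and
# finding texts are this example's own; attribute names and flag values come from the
# MS-ADTS description of the trustedDomain object. Assumes a domain-joined Windows host.

# trustAttributes flag values
$TA_QUARANTINED_DOMAIN = 0x04   # SID filter quarantining (netdom ... /quarantine:Yes)
$TA_FOREST_TRANSITIVE  = 0x08   # forest trust
$TA_CROSS_ORGANIZATION = 0x10   # selective authentication (netdom ... /SelectiveAUTH:Yes)
$TA_WITHIN_FOREST      = 0x20   # default trust between domains of the same forest

# trustDirection values: 1 = incoming, 2 = outgoing, 3 = two-way
$TD_OUTBOUND      = 2
$TD_BIDIRECTIONAL = 3
# trustType value of an MIT Kerberos realm trust
$TT_MIT = 3

function Get-TrustSecuritySettings {
    param(
        # Distinguished name of the domain whose trusts are audited; defaults to the current domain
        [string]$DomainDN = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    )

    # Trust objects live in the System container of the domain partition
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=System,$DomainDN"
    $searcher.Filter = '(objectClass=trustedDomain)'
    foreach ($p in 'trustPartner', 'trustDirection', 'trustType', 'trustAttributes') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    foreach ($r in $searcher.FindAll()) {
        $partner   = [string]$r.Properties['trustpartner'][0]
        $direction = [int]$r.Properties['trustdirection'][0]
        $type      = [int]$r.Properties['trusttype'][0]
        $attrs     = [int]$r.Properties['trustattributes'][0]

        # Quarantining and selective authentication are settings of the trusting side, so only
        # trusts in which this domain trusts the partner (an outgoing component) are assessed.
        if (($direction -band $TD_OUTBOUND) -eq 0) { continue }
        # Trusts inside the forest are the default trusts; the guide says not to quarantine them.
        if (($attrs -band $TA_WITHIN_FOREST) -ne 0) { continue }

        $isForest   = ($attrs -band $TA_FOREST_TRANSITIVE) -ne 0
        $quarantine = ($attrs -band $TA_QUARANTINED_DOMAIN) -ne 0
        $selective  = ($attrs -band $TA_CROSS_ORGANIZATION) -ne 0

        if ($type -eq $TT_MIT) { $kind = 'Realm' }
        elseif ($isForest)     { $kind = 'Forest' }
        else                   { $kind = 'External' }

        $notes = @()
        if ($kind -eq 'External' -and -not $quarantine) {
            # The sIDHistory exposure described above: an external trust without quarantining
            $notes += "SID filter quarantining is off; reapply with netdom trust <TrustingDomainName> /domain:$partner /quarantine:Yes"
        }
        if ($kind -eq 'Forest' -and $quarantine) {
            $notes += 'quarantine flag set on a forest trust (the guide advises against this)'
        }
        if ($kind -ne 'Realm' -and -not $selective) {
            $notes += 'domain- or forest-wide authentication: any trusted user may authenticate to resource computers'
        }

        New-Object PSObject -Property @{
            TrustedDomain           = $partner
            TrustKind               = $kind
            TwoWay                  = ($direction -eq $TD_BIDIRECTIONAL)
            SIDFilterQuarantining   = $quarantine
            SelectiveAuthentication = $selective
            Finding                 = $(if ($notes.Count -eq 0) { 'OK' } else { $notes -join '; ' })
        }
    }
}

# Usage: show every assessed trust, then only those that need attention
$report = Get-TrustSecuritySettings
$report | Select-Object TrustedDomain, TrustKind, TwoWay, SIDFilterQuarantining, SelectiveAuthentication, Finding |
    Format-Table -AutoSize -Wrap
$report | Where-Object { $_.Finding -ne 'OK' }
```

Run it in each trusting domain, because the flags describe the local side of the trust only; the reciprocal side must be checked from a domain controller of the other domain, as the notes in the procedures below explain for the Authentication tab.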

Enable Selective Authentication over an External Trust
Selective authentication over an external trust restricts access to only those users in a trusted domain who have been explicitly given authentication permissions to computer objects (resource computers) that reside in the trusting domain. To explicitly give authentication permissions to computer objects in the trusting domain to certain users, administrators must grant those users the Allowed to Authenticate permission in Active Directory Domain Services (AD DS). For more information, see Grant the Allowed to Authenticate Permission on Computers in the Trusting Domain or Forest. For more information about how selective authentication works, see Security Considerations for Trusts (http://go.microsoft.com/fwlink/?LinkID=111846). To provide access to computers in the trusting domain to only those users in the trusted domain who have the Allowed to Authenticate permission applied to the computer objects, you can use this procedure to enable selective authentication over an external trust with the New Trust Wizard in the Active Directory Domains and Trusts snap-in or with the Netdom command-line tool. For more information about how to use the Netdom command-line tool to configure selective authentication settings, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837). Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.


Enabling selective authentication over an external trust
• Using the Windows interface
• Using a command line

To enable selective authentication over an external trust using the Windows interface
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain that you want to administer, and then click Properties.
3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the external trust that you want to administer, and then click Properties.
4. On the Authentication tab, click Selective authentication, and then click OK.

Note
Only the authentication settings for the outgoing trust are displayed when you click Properties and then click the Authentication tab in Active Directory Domains and Trusts. To view the correct authentication settings for the incoming side of a two-way, external trust, connect to a domain controller in the trusted domain, and then use Active Directory Domains and Trusts to view the authentication settings for the outgoing side of the same trust.

To enable selective authentication over an external trust using a command line
1. Open a Command Prompt.
2. At the command prompt, type the following command, and then press ENTER:
Netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /SelectiveAUTH:Yes /userD:<DomainAdministratorAcct> /passwordD:<DomainAdminPwd>


Parameter  Description
<TrustingDomainName>  The Domain Name System (DNS) name (or NetBIOS name) of the trusting domain in the trust that is being managed.
<TrustedDomainName>  The DNS name (or NetBIOS name) of the domain that is trusted in the trust that is being managed.
<DomainAdministratorAcct>  The user account name with the appropriate administrator credentials to modify the trust.
<DomainAdminPwd>  The password of the user account in <DomainAdministratorAcct>.

Enable Selective Authentication over a Forest Trust
Selective authentication over a forest trust restricts access to only those users in a trusted forest who have been explicitly given authentication permissions to computer objects (resource computers) that reside in the trusting forest. To explicitly give authentication permissions to computer objects in the trusting forest to certain users, administrators must grant those users the Allowed to Authenticate permission in Active Directory Domain Services (AD DS). For more information about granting the Allowed to Authenticate permission, see Grant the Allowed to Authenticate Permission on Computers in the Trusting Domain or Forest. For more information about how selective authentication works, see Security Considerations for Trusts (http://go.microsoft.com/fwlink/?LinkID=111846). To provide access to computers in the trusting forest to only those users in the trusted forest who have the Allowed to Authenticate permission applied to the computer objects, you can use this procedure to enable selective authentication over a forest trust with the New Trust Wizard in the Active Directory Domains and Trusts snap-in or with the Netdom command-line tool. For more information about how to use the Netdom command-line tool to configure selective authentication settings, see Netdom Overview (http://go.microsoft.com/fwlink/?LinkId=111837). Membership in Domain Admins in the forest root domain or Enterprise Admins in AD DS, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.


Enabling selective authentication over a forest trust
• Using the Windows interface
• Using a command line

To enable selective authentication over a forest trust using the Windows interface
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the forest root domain, and then click Properties.
3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the forest trust that you want to administer, and then click Properties.
4. On the Authentication tab, click Selective authentication, and then click OK.

Note
Only the authentication settings for the outgoing trust are displayed when you click Properties and then click the Authentication tab in Active Directory Domains and Trusts. To view the correct authentication settings for the incoming side of a two-way, forest trust, connect to a domain controller in the forest root domain of the trusted forest, and then use Active Directory Domains and Trusts to view the authentication settings for the outgoing side of the same trust.

To enable selective authentication over a forest trust using a command line
1. Open a Command Prompt.
2. At the command prompt, type the following command, and then press ENTER:
Netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /SelectiveAUTH:Yes /userD:<DomainAdministratorAcct> /passwordD:<DomainAdminPwd>


Parameter  Description
<TrustingDomainName>  The Domain Name System (DNS) name (or NetBIOS name) of the trusting forest root domain in the trust that is being managed.
<TrustedDomainName>  The DNS name (or NetBIOS name) of the forest root domain that is trusted in the trust that is being managed.
<DomainAdministratorAcct>  The user account name with the appropriate administrator credentials to modify the trust.
<DomainAdminPwd>  The password of the user account in <DomainAdministratorAcct>.

Enable Domain-Wide Authentication over an External Trust
The domain-wide authentication setting permits unrestricted access by any users in the trusted domain to all available shared resources in the trusting domain. This is the default authentication setting for external trusts, and it is representative of the way authentications were routed, without restriction, over Windows 2000 Server trusts. For more information about the domain-wide authentication setting, see Security Considerations for Trusts (http://go.microsoft.com/fwlink/?LinkID=111846). You can use this procedure to enable domain-wide authentication over an external trust. Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To enable domain-wide authentication over an external trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain that you want to administer, and then click Properties.
3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the external trust that you want to administer, and then click Properties.
4. On the Authentication tab, click Domain-wide authentication, and then click OK.

Note
Only the authentication settings for the outgoing trust appear when you click Properties and then click the Authentication tab in Active Directory Domains and Trusts. To view the correct authentication settings for the incoming side of a two-way, external trust, connect to a domain controller in the trusted domain and then use Active Directory Domains and Trusts to view the authentication settings for the outgoing side of the same trust.

Enable Forest-Wide Authentication over a Forest Trust
The forest-wide authentication setting permits unrestricted access by any users in the trusted forest to all available shared resources in any of the domains in the trusting forest. This is the default authentication setting for forest trusts, and it is representative of the way authentications were routed, without restriction, over Windows 2000 Server trusts. For more information about the forest-wide authentication setting, see Security Considerations for Trusts (http://go.microsoft.com/fwlink/?LinkID=111846). You can use this procedure to enable forest-wide authentication over a forest trust. Membership in Domain Admins or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To enable forest-wide authentication over a forest trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the forest root domain, and then click Properties.
3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the forest trust that you want to administer, and then click Properties.
4. On the Authentication tab, click Forest-wide authentication, and then click OK.

Note
Only the authentication settings for the outgoing trust are displayed when you click Properties and then click the Authentication tab in Active Directory Domains and Trusts. To view the correct authentication settings for the incoming side of a two-way, forest trust, connect to a domain controller in the trusted domain (the forest root domain in the other forest), and then use Active Directory Domains and Trusts to view the authentication settings for the outgoing side of the same trust.


Grant the Allowed to Authenticate Permission on Computers in the Trusting Domain or Forest
For users in a trusted Windows Server 2008 or Windows Server 2003 domain or forest to be able to access resources in a trusting Windows Server 2008 or Windows Server 2003 domain or forest where the trust authentication setting has been set to selective authentication, each user must be explicitly granted the Allowed to Authenticate permission on the security descriptor of the computer objects (resource computers) that reside in the trusting domain or forest. For more information about how the Allowed to Authenticate permission works, see Security Considerations for Trusts in the Windows Server 2003 Technical Reference (http://go.microsoft.com/fwlink/?LinkId=38413).

Note The Allowed to Authenticate permission can be set on computer objects that represent member servers running Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, and Windows Server 2008.

You can use this procedure and the Active Directory Users and Computers snap-in from the trusting domain to enable access to resources over an external trust or forest trust that is set to selective authentication.

Membership in Account Operators, Domain Admins, or Enterprise Admins in Active Directory Domain Services (AD DS), or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To grant the Allowed to Authenticate permission on computers in the trusting domain or forest
1. Open Active Directory Users and Computers.
2. In the console tree, click the Computers container or the container where your computer objects reside.
3. Right-click the computer object that you want users in the trusted domain or forest to access, and then click Properties.
4. On the Security tab, do one of the following:
• In Group or user names, click the user names or group names for which you want to grant access to this computer, select the Allow check box next to the Allowed to Authenticate permission, and then click OK.
• Click Add. In Enter the object names to select, type the name of the user object or group object for which you want to grant access to this resource computer, and then click OK. Select the Allow check box next to the Allowed to Authenticate permission, and then click OK.
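The trust authentication settings and the Allowed to Authenticate grants described above can be audited from PowerShell rather than one dialog at a time. The following script is an added example and is not part of the guide. It uses only the System.DirectoryServices classes (no RSAT module), and it assumes that it runs on a domain-joined computer as a user who can read the trust objects and the computer objects under the search base, that Domain.GetAllTrustRelationships() returns forest trusts alongside external ones, and that the extended-right GUID 68b1d179-0d15-4d4f-ab71-46152e79a7bc identifies the schema's Allowed-To-Authenticate control access right. The domain name corp.example and the search base used in the usage lines are constructed placeholders.

```powershell
# Added example, not from the guide: audit trust authentication scope and
# Allowed to Authenticate grants with System.DirectoryServices only.
Add-Type -AssemblyName System.DirectoryServices

# Extended-right GUID of the Allowed-To-Authenticate control access right (assumed from the AD schema).
$AllowedToAuthenticateGuid = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Get-TrustAuthenticationScope {
    # One row per trust of every domain in the current forest: direction, type and,
    # for trusts that have an outgoing side, whether selective authentication is set.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($domain in $forest.Domains) {
        foreach ($trust in $domain.GetAllTrustRelationships()) {
            $selective = 'n/a (inbound only)'
            if ($trust.TrustDirection -ne 'Inbound') {
                try {
                    # Forest trusts are queried at forest level, all others at domain level.
                    if ($trust.TrustType -eq 'Forest') {
                        $selective = $forest.GetSelectiveAuthenticationStatus($trust.TargetName)
                    } else {
                        $selective = $domain.GetSelectiveAuthenticationStatus($trust.TargetName)
                    }
                } catch { $selective = "unknown: $($_.Exception.Message)" }
            }
            [pscustomobject]@{
                Source                  = $trust.SourceName
                Target                  = $trust.TargetName
                Direction               = $trust.TrustDirection
                Type                    = $trust.TrustType
                SelectiveAuthentication = $selective
            }
        }
    }
}

function Get-AllowedToAuthenticateGrants {
    # Lists every ACE on computer objects under $SearchBase that carries the
    # Allowed to Authenticate extended right, so the grants made through the
    # Security tab can be reviewed in one place.
    param([Parameter(Mandatory)][string]$SearchBase)   # e.g. 'LDAP://CN=Computers,DC=corp,DC=example'
    $root = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=computer)')
    $searcher.PageSize = 500
    foreach ($result in $searcher.FindAll()) {
        $computer = $result.GetDirectoryEntry()
        $rules = $computer.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
        foreach ($ace in $rules) {
            $isExtendedRight = ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
            if ($isExtendedRight -and $ace.ObjectType -eq $AllowedToAuthenticateGuid) {
                [pscustomobject]@{
                    Computer  = $computer.Properties['name'][0]
                    Principal = $ace.IdentityReference.Value
                    Access    = $ace.AccessControlType   # Allow or Deny
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage (search base is a constructed placeholder):
Get-TrustAuthenticationScope | Format-Table -AutoSize
Get-AllowedToAuthenticateGrants -SearchBase 'LDAP://CN=Computers,DC=corp,DC=example' | Format-Table -AutoSize
```

Run the first function from any domain in the forest to see, per trust, whether the outgoing side is restricted to selective authentication; run the second in the trusting domain against the container that holds the resource computers to list which principals have been granted Allowed to Authenticate, which is exactly the population that a selective-authentication trust lets in.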


Appendix: New Trust Wizard Pages
Understanding how user input is handled during the trust creation process will help you provide information when it is most necessary and help you better prepare for your specific procedure. This section explains the two most complex pages in the New Trust Wizard:
• Direction of Trust
• Sides of Trust

Direction of Trust
An administrator in one domain configures the Direction of Trust page in the New Trust Wizard to determine whether authentication requests should be routed from this domain to a specified domain, from the specified domain to this domain, or freely between both domains. The following trust direction options are available on the Direction of Trust page:
• Two-way. A two-way trust allows authentication requests that are sent by users in either domain or forest to be routed successfully to resources in either of the two domains or forests.
• One-way: incoming. A one-way, incoming trust allows authentication requests that are sent by users in your domain or forest (the domain or forest where you started the New Trust Wizard) to be routed successfully to resources in the other domain or forest.
• One-way: outgoing. A one-way, outgoing trust allows authentication requests that are sent by users in the other domain (the domain or forest that you are indicating in the New Trust Wizard as the specified domain or forest) to be routed successfully to resources in your domain or forest.
These options are explained in the following sections.

Wizard option: Two-way
Use this option when you want to share resources equally between two domains or forests for all the users that reside in both domains or forests. A two-way trust allows authentication requests that are sent by users in a trusted domain or forest to be routed successfully to the trusting domain or forest. Both domains or forests in the trust relationship are reciprocally trusting and trusted.

Note Traditionally, documentation about domain and forest trusts has used the terms "trusting" and "trusted" to help administrators pinpoint the direction of the trust. Although this terminology is still used today to define and conceptualize how trusts work, it differs from the terminology that the New Trust Wizard uses to help administrators determine the direction of trust. Instead, "incoming" and "outgoing" are used to indicate the direction of the trust, as described in the next sections.


Wizard option: One-way: incoming
Use this option when you want to allow authentication requests to be routed from your domain or forest (referred to as "this domain" or "this forest" in the wizard) to resources residing in a second domain or forest (referred to as "specified domain" or "specified forest" in the wizard). "One-way" in One-way: incoming means that this selection will create a one-way trust that can route authentications to resources in only one direction, while user access to those resources flows in the other direction. "Incoming" in One-way: incoming refers to the direction of the trust itself, not the direction in which authentication requests will flow. In other words, as shown in the following illustration, a "one-way incoming trust" means that your domain or forest will be the domain or forest that receives access to the resources in the other domain.

Wizard option: One-way: outgoing
Use this option when you want to allow authentication requests to be routed to your domain or forest (referred to as "this domain" or "this forest" in the wizard) from users residing in a second domain or forest (referred to as "specified domain" or "specified forest" in the wizard). "One-way" in One-way: outgoing means that this selection will create a one-way trust that can route authentications to resources in only one direction, while user access to those resources flows in the other direction. "Outgoing" in One-way: outgoing refers to the direction of the trust itself, not the direction in which authentication requests will flow. In other words, as shown in the following illustration, a "one-way, outgoing trust" means that your domain or forest will provide access to resources that are located in your domain to users who are located in the other domain or forest.

Sides of Trust
In Windows NT 4.0 and Windows 2000, the only way to create trusts using the graphical user interface (GUI) was incrementally, one side of the trust at a time. When you create external trusts, shortcut trusts, realm trusts, or forest trusts in Windows Server 2003 and Windows Server 2008, you have the option to create each side of the trust separately or both sides of the trust simultaneously.

Wizard option: This domain only
Use this option when you want to create each side of the trust separately, which means that you must run the New Trust Wizard twice, once for each domain in the trust. Although the New Trust Wizard presents a different experience than previous versions of Windows Server operating systems, this option provides behavior that is similar to the way that trusts were created in Windows NT 4.0 and Windows 2000. When you create trusts using this method, you must supply the same trust password for each domain. As a security best practice, all trust passwords should be strong passwords.

Wizard option: Both this domain and the specified domain
This option provides administrators who possess the appropriate domain credentials for both domains in the trust relationship with the option to quickly create both sides of a trust by completing a single instance of the New Trust Wizard. When you select this option, a strong trust password is automatically generated for you. For this selection to be successful, the administrator running the wizard must acquire the appropriate administrative credentials for each domain in the trust relationship.

Administering the Windows Time Service
Time synchronization is critical for the proper operation of many Windows services and line-of-business applications. The Windows Time service (W32time) uses the Network Time Protocol (NTP) to synchronize computer clocks on the network so that an accurate clock value, or time stamp, can be assigned to network validation requests and resource access requests. This guide provides information about administering the Windows Time service in Windows Server 2008.

In this guide
• Introduction to Administering the Windows Time Service
• Managing the Windows Time Service

Introduction to Administering the Windows Time Service
The Windows Server 2008 Windows Time service (W32time) synchronizes the date and time for all computers running on a Windows Server 2008 network. The service integrates Network Time Protocol (NTP) and time providers, making it a reliable and scalable time service for enterprise administrators. The purpose of the Windows Time service is to make sure that all computers running versions of Windows 2000 Server, Windows Server 2003, Windows XP, Windows Vista, or Windows Server 2008 in an organization use a common time. To guarantee appropriate common time usage, the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops. A domain controller at the top of the hierarchy provides authoritative time to all other domain controllers, and domain clients use domain controllers as their time source. By default, the domain controller at the top of the hierarchy is the primary domain controller (PDC) operations master (also known as flexible single master operations or FSMO) in the forest root domain.

Windows time source selection
By default, Windows-based computers use the following sources for time synchronization:
• For computers that are joined to a domain, the first query is to a time source in the parent domain.

  Note Computers that are not joined to a domain and are running Windows Vista are configured to synchronize with the following external time sources by default: time.windows.com, time.nist.gov, time-nw.nist.gov, time-a.nist.gov, and time-b.nist.gov. Computers that are not joined to a domain and are running Windows XP or Windows XP Home Edition are configured to synchronize with time.windows.com by default.

• If the time client is in a single-domain forest, the first query is to the PDC emulator in the domain.
• All PDC emulator operations masters follow the hierarchy of domains in the selection of their inbound time partner. A PDC emulator can synchronize its time from the PDC emulator in the parent domain or from any domain controller in the parent domain.
For more information about time source selection, see How Windows Time Service Works (http://go.microsoft.com/fwlink/?LinkID=117783).

The authoritative time source at the root of the forest can acquire its time either by connecting to an installed hardware clock on the internal network or by connecting to an external NTP server, which is connected to a hardware device. If no domain controller is configured as the authoritative time source in the forest root domain, the domain controller that holds the PDC emulator operations master role uses its internal clock to provide time to forest computers.

External NTP time servers
Many external NTP servers are available over the Internet. Use the following information to select an NTP server:
• The National Institute of Standards and Technology (NIST) in Boulder, Colorado, which is used as the external time provider by the Microsoft time server (time.windows.com). NIST provides the Automated Computer Time Service (ACTS), which can set a computer clock with an uncertainty of less than 10 milliseconds. For more information about NTP and for a list of external time servers, see Set Your Computer Clock Via the Internet: NIST Internet Time Service (ITS) (http://go.microsoft.com/fwlink/?LinkId=112038).
• The U.S. Naval Observatory (USNO) Time Service Department in Washington, DC, is another reliable source for accurate time synchronization in the United States. To see a list of


USNO servers and their descriptions, see USNO Network Time Servers (http://go.microsoft.com/fwlink/?LinkId=112036).
• You can use many other sites throughout the world for time synchronization. For more NTP server lists and search criteria, see the NTP.Servers Web site (http://go.microsoft.com/fwlink/?LinkId=116972).
For the most highly accurate time synchronization, configure a hardware clock, such as a radio or Global Positioning System (GPS) device, as the time source for the PDC. There are many consumer and enterprise devices that use NTP, which makes it possible for you to install the device on an internal network for use with the PDC.

You use the w32tm command-line tool to configure Windows Time service. For a detailed technical reference for the Windows Time service, including complete documentation of the w32tm command-line tool and time service registry settings, see the Windows Time Service Technical Reference (http://go.microsoft.com/fwlink/?LinkID=100940).

W32tm and net time
The net time commands are predecessors of w32tm commands, and they should not be used to configure the Windows Time service or to set the time on a computer while the Windows Time service is actively running. The recommended method for configuring the Windows Time service and displaying Windows Time service information for Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 operating systems is to use w32tm commands. Although the command net time /querysntp appears to display the Simple Network Time Protocol (SNTP) server for Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 operating systems, it does not display complete time configuration information.

You can use the command w32tm /query /configuration to determine whether the computer is configured to synchronize time from the domain hierarchy or from a manual list of time servers. The command output includes a line labeled Type that identifies the time synchronization method that the client is using. The following Type line outputs are possible for the time client:
• NoSync: The client does not synchronize time.
• NTP: The client synchronizes time from an external time source. Review the values in the NtpServer line in the output to see the name of the server or servers that the client uses for time synchronization.
• NT5DS: The client is configured to use the domain hierarchy for its time synchronization.
• AllSync: The client synchronizes time from any available time source, including domain hierarchy and external time sources.
For information about Windows Time Server Internet communication, see Windows Time Service and Resulting Internet Communication in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=116982).
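The Type values listed above are easier to act on when the output of w32tm /query /configuration is parsed rather than read by eye. The following PowerShell is an added example and is not from the guide. The sample output embedded in it is constructed (the real command prints many more settings; only the "Name: Value (Local)" line format matters), and the domain suffix corp.example and the host dc02.corp.example are placeholders. The check that flags manual peers inside the domain hierarchy applies the guide's later note that peers should be external to the hierarchy so that no cycle is created.

```powershell
# Added example, not from the guide: interpret "w32tm /query /configuration" output.
# On a real host replace the sample with:  $text = (w32tm /query /configuration) -join "`n"

# Constructed sample output (abbreviated); dc02.corp.example is a placeholder peer.
$SampleConfigurationOutput = @'
[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)

[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
SpecialPollInterval: 3600 (Local)
Type: NTP (Local)
NtpServer: time.nist.gov,0x9 dc02.corp.example,0x9 (Local)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
'@

function ConvertFrom-W32tmConfiguration {
    # Flattens the output into a hashtable keyed Section/Provider/Name, e.g.
    # 'TimeProviders/NtpClient/Type'. The trailing (Local) or (Policy) marks
    # where the setting comes from and is dropped from the value.
    param([Parameter(Mandatory)][string]$Text)
    $settings = @{}
    $section = ''
    $provider = ''
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\[(?<s>[^\]]+)\]\s*$') { $section = $Matches.s; $provider = ''; continue }
        if ($line -match '^(?<p>\w+)\s+\((Local|Policy)\)\s*$') { $provider = $Matches.p; continue }
        if ($line -match '^(?<k>\w+):\s*(?<v>.*?)\s*\((Local|Policy)\)\s*$') {
            $key = (@($section, $provider, $Matches.k) | Where-Object { $_ }) -join '/'
            $settings[$key] = $Matches.v
        }
    }
    return $settings
}

function Test-W32tmClientConfiguration {
    # Classifies the client by its Type line and reports the findings a reviewer would
    # want: no synchronization, a forest root time source that merely follows the
    # hierarchy, or manual peers that sit inside the domain hierarchy.
    param(
        [Parameter(Mandatory)][hashtable]$Settings,
        [string]$DomainDnsSuffix,          # e.g. 'corp.example'
        [switch]$IsForestRootTimeSource    # set when auditing the PDC emulator or reliable time source
    )
    $type  = $Settings['TimeProviders/NtpClient/Type']
    $peers = @()
    if ($Settings['TimeProviders/NtpClient/NtpServer']) {
        # Peers are space-separated; each may carry a ",0xN" flags suffix that is not part of the name.
        $peers = @($Settings['TimeProviders/NtpClient/NtpServer'] -split '\s+' | ForEach-Object { ($_ -split ',')[0] })
    }
    $findings = New-Object System.Collections.Generic.List[string]
    if (-not $type) { $findings.Add('No NtpClient Type value found in the output.') }
    elseif ($type -eq 'NoSync') { $findings.Add('Client does not synchronize time.') }
    elseif ($type -eq 'NT5DS' -and $IsForestRootTimeSource) { $findings.Add('Forest root time source follows the domain hierarchy; it should synchronize from an external or hardware source (Type NTP).') }
    elseif ($type -eq 'NTP' -and $peers.Count -eq 0) { $findings.Add('Type is NTP but no NtpServer peers are configured.') }
    elseif (@('NoSync','NTP','NT5DS','AllSync') -notcontains $type) { $findings.Add("Unexpected Type value '$type'.") }
    foreach ($peer in $peers) {
        if ($DomainDnsSuffix -and $peer -like "*.$DomainDnsSuffix") {
            $findings.Add("Peer '$peer' is inside the domain hierarchy; manual peers should be external to avoid a time source cycle.")
        }
    }
    [pscustomobject]@{ Type = $type; Peers = $peers; Findings = $findings }
}

# Usage on the constructed sample: Type is NTP, peers are time.nist.gov and dc02.corp.example,
# and the second peer is flagged because it is inside the corp.example hierarchy.
$cfg = ConvertFrom-W32tmConfiguration -Text $SampleConfigurationOutput
Test-W32tmClientConfiguration -Settings $cfg -DomainDnsSuffix 'corp.example' -IsForestRootTimeSource
```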


Managing the Windows Time Service
You initially configure the Windows Time service (W32time) when you deploy your forest root domain in Active Directory Domain Services (AD DS). Thereafter, the Windows Time service requires little day-to-day management. After you make changes on your network, however, including adding certain client computers, moving the primary domain controller (PDC) emulator operations master role, or simply changing the time source for your network, you might need to perform certain tasks. This section includes the following tasks for managing the Windows Time service:
• Configuring a Time Source for the Forest
• Configuring Windows-Based Clients to Synchronize Time
• Restoring the Windows Time Service to Default Settings

Configuring a Time Source for the Forest
The first domain controller that you deploy in a domain holds the primary domain controller (PDC) emulator operations master (also known as flexible single master operations or FSMO) role for the domain. By default, the domain controller that holds the PDC emulator master role in the forest root domain is the reliable time source at the top of the time-source domain hierarchy for the forest. As soon as you install the first domain controller in the forest, set the PDC emulator in the forest root domain to synchronize from a valid Network Time Protocol (NTP) source or from a hardware clock that is installed on the network. If no time source is configured on the PDC emulator or any other domain controller in the forest root domain, the PDC emulator advertises as a reliable time source and uses its internal clock as the source for forest synchronization. In this case, no manual configuration is required.

After initial deployment of your network, you typically reconfigure the time service on the PDC emulator in the forest root domain in only two situations:
• You move the PDC emulator role to a different computer. In this case, you must configure the Windows Time service for the new PDC emulator master role holder and reconfigure the original PDC emulator master role holder to synchronize from the domain and not from an external or internal time source.
• You change the time source for the PDC emulator. For example, you change from synchronizing with an external source to synchronizing with an internal hardware device.

In some environments, one or more domain controllers are configured to act as standby PDC emulator role holders. If the current PDC emulator fails or is otherwise unavailable, the role can quickly be transferred to the standby. If you anticipate moving the PDC emulator role and you want to avoid reconfiguring the new and old PDC emulator every time the role is moved, you can configure a domain controller in the forest root domain that is not the PDC emulator as the reliable time source for the forest. In this way, the root of the time service stays the same and remains properly configured.

Note Make sure that the domain controller that you configure to be the forest time source is highly available and, if it is not the PDC emulator, that it does not hold other operations master roles that might have to be transferred.

Use the following recommendations for configuring the time source for the forest root domain, in this order of preference:
1. Install a hardware clock, such as a radio or Global Positioning System (GPS) device, as the time source for the forest root domain and configure Windows Time service (W32time) on the PDC emulator or other domain controller to synchronize with this device. Many consumer and enterprise devices are available that use NTP. You can install the device on an internal network and configure the PDC emulator to use it as its time source. Hardware clocks have the following advantages:
• More security. You do not have to connect to the Internet.
• Highest accuracy, although the accuracy of NTP servers already matches what the Windows Time service can achieve; that is, the additional accuracy of a hardware clock is not realized in practice.
Hardware clocks have the following disadvantage:
• Expense and maintenance. You must purchase and install a hardware clock, whereas you can connect to a public time server at no cost and without hardware installation.
2. Configure the Windows Time service on the PDC emulator or other domain controller to synchronize with an external time server. Computer clocks synchronize with external time servers by using the NTP protocol over an IP version 4 (IPv4) or IP version 6 (IPv6) network. You can manually configure the PDC emulator in the forest root domain to synchronize with the external time source. External time servers have the following advantages:
• Low cost or no cost. Cost is usually limited to bandwidth.
• Good accuracy. Although hardware clocks have the highest accuracy, the accuracy of a hardware clock exceeds what the Windows Time service can achieve; therefore, the comparison of accuracy is not relevant.
External time servers have the following disadvantage:
• Security risk. NTP synchronization with an external time source is not authenticated and is therefore less secure than if the time source is inside the network.

If you are using an external time source, you can use the following sites to select an NTP server:
• USNO NTP Network Time Servers (http://go.microsoft.com/fwlink/?LinkId=112036)
• Set Your Computer Clock Via the Internet: NIST Internet Time Service (ITS) (http://go.microsoft.com/fwlink/?LinkId=112038)
• NTP.Servers Web site (http://go.microsoft.com/fwlink/?LinkID=116972)

If you choose to implement an NTP time synchronization product other than the Windows Time service, you must disable the Windows Time service on the forest root domain reliable time source. All NTP servers need access to UDP port 123. If the Windows Time service is running on a Windows Server 2003-based computer or a Windows Server 2008-based computer, port 123 will remain occupied by the Windows Time service.

Task requirements
The following tools are required to perform the procedures for this task:
• W32tm.exe
• The Windows Firewall with Advanced Security snap-in, if you need to check User Datagram Protocol (UDP) port status
• The Services snap-in, if you need to disable the Windows Time service

To complete this task, perform the following procedures as needed:
• To configure the PDC emulator in the forest root domain to synchronize time from an external time source, see Configure the Time Source for the Forest. If you plan to use a different domain controller as the time source for the forest, perform this procedure on that domain controller instead of the PDC emulator.
• If the PDC emulator in the forest root domain is configured as the reliable time source for the forest and you move the PDC emulator role to a different domain controller, see Change the Windows Time Service Configuration on the PDC Emulator in the Forest Root Domain.
• If you are implementing a time synchronization product other than the Windows Time service in your environment that uses NTP, see Disable the Windows Time Service to free UDP port 123 on the network.
• If you need more information about Windows Time service events, see Enable Windows Time Service Debug Logging.

Configure the Time Source for the Forest
You can use these procedures to configure the Windows Time service (W32time) on the domain controller that holds the primary domain controller (PDC) emulator operations master role in the forest root domain to synchronize time from an external time server or a reliable time source. When you deploy a new forest root domain or when you move the role of the PDC emulator in the forest root domain to a new domain controller, you must configure the PDC emulator role holder in the forest root domain to synchronize time for the forest from an external time source on the Internet or from a hardware clock on the internal network. If you do not configure the PDC emulator to synchronize time from an external or internal time source, the PDC emulator uses its internal clock and is itself the reliable time source for the forest. As an alternative to configuring the PDC emulator, you can configure a different domain controller in the forest root domain to synchronize time from a reliable time source. If there is such a domain controller in the forest root domain, the PDC emulator no longer advertises as a reliable time source.

The procedures in this topic configure the PDC emulator (or other domain controller) to connect to an external Network Time Protocol (NTP) time server for time synchronization. To configure the


PDC emulator to synchronize time from a hardware clock device on the internal network, consult the instructions for the hardware clock device.

If you move the role of the PDC emulator to a new domain controller, you must also change the configuration of the Windows Time service on the previous PDC emulator. For more information, see Change the Windows Time Service Configuration on the PDC Emulator in the Forest Root Domain.

Before you configure the Windows Time service on the PDC emulator, you can determine the time difference between it and the time source as a means to test basic NTP communication. If you have not selected a set of external NTP servers, use the following sites to create your list of time servers. This list is referred to in the procedure as the "manual peer list."
• USNO NTP Network Time Servers (http://go.microsoft.com/fwlink/?LinkId=112036).
• Set Your Computer Clock Via the Internet: NIST Internet Time Service (ITS) (http://go.microsoft.com/fwlink/?LinkId=112038).
• NTP.Servers Web site (http://go.microsoft.com/fwlink/?LinkID=116972)

After you configure the Windows Time service on the PDC emulator, be sure to monitor the System log in Event Viewer for W32time errors.

Note The following procedures use the w32tm command-line tool. For more information about the w32tm command, type w32tm /? at a command prompt or see Windows Time Service Tools and Settings (http://go.microsoft.com/fwlink/?LinkId=112116).

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure locally. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure remotely. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To configure the time source for the forest
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. To display the time difference between the local computer and the target time source and to check NTP communication, at the command prompt, type the following command, and then press ENTER:

   w32tm /stripchart /computer:<target> /samples:<n> /dataonly


Parameter              Description
W32tm /stripchart      Displays a strip chart of the offset between synchronizing computers. A strip chart plots two-dimensional data, in this case, the local time and the offset.
/computer:<target>     Specifies the Domain Name System (DNS) name or IP address of the NTP server that you are comparing the local computer's time against, such as time.windows.com or time-nw.nist.gov.
/samples:<n>           Specifies the number of time samples that will be returned from the target computer to test basic NTP communication.
/dataonly              Specifies that results show only data, not graphics.

If this procedure fails, check the System event log for Time-Service errors and follow any resolution steps that are provided in the More Info link in the error. It is possible that a perimeter firewall is blocking access to the Internet time server. NTP port 123 must be open for outbound and inbound traffic on all routers and firewalls between the PDC emulator and the Internet. If necessary, enable debug logging for W32time, as described in Enable Windows Time Service Debug Logging. Resolve any NTP connection issues before you proceed to step 3.
3. To configure the PDC emulator to use an NTP time source, at the command prompt, type the following command, and then press ENTER:

   w32tm /config /manualpeerlist:<peers> /syncfromflags:manual /reliable:yes /update


Parameter                  Description
W32tm /config /update      Configures the computer to synchronize time.
/manualpeerlist:<peers>    Specifies the list of DNS names or IP addresses for the NTP time source with which the PDC emulator synchronizes. (This list is referred to as the manual peer list.) For example, you can specify time.windows.com as the NTP time server. When you specify multiple peers, use a space as the delimiter and enclose the names of the peers in quotation marks.
/syncfromflags:manual      Specifies that time will be synchronized with peers in the manual peer list.
/reliable:yes              Specifies that the computer is a reliable time source.

Note When you specify a peer in the manual peer list, do not specify a computer that uses the forest root domain controller as its source for time, such as another domain controller in the forest. The time service does not operate correctly if there are cycles in the time source configuration. Peers should be external to the domain hierarchy.

After you configure the PDC emulator as the time source for the forest, log on to a client computer in the forest root domain and perform steps 1 and 2 in the preceding procedure to check Windows Time service performance on the PDC emulator. Use the DNS name of the PDC emulator for the computer target in the command. If you receive error messages, the User Datagram Protocol (UDP) ports on the PDC emulator might be disabled or blocked. You can use the following procedure to check the port status on the PDC emulator, if necessary.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure locally. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure remotely. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To check UDP port status on the PDC emulator
1. To check inbound UDP port 123 status on the domain controller that is the PDC emulator, click Start, point to Administrative Tools, and then click Windows Firewall with Advanced Security.
2. Click Inbound Rules. Check that Active Directory Domain Controller - W32Time (NTP-UDP-In) has a status of enabled (green) and is not blocked:
• If this rule is disabled (dimmed), right-click the rule, and then click Enable.
• If the rule is blocked, right-click the rule, and then click Properties. Under Action, click Allow the connections, and then click OK.
3. To check outbound UDP port status on the domain controller, click Outbound Rules.
4. Check that Active Directory Domain Controller (UDP-Out) has a status of enabled and is not blocked:
• If the rule is disabled (dimmed), right-click the rule, and then click Enable.
• If the rule is blocked, right-click the rule, and then click Properties. Under Action, click Allow the connections, and then click OK.
Or
To open only outbound UDP port 123, create a separate outbound rule for the specific port, as follows:
a. In Windows Firewall with Advanced Security, right-click Outbound Rules, and then click New.
b. In the New Outbound Rule Wizard, click Port, and then click Next.
c. Click UDP, click Specific local ports, type 123, and then click Next.
d. Follow the directions in the wizard to configure the security settings and name the rule, and then click Finish.
5. To ensure that the PDC emulator responds, on any NTP client, repeat the test in step 2 of the procedure "To configure the time source for the forest" earlier in this topic.

Change the Windows Time Service Configuration on the PDC Emulator in the Forest Root Domain
The domain controller in the forest root domain that holds the primary domain controller (PDC) emulator operations master (also known as flexible single master operations or FSMO) role is the default time source for the domain hierarchy of time sources in the forest. When you create the forest, you configure this domain controller either to connect to a manual time source (an external Network Time Protocol (NTP) server or a hardware clock device on the internal network) or to use its own internal clock as its time source. If you move the PDC emulator role to another domain controller or if you decide to configure a different domain controller as the reliable time source for the forest, you can use this procedure to change the Windows Time service (W32time) configuration on the PDC emulator that is currently configured as the reliable time source for the forest.

Note The following procedure uses the w32tm command-line tool. For more information about the w32tm command, type w32tm /? at a command prompt or see Windows Time Service Tools and Settings (http://go.microsoft.com/fwlink/?LinkId=112116).

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure locally. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure remotely. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To change the Windows Time service configuration on the PDC emulator in the forest root domain
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:

   w32tm /config /syncfromflags:domhier /reliable:no /update

%arameter

Description

$72tm 3config 3update 3s ncfromflags:domhier

Configures the client to s nchroni.e time& Specifies that time %ill be s nchroni.ed %ith the nearest time source in the domain hierarch & >ecause this domain controller is in the forest root domain( it %ill s nchroni.e %ith a reliable time source in the forest root domain& *emoves the status of reliable time source&

3reliable:no

7& At the command prompt( t pe the follo%ing command( and then press 19T1*:
net stop w$%time

A& At the command prompt( t pe the follo%ing command( and then press 19T1*:
net start w$%time

Disable the Windows Time Service
You can use this procedure to disable the Windows Time service (W32time) if you choose to implement another time synchronization product that uses Network Time Protocol (NTP).

Perform this procedure on the forest root domain reliable time source. Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure locally. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure remotely. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To disable the Windows Time service
1. Click Start, point to Administrative Tools, and then click Services.
2. Right-click Windows Time, and then click Properties.
3. In the Windows Time Properties dialog box, in Startup type, click Disabled, and then click OK.
4. In the Services list, verify that the Startup Type for the Windows Time service is Disabled.

Enable Windows Time Service Debug Logging
You can use this procedure to enable Windows Time service (W32time) debug logging when you need more information to solve a problem with Windows Time service configuration. Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure locally. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure remotely. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To enable Windows Time Service debug logging
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. Create a folder to receive the Windows Time service log file. For example, in the command prompt window, type md c:\W32Time, and then press ENTER. This command creates a directory named W32Time on the C: drive.
3. To enable Windows Time service debug logging, at the command prompt, type the following command, and then press ENTER:
w32tm /debug /enable /file:c:\W32Time\w32time.log /size:10000000 /entries:0-116

Configuring Windows-Based Clients to Synchronize Time
Certain Windows-based client computers do not automatically synchronize their time with their domain in Active Directory Domain Services (AD DS). The following client computers do not automatically synchronize to the domain time by using the Windows Time service (W32time):
• Client computers that run in a pre-Windows 2000 domain environment
• Client computers that run in a UNIX environment
• Computers that are not joined to a domain

You can configure these computers to request time from a particular time source, such as a domain controller in the domain. If you do not specify a source that is synchronized with the domain, each computer's internal hardware clock governs its time.

Task requirements
The following tool is required to perform the procedures for this task:
• W32tm

To complete this task, you can perform the following procedures:
• Configure a Manual Time Source for a Selected Client Computer
• Configure a Client Computer for Automatic Domain Time Synchronization

Configure a Manual Time Source for a Selected Client Computer
You can use this procedure to configure a manual time source for a selected client computer. The default method of synchronizing time in a Windows forest is through the domain hierarchy, in which a client connects to a domain controller in its domain as its time source. A manual time source is a specified computer or computers from which the client synchronizes its time when it cannot synchronize through the domain hierarchy. To configure a computer for automatic domain time synchronization, see Configure a Client Computer for Automatic Domain Time Synchronization.

Before you configure a manual time source for a client computer, you can determine the time difference between the time source and the computer as a means of testing basic Network Time Protocol (NTP) communication. After you complete the configuration of the manual time source on the client computer, be sure to monitor the System log in Event Viewer for Windows Time service (W32time) errors.

Note
The following procedure uses the w32tm command-line tool. For more information about the w32tm command, type w32tm /? at a command prompt or see Windows Time Service Tools and Settings (http://go.microsoft.com/fwlink/?LinkId=112116).

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure locally. Membership in the Domain Admins group, or equivalent, is the minimum required to complete this procedure remotely. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To configure a manual time source for a selected client computer
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. To display the time difference between the local computer and a time source, at the command prompt, type the following command, and then press ENTER:
w32tm /stripchart /computer:<target> /samples:<n> /dataonly

Parameter            Description
w32tm /stripchart    Displays a strip chart of the offset between synchronizing computers. A strip chart plots two-dimensional data, in this case the local time and the offset.
/computer:<target>   Specifies the Domain Name System (DNS) name or IP address of the NTP server that you are comparing the local computer's time against, such as time.windows.com.
/samples:<n>         Specifies the number of time samples that will be returned from the target computer to test basic NTP communication.
/dataonly            Specifies that results show only data, not graphics.

3. Open UDP port 123 for outgoing traffic on the firewall, if necessary.
4. Open UDP port 123 (or a different port that you have selected) for incoming NTP traffic.
5. To configure a manual time source for the selected computer, at the command prompt, type the following command, and then press ENTER:
w32tm /config /manualpeerlist:<peers> /syncfromflags:manual /update

Parameter                Description
w32tm /config /update    Configures the computer for time synchronization.
/manualpeerlist:<peers>  Specifies the list of Domain Name System (DNS) names or IP addresses for the NTP time source with which the primary domain controller (PDC) emulator synchronizes. (This list is referred to as the manual peer list.) For example, you can specify time.windows.com as the NTP time server. When you specify multiple peers, use a space as the delimiter and enclose the names of the peers in quotation marks.
/syncfromflags:manual    Specifies that time is synchronized with peers in the manual peer list.

Configure a Client Computer for Automatic Domain Time Synchronization
By default, a computer that is joined to a domain synchronizes time through the domain hierarchy of reliable time sources. However, if a computer has been manually configured to synchronize from a specific time source (perhaps because it was formerly not joined to the domain), you must reconfigure the computer to begin sourcing its time from the domain hierarchy. You can use this procedure to configure a client computer that is currently synchronizing with a manually specified computer to synchronize time automatically from the domain hierarchy.

Note
The following procedure uses the w32tm command-line tool. For more information about the w32tm command, type w32tm /? at a command prompt or see Windows Time Service Tools and Settings (http://go.microsoft.com/fwlink/?LinkId=112116).

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure locally. Membership in the Domain Admins group, or equivalent, is the minimum required to complete this procedure remotely. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To configure a client computer for automatic domain time synchronization
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
w32tm /config /syncfromflags:domhier /update

Parameter                Description
w32tm /config /update    Configures the computer for time synchronization.
/syncfromflags:domhier   Specifies that time is synchronized with computers in the domain hierarchy.

3. At the command prompt, type the following command, and then press ENTER:
net stop w32time

4. At the command prompt, type the following command, and then press ENTER:
net start w32time
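The w32tm procedures above (testing a peer with /stripchart, configuring a manual peer list, and returning a client or the PDC emulator to the domain hierarchy) can be wrapped so that a peer is verified before it is configured and the source in use is checked afterwards. This is an added example and not code from the guide; the function names and the peer names in the usage lines are assumptions, and w32tm /query is assumed to be available (it is on Windows Server 2008 and later).

```powershell
# Added example, not from the guide. Run in an elevated PowerShell session on the
# computer being configured. Function names are hypothetical; peer names in the
# usage lines at the end are constructed samples.

function Test-NtpPeer {
    # Step 2 of the manual time source procedure: parse "w32tm /stripchart /dataonly",
    # which prints one "hh:mm:ss, +00.0012345s" line per sample (or an error code).
    param([Parameter(Mandatory=$true)][string]$Peer, [int]$Samples = 5)

    $output  = & w32tm /stripchart "/computer:$Peer" "/samples:$Samples" /dataonly 2>&1
    $offsets = @()
    foreach ($line in $output) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s') { $offsets += [double]$Matches[1] }
    }
    if ($offsets.Count -eq 0) {
        # No samples: the peer is down or UDP port 123 is blocked in one direction
        # (steps 3 and 4 of the procedure). Do not configure it as a source.
        Write-Warning "No NTP samples from $Peer. w32tm said: $($output -join ' ')"
        return $null
    }
    $abs = $offsets | ForEach-Object { [math]::Abs($_) }
    New-Object PSObject -Property @{
        Peer                 = $Peer
        Samples              = $offsets.Count
        AverageOffsetSeconds = [math]::Round(($offsets | Measure-Object -Average).Average, 4)
        MaxAbsOffsetSeconds  = [math]::Round(($abs | Measure-Object -Maximum).Maximum, 4)
    }
}

function Get-TimeSourceStatus {
    # The source the service is actually using now, plus recent W32Time errors and
    # warnings in the System log, which the guide says to monitor afterwards.
    $source = (& w32tm /query /source) -join ''
    $events = Get-EventLog -LogName System -Source W32Time -EntryType Error,Warning `
                           -Newest 10 -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Source       = $source
        RecentEvents = @($events | ForEach-Object { "$($_.TimeGenerated) id=$($_.EventID) $($_.Message)" })
    }
}

function Set-ManualTimeSource {
    # Step 5 of "Configure a Manual Time Source for a Selected Client Computer",
    # run only after every peer has answered Test-NtpPeer.
    param([Parameter(Mandatory=$true)][string[]]$Peers)

    foreach ($p in $Peers) {
        if (-not (Test-NtpPeer -Peer $p)) { throw "Peer $p did not answer; leaving the configuration unchanged." }
    }
    # Several peers are space-delimited inside one quoted argument, as the guide requires.
    & w32tm /config "/manualpeerlist:$($Peers -join ' ')" /syncfromflags:manual /update | Out-Null
    Restart-Service -Name w32time            # equivalent to net stop / net start w32time
    & w32tm /resync | Out-Null
    Get-TimeSourceStatus
}

function Set-DomainHierarchyTimeSource {
    # "Configure a Client Computer for Automatic Domain Time Synchronization"; with
    # -DemoteReliableSource it becomes the PDC emulator variant that adds /reliable:no.
    param([switch]$DemoteReliableSource)

    $w32tmArgs = @('/config', '/syncfromflags:domhier', '/update')
    if ($DemoteReliableSource) { $w32tmArgs += '/reliable:no' }
    & w32tm @w32tmArgs | Out-Null
    Restart-Service -Name w32time
    & w32tm /resync | Out-Null
    Get-TimeSourceStatus
}

# Usage (peer names are constructed samples):
#   Test-NtpPeer -Peer 'ntp1.corp.example' -Samples 5
#   Set-ManualTimeSource -Peers 'ntp1.corp.example', 'ntp2.corp.example'
#   Set-DomainHierarchyTimeSource                        # domain-joined client back to the hierarchy
#   Set-DomainHierarchyTimeSource -DemoteReliableSource  # on a domain controller giving up the reliable-source role
```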

Restoring the Windows Time Service to Default Settings
If the local Windows Time service (W32time) settings are not configured correctly, restoring the Windows Time service to its default settings might be more efficient than troubleshooting the problem.

Task requirements
The following tool is required to perform the procedure for this task:
• W32tm.exe

To complete this task, perform the following procedure:
• Restore the Windows Time Service on the Local Computer to the Default Settings

Restore the Windows Time Service on the Local Computer to the Default Settings
You can use this procedure to restore the Windows Time service (W32time) on the local computer to the default settings. If you are experiencing a problem, returning to the default settings might be more efficient than troubleshooting the problem.

Note
The following procedure uses the w32tm command-line tool. For more information about the w32tm command, type w32tm /? at a command prompt or see Windows Time Service Tools and Settings (http://go.microsoft.com/fwlink/?LinkId=112116).

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure locally. Membership in the Domain Admins group, or equivalent, is the minimum required to complete this procedure remotely. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To restore the Windows Time service on the local computer to the default settings
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
net stop w32time

3. At the command prompt, type the following command, and then press ENTER:
w32tm /unregister

4. At the command prompt, type the following command, and then press ENTER:
w32tm /register

5. At the command prompt, type the following command, and then press ENTER:
net start w32time

Administering DFS-Replicated SYSVOL
This guide provides administering information for the SYSVOL shared folder in Windows Server 2008. The information in this guide applies to newly installed Windows Server 2008 domains and domains that have been upgraded to the Windows Server 2008 domain functional level that are using Distributed File System (DFS) Replication for replication of the SYSVOL share. For information about managing SYSVOL in domains that are using File Replication Service (FRS), see Administering SYSVOL (http://go.microsoft.com/fwlink/?LinkId=112164).

In this guide
• Introduction to Administering DFS-Replicated SYSVOL
• Managing DFS-Replicated SYSVOL

Introduction to Administering DFS-Replicated SYSVOL
SYSVOL is a collection of folders that contain a copy of the domain's public files, including system policies, logon scripts, and important elements of Group Policy objects (GPOs). The SYSVOL directory must be present and the appropriate subdirectories must be shared on a server before the server can advertise itself on the network as a domain controller. Shared subdirectories in the SYSVOL tree are replicated to every domain controller in the domain.

Note
For Group Policy, only the Group Policy template (GPT) is replicated through SYSVOL replication. The Group Policy container (GPC), which is stored in the domain, is replicated through Active Directory replication. For Group Policy to be effective, both parts must be available on a domain controller.

SYSVOL terminology and capitalization
SYSVOL is referred to as the “SYSVOL share.” The default root of the SYSVOL replica is at the path %systemroot%\SYSVOL\domain, but the folder that is actually shared by the domain controller is the %systemroot%\SYSVOL\sysvol folder by default.

Note
The location of the SYSVOL directory and subdirectories is configurable during and after Active Directory installation. The default locations under %systemroot%\SYSVOL are used throughout this guide only as a relative reference to the location of SYSVOL files and folders.

The %systemroot%\SYSVOL\domain and %systemroot%\SYSVOL\sysvol folders appear to contain the same content because SYSVOL uses junction points (also called reparse points). A junction point is a physical location on a hard disk that points to data that is located elsewhere on the hard disk or on another storage device. Junction points look like folders and behave like folders (in Windows Explorer they appear to be shortcuts to folders), but they are not folders. A junction point contains a link to another folder. When a program opens it, the junction point automatically redirects the program to the folder to which the junction point is linked. The redirection is completely transparent to the user and the application. For example, if you open a command prompt and type dir to list the contents of %systemroot%\SYSVOL\sysvol, you notice a folder that is listed as <JUNCTION>. The junction point in %systemroot%\SYSVOL\sysvol links to %systemroot%\SYSVOL\domain.

In this guide, in reference to SYSVOL components and folders, the capitalization that is used reflects the capitalization of the default folders and parameters as they appear in the file system, in the registry, and in Active Directory Domain Services (AD DS). For example, the default SYSVOL directory tree always appears as %systemroot%\SYSVOL\sysvol, as it appears in Windows Explorer. When the topic is specific to the sysvol shared folder, lowercase sysvol is used. Similarly, the area of SYSVOL that is historically referred to as “the staging area” is described in this guide as “the staging areas subdirectory.” In this way, the folder “%systemroot%\SYSVOL\staging areas” is clearly understood and distinct from the “%systemroot%\SYSVOL\staging” folder. Capitalization of registry parameters and Active Directory attribute names is presented as they appear in those locations.

Using DFS Replication for replicating SYSVOL in Windows Server 2008
Distributed File System (DFS) Replication is a replication service that is available for replicating SYSVOL to all domain controllers in domains that have the Windows Server 2008 domain functional level. DFS Replication was introduced in Windows Server 2003 R2. However, on domain controllers that are running Windows Server 2003 R2, SYSVOL replication is performed by the File Replication Service (FRS).

Note
The information and instructions in this section relate to DFS Replication of SYSVOL. For information about managing SYSVOL when you use FRS for file replication, see Administering FRS-Replicated SYSVOL (http://go.microsoft.com/fwlink/?LinkId=122838).

DFS Replication technology significantly improves replication of SYSVOL. In Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2, FRS is used to replicate the contents of the SYSVOL share. When a change to a file occurs, FRS replicates the entire updated file. With DFS Replication, for files larger than 64 KB, only the updated portion of the file is replicated. To replicate only updates to files, DFS Replication uses an algorithm called remote differential compression (RDC). RDC detects changes to the data in a file and enables DFS Replication to replicate changes in the form of file blocks, without having to replicate the entire file. RDC detects insertions, removals, and rearrangements of data in files. The DFS Replication service monitors SYSVOL, and, if a change occurs to any file that is stored in SYSVOL, DFS Replication automatically replicates the file updates to the SYSVOL folders on the other domain controllers in the domain.

An additional improvement is that DFS Replication does not require the version vector join (vvjoin) operation, which is performed between FRS replication partners when new connections are created. Vvjoin is a CPU-intensive operation that can affect the performance of the server and cause increased replication traffic.

In Windows Server 2008, DFS Replication is the default file replication service for domains that are initially created on domain controllers running Windows Server 2008. However, in a domain that is upgraded from another operating system to Windows Server 2008, FRS is the default replication service for SYSVOL replication. To implement DFS Replication of SYSVOL after an upgrade to Windows Server 2008 domain functional level, you must perform a preliminary migration process for replication of the SYSVOL tree.

Requirements for using DFS Replication
In Windows Server 2008, for newly created domains operating at the Active Directory domain functional level of Windows Server 2008, DFS Replication is used by default for SYSVOL replication. If your domain controllers are upgraded from another operating system to Windows Server 2008, you must install DFS Replication on all domain controllers in the domain, raise the domain functional level to Windows Server 2008, and then follow a migration process to move from using FRS replication of SYSVOL to DFS Replication. For more information about the SYSVOL migration process, see SYSVOL Migration Series: Part 1 - Introduction to the SYSVOL migration process (http://go.microsoft.com/fwlink/?LinkID=119296). For more information about DFS Replication, see Distributed File System Replication: Frequently Asked Questions (http://go.microsoft.com/fwlink/?LinkId=122837).

The day-to-day operation of SYSVOL replication is an automated process that does not require any human intervention other than watching for alerts that the DFS Replication service raises. Occasionally, you might perform some system maintenance as you change your network. The topics in this section describe the tasks that are required for managing SYSVOL replication, including maintaining capacity and relocating SYSVOL components.

Key considerations for administering SYSVOL
A new graphical user interface (GUI) management tool, DFS Management, provides options for performing many SYSVOL management tasks. In Windows Server 2003, most SYSVOL management tasks required registry changes. In Windows Server 2008, you can use DFS Management to perform the following SYSVOL updates:
• Change the space that is allocated to the staging area
• Change the staging area path

Note
You cannot use DFS Management to change the SYSVOL path. You must make this change in the registry directly. For information about changing the SYSVOL path, see Relocating SYSVOL Manually.

• View shared folders

You can use the Diagnostic Reports features of DFS Management to implement a monitoring system to detect low disk space and other potential DFS Replication disruptions so that you can resolve these issues before the system stops replicating. The Ultrasound utility, which is a tool for monitoring FRS, cannot be used for DFS Replication. Instead, you can use the DFS Replication health reports that DFS Management generates. For information about using DFS Management to generate diagnostic reports, see Create a Diagnostic Report for DFS Replication (http://go.microsoft.com/fwlink/?LinkId=122838).

Other key considerations for managing SYSVOL include the following:
• Capacity
To manage SYSVOL, enough space must be provided to store SYSVOL. The quota that is allocated to the DFS Replication staging area is 4 gigabytes (GB) (4096 MB). The maximum size is 4 terabytes (TB) (4096 GB). Depending on the configuration of your domain, SYSVOL can require a significant amount of disk space to function properly. During the initial deployment, SYSVOL might be allocated adequate disk space to function. However, as your installation of Active Directory Domain Services (AD DS) grows in size and complexity, the required capacity can exceed the available disk space. If you receive indications that disk space is low, determine whether the cause is attributable to inadequate physical space on the disk or the DFS Management setting that limits the quota that is allocated to the staging area. If staging area disk space is low, DFS Replication encounters frequent staging area cleanup events. You can avoid this scenario by using the .admx file capability to implement a Central Store in SYSVOL to store and to replicate Windows Vista policy files. For information about using this solution, see article 929841 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=122839). You can also reduce SYSVOL size and replication time by managing Administrative Templates in Group Policy. For information about using this solution, see article 813338 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=122840).
• Hardware maintenance
System maintenance, such as removal of a disk drive, can make it necessary for you to relocate SYSVOL. Even if the maintenance occurs on a different disk drive, verify that the maintenance does not affect SYSVOL. Logical drive letters can change after you add and remove disks. DFS Replication locates SYSVOL by using paths that are stored in AD DS. If drive letters change after you add or remove disk drives, you must manually update the paths in AD DS.
• Backing up GPOs
The successful operation of Group Policy depends on the reliable operation of SYSVOL. Key components of GPOs exist in SYSVOL (in the policies subdirectory), and it is essential that these GPO components remain synchronized with related components in AD DS. Therefore, backing up only the SYSVOL component does not represent a full and complete backup of your GPOs. The Group Policy Management Console (GPMC) provides both UI-based and scriptable methods for backing up GPOs. It is important that you back up GPOs as part of your regular backup/disaster recovery processes. Soon after installation of a new domain, the default domain and default domain controllers' GPOs should be backed up. They should also be backed up after any subsequent changes are made. GPOs are included in system state backups. For information about backing up system state, see Backing Up Active Directory Domain Services. For information about backing up GPOs, see Back Up a Group Policy Object (http://go.microsoft.com/fwlink/?LinkID=122842).
• Relocating SYSVOL
When you relocate SYSVOL, you must first copy the entire folder structure to a new location. Then, you must update the junction points and path values that are stored in the registry and in AD DS to maintain the relationships between the paths, the folders, and the junctions. As an option, you can relocate the staging area and leave the rest of SYSVOL at its original location. In this case, you must update the staging folder path in AD DS.

Relocating SYSVOL folders
SYSVOL relocation should be undertaken only when required by disk space maintenance or upgrades. By default, SYSVOL is contained in the %systemroot%\SYSVOL folder. The tree of folders that is contained within this folder can be extensive, depending on the size of SYSVOL, number of GPOs, and use of logon scripts. When you relocate SYSVOL folders, ensure that you copy all folders (including any hidden folders) and ensure that the relationships of the folders do not change.

Note
To ensure that all folders appear in Windows Explorer, on the Tools menu, click Folder Options. On the View tab, select Show hidden files and folders.

Before you attempt to relocate all or portions of SYSVOL, you must clearly understand the folder structure and the relationships between the folders and the path and size information that is stored in AD DS. When folders are moved, any associated values that are stored in AD DS and the registry must be updated to match the new location. The folder structure contains junction points that also require updating after folders are moved to a new location.

When you relocate folders, you use the first three levels of subdirectories to properly update the path locations that DFS Replication uses. These levels are affected by junction points and parameter settings. These folders include the following:
%systemroot%\SYSVOL
%systemroot%\SYSVOL\domain
%systemroot%\SYSVOL\domain\DfsrPrivate
%systemroot%\SYSVOL\domain\Policies
%systemroot%\SYSVOL\domain\scripts
%systemroot%\SYSVOL\staging
%systemroot%\SYSVOL\staging\domain
%systemroot%\SYSVOL\staging areas
%systemroot%\SYSVOL\staging areas\<FQDN>, where FQDN is the fully qualified domain name of the domain that this domain controller hosts, for example, contoso.com.
%systemroot%\SYSVOL\sysvol
%systemroot%\SYSVOL\sysvol\<FQDN>, where FQDN is the fully qualified domain name of the domain that this domain controller hosts, for example, contoso.com.

Note
If any of the folders do not appear in Windows Explorer, click Tools, and then click Folder Options. On the View tab, click Show hidden files and folders.

If you use Windows Explorer to view these folders, they appear to be typical folders. If you open a command prompt and type dir to list these folders, you notice that two special folders are listed as <JUNCTION>. Both folders labeled FQDN are junction points. The junction point in %systemroot%\SYSVOL\sysvol links to %systemroot%\SYSVOL\domain. The junction in %systemroot%\SYSVOL\staging areas links to %systemroot%\SYSVOL\staging\domain. If you change the path to the folders to which the junctions are linked, you must also update the junctions, including drive letter changes and folder changes.

Besides junction points linking to folders within the SYSVOL tree, the registry and AD DS also store references to folders. These references contain paths that you must update if you change the location of the folder:
• Registry: The SysVol Netlogon parameter in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. This registry entry stores the path to the sysvol shared folder (default %systemroot%\SYSVOL\sysvol). The Netlogon service uses this path to identify the location of the folder that it uses to create the SYSVOL and NETLOGON (scripts) share points.
• AD DS: Two attributes in AD DS store the paths for the SYSVOL root and staging area folders, as shown in the following table.

Directory value        Default referenced location           Contents
msDFSR-RootPath        %systemroot%\SYSVOL\domain            Policies and scripts
msDFSR-StagingPath     %systemroot%\SYSVOL\staging\domain    Staging area folders
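The three path references described above (the SysVol registry value, the two msDFSR-* attributes, and the <FQDN> junction points) must agree before and after a relocation. The following added example, which is not code from the guide, reads all three on the local domain controller and reports whether they are consistent; it assumes the DC's computer object sits under the default OU=Domain Controllers container, and its function names are hypothetical.

```powershell
# Added example, not from the guide. Cross-checks the three places that record
# SYSVOL paths on this domain controller (Netlogon registry value, the two
# msDFSR-* attributes in AD DS, and the <FQDN> junction points) and reports
# whether they still agree. Run locally on the DC with Domain Admins rights.
# Assumes the DC's computer object is under the default OU=Domain Controllers.
# Function names are hypothetical.

function Get-JunctionTarget {
    # Resolves a junction through "dir /AL", the same <JUNCTION> listing the guide
    # describes, so it also works on the PowerShell shipped with Windows Server 2008.
    param([Parameter(Mandatory=$true)][string]$Path)

    $parent = Split-Path -Parent $Path
    $leaf   = Split-Path -Leaf $Path
    foreach ($line in (& cmd.exe /c dir /AL $parent 2>$null)) {
        # Listing line: "<date> <time>    <JUNCTION>     contoso.com [C:\Windows\SYSVOL\domain]"
        if ($line -match '<JUNCTION>\s+(.+?)\s+\[(.+)\]\s*$' -and $Matches[1] -eq $leaf) {
            return $Matches[2]
        }
    }
    return $null
}

function Get-SysvolPathReferences {
    # Registry: path to the sysvol shared folder that Netlogon shares as SYSVOL/NETLOGON.
    $netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $sysvolShare = (Get-ItemProperty -Path $netlogonKey -Name SysVol).SysVol

    # AD DS: msDFSR-RootPath and msDFSR-StagingPath on this DC's SYSVOL Subscription object.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = $rootDse.psbase.Properties['defaultNamingContext'].Value
    $subDn    = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings," +
                "CN=$env:COMPUTERNAME,OU=Domain Controllers,$domainDn"
    $sub         = [ADSI]"LDAP://$subDn"
    $rootPath    = "$($sub.psbase.Properties['msDFSR-RootPath'].Value)"
    $stagingPath = "$($sub.psbase.Properties['msDFSR-StagingPath'].Value)"

    # File system: sysvol\<FQDN> and "staging areas\<FQDN>" are the two junction points.
    $fqdn        = (Get-WmiObject -Class Win32_ComputerSystem).Domain
    $sysvolRoot  = Split-Path -Parent $sysvolShare          # default %systemroot%\SYSVOL
    $sysvolJunc  = Get-JunctionTarget -Path (Join-Path $sysvolShare $fqdn)
    $stagingJunc = Get-JunctionTarget -Path (Join-Path (Join-Path $sysvolRoot 'staging areas') $fqdn)

    # The relationships the guide describes: sysvol\<FQDN> -> root path,
    # staging areas\<FQDN> -> staging path, and both AD DS paths exist on disk.
    $norm = { param($p) "$p".TrimEnd('\').ToLowerInvariant() }
    $consistent = ($rootPath -ne '') -and ($stagingPath -ne '') -and
                  (Test-Path -Path $rootPath) -and (Test-Path -Path $stagingPath) -and
                  ((& $norm $sysvolJunc)  -eq (& $norm $rootPath)) -and
                  ((& $norm $stagingJunc) -eq (& $norm $stagingPath))

    New-Object PSObject -Property @{
        RegistrySysVolShare   = $sysvolShare
        AdRootPath            = $rootPath
        AdStagingPath         = $stagingPath
        SysvolJunctionTarget  = $sysvolJunc
        StagingJunctionTarget = $stagingJunc
        Consistent            = $consistent
    }
}

# Usage: run before and after a relocation; a $false Consistent value points at
# the reference that was not updated.
#   Get-SysvolPathReferences | Format-List
```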

Managing DFS-Replicated SYSVOL
This section includes the following tasks for managing DFS-Replicated SYSVOL:
• Changing the Quota That Is Allocated to the SYSVOL Staging Area
• Relocating the SYSVOL Staging Area
• Relocating SYSVOL Manually
• Updating the SYSVOL Path
• Restoring and Rebuilding SYSVOL

Changing the Quota That Is Allocated to the SYSVOL Staging Area
The staging folder in SYSVOL, a subfolder of the staging areas folder, stores updates before they are replicated. It also stores updates that it has just received through replication before it updates the copy of the files in SYSVOL. DFS Replication compresses the data to save space in the staging folder and to reduce the time that is necessary to replicate the files. The default quota that is allocated to the staging folder is 4096 megabytes (MB), or 4 gigabytes (GB). The minimum quota is 10 MB and the maximum quota that can be allocated is 4096 GB, or 4 terabytes (TB). If you need more space in the staging folder and space is available on the volume, you can adjust the staging folder quota by using DFS Management.

Task requirements
The following tool is required to perform the procedures for this task:
• DFS Management

To complete this task, perform the following procedure:
• Change the Quota That Is Allocated to the SYSVOL Staging Folder

Change the Quota That Is Allocated to the SYSVOL Staging Folder
You can use this procedure to modify the amount of disk space that is allocated to the staging folder in SYSVOL. If space is available on the volume, you can increase the quota that is allocated to the staging folder to improve SYSVOL replication efficiency. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To change the space that is allocated to the staging folder
1. On the Start menu, point to Administrative Tools, and then click DFS Management.
2. In the console tree, expand Replication, and then click Domain System Volume.
3. In the details pane, right-click the SYSVOL replication member whose staging folder allocation you want to change, and then click Properties.
4. On the Staging tab, change the value in Quota (in megabytes), and then click OK.

Relocating the SYSVOL Staging Area
When you install Active Directory Domain Services (AD DS), the Active Directory Domain Services Installation Wizard installs folders that are referred to as “the SYSVOL staging area.” The Active Directory Domain Services Installation Wizard creates two folders, %systemroot%\SYSVOL\staging and %systemroot%\SYSVOL\staging areas, which the Distributed File System (DFS) Replication service uses as the queue for changes that are to be replicated to other domain controllers. “Staging” and “staging areas” are default names. When you relocate these staging folders, you can change the name. Ensure that you identify the proper area in the SYSVOL tree in case it is renamed in your environment.

Important
Before you relocate all or part of SYSVOL, be sure to inform domain administrators that you are doing so and that they should not make any changes in the SYSVOL directory until the move is complete.

Two values determine the location of the staging area:
• The msDFSR-StagingPath attribute of the object CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=DomainControllerName,OU=Domain Controllers,DC=DomainName in AD DS. This attribute contains the path to the actual location that DFS Replication uses to stage files.
• A junction point that is stored in the staging areas folder in SYSVOL that links to the actual location that DFS Replication uses to stage files.

After you move the staging areas folders, you must change the staging folder path in AD DS. The staging junction point is updated automatically to reference the new location when you restart the DFS Replication service and Netlogon service. You do not have to update the staging junction point manually. After you move the staging areas folders, force replication of the changes to a replication partner in the domain.

Except where noted, perform these procedures on the domain controller that contains the staging folder that you want to relocate.

Task requirements
An understanding of the SYSVOL folder structure is necessary for this task. For information about the SYSVOL folder structure, see Introduction to Administering DFS-Replicated SYSVOL.

The following tools are required to perform the procedures for this task:
• Active Directory Sites and Services
• Event Viewer
• Net.exe
• Dcdiag.exe
• Regedit.exe
• ADSI Edit

To complete this task, perform the following procedures:
• Identify Replication Partners
• Check the Status of the SYSVOL and Netlogon Shares
• Verify Active Directory Replication
• Gather the SYSVOL Path Information
• Stop the DFS Replication Service and Netlogon Service
• Create the SYSVOL Staging Areas Folder Structure
• Change the SYSVOL Root Path or Staging Areas Path, or Both
• Start the DFS Replication Service and Netlogon Service
• Force Replication Between Domain Controllers

Identify Replication Partners
You can use this procedure to examine the connection objects for a domain controller and identify its replication partners.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To identify replication partners
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, double-click the Sites container to display the list of sites.
3. Double-click the site that contains the domain controller for which you want to determine connection objects.
Note
If you do not know the site in which the domain controller is located, open a command prompt on that domain controller and type ipconfig to get its IP address. Under Subnets in Active Directory Sites and Services, find the subnet object that contains that IP address; the subnet object shows the site that it is associated with.
4. Double-click the Servers folder to display the list of servers in that site.
5. Double-click the server object for the domain controller whose replication partners you want to identify to display its NTDS Settings object.
6. Click the NTDS Settings object to display the list of connection objects in the details pane. (These objects represent inbound connections that are used for replication to the server.) The From Server column displays the names of the domain controllers that are source replication partners for the selected server object.

Check the Status of the SYSVOL and Netlogon Shares
You can use this procedure to make sure that the Distributed File System (DFS) Replication service is started properly and then ensure that the sysvol shared folder and the netlogon (scripts) shared folder are created and shared. For information about checking SYSVOL status for File Replication Service (FRS), see the Windows Server 2003 topic Check the status of the shared SYSVOL (http://go.microsoft.com/fwlink/?LinkId=120774).

Membership in Domain Admins, or equivalent, is required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To check the status of the SYSVOL and Netlogon shares
1. On the Start menu, point to Administrative Tools, and then click Services.
2. Verify that the DFS Replication service and the Netlogon service have a status of Started. If a service is stopped, right-click it, and then click Start.
3. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
4. To verify that the SYSVOL tree includes the sysvol and scripts shared folders, at the command prompt, type the following command, and then press ENTER:
net share

5. Check the list to be sure that it includes %systemroot%\SYSVOL\sysvol\ (the SYSVOL share) and %systemroot%\SYSVOL\sysvol\<Domain Name>\SCRIPTS (the NETLOGON share), where <Domain Name> is the domain of the domain controller.
Note
If either %systemroot%\SYSVOL\sysvol\ or %systemroot%\SYSVOL\sysvol\<Domain Name>\SCRIPTS is missing, see Verify Active Directory Replication.
6. Verify that the proper permissions are set for SYSVOL replication. At the command prompt, type the following command, and then press ENTER:
dcdiag /test:netlogons

Look for a message that states that <ComputerName> passed test NetLogons, where <ComputerName> is the name of the domain controller. If you do not see the "passed test" message, check the permissions that are set on the Scripts and Sysvol shared folders. For information about default SYSVOL permissions, see Reapply Default SYSVOL Security Settings.

Verify Active Directory Replication
You can use this procedure to verify that Active Directory replication is functioning properly on a domain controller.

Membership in Domain Admins, or equivalent, is required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To verify Active Directory replication
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
dcdiag /test:replications

Note
For more detailed replication information, use the /v option.

If this test fails, open Event Viewer and check for errors in the Directory Service log. Use the information in the ActiveDirectory_DomainService replication events to troubleshoot the problem.
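The three checks above (replication partners, services and shares, dcdiag) can be scripted so that they are run the same way before and after a move. The following PowerShell is an added example and is not part of the operations guide; it assumes Windows PowerShell 3.0 or later, an elevated session on the domain controller being checked, and the RSAT ActiveDirectory module (Get-ADReplicationConnection needs the Windows Server 2012 or later module). The function names are my own.

```powershell
# Added example, not part of the operations guide. Scripted equivalent of
# Identify Replication Partners, Check the Status of the SYSVOL and Netlogon
# Shares, and Verify Active Directory Replication. Function names are my own.

function Get-InboundReplicationPartner {
    # Lists the "From Server" side of every connection object under this DC's
    # NTDS Settings object, i.e. the source DCs it replicates from.
    param([string]$DomainController = $env:COMPUTERNAME)
    Import-Module ActiveDirectory -ErrorAction Stop
    $ntds = "CN=NTDS Settings,CN=$DomainController,"   # DN prefix of this DC's NTDS Settings
    Get-ADReplicationConnection -Filter * -Server $DomainController |
        Where-Object { $_.ReplicateToDirectoryServer -like "$ntds*" } |
        ForEach-Object {
            # ReplicateFromDirectoryServer is the source's NTDS Settings DN;
            # its second RDN (CN=<server>) is the partner's name.
            (($_.ReplicateFromDirectoryServer -split ',')[1] -replace '^CN=', '')
        }
}

function Test-SysvolAndNetlogon {
    # Services running, SYSVOL and NETLOGON shares published, and the two dcdiag
    # tests the guide calls for reporting "passed test".
    param([string]$DomainController = $env:COMPUTERNAME)
    $result = [ordered]@{}
    foreach ($svc in 'DFSR', 'Netlogon') {
        $result["$svc running"] = (Get-Service -Name $svc).Status -eq 'Running'
    }
    # "net share" prints one share per line, name first. SYSVOL and NETLOGON are
    # the shares Netlogon publishes for ...\SYSVOL\sysvol and ...\<domain>\SCRIPTS.
    $shareNames = net share | ForEach-Object { ($_ -split '\s{2,}')[0] }
    $result['SYSVOL share']   = $shareNames -contains 'SYSVOL'
    $result['NETLOGON share'] = $shareNames -contains 'NETLOGON'
    foreach ($test in 'NetLogons', 'Replications') {
        $output = dcdiag /s:$DomainController /test:$test
        $result["dcdiag $test"] = [bool]($output -match "passed test $test")
    }
    # dcdiag /test:replications failures are explained by errors in the
    # Directory Service log (ActiveDirectory_DomainService events).
    $errors = Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Level = 1, 2; StartTime = (Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue
    $result['Directory Service errors (24h)'] = @($errors).Count
    [pscustomobject]$result
}

Get-InboundReplicationPartner
Test-SysvolAndNetlogon
```

Run it once before you stop any service and keep the output; after the relocation, a second run should show the same partners, both services running, both shares present, and both dcdiag tests passing. Any False in the second run points at the step that needs attention.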

Gather the SYSVOL Path Information
When you relocate the SYSVOL tree or the staging areas subtree, it is helpful to record the current and new values for the path locations in the SYSVOL tree that are required for SYSVOL to function. By recording these values in advance, you can facilitate the move process.

When you move SYSVOL, you first copy the folder structure to a new location. Then, you update the locations where folder paths are specified: junction points in the file system, Netlogon parameters in the registry, and attributes in Active Directory Domain Services (AD DS). As an option, you can relocate the staging areas subtree and leave the rest of the SYSVOL tree at its original location. In this case, you must update an attribute in AD DS, but the junction point for the staging areas folder is updated automatically.

You also have to record this path information when you are rebuilding SYSVOL on one domain controller by importing the SYSVOL of another domain controller.

Note
The instructions in this procedure relate to domains in which Distributed File System (DFS) Replication is used to replicate SYSVOL. For information about relocating SYSVOL when you use File Replication Service (FRS), see Relocating SYSVOL Manually (http://go.microsoft.com/fwlink/?LinkId=122890).

For more information about the folder structure and the relationships between the folders and the path information that is stored in the registry, AD DS, and the SYSVOL directory itself, see Introduction to Administering DFS-Replicated SYSVOL.

You can use these procedures to locate the SYSVOL path information and then record the values in the following table. Use the rows and columns in the table according to the goals of your procedure. Record the current values, and also the new values if you are moving the SYSVOL tree or the staging areas subtree or if you are rebuilding SYSVOL:
• Relocating the entire SYSVOL tree: Record the current and new path values in rows 1 through 5.
• Relocating the staging areas subtree only: Record the current and new path values in rows 2 and 5.
• Restoring and rebuilding SYSVOL: Record path information as follows:
  • Record the current values from the domain controller that you are restoring in rows 1, 2, and 3.
  • In the Current value column in rows 4 and 5, record the values in the junction points that are located on the domain controller from which you are copying the SYSVOL folder structure.
  • In the New value column in rows 4 and 5, record the values in the junction points that are located on the domain controller whose SYSVOL you are rebuilding.

   Parameter                                    Current value    New value
1  msDFSR-RootPath in AD DS
2  msDFSR-StagingPath in AD DS
3  SysVol Netlogon parameter in the registry
4  Sysvol junction point
5  Staging areas junction point

To gather the SYSVOL path information
Perform the following procedures to gather values for SYSVOL paths and record the data in the preceding table.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To determine the msDFSR-RootPath and the msDFSR-StagingPath values in AD DS
1. Click Start, point to Administrative Tools, and then click ADSI Edit.
2. Right-click ADSI Edit, and then, if the domain whose path information you want to check is not listed, click Connect to.
3. Under Connection Point, click Select a well known Naming Context, click Default naming context, and then click OK.
4. In the tree view, expand the domain component, and then expand OU=Domain Controllers.
5. Double-click the container that represents the domain controller whose path information you are gathering (each domain controller has its own subscription object), double-click CN=DFSR-LocalSettings, and then click CN=Domain System Volume.
6. In the details pane, right-click CN=SYSVOL Subscription, and then click Properties.
7. Click Filter. Ensure that Show mandatory attributes is selected. Select this option if it is not selected.
8. In Attributes, locate msDFSR-RootPath and msDFSR-StagingPath, and then record the current values in rows 1 and 2, respectively, in the previous table. If you are moving SYSVOL, also record the new values for the new location in both rows. If you are moving the staging areas subtree, record the new path value in row 2.
9. Click Cancel to close the CN=Subscription Properties dialog box.

To determine the SysVol Netlogon parameter value in the registry
1. Click Start, click Run, type regedit, and then press ENTER.
2. In Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. In the details pane, double-click SysVol. The current value is listed in Value data.
4. Record the current value in row 3 of the previous table, and then click Cancel to close the Edit String dialog box. If you are moving SYSVOL, also record the new value for the new location.
5. Close Registry Editor.

To determine the value in the sysvol junction point
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, change the directory to %systemroot%\SYSVOL\sysvol, or to the current location if SYSVOL has been moved from the default location.
3. To view the junction point for the sysvol folder, at the command prompt, type the following command, and then press ENTER:
dir /a:L

4. Record the current value in row 4 in the previous table. If you are moving SYSVOL, also record the new value for the new location.

To determine the value in the staging areas junction point
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, change the directory to "%systemroot%\SYSVOL\staging areas" or to the current location if the staging areas subtree has been moved from the default location.
3. To view the junction point for the staging areas folder, at the command prompt, type the following command, and then press ENTER:
dir /a:L

4. The output identifies the <JUNCTION> folder type and, in brackets, the value that is stored in the staging areas junction point. For example, the default value is [%systemroot%\SYSVOL\staging\domain] with the drive letter and Windows directory expanded (or, if SYSVOL has been migrated from FRS to DFS Replication, [%systemroot%\SYSVOL_DFSR\staging\domain]). Record the current value in row 5 of the previous table. If you are moving SYSVOL or the staging areas subtree, also record the new value for the new location.
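The five values in the table can be read in one pass instead of through three tools. The following PowerShell is an added example and not part of the operations guide; it assumes Windows PowerShell 3.0 or later, an elevated session on the domain controller, the RSAT ActiveDirectory module, and the default layout in which the Netlogon SysVol parameter points at the sysvol subfolder directly beneath the SYSVOL root. Function names are my own.

```powershell
# Added example, not part of the operations guide: fills the "Current value"
# column of the SYSVOL path table for one domain controller. Function names
# and the $env:TEMP output file are my own.

function Get-JunctionTarget {
    # Parses "dir /a:L", which prints "<JUNCTION>  name [target]" per junction,
    # and returns a hashtable of name -> target.
    param([string]$Folder)
    $targets = @{}
    foreach ($line in (cmd /c dir /a:L "$Folder" 2>$null)) {
        $m = [regex]::Match($line, '<JUNCTION>\s+(?<name>.+?)\s+\[(?<target>.+)\]\s*$')
        if ($m.Success) { $targets[$m.Groups['name'].Value] = $m.Groups['target'].Value }
    }
    $targets
}

function Get-SysvolPathInfo {
    param([string]$DomainController = $env:COMPUTERNAME)
    Import-Module ActiveDirectory -ErrorAction Stop
    # Rows 1 and 2: the subscription object is per DC, under its computer object.
    $dcDn  = (Get-ADComputer -Identity $DomainController -Server $DomainController).DistinguishedName
    $subDn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$dcDn"
    $sub   = Get-ADObject -Identity $subDn -Server $DomainController `
                 -Properties 'msDFSR-RootPath', 'msDFSR-StagingPath'
    # Row 3: the Netlogon SysVol parameter (default %systemroot%\SYSVOL\sysvol).
    $netlogon = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    # Rows 4 and 5: the junctions live in the sysvol and "staging areas" folders
    # under the SYSVOL root, which (assumption: default layout) is the parent of
    # the SysVol parameter.
    $sysvolRoot      = Split-Path -Parent $netlogon.SysVol
    $sysvolJunction  = Get-JunctionTarget (Join-Path $sysvolRoot 'sysvol')
    $stagingJunction = Get-JunctionTarget (Join-Path $sysvolRoot 'staging areas')
    [pscustomobject]@{
        DomainController             = $DomainController
        'msDFSR-RootPath (AD DS)'    = $sub.'msDFSR-RootPath'
        'msDFSR-StagingPath (AD DS)' = $sub.'msDFSR-StagingPath'
        'SysVol (Netlogon registry)' = $netlogon.SysVol
        'sysvol junction'            = ($sysvolJunction.Values -join '; ')
        'staging areas junction'     = ($stagingJunction.Values -join '; ')
    }
}

# Show the current values and keep a copy to fill in the "New value" column later.
Get-SysvolPathInfo | Format-List
Get-SysvolPathInfo | Export-Csv -Path "$env:TEMP\sysvol-paths.csv" -NoTypeInformation
```

On a default installation the sysvol junction target equals msDFSR-RootPath and the staging areas junction target equals msDFSR-StagingPath; a mismatch between a row and its junction is the first thing to investigate before any move, because the junction is what the services will regenerate from the attribute.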

Stop the DFS Replication Service and Netlogon Service
You can use this procedure to stop the Distributed File System (DFS) Replication service and the Netlogon service when you are performing offline updates to the SYSVOL tree. The Netlogon service advertises the server as a domain controller by sharing out the SYSVOL folder. The services must remain stopped until the updates to the SYSVOL path information are complete and the SYSVOL junction point has been updated for the new location. While Netlogon is stopped, the server is not advertised as a domain controller and does not service logon requests, so make sure that another domain controller in the domain is available to clients for the duration of the change.

You can use the Windows graphical user interface (GUI) or the command line to stop the DFS Replication service and the Netlogon service.

Note
The staging path junction point is updated automatically when DFS Replication is restarted.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To stop the DFS Replication service or Netlogon service, or both, by using the Windows GUI
1. On the Start menu, point to Administrative Tools, and then click Services.
2. In the Name column, right-click DFS Replication or Netlogon, and then click Stop.

To stop the DFS Replication service and the Netlogon service by using the command line
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
net stop dfsr

3. At the command prompt, type the following command, and then press ENTER:
net stop netlogon

After you move or restore SYSVOL, when you update the SYSVOL Netlogon path in the registry, you must also update the SysvolReady parameter in Netlogon parameters, as described in Change the SYSVOL Netlogon Parameters.

Create the SYSVOL Staging Areas Folder Structure
You can use this procedure to create the SYSVOL staging areas subdirectory folder structure when you move the staging areas tree to a new location. The %systemroot%\SYSVOL\staging areas folder is the top of the staging areas tree in SYSVOL. To move the staging areas tree properly, you must select and copy the contents of %systemroot%\SYSVOL\staging areas. A different subfolder of %systemroot%\SYSVOL is named staging. Ensure that you select the contents of the staging areas subfolder (%systemroot%\SYSVOL\staging areas) and not the staging subfolder (%systemroot%\SYSVOL\staging).

A copy made with Windows Explorer takes the permissions of the destination folder rather than those of the source. If the original ownership and access control list (ACL) settings must be preserved, use a copy method that retains them, such as the Robocopy command described in Relocating SYSVOL Manually, and verify the permissions at the new location before you restart the services.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To create the SYSVOL staging areas folder structure
1. In Windows Explorer, create a new folder for the new location of the staging areas folder.
2. Navigate to the folder that represents the top of your current staging areas tree. By default, this folder is %systemroot%\SYSVOL\staging areas.
3. In the console tree, right-click the staging areas folder, and then click Copy.
4. In the console tree, navigate to the new folder that you created for the staging areas tree, right-click the folder, and then click Paste.
Note
This folder must be empty when you paste the staging areas folders.
5. Verify that the folder structure was copied correctly. To compare the new folder structure to the original, open a command prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
6. Change directories to the new staging areas folder. To list the contents of the folder and subfolders, type the following command, and then press ENTER:
dir /s

Ensure that all folders exist. If any folders are missing at the new location (such as \scripts), re-create them.

Change the SYSVOL Root Path or Staging Areas Path, or Both
If you are moving the SYSVOL tree or the SYSVOL staging areas tree, or if you are updating these locations after a hardware reconfiguration that has resulted in a drive letter change, you can use this procedure to change the SYSVOL root path, the staging areas path, or both in Active Directory Domain Services (AD DS).

Before you perform this procedure, you must stop the Distributed File System (DFS) Replication service and the Netlogon service, as described in Stop the DFS Replication Service and Netlogon Service.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To change the SYSVOL root path or the staging areas path, or both
1. Click Start, point to Administrative Tools, and then click ADSI Edit.
2. Right-click ADSI Edit, and then, if the domain whose path information you want to change is not listed, click Connect to.
3. Under Connection Point, click Select a well known Naming Context, click Default naming context, and then click OK.
4. In the console tree, expand the domain component, and then expand OU=Domain Controllers.
5. Double-click the container that represents the domain controller whose SYSVOL you are relocating (the subscription object is specific to each domain controller, so editing another domain controller's object changes the wrong server), double-click CN=DFSR-LocalSettings, and then click CN=Domain System Volume.
6. In the details pane, right-click CN=SYSVOL Subscription, and then click Properties.
7. Click Filter. Ensure that Show mandatory attributes is selected. Select this option if it is not selected.
8. In Attributes, double-click one or both of the following:
• msDFSR-RootPath to change the SYSVOL root path.
• msDFSR-StagingPath to change the SYSVOL staging areas path.
9. In Value, type the new folder path, and then click OK.
10. Click OK to close the CN=Subscription Properties dialog box.

See Also
Start the DFS Replication Service and Netlogon Service

Start the DFS Replication Service and Netlogon Service
After you relocate the SYSVOL tree or the SYSVOL staging area, or both, use this procedure to restart the Distributed File System (DFS) Replication service, the Netlogon service, or both. After you restart the service or services, review the event log to ensure that the services restarted successfully.

You can use the Windows graphical user interface (GUI) or the command line to start the DFS Replication service and the Netlogon service.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To start the DFS Replication service or Netlogon service, or both, by using the Windows GUI
1. On the Start menu, point to Administrative Tools, and then click Services.
2. In the Name column, right-click DFS Replication or Netlogon, and then click Start.

To start the DFS Replication service or Netlogon service, or both, by using the command line
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. To start the DFS Replication service, at the command prompt, type the following command, and then press ENTER:
net start dfsr

3. To start the Netlogon service, at the command prompt, type the following command, and then press ENTER:
net start netlogon

Notes
• You can use Event Viewer to verify that DFS Replication restarted correctly. In the DFS Replication log (in Applications and Services Logs), Event ID 1004 indicates that the service restarted. Look for Event IDs 1210, 1206, and 6102 to verify that the domain controller is running and ready for service. If you moved SYSVOL to a new location or relocated the staging areas folder, look for Event ID 4604 and the accompanying DFS Replication success event, which indicate that the relocated folders were initialized. Event ID 7036 in the System event log reports that the Netlogon service is running; this event is logged for every service that is stopped or started.
• Also verify that the Netlogon service is sharing the sysvol (SYSVOL share) and scripts (NETLOGON share) folders. At a command prompt, type net share, and then press ENTER.
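The Stop, Create, Change, Start and Force Replication steps above form one procedure, and the order matters: the services must be down before the attribute changes, the destination must be empty, and the attribute must replicate afterwards. The following PowerShell is an added example of that sequence and is not part of the operations guide. It assumes Windows PowerShell 3.0 or later, an elevated session on the domain controller being changed, the RSAT ActiveDirectory module, Robocopy (present on Windows Server 2008 and later), and that what the new path should hold is a copy of the folder that msDFSR-StagingPath currently points to (the actual staging location that the staging areas junction resolves to). The function, parameter and log file names are my own.

```powershell
# Added example, not part of the operations guide: relocates the DFS Replication
# staging path of one domain controller end to end. Names are my own.

function Move-SysvolStagingPath {
    param(
        [Parameter(Mandatory = $true)][string]$NewStagingPath,  # e.g. D:\SYSVOL\staging\domain
        [Parameter(Mandatory = $true)][string]$PartnerDC,       # an inbound replication partner
        [string]$DomainController = $env:COMPUTERNAME
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    # Resolve everything from AD DS before Netlogon stops: the DC locator lives in
    # Netlogon, so every cmdlet below also names the server explicitly.
    $dcDn   = (Get-ADComputer -Identity $DomainController -Server $DomainController).DistinguishedName
    $subDn  = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$dcDn"
    $domain = (Get-ADDomain -Server $DomainController).DistinguishedName
    $oldStagingPath = (Get-ADObject -Identity $subDn -Server $DomainController `
                          -Properties 'msDFSR-StagingPath').'msDFSR-StagingPath'.TrimEnd('\')
    $newStagingPath = $NewStagingPath.TrimEnd('\')

    # 1. Offline. Clients fail over to other DCs while Netlogon is stopped.
    Stop-Service -Name Netlogon -Force
    Stop-Service -Name DFSR -Force

    # 2. Copy the folder structure into an empty destination. /COPYALL keeps data,
    #    ACLs, owner and auditing; /E includes empty folders; /XJ does not follow
    #    junctions, so nothing outside the staging folder is pulled in.
    New-Item -ItemType Directory -Path $newStagingPath -Force | Out-Null
    if (@(Get-ChildItem -LiteralPath $newStagingPath -Force).Count -gt 0) {
        throw "$newStagingPath must be empty before the staging folders are copied into it"
    }
    $log = Join-Path $env:TEMP 'sysvol-staging-move.log'
    robocopy $oldStagingPath $newStagingPath /E /COPYALL /XJ /R:0 /W:0 /NP "/LOG:$log" | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit $LASTEXITCODE); see $log" }

    # 3. Row 2 of the path table: msDFSR-StagingPath on this DC's own subscription object.
    Set-ADObject -Identity $subDn -Server $DomainController `
        -Replace @{ 'msDFSR-StagingPath' = $newStagingPath }

    # 4. Restart; DFS Replication rewrites the staging areas junction on start-up.
    $restartedAt = Get-Date
    Start-Service -Name DFSR
    Start-Service -Name Netlogon

    # 5. Push the attribute change to a partner now instead of waiting for the
    #    site link schedule: repadmin /replicate <destination> <source> <naming context>.
    repadmin /replicate $PartnerDC $DomainController $domain | Out-Null
    $repadminExit = $LASTEXITCODE

    # 6. Verify: the junction in "staging areas" now targets the new path, and the
    #    DFS Replication log shows the restart (1004) and SYSVOL initialization (4604).
    $stagingAreas = Join-Path (Split-Path -Parent (Split-Path -Parent $oldStagingPath)) 'staging areas'
    $dirOutput = (cmd /c dir /a:L "$stagingAreas") -join "`n"
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'DFS Replication'; Id = 1004, 4604; StartTime = $restartedAt
    } -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OldStagingPath         = $oldStagingPath
        NewStagingPath         = $newStagingPath
        JunctionTargetsNewPath = $dirOutput.Contains("[$newStagingPath]")
        DfsrRestarted          = [bool]($events | Where-Object { $_.Id -eq 1004 })
        SysvolInitialized      = [bool]($events | Where-Object { $_.Id -eq 4604 })
        ReplicationForced      = ($repadminExit -eq 0)
    }
}

# Move-SysvolStagingPath -NewStagingPath 'D:\SYSVOL\staging\domain' -PartnerDC 'DC02'
```

The junction check uses String.Contains rather than -like because the square brackets that dir prints around the target are wildcard characters to -like. If JunctionTargetsNewPath is False after the services have started, the attribute was written to the wrong subscription object or has not been read yet; compare the AD DS value with the junction before stopping the services again.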

Force Replication Between Domain Controllers
You can use this procedure to force Active Directory replication to occur between two domain controllers on a one-time basis when you want changes to be replicated from the server that received the changes to a server in another site sooner than the site link schedule allows. As an alternative, you can synchronize replication with all replication partners. This replicates the directory changes (such as the updated msDFSR-StagingPath attribute); SYSVOL file content is replicated separately by DFS Replication.

Membership in Enterprise Admins, or equivalent, is required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To force replication over a connection
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand Sites, and then expand the site to which you want to force replication from the updated server.
3. Expand the Servers container to display the list of servers that are currently configured for that site.
4. Expand the server objects and click their NTDS Settings objects to display their connection objects in the details pane. Find a server that has a connection object from the server on which you made the updates.
5. Click NTDS Settings below that server object. In the details pane, right-click the connection object whose From Server is the domain controller that has the updates that you want to replicate, and then click Replicate Now.
6. When the Replicate Now message box appears, review the information, and then click OK.

See Also
Synchronize Replication with All Partners

Relocating SYSVOL Manually
If you want to move all folders in the SYSVOL directory, you can relocate these folders manually. You must carefully copy all folders and retain the same level of security at the new location.

Caution
The recommended method for relocating SYSVOL is to remove Active Directory Domain Services (AD DS) and then reinstall AD DS with the new SYSVOL path. Because of the potential for error, we do not recommend relocating SYSVOL manually.

If you choose to move SYSVOL manually, you first copy the entire folder structure to a new location; then, you update the SYSVOL junction point and the parameters that are stored in the registry and in AD DS. As an option, you can relocate the staging areas subdirectory only. For information about relocating the staging areas subdirectory, see Relocating the SYSVOL Staging Area.

Important
Before you relocate all or part of SYSVOL, be sure to inform domain administrators that you are doing so and that they should not make any changes in the SYSVOL directory until the move is complete.

Relocating SYSVOL can alter security settings if you do not use a copy method that retains file ownership and access control list (ACL) settings. The copy method that is described in this procedure retains security settings. After you move the SYSVOL tree, verify that the security settings on the relocated SYSVOL folders match the settings on the original SYSVOL folder structure. As an alternative, you can reapply security settings on the moved SYSVOL.

When you have completed SYSVOL relocation, force replication from the updated domain controller to a replication partner in the domain.

Task requirements
The following tools are required to perform the procedures for this task:
• Active Directory Sites and Services
• Net.exe
• Dcdiag.exe
• Event Viewer
• ADSI Edit
• Regedit.exe
• Dir (a Cmd.exe built-in command)
• Windows Explorer
• Robocopy.exe
• Mklink.exe
• If you choose to reapply security settings manually, the following additional tools are required:
  • Notepad.exe
  • Secedit.exe

To complete this task, perform the following procedures:
1. Identify Replication Partners
2. Check the Status of the SYSVOL and Netlogon Shares
3. Verify Active Directory Replication
4. Gather the SYSVOL Path Information
5. Stop the DFS Replication Service and Netlogon Service
6. Copy SYSVOL to a New Location
7. Create the SYSVOL Root Junction Point
8. Change the SYSVOL Root Path or Staging Areas Path, or Both
9. Change the SYSVOL Netlogon Parameters
10. Reapply Default SYSVOL Security Settings
You can use this procedure if you want to reapply the default security settings to the SYSVOL directory. However, if you use the Robocopy command that is specified in Copy SYSVOL to a New Location, file ownership and access control list (ACL) settings are retained on the copied SYSVOL folders and files, and reapplying security settings is not required.
11. Start the DFS Replication Service and Netlogon Service
12. Check the Status of the SYSVOL and Netlogon Shares
13. Force Replication Between Domain Controllers

Identify 4eplication %artners
Eou can use this procedure to e-amine the connection ob,ects for a domain controller and identif its replication partners& Membership in Domain Admins( or eFuivalent( is the minimum reFuired to complete this procedure& *evie% details about using the appropriate accounts and group memberships at http:33go&microsoft&com3f%lin03P+in0'dQ87A<<&

628

o identify replication partners 6& 4pen Active Director Sites and Services: 4n the Start menu( point to Administrative ools( and then clic0 Active Directory Sites and Services& 2& 'n the console tree( double/clic0 the Sites container to displa the list of sites& 7& Double/clic0 the site that contains the domain controller for %hich ou %ant to determine connection ob,ects& Note 'f ou do not 0no% the site in %hich the domain controller is located( open a command prompt and t pe ipconfig to get the 'P address of the domain controller& )se the 'P address to verif that an 'P address maps to a subnet( and then determine the site association& A& Double/clic0 the Servers folder to displa the list of servers in that site& 8& Double/clic0 the server ob,ect for the domain controller %hose replication partners ou %ant to identif to displa its 9TDS Settings ob,ect& :& Clic0 the N DS Settings ob,ect to displa the list of connection ob,ects in the details pane& "These ob,ects represent inbound connections that are used for replication to the server&# The #rom Server column displa s the names of the domain controllers that are source replication partners for the selected server ob,ect&

Check the Status of the S2S5O+ and Netlogon Shares
Eou can use this procedure to ma0e sure that the Distributed =ile S stem "D=S# *eplication service is started properl and then ensure that the s svol shared folder and netlogon "scripts# shared folder are created and shared& =or information about chec0ing SESB4+ status for =ile *eplication Service "=*S#( see the $indo%s Server 2007 topic Chec0 the status of the shared SESB4+ "http:33go&microsoft&com3f%lin03P+in0'dQ620<<A#& Membership in Domain Admins( or eFuivalent( is reFuired to complete this procedure& *evie% details about using the appropriate accounts and group memberships at http:33go&microsoft&com3f%lin03P+in0'dQ87A<<& o check the status of the S2S5O+ and Netlogon shares 6& 4n the Start menu( point to Administrative ools( and then clic0 Services& 2& Berif that the D#S 4eplication service and the Netlogon service have a status of Started& 'f a service is stopped( clic0 4estart& 7& 4pen a Command Prompt as an administrator: 4n the Start menu( right/clic0 62:

Command %rompt( and then clic0 4un as administrator& 'f the 3ser Account Control dialog bo- appears( provide Domain Admins credentials( if reFuired( and then clic0 Continue& A& To verif that the SESB4+ tree includes the s svol and scripts shared folders( at the command prompt( t pe the follo%ing command( and then press 19T1*:
net s&are

8& Chec0 the list to be sure that it includes 1systemroot1(! !234(sysvo"( "the SESB4+ share# and 1systemroot1(! !234(sysvo"(<Domain Name>(!506PT! "the 91T+4549 share#( %here <Domain Name> is the domain of the ne% domain controller& Note 'f neither 1systemroot1(! !234(sysvo"( nor 1systemroot1(! !234(sysvo"(<Domain Name>(!506PT! are present( see Berif Active Director *eplication& :& Berif that the proper permissions are set for SESB4+ replication& At the command prompt( t pe the follo%ing command( and then press 19T1*:
dcdiag /test:net"ogons

+oo0 for a message that states that <5omputerName> passed test Net4ogons( %here <5omputerName> is the name of the domain controller& 'f ou do not see the Npassed testO message( chec0 the permissions that are set on the Scripts and S svol shared folders& =or information about default SESB4+ permissions( see *eappl Default SESB4+ Securit Settings&

5erify Active Directory 4eplication
Eou can use this procedure to verif that Active Director replication is functioning properl on a domain controller& Membership in Domain Admins( or eFuivalent( is reFuired to complete this procedure& *evie% details about using the appropriate accounts and group memberships at http:33go&microsoft&com3f%lin03P+in0'dQ87A<<& o verify Active Directory replication 6& 4pen a Command Prompt as an administrator: 4n the Start menu( right/clic0 Command %rompt( and then clic0 4un as administrator& 'f the 3ser Account Control dialog bo- appears( provide Domain Admins credentials( if reFuired( and then clic0 Continue& 2& At the command prompt( t pe the follo%ing command( and then press 19T1*:
dcdiag /test:rep"ications

Note 62<

=or more detailed replication information( use the

/v

option&

'f this test fails( open 1vent Bie%er and chec0 for errors in the Director Service log& )se the information in the ActiveDirector IDomainService replication events to troubleshoot the problem&

Gather the S2S5O+ %ath Information
When you relocate the SYSVOL tree or staging areas subtree, it is helpful to record the current and new values for the path locations in the SYSVOL tree that are required for SYSVOL to function. By recording these values in advance, you can facilitate the move process. When you move SYSVOL, you first copy the folder structure to a new location. Then, you update the locations where folder paths are specified: junction points in the file system, Netlogon parameters in the registry, and attributes in Active Directory Domain Services (AD DS). As an option, you can relocate the staging areas subtree and leave the rest of the SYSVOL tree at its original location. In this case, you must update an attribute in AD DS, but the junction point for the staging areas folder is updated automatically. You also have to record this path information when you are rebuilding SYSVOL on one domain controller by importing the SYSVOL of another domain controller.

Note
The instructions in this procedure relate to domains in which Distributed File System (DFS) Replication is used to replicate SYSVOL. For information about relocating SYSVOL when you use File Replication Service (FRS), see Relocating SYSVOL Manually (http://go.microsoft.com/fwlink/?LinkId=122890).

For more information about the folder structure and the relationships between the folders and the path information that is stored in the registry, AD DS, and the SYSVOL directory itself, see Introduction to Administering DFS-Replicated SYSVOL.

You can use these procedures to locate the SYSVOL path information and then record the values in the following table. Use the rows and columns in the table according to the goals of your procedure. Record the current values and also the new values if you are moving the SYSVOL tree or the staging areas subtree or if you are rebuilding SYSVOL:

• Relocating the entire SYSVOL tree: Record the current and new path values in rows 1 through 5.
• Relocating the staging areas subtree only: Record the current and new path values in rows 2 and 5.
• Restoring and rebuilding SYSVOL: Record path information as follows:
  • Record the current values from the domain controller that you are restoring in rows 1, 2, and 3.
  • In the Current Value column in rows 4 and 5, record the values in the junction points that are located on the domain controller from which you are copying the SYSVOL folder structure.
  • In the New Value column in rows 4 and 5, record the values in the junction points that are located on the domain controller whose SYSVOL you are rebuilding.

Row  Parameter                                   Current value   New value
1    msDFSR-RootPath in AD DS
2    msDFSR-StagingPath in AD DS
3    SysVol Netlogon parameter in the registry
4    Sysvol junction point
5    Staging areas junction point

To gather the SYSVOL path information
Perform the following procedures to gather values for SYSVOL paths and record the data in the preceding table.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To determine the msDFSR-RootPath and the msDFSR-StagingPath values in AD DS
1. Click Start, point to Administrative Tools, and then click ADSI Edit.
2. Right-click ADSI Edit, and then, if the domain whose path information you want to check is not listed, click Connect to.
3. Under Connection Point, click Select a well known Naming Context, click Default naming context, and then click OK.
4. In the tree view, expand the domain component, and then expand OU=Domain Controllers.
5. Double-click the container that represents a domain controller on which you can check the path information, double-click CN=DFSR-LocalSettings, and then click CN=Domain System Volume.
6. In the details pane, right-click CN=SYSVOL Subscription, and then click Properties.
7. Click Filter. Ensure that Show mandatory attributes is selected. Select this option if it is not selected.
8. In Attributes, locate msDFSR-RootPath and msDFSR-StagingPath, and then record the current values in rows 1 and 2, respectively, in the previous table. If you are moving SYSVOL, also record the new values for the new location in both rows. If you are moving the staging areas subtree, record the new path value in row 2.
9. Click Cancel to close the CN=Subscription Properties dialog box.

To determine the SysVol Netlogon parameter value in the registry
1. Click Start, click Run, type regedit, and then press ENTER.
2. In Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. In the details pane, double-click SysVol. The current value is listed in Value data.
4. Record the current value in row 3 of the previous table, and then click Cancel to close the Edit String dialog box. If you are moving SYSVOL, also record the new value for the new location.
5. Close Registry Editor.

To determine the value in the sysvol junction point
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, change the directory to %systemroot%\SYSVOL\sysvol, or to the current location if SYSVOL has been moved from the default location.
3. To view the junction point for the sysvol folder, at the command prompt, type the following command, and then press ENTER:
dir /a:L
4. Record the current value in row 4 in the previous table. If you are moving SYSVOL, also record the new value for the new location.

To determine the value in the staging areas junction point
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, change the directory to %systemroot%\SYSVOL\staging areas or to the current location if the staging areas subtree has been moved from the default location.
3. To view the junction point for the staging areas folder, at the command prompt, type the following command, and then press ENTER:
dir /a:L
4. The output identifies the <JUNCTION> folder type and the value that is stored in the staging areas junction point in brackets. For example, the default value is [Drive:\%systemroot%\SYSVOL\staging\domain] (or, if SYSVOL has been migrated from FRS to DFS Replication, [Drive:\%systemroot%\SYSVOL_DFSR\staging\domain]). Record the current value in row 5 of the previous table. If you are moving SYSVOL or the staging areas subtree, also record the new value for the new location.
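The four procedures above read the same five values by hand. As an added example that is not part of the Microsoft guide, the following Windows PowerShell script collects them from the domain controller it runs on and prints them in the layout of the table above, with the New value column left blank. It assumes an elevated PowerShell 3.0 or later session as a member of Domain Admins, that SYSVOL is replicated by DFS Replication (so the msDFSR-* attributes exist), that the DC's computer object is below OU=Domain Controllers, and the default folder layout in which the staging areas folder sits in the SYSVOL root.

```powershell
# Added example (not Microsoft's code): gather the five SYSVOL path values from this DC.
# Assumes: elevated Windows PowerShell 3.0+, Domain Admins, DFS-Replicated SYSVOL,
# the DC's computer object under OU=Domain Controllers, and the default folder layout.

function Get-JunctionTarget {
    # Runs the same "dir /a:L" the procedure uses and returns "name -> [target]" for each <JUNCTION>.
    param([Parameter(Mandatory)][string]$Folder)
    if (-not (Test-Path -LiteralPath $Folder)) { return "(folder not found: $Folder)" }
    $lines = & cmd.exe /c dir /a:L $Folder 2>$null
    $targets = foreach ($line in $lines) {
        if ($line -match '<JUNCTION>\s+(?<Name>\S.*?)\s+\[(?<Target>[^\]]+)\]\s*$') {
            '{0} -> {1}' -f $Matches.Name, $Matches.Target
        }
    }
    if ($targets) { $targets -join '; ' } else { '(no junction point found)' }
}

function Get-SysvolPathInformation {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDN = [string]$rootDse.defaultNamingContext

    # Rows 1 and 2: CN=SYSVOL Subscription below this DC's computer object (what ADSI Edit shows).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://OU=Domain Controllers,$domainDN",
        "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))")
    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer object for $env:COMPUTERNAME not found under OU=Domain Controllers." }
    $dcDN = [string]$result.Properties['distinguishedname'][0]
    $sub  = [ADSI]"LDAP://CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$dcDN"
    $rootPath    = [string]$sub.'msDFSR-RootPath'       # e.g. C:\Windows\SYSVOL\domain
    $stagingPath = [string]$sub.'msDFSR-StagingPath'    # e.g. C:\Windows\SYSVOL\staging\domain

    # Row 3: the folder Netlogon shares as SYSVOL (the SysVol registry value).
    $netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $sysvolShare = (Get-ItemProperty -Path $netlogonKey -Name SysVol).SysVol

    # Rows 4 and 5: the sysvol junction lives in the shared sysvol folder; the staging areas
    # folder is assumed (default layout) to be <SYSVOL root>\staging areas.
    $sysvolRoot   = Split-Path -Parent $rootPath
    $stagingAreas = Join-Path $sysvolRoot 'staging areas'

    $rows = @(
        @{ Row = 1; Parameter = 'msDFSR-RootPath in AD DS';                  CurrentValue = $rootPath }
        @{ Row = 2; Parameter = 'msDFSR-StagingPath in AD DS';               CurrentValue = $stagingPath }
        @{ Row = 3; Parameter = 'SysVol Netlogon parameter in the registry'; CurrentValue = $sysvolShare }
        @{ Row = 4; Parameter = 'Sysvol junction point';                     CurrentValue = (Get-JunctionTarget -Folder $sysvolShare) }
        @{ Row = 5; Parameter = 'Staging areas junction point';              CurrentValue = (Get-JunctionTarget -Folder $stagingAreas) }
    )
    foreach ($r in $rows) {
        # NewValue is left blank for you to fill in when moving or rebuilding SYSVOL.
        [pscustomobject]@{ Row = $r.Row; Parameter = $r.Parameter; CurrentValue = $r.CurrentValue; NewValue = '' }
    }
}

Get-SysvolPathInformation | Format-Table -AutoSize -Wrap
```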

Stop the DFS Replication Service and Netlogon Service
You can use this procedure to stop the Distributed File System (DFS) Replication service and the Netlogon service when you are performing offline updates to the SYSVOL tree. The Netlogon service advertises the server as a domain controller by sharing out the SYSVOL folder. The services must be turned off until updates to the SYSVOL path information are complete and the SYSVOL junction point has been updated for the new location. You can use the Windows graphical user interface (GUI) or the command line to stop the DFS Replication service and the Netlogon service.

Note
The staging path junction point is updated automatically when DFS Replication is restarted.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To stop the DFS Replication service or Netlogon service, or both, by using the Windows GUI
1. On the Start menu, point to Administrative Tools, and then click Services.
2. In the Name column, right-click DFS Replication or Netlogon, and then click Stop.

To stop the DFS Replication service and the Netlogon service by using the command line
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
net stop dfsr
3. At the command prompt, type the following command, and then press ENTER:
net stop netlogon

After you move or restore SYSVOL, when you update the SYSVOL Netlogon path in the registry, you must also update the SysvolReady parameter in Netlogon parameters, as described in Change the SYSVOL Netlogon Parameters.

Copy SYSVOL to a New Location
If you want to relocate the SYSVOL directory, you can use this procedure to create the new directory location and copy the SYSVOL folders to the new location. By default, the root of the SYSVOL directory is located at %systemroot%\SYSVOL. To move SYSVOL properly, you must correctly copy the contents of the SYSVOL folder. A subfolder of the default %systemroot%\SYSVOL location is also named sysvol. Ensure that you copy the root folder (%systemroot%\SYSVOL) and not the subfolder (%systemroot%\SYSVOL\sysvol).

Important
To retain the SYSVOL security settings, you must use the proper robocopy command, as described in this procedure. If you perform a simple copy and paste in Windows Explorer, security settings are not copied. In this case, you must reapply security settings. For information about reapplying security settings, see Reapply Default SYSVOL Security Settings. For information about using robocopy, see Robocopy (http://go.microsoft.com/fwlink/?LinkId=122544).

Before you perform this procedure, you must have performed the following procedures:
• Identify Replication Partners. After you relocate SYSVOL, you will force replication of the changes to replication partners so that SYSVOL is updated as soon as possible on other domain controllers.
• Check the Status of the SYSVOL and Netlogon Shares. Make sure that the sysvol and scripts folders are shared on the domain controller.
• Verify Active Directory Replication. Make sure that you resolve any replication issues before you move SYSVOL.
• Gather the SYSVOL Path Information. You must have the current path information, and you must also document the new location.
• Stop the DFS Replication Service and Netlogon Service. Do not make any changes to the SYSVOL location while these services are running.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To copy SYSVOL to a new location
1. In Windows Explorer, create a new folder for the new location of SYSVOL. This folder must be empty.
2. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
3. Change directories to the existing SYSVOL directory that you want to move. By default, the path to this directory is %systemroot%\SYSVOL.
4. At the command prompt, type the following command, and then press ENTER:
robocopy <Source Folder> <Destination Folder> /copyall /mir /b /r:0 /xd "DfsrPrivate" /xf "DfsrPrivate"

Note
The destination folder must be empty.

Parameter              Description
<Source Folder>        The path to the SYSVOL directory that you are copying. The default location is %systemroot%\SYSVOL.
<Destination Folder>   The path to the new SYSVOL location that you created in step 1.
/copyall               Copies the following file information: data, attributes, time stamps, NTFS access control list (ACL), owner information, and auditing information.
/mir                   Mirrors the directory tree that you are copying.
/b                     Copies files in backup mode. Robocopy uses backup mode to override file and folder permission settings (ACLs).
/r:0                   Specifies performing 0 (zero) retries on failed copies.
/xd "DfsrPrivate"      Excludes the DfsrPrivate directory from the copy.
/xf "DfsrPrivate"      Excludes the DfsrPrivate file from the copy.

5. Verify that the folder structure was copied correctly. To compare the new folder structure to the original, open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
6. Change directories to the new SYSVOL folder. To list the contents of the folder and subfolders by size, type the following command, and then press ENTER:
dir /s
Compare the output with the output for the original SYSVOL folder. Ensure that all folders exist and that file sizes are the same. If any folders are missing at the new location (such as \scripts), re-create them.
7. Verify that the security settings on the moved SYSVOL are the same as the settings on the original location.
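Steps 6 and 7 compare the two trees by eye. As an added example that is not part of the Microsoft guide, the following Windows PowerShell script does both comparisons for every item: the set of files and folders and each file's size (the dir /s comparison) and each item's security descriptor as SDDL (step 7), reporting only the differences. It assumes PowerShell 3.0 or later run as a member of Domain Admins so that every ACL is readable, ignores the DfsrPrivate folder because the robocopy command above excludes it, and uses the guide's D:\ContosoRoot\SYSVOL example as the destination path.

```powershell
# Added example (not Microsoft's code): compare the original SYSVOL tree with the copy.
# Assumes: Windows PowerShell 3.0+, run as Domain Admins; DfsrPrivate was excluded by robocopy.

function Get-SysvolTreeMap {
    # Returns a hashtable: relative path -> (Length, Sddl). Folders get Length -1.
    param([Parameter(Mandatory)][string]$Root)
    $map       = @{}
    $rootFull  = (Get-Item -LiteralPath $Root).FullName.TrimEnd('\')
    $junctions = New-Object System.Collections.Generic.List[string]
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction Stop | ForEach-Object {
        $rel = $_.FullName.Substring($rootFull.Length).TrimStart('\')
        if ($rel -match '(^|\\)DfsrPrivate(\\|$)') { return }
        # Items reached through a junction (for example sysvol\<FQDN>) are the same files as
        # the domain folder, so the junction itself is recorded but nothing below it.
        foreach ($j in $junctions) { if ($rel.StartsWith($j + '\')) { return } }
        if ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) { $junctions.Add($rel) }
        $map[$rel] = [pscustomobject]@{
            Length = if ($_.PSIsContainer) { -1 } else { $_.Length }
            Sddl   = (Get-Acl -LiteralPath $_.FullName).Sddl
        }
    }
    return $map
}

function Compare-SysvolCopy {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination
    )
    $src = Get-SysvolTreeMap -Root $Source
    $dst = Get-SysvolTreeMap -Root $Destination
    $allPaths = @($src.Keys) + @($dst.Keys) | Sort-Object -Unique
    $differences = foreach ($rel in $allPaths) {
        if (-not $dst.ContainsKey($rel)) {
            [pscustomobject]@{ Path = $rel; Problem = 'missing at destination (re-create it)' }
        } elseif (-not $src.ContainsKey($rel)) {
            [pscustomobject]@{ Path = $rel; Problem = 'extra at destination' }
        } elseif ($src[$rel].Length -ne $dst[$rel].Length) {
            [pscustomobject]@{ Path = $rel; Problem = 'size differs' }
        } elseif ($src[$rel].Sddl -ne $dst[$rel].Sddl) {
            [pscustomobject]@{ Path = $rel; Problem = 'security descriptor differs' }
        }
    }
    if ($differences) { $differences }
    else { "No differences found between $Source and $Destination." }
}

# Destination path taken from the mklink example in this guide; adjust to your layout.
Compare-SysvolCopy -Source "$env:SystemRoot\SYSVOL" -Destination 'D:\ContosoRoot\SYSVOL'
```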

Create the SYSVOL Root Junction Point
If you move the SYSVOL tree, you must create a junction point that is named for the fully qualified domain name (FQDN) of the domain. You create this junction point under <NewLocationForSYSVOL>\sysvol. The junction point must point to <NewLocationForSYSVOL>\domain. If you move the tree or if hardware reconfiguration results in a change in the drive letter, you must recreate the SYSVOL junction point for the new location. To perform this procedure, you can use the Mklink.exe command-line tool, which is included with Windows Server 2008.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To create the sysvol root junction point
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, change the directory to the new sysvol root location, for example, FolderName\SYSVOL\sysvol.
3. To create the junction point for the sysvol root, at the command prompt, type the following command, and then press ENTER:
mklink /J <FQDN> <New sysvol root junction path>

Example:
mklink /J contoso.com D:\ContosoRoot\SYSVOL\domain

Parameter                                         Definition
mklink /J <FQDN> <New sysvol root junction path>  Creates a junction point for the specified domain in the specified path location.
<FQDN>                                            The fully qualified domain name of the SYSVOL domain.
<New sysvol root junction path>                   The drive letter and path to the SYSVOL root, for example, Drive:\FolderName\SYSVOL\domain or Drive:\FolderName\SYSVOL_DFSR\domain if SYSVOL has been migrated from File Replication Service (FRS) to Distributed File System (DFS) Replication.

4. To verify the creation of the junction point, at the command prompt, type the following command, and then press ENTER:
dir /a:L
Verify the presence of the <JUNCTION> folder type and the value that you specified in step 3.

Change the SYSVOL Root Path or Staging Areas Path, or Both
If you are moving the SYSVOL tree or the SYSVOL staging areas tree, or if you are updating these locations after hardware reconfiguration that has resulted in a drive letter change, you can use this procedure to change the SYSVOL root path, the staging areas path, or both in Active Directory Domain Services (AD DS). Before you perform this procedure, you must stop the Distributed File System (DFS) Replication service and the Netlogon service, as described in Stop the DFS Replication Service and Netlogon Service.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To change the SYSVOL root path or the staging areas path, or both
1. Click Start, point to Administrative Tools, and then click ADSI Edit.
2. Right-click ADSI Edit, and then, if the domain whose path information you want to check is not listed, click Connect to.
3. Under Connection Point, click Select a well known Naming Context, click Default naming context, and then click OK.
4. In the console tree, expand the domain component, and then expand OU=Domain Controllers.
5. Double-click the container that represents a domain controller on which you can check the path information, double-click CN=DFSR-LocalSettings, and then click CN=Domain System Volume.
6. In the details pane, right-click CN=SYSVOL Subscription, and then click Properties.
7. Click Filter. Ensure that Show mandatory attributes is selected. Select this option if it is not selected.
8. In Attributes, double-click one or both of the following:
  • msDFSR-RootPath to change the SYSVOL root path.
  • msDFSR-StagingPath to change the SYSVOL staging areas path.
9. In Value, type the new folder path, and then click OK.
10. Click OK to close the CN=Subscription Properties dialog box.

See Also
Start the DFS Replication Service and Netlogon Service

Change the SYSVOL Netlogon Parameters
When you are relocating the SYSVOL tree, you can use this procedure to update the registry parameter that the Netlogon service uses to discover the path to the SYSVOL\sysvol shared folder. Netlogon advertises the shared folder location based on this registry entry. The default value in this entry is Drive:\%systemroot%\SYSVOL\sysvol. If you move the SYSVOL tree to a different folder or drive, or both, or if only the drive letter changes as a result of hardware updates, you must update this Netlogon parameter. When you update the SysVol Netlogon parameter in the registry, you must also change the SysvolReady Netlogon parameter so that SYSVOL is not advertised until all new path values have been initialized.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To change the SYSVOL Netlogon parameters
1. Click Start, click Run, type regedit, and then press ENTER.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. Right-click SysVol, and then click Modify.
4. In the Value data box, type the new path, including the drive letter, and then click OK.
5. Right-click SysvolReady, and then click Modify.
6. In the Value data box, type 0, and then click OK.
7. Close Registry Editor.

Note
The path in the SysVol registry entry points to the sysvol shared folder, which is located inside the parent SYSVOL folder that is under the root (by default, Drive:\%systemroot%\SYSVOL\sysvol). When you update the path, ensure that it still identifies the sysvol shared folder within the parent SYSVOL folder. If you have moved the SYSVOL tree, the root folder will change. Be sure to also change the drive letter to its new value if this has changed.
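This procedure and the preceding one (Change the SYSVOL Root Path or Staging Areas Path, or Both) edit three values with two different tools. As an added example that is not part of the Microsoft guide, the following Windows PowerShell function applies all three in one step and refuses to run while DFS Replication or Netlogon is still running, as both procedures require. It assumes an elevated PowerShell 3.0 or later session as a member of Domain Admins on the domain controller whose paths change, a computer object in the default OU=Domain Controllers, folders that already exist because SYSVOL was copied first, and the guide's D:\ContosoRoot\SYSVOL example as the new location.

```powershell
# Added example (not Microsoft's code): set msDFSR-RootPath / msDFSR-StagingPath in AD DS and
# the Netlogon SysVol and SysvolReady registry values, only while DFSR and Netlogon are stopped.
# Assumes: elevated Windows PowerShell 3.0+, Domain Admins, run on the affected DC, the DC's
# computer object under OU=Domain Controllers, and new folders that already exist.

function Set-SysvolPathInformation {
    param(
        # New value for msDFSR-RootPath, for example D:\ContosoRoot\SYSVOL\domain.
        [string]$NewRootPath,
        # New value for msDFSR-StagingPath, for example D:\ContosoRoot\SYSVOL\staging\domain.
        [string]$NewStagingPath,
        # New Netlogon SysVol value; must be the sysvol folder inside the SYSVOL root,
        # for example D:\ContosoRoot\SYSVOL\sysvol, not the root itself.
        [string]$NewNetlogonSysvol
    )
    # The services must be stopped first; otherwise Netlogon keeps advertising the old share.
    foreach ($name in 'DFSR', 'Netlogon') {
        if ((Get-Service -Name $name).Status -ne 'Stopped') {
            throw "The $name service must be stopped before SYSVOL paths are changed (net stop $name)."
        }
    }
    foreach ($p in @($NewRootPath, $NewStagingPath, $NewNetlogonSysvol) | Where-Object { $_ }) {
        if (-not (Test-Path -LiteralPath $p -PathType Container)) { throw "Folder not found: $p" }
    }
    if ($NewNetlogonSysvol -and (Split-Path -Leaf $NewNetlogonSysvol) -ne 'sysvol') {
        throw "SysVol must point at the sysvol shared folder, not the SYSVOL root: $NewNetlogonSysvol"
    }

    if ($NewRootPath -or $NewStagingPath) {
        # The same CN=SYSVOL Subscription object that ADSI Edit shows in steps 4 to 6.
        $domainDN = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
        $sub = [ADSI]("LDAP://CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings," +
                      "CN=$env:COMPUTERNAME,OU=Domain Controllers,$domainDN")
        if ($NewRootPath)    { $sub.Put('msDFSR-RootPath',    $NewRootPath) }
        if ($NewStagingPath) { $sub.Put('msDFSR-StagingPath', $NewStagingPath) }
        $sub.SetInfo()   # commits both attributes in one write
    }

    if ($NewNetlogonSysvol) {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        Set-ItemProperty -Path $key -Name SysVol -Value $NewNetlogonSysvol
        # SysvolReady=0 keeps Netlogon from advertising SYSVOL until the new paths are initialized.
        Set-ItemProperty -Path $key -Name SysvolReady -Value 0 -Type DWord
    }
}

# Example values based on the mklink example in this guide; adjust to your layout.
Set-SysvolPathInformation -NewRootPath 'D:\ContosoRoot\SYSVOL\domain' `
                          -NewStagingPath 'D:\ContosoRoot\SYSVOL\staging\domain' `
                          -NewNetlogonSysvol 'D:\ContosoRoot\SYSVOL\sysvol'
```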

Reapply Default SYSVOL Security Settings
When you relocate the entire SYSVOL directory, you can use a robocopy command that transfers all security settings with the files when you copy them. Therefore, when you use the procedure in Administering the Windows Time Service to relocate SYSVOL, updating security settings is not required. However, if security settings are in question, you can use this procedure to reapply the default security settings to SYSVOL folders. The settings will be the equivalent of the settings that are set by default during installation of Active Directory Domain Services (AD DS). If additional security settings have been applied to SYSVOL folders since AD DS was installed, you must reapply those settings manually after you complete this procedure.

Caution
Failure to reapply security changes that were made after AD DS was installed might result in unauthorized access to logon and logoff scripts and Group Policy objects (GPOs).

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To reapply default SYSVOL security settings
1. Click Start, click Run, type regedit, and then press ENTER.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. Double-click SysVol, and note the path in Value data.
3. In Control Panel, double-click System.
4. Under Tasks, click Advanced System Settings.
5. On the Advanced tab, click Environment Variables.
6. Under System Variables, click New.
7. For Variable name, type sysvol.
8. For Variable value, type the path that you noted in step 2.
9. Click OK twice. Click OK again to close System Properties.
10. Open Notepad, and then enter the following information:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Profile Description]
Description=default perms for sysvol
[File Security]
;"%SystemRoot%\SYSVOL",0,"D:AR(A;OICI;FA;;;BA)"
"%Sysvol%",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
"%Sysvol%\domain\policies",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;PA)"
Use this file to apply the security settings to the new SYSVOL folders.

Note
Do not include a space between the sets of parentheses.

11. Save this file as Sysvol.inf.
12. Open a new Command Prompt. Do not use an existing command prompt that has been open on your desktop because it will not have the proper environment settings. Change the directory to the folder where you saved the Sysvol.inf file in step 11.
13. At the new command prompt, type the following command all on one line, and then press ENTER:
secedit /configure /cfg <path>\sysvol.inf /db <path>\sysvol.db /overwrite

Parameter                            Description
/configure                           Performs directed configurations.
/cfg <path> (to security template)   Specifies the path where you saved Sysvol.inf in step 11.
/db <path> (to database)             Specifies the path to the database that is used to perform the security configuration.
/overwrite                           Specifies that the database should be emptied before it is imported into the security template. If this parameter is not specified, the settings in the security template are accumulated into the database. If this parameter is not specified and there are conflicting settings in the database and the template that is being imported, the template settings take precedence.

Start the DFS Replication Service and Netlogon Service
After you relocate the SYSVOL tree or the SYSVOL staging area, or both, use this procedure to restart the Distributed File System (DFS) Replication service, the Netlogon service, or both. After you restart the service or services, review the event log to ensure that the services restarted successfully. You can use the Windows graphical user interface (GUI) or the command line to start the DFS Replication service and the Netlogon service.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To start the DFS Replication service or Netlogon service, or both, by using the Windows GUI
1. On the Start menu, point to Administrative Tools and then click Services.
2. In the Name column, right-click DFS Replication or Netlogon, and then click Restart.

To start the DFS Replication service or Netlogon service, or both, by using the command line
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. To start the DFS Replication service, at the command prompt, type the following command, and then press ENTER:
net start dfsr
3. To start the Netlogon service, at the command prompt, type the following command, and then press ENTER:
net start netlogon

Notes
• You can use Event Viewer to verify that DFS Replication restarted correctly. In the DFS Replication log (in Applications and Services Logs), Event ID 1004 indicates that the service restarted. Look for Event IDs 1210, 1206, and 6102 to verify that the domain controller is running and ready for service. If you moved SYSVOL to a new location or relocated the staging areas folder, look for Event IDs 4604 and 6018, which indicate success. Event ID 7036 in the System event log reports that the Netlogon service is running. This event reports on all services that are stopped or started.
• Also verify that the Netlogon service is sharing the sysvol (SYSVOL share) and scripts (NETLOGON share) folders. At a command prompt, type net share, and then press ENTER.
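The notes above list the events and shares to look for by hand. As an added example that is not part of the Microsoft guide, the following Windows PowerShell function performs those checks on the restarted domain controller and returns a pass/fail line for each, counting only events logged within a recent window so that an earlier successful restart cannot mask a failed one. It assumes PowerShell 3.0 or later and the log name DFS Replication as shown in Event Viewer under Applications and Services Logs.

```powershell
# Added example (not Microsoft's code): verify the restart using the event IDs and shares
# named in the notes above. Assumes Windows PowerShell 3.0+ on the restarted DC.

function Test-SysvolRestart {
    param(
        # Only events logged within this window count, so old successes do not mask a failed restart.
        [int]$MinutesBack = 30,
        # Set when SYSVOL or the staging areas folder was moved, to also require the move events.
        [switch]$Moved
    )
    $since = (Get-Date).AddMinutes(-$MinutesBack)

    # DFS Replication log: 1004 service restarted; 1210, 1206, 6102 DC running and ready.
    $dfsrIds = @(Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; StartTime = $since } `
                     -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })

    # System log 7036 is written by the Service Control Manager for every service state change;
    # the one that matters here is the message saying Netlogon entered the running state.
    $netlogonRunning = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7036; StartTime = $since } `
                             -ErrorAction SilentlyContinue |
                         Where-Object { $_.Message -match 'Netlogon' -and $_.Message -match 'running' }).Count -gt 0

    # "net share" is the command the note tells you to type; keep the two shares Netlogon creates.
    $shares = @(net share 2>$null | Where-Object { $_ -match '^(SYSVOL|NETLOGON)\s' })

    $checks = @(
        [pscustomobject]@{ Check = 'DFS Replication service restarted (1004)';            Pass = $dfsrIds -contains 1004 }
        [pscustomobject]@{ Check = 'DC running and ready for service (1210, 1206, 6102)'; Pass = @(1210, 1206, 6102 | Where-Object { $dfsrIds -notcontains $_ }).Count -eq 0 }
        [pscustomobject]@{ Check = 'Netlogon running (System 7036)';                      Pass = $netlogonRunning }
        [pscustomobject]@{ Check = 'SYSVOL share present (net share)';                    Pass = ($shares -match '^SYSVOL\s').Count -gt 0 }
        [pscustomobject]@{ Check = 'NETLOGON share present (net share)';                  Pass = ($shares -match '^NETLOGON\s').Count -gt 0 }
    )
    if ($Moved) {
        $checks += [pscustomobject]@{ Check = 'Relocation succeeded (4604, 6018)'; Pass = @(4604, 6018 | Where-Object { $dfsrIds -notcontains $_ }).Count -eq 0 }
    }
    $checks
}

Test-SysvolRestart -Moved | Format-Table -AutoSize
```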

Force Replication Between Domain Controllers
You can use this procedure to force Active Directory replication to occur between two domain controllers on a one-time basis when you want changes to be replicated from the server that received the changes to a server in another site sooner than the site link schedule allows. As an alternative, you can synchronize replication with all replication partners.

Membership in Enterprise Admins, or equivalent, is required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To force replication over a connection
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand Sites, and then expand the site to which you want to force replication from the updated server.
3. Expand the Servers container to display the list of servers that are currently configured for that site.
4. Expand the server objects and click their NTDS Settings objects to display their connection objects in the details pane. Find a server that has a connection object from the server on which you made the updates.
5. Click NTDS Settings below the server object. In the details pane, right-click the connection object whose From Server is the domain controller that has the updates that you want to replicate, and then click Replicate Now.
6. When the Replicate Now message box appears, review the information, and then click OK.

See Also
Synchronize Replication with All Partners

Updating the SYSVOL Path
When you add or remove disk drives, the logical drive letters of the other drives on the system can change. If either your %systemroot%\SYSVOL\sysvol folder or your %systemroot%\SYSVOL\staging areas folder is located on one of the drives whose letter changes, Distributed File System (DFS) Replication cannot locate these folders. To solve this problem, you must update the paths that DFS Replication uses to locate these folders.

Before you update SYSVOL path information, you must stop the DFS Replication service and the Netlogon service. To change the path for the %systemroot%\SYSVOL\sysvol root folder and staging areas folder, you update path values in Active Directory Domain Services (AD DS). You also update the registry to change the path to the %systemroot%\SYSVOL\sysvol shared folder that is used by the Netlogon service. In addition, you must update the junction point that references the %systemroot%\SYSVOL\domain folder in the SYSVOL tree. The junction point that references the domain folder in the staging areas subdirectory (%systemroot%\SYSVOL\staging areas\DomainName) is updated automatically when you restart DFS Replication and Netlogon.

After you update the path information, when you restart DFS Replication and Netlogon, the new path values are initialized. To be sure that SYSVOL is not advertised on the network before the new paths are initialized, you must also modify the SysvolReady Netlogon parameter while the services are stopped. You can make this change at the same time you update the SysVol Netlogon path in the registry.

Task requirements
The following tools are required to perform the procedures for this task:
• Net.exe
• ADSI Edit
• Regedit.exe
• Dir.exe
• Mklink.exe

To complete this task, perform the following procedures in order:
1. Gather the SYSVOL Path Information
2. Stop the DFS Replication Service and Netlogon Service
3. Change the SYSVOL Netlogon Parameters
4. Create the SYSVOL Root Junction Point
5. Start the DFS Replication Service and Netlogon Service

Gather the S2S5O+ %ath Information
$hen ou relocate the SESB4+ tree or staging areas subtree( it is helpful to record the current and ne% values for the path locations in the SESB4+ tree that are reFuired for SESB4+ to function& > recording these values in advance( ou can facilitate the move process& $hen ou move SESB4+( ou first cop the folder structure to a ne% location& Then( ou update the locations %here folder paths are specified: ,unction points in the file s stem( 9etlogon parameters in the registr ( and attributes in Active Director Domain Services "AD DS#& As an option( ou can relocate the staging areas subtree and leave the rest of the SESB4+ tree at its original location& 'n this case( ou must update an attribute in AD DS( but the ,unction point for the staging areas folder is updated automaticall & Eou also have to record this path information %hen ou are rebuilding SESB4+ on one domain controller b importing the SESB4+ of another domain controller& Note The instructions in this procedure relate to domains in %hich Distributed =ile S stem "D=S# *eplication is used to replicate SESB4+& =or information about relocating SESB4+ %hen ou use =ile *eplication Service "=*S#( see *elocating SESB4+ Manuall "http:33go&microsoft&com3f%lin03P+in0'dQ6228?0#& =or more information about the folder structure and the relationships bet%een the folders and the path information that is stored in the registr ( AD DS( and the SESB4+ director itself( see 'ntroduction to Administering D=S/*eplicated SESB4+& Eou can use these procedures to locate the SESB4+ path information and then record the values in the follo%ing table& )se the ro%s and columns in the table according to the goals of our procedure& *ecord the current values and also the ne% values if ou are moving the SESB4+ tree or the staging areas subtree or if ou are rebuilding SESB4+: • *elocating the entire SESB4+ tree: *ecord the current and ne% path values in ro%s 6 through 8&

6A2

• *elocating the staging areas subtree onl : *ecord the current and ne% path values in ro%s 2 and 8& • *estoring and rebuilding SESB4+: *ecord path information as follo%s: • *ecord the current values from the domain controller that ou are restoring in ro%s 6( 2( and 7& • 'n the Current 5alue column in ro%s A and 8( record the values in the ,unction points that are located on the domain controller from %hich ou are cop ing the SESB4+ folder structure& • 'n the New 5alue column in ro%s A and 8( record the values in the ,unction points that are located on the domain controller %hose SESB4+ ou are rebuilding&
%arameter Current value New value

6 2 7 A 8

msD=S*/*ootPath in AD DS msD=S*/StagingPath in AD DS S sBol 9etlogon parameter in the registr S svol ,unction point Staging areas ,unction point

o gather the S2S5O+ path information
Perform the follo%ing procedures to gather values for SESB4+ paths and record the data in the preceding table& Membership in Domain Admins( or eFuivalent( is the minimum reFuired to complete this procedure& *evie% details about using the appropriate accounts and group memberships at http:33go&microsoft&com3f%lin03P+in0'dQ87A<<& o determine the msD#S4-4oot%ath and the msD#S4-Staging%ath values in AD DS 6& Clic0 Start( point to Administrative ools( and then clic0 ADSI .dit& 2& *ight/clic0 ADSI .dit( and then( if the domain %hose path information ou %ant to chec0 is not listed( clic0 Connect to& 7& )nder Connection %oint( clic0 Select a well known Naming Conte/t( clic0 Default naming conte/t( and then clic0 O(& A& 'n the tree vie%( e-pand the domain component( and then e-pand O3DDomain Controllers& 6A7

5. Double-click the container that represents a domain controller on which you can check the path information, double-click CN=DFSR-LocalSettings, and then click CN=Domain System Volume.
6. In the details pane, right-click CN=SYSVOL Subscription, and then click Properties.
7. Click Filter. Ensure that Show mandatory attributes is selected. Select this option if it is not selected.
8. In Attributes, locate msDFSR-RootPath and msDFSR-StagingPath, and then record the current values in rows 1 and 2, respectively, in the previous table. If you are moving SYSVOL, also record the new values for the new location in both rows. If you are moving the staging areas subtree, record the new path value in row 2.
9. Click Cancel to close the CN=SYSVOL Subscription Properties dialog box.

To determine the SysVol Netlogon parameter value in the registry
1. Click Start, click Run, type regedit, and then press ENTER.
2. In Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. In the details pane, double-click SysVol. The current value is listed in Value data.
4. Record the current value in row 3 of the previous table, and then click Cancel to close the Edit String dialog box. If you are moving SYSVOL, also record the new value for the new location.
5. Close Registry Editor.

To determine the value in the sysvol junction point
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, change the directory to %systemroot%\SYSVOL\sysvol, or to the current location if SYSVOL has been moved from the default location.
3. To view the junction point for the sysvol folder, at the command prompt, type the following command, and then press ENTER:

dir /a:l

4. Record the current value in row 4 of the previous table. If you are moving SYSVOL, also record the new value for the new location.

To determine the value in the staging areas junction point
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, change the directory to %systemroot%\SYSVOL\staging areas, or to the current location if the staging areas subtree has been moved from the default location.
3. To view the junction point for the staging areas folder, at the command prompt, type the following command, and then press ENTER:

dir /a:l

4. The output identifies the <JUNCTION> folder type and, in brackets, the value that is stored in the staging areas junction point. For example, the default value is [%systemroot%\SYSVOL\staging\domain] (or, if SYSVOL has been migrated from FRS to DFS Replication, [%systemroot%\SYSVOL_DFSR\staging\domain]). Record the current value in row 5 of the previous table. If you are moving SYSVOL or the staging areas subtree, also record the new value for the new location.

Stop the DFS Replication Service and Netlogon Service
You can use this procedure to stop the Distributed File System (DFS) Replication service and the Netlogon service when you are performing offline updates to the SYSVOL tree. The Netlogon service advertises the server as a domain controller by sharing out the SYSVOL folder. The services must be turned off until updates to the SYSVOL path information are complete and the SYSVOL junction point has been updated for the new location. While Netlogon is stopped, this domain controller is not advertised to clients and does not service logons, so perform these steps in a maintenance window and make sure other domain controllers in the domain are available. You can use the Windows graphical user interface (GUI) or the command line to stop the DFS Replication service and the Netlogon service.
Note
The staging path junction point is updated automatically when DFS Replication is restarted.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To stop the DFS Replication service or Netlogon service, or both, by using the Windows GUI
1. On the Start menu, point to Administrative Tools, and then click Services.
2. In the Name column, right-click DFS Replication or Netlogon, and then click Stop.

To stop the DFS Replication service and the Netlogon service by using the command line
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:

net stop dfsr

3. At the command prompt, type the following command, and then press ENTER:

net stop netlogon

After you move or restore SYSVOL, when you update the SYSVOL Netlogon path in the registry, you must also update the SysvolReady parameter in Netlogon parameters, as described in Change the SYSVOL Netlogon Parameters.

Change the SYSVOL Netlogon Parameters
When you are relocating the SYSVOL tree, you can use this procedure to update the registry parameter that the Netlogon service uses to discover the path to the SYSVOL\sysvol shared folder. Netlogon advertises the shared folder location based on this registry entry. The default value in this entry is %systemroot%\SYSVOL\sysvol (for example, C:\Windows\SYSVOL\sysvol). If you move the SYSVOL tree to a different folder or drive, or both, or if only the drive letter changes as a result of hardware updates, you must update this Netlogon parameter. When you update the SysVol Netlogon parameter in the registry, you must also set the SysvolReady Netlogon parameter to 0 so that SYSVOL is not advertised until all new path values have been initialized; advertising a share that does not yet contain a consistent, replicated policy tree would hand clients incomplete Group Policy and logon scripts. DFS Replication sets SysvolReady back to 1 when it has initialized the SYSVOL replicated folder at the new location.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To change the SYSVOL Netlogon parameters
1. Click Start, click Run, type regedit, and then press ENTER.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. Right-click SysVol, and then click Modify.
4. In the Value data box, type the new path, including the drive letter, and then click OK.
5. Right-click SysvolReady, and then click Modify.
6. In the Value data box, type 0, and then click OK.
7. Close Registry Editor.
Note
The path in the SysVol registry entry points to the sysvol shared folder, which is located inside the parent SYSVOL folder that is under the root (by default, %systemroot%\SYSVOL\sysvol). When you update the path, ensure that it still identifies the sysvol shared folder within the parent SYSVOL folder. If you have moved the SYSVOL tree, the root folder will change. Be sure to also change the drive letter to its new value if this has changed.

Create the SYSVOL Root Junction Point
If you move the SYSVOL tree, you must create a junction point that is named for the fully qualified domain name (FQDN) of the domain. You create this junction point under <NewLocationForSYSVOL>\sysvol. The junction point must point to <NewLocationForSYSVOL>\domain. If you move the tree or if hardware reconfiguration results in a change in the drive letter, you must recreate the SYSVOL junction point for the new location. To perform this procedure, you can use the Mklink.exe command-line tool, which is included with Windows Server 2008.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To create the sysvol root junction point
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, change the directory to the new sysvol root location, for example, FolderName\SYSVOL\sysvol.
3. To create the junction point for the sysvol root, at the command prompt, type the following command, and then press ENTER:

mklink /J <FQDN> <New sysvol root junction path>

Example:

mklink /J contoso.com D:\ContosoRoot\SYSVOL\domain

Parameter                                          Definition
mklink /J <FQDN> <New sysvol root junction path>   Creates a junction point for the specified domain in the specified path location.
<FQDN>                                             The fully qualified domain name of the SYSVOL domain.
<New sysvol root junction path>                    The drive letter and path to the SYSVOL root, for example, Drive:\FolderName\SYSVOL\domain, or Drive:\FolderName\SYSVOL_DFSR\domain if SYSVOL has been migrated from File Replication Service (FRS) to Distributed File System (DFS) Replication.

4. To verify the creation of the junction point, at the command prompt, type the following command, and then press ENTER:

dir /a:l

Verify the presence of the <JUNCTION> folder type and the value that you specified in step 3.

Start the DFS Replication Service and Netlogon Service
After you relocate the SYSVOL tree or the SYSVOL staging area, or both, use this procedure to start the Distributed File System (DFS) Replication service, the Netlogon service, or both. After you start the service or services, review the event log to ensure that the services started successfully. You can use the Windows graphical user interface (GUI) or the command line to start the DFS Replication service and the Netlogon service.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To start the DFS Replication service or Netlogon service, or both, by using the Windows GUI
1. On the Start menu, point to Administrative Tools, and then click Services.
2. In the Name column, right-click DFS Replication or Netlogon, and then click Start.

To start the DFS Replication service or Netlogon service, or both, by using the command line
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. To start the DFS Replication service, at the command prompt, type the following command, and then press ENTER:

net start dfsr

3. To start the Netlogon service, at the command prompt, type the following command, and then press ENTER:

net start netlogon

Notes
• You can use Event Viewer to verify that DFS Replication started correctly. In the DFS Replication log (in Applications and Services Logs), Event ID 1004 indicates that the service started. Look for Event IDs 1210, 1206, and 6102 to verify that the domain controller is running and ready for service. If you moved SYSVOL to a new location or relocated the staging areas folder, look for Event IDs 4604 and 6018, which indicate success. Event ID 7036 in the System event log reports that the Netlogon service is running. This event reports on all services that are stopped or started.
• Also verify that the Netlogon service is sharing the sysvol (SYSVOL share) and scripts (NETLOGON share) folders. At a command prompt, type net share, and then press ENTER.
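The following PowerShell script is an added example, not code from the guide. It carries out the relocation steps of the preceding four procedures end to end: stop the two services, point the SysVol and SysvolReady Netlogon parameters at the new location, create the <FQDN> junction under the new sysvol folder with mklink /J, start the services again, and then check the DFS Replication and System event logs and the shares the way the notes above describe. It assumes you have already copied the SYSVOL tree to the new root and updated msDFSR-RootPath and msDFSR-StagingPath in AD DS, that the tree was not migrated from FRS (a migrated tree is named SYSVOL_DFSR), and that it runs in an elevated PowerShell 5.1 or later session on the domain controller itself. The root D:\ContosoRoot\SYSVOL and the domain contoso.com are the illustrative values from the mklink example, not real values.

```powershell
# Added example, not part of the guide. Relocates the SYSVOL path references after
# the tree has already been copied to $NewRoot and the AD DS attributes updated.
# Assumes elevated PowerShell 5.1+ on the domain controller; the root and domain
# name passed at the bottom are illustrative.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Move-SysvolPathReferences {
    param(
        [Parameter(Mandatory)][string]$NewRoot,   # new SYSVOL root, e.g. D:\ContosoRoot\SYSVOL
        [Parameter(Mandatory)][string]$Fqdn       # the domain's FQDN, e.g. contoso.com
    )
    $newShare  = Join-Path $NewRoot 'sysvol'
    $newDomain = Join-Path $NewRoot 'domain'
    foreach ($p in @($newShare, $newDomain)) {
        if (-not (Test-Path -LiteralPath $p -PathType Container)) { throw "copy the tree first: $p is missing" }
    }
    $junction = Join-Path $newShare $Fqdn
    if (Test-Path -LiteralPath $junction) {
        # Refuse to delete anything: a copied tree may carry a plain folder or stale junction here.
        throw "$junction already exists; inspect it with 'dir /a:l' and remove it before continuing"
    }

    # 1. Take the DC out of service: Netlogon stops advertising it, DFSR stops touching the tree.
    Stop-Service -Name Netlogon -Force
    Stop-Service -Name DFSR -Force

    # 2. Netlogon parameters: the new sysvol share path, and SysvolReady = 0 so the
    #    share is not advertised until DFS Replication has initialized the new location.
    Set-ItemProperty -Path $NetlogonKey -Name SysVol      -Value $newShare -Type String
    Set-ItemProperty -Path $NetlogonKey -Name SysvolReady -Value 0         -Type DWord

    # 3. <NewRoot>\sysvol\<FQDN> -> <NewRoot>\domain, the same "mklink /J" as step 3 above.
    & cmd.exe /c mklink /J "$junction" "$newDomain" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "mklink failed with exit code $LASTEXITCODE" }
    $made   = Get-Item -LiteralPath $junction
    $target = [string]($made.Target | Select-Object -First 1)
    if ($made.LinkType -ne 'Junction' -or $target -ne $newDomain) {
        throw "junction at $junction points to '$target', expected $newDomain"
    }

    # 4. Bring the services back. DFS Replication initializes SYSVOL at the new path and
    #    sets SysvolReady back to 1 itself; Netlogon then shares the folder.
    Start-Service -Name DFSR
    Start-Service -Name Netlogon
}

function Test-SysvolAfterRestart {
    param([datetime]$Since = (Get-Date).AddMinutes(-15))
    # The event IDs the notes above list for a healthy start and a successful relocation.
    $wanted = 1004, 1210, 1206, 6102, 4604, 6018
    $seen = Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = $wanted; StartTime = $Since } `
                -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Id -Unique
    $netlogonUp = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7036; StartTime = $Since } `
                -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Netlogon.*running' }
    $shares = (& net.exe share) -join "`n"
    [pscustomobject]@{
        MissingDfsrEvents = @($wanted | Where-Object { $_ -notin $seen })
        NetlogonRunning   = [bool]$netlogonUp
        SysvolReady       = (Get-ItemProperty -Path $NetlogonKey).SysvolReady   # expect 1 once DFSR is done
        SysvolShared      = [bool]($shares -match '(?m)^SYSVOL\s')
        NetlogonShared    = [bool]($shares -match '(?m)^NETLOGON\s')
    }
}

Move-SysvolPathReferences -NewRoot 'D:\ContosoRoot\SYSVOL' -Fqdn 'contoso.com'
Start-Sleep -Seconds 90          # give DFS Replication time to initialize before checking
Test-SysvolAfterRestart
```

The script deliberately throws rather than deletes when something already sits at the junction path: removing a junction with Remove-Item can recurse into its target, and the target here is the live policy tree. If Test-SysvolAfterRestart reports missing events or SysvolReady still 0, stop and read the DFS Replication log before touching the registry again.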

Restoring and Rebuilding SYSVOL
A domain controller cannot function without a properly shared and replicating SYSVOL. If your efforts to move SYSVOL or perform certain maintenance tasks fail and SYSVOL is not replicating, you must recreate (rebuild) SYSVOL on the domain controller. Attempt to rebuild SYSVOL on a domain controller only when all other domain controllers in the domain have a healthy and functioning SYSVOL. Do not attempt to rebuild SYSVOL until you correct any problems that may be occurring with Distributed File System (DFS) Replication in the domain. Use the procedures in this section only on a domain controller that does not have a functioning SYSVOL.

Task requirements
The following tools are required to perform the procedures for this task:
• Active Directory Sites and Services
• Event Viewer
• Dcdiag.exe
• ADSI Edit
• Net.exe
• Regedit.exe
• Windows Explorer
• Mklink.exe

To complete this task, perform the following procedures in order:
1. Identify Replication Partners. You will import the SYSVOL from a replication partner.
2. Check the Status of the SYSVOL and Netlogon Shares. Perform this procedure on the replication partner from which you are copying SYSVOL to make sure that the SYSVOL tree that you copy from the partner is shared and replicating properly.
3. Verify Active Directory Replication. Verify that replication is working on both replication partners.
4. Gather the SYSVOL Path Information.
5. Restart the domain controller in Directory Services Restore Mode (DSRM) by using one of the following methods:
   • Restart the Domain Controller in Directory Services Restore Mode Locally. If you are sitting at the console of the domain controller, restart the domain controller locally in DSRM.
   • Restart the Domain Controller in Directory Services Restore Mode Remotely. If you are accessing the domain controller remotely by using Remote Desktop Connection, restart the domain controller remotely in DSRM.
6. Stop the DFS Replication Service and Netlogon Service. In DSRM, the DFS Replication service is stopped automatically. You have to stop only the Netlogon service. Both services restart automatically when you restart the domain controller normally after you complete the procedure to import the SYSVOL folder structure.
7. Import the SYSVOL Folder Structure.
8. Check the Status of the SYSVOL and Netlogon Shares.

Identify Replication Partners
You can use this procedure to examine the connection objects for a domain controller and identify its replication partners.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To identify replication partners
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, double-click the Sites container to display the list of sites.
3. Double-click the site that contains the domain controller for which you want to determine connection objects.
Note
If you do not know the site in which the domain controller is located, open a command prompt and type ipconfig to get the IP address of the domain controller. Use the IP address to determine which subnet it belongs to, and then determine the site that the subnet is associated with.
4. Double-click the Servers folder to display the list of servers in that site.
5. Double-click the server object for the domain controller whose replication partners you want to identify to display its NTDS Settings object.
6. Click the NTDS Settings object to display the list of connection objects in the details pane. (These objects represent inbound connections that are used for replication to the server.) The From Server column displays the names of the domain controllers that are source replication partners for the selected server object.

Check the Status of the SYSVOL and Netlogon Shares
You can use this procedure to make sure that the Distributed File System (DFS) Replication service is started properly and then ensure that the sysvol shared folder and the netlogon (scripts) shared folder are created and shared. For information about checking SYSVOL status for File Replication Service (FRS), see the Windows Server 2003 topic Check the status of the shared SYSVOL (http://go.microsoft.com/fwlink/?LinkId=120774).
Membership in Domain Admins, or equivalent, is required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To check the status of the SYSVOL and Netlogon shares
1. On the Start menu, point to Administrative Tools, and then click Services.
2. Verify that the DFS Replication service and the Netlogon service have a status of Started. If a service is stopped, click Start.
3. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
4. To verify that the SYSVOL tree includes the sysvol and scripts shared folders, at the command prompt, type the following command, and then press ENTER:

net share

5. Check the list to be sure that it includes %systemroot%\SYSVOL\sysvol\ (the SYSVOL share) and %systemroot%\SYSVOL\sysvol\<Domain Name>\SCRIPTS (the NETLOGON share), where <Domain Name> is the domain of the new domain controller.
Note
If neither %systemroot%\SYSVOL\sysvol\ nor %systemroot%\SYSVOL\sysvol\<Domain Name>\SCRIPTS is present, see Verify Active Directory Replication.
6. Verify that the proper permissions are set for SYSVOL replication. At the command prompt, type the following command, and then press ENTER:

dcdiag /test:netlogons

Look for a message that states that <ComputerName> passed test NetLogons, where <ComputerName> is the name of the domain controller. If you do not see the "passed test" message, check the permissions that are set on the Scripts and Sysvol shared folders. For information about default SYSVOL permissions, see Reapply Default SYSVOL Security Settings.

Verify Active Directory Replication
You can use this procedure to verify that Active Directory replication is functioning properly on a domain controller.
Membership in Domain Admins, or equivalent, is required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To verify Active Directory replication
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:

dcdiag /test:replications

Note
For more detailed replication information, use the /v option.

If this test fails, open Event Viewer and check for errors in the Directory Service log. Use the information in the ActiveDirectory_DomainService replication events to troubleshoot the problem.
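The following PowerShell script is an added example, not the guide's own code. It automates steps 1 through 3 of the rebuild task for the replication partner you intend to copy SYSVOL from: it lists the inbound connection objects under the local domain controller's NTDS Settings object (the From Server column in Active Directory Sites and Services), confirms that the partner's Netlogon service exposes the SYSVOL and NETLOGON shares, and runs the two dcdiag tests against the partner. It assumes PowerShell 3.0 or later, a domain administrator session on a machine where dcdiag.exe is available (a domain controller or a workstation with the remote administration tools), and that the partner name DC02 is illustrative. The share check uses net view against the remote partner rather than net share on the local console, which is the equivalent when you are not logged on to the partner.

```powershell
# Added example, not part of the guide. Pre-rebuild checks against the replication
# partner whose SYSVOL you will import. Assumes PowerShell 3.0+, a domain admin
# session, and dcdiag.exe on the path; 'DC02' below is an illustrative partner name.

function Get-InboundReplicationPartners {
    param([string]$DcName = $env:COMPUTERNAME)
    $configDn = [string]([adsi]'LDAP://RootDSE').configurationNamingContext
    # Locate the server object by name anywhere under CN=Sites; the site may not be known yet.
    $searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher `
        -ArgumentList ([adsi]"LDAP://CN=Sites,$configDn"), "(&(objectClass=server)(cn=$DcName))"
    $server = $searcher.FindOne()
    if (-not $server) { throw "no server object named $DcName under CN=Sites,$configDn" }
    $ntds = [adsi]"LDAP://CN=NTDS Settings,$($server.Properties['distinguishedname'][0])"
    # Each nTDSConnection child is an inbound connection; fromServer is the source DC's NTDS Settings DN.
    foreach ($conn in $ntds.Children) {
        if ($conn.SchemaClassName -ne 'nTDSConnection') { continue }
        # DN shape: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
        $rdns = ([string]$conn.fromServer) -split ','
        [pscustomobject]@{
            Connection = [string]$conn.cn
            FromServer = $rdns[1] -replace '^CN='
            FromSite   = $rdns[3] -replace '^CN='
        }
    }
}

function Test-SysvolShares {
    param([Parameter(Mandatory)][string]$DcName)
    # Remote counterpart of the "net share" check above: the shares the partner exposes.
    $lines = & net.exe view "\\$DcName"
    if ($LASTEXITCODE -ne 0) { throw "net view \\$DcName failed: $($lines -join ' ')" }
    $text = $lines -join "`n"
    [pscustomobject]@{
        Server   = $DcName
        SYSVOL   = [bool]($text -match '(?m)^SYSVOL\s+Disk')
        NETLOGON = [bool]($text -match '(?m)^NETLOGON\s+Disk')
    }
}

function Invoke-DcdiagTest {
    param([Parameter(Mandatory)][string]$DcName, [Parameter(Mandatory)][string]$Test)
    $out = & dcdiag.exe "/s:$DcName" "/test:$Test"
    [pscustomobject]@{
        Server = $DcName
        Test   = $Test
        Passed = [bool]($out -match "passed test $Test")   # dcdiag prints "<name> passed test NetLogons"
        Output = $out
    }
}

$source = 'DC02'   # illustrative: the partner whose SYSVOL you intend to import
Get-InboundReplicationPartners -DcName $env:COMPUTERNAME | Format-Table -AutoSize
Test-SysvolShares -DcName $source
foreach ($t in 'NetLogons', 'Replications') {
    $r = Invoke-DcdiagTest -DcName $source -Test $t
    if (-not $r.Passed) { Write-Warning "$source did not pass $t"; $r.Output }
    $r | Select-Object Server, Test, Passed
}
```

Pick the source partner from the FromServer column of the first table, then make sure both share flags are true and both dcdiag tests pass for it before you continue; a partner that fails the Replications test may hand you a stale SYSVOL.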

Gather the SYSVOL Path Information
When you relocate the SYSVOL tree or the staging areas subtree, it is helpful to record the current and new values for the path locations in the SYSVOL tree that are required for SYSVOL to function. By recording these values in advance, you can facilitate the move process. When you move SYSVOL, you first copy the folder structure to a new location. Then, you update the locations where folder paths are specified: junction points in the file system, Netlogon parameters in the registry, and attributes in Active Directory Domain Services (AD DS). As an option, you can relocate the staging areas subtree and leave the rest of the SYSVOL tree at its original location. In this case, you must update an attribute in AD DS, but the junction point for the staging areas folder is updated automatically. You also have to record this path information when you are rebuilding SYSVOL on one domain controller by importing the SYSVOL of another domain controller.
Note
The instructions in this procedure relate to domains in which Distributed File System (DFS) Replication is used to replicate SYSVOL. For information about relocating SYSVOL when you use File Replication Service (FRS), see Relocating SYSVOL Manually (http://go.microsoft.com/fwlink/?LinkId=122890).
For more information about the folder structure and the relationships between the folders and the path information that is stored in the registry, AD DS, and the SYSVOL directory itself, see Introduction to Administering DFS-Replicated SYSVOL.
You can use these procedures to locate the SYSVOL path information and then record the values in the following table. Use the rows and columns in the table according to the goals of your procedure. Record the current values and also the new values if you are moving the SYSVOL tree or the staging areas subtree or if you are rebuilding SYSVOL:
• Relocating the entire SYSVOL tree: Record the current and new path values in rows 1 through 5.
• Relocating the staging areas subtree only: Record the current and new path values in rows 2 and 5.
• Restoring and rebuilding SYSVOL: Record path information as follows:
   • Record the current values from the domain controller that you are restoring in rows 1, 2, and 3.
   • In the Current value column in rows 4 and 5, record the values in the junction points that are located on the domain controller from which you are copying the SYSVOL folder structure.
   • In the New value column in rows 4 and 5, record the values in the junction points that are located on the domain controller whose SYSVOL you are rebuilding.

Row  Parameter                                    Current value   New value
1    msDFSR-RootPath in AD DS
2    msDFSR-StagingPath in AD DS
3    SysVol Netlogon parameter in the registry
4    Sysvol junction point
5    Staging areas junction point

To gather the SYSVOL path information
Perform the following procedures to gather values for SYSVOL paths and record the data in the preceding table.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To determine the msDFSR-RootPath and the msDFSR-StagingPath values in AD DS
1. Click Start, point to Administrative Tools, and then click ADSI Edit.
2. Right-click ADSI Edit, and then, if the domain whose path information you want to check is not listed, click Connect to.
3. Under Connection Point, click Select a well known Naming Context, click Default naming context, and then click OK.
4. In the tree view, expand the domain component, and then expand OU=Domain Controllers.
5. Double-click the container that represents a domain controller on which you can check the path information, double-click CN=DFSR-LocalSettings, and then click CN=Domain System Volume.
6. In the details pane, right-click CN=SYSVOL Subscription, and then click Properties.
7. Click Filter. Ensure that Show mandatory attributes is selected. Select this option if it is not selected.
8. In Attributes, locate msDFSR-RootPath and msDFSR-StagingPath, and then record the current values in rows 1 and 2, respectively, in the previous table. If you are moving SYSVOL, also record the new values for the new location in both rows. If you are moving the staging areas subtree, record the new path value in row 2.
9. Click Cancel to close the CN=SYSVOL Subscription Properties dialog box.

To determine the SysVol Netlogon parameter value in the registry
1. Click Start, click Run, type regedit, and then press ENTER.
2. In Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. In the details pane, double-click SysVol. The current value is listed in Value data.
4. Record the current value in row 3 of the previous table, and then click Cancel to close the Edit String dialog box. If you are moving SYSVOL, also record the new value for the new location.
5. Close Registry Editor.

To determine the value in the sysvol junction point
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, change the directory to %systemroot%\SYSVOL\sysvol, or to the current location if SYSVOL has been moved from the default location.
3. To view the junction point for the sysvol folder, at the command prompt, type the following command, and then press ENTER:

dir /a:l

4. Record the current value in row 4 of the previous table. If you are moving SYSVOL, also record the new value for the new location.

To determine the value in the staging areas junction point
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, change the directory to %systemroot%\SYSVOL\staging areas, or to the current location if the staging areas subtree has been moved from the default location.
3. To view the junction point for the staging areas folder, at the command prompt, type the following command, and then press ENTER:

dir /a:l

4. The output identifies the <JUNCTION> folder type and, in brackets, the value that is stored in the staging areas junction point. For example, the default value is [%systemroot%\SYSVOL\staging\domain] (or, if SYSVOL has been migrated from FRS to DFS Replication, [%systemroot%\SYSVOL_DFSR\staging\domain]). Record the current value in row 5 of the previous table. If you are moving SYSVOL or the staging areas subtree, also record the new value for the new location.
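The following PowerShell script is an added example, not code from the guide. It collects the five values from the table above in one pass (the two msDFSR attributes from the SYSVOL Subscription object, the SysVol Netlogon parameter, and the two junction targets) and then cross-checks the relationships the topic describes: the sysvol junction must resolve to msDFSR-RootPath, the staging areas junction to msDFSR-StagingPath, and the root path must sit under the same tree root as the sysvol share. A mismatch among these is exactly what leaves SYSVOL unshared after a move, so this is worth running before and after any relocation or rebuild. It assumes an elevated PowerShell 5.1 or later session on the domain controller itself (where Get-ChildItem exposes LinkType and Target for junctions) and that the domain controller's computer object is in the default OU=Domain Controllers container.

```powershell
# Added example, not part of the guide. Gathers the five SYSVOL path values from the
# table above and cross-checks them. Assumes elevated PowerShell 5.1+ on the domain
# controller itself and the DC object in the default OU=Domain Controllers container.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-JunctionTargets {
    # PowerShell equivalent of "dir /a:l": the junction points directly under $Folder.
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -LiteralPath $Folder -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LinkType -eq 'Junction' } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Target = [string]($_.Target | Select-Object -First 1) } }
}

function Get-SysvolPathInfo {
    param([string]$DcName = $env:COMPUTERNAME)

    # Rows 1-2: attributes of the SYSVOL Subscription object, at the DN that ADSI Edit shows.
    $domainDn = [string]([adsi]'LDAP://RootDSE').defaultNamingContext
    $fqdn     = (($domainDn -split ',') | ForEach-Object { $_ -replace '^DC=' }) -join '.'
    $subDn    = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DcName,OU=Domain Controllers,$domainDn"
    $sub      = [adsi]"LDAP://$subDn"
    $rootPath    = [string]$sub.'msDFSR-RootPath'
    $stagingPath = [string]$sub.'msDFSR-StagingPath'

    # Row 3: the SysVol Netlogon parameter; its parent folder is the SYSVOL (or SYSVOL_DFSR) tree root.
    $nl          = Get-ItemProperty -Path $NetlogonKey
    $sysvolShare = [string]$nl.SysVol
    $treeRoot    = Split-Path -Path $sysvolShare -Parent

    # Rows 4-5: the junctions named for the domain FQDN under sysvol and "staging areas".
    $stagingAreas = Join-Path $treeRoot 'staging areas'
    $sysvolJ  = Get-JunctionTargets -Folder $sysvolShare  | Where-Object { $_.Name -eq $fqdn }
    $stagingJ = Get-JunctionTargets -Folder $stagingAreas | Where-Object { $_.Name -eq $fqdn }

    $rows = @(
        [pscustomobject]@{ Row = 1; Parameter = 'msDFSR-RootPath in AD DS';             CurrentValue = $rootPath }
        [pscustomobject]@{ Row = 2; Parameter = 'msDFSR-StagingPath in AD DS';          CurrentValue = $stagingPath }
        [pscustomobject]@{ Row = 3; Parameter = 'SysVol Netlogon parameter (registry)'; CurrentValue = $sysvolShare }
        [pscustomobject]@{ Row = 4; Parameter = 'sysvol junction point';                CurrentValue = $sysvolJ.Target }
        [pscustomobject]@{ Row = 5; Parameter = 'staging areas junction point';         CurrentValue = $stagingJ.Target }
    )

    # The relationships the topic describes; any mismatch here breaks SYSVOL after a move.
    $problems = @()
    if (-not $sysvolJ)                         { $problems += "no junction named $fqdn under $sysvolShare" }
    elseif ($sysvolJ.Target -ne $rootPath)     { $problems += "sysvol junction -> $($sysvolJ.Target), but msDFSR-RootPath = $rootPath" }
    if (-not $stagingJ)                        { $problems += "no junction named $fqdn under $stagingAreas" }
    elseif ($stagingJ.Target -ne $stagingPath) { $problems += "staging junction -> $($stagingJ.Target), but msDFSR-StagingPath = $stagingPath" }
    if ((Split-Path -Path $rootPath -Parent) -ne $treeRoot) {
        $problems += "msDFSR-RootPath is not under the tree root implied by the SysVol parameter ($treeRoot)"
    }
    if ($nl.SysvolReady -ne 1) { $problems += "SysvolReady = $($nl.SysvolReady); Netlogon will not advertise the SYSVOL share" }

    [pscustomobject]@{ Domain = $fqdn; Rows = $rows; Problems = $problems }
}

$info = Get-SysvolPathInfo
$info.Rows | Format-Table -AutoSize
if ($info.Problems) { $info.Problems | ForEach-Object { Write-Warning $_ } } else { 'SYSVOL path information is consistent.' }
```

Run it once before the move to fill the Current value column, and again afterwards: every row should show the new location and the Problems list should be empty. When you are rebuilding SYSVOL, run it on the partner you copy from as well, since rows 4 and 5 of the table come from that machine.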

Restart the Domain Controller in Directory Services Restore Mode Locally
If you have physical access to a domain controller, you can restart the domain controller in Directory Services Restore Mode (DSRM) locally. Restarting in DSRM takes the domain controller offline. In this mode, the server is functioning as a member server, not as a domain controller. During installation of Active Directory Domain Services (AD DS), you set the Administrator password for logging on to the server in DSRM. When you start Windows Server 2008 in DSRM, you must log on by using this DSRM password for the local Administrator account. The DSRM password is a local credential that is not subject to domain password policy and that grants full control of the directory database while the server is offline, so store and rotate it with the same care as any other privileged credential.
Note
By default, you must start a domain controller in DSRM to log on by using the DSRM Administrator account. However, on domain controllers that are running Windows Server 2008, you can change this behavior by modifying the DSRMAdminLogonBehavior registry entry. By changing the value for this entry, you can configure a domain controller so that you can log on to it with the DSRM Administrator account if the domain controller was started normally but the AD DS service is stopped for some reason. Widening when that account can log on also widens the set of credentials that can reach the domain controller, so leave the entry at its default unless you need the behavior. For more information about changing this registry entry, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=85649).
You can restart a domain controller in DSRM manually by pressing the F8 key during domain controller startup, which requires watching the startup and waiting for the appropriate point in the startup to press the key. This method is tedious and can waste time if you miss the brief window of opportunity for selecting the restart mode. On domain controllers that are running Windows Server 2008, tools are available that replace the Boot.ini file that is used in earlier versions of Windows Server to modify the boot configuration parameters and controls. You can use the Windows graphical user interface (GUI) or the command line to restart the domain controller in DSRM:
• Windows GUI: System Configuration (Msconfig.exe) is an administrative tool that you can use to configure boot and startup options, including restarting in DSRM and normal mode.
• Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot configuration on a server that is running Windows Server 2008. You can use Bcdedit with shutdown commands to instruct the domain controller to restart in DSRM and to restart normally.
When you are finished managing a domain controller in DSRM, if you have used System Configuration or Bcdedit.exe to restart the domain controller in DSRM, you must change the configuration so that the domain controller restarts in normal mode.
Note
A benefit of using System Configuration or Bcdedit.exe to restart a domain controller into DSRM is that the safeboot setting persists across restarts, so the domain controller cannot be inadvertently restarted in normal mode before you have finished. This is particularly useful when you are performing a nonauthoritative restore from backup followed by an authoritative restore. The same persistence means that the domain controller stays out of service until you remove the setting, so do not forget that final step.
You can also use System Configuration or Bcdedit.exe to restart a domain controller in DSRM remotely. To use System Configuration or Bcdedit.exe and Remote Desktop Connection to restart a domain controller in DSRM remotely, see Restart the Domain Controller in Directory Services Restore Mode Remotely.
Membership in the Domain Admins group is the minimum required to complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM are required to log on to the domain controller in DSRM. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92725).

Restarting the domain controller in DSRM locally
You can use either of the following methods to restart the domain controller in DSRM.

To restart a domain controller in DSRM locally by using the Windows GUI
1. On the Start menu, point to Administrative Tools, and then click System Configuration.
2. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK.
3. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM.
4. Perform procedures in DSRM.
5. When you have finished performing procedures in DSRM, restart the domain controller normally:
   a. On the Start menu, point to Administrative Tools, and then click System Configuration.
   b. On the General tab, in Startup selection, click Normal startup, and then click OK. The domain controller restarts normally.

To restart a domain controller in DSRM locally by using the command line
1. Click Start, click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, and then click OK.
2. At the command prompt, type the following command, and then press ENTER:

bcdedit /set safeboot dsrepair

3. At the command prompt, type the following command, and then press ENTER:

shutdown -t 0 -r

4. When you are still in DSRM and you are ready to restart in normal mode, open a command prompt, type the following command, and then press ENTER:

bcdedit /deletevalue safeboot

5. At the command prompt, type the following command, and then press ENTER:

shutdown -t 0 -r

Value                     Description
/set safeboot dsrepair    Configures the boot process to start in DSRM.
shutdown -t 0 -r          Shuts down the server and restarts it.
/deletevalue safeboot     Returns the boot process to the previous setting.

See Also
Restart the Domain Controller in Directory Services Restore Mode Remotely

4estart the Domain Controller in Directory Services 4estore )ode 4emotely
'f ou have remote access to a domain controller( ou can restart the domain controller in Director Services *estore Mode "DS*M# remotel & *emote access reFuires the user right to log on locall to a domain controller& *estarting in DS*M ta0es the domain controller offline& 'n this mode( the server is functioning as a member server( not a domain controller& During installation of Active Director Domain Services "AD DS#( ou set the Administrator pass%ord for logging on to the server in DS*M& $hen ou start $indo%s Server 2008 in DS*M( ou must log on b using this DS*M pass%ord for the local Administrator account& Note > default( ou must start a domain controller in DS*M to log on b using the DS*M Administrator account& ;o%ever( on domain controllers that are running $indo%s Server 2008( ou can change this behavior b modif ing the DS4)Admin+ogon$ehavior registr entr & > changing the value for this entr ( ou can configure a domain controller so that ou can log on to it %ith the DS*M Administrator account if the domain controller %as started normall but the AD DS service is stopped for some reason& =or more information about changing this registr entr ( see the $indo%s Server 2008 *estartable AD DS Step/b /Step 5uide "http:33go&microsoft&com3f%lin03P+in0'dQ88:A?#& 4n domain controllers that are running $indo%s Server 2008( tools are available that replace the >oot&ini file that is used in earlier versions of $indo%s Server to modif the boot configuration parameters and controls& Eou can use the $indo%s graphical user interface "5)'# or the command line or to restart the domain controller in DS*M: • !indows G3I* S stem Configuration "Msconfig&msc# is an administrative tool that ou can use to configure boot and startup options( including restarting in DS*M and normal mode& • Command line* >cdedit&e-e is a command/line tool that ou can use to modif the boot configuration on a server that is running $indo%s Server 2008& Eou can use >cdedit %ith shutdown commands to instruct the 
domain controller to restart in DS*M and to restart normall & To restart the domain controller in DS*M remotel ( ou first use *emote Des0top Connection to connect to the domain controller %hile it is in normal startup mode& *emote Des0top Connection must be enabled on the target domain controller& After the domain controller has restarted( ou can use *emote Des0top Connection to reconnect to the domain controller and then log on as the local Administrator( using the DS*M pass%ord& Eou can use this procedure to connect to a domain controller remotel ( restart it in DS*M( and then reconnect to it as the DS*M administrator& Membership in Domain Admins( or eFuivalent( is the minimum reFuired to complete the S stem Configuration "$indo%s 5)'# or >cdedit "command/line# procedure& The Administrator account and pass%ord for DS*M and the user right to log on locall to a domain controller are reFuired to 68?

log on to the domain controller in DSRM. Members of Account Operators, Administrators, Enterprise Admins, Domain Admins, Backup Operators, Print Operators, and Server Operators have the user right to log on locally to a domain controller by default. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. Using a domain administrative account to log on to an RODC can compromise the server. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92725).

To restart a domain controller in DSRM remotely by using the Windows GUI
1. Connect to the remote domain controller that is running in normal mode:
   a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection.
   b. In Computer, type the name of the domain controller that you want to restart, and then click Connect.
   c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK.
   d. When you are connected, log on to the domain controller as a domain administrator.
2. On the Start menu, point to Administrative Tools, and then click System Configuration.
3. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK.
4. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped.
5. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection.
6. The domain controller name should still be showing in Computer. If it is not, select it from the list, and then click Connect.
7. In the Windows Security dialog box, click Use another account.
8. In User name, type the following: MachineName\Administrator
   Where MachineName is the name of the domain controller.
9. In Password, type the DSRM password, and then click OK.
10. At the logon screen of the remote domain controller, click Switch User, and then click Other User.
11. Type MachineName\Administrator, and then press ENTER.
12. Perform procedures in DSRM.
13. When you have finished performing procedures in DSRM, restart the domain controller normally:
   a. On the Start menu, point to Administrative Tools, and then click System Configuration.
   b. On the General tab, in Startup selection, click Normal startup, and then click OK.
   The domain controller restarts normally. This procedure will disconnect your remote session.

To restart a domain controller in DSRM remotely by using the command line
1. Connect to the remote domain controller that is running in normal mode:
   a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection.
   b. In Computer, type the name of the domain controller that you want to restart, and then click Connect.
   c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK.
   d. When you are connected, log on to the domain controller as a domain administrator.
2. Open a command prompt. At the command prompt, type the following command, and then press ENTER:
bcdedit /set safeboot dsrepair
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
   The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped.
4. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection.
5. The domain controller name should still be showing in Computer. If it is not, select it in the list, and then click Connect.
6. In the Windows Security dialog box, click Use another account.
7. In User name, type the following: MachineName\Administrator
   Where MachineName is the name of the domain controller.
8. In Password, type the DSRM password, and then click OK.
9. At the logon screen of the remote domain controller, click Switch User, and then click Other User.
10. Type MachineName\Administrator, and then press ENTER.
11. Perform procedures in DSRM.
12. When you have finished performing procedures in DSRM, restart the domain controller normally:
   a. In DSRM, open a command prompt, type the following command, and then press ENTER:
bcdedit /deletevalue safeboot
   b. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
   The domain controller restarts normally. This procedure will disconnect your remote session.

Value                             Description
bcdedit /set safeboot dsrepair    Configures the boot process to start in DSRM.
shutdown -t 0 -r                  Shuts down the server and restarts it.
bcdedit /deletevalue safeboot     Returns the boot process to the previous setting.
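The two bcdedit/shutdown steps above (entering DSRM in steps 2 and 3, leaving it in steps 12a and 12b) can be driven over PowerShell remoting instead of an interactive Remote Desktop session. The script below is an added example, not code from the guide; it assumes WinRM is enabled on the domain controller, that the caller holds Domain Admins credentials, and the server name DC01 is a placeholder. It refuses to restart unless bcdedit confirms the requested safeboot state.

```powershell
# Added example (not from the guide): set or clear the DSRM safeboot flag on a remote
# domain controller, verify it with bcdedit, and then restart exactly as the
# command-line procedure does. Assumes WinRM remoting and Domain Admins rights.

function Set-DsrmBoot {
    param(
        [Parameter(Mandatory)][string] $ComputerName,
        [Parameter(Mandatory)][ValidateSet('Enter', 'Leave')][string] $Mode,
        [switch] $NoRestart
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Mode, $NoRestart.IsPresent -ScriptBlock {
        param([string] $Mode, [bool] $SkipRestart)

        # Reads the safeboot value of the {current} boot entry from bcdedit, or $null if unset.
        function Get-SafeBootValue {
            $lines = & bcdedit.exe /enum '{current}'
            $match = $lines | Select-String -Pattern '^\s*safeboot\s+(\S+)' | Select-Object -First 1
            if ($match) { return $match.Matches[0].Groups[1].Value }
            return $null
        }

        if ($Mode -eq 'Enter') {
            & bcdedit.exe /set safeboot dsrepair | Out-Null       # step 2 of the procedure
            $wanted = 'DsRepair'
        } else {
            & bcdedit.exe /deletevalue safeboot | Out-Null       # step 12a of the procedure
            $wanted = $null
        }

        # Never reboot on an unverified boot configuration: re-read what bcdedit now reports.
        $actual = Get-SafeBootValue
        if ([string]$actual -ne [string]$wanted) {
            throw "bcdedit on $env:COMPUTERNAME reports safeboot='$actual', expected '$wanted'; not restarting."
        }
        if ($SkipRestart) {
            return "safeboot is now '$actual' on $env:COMPUTERNAME; restart deferred."
        }
        # Step 3 / step 12b. The remoting session drops here, just as the RDP session does.
        & shutdown.exe -t 0 -r
    }
}

# Enter DSRM on DC01 (placeholder name). After the restart, reconnect with
# DC01\Administrator and the DSRM password, as steps 4 to 10 describe.
Set-DsrmBoot -ComputerName 'DC01' -Mode Enter

# Later, from a session on the DC running in DSRM, return to normal startup:
# Set-DsrmBoot -ComputerName 'DC01' -Mode Leave
```

Domain credentials are not usable once the server is in DSRM, so the Leave step has to be run with the local DSRM administrator account, exactly as the manual procedure requires.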

See Also
Enable Remote Desktop
Create a Remote Desktop Connection
Restart the Domain Controller in Directory Services Restore Mode Locally

Stop the DFS Replication Service and Netlogon Service
You can use this procedure to stop the Distributed File System (DFS) Replication service and the Netlogon service when you are performing offline updates to the SYSVOL tree. The Netlogon service advertises the server as a domain controller by sharing out the SYSVOL folder. The services must be turned off until updates to the SYSVOL path information are complete and the SYSVOL junction point has been updated for the new location. You can use the Windows graphical user interface (GUI) or the command line to stop the DFS Replication service and the Netlogon service.

Note
The staging path junction point is updated automatically when DFS Replication is restarted.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To stop the DFS Replication service or Netlogon service, or both, by using the Windows GUI
1. On the Start menu, point to Administrative Tools, and then click Services.
2. In the Name column, right-click DFS Replication or Netlogon, and then click Stop.

To stop the DFS Replication service and the Netlogon service by using the command line
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
net stop dfsr
3. At the command prompt, type the following command, and then press ENTER:
net stop netlogon

After you move or restore SYSVOL, when you update the SYSVOL Netlogon path in the registry, you must also update the SysvolReady parameter in Netlogon parameters, as described in Change the SYSVOL Netlogon Parameters.

Import the SYSVOL Folder Structure
If a domain controller has a nonfunctioning SYSVOL, you can use this procedure to rebuild SYSVOL on the domain controller by copying the SYSVOL folder structure on another domain controller and importing it to the offline domain controller, which cannot operate as a domain controller without a functioning SYSVOL. To properly import SYSVOL, you must copy the SYSVOL folder and its contents. In this procedure, you copy an existing SYSVOL folder structure on a healthy, online domain controller to the target domain controller, which has a failed SYSVOL. After you delete the failed SYSVOL folder, you copy the healthy SYSVOL folder structure to the same location as the original (deleted) SYSVOL folder.

This procedure has the following preliminary requirements:
• You have identified a replication partner domain controller whose SYSVOL folder structure you will copy.
• You have restarted the domain controller to which you are importing SYSVOL in Directory Services Restore Mode (DSRM).
• You have stopped the Netlogon service on the target domain controller after restarting the domain controller in DSRM. The Distributed File System (DFS) Replication service is stopped automatically when you restart the domain controller in DSRM.
• The default shared folder ADMIN$ must exist on the domain controller from which you plan to copy the SYSVOL folder structure. Some organizations remove this shared folder or rename it for security reasons. If this shared folder is not available, you must share the %systemroot% folder and name the share ADMIN$.

Note
To view the shared folders to see whether ADMIN$ is shared, on the source domain controller, open Server Manager. In the navigation pane for the domain controller, view Roles and File Services, and then click Share and Storage Management. As an alternative, you can open a command prompt and type net share at the command prompt.

• If the ADMIN$ share has been renamed, use the name that is assigned by your organization instead of ADMIN$ as you complete this procedure.
• You have determined the target domain controller values for rows 4 (Sysvol junction point) and 5 (Staging areas junction point) in the table that you created in Gather the SYSVOL Path Information.

This procedure has the following follow-up requirements:
• If you share the %systemroot% folder on the source domain controller to complete this procedure, be sure to remove the share after the procedure is complete to maintain any security policies that are established on your network.
• On the target domain controller, perform the verification tests in Check the Status of the SYSVOL and Netlogon Shares.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure on the domain controller from which you are copying SYSVOL. The DSRM administrator password is the minimum required to complete this procedure on the controller to which you are importing SYSVOL. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To import the SYSVOL folder structure
1. On the domain controller to which you are importing the SYSVOL folder structure, open Windows Explorer.
2. Navigate to the existing SYSVOL folder that you are rebuilding, and then delete it.
3. Map a network drive to the ADMIN$ shared directory on the domain controller that you identified earlier as the replication partner from which you plan to copy the SYSVOL folder structure.
4. When you are connected to the ADMIN$ share, verify that a folder labeled SYSVOL appears. Right-click the SYSVOL folder, and then click Copy.
5. In the same ADMIN$ shared directory, right-click some blank space, and then click Paste.
6. Verify that the original SYSVOL folder and a new folder labeled SYSVOL - Copy both appear. Right-click SYSVOL - Copy, and then click Rename. Type SYSVOL2, and then press ENTER.
7. Open a Command Prompt. At the command prompt, change to the drive letter that represents the connection to the remote domain controller where you created the SYSVOL2 folder.
8. Change the directory to \SYSVOL2\sysvol.
9. Type dir /a:L, and then press ENTER. Verify that <JUNCTION> appears in the command output and that it is followed by the name of the domain.
10. You must update the path in this junction point so that it references the new location on the target domain controller. At the command prompt, type the following command, and then press ENTER:
mklink <FQDN> <newpath>
   Where <FQDN> is the fully qualified domain name (FQDN) and <newpath> is the new value that you recorded in row 4 of the table in Gather the SYSVOL Path Information.
11. If the staging areas subfolder has been relocated and it is no longer inside the SYSVOL folder, skip steps 11 and 12, and proceed to step 13. If the staging areas subfolder has not been relocated, at a command prompt, change the directory to \SYSVOL2\staging areas under the copy of SYSVOL that you created. Type dir to list the contents, and verify that <JUNCTION> appears in the output of the dir command.
12. Update the junction so that it points to the new location on the target domain controller. At the command prompt, type the following command, and then press ENTER:
linkd <junctionname> <newpath>
   Where <newpath> is the new value that you recorded in row 5 of the table in Gather the SYSVOL Path Information.
13. At the command prompt, change back to the %systemroot% directory for the domain controller that is receiving the imported SYSVOL.
14. At the command prompt, use the robocopy command-line tool to copy the contents of the \SYSVOL2 folder that you created to a new SYSVOL folder on your local drive. At the command prompt, type the following command, and then press ENTER:
robocopy <Source Folder> <Destination Folder> /copyall /mir /b /r:0 /xd "DfsrPrivate" /xf "DfsrPrivate"

Parameter             Description
<Source Folder>       Drive letter and path to the SYSVOL2 directory on the source domain controller.
<Destination Folder>  Drive letter and path of the new SYSVOL folder on the local domain controller, in the location of the SYSVOL folder that you deleted in step 2. For example, if you deleted the original SYSVOL folder from C:\Windows\SYSVOL, the path in <Destination Folder> is C:\Windows\SYSVOL. Because /mir removes anything at the destination that is not in the source, do not point <Destination Folder> at the parent folder (for example, C:\Windows).
/copyall              Copies the following file information: data, attributes, time stamps, NTFS access control list (ACL), owner information, and auditing information.
/mir                  Mirrors the directory tree that you are copying.
/b                    Copies files in backup mode. Backup mode allows Robocopy to override file and folder permission settings (ACLs).
/r:0                  Specifies performing 0 (zero) retries on failed copies.
/xd "DfsrPrivate"     Excludes the DfsrPrivate directory from the copy.
/xf "DfsrPrivate"     Excludes the DfsrPrivate file from the copy.

15. Verify that the folder structure copied correctly. Compare the new folder structure to the SYSVOL (not SYSVOL2) folder structure on the remote (source) domain controller. Open a command prompt, and type dir /s to list the contents of the folders and subfolders. Ensure that all folders exist.
16. Delete the SYSVOL2 folder that you created on the remote domain controller.
17. If you shared the %systemroot% folder and created an ADMIN$ share on the remote domain controller, remove the ADMIN$ share. Disconnect from the remote domain controller.
18. Restart the domain controller in normal mode. When you restart the domain controller, the Netlogon service and the DFS Replication service start automatically.
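The junction checks in steps 9 to 12, the robocopy in step 14 and the tree comparison in step 15 are where this procedure goes wrong in practice, so the added example below (not code from the guide) automates them. It assumes Windows PowerShell 5.1 or later on the target domain controller (for the junction Target property), that Z: is the drive mapped to the source ADMIN$ share, and it uses corp.example.com and the C:\Windows paths as placeholders for the values from the Gather the SYSVOL Path Information table. Because /mir purges whatever is at the destination but absent from the source, the copy function targets the SYSVOL folder itself and refuses to run against %systemroot%.

```powershell
# Added example; not part of the guide. Run on the target DC while it is in DSRM.

function Get-JunctionTarget {
    # Returns the target of a directory junction, or $null when the path is not a reparse point.
    param([Parameter(Mandatory)][string] $Path)
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    if (-not ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint)) { return $null }
    return [string](@($item.Target)[0])    # PowerShell 5.1+ exposes the reparse target
}

function Test-SysvolCopyJunctions {
    # $CopyRoot is the SYSVOL2 folder created in step 6, $DomainFqdn the junction name that
    # "dir /a:L" shows in step 9; the targets are the row 4 (sysvol) and row 5 (staging areas)
    # values the guide has you record. Returns $true only if both junctions already point there.
    param(
        [Parameter(Mandatory)][string] $CopyRoot,
        [Parameter(Mandatory)][string] $DomainFqdn,
        [Parameter(Mandatory)][string] $SysvolTarget,
        [string] $StagingTarget      # omit when "staging areas" was relocated (step 11)
    )
    $expected = @{}
    $expected[(Join-Path $CopyRoot "sysvol\$DomainFqdn")] = $SysvolTarget
    if ($StagingTarget) {
        $expected[(Join-Path $CopyRoot "staging areas\$DomainFqdn")] = $StagingTarget
    }
    $ok = $true
    foreach ($junction in $expected.Keys) {
        $actual = Get-JunctionTarget -Path $junction
        if (-not $actual) {
            Write-Warning "$junction is not a junction point"; $ok = $false; continue
        }
        if ($actual.TrimEnd('\') -ne $expected[$junction].TrimEnd('\')) {
            Write-Warning "$junction -> $actual, expected $($expected[$junction])"; $ok = $false
        }
    }
    return $ok
}

function Copy-SysvolFromCopy {
    # Step 14 with the guide's switches. /mir deletes destination content that is absent from
    # the source, so the destination must be the new SYSVOL folder, never its parent.
    param(
        [Parameter(Mandatory)][string] $Source,
        [string] $Destination = (Join-Path $env:SystemRoot 'SYSVOL')
    )
    if ($Destination.TrimEnd('\') -eq $env:SystemRoot.TrimEnd('\')) {
        throw "Refusing to mirror onto $env:SystemRoot; point -Destination at the SYSVOL folder."
    }
    & robocopy.exe $Source $Destination /copyall /mir /b /r:0 /xd DfsrPrivate /xf DfsrPrivate
    # Robocopy exit codes 0 to 7 are success or informational; 8 and above mean failed copies.
    return ($LASTEXITCODE -lt 8)
}

function Compare-SysvolTree {
    # Step 15: compare folder names against the live SYSVOL on the source DC (not SYSVOL2).
    # DfsrPrivate is excluded because robocopy skipped it. No output means the trees match.
    param([Parameter(Mandatory)][string] $SourceSysvol, [Parameter(Mandatory)][string] $LocalSysvol)
    $relative = {
        param($Root)
        Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force |
            Where-Object { $_.FullName -notmatch '\\DfsrPrivate(\\|$)' } |
            ForEach-Object { $_.FullName.Substring($Root.TrimEnd('\').Length) }
    }
    Compare-Object -ReferenceObject @(& $relative $SourceSysvol) -DifferenceObject @(& $relative $LocalSysvol)
}

# Placeholder values: Z: is mapped to \\<source DC>\ADMIN$; the targets come from rows 4 and 5.
if (Test-SysvolCopyJunctions -CopyRoot 'Z:\SYSVOL2' -DomainFqdn 'corp.example.com' `
        -SysvolTarget 'C:\Windows\SYSVOL\domain' -StagingTarget 'C:\Windows\SYSVOL\staging\domain') {
    if (Copy-SysvolFromCopy -Source 'Z:\SYSVOL2') {
        Compare-SysvolTree -SourceSysvol 'Z:\SYSVOL' -LocalSysvol (Join-Path $env:SystemRoot 'SYSVOL')
    }
}
```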


See Also
Check the Status of the SYSVOL and Netlogon Shares

Administering the Global Catalog
This guide provides information about administering the global catalog for Active Directory Domain Services (AD DS) in Windows Server 2008.

In this guide
• Introduction to Administering the Global Catalog
• Managing the Global Catalog

Introduction to Administering the Global Catalog
Designate global catalog servers in sites to accommodate forest-wide directory searching and to facilitate domain client logons when universal groups are available (that is, when a domain has a domain functional level of Windows Server 2008, Windows Server 2003, or Windows 2000 native). When universal groups are available in a domain, a domain controller must be able to locate a global catalog server to process a logon request.

Global catalog hardware requirements
Minimum hardware requirements for global catalog servers depend on the number of users in the site. For disk space requirements and directory database storage guidelines, see Planning Domain Controller Capacity (http://go.microsoft.com/fwlink/?LinkId=80404).

Global catalog placement
In most cases, we recommend that you include the global catalog when you install new domain controllers. The following exceptions apply:
• Limited bandwidth: In remote sites, if the wide area network (WAN) link between the remote site and the hub site is limited, you can use universal group membership caching in the remote site to accommodate the logon needs of users in the site. For information about universal group membership caching, see Enabling Universal Group Membership Caching in a Site.
• Infrastructure operations master role incompatibility: Do not place the global catalog on a domain controller that hosts the infrastructure operations master role in the domain unless all domain controllers in the domain are global catalog servers or the forest has only one domain.

Initial global catalog replication
When you add a global catalog server to a site, the Knowledge Consistency Checker (KCC) updates the replication topology, after which replication of partial domain directory partitions that are available within the site begins. Replication of partial domain directory partitions that are available only from other sites begins at the next scheduled interval. Adding subsequent global catalog servers within the same site requires only intrasite replication and does not affect network performance. Replication of the global catalog potentially affects network performance only when you add the first global catalog server in the site. The impact of this replication varies, depending on the following conditions:
• The speed and reliability of the WAN link or links to the site
• The size of the forest

For example, in a forest that has a large hub site, five domains, and thirty small branch sites (some of which are connected by only dial-up connections), global catalog replication to the small sites takes considerably longer than replication of one or two domains to a few well-connected sites.

Global catalog readiness
A global catalog server is available to directory clients when Domain Name System (DNS) servers can locate it as a global catalog server. Several conditions must be met before the global catalog server is locatable by clients. These conditions are divided into seven levels (numbered 0 to 6) of readiness, called occupancy levels. At each level, a specific degree of synchronization must be achieved before occupancy moves to the next level. By default, domain controllers running Windows Server 2008 require all levels to be reached before the global catalog is ready for use. At level 6, all partial, read-only directory partitions have been successfully replicated to the global catalog server. When the requirements of all occupancy levels have been satisfied, the Net Logon service on the global catalog server registers DNS service (SRV) resource records that identify the domain controller as a global catalog server in the site and in the forest. For more information about global catalog readiness and occupancy levels, see How the Global Catalog Works (http://go.microsoft.com/fwlink/?LinkID=107063).

In summary, a global catalog server is ready to serve clients when the following events occur, in this order:
• The global catalog receives replication of read-only replicas to the required occupancy level.
• The isGlobalCatalogReady rootDSE attribute is set to TRUE.
• The Net Logon service on the domain controller has updated DNS with global-catalog-specific service (SRV) resource records.
At this point, the global catalog server begins accepting queries on ports 3268 and 3269.

Global catalog removal
When you remove the global catalog from a domain controller, that domain controller immediately stops advertising in DNS as a global catalog server. The Knowledge Consistency Checker (KCC) gradually removes the read-only replicas from the domain controller. On domain controllers running Windows Server 2008 or Windows Server 2003, the global catalog, partial, read-only directory partitions are removed in the background, and they receive a low priority so that high-priority services are not interrupted. You might decide to remove the global catalog from a domain controller if universal group membership caching is adequate to satisfy logon requirements in a particular site where WAN link speeds are not adequate for the global catalog. For more information, see Enabling Universal Group Membership Caching in a Site. For more information about global catalog removal, see How the Global Catalog Works (http://go.microsoft.com/fwlink/?LinkID=107063).

Managing the Global Catalog
Designate global catalog servers to accommodate users in sites where a global catalog server is required, for example, to accommodate forest-wide directory searching and to facilitate domain client logons when universal groups are available. For information about global catalog servers, see How the Global Catalog Works (http://go.microsoft.com/fwlink/?LinkId=107063). This section includes the following tasks for managing the global catalog:
• Configuring a Global Catalog Server
• Determining Global Catalog Readiness
• Removing the Global Catalog

Configuring a Global Catalog Server
When conditions in a site warrant adding a global catalog server, you can configure a domain controller to be a global catalog server. Selecting the global catalog setting on the NTDS Settings object prompts the Knowledge Consistency Checker (KCC) to update the topology. After the topology is updated, read-only, partial, domain directory partitions are replicated to the designated domain controller. When replication must occur between sites to create the global catalog, the site link schedule determines when replication can occur.

Task requirements
The following tools are required to perform the procedures for this task:
• Active Directory Sites and Services
• Repadmin.exe
• Dcdiag.exe

To complete this task, perform the following procedures.

Note
Some procedures are performed only when you are configuring the first global catalog server in a site.

1. Determine Whether a Domain Controller Is a Global Catalog Server
2. Designate a Domain Controller to Be a Global Catalog Server
3. Monitor Global Catalog Replication Progress
4. Verify Successful Replication to a Domain Controller

Determine Whether a Domain Controller Is a Global Catalog Server
You can use the setting on the NTDS Settings object to determine whether a domain controller is designated as a global catalog server.

Membership in Domain Users, or equivalent, is the minimum required to complete this procedure when you perform the procedure remotely by using Remote Server Administration Tools (RSAT). Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To determine whether a domain controller is a global catalog server
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue.
2. In the console tree, expand the Sites container, expand the site of the domain controller that you want to check, expand the Servers container, and then expand the Server object.
3. Right-click the NTDS Settings object, and then click Properties.
4. On the General tab, if the Global Catalog box is selected, the domain controller is designated as a global catalog server.

Designate a Domain Controller to Be a Global Catalog Server
You use this procedure to designate a domain controller as a global catalog server. When you designate a domain controller as a global catalog server, a partial, read-only directory partition for each domain in the forest, other than the full, writable directory partition of the local domain, is replicated to create the global catalog instance on the server.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To designate a domain controller to be a global catalog server
1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand the Sites container, and then expand the site in which you are designating a global catalog server.
3. Expand the Servers container, and then expand the Server object for the domain controller that you want to designate as a global catalog server.
4. Right-click the NTDS Settings object for the target server, and then click Properties.
5. Select the Global Catalog check box, and then click OK.

Monitor Global Catalog Replication Progress
You can monitor inbound replication progress to see the percentage of completeness of partial, read-only, directory partition replication to the new global catalog server.

Note
Although you can change occupancy level requirements for global catalog advertisement to force advertisement to occur before full replica occupancy, doing so can cause e-mail and search issues. Exchange servers use the global catalog for Address Book lookup. Therefore, in addition to causing Active Directory client search problems, the condition of a global catalog server being advertised before it receives all partial replicas can cause Address Book lookup and e-mail delivery problems for Exchange clients.

Membership in Domain Users and the right to log on locally to the domain controller is the minimum required to complete this procedure. By default, members of Account Operators, Administrators, Enterprise Admins, Domain Admins, Backup Operators, Print Operators, and Server Operators have the right to log on locally to a domain controller. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To monitor global catalog replication progress
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
dcdiag /s:<servername> /v | find "%"

Parameter         Description
/s:<servername>   Specifies the name of the global catalog server that you want to monitor.
/v | find "%"     Finds the percentage of replication, and provides extended information.

3. Repeat this command periodically to monitor progress. If the test shows no output, replication has completed.

Verify Successful Replication to a Domain Controller
You can use the repadmin /showrepl command to verify successful replication to a specific domain controller. If you are not running Repadmin on the domain controller whose replication you are checking, you can specify a destination domain controller in the command. Repadmin lists INBOUND NEIGHBORS for the current or specified domain controller. INBOUND NEIGHBORS shows the distinguished name of each directory partition for which inbound directory replication has been attempted, the site and name of the source domain controller, and whether replication succeeded or not, as follows:
• Last attempt @ <YYYY-MM-DD HH:MM:SS> was successful.
• Last attempt @ (Never) was successful.

If @ (Never) appears in the output for a directory partition, replication of that directory partition has never succeeded from the identified source replication partner over the listed connection.

Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To verify successful replication to a domain controller
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
repadmin /showrepl <servername> /u:<domainname>\<username> /pw:*

Note
The user credential parameters (/u:<domainname>\<username> /pw:*) are not required for the domain of the user if the user has opened the Command Prompt as an administrator with Domain Admins credentials or is logged on to the domain controller as a member of Domain Admins or equivalent. However, if you run the command for a domain controller in a different domain in the same Command Prompt session, you must provide credentials for an account in that domain.

Value                Description
repadmin /showrepl   Displays the replication status for the last time that the domain controller that is named in <servername> attempted inbound replication of Active Directory partitions.
<servername>         The name of the destination domain controller.
/u:                  Specifies the domain name and user name, separated by a backslash, for a user who has permissions to perform operations in AD DS.
<domainname>         The single-label name of the domain of the destination domain controller. (You do not have to use a fully qualified Domain Name System (DNS) name.)
<username>           The name of an administrative account in that domain.
/pw:*                Specifies the domain password for the user named in <username>. * provides a Password: prompt when you press ENTER.

3. At the Password: prompt, type the password for the user account that you provided, and then press ENTER.

You can also use repadmin to generate the details of replication to and from all replication partners in a Microsoft Excel spreadsheet. The spreadsheet displays data in the following columns:
• showrepl_COLUMNS
• Destination DC Site
• Destination DC
• Naming Context
• Source DC Site
• Source DC
• Transport Type
• Number of Failures
• Last Failure Time
• Last Success Time
• Last Failure Status

The following procedure creates this spreadsheet and sets column headings for improved readability.

To generate a repadmin /showrepl spreadsheet for all replication partners
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
repadmin /showrepl * /csv >showrepl.csv
3. Open Excel.
4. Click the Office button, click Open, navigate to showrepl.csv, and then click Open.
5. Hide or delete column A as well as the Transport Type column, as follows:
6. Select a column that you want to hide or delete.
   • To hide the column, right-click the column, and then click Hide.
   Or
   • To delete the column, right-click the selected column, and then click Delete.
7. Select row 1 beneath the column heading row. On the View tab, click Freeze Panes, and then click Freeze Top Row.
8. Select the entire spreadsheet. On the Data tab, click Filter.
9. In the Last Success Time column, click the down arrow, and then click Sort Ascending.
10. In the Source DC column, click the filter down arrow, point to Text Filters, and then click Custom Filter.
11. In the Custom AutoFilter dialog box, under Show rows where, click does not contain. In the adjacent text box, type del to eliminate from view the results for deleted domain controllers.
12. Repeat step 11 for the Last Failure Time column, but use the value does not equal, and then type the value 0.
13. Resolve replication failures.

The last successful attempt should agree with the replication schedule for intersite replication, or the attempt should be within the last hour for intrasite replication. If Repadmin reports any of the following conditions, see Troubleshooting Active Directory Replication Problems (http://go.microsoft.com/fwlink/?LinkID=93552):
• The last successful intersite replication was before the last scheduled replication.
• The last intrasite replication was longer than one hour ago.
• Replication was never successful.
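The Excel filtering in steps 5 to 13 and the three conditions listed above can be applied directly to the repadmin /csv output. The script below is an added example, not the guide's own code: it drops deleted domain controllers, sorts by Last Success Time and flags rows that were never successful, are intrasite and older than one hour, or carry a non-zero last failure. The intersite schedule comparison needs site link data and is left out. The CSV embedded in it is constructed sample data; live data comes from repadmin /showrepl * /csv, whose DC columns some repadmin versions label "Destination DSA" and "Source DSA", so the script locates those columns by pattern.

```powershell
# Added example; not from the guide. Evaluates repadmin /showrepl * /csv output against the
# conditions described after the spreadsheet procedure.

function Get-ReplicationColumn {
    # Returns the value of the first column whose header matches $Pattern (DC or DSA naming).
    param($Row, [string] $Pattern)
    $prop = $Row.PSObject.Properties | Where-Object { $_.Name -match $Pattern } | Select-Object -First 1
    if ($prop) { return $prop.Value }
}

function Get-ReplicationProblems {
    param(
        [Parameter(Mandatory)][string[]] $CsvLines,   # lines of the showrepl.csv file
        [datetime] $Now = (Get-Date)
    )
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $rows = $CsvLines | ConvertFrom-Csv
    $report = foreach ($row in $rows) {
        $sourceDc = Get-ReplicationColumn $row '^Source (DC|DSA)$'
        # Deleted DCs carry the tombstone marker "\0ADEL:" in their name; Excel step 11 filters on "del".
        if ($sourceDc -match '0ADEL:') { continue }

        $sourceSite  = Get-ReplicationColumn $row '^Source (DC|DSA) Site$'
        $destSite    = Get-ReplicationColumn $row '^Destination (DC|DSA) Site$'
        $lastSuccess = $row.'Last Success Time'
        $issues = @()

        if ($lastSuccess -match 'never') {
            $issues += 'Replication was never successful'
            $lastSuccessTime = [datetime]::MinValue
        } else {
            $lastSuccessTime = [datetime]::ParseExact($lastSuccess, 'yyyy-MM-dd HH:mm:ss', $culture)
            # Intrasite partners (same site on both ends) should have replicated within the last hour.
            if ($sourceSite -eq $destSite -and ($Now - $lastSuccessTime).TotalHours -gt 1) {
                $issues += 'Last intrasite replication was more than one hour ago'
            }
        }
        # Excel step 12: Last Failure Time not equal to 0 means the last attempt failed.
        if ($row.'Last Failure Time' -ne '0') {
            $issues += "Last failure $($row.'Last Failure Time'), status $($row.'Last Failure Status'), $($row.'Number of Failures') failures"
        }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                SourceDc = $sourceDc; SourceSite = $sourceSite; DestinationSite = $destSite
                NamingContext = $row.'Naming Context'; LastSuccess = $lastSuccess
                LastSuccessTime = $lastSuccessTime; Issues = ($issues -join '; ')
            }
        }
    }
    # Excel step 9: ascending by Last Success Time, so (never) and the oldest rows come first.
    $report | Sort-Object LastSuccessTime
}

# Constructed sample in the repadmin /csv layout (the first column is the row-type marker).
$sampleCsv = @'
showrepl_COLUMNS,Destination DC Site,Destination DC,Naming Context,Source DC Site,Source DC,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HubSite,DC1,"DC=corp,DC=example,DC=com",HubSite,DC2,RPC,0,0,2008-09-10 10:30:12,0
showrepl_INFO,HubSite,DC1,"DC=corp,DC=example,DC=com",BranchSite,DC3,RPC,3,2008-09-10 06:00:00,2008-09-09 22:00:00,1722
showrepl_INFO,HubSite,DC1,"CN=Configuration,DC=corp,DC=example,DC=com",HubSite,DC4,RPC,0,0,(never),0
showrepl_INFO,HubSite,DC1,"DC=corp,DC=example,DC=com",HubSite,DC5\0ADEL:5b1d2c4e-0000-0000-0000-000000000000,RPC,9,2008-09-01 00:00:00,(never),8524
showrepl_INFO,HubSite,DC1,"DC=corp,DC=example,DC=com",HubSite,DC6,RPC,0,0,2008-09-10 08:15:00,0
'@ -split "`r?`n"

# With the clock fixed at 2008-09-10 11:00:00 this reports DC4 (never), DC3 (failed, intersite)
# and DC6 (intrasite, 2h45m old); DC2 is healthy and the deleted DC5 row is skipped.
Get-ReplicationProblems -CsvLines $sampleCsv -Now ([datetime]'2008-09-10 11:00:00') |
    Format-Table SourceDc, SourceSite, LastSuccess, Issues -AutoSize
```

For live data, replace the sample with Get-Content .\showrepl.csv after running the repadmin command from step 2.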

Determining Global Catalog 4eadiness
After replication of the partial domain director partitions is complete( the domain controller advertises itself as a global catalog server and begins accepting Fueries& Advertising begins %hen the occupanc level for partial domain director partition replication has been reached& The default occupanc level reFuires that all partial domain director partitions have been replicated& Caution 'f ou lo%er the occupanc level( the domain controller advertises itself as a global catalog server before it has complete information from all domains in the forest& 'n this case( it might return false information to applications that begin using the server for Address >oo0 loo0up and forest/%ide searches& Eou can use the procedures in this tas0 to determine if a domain controller is read to begin advertising itself as a global catalog server& ask re0uirements The follo%ing tools are reFuired to perform the procedures for this tas0: • • • +dp&e-e 9ltest&e-e D9S snap/in

To complete this tas0( perform the follo%ing procedures: 6& Berif 5lobal Catalog *eadiness 2& Berif 5lobal Catalog D9S *egistrations

5erify Global Catalog 4eadiness
$hen a global catalog server has satisfied replication reFuirements( the isGlobalCatalog4eady rootDS. attribute is set to 43.( and the global catalog is read to serve clients& Eou can use this procedure to verif global catalog readiness& Membership in Domain 3sers and the right to log on locall to a domain controller is the minimum reFuired to complete this procedure& > default( members of Account Operators( Administrators( .nterprise Admins( Domain Admins( $ackup Operators( %rint Operators( 6<8

and Server Operators have the right to log on locall to a domain controller& *evie% details about using the appropriate accounts and group memberships at http:33go&microsoft&com3f%lin03P +in0'dQ87A<<&

5erifying global catalog readiness
• • )sing the $indo%s interface )sing a command prompt

To verify global catalog readiness using the Windows interface
1. Click Start, click Run, type Ldp, and then click OK.
2. On the Connection menu, click Connect.
3. In Connect, type the name of the server whose global catalog readiness you want to verify.
4. In Port, if 389 is not showing, type 389.
5. If the Connectionless check box is selected, clear it, and then click OK.
6. In the details pane, verify that the isGlobalCatalogReady attribute has a value of TRUE.
7. On the Connection menu, click Disconnect, and then close Ldp.

To verify global catalog readiness using a command prompt
1. Open a Command Prompt.
2. At the command prompt, type the following command, and then press ENTER:

nltest /server:<servername> /dsgetdc:<domainname>

Parameter       Description
<servername>    Specifies the name of the domain controller that you have designated as a global catalog server.
<domainname>    Specifies the name of the domain to which the server belongs.

3. In the Flags: line of the output, if GC appears, the global catalog server has satisfied its replication requirements.

Verify Global Catalog DNS Registrations
To verify that a server is advertised as a global catalog server, confirm the presence of Domain Name System (DNS) service (SRV) resource records for the server. You can use this procedure to verify global catalog DNS registrations.

Membership in DNSAdmins and the right to log on locally to the domain controller is the minimum required to complete this procedure. By default, members of Account Operators, Administrators, Enterprise Admins, Domain Admins, Backup Operators, Print Operators, and Server Operators have the right to log on locally to a domain controller. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To verify global catalog DNS registrations
1. Click Start, point to Administrative Tools, and then click DNS.
2. Connect to a domain controller in the forest root domain: Right-click DNS, click Connect to DNS Server, and then click The following computer. Type the computer name, and then click OK.
3. Expand Forward Lookup Zones, and then expand the forest root domain.
4. Click the _tcp container.
5. In the details pane, look in the Name column for _gc and in the Data column for the name of the server. The records that begin with _gc are global catalog service (SRV) resource records.
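The two checks in this task (the isGlobalCatalogReady rootDSE attribute from the Ldp procedure, and the _gc SRV records from the DNS procedure) can be scripted so that both are read for one server at a time. The following is an added example, not code from the Microsoft guide; it assumes PowerShell 3.0 or later on a domain-joined computer where Resolve-DnsName and Test-NetConnection are available, and the server and domain names in the usage line are placeholders.

```powershell
# Added example, not part of the Microsoft guide: check whether a domain controller is
# ready to act as, and is advertised as, a global catalog server.
# Assumes PowerShell 3.0+ on a domain-joined machine with the DnsClient and NetTCPIP
# cmdlets (Resolve-DnsName, Test-NetConnection) available.
function Test-GlobalCatalogAdvertising {
    param(
        # FQDN of the domain controller to check (placeholder value, replace with yours)
        [Parameter(Mandatory)][string]$Server,
        # DNS name of the forest root domain; _gc SRV records live under its _tcp container
        [Parameter(Mandatory)][string]$ForestRootDomain
    )

    # 1. Same check as the Ldp procedure: read rootDSE over LDAP (port 389) and inspect
    #    isGlobalCatalogReady, which becomes TRUE once the replication requirements for
    #    the partial domain directory partitions are satisfied.
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    $isReady = ([string]$rootDse.Properties['isGlobalCatalogReady'].Value) -eq 'TRUE'

    # 2. A domain controller that is not a global catalog does not accept LDAP on the
    #    global catalog port 3268 (or 3269 for LDAP over SSL).
    $gcPortOpen = Test-NetConnection -ComputerName $Server -Port 3268 `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    # 3. Same check as the DNS snap-in procedure: Net Logon registers _gc SRV records in
    #    the forest root zone only while the server advertises itself as a global catalog.
    $srv = Resolve-DnsName -Name "_gc._tcp.$ForestRootDomain" -Type SRV -ErrorAction SilentlyContinue
    $advertised = @($srv | Where-Object { $_.NameTarget -eq $Server }).Count -gt 0

    [pscustomobject]@{
        Server               = $Server
        IsGlobalCatalogReady = $isReady
        GcPort3268Open       = $gcPortOpen
        GcSrvRecordPresent   = $advertised
        # Once Net Logon has registered its records, readiness and advertising agree;
        # a mismatch points at DNS registration (or removal) still in progress.
        Consistent           = ($isReady -eq $advertised)
    }
}

# Usage (placeholder names):
# Test-GlobalCatalogAdvertising -Server 'dc1.corp.example.com' -ForestRootDomain 'corp.example.com'
```

Run it from an account that can read rootDSE on the target (any domain user) and query the forest root DNS zone; a server whose global catalog was just removed typically shows IsGlobalCatalogReady FALSE, the port closed, and the SRV record gone within the same DNS refresh cycle.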

Removing the Global Catalog
Removing the global catalog from a domain controller simply requires clearing the Global Catalog check box on the NTDS Settings object properties page in Active Directory Sites and Services. As soon as this operation is complete, the domain controller stops advertising itself as a global catalog server (that is, Net Logon deregisters the global-catalog-related records in Domain Name System (DNS)), and the domain controller immediately stops accepting Lightweight Directory Access Protocol (LDAP) requests over ports 3268 and 3269. Global catalog directory partitions are removed gradually in the background.

Task requirements
The following tool is required to perform the procedures for this task:
• Active Directory Sites and Services

To complete this task, perform the following procedures:
1. Clear the Global Catalog Setting
2. Monitor Global Catalog Removal in Event Viewer

Clear the Global Catalog Setting
Clearing the global catalog setting begins the removal of the partial, read-only directory partitions from the directory database of the domain controller. You can use this procedure to clear the global catalog setting.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To clear the global catalog setting
1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Expand the Sites container, and then expand the site from which you are removing a global catalog server.
3. Expand the Servers container, and then expand the Server object for the domain controller from which you want to remove the global catalog.
4. Right-click the NTDS Settings object for the target server, and then click Properties.
5. If the Global Catalog check box is selected, clear the check box, and then click OK.

Monitor Global Catalog Removal in Event Viewer
To verify that the global catalog has been removed from a domain controller, monitor Event Viewer. When the global catalog has been removed successfully, the Knowledge Consistency Checker (KCC) logs Event ID 1265 in the Directory Service event log. You can use this procedure to monitor global catalog removal in Event Viewer.

Membership in Server Operators and the right to log on locally to a domain controller, or equivalent, is the minimum required to complete this procedure. By default, members of Account Operators, Administrators, Enterprise Admins, Domain Admins, Backup Operators, Print Operators, and Server Operators have the right to log on locally to a domain controller. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To monitor global catalog removal in Event Viewer
1. Click Start, point to Administrative Tools, and then click Event Viewer.
2. Right-click Event Viewer (Local), and then click Connect to Another Computer.
3. In the Select Computer dialog box, click Another computer, and then type the name of the server from which you removed the global catalog.
4. Click Connect as another user, and then click Set User.
5. Type the user name and password for a user that has access to the global catalog server and permission to open Event Viewer, and then click OK twice.
6. Under Applications and Services Logs, click Directory Service.
7. Look for ActiveDirectory_DomainService event ID 1265, which indicates that the global catalog is removed from the local computer.

Administering Operations Master Roles
This guide provides information about administering Active Directory operations master (also known as flexible single master operations or FSMO) roles in Windows Server 2008.

In this guide
• Introduction to Administering Operations Master Roles
• Managing Operations Master Roles

Introduction to Administering Operations Master Roles
Domain controllers that hold operations master (also known as flexible single master operations or FSMO) roles keep the directory functioning properly by performing specific tasks that no other domain controllers are permitted to perform. Three operations master roles exist in each domain:
• The primary domain controller (PDC) emulator operations master. The PDC emulator operations master processes all replication requests from Windows NT Server 4.0 backup domain controllers (BDCs). It also processes all password updates for clients not running Active Directory-enabled client software, plus any other directory write operations. The PDC emulator receives preferential replication of password changes that are performed by other domain controllers in the domain, and it is the source for the latest password information whenever a logon attempt fails as a result of a bad password. For this reason, of all operations master roles, the PDC emulator operations master role has the highest impact on the performance of the domain controller that hosts that role. The PDC emulator in the forest root domain is also the default Windows Time service (W32time) time source for the forest.
• The relative ID (RID) operations master. The RID master allocates RID pools to all domain controllers to ensure that new security principals can be created with a unique identifier.
• The infrastructure operations master. The infrastructure master manages references from objects in its domain to objects in other domains. It also updates group-to-user references when the members of groups are renamed or changed.

In addition to the three domain-level operations master roles, two operations master roles exist in each forest:
• The schema operations master. The schema master governs all changes to the schema.
• The domain naming operations master. The domain naming master adds and removes domain directory partitions and application directory partitions to and from the forest.

To perform their respective operations, the domain controllers that host operations master roles must be consistently available and they must be located in areas where network reliability is high. Careful placement of your operations masters becomes more important as you add more domains and sites as you build your forest.

Guidelines for role placement
Improper placement of operations master role holders can prevent clients from changing their passwords or being able to add domains and new objects, such as Users and Groups. Schema changes might not be possible. In addition, name changes might appear improperly within group memberships that are displayed in the user interface (UI).

Note
Operations master roles cannot be placed on a read-only domain controller (RODC).

As your environment changes, you must avoid the problems that are associated with improper operations master role placement. Eventually, you might have to reassign the roles to other domain controllers. Although you can assign the forest-level and domain-level operations master roles to any domain controller in the forest and domain, respectively, improper infrastructure master role placement can cause the infrastructure master to perform incorrectly. Other improper operations master configurations can increase administrative overhead. Following these guidelines will help to minimize administrative overhead and ensure the proper performance of Active Directory Domain Services (AD DS). Following these guidelines will simplify the recovery process if a domain controller that is hosting an operations master role fails.

Follow these guidelines for operations master role placement:
• Configure an additional domain controller as the standby operations master for the forest-level roles. Configure an additional domain controller as the standby operations master for the domain-level roles.
• Place the domain-level roles on a high-performance domain controller.
• Do not place domain-level roles on a global catalog server.
• Leave the two forest-level roles on a domain controller in the forest root domain.
• In the forest root domain, transfer the three domain-level roles from the first domain controller that you installed in the forest root domain to an additional domain controller that has a high performance level.
• In all other domains, leave the domain-level roles on the first domain controller.
• Adjust the workload of the PDC emulator, if necessary.

Prepare additional domain controllers as standby operations masters
Because the operations master roles are critical to proper forest and domain function, it is important to be prepared in the event that an operations master role holder becomes inoperable or unreachable. You can prepare an additional domain controller for the forest roles in the forest root domain and an additional domain controller for the domain roles in each domain by configuring them to be optimally connected to the respective current role holder so that role transfer occurs as quickly as possible.

Place domain-level roles on a high-performance domain controller
The PDC emulator role requires a powerful and reliable domain controller to ensure that the domain controller is available and capable of handling the workload. Of all the operations master roles, the PDC emulator role creates the most overhead on the server that is hosting the role. It has the most intensive daily interaction with other systems on the network. The PDC emulator has the greatest potential to affect daily operations of the directory.

Note
If an RODC is installed in the domain, the PDC emulator role must be placed on a domain controller that is running Windows Server 2008.

Domain controllers can become overloaded while attempting to service client requests on the network, manage their own resources, and handle any specialized tasks, such as performing the various operations master roles. This is especially true of the domain controller that holds the PDC emulator role. Again, clients running operating systems earlier than Windows 2000 Server and domain controllers running Windows NT Server 4.0 rely more heavily on the PDC emulator than AD DS clients and domain controllers. If your networking environment has clients and domain controllers running operating systems earlier than Windows 2000 Server, you might need to reduce the workload of the PDC emulator. If a domain controller begins to indicate that it is overloaded and its performance is affected, you can reconfigure the environment so that some tasks are performed by other, less-used domain controllers. By adjusting the domain controller's weight in the Domain Name System (DNS) environment, you can configure the domain controller to receive fewer client requests than other domain controllers on your network. As an option, you can adjust the domain controller's priority in the DNS environment so that it processes client requests only if other DNS servers are unavailable. With fewer DNS client requests to process, the domain controller can use more resources to perform operations master services for the domain.

Do not place domain-level roles on a global catalog server
The infrastructure master is incompatible with the global catalog, and it must not be placed on a global catalog server. Because it is best to keep the three domain-level roles together for ease of administration, avoid putting any of them on a global catalog server.

The infrastructure master updates objects for any attribute values with distinguished name (dn) syntax that reference objects outside the current domain. These updates are particularly important for security principal objects (users, computers, and groups). For example, suppose a user from one domain is a member of a group in a second domain and the user's surname (the sn attribute on the user object) is changed in the first domain. This change usually also changes the dn attribute value of the user object, which is the value that is used in the member attribute of group objects. Because domain controllers in one domain do not replicate security principals to domain controllers in another domain, the second domain never receives the change. An out-of-date value on the member attribute of a group in another domain could result in the user whose name has changed being denied privileges. To ensure consistency between domains, the infrastructure master constantly monitors group memberships, looking for member attribute values that identify security principals from other domains. If it finds one, it compares its distinguished name with the distinguished name in the domain of the security principal to determine if the information has changed. If the information on the infrastructure master is out of date, the infrastructure master performs an update and then replicates the change to the other domain controllers in its domain. Two exceptions apply to this rule:
1. If all the domain controllers are global catalog servers, the domain controller that hosts the infrastructure master role is insignificant because global catalog servers replicate updated security principal information to all other global catalog servers.
2. If the forest has only one domain, the infrastructure master role is not needed because security principals from other domains do not exist.

Leave forest-level roles on the original domain controller in the forest root domain
The first domain controller that is installed in the forest automatically receives the schema master and domain naming master roles. It also hosts the global catalog. To ease administration and backup and restore procedures, leave these roles on the original forest root domain controller. The roles are compatible with the global catalog, and moving the roles to other domain controllers does not improve performance. Separating the roles creates additional administrative overhead when you must identify the standby operations masters and when you implement a backup and restore policy. Unlike the PDC emulator role, forest-level roles rarely place a significant burden on the domain controller. Keep these roles together to provide easy, predictable management.

In the forest root domain, transfer domain-level roles from the first domain controller
The three domain-level roles are assigned to the first domain controller that is created in a new domain. In the case of the forest root domain, the first domain controller that is created in the domain hosts both forest-level roles and all three domain-level roles, as well as the global catalog. The infrastructure master role is incompatible with the global catalog. For this reason, when you install the second domain controller in the forest root domain, the Active Directory Domain Services Installation Wizard prompts you to allow the wizard to transfer the role during installation of AD DS. Following installation of the second domain controller, consider transferring the PDC emulator and RID master roles to the second domain controller, as well, to keep the three roles together for easy administration.

In all other domains, leave domain-level roles on the first domain controller
Except for the forest root domain, leave the domain-level roles on the first domain controller that you install in the domain and do not configure that domain controller as a global catalog server. Keep the roles together unless the workload on your operations master justifies the additional management burden of separating the roles. Because all clients running non-Windows operating systems or Windows operating systems earlier than Windows 2000 Server submit updates to the PDC emulator, the domain controller holding that role uses a higher number of RIDs when the network hosts many of these clients. Place the PDC emulator and RID master roles on the same domain controller so that these two roles interact more efficiently. If you must separate the roles, you can still use a single standby operations master for all three roles. However, you must ensure that the standby is a replication partner of all three of the role holders. Backup and restore procedures also become more complex if you separate the roles. Special care must be taken to restore a domain controller that hosted an operations master role. By hosting the roles on a single computer, you minimize the steps that are required to restore a role holder.

Adjust the workload of the PDC emulator operations master role holder
Depending on the size of the forest or domain, you might want to configure DNS so that client requests favor domain controllers other than the PDC emulator. The PDC emulator role has the highest load demands of all the operations master roles.
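The placement guidelines above (forest-level roles in the forest root domain, the infrastructure master kept off global catalog servers unless every domain controller is a global catalog or the forest has a single domain, the three domain-level roles kept together, and a Windows Server 2008 PDC emulator wherever an RODC exists) can be audited rather than checked by hand. The following read-only audit is an added example, not code from the Microsoft guide; it assumes the ActiveDirectory PowerShell module (RSAT-AD-PowerShell) and read access to every domain in the forest, and the property names it uses are those of Get-ADForest, Get-ADDomain and Get-ADDomainController.

```powershell
# Added example, not part of the Microsoft guide: audit operations master placement in
# the forest against the guidelines in this section. Requires the ActiveDirectory module
# (RSAT-AD-PowerShell); reads only, makes no changes.
function Test-OperationsMasterPlacement {
    $forest      = Get-ADForest
    $findings    = New-Object System.Collections.Generic.List[string]
    $domainCount = @($forest.Domains).Count

    # Guideline: leave the two forest-level roles in the forest root domain.
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        $holder       = $forest.$role
        $holderDomain = (Get-ADDomainController -Identity $holder).Domain
        if ($holderDomain -ne $forest.RootDomain) {
            $findings.Add("$role holder $holder is outside the forest root domain $($forest.RootDomain).")
        }
    }

    foreach ($domainName in $forest.Domains) {
        $domain  = Get-ADDomain -Identity $domainName
        $dcs     = @(Get-ADDomainController -Filter * -Server $domainName)
        $allGc   = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
        $hasRodc = @($dcs | Where-Object { $_.IsReadOnly }).Count -gt 0

        # Guideline: the infrastructure master must not be a global catalog server,
        # except when every DC in the domain is a GC or the forest has only one domain.
        $infra = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
        if ($infra -and $infra.IsGlobalCatalog -and -not $allGc -and $domainCount -gt 1) {
            $findings.Add("${domainName}: infrastructure master $($domain.InfrastructureMaster) is a global catalog server.")
        }

        # Guideline: keep the three domain-level roles together.
        $holders = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster | Sort-Object -Unique)
        if ($holders.Count -gt 1) {
            $findings.Add("${domainName}: domain-level roles are split across $($holders -join ', ').")
        }

        # Note in the guide: with an RODC in the domain, the PDC emulator must run Windows Server 2008.
        $pdc = $dcs | Where-Object { $_.HostName -eq $domain.PDCEmulator }
        if ($hasRodc -and $pdc -and $pdc.OperatingSystem -match 'Windows (2000|Server 2003)') {
            $findings.Add("${domainName}: RODC present but PDC emulator $($pdc.HostName) runs $($pdc.OperatingSystem).")
        }
    }

    if ($findings.Count -eq 0) { 'No operations master placement issues found.' } else { $findings }
}

# Usage: run as a user with read access to all domains in the forest.
# Test-OperationsMasterPlacement
```

A finding is a prompt to plan a role transfer (see the "Guidelines for role transfer" below), not to change the global catalog setting on the current holder; the guide's note on configuration changes explains why the transfer is the safer move.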

Guidelines for role transfer
Role transfer is the preferred method to move an operations master role from one domain controller to another. During a role transfer, the two domain controllers replicate to ensure that no information is lost. After the transfer is complete, the previous role holder no longer attempts to perform as the operations master, which eliminates the possibility of duplicate operations masters existing on the network. Consider moving the operations master role or roles when any of the following conditions exist:
• Inadequate service performance
• Failure of a domain controller that hosts an operations master role
• Decommissioning of a domain controller that hosts an operations master role
• Administrative configuration changes that affect operations master role placement

Inadequate service performance
The PDC emulator is the operations master role that most affects the performance of a domain controller. For clients that do not run Active Directory client software, the PDC emulator processes requests for password changes, replication, and user authentication. While it provides support for these clients, the domain controller continues to perform its normal services, such as authenticating Active Directory-enabled clients. As the network grows, the volume of client requests can increase the workload for the domain controller that hosts the PDC emulator role and its performance can suffer. To solve this problem, you can transfer all or some of the operations master roles to another, more powerful domain controller. As an alternative, you may choose to transfer the role to another domain controller, upgrade the hardware on the original domain controller, and then transfer the role back again.

Operations master failure
In the event of a failure of an operations role holder, you must decide if you need to relocate the operations master roles to another domain controller or wait for the domain controller to be returned to service. Base that determination on the role that the domain controller hosts and the expected downtime.

Decommissioning of the domain controller
Before you take a domain controller offline permanently, transfer any operations master roles that the domain controller holds to another domain controller. When you use the Active Directory Installation Wizard to decommission a domain controller that currently hosts one or more operations master roles, the wizard reassigns the roles to a different domain controller. When the wizard is run, it determines whether the domain controller currently hosts any operations master roles. If it detects any operations master roles, it queries the directory for other eligible domain controllers and transfers the roles to a new domain controller. A domain controller is eligible to host the domain-level roles if it is a member of the same domain. A domain controller is eligible to host a forest-level role if it is a member of the same forest.

Configuration changes
Configuration changes to domain controllers or the network topology can result in the need to transfer operations master roles. Except for the infrastructure master, you can assign operations master roles to any domain controller regardless of any other tasks that the domain controller performs. Do not host the infrastructure master role on a domain controller that is also acting as a global catalog server unless all the domain controllers in the domain are global catalog servers or unless the forest has only one domain. If the domain controller that hosts the infrastructure master role is configured to be a global catalog server, you must transfer the infrastructure master role to another domain controller. Changes to the network topology can result in the need to transfer operations master roles to keep them in a particular site.

Note
Do not change the global catalog configuration on the domain controller that you intend to assume an operations master role unless your information technology (IT) management authorizes that change. Changing the global catalog configuration can cause changes that can take days to complete, and the domain controller might not be available during that period. Instead, transfer the operations master roles to a different domain controller that is already configured properly.

You can reassign an operations master role by transfer or, as a last resort, by seizure.

Important
If you must seize an operations master role, never reattach the previous role holder to the network without following the procedures in this guide. Reattaching the previous role holder to the network incorrectly can result in invalid data and corruption of data in the directory.

Managing Operations Master Roles
Operations masters keep the directory functioning properly by performing specific tasks that no other domain controllers are permitted to perform. This section includes the following tasks for managing operations master roles:
• Designating a Standby Operations Master
• Transferring an Operations Master Role
• Seizing an operations master role
• Reducing the Workload on the PDC Emulator Master

Designating a Standby Operations Master
A standby operations master is a domain controller that you identify as the computer that assumes the operations master role if the original computer fails. A single domain controller can act as the standby operations master for all the operations master roles in a domain, or you can designate a separate standby for each operations master role. When you designate a domain controller as the standby operations master, follow all the recommendations in "Guidelines for Role Placement" in Introduction to Administering Operations Master Roles.

Standby operations master computer requirements
No utilities or special steps are required to designate a domain controller as a standby operations master. However, the current operations master and the standby operations master should be well connected. "Well connected" means that the network connection between them must support at least a 10-megabit transmission rate and be available at all times. In addition, creating a manual connection object between the standby domain controller and the operations master will ensure direct replication between the two operations masters. By making the operations master and the standby operations master direct replication partners, you reduce the chance of data loss in the event of a role seizure, which reduces the chance of directory corruption.

Replication requirements
Before you transfer a role from the current role holder to the standby operations master, ensure that replication between the two computers is functioning properly. Because they are replication partners, the new operations master is already consistent with the original operations master, which reduces the time that is required for the transfer operation. During role transfer, the two domain controllers exchange any unreplicated information to ensure that no transactions are lost. If the two domain controllers are not direct replication partners, a substantial amount of information might have to be replicated before the domain controllers completely synchronize with each other. The role transfer requires extra time to replicate the outstanding transactions. If the two domain controllers are direct replication partners, fewer outstanding transactions exist and the role transfer operation completes sooner.

Task requirements
The following tools are required to perform the procedures for this task:
• Active Directory Sites and Services
• Repadmin.exe

To complete this task, perform the following procedures:
• Determine Whether a Domain Controller Is a Global Catalog Server
• Create a Connection Object on the Operations Master and Standby
• Verify Successful Replication to a Domain Controller

Determine Whether a Domain Controller Is a Global Catalog Server
You can use the setting on the NTDS Settings object to determine whether a domain controller is designated as a global catalog server.

Membership in Domain Users, or equivalent, is the minimum required to complete this procedure when you perform the procedure remotely by using Remote Server Administration Tools (RSAT). Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To determine whether a domain controller is a global catalog server
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue.
2. In the console tree, expand the Sites container, expand the site of the domain controller that you want to check, expand the Servers container, and then expand the Server object.
3. Right-click the NTDS Settings object, and then click Properties.
4. On the General tab, if the Global Catalog box is selected, the domain controller is designated as a global catalog server.

Create a Connection Object on the Operations Master and Standby
To ensure that the current operations master role holder and the standby operations master are replication partners, you can manually create connection objects between the two domain controllers. Even if a connection object is generated automatically, we recommend that you manually create a connection object on both the operations master and the standby operations master. The replication system can alter automatically created connection objects any time. Manually created connections remain the same until an administrator changes them.

You can use this procedure to create the following:
• A manual connection object that designates the standby server as the From Server on the NTDS Settings object of the operations master
• A manual connection object that designates the operations master server as the From Server on the NTDS Settings object of the standby server

Administrative credentials
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To create a connection object on the operations master and standby
1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Expand the site name in which the current operations master role holder is located to display the Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. To create a connection object from the standby server on the current operations master, expand the name of the operations master server on which you want to create the connection object to display its NTDS Settings object.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Active Directory Domain Controllers dialog box, select the name of the standby server from which you want to create the connection object, and then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the connection object or accept the default name, and then click OK.
8. To create a connection object from the current operations master to the standby server, repeat steps 4 through 7, but in step 4, expand the name of the standby server. In step 6, select the name of the current operations master.

Verify Successful Replication to a Domain Controller
You can use the repadmin /showrepl command to verify successful replication to a specific domain controller. If you are not running Repadmin on the domain controller whose replication you are checking, you can specify a destination domain controller in the command. Repadmin lists INBOUND NEIGHBORS for the current or specified domain controller. INBOUND NEIGHBORS shows the distinguished name of each directory partition for which inbound directory replication has been attempted, the site and name of the source domain controller, and whether replication succeeded or not, as follows:
• Last attempt @ <YYYY-MM-DD HH:MM:SS> was successful.
• Last attempt @ (never) was successful.

If @ (never) appears in the output for a directory partition, replication of that directory partition has never succeeded from the identified source replication partner over the listed connection.

Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To verify successful replication to a domain controller
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:

repadmin /showrepl <servername> /u:<domainname>\<username> /pw:*

Note
The user credential parameters (/u:<domainname>\<username> /pw:*) are not required for the domain of the user if the user has opened the Command Prompt as an administrator with Domain Admins credentials or is logged on to the domain controller as a member of Domain Admins or equivalent. However, if you run the command for a domain controller in a different domain in the same Command Prompt session, you must provide credentials for an account in that domain.

Value                 Description
repadmin /showrepl    Displays the replication status for the last time that the domain controller that is named in <servername> attempted inbound replication of Active Directory partitions.
<servername>          The name of the destination domain controller.
/u:                   Specifies the domain name and user name, separated by a backslash, for a user who has permissions to perform operations in AD DS.
<domainname>          The single-label name of the domain of the destination domain controller. (You do not have to use a fully qualified Domain Name System (DNS) name.)
<username>            The name of an administrative account in that domain.
/pw:*                 Specifies the domain password for the user named in <username>. * provides a Password: prompt when you press ENTER.

3. At the Password: prompt, type the password for the user account that you provided, and then press ENTER.

You can also use repadmin to generate the details of replication to and from all replication partners in a Microsoft Excel spreadsheet. The spreadsheet displays data in the following columns: showrepl_COLUMNS, Destination DC Site, Destination DC, Naming Context, Source DC Site, Source DC, Transport Type, Number of Failures, Last Failure Time, Last Success Time, Last Failure Status.


The following procedure creates this spreadsheet and sets column headings for improved readability.

To generate a repadmin /showrepl spreadsheet for all replication partners
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:

repadmin /showrepl * /csv >showrepl.csv

3. Open Excel.
4. Click the Office button, click Open, navigate to showrepl.csv, and then click Open.
5. Hide or delete column A as well as the Transport Type column, as follows:
6. Select a column that you want to hide or delete.
• To hide the column, right-click the column, and then click Hide.
Or
• To delete the column, right-click the selected column, and then click Delete.
7. Select row 1 beneath the column heading row. On the View tab, click Freeze Panes, and then click Freeze Top Row.
8. Select the entire spreadsheet. On the Data tab, click Filter.
9. In the Last Success Time column, click the down arrow, and then click Sort Ascending.
10. In the Source DC column, click the filter down arrow, point to Text Filters, and then click Custom Filter.
11. In the Custom AutoFilter dialog box, under Show rows where, click does not contain. In the adjacent text box, type del to eliminate from view the results for deleted domain controllers.
12. Repeat step 11 for the Last Failure Time column, but use the value does not equal, and then type the value 0.
13. Resolve replication failures. The last successful attempt should agree with the replication schedule for intersite replication, or the attempt should be within the last hour for intrasite replication. If Repadmin reports any of the following conditions, see Troubleshooting Active Directory Replication Problems (http://go.microsoft.com/fwlink/?LinkID=93552):
• The last successful intersite replication was before the last scheduled replication.
• The last intrasite replication was longer than one hour ago.
• Replication was never successful.
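As an added example (not part of the guide), the following Windows PowerShell script applies the same three tests to the CSV that repadmin /showrepl * /csv produces, so the triage can run unattended instead of in Excel. The sample rows, the site names, and the three-hour intersite limit are constructed for illustration; newer repadmin builds label the partner columns DSA rather than DC, which the column lookup tolerates.

```powershell
# Added example, not from the guide: apply the guide's three replication tests to the
# output of "repadmin /showrepl * /csv" without opening Excel.

function Test-ReplicationHealth {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,                   # rows from ConvertFrom-Csv / Import-Csv
        [datetime] $Now = (Get-Date),
        [timespan] $IntrasiteMaxAge = (New-TimeSpan -Hours 1),     # guide: intrasite must be within the last hour
        [timespan] $IntersiteMaxAge = (New-TimeSpan -Hours 3)      # assumption: the longest site-link interval in use
    )
    # Newer repadmin builds label the partner columns "DSA" instead of "DC";
    # look the real header names up once so either export is accepted.
    $names   = $Rows[0].PSObject.Properties.Name
    $srcDC   = @($names | Where-Object { $_ -match '^Source D(C|SA)$' })[0]
    $srcSite = @($names | Where-Object { $_ -match '^Source D(C|SA) Site$' })[0]
    $dstSite = @($names | Where-Object { $_ -match '^Destination D(C|SA) Site$' })[0]

    foreach ($r in $Rows) {
        # Step 11 of the procedure: ignore partners whose server object has been deleted.
        if ($r.$srcDC -like '*del*') { continue }

        $last      = [string]$r.'Last Success Time'
        $intrasite = ($r.$srcSite -eq $r.$dstSite)
        $scope     = if ($intrasite) { 'intrasite' } else { 'intersite' }
        $limit     = if ($intrasite) { $IntrasiteMaxAge } else { $IntersiteMaxAge }
        $problem   = $null

        if ([string]::IsNullOrWhiteSpace($last) -or $last -eq '0' -or $last -match 'never') {
            $problem = 'Replication was never successful'
        } else {
            # repadmin writes timestamps as yyyy-MM-dd HH:mm:ss
            $when = [datetime]::ParseExact($last, 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            $age  = $Now - $when
            if ($age -gt $limit) {
                $problem = 'Last {0} replication was {1:N0} minutes ago (limit {2:N0})' -f $scope, $age.TotalMinutes, $limit.TotalMinutes
            }
        }

        if ($problem) {
            [pscustomobject]@{
                Partner       = $r.$srcDC
                NamingContext = $r.'Naming Context'
                Scope         = $scope
                LastSuccess   = $last
                Failures      = $r.'Number of Failures'
                LastStatus    = $r.'Last Failure Status'
                Problem       = $problem
            }
        }
    }
}

# Constructed sample in the layout that "repadmin /showrepl * /csv" produces (not real output).
$sample = @'
showrepl_COLUMNS,Destination DC Site,Destination DC,Naming Context,Source DC Site,Source DC,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Hub,DC1,"DC=contoso,DC=com",Hub,DC2,RPC,0,0,2008-09-14 10:12:33,0
showrepl_INFO,Hub,DC1,"CN=Configuration,DC=contoso,DC=com",Branch,DC3,RPC,3,2008-09-14 09:50:01,2008-09-13 22:00:00,1722
showrepl_INFO,Hub,DC1,"DC=contoso,DC=com",Hub,DC4,RPC,7,2008-09-14 10:20:00,2008-09-14 07:00:00,8524
showrepl_INFO,Hub,DC1,"DC=contoso,DC=com",Hub,DC5\0ADEL:deleted-object-guid,RPC,40,2008-09-14 10:20:00,0,1256
'@

$rows = $sample | ConvertFrom-Csv
Test-ReplicationHealth -Rows $rows -Now ([datetime]'2008-09-14 10:30:00') | Format-Table -AutoSize

# Against a live forest, replace the sample with the real export:
#   $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
```

With the constructed rows, DC2 passes, DC3 (intersite, last success the previous evening) and DC4 (intrasite, three and a half hours old) are reported, and the deleted DC5 object is skipped exactly as the Excel filter in step 11 would skip it. The intersite limit is the one value you must set from your own site-link schedule; the guide's one-hour intrasite limit is built in.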


Transferring an Operations Master Role
When you create a new domain, the Active Directory Domain Services Installation Wizard automatically assigns all the domain-level operations master roles to the first domain controller that is created in that domain. When you create a new forest, the wizard also assigns the two forest-level operations master roles to the first domain controller. After the domain is created and functioning, you might transfer various operations master roles to different domain controllers to optimize performance and simplify administration.

The first domain controller that you install to create a new forest is necessarily both a global catalog server and the infrastructure operations master role holder. When you install the second domain controller in the forest root domain, the Active Directory Domain Services Installation Wizard prompts you to transfer the infrastructure master role to the domain controller that you are installing. Select this option to avoid having to transfer the infrastructure operations master role manually.

The transfer of forest-level and domain-level operations master roles is performed as needed, and it is governed by the guidelines for placing operations master roles. Before you transfer an operations master role, ensure that replication between the current role holder and the domain controller that is assuming the role is up to date. When you transfer domain-level roles, you must determine whether the domain controller that you want to assume an operations master role is a global catalog server. The infrastructure master for each domain must not host the global catalog, unless every domain controller in the domain is a global catalog server; in that case no domain controller holds stale cross-domain references for the infrastructure master to update, and its placement does not matter.

Caution Do not change the global catalog configuration on the domain controller that you want to assume an operations master role unless your information technology (IT) management authorizes that change. Changing the global catalog configuration can cause changes that can take days to complete, and the domain controller might not be available during that period. Instead, transfer the operations master roles to a different domain controller that is already properly configured.

Transferring to a standby operations master
When you follow the recommendations for operations master role placement, the standby operations master is a direct replication partner and it is ready to assume the operations master roles. Remember to designate a new standby operations master for the domain controller that assumes the operations master roles. For more information, see Designating a Standby Operations Master.

Transferring an operations master role when no standby is ready
If you have not designated a standby operations master, you must properly prepare a domain controller to which you intend to transfer the operations master roles. If you are transferring the infrastructure master role, make sure that the target domain controller is not a global catalog server. Preparing the future operations master role holder is the same process as preparing a standby operations master. You must manually create a connection object to ensure that the standby operations master is a replication partner with the current role holder and that replication between the two domain controllers is up to date.

Task requirements
The following are required to perform the procedures for this task:
• Repadmin.exe
• Active Directory Sites and Services
• Active Directory Domains and Trusts
• Active Directory Schema snap-in
• Active Directory Users and Computers
• Ntdsutil.exe

To complete this task, perform the following procedures:
• Verify Successful Replication to a Domain Controller
• Determine Whether a Domain Controller Is a Global Catalog Server
• Install the Schema Snap-in
• Transfer the Schema Master
• Transfer the Domain Naming Master
• Transfer the Domain-Level Operations Master Roles
• View the Current Operations Master Role Holders

Install the Schema Snap-in
You can use this procedure to first register the dynamic-link library (DLL) that is required for the Active Directory Schema snap-in. You can then add the snap-in to Microsoft Management Console (MMC).

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To install the Active Directory Schema snap-in
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:

regsvr32 schmmgmt.dll

3. Click Start, click Run, type mmc, and then click OK.
4. On the File menu, click Add/Remove Snap-in.
5. Under Available snap-ins, click Active Directory Schema, click Add, and then click OK.
6. To save this snap-in, on the File menu, click Save.
7. In the Save As dialog box, do one of the following:
• To place the snap-in in the Administrative Tools folder, in File name, type a name for the snap-in, and then click Save.
• To save the snap-in in a location other than the Administrative Tools folder, in Save in, navigate to a location for the snap-in. In File name, type a name for the snap-in, and then click Save.

Caution Modifying the schema is an advanced operation that is best performed by experienced programmers and system administrators. For detailed information about modifying the schema, see Active Directory Schema (http://go.microsoft.com/fwlink/?LinkId=80809).

Additional considerations
• To perform the Schmmgmt.dll registration portion of this procedure, you must be a member of the Domain Admins group in the domain or the Enterprise Admins group in the forest, or you must have been delegated the appropriate authority. The registration itself only writes COM entries to the local registry, which is why the Command Prompt must be elevated; registering the snap-in grants no right to change the schema. Adding the Active Directory Schema snap-in to MMC requires only membership in the Domain Users group. However, making changes to the schema requires membership in the Schema Admins group.
• The Windows Server 2008 Administration Tools Pack cannot be installed on computers running Windows XP Professional or Windows Server 2003.

Transfer the Schema Master
You can use this procedure to transfer the schema operations master role if the domain controller that currently hosts the role is inadequate, has failed, or is being decommissioned. A transfer requires the current role holder to be online and reachable; if it has failed and cannot be brought back, see Seizing an operations master role instead. The schema master is a forest-wide operations master (also known as flexible single master operations or FSMO) role. Before you perform this procedure, you must identify the domain controller to which you will transfer the schema operations master role.

Before you can use the Active Directory Schema snap-in for the first time, you must register it with the system. If you have not yet prepared the Active Directory Schema snap-in, see Install the Schema Snap-in before you begin this procedure.

Note You perform this procedure by using a Microsoft Management Console (MMC) snap-in, although you can also transfer this role by using Ntdsutil.exe. For information about using Ntdsutil.exe to transfer operations master roles, see Ntdsutil (http://go.microsoft.com/fwlink/?LinkId=120970). For information about the ntdsutil command, you can type ? at the Ntdsutil.exe command prompt.

Membership in Schema Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To transfer the schema master
1. Open the Active Directory Schema snap-in.
2. In the console tree, right-click Active Directory Schema, and then click Change Active Directory Domain Controller.
3. In the Change Directory Server dialog box, under Change to, click This Domain Controller or AD LDS instance.
4. In the list of domain controllers, click the name of the domain controller to which you want to transfer the schema master role, and then click OK.
5. In the console tree, right-click Active Directory Schema, and then click Operations Master. The Change Schema Master box displays the name of the server that is currently holding the schema master role. The targeted domain controller is listed in the second box.
6. Click Change. Click Yes to confirm your choice. The system confirms the operation. Click OK again to confirm that the operation succeeded.
7. Click Close to close the Change Schema Master dialog box.

Transfer the Domain Naming Master
You can use this procedure to transfer the domain naming operations master role if the domain controller that currently hosts the role is inadequate, has failed, or is being decommissioned. The domain naming master is a forest-wide operations master (also known as flexible single master operations or FSMO) role. Before you perform this procedure, you must identify the domain controller to which you will transfer the domain naming operations master role.

Note You perform this procedure by using a Microsoft Management Console (MMC) snap-in, although you can also transfer this role by using Ntdsutil.exe. For information about using Ntdsutil.exe to transfer operations master roles, see Ntdsutil (http://go.microsoft.com/fwlink/?LinkId=120970). For information about the ntdsutil command, you can also type ? at the Ntdsutil.exe command prompt.

Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To transfer the domain naming master
1. Open Active Directory Domains and Trusts: On the Start menu, point to Administrative Tools, and then click Active Directory Domains and Trusts. If the User Account Control dialog box appears, provide Enterprise Admins credentials, if required, and then click Continue.
2. In the console tree, right-click Active Directory Domains and Trusts, and then click Change Active Directory Domain Controller.
3. Ensure that the correct domain name is entered in Look in this domain. The available domain controllers from this domain are listed.
4. In the Name column, click the domain controller to which you want to transfer the domain naming master role, and then click OK.
5. At the top of the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.
6. The name of the current domain naming master appears in the first text box. The domain controller to which you want to transfer the domain naming master role should appear in the second text box. If this is not the case, repeat steps 1 through 4.
7. Click Change. To confirm the role transfer, click Yes. Click OK again to close the message box indicating that the transfer took place. Click Close to close the Operations Master dialog box.

Transfer the Domain-Level Operations Master Roles
You can use this procedure to transfer the following three domain-level operations master (also known as flexible single master operations or FSMO) roles:
• Primary domain controller (PDC) emulator operations master
• Relative ID (RID) operations master
• Infrastructure operations master

You might want to transfer a domain-level operations master role if the domain controller that currently hosts the role is inadequate, has failed, or is being decommissioned. You can transfer all domain roles by using the Active Directory Users and Computers snap-in.

Note You perform these procedures by using a Microsoft Management Console (MMC) snap-in, although you can also transfer these roles by using Ntdsutil.exe. For information about using Ntdsutil.exe to transfer the operations master roles, see Ntdsutil (http://go.microsoft.com/fwlink/?LinkID=120970). For information about the ntdsutil command, you can also type ? at the Ntdsutil.exe command prompt.

Before you perform this procedure, you must identify the domain controller to which you will transfer the operations master role.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To transfer a domain-level operations master role
1. Open Active Directory Users and Computers: On the Start menu, point to Administrative Tools, and then click Active Directory Users and Computers. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the top of the console tree, right-click Active Directory Users and Computers, and then click Change Active Directory Domain Controller.
3. Ensure that the correct domain name is entered in Look in this domain. The available domain controllers from this domain are listed.
4. In the Name column, click the name of the domain controller to which you want to transfer the role, and then click OK.
5. At the top of the console tree, right-click Active Directory Users and Computers, and then click Operations Masters. The name of the current operations master role holder appears in the Operations master box. The name of the domain controller to which you want to transfer the role appears in the lower box.
6. Click the tab for the operations master role that you want to transfer: RID, PDC, or Infrastructure. Verify the computer names that appear, and then click Change. Click Yes to transfer the role, and then click OK.
7. Repeat steps 5 and 6 for each role that you want to transfer.

View the Current Operations Master Role Holders
To view the current operations master (also known as flexible single master operations or FSMO) role holders, use the Ntdsutil.exe command-line tool with the roles option. This option displays a list of all current role holders. After you transfer an operations master role, use this procedure to verify that the transfer has occurred successfully throughout the domain. To have full effect, the change must replicate to all domain controllers in the domain for a domain-level role and to all domain controllers in the forest for a forest-level role. Because Ntdsutil.exe reports what the connected domain controller believes, repeat the procedure against more than one domain controller (at least the old and the new role holders) to confirm that the change has replicated.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To view the current operations master role holders
1. Open Ntdsutil as an administrator: Click Start, and then, in Start Search, type ntdsutil. At the top of the Start menu, right-click ntdsutil, and then click Run as administrator. In the User Account Control dialog box, provide Domain Admins credentials, and then click OK.
2. At the ntdsutil: prompt, type roles, and then press ENTER.
3. At the fsmo maintenance: prompt, type connections, and then press ENTER.
4. At the server connections: prompt, type connect to server <servername>, where <servername> is the name of the domain controller that belongs to the domain that contains the operations masters, and then press ENTER.
5. After you receive confirmation of the connection, type quit, and then press ENTER to exit this menu.
6. At the fsmo maintenance: prompt, type select operation target, and then press ENTER.
7. At the select operation target: prompt, type list roles for connected server, and then press ENTER. The system responds with a list of the current roles and the Lightweight Directory Access Protocol (LDAP) name of the domain controllers that are currently assigned to host each role.
8. Type quit, and then press ENTER to exit each prompt in Ntdsutil.exe. At the ntdsutil: prompt, type quit, and then press ENTER to close the window.

Seizing an operations master role
Role seizure is the act of assigning an operations master (also known as flexible single master operations or FSMO) role to a new domain controller without the cooperation of the current role holder, usually because the current role holder is offline as a result of a hardware failure. During role seizure, the new domain controller assumes the operations master role without communicating with the current role holder. Role seizure should be performed only as a last resort. Role seizure can cause the following directory problems:
• Data loss or directory inconsistency as a result of replication latency. The new role holder starts performing its duties based on the data that is located in its current directory partition. If replication did not complete before the time that the original role holder went offline, the new role holder might not have received the latest changes. To minimize the risk of losing data to incomplete replication, do not perform a role seizure until enough time has passed to complete at least one end-to-end replication cycle across your network. Allowing enough time for complete end-to-end replication ensures that the domain controller that assumes the role is as up to date as possible.
• Two domain controllers performing the same role. Because the original role holder is offline when role seizure occurs, the original role holder is not informed that it is no longer the operations master role holder, which is not a problem if the original role holder stays offline. However, if the original role holder comes back online (for example, if the hardware is repaired or the server is restored from a backup), it might try to perform the operations master role that it previously owned. If two domain controllers are performing the same operations master role simultaneously, the severity of the effect from duplicate operations master roles varies, depending on the role that was seized. The effect can range from no visible effect to potential corruption of the Active Directory database. Do not allow a former operations master role holder whose role has been seized to return to the network as an online domain controller. Remove its domain controller account from the directory (metadata cleanup) and, if the hardware is reused, reinstall it as a new domain controller; restoring it from a backup taken before the seizure would bring the old role ownership back with it.

Task requirements
The following are required to perform the procedures for this task:
• Repadmin.exe
• Ntdsutil.exe

To complete this task, first verify replication to the domain controller that will seize the role, and then perform the following procedures:
• Verify Successful Replication to a Domain Controller
• Seize the Operations Master Role
• View the Current Operations Master Role Holders

Verify Successful Replication to a Domain Controller
You can use the repadmin /showrepl command to verify successful replication to a specific domain controller. If you are not running Repadmin on the domain controller whose replication you are checking, you can specify a destination domain controller in the command. Repadmin lists INBOUND NEIGHBORS for the current or specified domain controller. INBOUND NEIGHBORS shows the distinguished name of each directory partition for which inbound directory replication has been attempted, the site and name of the source domain controller, and whether replication succeeded or not, as follows:
• Last attempt @ <date> <time> was successful.
• Last attempt @ (never) was successful.

If (never) appears in the output for a directory partition, replication of that directory partition has never succeeded from the identified source replication partner over the listed connection.

The procedure, its parameter table, and the steps for generating a repadmin /showrepl spreadsheet are the same as those given under Verify Successful Replication to a Domain Controller earlier in this guide; run them against the domain controller that will seize the role, and do not proceed with the seizure until its inbound replication from every partner is current.

Seize the Operations Master Role
You can use the Ntdsutil.exe command-line tool to transfer and seize an operations master (also known as flexible single master operations or FSMO) role. You must use Ntdsutil.exe to seize the schema operations master, domain naming operations master, and relative ID (RID) operations master roles. When you use Ntdsutil.exe to seize an operations master role, the tool first attempts a transfer from the current role owner. If the current role owner is not available, the tool seizes the role. The procedure is nearly identical for all roles. For more information about using Ntdsutil.exe, type ? at the ntdsutil: command prompt.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure for the domain-level roles; the forest-level roles require the memberships listed in the table below. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To seize an operations master role
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. At the command prompt, type ntdsutil, and then press ENTER.
3. At the ntdsutil: prompt, type roles, and then press ENTER.
4. At the fsmo maintenance: prompt, type connections, and then press ENTER.
5. At the server connections: prompt, type connect to server <servername> (where <servername> is the name of the domain controller that will assume the operations master role), and then press ENTER.
6. After you receive confirmation of the connection, type quit, and then press ENTER.
7. Depending on the role that you want to seize, at the fsmo maintenance: prompt, type the appropriate command, and then press ENTER.

Role                     Credentials         Command
Domain naming master     Enterprise Admins   seize naming master (on a Windows Server 2003 domain controller, seize domain naming master)
Schema master            Schema Admins       seize schema master
Infrastructure master    Domain Admins       seize infrastructure master
PDC emulator             Domain Admins       seize pdc
RID master               Domain Admins       seize rid master

Seizing the schema master needs the same Schema Admins membership that transferring it does, because both operations write the same attribute on the schema partition.

The system asks for confirmation. It then attempts to transfer the role. When the transfer fails, some error information appears and the system proceeds with the seizure of the role. After the seizure of the role is complete, a list of the roles and the Lightweight Directory Access Protocol (LDAP) name of the server that currently holds each role appears. During seizure of the relative ID (RID) operations master role, the domain controller that is seizing the role attempts to synchronize with its replication partners. If it cannot establish a connection with a replication partner during the seizure operation, it displays a warning and asks for confirmation that you want the seizure of the role to proceed. Click Yes to proceed.
8. Type quit, and then press ENTER. Type quit again, and then press ENTER to exit Ntdsutil.exe.
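As an added example (not from the guide), the following Windows PowerShell functions do what the ntdsutil "list roles for connected server" step in View the Current Operations Master Role Holders does, but against every domain controller at once, and wrap the transfer-then-seize sequence this procedure describes. Reading fSMORoleOwner needs only an ordinary domain account; Move-ADDirectoryServerOperationMasterRole needs the ActiveDirectory module (Windows Server 2008 R2 or later) and the group memberships in the table above. The domain controller names in the usage lines are assumed.

```powershell
# Added example, not from the guide. Reads each domain controller's own copy of the
# fSMORoleOwner attributes (the values ntdsutil prints for "list roles for connected
# server"), flags any disagreement, and wraps the transfer-then-seize sequence.

function Get-FsmoRoleOwners {
    param([Parameter(Mandatory)] [string] $Server)   # DC to query, e.g. dc1.contoso.com (assumed name)
    $root     = [adsi]"LDAP://$Server/RootDSE"
    $domainNC = [string]$root.defaultNamingContext
    $configNC = [string]$root.configurationNamingContext
    $schemaNC = [string]$root.schemaNamingContext
    # Object that carries fSMORoleOwner for each role.
    $holders = [ordered]@{
        PDCEmulator          = $domainNC
        RIDMaster            = "CN=RID Manager`$,CN=System,$domainNC"
        InfrastructureMaster = "CN=Infrastructure,$domainNC"
        SchemaMaster         = $schemaNC
        DomainNamingMaster   = "CN=Partitions,$configNC"
    }
    $view = [ordered]@{ QueriedDC = $Server }
    foreach ($role in $holders.Keys) {
        $obj = [adsi]"LDAP://$Server/$($holders[$role])"
        $view[$role] = [string]$obj.fSMORoleOwner      # NTDS Settings DN of the holder, as this DC sees it
    }
    [pscustomobject]$view
}

function Test-FsmoConsistency {
    # After a transfer or seizure every DC must report the same holder; a second
    # holder showing up here is the "two domain controllers performing the same role" case.
    param([Parameter(Mandatory)] [string[]] $DomainControllers)
    $views = foreach ($dc in $DomainControllers) { Get-FsmoRoleOwners -Server $dc }
    foreach ($role in 'PDCEmulator','RIDMaster','InfrastructureMaster','SchemaMaster','DomainNamingMaster') {
        $owners = @($views | ForEach-Object { $_.$role } | Sort-Object -Unique)
        [pscustomobject]@{
            Role       = $role
            Consistent = ($owners.Count -eq 1)
            Holders    = ($owners -join ' | ')
        }
    }
}

function Move-FsmoRoleSafely {
    # Mirrors what ntdsutil does: try a transfer, and seize only if the transfer fails
    # and you confirm the seizure interactively.
    param(
        [Parameter(Mandatory)] [string]   $Target,   # DC that will take the role
        [Parameter(Mandatory)] [string[]] $Role      # e.g. PDCEmulator, RIDMaster
    )
    Import-Module ActiveDirectory
    try {
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Confirm:$false -ErrorAction Stop
        return 'transferred'
    } catch {
        Write-Warning "Transfer failed: $($_.Exception.Message)"
    }
    # Seizure: only after an end-to-end replication cycle has had time to complete,
    # and the old holder must never come back online afterwards (see the text above).
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Role -Force -Confirm:$true
    return 'seized'
}

# Usage (domain controller names are assumed):
#   Test-FsmoConsistency -DomainControllers 'dc1.contoso.com','dc2.contoso.com' | Format-Table -AutoSize
#   Move-FsmoRoleSafely -Target 'dc2' -Role PDCEmulator,RIDMaster
```

Run Test-FsmoConsistency before a transfer to confirm the starting state, and again afterwards until every row reports Consistent = True; a role whose Holders column lists two NTDS Settings DNs has not finished replicating or, after a seizure, still has the old holder reachable. The ADSI reads do not depend on the ActiveDirectory module, so the check works from a Windows Server 2008 management workstation too.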

View the Current Operations Master Role Holders
This procedure is identical to View the Current Operations Master Role Holders under Transferring an Operations Master Role earlier in this guide. After a seizure, run it against several domain controllers: every one of them must report the new holder, and none may still report the domain controller whose role was seized.

Reducing the Workload on the PDC Emulator Master
In addition to processing normal domain controller load from clients, the primary domain controller (PDC) emulator operations master must also process password changes. Of all the operations master (also known as flexible single master operations or FSMO) roles, the PDC emulator master role has the highest impact on the domain controller that hosts that role. To mitigate some of the load that is caused by normal domain controller traffic, you can protect the PDC emulator by configuring Domain Name System (DNS) to distribute some of the normal request load to other domain controllers that are capable of processing the requests.

To receive information from the domain, a client uses DNS to locate a domain controller. The client then sends the request to that domain controller. By default, DNS performs rudimentary load balancing. It also randomizes the distribution of client requests so that the requests are not always sent to the same domain controller. If too many client requests are sent to a domain controller while it attempts to perform other duties, such as the duties of the PDC emulator, it can become overloaded, which has a negative impact on its performance.

You can configure DNS so that a domain controller is queried less frequently than others. Reducing the number of client requests helps reduce the workload on a domain controller, which gives it more time to function as an operations master. This is especially important for the PDC emulator. To reduce the number of client requests that are processed by the PDC emulator, you can change its weight or its priority in the DNS environment. Note that the selection is made by the DC Locator on the client from the service (SRV) records that DNS returns, so both settings only influence new locator lookups; a client that has already cached a domain controller keeps using it until the cache expires.

Changing the weight for DNS service (SRV) resource records in the registry
Changing the weight of a domain controller to a value less than that of other domain controllers reduces the number of clients that Domain Name System (DNS) refers to that domain controller. This value is stored in the LdapSrvWeight registry entry. The default value is 100, but it can range from 0 through 65535. When you lower this value on a domain controller, DNS refers clients to that domain controller less frequently based on the proportion of this value to the value on other domain controllers.

For example, to configure the system so that the domain controller that hosts the PDC emulator role receives requests only half as many times as other domain controllers, configure the weight of the domain controller that hosts the PDC emulator role to be 50. Assuming that other domain controllers use the default weight value of 100, DNS determines the weight ratio for that domain controller to be 50/100 (50 for that domain controller and 100 for the other domain controllers). After you reduce this ratio to 1/2, DNS refers clients to the other domain controllers twice as often as it refers to the domain controller with the reduced weight setting. By reducing client referrals, the domain controller receives fewer client requests and has more resources for other tasks, such as performing the role of PDC emulator.

Changing the priority for DNS service (SRV) resource records in the registry
Changing the priority of a domain controller also reduces the number of client referrals to it. However, rather than reducing access to the domain controller proportionally with regard to the other domain controllers, changing the priority causes Domain Name System (DNS) to stop referring all clients to this domain controller unless all domain controllers with a lower priority setting are unavailable.

To prevent clients from sending all requests to a single domain controller, the domain controllers are assigned a priority value. This value is stored in the LdapSrvPriority registry entry. The default value is 0, but it can range from 0 through 65535. The client uses the priority value to help determine to which domain controller it sends requests. When a client uses DNS to discover a domain controller, the priority for a given domain controller is returned to the client with the rest of the DNS information. Clients always send requests to the domain controller that has the lowest priority value. If more than one domain controller has the same value, the clients randomly choose from the group of domain controllers with the same value. If no domain controllers with the lowest priority value are available, the clients send requests to the domain controller with the next highest priority. Therefore, raising the value of the LdapSrvPriority registry entry on the PDC emulator can reduce its chances of receiving client requests.

Task requirements
The following tool is required to perform the procedures for this task:
• Regedit.exe

To complete this task, perform the following procedures:
1. Change the Weight for DNS Service (SRV) Resource Records in the Registry
2. Change the Priority for DNS Service (SRV) Resource Records in the Registry
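The locator rule the two sections above describe, as an added example that is not part of the guide: the lowest LdapSrvPriority wins outright, and among equal priorities referrals are split in proportion to LdapSrvWeight. The DC names, availability sets and the 50/100 weights are constructed from the text's own scenario, and the model generalizes the text's two-DC ratio to any number of DCs.

```python
"""Model of how DNS SRV priority and weight steer DC locator traffic.

Added example, not part of the original guide. The record names (pdc, dc2,
dc3) and the availability sets are constructed for illustration; the
selection rule (lowest priority first, then weighted random among equal
priorities, RFC 2782 style) is the behaviour the guide describes.
"""
import random
from dataclasses import dataclass

SRV_MIN, SRV_MAX = 0, 65535  # valid range of both registry entries (REG_DWORD)


def valid_srv_value(value):
    """True when value fits the 0 through 65535 range the guide gives."""
    return SRV_MIN <= value <= SRV_MAX


@dataclass(frozen=True)
class SrvRecord:
    """One _ldap._tcp SRV record as published by a domain controller."""
    target: str
    priority: int = 0     # LdapSrvPriority, default 0
    weight: int = 100     # LdapSrvWeight, default 100

    def __post_init__(self):
        for name, value in (("priority", self.priority), ("weight", self.weight)):
            if not valid_srv_value(value):
                raise ValueError(f"{name} {value} outside {SRV_MIN}..{SRV_MAX}")


def candidates(records, available):
    """Return the reachable records that share the lowest priority value.

    Records with a higher priority are used only when every record at the
    lower priority is unavailable, which is why raising LdapSrvPriority on
    the PDC emulator removes it from normal client traffic.
    """
    reachable = [r for r in records if r.target in available]
    if not reachable:
        return []
    best = min(r.priority for r in reachable)
    return [r for r in reachable if r.priority == best]


def expected_share(records, available):
    """Fraction of referrals each candidate receives under weighted selection.

    With the guide's scenario (PDC weight 50, others 100) the PDC's share is
    50 / (50 + 100 + 100), i.e. half of what each other DC receives.
    """
    cands = candidates(records, available)
    total = sum(r.weight for r in cands)
    if total == 0:                       # all weights 0: treated as equal
        return {r.target: 1 / len(cands) for r in cands}
    return {r.target: r.weight / total for r in cands}


def select_dc(records, available, rng):
    """Pick one DC the way a client would: lowest priority, weighted random."""
    cands = candidates(records, available)
    if not cands:
        raise LookupError("no domain controller available")
    weights = [r.weight for r in cands]
    if sum(weights) == 0:
        return rng.choice(cands).target
    return rng.choices(cands, weights=weights, k=1)[0].target


def observed_share(records, available, draws=20000, seed=1):
    """Simulate many locator lookups and return each DC's observed fraction."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(draws):
        t = select_dc(records, available, rng)
        counts[t] = counts.get(t, 0) + 1
    return {t: n / draws for t, n in counts.items()}


# Constructed scenario: the PDC emulator with LdapSrvWeight lowered to 50,
# two other DCs at the default weight 100, all at the default priority 0.
WEIGHTED = [SrvRecord("pdc", weight=50), SrvRecord("dc2"), SrvRecord("dc3")]
# Same DCs, but with the PDC emulator's LdapSrvPriority raised to 1 instead.
PRIORITISED = [SrvRecord("pdc", priority=1), SrvRecord("dc2"), SrvRecord("dc3")]
ALL_UP = {"pdc", "dc2", "dc3"}

if __name__ == "__main__":
    print("expected:", expected_share(WEIGHTED, ALL_UP))
    print("observed:", observed_share(WEIGHTED, ALL_UP))
    print("priority 1 on PDC, all up:",
          [r.target for r in candidates(PRIORITISED, ALL_UP)])
    print("priority 1 on PDC, others down:",
          [r.target for r in candidates(PRIORITISED, {"pdc"})])
```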


Change the Weight for DNS Service (SRV) Resource Records in the Registry
You can use this procedure to reduce the workload on the primary domain controller (PDC) emulator operations master by changing the weight for Domain Name System (DNS) service (SRV) resource records in the registry.

Caution
Registry Editor bypasses standard safeguards, which allows settings that can damage your system or even require you to reinstall Windows. If you must edit the registry, back up critical volumes first. For information about backing up critical volumes, see Administering Active Directory Backup and Recovery.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To change the weight for DNS service (SRV) resource records in the registry
1. Open Registry Editor as an administrator: Click Start and then, in Start Search, type regedit. At the top of the Start menu, right-click regedit, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. In Registry Editor, navigate to HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. Click Edit, click New, and then click DWORD (32-bit) Value.
4. For the new value name, type LdapSrvWeight, and then press ENTER.
5. Double-click the value name that you just typed to open the Edit DWORD (32-bit) Value dialog box.
6. Enter a value from 0 through 65535. The default value is 100.
7. Choose Decimal as the Base option, and then click OK.
8. Click File, and then click Exit to close Registry Editor.

Change the Priority for DNS Service (SRV) Resource Records in the Registry
You can use this procedure to reduce the workload on the primary domain controller (PDC) emulator operations master by changing the priority for Domain Name System (DNS) service (SRV) resource records in the registry.


Caution
Registry Editor bypasses standard safeguards, which allows settings that can damage your system or even require you to reinstall Windows. If you must edit the registry, back up critical volumes first. For information about backing up critical volumes, see Administering Active Directory Backup and Recovery.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To change the priority for DNS SRV records in the registry
1. Open Registry Editor as an administrator: Click Start and then, in Start Search, type regedit. At the top of the Start menu, right-click regedit, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. In Registry Editor, navigate to HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. Click Edit, click New, and then click DWORD (32-bit) Value.
4. For the new value name, type LdapSrvPriority, and then press ENTER.
5. Double-click the value name that you just typed to open the Edit DWORD (32-bit) Value dialog box.
6. Enter a value from 0 through 65535. The default value is 0.
7. Choose Decimal as the Base option, and then click OK.
8. Click File, and then click Exit to close Registry Editor.

Administering Active Directory Backup and Recovery
This guide provides information about administering backup and recovery of Active Directory Domain Services (AD DS) in Windows Server 2008.

In this guide
• Introduction to Administering Active Directory Backup and Recovery
• Managing Active Directory Backup and Recovery


Introduction to Administering Active Directory Backup and Recovery
Backup of Active Directory Domain Services (AD DS) must be incorporated into your operations schedule for a set of domain controllers that you identify as critical and on which you perform routine, scheduled backup operations. Recovering AD DS is not performed routinely as an operations task; it is performed only when it is made necessary by a failure or other condition from which a domain controller can recover only by restoring the directory to a previous state.

Important
Restoring from a backup is not always the best or only option to recover AD DS. Do not perform a restore operation to recover a domain controller until you have performed tests to rule out other causes. Restoring from backup is almost always the right solution to recover deleted objects.

Backing up AD DS
Backup procedures have changed in Windows Server 2008, as compared to previous versions of Windows Server. A new backup tool, Windows Server Backup, replaces NtBackup as the tool that you use to back up AD DS. You cannot use Ntbackup to back up servers running Windows Server 2008. In Windows Server 2008, you can perform three types of backup:
• System state backup, which includes all the files that are required to recover AD DS
• Critical-volumes backup, which includes all the volumes that contain system state files
• Full server backup, which includes all volumes on the server

You can use the Windows Server Backup graphical user interface (GUI) to perform critical-volumes backups and full server backups. You can use the Windows Server Backup command-line tool, Wbadmin.exe, to perform all types of backup, including system state backup. For more information about backing up domain controllers, see Backing Up Active Directory Domain Services.

Recovering AD DS
You can recover from Active Directory corruption or inconsistency by performing a restore operation to return AD DS to its state at the time of the latest backup. Restoring from backup as a method of recovering AD DS should not be undertaken as the primary method of recovering from an error or failure condition, but as a last resort. Assuming that a restore operation is appropriate to recover the domain controller, requirements for recovering AD DS relate to the age of the backup, as follows:

• The primary requirement for recovering AD DS is that the backup you use must not be older than a tombstone lifetime, which is the number of days that deletions are retained in the directory. In forests that are created on servers running Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with SP2, or Windows Server 2008, the default value of the tombstone lifetime is 180 days. The default value is 60 days in forests that are created on servers running Windows 2000 Server or Windows Server 2003. AD DS protects itself from restoring data that is older than the tombstone lifetime by not allowing the restore.

Important
Always check the tombstone lifetime value before you use a backup to restore AD DS. Even if you are sure of the default value for your environment, the tombstone lifetime value might have been changed administratively in AD DS. Use ADSI Edit to view the value in the tombstoneLifetime attribute on the object CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ForestRootDomain.

• Do not modify system clocks in an attempt to improperly extend the useful life of a system state backup. Skewed time can cause serious problems in cases where directory data is time sensitive.

You can recover AD DS by restoring a backup in the following ways:
• Nonauthoritative restore: Use this process to restore AD DS to its state at the time of the backup, and then allow Active Directory replication to update the restored domain controller to the current state of AD DS.
• Authoritative restore: Use this process to recover objects that have been deleted from AD DS. Authoritative restore does not allow replication to overwrite the restored deletions. Instead, the restored objects replicate authoritatively to the other domain controllers in the domain.

Note
Be aware that additions of data that are made between the time of the backup and the authoritative restore process are not removed during the restore process. Authoritative restore focuses only on the deleted objects. Additional data is merged during the restore process.

When recovering AD DS by restoring from backup is not possible, you must reinstall AD DS. Sometimes restoring from backup is possible but not feasible. For example, if a domain controller is needed quickly, it is sometimes faster to reinstall AD DS than to recover the domain controller. In cases of hardware failure or file corruption, you might have to reinstall the operating system and then either reinstall or restore AD DS. For more information about rationales and methods for recovering domain controllers, see Recovering Active Directory Domain Services.

Additional considerations
• Backing Up Active Directory Domain Services
• Recovering Active Directory Domain Services

Managing Active Directory Backup and Recovery
This section includes the following tasks for managing backup and recovery of Active Directory Domain Services (AD DS):
• Backing Up Active Directory Domain Services
• Recovering Active Directory Domain Services

Backing Up Active Directory Domain Services
This section describes the different types of backups that you can perform to ensure that you can recover Active Directory Domain Services (AD DS) if Active Directory data quality or consistency is jeopardized by human error, hardware breakdown, or software issues. You can perform regular, scheduled backups, which are essential for dependable operations, and you can perform immediate, ad hoc backups when necessary or as an alternative to scheduling regular backups, although scheduling is preferred. Backup tools and processes are improved in Windows Server 2008 to provide easier methods for backing up the data that is required to recover AD DS and the full server.

Windows Server backup tools
To back up AD DS in Windows Server 2008, you use the Windows Server Backup tool. Windows Server Backup replaces the Backup or Restore Wizard (Ntbackup), the tool that is used in earlier versions of the Windows Server operating system. You cannot use Ntbackup to back up servers that are running Windows Server 2008. To use Windows Server Backup tools, you must install Windows Server Backup Features in Server Manager. For information about how to install Windows Server Backup Features, see Installing Windows Server Backup (http://go.microsoft.com/fwlink/?LinkId=96495).

In the features list in Server Manager, Windows Server Backup Features has two parts:
• Windows Server Backup (Wbadmin.msc), a graphical user interface (GUI) snap-in that is available on the Administrative Tools menu. You can use the Windows Server Backup GUI to perform critical-volumes backups and full server backups.

Note
You can perform a system state backup only by using the Wbadmin.exe command-line tool.

• Command-line Tools, which is required to install the Wbadmin.exe command-line tool for Windows Server Backup. "Command-line Tools" refers to a set of Windows PowerShell tools. When you select Command-line Tools, you are prompted to install the required Windows PowerShell feature.

You can use the Windows Server Backup command-line tool, Wbadmin.exe, to perform all types of backup, including system state backup. You can use the Windows Server Backup snap-in to back up entire volumes only, as follows: those volumes that contain system state files (critical-volumes backup) or all volumes (full server backup). The Windows Server Backup snap-in has two wizard options: a Backup Schedule Wizard and a Backup Once Wizard. To use one of the wizards for backing up critical volumes, you must know which volumes to select, or you can allow the wizard to select them when you specify that you want to enable system recovery. When you use the command-line tool for backing up critical volumes, the tool selects the correct volumes automatically. To back up system state, you must use the Wbadmin.exe command-line tool.

Windows Server backup types
In Windows Server 2008, you can use Windows Server Backup tools to back up three categories of domain controller data, all of which can be used to recover AD DS. Each backup type backs up a different set of data.

Contents of Windows Server backup types
The following list describes the backup types and the data that they contain:
• System state, which includes all the files that are required to recover AD DS. System state includes at least the following data, plus additional data, depending on the server roles that are installed:
  • Registry
  • COM+ Class Registration database
  • Boot files
  • Active Directory Certificate Services (AD CS) database
  • Active Directory database (Ntds.dit) file and log files
  • SYSVOL directory
  • Cluster service information
  • Microsoft Internet Information Services (IIS) metadirectory
  • System files that are under Windows Resource Protection

• Critical volumes, which includes all volumes that contain system state files:
  • The volume that hosts the boot files, which consist of the Bootmgr file and the Boot Configuration Data (BCD) store
  • The volume that hosts the Windows operating system and the registry
  • The volume that hosts the SYSVOL tree
  • The volume that hosts the Active Directory database
  • The volume that hosts the Active Directory database log files
• Full server, which includes all volumes on the server, including Universal Serial Bus (USB) drives. The backup does not include the volume where the backup is stored.

Criteria for using backup types
The following table shows the qualities and restrictions that apply to each backup type. Use this table to determine the backup type to use.
Feature | System state backup | Critical-volumes backup | Full server backup
--- | --- | --- | ---
Can be used to recover from registry or directory service configuration errors (recover AD DS) | Yes | Yes | Yes
Can be used for full server (bare-metal) recovery with Windows Recovery Environment (Windows RE) | No | Yes | Yes
Can be used to recover from unbootable conditions | No | Yes | Yes
Can be used to recover specific files and folders | No | Yes | Yes
Can be created by using Windows Server Backup snap-in (GUI) | No | Yes | Yes
Can be created by using Wbadmin.exe command line tool | Yes | Yes | Yes
Has incremental backup support | No* | Yes | Yes
Can be stored on a DVD or on a network share if the backup is performed manually (is not a scheduled backup) | No | Yes** | Yes**
Can use any of the volumes that are included in the backup as the target volume | Yes*** | No | No
Can be scheduled by using the Windows Server Backup snap-in | No | Yes | Yes

* Each consecutive backup requires as much space as the first. To help manage the number of versions of system state backups that you store, you can use the wbadmin delete systemstatebackup command to remove old versions. For more information, see Wbadmin delete systemstatebackup (http://go.microsoft.com/fwlink/?LinkId=111576).
** Must be stored on a different hard disk from the source volumes, including external disks or DVDs. External storage devices must be connected to the backup computer.
*** No, by default, but you can override the default by making a change in the registry. To store the system state backup on a volume that is included in the backup, you must add the AllowSSBToAnyVolume registry entry to the server that you are backing up. However, there are some known issues with storing system state backup on a volume that is included in the backup. For more information, see Known Issues for Backing Up Active Directory Domain Services.

Backup guidelines
The following guidelines for backup include the performance of backups to ensure redundancy of Active Directory data:
• Create daily backups of all unique data, including all domain directory partitions on global catalog servers.
• Create daily backups of critical volumes on at least two unique domain controllers, if possible. When you have environments with single-domain-controller forests, single-domain-controller domains, or empty root domains, take special care to back up more often.
• Ensure that backups are available in sites where they are needed. Do not rely on copying a backup from a different site, which is very time consuming and can significantly delay recovery.
• Where domains exist in only one site, store additional backup files offsite in a secure location so that no backup file of a unique domain exists in only one physical site at any point in time. This precaution provides an extra level of redundancy in case of physical disaster or theft.
• Make sure that your backups are stored in a secure location at all times.
• Back up volumes that store Domain Name System (DNS) zones that are not Active Directory-integrated. You must be aware of the location of DNS zones and back up DNS servers accordingly. If you use Active Directory-integrated DNS, DNS zone data is captured as part of system state and critical-volume backups on domain controllers that are also DNS servers. If you do not use Active Directory-integrated DNS, you must back up the zone volumes on a representative set of DNS servers for each DNS zone to ensure fault tolerance for the zone.

Note
The DNS server stores settings in the registry. Therefore, system state or critical-volume backup is required for DNS, regardless of whether the zone data is Active Directory-integrated or stored in the file system.

• If you have application directory partitions in your forest, make sure that you make a backup of the domain controllers that replicate those application directory partitions.
• Create additional backups of domains in every geographic location where:
  • Large populations of users exist.
  • Critical populations of users exist, such as those who support company executives or operate critical business units.
  • Mission-critical work is performed.
  • A wide area network (WAN) outage would disrupt business.
  • The elapsed time that it takes to perform either of the following tasks would be cost prohibitive because of slow link speeds, the size of the directory database, or both: to create a domain controller in its intended domain over the network, or to copy or transport installation media from a site where a backup exists to a site that has no backup for the purpose of performing an installation from media (IFM).

Note
You can use a system state or critical-volumes backup to restore only the domain controller on which the backup was generated or to create a new additional domain controller in the same domain by installing from restored backup media. You cannot use a system state or critical-volumes backup to restore a different domain controller or to restore a domain controller onto different hardware. You can only use a full server backup to restore a domain controller onto different hardware.

Scheduling regular backups
You can use the Backup Schedule Wizard to schedule regular, automatic critical-volumes or full server backups of your domain controllers. You need a current, verified, and reliable backup to:
• Restore Active Directory data that becomes lost.
• Recover a domain controller that cannot start up or operate normally because of software failure, hardware failure, or administrative error. For example, an administrator might have set overly restrictive permissions, either explicitly or by using a security policy, that deny the operating system access to the Ntds.dit file and log files.
• Install AD DS from installation media that you create by using the ntdsutil ifm command. For information about installing a domain controller from installation media, see Installing an Additional Domain Controller by Using IFM.
• Perform a forest recovery if forest-wide failure occurs.

For information about scheduling backups of AD DS in Windows Server 2008, see Scheduling Regular Full Server Backups of a Domain Controller (http://go.microsoft.com/fwlink/?LinkId=115005).

Immediate (unscheduled) backup
In addition to scheduling regular backups, perform an immediate backup when certain events occur in your environment. You can use the Backup Once Wizard or the command line to back up AD DS when the following conditions arise:
• You have moved the Active Directory database, log files, or both to a different location on a disk.
• The operating system on a domain controller is upgraded.
• A Service Pack is installed on a domain controller.
• A hotfix is installed that makes changes to the Active Directory database.
• A current backup is required for installing from backup media for a new domain controller.
• The tombstone lifetime is changed administratively by changing the value in the tombstoneLifetime attribute of the object CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ForestRootDomain. The tombstone lifetime value in an Active Directory forest defines the number of days that a domain controller preserves information about deleted objects. For this reason, this value also defines the useful life of a backup that you use for disaster recovery or installation from backup media.

Backup frequency
The frequency of your backups depends on criteria that vary for individual Active Directory environments. In most Active Directory environments, users, computers, and administrators make daily changes to directory objects, such as group membership or Group Policy. For example, computer accounts, including domain controller accounts, change their passwords every 30 days by default. Therefore, every day a percentage of computer passwords changes for domain controllers and domain client computers. Rolling the computer password of a domain controller back to a former state affects authentication and replication. A percentage of user passwords might also expire on a daily basis, and if they are lost as a result of domain controller failure, they must be reset manually. Generally, no external record of these changes exists except in AD DS. Therefore, the more frequently you back up domain controllers, the fewer problems you will encounter if you need to restore this type of information.

The more Active Directory objects and domain controllers you have, the more frequent your backups should be. For example, in a large organization, to recover from the inadvertent deletion of a large organizational unit (OU) by restoring the domain from a backup that is days or weeks old, you might have to re-create hundreds of accounts that were created in that OU since the backup was made. To avoid re-creating accounts and potentially performing large numbers of manual password resets, ensure that recent system state backups are always available to recover recent Create, Modify, and Delete operations.

Backup frequency criteria
Use the following criteria to assess the frequency of your backups:
• Small environments with a single domain controller in the forest or domains that exist in a single physical location (that is, domains that have a single point of failure): create backups at least daily.
• Medium (10 to 49 domain controllers) and large environments (50 to 1,000 or more domain controllers): create backups of each unique directory partition in the forest on two different computers at least daily, with an emphasis on backing up application directory partitions, empty root domains, domains in a single geographic site, and sites that have large populations of users or that host mission-critical work. Make backups with increasing frequency until you are confident that if you lose the objects that were created or modified since the last backup, the loss would not create a disruption of your operations. Major changes to the environment should always be immediately followed by a new system state backup.

Note
We always recommend that you have at least two domain controllers in each domain of your Active Directory forest.

Backup latency interval
After you perform an initial Active Directory backup on a domain controller, Event ID 2089 provides warnings about the backup status of each directory partition that a domain controller stores, including application directory partitions. Specifically, Event ID 2089 is logged in the Directory Service event log when partitions in the Active Directory forest are not backed up with sufficient frequency, and it continues daily until a backup of the partition occurs. This event serves as a warning to administrators and monitoring applications to make sure that domain controllers are backed up well before the tombstone lifetime expires. By monitoring this event, you can ensure that backups occur with sufficient frequency.

Sufficient frequency is determined by the backup latency interval. The value for the backup latency interval is stored as a REG_DWORD value in the Backup Latency Threshold (days) registry entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters. By default, the value of Backup Latency Threshold (days) is half the value of the tombstone lifetime of the forest. In a Windows Server 2008 forest, half the tombstone lifetime is 90 days. However, we recommend that you make backups at a much higher frequency than the default value of Backup Latency Threshold (days). By setting a minimum backup frequency, changing this setting to reflect that frequency, and monitoring Event ID 2089, you ensure the backup frequency that is established in your organization. To set a different Backup Latency Threshold (days) value, use Registry Editor (Regedit.exe) to create the entry as a REG_DWORD and provide the appropriate number of days.

More information about the Windows Server Backup tools and backing up AD DS is available in the Step-by-Step Guide for Windows Server 2008 AD DS Backup and Recovery (http://go.microsoft.com/fwlink/?LinkId=93077), as follows:
• What's New in AD DS Backup and Recovery (http://go.microsoft.com/fwlink/?LinkId=115011)
• Known Issues for AD DS Backup and Recovery (http://go.microsoft.com/fwlink/?LinkID=117940)
• Best Practices for AD DS Backup and Recovery (http://go.microsoft.com/fwlink/?LinkId=115012)
• General Requirements for Backing Up and Recovering AD DS (http://go.microsoft.com/fwlink/?LinkId=115013)
• Scenario Overviews for Backing Up and Recovering AD DS (http://go.microsoft.com/fwlink/?LinkId=115014)

Task requirements
Before you back up a domain controller, see Performing an Unscheduled Backup of a Domain Controller (http://go.microsoft.com/fwlink/?LinkId=115015).

The following tools, media, and credentials are required to perform the procedures for this task:
• Windows Server Backup:
  • Windows Server Backup snap-in (Wbadmin.msc)
  • Windows Server Backup command-line tool (Wbadmin.exe)
• Backup media, as follows:
  • Internal or external hard disk drive
  • Shared network folder
  • Writable DVD
• Builtin Administrator credentials to schedule backups, or Backup Operator credentials to perform unscheduled backups

To complete this task, you can perform the procedures in the following topics, depending on your backup needs:
• Perform a Backup of Critical Volumes of a Domain Controller by Using the GUI (Windows Server Backup)
• Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin)
• Perform a Full Server Backup of a Domain Controller by Using the GUI (Windows Server Backup)
• Perform a Full Server Backup of a Domain Controller by Using the Command Line (Wbadmin)
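An added example (not from the guide) that models the two age rules stated above: the tombstone lifetime bound on a usable backup from "Recovering AD DS", and the Backup Latency Threshold (days) default of half the tombstone lifetime that drives Event ID 2089 in "Backup latency interval". The partition names, dates and the 7-day override are constructed; reading the REG_DWORD from the registry is left to the caller, who passes the value in.

```python
"""Backup-age checks for AD DS restores and the backup latency interval.

Added example, not part of the original guide. It models two rules the
guide states: a backup older than the forest's tombstone lifetime cannot be
used to restore AD DS, and Event ID 2089 is logged for a partition whose
last backup is older than 'Backup Latency Threshold (days)', which defaults
to half the tombstone lifetime. Partition names and dates are constructed.
"""
from datetime import date, timedelta

# Default tombstoneLifetime (days) by the version the forest was created on,
# as given in the guide.
DEFAULT_TOMBSTONE_LIFETIME = {
    "Windows 2000 Server": 60,
    "Windows Server 2003": 60,
    "Windows Server 2003 SP1": 180,
    "Windows Server 2003 SP2": 180,
    "Windows Server 2008": 180,
}


def backup_latency_threshold(tombstone_lifetime, registry_value=None):
    """Days after which Event ID 2089 is logged for a partition.

    registry_value is the REG_DWORD 'Backup Latency Threshold (days)' under
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters, if an
    administrator created it (the caller reads it; this function does not
    touch the registry). Absent, the default is half the tombstone lifetime.
    """
    if registry_value is not None:
        if not 0 <= registry_value <= 0xFFFFFFFF:
            raise ValueError("REG_DWORD value out of range")
        return registry_value
    return tombstone_lifetime // 2


def restore_allowed(backup_date, today, tombstone_lifetime):
    """AD DS refuses to restore a backup that is older than the tombstone lifetime."""
    return (today - backup_date).days <= tombstone_lifetime


def assess_partitions(last_backups, today, tombstone_lifetime, registry_value=None):
    """Classify each partition by the age of its most recent backup.

    Returns {partition: status} where status is 'ok', 'event-2089' (latency
    threshold exceeded; the warning repeats daily until the partition is
    backed up), 'unusable' (older than the tombstone lifetime, so the backup
    cannot be restored) or 'never-backed-up' (no backup recorded).
    """
    threshold = backup_latency_threshold(tombstone_lifetime, registry_value)
    result = {}
    for partition, last in last_backups.items():
        if last is None:
            result[partition] = "never-backed-up"
            continue
        age = (today - last).days
        if age > tombstone_lifetime:
            result[partition] = "unusable"
        elif age > threshold:
            result[partition] = "event-2089"
        else:
            result[partition] = "ok"
    return result


# Constructed scenario: a Windows Server 2008 forest (tombstone lifetime 180,
# default latency threshold 90) and the last backup date of each partition.
TODAY = date(2008, 9, 1)
LAST_BACKUPS = {
    "DC=corp,DC=example": TODAY - timedelta(days=3),
    "CN=Configuration,DC=corp,DC=example": TODAY - timedelta(days=95),
    "DC=ForestDnsZones,DC=corp,DC=example": TODAY - timedelta(days=200),
    "DC=DomainDnsZones,DC=corp,DC=example": None,
}

if __name__ == "__main__":
    tsl = DEFAULT_TOMBSTONE_LIFETIME["Windows Server 2008"]
    print("default threshold:", backup_latency_threshold(tsl), "days")
    for part, status in assess_partitions(LAST_BACKUPS, TODAY, tsl).items():
        print(f"{status:16} {part}")
    # An organization that backs up weekly and sets the registry value to 7.
    print(assess_partitions(LAST_BACKUPS, TODAY, tsl, registry_value=7))
```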

(nown Issues for $acking 3p Active Directory Domain Services
The follo%ing 0no%n issues e-ist for bac0ing up Active Director Domain Services "AD DS# in $indo%s Server 2008: • Administrator credentials are reFuired for scheduling bac0ups& A member of >ac0up 4perators cannot schedule bac0ups b default( and the privilege cannot be delegated& • $indo%s Server >ac0up tools are not installed automaticall & Eou must use Server Manager to install the $indo%s Server >ac0up =eatures( %hich include the $indo%s Server >ac0up snap/in "$badmin&msc# and the $badmin&e-e component of $indo%s Po%erShell command/line tools& • • $indo%s Server >ac0up does not support bac0ing up to tape media& Eou cannot bac0 up individual files and folders&

• Eou cannot perform or schedule s stem state bac0ups b using $indo%s Server >ac0up& Eou must use the $badmin&e-e command/line tool& • Eou cannot schedule %ee0l or monthl bac0ups b using $indo%s Server >ac0up& ;o%ever( ou can use Tas0 Scheduler to schedule manual bac0ups that are performed at different times of the %ee0& • A s stem state bac0up and recover includes Active Director Rintegrated Domain 9ame S stem "D9S# .ones but does not include file/based D9S .ones& To bac0 up and restore file/ based D9S .ones( ou have to bac0 up and recover the entire volume that hosts the files& • The target volume for a s stem state bac0up cannot be a source volume b default& A source volume is an volume that has a file that is included in the bac0up& Therefore( the target volume cannot be an volume that hosts the operating s stem( 9tds&dit file( 9tds log files( or SESB4+ director & To change this restriction( ou can add the AllowSS$ oAny5olume registr entr to the server& ;o%ever( there are 0no%n issues %ith storing a s stem state bac0up on a source volume: • >ac0ups can fail& The bac0up can be modified during the bac0up process( %hich might cause the bac0up to fail& • )se of target space is inefficient& T%ice the amount of space is necessar for a bac0up than for the original data& The volume must allocate t%ice the amount of space for the shado% cop process& The path for adding the ne% registr entr is as follo%s: "(+)CS2S .)CCurrentControlSetCServicesCwbengineCSystemState$ackupCAllowS S$ oAny5olume T pe: D!O4D 268

A value of 0 prevents the storing of system state backup on a source volume. A value of 1 allows the storing of system state backup on a source volume.
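The following PowerShell script is an added example and is not part of the guide. It reads the AllowSSBToAnyVolume value described above and, because the restriction is about "source volumes", it also works out which drive letters a system state backup reads from (operating system, Ntds.dit, the NTDS logs and SYSVOL, taken from their standard registry locations) so you can tell in advance whether a chosen target will be refused. The drive letter E: used at the end is an assumed example target.

```powershell
# Added example (not from the guide): inspect the AllowSSBToAnyVolume setting
# and test whether a backup target is a "source volume" for system state.
$SsbKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\wbengine\SystemStateBackup'
$SsbName = 'AllowSSBToAnyVolume'

function Get-SsbToAnyVolumeState {
    # 'Allowed' (value 1), 'Prevented' (value 0) or 'NotSet' (key or value
    # absent, which behaves like 0: the target may not be a source volume).
    if (-not (Test-Path $SsbKey)) { return 'NotSet' }
    $props = Get-ItemProperty -Path $SsbKey -ErrorAction SilentlyContinue
    if ($props -eq $null -or $props.PSObject.Properties[$SsbName] -eq $null) { return 'NotSet' }
    if ([int]$props.$SsbName -eq 1) { return 'Allowed' }
    return 'Prevented'
}

function Get-SourceVolumes {
    # Drive letters of every volume that a system state backup reads from.
    # NTDS and Netlogon parameter keys exist only on a domain controller.
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
    $nl   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue
    $paths = @($env:SystemRoot, $ntds.'DSA Database file', $ntds.'Database log files path', $nl.SysVol)
    return $paths | Where-Object { $_ } |
        ForEach-Object { [System.IO.Path]::GetPathRoot($_).TrimEnd('\').ToUpper() } |
        Sort-Object -Unique
}

function Test-BackupTarget {
    param([Parameter(Mandatory=$true)][string]$TargetDrive)   # e.g. 'E:'
    # $true when wbadmin will accept this target under the current setting.
    $target   = $TargetDrive.TrimEnd('\').ToUpper()
    $isSource = (Get-SourceVolumes) -contains $target
    if (-not $isSource) { return $true }
    if ((Get-SsbToAnyVolumeState) -eq 'Allowed') {
        Write-Warning "$target is a source volume; accepted only because $SsbName=1 (backup may fail, needs twice the space)."
        return $true
    }
    return $false
}

function Set-SsbToAnyVolume {
    param([Parameter(Mandatory=$true)][bool]$Allow)
    # Writes the DWORD (1 = allow, 0 = prevent); creates the key when missing.
    if (-not (Test-Path $SsbKey)) { New-Item -Path $SsbKey -Force | Out-Null }
    New-ItemProperty -Path $SsbKey -Name $SsbName -PropertyType DWord -Value ([int]$Allow) -Force | Out-Null
    return (Get-SsbToAnyVolumeState)
}

"Source volumes : $((Get-SourceVolumes) -join ', ')"
"Setting        : $(Get-SsbToAnyVolumeState)"
"E: acceptable  : $(Test-BackupTarget -TargetDrive 'E:')"
```

Leave the value unset unless a dedicated backup volume is genuinely unavailable; the script only reports by default, and Set-SsbToAnyVolume must be called explicitly.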

Perform a Backup of Critical Volumes of a Domain Controller by Using the GUI (Windows Server Backup)
You can use this procedure to back up critical volumes for a domain controller by using Windows Server Backup. You can also back up critical volumes by using the wbadmin start backup command with the -allCritical parameter. For more information, see Wbadmin start backup (http://go.microsoft.com/fwlink/?LinkId=111878).
Note
Windows Server Backup appears on the Administrative Tools menu by default, even if the Windows Server Backup feature is not installed. If Windows Server Backup is not installed, when you open Windows Server Backup, a message appears, saying that the tool is not installed and providing the instructions for installing Windows Server Backup. For more information about installing Windows Server Backup, see Installing Windows Server Backup (http://go.microsoft.com/fwlink/?LinkID=96498).
Membership in Builtin Administrators or Backup Operators, or equivalent, is the minimum required to complete this procedure. In addition, you must have write access to the target backup location.
To perform a critical-volume backup for a domain controller
1. Click Start, point to Administrative Tools, and then click Windows Server Backup.
2. If you are prompted, in the User Account Control dialog box, provide Backup Operator credentials, and then click OK.
3. On the Action menu, click Backup once.
4. In the Backup Once Wizard, on the Backup options page, click Different options, and then click Next.
5. If you are creating the first backup of the domain controller, click Next to select Different options.
6. On the Select backup configuration page, click Custom, and then click Next.
7. On the Select backup items page, select the volumes to include in the backup. If you select the Enable system recovery check box, all critical volumes are selected. As an alternative, you can clear that check box, select the individual volumes that you want to include, and then click Next. Your selection must include the volumes that store the operating system, Ntds.dit, and SYSVOL.

Note
If you select a volume that hosts an operating system, all volumes that store system components are also selected.
8. On the Specify destination type page, click Local drives or Remote shared folder, and then click Next.
9. Choose the backup location as follows:
• If you are backing up to a local drive, on the Select backup location page, in Backup destination, select a drive, and then click Next.
• If you are backing up to a remote shared folder, do the following:
a. Type the path to the shared folder.
b. Under Access Control, select Do not inherit or Inherit to determine access to the backup, and then click Next.
c. In the Provide user credentials for Backup dialog box, provide the user name and password for a user who has write access to the shared folder, and then click OK.
10. On the Specify advanced option page, select VSS copy backup, and then click Next.
11. On the Summary page, review your selections, and then click Backup.
12. After the Backup Once Wizard begins the backup, click Close at any time. The backup runs in the background and you can view backup progress at any time during the backup. The wizard closes automatically when the backup is complete.

Additional considerations
The target volume for a critical-volume backup can be a local drive, but it cannot be any of the volumes that are included in the backup.

Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin)
You can use this procedure to back up system state on a domain controller. Membership in Builtin Administrators or Backup Operators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. In addition, you must have write access to the target backup location.
To perform a system state backup of a domain controller
1. Click Start, click Command Prompt, and then click Run as administrator.

2. If you are prompted, in the User Account Control dialog box, provide Backup Operator credentials, and then click OK.
3. At the command prompt, type the following command, and then press ENTER:
wbadmin start systemstatebackup -backuptarget:<targetDrive>: -quiet

Where <targetDrive> identifies the local volume or the letter of the physical disk drive to receive the backup. You cannot store a system state backup on a network shared drive. If you do not specify the -quiet parameter, you are prompted to press Y to proceed with the backup operation.

Additional considerations
Be aware of the following issues when you perform a system state backup:
• To use Wbadmin.exe, you must install Windows Server Backup. For more information about installing Windows Server Backup, see Installing Windows Server Backup (http://go.microsoft.com/fwlink/?LinkID=96498).
• The target volume for a system state backup can be a local drive, but it cannot be any of the volumes that are included in the backup by default. To store the system state backup on a volume that is included in the backup, you must add the AllowSSBToAnyVolume registry entry to the server that you are backing up. There are also some prerequisites for storing system state backup on a volume that is included in the backup. For more information, see Known Issues for AD DS Backup and Recovery (http://go.microsoft.com/fwlink/?LinkID=117940).
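The following PowerShell script is an added example, not code from the guide. It wraps the wbadmin start systemstatebackup command from the procedure above, rejects a network share as target (which the text says is unsupported), confirms that the backup catalog on the target grew by one version, and registers a weekly Task Scheduler job for the same command, since the known issues state that Windows Server Backup cannot schedule weekly backups itself and that Backup Operators cannot schedule backups. The drive letter E:, the task name and the schedule are assumed values; the task runs as SYSTEM to satisfy the administrator-credential requirement.

```powershell
# Added example (not from the guide): system state backup with verification,
# plus a weekly Task Scheduler job for it.
function Get-BackupVersionCount {
    param([Parameter(Mandatory=$true)][string]$TargetDrive)
    # 'wbadmin get versions' prints one 'Version identifier:' line per backup on the target.
    $lines = & wbadmin get versions -backupTarget:$TargetDrive 2>$null
    return @($lines | Where-Object { $_ -match '^Version identifier:' }).Count
}

function Start-DcSystemStateBackup {
    param([Parameter(Mandatory=$true)][string]$TargetDrive)   # local volume, e.g. 'E:'
    if ($TargetDrive -like '\\*') {
        throw 'System state backups cannot be stored on a network shared drive.'
    }
    $before = Get-BackupVersionCount -TargetDrive $TargetDrive
    & wbadmin start systemstatebackup -backupTarget:$TargetDrive -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin exited with code $LASTEXITCODE" }
    $after = Get-BackupVersionCount -TargetDrive $TargetDrive
    # $true only if exactly one new version was catalogued on the target.
    return ($after -eq ($before + 1))
}

function Register-WeeklySystemStateBackup {
    param([string]$TargetDrive = 'E:',                       # assumed target volume
          [string]$TaskName   = 'AD DS system state backup', # assumed task name
          [string]$Day        = 'SUN',
          [string]$StartTime  = '02:00')
    $command = "wbadmin start systemstatebackup -backupTarget:$TargetDrive -quiet"
    # /RU SYSTEM: scheduling needs administrator-level credentials; /RL HIGHEST
    # avoids the UAC split token; /F overwrites an existing task of that name.
    & schtasks /Create /F /SC WEEKLY /D $Day /ST $StartTime /RU SYSTEM /RL HIGHEST /TN $TaskName /TR $command
    return ($LASTEXITCODE -eq 0)
}

# Run once now, then leave a weekly job behind.
if (Start-DcSystemStateBackup -TargetDrive 'E:') {
    Register-WeeklySystemStateBackup -TargetDrive 'E:'
}
```

Check the task afterwards with schtasks /Query /TN "AD DS system state backup" /V, and keep the target volume off the list of critical volumes (see Test-BackupTarget in the earlier example) so the backup is not refused when the task first fires.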

Perform a Full Server Backup of a Domain Controller by Using the GUI (Windows Server Backup)
A full server backup captures all locally attached volumes. Windows Server Backup treats Universal Serial Bus (USB) drives and Internet SCSI (iSCSI) devices as locally attached volumes. If the backup destination is a locally attached drive, it is excluded from the backup set. You can use this procedure to back up all the volumes on a domain controller by using the Windows Server Backup snap-in.
Note
Windows Server Backup appears on the Administrative Tools menu by default, even if the Windows Server Backup feature is not installed. If Windows Server Backup is not installed, when you open Windows Server Backup, a message appears, saying that the tool is not installed and providing the instructions for installing Windows Server Backup.

For more information about installing Windows Server Backup, see Installing Windows Server Backup (http://go.microsoft.com/fwlink/?LinkID=96498).
Membership in Builtin Administrators or Backup Operators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. In addition, you must have write access to the target backup location.
To perform an unscheduled full server backup of all volumes by using the graphical user interface (GUI)
1. Click Start, point to Administrative Tools, and then click Windows Server Backup.
2. If you are prompted, in the User Account Control dialog box, provide Backup Operator credentials, and then click OK.
3. On the Action menu, click Backup once.
4. In the Backup Once Wizard, on the Backup options page, click Different options, as shown in the following figure, and then click Next.

5. If you are creating the first backup of the domain controller, click Next to select Different options.

6. On the Select backup configuration page, click Full server, as shown in the following figure, and then click Next.

7. On the Specify destination type page, click Local drives or Remote shared folder, and then click Next.
8. Choose the backup location as follows:
• If you are backing up to a local drive, on the Select backup location page, in Backup destination, select a drive, and then click Next.
• If you are backing up to a remote shared folder, on the Specify remote folder page, provide shared folder information, as shown in the following figure:
a. Type the path to the shared folder.
b. Under Access Control, select Do not inherit or Inherit to determine access to the backup, and then click Next.
c. In the Provide user credentials for Backup dialog box, provide the user name and password for a user who has write access to the shared folder, and then click OK.
9. On the Specify advanced option page, select VSS copy backup (recommended), and then click Next.
10. On the Confirmation page, review your selections, and then click Backup.
11. After the Backup Once Wizard begins the backup, click Close at any time. The backup runs in the background and you can view backup progress at any time during the backup. The wizard closes automatically when the backup is complete.

Additional considerations
The target volume for an unscheduled backup can be a local drive, but it cannot be any of the volumes that are included in the backup.

Perform a Full Server Backup of a Domain Controller by Using the Command Line (Wbadmin)
A full server backup captures all locally attached volumes. Windows Server Backup treats Universal Serial Bus (USB) drives and Internet SCSI (iSCSI) devices as locally attached volumes. If the backup target is a locally attached drive, it is excluded from the backup set. You can use this procedure to back up all volumes with the Wbadmin.exe command-line tool. Membership in Builtin Administrators or Backup Operators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. In addition, you must have write access to the target backup location.
To perform an unscheduled backup of all volumes by using the command line
1. Click Start, click Command Prompt, and then click Run as administrator.
2. If you are prompted, in the User Account Control dialog box, provide Backup Operator credentials, and then click OK.
3. At the command prompt, type the following command, and then press ENTER:
wbadmin start backup -include:<sourceDrive_1>:,<sourceDrive_2>:,...,<sourceDrive_n>: -backuptarget:<targetDrive>: -quiet

Where:
• <sourceDrive_n> identifies the volume or volumes to be backed up, separated by commas and no spaces.
• <targetDrive> identifies the local volume or the letter of the network shared drive or physical disk drive to receive the backup.
If you do not specify the -quiet parameter, you are prompted to press Y to proceed with the backup operation.

Additional considerations
Be aware of the following issues when you perform unscheduled backups:
• To use Wbadmin.exe, you must install Windows Server Backup. For more information about installing Windows Server Backup, see Installing Windows Server Backup (http://go.microsoft.com/fwlink/?LinkID=96498).
• The target volume for an unscheduled backup can be a local drive, but it cannot be any of the volumes that are included in the backup.
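The following PowerShell script is an added example and not part of the guide. It builds the comma-separated -include list for the command above from the volumes that Windows reports as local disks (USB and iSCSI volumes appear there too), drops the backup target from the list as the text says Windows Server Backup does, and then runs Wbadmin.exe. The Win32_Volume WMI class is used so the script works on Windows Server 2008; the share \\backupsrv\dcbackups is an assumed target.

```powershell
# Added example (not from the guide): full server backup with Wbadmin.exe,
# with the -include list derived from the locally attached volumes.
function Get-LocalVolumeLetters {
    # DriveType 3 = local disk. Volumes mounted without a drive letter are
    # skipped here; wbadmin also accepts volume GUID paths if you need them.
    Get-WmiObject -Class Win32_Volume |
        Where-Object { $_.DriveType -eq 3 -and $_.DriveLetter } |
        ForEach-Object { $_.DriveLetter.ToUpper() } |
        Sort-Object -Unique
}

function Get-FullServerIncludeList {
    param([Parameter(Mandatory=$true)][string]$BackupTarget)   # 'F:' or '\\server\share'
    $target  = $BackupTarget.TrimEnd('\').ToUpper()
    # A locally attached target drive is excluded from the set, as the guide states.
    $letters = @(Get-LocalVolumeLetters | Where-Object { $_ -ne $target })
    if ($letters.Count -eq 0) { throw 'No local volumes left to back up.' }
    # wbadmin wants the volumes comma-separated with no spaces, e.g. C:,D:
    return ($letters -join ',')
}

function Start-FullServerBackup {
    param([Parameter(Mandatory=$true)][string]$BackupTarget)
    $include = Get-FullServerIncludeList -BackupTarget $BackupTarget
    Write-Host "Backing up $include to $BackupTarget"
    & wbadmin start backup -include:$include -backupTarget:$BackupTarget -quiet
    return ($LASTEXITCODE -eq 0)
}

# Preview the volume set first; run Start-FullServerBackup with the same
# target once the list looks right.
Get-FullServerIncludeList -BackupTarget '\\backupsrv\dcbackups'
```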


Recovering Active Directory Domain Services
You can use the information in this section to recover Active Directory Domain Services (AD DS) when directory services are disrupted as a result of problems with hardware, software, the network environment, or human error. To guard against damage from these types of disruptions, make sure that you are always prepared to restore AD DS with a timely backup of the volumes and servers that are critical to successful operation of your forest. When recovery of AD DS by restoration from a backup is necessary, the most common cause is either administrative error or hardware failure. The best defense against these problems is prevention. Be sure to take steps to protect Active Directory data from accidental deletion. You can also manage hardware replacement in a timely fashion, before it leads to failure and loss of Active Directory data.

Causes of disruptions
Disruptions to directory services can be caused by many conditions on a domain controller, in a domain or forest, and with service clients and applications that use AD DS. The following are some of the conditions that can disrupt directory services:
• Reordering or changes to drive letters that cause the operating system, the directory service file, and logs to be unavailable in their expected locations
• Excessive permissions on objects in AD DS, the file system, or the registry, or explicitly defined and assigned in Group Policy
• Disk failure, which prevents access to or causes damage to the following sets of files: operating system, directory service and log, SYSVOL, and registry or other critical system files
• Inability to restart AD DS in normal mode, for example, after an unscheduled power outage or software update
• Antivirus utilities and other utilities, such as disk optimization utilities, which prevent unfettered access to the directory service file and logs
• Inability of a domain controller to respond to Lightweight Directory Access Protocol (LDAP) requests, logon requests, or replication requests
• Inability to boot from AD DS, for example, after an unscheduled power outage or software update
• Physical site disaster, such as natural disasters or virus attacks or other security attacks
• Accidental deletions in AD DS, the file system, or the registry
• Rollback to a known good point in time
• Corruption that is localized to a domain controller
• Corruption that has replicated (the worst-case scenario)


Keys to protecting against disruptions
The keys to protecting your network from disruptions are preparation and prevention. To make sure that you are always able to recover from disruption, prepare by scheduling backups as follows:
• Back up the volumes that are required to recover AD DS and the entire domain controller.
• Back up all critical domain controllers, as described in Backing Up Active Directory Domain Services.
• Back up on a daily schedule and when significant changes are made to the registry or the directory.
Before you introduce configuration changes on domain controllers in production, test your configuration changes in a lab or on a test computer that mirrors the production environment in the same way that you test hardware configuration, service pack and software update revisions, performance load, and so on. Some configuration changes have immediate implications; some are apparent when a single event or operation occurs (such as a reboot or service startup); and some have chained implications (for example, if X and Y both occur, then Z occurs). Other changes have time-based or threshold-based implications. Be sure that you are aware of all the effects of a configuration change before you implement it in production.
For more information about backup recommendations, see Backing Up Active Directory Domain Services.
The most common causes of directory service disruption requiring recovery are administrative error and hardware failure. The best defense against these problems is prevention. You can prevent disruptions by taking steps to protect against easily avoidable problems:
• Use the Protect object from accidental deletion option in Windows Server 2008 to prevent inadvertent deletions of critical data. For more information, see "Preventing unwanted deletions" in this topic.
• Monitor all critical services.
• Manage hardware replacement in a timely fashion.

When you consider recovery options, the objective is to use the fastest method that results in the least intrusive and most complete recovery. Options for recovery can range from repair of individual elements to restoration of a single domain controller. In the worst-case scenario, the only option might be to recover all domain controllers in a domain or forest.

Preventing unwanted deletions
Most large-scale deletions are accidental. In many cases, you may have to perform a recovery operation to recover objects that have been deleted from AD DS. In Windows Server 2008, the Active Directory Users and Computers snap-in provides the Protect object from accidental deletion option. When enabled, Protect object from accidental deletion implements the Deny delete subtree permission. This option is available in Active Directory Users and Computers on the domain controller and when viewed through Remote Server Administration Tools (RSAT) on computers running Windows Server 2008 and Windows Vista. When you enable Advanced Features on the View menu, the Protect object from accidental deletion option is available on the Object tab. You can open the Properties page for each container in the domain and enable this option.
Note
CN=Users,DC=DomainName and CN=Computers,DC=DomainName are protected from deletion by system flags on the objects. Use this option to protect all other containers up to the domain level. Good candidates for protection are containers that store Group Policy objects (GPOs) and Active Directory–integrated Domain Name System (DNS) zones.
When you enable the Protect object from accidental deletion option, neither the container nor any child object can be deleted by any administrator or other user. An administrator with the right to log on locally to a domain controller and the right to open Active Directory Users and Computers can enable or disable the setting.
Pay particular attention to protecting organizational units (OUs) that might have been created in an earlier version of Windows. When you create an OU by using Active Directory Users and Computers in Windows Server 2008, the Protect container from accidental deletion check box is selected by default. On domain controllers that are running earlier versions of Windows, you must apply the Deny access control entries (ACEs) permission on the Security tab of the properties page of the containers to implement protection from accidental deletion. For information about how to apply these access control entries (ACEs) manually, see Guarding Against Accidental Bulk Deletions in Active Directory (http://go.microsoft.com/fwlink/?LinkId=116368).

Recovery solutions
When you are faced with unacceptable directory service conditions that cannot be resolved reliably by manual updates, your recovery solutions depend on data issues, hardware issues, time constraints, and the backups that are available.

Solutions for configuration errors: nonauthoritative restore
To undo errors in configuration so that AD DS returns to a previous healthy state and is then brought up to date through replication, perform a nonauthoritative restore from backup. This process overwrites the current version of AD DS with the version in the backup. After replication, the directory is current with the rest of the domain. You can restore AD DS by using a system state backup, a critical-volumes backup, or a full server backup. If a system state backup is available, use the system state backup to recover from registry or directory service configuration errors. You can use a critical-volumes backup as well, but it contains more than Active Directory data and it is not required for restoring AD DS only. Use full-server recovery for more serious problems, as described in "Solutions for hardware failure or file corruption" later in this topic.


Note
Nonauthoritative restore from backup requires that the domain controller is running in Directory Services Restore Mode (DSRM). You cannot perform this procedure by stopping AD DS.

Solutions for data loss: authoritative restore
Accidental deletions can occur in any writable directory partition. Such deletions are most common in the domain directory partition, but they can also occur in the configuration directory partition. Objects in the schema directory partition are protected against deletion. The method for recovering deleted objects is authoritative restore. If you have data loss and you can identify the source and quantity of the loss, you can recover the lost data by performing an authoritative restore. If you lose domain data, you must perform recovery by restoring a domain controller that hosts a writable copy of the domain directory partition where the data loss occurred. If objects are deleted from the configuration directory partition, you can recover these objects by restoring any domain controller in the forest. There are special considerations if the deleted objects have a forward link-back link relationship with each other. This relationship exists for security groups and distribution groups.
Restoring group memberships
Security principals are objects that can have group memberships. Recovering deleted security principals requires not only restoring the object itself but also restoring the group memberships of each restored security principal. You use files that are generated by Ntdsutil during authoritative restore to recover group memberships. Group membership is defined by linked attributes on the group object and on the group member object: the member attribute of the group object is a forward link attribute that links to the memberOf attribute (the back link) of the group member, which can be a user, a computer, or another group. If you perform the restore on a domain controller that is not a global catalog server, only group memberships for groups that are stored in the domain are restored. If you perform the restore on a global catalog server, group memberships in universal groups that are stored in other domains in the forest are also restored. However, restoring memberships in domain local groups that are stored in other domains requires additional steps that involve using the files that Ntdsutil generates during authoritative restore.
When you authoritatively restore security principals on a domain controller that is running a version of Windows Server later than Windows Server 2003 (that is, Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 Service Pack 2 (SP2), Windows Server 2003 R2, or Windows Server 2008), the Ntdsutil command-line tool recovers group memberships automatically (restores the memberOf value on the restored security principal object) for all groups that were created or updated at a forest functional level of at least either Windows Server 2003 or Windows Server 2003 interim. However, replication order can undo the restored memberships in the recovery domain. For this reason, it is best to perform the additional steps to recover group memberships in the recovery domain as well. For more information about restoring group memberships, see Performing Authoritative Restore of Active Directory Objects.
Methods of authoritative restore

Depending on replication conditions in the domain of the deletions, you can use the following methods to perform an authoritative restore:
• Nonauthoritative restore from backup, followed by authoritative restore: Unless you can isolate a domain controller that has not received the deletions, authoritative restore must be preceded by a nonauthoritative restore from backup to restore the directory to a former state that contained the deleted objects. With the deleted objects restored, you can mark them as authoritative so that replication does not overwrite them with the delete condition that still exists on the other domain controllers in the domain.
• Authoritative restore only: If you identify the data loss quickly and you can isolate a global catalog server in the domain where the deletion occurred that has not received replication of the deletions, you can mark the objects as authoritative on the global catalog server and avoid performing an initial restore from a backup (nonauthoritative restore). This option depends on your ability to stop inbound replication on the global catalog server before replication of the deletions is received. Global catalog servers often have longer replication latency than other domain controllers. Global catalog servers are preferred as recovery domain controllers because they store more group information. However, any latent domain controller in the domain of the deletions that has not received replication of the deletions can serve as the recovery domain controller if you want to avoid restoring from backup.
For more information about performing authoritative restore without restoring from backup, see Performing Authoritative Restore of Active Directory Objects.
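The "authoritative restore only" method above hinges on stopping inbound replication on a latent domain controller before the deletions reach it. The following PowerShell script is an added example and not from the guide: it binds directly to the candidate domain controller to confirm that each deleted object still exists there, reports whether that controller is a global catalog (the preferred choice in the text), and then disables inbound replication on it with Repadmin so the deletions cannot arrive while you work. The controller name and object DN at the end are assumed values; Resume-InboundReplication undoes the isolation once the objects have been marked authoritative.

```powershell
# Added example (not from the guide): pick and isolate a latent recovery DC.
function Test-ObjectPresentOnDc {
    param([Parameter(Mandatory=$true)][string]$DomainController,
          [Parameter(Mandatory=$true)][string]$DistinguishedName)
    # Bind to the named DC, not to whichever DC the locator would choose.
    return [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$DomainController/$DistinguishedName")
}

function Test-GlobalCatalog {
    param([Parameter(Mandatory=$true)][string]$DomainController)
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/RootDSE")
    return ([string]$rootDse.isGlobalCatalogReady.Value -eq 'TRUE')
}

function Isolate-RecoveryDc {
    param([Parameter(Mandatory=$true)][string]$DomainController,
          [Parameter(Mandatory=$true)][string[]]$DeletedObjectDNs)
    $missing = @($DeletedObjectDNs | Where-Object { -not (Test-ObjectPresentOnDc $DomainController $_) })
    if ($missing.Count -gt 0) {
        # The deletion has already replicated here; this DC cannot be the recovery DC.
        Write-Warning "Already deleted on $DomainController`: $($missing -join '; ')"
        return $false
    }
    if (-not (Test-GlobalCatalog $DomainController)) {
        Write-Warning "$DomainController is not a global catalog; universal group memberships held in other domains will not be recovered here."
    }
    # Stop inbound replication so the delete cannot arrive before the objects are marked authoritative.
    & repadmin /options $DomainController '+DISABLE_INBOUND_REPL'
    if ($LASTEXITCODE -ne 0) { throw "repadmin failed with exit code $LASTEXITCODE" }
    return $true
}

function Resume-InboundReplication {
    param([Parameter(Mandatory=$true)][string]$DomainController)
    & repadmin /options $DomainController '-DISABLE_INBOUND_REPL'
    return ($LASTEXITCODE -eq 0)
}

# Assumed DC name and deleted OU; $true means the DC is usable and now isolated.
Isolate-RecoveryDc -DomainController 'gc1.corp.example' -DeletedObjectDNs @('OU=Sales,DC=corp,DC=example')
```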

Recovery options with no available backup
If you have data loss but you do not have a backup, you must recreate the deleted objects. As an alternative, where data loss is minimal, you might be able to recover lost data by using the undelete capability that recovers objects by reanimating the object tombstone (the retained record of the object deletion). The Windows Server 2003 and Windows Server 2008 directory database supports an LDAP application programming interface (API) that reanimates the tombstone of a single object (that is, it "undeletes" the object). This API is available for developing applications to restore the attributes that are preserved on tombstones, which include the object security identifier (SID), globally unique identifier (GUID), and security descriptor, as well as any indexed attributes. On domain controllers that are running Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2003 R2, or Windows Server 2008, the sIDHistory attribute is also retained. All other attributes must be recreated. In the case of a deleted user object, you must repopulate attributes to re-establish group memberships, profile path, home directory, and contact information. You must also reset passwords and communicate the password to the users so they can log on to the domain. For information about reanimating tombstones, see Reanimating Active Directory Tombstone Objects (http://go.microsoft.com/fwlink/?LinkId=116204).
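The following PowerShell script is an added example, not code from the guide, showing the single-object undelete described above through the LDAP modify operation: the tombstone is found under CN=Deleted Objects with the Show Deleted control, its isDeleted attribute is removed and its distinguishedName is replaced with the original name placed under its last known parent. It uses the System.DirectoryServices.Protocols classes shipped with the .NET Framework; the controller name, domain DN and account name at the end are assumed values. Only the attributes preserved on the tombstone return; as the text says, group memberships, profile path, contact data and the password must be repopulated afterwards.

```powershell
# Added example (not from the guide): reanimate one tombstone over LDAP.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$Ldap = 'System.DirectoryServices.Protocols'

function Connect-Dc {
    param([Parameter(Mandatory=$true)][string]$DomainController)
    $conn = New-Object "$Ldap.LdapConnection" -ArgumentList $DomainController
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()          # current credentials (Negotiate)
    return $conn
}

function Find-Tombstone {
    param($Connection, [string]$DomainDn, [string]$SamAccountName)
    # Tombstones are hidden from normal searches; the ShowDeleted control
    # (OID 1.2.840.113556.1.4.417) makes the DC return them. sAMAccountName
    # and lastKnownParent are among the attributes kept on the tombstone.
    $req = New-Object "$Ldap.SearchRequest" -ArgumentList @(
        "CN=Deleted Objects,$DomainDn",
        "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))",
        [System.DirectoryServices.Protocols.SearchScope]::Subtree,
        [string[]]@('lastKnownParent'))
    $req.Controls.Add((New-Object "$Ldap.ShowDeletedControl")) | Out-Null
    $resp = $Connection.SendRequest($req)
    if ($resp.Entries.Count -ne 1) { throw "Expected one tombstone, found $($resp.Entries.Count)" }
    return $resp.Entries[0]
}

function Restore-Tombstone {
    param($Connection, $Tombstone, [string]$TargetParentDn)
    # Tombstone RDN looks like "CN=<name>\0ADEL:<guid>"; drop the DEL suffix
    # to rebuild the original RDN, then place the object under the parent.
    $rdn   = ($Tombstone.DistinguishedName -split '(?<!\\),')[0] -replace '\\0ADEL:.*$', ''
    $newDn = "$rdn,$TargetParentDn"

    $clearIsDeleted = New-Object "$Ldap.DirectoryAttributeModification"
    $clearIsDeleted.Name = 'isDeleted'
    $clearIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    $setDn = New-Object "$Ldap.DirectoryAttributeModification"
    $setDn.Name = 'distinguishedName'
    $setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    $setDn.Add($newDn) | Out-Null

    # Both changes must travel in one modify request, again with ShowDeleted.
    $mods = [System.DirectoryServices.Protocols.DirectoryAttributeModification[]]@($clearIsDeleted, $setDn)
    $req  = New-Object "$Ldap.ModifyRequest" -ArgumentList @($Tombstone.DistinguishedName, $mods)
    $req.Controls.Add((New-Object "$Ldap.ShowDeletedControl")) | Out-Null
    $resp = $Connection.SendRequest($req)
    if ($resp.ResultCode -ne [System.DirectoryServices.Protocols.ResultCode]::Success) {
        throw "Undelete failed: $($resp.ResultCode) $($resp.ErrorMessage)"
    }
    return $newDn
}

# Assumed DC, domain and account. Returns the DN of the reanimated object.
$conn   = Connect-Dc 'dc1.corp.example'
$ts     = Find-Tombstone $conn 'DC=corp,DC=example' 'jdoe'
$parent = [string]$ts.Attributes['lastKnownParent'][0]   # original container
Restore-Tombstone $conn $ts $parent
```

If the original container itself was deleted, lastKnownParent points at another tombstone; reanimate the container first or pass a different TargetParentDn.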

Solutions for hardware failure or file corruption
If you have hardware issues that require the replacement of the hard drive on a domain controller, you must either recover the full server to the new hardware or reinstall the operating system. If you have widespread corruption in the file system, your best solution is also full server recovery or reinstallation. To decide whether or not to perform a full server recovery, consider the following conditions:
• A full server recovery reformats and repartitions all disks that are attached to the server.
• A full server recovery might be more time consuming than reinstalling the operating system.
• Reinstallation requires a cleanup of server metadata on the failed domain controller.
• Reinstallation results in data loss. All servers have roles and features installed. Each role has configuration state in AD DS, the file system, and the registry, and a role frequently has its own data store. For example, the server might be configured for DNS, Dynamic Host Configuration Protocol (DHCP), Windows Internet Name Service (WINS), administration tools, and registry settings for maximum transmission unit (MTU), maxPacketSize, and security. If you have to reinstall, you must either export and import all these settings or recreate them. This method is certain to be time consuming and error prone.
Reinstalling and restoring criteria
In general, use the following criteria to decide whether to reinstall or restore a domain controller from backup:
• Reinstall the operating system under the following conditions:
• You do not have an available backup.
• You must have the domain controller back online as soon as possible and reinstallation is faster than restoring.
• You have exhausted all known avenues of troubleshooting a fault or error condition, and continued troubleshooting is not likely to succeed or will result in diminishing returns with more time spent.
• Perform a full server restore of the domain controller under the following conditions:
• Reinstalling will result in an unacceptable loss of data.
• You want to recover from localized or replicated corruption.
• The domain controller is running other server services, such as Exchange, or it contains other data that you must restore from a backup.
Restoring AD DS after reinstalling the operating system
If you reinstall the operating system, you can restore AD DS in one of the following ways:
• Use Dcpromo to reinstall AD DS and allow replication from another, healthy domain controller in the domain to update the domain controller.
• Restore AD DS from backup (nonauthoritative restore). Then, allow replication from another, healthy domain controller in the domain to update the domain controller. This method requires less replication than reinstalling AD DS.
• Install AD DS from installation media. This method, called install from media (IFM), requires that you have created installation media that can be used to install AD DS. You use Ntdsutil to create the media on a healthy domain controller in the domain. In this case, recovery is faster because Active Directory replication is not required. For more information about installing from media, see Installing an Additional Domain Controller by Using IFM.

Recovery tasks
This section includes the following tasks for recovering AD DS:
Performing Nonauthoritative Restore of Active Directory Domain Services
Performing Authoritative Restore of Active Directory Objects
Performing Authoritative Restore of an Application Directory Partition
Performing a Full Server Recovery of a Domain Controller
Restoring a Domain Controller Through Reinstallation and Subsequent Restore from Backup
Restoring a Domain Controller Through Reinstallation

Performing Nonauthoritative Restore of Active Directory Domain Services
A nonauthoritative restore is the method for restoring Active Directory Domain Services (AD DS) from a system state, critical-volumes, or full server backup. A nonauthoritative restore returns the domain controller to its state at the time of backup and then allows normal replication to overwrite that state with any changes that occurred after the backup was taken. After you restore AD DS from backup, the domain controller queries its replication partners. Replication partners use the standard replication protocols to update AD DS and associated information, including the SYSVOL shared folder, on the restored domain controller. You can use a nonauthoritative restore to restore the directory service on a domain controller without reintroducing or changing objects that have been modified since the backup. The most common use of a nonauthoritative restore is to reinstate a domain controller, often after catastrophic or debilitating hardware failures. In the case of data corruption, do not use nonauthoritative restore unless you have confirmed that the problem is with AD DS.
Note
If your objective is to recover objects that were deleted since the last backup, first perform a nonauthoritative restore from backup to reinstate the deleted objects and then perform an authoritative restore to mark the deleted objects as authoritative so that they are not overwritten during replication. When you are performing both a nonauthoritative restore and an authoritative restore, do not allow the domain controller to restart after the nonauthoritative restore. For information about performing authoritative restore, see Performing Authoritative Restore of Active Directory Objects.


Nonauthoritative Restore Requirements
You can perform a nonauthoritative restore from backup on a Windows Server 2008 system that is a stand-alone server, member server, or domain controller. On domain controllers that are running Windows Server 2008, you can stop and restart AD DS as a service. Therefore, in Windows Server 2008, performing offline defragmentation and other database management tasks does not require restarting the domain controller in Directory Services Restore Mode (DSRM). However, you cannot perform a nonauthoritative restore after simply stopping the AD DS service in regular startup mode. You must be able to start the domain controller in DSRM. If the domain controller cannot be started in DSRM, you must first reinstall the operating system. If you need to reinstall the operating system and then restore AD DS, see Restoring a Domain Controller Through Reinstallation and Subsequent Restore from Backup or Restoring a Domain Controller Through Reinstallation.
To perform a nonauthoritative restore, you need one of the following types of backup for your backup source:
• System state backup: Use this type of backup to restore AD DS. If you have reinstalled the operating system, you must use a critical-volumes or full server backup. If you are restoring a system state backup, use the wbadmin start systemstaterecovery command.
• Critical-volumes backup: A critical-volumes backup includes all data on all volumes that contain operating system and registry files, boot files, SYSVOL files, or Active Directory files. Use this type of backup if you want to restore more than the system state. To restore a critical-volumes backup, use the wbadmin start recovery command.
• Full server backup: Use this type of backup only if you cannot start the server or you do not have a system state or critical-volumes backup. A full server backup is generally larger than a critical-volumes backup. Restoring a full server backup not only rolls back data in AD DS to the time of backup, but it also rolls back all data in all other volumes. Rolling back this additional data is not necessary to achieve nonauthoritative restore of AD DS. For information about performing a full server backup for disaster recovery, see Performing a Full Server Recovery of a Domain Controller on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=116206).

SYSVOL restore
SYSVOL is always restored nonauthoritatively during a restore of AD DS. Restoring SYSVOL requires no additional procedures. If you deleted file system policy and have a backup of policy that you created by using Group Policy Management Console, you can recover the policy by using that tool. For information about managing Group Policy, see Group Policy Management Console (http://go.microsoft.com/fwlink/?LinkId=101634). If you deleted the Default Domain Policy or Default Domain Controllers Policy, you can use Dcgpofix.exe to rebuild the policy. For information about using Dcgpofix.exe, see Dcgpofix.exe on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=109291).

When you use System Recovery Options in Windows Server Backup to restore a Windows Server 2008 domain controller in an environment that has Distributed File System (DFS) Replication implemented, the SYSVOL restore is performed nonauthoritatively by default. To perform an authoritative restore of SYSVOL, include the -authsysvol switch in your recovery command, as shown in the following example:
wbadmin start systemstaterecovery <otheroptions> -authsysvol

If you use File Replication Service (FRS), the restore operation sets the BURFLAGS registry entries for FRS, which affects all replica sets that are replicated by FRS.

Task requirements
The following tools are required to perform the procedures for this task:
• Remote Desktop Connection (optional)
• Wbadmin.exe
• Bcdedit.exe

To complete this task, perform the following procedures:
1. Restart the domain controller in DSRM by using one of the following methods: Restart the Domain Controller in Directory Services Restore Mode Locally or Restart the Domain Controller in Directory Services Restore Mode Remotely
2. Restore AD DS from Backup (Nonauthoritative Restore)
3. Verify AD DS restore

Additional references
• Performing Authoritative Restore of Active Directory Objects
• Enable Remote Desktop
• Create a Remote Desktop Connection

Restart the Domain Controller in Directory Services Restore Mode Locally
If you have physical access to a domain controller, you can restart the domain controller in Directory Services Restore Mode (DSRM) locally. Restarting in DSRM takes the domain controller offline. In this mode, the server is functioning as a member server, not as a domain controller. During installation of Active Directory Domain Services (AD DS), you set the Administrator password for logging on to the server in DSRM. When you start Windows Server 2008 in DSRM, you must log on by using this DSRM password for the local Administrator account.

Note
By default, you must start a domain controller in DSRM to log on by using the DSRM Administrator account. However, on domain controllers that are running Windows Server 2008, you can change this behavior by modifying the DSRMAdminLogonBehavior registry entry. By changing the value for this entry, you can configure a domain controller so that you can log on to it with the DSRM Administrator account if the domain controller was started normally but the AD DS service is stopped for some reason. For more information about changing this registry entry, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=88649).

You can restart a domain controller in DSRM manually by pressing the F8 key during domain controller startup, which requires watching the startup and waiting for the appropriate point in the startup to press the key. This method is tedious and can waste time if you miss the brief window of opportunity for selecting the restart mode. On domain controllers that are running Windows Server 2008, tools are available that replace the Boot.ini file that is used in earlier versions of Windows Server to modify the boot configuration parameters and controls. You can use the Windows graphical user interface (GUI) or the command line to restart the domain controller in DSRM:
• Windows GUI: System Configuration (Msconfig.msc) is an administrative tool that you can use to configure boot and startup options, including restarting in DSRM and normal mode.
• Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot configuration on a server that is running Windows Server 2008. You can use Bcdedit with shutdown commands to instruct the domain controller to restart in DSRM and to restart normally.
When you are finished managing a domain controller in DSRM, if you have used System Configuration or Bcdedit.exe to restart the domain controller in DSRM, you must change the configuration so that the domain controller restarts in normal mode.

Note
A benefit of using System Configuration or Bcdedit.exe for implementing restart of a domain controller into DSRM is that normally the domain controller cannot be inadvertently restarted. This benefit is particularly useful when you are performing a nonauthoritative restore from backup followed by an authoritative restore.

You can also use System Configuration or Bcdedit.exe to restart a domain controller in DSRM remotely. To use System Configuration or Bcdedit.exe and Remote Desktop Connection to restart a domain controller in DSRM remotely, see Restart the Domain Controller in Directory Services Restore Mode Remotely.
Membership in the Domain Admins group is the minimum required to complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM are required to log on to the domain controller in DSRM. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.


Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).

Restarting the domain controller in DSRM locally
You can use either of the following methods to restart the domain controller in DSRM:

To restart a domain controller in DSRM locally by using the Windows GUI
1. On the Start menu, point to Administrative Tools, and then click System Configuration.
2. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK.
3. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM.
4. Perform procedures in DSRM.
5. When you have finished performing procedures in DSRM, restart the domain controller normally:
a. On the Start menu, point to Administrative Tools, and then click System Configuration.
b. On the General tab, in Startup selection, click Normal startup, and then click OK. The domain controller restarts normally.

To restart a domain controller in DSRM locally by using the command line
1. Click Start, click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, and then click OK.
2. At the command prompt, type the following command, and then press ENTER:
bcdedit /set safeboot dsrepair

3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r

4. When you are still in DSRM and you are ready to restart in normal mode, open a command prompt and type the following, and then press ENTER:
bcdedit /deletevalue safeboot

5. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r

Value                          Description
/set safeboot dsrepair         Configures the boot process to start in DSRM.
shutdown -t 0 -r               Shuts down the server and restarts it.
/deletevalue safeboot          Returns the boot process to the previous setting.

See Also
Restart the Domain Controller in Directory Services Restore Mode Remotely

Restart the Domain Controller in Directory Services Restore Mode Remotely
If you have remote access to a domain controller, you can restart the domain controller in Directory Services Restore Mode (DSRM) remotely. Remote access requires the user right to log on locally to a domain controller. Restarting in DSRM takes the domain controller offline. In this mode, the server is functioning as a member server, not a domain controller. During installation of Active Directory Domain Services (AD DS), you set the Administrator password for logging on to the server in DSRM. When you start Windows Server 2008 in DSRM, you must log on by using this DSRM password for the local Administrator account.

Note
By default, you must start a domain controller in DSRM to log on by using the DSRM Administrator account. However, on domain controllers that are running Windows Server 2008, you can change this behavior by modifying the DSRMAdminLogonBehavior registry entry. By changing the value for this entry, you can configure a domain controller so that you can log on to it with the DSRM Administrator account if the domain controller was started normally but the AD DS service is stopped for some reason. For more information about changing this registry entry, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=88649).

On domain controllers that are running Windows Server 2008, tools are available that replace the Boot.ini file that is used in earlier versions of Windows Server to modify the boot configuration parameters and controls. You can use the Windows graphical user interface (GUI) or the command line to restart the domain controller in DSRM:
• Windows GUI: System Configuration (Msconfig.msc) is an administrative tool that you can use to configure boot and startup options, including restarting in DSRM and normal mode.
• Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot configuration on a server that is running Windows Server 2008. You can use Bcdedit with shutdown commands to instruct the domain controller to restart in DSRM and to restart normally.
To restart the domain controller in DSRM remotely, you first use Remote Desktop Connection to connect to the domain controller while it is in normal startup mode. Remote Desktop Connection must be enabled on the target domain controller. After the domain controller has restarted, you can use Remote Desktop Connection to reconnect to the domain controller and then log on as the local Administrator, using the DSRM password. You can use this procedure to connect to a domain controller remotely, restart it in DSRM, and then reconnect to it as the DSRM administrator.
Membership in Domain Admins, or equivalent, is the minimum required to complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM and the user right to log on locally to a domain controller are required to log on to the domain controller in DSRM. Members of Account Operators, Administrators, Enterprise Admins, Domain Admins, Backup Operators, Print Operators, and Server Operators have the user right to log on locally to a domain controller by default. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. Using a domain administrative account to log on to an RODC can compromise the server. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).

To restart a domain controller in DSRM remotely by using the Windows GUI
1. Connect to the remote domain controller that is running in normal mode:
a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection.
b. In Computer, type the name of the domain controller that you want to restart, and then click Connect.
c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK.
d. When you are connected, log on to the domain controller as a domain administrator.
2. On the Start menu, point to Administrative Tools, and then click System Configuration.
3. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK.
4. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped.
5. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection.
6. The domain controller name should still be showing in Computer. If it is not, select it from the list, and then click Connect.
7. In the Windows Security dialog box, click Use another account.
8. In User name, type the following: MachineName\Administrator, where MachineName is the name of the domain controller.
9. In Password, type the DSRM password, and then click OK.
10. At the logon screen of the remote domain controller, click Switch User, and then click Other User.
11. Type MachineName\Administrator, and then press ENTER.
12. Perform procedures in DSRM.
13. When you have finished performing procedures in DSRM, restart the domain controller normally:
a. On the Start menu, point to Administrative Tools, and then click System Configuration.
b. On the General tab, in Startup selection, click Normal startup, and then click OK. The domain controller restarts normally. This procedure will disconnect your remote session.

To restart a domain controller in DSRM remotely by using the command line
1. Connect to the remote domain controller that is running in normal mode:
a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection.
b. In Computer, type the name of the domain controller that you want to restart, and then click Connect.
c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK.
d. When you are connected, log on to the domain controller as a domain administrator.
2. Open a command prompt. At the command prompt, type the following command, and then press ENTER:
bcdedit /set safeboot dsrepair

3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r

The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped.
4. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection.
5. The domain controller name should still be showing in Computer. If it is not, select it in the list, and then click Connect.
6. In the Windows Security dialog box, click Use another account.
7. In User name, type the following: MachineName\Administrator, where MachineName is the name of the domain controller.
8. In Password, type the DSRM password, and then click OK.
9. At the logon screen of the remote domain controller, click Switch User, and then click Other User.
10. Type MachineName\Administrator, and then press ENTER.
11. Perform procedures in DSRM.
12. When you have finished performing procedures in DSRM, restart the domain controller normally:
a. In DSRM, open a command prompt, type the following command, and then press ENTER:
bcdedit /deletevalue safeboot

b. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r

The domain controller restarts normally. This procedure will disconnect your remote session.
Value                             Description
bcdedit /set safeboot dsrepair    Configures the boot process to start in DSRM.
shutdown -t 0 -r                  Shuts down the server and restarts it.
bcdedit /deletevalue safeboot     Returns the boot process to the previous setting.
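The Bcdedit and shutdown steps of the two procedures above (local, and over Remote Desktop), wrapped so the boot change is verified before any restart and the cleanup cannot be forgotten. This is an added example, not code from the Operations Guide; the function names are mine, and it assumes the DSRMAdminLogonBehavior entry discussed above lives under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa.

```powershell
# Added example; not code from the Operations Guide. Run in an elevated prompt
# on the domain controller, locally or in the Remote Desktop session.
# Assumption: DsrmAdminLogonBehavior lives under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa.

function Get-SafebootSetting {
    # Reads the 'safeboot' line of the current boot entry; $null when it is not set.
    foreach ($line in (bcdedit /enum '{current}')) {
        if ($line -match '^\s*safeboot\s+(\S+)\s*$') { return $Matches[1] }
    }
    return $null
}

function Set-DsrmBoot {
    # Step 2 of the command-line procedure: bcdedit /set safeboot dsrepair,
    # then confirm the entry actually reads DsRepair before anyone reboots.
    bcdedit /set safeboot dsrepair | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /set safeboot dsrepair failed (exit $LASTEXITCODE)" }
    $setting = Get-SafebootSetting
    if ($setting -ne 'DsRepair') { throw "safeboot reads '$setting', expected DsRepair" }
    return $setting
}

function Clear-DsrmBoot {
    # Step 4 (local) / step 12a (remote): bcdedit /deletevalue safeboot. A DC left
    # with safeboot set keeps booting into DSRM, offline as a DC, so the removal
    # is verified too.
    bcdedit /deletevalue safeboot | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /deletevalue safeboot failed (exit $LASTEXITCODE)" }
    $setting = Get-SafebootSetting
    if ($setting) { throw "safeboot still reads '$setting'; do not restart yet" }
}

function Restart-Dc {
    # Steps 3 and 5: shutdown -t 0 -r. This drops the Remote Desktop session, as
    # the remote procedure notes, so the caller has to opt in with -Force.
    param([switch]$Force)
    if (-not $Force) {
        Write-Warning 'Boot entry changed; run with -Force (or shutdown -t 0 -r) to restart.'
        return
    }
    shutdown -t 0 -r
}

function Get-DsrmLogonBehavior {
    # DsrmAdminLogonBehavior: 0 or absent = the DSRM Administrator can log on only
    # after a DSRM boot (the default described above); 1 = also when AD DS is
    # stopped in normal mode; 2 = at any time. Worth recording per DC, since 2
    # leaves a local, non-domain account usable on a running domain controller.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $value = $lsa.DsrmAdminLogonBehavior
    if ($null -eq $value) { return 0 }
    return [int]$value
}

# Typical sequence:
#   Set-DsrmBoot; Restart-Dc -Force        # into DSRM
#   ...perform the DSRM work...
#   Clear-DsrmBoot; Restart-Dc -Force      # back to normal startup
```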

See Also
Enable Remote Desktop
Create a Remote Desktop Connection
Restart the Domain Controller in Directory Services Restore Mode Locally

Restore AD DS from Backup (Nonauthoritative Restore)
Nonauthoritative restore from backup restores Active Directory Domain Services (AD DS) from its current state to the previous state of a backup. Use this procedure before you perform an authoritative restore procedure to recover objects that were deleted after the time of the backup. To restore AD DS from backup, use a system state or critical-volumes backup. To restore AD DS from backup, you must restart the domain controller in Directory Services Restore Mode (DSRM).

Note
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).

Be sure that you know the name and location of the version of the backup that you are restoring. Backup files are named for the date and time of the backup. When you restore the backup, the version must be stated in the form MM/DD/YYYY-HH:MM (month/day/year-hour:minute), which specifies the name of the backup that you want to restore. The Wbadmin.exe command-line tool does not require that you provide the target for the recovery. By specifying the backup version that you want to recover, the command proceeds to recover to the source location of the backup version that you specify.

Note
The systemstaterecovery command in Wbadmin.exe causes a nonauthoritative restore of SYSVOL by default (only updates to SYSVOL since the time of the backup are replicated to the recovery domain controller). If you want to restore SYSVOL authoritatively (all of SYSVOL is replicated from the recovery domain controller to other domain controllers in the domain), specify the -authsysvol option in the command.

The Administrator password for DSRM is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. The server must be running in DSRM.

To perform a nonauthoritative restore of AD DS
1. At the Windows logon screen, click Switch User, and then click Other User.
2. Type .\administrator as the user name, type the DSRM password for the server, and then press ENTER.
3. Open a Command Prompt.
4. At the command prompt, type the following command, and then press ENTER:
wbadmin get versions -backuptarget:<targetDrive>: -machine:<BackupComputerName>

Where:
• <targetDrive>: is the location of the backup that you want to restore.
• <BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was made.
5. Identify the backup version that you want to restore. You must enter this backup version exactly in the next step.
6. At the command prompt, type the following command, and then press ENTER:
wbadmin start systemstaterecovery -version:<MM/DD/YYYY-HH:MM> -backuptarget:<targetDrive>: -machine:<BackupComputerName> -quiet

Where:
• <MM/DD/YYYY-HH:MM> is the version of the backup that you want to restore.
• <targetDrive>: is the volume that contains the backup.
• <BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was taken.
If you do not specify the -quiet parameter, you are prompted to press Y to proceed with the restore process and then press Y to confirm that the replication engine for SYSVOL has not changed since you created the backup. After the recovery operation is complete, if you are not going to perform an authoritative restore of any restored objects, restart the server.
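Steps 4 to 6 above driven from one script, so the version identifier is taken from the wbadmin get versions output rather than retyped, and the restore refuses to run unless the server really is in DSRM. This is an added example, not code from the Operations Guide; function names are mine, and it assumes that wbadmin prints one "Version identifier: MM/DD/YYYY-HH:MM" line per backup and that a DSRM boot is visible as SAFEBOOT:DSREPAIR in the SystemStartOptions registry value.

```powershell
# Added example; not code from the Operations Guide. Assumptions: wbadmin prints
# 'Version identifier: MM/DD/YYYY-HH:MM' per backup, and a DSRM boot shows as
# SAFEBOOT:DSREPAIR in HKLM\SYSTEM\CurrentControlSet\Control\SystemStartOptions.

function Test-DsrmBoot {
    # The guide requires DSRM; stopping the AD DS service in normal mode is not enough.
    $opts = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control').SystemStartOptions
    return [bool]($opts -match 'SAFEBOOT:DSREPAIR')
}

function Get-BackupVersions {
    param([Parameter(Mandatory = $true)][string]$BackupTarget,   # <targetDrive>: e.g. 'E:'
          [Parameter(Mandatory = $true)][string]$Machine)        # <BackupComputerName>
    $output = wbadmin get versions "-backuptarget:$BackupTarget" "-machine:$Machine"
    if ($LASTEXITCODE -ne 0) { throw "wbadmin get versions failed (exit $LASTEXITCODE)" }
    $versions = @()
    foreach ($line in $output) {
        if ($line -match 'Version identifier:\s*(\d{2}/\d{2}/\d{4}-\d{2}:\d{2})') { $versions += $Matches[1] }
    }
    # Chronological order, so the last element is the newest backup.
    return $versions | Sort-Object { [datetime]::ParseExact($_, 'MM/dd/yyyy-HH:mm', $null) }
}

function Start-NonauthoritativeRestore {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$BackupTarget,
          [Parameter(Mandatory = $true)][string]$Machine,
          [string]$Version,        # MM/DD/YYYY-HH:MM; the newest backup when omitted
          [switch]$AuthSysvol)     # adds -authsysvol: this DC's SYSVOL replicates outward
    if (-not (Test-DsrmBoot)) { throw 'Not booted into DSRM; restart the domain controller in DSRM first.' }
    $versions = @(Get-BackupVersions -BackupTarget $BackupTarget -Machine $Machine)
    if ($versions.Count -eq 0) { throw "No backups of $Machine found on $BackupTarget" }
    if (-not $Version) {
        $Version = $versions[-1]
    } elseif ($versions -notcontains $Version) {
        throw "Version $Version not found; available: $($versions -join ', ')"
    }
    # Step 6 as the guide gives it. -quiet skips the two Y prompts described above,
    # so confirm beforehand that the SYSVOL replication engine (FRS or DFS
    # Replication) has not changed since the backup was taken.
    $wbArgs = @('start', 'systemstaterecovery', "-version:$Version",
                "-backuptarget:$BackupTarget", "-machine:$Machine", '-quiet')
    if ($AuthSysvol) { $wbArgs += '-authsysvol' }
    if ($PSCmdlet.ShouldProcess($Machine, "wbadmin $($wbArgs -join ' ')")) {
        & wbadmin @wbArgs
        if ($LASTEXITCODE -ne 0) { throw "wbadmin start systemstaterecovery failed (exit $LASTEXITCODE)" }
        Write-Host 'Recovery finished. Mark objects for authoritative restore now if needed; otherwise restart normally.'
    }
    return $Version
}

# Dry run first, then restore the newest backup of DC01 from E: (constructed names):
#   Start-NonauthoritativeRestore -BackupTarget 'E:' -Machine 'DC01' -WhatIf
#   Start-NonauthoritativeRestore -BackupTarget 'E:' -Machine 'DC01'
```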

Additional references
• Restart the Domain Controller in Directory Services Restore Mode Locally
• Enable Remote Desktop
• Create a Remote Desktop Connection
• Restart the Domain Controller in Directory Services Restore Mode Remotely
• Performing Authoritative Restore of Active Directory Objects

Verify AD DS restore
After you complete a restore of Active Directory Domain Services (AD DS), you can use this procedure to verify the restore. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To verify an Active Directory restore from backup
1. After the restore operation completes, restart the computer in Start Windows Normally mode. If you used Bcdedit.exe to configure startup in Directory Services Restore Mode (DSRM), see Restart the Domain Controller in Directory Services Restore Mode Remotely or Restart the Domain Controller in Directory Services Restore Mode Locally for information about changing the configuration back to normal startup mode.
2. After you are able to log on to the system, perform the following verification steps:
• At a command prompt, use the repadmin /showsig command to verify that the invocation ID has changed. The invocation ID is the directory database globally unique identifier (GUID), which the Directory System Agent (DSA) uses to identify the version of the database. The invocation ID changes during the Active Directory restore process to ensure the consistency of the replication process. Verify that the previous entry appears in the retired signatures list.
• At a command prompt, use the repadmin /showrepl command to verify that there are no replication errors and all directory partitions are replicating properly with the required replication partners. You can determine the replication partners by selecting the NTDS Settings object for the restored server in Active Directory Sites and Services.
• At a command prompt, use the net share command to verify that the NETLOGON and SYSVOL shares appear.
• At a command prompt, use the dcdiag command to verify success of all tests on the domain controller.
• Use Active Directory Users and Computers to verify that the deleted objects that you wanted to recover from the backup are restored. If you have a Volume Shadow Copy Service (VSS) snapshot of the database, you can use the Active Directory database mounting tool (Dsamain.exe) to mount the database and view it through Active Directory Users and Computers to compare the objects. For information about the Active Directory database mounting tool, see the Step-by-Step Guide for Using the Active Directory Database Mounting Tool in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=103333).
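The command-line checks of step 2 above, run together and reduced to pass/fail results, as an added example that is not part of the Operations Guide. The function name is mine, and the output formats it relies on are assumptions: repadmin /showsig lists retired invocation IDs on lines containing "retired", repadmin /showrepl reports a failing link with "failed", and dcdiag marks a failing test with "failed test <name>".

```powershell
# Added example; not code from the Operations Guide. Run after the normal-mode
# restart. Assumed output formats: 'retired' in repadmin /showsig, 'failed' in
# repadmin /showrepl, 'failed test <name>' in dcdiag.

function Test-AdDsRestore {
    $result = @{}

    # repadmin /showsig: the restore retires the old invocation ID, so at least
    # one retired signature must be listed.
    $sig = repadmin /showsig
    $result.InvocationIdRetired = @($sig | Where-Object { $_ -match 'retired' }).Count -gt 0

    # repadmin /showrepl: every inbound link should report a successful last attempt.
    $repl = repadmin /showrepl
    $result.ReplicationErrors = @($repl | Where-Object { $_ -match 'failed' })
    $result.ReplicationClean = $result.ReplicationErrors.Count -eq 0

    # net share: the domain controller shares must be back.
    $shares = net share
    $result.NetlogonShared = @($shares | Where-Object { $_ -match '^NETLOGON\s' }).Count -gt 0
    $result.SysvolShared   = @($shares | Where-Object { $_ -match '^SYSVOL\s' }).Count -gt 0

    # dcdiag: collect the names of any failing tests.
    $diag = dcdiag
    $result.FailedTests = @($diag | ForEach-Object { if ($_ -match 'failed test (\S+)') { $Matches[1] } })
    $result.DcdiagClean = $result.FailedTests.Count -eq 0

    $result.Passed = $result.InvocationIdRetired -and $result.ReplicationClean -and
                     $result.NetlogonShared -and $result.SysvolShared -and $result.DcdiagClean
    return New-Object PSObject -Property $result
}

# The restored objects themselves are still checked with Active Directory Users
# and Computers (or Dsamain.exe against a snapshot), as the last bullet says.
$r = Test-AdDsRestore
$r | Format-List
if (-not $r.Passed) { exit 1 }
```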

Performing Authoritative Restore of Active Directory Objects
An authoritative restore process returns a designated, deleted Active Directory object or container of objects to its predeletion state at the time when it was backed up. For example, you might have to perform an authoritative restore if an administrator inadvertently deletes an organizational unit (OU) that contains a large number of users. In most cases, there are two parts to the authoritative restore process: a nonauthoritative restore from backup, followed by an authoritative restore of the deleted objects. If you perform a nonauthoritative restore from backup only, the deleted OU is not restored because the restored domain controller is updated after the restore process to the current status of its replication partners, which have deleted the OU. To recover the deleted OU, after you perform nonauthoritative restore from backup and before allowing replication to occur, you must perform an authoritative restore procedure. During the authoritative restore procedure, you mark the OU as authoritative and let the replication process restore it to all the other domain controllers in the domain. After an authoritative restore, you also restore group memberships, if necessary.

Note
If you can isolate a domain controller in the domain that has not received replication of the deletion, the preliminary, nonauthoritative restore from backup is not necessary. For more information, see Recovering deletions without restoring from backup.

You can restore objects in domain directory partitions, application directory partitions, and the configuration directory partition, as follows:
• Domain directory partitions: You must restore the objects on a domain controller in the domain.
• Application directory partitions: You must restore the objects on a domain controller that hosts the application directory partition. If you delete an entire application directory partition, you must restore the domain naming operations master to recover the application directory partition.
• Configuration directory partitions: You can restore objects on any domain controller in the forest.

Note
You can also restore Group Policy objects (GPOs). For information about restoring GPOs, see "Back Up, Restore, Import, and Copy Group Policy Objects" in online Help for the Group Policy Management Console (GPMC).

When an Active Directory object is marked for authoritative restore, its version number is changed so that the number is higher than the existing version number of the deleted object, which replicates as a tombstone in the Active Directory replication system. The change in version number ensures that any object that you restore authoritatively is replicated from the restored domain controller to other domain controllers in the forest, updating the tombstone object to the restored object. An authoritative restore is most commonly used to restore corrupt or deleted objects, often to recover unintentionally deleted user and group objects. An authoritative restore should not be used to restore an entire domain controller, nor should it be used as part of a change-control infrastructure. Proper delegation of administration and change enforcement will help optimize data consistency, integrity, and security.

Determining objects to restore
Before you perform an authoritative restore operation, determine the objects that must be restored. On domain controllers that are running Windows Server 2008, you can use Ntdsutil to take a snapshot of the directory database. A snapshot is a shadow copy, created by the Volume Shadow Copy Service (VSS), of the volumes that contain the Active Directory database and log files. You can use the Active Directory database mounting tool (Dsamain.exe) to mount these database snapshots and view the directory data in a Lightweight Directory Access Protocol (LDAP) tool such as Active Directory Users and Computers, ADSI Edit, or Ldp. The database mounting tool can improve recovery processes by providing a means to compare data as it exists in snapshots or backups that are taken at different times so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple backups to compare the Active Directory data that they contain. When inadvertent deletions or modifications occur, you can use a snapshot to compare the data in the current directory against data in the snapshot. If you take regular snapshots, you can sometimes avoid having to restore AD DS if you can identify the differences in the data and return the affected objects to their correct state. When a recovery operation is required, you can use a database snapshot to assess the differences and determine the objects that you want to authoritatively restore. For information about using VSS shadow copies and the Active Directory database mounting tool, see the Step-by-Step Guide for Using the Active Directory Database Mounting Tool in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkID=103333).

Selecting objects to restore
When you are selecting objects that you want to replicate authoritatively, it is important to select the object that is as low in the directory subtree as possible while still being one that you can use to recover the deleted objects. In this way, you avoid reverting objects back in time that are not related to the deletion. Objects other than the deleted objects might have been modified after the backup was created. When you restore an OU, any changes that are made up to the time that a backup is restored are rolled back to their values at the time of the backup. For any user accounts, computer accounts, and security groups in the restored OU that were not among the deletions being restored, this rollback might mean the loss of the most recent changes to passwords, home directory, profile path, location and container information, group membership, and any security descriptors that are defined on those objects and attributes. For example, if an object with a password, such as a user or computer or trust account, is authoritatively restored, the password value of the restored object reverts to the password value at the time of the backup. In this case, user, computer, and service accounts that have a record of only the current password cannot log on because they have no record of the password that existed when the backup was created. In this way, group membership or other data can also be lost. Updates to the password are blocked because the restored value is authoritative during replication. To minimize the impact of rolling unrelated objects back in time, target as few objects as possible. If you have relatively few deletions to restore, you might be able to restore each object individually. If you have a relatively large number of deleted objects to restore, use the container object that contains most of the deleted objects. Ideally, the container that you restore will contain all the objects that you need to recover.

Selecting application directory partitions to restore
If you are restoring an application directory partition, the selection process is different from the process that you use to select other Active Directory objects. To authoritatively restore an application directory partition, follow the procedures that are provided for this task but use the procedure in Performing Authoritative Restore of an Application Directory Partition to mark the application directory partition as authoritative, and do not perform the procedures for restoring group memberships.

Restoring group memberships after authoritative restore
When a user object is deleted inadvertently, you restore it by marking the user object as authoritative during an authoritative restore procedure. However, depending on the functional level of the forest at the time that any groups to which the user belongs were created (or the forest functional level at the time that the user was added to the group, if they are different), the user's group memberships might not be restored in the process. This condition is multiplied by hundreds or thousands of users when an OU is deleted. In this case, additional steps are required to restore the group memberships of user accounts that you restore.

LVR and restoration of group memberships
Restoration of group memberships for security principals that are deleted and restored authoritatively differs, depending on whether the group was created (or its membership was updated) before or after the implementation of Windows Server 2003 functionality called linked-value replication (LVR). LVR is a feature that is available when the forest has a functional level of at least Windows Server 2003 interim or Windows Server 2003. In groups that are created before LVR is in effect, the member attribute of a group object is replicated as a single value. Therefore, any change to the group's membership results in replication of the entire member attribute. In groups that are created after LVR is in effect, or in groups that are created before LVR but that are updated after LVR is in effect, updates to the member attribute of a group object are replicated separately. In this case, group memberships are restored when you use the Ntdsutil command-line tool to authoritatively restore a user, group, or computer object.

Important
The memberOf attribute (or any back-link attribute) exists only because of its link to the member attribute (or any corresponding forward-link attribute). The back-link is generated only when it is accessed, and it is not replicated. Only the forward-link attribute value can be updated and replicated. For this reason, restoring the membership on a user object necessarily involves updating the member attribute on the group object to include the distinguished name of the restored user.

When you use the Ntdsutil command-line tool to authoritatively restore a subtree or a single object, the ability of Ntdsutil to automatically restore the group memberships of an object that is authoritatively restored depends on whether the group was created before or after LVR was implemented. For example, if a user object is restored and the user belongs to group G1 that was created before LVR was implemented and the user belongs to group G2 that was created after LVR was implemented (that is, after the functional level of the forest was raised to Windows Server 2003 interim or Windows Server 2003), the member attribute of G2 is updated during authoritative restore (and, therefore, the memberOf attribute of the restored user is updated), but the member attribute of G1 is not updated.

Note
Although Ntdsutil restores back-links for LVR groups, replication order can result in the memberships being dropped. For more information, see Performing Authoritative Restore of Active Directory Objects.

Authoritative restore of pre-LVR group memberships and groups in different domains
The version of Ntdsutil that is included with Windows Server 2003 Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), Windows Server 2003 R2, and Windows Server 2008 provides the ability to also restore the memberships of groups that were created before LVR was implemented and in groups that can have members from other domains. Ntdsutil creates a text file that identifies the authoritatively restored objects. In addition, Ntdsutil creates an LDAP Data Interchange Format (LDIF) file (.ldf) that identifies restored objects that have back-links. You can use the .ldf file to regenerate memberOf back-links on restored security principal objects (users, groups, and computers) in a forest where LVR was not in effect when the groups that are identified in the memberOf back-links were created. To restore group memberships in groups that are stored in other domains (that is, for universal group or domain local group memberships), additional steps are required. Use the .txt file that Ntdsutil generates during authoritative restore to generate an .ldf file in each additional domain that has groups in which restored security principals have memberships. The updates to Ntdsutil that generate files that you can use to recover group memberships for pre-LVR groups and groups in other domains were introduced in Windows Server 2003 with SP1. The steps that you perform are different if you are restoring the objects on a domain controller that is running an earlier version of Windows Server. If you are performing authoritative restore in a pre-Windows Server 2003 SP1 environment, see "Procedures for Domain Controllers Running Windows Server 2003 with No Service Pack Installed" in Performing an Authoritative Restore of Active Directory Objects (http:33go&microsoft&com3f%lin03P+in0'dQ:88:A).

Files for recovering group memberships following authoritative restore
When you perform authoritative restore, Ntdsutil creates the following files that are used to recover group memberships:
• ar_YYYYMMDD-HHMMSS_links_Domain.ldf, which is an LDIF file that is generated for the domain in which you perform the authoritative restore procedure. This file contains back-link information for the restored objects. If you perform the procedure on a global catalog server, a separate .ldf file is created for each domain in the forest. You can use this file with the Ldifde.exe command-line tool to import the back-links to recover universal and global group memberships in environments that include pre-LVR groups. For environments that do not include pre-LVR groups, the Ntdsutil tool recovers group memberships automatically in the recovery domain and in the forest (for universal groups) if the recovery domain controller is a global catalog server. If the restore includes security principals that can have memberships in domain local groups in other domains, you use the ar_YYYYMMDD-HHMMSS_objects.txt text file that is generated during authoritative restore to create an .ldf file to restore the memberships in each additional domain.
• ar_YYYYMMDD-HHMMSS_objects.txt, which is a text file that contains a list of the authoritatively restored objects. This file is generated for each individual object or container that you mark as authoritative. You can use this file to generate an .ldf file that you can use to recover memberships in domain local groups and universal groups (if you are not restoring a global catalog server) in other domains. This file is created on any domain controller that you authoritatively restore. Global catalog servers do not store the member attribute of domain local groups. Therefore, even if you perform the restore on a global catalog server, you must always use this file to generate an .ldf file in any domain where there are domain local groups of which restored security principals might be members. You must create a separate .ldf file for each object or container that you mark as authoritative.

Note
Although group memberships are restored automatically when you use Ntdsutil to recover membership in LVR groups, it is best to process the .ldf files to ensure recovery. In some cases, replication order can result in lost memberships. For more information, see Known Issues for Authoritative Restore.

Using a global catalog server for authoritative restore
If possible, perform the authoritative restore on a global catalog server in the domain where the objects were deleted to recover security principals and group memberships. Global catalog servers store a single, writable domain and a partial, read-only replica of all other domains in the forest. A partial replica means that the global catalog stores all objects, but with a limited set of attributes on each object. Check the properties of the NTDS Settings object of the server object in Active Directory Sites and Services to determine that a domain controller is a global catalog server.

Global catalog and group memberships
In relation to the three types of security groups (global groups, domain local groups, and universal groups), global catalog servers are best suited for recovering group memberships after an authoritative restore procedure because they store memberships of all universal groups in the forest and all global groups in the domain. Security group memberships are restored on a global catalog server as follows:
• Global groups: Security principals (users, groups, and computers) can be members of only the global groups that are created in the same domain. Global catalog servers store a writable domain directory partition. Therefore, they can restore global group memberships for the recovery domain.
• Universal groups: Security principals can be members of universal groups that are created in any domain. However, the member attribute is among the attributes that are stored on the read-only universal group objects in the global catalog. Therefore, a global catalog server can recover universal group memberships for all domains in the forest. A domain controller that is not a global catalog server stores only universal group objects that are created in its own domain.
• Domain local groups: Security principals can be members of domain local groups that are created in any domain. Memberships in domain local groups in the recovery domain are restored automatically during authoritative restore. However, the global catalog does not store the member attribute for read-only domain local group objects. Therefore, for restored security principals that have memberships in domain local groups in other domains, you must recover these memberships by performing follow-up procedures in each additional domain.

Recovering deletions without restoring from backup
If you can isolate a global catalog server (or any domain controller, but preferably a global catalog server) in the domain where the deletion occurred before the server receives replication of the deletion, you might be able to avoid performing a preliminary restore from backup (nonauthoritative restore) and having to extend the restore process to other domains. Use the repadmin /showrepl command to determine the date and time of the latest inbound replication of the domain directory partition where the deletions occurred. Global catalog servers often have greater replication latency than ordinary domain controllers, and they are better restore candidates in general because they store universal group memberships. If you can stop inbound replication on a latent global catalog server, you can perform an authoritative restore on the global catalog server to recover the deleted memberships for all groups in the domain and for all universal groups in other domains. If you want to use a latent global catalog server for restoring deleted objects, you must take steps to stop inbound replication immediately. You can use one of the following methods to stop replication:
• Use the Services snap-in to stop AD DS. In this case, other services continue to operate.
• Take the global catalog service offline by restarting it in Directory Services Restore Mode (DSRM). In this case, all other directory-related services are stopped in addition to AD DS.
• Use Repadmin.exe to stop inbound replication. In this case, the domain controller continues to operate but does not receive replication updates.


Retention (merge) of new group memberships or other attributes after authoritative restore
The authoritative restore procedure results in a merge of authoritatively restored objects and attributes and existing objects and attributes. For example, do not expect that users that have been added to a group (after the backup that is used to restore the deleted group) will be removed by an authoritative restore of the group object. Instead, new attributes of objects that are specified in the authoritative restore are preserved during replication. Therefore, authoritative restore does not remove group memberships that were added between the time of the backup that is used for authoritative restore and the time of the restore procedure. Objects and attributes are preserved during authoritative restore as follows:
• If an object exists in the backup, before inbound replication the post-restore directory partition contains the version of the object that exists in the restored backup.
• If an object was created after the backup was made and there are additional domain controllers that store the directory partition, after inbound replication the restored directory partition also includes the set of objects that were created after the backup.
• If an object contains new attributes that are not contained in the backup but that exist in the directory partition of an additional domain controller in the domain at the time of the restore, after inbound replication the version of the object and attributes as they existed in the backup, plus any new attributes that were added to the object after the backup, are preserved.
Authoritative restore affects only the objects and attributes that existed at the time of the backup. This functionality applies to objects with linked attributes and nonlinked attributes alike. For example, if you are restoring an object that has attribute A and attribute B in the backup version and has attributes A′, B′, and C in the current directory, attribute C is retained after authoritative restore. Therefore, a group object that has the member value of User1 in the backup and has both User1 and User2 in the current directory includes both of those memberships after authoritative restore of the group object. Any post-backup memberOf or member attribute values that were added to a user or group, respectively, are not affected by replication updates after the restore procedure. If you want to remove group memberships, or any other unwanted object attribute, complete the following steps:
1. Delete the object whose updates you do not want to retain.
2. Allow the deletion to replicate throughout the forest.
3. Back up a domain controller that has received the deletion.
4. Authoritatively restore the object that you deleted from the backup that does not contain the unwanted values.
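The merge rule above, as an added example in Python that is not part of the guide: a model of what an object looks like once an authoritative restore has replicated into a domain that already holds a newer copy. Restored values come from the backup and win over later edits, values that exist only in the current directory (attribute C, the User2 membership) survive, and a linked attribute such as member is merged value by value. The attribute names and distinguished names below are constructed for the sample; the rule that a re-stamped non-linked attribute returns to its backup value (A′ back to A) is my reading of the paragraph, not a sentence from it.

```python
"""Added example (mine, not the guide's): a model of the merge semantics of
authoritative restore.  Linked attributes (member) merge per value; a non-linked
attribute that existed in the backup is re-stamped as a whole and therefore
returns to its backup value; attributes added after the backup are kept."""
from typing import Any, Dict

# Forward-link attributes whose values replicate individually under LVR.
LINKED_ATTRIBUTES = {"member"}

# Constructed sample: the group as it was in the backup ...
USER1 = "CN=User1,OU=Sales,DC=corp,DC=example,DC=com"
USER2 = "CN=User2,OU=Sales,DC=corp,DC=example,DC=com"
BACKUP_GROUP: Dict[str, Any] = {"description": "A", "title": "B", "member": {USER1}}
# ... and as the rest of the domain holds it at restore time (A', B', new C, new member).
CURRENT_GROUP: Dict[str, Any] = {"description": "A-prime", "title": "B-prime",
                                 "info": "C", "member": {USER1, USER2}}


def authoritative_merge(backup: Dict[str, Any], current: Dict[str, Any]) -> Dict[str, Any]:
    """Return the object as the domain holds it once the restore has replicated.
    `backup` is the object as stamped authoritative; `current` is the copy the
    other domain controllers hold (an empty dict if the object is deleted
    everywhere, which is the state after the four-step removal procedure)."""
    merged: Dict[str, Any] = {}
    for attr in set(backup) | set(current):
        if attr in LINKED_ATTRIBUTES:
            # Each link value carries its own version: restored values are
            # re-added and post-backup values were never touched, so both stay.
            merged[attr] = set(backup.get(attr, ())) | set(current.get(attr, ()))
        elif attr in backup:
            # A non-linked attribute is re-stamped as a whole, so the backup
            # value replaces what was written after the backup (A' -> A).
            merged[attr] = backup[attr]
        else:
            # Exists only after the backup: outside the restore, kept as is.
            merged[attr] = current[attr]
    return merged


def demo() -> Dict[str, Any]:
    """The worked case from the text: A/B restored, C kept, User1 and User2 both members."""
    return authoritative_merge(BACKUP_GROUP, CURRENT_GROUP)


if __name__ == "__main__":
    print(demo())
    # After the unwanted values have been deleted and the deletion has replicated,
    # there is nothing left to merge with, so a clean backup restores exactly.
    print(authoritative_merge(BACKUP_GROUP, {}))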

Authoritative restore procedures
Procedures for this task restore deleted objects and back-links for the restored objects in the domain of the deletions. If you are restoring security principals that might belong to groups in more than one domain or if you are restoring other objects that have back-links to objects in another domain, additional steps are required.

Task requirements
The following tools are required to perform the procedures for this task:
• Repadmin.exe
• Remote Desktop Connection (optional)
• Bcdedit.exe (optional)
• Ntdsutil.exe

To complete this task, perform procedures according to the conditions in your environment:
• Procedures for restoring after deletions have replicated
• Procedures for restoring before deletions have replicated
• Procedures for recovering group memberships (and any other back-link attributes) in other domains

Procedures for restoring after deletions have replicated
If you are performing authoritative restore on a domain controller that has already received replication of the deletions, perform the following procedures on the recovery domain controller:
1. If you do not have a current backup of the recovery domain controller, Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin). You can use this backup if your recovery is not successful and then try again.
2. Restart the Domain Controller in Directory Services Restore Mode Locally or Restart the Domain Controller in Directory Services Restore Mode Remotely. Restore from backup requires restarting the domain controller in DSRM. Taking the domain controller offline by stopping AD DS is not sufficient to run Ntdsutil procedures to restore from backup.
3. Restore AD DS from Backup (Nonauthoritative Restore). Use this procedure to return the domain controller to its state at the time of the backup so that any groups that are being restored, or whose members are being restored, are present in the directory with their predeletion membership intact. When Ntdsutil.exe generates the .ldf file during authoritative restore, it searches for member attributes that refer to objects that are contained in the text file, which contains the objects that are marked for authoritative restore. To ensure that replication does not occur, do not restart the domain controller after the restore procedure.
4. Mark an Object or Objects as Authoritative. Mark the object or objects that you want to restore so that replication does not overwrite them when you restart the domain controller.
5. Restart the domain controller normally.
6. Synchronize Replication with All Partners. For the newly restored object to become available and be instantiated in its restored form on all domain controllers, successful outbound replication must occur from the domain controller that originates the restored changes to its partners. Make sure that all domain controllers in the domain and all global catalog servers in the forest have received the restored objects.
7. Run an LDIF File to Recover Back-Links in this domain. This procedure updates the group memberships of a restored security principal object or container of objects in the recovery domain. Perform this procedure for each individual object or container that you marked as authoritative.
8. If the .ldf file shows back-links for objects in other domains, perform the procedures in Procedures for recovering group memberships (and any other back-link attributes) in other domains.

Procedures for restoring before deletions have replicated
If you have identified a global catalog server or other domain controller that has not received replication of the deletions and for which you have a recent backup, you do not have to perform a preliminary restore from backup. You do not have to perform the authoritative restore procedure in DSRM. Instead, you can stop the AD DS service. Perform the following procedures on the recovery domain controller:
1. Turn Off Inbound Replication. Leave inbound replication turned off until you have finished marking objects that you want to replicate authoritatively.
2. If you do not have a current backup of the recovery domain controller, Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin). You can use this backup if your recovery is not successful and then try again.
3. Use the Services snap-in to stop AD DS.
4. Mark an Object or Objects as Authoritative. Mark the object or objects that you want to restore so that replication does not overwrite them when you restart the domain controller.
5. Use the Services snap-in to restart AD DS.
6. Synchronize Replication with All Partners. For the authoritatively marked objects to become available and be instantiated on all domain controllers, successful outbound replication must occur from the domain controller that originates the authoritative changes to its partners. Make sure that all domain controllers in the domain and all global catalog servers in the forest have received replication of the authoritative objects.
7. Run an LDIF File to Recover Back-Links in this domain. This procedure updates the group memberships of a restored security principal object or a container of objects in the recovery domain. Perform this procedure for each individual object or container that you marked as authoritative.
8. Turn on Inbound Replication.
9. Back up the recovered domain controller. See Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin) (http:33go&microsoft&com3f%lin03P+in0'dQ66878<) or Perform a Backup of Critical Volumes of a Domain Controller by Using the GUI (Windows Server Backup) (http://go.microsoft.com/fwlink/?LinkId=116312).
10. If the .ldf file shows back-links for objects in other domains, complete the procedures in Procedures for recovering group memberships (and any other back-link attributes) in other domains.

Procedures for recovering group memberships (and any other back-link attributes) in other domains
You can recover group memberships in other domains either by adding the members manually to the respective groups or by using the text file from the original authoritative restore procedure to generate one or more .ldf files that you can use to recover back-links in other domains. Be aware that restored objects might have back-links other than group memberships. If you have restored security principal objects or other objects that have back-link attributes in a forest that has more than one domain and you do not want to restore the back-links manually, perform the following steps on a domain controller in each additional domain:

Note
For restored security principals, these steps are required only if the restored security principals have memberships in domain local or universal groups in a different domain from the recovery domain. If you restored the security principals on a global catalog server, you need to recover only domain local group memberships in other domains. In some cases, these accounts might be few enough that you can manually recreate the memberships instead of following these procedures.

1. Restart the Domain Controller in Directory Services Restore Mode Locally or Restart the Domain Controller in Directory Services Restore Mode Remotely.
2. Restore AD DS from Backup (Nonauthoritative Restore). When the group members were deleted, the member attribute (forward link) on any group of which they were members was removed from the group object. This procedure is required to restore the member attribute on group objects for those group members that were deleted. This attribute is required to regenerate the memberOf attribute value on the restored group members.
3. While still in DSRM, use Ntdsutil to Create an LDIF File for Recovering Back-Links for Authoritatively Restored Objects. In this procedure, you must specify the location of the .txt file that was generated by Ntdsutil during the authoritative restore procedure.
4. Restart the domain controller normally.
5. Run an LDIF File to Recover Back-Links in this domain on a domain controller other than the domain controller that you restored from backup and on which you created the LDIF file. Because you have just restored the domain controller on which you created the LDIF file from backup, perform this procedure on a different domain controller to be sure that the group objects you update are current. This procedure updates the group memberships of a restored security principal object or container of objects. Perform this procedure for each individual object or container that you marked as authoritative.

Additional references
• Known Issues for Authoritative Restore
• Best Practices for Authoritative Restore

(nown Issues for Authoritative 4estore
Review the following known issues before you perform an authoritative restore on domain controllers running Windows Server 2008 in forests that have the forest functional level of Windows Server 2003, Windows Server 2003 interim, or Windows Server 2008:
• Order of replication and dropped group memberships
• Members added back to groups from which they were deleted
• Incorrect assignment of Exchange mailboxes

Order of replication and dropped group memberships
When groups that are being restored were created or updated when the forest had a forest functional level of Windows Server 2003, Windows Server 2003 interim, or Windows Server 2008 (that is, when linked-value replication (LVR) was in effect), the version of Ntdsutil on domain controllers that are running Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), Windows Server 2003 R2, or Windows Server 2008 automatically restores group memberships during the authoritative restore procedure by restoring back-links to group objects. To restore back-links for pre-LVR groups, Ntdsutil generates an LDAP Data Interchange Format (LDIF) file (.ldf) that you must process by using the Ldifde.exe tool to manually restore the back-link values. However, of particular importance where group memberships are concerned, the order of replication can undo the benefits of authoritative restore in some cases. For this reason, we recommend always processing the .ldf file that is produced by Ntdsutil during authoritative restore to update group memberships, even if the group or groups being restored were created or updated when LVR was in effect. For information about LVR and its effects on the authoritative restore process, see Performing Authoritative Restore of Active Directory Objects.

Updated, authoritatively marked objects replicate in a "store-and-forward" manner that might lead to the objects being received on one domain controller and forwarded to one or more other domain controllers. Regardless of the order in which replication is initiated, the order in which replicated updates are received cannot be guaranteed. For this reason, it is possible for authoritatively restored group objects to replicate ahead of authoritatively restored objects that are group members, which can result in dropped memberships. For example, suppose Group A and its member User X are both deleted. And suppose User X and Group A are authoritatively restored and, during the authoritative restore procedure, Ntdsutil updates the member attribute of Group A to include authoritatively restored User X, and the memberOf attribute of User X to include Group A. If replication of Group A is received before replication of User X, User X is currently a deleted object on the recipient domain controller. In this case, the User X link value is dropped from the member attribute of Group A. When replication of the authoritatively restored User X is received, perhaps only seconds later, the member attribute of the group is not updated. If replication of User X is received before Group A, the membership on Group A is retained. Use the following steps to ensure that group memberships for authoritatively restored groups and their restored members are always retained during replication after authoritative restore:
1. Ensure that all authoritatively restored objects have replicated and exist on all domain controllers in the domain.
2. Run the .ldf file on the recovery domain controller.
3. Force replication on the recovery domain controller.
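The files described under "Files for recovering group memberships following authoritative restore", the other-domain procedure that derives an .ldf from the objects .txt list, and the dropped-link failure described just above, worked through as one added Python example. This is my own model, not Ntdsutil's or Ldifde's code: it reads a constructed objects .txt as one distinguished name per line, builds an LDIF of `changetype: modify` / `add: member` records for every group whose forward link references a restored object, and then imports that LDIF into a domain controller's view of the groups, where a member value whose target has not yet replicated in is dropped. The DNs, group names and file contents are constructed for the sample.

```python
"""Added example, not Ntdsutil's or Ldifde's own code: a model of the
ar_*_objects.txt list, the ar_*_links_*.ldf file derived from it, and why the
.ldf must be processed (again) only after every restored object has replicated.
Assumptions that are mine: the objects .txt is read as one DN per line, and the
.ldf consists of plain LDIF 'changetype: modify' / 'add: member' records."""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed DNs for the sample.
ALICE = "CN=Alice,OU=Sales,DC=corp,DC=example,DC=com"
BOB = "CN=Bob,OU=Sales,DC=corp,DC=example,DC=com"
CAROL = "CN=Carol,OU=Sales,DC=corp,DC=example,DC=com"
SALES = "CN=SalesStaff,OU=Groups,DC=corp,DC=example,DC=com"
AUDIT = "CN=Auditors,OU=Groups,DC=corp,DC=example,DC=com"

# Constructed content of ar_YYYYMMDD-HHMMSS_objects.txt: the DNs marked authoritative.
OBJECTS_TXT = f"{ALICE}\n{BOB}\n"

# Constructed view of the group objects as the nonauthoritative restore brings
# them back: the backup predates the deletion, so the forward link (member)
# still references Alice and Bob.  Carol was never deleted.
BACKUP_GROUPS: Dict[str, Set[str]] = {
    SALES: {ALICE, BOB, CAROL},
    AUDIT: {ALICE},
}


def parse_objects_txt(text: str) -> List[str]:
    """Return the restored DNs listed in the objects .txt file (blank lines skipped)."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def build_links_ldif(restored: Iterable[str], groups: Dict[str, Set[str]]) -> str:
    """Emit one LDIF modify record per group whose member attribute references a
    restored object.  Only the forward link is written: memberOf is a back-link
    that the DC computes on access and never replicates."""
    wanted = set(restored)
    records = []
    for group_dn in sorted(groups):
        hits = sorted(groups[group_dn] & wanted)
        if not hits:
            continue
        lines = [f"dn: {group_dn}", "changetype: modify", "add: member"]
        lines += [f"member: {dn}" for dn in hits]
        lines.append("-")
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


def parse_ldif_modify(ldif: str) -> List[Tuple[str, List[str]]]:
    """Parse records produced by build_links_ldif into (group_dn, [member_dn, ...])."""
    parsed = []
    for record in ldif.strip().split("\n\n"):
        dn, members = None, []
        for line in record.splitlines():
            if line.startswith("dn: "):
                dn = line[len("dn: "):]
            elif line.startswith("member: "):
                members.append(line[len("member: "):])
        if dn is not None:
            parsed.append((dn, members))
    return parsed


def apply_links(ldif: str, groups: Dict[str, Set[str]],
                live_objects: Set[str]) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Apply the .ldf to one DC's copy of the groups.  A member value whose
    target DN is not a live object on that DC (its restore has not replicated
    in yet, so it is still a deleted object there) cannot be linked and is
    dropped, which is the failure the guide describes for replication order.
    The dropped DNs are returned so the import can be repeated later."""
    updated = {g: set(m) for g, m in groups.items()}
    dropped: List[str] = []
    for group_dn, members in parse_ldif_modify(ldif):
        for dn in members:
            if dn in live_objects:
                updated.setdefault(group_dn, set()).add(dn)
            else:
                dropped.append(dn)
    return updated, dropped


def demo() -> Tuple[List[str], List[str]]:
    """Build the .ldf, import it on a DC where Bob's restore has not arrived
    yet (Bob is dropped), then import again once it has (nothing dropped)."""
    ldif = build_links_ldif(parse_objects_txt(OBJECTS_TXT), BACKUP_GROUPS)
    # Recipient DC: the deletion already replicated here, so the links are gone.
    dc_groups = {SALES: {CAROL}, AUDIT: set()}
    first, dropped_first = apply_links(ldif, dc_groups, {CAROL, ALICE})
    second, dropped_second = apply_links(ldif, first, {CAROL, ALICE, BOB})
    return dropped_first, dropped_second


if __name__ == "__main__":
    print(build_links_ldif(parse_objects_txt(OBJECTS_TXT), BACKUP_GROUPS))
    print(demo())
```

On a real domain controller the import step is the guide's "Run an LDIF File to Recover Back-Links" procedure, performed with Ldifde in import mode (the -i, -k and -f switches: import, ignore constraint and already-exists errors, and file name). The second `apply_links` call in `demo` is the point of the three steps above: running the same .ldf again after all restored objects exist everywhere re-adds the link that the first pass had to drop, and values that already exist are simply skipped, so repeating the import is safe.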

Members added back to groups from which they were deleted
To recover memberships in groups in the recovery domain and in other domains in which a restored security principal might have group memberships, you process an .ldf file to restore the memberships. It is possible for the .ldf file to include memberships in groups from which a restored user object was removed before the backup that is used for the preliminary nonauthoritative restore. In this case, after authoritative restore, a user might have membership in a group from which the user was formerly removed. For more information, see article ?86720 in the Microsoft Knowledge Base (http:33go&microsoft&com3f%lin03P+in0'dQ622:8:).

Incorrect assignment of Exchange mailboxes
Authoritative restore of deleted user accounts that have mailboxes in Microsoft Exchange 2003 can result in incorrect mailbox assignments after replication. For information about avoiding this issue, see article ?A8??< in the Microsoft Knowledge Base (http:33go&microsoft&com3f%lin03P+in0'dQ66:2<8).


Best Practices for Authoritative Restore
The following best practices are provided to ensure successful recovery of the data that is being restored. Group membership is particularly sensitive. It can be affected greatly by the procedures that you follow during an authoritative restore. The following best practices help ensure successful recovery of data when you use them to perform authoritative restore:
• Restore a latent domain controller. If possible, find a domain controller (preferably a global catalog server) that has not received replication of the deleted objects, and perform authoritative restore on that domain controller. In this case, you do not have to perform a preliminary nonauthoritative restore from backup.
• Restore a global catalog server. Attempt to find a global catalog server to use as the recovery domain controller. Only a global catalog server can recover universal group memberships for other domains. If you cannot find a latent global catalog server or other domain controller in the domain where the deletion occurred, find the most recent system state or critical-volume backup of a global catalog server in that domain. Use this global catalog server as the recovery domain controller. In addition, locate the most recent backup of a non-global-catalog domain controller.
• Stop changes to groups. Stop making changes to security groups in the forest if all of the following statements are true:
  • You are restoring individual, deleted user or computer accounts by their distinguished name (DN) paths.
  • You are restoring a domain controller that has not received replication of the deletions.
  • You are not restoring security groups or their parent containers.
• Keep users and administrators informed. If you are restoring security groups or organizational unit (OU) containers that host security groups or user accounts, notify users, administrators, and help desk administrators in the domain of the deletions, and in any other domains that might have group memberships for the deleted accounts, to temporarily stop all changes to these objects.
• Create a preliminary backup. If system state or critical-volume backup is not current up to the point of the deletion, before you perform authoritative restore, create a new system state or critical-volume backup in the domain of the deletions. You can use this backup if you need to roll back your changes.
• Select objects as low as possible in the directory tree. When you are selecting objects to mark for authoritative restore, find the lowest possible container or set of objects to restore so that you do not roll back objects unnecessarily. For more information, see Performing Authoritative Restore of Active Directory Objects.
• Process the .ldf file after replication. After the authoritatively restored objects have replicated to all domain controllers in the domain, always use the Ldifde.exe tool to process the .ldf file that is generated by Ntdsutil. Even when memberships are being restored automatically by Ntdsutil for groups that use linked-value replication (LVR), processing the .ldf file ensures that memberships are retained when replicated. For more information about the effect of replication order on group memberships following authoritative restore, see Known Issues for Authoritative Restore.

Note
It is possible for the .ldf file to contain memberships in groups from which the restored security principal was removed before backup. For more information, see Known Issues for Authoritative Restore.

• Perform follow-up steps. After the authoritative restore procedure is complete, perform the following steps:
  a. Verify group memberships in the domain of the recovery domain controller and on a global catalog server in every other domain.
  b. Create a new system state or critical-volumes backup in the recovery domain.
  c. Notify users, administrators, and help desk administrators that they can resume making changes.
  d. Instruct help desk administrators to reset the passwords of restored user accounts and computer accounts whose domain passwords changed after the restored backup was created.

Restart the Domain Controller in Directory Services Restore Mode Locally
If you have physical access to a domain controller, you can restart the domain controller in Directory Services Restore Mode (DSRM) locally. Restarting in DSRM takes the domain controller offline. In this mode, the server is functioning as a member server, not as a domain controller. During installation of Active Directory Domain Services (AD DS), you set the Administrator password for logging on to the server in DSRM. When you start Windows Server 2008 in DSRM, you must log on by using this DSRM password for the local Administrator account.

Note
By default, you must start a domain controller in DSRM to log on by using the DSRM Administrator account. However, on domain controllers that are running Windows Server 2008, you can change this behavior by modifying the DSRMAdminLogonBehavior registry entry. By changing the value for this entry, you can configure a domain controller so that you can log on to it with the DSRM Administrator account if the domain controller was started normally but the AD DS service is stopped for some reason. For more information about changing this registry entry, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http:33go&microsoft&com3f%lin03P+in0'dQ88:A?).

You can restart a domain controller in DSRM manually by pressing the F8 key during domain controller startup, which requires watching the startup and waiting for the appropriate point in the startup to press the key. This method is tedious and can waste time if you miss the brief window of opportunity for selecting the restart mode. On domain controllers that are running Windows Server 2008, tools are available that replace the Boot.ini file that is used in earlier versions of Windows Server to modify the boot configuration parameters and controls. You can use the Windows graphical user interface (GUI) or the command line to restart the domain controller in DSRM:
• Windows GUI: System Configuration (Msconfig.msc) is an administrative tool that you can use to configure boot and startup options, including restarting in DSRM and normal mode.
• Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot configuration on a server that is running Windows Server 2008. You can use Bcdedit with shutdown commands to instruct the domain controller to restart in DSRM and to restart normally.
When you are finished managing a domain controller in DSRM, if you have used System Configuration or Bcdedit.exe to restart the domain controller in DSRM, you must change the configuration so that the domain controller restarts in normal mode.

Note
A benefit of using System Configuration or Bcdedit.exe for implementing restart of a domain controller into DSRM is that normally the domain controller cannot be inadvertently restarted. This benefit is particularly useful when you are performing a nonauthoritative restore from backup followed by an authoritative restore.

You can also use System Configuration or Bcdedit.exe to restart a domain controller in DSRM remotely. To use System Configuration or Bcdedit.exe and Remote Desktop Connection to restart a domain controller in DSRM remotely, see Restart the Domain Controller in Directory Services Restore Mode Remotely.

Membership in the Domain Admins group is the minimum required to complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM is required to log on to the domain controller in DSRM. Review details about using the appropriate accounts and group memberships at http:33go&microsoft&com3f%lin03P+in0'dQ87A<<.

Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http:33go&microsoft&com3f%lin03P+in0'dQ?2<28).

28?

Restarting the domain controller in DSRM locally

You can use either of the following methods to restart the domain controller in DSRM:

To restart a domain controller in DSRM locally by using the Windows GUI
1. On the Start menu, point to Administrative Tools, and then click System Configuration.
2. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK.
3. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM.
4. Perform procedures in DSRM.
5. When you have finished performing procedures in DSRM, restart the domain controller normally:
   a. On the Start menu, point to Administrative Tools, and then click System Configuration.
   b. On the General tab, in Startup selection, click Normal startup, and then click OK.
   The domain controller restarts normally.

To restart a domain controller in DSRM locally by using the command line
1. Click Start, click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, and then click OK.
2. At the command prompt, type the following command, and then press ENTER:

bcdedit /set safeboot dsrepair

3. At the command prompt, type the following command, and then press ENTER:

shutdown -t 0 -r

4. When you are still in DSRM and you are ready to restart in normal mode, open a command prompt and type the following, and then press ENTER:

bcdedit /deletevalue safeboot

5. At the command prompt, type the following command, and then press ENTER:

shutdown -t 0 -r

Value                      Description
/set safeboot dsrepair     Configures the boot process to start in DSRM.
shutdown -t 0 -r           Shuts down the server and restarts it.
/deletevalue safeboot      Returns the boot process to the previous setting.

See Also
Restart the Domain Controller in Directory Services Restore Mode Remotely
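The command-line procedure above leaves the server with a boot flag that must be removed before it is left unattended. The following PowerShell is an added example, not code from the guide or from Microsoft: it wraps the same bcdedit and shutdown commands in functions and adds a read-only check of the current boot entry so that the DSRM flag cannot be left set by accident. It assumes an elevated prompt on the domain controller itself (an RDP session works the same way) and that bcdedit.exe and shutdown.exe are on the path; the function names are the example's own.

```powershell
# Added example, not part of the guide: the bcdedit/shutdown steps above as
# PowerShell functions, plus a read-only check so the DSRM flag is never left
# set by accident. Assumes an elevated prompt on the domain controller.

function Get-DsrmBootFlag {
    # $true when the current boot entry has "safeboot DsRepair", i.e. the next
    # restart lands in DSRM instead of normal mode. Read-only: nothing is changed.
    $entry = & bcdedit.exe /enum '{current}' 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /enum failed: $($entry -join ' ')" }
    return [bool]($entry -match '^\s*safeboot\s+DsRepair\s*$')
}

function Enter-DsrmOnNextRestart {
    # Equivalent of step 2 (bcdedit /set safeboot dsrepair); -RestartNow adds step 3.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$RestartNow)
    if ($PSCmdlet.ShouldProcess('{current}', 'bcdedit /set safeboot dsrepair')) {
        & bcdedit.exe /set '{current}' safeboot dsrepair | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'bcdedit /set safeboot dsrepair failed' }
        if (-not (Get-DsrmBootFlag)) { throw 'safeboot flag not present after /set' }
        if ($RestartNow) { & shutdown.exe -t 0 -r }
    }
}

function Exit-DsrmOnNextRestart {
    # Equivalent of step 4 (bcdedit /deletevalue safeboot); -RestartNow adds step 5.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$RestartNow)
    if ($PSCmdlet.ShouldProcess('{current}', 'bcdedit /deletevalue safeboot')) {
        & bcdedit.exe /deletevalue '{current}' safeboot | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'bcdedit /deletevalue safeboot failed' }
        if (Get-DsrmBootFlag) { throw 'safeboot flag still present after /deletevalue' }
        if ($RestartNow) { & shutdown.exe -t 0 -r }
    }
}

# Before you leave the server (or close the RDP session), confirm the flag is gone:
if (Get-DsrmBootFlag) { Write-Warning 'This domain controller will boot into DSRM on its next restart.' }
```

Both state-changing functions support -WhatIf through ShouldProcess, so `Enter-DsrmOnNextRestart -WhatIf` shows what would happen without touching the boot configuration. The last line is the check worth running at the end of any DSRM session: a domain controller that still has the flag set will come back as a member server, not as a domain controller, the next time it restarts for any reason.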

Restart the Domain Controller in Directory Services Restore Mode Remotely

If you have remote access to a domain controller, you can restart the domain controller in Directory Services Restore Mode (DSRM) remotely. Remote access requires the user right to log on locally to a domain controller. Restarting in DSRM takes the domain controller offline. In this mode, the server is functioning as a member server, not a domain controller. During installation of Active Directory Domain Services (AD DS), you set the Administrator password for logging on to the server in DSRM. When you start Windows Server 2008 in DSRM, you must log on by using this DSRM password for the local Administrator account.

Note
By default, you must start a domain controller in DSRM to log on by using the DSRM Administrator account. However, on domain controllers that are running Windows Server 2008, you can change this behavior by modifying the DSRMAdminLogonBehavior registry entry. By changing the value for this entry, you can configure a domain controller so that you can log on to it with the DSRM Administrator account if the domain controller was started normally but the AD DS service is stopped for some reason. For more information about changing this registry entry, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=55649).

On domain controllers that are running Windows Server 2008, tools are available that replace the Boot.ini file that is used in earlier versions of Windows Server to modify the boot configuration parameters and controls. You can use the Windows graphical user interface (GUI) or the command line to restart the domain controller in DSRM:

• Windows GUI: System Configuration (Msconfig.msc) is an administrative tool that you can use to configure boot and startup options, including restarting in DSRM and normal mode.
• Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot configuration on a server that is running Windows Server 2008. You can use Bcdedit with shutdown commands to instruct the domain controller to restart in DSRM and to restart normally.

To restart the domain controller in DSRM remotely, you first use Remote Desktop Connection to connect to the domain controller while it is in normal startup mode. Remote Desktop Connection must be enabled on the target domain controller. After the domain controller has restarted, you can use Remote Desktop Connection to reconnect to the domain controller and then log on as the local Administrator, using the DSRM password. You can use this procedure to connect to a domain controller remotely, restart it in DSRM, and then reconnect to it as the DSRM administrator.

Membership in Domain Admins, or equivalent, is the minimum required to complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM and the user right to log on locally to a domain controller are required to log on to the domain controller in DSRM. Members of Account Operators, Administrators, Enterprise Admins, Domain Admins, Backup Operators, Print Operators, and Server Operators have the user right to log on locally to a domain controller by default. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. Using a domain administrative account to log on to an RODC can compromise the server. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92725).

To restart a domain controller in DSRM remotely by using the Windows GUI
1. Connect to the remote domain controller that is running in normal mode:
   a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection.
   b. In Computer, type the name of the domain controller that you want to restart, and then click Connect.
   c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK.
   d. When you are connected, log on to the domain controller as a domain administrator.
2. On the Start menu, point to Administrative Tools, and then click System Configuration.
3. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK.
4. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped.
5. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection.
6. The domain controller name should still be showing in Computer. If it is not, select it from the list, and then click Connect.
7. In the Windows Security dialog box, click Use another account.
8. In User name, type the following: MachineName\Administrator, where MachineName is the name of the domain controller.
9. In Password, type the DSRM password, and then click OK.
10. At the logon screen of the remote domain controller, click Switch User, and then click Other User.
11. Type MachineName\Administrator, and then press ENTER.
12. Perform procedures in DSRM.
13. When you have finished performing procedures in DSRM, restart the domain controller normally:
   a. On the Start menu, point to Administrative Tools, and then click System Configuration.
   b. On the General tab, in Startup selection, click Normal startup, and then click OK.
   The domain controller restarts normally. This procedure will disconnect your remote session.

To restart a domain controller in DSRM remotely by using the command line
1. Connect to the remote domain controller that is running in normal mode:
   a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection.
   b. In Computer, type the name of the domain controller that you want to restart, and then click Connect.
   c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK.
   d. When you are connected, log on to the domain controller as a domain administrator.
2. Open a command prompt. At the command prompt, type the following command, and then press ENTER:

bcdedit /set safeboot dsrepair

3. At the command prompt, type the following command, and then press ENTER:

shutdown -t 0 -r

The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped.
4. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection.
5. The domain controller name should still be showing in Computer. If it is not, select it in the list, and then click Connect.
6. In the Windows Security dialog box, click Use another account.
7. In User name, type the following: MachineName\Administrator, where MachineName is the name of the domain controller.
8. In Password, type the DSRM password, and then click OK.
9. At the logon screen of the remote domain controller, click Switch User, and then click Other User.
10. Type MachineName\Administrator, and then press ENTER.
11. Perform procedures in DSRM.
12. When you have finished performing procedures in DSRM, restart the domain controller normally:
   a. In DSRM, open a command prompt, type the following command, and then press ENTER:

bcdedit /deletevalue safeboot

   b. At the command prompt, type the following command, and then press ENTER:

shutdown -t 0 -r

The domain controller restarts normally. This procedure will disconnect your remote session.

Value                            Description
bcdedit /set safeboot dsrepair   Configures the boot process to start in DSRM.
shutdown -t 0 -r                 Shuts down the server and restarts it.
bcdedit /deletevalue safeboot    Returns the boot process to the previous setting.

See Also
Enable Remote Desktop
Create a Remote Desktop Connection
Restart the Domain Controller in Directory Services Restore Mode Locally

Restore AD DS from Backup (Nonauthoritative Restore)

Nonauthoritative restore from backup restores Active Directory Domain Services (AD DS) from its current state to the previous state of a backup. Use this procedure before you perform an authoritative restore procedure to recover objects that were deleted after the time of the backup. To restore AD DS from backup, use a system state or critical-volumes backup. To restore AD DS from backup, you must restart the domain controller in Directory Services Restore Mode (DSRM).

Note
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92725).

Be sure that you know the name and location of the version of the backup that you are restoring. Backup files are named for the date and time of the backup. When you restore the backup, the version must be stated in the form MM/DD/YYYY-HH:MM (month/day/year-hour:minute), which specifies the name of the backup that you want to restore. The Wbadmin.exe command-line tool does not require that you provide the target for the recovery. By specifying the backup version that you want to recover, the command proceeds to recover to the source location of the backup version that you specify.

Note
The systemstaterecovery command in Wbadmin.exe causes a nonauthoritative restore of SYSVOL by default (only updates to SYSVOL since the time of the backup are replicated to the recovery domain controller). If you want to restore SYSVOL authoritatively (all of SYSVOL is replicated from the recovery domain controller to other domain controllers in the domain), specify the -authsysvol option in the command.

The Administrator password for DSRM is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. The server must be running in DSRM.

To perform a nonauthoritative restore of AD DS
1. At the Windows logon screen, click Switch User, and then click Other User.
2. Type .\administrator as the user name, type the DSRM password for the server, and then press ENTER.
3. Open a Command Prompt.
4. At the command prompt, type the following command, and then press ENTER:

wbadmin get versions -backuptarget:<targetDrive>: -machine:<BackupComputerName>

Where:
• <targetDrive>: is the location of the backup that you want to restore.
• <BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was made.

5. Identify the backup version that you want to restore. You must enter this backup version exactly in the next step.
6. At the command prompt, type the following command, and then press ENTER:

wbadmin start systemstaterecovery -version:<MM/DD/YYYY-HH:MM> -backuptarget:<targetDrive>: -machine:<BackupComputerName> -quiet

Where:
• <MM/DD/YYYY-HH:MM> is the version of the backup that you want to restore.
• <targetDrive>: is the volume that contains the backup.
• <BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was taken.

If you do not specify the -quiet parameter, you are prompted to press Y to proceed with the restore process and then press Y to confirm that the replication engine for SYSVOL has not changed since you created the backup. After the recovery operation is complete, if you are not going to perform an authoritative restore of any restored objects, restart the server.

Additional references
• Restart the Domain Controller in Directory Services Restore Mode Locally
• Enable Remote Desktop
• Create a Remote Desktop Connection
• Restart the Domain Controller in Directory Services Restore Mode Remotely
• Performing Authoritative Restore of Active Directory Objects
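Step 5 says the version identifier must be entered exactly as wbadmin lists it, which is where transcription mistakes happen. The PowerShell below is an added example (not code from the guide or from Microsoft) that reads the identifiers out of the "wbadmin get versions" output, picks the newest by parsing it as a date, and feeds it to "wbadmin start systemstaterecovery" with the same parameters the procedure uses. The function and variable names, the log text in $SampleVersionsOutput (constructed to resemble wbadmin output, not a real capture) and the E: backup volume are the example's assumptions.

```powershell
# Added example, not part of the guide: parse "wbadmin get versions" so the
# -version: value is copied exactly, then run the nonauthoritative restore.
# $SampleVersionsOutput is constructed to look like wbadmin output (not a capture).

$SampleVersionsOutput = @'
wbadmin 1.0 - Backup command-line tool

Backup time: 6/8/2008 5:46 PM
Backup target: Fixed Disk labeled Backups(E:)
Version identifier: 06/08/2008-17:46
Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State

Backup time: 6/9/2008 5:46 PM
Backup target: Fixed Disk labeled Backups(E:)
Version identifier: 06/09/2008-17:46
Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State
'@

function Get-WbadminVersionIds {
    param([string[]]$Lines)
    # Every "Version identifier: MM/DD/YYYY-HH:MM" value, in the order listed.
    foreach ($line in $Lines) {
        if ($line -match '^\s*Version identifier:\s*(\d{2}/\d{2}/\d{4}-\d{2}:\d{2})\s*$') {
            $Matches[1]
        }
    }
}

function Select-NewestVersionId {
    param([string[]]$VersionIds)
    # Sort by the parsed timestamp so "newest" is by date, not by list position.
    $VersionIds |
        Sort-Object { [datetime]::ParseExact($_, 'MM/dd/yyyy-HH:mm', [cultureinfo]::InvariantCulture) } |
        Select-Object -Last 1
}

function Start-SystemStateRecovery {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$TargetDrive,          # e.g. 'E:' (assumed)
        [Parameter(Mandatory)][string]$BackupComputerName,
        [switch]$AuthoritativeSysvol                         # adds -authsysvol (see the Note above)
    )
    $live = & wbadmin.exe get versions "-backuptarget:$TargetDrive" "-machine:$BackupComputerName" 2>&1 |
        ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) { throw "wbadmin get versions failed:`n$($live -join "`n")" }
    $version = Select-NewestVersionId (Get-WbadminVersionIds $live)
    if (-not $version) { throw 'No backup versions were listed for this target and machine' }
    $wbArgs = @('start', 'systemstaterecovery', "-version:$version",
                "-backuptarget:$TargetDrive", "-machine:$BackupComputerName", '-quiet')
    if ($AuthoritativeSysvol) { $wbArgs += '-authsysvol' }
    if ($PSCmdlet.ShouldProcess($BackupComputerName, "wbadmin $($wbArgs -join ' ')")) {
        & wbadmin.exe @wbArgs
        if ($LASTEXITCODE -ne 0) { throw "systemstaterecovery failed with exit code $LASTEXITCODE" }
    }
}

# Offline check of the parser against the constructed sample:
$ids = Get-WbadminVersionIds ($SampleVersionsOutput -split "`r?`n")
Select-NewestVersionId $ids      # 06/09/2008-17:46
```

Running `Start-SystemStateRecovery -TargetDrive 'E:' -BackupComputerName DC1 -WhatIf` prints the exact wbadmin command line without starting the restore. Because the function passes -quiet, the two confirmations described above are skipped, including the one about the SYSVOL replication engine; check that the engine has not changed since the backup before you run it without -WhatIf.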

Mark an Object or Objects as Authoritative

You can use this procedure to mark Active Directory objects as authoritative when you perform an authoritative restore. In this procedure, you use the ntdsutil command to select objects that are to be marked authoritative when they replicate to other domain controllers. This procedure has the following preliminary requirements:

• You must know the full distinguished name of the object or objects that you want to restore.
• If the deletions that you are recovering have replicated to the recovery domain controller, you must have completed a nonauthoritative restore procedure, after which you did not restart the domain controller and it remains in Directory Services Restore Mode (DSRM).
• If the deletions that you are recovering have not replicated to the recovery domain controller, you can perform this procedure in normal mode with Active Directory Domain Services (AD DS) stopped.

The Ntdsutil functionality that is described in this procedure is available on domain controllers that are running Windows Server 2008. To perform authoritative restore on a domain controller that is running a version of Windows Server 2003, see Performing an Authoritative Restore of Active Directory Objects (http://go.microsoft.com/fwlink/?LinkId=44194).

Note
If you are able to stop inbound replication on a global catalog server or other domain controller in the domain before it has received the deletion that you want to restore, you can skip the nonauthoritative restore process.

Perform this procedure to recover deleted objects in the domain and to restore back-links for those objects in this domain. If you are running the authoritative restore procedure on a global catalog server, back-links for objects in other domains are also updated if the forward link is stored in the global catalog. For example, the values for the back-link attribute memberOf are restored in this procedure if the forward link member is stored in the global catalog or in the domain directory partition. In the case of domain local groups, the member attribute is not stored in the global catalog and it is not stored in the recovery domain if the group exists in a different domain. In this case, you must perform additional steps to recover domain local group memberships of restored security principals. These steps are described in Create an LDIF File for Recovering Back-Links for Authoritatively Restored Objects.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To mark a subtree or individual object authoritative
1. In DSRM, click Start, click Run, type ntdsutil, and then press ENTER.
2. At the ntdsutil: prompt, type authoritative restore, and then press ENTER.
3. To restore a subtree or individual object, type one of the following commands, as appropriate, and then press ENTER:
   To restore a subtree (for example, an organizational unit (OU) and all child objects):

restore subtree <DistinguishedName>

   To restore a single object:

restore object <DistinguishedName>

   Where <DistinguishedName> is the distinguished name of the subtree or object that is to be marked authoritative.
4. Click Yes in the message box to confirm the command. For example, if you want to restore a deleted OU named Marketing NorthAm in the corp.contoso.com domain, type:

restore subtree "OU=Marketing NorthAm,DC=corp,DC=contoso,DC=com"

   (Always enclose the distinguished name in quotes when there is a space or other special characters within the distinguished name.)
   Ntdsutil attempts to mark the object as authoritative. The output message indicates the status of the operation. The most common cause of failure is an incorrectly specified distinguished name or a backup for which the distinguished name does not exist. (This occurs if you try to restore a deleted object that was created after the backup.) The following sample output shows that Ntdsutil created a text file (.txt) and an LDAP Data Interchange Format (LDIF) (.ldf) file when the marked object was found to have back-links:

Successfully updated 1 records.

The following text file with a list of authoritatively restored objects has been created in the current working directory: ar_YYYYMMDD-HHMMSS_objects.txt

One or more specified objects have back-links in this domain. The following LDIF files with link restore operations have been created in the current working directory: ar_YYYYMMDD-HHMMSS_links_Corp.Contoso.com.ldf

Authoritative Restore completed successfully.

5. Make a note of the location of the .txt and .ldf files, if any. We recommend that you use the .ldf file to restore back-links in this domain, even if restored objects are members of groups that were created before linked-value replication (LVR) was in effect. However, in all cases where any of the restored objects listed in the .txt file has memberships in groups in a different domain, you must use the .txt file to generate an .ldf file to restore back-links in those domains. If you have other domains in which you want to restore back-links for this restored object, make a copy of this .txt file to use on a domain controller in each additional domain.
6. At the authoritative restore: and ntdsutil: prompts, type quit, and then press ENTER.
7. Restart the domain controller in normal operating mode.

Additional references
• Run an LDIF File to Recover Back-Links

Turn Off Inbound Replication

You can use this procedure and the repadmin command to turn off inbound replication so that Active Directory objects on a domain controller cannot be updated by replication from another domain controller. You can manage the inbound replication state by setting a repadmin option to change the value in DISABLE_INBOUND_REPL. You change the state by using a plus (+) to enable the disabled state (turn off inbound replication) and a minus (-) to disable (reverse) the disabled state (turn on inbound replication). When you apply the option, the command output confirms only that the DISABLE_INBOUND_REPL option is either new or current. It does not indicate "on" or "off."

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To turn off inbound replication
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if requested, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:

repadmin /options <ServerName> +DISABLE_INBOUND_REPL

   where <ServerName> is the NetBIOS name of the domain controller.
3. Verify that the DISABLE_INBOUND_REPL option is in effect. The following message should appear:

Current DSA Options: <whatever options are set>
New DSA Options: DISABLE_INBOUND_REPL

   Current DSA Options displays the conditions that were in effect at the time that you ran the command. New DSA Options shows the effect of the command, which is that the DISABLE_INBOUND_REPL option is now in effect.

Additional references
• Turn on Inbound Replication

Synchronize Replication with All Partners

You can use this procedure to synchronize replication with all replication partners of a domain controller.

Membership in Enterprise Admins in the forest or Domain Admins in the forest root domain, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To synchronize replication with all partners
1. At a command prompt, type the following command, and then press ENTER:

repadmin /syncall <DomainControllerName> /e /d /A /P /q

Value                      Description
repadmin /syncall          Synchronizes a specified domain controller with all replication partners.
<DomainControllerName>     The Domain Name System (DNS) name of the domain controller on which you want to synchronize replication with all partners.
/e                         Enterprise; includes partners in all sites.
/d                         Identifies servers by their distinguished names in messages.
/A                         All; synchronizes all directory partitions that are held on the home server.
/P                         Pushes changes outward from the home server.
/q                         Runs in quiet mode; suppresses callback messages.

2. Check for replication errors in the output of the command in the previous step. If there are no errors, replication is successful. For replication to complete, any errors must be corrected.

See Also
Verify Successful Replication to a Domain Controller
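Step 2 asks you to read the repadmin output for errors. The PowerShell below is an added example (not code from the guide or from Microsoft) that runs the same repadmin /syncall command with the switches in the table and reduces its output to a pass/fail object, so the check can be scripted and logged. It assumes repadmin.exe is on the path; the function names and the two sample outputs (constructed to resemble repadmin's summary lines, not real captures, with a placeholder GUID) are the example's own.

```powershell
# Added example, not part of the guide: run "repadmin /syncall" as in step 1
# and turn its summary lines into a result object for the error check in step 2.

function Test-SyncAllOutput {
    param([string[]]$Lines)
    # repadmin ends with "SyncAll terminated with no errors." on success; when it
    # fails it prints "SyncAll reported the following errors:" followed by the
    # error lines. Everything after that header is collected as an error.
    $result = [ordered]@{ Succeeded = $false; Errors = @() }
    $inErrors = $false
    foreach ($line in $Lines) {
        if ($line -match '^SyncAll terminated with no errors') { $result.Succeeded = $true; continue }
        if ($line -match '^SyncAll reported the following errors') { $inErrors = $true; continue }
        if ($inErrors -and $line.Trim()) { $result.Errors += $line.Trim() }
    }
    [pscustomobject]$result
}

function Invoke-SyncAll {
    param([Parameter(Mandatory)][string]$DomainControllerName)   # DNS name, as in the table
    $out = & repadmin.exe /syncall $DomainControllerName /e /d /A /P /q 2>&1 | ForEach-Object { "$_" }
    $r = Test-SyncAllOutput $out
    if ($LASTEXITCODE -ne 0 -or -not $r.Succeeded -or $r.Errors.Count -gt 0) {
        throw "repadmin /syncall against $DomainControllerName did not complete cleanly:`n$($r.Errors -join "`n")"
    }
    $r
}

# Constructed sample outputs (not real captures) to exercise the parser offline:
$okSample  = @('Syncing all NC''s held on DC1.',
               'SyncAll terminated with no errors.')
$badSample = @('Syncing all NC''s held on DC1.',
               'SyncAll reported the following errors:',
               'Error contacting server 00000000-0000-0000-0000-000000000000._msdcs.corp.contoso.com (network error): 1722 (0x6ba):',
               '    The RPC server is unavailable.')
(Test-SyncAllOutput $okSample).Succeeded      # True
(Test-SyncAllOutput $badSample).Errors.Count  # 2
```

Invoke-SyncAll throws when any error line is present, which is the behaviour wanted in a restore runbook: the procedure above says replication is complete only when every reported error has been corrected, so a silent partial sync should not be treated as success.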

Run an LDIF File to Recover Back-Links

When you perform an authoritative restore on a domain controller that is running Windows Server 2008, Windows Server 2003 R2, Windows Server 2003 with Service Pack 1 (SP1), or Windows Server 2003 with Service Pack 2 (SP2), the output of the authoritative restore procedure includes an LDAP Data Interchange Format (LDIF) (.ldf) file. This .ldf file contains information about the forward-links that are required so that the group memberships (back-links) of any restored user, group, or computer objects in Active Directory Domain Services (AD DS) can be recovered in the domain in which the deletions occurred. You can use this procedure to run an .ldf file to recover back-links for Active Directory objects.

Restore group memberships in the domain of the deletions
For each object or subtree that you authoritatively restore, run the .ldf file on the restored domain controller to recover group memberships in the domain of the deletions.

Restore group memberships in other domains
To recover group memberships in other domains in the forest, you must first generate an .ldf file in that domain, as described in Create an LDIF File for Recovering Back-Links for Authoritatively Restored Objects. Then, use this procedure in the respective domain to recover back-links. When you recover group memberships in domains other than the domain of the deletions, you first perform a nonauthoritative restore of the domain controller to return AD DS to a state in which it contained the deleted memberships and then use the .txt file to generate the .ldf file. The domain controller that you restore from backup has old data until it has finished replicating from another domain controller in the domain. If you add users to groups on the restored computer before it is up to date, you might lose some of the changes that you make when this domain controller is updated through inbound replication. For this reason, run the .ldf file on a different, up-to-date domain controller in the same domain.

Note
This procedure is critical for recovering group memberships for deleted users, groups, or computers, but it applies to any restored objects that have back-link attributes.

This procedure explains how to use the Ldifde tool and an .ldf file to recover back-links for authoritatively restored objects in a single domain. Perform this procedure on an up-to-date domain controller in the domain of the group or groups whose memberships you are recovering.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To run an .ldf file to recover back-links after authoritative restore
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue. Change directories, if necessary, to the directory of the .ldf file and its respective log files.
2. At the command prompt, type the following command, and then press ENTER:

ldifde -i -k -f <FileName>

   Where <FileName> is the name of the .ldf file that you want to run, for example, ar_20080609-174604_links_corp.contoso.com.ldf.

Additional references
• Create an LDIF File for Recovering Back-Links for Authoritatively Restored Objects
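The ldifde command in step 2 reports its outcome on the console and in log files. The PowerShell below is an added example (not code from the guide or from Microsoft) that runs the same import with an explicit log directory and decides success from the exit code and the ldif.err file rather than from what scrolled past. The function name, the log directory and the parameter names are the example's assumptions; the .ldf file name in the comment is the one the procedure above uses as its example.

```powershell
# Added example, not part of the guide: run the ldifde import from step 2 with a
# log directory (-j) and report the outcome from the exit code and ldif.err.

function Import-BackLinkLdif {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$LdfPath,       # e.g. .\ar_20080609-174604_links_corp.contoso.com.ldf
        [string]$LogDirectory = '.\ldifde-logs'       # assumed location for ldif.log / ldif.err
    )
    if (-not (Test-Path -LiteralPath $LdfPath)) { throw "LDIF file not found: $LdfPath" }
    New-Item -ItemType Directory -Path $LogDirectory -Force | Out-Null
    $errFile = Join-Path $LogDirectory 'ldif.err'
    if (Test-Path $errFile) { Remove-Item $errFile }   # never judge this run by a stale error log

    if ($PSCmdlet.ShouldProcess($LdfPath, "ldifde -i -k -f $LdfPath -j $LogDirectory")) {
        # -i import; -k keep going past "object already exists"/constraint errors
        # (memberships that replication has already re-linked); -f input file;
        # -j directory for ldif.log and ldif.err.
        $out  = & ldifde.exe -i -k -f $LdfPath -j $LogDirectory 2>&1 | ForEach-Object { "$_" }
        $exit = $LASTEXITCODE
        $errText = if (Test-Path $errFile) { Get-Content $errFile -Raw } else { '' }
        [pscustomobject]@{
            ExitCode  = $exit
            Summary   = ($out | Where-Object { $_ -match 'entries modified successfully|completed successfully' }) -join '; '
            ErrorLog  = $errFile
            Succeeded = ($exit -eq 0 -and [string]::IsNullOrWhiteSpace($errText))
        }
    }
}

# Usage (on the up-to-date domain controller, as the procedure requires):
# Import-BackLinkLdif -LdfPath .\ar_20080609-174604_links_corp.contoso.com.ldf -WhatIf
```

If Succeeded is false, open the ErrorLog path: entries that only report an object already existing mean replication had already restored those memberships, which is why -k is used; anything else identifies a group that still needs attention.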

Turn on Inbound Replication

You can use the repadmin command-line tool in this procedure to turn on inbound Active Directory replication after it has been turned off manually. You can manage the inbound replication state by setting a repadmin option to change the value in DISABLE_INBOUND_REPL. You change the state by using a plus (+) to enable the disabled state (turn off inbound replication) and a minus (-) to disable (reverse) the disabled state (turn on inbound replication). When you apply the option, the command output confirms only that the DISABLE_INBOUND_REPL option is either new or current. It does not indicate "on" or "off."

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To turn on inbound replication
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if requested, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:

repadmin /options <ServerName> -DISABLE_INBOUND_REPL

   Where <ServerName> is the NetBIOS name of the domain controller.
3. Verify that the DISABLE_INBOUND_REPL option is not in effect. The following message should appear:

Current DSA Options: DISABLE_INBOUND_REPL
New DSA Options: <none>

   Current DSA Options displays the conditions that were in effect at the time that you ran the command. New DSA Options shows the effect of the command, which is that the DISABLE_INBOUND_REPL option is not in effect (does not appear).

Additional references
• Turn Off Inbound Replication
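Both this procedure and Turn Off Inbound Replication point out that repadmin only echoes the before and after option lists and never says "on" or "off". The PowerShell below is an added example (not code from the guide or from Microsoft) that serves both procedures: it parses the Current DSA Options and New DSA Options lines, decides whether DISABLE_INBOUND_REPL is in effect from the post-command list, and wraps the +/- repadmin call so that the resulting state is verified rather than assumed. It assumes repadmin.exe is on the path; the function names and the sample outputs (constructed to resemble repadmin's two summary lines, not real captures) are the example's own.

```powershell
# Added example, not part of the guide, for both "Turn Off" and "Turn On Inbound
# Replication": read repadmin's option lists instead of guessing on/off.

function ConvertFrom-RepadminOptions {
    param([string[]]$Lines)
    # "Current DSA Options: A B" / "New DSA Options: B C" -> arrays of option names.
    # HasNew records whether a New line was present at all (a plain query prints
    # only the Current line), so an empty New list is not confused with no New line.
    $result = @{ Current = @(); New = @(); HasNew = $false }
    foreach ($line in $Lines) {
        if ($line -match '^\s*(Current|New) DSA Options:\s*(.*)$') {
            $which = $Matches[1]
            $opts  = $Matches[2].Trim()
            $list  = if ($opts -and $opts -notmatch '^[(<]none[)>]$') { @($opts -split '\s+') } else { @() }
            $result[$which] = $list
            if ($which -ieq 'New') { $result.HasNew = $true }
        }
    }
    $result
}

function Test-InboundReplicationDisabled {
    param([string[]]$Lines)
    # Uses the post-command list when present, otherwise the current list.
    $o = ConvertFrom-RepadminOptions $Lines
    $effective = if ($o.HasNew) { $o.New } else { $o.Current }
    return [bool]($effective -contains 'DISABLE_INBOUND_REPL')
}

function Set-InboundReplication {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$ServerName,   # NetBIOS name, as in the procedures
        [switch]$Disable                              # present: turn off; absent: turn on
    )
    $flag = if ($Disable) { '+DISABLE_INBOUND_REPL' } else { '-DISABLE_INBOUND_REPL' }
    if ($PSCmdlet.ShouldProcess($ServerName, "repadmin /options $ServerName $flag")) {
        $out = & repadmin.exe /options $ServerName $flag 2>&1 | ForEach-Object { "$_" }
        if ($LASTEXITCODE -ne 0) { throw "repadmin failed:`n$($out -join "`n")" }
        $disabled = Test-InboundReplicationDisabled $out
        if ($disabled -ne [bool]$Disable) {
            throw "Inbound replication on $ServerName is disabled=$disabled, expected $([bool]$Disable)"
        }
        $disabled   # $true means inbound replication is now off
    }
}

# Constructed sample outputs (not real captures) to exercise the parser offline:
$afterOff = @('Current DSA Options: IS_GC', 'New DSA Options: IS_GC DISABLE_INBOUND_REPL')
$afterOn  = @('Current DSA Options: IS_GC DISABLE_INBOUND_REPL', 'New DSA Options: IS_GC')
$queryOnly = @('Current DSA Options: IS_GC')
Test-InboundReplicationDisabled $afterOff    # True
Test-InboundReplicationDisabled $afterOn     # False
Test-InboundReplicationDisabled $queryOnly   # False
```

`repadmin /options <ServerName>` with no +/- flag prints only the Current DSA Options line, and the parser handles that as a query. Leaving DISABLE_INBOUND_REPL set after a restore is a common way to end up with a domain controller that silently stops receiving changes, so it is worth running the query form against every domain controller touched by a restore before closing the incident.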

Create an LDIF File for Recovering Back-Links for Authoritatively Restored Objects

When you perform an authoritative restore in a domain where deletions of Active Directory objects occurred, the Ntdsutil tool generates a text (.txt) file that identifies the objects that have been restored. You can use this .txt file to generate an LDAP Data Interchange Format (LDIF) file (.ldf) in other domains that might have back-links from the restored objects. This procedure generates the .ldf file that you need to recover back-links in this domain. Perform this procedure on a domain controller in the domain that might have the back-links. After you complete this procedure, you must use the Ldifde tool to run the .ldf file on a domain controller in the same domain, as described in Run an LDIF File to Recover Back-Links.

Note
To ensure that current group objects are updated, run the .ldf file on a domain controller other than the domain controller that you use to generate the .ldf file.

Before you perform this procedure, you must:
• Copy the .txt file that Ntdsutil created during the authoritative restore procedure, which you performed on the first domain controller, to a location on this domain controller or a network share.
• Restore this domain controller from backup. After you restore this domain controller from backup, perform this procedure while the domain controller is still running in Directory Services Restore Mode (DSRM).

To perform this procedure, you must provide the Administrator password for DSRM.

To create an .ldf file for restoring back-links for authoritatively restored objects
1. In DSRM, click Start, click Run, type ntdsutil, and then press ENTER.
2. At the ntdsutil: prompt, type authoritative restore, and then press ENTER.
3. At the authoritative restore: prompt, type the following command, and then press ENTER:

create ldif files from <TextFilePath>

   Where <TextFilePath> is the location and file name of the .txt file that Ntdsutil created during the initial authoritative restore of the object whose back-links you want to restore, for example, d:\ldif\ar_20080609_091555_objects.txt. Ntdsutil displays a message stating that one or more specified objects have back-links in this domain and an .ldf file has been created in the current working directory.
4. At the authoritative restore: and ntdsutil: prompts, type quit.

Additional references
• Restore AD DS from Backup (Nonauthoritative Restore)
• Run an LDIF File to Recover Back-Links

Performing Authoritative Restore of an Application Directory Partition

A restore of an application directory partition marks all data that is present in the partition as authoritative for the replica set. The information that an application directory partition contains replicates to all domain controllers in the forest that were previously present in the replica set. You should have a current valid backup of the application directory partition before you begin the authoritative restore, in the event that particular object changes are lost because of changes since the backup was created. If you deleted an entire application directory partition, you must perform the restore procedure on the domain naming operations master role holder.

Before you perform the procedures in this task, back up the domain controller that you are restoring. For information about creating backups, see Backing Up Active Directory Domain Services.

Task requirements
The following tools are required to perform the procedures for this task:
• Remote Desktop Connection (optional)
• Bcdedit.exe (optional)
• Ntdsutil.exe

To complete this task, perform the following procedures:
1. Restart the domain controller in Directory Services Restore Mode (DSRM), as follows:
   Restart the Domain Controller in Directory Services Restore Mode Locally
   Or
   Restart the Domain Controller in Directory Services Restore Mode Remotely
2. Restore AD DS from Backup (Nonauthoritative Restore). Do not restart the domain controller.
3. Mark an application directory partition as authoritative.
4. Restart the domain controller normally.

Restart the Domain Controller in Directory Services Restore Mode Remotely

If you have remote access to a domain controller, you can restart the domain controller in Directory Services Restore Mode (DSRM) remotely. Remote access requires the user right to log on locally to a domain controller. Restarting in DSRM takes the domain controller offline. In this mode, the server functions as a member server, not as a domain controller. During installation of Active Directory Domain Services (AD DS), you set the Administrator password for logging on to the server in DSRM. When you start Windows Server 2008 in DSRM, you must log on by using this DSRM password for the local Administrator account.

Note
By default, you must start a domain controller in DSRM to log on by using the DSRM Administrator account. However, on domain controllers that are running Windows Server 2008, you can change this behavior by modifying the DSRMAdminLogonBehavior registry entry. By changing the value for this entry, you can configure a domain controller so that you can log on to it with the DSRM Administrator account if the domain controller was started normally but the AD DS service is stopped for some reason. For more information about changing this registry entry, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=88649).

On domain controllers that are running Windows Server 2008, tools are available that replace the Boot.ini file that is used in earlier versions of Windows Server to modify the boot configuration parameters and controls. You can use the Windows graphical user interface (GUI) or the command line to restart the domain controller in DSRM:
• Windows GUI: System Configuration (Msconfig.exe) is an administrative tool that you can use to configure boot and startup options, including restarting in DSRM and in normal mode.
• Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot configuration on a server that is running Windows Server 2008. You can use Bcdedit with shutdown commands to instruct the domain controller to restart in DSRM and to restart normally.

To restart the domain controller in DSRM remotely, you first use Remote Desktop Connection to connect to the domain controller while it is in normal startup mode. Remote Desktop Connection must be enabled on the target domain controller. After the domain controller has restarted, you use Remote Desktop Connection to reconnect to the domain controller and then log on as the local Administrator, using the DSRM password. You can use this procedure to connect to a domain controller remotely, restart it in DSRM, and then reconnect to it as the DSRM administrator.

Membership in Domain Admins, or equivalent, is the minimum required to complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM and the user right to log on locally to a domain controller are required to log on to the domain controller in DSRM. Members of Account Operators, Administrators, Enterprise Admins, Domain Admins, Backup Operators, Print Operators, and Server Operators have the user right to log on locally to a domain controller by default. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. Using a domain administrative account to log on to an RODC can compromise the server, because it exposes a highly privileged credential on a server that is deployed precisely because it is less trusted. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).

To restart a domain controller in DSRM remotely by using the Windows GUI
1. Connect to the remote domain controller that is running in normal mode:
a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection.
b. In Computer, type the name of the domain controller that you want to restart, and then click Connect.
c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK.
d. When you are connected, log on to the domain controller as a domain administrator.
2. On the Start menu, point to Administrative Tools, and then click System Configuration.
3. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK.
4. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped.
5. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection.
6. The domain controller name should still be showing in Computer. If it is not, select it from the list, and then click Connect.
7. In the Windows Security dialog box, click Use another account.
8. In User name, type the following:
MachineName\Administrator
Where MachineName is the name of the domain controller.
9. In Password, type the DSRM password, and then click OK.
10. At the logon screen of the remote domain controller, click Switch User, and then click Other User.
11. Type MachineName\Administrator, and then press ENTER.
12. Perform procedures in DSRM.
13. When you have finished performing procedures in DSRM, restart the domain controller normally:
a. On the Start menu, point to Administrative Tools, and then click System Configuration.
b. On the General tab, in Startup selection, click Normal startup, and then click OK. The domain controller restarts normally. This procedure will disconnect your remote session.

To restart a domain controller in DSRM remotely by using the command line
1. Connect to the remote domain controller that is running in normal mode:
a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection.
b. In Computer, type the name of the domain controller that you want to restart, and then click Connect.
c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK.
d. When you are connected, log on to the domain controller as a domain administrator.
2. Open a command prompt. At the command prompt, type the following command, and then press ENTER:
bcdedit /set safeboot dsrepair
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped.
4. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection.
5. The domain controller name should still be showing in Computer. If it is not, select it in the list, and then click Connect.
6. In the Windows Security dialog box, click Use another account.
7. In User name, type the following:
MachineName\Administrator
Where MachineName is the name of the domain controller.
8. In Password, type the DSRM password, and then click OK.
9. At the logon screen of the remote domain controller, click Switch User, and then click Other User.
10. Type MachineName\Administrator, and then press ENTER.
11. Perform procedures in DSRM.
12. When you have finished performing procedures in DSRM, restart the domain controller normally:
a. In DSRM, open a command prompt, type the following command, and then press ENTER:
bcdedit /deletevalue safeboot
b. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
The domain controller restarts normally. This procedure will disconnect your remote session.

Value   Description
bcdedit /set safeboot dsrepair   Configures the boot process to start in DSRM. The setting persists across restarts until you delete it.
shutdown -t 0 -r   Shuts down the server and restarts it immediately.
bcdedit /deletevalue safeboot   Returns the boot process to the previous setting.

See Also
Enable Remote Desktop
Create a Remote Desktop Connection
Restart the Domain Controller in Directory Services Restore Mode Locally

Restart the Domain Controller in Directory Services Restore Mode Locally

If you have physical access to a domain controller, you can restart the domain controller in Directory Services Restore Mode (DSRM) locally. Restarting in DSRM takes the domain controller offline. In this mode, the server functions as a member server, not as a domain controller. During installation of Active Directory Domain Services (AD DS), you set the Administrator password for logging on to the server in DSRM. When you start Windows Server 2008 in DSRM, you must log on by using this DSRM password for the local Administrator account.

Note
By default, you must start a domain controller in DSRM to log on by using the DSRM Administrator account. However, on domain controllers that are running Windows Server 2008, you can change this behavior by modifying the DSRMAdminLogonBehavior registry entry. By changing the value for this entry, you can configure a domain controller so that you can log on to it with the DSRM Administrator account if the domain controller was started normally but the AD DS service is stopped for some reason. For more information about changing this registry entry, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=88649).

You can restart a domain controller in DSRM manually by pressing the F8 key during domain controller startup, which requires watching the startup and waiting for the appropriate point in the startup to press the key. This method is tedious and can waste time if you miss the brief window of opportunity for selecting the restart mode.

On domain controllers that are running Windows Server 2008, tools are available that replace the Boot.ini file that is used in earlier versions of Windows Server to modify the boot configuration parameters and controls. You can use the Windows graphical user interface (GUI) or the command line to restart the domain controller in DSRM:
• Windows GUI: System Configuration (Msconfig.exe) is an administrative tool that you can use to configure boot and startup options, including restarting in DSRM and in normal mode.
• Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot configuration on a server that is running Windows Server 2008. You can use Bcdedit with shutdown commands to instruct the domain controller to restart in DSRM and to restart normally.

When you are finished managing a domain controller in DSRM, if you have used System Configuration or Bcdedit.exe to restart the domain controller in DSRM, you must change the configuration so that the domain controller restarts in normal mode.

Note
A benefit of using System Configuration or Bcdedit.exe to restart a domain controller into DSRM is that the domain controller cannot inadvertently restart into normal mode: the safe-boot setting persists until you remove it, so an unplanned restart brings the server back up in DSRM. This benefit is particularly useful when you are performing a nonauthoritative restore from backup followed by an authoritative restore, because a domain controller that came up in normal mode between the two restores would replicate in the current directory state, including the deletions, before you could mark the restored objects authoritative. You can also use System Configuration or Bcdedit.exe to restart a domain controller in DSRM remotely. To use System Configuration or Bcdedit.exe and Remote Desktop Connection to restart a domain controller in DSRM remotely, see Restart the Domain Controller in Directory Services Restore Mode Remotely.

Membership in the Domain Admins group is the minimum required to complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM are required to log on to the domain controller in DSRM. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Important
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).

Restarting the domain controller in DSRM locally
You can use either of the following methods to restart the domain controller in DSRM:

To restart a domain controller in DSRM locally by using the Windows GUI
1. On the Start menu, point to Administrative Tools, and then click System Configuration.
2. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK.
3. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM.
4. Perform procedures in DSRM.
5. When you have finished performing procedures in DSRM, restart the domain controller normally:
a. On the Start menu, point to Administrative Tools, and then click System Configuration.
b. On the General tab, in Startup selection, click Normal startup, and then click OK. The domain controller restarts normally.

To restart a domain controller in DSRM locally by using the command line
1. Click Start, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, and then click OK.
2. At the command prompt, type the following command, and then press ENTER:
bcdedit /set safeboot dsrepair
3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r
4. When you are still in DSRM and you are ready to restart in normal mode, open a command prompt, type the following command, and then press ENTER:
bcdedit /deletevalue safeboot
5. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r

Value   Description
bcdedit /set safeboot dsrepair   Configures the boot process to start in DSRM. The setting persists across restarts until you delete it.
shutdown -t 0 -r   Shuts down the server and restarts it immediately.
bcdedit /deletevalue safeboot   Returns the boot process to the previous setting.
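The bcdedit and shutdown steps of both the local procedure above and the remote command-line procedure in the previous section, wrapped in PowerShell with the checks an operator wants before rebooting a domain controller, as an added example (this script is not part of the Operations Guide). It assumes Windows Server 2008 or later, an elevated session, and, for the remote function, that WinRM is enabled on the target and that you hold Domain Admins credentials; the guide itself uses Remote Desktop for that step. Server names are placeholders.

```powershell
# Added example, not part of the Operations Guide. Assumptions: Windows Server
# 2008 or later; elevated session; WinRM enabled on the target for the remote
# variant; 'bcdedit /enum' lists the option as a line starting with 'safeboot'.

function Get-SafeBootValue {
    # Reads the current boot entry and returns the safeboot option
    # (e.g. 'DsRepair'), or $null when no safe-boot option is set.
    $lines = & bcdedit.exe /enum '{current}' 2>&1
    foreach ($line in $lines) {
        if ($line -match '^\s*safeboot\s+(\S+)') { return $Matches[1] }
    }
    return $null
}

function Enter-Dsrm {
    # Local procedure, steps 2-3: set the option, verify it was written,
    # then restart. Refuses to reboot if the option did not take, because
    # a plain restart would simply return the DC to normal mode.
    param([int]$DelaySeconds = 0)
    & bcdedit.exe /set safeboot dsrepair | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /set safeboot dsrepair failed (exit code $LASTEXITCODE); run from an elevated prompt." }
    if ((Get-SafeBootValue) -ne 'DsRepair') { throw 'safeboot option is not set; not restarting.' }
    & shutdown.exe -t $DelaySeconds -r
}

function Exit-Dsrm {
    # Local procedure, steps 4-5: the safeboot option persists across
    # reboots, so it must be removed or every restart returns to DSRM.
    & bcdedit.exe /deletevalue safeboot | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /deletevalue safeboot failed (exit code $LASTEXITCODE)." }
    if (Get-SafeBootValue) { throw 'safeboot option is still present; not restarting.' }
    & shutdown.exe -t 0 -r
}

function Enter-DsrmRemote {
    # Remote procedure, steps 2-3, over WinRM instead of Remote Desktop while
    # the DC is still in normal mode. Afterwards reconnect with Remote Desktop
    # as MachineName\Administrator and the DSRM password, as the guide describes.
    param(
        [Parameter(Mandatory = $true)][string]$DomainController,
        [System.Management.Automation.PSCredential]$Credential
    )
    $splat = @{ ComputerName = $DomainController }
    if ($Credential) { $splat['Credential'] = $Credential }
    Invoke-Command @splat -ScriptBlock {
        & bcdedit.exe /set safeboot dsrepair | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "bcdedit failed on $env:COMPUTERNAME (exit code $LASTEXITCODE)" }
        $set = @(& bcdedit.exe /enum '{current}') -match '^\s*safeboot\s+DsRepair'
        if (-not $set) { throw "safeboot option not set on $env:COMPUTERNAME; not restarting" }
        & shutdown.exe -t 0 -r
    }
}

function Test-DcNormalMode {
    # After Exit-Dsrm and the reboot: AD DS runs only in normal mode, and
    # the boot entry should carry no safeboot option any more.
    $ntds = Get-Service -Name NTDS -ErrorAction SilentlyContinue
    return ($ntds -ne $null -and $ntds.Status -eq 'Running' -and (Get-SafeBootValue) -eq $null)
}

# Usage (names are placeholders):
#   Enter-DsrmRemote -DomainController DC1 -Credential (Get-Credential CONTOSO\Administrator)
#   ... log on in DSRM over Remote Desktop, do the restore work, then in that session:
#   Exit-Dsrm
#   ... after the normal restart:
#   Test-DcNormalMode
```

The verification after each bcdedit call matters because bcdedit exits quietly when run without elevation; without the check, the shutdown would proceed and the domain controller would come back in normal mode, replicating in the current directory state before the restore work is done.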

See Also
Restart the Domain Controller in Directory Services Restore Mode Remotely

Restore AD DS from Backup (Nonauthoritative Restore)

Nonauthoritative restore from backup restores Active Directory Domain Services (AD DS) from its current state to the previous state of a backup. Use this procedure before you perform an authoritative restore procedure to recover objects that were deleted after the time of the backup. To restore AD DS from backup, use a system state or critical-volumes backup. To restore AD DS from backup, you must restart the domain controller in Directory Services Restore Mode (DSRM).

Note
If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).

Be sure that you know the name and location of the version of the backup that you are restoring. Backup files are named for the date and time of the backup. When you restore the backup, the version must be stated in the form MM/DD/YYYY-HH:MM (month/day/year-hour:minute), which specifies the name of the backup that you want to restore. The Wbadmin.exe command-line tool does not require that you provide the target for the recovery. By specifying the backup version that you want to recover, the command proceeds to recover to the source location of the backup version that you specify.

Note
The systemstaterecovery command in Wbadmin.exe causes a nonauthoritative restore of SYSVOL by default (only updates to SYSVOL since the time of the backup are replicated to the recovered domain controller). If you want to restore SYSVOL authoritatively (all of SYSVOL is replicated from the recovered domain controller to other domain controllers in the domain), specify the -authsysvol option in the command.

The Administrator password for DSRM is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477. The server must be running in DSRM.

To perform a nonauthoritative restore of AD DS
1. At the Windows logon screen, click Switch User, and then click Other User.
2. Type .\administrator as the user name, type the DSRM password for the server, and then press ENTER.
3. Open a Command Prompt.
4. At the command prompt, type the following command, and then press ENTER:
wbadmin get versions -backuptarget:<targetDrive>: -machine:<BackupComputerName>
Where:
• <targetDrive>: is the location of the backup that you want to restore.
• <BackupComputerName> is the name of the computer whose backup you want to recover, that is, the name the computer had when the backup was made. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was made.
5. Identify the backup version that you want to restore. You must enter this backup version exactly in the next step.
6. At the command prompt, type the following command, and then press ENTER:
wbadmin start systemstaterecovery -version:<MM/DD/YYYY-HH:MM> -backuptarget:<targetDrive>: -machine:<BackupComputerName> -quiet
Where:
• <MM/DD/YYYY-HH:MM> is the version of the backup that you want to restore.
• <targetDrive>: is the volume that contains the backup.
• <BackupComputerName> is the name of the computer whose backup you want to recover. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was taken.
If you do not specify the -quiet parameter, you are prompted to press Y to proceed with the restore process and then to press Y to confirm that the replication engine for SYSVOL has not changed since you created the backup. After the recovery operation is complete, if you are not going to perform an authoritative restore of any restored objects, restart the server.
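Steps 4 to 6 of the procedure as one PowerShell script, added here as an example (not part of the Operations Guide): it lists the backup versions, picks the requested or the newest one, refuses a backup that is older than the tombstone lifetime, and runs the system state recovery. It assumes that it runs in DSRM on the domain controller as .\administrator, that wbadmin get versions prints one "Version identifier: MM/DD/YYYY-HH:MM" line per backup in the format the text above gives, and that the tombstone lifetime is passed in as a parameter, because AD DS is not running in DSRM and the forest value cannot be read there (the default is 180 days for forests created with Windows Server 2003 SP1 or later and 60 days for older forests).

```powershell
# Added example, not part of the Operations Guide. Assumptions: runs in DSRM
# on the domain controller; 'wbadmin get versions' prints
# 'Version identifier: MM/DD/YYYY-HH:MM' per backup; tombstone lifetime is a
# parameter because the forest value is not readable while AD DS is offline.

function Get-WbadminVersion {
    param(
        [Parameter(Mandatory = $true)][string]$BackupTarget,  # e.g. 'E:' or '\\backupsrv\dcbackups' (placeholders)
        [string]$MachineName                                  # name of the backed-up computer
    )
    $wbArgs = @('get', 'versions', "-backuptarget:$BackupTarget")
    if ($MachineName) { $wbArgs += "-machine:$MachineName" }
    $text = & wbadmin.exe @wbArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw ("wbadmin get versions failed:`n" + ($text -join "`n")) }
    foreach ($line in $text) {
        if ($line -match 'Version identifier:\s*(\d{2}/\d{2}/\d{4}-\d{2}:\d{2})') {
            $id = $Matches[1]
            New-Object PSObject -Property @{
                Version = $id
                Taken   = [datetime]::ParseExact($id, 'MM/dd/yyyy-HH:mm', [Globalization.CultureInfo]::InvariantCulture)
            }
        }
    }
}

function Start-DcSystemStateRecovery {
    param(
        [Parameter(Mandatory = $true)][string]$BackupTarget,
        [string]$MachineName,
        [string]$Version,                    # MM/DD/YYYY-HH:MM; omit for the newest backup
        [int]$TombstoneLifetimeDays = 180,   # assumed default; use your forest's value
        [switch]$AuthoritativeSysvol         # adds -authsysvol (see the Note above)
    )
    $versions = @(Get-WbadminVersion -BackupTarget $BackupTarget -MachineName $MachineName)
    if ($versions.Count -eq 0) { throw "No backups found on $BackupTarget" }
    if ($Version) {
        $chosen = $versions | Where-Object { $_.Version -eq $Version }
        if (-not $chosen) { throw "Version $Version is not in the list that wbadmin returned" }
    } else {
        $chosen = $versions | Sort-Object Taken -Descending | Select-Object -First 1
    }
    # A backup older than the tombstone lifetime must not be restored: objects
    # deleted since then would come back as lingering objects.
    $ageDays = ((Get-Date) - $chosen.Taken).TotalDays
    if ($ageDays -gt $TombstoneLifetimeDays) {
        throw ("Backup {0} is {1:N0} days old, older than the tombstone lifetime of {2} days." -f $chosen.Version, $ageDays, $TombstoneLifetimeDays)
    }
    $wbArgs = @('start', 'systemstaterecovery', "-version:$($chosen.Version)", "-backuptarget:$BackupTarget", '-quiet')
    if ($MachineName) { $wbArgs += "-machine:$MachineName" }
    if ($AuthoritativeSysvol) { $wbArgs += '-authsysvol' }
    # -quiet suppresses both Y prompts, including the one that asks you to
    # confirm that the SYSVOL replication engine has not changed since the
    # backup; verify that yourself before running this.
    Write-Host ('wbadmin ' + ($wbArgs -join ' '))
    & wbadmin.exe @wbArgs
    if ($LASTEXITCODE -ne 0) { throw "wbadmin exited with code $LASTEXITCODE" }
    return $chosen.Version
}

# Usage (placeholders):
#   Start-DcSystemStateRecovery -BackupTarget 'E:' -MachineName DC1
#   Start-DcSystemStateRecovery -BackupTarget 'E:' -Version '06/09/2008-02:00' -AuthoritativeSysvol
# Do not restart afterwards if an authoritative restore is to follow.
```

The age check is the one step the interactive procedure does not prompt for; a domain controller restored from a backup older than the tombstone lifetime reintroduces deleted objects that the rest of the domain no longer knows about.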

Additional references
• Restart the Domain Controller in Directory Services Restore Mode Locally
• Enable Remote Desktop
• Create a Remote Desktop Connection
• Restart the Domain Controller in Directory Services Restore Mode Remotely
• Performing Authoritative Restore of Active Directory Objects

Mark an application directory partition as authoritative

If you are performing an authoritative restore to recover deletions in an application directory partition, you must mark the application directory partition as authoritative. Marking an application directory partition as authoritative requires a different procedure from the procedure that you use to mark other Active Directory objects as authoritative. You can use this procedure to select the application directory partition that you want to replicate authoritatively to other domain controllers that host the application directory partition. This procedure has the following preliminary requirements:
• Before you perform this procedure, back up the domain controller that you are restoring. You should have a current, valid backup of the application directory partition before restoring, in case some object changes are lost as the result of changes that have occurred since the backup that you are using to restore the domain controller was made.
• If the entire application directory partition has been deleted, you must perform a nonauthoritative restore from backup on the domain naming operations master.
• You must have completed a nonauthoritative restore procedure, after which the domain controller has not been restarted and remains in Directory Services Restore Mode (DSRM).

The Ntdsutil functionality that is described in this procedure is available on domain controllers that are running Windows Server 2008. To perform authoritative restore on a domain controller that is running a version of Windows Server 2003, see Performing an Authoritative Restore of Active Directory Objects (http://go.microsoft.com/fwlink/?LinkId=44194).

If you are performing this procedure in DSRM, the Administrator password for DSRM is the minimum required to complete this procedure. If you are performing this procedure with AD DS stopped on the domain controller, membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To mark an application directory partition as authoritative
1. Open a Command Prompt.
2. At the command prompt, type the following command, and then press ENTER:
ntdsutil
3. At the ntdsutil: prompt, type activate instance ntds, and then press ENTER. For assistance with the Ntdsutil command-line tool, type help at any time.
4. At the ntdsutil: prompt, type authoritative restore, and then press ENTER.
5. At the authoritative restore: prompt, type list nc crs, and then press ENTER. Ntdsutil displays a list of directory partition distinguished names and their associated cross-reference object distinguished names. Note the cross-reference distinguished name and the application directory partition distinguished name that correspond to the application directory partition that you want to restore.
6. Type restore subtree <App Partition DN>, where <App Partition DN> is the distinguished name of the application directory partition that you want to restore, and then press ENTER.
7. In the confirmation dialog box, click Yes. The output message indicates the status of the operation. There should be no failures.
8. Type restore object <Cross Ref DN>, where <Cross Ref DN> is the distinguished name of the cross-reference object for the application directory partition that you want to restore, and then press ENTER.
9. In the confirmation dialog box, click Yes. The output message indicates the status of the operation. There should be no failures.
10. Quit the Ntdsutil tool by typing quit at each prompt.
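Steps 2 to 10 driven from PowerShell, with the cross-reference distinguished name looked up from the list nc crs output instead of copied by hand, as an added example (this script is not part of the Operations Guide). It assumes Windows Server 2008 or later Ntdsutil, that the domain controller is in DSRM (or has AD DS stopped) directly after a nonauthoritative restore, that the partition DN is a placeholder, that list nc crs prints each partition DN followed by a line that carries its cross-reference DN (which always lies under CN=Partitions,CN=Configuration,<forest root>), and that Ntdsutil still shows its Yes/No confirmation dialog for each restore command even when the commands are passed as arguments, so the operator answers Yes when it appears.

```powershell
# Added example, not part of the Operations Guide. Assumptions: Windows Server
# 2008 or later ntdsutil; DC in DSRM right after a nonauthoritative restore;
# 'list nc crs' output pairs each partition DN with a following line holding
# its cross-ref DN; the Yes/No confirmation dialog still appears and must be
# answered; DNs contain no spaces (ntdsutil would need quoting otherwise).

function Invoke-Ntdsutil {
    # One ntdsutil session; each string is one prompt entry, in order.
    param([Parameter(Mandatory = $true)][string[]]$Commands)
    $out = & ntdsutil.exe @Commands 2>&1
    if ($LASTEXITCODE -ne 0) { throw ("ntdsutil failed (exit code $LASTEXITCODE):`n" + ($out -join "`n")) }
    return $out
}

function Get-CrossRefDN {
    # Step 5: find the cross-reference object of the given partition.
    param([Parameter(Mandatory = $true)][string]$PartitionDN)
    $lines = Invoke-Ntdsutil @('activate instance ntds', 'authoritative restore', 'list nc crs', 'quit', 'quit')
    $pattern = '(^|\s)' + [regex]::Escape($PartitionDN) + '\s*$'
    $found = $false
    foreach ($line in $lines) {
        if (-not $found) {
            if ($line -match $pattern) { $found = $true }
            continue
        }
        if ($line -match '(CN=.+,CN=Partitions,CN=Configuration,.+?)\s*$') { return $Matches[1] }
    }
    throw ("No cross-reference found for ${PartitionDN}. Output of 'list nc crs':`n" + ($lines -join "`n"))
}

function Restore-AppPartitionAuthoritative {
    # Steps 6-9: mark the partition subtree and its cross-ref object authoritative.
    param(
        [Parameter(Mandatory = $true)][string]$PartitionDN,  # e.g. DC=AppData,DC=contoso,DC=com (placeholder)
        [string]$CrossRefDN                                  # looked up when omitted
    )
    if ($PartitionDN -match '\s') { throw 'This helper passes DNs unquoted; it supports DNs without spaces only.' }
    if (-not $CrossRefDN) { $CrossRefDN = Get-CrossRefDN -PartitionDN $PartitionDN }
    $out = Invoke-Ntdsutil @(
        'activate instance ntds', 'authoritative restore',
        "restore subtree $PartitionDN", "restore object $CrossRefDN",
        'quit', 'quit')
    $out | ForEach-Object { Write-Verbose $_ }
    # The guide's acceptance check: the output must report no failures.
    $failures = @($out | Where-Object { $_ -match 'fail|error' })
    if ($failures.Count -gt 0) { throw ("Authoritative restore reported problems:`n" + ($failures -join "`n")) }
    return New-Object PSObject -Property @{ Partition = $PartitionDN; CrossRef = $CrossRefDN; OutputLines = $out.Count }
}

# Usage (placeholder DN):
#   Restore-AppPartitionAuthoritative -PartitionDN 'DC=AppData,DC=contoso,DC=com' -Verbose
#   Restore-AppPartitionAuthoritative -PartitionDN 'DC=AppData,DC=contoso,DC=com' -CrossRefDN 'CN=AppData,CN=Partitions,CN=Configuration,DC=contoso,DC=com'
```

Looking the cross-reference up by its parent container rather than by position in the listing makes the helper robust to extra text in the output; if your Ntdsutil prints the listing differently, pass -CrossRefDN explicitly and the lookup is skipped.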

See Also
Backing Up Active Directory Domain Services

Performing a Full Server Recovery of a Domain Controller

When you perform a full server recovery, you recover all volumes from the backup set to the server. The procedure to perform full server recovery of a domain controller is the same as for any server running Windows Server 2008. Whenever you perform a full server recovery of a domain controller, you perform a nonauthoritative restore of Active Directory Domain Services (AD DS). You can use these procedures to perform full server recovery of a domain controller by using Windows Complete PC Restore (a graphical user interface (GUI) tool) or Wbadmin.exe from the command line.

Requirements for performing a full server recovery of a domain controller
Full server recovery of a domain controller has the following requirements:
• You must have a full server backup available. This type of backup contains all volumes that were on the server at the time that you made the backup.
• You can store the backup on a separate internal or external hard drive or on a DVD. If you performed a manual backup, you can perform a full server recovery from a network shared folder.
Note
Windows Server Backup does not enumerate drives that are not attached or turned on when you start the Recovery Wizard. If you attach or turn on a drive after you start the wizard, and you do not see it in the list of backup locations that you can restore from, close and then restart Windows Server Backup.
• You must have the Windows Server 2008 operating system DVD, or have Windows RE installed on a different partition than the critical partitions that are used by the domain controller that you are restoring.
• If you are recovering to new hardware, the new hardware must provide enough storage capacity to recover all volumes. In other words, the hard drives that you are recovering data to must be as large as, or larger than, the drives that are included in the backup set.

Performing a full server recovery of a domain controller by using the GUI
You can use this procedure to perform full server recovery of a domain controller with Windows Complete PC Restore. There are no administrative credential requirements. No authentication is performed when you start in Windows RE. Because anyone who can boot the server from installation media can therefore restore or replace its volumes, protect physical access to domain controllers and their firmware boot order.

To perform full server recovery of a domain controller (a nonauthoritative restore) by using the GUI
1. Insert the Windows Server 2008 installation DVD into the disk drive, and then restart the domain controller.
2. When you are prompted, press a key to start from the DVD.
3. At the initial Windows screen, accept or select language options, the time and currency format, and a keyboard layout, and then click Next.
4. At the Install now screen, click Repair your computer.
5. In the System Recovery Options dialog box, click anywhere to clear any operating systems that are selected for repair, and then click Next.
6. Under Choose a recovery tool, click Windows Complete PC Restore.
7. If the backup is stored on a remote server, a message indicates that Windows cannot find a backup on the hard disks or DVDs on this computer. Click Cancel to close the message.
8. Click Restore a different backup, and then click Next.
9. On the Select the location of the backup page, perform either set of the following steps, depending on whether the backup is stored locally or on a network shared folder:
a. If the backup is stored on the local computer, select the location of the backup, and then click Next.
Or
b. If the backup is stored on a network shared folder, click Advanced, and then click Search for a backup on the network.
c. Click Yes to confirm that you want to connect to the network.
d. In Network Folder, type the Universal Naming Convention (UNC) name for the network share, and then click OK.
e. Type credentials for a user account that has sufficient permissions to restore the backup, and then click OK.
f. On the Select the location of the backup page, click the location of the backup, and then click Next.
10. Click the backup to restore, and then click Next.
11. If you want to replace all data on all volumes, regardless of whether they are included in the backup, on the Choose how to restore the backup page, select the Format and repartition disks check box.
12. To prevent volumes that are not included in the restore from being deleted and re-created, click Exclude Disks, select the check box for the disks that you want to exclude, and then click OK.
13. Click Next, and then click Finish.
14. Select the I confirm that I want to format the disks and restore the backup check box, and then click OK.

Performing a full server recovery of a domain controller by using the command line
Use the following procedure to perform full server recovery of a domain controller from the command line. There are no administrative credential requirements. No authentication is performed when you start in Windows RE.

To perform full server recovery of a domain controller (a nonauthoritative restore) by using the command line
1. Insert the Windows Server 2008 installation DVD into the disk drive, and then restart the domain controller.
2. When you are prompted, press a key to start from the DVD.
3. At the initial Windows screen, accept or select language options, the time and currency format, and a keyboard layout, and then click Next.
4. At the Install now screen, click Repair your computer.
5. In the System Recovery Options dialog box, click anywhere to clear any operating systems that are selected for repair, and then click Next.
6. Under Choose a recovery tool, click Command Prompt.
7. At the Sources prompt, type diskpart, and then press ENTER.
8. At the DISKPART prompt, type list vol, and then press ENTER.
9. Identify the volume from the list that corresponds to the location of the full server backup that you want to restore. The drive letters in Windows RE do not necessarily match the volumes as they appear in Windows Server 2008.
10. Type exit, and then press ENTER.
11. At the Sources prompt, type the following command, and then press ENTER:
wbadmin get versions -backuptarget:<targetDrive>: -machine:<BackupComputerName>
Where:
• <targetDrive>: is the location of the backup that you want to restore.
• <BackupComputerName> is the name of the computer whose backup you want to recover. This parameter is required if the backup is stored on a remote computer.
12. Identify the version that you want to restore. You must enter this version exactly in the next step.
13. At the Sources prompt, type the following command, and then press ENTER:
wbadmin start sysrecovery -version:<MM/DD/YYYY-HH:MM> -backuptarget:<targetDrive>: -machine:<BackupComputerName> -restoreAllVolumes
Where:
• <MM/DD/YYYY-HH:MM> is the version of the backup that you want to restore.
• <targetDrive>: is the drive that contains the backup.
• <BackupComputerName> is the name of the computer whose backup you want to recover. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was taken.
14. When you are prompted, press Y to proceed with the restore process.
15. After the recovery operation has completed, minimize the command window, and then, in the System Recovery Options dialog box, click Restart.

Additional considerations
Be aware of the following issues when you perform a full server recovery of a domain controller:
• Wbadmin.exe does not require that you provide the recovery target. By specifying the backup version that you want to recover, the command proceeds to recover to the source location of the specified backup version.
• Backup files are named for the date and time of the backup. When you recover, the version must be stated in the form MM/DD/YYYY-HH:MM, which specifies the name of the backup that you want to recover.
• After the restore is completed, restart the server normally, and perform basic verification. When you restart the computer normally, AD DS and Active Directory Certificate Services (AD CS) automatically detect that they have been recovered from a backup. They perform an integrity check and index the database again.
• After you log on to the system, browse AD DS. Verify that the following conditions are met:
• All of the user objects and group objects that were present in the directory at the time of the backup are restored.
Note
Active Directory replication updates the objects that you restore with any changes that have been made to them since the time that the backup was taken.
• Files that were members of a File Replication Service (FRS) replica set and certificates that were issued by AD CS are present.
• The Windows Time service (W32time) is synchronized correctly.
• The NETLOGON and SYSVOL folders are properly shared.
• The Preferred DNS server address is configured correctly.
• Host (A) and service (SRV) resource records are registered correctly in Domain Name System (DNS).

4estoring a Domain Controller hrough 4einstallation and Subse0uent 4estore from $ackup
'f ou cannot restart a domain controller in Director Services *estore Mode "DS*M#( ou can restore it through reinstallation of the operating s stem and subseFuent restore of Active Director Domain Services "AD DS# from bac0up& After ou reinstall $indo%s Server 2008( perform a nonauthoritative restore of a s stem state or critical/volumes bac0up& Eou must have a previous bac0up for the failed domain controller( and the bac0up cannot be older than the tombstone lifetime for the forest& Eou do not have to ,oin the computer to the domain before ou perform the restore procedure& During the restore( the computer account is reestablished automaticall & Note Eou must perform the restore procedure b using the same bac0up tool %ith %hich the bac0up %as made& Procedures in this tas0 describe using $indo%s Server >ac0up to


restore AD DS, but you must use the tool that you used to create the backup file if it is not Windows Server Backup.
Task requirements
To perform the domain controller restore procedure, you must have the following information about the failed domain controller:
• Disk configuration. You need a record of the volumes and sizes of the disks and partitions. In the case of a complete disk failure, use this information to recreate the disk configuration. Windows Server 2008 must be reinstalled to the same drive letter and with at least the same amount of physical drive space as for the original installation. Before you restore the system state, you must recreate all disk configurations. Failure to recreate all disk configurations can cause the restore process to fail, and it can prevent you from starting the domain controller after the restore.
• Computer name. You need the computer name to restore a domain controller of the same name and avoid changing client configuration settings.
• DSRM Administrator password. You must know the DSRM Administrator password that was in use when the backup was created.
The following tools are required to perform the procedures for this task:
• Remote Desktop Connection (optional)
• Bcdedit.exe (optional)
• Wbadmin.exe

To complete this task, perform the following procedures:
1. After you configure the disks appropriately, install Windows Server 2008.
Note This guide does not provide information about installing Windows Server 2008. For information about installing Windows Server 2008, see Installing Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkID=111104).
2. Restart the server in DSRM by using one of the following methods:
Note Restarting a member server in DSRM is not possible in Windows Server 2003, but it is possible in Windows Server 2008.
Restart the Domain Controller in Directory Services Restore Mode Locally
Or
Restart the Domain Controller in Directory Services Restore Mode Remotely
3. Restore AD DS from Backup (Nonauthoritative Restore)
4. Verify AD DS restore


Restart the Domain Controller in Directory Services Restore Mode Locally
If you have physical access to a domain controller, you can restart the domain controller in Directory Services Restore Mode (DSRM) locally. Restarting in DSRM takes the domain controller offline. In this mode, the server is functioning as a member server, not as a domain controller. During installation of Active Directory Domain Services (AD DS), you set the Administrator password for logging on to the server in DSRM. When you start Windows Server 2008 in DSRM, you must log on by using this DSRM password for the local Administrator account.
Note By default, you must start a domain controller in DSRM to log on by using the DSRM Administrator account. However, on domain controllers that are running Windows Server 2008, you can change this behavior by modifying the DSRMAdminLogonBehavior registry entry. By changing the value for this entry, you can configure a domain controller so that you can log on to it with the DSRM Administrator account if the domain controller was started normally but the AD DS service is stopped for some reason. For more information about changing this registry entry, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=88649).
You can restart a domain controller in DSRM manually by pressing the F8 key during domain controller startup, which requires watching the startup and waiting for the appropriate point in the startup to press the key. This method is tedious and can waste time if you miss the brief window of opportunity for selecting the restart mode. On domain controllers that are running Windows Server 2008, tools are available that replace the Boot.ini file that is used in earlier versions of Windows Server to modify the boot configuration parameters and controls. You can use the Windows graphical user interface (GUI) or the command line to restart the domain controller in DSRM:
• Windows GUI: System Configuration (Msconfig.exe) is an administrative tool that you can use to configure boot and startup options, including restarting in DSRM and normal mode.
• Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot configuration on a server that is running Windows Server 2008. You can use Bcdedit with shutdown commands to instruct the domain controller to restart in DSRM and to restart normally.
When you are finished managing a domain controller in DSRM, if you have used System Configuration or Bcdedit.exe to restart the domain controller in DSRM, you must change the configuration so that the domain controller restarts in normal mode. Until you do, every restart returns the server to DSRM, and it does not function as a domain controller.


Note A benefit of using System Configuration or Bcdedit.exe to restart a domain controller into DSRM is that the domain controller cannot be inadvertently restarted into normal mode: it keeps starting in DSRM until you change the boot configuration back. This benefit is particularly useful when you are performing a nonauthoritative restore from backup followed by an authoritative restore, because both must be completed in DSRM.
You can also use System Configuration or Bcdedit.exe to restart a domain controller in DSRM remotely. To use System Configuration or Bcdedit.exe and Remote Desktop Connection to restart a domain controller in DSRM remotely, see Restart the Domain Controller in Directory Services Restore Mode Remotely.
Membership in the Domain Admins group is the minimum required to complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM are required to log on to the domain controller in DSRM. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Important If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).

Restarting the domain controller in DSRM locally
You can use either of the following methods to restart the domain controller in DSRM:
To restart a domain controller in DSRM locally by using the Windows GUI
1. On the Start menu, point to Administrative Tools, and then click System Configuration.
2. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK.
3. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM.
4. Perform procedures in DSRM.
5. When you have finished performing procedures in DSRM, restart the domain controller normally:
a. On the Start menu, point to Administrative Tools, and then click System Configuration.
b. On the General tab, in Startup selection, click Normal startup, and then click OK. The domain controller restarts normally.


To restart a domain controller in DSRM locally by using the command line
1. Click Start, click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, and then click OK.
2. At the command prompt, type the following command, and then press ENTER:
bcdedit /set safeboot dsrepair

3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r

4. When you are still in DSRM and you are ready to restart in normal mode, open a command prompt, type the following command, and then press ENTER:
bcdedit /deletevalue safeboot

5. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r

Value                            Description
bcdedit /set safeboot dsrepair   Configures the boot process to start in DSRM.
shutdown -t 0 -r                 Shuts down the server and restarts it.
bcdedit /deletevalue safeboot    Returns the boot process to the previous setting.
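The command-line procedure above, as an added PowerShell example (not code from the original guide): it applies the same bcdedit and shutdown commands, but reads the safeboot value back from bcdedit /enum before restarting, so the server is never rebooted with a setting that did not take, and the matching Exit-Dsrm function removes the value so the controller is not left booting into DSRM. Assumptions that are not in the guide: the boot entry is {current} (the entry bcdedit uses when no identifier is given, so the commands are equivalent to the ones above), and the bcdedit /enum line format "safeboot   DsRepair".

```powershell
# Added example, not part of the original guide: drive the bcdedit/shutdown steps from PowerShell
# and verify the boot setting before restarting. Run elevated on the domain controller
# (Domain Admins; on an RODC use the delegated RODC administrator account instead).
# Assumptions: the boot entry is {current}; bcdedit.exe and shutdown.exe are on PATH.

function Get-SafebootValue {
    # bcdedit /enum prints a line such as "safeboot                DsRepair" when DSRM boot is set,
    # and no safeboot line at all for normal startup (assumed output format).
    $output = bcdedit /enum '{current}' 2>&1
    foreach ($line in $output) {
        if ($line -match '^\s*safeboot\s+(\S+)\s*$') { return $Matches[1] }
    }
    return $null
}

function Restart-Now {
    param([int]$DelaySeconds)
    # Same as "shutdown -t 0 -r" in the procedure; a delay lets a remote session see the message first.
    shutdown /r /t $DelaySeconds
}

function Enter-Dsrm {
    param([int]$DelaySeconds = 0)
    if (-not (Get-Service -Name NTDS -ErrorAction SilentlyContinue)) {
        # A reinstalled server has no NTDS service yet; Windows Server 2008 still allows DSRM boot.
        Write-Warning 'NTDS service not found: this is a member server, not a domain controller.'
    }
    bcdedit /set '{current}' safeboot dsrepair | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /set failed (exit code $LASTEXITCODE); boot configuration unchanged." }
    $value = Get-SafebootValue
    if ($value -ne 'DsRepair') { throw "safeboot reads back as '$value' instead of DsRepair; not restarting." }
    Write-Host 'Boot configuration set to DSRM (Active Directory repair). Restarting.'
    Restart-Now -DelaySeconds $DelaySeconds
}

function Exit-Dsrm {
    param([int]$DelaySeconds = 0)
    bcdedit /deletevalue '{current}' safeboot | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /deletevalue failed (exit code $LASTEXITCODE); the server would boot into DSRM again." }
    if ($null -ne (Get-SafebootValue)) { throw 'safeboot is still present; not restarting.' }
    Write-Host 'Boot configuration returned to normal startup. Restarting.'
    Restart-Now -DelaySeconds $DelaySeconds
}

# Usage:
#   Enter-Dsrm                # from normal mode: next boot is DSRM
#   Exit-Dsrm -DelaySeconds 5 # from inside DSRM, when finished: next boot is normal
```

Exit-Dsrm deliberately refuses to restart while the safeboot value is still present; a domain controller that silently keeps booting into DSRM is offline for the domain without any replication error to draw attention to it.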

See Also
Restart the Domain Controller in Directory Services Restore Mode Remotely

Restart the Domain Controller in Directory Services Restore Mode Remotely
If you have remote access to a domain controller, you can restart the domain controller in Directory Services Restore Mode (DSRM) remotely. Remote access requires the user right to log on locally to a domain controller. Restarting in DSRM takes the domain controller offline. In this mode, the server is functioning as a member server, not as a domain controller. During installation of Active Directory Domain Services (AD DS), you set the Administrator password for logging on to the server in DSRM. When you start Windows Server 2008 in DSRM, you must log on by using this DSRM password for the local Administrator account.


Note By default, you must start a domain controller in DSRM to log on by using the DSRM Administrator account. However, on domain controllers that are running Windows Server 2008, you can change this behavior by modifying the DSRMAdminLogonBehavior registry entry. By changing the value for this entry, you can configure a domain controller so that you can log on to it with the DSRM Administrator account if the domain controller was started normally but the AD DS service is stopped for some reason. For more information about changing this registry entry, see the Windows Server 2008 Restartable AD DS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=88649).
On domain controllers that are running Windows Server 2008, tools are available that replace the Boot.ini file that is used in earlier versions of Windows Server to modify the boot configuration parameters and controls. You can use the Windows graphical user interface (GUI) or the command line to restart the domain controller in DSRM:
• Windows GUI: System Configuration (Msconfig.exe) is an administrative tool that you can use to configure boot and startup options, including restarting in DSRM and normal mode.
• Command line: Bcdedit.exe is a command-line tool that you can use to modify the boot configuration on a server that is running Windows Server 2008. You can use Bcdedit with shutdown commands to instruct the domain controller to restart in DSRM and to restart normally.
To restart the domain controller in DSRM remotely, you first use Remote Desktop Connection to connect to the domain controller while it is in normal startup mode. Remote Desktop Connection must be enabled on the target domain controller. After the domain controller has restarted, you can use Remote Desktop Connection to reconnect to the domain controller and then log on as the local Administrator, using the DSRM password. You can use this procedure to connect to a domain controller remotely, restart it in DSRM, and then reconnect to it as the DSRM administrator.
Membership in Domain Admins, or equivalent, is the minimum required to complete the System Configuration (Windows GUI) or Bcdedit (command-line) procedure. The Administrator account and password for DSRM and the user right to log on locally to a domain controller are required to log on to the domain controller in DSRM. Members of Account Operators, Administrators, Enterprise Admins, Domain Admins, Backup Operators, Print Operators, and Server Operators have the user right to log on locally to a domain controller by default. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Important If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. Logging on to an RODC with a domain administrative account exposes that account's credentials on a server that is deployed, by design, in a location with weaker physical security, and can compromise the account and the server. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).

To restart a domain controller in DSRM remotely by using the Windows GUI
1. Connect to the remote domain controller that is running in normal mode:
a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection.
b. In Computer, type the name of the domain controller that you want to restart, and then click Connect.
c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK.
d. When you are connected, log on to the domain controller as a domain administrator.
2. On the Start menu, point to Administrative Tools, and then click System Configuration.
3. On the Boot tab, in Boot options, select Safe boot, click Active Directory repair, and then click OK.
4. In the System Configuration dialog box, click Restart. The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped.
5. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection.
6. The domain controller name should still be showing in Computer. If it is not, select it from the list, and then click Connect.
7. In the Windows Security dialog box, click Use another account.
8. In User name, type the following: MachineName\Administrator
Where MachineName is the name of the domain controller.
9. In Password, type the DSRM password, and then click OK.
10. At the logon screen of the remote domain controller, click Switch User, and then click Other User.
11. Type MachineName\Administrator, and then press ENTER.
12. Perform procedures in DSRM.
13. When you have finished performing procedures in DSRM, restart the domain controller normally:
a. On the Start menu, point to Administrative Tools, and then click System Configuration.
b. On the General tab, in Startup selection, click Normal startup, and then click OK. The domain controller restarts normally. This procedure will disconnect your remote session.


To restart a domain controller in DSRM remotely by using the command line
1. Connect to the remote domain controller that is running in normal mode:
a. On the Start menu, click All Programs, click Accessories, and then click Remote Desktop Connection.
b. In Computer, type the name of the domain controller that you want to restart, and then click Connect.
c. In the Windows Security dialog box, provide credentials for a domain administrator, and then click OK.
d. When you are connected, log on to the domain controller as a domain administrator.
2. Open a command prompt. At the command prompt, type the following command, and then press ENTER:
bcdedit /set safeboot dsrepair

3. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r

The domain controller restarts in DSRM. When the domain controller restarts, your Remote Desktop Connection is dropped.
4. Wait for a period of time that is adequate for the remote domain controller to restart, and then open Remote Desktop Connection.
5. The domain controller name should still be showing in Computer. If it is not, select it in the list, and then click Connect.
6. In the Windows Security dialog box, click Use another account.
7. In User name, type the following: MachineName\Administrator
Where MachineName is the name of the domain controller.
8. In Password, type the DSRM password, and then click OK.
9. At the logon screen of the remote domain controller, click Switch User, and then click Other User.
10. Type MachineName\Administrator, and then press ENTER.
11. Perform procedures in DSRM.
12. When you have finished performing procedures in DSRM, restart the domain controller normally:
a. In DSRM, open a command prompt, type the following command, and then press ENTER:
bcdedit /deletevalue safeboot

b. At the command prompt, type the following command, and then press ENTER:
shutdown -t 0 -r

The domain controller restarts normally. This procedure will disconnect your remote session.
Value                            Description
bcdedit /set safeboot dsrepair   Configures the boot process to start in DSRM.
shutdown -t 0 -r                 Shuts down the server and restarts it.
bcdedit /deletevalue safeboot    Returns the boot process to the previous setting.

See Also
Enable Remote Desktop
Create a Remote Desktop Connection
Restart the Domain Controller in Directory Services Restore Mode Locally

Restore AD DS from Backup (Nonauthoritative Restore)
Nonauthoritative restore from backup restores Active Directory Domain Services (AD DS) from its current state to the previous state of a backup. Use this procedure before you perform an authoritative restore procedure to recover objects that were deleted after the time of the backup. To restore AD DS from backup, use a system state or critical-volumes backup. To restore AD DS from backup, you must restart the domain controller in Directory Services Restore Mode (DSRM).
Note If you are logging on to a read-only domain controller (RODC) locally or remotely, do not use a domain administrative account. Use only the delegated RODC administrator account. For more information about access to RODCs, see the Step-by-Step Guide for Read-only Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=92728).
Be sure that you know the name and location of the version of the backup that you are restoring. Backup files are named for the date and time of the backup. When you restore the backup, the version must be stated in the form MM/DD/YYYY-HH:MM (month/day/year-hour:minute), which specifies the name of the backup that you want to restore. The Wbadmin.exe command-line tool does not require that you provide the target for the recovery. By specifying the backup version that you want to recover, the command proceeds to recover to the source location of the backup version that you specify.


Note The systemstaterecovery command in Wbadmin.exe causes a nonauthoritative restore of SYSVOL by default (only updates to SYSVOL since the time of the backup are replicated to the recovery domain controller). If you want to restore SYSVOL authoritatively (all of SYSVOL is replicated from the recovery domain controller to other domain controllers in the domain), specify the -authsysvol option in the command.
The Administrator password for DSRM is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
The server must be running in DSRM.
To perform a nonauthoritative restore of AD DS
1. At the Windows logon screen, click Switch User, and then click Other User.
2. Type .\administrator as the user name, type the DSRM password for the server, and then press ENTER.
3. Open a Command Prompt.
4. At the command prompt, type the following command, and then press ENTER:
wbadmin get versions -backuptarget:<targetDrive>: -machine:<BackupComputerName>

Where:
• <targetDrive>: is the location of the backup that you want to restore.
• <BackupComputerName> is the name of the computer whose backup you want to recover. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was made.
5. Identify the backup version that you want to restore. You must enter this backup version exactly in the next step.
6. At the command prompt, type the following command, and then press ENTER:
wbadmin start systemstaterecovery -version:<MM/DD/YYYY-HH:MM> -backuptarget:<targetDrive>: -machine:<BackupComputerName> -quiet

Where:
• <MM/DD/YYYY-HH:MM> is the version of the backup that you want to restore.
• <targetDrive>: is the volume that contains the backup.
• <BackupComputerName> is the name of the computer whose backup you want to recover. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was taken.
If you do not specify the -quiet parameter, you are prompted to press Y to proceed with the restore process and then press Y to confirm that the replication engine for SYSVOL has not changed since you created the backup.


After the recovery operation is complete, if you are not going to perform an authoritative restore of any restored objects, restart the server.
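The restore procedure above, together with the tombstone-lifetime constraint stated in the task introduction, as an added PowerShell example (not code from the original guide). It lists the backup versions that wbadmin can see, rejects any that are older than the forest's tombstone lifetime, and assembles the systemstaterecovery command for the newest usable one. Assumptions that are not in the guide: the placeholder values for $BackupTarget, $BackupMachine and $HealthyDc; the "Version identifier: MM/DD/YYYY-HH:MM" line format of wbadmin get versions; PowerShell 3.0 or later; and that a healthy domain controller is reachable for reading tombstoneLifetime (pass -TombstoneLifetimeDays when it is not, for example on a freshly reinstalled server that has not joined the domain).

```powershell
# Added example, not part of the original guide. Run in DSRM on the recovery domain controller.
# Lists the backups wbadmin can see, discards any older than the forest tombstone lifetime
# (such a backup must not be restored) and runs the nonauthoritative system state restore
# on the newest usable version. Placeholders: $BackupTarget, $BackupMachine, $HealthyDc.
param(
    [string]$BackupTarget  = 'E:',                 # volume that holds the backup
    [string]$BackupMachine = $env:COMPUTERNAME,    # name the backup was taken under
    [string]$HealthyDc     = 'dc2.corp.example',   # used only to read tombstoneLifetime (placeholder)
    [int]$TombstoneLifetimeDays = 0,               # override when no healthy DC is reachable
    [switch]$AuthoritativeSysvol,                  # adds -authsysvol
    [switch]$Execute                               # without it the script only prints the command
)

function Get-TombstoneLifetimeDays {
    param([string]$Server)
    try {
        $root = [ADSI]"LDAP://$Server/RootDSE"
        $cfg  = $root.Get('configurationNamingContext')
        $ds   = [ADSI]"LDAP://$Server/CN=Directory Service,CN=Windows NT,CN=Services,$cfg"
        $tsl  = $ds.psbase.Properties['tombstoneLifetime'].Value
        if ($tsl) { return [int]$tsl }
        return 60                       # attribute not set: AD DS uses 60 days
    } catch {
        Write-Warning "Could not read tombstoneLifetime from $Server ($_); assuming 60 days."
        return 60
    }
}

function Get-WbadminVersions {
    param([string]$Target, [string]$Machine)
    $wbArgs = @('get', 'versions', "-backupTarget:$Target", "-machine:$Machine")
    $output = & wbadmin @wbArgs 2>&1
    foreach ($line in $output) {
        # assumed output line: "Version identifier: 04/10/2008-16:30"
        if ($line -match '^\s*Version identifier:\s*(\d{2}/\d{2}/\d{4}-\d{2}:\d{2})') {
            [pscustomobject]@{
                Version = $Matches[1]   # passed back to wbadmin verbatim, as step 5 requires
                Taken   = [datetime]::ParseExact($Matches[1], 'MM/dd/yyyy-HH:mm', [cultureinfo]::InvariantCulture)
            }
        }
    }
}

$tsl = if ($TombstoneLifetimeDays -gt 0) { $TombstoneLifetimeDays } else { Get-TombstoneLifetimeDays -Server $HealthyDc }
$versions = @(Get-WbadminVersions -Target $BackupTarget -Machine $BackupMachine | Sort-Object Taken -Descending)
if ($versions.Count -eq 0) { throw "wbadmin found no backups of $BackupMachine on $BackupTarget." }

$now    = Get-Date
$usable = @($versions | Where-Object { ($now - $_.Taken).TotalDays -lt $tsl })
foreach ($v in $versions) {
    $age = [int]($now - $v.Taken).TotalDays
    $verdict = if ($age -lt $tsl) { 'usable' } else { 'older than tombstone lifetime' }
    Write-Host ('{0}  age {1,4} days  {2}' -f $v.Version, $age, $verdict)
}
if ($usable.Count -eq 0) {
    throw "No backup is newer than the tombstone lifetime ($tsl days); restoring one would reintroduce lingering objects."
}

$chosen = $usable[0]
$restoreArgs = @('start', 'systemstaterecovery', "-version:$($chosen.Version)",
                 "-backupTarget:$BackupTarget", "-machine:$BackupMachine", '-quiet')
if ($AuthoritativeSysvol) { $restoreArgs += '-authsysvol' }
Write-Host "Command: wbadmin $($restoreArgs -join ' ')"
if ($Execute) {
    & wbadmin @restoreArgs
    if ($LASTEXITCODE -ne 0) { throw "wbadmin exited with code $LASTEXITCODE." }
}
```

The script passes -quiet, which skips the two confirmation prompts described above; if the SYSVOL replication engine may have changed since the backup (for example a migration from FRS to DFS Replication), remove -quiet from $restoreArgs and answer the second prompt deliberately.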

Additional references
• Restart the Domain Controller in Directory Services Restore Mode Locally
• Enable Remote Desktop
• Create a Remote Desktop Connection
• Restart the Domain Controller in Directory Services Restore Mode Remotely
• Performing Authoritative Restore of Active Directory Objects

Verify AD DS restore
After you complete a restore of Active Directory Domain Services (AD DS), you can use this procedure to verify the restore.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To verify an Active Directory restore from backup
1. After the restore operation completes, restart the computer in Start Windows Normally mode. If you used Bcdedit.exe to configure startup in Directory Services Restore Mode (DSRM), see Restart the Domain Controller in Directory Services Restore Mode Remotely or Restart the Domain Controller in Directory Services Restore Mode Locally for information about changing the configuration back to normal startup mode.
2. After you are able to log on to the system, perform the following verification steps:
At a command prompt, use the repadmin /showsigs command to verify that the invocation ID has changed. The invocation ID is the directory database globally unique identifier (GUID), which the Directory System Agent (DSA) uses to identify the version of the database. The invocation ID changes during the Active Directory restore process to ensure the consistency of the replication process. Verify that the previous entry appears in the retired signatures list.
At a command prompt, use the repadmin /showrepl command to verify that there are no replication errors and all directory partitions are replicating properly with the required replication partners. You can determine the replication partners by selecting the NTDS Settings object for the restored server in Active Directory Sites and Services.
At a command prompt, use the net share command to verify that the NETLOGON and SYSVOL shares appear.
At a command prompt, use the dcdiag command to verify success of all tests on the domain controller.

Use Active Directory Users and Computers to verify that the deleted objects that you wanted to recover from the backup are restored. If you have a Volume Shadow Copy Service (VSS) snapshot of the database, you can use the Active Directory database mounting tool (Dsamain.exe) to mount the database and view it through Active Directory Users and Computers to compare the objects. For information about the Active Directory database mounting tool, see the Step-by-Step Guide for Using the Active Directory Database Mounting Tool in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=103333).
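The command-line checks of step 2 above, as an added PowerShell example (not code from the original guide): one function that runs repadmin, net share and dcdiag on the restored domain controller and reports pass or fail per check instead of leaving four tool outputs to read by eye. Assumptions that are not in the guide: repadmin /showsigs prints the current invocation ID and every retired one as GUIDs; repadmin /showrepl /csv has "Number of Failures", "Naming Context", "Source DSA" and "Last Failure Status" columns; dcdiag /q prints nothing when every test passes; PowerShell 3.0 or later.

```powershell
# Added example, not part of the original guide: the step-2 verification as one function.
# Run elevated on the restored DC after the normal-mode restart (Domain Admins or equivalent).
function Test-RestoredDc {
    param([string]$Dc = $env:COMPUTERNAME)
    $r = [ordered]@{}

    # 1. Invocation ID. A restore retires the old ID, so at least two distinct GUIDs must appear
    #    (assumed: /showsigs prints the current ID and the retired ones as GUIDs).
    $sigs  = (repadmin /showsigs $Dc 2>&1) -join "`n"
    $guids = [regex]::Matches($sigs, '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}') |
             ForEach-Object { $_.Value.ToLower() } | Select-Object -Unique
    $r['InvocationIdRetired'] = (@($guids).Count -ge 2)

    # 2. Replication. Every row of /showrepl /csv must report zero failures; if the output is not
    #    CSV at all (repadmin itself failed), the check fails rather than passing by accident.
    $rows      = @(repadmin /showrepl $Dc /csv 2>&1 | ConvertFrom-Csv)
    $hasColumn = ($rows.Count -gt 0) -and ($rows[0].PSObject.Properties.Name -contains 'Number of Failures')
    $failing   = @($rows | Where-Object { $hasColumn -and [int]$_.'Number of Failures' -gt 0 })
    $r['ReplicationClean']    = $hasColumn -and ($failing.Count -eq 0)
    $r['ReplicationFailures'] = ($failing | ForEach-Object {
        "$($_.'Naming Context') from $($_.'Source DSA'): $($_.'Last Failure Status')" }) -join '; '

    # 3. Shares. net share lists one share per line, share name first.
    $shares = net share 2>&1
    $r['NetlogonShared'] = [bool]($shares -match '^NETLOGON\s')
    $r['SysvolShared']   = [bool]($shares -match '^SYSVOL\s')

    # 4. dcdiag. With /q only failures are printed, so empty output means every test passed.
    $dcdiagOut = @(dcdiag /s:$Dc /q 2>&1 | Where-Object { "$_".Trim() -ne '' })
    $r['DcdiagClean']  = ($dcdiagOut.Count -eq 0)
    $r['DcdiagOutput'] = ($dcdiagOut -join "`n")

    $r['AllChecksPassed'] = $r['InvocationIdRetired'] -and $r['ReplicationClean'] -and
                            $r['NetlogonShared'] -and $r['SysvolShared'] -and $r['DcdiagClean']
    [pscustomobject]$r
}

# Usage: Test-RestoredDc | Format-List
```

Run it a second time after the first replication cycle if ReplicationClean is false immediately after the restart: the restored controller needs one successful inbound cycle per partition before /showrepl stops reporting the pre-restore failures.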

Restoring a Domain Controller Through Reinstallation
Restoring a domain controller through reinstallation is the same process as creating a new domain controller. It does not involve restoring from backup. This method relies on Active Directory replication to restore a domain controller to a working state, and it is valid only if another healthy domain controller exists in the same domain. This method is normally used on computers that function only as domain controllers. Restoring through reinstallation is the only method by which a domain controller that is not part of the backup set can be restored. In addition, you might decide to use this method instead of a nonauthoritative restore because backup media is inaccessible or because this method is more convenient. Restoring a domain controller through reinstallation should not be a substitute for regular backup routines.
This method of restoring a domain controller requires a complete reinstallation of the operating system. We recommend that, before you install the operating system, you format the entire system disk, which removes all information on the system disk. Ensure that any important or relevant data is moved or backed up before you format the disk.
Bandwidth is the primary consideration for restoring a domain controller through reinstallation. The bandwidth that is required is directly proportional to the size of the Active Directory database and the time in which the domain controller is required to be in a functioning state. Ideally, the existing functional domain controller should be located in the same Active Directory site as the replicating domain controller (the new domain controller) to reduce the impact on the network and the time that the reinstallation takes to complete.
Note Before you restore a domain controller through reinstallation, ensure that hardware failure is not the cause of the problem. If faulty hardware is not changed, restoring through reinstallation might not solve the problems with the domain controller.
Task requirements
The following tools are required to perform the procedures for this task:
• Ntdsutil.exe

• Dcdiag.exe
• Dcpromo.exe

To complete this task, perform the following procedures:
1. Use the following procedure to clean up server metadata to remove the NTDS Settings object of the failed domain controller: Clean Up Server Metadata
If you plan to give the new domain controller a different name from the name of the failed domain controller, in addition to cleaning up server metadata perform the following procedure: Delete a Server Object from a Site
2. Install Windows Server 2008. A fresh installation of Windows Server 2008 is assumed. Prepare for installation of the operating system by partitioning or reformatting the hard disk drive, if necessary.
Note This guide does not provide information about installing Windows Server 2008. For information about installing Windows Server 2008, see Installing Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkID=111104).
3. Verify DNS Registration and TCP/IP Connectivity
4. Verify the Availability of the Operations Masters
5. Install an Additional Domain Controller by Using the Windows Interface
During the installation process, replication occurs, which ensures that the domain controller has an accurate and up-to-date copy of Active Directory Domain Services (AD DS). You have the option to use the same information for this domain controller as the domain controller that it is replacing: site placement, domain controller name, and domain membership should remain the same. If you plan to install the domain controller under a different name, see Installing a Domain Controller in an Existing Domain.
6. After you install AD DS, see Verifying Active Directory Installation and perform procedures for verification of the installation.

Clean Up Server Metadata
Metadata cleanup is a required procedure after a forced removal of Active Directory Domain Services (AD DS). You perform metadata cleanup on a domain controller in the domain of the domain controller that you forcibly removed. Metadata cleanup removes data from AD DS that identifies a domain controller to the replication system. Metadata cleanup also removes File Replication Service (FRS) and Distributed File System (DFS) Replication connections and attempts to transfer or seize any operations master (also known as flexible single master operations or FSMO) roles that the retired domain controller holds. These additional processes are performed automatically. You can use this procedure to clean up server metadata for a domain controller from which you have forcibly removed AD DS.

On domain controllers that are running Windows Server 2008, you can use Active Directory Users and Computers to clean up server metadata. In this procedure, deleting the computer object in the Domain Controllers organizational unit (OU) initiates the cleanup process, which proceeds automatically. You can also perform metadata cleanup by using Ntdsutil.exe, a command-line tool that is installed automatically on all domain controllers. You can perform this procedure on a domain controller that is running Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), Windows Server 2003 R2, or Windows Server 2008. For information about performing metadata cleanup on domain controllers that are running earlier versions of Windows Server, see "Clean up server metadata" in the Windows Server 2003 Operations Guide (http://go.microsoft.com/fwlink/?LinkId=104231). You can also use a script to clean up server metadata on most Windows operating systems. For information about using this script, see Remove Active Directory Domain Controller Metadata (http://go.microsoft.com/fwlink/?LinkID=123599).
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To clean up server metadata by using Active Directory Users and Computers
1. Open Active Directory Users and Computers: On the Start menu, point to Administrative Tools, and then click Active Directory Users and Computers.
2. If you have identified replication partners in preparation for this procedure, and if you are not connected to a replication partner of the removed domain controller whose metadata you are cleaning up, right-click Active Directory Users and Computers [DomainControllerName], and then click Change Domain Controller. Click the name of the domain controller from which you want to remove the metadata, and then click OK.
3. Expand the domain of the domain controller that you forcibly removed, and then click Domain Controllers.
4. In the details pane, right-click the computer object of the domain controller whose metadata you want to clean up, and then click Delete.
5. In the Active Directory Domain Services dialog box, click Yes to confirm the computer object deletion.
6. In the Deleting Domain Controller dialog box, select This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO), and then click Delete.
7. If the domain controller is a global catalog server, in the Delete Domain Controller dialog box, click Yes to continue with the deletion.
8. If the domain controller currently holds one or more operations master (also known as flexible single master operations or FSMO) roles, click OK to move the role or roles to the domain controller that is shown. You cannot change this domain controller. If you want to move the role to a different

domain controller, you must move the role after you complete the server metadata cleanup procedure.
To clean up server metadata by using Ntdsutil
1. Open a command prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Enterprise Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
ntdsutil

3. At the ntdsutil: prompt, type the following command, and then press ENTER:
metadata cleanup

4. At the metadata cleanup: prompt, type the following command, and then press ENTER:
remove selected server <ServerName>
Or
remove selected server <ServerName1> on <ServerName2>

Value                           Description
ntdsutil                        Starts the Ntdsutil.exe command-line tool.
metadata cleanup                Initiates removal of objects that refer to a decommissioned domain controller.
remove selected server          Removes objects for a specified, decommissioned domain controller from a specified server.
<ServerName> or <ServerName1>   The distinguished name of the domain controller whose metadata you want to remove, in the form cn=ServerName,cn=Servers,cn=SiteName,cn=Sites,cn=Configuration,dc=ForestRootDomain. If you specify only one server name, the objects are removed from the current domain controller.
on <ServerName2>                Specifies removing server metadata on <ServerName2>, the Domain Name System (DNS) name of the domain controller to which you want to connect. If you have identified replication partners in preparation for this procedure, specify a domain controller that is a replication partner of the removed domain controller.

5. In Server Remove Configuration Dialog, review the information and warning, and then click Yes to remove the server object and metadata.

At this point( 9tdsutil confirms that the domain controller %as removed successfull & 'f ou receive an error message that indicates that the ob,ect cannot be found( the domain controller might have been removed earlier& :& At the metadata
c"eanup:

and ntdsuti": prompts( t pe quit( and then press 19T1*&

<& To confirm removal of the domain controller: 4pen Active Director )sers and Computers& 'n the domain of the removed domain controller( clic0 Domain Controllers& 'n the details pane( an ob,ect for the domain controller that ou removed should not appear& 4pen Active Director Sites and Services& 9avigate to the Servers container and confirm that the server ob,ect for the domain controller that ou removed does not contain an 9TDS Settings ob,ect& 'f no child ob,ects appear belo% the server ob,ect( ou can delete the server ob,ect& 'f a child ob,ect appears( do not delete the server ob,ect because another application is using the ob,ect&

See Also
Delete a Server Object from a Site

Delete a Server Object from a Site
When you remove a domain controller from service by uninstalling Active Directory Domain Services (AD DS), the domain controller object is removed from the domain directory partition automatically. You can check this deletion by looking in the Domain Controllers container in the Active Directory Users and Computers snap-in. The server object, which represents the domain controller in the configuration directory partition, can have child objects and is therefore not removed automatically. When no child objects are visible below the server object in Active Directory Sites and Services, you can use this procedure to remove the server object.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To delete a server object from a site
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue.
2. In the console tree, expand the Sites container, and then expand the site from which you want to delete a server object.
3. If no child objects appear below the server object, right-click the server object, and then click Delete.
Important
Do not delete a server object that has a child object. If an NTDS Settings object appears below the server object you want to delete, either replication on the domain controller on which you are viewing the configuration container has not occurred or the server whose server object you are removing has not been properly decommissioned. If a child object other than NTDS Settings appears below the server object that you want to delete, another application has published the object. You must contact an administrator for the application and determine the appropriate action to remove the child object.
4. Click Yes to confirm your choice.
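Step 7 of the Ntdsutil procedure and the child-object rule in the procedure above are checks an administrator repeats after every forced removal, so here is an added PowerShell example, not code from this guide or from Microsoft, that performs them. It assumes the ActiveDirectory PowerShell module, which ships with RSAT from Windows Server 2008 R2 onward rather than with the Windows Server 2008 tools this guide describes, and Domain Admins rights. The parameter names, the optional delete switch and the placeholder names in the comments are assumptions you replace with your own values.

```powershell
<#
 Added example, not code from the AD DS Operations Guide.
 Confirms that metadata cleanup for a removed domain controller is complete and,
 only when asked, deletes the now-empty server object from its site.
 Assumes: the ActiveDirectory module (RSAT-AD-PowerShell, Windows Server 2008 R2 or
 later), a domain-joined machine, and Domain Admins (or equivalent) rights.
 Names in the comments are placeholders.
#>
param(
    [Parameter(Mandatory = $true)] [string] $RemovedDcName,   # e.g. DC03 (placeholder)
    [Parameter(Mandatory = $true)] [string] $SiteName,        # e.g. Default-First-Site-Name (placeholder)
    [switch] $DeleteEmptyServerObject                         # delete the server object if it has no children
)

Import-Module ActiveDirectory -ErrorAction Stop

$domain   = Get-ADDomain
$forest   = Get-ADForest
$configNC = (Get-ADRootDSE).configurationNamingContext
$problems = @()

# 1. Domain partition: the computer object must be gone from the Domain Controllers OU.
$computer = Get-ADObject -LDAPFilter "(&(objectClass=computer)(cn=$RemovedDcName))" `
                         -SearchBase $domain.DomainControllersContainer
if ($computer) {
    $problems += "Computer object still present: $($computer.DistinguishedName)"
}

# 2. Configuration partition: the server object must have no NTDS Settings (nTDSDSA) child.
$serverDn = "CN=$RemovedDcName,CN=Servers,CN=$SiteName,CN=Sites,$configNC"
$server   = Get-ADObject -Identity $serverDn -ErrorAction SilentlyContinue
if ($server) {
    $children = @(Get-ADObject -SearchBase $serverDn -SearchScope OneLevel -Filter *)
    $ntds     = @($children | Where-Object { $_.ObjectClass -eq 'nTDSDSA' })
    if ($ntds.Count -gt 0) {
        $problems += "NTDS Settings still present under $serverDn (cleanup incomplete or not yet replicated)"
    } elseif ($children.Count -gt 0) {
        # Another application published these objects: the server object must stay.
        $names = ($children | ForEach-Object { $_.Name }) -join ', '
        $problems += "Server object has non-NTDS child objects, do not delete: $names"
    } elseif ($DeleteEmptyServerObject) {
        Remove-ADObject -Identity $serverDn -Confirm:$false
        Write-Output "Deleted empty server object $serverDn"
    } else {
        Write-Output "Server object $serverDn has no child objects and can be deleted"
    }
} else {
    Write-Output "No server object found at $serverDn"
}

# 3. Operations master roles: none may still name the removed domain controller.
$roleHolders = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
foreach ($role in $roleHolders.Keys) {
    $holder = [string] $roleHolders[$role]
    if ($holder -eq $RemovedDcName -or $holder -like "$RemovedDcName.*") {
        $problems += "$role is still assigned to $holder; move it to a live domain controller"
    }
}

if ($problems.Count -eq 0) {
    Write-Output "Metadata cleanup for $RemovedDcName verified: no stale objects or role assignments found"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it from any domain-joined machine, for example as .\Confirm-DcRemoval.ps1 -RemovedDcName DC03 -SiteName Default-First-Site-Name (the script and server names are placeholders), and add -DeleteEmptyServerObject only after the NTDS Settings check passes, which is the same condition the manual procedure requires before you click Delete. A remaining NTDS Settings object can also mean that the cleanup has not yet replicated to the domain controller you are querying, so repeat the check against the domain controller on which you ran Ntdsutil before treating it as a failure.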

See Also
Decommissioning a Domain Controller
Forcing the Removal of a Domain Controller

Verify DNS Registration and TCP/IP Connectivity
You can use the Dcdiag command-line tests in this procedure to verify that a server can successfully connect to domain controllers in the same site or in the enterprise and to verify that Domain Name System (DNS) is functioning. By default, all Dcdiag tests verify TCP/IP connectivity for both IP version 4 (IPv4) and IP version 6 (IPv6).
Note
Dcdiag is installed with Active Directory Domain Services (AD DS) by default. To perform this test on a server that is not a domain controller, you must install Dcdiag. For information about installing Dcdiag, see Installing Remote Server Administration Tools for AD DS.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To verify DNS registration and TCP/IP connectivity
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, and then click OK.
2. At the command prompt, type the following command, and then press ENTER:
dcdiag /test:dns


Note
For a more detailed response from this command, add /v to the end of the command.

If the test fails, do not attempt any additional steps until you determine and fix the problem that prevents proper DNS functionality.

Verify the Availability of the Operations Masters
You can use this procedure to verify that the domain controllers that hold the operations master (also known as flexible single master operations or FSMO) roles can be located and that they are online and responding. You can use the tests in this procedure before you install Active Directory Domain Services (AD DS) as well as afterward. However, if you perform this procedure before you install AD DS, you must do the following:
• First, use Server Manager to add the Active Directory Domain Services server role. This part of the installation procedure installs the Dcdiag.exe command-line tool. Perform this procedure after you add the server role but before you run Dcpromo.exe.
• Use the /s command option to indicate the name of an existing domain controller in the domain of the new domain controller. This domain controller is required to verify the ability of the server to connect to operations master role holders in the domain and forest.
You do not have to use the /s option if you perform the test in this procedure after you install AD DS. The test automatically runs on the local domain controller where you are performing the test. The commands in this procedure show the /s option. If you are performing this test after you install AD DS, omit the /s option. For a more detailed response from this command, you can use the verbose option by adding /v to the end of the command.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To verify the availability of the operations masters
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
2. At the command prompt, type the following command to ensure that the operations masters can be located, and then press ENTER:
dcdiag /s:<DomainControllerName> /test:knowsofroleholders /v


where <DomainControllerName> is the name of an existing domain controller in the domain in which you want to add the new domain controller. The verbose option provides a detailed list of the operations masters that were tested. Near the bottom of the screen, a message confirms that the test succeeded. If you use the verbose option, look carefully at the bottom part of the displayed output. The test confirmation message appears immediately after the list of operations masters.
3. Type the following command to ensure that the operations masters are functioning properly and available on the network, and then press ENTER:
dcdiag /s:<DomainControllerName> /test:fsmocheck

where <DomainControllerName> is the name of a domain controller in the domain in which you want to add the new domain controller. The verbose option provides a detailed list of the operations masters that were tested as well as other important servers, such as global catalog servers and time servers. Near the bottom of your screen, a message confirms that the test succeeded. If these tests fail, do not attempt any additional steps until you fix the problem that prevents the location of operations masters and you can verify that they are functioning properly.
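Dcdiag reports the outcome of each test in its text output, so a script that runs the tests from the two procedures above has to read the "passed test" and "failed test" lines rather than rely on a return value. The following is an added PowerShell example, not code from this guide or from Microsoft, that runs the DNS, KnowsOfRoleHolders and FsmoCheck tests in that order and stops at the first failure, as both procedures direct. It assumes dcdiag.exe is on the path (installed with AD DS or with RSAT), English-language Dcdiag output, and Domain Admins rights; the function name and the placeholder domain controller name in the usage lines are assumptions.

```powershell
<#
 Added example, not code from the AD DS Operations Guide.
 Runs the Dcdiag tests from the two procedures above (DNS, KnowsOfRoleHolders,
 FsmoCheck) in order and stops at the first failure, as the procedures direct.
 Assumes dcdiag.exe is on the path (installed with AD DS or with RSAT), English
 Dcdiag output, and Domain Admins (or equivalent) rights. The function name and the
 placeholder domain controller name in the usage lines are assumptions.
#>
function Invoke-DcPrereqDiag {
    param(
        # Existing domain controller to pass with /s: when running before AD DS is
        # installed on this server; omit it afterward so the local DC is tested.
        [string] $SourceDc,
        [switch] $Detailed   # adds /v, the verbose option
    )

    $tests   = 'DNS', 'KnowsOfRoleHolders', 'FsmoCheck'
    $summary = @()

    foreach ($test in $tests) {
        $dcdiagArgs = @("/test:$test")
        if ($SourceDc) { $dcdiagArgs += "/s:$SourceDc" }
        if ($Detailed) { $dcdiagArgs += '/v' }

        # Capture stdout and stderr as one string so the result lines can be searched.
        $output = & dcdiag.exe @dcdiagArgs 2>&1 | Out-String

        # Each test ends with "......... <target> passed test <Name>" or "... failed test <Name>".
        $failed = @([regex]::Matches($output, 'failed test (\w+)') | ForEach-Object { $_.Groups[1].Value })
        $passed = @([regex]::Matches($output, 'passed test (\w+)') | ForEach-Object { $_.Groups[1].Value })

        $result = New-Object PSObject -Property @{
            Test        = $test
            Passed      = ($failed.Count -eq 0 -and $passed.Count -gt 0)
            FailedTests = (($failed | Sort-Object -Unique) -join ', ')
            Output      = $output
        }
        $summary += $result

        if (-not $result.Passed) {
            Write-Warning "Dcdiag test '$test' did not pass; fix the cause before continuing."
            break
        }
    }
    return $summary
}

# Usage before AD DS is installed on this server (DC01 is a placeholder name):
#   Invoke-DcPrereqDiag -SourceDc 'DC01' -Detailed | Format-Table Test, Passed, FailedTests
# Usage after installation, on the new domain controller itself:
#   Invoke-DcPrereqDiag | Format-Table Test, Passed, FailedTests
```

The Output property keeps the full Dcdiag text for each test so that, when a test fails, the verbose listing of operations masters and the message that follows it can be reviewed exactly as the procedure above describes. The pattern match depends on the English "passed test" and "failed test" strings, so on a localized installation adjust the two regular expressions to the local wording.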

Install an Additional Domain Controller by Using the Windows Interface
You can use this procedure to add the Active Directory Domain Services (AD DS) server role to a server to create a domain controller in an existing domain. You can complete this procedure by using the Windows graphical user interface (GUI).
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To install an additional domain controller by using the Windows interface
1. Click Start, and then click Server Manager.
2. In Roles Summary, click Add Roles.
3. Review the information on the Before You Begin page, and then click Next.
4. On the Select Server Roles page, click Active Directory Domain Services, and then click Next.
5. Review the information on the Active Directory Domain Services page, and then click Next.
6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, click Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe).
8. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next. You can click Use advanced mode installation to see additional installation options. Specifically, click Use advanced mode installation if you want to install from media or identify the source domain controller for Active Directory replication.
9. On the Operating System Compatibility page, review the warning about the default security settings for Windows Server 2008 domain controllers, and then click Next.
10. On the Choose a Deployment Configuration page, click Existing forest, click Add a domain controller to an existing domain, and then click Next.
11. On the Network Credentials page, type the name of an existing domain in the forest where you plan to install the additional domain controller. Under Specify the account credentials to use to perform the installation, click My current logged on credentials or click Alternate credentials, and then click Set. In the Windows Security dialog box, provide the user name and password for an account that can install the additional domain controller. To install an additional domain controller, you must be a member of the Enterprise Admins group or the Domain Admins group. When you are finished providing credentials, click Next.
12. On the Select a Domain page, select the domain of the new domain controller, and then click Next.
13. On the Select a Site page, select a site from the list or select the option to install the domain controller in the site that corresponds to its IP address, and then click Next.
14. On the Additional Domain Controller Options page, make the following selections, and then click Next:
• DNS server: This option is selected by default so that your domain controller can function as a DNS server. If you do not want the domain controller to be a DNS server, clear this option.
Note
If you select the option to make this domain controller a DNS server, you might receive a message that indicates that a DNS delegation for the DNS server could not be created and that you should manually create a DNS delegation to the DNS server to ensure reliable name resolution. If you are installing an additional domain controller in either the forest root domain or a tree root domain, you do not have to create the DNS delegation. In this case, click Yes, and disregard the message.
• Global Catalog: This option is selected by default. It adds the global catalog, read-only directory partitions to the domain controller, and it enables global catalog search functionality.
• Read-only domain controller: This option is not selected by default. It makes the additional domain controller a read-only domain controller (RODC).
15. If you selected Use advanced mode installation on the Welcome page, the Install from Media page appears. You can provide the location of installation media to be used to create the domain controller and configure AD DS, or you can have all source replication occur over the network. Note that some data will be replicated over the network even if you install from media. For information about using this method to install the domain controller, see Installing an Additional Domain Controller by Using IFM.
16. If you selected Use advanced mode installation on the Welcome page, the Source Domain Controller page appears. Click Let the wizard choose an appropriate domain controller or click Use this specific domain controller to specify a domain controller that you want to provide as a source for replication to create the new domain controller, and then click Next. If you do not choose to install from media, all data will be replicated from this source domain controller.
17. On the Location for Database, Log Files, and SYSVOL page, type or browse to the volume and folder locations for the database file, the directory service log files, and the SYSVOL files, and then click Next. Windows Server Backup backs up the directory service by volume. For backup and recovery efficiency, store these files on separate volumes that do not contain applications or other nondirectory files.
18. On the Directory Services Restore Mode Administrator Password page, type and confirm the restore mode password, and then click Next. This password must be used to start AD DS in Directory Services Restore Mode (DSRM) for tasks that must be performed offline.
19. On the Summary page, review your selections. Click Back to change any selections, if necessary. To save the settings that you have selected to an answer file that you can use to automate subsequent Active Directory operations, click Export settings. Type the name for your answer file, and then click Save. When you are sure that your selections are accurate, click Next to install AD DS.
Note
If you are installing an additional domain controller in a child domain and you are using child domain credentials, the Windows Security dialog box appears because access is denied in the parent domain to update the DNS delegation in the parent zone. In this case, click the other user icon and provide administrator credentials for the parent domain, and then click OK.
20. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.
21. You can select Reboot on completion to have the server restart automatically, or you can restart the server to complete the installation of AD DS when you are prompted to do so.
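Step 19 lets you export the wizard's choices to an answer file for unattended installations. As an added example that is not code from this guide or from Microsoft, the following PowerShell script writes an answer file equivalent to the choices in this procedure (a replica domain controller in an existing domain, DNS server and global catalog selected, a named site, the default database, log and SYSVOL paths) and runs dcpromo.exe with it. The [DCInstall] keys are the documented dcpromo unattend parameters for Windows Server 2008; the domain name, site name, account name and file path are placeholders. Because the file must carry the Directory Services Restore Mode password in clear text, the script restricts the file's ACL and deletes the file after dcpromo returns, and it uses Password=* so that the installation account's password is prompted for rather than stored.

```powershell
<#
 Added example, not code from the AD DS Operations Guide.
 Writes a dcpromo answer file equivalent to the wizard choices in the procedure
 above and runs dcpromo.exe unattended with it.
 Assumes Windows Server 2008 dcpromo.exe and an account that is a member of
 Domain Admins or Enterprise Admins. All names and paths below are placeholders.
#>
param(
    [string] $DomainDnsName = 'corp.example.com',          # placeholder: existing domain to join
    [string] $SiteName      = 'Default-First-Site-Name',   # placeholder: site for the new DC
    [string] $InstallUser   = 'dsadmin',                   # placeholder: installation account
    [string] $AnswerFile    = "$env:TEMP\dcpromo-replica.txt"
)

# Prompt for the DSRM password; it stays a SecureString until it has to be written.
$dsrmSecure = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrmSecure)
try {
    $dsrmPlain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

# Password=* makes dcpromo prompt for the installation account's password instead of
# reading it from the file. RebootOnCompletion=No lets the script delete the file
# before the restart (restart the server afterward, as in step 21).
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$DomainDnsName
SiteName=$SiteName
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=$DomainDnsName
UserName=$InstallUser
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrmPlain
RebootOnCompletion=No
"@

Set-Content -Path $AnswerFile -Value $answer
$dsrmPlain = $null

# The file holds the DSRM password in clear text: drop inherited permissions and
# allow only Administrators and SYSTEM to read it.
$acl = Get-Acl -Path $AnswerFile
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $AnswerFile -AclObject $acl

try {
    & "$env:SystemRoot\System32\dcpromo.exe" "/unattend:$AnswerFile"
} finally {
    # Remove the answer file whether dcpromo succeeded or not.
    Remove-Item -Path $AnswerFile -Force -ErrorAction SilentlyContinue
}
Write-Output "Review the dcpromo output above, then restart the server to complete the AD DS installation."
```

For an advanced-mode installation, ReplicationSourceDC names the source domain controller of step 16 and ReplicationSourcePath points at the install-from-media location of step 15; add them to the [DCInstall] section in the same way. A file exported with Export settings in step 19 has the same layout, so this script is also a starting point for reusing such a file on further servers.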


See Also
Preparing for Active Directory Installation
Verifying Active Directory Installation

Verifying Active Directory Installation
There are several verification tasks that you can perform on a computer on which Active Directory Domain Services (AD DS) has been newly installed. Successfully completing the requirements of each verification task will provide a strong indication of a healthy, operational domain controller. The individual procedures in this task are provided so that you can test specific criteria to determine the health of an Active Directory installation.
To thoroughly test the domain controller for all directory service issues, you can run the dcdiag /v command. The output of this command provides detailed information about the conditions on the domain controller. For information about using the Dcdiag.exe command-line tool, see Dcdiag (http://go.microsoft.com/fwlink/?LinkId=104659).

Task requirements
The following tools are recommended to perform the procedures for this task:
• Active Directory Sites and Services
• DNS Manager
• Event Viewer
• Dcdiag.exe
• Ntdsutil.exe

To complete this task, perform the following procedures:
1. Determine Whether a Server Object Has Child Objects
2. Verify That an IP Address Maps to a Subnet and Determine the Site Association
Check that the new domain controller is located in the correct site so that the new domain controller can locate replication partners and become part of the replication topology.
3. Move a Server Object to a New Site
If you have performed an unattended installation and the domain controller was not placed in the site that you expected, you can move the server object to the correct site.
4. Configure DNS Server Forwarders
5. Complete all procedures for the Verifying DNS Configuration task.
6. Check the Status of the SYSVOL and Netlogon Shares
7. Verify DNS Registration and TCP/IP Connectivity
8. Verify a Domain Computer Account for a New Domain Controller
9. Verify Active Directory Rep