Active Directory Domain Services Operations Guide
Microsoft Corporation
Published: September 2008

Abstract
This operations guide provides administration and management information for Active Directory Domain Services (AD DS) directory service technologies in the Windows Server 2008 operating system.
Copyright information
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2008 Microsoft Corporation. All rights reserved.

Active Directory, Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents
Active Directory Domain Services Operations Guide ..... 1
Abstract ..... 1
Copyright information ..... 2
Contents ..... 3
Active Directory Domain Services Operations Guide ..... 24
New in This Guide ..... 24
Administering Active Directory Domain Services ..... 24
Introduction to Administering Active Directory Domain Services ..... 25
When to use this guide ..... 25
How to use this guide ..... 26
Administering Domain and Forest Trusts ..... 26
Introduction to Administering Domain and Forest Trusts ..... 27
Best Practices for Administering Domain and Forest Trusts ..... 27
Managing Domain and Forest Trusts ..... 28
Creating Domain and Forest Trusts ..... 28
New Trust Wizard terminology ..... 29
Known Issues for Creating Domain and Forest Trusts ..... 30
Creating External Trusts ..... 31
Create a One-Way, Incoming, External Trust for One Side of the Trust ..... 33
Create a One-Way, Incoming, External Trust for Both Sides of the Trust ..... 34
Create a One-Way, Outgoing, External Trust for One Side of the Trust ..... 36
Create a One-Way, Outgoing, External Trust for Both Sides of the Trust ..... 37
Create a Two-Way, External Trust for One Side of the Trust ..... 39
Create a Two-Way, External Trust for Both Sides of the Trust ..... 40
Creating Shortcut Trusts ..... 42
Create a One-Way, Incoming, Shortcut Trust for One Side of the Trust ..... 43
Create a One-Way, Incoming, Shortcut Trust for Both Sides of the Trust ..... 44
Create a One-Way, Outgoing, Shortcut Trust for One Side of the Trust ..... 45
Create a One-Way, Outgoing, Shortcut Trust for Both Sides of the Trust ..... 47
Create a Two-Way, Shortcut Trust for One Side of the Trust ..... 48
Create a Two-Way, Shortcut Trust for Both Sides of the Trust ..... 50
Creating Forest Trusts ..... 51
Create a One-Way, Incoming, Forest Trust for One Side of the Trust ..... 52
Create a One-Way, Incoming, Forest Trust for Both Sides of the Trust ..... 54
Create a One-Way, Outgoing, Forest Trust for One Side of the Trust ..... 55
Create a One-Way, Outgoing, Forest Trust for Both Sides of the Trust ..... 57
Create a Two-Way, Forest Trust for One Side of the Trust ..... 58
Create a Two-Way, Forest Trust for Both Sides of the Trust ..... 60
Creating Realm Trusts ..... 62
Create a One-Way, Incoming, Realm Trust ..... 62
Create a One-Way, Outgoing, Realm Trust ..... 64
Create a Two-Way, Realm Trust ..... 65
Configuring Domain and Forest Trusts ..... 66
Validating and Removing Trusts ..... 66
Validate a Trust ..... 67
Validating a trust ..... 67
Remove a Manually Created Trust ..... 68
Removing a manually created trust ..... 68
Modifying Name Suffix Routing Settings ..... 69
Modify Routing for a Forest Name Suffix ..... 70
Modify Routing for a Subordinate Name Suffix ..... 71
Exclude Name Suffixes from Routing to a Forest ..... 72
Securing Domain and Forest Trusts ..... 73
Configuring SID Filter Quarantining on External Trusts ..... 73
Disable SID filter Quarantining ..... 75
See Also ..... 76
Reapply SID Filter Quarantining ..... 76
Configuring Selective Authentication Settings ..... 77
Enable Selective Authentication over an External Trust ..... 78
Enabling selective authentication over an external trust ..... 78
Enable Selective Authentication over a Forest Trust ..... 80
Enabling selective authentication over a forest trust ..... 80
Enable Domain-Wide Authentication over an External Trust ..... 81
Enable Forest-Wide Authentication over a Forest Trust ..... 82
Grant the Allowed to Authenticate Permission on Computers in the Trusting Domain or Forest ..... 83
Appendix: New Trust Wizard Pages ..... 84
Direction of Trust ..... 84
Wizard option: Two-way ..... 84
Wizard option: One-way: incoming ..... 85
Wizard option: One-way: outgoing ..... 86
Sides of trust ..... 87
Wizard option: This domain only ..... 87
Wizard option: Both this domain and the specified domain ..... 88
Administering the Windows Time Service ..... 88
Introduction to Administering the Windows Time Service ..... 88
Windows time source selection ..... 88
External NTP time servers ..... 89
W32tm and net time ..... 90
Managing the Windows Time Service ..... 90
Configuring a Time Source for the Forest ..... 91
Configure the Time Source for the Forest ..... 93
Change the Windows Time Service Configuration on the PDC Emulator in the Forest Root Domain ..... 97
Disable the Windows Time Service ..... 98
Enable Windows Time Service Debug Logging ..... 99
Configuring Windows-Based Clients to Synchronize Time ..... 99
Configure a Manual Time Source for a Selected Client Computer ..... 100
Configure a Client Computer for Automatic Domain Time Synchronization ..... 102
Restoring the Windows Time Service to Default Settings ..... 103
Restore the Windows Time Service on the Local Computer to the Default Settings ..... 103
Administering DFS-Replicated SYSVOL ..... 104
Introduction to Administering DFS-Replicated SYSVOL ..... 104
SYSVOL terminology and capitalization ..... 104
Using DFS Replication for replicating SYSVOL in Windows Server 2008 ..... 105
Requirements for using DFS Replication ..... 106
Key considerations for administering SYSVOL ..... 106
Relocating SYSVOL folders ..... 108
Managing DFS-Replicated SYSVOL ..... 109
Changing the Quota That Is Allocated to the SYSVOL Staging Area ..... 110
Change the Quota That Is Allocated to the SYSVOL Staging Folder ..... 110
Relocating the SYSVOL Staging Area ..... 111
Identify Replication Partners ..... 112
Check the Status of the SYSVOL and Netlogon Shares ..... 113
Verify Active Directory Replication ..... 114
Gather the SYSVOL Path Information ..... 114
To gather the SYSVOL path information ..... 116
Stop the DFS Replication Service and Netlogon Service ..... 117
Create the SYSVOL Staging Areas Folder Structure ..... 118
Change the SYSVOL Root Path or Staging Areas Path, or Both ..... 119
See Also ..... 120
Start the DFS Replication Service and Netlogon Service ..... 120
Force Replication Between Domain Controllers ..... 121
See Also ..... 122
Relocating SYSVOL Manually ..... 122
Identify Replication Partners ..... 124
Check the Status of the SYSVOL and Netlogon Shares ..... 124
Verify Active Directory Replication ..... 125
Gather the SYSVOL Path Information ..... 126
To gather the SYSVOL path information ..... 127
Stop the DFS Replication Service and Netlogon Service ..... 129
Copy SYSVOL to a New Location ..... 130
Create the SYSVOL Root Junction Point ..... 133
Change the SYSVOL Root Path or Staging Areas Path, or Both ..... 134
See Also ..... 135
Change the SYSVOL Netlogon Parameters ..... 135
Reapply Default SYSVOL Security Settings ..... 136
Start the DFS Replication Service and Netlogon Service ..... 138
Force Replication Between Domain Controllers ..... 139
See Also ..... 139
Updating the SYSVOL Path ..... 139
Gather the SYSVOL Path Information ..... 140
To gather the SYSVOL path information ..... 142
Stop the DFS Replication Service and Netlogon Service ..... 143
Change the SYSVOL Netlogon Parameters ..... 144
Create the SYSVOL Root Junction Point ..... 145
Start the DFS Replication Service and Netlogon Service ..... 146
Restoring and Rebuilding SYSVOL ..... 147
Identify Replication Partners ..... 149
Check the Status of the SYSVOL and Netlogon Shares ..... 149
Verify Active Directory Replication ..... 150
Gather the SYSVOL Path Information ..... 151
To gather the SYSVOL path information ..... 152
Restart the Domain Controller in Directory Services Restore Mode Locally ..... 154
Restarting the domain controller in DSRM locally ..... 155
See Also ..... 156
Restart the Domain Controller in Directory Services Restore Mode Remotely ..... 157
See Also ..... 160
Stop the DFS Replication Service and Netlogon Service ..... 160
Import the SYSVOL Folder Structure ..... 161
See Also ..... 164
Administering the Global Catalog ..... 165
Introduction to Administering the Global Catalog ..... 165
Global catalog hardware requirements ..... 165
Global catalog placement ..... 165
Initial global catalog replication ..... 165
Global catalog readiness ..... 166
Global catalog removal ..... 166
Managing the Global Catalog ..... 167
Configuring a Global Catalog Server ..... 167
Determine Whether a Domain Controller Is a Global Catalog Server ..... 168
Designate a Domain Controller to Be a Global Catalog Server ..... 168
Monitor Global Catalog Replication Progress ..... 169
Verify Successful Replication to a Domain Controller ..... 170
Determining Global Catalog Readiness ..... 173
Verify Global Catalog Readiness ..... 173
Verifying global catalog readiness ..... 173
Verify Global Catalog DNS Registrations ..... 174
Removing the Global Catalog ..... 175
Clear the Global Catalog Setting ..... 175
Monitor Global Catalog Removal in Event Viewer ..... 176
Administering Operations Master Roles ..... 177
Introduction to Administering Operations Master Roles ..... 177
Guidelines for role placement ..... 178
Guidelines for role transfer ..... 181
Managing Operations Master Roles ..... 182
Designating a Standby Operations Master ..... 183
Standby operations master computer requirements ..... 183
Replication requirements ..... 183
Determine Whether a Domain Controller Is a Global Catalog Server ..... 184
Create a Connection Object on the Operations Master and Standby ..... 184
Verify Successful Replication to a Domain Controller ..... 185
Transferring an Operations Master Role ..... 188
Transferring to a standby operations master ..... 189
Transferring an operations master role when no standby is ready ..... 189
Install the Schema Snap-in ..... 190
Transfer the Schema Master ..... 191
Transfer the Domain Naming Master ..... 192
Transfer the Domain-Level Operations Master Roles ..... 193
View the Current Operations Master Role Holders ..... 194
Seizing an operations master role ..... 195
Verify Successful Replication to a Domain Controller ..... 196
Seize the Operations Master Role ..... 199
View the Current Operations Master Role Holders ..... 200
Reducing the Workload on the PDC Emulator Master ..... 201
Changing the weight for DNS service (SRV) resource records in the registry ..... 201
Changing the priority for DNS service (SRV) resource records in the registry ..... 202
Change the Weight for DNS Service (SRV) Resource Records in the Registry ..... 203
Change the Priority for DNS Service (SRV) Resource Records in the Registry ..... 203
Administering Active Directory Backup and Recovery ..... 204
Introduction to Administering Active Directory Backup and Recovery ..... 205
Backing up AD DS ..... 205
Recovering AD DS ..... 205
Additional considerations ..... 206
Managing Active Directory Backup and Recovery ..... 207
Backing Up Active Directory Domain Services ..... 207
Windows Server backup tools ..... 207
Windows Server backup types ..... 208
Contents of Windows Server backup types ..... 208
Criteria for using backup types ..... 209
Backup guidelines ..... 210
Scheduling regular backups ..... 211
Immediate (unscheduled) backup ..... 212
Backup frequency ..... 212
Backup frequency criteria ..... 213
Backup latency interval ..... 213
Known Issues for Backing Up Active Directory Domain Services ..... 215
Perform a Backup of Critical Volumes of a Domain Controller by Using the GUI (Windows Server Backup) ..... 216
Additional considerations ..... 217
Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin) ..... 217
Additional considerations ..... 218
Perform a Full Server Backup of a Domain Controller by Using the GUI (Windows Server Backup) ..... 218
Additional considerations ..... 222
Perform a Full Server Backup of a Domain Controller by Using the Command Line (Wbadmin) ..... 223
Additional considerations ..... 223
Recovering Active Directory Domain Services ..... 224
Causes of disruptions ..... 224
Keys to protecting against disruptions ..... 225
Preventing unwanted deletions ..... 225
Recovery solutions ..... 226
Solutions for configuration errors: nonauthoritative restore ..... 226
Solutions for data loss: authoritative restore ..... 227
Recovery options with no available backup ..... 228
Solutions for hardware failure or file corruption ..... 228
Recovery tasks ..... 230
Performing Nonauthoritative Restore of Active Directory Domain Services ..... 230
Nonauthoritative Restore Requirements ..... 231
SYSVOL restore ..... 231
Additional references ..... 232
Restart the Domain Controller in Directory Services Restore Mode Locally ..... 232
Restarting the domain controller in DSRM locally ..... 234
See Also ..... 235
Restart the Domain Controller in Directory Services Restore Mode Remotely ..... 235
See Also ..... 238
Restore AD DS from Backup (Nonauthoritative Restore) ..... 238
Additional references ..... 240
Verify AD DS restore ..... 240
Performing Authoritative Restore of Active Directory Objects ..... 241
Determining objects to restore ..... 242
Selecting objects to restore ..... 243
Selecting application directory partitions to restore ..... 243
Restoring group memberships after authoritative restore ..... 244
LVR and restoration of group memberships ..... 244
Authoritative restore of pre-LVR group memberships and groups in different domains ..... 245
Files for recovering group
memberships following authoritative
restore.................................245 Using a global catalog
server for authoritative
restore...............................................................246
Recovering deletions without restoring from
backup.................................................................247
Retention (merge) of new group memberships or other attributes
after authoritative restore.....247 Authoritative restore
procedures...............................................................................................248
Procedures for restoring after deletions have
replicated........................................................249
Procedures for restoring before deletions have
replicated.....................................................250
Procedures for recovering group memberships (and any other
back-link attributes) in other
domains.............................................................................................................................251
Additional
references................................................................................................................251
Known Issues for Authoritative
Restore........................................................................................252
Order of replication and dropped group
memberships..............................................................252
Members added back to groups from which they were
deleted.................................................253
Incorrect assignment of Exchange
mailboxes...........................................................................253
Best Practices for Authoritative
Restore.......................................................................................253
Restart the Domain Controller in Directory Services Restore Mode
Locally..................................255 Restarting the domain
controller in DSRM
locally.....................................................................256
See
Also...................................................................................................................................257
Restart the Domain Controller in Directory Services Restore Mode
Remotely..............................257 See
Also...................................................................................................................................261
Restore AD DS from Backup (Nonauthoritative
Restore)..............................................................261
Additional
references................................................................................................................263
Mark an Object or Objects as
Authoritative..................................................................................263
Additional
references................................................................................................................265
Turn Off Inbound
Replication.......................................................................................................265
Additional
references................................................................................................................266
Synchronize Replication with All
Partners....................................................................................266
See
Also...................................................................................................................................267
Run an LDIF File to Recover
Back-Links......................................................................................267
Additional
references................................................................................................................268
Turn on Inbound
Replication........................................................................................................269
Additional
references................................................................................................................269
Create an LDIF File for Recovering Back-Links for Authoritatively
Restored Objects....................269 Additional
references................................................................................................................270
Performing Authoritative Restore of an Application Directory
Partition..........................................271 Restart the
Domain Controller in Directory Services Restore Mode
Remotely..............................271 See
Also...................................................................................................................................275
Restart the Domain Controller in Directory Services Restore Mode
Locally..................................275 Restarting the domain
controller in DSRM
locally.....................................................................276
See
Also...................................................................................................................................277
Restore AD DS from Backup (Nonauthoritative
Restore)..............................................................278
Additional
references................................................................................................................279
Mark an application directory partition as
authoritative.................................................................279
See
Also...................................................................................................................................281
Performing a Full Server Recovery of a Domain
Controller..........................................................281
Requirements for performing a full server recovery of a domain
controller................................281 Performing a full
server recovery of a domain controller by using the
GUI................................282 Performing a full server
recovery of a domain controller by using the command
line.................283 Additional
considerations..........................................................................................................284
Restoring a Domain Controller Through Reinstallation and Subsequent
Restore from Backup.....285 Restart the Domain Controller in
Directory Services Restore Mode
Locally..................................286 Restarting the domain
controller in DSRM
locally.....................................................................287
See
Also...................................................................................................................................289
Restart the Domain Controller in Directory Services Restore Mode
Remotely..............................289 See
Also...................................................................................................................................292
Restore AD DS from Backup (Nonauthoritative
Restore)..............................................................292
Additional
references................................................................................................................294
Verify AD DS
restore....................................................................................................................294
Restoring a Domain Controller Through
Reinstallation.................................................................295
Clean Up Server
Metadata...........................................................................................................297
See
Also...................................................................................................................................299
Delete a Server Object from a
Site...............................................................................................300
See
Also...................................................................................................................................300
Verify DNS Registration and TCP/IP
Connectivity........................................................................301
Verify the Availability of the Operations
Masters...........................................................................301
Install an Additional Domain Controller by Using the Windows
Interface......................................303 See
Also...................................................................................................................................305
Verifying Active Directory
Installation............................................................................................305
Administering Intersite
Replication...............................................................................................306
Introduction to Administering Intersite
Replication........................................................................306
Optimizing replication between
sites.........................................................................................307
Effects of site link
bridging.....................................................................................................307
Effects of disabling site link
bridging......................................................................................307
Optimizing domain controller
location.......................................................................................308
Finding the next closest
site..................................................................................................308
Forcing domain controller
rediscovery...................................................................................309
Improving the logon experience in branch
sites........................................................................309
See
Also...................................................................................................................................310
Managing Intersite
Replication.....................................................................................................310
Adding a New
Site.......................................................................................................................310
Create a Site Object and Add it to an Existing Site
Link................................................................311
See
Also...................................................................................................................................312
Create a Subnet Object or Objects and Associate them with a
Site..............................................312 Associate an
Existing Subnet Object with a
Site..........................................................................313
Create a Site Link Object and Add the Appropriate
Sites..............................................................313
Remove a Site from a Site
Link....................................................................................................314
Linking Sites for
Replication.........................................................................................................314
Creating site
links.....................................................................................................................315
Selecting bridgehead
servers...................................................................................................315
Create a Site Link Object and Add the Appropriate
Sites..............................................................316
Determine the ISTG Role Owner for a
Site..................................................................................317
Generate the Replication Topology on the
ISTG..........................................................................317
Designate a Server as a Preferred Bridgehead
Server.................................................................318
Changing Site Link
Properties......................................................................................................319
Configure the Site Link Schedule to Identify Times During Which
Intersite Replication Can Occur
.................................................................................................................................................319
Configure the Site Link Interval to Identify How Often Replication
Polling Can Occur During the Schedule
Window.....................................................................................................................320
Configure the Site Link Cost to Establish a Priority for
Replication Routing..................................321 Determine
the ISTG Role Owner for a
Site..................................................................................321
Generate the Replication Topology on the
ISTG..........................................................................322
Enabling Clients to Locate the Next Closest Domain
Controller...................................................323
Enable Clients to Locate a Domain Controller in the Next Closest
Site.........................................325 Moving a Domain
Controller to a Different
Site.............................................................................326
TCP/IP
settings........................................................................................................................326
DNS
settings............................................................................................................................326
Preferred bridgehead server
status...........................................................................................327
Change the Static IP Address of a Domain
Controller..................................................................328
Update the IP Address for a DNS
Delegation...............................................................................329
Update the IP Address for a DNS
Forwarder................................................................................330
Verify That an IP Address Maps to a Subnet and Determine the Site
Association.........................331 See
Also...................................................................................................................................332
Determine Whether a Server is a Preferred Bridgehead
Server...................................................332 See
Also...................................................................................................................................332
View the List of All Preferred Bridgehead
Servers........................................................................333
See
Also...................................................................................................................................333
Configure a Server to Not Be a Preferred Bridgehead
Server......................................................333 See
Also...................................................................................................................................334
Move a Server Object to a New
Site............................................................................................334
See
Also...................................................................................................................................335
Enabling Universal Group Membership Caching in a
Site............................................................335
Enable Universal Group Membership Caching in a
Site...............................................................336
Forcing
Replication......................................................................................................................336
Forcing replication of all directory updates over a
connection...................................................337
Forcing replication of configuration
updates..............................................................................337
Force Replication Between Domain
Controllers...........................................................................338
See
Also...................................................................................................................................339
Update a Server with Configuration
Changes..............................................................................339
Synchronize Replication with All
Partners....................................................................................340
See
Also...................................................................................................................................341
Verify Successful Replication to a Domain
Controller...................................................................341
Removing a
Site..........................................................................................................................345
Delete a Manual Connection
Object.............................................................................................346
Determine Whether a Server Object Has Child
Objects...............................................................347
Delete a Server Object from a
Site...............................................................................................348
See
Also...................................................................................................................................349
Delete a Site Link
object..............................................................................................................349
Associate an Existing Subnet Object with a
Site..........................................................................349
Delete a Site
object......................................................................................................................350
See
Also...................................................................................................................................350
Determine the ISTG Role Owner for a
Site..................................................................................350
Generate the Replication Topology on the
ISTG..........................................................................351
Administering the Active Directory
Database................................................................................352
Introduction to Administering the Active Directory Database
[lhsad]_ADDS_Ops_7.....................352 Database management
conditions...........................................................................................352
Disk space monitoring
recommendations.................................................................................353
Database
defragmentation.......................................................................................................353
Restartable AD
DS...................................................................................................................353
See
Also...................................................................................................................................354
Managing the Active Directory
Database.....................................................................................354
Relocating the Active Directory Database
Files............................................................................354
Disk space requirements for relocating Active Directory database
files.....................................355 Determine the
Database Size and Location
Online......................................................................357
See
Also...................................................................................................................................358
Determine the Database Size and Location
Offline......................................................................358
See
Also...................................................................................................................................359
Compare the Size of the Directory Database Files to the Volume
Size.........................................359 Perform a System
State Backup of a Domain Controller by Using the Command Line
(Wbadmin)
.................................................................................................................................................360
Additional
considerations...................................................................................................361
Move the Directory Database and Log Files to a Local
Drive.......................................................361 See
Also...................................................................................................................................364
Copy the Directory Database and Log Files to a Remote
Share...................................................364 See
Also...................................................................................................................................367
Returning Unused Disk Space from the Active Directory Database to
the File System.................367 Change the Garbage Collection
Logging Level to
1.....................................................................369
See
Also...................................................................................................................................369
Perform a System State Backup of a Domain Controller by Using the
Command Line (Wbadmin)
.................................................................................................................................................370
Additional
considerations...................................................................................................370
Compact the Directory DatabaseFfile (Offline
Defragmentation)..................................................371
See
Also...................................................................................................................................374
If the Database Integrity Check Fails, Perform Semantic Database
Analysis with Fixup...............374 Administering Domain
Controllers................................................................................................375
Additional
references................................................................................................................376
Introduction to Administering Domain
Controllers.........................................................................376
Installing Remote Server Administration
Tools..........................................................................376
Installing and removing AD
DS.................................................................................................376
Adding domain
controllers.....................................................................................................377
Removing domain
controllers................................................................................................377
Renaming domain
controllers...................................................................................................377
Adding domain controllers to branch
sites................................................................................377
Installing from
media.............................................................................................................378
Shipping installed domain controllers to branch
sites.............................................................379
Managing Domain
Controllers......................................................................................................379
Installing Remote Server Administration Tools for AD
DS.............................................................381
Installing Active Directory Domain Services Tools on a member
server that is running Windows Server
2008...........................................................................................................381
Installing Active Directory Domain Services Tools on a computer
that is running Windows Vista with
SP1...............................................................................................................................382
Managing Antivirus Software on Active Directory Domain
Controllers...........................................382
Guidelines for managing antivirus software on Active Directory
domain controllers...................383 Files to exclude from
scanning.................................................................................................384
Preparing for Active Directory
Installation.....................................................................................386
DNS
configuration....................................................................................................................386
Site
placement.........................................................................................................................386
Domain
connectivity.................................................................................................................387
Verify DNS Infrastructure and
Registrations.................................................................................388
Verify That an IP Address Maps to a Subnet and Determine the Site
Association.........................390 See
Also...................................................................................................................................390
Verify the Availability of the Operations
Masters...........................................................................391
Installing a Domain Controller in an Existing
Domain...................................................................392
See
Also...................................................................................................................................393
Installing an Additional Domain Controller by Using the Windows
Interface..................................393 See
Also...................................................................................................................................394
Install an Additional Domain Controller by Using the Windows
Interface......................................394 See
Also...................................................................................................................................396
Installing an Additional Domain Controller by Using
IFM..............................................................397
See
Also...................................................................................................................................399
Create Installation Media by Using
Ntdsutil..................................................................................399
See
Also...................................................................................................................................400
Install an Additional Domain Controller by Using Installation
Media..............................................400 See
Also...................................................................................................................................401
Installing an Additional Domain Controller by Using Unattend
Parameters...................................401 See
Also...................................................................................................................................402
Create an Answer File for Unattended Domain Controller
Installation...........................................402 See
Also...................................................................................................................................404
Install an Additional Domain Controller by Using an Answer
File..................................................404 See
Also...................................................................................................................................405
Install an Additional Domain Controller by Using Unattend
Parameters from the Command Line. 405 Verifying Active Directory
Installation............................................................................................406
Verify That an IP Address Maps to a Subnet and Determine the Site Association (p. 407)
  See Also (p. 408)
Configure DNS Server Forwarders (p. 408)
Verifying DNS Configuration (p. 409)
Verify DNS Server Configuration for a Domain Controller (p. 409)
  See Also (p. 410)
Verify DNS Client Settings (p. 410)
  See Also (p. 411)
Check the Status of the SYSVOL and Netlogon Shares (p. 411)
Verify Active Directory Replication (p. 412)
Verify a Domain Computer Account for a New Domain Controller (p. 413)
Adding Domain Controllers in Remote Sites (p. 413)
Best Practices for Adding Domain Controllers in Remote Sites (p. 414)
  Best practices for using IFM to install AD DS in the remote site (p. 415)
  Best practices for installing domain controllers before you ship them to a remote site (p. 417)
  See Also (p. 419)
Known Issues for Adding Domain Controllers in Remote Sites (p. 419)
  SYSVOL replication (p. 419)
  Using IFM to install a domain controller in a remote site (p. 420)
    Advantages of using IFM to install a domain controller in a remote site (p. 420)
    Issues with using IFM to install a domain controller in a remote site (p. 421)
  Installing domain controllers before shipping them to the remote site (p. 422)
    Advantages of installing domain controllers before shipping them to the remote site (p. 422)
    Issues with installing domain controllers before shipping them to the remote site (p. 422)
  Maintaining directory consistency when you disconnect a domain controller (p. 423)
    Protection against lingering object replication (p. 424)
    Availability of operations masters (p. 424)
    Up-to-dateness of Active Directory replication (p. 425)
    SYSVOL consistency (p. 425)
  See Also (p. 425)
Preparing a Server Computer for Shipping and Installation from Media (p. 425)
  Determining the volume for installation media (p. 426)
  Enabling Remote Desktop (p. 427)
  Including application directory partitions (p. 427)
  See Also (p. 428)
Enable Remote Desktop (p. 428)
Create a Remote Desktop Connection (p. 429)
  See Also (p. 430)
Install an Additional Domain Controller by Using Installation Media (p. 430)
  See Also (p. 431)
Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection (p. 431)
  See Also (p. 433)
Determine the Tombstone Lifetime for the Forest (p. 433)
Enable Strict Replication Consistency (p. 434)
Synchronize Replication with All Partners (p. 435)
  See Also (p. 436)
Reconnecting a Domain Controller After a Long-Term Disconnection (p. 436)
  Reconnecting an outdated domain controller (p. 437)
  Updating SYSVOL (p. 437)
  See Also (p. 438)
Determine the Tombstone Lifetime for the Forest (p. 439)
Move a Server Object to a New Site (p. 439)
  See Also (p. 440)
Determine When Intersite Replication Is Scheduled to Begin (p. 440)
Use Repadmin to Remove Lingering Objects (p. 441)
Verify Successful Replication to a Domain Controller (p. 443)
Renaming a Domain Controller (p. 447)
Rename a Domain Controller Using System Properties (p. 448)
  See Also (p. 448)
Rename a Domain Controller Using Netdom (p. 448)
  See Also (p. 450)
Update the FRS or DFS Replication Member Object (p. 451)
Decommissioning a Domain Controller (p. 452)
  Removing a domain or a forest (p. 452)
  Protecting EFS-encrypted files (p. 452)
  See Also (p. 455)
Verify DNS Registration and TCP/IP Connectivity (p. 455)
View the Current Operations Master Role Holders (p. 455)
Transfer the Schema Master (p. 456)
Transfer the Domain Naming Master (p. 457)
Transfer the Domain-Level Operations Master Roles (p. 458)
Determine Whether a Domain Controller Is a Global Catalog Server (p. 460)
Verify the Availability of the Operations Masters (p. 460)
Back Up a Certificate With Its Private Key (p. 461)
Removing a Windows Server 2008 Domain Controller from a Domain (p. 463)
  Removing a Windows Server 2008 domain controller by using the Windows interface (p. 463)
  Removing a Windows Server 2008 domain controller by using an answer file (p. 464)
  Removing a Windows Server 2008 domain controller by entering unattended installation parameters at the command line (p. 465)
Import a Certificate (p. 465)
Determine Whether a Server Object Has Child Objects (p. 466)
Delete a Server Object from a Site (p. 467)
  See Also (p. 468)
Add the Certificates Snap-in to an MMC (p. 468)
  Adding the Certificates Snap-in to an MMC (p. 468)
Forcing the Removal of a Domain Controller (p. 470)
Identify Replication Partners (p. 471)
Force Domain Controller Removal (p. 472)
  See Also (p. 473)
Clean Up Server Metadata (p. 473)
  See Also (p. 476)
Administering Active Directory Domain Rename (p. 476)
  In this guide (p. 476)
Introduction to Administering Active Directory Domain Rename (p. 476)
  Domain rename requirements (p. 477)
Managing Active Directory Domain Rename (p. 478)
Preparing for the Domain Rename Operation (p. 478)
Adjust Forest Functional Level (p. 479)
  Setting forest functional level to Windows Server 2003 or Windows Server 2008 (p. 479)
Create Necessary Shortcut Trust Relationships (p. 480)
  Types of trust relationships (p. 480)
  Precreating parent-child trust relationships for a restructured forest (p. 481)
    Precreating a parent-child trust relationship (p. 481)
    Precreating multiple parent-child trust relationships (p. 481)
  Precreating a tree-root trust relationship with the forest root domain (p. 483)
  Creating shortcut trust relationships (p. 483)
Prepare DNS Zones (p. 484)
Redirect Special Folders to a Standalone DFSN (p. 485)
Relocate Roaming User Profiles to a Standalone DFSN (p. 485)
Configure Member Computers for Host Name Changes (p. 486)
  Conditions for automatic computer name change (p. 486)
  Replication effects of renaming large numbers of computers (p. 487)
  Using Group Policy to apply the new primary DNS suffix (p. 488)
    Apply the new primary DNS suffix before renaming domains (p. 488)
    Apply Group Policy in stages to avoid significant replication (p. 488)
    Configuration required before the application of Group Policy (p. 489)
  Configuring member computers for host name changes in large deployments (p. 490)
    Determine the primary DNS suffix configuration (p. 491)
    Determine whether Group Policy controls the primary DNS suffix (p. 491)
    Configure the domain to allow a primary DNS suffix that does not match the domain name (p. 492)
    Apply Group Policy to set the primary DNS suffix (p. 493)
Prepare Certification Authorities (p. 494)
Exchange-Specific Steps: Prepare a Domain that Contains Exchange (p. 495)
Performing the Domain Rename Operation (p. 496)
Set Up the Control Station (p. 497)
Freeze the Forest Configuration (p. 498)
Back Up All Domain Controllers (p. 499)
Generate the Current Forest Description (p. 499)
Specify the New Forest Description (p. 501)
  Renaming application directory partitions (p. 504)
    DNS data (p. 505)
    TAPI data (p. 506)
  Specifying the source domain controllers (p. 506)
  Reviewing the new forest description (p. 506)
Generate Domain Rename Instructions (p. 507)
Push Domain Rename Instructions to All Domain Controllers and Verify DNS Readiness (p. 510)
  Pushing domain rename instructions to all domain controllers (p. 510)
  Verifying DNS readiness (p. 512)
Verify Readiness of Domain Controllers (p. 514)
Run Domain Rename Instructions (p. 516)
Exchange-Specific Steps: Update the Exchange Configuration and Restart Exchange Servers (p. 519)
Unfreeze the Forest Configuration (p. 519)
Re-establish External Trusts (p. 520)
Fix Group Policy Objects and Links (p. 521)
Completing the Domain Rename Operation (p. 524)
Verify Certificate Security (p. 524)
  Preparing URLs for CRL distribution point and Authority Information Access (AIA) extensions after a domain rename (p. 524)
  Verifying the use of UPNs (p. 525)
  Enabling certificate enrollment in a renamed domain (p. 526)
  Verifying the validity of CRL distribution point and AIA extensions (p. 528)
  Renewing subordinate and issuing CA certificates (p. 529)
  Publish new CRLs (p. 529)
  Updating domain controller certificates (p. 529)
  Changing the user identity for the NDES add-on (p. 530)
Perform Miscellaneous Tasks (p. 530)
Back Up Domain Controllers (p. 532)
Restart Member Computers (p. 533)
Exchange-Specific Steps: Verify the Exchange Rename and Update Active Directory Connector (p. 534)
Perform Attribute Cleanup (p. 534)
Rename Domain Controllers (p. 535)
Additional Resources for the Domain Rename Operation (p. 536)
Appendix A: Command-Line Syntax for the Rendom Tool (p. 536)
Appendix B: Command-Line Syntax for the Gpfixup Tool (p. 541)
Appendix C: Checklists for the Domain Rename Operation (p. 543)
  Satisfying domain rename requirements (p. 544)
  Preparing for the domain rename operation (p. 546)
  Performing the domain rename operation (p. 548)
  Completing the domain rename operation (p. 549)
Appendix D: Worksheets for the Domain Rename Operation (p. 550)
  Worksheet 1: Domain Name Change Information (p. 550)
  Worksheet 2: Trust Information (p. 550)
  Worksheet 3: DNS Zone Information (p. 551)
  Worksheet 4: DFSN, Folder Redirection, and Roaming Profiles (p. 551)
  Worksheet 5: Domain Controller Information (p. 552)
  Worksheet 6: Domain Rename Execution Readiness (p. 552)
  Worksheet 7: Certification Authority (CA) Information (p. 553)
Additional Resources (p. 553)
Active Directory Domain Services Operations Guide

This operations guide provides administration and management information for Active Directory Domain Services (AD DS) directory service technologies in the Windows Server 2008 operating system.

In this guide
- New in This Guide
- Administering Active Directory Domain Services

Acknowledgments

Produced by: Microsoft Windows Server Directory and Access Services (DAS) IT Pro Content Team
Writers: Mary Hillman, Gayana Bagdasaryan
Editor: Jim Becker
Technical reviewers: Umit Akkus, David Beach, Arren Conner, Gregoire Guetat, Xin He, Kurt Hudson, Jessie Li, Herbert Mauerer, Joe Patterson, Ned Pyle, Wakkas Rafiq, Ryan Sizemore, Ingolfur Arnar Strangeland, Mahesh Unnikrishnan
New in This Guide

This is the first release of the operations guide for Active Directory Domain Services (AD DS) in Windows Server 2008. This guide will be updated periodically to incorporate new information, updates, customer feedback, and corrections. For Windows Server 2008, this operations guide contains the section Administering Active Directory Domain Rename, which is not included in the Active Directory Operations Guide for Windows Server 2003.
Administering Active Directory Domain Services

This guide provides information about administering components of Active Directory Domain Services (AD DS) in Windows Server 2008. The information includes detailed procedures for managing domain controllers, sites, trusts, and other components of AD DS.

In this guide
- Introduction to Administering Active Directory Domain Services
- Administering Domain and Forest Trusts
- Administering the Windows Time Service
- Administering DFS-Replicated SYSVOL
- Administering the Global Catalog
- Administering Operations Master Roles
- Administering Active Directory Backup and Recovery
- Administering Intersite Replication
- Administering the Active Directory Database
- Administering Domain Controllers
- Administering Active Directory Domain Rename
- Additional Resources
Introduction to Administering Active Directory Domain Services

This guide explains how to administer Active Directory Domain Services (AD DS) in Windows Server 2008. These activities are part of the operations phase of the information technology (IT) life cycle. If you are not familiar with this guide, review the following sections of this introduction.
When to use this guide

Use this guide when:
- You want to manage common Active Directory problems that are associated with misconfiguration.
- You want to configure AD DS to increase network availability.

This guide assumes a basic understanding of what AD DS is, how it works, and why your organization uses it to access, manage, and secure shared resources across your network. It also assumes a thorough understanding of how AD DS is deployed and managed in your organization. This includes an understanding of the mechanism your organization uses to configure and manage Active Directory settings.

This guide can be used by organizations that have deployed Windows Server 2008. It includes information that is relevant to different roles in an IT organization, including IT operations managers, administrators, and operators. This information includes management-level knowledge about AD DS and administrator-level information about the IT processes that are required to operate it.

This guide contains detailed procedures that are designed for operators (or designated users) who have varied levels of expertise and experience. Although the procedures provide operator guidance from start to finish, operators must have a basic proficiency with Microsoft Management Console (MMC) and MMC snap-ins. Operators must also know how to start administrative programs and access the command line. If operators are not familiar with AD DS, it might be necessary for IT planners, managers, or administrators to review the relevant operations in this guide and provide the operators with the parameters or data that they must enter when they perform the operations.
How to use this guide

This guide includes the following types of topics:
- Objectives are high-level goals for administering AD DS. Each objective consists of one or more high-level tasks that describe how the objective is accomplished. In this guide, "Managing the Windows Time Service" is an example of an objective.
- Tasks contain groups of procedures for achieving the goals of an objective. In this guide, "Configuring a time source for the forest" is an example of a task.
- Procedures provide step-by-step instructions for completing tasks. In this guide, "Configure a domain controller in the parent domain as a reliable time source" is an example of a procedure topic.

If you are an IT manager who is delegating tasks to operators in your organization:
- Read through the objectives and tasks to determine how to delegate permissions.
- Determine whether you need to install tools before operators perform the procedures for each task. Before you assign tasks to individual operators, ensure that all the tools are installed where operators can use them.
- When necessary, create tear sheets for each task that operators perform in your organization. Cut and paste the task and its related procedures into a separate document. Then you can either print this document or store it online.
Administering