8/12/2019 Active Directory POG[1]
Active Directory Product Operations Guide
Managing the Windows Server Platform
Contents

Introduction to Product Operations Guide .... 1
  Document Purpose .... 1
  Intended Audience .... 1
  How to Use This Guide .... 1
  Background .... 2
High-Level Processes for Maintaining Active Directory .... 5
  Overview .... 5
  Technology Required .... 6
  Maintenance Processes Checklist .... 9
    Operating Quadrant .... 9
    Supporting Quadrant .... 11
    Optimizing Quadrant .... 12
    Changing Quadrant .... 14
Detailed Maintenance Actions .... 17
  Overview .... 17
  Process: Back up Active Directory .... 18
    Task: Back up Active Directory and associated components .... 21
  Process: Non-authoritative restore of Active Directory .... 22
    Task: Perform a non-authoritative restore of a domain controller .... 22
    Task: Restore a domain controller through reinstallation and subsequent restore from backup .... 23
  Process: Authoritative restore for Active Directory objects .... 24
    Task: Perform an authoritative restore of one or more directory objects .... 25
    Task: Perform an authoritative restore of an application partition .... 27
    Task: Perform an authoritative restore of Group Policy .... 27
  Process: Recovering a domain controller through reinstallation .... 29
    Task: Recovering a domain controller through reinstallation .... 29
  Process: Installing a domain controller for an existing domain .... 31
    Task: Preparing for Active Directory installation .... 32
    Task: Install Active Directory .... 34
    Task: Install Active Directory from media .... 34
    Task: Unattended install of Active Directory .... 35
    Task: Verify Active Directory installation .... 35
  Process: Removing Active Directory .... 37
    Task: Decommission the domain controller .... 38
    Task: Forced removal of a domain controller .... 39
  Process: Rename a domain controller .... 41
    Task: Rename using the System Properties user interface .... 41
    Task: Rename using the Netdom command-line tool .... 42
  Process: Manage the Active Directory database .... 43
    Task: Relocate Active Directory database files .... 44
    Task: Returning unused disk space from the Active Directory database to the file system .... 46
  Process: Managing the SYSVOL .... 48
    Task: Changing the space allocated to the staging area .... 50
    Task: Relocate the staging area .... 50
    Task: Relocating SYSVOL manually .... 51
    Task: Updating the system volume path .... 53
    Task: Restoring and rebuilding SYSVOL .... 53
  Process: Manage the Windows Time service .... 55
    Task: Configuring a time source for the forest .... 56
    Task: Configuring a reliable time source on a computer other than the PDC emulator .... 57
    Task: Configuring a client to request time from a specific time source .... 57
    Task: Optimizing the polling interval .... 58
    Task: Disabling the Windows Time service .... 58
  Process: Managing trusts .... 59
    Task: Creating external trusts .... 60
    Task: Creating shortcut trusts .... 61
    Task: Removing manually created trusts .... 62
    Task: Preventing unauthorized privilege escalation .... 62
    Task: Creating cross-forest trusts .... 63
    Task: Managing selective authentication on a cross-forest trust .... 64
    Task: Removing the forest trust .... 64
  Process: Managing sites .... 65
    Task: Adding a new site .... 66
    Task: Adding a subnet to the network .... 67
    Task: Linking sites for replication .... 68
    Task: Changing site link properties .... 68
    Task: Moving a domain controller to a different site .... 69
    Task: Removing a site .... 71
  Process: Manage antivirus software on domain controllers .... 74
    Task: Exclude files not at risk of infection .... 74
    Task: Install software .... 76
  Process: Add a global catalog .... 77
    Task: Add the global catalog to a domain controller .... 78
    Task: Verify the global catalog readiness .... 80
  Process: Removing the global catalog from a domain controller .... 81
    Task: Remove a global catalog .... 81
  Process: Identify global catalog servers in a site .... 82
    Task: Identifying a global catalog server .... 82
    Task: Identifying a site that has no global catalog servers .... 82
    Task: Identifying sites that have universal group caching enabled .... 82
  Process: Move an operations master role .... 83
    Task: Designating a domain controller for an operations master role .... 88
    Task: Verifying the transfer of an operations master role .... 89
  Process: Reduce the workload on the PDC emulator .... 90
    Task: Adjusting the DNS weight setting .... 90
    Task: Adjusting the DNS priority registry setting .... 91
  Process: Transferring a role holder .... 92
    Task: Transfer to the standby operations master role .... 93
    Task: Transfer an operations master role when no standby is ready .... 93
  Process: Seize an operations master role .... 95
    Task: Seizing an operations master role .... 97
  Process: Choose a standby operations master .... 99
    Task: Choosing a standby operations master .... 100
Processes by MOF Role Clusters .... 103
  Operations Role Cluster .... 103
  Support Role Cluster .... 104
  Release Role Cluster .... 104
  Infrastructure Role Cluster .... 105
  Security Role Cluster .... 106
  Partner Role Cluster .... 106
Appendix .... 107
  Procedure Details .... 107
Contributors

Program Manager
Jeff Yuhas, Microsoft Corporation
Chris Macaulay, Microsoft Corporation

Lead Contributors
Nigel Cain, Microsoft Corporation
Arren Conner, Microsoft Corporation
Dmitry Dukat, Microsoft Corporation
Levon Esibov, Microsoft Corporation
Khushru Irani, Microsoft Corporation
Kamal Janardhan, Microsoft Corporation
Gregory Johnson, Microsoft Corporation
William Lees, Microsoft Corporation
Andreas Luther, Microsoft Corporation
Kevin Sims, Microsoft Corporation
Jeromy Statia, Microsoft Corporation

Test Manager
Greg Gicewicz, Microsoft Corporation

QA Manager
Jim Ptaszynski, Microsoft Corporation

Lead Technical Writer
Jerry Dyer, Microsoft Corporation

Lead Technical Editor
Laurie Dunham, Microsoft Corporation

Technical Editor
Patricia Rytkonen, Volt Technical Services

Production Editor
Kevin Klein, Volt Technical Services
1 Introduction to Product Operations Guide
Document Purpose

This guide describes processes and procedures for improving the management of the Microsoft Active Directory directory service in an information technology (IT) infrastructure.

Intended Audience

This material should be useful for anyone planning to deploy this product into an existing IT infrastructure, especially one based on the IT Infrastructure Library (ITIL), a comprehensive set of best practices for IT service management, and the Microsoft Operations Framework (MOF). It is aimed primarily at two main groups: IT managers and IT support staff (including analysts and service-desk specialists).

How to Use This Guide

This guide is divided into five chapters. The first chapter provides basic background information. The second chapter provides a high-level checklist of the processes required for maintaining this product. The third chapter takes a more detailed look at the processes described in the maintenance chapter and maps them to the tasks and procedures that make up each process. The fourth chapter organizes processes by the role responsible for each process. The fifth chapter contains an appendix with procedure details, including requirements and steps.

The guide may be read as a single volume, including the detailed maintenance and troubleshooting sections. Reading the document this way will provide the necessary context so that later material can be understood more readily. However, some people will prefer to use the document as a reference, only looking up information as they need it.
Background

This guide is based on Microsoft Solutions for Management (MSM). MSM provides a combination of best practices, best-practice implementation services, and best-practice automation, all of which help customers achieve operational excellence as demonstrated by high quality of service, industry reliability, availability, security, and low total cost of ownership (TCO).

These MSM best practices are based on MOF, a structured, yet flexible approach centered on ITIL. MOF includes guidelines on how to plan, deploy, and maintain IT operational processes in support of mission-critical service solutions.

Central to MOF and to understanding the structure of this guide are the MOF Process and Team Models. The Process Model and its underlying service management functions (SMFs) are the foundation for the process-based approach that this guide recommends for maintaining a product. The Team Model and its role clusters offer guidance for how to ensure the proper people are assigned to operational roles.

Figure 1 shows the MOF Process Model combined with the SMFs that make up each quadrant of the Process Model.

Figure 1 MOF Process Model and SMFs
Figure 2 shows the MOF Team Model, along with some of the many functional roles or function teams that might exist in service-management organizations. Those roles and function teams are shown mapped to the MOF role cluster to which they would likely belong.

Figure 2 MOF Team Model and examples of functional roles or teams

Release: Change management; Release/systems engineering; Configuration control/asset management; Software distribution/licensing; Quality assurance
Operations: Messaging operations; Database operations; Network administration; Monitoring/metrics; Availability management
Security: Intellectual property protection; Network and system security; Intrusion detection; Virus protection; Audit and compliance admin; Contingency planning
Partner: Maintenance vendors; Environment support; Managed services, outsourcers, trading partners; Software/hardware suppliers
Infrastructure: Enterprise architecture; Infrastructure engineering; Capacity management; Cost/IT budget management; Resource and long-range planning
Support: Service desk/help desk; Production/production support; Problem management; Service level management
The MOF Team Model is built on six quality goals, which are described and matched with the applicable team role cluster in Table 1.

Table 1. MOF Team Model Quality Goals and Role Clusters

Quality Goal | Team Role Cluster
Effective release and change management. Accurate inventory tracking of all IT services and systems. | Release
Management of physical environments and infrastructure tools. | Infrastructure
Quality customer support and a service culture. | Support
Predictable, repeatable, and automated system management. | Operations
Mutually beneficial relationships with service and supply partners. | Partner
Protected corporate assets, controlled authorization, and proactive security planning. | Security
Further information about MSM and MOF is available at http://www.microsoft.com/solutions/msm/techinfo/default.asp, or search for the topic on TechNet at http://www.microsoft.com/technet/default.asp. You can also contact your local Microsoft or partner representative.
2 High-Level Processes for Maintaining Active Directory
Overview
Every company consists of employees (people), activities that those employees perform (processes), and tools that help them perform those activities (technology). No matter what the business, it most likely consists of people, processes, and technology working together to achieve a common goal. Table 2 illustrates this point.

Table 2. People, Processes, and Technology Working Together

Area | People | Process | Technology
Auto repair industry | Mechanic | Repair manual | Socket set
Software development industry | Programmer | Project plan | Compiler; debugger
IT operations | IT technician | Microsoft Operations Framework | Microsoft Active Directory

The focus of this product operations guide is the Active Directory directory service, the directory service for the Microsoft Windows Server 2003 family. Active Directory stores information about objects on the network; its logical, hierarchical organization of directory information makes it easy for administrators and users to find this information. Windows Server 2003 brings many improvements to Active Directory, making it more versatile, dependable, and economical to use. In Windows Server 2003, Active Directory provides increased performance and scalability. It also allows you greater flexibility for designing, deploying, and managing an organization's directory.
Technology Required

Table 3 lists the tools or technologies used in the processes, and their subordinate tasks and procedures, described in this guide. All tools should be accessed from a Windows Server 2003 server console, except in those cases where a link is provided.

Table 3. Tools or Technologies Required to Manage Active Directory

Backup utility
  Description: Performs backup and restore operations. It is automatically installed with Windows Server 2003. In Windows Server 2003, the backup utility is Backup.exe. The wizard, or basic mode, is called Backup or Restore Wizard; in advanced mode, it is called Backup Utility.
  Location: Start > All Programs > Accessories > System Tools > Backup. Or, to open the Backup tool using the command line: Start > Run; in the Open box, type ntbackup and then click OK.

DNS Manager
  Description: Used for modifying DNS parameters. These centralized management and monitoring tools can be found either in Administrative Tools after initial installation of the DNS service, or through Adminpak.msi.
  Location: Start > Control Panel > Administrative Tools. Or, to open DNS Manager using the command line, type: %systemroot%\System32\dnsmgmt.msc

Active Directory Domains and Trusts Microsoft Management Console snap-in
  Description: Used for modifying Active Directory domains and trusts. These centralized management and monitoring tools can be found either in Administrative Tools after initial installation of Active Directory, or through Adminpak.msi.
  Location: Start > Control Panel > Administrative Tools. Or, to open the MMC snap-in using the command line, type: %systemroot%\System32\domain.msc

Active Directory Installation Wizard
  Description: Used to promote or demote a domain controller.
  Location: Start > Run > dcpromo

Active Directory Schema snap-in
  Description: Used for modifying the Active Directory schema. This tool does not appear by default in Administrative Tools.
  Location: Open the MMC snap-in using the command line; type: %systemroot%\System32\schmmgmt.msc
Active Directory Sites and Services MMC snap-in
  Description: Used for modifying Active Directory sites and services. This centralized management and monitoring tool can be found either in Administrative Tools after initial installation of Active Directory, or through Adminpak.msi.
  Location: Start > Control Panel > Administrative Tools. Or, to open the MMC snap-in using the command line, type: %systemroot%\System32\dssit.msc

Active Directory Users and Computers MMC snap-in
  Description: Used for modifying Active Directory users and computers. These centralized management and monitoring tools can be found either in Administrative Tools after initial installation of Active Directory, or through Adminpak.msi.
  Location: Start > Control Panel > Administrative Tools. Or, to open the MMC snap-in using the command line, type: %systemroot%\System32\dsa.msc

ADSI Edit MMC snap-in
  Description: Used for editing Active Directory to add, delete, or move objects within the directory. This centralized management and monitoring tool can be found either in Administrative Tools after initial installation of Active Directory, or through Adminpak.msi.
  Location: Open the MMC snap-in using the command line; type: %systemroot%\System32\adsiedit.msc

Dcdiag.exe
  Description: This command-line tool analyzes the state of domain controllers in the forest or enterprise and reports any problems to assist in troubleshooting.
  Location: Start > Run > dcdiag.exe

Event Viewer
  Description: Provides logs for transactional, reactive reviews of system and service events. It is automatically installed with Windows Server 2003.
  Location: Start > Control Panel > Administrative Tools > Event Viewer. Or, to open Event Viewer using the command line: Start > Run; in the Open box, type eventvwr.msc and then click OK.

Ldp.exe
  Description: Used to connect, bind, search, modify, add, and delete against any LDAP-compatible directory such as Active Directory. Used to view objects stored in Active Directory along with their metadata.
  Location: Start > Run; in the Open box, type ldp.exe and then click OK.
Net.exe
  Description: A set of commands for a variety of tasks, such as managing user accounts and computer accounts, sending messages, and managing shared resources.
  Location: Start > Run > cmd; at the command prompt, type net to see options.

Netdiag.exe
  Description: Helps isolate networking and connectivity problems by performing a series of tests to determine the state of the network client.
  Location: Start > Run > cmd; at the command prompt, type netdiag /? to see options.

Netdom.exe
  Description: Enables administrators to manage Windows 2000 and Windows Server 2003 domains and trust relationships from the command line.
  Location: Start > Run > cmd; at the command prompt, type netdom /? to see options.

Nltest.exe
  Description: Helps you get a list of domain controllers, force a remote shutdown, and query the status of trust relationships.
  Location: Start > Run > cmd; at the command prompt, type nltest /? to see options.

Ntdsutil.exe
  Description: Used to perform database maintenance of Active Directory, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled.
  Location: Start > Run > cmd; at the command prompt, type ntdsutil /? to see options.

Registry Editor
  Description: Enables you to view and change settings within the registry.
  Location: Start > Run > regedit

Repadmin.exe
  Description: Command-line tool that helps administrators diagnose replication problems between domain controllers.
  Location: Start > Run > cmd; at the command prompt, type repadmin /? to see options.

Secedit.exe
  Description: Configures and analyzes system security by comparing the current configuration with at least one security template.
  Location: Start > Run > cmd; at the command prompt, type secedit /? to see options.

Services snap-in
  Description: MMC snap-in that allows you to start, stop, or restart Windows services.
  Location: Start > Run > MMC > Services.msc

Ultrasound
  Description: A tool that allows administrators to monitor the health of the File Replication service (FRS).
  Location: See www.microsoft.com for more information on the Ultrasound utility.
W32tm.exe
  Description: A tool used to diagnose problems having to do with Windows time.
  Location: Start > Run > cmd; at the command prompt, type w32tm /? to see options.
Maintenance Processes Checklist

The following tables provide a quick reference for those product maintenance processes that need to be performed on a regular basis. These tables represent a summary of the processes, and their subordinate tasks and procedures, described in more detail in subsequent chapters of this guide. They are limited to those processes required for maintaining the product.

Only the pertinent MOF quadrants and SMFs are addressed in this chapter. For example, there are no processes that fall within the Supporting Quadrant. There is a placeholder for the Supporting Quadrant, but no tables.

Also, because all of the Active Directory maintenance processes addressed here fall into the as-needed category, the daily, weekly, and monthly portions of the tables are blank. Only the portion of each table that has associated processes is filled in.

Each listed process is linked to a detailed explanation of the process in the following chapter.

Operating Quadrant

The processes for this section are based on the service management functions that make up the MOF Operating Quadrant. Further information on the MOF Process Model and the MOF SMFs is available at http://www.microsoft.com/solutions/msm and http://www.microsoft.com/mof.
System Administration SMF

Daily Processes
Process Name | Related SMF | MOF Role Cluster
Back up Active Directory | | Operations

Weekly Processes
Process Name | Related SMF | MOF Role Cluster
There are no weekly processes for this SMF.

Monthly Processes
Process Name | Related SMF | MOF Role Cluster
There are no monthly processes for this SMF.

As-Needed Processes
Process Name | Related SMF | MOF Role Cluster
Restore Active Directory | | Operations
Rename a domain controller | | Operations
Transferring a role holder | | Infrastructure
Seize an operations master role | | Infrastructure
Choose a standby operations master | | Infrastructure
Managing the SYSVOL | | Infrastructure
Managing sites | | Infrastructure
Authoritative restore for Active Directory objects | | Operations
Recovering a domain controller through reinstallation | | Operations
Move an operations master role | | Infrastructure
Security Administration SMF

Daily Processes
Process Name | Related SMFs | MOF Role Cluster
There are no daily processes for this SMF.

Weekly Processes
Process Name | Related SMFs | MOF Role Cluster
There are no weekly processes for this SMF.

Monthly Processes
Process Name | Related SMFs | MOF Role Cluster
There are no monthly processes for this SMF.

As-Needed Processes
Process Name | Related SMFs | MOF Role Cluster
Manage antivirus software on domain controllers | | Security

Supporting Quadrant

There are no Active Directory processes that fall within the MOF Supporting Quadrant and its SMFs.
Optimizing Quadrant

The tasks for this section are based on the SMFs that make up the MOF Optimizing Quadrant.

Availability Management SMF

Daily Processes
Process Name | Related SMFs | MOF Role Cluster
There are no daily processes for this SMF.

Weekly Processes
Process Name | Related SMFs | MOF Role Cluster
There are no weekly processes for this SMF.

Monthly Processes
Process Name | Related SMFs | MOF Role Cluster
There are no monthly processes for this SMF.

As-Needed Processes
Process Name | Related SMFs | MOF Role Cluster
Manage the Active Directory database | | Infrastructure
Add a global catalog | | Infrastructure
Manage the Windows Time service | | Infrastructure
Managing trusts | | Infrastructure
Capacity Management SMF

Daily Processes
Process Name | Related SMFs | MOF Role Cluster
There are no daily processes for this SMF.

Weekly Processes
Process Name | Related SMFs | MOF Role Cluster
There are no weekly processes for this SMF.

Monthly Processes
Process Name | Related SMFs | MOF Role Cluster
There are no monthly processes for this SMF.

As-Needed Processes
Process Name | Related SMFs | MOF Role Cluster
Removing the global catalog from a domain controller | | Infrastructure
Identify global catalog servers in a site | | Infrastructure
Reduce the workload on the PDC emulator | | Infrastructure
Changing Quadrant
The processes for this section are based on the SMFs that make up the MOF Changing Quadrant.
Release Management SMF
Daily Processes
Process Name | Related SMFs | MOF Role Cluster
There are no daily processes for this SMF.
Weekly Processes
Process Name | Related SMFs | MOF Role Cluster
There are no weekly processes for this SMF.
Monthly Processes
Process Name | Related SMFs | MOF Role Cluster
There are no monthly processes for this SMF.
As-Needed Processes
Process Name | Related SMFs | MOF Role Cluster
Installing a domain controller for an existing domain | | Release
3 Detailed Maintenance Actions
Overview
This chapter provides detailed information about the processes that must be performed in order to maintain Active Directory. These processes are arranged according to the MOF quadrant to which they belong and, within each quadrant, by the MOF service management functions (SMFs) that make up that quadrant.
Those quadrants are:
Operating Quadrant
Supporting Quadrant
Optimizing Quadrant
Changing Quadrant
Further information about the MOF Process Model and the MOF SMF guides is available at http://www.microsoft.com/solutions/msm . Further information about the MOF Team Model and role clusters is available at http://www.microsoft.com/mof .
Operating Quadrant System Administration SMF
Operations Role Cluster Daily
Process: Back up Active Directory
Description
Active Directory is backed up as part of Microsoft Windows system state, a collection of system components that depend on each other. All system state components must be backed up and restored together.
The system state components on a domain controller include:
- System start-up (boot) files. These are the files required for Windows Server 2003 to start.
- System registry.
- Class registration database of component services. The Component Object Model (COM) is a binary standard for writing component software in a distributed systems environment.
- System volume (SYSVOL). SYSVOL provides a default Active Directory location for files that must be shared for common access throughout a domain. The SYSVOL folder on a domain controller contains:
  - Net Logon shared folders. These usually host user logon scripts and Group Policy objects (GPOs) for network clients that are not running Windows 2003-based computers.
  - User logon scripts for Active Directory-enabled clients.
  - Windows 2003 GPOs.
  - File system junctions.
  - File Replication service (FRS) staging directories and files that are required to be available and synchronized between domain controllers.
- Active Directory, including:
  - The Active Directory database (Ntds.dit)
  - The checkpoint file (Edb.chk)
  - The transaction logs, each 10 megabytes (MB) in size (Edb*.log)
  - Reserved transaction logs (Res1.log and Res2.log)
If you use Active Directory-integrated Domain Name System (DNS), be sure that you back up a domain controller that is hosting DNS. If you do not use Active Directory-integrated DNS, you must explicitly back up the zone files. However, if you back up the system disk along with the system state, zone data is backed up as part of the system disk.
If you installed Windows Clustering or Certificate Services on your domain controller, they are also backed up as part of system state. Details of these components are not discussed in this guide.
Purpose
There are several reasons why a current, verified, and reliable backup is needed:
- To restore Active Directory data that becomes lost or corrupted. Using an authoritative restore process, you can restore individual objects or sets of objects from their deleted state.
- To recover a domain controller that cannot boot normally because of software or hardware failure.
- To perform a forest recovery in the event that forest-wide corruption occurs.
- To perform an install from media operation. This new feature in Windows Server 2003 allows you to promote a new domain controller and populate it with current information from a local source, rather than having to wait for a full sync replication over potentially much slower media (for example, a 56K connection).
Guidelines
Although the Backup tool in Windows Server 2003 supports multiple types of backup (normal, copy, incremental, differential, and daily), the only type of backup available and supported for Active Directory is normal, because Active Directory is backed up as part of system state. A normal backup creates a backup of the entire system state while the domain controller is online.
If you do not use Active Directory-integrated DNS zones, you should include the file paths that contain all of your DNS zone files in the backup, in addition to the system state and/or system disk, to ensure a successful recovery.
Which domain controllers to back up
For every Active Directory domain, you can define a backup set composed of the physical domain controllers that would be required to successfully restore the domain. The collection of domain backup sets ensures that a forest restore operation can be performed.
At a minimum, the backup set consists of two or more domain controllers for each domain and at least one domain controller that is a member of an application partition replica set.
The backup set must contain a system state, a system disk backup for each computer in the set, and a global catalog.
If you are using Active Directory-integrated DNS, it would be useful to back up at least one DNS server.
Note A backup can only be used to restore the domain controller that the backup was generated from. It cannot be used to restore a different domain controller or this domain controller onto different hardware.
When to back up Active Directory
At a minimum, each domain controller in the backup set must be backed up at least twice within the tombstone lifetime. By default, the tombstone lifetime is 60 days, which places the requirement of a backup for each domain controller in the backup set every 30 days.
While monthly backup operations are adequate for successful disaster recovery, they do not facilitate the recovery of new information since the last backup. You will need to consider these changes when you are planning backup frequency. The frequency of backups is dictated both by business requirements and technical requirements and should be adjusted according to your deployment's needs.
By default, machine accounts change their passwords every 30 days. Therefore, domain controllers will also change their machine account passwords every 30 days. If you were to restore a domain controller with an old password, it could result in that domain controller being unable to replicate with its partners. Therefore, to minimize the effect of restoring a domain controller with an old password, you should perform a backup more than once every 30 days.
In addition to regular backup requirements, an immediate backup should be taken when:
- The storage location of the database (Ntds.dit) or log files is changed.
- A domain controller is upgraded from Windows 2000 Server to Windows Server 2003, or any further operating system upgrade is applied.
- A current backup is required for an install from media operation for a new domain controller.
- The tombstone lifetime is changed.
Note A backup from a Windows 2000 Server cannot be used to restore a domain controller running Windows Server 2003.
Active Directory protects itself from restoring data older than the tombstone lifetime by disallowing the restore. As a result, the useful life of a backup is equivalent to the tombstone lifetime setting for the enterprise.
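The two limits above (at least two backups per tombstone lifetime, and one inside the 30-day machine account password cycle) can be checked against a domain controller's last system state backup date. The following PowerShell is an added example, not part of the guide: it reads the tombstoneLifetime attribute from the forest's Directory Service object (absent means the 60-day default) and takes the last backup timestamp as a parameter, since how that date is recorded depends on the backup product; the function names are hypothetical.

```powershell
# Added example (not from the guide). Evaluates backup currency against the
# tombstone lifetime and the machine account password cycle described above.

function Get-TombstoneLifetimeDays {
    # The forest-wide value lives on CN=Directory Service in the configuration
    # partition; when the attribute is not set, Active Directory uses 60 days.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = [string]$rootDse.configurationNamingContext
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $tsl      = $dsObject.Properties["tombstoneLifetime"].Value
    if ($null -eq $tsl) { return 60 }
    return [int]$tsl
}

function Test-AdBackupCurrency {
    param(
        # Date of the domain controller's last successful system state backup
        [Parameter(Mandatory)][datetime]$LastBackup,
        [int]$TombstoneLifetimeDays  = 60,
        # Default interval at which machine accounts (domain controllers included) rotate passwords
        [int]$MachinePasswordAgeDays = 30,
        [datetime]$Now = (Get-Date)
    )
    $ageDays = [math]::Floor(($Now - $LastBackup).TotalDays)
    $maxDays = [math]::Floor($TombstoneLifetimeDays / 2)   # "at least twice within the tombstone lifetime"

    # Evaluate from least to most severe so the worst applicable verdict wins
    $status = 'Current'
    if ($ageDays -ge $MachinePasswordAgeDays) { $status = 'Warning: machine account password has likely rotated since this backup' }
    if ($ageDays -ge $maxDays)                { $status = 'Overdue: fewer than two backups fit in the tombstone lifetime' }
    if ($ageDays -ge $TombstoneLifetimeDays)  { $status = 'Unusable: older than the tombstone lifetime, the restore will be refused' }

    [pscustomobject]@{
        LastBackup           = $LastBackup
        AgeDays              = $ageDays
        TombstoneLifetime    = $TombstoneLifetimeDays
        RequiredIntervalDays = $maxDays
        Status               = $status
    }
}

# Usage against a live forest; the backup date below is a constructed value.
$tsl = Get-TombstoneLifetimeDays
Test-AdBackupCurrency -LastBackup (Get-Date '2019-07-01') -TombstoneLifetimeDays $tsl
```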
Task: Back up Active Directory and associated components
Procedure: Back up system state
Link to procedure
Procedure: Back up system state and the system disk
Link to procedure
Dependencies
None
Technology Required
Backup
Tape drive or other backup media
Operating Quadrant System Administration SMF
Operations Role Cluster As Needed
Process: Non-authoritative restore of Active Directory
Description
A non-authoritative restore returns the domain controller to its state at the time of backup and then allows normal replication to overwrite that state with any changes that have occurred after the backup was taken. After you restore the system state, the domain controller queries its replication partners. The replication partners replicate any changes to the restored domain controller, ensuring that the domain controller has an accurate and updated copy of the Active Directory database.
Purpose
A non-authoritative restore allows the entire directory to be restored on a domain controller, without reintroducing or changing objects that have been modified since the backup. The most common use of a non-authoritative restore is to bring an entire domain controller back, often after catastrophic or debilitating hardware failures. It is uncommon for data corruption to drive a non-authoritative restore, unless the corruption is local and the database cannot be successfully loaded.
Guidelines
If you intend to restore a deleted object (or objects), you should refer to the procedures outlined for an authoritative restore. A non-authoritative restore should be used any time the entire directory is being restored on a single domain controller in order to deal with a local database corruption or hardware failure. A non-authoritative restore can be performed on a Windows Server 2003 system that is a stand-alone server, member server, or domain controller. A server must be in Directory Services Restore Mode to perform a non-authoritative restore.
Task: Perform a non-authoritative restore of a domain controller
A non-authoritative restore is the default method for restoring Active Directory. To perform a non-authoritative restore, you must be able to start the domain controller in Directory Services Restore Mode. After you restore the domain controller from backup media, replication partners use the standard replication protocols to update both the Active Directory and associated information on the restored domain controller.
Procedure 1: Restart the domain controller in Directory Services Restore Mode
Note In cases where you have to reinstall the operating system: Before you restore the directory, you do not have to perform a non-authoritative restore in Directory Services Restore Mode. After you have reinstalled the operating system, you can perform a restore after the machine boots normally.
Link to procedure.
Procedure 2: Restore from backup media
Link to procedure.
Procedure 3: Verify Active Directory restore
Link to procedure.
Task: Restore a domain controller through reinstallation and subsequent restore from backup
If you cannot restart a domain controller in Directory Services Restore Mode, you can restore it through reinstallation of the operating system, and subsequently restore Active Directory from backup.
In order for the restore operation to succeed, Windows Server 2003 must be reinstalled to the same drive letter as previously and with at least the same amount of physical drive space. After you reinstall Windows Server 2003, perform a non-authoritative restore of the system state and the system disk.
Procedure 1: Install Windows Server 2003
This guide does not address installing Windows Server 2003.
Procedure 2: Restore from backup media
Link to procedure.
Procedure 3: Verify Active Directory restore
Link to procedure.
Dependencies
The domain controller being restored needs to have a previous backup taken with the Backup utility.
Technology Required
Backup
Operating Quadrant System Administration SMF
Operations Role Cluster As Needed
Process: Authoritative restore for Active Directory objects
Description
An authoritative restore process returns an object to its state at the time of the most recent backup. Changes made since the latest backup will be erased. This differs from a non-authoritative restore, which relies on the presence of a replication partner to bring in the current data, including information about objects that were deleted since the backup.
An authoritative restore should not be relied on as part of a change control infrastructure. Proper delegation of administration and change enforcement will optimize data consistency, integrity, and security.
Purpose
An authoritative restore is most commonly used to restore corrupt or deleted objects from the directory (for example, a deleted user account). An authoritative restore should not be used to restore an entire domain controller.
Guidelines
An authoritative restore of a subtree or leaf object restores that subtree or leaf and marks it as authoritative for the directory. This means that the restored object will be replicated out to other domain controllers and will be the data that is maintained moving forward. In cases where the object was deleted, it will be revived; in other cases, the object will be returned to a previous state.
It is important to ensure successful recovery of the information being restored. Group membership is particularly sensitive and can be greatly affected by the procedures that are followed during an authoritative restore.
You begin by restoring from backup media, just as in a non-authoritative restore, and then perform the following additional steps to complete an authoritative restore.
Task: Perform an authoritative restore of one or more directory objects
Note If the objects that were deleted do not include group objects, then you don't need to perform steps 3-10. Additionally, if the groups that were deleted do not have members among the list of deleted objects, then you do not need to perform steps 3-10.
Procedure 1: Restore from backup media
Link to procedure.
Procedure 2: Mark the object(s) authoritative
Once the data has been restored from backup, you must select which objects are to be marked authoritative in order to have them replicated to other domain controllers. In order to complete this operation, you must know the full distinguished name (also known as DN) of the object you wish to restore.
Link to procedure.
Procedure 3: Reboot the computer in isolation
To combat some of the challenges of a distributed system and to ensure successful restoration of data, it is necessary to follow some additional precautions during the authoritative restore process.
Rebooting the machine in isolation helps you prepare for the next step, which is to turn off inbound replication, since you cannot turn off inbound replication in Directory Services Restore Mode.
If you do need to reboot, the most common way to boot a computer in isolation is to remove the network connection from the domain controller by physically removing the network cable. Alternate methods may be possible depending on your network hardware and enterprise practices.
It is important to prevent the domain controller from communicating with any other domain controller in the domain or forest. You should also isolate the domain controller from any clients that could invoke change on any object in the directory.
Procedure 4: Turn off inbound replication using repadmin
By turning off inbound replication, you ensure that no changes replicate into the domain controller and alter group membership.
Link to procedure.
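The repadmin options behind Procedure 4 are easy to issue and easy to leave in the wrong state, so the toggle is worth verifying rather than assuming. The following PowerShell is an added example, not the guide's own procedure: it wraps repadmin /options with the +DISABLE_INBOUND_REPL and -DISABLE_INBOUND_REPL flags, reads the options back, and fails loudly if the requested state did not take. It assumes repadmin.exe is on the path, the caller holds Domain Admin rights, and the DC name DC01 is a placeholder; the function name is hypothetical.

```powershell
# Added example (not from the guide): wraps the repadmin options used in this
# procedure so that the state of inbound replication is verified after each
# change rather than assumed. Assumes repadmin.exe is on the path and the
# caller holds Domain Admin rights on the isolated domain controller.
function Set-InboundReplication {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][ValidateSet('Disable', 'Enable')][string]$Action
    )
    # +DISABLE_INBOUND_REPL sets the DSA option, -DISABLE_INBOUND_REPL clears it
    $flag = if ($Action -eq 'Disable') { '+DISABLE_INBOUND_REPL' } else { '-DISABLE_INBOUND_REPL' }
    & repadmin /options $DomainController $flag | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "repadmin /options $flag failed on $DomainController (exit code $LASTEXITCODE)"
    }

    # Called without a flag, repadmin /options prints the current DSA options
    $current  = & repadmin /options $DomainController
    $disabled = [bool]($current -match 'DISABLE_INBOUND_REPL')
    $expected = ($Action -eq 'Disable')
    if ($disabled -ne $expected) {
        throw "Inbound replication on $DomainController is not in the requested state. repadmin reports: $($current -join ' ')"
    }
    return $disabled
}

# Procedure 4: block inbound replication on the isolated DC before the restored
# group objects are marked authoritative; the DC name is a placeholder.
Set-InboundReplication -DomainController 'DC01' -Action Disable

# Once the authoritative restore and its remaining steps are complete, clear the
# option again so the DC rejoins the replication topology:
# Set-InboundReplication -DomainController 'DC01' -Action Enable
```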
Operating Quadrant System Administration SMF
Operations Role Cluster As Needed
Process: Recovering a domain controller through reinstallation
Description
Recovering through reinstallation is the same process as creating a new domain controller. It does not involve restoring from backup media. This method relies on Active Directory replication to restore a domain controller to a working state and is valid only if another healthy domain controller exists in the same domain. This option is normally used on computers that function only as a domain controller.
Purpose
Recovering through reinstallation is the only method by which a domain controller that is not part of the backup set can be restored. Additionally, this procedure may be chosen over a non-authoritative restore because of the inaccessibility of the backup media or due to convenience.
Guidelines
This process assumes a complete reinstallation of the operating system. It is recommended that prior to installing the operating system, the entire system disk be formatted, which will remove all information on the system disk. Ensure that any important or relevant data is moved or backed up before performing these actions.
Recovering through reinstallation should not be a substitute for regular backup routines, which are needed to ensure a successful recovery should the need arise, as it depends on the presence of another domain controller in the same domain.
Bandwidth is the primary consideration for recovering a domain controller through reinstallation. The bandwidth required is directly proportional to the size of the Active Directory database and the time in which the domain controller is required to be in a functioning state. Ideally, the existing functional domain controller should be located in the same Active Directory site as the replicating domain controller (new domain controller) in order to reduce network impact and the time the reinstallation takes to complete.
Task: Recovering a domain controller through reinstallation
Procedure 1: Clean up metadata
Link to procedure.
Procedure 2: Install Windows Server 2003
It is assumed that a fresh installation of Windows Server 2003 will be performed. This may be preceded by partition or format actions on your hard disk drive in preparation for the install.
Procedure 3: Verify DNS registration and functionality
Link to procedure.
Procedure 4: Verify communication with other domain controllers
Link to procedure.
Procedure 5: Verify the availability of the operations masters
Link to procedure.
Procedure 6: Install Active Directory
During the installation process, replication occurs, ensuring that the domain controller has an accurate and up-to-date copy of Active Directory. Optionally, use the same information for this domain controller as the domain controller it is replacing. Site placement, domain controller name, and domain membership should remain the same. If you plan on installing the domain controller under a different name, you may wish to also refer to the process: Installing a domain controller for an existing domain.
Link to procedure.
Procedure 7: Verify Active Directory installation
Read and perform the procedures in Task: Verify Active Directory Installation. Link to task.
Dependencies
Domain Administrator credentials
Technology Required
Dcpromo.exe or Backup
Changing Quadrant Release Management SMF
Release Role Cluster As Needed
Process: Installing a domain controller for an existing domain
Description
This process covers the installation of Active Directory onto a Windows Server 2003 system that will become a domain controller in an existing Active Directory domain. For more information regarding the best practices for planning, testing, and deploying Active Directory, refer to the Windows Server 2003 Deployment Kit: Designing and Deploying Directory and Security Services at http://www.microsoft.com/downloads/details.aspx?familyid=6cde6ee7-5df1-4394-92ed-2147c3a9ebbe&displaylang=en .
To ensure successful installation of a new domain controller, you should verify that all critical services that Active Directory depends on are configured following Microsoft best practices.
Active Directory is installed on a Windows Server 2003 server by running the Active Directory Installation Wizard. The wizard simplifies the promotion process by automating as much of the installation as possible. To run the Active Directory Installation Wizard, you must be a member of the Domain Administrators group.
Purpose
There are several motivations for adding a new domain controller. Additional applications (Active Directory-integrated as opposed to those running on domain controllers) may be required to meet increased capacity requirements, provide upgrades and fault tolerance, and reduce failures. For more information on criteria for deploying a new domain controller and best practices for Active Directory, refer to the Windows Server 2003 Deployment Kit: Designing and Deploying Directory and Security Services.
Guidelines
Before you begin your installation, the following conditions must exist in your environment:
- Your Active Directory forest root domain must already exist with at least two properly functioning domain controllers.
- If you are installing a new domain controller for a child domain, there should be at least two properly functioning domain controllers in the forest root domain.
- DNS must be functioning properly.
- This guide assumes you are using Active Directory-integrated DNS zones. You must configure at least one domain controller as a DNS server.
Creating or removing a domain or forest is beyond the scope of this guide.
Task: Preparing for Active Directory installation
Properly preparing for the installation of Active Directory decreases the chances of problems occurring during the installation process and helps you quickly complete the operation. Preparation includes installing and configuring DNS and gathering information that you need for the installation.
Configure DNS
The DNS client is always present on a server running Windows Server 2003. You should properly configure both the DNS client and the DNS server to ensure that name resolution and related dependencies will function as expected during the installation of Active Directory.
Ensure that any required configuration, forwarders, or zones are present and accessible prior to installation. For more information about DNS configuration best practices, see the Windows Server 2003 Deployment Kit: Designing and Deploying Directory and Security Services at http://www.microsoft.com/downloads/details.aspx?familyid=6cde6ee7-5df1-4394-92ed-2147c3a9ebbe&displaylang=en .
Site Placement
During installation, the Active Directory Installation Wizard attempts to place the new domain controller in the appropriate site. The appropriate site is determined by the domain controller's IP address and subnet mask. The wizard uses the IP information to calculate the subnet address of the domain controller and checks to see if a Subnet object exists in the directory for that subnet address. If the Subnet object exists, the wizard uses it to place the new Server object in the appropriate site. If not, the wizard places the new Server object in the same site as the domain controller that is being used as a source to replicate the directory database to the new domain controller. Make sure the Subnet object has been created for the desired site prior to running the wizard.
A site is allocated according to the following rules:
1. If you specify a site in the Unattended text file that is used to create the new domain controller, the domain controller will be placed directly into that site when it is built.
2. If no site is specified in the Unattended text file when the new domain controller is built, then by default the domain controller will be placed in a site based on its IP address.
3. If you specify a replica partner in the Unattended text file but do not specify a site, the new domain controller should be placed in the replica partner's site.
4. If the replica partner or site is not specified, then the allocation of the site is random. It will depend on the replica partner selected for initial replication.
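The subnet lookup the wizard performs can be reproduced ahead of time, so the site a new domain controller will land in is known before the wizard runs and a missing Subnet object shows up as a null result instead of a surprise placement. The following PowerShell is an added example, not the guide's own procedure: it does the IPv4 longest-prefix match over a subnet table, reads that table from the Subnet objects under CN=Subnets,CN=Sites when a forest is reachable, and otherwise works on the constructed sample table at the bottom; all function names and the sample site DNs are assumptions.

```powershell
# Added example (not from the guide): reproduces the wizard's IPv4 subnet-to-site
# lookup so the expected site can be checked before running the wizard.
# Subnet objects live under CN=Subnets,CN=Sites in the configuration partition;
# each one's siteObject attribute holds the distinguished name of its site.

function ConvertTo-IPv4Number ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)       # network byte order -> little-endian for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Find-AdSiteForIp {
    param(
        [Parameter(Mandatory)][string]$IpAddress,
        # Objects with a Prefix property ('10.1.0.0/16') and a Site property (site DN)
        [Parameter(Mandatory)][object[]]$Subnets
    )
    $ipNumber = ConvertTo-IPv4Number $IpAddress
    $best = $null
    foreach ($subnet in $Subnets) {
        if ($subnet.Prefix -match ':') { continue }            # IPv6 prefixes are out of scope here
        $network, $length = $subnet.Prefix -split '/'
        $length = [int]$length
        # Addresses in the same /n block share the same quotient when divided by 2^(32-n)
        $blockSize = [math]::Pow(2, 32 - $length)
        $sameBlock = [math]::Floor($ipNumber / $blockSize) -eq [math]::Floor((ConvertTo-IPv4Number $network) / $blockSize)
        # Keep the most specific (longest) covering prefix
        if ($sameBlock -and ($null -eq $best -or $length -gt $best.PrefixLength)) {
            $best = [pscustomobject]@{ Prefix = $subnet.Prefix; PrefixLength = $length; Site = $subnet.Site }
        }
    }
    # $null means no Subnet object covers the address; the wizard then falls back
    # to the site of the domain controller it replicates from (rules 3 and 4 above)
    return $best
}

function Get-AdSubnetTable {
    # Reads every Subnet object from the live forest (requires domain connectivity).
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = [string]$rootDse.configurationNamingContext
    $root     = [ADSI]"LDAP://CN=Subnets,CN=Sites,$configNc"
    $searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList $root
    $searcher.Filter = '(objectClass=subnet)'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'siteObject'))
    foreach ($result in $searcher.FindAll()) {
        $siteProp = $result.Properties['siteobject']
        [pscustomobject]@{
            Prefix = [string]$result.Properties['cn'][0]
            # A Subnet object that is not assigned to any site has no siteObject value
            Site   = if ($siteProp.Count -gt 0) { [string]$siteProp[0] } else { $null }
        }
    }
}

# Constructed sample table; swap in (Get-AdSubnetTable) against a real forest.
$sampleSubnets = @(
    [pscustomobject]@{ Prefix = '10.0.0.0/8';     Site = 'CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com' },
    [pscustomobject]@{ Prefix = '10.1.0.0/16';    Site = 'CN=Branch,CN=Sites,CN=Configuration,DC=example,DC=com' },
    [pscustomobject]@{ Prefix = '192.168.5.0/24'; Site = 'CN=Lab,CN=Sites,CN=Configuration,DC=example,DC=com' }
)
Find-AdSiteForIp -IpAddress '10.1.20.7'  -Subnets $sampleSubnets   # covered by two prefixes; the /16 is chosen
Find-AdSiteForIp -IpAddress '172.16.0.9' -Subnets $sampleSubnets   # no covering Subnet object
```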
Domain Connectivity
During the installation process, the Active Directory Installation Wizard needs to communicate with other domain controllers in order to join the new domain controller to the domain. The wizard needs to communicate with a member of the domain to receive the initial copy of the directory database for the new domain controller. It communicates with the domain naming master for domain installs only, so that the new domain controller can be added to the domain. The wizard also needs to contact the relative ID (RID) master so that the new domain controller can receive its RID pool, and it needs to communicate with another domain controller in order to populate the SYSVOL shared folder on the new domain controller. All of this communication depends on proper DNS installation and configuration. By using Netdiag.exe and Dcdiag.exe, you can test all of these connections prior to starting the Active Directory Installation Wizard.
Required Information
The installation wizard asks for the following specific configuration information before it begins installing Active Directory:
- A domain administrator's user name and password
- Location to store the directory database and log files
- The password to use for Directory Services Restore Mode
- The fully qualified DNS name of the domain to which the new domain controller will be added
Have this information ready before you run the Active Directory Installation Wizard.
Procedure 1: Install the DNS Server service
Link to procedure.
Procedure 2: Gather the SYSVOL path installation information
Link to procedure.
Procedure 3: Verify DNS registration and functionality
Link to procedure.
Procedure 4: Verify that an IP address maps to a subnet and determine the site association
Link to procedure.
Procedure 5: Verify communication with other domain controllers
Link to procedure.
Procedure 6: Verify the availability of the operations masters
Link to procedure.
Caution If any of the verification tests fail, do not continue until you determine what went wrong and fix the problems. If these tests fail, the installation is also likely to fail.
Task: Install Active Directory
There are a number of elements to consider when installing Active Directory on a new domain controller. This task addresses the general requirements concerning the site placement, connectivity, and Active Directory Installation Wizard.
The Active Directory Installation Wizard
After you have gathered all the information that you need to run the Active Directory Installation Wizard and have performed the tests to verify that all of the necessary domain controllers are available, you are ready to install Active Directory on your server and turn it into a domain controller.
During the installation process, the wizard asks for information that it needs in order to properly configure the new domain controller. First, it asks if you want to install a domain controller in a new domain or an additional domain controller in an existing domain. Because this guide pertains to adding domain controllers to domains that already exist, choose Additional domain controller in an existing domain.
During the installation process, the wizard needs to communicate with other domain controllers in order to add this new domain controller to the domain and get the appropriate information into the Active Directory database. To maintain security, you must provide credentials that have administrative access to the directory.
Procedure 1: Install Active Directory
Link to procedure.
Task: Install Active Directory from media
Installing Active Directory from media allows you to reduce the replication traffic that is initiated during the installation of an additional domain controller in an Active Directory domain, and thus reduces the time it takes to install a replica domain controller.
This task has three procedures:
1. Back up the system state of an existing domain controller in the same domain as the new domain controller.
2. Restore the system state to an alternate location locally on the new domain controller.
3. Promote the server to a domain controller using the dcpromo /adv option.
Procedure 1: Back up system state
Link to procedure.
Procedure 2: Restore system state to an alternate location
Link to procedure.
Procedure 3: Promote server to domain controller
Link to procedure.
Task: Unattended install of Active Directory
Running an unattended install simplifies the process of setting up Active Directory on multiple computers. The unattended install feature uses an answer file to provide answers to the questions asked during a normal setup. This allows the installation process to proceed from start to completion without user intervention. This method works best when Active Directory is being installed with identical options on many computers.
Procedure 1: Install and run Setup Manager to create an answer file (Unattend.txt)
Link to procedure.
Procedure 2: Run Active Directory automated install
In the Run dialog box, type dcpromo /answer:<answerfile> (where answerfile is the file created with Setup Manager), and click OK.
Task: Verify Active Directory installation
There are several verification tasks that can be performed on a newly promoted domain controller. Successfully completing the requirements of each verification task will provide a strong indication of a healthy, operational domain controller.
Procedure 1: Determine whether a Server object has Child objects
Link to procedure.
Procedure 2: Verify the site assignment for the domain controller
You must ensure that the new domain controller is located in the proper site so that after the installation is complete, the new domain controller can locate replication partners and become part of the replication topology. If the site is not correct, you can use the Active Directory Sites and Services snap-in to move the Server object for the domain controller to the proper site after Active Directory installation is complete.
Note The last dialog box displayed by the Active Directory Installation Wizard lists the site where the new domain controller is installed. If this is not the proper site, you must move the Server object after the server is rebooted.
Link to procedure.
Procedure 3: Move a Server object to a different site if the domain controller is located in the wrong site
Link to procedure.
Procedure 4: Configure DNS server forwarders
Link to procedure.
Procedure 5: Verify DNS configuration
Link to procedure.
Procedure 6: Check the status of the shared SYSVOL
Link to procedure.
Procedure 7: Verify DNS registration and functionality
Link to procedure.
Procedure 8: Verify domain membership for the new domain controller
Link to procedure.
Procedure 9: Verify communication with other domain controllers
Link to procedure.
Procedure 10: Verify replication with other domain controllers
Link to procedure.
Procedure 11: Verify the availability of the operations masters
Link to procedure.
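The following PowerShell script is an added example, not from the guide, that runs the command-line parts of these checks on a newly promoted domain controller and summarises the outcome. It assumes the Windows Server 2003 Support Tools (Dcdiag.exe, Netdiag.exe) are installed, and the server and domain names are constructed placeholders. It complements, rather than replaces, the Server object and site checks made in the Active Directory Sites and Services snap-in.

```powershell
# Added example: post-promotion checks for a new domain controller.
# $dc and $domain are constructed placeholders.
$dc     = 'dc02.corp.example.test'
$domain = 'corp.example.test'
$results = @()

function Add-Result([string]$Check, [bool]$Passed, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

# Procedure 2: site assignment. nltest reports the site this DC has been placed in.
$site = nltest /dsgetsite 2>&1
Add-Result 'Site assignment' ($LASTEXITCODE -eq 0) ([string]($site | Select-Object -First 1))

# Procedure 6: the SYSVOL (and NETLOGON) shares appear only once initial
# replication has finished; until then the DC does not advertise itself.
$shares = net share 2>&1
Add-Result 'SYSVOL share'   ([bool]($shares -match '^SYSVOL\s'))   ''
Add-Result 'NETLOGON share' ([bool]($shares -match '^NETLOGON\s')) ''

# Procedure 7: DNS registration. The domain's DC locator SRV records should name this DC.
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" 2>&1
Add-Result 'DNS SRV registration' ([bool]($srv -match ('svr hostname\s*=\s*' + [regex]::Escape($dc)))) ''

# Procedures 9-11: connectivity, replication, advertising and operations master
# availability. dcdiag prints "passed test" / "failed test" for each test run.
$dcdiag = dcdiag /s:$dc /test:Connectivity /test:Replications /test:Advertising /test:KnowsOfRoleHolders /test:FsmoCheck 2>&1
$failed = @($dcdiag -match 'failed test')
Add-Result 'dcdiag' ($failed.Count -eq 0) ($failed -join '; ')

# netdiag /q reports only failures (DNS, Kerberos, secure channel, and so on).
$netdiag = netdiag /q 2>&1
$netFailed = @($netdiag -match 'Failed')
Add-Result 'netdiag' ($netFailed.Count -eq 0) ($netFailed -join '; ')

$results | Format-Table Check, Passed, Detail -AutoSize
```

Run it on the new domain controller itself; a false in the Passed column points at the procedure above whose linked steps describe the fix.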
Dependencies
The following access levels are required:
Domain user
Domain admin
Technology Required
Active Directory Sites and Services (administrative tools)
DNS Manager
Event Viewer
Netdiag.exe
Dcdiag.exe
Ntdsutil.exe (system tool)
Changing Quadrant Change Management SMF
Release Role Cluster As Needed
Process: Removing Active Directory
Description A domain controller can be removed from a domain in one of two ways: by removing Active Directory or by a system failure that renders the domain controller inoperable so that you cannot restore it to service.
Purpose
A domain controller might need to be removed when:
You no longer need the domain controller.
The domain controller's connection to the rest of the network may not be sufficient.
The domain controller has suffered a hardware failure that will not be quickly repaired.
Guidelines
Similarly to how you can install Active Directory to turn a Windows 2003 based server into a domain controller, you can remove Active Directory to turn a Windows 2003 based domain controller back into a server. This process removes most of the references to the domain controller from the directory. You must manually remove the Server object that represents the domain controller from the computer container after you remove Active Directory. This method properly removes the domain controller from the directory.
A hardware failure on a domain controller can render it inoperable. If the problem is severe enough, you might never be able to return the domain controller to service. In this case, the other domain controllers eventually reconfigure themselves so that they can continue to replicate directory information without the failed domain controller.
When a domain controller is removed from the domain without removing Active Directory, all the information about that domain controller remains in the directory. You must take additional steps to remove this information from the directory.
Task: Decommission the domain controller
Demoting a domain controller effectively removes all Active Directory and related components and returns the domain controller to a member server role.
Procedure 1: View the current operations master role holders
To avoid problems, transfer any operations master roles prior to running the Active Directory Installation Wizard to decommission a domain controller so that you can control the operations master role placement. If you need to transfer any roles from a domain controller, understand all the recommendations for role placement before performing the transfer.
Caution During the decommissioning process, the Active Directory Installation Wizard will attempt to transfer any remaining operations master roles to other domain controllers without any user interaction. However, if a failure occurs, the wizard will continue to demote and leave your domain without roles. Also, you do not have control over which domain controller receives the roles. The wizard transfers the roles to any available domain controller and does not indicate which domain controller hosts them.
Link to procedure.
Procedure 2: Transfer the forest-level operations master roles
This is required only if this domain controller hosts either the schema master or domain naming master roles.
Link to procedure.
Procedure 3: Transfer the domain-level operations master roles
This is required only if this domain controller hosts the PDC emulator, infrastructure master, or RID master.
Link to procedure.
Procedure 4: Determine whether a domain controller is a global catalog server
If you remove Active Directory from a domain controller that hosts a global catalog, the Active Directory Installation Wizard confirms that you want to continue with removing Active Directory. This confirmation ensures that you are aware that you are removing a global catalog from your environment. Do not remove the last global catalog server from your environment because users cannot log on without an available global catalog server. If you are not sure, do not proceed with removing Active Directory until you know that at least one other global catalog server is available.
Link to procedure.
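As an added example, not from the guide, this PowerShell script answers Procedures 1 and 4 without the snap-ins: it reads the five fSMORoleOwner attributes and the global catalog flag directly from the directory through ADSI, so that before decommissioning you know which roles must be transferred away and whether another global catalog server exists. The server name is a constructed placeholder.

```powershell
# Added example: pre-decommission check for operations master roles and the
# global catalog. $dcToRemove is a constructed placeholder (NetBIOS name).
$dcToRemove = 'DC02'

$root     = [adsi]'LDAP://RootDSE'
$schemaNC = [string]$root.schemaNamingContext
$configNC = [string]$root.configurationNamingContext
$domainNC = [string]$root.defaultNamingContext

# Each role is the fSMORoleOwner attribute of a well-known object; the value is
# the DN of the holder's NTDS Settings object (CN=NTDS Settings,CN=<server>,...).
$roleObjects = @(
    @('Schema master',         "LDAP://$schemaNC"),
    @('Domain naming master',  "LDAP://CN=Partitions,$configNC"),
    @('PDC emulator',          "LDAP://$domainNC"),
    @('RID master',            "LDAP://CN=RID Manager`$,CN=System,$domainNC"),
    @('Infrastructure master', "LDAP://CN=Infrastructure,$domainNC")
)

function Get-ServerNameFromNtdsDn([string]$Dn) {
    # The second RDN of "CN=NTDS Settings,CN=DC01,CN=Servers,..." is the server name.
    (($Dn -split ',')[1]) -replace '^CN=', ''
}

$rolesHeld = @()
foreach ($pair in $roleObjects) {
    $roleName = $pair[0]
    $holderDn = [string]([adsi]$pair[1]).fSMORoleOwner
    $holder   = Get-ServerNameFromNtdsDn $holderDn
    '{0,-22} {1}' -f $roleName, $holder
    if ($holder -ieq $dcToRemove) { $rolesHeld += $roleName }
}

# A DC is a global catalog when bit 0x1 of 'options' on its NTDS Settings
# object is set; the LDAP bitwise-AND rule (1.2.840.113556.1.4.803) finds them.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [adsi]"LDAP://CN=Sites,$configNC"
$searcher.Filter = '(&(objectClass=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))'
$searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
$gcServers = @($searcher.FindAll() | ForEach-Object {
    Get-ServerNameFromNtdsDn ([string]$_.Properties['distinguishedname'][0])
})

if ($rolesHeld.Count -gt 0) { "Transfer before demotion: $($rolesHeld -join ', ')" }
else { "$dcToRemove holds no operations master roles." }

if ($gcServers -icontains $dcToRemove) {
    $others = @($gcServers | Where-Object { $_ -ine $dcToRemove })
    if ($others.Count -eq 0) { "STOP: $dcToRemove is the only global catalog server in the forest." }
    else { "$dcToRemove is a global catalog; remaining global catalogs: $($others -join ', ')" }
} else { "$dcToRemove is not a global catalog." }
```

Because the role holders are read from the directory rather than from the wizard, the output is the same list the Caution above warns you will otherwise be transferred without your control.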
Procedure 5: Verify DNS registration and functionality
Link to procedure.
Procedure 6: Verify communication with other domain controllers
During the removal of Active Directory, contact with other domain controllers is required to ensure:
Any unreplicated changes are replicated to another domain controller.
Removal of the domain controller from the directory.
Transfer of any remaining operations master roles.
If the domain controller cannot contact the other domain controllers during Active Directory removal, the decommissioning operation fails. As with the installation process, test the communication infrastructure prior to running the installation wizard. When you remove Active Directory, use the same connectivity tests that you used during the installation of Active Directory.
Link to procedure.
Procedure 7: Verify the availability of the operations masters
Link to procedure.
Note If any of the verification tests fail, do not continue until you determine and fix the problems. If these tests fail, the removal is also likely to fail.
Procedure 8: Remove Active Directory
Link to procedure.
Procedure 9: Determine whether a Server object has Child objects
Link to procedure.
Procedure 10: Delete a Server object from a site
Note The administrator may not want to remove the Server object if it hosts something in addition to Active Directory (Microsoft Exchange, for example).
Link to procedure.
Task: Forced removal of a domain controller
Forced removal of a domain controller is only intended to be used as a last resort for recovering a domain controller without requiring reinstallation of the operating system. It is not intended to replace the normal removal procedure in any way and is virtually equivalent to permanently disconnecting the domain controller.
There is a considerable amount of metadata about a domain controller stored within Active Directory. During a normal demotion, this metadata is cleaned up. A forced removal assumes there is no connectivity to the domain and does not attempt any cleanup.
Forced removal of a domain controller should always be followed by cleaning up the associated metadata, thereby effectively removing all references to the domain controller from the domain and forest.
Forced demotion should not be done on the last domain controller in a domain.
Procedure 1: Identify replication partners
Link to procedure.
Procedure 2: Force domain controller removal
Link to procedure.
Procedure 3: Clean up metadata
Link to procedure.
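An added example, not from the guide, of the command-line side of this task. It assumes repadmin from the Windows Server 2003 Support Tools and a Windows Server 2003 SP1 or later Ntdsutil.exe, whose metadata cleanup accepts the Server object's distinguished name on the remove selected server command. Procedure 2 is run on the failed domain controller itself; Procedures 1 and 3 are run from a healthy one. The server name is a constructed placeholder.

```powershell
# Added example: forced removal followed by metadata cleanup.
# $failedDc is a constructed placeholder; run on a healthy DC unless noted.
$failedDc = 'DC02'

# Procedure 1: list the failed DC's replication partners so you know which DCs
# may hold unreplicated changes and will keep trying to replicate with it.
repadmin /showrepl $failedDc

# Procedure 2 (on the failed DC itself, with no connectivity to the domain):
#   dcpromo /forceremoval
# Nothing in the directory is cleaned up by that step.

# Procedure 3: locate the Server object, then remove its metadata.
$configNC = [string]([adsi]'LDAP://RootDSE').configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [adsi]"LDAP://CN=Sites,$configNC"
$searcher.Filter = "(&(objectClass=server)(cn=$failedDc))"
$searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
$server = $searcher.FindOne()
if ($server -eq $null) { throw "No Server object named $failedDc under CN=Sites" }
$serverDn = [string]$server.Properties['distinguishedname'][0]
"Server object: $serverDn"

# Ntdsutil removes the NTDS Settings object and the replication metadata that
# refer to it; a confirmation dialog is shown before it proceeds.
ntdsutil 'metadata cleanup' "remove selected server $serverDn" quit quit

# Confirm no NTDS Settings object remains beneath the Server object. Then check
# the Server object in Active Directory Sites and Services and delete it if it
# still exists and has no other child objects.
$searcher.Filter = '(objectClass=nTDSDSA)'
$remaining = @($searcher.FindAll() | Where-Object {
    ([string]$_.Properties['distinguishedname'][0]) -like "*,$serverDn"
})
if ($remaining.Count -eq 0) { "Metadata for $failedDc removed." }
else { "NTDS Settings object still present; metadata cleanup did not complete." }
```

Running Procedure 1 first matters for the same reason the text gives: the partners it lists are the domain controllers that will log replication errors until the cleanup is done, so they are where to confirm afterwards that the references are gone.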
Dependencies
None
Technology Required
None
Operating Quadrant System Administration SMF
Operations Role Cluster As Needed
Process: Rename a domain controller
Description The ability to rename domain controllers running Windows Server 2003 (contrary to Windows 2000 Server) provides you with the flexibility to:
Restructure your network for organizational and business needs.
Make management and administrative control easier.
Although one can rename a domain controller through the System Properties GUI (as with any other computer), Active Directory and DNS replication latency may temporarily prevent clients from locating and/or authenticating to the renamed domain controller. To eliminate this, it is recommended that the Netdom command-line tool be used to rename a domain controller.
Purpose
Renaming a domain controller is a common operation in many organizations and usually occurs when:
New hardware is purchased to replace an existing domain controller.
Domain controllers are decommissioned, or promoted, and renamed to maintain a naming convention.
Movement or site placement of domain controllers.
Guidelines
It is important to note that domain controller names have a primary impact on administration, rather than client access. Renaming a domain controller is an optional exercise, and the impacts should be well-understood prior to renaming.
You can rename a domain controller by using the GUI or the Netdom tool. The domain functional level must be set to Windows Server 2003 for you to be able to use the Netdom tool. In all other cases, you should use the GUI.
Task: Rename using the System Properties user interface
Procedure 1: Use System Properties interface to change name
Link to procedure.
Procedure 2: Update the FRS Member object
Link to procedure.
Task: Rename using the Netdom command-line tool
The netdom command updates the service principal name (SPN) attributes in Active Directory for the computer account and registers DNS resource records for the new computer name. The SPN value of the computer account must be replicated to all domain controllers in the domain, and the DNS resource records for the new computer name must be distributed to all the authoritative DNS servers for the domain name. If the updates and registrations have not occurred prior to removing the old computer name, then some clients may be unable to locate this computer using the new or old name.
Procedure 1: Add the new domain controller name
Link to procedure.
Procedure 2: Designate the new name as the primary computer name
Prior to performing this operation, you must ensure that the SPN value has been registered in Active Directory and the DNS records for the new computer name have been registered in DNS.
Link to procedure.
Procedure 3: Remove the old domain controller name
Prior to performing this operation, you must ensure that the updated dnsHostName attribute for the new computer name in the computer account has been registered in Active Directory and that the SRV DNS records have been registered in authoritative DNS servers.
Link to procedure.
Procedure 4: Update the FRS Member object
Link to procedure.
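The script below is an added example, not from the guide, that carries out the three Netdom procedures and checks the precondition the text states before each step by querying every domain controller directly, so that an SPN or dnsHostName value not yet replicated to any one of them fails the check. The computer names are constructed placeholders; it assumes netdom from the Windows Server 2003 Support Tools and a domain at the Windows Server 2003 functional level. Because the domain controller must be restarted after the new name is made primary, the third function is run separately after the reboot.

```powershell
# Added example: rename a DC with netdom, checking replication between steps.
# Names are constructed placeholders. Run Invoke-AddName and Invoke-MakePrimary,
# restart the DC, then run Invoke-RemoveOldName.
$oldName = 'dc02.corp.example.test'
$newName = 'dc02-new.corp.example.test'
$domain  = 'corp.example.test'
$account = 'DC02$'          # sAMAccountName of the DC's computer account

function Get-DomainControllers {
    $domainNC = [string]([adsi]'LDAP://RootDSE').defaultNamingContext
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [adsi]"LDAP://$domainNC"
    # Bit 0x2000 (SERVER_TRUST_ACCOUNT) in userAccountControl marks a DC account.
    $s.Filter = '(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
    $s.PropertiesToLoad.Add('dNSHostName') | Out-Null
    $s.FindAll() | ForEach-Object { [string]$_.Properties['dnshostname'][0] }
}

function Test-OnAllDcs([scriptblock]$Predicate) {
    # Bind to each DC by name so the check reads that DC's own replica.
    foreach ($dc in Get-DomainControllers) {
        $domainNC = [string]([adsi]"LDAP://$dc/RootDSE").defaultNamingContext
        $s = New-Object System.DirectoryServices.DirectorySearcher
        $s.SearchRoot = [adsi]"LDAP://$dc/$domainNC"
        $s.Filter = "(sAMAccountName=$account)"
        $r = $s.FindOne()
        if ($r -eq $null -or -not (& $Predicate $r)) {
            Write-Host "  not yet replicated to $dc"
            return $false
        }
    }
    return $true
}

function Invoke-AddName {
    # Procedure 1: netdom registers SPNs and DNS records for the new name
    # alongside the old one.
    netdom computername $oldName /add:$newName
}

function Invoke-MakePrimary {
    # Procedure 2 precondition: the SPN is on every DC and the new name resolves.
    $spnOk = Test-OnAllDcs { param($r) @($r.Properties['serviceprincipalname']) -contains "HOST/$newName" }
    $dnsOk = [bool]((nslookup $newName 2>&1) -match ('^Name:\s+' + [regex]::Escape($newName)))
    if (-not ($spnOk -and $dnsOk)) { 'Preconditions not met; wait for replication and retry.'; return }
    netdom computername $oldName /makeprimary:$newName
    'Restart the domain controller now, then run Invoke-RemoveOldName.'
}

function Invoke-RemoveOldName {
    # Procedure 3 precondition: dnsHostName updated on every DC and the SRV
    # records published for the new name by the authoritative DNS servers.
    $hostOk = Test-OnAllDcs { param($r) ([string]$r.Properties['dnshostname'][0]) -ieq $newName }
    $srvOk  = [bool]((nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" 2>&1) -match ('svr hostname\s*=\s*' + [regex]::Escape($newName)))
    if (-not ($hostOk -and $srvOk)) { 'Preconditions not met; wait for replication and DNS updates and retry.'; return }
    netdom computername $newName /remove:$oldName
}
```

Querying each domain controller by name is the point of the example: a single query against the nearest domain controller only proves that one replica has the new value, while the text requires the SPN and DNS data to have reached all of them before the old name is removed.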
Dependencies
Domain admin or Enterprise admin
Windows Server 2003 functional level
Technology Required
Netdom command-line tool
System Properties tool
Optimizing Quadrant Availability Management SMF
Infrastructure Role Cluster As Needed
Process: Manage the Active Directory database
Description Active Directory is stored in the Ntds.dit database file. In addition to this file, the directory uses log files, which store transactions prior to committing them to the database file. For best performance, store the log files and the database on separate hard drives.
The Active Directory database is a self-maintained system and requires no daily maintenance, other than regular backup, during ordinary operation. However, it may need to be managed if the following conditions occur:
Low disk space
Pending or current hardware failure
A need to recover physical space following bulk deletion or removal of the global catalog
Monitor free disk space on the partition or partitions that store the directory database and logs. The following are the recommended parameters for free space:
Ntds.dit partition: The greater of 20 percent of the Ntds.dit file size or 500 megabytes (MB).
Log file partition: The greater of 20 percent of the combined log files size or 500 MB.
Ntds.dit and logs on the same volume: The greater of 1 gigabyte (GB) or 20 percent of the combined Ntds.dit and log files sizes.
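To turn those thresholds into a check that can be scheduled, the following PowerShell script (an added example, not from the guide) reads the database and log locations from the NTDS service parameters in the registry, sums the file sizes, and compares the free space on each volume with the rule that applies. The 20 percent, 500 MB and 1 GB figures are the guide's; the assumption that the log files are the *.log files in the log directory is the example's own.

```powershell
# Added example: evaluate the guide's free-space rules for Ntds.dit and the logs.
$params  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile  = $params.'DSA Database file'          # e.g. C:\WINDOWS\NTDS\ntds.dit
$logDir  = $params.'Database log files path'    # directory holding the edb*.log files

$dbBytes  = (Get-Item $dbFile).Length
# Assumption: the transaction logs are the *.log files in the log directory.
$logBytes = [long](Get-ChildItem $logDir -Filter '*.log' | Measure-Object Length -Sum).Sum

function Get-FreeBytes([string]$Path) {
    $drive = [System.IO.Path]::GetPathRoot($Path).TrimEnd('\')   # 'C:'
    [long](Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'").FreeSpace
}

function Get-RequiredFreeBytes([long]$FileBytes, [long]$Floor) {
    # Shape of every rule in the guide: the greater of 20 percent of the
    # files' size or a fixed floor.
    [Math]::Max($Floor, [long](0.2 * $FileBytes))
}

$dbRoot  = [System.IO.Path]::GetPathRoot($dbFile)
$logRoot = [System.IO.Path]::GetPathRoot($logDir)
$checks  = @()
if ($dbRoot -ieq $logRoot) {
    # Ntds.dit and logs on the same volume: 20 percent of both combined, floor 1 GB.
    $checks += New-Object PSObject -Property @{ Volume = $dbRoot; Required = (Get-RequiredFreeBytes ($dbBytes + $logBytes) 1GB) }
} else {
    # Separate volumes: 20 percent of the files on each volume, floor 500 MB.
    $checks += New-Object PSObject -Property @{ Volume = $dbRoot;  Required = (Get-RequiredFreeBytes $dbBytes 500MB) }
    $checks += New-Object PSObject -Property @{ Volume = $logRoot; Required = (Get-RequiredFreeBytes $logBytes 500MB) }
}

foreach ($c in $checks) {
    $free  = Get-FreeBytes $c.Volume
    $state = if ($free -ge $c.Required) { 'OK' } else { 'LOW - act before the volume fills' }
    '{0} free {1:N0} MB, required {2:N0} MB: {3}' -f $c.Volume, ($free / 1MB), ($c.Required / 1MB), $state
}
```

Reading the paths from the registry rather than assuming the default folder is deliberate: after the files have been relocated with Ntdsutil.exe, the registry is the only reliable record of where they are.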
Purpose
During ordinary operation, the customer will delete objects from Active Directory. When an object is deleted, it results in white space (or unused space) being created in the database. On a regular basis, the database will consolidate this white space through a process called defragmentation, and this white space will be reused when new objects are added (without adding any size to the file itself). This automatic online defragmentation redistributes and retains white space for use by the database, but does not release it to the file system. Therefore, the database size does not shrink, even though objects might be deleted. In cases where the data is decreased significantly, such as when the global catalog is removed from a domain controller, white space is not automatically returned to the file system. Although this condition does not affect database operation, it does result in large amounts of white space in the database. You can use offline defragmentation to decrease the size of the database file by returning white space from the database file to the file system.
Managing the Active Directory database also allows you to upgrade or replace the disk on which the database or log files are stored or to move the files to a different location, either permanently or temporarily.
Guidelines
Prior to performing any procedures that affect the directory database, be sure that you have a current system state backup. For information about performing system state backup, see Back up Active Directory earlier in this guide.
To manage the database file itself, you must take the domain controller offline by restarting in Directory Services Restore Mode, and then use Ntdsutil.exe to manage the file.
Note NTFS disk compression is not supported for the database and log files.
Task: Relocate Active Directory database files
The following conditions require moving database files:
Hardware maintenance: If the physical disk on which the database or log files are stored requires upgrading or maintenance, the database files must be moved, either temporarily or permanently.
Low disk space: When free disk space is low on the logical drive that stores the database file (Ntds.dit), the log files, or both, first verify that no other files are causing the problem. If the database file or log files are the cause of the growth, then provide more disk space by taking one of the following actions:
Expand the partition on the disk that currently stores the database file, the log files, or both. This procedure does not change the path to the files and does not require updating the registry.
Use Ntdsutil.exe to move the database file, the log files, or both to a larger existing partition. If you are not using Ntdsutil.exe when moving files to a different partition, you will need to manually update the registry.
Guidelines
If the path to the database file or log files will change as a result of moving the files, be sure that you:
Use Ntdsutil.exe to move the files (rather than copying them) so that the registry is updated with the new path. Even if you are moving the files only temporarily, use Ntdsutil.exe to move files locally so that the registry remains current.
Perform a system state backup as soon as the move is complete so that the restore procedure uses the correct path.
Verify that the correct permissions are applied on the destination folder following the move. Revise permissions to those that are required to protect the database files, if needed.
If you replace or reconfigure a drive that stores the SYSVOL folder, you must first move the SYSVOL folder manually. For information about moving SYSVOL manually, see Managing the SYSVOL later in this guide.
Use the following procedures to move or copy the database file, the log files, or both. Procedures are explained in detail in the linked topics.
Note The domain controller will not be available during the time in which files are moved and the move is verified. Ensure that alternate domain controllers are available to handle the capacity.
Procedure 1: Determine the location and size of the directory database files
Use the database size to prepare a destination location of the appropriate size. Track the respective file sizes during the move to ensure that you successfully move the correct files.
Link to procedure.
Procedure 2: Compare the size of the directory database files to the volume size
Before moving any files in response to low disk space, verify that no other files on the volume are responsible for the condition of low disk space.
Link to procedure.
Procedure 3: Back up system state
System state includes the database file and log files as well as SYSVOL and NetLogon shared folders, among other things. Always ensure that you have a current backup prior to moving database files.
Link to procedure.
Procedure 4: Restart the domain controller in Directory Services Restore Mode
If you are logged on to the domain controller console, locally restart the domain controller in Directory Services Restore Mode.
Link to procedure.
Procedure 5: Move the database file, the log files, or both
Link to procedure.
Procedure 6: Back up system state
Link to procedure.
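An added example, not from the guide, of Procedures 5 and 6 from the command line: it uses the Ntdsutil.exe files commands so that the registry paths are rewritten by the move, then confirms the registry, the files and the destination permissions before the system state backup. It is run at a prompt in Directory Services Restore Mode; the destination paths are constructed placeholders, and the Administrators and SYSTEM full-control ACL it applies is the example's choice, matching the default protection on the NTDS folder.

```powershell
# Added example: move the database and logs with Ntdsutil.exe (run in
# Directory Services Restore Mode). Destination paths are constructed placeholders.
$newDbDir  = 'D:\NTDS'
$newLogDir = 'E:\NTDSLogs'
$params    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# Procedure 1 recap: record current locations and sizes before touching anything.
ntdsutil files info quit quit
$before = Get-ItemProperty $params
'Before: db={0} logs={1}' -f $before.'DSA Database file', $before.'Database log files path'

New-Item -ItemType Directory -Path $newDbDir, $newLogDir -Force | Out-Null

# Procedure 5: "move" (not copy) so each command also rewrites the registry path.
ntdsutil files "move db to $newDbDir" quit quit
ntdsutil files "move logs to $newLogDir" quit quit

# Confirm the registry now points at the new locations and the files are there.
$after = Get-ItemProperty $params
'After:  db={0} logs={1}' -f $after.'DSA Database file', $after.'Database log files path'
if (-not (Test-Path $after.'DSA Database file')) { throw 'Ntds.dit not found at the registered path' }
if (-not (Get-ChildItem $after.'Database log files path' -Filter '*.log')) { throw 'No log files at the registered path' }

# Guideline: verify and, if needed, tighten permissions on the destinations.
# Assumption: Administrators and SYSTEM full control only, the NTDS folder default.
foreach ($dir in $newDbDir, $newLogDir) {
    icacls $dir /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' | Out-Null
    "$dir : " + (Get-Acl $dir).AccessToString
}

# Check the moved database before leaving Restore Mode, then take the system
# state backup (Procedure 6) so the restore procedure records the new path.
ntdsutil files integrity quit quit
```

The two Test-Path and Get-ChildItem checks read the paths back from the registry on purpose: if a file had been copied rather than moved, the registry would still name the old location and the check would pass against the wrong copy, which is exactly the mismatch the guideline about using Ntdsutil.exe rather than copying is meant to prevent.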
Task: Returning unused disk space from the Active Directory database to the file system
During ordinary operation, the white space in the Active Directory database file becomes fragmented. Each time garbage collection runs (every 12 hours by default), white space is automatically defragmented online to optimize its use within the database file. The unused disk space is thereby maintained for the database; it is not returned to the file system.
Only offline defragmentation can return unused disk space from the directory database to the file system. When database contents have decreased considerably through a bulk deletion (for example, you remove the global catalog from a domain controller), or if the size of the database backup is significantly increased due to the white space, use offline defragmentation to reduce the size of the Ntds.dit file.
You can determine how much free disk space is recoverable from the Ntds.dit file by setting the garbage collection logging level in the registry. Changing the garbage collection logging level from the default value of 0 to a value of 1 results in event ID 1646 being logge