Active Directory Domain Services Operations Guide
Microsoft Corporation
Published: September 2008
Abstract
This operations guide provides administering and management information for
Active Directory Domain Services (AD DS) directory service technologies in the
Windows Server 2008 operating system.
Copyright information
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place, or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in, or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2008 Microsoft Corporation. All rights reserved.
Active Directory, Microsoft, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Contents
Active Directory Domain Services Operations Guide .................................................................... 25
New in This Guide ......................................................................................................................... 25
Administering Active Directory Domain Services .......................................................................... 25
Introduction to Administering Active Directory Domain Services .................................................. 26
When to use this guide ............................................................................................................... 26
How to use this guide ................................................................................................................. 27
Administering Domain and Forest Trusts ...................................................................................... 27
Introduction to Administering Domain and Forest Trusts .............................................................. 28
Best Practices for Administering Domain and Forest Trusts ......................................................... 28
Managing Domain and Forest Trusts ............................................................................................ 29
Creating Domain and Forest Trusts .............................................................................................. 29
New Trust Wizard terminology ................................................................................................... 30
Known Issues for Creating Domain and Forest Trusts .................................................................. 31
Creating External Trusts ................................................................................................................ 32
Create a One-Way, Incoming, External Trust for One Side of the Trust ....................................... 34
Create a One-Way, Incoming, External Trust for Both Sides of the Trust .................................... 35
Create a One-Way, Outgoing, External Trust for One Side of the Trust ....................................... 37
Create a One-Way, Outgoing, External Trust for Both Sides of the Trust .................................... 38
Create a Two-Way, External Trust for One Side of the Trust ....................................................... 40
Create a Two-Way, External Trust for Both Sides of the Trust ..................................................... 41
Creating Shortcut Trusts ................................................................................................................ 43
Create a One-Way, Incoming, Shortcut Trust for One Side of the Trust ....................................... 44
Create a One-Way, Incoming, Shortcut Trust for Both Sides of the Trust .................................... 45
Create a One-Way, Outgoing, Shortcut Trust for One Side of the Trust ....................................... 47
Create a One-Way, Outgoing, Shortcut Trust for Both Sides of the Trust .................................... 48
Create a Two-Way, Shortcut Trust for One Side of the Trust ....................................................... 50
Create a Two-Way, Shortcut Trust for Both Sides of the Trust ..................................................... 51
Creating Forest Trusts ................................................................................................................... 52
Create a One-Way, Incoming, Forest Trust for One Side of the Trust .......................................... 54
Create a One-Way, Incoming, Forest Trust for Both Sides of the Trust ....................................... 55
Create a One-Way, Outgoing, Forest Trust for One Side of the Trust .......................................... 57
Create a One-Way, Outgoing, Forest Trust for Both Sides of the Trust ....................................... 59
Create a Two-Way, Forest Trust for One Side of the Trust .......................................................... 60
Create a Two-Way, Forest Trust for Both Sides of the Trust ........................................................ 62
Creating Realm Trusts ................................................................................................................... 63
Create a One-Way, Incoming, Realm Trust .................................................................................. 64
Create a One-Way, Outgoing, Realm Trust .................................................................................. 65
Create a Two-Way, Realm Trust ................................................................................................... 66
Configuring Domain and Forest Trusts ......................................................................................... 68
Validating and Removing Trusts .................................................................................................... 68
Validate a Trust .............................................................................................................................. 68
Validating a trust ......................................................................................................................... 69
Remove a Manually Created Trust ................................................................................................ 70
Removing a manually created trust ............................................................................................ 70
Modifying Name Suffix Routing Settings ....................................................................................... 71
Modify Routing for a Forest Name Suffix ...................................................................................... 72
Modify Routing for a Subordinate Name Suffix ............................................................................. 73
Exclude Name Suffixes from Routing to a Forest ......................................................................... 74
Securing Domain and Forest Trusts .............................................................................................. 75
Configuring SID Filter Quarantining on External Trusts ................................................................ 75
Disable SID filter Quarantining ...................................................................................................... 76
See Also ..................................................................................................................................... 78
Reapply SID Filter Quarantining .................................................................................................... 78
Configuring Selective Authentication Settings ............................................................................... 79
Enable Selective Authentication over an External Trust ............................................................... 80
Enabling selective authentication over an external trust ............................................................ 80
Enable Selective Authentication over a Forest Trust .................................................................... 81
Enabling selective authentication over a forest trust .................................................................. 82
Enable Domain-Wide Authentication over an External Trust ........................................................ 83
Enable Forest-Wide Authentication over a Forest Trust ............................................................... 84
Grant the Allowed to Authenticate Permission on Computers in the Trusting Domain or Forest . 85
Appendix: New Trust Wizard Pages .............................................................................................. 86
Direction of Trust ........................................................................................................................ 86
Wizard option: Two-way ........................................................................................................ 86
Wizard option: One-way: incoming ....................................................................................... 87
Wizard option: One-way: outgoing ........................................................................................ 88
Sides of trust .............................................................................................................................. 88
Wizard option: This domain only ........................................................................................... 89
Wizard option: Both this domain and the specified domain .................................................. 89
Administering the Windows Time Service ..................................................................................... 89
Introduction to Administering the Windows Time Service ............................................................. 89
Windows time source selection .................................................................................................. 90
External NTP time servers ......................................................................................................... 90
W32tm and net time ................................................................................................................... 91
Managing the Windows Time Service ........................................................................................... 92
Configuring a Time Source for the Forest ..................................................................................... 92
Configure the Time Source for the Forest ..................................................................................... 94
Change the Windows Time Service Configuration on the PDC Emulator in the Forest Root Domain ............... 98
Disable the Windows Time Service ............................................................................................... 99
Enable Windows Time Service Debug Logging .......................................................................... 100
Configuring Windows-Based Clients to Synchronize Time ......................................................... 100
Configure a Manual Time Source for a Selected Client Computer ............................................. 101
Configure a Client Computer for Automatic Domain Time Synchronization ............................... 103
Restoring the Windows Time Service to Default Settings ........................................................... 104
Restore the Windows Time Service on the Local Computer to the Default Settings .................. 104
Administering DFS-Replicated SYSVOL ..................................................................................... 105
Introduction to Administering DFS-Replicated SYSVOL ............................................................. 105
SYSVOL terminology and capitalization .................................................................................. 106
Using DFS Replication for replicating SYSVOL in Windows Server 2008 ............................... 107
Requirements for using DFS Replication ................................................................................. 107
Key considerations for administering SYSVOL ........................................................................ 108
Relocating SYSVOL folders ..................................................................................................... 109
Managing DFS-Replicated SYSVOL ........................................................................................... 111
Changing the Quota That Is Allocated to the SYSVOL Staging Area ......................................... 111
Change the Quota That Is Allocated to the SYSVOL Staging Folder ......................................... 112
Relocating the SYSVOL Staging Area ........................................................................................ 112
Identify Replication Partners ........................................................................................................ 114
Check the Status of the SYSVOL and Netlogon Shares ............................................................. 114
Verify Active Directory Replication .............................................................................................. 115
Gather the SYSVOL Path Information ......................................................................................... 116
To gather the SYSVOL path information ................................................................................. 117
Stop the DFS Replication Service and Netlogon Service ............................................................ 119
Create the SYSVOL Staging Areas Folder Structure .................................................................. 120
Change the SYSVOL Root Path or Staging Areas Path, or Both ............................................... 121
See Also ................................................................................................................................... 122
Start the DFS Replication Service and Netlogon Service ........................................................... 122
Force Replication Between Domain Controllers .......................................................................... 123
See Also ................................................................................................................................... 124
Relocating SYSVOL Manually ..................................................................................................... 124
Identify Replication Partners ........................................................................................................ 125
Check the Status of the SYSVOL and Netlogon Shares ............................................................. 126
Verify Active Directory Replication .............................................................................................. 127
Gather the SYSVOL Path Information ......................................................................................... 128
To gather the SYSVOL path information ................................................................................. 129
Stop the DFS Replication Service and Netlogon Service ............................................................ 131
Copy SYSVOL to a New Location ............................................................................................... 132
Create the SYSVOL Root Junction Point .................................................................................... 134
Change the SYSVOL Root Path or Staging Areas Path, or Both ............................................... 135
See Also ................................................................................................................................... 136
Change the SYSVOL Netlogon Parameters ............................................................................... 136
Reapply Default SYSVOL Security Settings ............................................................................... 137
Start the DFS Replication Service and Netlogon Service ........................................................... 139
Force Replication Between Domain Controllers .......................................................................... 140
See Also ................................................................................................................................... 141
Updating the SYSVOL Path ........................................................................................................ 141
Gather the SYSVOL Path Information ......................................................................................... 142
To gather the SYSVOL path information ................................................................................. 143
Stop the DFS Replication Service and Netlogon Service ............................................................ 145
Change the SYSVOL Netlogon Parameters ............................................................................... 146
Create the SYSVOL Root Junction Point .................................................................................... 146
Start the DFS Replication Service and Netlogon Service ........................................................... 148
Restoring and Rebuilding SYSVOL ............................................................................................. 149
Identify Replication Partners ........................................................................................................ 150
Check the Status of the SYSVOL and Netlogon Shares ............................................................. 151
Verify Active Directory Replication .............................................................................................. 152
Gather the SYSVOL Path Information ......................................................................................... 152
To gather the SYSVOL path information ................................................................................. 154
Restart the Domain Controller in Directory Services Restore Mode Locally ............................... 155
Restarting the domain controller in DSRM locally .................................................................... 157
See Also ................................................................................................................................... 158
Restart the Domain Controller in Directory Services Restore Mode Remotely ........................... 158
See Also ................................................................................................................................... 162
Stop the DFS Replication Service and Netlogon Service ............................................................ 162
Import the SYSVOL Folder Structure .......................................................................................... 163
See Also ................................................................................................................................... 166
Administering the Global Catalog ................................................................................................ 166
Introduction to Administering the Global Catalog ........................................................................ 166
Global catalog hardware requirements .................................................................................... 167
Global catalog placement ......................................................................................................... 167
Initial global catalog replication ................................................................................................ 167
Global catalog readiness .......................................................................................................... 167
Global catalog removal ............................................................................................................ 168
Managing the Global Catalog ...................................................................................................... 168
Configuring a Global Catalog Server ........................................................................................... 169
Determine Whether a Domain Controller Is a Global Catalog Server ......................................... 169
Designate a Domain Controller to Be a Global Catalog Server .................................................. 170
Monitor Global Catalog Replication Progress ............................................................................. 170
Verify Successful Replication to a Domain Controller ................................................................. 171
Determining Global Catalog Readiness ...................................................................................... 174
Verify Global Catalog Readiness ................................................................................................. 175
Verifying global catalog readiness ........................................................................................... 175
Verify Global Catalog DNS Registrations .................................................................................... 176
Removing the Global Catalog ...................................................................................................... 177
Clear the Global Catalog Setting ................................................................................................. 177
Monitor Global Catalog Removal in Event Viewer ...................................................................... 178
Administering Operations Master Roles ...................................................................................... 178
Introduction to Administering Operations Master Roles .............................................................. 179
Guidelines for role placement .................................................................................................. 179
Guidelines for role transfer ....................................................................................................... 183
Managing Operations Master Roles ............................................................................................ 184
Designating a Standby Operations Master .................................................................................. 184
Standby operations master computer requirements ................................................................ 185
Replication requirements ......................................................................................................... 185
Determine Whether a Domain Controller Is a Global Catalog Server ......................................... 186
Create a Connection Object on the Operations Master and Standby ......................................... 186
Verify Successful Replication to a Domain Controller ................................................................. 187
Transferring an Operations Master Role ..................................................................................... 190
Transferring to a standby operations master ........................................................................... 191
Transferring an operations master role when no standby is ready .......................................... 191
Install the Schema Snap-in .......................................................................................................... 192
Transfer the Schema Master ....................................................................................................... 193
Transfer the Domain Naming Master .......................................................................................... 194
Transfer the Domain-Level Operations Master Roles ................................................................. 195
View the Current Operations Master Role Holders ..................................................................... 196
Seizing an operations master role ............................................................................................... 197
Verify Successful Replication to a Domain Controller ................................................................. 198
Seize the Operations Master Role ............................................................................................... 201
View the Current Operations Master Role Holders ..................................................................... 202
Reducing the Workload on the PDC Emulator Master ................................................................ 203
Changing the weight for DNS service (SRV) resource records in the registry ........................ 203
Changing the priority for DNS service (SRV) resource records in the registry ........................ 204
Change the Weight for DNS Service (SRV) Resource Records in the Registry ......................... 205
Change the Priority for DNS Service (SRV) Resource Records in the Registry ......................... 205
Administering Active Directory Backup and Recovery ................................................................ 206
Introduction to Administering Active Directory Backup and Recovery ..................................... 207
Backing up AD DS .................................................................................................................... 207
Recovering AD DS ................................................................................................................... 207
Additional considerations ......................................................................................................... 209
Managing Active Directory Backup and Recovery ...................................................................... 209
Backing Up Active Directory Domain Services ............................................................................ 209
Windows Server backup tools .................................................................................................. 209
Windows Server backup types ................................................................................................. 210
Contents of Windows Server backup types .......................................................................... 210
Criteria for using backup types ............................................................................................. 211
Backup guidelines .................................................................................................................... 212
Scheduling regular backups ..................................................................................................... 214
Immediate (unscheduled) backup ............................................................................................ 214
Backup frequency ..................................................................................................................... 214
Backup frequency criteria ..................................................................................................... 215
Backup latency interval ......................................................................................................... 215
Known Issues for Backing Up Active Directory Domain Services ............................................... 217
Perform a Backup of Critical Volumes of a Domain Controller by Using the GUI (Windows Server Backup) ............ 218
Additional considerations .................................................................................................. 219
Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin) ............ 220
Additional considerations .................................................................................................. 220
Perform a Full Server Backup of a Domain Controller by Using the GUI (Windows Server Backup) ............ 221
Additional considerations .................................................................................................. 225
Perform a Full Server Backup of a Domain Controller by Using the Command Line (Wbadmin) 226
Additional considerations .................................................................................................. 226
Recovering Active Directory Domain Services ............................................................................ 227
Causes of disruptions ............................................................................................................... 227
Keys to protecting against disruptions ..................................................................................... 228
Preventing unwanted deletions ................................................................................................ 228
Recovery solutions ................................................................................................................... 229
Solutions for configuration errors: nonauthoritative restore ................................................ 229
Solutions for data loss: authoritative restore ....................................................................... 230
Recovery options with no available backup .......................................................................... 231
Solutions for hardware failure or file corruption .................................................................... 232
Recovery tasks ......................................................................................................................... 233
Performing Nonauthoritative Restore of Active Directory Domain Services ............................... 233
Nonauthoritative Restore Requirements .................................................................................. 234
SYSVOL restore ....................................................................................................................... 234
Additional references ............................................................................................................... 235
Restart the Domain Controller in Directory Services Restore Mode Locally ............................... 235
Restarting the domain controller in DSRM locally .................................................................... 237
See Also ................................................................................................................................... 238
Restart the Domain Controller in Directory Services Restore Mode Remotely ........................... 238
See Also ................................................................................................................................... 241
Restore AD DS from Backup (Nonauthoritative Restore) ........................................................... 242
Additional references ............................................................................................................... 243
Verify AD DS restore ................................................................................................................... 243
Performing Authoritative Restore of Active Directory Objects ..................................................... 245
Determining objects to restore ................................................................................................. 246
Selecting objects to restore ...................................................................................................... 246
Selecting application directory partitions to restore ................................................................. 247
Restoring group memberships after authoritative restore ........................................................ 247
LVR and restoration of group memberships ......................................................................... 247
Authoritative restore of pre-LVR group memberships and groups in different domains ...... 248
Files for recovering group memberships following authoritative restore .............................. 249
Using a global catalog server for authoritative restore ............................................................. 250
Recovering deletions without restoring from backup ............................................................... 250
Retention (merge) of new group memberships or other attributes after authoritative restore . 251
Authoritative restore procedures .............................................................................................. 252
Procedures for restoring after deletions have replicated ...................................................... 252
Procedures for restoring before deletions have replicated ................................................... 253
Procedures for recovering group memberships (and any other back-link attributes) in other domains ............................................................................................................................. 254
Additional references ............................................................................................................... 255
Known Issues for Authoritative Restore ...................................................................................... 255
Order of replication and dropped group memberships ............................................................ 256
Members added back to groups from which they were deleted .............................................. 257
Incorrect assignment of Exchange mailboxes ......................................................................... 257
Best Practices for Authoritative Restore ...................................................................................... 257
Restart the Domain Controller in Directory Services Restore Mode Locally ............................... 259
Restarting the domain controller in DSRM locally .................................................................... 260
See Also ................................................................................................................................... 261
Restart the Domain Controller in Directory Services Restore Mode Remotely ........................... 261
See Also ................................................................................................................................... 265
Restore AD DS from Backup (Nonauthoritative Restore) ........................................................... 265
Additional references ............................................................................................................... 267
Mark an Object or Objects as Authoritative ................................................................................. 267
Additional references ............................................................................................................... 269
Turn Off Inbound Replication ....................................................................................................... 269
Additional references ............................................................................................................... 270
Synchronize Replication with All Partners ................................................................................... 270
See Also ................................................................................................................................... 271
Run an LDIF File to Recover Back-Links .................................................................................... 271
Additional references ............................................................................................................... 272
Turn on Inbound Replication ....................................................................................................... 272
Additional references ............................................................................................................... 273
Create an LDIF File for Recovering Back-Links for Authoritatively Restored Objects ................ 273
Additional references ............................................................................................................... 274
Performing Authoritative Restore of an Application Directory Partition ....................................... 274
Restart the Domain Controller in Directory Services Restore Mode Remotely ........................... 275
See Also ................................................................................................................................... 278
Restart the Domain Controller in Directory Services Restore Mode Locally ............................... 279
Restarting the domain controller in DSRM locally .................................................................... 280
See Also ................................................................................................................................... 281
Restore AD DS from Backup (Nonauthoritative Restore) ........................................................... 281
Additional references ............................................................................................................... 283
Mark an application directory partition as authoritative ............................................................... 283
See Also ................................................................................................................................... 284
Performing a Full Server Recovery of a Domain Controller ........................................................ 285
Requirements for performing a full server recovery of a domain controller ............................. 285
Performing a full server recovery of a domain controller by using the GUI ............................. 285
Performing a full server recovery of a domain controller by using the command line ............. 287
Additional considerations ......................................................................................................... 288
Restoring a Domain Controller Through Reinstallation and Subsequent Restore from Backup 289
Restart the Domain Controller in Directory Services Restore Mode Locally ............................... 290
Restarting the domain controller in DSRM locally .................................................................... 291
See Also ................................................................................................................................... 293
Restart the Domain Controller in Directory Services Restore Mode Remotely ........................... 293
See Also ................................................................................................................................... 296
Restore AD DS from Backup (Nonauthoritative Restore) ........................................................... 296
Additional references ............................................................................................................... 298
Verify AD DS restore ................................................................................................................... 298
Restoring a Domain Controller Through Reinstallation ............................................................... 299
Clean Up Server Metadata .......................................................................................................... 301
See Also ................................................................................................................................... 303
Delete a Server Object from a Site .............................................................................................. 304
See Also ................................................................................................................................... 304
Verify DNS Registration and TCP/IP Connectivity ...................................................................... 305
Verify the Availability of the Operations Masters ......................................................................... 305
Install an Additional Domain Controller by Using the Windows Interface ................................... 307
See Also ................................................................................................................................... 309
Verifying Active Directory Installation .......................................................................................... 309
Administering Intersite Replication .............................................................................................. 310
Introduction to Administering Intersite Replication ...................................................................... 311
Optimizing replication between sites ........................................................................................ 311
Effects of site link bridging .................................................................................................... 312
Effects of disabling site link bridging ..................................................................................... 312
Optimizing domain controller location ...................................................................................... 313
Finding the next closest site ................................................................................................. 313
Forcing domain controller rediscovery .................................................................................. 313
Improving the logon experience in branch sites ....................................................................... 314
See Also ................................................................................................................................... 314
Managing Intersite Replication .................................................................................................... 314
Adding a New Site ....................................................................................................................... 315
Create a Site Object and Add it to an Existing Site Link ............................................................. 316
See Also ................................................................................................................................... 316
Create a Subnet Object or Objects and Associate them with a Site ........................................... 316
Associate an Existing Subnet Object with a Site ......................................................................... 317
Create a Site Link Object and Add the Appropriate Sites ........................................................... 318
Remove a Site from a Site Link ................................................................................................... 318
Linking Sites for Replication ........................................................................................................ 319
Creating site links ..................................................................................................................... 319
Selecting bridgehead servers ................................................................................................... 320
Create a Site Link Object and Add the Appropriate Sites ........................................................... 321
Determine the ISTG Role Owner for a Site ................................................................................. 321
Generate the Replication Topology on the ISTG ........................................................................ 322
Designate a Server as a Preferred Bridgehead Server ............................................................... 323
Changing Site Link Properties ..................................................................................................... 323
Configure the Site Link Schedule to Identify Times During Which Intersite Replication Can Occur .................................................................................................................................................. 324
Configure the Site Link Interval to Identify How Often Replication Polling Can Occur During the Schedule Window..................................................................................................................... 325
Configure the Site Link Cost to Establish a Priority for Replication Routing ............................... 326
Determine the ISTG Role Owner for a Site ................................................................................. 326
Generate the Replication Topology on the ISTG ........................................................................ 327
Enabling Clients to Locate the Next Closest Domain Controller ................................................. 328
Enable Clients to Locate a Domain Controller in the Next Closest Site ...................................... 329
Moving a Domain Controller to a Different Site ........................................................................... 330
TCP/IP settings ........................................................................................................................ 331
DNS settings ............................................................................................................................ 331
Preferred bridgehead server status .......................................................................................... 331
Change the Static IP Address of a Domain Controller ................................................................ 333
Update the IP Address for a DNS Delegation ............................................................................. 334
Update the IP Address for a DNS Forwarder .............................................................................. 335
Verify That an IP Address Maps to a Subnet and Determine the Site Association ..................... 336
See Also ................................................................................................................................... 337
Determine Whether a Server is a Preferred Bridgehead Server ................................................. 337
See Also ................................................................................................................................... 337
View the List of All Preferred Bridgehead Servers ...................................................................... 337
See Also ................................................................................................................................... 338
Configure a Server to Not Be a Preferred Bridgehead Server .................................................... 338
See Also ................................................................................................................................... 339
Move a Server Object to a New Site ........................................................................................... 339
See Also ................................................................................................................................... 340
Enabling Universal Group Membership Caching in a Site .......................................................... 340
Enable Universal Group Membership Caching in a Site ............................................................. 341
Forcing Replication ...................................................................................................................... 341
Forcing replication of all directory updates over a connection ................................................. 342
Forcing replication of configuration updates ............................................................................ 342
Force Replication Between Domain Controllers .......................................................................... 343
See Also ................................................................................................................................... 344
Update a Server with Configuration Changes ............................................................................. 344
Synchronize Replication with All Partners ................................................................................... 345
See Also ................................................................................................................................... 346
Verify Successful Replication to a Domain Controller ................................................................. 346
Removing a Site .......................................................................................................................... 349
Delete a Manual Connection Object ............................................................................................ 351
Determine Whether a Server Object Has Child Objects ............................................................. 352
Delete a Server Object from a Site .............................................................................................. 352
See Also ................................................................................................................................... 353
Delete a Site Link object .............................................................................................................. 353
Associate an Existing Subnet Object with a Site ......................................................................... 354
Delete a Site object ..................................................................................................................... 355
See Also ................................................................................................................................... 355
Determine the ISTG Role Owner for a Site ................................................................................. 355
Generate the Replication Topology on the ISTG ........................................................................ 356
Administering the Active Directory Database .............................................................................. 357
Introduction to Administering the Active Directory Database .................................................... 357
Database management conditions ........................................................................................... 357
Disk space monitoring recommendations ................................................................................ 357
Database defragmentation ....................................................................................................... 358
Restartable AD DS ................................................................................................................... 358
See Also ................................................................................................................................... 359
Managing the Active Directory Database .................................................................................... 359
Relocating the Active Directory Database Files .......................................................................... 359
Disk space requirements for relocating Active Directory database files .................................. 360
Determine the Database Size and Location Online .................................................................... 362
See Also ................................................................................................................................... 363
Determine the Database Size and Location Offline .................................................................... 363
See Also ................................................................................................................................... 364
Compare the Size of the Directory Database Files to the Volume Size ...................................... 364
Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin) .................................................................................................................................................. 365
Additional considerations .................................................................................................. 366
Move the Directory Database and Log Files to a Local Drive ..................................................... 366
See Also ................................................................................................................................... 369
Copy the Directory Database and Log Files to a Remote Share ................................................ 369
See Also ................................................................................................................................... 372
Returning Unused Disk Space from the Active Directory Database to the File System ............. 372
Change the Garbage Collection Logging Level to 1 .................................................................... 374
See Also ................................................................................................................................... 374
Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin) .................................................................................................................................................. 375
Additional considerations .................................................................................................. 375
Compact the Directory Database File (Offline Defragmentation) ................................................ 376
See Also ................................................................................................................................... 379
If the Database Integrity Check Fails, Perform Semantic Database Analysis with Fixup ........... 379
Administering Domain Controllers ............................................................................................... 381
Additional references ............................................................................................................... 381
Introduction to Administering Domain Controllers ....................................................................... 381
Installing Remote Server Administration Tools ........................................................................ 381
Installing and removing AD DS ................................................................................................ 382
Adding domain controllers .................................................................................................... 382
Removing domain controllers ............................................................................................... 382
Renaming domain controllers .................................................................................................. 382
Adding domain controllers to branch sites ............................................................................... 383
Installing from media ............................................................................................................. 383
Shipping installed domain controllers to branch sites ........................................................... 384
Managing Domain Controllers ..................................................................................................... 384
Installing Remote Server Administration Tools for AD DS .......................................................... 386
Installing Active Directory Domain Services Tools on a member server that is running Windows Server 2008 ........................................................................................................... 387
Installing Active Directory Domain Services Tools on a computer that is running Windows Vista with SP1 ................................................................................................................................ 387
Managing Antivirus Software on Active Directory Domain Controllers ....................................... 387
Guidelines for managing antivirus software on Active Directory domain controllers ............... 388
Files to exclude from scanning ................................................................................................. 389
Preparing for Active Directory Installation ................................................................................... 391
DNS configuration .................................................................................................................... 392
Site placement .......................................................................................................................... 392
Domain connectivity ................................................................................................................. 392
Verify DNS Infrastructure and Registrations ............................................................................... 394
Verify That an IP Address Maps to a Subnet and Determine the Site Association ..................... 395
See Also ................................................................................................................................... 396
Verify the Availability of the Operations Masters ......................................................................... 396
Installing a Domain Controller in an Existing Domain ................................................................. 398
See Also ................................................................................................................................... 399
Installing an Additional Domain Controller by Using the Windows Interface .............................. 399
See Also ................................................................................................................................... 400
Install an Additional Domain Controller by Using the Windows Interface ................................... 400
See Also ................................................................................................................................... 402
Installing an Additional Domain Controller by Using IFM ............................................................ 402
See Also ................................................................................................................................... 405
Create Installation Media by Using Ntdsutil ................................................................................. 405
See Also ................................................................................................................................... 406
Install an Additional Domain Controller by Using Installation Media ........................................... 406
See Also ................................................................................................................................... 407
Installing an Additional Domain Controller by Using Unattend Parameters ................................ 407
See Also ................................................................................................................................... 408
Create an Answer File for Unattended Domain Controller Installation ........................................ 408
See Also ................................................................................................................................... 410
Install an Additional Domain Controller by Using an Answer File ............................................... 410
See Also ................................................................................................................................... 411
Install an Additional Domain Controller by Using Unattend Parameters from the Command Line .................................................................................................................................................. 411
Verifying Active Directory Installation .......................................................................................... 412
Verify That an IP Address Maps to a Subnet and Determine the Site Association ..................... 413
See Also ................................................................................................................................... 414
Configure DNS Server Forwarders.............................................................................................. 414
Verifying DNS Configuration ........................................................................................................ 415
Verify DNS Server Configuration for a Domain Controller .......................................................... 416
See Also ................................................................................................................................... 416
Verify DNS Client Settings ........................................................................................................... 417
See Also ................................................................................................................................... 417
Check the Status of the SYSVOL and Netlogon Shares ............................................................. 417
Verify Active Directory Replication .............................................................................................. 418
Verify a Domain Computer Account for a New Domain Controller ............................................. 419
Adding Domain Controllers in Remote Sites ............................................................................... 420
Best Practices for Adding Domain Controllers in Remote Sites .................................................. 421
Best practices for using IFM to install AD DS in the remote site ............................................. 421
Best practices for installing domain controllers before you ship them to a remote site ........... 423
See Also ................................................................................................................................... 425
Known Issues for Adding Domain Controllers in Remote Sites .................................................. 425
SYSVOL replication ................................................................................................................. 426
Using IFM to install a domain controller in a remote site ......................................................... 426
Advantages of using IFM to install a domain controller in a remote site .............................. 427
Issues with using IFM to install a domain controller in a remote site ................................... 427
Installing domain controllers before shipping them to the remote site ..................................... 428
Advantages of installing domain controllers before shipping them to the remote site ......... 429
Issues with installing domain controllers before shipping them to the remote site ............... 429
Maintaining directory consistency when you disconnect a domain controller ...................... 430
Protection against lingering object replication ................................................................... 430
Availability of operations masters ...................................................................................... 431
Up-to-dateness of Active Directory replication ................................................................... 431
SYSVOL consistency ........................................................................................................ 431
See Also ................................................................................................................................... 432
Preparing a Server Computer for Shipping and Installation from Media ..................................... 432
Determining the volume for installation media ......................................................................... 433
Enabling Remote Desktop ....................................................................................................... 433
Including application directory partitions .................................................................................. 433
See Also ................................................................................................................................... 434
Enable Remote Desktop .............................................................................................................. 434
Create a Remote Desktop Connection ........................................................................................ 436
See Also ................................................................................................................................... 436
Install an Additional Domain Controller by Using Installation Media ........................................... 437
See Also ................................................................................................................................... 438
Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection .............. 438
See Also ................................................................................................................................... 439
Determine the Tombstone Lifetime for the Forest ....................................................................... 440
Enable Strict Replication Consistency ......................................................................................... 440
Synchronize Replication with All Partners ................................................................................... 442
See Also ................................................................................................................................... 443
Reconnecting a Domain Controller After a Long-Term Disconnection ....................................... 443
Reconnecting an outdated domain controller .......................................................................... 443
Updating SYSVOL ................................................................................................................... 444
See Also ................................................................................................................................... 445
Determine the Tombstone Lifetime for the Forest ....................................................................... 445
Move a Server Object to a New Site ........................................................................................... 446
See Also ................................................................................................................................... 447
Determine When Intersite Replication Is Scheduled to Begin ..................................................... 447
Use Repadmin to Remove Lingering Objects ............................................................................. 448
Verify Successful Replication to a Domain Controller ................................................................. 450
Renaming a Domain Controller ................................................................................................... 453
Rename a Domain Controller Using System Properties ............................................................. 454
See Also ................................................................................................................................... 454
Rename a Domain Controller Using Netdom .............................................................................. 454
See Also ................................................................................................................................... 456
Update the FRS or DFS Replication Member Object .................................................................. 457
Decommissioning a Domain Controller ....................................................................................... 458
Removing a domain or a forest ................................................................................................ 458
Protecting EFS-encrypted files ................................................................................................. 458
See Also ................................................................................................................................... 461
Verify DNS Registration and TCP/IP Connectivity ...................................................................... 461
View the Current Operations Master Role Holders ..................................................................... 462
Transfer the Schema Master ....................................................................................................... 463
Transfer the Domain Naming Master .......................................................................................... 464
Transfer the Domain-Level Operations Master Roles ................................................................. 465
Determine Whether a Domain Controller Is a Global Catalog Server ......................................... 466
Verify the Availability of the Operations Masters ......................................................................... 466
Back Up a Certificate With Its Private Key .................................................................................. 468
Removing a Windows Server 2008 Domain Controller from a Domain ...................................... 469
Removing a Windows Server 2008 domain controller by using the Windows interface .......... 469
Removing a Windows Server 2008 domain controller by using an answer file ....................... 470
Removing a Windows Server 2008 domain controller by entering unattended installation parameters at the command line .......................................................................................... 471
Import a Certificate ...................................................................................................................... 471
Determine Whether a Server Object Has Child Objects ............................................................. 473
Delete a Server Object from a Site .............................................................................................. 473
See Also ................................................................................................................................... 474
Add the Certificates Snap-in to an MMC ..................................................................................... 474
Adding the Certificates Snap-in to an MMC ............................................................................. 474
Forcing the Removal of a Domain Controller .............................................................................. 476
Identify Replication Partners ........................................................................................................ 478
Force Domain Controller Removal .............................................................................................. 478
See Also ................................................................................................................................... 479
Clean Up Server Metadata .......................................................................................................... 480
See Also ................................................................................................................................... 482
Administering Active Directory Domain Rename ........................................................................ 482
In this guide .............................................................................................................................. 483
Introduction to Administering Active Directory Domain Rename ................................................ 483
Domain rename requirements .................................................................................................. 483
Managing Active Directory Domain Rename .............................................................................. 484
Preparing for the Domain Rename Operation ............................................................................. 485
Adjust Forest Functional Level .................................................................................................... 485
Setting forest functional level to Windows Server 2003 or Windows Server 2008 .................. 485
Create Necessary Shortcut Trust Relationships ......................................................................... 486
Types of trust relationships ...................................................................................................... 487
Precreating parent-child trust relationships for a restructured forest ....................................... 487
Precreating a parent-child trust relationship ......................................................................... 487
Pre-creating multiple parent-child trust relationships ............................................................ 488
Precreating a tree-root trust relationship with the forest root domain ................................... 489
Creating shortcut trust relationships ..................................................................................... 490
Prepare DNS Zones .................................................................................................................... 491
Redirect Special Folders to a Standalone DFSN ........................................................................ 492
Relocate Roaming User Profiles to a Standalone DFSN ............................................................ 492
Configure Member Computers for Host Name Changes ............................................................ 493
Conditions for automatic computer name change ................................................................... 493
Replication effects of renaming large numbers of computers .................................................. 494
Using Group Policy to apply the new primary DNS suffix ........................................................ 495
Apply the new primary DNS suffix before renaming domains .............................................. 495
Apply Group Policy in stages to avoid significant replication ............................................... 495
Configuration required before the application of Group Policy ............................................. 496
Configuring member computers for host name changes in large deployments ...................... 497
Determine the primary DNS Suffix configuration .................................................................. 498
Determine whether Group Policy controls the primary DNS suffix ....................................... 498
Configure the domain to allow a primary DNS suffix that does not match the domain name ........................................................................................................................................... 499
Apply Group Policy to set the primary DNS suffix ................................................................ 500
Prepare Certification Authorities .................................................................................................. 501
Exchange-Specific Steps: Prepare a Domain that Contains Exchange ...................................... 503
Performing the Domain Rename Operation ................................................................................ 503
Set Up the Control Station ........................................................................................................... 504
Freeze the Forest Configuration .................................................................................................. 506
Back Up All Domain Controllers .................................................................................................. 506
Generate the Current Forest Description .................................................................................... 506
Specify the New Forest Description ............................................................................................ 509
Renaming application directory partitions ................................................................................ 512
DNS data .................................................................................................................................. 513
TAPI data ................................................................................................................................. 513
Specifying the source domain controllers ................................................................................ 514
Reviewing the new forest description ....................................................................................... 514
Generate Domain Rename Instructions ...................................................................................... 515
Push Domain Rename Instructions to All Domain Controllers and Verify DNS Readiness ........ 518
Pushing domain rename instructions to all domain controllers ................................................ 518
Verifying DNS readiness .......................................................................................................... 520
Verify Readiness of Domain Controllers ..................................................................................... 522
Run Domain Rename Instructions ............................................................................................... 524
Exchange-Specific Steps: Update the Exchange Configuration and Restart Exchange Servers 527
Unfreeze the Forest Configuration .............................................................................................. 527
Re-establish External Trusts ....................................................................................................... 528
Fix Group Policy Objects and Links............................................................................................. 529
Completing the Domain Rename Operation ............................................................................... 532
Verify Certificate Security ............................................................................................................ 532
Preparing URLs for CRL distribution point and Authority Information Access (AIA) extensions after a domain rename .......................................................................................... 533
Verifying the use of UPNs ........................................................................................................ 533
Enabling certificate enrollment in a renamed domain .............................................................. 534
Verifying the validity of CRL distribution point and AIA extensions ......................................... 537
Renewing subordinate and issuing CA certificates .................................................................. 537
Publish new CRLs .................................................................................................................... 537
Updating domain controller certificates .................................................................................... 538
Changing the user identity for the NDES add-on ..................................................................... 538
Perform Miscellaneous Tasks ..................................................................................................... 538
Back Up Domain Controllers ....................................................................................................... 541
Restart Member Computers ........................................................................................................ 542
Exchange-Specific Steps: Verify the Exchange Rename and Update Active Directory Connector .................................................................................................................................................. 543
Perform Attribute Cleanup ........................................................................................................... 543
Rename Domain Controllers ....................................................................................................... 544
Additional Resources for the Domain Rename Operation .......................................................... 545
Appendix A: Command-Line Syntax for the Rendom Tool ......................................................... 545
Appendix B: Command-Line Syntax for the Gpfixup Tool ........................................................... 550
Appendix C: Checklists for the Domain Rename Operation ....................................................... 553
Satisfying domain rename requirements ................................................................................. 553
Preparing for the domain rename operation ............................................................................ 556
Performing the domain rename operation ............................................................................... 557
Completing the domain rename operation ............................................................................... 558
Appendix D: Worksheets for the Domain Rename Operation ..................................................... 559
Worksheet 1: Domain Name Change Information ................................................................... 559
Worksheet 2: Trust Information ................................................................................................ 560
Worksheet 3: DNS Zone Information ....................................................................................... 560
Worksheet 4: DFSN, Folder Redirection, and Roaming Profiles ............................................. 561
Worksheet 5: Domain Controller Information ........................................................................... 561
Worksheet 6: Domain Rename Execution Readiness ............................................................. 562
Worksheet 7: Certification Authority (CA) Information ............................................................. 562
Additional Resources ................................................................................................................... 562
Active Directory Domain Services Operations Guide - cover ...................................................... 563
Section Heading ....................................................................................................................... 563
Subsection Heading .............................................................................................................. 563
Active Directory Domain Services Operations Guide
This operations guide provides administering and management information for
Active Directory Domain Services (AD DS) directory service technologies in the
Windows Server 2008 operating system.
In this guide
New in Thi