Active Directory Domain Services Operations Guide

Microsoft Corporation

Published: September 2008

Abstract

This operations guide provides administration and management information for Active Directory Domain Services (AD DS) directory service technologies in the Windows Server 2008 operating system.

Copyright information

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2008 Microsoft Corporation. All rights reserved.

Active Directory, Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

  • Contents

    Active Directory Domain Services Operations Guide .................................................................... 25

    New in This Guide ......................................................................................................................... 25

    Administering Active Directory Domain Services .......................................................................... 25

    Introduction to Administering Active Directory Domain Services .................................................. 26

    When to use this guide ............................................................................................................... 26

    How to use this guide ................................................................................................................. 27

    Administering Domain and Forest Trusts ...................................................................................... 27

    Introduction to Administering Domain and Forest Trusts .............................................................. 28

    Best Practices for Administering Domain and Forest Trusts ......................................................... 28

    Managing Domain and Forest Trusts ............................................................................................ 29

    Creating Domain and Forest Trusts .............................................................................................. 29

    New Trust Wizard terminology ................................................................................................... 30

    Known Issues for Creating Domain and Forest Trusts .................................................................. 31

    Creating External Trusts ................................................................................................................ 32

    Create a One-Way, Incoming, External Trust for One Side of the Trust ....................................... 34

    Create a One-Way, Incoming, External Trust for Both Sides of the Trust .................................... 35

    Create a One-Way, Outgoing, External Trust for One Side of the Trust ....................................... 37

    Create a One-Way, Outgoing, External Trust for Both Sides of the Trust .................................... 38

    Create a Two-Way, External Trust for One Side of the Trust ....................................................... 40

    Create a Two-Way, External Trust for Both Sides of the Trust ..................................................... 41

    Creating Shortcut Trusts ................................................................................................................ 43

    Create a One-Way, Incoming, Shortcut Trust for One Side of the Trust ....................................... 44

    Create a One-Way, Incoming, Shortcut Trust for Both Sides of the Trust .................................... 45

    Create a One-Way, Outgoing, Shortcut Trust for One Side of the Trust ....................................... 47

    Create a One-Way, Outgoing, Shortcut Trust for Both Sides of the Trust .................................... 48

  • Create a Two-Way, Shortcut Trust for One Side of the Trust ....................................................... 50

    Create a Two-Way, Shortcut Trust for Both Sides of the Trust ..................................................... 51

    Creating Forest Trusts ................................................................................................................... 52

    Create a One-Way, Incoming, Forest Trust for One Side of the Trust .......................................... 54

    Create a One-Way, Incoming, Forest Trust for Both Sides of the Trust ....................................... 55

    Create a One-Way, Outgoing, Forest Trust for One Side of the Trust .......................................... 57

    Create a One-Way, Outgoing, Forest Trust for Both Sides of the Trust ....................................... 59

    Create a Two-Way, Forest Trust for One Side of the Trust .......................................................... 60

    Create a Two-Way, Forest Trust for Both Sides of the Trust ........................................................ 62

    Creating Realm Trusts ................................................................................................................... 63

    Create a One-Way, Incoming, Realm Trust .................................................................................. 64

    Create a One-Way, Outgoing, Realm Trust .................................................................................. 65

    Create a Two-Way, Realm Trust ................................................................................................... 66

    Configuring Domain and Forest Trusts ......................................................................................... 68

    Validating and Removing Trusts .................................................................................................... 68

    Validate a Trust .............................................................................................................................. 68

    Validating a trust ......................................................................................................................... 69

    Remove a Manually Created Trust ................................................................................................ 70

    Removing a manually created trust............................................................................................ 70

    Modifying Name Suffix Routing Settings ....................................................................................... 71

    Modify Routing for a Forest Name Suffix ...................................................................................... 72

    Modify Routing for a Subordinate Name Suffix ............................................................................. 73

    Exclude Name Suffixes from Routing to a Forest ......................................................................... 74

    Securing Domain and Forest Trusts .............................................................................................. 75

    Configuring SID Filter Quarantining on External Trusts ................................................................ 75

    Disable SID filter Quarantining ...................................................................................................... 76

    See Also ..................................................................................................................................... 78

  • Reapply SID Filter Quarantining .................................................................................................... 78

    Configuring Selective Authentication Settings ............................................................................... 79

    Enable Selective Authentication over an External Trust ............................................................... 80

    Enabling selective authentication over an external trust ............................................................ 80

    Enable Selective Authentication over a Forest Trust .................................................................... 81

    Enabling selective authentication over a forest trust .................................................................. 82

    Enable Domain-Wide Authentication over an External Trust ........................................................ 83

    Enable Forest-Wide Authentication over a Forest Trust ............................................................... 84

    Grant the Allowed to Authenticate Permission on Computers in the Trusting Domain or Forest . 85

    Appendix: New Trust Wizard Pages .............................................................................................. 86

    Direction of Trust ........................................................................................................................ 86

    Wizard optionTwo-way ........................................................................................................ 86

    Wizard optionOne-way: incoming ....................................................................................... 87

    Wizard optionOne-way: outgoing ........................................................................................ 88

    Sides of trust .............................................................................................................................. 88

    Wizard optionThis domain only ........................................................................................... 89

    Wizard optionBoth this domain and the specified domain .................................................. 89

    Administering the Windows Time Service ..................................................................................... 89

    Introduction to Administering the Windows Time Service ............................................................. 89

    Windows time source selection .................................................................................................. 90

    External NTP time servers ......................................................................................................... 90

    W32tm and net time ................................................................................................................... 91

    Managing the Windows Time Service ........................................................................................... 92

    Configuring a Time Source for the Forest ..................................................................................... 92

    Configure the Time Source for the Forest ..................................................................................... 94

    Change the Windows Time Service Configuration on the PDC Emulator in the Forest Root

    Domain ....................................................................................................................................... 98

    Disable the Windows Time Service ............................................................................................... 99

    Enable Windows Time Service Debug Logging .......................................................................... 100

    Configuring Windows-Based Clients to Synchronize Time ......................................................... 100

    Configure a Manual Time Source for a Selected Client Computer ............................................. 101

  • Configure a Client Computer for Automatic Domain Time Synchronization ............................... 103

    Restoring the Windows Time Service to Default Settings ........................................................... 104

    Restore the Windows Time Service on the Local Computer to the Default Settings .................. 104

    Administering DFS-Replicated SYSVOL ..................................................................................... 105

    Introduction to Administering DFS-Replicated SYSVOL ............................................................. 105

    SYSVOL terminology and capitalization .................................................................................. 106

    Using DFS Replication for replicating SYSVOL in Windows Server 2008 ............................... 107

    Requirements for using DFS Replication ................................................................................. 107

    Key considerations for administering SYSVOL ........................................................................ 108

    Relocating SYSVOL folders ..................................................................................................... 109

    Managing DFS-Replicated SYSVOL ........................................................................................... 111

    Changing the Quota That Is Allocated to the SYSVOL Staging Area ......................................... 111

    Change the Quota That Is Allocated to the SYSVOL Staging Folder ......................................... 112

    Relocating the SYSVOL Staging Area ........................................................................................ 112

    Identify Replication Partners ........................................................................................................ 114

    Check the Status of the SYSVOL and Netlogon Shares ............................................................. 114

    Verify Active Directory Replication .............................................................................................. 115

    Gather the SYSVOL Path Information ......................................................................................... 116

    To gather the SYSVOL path information ................................................................................. 117

    Stop the DFS Replication Service and Netlogon Service............................................................ 119

    Create the SYSVOL Staging Areas Folder Structure .................................................................. 120

    Change the SYSVOL Root Path or Staging Areas Path, or Both ............................................... 121

    See Also ................................................................................................................................... 122

    Start the DFS Replication Service and Netlogon Service ........................................................... 122

    Force Replication Between Domain Controllers .......................................................................... 123

    See Also ................................................................................................................................... 124

    Relocating SYSVOL Manually ..................................................................................................... 124

    Identify Replication Partners ........................................................................................................ 125

    Check the Status of the SYSVOL and Netlogon Shares ............................................................. 126

  • Verify Active Directory Replication .............................................................................................. 127

    Gather the SYSVOL Path Information ......................................................................................... 128

    To gather the SYSVOL path information ................................................................................. 129

    Stop the DFS Replication Service and Netlogon Service............................................................ 131

    Copy SYSVOL to a New Location ............................................................................................... 132

    Create the SYSVOL Root Junction Point .................................................................................... 134

    Change the SYSVOL Root Path or Staging Areas Path, or Both ............................................... 135

    See Also ................................................................................................................................... 136

    Change the SYSVOL Netlogon Parameters ............................................................................... 136

    Reapply Default SYSVOL Security Settings ............................................................................... 137

    Start the DFS Replication Service and Netlogon Service ........................................................... 139

    Force Replication Between Domain Controllers .......................................................................... 140

    See Also ................................................................................................................................... 141

    Updating the SYSVOL Path ........................................................................................................ 141

    Gather the SYSVOL Path Information ......................................................................................... 142

    To gather the SYSVOL path information ................................................................................. 143

    Stop the DFS Replication Service and Netlogon Service............................................................ 145

    Change the SYSVOL Netlogon Parameters ............................................................................... 146

    Create the SYSVOL Root Junction Point .................................................................................... 146

    Start the DFS Replication Service and Netlogon Service ........................................................... 148

    Restoring and Rebuilding SYSVOL ............................................................................................. 149

    Identify Replication Partners ........................................................................................................ 150

    Check the Status of the SYSVOL and Netlogon Shares ............................................................. 151

    Verify Active Directory Replication .............................................................................................. 152

    Gather the SYSVOL Path Information ......................................................................................... 152

    To gather the SYSVOL path information ................................................................................. 154

    Restart the Domain Controller in Directory Services Restore Mode Locally ............................... 155

    Restarting the domain controller in DSRM locally .................................................................... 157

    See Also ................................................................................................................................... 158

  • Restart the Domain Controller in Directory Services Restore Mode Remotely ........................... 158

    See Also ................................................................................................................................... 162

    Stop the DFS Replication Service and Netlogon Service............................................................ 162

    Import the SYSVOL Folder Structure .......................................................................................... 163

    See Also ................................................................................................................................... 166

    Administering the Global Catalog ................................................................................................ 166

    Introduction to Administering the Global Catalog ........................................................................ 166

    Global catalog hardware requirements .................................................................................... 167

    Global catalog placement ......................................................................................................... 167

    Initial global catalog replication ................................................................................................ 167

    Global catalog readiness .......................................................................................................... 167

    Global catalog removal ............................................................................................................ 168

    Managing the Global Catalog ...................................................................................................... 168

    Configuring a Global Catalog Server ........................................................................................... 169

    Determine Whether a Domain Controller Is a Global Catalog Server ......................................... 169

    Designate a Domain Controller to Be a Global Catalog Server .................................................. 170

    Monitor Global Catalog Replication Progress ............................................................................. 170

    Verify Successful Replication to a Domain Controller ................................................................. 171

    Determining Global Catalog Readiness ...................................................................................... 174

    Verify Global Catalog Readiness ................................................................................................. 175

    Verifying global catalog readiness ........................................................................................... 175

    Verify Global Catalog DNS Registrations .................................................................................... 176

    Removing the Global Catalog ...................................................................................................... 177

    Clear the Global Catalog Setting ................................................................................................. 177

    Monitor Global Catalog Removal in Event Viewer ...................................................................... 178

    Administering Operations Master Roles ...................................................................................... 178

    Introduction to Administering Operations Master Roles .............................................................. 179

    Guidelines for role placement .................................................................................................. 179

    Guidelines for role transfer ....................................................................................................... 183

    Managing Operations Master Roles ............................................................................................ 184

  • Designating a Standby Operations Master .................................................................................. 184

    Standby operations master computer requirements ................................................................ 185

    Replication requirements ......................................................................................................... 185

    Determine Whether a Domain Controller Is a Global Catalog Server ......................................... 186

    Create a Connection Object on the Operations Master and Standby ......................................... 186

    Verify Successful Replication to a Domain Controller ................................................................. 187

    Transferring an Operations Master Role ..................................................................................... 190

    Transferring to a standby operations master ........................................................................... 191

    Transferring an operations master role when no standby is ready .......................................... 191

    Install the Schema Snap-in .......................................................................................................... 192

    Transfer the Schema Master ....................................................................................................... 193

    Transfer the Domain Naming Master .......................................................................................... 194

    Transfer the Domain-Level Operations Master Roles ................................................................. 195

    View the Current Operations Master Role Holders ..................................................................... 196

    Seizing an operations master role ............................................................................................... 197

    Verify Successful Replication to a Domain Controller ................................................................. 198

    Seize the Operations Master Role ............................................................................................... 201

    View the Current Operations Master Role Holders ..................................................................... 202

    Reducing the Workload on the PDC Emulator Master ................................................................ 203

    Changing the weight for DNS service (SRV) resource records in the registry ........................ 203

    Changing the priority for DNS service (SRV) resource records in the registry ........................ 204

    Change the Weight for DNS Service (SRV) Resource Records in the Registry ......................... 205

    Change the Priority for DNS Service (SRV) Resource Records in the Registry ......................... 205

    Administering Active Directory Backup and Recovery ................................................................ 206

    Introduction to Administering Active Directory Backup and Recovery

    [lhsad_ADDS_Ops_5]_ADDS_Ops_5 ..................................................................................... 207

    Backing up AD DS.................................................................................................................... 207

    Recovering AD DS ................................................................................................................... 207

    Additional considerations ......................................................................................................... 209

    Managing Active Directory Backup and Recovery ...................................................................... 209

  • Backing Up Active Directory Domain Services ............................................................................ 209

    Windows Server backup tools .................................................................................................. 209

    Windows Server backup types ................................................................................................. 210

    Contents of Windows Server backup types .......................................................................... 210

    Criteria for using backup types ............................................................................................. 211

    Backup guidelines .................................................................................................................... 212

    Scheduling regular backups ..................................................................................................... 214

    Immediate (unscheduled) backup ............................................................................................ 214

    Backup frequency..................................................................................................................... 214

    Backup frequency criteria ..................................................................................................... 215

    Backup latency interval ......................................................................................................... 215

    Known Issues for Backing Up Active Directory Domain Services ............................................... 217

    Perform a Backup of Critical Volumes of a Domain Controller by Using the GUI (Windows Server

    Backup) .................................................................................................................................... 218

    Additional considerations .................................................................................................. 219

    Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin)

    .................................................................................................................................................. 220

    Additional considerations .................................................................................................. 220

    Perform a Full Server Backup of a Domain Controller by Using the GUI (Windows Server Backup)

    .................................................................................................................................................. 221

    Additional considerations .................................................................................................. 225

    Perform a Full Server Backup of a Domain Controller by Using the Command Line (Wbadmin) 226

    Additional considerations .................................................................................................. 226

    Recovering Active Directory Domain Services ............................................................................ 227

    Causes of disruptions ............................................................................................................... 227

    Keys to protecting against disruptions ..................................................................................... 228

    Preventing unwanted deletions ................................................................................................ 228

    Recovery solutions ................................................................................................................... 229

    Solutions for configuration errors: nonauthoritative restore ................................................ 229

    Solutions for data loss: authoritative restore ....................................................................... 230

    Recovery options with no available backup .......................................................................... 231

    Solutions for hardware failure or file corruption .................................................................... 232

    Recovery tasks ......................................................................................................................... 233

    Performing Nonauthoritative Restore of Active Directory Domain Services ............................... 233

    Nonauthoritative Restore Requirements .................................................................................. 234

    SYSVOL restore ....................................................................................................................... 234

    Additional references ............................................................................................................... 235

    Restart the Domain Controller in Directory Services Restore Mode Locally ............................... 235

    Restarting the domain controller in DSRM locally .................................................................... 237

    See Also ................................................................................................................................... 238

    Restart the Domain Controller in Directory Services Restore Mode Remotely ........................... 238

    See Also ................................................................................................................................... 241

    Restore AD DS from Backup (Nonauthoritative Restore) ........................................................... 242

    Additional references ............................................................................................................... 243

    Verify AD DS restore ................................................................................................................... 243

    Performing Authoritative Restore of Active Directory Objects ..................................................... 245

    Determining objects to restore ................................................................................................. 246

    Selecting objects to restore ...................................................................................................... 246

    Selecting application directory partitions to restore ................................................................. 247

    Restoring group memberships after authoritative restore ........................................................ 247

    LVR and restoration of group memberships ......................................................................... 247

    Authoritative restore of pre-LVR group memberships and groups in different domains ...... 248

    Files for recovering group memberships following authoritative restore .............................. 249

    Using a global catalog server for authoritative restore ............................................................. 250

    Recovering deletions without restoring from backup ............................................................... 250

    Retention (merge) of new group memberships or other attributes after authoritative restore . 251

    Authoritative restore procedures .............................................................................................. 252

    Procedures for restoring after deletions have replicated ...................................................... 252

    Procedures for restoring before deletions have replicated ................................................... 253

    Procedures for recovering group memberships (and any other back-link attributes) in other domains ............................................................................................................................. 254

    Additional references ............................................................................................................... 255

    Known Issues for Authoritative Restore ...................................................................................... 255

    Order of replication and dropped group memberships ............................................................ 256

    Members added back to groups from which they were deleted .............................................. 257

    Incorrect assignment of Exchange mailboxes ......................................................................... 257

    Best Practices for Authoritative Restore ...................................................................................... 257

    Restart the Domain Controller in Directory Services Restore Mode Locally ............................... 259

    Restarting the domain controller in DSRM locally .................................................................... 260

    See Also ................................................................................................................................... 261

    Restart the Domain Controller in Directory Services Restore Mode Remotely ........................... 261

    See Also ................................................................................................................................... 265

    Restore AD DS from Backup (Nonauthoritative Restore) ........................................................... 265

    Additional references ............................................................................................................... 267

    Mark an Object or Objects as Authoritative ................................................................................. 267

    Additional references ............................................................................................................... 269

    Turn Off Inbound Replication ....................................................................................................... 269

    Additional references ............................................................................................................... 270

    Synchronize Replication with All Partners ................................................................................... 270

    See Also ................................................................................................................................... 271

    Run an LDIF File to Recover Back-Links .................................................................................... 271

    Additional references ............................................................................................................... 272

    Turn on Inbound Replication ....................................................................................................... 272

    Additional references ............................................................................................................... 273

    Create an LDIF File for Recovering Back-Links for Authoritatively Restored Objects ................ 273

    Additional references ............................................................................................................... 274

    Performing Authoritative Restore of an Application Directory Partition ....................................... 274

    Restart the Domain Controller in Directory Services Restore Mode Remotely ........................... 275

    See Also ................................................................................................................................... 278

    Restart the Domain Controller in Directory Services Restore Mode Locally ............................... 279

    Restarting the domain controller in DSRM locally .................................................................... 280

    See Also ................................................................................................................................... 281

    Restore AD DS from Backup (Nonauthoritative Restore) ........................................................... 281

    Additional references ............................................................................................................... 283

    Mark an application directory partition as authoritative ............................................................... 283

    See Also ................................................................................................................................... 284

    Performing a Full Server Recovery of a Domain Controller ........................................................ 285

    Requirements for performing a full server recovery of a domain controller ............................. 285

    Performing a full server recovery of a domain controller by using the GUI ............................. 285

    Performing a full server recovery of a domain controller by using the command line ............. 287

    Additional considerations ......................................................................................................... 288

    Restoring a Domain Controller Through Reinstallation and Subsequent Restore from Backup 289

    Restart the Domain Controller in Directory Services Restore Mode Locally ............................... 290

    Restarting the domain controller in DSRM locally .................................................................... 291

    See Also ................................................................................................................................... 293

    Restart the Domain Controller in Directory Services Restore Mode Remotely ........................... 293

    See Also ................................................................................................................................... 296

    Restore AD DS from Backup (Nonauthoritative Restore) ........................................................... 296

    Additional references ............................................................................................................... 298

    Verify AD DS restore ................................................................................................................... 298

    Restoring a Domain Controller Through Reinstallation ............................................................... 299

    Clean Up Server Metadata .......................................................................................................... 301

    See Also ................................................................................................................................... 303

    Delete a Server Object from a Site .............................................................................................. 304

    See Also ................................................................................................................................... 304

    Verify DNS Registration and TCP/IP Connectivity ...................................................................... 305

    Verify the Availability of the Operations Masters ......................................................................... 305

    Install an Additional Domain Controller by Using the Windows Interface ................................... 307

    See Also ................................................................................................................................... 309

    Verifying Active Directory Installation .......................................................................................... 309

    Administering Intersite Replication .............................................................................................. 310

    Introduction to Administering Intersite Replication ...................................................................... 311

    Optimizing replication between sites ........................................................................................ 311

    Effects of site link bridging .................................................................................................... 312

    Effects of disabling site link bridging ..................................................................................... 312

    Optimizing domain controller location ...................................................................................... 313

    Finding the next closest site ................................................................................................. 313

    Forcing domain controller rediscovery .................................................................................. 313

    Improving the logon experience in branch sites ....................................................................... 314

    See Also ................................................................................................................................... 314

    Managing Intersite Replication .................................................................................................... 314

    Adding a New Site ....................................................................................................................... 315

    Create a Site Object and Add it to an Existing Site Link ............................................................. 316

    See Also ................................................................................................................................... 316

    Create a Subnet Object or Objects and Associate them with a Site ........................................... 316

    Associate an Existing Subnet Object with a Site ......................................................................... 317

    Create a Site Link Object and Add the Appropriate Sites ........................................................... 318

    Remove a Site from a Site Link ................................................................................................... 318

    Linking Sites for Replication ........................................................................................................ 319

    Creating site links ..................................................................................................................... 319

    Selecting bridgehead servers ................................................................................................... 320

    Create a Site Link Object and Add the Appropriate Sites ........................................................... 321

    Determine the ISTG Role Owner for a Site ................................................................................. 321

    Generate the Replication Topology on the ISTG ........................................................................ 322

    Designate a Server as a Preferred Bridgehead Server ............................................................... 323

    Changing Site Link Properties ..................................................................................................... 323

    Configure the Site Link Schedule to Identify Times During Which Intersite Replication Can Occur .................................................................................................................................................. 324

    Configure the Site Link Interval to Identify How Often Replication Polling Can Occur During the Schedule Window..................................................................................................................... 325

    Configure the Site Link Cost to Establish a Priority for Replication Routing ............................... 326

    Determine the ISTG Role Owner for a Site ................................................................................. 326

    Generate the Replication Topology on the ISTG ........................................................................ 327

    Enabling Clients to Locate the Next Closest Domain Controller ................................................. 328

    Enable Clients to Locate a Domain Controller in the Next Closest Site ...................................... 329

    Moving a Domain Controller to a Different Site ........................................................................... 330

    TCP/IP settings ........................................................................................................................ 331

    DNS settings ............................................................................................................................ 331

    Preferred bridgehead server status .......................................................................................... 331

    Change the Static IP Address of a Domain Controller ................................................................ 333

    Update the IP Address for a DNS Delegation ............................................................................. 334

    Update the IP Address for a DNS Forwarder .............................................................................. 335

    Verify That an IP Address Maps to a Subnet and Determine the Site Association ..................... 336

    See Also ................................................................................................................................... 337

    Determine Whether a Server is a Preferred Bridgehead Server ................................................. 337

    See Also ................................................................................................................................... 337

    View the List of All Preferred Bridgehead Servers ...................................................................... 337

    See Also ................................................................................................................................... 338

    Configure a Server to Not Be a Preferred Bridgehead Server .................................................... 338

    See Also ................................................................................................................................... 339

    Move a Server Object to a New Site ........................................................................................... 339

    See Also ................................................................................................................................... 340

    Enabling Universal Group Membership Caching in a Site .......................................................... 340

    Enable Universal Group Membership Caching in a Site ............................................................. 341

    Forcing Replication ...................................................................................................................... 341

    Forcing replication of all directory updates over a connection ................................................. 342

    Forcing replication of configuration updates ............................................................................ 342

    Force Replication Between Domain Controllers .......................................................................... 343

    See Also ................................................................................................................................... 344

    Update a Server with Configuration Changes ............................................................................. 344

    Synchronize Replication with All Partners ................................................................................... 345

    See Also ................................................................................................................................... 346

    Verify Successful Replication to a Domain Controller ................................................................. 346

    Removing a Site .......................................................................................................................... 349

    Delete a Manual Connection Object ............................................................................................ 351

    Determine Whether a Server Object Has Child Objects ............................................................. 352

    Delete a Server Object from a Site .............................................................................................. 352

    See Also ................................................................................................................................... 353

    Delete a Site Link object .............................................................................................................. 353

    Associate an Existing Subnet Object with a Site ......................................................................... 354

    Delete a Site object ..................................................................................................................... 355

    See Also ................................................................................................................................... 355

    Determine the ISTG Role Owner for a Site ................................................................................. 355

    Generate the Replication Topology on the ISTG ........................................................................ 356

    Administering the Active Directory Database .............................................................................. 357

    Introduction to Administering the Active Directory Database .................. 357

    Database management conditions ........................................................................................... 357

    Disk space monitoring recommendations ................................................................................ 357

    Database defragmentation ....................................................................................................... 358

    Restartable AD DS ................................................................................................................... 358

    See Also ................................................................................................................................... 359

    Managing the Active Directory Database .................................................................................... 359

    Relocating the Active Directory Database Files .......................................................................... 359

    Disk space requirements for relocating Active Directory database files .................................. 360

    Determine the Database Size and Location Online .................................................................... 362

    See Also ................................................................................................................................... 363

    Determine the Database Size and Location Offline .................................................................... 363

    See Also ................................................................................................................................... 364

    Compare the Size of the Directory Database Files to the Volume Size ...................................... 364

    Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin) .................................................................................................................................................. 365

    Additional considerations .................................................................................................. 366

    Move the Directory Database and Log Files to a Local Drive ..................................................... 366

    See Also ................................................................................................................................... 369

    Copy the Directory Database and Log Files to a Remote Share ................................................ 369

    See Also ................................................................................................................................... 372

    Returning Unused Disk Space from the Active Directory Database to the File System ............. 372

    Change the Garbage Collection Logging Level to 1 .................................................................... 374

    See Also ................................................................................................................................... 374

    Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin) .................................................................................................................................................. 375

    Additional considerations .................................................................................................. 375

    Compact the Directory Database File (Offline Defragmentation) ................................................ 376

    See Also ................................................................................................................................... 379

    If the Database Integrity Check Fails, Perform Semantic Database Analysis with Fixup ........... 379

    Administering Domain Controllers ............................................................................................... 381

    Additional references ............................................................................................................... 381

    Introduction to Administering Domain Controllers ....................................................................... 381

    Installing Remote Server Administration Tools ........................................................................ 381

    Installing and removing AD DS ................................................................................................ 382

    Adding domain controllers .................................................................................................... 382

    Removing domain controllers ............................................................................................... 382

    Renaming domain controllers .................................................................................................. 382

    Adding domain controllers to branch sites ............................................................................... 383

    Installing from media ............................................................................................................. 383

    Shipping installed domain controllers to branch sites ........................................................... 384

    Managing Domain Controllers ..................................................................................................... 384

    Installing Remote Server Administration Tools for AD DS .......................................................... 386

    Installing Active Directory Domain Services Tools on a member server that is running Windows Server 2008 ........................................................................................................... 387

    Installing Active Directory Domain Services Tools on a computer that is running Windows Vista with SP1 ................................................................................................................................ 387

    Managing Antivirus Software on Active Directory Domain Controllers ....................................... 387

    Guidelines for managing antivirus software on Active Directory domain controllers ............... 388

    Files to exclude from scanning ................................................................................................. 389

    Preparing for Active Directory Installation ................................................................................... 391

    DNS configuration .................................................................................................................... 392

    Site placement .......................................................................................................................... 392

    Domain connectivity ................................................................................................................. 392

    Verify DNS Infrastructure and Registrations ............................................................................... 394

    Verify That an IP Address Maps to a Subnet and Determine the Site Association ..................... 395

    See Also ................................................................................................................................... 396

    Verify the Availability of the Operations Masters ......................................................................... 396

    Installing a Domain Controller in an Existing Domain ................................................................. 398

    See Also ................................................................................................................................... 399

    Installing an Additional Domain Controller by Using the Windows Interface .............................. 399

    See Also ................................................................................................................................... 400

    Install an Additional Domain Controller by Using the Windows Interface ................................... 400

    See Also ................................................................................................................................... 402

    Installing an Additional Domain Controller by Using IFM ............................................................ 402

    See Also ................................................................................................................................... 405

    Create Installation Media by Using Ntdsutil ................................................................................. 405

    See Also ................................................................................................................................... 406

    Install an Additional Domain Controller by Using Installation Media ........................................... 406

    See Also ................................................................................................................................... 407

    Installing an Additional Domain Controller by Using Unattend Parameters ................................ 407

    See Also ................................................................................................................................... 408

    Create an Answer File for Unattended Domain Controller Installation ........................................ 408

    See Also ................................................................................................................................... 410

    Install an Additional Domain Controller by Using an Answer File ............................................... 410

    See Also ................................................................................................................................... 411

    Install an Additional Domain Controller by Using Unattend Parameters from the Command Line .... 411

    Verifying Active Directory Installation .......................................................................................... 412

    Verify That an IP Address Maps to a Subnet and Determine the Site Association ..................... 413

    See Also ................................................................................................................................... 414

    Configure DNS Server Forwarders.............................................................................................. 414

    Verifying DNS Configuration ........................................................................................................ 415

    Verify DNS Server Configuration for a Domain Controller .......................................................... 416

    See Also ................................................................................................................................... 416

    Verify DNS Client Settings ........................................................................................................... 417

    See Also ................................................................................................................................... 417

    Check the Status of the SYSVOL and Netlogon Shares ............................................................. 417

    Verify Active Directory Replication .............................................................................................. 418

    Verify a Domain Computer Account for a New Domain Controller ............................................. 419

    Adding Domain Controllers in Remote Sites ............................................................................... 420

    Best Practices for Adding Domain Controllers in Remote Sites .................................................. 421

    Best practices for using IFM to install AD DS in the remote site ............................................. 421

    Best practices for installing domain controllers before you ship them to a remote site ........... 423

    See Also ................................................................................................................................... 425

    Known Issues for Adding Domain Controllers in Remote Sites .................................................. 425

    SYSVOL replication ................................................................................................................. 426

    Using IFM to install a domain controller in a remote site ......................................................... 426

    Advantages of using IFM to install a domain controller in a remote site .............................. 427

    Issues with using IFM to install a domain controller in a remote site ................................... 427

    Installing domain controllers before shipping them to the remote site ..................................... 428

    Advantages of installing domain controllers before shipping them to the remote site ......... 429

    Issues with installing domain controllers before shipping them to the remote site ............... 429

    Maintaining directory consistency when you disconnect a domain controller ...................... 430

    Protection against lingering object replication ................................................................... 430

    Availability of operations masters ...................................................................................... 431

    Up to dateness of active directory replication ................................................................... 431

    SYSVOL consistency ........................................................................................................ 431

    See Also ................................................................................................................................... 432

    Preparing a Server Computer for Shipping and Installation from Media ..................................... 432

    Determining the volume for installation media ......................................................................... 433

    Enabling Remote Desktop ....................................................................................................... 433

    Including application directory partitions .................................................................................. 433

    See Also ................................................................................................................................... 434

    Enable Remote Desktop .............................................................................................................. 434

    Create a Remote Desktop Connection ........................................................................................ 436

    See Also ................................................................................................................................... 436

    Install an Additional Domain Controller by Using Installation Media ........................................... 437

    See Also ................................................................................................................................... 438

    Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection .............. 438

    See Also ................................................................................................................................... 439

    Determine the Tombstone Lifetime for the Forest ....................................................................... 440

    Enable Strict Replication Consistency ......................................................................................... 440

    Synchronize Replication with All Partners ................................................................................... 442

    See Also ................................................................................................................................... 443

    Reconnecting a Domain Controller After a Long-Term Disconnection ....................................... 443

    Reconnecting an outdated domain controller .......................................................................... 443

    Updating SYSVOL ................................................................................................................... 444

    See Also ................................................................................................................................... 445

    Determine the Tombstone Lifetime for the Forest ....................................................................... 445

    Move a Server Object to a New Site ........................................................................................... 446

    See Also ................................................................................................................................... 447

    Determine When Intersite Replication Is Scheduled to Begin ..................................................... 447

    Use Repadmin to Remove Lingering Objects ............................................................................. 448

    Verify Successful Replication to a Domain Controller ................................................................. 450

    Renaming a Domain Controller ................................................................................................... 453

    Rename a Domain Controller Using System Properties ............................................................. 454

    See Also ................................................................................................................................... 454

    Rename a Domain Controller Using Netdom .............................................................................. 454

    See Also ................................................................................................................................... 456

    Update the FRS or DFS Replication Member Object .................................................................. 457

    Decommissioning a Domain Controller ....................................................................................... 458

    Removing a domain or a forest ................................................................................................ 458

    Protecting EFS-encrypted files ................................................................................................. 458

    See Also ................................................................................................................................... 461

    Verify DNS Registration and TCP/IP Connectivity ...................................................................... 461

    View the Current Operations Master Role Holders ..................................................................... 462

    Transfer the Schema Master ....................................................................................................... 463

    Transfer the Domain Naming Master .......................................................................................... 464

    Transfer the Domain-Level Operations Master Roles ................................................................. 465

    Determine Whether a Domain Controller Is a Global Catalog Server ......................................... 466

    Verify the Availability of the Operations Masters ......................................................................... 466

    Back Up a Certificate With Its Private Key .................................................................................. 468

    Removing a Windows Server 2008 Domain Controller from a Domain ...................................... 469

    Removing a Windows Server 2008 domain controller by using the Windows interface .......... 469

    Removing a Windows Server 2008 domain controller by using an answer file ....................... 470

    Removing a Windows Server 2008 domain controller by entering unattended installation parameters at the command line .......................................................................................... 471

    Import a Certificate ...................................................................................................................... 471

    Determine Whether a Server Object Has Child Objects ............................................................. 473

    Delete a Server Object from a Site .............................................................................................. 473

    See Also ................................................................................................................................... 474

    Add the Certificates Snap-in to an MMC ..................................................................................... 474

    Adding the Certificates Snap-in to an MMC ............................................................................. 474

    Forcing the Removal of a Domain Controller .............................................................................. 476

    Identify Replication Partners ........................................................................................................ 478

    Force Domain Controller Removal .............................................................................................. 478

    See Also ................................................................................................................................... 479

    Clean Up Server Metadata .......................................................................................................... 480

    See Also ................................................................................................................................... 482

    Administering Active Directory Domain Rename ........................................................................ 482

    In this guide .............................................................................................................................. 483

    Introduction to Administering Active Directory Domain Rename ................................................ 483

    Domain rename requirements .................................................................................................. 483

    Managing Active Directory Domain Rename .............................................................................. 484

    Preparing for the Domain Rename Operation ............................................................................. 485

    Adjust Forest Functional Level .................................................................................................... 485

    Setting forest functional level to Windows Server 2003 or Windows Server 2008 .................. 485

    Create Necessary Shortcut Trust Relationships ......................................................................... 486

    Types of trust relationships ...................................................................................................... 487

    Precreating parent-child trust relationships for a restructured forest ....................................... 487

    Precreating a parent-child trust relationship ......................................................................... 487

    Pre-creating multiple parent-child trust relationships ............................................................ 488

    Precreating a tree-root trust relationship with the forest root domain ................................... 489

    Creating shortcut trust relationships ..................................................................................... 490

    Prepare DNS Zones .................................................................................................................... 491

    Redirect Special Folders to a Standalone DFSN ........................................................................ 492

    Relocate Roaming User Profiles to a Standalone DFSN ............................................................ 492

    Configure Member Computers for Host Name Changes ............................................................ 493

    Conditions for automatic computer name change ................................................................... 493

    Replication effects of renaming large numbers of computers .................................................. 494

    Using Group Policy to apply the new primary DNS suffix ........................................................ 495

    Apply the new primary DNS suffix before renaming domains .............................................. 495

    Apply Group Policy in stages to avoid significant replication ............................................... 495

    Configuration required before the application of Group Policy ............................................. 496

    Configuring member computers for host name changes in large deployments ...................... 497

    Determine the primary DNS Suffix configuration .................................................................. 498

    Determine whether Group Policy controls the primary DNS suffix ....................................... 498

    Configure the domain to allow a primary DNS suffix that does not match the domain name ........... 499

    Apply Group Policy to set the primary DNS suffix ................................................................ 500

    Prepare Certification Authorities .................................................................................................. 501

    Exchange-Specific Steps: Prepare a Domain that Contains Exchange ...................................... 503

    Performing the Domain Rename Operation ................................................................................ 503

    Set Up the Control Station ........................................................................................................... 504

    Freeze the Forest Configuration .................................................................................................. 506

    Back Up All Domain Controllers .................................................................................................. 506

    Generate the Current Forest Description .................................................................................... 506

    Specify the New Forest Description ............................................................................................ 509

    Renaming application directory partitions ................................................................................ 512

    DNS data .................................................................................................................................. 513

    TAPI data ................................................................................................................................. 513

    Specifying the source domain controllers ................................................................................ 514

    Reviewing the new forest description....................................................................................... 514

    Generate Domain Rename Instructions ...................................................................................... 515

    Push Domain Rename Instructions to All Domain Controllers and Verify DNS Readiness ........ 518

    Pushing domain rename instructions to all domain controllers ................................................ 518

    Verifying DNS readiness .......................................................................................................... 520

    Verify Readiness of Domain Controllers ..................................................................................... 522

    Run Domain Rename Instructions ............................................................................................... 524

    Exchange-Specific Steps: Update the Exchange Configuration and Restart Exchange Servers 527

    Unfreeze the Forest Configuration .............................................................................................. 527

    Re-establish External Trusts ....................................................................................................... 528

    Fix Group Policy Objects and Links............................................................................................. 529

    Completing the Domain Rename Operation ............................................................................... 532

    Verify Certificate Security ............................................................................................................ 532

    Preparing URLs for CRL distribution point and Authority Information Access (AIA) extensions after a domain rename .......................................................................................... 533

    Verifying the use of UPNs ........................................................................................................ 533

    Enabling certificate enrollment in a renamed domain .............................................................. 534

    Verifying the validity of CRL distribution point and AIA extensions ......................................... 537

    Renewing subordinate and issuing CA certificates .................................................................. 537

    Publish new CRLs .................................................................................................................... 537

    Updating domain controller certificates .................................................................................... 538

    Changing the user identity for the NDES add-on ..................................................................... 538

    Perform Miscellaneous Tasks ..................................................................................................... 538

    Back Up Domain Controllers ....................................................................................................... 541

    Restart Member Computers ........................................................................................................ 542

    Exchange-Specific Steps: Verify the Exchange Rename and Update Active Directory Connector .................................................................................................................................. 543

    Perform Attribute Cleanup ........................................................................................................... 543

    Rename Domain Controllers ....................................................................................................... 544

    Additional Resources for the Domain Rename Operation .......................................................... 545

    Appendix A: Command-Line Syntax for the Rendom Tool ......................................................... 545

    Appendix B: Command-Line Syntax for the Gpfixup Tool ........................................................... 550

    Appendix C: Checklists for the Domain Rename Operation ....................................................... 553

    Satisfying domain rename requirements ................................................................................. 553

    Preparing for the domain rename operation ............................................................................ 556

    Performing the domain rename operation ............................................................................... 557

    Completing the domain rename operation ............................................................................... 558

    Appendix D: Worksheets for the Domain Rename Operation ..................................................... 559

    Worksheet 1: Domain Name Change Information ................................................................... 559

    Worksheet 2: Trust Information ................................................................................................ 560

    Worksheet 3: DNS Zone Information ....................................................................................... 560

    Worksheet 4: DFSN, Folder Redirection, and Roaming Profiles ............................................. 561

    Worksheet 5: Domain Controller Information ........................................................................... 561

    Worksheet 6: Domain Rename Execution Readiness ............................................................. 562

    Worksheet 7: Certification Authority (CA) Information ............................................................. 562

    Additional Resources ................................................................................................................... 562

    Active Directory Domain Services Operations Guide - cover ...................................................... 563



    Active Directory Domain Services Operations Guide

    This operations guide provides administration and management information for Active Directory Domain Services (AD DS) directory service technologies in the Windows Server 2008 operating system.

    In this guide

    New in Thi