
Active Directory Domain Services Operations Guide
Microsoft Corporation
Published: September 2008

Abstract

This operations guide provides administration and management information for Active Directory Domain Services (AD DS) directory service technologies in the Windows Server 2008 operating system.

Copyright information

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2008 Microsoft Corporation. All rights reserved.

Active Directory, Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Active Directory Domain Services Operations Guide ... 1
Abstract ... 1
Copyright information ... 2
Contents ... 3
Active Directory Domain Services Operations Guide ... 24
New in This Guide ... 24
Administering Active Directory Domain Services ... 24
Introduction to Administering Active Directory Domain Services ... 25
When to use this guide ... 25
How to use this guide ... 26
Administering Domain and Forest Trusts ... 26
Introduction to Administering Domain and Forest Trusts ... 27
Best Practices for Administering Domain and Forest Trusts ... 27
Managing Domain and Forest Trusts ... 28
Creating Domain and Forest Trusts ... 28
New Trust Wizard terminology ... 29
Known Issues for Creating Domain and Forest Trusts ... 30
Creating External Trusts ... 31
Create a One-Way, Incoming, External Trust for One Side of the Trust ... 33
Create a One-Way, Incoming, External Trust for Both Sides of the Trust ... 34
Create a One-Way, Outgoing, External Trust for One Side of the Trust ... 36
Create a One-Way, Outgoing, External Trust for Both Sides of the Trust ... 37
Create a Two-Way, External Trust for One Side of the Trust ... 39
Create a Two-Way, External Trust for Both Sides of the Trust ... 40
Creating Shortcut Trusts ... 42
Create a One-Way, Incoming, Shortcut Trust for One Side of the Trust ... 43
Create a One-Way, Incoming, Shortcut Trust for Both Sides of the Trust ... 44
Create a One-Way, Outgoing, Shortcut Trust for One Side of the Trust ... 45
Create a One-Way, Outgoing, Shortcut Trust for Both Sides of the Trust ... 47
Create a Two-Way, Shortcut Trust for One Side of the Trust ... 48
Create a Two-Way, Shortcut Trust for Both Sides of the Trust ... 50
Creating Forest Trusts ... 51
Create a One-Way, Incoming, Forest Trust for One Side of the Trust ... 52
Create a One-Way, Incoming, Forest Trust for Both Sides of the Trust ... 54
Create a One-Way, Outgoing, Forest Trust for One Side of the Trust ... 55
Create a One-Way, Outgoing, Forest Trust for Both Sides of the Trust ... 57
Create a Two-Way, Forest Trust for One Side of the Trust ... 58
Create a Two-Way, Forest Trust for Both Sides of the Trust ... 60
Creating Realm Trusts ... 62
Create a One-Way, Incoming, Realm Trust ... 62
Create a One-Way, Outgoing, Realm Trust ... 64
Create a Two-Way, Realm Trust ... 65
Configuring Domain and Forest Trusts ... 66
Validating and Removing Trusts ... 66
Validate a Trust ... 67
Validating a trust ... 67
Remove a Manually Created Trust ... 68
Removing a manually created trust ... 68
Modifying Name Suffix Routing Settings ... 69
Modify Routing for a Forest Name Suffix ... 70
Modify Routing for a Subordinate Name Suffix ... 71
Exclude Name Suffixes from Routing to a Forest ... 72
Securing Domain and Forest Trusts ... 73
Configuring SID Filter Quarantining on External Trusts ... 73
Disable SID Filter Quarantining ... 75
See Also ... 76
Reapply SID Filter Quarantining ... 76
Configuring Selective Authentication Settings ... 77
Enable Selective Authentication over an External Trust ... 78
Enabling selective authentication over an external trust ... 78
Enable Selective Authentication over a Forest Trust ... 80
Enabling selective authentication over a forest trust ... 80
Enable Domain-Wide Authentication over an External Trust ... 81
Enable Forest-Wide Authentication over a Forest Trust ... 82
Grant the Allowed to Authenticate Permission on Computers in the Trusting Domain or Forest ... 83
Appendix: New Trust Wizard Pages ... 84
Direction of Trust ... 84
Wizard option: Two-way ... 84
Wizard option: One-way: incoming ... 85
Wizard option: One-way: outgoing ... 86
Sides of trust ... 87
Wizard option: This domain only ... 87
Wizard option: Both this domain and the specified domain ... 88
Administering the Windows Time Service ... 88
Introduction to Administering the Windows Time Service ... 88
Windows time source selection ... 88
External NTP time servers ... 89
W32tm and net time ... 90
Managing the Windows Time Service ... 90
Configuring a Time Source for the Forest ... 91
Configure the Time Source for the Forest ... 93
Change the Windows Time Service Configuration on the PDC Emulator in the Forest Root Domain ... 97
Disable the Windows Time Service ... 98
Enable Windows Time Service Debug Logging ... 99
Configuring Windows-Based Clients to Synchronize Time ... 99
Configure a Manual Time Source for a Selected Client Computer ... 100
Configure a Client Computer for Automatic Domain Time Synchronization ... 102
Restoring the Windows Time Service to Default Settings ... 103
Restore the Windows Time Service on the Local Computer to the Default Settings ... 103
Administering DFS-Replicated SYSVOL ... 104
Introduction to Administering DFS-Replicated SYSVOL ... 104
SYSVOL terminology and capitalization ... 104
Using DFS Replication for replicating SYSVOL in Windows Server 2008 ... 105
Requirements for using DFS Replication ... 106
Key considerations for administering SYSVOL ... 106
Relocating SYSVOL folders ... 108
Managing DFS-Replicated SYSVOL ... 109
Changing the Quota That Is Allocated to the SYSVOL Staging Area ... 110
Change the Quota That Is Allocated to the SYSVOL Staging Folder ... 110
Relocating the SYSVOL Staging Area ... 111
Identify Replication Partners ... 112
Check the Status of the SYSVOL and Netlogon Shares ... 113
Verify Active Directory Replication ... 114
Gather the SYSVOL Path Information ... 114
To gather the SYSVOL path information ... 116
Stop the DFS Replication Service and Netlogon Service ... 117
Create the SYSVOL Staging Areas Folder Structure ... 118
Change the SYSVOL Root Path or Staging Areas Path, or Both ... 119
See Also ... 120
Start the DFS Replication Service and Netlogon Service ... 120
Force Replication Between Domain Controllers ... 121
See Also ... 122
Relocating SYSVOL Manually ... 122
Identify Replication Partners ... 124
Check the Status of the SYSVOL and Netlogon Shares ... 124
Verify Active Directory Replication ... 125
Gather the SYSVOL Path Information ... 126
To gather the SYSVOL path information ... 127
Stop the DFS Replication Service and Netlogon Service ... 129
Copy SYSVOL to a New Location ... 130
Create the SYSVOL Root Junction Point ... 133
Change the SYSVOL Root Path or Staging Areas Path, or Both ... 134
See Also ... 135
Change the SYSVOL Netlogon Parameters ... 135
Reapply Default SYSVOL Security Settings ... 136
Start the DFS Replication Service and Netlogon Service ... 138
Force Replication Between Domain Controllers ... 139
See Also ... 139
Updating the SYSVOL Path ... 139
Gather the SYSVOL Path Information ... 140
To gather the SYSVOL path information ... 142
Stop the DFS Replication Service and Netlogon Service ... 143
Change the SYSVOL Netlogon Parameters ... 144
Create the SYSVOL Root Junction Point ... 145
Start the DFS Replication Service and Netlogon Service ... 146
Restoring and Rebuilding SYSVOL ... 147
Identify Replication Partners ... 149
Check the Status of the SYSVOL and Netlogon Shares ... 149
Verify Active Directory Replication ... 150
Gather the SYSVOL Path Information ... 151
To gather the SYSVOL path information ... 152
Restart the Domain Controller in Directory Services Restore Mode Locally ... 154
Restarting the domain controller in DSRM locally ... 155
See Also ... 156
Restart the Domain Controller in Directory Services Restore Mode Remotely ... 157
See Also ... 160
Stop the DFS Replication Service and Netlogon Service ... 160
Import the SYSVOL Folder Structure ... 161
See Also ... 164
Administering the Global Catalog ... 165
Introduction to Administering the Global Catalog ... 165
Global catalog hardware requirements ... 165
Global catalog placement ... 165
Initial global catalog replication ... 165
Global catalog readiness ... 166
Global catalog removal ... 166
Managing the Global Catalog ... 167
Configuring a Global Catalog Server ... 167
Determine Whether a Domain Controller Is a Global Catalog Server ... 168
Designate a Domain Controller to Be a Global Catalog Server ... 168
Monitor Global Catalog Replication Progress ... 169
Verify Successful Replication to a Domain Controller ... 170
Determining Global Catalog Readiness ... 173
Verify Global Catalog Readiness ... 173
Verifying global catalog readiness ... 173
Verify Global Catalog DNS Registrations ... 174
Removing the Global Catalog ... 175
Clear the Global Catalog Setting ... 175
Monitor Global Catalog Removal in Event Viewer ... 176
Administering Operations Master Roles ... 177
Introduction to Administering Operations Master Roles ... 177
Guidelines for role placement ... 178
Guidelines for role transfer ... 181
Managing Operations Master Roles ... 182
Designating a Standby Operations Master ... 183
Standby operations master computer requirements ... 183
Replication requirements ... 183
Determine Whether a Domain Controller Is a Global Catalog Server ... 184
Create a Connection Object on the Operations Master and Standby ... 184
Verify Successful Replication to a Domain Controller ... 185
Transferring an Operations Master Role ... 188
Transferring to a standby operations master ... 189
Transferring an operations master role when no standby is ready ... 189
Install the Schema Snap-in ... 190
Transfer the Schema Master ... 191
Transfer the Domain Naming Master ... 192
Transfer the Domain-Level Operations Master Roles ... 193
View the Current Operations Master Role Holders ... 194
Seizing an operations master role ... 195
Verify Successful Replication to a Domain Controller ... 196
Seize the Operations Master Role ... 199
View the Current Operations Master Role Holders ... 200
Reducing the Workload on the PDC Emulator Master ... 201
Changing the weight for DNS service (SRV) resource records in the registry ... 201
Changing the priority for DNS service (SRV) resource records in the registry ... 202
Change the Weight for DNS Service (SRV) Resource Records in the Registry ... 203
Change the Priority for DNS Service (SRV) Resource Records in the Registry ... 203
Administering Active Directory Backup and Recovery ... 204
Introduction to Administering Active Directory Backup and Recovery ... 205
Backing up AD DS ... 205
Recovering AD DS ... 205
Additional considerations ... 206
Managing Active Directory Backup and Recovery ... 207
Backing Up Active Directory Domain Services ... 207
Windows Server backup tools ... 207
Windows Server backup types ... 208
Contents of Windows Server backup types ... 208
Criteria for using backup types ... 209
Backup guidelines ... 210
Scheduling regular backups ... 211
Immediate (unscheduled) backup ... 212
Backup frequency ... 212
Backup frequency criteria ... 213
Backup latency interval ... 213
Known Issues for Backing Up Active Directory Domain Services ... 215
Perform a Backup of Critical Volumes of a Domain Controller by Using the GUI (Windows Server Backup) ... 216
Additional considerations ... 217
Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin) ... 217
Additional considerations ... 218
Perform a Full Server Backup of a Domain Controller by Using the GUI (Windows Server Backup) ... 218
Additional considerations ... 222
Perform a Full Server Backup of a Domain Controller by Using the Command Line (Wbadmin) ... 223
Additional considerations ... 223
Recovering Active Directory Domain Services ... 224
Causes of disruptions ... 224
Keys to protecting against disruptions ... 225
Preventing unwanted deletions ... 225
Recovery solutions ... 226
Solutions for configuration errors: nonauthoritative restore ... 226
Solutions for data loss: authoritative restore ... 227
Recovery options with no available backup ... 228
Solutions for hardware failure or file corruption ... 228
Recovery tasks ... 230
Performing Nonauthoritative Restore of Active Directory Domain Services ... 230
Nonauthoritative Restore Requirements ... 231
SYSVOL restore ... 231
Additional references ... 232
Restart the Domain Controller in Directory Services Restore Mode Locally ... 232
Restarting the domain controller in DSRM locally ... 234
See Also ... 235
Restart the Domain Controller in Directory Services Restore Mode Remotely ... 235
See Also ... 238
Restore AD DS from Backup (Nonauthoritative Restore) ... 238
Additional references ... 240
Verify AD DS restore ... 240
Performing Authoritative Restore of Active Directory Objects ... 241
Determining objects to restore ... 242
Selecting objects to restore ... 243
Selecting application directory partitions to restore ... 243
Restoring group memberships after authoritative restore ... 244
LVR and restoration of group memberships ... 244
Authoritative restore of pre-LVR group memberships and groups in different domains ... 245
Files for recovering group memberships following authoritative restore ... 245
Using a global catalog server for authoritative restore ... 246
Recovering deletions without restoring from backup ... 247
Retention (merge) of
new group memberships or other attributes after authoritative restore.....247 Authoritative restore procedures...............................................................................................248 Procedures for restoring after deletions have replicated........................................................249 Procedures for restoring before deletions have replicated.....................................................250 Procedures for recovering group memberships (and any other back-link attributes) in other domains.............................................................................................................................251 Additional references................................................................................................................251 Known Issues for Authoritative Restore........................................................................................252 Order of replication and dropped group memberships..............................................................252 Members added back to groups from which they were deleted.................................................253 Incorrect assignment of Exchange mailboxes...........................................................................253 Best Practices for Authoritative Restore.......................................................................................253 Restart the Domain Controller in Directory Services Restore Mode Locally..................................255 Restarting the domain controller in DSRM locally.....................................................................256 See Also...................................................................................................................................257 Restart the Domain Controller in Directory Services Restore Mode Remotely..............................257 See 
Also...................................................................................................................................261 Restore AD DS from Backup (Nonauthoritative Restore)..............................................................261 Additional references................................................................................................................263 Mark an Object or Objects as Authoritative..................................................................................263 Additional references................................................................................................................265

Turn Off Inbound Replication.......................................................................................................265 Additional references................................................................................................................266 Synchronize Replication with All Partners....................................................................................266 See Also...................................................................................................................................267 Run an LDIF File to Recover Back-Links......................................................................................267 Additional references................................................................................................................268 Turn on Inbound Replication........................................................................................................269 Additional references................................................................................................................269 Create an LDIF File for Recovering Back-Links for Authoritatively Restored Objects....................269 Additional references................................................................................................................270 Performing Authoritative Restore of an Application Directory Partition..........................................271 Restart the Domain Controller in Directory Services Restore Mode Remotely..............................271 See Also...................................................................................................................................275 Restart the Domain Controller in Directory Services Restore Mode Locally..................................275 Restarting the domain controller in DSRM locally.....................................................................276 See 
Also...................................................................................................................................277 Restore AD DS from Backup (Nonauthoritative Restore)..............................................................278 Additional references................................................................................................................279 Mark an application directory partition as authoritative.................................................................279 See Also...................................................................................................................................281 Performing a Full Server Recovery of a Domain Controller..........................................................281 Requirements for performing a full server recovery of a domain controller................................281 Performing a full server recovery of a domain controller by using the GUI................................282 Performing a full server recovery of a domain controller by using the command line.................283 Additional considerations..........................................................................................................284 Restoring a Domain Controller Through Reinstallation and Subsequent Restore from Backup.....285 Restart the Domain Controller in Directory Services Restore Mode Locally..................................286 Restarting the domain controller in DSRM locally.....................................................................287 See Also...................................................................................................................................289 Restart the Domain Controller in Directory Services Restore Mode Remotely..............................289 See Also...................................................................................................................................292 Restore AD DS from Backup (Nonauthoritative 
Restore)..............................................................292 Additional references................................................................................................................294 Verify AD DS restore....................................................................................................................294

Restoring a Domain Controller Through Reinstallation.................................................................295 Clean Up Server Metadata...........................................................................................................297 See Also...................................................................................................................................299 Delete a Server Object from a Site...............................................................................................300 See Also...................................................................................................................................300 Verify DNS Registration and TCP/IP Connectivity........................................................................301 Verify the Availability of the Operations Masters...........................................................................301 Install an Additional Domain Controller by Using the Windows Interface......................................303 See Also...................................................................................................................................305 Verifying Active Directory Installation............................................................................................305 Administering Intersite Replication...............................................................................................306 Introduction to Administering Intersite Replication........................................................................306 Optimizing replication between sites.........................................................................................307 Effects of site link bridging.....................................................................................................307 Effects of disabling site link bridging......................................................................................307 Optimizing domain controller 
location.......................................................................................308 Finding the next closest site..................................................................................................308 Forcing domain controller rediscovery...................................................................................309 Improving the logon experience in branch sites........................................................................309 See Also...................................................................................................................................310 Managing Intersite Replication.....................................................................................................310 Adding a New Site.......................................................................................................................310 Create a Site Object and Add it to an Existing Site Link................................................................311 See Also...................................................................................................................................312 Create a Subnet Object or Objects and Associate them with a Site..............................................312 Associate an Existing Subnet Object with a Site..........................................................................313 Create a Site Link Object and Add the Appropriate Sites..............................................................313 Remove a Site from a Site Link....................................................................................................314 Linking Sites for Replication.........................................................................................................314 Creating site links.....................................................................................................................315 Selecting bridgehead 
servers...................................................................................................315 Create a Site Link Object and Add the Appropriate Sites..............................................................316

Determine the ISTG Role Owner for a Site..................................................................................317 Generate the Replication Topology on the ISTG..........................................................................317 Designate a Server as a Preferred Bridgehead Server.................................................................318 Changing Site Link Properties......................................................................................................319 Configure the Site Link Schedule to Identify Times During Which Intersite Replication Can Occur .................................................................................................................................................319 Configure the Site Link Interval to Identify How Often Replication Polling Can Occur During the Schedule Window.....................................................................................................................320 Configure the Site Link Cost to Establish a Priority for Replication Routing..................................321 Determine the ISTG Role Owner for a Site..................................................................................321 Generate the Replication Topology on the ISTG..........................................................................322 Enabling Clients to Locate the Next Closest Domain Controller...................................................323 Enable Clients to Locate a Domain Controller in the Next Closest Site.........................................325 Moving a Domain Controller to a Different Site.............................................................................326 TCP/IP settings........................................................................................................................326 DNS settings............................................................................................................................326 Preferred 
bridgehead server status...........................................................................................327 Change the Static IP Address of a Domain Controller..................................................................328 Update the IP Address for a DNS Delegation...............................................................................329 Update the IP Address for a DNS Forwarder................................................................................330 Verify That an IP Address Maps to a Subnet and Determine the Site Association.........................331 See Also...................................................................................................................................332 Determine Whether a Server is a Preferred Bridgehead Server...................................................332 See Also...................................................................................................................................332 View the List of All Preferred Bridgehead Servers........................................................................333 See Also...................................................................................................................................333 Configure a Server to Not Be a Preferred Bridgehead Server......................................................333 See Also...................................................................................................................................334 Move a Server Object to a New Site............................................................................................334 See Also...................................................................................................................................335 Enabling Universal Group Membership Caching in a Site............................................................335

Enable Universal Group Membership Caching in a Site...............................................................336 Forcing Replication......................................................................................................................336 Forcing replication of all directory updates over a connection...................................................337 Forcing replication of configuration updates..............................................................................337 Force Replication Between Domain Controllers...........................................................................338 See Also...................................................................................................................................339 Update a Server with Configuration Changes..............................................................................339 Synchronize Replication with All Partners....................................................................................340 See Also...................................................................................................................................341 Verify Successful Replication to a Domain Controller...................................................................341 Removing a Site..........................................................................................................................345 Delete a Manual Connection Object.............................................................................................346 Determine Whether a Server Object Has Child Objects...............................................................347 Delete a Server Object from a Site...............................................................................................348 See Also...................................................................................................................................349 Delete a Site Link 
object..............................................................................................................349 Associate an Existing Subnet Object with a Site..........................................................................349 Delete a Site object......................................................................................................................350 See Also...................................................................................................................................350 Determine the ISTG Role Owner for a Site..................................................................................350 Generate the Replication Topology on the ISTG..........................................................................351 Administering the Active Directory Database................................................................................352 Introduction to Administering the Active Directory Database [lhsad]_ADDS_Ops_7.....................352 Database management conditions...........................................................................................352 Disk space monitoring recommendations.................................................................................353 Database defragmentation.......................................................................................................353 Restartable AD DS...................................................................................................................353 See Also...................................................................................................................................354 Managing the Active Directory Database.....................................................................................354 Relocating the Active Directory Database Files............................................................................354 Disk space requirements for relocating Active Directory database 
files.....................................355 Determine the Database Size and Location Online......................................................................357

See Also...................................................................................................................................358 Determine the Database Size and Location Offline......................................................................358 See Also...................................................................................................................................359 Compare the Size of the Directory Database Files to the Volume Size.........................................359 Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin) .................................................................................................................................................360 Additional considerations...................................................................................................361 Move the Directory Database and Log Files to a Local Drive.......................................................361 See Also...................................................................................................................................364 Copy the Directory Database and Log Files to a Remote Share...................................................364 See Also...................................................................................................................................367 Returning Unused Disk Space from the Active Directory Database to the File System.................367 Change the Garbage Collection Logging Level to 1.....................................................................369 See Also...................................................................................................................................369 Perform a System State Backup of a Domain Controller by Using the Command Line (Wbadmin) 
.................................................................................................................................................370 Additional considerations...................................................................................................370 Compact the Directory DatabaseFfile (Offline Defragmentation)..................................................371 See Also...................................................................................................................................374 If the Database Integrity Check Fails, Perform Semantic Database Analysis with Fixup...............374 Administering Domain Controllers................................................................................................375 Additional references................................................................................................................376 Introduction to Administering Domain Controllers.........................................................................376 Installing Remote Server Administration Tools..........................................................................376 Installing and removing AD DS.................................................................................................376 Adding domain controllers.....................................................................................................377 Removing domain controllers................................................................................................377 Renaming domain controllers...................................................................................................377 Adding domain controllers to branch sites................................................................................377 Installing from media.............................................................................................................378 Shipping installed domain controllers to branch 
sites.............................................................379 Managing Domain Controllers......................................................................................................379 Installing Remote Server Administration Tools for AD DS.............................................................381 Installing Active Directory Domain Services Tools on a member server that is running Windows Server 2008...........................................................................................................381

Installing Active Directory Domain Services Tools on a computer that is running Windows Vista with SP1...............................................................................................................................382 Managing Antivirus Software on Active Directory Domain Controllers...........................................382 Guidelines for managing antivirus software on Active Directory domain controllers...................383 Files to exclude from scanning.................................................................................................384 Preparing for Active Directory Installation.....................................................................................386 DNS configuration....................................................................................................................386 Site placement.........................................................................................................................386 Domain connectivity.................................................................................................................387 Verify DNS Infrastructure and Registrations.................................................................................388 Verify That an IP Address Maps to a Subnet and Determine the Site Association.........................390 See Also...................................................................................................................................390 Verify the Availability of the Operations Masters...........................................................................391 Installing a Domain Controller in an Existing Domain...................................................................392 See Also...................................................................................................................................393 Installing an Additional Domain Controller by Using the Windows 
Interface..................................393 See Also...................................................................................................................................394 Install an Additional Domain Controller by Using the Windows Interface......................................394 See Also...................................................................................................................................396 Installing an Additional Domain Controller by Using IFM..............................................................397 See Also...................................................................................................................................399 Create Installation Media by Using Ntdsutil..................................................................................399 See Also...................................................................................................................................400 Install an Additional Domain Controller by Using Installation Media..............................................400 See Also...................................................................................................................................401 Installing an Additional Domain Controller by Using Unattend Parameters...................................401 See Also...................................................................................................................................402 Create an Answer File for Unattended Domain Controller Installation...........................................402 See Also...................................................................................................................................404 Install an Additional Domain Controller by Using an Answer File..................................................404 See 
Also .......... 405
Install an Additional Domain Controller by Using Unattend Parameters from the Command Line .......... 405
Verifying Active Directory Installation .......... 406
Verify That an IP Address Maps to a Subnet and Determine the Site Association .......... 407
See Also .......... 408
Configure DNS Server Forwarders .......... 408
Verifying DNS Configuration .......... 409
Verify DNS Server Configuration for a Domain Controller .......... 409
See Also .......... 410
Verify DNS Client Settings .......... 410
See Also .......... 411
Check the Status of the SYSVOL and Netlogon Shares .......... 411
Verify Active Directory Replication .......... 412
Verify a Domain Computer Account for a New Domain Controller .......... 413
Adding Domain Controllers in Remote Sites .......... 413
Best Practices for Adding Domain Controllers in Remote Sites .......... 414
Best practices for using IFM to install AD DS in the remote site .......... 415
Best practices for installing domain controllers before you ship them to a remote site .......... 417
See Also .......... 419
Known Issues for Adding Domain Controllers in Remote Sites .......... 419
SYSVOL replication .......... 419
Using IFM to install a domain controller in a remote site .......... 420
Advantages of using IFM to install a domain controller in a remote site .......... 420
Issues with using IFM to install a domain controller in a remote site .......... 421
Installing domain controllers before shipping them to the remote site .......... 422
Advantages of installing domain controllers before shipping them to the remote site .......... 422
Issues with installing domain controllers before shipping them to the remote site .......... 422
Maintaining directory consistency when you disconnect a domain controller .......... 423
Protection against lingering object replication .......... 424
Availability of operations masters .......... 424
Up-to-dateness of Active Directory replication .......... 425
SYSVOL consistency .......... 425
See Also .......... 425
Preparing a Server Computer for Shipping and Installation from Media .......... 425
Determining the volume for installation media .......... 426
Enabling Remote Desktop .......... 427
Including application directory partitions .......... 427
See Also .......... 428
Enable Remote Desktop .......... 428
Create a Remote Desktop Connection .......... 429
See Also .......... 430
Install an Additional Domain Controller by Using Installation Media .......... 430
See Also .......... 431
Preparing an Existing Domain Controller for Shipping and Long-Term Disconnection .......... 431
See Also .......... 433
Determine the Tombstone Lifetime for the Forest .......... 433
Enable Strict Replication Consistency .......... 434
Synchronize Replication with All Partners .......... 435
See Also .......... 436
Reconnecting a Domain Controller After a Long-Term Disconnection .......... 436
Reconnecting an outdated domain controller .......... 437
Updating SYSVOL .......... 437
See Also .......... 438
Determine the Tombstone Lifetime for the Forest .......... 439
Move a Server Object to a New Site .......... 439
See Also .......... 440
Determine When Intersite Replication Is Scheduled to Begin .......... 440
Use Repadmin to Remove Lingering Objects .......... 441
Verify Successful Replication to a Domain Controller .......... 443
Renaming a Domain Controller .......... 447
Rename a Domain Controller Using System Properties .......... 448
See Also .......... 448
Rename a Domain Controller Using Netdom .......... 448
See Also .......... 450
Update the FRS or DFS Replication Member Object .......... 451
Decommissioning a Domain Controller .......... 452
Removing a domain or a forest .......... 452
Protecting EFS-encrypted files .......... 452
See Also .......... 455
Verify DNS Registration and TCP/IP Connectivity .......... 455
View the Current Operations Master Role Holders .......... 455
Transfer the Schema Master .......... 456
Transfer the Domain Naming Master .......... 457
Transfer the Domain-Level Operations Master Roles .......... 458
Determine Whether a Domain Controller Is a Global Catalog Server .......... 460
Verify the Availability of the Operations Masters .......... 460
Back Up a Certificate With Its Private Key .......... 461
Removing a Windows Server 2008 Domain Controller from a Domain .......... 463
Removing a Windows Server 2008 domain controller by using the Windows interface .......... 463
Removing a Windows Server 2008 domain controller by using an answer file .......... 464
Removing a Windows Server 2008 domain controller by entering unattended installation parameters at the command line .......... 465
Import a Certificate .......... 465
Determine Whether a Server Object Has Child Objects .......... 466
Delete a Server Object from a Site .......... 467
See Also .......... 468
Add the Certificates Snap-in to an MMC .......... 468
Adding the Certificates Snap-in to an MMC .......... 468
Forcing the Removal of a Domain Controller .......... 470
Identify Replication Partners .......... 471
Force Domain Controller Removal .......... 472
See Also .......... 473
Clean Up Server Metadata .......... 473
See Also .......... 476
Administering Active Directory Domain Rename .......... 476
In this guide .......... 476
Introduction to Administering Active Directory Domain Rename .......... 476
Domain rename requirements .......... 477
Managing Active Directory Domain Rename .......... 478
Preparing for the Domain Rename Operation .......... 478
Adjust Forest Functional Level .......... 479
Setting forest functional level to Windows Server 2003 or Windows Server 2008 .......... 479
Create Necessary Shortcut Trust Relationships .......... 480
Types of trust relationships .......... 480
Precreating parent-child trust relationships for a restructured forest .......... 481
Precreating a parent-child trust relationship .......... 481
Precreating multiple parent-child trust relationships .......... 481
Precreating a tree-root trust relationship with the forest root domain .......... 483
Creating shortcut trust relationships .......... 483
Prepare DNS Zones .......... 484
Redirect Special Folders to a Standalone DFSN .......... 485
Relocate Roaming User Profiles to a Standalone DFSN .......... 485
Configure Member Computers for Host Name Changes .......... 486
Conditions for automatic computer name change .......... 486
Replication effects of renaming large numbers of computers .......... 487
Using Group Policy to apply the new primary DNS suffix .......... 488
Apply the new primary DNS suffix before renaming domains .......... 488
Apply Group Policy in stages to avoid significant replication .......... 488
Configuration required before the application of Group Policy .......... 489
Configuring member computers for host name changes in large deployments .......... 490
Determine the primary DNS suffix configuration .......... 491
Determine whether Group Policy controls the primary DNS suffix .......... 491
Configure the domain to allow a primary DNS suffix that does not match the domain name .......... 492
Apply Group Policy to set the primary DNS suffix .......... 493
Prepare Certification Authorities .......... 494
Exchange-Specific Steps: Prepare a Domain that Contains Exchange .......... 495
Performing the Domain Rename Operation .......... 496
Set Up the Control Station .......... 497
Freeze the Forest Configuration .......... 498
Back Up All Domain Controllers .......... 499
Generate the Current Forest Description .......... 499
Specify the New Forest Description .......... 501
Renaming application directory partitions .......... 504
DNS data .......... 505
TAPI data .......... 506
Specifying the source domain controllers .......... 506
Reviewing the new forest description .......... 506
Generate Domain Rename Instructions .......... 507
Push Domain Rename Instructions to All Domain Controllers and Verify DNS Readiness .......... 510
Pushing domain rename instructions to all domain controllers .......... 510
Verifying DNS readiness .......... 512
Verify Readiness of Domain Controllers .......... 514
Run Domain Rename Instructions .......... 516
Exchange-Specific Steps: Update the Exchange Configuration and Restart Exchange Servers .......... 519
Unfreeze the Forest Configuration .......... 519
Re-establish External Trusts .......... 520
Fix Group Policy Objects and Links .......... 521
Completing the Domain Rename Operation .......... 524
Verify Certificate Security .......... 524
Preparing URLs for CRL distribution point and Authority Information Access (AIA) extensions after a domain rename .......... 524
Verifying the use of UPNs .......... 525
Enabling certificate enrollment in a renamed domain .......... 526
Verifying the validity of CRL distribution point and AIA extensions .......... 528
Renewing subordinate and issuing CA certificates .......... 529
Publish new CRLs .......... 529
Updating domain controller certificates .......... 529
Changing the user identity for the NDES add-on .......... 530
Perform Miscellaneous Tasks .......... 530
Back Up Domain Controllers .......... 532
Restart Member Computers .......... 533
Exchange-Specific Steps: Verify the Exchange Rename and Update Active Directory Connector .......... 534
Perform Attribute Cleanup .......... 534
Rename Domain Controllers .......... 535
Additional Resources for the Domain Rename Operation .......... 536
Appendix A: Command-Line Syntax for the Rendom Tool .......... 536
Appendix B: Command-Line Syntax for the Gpfixup Tool .......... 541
Appendix C: Checklists for the Domain Rename Operation .......... 543
Satisfying domain rename requirements .......... 544
Preparing for the domain rename operation .......... 546
Performing the domain rename operation .......... 548
Completing the domain rename operation .......... 549
Appendix D: Worksheets for the Domain Rename Operation .......... 550
Worksheet 1: Domain Name Change Information .......... 550
Worksheet 2: Trust Information .......... 550
Worksheet 3: DNS Zone Information .......... 551
Worksheet 4: DFSN, Folder Redirection, and Roaming Profiles .......... 551
Worksheet 5: Domain Controller Information .......... 552
Worksheet 6: Domain Rename Execution Readiness .......... 552
Worksheet 7: Certification Authority (CA) Information .......... 553
Additional Resources .......... 553
Active Directory Domain Services Operations Guide - cover .......... 554
Section Heading .......... 554
Subsection Heading .......... 554

Active Directory Domain Services Operations Guide

This operations guide provides administration and management information for Active Directory Domain Services (AD DS) directory service technologies in the Windows Server 2008 operating system.

In this guide
- New in This Guide
- Administering Active Directory Domain Services

Acknowledgments

Produced by: Microsoft Windows Server Directory and Access Services (DAS) IT Pro Content Team
Writers: Mary Hillman, Gayana Bagdasaryan
Editor: Jim Becker
Technical reviewers: Umit Akkus, David Beach, Arren Conner, Gregoire Guetat, Xin He, Kurt Hudson, Jessie Li, Herbert Mauerer, Joe Patterson, Ned Pyle, Wakkas Rafiq, Ryan Sizemore, Ingolfur Arnar Strangeland, Mahesh Unnikrishnan

New in This Guide

This is the first release of the operations guide for Active Directory Domain Services (AD DS) in Windows Server 2008. This guide will be updated periodically to incorporate new information, updates, customer feedback, and corrections.

For Windows Server 2008, this operations guide contains the section "Administering Active Directory Domain Rename", which is not included in the Active Directory Operations Guide for Windows Server 2003.

Administering Active Directory Domain Services

This guide provides information about administering components of Active Directory Domain Services (AD DS) in Windows Server 2008. The information includes detailed procedures for managing domain controllers, sites, trusts, and other components of AD DS.

In this guide
- Introduction to Administering Active Directory Domain Services
- Administering Domain and Forest Trusts
- Administering the Windows Time Service
- Administering DFS-Replicated SYSVOL
- Administering the Global Catalog
- Administering Operations Master Roles
- Administering Active Directory Backup and Recovery
- Administering Intersite Replication
- Administering the Active Directory Database
- Administering Domain Controllers
- Administering Active Directory Domain Rename
- Additional Resources

Introduction to Administering Active Directory Domain Services

This guide explains how to administer Active Directory Domain Services (AD DS) in Windows Server 2008. These activities are part of the operations phase of the information technology (IT) life cycle. If you are not familiar with this guide, review the following sections of this introduction.

When to use this guide

Use this guide when:
- You want to manage common Active Directory problems that are associated with misconfiguration.
- You want to configure AD DS to increase network availability.

This guide assumes a basic understanding of what AD DS is, how it works, and why your organization uses it to access, manage, and secure shared resources across your network. It also assumes a thorough understanding of how AD DS is deployed and managed in your organization. This includes an understanding of the mechanism your organization uses to configure and manage Active Directory settings.

This guide can be used by organizations that have deployed Windows Server 2008. It includes information that is relevant to different roles in an IT organization, including IT operations managers, administrators, and operators. This information includes management-level knowledge about AD DS and administrator-level information about the IT processes that are required to operate it.

This guide contains detailed procedures that are designed for operators (or designated users) who have varied levels of expertise and experience. Although the procedures provide operator guidance from start to finish, operators must have a basic proficiency with Microsoft Management Console (MMC) and MMC snap-ins. Operators must also know how to start administrative programs and access the command line. If operators are not familiar with AD DS, it might be necessary for IT planners, managers, or administrators to review the relevant operations in this guide and provide the operators with the parameters or data that they must enter when they perform the operations.

How to use this guide

This guide includes the following types of topics:
- Objectives are high-level goals for administering AD DS. Each objective consists of one or more high-level tasks that describe how the objective is accomplished. In this guide, "Managing the Windows Time Service" is an example of an objective.
- Tasks contain groups of procedures for achieving the goals of an objective. In this guide, "Configuring a time source for the forest" is an example of a task.
- Procedures provide step-by-step instructions for completing tasks. In this guide, "Configure a domain controller in the parent domain as a reliable time source" is an example of a procedure topic.

If you are an IT manager who is delegating tasks to operators in your organization:
- Read through the objectives and tasks to determine how to delegate permissions.
- Determine whether you need to install tools before operators perform the procedures for each task. Before you assign tasks to individual operators, ensure that all the tools are installed where operators can use them.
- When necessary, create tear sheets for each task that operators perform in your organization. Cut and paste the task and its related procedures into a separate document. Then you can either print this document or store it online.

Administering


Recommended