15

ACTIVE DIRECTORY

Active Directory (AD) is Microsoft’s implementation of a Directory Service (DS). DSs store
data in an organized format and can publish and access the data. AD isn’t a Microsoft
innovation but is an implementation of an existing model (i.e., X.500), communication
mechanism (i.e., Lightweight Directory Access Protocol, LDAP), and location technology (i.e., DNS).
To understand AD, you must understand what it is supposed to achieve. A directory is
simply a container for other information.
A telephone directory is an example of a DS, because a telephone directory contains
data and a means to access and use the data. For example, a telephone directory has various
entries, and each entry has values. A telephone directory entry consists of name, address,
and telephone number values. A large directory might group entries by location (e.g., city)
or type (e.g., lawyers), or by both. Thus a hierarchy of types could exist for each location.
You might also consider a telephone operator a DS, because the operator has access to the
data. You can request data, and the operator presents the answer to your query.
AD is a type of DS that holds information about all the resources on a network. Clients
can query AD for information about any aspect of the network. AD’s features include the
following.
• Secure information storage. Each object in AD has an ACL with a list of resources
that can access the object and to what degree.
• A flexible query mechanism based on an AD-generated Global Catalog (GC). Any
client that supports AD can query the catalog.
• Directory replication to all domain controllers (DCs) in the domain, for easy
accessibility, high availability, and fault tolerance.
• An extensible design that lets you add new object types or build on existing objects. For
example, you could add a salary attribute to the user object.
• Multiple-protocol communication. AD’s X.500 foundation lets you communicate over
various protocols, such as LDAPv2, LDAPv3, and HTTP.
• DNS rather than NetBIOS names for DC naming and location.
• Directory information partitioned by domain to avoid replicating an excessive amount
of information.
Although AD partitions directory information into different stores, you can still
query AD for information from other domains. GCs contain information about every
object in the enterprise forest, so that you can perform a forestwide search.
When you run DCPROMO (the domain controller promotion program) on a
Windows 2000 machine for the first time to create a new domain, DCPROMO
creates a domain on the DNS server. A client then contacts the DNS server to look
up the client’s domain. The DNS server will discover not only the domain, but also the
domain’s DCs. The server then sends the client the closest DC’s address. The client in
turn connects and accesses the AD domain database on the closest DC to find objects
(e.g., printers, file servers, users, groups, organizational units—OUs) in the domain.
Because each DC stores links to other domains in the tree, the client can search an
entire tree of domains.
A version of AD that lists all the objects in the forest is also available in case you
need to perform a search beyond the client’s tree of domains. This version is the GC.
You can store the GC on any or all of the DCs in the forest.
The GC provides shorthand access to objects anywhere in the forest. However, the
GC contains only some of an object’s attributes. For the whole object, you must go to
the domain AD (which is on a DC in the domain). You can configure the GC to provide the object attributes you want.
To help you create AD objects, the DC maintains a copy of the classes and hierarchy
of classes for the whole forest. AD stores class structures in the schema. The schema is
extensible, which means that you can add classes to it.
The schema is part of Win2K’s configuration namespace, which all the DCs in a
forest maintain. A namespace is a range of labels. Win2K’s configuration namespace
consists of several defined items such as physical locations, Win2K sites, and subnets.
A site is stored within a forest; a site can contain machines from any domain, but all the
machines in a site should have fast and reliable connections for DC replication. A subnet is an IP address grouping assigned to a site; subnets help speed up AD replication
among DCs.
Because DCs store records in an LDAP distinguished name format, AD uses LDAP
to access the records. In case an application uses a name format other than the LDAP
distinguished name, you can also use the LDAP URL or AD canonical name formats
to access AD.

FAQ 15.1 Which naming conventions does Active Directory use for objects?

Active Directory (AD) uses several naming conventions for objects. These naming conventions include the distinguished name (DN), relative distinguished name (RDN),
Lightweight Directory Access Protocol (LDAP) URL name, LDAP canonical name,
user principal name, and Security Access Manager (SAM) account name.
The most popular method for naming AD objects is to use the DN. Every AD
object has a DN that uniquely identifies the object in the DS. For example, the following DN
/O=Internet/DC=COM/DC=SavillTech/CN=Users/CN=John Savill

identifies an object as follows:
• /O=Internet—Organization=Internet
• /DC=COM—Domain Component=COM
• /DC=SavillTech—Domain Component=SavillTech (the full Domain Component
is SavillTech.com)
• /CN=Users—Common Names=Users
• /CN=John Savill—Common Names=John Savill
A DN might also include an organizational unit (OU). For more information about
DNs, see RFC 1779, “A String Representation of Distinguished Names” at
(http://www.cis.ohio-state.edu/htbin/rfc/rfc1779.html).
The RDN is also known as the friendly name. The RDN for the previous example is
CN=John Savill. The RDN for the users container is CN=Users.
LDAP URL names begin with LDAP://, then include an LDAP server and a
modified DN that identifies the object (e.g.,
LDAP://titanic.savilltech.com/ou=Sales,cn=JSavill,dc=SavillTech,dc=com).
An LDAP canonical name is the LDAP name without certain information (i.e., ou=,
cn=, dc=). An example LDAP canonical name is savilltech.com/Sales/Jsavill. Many
administrative tools use these names.
The user principal name contains the username and DNS domain name, linked with
an at sign (@; e.g., jsavill@savilltech.com).
The SAM account name (e.g., savillj) is in the Windows NT 4.0 format. Because of
this name’s single-layer convention, each name must be unique within an organization.
Objects are actually stored as globally unique IDs. A GUID is a 128-bit number that
is generated at object creation and is stored in the object attribute objectGUID. GUIDs
don’t change.
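As an added example (not from the book), the following Python parses a DN given in leaf-first order into its RDNs and derives the friendly name, DNS domain, LDAP canonical name, LDAP URL and user principal name forms described above. The DNs and the server name titanic.savilltech.com are constructed from the names in the text.

```python
from typing import List, Tuple

# Added example: decode an LDAP distinguished name (DN) and derive the
# other Active Directory name forms from it. Sample DNs are constructed
# from the names used in this FAQ; nothing here is book code.

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'cn=JSavill,ou=Sales,dc=SavillTech,dc=com' into
    (attribute, value) pairs, leaf RDN first. A backslash escapes the next
    character, so 'cn=Savill\\, John' is one RDN (RFC 1779 quoting)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                         # an unescaped comma ends the RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns

def rdn(dn: str) -> str:
    """The relative distinguished name (friendly name): the leaf RDN only."""
    attr, value = parse_dn(dn)[0]
    return f"{attr}={value}"

def dns_domain(dn: str) -> str:
    """Join the dc= components, in order, into the DNS domain name."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "dc")

def canonical_name(dn: str) -> str:
    """LDAP canonical name: DNS domain, then the container path root-first,
    with the attribute tags (cn=, ou=, dc=) dropped."""
    path = [value for attr, value in parse_dn(dn) if attr != "dc"]
    return "/".join([dns_domain(dn)] + list(reversed(path)))

def ldap_url(server: str, dn: str) -> str:
    """LDAP URL form: LDAP://<server>/<dn>."""
    return f"LDAP://{server}/{dn}"

def user_principal_name(logon_name: str, dn: str) -> str:
    """UPN: the logon name and the DNS domain name joined with an at sign."""
    return f"{logon_name}@{dns_domain(dn)}"

if __name__ == "__main__":
    dn = "cn=John Savill,cn=Users,dc=SavillTech,dc=com"      # constructed
    print(rdn(dn), canonical_name(dn), ldap_url("titanic.savilltech.com", dn))
```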

FAQ 15.2 What are X.500 and LDAP?

X.500 is the most common directory-management protocol. Two X.500 standards
exist: the 1988 version and the 1993 version. Windows 2000’s Directory Service (DS)
implementation is derived from the 1993 X.500 standard.
The X.500 model uses a hierarchical approach to objects in the namespace. The
namespace has a root at the top, with children coming off the root. Win2K domains
have DNS names (e.g., savilltech.com is a domain name, and legal.savilltech.com is a
child domain of savilltech.com).
Figure 15-1 shows an example domain with a DS root and several children. The first
layer of children is countries.
Imagine each country as a child domain of the root (e.g., usa.root.com, england.
root.com). You can break each child domain into several organizations, and you can
break the organizations into OUs. Various privileges and policies apply to each OU.
Each OU has several objects, such as users, computers, and groups.
Although Win2K’s DS is based on X.500, the access mechanism uses LDAP, which
solves several X.500 problems.
X.500 is part of the Open System Interconnection (OSI) model, but OSI doesn’t
translate well into a TCP/IP environment. Thus, LDAP uses TCP/IP as its communication medium. LDAP reduces the number of functions available with a full X.500
implementation, providing a lean and fast DS while maintaining X.500’s overall structure. LDAP is the mechanism that communicates with AD and performs basic read,
write, and modify operations. You can find more information about X.500 in D.W.
Chadwick’s, “Understanding X.500—The Directory” (http://www.salford.ac.uk/its024/
Version.Web/Contents.htm).
Figure 15-1 The X.500 hierarchical structure: Root, then Countries, then Organizations, then People/Objects

FAQ 15.3 What DNS entries does Windows 2000 add when you create a domain?

Windows 2000 domains rely heavily on DNS entries. If you enable dynamic update
on the relevant DNS zones, Win2K creates these entries automatically. Following is an
explanation for each entry:
_ldap._tcp.<DNSDomainName>

Lets a client locate a Win2K domain controller in the domain named by
<DNSDomainName>. A client searching for a domain controller in the domain
savilltech.com would query the DNS server for _ldap._tcp.savilltech.com (see
Figure 15-2).

_ldap._tcp.<SiteName>._sites.<DNSDomainName>

Lets a client find a Win2K domain controller in the domain and site specified
(e.g., _ldap._tcp.london._sites.savilltech.com for a domain controller in the London
site of savilltech.com).

_ldap._tcp.pdc._msdcs.<DNSDomainName>

Lets a client find the PDC Flexible Single Master Operation (FSMO) role
holder of a mixed-mode domain. Only the PDC of the domain registers this
record.

_ldap._tcp.gc._msdcs.<DNSTreeName>

Lets a client find a Global Catalog (GC) server. Only domain controllers serving as
GC servers for the tree will register this name. If a server ceases to be a GC server, the
server will deregister the record.

_ldap._tcp.<SiteName>._sites.gc._msdcs.<DNSTreeName>

Lets a client find a GC server in the specified site (e.g.,
_ldap._tcp.london._sites.gc._msdcs.savilltech.com).

_ldap._tcp.<DomainGuid>.domains._msdcs.<DNSTreeName>

Lets a client find a domain controller in a domain based on the domain’s
globally unique ID (the <DomainGuid> part of the name). A GUID is a 128-bit (8 byte) number that is generated automatically
for referencing AD objects.

<DNSDomainName>

Lets a client find a domain controller through a normal host record.

Figure 15-2 TCP entries added during the creation of an Active Directory domain controller

Figure 15-2 is an example DNS screen for a domain.
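As an added example (not from the book), the following Python decodes these locator names back into the role (DC, PDC or GC), site and domain a client asked for, which is useful when reading DNS query logs to see which clients look for a GC or the PDC in a given site. The record names and the query log entries are constructed.

```python
from typing import Dict, Optional

# Added example: decode the DC-locator record names listed above back into
# the role (DC, PDC, GC), site and domain a client was asking for. Useful
# when reading DNS query logs. Names and log entries below are constructed.

LOCATOR_PREFIX = "_ldap._tcp."

def parse_locator(name: str) -> Optional[Dict[str, Optional[str]]]:
    """Return {'role', 'site', 'guid', 'domain'} for a Win2K locator record
    name, or None if the name is not one of the documented forms."""
    name = name.rstrip(".").lower()
    if not name.startswith(LOCATOR_PREFIX):
        return None
    labels = name[len(LOCATOR_PREFIX):].split(".")
    info: Dict[str, Optional[str]] = {"role": "dc", "site": None, "guid": None}
    if "_msdcs" in labels:
        idx = labels.index("_msdcs")
        head, domain = labels[:idx], labels[idx + 1:]
        if head == ["pdc"]:                                    # PDC FSMO role holder
            info["role"] = "pdc"
        elif head == ["gc"]:                                   # any Global Catalog
            info["role"] = "gc"
        elif len(head) == 3 and head[1:] == ["_sites", "gc"]:  # GC in a site
            info["role"], info["site"] = "gc", head[0]
        elif len(head) == 2 and head[1] == "domains":          # DC by domain GUID
            info["role"], info["guid"] = "dc-by-guid", head[0]
        else:
            return None
    elif "_sites" in labels:                                   # DC in a site
        if labels.index("_sites") != 1:
            return None
        info["site"], domain = labels[0], labels[2:]
    else:                                                      # any DC in the domain
        domain = labels
    if not domain or not all(domain):
        return None
    info["domain"] = ".".join(domain)
    return info

# Constructed DNS query log: (client address, queried name)
SAMPLE_QUERIES = [
    ("10.1.1.20", "_ldap._tcp.savilltech.com"),
    ("10.1.1.21", "_ldap._tcp.london._sites.gc._msdcs.savilltech.com"),
    ("10.1.1.22", "_ldap._tcp.pdc._msdcs.savilltech.com"),
    ("10.1.1.23", "www.savilltech.com"),
    ("10.1.1.24", "_ldap._tcp.london._sites.gc._msdcs.savilltech.com"),
]

def locator_summary(queries):
    """Count locator lookups by (role, site); other names are ignored."""
    counts: Dict[tuple, int] = {}
    for _client, qname in queries:
        info = parse_locator(qname)
        if info is None:
            continue
        key = (info["role"], info["site"])
        counts[key] = counts.get(key, 0) + 1
    return counts
```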


FAQ 15.4 What is the schema?

The schema is a blueprint of all the objects in a domain. When you create a new
forest, a default schema contains definitions for users, computers, and domains. Because you can’t have multiple definitions of an object, you can have only one schema
per forest.
The file SCHEMA.INI contains the default schema’s definition, as well as
the initial structure for the file NTDS.DIT (which stores directory data). The
%systemroot%\ntds directory contains the file SCHEMA.INI (although this can
be changed during domain controller creation). The file is in plain ASCII format,
so you can view it with the type command.


FAQ 15.5 What is a domain tree?

In Windows 2000, a domain can be a child of another domain (e.g., child.domain.com
is a child of domain.com). A child domain name always includes the complete parent
domain name. A child domain and its parent share a two-way transitive trust.
A domain tree exists when one domain is the child of another domain. A
domain tree must have a contiguous namespace, as in the left-most diagram in
Figure 15-3. In the right-most diagram in Figure 15-3, the lack of contiguous
names means that the domains can’t be part of the same tree.
The tree’s name is the root domain name of the tree. In my example, the tree
is root.com. Because domains are DNS names and because domains inherit the
parent part of the name, if you rename part of a tree, all of the parent’s children are
also implicitly renamed. For example, if you renamed the parent domain ntfaq.com
to backoffice.com, the child domain sales.ntfaq.com would change to sales.backoffice.com.
Although you can’t currently rename part of a tree, this problem will arise in
future versions of the OS.
You can currently create domain trees only when DCPROMO promotes a server
to a DC. This restriction might change in a future OS.
Placing domains in a tree yields several advantages. The most useful benefit is that
all members of a tree have Kerberos transitive trusts with the domain’s parent and all
the domain’s children. Transitive trusts also let any user or group in a domain tree
obtain access to any object in the tree. In addition, you can use one network logon at
any workstation in the domain tree.

Figure 15-3 Legal and illegal parent-child relationships. Left (legal): root.com with children
child1.root.com and child2.root.com, and grandchildren gran.child1.root.com and
gran.child2.root.com. Right (illegal): root.com with child child1.root.com, and
child2.notroot.com, which can’t be a child of root.com.

FAQ 15.6 What is a domain forest?


You might have several domain trees in your organization that need to share resources.
To solve this problem, you can join the trees to form a forest.
A forest is a collection of trees that don’t necessarily form a contiguous namespace
(although each tree must be contiguous). This arrangement might be useful if your
company has multiple root DNS addresses, as in Figure 15-4.
As Figure 15-4 shows, two root domains connect through a transitive, two-way
Kerberos trust (much like the trust between a child and parent). Forests always contain
a domain’s entire domain tree. You can’t create a forest that contains only part of a
domain tree.
When you promote a server to a domain controller (DC), DCPROMO creates a
forest if the user selects to create a new forest. Forest creation can’t occur at any other
time, although this restriction may change in a future OS.
You can add as many domain trees to a forest as you want. All the domains in a forest
can grant object access to any user in the forest. Thus, the administrator doesn’t need to
manually manage the trust relationships.
Creating a forest provides the following benefits:
• All the trees have a common Global Catalog (GC) that contains specific
information about every object in the forest.
• All the trees contain a common schema. Microsoft hasn’t confirmed what
happens if two trees have different schemas before you join the trees, because
you currently can’t join two trees (although in .NET you can link trees using
transitive trusts). However, this problem will arise in future versions of the OS.
I assume the changes will merge.

Figure 15-4 Two trees connected via a transitive Kerberos trust to create a forest. The first tree
is root.com (with child1.root.com, gran.child1.root.com and child2.root.com); the second is
ntfaq.com (with legal.ntfaq.com, ads.ntfaq.com and banner.ads.ntfaq.com). The two root
domains are joined by a transitive Kerberos trust.
• Performing a search in a forest initiates a deep search of the entire tree in the
domain you initiate the request from and uses the GC entries for the rest of the
forest.
You might prefer not to join trees into a forest. Instead, you can create normal trusts
between individual tree domains.


FAQ 15.7 What is a Kerberos trust?

Windows NT 4.0 trust relationships aren’t transitive. Therefore, if domain2
(e.g., Marketing, in Figure 15-5 ) trusts domain1 (Sales), and domain3 (Development)
trusts domain2 (Marketing), domain3 (Development) doesn’t trust domain1 (Sales).

Figure 15-5 A nontransitive trust environment showing that the Development domain would
not implicitly trust the Sales domain. The figure shows three PDCs (Sales, Marketing and
Development). The arrow denotes the direction of the trust relationship: the arrow head is the
trusted domain; the other end is the trusting domain. The Development-to-Sales trust is not
created by default; it would need to be created explicitly.
In Windows 2000, the trust relationships that connect members of a tree or forest
are two-way, transitive Kerberos trusts. Thus, all the domains in a tree implicitly trust
all the other domains in the tree or forest. Because trusts occur automatically when a
domain joins a tree, time-consuming trust administration is unnecessary.
Kerberos is Win2K’s primary security protocol. Kerberos verifies a user’s identity and
a session’s data integrity. Each DC has Kerberos services on it, and every Win2K workstation and server has a Kerberos client. A user’s initial Kerberos authentication gives
the user one logon session to enterprise resources. Kerberos isn’t a Microsoft protocol
but is based on MIT’s Kerberos 5.0. For more information about Kerberos, see the
Internet Engineering Task Force (IETF) Requests for Comments (RFC) 1510, “The
Kerberos Version 5 GSS-API Mechanism” (http://www.ietf.org/rfc/rfc1510.txt?number=1510).
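As an added example (not from the book) covering FAQs 15.5 and 15.7, the following Python models the difference: NT 4.0 trusts as explicit one-way pairs that are not followed transitively, and Win2K tree trusts derived from the contiguous namespace and followed in both directions. The domain and trust names are constructed from Figures 15-3 and 15-5.

```python
from collections import deque
from typing import Iterable, Set, Tuple

# Added example: NT 4.0 trusts as explicit one-way pairs that are not
# followed transitively, against Win2K tree trusts derived from the
# contiguous namespace and followed in both directions. Domain and trust
# names are constructed from Figures 15-3 and 15-5.

Trust = Tuple[str, str]   # (trusting domain, trusted domain)

def is_child_domain(child: str, parent: str) -> bool:
    """A child's name is exactly the parent's name with one label in front."""
    c, p = child.lower().rstrip("."), parent.lower().rstrip(".")
    return c.endswith("." + p) and c.count(".") == p.count(".") + 1

def tree_trusts(domains: Iterable[str]) -> Set[Trust]:
    """Derive the implicit parent-child trusts of a domain tree from its
    names (two entries per link, one per direction). Raises ValueError if a
    domain's name is not contiguous with the rest of the tree."""
    names = sorted({d.lower().rstrip(".") for d in domains}, key=lambda d: d.count("."))
    root, trusts = names[0], set()
    for d in names[1:]:
        parent = d.split(".", 1)[1]
        if parent not in names or not is_child_domain(d, parent):
            raise ValueError(f"{d} is not contiguous with tree {root}")
        trusts.add((d, parent))
        trusts.add((parent, d))
    return trusts

def is_valid_tree(domains: Iterable[str]) -> bool:
    try:
        tree_trusts(domains)
        return True
    except ValueError:
        return False

def trusts(pairs: Iterable[Trust], trusting: str, trusted: str, transitive: bool) -> bool:
    """Does `trusting` trust `trusted`? Non-transitive (NT 4.0): only if the
    pair was created explicitly. Transitive (Win2K Kerberos): also through
    any chain of trusts, found by breadth-first search."""
    edges = {(a.lower(), b.lower()) for a, b in pairs}
    trusting, trusted = trusting.lower(), trusted.lower()
    if not transitive:
        return (trusting, trusted) in edges
    seen, queue = {trusting}, deque([trusting])
    while queue:
        cur = queue.popleft()
        if cur == trusted:
            return True
        for a, b in edges:
            if a == cur and b not in seen:
                seen.add(b)
                queue.append(b)
    return False

# Constructed NT 4.0 trusts from Figure 15-5: Marketing trusts Sales,
# Development trusts Marketing; no explicit Development-to-Sales trust.
NT4_TRUSTS = {("Marketing", "Sales"), ("Development", "Marketing")}
```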


FAQ 15.8 How do I automatically upgrade a server to a domain controller during installation?

You can automatically run DCPROMO during an unattended installation. Enter the
command
dcpromo /answer:%path_to_answer_file%

In my example, the DCInstall section and parameters are added directly to the unattended answer file. The Microsoft Windows 2000 Resource Kit details the DCInstall
section’s parameters in the file UNATTEND.DOC. I’ve listed the main entries in the
following table:
AdministratorPassword   The new password for the domain Administrator account
AutoConfigDNS           Specifies whether the wizard should configure DNS
ChildName               Name of the child part of the domain
CreateOrJoin            Specifies whether the domain will join an existing forest or create a new one
DatabasePath            Location for the Active Directory database
DNSOnNetwork            Used when a new forest of domains is installed and no DNS client is configured on the computer
DomainNetBiosName       NetBIOS name for the domain
IsLastDCInDomain        Only valid when demoting an existing domain controller to a member server
LogPath                 Path for the Directory Service (DS) logs
NewDomainDNSName        Name of the new tree, or of the new domain when a new forest is created
ParentDomainDNSName     Specifies the name of the parent domain
Password                Password for the username used to promote the server
RebootOnSuccess         Specifies whether an automatic reboot should be performed
ReplicaDomainDNSName    Name of the domain to be replicated from
ReplicaOrMember         Specifies whether a Windows NT 4.0 or 3.51 BDC being upgraded should become a replica domain controller or be demoted to a regular member server
ReplicaOrNewDomain      Specifies whether the machine is a new domain controller in a new domain or a replica of an existing domain
SiteName                Name of the site (Default-First-Site by default)
SysVolPath              Path of SYSVOL
TreeOrChild             Specifies whether the entry is a new tree or a child of an existing domain
UserDomain              Domain for the user being used in promotion
UserName                Name of the user performing the upgrade


Because the DCPROMO process occurs after setup, the created answer file is called
$WINNT$.INF and is copied to the system32 folder. The parameters are in this file, so
you need to add the following text to the GUIRunOnce section of the unattended
Setup answer file:
[GUIRunOnce]
"DCpromo /answer:%systemroot%\system32\$winnt$.inf"

After the DCPROMO process completes, DCPROMO removes password information from the $WINNT$.INF file. Because the RunOnce
command doesn’t execute until someone logs on to the computer, you can add the following text to the unattended answer file to make this process easier:
[GUIUnattended]
Autologon = yes ; automatically logs on the administrator account
AutoLogoncount = n ; number of times to perform auto-admin logon
Don’t use items such as %systemroot% or %windir% because the unattended installation process doesn’t understand them.
You can just create a DCInstall section directly in your UNATTEND.TXT file to
avoid having multiple unattended setup files. Enter text such as the following.
[DCInstall]
AdministratorPassword = cartman
CreateOrJoin = Create
DomainNetBiosName = savtech
NewDomainDNSName = savtech.com
RebootOnSuccess = Yes
ReplicaOrNewDomain = Domain
SiteName = "London"
TreeOrChild = Tree

My example script would create a new forest with domain savtech.com at the top and
the new domain controller in the site London. The SYSVOL, logs, and Active Directory (AD) files would be in the default locations. The new domain Administrator
account password would be cartman.
If you want to use DCPROMO outside an unattended installation, enter
dcpromo /answer:<DCInstall answer filename>

You’ll see a dialog box that says “DCPROMO is running in unattended mode”. Then,
the machine will reboot.


FAQ 15.9 How do I change my Windows 2000 domain’s NetBIOS name?

Although Windows 2000 domain names are DNS based (e.g., savilltech.com),
when Win2K launches the domain controller promotion program DCPROMO,
this program also specifies a NetBIOS name for backwards compatibility with
older clients and domain controllers. This NetBIOS name is typically the leftmost part of the DNS name (e.g. savilltech), although the user can specify a different NetBIOS name.
After DCPROMO sets a NetBIOS name, you must demote all the domain
controllers and recreate the domain if you want to change the NetBIOS name.
However, doing so would cause you to lose all domain objects. To prevent this
problem, you can back up the objects before you recreate the domain and then
reimport the objects.
If you’re upgrading a Windows NT 4.0 domain to Win2K, you can’t change the
NetBIOS name while DCPROMO is running. You must use the NT 4.0 domain’s
NetBIOS name, although you can have a different DNS name.


FAQ 15.10 How do I create a new Active Directory site?

Active Directory (AD) has sites, which you can use to group servers into containers that
mirror your network’s physical topology. Sites also let you configure replication between
domain controllers (DCs). In addition, you can map several TCP/IP subnets to sites so
that new servers can automatically join the correct site depending on their IP address
and so that clients can easily find the DC closest to them.
When you create the first DC, AD creates the default site Default-First-Site-Name
and assigns the DC to this site. Subsequent DCs also add to this site, although you can
later move the DCs to other sites. You can rename the default site if you want.
You use the Microsoft Management Console (MMC) Active Directory Sites
and Services snap-in to create and administer sites. To create a new site, perform the
following steps.
1. Start the MMC Active Directory Sites and Services snap-in. (From the Start
menu, select Programs > Administrative Tools > Active Directory Sites and
Services.)
2. Right-click the Site branch and select New > Site from the context menu.
3. Enter a name for the site (e.g., NewYork). The name must be 63 characters or
fewer and can’t contain spaces or periods. You must also select a site link (only
one site link, DEFAULTIPSITELINK, exists by default). Alternatively, enter
IP

4. Click OK.
After you create the site, you can assign various IP subnets to the site as follows.
1. Start the MMC Active Directory Sites and Services snap-in. (From the Start
menu, select Programs > Administrative Tools > Active Directory Sites and
Services.)
2. Expand the Sites branch.
3. Right-click Subnets and select New > Subnet, as the screen shows.
4. In the past, you needed to enter the subnet name in the form “network/bits
masked” (e.g., for network 200.200.201.0 with subnet mask 255.255.255.0,
you’d enter 200.200.201.0/24). However, this method proved too complicated.
Now, you simply enter the address and mask, as shown in Figure 15-6.
5. Then select the site to associate the subnet with.
6. Click OK.
After you have a subnet linked to a site, you can assign multiple subnets to the site.
Determining the bits masked portion of the subnet name can be confusing. This
value is the number of bits set in the subnet mask. The subnet mask consists of four
sets of 8 bits. You can use Figure 15-7 to convert the subnet mask to bits.
For example, the subnet mask 255.255.255.0 is 11111111.11111111.11111111.
00000000 in binary, which uses 8 + 8 + 8 bits (i.e., 24) to define the subnet mask. The
subnet mask 255.255.252.0 is 11111111.11111111.11111100.00000000 in binary,
which is 8 + 8 + 6, or 22.

Figure 15-6 Creating a new subnet for a site

Figure 15-7 How the 8-bit part of an IP address is calculated

Bit      1    1    1    1    1    1    1    1
Value  128   64   32   16    8    4    2    1   = 255

After you define multiple sites, new DCs that you use DCPROMO to create will
automatically join the site that matches their IP address. If no site exists for a DC’s IP
subnet, the DC will join the site that authorized the DC’s promotion.
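As an added example (not from the book), the following Python converts a dotted subnet mask to the bits-masked count used in the old network/bits subnet name, rejects non-contiguous masks, and finds which site an address maps to, preferring the most specific subnet when subnets nest. The subnet-to-site assignments are constructed from the examples in this FAQ.

```python
import ipaddress
from typing import Dict, Optional

# Added example: turn a dotted subnet mask into the "bits masked" count used
# in the old network/bits subnet name, and find which site an address maps
# to, as AD does when a DC or client is matched to a site. The site and
# subnet values below are constructed from the examples in this FAQ.

def binary_mask(mask: str) -> str:
    """255.255.252.0 -> '11111111.11111111.11111100.00000000'."""
    return ".".join(f"{int(octet):08b}" for octet in mask.split("."))

def mask_to_bits(mask: str) -> int:
    """Count the set bits of a contiguous mask: 255.255.252.0 -> 22.
    ipaddress raises ValueError for non-contiguous masks such as 255.0.255.0."""
    return ipaddress.IPv4Network(("0.0.0.0", mask)).prefixlen

def is_valid_mask(mask: str) -> bool:
    try:
        mask_to_bits(mask)
        return True
    except ValueError:
        return False

def subnet_name(network: str, mask: str) -> str:
    """The 'network/bits masked' form, e.g. 200.200.201.0/24."""
    return f"{network}/{mask_to_bits(mask)}"

# Constructed subnet-to-site assignments (what you would enter in Sites and Services)
SITE_SUBNETS: Dict[str, str] = {
    "200.200.201.0/24": "NewYork",
    "200.200.200.0/22": "London",          # contains the /24 above
    "200.200.201.128/25": "NewYork-Lab",   # more specific part of the /24
}

def site_for_address(address: str, site_subnets: Dict[str, str] = SITE_SUBNETS,
                     default_site: Optional[str] = None) -> Optional[str]:
    """Return the site whose subnet contains the address, choosing the
    longest prefix when subnets nest. With no match the caller's default
    is returned (a new DC joins the site of the DC that promoted it)."""
    ip = ipaddress.IPv4Address(address)
    best_net, best_site = None, default_site
    for cidr, site in site_subnets.items():
        net = ipaddress.IPv4Network(cidr)      # strict: host bits must be zero
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site
```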


FAQ 15.11 How do I create a new site link?

After you create sites of IP subnets, you must link the sites together. You can add new
sites to the default IP site link DEFAULTIPSITELINK as you create the sites, or you
can select another existing site link. You can also create a new site link.
1. Start the Active Directory Sites and Services MMC snap-in. (Select
Programs > Administrative Tools > Active Directory Sites and Services
from the Start menu.)
2. Expand the Sites branch.
3. Expand the Inter-Site Transports branch.
4. Right-click the protocol for the type of site link you want to create (i.e., IP
or SMTP) and select New Site Link.
5. Enter a name for the link and select the sites that you want to be part of the
link, as shown in Figure 15-8. Then click OK.
Figure 15-8 Selecting the sites for a site link


FAQ 15.12 How do I disable site link transitivity?

Site links are bridged together to make them transitive so that the Knowledge Consistency Checker (KCC) can create connection objects between domain controllers. You
can disable site link transitivity, then manually bridge specific site links to achieve more
control.
1. Start the Active Directory Sites and Services MMC snap-in. (Select Programs >
Administrative Tools > Active Directory Sites and Services from the Start menu.)
2. Expand the Sites branch.
3. Expand the Inter-Site Transports branch.
4. Right-click the protocol you want to disable transitivity for (i.e., IP or SMTP)
and select Properties.
5. Clear the Bridge all site links checkbox, as shown in Figure 15-9, and click Apply.
6. Click OK.
Figure 15-9 Disabling the bridging of all site links


FAQ 15.13 How do I rename a site?

When you install your first domain controller, the domain controller creates the
default site Default-First-Site-Name. This name isn’t helpful, so you might want to
rename it.
1. Start the Microsoft Management Console (MMC) Active Directory Sites and
Services snap-in. (Select Programs > Administrative Tools > Active Directory
Sites and Services from the Start menu.)
2. Expand the Sites branch.
3. Right-click the site you want to rename (i.e., Default-First-Site-Name) and
select Rename, as shown in Figure 15-10. (Alternatively, select the site and
press F2.)
4. Enter the new name and press Enter.
Figure 15-10 Rename option from a site context menu


FAQ 15.14 How can a server belong to more than one site?

By default, a server belongs to only one site. However, you might want to configure a
server to belong to multiple sites.
Because sites are necessary for replication, for clients to find resources and to
decrease traffic on intersite connections, simply modifying a site’s membership might
cause performance problems.
To configure a server for multiple site membership, perform the following steps.
1. Log on to the server you want to join multiple sites.
2. Start Regedt32.
3. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry entry.
4. Select Add Value from the Edit menu.
5. Enter the name SiteCoverage and the type REG_MULTI_SZ.
6. Click OK.
7. Enter the names of the sites to join, each on a new line. (Press Shift+Enter to
move to the next line.)
8. Click OK.
9. Close the Registry editor.

This process doesn’t create the objects in Active Directory (AD) to evaluate the sites.
You must add these objects manually.


FAQ 15.15 How do I move a server to a different site?

If your sites and subnets are configured, new servers automatically add to the site that
owns the subnet. However, you can manually move a server to a different site.
1. Start the Microsoft Management Console (MMC) Active Directory Sites and
Services snap-in. (From the Start menu, select Programs > Administrative Tools >
Active Directory Sites and Services Manager.)
2. Expand the Sites container.
3. Expand the site that currently contains the server and expand the Servers
container.
4. Right-click the server and select Move from the context menu, as shown in
Figure 15-11.
5. You’ll see a list of all the sites. Select the new target site and click OK.
The move takes effect immediately.
Figure 15-11 Selecting the Move option for a server within a site


FAQ 15.16 What is multimaster replication?

In a Windows 2000 domain, all domain controllers (DCs) are equal. Thus, you can
make changes on any DC. Servers’ complete domain directories are kept up-to-date
with one another through a process of multimaster replication.
Each time you make a change to AD, the update sequence number (USN) of the server
on which the change is made increases by one. AD then stores the new USN, as well
as the change. These changes must replicate to all the DCs in the domain; the USN
provides the key to multimaster replication.
USN increments are atomic in operation, which means that the increment to the
USN and the actual change occur simultaneously. If one part fails, the whole change
fails (except the USN would still have been incremented). A change can’t occur without
the USN being incremented; therefore, changes can’t be lost. Each DC keeps track of
the highest USNs of the DCs it replicates with. This procedure lets a DC calculate
which changes must replicate on a replication cycle.
At the start of a replication cycle, each server checks its USN table and queries the
DCs it replicates with for the DCs’ latest USNs. The following is an example USN
table for Server A.
                     Domain Controller B   Domain Controller C   Domain Controller D
Highest USN seen     54                    23                    53

Server A queries the DCs for their current USNs and gets the following information.

                     Domain Controller B   Domain Controller C   Domain Controller D
Current USN          58                    23                    64

From this information, Server A can calculate the changes it needs from each server, as
follows.

                     Domain Controller B   Domain Controller C   Domain Controller D
Changes needed       55-58                 None                  54-64

Server A then queries each DC for the necessary changes.
Multiple changes to an object’s property can occur. Every property has a property
version number, which helps detect collisions. Property version numbers work like
USNs: Each time you modify a property, the property version number increases by one.
If you try to modify an object’s property multiple times, the change with the highest
property version number takes precedence. A collision occurs when the property version
numbers are the same for two or more property updates. When two property version
numbers match, the timestamp helps resolve the conflict. Because every change has a
timestamp, DCs must be accurate with one another. In the unlikely event that the property version numbers match and the timestamps match, a binary buffer comparison
occurs; the larger buffer size change takes precedence. Property version numbers
increase only on original writes (not on replication writes, as USNs do) and aren’t server
specific. Instead, a property version number travels with a property.
A propagation-dampening scheme prevents the same change from being sent repeatedly to other
servers. Each server keeps a table of up-to-date vectors, which are the highest originating writes received from each controller. The vectors take the following form.
<the change>,<the DC making the original change>,<the USN of the change>

For example,
<object savillj, property Password xxx>,Titanic,54

DCs send this information with the USNs so that they can calculate whether they
already have the change the other DCs are trying to replicate.
FAQ 15.17
What are tombstone objects?

Because of Windows 2000’s and Active Directory’s (AD’s) complex replication, if you
simply delete an object, Win2K’s replication algorithm might recreate the object at the
next replication interval. Thus, AD marks deleted objects with tombstones.
When we create an object, it gets replicated to all other DCs in the domain. If deletion would mean to simply remove it from the DC, then there would be no sign on this
DC that it ever existed, so during the next replication cycle, it would be simply replicated from another DC (and we won’t be able to get rid of it). So, when we delete an
object from an AD, it’s not immediately removed from the AD—just most of its attributes are removed and the object is marked as deleted—tombstoned—and moved to a
special hidden container. This tombstone is then replicated to all other DCs, and after a
certain period of time (two months by default), a special process, the garbage collector,
which runs on each DC, purges the tombstone from the AD database.
Win2K deletes tombstone objects 60 days after their original tombstone status
setting. To change this default time (which I don’t recommend), modify the tombstoneLifetime attribute under cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=DomainName.
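A toy two-DC model of the mechanism above, added here as an illustration (not code from the book): the object name and the 60-day lifetime come from the FAQ, while the replication and garbage-collection logic is a deliberate simplification of ours.

```python
# Added example, not from the FAQ: why a plain delete is resurrected by
# replication while a tombstone is not, in a deliberately simplified model.
from dataclasses import dataclass
from typing import Dict, List, Optional

TOMBSTONE_LIFETIME_DAYS = 60   # Win2K default quoted in the FAQ


@dataclass
class Entry:
    tombstoned: bool = False
    tombstoned_on: Optional[int] = None   # day number on which the object was deleted


class DomainController:
    def __init__(self, name: str) -> None:
        self.name = name
        self.objects: Dict[str, Entry] = {}

    def create(self, dn: str) -> None:
        self.objects[dn] = Entry()

    def naive_delete(self, dn: str) -> None:
        """Remove the object outright, leaving no trace that it existed."""
        del self.objects[dn]

    def tombstone(self, dn: str, today: int) -> None:
        """Strip the object down to a marker that records the deletion."""
        self.objects[dn] = Entry(tombstoned=True, tombstoned_on=today)

    def pull_from(self, partner: "DomainController") -> None:
        """Simplified inbound replication: take anything we lack, and let a
        partner's tombstone override our live copy (never the reverse)."""
        for dn, theirs in partner.objects.items():
            mine = self.objects.get(dn)
            if mine is None or (theirs.tombstoned and not mine.tombstoned):
                self.objects[dn] = Entry(theirs.tombstoned, theirs.tombstoned_on)

    def garbage_collect(self, today: int) -> List[str]:
        """Purge tombstones that have reached the lifetime; return what was purged."""
        expired = [dn for dn, e in self.objects.items()
                   if e.tombstoned and e.tombstoned_on is not None
                   and today - e.tombstoned_on >= TOMBSTONE_LIFETIME_DAYS]
        for dn in expired:
            del self.objects[dn]
        return expired

    def live_objects(self) -> List[str]:
        return sorted(dn for dn, e in self.objects.items() if not e.tombstoned)


def naive_delete_is_resurrected() -> bool:
    """Delete without a tombstone: the next cycle copies the object back."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.create("cn=savillj")
    dc2.pull_from(dc1)                 # object now exists on both DCs
    dc1.naive_delete("cn=savillj")
    dc1.pull_from(dc2)                 # DC1 has no record it was deleted, so it returns
    return "cn=savillj" in dc1.live_objects()


def tombstone_delete_sticks() -> bool:
    """Delete via tombstone: the deletion replicates and is purged after 60 days."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.create("cn=savillj")
    dc2.pull_from(dc1)
    dc1.tombstone("cn=savillj", today=0)
    dc2.pull_from(dc1)                 # tombstone replicates out to DC2
    dc1.pull_from(dc2)                 # nothing live comes back
    gone_everywhere = not dc1.live_objects() and not dc2.live_objects()
    purged = dc1.garbage_collect(today=60) + dc2.garbage_collect(today=60)
    return gone_everywhere and purged == ["cn=savillj", "cn=savillj"]
```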

FAQ 15.18
How do I modify the Active Directory’s garbage-collection period?

The Active Directory (AD) garbage-collection process performs two vital functions.
First, it cleans up deleted objects. When you delete an object in AD, the system doesn’t
immediately delete the object because when replication occurs, a replication partner
would recreate the object. Instead, the system uses a tombstone with a finite lifetime to
mark the object as deleted. The tombstone replicates to all DCs, and after it expires, the
garbage-collection agent deletes the object.
The garbage-collection process also performs online AD defragmentation. By
default this process runs every 12 hours on each DC. However, you can change this
frequency by modifying the attribute garbageCollPeriod under the path CN=Directory
Service,CN=Windows NT,CN=Services,CN=Configuration,DC=,DC=,DC=COM.
The best way to modify the attribute is to use the Windows 2000 Support Tools’
LDP.EXE utility.
FAQ 15.19
How does intrasite replication work in Windows 2000?

Windows 2000’s Knowledge Consistency Checker (KCC) automatically manages
replication within a site. The KCC uses a bidirectional ring topology that uses Remote
Procedure Call (RPC) over TCP/IP without compression. DCs within a site are typically on a fast network (per the definition of a site), and the extra processing necessary
for compression and decompression is undesirable.
The KCC runs every 15 minutes, adjusting the topology as necessary. As you
create new DCs, the KCC automatically places them in the ring. To view the DC links,
you can use the Microsoft Management Console (MMC) Active Directory Sites and
Services snap-in. Expand the site, the Servers container, and the server. Under the
NTDS Settings branch are the created connection objects.
Because the KCC runs on all DCs, the rings are in order of the DCs’ globally
unique IDs (GUIDs) to ensure convergence on one topology. An exception to the
ring rule is that no more than three hops can exist between two DCs within the ring.
To protect the three-hop rule, the KCC adds extra links for seven or more DCs, as
shown in Figure 15-12.

Figure 15-12 The three-hop rule in action

These rings are for same-naming context (i.e., domains) in one site. If you have
multiple domains in a site, rings exist for each domain in the site.
Another type of ring that exists replicates schema and configuration information
between DCs, as shown in Figure 15-13. Because all the domains share this information (i.e., the information is forestwide), each site has only one ring. Thus, if you have
two domains in a site, you have three rings: one ring for each domain and one ring for
the schema and configuration information. If you have only one domain in a site, one
ring functions as two.
Manual configuration of intrasite replication is unnecessary, and Microsoft doesn’t
recommend such configuration. The only task you might need to perform is adding
extra connection objects to reduce the hop count between DCs.
When you make a change to the naming context (i.e., domain) data, the DC’s local
copy of AD records the change, then the DC waits five minutes (by default) before
notifying its replication partners of the change. You can continue to make changes during this time period. The delay exists so that all changes transmit at once. If no changes
occur during a particular time period (which you can configure in the intrasite connection object schedule), a replication sequence initiates to ensure no changes were missed.
The SAM or the Local Security Authority (LSA) can trigger urgent replication
during the following events: replication of a newly locked-out account (e.g., if you fire
someone), change of an LSA secret (i.e., a trust account), and state changes to the
relative identifier (RID) master. These events trigger immediate replication. Because
urgent replication requires notification, this type of replication occurs only within a site
(i.e., intrasite). However, you can modify site links to enable notification.

Figure 15-13 Different rings for the different domain/forest elements (the figure shows one ring for schema/configuration information across DC1 through DC4, plus separate rings for the savilltech.com and sales.savilltech.com naming contexts)

An exception to multimaster normal replication is user passwords. As in other
attribute changes, you can change a user password at any DC. However, the DC pushes
the change to the PDC Flexible Single-Master Operation (FSMO) role holder on a
best-attempt basis. Other DCs receive the password through normal replication. The
reason for the extra password work is that if password validation fails, the validating
DC will pass the request to the PDC FSMO in case the password has changed and
the DC hasn’t yet received the new password via standard replication.
The schema and configuration data replicates between DCs once an hour by default.
For information about changing the replication interval, see FAQ 15.22.

FAQ 15.20
How do I change the intrasite replication interval in Windows 2000 for domain information?

As FAQ 15.19 explains, intrasite replication for naming context data doesn’t occur until
five minutes after a change. This delay lets all changes transmit at once. You can change
this five-minute delay.
1. Start Regedit.
2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters Registry entry.
3. Double-click Replicator notify pause after modify (secs).
4. Enter the number of seconds you want for the delay and click OK.
5. Close the Registry editor.
6. Reboot the machine.
You might notice the parameter Replicator notify pause between DSAs (secs). This
parameter determines the number of seconds between notification of directory service
agents (DSAs). This parameter prevents simultaneous replies by replication partners.

FAQ 15.21
How do I force replication between two domain controllers in a site?

In Windows NT 4.0, you can use Server Manager to force replication between DCs. In
Windows 2000, you can force replication between DCs as follows:

1. Start the Microsoft Management Console (MMC) Active Directory Sites and
Services snap-in.
2. Expand the Sites branch to show the sites.
3. Expand the site that contains the DCs. (The default site Default-First-Site-Name might be the only site.)
4. Expand the servers.
5. Select the server you want to replicate to and expand the server.
6. Double-click NTDS Settings for the server.
7. Right-click the server you want to replicate from.
8. Select Replicate Now from the context menu, as shown in Figure 15-14.
9. Click OK in the confirmation dialog box.
This replication is one-way. If you want two-way replication, you need to replicate in
each direction.

Figure 15-14 Forcing a replication

FAQ 15.22
How do I change the schedule for replication between two domain controllers in a site?

By default, domain controllers replicate schema and configuration information once an
hour. (For information about the type of data replicated, see FAQ 15.19.) To change
this interval for domain controllers in one site, perform the following tasks:
1. Start the Microsoft Management Console (MMC) Active Directory Sites
and Services snap-in. (Select Programs > Administrative Tools > Active
Directory Sites and Services from the Start menu.)
2. Expand the Sites branch to show the various sites.
3. Expand the site that contains the domain controllers. (The default site
Default-First-Site-Name might be your only site.)
4. Expand the servers.
5. Select the server you want to configure replication to and expand it.
6. Double-click NTDS Settings for the server.
7. Right-click the server you want to set replication from.
8. Select Properties from the context menu.
9. Select the Active Directory Service connection tab.
10. Click Change Schedule.
11. Modify the replication as necessary (see Figure 15-15) and click OK.

Figure 15-15 Setting the replication interval

12. Click Apply.
13. Click OK.
The schedule you set is for minimum replication. The replication schedule is one-way; you need to repeat the steps to configure the other direction. If you make a change,
the notification and replication will occur after a five-minute delay.

FAQ 15.23
How do I tune Active Directory replication?

You can use one of several settings under the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters Registry entry to modify
elements of AD replication. When you make a change to AD, a timer starts. This timer
specifies how long the domain controller will wait before notifying its first replication
partner about replication between domain controllers. The default time is five minutes.
To change this time period, edit the Replicator notify pause after modify (secs) value in
the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Registry entry, as shown in Figure 15-16.
After the domain controller notifies its first replication partner, the DC waits before
it notifies each subsequent replication partner. This delay prevents simultaneous replies
from the replication partners. The default time is 30 seconds. To change this time
period, edit the Replicator notify pause between DSAs (secs) value in the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Registry entry, as shown earlier in Figure 15-16.

Figure 15-16 Detailed replication options via the Registry

You can modify other values to enhance a multiple-CPU system’s performance.
For example, set the replication thread priority high value to 1 to run replication at
high priority. If you don’t set this value, or you set it to 0, replication will run at low
priority. Set the replication thread priority low value to 1 to run replication at low
priority. If you set this value to -1, the value is ignored.

FAQ 15.24
How do I specify a bridgehead server?

To minimize bandwidth usage during intersite communication, the Knowledge
Consistency Checker (KCC) dynamically chooses a server from each site to handle
the communication. These servers are the bridgehead servers. Rather than letting the
KCC choose the servers, you might prefer to nominate domain controllers (e.g., a
domain controller with the best network connectivity, a DC that is the proxy server
in a firewall environment).
A server that you nominate is a preferred bridgehead server. You can select multiple
preferred bridgehead servers for a site, but only one of the servers is active at a time. If
the active preferred bridgehead server fails, then another preferred bridgehead server
becomes the active server. If no preferred bridgehead servers are available, a regular
Windows 2000 DC becomes active for intersite communication. Letting a regular
Win2K DC handle intersite communication might cause problems if the server lacks
sufficient resources.
1. To nominate a server as a bridgehead server, start the Active Directory Sites and
Services MMC snap-in. (Select Programs > Administrative Tools > Active
Directory Sites and Services from the Start menu.)
2. Expand the Sites branch.
3. Expand the site containing the server and select the Servers container.
4. Right-click the server and select Properties.
5. Select the protocol you want the server to act as a preferred bridgehead server for
(i.e., SMTP or IP), as shown in Figure 15-17, and click Add. Then click OK.
When the KCC runs the next time, the connection objects will change to use the
bridgehead server you specified.

Figure 15-17 Specifying bridgehead transport options

FAQ 15.25
How do I create a site link bridge?

Site link bridges are important for intersite communication. Imagine you have the sites
Liverpool, London, and Kent, and you have site links between Liverpool and London
and between Kent and London (see Figure 15-18). If site link transitivity is disabled,
Liverpool and Kent can’t communicate. A site link bridge lets London act as a router
for communication between Liverpool and Kent.
If site link transitivity is disabled, you must manually bridge sites so that replication
can complete, and the Knowledge Consistency Checker (KCC) can create the necessary
connection objects.
1. Start the Active Directory Sites and Services MMC snap-in. (Select Programs >
Administrative Tools > Active Directory Sites and Services from the Start menu.)
2. Expand the Sites branch.
3. Expand the Inter-Site Transports branch.

Figure 15-18 Site links between sites (London connected to Liverpool and to Kent by site link A and site link B)

4. Right-click the protocol you want to create the bridge for (i.e., IP or SMTP) and
select New Site Link Bridge.
5. Enter a name for the bridge and select the site links that will form the bridge.
6. Click OK.

FAQ 15.26
I have several sites connected over a virtual private network. How should I configure my site links?

Obviously, with the Internet, the speed between sites is unknown. In addition, the route
varies every time, so you can’t place an accurate link cost, which controls the desirability of
remote sites as sources of replication information, between sites—which negates the usefulness of site links and bridges. Your best option is to place all sites in a single site link.

FAQ 15.27
How does intersite replication work in Windows 2000?

You can use Remote Procedure Call (RPC) over IP or Simple Mail Transport Protocol
(SMTP) to link sites. After you define the site links, replication schedules, cost factors,
and site link bridges (if appropriate), the Knowledge Consistency Checker (KCC) can
create the connection objects as long as the site links are transitive.
Using SMTP has some limitations. You can use SMTP to replicate the Global Catalog (GC) information, as well as schema and configuration data. However, SMTP can’t
replicate full domain naming context data such as the data that DCs in a domain
exchange, because some domain operations require the File Replication Service
(FRS) (e.g., the Group Policy), which SMTP doesn’t support.
Intersite replication uses a spanning tree topology. As long as the KCC can
establish a replication route between all the sites in the enterprise forest, the replication tree is complete. The administrator manually creates the links between sites.
Creating the links involves defining costs for each link (the cost relates the network’s
speed and reliability) and establishing a replication schedule.
You use the Microsoft Management Console (MMC) Active Directory Sites and
Services snap-in to create and maintain site links. By default, your original site is part
of the site link DEFAULTIPSITELINK. You can add sites to this site link when you
create them. (When you create a site, you must specify a site link.)
Replication data that travels between sites is 10% to 15% of its original size due to
data compression. This smaller size is important because intersite links are usually over
WAN links, which tend to be slow.
You need to create only the necessary links between sites. The KCC creates the
required connection objects.

FAQ 15.28
How do I monitor when the Knowledge Consistency Checker runs?

The KCC, which manages connection objects for inter- and intrasite replication,
ascertains whether you need to create new objects or delete existing objects. The KCC
runs every 15 minutes by default. FAQ 15.30 explains how to change this time period.
To determine when the KCC starts and stops, start Regedit and go to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Registry entry.
Double-click Knowledge Consistency Checker. Set the value to 3 or greater and
click OK. Close the Registry editor. You don’t need to restart the machine for the
change to take effect.
A value of 3 or greater in Knowledge Consistency Checker causes the KCC to log
extra events that you can use Event Viewer’s Directory Service branch to view. Some
common events that are useful to view include
• Event 1007 signifies the KCC starting
• Event 1009, as shown in Figure 15-19, signifies the beginning of the KCC check
• Event 1013 signifies the end of the KCC check
• Event 1015 signifies the KCC stopping
• Event 1133 provides information about the KCC check
Figure 15-19 Event log showing the Knowledge Consistency Checker in action

FAQ 15.29
How do I disable the Knowledge Consistency Checker?

FAQ 15.19 explains how the KCC automatically creates and maintains connection
objects for intra- and intersite replication. To manually maintain connection objects
(which I don’t recommend), you must disable the KCC.
To disable the KCC, use the Microsoft Windows 2000 Resource Kit’s LDP
tool. This program is in Win2K’s %SystemDrive%\Program Files\Support Tools
folder.
1. Start LDP.EXE.
2. From the Connection menu, select Connect.


3. Enter the domain controller’s DNS name, leave the port as 389 (LDAP), and
make sure the Connectionless checkbox is clear. Click OK.
4. Some text will appear in the right-most pane. Next, select Bind from the
Connection menu.
5. Enter an Administrator username, password, and domain, as shown in
Figure 15-20. Click OK.
6. From the View menu, select Tree.
7. A dialog box will prompt you for the base distinguished name (DN), which includes a site and your domain. For example, in the London site savtech.com I enter
CN=London,CN=Sites,CN=Configuration,DC=SAVTECH,DC=COM

8. Expand the route and double-click CN=NTDS Site Settings. The results will
display in the right-most window. Next, look for the options Attribute. If this
attribute is missing or set to 0, you can proceed. Otherwise, you need to contact
Microsoft Support for help checking your configuration before you can continue.

Figure 15-20 Binding to the LDAP interface

9. The text you see in the right-most window will look like
Expanding base 'CN=NTDS Site Settings,CN=London,CN=Sites,
CN=Configuration,DC=savtech,DC=com'...
Result : (null)
Matched DNs:
Getting 1 entries:
>> DN: CN=NTDS Site
Settings,CN=London,CN=Sites,CN=Configuration,DC=savtech,DC=com

10. Copy the last line, except the DN: portion, onto the Clipboard (e.g., CN=NTDS
Site Settings,CN=London,CN=Sites,CN=Configuration,DC=savtech,
DC=com).
11. From the Browse menu, select Modify.
12. In the Dn field, enter the string you copied in Step 10, as shown in Figure 15-21.
13. In the Attribute field, enter
options

Figure 15-21 Replacing a value with the LDAP utility

14. In the Values field, enter the appropriate value. A value of 1 disables automatic
intrasite topology generation, a value of 16 disables automatic intersite topology
generation, and a value of 17 disables both types of topology generation.
15. In the Operation field, select Replace.
16. Click Enter.
17. Click Run.
18. Click Close.
The right-most LDP.EXE window will display text such as
***Call Modify...
ldap_modify_s(ld, 'CN=NTDS Site
Settings,CN=London,CN=Sites,CN=Configuration,DC=savtech,DC=com',
[1] attrs);
Modified "CN=NTDS Site
Settings,CN=London,CN=Sites,CN=Configuration,DC=savtech,DC=com".

19. Close LDP.EXE.
To check whether the KCC is disabled, use Active Directory Replication Monitor
(REPLMON.EXE) to generate a report on the site configuration.
1. Start REPLMON.EXE.
2. Right-click Monitored Services in the left-most window and select Add
Monitored Server from the context menu.
3. Select Add the server explicitly by name and click Next.
4. Enter the server name and click Finish.
5. Right-click the server (under the site) and select Generate Status Report.
6. Enter a name and location for the log and click Save.
7. In the Options field, select Server/DC Configuration Data and Extended Site
Configuration, as shown in Figure 15-22.
8. Click OK.
9. Click OK again to finish.
Open the file you specified, and you’ll see site information such as the following.
********************************************************************
Enterprise Data
********************************************************************
Globally Unique Identifiers (GUIDs) for each domain controller in
the enterprise

Figure 15-22 Report options

NOTE: the absence of a GUID means that the server has been demoted.
-------------------------------------------------------------------
Site Name: London
--------------------------------------
Site Options : NTDSSETTINGS_OPT_IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED
Site Topology Generator: CN=NTDS
Settings,CN=MORPHEUS,CN=Servers,CN=London,CN=Sites,CN=Configuration,
DC=savtech,DC=com
Site Topology Renewal :
Site Topology Failover :
MORPHEUS
Server GUID (used for DNS) : DA644BE4-A8C9-47AF-AC4A-71F8DA4D50F0

Replication Database GUID (used to identify partner in replication) :
DA644BE4-A8C9-47AF-AC4A-71F8DA4D50F0
DSA Options : NTDSDSA_OPT_IS_GC
DSA Computer Path : CN=MORPHEUS,OU=Domain Controllers,DC=savtech,
DC=com
DSA Schema Location : CN=Schema,CN=Configuration,DC=savtech,DC=com
DSA Mail Address : _IsmService@da644be4-a8c9-47af-ac4a-71f8da4d50f0
._msdcs.savtech.com
DSA DNS Host Name : MORPHEUS.savtech.com
DSA BridgeHead Transports : IP

In the Site Options field, the text NTDSSETTINGS_OPT_IS_INTER_SITE_
AUTO_TOPOLOGY_DISABLED means intersite topology management is disabled. The text NTDSSETTINGS_OPT_IS_AUTO_TOPOLOGY_DISABLED
means intrasite topology management is disabled.
To reenable the KCC, follow steps 1 through 19, but set the value in step 14 to 0. If
the KCC is fully enabled, Replmon’s output won’t include Site Options information.

FAQ 15.30
How do I change how often the Knowledge Consistency Checker runs?

The KCC, which manages connection objects for inter- and intrasite replication, runs
every 15 minutes by default. To change this time period, start Regedit and go to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters Registry entry.
From the Edit menu, select New > DWORD Value. Enter the following and
press Enter:
Repl topology update period (secs)

Double-click the new value and enter the number of seconds for how often you want
the KCC to run. Click OK then close the Registry editor. Restart the machine for the
change to take effect.

FAQ 15.31
What tools are available for monitoring or changing replication?

To monitor or change replication, you must use the Microsoft Management Console
(MMC) Active Directory Sites and Services snap-in. This tool lets you view, create, or
delete connection objects. Other tools you can use include the Microsoft Windows
2000 Supplemental Tools Repadmin and Replmon tools.
Repadmin is a command-line tool that lets you check replication consistency
(e.g., for a KCC recalculation). The switch /showreps displays a list of replication
partners, as well as reasons for problems. The invocation ID is the database globally
unique ID (GUID).
When you use Repadmin with the switch /showreps, you’ll see text such as the
following:
D:\>repadmin /showreps
London\TITANIC
DSA Options : IS_GC
objectGuid : 221d9d34-540e-4a7b-bd26-054c11e2d1ad
invocationID: 221d9d34-540e-4a7b-bd26-054c11e2d1ad
==== INBOUND NEIGHBORS ======================================
CN=Schema,CN=Configuration,DC=savilltech,DC=com
London\TITUS via RPC
objectGuid: 2000eb93-cc24-4af7-9ad2-c52129c98c7a
Last attempt @ 1999-12-06 20:32.20 failed, result 8524:
Can’t retrieve message string 8524 (0x214c), error 1815.
Last success @ 1999-09-17 20:53.45.
463 consecutive failure(s).
London\TRINITY via RPC
objectGuid: df3694d2-b4e9-4d9a-a560-3e8c26c48a89
Last attempt @ 1999-12-06 20:32.21 failed, result 8524:

The switch /showmeta shows object information, version numbers, and other information. When you use this switch, you’ll see text such as the following:
C:\>repadmin /showmeta cn=garfield,DC=savtech,DC=com
45 entries.
Loc.USN Originating DSA Org.USN Org.Time/Date Ver Attribute
======= ============ ======= =========== === ======
99649 London\MORPHEUS 99649 1999-12-08 09:50.10 1 objectClass
99649 London\MORPHEUS 99649 1999-12-08 09:50.10 1 cn
99650 London\MORPHEUS 99650 1999-12-08 09:50.10 1 description
99649 London\MORPHEUS 99649 1999-12-08 09:50.10 1 givenName
99649 London\MORPHEUS 99649 1999-12-08 09:50.10 1 instanceType

Replmon is a GUI tool you can use to display and monitor replication status on
domain controllers (DCs).
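A small parser for the repadmin /showreps listing shown above, added here as an example (not code from the book or from the tool): it turns each inbound-neighbor block into a record that a monitoring job can alert on, such as the 463-failure streak in the sample. The sample text is the FAQ's own (truncated) output; the "was successful" wording for a good attempt is our assumption.

```python
# Added example, not from the FAQ: parse repadmin /showreps output and flag
# inbound partners whose replication is failing.
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample taken from the FAQ's listing; it is truncated after TRINITY there too.
SHOWREPS_SAMPLE = r"""London\TITANIC
DSA Options : IS_GC
objectGuid : 221d9d34-540e-4a7b-bd26-054c11e2d1ad
invocationID: 221d9d34-540e-4a7b-bd26-054c11e2d1ad
==== INBOUND NEIGHBORS ======================================
CN=Schema,CN=Configuration,DC=savilltech,DC=com
London\TITUS via RPC
objectGuid: 2000eb93-cc24-4af7-9ad2-c52129c98c7a
Last attempt @ 1999-12-06 20:32.20 failed, result 8524:
Can't retrieve message string 8524 (0x214c), error 1815.
Last success @ 1999-09-17 20:53.45.
463 consecutive failure(s).
London\TRINITY via RPC
objectGuid: df3694d2-b4e9-4d9a-a560-3e8c26c48a89
Last attempt @ 1999-12-06 20:32.21 failed, result 8524:
"""


@dataclass
class InboundNeighbor:
    naming_context: str
    partner: str                          # site\server, as repadmin prints it
    transport: str
    last_attempt: Optional[str] = None
    last_result: Optional[int] = None     # None until a "Last attempt" line is seen; 0 means success
    last_success: Optional[str] = None
    consecutive_failures: int = 0


TIMESTAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}\.\d{2}"
NEIGHBOR_RE = re.compile(r"^(?P<partner>[^\s\\]+\\[^\s\\]+) via (?P<transport>\S+)$")
# "was successful" is assumed from later repadmin versions; the FAQ shows only failures.
ATTEMPT_RE = re.compile(rf"^Last attempt @ (?P<when>{TIMESTAMP}) (?:failed, result (?P<code>\d+)|was successful)")
SUCCESS_RE = re.compile(rf"^Last success @ (?P<when>{TIMESTAMP})")
FAILURES_RE = re.compile(r"^(?P<n>\d+) consecutive failure\(s\)")


def parse_showreps(text: str) -> List[InboundNeighbor]:
    """Walk the INBOUND NEIGHBORS section, one record per 'X via Y' line."""
    neighbors: List[InboundNeighbor] = []
    context = ""
    in_inbound = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("==== INBOUND NEIGHBORS"):
            in_inbound = True
            continue
        if not in_inbound:
            continue
        if line.startswith(("CN=", "DC=", "OU=")):
            context = line                      # naming context header for the next partners
            continue
        m = NEIGHBOR_RE.match(line)
        if m:
            neighbors.append(InboundNeighbor(context, m["partner"], m["transport"]))
            continue
        if not neighbors:
            continue
        current = neighbors[-1]
        if (m := ATTEMPT_RE.match(line)):
            current.last_attempt = m["when"]
            current.last_result = int(m["code"]) if m["code"] else 0
        elif (m := SUCCESS_RE.match(line)):
            current.last_success = m["when"]
        elif (m := FAILURES_RE.match(line)):
            current.consecutive_failures = int(m["n"])
    return neighbors


def failing_partners(neighbors: List[InboundNeighbor], max_failures: int = 0) -> List[str]:
    """Partners whose latest attempt failed or whose failure streak exceeds the threshold."""
    return [n.partner for n in neighbors
            if n.last_result not in (None, 0) or n.consecutive_failures > max_failures]


if __name__ == "__main__":
    for n in parse_showreps(SHOWREPS_SAMPLE):
        print(f"{n.partner:<16} result={n.last_result} streak={n.consecutive_failures} last_ok={n.last_success}")
```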

FAQ 15.32
In a Windows 2000 domain, how can I configure the site name information known to member servers and workstations?

Win2K introduced the concept of sites, which let you group machines that reside in
similar TCP subnets. When a Win2K or later machine logs on, the system stores the
site name in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
in the subkey named DynamicSiteName. The DC updates this
name every 300 seconds (5 minutes); however, you can perform the following steps to
modify the update time frame:
1. Start REGEDIT.EXE.
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. From the Edit menu, select New > DWORD Value.
4. Enter a name of SiteNameTimeout and press Enter.
5. Double-click the new value and set it to the number of seconds.
6. Click OK.
To override the assigned site name, you can add a String value named SiteName in the
Netlogon\Parameters subkey. If you use this approach, the system will never use the
SiteNameTimeout value.

FAQ 15.33
How can I set the RPC port that intrasite replication uses?

By default, AD replication via Remote Procedure Calls (RPCs) takes place dynamically
over an available port via the RPC Endpoint Mapper using port 135 (the same as
Microsoft Exchange). An administrator may override this functionality and specify the
port that all replication traffic passes through, thereby locking down the port.
1. Start Regedit.
2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters Registry entry.

3. From the Edit menu, select New > DWORD Value.
4. Enter the following and press Enter:
TCP/IP Port

5. Double-click the new entry and enter the port you want to use. (Make sure the
port isn’t already in use.) Click OK.
6. Close the Registry editor.
7. Reboot the machine.
After monitoring finishes, you need to remove the Registry entry you created.
Removing this entry reinstates the security that dynamic RPC port allocation provides.

FAQ 15.34
How do I back up Active Directory and the system state?

You can use the Microsoft Windows Backup utility to back up Active Directory. AD is
part of a machine’s system state.
On Windows 2000 machines, the system state includes the Registry, class registration database, and system boot files. On a Win2K server that is a certificate server,
the system state also contains the Certificate services database. On a Win2K machine
that is a domain controller (DC), the system state also includes AD and the Sysvol
directory.
To use Win2K’s Backup Wizard to back up the system state, perform the following steps:
1. Start Windows Backup.
2. Click Backup Wizard.
3. Click Next in the introduction dialog box.
4. In the dialog box that asks what to back up, select Only back up the System State
data and click Next.
5. Continue the backup process (i.e., select the backup media, etc.).
To manually back up the system state, perform the following steps:
1. Start Windows Backup.
2. Select the Backup tab.
3. Select the System State checkbox, as shown in Figure 15-23, as well as any
other drives.

Figure 15-23 Backup of the system state on a domain controller

4. Select the backup destination.
5. Click Start Backup.
6. Confirm the backup description and click Start Backup.
To back up only the system state from the command line, enter
ntbackup backup systemstate /f d:\active.bkf

This command is a basic backup to file command. You can use more complex options if
you prefer.

FAQ 15.35
How do I restore Active Directory?

You can’t restore AD to a domain controller (DC) while the Directory Service (DS) is
running. To restore AD, perform the following steps.
1. Reboot the computer.
2. At the boot menu, select Windows 2000 Server. Don’t press Enter. Instead,
press F8 for advanced options. You’ll see the following text:
OS Loader V5.0
Windows NT Advanced Options Menu
Please select an option:
Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Enable Boot Logging
Enable VGA Mode
Last Known Good Configuration
Directory Services Restore Mode (Windows NT domain controllers
only)
Debugging Mode
Use | and | to move the highlight to your choice.
Press Enter to choose.

3. Scroll down and select Directory Services Restore Mode (Windows NT domain
controllers only).
4. Press Enter.
5. When you return to the Windows 2000 Server boot menu, press Enter. At the
bottom of the screen, you’ll see in red text “Directory Services Restore Mode”
(Windows NT domain controllers only).
The computer will boot into a special safe mode and won’t start the DS. Be aware
that during this time, the machine won’t act as a DC and won’t perform functions such
as authentication.
1. Start Windows Backup.
2. Select the Restore tab.
3. Select the backup media and select System State.

4. Click Start Restore.
5. Click OK in the confirmation dialog box.
After you restore the backup, reboot the computer and start in normal mode to use
the restored information. The computer might hang after the restore completes; I’ve
experienced a 30-minute wait on some machines.

FAQ 15.36
How do I manually defragment Active Directory?

Windows 2000 servers running Directory Services (DSs) perform a directory online
defragmentation every 12 hours by default as part of the garbage-collection process.
This defragmentation only moves data around the database file (NTDS.DIT) and
doesn’t reduce the file’s size.
To create a new, smaller NTDS.DIT file and to enable offline defragmentation, perform the following steps:
1. Back up AD (see FAQ 15.34).
2. Reboot the server, select the OS option, and press F8 for advanced options.
3. Select the Directory Services Restore Mode option and press Enter. Press Enter
again to start the OS.
4. Win2K will start in safe mode, with no DS running.
5. Use the local SAM’s administrator account and password to log on.
6. You’ll see a dialog box that says you’re in safe mode. Click OK.
7. From the Start menu, select Run and type
cmd.exe

8. In the command window, you’ll see the following text. (Enter the commands in
bold.)
C:\> ntdsutil
ntdsutil: files
file maintenance: info
....
file maintenance: compact to c:\temp

9. You’ll see the defragmentation process. If the process was successful, enter the
following to return to the command prompt:
quit
quit
10. Then, replace the old NTDS.DIT file with the new, compressed version.
copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit

11. Restart the computer and boot as normal.
The following is an example of the entire procedure.
D:\> ntdsutil
ntdsutil: files
file maintenance: info
Drive Information:
    C: FAT (Fixed Drive) free(1.2 Gb) total(1.9 Gb)
    D: NTFS (Fixed Drive) free(152.4 Mb) total(1.9 Gb)
DS Path Information:
    Database   : D:\WINNT\NTDS\ntds.dit - 8.1 Mb
    Backup dir : D:\WINNT\NTDS\dsadata.bak
    Working dir: D:\WINNT\NTDS
    Log dir    : D:\WINNT\NTDS - 30.0 Mb total
        res2.log - 10.0 Mb
        res1.log - 10.0 Mb
        edb.log - 10.0 Mb
file maintenance: compact to c:\temp
Opening database [Current].
Using Temporary Path: C:\
Executing Command: D:\WINNT\system32\esentutl.exe /d "D:\WINNT\NTDS\ntds.dit" / /o /l"D:\WINNT\NTDS" /s"D:\WINNT\NTDS" /t"c:\temp\ntds.dit" /!10240 /p
Initiating DEFRAGMENTATION mode...
        Database: D:\WINNT\NTDS\ntds.dit
       Log files: D:\WINNT\NTDS
    System files: D:\WINNT\NTDS
  Temp. Database: c:\temp\ntds.dit
                  Defragmentation Status (% complete)
          0    10   20   30   40   50   60   70   80   90  100
          |--|--|--|--|--|--|--|--|--|--|
          ...................................................

Note:
  It is recommended that you immediately perform a full backup
  of this database. If you restore a backup made before the
  defragmentation, the database will be rolled back to the state
  it was in at the time of that backup.

Operation completed successfully in 17.896 seconds.
Spawned Process Exit code 0x0(0)
If compaction was successful you either need to
copy "c:\temp\ntds.dit" to "D:\WINNT\NTDS\ntds.dit"
or run:
D:\WINNT\system32\ntdsutil.exe files "set path DB "c:\temp"" quit quit
file maintenance: quit
ntdsutil: quit
D:\> copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit
Overwrite D:\WINNT\ntds\ntds.dit? (Yes/No/All): y
        1 file(s) copied.
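A pre-flight check for the offline defragmentation above, written here as an added example and not part of the book: it parses the "file maintenance: info" listing (the sample below is constructed to match the transcript) and confirms that the drive named in "compact to" has at least as much free space as the current NTDS.DIT, which is the rule this check assumes, since compaction writes a complete new copy of the database.

```python
"""Pre-flight check for 'compact to <dir>': parse ntdsutil 'info' output and
confirm the target drive has room for a full copy of NTDS.DIT (added example)."""
import re
from typing import Dict, List

UNIT = {"Kb": 1024, "Mb": 1024 ** 2, "Gb": 1024 ** 3}

# "    C: FAT (Fixed Drive) free(1.2 Gb) total(1.9 Gb)"
DRIVE_RE = re.compile(
    r"^\s*([A-Za-z]):\s+(\S+)\s+\(.*?\)\s+free\(([\d.]+)\s*(Kb|Mb|Gb)\)"
    r"\s+total\(([\d.]+)\s*(Kb|Mb|Gb)\)"
)
# "    Database   : D:\WINNT\NTDS\ntds.dit - 8.1 Mb"
DB_RE = re.compile(r"^\s*Database\s*:\s*(\S.*?)\s+-\s+([\d.]+)\s*(Kb|Mb|Gb)\s*$")

# Constructed sample, modelled on the FAQ 15.36 transcript.
SAMPLE_INFO = r"""Drive Information:
    C: FAT (Fixed Drive) free(1.2 Gb) total(1.9 Gb)
    D: NTFS (Fixed Drive) free(152.4 Mb) total(1.9 Gb)
DS Path Information:
    Database   : D:\WINNT\NTDS\ntds.dit - 8.1 Mb
    Backup dir : D:\WINNT\NTDS\dsadata.bak
    Working dir: D:\WINNT\NTDS
    Log dir    : D:\WINNT\NTDS - 30.0 Mb total
"""


def to_bytes(value: str, unit: str) -> int:
    """Convert the Kb/Mb/Gb figures ntdsutil prints into a byte count."""
    return int(round(float(value) * UNIT[unit]))


def parse_file_info(text: str) -> Dict:
    """Extract per-drive free space and the database path/size from the info listing."""
    info: Dict = {"drives": {}, "db_path": None, "db_size": None}
    for line in text.splitlines():
        m = DRIVE_RE.match(line)
        if m:
            letter, fs, free, free_u, total, total_u = m.groups()
            info["drives"][letter.upper()] = {
                "fs": fs, "free": to_bytes(free, free_u), "total": to_bytes(total, total_u)}
            continue
        m = DB_RE.match(line)
        if m:
            info["db_path"] = m.group(1)
            info["db_size"] = to_bytes(m.group(2), m.group(3))
    return info


def check_compact_target(info: Dict, target_dir: str) -> List[str]:
    """Return reasons why 'compact to target_dir' may fail; an empty list means go ahead."""
    if len(target_dir) < 2 or target_dir[1] != ":":
        return ["target must be a drive-letter path such as c:\\temp"]
    if info["db_size"] is None:
        return ["database size not found in info output"]
    letter = target_dir[0].upper()
    drive = info["drives"].get(letter)
    if drive is None:
        return [f"target drive {letter}: is not listed in the info output"]
    findings: List[str] = []
    # Assumed rule: the target needs free space at least equal to the current database.
    if drive["free"] < info["db_size"]:
        findings.append(
            f"drive {letter}: has {drive['free']} bytes free but the database is "
            f"{info['db_size']} bytes")
    return findings


if __name__ == "__main__":
    parsed = parse_file_info(SAMPLE_INFO)
    print(parsed["db_path"], parsed["db_size"], "bytes")
    print("c:\\temp ->", check_compact_target(parsed, "c:\\temp") or "OK")
```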

FAQ 15.37

I heard that more than one utility is available to defragment the Active Directory database. Is this true?

In Windows 2000, Microsoft included a version of an Exchange Server utility—
ESENTUTL.EXE—that can defragment database files. At a command prompt, type
the following command to defragment NTDS.DIT (the default name for the Active
Directory—AD—database file):
ESENTUTL /D ntds.dit [options]

For a list of the command options, type
ESENTUTL /?

or
ESENTUTL /help
Usually, you use Ntdsutil to defragment your AD database; Ntdsutil is still the
best-supported tool for the job.

FAQ 15.38

Why can’t I have spaces in my Windows 2000 NetBIOS domain name?

In Windows NT 4.0-based domains, the space is a legal character in NetBIOS domain
names. Windows 2000 domains are DNS based and therefore use DNS names
(although a NetBIOS name is available for backwards compatibility). DNS doesn’t
allow spaces in names. For consistency, Microsoft removed the space as a legal character
in Win2K NetBIOS domain names.
Win2K NetBIOS domain names can contain the following special characters:
! @ # $ % ^ & ( ) - _ ' { } . ~

The following characters aren’t allowed:
\ * + = | : ; " ? < > ,
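A checker built from the two character lists above, as an added example rather than anything from the book; the 15-character NetBIOS length limit is an assumption added here, not something the FAQ states, and the nt4_compatible switch reflects the FAQ's point that NT 4.0 accepted spaces while Win2K does not.

```python
"""Validate a Windows 2000 NetBIOS domain name against the FAQ 15.38 rules (added example)."""
from typing import List

# Special characters the FAQ lists as legal in Win2K NetBIOS domain names.
ALLOWED_SPECIALS = set("!@#$%^&()-_'{}.~")
# Characters the FAQ lists as illegal; the space is illegal in Win2K but legal in NT 4.0.
DISALLOWED = set(" \\*+=|:;\"?<>,")
NETBIOS_MAX_LEN = 15  # assumed NetBIOS name length limit, not taken from the FAQ


def validate_netbios_domain_name(name: str, nt4_compatible: bool = False) -> List[str]:
    """Return a list of problems; an empty list means the name is acceptable."""
    if not name:
        return ["name is empty"]
    problems: List[str] = []
    if len(name) > NETBIOS_MAX_LEN:
        problems.append(f"longer than {NETBIOS_MAX_LEN} characters")
    for ch in sorted(set(name)):
        if ch == " " and nt4_compatible:
            continue  # NT 4.0 rules: the space was a legal character
        if ch in DISALLOWED:
            problems.append(f"illegal character {ch!r}")
        elif not (ch.isalnum() or ch in ALLOWED_SPECIALS):
            problems.append(f"character {ch!r} is not in the allowed set")
    return problems


if __name__ == "__main__":
    for candidate in ("SAVILLTECH", "SAVILL TECH", "DEV*LAB"):
        print(candidate, "->", validate_netbios_domain_name(candidate) or "OK")
```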

FAQ 15.39

How do I create trusts from the command line in Windows 2000?

The Microsoft Windows 2000 Resource Kit’s Trustdom tool lets you define trust relationships between Windows 2000 domains and one-way relationships with Windows
NT 4.0 domains. You can create two types of one-way trusts: an outbound trust on the
local or specified domain, and an inbound trust on the specified target domain. Trustdom’s syntax is
trustdom [[domain[:dc],]target_domain[:dc]] [Options]

The default switch is -out. To see a list of other switches, use the /? switch.

FAQ 15.40

What is the Global Catalog?

The Global Catalog (GC) contains an entry for every object in an enterprise forest
but only a few properties for each object. An entire forest shares a GC, with multiple
servers holding copies. You can perform an enterprisewide forest search only on the
properties in the GC, whereas you can search for any property in a user’s domain tree.
Only domain controllers (DCs) can hold a copy of the GC.
Configuring an excessive number of GCs in a domain wastes network bandwidth
during replication. One GC server per domain in each physical location is sufficient.
Windows sets servers as GCs as necessary, so you don’t need to configure additional
GCs unless you notice slow query response times.
Because a full search queries the whole domain tree rather than the GC, grouping
the enterprise into a single tree improves such searches: within one tree you can
search for properties that aren’t in the GC.

FAQ 15.41

How do I configure a server as a Global Catalog?

To configure a Windows 2000 domain controller (DC) as a Global Catalog (GC)
server, perform the following steps.
1. Start the Microsoft Management Console (MMC) Active Directory Sites and
Services snap-in. (From the Start menu, select Programs > Administrative Tools >
Active Directory Sites and Services Manager.)
2. Select the Sites branch.
3. Select the site that owns the server and expand the Servers branch.
4. Select the server you want to configure.
5. Right-click NTDS Settings and select Properties.
6. Select or clear the Global Catalog Server checkbox, shown in Figure 15-24.
7. Click Apply, then OK.
Figure 15-24 Global Catalog enabling of a server

FAQ 15.42

Why can’t I use my user principal name to change my password if the Global Catalog is unavailable?

In Windows 2000, users have a user principal name (UPN)—e.g., john@savilltech.
com—as well as the usual down-level SAM name—e.g., savillj. If you change your
password using the down-level SAM username, the change works fine, even if the
Global Catalog (GC) isn’t available. If you change your password using your UPN and
the GC isn’t available, you receive the following error message if the account is in the
parent domain:
The user name or old password is incorrect. Letters in passwords
must be typed using the correct case. Make sure the Caps is not
accidentally on.

Or you receive the following error message if the account is in the child domain:
Unable to change the password on this account due to the following
error:
1359: An internal error occurred
Please consult your system administrator.

To confirm that the GC’s absence is the problem, use the following command to find
your logon server:
echo %logonserver%

When you find the logon server, check the Directory Service event log for the following event:
Event 1126 Unable to establish connect with global catalog

To fix this problem, you need to ensure that the GC is available. You need the
GC to change passwords using your UPN because domains store information only
about their local domain whereas the GC includes information about objects in the
entire forest. Thus, the GC must be available when you use the UPN, unless you
have only one domain.

FAQ 15.43

What are the FSMO roles in Windows 2000?

In Windows 2000, all domain controllers (DCs) are equal. Changes replicate to all
the DCs in a domain through a process known as multimaster replication. Multimaster
replication resolves conflicts.
In some situations, preventing conflicts is preferable. Five Flexible Single-Master
Operation (FSMO) roles, formerly known as Floating Single-Master Operation roles,
manage an aspect of the domain or forest to prevent conflicts. You can manually move
these roles between DCs.
Two types of roles exist: domain and forest. Only a DC in the domain can hold a
domain-specific FSMO role, whereas any DC in the forest can hold a forest FSMO
role. DCs can’t hold FSMO roles in other domains or forests.
You can use the Ntdsutil utility or one of several GUI methods to assign FSMO
roles. The following table summarizes each role:
Role Name: Domain Naming Master
Per Domain or Forest: One per forest
Description: If you want to add a domain to a forest, the domain’s name must be
verifiably unique. The forest’s Domain Naming Master FSMO authorizes the domain
name operation.

Role Name: Infrastructure Master
Per Domain or Forest: One per domain
Description: When a user and group are in different domains, a lag can exist
between changes to the user (e.g., a name change) and the user’s display in the
group. The Infrastructure Master of the group’s domain fixes the group-to-user
reference to reflect the change. The Infrastructure Master performs its fixes
locally and relies on replication to bring all other replicas of the domain
up-to-date.

Role Name: PDC Emulator
Per Domain or Forest: One per domain
Description: For backward compatibility, one DC in each Win2K domain must emulate
a PDC for the benefit of Windows NT 4.0 and NT 3.5 DCs and clients.

Role Name: RID Master
Per Domain or Forest: One per domain
Description: Any DC can create new objects (e.g., users, groups, computer
accounts). However, after creating 512 user objects, a DC must contact the
domain’s relative identifier (RID) Master for another 512 RIDs. (A DC actually
contacts the RID Master when the DC has fewer than 100 RIDs left. Thus, the RID
Master can be unavailable for short periods of time without causing object
creation problems.) This procedure ensures that each object has a unique RID.
When a DC creates a security principal object, the DC attaches a unique SID to
the object. The SID consists of the domain SID and a RID. The RID Master must be
available for you to use the Microsoft Windows 2000 Resource Kit’s Movetree
utility to move objects between domains.

Role Name: Schema Master
Per Domain or Forest: One per forest
Description: At the heart of Active Directory (AD) is the schema, which is like a
blueprint of all objects and containers. Because the schema must be the same
throughout the forest, only one machine can authorize schema modifications.

Even in native mode, the PDC Emulator has the following special roles:
• Failed authentication requests are forwarded to it.
• Downlevel clients send it changes (e.g., a password change) that would
normally go to the PDC in an NT 4.0 domain.
• Focus of best-effort push of password changes and account lockouts.
• Time synchronization: a time client contacts its DC, the DC contacts the
domain’s PDC Emulator, and that PDC Emulator contacts the PDC Emulator one level
up; the PDC Emulator in the root domain could use Simple Network Time Protocol
(SNTP) to contact an atomic Internet clock.
• Focus of group policies: If you edit or create a group policy, you contact the PDC;
if the PDC isn’t available, you can select another DC.
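The following Python model is an added example, not code from the book, and follows the RID Master entry in the table above: it splits a SID into its domain SID and RID, then simulates the 512-RID pool with the fewer-than-100 request point to show how many objects one DC can still create while the RID Master is unreachable. The pool size and threshold come from the text; the SID values are constructed, and the request timing is a simplification of the real service.

```python
"""SID = domain SID + RID, and a model of Win2K RID-pool behaviour (added example)."""
import re
from typing import Optional, Tuple

# Domain account SIDs look like S-1-5-21-<three sub-authorities>-<RID>.
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")


def split_sid(sid: str) -> Tuple[str, int]:
    """Return (domain SID, RID); e.g. RID 500 is the built-in Administrator."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return m.group(1), int(m.group(2))


class RidMaster:
    """The domain's RID Master: hands out blocks of RIDs, or nothing when unreachable."""

    def __init__(self, pool_size: int = 512, first_rid: int = 1000) -> None:
        self.pool_size = pool_size
        self.next_free = first_rid
        self.available = True

    def allocate_pool(self) -> Optional[Tuple[int, int]]:
        if not self.available:
            return None  # unreachable: the DC must live on the RIDs it already holds
        start = self.next_free
        self.next_free += self.pool_size
        return start, self.next_free  # half-open range [start, end)


class DomainController:
    """A DC creating security principals from its local RID pool."""

    def __init__(self, master: RidMaster, low_water: int = 100) -> None:
        self.master = master
        self.low_water = low_water
        pool = master.allocate_pool()
        assert pool is not None, "model assumes the RID Master is up at promotion"
        self.pool_start, self.pool_end = pool
        self.next_pool: Optional[Tuple[int, int]] = None

    def remaining(self) -> int:
        return self.pool_end - self.pool_start

    def create_object(self) -> Optional[int]:
        """Return the RID given to a new object, or None if the DC has run dry."""
        # Ask for the next block early, while RIDs remain (the table's "fewer than 100 left").
        if self.remaining() < self.low_water and self.next_pool is None:
            self.next_pool = self.master.allocate_pool()
        if self.remaining() == 0:
            if self.next_pool is None:
                self.next_pool = self.master.allocate_pool()  # last-chance retry
            if self.next_pool is None:
                return None  # pool exhausted and RID Master still unreachable
            self.pool_start, self.pool_end = self.next_pool
            self.next_pool = None
        rid = self.pool_start
        self.pool_start += 1
        return rid


def creations_survived(before_outage: int, attempts_during_outage: int) -> int:
    """How many objects a single DC can still create after the RID Master goes away."""
    master = RidMaster()
    dc = DomainController(master)
    for _ in range(before_outage):
        assert dc.create_object() is not None
    master.available = False
    return sum(1 for _ in range(attempts_during_outage) if dc.create_object() is not None)


if __name__ == "__main__":
    print(split_sid("S-1-5-21-3623811015-3361044348-30300820-1013"))  # constructed SID
    # Whether the DC had already fetched its next block decides how long it survives.
    print("outage after 300 objects:", creations_survived(300, 1000))
    print("outage after 450 objects:", creations_survived(450, 1000))
```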

FAQ 15.44

How do I change the RID master FSMO?

FAQ 15.43 defines the relative identifier (RID) Master. To modify the role, perform the
following steps:
1. Start the Microsoft Management Console (MMC) Active Directory Users and
Computers snap-in on the domain controller (DC). (From the Start menu, select
Programs > Administrative Tools > Active Directory Users and Computers.)
2. In the left-most pane, right-click the domain and select Connect to Domain
Controller.
3. Select the DC you want to make the Flexible Single-Master Operation (FSMO)
role owner, as shown in Figure 15-25, and click OK.
4. Right-click the domain again and select Operations Master from the context
menu.
5. Select the RID Pool tab.
6. You’ll see the name of the machine that holds the RID Master FSMO role, as
shown in Figure 15-26.

Figure 15-25 Selecting an alternate domain controller

Figure 15-26 Modifying a RID operations master


7. To make a change, click Change.
8. Click OK in the confirmation dialog box.
Finally, you’ll see a dialog box confirming the role change.
You can also use the Ntdsutil utility to change the RID Master FSMO. In the
following code, enter the commands in bold.
C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer rid master

Click Yes in the role-transfer dialog box. Then, enter the commands in bold in the
following code:
Server "titanic" knows about 5 roles
Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
fsmo maintenance: quit
ntdsutil: quit

FAQ 15.45

How do I change the Schema Master FSMO?

To change the Schema Master Flexible Single-Master Operation (FSMO), you must
use the Active Directory Schema Manager.
1. First, register the .DLL for the Microsoft Management Console (MMC) snap-in. Go to a command prompt and enter
regsvr32 schmmgmt.dll
2. Then, use the Microsoft Windows 2000 Resource Kit’s Tools console to start the
Schema Manager. Alternatively, create a custom MMC and add the Active
Directory Schema snap-in to it, as steps 3 and 4 describe. (From the Start menu,
select Run and enter
MMC

3. From the Console menu, select Add/Remove Snap-in. Click Add and select
Active Directory Schema.
4. Click Add, Close, and then OK.)
5. Start the MMC Active Directory Schema snap-in on the domain controller
(DC).
6. In the left-most pane, right-click Active Directory Schema and select Change
Domain Controller from the context menu.
7. Enter the DC to connect to.
8. Right-click Active Directory Schema and select Operations Master from the
context menu.
You’ll see the name of the machine that holds the Schema Master FSMO role, as
shown in Figure 15-27.

Figure 15-27 Changing the schema operations master
9. To make a change, click Change.
10. To set the Registry to allow changes to the schema, select the checkbox labeled
“The Schema may be modified on this server”. (Notice in Figure 15-27 that the
machine is already the Schema Master.)
11. Click OK in the confirmation dialog box.
Finally, you’ll see a dialog box confirming the role change.
You can also modify the role from the command line. (In the following code, enter
the commands in bold.)
C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer schema master

Click Yes in the role-transfer dialog box. Then, enter the commands in bold in the following code:
Server "titanic" knows about 5 roles
Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
fsmo maintenance: quit
ntdsutil: quit

FAQ 15.46

How do I change the PDC Emulator FSMO?

To modify the role, perform the following steps.
1. Start the Microsoft Management Console (MMC) Active Directory Users
and Computers snap-in on the domain controller (DC). (From the Start
menu, select Programs > Administrative Tools > Active Directory Users and
Computers.)
2. In the left-most pane, right-click the domain and select Connect to Domain
Controller.
3. Select the DC you want to make the Flexible Single-Master Operation (FSMO)
role owner and click OK.
4. Right-click the domain again and select Operations Master from the context
menu.
5. Select the PDC tab.
6. You’ll see the name of the machine that holds the PDC Emulator FSMO role.
7. To make a change, click Change.
8. Click OK in the confirmation dialog box.
Finally, you’ll see a dialog box confirming the role change.

You can also use the Ntdsutil utility to change the PDC Emulator FSMO. In the
following code, enter the commands in bold:
C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer pdc

Click Yes in the role-transfer dialog box. Then, enter the commands in bold in the following code:
Server "titanic" knows about 5 roles
Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
fsmo maintenance: quit
ntdsutil: quit
FAQ 15.47

How do I change the Infrastructure Master FSMO?

To modify the role, perform the following steps:
1. Start the Microsoft Management Console (MMC) Active Directory Users and
Computers snap-in on the domain controller (DC). (From the Start menu, select
Programs > Administrative Tools > Active Directory Users and Computers.)
2. In the left-most pane, right-click the domain and select Connect to Domain
Controller.
3. Select the DC you want to make the FSMO role owner and click OK.
4. Right-click the domain again and select Operations Master from the context
menu.
5. Select the Infrastructure tab. You’ll see the name of the machine that holds the
infrastructure FSMO role.
6. To make a change, click Change.
7. Click OK in the confirmation dialog box.
Finally, you’ll see a dialog box confirming the role change.
You can also use the Ntdsutil utility to change the Infrastructure Master FSMO.
In the following code, enter the commands in bold:
C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer infrastructure master

Click Yes in the role-transfer dialog box. Then, enter the commands in bold in the
following code:
Server "titanic" knows about 5 roles
Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
fsmo maintenance: quit
ntdsutil: quit

FAQ 15.48

How do I change the Domain Naming Master FSMO?

To modify the role, make sure the machine is a Global Catalog (GC). Then, perform
the following steps:
1. Start the Microsoft Management Console (MMC) Active Directory Domains
and Trusts snap-in on the domain controller (DC). (From the Start menu, select
Programs > Administrative Tools > Active Directory Domains and Trusts.)
2. In the left-most pane, right-click Active Directory Domains and Trusts and select
Connect to Domain Controller from the context menu.
3. Enter the DC to connect to and click OK.
4. Right-click Active Directory Domains and Trusts and select Operations Master
from the context menu. You’ll see the name of the machine that holds the domain
name operations FSMO role.
5. To make a change, click Change.
6. Click OK in the confirmation dialog box. Finally, you’ll see a dialog box
confirming the role change.
You can also use the Ntdsutil utility to change the Domain Naming Master FSMO.
In the following code, enter the commands in bold:
C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer domain naming master

Click Yes in the role-transfer dialog box. Then, enter the commands in bold in the following code:
Server "titanic" knows about 5 roles
Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
fsmo maintenance: quit
ntdsutil: quit

FAQ 15.49

How can I find the current FSMO role holders in a domain/forest?

The five Flexible Single-Master Operation (FSMO) roles are Schema Master, Domain
Naming Master, Relative Identifier (RID) Master, PDC Master, and Infrastructure
Master.
You can use a GUI to find the FSMO role holders, but you need to perform several
sets of steps (for this approach, see Q234790 at
http://support.microsoft.com/support/kb/articles/Q234/7/90.ASP).
However, you can use other approaches to reduce the number of steps that the GUI
requires to find the current FSMO role holders. First, you can use the command file
DUMPFSMOS.CMD from the Win2K Server Resource Kit. This command uses the
built-in NTDSUTIL.EXE, which shows you all the FSMO role owners.
To find the current FSMO role holders, you simply execute the dumpfsmos command on a domain. For example, you could type the following command:
dumpfsmos.cmd savilltech.com

When the following information appears on the screen, find the line that reads “Server
‘savilltech.com’ knows about 5 roles,” and read the lines below it to find information
about each FSMO role holder.
Ntdsutil: roles
fsmo maintenance: Connections
server connections: Connect to server savilltech.com
Binding to savilltech.com ...
Connected to savilltech.com using credentials of locally logged on user
server connections: Quit
fsmo maintenance: select Operation Target
select operation target: List roles for connected server
Server "savilltech.com" knows about 5 roles
Schema - CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Domain - CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
PDC - CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
RID - CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Infrastructure - CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
select operation target: Quit
fsmo maintenance: Quit
Ntdsutil: Quit
Disconnecting from savilltech.com ...

You can also manually execute the NTDSUTIL.EXE tool by performing the following steps:
1. Click Start > Run. Type cmd in the Open box and press Enter.
2. Type ntdsutil and press Enter.
3. Type domain management and press Enter.
4. Type connections and press Enter.
5. Type connect to server [server name] and press Enter.
6. Type quit and press Enter.
7. Type select operation target and press Enter.
8. Type list roles for connected server and then press Enter.

Sample output from the command follows with the text you type shown in bold.
Following the line that reads “Server ‘titanic-dc’ knows about 5 roles,” you’ll find information about your FSMO role holders.
C:\>ntdsutil
ntdsutil: domain management
domain management: connections
server connections: connect to server titanic-dc
Binding to titanic-dc ...
Connected to titanic-dc using credentials of locally logged on user
server connections: quit
domain management: select operation target
select operation target: list roles for connected server
Server "titanic-dc" knows about 5 roles
Schema - CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Domain - CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
PDC - CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
RID - CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Infrastructure - CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
select operation target: quit
domain management: quit
ntdsutil: quit
Disconnecting from titanic-dc ...

A third option for finding the current FSMO role holders is to use the dcdiag utility,
which you can find in the Support/Tools folder of the Win2K Support Tools. To use
the dcdiag utility, type the following command:
dcdiag /test:Knowsofroleholders /v

Sample output for the command follows. You’ll find information about your
FSMO role holders below the line that reads “Starting test: KnowsOfRoleHolders.”
DC Diagnosis

Performing initial setup:
   * Verifing that the local machine titanic-dc, is a DC.
   * Connecting to directory service on server titanic-dc.
   * Collecting site info.
   * Identifying all servers.
   * Found 1 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial non skippeable tests

   Testing server: Default-First-Site-Name\TITANIC-DC
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... TITANIC-DC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\TITANIC-DC
      Test omitted by user request: Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Test omitted by user request: NCSecDesc
      Test omitted by user request: NetLogons
      Test omitted by user request: Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
         Role Domain Owner = CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
         Role PDC Owner = CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
         Role Rid Owner = CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
         ......................... TITANIC-DC passed test KnowsOfRoleHolders
      Test omitted by user request: RidManager
      Test omitted by user request: MachineAccount
      Test omitted by user request: Services
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: ObjectsReplicated
      Test omitted by user request: frssysvol
      Test omitted by user request: kccevent
      Test omitted by user request: systemlog

   Running enterprise tests on : savilltech.com
      Test omitted by user request: Intersite
      Test omitted by user request: FsmoCheck
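Reading the role holders out of either listing by hand works once; checking them regularly against a recorded baseline is what catches an unexpected transfer or seizure. The script below is an added example, not the book's or Microsoft's code: it parses both the ntdsutil "list roles for connected server" lines and the dcdiag "Role ... Owner =" lines (the samples and the baseline are constructed from this FAQ's transcripts), assuming each role's DN sits on one line without console wrapping, and reports any role that is missing or held by a server other than the baseline.

```python
"""Parse FSMO role-holder listings from ntdsutil and dcdiag and flag drift from a
recorded baseline (added example; sample output is constructed)."""
import re
from typing import Dict, List

FSMO_ROLES = ("SCHEMA", "DOMAIN", "PDC", "RID", "INFRASTRUCTURE")

# One pattern covers both listing styles:
#   ntdsutil: "Schema - CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=<site>,CN=Sites,..."
#   dcdiag:   "Role Schema Owner = CN=NTDS Settings,..." and
#             "Role Infrastructure Update Owner = CN=NTDS Settings,..."
# Each role's DN is assumed to be on a single line (no console wrapping).
ROLE_LINE = re.compile(
    r"^\s*(?:Role\s+)?(Schema|Domain|PDC|RID|Infrastructure)"
    r"(?:\s+Update)?(?:\s+Owner)?\s*[-=]\s*"
    r"(CN=NTDS Settings,CN=(?P<server>[^,]+),CN=Servers,CN=(?P<site>[^,]+),CN=Sites,.*)$",
    re.IGNORECASE,
)

# Constructed samples modelled on the FAQ 15.49 transcripts.
_DN = ("CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,"
       "CN=Sites,CN=Configuration,DC=savilltech,DC=com")
NTDSUTIL_SAMPLE = "\n".join([
    'Server "titanic-dc" knows about 5 roles',
    f"Schema - {_DN}", f"Domain - {_DN}", f"PDC - {_DN}", f"RID - {_DN}",
    f"Infrastructure - {_DN}", "select operation target: quit",
])
DCDIAG_SAMPLE = "\n".join([
    "      Starting test: KnowsOfRoleHolders",
    f"         Role Schema Owner = {_DN}", f"         Role Domain Owner = {_DN}",
    f"         Role PDC Owner = {_DN}", f"         Role Rid Owner = {_DN}",
    f"         Role Infrastructure Update Owner = {_DN}",
    "         ......................... TITANIC-DC passed test KnowsOfRoleHolders",
])
# Baseline recorded when role placement was last reviewed (constructed).
BASELINE = {role: "TITANIC-DC" for role in FSMO_ROLES}


def parse_role_holders(text: str) -> Dict[str, Dict[str, str]]:
    """Map each role name to the holder's server name, site and full NTDS Settings DN."""
    holders: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = ROLE_LINE.match(line)
        if m:
            holders[m.group(1).upper()] = {
                "server": m.group("server"), "site": m.group("site"), "dn": m.group(2)}
    return holders


def check_role_holders(holders: Dict[str, Dict[str, str]],
                       baseline: Dict[str, str]) -> List[str]:
    """Return one finding per role that is missing or not where the baseline says.

    A role that moved without a change record deserves a look: transfers and
    seizures are privileged operations and should match an approved change."""
    findings: List[str] = []
    for role in FSMO_ROLES:
        if role not in holders:
            findings.append(f"{role}: no holder reported")
            continue
        seen = holders[role]["server"].upper()
        want = baseline.get(role, "").upper()
        if seen != want:
            findings.append(f"{role}: held by {seen}, baseline says {want or 'unknown'}")
    return findings


if __name__ == "__main__":
    for name, sample in (("ntdsutil", NTDSUTIL_SAMPLE), ("dcdiag", DCDIAG_SAMPLE)):
        found = parse_role_holders(sample)
        print(name, {r: v["server"] for r, v in found.items()})
        print("  drift:", check_role_holders(found, BASELINE) or "none")
```

Feed it the saved output of dumpfsmos.cmd or dcdiag /test:Knowsofroleholders /v and keep the baseline under change control.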

FAQ 15.50

Why can’t I add a Windows NT 4.0 BDC to my Windows 2000 domain?

Although Windows 2000 supports Windows NT 4.0 BDCs, you’ll run into problems
if you try to create an NT 4.0 BDC machine account. You’ll receive the error message
“The Machine Account for This Computer either does not exist or is inaccessible.” If
you try to use Srvmgr to add the computer account from an existing Windows NT
4.0-based BDC, you’ll receive the error message “The Network Request is not supported.”
Your Win2K-based PDC will log the following error message:
Source: SAM
EVENT ID: 12298
DESCRIPTION:The Account "COMPUTER$" Cannot be converted to be a
domain controller account as its object class attribute in the
directory is not a computer or is not derived from a computer. If
this is caused by an attempt to install a pre-Windows 2000 Domain,
then you should recreate the account for the domain controller with
the correct object class.

To work around this problem, use Win2K’s Srvmgr tool to create the account.

FAQ 15.51

How do I remove a nonexistent domain from Active Directory?

Windows 2000 tracks each domain in the metadata. If you remove all the domain
controllers (DCs) for a domain and you don’t select the option “This is the last
domain controller in the domain” when you run DCPROMO to demote the DC to a
normal server, DCPROMO won’t clean up the domain information, and the server’s
domain information will remain.
You can use the utility NTDSUTIL to remove a domain from the metadata. (In the
following code, enter the commands in bold.)
ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
Connect to a server or domain (e.g., the parent domain) that recognizes the domain
you want to delete. (In the following code, enter the commands in bold.)
server connections: connect to server titanic
Binding to titanic ...
Connected to titanic using credentials of locally logged on user
server connections: quit
metadata cleanup: select operation target

Next, select the domain you want to delete. (In the following code, enter the commands
in bold.)
select operation target: list domains
Found 3 domain(s)
0 - DC=savilltech,DC=com
1 - DC=dev,DC=savilltech,DC=com
2 - DC=deleteme,DC=savilltech,DC=com
select operation target: select domain 2
Site - CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Domain - DC=deleteme,DC=savilltech,DC=com
No current server
No current Naming Context
select operation target: quit
metadata cleanup: remove selected domain

In the confirmation dialog box, which is shown in Figure 15-28, click Yes.
Close the utility. (In the following code, enter the commands in bold.)
"DC=deleteme,DC=savilltech,DC=com" removed from server "titanic"
metadata cleanup: quit
ntdsutil: quit
Disconnecting from titanic ...

Figure 15-28 Confirming domain deletion (with a name like that are we surprised!)
FAQ 15.52

I canceled a domain controller demotion. Why can’t I demote the domain controller now?

Once you start a domain controller (DC) demotion, you don’t have an option to cancel
it; however, you might have stopped the demotion via the Task Manager or by getting
the process ID with tlist, then using the kill command. Neither approach is supported,
and if you try to run DCPROMO again, you might get the following error message
(depending on the stage the DCPROMO process was in when you stopped it):
Active Directory is already being installed or removed on this
computer. That operation must finish before another may be
attempted.

The only way to remove the DC information is to manually remove it using
NTDSUTIL. See FAQ 15.53 for details.

FAQ 15.53

How do I remove a nonexistent domain controller?

Windows 2000 tracks each domain controller (DC) in the metadata. If you remove a
DC (e.g., through reinstallation or hardware removal), and you don’t run DCPROMO
to clean up the DC’s metadata, connection objects will remain.
You can use the utility NTDSUTIL to remove a server from the metadata. (In the
following code, enter the commands in bold.)
ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: select operation target

Next, you must connect to a live DC. In this example, I connect by domain name, which lets NTDSUTIL pick a DC of that domain for me. (In the following output, the commands you type appear after each prompt.)
select operation target: connections
server connections: connect to domain savilltech.com
Binding to TITANIC.savilltech.com ...
Connected to TITANIC.savilltech.com using credentials of locally
logged on user
server connections: quit

Next, select the site, the server you want to delete, and the domain the server belongs to; the order isn't important. (In the following output, the commands you type appear after each prompt.)
select operation target: list sites
Found 2 site(s)
0 - CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
1 - CN=Kent,CN=Sites,CN=Configuration,DC=savilltech,DC=com
select operation target: select site 0
Site - CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
No current domain
No current server
No current Naming Context
select operation target: list servers in site
Found 4 server(s)
0 - CN=TITANIC,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
1 - CN=TITUS,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
2 - CN=MORPHEUS,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
3 - CN=TRINITY,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
select operation target: select server 2
Site - CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
No current domain
Server - CN=MORPHEUS,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
DSA object - CN=NTDS Settings,CN=MORPHEUS,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
DNS host name - MORPHEUS.deleteme.savilltech.com
Computer object - CN=MORPHEUS,OU=Domain Controllers,DC=deleteme,DC=savilltech,DC=com
No current Naming Context
select operation target: list domains
Found 3 domain(s)
0 - DC=savilltech,DC=com
1 - DC=dev,DC=savilltech,DC=com
2 - DC=deleteme,DC=savilltech,DC=com
select operation target: select domain 0
Site - CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Domain - DC=savilltech,DC=com

Server - CN=MORPHEUS,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
DSA object - CN=NTDS Settings,CN=MORPHEUS,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
DNS host name - MORPHEUS.deleteme.savilltech.com
Computer object - CN=MORPHEUS,OU=Domain Controllers,DC=deleteme,DC=savilltech,DC=com
No current Naming Context
select operation target: quit

Next, remove the server you selected. (In the following output, the command you type appears after the prompt.)
metadata cleanup: remove selected server

In the confirmation dialog box, which is shown in Figure 15-29, click Yes. Then quit the utility. (In the following output, the commands you type appear after each prompt.)
"CN=MORPHEUS,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com" removed from server "TITANIC.savilltech.com"
metadata cleanup: quit
ntdsutil: quit
Disconnecting from TITANIC.savilltech.com ...

Finally, you need to delete the server object from the Microsoft Management Console (MMC) Active Directory Sites and Services snap-in.
1. Select Programs > Administrative Tools > Active Directory Sites and Services from the Start menu.

Figure 15-29 Confirming a server delete

2. Expand the Sites branch, expand the site, expand its Servers container, right-click the server, and select Delete.
3. Click Yes in the confirmation dialog box.
Two related checks are worth making. If the missing DC held any Flexible Single-Master Operation (FSMO) roles, seize them to a surviving DC (NTDSUTIL's roles menu); metadata cleanup in Windows 2000 doesn't do this for you. And remove the DC's host and service records from DNS, so clients stop trying to locate it.
I have been informed of a possible problem with this if SP2 is installed, in which case,
perform this procedure on a box without SP2 installed.
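
After the NTDSUTIL and Sites and Services steps, it's worth confirming that nothing in the directory still refers to the removed DC. The following PowerShell script is an added example, not part of the original FAQ or of any Microsoft tool. It assumes a current Windows management host joined to the forest, domain-admin rights, and the page's example server name MORPHEUS; it queries the Configuration partition for the server, NTDS Settings and stale connection objects, and the domain partition for the computer account and the FRS member object that SYSVOL replication created.

```powershell
# Added example, not part of the original FAQ: after "metadata cleanup" has
# removed a dead DC, confirm that nothing in the directory still refers to it.
# Assumptions (hypothetical, taken from the page's example): the removed DC is
# MORPHEUS and this runs as a domain admin on a domain-joined host that can
# reach a live DC.
param(
    [string]$DcName = 'MORPHEUS'
)

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDse.configurationNamingContext
$domainNC = [string]$rootDse.defaultNamingContext

function Search-Directory {
    # Thin wrapper around DirectorySearcher that returns the requested attributes.
    param([string]$Base, [string]$Filter, [string[]]$Attributes)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"LDAP://$Base"
    $s.Filter      = $Filter
    $s.SearchScope = 'Subtree'
    $s.PageSize    = 500
    foreach ($a in $Attributes) { [void]$s.PropertiesToLoad.Add($a) }
    $s.FindAll()
}

$leftovers = @()

# 1. Server object and NTDS Settings object under the site (Configuration partition).
foreach ($r in Search-Directory $configNC "(&(objectClass=server)(cn=$DcName))" @('distinguishedName')) {
    $leftovers += 'server object: ' + $r.Properties['distinguishedname'][0]
}
foreach ($r in Search-Directory $configNC '(objectClass=nTDSDSA)' @('distinguishedName')) {
    $dn = [string]$r.Properties['distinguishedname'][0]
    if ($dn -like "*,CN=$DcName,CN=Servers,*") { $leftovers += "NTDS Settings: $dn" }
}

# 2. Inbound connection objects on surviving DCs whose fromServer still names the dead DC.
#    These are the "connection objects" the FAQ warns about.
foreach ($r in Search-Directory $configNC '(objectClass=nTDSConnection)' @('distinguishedName', 'fromServer')) {
    $from = [string]$r.Properties['fromserver'][0]
    if ($from -like "*,CN=$DcName,CN=Servers,*") {
        $leftovers += 'connection object: ' + $r.Properties['distinguishedname'][0] + " (fromServer=$from)"
    }
}

# 3. The computer account in OU=Domain Controllers and the FRS member object for SYSVOL
#    live in the DC's own domain partition. $domainNC is the domain this host belongs
#    to, so run this from (or bind to) the child domain if the DC lived there.
foreach ($r in Search-Directory $domainNC "(&(objectClass=computer)(cn=$DcName))" @('distinguishedName')) {
    $leftovers += 'computer account: ' + $r.Properties['distinguishedname'][0]
}
foreach ($r in Search-Directory $domainNC "(&(objectClass=nTFRSMember)(cn=$DcName))" @('distinguishedName')) {
    $leftovers += 'FRS member: ' + $r.Properties['distinguishedname'][0]
}

if ($leftovers.Count -eq 0) {
    "No objects referencing $DcName remain."
} else {
    "Objects still referencing $DcName (remove them before trusting replication health):"
    $leftovers | ForEach-Object { "  $_" }
}
```

Run it against the forest root first; if the DC belonged to a child domain, as MORPHEUS did in the transcript above (deleteme.savilltech.com), run it again from a host in that domain so that $domainNC resolves to the child domain's partition.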

FAQ 15.54
Why can't I create a Kerberos-based trust between two domains in different forests?

When you manually create trusts, you can select one of two authentication protocols.
• Kerberos—The Kerberos V5 authentication protocol is the default authentication
service for Windows 2000. You use it to verify that a user/host is who it says it is.
This protocol is used for trusts between domains in a tree and between the root
domains in a forest.
• NT LAN Manager (NTLM)—The NTLM authentication protocol is the default
for network authentication in Windows NT 4.0 and earlier, but Win2K still
supports it (although not as the default). NTLM is a challenge/response
authentication protocol.
A transitive Kerberos-based trust links the domains within a forest. When you create a trust between two domains in different forests, the only option is NTLM, because Windows 2000 doesn't implement Kerberos for trusts that cross a forest boundary (and such an external trust is also nontransitive). This is a limitation of the Microsoft implementation rather than of Kerberos itself: Windows 2000 can, for example, establish a Kerberos realm trust with a third-party Kerberos implementation such as MIT. Kerberos-based trusts between two Windows forests arrived later, as forest trusts in Windows Server 2003.

FAQ 15.55
How do I modify the number of Active Directory objects to search?

By default, the AD browse dialogs return at most 10,000 objects from a search. This limit affects every browse display associated with AD (e.g., those in Local Users and Groups, the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, and the dialog boxes you use to set permissions for user or group objects in AD). As your organization grows, you might need to raise the number of objects a search returns.
To set the number for a Group Policy Object:

1. Start the MMC Active Directory Users and Computers snap-in. (Select
Programs > Administrative Tools > Active Directory Users and Computers from
the Start menu.)
2. Right-click the container and select Properties.
3. Select the Group Policy tab.
4. Select the Group Policy Object and select Edit.
5. Select the User Configuration branch and expand Administrative Templates >
Desktop > Active Directory.
6. Double-click Maximum size of Active Directory searches.
7. Select Enabled and set the number (e.g., 20000), as shown in Figure 15-30.
8. Click Apply.

Figure 15-30 Modifying the number of Active Directory search results via Policy
9. Click OK.
10. Close the Group Policy editor.
To edit the Registry to set the number for a user:
1. Start Regedit.
2. Go to the HKEY_CURRENT_USER\Software\Policies\Microsoft Registry key.
3. From the Edit menu, select New > Key.
4. Enter Windows as the key name.
5. Select the Windows key, and from the Edit menu, select New > Key.
6. Enter Directory UI as the key name.
7. Go to the Directory UI key, and from the Edit menu, select New > DWORD Value.
8. Enter QueryLimit as the value name and press Enter.
9. Double-click the new value, select Decimal, and set the number of objects (e.g., 20000).
10. Click OK.
11. Close the Registry editor.
For both methods, the change takes effect the next time the user logs on.

FAQ 15.56
How do I configure Group Policy to apply folder redirection settings to users who access the local network remotely?

By default, Windows 2000 doesn’t apply Group Policy folder redirection settings to
users on slow network connections. To modify this behavior, perform the following
steps:


1. Start Group Policy editor (GPE) and load the policy in question (you can also
right-click the Active Directory—AD—container that the policy applies to,
select Properties, select the Group Policy tab, and click Edit).
2. Navigate to Computer Configuration > Administrative Templates > System >
Group Policy.
3. Double-click Folder Redirection policy processing.
4. Select Enabled.
5. Select the Allow processing across a slow network connection checkbox (see
Figure 15-31). (You can also double-click Group Policy slow link detection to
set what constitutes a slow link.)
6. Click OK.

Figure 15-31 Folder Redirection options

7. If you opened Group Policy slow link detection, select Enabled and set the connection speed below which a link counts as slow (500Kbps by default).
8. Click OK.
9. Close GPE.

FAQ 15.57
How can I replicate logon scripts between Windows 2000 and Windows NT 4.0 domain controllers?

NT 4.0 LAN Manager Replication (LMRepl) uses directory replication to copy data from one export machine (%systemroot%\system32\Repl\export) to the import folders of the other domain controllers (DCs) (%systemroot%\system32\Repl\import), which then publish the data as the Netlogon share. Win2K File Replication Service (FRS) instead replicates the SYSVOL tree (%systemroot%\SYSVOL\sysvol) among DCs automatically, and the Netlogon share points to %systemroot%\SYSVOL\sysvol\<domain name>\SCRIPTS.
The two mechanisms are incompatible, so in a mixed domain you must configure a script that periodically copies files from one of the Win2K Netlogon shares to the NT 4.0 export machine, which then disseminates them to the other NT 4.0 DCs. The Windows 2000 Resource Kit supplies LBRIDGE.CMD, a template for this script that can use either Xcopy or Robocopy to perform the file operations. Treat the Win2K SYSVOL copy as the master and edit scripts only there; the copy runs one way.
If you don't configure such a script, your NT 4.0 DCs will serve out-of-date logon scripts.
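
The following PowerShell script is an added example of such a bridge, not the Resource Kit's LBRIDGE.CMD and not part of the original FAQ. The names are hypothetical: TITANIC is a Win2K DC, NT4PDC is the LMRepl export server, and the script assumes the export directory is reachable as \\NT4PDC\REPL$ (the share name LMRepl uses for %systemroot%\system32\Repl\export) with the logon scripts in its SCRIPTS subfolder. It is meant to be run from a scheduled task on a machine that can reach both servers.

```powershell
# Added example, not the Resource Kit's LBRIDGE.CMD: copy logon scripts from a
# Windows 2000 DC's Netlogon share to the NT 4.0 LMRepl export directory.
# Hypothetical names: TITANIC (Win2K DC), NT4PDC (NT 4.0 export server);
# \\NT4PDC\REPL$\SCRIPTS is assumed to be %systemroot%\system32\Repl\export\SCRIPTS.
param(
    [string]$Source      = '\\TITANIC\NETLOGON',
    [string]$Destination = '\\NT4PDC\REPL$\SCRIPTS',
    [string]$Log         = "$env:SystemRoot\lbridge.log"
)

if (-not (Test-Path $Source))      { throw "Source share $Source is not reachable" }
if (-not (Test-Path $Destination)) { throw "Destination $Destination is not reachable" }

# /E    copy subdirectories, including empty ones
# /XO   skip files whose copy on the destination is already newer (one-way bridge)
# /R:2 /W:10  retry twice, 10 s apart, instead of robocopy's default of a million retries
# /NP   no per-file progress percentages, so the log stays readable; /LOG+ appends
# /PURGE (or /MIR) is deliberately not used: it would delete anything in the export
# directory that isn't on the Win2K side, which is only right if Win2K is the sole
# source of scripts. Add it once you have confirmed that is the case.
& robocopy.exe $Source $Destination /E /XO /R:2 /W:10 /NP "/LOG+:$Log"
$rc = $LASTEXITCODE

# Robocopy's exit code is a bitmask: 1 = files copied, 2 = extra files on the
# destination, 4 = mismatches (all informational); 8 = some files failed,
# 16 = fatal error. Anything >= 8 means the bridge did not complete.
if ($rc -ge 8) {
    Write-Error "robocopy failed with exit code $rc; see $Log"
    exit $rc
}
"Logon scripts synchronised from $Source to $Destination (robocopy exit code $rc)."
exit 0
```

Schedule it on the NT 4.0 replication interval or more often; LMRepl on the export machine then pushes the files to the import directories of the other NT 4.0 DCs.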

FAQ 15.58
How can I stop password changes from being pushed to the PDC FSMO over WAN links?

By default, when someone changes a password, the change is written on the domain controller (DC) that handled the request, and Windows also pushes it immediately to the PDC Flexible Single-Master Operation (FSMO) role holder (the PDC emulator), because ordinary replication of the change around the domain takes time. If a logon with the new password is then attempted against a DC that hasn't yet received it, that DC retries the authentication against the PDC emulator before rejecting the logon, so the new password works straight away. The cost is that every password change generates traffic to the PDC emulator, which may sit at the far end of a WAN link.
To stop DCs from pushing password changes to a PDC emulator in a different site, make the following change on the relevant DCs. (Until the change replicates normally, a logon with the new password against one of those DCs will fail.)

1. Start REGEDIT.EXE.
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. From the Edit menu, select New > DWORD Value.
4. Enter a name of AvoidPdcOnWan and press Enter.
5. Double-click AvoidPdcOnWan and set it to 1.
6. Click OK.
7. Close Regedit.

FAQ 15.59
How can I use the Registry to configure Group Policy update times?

You usually configure Group Policy refresh intervals under the Computer Configuration\Administrative Templates\System\Group Policy and User Configuration\Administrative Templates\System\Group Policy branches of a GPO; however, those policy settings are themselves just Registry values, which you can set directly by performing the following steps:
1. Start REGEDIT.EXE.
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System to set the computer refresh interval, or to HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System to set the user refresh interval.
3. Create a DWORD value named GroupPolicyRefreshTime and set it to a number of minutes between 0 and 64800 (45 days). The default is 90 minutes. A value of 0 makes the client refresh every 7 seconds, which is useful in a lab and harmful in production.
4. Create a DWORD value named GroupPolicyRefreshTimeOffset and set it to a number of minutes between 0 and 1440. A random delay of up to this many minutes is added to each refresh so that many clients don't refresh at the same time (the default is 30).
5. Close Regedit.
Domain controllers use separate values, GroupPolicyRefreshTimeDC and GroupPolicyRefreshTimeOffsetDC, under the HKEY_LOCAL_MACHINE key above (by default every 5 minutes with no offset). If a GPO configures these settings, it rewrites the values at every refresh, so a direct Registry edit persists only where no policy sets them.
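
The following PowerShell script is an added example, not part of the original FAQ, covering the Registry edits of both FAQ 15.55 (QueryLimit) and this FAQ (the refresh interval and offset). It writes each value through one function that creates the key if necessary and rejects values outside the ranges the policy editor enforces. It assumes it runs on the machine being configured, that the HKCU values are meant for the user running it, and that the values chosen (20000 objects, 120 minutes, 30 minutes) are illustrative; the lower bound of 1 for QueryLimit is my own sanity check, not a documented limit.

```powershell
# Added example, not from the original FAQ: set QueryLimit (FAQ 15.55) and the
# Group Policy refresh interval and offset (FAQ 15.59) directly in the registry,
# with the same range checks the policy editor applies.
# Assumptions: runs locally; the HKCU values target the user running the script.

function Set-PolicyDword {
    # Create the key if needed and write a REG_DWORD, refusing out-of-range values.
    # Returns the value as read back from the registry, so callers can verify it.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Value,
        [int]$Min = 0,
        [int]$Max = [int]::MaxValue
    )
    if ($Value -lt $Min -or $Value -gt $Max) {
        throw "$Name must be between $Min and $Max (got $Value)"
    }
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    Get-ItemProperty -Path $Path -Name $Name | Select-Object -ExpandProperty $Name
}

# FAQ 15.55: raise the browse-dialog search limit from the default 10,000 objects.
# (Min 1 is an assumption of this script, not a documented bound.)
$limit = Set-PolicyDword -Path 'HKCU:\Software\Policies\Microsoft\Windows\Directory UI' `
                         -Name 'QueryLimit' -Value 20000 -Min 1
"QueryLimit is now $limit (takes effect at next logon)"

# FAQ 15.59: background refresh every 120 minutes, randomised by up to 30 minutes,
# for the computer (HKLM) and user (HKCU) halves of policy. 0 would mean every
# 7 seconds, so the lower bound is left at 0 only because the OS accepts it.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $sys = "$hive\Software\Policies\Microsoft\Windows\System"
    $t = Set-PolicyDword -Path $sys -Name 'GroupPolicyRefreshTime'       -Value 120 -Min 0 -Max 64800
    $o = Set-PolicyDword -Path $sys -Name 'GroupPolicyRefreshTimeOffset' -Value 30  -Min 0 -Max 1440
    "$hive refresh every $t min, offset up to $o min"
}
```

Writing to HKLM requires an elevated session. Remember that a GPO which configures the same settings will overwrite these values at its next refresh, so use this on machines where no policy sets them.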

FAQ 15.60
Why can't I create an organizational unit and child domain with the same name from one parent?

Although X.500 lets an organizational unit (OU) and child domain share a name,
Active Directory (AD) doesn’t. Shared names in AD cause problems with relative
distinguished names (RDNs). If you try to create an OU and give it the same name as a
child domain that already exists, you’ll get the error message
Active Directory
Windows cannot create the object because: An attempt was made to add
an object to the directory with a name that was already in use.
Name-related properties on this object might now be out of sync.
Contact your network administrator.

If you try to create a child domain and give it the same name as an OU that already
exists, you’ll get the error message
Active Directory Installation Failed
The operation failed because: The Directory Service failed to create
the object CN=Sales, CN=Partitions, CN=Configuration, DC=Savilltech,
DC=Com. Please check for possible system errors. "The directory
service is busy"

Microsoft is aware of these restrictions, and no workarounds exist; plan OU and child-domain names so they don't collide.

FAQ 15.61
I've upgraded one of my Windows NT 4.0 DCs to Windows 2000. Why do all of my Win2K Professional clients use the Win2K DC for authentication?

When you upgrade to Win2K, you should upgrade at least two domain controllers
(DCs). Then, if you have to stop one Win2K DC, the other Win2K DC can act as the
PDC to older NT 4.0 DCs. If you have only one Win2K DC and you have to stop it,
you have to promote an NT 4.0 BDC to PDC. Doing so loses all AD information, and you can't bring the Win2K DC back into the domain, because a Win2K DC can't act as a BDC to an NT 4.0 PDC.
The behavior you’re encountering is actually a design “feature.” The idea behind
this feature was that the Win2K clients understand group policy concepts, so—where
possible—they should log onto a Win2K DC. However, this feature causes the Win2K
clients to use the Win2K DC for all authentication, which overloads the machine. This
has been fixed in Service Pack 1 for Windows 2000.

FAQ 15.62
How can I move the Active Directory log files?

Along with the NTDS.DIT file, the AD keeps several log files that you might want to
move to a faster disk. To do so, perform the following steps:
1. Restart the domain controller (DC).
2. Press F8 at the Startup menu when the system displays the list of OSs.
3. Select Directory Services Restore Mode.
4. Select the appropriate installation, if more than one exists, and then log on as an administrator at the logon prompt.
5. Start a command prompt (Start > Run > CMD.EXE).
6. Start the NTDS utility, NTDSUTIL.EXE.
7. At the ntdsutil prompt, type files as follows:
ntdsutil: files

8. At the file maintenance prompt, type the following:
file maintenance: move logs to [new location for file]

9. To view the log files, at the file maintenance prompt, type info:
file maintenance: info

10. Type quit twice to return to a C prompt.
11. Restart the computer in Normal mode.

FAQ 15.63
How do I enable circular logging for Active Directory?

AD can record sequential or circular transaction logs. The default is sequential: log files aren't overwritten; each grows to a fixed size (10MB) and then a new one is started. Once every transaction in a log file has been committed to the database, the file is no longer needed, and AD's garbage-collection process deletes such files every 12 hours by default. If your server never stays up for 12 hours between reboots, AD can't clean up old log files, and eventually they use all your available disk space.
With circular logging, AD reuses a small set of log files, overwriting transactions that have already been committed. Some administrators prefer circular logging because it caps the disk space the logs consume. The trade-off is recoverability: overwritten logs can't be replayed, so after restoring the database from backup you can roll forward only as far as the surviving logs reach; in practice the DC then catches up from its replication partners. To enable circular logging, you need to edit the Registry.
1. Start Regedt32.
2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters Registry key.
3. If the value CircularLogging doesn’t exist, select New > String value from the
Edit menu and enter
CircularLogging

4. Double-click CircularLogging and set the value to 1 to enable circular
logging. (Setting the value to 0 disables circular logging and enables sequential log files.)
5. Close the Registry editor.
6. Reboot the machine to restart the Directory Service (DS) and make the
change effective.

FAQ 15.64
How do I audit Active Directory?

You can configure AD auditing to record successful and failed directory access attempts as events in the Security log of each domain controller. The setting belongs in the Default Domain Controllers Policy, because directory access happens on domain controllers.
1. Start the Microsoft Management Console (MMC) Active Directory Users and
Computers snap-in. (Select Programs > Administrative Tools > Active Directory
Users and Computers from the Start menu.)
2. From the View menu, select Advanced Features.

3. Expand the domain, right-click the Domain Controllers container, and select
Properties from the context menu.
4. Select the Group Policy tab.
5. Select Default Domain Controllers Policy and click Edit.
6. Expand the Computer Configuration branch, the Windows Settings branch, the
Security Settings branch, and the Local Policies branch.
7. Select Audit Policy.
8. The right-most window will show auditing levels. Double-click Audit Directory
Service Access.
9. Select the relevant checkboxes (e.g., Audit successful attempts, Audit failed
attempts), as shown in Figure 15-32. Click OK.
10. Close the Group Policy window.
11. In the main Domain Controllers Properties dialog box, click OK.
12. Close the Active Directory Users and Computers MMC snap-in.

Figure 15-32 Directory Service audit options

You can use Event Viewer to view the resulting events in the Security log (under the Directory Service Access category). Enabling the category by itself produces few events: each object's system access control list (SACL) decides which accesses by which users are audited, and the default SACLs are limited, so add auditing entries (Properties > Security > Advanced > Auditing) on the containers and objects you care about. Because domain controllers poll for policy changes every five minutes, the policy change might take as long as five minutes to take effect; other domain controllers in the enterprise receive the change after the five-minute interval plus replication time.
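
Once the audit events are flowing, the question becomes who touched which objects. The following PowerShell script is an added example, not part of the original FAQ, that summarises Directory Service Access events from a DC's Security log. On Windows 2000 the relevant event is ID 565 (Object Open) in the Directory Service Access category; on Windows Server 2008 and later it is ID 4662, which is what this script reads, since PowerShell is not available on Windows 2000. It assumes you run it on the DC (or name one with -ComputerName) with rights to read the Security log; the 24-hour window is an arbitrary choice.

```powershell
# Added example, not from the original FAQ: summarise Directory Service Access
# audit events (ID 4662 on Server 2008+; the Windows 2000 predecessor was 565)
# from a DC's Security log. Assumptions: run on or against a DC with rights to
# read the Security log; the 24-hour window is arbitrary.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)

$filter = @{
    LogName   = 'Security'
    Id        = 4662
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The fields we want are only in the event's XML payload, not in Message.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Outcome    = if ($e.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
        User       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        ObjectType = $data['ObjectType']      # schema class GUID or name of the object touched
        Object     = $data['ObjectName']      # DN (or GUID) of the object
        AccessMask = $data['AccessMask']      # e.g. 0x10 = Read Property, 0x20 = Write Property
        Properties = ($data['Properties'] -replace '\s+', ' ').Trim()
    }
}

if (-not $rows) {
    "No Directory Service Access events in the last $Hours hours on $ComputerName."
    "Check that Audit Directory Service Access is enabled and that the objects have SACLs."
    return
}

# Failures first: a burst of failed reads of many objects by one account is the
# pattern that deserves a second look (enumeration attempts, broken service accounts).
$rows | Where-Object Outcome -eq 'Failure' |
    Sort-Object Time -Descending |
    Format-Table Time, User, ObjectType, Object, AccessMask -AutoSize

# Then the noisiest accounts overall.
$rows | Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```

Expect 4662 to be high-volume on a busy DC: scope the SACLs to the OUs and attributes you actually need to watch rather than auditing everything, and feed the output into whatever log pipeline you already have rather than reading it by hand.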

FAQ 15.65
Why has my user group person icon's hair gone gray?

According to the Microsoft Knowledge Base, this behavior isn't a result of a stressed-out group but of a bug in Windows 2000 that changes the icon's hair color from black to gray when a group has more than 500 members. Functionality doesn't change, and the hair-color change has no other effect (except that the group appears older and slightly more distinguished).

FAQ 15.66
How do I move objects within my forest?

You can use the Microsoft Windows 2000 Resource Kit’s Movetree utility to
move organizational units (OUs), users, or computers between domains in a forest.
This capability is useful for consolidating domains or to reflect organizational
restructuring.
You can't use Movetree to move certain objects, such as domain local and global groups, because their membership is specific to a domain. If you move a container that holds such objects, the utility leaves them behind in an orphan container under the source domain's LostAndFound container.
Movetree also doesn’t move associated data, such as policies, profiles, logon scripts,
and personal data. To move these items, use the Remote Administration Scripts tool
to write custom scripts.
Movetree’s syntax is
movetree [/start | /continue | /check] [/s SrcDSA] [/d DstDSA] [/sdn
SrcDN] [/ddn DstDN] [/u DomainUsername] [/p Password] [/quiet]

The following table describes each option:
/start               Starts a Movetree operation with the /check option by default. Use /startnocheck to start a Movetree operation without a check.
/continue            Continues a failed Movetree operation.
/check               Checks the whole tree before moving an object.
/s <SrcDSA>          Source server's fully qualified primary DNS name. Required.
/d <DstDSA>          Destination server's fully qualified primary DNS name. Required.
/sdn <SrcDN>         Source subtree's root distinguished name (DN). Required for /start and /check operations. Optional for /continue operations.
/ddn <DstDN>         Destination subtree's root DN: the relative distinguished name (RDN) of the moved object plus the destination parent DN. Required.
/u <DomainUserName>  Domain name and user account name. Optional.
/p <Password>        Password. Optional.
/quiet               Quiet mode. Doesn't include screen output. Optional.

Run the Movetree utility in /check mode first, to perform a test without carrying out
the action. You’ll see any errors that will occur, and the utility will write these errors to
the file MOVETREE.ERR in your current directory. If your test is OK, proceed with
the /start option.
An example Movetree command is
movetree /check /s titanic.market.savilltech.com /d
pluto.legal.savilltech.com /sdn
OU=testing,DC=Market,DC=Savilltech,DC=COM /ddn
OU=test2,DC=Legal,DC=Savilltech,DC=COM

This command would move the OU testing from the domain market.savilltech.com to
the OU test2 in the domain legal.savilltech.com.

FAQ 15.67
How do I allow modifications to the schema?

The schema is extensible, which means that you can change it. However, modifying the schema is a significant step because the schema is forest-wide: every domain in the forest receives the change. Microsoft warns against casual schema changes because a class or attribute you add can later be deactivated but never deleted.

If you insist on modifying the schema, you can use the GUI or edit the Registry. To
use the GUI, you must first register the .DLL file for the Microsoft Management Console (MMC) snap-in. Go to a command prompt and enter
regsvr32 schmmgmt.dll

Then, use the Microsoft Windows 2000 Resource Kit’s Tools console to start the
Schema Manager. Alternatively, create a custom MMC to start the Schema Manager.
Next, add the Active Directory Schema snap-in to the Schema Manager. From the
Start menu, select Run and enter
MMC

From the Console menu, select Add/Remove Snap-in. Click Add and select Active
Directory Schema. Finally, click Add, Close, and then OK.
1. Start the MMC Active Directory Schema snap-in on the domain controller (DC).
2. In the left-most pane, right-click Active Directory Schema, and select Operations Master from the context menu.
3. You'll see the name of the machine that holds the schema master Flexible Single-Master Operation (FSMO) role, as shown in Figure 15-33. Schema changes are accepted only on that DC.

Figure 15-33 Enabling schema modification (Be careful!)

4. Select the Schema may be modified on this server checkbox.
5. Click OK in the confirmation dialog box.
Another way to allow schema modification is to edit the Registry on the schema master:
1. Start Regedit.
2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters Registry key.
3. Double-click Schema Update Allowed (of type REG_DWORD); if it doesn't exist, create it.
4. Set the value to 1.
5. Click OK.
6. Close the Registry editor.
Set the value back to 0 (or clear the checkbox) when you've finished, so that schema changes aren't accepted by accident later.

FAQ 15.68
How do I switch my Windows 2000 domain to native mode?

Windows 2000 domains have two modes: mixed and native. Mixed-mode domains let Windows NT 4.0 BDCs participate in a Win2K domain.
In a native-mode domain, only Win2K-based domain controllers (DCs) can participate; NT 4.0 BDCs can no longer act as DCs, so upgrade or decommission them first. Switching to native mode enables universal security groups and full group nesting (e.g., global groups inside other global groups), which mixed mode doesn't permit. NetBIOS-based clients can still use their NetBIOS domain names to log on, even in native mode. Note that the switch is one-way: once a domain is in native mode, you can't return it to mixed mode.
To switch a Win2K domain to native mode, perform the following steps:
1. Start the Microsoft Management Console (MMC) Active Directory
Domains and Trusts snap-in.
2. Right-click the domain you want to convert to native mode and select
Properties.
3. Select the General tab.
4. Click Change Mode, as shown in Figure 15-34.
5. Click Yes in the confirmation dialog box.
6. Click Apply to return to the main dialog box.
7. Click OK.
Check all the DCs in the domain. If you can’t contact a DC (e.g., if the DC is in a
remote site and connects only periodically), the remote DC will switch to native mode
the next time replication occurs.

Figure 15-34 Switching the domain to native mode

FAQ 15.69
How can I move the NTDS.DIT file?

The NTDS.DIT file contains the Active Directory (AD) data for your domain and is stored in the %systemroot%\ntds folder by default. This file can become very large. To improve performance, you might want to move it to a faster drive. To do so, perform the following steps:
1. Restart the domain controller (DC).
2. Press F8 at the Startup menu when the system displays the list of OSs.
3. Select Directory Services Restore Mode.

4. Select the appropriate installation, if more than one exists, and then log on as an
administrator at the logon prompt.
5. Start a command prompt (Start > Run > CMD.EXE).
6. Start the NTDS utility, NTDSUTIL.EXE.
7. At the ntdsutil prompt, type files as follows:
ntdsutil: files

8. At the file maintenance prompt, type the following:
file maintenance: move DB to [new location for the database]

9. To view the database, at the file maintenance prompt, type info as follows:
file maintenance: info

10. To verify the integrity of the database at its new location, at the file maintenance
prompt, type integrity as follows:
file maintenance: integrity

11. Type quit twice to return to a C prompt.
12. Restart the computer in Normal mode.

FAQ 15.70
Why is the size of the NTDS.DIT file different on different domain controllers?

The NTDS.DIT file contains Active Directory (AD) information, and because all
domain controllers (DCs) replicate AD, you might expect the file to be the same size on
all DCs. However, you might find differently sized files because the database file is created individually on each DC, and the data—not the database file—replicates. Thus,
several factors can lead to files with different sizes:
• Over time, the database can become fragmented. Although objects are deleted
while the database is online, you can’t compact the database online (compacting
requires a manual offline defragmentation).
• If a DC is a Global Catalog (GC), it contains information about objects of other
domains in the forest, thus making it larger than non-GC servers.

• The displayed size of the NTDS.DIT file is the size of the file when you started
the DC; if many objects are added and you restart one DC, that DC’s NTDS.DIT
file size will appear larger.

FAQ 15.71
How do I reset a machine account password?

Like user accounts, machine accounts in a domain have passwords that change automatically (every 30 days by default). The domain stores the previous and current passwords, so the previous password is still accepted for authentication if the machine has changed its password but the new one hasn't yet replicated to every domain controller.
If the password changes twice before the first change has replicated, the computers that use it can lose the ability to communicate. In this case you would see an error such as "Access Denied" when Active Directory (AD) replication occurs. Passwords can also fall out of sync between domain controllers in the same domain during replication.
You can reset a machine account password manually. You must use the Netdom tool rather than the Active Directory Users and Computers snap-in; Netdom ships in the Windows 2000 Support Tools (the \Support\Tools folder on the installation CD). To reset a machine account password, enter
netdom resetpwd /server:<servername> /userd:<domain>\Administrator /passwordd:*

After you enter the command, you’ll see the following.
Type the password associated with the domain user:
The machine account password for the local machine has been
successfully reset.
The command completed successfully.

Run this Netdom command on the machine whose password you want to reset. The server you name must be a domain controller in the domain, and the user account must have administrative rights over the computer account whose password you're changing.
Restart the machine for the change to take effect. Because Netdom resets the password on the local machine and on the named domain controller in the same operation, the two computers are synchronized immediately, and AD replication then carries the change to the other domain controllers.
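
On Windows 8 and Windows Server 2012 and later, PowerShell can do the same job as netdom resetpwd and, more usefully, tell you first whether the reset is needed at all. The following function is an added example, not part of the original FAQ: it tests the machine's secure channel to a named DC, repairs it (which resets the machine account password on both sides) only if the test fails, and verifies the result. The names are hypothetical and follow the page's examples; run it elevated on the affected machine.

```powershell
# Added example, not from the original FAQ. Modern equivalent of "netdom resetpwd":
# Test-ComputerSecureChannel checks the machine account's secure channel to a DC,
# and -Repair resets the machine account password on the local machine and on
# that DC in one operation. Hypothetical names: TITANIC is the DC and
# SAVILLTECH\Administrator has rights over the computer object. Run elevated.
function Repair-MachineSecureChannel {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # Don't reset a password that works: a needless reset just creates the
    # replication window the FAQ describes.
    if (Test-ComputerSecureChannel -Server $Server -ErrorAction SilentlyContinue) {
        return "Secure channel to $Server is healthy; no reset needed."
    }
    # Resets the password here and on $Server together, so both sides agree; the
    # change then replicates to the other DCs.
    $ok = Test-ComputerSecureChannel -Server $Server -Repair -Credential $Credential
    if (-not $ok) {
        throw "Repair against $Server failed; check the account's rights on the computer object"
    }
    # Unlike netdom on Windows 2000, no reboot is required, but verify before trusting it.
    if (Test-ComputerSecureChannel -Server $Server) {
        return "Machine account password reset against $Server; secure channel re-established."
    }
    throw "Reset reported success but the secure channel is still broken; retry against another DC"
}

Repair-MachineSecureChannel -Server 'TITANIC.savilltech.com' `
                            -Credential (Get-Credential 'SAVILLTECH\Administrator')
```

Name a DC you know is healthy and reachable; if the machine's own site has only the DC whose copy of the password is stale, point -Server at one elsewhere and let replication sort out the rest.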

FAQ 15.72
How can I let users search, but not browse, Active Directory?

You can use either a policy setting or the Registry to hide the Active Directory folder from browsing in My Network Places while leaving the directory search function available.
To use the policy setting method, perform the following steps:
1. Open Group Policy with the Group Policy editor (GPE).
2. Navigate to User Configurations > Administrative Templates >
Desktop > AD.
3. Double-click Hide Active Directory folder.
4. Select the Policy tab.
5. Click Enabled and click OK.
6. Close the policy.
To use the Registry to complete the same task, perform the following steps:
1. Start the Registry editor (e.g., REGEDIT.EXE).
2. Navigate to HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft.
3. If the Windows key doesn’t exist, click Edit > New > Key to create
the key.
4. Look for Directory UI under the Windows key, and if it doesn’t exist, click
Edit > New > Key to create the key.
5. From the Edit menu, select New > DWORD Value.
6. Enter a name of HideDirectoryFolder and press Enter.
7. Double-click the new value, set it to 1, and click OK.
8. Close the Registry editor.

FAQ 15.73
How does ntdsutil know it's in Directory Services Restore Mode?

When you start the domain controller (DC) in Directory Services Restore Mode, the DC sets the environment variable SAFEBOOT_OPTION to DSREPAIR, and ntdsutil checks that variable to decide whether operations that need the directory offline (such as moving or compacting the database) are allowed. If you want to look at something in ntdsutil that is permitted only in that mode, you can trick the program by typing the following at a command prompt:
set SAFEBOOT_OPTION=DSREPAIR

Don’t use this approach on a live or important machine because it could result in system damage if you try to perform system modifications when the system isn’t in Directory Restore mode.

FAQ 15.74
How can I prevent the OS from storing LAN Manager (LM) hashes in Active Directory and the SAM?

Both Windows XP and Windows 2000 support several authentication methods, including LAN Manager (LM), NT LAN Manager (NTLM), and NTLM version 2 (NTLMv2). For backward compatibility with LM, the OS stores an LM hash of each password alongside the NT hash. The LM hash is weak: the password is converted to uppercase, truncated or padded to 14 characters, and split into two 7-character halves that are hashed independently, so each half can be cracked on its own from a small key space. Starting with Win2K Service Pack 2 (SP2), Microsoft addressed this weakness by adding the ability to disable the storage of LM hashes.
To disable LM hashes in Win2K, perform the following steps:
1. Start the Registry editor (REGEDIT.EXE) on the domain controller (DC).
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
3. From the Edit menu, select New > Key.
4. Enter NoLMHash as the key name and press Enter. (In Win2K the presence of the key is the switch; it has no value to set.)
5. Close the Registry editor.
6. Restart the computer for the change to take effect.
To disable LM hashes in XP, perform steps 1 and 2 above; at step 3, from the Edit menu select New > DWORD Value instead, name it NoLMHash, set it to 1, and complete steps 5 and 6. The two OSs look for different things (a key on Win2K, a DWORD value on XP and later), so use the form for the OS you're on. On both platforms the setting affects only passwords set after the change: an account's existing LM hash stays in the database until the user next changes his or her password, so force a password change to finish the job.
In XP, you can also use Group Policy (GP) to disable LM hashes under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options; locate the Network Security policy entitled "Do not store LAN Manager hash value on next password change." Be aware that if you set this option, some components that rely on LM hashes (e.g., the Windows 9x change-password operation, and Win9x client authentication if you don't have the Directory Services client pack installed) might not work as expected.
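
The key-versus-value distinction above is where this setting most often goes wrong: a NoLMHash key copied from Windows 2000 instructions onto a newer machine silently does nothing. The following PowerShell script is an added example, not part of the original FAQ or of any Microsoft tool, for Windows XP, Server 2003 and later (PowerShell does not run on Windows 2000, so the key form is only detected, not created). It sets the DWORD, warns if the ineffective key form is present, reads the value back, and prints the password-change caveat. It assumes it runs elevated on the DC or, for local SAM accounts, on each member machine.

```powershell
# Added example, not from the original FAQ: apply NoLMHash in the form that
# Windows XP / Server 2003 and later honour (a REG_DWORD value), and warn if only
# the Windows 2000 form (a key named NoLMHash) is present, which these OSs ignore.
# Assumption: run elevated on the DC (or on a member machine for its local SAM).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Set-NoLMHash {
    # Returns the effective NoLMHash value after the change (1 = hashes no longer stored).
    if (Test-Path "$lsa\NoLMHash") {
        Write-Warning ("A NoLMHash *key* exists under Lsa. That is the Windows 2000 switch; " +
                       "this OS ignores it. The DWORD value set below is what counts.")
    }
    New-ItemProperty -Path $lsa -Name 'NoLMHash' -Value 1 -PropertyType DWord -Force | Out-Null
    $now = (Get-ItemProperty -Path $lsa -Name 'NoLMHash').NoLMHash
    if ($now -ne 1) { throw "NoLMHash read back as '$now', expected 1" }
    return $now
}

function Test-NoLMHash {
    # True only when the DWORD form is present and set to 1; the key form alone is not enough here.
    $v = (Get-ItemProperty -Path $lsa -Name 'NoLMHash' -ErrorAction SilentlyContinue).NoLMHash
    return ($v -eq 1)
}

if (Test-NoLMHash) {
    "NoLMHash=1 is already set."
} else {
    Set-NoLMHash | Out-Null
    "NoLMHash=1 set."
}
# The setting is not retroactive: every account keeps its stored LM hash until its
# next password change. On a DC, a domain-wide forced change is what actually clears them.
"Existing LM hashes remain until each account's next password change."
```

Remember the Win9x caveat from the FAQ before forcing password changes domain-wide: clients that still depend on LM authentication need the Directory Services client pack (or retiring) first.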

FAQ 15.75
How do I publish a shared folder in Active Directory?

The usual way to connect to a shared folder is either to browse a specific machine for its visible shares (those whose names don't end in $) or to know the share's Uniform Naming Convention (UNC) path in advance. However, you can also publish shared folders in Active Directory (AD), so that users can find them by searching the directory:
1. Start the Microsoft Management Console (MMC) Active Directory Users and
Computers snap-in.
2. Select the container you want to house the shared folder and right-click it.
3. Select New > Shared Folder from the context menu.
4. In the display dialog box, enter a name for the share and the share’s UNC.
5. Click OK.
The share you create will be visible in Windows Explorer under My Network
Places > Entire Network – Directory > Domain. To remove the new share, simply
right-click the shared folder in the Active Directory Users and Computers snap-in
and select Delete.

FAQ 15.76
What happens if two AD objects have the same RDN?

Every Active Directory (AD) object has a distinguished name (DN; e.g., CN=John Savill,CN=Users,DC=SavillTech,DC=Com) that uniquely identifies the object and its position in AD. The leftmost component is the relative distinguished name (RDN), the object's name relative to its parent container (e.g., CN=John Savill for the user).
Two objects with the same RDN can't exist in one container. The RDN includes the naming attribute, so within one container CN=John Savill and OU=John Savill can coexist (one names a user, the other an organizational unit), but two objects both named CN=John Savill can't.
The only way to end up with a duplicate RDN is to create two objects with the same name in the same container on different domain controllers (DCs) before the first has replicated. At the next replication cycle, the system resolves the conflict by renaming the losing (older) object: its RDN becomes the original name followed by a newline character, the text CNF:, and the object's GUID (e.g., CN=John Savill\0ACNF:<objectGUID>, with \0A being the LDAP escape for the newline).
To find objects that the system has renamed because of RDN collisions, use the search.vbs script from \Support\Tools\support.cab on the Windows 2000 CD as follows:

cscript search.vbs "LDAP://<server>/dc=<domain>,dc=com" /C:"(CN=*\0ACNF:*)" /P:distinguishedName /S:SubTree

Any matches will display the RDN for the renamed objects.
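The same check can be run offline against an LDIF export instead of a live LDAP query. The following Python script is an added example, not part of the book: it assumes an ldifde-style export in which a DN containing the line feed of the CNF: rename is base64-encoded on a "dn::" line, and the DNs, GUID and export below are constructed.

```python
"""Find Active Directory objects that replication renamed after an RDN collision.

When two objects with the same RDN are created on different DCs, the losing
object is renamed to "<RDN>\nCNF:<objectGUID>" (a line feed, then "CNF:").
That is what the FAQ's search.vbs filter (CN=*\0ACNF:*) matches on a live DC.
This script performs the equivalent check offline against an LDIF export,
where a DN containing the line feed is base64-encoded on a "dn::" line.
Added example; the sample export below is constructed, not real data.
"""
import base64
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional

CNF_MARKER = "\nCNF:"  # LF followed by "CNF:", i.e. \0ACNF: in the LDAP filter
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def ldap_conflict_filter() -> str:
    """The LDAP filter the FAQ's search.vbs command uses; \\0A is the LF escape."""
    return r"(CN=*\0ACNF:*)"


@dataclass
class ConflictObject:
    dn: str             # full DN as stored in AD (contains the line feed)
    original_rdn: str   # e.g. "CN=John Savill", the name both objects wanted
    conflict_guid: str  # objectGUID that AD appended after CNF:
    container: str      # parent DN in which the collision happened


def iter_ldif_dns(ldif_text: str) -> Iterator[str]:
    """Yield every DN in an LDIF text, unfolding continuation lines and
    decoding base64 "dn::" values (used when the DN has unsafe characters)."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # a leading space continues a line
    for line in unfolded.splitlines():
        if line.startswith("dn:: "):
            yield base64.b64decode(line[5:].strip()).decode("utf-8")
        elif line.startswith("dn: "):
            yield line[4:].strip()


def split_rdns(dn: str) -> List[str]:
    """Split a DN into its RDNs on unescaped commas (RFC 2253 backslash escapes)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep "\," and similar escapes intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return parts


def parse_conflict(dn: str) -> Optional[ConflictObject]:
    """Return a ConflictObject if the leading RDN carries the CNF: rename marker."""
    rdns = split_rdns(dn)
    first = rdns[0]
    if CNF_MARKER not in first:
        return None
    original, guid = first.split(CNF_MARKER, 1)
    if not GUID_RE.match(guid):
        return None  # "CNF:" present but not in the replication rename format
    return ConflictObject(dn=dn, original_rdn=original, conflict_guid=guid,
                          container=",".join(rdns[1:]))


def find_conflicts(ldif_text: str) -> List[ConflictObject]:
    """Scan every DN in the export and collect the objects AD renamed."""
    return [c for c in (parse_conflict(dn) for dn in iter_ldif_dns(ldif_text)) if c]


# --- constructed sample export (hypothetical names and GUID) ---
_CONFLICT_DN = ("CN=John Savill\nCNF:1f2e3d4c-5b6a-7988-9a0b-c1d2e3f4a5b6,"
                "CN=Users,DC=SavillTech,DC=Com")
SAMPLE_LDIF = "\n".join([
    "dn: CN=John Savill,CN=Users,DC=SavillTech,DC=Com",   # the object that kept its name
    "objectClass: user",
    "",
    "dn:: " + base64.b64encode(_CONFLICT_DN.encode()).decode(),  # the renamed loser
    "objectClass: user",
    "",
    "dn: CN=Smith\\, Jane,OU=Sales,DC=SavillTech,DC=Com",  # escaped comma, no conflict
    "objectClass: user",
    "",
])

if __name__ == "__main__":
    for c in find_conflicts(SAMPLE_LDIF):
        print(f"{c.original_rdn} in {c.container} was renamed (CNF:{c.conflict_guid})")
```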

FAQ 15.77 How can I move multiple users between organizational units?

You can move individual users between OUs by right-clicking the user in the Microsoft
Management Console (MMC) Active Directory Users and Computers snap-in and
selecting Move. To move multiple users, perform the following steps:
1. Start the Active Directory Users and Computers snap-in (go to Start > Programs
> Administrative Tools, and click Active Directory Users and Computers).
2. Open the OU that contains the users you want to move.
3. Select multiple users by holding down Ctrl and selecting each user (if the users
are in sequence, you can select them all by left-clicking the first name, holding
down Shift, then left-clicking the last name).
4. Right-click the last user you selected and select Move from the context menu.
5. Select the destination OU and click OK.

FAQ 15.78 How do I create a certificate trust list for a domain?

To create a certificate trust list (CTL), you first need to configure each domain with a
list of Certificate Authorities (CAs) the domain trusts, so that the domain's users can
request certificates. First, you need to install an Enterprise CA. (See FAQ 15.79.) You
also need an Administrator certificate or an explicit Trust Signing certificate. The
following steps outline how to request an Administrator certificate:
1. Start the Microsoft Management Console (MMC).
2. From the Console menu, select Add/Remove Snap-in.
3. Click Add.
4. Select Certificates and click Add.
5. Select My user account as the type and click Finish.
6. Click Close.
7. Click OK to return to the main dialog box.
8. Expand the Certificates root and right-click Personal.
9. From the All Tasks menu, select Request New Certificate, as shown in Figure 15-35.
10. Click Next in the Certificate Request Wizard dialog box.
11. Select the Administrator template and click Next.
12. Enter a user-friendly name and description, and click Next.
13. Click Finish when the confirmation screen displays.
14. When the dialog box displays to confirm the certificate creation, click Install
Certificate.
15. Finally, click OK in the success dialog box.
As shown in Figure 15-36, you can use the MMC Certificates snap-in to view the
certificate and see that the Enterprise CA, rather than the local Administrator, issued
the certificate.
To create the CTL, perform the following steps:
1. Start the MMC Active Directory Users and Computers snap-in. (From the Start
menu, select Programs > Administrative Tools > Active Directory Users and
Computers.)
2. Right-click the domain and select Properties.
3. Select the Group Policy tab.
4. Select Default Domain Policy (or another policy) and click Edit.
5. Select User Configuration > Windows Settings > Security Settings > Public Key
Policies > Enterprise Trust.
6. Right-click Enterprise Trust and select New > Certificate Trust List.
7. When the Certificate Trust List Wizard starts, click Next (see Figure 15-37).
8. You can enter a prefix for the CTL and the purpose (e.g., Encrypted File
System—EFS).
9. Click Next.
10. Select a certificate, click Add from Store, select a domain certificate, and click
OK. Click Next.
11. Select a signature (i.e., the Administrator you created), click Select from Store,
select the certificate that displays, and click OK. Click Next.
12. You can add a timestamp if you want. Click Next.
13. Enter a user-friendly name and description. Click Next.
14. Click Finish when the summary page displays.
15. Click OK in the success dialog box.
Figure 15-35 Confirmation of the native mode switch

Figure 15-36 Viewing certificates for current user

Figure 15-37 Purpose dialog of a certificate


FAQ 15.79 How do I install an Enterprise Certificate Authority?

A certificate server provides a trusted authority to confirm a private key user's identity.
A domain normally has a hierarchy of certificate servers. An enterprise root Certificate
Authority (CA) grants itself a certificate and creates subordinate CAs. The root CA
gives the subordinate CAs their certificates, and the subordinate CAs in turn grant
certificates to users.
For automatic certification, a domain needs an Enterprise CA to let clients request
certificates, such as an Encrypted File System (EFS) recovery certificate. To install an
Enterprise CA, perform the following steps.
1. Start the Control Panel Add/Remove Programs applet.
2. Click Add/Remove Windows Components to start the Windows Components
Wizard.
3. Click Next when the welcome screen appears.
4. When the list of components displays, select the Certificate Services checkbox
and click Next.
5. Then, you need to select the type. Types include the following:
   Enterprise root CA
   Enterprise subordinate CA
   Standalone root CA
   Standalone subordinate CA
   Select Enterprise root CA and click Next.
6. Enter a CA name and other information about the organization, as shown in
Figure 15-38. Click Next.
7. Accept the default location for the certificate database (i.e.,
%systemroot%\System32\CertLog). Click Next.
8. If Microsoft IIS is running, the service will stop and a dialog box will display.
Click OK.
9. The wizard generates a list of files to copy and installs them, along with the
service and system configuration. You might need to insert the Windows 2000
Server CD-ROM.
10. When the wizard completes, click Finish.
A shortcut to the Microsoft Management Console (MMC) Certificate Authority
snap-in will now appear in the Administrative Tools folder.
Figure 15-38 Certificate information

FAQ 15.80 How does a user request a certificate over the Web?

The Windows 2000 Certification Service installation adds a virtual directory called
CertSrv pointing to %systemroot%\System32\CertSrv. You can use this directory to
request certificates over an intranet.
1. Go to http://<Certificate Authority server>/certsrv.
2. Select Request a certificate and click Next.
3. Select User Certificate and click Next.
4. Click More Options to see various Cryptographic Service Providers (CSPs).
Selecting Advanced lets you set the key size, hash algorithm, etc.
5. Click Submit.
6. After the certificate generates, click Install this certificate.
7. Close the Web page.
After the certificate installs, you can use the user's Microsoft Management Console
(MMC) Certificates snap-in to view it.

Active directory

  • 1.
    15 ACTIVE DIRECTORY A ctive Directory(AD) is Microsoft’s implementation of a Directory Service. DSs store data in an organized format and can publish and access the data. AD isn’t a Microsoft innovation but is an implementation of an existing model (i.e., X.500), communication mechanism (i.e., Lightweight Directory Access Protocol—LDAP), and location technology (i.e., DNS). To understand AD, you must understand what it is supposed to achieve. A directory is simply a container for other information. A telephone directory is an example of a DS, because a telephone directory contains data and a means to access and use the data. For example, a telephone directory has various entries, and each entry has values. A telephone directory entry consists of name, address, and telephone number values. A large directory might group entries by location (e.g., city) or type (e.g., lawyers), or by both. Thus a hierarchy of types could exist for each location. You might also consider a telephone operator a DS, because the operator has access to the data. You can request data, and the operator presents the answer to your query. AD is a type of DS that holds information about all the resources on a network. Clients can query AD for information about any aspect of the network. AD’s features include the following. • Secure information storage. Each object in AD has an ACL with a list of resources that can access the object and to what degree. • A flexible query mechanism based on an AD-generated Global Catalog (GC). Any client that supports AD can query the catalog. • Directory replication to all domain controllers (DCs) in the domain, for easy accessibility, high availability, and fault tolerance. • An extensible design that lets you add new object types or build on existing objects. For example, you could add a salary attribute to the user object. • Multiple-protocol communication. AD’s X.500 foundation lets you communicate over various protocols, such as LDAPv2, LDAPv3, and HTTP. 
• DNS rather than NetBIOS names for DC naming and location. • Directory information partitioned by domain to avoid replicating an excessive amount of information. 529
  • 2.
    530 ACTIVE DIRECTORY Although ADpartitions directory information into different stores, you can still query AD for information from other domains. GCs contain information about every object in the enterprise forest, so that you can perform a forestwide search. When you run DCPROMO (the domain controller promotion program) on a Windows 2000 machine for the first time to create a new domain, DCPROMO creates a domain on the DNS server. A client then contacts the DNS server to look up the client’s domain. The DNS server will discover not only the domain, but also the domain’s DCs. The server then sends the client the closest DC’s address. The client in turn connects and accesses the AD domain database on the closest DC to find objects (e.g., printers, file servers, users, groups, organizational units—OUs) in the domain. Because each DC stores links to other domains in the tree, the client can search an entire tree of domains. A version of AD that lists all the objects in the forest is also available in case you need to perform a search beyond the client’s tree of domains. This version is the GC. You can store the GC on any or all of the DCs in the forest. The GC provides shorthand access to objects anywhere in the forest. However, the GC contains only some of an object’s attributes. For the whole object, you must go to the domain AD (which is on a DC in the domain). You can configure the GC to provide the object attributes you want. To help you create AD objects, the DC maintains a copy of the classes and hierarchy of classes for the whole forest. AD stores class structures in the schema. The schema is extensible, which means that you can add classes to it. The schema is part of Win2K’s configuration namespace, which all the DCs in a forest maintain. A namespace is a range of labels. Win2K’s configuration namespace consists of several defined items such as physical locations, Win2K sites, and subnets. 
A site is stored within a forest; a site can contain machines from any domain, but all the machines in a site should have fast and reliable connections for DC replication. A subnet is an IP address grouping assigned to a site; subnets help speed up AD replication among DCs. Because DCs store records in an LDAP distinguished name format, AD uses LDAP to access the records. In case an application uses a name format other than the LDAP distinguished name, you can also use the LDAP URL or AD canonical name formats to access AD.
  • 3.
    FAQ 15.1 FAQ 15.1 531 Which namingconventions does Active Directory use for objects? Active Directory (AD) uses several naming conventions for objects. These naming conventions include the distinguished name (DN), relative distinguished name (RDN), Lightweight Directory Access Protocol (LDAP) URL name, LDAP canonical name, user principal name, and Security Access Manager (SAM) account name. The most popular method for naming AD objects is to use the DN. Every AD object has a DN that uniquely identifies the object in the DS. For example, the following DN /O=Internet/DC=COM/DC=SavillTech/CN=Users/CN=John Savill identifies an object as follows: • /O=Internet—Organization=Internet • /DC=COM—Domain Component=COM • /DC=SavillTech—Domain Component=SavillTech (the full Domain Component is SavillTech.com) • /CN=Users—Common Names=Users • /CN=John Savill—Common Names=John Savill A DN might also include an organizational unit (OU). For more information about DNs, see RFC 1779, “A String Representation of Distinguished Names” at (http://www.cis.ohio-state.edu/htbin/rfc/rfc1779.html). The RDN is also known as the friendly name. The RDN for the previous example is CN=John Savill. The RDN for the users container is CN=Users. LDAP URL names begin with LDAP://, then include an LDAP server and a modified DN that identifies the object (e.g., LDAP://titanic.savilltech.com/ou=Sales, cn=JSavill,dc=SavillTech,dc=com). An LDAP canonical name is the LDAP name without certain information (i.e., ou=, cn=, dc=). An example LDAP canonical name is savilltech.com/Sales/Jsavill. Many administrative tools use these names. The user principal name contains the username and DNS domain name, linked with an asterisk (@—e.g., [email protected]). The SAM account name (e.g., savillj) is in the Windows NT 4.0 format. Because of this name’s single-layer convention, each name must be unique within an organization. Objects are actually stored as globally unique IDs. 
A GUID is a 128-bit number that generates at object creation and is stored in the object attribute object GUID. GUIDs don’t change.
  • 4.
    532 FAQ 15.2 ACTIVE DIRECTORY What areX.500 and LDAP? X.500 is the most common directory-management protocol. Two X.500 standards exist: the 1988 version and the 1993 version. Windows 2000’s Directory Service (DS) implementation is derived from the 1993 X.500 standard. The X.500 model uses a hierarchical approach to objects in the namespace. The namespace has a root at the top, with children coming off the root. Win2K domains have DNS names (e.g., savilltech.com is a domain name, and legal.savilltech.com is a child domain of savilltech.com). Figure 15-1 shows an example domain with a DS root and several children. The first layer of children is countries. Imagine each country as a child domain of the root (e.g., usa.root.com, england. root.com). You can break each child domain into several organizations, and you can break the organizations into OUs. Various privileges and policies apply to each OU. Each OU has several objects, such as users, computers, and groups. Although Win2K’s DS is based on X.500, the access mechanism uses LDAP, which solves several X.500 problems. X.500 is part of the Open System Interconnection (OSI) model, but OSI doesn’t translate well into a TCP/IP environment. Thus, LDAP uses TCP/IP as its communication medium. LDAP reduces the number of functions available with a full X.500 implementation, providing a lean and fast DS while maintaining X.500’s overall structure. LDAP is the mechanism that communicates with AD and performs basic read, write, and modify operations. You can find more information about X.500 in D.W. Chadwick’s, “Understanding X.500—The Directory” (http://www.salford.ac.uk/its024/ Version.Web/Contents.htm). Root Countries Organizations People/Objects Figure 15-1 The X.500 hierarchical structure
  • 5.
    FAQ 15.3 FAQ 15.3 533 What DNSentries does Windows 2000 add when you create a domain? Windows 2000 domains rely heavily on DNS entries. If you enable dynamic update on the relevant DNS zones, Win2K creates these entries automatically. Following is an explanation for each entry: _ldap._tcp.<DNSDomainName> Lets a client locate a Win2K domain controller in the domain named by <DNSDomainName>. A client searching for a domain controller in the domain savilltech.com would query the DNS server for _ldap._tcp.savilltech.com. (see Figure 15-2) _ldap._tcp.<SiteName>._sites.<DNSDomainName> Lets a client find a Win2K domain controller in the domain and site specified (e.g., _ldap._tcp.london._sites.savilltech.com for a domain controller in the London site of savilltech.com). _ldap._tcp.pdc._ms-dcs.<DNSDomainName> Lets a client find the PDC Flexible Single Master Operation (FSMO) role holder of a mixed-mode domain. Only the PDC of the domain registers this record. _ldap._tcp.gc._msdcs.<DNSTreeName> Lets a client find a Global Catalog (GC) server. Only domain controllers serving as GC servers for the tree will register this name. If a server ceases to be a GC server, the server will deregister the record. _ldap._tcp.._sites.gc._msdcs.<DNSTreeName> Lets a client find a GC server in the specified site (e.g., _ldap._tcp.london._sites.gc._ msdcs.savilltech.com). _ldap._tcp.<DomainGuid>.domains._msdcs.<DNSTreeName> Lets a client find a domain controller in a domain based on the domain controller’s globally unique ID. A GUID is a 128-bit (8 byte) number that generates automatically for referencing AD objects.
  • 6.
    534 ACTIVE DIRECTORY Figure 15-2TCP entries added during the creation of an Active Directory domain controller <DNSDomainName> Lets a client find a domain controller through a normal host record. Figure 15-2 is an example DNS screen for a domain. FAQ 15.4 What is the schema? The schema is a blueprint of all the objects in a domain. When you create a new forest, a default schema contains definitions for users, computers, and domains. Because you can’t have multiple definitions of an object, you can have only one schema per forest. The file SCHEMA.INI contains the default schema’s definition, as well as the initial structure for the file NTDS.DIT (which stores directory data). The %systemroot%ntds directory contains the file SCHEMA.INI (although this can
  • 7.
    FAQ 15.5 535 be changedduring domain controller creation). The file is in plain ASCII format so that you can type it. FAQ 15.5 What is a domain tree? In Windows 2000, a domain can be a child of another domain (e.g., child.domain.com is a child of domain.com). A child domain name always includes the complete parent domain name. A child domain and its parent share a two-way transitive trust. A domain tree exists when one domain is the child of another domain. A domain tree must have a contiguous namespace, as in the left-most diagram in Figure 15-3. In the right-most diagram in Figure 15-3, the lack of contiguous names means that the domains can’t be part of the same tree. The tree’s name is the root domain name of the tree. In my example, the tree is root.com. Because domains are DNS names and because domains inherit the parent part of the name, if you rename part of a tree, all of the parent’s children are also implicitly renamed. For example, if you renamed the parent domain ntfaq.com to backoffice.com, the child domain sales.ntfaq.com would change to sales.backoffice. com. Although you can’t currently rename part of a tree, this problem will arise in future versions of the OS. You can currently create domain trees only when DCPROMO promotes a server to a DC. This restriction might change in a future OS. Placing domains in a tree yields several advantages. The most useful benefit is that all members of a tree have Kerberos transitive trusts with the domain’s parent and all the domain’s children. Transitive trusts also let any user or group in a domain tree obtain access to any object in the tree. In addition, you can use one network logon at any workstation in the domain tree. root.com child1.root.com gran.child1.root.com root.com child2.root.com child1.root.com child2.notroot.com gran.child2.root.com Figure 15-3 Legal and illegal parent-child relationships
  • 8.
    536 FAQ 15.6 ACTIVE DIRECTORY What isa domain forest? You might have several domain trees in your organization that need to share resources. To solve this problem, you can join the trees to form a forest. A forest is a collection of trees that don’t necessarily form a contiguous namespace (although each tree must be contiguous). This arrangement might be useful if your company has multiple root DNS addresses, as in Figure 15-4. As Figure 15-4 shows, two root domains connect through a transitive, two-way Kerberos trust (much like the trust between a child and parent). Forests always contain a domain’s entire domain tree. You can’t create a forest that contains only part of a domain tree. When you promote a server to a domain controller (DC), DCPROMO creates a forest if the user selects to create a new forest. Forest creation can’t occur at any other time, although this restriction may change in a future OS. You can add as many domain trees to a forest as you want. All the domains in a forest can grant object access to any user in the forest. Thus, the administrator doesn’t need to manually manage the trust relationships. Creating a forest provides the following benefits: • All the trees have a common Global Catalog (GC) that contains specific information about every object in the forest. • All the trees contain a common schema. Microsoft hasn’t confirmed what happens if two trees have different schemas before you join the trees, because you currently can’t join two trees (although in .NET you can link trees using transitive trusts). However, this problem will arise in future versions of the OS. I assume the changes will merge. Transitive Kerberos Trust root.com child1.root.com gran.child1.root.com child2.root.com ntfaq.com legal.ntfaq.com ads.ntfaq.com banner.ads.ntfaq.com Figure 15-4 Two trees connected via a transitive Kerberos trust to create a forest
  • 9.
    FAQ 15.7 537 • Performinga search in a forest initiates a deep search of the entire tree in the domain you initiate the request from and uses the GC entries for the rest of the forest. You might prefer not to join trees into a forest. Instead, you can create normal trusts between individual tree domains. FAQ 15.7 What is a Kerberos trust? Windows NT 4.0 trust relationships aren’t transitive. Therefore, if domain2 (e.g., Marketing, in Figure 15-5 ) trusts domain1 (Sales), and domain3 (Development) trusts domain2 (Marketing), domain3 (Development) doesn’t trust domain1 (Sales). The arrow denotes the direction of the trust relationship. The arrow head is the trusted domain; the other end is the trusting domain. PDC Sales This trust relationship is not created by default; it would need to be created explicitly. PDC PDC Marketing Development Figure 15-5 A nontransitive trust environment showing that the Development domain would not implicitly trust the Sales domain
  • 10.
    538 ACTIVE DIRECTORY In Windows2000, the trust relationships that connect members of a tree or forest are two-way, transitive Kerberos trusts. Thus, all the domains in a tree implicitly trust all the other domains in the tree or forest. Because trusts occur automatically when a domain joins a tree, time-consuming trust administration is unnecessary. Kerberos is Win2K’s primary security protocol. Kerberos verifies a user’s identity and a session’s data integrity. Each DC has Kerberos services on it, and every Win2K workstation and server has a Kerberos client. A user’s initial Kerberos authentication gives the user one logon session to enterprise resources. Kerberos isn’t a Microsoft protocol but is based on MIT’s Kerberos 5.0. For more information about Kerberos, see the Internet Engineering Task Force (IETF) Requests for Comments (RFC) 1510, “The Kerberos Version 5 GSS-API Mechanism” (http://www.ietf.org/rfc/rfc1510.txt? number=1510). FAQ 15.8 How do I automatically upgrade a server to a domain controller during installation? You can automatically run DCPROMO during an unattended installation. Enter the command dcpromo /answer:%path_to_answer_file% In my example, the DCInstall section and parameters are added directly to the unattended answer file. The Microsoft Windows 2000 Resource Kit details the DCInstall section’s parameters in the file UNATTEND.DOC. I’ve listed the main entries in the following table: AdministratorPassword The new password for the domain Administrator account AutoConfigDNS Specifies whether the wizard should configure DNS ChildName Name of the child part of the domain CreateOrJoin Specifies whether the domain will join an existing forest or create a new one DatabasePath Location for the Active Directory database DNSOnNetwork Used when a new forest of domains is installed and no DNS client is configured on the computer DomainNetBiosName NetBIOS name for the domain
  • 11.
    FAQ 15.8 539 IsLastDCInDomain Only validwhen demoting an existing domain controller to a member server LogPath Path for the Directory Service (DS) logs NewDomainDNSName Name of the new tree or when a new forest is created ParentDomainDNSName Specifies the name of the parent domain Password Password for the username used to promote the server RebootOnSuccess Specifies whether an automatic reboot should be performed ReplicaDomainDNSName Name of the domain to be replicated from ReplicaOrMember Specifies whether a Windows NT 4.0 or 3.51 BDC being upgraded should become a replica domain controller or be demoted to a regular member server ReplicaOrNewDomain Specifies whether the machine is a new domain controller in a new domain or a replica of an existing domain SiteName Name of the site (Default-First-Site by default) SysVolPath Path of SYSVOL TreeOrChild Specifies whether entry is a new tree or child of existing domain UserDomain Domain for the user being used in promotion UserName Name of the user performing the upgrade Because the DCPROMO process occurs after setup, the created answer file is called $WINNT$.INF and copies to the system32 folder. The parameters are in this file, so you need to add the following text to the GUIRunOnce section of the unattended Setup answer file: [GUIRunOnce] "DCpromo /answer:%systemroot%system32$winnt$.inf" After the DCPROMO process completes, DCPROMO removes password information from the $WINNT$.INF file. To make this process easier because the RunOnce command doesn’t execute until someone logs on to the computer, you can add the following text to the unattended answer file: [GUIUnattended] Autologon = yes ; automatically logs on the administrator account AutoLogoncount = n ; number of times to perform auto-admin logon
  • 12.
    540 ACTIVE DIRECTORY Don’t useitems such as %systemroot% or %windir% because the unattended installation process doesn’t understand them. You can just create a DCInstall section directly in your UNATTEND.TXT file to avoid having multiple unattended setup files. Enter text such as the following. [DCInstall] AdministratorPassword = cartman CreateOrJoin = Create DomainNetBiosName = savtech NewDomainDNSName = savtech.com RebootOnSuccess = Yes ReplicaOrNewDomain = Domain SiteName = "London" TreeOrChild = Tree My example script would create a new forest with domain savtech.com at the top and the new domain controller in the site London. The SYSVOL, logs, and Active Directory (AD) files would be in the default locations. The new domain Administrator account password would be cartman. If you want to use DCPROMO outside an unattended installation, enter dcpromo /answer:<DCInstall answer filename> You’ll see a dialog box that says “DCPROMO is running in unattended mode”. Then, the machine will reboot. FAQ 15.9 How do I change my Windows 2000 domain’s NetBIOS name? Although Windows 2000 domain names are DNS based (e.g., savilltech.com), when Win2K launches the domain controller promotion program DCPROMO, this program also specifies a NetBIOS name for backwards compatibility with older clients and domain controllers. This NetBIOS name is typically the leftmost part of the DNS name (e.g. savilltech), although the user can specify a different NetBIOS name. After DCPROMO sets a NetBIOS name, you must demote all the domain controllers and recreate the domain if you want to change the NetBIOS name. However, doing so would cause you to lose all domain objects. To prevent this problem, you can back up the objects before you recreate the domain and then reimport the objects.
  • 13.
    FAQ 15.10 541 If you’reupgrading a Windows NT 4.0 domain to Win2K, you can’t change the NetBIOS name while DCPROMO is running. You must use the NT 4.0 domain’s NetBIOS name, although you can have a different DNS name. FAQ 15.10 How do I create a new Active Directory site? Active Directory (AD) has sites, which you can use to group servers into containers that mirror your network’s physical topology. Sites also let you configure replication between domain controllers (DCs). In addition, you can map several TCP/IP subnets to sites so that new servers can automatically join the correct site depending on their IP address and so that clients can easily find the DC closest to them. When you create the first DC, AD creates the default site Default-First-Site-Name and assigns the DC to this site. Subsequent DCs also add to this site, although you can later move the DCs to other sites. You can rename the default site if you want. You use the Microsoft Management Console (MMC) Active Directory Sites and Services snap-in to create and administer sites. To create a new site, perform the following steps. 1. Start the MMC Active Directory Sites and Services snap-in. (From the Start menu, select Programs > Administrative Tools > Active Directory Sites and Services.) 2. Right-click the Site branch and select New > Site from the context menu. 3. Enter a name for the site (e.g., NewYork). The name must be 63 characters or fewer and can’t contain spaces or periods. You must also select a site link (only one site link, DEFAULTIPSITELINK, exists by default). Alternatively, enter IP 4. Click OK. After you create the site, you can assign various IP subnets to the site as follows. 1. Start the MMC Active Directory Sites and Services snap-in. (From the Start menu, select Programs > Administrative Tools > Active Directory Sites and Services.) 2. Expand the Sites branch. 3. Right-click Subnets and select New > Subnet, as the screen shows. 4. 
In the past, you needed to enter the subnet name in the form “network/bits masked” (e.g., for network 200.200.201.0 with subnet mask 255.255.255.0,
  • 14.
    542 ACTIVE DIRECTORY you’d enter200.200.201.0/24). However, this method proved too complicated. Now, you simply enter the address and mask, as shown in Figure 15-6. 5. Then select the site to associate the subnet with. 6. Click OK. After you have a subnet linked to a site, you can assign multiple subnets to the site. Determining the bits masked portion of the subnet name can be confusing. This value is the number of bits set in the subnet mask. The subnet mask consists of four sets of 8 bits. You can use Figure 15-7 to convert the subnet mask to bits. For example, the subnet mask 255.255.255.0 is 11111111.11111111.11111111. 00000000 in binary, which uses 8 + 8 + 8 bits (i.e., 24) to define the subnet mask. The subnet mask 255.255.252.0 is 11111111.11111111.11111100.00000000 in binary, which is 8 + 8 + 6, or 22. Figure 15-6 Creating a new subnet for a site
  • 15.
    FAQ 15.11 1 1 1 1 1 1 1 1 128 64 32 16 8 4 2 1 543 = 255 Figure 15-7How the 8-bit part of an IP address is calculated After you define multiple sites, new DCs that you use DCPROMO to create will automatically join the site that matches their IP address. If no site exists for a DC’s IP subnet, the DC will join the site that authorized the DC’s promotion. FAQ 15.11 How do I create a new site link? After you create sites of IP subnets, you must link the sites together. You can add new sites to the default IP site link DEFAULTIPSITELINK as you create the sites, or you can select another existing site link. You can also create a new site link. 1. Start the Active Directory Sites and Services MMC snap-in. (Select Programs > Administrative Tools > Active Directory Sites and Services from the Start menu.) 2. Expand the Sites branch. 3. Expand the Inter-Site Transports branch. 4. Right-click the protocol for the type of site link you want to create (i.e., IP or SMTP) and select New Site Link. 5. Enter a name for the link and select the sites that you want to be part of the link, as shown in Figure 15-8. Then click OK.
  • 16.
    544 ACTIVE DIRECTORY Figure 15-8Selecting the sites for a site link FAQ 15.12 How do I disable site link transitivity? Site links are bridged together to make them transitive so that the Knowledge Consistency Checker (KCC) can create connection objects between domain controllers. You can disable site link transitivity, then manually bridge specific site links to achieve more control. 1. Start the Active Directory Sites and Services MMC snap-in. (Select Programs > Administrative Tools > Active Directory Sites and Services from the Start menu.) 2. Expand the Sites branch. 3. Expand the Inter-Site Transports branch. 4. Right-click the protocol you want to disable transitivity for (i.e., IP or SMTP) and select Properties. 5. Clear the Bridge all site links checkbox, as shown in Figure 15-9, and click Apply. 6. Click OK.
Figure 15-9 Disabling the bridging of all site links

FAQ 15.13 How do I rename a site?

When you install your first domain controller, the domain controller creates the default site Default-First-Site-Name. This name isn’t helpful, so you might want to rename it.

1. Start the Microsoft Management Console (MMC) Active Directory Sites and Services snap-in. (Select Programs > Administrative Tools > Active Directory Sites and Services from the Start menu.)
2. Expand the Sites branch.
3. Right-click the site you want to rename (i.e., Default-First-Site-Name) and select Rename, as shown in Figure 15-10. (Alternatively, select the site and press F2.)
4. Enter the new name and press Enter.
Figure 15-10 Rename option from a site context menu

FAQ 15.14 How can a server belong to more than one site?

By default, a server belongs to only one site. However, you might want to configure a server to belong to multiple sites. Because sites are necessary for replication, for clients to find resources, and to decrease traffic on intersite connections, simply modifying a site’s membership might cause performance problems. To configure a server for multiple site membership, perform the following steps.

1. Log on to the server you want to join multiple sites.
2. Start Regedt32.
3. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters Registry entry.
4. Select Add Value from the Edit menu.
5. Enter the name SiteCoverage and the type REG_MULTI_SZ.
6. Click OK.
7. Enter the names of the sites to join, each on a new line. (Press Shift+Enter to move to the next line.)
8. Click OK.
9. Close the Registry editor.

This process doesn’t create the objects in Active Directory (AD) to evaluate the sites. You must add these objects manually.

FAQ 15.15 How do I move a server to a different site?

If your sites and subnets are configured, new servers are automatically added to the site that owns the subnet. However, you can manually move a server to a different site.

1. Start the Microsoft Management Console (MMC) Active Directory Sites and Services snap-in. (From the Start menu, select Programs > Administrative Tools > Active Directory Sites and Services Manager.)
2. Expand the Sites container.
3. Expand the site that currently contains the server and expand the Servers container.
4. Right-click the server and select Move from the context menu, as shown in Figure 15-11.
5. You’ll see a list of all the sites. Select the new target site and click OK.

The move takes effect immediately.
Figure 15-11 Selecting the Move option for a server within a site

FAQ 15.16 What is multimaster replication?

In a Windows 2000 domain, all domain controllers (DCs) are equal. Thus, you can make changes on any DC. Servers’ complete domain directories are kept up-to-date with one another through a process of multimaster replication. Each time you make a change to AD, the update sequence number (USN) of the server on which the change is made increases by one. AD then stores the new USN, as well as the change. These changes must replicate to all the DCs in the domain; the USN provides the key to multimaster replication.

USN increments are atomic in operation, which means that the increment to the USN and the actual change occur together as one operation. If one part fails, the whole change fails (except that the USN would still have been incremented). A change can’t occur without the USN being incremented; therefore, changes can’t be lost.

Each DC keeps track of the highest USNs of the DCs it replicates with. This procedure lets a DC calculate which changes must replicate on a replication cycle. At the start of a replication cycle, each server checks its USN table and queries the DCs it replicates with for the DCs’ latest USNs. The following is an example USN table for Server A.
Domain Controller B   54
Domain Controller C   23
Domain Controller D   53

Server A queries the DCs for their current USNs and gets the following information.

Domain Controller B   58
Domain Controller C   23
Domain Controller D   64

From this information, Server A can calculate the changes it needs from each server, as follows.

Domain Controller B   55-58
Domain Controller C   None
Domain Controller D   54-64

Server A then queries each DC for the necessary changes.

Multiple changes to an object’s property can occur. Every property has a property version number, which helps detect collisions. Property version numbers work like USNs: Each time you modify a property, the property version number increases by one. If you try to modify an object’s property multiple times, the change with the highest property version number takes precedence. A collision occurs when the property version numbers are the same for two or more property updates. When two property version numbers match, the timestamp helps resolve the conflict. Because every change has a timestamp, DCs’ clocks must be accurate with one another. In the unlikely event that the property version numbers match and the timestamps match, a binary buffer comparison occurs; the change with the larger buffer size takes precedence.

Property version numbers increase only on original writes (not on replication writes, as USNs do) and aren’t server specific. Instead, a property version number travels with a property.

A propagation-dampening scheme prevents changes repeatedly going to other servers. Each server keeps a table of up-to-date vectors, which are the highest originating writes received from each controller. The vectors take the following form.

<the change>,<the DC making the original change>,<the USN of the change>

For example,

<object savillj, property Password xxx>,Titanic,54

DCs send this information with the USNs so that they can calculate whether they already have the change the other DCs are trying to replicate.
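The bookkeeping just described, as an added Python example (not code from the book): the USN-range calculation reproduces the Server A table above, the conflict resolver applies the chapter’s order (property version, then timestamp, then buffer size), and the up-to-date-vector check shows propagation dampening. The data structures, function names and the sample write values are this example’s own.

```python
"""USN bookkeeping and property-version conflict resolution from FAQ 15.16.

Added example, not the book's code: the USN table is the chapter's Server A
example; the conflict order (property version, then timestamp, then buffer
size) is as the chapter describes it. Data structures and names are ours.
"""
from dataclasses import dataclass


def changes_needed(highest_seen: dict, current: dict) -> dict:
    """Per replication partner, the inclusive USN range to request, or None.

    highest_seen: this DC's table of the highest USN received from each partner.
    current: the USNs the partners report at the start of the replication cycle.
    """
    needed = {}
    for partner, usn_now in current.items():
        usn_have = highest_seen.get(partner, 0)
        needed[partner] = (usn_have + 1, usn_now) if usn_now > usn_have else None
    return needed


@dataclass(frozen=True)
class PropertyWrite:
    value: bytes
    version: int          # property version number: bumped on originating writes only
    timestamp: float      # time of the originating write; DC clocks must agree
    originating_dc: str


def winning_write(a: PropertyWrite, b: PropertyWrite) -> PropertyWrite:
    """Pick the write that takes precedence when two updates to one property meet."""
    if a.version != b.version:                 # highest property version wins
        return a if a.version > b.version else b
    if a.timestamp != b.timestamp:             # collision: later timestamp wins
        return a if a.timestamp > b.timestamp else b
    # Versions and timestamps tie: binary buffer comparison, larger buffer wins.
    return a if len(a.value) >= len(b.value) else b


def already_have(up_to_date_vector: dict, originating_dc: str, originating_usn: int) -> bool:
    """Propagation dampening: True if this DC already holds the partner's change.

    up_to_date_vector maps each originating DC to the highest originating USN
    received from it (the chapter's <change>,<DC>,<USN> entries keyed by DC).
    """
    return up_to_date_vector.get(originating_dc, 0) >= originating_usn


def server_a_example() -> dict:
    """The chapter's Server A table and the partners' reported USNs."""
    table = {"Domain Controller B": 54, "Domain Controller C": 23, "Domain Controller D": 53}
    reported = {"Domain Controller B": 58, "Domain Controller C": 23, "Domain Controller D": 64}
    return changes_needed(table, reported)
```

Because the comparison is on the property version first, a write made later in wall-clock time still loses to one with a higher version number; only a genuine collision (equal versions) falls through to the timestamp, which is why the chapter insists DC clocks agree.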
FAQ 15.17 What are tombstone objects?

Because of Windows 2000’s and Active Directory’s (AD’s) complex replication, if you simply delete an object, Win2K’s replication algorithm might recreate the object at the next replication interval. Thus, AD marks deleted objects with tombstones. When we create an object, it gets replicated to all other DCs in the domain. If deletion simply removed the object from one DC, there would be no sign on that DC that the object ever existed, so during the next replication cycle it would simply be replicated back from another DC (and we would never be able to get rid of it). So, when we delete an object from AD, it isn’t immediately removed: most of its attributes are removed, the object is marked as deleted (tombstoned), and it is moved to a special hidden container. This tombstone is then replicated to all other DCs, and after a certain period of time (two months by default), a special process, the garbage collector, which runs on each DC, purges the tombstone from the AD database.

Win2K deletes tombstone objects 60 days after their original tombstone status setting. To change this default time (which I don’t recommend), modify the tombstoneLifetime attribute under cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=DomainName.

FAQ 15.18 How do I modify the Active Directory’s garbage-collection period?

The Active Directory (AD) garbage-collection process performs two vital functions. First, it cleans up deleted objects. When you delete an object in AD, the system doesn’t immediately delete the object because when replication occurs, a replication partner would recreate the object. Instead, the system uses a tombstone with a finite lifetime to mark the object as deleted. The tombstone replicates to all DCs, and after it expires, the garbage-collection agent deletes the object. The garbage-collection process also performs online AD defragmentation.

By default this process runs every 12 hours on each DC. However, you can change this frequency by modifying the attribute garbageCollPeriod under the path CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=,DC=,DC=COM. The best way to modify the attribute is to use the Windows 2000 Support Tools’ LDP.EXE utility.
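To make the resurrection problem in FAQ 15.17 concrete, here is an added Python simulation (not the book’s code and not how the directory is implemented) of two toy replicas: a plain removal comes back on the next replication cycle, whereas a tombstone replicates as a deleted marker and is purged by garbage collection once the tombstone lifetime has passed. The replica class, merge rule and the sample DN are this example’s own assumptions; the 60-day lifetime is the chapter’s default.

```python
"""Why deletes are tombstoned (added example, not the book's code).

Two toy DC replicas illustrate FAQ 15.17: a plain removal is resurrected by the
next replication cycle; a tombstone replicates as a deleted marker and is purged
by garbage collection after the tombstone lifetime (60 days in the chapter).
The replica model, its merge rule and the DN used are our own assumptions.
"""
TOMBSTONE_LIFETIME_DAYS = 60
SAMPLE_DN = "cn=testuser,dc=example,dc=com"   # constructed


class Replica:
    """A DC's copy of the directory: dn -> {"deleted": bool, "tombstoned_on": day}."""

    def __init__(self, name: str):
        self.name = name
        self.objects = {}

    def create(self, dn: str):
        self.objects[dn] = {"deleted": False, "tombstoned_on": None}

    def naive_delete(self, dn: str):
        """What the chapter warns against: remove the object outright."""
        del self.objects[dn]

    def tombstone(self, dn: str, today: int):
        """Keep the object, stripped to a deleted marker that can replicate."""
        self.objects[dn] = {"deleted": True, "tombstoned_on": today}

    def replicate_from(self, other: "Replica"):
        """Simplified merge: take objects we lack, and take a partner's tombstone
        over our live copy (deletion wins). A gap on our side is not a deletion,
        so a naively removed object is simply copied back in."""
        for dn, state in other.objects.items():
            mine = self.objects.get(dn)
            if mine is None or (state["deleted"] and not mine["deleted"]):
                self.objects[dn] = dict(state)

    def garbage_collect(self, today: int):
        """Purge tombstones older than the lifetime (runs on every DC)."""
        expired = [dn for dn, s in self.objects.items()
                   if s["deleted"] and today - s["tombstoned_on"] >= TOMBSTONE_LIFETIME_DAYS]
        for dn in expired:
            del self.objects[dn]

    def live_objects(self) -> list:
        return sorted(dn for dn, s in self.objects.items() if not s["deleted"])


def naive_delete_scenario() -> list:
    """Returns DC1's live objects after deleting without a tombstone: the object is back."""
    dc1, dc2 = Replica("DC1"), Replica("DC2")
    dc1.create(SAMPLE_DN)
    dc2.replicate_from(dc1)
    dc1.naive_delete(SAMPLE_DN)
    dc1.replicate_from(dc2)      # next cycle: DC2 still has it, DC1 gets it again
    return dc1.live_objects()


def tombstone_scenario() -> tuple:
    """Returns (live objects on both DCs after the delete replicates,
    objects remaining on both DCs after garbage collection at day 60)."""
    dc1, dc2 = Replica("DC1"), Replica("DC2")
    dc1.create(SAMPLE_DN)
    dc2.replicate_from(dc1)
    dc1.tombstone(SAMPLE_DN, today=0)
    dc2.replicate_from(dc1)      # the deleted marker travels to DC2
    dc1.replicate_from(dc2)      # nothing live comes back
    live_after_delete = dc1.live_objects() + dc2.live_objects()
    for dc in (dc1, dc2):        # each DC purges the expired tombstone itself
        dc.garbage_collect(today=TOMBSTONE_LIFETIME_DAYS)
    dc1.replicate_from(dc2)
    dc2.replicate_from(dc1)
    return live_after_delete, len(dc1.objects) + len(dc2.objects)
```

The merge rule is deliberately minimal; real replication carries the USN and version metadata of FAQ 15.16. Note also that the tombstone must survive on every DC until all of them have received it, which is why the lifetime is measured in months rather than hours.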
FAQ 15.19 How does intrasite replication work in Windows 2000?

Windows 2000’s Knowledge Consistency Checker (KCC) automatically manages replication within a site. The KCC uses a bidirectional ring topology that uses Remote Procedure Call (RPC) over TCP/IP without compression. DCs within a site are typically on a fast network (per the definition of a site), and the extra processing necessary for compression and decompression is undesirable. The KCC runs every 15 minutes, adjusting the topology as necessary. As you create new DCs, the KCC automatically places them in the ring.

To view the DC links, you can use the Microsoft Management Console (MMC) Active Directory Sites and Services snap-in. Expand the site, the Servers container, and the server. Under the NTDS Settings branch are the created connection objects.

Because the KCC runs on all DCs, the rings are in order of the DCs’ globally unique IDs (GUIDs) to ensure convergence on one topology. An exception to the ring rule is that no more than three hops can exist between two DCs within the ring. To protect the three-hop rule, the KCC adds extra links for seven or more DCs, as shown in Figure 15-12.

Figure 15-12 The three-hop rule in action
These rings are for the same naming context (i.e., domain) in one site. If you have multiple domains in a site, rings exist for each domain in the site. Another type of ring that exists replicates schema and configuration information between DCs, as shown in Figure 15-13. Because all the domains share this information (i.e., the information is forestwide), each site has only one such ring. Thus, if you have two domains in a site, you have three rings: one ring for each domain and one ring for the schema and configuration information. If you have only one domain in a site, one ring functions as two.

Manual configuration of intrasite replication is unnecessary, and Microsoft doesn’t recommend such configuration. The only task you might need to perform is adding extra connection objects to reduce the hop count between DCs.

When you make a change to the naming context (i.e., domain) data, the DC’s local copy of AD records the change, then the DC waits five minutes (by default) before notifying its replication partners of the change. You can continue to make changes during this time period. The delay exists so that all changes transmit at once. If no changes occur during a particular time period (which you can configure in the intrasite connection object schedule), a replication sequence initiates to ensure no changes were missed.

The SAM or the Local Security Authority (LSA) can trigger urgent replication during the following events: replication of a newly locked-out account (e.g., if you fire someone), change of an LSA secret (i.e., a trust account), and state changes to the relative identifier (RID) master. These events trigger immediate replication. Because urgent replication requires notification, this type of replication occurs only within a site (i.e., intrasite). However, you can modify site links to enable notification.

Figure 15-13 Different rings for the different domain/forest elements (DC1 through DC4; one ring for the schema/configuration information, one for the sales.savilltech.com naming context, and one for the savilltech.com naming context)

An exception to multimaster normal replication is user passwords. As in other attribute changes, you can change a user password at any DC. However, the DC pushes the change to the PDC Flexible Single-Master Operation (FSMO) role holder on a best-attempt basis. Other DCs receive the password through normal replication. The reason for the extra password work is that if password validation fails, the validating DC will pass the request to the PDC FSMO in case the password has changed and the DC hasn’t yet received the new password via standard replication.

The schema and configuration data replicates between DCs once an hour by default. For information about changing the replication interval, see FAQ 15.22.

FAQ 15.20 How do I change the intrasite replication interval in Windows 2000 for domain information?

As FAQ 15.19 explains, intrasite replication for naming context data doesn’t occur until five minutes after a change. This delay lets all changes transmit at once. You can change this five-minute delay.

1. Start Regedit.
2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters Registry entry.
3. Double-click Replicator notify pause after modify (secs).
4. Enter the number of seconds you want for the delay and click OK.
5. Close the Registry editor.
6. Reboot the machine.

You might notice the parameter Replicator notify pause between DSAs (secs). This parameter determines the number of seconds between notifications of directory service agents (DSAs). This parameter prevents simultaneous replies by replication partners.

FAQ 15.21 How do I force replication between two domain controllers in a site?

In Windows NT 4.0, you can use Server Manager to force replication between DCs.
In Windows 2000, you can force replication between DCs as follows:
1. Start the Microsoft Management Console (MMC) Active Directory Sites and Services snap-in.
2. Expand the Sites branch to show the sites.
3. Expand the site that contains the DCs. (The default site Default-First-Site-Name might be the only site.)
4. Expand the servers.
5. Select the server you want to replicate to and expand the server.
6. Double-click NTDS Settings for the server.
7. Right-click the server you want to replicate from.
8. Select Replicate Now from the context menu, as shown in Figure 15-14.
9. Click OK in the confirmation dialog box.

This replication is one-way. If you want two-way replication, you need to replicate in each direction.

Figure 15-14 Forcing a replication
FAQ 15.22 How do I change the schedule for replication between two domain controllers in a site?

By default, domain controllers replicate schema and configuration information once an hour. (For information about the type of data replicated, see FAQ 15.19.) To change this interval for domain controllers in one site, perform the following tasks:

1. Start the Microsoft Management Console (MMC) Active Directory Sites and Services snap-in. (Select Programs > Administrative Tools > Active Directory Sites and Services from the Start menu.)
2. Expand the Sites branch to show the various sites.
3. Expand the site that contains the domain controllers. (The default site Default-First-Site-Name might be your only site.)
4. Expand the servers.
5. Select the server you want to configure replication to and expand it.
6. Double-click NTDS Settings for the server.
7. Right-click the server you want to set replication from.
8. Select Properties from the context menu.
9. Select the Active Directory Service connection tab.
10. Click Change Schedule.
11. Modify the replication as necessary (see Figure 15-15) and click OK.

Figure 15-15 Setting the replication interval
12. Click Apply.
13. Click OK.

The schedule you set is for minimum replication. The replication schedule is one-way; you need to repeat the steps to configure the other direction. If you make a change, the notification and replication will occur after a five-minute delay.

FAQ 15.23 How do I tune Active Directory replication?

You can use one of several settings under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters Registry entry to modify elements of AD replication.

When you make a change to AD, a timer starts. This timer specifies how long the domain controller will wait before notifying its first replication partner of the change. The default time is five minutes. To change this time period, edit the Replicator notify pause after modify (secs) value in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters Registry entry, as shown in Figure 15-16.

After the domain controller notifies its first replication partner, the DC waits before it notifies each subsequent replication partner. This delay prevents simultaneous replies from the replication partners. The default time is 30 seconds. To change this time period, edit the Replicator notify pause between DSAs (secs) value in the same HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters Registry entry, as shown earlier in Figure 15-16.

Figure 15-16 Detailed replication options via the Registry
You can modify other values to enhance a multiple-CPU system’s performance. For example, set the replication thread priority high value to 1 to run replication at high priority. If you don’t set this value, or you set it to 0, replication will run at low priority. Set the replication thread priority low value to 1 to run replication at low priority. If you set this value to -1, the value is ignored.

FAQ 15.24 How do I specify a bridgehead server?

To minimize bandwidth usage during intersite communication, the Knowledge Consistency Checker (KCC) dynamically chooses a server from each site to handle the communication. These servers are the bridgehead servers. Rather than letting the KCC choose the servers, you might prefer to nominate domain controllers (e.g., a domain controller with the best network connectivity, a DC that is the proxy server in a firewall environment). A server that you nominate is a preferred bridgehead server. You can select multiple preferred bridgehead servers for a site, but only one of the servers is active at a time. If the active preferred bridgehead server fails, then another preferred bridgehead server becomes the active server. If no preferred bridgehead servers are available, a regular Windows 2000 DC becomes active for intersite communication. Letting a regular Win2K DC handle intersite communication might cause problems if the server lacks sufficient resources. To nominate a server as a bridgehead server, perform the following steps.

1. Start the Active Directory Sites and Services MMC snap-in. (Select Programs > Administrative Tools > Active Directory Sites and Services from the Start menu.)
2. Expand the Sites branch.
3. Expand the site containing the server and select the Servers container.
4. Right-click the server and select Properties.
5. Select the protocol you want the server to act as a preferred bridgehead server for (i.e., SMTP or IP), as shown in Figure 15-17, and click Add. Then click OK.

When the KCC runs the next time, the connection objects will change to use the bridgehead server you specified.
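Because the tuning values of FAQ 15.20 and FAQ 15.23 live in one Registry key, a defender’s first check is whether any of them has drifted from the defaults the chapter gives. The following added Python (not the book’s code) parses the text that a .reg export of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters produces and reports the entries that differ from those defaults or that change behaviour just by being present. The export below is constructed; the value names are the ones this chapter uses, and the audit function and its default table are this example’s own.

```python
"""Audit replication tuning values exported from the NTDS Parameters key.

Added example, not from the book or from Microsoft tooling. Parses the text
format of a Registry Editor .reg export (DWORD and string values only) and
compares the replication values this chapter names against the defaults it
states. The sample export is constructed for the example.
"""

NTDS_PARAMETERS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"

# Defaults the chapter states, in seconds (KCC period: 15 minutes per FAQ 15.19).
KNOWN_DEFAULTS = {
    "Replicator notify pause after modify (secs)": 300,
    "Replicator notify pause between DSAs (secs)": 30,
    "Repl topology update period (secs)": 900,
}
# Values that change behaviour merely by existing in the key.
PRESENCE_FLAGS = {
    "TCP/IP Port": "static RPC port set; dynamic allocation is off",
}

# Constructed sample of what Registry Editor exports for the key.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"Replicator notify pause after modify (secs)"=dword:0000003c
"Replicator notify pause between DSAs (secs)"=dword:0000001e
"TCP/IP Port"=dword:0000c350
"DSA Database file"="C:\\WINNT\\NTDS\\ntds.dit"
'''


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: data}}; dword -> int, strings unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            # Lines look like "Name"=dword:0000003c or "Name"="string".
            name, _, rest = line[1:].partition('"=')
            if rest.startswith("dword:"):
                keys[current][name] = int(rest[len("dword:"):], 16)
            elif rest.startswith('"') and rest.endswith('"'):
                keys[current][name] = rest[1:-1].replace("\\\\", "\\")
    return keys


def audit_replication_tuning(text: str) -> list:
    """(value name, finding) pairs for non-default or notable entries, in table order."""
    values = parse_reg_export(text).get(NTDS_PARAMETERS, {})
    findings = []
    for name, default in KNOWN_DEFAULTS.items():
        if name in values and values[name] != default:
            findings.append((name, f"set to {values[name]} s, default {default} s"))
    for name, why in PRESENCE_FLAGS.items():
        if name in values:
            findings.append((name, f"present ({values[name]}): {why}"))
    return findings
```

On the sample export the notify pause is 60 s instead of 300 s and a static RPC port is set; the between-DSAs value is at its default and is not reported. Absent values are left alone, since the chapter says the defaults apply when a value is not set.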
Figure 15-17 Specifying bridgehead transport options

FAQ 15.25 How do I create a site link bridge?

Site link bridges are important for intersite communication. Imagine you have the sites Liverpool, London, and Kent, and you have site links between Liverpool and London and between Kent and London (see Figure 15-18). If site link transitivity is disabled, Liverpool and Kent can’t communicate. A site link bridge lets London act as a router for communication between Liverpool and Kent. If site link transitivity is disabled, you must manually bridge sites so that replication can complete, and the Knowledge Consistency Checker (KCC) can create the necessary connection objects.

1. Start the Active Directory Sites and Services MMC snap-in. (Select Programs > Administrative Tools > Active Directory Sites and Services from the Start menu.)
2. Expand the Sites branch.
3. Expand the Inter-Site Transports branch.
Figure 15-18 Site links between sites (site link A and site link B connecting Liverpool, London, and Kent)

4. Right-click the protocol you want to create the bridge for (i.e., IP or SMTP) and select New Site Link Bridge.
5. Enter a name for the bridge and select the site links that will form the bridge.
6. Click OK.

FAQ 15.26 I have several sites connected over a virtual private network. How should I configure my site links?

Obviously, with the Internet, the speed between sites is unknown. In addition, the route varies every time, so you can’t place an accurate link cost (which controls the desirability of remote sites as sources of replication information) between sites, which negates the usefulness of site links and bridges. Your best option is to place all sites in a single site link.

FAQ 15.27 How does intersite replication work in Windows 2000?

You can use Remote Procedure Call (RPC) over IP or Simple Mail Transport Protocol (SMTP) to link sites. After you define the site links, replication schedules, cost factors, and site link bridges (if appropriate), the Knowledge Consistency Checker (KCC) can create the connection objects as long as the site links are transitive.

Using SMTP has some limitations. You can use SMTP to replicate the Global Catalog (GC) information, as well as schema and configuration data. However, SMTP can’t replicate full domain naming context data such as the data that DCs in a domain exchange, because some domain operations require the File Replication Service (FRS) (e.g., Group Policy), which SMTP doesn’t support.

Intersite replication uses a spanning tree topology. As long as the KCC can establish a replication route between all the sites in the enterprise forest, the replication tree is complete. The administrator manually creates the links between sites. Creating the links involves defining costs for each link (the cost relates to the network’s speed and reliability) and establishing a replication schedule. You use the Microsoft Management Console (MMC) Active Directory Sites and Services snap-in to create and maintain site links. By default, your original site is part of the site link DEFAULTIPSITELINK. You can add sites to this site link when you create them. (When you create a site, you must specify a site link.)

Replication data that travels between sites is 10% to 15% of its original size due to data compression. This smaller size is important because intersite links are usually WAN links, which tend to be slow. You need to create only the necessary links between sites. The KCC creates the required connection objects.

FAQ 15.28 How do I monitor when the Knowledge Consistency Checker runs?

The KCC, which manages connection objects for inter- and intrasite replication, ascertains whether you need to create new objects or delete existing objects. The KCC runs every 15 minutes by default. FAQ 15.30 explains how to change this time period.

To determine when the KCC starts and stops, start Regedit and go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics Registry entry. Double-click Knowledge Consistency Checker. Set the value to 3 or greater and click OK. Close the Registry editor. You don’t need to restart the machine for the change to take effect.

A value of 3 or greater in Knowledge Consistency Checker causes the KCC to log extra events that you can view in Event Viewer’s Directory Service branch. Some common events that are useful to view include

• Event 1007 signifies the KCC starting
• Event 1009, as shown in Figure 15-19, signifies the beginning of the KCC check
• Event 1013 signifies the end of the KCC check
• Event 1015 signifies the KCC stopping
• Event 1133 provides information about the KCC check
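The reachability rules of FAQ 15.12, FAQ 15.25, FAQ 15.26 and FAQ 15.27 (site links, transitivity, bridges and costs) are easiest to see on the chapter’s Liverpool/London/Kent layout, so here is an added Python model (not the book’s code and not the KCC’s algorithm) that answers "can replication get from site X to site Y, and along which cheapest route?" under each setting. The class, its chaining rule and the costs are this example’s own assumptions; the site and link names come from the chapter’s example.

```python
"""Intersite reachability from site links, bridges and costs (added example).

Models the rules this chapter states: with "Bridge all site links" on, every
site link is transitive; with it off, a route may only continue across two
site links that share a site link bridge. The cheapest route (sum of link
costs) wins. Class design and costs are our own; the layout is the chapter's.
"""
import heapq
import itertools


class SiteTopology:
    """Sites joined by site links; optional site link bridges when transitivity is off."""

    def __init__(self, bridge_all_site_links: bool = True):
        self.links = {}      # site link name -> (set of member sites, cost)
        self.bridges = []    # each site link bridge is a set of site link names
        self.bridge_all = bridge_all_site_links

    def add_site_link(self, name: str, sites, cost: int = 100):
        self.links[name] = (set(sites), cost)

    def add_site_link_bridge(self, link_names):
        self.bridges.append(set(link_names))

    def _can_chain(self, arrived_by, next_link) -> bool:
        """May a route that reached this site over arrived_by continue over next_link?"""
        if arrived_by is None or arrived_by == next_link or self.bridge_all:
            return True
        return any({arrived_by, next_link} <= bridge for bridge in self.bridges)

    def cheapest_route(self, src: str, dst: str):
        """Lowest-cost (cost, path) honouring transitivity and bridges; None if unreachable."""
        order = itertools.count()          # tie-breaker so heap never compares paths
        heap = [(0, next(order), src, None, [src])]
        settled = set()                    # (site, link arrived by) states already expanded
        while heap:
            cost, _, site, via, path = heapq.heappop(heap)
            if site == dst:
                return cost, path
            if (site, via) in settled:
                continue
            settled.add((site, via))
            for name, (members, link_cost) in self.links.items():
                if site not in members or not self._can_chain(via, name):
                    continue
                for nxt in members - {site}:
                    heapq.heappush(heap, (cost + link_cost, next(order), nxt, name, path + [nxt]))
        return None


def chapter_layout(bridge_all: bool, bridged: bool = False,
                   slow_direct_link: bool = False) -> SiteTopology:
    """Liverpool - London - Kent from FAQ 15.25 (costs are our assumption)."""
    t = SiteTopology(bridge_all_site_links=bridge_all)
    t.add_site_link("site link A", ["Liverpool", "London"], cost=100)
    t.add_site_link("site link B", ["London", "Kent"], cost=100)
    if bridged:
        t.add_site_link_bridge(["site link A", "site link B"])
    if slow_direct_link:   # an expensive direct link, to show cost preference
        t.add_site_link("slow link", ["Liverpool", "Kent"], cost=500)
    return t


def vpn_layout() -> SiteTopology:
    """FAQ 15.26's advice: all VPN-connected sites in one site link."""
    t = SiteTopology(bridge_all_site_links=False)
    t.add_site_link("VPN", ["Liverpool", "London", "Kent"], cost=100)
    return t
```

With transitivity off and no bridge, Liverpool to Kent returns None even though London reaches both; adding the bridge (or re-enabling transitivity) gives the 200-cost route through London, and a 500-cost direct link is ignored in favour of it. In the single-site-link VPN layout every pair is adjacent, which is why the chapter recommends it when costs cannot be estimated.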
Figure 15-19 Event log showing the Knowledge Consistency Checker in action

FAQ 15.29 How do I disable the Knowledge Consistency Checker?

FAQ 15.19 explains how the KCC automatically creates and maintains connection objects for intra- and intersite replication. To manually maintain connection objects (which I don’t recommend), you must disable the KCC. To disable the KCC, use the Microsoft Windows 2000 Resource Kit’s LDP tool. This program is in Win2K’s %SystemDrive%\Program Files\Support Tools folder.

1. Start LDP.EXE.
2. From the Connection menu, select Connect.
3. Enter the domain controller’s DNS name, leave the port as 389 (LDAP), and make sure the Connectionless checkbox is clear. Click OK.
4. Some text will appear in the right-most pane. Next, select Bind from the Connection menu.
5. Enter an Administrator username, password, and domain, as shown in Figure 15-20. Click OK.
6. From the View menu, select Tree.
7. A dialog box will prompt you for the base distinguished name (DN), which includes a site and your domain. For example, for the London site in savtech.com I enter CN=London,CN=Sites,CN=Configuration,DC=SAVTECH,DC=COM
8. Expand the root and double-click CN=NTDS Site Settings. The results will display in the right-most window. Next, look for the options attribute. If this attribute is missing or set to 0, you can proceed. Otherwise, you need to contact Microsoft Support for help checking your configuration before you can continue.

Figure 15-20 Binding to the LDAP interface
9. The text you see in the right-most window will look like

   Expanding base 'CN=NTDS Site Settings,CN=London,CN=Sites,CN=Configuration,DC=savtech,DC=com'...
   Result : (null)
   Matched DNs:
   Getting 1 entries:
   >> DN: CN=NTDS Site Settings,CN=London,CN=Sites,CN=Configuration,DC=savtech,DC=com

10. Copy the last line, except the DN: portion, onto the Clipboard (e.g., CN=NTDS Site Settings,CN=London,CN=Sites,CN=Configuration,DC=savtech,DC=com).
11. From the Browse menu, select Modify.
12. In the Dn field, enter the string you copied in Step 10, as shown in Figure 15-21.
13. In the Attribute field, enter options

Figure 15-21 Replacing a value with the LDAP utility
14. In the Values field, enter the appropriate value. A value of 1 disables automatic intrasite topology generation, a value of 16 disables automatic intersite topology generation, and a value of 17 disables both types of topology generation.
15. In the Operation field, select Replace.
16. Click Enter.
17. Click Run.
18. Click Close. The right-most LDP.EXE window will display text such as

   ***Call Modify...
   ldap_modify_s(ld, 'CN=NTDS Site Settings,CN=London,CN=Sites,CN=Configuration,DC=savtech,DC=com', [1] attrs);
   Modified "CN=NTDS Site Settings,CN=London,CN=Sites,CN=Configuration,DC=savtech,DC=com".

19. Close LDP.EXE.

To check whether the KCC is disabled, use Active Directory Replication Monitor (REPLMON.EXE) to generate a report on the site configuration.

1. Start REPLMON.EXE.
2. Right-click Monitored Services in the left-most window and select Add Monitored Server from the context menu.
3. Select Add the server explicitly by name and click Next.
4. Enter the server name and click Finish.
5. Right-click the server (under the site) and select Generate Status Report.
6. Enter a name and location for the log and click Save.
7. In the Options field, select Server/DC Configuration Data and Extended Site Configuration, as shown in Figure 15-22.
8. Click OK.
9. Click OK again to finish.

Open the file you specified, and you’ll see site information such as the following.

   ********************************************************************
   Enterprise Data
   ********************************************************************
   Globally Unique Identifiers (GUIDs) for each domain controller in the enterprise
Figure 15-22 Report options

   NOTE: the absence of a GUID means that the server has been demoted.
   --------------------------------------------------------------------
   Site Name: London
   --------------------------------------
   Site Options : NTDSSETTINGS_OPT_IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED
   Site Topology Generator: CN=NTDS Settings,CN=MORPHEUS,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savtech,DC=com
   Site Topology Renewal :
   Site Topology Failover :

   MORPHEUS
   Server GUID (used for DNS) : DA644BE4-A8C9-47AF-AC4A-71F8DA4D50F0
   Replication Database GUID (used to identify partner in replication) : DA644BE4-A8C9-47AF-AC4A-71F8DA4D50F0
   DSA Options : NTDSDSA_OPT_IS_GC
   DSA Computer Path : CN=MORPHEUS,OU=Domain Controllers,DC=savtech,DC=com
   DSA Schema Location : CN=Schema,CN=Configuration,DC=savtech,DC=com
   DSA Mail Address : _IsmService@da644be4-a8c9-47af-ac4a-71f8da4d50f0._msdcs.savtech.com
   DSA DNS Host Name : MORPHEUS.savtech.com
   DSA BridgeHead Transports : IP

In the Site Options field, the text NTDSSETTINGS_OPT_IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED means intersite topology management is disabled. The text NTDSSETTINGS_OPT_IS_AUTO_TOPOLOGY_DISABLED means intrasite topology management is disabled.

To reenable the KCC, follow steps 1 through 19, but set the value in step 14 to 0. If the KCC is fully enabled, Replmon’s output won’t include Site Options information.

FAQ 15.30 How do I change how often the Knowledge Consistency Checker runs?

The KCC, which manages connection objects for inter- and intrasite replication, runs every 15 minutes by default. To change this time period, start Regedit and go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters Registry entry. From the Edit menu, select New > DWORD Value. Enter the following and press Enter:

   Repl topology update period (secs)

Double-click the new value and enter the number of seconds for how often you want the KCC to run. Click OK, then close the Registry editor. Restart the machine for the change to take effect.

FAQ 15.31 What tools are available for monitoring or changing replication?

To monitor or change replication, you must use the Microsoft Management Console (MMC) Active Directory Sites and Services snap-in. This tool lets you view, create, or delete connection objects. Other tools you can use include the Microsoft Windows 2000 Supplemental Tools Repadmin and Replmon tools.

Repadmin is a command-line tool that lets you check replication consistency (e.g., for a KCC recalculation). The switch /showreps displays a list of replication partners, as well as reasons for problems. The invocation ID is the database globally unique ID (GUID). When you use Repadmin with the switch /showreps, you’ll see text such as the following:

   D:\>repadmin /showreps
   London\TITANIC
   DSA Options : IS_GC
   objectGuid : 221d9d34-540e-4a7b-bd26-054c11e2d1ad
   invocationID: 221d9d34-540e-4a7b-bd26-054c11e2d1ad

   ==== INBOUND NEIGHBORS ======================================

   CN=Schema,CN=Configuration,DC=savilltech,DC=com
       London\TITUS via RPC
           objectGuid: 2000eb93-cc24-4af7-9ad2-c52129c98c7a
           Last attempt @ 1999-12-06 20:32.20 failed, result 8524:
               Can’t retrieve message string 8524 (0x214c), error 1815.
           Last success @ 1999-09-17 20:53.45.
           463 consecutive failure(s).
       London\TRINITY via RPC
           objectGuid: df3694d2-b4e9-4d9a-a560-3e8c26c48a89
           Last attempt @ 1999-12-06 20:32.21 failed, result 8524:

The switch /showmeta shows object information, version numbers, and other information. When you use this switch, you’ll see text such as the following:

   C:\>repadmin /showmeta cn=garfield,DC=savtech,DC=com
   45 entries.
   Loc.USN  Originating DSA  Org.USN  Org.Time/Date        Ver  Attribute
   =======  ===============  =======  ===================  ===  =========
   99649    London\MORPHEUS  99649    1999-12-08 09:50.10  1    objectClass
   99649    London\MORPHEUS  99649    1999-12-08 09:50.10  1    cn
   99650    London\MORPHEUS  99650    1999-12-08 09:50.10  1    description
   99649    London\MORPHEUS  99649    1999-12-08 09:50.10  1    givenName
   99649    London\MORPHEUS  99649    1999-12-08 09:50.10  1    instanceType
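Two things on this and the preceding pages lend themselves to a small monitoring script: the options bits of FAQ 15.29 (1, 16 and 17, reported by Replmon as the NTDSSETTINGS_OPT_ names above) and the /showreps output of FAQ 15.31, whose "failed, result", "Last success" and "consecutive failure(s)" lines are what an operator scans for. The following added Python (not the book’s code and not part of the Support Tools) decodes an options value and parses /showreps text into per-partner status. The sample output is constructed with placeholder GUIDs and server names; the parser follows the layout shown above, and the function names are this example’s own.

```python
"""Health checks over repadmin /showreps output and the NTDS Site Settings
options value (added example, not from the book or the Support Tools).

The parser follows the /showreps layout printed in this chapter; the sample
is constructed (placeholder GUIDs and server names). The options bit names
are the ones Replmon prints in FAQ 15.29.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# options attribute bits on CN=NTDS Site Settings (values 1 and 16 in FAQ 15.29).
SITE_OPTION_BITS = {
    1: "NTDSSETTINGS_OPT_IS_AUTO_TOPOLOGY_DISABLED",              # intrasite generation off
    16: "NTDSSETTINGS_OPT_IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED",  # intersite generation off
}


def decode_site_options(value: int) -> list:
    """Names of the flags set in an options value; [] means the KCC is fully enabled."""
    return [name for bit, name in SITE_OPTION_BITS.items() if value & bit]


@dataclass
class Neighbor:
    naming_context: str
    partner: str              # site\server as repadmin prints it
    transport: str
    failed: bool = False
    result: Optional[int] = None
    consecutive_failures: int = 0
    last_success: Optional[str] = None


REPADMIN_TIME = "%Y-%m-%d %H:%M.%S"   # e.g. 1999-09-17 20:53.45


def parse_showreps(text: str) -> list:
    """Inbound neighbours from /showreps text, one Neighbor per partner per naming context."""
    neighbors, context, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"^(CN|DC)=", line):              # naming context header
            context = line
            continue
        via = re.match(r"^(\S+) via (\S+)$", line)    # "London\TITUS via RPC"
        if via:
            current = Neighbor(context, via.group(1), via.group(2))
            neighbors.append(current)
            continue
        if current is None:
            continue
        attempt = re.match(r"^Last attempt @ (.+?) (failed, result (\d+)|was successful)", line)
        if attempt:
            current.failed = attempt.group(2) != "was successful"
            current.result = int(attempt.group(3)) if attempt.group(3) else None
            continue
        success = re.match(r"^Last success @ (.+?)\.?$", line)
        if success:
            current.last_success = success.group(1)
            continue
        failures = re.match(r"^(\d+) consecutive failure\(s\)", line)
        if failures:
            current.consecutive_failures = int(failures.group(1))
    return neighbors


def days_since_success(neighbor: Neighbor, now: datetime) -> Optional[int]:
    if neighbor.last_success is None:
        return None
    return (now - datetime.strptime(neighbor.last_success, REPADMIN_TIME)).days


def failing_partners(text: str, now: datetime) -> list:
    """(naming context, partner, consecutive failures, result code, days since last success)."""
    return [(n.naming_context, n.partner, n.consecutive_failures, n.result, days_since_success(n, now))
            for n in parse_showreps(text) if n.failed]


# Constructed sample in the /showreps layout shown in this chapter.
SAMPLE_SHOWREPS = r"""D:\>repadmin /showreps
London\DC01
DSA Options : IS_GC
objectGuid : 00000000-0000-0000-0000-000000000001
invocationID: 00000000-0000-0000-0000-000000000001

==== INBOUND NEIGHBORS ======================================

CN=Schema,CN=Configuration,DC=example,DC=com
    London\DC02 via RPC
        objectGuid: 00000000-0000-0000-0000-000000000002
        Last attempt @ 1999-12-06 20:32.20 failed, result 8524:
            Can't retrieve message string 8524 (0x214c), error 1815.
        Last success @ 1999-09-17 20:53.45.
        463 consecutive failure(s).
    London\DC03 via RPC
        objectGuid: 00000000-0000-0000-0000-000000000003
        Last attempt @ 1999-12-06 20:32.21 was successful.
        Last success @ 1999-12-06 20:32.21.

DC=example,DC=com
    London\DC02 via RPC
        objectGuid: 00000000-0000-0000-0000-000000000002
        Last attempt @ 1999-12-06 20:32.22 failed, result 8524:
        Last success @ 1999-09-17 20:54.03.
        460 consecutive failure(s).
"""
```

Run against the sample, `failing_partners` lists DC02 twice (once per naming context) with 80 days since its last successful replication, while the healthy DC03 entry is left out; a partner that has not replicated for that long is the first thing to investigate, and `decode_site_options` tells you at a glance whether someone has switched the KCC off for the site.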
Replmon is a GUI tool you can use to display and monitor replication status on domain controllers (DCs).

FAQ 15.32 In a Windows 2000 domain, how can I configure the site name information known to member servers and workstations?

Win2K introduced the concept of sites, which let you group machines that reside in similar TCP subnets. When a Win2K or later machine logs on, the system stores the site name in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters in the subkey named DynamicSiteName. The DC updates this name every 300 seconds (5 minutes); however, you can perform the following steps to modify the update time frame:

1. Start REGEDIT.EXE.
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. From the Edit menu, select New > DWORD Value.
4. Enter a name of SiteNameTimeout and press Enter.
5. Double-click the new value and set it to the number of seconds.
6. Click OK.

To override the assigned site name, you can add a String value named SiteName in the Netlogon\Parameters subkey. If you use this approach, the system will never use the SiteNameTimeout value.

FAQ 15.33 How can I set the RPC port that intrasite replication uses?

By default, AD replication via Remote Procedure Calls (RPCs) takes place dynamically over an available port via the RPC Endpoint Mapper using port 135 (the same as Microsoft Exchange). An administrator may override this functionality and specify the port that all replication traffic passes through, thereby locking down the port.

1. Start Regedit.
2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters Registry entry.
3. From the Edit menu, select New > DWORD Value.
4. Enter the following and press Enter: TCP/IP Port
5. Double-click the new entry and enter the port you want to use. (Make sure the port isn’t already in use.) Click OK.
6. Close the Registry editor.
7. Reboot the machine.

After monitoring finishes, you need to remove the Registry entry you created. Removing this entry reinstates the security that dynamic RPC port allocation provides.

FAQ 15.34 How do I back up Active Directory and the system state?

You can use the Microsoft Windows Backup utility to back up Active Directory. AD is part of a machine’s system state. On Windows 2000 machines, the system state includes the Registry, class registration database, and system boot files. On a Win2K server that is a certificate server, the system state also contains the Certificate Services database. On a Win2K machine that is a domain controller (DC), the system state also includes AD and the Sysvol directory.

To use Win2K’s Backup Wizard to back up the system state, perform the following steps:

1. Start Windows Backup.
2. Click Backup Wizard.
3. Click Next in the introduction dialog box.
4. In the dialog box that asks what to back up, select Only back up the System State data and click Next.
5. Continue the backup process (i.e., select the backup media, etc.).

To manually back up the system state, perform the following steps:

1. Start Windows Backup.
2. Select the Backup tab.
3. Select the System State checkbox, as shown in Figure 15-23, as well as any other drives.
Figure 15-23 Backup of the system state on a domain controller

4. Select the backup destination.
5. Click Start Backup.
6. Confirm the backup description and click Start Backup.

To back up only the system state from the command line, enter

    ntbackup backup systemstate /f d:\active.bkf

This command is a basic backup-to-file command. You can use more complex options if you prefer.
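The two Registry changes in FAQ 15.32 (Netlogon site name refresh and override) and FAQ 15.33 (a fixed RPC port for replication) are easy to set with Regedit and easy to forget, especially the port pin that FAQ 15.33 says must be removed afterwards. The following PowerShell is an added example, not from the FAQ, that applies, audits and backs out those settings. The keys and value names are the ones the FAQ gives; the port number and timeout in the sample session are placeholders, and the function names are assumptions. It assumes a current Windows version with PowerShell (Get-NetTCPConnection needs Windows 8/Server 2012 or later), since the Windows 2000 machines the FAQ describes predate PowerShell.

```powershell
# Added example (not from the FAQ): apply, audit and back out the Registry settings
# from FAQ 15.32 and FAQ 15.33. Run in an elevated session on the DC or member.

$Netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Ntds     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Set-SiteNameRefresh {
    # FAQ 15.32: SiteNameTimeout (DWORD, seconds) replaces the default 300-second refresh.
    param([Parameter(Mandatory)][ValidateRange(1, 86400)][int] $Seconds)
    New-ItemProperty -Path $Netlogon -Name 'SiteNameTimeout' -PropertyType DWord -Value $Seconds -Force | Out-Null
    (Get-ItemProperty -Path $Netlogon -Name 'SiteNameTimeout').SiteNameTimeout   # read back
}

function Set-StaticSiteName {
    # FAQ 15.32: a String value named SiteName overrides DynamicSiteName and makes
    # SiteNameTimeout irrelevant, so record the dynamic value before overriding it.
    param([Parameter(Mandatory)][string] $SiteName)
    $dynamic = (Get-ItemProperty -Path $Netlogon -Name 'DynamicSiteName' -ErrorAction SilentlyContinue).DynamicSiteName
    Write-Verbose "DynamicSiteName before override: $dynamic"
    New-ItemProperty -Path $Netlogon -Name 'SiteName' -PropertyType String -Value $SiteName -Force | Out-Null
}

function Set-ReplicationRpcPort {
    # FAQ 15.33: "TCP/IP Port" (DWORD) pins AD replication RPC to one port instead of a
    # dynamic port handed out through the Endpoint Mapper on 135. Takes effect after a reboot.
    param([Parameter(Mandatory)][ValidateRange(1024, 65535)][int] $Port)
    # The FAQ says to choose a port that is not already in use; refuse one that is listening.
    $inUse = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if ($inUse) { throw "TCP port $Port is already in use by PID $(@($inUse.OwningProcess) -join ',')" }
    New-ItemProperty -Path $Ntds -Name 'TCP/IP Port' -PropertyType DWord -Value $Port -Force | Out-Null
    Write-Warning 'Reboot the DC for the replication port change to take effect (FAQ 15.33).'
}

function Remove-ReplicationRpcPort {
    # FAQ 15.33: remove the pin when monitoring is finished so dynamic allocation returns.
    Remove-ItemProperty -Path $Ntds -Name 'TCP/IP Port' -ErrorAction SilentlyContinue
}

function Get-ReplicationSettings {
    # One object per machine with everything the two FAQs touch, so DCs can be compared.
    $n = Get-ItemProperty -Path $Netlogon -ErrorAction SilentlyContinue
    $d = Get-ItemProperty -Path $Ntds     -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        DynamicSiteName = $n.DynamicSiteName
        SiteName        = $n.SiteName          # non-null: FAQ 15.32 override is active
        SiteNameTimeout = $n.SiteNameTimeout   # null: default 300 seconds
        ReplicationPort = $d.'TCP/IP Port'     # non-null: FAQ 15.33 fixed port is active
    }
}

# Sample session (placeholder values):
# Set-SiteNameRefresh -Seconds 60
# Set-ReplicationRpcPort -Port 50000     # then reboot
# Get-ReplicationSettings
# Remove-ReplicationRpcPort              # when the monitoring window is over
```

Get-ReplicationSettings is the part worth scheduling: a DC that still reports a ReplicationPort long after the monitoring exercise ended is exactly the leftover FAQ 15.33 warns about, and a member with a SiteName override that no longer matches its subnet will keep authenticating against a distant site.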
FAQ 15.35 How do I restore Active Directory?

You can’t restore AD to a domain controller (DC) while the Directory Service (DS) is running. To restore AD, perform the following steps.

1. Reboot the computer.
2. At the boot menu, select Windows 2000 Server. Don’t press Enter. Instead, press F8 for advanced options. You’ll see the following text:

    OS Loader V5.0

    Windows NT Advanced Options Menu
    Please select an option:

        Safe Mode
        Safe Mode with Networking
        Safe Mode with Command Prompt

        Enable Boot Logging
        Enable VGA Mode
        Last Known Good Configuration
        Directory Services Restore Mode (Windows NT domain controllers only)
        Debugging Mode

    Use ↑ and ↓ to move the highlight to your choice.
    Press Enter to choose.

3. Scroll down and select Directory Services Restore Mode (Windows NT domain controllers only).
4. Press Enter.
5. When you return to the Windows 2000 Server boot menu, press Enter. At the bottom of the screen, you’ll see in red text “Directory Services Restore Mode (Windows NT domain controllers only)”. The computer will boot into a special safe mode and won’t start the DS. Be aware that during this time, the machine won’t act as a DC and won’t perform functions such as authentication.

Once the computer is running in Directory Services Restore Mode:

1. Start Windows Backup.
2. Select the Restore tab.
3. Select the backup media and select System State.
4. Click Start Restore.
5. Click OK in the confirmation dialog box.

After you restore the backup, reboot the computer and start in normal mode to use the restored information. The computer might hang after the restore completes; I’ve experienced a 30-minute wait on some machines.

FAQ 15.36 How do I manually defragment Active Directory?

Windows 2000 servers running Directory Services (DSs) perform a directory online defragmentation every 12 hours by default as part of the garbage-collection process. This defragmentation only moves data around the database file (NTDS.DIT) and doesn’t reduce the file’s size. To create a new, smaller NTDS.DIT file and to enable offline defragmentation, perform the following steps:

1. Back up AD (see FAQ 15.34).
2. Reboot the server, select the OS option, and press F8 for advanced options.
3. Select the Directory Services Restore Mode option and press Enter. Press Enter again to start the OS.
4. Win2K will start in safe mode, with no DS running.
5. Use the local SAM’s administrator account and password to log on.
6. You’ll see a dialog box that says you’re in safe mode. Click OK.
7. From the Start menu, select Run and type cmd.exe.
8. In the command window, enter the commands that follow the prompts:

    C:\> ntdsutil
    ntdsutil: files
    file maintenance: info
    ....
    file maintenance: compact to c:\temp

9. You’ll see the defragmentation process. If the process was successful, enter the following to return to the command prompt:

    quit
    quit
10. Then, replace the old NTDS.DIT file with the new, compressed version:

    copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit

11. Restart the computer and boot as normal.

The following is an example of the entire procedure.

    D:\> ntdsutil
    ntdsutil: files
    file maintenance: info

    Drive Information:

        C: FAT (Fixed Drive) free(1.2 Gb) total(1.9 Gb)
        D: NTFS (Fixed Drive) free(152.4 Mb) total(1.9 Gb)

    DS Path Information:

        Database   : D:\WINNT\NTDS\ntds.dit - 8.1 Mb
        Backup dir : D:\WINNT\NTDS\dsadata.bak
        Working dir: D:\WINNT\NTDS
        Log dir    : D:\WINNT\NTDS - 30.0 Mb total
                        res2.log - 10.0 Mb
                        res1.log - 10.0 Mb
                        edb.log - 10.0 Mb

    file maintenance: compact to c:\temp
    Opening database [Current].
    Using Temporary Path: C:\
    Executing Command: D:\WINNT\system32\esentutl.exe /d "D:\WINNT\NTDS\ntds.dit" / /o /l"D:\WINNT\NTDS" /s"D:\WINNT\NTDS" /t"c:\temp\ntds.dit" /!10240 /p

    Initiating DEFRAGMENTATION mode...
            Database: D:\WINNT\NTDS\ntds.dit
           Log files: D:\WINNT\NTDS
        System files: D:\WINNT\NTDS
      Temp. Database: c:\temp\ntds.dit

                  Defragmentation Status (% complete )

              0    10   20   30   40   50   60   70   80   90  100
              |--|--|--|--|--|--|--|--|--|--|
              ...................................................
    Note:
      It is recommended that you immediately perform a full backup
      of this database. If you restore a backup made before the
      defragmentation, the database will be rolled back to the state
      it was in at the time of that backup.

    Operation completed successfully in 17.896 seconds.

    Spawned Process Exit code 0x0(0)

    If compaction was successful you either need to copy "c:\temp\ntds.dit" to "D:\WINNT\NTDS\ntds.dit" or run:
      D:\WINNT\system32\ntdsutil.exe files "set path DB "c:\temp"" quit quit

    file maintenance: quit
    ntdsutil: quit

    D:\> copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit
    Overwrite D:\WINNT\ntds\ntds.dit? (Yes/No/All): y
            1 file(s) copied.

FAQ 15.37 I heard that more than one utility is available to defragment the Active Directory database. Is this true?

In Windows 2000, Microsoft included a version of an Exchange Server utility—ESENTUTL.EXE—that can defragment database files. At a command prompt, type the following command to defragment NTDS.DIT (the default name for the Active Directory—AD—database file):

    ESENTUTL /D ntds.dit [options]

For a list of the command options, type

    ESENTUTL /?

or

    ESENTUTL /help
Usually, you use Ntdsutil to defragment your AD database; Ntdsutil is still the most supported version.

FAQ 15.38 Why can’t I have spaces in my Windows 2000 NetBIOS domain name?

In Windows NT 4.0-based domains, the space is a legal character in NetBIOS domain names. Windows 2000 domains are DNS based and therefore use DNS names (although a NetBIOS name is available for backwards compatibility). DNS doesn’t allow spaces in names. For consistency, Microsoft removed the space as a legal character in Win2K NetBIOS domain names.

Win2K NetBIOS domain names can contain the following special characters:

    ! @ # $ % ^ & ( ) - _ ' { } . ~

The following characters aren’t allowed:

    * + = | : ; " ? < > ,

FAQ 15.39 How do I create trusts from the command line in Windows 2000?

The Microsoft Windows 2000 Resource Kit’s Trustdom tool lets you define trust relationships between Windows 2000 domains and one-way relationships with Windows NT 4.0 domains. You can create two types of one-way trusts: an outbound trust on the local or specified domain, and an inbound trust on the specified target domain. Trustdom’s syntax is

    trustdom [[domain[:dc],]target_domain[:dc]] [Options]

The default switch is -out. To see a list of other switches, use the /? switch.

FAQ 15.40 What is the Global Catalog?

The Global Catalog (GC) contains an entry for every object in an enterprise forest but only a few properties for each object. An entire forest shares a GC, with multiple servers holding copies. You can perform an enterprisewide forest search only on the
properties in the GC, whereas you can search for any property in a user’s domain tree. Only domain controllers (DCs) can hold a copy of the GC.

Configuring an excessive number of GCs in a domain wastes network bandwidth during replication. One GC server per domain in each physical location is sufficient. Windows sets servers as GCs as necessary, so you don’t need to configure additional GCs unless you notice slow query response times.

Because full searches involve querying the whole domain tree rather than the GC, grouping the enterprise into one tree will improve your searches. Thus, you can search for items not in the GC.

FAQ 15.41 How do I configure a server as a Global Catalog?

To configure a Windows 2000 domain controller (DC) as a Global Catalog (GC) server, perform the following steps.

1. Start the Microsoft Management Console (MMC) Active Directory Sites and Services snap-in. (From the Start menu, select Programs > Administrative Tools > Active Directory Sites and Services Manager.)
2. Select the Sites branch.
3. Select the site that owns the server and expand the Servers branch.
4. Select the server you want to configure.
5. Right-click NTDS Settings and select Properties.
6. Select or clear the Global Catalog Server checkbox, shown in Figure 15-24.
7. Click Apply, then OK.
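The checkbox in step 6 sets bit 1 of the options attribute on the server’s NTDS Settings object in the configuration partition, so the question "which DCs are GCs, and does each site have one?" from FAQ 15.40 can be answered with a single LDAP search rather than by clicking through every server. The following PowerShell is an added example, not code from the FAQ, that does this with ADSI only (no RSAT module), relying on the credentials of the domain-joined machine it runs on; the function names are assumptions.

```powershell
# Added example (not from the FAQ): list Global Catalog servers per site by reading
# the nTDSDSA (NTDS Settings) objects that the FAQ 15.41 checkbox modifies.

Add-Type -AssemblyName System.DirectoryServices

function Get-GlobalCatalogServer {
    param([switch] $IncludeNonGC)   # list every DC and mark IsGC, not only the GCs
    $rootDse  = [adsi]'LDAP://RootDSE'
    $configNC = $rootDse.configurationNamingContext.Value
    $sitesDn  = "CN=Sites,$configNC"

    # options bit 1 (NTDSDSA_OPT_IS_GC) tested with the LDAP bitwise-AND matching rule
    $filter = if ($IncludeNonGC) { '(objectClass=nTDSDSA)' }
              else { '(&(objectClass=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))' }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [adsi]"LDAP://$sitesDn", $filter, @('distinguishedName', 'options'))
    $searcher.PageSize = 500
    foreach ($r in $searcher.FindAll()) {
        $dn = [string]$r.Properties['distinguishedName'][0]
        # DN shape: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
        $parts = $dn -split ','
        $opts  = if ($r.Properties['options'].Count) { [int]$r.Properties['options'][0] } else { 0 }
        [pscustomobject]@{
            Server = $parts[1] -replace '^CN='
            Site   = $parts[3] -replace '^CN='
            IsGC   = [bool]($opts -band 1)
        }
    }
}

function Get-GlobalCatalogCountBySite {
    # One row per site: DCs in the site and how many of them are GCs. Zero GCs in a
    # site means UPN logons and password changes there depend on a WAN link (FAQ 15.42);
    # many more than one per domain per site is the replication waste FAQ 15.40 warns about.
    Get-GlobalCatalogServer -IncludeNonGC |
        Group-Object Site |
        ForEach-Object {
            [pscustomobject]@{
                Site = $_.Name
                DCs  = $_.Count
                GCs  = @($_.Group | Where-Object IsGC).Count
            }
        }
}

# Get-GlobalCatalogServer | Sort-Object Site, Server
# Get-GlobalCatalogCountBySite | Format-Table -AutoSize
```

Because the search runs against the configuration partition, any DC answers it for the whole forest; the result reflects what has replicated to the DC you are bound to, so a checkbox change made moments ago on a remote DC may not show yet.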
Figure 15-24 Global Catalog enabling of a server

FAQ 15.42 Why can’t I use my user principal name to change my password if the Global Catalog is unavailable?

In Windows 2000, users have a user principal name (UPN)—e.g., john@savilltech.com—as well as the usual down-level SAM name—e.g., savillj. If you change your password using the down-level SAM username, the change works fine, even if the Global Catalog (GC) isn’t available. If you change your password using your UPN and the GC isn’t available, you receive the following error message if the account is in the parent domain:

    The user name or old password is incorrect. Letters in passwords must be typed using the correct case. Make sure the Caps is not accidentally on.

Or you receive the following error message if the account is in the child domain:

    Unable to change the password on this account due to the following error:
    1359: An internal error occurred
    Please consult your system administrator.

To confirm that the GC’s absence is the problem, use the following command to find your logon server:

    echo %logonserver%

When you find the logon server, check the Directory Service event log for the following event:

    Event 1126
    Unable to establish connect with global catalog

To fix this problem, you need to ensure that the GC is available. You need the GC to change passwords using your UPN because domains store information only about their local domain, whereas the GC includes information about objects in the entire forest. Thus, the GC must be available when you use the UPN, unless you have only one domain.

FAQ 15.43 What are the FSMO roles in Windows 2000?

In Windows 2000, all domain controllers (DCs) are equal. Changes replicate to all the DCs in a domain through a process known as multimaster replication. Multimaster replication resolves conflicts. In some situations, preventing conflicts is preferable. Five Flexible Single-Master Operation (FSMO) roles, formerly known as Floating Single-Master Operation roles, each manage an aspect of the domain or forest to prevent conflicts. You can manually move these roles between DCs.

Two types of roles exist: domain and forest. Only a DC in the domain can hold a domain-specific FSMO role, whereas any DC in the forest can hold a forest FSMO role. DCs can’t hold FSMO roles in other domains or forests. You can use the Ntdsutil utility or one of several GUI methods to assign FSMO roles. The following table summarizes each role:
Role Name: Domain Naming Master
Per Domain or Forest: One per forest
Description: If you want to add a domain to a forest, the domain’s name must be verifiably unique. The forest’s Domain Naming Master FSMO authorizes the domain name operation.

Role Name: Infrastructure Master
Per Domain or Forest: One per domain
Description: When a user and group are in different domains, a lag can exist between changes to the user (e.g., a name change) and the user’s display in the group. The Infrastructure Master of the group’s domain fixes the group-to-user reference to reflect the change. The Infrastructure Master performs its fixes locally and relies on replication to bring all other replicas of the domain up-to-date.

Role Name: PDC Emulator
Per Domain or Forest: One per domain
Description: For backward compatibility, one DC in each Win2K domain must emulate a PDC for the benefit of Windows NT 4.0 and NT 3.5 DCs and clients.

Role Name: RID Master
Per Domain or Forest: One per domain
Description: Any DC can create new objects (e.g., users, groups, computer accounts). However, after creating 512 user objects, a DC must contact the domain’s relative identifier (RID) Master for another 512 RIDs. (A DC actually contacts the RID Master when the DC has fewer than 100 RIDs left. Thus, the RID Master can be unavailable for short periods of time without causing object creation problems.) This procedure ensures that each object has a unique RID. When a DC creates a security principal object, the DC attaches a unique SID to the object. The SID consists of the domain SID and a RID. The RID Master must be available for you to use the Microsoft Windows 2000 Resource Kit’s Movetree utility to move objects between domains.

Role Name: Schema Master
Per Domain or Forest: One per forest
Description: At the heart of Active Directory (AD) is the schema, which is like a blueprint of all objects and containers. Because the schema must be the same throughout the forest, only one machine can authorize schema modifications.

Even in native mode, the PDC Emulator has the following special roles:

• Failed authentication requests.
• For downlevel clients who issue a change (e.g., a password change) that would normally go to the PDC in an NT 4.0 domain.
• Focus of best-effort push of password changes and account lockouts.
• Time source: a time client contacts its DC, the DC contacts the PDC Emulator, and the PDC Emulator contacts the PDC Emulator one level up; the PDC Emulator of the root domain could use Simple Network Time Protocol (SNTP) to contact an atomic Internet clock.
• Focus of group policies: If you edit or create a group policy, you contact the PDC; if the PDC isn’t available, you can select another DC.

FAQ 15.44 How do I change the RID Master FSMO?

FAQ 15.43 defines the relative identifier (RID) Master. To modify the role, perform the following steps:

1. Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in on the domain controller (DC). (From the Start menu, select Programs > Administrative Tools > Active Directory Users and Computers.)
2. In the left-most pane, right-click the domain and select Connect to Domain Controller.
3. Select the DC you want to make the Flexible Single-Master Operation (FSMO) role owner, as shown in Figure 15-25, and click OK.
4. Right-click the domain again and select Operations Master from the context menu.
5. Select the RID Pool tab.
6. You’ll see the name of the machine that holds the RID Master FSMO role, as shown in Figure 15-26.
Figure 15-25 Selecting an alternate domain controller

Figure 15-26 Modifying a RID operations master
7. To make a change, click Change.
8. Click OK in the confirmation dialog box.

Finally, you’ll see a dialog box confirming the role change.

You can also use the Ntdsutil utility to change the RID Master FSMO. In the following code, enter the commands that follow the prompts; the other lines are the tool’s output.

    C:\> ntdsutil
    ntdsutil: roles
    fsmo maintenance: connections
    server connections: connect to server <server name>
    server connections: quit
    fsmo maintenance: transfer rid master

Click Yes in the role-transfer dialog box. Then, continue with the commands that follow the prompts:

    Server "titanic" knows about 5 roles
    Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    fsmo maintenance: quit
    ntdsutil: quit

FAQ 15.45 How do I change the Schema Master FSMO?

To change the Schema Master Flexible Single-Master Operation (FSMO), you must use the Active Directory Schema Manager.

1. First, register the .DLL for the Microsoft Management Console (MMC) snap-in. Go to a command prompt and enter

    regsvr32 schmmgmt.dll
2. Then, use the Microsoft Windows 2000 Resource Kit’s Tools console to start the Schema Manager. Alternatively, create a custom MMC and add the Active Directory Schema snap-in to it. (From the Start menu, select Run and enter MMC.)
3. From the Console menu, select Add/Remove Snap-in. Click Add and select Active Directory Schema.
4. Click Add, Close, and then OK.
5. Start the MMC Active Directory Schema snap-in on the domain controller (DC).
6. In the left-most pane, right-click Active Directory Schema and select Change Domain Controller from the context menu.
7. Enter the DC to connect to.
8. Right-click Active Directory Schema and select Operations Master from the context menu. You’ll see the name of the machine that holds the schema operations FSMO role, as shown in Figure 15-27.

Figure 15-27 Changing the schema operations master
9. To make a change, click Change.
10. To set the Registry to allow changes to the schema, select the checkbox labeled “The Schema may be modified on this server”. (Notice in Figure 15-27 that the machine is already the Schema Master.)
11. Click OK in the confirmation dialog box.

Finally, you’ll see a dialog box confirming the role change.

You can also modify the role from the command line. (Enter the commands that follow the prompts; the other lines are the tool’s output.)

    C:\> ntdsutil
    ntdsutil: roles
    fsmo maintenance: connections
    server connections: connect to server <server name>
    server connections: quit
    fsmo maintenance: transfer schema master

Click Yes in the role-transfer dialog box. Then, continue with the commands that follow the prompts:

    Server "titanic" knows about 5 roles
    Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    fsmo maintenance: quit
    ntdsutil: quit

FAQ 15.46 How do I change the PDC Emulator FSMO?

To modify the role, perform the following steps.

1. Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in on the domain controller (DC). (From the Start
menu, select Programs > Administrative Tools > Active Directory Users and Computers.)
2. In the left-most pane, right-click the domain and select Connect to Domain Controller.
3. Select the DC you want to make the Flexible Single-Master Operation (FSMO) role owner and click OK.
4. Right-click the domain again and select Operations Master from the context menu.
5. Select the PDC tab.
6. You’ll see the name of the machine that holds the PDC Emulator FSMO role.
7. To make a change, click Change.
8. Click OK in the confirmation dialog box.

Finally, you’ll see a dialog box confirming the role change.

You can also use the Ntdsutil utility to change the PDC Emulator FSMO. In the following code, enter the commands that follow the prompts; the other lines are the tool’s output.

    C:\> ntdsutil
    ntdsutil: roles
    fsmo maintenance: connections
    server connections: connect to server <server name>
    server connections: quit
    fsmo maintenance: transfer pdc

Click Yes in the role-transfer dialog box. Then, continue with the commands that follow the prompts:

    Server "titanic" knows about 5 roles
    Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    fsmo maintenance: quit
    ntdsutil: quit
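Each of the transfers in FAQ 15.44 through 15.46 (and the two that follow) ends with ntdsutil printing the five role owners, and the sensible habit is to record the owners before the change and confirm them afterwards from a different DC. Every role is stored as the fSMORoleOwner attribute of one well-known object, and its value is the DN of the owner’s NTDS Settings object, the same DN form ntdsutil prints. The following PowerShell is an added example, not code from the FAQ, that reads those five attributes with ADSI only; it assumes a domain-joined machine whose credentials can read the directory, and the function names are assumptions.

```powershell
# Added example (not from the FAQ): read the five FSMO role owners directly from the
# directory, to check before and after a transfer made with ntdsutil or the MMC.

Add-Type -AssemblyName System.DirectoryServices

function Get-FsmoRoleOwner {
    $root     = [adsi]'LDAP://RootDSE'
    $domainNC = $root.defaultNamingContext.Value
    $configNC = $root.configurationNamingContext.Value
    $schemaNC = $root.schemaNamingContext.Value

    # The object whose fSMORoleOwner attribute records each role
    $roleObjects = [ordered]@{
        'Schema Master'         = $schemaNC                              # forest-wide
        'Domain Naming Master'  = 'CN=Partitions,' + $configNC           # forest-wide
        'PDC Emulator'          = $domainNC                              # per domain
        'RID Master'            = 'CN=RID Manager$,CN=System,' + $domainNC
        'Infrastructure Master' = 'CN=Infrastructure,' + $domainNC
    }
    $forestRoles = @('Schema Master', 'Domain Naming Master')

    foreach ($role in $roleObjects.Keys) {
        $obj   = [adsi]('LDAP://' + $roleObjects[$role])
        $owner = [string]$obj.fSMORoleOwner.Value
        # Owner DN: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
        $parts = $owner -split ','
        [pscustomobject]@{
            Role    = $role
            Scope   = if ($role -in $forestRoles) { 'forest' } else { 'domain' }
            Server  = $parts[1] -replace '^CN='
            Site    = $parts[3] -replace '^CN='
            OwnerDN = $owner
        }
    }
}

function Test-FsmoRoleOwner {
    # After "transfer rid master" (FAQ 15.44) and friends: does the directory, as seen
    # from this DC, agree that the expected server now owns the given roles?
    param(
        [Parameter(Mandatory)][string] $ExpectedServer,
        [string[]] $Role = @('RID Master', 'PDC Emulator', 'Infrastructure Master')
    )
    Get-FsmoRoleOwner | Where-Object { $_.Role -in $Role } | ForEach-Object {
        [pscustomobject]@{
            Role       = $_.Role
            Server     = $_.Server
            AsExpected = ($_.Server -ieq $ExpectedServer)
        }
    }
}

# Get-FsmoRoleOwner | Format-Table Role, Scope, Server, Site -AutoSize
# Test-FsmoRoleOwner -ExpectedServer 'TITANIC'
```

The domain-scoped rows describe the domain of the machine running the script; to check another domain, bind its naming context instead of defaultNamingContext. A row that still shows the old owner right after a transfer usually means the change has not replicated to the DC you are reading from, so query the DC you transferred to before concluding the transfer failed.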
FAQ 15.47 How do I change the Infrastructure Master FSMO?

To modify the role, perform the following steps:

1. Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in on the domain controller (DC). (From the Start menu, select Programs > Administrative Tools > Active Directory Users and Computers.)
2. In the left-most pane, right-click the domain and select Connect to Domain Controller.
3. Select the DC you want to make the FSMO role owner and click OK.
4. Right-click the domain again and select Operations Master from the context menu.
5. Select the Infrastructure tab. You’ll see the name of the machine that holds the Infrastructure Master FSMO role.
6. To make a change, click Change.
7. Click OK in the confirmation dialog box.

Finally, you’ll see a dialog box confirming the role change.

You can also use the Ntdsutil utility to change the Infrastructure Master FSMO. In the following code, enter the commands that follow the prompts; the other lines are the tool’s output.

    C:\> ntdsutil
    ntdsutil: roles
    fsmo maintenance: connections
    server connections: connect to server <server name>
    server connections: quit
    fsmo maintenance: transfer infrastructure master

Click Yes in the role-transfer dialog box. Then, continue with the commands that follow the prompts:

    Server "titanic" knows about 5 roles
    Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    Infrastructure -
    CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    fsmo maintenance: quit
    ntdsutil: quit

FAQ 15.48 How do I change the Domain Naming Master FSMO?

To modify the role, make sure the machine is a Global Catalog (GC). Then, perform the following steps:

1. Start the Microsoft Management Console (MMC) Active Directory Domains and Trusts snap-in on the domain controller (DC). (From the Start menu, select Programs > Administrative Tools > Active Directory Domains and Trusts.)
2. In the left-most pane, right-click Active Directory Domains and Trusts and select Connect to Domain Controller from the context menu.
3. Enter the DC to connect to and click OK.
4. Right-click Active Directory Domains and Trusts and select Operations Master from the context menu. You’ll see the name of the machine that holds the domain naming operations FSMO role.
5. To make a change, click Change.
6. Click OK in the confirmation dialog box.

Finally, you’ll see a dialog box confirming the role change.

You can also use the Ntdsutil utility to change the Domain Naming Master FSMO. In the following code, enter the commands that follow the prompts; the other lines are the tool’s output.

    C:\> ntdsutil
    ntdsutil: roles
    fsmo maintenance: connections
    server connections: connect to server <server name>
    server connections: quit
    fsmo maintenance: transfer domain naming master

Click Yes in the role-transfer dialog box. Then, continue with the commands that follow the prompts:

    Server "titanic" knows about 5 roles
    Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,
    CN=Sites,CN=Configuration,DC=savilltech,DC=com
    Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    fsmo maintenance: quit
    ntdsutil: quit

FAQ 15.49 How can I find the current FSMO role holders in a domain/forest?

The five Flexible Single Master of Object (FSMO) roles are Schema Master, Domain Naming Master, Relative Identifier (RID) Master, PDC Master, and Infrastructure Master. You can use a GUI to find the FSMO role holders, but you need to perform several sets of steps (for this approach, see Q234790 at http://support.microsoft.com/support/kb/articles/Q234/7/90.ASP). However, you can use other approaches to reduce the number of steps that the GUI requires to find the current FSMO role holders.

First, you can use the command file DUMPFSMOS.CMD from the Win2K Server Resource Kit. This command file uses the built-in NTDSUTIL.EXE, which shows you all the FSMO role owners. To find the current FSMO role holders, you simply execute the dumpfsmos command on a domain. For example, you could type the following command:

    dumpfsmos.cmd savilltech.com

When the following information appears on the screen, find the line that reads “Server ‘savilltech.com’ knows about 5 roles,” and read the lines below it to find information about each FSMO role holder.

    Ntdsutil: roles
    fsmo maintenance: Connections
    server connections: Connect to server savilltech.com
    Binding to savilltech.com ...
    Connected to savilltech.com using credentials of locally logged on user
    server connections: Quit
    fsmo maintenance: select Operation Target
    select operation target: List roles for connected server
    Server "savilltech.com" knows about 5 roles
    Schema - CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    Domain - CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    PDC - CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    RID - CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    Infrastructure - CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    select operation target: Quit
    fsmo maintenance: Quit
    Ntdsutil: Quit
    Disconnecting from savilltech.com ...

You can also manually execute the NTDSUTIL.EXE tool by performing the following steps:

1. Click Start > Run.
2. Type cmd in the Open box and press Enter.
3. Type ntdsutil and press Enter.
4. Type domain management and press Enter.
5. Type connections and press Enter.
6. Type connect to server [server name] and press Enter.
7. Type quit and press Enter.
8. Type select operation target and press Enter.
9. Type list roles for connected server and then press Enter.

Sample output from the command follows, with the text you type shown after the prompts. Following the line that reads “Server ‘titanic-dc’ knows about 5 roles,” you’ll find information about your FSMO role holders.

    C:\>ntdsutil
    ntdsutil: domain management
    domain management: connections
    server connections: connect to server titanic-dc
    Binding to titanic-dc ...
    Connected to titanic-dc using credentials of locally logged on user
    server connections: quit
    domain management: select operation target
    select operation target: list roles for connected server
    Server "titanic-dc" knows about 5 roles
    Schema - CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    Domain - CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    PDC - CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    RID - CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    Infrastructure - CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    select operation target: quit
    domain management: quit
    ntdsutil: quit
    Disconnecting from titanic-dc ...

A third option for finding the current FSMO role holders is to use the dcdiag utility, which you can find in the Support/Tools folder of the Win2K Support Tools. To use the dcdiag utility, type the following command:

    dcdiag /test:Knowsofroleholders /v

Sample output for the command follows. You’ll find information about your FSMO role holders below the line that reads “Starting test: KnowsOfRoleHolders.”

    DC Diagnosis

    Performing initial setup:
       * Verifing that the local machine titanic-dc, is a DC.
       * Connecting to directory service on server titanic-dc.
       * Collecting site info.
       * Identifying all servers.
       * Found 1 DC(s). Testing 1 of them.
       Done gathering initial info.

    Doing initial non skippeable tests
    Testing server: Default-First-Site-Name\TITANIC-DC
       Starting test: Connectivity
          * Active Directory LDAP Services Check
          * Active Directory RPC Services Check
          ......................... TITANIC-DC passed test Connectivity

    Doing primary tests

    Testing server: Default-First-Site-Name\TITANIC-DC
       Test omitted by user request: Replications
       Test omitted by user request: Topology
       Test omitted by user request: CutoffServers
       Test omitted by user request: NCSecDesc
       Test omitted by user request: NetLogons
       Test omitted by user request: Advertising
       Starting test: KnowsOfRoleHolders
          Role Schema Owner = CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
          Role Domain Owner = CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
          Role PDC Owner = CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
          Role Rid Owner = CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
          Role Infrastructure Update Owner = CN=NTDS Settings,CN=TITANIC-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
          ......................... TITANIC-DC passed test KnowsOfRoleHolders
       Test omitted by user request: RidManager
       Test omitted by user request: MachineAccount
       Test omitted by user request: Services
       Test omitted by user request: OutboundSecureChannels
       Test omitted by user request: ObjectsReplicated
       Test omitted by user request: frssysvol
       Test omitted by user request: kccevent
       Test omitted by user request: systemlog
    Running enterprise tests on : savilltech.com
    Test omitted by user request: Intersite
    Test omitted by user request: FsmoCheck

FAQ 15.50 Why can't I add a Windows NT 4.0 BDC to my Windows 2000 domain?

Although Windows 2000 supports Windows NT 4.0 BDCs, you'll run into problems if you try to create an NT 4.0 BDC machine account. You'll receive the error message "The Machine Account for This Computer either does not exist or is inaccessible." If you try to use Srvmgr to add the computer account from an existing Windows NT 4.0-based BDC, you'll receive the error message "The Network Request is not supported." Your Win2K-based PDC will log the following error message:

    Source: SAM
    EVENT ID: 12298
    DESCRIPTION: The Account "COMPUTER$" Cannot be converted to be a domain controller account as its object class attribute in the directory is not a computer or is not derived from a computer. If this is caused by an attempt to install a pre-Windows 2000 Domain, then you should recreate the account for the domain controller with the correct object class.

To work around this problem, use Win2K's Srvmgr tool to create the account.

FAQ 15.51 How do I remove a nonexistent domain from Active Directory?

Windows 2000 tracks each domain in the metadata. If you remove all the domain controllers (DCs) for a domain and you don't select the option "This is the last domain controller in the domain" when you run DCPROMO to demote the DC to a normal server, DCPROMO won't clean up the domain information, and the server's domain information will remain. You can use the utility NTDSUTIL to remove a domain from the metadata. (In the following code, enter the commands in bold.)

    ntdsutil
    ntdsutil: metadata cleanup
    metadata cleanup: connections
Connect to a server or domain (e.g., the parent domain) that recognizes the domain you want to delete. (In the following code, enter the commands in bold.)

    server connections: connect to server titanic
    Binding to titanic ...
    Connected to titanic using credentials of locally logged on user
    server connections: quit
    metadata cleanup: select operation target

Next, select the domain you want to delete. (In the following code, enter the commands in bold.)

    select operation target: list domains
    Found 3 domain(s)
    0 - DC=savilltech,DC=com
    1 - DC=dev,DC=savilltech,DC=com
    2 - DC=deleteme,DC=savilltech,DC=com
    select operation target: select domain 2
    Site - CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    Domain - DC=deleteme,DC=savilltech,DC=com
    No current server
    No current Naming Context
    select operation target: quit
    metadata cleanup: remove selected domain

In the confirmation dialog box, which is shown in Figure 15-28, click Yes. Close the utility. (In the following code, enter the commands in bold.)

    "DC=deleteme,DC=savilltech,DC=com" removed from server "titanic"
    metadata cleanup: quit
    ntdsutil: quit
    Disconnecting from titanic ...

Figure 15-28 Confirming domain deletion (with a name like that, are we surprised!)
FAQ 15.52 I canceled a domain controller demotion. Why can't I demote the domain controller now?

Once you start a domain controller (DC) demotion, you don't have an option to cancel it; however, you might have stopped the demotion via the Task Manager or by getting the process ID with tlist, then using the kill command. Neither approach is supported, and if you try to run DCPROMO again, you might get the following error message (depending on the stage the DCPROMO process was in when you stopped it):

    Active Directory is already being installed or removed on this computer. That operation must finish before another may be attempted.

The only way to remove the DC information is to manually remove it using NTDSUTIL. See FAQ 15.53 for details.

FAQ 15.53 How do I remove a nonexistent domain controller?

Windows 2000 tracks each domain controller (DC) in the metadata. If you remove a DC (e.g., through reinstallation or hardware removal), and you don't run DCPROMO to clean up the DC's metadata, connection objects will remain. You can use the utility NTDSUTIL to remove a server from the metadata. (In the following code, enter the commands in bold.)

    ntdsutil
    ntdsutil: metadata cleanup
    metadata cleanup: select operation target

Next, you must connect to a server. In my example, I select a domain to accomplish this task. (In the following code, enter the commands in bold.)

    select operation target: connections
    server connections: connect to domain savilltech.com
    Binding to TITANIC.savilltech.com ...
    Connected to TITANIC.savilltech.com using credentials of locally logged on user
    server connections: quit
Next, you must select a site, a server (i.e., the server you want to delete), and the domain the server is in. The order isn't important. (In the following code, enter the commands in bold.)

    select operation target: list sites
    Found 2 site(s)
    0 - CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    1 - CN=Kent,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    select operation target: select site 0
    Site - CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    No current domain
    No current server
    No current Naming Context
    select operation target: list servers in site
    Found 4 server(s)
    0 - CN=TITANIC,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    1 - CN=TITUS,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    2 - CN=MORPHEUS,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    3 - CN=TRINITY,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    select operation target: select server 2
    Site - CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    No current domain
    Server - CN=MORPHEUS,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    DSA object - CN=NTDS Settings,CN=MORPHEUS,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    DNS host name - MORPHEUS.deleteme.savilltech.com
    Computer object - CN=MORPHEUS,OU=Domain Controllers,DC=deleteme,DC=savilltech,DC=com
    No current Naming Context
    select operation target: list domains
    Found 3 domain(s)
    0 - DC=savilltech,DC=com
    1 - DC=dev,DC=savilltech,DC=com
    2 - DC=deleteme,DC=savilltech,DC=com
    select operation target: select domain 0
    Site - CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    Domain - DC=savilltech,DC=com
    Server - CN=MORPHEUS,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    DSA object - CN=NTDS Settings,CN=MORPHEUS,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
    DNS host name - MORPHEUS.deleteme.savilltech.com
    Computer object - CN=MORPHEUS,OU=Domain Controllers,DC=deleteme,DC=savilltech,DC=com
    No current Naming Context
    select operation target: quit

Next, remove the server you selected. (In the following code, enter the command in bold.)

    metadata cleanup: remove selected server

In the confirmation dialog box, which is shown in Figure 15-29, click Yes. Close the utility. (In the following code, enter the commands in bold.)

    "CN=MORPHEUS,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com" removed from server "TITANIC.savilltech.com"
    metadata cleanup: quit
    ntdsutil: quit
    Disconnecting from TITANIC.savilltech.com ...

Finally, you need to delete the server from the Microsoft Management Console (MMC) Active Directory Sites and Services snap-in.

1. Select Programs > Administrative Tools > Active Directory Sites and Services from the Start menu.

Figure 15-29 Confirming a server delete
2. Expand the Sites branch, select the site, expand the Services container, right-click the server, and select Delete.
3. Click Yes in the confirmation dialog box.

I have been informed of a possible problem with this if SP2 is installed, in which case, perform this procedure on a box without SP2 installed.

FAQ 15.54 Why can't I create a Kerberos-based trust between two domains in different forests?

When you manually create trusts, you can select one of two authentication protocols.

• Kerberos—The Kerberos V5 authentication protocol is the default authentication service for Windows 2000. You use it to verify that a user/host is who it says it is. This protocol is used for trusts between domains in a tree and between the root domains in a forest.
• NT LAN Manager (NTLM)—The NTLM authentication protocol is the default for network authentication in Windows NT 4.0 and earlier, but Win2K still supports it (although not as the default). NTLM is a challenge/response authentication protocol.

A transitive Kerberos-based trust links domains within a forest. Thus, when you create a trust between two domains in different forests, you can select only NTLM because Kerberos isn't available for cross-forest trust relationships. This limitation isn't a Kerberos one, but a limitation of the Microsoft implementation. If you use a third-party Kerberos implementation (e.g., MIT), you can use Kerberos for cross-forest trusts.

FAQ 15.55 How do I modify the number of Active Directory objects to search?

By default, AD searches 10,000 objects at a time. This policy affects all browse displays associated with AD (e.g., those in Local Users and Groups), the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, and the dialog boxes you use to set permissions for user or group objects in AD. As your organization grows, you might need to change the number of objects to search. To set the number for a Group Policy Object:
1. Start the MMC Active Directory Users and Computers snap-in. (Select Programs > Administrative Tools > Active Directory Users and Computers from the Start menu.)
2. Right-click the container and select Properties.
3. Select the Group Policy tab.
4. Select the Group Policy Object and select Edit.
5. Select the User Configuration branch and expand Administrative Templates > Desktop > Active Directory.
6. Double-click Maximum size of Active Directory searches.
7. Select Enabled and set the number (e.g., 20000), as shown in Figure 15-30.
8. Click Apply.

Figure 15-30 Modifying the number of Active Directory search results via Policy
9. Click OK.
10. Close the Group Policy editor.

To edit the Registry to set the number for a user:

1. Start Regedit.
2. Go to the HKEY_CURRENT_USER\Software\Policies\Microsoft Registry entry.
3. From the Edit menu, select New > Key.
4. Enter Windows.
5. Select the Windows key, and from the Edit menu, select New > Key.
6. Enter Directory UI.
7. Go to the Directory UI key, and from the Edit menu, select New > DWORD Value.
8. Enter QueryLimit and press Enter.
9. Double-click the new value and set the decimal value.
10. Click OK.
11. Close the Registry editor.

For both methods, the change will take effect when the user logs on the next time.

FAQ 15.56 How do I configure Group Policy to apply folder redirection settings to users who access the local network remotely?

By default, Windows 2000 doesn't apply Group Policy folder redirection settings to users on slow network connections. To modify this behavior, perform the following steps:
1. Start Group Policy editor (GPE) and load the policy in question (you can also right-click the Active Directory—AD—container that the policy applies to, select Properties, select the Group Policy tab, and click Edit).
2. Navigate to Computer Configuration > Administrative Templates > System > Group Policy.
3. Double-click Folder Redirection policy processing.
4. Select Enabled.
5. Select the Allow processing across a slow network connection checkbox (see Figure 15-31). (You can also double-click Group Policy slow link detection to set what constitutes a slow link.)
6. Click OK.

Figure 15-31 Folder Redirection options
7. Select Enabled to set the connection speed (500Kbps by default).
8. Click OK.
9. Close GPE.

FAQ 15.57 How can I replicate logon scripts between Windows 2000 and Windows NT 4.0 domain controllers?

NT 4.0 LAN Manager Replication (LMRepl) uses directory replication to replicate data from one export machine (%systemroot%\system32\Repl\export) to the import folders of the other domain controllers (DCs) (%systemroot%\system32\Repl\import), which then share the data as the Netlogon share. Win2K File Replication Service (FRS) uses the SYSVOL volume (%systemroot%\SYSVOL\sysvol), which replicates among DCs automatically. The Netlogon share points to %systemroot%\SYSVOL\sysvol\<domain name>\SCRIPTS. The different system approaches are incompatible. Therefore, you must manually configure a script to periodically copy files from one of the Win2K Netlogon shares to the NT 4.0 export machine, which can then disseminate the files to the other NT 4.0 DCs. The Windows 2000 Resource Kit supplies LBRIDGE.CMD, a template for this script that can use either Xcopy or Robocopy to perform the file operations. If you don't configure such a script, your NT 4.0 DCs will have out-of-date logon scripts.

FAQ 15.58 How can I stop password changes from being pushed to the PDC FSMO over WAN links?

By default, when someone changes a password, the change occurs on the local domain controller (DC), but Windows also pushes the change to the PDC Flexible Single-Master Operation (FSMO) role holder because such changes take time to replicate around the domain. If the change wasn't pushed to the FSMO role holder and someone tried to log on with the new password that wasn't replicated, the logon would fail. To avoid this kind of failure, Windows attempts to authenticate on the PDC FSMO role holder. To prevent the system from pushing password changes over slow WAN links, make the following change on the relevant DCs:
1. Start REGEDIT.EXE.
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. From the Edit menu, select New > DWORD Value.
4. Enter a name of AvoidPdcOnWan and press Enter.
5. Double-click AvoidPdcOnWan and set it to 1.
6. Click OK.
7. Close Regedit.

FAQ 15.59 How can I use the Registry to configure Group Policy update times?

You usually configure Group Policy update times under the Computer Configuration\Administrative Templates\System\Group Policy and the User Configuration\Administrative Templates\System\Group Policy branches; however, you can also directly set the Registry to configure Group Policy update times by performing the following steps:

1. Start REGEDIT.EXE.
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System to set Computer refresh. Or, alternatively, go to HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System to set User refresh.
3. Create a DWORD value with a name of GroupPolicyRefreshTime and set it to a number between 0 and 648000 minutes.
4. Create a DWORD value with a name of GroupPolicyRefreshTimeOffset and set it to a number between 0 and 1440 minutes. (You specify an offset value to prevent many clients from trying to refresh at the same time.)
5. Close Regedit.
FAQ 15.60 Why can't I create an organizational unit and child domain with the same name from one parent?

Although X.500 lets an organizational unit (OU) and child domain share a name, Active Directory (AD) doesn't. Shared names in AD cause problems with relative distinguished names (RDNs). If you try to create an OU and give it the same name as a child domain that already exists, you'll get the error message

    Active Directory
    Windows cannot create the object because:
    An attempt was made to add an object to the directory with a name that was already in use.
    Name-related properties on this object might now be out of sync.
    Contact your network administrator.

If you try to create a child domain and give it the same name as an OU that already exists, you'll get the error message

    Active Directory Installation Failed
    The operation failed because:
    The Directory Service failed to create the object CN=Sales,CN=Partitions,CN=Configuration,DC=Savilltech,DC=Com. Please check for possible system errors.
    "The directory service is busy"

Microsoft is aware of these restrictions, and no workarounds exist.

FAQ 15.61 I've upgraded one of my Windows NT 4.0 DCs to Windows 2000. Why do all of my Win2K Professional clients use the Win2K DC for authentication?

When you upgrade to Win2K, you should upgrade at least two domain controllers (DCs). Then, if you have to stop one Win2K DC, the other Win2K DC can act as the PDC to older NT 4.0 DCs. If you have only one Win2K DC and you have to stop it, you have to promote an NT 4.0 BDC to PDC. Doing so loses all AD information, and
you can't bring the Win2K DC back into the domain because a Win2K DC can't act as a BDC to an NT 4.0 PDC.

The behavior you're encountering is actually a design "feature." The idea behind this feature was that the Win2K clients understand group policy concepts, so—where possible—they should log onto a Win2K DC. However, this feature causes the Win2K clients to use the Win2K DC for all authentication, which overloads the machine. This has been fixed in Service Pack 1 for Windows 2000.

FAQ 15.62 How can I move the Active Directory log files?

Along with the NTDS.DIT file, the AD keeps several log files that you might want to move to a faster disk. To do so, perform the following steps:

1. Restart the domain controller (DC).
2. Press F8 at the Startup menu when the system displays the list of OSs.
3. Select Directory Services Restore Mode.
4. Select the appropriate installation, if more than one exists, and then log on as an administrator at the logon prompt.
5. Start a command prompt (Start > Run > CMD.EXE).
6. Start the NTDS utility, NTDSUTIL.EXE.
7. At the ntdsutil prompt, type files as follows:
    ntdsutil: files
8. At the file maintenance prompt, type the following:
    file maintenance: move logs to [new location for file]
9. To view the log files, at the file maintenance prompt, type info:
    file maintenance: info
10. Type quit twice to return to a C prompt.
11. Restart the computer in Normal mode.
FAQ 15.63 How do I enable circular logging for Active Directory?

AD can record sequential or circular logs. The default logging method is sequential. Sequential log files aren't overwritten with new data. These files grow until they reach a specified size. After all the transactions in a log file are committed to the database, the log file is unnecessary. AD's garbage-collection process deletes unnecessary log files every 12 hours by default. If your server doesn't stay up longer than 12 hours between reboots, AD can't clean up old log files. Eventually, the files will use all your available disk space.

Circular logs overwrite transactions at specific intervals. Some administrators prefer circular logging because this method helps minimize the amount of logged data the physical disk must store. To enable circular logging, you need to edit the Registry.

1. Start Regedt32.
2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters Registry entry.
3. If the value CircularLogging doesn't exist, select New > String value from the Edit menu and enter CircularLogging.
4. Double-click CircularLogging and set the value to 1 to enable circular logging. (Setting the value to 0 disables circular logging and enables sequential log files.)
5. Close the Registry editor.
6. Reboot the machine to restart the Directory Service (DS) and make the change effective.

FAQ 15.64 How do I audit Active Directory?

You can configure AD auditing to produce successful and failed entries in the Directory Service (DS) event log.

1. Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. (Select Programs > Administrative Tools > Active Directory Users and Computers from the Start menu.)
2. From the View menu, select Advanced Features.
3. Expand the domain, right-click the Domain Controllers container, and select Properties from the context menu.
4. Select the Group Policy tab.
5. Select Default Domain Controllers Policy and click Edit.
6. Expand the Computer Configuration branch, the Windows Settings branch, the Security Settings branch, and the Local Policies branch.
7. Select Audit Policy.
8. The right-most window will show auditing levels. Double-click Audit Directory Service Access.
9. Select the relevant checkboxes (e.g., Audit successful attempts, Audit failed attempts), as shown in Figure 15-32. Click OK.
10. Close the Group Policy window.
11. In the main Domain Controllers Properties dialog box, click OK.
12. Close the Active Directory Users and Computers MMC snap-in.

Figure 15-32 Directory Service audit options
You can use Event Viewer to view the logs in the Security log. Because domain controllers poll for policy changes every five minutes, the policy change might take as long as five minutes to take effect. Other domain controllers in the enterprise receive the changes after the five-minute interval, plus replication time.

FAQ 15.65 Why has my user group person icon's hair gone gray?

According to the Microsoft Knowledge Base, this behavior isn't a result of a stressed-out group but of a bug in Windows 2000 that results in the hair color changing from black to gray if a group has more than 500 users. Functionality doesn't change, and the hair-color change has no other effect (except that the group appears older and slightly more distinguished).

FAQ 15.66 How do I move objects within my forest?

You can use the Microsoft Windows 2000 Resource Kit's Movetree utility to move organizational units (OUs), users, or computers between domains in a forest. This capability is useful for consolidating domains or for reflecting organizational restructuring. You can't use Movetree to move certain objects, such as local and domain global groups. If you move the container that these objects are in, the utility places the objects in an orphan container in the source domain's LostAndFound container. Movetree also doesn't move associated data, such as policies, profiles, logon scripts, and personal data. To move these items, use the Remote Administration Scripts tool to write custom scripts. Movetree's syntax is

    movetree [/start | /continue | /check] [/s SrcDSA] [/d DstDSA] [/sdn SrcDN] [/ddn DstDN] [/u Domain\Username] [/p Password] [/quiet]
The following table describes each option:

    /start                Starts a Movetree operation with the /check option by default. Use /startnocheck to start a Movetree operation without a check.
    /continue             Continues a failed Movetree operation.
    /check                Checks the whole tree before moving an object.
    /s <SrcDSA>           Source server's fully qualified primary DNS name. Required.
    /d <DstDSA>           Destination server's fully qualified primary DNS name. Required.
    /sdn <SrcDN>          Source subtree's root distinguished name (DN). Required for /start and /check operations. Optional for /continue operations.
    /ddn <DstDN>          Destination subtree's root DN. Relative distinguished name (RDN) plus destination parent DN. Required.
    /u <Domain\UserName>  Domain name and user account name. Optional.
    /p <Password>         Password. Optional.
    /quiet                Quiet mode. Doesn't include screen output. Optional.

Run the Movetree utility in /check mode first, to perform a test without carrying out the action. You'll see any errors that will occur, and the utility will write these errors to the file MOVETREE.ERR in your current directory. If your test is OK, proceed with the /start option. An example Movetree command is

    movetree /check /s titanic.market.savilltech.com /d pluto.legal.savilltech.com /sdn OU=testing,DC=Market,DC=Savilltech,DC=COM /ddn OU=test2,DC=Legal,DC=Savilltech,DC=COM

This command would move the OU testing from the domain market.savilltech.com to the OU test2 in the domain legal.savilltech.com.

FAQ 15.67 How do I allow modifications to the schema?

The schema is extensible, which means that you can change it. However, modifying the schema is dangerous because doing so affects the entire domain forest. Microsoft warns against modifying the schema because changes to the schema cannot be undone.
If you insist on modifying the schema, you can use the GUI or edit the Registry. To use the GUI, you must first register the .DLL file for the Microsoft Management Console (MMC) snap-in. Go to a command prompt and enter

    regsvr32 schmmgmt.dll

Then, use the Microsoft Windows 2000 Resource Kit's Tools console to start the Schema Manager. Alternatively, create a custom MMC to start the Schema Manager. Next, add the Active Directory Schema snap-in to the Schema Manager. From the Start menu, select Run and enter

    MMC

From the Console menu, select Add/Remove Snap-in. Click Add and select Active Directory Schema. Finally, click Add, Close, and then OK.

1. Start the MMC Active Directory Schema snap-in on the domain controller (DC).
2. In the left-most pane, right-click Active Directory Schema, and select Operations Master from the context menu.
3. You'll see the name of the machine that holds the domain name operations Flexible Single-Master Operation (FSMO) role, as shown in Figure 15-33.

Figure 15-33 Enabling schema modification (Be careful!)
4. Select the Schema may be modified on this server checkbox.
5. Click OK in the confirmation dialog box.

Another way to modify the schema is to edit the Registry:

1. Start Regedit.
2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters Registry entry.
3. Double-click Schema Update Allowed (of type REG_DWORD).
4. Set the value to 1.
5. Click OK.
6. Close the Registry editor.

FAQ 15.68 How do I switch my Windows 2000 domain to native mode?

Windows 2000 domains have two modes: mixed and native. Mixed-mode domains let Windows NT 4.0 BDCs participate in a Win2K domain. In a native mode domain, only Win2K-based domain controllers (DCs) can participate in the domain. In addition, NT 4.0-based BDCs can't act as DCs. Switching to native mode lets you use the new universal security groups, which you can nest inside one another (unlike cross domain global groups). NetBIOS-based clients can still use their NetBIOS domain names to log on, even in native mode. To switch a Win2K domain to native mode, perform the following steps:

1. Start the Microsoft Management Console (MMC) Active Directory Domains and Trusts snap-in.
2. Right-click the domain you want to convert to native mode and select Properties.
3. Select the General tab.
4. Click Change Mode, as shown in Figure 15-34.
5. Click Yes in the confirmation dialog box.
6. Click Apply to return to the main dialog box.
7. Click OK.

Check all the DCs in the domain. If you can't contact a DC (e.g., if the DC is in a remote site and connects only periodically), the remote DC will switch to native mode the next time replication occurs.
Figure 15-34 Switching the domain to native mode

FAQ 15.69 How can I move the NTDS.DIT file?

The NTDS.DIT file contains the Active Directory (AD) data for your domain and is stored in the %systemroot%\ntds folder. This file can become very large. To improve performance, you might want to move this file to a faster drive. To do so, perform the following steps:

1. Restart the domain controller (DC).
2. Press F8 at the Startup menu when the system displays the list of OSs.
3. Select Directory Services Restore Mode.
4. Select the appropriate installation, if more than one exists, and then log on as an administrator at the logon prompt.
5. Start a command prompt (Start > Run > CMD.EXE).
6. Start the NTDS utility, NTDSUTIL.EXE.
7. At the ntdsutil prompt, type files as follows:
    ntdsutil: files
8. At the file maintenance prompt, type the following:
    file maintenance: move DB to
9. To view the database, at the file maintenance prompt, type info as follows:
    file maintenance: info
10. To verify the integrity of the database at its new location, at the file maintenance prompt, type integrity as follows:
    file maintenance: integrity
11. Type quit twice to return to a C prompt.
12. Restart the computer in Normal mode.

FAQ 15.70 Why is the size of the NTDS.DIT file different on different domain controllers?

The NTDS.DIT file contains Active Directory (AD) information, and because all domain controllers (DCs) replicate AD, you might expect the file to be the same size on all DCs. However, you might find differently sized files because the database file is created individually on each DC, and the data—not the database file—replicates. Thus, several factors can lead to files with different sizes:

• Over time, the database can become fragmented. Although objects are deleted while the database is online, you can't compact the database online (compacting requires a manual offline defragmentation).
• If a DC is a Global Catalog (GC), it contains information about objects of other domains in the forest, thus making it larger than non-GC servers.
• The displayed size of the NTDS.DIT file is the size of the file when you started the DC; if many objects are added and you restart one DC, that DC's NTDS.DIT file size will appear larger.

FAQ 15.71 How do I reset a machine account password?

Like user accounts, machine accounts in a domain have passwords that change automatically. The domain stores the previous and current passwords so that the previous password is accessible for authentication in case someone changes the current password but the domain controller hasn't yet fully replicated the password. If a password changes twice, the computers that use the password might be unable to communicate. In this case, you would receive an error message (e.g., the error message "Access Denied" when Active Directory—AD—replication occurs). Passwords can also be out of sync during replication between domain controllers in the same domain.

You can manually change a machine account password. You must use the Microsoft Windows 2000 Resource Kit's Netdom tool rather than the Active Directory Users and Computers snap-in. Netdom is in Win2K's Support\Tools folder. To reset a machine account password, enter

    netdom resetpwd /server:<servername> /userd:<username>\Administrator /passwordd:*

After you enter the command, you'll see the following.

    Type the password associated with the domain user:
    The machine account password for the local machine has been successfully reset.
    The command completed successfully.

You need to run this Netdom command on the machine for which you want to change the password. The server must be a domain controller in the domain, and the user must have a domain account with administrative privileges over the machine account whose password you're changing. You need to restart the machine for the password change to take effect.
Simultaneously resetting the password on the local machine and a domain controller ensures that the two computers involved in the operation are synchronized, and starts AD replication so that other domain controllers receive the change.
FAQ 15.72 How can I let users search, but not browse, Active Directory?

You can use either a policy setting or the Registry to configure AD for browsing. To use the policy setting method, perform the following steps:

1. Open Group Policy with the Group Policy editor (GPE).
2. Navigate to User Configurations > Administrative Templates > Desktop > AD.
3. Double-click Hide Active Directory folder.
4. Select the Policy tab.
5. Click Enabled and click OK.
6. Close the policy.

To use the Registry to complete the same task, perform the following steps:

1. Start the Registry editor (e.g., REGEDIT.EXE).
2. Navigate to HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft.
3. If the Windows key doesn't exist, click Edit > New > Key to create the key.
4. Look for Directory UI under the Windows key, and if it doesn't exist, click Edit > New > Key to create the key.
5. From the Edit menu, select New > DWORD Value.
6. Enter a name of HideDirectoryFolder and press Enter.
7. Double-click the new value, set it to 1, and click OK.
8. Close the Registry editor.

FAQ 15.73 How does ntdsutil know it's in Directory Restore mode?

When you start the domain controller (DC) in Directory Restore mode, the DC sets the environment variable safeboot_option to dsrepair. If you want to check something in ntdsutil that is allowed only in Directory Restore mode, you can trick the program by typing the following statement at a command prompt:

    set SAFEBOOT_OPTION=DSREPAIR
Don't use this approach on a live or important machine, because it could result in system damage if you perform modifications that assume the system is in Directory Restore mode when it isn't.

FAQ 15.74 How can I prevent the OS from storing LAN Manager (LM) hashes in Active Directory and the SAM?

Both Windows XP and Windows 2000 support several authentication methods, including LAN Manager (LM), NT LAN Manager (NTLM), and NTLM version 2 (NTLMv2). The LM hash is easy to crack: the password is converted to uppercase, truncated to 14 characters, and split into two 7-character halves that are hashed independently, so an attacker works on two short, case-insensitive pieces rather than one long password. Starting with Win2K Service Pack 2 (SP2), Microsoft addressed this weakness by adding the ability to disable the storage of LM hashes. To disable LM hashes in Win2K, perform the following steps:

1. Start the Registry editor (REGEDIT.EXE) on the domain controller (DC).
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
3. From the Edit menu, select New > Key.
4. Enter a name of NoLMHash and press Enter.
5. Close the Registry editor.
6. Restart the computer for the change to take effect.

To disable LM hashes in XP, perform steps 1 and 2 above. At step 3, from the Edit menu, select New > DWORD Value; at step 4, enter a name of NoLMHash and set the value to 1. Complete the process by performing steps 5 and 6.

The setting stops new LM hashes from being written; it doesn't remove hashes that are already stored, so the change won't take effect for an account until that user changes his or her password. In XP, you can also use Group Policy (GP) to disable LM hashes under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. Locate the policy entitled "Network security: Do not store LAN Manager hash value on next password change." Be aware that if you set this option, some components that rely on LM hashes (e.g., the Windows 9x change password operation, or Win9x client authentication if you don't have the Directory Services client pack installed) might not work as expected.
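Because NoLMHash only takes effect as passwords change, you need a way to check which accounts still carry an LM hash. The following is an added example, not from the FAQ: it shows the LM pre-processing that makes the hash weak, and audits a pwdump-style hash dump (user:rid:lmhash:nthash:::) using the well-known LM and NT hashes of the empty password as sentinels. The sample dump is constructed; its hex values are not hashes of any real password, and the OEM code page (cp437) is an assumption.

```python
"""Audit a pwdump-style hash dump for accounts that still carry an LM hash
(added example, not from the FAQ). Lines use the user:rid:lmhash:nthash:::
layout. The two sentinel constants are the LM and NT hashes of an empty
password; a DC writes the LM sentinel once NoLMHash is in effect and the
account's password has been changed, or when the password exceeds 14 chars.
"""
import re
from typing import Dict, List, Tuple

EMPTY_LM_HALF = "aad3b435b51404ee"                # LM half for seven null bytes
EMPTY_LM = EMPTY_LM_HALF * 2                      # LM hash of the empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"     # NT hash (MD4) of the empty password

NO_LM = "no LM hash stored"
LM_SHORT = "LM hash stored, password is 7 characters or fewer"
LM_LONG = "LM hash stored, password is 8 to 14 characters"
EMPTY_PW = "empty password"

_DUMP_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):"
)


def lm_halves(password: str, oem_codepage: str = "cp437") -> Tuple[bytes, bytes]:
    """The pre-processing that makes LM weak: uppercase, encode in the OEM
    code page (cp437 assumed here), truncate to 14 bytes, null-pad, and split
    into two 7-byte halves that are hashed independently. A password of seven
    characters or fewer leaves the second half all zeros, which is why its
    second hash half then equals EMPTY_LM_HALF."""
    raw = password.upper().encode(oem_codepage, "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def classify(lm_hex: str, nt_hex: str) -> str:
    """Map one account's LM and NT fields to a finding."""
    lm, nt = lm_hex.lower(), nt_hex.lower()
    if nt == EMPTY_NT:
        return EMPTY_PW
    if lm == EMPTY_LM:
        return NO_LM            # NoLMHash honoured, or password longer than 14
    if lm[16:] == EMPTY_LM_HALF:
        return LM_SHORT         # only the first DES half carries data
    return LM_LONG


def audit(dump: str) -> List[Tuple[str, str]]:
    """Parse each dump line and return (user, finding); lines that don't
    match the format (comments, blanks) are skipped."""
    findings = []
    for line in dump.splitlines():
        m = _DUMP_LINE.match(line.strip())
        if not m:
            continue
        findings.append((m["user"], classify(m["lm"], m["nt"])))
    return findings


def summarize(dump: str) -> Dict[str, int]:
    """Count accounts per finding, for a quick before/after comparison."""
    counts: Dict[str, int] = {}
    for _, finding in audit(dump):
        counts[finding] = counts.get(finding, 0) + 1
    return counts


# Constructed sample dump: the non-sentinel hex values are arbitrary.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1a2b3c4d5e6f70819a2b3c4d5e6f7081:::
svc_backup:1105:0c4f9a1d7e2b3c5d11aa22bb33cc44dd:5566778899aabbccddeeff0011223344:::
jsavill:1001:9f8e7d6c5b4a3928aad3b435b51404ee:00112233445566778899aabbccddeeff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
# comment lines like this one are ignored
"""

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_DUMP):
        print(f"{user:<16} {finding}")
    print(summarize(SAMPLE_DUMP))
```

Run the audit before enabling NoLMHash and again after the next password-change cycle; accounts that still report an LM hash have not changed their password since the setting took effect, and the "7 characters or fewer" finding is the cheapest to crack because only one DES half carries data.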
FAQ 15.75 How do I publish a shared folder in Active Directory?

The usual method of connecting to a shared folder is to either browse a specific machine for its visible shares (ones without a $ at the end of the name) or know the share's complete Uniform Naming Convention (UNC) path in advance. However, you can publish shared folders to Active Directory (AD):

1. Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.
2. Right-click the container you want to house the shared folder.
3. Select New > Shared Folder from the context menu.
4. In the dialog box that displays, enter a name for the share and the share's UNC path.
5. Click OK.

The share you create will be visible in Windows Explorer under My Network Places > Entire Network > Directory > <domain>. To remove the published share, simply right-click the shared folder in the Active Directory Users and Computers snap-in and select Delete. Deleting the published object removes only the AD entry; the share itself remains on the server, and the share's own permissions still govern access to it.

FAQ 15.76 What happens if two AD objects have the same RDN?

Every Active Directory (AD) object has a distinguished name (DN), e.g., CN=John Savill,CN=Users,DC=SavillTech,DC=Com, that uniquely identifies the object and its position in AD. The leftmost component of the DN is the relative distinguished name (RDN), the name relative to the container (e.g., CN=John Savill for the user). Two objects with the same RDN can't exist in one container. For example, in the container CN=Users,DC=SavillTech,DC=Com, CN=John Savill and OU=John Savill are allowed because one is a user and the other is an organizational unit (OU), so the RDNs differ in their attribute type. However, two objects named CN=John Savill aren't allowed. The only way you can end up with a duplicate RDN is if two objects with the same name are created in the same container on different domain controllers (DCs) before the first has replicated. At the next replication cycle, the system renames the older object, appending a conflict marker (\0ACNF: followed by the object's GUID) to its RDN. To find objects that the system has renamed because of RDN collisions, use the search.vbs script from support\tools\support.cab as follows:
cscript search.vbs "LDAP://<server>/dc=<domain>,dc=com" /C:"(CN=*\0ACNF:*)" /P:distinguishedName /S:SubTree

Each match displays the distinguishedName of a renamed object.

FAQ 15.77 How can I move multiple users between organizational units?

You can move an individual user between OUs by right-clicking the user in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in and selecting Move. To move multiple users, perform the following steps:

1. Start the Active Directory Users and Computers snap-in (go to Start > Programs > Administrative Tools, and click Active Directory Users and Computers).
2. Open the OU that contains the users you want to move.
3. Select multiple users by holding down Ctrl and clicking each user (if the users are in sequence, you can select them all by left-clicking the first name, holding down Shift, then left-clicking the last name).
4. Right-click the last user you selected and select Move from the context menu.
5. Select the destination OU and click OK.

FAQ 15.78 How do I create a certificate trust list for a domain?

A certificate trust list (CTL) is a signed list of the Certificate Authorities (CAs) a domain trusts, together with the purposes for which it trusts them. You configure one for each domain so that the domain's users can rely on certificates those CAs issue. First, you need to install an Enterprise CA (see FAQ 15.79). You also need a certificate that can sign the list: either an Administrator certificate or an explicit Trust List Signing certificate. The following steps outline how to request an Administrator certificate:

1. Start the Microsoft Management Console (MMC).
2. From the Console menu, select Add/Remove Snap-in.
3. Click Add.
4. Select Certificates and click Add.
5. Select My user account as the type and click Finish.
6. Click Close.
7. Click OK to return to the main dialog box.
8. Expand the Certificates root and right-click Personal.
9. From the All Tasks menu, select Request New Certificate, as shown in Figure 15-35.
10. Click Next in the Certificate Request Wizard dialog box.
11. Select the Administrator template and click Next.
12. Enter a user-friendly name and description, and click Next.
13. Click Finish when the confirmation screen displays.
14. When the dialog box displays to confirm the certificate creation, click Install Certificate.
15. Finally, click OK in the success dialog box.

As shown in Figure 15-36, you can use the MMC Certificates snap-in to view the certificate and see that the Enterprise CA, rather than the local Administrator, issued the certificate.

To create the CTL, perform the following steps:

1. Start the MMC Active Directory Users and Computers snap-in. (From the Start menu, select Programs > Administrative Tools > Active Directory Users and Computers.)
2. Right-click the domain and select Properties.
3. Select the Group Policy tab.
4. Select Default Domain Policy (or another policy) and click Edit.
5. Select User Configuration > Windows Settings > Security Settings > Public Key Policies > Enterprise Trust.
6. Right-click Enterprise Trust and select New > Certificate Trust List.
7. When the Certificate Trust List Wizard starts, click Next (see Figure 15-37).
8. You can enter a prefix for the CTL and select the purposes for which the listed CAs are trusted (e.g., Encrypting File System, EFS).
9. Click Next.
10. Click Add from Store, select the certificate of each CA the domain should trust, and click OK. Click Next.
11. Choose the signing certificate (i.e., the Administrator certificate you requested above): click Select from Store, select the certificate that displays, and click OK. Click Next.
12. You can add a timestamp if you want. Click Next.
13. Enter a user-friendly name and description. Click Next.
14. Click Finish when the summary page displays.
15. Click OK in the success dialog box.

Because clients accept the CAs a CTL names on the strength of its signature, protect the private key of the certificate you sign it with as carefully as a CA key.
Figure 15-35 Confirmation of the native mode switch

Figure 15-36 Viewing certificates for current user

Figure 15-37 Purpose dialog of a certificate
FAQ 15.79 How do I install an Enterprise Certificate Authority?

A Certificate Authority (CA) is the trusted third party that vouches, by signing a certificate, that a given public key belongs to the named user or computer. A domain normally has a hierarchy of CAs: an enterprise root CA issues a certificate to itself and creates subordinate CAs. The root CA gives the subordinate CAs their certificates, and the subordinate CAs issue certificates to users. For automatic enrollment, a domain needs an Enterprise CA so that clients can request certificates, such as an Encrypting File System (EFS) recovery certificate. To install an Enterprise CA, perform the following steps:

1. Start the Control Panel Add/Remove Programs applet.
2. Click Add/Remove Windows Components to start the Windows Components Wizard.
3. Click Next when the welcome screen appears.
4. When the list of components displays, select the Certificate Services checkbox and click Next.
5. Select the CA type. The types are:
   Enterprise root CA
   Enterprise subordinate CA
   Standalone root CA
   Standalone subordinate CA
   Select Enterprise root CA and click Next.
6. Enter a CA name and other information about the organization, as shown in Figure 15-38. Click Next.
7. Accept the default location for the certificate database (i.e., %systemroot%\System32\CertLog). Click Next.
8. If Microsoft IIS is running, the wizard stops the service and displays a dialog box. Click OK.
9. The wizard generates a list of files to copy and installs them, along with the service and system configuration. You might need to insert the Windows 2000 Server CD-ROM.
10. When the wizard completes, click Finish.

A shortcut to the Microsoft Management Console (MMC) Certification Authority snap-in now appears in the Administrative Tools folder. The root CA's private key is the trust anchor for every certificate the hierarchy issues, so restrict who can log on to and administer this server.
Figure 15-38 Certificate information

FAQ 15.80 How does a user request a certificate over the Web?

The Windows 2000 Certificate Services installation adds a virtual directory called CertSrv that points to %systemroot%\System32\CertSrv. You can use this directory to request certificates over an intranet:

1. Go to http://<Certificate Authority server>/certsrv.
2. Select Request a certificate and click Next.
3. Select User Certificate and click Next.
4. Click More Options to see the available Cryptographic Service Providers (CSPs). Selecting Advanced lets you set the key size, hash algorithm, and so on.
5. Click Submit.
6. After the certificate generates, click Install this certificate.
7. Close the Web page.

After the certificate installs, you can use the user's Microsoft Management Console (MMC) Certificates snap-in to view it. The key pair is generated locally by the CSP you chose; only the request, which carries the public key, is sent to the CA, so the private key never leaves the user's machine.