
Active Directory

Product Operations Guide


The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO

WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), but only for the purposes provided in the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.

© 2003 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Contents

Introduction to Product Operations Guide
    Document Purpose
    Intended Audience
    How to Use This Guide
    Background
High-Level Processes for Maintaining Active Directory
    Overview
    Technology Required
    Maintenance Processes Checklist
        Operating Quadrant
        Supporting Quadrant
        Optimizing Quadrant
        Changing Quadrant
Detailed Maintenance Actions
    Overview
    Process: Back up Active Directory
        Task: Back up Active Directory and associated components
    Process: Non-authoritative restore of Active Directory
        Task: Perform a non-authoritative restore of a domain controller
        Task: Restore a domain controller through reinstallation and subsequent restore from backup
    Process: Authoritative restore for Active Directory objects
        Task: Perform an authoritative restore of one or more directory objects
        Task: Perform an authoritative restore of an application partition
        Task: Perform an authoritative restore of Group Policy
    Process: Recovering a domain controller through reinstallation
        Task: Recovering a domain controller through reinstallation
    Process: Installing a domain controller for an existing domain
        Task: Preparing for Active Directory installation
        Task: Install Active Directory
        Task: Install Active Directory from media
        Task: Unattended install of Active Directory
        Task: Verify Active Directory installation
    Process: Removing Active Directory
        Task: Decommission the domain controller
        Task: Forced removal of a domain controller
    Process: Rename a domain controller
        Task: Rename using the System Properties user interface
        Task: Rename using the Netdom command-line tool
    Process: Manage the Active Directory database
        Task: Relocate Active Directory database files
        Task: Returning unused disk space from the Active Directory database to the file system
    Process: Managing the SYSVOL
        Task: Changing the space allocated to the staging area
        Task: Relocate the staging area
        Task: Relocating SYSVOL manually
        Task: Updating the system volume path
        Task: Restoring and rebuilding SYSVOL
    Process: Manage the Windows Time service
        Task: Configuring a time source for the forest
        Task: Configuring a reliable time source on a computer other than the PDC emulator
        Task: Optimizing the polling interval
        Task: Disabling the Windows Time service
    Process: Managing trusts
        Task: Creating external trusts
        Task: Creating shortcut trusts
        Task: Removing manually created trusts
        Task: Preventing unauthorized privilege escalation
        Task: Creating cross-forest trusts
        Task: Managing selective authentication on a cross-forest trust
        Task: Removing the forest trust
    Process: Managing sites
        Task: Adding a new site
        Task: Adding a subnet to the network
        Task: Linking sites for replication
        Task: Changing site link properties
        Task: Moving a domain controller to a different site
        Task: Removing a site
    Process: Manage antivirus software on domain controllers
        Task: Exclude files not at risk of infection
        Task: Install software
    Process: Add a global catalog
        Task: Add the global catalog to a domain controller
        Task: Verify the global catalog readiness
    Process: Removing the global catalog from a domain controller
        Task: Remove a global catalog
    Process: Identify global catalog servers in a site
        Task: Identifying a global catalog server
        Task: Identifying a site that has no global catalog servers
        Task: Identifying sites that have universal group caching enabled
    Process: Move an operations master role
        Task: Designating a domain controller for an operations master role
        Task: Verifying the transfer of an operations master role
    Process: Reduce the workload on the PDC emulator
        Task: Adjusting the DNS weight setting
        Task: Adjusting the DNS priority registry setting
    Process: Transferring a role holder
        Task: Transfer to the standby operations master role
        Task: Transfer an operations master role when no standby is ready
    Process: Seize an operations master role
        Task: Seizing an operations master role
    Process: Choose a standby operations master
        Task: Choosing a standby operations master
Processes by MOF Role Clusters
    Operations Role Cluster
    Support Role Cluster
    Release Role Cluster
    Infrastructure Role Cluster
    Security Role Cluster
    Partner Role Cluster
Appendix

Contributors

Program Manager
Jeff Yuhas, Microsoft Corporation
Chris Macaulay, Microsoft Corporation

Lead Contributors
Nigel Cain, Microsoft Corporation
Arren Conner, Microsoft Corporation
Dmitry Dukat, Microsoft Corporation
Levon Esibov, Microsoft Corporation
Khushru Irani, Microsoft Corporation
Kamal Janardhan, Microsoft Corporation
Gregory Johnson, Microsoft Corporation
William Lees, Microsoft Corporation
Andreas Luther, Microsoft Corporation
Kevin Sims, Microsoft Corporation
Jeromy Statia, Microsoft Corporation

Test Manager
Greg Gicewicz, Microsoft Corporation

QA Manager
Jim Ptaszynski, Microsoft Corporation

Lead Technical Writer
Jerry Dyer, Microsoft Corporation

Lead Technical Editor
Laurie Dunham, Microsoft Corporation

Technical Editor
Patricia Rytkonen, Volt Technical Services

Production Editor

1 Introduction to Product Operations Guide

Document Purpose

This guide describes processes and procedures for improving the management of Microsoft® Active Directory® directory service in an information technology (IT) infrastructure.

Intended Audience

This material should be useful for anyone planning to deploy this product into an existing IT infrastructure, especially one based on the IT Infrastructure Library (ITIL)—a comprehensive set of best practices for IT service management—and Microsoft Operations Framework (MOF). It is aimed primarily at two main groups: IT managers and IT support staff (including analysts and service-desk specialists).

How to Use This Guide

This guide is divided into five chapters. The first chapter provides basic background information. The second chapter provides a high-level checklist of the processes required for maintaining this product. The third chapter takes a more detailed look at the processes described in the maintenance chapter and maps them to the tasks and procedures that make up each process. The fourth chapter organizes processes by the role responsible for each process. The fifth chapter contains an appendix with procedure details, including requirements and steps.

The guide may be read as a single volume, including the detailed maintenance and troubleshooting sections. Reading the document this way will provide the necessary context so that later material can be understood more readily. However, some people will prefer to use the document as a reference, only looking up information as they need it.


Background

This guide is based on Microsoft Solutions for Management (MSM). MSM provides a combination of best practices, practice implementation services, and best-practice automation, all of which help customers achieve operational excellence as demonstrated by high quality of service, industry reliability, availability, security, and low total cost of ownership (TCO).

These MSM best practices are based on MOF, a structured, yet flexible approach centered on ITIL. MOF includes guidelines on how to plan, deploy, and maintain IT operational processes in support of mission-critical service solutions.

Central to MOF—and to understanding the structure of this guide—are the MOF Process and Team Models. The Process Model and its underlying service management functions (SMFs) are the foundation for the process-based approach that this guide recommends for maintaining a product. The Team Model and its role clusters offer guidance for how to ensure the proper people are assigned to operational roles.

Figure 1 shows the MOF Process Model combined with the SMFs that make up each quadrant of the Process Model.

Figure 1


Figure 2 shows the MOF Team Model, along with some of the many functional roles or function teams that might exist in service-management organizations. Those roles and function teams are shown mapped to the MOF role cluster to which they would likely belong.

Figure 2. MOF Team Model role clusters (Security, Release, Infrastructure, Support, Operations, Partner) with example function teams: change management; release/systems engineering; configuration control/asset management; software distribution/licensing; quality assurance; messaging operations; database operations; network administration; monitoring/metrics; availability management; intellectual property protection; network and system security; intrusion detection; virus protection; audit and compliance admin; contingency planning; maintenance vendors; environment support; managed services, outsourcers, trading partners; software/hardware suppliers; enterprise architecture; infrastructure engineering; capacity management; cost/IT budget management; resource and long-range planning; service desk/help desk; production/production support; problem management; service level management.


The MOF Team Model is built on six quality goals, which are described and matched with the applicable team role cluster in Table 1.

Table 1. MOF Team Model Quality Goals and Role Clusters

Quality goal: Effective release and change management. Accurate inventory tracking of all IT services and systems.
Team role cluster: Release

Quality goal: Management of physical environments and infrastructure tools.
Team role cluster: Infrastructure

Quality goal: Quality customer support and a service culture.
Team role cluster: Support

Quality goal: Predictable, repeatable, and automated system management.
Team role cluster: Operations

Quality goal: Mutually beneficial relationships with service and supply partners.
Team role cluster: Partner

Quality goal: Protected corporate assets, controlled authorization, and proactive security planning.
Team role cluster: Security

Further information about MSM and MOF is available at http://www.microsoft.com/solutions/msm/techinfo/default.asp, or search for the topic on TechNet at http://www.microsoft.com/technet/default.asp. You can also contact your local Microsoft or partner representative.


2 High-Level Processes for Maintaining Active Directory

Overview

Every company consists of employees (people), activities that those employees perform (processes), and tools that help them perform those activities (technology). No matter what the business, it most likely consists of people, processes, and technology working together to achieve a common goal. Table 2 illustrates this point.

Table 2. People, Processes, and Technology Working Together

Area                           People          Process                          Technology
Auto repair industry           Mechanic        Repair manual                    Socket set
Software development industry  Programmer      Project plan                     Compiler; debugger
IT operations                  IT technician   Microsoft Operations Framework   Microsoft Active Directory

The focus of this product operations guide is Active Directory® directory service— the directory service for the Microsoft Windows Server™ 2003 family. Active Directory stores information about objects on the network; its logical, hierarchical organization of directory information makes it easy for administrators and users to find this information. Windows Server 2003 brings many improvements to Active Directory, making it more versatile, dependable, and economical to use. In Windows Server 2003, Active Directory provides increased performance and scalability. It also allows you greater flexibility for designing, deploying, and managing an


Technology Required

Table 3 lists the tools or technologies used in the processes, and their subordinate tasks and procedures, described in this guide. All tools should be accessed from a Windows Server 2003 server console, except in those cases where a link is provided.

Table 3. Tools or Technologies Required to Manage Active Directory

Backup utility
    Description: Performs backup and restore operations. It is automatically installed with Windows Server 2003. In Windows Server 2003, the backup utility is Backup.exe. The wizard, or basic mode, is called Backup or Restore Wizard; in advanced mode, it is called Backup Utility.
    Location: Start > All Programs > Accessories > System Tools > Backup. Or, to open the Backup tool from the command line: Start > Run, type ntbackup in the Open box, and then click OK.

DNS Manager
    Description: Used for modifying DNS parameters. These centralized management and monitoring tools can be found either in Administrative Tools after initial installation of the DNS service, or through Adminpak.msi.
    Location: Start > Control Panel > Administrative Tools. Or, to open DNS Manager from the command line, type: %systemroot%\System32\dnsmgmt.msc

Active Directory Domains and Trusts Microsoft Management Console snap-in
    Description: Used for modifying Active Directory domains and trusts. These centralized management and monitoring tools can be found either in Administrative Tools after initial installation of Active Directory, or through Adminpak.msi.
    Location: Start > Control Panel > Administrative Tools. Or, to open the MMC snap-in from the command line, type: %systemroot%\System32\domain.msc

Active Directory Installation Wizard
    Description: Used to promote or demote a domain controller.
    Location: Start > Run > dcpromo

Active Directory Schema snap-in
    Description: Used for modifying the Active Directory schema. This tool does not appear by default in Administrative Tools.
    Location: Open the MMC snap-in from the command line by typing: %systemroot%\System32\schmmgmt.msc

Active Directory Sites and Services MMC snap-in
    Description: Used for modifying Active Directory sites and services. This centralized management and monitoring tool can be found either in Administrative Tools after initial installation of Active Directory, or through Adminpak.msi.
    Location: Start > Control Panel > Administrative Tools. Or, to open the MMC snap-in from the command line, type: %systemroot%\System32\dssite.msc

Active Directory Users and Computers MMC snap-in
    Description: Used for modifying Active Directory users and computers. These centralized management and monitoring tools can be found either in Administrative Tools after initial installation of Active Directory, or through Adminpak.msi.
    Location: Start > Control Panel > Administrative Tools. Or, to open the MMC snap-in from the command line, type: %systemroot%\System32\dsa.msc

ADSI Edit MMC snap-in
    Description: Used for editing Active Directory to add, delete, or move objects within the directory. This centralized management and monitoring tool can be found either in Administrative Tools after initial installation of Active Directory, or through Adminpak.msi.
    Location: Open the MMC snap-in from the command line by typing: %systemroot%\System32\adsiedit.msc

Dcdiag.exe
    Description: This command-line tool analyzes the state of domain controllers in the forest or enterprise and reports any problems to assist in troubleshooting.
    Location: Start > Run > dcdiag.exe

Event Viewer
    Description: Provides logs for transactional reactive reviews of system and service events. It is automatically installed with Windows Server 2003.
    Location: Start > Control Panel > Administrative Tools > Event Viewer. Or, to open Event Viewer from the command line: Start > Run, type eventvwr.msc in the Open box, and then click OK.

Ldp.exe
    Description: Used to connect, bind, search, modify, add, and delete against any LDAP-compatible directory such as Active Directory. Used to view objects stored in Active Directory along with their metadata.
    Location: Start > Run, type ldp.exe in the Open box, and then click OK.

Net.exe
    Description: A set of commands for a variety of tasks, such as managing user accounts and computer accounts, sending messages, and managing shared resources.
    Location: Start > Run > cmd; at the command prompt, type net to see options.

Netdiag.exe
    Description: Helps isolate networking and connectivity problems by performing a series of tests to determine the state of the network client.
    Location: Start > Run > cmd; at the command prompt, type netdiag /? to see options.

Netdom.exe
    Description: Enables administrators to manage Windows 2000 and Windows Server 2003 domains and trust relationships from the command line.
    Location: Start > Run > cmd; at the command prompt, type netdom /? to see options.

Nltest.exe
    Description: Helps you get a list of domain controllers, force a remote shutdown, and query the status of trust relationships.
    Location: Start > Run > cmd; at the command prompt, type nltest /? to see options.

Ntdsutil.exe
    Description: Used to perform database maintenance of Active Directory, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled.
    Location: Start > Run > cmd; at the command prompt, type ntdsutil /? to see options.

Registry Editor
    Description: Enables you to view and change settings within the registry.
    Location: Start > Run > regedit

Repadmin.exe
    Description: Command-line tool that helps administrators diagnose replication problems between domain controllers.
    Location: Start > Run > cmd; at the command prompt, type repadmin /? to see options.

Secedit.exe
    Description: Configures and analyzes system security by comparing the current configuration with at least one security template.
    Location: Start > Run > cmd; at the command prompt, type secedit /? to see options.

Services snap-in
    Description: MMC snap-in that allows you to start, stop, or restart Windows services.
    Location: Start > Run > MMC > Services.msc

Ultrasound
    Description: A tool that allows administrators to monitor the health of the File Replication service (FRS).
    Location: See www.microsoft.com for more information on the Ultrasound utility.

W32tm.exe
    Description: A tool used to diagnose problems having to do with Windows time.
    Location: Start > Run > cmd; at the command prompt, type w32tm /? to see options.

Maintenance Processes Checklist

The following tables provide a quick reference for those product maintenance processes that need to be performed on a regular basis. These tables represent a summary of the processes, and their subordinate tasks and procedures, described in more detail in subsequent chapters of this guide. They are limited to those processes required for maintaining the product.

Only the pertinent MOF quadrants and SMFs are addressed in this chapter. For example, there are no processes that fall within the Supporting Quadrant. There is a placeholder for the Supporting Quadrant, but no tables.

Also, because all of the Active Directory maintenance processes addressed here fall into the as-needed category, the daily, weekly, and monthly portions of the tables are blank. Only the portion of each table that has associated processes is filled in.

Each listed process is linked to a detailed explanation of the process in the following chapter.

Operating Quadrant

The processes for this section are based on the service management functions that make up the MOF Operating Quadrant. Further information on the MOF Process Model and the MOF SMFs is available at http://www.microsoft.com/solutions/msm


System Administration SMF

Each entry gives the process name followed by its MOF role cluster in parentheses.

Daily Processes
● Back up Active Directory (Operations)

Weekly Processes
There are no weekly processes for this SMF.

Monthly Processes
There are no monthly processes for this SMF.

As-Needed Processes
● Restore Active Directory (Operations)
● Rename a domain controller (Operations)
● Transferring a role holder (Infrastructure)
● Seize an operations master role (Infrastructure)
● Choose a standby operations master (Infrastructure)
● Managing the SYSVOL (Infrastructure)
● Managing sites (Infrastructure)
● Authoritative restore for Active Directory objects (Operations)
● Recovering a domain controller through reinstallation (Operations)
● Move an operations master role (Infrastructure)


Security Administration SMF

Daily Processes
There are no daily processes for this SMF.

Weekly Processes
There are no weekly processes for this SMF.

Monthly Processes
There are no monthly processes for this SMF.

As-Needed Processes
● Manage antivirus software on domain controllers (Security)

Supporting Quadrant

There are no Active Directory processes that fall within the MOF Supporting Quadrant and its SMFs.


Optimizing Quadrant

The tasks for this section are based on the SMFs that make up the MOF Optimizing Quadrant.

Availability Management SMF

Daily Processes
There are no daily processes for this SMF.

Weekly Processes
There are no weekly processes for this SMF.

Monthly Processes
There are no monthly processes for this SMF.

As-Needed Processes
● Manage the Active Directory database (Infrastructure)
● Add a global catalog (Infrastructure)
● Manage the Windows Time service (Infrastructure)


Capacity Management SMF

Daily Processes
There are no daily processes for this SMF.

Weekly Processes
There are no weekly processes for this SMF.

Monthly Processes
There are no monthly processes for this SMF.

As-Needed Processes
● Removing the global catalog from a domain controller (Infrastructure)
● Identify global catalog servers in a site (Infrastructure)
● Reduce the workload on the PDC emulator


Changing Quadrant

The processes for this section are based on the SMFs that make up the MOF Changing Quadrant.

Release Management SMF

Daily Processes
There are no daily processes for this SMF.

Weekly Processes
There are no weekly processes for this SMF.

Monthly Processes
There are no monthly processes for this SMF.

As-Needed Processes
● Installing a domain controller for an existing domain


Change Management SMF

Daily Processes
There are no daily processes for this SMF.

Weekly Processes
There are no weekly processes for this SMF.

Monthly Processes
There are no monthly processes for this SMF.

As-Needed Processes
● Removing Active Directory (related SMF: Release Management)

3 Detailed Maintenance Actions

Overview

This chapter provides detailed information about the processes that must be performed in order to maintain Active Directory. These processes are arranged according to the MOF quadrant to which they belong and, within each quadrant, by the MOF service management functions (SMFs) that make up that quadrant.

Those quadrants are:

● Operating Quadrant
● Supporting Quadrant
● Optimizing Quadrant
● Changing Quadrant

Further information about the MOF Process Model and the MOF SMF guides is available at http://www.microsoft.com/solutions/msm. Further information about the MOF Team Model and role clusters is available at


Operating Quadrant System Administration SMF

Operations Role Cluster Daily

Process: Back up Active Directory

Description

Active Directory is backed up as part of Microsoft Windows® system state, a collection of system components that depend on each other. All system state components must be backed up and restored together.

The system state components on a domain controller include:

● System start-up (boot) files. These are the files required for Windows Server 2003 to start.

● System registry.

● Class registration database of component services. The Component Object Model (COM) is a binary standard for writing component software in a distributed systems environment.

● System volume (SYSVOL). SYSVOL provides a default Active Directory location for files that must be shared for common access throughout a domain. The SYSVOL folder on a domain controller contains:
    ● Net Logon shared folders. These usually host user logon scripts and Group Policy objects (GPOs) for network clients that are not running Windows 2003-based computers.
    ● User logon scripts for Active Directory-enabled clients.
    ● Windows 2003 GPOs.
    ● File system junctions.
    ● File Replication service (FRS) staging directories and files that are required to be available and synchronized between domain controllers.

● Active Directory, including:
    ● The Active Directory database (Ntds.dit)
    ● The checkpoint file (Edb.chk)
    ● The transaction logs, each 10 megabytes (MB) in size (Edb*.log)
    ● Reserved transaction logs (Res1.log and Res2.log)

If you use Active Directory-integrated Domain Name System (DNS), be sure that you back up a domain controller that is hosting DNS. If you do not use Active Directory-integrated DNS, you must explicitly back up the zone files. However, if you back up the system disk along with the system state, zone data is backed up as part of the system disk.

If you installed Windows Clustering or Certificate Services on your domain controller, they are also backed up as part of system state. Details of these components are not discussed in this guide.


Purpose

There are several reasons why a current, verified, and reliable backup is needed:

● To restore Active Directory data that becomes lost or corrupted. Using an authoritative restore process, you can restore individual objects or sets of objects from their deleted state.
● To recover a domain controller that cannot boot normally because of software or hardware failure.
● To perform a forest recovery in the event that forest-wide corruption occurs.
● To perform an install from media operation. This new feature in Windows Server 2003 allows you to promote a new domain controller and populate it with current information from a local source, rather than having to wait for a full sync replication over potentially much slower media—for example, a 56K connection.

Guidelines

Although the Backup tool in Windows Server 2003 supports multiple types of backup—normal, copy, incremental, differential, and daily—the only type of backup available and supported for Active Directory is normal, because Active Directory is backed up as part of system state. A normal backup creates a backup of the entire system state while the domain controller is online.

If you do not use Active Directory-integrated DNS zones, you should include the file paths that contain all of your DNS zone files in the backup, in addition to the system state and/or system disk, to ensure a successful recovery.

Which domain controllers to back up

For every Active Directory domain, you can define a backup set composed of the physical domain controllers that would be required to successfully restore the domain. The collection of domain backup sets ensures that a forest restore operation can be performed.

At a minimum, the backup set consists of two or more domain controllers for each domain and at least one domain controller that is a member of an application partition replica set.

The backup set must contain a system state, a system disk backup for each computer in the set, and a global catalog.

If you are using Active Directory-integrated DNS, it would be useful to back up at least one DNS server.

Note: A backup can only be used to restore the domain controller that the backup was generated from. It cannot be used to restore a different domain controller, or this domain controller onto different hardware.


When to back up Active Directory

At a minimum, each domain controller in the backup set must be backed up at least twice within the tombstone lifetime. By default, the tombstone lifetime is 60 days, so each domain controller in the backup set must be backed up at least every 30 days.

While monthly backup operations are adequate for successful disaster recovery, they do not facilitate the recovery of new information since the last backup. You will need to consider these changes when you are planning backup frequency. The frequency of backups is dictated both by business requirements and technical requirements and should be adjusted according to your deployment's needs.

By default, machine accounts change their passwords every 30 days. Therefore, domain controllers will also change their machine account passwords every 30 days. If you were to restore a domain controller with an old password, it could result in that domain controller being unable to replicate with its partners. Therefore, to minimize the effect of restoring a domain controller with an old password, you should perform a backup more than once every 30 days.

In addition to regular backup requirements, an immediate backup should be taken when:

● The storage location of the database [Ntds.dit] or log files is changed.

● A domain controller is upgraded from Windows 2000 Server to Windows Server 2003, or any further operating system upgrades.

● A current backup is required for an install for media operation for a new domain controller.

● The tombstone lifetime is changed.

Note A backup from a Windows 2000 Server cannot be used to restore a domain controller running Windows Server 2003.

Active Directory protects itself from restoring data older than the tombstone lifetime by disallowing the restore. As a result, the useful life of a backup is equivalent to the tombstone lifetime setting for the enterprise.
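The cadence rules above (two backups within the tombstone lifetime, and more often than the 30-day machine account password change) can be derived from the forest itself rather than assumed. The following PowerShell is an added example, not a procedure from the Product Operations Guide; it assumes ADSI access to the forest and that the caller supplies the last backup date (for example as shown by repadmin /showbackup). The function and parameter names are the example's own.

```powershell
# Added example (not from the Product Operations Guide): derive the backup
# interval the guide requires from the forest's tombstone lifetime, and check a
# domain controller's last backup against it.

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime is stored on the Directory Service object in the
    # configuration partition. When the attribute is not set, the default of
    # 60 days that the guide cites applies.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = [string]$rootDse.Properties["configurationNamingContext"].Value
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value    = $dsObject.Properties["tombstoneLifetime"].Value
    if ($null -eq $value) { return 60 }
    return [int]$value
}

function Get-MaxBackupIntervalDays {
    param([int]$TombstoneLifetimeDays)
    # Two backups per tombstone lifetime gives lifetime/2; the 30-day machine
    # account password change caps the interval at 30 days.
    $halfLifetime = [math]::Floor($TombstoneLifetimeDays / 2)
    return [math]::Min($halfLifetime, 30)
}

function Test-BackupAge {
    param(
        [datetime]$LastBackup,                                       # from repadmin /showbackup
        [int]$TombstoneLifetimeDays = (Get-TombstoneLifetimeDays),
        [datetime]$Now = (Get-Date)
    )
    $ageDays     = ($Now - $LastBackup).TotalDays
    $maxInterval = Get-MaxBackupIntervalDays -TombstoneLifetimeDays $TombstoneLifetimeDays
    return @{
        AgeDays         = [math]::Round($ageDays, 1)
        MaxIntervalDays = $maxInterval
        Overdue         = ($ageDays -gt $maxInterval)
        # A backup older than the tombstone lifetime is refused on restore, so
        # it is unusable regardless of how overdue the next backup is.
        Unusable        = ($ageDays -gt $TombstoneLifetimeDays)
    }
}

# Usage (constructed date): Test-BackupAge -LastBackup (Get-Date "2003-03-01")
```

The two flags answer different questions: Overdue means the cadence the guide asks for has been missed; Unusable means the backup can no longer be restored at all and the backup set must be refreshed before the domain controller can be recovered from it.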


Task: Back up Active Directory and associated components

Procedure: Back up system state

Link to procedure

Procedure: Back up system state and the system disk

Link to procedure

Dependencies

None

Technology Required

● Backup


Operating Quadrant System Administration SMF

Operations Role Cluster As Needed

Process: Non-authoritative restore of Active Directory

Description

A non-authoritative restore returns the domain controller to its state at the time of backup and then allows normal replication to overwrite that state with any changes that have occurred after the backup was taken. After you restore the system state, the domain controller queries its replication partners. The replication partners replicate any changes to the restored domain controller, ensuring that the domain controller has an accurate and updated copy of the Active Directory database.

Purpose

A non-authoritative restore allows the entire directory to be restored on a domain controller, without reintroducing or changing objects that have been modified since the backup. The most common use of a non-authoritative restore is to bring an entire domain controller back, often after catastrophic or debilitating hardware failures. It is uncommon for data corruption to drive a non-authoritative restore, unless the corruption is local and the database cannot be successfully loaded.

Guidelines

If you intend to restore a deleted object (or objects), you should refer to the procedures outlined for an authoritative restore. A non-authoritative restore should be used any time the entire directory is being restored on a single domain controller in order to deal with a local database corruption or hardware failure. A non-authoritative restore can be performed on a Windows Server 2003 system that is a stand-alone server, member server, or domain controller. A server must be in Directory Services Restore Mode to perform a non-authoritative restore.

Task: Perform a non-authoritative restore of a domain controller

A non-authoritative restore is the default method for restoring Active Directory. To perform a non-authoritative restore, you must be able to start the domain controller in Directory Services Restore Mode. After you restore the domain controller from backup media, replication partners use the standard replication protocols to update both the Active Directory and associated information on the restored domain controller.


Procedure 1: Restart the domain controller in Directory Services Restore Mode

Note In cases where you have to reinstall the operating system, you do not have to start in Directory Services Restore Mode before you restore the directory. After you have reinstalled the operating system, you can perform the restore after the computer boots normally.

Link to procedure.

Procedure 2: Restore from backup media

Link to procedure.

Procedure 3: Verify Active Directory restore

Link to procedure.

Task: Restore a domain controller through reinstallation and subsequent restore from backup

If you cannot restart a domain controller in Directory Services Restore Mode, you can restore it through reinstallation of the operating system, and subsequently restore Active Directory from backup.

In order for the restore operation to succeed, Windows Server 2003 must be reinstalled to the same drive letter as previously and with at least the same amount of physical drive space. After you reinstall Windows Server 2003, perform a non-authoritative restore of the system state and the system disk.

Procedure 1: Install Windows Server 2003

This guide does not address installing Windows Server 2003.

Procedure 2: Restore from backup media

Link to procedure.

Procedure 3: Verify Active Directory restore

Link to procedure.

Dependencies

The domain controller being restored needs to have a previous backup taken with Backup utility.

Technology Required


Operating Quadrant System Administration SMF

Operations Role Cluster As Needed

Process: Authoritative restore for Active Directory objects

Description

An authoritative restore process returns an object to its state at the time of the most recent backup. Changes made since the latest backup will be erased. This differs from a non-authoritative restore, which relies on the presence of a replication partner to bring in the current data, including information about objects that were deleted since the backup.

An authoritative restore should not be relied on as part of a change control infrastructure. Proper delegation of administration and change enforcement will optimize data consistency, integrity, and security.

Purpose

An authoritative restore is most commonly used to restore corrupt or deleted objects from the directory—for example, a deleted user account. An authoritative restore should not be used to restore an entire domain controller.

Guidelines

An authoritative restore of a subtree or leaf object restores that subtree or leaf and marks it as authoritative for the directory. This means that the restored object will be replicated out to other domain controllers and will be the data that is maintained moving forward. In cases where the object was deleted, it will be revived; in other cases, the object will be returned to a previous state.

It is important to ensure successful recovery of the information being restored. Group membership is particularly sensitive and can be greatly affected by the procedures that are followed during an authoritative restore.

You begin by restoring from backup media, just as in a non-authoritative restore, and then perform the following additional steps to complete an authoritative restore.


Task: Perform an authoritative restore of one or more directory objects

Note If the objects that were deleted do not include group objects, then you don’t need to perform steps 3-10. Additionally, if the groups that were deleted do not have members among the list of deleted objects, then you do not need to perform steps 3-10.

Procedure 1: Restore from backup media

Link to procedure.

Procedure 2: Mark the object(s) authoritative

Once the data has been restored from backup, you must select which objects are to be marked authoritative in order to have them replicated to other domain controllers. In order to complete this operation, you must know the full distinguished name (also known as DN) of the object you wish to restore.

Link to procedure.

Procedure 3: Reboot the computer in isolation

To combat some of the challenges of a distributed system and to ensure successful restoration of data, it is necessary to follow some additional precautions during the authoritative restore process.

Rebooting the machine in isolation helps you prepare for the next step, which is to turn off inbound replication, since you cannot turn off inbound replication in Directory Services Restore Mode.

If you do need to reboot, the most common way to boot a computer in isolation is to remove the network connection from the domain controller by physically removing the network cable. Alternate methods may be possible depending on your network hardware and enterprise practices.

It is important to prevent the domain controller from communicating with any other domain controller in the domain or forest. You should also isolate the domain controller from any clients that could invoke change on any object in the directory.

Procedure 4: Turn off inbound replication using repadmin

By turning off inbound replication, you ensure that no changes replicate into the domain controller and alter group membership.


Procedure 5: Reconnect the computer to the network

Once inbound replication has been turned off, it is safe to reconnect the domain controller to the network.

If you isolated your computer by removing the network cable or by disconnecting the network connection from the domain controller, reconnect it to bring the domain controller back onto the network.

If you followed other procedures based on your enterprise network equipment, follow the equipment's recommendations for reconnecting the domain controller to the network.

Procedure 6: Allow this computer to replicate with all its partners

In order for the newly restored object to become available and be instantiated in its restored form on all domain controllers, successful replication between the domain controller originating the restored changes and its partners must occur.

Link to procedure.

Procedure 7: Restart domain controller in Directory Services Restore Mode

Link to procedure.

Procedure 8: Mark the object(s) authoritative

One of the challenges of restoring objects, and their group memberships, is the fact that the membership and object may replicate in different orders. If the membership replicates before a user is restored, the receiving domain controller will not update the membership as the user does not exist. In order to overcome the effects of this behavior, it is necessary to mark the objects that have been restored authoritative a second time, and once again have the information replicated out.

Link to procedure.

Procedure 9: Reboot computer

Once the authoritative restore of the object or objects has been completed a second time, the domain controller can be rebooted into normal mode.

Note There are no further details for this procedure.

Procedure 10: Turn on inbound replication
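The command-line steps behind Procedures 2, 4, 6, 8 and 10, wrapped so that each replication change is read back and confirmed, as an added example (not a procedure from the guide). It assumes Windows Server 2003 with ntdsutil.exe and repadmin.exe (Support Tools) on the path; the function names, and the values DC1 and OU=Sales,DC=example,DC=com, are placeholders.

```powershell
# Added example (not from the Product Operations Guide): scripted form of the
# ntdsutil and repadmin steps in the authoritative restore task.

function Set-InboundReplication {
    # Procedure 4 (disable) and Procedure 10 (enable). The domain controller
    # must be booted normally; the option cannot be changed in Directory
    # Services Restore Mode, which is why the guide has you reboot in isolation.
    param([string]$DcName, [bool]$Enabled)
    $flag = "+DISABLE_INBOUND_REPL"
    if ($Enabled) { $flag = "-DISABLE_INBOUND_REPL" }
    & repadmin /options $DcName $flag | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "repadmin /options failed (exit code $LASTEXITCODE)" }
    # Read the options back: repadmin lists the flags currently in effect, so a
    # request that silently did nothing is caught here.
    $current  = & repadmin /options $DcName | Out-String
    $disabled = ($current -match "DISABLE_INBOUND_REPL")
    if ($disabled -eq $Enabled) { throw "Inbound replication on $DcName is not in the requested state" }
    return (-not $disabled)   # $true when inbound replication is enabled
}

function Restore-SubtreeAuthoritative {
    # Procedures 2 and 8: run only in Directory Services Restore Mode, after the
    # non-authoritative restore from media. ntdsutil accepts its menu commands
    # as arguments, so the interactive session can be scripted. A DN that
    # contains spaces must be wrapped in an extra pair of quotes inside the
    # command string; the placeholder DN used here has none.
    param([string]$SubtreeDn)
    $output = & ntdsutil "authoritative restore" "restore subtree $SubtreeDn" quit quit | Out-String
    return $output   # inspect the object count ntdsutil reports as restored
}

function Push-RestoredChanges {
    # Procedure 6: have the restored domain controller replicate out to all its
    # partners before the second authoritative restore. /A = all partitions,
    # /P = push, /e = cross-site, /d = show servers by DN in the output.
    param([string]$DcName)
    & repadmin /syncall $DcName /APed | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "repadmin /syncall failed (exit code $LASTEXITCODE)" }
}

# Order of operations, with the reboots between steps performed by the operator:
#  DSRM:                              Restore-SubtreeAuthoritative -SubtreeDn "OU=Sales,DC=example,DC=com"
#  normal boot, network disconnected: Set-InboundReplication -DcName "DC1" -Enabled $false
#  network reconnected:               Push-RestoredChanges -DcName "DC1"
#  DSRM:                              Restore-SubtreeAuthoritative -SubtreeDn "OU=Sales,DC=example,DC=com"
#  normal boot:                       Set-InboundReplication -DcName "DC1" -Enabled $true
```

The read-back in Set-InboundReplication is the point of wrapping the command: if inbound replication is still enabled when the cable goes back in, partners can overwrite the group memberships the second restore is meant to fix, which is exactly the failure the guide's isolation steps exist to prevent.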


Task: Perform an authoritative restore of an application partition

Restoration of an application partition will mark all data that is present in the application partition as authoritative for the replica set. Information that is contained within an application partition will replicate to all domain controllers in the forest that were previously present in the replica set. You should have a current valid backup of the application partition prior to restoring, in the event that particular object changes are lost because of changes since backup.

If you wish to restore an object or objects from an application partition, refer to the Task: “Perform an authoritative restore of one or more directory objects.”

Procedure 1: Restore from backup media

Link to procedure.

Procedure 2: Mark the application partition as authoritative

Link to procedure.

Procedure 3: Reboot computer

Once the authoritative restore of the object or objects has been completed a second time, the domain controller can be rebooted into normal mode.

Task: Perform an authoritative restore of Group Policy

Restoring a GPO restores the GPO to a previous state. A restore operation can be used in both of the following cases: the GPO was backed up but has since been deleted, or the GPO is live and you want to roll back to a known previous state. A restore operation retains the original GPO GUID even if the restore is recreating a deleted GPO. This is a key difference between the restore operation and the import or copy operations discussed in later sections of this guide.

A restore operation replaces the following components of a GPO:

● GPO settings

● ACLs on the GPO

● WMI filter links (but not the filters themselves)

The restore operation does not restore links to a SOM (Scope of Management). Any existing links will continue to be used—for example, when restoring an existing GPO to a previous state. However, if the user has deleted a GPO and all links to the GPO, the user must recreate these links after restoring the GPO. To facilitate recreating these links, you can view the report in the backup to identify all links in the domain of the GPO.

For more information, see Administering Group Policy with the GPMC at http://www.microsoft.com/windowsserver2003/gpmc/gpmcwp.mspx.

Procedure 1: Restore Group Policy


Operating Quadrant System Administration SMF

Operations Role Cluster As Needed

Process: Recovering a domain controller through reinstallation

Description

Recovering through reinstallation is the same process as creating a new domain controller. It does not involve restoring from backup media. This method relies on Active Directory replication to restore a domain controller to a working state and is valid only if another healthy domain controller exists in the same domain. This option is normally used on computers that function only as a domain controller.

Purpose

Recovering through reinstallation is the only method by which a domain controller that is not part of the backup set can be restored. Additionally, this procedure may be chosen over a non-authoritative restore because of the inaccessibility of the backup media or due to convenience.

Guidelines

This process assumes a complete reinstallation of the operating system. It is recommended that prior to installing the operating system, the entire system disk be formatted, which will remove all information on the system disk. Ensure that any important or relevant data is moved or backed up before performing these actions.

Recovering through reinstallation should not be a substitute for regular backup routines, which are needed to ensure a successful recovery should the need arise, because it depends on the presence of another domain controller in the same domain.

Bandwidth is the primary consideration for recovering a domain controller through reinstallation. The bandwidth required is directly proportional to the size of the Active Directory database and the time in which the domain controller is required to be in a functioning state. Ideally, the existing functional domain controller should be located in the same Active Directory site as the replicating domain controller (new domain controller) in order to reduce network impact and the time the reinstallation takes to complete.

Task: Recovering a domain controller through reinstallation

Procedure 1: Clean up metadata

Link to procedure.

Procedure 2: Install Windows Server 2003

It is assumed that a fresh installation of Windows Server 2003 will be performed. This may be precluded by partition or format actions on your hard disk drive in preparation for the install.


Procedure 3: Verify DNS registration and functionality

Link to procedure.

Procedure 4: Verify communication with other domain controllers

Link to procedure.

Procedure 5: Verify the availability of the operations masters

Link to procedure.

Procedure 6: Install Active Directory

During the installation process, replication occurs, ensuring that the domain controller has an accurate and up-to-date copy of Active Directory. Optionally, use the same information for this domain controller as the domain controller it is replacing. Site placement, domain controller name, and domain membership should remain the same. If you plan on installing the domain controller under a different name, you may wish to also refer to the process: “Installing a domain controller for an existing domain.”

Link to procedure.

Procedure 7: Verify Active Directory installation

Read and perform the procedures in “Task: Verify Active Directory Installation.”

Link to task.

Dependencies

Domain Administrator credentials

Technology Required


Changing Quadrant Release Management SMF

Release Role Cluster As Needed

Process: Installing a domain controller for an existing domain

Description

This process covers the installation of Active Directory onto a Windows Server 2003 system that will become a domain controller in an existing Active Directory domain. For more information regarding the best practices for planning, testing, and deploying Active Directory, refer to the Windows Server 2003 Deployment Kit: Designing and Deploying Directory and Security Services at http://www.microsoft.com/downloads/details.aspx?familyid=6cde6ee7-5df1-4394-92ed-2147c3a9ebbe&displaylang=en.

To ensure successful installation of a new domain controller, you should verify that all critical services that Active Directory depends on are configured following Microsoft best practices.

Active Directory is installed on a Windows Server 2003 server by running the Active Directory Installation Wizard. The wizard simplifies the promotion process by automating as much of the installation as possible. To run the Active Directory Installation Wizard, you must be a member of the Domain Administrators group.

Purpose

There are several motivations for adding a new domain controller. Additional applications (Active Directory-integrated as opposed to those running on domain controllers) may be required to meet increased capacity requirements, provide upgrades and fault tolerance, and reduce failures. For more information on criteria for deploying a new domain controller and best practices for Active Directory, refer to the Windows Server 2003 Deployment Kit: Designing and Deploying Directory and Security Services.

Guidelines

Before you begin your installation, the following conditions must exist in your environment:

● Your Active Directory forest root domain must already exist with at least two properly functioning domain controllers.

● If you are installing a new domain controller for a child domain, there should be at least two properly functioning domain controllers in the forest root domain.

● DNS must be functioning properly.

● This guide assumes you are using Active Directory–integrated DNS zones. You must configure at least one domain controller as a DNS server.


Task: Preparing for Active Directory installation

Properly preparing for the installation of Active Directory decreases the chances of problems occurring during the installation process and helps you quickly complete the operation. Preparation includes installing and configuring DNS and gathering information that you need for the installation.

Configure DNS

The DNS client is always present on a server on Windows Server 2003. You should properly configure both the DNS client and the DNS server to ensure that name resolution and related dependencies will function as expected during the installation of Active Directory.

Ensure that any required configuration, forwarders, or zones are present and accessible prior to installation. For more information about DNS configuration best practices, see the Windows Server 2003 Deployment Kit: Designing and Deploying Directory and Security Services at http://www.microsoft.com/downloads/details.aspx?familyid=6cde6ee7-5df1-4394-92ed-2147c3a9ebbe&displaylang=en.

Site Placement

During installation, the Active Directory Installation Wizard attempts to place the new domain controller in the appropriate site. The appropriate site is determined by the domain controller’s IP address and subnet mask. The wizard uses the IP information to calculate the subnet address of the domain controller and checks to see if a Subnet object exists in the directory for that subnet address. If the Subnet object exists, the wizard uses it to place the new Server object in the appropriate site. If not, the wizard places the new Server object in the same site as the domain controller that is being used as a source to replicate the directory database to the new domain controller. Make sure the Subnet object has been created for the desired site prior to running the wizard.

A site is allocated according to the following rules:

1. If you specify a site in the Unattended text file that is used to create the new domain controller, the domain controller will be placed directly into that site when it is built.

2. If no site is specified in the Unattended text file when the new domain controller is built, then by default the domain controller will be placed in a site based on its IP address.

3. If you specify a replica partner in the Unattended text file but do not specify a site, the new domain controller should be placed in the replica partner's site.

4. If the replica partner or site is not specified, then the allocation of the site is random. It will depend on the replica partner selected for initial replication.


Domain Connectivity

During the installation process, the Active Directory Installation Wizard needs to communicate with other domain controllers in order to join the new domain controller to the domain. The wizard needs to communicate with a member of the domain to receive the initial copy of the directory database for the new domain controller. It communicates with the domain naming master for domain installs only, so that the new domain controller can be added to the domain. The wizard also needs to contact the relative ID (RID) master so that the new domain controller can receive its RID pool, and it needs to communicate with another domain controller in order to populate the SYSVOL shared folder on the new domain controller. All of this communication depends on proper DNS installation and configuration. By using Netdiag.exe and Dcdiag.exe, you can test all of these connections prior to starting the Active Directory Installation Wizard.

Required Information

The installation wizard asks for the following specific configuration information before it begins installing Active Directory:

● A domain administrator’s user name and password

● Location to store the directory database and log files

● The password to use for Directory Services Restore Mode

● The fully qualified DNS name of the domain to which the new domain controller will be added

Have this information ready before you run the Active Directory Installation Wizard.

Procedure 1: Install the DNS Server service

Link to procedure.

Procedure 2: Gather the SYSVOL path installation information

Link to procedure.

Procedure 3: Verify DNS registration and functionality

Link to procedure.

Procedure 4: Verify that an IP address maps to a subnet and determine the site association

Link to procedure.

Procedure 5: Verify communication with other domain controllers

Link to procedure.

Procedure 6: Verify the availability of the operations masters


Caution If any of the verification tests fail, do not continue until you determine what went wrong and fix the problems. If these tests fail, the installation is also likely to fail.

Task: Install Active Directory

There are a number of elements to consider when installing Active Directory on a new domain controller. This task addresses the general requirements concerning the site placement, connectivity, and Active Directory Installation Wizard.

The Active Directory Installation Wizard

After you have gathered all the information that you need to run the Active Directory Installation Wizard and have performed the tests to verify that all of the necessary domain controllers are available, you are ready to install Active Directory on your server and turn it into a domain controller.

During the installation process, the wizard asks for information that it needs in order to properly configure the new domain controller. First, it asks if you want to install a domain controller in a new domain or an additional domain controller in an existing domain. Because this guide pertains to adding domain controllers to domains that already exist, choose Additional domain controller in an existing domain.

During the installation process, the wizard needs to communicate with other domain controllers in order to add this new domain controller to the domain and get the appropriate information into the Active Directory database. To maintain security, you must provide credentials that have administrative access to the directory.

Procedure 1: Install Active Directory

Link to procedure.

Task: Install Active Directory from media

Installing Active Directory from media allows you to reduce the replication traffic that is initiated during the installation of an additional domain controller in an Active Directory domain, and thus reduces the time it takes to install a replica domain controller.

This task has three procedures:

● Back up the system state of an existing domain controller in the same domain as the new domain controller.

● Restore the system state to an alternate location locally on the new domain controller.

● Promote the server to a domain controller using dcpromo /adv option.

Procedure 1: Back up system state


Procedure 2: Restore system state to an alternate location

Link to procedure.

Procedure 3: Promote server to domain controller

Link to procedure.

Task: Unattended install of Active Directory

Running an unattended install simplifies the process of setting up Active Directory on multiple computers. The unattended install feature uses an “answer file” to provide answers to the questions asked during a normal setup. This allows the installation process to proceed from start to completion without user intervention. This method works best when Active Directory is being installed with identical options on many computers.

Procedure 1: Install and run Setup Manager to create an answer file (Unattend.txt)

Link to procedure.

Procedure 2: Run Active Directory automated install

● In the Run dialog box, type dcpromo /answer:<answerfile> (where answerfile is the file created with Setup Manager), and click OK.
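An answer file written by hand rather than by Setup Manager makes the site allocation rules from "Site Placement" concrete: SiteName and ReplicationSourceDC are the [DCInstall] keys behind rules 1 and 3, and leaving both out falls through to the IP address rule. The PowerShell below is an added example, not a procedure from the guide; it assumes Windows Server 2003 dcpromo, and the function names, paths and every parameter value shown in the usage line are constructed placeholders.

```powershell
# Added example (not from the Product Operations Guide): generate a dcpromo
# answer file for an additional domain controller in an existing domain, then
# run the unattended install exactly as Procedure 2 describes.

function New-DcPromoAnswerFile {
    param(
        [string]$Path,
        [string]$DomainDnsName,          # fully qualified DNS name of the existing domain
        [string]$SiteName,               # rule 1: an explicit site always wins
        [string]$ReplicationSourceDC,    # rule 3: site of the replica partner if no SiteName
        [string]$AdminUser,
        [string]$AdminDomain,
        [string]$AdminPassword,
        [string]$SafeModePassword,       # Directory Services Restore Mode password
        [string]$DatabasePath = "C:\Windows\NTDS",
        [string]$LogPath      = "C:\Windows\NTDS",
        [string]$SysvolPath   = "C:\Windows\SYSVOL"
    )
    $lines = @(
        "[DCInstall]",
        "ReplicaOrNewDomain=Replica",
        "ReplicaDomainDNSName=$DomainDnsName",
        "UserName=$AdminUser",
        "UserDomain=$AdminDomain",
        "Password=$AdminPassword",
        "SafeModeAdminPassword=$SafeModePassword",
        "DatabasePath=$DatabasePath",
        "LogPath=$LogPath",
        "SYSVOLPath=$SysvolPath",
        # No automatic reboot, so the answer file can be removed first (below).
        "RebootOnSuccess=No"
    )
    # Rules 2 and 4: with neither key present the wizard picks the site from the
    # IP address, or from whichever replica partner it selects.
    if ($SiteName)            { $lines += "SiteName=$SiteName" }
    if ($ReplicationSourceDC) { $lines += "ReplicationSourceDC=$ReplicationSourceDC" }
    Set-Content -Path $Path -Value $lines
    return $lines
}

function Invoke-UnattendedDcPromo {
    param([string]$AnswerFile)
    # Procedure 2: the same command the guide gives for the Run dialog box.
    & dcpromo /answer:$AnswerFile
    # The answer file holds two passwords in clear text; remove it as soon as
    # dcpromo has consumed it, then reboot the server to finish the promotion.
    Remove-Item -Path $AnswerFile -ErrorAction SilentlyContinue
}

# Usage (all values constructed):
# New-DcPromoAnswerFile -Path "C:\Unattend.txt" -DomainDnsName "corp.example.com" `
#     -SiteName "Seattle" -ReplicationSourceDC "dc1.corp.example.com" `
#     -AdminUser "installer" -AdminDomain "CORP" -AdminPassword "<placeholder>" `
#     -SafeModePassword "<placeholder>"
# Invoke-UnattendedDcPromo -AnswerFile "C:\Unattend.txt"
```

Because the guide's Required Information list is exactly what the answer file carries (administrator credentials, database and log location, the DSRM password, the domain's DNS name), generating the file from a checklist of parameters is also a convenient way to confirm that everything has been gathered before the promotion is started.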

Task: Verify Active Directory installation

There are several verification tasks that can be performed on a newly promoted domain controller. Successfully completing the requirements of each verification task will provide a strong indication of a healthy, operational domain controller.

Procedure 1: Determine whether a Server object has Child objects

Link to procedure.

Procedure 2: Verify the site assignment for the domain controller

You must ensure that the new domain controller is located in the proper site so that after the installation is complete, the new domain controller can locate replication partners and become part of the replication topology. If the site is not correct, you can use the Active Directory Sites and Services snap-in to move the Server object for the domain controller to the proper site after Active Directory installation is complete.

Note The last dialog box displayed by the Active Directory Installation Wizard lists the site where the new domain controller is installed. If this is not the proper site, you must move the Server object after the server is rebooted.


Procedure 3: Move a Server object to a different site if the domain controller is located in the wrong site

Link to procedure.

Procedure 4: Configure DNS server forwarders

Link to procedure.

Procedure 5: Verify DNS configuration

Link to procedure.

Procedure 6: Check the status of the shared SYSVOL

Link to procedure.

Procedure 7: Verify DNS registration and functionality

Link to procedure.

Procedure 8: Verify domain membership for the new domain controller

Link to procedure.

Procedure 9: Verify communication with other domain controllers

Link to procedure.

Procedure 10: Verify replication with other domain controllers

Link to procedure.

Procedure 11: Verify the availability of the operations masters

Link to procedure.
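The connectivity tests the preparation task says to run with Netdiag.exe and Dcdiag.exe before promotion are the same ones this verification task repeats afterwards (DNS registration, communication and replication with other domain controllers, the SYSVOL share, and operations master availability). The script below is an added example that serves both tasks; it is not a procedure from the guide. It assumes the Windows Server 2003 Support Tools are on the path and that the server name passed in is a placeholder; the function names are the example's own.

```powershell
# Added example (not from the Product Operations Guide): run the pre- and
# post-installation checks with the tools the guide lists and report pass/fail
# per check. dcdiag and netdiag report results in their output text rather
# than reliably through exit codes, so each check carries a failure pattern.

function Invoke-HealthCheck {
    param([string]$Name, [string]$Exe, [string[]]$Arguments, [string]$FailPattern)
    $output = (& $Exe @Arguments 2>&1) | Out-String
    return @{
        Name   = $Name
        Passed = (-not ($output -match $FailPattern))
        Output = $output
    }
}

function Test-DomainControllerHealth {
    param([string]$DcName)
    $checks = @(
        # Verify DNS registration and functionality (netdiag /test:DNS;
        # netdiag /fix re-registers the records if this fails)
        (Invoke-HealthCheck "DNS registration"   "netdiag" @("/test:DNS") "DNS test[ .]*: Failed"),
        # Verify communication with other domain controllers
        (Invoke-HealthCheck "Connectivity"       "dcdiag" @("/s:$DcName", "/test:Connectivity") "failed test"),
        # Verify replication with other domain controllers
        (Invoke-HealthCheck "Replication"        "dcdiag" @("/s:$DcName", "/test:Replications") "failed test"),
        # Check the status of the shared SYSVOL (and NETLOGON)
        (Invoke-HealthCheck "SYSVOL share"       "dcdiag" @("/s:$DcName", "/test:NetLogons") "failed test"),
        # Verify the availability of the operations masters
        (Invoke-HealthCheck "Operations masters" "dcdiag" @("/s:$DcName", "/test:FsmoCheck") "failed test")
    )
    foreach ($c in $checks) {
        $state = "FAIL"
        if ($c.Passed) { $state = "PASS" }
        Write-Host ("{0,-20} {1}" -f $c.Name, $state)
        if (-not $c.Passed) { Write-Host $c.Output }
    }
    # Record which domain controllers hold the five roles; the decommission
    # task wants this known before any demotion so roles are moved deliberately.
    Write-Host (& netdom query fsmo | Out-String)
    # The guide's caution: do not continue with installation or removal while
    # any verification test fails.
    $failed = @($checks | Where-Object { -not $_.Passed })
    return ($failed.Count -eq 0)
}

# Usage (placeholder server name): Test-DomainControllerHealth -DcName "DC1"
```

Running the same function before promotion, after promotion, and again before decommissioning gives three comparable snapshots; a check that passed before promotion and fails afterwards points at the new domain controller's own DNS registration or site placement rather than at the rest of the domain.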

Dependencies

The following access levels are required:

● Domain user

● Domain admin

Technology Required

● Active Directory Sites and Services (administrative tools)

● DNS Manager

● Event Viewer

● Netdiag.exe

● Dcdiag.exe

● Ntdsutil.exe (system tool)


Changing Quadrant Change Management SMF

Release Role Cluster As Needed

Process: Removing Active Directory

Description

A domain controller can be removed from a domain in one of two ways: by removing Active Directory or by a system failure that renders the domain controller inoperable so that you cannot restore it to service.

Purpose

A domain controller might need to be removed when:

● You no longer need the domain controller.

● The domain controller's connection to the rest of the network may not be sufficient.

● The domain controller has suffered a hardware failure that will not be quickly repaired.

Guidelines

Similarly to how you can install Active Directory to turn a Windows 2003–based server into a domain controller, you can remove Active Directory to turn a Windows 2003–based domain controller back into a server. This process removes most of the references to the domain controller from the directory. You must manually remove the Server object that represents the domain controller from the computer container after you remove Active Directory. This method properly removes the domain controller from the directory.

A hardware failure on a domain controller can render it inoperable. If the problem is severe enough, you might never be able to return the domain controller to service. In this case, the other domain controllers eventually reconfigure themselves so that they can continue to replicate directory information without the failed domain controller. When a domain controller is removed from the domain without removing Active Directory, all the information about that domain controller remains in the directory. You must take additional steps to remove this information from the directory.


Task: Decommission the domain controller

Demoting a domain controller effectively removes all Active Directory and related components and returns the domain controller to a member server role.

Procedure 1: View the current operations master role holders

To avoid problems, transfer any operations master roles prior to running the Active Directory Installation Wizard to decommission a domain controller so that you can control the operations master role placement. If you need to transfer any roles from a domain controller, understand all the recommendations for role placement before performing the transfer.

Caution During the decommissioning process, the Active Directory Installation Wizard will attempt to transfer any remaining operations master roles to other domain controllers without any user interaction. However, if a failure occurs, the wizard will continue to demote and leave your domain without roles. Also, you do not have control over which domain controller receives the roles. The wizard transfers the roles to any available domain controller and does not indicate which domain controller hosts them.

Link to procedure.

Procedure 2: Transfer the forest-level operations master roles

This is required only if this domain controller hosts either the schema master or domain naming master roles.

Link to procedure.

Procedure 3: Transfer the domain-level operations master roles

This is required only if this domain controller hosts the PDC emulator, infrastructure master, or RID master.

Link to procedure.

Procedure 4: Determine whether a domain controller is a global catalog server

If you remove Active Directory from a domain controller that hosts a global catalog, the Active Directory Installation Wizard confirms that you want to continue with removing Active Directory. This confirmation ensures that you are aware that you are removing a global catalog from your environment. Do not remove the last global catalog server from your environment because users cannot log on without an available global catalog server. If you are not sure, do not proceed with removing Active Directory until you know that at least one other global catalog server is available.

Link to procedure.

Procedure 5: Verify DNS registration and functionality


Procedure 6: Verify communication with other domain controllers

During the removal of Active Directory, contact with other domain controllers is required to ensure:

● Any unreplicated changes are replicated to another domain controller.

● Removal of the domain controller from the directory.

● Transfer of any remaining operations master roles.

If the domain controller cannot contact the other domain controllers during Active Directory removal, the decommissioning operation fails. As with the installation process, test the communication infrastructure prior to running the installation wizard. When you remove Active Directory, use the same connectivity tests that you used during the installation of Active Directory.

Link to procedure.

Procedure 7: Verify the availability of the operations masters

Link to procedure.

Note If any of the verification tests fail, do not continue until you determine and fix the problems. If these tests fail, the removal is also likely to fail.
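The following script is an added example and is not part of the original guide. It runs the checks behind Procedures 2 through 7 against one domain controller before you start the wizard: it transfers any operations master roles the server holds to a domain controller you choose (rather than letting the wizard pick one), refuses if the server is the last global catalog in the forest, confirms that DNS still advertises another domain controller, runs dcdiag connectivity and replication tests, and confirms that every operations master answers on LDAP. It assumes the RSAT ActiveDirectory and DnsClient modules and the built-in dcdiag.exe on the administrative workstation; the server, domain and forest names are hypothetical placeholders.

```powershell
# Added example, not from the original guide: pre-demotion checks covering
# Procedures 2 through 7 for one domain controller. Assumes the RSAT
# ActiveDirectory and DnsClient modules plus dcdiag.exe. All names below are
# hypothetical placeholders.
param(
    [string]$Server = 'DC01.corp.contoso.com',   # domain controller to demote
    [string]$Target = 'DC02.corp.contoso.com'    # DC that should receive any roles
)
Import-Module ActiveDirectory
$problems = @()

$dc     = Get-ADDomainController -Identity $Server
$domain = Get-ADDomain -Identity $dc.Domain
$forest = Get-ADForest -Identity $dc.Forest

# Procedures 2 and 3: find the operations master roles this DC holds and move
# them to a DC of our choosing. Left to the wizard, the roles go to an
# arbitrary DC and it does not tell you which one.
$roleHolders = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$held = @($roleHolders.Keys | Where-Object { $roleHolders[$_] -ieq $dc.HostName })
if ($held.Count -gt 0) {
    Write-Host "$Server holds: $($held -join ', '); transferring to $Target"
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $held -Confirm:$false
}

# Procedure 4: never demote the last global catalog in the forest.
$otherGCs = foreach ($d in $forest.Domains) {
    Get-ADDomainController -Server $d -Filter { IsGlobalCatalog -eq $true } |
        Where-Object { $_.HostName -ine $dc.HostName }
}
if ($dc.IsGlobalCatalog -and @($otherGCs).Count -eq 0) {
    $problems += 'this is the last global catalog server in the forest'
}

# Procedure 5: DNS must still advertise another DC for this domain once this
# one is gone, otherwise clients cannot locate a domain controller.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($dc.Domain)" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget -ine $dc.HostName }
if (-not $srv) { $problems += 'no other DC registered in the _ldap._tcp.dc._msdcs SRV records' }

# Procedure 6: the DC must reach its replication partners so that unreplicated
# changes leave it and its own removal replicates out.
$diag = & dcdiag.exe /s:$Server /test:Connectivity /test:Replications 2>&1
if ($diag -match 'failed test') { $problems += 'dcdiag reports connectivity or replication failures' }

# Procedure 7: every operations master must answer on LDAP, or the wizard's
# final role transfer and removal will fail midway.
foreach ($holder in ($roleHolders.Values | Sort-Object -Unique)) {
    if (-not (Test-NetConnection -ComputerName $holder -Port 389 -InformationLevel Quiet)) {
        $problems += "operations master $holder is unreachable on TCP 389"
    }
}

if ($problems.Count -gt 0) {
    Write-Warning "Do not demote $Server until these are fixed:`n - $($problems -join "`n - ")"
    exit 1
}
Write-Host "All pre-demotion checks passed for $Server"
```

Run it as a member of Domain Admins (and Schema Admins if the server holds the schema master, since that transfer requires it). A non-zero exit means at least one of the verification tests above failed; as the note says, fix the cause before running the wizard.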

Procedure 8: Remove Active Directory

Link to procedure.

Procedure 9: Determine whether a Server object has Child objects

Link to procedure.

Procedure 10: Delete a Server object from a site

Note The administrator may not want to remove the Server object if it hosts something in addition to Active Directory—Microsoft Exchange, for example.

Link to procedure.

Task: Forced removal of a domain controller

Forced removal of a domain controller is intended only as a last resort for recovering a domain controller that cannot be demoted normally, without reinstalling the operating system.

It is not a substitute for the normal removal procedure in any way and is, from the directory's point of view, equivalent to permanently disconnecting the domain controller.

There is a considerable amount of metadata about a domain controller stored within Active Directory. During a normal demotion, this metadata is cleaned up. A forced removal assumes there is no connectivity to the domain and does not attempt any cleanup.


Forced removal of a domain controller should always be followed by cleaning up the associated metadata, thereby effectively removing all references to the domain controller from the domain and forest.

Forced demotion should not be done on the last domain controller in a domain.

Procedure 1: Identify replication partners

Link to procedure.

Procedure 2: Force domain controller removal

Link to procedure.

Procedure 3: Clean up metadata

Link to procedure.

Dependencies

None

Technology Required

None
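The following script is an added example and is not part of the original guide. It performs the clean-up side of the forced-removal task from a surviving domain controller: it refuses to proceed if the removed server was the only domain controller in the domain, lists the replication partners that had inbound connections from it (Procedure 1), removes its metadata with ntdsutil (Procedure 3), and then deletes the Server object from the site only if it has no child objects left (Procedures 9 and 10). Procedure 2, the forced removal itself, runs on the failed domain controller and is not repeated here. It assumes the RSAT ActiveDirectory module and ntdsutil.exe; the server, site and domain names are hypothetical placeholders.

```powershell
# Added example, not from the original guide: metadata cleanup after a forced
# removal (Procedures 1 and 3 of this task, plus Procedures 9 and 10 for the
# Server object). Run on a healthy DC with the RSAT ActiveDirectory module and
# ntdsutil.exe. All names below are hypothetical placeholders.
param(
    [string]$DeadDC   = 'DC01',                    # name of the force-removed DC
    [string]$Survivor = 'DC02.corp.contoso.com',   # healthy DC to operate against
    [string]$Site     = 'Default-First-Site-Name'
)
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE -Server $Survivor).configurationNamingContext
$serverDN = "CN=$DeadDC,CN=Servers,CN=$Site,CN=Sites,$configNC"
$ntdsDN   = "CN=NTDS Settings,$serverDN"

# Forced demotion is never done on the last DC of a domain: if no other DC
# remains, the right answer is restoring the failed one, not cleaning it up.
$others = @(Get-ADDomainController -Filter * -Server $Survivor | Where-Object { $_.Name -ine $DeadDC })
if ($others.Count -eq 0) { throw "$DeadDC is the only domain controller in the domain; restore it instead" }

# Procedure 1: which DCs pulled changes from the dead DC? Their inbound
# nTDSConnection objects point at its NTDS Settings object. Confirm each of
# them received the dead DC's last changes before deleting the metadata.
$partners = Get-ADObject -Server $Survivor -SearchBase $configNC -Filter { objectClass -eq 'nTDSConnection' } -Properties fromServer |
    Where-Object { $_.fromServer -ieq $ntdsDN } |
    ForEach-Object { ($_.DistinguishedName -split ',', 3)[2] }   # strip CN=<guid>,CN=NTDS Settings => partner's server DN
Write-Host "Replication partners that pulled from ${DeadDC}:`n$($partners -join "`n")"

# Procedure 3: remove the dead DC's metadata. Since Windows Server 2003 SP1,
# ntdsutil accepts the server DN directly; it removes the NTDS Settings object
# and the other directory references a normal demotion would have cleaned up.
try   { Get-ADObject -Server $Survivor -Identity $ntdsDN -ErrorAction Stop | Out-Null; $ntdsExists = $true }
catch { $ntdsExists = $false }
if ($ntdsExists) {
    & ntdsutil.exe 'metadata cleanup' "remove selected server $serverDN" quit quit
} else {
    Write-Host "NTDS Settings object for $DeadDC is already gone; skipping ntdsutil"
}

# Procedures 9 and 10: delete the Server object only if nothing else hangs off
# it. A remaining child (an Exchange or other service object, for example)
# means the server still exists for another purpose and must be left alone.
try   { $children = @(Get-ADObject -Server $Survivor -SearchBase $serverDN -SearchScope OneLevel -Filter * -ErrorAction Stop) }
catch { Write-Host "Server object $serverDN no longer exists"; return }
if ($children.Count -gt 0) {
    Write-Warning "Leaving $serverDN in place: it still has $($children.Count) child object(s): $($children.Name -join ', ')"
} else {
    Remove-ADObject -Server $Survivor -Identity $serverDN -Confirm:$false
    Write-Host "Removed $serverDN from site $Site"
}
```

After the script completes, also remove the dead server's DNS records and any remaining connection objects that pointed at it, and verify with repadmin /showrepl on the survivors that no replication link still references it.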
