Active Directory FAQ’S and AD Troubleshooting Issues
Ravikumar lakamraju.
1. What is AD?
AD is a distributed database that organizes, manages, and controls network resources. It provides a single point of administration for the objects in the directory and their memberships and permissions, enabling a single administrator to centrally manage resources through AD Users and Computers, AD Sites and Services, AD Domains and Trusts, Group Policy settings and OUs. At the file level, AD stores its database in a single file named Ntds.dit, a copy of which is found on every domain controller.
Viewing the AD Schema: To use this snap-in you first need to register it manually: select Start, Run (or open a command prompt) and type "regsvr32 schmmgmt.dll". You can then open an MMC session, choose Add/Remove Snap-in from the Console menu, and select Active Directory Schema from the Add Standalone Snap-in dialog box.
To modify the AD schema, you need to use a different utility: the MMC ADSI Edit snap-in. ADSI Edit is essentially a low-level AD editor that lets you view, change, and delete AD objects and object attributes. In terms of usefulness and potential danger, ADSI Edit is to AD what the regedit or regedt32 registry editors are to the system registry. To use the ADSI Edit utility to make schema modifications, you first need to be a member of the Schema Admins group.
Run - CMD, then type: regsvr32 adsiedit.dll
2. What is LDAP?
Lightweight Directory Access Protocol: LDAP provides a way to communicate with Active Directory by specifying a unique naming path for each object in the directory. LDAP naming paths include distinguished names, domains, organizational units, trees and forests, and the global catalog.
LDAP specifies that every AD object be represented by a unique name. These names are formed by combining information about domain components (DC), OUs, and the name of the target object, known as a common name (CN). For example, the LDAP name for the user object for a person named Don Jones in the realtimepublishers.com domain's Marketing OU would be as follows: CN=Don Jones,OU=Marketing,DC=realtimepublishers,DC=com
This form of an object's name as it appears in the directory is referred to as the object's distinguished name (DN). Alternatively, an object can also be referred to by its relative distinguished name (RDN). The RDN is the portion of the DN that refers to the target object within its container. In the previous example, the RDN of the user object would simply be Don Jones.
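The DN and RDN splitting described above, as an added PowerShell example that is not part of the original FAQ: it separates a DN into its RDN components, keeps a backslash-escaped comma inside its RDN (the one case a naive split on commas gets wrong), and returns the RDN value and the parent container. The function names are my own; the sample DN is the FAQ's.

```powershell
# Added example, not from the original FAQ. Function names are my own.
function Split-DistinguishedName {
    # Split a DN into its RDN components, honouring backslash-escaped commas
    # such as "CN=Jones\, Don" so the escaped comma does not start a new RDN.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $parts   = New-Object System.Collections.Generic.List[string]
    $current = New-Object System.Text.StringBuilder
    $escaped = $false
    foreach ($ch in $DistinguishedName.ToCharArray()) {
        if ($escaped) { [void]$current.Append($ch); $escaped = $false; continue }
        if ($ch -eq '\') { [void]$current.Append($ch); $escaped = $true; continue }
        if ($ch -eq ',') { $parts.Add($current.ToString().Trim()); [void]$current.Clear(); continue }
        [void]$current.Append($ch)
    }
    if ($current.Length -gt 0) { $parts.Add($current.ToString().Trim()) }
    # Leading comma keeps a one-element result an array rather than a bare string.
    return ,$parts.ToArray()
}

function Get-RelativeDistinguishedName {
    # The RDN is the first component; the FAQ quotes just its value ("Don Jones"),
    # so strip the attribute-type prefix ("CN=") and return the value.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $rdn = (Split-DistinguishedName $DistinguishedName)[0]
    return ($rdn -split '=', 2)[1]
}

function Get-ParentContainer {
    # Everything after the RDN is the DN of the container that holds the object.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $parts = Split-DistinguishedName $DistinguishedName
    return ($parts | Select-Object -Skip 1) -join ','
}

# Constructed input: the FAQ's own example DN, plus one with an escaped comma.
$dn = 'CN=Don Jones,OU=Marketing,DC=realtimepublishers,DC=com'
Split-DistinguishedName $dn
Get-RelativeDistinguishedName $dn
Get-ParentContainer $dn
Get-RelativeDistinguishedName 'CN=Jones\, Don,OU=Marketing,DC=realtimepublishers,DC=com'
```

The escape handling matters in practice: display names with a comma ("Jones, Don") are common, and LDAP stores them as `\,` inside the RDN, so any tooling that splits a DN on commas without tracking the escape will hand you the wrong container.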
3. What is the Domain?
A domain serves as the core unit in AD's logical structure and is defined as a collection of computers that share a common directory database.
4. What are the forests and trees?
A tree is a hierarchical arrangement of AD domains that forms a contiguous namespace. For example, assume a domain named xcedia.com exists in your AD structure. The two subdivisions of xcedia.com are Europe and US, each represented by a separate domain. Within AD, the names of these domains would be us.xcedia.com and europe.xcedia.com. These domains form a domain tree because they share a contiguous namespace. This arrangement demonstrates the hierarchical structure of AD and its namespace: all of these domains are part of one contiguous, related namespace in the directory; that is to say, they form a single domain tree. The name of the tree is the root level of the tree, in this case xcedia.com.
A forest is a collection of one or more trees. A forest can be as simple as a single AD domain, or more complex, such as a collection of multi-tiered domain trees.
5. What is Authoritative and Non-authoritative restore?
Non-authoritative restore: When doing a normal restore, Backup works in non-authoritative mode. That means that any restored data (including Active Directory objects) keeps its original sequence number. This is the number AD replication uses to detect whether there are new objects to replicate to other servers, so after a normal restore the restored data appears old and is therefore not replicated to other servers. If newer data is available elsewhere, it will of course replicate to the restored server. This method is used when restoring all but the first replica set and when restoring a single domain controller in a replicated environment.
Authoritative restore: This is the third method. To perform an authoritative restore you have to run a utility called Ntdsutil. This must be run after you have restored the System State data, but before you restart the server. When you perform this kind of restore, the sequence numbers of the Active Directory objects are changed so that they are higher. This ensures that the data you restore will be replicated (because Active Directory replication thinks it is new). This is a little difficult to understand, but compared with a normal restore: a normal restore always marks objects as old, and an authoritative restore always marks objects as new. Simply put, use an authoritative restore when you have changed something, the change has been replicated to all other servers, and you want to undo the change.
6. What is backup?
Normal backup: The normal backup is...normal (surprised?). So, what does this mean? It simply means that it copies all the files you have marked to be backed up, and marks the files as having been backed up. You also only need the most recent copy of the backup file (other types of backups require several files, see below) to restore. This type is usually what you use the first time you back up files.
Incremental backup: The incremental backup backs up only those files that have been created or changed since the last incremental or normal backup. It also marks the files as having been backed up. A combination of normal backups and incremental backups is common, and also a very good combination. It requires the least amount of storage space and is fast for backing up the data. The disadvantage is that it is time-consuming to recover files, simply because you need the last normal backup set and all incremental backup sets, which can be stored on several backup drives or tapes.
Differential backup: The differential backup is similar to the incremental backup and only copies files that have been created or changed since the last normal or incremental backup. No, it wasn't a typo, it doesn't check whether a differential backup has been run. This is because differential backups do not mark files as having been backed up. A combination of differential backups and normal backups is more time-consuming on the backup side than normal + incremental backups are, but on the other hand it is faster to restore data, because all you need is the last normal backup and the last differential backup.
Copy backup: A copy backup copies all the files you have selected, but does not mark the files as having been backed up. This backup type is useful when you must back up single files between normal and incremental backups, because it does not affect those operations.
Daily backup: The daily backup copies all the selected files that have been modified on that day, without marking the files as having been backed up.
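To make the archive-bit behaviour behind the five backup types concrete, here is an added PowerShell example (not from the original FAQ) that simulates the selection and marking rules in a temporary folder. Select-BackupSet is a hypothetical function name standing in for the backup program: it only decides which files a given type would pick up and whether that type clears the archive attribute afterwards.

```powershell
# Added example, not from the original FAQ. Select-BackupSet is a hypothetical stand-in for a
# backup program: it only decides which files a backup type would pick up and whether the type
# clears the archive attribute afterwards. Works in a throwaway temp folder.
function Select-BackupSet {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('Normal','Incremental','Differential','Copy','Daily')]
        [string]$Type
    )
    $files = Get-ChildItem -Path $Path -File
    $hasArchiveBit = { ($_.Attributes -band [IO.FileAttributes]::Archive) -ne 0 }
    $selected = switch ($Type) {
        'Normal'       { $files }                               # everything
        'Copy'         { $files }                               # everything
        'Incremental'  { $files | Where-Object $hasArchiveBit }  # changed since last normal/incremental
        'Differential' { $files | Where-Object $hasArchiveBit }  # same selection, but not marked (below)
        'Daily'        { $files | Where-Object { $_.LastWriteTime.Date -eq (Get-Date).Date } }
    }
    # Only Normal and Incremental "mark the files as having been backed up" (clear the archive bit);
    # Differential, Copy and Daily leave it set, which is why a differential keeps growing.
    if ($Type -in 'Normal','Incremental') {
        foreach ($f in @($selected)) {
            $f.Attributes = $f.Attributes -band (-bnot [IO.FileAttributes]::Archive)
        }
    }
    return @($selected | ForEach-Object Name)
}

# Constructed sample data in a temp folder: three files, then a full (normal) backup.
$root = Join-Path ([IO.Path]::GetTempPath()) ('backupdemo_' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $root | Out-Null
'a','b','c' | ForEach-Object { Set-Content -Path (Join-Path $root "$_.txt") -Value 'v1' }
"Normal:        $(Select-BackupSet -Path $root -Type Normal)"

# Modify one file; NTFS sets its archive bit again on write.
Set-Content -Path (Join-Path $root 'b.txt') -Value 'v2'
"Differential:  $(Select-BackupSet -Path $root -Type Differential)"   # differential leaves the bit set
"Differential:  $(Select-BackupSet -Path $root -Type Differential)"   # so the same file is picked again
"Incremental:   $(Select-BackupSet -Path $root -Type Incremental)"    # incremental clears the bit
"Incremental:   $(Select-BackupSet -Path $root -Type Incremental)"    # nothing has changed since

Remove-Item -Path $root -Recurse -Force
```

Running the script on a Windows host shows the asymmetry the FAQ describes: two differential passes in a row select the same changed file, while the second incremental pass selects nothing, because only the incremental cleared the archive attribute.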
7. What are differences between windows 2003 flavors?
1. Standard Edition: Does not support clusters or 64-bit versions; supports up to 4 GB RAM.
2. Enterprise Edition: Supports 8-node clusters, 64-bit versions, and up to 32 GB RAM.
3. Datacenter Edition: Supports 8-node clusters, 64-bit versions, and up to 64 GB RAM.
4. Web Edition: Maximum 2 GB RAM; does not support clusters or 64-bit versions.
8. What are the Application Directory Partitions?
Schema partition: Every DC in an AD forest has a copy of the schema partition, which defines the object types that can be created and their associated properties.
Configuration partition: All DCs in the forest hold a copy of the configuration partition, which holds information about sites and services.
Domain partition: Within a domain, all DCs hold a copy of the domain partition, which includes information about objects within that particular domain only.
9. What are the AD Protocols? LDAP, GC DNS, NTDS, KDC, KCC,…
10. What is the GC? The GC is a separate database from AD that contains a partial, read-only replica of all the directory objects in the entire AD forest. Only Windows servers acting as domain controllers can be configured as GC servers. By default, the first domain controller in a Windows forest is automatically configured as a GC server.
The GC plays two primary roles on a Windows network:
1. Network logon authentication—In native-mode domains (networks in which all domain controllers have been upgraded to Win2K or later, and the domain's functional level has been manually set to the appropriate level), the GC facilitates network logons for AD-enabled clients. It does so by providing universal group membership information to the account sending the logon request to a domain controller. This applies not only to regular users but also to every type of object that must authenticate to AD (including computers). In multi-domain networks, at least one domain controller acting as a GC must be available in order for users to log on. Another situation that requires a GC server occurs when a user attempts to log on with a user principal name (UPN) other than the default. If a GC server is not available in these circumstances, users will only be able to log on to the local computer (the one exception is members of the domain administrators group, who do not require a GC server in order to log on to the network).
2. Directory searches and queries—With AD, read requests such as directory searches and queries by far outweigh write-oriented requests such as directory updates (for example, by an administrator or during replication). The majority of AD-related network traffic consists of requests from users, administrators, and applications about objects in the directory. As a result, the GC is essential to the network infrastructure because it allows clients to quickly perform searches across all domains within a forest. The GC stores information about all AD objects from all domains in a single forest, including universal groups and their membership; forwards authentication requests to the appropriate domain when a user principal name is used to log on; and validates object references within a forest.
11. Port numbers? DNS - 53, DHCP - 67, WINS - 1512, NTP - 123, Kerberos - 88, NetBIOS - 137, NNTP - 563, SQL - 1443, SSL - 443, RPC - 135, FTP - 20, 21, GC - 3268, LDAP - 389, HTTP - 88, SMTP - 25, RDP - 23, HTTPS - 443, POP3 - 110, IMAP - 143, IMAP3 - 220.
12. What are the Trust types?
Tree-root trust: Can be set up only between the roots of two trees in the same forest.
Parent-child trust: Makes all objects in the domains of the tree available to all other domains in the tree.
Shortcut trust: Optimizes the inter-domain authentication process by shortening the trust path.
Forest trust: Allows all domains in one forest to transitively trust all domains in another forest.
External trust: Created between two AD domains that are in different forests, or between an AD domain and an NT or earlier domain.
Realm trust: Between a non-Windows Kerberos realm and an AD domain.
13. What are the Groups?
2. Security Groups: A group that can be used to administer permissions for users and other domain objects.
14. What are the Groups types?
1. Domain Local: Members from any domain in the forest. Used to grant access to resources in one domain.
2. Global: Members from its own domain only. Used to grant access to resources in any domain.
3. Universal: Members from any domain in the forest. Used to grant access to resources in any domain.
15. What is KCC?
The KCC (Knowledge Consistency Checker) is a built-in Windows service that runs on all DCs, automatically generates AD's replication topology, and ensures that all domain controllers on the network participate in replication. It automatically establishes connections between individual machines in the same site, called connection objects, and manages connection objects for both intra-site and inter-site replication. It runs every 15 minutes by default.
15. What is KDC? Key Distribution Center: A network service that supplies session tickets and temporary session keys used in the Kerberos V5 authentication protocol.
16. What is the LMHOSTS file? An ASCII text file used by TCP/IP computers running Windows to resolve NetBIOS names into IP addresses. It is a list of the NetBIOS names assigned to computers on the network and their corresponding IP addresses.
An LMHOSTS file is a text file that maps the IP addresses of all servers on the network to their associated NetBIOS names. When an LMHOSTS file is used for NetBIOS name resolution, every time a server is added to or removed from the network, the LMHOSTS file on each individual computer on the network must be updated manually. The LMHOSTS file is stored in Systemroot\system32\drivers\etc.
17. What are the AD Logs?
1. Sequential logs: This is the default method. Sequential log files are not overwritten with new data; these files grow until they reach a specified size. The garbage collection process deletes unnecessary log files every 12 hours by default.
2. Circular logs: This overwrites transactions at specific intervals. This method helps minimize the amount of logged data the physical disk must store.
18. What is the Bridgehead Server?
To minimize bandwidth usage during intersite communication, the KCC dynamically chooses a server from each site to handle the communication. A bridgehead server is a DC in a site, designated automatically by the KCC, that acts as the contact point for exchanging directory information between this site and other sites.
19. What is a Cluster? A set of computers joined together in such a way that they behave as a single system.
20. What is a BDC? Backup Domain Controller: In an NT domain, a computer that stores a backup of the database that contains all the security and account information from the PDC.
21. What is BITS? Background Intelligent Transfer Service: A service used to transfer files between a client and an HTTP server. BITS uses idle network bandwidth and will decrease transfer requests when other network traffic increases.
22. What are the Forest Functional Levels? Windows 2000 (default), Windows 2003, Windows 2003 Interim.
23. What are the Domain Functional Levels? Windows 2000 mixed mode (default), Windows 2000 native mode, Windows 2003, Windows 2003 Interim.
24. What is a GUID? Globally Unique Identifier: A 128-bit number that is assigned to an object when the object is created. The GUID never changes, even if you move or rename the object. Applications can store the GUID of an object and use the GUID to retrieve that object regardless of its current distinguished name.
25. What is an OU? An OU is a logical container into which you can place users, groups, computers and other OUs. It can contain objects only from its parent domain. An OU is the smallest scope to which you can apply a Group Policy or delegate authority.
26. What is RIS? Remote Installation Services allows clients to boot from a network server and use special preboot diagnostic tools installed on the server to automatically install a client operating system.
27. What is RPC? Remote Procedure Call: A message-passing facility that allows a distributed application to call services that are available on various computers on a network. Used during remote administration of computers.
28. What is a Schema? A set of definitions of the object classes and attributes that can be stored in AD. Like other objects in AD, schema objects have an access control list to limit alterations to authorized users only. You can inspect the schema with the ADSI Edit tool. If you need to update the schema, run regsvr32 schmmgmt.dll to register the Active Directory Schema snap-in.
29. What is a Site? One or more well-connected TCP/IP subnets. A site allows administrators to configure AD access and replication topology quickly and easily to take advantage of the physical network.
30. What is a Tombstone? In AD, an object that is removed from the directory but not yet deleted.
31. What is VSS? Volume Shadow Copy Service, which creates snapshot backups of files, allowing a backup utility to back up the snapshot regardless of whether the original file is locked or open.
32. What is WINS? Windows Internet Name Service, which registers the NetBIOS names and IP addresses of computers on a LAN and resolves NetBIOS names into IP addresses for its clients as needed.
33. What are the types of AD installation? 1. DCPROMO.EXE; 2. dcpromo /answer:answerfile (Windows 2003 CD, Ref.chm in Deploy.cab in the Support Tools); 3. dcpromo /adv: using the network or backup media.
34. What are the new or core features of AD in Windows 2003? Domain and forest functional levels, cross-forest trust relationships, domain renaming, DC renaming, universal group membership caching, application directory partitions.
35. What are the AD Authentication Protocols?
1. Kerberos V5: The Kerberos version 5 authentication protocol is a distributed security protocol based on Internet standards and is the default security mechanism used for domain authentication within or across AD domains. Kerberos replaces NT LAN Manager (NTLM) authentication, used in NT Server 4.0, as the primary security protocol for access to resources within or across AD domains. AD domain controllers still support NTLM to provide backward compatibility with NT 4.0 machines.
With Kerberos, as part of the logon process the authenticated user is granted what is known as a TGT (Ticket Granting Ticket) by a KDC. In Windows 2003 AD a DC acts as the KDC. When the user needs to access resources on a server in the same domain, the user must first obtain a valid service ticket for that server: the client presents the TGT to the KDC, requesting a service ticket for the server on which the resources reside. The KDC checks its domain database for the service principal name (SPN) of the requested server; because the requested server is in the same domain, a service ticket is passed back to the client. After obtaining this service ticket from the KDC, the client presents it to the server and can then access resources on that server.
2. NTLM: When a client tries to access resources on a server in another domain using NTLM authentication, the server containing the resource must contact a DC in the client's account domain to verify the user's credentials.
36. What are the RAID levels? Redundant Array of Independent Disks: A range of disk management and striping techniques used to implement fault tolerance.
RAID-0 (Striping): Part of each byte of data is written to each drive in the array. RAID-0 is not redundant, but it provides the highest performance, because each byte of data is written in parallel.
RAID-1 (Mirroring): All data on a drive is mirrored to a second drive. This provides the highest reliability; write performance is fairly slow, because data must be written to both drives.
RAID-0+1: As with RAID-0, data is striped across each drive in the array; however, the array is mirrored to one or more parallel arrays. This provides the highest reliability and performance but has the same high disk storage requirements as RAID-1.
RAID-5: Part of each byte of data is striped to each drive in the array. However, writes include parity information that allows the data to be recovered from the remaining drives if a drive fails.
37. Explain about FSMO Roles?
Each domain in an AD-based network has three FSMO roles that must be assigned to domain controllers within the domain:
PDC Emulator. The DC holding this role plays PDC for any legacy Windows NT BDCs you may still have running. But even if you've migrated all your legacy DCs and your domains are running in Windows 2000 mixed functional level or higher, the PDC Emulator role is still important because the PDC Emulator enforces account lockout, handles password changes, and synchronizes time for all DCs in the domain.
RID Master. When an administrator creates a new security principal in Active Directory (typically a new user or group), the SID for the new object is constructed from the domain SID and a relative ID (RID) selected from a pool of RIDs on the domain's DCs. If this pool starts running low (under 50% remaining), the RID Master replenishes it.
Infrastructure Master. Ensures cross-domain object references are handled properly, such as when objects in one domain are referenced by objects in a different domain.
The forest root domain also has two additional FSMO roles that must be assigned to domain controllers in that domain:
Domain Naming Master. Handles changes to the namespace, for example when a new child domain is added to a parent domain.
Schema Master. Handles changes to the schema and replicates these changes to all other DCs throughout the forest.
There are a number of ways you can determine which DCs are FSMO role holders on your network, but the simplest is to install the Support Tools from the \Support\Tools folder on your product CD and type netdom query fsmo at a command prompt.
Symptoms of FSMO Problems
If one or more of your FSMO role holders has problems, bad things can happen. To help you troubleshoot such situations, the list below describes some of the symptoms that can occur when FSMO role holders go missing or don't work properly.
1. Schema Master fails: Can't modify the schema. Can't raise the functional level for the forest, because this role holder must be available when raising the forest functional level.
2. Domain Naming Master fails: Can't add or remove a domain. Can't promote or demote a DC. Changes to the namespace need this role holder.
3. PDC Emulator fails: a) Users can't log on, because if system clocks become unsynchronized, Kerberos may fail. b) Can't change passwords, because password changes need this role holder. c) Account lockout not working, because account lockout enforcement needs this role holder. d) Can't raise the functional level for a domain, because this role holder must be available when raising the domain functional level.
4. RID Master fails: Can't create new users or groups, because the RID pool has been depleted.
5. Infrastructure Master fails: Problems with universal group memberships, because cross-domain object references need this role holder.
Rules for FSMO Role Placement
Since FSMO roles are crucial for the proper functioning of an AD-based network, it's a good idea to get them right from the planning stage of your deployment. By default, when you install the first DC of your forest root domain, this first DC holds all five FSMO roles. When you install the first DC of any other domain in your forest, that DC will hold all three domain FSMO roles (PDC Emulator, RID Master, and Infrastructure Master). Depending on the complexity of your network, however, this default role assignment may not be appropriate, so you need to transfer some of your roles to a different machine to achieve optimal FSMO-role placement on your network.
Proper FSMO role placement basically boils down to a few simple rules, tips, and exceptions:
Rule 1: The PDC Emulator and RID Master roles should be on the same machine, because the PDC Emulator is a large consumer of RIDs.
Tip: Since the PDC Emulator is the role that does by far the most work of any FSMO role, if the machine holding the PDC Emulator role is heavily utilized, move this role and the RID Master role to a different DC, preferably not a global catalog server (GC), since those are often heavily used as well.
Rule 2: The Infrastructure Master should not be placed on a GC.
Tip: Make sure the Infrastructure Master has a GC in the same site as a direct replication partner.
Exception 1: It's OK to put the Infrastructure Master on a GC if your forest has only one domain.
Exception 2: It's OK to put the Infrastructure Master on a GC if every DC in your forest is a GC.
Rule 3: For simpler management, the Schema Master and Domain Naming Master can be on the same machine, which should also be a GC.
Exception: If you've raised your forest functional level to Windows Server 2003, the Domain Naming Master doesn't need to be on a GC, but it should at least be a direct replication partner with a GC in the same site.
Rule 4: Proactively check from time to time to confirm that all FSMO roles are available, or write a script to do this automatically.
Tip: If any FSMO role holders at a remote site are unavailable, check first to see whether your WAN link is down.
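Rule 4 suggests scripting the FSMO availability check. The following is an added PowerShell example, not from the original article, that reports the five role holders (the PowerShell equivalent of netdom query fsmo), checks that each answers on the LDAP port, and flags violations of Rule 1 and of Rule 2 including its two exceptions. It assumes the ActiveDirectory module (RSAT) is installed, that the session runs as a domain user with read access, and that Test-NetConnection is available (Windows 8 / Server 2012 or later); port 389 for LDAP is taken from the port list above.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory module (RSAT) and a
# domain-joined session with read access; nothing here transfers or seizes roles.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# The five role holders, i.e. what "netdom query fsmo" prints.
$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}

# Rule 4: confirm every holder answers on the LDAP port (389, from the port list above). An
# unreachable holder maps directly onto the symptoms listed earlier (no new RIDs, no password
# changes, no schema or functional-level changes).
$report = foreach ($entry in $roles.GetEnumerator()) {
    $ldapUp = Test-NetConnection -ComputerName $entry.Value -Port 389 `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Role = $entry.Key; Holder = $entry.Value; LdapReachable = $ldapUp }
}
$report | Format-Table -AutoSize

# Rule 1: PDC Emulator and RID Master should be co-located.
if ($domain.PDCEmulator -ne $domain.RIDMaster) {
    Write-Warning "Rule 1: PDC Emulator ($($domain.PDCEmulator)) and RID Master ($($domain.RIDMaster)) are on different DCs."
}

# Rule 2 and its two exceptions: the Infrastructure Master should not be a GC unless the forest
# has a single domain or every DC in the forest is a GC. DCs are enumerated per forest domain.
$allDcs       = $forest.Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
$infraDc      = $allDcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
$everyDcIsGc  = -not ($allDcs | Where-Object { -not $_.IsGlobalCatalog })
$singleDomain = ($forest.Domains.Count -eq 1)
if ($infraDc.IsGlobalCatalog -and -not ($singleDomain -or $everyDcIsGc)) {
    Write-Warning "Rule 2: Infrastructure Master $($domain.InfrastructureMaster) is a GC, the forest has several domains, and not every DC is a GC."
}
```

Run it on a schedule from a management host and treat any LdapReachable of False, or either warning, as a ticket: the symptom list above tells you which user-visible failures (password changes, new accounts, logons in a multi-domain forest) follow from the particular role that is missing.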
38. AD Tools?
Event Viewer, Performance monitor, NLTEST, BROWMON, NETDOM, DOMMON, DATALOG, REPADMIN, REPLMON, DFSCHECK.
39. Common Problems / issues In AD Domain controllers/AD
• Low CPU or memory resources on domain controllers
• Low disk space on volumes housing the Sysvol folder, the AD database (NTDS.DIT) file, and/or the AD transactional log files
• Slow or broken connections between domain controllers
• Slow or failed client network logon authentication requests
• Slow or failed LDAP query responses
• Slow or failed Key Distribution Center (KDC) requests
• Slow or failed AD synchronization requests
• NetLogon (LSASS) service not functioning properly
• Directory Service Agent (DSA) service not functioning properly
• KCC not functioning properly
• Excessive number of SMB connections
• Insufficient RID allocation pool size on local server
• Problems with transitive or external trusts to Win2K or down-level NT domains
• Low AD cache hit rate for name resolution queries (as a result of inefficient AD design)
Replication
• Failed replication (due to domain controller or network connectivity problems)
• Slow replication
• Replication topology invalid/incomplete (lacks transitive closure/consistency)
• Replication using excessive network bandwidth
• Too many properties being dropped during replication
• Update Sequence Number (USN) update failures
• Other miscellaneous replication-related failure events
GC
• Slow or failed GC query responses
• GC replication failures
DNS
• Missing or incorrect SRV records for domain controllers
• Slow or failed DNS query responses
• DNS server zone file update failures
Operation masters (FSMOs)
• Inaccessibility of one or more operation master (FSMO) servers
• Forest or domain-centric operation master roles not consistent across domain controllers within domain/forest
• Slow or failed role master responses
Miscellaneous problems
• Low-level network connectivity problems
• TCP/IP routing problems
• DHCP IP address allocation pool shortages
• WINS server query or replication failures (for legacy NetBIOS systems and applications)
• Naming context lost+found items exist
• Application or service failures or performance problems
40. Logical Structures of AD?
Namespace: AD is a namespace because it resolves an object's name to the object itself.
Naming context: Represents a contiguous subtree of AD.
Organizational unit: A container object that allows you to organize your objects and resources.
Domain: A partition in AD that provides a place to group together users, groups, computers, printers, servers, and other resources.
Tree: A grouping of domains that have a parent-child relationship with one another.
Forest: A collection of one or more trees.
Trust relationship: A logical connection between two domains that forms one administrative unit.
Global catalog: A central source for AD queries for users and other objects.
41. Naming Context?
The naming context represents a contiguous subtree of AD in which a given name is resolved to an object. A single domain controller always holds at least three naming contexts:
• Domain—contains the object and attribute information for the domain of which the domain controller is a member.
• Configuration—contains the rules for creating the objects that define the logical and physical structure of the AD forest.
• Schema—contains the rules for creating new objects and attributes.
42. Physical Structure of AD?
Object and attributes: An object is defined by the set of attributes or characteristics assigned to it. Objects include users, printers, servers, groups, computers, and security policies.
Domain controller: A domain controller is a network server that hosts the AD service in a domain. Many computers can belong to a domain without being a domain controller, but only domain controllers actually run the software that makes AD operate. All members of a domain must contact a domain controller in order to work with the domain.
Directory server role: A server that takes the role of Flexible Single Master Operation (FSMO). Directory server roles are single-master servers that perform special roles for AD, such as managing domains, managing schemas, and supporting down-level clients.
Site: A location on the physical network that contains AD servers. A site is defined as one or more well-connected Transmission Control Protocol/Internet Protocol (TCP/IP) subnets.
Global Catalog (GC) server: Stores the GC information for AD.
43. Types of Event Logs? When you use Event Viewer, the event logs are separated into three logs, as follows:
• Application Log: Contains events logged by applications or programs, such as Exchange or IIS, that are running on the computer. The developer of an application decides which events to record.
• System Log: Contains events logged by the subsystems and components of the domain controller. For example, if a disk driver has problems or fails, it records the events in the System Log. You can use this log to determine the general availability and uptime of the domain controller.
• Security Log: Records security events, such as when a user successfully logs on or attempts to log on. This log also records events that relate to file access. For example, an event is recorded when a file is created, opened, or deleted. By default, the Security Log can only be seen by systems administrators.
Others: Directory Service, File Replication Service, DNS Server, Internet Explorer.
• Directory service log: Contains the events that are generated by AD on the domain controller. You can use this log to monitor activity or investigate any directory problems. By default, the directory records all critical error events.
• DNS server log: Contains the events generated by the DNS service installed on your domain controller. For example, when the DNS service starts or stops, it writes a corresponding event message to this log. More critical DNS events are also logged, for example if the service starts but cannot locate initializing data such as zones or other startup information stored in the domain controller's registry or in AD. The DNS log exists only if the DNS service is running on the server. The DNS service typically runs on only a few domain controllers in the forest.
• FRS log: Contains events generated by file replication on the domain controller. FRS is a replication engine used to replicate files among different computers simultaneously. AD uses this service to replicate Group Policy files among domain controllers.
44. Types of Events Logged by Event Viewer?
• Error: Signifies that a severe problem has occurred. This event means that data or functionality was lost. For example, if a service fails to load during startup or stops abruptly, an error is logged.
• Warning: Is less significant than an error and indicates that a problem could occur in the future. For example, a warning is logged if disk space becomes too low.
• Information: Describes important situations that need noting. This event is typically used to notify when an operation is successful—for example, a disk driver loaded successfully and without errors.
• Success audit: Logs successful access to a secured system resource such as a file or directory object. A success audit event is a successful security-access attempt. For example, if a user attempts to log on to the system and is successful, a success audit event is logged.
• Failure audit: Is the opposite of the success audit event. For example, if a user attempts to log on to the system or access a secured resource and fails, a failure audit is logged.
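An added PowerShell example (not from the original FAQ) that uses the event types and log names above for a first-pass triage of a domain controller: Critical/Error events from the System, Directory Service, DNS Server and File Replication Service logs over the last 24 hours, plus the failure audits from the Security log. The keyword value used to select failure audits is the StandardEventKeywords.AuditFailure constant; $ComputerName and $Hours are variables defined here for the example.

```powershell
# Added example, not from the original FAQ. Run on the DC itself or point $ComputerName at one;
# requires rights to read the logs (the Security log needs local administrator or Event Log Readers).
$ComputerName = $env:COMPUTERNAME
$Hours        = 24
$since        = (Get-Date).AddHours(-$Hours)

# Log names as Event Viewer shows them. "DNS Server" exists only where the DNS role is installed
# and the FRS log only while FRS is in use, so a missing log is reported, not treated as a failure.
$logs = 'System', 'Directory Service', 'DNS Server', 'File Replication Service'

foreach ($log in $logs) {
    try {
        # Level 1 = Critical, 2 = Error: the "Error" event type described above.
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
            LogName = $log; Level = 1, 2; StartTime = $since
        } -ErrorAction Stop
        "== $log`: $(@($events).Count) error/critical events in the last $Hours h =="
        # Group by source and event ID so the noisiest problem surfaces first.
        $events | Group-Object ProviderName, Id | Sort-Object Count -Descending |
            Select-Object Count, @{ n = 'Source, EventID'; e = { $_.Name } } | Format-Table -AutoSize
    } catch {
        # Get-WinEvent throws both when the log does not exist and when no event matched.
        "== $log`: $($_.Exception.Message) =="
    }
}

# Failure audits (the "Failure audit" type above) are selected by keyword, not by level.
# 4503599627370496 is [System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditFailure.
$failures = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName = 'Security'; Keywords = 4503599627370496; StartTime = $since
} -ErrorAction SilentlyContinue
"== Security: $(@($failures).Count) failure audits in the last $Hours h =="
$failures | Group-Object Id | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'EventID'; e = { $_.Name } } | Format-Table -AutoSize
```

Grouping by event ID rather than listing raw events is the design choice here: a DC with a replication or DNS problem usually emits the same ID hundreds of times, and the count per ID is what distinguishes a persistent fault from a one-off.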
The Performance page in Task Manager contains eight informational panes. The first two are CPU Usage and CPU Usage History. These two panes and the Totals pane all deal with usage on the CPU, or processor. The remaining panes can be used to analyze the memory usage for the domain controller and include the following:
• PF Usage: A bar graph that shows the amount of paging your domain controller is currently using. This pane is one of the most useful because it can indicate when VMM is paging memory too often and thrashing. Thrashing occurs when the OS spends more time managing virtual memory than it does executing application code. If this situation arises, you need to increase the amount of memory on the system to improve performance.
• Page File Usage History: A line graph that tracks the size of virtual memory over time. The history for this pane is only displayed in the line graph and not recorded anywhere. You can use this information to help determine whether there is a problem with virtual memory over a longer period of time.
• Physical Memory: This pane tells you the total amount of RAM in kilobytes (KB) that has been installed on your domain controller. This pane also shows the amount of memory that is available for processes and the amount of memory used for system cache. The amount of available memory will never go to zero because the OS will swap data to the hard drive as the memory fills up. The system cache is the amount of memory used for file cache on the domain controller.
• Commit Charge: This pane shows three numbers, which all deal with virtual memory on the domain controller: Total, Limit, and Peak. The numbers are shown in kilobytes. Total shows the current amount of virtual memory in use. Limit is the maximum possible size of virtual memory. (This is also referred to as the paging limit.) Peak is the highest amount of memory that has been used since the domain controller was started.
• Kernel Memory: Shows you the total amount of paged and non-paged memory, in kilobytes, used by the kernel of the OS. The kernel provides core OS services such as memory management and task scheduling.
46. Page-Fault Counters?
When a process or thread requests data on a page in memory that is no longer there, a domain controller issues a page fault. Here, the page has typically been moved out of memory to provide memory for other processes. If the requested page is in another part of memory, the page fault is a soft page fault. However, if the page has to be retrieved from disk, a hard page fault has occurred. Most domain
Page-fault counters help you determine the impact of virtual memory and page faults on a domain controller. These counters can be important performance indicators because they measure how VMM handles memory:
• Page Faults/sec: Indicates the number of page faults without making a distinction between soft page faults and hard page faults
• Page Reads/sec: Indicates the number of times the disk was read to resolve hard page faults; this counter indicates the impact of hard page faults
• Pages Input/sec: Indicates the number of pages read from disk to resolve hard page faults; this counter also indicates the impact of hard page faults.
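The three counters above can be sampled from PowerShell rather than System Monitor. The following script is an added example (not part of the original FAQ) that takes ten one-second samples, tabulates them, and reports what share of the fault rate required a disk read; the 20 reads/sec warning threshold is a constructed starting value, not a Microsoft figure.

```powershell
# Added example, not from the original FAQ: sample the three page-fault counters
# discussed above and report how much of the fault rate is hard faults (disk reads).
# Assumes a Windows host; the warning threshold is a constructed starting value.

$counters = @(
    '\Memory\Page Faults/sec',
    '\Memory\Page Reads/sec',
    '\Memory\Pages Input/sec'
)

# Ten samples, one second apart.
$samples = Get-Counter -Counter $counters -SampleInterval 1 -MaxSamples 10

# One row per sample interval with the three counter values side by side.
$rows = foreach ($s in $samples) {
    $v = @{}
    foreach ($c in $s.CounterSamples) {
        # Path looks like \\HOST\memory\page faults/sec; keep only the counter name.
        $name = ($c.Path -split '\\')[-1]
        $v[$name] = [math]::Round($c.CookedValue, 1)
    }
    [pscustomobject]@{
        Time          = $s.Timestamp.ToString('HH:mm:ss')
        FaultsPerSec  = $v['page faults/sec']
        ReadsPerSec   = $v['page reads/sec']
        PagesInPerSec = $v['pages input/sec']
    }
}

$rows | Format-Table -AutoSize

$avgFaults = ($rows | Measure-Object -Property FaultsPerSec -Average).Average
$avgReads  = ($rows | Measure-Object -Property ReadsPerSec  -Average).Average

# Page Faults/sec mixes soft and hard faults, so the share that needed a disk read is
# the figure that indicates memory pressure. 20 reads/sec is a constructed threshold.
$hardShare = if ($avgFaults -gt 0) { [math]::Round(100 * $avgReads / $avgFaults, 1) } else { 0 }
'Average: {0} faults/sec, {1} disk reads/sec ({2}% hard)' -f `
    [math]::Round($avgFaults, 1), [math]::Round($avgReads, 1), $hardShare

if ($avgReads -gt 20) {
    Write-Warning 'Sustained hard page faults: VMM is paging from disk. Consider adding RAM to the domain controller.'
}
```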
47. AD Monitoring Tools?
DirectoryAnalyzer: DirectoryAnalyzer monitors the individual structures and components of AD—replication, domains, sites, Global Catalogs (GCs), operations master roles, and DNS (inasmuch as it relates to AD). Each of these components is vital to the operation of AD. DirectoryAnalyzer can monitor and alert based on specific conditions and problems in each of the individual structures. The alerts are then recorded at the Directory Analyzer client or console for viewing.
ChangeAuditor for Active Directory: Answering the questions who, what, when, and where, ChangeAuditor from NetPro starts out by capturing AD's own internal traffic into a log. Rather than interpreting that log and displaying it, however, ChangeAuditor analyzes that information and builds a detailed log file of every change that occurs within AD. You can't view the AD traffic real-time; instead, you can run a series of pre-created reports (or you can create your own reports) that display changes to various aspects of AD.
DirectoryTroubleshooter: NetPro's DirectoryTroubleshooter is a kind of super-performance monitor with built-in intelligence. It monitors literally hundreds of AD-related configuration settings, performance values, and other aspects of AD, and reports to you on potential problem areas.
Microsoft Operations Manager: Although not strictly a third-party product, Microsoft Operations Manager (MOM) is an additional purchase from Microsoft (it is not a built-in tool). MOM is designed to provide health monitoring services for Microsoft server products, including Windows and AD. The idea behind MOM—much like AppManager—is to collect performance data and compare it with known thresholds, translating raw performance data into more useful health information. For example, knowing that your domain controllers' processor utilization is at 70 percent may be interesting data, but it's not useful. Is 70 percent good or bad? MOM is designed to quickly compare that data to a range of values known to represent good and bad server health conditions, and creates a graphical view of services and server components that are operating at levels that may represent a problem. MOM also checks several configuration parameters to help spot problems.
Built-In Tools:
System Monitor: This utility allows you to watch the internal performance counters that relate to the directory on the domain controller.
Event Viewer: To view and analyze the events that have been generated by a Windows domain controller, you can use the Event Viewer. This utility allows you to monitor the event logs generated by Windows. By default, there are three event logs: the application log, the system log, and the security log.
Replication Diagnostics: The Replication Diagnostics tool is simply referred to as REPADMIN. It's a command-line utility that allows you to monitor and diagnose the replication process and topology in AD. It also provides several switches that you can use to monitor specific areas of replication. For example, you can force replication among domain controllers and view the status. During normal replication, the Knowledge Consistency Checker (KCC) manages and builds the replication topology for each naming context on the domain controller. The replication topology is the set of domain controllers that share replication responsibility for the domain. REPADMIN allows you to view the replication topology as seen by the domain controller. If needed, you can use REPADMIN to manually create the replication topology, although doing so isn't usually beneficial or necessary because the replication topology is generated automatically by the KCC. You can also view the domain controller's replication partners, both inbound and outbound, and some of the internal structures used during replication, such as the metadata and up-to-date vectors.
48. Sites: The KCC uses sites to define the replication topology. Sites define the sets of domain controllers that are well connected in terms of speed and cost. When changes occur, the domain controllers in a site replicate with each other to keep AD synchronized. If the domain controllers are local (intra-site topology), replication starts as needed—with no concern for speed or cost—within 5 minutes of an update occurring. If the two domain controllers are separated by a low-speed network connection (inter-site topology), replication is scheduled as needed. Inter-site replication occurs only on a fixed schedule, regardless of when updates occur.
49. Subnets: Subnets assist the KCC to identify groups of computers and domain controllers that are physically close or on the same network.
50. Site links: Site links must be established among sites so that replication among sites can occur. Unless a site link is placed, the KCC cannot automatically create the connections among sites, and replication cannot take place. Each site link contains the schedule that determines when replication can occur among the sites that it connects.
51. Bridgehead servers: The KCC automatically designates a single server for each naming context, called the bridgehead server, to communicate across site links. You can also manually designate bridgehead servers when you establish each site link. Bridgehead servers perform site-to-site replication; in turn, they replicate to the other domain controllers in each site. Using this method, you can ensure that inter-site replication occurs only among designated bridgehead servers. Thus, bridgehead servers are the only servers that replicate across site links, and the rest of the domain controllers are updated within the local sites.
52. When the DNS Server Doesn’t Resolve Names Correctly?
Windows includes a caching DNS-resolver service, which is enabled by default. For troubleshooting purposes, this service can be viewed, stopped, and started like any other Windows service. The caching resolver reduces DNS network traffic and speeds name resolution by providing a local cache for DNS queries.
How the Caching DNS-Resolver Service Works
When a name is submitted to DNS, if the resolver is caching names, it first checks the cache. If the name is in the cache, the data is returned to the user. If the name isn't in the cache, the resolver queries the other DNS servers that are listed in the TCP/IP properties for each adapter. It does this in the following order:
1. The resolver checks the local hosts file (located by default in C:\Windows\System32\drivers\etc) to see whether the required name is listed. The "localhost" address, for example, resolves to 127.0.0.1 through use of the hosts file, not a DNS server.
2. If the name isn't in the hosts file, the resolver sends the query to the first server on the preferred adapter's list of DNS servers and waits one second for a response.
3. If the resolver doesn't receive a response from the first server within one second, it sends the query to the first DNS servers on all adapters that are still under consideration and waits 2 seconds for a response.
4. If the resolver doesn't receive a response from any server within 2 seconds, it sends the query to all DNS servers on all adapters that are still under consideration and waits another 2 seconds for a response.
5. If it still doesn't receive a response from any server, it sends the query to all DNS servers on all adapters that are still under consideration and waits 4 seconds for a response.
6. If it still doesn't receive a response from any server, the resolver sends the query to all DNS servers on all adapters that are still under consideration and waits 8 seconds for a response.
7. If the resolver receives a positive response, it stops querying for the name, adds the response to the cache, and returns the response to the client. If it doesn't receive a response from any server by the end of the 8 seconds, it responds with a time-out. Also, if it doesn't receive a response from any server on a specified adapter, it responds for the next 30 seconds to all queries destined for servers on that adapter with a time-out and doesn't query those servers.
The resolver also keeps track of which servers answer queries more quickly, and it might move servers up or down on the search list based on how quickly they respond. In addition, the resolver also caches negative responses. If the resolver is able to successfully reach a domain controller, but that domain controller is unable to resolve the requested name to an IP address, the result is a negative response. So long as that negative response remains in the cache, the resolver will not try to resolve the address again. You can clear the cache by running the following from a command-line:
IPCONFIG /FLUSHDNS
Doing so forces the resolver to start over the next time any name needs to be resolved.
You can also fix this problem by using the IPCONFIG command. Entering the following command allows you to view the current list of DNS entries that the server has cached:
IPCONFIG /displayDNS
Entering the following command allows you to refresh all DHCP leases and re-register DNS names. (Wait 5 minutes for the DNS entries in the cache to be reset and updated with the RRs in the server's database.)
IPCONFIG /registerDNS
You can also use the IPCONFIG command to dump all of the DNS cache entries:
IPCONFIG /flushDNS
It's worth noting that the DNS server should eventually refresh the cache because each entry has a Time-To-Live (TTL) associated with it. TTL indicates a length of time used by other DNS servers to determine how long to cache information for a record before discarding it.
53. Understanding the AD Database and Its Associated Files?
AD is stored on each domain controller in a local database. The database exists as a domain database and, married with the directory services, performs authentication services to users and applications. The domain controllers replicate their data with each other to ensure that copies of the domain database on other domain controllers are current and accurate.
The AD database is implemented on an indexed sequential access method (ISAM) table manager that has been referred to as "Jet." The table manager is called the Extensible Storage Engine (ESE). The ESE database is managed on each domain controller by the ESE.DLL file. The database is a discrete transaction system that uses log files to ensure integrity; it supports rollback to ensure that transactions are either fully committed to the database or not applied at all.
The following files are associated with AD:
• NTDS.DIT: The main database file, ntds.dit grows as the database fills with objects and attributes. However, the log files have a fixed size of 10 megabytes (MB). Any changes made to the database are also made to the current log file and to the DIT file in the cache. Eventually the cache is flushed. If a computer failure occurs before the cache is flushed, ESE uses the log file to complete the update to the DIT file. By default, the AD database is stored in <DRIVE>\WINNT\NTDS\NTDS.DIT. The log files for the directory database are stored in the same directory by default. Their purpose is to track the changes in the directory database, and they can grow to be quite large. Give all the room you can to the log files; for example, you can place the log files on different disk drives than the database file to reduce disk contention on a single drive.
• EDB.LOG and EDBXXXXX.LOG: EDB.LOG is the current log file for AD. When a change is made to the database, it's written to this file. When EDB.LOG becomes full of database transactions, it's renamed to EDBXXXXX.LOG, where XXXXX starts at 00001 and continues to increment using hexadecimal notation. AD uses circular logging, which constantly deletes old log files. If you view the directory files at any time, you'll notice the EDB.LOG file and at least one or more EDBXXXXX.LOG files.
• EDB.CHK: Stores the database checkpoint, which identifies the point at which the database engine needs to replay the logs. This file is typically used during recovery and initialization.
• RES1.LOG and RES2.LOG: Placeholders designed to reserve the last 20MB of disk space on the disk drive. Saving disk space gives the log files sufficient room to shut down gracefully if other disk space is consumed.
54. DCDIAG: consists of a set of tests that you can use to verify and report on the functional components of AD on the computer. You can use this tool on a single domain controller, a group of domain controllers holding a domain partition, or across a site. When using DCDIAG, you can collect either a minimal amount of information (confirmation of successful tests) or data for every test you execute. Unless you're diagnosing a specific problem on only one domain controller, I recommend that you collect only the severe errors for each one.
DCDIAG allows you to run the following tests to diagnose the status of a domain controller:
• Connectivity test: Verifies that DNS names for the domain controller are registered. It also verifies that the domain controller can be reached by using TCP/IP and the domain controller's IP address. DCDIAG checks the connectivity to the domain controller by using LDAP and checks that communications can occur by using an RPC.
• Replication test: Checks the replication consistency for each of the target domain controllers. For example, this test checks whether replication is disabled and whether replication is taking too long. If so, the utility reports these replication errors and generates errors when there are problems with incoming replica links.
• Topology integrity test: Verifies that all domain controllers holding a specific partition are connected by the replication topology.
• Directory partition head permissions test: Checks the security descriptors for proper permissions on the directory partition heads, such as the schema, domain, and configuration directory partitions.
• Locator functionality test: Verifies that the appropriate SRV RRs are published in DNS. This test also verifies that the domain controller can recognize and communicate with operations masters. For example, DCDIAG checks whether the locator can find a primary domain controller (PDC) and GC server.
• Inter-site health test: Identifies and ensures the consistency of domain controllers among sites. To do so, DCDIAG performs several tests, one of which identifies the inter-site topology generator and identifies the bridgeheads for each site. This test determines whether a bridgehead server is functioning; if not, the utility identifies and locates additional backup bridgeheads. In addition, this test identifies when sites aren't communicating with other sites on the network.
• Trust verification test: Checks explicit trust relationships, that is, trusts between two domain controllers in the forest. DCDIAG cannot check transitive trusts (Kerberos V5 trust relationships). To check transitive trusts, you can use the NETDOM utility.
• Diagnose replication latencies test: Analyzes incoming replications and watches for delays or preemption of a higher-priority job. If the replication process is delayed or preempted, latencies have occurred that slow the process. This problem typically occurs because a higher-priority task hasn't relinquished the computer's processor or because a large number of replication requests or tasks are pending. New replication tasks are delayed because the domain controller is overloaded with replication requests.
• Replication of trust objects test: Checks whether the computer account object has been replicated to all additional domain controllers in the domain. It also checks whether the DSA object has been replicated to all replicas of the configuration directory partition.
• File Replication Service (FRS) test: Verifies that FRS has started successfully on all domain controllers. If it hasn't, this test delays the NETLOGON service from advertising that domain controller.
• Critical services check test: Verifies that these key services are running: FRS, Inter-site Messaging Service, Kerberos Key Distribution Center Service, Server Service, Workstation Service, Remote Procedure Call Locator Service, Windows Time Service, Distributed Link Tracking Client Service, Distributed Link Tracking Server Service, and NETLOGON service.
You can also use DCDIAG with the /repairmachineaccount command-line switch, which re-creates the domain controller's machine account if it has been accidentally deleted.
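The tests above can be selected individually with DCDIAG's /test: switch and the summary lines parsed, which is handy when checking several domain controllers at once. The script below is an added example (not from the original FAQ); it assumes dcdiag.exe is on the path and that the caller can query the named domain controllers.

```powershell
# Added example, not from the original FAQ: run a chosen subset of the DCDIAG tests listed
# above against one or more domain controllers and tabulate which tests passed or failed.
# Assumes dcdiag.exe is available and the caller can query the named domain controllers.
param(
    [string[]]$DomainController = @($env:COMPUTERNAME),
    # Names as DCDIAG expects them on /test:. They correspond to the tests described above:
    # Connectivity, Replications, Topology, NCSecDesc (partition head permissions),
    # LocatorCheck, Intersite, FrsEvent, Services, VerifyReferences (replication of trust objects).
    [string[]]$Tests = @('Connectivity', 'Replications', 'Topology', 'NCSecDesc',
                         'LocatorCheck', 'Intersite', 'FrsEvent', 'Services', 'VerifyReferences')
)

$results = foreach ($dc in $DomainController) {
    # /s: names the domain controller to test; one /test: switch per requested test.
    $dcdiagArgs = @("/s:$dc") + ($Tests | ForEach-Object { "/test:$_" })
    $output = & dcdiag.exe @dcdiagArgs 2>&1

    foreach ($line in $output) {
        # DCDIAG prints one summary line per test:
        # "......................... <DC> passed test <Name>" or "... failed test <Name>".
        if ("$line" -match '(passed|failed) test (\S+)') {
            [pscustomobject]@{
                DomainController = $dc
                Test             = $Matches[2]
                Passed           = ($Matches[1] -eq 'passed')
            }
        }
    }
}

$results | Sort-Object DomainController, Test | Format-Table -AutoSize

# Summarise failures so a scheduled run can alert on them; rerun DCDIAG with /v for detail.
$failed = @($results | Where-Object { -not $_.Passed })
if ($failed.Count -gt 0) {
    $list = ($failed | ForEach-Object { "$($_.DomainController):$($_.Test)" }) -join ', '
    Write-Warning ("{0} DCDIAG test(s) failed: {1}" -f $failed.Count, $list)
}
```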
55. Using NTDSUTIL?
The Directory Services Management utility (NTDSUTIL.EXE) is a command-line utility included in Windows that you can use to troubleshoot and repair AD. Although Microsoft designed the utility to be used interactively via a command-prompt session (launched simply by typing NTDSUTIL at any command prompt), you can also run it by using scripting and automation. NTDSUTIL allows you to troubleshoot and maintain various internal components of AD. For example, you can manage the directory store or database and clean up orphaned data objects that were improperly removed. You can also maintain the directory service database, prepare for new domain creations, manage the control of the FSMOs, purge meta data left behind by abandoned domain controllers (those removed from the forest without being uninstalled), and clean up objects and attributes of decommissioned or demoted servers. At each NTDSUTIL menu, you can type help for more information about the available options.
56. Locating the Directory Database Files
Before you use the NTDSUTIL utility to carry out troubleshooting and integrity checking on the AD database, you can use its Info command to determine the location and size of the directory database files. The Info command:
• Reports the free space for all disks installed on the domain controller
• Reads the registry keys and associated location of the AD database files
• Reports the size of each of the database files, log files, and other associated files
Before you perform this check, you must either run NTDSUTIL after having booted the domain controller via the special Directory Service Restore mode Safe Boot option or set the environment variable SAFEBOOT_OPTION to a value of DSREPAIR under a normal boot of Windows (for example, via the command SET SAFEBOOT_OPTION=DSREPAIR).
To execute the Info command, select Start, Programs, Accessories, Command Prompt. In the Command Prompt window, type NTDSUTIL, then press Enter.
At the ntdsutil prompt, enter the word files
The utility responds by displaying a file maintenance prompt. The following commands have been entered and displayed to this point:
C:\>SET SAFEBOOT_OPTION=DSREPAIR
C:\>NTDSUTIL
ntdsutil: files
file maintenance:
At the file maintenance prompt, enter the word info
57. Checking for Low-Level Database Corruption
One of the first items you need to check when troubleshooting a domain controller in AD is that the underlying database is functioning properly. To do so, you can use NTDSUTIL's Integrity option to detect any low-level database corruption of the directory files. The Integrity option checks that the headers for the database are correct and that all of the internal database tables are functioning and consistent with each other.
Before you perform a low-level database-integrity check, you need to start the domain controller in Directory Service Restore mode. To do so, restart the domain controller. When you're prompted, press F8 to display the Advanced Options menu. Select Directory Service Restore mode and press Enter, then log on using the Administrator account and password that you assigned during the DCPROMO process.
To run the NTDSUTIL Integrity option, select Start, Programs, Accessories, Command Prompt. In the Command prompt window, type
NTDSUTIL
Then press Enter.
At the ntdsutil prompt, enter the word files
The utility responds by showing you the file maintenance category. The commands to this point appear in the Command Prompt window as follows:
I:>NTDSUTIL
ntdsutil: files
file maintenance:
At the file maintenance prompt, enter the word integrity
to start the low-level database check on the domain controller. (The Integrity command reads every byte of the directory data file and displays the percentage of completion as a graph. Depending on the size of your database and the type of hardware you're using for the domain controller, this process can take a considerable amount of time.)
58. Checking for Inconsistencies in the Database Contents
In addition to using NTDSUTIL to verify that the AD database is functioning properly, you can use it to help you check the consistency of the contents of the AD database. The option in NTDSUTIL that performs a contents check is the Semantic Checker. The Semantic Checker option differs from the Integrity option in that the Semantic Checker addresses the contents (objects and attributes) of the directory database, not just its low-level structures.
When you run the Semantic Checker, it performs the following checks:
• Reference Count Check: Counts the number of references in the database tables and matches the results with the values that are stored in the data file. This operation also ensures that each object has a globally unique identifier (GUID) and distinguished name (DN). For a previously deleted object, this operation ensures that the object has a deleted time and date but doesn't have a GUID or DN.
• Deleted Object Check: Ensures that the object has a time and date as well as a special relative distinguished name (RDN), given when the object was originally deleted.
• Ancestor Check: Ensures that the DN tag is equal to the ancestor list of the parent; put another way, it checks that the DN of the object minus its RDN is equal to its parent's DN.
• Security Descriptor Check: Ensures that there is a valid descriptor and that the discretionary access control list (DACL) isn't empty.
• Replication Check: Verifies that there is an up-to-dateness vector in the directory partition and checks to see that every object has meta data.
Like the Integrity option described earlier, you can run the Semantic Checker option only when the domain controller is in Directory Service Restore mode. To run in this mode, restart the domain controller. When you're prompted, press F8 to display the Advanced Options menu. Select Directory Service Restore mode and press Enter, then log on using the administrator account and password that you assigned during the DCPROMO process. To run the Semantic Checker option, select Start, Programs, Accessories, Command Prompt. In the Command Prompt window, type
NTDSUTIL
Then press Enter. At the ntdsutil prompt, type semantic database analysis
Then press Enter. Next, type verbose on
This command displays the Semantic Checker. To start the Semantic Checker without having it repair any errors, type
go
To start it and have it repair any errors that it encounters in the database, enter go fixup
The commands to this point appear in the Command Prompt window as follows:
I:>NTDSUTIL
ntdsutil: semantic database analysis
semantic checker: verbose on
Verbose mode enabled.
semantic checker: go
59. Cleaning Up the Meta Data
The NTDSUTIL program allows you to clean up the meta data that is left behind after a domain controller is demoted. The utility that you use to demote a domain controller is the DCPROMO utility (DCPROMO.EXE). This utility is used to promote a server to a domain controller and demote a domain controller to a member server. As part of the demotion process, DCPROMO removes the configuration data for the domain controller from AD. This data takes the form of an NTDS Settings object, which exists as a child to the server object in the Active Directory Sites and Services Manager and is located in AD as the following object:
CN=NTDS Settings,CN=<server_name>,CN=Servers,CN=<site_name>,CN=Sites,CN=Configuration,DC=<domain>...
The attributes of the NTDS Settings object contain values about the domain controller's replication partners, naming contexts, whether the domain controller is a GC server, and the default query policy. The NTDS Settings object is also a container that may have child objects that represent the replication partners. This data is required for the domain controller to synchronize quickly but is retired upon demotion. If the NTDS Settings object isn't properly removed when the domain controller is demoted, you can use the NTDSUTIL utility to manually remove the NTDS Settings object.
To clean up the meta data, select Start, Programs, Accessories, Command Prompt. At the command prompt, type
NTDSUTIL
Then press Enter. At the ntdsutil prompt, type metadata cleanup
Then press Enter. Based on the options returned to the screen, you can use additional configuration parameters to ensure that the removal occurs correctly.
Before you clean up the metadata, you must select the server on which you want to make the changes. To connect to a target server, type
connections
Then press Enter. If the user who is currently logged on to the computer running NTDSUTIL doesn't have administrative permissions on the target server, alternative credentials need to be supplied before making the connection. To supply alternative credentials, type the following command, then press Enter:
set creds <domain_name> <user_name> <password>
Next, type
connect to server <server_name>
Then press Enter. You should receive confirmation that the connection has been successfully established. If an error occurs, verify that the domain controller you specified is available and that the credentials you supplied have administrative permissions on the server. When a connection has been established and you've provided the right credentials, type
quit
then press Enter, to exit the Connections menu in NTDSUTIL. When the Meta Data Cleanup menu is displayed, type
select operation target
and press Enter. Type
list domains
Then press Enter. A list of domains in the forest is displayed, each with an associated number. To select the appropriate domain, type
select domain <number>
and press Enter (where <number> is the number associated with the domain of which the domain controller you're removing is a member). The domain you select determines whether the server being removed is the last domain controller of that domain. Type
list sites
Then press Enter. A list of sites, each with an associated number, is displayed. Type
select site <number>
And press Enter (where <number> is the number associated with the site of which the server you're removing is a member). You should receive a confirmation, listing the site and domain you chose. Once you receive a confirmation, type
list servers in site
And press Enter. A list of servers in the site, each with an associated number, is displayed. Type
select server <number>
And press Enter (where <number> is the number associated with the server you want to remove). You receive a confirmation, listing the selected server, its DNS host name, and the location of the server's computer account that you want to remove. After you've selected the proper domain and server, type
quit
To exit the current NTDSUTIL submenu. When the Meta Data Cleanup menu is displayed, type
remove selected server
And press Enter. You should receive confirmation that the server was removed successfully. If the NTDS Settings object has already been removed, you may receive the following error message:
Error 8419 (0x20E3)
The DSA object couldn't be found
Type
quit
At each menu to quit the NTDSUTIL utility. You should receive confirmation that the connection disconnected successfully.
60. Moving the AD Database or Log Files
There are several common problems that occur with AD that all stem from the same source: low disk space. These problems may surface as any of a number of error messages in the Windows event logs. The following list highlights the most common of these errors along with their associated symptoms and solutions.
• The following error message may occur when you start AD on a domain controller:
Lsass.exe - System Error
Directory Services could not start because of the following Error: There is not enough space on the disk. Error Status: 0xc000007f. please click OK to shutdown this system and reboot into Directory Service Restore Mode, check the event logs for more detailed information.
When this error occurs, the following events are recorded in the event logs for the directory service on the domain controller and can be viewed by using Event Viewer:
Event ID: 1393
Attempts to update the Directory Service database are failing with error 112. Since Windows will be unable to log on users while this condition persists, the Netlogon service is being paused. Check to make sure that adequate free disk space is available on the drives where the directory database and log files reside.
Event ID: 428
NTDS (272) the database engine is rejecting update operations due to low free disk space on the log disk.
• The following warning message is recorded in the System Log of the domain controller and can be viewed by using Event Viewer:
Event ID 2013:
The D: disk is nearing Capacity. You may need to delete some files.
If the disk drive runs out of disk space, AD won't start up. Windows attempts to avoid this situation, but it can occur if you ignore warnings about low disk space in the System Log or if you run large scripts against AD for mass directory imports. To resolve the problem of having no disk space, you can either make space available on the same disk drive or move AD to a separate drive. The first method requires you to simply reduce the number of files or folders on the same disk drive as the directory database.
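The warnings above are the point at which to act, before AD refuses to start. The following PowerShell script is an added example, not code from the original FAQ: it reads the NTDS.DIT and log-file locations from the NTDS service's Parameters registry key, checks free space on the volumes that hold them, and pulls the low-disk events the text lists (1393 and 428 in the Directory Service log, 2013 in the System log). It assumes it runs on the domain controller with local administrator rights; the 500 MB and 10 % thresholds are my own choice, not values from the FAQ.

```powershell
# Added example, not from the original FAQ. Locates the AD database and log
# files, checks free space on their volumes, and collects the low-disk events
# that precede an AD start failure. Assumes local admin on the DC. Thresholds
# (500 MB / 10 %) are constructed defaults, not values from the FAQ.

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-NtdsFileLocations {
    # These are the registry values NTDSUTIL 'files' 'info' reports and that
    # 'move db to' / 'move logs to' rewrite.
    $p = Get-ItemProperty -Path $NtdsParams
    [pscustomobject]@{
        Database = $p.'DSA Database file'        # full path to NTDS.DIT
        LogPath  = $p.'Database log files path'  # folder holding the ESE logs
        WorkDir  = $p.'DSA Working Directory'
    }
}

function Get-VolumeFreeSpace {
    param([Parameter(Mandatory)] [string] $Path)
    $drive = ([System.IO.Path]::GetPathRoot($Path)).TrimEnd('\')   # e.g. 'D:'
    $disk  = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'"
    [pscustomobject]@{
        Path        = $Path
        Drive       = $drive
        FreeBytes   = [int64]$disk.FreeSpace
        FreePercent = [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1)
    }
}

function Test-NtdsDiskSpace {
    param([int64] $MinFreeBytes = 500MB, [double] $MinFreePercent = 10)
    $loc = Get-NtdsFileLocations
    # Database and logs may share a volume; check each distinct path once.
    foreach ($path in @($loc.Database, $loc.LogPath) | Select-Object -Unique) {
        $v = Get-VolumeFreeSpace -Path $path
        $low = ($v.FreeBytes -lt $MinFreeBytes) -or ($v.FreePercent -lt $MinFreePercent)
        $v | Add-Member -NotePropertyName Low -NotePropertyValue $low -PassThru
    }
}

function Get-NtdsLowDiskEvents {
    param([int] $Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    # Event IDs taken from the FAQ text; -ErrorAction hides the "no events" error.
    $ds  = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = @(1393, 428); StartTime = $since } -ErrorAction SilentlyContinue
    $sys = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = @(2013); StartTime = $since } -ErrorAction SilentlyContinue
    @($ds) + @($sys) | Where-Object { $_ } | Sort-Object TimeCreated |
        Select-Object TimeCreated, LogName, Id, Message
}

# Usage: run both checks and flag anything that needs attention.
$space = Test-NtdsDiskSpace
$space | Format-Table -AutoSize
if ($space | Where-Object Low) {
    Write-Warning 'NTDS volume(s) low on space: free space or move the DB/logs before AD stops starting.'
}
Get-NtdsLowDiskEvents | Format-Table -AutoSize -Wrap
```

Scheduling this as a task on each DC, or feeding the event query into whatever log collector is already in place, turns the "disk is nearing Capacity" warning into an alert rather than something discovered after Lsass refuses to start.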
If you want to move the AD database to another drive on the domain controller, you can use the NTDSUTIL utility to move either the database file or the database log files. This method is ideal when you cannot move data to another drive to free space. If all drives are at capacity, you might need to install an additional hard disk in the domain controller.
Before you move the directory database file or log files, you need to start the domain controller in Directory Service Restore mode. To do so, restart the domain controller. When you're prompted, press F8 to display the Advanced Options menu. Select Directory Service Restore Mode and press Enter, then log on using the administrator account and password that you assigned during the DCPROMO process.
To move the directory database file or log files, locate the drive containing the directory and log files. The directory database (NTDS.DIT) and log files are located in the NTDS folder on the root drive by default. (However, the administrator may have changed their locations during the DCPROMO process.) Next, select Start, Programs, Accessories, Command Prompt. In the Command prompt window, type
NTDSUTIL
Then press Enter. At the ntdsutil prompt, enter the word files
The utility displays the file maintenance category. The commands to this point should appear as follows:
I:>NTDSUTIL
ntdsutil: files
file maintenance:
At the file maintenance prompt, type
info
To display the location of the AD database files, log files, and other associated files. Note the location of the database and log files.
To move the database files to a target disk drive, type the following command at the ntdsutil prompt:
MOVE DB TO %s (where %s is the target folder on another drive)
To move the log files to a target disk drive, type the following command at the ntdsutil prompt. (The target directory where you move the database file or log files is specified by the %s parameter. The Move command moves the files and updates the registry keys on the domain controller so that AD restarts using the new location.)
MOVE LOGS TO %s (where %s is the target folder on another drive)
To quit NTDSUTIL, type
quit
Twice to return to the command prompt, then restart the domain controller normally.
61. Repairing the AD Database
You can use the NTDSUTIL Repair feature to repair the AD database file. However, you should use it only as a last resort for recovering the database—if a valid backup is available, always use it first to restore the data. The reason is that repairing the directory database doesn't always work correctly. For example, if a database file is corrupt, using the NTDSUTIL Repair feature may not restore all objects and attributes. In fact, in some cases, there is a risk that using the Repair feature will cause further data to be lost.
To repair the AD database file, select Start, Programs, Accessories, Command Prompt. In the Command Prompt window, type
NTDSUTIL
Then press Enter. At the ntdsutil prompt, enter the word files
The utility displays the file maintenance category. At the file maintenance prompt, enter the word repair
The commands to this point should appear as follows:
I:>NTDSUTIL
ntdsutil: files
file maintenance: repair
As soon as the repair operation has completed, run the NTDSUTIL Semantic Checker on the database. Figure 5.12 shows the results of using the NTDSUTIL Repair option.
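Both the move procedure in section 60 and the repair procedure in section 61 are interactive NTDSUTIL menu walks, and both are easy to get wrong under pressure. The following PowerShell script is an added example, not code from the original FAQ or from Microsoft: it drives the same NTDSUTIL commands non-interactively (ntdsutil accepts each menu command as a separate argument, and q pops one menu level), refuses to run unless the DC is in Directory Services Restore Mode, makes the repair path require an explicit acknowledgement that no usable backup exists, and runs the semantic checker after the repair as the text directs. It assumes ntdsutil.exe is on the PATH; the target folders are placeholders, and the SAFEBOOT_OPTION check is an assumption about how the DSRM boot is exposed to scripts.

```powershell
# Added example, not from the original FAQ. Runs the NTDSUTIL file-maintenance
# steps from sections 60 and 61 non-interactively. Assumes ntdsutil.exe is on
# the PATH and that the DC was booted into Directory Services Restore Mode, as
# the text requires. Target folders below are placeholders.

# On Windows Server 2008 and later the 'files' menu must be preceded by
# 'activate instance ntds'; the Windows 2000/2003 DCs the FAQ describes do not
# have that command, so set this to @() there.
$NtdsMenuPrefix = @('activate instance ntds')

function Assert-DsrmBoot {
    # A DSRM boot sets SAFEBOOT_OPTION=DSREPAIR (assumption: present on the
    # Windows versions you run this on). Refuse to touch the files otherwise.
    if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
        throw 'Not in Directory Services Restore Mode; reboot with F8 > DSRM first.'
    }
}

function Invoke-Ntdsutil {
    # Each element of $Commands is one menu command; 'q' backs out one level,
    # so two trailing q's return from 'file maintenance' to the shell.
    param([Parameter(Mandatory)] [string[]] $Commands)
    $argv = $NtdsMenuPrefix + $Commands
    $raw  = & ntdsutil.exe @argv 2>&1
    [pscustomobject]@{
        Commands = $argv -join ' | '
        ExitCode = $LASTEXITCODE
        Output   = ($raw | Out-String)
    }
}

function Move-NtdsFiles {
    # Section 60: move the database and/or the log files. 'info' afterwards
    # echoes the new locations that the move wrote into the registry.
    param([string] $DatabaseTarget, [string] $LogTarget)   # e.g. 'E:\NTDS', 'F:\NTDSLogs'
    Assert-DsrmBoot
    if (-not ($DatabaseTarget -or $LogTarget)) { throw 'Nothing to move.' }
    $cmds = @('files')
    if ($DatabaseTarget) {
        New-Item -ItemType Directory -Path $DatabaseTarget -Force | Out-Null
        $cmds += "move db to $DatabaseTarget"
    }
    if ($LogTarget) {
        New-Item -ItemType Directory -Path $LogTarget -Force | Out-Null
        $cmds += "move logs to $LogTarget"
    }
    $cmds += 'info', 'q', 'q'
    Invoke-Ntdsutil -Commands $cmds
}

function Repair-NtdsDatabase {
    # Section 61: last resort only. The switch name is deliberately awkward so
    # that nobody runs this by reflex when a backup could be restored instead.
    param([switch] $NoUsableBackupConfirmed)
    if (-not $NoUsableBackupConfirmed) {
        throw 'Repair is a last resort: restore from a valid backup if one exists.'
    }
    Assert-DsrmBoot
    $steps = [ordered]@{}
    # Integrity check first, so the before/after state is on record.
    $steps.IntegrityBefore = Invoke-Ntdsutil -Commands @('files', 'integrity', 'q', 'q')
    # 'repair' is the FAQ's Windows 2000/2003-era subcommand; newer ntdsutil
    # builds may no longer offer it under 'files'.
    $steps.Repair          = Invoke-Ntdsutil -Commands @('files', 'repair', 'q', 'q')
    # The text says to run the semantic checker right after the repair; 'go' is
    # the read-only analysis ('go fixup' would also correct what it finds).
    $steps.SemanticCheck   = Invoke-Ntdsutil -Commands @('semantic database analysis', 'go', 'q', 'q')
    [pscustomobject]$steps
}

# Usage (placeholders): move only the logs to another volume and read the output.
# (Move-NtdsFiles -LogTarget 'F:\NTDSLogs').Output
```

Keeping the captured Output of each step, rather than scrolling past it in a console, gives you the "before" and "after" record that the text's warning about repair losing data makes essential: if objects are missing afterwards, the integrity and semantic-checker output is what tells you whether the loss was already present in the file or introduced by the repair.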