
FSMO

FSMO Roles
In a forest, there are at least five FSMO roles that are
assigned to one or more domain controllers. The five FSMO
roles are:
• Schema Master: The schema master domain controller
controls all updates and modifications to the schema. To
update the schema of a forest, you must have access to
the schema master. There can be only one schema master
in the whole forest.
• Domain naming master: The domain controller holding the
domain naming master role controls the addition or
removal of domains in the forest. There can be only one
domain naming master in the entire forest.
Note
• Any domain controller running Windows Server 2003 can hold the
role of the domain naming master. A domain controller running
Windows 2000 Server that holds the role of domain naming master
must also be enabled as a global catalog server.
• Infrastructure Master: At any time, there can be only one
domain controller acting as the infrastructure master in
each domain. The infrastructure master is responsible for
updating references from objects in its domain to objects
in other domains. The infrastructure master compares its
data with that of a global catalog. Global catalogs receive
regular updates for objects in all domains through
replication, so the global catalog data will always be up to
date. If the infrastructure master finds data that is out of
date, it requests the updated data from a global catalog.
The infrastructure master then replicates that updated
data to the other domain controllers in the domain.
Important
• Unless there is only one domain controller in the domain, the
infrastructure master role should not be assigned to the domain
controller that is hosting the global catalog. If the infrastructure
master and global catalog are on the same domain controller, the
infrastructure master will not function. The infrastructure master will
never find data that is out of date, so it will never replicate any
changes to the other domain controllers in the domain.
In the case where all of the domain controllers in a domain are also
hosting the global catalog, all of the domain controllers will have the
current data and it does not matter which domain controller holds the
infrastructure master role.
The infrastructure master is also responsible for updating
the group-to-user references whenever the members of
groups are renamed or changed. When you rename or
move a member of a group (and that member resides in a
different domain from the group), the group may
temporarily appear not to contain that member. The
infrastructure master of the group's domain is responsible
for updating the group so it knows the new name or
location of the member. This prevents the loss of group
memberships associated with a user account when the
user account is renamed or moved. The infrastructure
master distributes the update via multimaster replication.
There is no compromise to security during the time
between the member rename and the group update. Only
an administrator looking at that particular group
membership would notice the temporary inconsistency.
For information about transferring operations master roles, see Transferring operations master roles. For information about what to do when an operations master fails, see Responding to operations master failures.

• Relative ID (RID) Master: The RID master allocates sequences of relative IDs (RIDs) to each of the various domain controllers in its domain. At any time, there can be only one domain controller acting as the RID master in each domain in the forest.
Whenever a domain controller creates a user, group, or
computer object, it assigns the object a unique security ID
(SID). The SID consists of a domain SID, which is the
same for all SIDs created in the domain, and a RID, which
is unique for each SID created in the domain.
To move an object between domains (using Movetree.exe),
you must initiate the move on the domain controller acting
as the RID master of the domain that currently contains
the object.

• PDC Emulator: If the domain contains computers operating without Windows 2000 or Windows XP Professional client software or if it contains Windows NT backup domain controllers (BDCs), the PDC emulator master acts as a Windows NT primary domain controller. It processes password changes from clients and replicates updates to the BDCs. At any time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.
By default, the PDC emulator master is also responsible for
synchronizing the time on all domain controllers
throughout the domain. The PDC emulator of a domain
gets its clock set to the clock on an arbitrary domain
controller in the parent domain. The PDC emulator in the
parent domain should be configured to synchronize with an
external time source. You can synchronize the time on the
PDC emulator with an external server by executing the
"net time" command with the following syntax:
net time \\ServerName /setsntp:TimeSource
The end result is that the time of all computers running Windows Server 2003 or Windows 2000 in the entire forest is within seconds of each other.
The PDC emulator receives preferential replication of
password changes performed by other domain controllers
in the domain. If a password was recently changed, that
change takes time to replicate to every domain controller
in the domain. If a logon authentication fails at another
domain controller due to a bad password, that domain
controller will forward the authentication request to the
PDC emulator before rejecting the log on attempt.
The domain controller configured with the PDC emulator
role supports two authentication protocols:
• the Kerberos V5 protocol
• the NTLM protocol
You can transfer FSMO roles by using the Ntdsutil.exe
command-line utility or by using an MMC snap-in tool.
Depending on the FSMO role that you want to transfer, you
can use one of the following three MMC snap-in tools:
Active Directory Schema snap-in
Active Directory Domains and Trusts snap-in
Active Directory Users and Computers snap-in
If a computer no longer exists, the role must be seized. To
seize a role, use the Ntdsutil.exe utility.

Transfer the Schema Master Role

Use the Active Directory Schema Master snap-in to transfer the schema master role. Before you can use this snap-in, you must register the Schmmgmt.dll file.

Register Schmmgmt.dll
1. Click Start, and then click Run.
2. Type regsvr32 schmmgmt.dll in the Open box, and
then click OK.
3. Click OK when you receive the message that the
operation succeeded.
Transfer the Schema Master Role
1. Click Start, click Run, type mmc in the Open box, and
then click OK.
2. On the File menu, click Add/Remove Snap-in.
3. Click Add.
4. Click Active Directory Schema, click Add, click Close,
and then click OK.
5. In the console tree, right-click Active Directory
Schema, and then click Change Domain Controller.
6. Click Specify Name, type the name of the domain
controller that will be the new role holder, and then click
OK.
7. In the console tree, right-click Active Directory
Schema, and then click Operations Master.
8. Click Change.
9. Click OK to confirm that you want to transfer the role,
and then click Close.

Transfer the Domain Naming Master Role


1. Click Start, point to Administrative Tools, and then
click Active Directory Domains and Trusts.
2. Right-click Active Directory Domains and Trusts, and
then click Connect to Domain Controller.

NOTE: You must perform this step if you are not on the
domain controller to which you want to transfer the role.
You do not have to perform this step if you are already
connected to the domain controller whose role you want
to transfer.
3. Do one of the following:
• In the Enter the name of another domain
controller box, type the name of the domain
controller that will be the new role holder, and then
click OK.

-or-
• In the Or, select an available domain controller
list, click the domain controller that will be the new
role holder, and then click OK.
4. In the console tree, right-click Active Directory
Domains and Trusts, and then click Operations
Master.
5. Click Change.
6. Click OK to confirm that you want to transfer the role,
and then click Close.
Transfer the RID Master, PDC Emulator, and
Infrastructure Master Roles
1. Click Start, point to Administrative Tools, and then
click Active Directory Users and Computers.
2. Right-click Active Directory Users and Computers,
and then click Connect to Domain Controller.

NOTE: You must perform this step if you are not on the
domain controller to which you want to transfer the role.
You do not have to perform this step if you are already
connected to the domain controller whose role you want
to transfer.
3. Do one of the following:
• In the Enter the name of another domain
controller box, type the name of the domain
controller that will be the new role holder, and then
click OK.

-or-
• In the Or, select an available domain controller
list, click the domain controller that will be the new
role holder, and then click OK.
4. In the console tree, right-click Active Directory Users
and Computers, point to All Tasks, and then click
Operations Master.
5. Click the appropriate tab for the role that you want to
transfer (RID, PDC, or Infrastructure), and then click
Change.
6. Click OK to confirm that you want to transfer the role,
and then click Close.

How to Determine the RID, PDC, and Infrastructure FSMO Holders of a Selected Domain
1. Click Start, click Run, type dsa.msc, and then click
OK.
2. Right-click the selected Domain Object in the top left
pane, and then click Operations Masters.
3. Click the PDC tab to view the server holding the PDC
master role.
4. Click the Infrastructure tab to view the server holding
the Infrastructure master role.
5. Click the RID Pool tab to view the server holding the
RID master role.


How to Determine the Schema FSMO Holder in a Forest
1. Click Start, click Run, type mmc, and then click OK.
2. On the Console menu, click Add/Remove Snap-in,
click Add, double-click Active Directory Schema, click
Close, and then click OK.
3. Right-click Active Directory Schema in the top left
pane, and then click Operations Masters to view the
server holding the schema master role.
NOTE: For the Active Directory Schema snap-in to be
available, you may have to register the Schmmgmt.dll file.
To do this, click Start, click Run, type regsvr32
schmmgmt.dll in the Open box, and then click OK. A
message is displayed that states the registration was
successful.


How to Determine the Domain Naming FSMO Holder in a Forest
1. Click Start, click Run, type mmc, and then click OK.
2. On the Console menu, click Add/Remove Snap-in,
click Add, double-click Active Directory Domains and
Trusts, click Close, and then click OK.
3. In the left pane, click Active Directory Domains and
Trusts.
4. Right-click Active Directory Domains and Trusts, and then click Operations Master to view the server holding the domain naming master role in the forest.


Using the Windows 2000 Server Resource Kit

The Windows 2000 Resource Kit contains a .cmd file called Dumpfsmos.cmd that you can use to quickly list FSMO role owners for your current domain and forest. The .cmd file uses Ntdsutil.exe to enumerate the role owners. The Dumpfsmos.cmd file contains:

@echo off
REM
REM Script to dump FSMO role owners on the server designated by %1
REM
if ""=="%1" goto usage
Ntdsutil roles Connections "Connect to server %1" Quit "select Operation Target" "List roles for connected server" Quit Quit Quit
goto done
:usage
@echo Please provide the name of a domain controller (i.e. dumpfsmos MYDC)
@echo.
:done


Using the NTDSUTIL Tool

NTDSUTIL is a tool included with Windows 2000 Server, Windows 2000 Advanced Server, and Windows 2000 Datacenter Server. This tool can be used to verify and change certain aspects of Active Directory. The following are the steps needed to view the Flexible Single Master Operation (FSMO) roles on a given domain controller.

Ntdsutil.exe is the only tool that shows you all the FSMO role
owners. You can view the PDC emulator, RID master, and
infrastructure master role owners in Active Directory Users
and Computers. You can view the schema master role owner
in the Active Directory Schema snap-in. You can view the
domain naming master role owner in Active Directory
Domains and Trusts.
1. Click Start, click Run, type cmd in the Open box, and
then press ENTER.
2. Type ntdsutil, and then press ENTER.
3. Type domain management, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server ServerName, where
ServerName is the Name of the Domain Controller you
would like to view, and then press ENTER.
6. Type quit, and then press ENTER.
7. Type select operation target, and then press ENTER.
8. Type list roles for connected server, and then press
ENTER.
A list similar to the one below is displayed. Results vary depending on the roles the particular domain controller holds. If you receive an error message, check the spelling of the commands, because the syntax of the commands must be exact. If you need the syntax of a command, type ? at each prompt:

Server "dc1" knows about 5 roles
Schema - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com
Domain - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com
PDC - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com
RID - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com
Infrastructure - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com
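As an added illustration (not part of the original text), the Python below parses the ntdsutil role listing shown above into a role-to-server map, then applies the infrastructure master placement rule from the Important note earlier on this page. The sample listing is constructed from the one above with the Infrastructure role moved to a hypothetical DC2; the global catalog and domain controller lists passed in are likewise assumed.

```python
import re

# Constructed sample input: the "list roles for connected server" listing shown
# on this page, with the Infrastructure role moved to a hypothetical DC2 so the
# placement check below has something to report. ("Domain" is ntdsutil's label
# for the domain naming master.)
NTDSUTIL_OUTPUT = """\
Server "dc1" knows about 5 roles
Schema - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com
Domain - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com
PDC - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com
RID - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com
Infrastructure - CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com
"""

ROLE_LINE = re.compile(r"^(Schema|Domain|PDC|RID|Infrastructure) - (CN=.+)$")


def server_from_ntds_dn(dn):
    """Role owners are named by their NTDS Settings object:
    CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,... -> <server>."""
    rdns = [r.strip() for r in dn.split(",")]
    if len(rdns) < 3 or rdns[0] != "CN=NTDS Settings" or rdns[2] != "CN=Servers":
        raise ValueError("not an NTDS Settings DN: " + dn)
    return rdns[1][len("CN="):]


def parse_role_owners(text):
    """Map each FSMO role named in the listing to the server that holds it."""
    owners = {}
    for line in text.splitlines():
        match = ROLE_LINE.match(line.strip())
        if match:
            role, dn = match.groups()
            owners[role] = server_from_ntds_dn(dn)
    return owners


def check_infrastructure_placement(owners, gc_servers, all_dcs):
    """Placement rule from the Important note: unless the domain has a single DC,
    or every DC is a global catalog, the infrastructure master must not be a GC,
    because a GC-hosted infrastructure master never finds stale cross-domain
    references and therefore never replicates corrections."""
    holder = owners["Infrastructure"].upper()
    gcs = {s.upper() for s in gc_servers}
    dcs = {s.upper() for s in all_dcs}
    if len(dcs) == 1:
        return "ok: single domain controller in the domain"
    if dcs <= gcs:
        return "ok: every domain controller is a global catalog"
    if holder in gcs:
        return (f"warning: infrastructure master {holder} is a global catalog "
                "and will not update cross-domain references")
    return "ok"


if __name__ == "__main__":
    roles = parse_role_owners(NTDSUTIL_OUTPUT)
    for role, server in roles.items():
        print(f"{role:15} {server}")
    # Assumed topology: three DCs, of which DC1 and DC2 are global catalogs.
    print(check_infrastructure_placement(roles, ["DC1", "DC2"], ["DC1", "DC2", "DC3"]))
```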

USING DCDIAG
On a Windows 2000 Domain Controller, run the following
command:
DCdiag /test:Knowsofroleholders /v
You must use the /v switch. This lists the owners of all FSMO
roles in the enterprise.

An operations master role can only be moved by administrative involvement; it is not moved automatically. Additionally, moving a role is controlled by standard Windows 2000 access controls. Thus a corporation should tightly control the location and movement of operations master roles. For example, an organization with a strong IT presence might place the schema role on a server in the IT group and configure its access control list (ACL) so that it cannot be moved at all.
Operations master roles require two forms of management:
controlled transfer and seizure.
Use controlled transfer when you want to move a role from
one server to another, perhaps to track a policy change with
respect to role location or in anticipation of a server being
shut down, moved, or decommissioned.
Seizure is required when a server that is holding a role fails
and you do not intend to restore it. Even in the case of a
server recovered from a backup, the server does not assume
that it owns a role (even if the backup tape says so),
because the server cannot determine if the role was
legitimately transferred to another server in the time period
between when the backup was made and the server failed
and was recovered. The restored server assumes role
ownership only if a quorum of existing servers is available
during recovery and they all agree that the restored server
is still the owner.
The Roles submenu in Ntdsutil is used to perform controlled
transfer and recovery of operations master roles. Controlled
transfer is simple and safe. Because the source and
destination servers are running, the system software
guarantees that the operations master role token and its
associated data is transferred atomically. Operations master
role seizure is equally simple but not as safe. You simply tell
a particular domain controller that it is now the owner of a
particular role.
Caution
Do not make a server a role owner by means of seizure
commands if the real role holder exists on the network.
Doing this could create irreconcilable conflicts for key system
data. If an operations master role owner is temporarily
unavailable, do not make another domain controller the role
owner. This could result in a situation where two computers
function as the role owner, which might cause irreconcilable
conflicts for key system data.
The commands listed in Table C.4 are found in the Roles submenu and perform controlled transfer and recovery of operations master roles.

Table C.4 Roles Commands

Abandon all roles
    Instructs the domain controller to which you are connected to give away all operations master roles it owns. This command is not guaranteed to succeed because eligible role recipients might be currently unreachable or because the domain controller to which you are connected is the last domain controller for the domain.
Connections
    Invokes the Connections submenu.
Seize domain naming master
    Forces the domain controller to which you are connected to claim ownership of the domain-naming operations master role without regard to the data associated with the role. Use only for recovery purposes.
Seize infrastructure master
    Forces the domain controller to which you are connected to claim ownership of the infrastructure operations master role without regard to the data associated with the role. Use only for recovery purposes.
Seize PDC
    Forces the domain controller to which you are connected to claim ownership of the PDC operations master role without regard to the data associated with the role. Use only for recovery purposes.
Seize RID master
    Forces the domain controller to which you are connected to claim ownership of the relative ID master role without regard to the data associated with the role. Use only for recovery purposes.
Seize schema master
    Forces the domain controller to which you are connected to claim ownership of the schema operations master role without regard to the data associated with the role. Use only for recovery purposes.
Select operation target
    Invokes the Select operation target submenu.
Transfer domain naming master
    Instructs the domain controller to which you are connected to obtain the domain-naming role by means of controlled transfer.
Transfer infrastructure master
    Instructs the domain controller to which you are connected to obtain the infrastructure operations master role by means of controlled transfer.
Transfer PDC
    Instructs the domain controller to which you are connected to obtain the PDC operations master role by means of controlled transfer.
Transfer RID master
    Instructs the domain controller to which you are connected to obtain the relative ID master role by means of controlled transfer.
Transfer schema master
    Instructs the domain controller to which you are connected to obtain the schema operations master role by means of controlled transfer.

Extending the AD schema to include new class attributes is treacherous because the results are irreversible. After you add an attribute to AD, you can't remove it. You can mark the attribute as "unusable," but the schema is replicated to the Global Catalog (GC) even if you mark it as obsolete. However, any company using AD will certainly find the need (if it hasn't already) for an attribute in the User class that doesn't currently exist. My company develops many business-to-consumer (B2C) software applications for clients. In many of these projects, one of the first attributes we add to AD is Gender because this attribute doesn't exist by default. (B2C sites profile their users by gender because it significantly helps in target advertising.) This month, I show you how to use the Active Directory Schema Console to extend AD. Specifically, I show you how to install the Schema Console, extend the schema, and manage attributes.

Installing the Active Directory Schema Console

The first challenge in this process is installing the tool. The Schema Console isn't installed by default with Win2K Server—not even on the domain controller that hosts your AD. In addition, Microsoft didn't write an installation program for the tool. You must manually register the Schema Console, which is a COM object that is hosted as a Microsoft Management Console (MMC) snap-in. You can find the Schema Console in the \winnt\system32 folder.

To register the tool, choose Start, Run. Type regsvr32 C:\winnt\system32\schmmgmt.dll (assuming C is where you installed Win2K), and click OK. When you've successfully registered the tool, perform these steps:

1. Choose Start, Run; type mmc /a, then click OK.
2. On the Console menu, click Add/Remove Snap-in, then click Add.
3. Under Snap-in, double-click Active Directory Schema, then click Close.
4. Click OK.
5. On the Console menu, click Save to save the console.

By default, you save the console to the Administrative Tools folder. Save your snap-in in that location, and it will appear under Start, Programs, Administrative Tools.

Extending the Schema

If you want to extend the schema, you first need to enable that option on your computer. Open the Schema Console. Right-click Active Directory Schema in the AD Schema Console's console tree, then select Operations Master. The Change Schema Master dialog box, which Figure 1 shows, appears. Select the The Schema may be modified on this Domain Controller check box to enable schema modifications. The schema master domain controller controls all updates and modifications to the AD schema.

After you enable schema modifications, you can add attributes. For
example, suppose you want to add a Gender attribute. In the AD
Schema Console, right-click the Attributes folder, then select Create
Attribute. A warning about the implications of your actions, which
Figure 2 shows, immediately appears. Click Continue to access the
Create New Attribute dialog box, which Figure 3 shows. In the
Common Name and LDAP Display Name text boxes, enter Gender.
You now need to populate the Unique X500 Object ID text box.
Object IDs (OIDs) are unique identifiers for AD objects.

You need a valid OID to add an attribute. The Microsoft Windows 2000 Resource Kit includes a command-line OID-generator program, oidgen.exe, that generates valid OIDs. The utility uses a base OID from the Microsoft branch of the International Organization for Standardization (ISO) OID tree and a globally unique ID (GUID) generated each time the program runs to generate the OIDs. Figure 4 shows a command prompt with the OID-generator program.

Oidgen.exe produces two root OIDs—an Attribute Base OID and a Class Base OID. Run oidgen.exe once for your organization, then manage the OID space beneath these two roots by incrementing the number for each attribute you add to the AD schema.

You must group all the OIDs for your organization under common
roots. AD maintains an internal table of OIDs. To optimize
performance, OIDs are maintained in a separated state as a prefix
and a suffix. The prefix is the entire OID minus the rightmost (low-
order) value. AD stores the prefixes in a table so that it can reference
them by an index value. AD then uses the remaining (low-order) part
of the OID and the index value for its prefix to identify the classes and
attributes. Grouping all your OIDs under common roots keeps the
prefix table small. Excessive growth in the prefix table can degrade
the performance of the Win2K server hosting AD.
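An added example, not from the article, showing in Python how the OID bookkeeping just described works: one allocator hands out OIDs by incrementing beneath the two oidgen.exe roots, and a small model of AD's prefix table shows why attributes grouped under one root cost a single prefix entry while scattered roots cost one entry each. The two base OIDs are constructed placeholders, not real allocations.

```python
# Constructed placeholders standing in for the two roots that oidgen.exe prints
# for an organization; they are not real allocations.
ATTRIBUTE_BASE_OID = "1.2.840.113556.1.8000.9999.1111.2222"   # placeholder
CLASS_BASE_OID = "1.2.840.113556.1.8000.9999.1111.3333"       # placeholder


class OidAllocator:
    """Hands out OIDs beneath the two roots by incrementing the last arc, which is
    the page's advice: run oidgen.exe once, then manage the space under its roots."""

    def __init__(self, attribute_base, class_base):
        self._base = {"attribute": attribute_base, "class": class_base}
        self._next = {"attribute": 1, "class": 1}

    def allocate(self, kind):
        arc = self._next[kind]
        self._next[kind] = arc + 1
        return f"{self._base[kind]}.{arc}"


class PrefixTable:
    """Model of AD's internal prefix table: an OID is kept as (prefix index,
    low-order suffix), where the prefix is everything but the rightmost arc."""

    def __init__(self):
        self._index = {}   # prefix string -> table index

    def intern(self, oid):
        prefix, _, suffix = oid.rpartition(".")
        if prefix not in self._index:
            self._index[prefix] = len(self._index)
        return self._index[prefix], int(suffix)

    def __len__(self):
        return len(self._index)


def prefix_entries_needed(oids):
    """How many prefix-table entries a set of OIDs costs."""
    table = PrefixTable()
    for oid in oids:
        table.intern(oid)
    return len(table)


def grouped_versus_scattered(count):
    """Compare `count` attributes allocated under one root against `count`
    attributes each placed under its own sub-root (the growth the page warns about)."""
    alloc = OidAllocator(ATTRIBUTE_BASE_OID, CLASS_BASE_OID)
    grouped = [alloc.allocate("attribute") for _ in range(count)]
    scattered = [f"{ATTRIBUTE_BASE_OID}.{i}.1" for i in range(count)]
    return prefix_entries_needed(grouped), prefix_entries_needed(scattered)


if __name__ == "__main__":
    print("prefix entries (grouped, scattered):", grouped_versus_scattered(25))
```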

When you've populated the Unique X500 Object ID text box with a
valid OID, you can give the Gender attribute a minimum length of four
characters (Male) and a maximum length of six characters (Female).
Click OK to add the attribute. The new attribute appears in the AD
Schema's Attributes folder, as Figure 5 shows.

When you view the new attribute in the AD Schema Console, you'll
notice that the Description field is empty. To fill in this field, right-click
the Gender attribute to access the Gender Properties dialog box that
Figure 6 shows. In this dialog box, you can fill in the Description field
and other properties. For example, you can replicate the new attribute
to the GC. Click OK to return to the AD Schema Console.

From the Schema Console, click the Class folder. Scroll down to the
User class, right-click it, and select Properties. On the user
Properties dialog box, click the Attributes tab, which Figure 7 shows.
Click Add, then choose the Gender attribute. Click OK twice, and
you've successfully added the Gender attribute to the User class.
Active Directory Schema

All databases have a schema, which is a formal definition (set of rules) that governs the database structure and the types of objects and attributes that can be contained in the database. The schema contains a list of all classes and attributes in the forest.

The schema keeps track of:

• Classes
• Class attributes
• Class relationships such as subclasses (Child
classes that inherit attributes from the super
class) and super classes (Parent classes).
• Object relationships such as what objects are
contained by other objects or what objects
contain other objects.

There is a classSchema object for each class in the Active Directory database. For each object attribute in the database, there is an attributeSchema object.

Partitions

Active Directory objects are stored in the Directory Information Tree (DIT), which is broken into the following partitions:

• Schema partition - Defines rules for object creation and modification for all objects in the forest. Replicated to all domain controllers in the forest, it is known as an enterprise partition.
• Configuration partition - Information about
the forest directory structure is defined
including trees, domains, domain trust
relationships, and sites (TCP/IP subnet group).
Replicated to all domain controllers in the
forest, it is known as an enterprise partition.
• Domain partition - Has complete information
about all domain objects (Objects that are part
of the domain including OUs, groups, users
and others). Replicated only to domain
controllers in the same domain.
o Partial domain directory partition - Has a
list of all objects in the directory with a
partial list of attributes for each object.

The DIT holds a subset of Active Directory information and stores enough information to start and run the Active Directory service.

Schema Container

The schema container is a special container at the top of the schema partition and is an object of the directory Management Domain (dMD) class. It can be viewed using the MMC "Active Directory Schema" console or the Active Directory Services Interface (ADSI) Edit utility from the installation CD-ROM. The distinguished name of the schema container is:

CN=Schema,CN=Configuration,DC=<forest root domain>
Classes and attributes are stored in classSchema objects and
attributeSchema objects respectively.

attributeSchema Mandatory Attributes

These attributes provide information about attributes of another Active Directory object.

• attributeID - Identifies the attribute with a unique value.
• attributeSyntax - Identifies the object which defines the attribute type.
• cn - A unicode string name of the attribute.
• isSingleValued - A boolean variable which when true indicates
there is only one value for the attribute. If false, the attribute can
have several values.
• LDAPDisplayName - LDAP unicode name string used to
identify the attribute.
• NTSecurityDescriptor - The object security descriptor.
• ObjectClass - Is always attributeSchema.
• OMSyntax - Identifies the object syntax specified by the open
object model.
• SchemaIDGUID - Unique global ID value of the attribute.

classSchema Mandatory Attributes

These attributes provide information about another Active Directory object.

• cn - A unicode string name of the object.
• DefaultObjectCategory - A distinguished name of where the object belongs.
• GovernsID - A unique number identifying the class.
• LDAPDisplayName - LDAP unicode name string used to
identify the object.
• NTSecurityDescriptor - The object security descriptor.
• ObjectClass - Is always classSchema.
• ObjectClassCategory - An integer describing the object class
type. The class type is one of the following with values in "()"
indicating the integer value used to signify them:
o Abstract class (2) - A class that can't be an object, but is
used to pass attributes down to subclasses.
o Auxiliary class (3) - Used to provide structural or abstract classes with attributes.
o Structural class (1) - These classes can have objects
created from them and are the class type that is
contained as objects in the directory.
o Type 88 class (0) - These classes don't have a type and
they are class types created before 1993 before class
types were established in the X.500 standard.
• SchemaIDGUID - Unique global ID value of the class.
• SubClassOf - Identifier of the class parent class.

System Attributes

These system attributes can only be changed by the Directory System Agent (DSA), which manages the Active Directory database.

• systemAuxiliaryClass - Identifies the auxiliary protected classes that compose the class.
• systemMayContain - Optional system protected class
attributes.
• systemMustContain - Required system protected class
attributes.
• systemPossSuperiors - Parent system protected classes.

SAM Read Only Attributes

The SAM is the Security Access Manager.

• badPasswordCount
• badPasswordTime
• creationTime
• domainReplica
• isCriticalSystemObject
• lastLogoff
• lastLogon
• LockoutTime
• modifiedCount
• ntPwdHistory
• PrimaryGroupName
• revision
• SAMAccountName
• SAMAccountType

Schema Modifications

The schema should only be modified when absolutely necessary. Control mechanisms include:

• The schema operations master domain controller is the only controller from which the schema can be changed.
• The Schema console must have schema modification set to
enabled.
• Each schema object has permissions set through the Windows
2000 security model.

Ways to modify the schema include:

• Using an application programming interface (API).
• Lightweight Directory Interface Format (LDIF) scripts.
• LDIFDE bulk schema modification tool.
• CSVDE bulk schema update tool.

Document the following when changing the schema:

• Object issuing authority
• Object ID
• Class hierarchy
• NT security descriptor
• LDAP display name
• Common name
• Class attributes

When the schema is changed, the following checks are done by Active Directory:

• Consistency - Makes sure identifiers are unique and mandatory attributes exist. The existence of superclasses in the schema is also checked.
• Safety - Checks to be sure Active Directory functionality is not disrupted. Checks the following object types:
o Category 1
o Category 2
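An added Python example (not the page's own code) that performs the consistency checks just listed over a constructed miniature schema: every attributeSchema and classSchema object must carry the mandatory attributes listed above, identifiers must be unique, and each class's superclass must exist. The Gender attribute follows the article's definition (a Unicode string of 4 to 6 characters); the class hierarchy is simplified, and the OIDs, GUIDs and security descriptor in the sample are placeholders.

```python
# Mandatory attributes of attributeSchema and classSchema objects as listed on
# this page (written with their lDAPDisplayName capitalisation).
ATTRIBUTE_SCHEMA_MANDATORY = (
    "attributeID", "attributeSyntax", "cn", "isSingleValued", "lDAPDisplayName",
    "nTSecurityDescriptor", "objectClass", "oMSyntax", "schemaIDGUID",
)
CLASS_SCHEMA_MANDATORY = (
    "cn", "defaultObjectCategory", "governsID", "lDAPDisplayName",
    "nTSecurityDescriptor", "objectClass", "objectClassCategory", "schemaIDGUID",
    "subClassOf",
)

SCHEMA_DN = "CN=Schema,CN=Configuration,DC=corp,DC=com"
SD = "<security descriptor placeholder>"

# Constructed miniature schema with a simplified hierarchy; the governsID and
# schemaIDGUID values are placeholders, not the real AD values.
BASE_SCHEMA = [
    {"objectClass": "classSchema", "cn": "Top", "lDAPDisplayName": "top",
     "governsID": "2.5.6.0", "subClassOf": "top", "objectClassCategory": 2,
     "defaultObjectCategory": f"CN=Top,{SCHEMA_DN}", "schemaIDGUID": "guid-top",
     "nTSecurityDescriptor": SD},
    {"objectClass": "classSchema", "cn": "User", "lDAPDisplayName": "user",
     "governsID": "1.3.6.1.4.1.99999.2.1", "subClassOf": "top",
     "objectClassCategory": 1, "defaultObjectCategory": f"CN=User,{SCHEMA_DN}",
     "schemaIDGUID": "guid-user", "nTSecurityDescriptor": SD},
]

# The Gender attribute from the article: a Unicode string (attributeSyntax
# 2.5.5.12, oMSyntax 64), single valued, 4 to 6 characters long.
GENDER_ATTRIBUTE = {
    "objectClass": "attributeSchema", "cn": "Gender", "lDAPDisplayName": "gender",
    "attributeID": "1.3.6.1.4.1.99999.1.1",   # placeholder; would come from oidgen.exe
    "attributeSyntax": "2.5.5.12", "oMSyntax": 64, "isSingleValued": True,
    "rangeLower": 4, "rangeUpper": 6, "schemaIDGUID": "guid-gender",
    "nTSecurityDescriptor": SD,
}

# A deliberately faulty class addition: no schemaIDGUID, a reused
# lDAPDisplayName, and a superclass the schema does not contain.
BAD_CLASS = {
    "objectClass": "classSchema", "cn": "Customer", "lDAPDisplayName": "user",
    "governsID": "1.3.6.1.4.1.99999.2.2", "subClassOf": "person",
    "objectClassCategory": 1, "defaultObjectCategory": f"CN=Customer,{SCHEMA_DN}",
    "nTSecurityDescriptor": SD,
}


def check_consistency(objects):
    """Return the problems the consistency check would flag: missing mandatory
    attributes, duplicate identifiers, and superclasses absent from the schema."""
    problems = []
    class_names = {o.get("lDAPDisplayName") for o in objects
                   if o.get("objectClass") == "classSchema"}
    seen = {"identifier": {}, "lDAPDisplayName": {}, "schemaIDGUID": {}}
    for obj in objects:
        kind = obj.get("objectClass")
        name = obj.get("lDAPDisplayName") or obj.get("cn") or "<unnamed>"
        mandatory = (ATTRIBUTE_SCHEMA_MANDATORY if kind == "attributeSchema"
                     else CLASS_SCHEMA_MANDATORY)
        for attr in mandatory:
            if attr not in obj:
                problems.append(f"{name}: missing mandatory attribute {attr}")
        identifier = obj.get("attributeID" if kind == "attributeSchema" else "governsID")
        for key, value in (("identifier", identifier),
                           ("lDAPDisplayName", obj.get("lDAPDisplayName")),
                           ("schemaIDGUID", obj.get("schemaIDGUID"))):
            if value is None:
                continue
            if value in seen[key]:
                problems.append(f"{name}: {key} {value} already used by {seen[key][value]}")
            else:
                seen[key][value] = name
        if kind == "classSchema" and obj.get("subClassOf") not in class_names:
            problems.append(f"{name}: superclass {obj.get('subClassOf')} is not in the schema")
    return problems


if __name__ == "__main__":
    print("gender only:", check_consistency(BASE_SCHEMA + [GENDER_ATTRIBUTE]))
    for problem in check_consistency(BASE_SCHEMA + [GENDER_ATTRIBUTE, BAD_CLASS]):
        print("rejected:", problem)
```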
DNS

DNS provides for domain name to IP address resolution. Host names are not case sensitive and can contain letters, digits, or the hyphen. Avoid the underscore. A fully qualified domain name (FQDN) consists of the host name plus the domain name, as in the following example:

computername.domain.com

Top level domains are .com, .edu, .net, .org, and more. Second
level domains may contain other domains and hosts.

DNS Files

• CACHE.DNS - The DNS cache file. This file is used to resolve internet DNS queries. It is located in the WINNTROOT\system32\DNS directory and is used to configure a DNS server to use a DNS server on the internet to resolve names not in the local domain.

DNS and WINS

For the system to use WINS if DNS resolution cannot supply the
IP address for a name, all DNS servers must be configured to
use WINS. It cannot be done with just the primary DNS server.

Types of DNS Servers

Three types of name servers:

• Primary - Locally stored files exist on the name server database.
• Secondary - Gets data called a zone transfer from another
server that is the zone authority.
• Caching - Only caches name server information and does
not contain its own files.

The caching only name server generates no zone transfer traffic.


A DNS Server that can communicate outside of the private
network to resolve a DNS name query is referred to as
forwarder.

DNS Queries

• Recursive - When performed for a client, the DNS server
stays with the query until it is resolved. Either the answer is
returned or an error is returned.
• Iterative - When the server does not have the answer, it
refers the client to another name server that may have the
answer. The best answer the name server has is returned,
even if it is partial. Usually used between name servers to
obtain partial name resolutions.
• Reverse - The client provides the IP address and asks for
the name. In other queries the name is provided, and the
IP address is returned to the client. The reverse lookup zone
for the network 192.168.100.0 is "100.168.192.in-addr.arpa".
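The host-name rules given above and the reverse lookup naming, as an added Python example that is not part of the original notes: it validates FQDN labels (letters, digits and hyphens, case-insensitive; rejecting the underscore outright is an assumption, the notes only say to avoid it) and derives the in-addr.arpa names for a single address and for an octet-aligned network. Function names and sample values are my own.

```python
"""Added example (not from the original notes): check host names against the
rules above and build in-addr.arpa names for reverse lookups."""
import ipaddress
import re

# One DNS label: letters, digits and hyphens, 1-63 characters, no leading or
# trailing hyphen. Underscores are rejected (assumption: the notes only say
# to avoid them).
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_fqdn(name: str) -> bool:
    """True when every label of the fully qualified name satisfies the label rule."""
    name = name.rstrip(".")          # a trailing dot marks an absolute name; ignore it
    if not name or len(name) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in name.split("."))


def same_host(a: str, b: str) -> bool:
    """Host names are not case sensitive, so compare them case-folded."""
    return a.rstrip(".").lower() == b.rstrip(".").lower()


def reverse_name(address: str) -> str:
    """PTR owner name for one IPv4 address: 192.168.100.7 -> 7.100.168.192.in-addr.arpa."""
    return ipaddress.IPv4Address(address).reverse_pointer


def reverse_zone(network: str) -> str:
    """Reverse lookup zone for an octet-aligned IPv4 network (/8, /16 or /24).

    Other prefix lengths do not map onto a single in-addr.arpa zone, so they
    are refused instead of producing a misleading name.
    """
    net = ipaddress.IPv4Network(network, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("reverse zones are octet-aligned: use /8, /16 or /24")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


if __name__ == "__main__":
    # Constructed sample input.
    for host in ("computername.domain.com", "my_host.domain.com", "-bad.domain.com"):
        print(host, "valid" if is_valid_fqdn(host) else "invalid")
    print(reverse_name("192.168.100.7"))
    print(reverse_zone("192.168.100.0/24"))
```

The label check is worth running on names before they go into zone files or DHCP option 15 values: a name that passes here resolves on any resolver, while one with an underscore may work against one DNS server and fail against another.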

WINS Reverse Lookup

A WINS-R record at the root zone of DNS allows WINS to be used by
DNS for reverse lookup. WINS reverse lookup is enabled at the
"WINS Reverse Lookup" property page by doing the following:

• Check the "Use WINS Reverse Lookup" checkbox.
• Enter the DNS Host Domain to be added to the NetBIOS name.

WINS TTL

The "WINS Lookup" property page (in DNS?) is used to set the WINS
TTL (Time to Live) for returned queries.

DNS Record Types

• A - Address record allowing a computer name to be translated
into an IP address. Each computer must have this record for its
IP address to be located. These names are not assigned for
clients that have dynamically assigned IP addresses, but are a
must for locating servers with static IP addresses.
• CNAME - Canonical name allowing additional names or aliases
to be used to locate a computer.
• HINFO - Host information record with CPU type and operating
system.
• MX - Mail Exchange server record. There may be several.
• NS - Name server record. There may be several.
• RP - Responsible person.

DNS Transport protocol

DNS resolvers first attempt to use UDP for transport, then use TCP if
UDP fails.

Installing the DHCP Service

You can install DHCP either during or after the initial
installation of Windows 2000 Server or Advanced Server,
although there must be a working DNS in the environment.
To validate your DNS server, click Start, click Run, type
cmd, press ENTER, type ping friendly name of an
existing DNS server in your environment, and then
press ENTER. An unsuccessful reply generates an "Unknown
Host My DNS server name" message.

To install the DHCP Service on an existing Windows 2000
Server:

1. Click Start, click Settings, and then click Control Panel.
2. Double-click Add/Remove Programs, and then click
Add/Remove Windows Components.
3. In the Windows Component Wizard, click Networking
Services in the Components box, and then click Details.
4. Click to select the Dynamic Host Configuration
Protocol (DHCP) check box if it is not already selected,
and then click OK.
5. In the Windows Components Wizard, click Next to
start Windows 2000 Setup. Insert the Windows 2000
Advanced Server CD-ROM into the CD-ROM drive if you
are prompted to do so. Setup copies the DHCP server and
tool files to your computer.
6. When Setup is complete, click Finish.

Configuring the DHCP Service

After you install and start the DHCP service, you must
create a scope (a range of valid IP addresses that are
available for lease to the DHCP clients). Each DHCP server in
your environment should have at least one scope that does
not overlap with any other DHCP server scope in your
environment. In Windows 2000, DHCP servers within an
Active Directory domain environment must be authorized to
prevent rogue DHCP servers from coming online and
authorizing a DHCP Server.

When you install and configure the DHCP service on a
domain controller, the server is typically authorized the first
time that you add the server to the DHCP console. However,
when you install and configure the DHCP service on a
member server, you need to authorize the DHCP server.

Note A stand-alone DHCP server cannot be authorized
against an existing Windows Active Directory.

To authorize a DHCP server:

1. Click Start, click Programs, click Administrative Tools,
and then click DHCP.

Note You must be logged on to the server with an account
that is a member of the Enterprise Administrators group.
2. In the console tree of the DHCP snap-in, select the new
DHCP server. If there is a red arrow in the bottom-right
corner of the server object, the server has not yet been
authorized.
3. Right-click the server, and then click Authorize.
4. After a few moments, right-click the server again and then
click Refresh. The server should display a green arrow in
the bottom-right corner to indicate that the server has
been authorized.

To create a new scope:

1. Click Start, click Programs, point to Administrative
Tools, and then click DHCP.

Note In the console tree, select the DHCP server on which
you want to create the new DHCP scope.
2. Right-click the server, and then click New Scope. In the
New Scope Wizard, click Next, and then type a name and
description for the scope. This can be any name that you
choose, but it should be descriptive enough to identify the
purpose of the scope on your network. For example, you
might use Administration Building Client Addresses.
3. Type the range of addresses that can be leased as part of
this scope, for example, a starting IP address of
192.168.100.1 to an ending address of 192.168.100.100.
Because these addresses are given to clients, they should
all be valid addresses for your network and not currently
in use. If you want to use a different subnet mask, type
the new subnet mask. Click Next.
4. Type any IP addresses that you want to exclude from the
range you entered. This includes any addresses that may
have already been statically assigned to various computers
in your organization. Click Next.
5. Type the number of days, hours, and minutes before an IP
address lease from this scope expires. This determines the
length of time that a client can hold a leased address
without renewing it. Click Next to select Yes, I want to
configure these options now, and then extend the
wizard to include settings for the most common DHCP
options. Click Next.
6. Type the IP address for the default gateway that should be
used by clients that obtain an IP address from this scope.
Click Add to place the default gateway address into the
list, and then click Next.
Note When DNS servers already exist on your network,
type your organization's domain name in Parent domain.
Type the name of your DNS server, and then click Resolve
to ensure that your DHCP server can contact the DNS
server and determine its address. Then click Add to
include that server in the list of DNS servers that are
assigned to the DHCP clients. Click Next.
7. Click Yes, I want to activate this scope now, to
activate the scope and allow clients to obtain leases from
it, and then click Next. Click Finish.

Troubleshooting

• Clients are unable to obtain an IP address
If a DHCP client does not have a configured IP address, it
generally means that the client has not been able to
contact a DHCP server. This is either because of a
network problem or because the DHCP server is
unavailable. If the DHCP server has started and other
clients have been able to obtain a valid address, verify
that the client has a valid network connection and that all
related client hardware devices (including cables and
network adapters) are working properly.
• The DHCP server is unavailable
When a DHCP server does not provide leased addresses
to clients, it is often because the DHCP service has failed
to start. If this is the case, the server may not have been
authorized to operate on the network. If you were
previously able to start the DHCP service, but it has since
stopped, use Event Viewer to check the system log for
any entries that may explain the cause.

Note To restart the DHCP service, click Start, click Run,
type cmd, and then press ENTER. Type net start
dhcpserver, and then press ENTER.

• Default global options
These options are applied globally for all scopes and
classes defined at each DHCP server and any clients that it
services. Active global option types always apply unless
they are overridden by other scope, class, or reserved
client settings for the option type.
• Scope options
These options are applied to any clients that obtain a lease
within that particular scope. Active scope option types
always apply to all computers obtaining a lease in a given
scope unless they are overridden by class or reserved
client settings for the option type.
• Class options
These options are applied to any clients that specify that
particular DHCP Class ID value when obtaining a scope
lease. Active class option types always apply to all
computers configured as members in a specified DHCP
option class unless they are overridden by a reserved client
setting for the option type.
• Reserved client options
These options apply to any appropriate, reserved, client
computer—any computer that has a reservation in the
scope for its IP address. Where reserved client option types
are active, settings for these option types override all other
possible defaults (server, scope, or class assigned option
settings for the option type).
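The four option levels just described and their override order, as an added Python example that is not part of the original documentation: it merges server (global), scope, class and reserved-client settings so that the most specific level wins, and reports which level supplied a given option. Option codes follow the default option table below (3 = Router, 6 = DNS servers, 15 = Domain name, 51 = Lease time); scope names, class IDs, MAC addresses and values are constructed.

```python
"""Added example (not from the original documentation): compute the options a
DHCP client actually receives by applying the four option levels in
precedence order: server (global) < scope < class < reserved client."""
from typing import Dict, List, Optional, Tuple

OptionSet = Dict[int, object]          # option code -> value


class DhcpOptionStore:
    """Option settings at each level; the most specific level wins."""

    def __init__(self) -> None:
        self.server: OptionSet = {}
        self.scopes: Dict[str, OptionSet] = {}        # scope name -> options
        self.classes: Dict[str, OptionSet] = {}       # DHCP class ID -> options
        self.reservations: Dict[str, OptionSet] = {}  # client MAC -> options

    def _levels(self, scope: str, class_id: Optional[str],
                mac: Optional[str]) -> List[Tuple[str, OptionSet]]:
        """Levels from least to most specific."""
        return [
            ("server", self.server),
            ("scope", self.scopes.get(scope, {})),
            ("class", self.classes.get(class_id, {}) if class_id else {}),
            ("reserved client", self.reservations.get(mac, {}) if mac else {}),
        ]

    def effective_options(self, scope: str, class_id: Optional[str] = None,
                          mac: Optional[str] = None) -> OptionSet:
        """Merge the levels in order so that later (more specific) ones override."""
        merged: OptionSet = {}
        for _, options in self._levels(scope, class_id, mac):
            merged.update(options)
        return merged

    def source_of(self, code: int, scope: str, class_id: Optional[str] = None,
                  mac: Optional[str] = None) -> Optional[str]:
        """Name the level that supplied an option, or None if no level sets it.

        Useful when a client reports an unexpected value and you need to know
        which layer to inspect in the DHCP console.
        """
        for name, options in reversed(self._levels(scope, class_id, mac)):
            if code in options:
                return name
        return None


def build_sample_store() -> DhcpOptionStore:
    """Constructed configuration: global DNS and domain name, one scope with
    its own router and a shorter lease, one class with an even shorter lease,
    and one reservation that points a single host at a different DNS server."""
    store = DhcpOptionStore()
    store.server = {6: ["192.168.100.10"], 15: "example.test", 51: 3 * 24 * 3600}
    store.scopes["Administration Building"] = {3: ["192.168.100.1"], 51: 8 * 3600}
    store.classes["Laptops"] = {51: 2 * 3600}
    store.reservations["00-11-22-33-44-55"] = {6: ["192.168.100.11"]}
    return store
```

A scope-level setting overrides the server default only for the option codes it actually defines: in the sample, the scope changes the lease time but inherits the DNS server list and domain name from the server level, which is what `source_of` makes visible.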
Table 4.5 Default DHCP Options (code - option name: meaning)

• 1 - Subnet mask: Specifies the subnet mask of the client subnet.
This option is defined in the DHCP Manager Create Scope or Scope
Properties dialog box. It cannot be set directly in the DHCP Options
dialog box.
• 3 - Router: Specifies a list of IP addresses for routers on the
client's subnet. Multihomed computers can have only one list per
computer, not one per network adapter.
• 6 - DNS servers: Specifies a list of IP addresses for DNS name
servers available to the client.
• 15 - Domain name: Specifies the DNS domain name that the client
should use for DNS computer name resolution.
• 44 - WINS/NBNS servers: Specifies a list of IP addresses for
NetBIOS name servers (NBNS).
• 46 - WINS/NBT node type: Allows configurable NetBIOS over TCP/IP
(NetBT) clients to be configured as described in RFC 1001/1002,
where 1 = b-node, 2 = p-node, 4 = m-node, and 8 = h-node. On
multihomed computers, the node type is assigned to the entire
computer, not to individual network adapters.
• 47 - NetBIOS scope ID (see note 1): Specifies a text string that
is the NetBIOS over TCP/IP scope ID for the client, as specified in
RFC 1001/1002.
• 51 - Lease time: Specifies the time, in seconds, from address
assignment until the client's lease on the address expires. Lease
time is specified in the DHCP Manager Create Scope or Scope
Properties dialog box, and can be set directly in the DHCP Options
dialog box.
• 58 - Renewal (T1) time value: Specifies the time in seconds from
address assignment until the client enters the Renewing state.
Renewal time is a function of the lease time option, which is
specified in the DHCP Manager Create Scope or Scope Properties
dialog box and can be set directly in the DHCP Options dialog box.
• 59 - Rebinding (T2) time value: Specifies the time, in seconds,
from address assignment until the client enters the Rebinding
state. Rebinding time is a function of the lease time option, which
is specified in the DHCP Manager Create Scope or Scope Properties
dialog box and can be set directly in the DHCP Options dialog box.

Note 1: Option 47 (NetBIOS scope ID) is provided for backward
compatibility. Don't use this option unless you already employ
NetBIOS scope IDs in your environment.

Note
If you are using Microsoft DHCP service to configure
computers that should use the services of a WINS server for
name resolution, be sure to use option 44, WINS Servers,
and option 46, Node Type. These DHCP options
automatically configure the DHCP client as an h-node
computer that directly contacts WINS servers for NetBIOS
name registration and name query instead of using only
broadcasts.

DHCP terminology

• scope - A scope is the full consecutive range of possible IP addresses
for a network. Scopes typically define a single physical subnet on
your network to which DHCP services are offered. Scopes also
provide the primary way for the server to manage distribution
and assignment of IP addresses and any related configuration
parameters to clients on the network.
• superscope - A superscope is an administrative grouping of scopes that
can be used to support multiple logical IP subnets on the same physical
subnet. Superscopes only contain a list of member scopes or
child scopes that can be activated together. Superscopes are not
used to configure other details about scope usage. For
configuring most properties used within a superscope, you need
to configure member scope properties individually.
• exclusion range - An exclusion range is a limited sequence of IP
addresses within a scope, excluded from DHCP service offerings.
Exclusion ranges assure that any addresses in these ranges are not
offered by the server to DHCP clients on your network.
• address pool - After you define a DHCP scope and apply exclusion
ranges, the remaining addresses form the available address pool within
the scope. Pooled addresses are eligible for dynamic assignment by
the server to DHCP clients on your network.
• lease - A lease is a length of time that a DHCP server specifies,
during which a client computer can use an assigned IP address. When a
lease is made to a client, the lease is active. Before the lease
expires, the client typically needs to renew its address lease
assignment with the server. A lease becomes inactive when it
expires or is deleted at the server. The duration for a lease
determines when it will expire and how often the client needs to
renew it with the server.
• reservation - You use a reservation to create a permanent address
lease assignment by the DHCP server. Reservations assure that a
specified hardware device on the subnet can always use the same
IP address.
• option types - Option types are other client configuration parameters
a DHCP server can assign when serving leases to DHCP clients. For
example, some commonly used options include IP addresses for
default gateways (routers), WINS servers, and DNS servers.
Typically, these option types are enabled and configured for each
scope. The DHCP console also permits you to configure default
option types that are used by all scopes added and configured at
the server. Most options are predefined through RFC 2132, but
you can use the DHCP console to define and add custom option
types if needed.
• options class - An options class is a way for the server to further
manage option types provided to clients. When an options class is
added to the server, clients of that class can be provided
class-specific option types for their configuration. For Microsoft®
Windows® 2000 and Windows XP, client computers can also specify a
class ID when communicating with the server. For earlier DHCP clients
that do not support the class ID process, the server can be
configured with default classes to use instead when placing
clients in a class. Options classes can be of two types: vendor
classes and user classes.

DHCP Scopes

Adding a Scope
To add a new scope:

1. Select the DHCP settings configuration.
2. Right-click the interface on which you wish to add a
scope.
3. Choose New Scope.
4. Follow Changing Scope properties (below).

Changing Scope Properties

You can change the properties of an existing scope. You can extend the
address range of the scope, but you should not reduce it. You can, however,
exclude any unwanted addresses from the range.
To Define the Properties of a DHCP Scope:

1. Select the DHCP settings tab.
2. Double click the scope you want to change.
3. The scope properties configuration will be displayed.
4. Configure the Scope properties as required.

General Properties:
The Description is a unique name for this scope. This will be displayed in
the DHCP options window. The Scope enabled option enables/disables
allocation from this scope.

• Allocate IP addresses in the range Properties:
This is the range of IP addresses to allocate to clients. 192.168.0.* is
the default, as is the Network Mask of 255.255.255.0. If you wish to
use different options for the range or mask, see the advanced sections.

• Lease Duration Properties:
The default lease time is 3 days. This is a suitable time for most
LANs. If you have a LAN with more computers than the size of your
scope, you may wish to keep the lease period short. This will enable
the available IP addresses to be shared around.

• Excluded Addresses Properties:
These are IP addresses within the scope range that you do not wish to
allocate to client computers. In the example above, the IP address
192.168.0.100 and all the IP addresses from 192.168.0.220 to
192.168.0.240 will not be allocated.

To add an exclusion:

1. In the Scope properties configuration, type the IP
address you wish to exclude into the From field.
2. To exclude a range, type an end address into the To
field.
3. Click Add.
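The scope, exclusion range, address pool and reservation terms defined in the terminology list above, and the exclusion example just given, as an added Python example that is not part of the original notes: it models one scope as a consecutive range, removes exclusion ranges and reserved addresses to form the dynamic pool, and hands out addresses the way the text describes (a reserved client always gets its fixed address). The range 192.168.0.1 to 192.168.0.254, the reservation and the MAC addresses are constructed; only the two exclusions come from the text.

```python
"""Added example (not part of the original notes): a model of one DHCP scope
with exclusion ranges, reservations and the resulting address pool."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Addr = ipaddress.IPv4Address


class Scope:
    def __init__(self, start: str, end: str, mask: str = "255.255.255.0") -> None:
        self.start, self.end, self.mask = Addr(start), Addr(end), Addr(mask)
        if self.start > self.end:
            raise ValueError("scope start address must not be above the end address")
        self.exclusions: List[Tuple[Addr, Addr]] = []
        self.reservations: Dict[str, Addr] = {}   # client MAC -> fixed address
        self.leases: Dict[str, Addr] = {}         # client MAC -> active lease

    def _check_inside(self, addr: Addr) -> None:
        if not self.start <= addr <= self.end:
            raise ValueError(f"{addr} lies outside the scope range")

    def exclude(self, first: str, last: Optional[str] = None) -> None:
        """Exclude a single address or an inclusive range from dynamic assignment."""
        lo = Addr(first)
        hi = Addr(last) if last is not None else lo
        if lo > hi:
            raise ValueError("exclusion 'From' address must not be above 'To'")
        self._check_inside(lo)
        self._check_inside(hi)
        self.exclusions.append((lo, hi))

    def reserve(self, mac: str, address: str) -> None:
        """Pin a client to one address; that address leaves the dynamic pool."""
        addr = Addr(address)
        self._check_inside(addr)
        self.reservations[mac] = addr

    def is_excluded(self, addr: Addr) -> bool:
        return any(lo <= addr <= hi for lo, hi in self.exclusions)

    def address_pool(self) -> List[Addr]:
        """Range minus exclusions and reserved addresses: what dynamic clients can get."""
        reserved = set(self.reservations.values())
        return [Addr(n) for n in range(int(self.start), int(self.end) + 1)
                if not self.is_excluded(Addr(n)) and Addr(n) not in reserved]

    def offer(self, mac: str) -> Addr:
        """Return the client's reservation if it has one, else the first free pooled address."""
        if mac in self.leases:
            return self.leases[mac]
        if mac in self.reservations:
            self.leases[mac] = self.reservations[mac]
            return self.leases[mac]
        in_use = set(self.leases.values())
        for addr in self.address_pool():
            if addr not in in_use:
                self.leases[mac] = addr
                return addr
        raise RuntimeError("address pool exhausted")


def build_sample_scope() -> Scope:
    """Constructed scope 192.168.0.1-254 with the exclusions from the text
    (.100 and .220-.240) and one constructed reservation for a printer."""
    scope = Scope("192.168.0.1", "192.168.0.254")
    scope.exclude("192.168.0.100")
    scope.exclude("192.168.0.220", "192.168.0.240")
    scope.reserve("00-11-22-33-44-55", "192.168.0.50")
    return scope


def lease_sequence(scope: Scope, macs: List[str]) -> List[str]:
    """Offer addresses to several clients in order; a repeated client keeps its lease."""
    return [str(scope.offer(mac)) for mac in macs]
```

The range checks in `exclude` and `reserve` mirror what the console enforces: an exclusion or reservation outside the scope range is a configuration error, not a silent no-op, and the pool size (254 addresses minus 22 excluded minus 1 reserved here) is what the lease-duration advice above is sized against.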

Removing a Scope
When a subnet is no longer in use, or if you want to remove an existing
scope, you can remove it from the DHCP service. It is recommended that
you deactivate a scope until you know that no leases are current before
deleting it.
To Remove a Scope:
The scope should be deactivated until you are sure the scope is not in use.

1. On the Scope list in the DHCP window, select the
scope you want to remove.
2. On the Scope menu, click Delete.

Assigning DHCP Configuration Options

Besides the IP addressing information, other DHCP options to be passed to
DHCP clients must be configured for each scope, or globally under the
Global Options. Options can be defined globally for all scopes, specifically
for a selected scope, or for individual DHCP clients:

• Active global option types always apply, unless
overridden by scope or DHCP client settings.
• Active option types for a scope apply to all computers
in that scope, unless overridden for an individual DHCP
client.

Only configure options if you know what effect they will have on DHCP. Some
options are inter-related (see the DHCP Configurable Options List).
To Assign DHCP Configuration Options:

1. In the DHCP Service/Settings tab/Settings, double click
the scope you want to configure, or click global to
configure all, or click a specific reservation.
2. Click Options.
3. For options that you wish to configure, use the Add
button to add options from the Available to the In use
lists.
4. Double click an in use option name to edit it.
5. Enter the relevant information.
6. Click OK.

Example:
To specify the DNS name servers to be used by DHCP clients, double click
DNS Server and then type an IP address for a DNS server in the edit box and
click Add. The list should be in the order of preference, so that the first server
in the list is the first server to be consulted.
To Remove a Configured Option:

1. Select the option and click Remove.
2. Click OK.

Note on WINS Server:

If you specify a WINS Server, you must also configure an NBT node type.

Full backup

This is the elementary type of backing up. Each time, the
newly created backup file replaces the old one.

Stack backup

This archive consists of the last created backup and N
previous versions (N is the stack size parameter). These N
previous versions are organized in a stack manner. Their
filenames differ by a suffix "_K" added to the filename (K is
in the range 1-N). The older the backup, the greater the K.
All backup files are located in the same directory.

Advanced stack backup

The structure of this archive is like the stack archive with one
addition: it allows the unchanged files not to be stored in the old
versions of the backup copies.

Incremental backup

This is a backup in which only the files that have been
modified since the last backup are copied. It consists of a "full
backup" and N following sequential incremental backups
(where N is the stack size parameter). The first backup
should include all files - a "full backup". The next backup
copy could also be a "full backup", but it is usually much
quicker to do, because only files which have been changed
since the last backing up will be included in the incremental
backup. When N incremental copies have been created, at the
next step all old backup files will be deleted and the cycle
will be repeated from the beginning.
There is an option to save the full backup at the beginning of
the new cycle. If the additional parameter save full backups
is checked, then the full backup is renamed and saved in the
same directory.

Differential backup

This backup consists of two files - a full and a differential
backup.
At first the program creates a full backup. Subsequent executions
generate a differential backup - the backup copy of files
changed or newly added since the last full backing up.
If the volume of the differential copy exceeds N percent of the
full copy (Make a full backup only if ... parameter) or at least
N days have passed since the full backup creation (Make a full
backup only after ... parameter), then the program begins a
new cycle with a full backup.

The main difference between incremental and differential backups

• The incremental backup saves several intermediate
versions of files which have been modified or created
since the last backing up.
• The differential backup saves files which are not
included in the full backup (newly created or added
files) or which differ from the same files in the full
backup. (The files are considered identical if they have
equal size and date-time stamp.)
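The incremental and differential schemes described above, as an added Python example that is not part of the original text: it decides which files each run copies using the identity rule just stated (a file is unchanged when size and date-time stamp are equal), restarts the incremental cycle after N copies, and starts a new full backup when the differential exceeds N percent of the full or N days have passed. The file snapshots, thresholds and the day-number timestamps are constructed; contents are never read.

```python
"""Added example (not from the original text): simulate which files full,
incremental and differential backup runs copy, and when a cycle restarts."""
from typing import Dict, List, Optional, Tuple

Snapshot = Dict[str, Tuple[int, int]]    # path -> (size in bytes, timestamp as day number)


def changed_since(current: Snapshot, reference: Snapshot) -> List[str]:
    """Files that are new, or whose (size, timestamp) differs from the reference."""
    return sorted(path for path, meta in current.items() if reference.get(path) != meta)


class BackupPlanner:
    def __init__(self, mode: str, stack_size: int = 5,
                 max_percent: int = 50, max_days: int = 7) -> None:
        if mode not in ("incremental", "differential"):
            raise ValueError("mode must be 'incremental' or 'differential'")
        self.mode = mode
        self.stack_size = stack_size      # N incremental copies per cycle
        self.max_percent = max_percent    # 'Make a full backup only if ...' threshold
        self.max_days = max_days          # 'Make a full backup only after ...' threshold
        self.full: Snapshot = {}          # what the current full backup holds
        self.full_day: Optional[int] = None
        self.last: Snapshot = {}          # state after the most recent backup of any kind
        self.increments = 0

    def run(self, current: Snapshot, today: int) -> Tuple[str, List[str]]:
        """Perform one backup run; returns (kind, files copied)."""
        if self.full_day is None:
            return self._new_full(current, today)
        if self.mode == "incremental":
            if self.increments >= self.stack_size:
                # N incremental copies exist: the old set is discarded, new cycle.
                return self._new_full(current, today)
            files = changed_since(current, self.last)
            self.increments += 1
        else:
            files = changed_since(current, self.full)
            diff_bytes = sum(current[p][0] for p in files)
            full_bytes = sum(meta[0] for meta in self.full.values()) or 1
            too_big = diff_bytes * 100 > self.max_percent * full_bytes
            too_old = today - self.full_day >= self.max_days
            if too_big or too_old:
                return self._new_full(current, today)
        self.last = dict(current)
        return (self.mode, files)

    def _new_full(self, current: Snapshot, today: int) -> Tuple[str, List[str]]:
        self.full = dict(current)
        self.last = dict(current)
        self.full_day = today
        self.increments = 0
        return ("full", sorted(current))


def sample_days() -> List[Tuple[int, Snapshot]]:
    """Constructed snapshots: day 0 baseline, day 1 a.txt edited, day 2 c.txt
    added, day 3 nothing changed."""
    day0 = {"docs/a.txt": (100, 0), "docs/b.txt": (200, 0)}
    day1 = {**day0, "docs/a.txt": (100, 1)}
    day2 = {**day1, "docs/c.txt": (60, 2)}
    return [(0, day0), (1, day1), (2, day2), (3, dict(day2))]


def simulate(mode: str, **settings) -> List[Tuple[str, List[str]]]:
    """Run the planner over the sample days and return what each run copied."""
    planner = BackupPlanner(mode, **settings)
    return [planner.run(snapshot, day) for day, snapshot in sample_days()]
```

Because the identity rule compares only size and timestamp, a file rewritten with the same length and a preserved modification time is never picked up by either scheme; when the backup set is part of an integrity or recovery plan, comparing content hashes (or forcing a periodic full) closes that gap.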

Mirror backup

A mirror backup is identical to a full backup, with the
exception that the files are not compressed in zip files and
they can not be protected with a password. A mirror
backup is most frequently used to create an exact copy of
the backup data. It has the benefit that the backup files can
also be readily accessed using tools like Windows Explorer.

To back up system state including system-protected files

1. To start the Windows Server 2003 backup utility, click
Start, click Run, type ntbackup, and then click OK.
This procedure provides steps for backing up in
Wizard Mode. By default, the Always Start in
Wizard Mode check box is selected in the Backup or
Restore Wizard. If the Welcome to the Backup
Utility Advanced Mode page appears, click Wizard
Mode to open the Backup or Restore Wizard.
2. On the Welcome to the Backup or Restore Wizard
page, click Next.
3. Select Back up files and settings, and then click
Next.
4. Select Let me choose what to back up, and then
click Next.
5. In the Items to Back Up window, double-click My
Computer.
6. In the expanded list below My Computer, check
System State, and then click Next.
7. Select a location to store the backup:
• If you are backing up to a file, type the path and
file name for the backup (.bkf) file (or click
Browse to find a folder or file).
• If you are backing up to a tape unit, choose the
tape that you want to use.

Note:
You should not store the backup on the local
hard drive. Instead, store it in a location, such as
a tape drive, away from the computer that you
are backing up.
System State data
With Backup, you can back up and restore the following
system components to back up the System State
(component - when it is included in System State):

• Registry - Always
• COM+ Class Registration database - Always
• Boot files, including the system files - Always
• Certificate Services database - If it is a Certificate Services server
• Active Directory directory service - If it is a domain controller
• SYSVOL directory - Only if it is a domain controller
• Cluster service information - If it is within a cluster
• IIS Metadirectory - If it is installed
• System files that are under Windows File Protection - Always

Backup refers to these system components as the System
State data. The exact system components that make up
your computer's System State data depend on the
computer's operating system and configuration.

The effects on trusts and computer accounts when you
authoritatively restore Active Directory

The Authoritative Restore feature lets an administrator select
objects and trees of objects from an archived Active
Directory database and restore them to a domain controller.
This process causes Active Directory to replicate this
restored state (the system state) of objects, overwriting the
currently held copies on all domain controllers in the
domain. The restored objects and their attributes are
assigned a version that is greater than the current set of
domain objects. By default, the restored objects and their
attributes are assigned a version that is 100,000 greater
than the version in the backup.

For more information about the Authoritative Restore
process, see the "Authoritative Restore" topic in Windows
Backup Help and the following knowledge base article:
241594 How to perform an authoritative restore to a domain
controller in Windows 2000

MORE INFORMATION
By default, trust relationship and computer account
passwords are negotiated every thirty days, except for
computer accounts that can be disabled by the
administrator.

When you authoritatively restore Active Directory on a
domain controller, an earlier password for the Active
Directory objects that maintain trust relationships and
computer accounts might be restored. In trust relationships,
this change may disable communication with other domain
controllers from other domains. For a computer account
password, this change could disable communication between
the member workstation or server and a domain controller
of its domain.

By default, computer accounts are kept in the following
Active Directory container:
CN=Computers,DC=domain
This default container and the computer accounts can be
moved to organizational units in Active Directory.

By default, trust accounts are kept in the following Active
Directory container:
CN=Users,DC=domain
The trust accounts are named after the NetBIOS domain
name of the trusting domain with a dollar sign ($) appended
and special flags set. They are hidden by Active Directory
Users and Computers, but they are visible when you use
ADSI Editor or the LDP tool.

For more information, click the following article number to
view the article in the Microsoft Knowledge Base:
324949 Redirecting the users and computers containers in
Windows Server 2003 domains

The trusted domain objects that represent the trusting side
of trusts are located in the following Active Directory
container:
CN=system,DC=domain
This location cannot be moved. Do not authoritatively
restore this container and its immediate child leaf objects
unless you must. To recover the replication topology of a
DFS volume, you may restore subcontainers, such as the
FRS container.

Note Windows 2000 keeps a history of two passwords on
the trusted domain component of a trust relationship. For
more information, click the following article number to view
the article in the Microsoft Knowledge Base:
154501 How to disable automatic machine account password
changes

Nonauthoritatively restoring a domain controller

When a domain controller is replaced or must be
recovered from hardware failure, only a restore from the
most recent backup of a domain controller is necessary if the
data on other domain controllers is known to be good.

After the restore process, Active Directory replication
automatically starts propagating any changes from other
domain controllers that occurred after the time of the
backup.

Authoritatively restoring a domain controller

When other domain controllers exist, but you must
recover data, use caution when you perform an authoritative
restore of data in the domain naming context. Trust
relationship data resides in the domain naming context for
both parent-child relationships to Windows 2000 domains in
the forest, and for NTLM/Kerberos trusts to pre-Active
Directory domains.

If data restoration is required, authoritatively restore only
those parts of the naming context. If you restore the
complete naming context, all computer passwords and trust
relationship passwords are restored. When these passwords
are restored, they may become invalid because passwords
may have been renegotiated after the backup occurred.
Therefore, the passwords may no longer be synchronized
and must be reset.

To reset NTLM trust relationships to Windows Active
Directory or pre-Active Directory domains, you must remove
and re-create the trust. If you must do this for multiple
domains, you can use the Netdom utility that is provided
with the Windows 2000 Resource Kit to do this by using a
batch process. When other domain controllers exist and an
authoritative restore is performed, any objects that were
created in the naming context after the backup will remain
in Active Directory.

For example, one possible scenario is as follows:
• On day 1, the administrator performs a backup of the
system.
• On day 2, the administrator creates a user named "User
Two" and this data replicates to other domain controllers in
the domain.
• On day 3, the user named "User One" is unintentionally
deleted.
• On day 4, an authoritative restore of the domain controller
is performed with the backup created on day 1.
Therefore, both User One and User Two exist within the
domain.
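The day 1 to day 4 scenario above, as an added Python example that is not part of the original article: a toy multi-master replication model in which each attribute carries a version number and the higher version wins, showing why an authoritative restore stamps restored attributes with a version 100,000 above the backup copy (so they beat the day-3 deletion tombstone) and why User Two, created after the backup, survives. The DNs, attribute names, version numbers and the tombstone representation are constructed; real Active Directory replication metadata is richer than this.

```python
"""Added example (not from the original article): a toy replication model
showing the effect of the authoritative-restore version bump."""
import copy
from typing import Dict, Tuple

Attr = Tuple[object, int]               # (value, version)
Directory = Dict[str, Dict[str, Attr]]  # DN -> attribute name -> (value, version)
AUTHORITATIVE_BUMP = 100_000


def replicate(src: Directory, dst: Directory) -> None:
    """Attribute-level replication: the copy with the higher version wins."""
    for dn, attrs in src.items():
        target = dst.setdefault(dn, {})
        for name, (value, version) in attrs.items():
            if name not in target or version > target[name][1]:
                target[name] = (value, version)


def authoritative_restore(live: Directory, backup: Directory, subtree: str) -> Directory:
    """Restore the objects under `subtree` from the backup, marking every
    restored attribute with a version that beats anything replicated since.

    Objects absent from the backup (created after it) are not touched, so
    they remain in the directory after replication converges.
    """
    restored = copy.deepcopy(live)
    for dn, attrs in backup.items():
        if dn == subtree or dn.endswith("," + subtree):
            restored[dn] = {n: (v, ver + AUTHORITATIVE_BUMP) for n, (v, ver) in attrs.items()}
    return restored


def is_present(directory: Directory, dn: str) -> bool:
    """An object exists when it has a row and is not tombstoned."""
    return dn in directory and not directory[dn]["isDeleted"][0]


USERS = "CN=Users,DC=example,DC=test"
USER_ONE = "CN=User One," + USERS
USER_TWO = "CN=User Two," + USERS


def scenario() -> Tuple[Directory, Directory]:
    """Day 1: backup taken. Day 2: User Two created. Day 3: User One deleted.
    Returns (backup contents, state of the surviving domain controller)."""
    backup: Directory = {USER_ONE: {"isDeleted": (False, 1), "description": ("analyst", 1)}}
    other_dc = copy.deepcopy(backup)
    other_dc[USER_TWO] = {"isDeleted": (False, 1), "description": ("new hire", 1)}
    other_dc[USER_ONE]["isDeleted"] = (True, 2)   # a deletion is a tombstone with a newer version
    return backup, other_dc


def outcome(authoritative: bool) -> Dict[str, bool]:
    """Day 4: restore a DC from the day 1 backup and let replication converge
    in both directions; report which users exist afterwards."""
    backup, other_dc = scenario()
    restored_dc = copy.deepcopy(backup)            # non-authoritative: the backup as-is
    if authoritative:
        restored_dc = authoritative_restore(restored_dc, backup, USERS)
    replicate(other_dc, restored_dc)
    replicate(restored_dc, other_dc)
    return {dn: is_present(other_dc, dn) for dn in sorted(other_dc)}
```

Run non-authoritatively, the restored copy of User One loses to the day-3 tombstone and the deletion replicates back onto the restored DC; run authoritatively, the bumped versions win everywhere and User One reappears while User Two is untouched. The same mechanism is why the trust and computer-account password warnings above matter: a bumped password attribute from the backup overrides the newer value every other DC holds.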

Authoritatively restoring a domain controller when no
other domain controllers exist

When no other domain controllers exist to replicate recent
changes to a restored system, or when an authoritative
restore is necessary to bring domain controllers back to a
known state, you should perform an authoritative restore of
the whole naming context.

This process creates the same scenario as previously
mentioned. If trust relationships or computer account
passwords are affected, you will have to reset them.

Active Directory database file NTDS.DIT

The Windows 2000 Active Directory data store, the actual database file, is
%SystemRoot%\ntds\NTDS.DIT. The ntds.dit file is the heart of Active
Directory, including user accounts. Active Directory's database engine is the
Extensible Storage Engine (ESE), which is based on the Jet database used
by Exchange 5.5 and WINS. The ESE has the capability to grow to 16
terabytes, which would be large enough for 10 million objects. Back to the
real world: only the Jet database can manipulate information within the AD
datastore.
For information on domain controller configuration to optimize Active
Directory, see Optimize Active Directory Disk Performance.

The Active Directory ESE database, NTDS.DIT, consists of the following
tables:

• Schema table
the types of objects that can be created in the Active Directory,
relationships between them, and the optional and mandatory attributes
on each type of object. This table is fairly static and much smaller
than the data table.
• Link table
contains linked attributes, which contain values referring to other
objects in the Active Directory. Take the MemberOf attribute on a user
object. That attribute contains values that reference groups to which
the user belongs. This is also far smaller than the data table.
• Data table
users, groups, application-specific data, and any other data stored in
the Active Directory. The data table can be thought of as having rows
where each row represents an instance of an object such as a user, and
columns where each column represents an attribute in the schema
such as GivenName.

From a different perspective, Active Directory has three types of data

• Schema information
definitional details about objects and attributes that one CAN store in
the AD. Replicates to all domain controllers. Static in nature.
• Configuration information
configuration data about forest and trees. Replicates to all domain
controllers. Static as your forest is.
• Domain information
object information for a domain. Replicates to all domain controllers
within a domain. The object portion becomes part of Global Catalog.
The attribute values (the actual bulk of data) only replicates within the
domain.

Although GUIDs are unique, they are large. AD uses distinguished name tag
( DNT ). DNT is a 4-byte DWORD value which is incremented when a new
object is created in the store. The DNT represents the object's database row
number. It is an example of a fixed column. Each object's parent relationship
is stored as a parent distinguished name tag ( PDNT ). Resolution of parent-
child relationships is optimized because the DNT and PDNT are indexed
fields in the database. For more technical info on the AD datastore and its
organization, a good starting point is the Active Directory Database Sizing
document.

The size of ntds.dit will often be different sizes across the domain controllers
in a domain. Remember that Active Directory is a multi-master independent
model where updates are occuring in each of the ADs with the changes being
replicated over time to the other domain controllers. The changed data is
replicated between domain controllers, not the database, so there is no
guarantee that the files are going to be the same size across all domain
controllers.

Active Directory routinely performs online database defragmentation, but
this is limited to the disposal of tombstoned objects. The database file cannot
be compacted while Active Directory is mounted. An ntds.dit file that has
been defragmented offline ( compacted ) can be much smaller than the
ntds.dit file on its peers. To defrag ntds.dit offline:

• Back up the Active Directory using Windows 2000 Backup. W2K
backup natively supports backing up Active Directory while online.
This occurs automatically when you select the option to back up
everything on the computer in the Backup Wizard, or independently
by selecting to back up System State in the backup wizard.
• Reboot
• Select the appropriate installation from the boot menu, and press F8 to
display the Windows 2000 Advanced Options menu.
• Choose Directory Services Restore Mode and press ENTER. Press
ENTER again to start the boot process.
• Logon using the password defined for the local Administrator account
in the offline SAM.
• Click Start, Programs, Accessories, and then click Command Prompt.
• At the command prompt, run the ntdsutil command.
• When ntdsutil has started
o Type files and press ENTER.
o Type info and then press ENTER. This will display current
information about the path and size of the Active Directory
database and its log files.
o Type compact to drive:\directory, and press ENTER. Be sure
that the drive specified has enough drive space for the
compacted database to be created. I know, you don't know how
big the compacted version will be, but if there is enough space
for the uncompacted version, you should be OK. A gotcha!:
You must specify a directory path and if the path name has
spaces, the command will not work unless you use quotation
marks

compact to "c:\my new folder"

o Type quit and press Enter to leave file maintenance.
o Type quit and press Enter to return to the command prompt. A
new compacted database named Ntds.dit can be found in the
folder you specified.
• Copy the new ntds.dit file over the old ntds.dit file. You have
successfully compacted the Active Directory database. If you believe
in belts and suspenders, I would copy the old uncompacted database
somewhere else before I overwrote it with the new compacted
version.
• Reboot and see if all is normal.

This is a server by server task. Monitor the size of ntds.dit and if it starts
growing and performance is slow and you can not see why either situation
should apply, consider offline defrags.

If ntds.dit gets corrupted or deleted or is missing ( which can happen if the
promotion process to domain controller goes bad ), you have to manually
recover it using Windows 2000 Backup. You did do W2K backups,
right?

• Reboot the domain controller and press F8 to display the Windows
2000 Advanced Options menu.
• Select Directory Services Restore Mode and then press ENTER.
• Select the correct installation, and then press ENTER to start the boot
process.
• Logon using the administrator account and password you specified
during the promotion process. When you ran Dcpromo.exe to install
Active Directory, it requested a password to be used for the
Administrator password for Active Directory Restore Mode. This
password is not stored in Active Directory. It is stored in an NT4-style
SAM file and is the only account available when the AD is corrupted.
• Click OK. This acknowledges the warning message that you are using
Safe mode.
• Click Start, Programs, Accessories, System Tools, and then click
Backup.
• Select the Restore tab.
• Click the + symbol next to the following items to expand them:
o File
o Media Created
o System Drive
o Winnt
o NTDS
• Click the NTDS folder to display the files in the folder.
• Click to select the ntds.dit check box.
• Leave the Restore files to box set to Original Location. This check
box provides the option to restore to an alternative location. If you
restore to an alternative location, you will have to copy the ntds.dit
file into the %SystemRoot%\ntds folder.
• Click Start Restore.

To move a database or log file :

• Reboot the domain controller and press F8 to display the Windows
2000 Advanced Options menu.
• Select Directory Services Restore Mode and then press ENTER.
• Select the correct installation, and then press ENTER to start the boot
process.
• Logon using the administrator account and password you specified
during the promotion process. When you ran Dcpromo.exe to install
Active Directory, it requested a password to be used for the
Administrator password for Active Directory Restore Mode. This
password is not stored in Active Directory. It is stored in an NT4-style
SAM file and is the only account available when the AD is corrupted.
• Start a command prompt, and then type ntdsutil.exe .
• At a Ntdsutil prompt, type files.
• At the File Maintenance prompt
o To move a database, type move db to %s
where %s is the drive and folder where you want the database
moved.
o To move log files, type move logs to %s
where %s is the drive and folder where you want the log files
moved.
o To view the log files or database, type info.
o To verify the integrity of the database at its new location, type
integrity.
o Type quit
o Type quit to return to a command prompt.
• Restart the computer in Normal mode.

When you move the database and log files, you must back up the domain
controller.

Monitoring and Troubleshooting Active Directory Replication

Replication may be defined as maintaining a duplicate copy of the same data on the same
or a different platform or system. When using a directory service such as
Active Directory, the directory database is carried by all domain controllers,
so that whenever you need to contact a domain controller there is always
a local copy available and requests do not have to be sent over the
wide area network (WAN). Replication for Active Directory operates within
the directory service component of the security subsystem. This component
is called Ntdsa.dll and is accessed through the Lightweight Directory Access
Protocol (LDAP). Ntdsa.dll runs as a part of the local security authority
(LSA), which runs as Lsass.exe. Updates are transported over Internet
Protocol (IP) by the remote procedure call (RPC) protocol. The Simple Mail
Transfer Protocol (SMTP) is also available for use, although it is
more common to see RPC over IP used.

Network Ports Used by Active Directory Replication

RPC replication uses dynamic port mapping by default. When
you need to connect to an RPC endpoint during Active Directory replication,
RPC uses TCP port 135. RPC on the client contacts the RPC endpoint
mapper on the server at this well-known port, and RPC randomly allocates high
TCP ports from port 1024 to 65536. Because of this configuration, a client
will never need to know what port to use for Active Directory replication; it
will just take place seamlessly. There are also other ports assigned for Active
Directory replication. They are as follows:

Protocol                 Port
LDAP                     udp 389, tcp 389
LDAP (SSL)               udp 636, tcp 636
Kerberos                 udp 88, tcp 88
DNS                      udp 53, tcp 53
SMB over IP              udp 445, tcp 445
Global Catalog Server    tcp 3269, tcp 3268
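As an added example (not part of the original article), the following PowerShell checks that the fixed ports from the table above, plus the RPC endpoint mapper on 135, are reachable on a peer domain controller. It assumes Windows PowerShell 4 or later for Test-NetConnection; the domain controller name is a placeholder, and the dynamically allocated high RPC ports cannot be enumerated in advance, so they are not checked.

```powershell
# Added example, not from the original article. Placeholder DC name: replace
# with the replication partner you are troubleshooting.
$DomainController = 'dc01.example.com'

# TCP ports from the article's table plus the RPC endpoint mapper (135).
# Test-NetConnection only probes TCP, so the UDP entries (389, 636, 88, 53,
# 445) are not covered by this check.
$ReplicationPorts = @(
    @{ Name = 'RPC endpoint mapper';   Port = 135  },
    @{ Name = 'LDAP';                  Port = 389  },
    @{ Name = 'LDAP (SSL)';            Port = 636  },
    @{ Name = 'Kerberos';              Port = 88   },
    @{ Name = 'DNS';                   Port = 53   },
    @{ Name = 'SMB over IP';           Port = 445  },
    @{ Name = 'Global Catalog';        Port = 3268 },
    @{ Name = 'Global Catalog (SSL)';  Port = 3269 }
)

$results = foreach ($entry in $ReplicationPorts) {
    $test = Test-NetConnection -ComputerName $DomainController `
                               -Port $entry.Port `
                               -WarningAction SilentlyContinue
    [pscustomobject]@{
        Service   = $entry.Name
        Port      = $entry.Port
        Reachable = $test.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize

# Anything unreachable here is a firewall or routing problem to chase before
# looking at the directory itself; a blocked 135 or high RPC range typically
# surfaces as "RPC server is unavailable" in the Directory Service log.
$results | Where-Object { -not $_.Reachable } | ForEach-Object {
    Write-Warning ("{0} (tcp {1}) is not reachable on {2}" -f `
        $_.Service, $_.Port, $DomainController)
}
```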

Examining the Event Logs:

Errors, if they occur, will show up in the Event Viewer logs. At the end of
this article, I have placed a link to the Microsoft Website so that you can
learn how to use the Event Viewer. The Event Viewer can be very helpful
when trying to locate and resolve a replication problem. Many errors are
reported to the Event Viewer for your review.
Whenever an error in the replication configuration occurs, the computer
writes events to the Directory Service and File Replication Service (FRS)
event logs. By using the Event Viewer administrative tool, you can quickly
and easily view the details associated with any problems in replication. For
example, if one domain controller is not able to communicate with another
to transfer changes, a log entry is created.
You may receive events such as:

• Event ID 1311 in the directory service log
• Event ID 1265 with error "DNS Lookup Failure" or "RPC server is
unavailable" in the directory service log. Or, received "DNS Lookup
Failure" or "Target account name is incorrect" from the repadmin
command
• Event ID 1265 "Access denied," in directory service log. Or, received
"Access denied" from the repadmin command
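To find the events listed above without clicking through Event Viewer, here is an added PowerShell example (not from the original article) that queries the Directory Service log for IDs 1311 and 1265 and classifies the 1265 entries by the error text the article names. It assumes Windows PowerShell 3 or later on the domain controller, or remote event log access when a different computer name is given; the 24-hour look-back window is an arbitrary choice.

```powershell
# Added example, not from the original article.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$LookBackHours   = 24       # arbitrary window, adjust as needed
)

# Event IDs from the article: 1311 (topology / site link problems) and 1265
# (a replication attempt failed, with the reason in the message text).
$filter = @{
    LogName   = 'Directory Service'
    Id        = 1311, 1265
    StartTime = (Get-Date).AddHours(-$LookBackHours)
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No 1311/1265 events in the last $LookBackHours hours on $ComputerName"
    return
}

# Map the error strings the article lists to the layer that is failing, so
# the likely cause (name resolution, RPC reachability, authentication) is
# visible at a glance instead of buried in the message body.
$events | ForEach-Object {
    $cause = if ($_.Id -eq 1311) {
        'Topology (check site links)'
    } else {
        switch -Regex ($_.Message) {
            'DNS Lookup Failure'               { 'DNS';            break }
            'RPC server is unavailable'        { 'RPC/firewall';   break }
            'Target account name is incorrect' { 'Kerberos';       break }
            'Access denied'                    { 'Authentication'; break }
            default                            { 'Other' }
        }
    }
    [pscustomobject]@{
        Time  = $_.TimeCreated
        Id    = $_.Id
        Cause = $cause
        Text  = ($_.Message -split "`n")[0]    # first line of the message
    }
} | Sort-Object Time | Format-Table -AutoSize
```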

Verifying Site Links

Before domain controllers in different sites can communicate with each
other, the sites must be connected by site links. If replication between sites is
not occurring properly, verify that the proper site links are in place. Verify
your site links by using the Replication diagnostics utility (Repadmin.exe).
Use this tool to verify correct site links and to display inbound and outbound
connections. You can also use it to display the replication queue.
